Diffstat (limited to 'net/socket')
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 22 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.h | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_openssl.cc | 22 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_openssl.h | 5 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_unittest.cc | 15 |
5 files changed, 47 insertions, 19 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 5619247..9526c1c 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -95,6 +95,7 @@
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_ev_whitelist.h"
 #include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/ct_policy_status.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/ct_verify_result.h"
 #include "net/cert/scoped_nss_types.h"
@@ -2410,7 +2411,7 @@ bool SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
 ssl_info->cert = server_cert_verify_result_.verified_cert;
 ssl_info->unverified_cert = core_->state().server_cert;
- AddSCTInfoToSSLInfo(ssl_info);
+ AddCTInfoToSSLInfo(ssl_info);
 ssl_info->connection_status = core_->state().ssl_connection_status;
@@ -3126,13 +3127,24 @@ void SSLClientSocketNSS::VerifyCT() {
 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension
 // from the state after verification is complete, to conserve memory.
+ ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr);
+ ct_verify_result_.ev_policy_compliance =
+ ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
 if (policy_enforcer_ && (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = SSLConfigService::GetEVCertsWhitelist();
- if (!policy_enforcer_->DoesConformToCTEVPolicy(
+ ct::EVPolicyCompliance ev_policy_compliance =
+ policy_enforcer_->DoesConformToCTEVPolicy(
 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(),
- ct_verify_result_, net_log_)) {
+ ct_verify_result_.verified_scts, net_log_);
+ ct_verify_result_.ev_policy_compliance = ev_policy_compliance;
+ if (ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
+ ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
+ ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
 VLOG(1) << "EV certificate for " << server_cert_verify_result_.verified_cert->subject()
@@ -3158,8 +3170,8 @@ bool SSLClientSocketNSS::CalledOnValidThread() const {
 return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
-void SSLClientSocketNSS::AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const {
- ssl_info->UpdateSignedCertificateTimestamps(ct_verify_result_);
+void SSLClientSocketNSS::AddCTInfoToSSLInfo(SSLInfo* ssl_info) const {
+ ssl_info->UpdateCertificateTransparencyInfo(ct_verify_result_);
 }
 // static
diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h
index d8a1549..0df9d4f 100644
--- a/net/socket/ssl_client_socket_nss.h
+++ b/net/socket/ssl_client_socket_nss.h
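Review bot: The new allow-list in the `if` treats `EV_POLICY_DOES_NOT_APPLY` as a compliant outcome even though this branch is only entered once `CERT_STATUS_IS_EV` is set, so an enforcer that answers "does not apply" for an EV certificate keeps EV status with neither SCT nor whitelist evidence. If that is intentional (the enforcer's contract is not visible here; it may deem some EV certificates out of the policy's scope), the intent deserves a comment above the condition, e.g. `// DOES_NOT_APPLY is accepted: the enforcer has judged this EV cert outside the CT policy's scope, so only an explicit non-compliance result strips EV.`; otherwise drop it from the accepted set. The same three-way comparison is repeated verbatim in ssl_client_socket_openssl.cc, so a single predicate next to the enum in ct_policy_status.h, e.g. `bool IsEVPolicyCompliant(EVPolicyCompliance compliance);`, would keep the two sockets from drifting when a value is added. VerifyCT begins and ends outside this hunk.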
@@ -146,7 +146,7 @@ class SSLClientSocketNSS : public SSLClientSocket {
 // vetor representing a particular verification state, this method associates
 // each of the SCTs with the corresponding SCTVerifyStatus as it adds it to
 // the |ssl_info|.signed_certificate_timestamps list.
- void AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const;
+ void AddCTInfoToSSLInfo(SSLInfo* ssl_info) const;
 // Move last protocol to first place: SSLConfig::next_protos has protocols in
 // decreasing order of preference with NPN fallback protocol at the end, but
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 4b09828..b92c4a8 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -39,6 +39,7 @@
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_ev_whitelist.h"
 #include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/ct_policy_status.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/cert/x509_util_openssl.h"
@@ -867,7 +868,7 @@ bool SSLClientSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) {
 ssl_info->token_binding_key_param = tb_negotiated_param_;
 ssl_info->pinning_failure_log = pinning_failure_log_;
- AddSCTInfoToSSLInfo(ssl_info);
+ AddCTInfoToSSLInfo(ssl_info);
 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_);
 CHECK(cipher);
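Review bot: The comment above the renamed `AddCTInfoToSSLInfo` in ssl_client_socket_nss.h still describes only the SCT vectors and their SCTVerifyStatus tagging, although the implementation now hands the whole `ct_verify_result_` to `UpdateCertificateTransparencyInfo`, which presumably also carries the new `ct_policies_applied` and `ev_policy_compliance` fields set in VerifyCT. The lead sentence of that comment lies above the hunk and, unlike the openssl.h copy in this same change, is not updated here, so the two headers now disagree. I would replace the comment with `// Copies the Certificate Transparency state in ct_verify_result_ into |ssl_info|: the SCT lists (each SCT tagged with its SCTVerifyStatus), whether CT policies were applied, and the EV policy compliance result.` and fix the "vetor" typo while here.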
@@ -1479,13 +1480,24 @@ void SSLClientSocketOpenSSL::VerifyCT() {
 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list, &ct_verify_result_, net_log_);
+ ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr);
+ ct_verify_result_.ev_policy_compliance =
+ ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
 if (policy_enforcer_ && (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist = SSLConfigService::GetEVCertsWhitelist();
- if (!policy_enforcer_->DoesConformToCTEVPolicy(
+ ct::EVPolicyCompliance ev_policy_compliance =
+ policy_enforcer_->DoesConformToCTEVPolicy(
 server_cert_verify_result_.verified_cert.get(), ev_whitelist.get(),
- ct_verify_result_, net_log_)) {
+ ct_verify_result_.verified_scts, net_log_);
+ ct_verify_result_.ev_policy_compliance = ev_policy_compliance;
+ if (ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
+ ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
+ ev_policy_compliance !=
+ ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
 VLOG(1) << "EV certificate for " << server_cert_verify_result_.verified_cert->subject()
@@ -2147,8 +2159,8 @@ int SSLClientSocketOpenSSL::NewSessionCallback(SSL_SESSION* session) {
 return 1;
 }
-void SSLClientSocketOpenSSL::AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const {
- ssl_info->UpdateSignedCertificateTimestamps(ct_verify_result_);
+void SSLClientSocketOpenSSL::AddCTInfoToSSLInfo(SSLInfo* ssl_info) const {
+ ssl_info->UpdateCertificateTransparencyInfo(ct_verify_result_);
 }
 std::string SSLClientSocketOpenSSL::GetSessionCacheKey() const {
diff --git a/net/socket/ssl_client_socket_openssl.h b/net/socket/ssl_client_socket_openssl.h
index 6e464d7..70d195a 100644
--- a/net/socket/ssl_client_socket_openssl.h
+++ b/net/socket/ssl_client_socket_openssl.h
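Review bot: The two unconditional assignments at the top of the hunk leave `ev_policy_compliance` at `EV_POLICY_DOES_NOT_APPLY` both when no `policy_enforcer_` is configured and when the enforcer itself returns that value for a non-EV or EV certificate, so a consumer of SSLInfo can only tell "not evaluated" from "evaluated, out of scope" by also reading `ct_policies_applied`; that coupling is not written down anywhere in the hunk. A comment on the default, e.g. `// Defaults: policy results are only meaningful when ct_policies_applied is true; an EV cert with no enforcer configured reports DOES_NOT_APPLY, not non-compliance.`, would make the contract explicit for readers of ssl_info.h. As in the NSS copy, accepting `EV_POLICY_DOES_NOT_APPLY` inside a branch guarded by `CERT_STATUS_IS_EV` retains EV status without SCT or whitelist evidence, which deserves either a justification or removal from the accepted set. VerifyCT begins and ends outside this hunk.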
@@ -197,12 +197,13 @@ class SSLClientSocketOpenSSL : public SSLClientSocket {
 // Called from the SSL layer whenever a new session is established.
 int NewSessionCallback(SSL_SESSION* session);
- // Adds the SignedCertificateTimestamps from ct_verify_result_ to |ssl_info|.
+ // Adds the Certificate Transparency info from ct_verify_result_ to
+ // |ssl_info|.
 // SCTs are held in three separate vectors in ct_verify_result, each
 // vetor representing a particular verification state, this method associates
 // each of the SCTs with the corresponding SCTVerifyStatus as it adds it to
 // the |ssl_info|.signed_certificate_timestamps list.
- void AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const;
+ void AddCTInfoToSSLInfo(SSLInfo* ssl_info) const;
 // Returns a unique key string for the SSL session cache for
 // this socket.
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
index d225390..d54f003 100644
--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -22,6 +22,7 @@
 #include "net/base/test_data_directory.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/ct_policy_status.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/mock_cert_verifier.h"
 #include "net/cert/test_root_certs.h"
@@ -699,10 +700,10 @@ class MockCTVerifier : public CTVerifier {
 class MockCTPolicyEnforcer : public CTPolicyEnforcer {
 public:
 MOCK_METHOD4(DoesConformToCTEVPolicy,
- bool(X509Certificate* cert,
- const ct::EVCertsWhitelist*,
- const ct::CTVerifyResult&,
- const BoundNetLog&));
+ ct::EVPolicyCompliance(X509Certificate* cert,
+ const ct::EVCertsWhitelist*,
+ const ct::SCTList&,
+ const BoundNetLog&));
 };
 class SSLClientSocketTest : public PlatformTest {
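Review bot: The rewritten lead sentence of the `AddCTInfoToSSLInfo` comment in ssl_client_socket_openssl.h now says "Certificate Transparency info", but the four unchanged context lines that follow still describe only the three SCT vectors and their SCTVerifyStatus tagging, so the comment as a whole still omits the policy results (`ct_policies_applied`, `ev_policy_compliance`) that VerifyCT now stores in `ct_verify_result_` and that `UpdateCertificateTransparencyInfo` presumably forwards. I would fold the rest of the comment into the new sentence, e.g. `// |ssl_info|: each SCT with its SCTVerifyStatus, whether CT policies were applied, and the EV policy compliance result.`, and fix the "vetor" typo in the same edit.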
@@ -2349,7 +2350,8 @@ TEST_F(SSLClientSocketTest, EVCertStatusMaintainedForCompliantCert) {
 MockCTPolicyEnforcer policy_enforcer;
 SetCTPolicyEnforcer(&policy_enforcer);
 EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _))
- .WillRepeatedly(Return(true));
+ .WillRepeatedly(
+ Return(ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS));
 int rv;
 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
@@ -2381,7 +2383,8 @@ TEST_F(SSLClientSocketTest, EVCertStatusRemovedForNonCompliantCert) {
 MockCTPolicyEnforcer policy_enforcer;
 SetCTPolicyEnforcer(&policy_enforcer);
 EXPECT_CALL(policy_enforcer, DoesConformToCTEVPolicy(_, _, _, _))
- .WillRepeatedly(Return(false));
+ .WillRepeatedly(
+ Return(ct::EVPolicyCompliance::EV_POLICY_NOT_ENOUGH_SCTS));
 int rv;
 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
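Review bot: Both tests only swap the mock's return value and keep asserting on EV status, so nothing in this change checks that the new `ct_policies_applied` and `ev_policy_compliance` values actually reach the SSLInfo that `GetSSLInfo` fills, nor how an EV certificate is treated when the enforcer answers `EV_POLICY_DOES_NOT_APPLY` or `EV_POLICY_COMPLIES_VIA_WHITELIST`, which VerifyCT now accepts as compliant. A third test mirroring these two with `.WillRepeatedly(Return(ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY));` would pin that decision, and each test should assert on whichever SSLInfo fields `UpdateCertificateTransparencyInfo` populates (their names are not visible here) so a regression in the propagation is caught rather than only in the EV bit. Both TEST_F bodies begin and end outside their hunks.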