diff options
author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-01-31 16:33:43 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-02-06 16:33:22 +0000 |
commit | da51f56cc21233c2d30f0fe0d171727c3102b2e0 (patch) | |
tree | 4e579ab70ce4b19bee7984237f3ce05a96d59d83 /chromium/net/ssl | |
parent | c8c2d1901aec01e934adf561a9fdf0cc776cdef8 (diff) | |
download | qtwebengine-chromium-da51f56cc21233c2d30f0fe0d171727c3102b2e0.tar.gz |
BASELINE: Update Chromium to 65.0.3525.40
Also imports missing submodules
Change-Id: I36901b7c6a325cda3d2c10cedb2186c25af3b79b
Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
Diffstat (limited to 'chromium/net/ssl')
-rw-r--r-- | chromium/net/ssl/client_cert_identity.cc | 16 | ||||
-rw-r--r-- | chromium/net/ssl/client_cert_identity.h | 3 | ||||
-rw-r--r-- | chromium/net/ssl/client_cert_store_mac.cc | 128 | ||||
-rw-r--r-- | chromium/net/ssl/client_cert_store_nss.cc | 7 | ||||
-rw-r--r-- | chromium/net/ssl/client_cert_store_nss_unittest.cc | 20 | ||||
-rw-r--r-- | chromium/net/ssl/client_cert_store_unittest-inl.h | 2 | ||||
-rw-r--r-- | chromium/net/ssl/client_cert_store_win.cc | 13 | ||||
-rw-r--r-- | chromium/net/ssl/openssl_ssl_util.cc | 9 | ||||
-rw-r--r-- | chromium/net/ssl/ssl_client_session_cache.cc | 7 | ||||
-rw-r--r-- | chromium/net/ssl/ssl_client_session_cache.h | 4 | ||||
-rw-r--r-- | chromium/net/ssl/ssl_client_session_cache_unittest.cc | 12 | ||||
-rw-r--r-- | chromium/net/ssl/ssl_config.cc | 6 | ||||
-rw-r--r-- | chromium/net/ssl/ssl_config.h | 10 | ||||
-rw-r--r-- | chromium/net/ssl/ssl_config_unittest.cc | 58 | ||||
-rw-r--r-- | chromium/net/ssl/ssl_info.cc | 1 | ||||
-rw-r--r-- | chromium/net/ssl/ssl_info.h | 4 | ||||
-rw-r--r-- | chromium/net/ssl/ssl_platform_key_util.cc | 8 |
17 files changed, 187 insertions, 121 deletions
diff --git a/chromium/net/ssl/client_cert_identity.cc b/chromium/net/ssl/client_cert_identity.cc index 3b89f41f757..928aafde8ab 100644 --- a/chromium/net/ssl/client_cert_identity.cc +++ b/chromium/net/ssl/client_cert_identity.cc @@ -5,6 +5,7 @@ #include "net/ssl/client_cert_identity.h" #include "base/bind.h" +#include "net/cert/x509_util.h" #include "net/ssl/ssl_private_key.h" namespace net { @@ -38,7 +39,7 @@ void ClientCertIdentity::SelfOwningAcquirePrivateKey( } void ClientCertIdentity::SetIntermediates( - X509Certificate::OSCertHandles intermediates) { + std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates) { // Allow UTF-8 inside PrintableStrings in client certificates. See // crbug.com/770323. // TODO(mattm): Perhaps X509Certificate should have a method to clone the @@ -47,9 +48,10 @@ void ClientCertIdentity::SetIntermediates( // X509Certificate was initially created.) X509Certificate::UnsafeCreateOptions options; options.printable_string_is_utf8 = true; - cert_ = X509Certificate::CreateFromHandleUnsafeOptions( - cert_->os_cert_handle(), intermediates, options); - // |cert_->os_cert_handle()| was already successfully parsed, so this should + cert_ = X509Certificate::CreateFromBufferUnsafeOptions( + x509_util::DupCryptoBuffer(cert_->cert_buffer()), + std::move(intermediates), options); + // |cert_->cert_buffer()| was already successfully parsed, so this should // never fail. DCHECK(cert_); } @@ -82,10 +84,8 @@ bool ClientCertIdentitySorter::operator()( return a->valid_start() > b->valid_start(); // Otherwise, prefer client certificates with shorter chains. - const X509Certificate::OSCertHandles& a_intermediates = - a->GetIntermediateCertificates(); - const X509Certificate::OSCertHandles& b_intermediates = - b->GetIntermediateCertificates(); + const auto& a_intermediates = a->intermediate_buffers(); + const auto& b_intermediates = b->intermediate_buffers(); return a_intermediates.size() < b_intermediates.size(); } diff --git a/chromium/net/ssl/client_cert_identity.h b/chromium/net/ssl/client_cert_identity.h index 1f8e4cb79be..6848217b2d2 100644 --- a/chromium/net/ssl/client_cert_identity.h +++ b/chromium/net/ssl/client_cert_identity.h @@ -56,7 +56,8 @@ class NET_EXPORT ClientCertIdentity { // this will change the value of |certificate()|, and any references that // were retained to the previous value will not reflect the updated // intermediates list. - void SetIntermediates(X509Certificate::OSCertHandles intermediates); + void SetIntermediates( + std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates); private: scoped_refptr<net::X509Certificate> cert_; diff --git a/chromium/net/ssl/client_cert_store_mac.cc b/chromium/net/ssl/client_cert_store_mac.cc index cbbc35b4b61..b2fb32d680b 100644 --- a/chromium/net/ssl/client_cert_store_mac.cc +++ b/chromium/net/ssl/client_cert_store_mac.cc @@ -13,6 +13,8 @@ #include <algorithm> #include <memory> #include <string> +#include <utility> +#include <vector> #include "base/bind.h" #include "base/bind_helpers.h" @@ -132,7 +134,13 @@ bool IsIssuedByInKeychain(const std::vector<std::string>& valid_issuers, if (!new_cert || !new_cert->IsIssuedByEncoded(valid_issuers)) return false; - identity->SetIntermediates(new_cert->GetIntermediateCertificates()); + std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediate_buffers; + intermediate_buffers.reserve(new_cert->intermediate_buffers().size()); + for (const auto& intermediate : new_cert->intermediate_buffers()) { + intermediate_buffers.push_back( + x509_util::DupCryptoBuffer(intermediate.get())); + } + identity->SetIntermediates(std::move(intermediate_buffers)); return true; } @@ -193,7 +201,7 @@ bool SupportsSSLClientAuth(SecCertificateRef cert) { // storing the matching certificates in |selected_identities|. // If |query_keychain| is true, Keychain Services will be queried to construct // full certificate chains. If it is false, only the the certificates and their -// intermediates (available via X509Certificate::GetIntermediateCertificates()) +// intermediates (available via X509Certificate::intermediate_buffers()) // will be considered. void GetClientCertsImpl(std::unique_ptr<ClientCertIdentity> preferred_identity, ClientCertIdentityList regular_identities, @@ -219,9 +227,9 @@ void GetClientCertsImpl(std::unique_ptr<ClientCertIdentity> preferred_identity, selected_identities->begin(), selected_identities->end(), [&cert]( const std::unique_ptr<ClientCertIdentity>& other_cert_identity) { - return X509Certificate::IsSameOSCert( - cert->certificate()->os_cert_handle(), - other_cert_identity->certificate()->os_cert_handle()); + return x509_util::CryptoBufferEqual( + cert->certificate()->cert_buffer(), + other_cert_identity->certificate()->cert_buffer()); }); if (cert_iter != selected_identities->end()) continue; @@ -236,19 +244,56 @@ void GetClientCertsImpl(std::unique_ptr<ClientCertIdentity> preferred_identity, } // Preferred cert should appear first in the ui, so exclude it from the - // sorting. Compare the os_cert_handle since the X509Certificate object may + // sorting. Compare the cert_buffer since the X509Certificate object may // have changed if intermediates were added. ClientCertIdentityList::iterator sort_begin = selected_identities->begin(); ClientCertIdentityList::iterator sort_end = selected_identities->end(); if (preferred_cert_orig && sort_begin != sort_end && - X509Certificate::IsSameOSCert( - sort_begin->get()->certificate()->os_cert_handle(), - preferred_cert_orig->os_cert_handle())) { + x509_util::CryptoBufferEqual( + sort_begin->get()->certificate()->cert_buffer(), + preferred_cert_orig->cert_buffer())) { ++sort_begin; } sort(sort_begin, sort_end, ClientCertIdentitySorter()); } +// Given a |sec_identity|, identifies its corresponding certificate, and either +// adds it to |regular_identities| or assigns it to |preferred_identity|, if the +// |sec_identity| matches the |preferred_sec_identity|. +void AddIdentity(ScopedCFTypeRef<SecIdentityRef> sec_identity, + SecIdentityRef preferred_sec_identity, + ClientCertIdentityList* regular_identities, + std::unique_ptr<ClientCertIdentity>* preferred_identity) { + OSStatus err; + ScopedCFTypeRef<SecCertificateRef> cert_handle; + err = SecIdentityCopyCertificate(sec_identity.get(), + cert_handle.InitializeInto()); + if (err != noErr) + return; + + if (!SupportsSSLClientAuth(cert_handle.get())) + return; + + // Allow UTF-8 inside PrintableStrings in client certificates. See + // crbug.com/770323. + X509Certificate::UnsafeCreateOptions options; + options.printable_string_is_utf8 = true; + scoped_refptr<X509Certificate> cert( + x509_util::CreateX509CertificateFromSecCertificate(cert_handle.get(), {}, + options)); + if (!cert) + return; + + if (preferred_sec_identity && + CFEqual(preferred_sec_identity, sec_identity.get())) { + *preferred_identity = std::make_unique<ClientCertIdentityMac>( + std::move(cert), std::move(sec_identity)); + } else { + regular_identities->push_back(std::make_unique<ClientCertIdentityMac>( + std::move(cert), std::move(sec_identity))); + } +} + ClientCertIdentityList GetClientCertsOnBackgroundThread( const SSLCertRequestInfo& request) { std::string server_domain = request.host_and_port.host(); @@ -293,36 +338,8 @@ ClientCertIdentityList GetClientCertsOnBackgroundThread( } if (err) break; - - ScopedCFTypeRef<SecCertificateRef> cert_handle; - err = SecIdentityCopyCertificate(sec_identity.get(), - cert_handle.InitializeInto()); - if (err != noErr) - continue; - - if (!SupportsSSLClientAuth(cert_handle.get())) - continue; - - // Allow UTF-8 inside PrintableStrings in client certificates. See - // crbug.com/770323. - X509Certificate::UnsafeCreateOptions options; - options.printable_string_is_utf8 = true; - scoped_refptr<X509Certificate> cert( - x509_util::CreateX509CertificateFromSecCertificate( - cert_handle.get(), std::vector<SecCertificateRef>(), options)); - if (!cert) - continue; - - if (preferred_sec_identity && - CFEqual(preferred_sec_identity, sec_identity.get())) { - // Only one certificate should match. - DCHECK(!preferred_identity.get()); - preferred_identity = std::make_unique<ClientCertIdentityMac>( - std::move(cert), std::move(sec_identity)); - } else { - regular_identities.push_back(std::make_unique<ClientCertIdentityMac>( - std::move(cert), std::move(sec_identity))); - } + AddIdentity(std::move(sec_identity), preferred_sec_identity.get(), + ®ular_identities, &preferred_identity); } if (err != errSecItemNotFound) { @@ -330,6 +347,39 @@ ClientCertIdentityList GetClientCertsOnBackgroundThread( return ClientCertIdentityList(); } + // macOS provides two ways to search for identities. SecIdentitySearchCreate() + // is deprecated, as it relies on CSSM_KEYUSE_SIGN (part of the deprecated + // CDSM/CSSA implementation), but is necessary to return some certificates + // that would otherwise not be returned by SecItemCopyMatching(), which is the + // non-deprecated way. However, SecIdentitySearchCreate() will not return all + // items, particularly smart-card based identities, so it's necessary to call + // both functions. + static const void* kKeys[] = { + kSecClass, kSecMatchLimit, kSecReturnRef, kSecAttrCanSign, + }; + static const void* kValues[] = { + kSecClassIdentity, kSecMatchLimitAll, kCFBooleanTrue, kCFBooleanTrue, + }; + ScopedCFTypeRef<CFDictionaryRef> query(CFDictionaryCreate( + kCFAllocatorDefault, kKeys, kValues, arraysize(kValues), + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks)); + ScopedCFTypeRef<CFArrayRef> result; + { + base::AutoLock lock(crypto::GetMacSecurityServicesLock()); + err = SecItemCopyMatching( + query, reinterpret_cast<CFTypeRef*>(result.InitializeInto())); + } + if (!err) { + for (CFIndex i = 0; i < CFArrayGetCount(result); i++) { + SecIdentityRef item = reinterpret_cast<SecIdentityRef>( + const_cast<void*>(CFArrayGetValueAtIndex(result, i))); + AddIdentity( + ScopedCFTypeRef<SecIdentityRef>(item, base::scoped_policy::RETAIN), + preferred_sec_identity.get(), ®ular_identities, + &preferred_identity); + } + } + ClientCertIdentityList selected_identities; GetClientCertsImpl(std::move(preferred_identity), std::move(regular_identities), request, true, diff --git a/chromium/net/ssl/client_cert_store_nss.cc b/chromium/net/ssl/client_cert_store_nss.cc index 512b38e81cb..7c773ee51d1 100644 --- a/chromium/net/ssl/client_cert_store_nss.cc +++ b/chromium/net/ssl/client_cert_store_nss.cc @@ -115,25 +115,22 @@ void ClientCertStoreNSS::FilterCertsOnWorkerThread( continue; } - X509Certificate::OSCertHandles intermediates_raw; - intermediates_raw.reserve(nss_intermediates.size()); std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates; intermediates.reserve(nss_intermediates.size()); for (const ScopedCERTCertificate& nss_intermediate : nss_intermediates) { bssl::UniquePtr<CRYPTO_BUFFER> intermediate_cert_handle( - X509Certificate::CreateOSCertHandleFromBytes( + X509Certificate::CreateCertBufferFromBytes( reinterpret_cast<const char*>(nss_intermediate->derCert.data), nss_intermediate->derCert.len)); if (!intermediate_cert_handle) break; - intermediates_raw.push_back(intermediate_cert_handle.get()); intermediates.push_back(std::move(intermediate_cert_handle)); } // Retain a copy of the intermediates. Some deployments expect the client to // supply intermediates out of the local store. See // https://crbug.com/548631. - (*examine_iter)->SetIntermediates(intermediates_raw); + (*examine_iter)->SetIntermediates(std::move(intermediates)); if (examine_iter == keep_iter) ++keep_iter; diff --git a/chromium/net/ssl/client_cert_store_nss_unittest.cc b/chromium/net/ssl/client_cert_store_nss_unittest.cc index 5b9b323a167..859a38c59e9 100644 --- a/chromium/net/ssl/client_cert_store_nss_unittest.cc +++ b/chromium/net/ssl/client_cert_store_nss_unittest.cc @@ -110,9 +110,9 @@ TEST(ClientCertStoreNSSTest, BuildsCertificateChain) { ASSERT_EQ(1u, selected_identities.size()); scoped_refptr<X509Certificate> selected_cert = selected_identities[0]->certificate(); - EXPECT_TRUE(X509Certificate::IsSameOSCert(client_1->os_cert_handle(), - selected_cert->os_cert_handle())); - ASSERT_EQ(0u, selected_cert->GetIntermediateCertificates().size()); + EXPECT_TRUE(x509_util::CryptoBufferEqual(client_1->cert_buffer(), + selected_cert->cert_buffer())); + ASSERT_EQ(0u, selected_cert->intermediate_buffers().size()); scoped_refptr<SSLPrivateKey> ssl_private_key; base::RunLoop key_loop; @@ -144,12 +144,12 @@ TEST(ClientCertStoreNSSTest, BuildsCertificateChain) { ASSERT_EQ(1u, selected_identities.size()); scoped_refptr<X509Certificate> selected_cert = selected_identities[0]->certificate(); - EXPECT_TRUE(X509Certificate::IsSameOSCert(client_1->os_cert_handle(), - selected_cert->os_cert_handle())); - ASSERT_EQ(1u, selected_cert->GetIntermediateCertificates().size()); - EXPECT_TRUE(X509Certificate::IsSameOSCert( - client_1_ca->os_cert_handle(), - selected_cert->GetIntermediateCertificates()[0])); + EXPECT_TRUE(x509_util::CryptoBufferEqual(client_1->cert_buffer(), + selected_cert->cert_buffer())); + ASSERT_EQ(1u, selected_cert->intermediate_buffers().size()); + EXPECT_TRUE(x509_util::CryptoBufferEqual( + client_1_ca->cert_buffer(), + selected_cert->intermediate_buffers()[0].get())); scoped_refptr<SSLPrivateKey> ssl_private_key; base::RunLoop key_loop; @@ -221,7 +221,7 @@ TEST(ClientCertStoreNSSTest, SubjectPrintableStringContainingUTF8) { scoped_refptr<X509Certificate> selected_cert = selected_identities[0]->certificate(); EXPECT_TRUE(x509_util::IsSameCertificate(cert.get(), selected_cert.get())); - EXPECT_EQ(0u, selected_cert->GetIntermediateCertificates().size()); + EXPECT_EQ(0u, selected_cert->intermediate_buffers().size()); scoped_refptr<SSLPrivateKey> ssl_private_key; base::RunLoop key_loop; diff --git a/chromium/net/ssl/client_cert_store_unittest-inl.h b/chromium/net/ssl/client_cert_store_unittest-inl.h index 4da72c4afbd..7cc02d3d4be 100644 --- a/chromium/net/ssl/client_cert_store_unittest-inl.h +++ b/chromium/net/ssl/client_cert_store_unittest-inl.h @@ -152,7 +152,7 @@ TYPED_TEST_P(ClientCertStoreTest, PrintableStringContainingUTF8) { X509Certificate::UnsafeCreateOptions options; options.printable_string_is_utf8 = true; scoped_refptr<X509Certificate> cert = - X509Certificate::CreateFromHandleUnsafeOptions(cert_handle.get(), {}, + X509Certificate::CreateFromBufferUnsafeOptions(std::move(cert_handle), {}, options); ASSERT_TRUE(cert); diff --git a/chromium/net/ssl/client_cert_store_win.cc b/chromium/net/ssl/client_cert_store_win.cc index 6622ea417f4..d9c271f3ab1 100644 --- a/chromium/net/ssl/client_cert_store_win.cc +++ b/chromium/net/ssl/client_cert_store_win.cc @@ -25,6 +25,7 @@ #include "net/ssl/ssl_platform_key_util.h" #include "net/ssl/ssl_platform_key_win.h" #include "net/ssl/ssl_private_key.h" +#include "third_party/boringssl/src/include/openssl/pool.h" namespace net { @@ -273,16 +274,16 @@ bool ClientCertStoreWin::SelectClientCertsForTesting( return false; // Add available certificates to the test store. - for (size_t i = 0; i < input_certs.size(); ++i) { + for (const auto& input_cert : input_certs) { // Add the certificate to the test store. PCCERT_CONTEXT cert = NULL; - std::string der_cert; - X509Certificate::GetDEREncoded(input_certs[i]->os_cert_handle(), &der_cert); if (!CertAddEncodedCertificateToStore( test_store, X509_ASN_ENCODING, - reinterpret_cast<const BYTE*>(der_cert.data()), - base::checked_cast<DWORD>(der_cert.size()), CERT_STORE_ADD_NEW, - &cert)) { + reinterpret_cast<const BYTE*>( + CRYPTO_BUFFER_data(input_cert->cert_buffer())), + base::checked_cast<DWORD>( + CRYPTO_BUFFER_len(input_cert->cert_buffer())), + CERT_STORE_ADD_NEW, &cert)) { return false; } // Hold the reference to the certificate (since we requested a copy). diff --git a/chromium/net/ssl/openssl_ssl_util.cc b/chromium/net/ssl/openssl_ssl_util.cc index ae0fb4f75e9..b2067f1fe1f 100644 --- a/chromium/net/ssl/openssl_ssl_util.cc +++ b/chromium/net/ssl/openssl_ssl_util.cc @@ -231,11 +231,10 @@ bool SetSSLChainAndKey(SSL* ssl, EVP_PKEY* pkey, const SSL_PRIVATE_KEY_METHOD* custom_key) { std::vector<CRYPTO_BUFFER*> chain_raw; - chain_raw.push_back(cert->os_cert_handle()); - for (X509Certificate::OSCertHandle handle : - cert->GetIntermediateCertificates()) { - chain_raw.push_back(handle); - } + chain_raw.reserve(1 + cert->intermediate_buffers().size()); + chain_raw.push_back(cert->cert_buffer()); + for (const auto& handle : cert->intermediate_buffers()) + chain_raw.push_back(handle.get()); if (!SSL_set_chain_and_key(ssl, chain_raw.data(), chain_raw.size(), pkey, custom_key)) { diff --git a/chromium/net/ssl/ssl_client_session_cache.cc b/chromium/net/ssl/ssl_client_session_cache.cc index eebca7640b3..f7fcdfa6e8a 100644 --- a/chromium/net/ssl/ssl_client_session_cache.cc +++ b/chromium/net/ssl/ssl_client_session_cache.cc @@ -17,7 +17,7 @@ namespace net { SSLClientSessionCache::SSLClientSessionCache(const Config& config) - : clock_(new base::DefaultClock), + : clock_(base::DefaultClock::GetInstance()), config_(config), cache_(config.max_entries), lookups_since_flush_(0) { @@ -87,9 +87,8 @@ void SSLClientSessionCache::Flush() { cache_.Clear(); } -void SSLClientSessionCache::SetClockForTesting( - std::unique_ptr<base::Clock> clock) { - clock_ = std::move(clock); +void SSLClientSessionCache::SetClockForTesting(base::Clock* clock) { + clock_ = clock; } bool SSLClientSessionCache::IsExpired(SSL_SESSION* session, time_t now) { diff --git a/chromium/net/ssl/ssl_client_session_cache.h b/chromium/net/ssl/ssl_client_session_cache.h index 865206ffe5e..ad64c8062db 100644 --- a/chromium/net/ssl/ssl_client_session_cache.h +++ b/chromium/net/ssl/ssl_client_session_cache.h @@ -64,7 +64,7 @@ class NET_EXPORT SSLClientSessionCache : public base::MemoryCoordinatorClient { // Removes all entries from the cache. void Flush(); - void SetClockForTesting(std::unique_ptr<base::Clock> clock); + void SetClockForTesting(base::Clock* clock); // Dumps memory allocation stats. |pmd| is the ProcessMemoryDump of the // browser process. @@ -101,7 +101,7 @@ class NET_EXPORT SSLClientSessionCache : public base::MemoryCoordinatorClient { void OnMemoryPressure( base::MemoryPressureListener::MemoryPressureLevel memory_pressure_level); - std::unique_ptr<base::Clock> clock_; + base::Clock* clock_; Config config_; base::HashingMRUCache<std::string, Entry> cache_; size_t lookups_since_flush_; diff --git a/chromium/net/ssl/ssl_client_session_cache_unittest.cc b/chromium/net/ssl/ssl_client_session_cache_unittest.cc index 6b6299186a2..461fb189561 100644 --- a/chromium/net/ssl/ssl_client_session_cache_unittest.cc +++ b/chromium/net/ssl/ssl_client_session_cache_unittest.cc @@ -313,8 +313,8 @@ TEST_F(SSLClientSessionCacheTest, Expiration) { SSLClientSessionCache::Config config; config.expiration_check_count = kExpirationCheckCount; SSLClientSessionCache cache(config); - base::SimpleTestClock* clock = MakeTestClock().release(); - cache.SetClockForTesting(base::WrapUnique(clock)); + std::unique_ptr<base::SimpleTestClock> clock = MakeTestClock(); + cache.SetClockForTesting(clock.get()); // Add |kNumEntries - 1| entries. for (size_t i = 0; i < kNumEntries - 1; i++) { @@ -362,8 +362,8 @@ TEST_F(SSLClientSessionCacheTest, LookupExpirationCheck) { SSLClientSessionCache::Config config; config.expiration_check_count = kExpirationCheckCount; SSLClientSessionCache cache(config); - base::SimpleTestClock* clock = MakeTestClock().release(); - cache.SetClockForTesting(base::WrapUnique(clock)); + std::unique_ptr<base::SimpleTestClock> clock = MakeTestClock(); + cache.SetClockForTesting(clock.get()); // Insert an entry into the session cache. bssl::UniquePtr<SSL_SESSION> session = @@ -410,8 +410,8 @@ TEST_F(SSLClientSessionCacheTest, TestFlushOnMemoryNotifications) { SSLClientSessionCache::Config config; config.expiration_check_count = kExpirationCheckCount; SSLClientSessionCache cache(config); - base::SimpleTestClock* clock = MakeTestClock().release(); - cache.SetClockForTesting(base::WrapUnique(clock)); + std::unique_ptr<base::SimpleTestClock> clock = MakeTestClock(); + cache.SetClockForTesting(clock.get()); // Insert an entry into the session cache. bssl::UniquePtr<SSL_SESSION> session1 = diff --git a/chromium/net/ssl/ssl_config.cc b/chromium/net/ssl/ssl_config.cc index a460ebe038f..72d63d83a28 100644 --- a/chromium/net/ssl/ssl_config.cc +++ b/chromium/net/ssl/ssl_config.cc @@ -12,7 +12,7 @@ const uint16_t kDefaultSSLVersionMin = SSL_PROTOCOL_VERSION_TLS1; const uint16_t kDefaultSSLVersionMax = SSL_PROTOCOL_VERSION_TLS1_2; -const TLS13Variant kDefaultTLS13Variant = kTLS13VariantDraft; +const TLS13Variant kDefaultTLS13Variant = kTLS13VariantDraft22; SSLConfig::CertAndStatus::CertAndStatus() = default; SSLConfig::CertAndStatus::CertAndStatus(scoped_refptr<X509Certificate> cert_arg, @@ -26,6 +26,7 @@ SSLConfig::SSLConfig() rev_checking_required_local_anchors(false), sha1_local_anchors_enabled(true), common_name_fallback_local_anchors_enabled(true), + symantec_enforcement_disabled(false), version_min(kDefaultSSLVersionMin), version_max(kDefaultSSLVersionMax), tls13_variant(kDefaultTLS13Variant), @@ -69,6 +70,9 @@ int SSLConfig::GetCertVerifyFlags() const { flags |= CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS; if (common_name_fallback_local_anchors_enabled) flags |= CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS; + if (symantec_enforcement_disabled) + flags |= CertVerifier::VERIFY_DISABLE_SYMANTEC_ENFORCEMENT; + return flags; } diff --git a/chromium/net/ssl/ssl_config.h b/chromium/net/ssl/ssl_config.h index cf6c693f425..d1d677179d1 100644 --- a/chromium/net/ssl/ssl_config.h +++ b/chromium/net/ssl/ssl_config.h @@ -36,10 +36,9 @@ enum TokenBindingParam { }; enum TLS13Variant { - kTLS13VariantDraft, - kTLS13VariantExperiment, kTLS13VariantExperiment2, - kTLS13VariantExperiment3, + kTLS13VariantDraft22, + kTLS13VariantDraft23, }; // Default minimum protocol version. @@ -94,6 +93,11 @@ struct NET_EXPORT SSLConfig { // (non-public) trust anchor will be allowed to match. bool common_name_fallback_local_anchors_enabled; + // symantec_enforcement_disabled is true if the policies outlined in + // https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html + // should not be enforced. + bool symantec_enforcement_disabled; + // The minimum and maximum protocol versions that are enabled. // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.) // SSL 2.0 and SSL 3.0 are not supported. If version_max < version_min, it diff --git a/chromium/net/ssl/ssl_config_unittest.cc b/chromium/net/ssl/ssl_config_unittest.cc index 437edd5bd02..e3fca97dec2 100644 --- a/chromium/net/ssl/ssl_config_unittest.cc +++ b/chromium/net/ssl/ssl_config_unittest.cc @@ -15,32 +15,25 @@ void CheckCertVerifyFlags(SSLConfig* ssl_config, bool rev_checking_enabled, bool verify_ev_cert, bool cert_io_enabled, - bool rev_checking_required_local_anchors) { + bool rev_checking_required_local_anchors, + bool symantec_enforcement_disabled) { ssl_config->rev_checking_enabled = rev_checking_enabled; ssl_config->verify_ev_cert = verify_ev_cert; ssl_config->cert_io_enabled = cert_io_enabled; ssl_config->rev_checking_required_local_anchors = rev_checking_required_local_anchors; + ssl_config->symantec_enforcement_disabled = symantec_enforcement_disabled; + int flags = ssl_config->GetCertVerifyFlags(); - if (rev_checking_enabled) - EXPECT_TRUE(flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED); - else - EXPECT_FALSE(flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED); - if (verify_ev_cert) - EXPECT_TRUE(flags & CertVerifier::VERIFY_EV_CERT); - else - EXPECT_FALSE(flags & CertVerifier::VERIFY_EV_CERT); - if (cert_io_enabled) - EXPECT_TRUE(flags & CertVerifier::VERIFY_CERT_IO_ENABLED); - else - EXPECT_FALSE(flags & CertVerifier::VERIFY_CERT_IO_ENABLED); - if (rev_checking_required_local_anchors) { - EXPECT_TRUE(flags & - CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS); - } else { - EXPECT_FALSE(flags & - CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS); - } + EXPECT_EQ(rev_checking_enabled, + !!(flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED)); + EXPECT_EQ(verify_ev_cert, !!(flags & CertVerifier::VERIFY_EV_CERT)); + EXPECT_EQ(cert_io_enabled, !!(flags & CertVerifier::VERIFY_CERT_IO_ENABLED)); + EXPECT_EQ( + rev_checking_required_local_anchors, + !!(flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS)); + EXPECT_EQ(symantec_enforcement_disabled, + !!(flags & CertVerifier::VERIFY_DISABLE_SYMANTEC_ENFORCEMENT)); } } // namespace @@ -51,37 +44,50 @@ TEST(SSLConfigTest, GetCertVerifyFlags) { /*rev_checking_enabled=*/true, /*verify_ev_cert=*/true, /*cert_io_enabled=*/true, - /*rev_checking_required_local_anchors=*/true); + /*rev_checking_required_local_anchors=*/true, + /*symantec_enforcement_disabled=*/true); CheckCertVerifyFlags(&ssl_config, /*rev_checking_enabled=*/false, /*verify_ev_cert=*/false, /*cert_io_enabled=*/false, - /*rev_checking_required_local_anchors=*/false); + /*rev_checking_required_local_anchors=*/false, + /*symantec_enforcement_disabled=*/false); CheckCertVerifyFlags(&ssl_config, /*rev_checking_enabled=*/true, /*verify_ev_cert=*/false, /*cert_io_enabled=*/false, - /*rev_checking_required_local_anchors=*/false); + /*rev_checking_required_local_anchors=*/false, + /*symantec_enforcement_disabled=*/false); CheckCertVerifyFlags(&ssl_config, /*rev_checking_enabled=*/false, /*verify_ev_cert=*/true, /*cert_io_enabled=*/false, - /*rev_checking_required_local_anchors=*/false); + /*rev_checking_required_local_anchors=*/false, + /*symantec_enforcement_disabled=*/false); CheckCertVerifyFlags(&ssl_config, /*rev_checking_enabled=*/false, /*verify_ev_cert=*/false, /*cert_io_enabled=*/true, - /*rev_checking_required_local_anchors=*/false); + /*rev_checking_required_local_anchors=*/false, + /*symantec_enforcement_disabled=*/false); CheckCertVerifyFlags(&ssl_config, /*rev_checking_enabled=*/false, /*verify_ev_cert=*/false, /*cert_io_enabled=*/false, - /*rev_checking_required_local_anchors=*/true); + /*rev_checking_required_local_anchors=*/true, + /*symantec_enforcement_disabled=*/false); + + CheckCertVerifyFlags(&ssl_config, + /*rev_checking_enabled=*/false, + /*verify_ev_cert=*/false, + /*cert_io_enabled=*/true, + /*rev_checking_required_local_anchors=*/false, + /*symantec_enforcement_disabled=*/true); } } // namespace net diff --git a/chromium/net/ssl/ssl_info.cc b/chromium/net/ssl/ssl_info.cc index 28fcc140d66..f80610f22ee 100644 --- a/chromium/net/ssl/ssl_info.cc +++ b/chromium/net/ssl/ssl_info.cc @@ -48,6 +48,7 @@ void SSLInfo::Reset() { ct::CTPolicyCompliance::CT_POLICY_COMPLIANCE_DETAILS_NOT_AVAILABLE; ct_policy_compliance_required = false; ocsp_result = OCSPVerifyResult(); + is_fatal_cert_error = false; } void SSLInfo::SetCertError(int error) { diff --git a/chromium/net/ssl/ssl_info.h b/chromium/net/ssl/ssl_info.h index fd39bbc9f62..2d903cf26df 100644 --- a/chromium/net/ssl/ssl_info.h +++ b/chromium/net/ssl/ssl_info.h @@ -139,6 +139,10 @@ class NET_EXPORT SSLInfo { // OCSP stapling details. OCSPVerifyResult ocsp_result; + + // True if there was a certificate error which should be treated as fatal, + // and false otherwise. + bool is_fatal_cert_error; }; } // namespace net diff --git a/chromium/net/ssl/ssl_platform_key_util.cc b/chromium/net/ssl/ssl_platform_key_util.cc index 46ba59f064f..70df11b4fd7 100644 --- a/chromium/net/ssl/ssl_platform_key_util.cc +++ b/chromium/net/ssl/ssl_platform_key_util.cc @@ -12,6 +12,7 @@ #include "crypto/openssl_util.h" #include "net/cert/asn1_util.h" #include "net/cert/x509_certificate.h" +#include "net/cert/x509_util.h" #include "third_party/boringssl/src/include/openssl/bytestring.h" #include "third_party/boringssl/src/include/openssl/ec_key.h" #include "third_party/boringssl/src/include/openssl/evp.h" @@ -54,11 +55,10 @@ bool GetClientCertInfo(const X509Certificate* certificate, size_t* out_max_length) { crypto::OpenSSLErrStackTracer tracker(FROM_HERE); - std::string der_encoded; base::StringPiece spki; - if (!X509Certificate::GetDEREncoded(certificate->os_cert_handle(), - &der_encoded) || - !asn1::ExtractSPKIFromDERCert(der_encoded, &spki)) { + if (!asn1::ExtractSPKIFromDERCert( + x509_util::CryptoBufferAsStringPiece(certificate->cert_buffer()), + &spki)) { LOG(ERROR) << "Could not extract SPKI from certificate."; return false; } |