BASELINE: Update Chromium to 65.0.3525.40

Also imports missing submodules Change-Id: I36901b7c6a325cda3d2c10cedb2186c25af3b79b Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2018-01-31 16:33:43 +0100
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2018-02-06 16:33:22 +0000
commit: da51f56cc21233c2d30f0fe0d171727c3102b2e0 (patch)
tree: 4e579ab70ce4b19bee7984237f3ce05a96d59d83 /chromium/net/ssl
parent: c8c2d1901aec01e934adf561a9fdf0cc776cdef8 (diff)
download: qtwebengine-chromium-da51f56cc21233c2d30f0fe0d171727c3102b2e0.tar.gz
17 files changed, 187 insertions, 121 deletions
diff --git a/chromium/net/ssl/client_cert_identity.cc b/chromium/net/ssl/client_cert_identity.cc
index 3b89f41f757..928aafde8ab 100644
--- a/chromium/net/ssl/client_cert_identity.cc
+++ b/chromium/net/ssl/client_cert_identity.cc
@@ -5,6 +5,7 @@
 #include "net/ssl/client_cert_identity.h"
 
 #include "base/bind.h"
+#include "net/cert/x509_util.h"
 #include "net/ssl/ssl_private_key.h"
 
 namespace net {
@@ -38,7 +39,7 @@ void ClientCertIdentity::SelfOwningAcquirePrivateKey(
 }
 
 void ClientCertIdentity::SetIntermediates(
-    X509Certificate::OSCertHandles intermediates) {
+    std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates) {
   // Allow UTF-8 inside PrintableStrings in client certificates. See
   // crbug.com/770323.
   // TODO(mattm): Perhaps X509Certificate should have a method to clone the
@@ -47,9 +48,10 @@ void ClientCertIdentity::SetIntermediates(
   // X509Certificate was initially created.)
   X509Certificate::UnsafeCreateOptions options;
   options.printable_string_is_utf8 = true;
-  cert_ = X509Certificate::CreateFromHandleUnsafeOptions(
-      cert_->os_cert_handle(), intermediates, options);
-  // |cert_->os_cert_handle()| was already successfully parsed, so this should
+  cert_ = X509Certificate::CreateFromBufferUnsafeOptions(
+      x509_util::DupCryptoBuffer(cert_->cert_buffer()),
+      std::move(intermediates), options);
+  // |cert_->cert_buffer()| was already successfully parsed, so this should
   // never fail.
   DCHECK(cert_);
 }
@@ -82,10 +84,8 @@ bool ClientCertIdentitySorter::operator()(
     return a->valid_start() > b->valid_start();
 
   // Otherwise, prefer client certificates with shorter chains.
-  const X509Certificate::OSCertHandles& a_intermediates =
-      a->GetIntermediateCertificates();
-  const X509Certificate::OSCertHandles& b_intermediates =
-      b->GetIntermediateCertificates();
+  const auto& a_intermediates = a->intermediate_buffers();
+  const auto& b_intermediates = b->intermediate_buffers();
   return a_intermediates.size() < b_intermediates.size();
 }
 
diff --git a/chromium/net/ssl/client_cert_identity.h b/chromium/net/ssl/client_cert_identity.h
index 1f8e4cb79be..6848217b2d2 100644
--- a/chromium/net/ssl/client_cert_identity.h
+++ b/chromium/net/ssl/client_cert_identity.h
@@ -56,7 +56,8 @@ class NET_EXPORT ClientCertIdentity {
   // this will change the value of |certificate()|, and any references that
   // were retained to the previous value will not reflect the updated
   // intermediates list.
-  void SetIntermediates(X509Certificate::OSCertHandles intermediates);
+  void SetIntermediates(
+      std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates);
 
  private:
   scoped_refptr<net::X509Certificate> cert_;
diff --git a/chromium/net/ssl/client_cert_store_mac.cc b/chromium/net/ssl/client_cert_store_mac.cc
index cbbc35b4b61..b2fb32d680b 100644
--- a/chromium/net/ssl/client_cert_store_mac.cc
+++ b/chromium/net/ssl/client_cert_store_mac.cc
@@ -13,6 +13,8 @@
 #include <algorithm>
 #include <memory>
 #include <string>
+#include <utility>
+#include <vector>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
@@ -132,7 +134,13 @@ bool IsIssuedByInKeychain(const std::vector<std::string>& valid_issuers,
   if (!new_cert || !new_cert->IsIssuedByEncoded(valid_issuers))
     return false;
 
-  identity->SetIntermediates(new_cert->GetIntermediateCertificates());
+  std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediate_buffers;
+  intermediate_buffers.reserve(new_cert->intermediate_buffers().size());
+  for (const auto& intermediate : new_cert->intermediate_buffers()) {
+    intermediate_buffers.push_back(
+        x509_util::DupCryptoBuffer(intermediate.get()));
+  }
+  identity->SetIntermediates(std::move(intermediate_buffers));
   return true;
 }
 
@@ -193,7 +201,7 @@ bool SupportsSSLClientAuth(SecCertificateRef cert) {
 // storing the matching certificates in |selected_identities|.
 // If |query_keychain| is true, Keychain Services will be queried to construct
 // full certificate chains. If it is false, only the the certificates and their
-// intermediates (available via X509Certificate::GetIntermediateCertificates())
+// intermediates (available via X509Certificate::intermediate_buffers())
 // will be considered.
 void GetClientCertsImpl(std::unique_ptr<ClientCertIdentity> preferred_identity,
                         ClientCertIdentityList regular_identities,
@@ -219,9 +227,9 @@ void GetClientCertsImpl(std::unique_ptr<ClientCertIdentity> preferred_identity,
         selected_identities->begin(), selected_identities->end(),
         [&cert](
             const std::unique_ptr<ClientCertIdentity>& other_cert_identity) {
-          return X509Certificate::IsSameOSCert(
-              cert->certificate()->os_cert_handle(),
-              other_cert_identity->certificate()->os_cert_handle());
+          return x509_util::CryptoBufferEqual(
+              cert->certificate()->cert_buffer(),
+              other_cert_identity->certificate()->cert_buffer());
         });
     if (cert_iter != selected_identities->end())
       continue;
@@ -236,19 +244,56 @@ void GetClientCertsImpl(std::unique_ptr<ClientCertIdentity> preferred_identity,
   }
 
   // Preferred cert should appear first in the ui, so exclude it from the
-  // sorting.  Compare the os_cert_handle since the X509Certificate object may
+  // sorting.  Compare the cert_buffer since the X509Certificate object may
   // have changed if intermediates were added.
   ClientCertIdentityList::iterator sort_begin = selected_identities->begin();
   ClientCertIdentityList::iterator sort_end = selected_identities->end();
   if (preferred_cert_orig && sort_begin != sort_end &&
-      X509Certificate::IsSameOSCert(
-          sort_begin->get()->certificate()->os_cert_handle(),
-          preferred_cert_orig->os_cert_handle())) {
+      x509_util::CryptoBufferEqual(
+          sort_begin->get()->certificate()->cert_buffer(),
+          preferred_cert_orig->cert_buffer())) {
     ++sort_begin;
   }
   sort(sort_begin, sort_end, ClientCertIdentitySorter());
 }
 
+// Given a |sec_identity|, identifies its corresponding certificate, and either
+// adds it to |regular_identities| or assigns it to |preferred_identity|, if the
+// |sec_identity| matches the |preferred_sec_identity|.
+void AddIdentity(ScopedCFTypeRef<SecIdentityRef> sec_identity,
+                 SecIdentityRef preferred_sec_identity,
+                 ClientCertIdentityList* regular_identities,
+                 std::unique_ptr<ClientCertIdentity>* preferred_identity) {
+  OSStatus err;
+  ScopedCFTypeRef<SecCertificateRef> cert_handle;
+  err = SecIdentityCopyCertificate(sec_identity.get(),
+                                   cert_handle.InitializeInto());
+  if (err != noErr)
+    return;
+
+  if (!SupportsSSLClientAuth(cert_handle.get()))
+    return;
+
+  // Allow UTF-8 inside PrintableStrings in client certificates. See
+  // crbug.com/770323.
+  X509Certificate::UnsafeCreateOptions options;
+  options.printable_string_is_utf8 = true;
+  scoped_refptr<X509Certificate> cert(
+      x509_util::CreateX509CertificateFromSecCertificate(cert_handle.get(), {},
+                                                         options));
+  if (!cert)
+    return;
+
+  if (preferred_sec_identity &&
+      CFEqual(preferred_sec_identity, sec_identity.get())) {
+    *preferred_identity = std::make_unique<ClientCertIdentityMac>(
+        std::move(cert), std::move(sec_identity));
+  } else {
+    regular_identities->push_back(std::make_unique<ClientCertIdentityMac>(
+        std::move(cert), std::move(sec_identity)));
+  }
+}
+
 ClientCertIdentityList GetClientCertsOnBackgroundThread(
     const SSLCertRequestInfo& request) {
   std::string server_domain = request.host_and_port.host();
@@ -293,36 +338,8 @@ ClientCertIdentityList GetClientCertsOnBackgroundThread(
     }
     if (err)
       break;
-
-    ScopedCFTypeRef<SecCertificateRef> cert_handle;
-    err = SecIdentityCopyCertificate(sec_identity.get(),
-                                     cert_handle.InitializeInto());
-    if (err != noErr)
-      continue;
-
-    if (!SupportsSSLClientAuth(cert_handle.get()))
-      continue;
-
-    // Allow UTF-8 inside PrintableStrings in client certificates. See
-    // crbug.com/770323.
-    X509Certificate::UnsafeCreateOptions options;
-    options.printable_string_is_utf8 = true;
-    scoped_refptr<X509Certificate> cert(
-        x509_util::CreateX509CertificateFromSecCertificate(
-            cert_handle.get(), std::vector<SecCertificateRef>(), options));
-    if (!cert)
-      continue;
-
-    if (preferred_sec_identity &&
-        CFEqual(preferred_sec_identity, sec_identity.get())) {
-      // Only one certificate should match.
-      DCHECK(!preferred_identity.get());
-      preferred_identity = std::make_unique<ClientCertIdentityMac>(
-          std::move(cert), std::move(sec_identity));
-    } else {
-      regular_identities.push_back(std::make_unique<ClientCertIdentityMac>(
-          std::move(cert), std::move(sec_identity)));
-    }
+    AddIdentity(std::move(sec_identity), preferred_sec_identity.get(),
+                &regular_identities, &preferred_identity);
   }
 
   if (err != errSecItemNotFound) {
@@ -330,6 +347,39 @@ ClientCertIdentityList GetClientCertsOnBackgroundThread(
     return ClientCertIdentityList();
   }
 
+  // macOS provides two ways to search for identities. SecIdentitySearchCreate()
+  // is deprecated, as it relies on CSSM_KEYUSE_SIGN (part of the deprecated
+  // CDSM/CSSA implementation), but is necessary to return some certificates
+  // that would otherwise not be returned by SecItemCopyMatching(), which is the
+  // non-deprecated way. However, SecIdentitySearchCreate() will not return all
+  // items, particularly smart-card based identities, so it's necessary to call
+  // both functions.
+  static const void* kKeys[] = {
+      kSecClass, kSecMatchLimit, kSecReturnRef, kSecAttrCanSign,
+  };
+  static const void* kValues[] = {
+      kSecClassIdentity, kSecMatchLimitAll, kCFBooleanTrue, kCFBooleanTrue,
+  };
+  ScopedCFTypeRef<CFDictionaryRef> query(CFDictionaryCreate(
+      kCFAllocatorDefault, kKeys, kValues, arraysize(kValues),
+      &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));
+  ScopedCFTypeRef<CFArrayRef> result;
+  {
+    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
+    err = SecItemCopyMatching(
+        query, reinterpret_cast<CFTypeRef*>(result.InitializeInto()));
+  }
+  if (!err) {
+    for (CFIndex i = 0; i < CFArrayGetCount(result); i++) {
+      SecIdentityRef item = reinterpret_cast<SecIdentityRef>(
+          const_cast<void*>(CFArrayGetValueAtIndex(result, i)));
+      AddIdentity(
+          ScopedCFTypeRef<SecIdentityRef>(item, base::scoped_policy::RETAIN),
+          preferred_sec_identity.get(), &regular_identities,
+          &preferred_identity);
+    }
+  }
+
   ClientCertIdentityList selected_identities;
   GetClientCertsImpl(std::move(preferred_identity),
                      std::move(regular_identities), request, true,
diff --git a/chromium/net/ssl/client_cert_store_nss.cc b/chromium/net/ssl/client_cert_store_nss.cc
index 512b38e81cb..7c773ee51d1 100644
--- a/chromium/net/ssl/client_cert_store_nss.cc
+++ b/chromium/net/ssl/client_cert_store_nss.cc
@@ -115,25 +115,22 @@ void ClientCertStoreNSS::FilterCertsOnWorkerThread(
       continue;
     }
 
-    X509Certificate::OSCertHandles intermediates_raw;
-    intermediates_raw.reserve(nss_intermediates.size());
     std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
     intermediates.reserve(nss_intermediates.size());
     for (const ScopedCERTCertificate& nss_intermediate : nss_intermediates) {
       bssl::UniquePtr<CRYPTO_BUFFER> intermediate_cert_handle(
-          X509Certificate::CreateOSCertHandleFromBytes(
+          X509Certificate::CreateCertBufferFromBytes(
               reinterpret_cast<const char*>(nss_intermediate->derCert.data),
               nss_intermediate->derCert.len));
       if (!intermediate_cert_handle)
         break;
-      intermediates_raw.push_back(intermediate_cert_handle.get());
       intermediates.push_back(std::move(intermediate_cert_handle));
     }
 
     // Retain a copy of the intermediates. Some deployments expect the client to
     // supply intermediates out of the local store. See
     // https://crbug.com/548631.
-    (*examine_iter)->SetIntermediates(intermediates_raw);
+    (*examine_iter)->SetIntermediates(std::move(intermediates));
 
     if (examine_iter == keep_iter)
       ++keep_iter;
diff --git a/chromium/net/ssl/client_cert_store_nss_unittest.cc b/chromium/net/ssl/client_cert_store_nss_unittest.cc
index 5b9b323a167..859a38c59e9 100644
--- a/chromium/net/ssl/client_cert_store_nss_unittest.cc
+++ b/chromium/net/ssl/client_cert_store_nss_unittest.cc
@@ -110,9 +110,9 @@ TEST(ClientCertStoreNSSTest, BuildsCertificateChain) {
     ASSERT_EQ(1u, selected_identities.size());
     scoped_refptr<X509Certificate> selected_cert =
         selected_identities[0]->certificate();
-    EXPECT_TRUE(X509Certificate::IsSameOSCert(client_1->os_cert_handle(),
-                                              selected_cert->os_cert_handle()));
-    ASSERT_EQ(0u, selected_cert->GetIntermediateCertificates().size());
+    EXPECT_TRUE(x509_util::CryptoBufferEqual(client_1->cert_buffer(),
+                                             selected_cert->cert_buffer()));
+    ASSERT_EQ(0u, selected_cert->intermediate_buffers().size());
 
     scoped_refptr<SSLPrivateKey> ssl_private_key;
     base::RunLoop key_loop;
@@ -144,12 +144,12 @@ TEST(ClientCertStoreNSSTest, BuildsCertificateChain) {
     ASSERT_EQ(1u, selected_identities.size());
     scoped_refptr<X509Certificate> selected_cert =
         selected_identities[0]->certificate();
-    EXPECT_TRUE(X509Certificate::IsSameOSCert(client_1->os_cert_handle(),
-                                              selected_cert->os_cert_handle()));
-    ASSERT_EQ(1u, selected_cert->GetIntermediateCertificates().size());
-    EXPECT_TRUE(X509Certificate::IsSameOSCert(
-        client_1_ca->os_cert_handle(),
-        selected_cert->GetIntermediateCertificates()[0]));
+    EXPECT_TRUE(x509_util::CryptoBufferEqual(client_1->cert_buffer(),
+                                             selected_cert->cert_buffer()));
+    ASSERT_EQ(1u, selected_cert->intermediate_buffers().size());
+    EXPECT_TRUE(x509_util::CryptoBufferEqual(
+        client_1_ca->cert_buffer(),
+        selected_cert->intermediate_buffers()[0].get()));
 
     scoped_refptr<SSLPrivateKey> ssl_private_key;
     base::RunLoop key_loop;
@@ -221,7 +221,7 @@ TEST(ClientCertStoreNSSTest, SubjectPrintableStringContainingUTF8) {
   scoped_refptr<X509Certificate> selected_cert =
       selected_identities[0]->certificate();
   EXPECT_TRUE(x509_util::IsSameCertificate(cert.get(), selected_cert.get()));
-  EXPECT_EQ(0u, selected_cert->GetIntermediateCertificates().size());
+  EXPECT_EQ(0u, selected_cert->intermediate_buffers().size());
 
   scoped_refptr<SSLPrivateKey> ssl_private_key;
   base::RunLoop key_loop;
diff --git a/chromium/net/ssl/client_cert_store_unittest-inl.h b/chromium/net/ssl/client_cert_store_unittest-inl.h
index 4da72c4afbd..7cc02d3d4be 100644
--- a/chromium/net/ssl/client_cert_store_unittest-inl.h
+++ b/chromium/net/ssl/client_cert_store_unittest-inl.h
@@ -152,7 +152,7 @@ TYPED_TEST_P(ClientCertStoreTest, PrintableStringContainingUTF8) {
   X509Certificate::UnsafeCreateOptions options;
   options.printable_string_is_utf8 = true;
   scoped_refptr<X509Certificate> cert =
-      X509Certificate::CreateFromHandleUnsafeOptions(cert_handle.get(), {},
+      X509Certificate::CreateFromBufferUnsafeOptions(std::move(cert_handle), {},
                                                      options);
   ASSERT_TRUE(cert);
 
diff --git a/chromium/net/ssl/client_cert_store_win.cc b/chromium/net/ssl/client_cert_store_win.cc
index 6622ea417f4..d9c271f3ab1 100644
--- a/chromium/net/ssl/client_cert_store_win.cc
+++ b/chromium/net/ssl/client_cert_store_win.cc
@@ -25,6 +25,7 @@
 #include "net/ssl/ssl_platform_key_util.h"
 #include "net/ssl/ssl_platform_key_win.h"
 #include "net/ssl/ssl_private_key.h"
+#include "third_party/boringssl/src/include/openssl/pool.h"
 
 namespace net {
 
@@ -273,16 +274,16 @@ bool ClientCertStoreWin::SelectClientCertsForTesting(
     return false;
 
   // Add available certificates to the test store.
-  for (size_t i = 0; i < input_certs.size(); ++i) {
+  for (const auto& input_cert : input_certs) {
     // Add the certificate to the test store.
     PCCERT_CONTEXT cert = NULL;
-    std::string der_cert;
-    X509Certificate::GetDEREncoded(input_certs[i]->os_cert_handle(), &der_cert);
     if (!CertAddEncodedCertificateToStore(
             test_store, X509_ASN_ENCODING,
-            reinterpret_cast<const BYTE*>(der_cert.data()),
-            base::checked_cast<DWORD>(der_cert.size()), CERT_STORE_ADD_NEW,
-            &cert)) {
+            reinterpret_cast<const BYTE*>(
+                CRYPTO_BUFFER_data(input_cert->cert_buffer())),
+            base::checked_cast<DWORD>(
+                CRYPTO_BUFFER_len(input_cert->cert_buffer())),
+            CERT_STORE_ADD_NEW, &cert)) {
       return false;
     }
     // Hold the reference to the certificate (since we requested a copy).
diff --git a/chromium/net/ssl/openssl_ssl_util.cc b/chromium/net/ssl/openssl_ssl_util.cc
index ae0fb4f75e9..b2067f1fe1f 100644
--- a/chromium/net/ssl/openssl_ssl_util.cc
+++ b/chromium/net/ssl/openssl_ssl_util.cc
@@ -231,11 +231,10 @@ bool SetSSLChainAndKey(SSL* ssl,
                        EVP_PKEY* pkey,
                        const SSL_PRIVATE_KEY_METHOD* custom_key) {
   std::vector<CRYPTO_BUFFER*> chain_raw;
-  chain_raw.push_back(cert->os_cert_handle());
-  for (X509Certificate::OSCertHandle handle :
-       cert->GetIntermediateCertificates()) {
-    chain_raw.push_back(handle);
-  }
+  chain_raw.reserve(1 + cert->intermediate_buffers().size());
+  chain_raw.push_back(cert->cert_buffer());
+  for (const auto& handle : cert->intermediate_buffers())
+    chain_raw.push_back(handle.get());
 
   if (!SSL_set_chain_and_key(ssl, chain_raw.data(), chain_raw.size(), pkey,
                              custom_key)) {
diff --git a/chromium/net/ssl/ssl_client_session_cache.cc b/chromium/net/ssl/ssl_client_session_cache.cc
index eebca7640b3..f7fcdfa6e8a 100644
--- a/chromium/net/ssl/ssl_client_session_cache.cc
+++ b/chromium/net/ssl/ssl_client_session_cache.cc
@@ -17,7 +17,7 @@
 namespace net {
 
 SSLClientSessionCache::SSLClientSessionCache(const Config& config)
-    : clock_(new base::DefaultClock),
+    : clock_(base::DefaultClock::GetInstance()),
       config_(config),
       cache_(config.max_entries),
       lookups_since_flush_(0) {
@@ -87,9 +87,8 @@ void SSLClientSessionCache::Flush() {
   cache_.Clear();
 }
 
-void SSLClientSessionCache::SetClockForTesting(
-    std::unique_ptr<base::Clock> clock) {
-  clock_ = std::move(clock);
+void SSLClientSessionCache::SetClockForTesting(base::Clock* clock) {
+  clock_ = clock;
 }
 
 bool SSLClientSessionCache::IsExpired(SSL_SESSION* session, time_t now) {
diff --git a/chromium/net/ssl/ssl_client_session_cache.h b/chromium/net/ssl/ssl_client_session_cache.h
index 865206ffe5e..ad64c8062db 100644
--- a/chromium/net/ssl/ssl_client_session_cache.h
+++ b/chromium/net/ssl/ssl_client_session_cache.h
@@ -64,7 +64,7 @@ class NET_EXPORT SSLClientSessionCache : public base::MemoryCoordinatorClient {
   // Removes all entries from the cache.
   void Flush();
 
-  void SetClockForTesting(std::unique_ptr<base::Clock> clock);
+  void SetClockForTesting(base::Clock* clock);
 
   // Dumps memory allocation stats. |pmd| is the ProcessMemoryDump of the
   // browser process.
@@ -101,7 +101,7 @@ class NET_EXPORT SSLClientSessionCache : public base::MemoryCoordinatorClient {
   void OnMemoryPressure(
       base::MemoryPressureListener::MemoryPressureLevel memory_pressure_level);
 
-  std::unique_ptr<base::Clock> clock_;
+  base::Clock* clock_;
   Config config_;
   base::HashingMRUCache<std::string, Entry> cache_;
   size_t lookups_since_flush_;
diff --git a/chromium/net/ssl/ssl_client_session_cache_unittest.cc b/chromium/net/ssl/ssl_client_session_cache_unittest.cc
index 6b6299186a2..461fb189561 100644
--- a/chromium/net/ssl/ssl_client_session_cache_unittest.cc
+++ b/chromium/net/ssl/ssl_client_session_cache_unittest.cc
@@ -313,8 +313,8 @@ TEST_F(SSLClientSessionCacheTest, Expiration) {
   SSLClientSessionCache::Config config;
   config.expiration_check_count = kExpirationCheckCount;
   SSLClientSessionCache cache(config);
-  base::SimpleTestClock* clock = MakeTestClock().release();
-  cache.SetClockForTesting(base::WrapUnique(clock));
+  std::unique_ptr<base::SimpleTestClock> clock = MakeTestClock();
+  cache.SetClockForTesting(clock.get());
 
   // Add |kNumEntries - 1| entries.
   for (size_t i = 0; i < kNumEntries - 1; i++) {
@@ -362,8 +362,8 @@ TEST_F(SSLClientSessionCacheTest, LookupExpirationCheck) {
   SSLClientSessionCache::Config config;
   config.expiration_check_count = kExpirationCheckCount;
   SSLClientSessionCache cache(config);
-  base::SimpleTestClock* clock = MakeTestClock().release();
-  cache.SetClockForTesting(base::WrapUnique(clock));
+  std::unique_ptr<base::SimpleTestClock> clock = MakeTestClock();
+  cache.SetClockForTesting(clock.get());
 
   // Insert an entry into the session cache.
   bssl::UniquePtr<SSL_SESSION> session =
@@ -410,8 +410,8 @@ TEST_F(SSLClientSessionCacheTest, TestFlushOnMemoryNotifications) {
   SSLClientSessionCache::Config config;
   config.expiration_check_count = kExpirationCheckCount;
   SSLClientSessionCache cache(config);
-  base::SimpleTestClock* clock = MakeTestClock().release();
-  cache.SetClockForTesting(base::WrapUnique(clock));
+  std::unique_ptr<base::SimpleTestClock> clock = MakeTestClock();
+  cache.SetClockForTesting(clock.get());
 
   // Insert an entry into the session cache.
   bssl::UniquePtr<SSL_SESSION> session1 =
diff --git a/chromium/net/ssl/ssl_config.cc b/chromium/net/ssl/ssl_config.cc
index a460ebe038f..72d63d83a28 100644
--- a/chromium/net/ssl/ssl_config.cc
+++ b/chromium/net/ssl/ssl_config.cc
@@ -12,7 +12,7 @@ const uint16_t kDefaultSSLVersionMin = SSL_PROTOCOL_VERSION_TLS1;
 
 const uint16_t kDefaultSSLVersionMax = SSL_PROTOCOL_VERSION_TLS1_2;
 
-const TLS13Variant kDefaultTLS13Variant = kTLS13VariantDraft;
+const TLS13Variant kDefaultTLS13Variant = kTLS13VariantDraft22;
 
 SSLConfig::CertAndStatus::CertAndStatus() = default;
 SSLConfig::CertAndStatus::CertAndStatus(scoped_refptr<X509Certificate> cert_arg,
@@ -26,6 +26,7 @@ SSLConfig::SSLConfig()
       rev_checking_required_local_anchors(false),
       sha1_local_anchors_enabled(true),
       common_name_fallback_local_anchors_enabled(true),
+      symantec_enforcement_disabled(false),
       version_min(kDefaultSSLVersionMin),
       version_max(kDefaultSSLVersionMax),
       tls13_variant(kDefaultTLS13Variant),
@@ -69,6 +70,9 @@ int SSLConfig::GetCertVerifyFlags() const {
     flags |= CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS;
   if (common_name_fallback_local_anchors_enabled)
     flags |= CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS;
+  if (symantec_enforcement_disabled)
+    flags |= CertVerifier::VERIFY_DISABLE_SYMANTEC_ENFORCEMENT;
+
   return flags;
 }
 
diff --git a/chromium/net/ssl/ssl_config.h b/chromium/net/ssl/ssl_config.h
index cf6c693f425..d1d677179d1 100644
--- a/chromium/net/ssl/ssl_config.h
+++ b/chromium/net/ssl/ssl_config.h
@@ -36,10 +36,9 @@ enum TokenBindingParam {
 };
 
 enum TLS13Variant {
-  kTLS13VariantDraft,
-  kTLS13VariantExperiment,
   kTLS13VariantExperiment2,
-  kTLS13VariantExperiment3,
+  kTLS13VariantDraft22,
+  kTLS13VariantDraft23,
 };
 
 // Default minimum protocol version.
@@ -94,6 +93,11 @@ struct NET_EXPORT SSLConfig {
   // (non-public) trust anchor will be allowed to match.
   bool common_name_fallback_local_anchors_enabled;
 
+  // symantec_enforcement_disabled is true if the policies outlined in
+  // https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
+  // should not be enforced.
+  bool symantec_enforcement_disabled;
+
   // The minimum and maximum protocol versions that are enabled.
   // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.)
   // SSL 2.0 and SSL 3.0 are not supported. If version_max < version_min, it
diff --git a/chromium/net/ssl/ssl_config_unittest.cc b/chromium/net/ssl/ssl_config_unittest.cc
index 437edd5bd02..e3fca97dec2 100644
--- a/chromium/net/ssl/ssl_config_unittest.cc
+++ b/chromium/net/ssl/ssl_config_unittest.cc
@@ -15,32 +15,25 @@ void CheckCertVerifyFlags(SSLConfig* ssl_config,
                           bool rev_checking_enabled,
                           bool verify_ev_cert,
                           bool cert_io_enabled,
-                          bool rev_checking_required_local_anchors) {
+                          bool rev_checking_required_local_anchors,
+                          bool symantec_enforcement_disabled) {
   ssl_config->rev_checking_enabled = rev_checking_enabled;
   ssl_config->verify_ev_cert = verify_ev_cert;
   ssl_config->cert_io_enabled = cert_io_enabled;
   ssl_config->rev_checking_required_local_anchors =
       rev_checking_required_local_anchors;
+  ssl_config->symantec_enforcement_disabled = symantec_enforcement_disabled;
+
   int flags = ssl_config->GetCertVerifyFlags();
-  if (rev_checking_enabled)
-    EXPECT_TRUE(flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED);
-  else
-    EXPECT_FALSE(flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED);
-  if (verify_ev_cert)
-    EXPECT_TRUE(flags & CertVerifier::VERIFY_EV_CERT);
-  else
-    EXPECT_FALSE(flags & CertVerifier::VERIFY_EV_CERT);
-  if (cert_io_enabled)
-    EXPECT_TRUE(flags & CertVerifier::VERIFY_CERT_IO_ENABLED);
-  else
-    EXPECT_FALSE(flags & CertVerifier::VERIFY_CERT_IO_ENABLED);
-  if (rev_checking_required_local_anchors) {
-    EXPECT_TRUE(flags &
-                CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS);
-  } else {
-    EXPECT_FALSE(flags &
-                 CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS);
-  }
+  EXPECT_EQ(rev_checking_enabled,
+            !!(flags & CertVerifier::VERIFY_REV_CHECKING_ENABLED));
+  EXPECT_EQ(verify_ev_cert, !!(flags & CertVerifier::VERIFY_EV_CERT));
+  EXPECT_EQ(cert_io_enabled, !!(flags & CertVerifier::VERIFY_CERT_IO_ENABLED));
+  EXPECT_EQ(
+      rev_checking_required_local_anchors,
+      !!(flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS));
+  EXPECT_EQ(symantec_enforcement_disabled,
+            !!(flags & CertVerifier::VERIFY_DISABLE_SYMANTEC_ENFORCEMENT));
 }
 
 }  // namespace
@@ -51,37 +44,50 @@ TEST(SSLConfigTest, GetCertVerifyFlags) {
                        /*rev_checking_enabled=*/true,
                        /*verify_ev_cert=*/true,
                        /*cert_io_enabled=*/true,
-                       /*rev_checking_required_local_anchors=*/true);
+                       /*rev_checking_required_local_anchors=*/true,
+                       /*symantec_enforcement_disabled=*/true);
 
   CheckCertVerifyFlags(&ssl_config,
                        /*rev_checking_enabled=*/false,
                        /*verify_ev_cert=*/false,
                        /*cert_io_enabled=*/false,
-                       /*rev_checking_required_local_anchors=*/false);
+                       /*rev_checking_required_local_anchors=*/false,
+                       /*symantec_enforcement_disabled=*/false);
 
   CheckCertVerifyFlags(&ssl_config,
                        /*rev_checking_enabled=*/true,
                        /*verify_ev_cert=*/false,
                        /*cert_io_enabled=*/false,
-                       /*rev_checking_required_local_anchors=*/false);
+                       /*rev_checking_required_local_anchors=*/false,
+                       /*symantec_enforcement_disabled=*/false);
 
   CheckCertVerifyFlags(&ssl_config,
                        /*rev_checking_enabled=*/false,
                        /*verify_ev_cert=*/true,
                        /*cert_io_enabled=*/false,
-                       /*rev_checking_required_local_anchors=*/false);
+                       /*rev_checking_required_local_anchors=*/false,
+                       /*symantec_enforcement_disabled=*/false);
 
   CheckCertVerifyFlags(&ssl_config,
                        /*rev_checking_enabled=*/false,
                        /*verify_ev_cert=*/false,
                        /*cert_io_enabled=*/true,
-                       /*rev_checking_required_local_anchors=*/false);
+                       /*rev_checking_required_local_anchors=*/false,
+                       /*symantec_enforcement_disabled=*/false);
 
   CheckCertVerifyFlags(&ssl_config,
                        /*rev_checking_enabled=*/false,
                        /*verify_ev_cert=*/false,
                        /*cert_io_enabled=*/false,
-                       /*rev_checking_required_local_anchors=*/true);
+                       /*rev_checking_required_local_anchors=*/true,
+                       /*symantec_enforcement_disabled=*/false);
+
+  CheckCertVerifyFlags(&ssl_config,
+                       /*rev_checking_enabled=*/false,
+                       /*verify_ev_cert=*/false,
+                       /*cert_io_enabled=*/true,
+                       /*rev_checking_required_local_anchors=*/false,
+                       /*symantec_enforcement_disabled=*/true);
 }
 
 }  // namespace net
diff --git a/chromium/net/ssl/ssl_info.cc b/chromium/net/ssl/ssl_info.cc
index 28fcc140d66..f80610f22ee 100644
--- a/chromium/net/ssl/ssl_info.cc
+++ b/chromium/net/ssl/ssl_info.cc
@@ -48,6 +48,7 @@ void SSLInfo::Reset() {
       ct::CTPolicyCompliance::CT_POLICY_COMPLIANCE_DETAILS_NOT_AVAILABLE;
   ct_policy_compliance_required = false;
   ocsp_result = OCSPVerifyResult();
+  is_fatal_cert_error = false;
 }
 
 void SSLInfo::SetCertError(int error) {
diff --git a/chromium/net/ssl/ssl_info.h b/chromium/net/ssl/ssl_info.h
index fd39bbc9f62..2d903cf26df 100644
--- a/chromium/net/ssl/ssl_info.h
+++ b/chromium/net/ssl/ssl_info.h
@@ -139,6 +139,10 @@ class NET_EXPORT SSLInfo {
 
   // OCSP stapling details.
   OCSPVerifyResult ocsp_result;
+
+  // True if there was a certificate error which should be treated as fatal,
+  // and false otherwise.
+  bool is_fatal_cert_error;
 };
 
 }  // namespace net
diff --git a/chromium/net/ssl/ssl_platform_key_util.cc b/chromium/net/ssl/ssl_platform_key_util.cc
index 46ba59f064f..70df11b4fd7 100644
--- a/chromium/net/ssl/ssl_platform_key_util.cc
+++ b/chromium/net/ssl/ssl_platform_key_util.cc
@@ -12,6 +12,7 @@
 #include "crypto/openssl_util.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/x509_certificate.h"
+#include "net/cert/x509_util.h"
 #include "third_party/boringssl/src/include/openssl/bytestring.h"
 #include "third_party/boringssl/src/include/openssl/ec_key.h"
 #include "third_party/boringssl/src/include/openssl/evp.h"
@@ -54,11 +55,10 @@ bool GetClientCertInfo(const X509Certificate* certificate,
                        size_t* out_max_length) {
   crypto::OpenSSLErrStackTracer tracker(FROM_HERE);
 
-  std::string der_encoded;
   base::StringPiece spki;
-  if (!X509Certificate::GetDEREncoded(certificate->os_cert_handle(),
-                                      &der_encoded) ||
-      !asn1::ExtractSPKIFromDERCert(der_encoded, &spki)) {
+  if (!asn1::ExtractSPKIFromDERCert(
+          x509_util::CryptoBufferAsStringPiece(certificate->cert_buffer()),
+          &spki)) {
     LOG(ERROR) << "Could not extract SPKI from certificate.";
     return false;
   }
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2018-01-31 16:33:43 +0100
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2018-02-06 16:33:22 +0000
commit	da51f56cc21233c2d30f0fe0d171727c3102b2e0 (patch)
tree	4e579ab70ce4b19bee7984237f3ce05a96d59d83 /chromium/net/ssl
parent	c8c2d1901aec01e934adf561a9fdf0cc776cdef8 (diff)
download	qtwebengine-chromium-da51f56cc21233c2d30f0fe0d171727c3102b2e0.tar.gz