
Side by Side Diff: net/base/cert_verify_proc_openssl.cc

Issue 11572060: Improve CertVerifyProcOpenSSL robustness against malicious data (Closed) Base URL: http://git.chromium.org/chromium/src.git@master
Patch Set: Created 8 years ago
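--- a/net/base/cert_verify_proc_openssl.cc
+++ b/net/base/cert_verify_proc_openssl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/cert_verify_proc_openssl.h"
 
 #include <openssl/x509v3.h>
 
 #include <string>
 #include <vector>
@@ -181,42 +181,44 @@
 if (!intermediates.get())
 return ERR_OUT_OF_MEMORY;
 
 const X509Certificate::OSCertHandles& os_intermediates =
 cert->GetIntermediateCertificates();
 for (X509Certificate::OSCertHandles::const_iterator it =
 os_intermediates.begin(); it != os_intermediates.end(); ++it) {
 if (!sk_X509_push(intermediates.get(), *it))
 return ERR_OUT_OF_MEMORY;
 }
-int rv = X509_STORE_CTX_init(ctx.get(), X509Certificate::cert_store(),
-cert->os_cert_handle(), intermediates.get());
-CHECK_EQ(1, rv);
+if (X509_STORE_CTX_init(ctx.get(), X509Certificate::cert_store(),
+cert->os_cert_handle(), intermediates.get()) != 1) {
+NOTREACHED();
+return ERR_FAILED;
+}
 
 if (X509_verify_cert(ctx.get()) != 1) {
 int x509_error = X509_STORE_CTX_get_error(ctx.get());
 CertStatus cert_status = MapCertErrorToCertStatus(x509_error);
 LOG(ERROR) << "X509 Verification error "
 << X509_verify_cert_error_string(x509_error)
 << " : " << x509_error
 << " : " << X509_STORE_CTX_get_error_depth(ctx.get())
 << " : " << cert_status;
 verify_result->cert_status |= cert_status;
 }
 
 GetCertChainInfo(ctx.get(), verify_result);
 AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes);
 if (IsCertStatusError(verify_result->cert_status))
 return MapCertStatusToNetError(verify_result->cert_status);
 
 // Currently we only ues OpenSSL's default root CA paths, so treat all
 // correctly verified certs as being from a known root.
 // TODO(joth): if the motivations described in
 // http://src.chromium.org/viewvc/chrome?view=rev&revision=80778 become an
 // issue on OpenSSL builds, we will need to embed a hardcoded list of well
 // known root CAs, as per the _mac and _win versions.
 verify_result->is_issued_by_known_root = true;
 
 return OK;
 }
 
 } // namespace net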
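Review bot: The new failure branch for `X509_STORE_CTX_init` (new lines 191-195) returns `ERR_FAILED` without recording anything in `verify_result->cert_status`, so a caller that inspects the status bits rather than the return code would see no certificate error for a chain that was never verified. Consider failing closed there with `verify_result->cert_status |= CERT_STATUS_INVALID;` before the return. `NOTREACHED()` also marks as impossible a path that the issue title treats as reachable with malicious data; if it is only a DCHECK in this tree it will still abort debug builds, so a `LOG(ERROR)` naming the failed call may describe the situation better. The start of the function, including how `verify_result` is initialised, lies in the skipped lines, so confirm the status is not already set pessimistically there.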