Require a CTVerifier and CTPolicyEnforcer for TLS/QUIC sockets

In order to determine the trustworthiness of the connection, it's necessary for sockets to consider policies regarding CT - both what logs to trust and what policies to enforce. As this is critical to security, make CTVerifier* and CTPolicyEnforcer* necessary, rather than optional, for sockets. For normal URLRequestContexts, this should be a no-op, while for those created via the URLReqestContextBuilder, sane defaults will be provided. BUG=620179 Review-Url: https://codereview.chromium.org/2067843003 Cr-Commit-Position: refs/heads/master@{#400870}
cbchan · Jun 21, 2016 · d6de830 · d6de830
1 parent ddeec57
commit d6de830
Show file tree

Hide file tree

Showing 51 changed files with 590 additions and 228 deletions.
diff --git a/chrome/browser/io_thread.cc b/chrome/browser/io_thread.cc
@@ -978,6 +978,7 @@ net::URLRequestContext* IOThread::ConstructSystemRequestContext(
       globals->transport_security_state.get());
   context->set_cert_transparency_verifier(
       globals->cert_transparency_verifier.get());
+  context->set_ct_policy_enforcer(globals->ct_policy_enforcer.get());
   context->set_ssl_config_service(globals->ssl_config_service.get());
   context->set_http_auth_handler_factory(
       globals->http_auth_handler_factory.get());
@@ -1033,6 +1034,7 @@ net::URLRequestContext* IOThread::ConstructProxyScriptFetcherContext(
       globals->transport_security_state.get());
   context->set_cert_transparency_verifier(
       globals->cert_transparency_verifier.get());
+  context->set_ct_policy_enforcer(globals->ct_policy_enforcer.get());
   context->set_ssl_config_service(globals->ssl_config_service.get());
   context->set_http_auth_handler_factory(
       globals->http_auth_handler_factory.get());

diff --git a/chrome/browser/profiles/off_the_record_profile_io_data.cc b/chrome/browser/profiles/off_the_record_profile_io_data.cc
@@ -205,6 +205,10 @@ void OffTheRecordProfileIOData::InitializeInternal(
   ApplyProfileParamsToContext(main_context);
 
   main_context->set_transport_security_state(transport_security_state());
+  main_context->set_cert_transparency_verifier(
+      io_thread_globals->cert_transparency_verifier.get());
+  main_context->set_ct_policy_enforcer(
+      io_thread_globals->ct_policy_enforcer.get());
 
   main_context->set_net_log(io_thread->net_log());
 
@@ -218,8 +222,6 @@ void OffTheRecordProfileIOData::InitializeInternal(
       io_thread_globals->http_auth_handler_factory.get());
   main_context->set_proxy_service(proxy_service());
 
-  main_context->set_cert_transparency_verifier(
-      io_thread_globals->cert_transparency_verifier.get());
   main_context->set_backoff_manager(
       io_thread_globals->url_request_backoff_manager.get());
 

diff --git a/chrome/browser/profiles/profile_impl_io_data.cc b/chrome/browser/profiles/profile_impl_io_data.cc
@@ -461,6 +461,8 @@ void ProfileImplIOData::InitializeInternal(
     http_server_properties_manager_->InitializeOnNetworkThread();
 
   main_context->set_transport_security_state(transport_security_state());
+  main_context->set_ct_policy_enforcer(
+      io_thread_globals->ct_policy_enforcer.get());
 
   main_context->set_net_log(io_thread->net_log());
 
@@ -576,6 +578,8 @@ void ProfileImplIOData::
   ApplyProfileParamsToContext(extensions_context);
 
   extensions_context->set_transport_security_state(transport_security_state());
+  extensions_context->set_ct_policy_enforcer(
+      io_thread_globals->ct_policy_enforcer.get());
 
   extensions_context->set_net_log(io_thread->net_log());
 

diff --git a/chrome/browser/profiles/profile_io_data.h b/chrome/browser/profiles/profile_io_data.h
@@ -74,6 +74,7 @@ namespace net {
 class CertVerifier;
 class ChannelIDService;
 class CookieStore;
+class CTVerifier;
 class FtpTransactionFactory;
 class HttpServerProperties;
 class HttpTransactionFactory;

diff --git a/chromecast/browser/url_request_context_factory.cc b/chromecast/browser/url_request_context_factory.cc
@@ -21,6 +21,8 @@
 #include "content/public/common/content_switches.h"
 #include "content/public/common/url_constants.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/multi_log_ct_verifier.h"
 #include "net/cert_net/nss_ocsp.h"
 #include "net/cookies/cookie_store.h"
 #include "net/dns/host_resolver.h"
@@ -201,12 +203,12 @@ void URLRequestContextFactory::InitializeSystemContextDependencies() {
     return;
 
   host_resolver_ = net::HostResolver::CreateDefaultResolver(NULL);
-
   cert_verifier_ = net::CertVerifier::CreateDefault();
-
   ssl_config_service_ = new net::SSLConfigServiceDefaults;
-
   transport_security_state_.reset(new net::TransportSecurityState());
+  cert_transparency_verifier_.reset(new net::MultiLogCTVerifier());
+  ct_policy_enforcer_.reset(new net::CTPolicyEnforcer());
+
   http_auth_handler_factory_ =
       net::HttpAuthHandlerFactory::CreateDefault(host_resolver_.get());
 
@@ -289,6 +291,8 @@ void URLRequestContextFactory::PopulateNetworkSessionParams(
   params->channel_id_service = channel_id_service_.get();
   params->ssl_config_service = ssl_config_service_.get();
   params->transport_security_state = transport_security_state_.get();
+  params->cert_transparency_verifier = cert_transparency_verifier_.get();
+  params->ct_policy_enforcer = ct_policy_enforcer_.get();
   params->http_auth_handler_factory = http_auth_handler_factory_.get();
   params->http_server_properties = http_server_properties_.get();
   params->ignore_certificate_errors = ignore_certificate_errors;

diff --git a/chromecast/browser/url_request_context_factory.h b/chromecast/browser/url_request_context_factory.h
@@ -102,6 +102,8 @@ class URLRequestContextFactory {
   std::unique_ptr<net::CertVerifier> cert_verifier_;
   scoped_refptr<net::SSLConfigService> ssl_config_service_;
   std::unique_ptr<net::TransportSecurityState> transport_security_state_;
+  std::unique_ptr<net::CTVerifier> cert_transparency_verifier_;
+  std::unique_ptr<net::CTPolicyEnforcer> ct_policy_enforcer_;
   std::unique_ptr<net::ProxyConfigService> proxy_config_service_;
   std::unique_ptr<net::ProxyService> proxy_service_;
   std::unique_ptr<net::HttpAuthHandlerFactory> http_auth_handler_factory_;

diff --git a/content/browser/renderer_host/pepper/pepper_tcp_socket_message_filter.cc b/content/browser/renderer_host/pepper/pepper_tcp_socket_message_filter.cc
@@ -334,6 +334,9 @@ int32_t PepperTCPSocketMessageFilter::OnMsgSSLHandshake(
   ssl_context.cert_verifier = ssl_context_helper_->GetCertVerifier();
   ssl_context.transport_security_state =
       ssl_context_helper_->GetTransportSecurityState();
+  ssl_context.cert_transparency_verifier =
+      ssl_context_helper_->GetCertTransparencyVerifier();
+  ssl_context.ct_policy_enforcer = ssl_context_helper_->GetCTPolicyEnforcer();
   ssl_socket_ = factory->CreateSSLClientSocket(
       std::move(handle), host_port_pair, ssl_context_helper_->ssl_config(),
       ssl_context);

diff --git a/content/browser/renderer_host/pepper/ssl_context_helper.cc b/content/browser/renderer_host/pepper/ssl_context_helper.cc
@@ -5,6 +5,8 @@
 #include "content/browser/renderer_host/pepper/ssl_context_helper.h"
 
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/multi_log_ct_verifier.h"
 #include "net/http/transport_security_state.h"
 
 namespace content {
@@ -25,4 +27,16 @@ net::TransportSecurityState* SSLContextHelper::GetTransportSecurityState() {
   return transport_security_state_.get();
 }
 
+net::CTVerifier* SSLContextHelper::GetCertTransparencyVerifier() {
+  if (!cert_transparency_verifier_)
+    cert_transparency_verifier_.reset(new net::MultiLogCTVerifier());
+  return cert_transparency_verifier_.get();
+}
+
+net::CTPolicyEnforcer* SSLContextHelper::GetCTPolicyEnforcer() {
+  if (!ct_policy_enforcer_)
+    ct_policy_enforcer_.reset(new net::CTPolicyEnforcer());
+  return ct_policy_enforcer_.get();
+}
+
 }  // namespace content
diff --git a/content/browser/renderer_host/pepper/ssl_context_helper.h b/content/browser/renderer_host/pepper/ssl_context_helper.h
@@ -13,6 +13,8 @@
 
 namespace net {
 class CertVerifier;
+class CTPolicyEnforcer;
+class CTVerifier;
 class TransportSecurityState;
 }
 
@@ -24,6 +26,8 @@ class SSLContextHelper : public base::RefCounted<SSLContextHelper> {
 
   net::CertVerifier* GetCertVerifier();
   net::TransportSecurityState* GetTransportSecurityState();
+  net::CTVerifier* GetCertTransparencyVerifier();
+  net::CTPolicyEnforcer* GetCTPolicyEnforcer();
   const net::SSLConfig& ssl_config() { return ssl_config_; }
 
  private:
@@ -36,6 +40,12 @@ class SSLContextHelper : public base::RefCounted<SSLContextHelper> {
   // This is lazily created. Users should use GetTransportSecurityState to
   // retrieve it.
   std::unique_ptr<net::TransportSecurityState> transport_security_state_;
+  // This is lazily created. Users should use GetCertTransparencyVerifier to
+  // retrieve it.
+  std::unique_ptr<net::CTVerifier> cert_transparency_verifier_;
+  // This is lazily created. Users should use GetCTPolicyEnforcer to
+  // retrieve it.
+  std::unique_ptr<net::CTPolicyEnforcer> ct_policy_enforcer_;
 
   // The default SSL configuration settings are used, as opposed to Chrome's SSL
   // settings.

diff --git a/content/shell/browser/shell_url_request_context_getter.cc b/content/shell/browser/shell_url_request_context_getter.cc
@@ -26,6 +26,8 @@
 #include "content/shell/common/shell_switches.h"
 #include "net/base/cache_type.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/multi_log_ct_verifier.h"
 #include "net/cookies/cookie_monster.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/mapped_host_resolver.h"
@@ -139,6 +141,10 @@ net::URLRequestContext* ShellURLRequestContextGetter::GetURLRequestContext() {
     storage_->set_cert_verifier(net::CertVerifier::CreateDefault());
     storage_->set_transport_security_state(
         base::WrapUnique(new net::TransportSecurityState));
+    storage_->set_cert_transparency_verifier(
+        base::WrapUnique(new net::MultiLogCTVerifier));
+    storage_->set_ct_policy_enforcer(
+        base::WrapUnique(new net::CTPolicyEnforcer));
     storage_->set_proxy_service(GetProxyService());
     storage_->set_ssl_config_service(new net::SSLConfigServiceDefaults);
     storage_->set_http_auth_handler_factory(
@@ -165,6 +171,10 @@ net::URLRequestContext* ShellURLRequestContextGetter::GetURLRequestContext() {
         url_request_context_->cert_verifier();
     network_session_params.transport_security_state =
         url_request_context_->transport_security_state();
+    network_session_params.cert_transparency_verifier =
+        url_request_context_->cert_transparency_verifier();
+    network_session_params.ct_policy_enforcer =
+        url_request_context_->ct_policy_enforcer();
     network_session_params.channel_id_service =
         url_request_context_->channel_id_service();
     network_session_params.proxy_service =

diff --git a/extensions/browser/api/socket/socket_api.cc b/extensions/browser/api/socket/socket_api.cc
@@ -1073,11 +1073,11 @@ void SocketSecureFunction::AsyncWorkStart() {
       url_request_getter_->GetURLRequestContext();
 
   TLSSocket::UpgradeSocketToTLS(
-      socket,
-      url_request_context->ssl_config_service(),
+      socket, url_request_context->ssl_config_service(),
       url_request_context->cert_verifier(),
       url_request_context->transport_security_state(),
-      extension_id(),
+      url_request_context->cert_transparency_verifier(),
+      url_request_context->ct_policy_enforcer(), extension_id(),
       params_->options.get(),
       base::Bind(&SocketSecureFunction::TlsConnectDone, this));
 }

diff --git a/extensions/browser/api/socket/tls_socket.cc b/extensions/browser/api/socket/tls_socket.cc
@@ -181,6 +181,8 @@ void TLSSocket::UpgradeSocketToTLS(
     scoped_refptr<net::SSLConfigService> ssl_config_service,
     net::CertVerifier* cert_verifier,
     net::TransportSecurityState* transport_security_state,
+    net::CTVerifier* ct_verifier,
+    net::CTPolicyEnforcer* ct_policy_enforcer,
     const std::string& extension_id,
     api::socket::SecureOptions* options,
     const TLSSocket::SecureCallback& callback) {
@@ -241,6 +243,8 @@ void TLSSocket::UpgradeSocketToTLS(
   net::SSLClientSocketContext context;
   context.cert_verifier = cert_verifier;
   context.transport_security_state = transport_security_state;
+  context.cert_transparency_verifier = ct_verifier;
+  context.ct_policy_enforcer = ct_policy_enforcer;
 
   // Fill in the SSL socket params.
   net::SSLConfig ssl_config;

diff --git a/extensions/browser/api/socket/tls_socket.h b/extensions/browser/api/socket/tls_socket.h
@@ -17,6 +17,8 @@
 namespace net {
 class Socket;
 class CertVerifier;
+class CTPolicyEnforcer;
+class CTVerifier;
 class TransportSecurityState;
 }
 
@@ -98,6 +100,8 @@ class TLSSocket : public ResumableTCPSocket {
       scoped_refptr<net::SSLConfigService> config_service,
       net::CertVerifier* cert_verifier,
       net::TransportSecurityState* transport_security_state,
+      net::CTVerifier* ct_verifier,
+      net::CTPolicyEnforcer* ct_policy_enforcer,
       const std::string& extension_id,
       api::socket::SecureOptions* options,
       const SecureCallback& callback);

diff --git a/extensions/browser/api/sockets_tcp/sockets_tcp_api.cc b/extensions/browser/api/sockets_tcp/sockets_tcp_api.cc
@@ -517,12 +517,11 @@ void SocketsTcpSecureFunction::AsyncWorkStart() {
   }
 
   TLSSocket::UpgradeSocketToTLS(
-      socket,
-      url_request_context->ssl_config_service(),
+      socket, url_request_context->ssl_config_service(),
       url_request_context->cert_verifier(),
       url_request_context->transport_security_state(),
-      extension_id(),
-      &legacy_params,
+      url_request_context->cert_transparency_verifier(),
+      url_request_context->ct_policy_enforcer(), extension_id(), &legacy_params,
       base::Bind(&SocketsTcpSecureFunction::TlsConnectDone, this));
 }
 

diff --git a/google_apis/gcm/tools/mcs_probe.cc b/google_apis/gcm/tools/mcs_probe.cc
@@ -41,6 +41,8 @@
 #include "google_apis/gcm/monitoring/fake_gcm_stats_recorder.h"
 #include "net/base/host_mapping_rules.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/multi_log_ct_verifier.h"
 #include "net/dns/host_resolver.h"
 #include "net/http/http_auth_handler_factory.h"
 #include "net/http/http_auth_preferences.h"
@@ -250,6 +252,8 @@ class MCSProbe {
   std::unique_ptr<net::CertVerifier> cert_verifier_;
   std::unique_ptr<net::ChannelIDService> system_channel_id_service_;
   std::unique_ptr<net::TransportSecurityState> transport_security_state_;
+  std::unique_ptr<net::CTVerifier> cert_transparency_verifier_;
+  std::unique_ptr<net::CTPolicyEnforcer> ct_policy_enforcer_;
   MCSProbeAuthPreferences http_auth_preferences_;
   std::unique_ptr<net::HttpAuthHandlerFactory> http_auth_handler_factory_;
   std::unique_ptr<net::HttpServerPropertiesImpl> http_server_properties_;
@@ -399,6 +403,8 @@ void MCSProbe::InitializeNetworkState() {
           base::WorkerPool::GetTaskRunner(true)));
 
   transport_security_state_.reset(new net::TransportSecurityState());
+  cert_transparency_verifier_.reset(new net::MultiLogCTVerifier());
+  ct_policy_enforcer_.reset(new net::CTPolicyEnforcer());
   http_auth_handler_factory_ = net::HttpAuthHandlerRegistryFactory::Create(
       &http_auth_preferences_, host_resolver_.get());
   http_server_properties_.reset(new net::HttpServerPropertiesImpl());
@@ -412,6 +418,8 @@ void MCSProbe::BuildNetworkSession() {
   session_params.cert_verifier = cert_verifier_.get();
   session_params.channel_id_service = system_channel_id_service_.get();
   session_params.transport_security_state = transport_security_state_.get();
+  session_params.cert_transparency_verifier = cert_transparency_verifier_.get();
+  session_params.ct_policy_enforcer = ct_policy_enforcer_.get();
   session_params.ssl_config_service = new net::SSLConfigServiceDefaults();
   session_params.http_auth_handler_factory = http_auth_handler_factory_.get();
   session_params.http_server_properties = http_server_properties_.get();

diff --git a/ios/crnet/crnet_environment.mm b/ios/crnet/crnet_environment.mm
@@ -37,6 +37,8 @@
 #include "net/base/network_change_notifier.h"
 #include "net/base/sdch_manager.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/multi_log_ct_verifier.h"
 #include "net/cookies/cookie_store.h"
 #include "net/http/http_auth_handler_factory.h"
 #include "net/http/http_cache.h"
@@ -385,6 +387,8 @@ bool IsRequestSupported(NSURLRequest* request) override {
   main_context_->set_ssl_config_service(new net::SSLConfigServiceDefaults);
   main_context_->set_transport_security_state(
       new net::TransportSecurityState());
+  main_context_->set_cert_transparency_verifier(new net::MultiLogCTVerifier());
+  main_context_->set_ct_policy_enforcer(new net::CTPolicyEnforcer());
   http_server_properties_.reset(new net::HttpServerPropertiesImpl());
   main_context_->set_http_server_properties(http_server_properties_.get());
   // TODO(rdsmith): Note that the ".release()" calls below are leaking

diff --git a/ios/web/shell/shell_url_request_context_getter.mm b/ios/web/shell/shell_url_request_context_getter.mm
@@ -19,6 +19,8 @@
 #include "ios/web/shell/shell_network_delegate.h"
 #include "net/base/cache_type.h"
 #include "net/cert/cert_verifier.h"
+#include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/multi_log_ct_verifier.h"
 #include "net/dns/host_resolver.h"
 #include "net/extras/sqlite/sqlite_persistent_cookie_store.h"
 #include "net/http/http_auth_handler_factory.h"
@@ -99,6 +101,10 @@
 
     storage_->set_transport_security_state(
         base::WrapUnique(new net::TransportSecurityState()));
+    storage_->set_cert_transparency_verifier(
+        base::WrapUnique(new net::MultiLogCTVerifier));
+    storage_->set_ct_policy_enforcer(
+        base::WrapUnique(new net::CTPolicyEnforcer));
     transport_security_persister_.reset(new net::TransportSecurityPersister(
         url_request_context_->transport_security_state(), base_path_,
         file_task_runner_, false));
@@ -121,6 +127,10 @@
         url_request_context_->cert_verifier();
     network_session_params.transport_security_state =
         url_request_context_->transport_security_state();
+    network_session_params.cert_transparency_verifier =
+        url_request_context_->cert_transparency_verifier();
+    network_session_params.ct_policy_enforcer =
+        url_request_context_->ct_policy_enforcer();
     network_session_params.channel_id_service =
         url_request_context_->channel_id_service();
     network_session_params.net_log = url_request_context_->net_log();

diff --git a/jingle/glue/proxy_resolving_client_socket.cc b/jingle/glue/proxy_resolving_client_socket.cc
@@ -62,6 +62,9 @@ ProxyResolvingClientSocket::ProxyResolvingClientSocket(
   session_params.cert_verifier = request_context->cert_verifier();
   session_params.transport_security_state =
       request_context->transport_security_state();
+  session_params.cert_transparency_verifier =
+      request_context->cert_transparency_verifier();
+  session_params.ct_policy_enforcer = request_context->ct_policy_enforcer();
   // TODO(rkn): This is NULL because ChannelIDService is not thread safe.
   session_params.channel_id_service = NULL;
   session_params.proxy_service = request_context->proxy_service();

diff --git a/net/cert/ct_verifier.h b/net/cert/ct_verifier.h
@@ -21,7 +21,6 @@ class CTLogVerifier;
 class X509Certificate;
 
 // Interface for verifying Signed Certificate Timestamps over a certificate.
-// The only known (non-test) implementation currently is MultiLogCTVerifier.
 class NET_EXPORT CTVerifier {
  public:
   class NET_EXPORT Observer {