| OLD | NEW |
|---|
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/transport_security_state.h" | 5 #include "net/base/transport_security_state.h" |
| 6 | 6 |
| 7 #include "base/base64.h" | 7 #include "base/base64.h" |
| 8 #include "base/json/json_reader.h" | 8 #include "base/json/json_reader.h" |
| 9 #include "base/json/json_writer.h" | 9 #include "base/json/json_writer.h" |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| (...skipping 10 matching lines...) Expand all Loading... |
| 21 namespace net { | 21 namespace net { |
| 22 | 22 |
| 23 const long int TransportSecurityState::kMaxHSTSAgeSecs = 86400 * 365; // 1 year | 23 const long int TransportSecurityState::kMaxHSTSAgeSecs = 86400 * 365; // 1 year |
| 24 | 24 |
| 25 TransportSecurityState::TransportSecurityState() | 25 TransportSecurityState::TransportSecurityState() |
| 26 : delegate_(NULL) { | 26 : delegate_(NULL) { |
| 27 } | 27 } |
| 28 | 28 |
| 29 void TransportSecurityState::EnableHost(const std::string& host, | 29 void TransportSecurityState::EnableHost(const std::string& host, |
| 30 const DomainState& state) { | 30 const DomainState& state) { |
| 31 const std::string canonicalised_host = CanonicaliseHost(host); | 31 const std::string canonicalized_host = CanonicalizeHost(host); |
| 32 if (canonicalised_host.empty()) | 32 if (canonicalized_host.empty()) |
| 33 return; | 33 return; |
| 34 | 34 |
| 35 bool temp; | 35 bool temp; |
| 36 if (IsPreloadedSTS(canonicalised_host, &temp)) | 36 if (IsPreloadedSTS(canonicalized_host, &temp)) |
| 37 return; | 37 return; |
| 38 | 38 |
| 39 char hashed[base::SHA256_LENGTH]; | 39 char hashed[base::SHA256_LENGTH]; |
| 40 base::SHA256HashString(canonicalised_host, hashed, sizeof(hashed)); | 40 base::SHA256HashString(canonicalized_host, hashed, sizeof(hashed)); |
| 41 | 41 |
| 42 // Use the original creation date if we already have this host. | 42 // Use the original creation date if we already have this host. |
| 43 DomainState state_copy(state); | 43 DomainState state_copy(state); |
| 44 DomainState existing_state; | 44 DomainState existing_state; |
| 45 if (IsEnabledForHost(&existing_state, host)) | 45 if (IsEnabledForHost(&existing_state, host)) |
| 46 state_copy.created = existing_state.created; | 46 state_copy.created = existing_state.created; |
| 47 | 47 |
| 48 // We don't store these values. |
| 49 state_copy.preloaded = false; |
| 50 state_copy.domain.clear(); |
| 51 |
| 48 enabled_hosts_[std::string(hashed, sizeof(hashed))] = state_copy; | 52 enabled_hosts_[std::string(hashed, sizeof(hashed))] = state_copy; |
| 49 DirtyNotify(); | 53 DirtyNotify(); |
| 50 } | 54 } |
| 51 | 55 |
| 56 bool TransportSecurityState::DeleteHost(const std::string& host) { |
| 57 const std::string canonicalized_host = CanonicalizeHost(host); |
| 58 if (canonicalized_host.empty()) |
| 59 return false; |
| 60 |
| 61 char hashed[base::SHA256_LENGTH]; |
| 62 base::SHA256HashString(canonicalized_host, hashed, sizeof(hashed)); |
| 63 |
| 64 std::map<std::string, DomainState>::iterator i = enabled_hosts_.find( |
| 65 std::string(hashed, sizeof(hashed))); |
| 66 if (i != enabled_hosts_.end()) { |
| 67 enabled_hosts_.erase(i); |
| 68 DirtyNotify(); |
| 69 return true; |
| 70 } |
| 71 return false; |
| 72 } |
| 73 |
| 52 // IncludeNUL converts a char* to a std::string and includes the terminating | 74 // IncludeNUL converts a char* to a std::string and includes the terminating |
| 53 // NUL in the result. | 75 // NUL in the result. |
| 54 static std::string IncludeNUL(const char* in) { | 76 static std::string IncludeNUL(const char* in) { |
| 55 return std::string(in, strlen(in) + 1); | 77 return std::string(in, strlen(in) + 1); |
| 56 } | 78 } |
| 57 | 79 |
| 58 bool TransportSecurityState::IsEnabledForHost(DomainState* result, | 80 bool TransportSecurityState::IsEnabledForHost(DomainState* result, |
| 59 const std::string& host) { | 81 const std::string& host) { |
| 60 const std::string canonicalised_host = CanonicaliseHost(host); | 82 *result = DomainState(); |
| 61 if (canonicalised_host.empty()) | 83 |
| 84 const std::string canonicalized_host = CanonicalizeHost(host); |
| 85 if (canonicalized_host.empty()) |
| 62 return false; | 86 return false; |
| 63 | 87 |
| 64 bool include_subdomains; | 88 bool include_subdomains; |
| 65 if (IsPreloadedSTS(canonicalised_host, &include_subdomains)) { | 89 if (IsPreloadedSTS(canonicalized_host, &include_subdomains)) { |
| 66 result->created = result->expiry = base::Time::FromTimeT(0); | 90 result->created = result->expiry = base::Time::FromTimeT(0); |
| 67 result->mode = DomainState::MODE_STRICT; | 91 result->mode = DomainState::MODE_STRICT; |
| 68 result->include_subdomains = include_subdomains; | 92 result->include_subdomains = include_subdomains; |
| 93 result->preloaded = true; |
| 69 return true; | 94 return true; |
| 70 } | 95 } |
| 71 | 96 |
| 97 result->preloaded = false; |
| 72 base::Time current_time(base::Time::Now()); | 98 base::Time current_time(base::Time::Now()); |
| 73 | 99 |
| 74 for (size_t i = 0; canonicalised_host[i]; i += canonicalised_host[i] + 1) { | 100 for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) { |
| 75 char hashed_domain[base::SHA256_LENGTH]; | 101 char hashed_domain[base::SHA256_LENGTH]; |
| 76 | 102 |
| 77 base::SHA256HashString(IncludeNUL(&canonicalised_host[i]), &hashed_domain, | 103 base::SHA256HashString(IncludeNUL(&canonicalized_host[i]), &hashed_domain, |
| 78 sizeof(hashed_domain)); | 104 sizeof(hashed_domain)); |
| 79 std::map<std::string, DomainState>::iterator j = | 105 std::map<std::string, DomainState>::iterator j = |
| 80 enabled_hosts_.find(std::string(hashed_domain, sizeof(hashed_domain))); | 106 enabled_hosts_.find(std::string(hashed_domain, sizeof(hashed_domain))); |
| 81 if (j == enabled_hosts_.end()) | 107 if (j == enabled_hosts_.end()) |
| 82 continue; | 108 continue; |
| 83 | 109 |
| 84 if (current_time > j->second.expiry) { | 110 if (current_time > j->second.expiry) { |
| 85 enabled_hosts_.erase(j); | 111 enabled_hosts_.erase(j); |
| 86 DirtyNotify(); | 112 DirtyNotify(); |
| 87 continue; | 113 continue; |
| 88 } | 114 } |
| 89 | 115 |
| 90 *result = j->second; | 116 *result = j->second; |
| 117 result->domain = DNSDomainToString( |
| 118 canonicalized_host.substr(i, canonicalized_host.size() - i)); |
| 91 | 119 |
| 92 // If we matched the domain exactly, it doesn't matter what the value of | 120 // If we matched the domain exactly, it doesn't matter what the value of |
| 93 // include_subdomains is. | 121 // include_subdomains is. |
| 94 if (i == 0) | 122 if (i == 0) |
| 95 return true; | 123 return true; |
| 96 | 124 |
| 97 return j->second.include_subdomains; | 125 return j->second.include_subdomains; |
| 98 } | 126 } |
| 99 | 127 |
| 100 return false; | 128 return false; |
| (...skipping 268 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 369 | 397 |
| 370 TransportSecurityState::~TransportSecurityState() { | 398 TransportSecurityState::~TransportSecurityState() { |
| 371 } | 399 } |
| 372 | 400 |
| 373 void TransportSecurityState::DirtyNotify() { | 401 void TransportSecurityState::DirtyNotify() { |
| 374 if (delegate_) | 402 if (delegate_) |
| 375 delegate_->StateIsDirty(this); | 403 delegate_->StateIsDirty(this); |
| 376 } | 404 } |
| 377 | 405 |
| 378 // static | 406 // static |
| 379 std::string TransportSecurityState::CanonicaliseHost(const std::string& host) { | 407 std::string TransportSecurityState::CanonicalizeHost(const std::string& host) { |
| 380 // We cannot perform the operations as detailed in the spec here as |host| | 408 // We cannot perform the operations as detailed in the spec here as |host| |
| 381 // has already undergone IDN processing before it reached us. Thus, we check | 409 // has already undergone IDN processing before it reached us. Thus, we check |
| 382 // that there are no invalid characters in the host and lowercase the result. | 410 // that there are no invalid characters in the host and lowercase the result. |
| 383 | 411 |
| 384 std::string new_host; | 412 std::string new_host; |
| 385 if (!DNSDomainFromDot(host, &new_host)) { | 413 if (!DNSDomainFromDot(host, &new_host)) { |
| 386 // DNSDomainFromDot can fail if any label is > 63 bytes or if the whole | 414 // DNSDomainFromDot can fail if any label is > 63 bytes or if the whole |
| 387 // name is >255 bytes. However, search terms can have those properties. | 415 // name is >255 bytes. However, search terms can have those properties. |
| 388 return std::string(); | 416 return std::string(); |
| 389 } | 417 } |
| (...skipping 14 matching lines...) Expand all Loading... |
| 404 // step 3(b) | 432 // step 3(b) |
| 405 if (new_host[i + 1] == '-' || | 433 if (new_host[i + 1] == '-' || |
| 406 new_host[i + label_length] == '-') { | 434 new_host[i + label_length] == '-') { |
| 407 return std::string(); | 435 return std::string(); |
| 408 } | 436 } |
| 409 } | 437 } |
| 410 | 438 |
| 411 return new_host; | 439 return new_host; |
| 412 } | 440 } |
| 413 | 441 |
| 414 // IsPreloadedSTS returns true if the canonicalised hostname should always be | 442 // IsPreloadedSTS returns true if the canonicalized hostname should always be |
| 415 // considered to have STS enabled. | 443 // considered to have STS enabled. |
| 416 // static | 444 // static |
| 417 bool TransportSecurityState::IsPreloadedSTS( | 445 bool TransportSecurityState::IsPreloadedSTS( |
| 418 const std::string& canonicalised_host, bool *include_subdomains) { | 446 const std::string& canonicalized_host, bool *include_subdomains) { |
| 419 // In the medium term this list is likely to just be hardcoded here. This, | 447 // In the medium term this list is likely to just be hardcoded here. This, |
| 420 // slightly odd, form removes the need for additional relocations records. | 448 // slightly odd, form removes the need for additional relocations records. |
| 421 static const struct { | 449 static const struct { |
| 422 uint8 length; | 450 uint8 length; |
| 423 bool include_subdomains; | 451 bool include_subdomains; |
| 424 char dns_name[30]; | 452 char dns_name[30]; |
| 425 } kPreloadedSTS[] = { | 453 } kPreloadedSTS[] = { |
| 426 {16, false, "\003www\006paypal\003com"}, | 454 {16, false, "\003www\006paypal\003com"}, |
| 427 {16, false, "\003www\006elanex\003biz"}, | 455 {16, false, "\003www\006elanex\003biz"}, |
| 428 {12, true, "\006jottit\003com"}, | 456 {12, true, "\006jottit\003com"}, |
| 429 {19, true, "\015sunshinepress\003org"}, | 457 {19, true, "\015sunshinepress\003org"}, |
| 430 {21, false, "\003www\013noisebridge\003net"}, | 458 {21, false, "\003www\013noisebridge\003net"}, |
| 431 {10, false, "\004neg9\003org"}, | 459 {10, false, "\004neg9\003org"}, |
| 432 {12, true, "\006riseup\003net"}, | 460 {12, true, "\006riseup\003net"}, |
| 433 {11, false, "\006factor\002cc"}, | 461 {11, false, "\006factor\002cc"}, |
| 434 {22, false, "\007members\010mayfirst\003org"}, | 462 {22, false, "\007members\010mayfirst\003org"}, |
| 435 {22, false, "\007support\010mayfirst\003org"}, | 463 {22, false, "\007support\010mayfirst\003org"}, |
| 436 {17, false, "\002id\010mayfirst\003org"}, | 464 {17, false, "\002id\010mayfirst\003org"}, |
| 437 {20, false, "\005lists\010mayfirst\003org"}, | 465 {20, false, "\005lists\010mayfirst\003org"}, |
| 438 {19, true, "\015splendidbacon\003com"}, | 466 {19, true, "\015splendidbacon\003com"}, |
| 439 {19, false, "\006health\006google\003com"}, | 467 {19, false, "\006health\006google\003com"}, |
| 440 {21, false, "\010checkout\006google\003com"}, | 468 {21, false, "\010checkout\006google\003com"}, |
| 441 {19, false, "\006chrome\006google\003com"}, | 469 {19, false, "\006chrome\006google\003com"}, |
| 442 }; | 470 }; |
| 443 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS); | 471 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS); |
| 444 | 472 |
| 445 for (size_t i = 0; canonicalised_host[i]; i += canonicalised_host[i] + 1) { | 473 for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) { |
| 446 for (size_t j = 0; j < kNumPreloadedSTS; j++) { | 474 for (size_t j = 0; j < kNumPreloadedSTS; j++) { |
| 447 if (kPreloadedSTS[j].length == canonicalised_host.size() - i && | 475 if (kPreloadedSTS[j].length == canonicalized_host.size() - i && |
| 448 (kPreloadedSTS[j].include_subdomains || i == 0) && | 476 (kPreloadedSTS[j].include_subdomains || i == 0) && |
| 449 memcmp(kPreloadedSTS[j].dns_name, &canonicalised_host[i], | 477 memcmp(kPreloadedSTS[j].dns_name, &canonicalized_host[i], |
| 450 kPreloadedSTS[j].length) == 0) { | 478 kPreloadedSTS[j].length) == 0) { |
| 451 *include_subdomains = kPreloadedSTS[j].include_subdomains; | 479 *include_subdomains = kPreloadedSTS[j].include_subdomains; |
| 452 return true; | 480 return true; |
| 453 } | 481 } |
| 454 } | 482 } |
| 455 } | 483 } |
| 456 | 484 |
| 457 return false; | 485 return false; |
| 458 } | 486 } |
| 459 | 487 |
| 460 } // namespace | 488 } // namespace |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 6500010:
HSTS: add net-internals UI. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src