| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_BASE_TRANSPORT_SECURITY_STATE_H_ | 5 #ifndef NET_BASE_TRANSPORT_SECURITY_STATE_H_ |
| 6 #define NET_BASE_TRANSPORT_SECURITY_STATE_H_ | 6 #define NET_BASE_TRANSPORT_SECURITY_STATE_H_ |
| 7 #pragma once | 7 #pragma once |
| 8 | 8 |
| 9 #include <map> | 9 #include <map> |
| 10 #include <string> | 10 #include <string> |
| (...skipping 13 matching lines...) Expand all Loading... |
| 24 // the in-memory store. A separate object must register itself with this object | 24 // the in-memory store. A separate object must register itself with this object |
| 25 // in order to persist the state to disk. | 25 // in order to persist the state to disk. |
| 26 class TransportSecurityState : | 26 class TransportSecurityState : |
| 27 public base::RefCountedThreadSafe<TransportSecurityState> { | 27 public base::RefCountedThreadSafe<TransportSecurityState> { |
| 28 public: | 28 public: |
| 29 TransportSecurityState(); | 29 TransportSecurityState(); |
| 30 | 30 |
| 31 // A DomainState is the information that we persist about a given domain. | 31 // A DomainState is the information that we persist about a given domain. |
| 32 struct DomainState { | 32 struct DomainState { |
| 33 enum Mode { | 33 enum Mode { |
| 34 // None means there is no HSTS for this domain. |
| 35 MODE_NONE = 0, |
| 34 // Strict mode implies: | 36 // Strict mode implies: |
| 35 // * We generate internal redirects from HTTP -> HTTPS. | 37 // * We generate internal redirects from HTTP -> HTTPS. |
| 36 // * Certificate issues are fatal. | 38 // * Certificate issues are fatal. |
| 37 MODE_STRICT = 0, | 39 MODE_STRICT = 1, |
| 38 // Opportunistic mode implies: | 40 // Opportunistic mode implies: |
| 39 // * We'll request HTTP URLs over HTTPS | 41 // * We'll request HTTP URLs over HTTPS |
| 40 // * Certificate issues are ignored. | 42 // * Certificate issues are ignored. |
| 41 MODE_OPPORTUNISTIC = 1, | 43 MODE_OPPORTUNISTIC = 2, |
| 42 // SPDY_ONLY (aka X-Bodge-Transport-Security) is a hopefully temporary | 44 // SPDY_ONLY (aka X-Bodge-Transport-Security) is a hopefully temporary |
| 43 // measure. It implies: | 45 // measure. It implies: |
| 44 // * We'll request HTTP URLs over HTTPS iff we have SPDY support. | 46 // * We'll request HTTP URLs over HTTPS iff we have SPDY support. |
| 45 // * Certificate issues are fatal. | 47 // * Certificate issues are fatal. |
| 46 MODE_SPDY_ONLY = 2, | 48 MODE_SPDY_ONLY = 3, |
| 47 }; | 49 }; |
| 48 | 50 |
| 49 DomainState(); | 51 DomainState(); |
| 50 ~DomainState(); | 52 ~DomainState(); |
| 51 | 53 |
| 52 // IsChainOfPublicKeysPermitted takes a set of public key hashes and | 54 // IsChainOfPublicKeysPermitted takes a set of public key hashes and |
| 53 // returns true if: | 55 // returns true if: |
| 54 // 1) |public_key_hashes| is empty, i.e. no public keys have been pinned. | 56 // 1) |public_key_hashes| is empty, i.e. no public keys have been pinned. |
| 55 // 2) |hashes| and |public_key_hashes| are not disjoint. | 57 // 2) |hashes| and |public_key_hashes| are not disjoint. |
| 56 bool IsChainOfPublicKeysPermitted( | 58 bool IsChainOfPublicKeysPermitted( |
| (...skipping 58 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 115 | 117 |
| 116 ~TransportSecurityState(); | 118 ~TransportSecurityState(); |
| 117 | 119 |
| 118 // If we have a callback configured, call it to let our serialiser know that | 120 // If we have a callback configured, call it to let our serialiser know that |
| 119 // our state is dirty. | 121 // our state is dirty. |
| 120 void DirtyNotify(); | 122 void DirtyNotify(); |
| 121 | 123 |
| 122 static std::string CanonicalizeHost(const std::string& host); | 124 static std::string CanonicalizeHost(const std::string& host); |
| 123 static bool IsPreloadedSTS(const std::string& canonicalized_host, | 125 static bool IsPreloadedSTS(const std::string& canonicalized_host, |
| 124 bool sni_available, | 126 bool sni_available, |
| 125 bool* out_include_subdomains); | 127 DomainState* out); |
| 126 | 128 |
| 127 // The set of hosts that have enabled TransportSecurity. The keys here | 129 // The set of hosts that have enabled TransportSecurity. The keys here |
| 128 // are SHA256(DNSForm(domain)) where DNSForm converts from dotted form | 130 // are SHA256(DNSForm(domain)) where DNSForm converts from dotted form |
| 129 // ('www.google.com') to the form used in DNS: "\x03www\x06google\x03com" | 131 // ('www.google.com') to the form used in DNS: "\x03www\x06google\x03com" |
| 130 std::map<std::string, DomainState> enabled_hosts_; | 132 std::map<std::string, DomainState> enabled_hosts_; |
| 131 | 133 |
| 132 // Our delegate who gets notified when we are dirtied, or NULL. | 134 // Our delegate who gets notified when we are dirtied, or NULL. |
| 133 Delegate* delegate_; | 135 Delegate* delegate_; |
| 134 | 136 |
| 135 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); | 137 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); |
| 136 }; | 138 }; |
| 137 | 139 |
| 138 } // namespace net | 140 } // namespace net |
| 139 | 141 |
| 140 #endif // NET_BASE_TRANSPORT_SECURITY_STATE_H_ | 142 #endif // NET_BASE_TRANSPORT_SECURITY_STATE_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 6869043:
Add command-line control of the HSTS preload list. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/