| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_BASE_TRANSPORT_SECURITY_STATE_H_ | 5 #ifndef NET_BASE_TRANSPORT_SECURITY_STATE_H_ |
| 6 #define NET_BASE_TRANSPORT_SECURITY_STATE_H_ | 6 #define NET_BASE_TRANSPORT_SECURITY_STATE_H_ |
| 7 #pragma once | 7 #pragma once |
| 8 | 8 |
| 9 #include <map> | 9 #include <map> |
| 10 #include <string> | 10 #include <string> |
| (...skipping 26 matching lines...) Expand all Loading... |
| 37 MODE_STRICT = 0, | 37 MODE_STRICT = 0, |
| 38 // Opportunistic mode implies: | 38 // Opportunistic mode implies: |
| 39 // * We'll request HTTP URLs over HTTPS | 39 // * We'll request HTTP URLs over HTTPS |
| 40 // * Certificate issues are ignored. | 40 // * Certificate issues are ignored. |
| 41 MODE_OPPORTUNISTIC = 1, | 41 MODE_OPPORTUNISTIC = 1, |
| 42 // SPDY_ONLY (aka X-Bodge-Transport-Security) is a hopefully temporary | 42 // SPDY_ONLY (aka X-Bodge-Transport-Security) is a hopefully temporary |
| 43 // measure. It implies: | 43 // measure. It implies: |
| 44 // * We'll request HTTP URLs over HTTPS iff we have SPDY support. | 44 // * We'll request HTTP URLs over HTTPS iff we have SPDY support. |
| 45 // * Certificate issues are fatal. | 45 // * Certificate issues are fatal. |
| 46 MODE_SPDY_ONLY = 2, | 46 MODE_SPDY_ONLY = 2, |
| 47 // None means there is no HSTS for this domain. |
| 48 MODE_NONE = 3, |
| 47 }; | 49 }; |
| 48 | 50 |
| 49 DomainState(); | 51 DomainState(); |
| 50 ~DomainState(); | 52 ~DomainState(); |
| 51 | 53 |
| 52 // IsChainOfPublicKeysPermitted takes a set of public key hashes and | 54 // IsChainOfPublicKeysPermitted takes a set of public key hashes and |
| 53 // returns true if: | 55 // returns true if: |
| 54 // 1) |public_key_hashes| is empty, i.e. no public keys have been pinned. | 56 // 1) |public_key_hashes| is empty, i.e. no public keys have been pinned. |
| 55 // 2) |hashes| and |public_key_hashes| are not disjoint. | 57 // 2) |hashes| and |public_key_hashes| are not disjoint. |
| 56 bool IsChainOfPublicKeysPermitted( | 58 bool IsChainOfPublicKeysPermitted( |
| (...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 97 // Thus it must not reenter the TransportSecurityState object. | 99 // Thus it must not reenter the TransportSecurityState object. |
| 98 virtual void StateIsDirty(TransportSecurityState* state) = 0; | 100 virtual void StateIsDirty(TransportSecurityState* state) = 0; |
| 99 | 101 |
| 100 protected: | 102 protected: |
| 101 virtual ~Delegate() {} | 103 virtual ~Delegate() {} |
| 102 }; | 104 }; |
| 103 | 105 |
| 104 void SetDelegate(Delegate*); | 106 void SetDelegate(Delegate*); |
| 105 | 107 |
| 106 bool Serialise(std::string* output); | 108 bool Serialise(std::string* output); |
| 107 bool Deserialise(const std::string& state, bool* dirty); | 109 // Existing non-preloaded entries are cleared and repopulated from the |
| 110 // passed JSON string. |
| 111 bool LoadEntries(const std::string& state, bool* dirty); |
| 108 | 112 |
| 109 // The maximum number of seconds for which we'll cache an HSTS request. | 113 // The maximum number of seconds for which we'll cache an HSTS request. |
| 110 static const long int kMaxHSTSAgeSecs; | 114 static const long int kMaxHSTSAgeSecs; |
| 111 | 115 |
| 112 private: | 116 private: |
| 113 friend class base::RefCountedThreadSafe<TransportSecurityState>; | 117 friend class base::RefCountedThreadSafe<TransportSecurityState>; |
| 114 FRIEND_TEST_ALL_PREFIXES(TransportSecurityStateTest, IsPreloaded); | 118 FRIEND_TEST_ALL_PREFIXES(TransportSecurityStateTest, IsPreloaded); |
| 115 | 119 |
| 116 ~TransportSecurityState(); | 120 ~TransportSecurityState(); |
| 117 | 121 |
| 118 // If we have a callback configured, call it to let our serialiser know that | 122 // If we have a callback configured, call it to let our serialiser know that |
| 119 // our state is dirty. | 123 // our state is dirty. |
| 120 void DirtyNotify(); | 124 void DirtyNotify(); |
| 121 | 125 |
| 122 static std::string CanonicalizeHost(const std::string& host); | 126 static std::string CanonicalizeHost(const std::string& host); |
| 123 static bool IsPreloadedSTS(const std::string& canonicalized_host, | 127 static bool IsPreloadedSTS(const std::string& canonicalized_host, |
| 124 bool sni_available, | 128 bool sni_available, |
| 125 bool* out_include_subdomains); | 129 DomainState* out); |
| 130 static bool Deserialise(const std::string& state, |
| 131 bool* dirty, |
| 132 std::map<std::string, DomainState>* out); |
| 126 | 133 |
| 127 // The set of hosts that have enabled TransportSecurity. The keys here | 134 // The set of hosts that have enabled TransportSecurity. The keys here |
| 128 // are SHA256(DNSForm(domain)) where DNSForm converts from dotted form | 135 // are SHA256(DNSForm(domain)) where DNSForm converts from dotted form |
| 129 // ('www.google.com') to the form used in DNS: "\x03www\x06google\x03com" | 136 // ('www.google.com') to the form used in DNS: "\x03www\x06google\x03com" |
| 130 std::map<std::string, DomainState> enabled_hosts_; | 137 std::map<std::string, DomainState> enabled_hosts_; |
| 131 | 138 |
| 132 // Our delegate who gets notified when we are dirtied, or NULL. | 139 // Our delegate who gets notified when we are dirtied, or NULL. |
| 133 Delegate* delegate_; | 140 Delegate* delegate_; |
| 134 | 141 |
| 135 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); | 142 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); |
| 136 }; | 143 }; |
| 137 | 144 |
| 138 } // namespace net | 145 } // namespace net |
| 139 | 146 |
| 140 #endif // NET_BASE_TRANSPORT_SECURITY_STATE_H_ | 147 #endif // NET_BASE_TRANSPORT_SECURITY_STATE_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 6869043:
Add command-line control of the HSTS preload list. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/