OLD | NEW |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_BASE_TRANSPORT_SECURITY_STATE_H_ | 5 #ifndef NET_BASE_TRANSPORT_SECURITY_STATE_H_ |
6 #define NET_BASE_TRANSPORT_SECURITY_STATE_H_ | 6 #define NET_BASE_TRANSPORT_SECURITY_STATE_H_ |
7 #pragma once | 7 #pragma once |
8 | 8 |
9 #include <map> | 9 #include <map> |
10 #include <string> | 10 #include <string> |
(...skipping 26 matching lines...) Expand all Loading... |
37 MODE_STRICT = 0, | 37 MODE_STRICT = 0, |
38 // Opportunistic mode implies: | 38 // Opportunistic mode implies: |
39 // * We'll request HTTP URLs over HTTPS | 39 // * We'll request HTTP URLs over HTTPS |
40 // * Certificate issues are ignored. | 40 // * Certificate issues are ignored. |
41 MODE_OPPORTUNISTIC = 1, | 41 MODE_OPPORTUNISTIC = 1, |
42 // SPDY_ONLY (aka X-Bodge-Transport-Security) is a hopefully temporary | 42 // SPDY_ONLY (aka X-Bodge-Transport-Security) is a hopefully temporary |
43 // measure. It implies: | 43 // measure. It implies: |
44 // * We'll request HTTP URLs over HTTPS iff we have SPDY support. | 44 // * We'll request HTTP URLs over HTTPS iff we have SPDY support. |
45 // * Certificate issues are fatal. | 45 // * Certificate issues are fatal. |
46 MODE_SPDY_ONLY = 2, | 46 MODE_SPDY_ONLY = 2, |
| 47 // None means there is no HSTS for this domain. |
| 48 MODE_NONE = 3, |
47 }; | 49 }; |
48 | 50 |
49 DomainState(); | 51 DomainState(); |
50 ~DomainState(); | 52 ~DomainState(); |
51 | 53 |
52 // IsChainOfPublicKeysPermitted takes a set of public key hashes and | 54 // IsChainOfPublicKeysPermitted takes a set of public key hashes and |
53 // returns true if: | 55 // returns true if: |
54 // 1) |public_key_hashes| is empty, i.e. no public keys have been pinned. | 56 // 1) |public_key_hashes| is empty, i.e. no public keys have been pinned. |
55 // 2) |hashes| and |public_key_hashes| are not disjoint. | 57 // 2) |hashes| and |public_key_hashes| are not disjoint. |
56 bool IsChainOfPublicKeysPermitted( | 58 bool IsChainOfPublicKeysPermitted( |
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
97 // Thus it must not reenter the TransportSecurityState object. | 99 // Thus it must not reenter the TransportSecurityState object. |
98 virtual void StateIsDirty(TransportSecurityState* state) = 0; | 100 virtual void StateIsDirty(TransportSecurityState* state) = 0; |
99 | 101 |
100 protected: | 102 protected: |
101 virtual ~Delegate() {} | 103 virtual ~Delegate() {} |
102 }; | 104 }; |
103 | 105 |
104 void SetDelegate(Delegate*); | 106 void SetDelegate(Delegate*); |
105 | 107 |
106 bool Serialise(std::string* output); | 108 bool Serialise(std::string* output); |
107 bool Deserialise(const std::string& state, bool* dirty); | 109 // Existing non-preloaded entries are cleared and repopulated from the |
| 110 // passed JSON string. |
| 111 bool LoadEntries(const std::string& state, bool* dirty); |
108 | 112 |
109 // The maximum number of seconds for which we'll cache an HSTS request. | 113 // The maximum number of seconds for which we'll cache an HSTS request. |
110 static const long int kMaxHSTSAgeSecs; | 114 static const long int kMaxHSTSAgeSecs; |
111 | 115 |
112 private: | 116 private: |
113 friend class base::RefCountedThreadSafe<TransportSecurityState>; | 117 friend class base::RefCountedThreadSafe<TransportSecurityState>; |
114 FRIEND_TEST_ALL_PREFIXES(TransportSecurityStateTest, IsPreloaded); | 118 FRIEND_TEST_ALL_PREFIXES(TransportSecurityStateTest, IsPreloaded); |
115 | 119 |
116 ~TransportSecurityState(); | 120 ~TransportSecurityState(); |
117 | 121 |
118 // If we have a callback configured, call it to let our serialiser know that | 122 // If we have a callback configured, call it to let our serialiser know that |
119 // our state is dirty. | 123 // our state is dirty. |
120 void DirtyNotify(); | 124 void DirtyNotify(); |
121 | 125 |
122 static std::string CanonicalizeHost(const std::string& host); | 126 static std::string CanonicalizeHost(const std::string& host); |
123 static bool IsPreloadedSTS(const std::string& canonicalized_host, | 127 static bool IsPreloadedSTS(const std::string& canonicalized_host, |
124 bool sni_available, | 128 bool sni_available, |
125 bool* out_include_subdomains); | 129 DomainState* out); |
| 130 static bool Deserialise(const std::string& state, |
| 131 bool* dirty, |
| 132 std::map<std::string, DomainState>* out); |
126 | 133 |
127 // The set of hosts that have enabled TransportSecurity. The keys here | 134 // The set of hosts that have enabled TransportSecurity. The keys here |
128 // are SHA256(DNSForm(domain)) where DNSForm converts from dotted form | 135 // are SHA256(DNSForm(domain)) where DNSForm converts from dotted form |
129 // ('www.google.com') to the form used in DNS: "\x03www\x06google\x03com" | 136 // ('www.google.com') to the form used in DNS: "\x03www\x06google\x03com" |
130 std::map<std::string, DomainState> enabled_hosts_; | 137 std::map<std::string, DomainState> enabled_hosts_; |
131 | 138 |
132 // Our delegate who gets notified when we are dirtied, or NULL. | 139 // Our delegate who gets notified when we are dirtied, or NULL. |
133 Delegate* delegate_; | 140 Delegate* delegate_; |
134 | 141 |
135 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); | 142 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); |
136 }; | 143 }; |
137 | 144 |
138 } // namespace net | 145 } // namespace net |
139 | 146 |
140 #endif // NET_BASE_TRANSPORT_SECURITY_STATE_H_ | 147 #endif // NET_BASE_TRANSPORT_SECURITY_STATE_H_ |
OLD | NEW |