OLD | NEW |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_BASE_SSL_FALSE_START_BLACKLIST_H_ | 5 #ifndef NET_BASE_SSL_FALSE_START_BLACKLIST_H_ |
6 #define NET_BASE_SSL_FALSE_START_BLACKLIST_H_ | 6 #define NET_BASE_SSL_FALSE_START_BLACKLIST_H_ |
7 | 7 |
8 #include "base/basictypes.h" | 8 #include <string> |
| 9 |
| 10 #include "base/logging.h" |
9 #include "net/base/net_export.h" | 11 #include "net/base/net_export.h" |
10 | 12 |
11 namespace net { | 13 namespace net { |
12 | 14 |
13 // SSLFalseStartBlacklist is a set of domains which we believe to be intolerant | 15 // SSLFalseStartBlacklist is a set of domains which we believe to be intolerant |
14 // to TLS False Start. Because this set is several hundred long, it's | 16 // to TLS False Start. Because this set is several hundred long, it's |
15 // precompiled by the code in ssl_false_start_blacklist_process.cc into a hash | 17 // precompiled by the code in ssl_false_start_blacklist_process.cc into a hash |
16 // table for fast lookups. | 18 // table for fast lookups. |
17 class SSLFalseStartBlacklist { | 19 class SSLFalseStartBlacklist { |
18 public: | 20 public: |
19 // IsMember returns true if the given host is in the blacklist. | 21 // Returns true if |host| (a DNS name in dotted form, e.g. "www.example.com") |
20 // host: a DNS name in dotted form (i.e. "www.example.com") | 22 // is in the blacklist. |
21 NET_EXPORT_PRIVATE static bool IsMember(const char* host); | 23 NET_EXPORT_PRIVATE static bool IsMember(const std::string& host); |
22 | 24 |
23 // Hash returns the modified djb2 hash of the given string. | 25 // Returns the modified djb2 hash of |host|. |
24 static unsigned Hash(const char* str) { | 26 // NOTE: This is inline because the code which generates the hash table needs |
25 // This is inline because the code which generates the hash table needs to | 27 // to use it. However, the generating code cannot link against |
26 // use it. However, the generating code cannot link against | 28 // ssl_false_start_blacklist.cc because that needs the tables which it |
27 // ssl_false_start_blacklist.cc because that needs the tables which it | 29 // generates. |
28 // generates. | 30 static uint32 Hash(const std::string& host) { |
29 const unsigned char* in = reinterpret_cast<const unsigned char*>(str); | 31 uint32 hash = 5381; |
30 unsigned hash = 5381; | 32 for (const uint8* in = reinterpret_cast<const uint8*>(host.c_str()); |
31 unsigned char c; | 33 *in != 0; ++in) |
32 | 34 hash = ((hash << 5) + hash) ^ *in; |
33 while ((c = *in++)) | |
34 hash = ((hash << 5) + hash) ^ c; | |
35 return hash; | 35 return hash; |
36 } | 36 } |
37 | 37 |
38 // LastTwoLabels returns a pointer within |host| to the last two labels of | 38 // Returns the last two dot-separated components of |host|, ignoring any |
39 // |host|. For example, if |host| is "a.b.c.d" then LastTwoLabels will return | 39 // trailing dots. For example, returns "c.d" for "a.b.c.d.". Returns an |
40 // "c.d". | 40 // empty string if |host| does not have two dot-separated components. |
41 // host: a DNS name in dotted form. | 41 // NOTE: Inline for the same reason as Hash(). |
42 // returns: NULL on error, otherwise a pointer inside |host|. | 42 static std::string LastTwoComponents(const std::string& host) { |
43 static const char* LastTwoLabels(const char* host) { | 43 size_t last_nondot = host.find_last_not_of('.'); |
44 // See comment in |Hash| for why this function is inline. | 44 if (last_nondot == std::string::npos) |
45 const size_t len = strlen(host); | 45 return std::string(); |
46 if (len == 0) | 46 size_t last_dot = host.find_last_of('.', last_nondot); |
47 return NULL; | 47 if ((last_dot == 0) || (last_dot == std::string::npos)) |
48 | 48 return std::string(); |
49 unsigned dots_found = 0; | 49 // NOTE: This next line works correctly even when the call returns npos. |
50 size_t i; | 50 size_t components_begin = host.find_last_of('.', last_dot - 1) + 1; |
51 for (i = len - 1; i < len; i--) { | 51 return host.substr(components_begin, last_nondot - components_begin + 1); |
52 if (host[i] == '.') { | |
53 dots_found++; | |
54 if (dots_found == 2) { | |
55 i++; | |
56 break; | |
57 } | |
58 } | |
59 } | |
60 | |
61 if (i > len) | |
62 i = 0; | |
63 | |
64 if (dots_found == 0) | |
65 return NULL; // no names with less than two labels are in the blacklist. | |
66 if (dots_found == 1) { | |
67 if (host[0] == '.') | |
68 return NULL; // ditto | |
69 } | |
70 | |
71 return &host[i]; | |
72 } | 52 } |
73 | 53 |
74 // This is the number of buckets in the blacklist hash table. (Must be a | 54 // This is the number of buckets in the blacklist hash table. (Must be a |
75 // power of two). | 55 // power of two). |
76 static const unsigned kBuckets = 128; | 56 static const size_t kBuckets = 128; |
77 | 57 |
78 private: | 58 private: |
79 // The following two members are defined in | 59 // The following two members are defined in |
80 // ssl_false_start_blacklist_data.cc, which is generated by | 60 // ssl_false_start_blacklist_data.cc, which is generated by |
81 // ssl_false_start_blacklist_process.cc | 61 // ssl_false_start_blacklist_process.cc |
82 | 62 |
83 // kHashTable contains an offset into |kHashData| for each bucket. The | 63 // kHashTable contains an offset into |kHashData| for each bucket. The |
84 // additional element at the end contains the length of |kHashData|. | 64 // additional element at the end contains the length of |kHashData|. |
85 static const uint32 kHashTable[kBuckets + 1]; | 65 static const uint32 kHashTable[kBuckets + 1]; |
86 // kHashData contains the contents of the hash table. |kHashTable| indexes | 66 // kHashData contains the contents of the hash table. |kHashTable| indexes |
87 // into this array. Each bucket consists of zero or more, 8-bit length | 67 // into this array. Each bucket consists of zero or more, 8-bit length |
88 // prefixed strings. Each string is a DNS name in dotted form. For a given | 68 // prefixed strings. Each string is a DNS name in dotted form. For a given |
89 // string x, x and *.x are considered to be in the blacklist. In order to | 69 // string x, x and *.x are considered to be in the blacklist. In order to |
90 // assign a string to a hash bucket, the last two labels (not including the | 70 // assign a string to a hash bucket, the last two labels (not including the |
91 // root label) are hashed. Thus, the bucket for "www.example.com" is | 71 // root label) are hashed. Thus, the bucket for "www.example.com" is |
92 // Hash("example.com"). No names that are less than two labels long are | 72 // Hash("example.com"). No names that are less than two labels long are |
93 // included in the blacklist. | 73 // included in the blacklist. |
94 static const char kHashData[]; | 74 static const char kHashData[]; |
95 }; | 75 }; |
96 | 76 |
97 } // namespace net | 77 } // namespace net |
98 | 78 |
99 #endif // NET_BASE_SSL_FALSE_START_BLACKLIST_H_ | 79 #endif // NET_BASE_SSL_FALSE_START_BLACKLIST_H_ |
OLD | NEW |