1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/transport_security_state.h" | 5 #include "net/base/transport_security_state.h" |
6 | 6 |
7 #if defined(USE_OPENSSL) | 7 #if defined(USE_OPENSSL) |
8 #include <openssl/ecdsa.h> | 8 #include <openssl/ecdsa.h> |
9 #include <openssl/ssl.h> | 9 #include <openssl/ssl.h> |
10 #else // !defined(USE_OPENSSL) | 10 #else // !defined(USE_OPENSSL) |
837 hash++; | 837 hash++; |
838 } | 838 } |
839 } | 839 } |
840 } | 840 } |
841 return true; | 841 return true; |
842 } | 842 } |
843 } | 843 } |
844 return false; | 844 return false; |
845 } | 845 } |
846 | 846 |
847 // IsPreloadedSTS returns true if the canonicalized hostname should always be | 847 // These hashes are base64 encodings of SHA1 hashes for cert public keys. |
848 // considered to have STS enabled. | 848 static const char kCertPKHashVerisignClass3[] = |
849 bool TransportSecurityState::IsPreloadedSTS( | 849 "sha1/4n972HfV354KP560yw4uqe/baXc="; |
850 const std::string& canonicalized_host, | 850 static const char kCertPKHashVerisignClass3G3[] = |
851 bool sni_available, | 851 "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc="; |
852 DomainState* out) { | 852 static const char kCertPKHashGoogle1024[] = |
853 DCHECK(CalledOnValidThread()); | 853 "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0="; |
| 854 static const char kCertPKHashGoogle2048[] = |
| 855 "sha1/AbkhxY0L343gKf+cki7NVWp+ozk="; |
| 856 static const char kCertPKHashEquifaxSecureCA[] = |
| 857 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q="; |
| 858 static const char* const kGoogleAcceptableCerts[] = { |
| 859 kCertPKHashVerisignClass3, |
| 860 kCertPKHashVerisignClass3G3, |
| 861 kCertPKHashGoogle1024, |
| 862 kCertPKHashGoogle2048, |
| 863 kCertPKHashEquifaxSecureCA, |
| 864 NULL, |
| 865 }; |
854 | 866 |
855 out->preloaded = true; | 867 static const char kCertRapidSSL[] = |
856 out->mode = DomainState::MODE_STRICT; | 868 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI="; |
857 out->include_subdomains = false; | 869 static const char kCertDigiCertEVRoot[] = |
| 870 "sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM="; |
| 871 static const char kCertTor1[] = |
| 872 "sha1/juNxSTv9UANmpC9kF5GKpmWNx3Y="; |
| 873 static const char kCertTor2[] = |
| 874 "sha1/lia43lPolzSPVIq34Dw57uYcLD8="; |
| 875 static const char kCertTor3[] = |
| 876 "sha1/rzEyQIKOh77j87n5bjWUNguXF8Y="; |
| 877 static const char* const kTorAcceptableCerts[] = { |
| 878 kCertRapidSSL, |
| 879 kCertDigiCertEVRoot, |
| 880 kCertTor1, |
| 881 kCertTor2, |
| 882 kCertTor3, |
| 883 NULL, |
| 884 }; |
858 | 885 |
859 // These hashes are base64 encodings of SHA1 hashes for cert public keys. | 886 static const char kCertVerisignClass1[] = |
860 static const char kCertPKHashVerisignClass3[] = | |
861 "sha1/4n972HfV354KP560yw4uqe/baXc="; | |
862 static const char kCertPKHashVerisignClass3G3[] = | |
863 "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc="; | |
864 static const char kCertPKHashGoogle1024[] = | |
865 "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0="; | |
866 static const char kCertPKHashGoogle2048[] = | |
867 "sha1/AbkhxY0L343gKf+cki7NVWp+ozk="; | |
868 static const char kCertPKHashEquifaxSecureCA[] = | |
869 "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q="; | |
870 static const char* const kGoogleAcceptableCerts[] = { | |
871 kCertPKHashVerisignClass3, | |
872 kCertPKHashVerisignClass3G3, | |
873 kCertPKHashGoogle1024, | |
874 kCertPKHashGoogle2048, | |
875 kCertPKHashEquifaxSecureCA, | |
876 0, | |
877 }; | |
878 | |
879 static const char kCertRapidSSL[] = | |
880 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI="; | |
881 static const char kCertDigiCertEVRoot[] = | |
882 "sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM="; | |
883 static const char kCertTor1[] = | |
884 "sha1/juNxSTv9UANmpC9kF5GKpmWNx3Y="; | |
885 static const char kCertTor2[] = | |
886 "sha1/lia43lPolzSPVIq34Dw57uYcLD8="; | |
887 static const char kCertTor3[] = | |
888 "sha1/rzEyQIKOh77j87n5bjWUNguXF8Y="; | |
889 static const char* const kTorAcceptableCerts[] = { | |
890 kCertRapidSSL, | |
891 kCertDigiCertEVRoot, | |
892 kCertTor1, | |
893 kCertTor2, | |
894 kCertTor3, | |
895 0, | |
896 }; | |
897 | |
898 static const char kCertVerisignClass1[] = | |
899 "sha1/I0PRSKJViZuUfUYaeX7ATP7RcLc="; | 887 "sha1/I0PRSKJViZuUfUYaeX7ATP7RcLc="; |
900 static const char kCertVerisignClass3[] = | 888 static const char kCertVerisignClass3[] = |
901 "sha1/4n972HfV354KP560yw4uqe/baXc="; | 889 "sha1/4n972HfV354KP560yw4uqe/baXc="; |
902 static const char kCertVerisignClass3_G4[] = | 890 static const char kCertVerisignClass3_G4[] = |
903 "sha1/7WYxNdMb1OymFMQp4xkGn5TBJlA="; | 891 "sha1/7WYxNdMb1OymFMQp4xkGn5TBJlA="; |
904 static const char kCertVerisignClass4_G3[] = | 892 static const char kCertVerisignClass4_G3[] = |
905 "sha1/PANDaGiVHPNpKri0Jtq6j+ki5b0="; | 893 "sha1/PANDaGiVHPNpKri0Jtq6j+ki5b0="; |
906 static const char kCertVerisignClass3_G3[] = | 894 static const char kCertVerisignClass3_G3[] = |
907 "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc="; | 895 "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc="; |
908 static const char kCertVerisignClass1_G3[] = | 896 static const char kCertVerisignClass1_G3[] = |
909 "sha1/VRmyeKyygdftp6vBg5nDu2kEJLU="; | 897 "sha1/VRmyeKyygdftp6vBg5nDu2kEJLU="; |
910 static const char kCertVerisignClass2_G3[] = | 898 static const char kCertVerisignClass2_G3[] = |
911 "sha1/Wr7Fddyu87COJxlD/H8lDD32YeM="; | 899 "sha1/Wr7Fddyu87COJxlD/H8lDD32YeM="; |
912 static const char kCertVerisignClass3_G2[] = | 900 static const char kCertVerisignClass3_G2[] = |
913 "sha1/GiG0lStik84Ys2XsnA6TTLOB5tQ="; | 901 "sha1/GiG0lStik84Ys2XsnA6TTLOB5tQ="; |
914 static const char kCertVerisignClass2_G2[] = | 902 static const char kCertVerisignClass2_G2[] = |
915 "sha1/Eje6RRfurSkm/cHN/r7t8t7ZFFw="; | 903 "sha1/Eje6RRfurSkm/cHN/r7t8t7ZFFw="; |
916 static const char kCertVerisignClass3_G5[] = | 904 static const char kCertVerisignClass3_G5[] = |
917 "sha1/sYEIGhmkwJQf+uiVKMEkyZs0rMc="; | 905 "sha1/sYEIGhmkwJQf+uiVKMEkyZs0rMc="; |
918 static const char kCertVerisignUniversal[] = | 906 static const char kCertVerisignUniversal[] = |
919 "sha1/u8I+KQuzKHcdrT6iTb30I70GsD0="; | 907 "sha1/u8I+KQuzKHcdrT6iTb30I70GsD0="; |
920 | 908 |
921 static const char kCertTwitter1[] = | 909 static const char kCertTwitter1[] = |
922 "sha1/Vv7zwhR9TtOIN/29MFI4cgHld40="; | 910 "sha1/Vv7zwhR9TtOIN/29MFI4cgHld40="; |
923 | 911 |
924 static const char kCertGeoTrustGlobal[] = | 912 static const char kCertGeoTrustGlobal[] = |
925 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4="; | 913 "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4="; |
926 static const char kCertGeoTrustGlobal2[] = | 914 static const char kCertGeoTrustGlobal2[] = |
927 "sha1/cTg28gIxU0crbrplRqkQFVggBQk="; | 915 "sha1/cTg28gIxU0crbrplRqkQFVggBQk="; |
928 static const char kCertGeoTrustUniversal[] = | 916 static const char kCertGeoTrustUniversal[] = |
929 "sha1/h+hbY1PGI6MSjLD/u/VR/lmADiI="; | 917 "sha1/h+hbY1PGI6MSjLD/u/VR/lmADiI="; |
930 static const char kCertGeoTrustUniversal2[] = | 918 static const char kCertGeoTrustUniversal2[] = |
931 "sha1/Xk9ThoXdT57KX9wNRW99UbHcm3s="; | 919 "sha1/Xk9ThoXdT57KX9wNRW99UbHcm3s="; |
932 static const char kCertGeoTrustPrimary[] = | 920 static const char kCertGeoTrustPrimary[] = |
933 "sha1/sBmJ5+/7Sq/LFI9YRjl2IkFQ4bo="; | 921 "sha1/sBmJ5+/7Sq/LFI9YRjl2IkFQ4bo="; |
934 static const char kCertGeoTrustPrimaryG2[] = | 922 static const char kCertGeoTrustPrimaryG2[] = |
935 "sha1/vb6nG6txV/nkddlU0rcngBqCJoI="; | 923 "sha1/vb6nG6txV/nkddlU0rcngBqCJoI="; |
936 static const char kCertGeoTrustPrimaryG3[] = | 924 static const char kCertGeoTrustPrimaryG3[] = |
937 "sha1/nKmNAK90Dd2BgNITRaWLjy6UONY="; | 925 "sha1/nKmNAK90Dd2BgNITRaWLjy6UONY="; |
938 | 926 |
939 static const char* const kTwitterComAcceptableCerts[] = { | 927 static const char* const kTwitterComAcceptableCerts[] = { |
940 kCertVerisignClass1, | 928 kCertVerisignClass1, |
941 kCertVerisignClass3, | 929 kCertVerisignClass3, |
942 kCertVerisignClass3_G4, | 930 kCertVerisignClass3_G4, |
943 kCertVerisignClass4_G3, | 931 kCertVerisignClass4_G3, |
944 kCertVerisignClass3_G3, | 932 kCertVerisignClass3_G3, |
945 kCertVerisignClass1_G3, | 933 kCertVerisignClass1_G3, |
946 kCertVerisignClass2_G3, | 934 kCertVerisignClass2_G3, |
947 kCertVerisignClass3_G2, | 935 kCertVerisignClass3_G2, |
948 kCertVerisignClass2_G2, | 936 kCertVerisignClass2_G2, |
949 kCertVerisignClass3_G5, | 937 kCertVerisignClass3_G5, |
950 kCertVerisignUniversal, | 938 kCertVerisignUniversal, |
951 kCertGeoTrustGlobal, | 939 kCertGeoTrustGlobal, |
952 kCertGeoTrustGlobal2, | 940 kCertGeoTrustGlobal2, |
953 kCertGeoTrustUniversal, | 941 kCertGeoTrustUniversal, |
954 kCertGeoTrustUniversal2, | 942 kCertGeoTrustUniversal2, |
955 kCertGeoTrustPrimary, | 943 kCertGeoTrustPrimary, |
956 kCertGeoTrustPrimaryG2, | 944 kCertGeoTrustPrimaryG2, |
957 kCertGeoTrustPrimaryG3, | 945 kCertGeoTrustPrimaryG3, |
958 kCertTwitter1, | 946 kCertTwitter1, |
959 0, | 947 NULL, |
960 }; | 948 }; |
961 | 949 |
962 // kTestAcceptableCerts doesn't actually match any public keys and is used | 950 // kTestAcceptableCerts doesn't actually match any public keys and is used |
963 // with "pinningtest.appspot.com", below, to test if pinning is active. | 951 // with "pinningtest.appspot.com", below, to test if pinning is active. |
964 static const char* const kTestAcceptableCerts[] = { | 952 static const char* const kTestAcceptableCerts[] = { |
965 "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=", | 953 "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=", |
966 }; | 954 }; |
967 | 955 |
968 #if defined(OS_CHROMEOS) | 956 #if defined(OS_CHROMEOS) |
969 static const bool kTwitterHSTS = true; | 957 static const bool kTwitterHSTS = true; |
970 #else | 958 #else |
971 static const bool kTwitterHSTS = false; | 959 static const bool kTwitterHSTS = false; |
972 #endif | 960 #endif |
973 | 961 |
974 // In the medium term this list is likely to just be hardcoded here. This, | 962 // In the medium term this list is likely to just be hardcoded here. This |
975 // slightly odd, form removes the need for additional relocations records. | 963 // slightly odd form removes the need for additional relocations records. |
976 static const struct HSTSPreload kPreloadedSTS[] = { | 964 static const struct HSTSPreload kPreloadedSTS[] = { |
977 // (*.)google.com, iff using SSL must use an acceptable certificate. | 965 // (*.)google.com, iff using SSL must use an acceptable certificate. |
978 {12, true, "\006google\003com", false, kGoogleAcceptableCerts }, | 966 {12, true, "\006google\003com", false, kGoogleAcceptableCerts }, |
979 {25, true, "\013pinningtest\007appspot\003com", false, | 967 {25, true, "\013pinningtest\007appspot\003com", false, |
980 kTestAcceptableCerts }, | 968 kTestAcceptableCerts }, |
981 // Now we force HTTPS for subtrees of google.com. | 969 // Now we force HTTPS for subtrees of google.com. |
982 {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts }, | 970 {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts }, |
983 {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts }, | 971 {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts }, |
984 {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts }, | 972 {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts }, |
985 {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts }, | 973 {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts }, |
986 {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts }, | 974 {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts }, |
987 {25, true, "\014spreadsheets\006google\003com", true, | 975 {25, true, "\014spreadsheets\006google\003com", true, |
988 kGoogleAcceptableCerts }, | 976 kGoogleAcceptableCerts }, |
989 {22, false, "\011appengine\006google\003com", true, | 977 {22, false, "\011appengine\006google\003com", true, |
990 kGoogleAcceptableCerts }, | 978 kGoogleAcceptableCerts }, |
991 {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts }, | 979 {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts }, |
992 {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts }, | 980 {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts }, |
993 {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts }, | 981 {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts }, |
994 {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts }, | 982 {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts }, |
995 {23, true, "\012talkgadget\006google\003com", true, | 983 {23, true, "\012talkgadget\006google\003com", true, |
996 kGoogleAcceptableCerts }, | 984 kGoogleAcceptableCerts }, |
997 {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts }, | 985 {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts }, |
998 {29, true, "\020hostedtalkgadget\006google\003com", true, | 986 {29, true, "\020hostedtalkgadget\006google\003com", true, |
999 kGoogleAcceptableCerts }, | 987 kGoogleAcceptableCerts }, |
1000 {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts }, | 988 {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts }, |
1001 // Other Google-related domains that must use HTTPS. | 989 // Other Google-related domains that must use HTTPS. |
1002 {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts }, | 990 {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts }, |
1003 {26, true, "\003ssl\020google-analytics\003com", true, | 991 {26, true, "\003ssl\020google-analytics\003com", true, |
1004 kGoogleAcceptableCerts }, | 992 kGoogleAcceptableCerts }, |
1005 {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts }, | 993 {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts }, |
1006 {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts }, | 994 {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts }, |
1007 // Other Google-related domains that must use an acceptable certificate | 995 // Other Google-related domains that must use an acceptable certificate |
1008 // iff using SSL. | 996 // iff using SSL. |
1009 {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts }, | 997 {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts }, |
1010 {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts }, | 998 {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts }, |
1011 {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts }, | 999 {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts }, |
1012 {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts }, | 1000 {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts }, |
1013 {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts }, | 1001 {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts }, |
1014 {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts }, | 1002 {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts }, |
1015 {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts }, | 1003 {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts }, |
1016 {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts }, | 1004 {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts }, |
1017 {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts }, | 1005 {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts }, |
1018 {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts }, | 1006 {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts }, |
1019 // Exclude the learn.doubleclick.net subdomain because it uses a different | 1007 // Exclude the learn.doubleclick.net subdomain because it uses a different |
1020 // CA. | 1008 // CA. |
1021 {23, true, "\005learn\013doubleclick\003net", false, 0 }, | 1009 {23, true, "\005learn\013doubleclick\003net", false, 0 }, |
1022 // Now we force HTTPS for other sites that have requested it. | 1010 // Now we force HTTPS for other sites that have requested it. |
1023 {16, false, "\003www\006paypal\003com", true, 0 }, | 1011 {16, false, "\003www\006paypal\003com", true, 0 }, |
1024 {16, false, "\003www\006elanex\003biz", true, 0 }, | 1012 {16, false, "\003www\006elanex\003biz", true, 0 }, |
1025 {12, true, "\006jottit\003com", true, 0 }, | 1013 {12, true, "\006jottit\003com", true, 0 }, |
1026 {19, true, "\015sunshinepress\003org", true, 0 }, | 1014 {19, true, "\015sunshinepress\003org", true, 0 }, |
1027 {21, false, "\003www\013noisebridge\003net", true, 0 }, | 1015 {21, false, "\003www\013noisebridge\003net", true, 0 }, |
1028 {10, false, "\004neg9\003org", true, 0 }, | 1016 {10, false, "\004neg9\003org", true, 0 }, |
1029 {12, true, "\006riseup\003net", true, 0 }, | 1017 {12, true, "\006riseup\003net", true, 0 }, |
1030 {11, false, "\006factor\002cc", true, 0 }, | 1018 {11, false, "\006factor\002cc", true, 0 }, |
1031 {22, false, "\007members\010mayfirst\003org", true, 0 }, | 1019 {22, false, "\007members\010mayfirst\003org", true, 0 }, |
1032 {22, false, "\007support\010mayfirst\003org", true, 0 }, | 1020 {22, false, "\007support\010mayfirst\003org", true, 0 }, |
1033 {17, false, "\002id\010mayfirst\003org", true, 0 }, | 1021 {17, false, "\002id\010mayfirst\003org", true, 0 }, |
1034 {20, false, "\005lists\010mayfirst\003org", true, 0 }, | 1022 {20, false, "\005lists\010mayfirst\003org", true, 0 }, |
1035 {19, true, "\015splendidbacon\003com", true, 0 }, | 1023 {19, true, "\015splendidbacon\003com", true, 0 }, |
1036 {28, false, "\016aladdinschools\007appspot\003com", true, 0 }, | 1024 {28, false, "\016aladdinschools\007appspot\003com", true, 0 }, |
1037 {14, true, "\011ottospora\002nl", true, 0 }, | 1025 {14, true, "\011ottospora\002nl", true, 0 }, |
1038 {25, false, "\003www\017paycheckrecords\003com", true, 0 }, | 1026 {25, false, "\003www\017paycheckrecords\003com", true, 0 }, |
1039 {14, false, "\010lastpass\003com", true, 0 }, | 1027 {14, false, "\010lastpass\003com", true, 0 }, |
1040 {18, false, "\003www\010lastpass\003com", true, 0 }, | 1028 {18, false, "\003www\010lastpass\003com", true, 0 }, |
1041 {14, true, "\010keyerror\003com", true, 0 }, | 1029 {14, true, "\010keyerror\003com", true, 0 }, |
1042 {13, false, "\010entropia\002de", true, 0 }, | 1030 {13, false, "\010entropia\002de", true, 0 }, |
1043 {17, false, "\003www\010entropia\002de", true, 0 }, | 1031 {17, false, "\003www\010entropia\002de", true, 0 }, |
1044 {11, true, "\005romab\003com", true, 0 }, | 1032 {11, true, "\005romab\003com", true, 0 }, |
1045 {16, false, "\012logentries\003com", true, 0 }, | 1033 {16, false, "\012logentries\003com", true, 0 }, |
1046 {20, false, "\003www\012logentries\003com", true, 0 }, | 1034 {20, false, "\003www\012logentries\003com", true, 0 }, |
1047 {12, true, "\006stripe\003com", true, 0 }, | 1035 {12, true, "\006stripe\003com", true, 0 }, |
1048 {27, true, "\025cloudsecurityalliance\003org", true, 0 }, | 1036 {27, true, "\025cloudsecurityalliance\003org", true, 0 }, |
1049 {15, true, "\005login\004sapo\002pt", true, 0 }, | 1037 {15, true, "\005login\004sapo\002pt", true, 0 }, |
1050 {19, true, "\015mattmccutchen\003net", true, 0 }, | 1038 {19, true, "\015mattmccutchen\003net", true, 0 }, |
1051 {11, true, "\006betnet\002fr", true, 0 }, | 1039 {11, true, "\006betnet\002fr", true, 0 }, |
1052 {13, true, "\010uprotect\002it", true, 0 }, | 1040 {13, true, "\010uprotect\002it", true, 0 }, |
1053 {14, false, "\010squareup\003com", true, 0 }, | 1041 {14, false, "\010squareup\003com", true, 0 }, |
1054 {9, true, "\004cert\002se", true, 0 }, | 1042 {9, true, "\004cert\002se", true, 0 }, |
1055 {11, true, "\006crypto\002is", true, 0 }, | 1043 {11, true, "\006crypto\002is", true, 0 }, |
1056 {20, true, "\005simon\007butcher\004name", true, 0 }, | 1044 {20, true, "\005simon\007butcher\004name", true, 0 }, |
1057 {10, true, "\004linx\003net", true, 0 }, | 1045 {10, true, "\004linx\003net", true, 0 }, |
1058 {13, false, "\007dropcam\003com", true, 0 }, | 1046 {13, false, "\007dropcam\003com", true, 0 }, |
1059 {17, false, "\003www\007dropcam\003com", true, 0 }, | 1047 {17, false, "\003www\007dropcam\003com", true, 0 }, |
1060 {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 }, | 1048 {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 }, |
1061 {13, false, "\007epoxate\003com", true, 0 }, | 1049 {13, false, "\007epoxate\003com", true, 0 }, |
1062 {16, false, "\012torproject\003org", true, kTorAcceptableCerts }, | 1050 {16, false, "\012torproject\003org", true, kTorAcceptableCerts }, |
1063 {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts }, | 1051 {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts }, |
1064 {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts }, | 1052 {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts }, |
1065 {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts }, | 1053 {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts }, |
1066 {22, true, "\003www\014moneybookers\003com", true, 0 }, | 1054 {22, true, "\003www\014moneybookers\003com", true, 0 }, |
1067 {17, false, "\013ledgerscope\003net", true, 0 }, | 1055 {17, false, "\013ledgerscope\003net", true, 0 }, |
1068 {21, false, "\003www\013ledgerscope\003net", true, 0 }, | 1056 {21, false, "\003www\013ledgerscope\003net", true, 0 }, |
1069 {10, false, "\004kyps\003net", true, 0 }, | 1057 {10, false, "\004kyps\003net", true, 0 }, |
1070 {14, false, "\003www\004kyps\003net", true, 0 }, | 1058 {14, false, "\003www\004kyps\003net", true, 0 }, |
1071 {17, true, "\003app\007recurly\003com", true, 0 }, | 1059 {17, true, "\003app\007recurly\003com", true, 0 }, |
1072 {17, true, "\003api\007recurly\003com", true, 0 }, | 1060 {17, true, "\003api\007recurly\003com", true, 0 }, |
1073 {13, false, "\007greplin\003com", true, 0 }, | 1061 {13, false, "\007greplin\003com", true, 0 }, |
1074 {17, false, "\003www\007greplin\003com", true, 0 }, | 1062 {17, false, "\003www\007greplin\003com", true, 0 }, |
1075 {27, true, "\006luneta\016nearbuysystems\003com", true, 0 }, | 1063 {27, true, "\006luneta\016nearbuysystems\003com", true, 0 }, |
1076 {12, true, "\006ubertt\003org", true, 0 }, | 1064 {12, true, "\006ubertt\003org", true, 0 }, |
1077 | 1065 |
1078 {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts }
, | 1066 {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts }, |
1079 {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableC
erts }, | 1067 {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCer
ts }, |
1080 {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableC
erts }, | 1068 {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCer
ts }, |
1081 {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptabl
eCerts }, | 1069 {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableC
erts }, |
1082 {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptab
leCerts }, | 1070 {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptable
Certs }, |
1083 {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableC
erts }, | 1071 {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCer
ts }, |
1084 {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAccept
ableCerts }, | 1072 {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAcceptab
leCerts }, |
1085 | 1073 |
1086 #if 0 | 1074 #if 0 |
1087 // Twitter CDN pins disabled in order to track down pinning failures --agl | 1075 // Twitter CDN pins disabled in order to track down pinning failures --agl |
1088 {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCer
ts }, | 1076 {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCerts
}, |
1089 {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts }, | 1077 {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts }, |
1090 {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCe
rts }, | 1078 {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCert
s }, |
1091 #endif | 1079 #endif |
1092 }; | 1080 }; |
1093 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS); | 1081 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS); |
1094 | 1082 |
1095 static const struct HSTSPreload kPreloadedSNISTS[] = { | 1083 static const struct HSTSPreload kPreloadedSNISTS[] = { |
1096 // These SNI-only domains must always use HTTPS. | 1084 // These SNI-only domains must always use HTTPS. |
1097 {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts }, | 1085 {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts }, |
1098 {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts }, | 1086 {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts }, |
1099 {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts }, | 1087 {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts }, |
1100 {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts }, | 1088 {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts }, |
1101 // These SNI-only domains must use an acceptable certificate iff using | 1089 // These SNI-only domains must use an acceptable certificate iff using |
1102 // HTTPS. | 1090 // HTTPS. |
1103 {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts }, | 1091 {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts }, |
1104 // www. requires SNI. | 1092 // www. requires SNI. |
1105 {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts }, | 1093 {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts }, |
1106 }; | 1094 }; |
1107 static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS); | 1095 static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS); |
| 1096 |
| 1097 // Returns true if there is an HSTSPreload entry for the host in |entries|, and |
| 1098 // if its |required_hashes| member is identical (by address) to |certs|. |
| 1099 static bool ScanForHostAndCerts( |
| 1100 const std::string& canonicalized_host, |
| 1101 const struct HSTSPreload* entries, |
| 1102 size_t num_entries, |
| 1103 const char* const certs[]) { |
| 1104 bool hit = false; |
| 1105 |
| 1106 for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) { |
| 1107 for (size_t j = 0; j < num_entries; j++) { |
| 1108 const struct HSTSPreload& entry = entries[j]; |
| 1109 |
| 1110 if (i != 0 && !entry.include_subdomains) |
| 1111 continue; |
| 1112 |
| 1113 if (entry.length == canonicalized_host.size() - i && |
| 1114 memcmp(entry.dns_name, &canonicalized_host[i], entry.length) == 0) { |
| 1115 hit = entry.required_hashes == certs; |
| 1116 // Return immediately upon exact match: |
| 1117 if (i == 0) |
| 1118 return hit; |
| 1119 } |
| 1120 } |
| 1121 } |
| 1122 |
| 1123 return hit; |
| 1124 } |
| 1125 |
| 1126 // static |
| 1127 bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host, |
| 1128 bool sni_available) { |
| 1129 std::string canonicalized_host = CanonicalizeHost(host); |
| 1130 |
| 1131 if (ScanForHostAndCerts(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS, |
| 1132 kGoogleAcceptableCerts)) { |
| 1133 return true; |
| 1134 } |
| 1135 |
| 1136 if (sni_available) { |
| 1137 if (ScanForHostAndCerts(canonicalized_host, kPreloadedSNISTS, kNumPreloadedS
NISTS, |
| 1138 kGoogleAcceptableCerts)) { |
| 1139 return true; |
| 1140 } |
| 1141 } |
| 1142 |
| 1143 return false; |
| 1144 } |
| 1145 |
| 1146 |
| 1147 // IsPreloadedSTS returns true if the canonicalized hostname should always be |
| 1148 // considered to have STS enabled. |
| 1149 bool TransportSecurityState::IsPreloadedSTS( |
| 1150 const std::string& canonicalized_host, |
| 1151 bool sni_available, |
| 1152 DomainState* out) { |
| 1153 DCHECK(CalledOnValidThread()); |
| 1154 |
| 1155 out->preloaded = true; |
| 1156 out->mode = DomainState::MODE_STRICT; |
| 1157 out->include_subdomains = false; |
1108 | 1158 |
1109 for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) { | 1159 for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) { |
1110 std::string host_sub_chunk(&canonicalized_host[i], | 1160 std::string host_sub_chunk(&canonicalized_host[i], |
1111 canonicalized_host.size() - i); | 1161 canonicalized_host.size() - i); |
1112 out->domain = DNSDomainToString(host_sub_chunk); | 1162 out->domain = DNSDomainToString(host_sub_chunk); |
1113 std::string hashed_host(HashHost(host_sub_chunk)); | 1163 std::string hashed_host(HashHost(host_sub_chunk)); |
1114 if (forced_hosts_.find(hashed_host) != forced_hosts_.end()) { | 1164 if (forced_hosts_.find(hashed_host) != forced_hosts_.end()) { |
1115 *out = forced_hosts_[hashed_host]; | 1165 *out = forced_hosts_[hashed_host]; |
1116 out->domain = DNSDomainToString(host_sub_chunk); | 1166 out->domain = DNSDomainToString(host_sub_chunk); |
1117 out->preloaded = true; | 1167 out->preloaded = true; |
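Review bot: In ScanForHostAndCerts the inner loop keeps overwriting `hit` as `i` advances to shorter suffixes, so for a host below a pinned subtree the answer comes from the least specific matching ancestor rather than the closest entry: `foo.learn.doubleclick.net` yields true because `doubleclick.net` (kGoogleAcceptableCerts) is visited after `learn.doubleclick.net` (no pins), and `x.pinningtest.appspot.com` yields true although its nearest entry carries kTestAcceptableCerts. If IsPreloadedSTS applies the first entry it finds while walking the same label offsets — its loop at the end of the hunk suggests so, but its body continues past the hunk — IsGooglePinnedProperty can report a host as Google-pinned while the pins actually enforced are a different set or none at all. Returning on the first match at any offset makes the two agree: `memcmp(entry.dns_name, &canonicalized_host[i], entry.length) == 0) return entry.required_hashes == certs;` with the `hit` variable and the `i == 0` special case removed. Separately, the commit changes the sentinel in the other pin arrays to NULL but kTestAcceptableCerts still has no terminating entry; if anything walks required_hashes up to a NULL, as those sentinels imply, that array is read past its end, so add `NULL,` after the placeholder hash.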
1172 } | 1222 } |
1173 | 1223 |
1174 LOG(ERROR) << "Rejecting public key chain for domain " << domain | 1224 LOG(ERROR) << "Rejecting public key chain for domain " << domain |
1175 << ". Validated chain: " << HashesToBase64String(hashes) | 1225 << ". Validated chain: " << HashesToBase64String(hashes) |
1176 << ", expected: " << HashesToBase64String(public_key_hashes); | 1226 << ", expected: " << HashesToBase64String(public_key_hashes); |
1177 | 1227 |
1178 return false; | 1228 return false; |
1179 } | 1229 } |
1180 | 1230 |
1181 } // namespace | 1231 } // namespace |