| Index: net/base/transport_security_state.cc
|
| ===================================================================
|
| --- net/base/transport_security_state.cc (revision 105626)
|
| +++ net/base/transport_security_state.cc (working copy)
|
| @@ -844,126 +844,114 @@
|
| return false;
|
| }
|
|
|
| -// IsPreloadedSTS returns true if the canonicalized hostname should always be
|
| -// considered to have STS enabled.
|
| -bool TransportSecurityState::IsPreloadedSTS(
|
| - const std::string& canonicalized_host,
|
| - bool sni_available,
|
| - DomainState* out) {
|
| - DCHECK(CalledOnValidThread());
|
| -
|
| - out->preloaded = true;
|
| - out->mode = DomainState::MODE_STRICT;
|
| - out->include_subdomains = false;
|
| -
|
| - // These hashes are base64 encodings of SHA1 hashes for cert public keys.
|
| - static const char kCertPKHashVerisignClass3[] =
|
| +// These hashes are base64 encodings of SHA1 hashes for cert public keys.
|
| +static const char kCertPKHashVerisignClass3[] =
|
| "sha1/4n972HfV354KP560yw4uqe/baXc=";
|
| - static const char kCertPKHashVerisignClass3G3[] =
|
| +static const char kCertPKHashVerisignClass3G3[] =
|
| "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc=";
|
| - static const char kCertPKHashGoogle1024[] =
|
| +static const char kCertPKHashGoogle1024[] =
|
| "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0=";
|
| - static const char kCertPKHashGoogle2048[] =
|
| +static const char kCertPKHashGoogle2048[] =
|
| "sha1/AbkhxY0L343gKf+cki7NVWp+ozk=";
|
| - static const char kCertPKHashEquifaxSecureCA[] =
|
| +static const char kCertPKHashEquifaxSecureCA[] =
|
| "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q=";
|
| - static const char* const kGoogleAcceptableCerts[] = {
|
| - kCertPKHashVerisignClass3,
|
| - kCertPKHashVerisignClass3G3,
|
| - kCertPKHashGoogle1024,
|
| - kCertPKHashGoogle2048,
|
| - kCertPKHashEquifaxSecureCA,
|
| - 0,
|
| - };
|
| +static const char* const kGoogleAcceptableCerts[] = {
|
| + kCertPKHashVerisignClass3,
|
| + kCertPKHashVerisignClass3G3,
|
| + kCertPKHashGoogle1024,
|
| + kCertPKHashGoogle2048,
|
| + kCertPKHashEquifaxSecureCA,
|
| + NULL,
|
| +};
|
|
|
| - static const char kCertRapidSSL[] =
|
| +static const char kCertRapidSSL[] =
|
| "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=";
|
| - static const char kCertDigiCertEVRoot[] =
|
| +static const char kCertDigiCertEVRoot[] =
|
| "sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM=";
|
| - static const char kCertTor1[] =
|
| +static const char kCertTor1[] =
|
| "sha1/juNxSTv9UANmpC9kF5GKpmWNx3Y=";
|
| - static const char kCertTor2[] =
|
| +static const char kCertTor2[] =
|
| "sha1/lia43lPolzSPVIq34Dw57uYcLD8=";
|
| - static const char kCertTor3[] =
|
| +static const char kCertTor3[] =
|
| "sha1/rzEyQIKOh77j87n5bjWUNguXF8Y=";
|
| - static const char* const kTorAcceptableCerts[] = {
|
| - kCertRapidSSL,
|
| - kCertDigiCertEVRoot,
|
| - kCertTor1,
|
| - kCertTor2,
|
| - kCertTor3,
|
| - 0,
|
| - };
|
| +static const char* const kTorAcceptableCerts[] = {
|
| + kCertRapidSSL,
|
| + kCertDigiCertEVRoot,
|
| + kCertTor1,
|
| + kCertTor2,
|
| + kCertTor3,
|
| + NULL,
|
| +};
|
|
|
| - static const char kCertVerisignClass1[] =
|
| +static const char kCertVerisignClass1[] =
|
| "sha1/I0PRSKJViZuUfUYaeX7ATP7RcLc=";
|
| - static const char kCertVerisignClass3[] =
|
| +static const char kCertVerisignClass3[] =
|
| "sha1/4n972HfV354KP560yw4uqe/baXc=";
|
| - static const char kCertVerisignClass3_G4[] =
|
| +static const char kCertVerisignClass3_G4[] =
|
| "sha1/7WYxNdMb1OymFMQp4xkGn5TBJlA=";
|
| - static const char kCertVerisignClass4_G3[] =
|
| +static const char kCertVerisignClass4_G3[] =
|
| "sha1/PANDaGiVHPNpKri0Jtq6j+ki5b0=";
|
| - static const char kCertVerisignClass3_G3[] =
|
| +static const char kCertVerisignClass3_G3[] =
|
| "sha1/IvGeLsbqzPxdI0b0wuj2xVTdXgc=";
|
| - static const char kCertVerisignClass1_G3[] =
|
| +static const char kCertVerisignClass1_G3[] =
|
| "sha1/VRmyeKyygdftp6vBg5nDu2kEJLU=";
|
| - static const char kCertVerisignClass2_G3[] =
|
| +static const char kCertVerisignClass2_G3[] =
|
| "sha1/Wr7Fddyu87COJxlD/H8lDD32YeM=";
|
| - static const char kCertVerisignClass3_G2[] =
|
| +static const char kCertVerisignClass3_G2[] =
|
| "sha1/GiG0lStik84Ys2XsnA6TTLOB5tQ=";
|
| - static const char kCertVerisignClass2_G2[] =
|
| +static const char kCertVerisignClass2_G2[] =
|
| "sha1/Eje6RRfurSkm/cHN/r7t8t7ZFFw=";
|
| - static const char kCertVerisignClass3_G5[] =
|
| +static const char kCertVerisignClass3_G5[] =
|
| "sha1/sYEIGhmkwJQf+uiVKMEkyZs0rMc=";
|
| - static const char kCertVerisignUniversal[] =
|
| +static const char kCertVerisignUniversal[] =
|
| "sha1/u8I+KQuzKHcdrT6iTb30I70GsD0=";
|
|
|
| - static const char kCertTwitter1[] =
|
| +static const char kCertTwitter1[] =
|
| "sha1/Vv7zwhR9TtOIN/29MFI4cgHld40=";
|
|
|
| - static const char kCertGeoTrustGlobal[] =
|
| +static const char kCertGeoTrustGlobal[] =
|
| "sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=";
|
| - static const char kCertGeoTrustGlobal2[] =
|
| +static const char kCertGeoTrustGlobal2[] =
|
| "sha1/cTg28gIxU0crbrplRqkQFVggBQk=";
|
| - static const char kCertGeoTrustUniversal[] =
|
| +static const char kCertGeoTrustUniversal[] =
|
| "sha1/h+hbY1PGI6MSjLD/u/VR/lmADiI=";
|
| - static const char kCertGeoTrustUniversal2[] =
|
| +static const char kCertGeoTrustUniversal2[] =
|
| "sha1/Xk9ThoXdT57KX9wNRW99UbHcm3s=";
|
| - static const char kCertGeoTrustPrimary[] =
|
| +static const char kCertGeoTrustPrimary[] =
|
| "sha1/sBmJ5+/7Sq/LFI9YRjl2IkFQ4bo=";
|
| - static const char kCertGeoTrustPrimaryG2[] =
|
| +static const char kCertGeoTrustPrimaryG2[] =
|
| "sha1/vb6nG6txV/nkddlU0rcngBqCJoI=";
|
| - static const char kCertGeoTrustPrimaryG3[] =
|
| +static const char kCertGeoTrustPrimaryG3[] =
|
| "sha1/nKmNAK90Dd2BgNITRaWLjy6UONY=";
|
|
|
| - static const char* const kTwitterComAcceptableCerts[] = {
|
| - kCertVerisignClass1,
|
| - kCertVerisignClass3,
|
| - kCertVerisignClass3_G4,
|
| - kCertVerisignClass4_G3,
|
| - kCertVerisignClass3_G3,
|
| - kCertVerisignClass1_G3,
|
| - kCertVerisignClass2_G3,
|
| - kCertVerisignClass3_G2,
|
| - kCertVerisignClass2_G2,
|
| - kCertVerisignClass3_G5,
|
| - kCertVerisignUniversal,
|
| - kCertGeoTrustGlobal,
|
| - kCertGeoTrustGlobal2,
|
| - kCertGeoTrustUniversal,
|
| - kCertGeoTrustUniversal2,
|
| - kCertGeoTrustPrimary,
|
| - kCertGeoTrustPrimaryG2,
|
| - kCertGeoTrustPrimaryG3,
|
| - kCertTwitter1,
|
| - 0,
|
| - };
|
| +static const char* const kTwitterComAcceptableCerts[] = {
|
| + kCertVerisignClass1,
|
| + kCertVerisignClass3,
|
| + kCertVerisignClass3_G4,
|
| + kCertVerisignClass4_G3,
|
| + kCertVerisignClass3_G3,
|
| + kCertVerisignClass1_G3,
|
| + kCertVerisignClass2_G3,
|
| + kCertVerisignClass3_G2,
|
| + kCertVerisignClass2_G2,
|
| + kCertVerisignClass3_G5,
|
| + kCertVerisignUniversal,
|
| + kCertGeoTrustGlobal,
|
| + kCertGeoTrustGlobal2,
|
| + kCertGeoTrustUniversal,
|
| + kCertGeoTrustUniversal2,
|
| + kCertGeoTrustPrimary,
|
| + kCertGeoTrustPrimaryG2,
|
| + kCertGeoTrustPrimaryG3,
|
| + kCertTwitter1,
|
| + NULL,
|
| +};
|
|
|
| - // kTestAcceptableCerts doesn't actually match any public keys and is used
|
| - // with "pinningtest.appspot.com", below, to test if pinning is active.
|
| - static const char* const kTestAcceptableCerts[] = {
|
| - "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
|
| - };
|
| +// kTestAcceptableCerts doesn't actually match any public keys and is used
|
| +// with "pinningtest.appspot.com", below, to test if pinning is active.
|
| +static const char* const kTestAcceptableCerts[] = {
|
| + "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
|
| +};
|
|
|
| #if defined(OS_CHROMEOS)
|
| static const bool kTwitterHSTS = true;
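Review bot: kTestAcceptableCerts is the only pin list in this hunk that is not NULL-terminated, while kGoogleAcceptableCerts, kTorAcceptableCerts and kTwitterComAcceptableCerts all end in `NULL,`. If the consumer of required_hashes walks the array until a NULL entry (the consumer is not visible in this hunk), the scan runs past the single test hash into whatever follows it in read-only data, so the initializer should be `"sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=",` followed by `NULL,`. Separately, now that these are file-scope constants, kCertVerisignClass3 holds the same hash string as kCertPKHashVerisignClass3 and kCertVerisignClass3_G3 the same as kCertPKHashVerisignClass3G3; sharing one definition per key would mean a future pin rotation has to be made in one place only.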
|
| @@ -971,142 +959,204 @@
|
| static const bool kTwitterHSTS = false;
|
| #endif
|
|
|
| - // In the medium term this list is likely to just be hardcoded here. This,
|
| - // slightly odd, form removes the need for additional relocations records.
|
| - static const struct HSTSPreload kPreloadedSTS[] = {
|
| - // (*.)google.com, iff using SSL must use an acceptable certificate.
|
| - {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
|
| - {25, true, "\013pinningtest\007appspot\003com", false,
|
| - kTestAcceptableCerts },
|
| - // Now we force HTTPS for subtrees of google.com.
|
| - {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
|
| - {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },
|
| - {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts },
|
| - {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts },
|
| - {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts },
|
| - {25, true, "\014spreadsheets\006google\003com", true,
|
| - kGoogleAcceptableCerts },
|
| - {22, false, "\011appengine\006google\003com", true,
|
| - kGoogleAcceptableCerts },
|
| - {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts },
|
| - {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts },
|
| - {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts },
|
| - {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts },
|
| - {23, true, "\012talkgadget\006google\003com", true,
|
| - kGoogleAcceptableCerts },
|
| - {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts },
|
| - {29, true, "\020hostedtalkgadget\006google\003com", true,
|
| - kGoogleAcceptableCerts },
|
| - {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts },
|
| - // Other Google-related domains that must use HTTPS.
|
| - {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts },
|
| - {26, true, "\003ssl\020google-analytics\003com", true,
|
| - kGoogleAcceptableCerts },
|
| - {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts },
|
| - {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts },
|
| - // Other Google-related domains that must use an acceptable certificate
|
| - // iff using SSL.
|
| - {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts },
|
| - {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts },
|
| - {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts },
|
| - {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts },
|
| - {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts },
|
| - {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts },
|
| - {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts },
|
| - {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts },
|
| - {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts },
|
| - {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts },
|
| - // Exclude the learn.doubleclick.net subdomain because it uses a different
|
| - // CA.
|
| - {23, true, "\005learn\013doubleclick\003net", false, 0 },
|
| - // Now we force HTTPS for other sites that have requested it.
|
| - {16, false, "\003www\006paypal\003com", true, 0 },
|
| - {16, false, "\003www\006elanex\003biz", true, 0 },
|
| - {12, true, "\006jottit\003com", true, 0 },
|
| - {19, true, "\015sunshinepress\003org", true, 0 },
|
| - {21, false, "\003www\013noisebridge\003net", true, 0 },
|
| - {10, false, "\004neg9\003org", true, 0 },
|
| - {12, true, "\006riseup\003net", true, 0 },
|
| - {11, false, "\006factor\002cc", true, 0 },
|
| - {22, false, "\007members\010mayfirst\003org", true, 0 },
|
| - {22, false, "\007support\010mayfirst\003org", true, 0 },
|
| - {17, false, "\002id\010mayfirst\003org", true, 0 },
|
| - {20, false, "\005lists\010mayfirst\003org", true, 0 },
|
| - {19, true, "\015splendidbacon\003com", true, 0 },
|
| - {28, false, "\016aladdinschools\007appspot\003com", true, 0 },
|
| - {14, true, "\011ottospora\002nl", true, 0 },
|
| - {25, false, "\003www\017paycheckrecords\003com", true, 0 },
|
| - {14, false, "\010lastpass\003com", true, 0 },
|
| - {18, false, "\003www\010lastpass\003com", true, 0 },
|
| - {14, true, "\010keyerror\003com", true, 0 },
|
| - {13, false, "\010entropia\002de", true, 0 },
|
| - {17, false, "\003www\010entropia\002de", true, 0 },
|
| - {11, true, "\005romab\003com", true, 0 },
|
| - {16, false, "\012logentries\003com", true, 0 },
|
| - {20, false, "\003www\012logentries\003com", true, 0 },
|
| - {12, true, "\006stripe\003com", true, 0 },
|
| - {27, true, "\025cloudsecurityalliance\003org", true, 0 },
|
| - {15, true, "\005login\004sapo\002pt", true, 0 },
|
| - {19, true, "\015mattmccutchen\003net", true, 0 },
|
| - {11, true, "\006betnet\002fr", true, 0 },
|
| - {13, true, "\010uprotect\002it", true, 0 },
|
| - {14, false, "\010squareup\003com", true, 0 },
|
| - {9, true, "\004cert\002se", true, 0 },
|
| - {11, true, "\006crypto\002is", true, 0 },
|
| - {20, true, "\005simon\007butcher\004name", true, 0 },
|
| - {10, true, "\004linx\003net", true, 0 },
|
| - {13, false, "\007dropcam\003com", true, 0 },
|
| - {17, false, "\003www\007dropcam\003com", true, 0 },
|
| - {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 },
|
| - {13, false, "\007epoxate\003com", true, 0 },
|
| - {16, false, "\012torproject\003org", true, kTorAcceptableCerts },
|
| - {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts },
|
| - {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts },
|
| - {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
|
| - {22, true, "\003www\014moneybookers\003com", true, 0 },
|
| - {17, false, "\013ledgerscope\003net", true, 0 },
|
| - {21, false, "\003www\013ledgerscope\003net", true, 0 },
|
| - {10, false, "\004kyps\003net", true, 0 },
|
| - {14, false, "\003www\004kyps\003net", true, 0 },
|
| - {17, true, "\003app\007recurly\003com", true, 0 },
|
| - {17, true, "\003api\007recurly\003com", true, 0 },
|
| - {13, false, "\007greplin\003com", true, 0 },
|
| - {17, false, "\003www\007greplin\003com", true, 0 },
|
| - {27, true, "\006luneta\016nearbuysystems\003com", true, 0 },
|
| - {12, true, "\006ubertt\003org", true, 0 },
|
| +// In the medium term this list is likely to just be hardcoded here. This
|
| +// slightly odd form removes the need for additional relocations records.
|
| +static const struct HSTSPreload kPreloadedSTS[] = {
|
| + // (*.)google.com, iff using SSL must use an acceptable certificate.
|
| + {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
|
| + {25, true, "\013pinningtest\007appspot\003com", false,
|
| + kTestAcceptableCerts },
|
| + // Now we force HTTPS for subtrees of google.com.
|
| + {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
|
| + {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },
|
| + {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts },
|
| + {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts },
|
| + {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts },
|
| + {25, true, "\014spreadsheets\006google\003com", true,
|
| + kGoogleAcceptableCerts },
|
| + {22, false, "\011appengine\006google\003com", true,
|
| + kGoogleAcceptableCerts },
|
| + {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts },
|
| + {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts },
|
| + {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts },
|
| + {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts },
|
| + {23, true, "\012talkgadget\006google\003com", true,
|
| + kGoogleAcceptableCerts },
|
| + {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts },
|
| + {29, true, "\020hostedtalkgadget\006google\003com", true,
|
| + kGoogleAcceptableCerts },
|
| + {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts },
|
| + // Other Google-related domains that must use HTTPS.
|
| + {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts },
|
| + {26, true, "\003ssl\020google-analytics\003com", true,
|
| + kGoogleAcceptableCerts },
|
| + {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts },
|
| + {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts },
|
| + // Other Google-related domains that must use an acceptable certificate
|
| + // iff using SSL.
|
| + {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts },
|
| + {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts },
|
| + {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts },
|
| + {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts },
|
| + {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts },
|
| + {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts },
|
| + {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts },
|
| + {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts },
|
| + {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts },
|
| + {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts },
|
| + // Exclude the learn.doubleclick.net subdomain because it uses a different
|
| + // CA.
|
| + {23, true, "\005learn\013doubleclick\003net", false, 0 },
|
| + // Now we force HTTPS for other sites that have requested it.
|
| + {16, false, "\003www\006paypal\003com", true, 0 },
|
| + {16, false, "\003www\006elanex\003biz", true, 0 },
|
| + {12, true, "\006jottit\003com", true, 0 },
|
| + {19, true, "\015sunshinepress\003org", true, 0 },
|
| + {21, false, "\003www\013noisebridge\003net", true, 0 },
|
| + {10, false, "\004neg9\003org", true, 0 },
|
| + {12, true, "\006riseup\003net", true, 0 },
|
| + {11, false, "\006factor\002cc", true, 0 },
|
| + {22, false, "\007members\010mayfirst\003org", true, 0 },
|
| + {22, false, "\007support\010mayfirst\003org", true, 0 },
|
| + {17, false, "\002id\010mayfirst\003org", true, 0 },
|
| + {20, false, "\005lists\010mayfirst\003org", true, 0 },
|
| + {19, true, "\015splendidbacon\003com", true, 0 },
|
| + {28, false, "\016aladdinschools\007appspot\003com", true, 0 },
|
| + {14, true, "\011ottospora\002nl", true, 0 },
|
| + {25, false, "\003www\017paycheckrecords\003com", true, 0 },
|
| + {14, false, "\010lastpass\003com", true, 0 },
|
| + {18, false, "\003www\010lastpass\003com", true, 0 },
|
| + {14, true, "\010keyerror\003com", true, 0 },
|
| + {13, false, "\010entropia\002de", true, 0 },
|
| + {17, false, "\003www\010entropia\002de", true, 0 },
|
| + {11, true, "\005romab\003com", true, 0 },
|
| + {16, false, "\012logentries\003com", true, 0 },
|
| + {20, false, "\003www\012logentries\003com", true, 0 },
|
| + {12, true, "\006stripe\003com", true, 0 },
|
| + {27, true, "\025cloudsecurityalliance\003org", true, 0 },
|
| + {15, true, "\005login\004sapo\002pt", true, 0 },
|
| + {19, true, "\015mattmccutchen\003net", true, 0 },
|
| + {11, true, "\006betnet\002fr", true, 0 },
|
| + {13, true, "\010uprotect\002it", true, 0 },
|
| + {14, false, "\010squareup\003com", true, 0 },
|
| + {9, true, "\004cert\002se", true, 0 },
|
| + {11, true, "\006crypto\002is", true, 0 },
|
| + {20, true, "\005simon\007butcher\004name", true, 0 },
|
| + {10, true, "\004linx\003net", true, 0 },
|
| + {13, false, "\007dropcam\003com", true, 0 },
|
| + {17, false, "\003www\007dropcam\003com", true, 0 },
|
| + {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 },
|
| + {13, false, "\007epoxate\003com", true, 0 },
|
| + {16, false, "\012torproject\003org", true, kTorAcceptableCerts },
|
| + {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts },
|
| + {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts },
|
| + {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
|
| + {22, true, "\003www\014moneybookers\003com", true, 0 },
|
| + {17, false, "\013ledgerscope\003net", true, 0 },
|
| + {21, false, "\003www\013ledgerscope\003net", true, 0 },
|
| + {10, false, "\004kyps\003net", true, 0 },
|
| + {14, false, "\003www\004kyps\003net", true, 0 },
|
| + {17, true, "\003app\007recurly\003com", true, 0 },
|
| + {17, true, "\003api\007recurly\003com", true, 0 },
|
| + {13, false, "\007greplin\003com", true, 0 },
|
| + {17, false, "\003www\007greplin\003com", true, 0 },
|
| + {27, true, "\006luneta\016nearbuysystems\003com", true, 0 },
|
| + {12, true, "\006ubertt\003org", true, 0 },
|
|
|
| - {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| - {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| - {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| - {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| - {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| - {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| - {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| + {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| + {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| + {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| + {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| + {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| + {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
| + {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
|
|
|
| #if 0
|
| - // Twitter CDN pins disabled in order to track down pinning failures --agl
|
| - {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCerts },
|
| - {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts },
|
| - {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCerts },
|
| + // Twitter CDN pins disabled in order to track down pinning failures --agl
|
| + {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCerts },
|
| + {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts },
|
| + {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCerts },
|
| #endif
|
| - };
|
| - static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
|
| +};
|
| +static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
|
|
|
| - static const struct HSTSPreload kPreloadedSNISTS[] = {
|
| - // These SNI-only domains must always use HTTPS.
|
| - {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts },
|
| - {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts },
|
| - {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts },
|
| - {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts },
|
| - // These SNI-only domains must use an acceptable certificate iff using
|
| - // HTTPS.
|
| - {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts },
|
| - // www. requires SNI.
|
| - {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts },
|
| - };
|
| - static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
|
| +static const struct HSTSPreload kPreloadedSNISTS[] = {
|
| + // These SNI-only domains must always use HTTPS.
|
| + {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts },
|
| + {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts },
|
| + {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts },
|
| + {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts },
|
| + // These SNI-only domains must use an acceptable certificate iff using
|
| + // HTTPS.
|
| + {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts },
|
| + // www. requires SNI.
|
| + {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts },
|
| +};
|
| +static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
|
|
|
| +// Returns true if there is an HSTSPreload entry for the host in |entries|, and
|
| +// if its |required_hashes| member is identical (by address) to |certs|.
|
| +static bool ScanForHostAndCerts(
|
| + const std::string& canonicalized_host,
|
| + const struct HSTSPreload* entries,
|
| + size_t num_entries,
|
| + const char* const certs[]) {
|
| + bool hit = false;
|
| +
|
| for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
|
| + for (size_t j = 0; j < num_entries; j++) {
|
| + const struct HSTSPreload& entry = entries[j];
|
| +
|
| + if (i != 0 && !entry.include_subdomains)
|
| + continue;
|
| +
|
| + if (entry.length == canonicalized_host.size() - i &&
|
| + memcmp(entry.dns_name, &canonicalized_host[i], entry.length) == 0) {
|
| + hit = entry.required_hashes == certs;
|
| + // Return immediately upon exact match:
|
| + if (i == 0)
|
| + return hit;
|
| + }
|
| + }
|
| + }
|
| +
|
| + return hit;
|
| +}
|
| +
|
| +// static
|
| +bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
|
| + bool sni_available) {
|
| + std::string canonicalized_host = CanonicalizeHost(host);
|
| +
|
| + if (ScanForHostAndCerts(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS,
|
| + kGoogleAcceptableCerts)) {
|
| + return true;
|
| + }
|
| +
|
| + if (sni_available) {
|
| + if (ScanForHostAndCerts(canonicalized_host, kPreloadedSNISTS, kNumPreloadedSNISTS,
|
| + kGoogleAcceptableCerts)) {
|
| + return true;
|
| + }
|
| + }
|
| +
|
| + return false;
|
| +}
|
| +
|
| +
|
| +// IsPreloadedSTS returns true if the canonicalized hostname should always be
|
| +// considered to have STS enabled.
|
| +bool TransportSecurityState::IsPreloadedSTS(
|
| + const std::string& canonicalized_host,
|
| + bool sni_available,
|
| + DomainState* out) {
|
| + DCHECK(CalledOnValidThread());
|
| +
|
| + out->preloaded = true;
|
| + out->mode = DomainState::MODE_STRICT;
|
| + out->include_subdomains = false;
|
| +
|
| + for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
|
| std::string host_sub_chunk(&canonicalized_host[i],
|
| canonicalized_host.size() - i);
|
| out->domain = DNSDomainToString(host_sub_chunk);
|
|
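Review bot: In ScanForHostAndCerts a match at a subdomain level (i != 0) only records `hit` and keeps scanning shorter suffixes, so a less specific entry can overwrite the result of a more specific one. With the table as written, a host under learn.doubleclick.net first matches the learn.doubleclick.net entry (required_hashes 0, hit = false) and then the doubleclick.net entry (kGoogleAcceptableCerts, hit = true), so IsGooglePinnedProperty reports it as Google-pinned even though the table comment excludes that subtree because it uses a different CA; the practical effect is the Google pin set being enforced on a host it was not meant to apply to. Since the outer loop already visits suffixes from most to least specific, the first matching entry is the governing one: replace `hit = entry.required_hashes == certs;` together with the `if (i == 0) return hit;` by a plain `return entry.required_hashes == certs;`, after which the `hit` local can be dropped. Whether IsPreloadedSTS applies the same first-match rule cannot be checked here because its body runs past the end of the hunk.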
|