1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/transport_security_state.h" | 5 #include "net/base/transport_security_state.h" |
6 | 6 |
7 #if defined(USE_OPENSSL) | 7 #if defined(USE_OPENSSL) |
8 #include <openssl/ecdsa.h> | 8 #include <openssl/ecdsa.h> |
9 #include <openssl/ssl.h> | 9 #include <openssl/ssl.h> |
10 #else // !defined(USE_OPENSSL) | 10 #else // !defined(USE_OPENSSL) |
961 kSPKIHash_GeoTrustPrimary_G2, | 961 kSPKIHash_GeoTrustPrimary_G2, |
962 kSPKIHash_GeoTrustPrimary_G3, | 962 kSPKIHash_GeoTrustPrimary_G3, |
963 kSPKIHash_Twitter1, | 963 kSPKIHash_Twitter1, |
964 NULL, | 964 NULL, |
965 }; | 965 }; |
966 #define kTwitterComPins { \ | 966 #define kTwitterComPins { \ |
967 kTwitterComAcceptableCerts, \ | 967 kTwitterComAcceptableCerts, \ |
968 kNoRejectedPublicKeys, \ | 968 kNoRejectedPublicKeys, \ |
969 } | 969 } |
970 | 970 |
| 971 // kTwitterAcceptableCerts2 are the set of public keys valid for Twitter's |
| 972 // CDNs, which includes all the keys from kTwitterAcceptableCerts1. |
| 973 static const char* const kTwitterCDNAcceptableCerts[] = { |
| 974 kSPKIHash_VeriSignClass1, |
| 975 kSPKIHash_VeriSignClass3, |
| 976 kSPKIHash_VeriSignClass3_G4, |
| 977 kSPKIHash_VeriSignClass4_G3, |
| 978 kSPKIHash_VeriSignClass3_G3, |
| 979 kSPKIHash_VeriSignClass1_G3, |
| 980 kSPKIHash_VeriSignClass2_G3, |
| 981 kSPKIHash_VeriSignClass3_G2, |
| 982 kSPKIHash_VeriSignClass2_G2, |
| 983 kSPKIHash_VeriSignClass3_G5, |
| 984 kSPKIHash_VeriSignUniversal, |
| 985 kSPKIHash_GeoTrustGlobal, |
| 986 kSPKIHash_GeoTrustGlobal2, |
| 987 kSPKIHash_GeoTrustUniversal, |
| 988 kSPKIHash_GeoTrustUniversal2, |
| 989 kSPKIHash_GeoTrustPrimary, |
| 990 kSPKIHash_GeoTrustPrimary_G2, |
| 991 kSPKIHash_GeoTrustPrimary_G3, |
| 992 kSPKIHash_Twitter1, |
| 993 |
| 994 kSPKIHash_Entrust_2048, |
| 995 kSPKIHash_Entrust_EV, |
| 996 kSPKIHash_Entrust_G2, |
| 997 kSPKIHash_Entrust_SSL, |
| 998 kSPKIHash_AAACertificateServices, |
| 999 kSPKIHash_AddTrustClass1CARoot, |
| 1000 kSPKIHash_AddTrustExternalCARoot, |
| 1001 kSPKIHash_AddTrustPublicCARoot, |
| 1002 kSPKIHash_AddTrustQualifiedCARoot, |
| 1003 kSPKIHash_COMODOCertificationAuthority, |
| 1004 kSPKIHash_SecureCertificateServices, |
| 1005 kSPKIHash_TrustedCertificateServices, |
| 1006 kSPKIHash_UTNDATACorpSGC, |
| 1007 kSPKIHash_UTNUSERFirstClientAuthenticationandEmail, |
| 1008 kSPKIHash_UTNUSERFirstHardware, |
| 1009 kSPKIHash_UTNUSERFirstObject, |
| 1010 kSPKIHash_GTECyberTrustGlobalRoot, |
| 1011 NULL, |
| 1012 }; |
| 1013 #define kTwitterCDNPins { \ |
| 1014 kTwitterCDNAcceptableCerts, \ |
| 1015 kNoRejectedPublicKeys, \ |
| 1016 } |
| 1017 |
971 // kTestAcceptableCerts doesn't actually match any public keys and is used | 1018 // kTestAcceptableCerts doesn't actually match any public keys and is used |
972 // with "pinningtest.appspot.com", below, to test if pinning is active. | 1019 // with "pinningtest.appspot.com", below, to test if pinning is active. |
973 static const char* const kTestAcceptableCerts[] = { | 1020 static const char* const kTestAcceptableCerts[] = { |
974 "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=", | 1021 "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=", |
975 NULL, | 1022 NULL, |
976 }; | 1023 }; |
977 #define kTestPins { \ | 1024 #define kTestPins { \ |
978 kTestAcceptableCerts, \ | 1025 kTestAcceptableCerts, \ |
979 kNoRejectedPublicKeys, \ | 1026 kNoRejectedPublicKeys, \ |
980 } | 1027 } |
1125 {10, false, "\004kyps\003net", true, kNoPins, DOMAIN_NOT_PINNED }, | 1172 {10, false, "\004kyps\003net", true, kNoPins, DOMAIN_NOT_PINNED }, |
1126 {14, false, "\003www\004kyps\003net", true, kNoPins, DOMAIN_NOT_PINNED }, | 1173 {14, false, "\003www\004kyps\003net", true, kNoPins, DOMAIN_NOT_PINNED }, |
1127 {17, true, "\003app\007recurly\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | 1174 {17, true, "\003app\007recurly\003com", true, kNoPins, DOMAIN_NOT_PINNED }, |
1128 {17, true, "\003api\007recurly\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | 1175 {17, true, "\003api\007recurly\003com", true, kNoPins, DOMAIN_NOT_PINNED }, |
1129 {13, false, "\007greplin\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | 1176 {13, false, "\007greplin\003com", true, kNoPins, DOMAIN_NOT_PINNED }, |
1130 {17, false, "\003www\007greplin\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | 1177 {17, false, "\003www\007greplin\003com", true, kNoPins, DOMAIN_NOT_PINNED }, |
1131 {27, true, "\006luneta\016nearbuysystems\003com", true, kNoPins, | 1178 {27, true, "\006luneta\016nearbuysystems\003com", true, kNoPins, |
1132 DOMAIN_NOT_PINNED }, | 1179 DOMAIN_NOT_PINNED }, |
1133 {12, true, "\006ubertt\003org", true, kNoPins, DOMAIN_NOT_PINNED }, | 1180 {12, true, "\006ubertt\003org", true, kNoPins, DOMAIN_NOT_PINNED }, |
1134 | 1181 |
1135 #if 0 | |
1136 // Twitter pins disabled in order to track down pinning failures --agl | 1182 // Twitter pins disabled in order to track down pinning failures --agl |
1137 {13, false, "\007twitter\003com", kTwitterHSTS, | 1183 {13, false, "\007twitter\003com", kTwitterHSTS, |
1138 kTwitterComPins, DOMAIN_TWITTER_COM }, | 1184 kTwitterComPins, DOMAIN_TWITTER_COM }, |
1139 {17, true, "\003www\007twitter\003com", kTwitterHSTS, | 1185 {17, true, "\003www\007twitter\003com", kTwitterHSTS, |
1140 kTwitterComPins, DOMAIN_TWITTER_COM }, | 1186 kTwitterComPins, DOMAIN_TWITTER_COM }, |
1141 {17, true, "\003api\007twitter\003com", kTwitterHSTS, | 1187 {17, true, "\003api\007twitter\003com", kTwitterHSTS, |
1142 kTwitterComPins, DOMAIN_TWITTER_COM }, | 1188 kTwitterCDNPins, DOMAIN_TWITTER_COM }, |
1143 {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, | 1189 {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, |
1144 kTwitterComPins, DOMAIN_TWITTER_COM }, | 1190 kTwitterComPins, DOMAIN_TWITTER_COM }, |
1145 {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, | 1191 {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, |
1146 kTwitterComPins, DOMAIN_TWITTER_COM }, | 1192 kTwitterComPins, DOMAIN_TWITTER_COM }, |
1147 {17, true, "\003dev\007twitter\003com", kTwitterHSTS, | 1193 {17, true, "\003dev\007twitter\003com", kTwitterHSTS, |
1148 kTwitterComPins, DOMAIN_TWITTER_COM }, | 1194 kTwitterComPins, DOMAIN_TWITTER_COM }, |
1149 {22, true, "\010business\007twitter\003com", kTwitterHSTS, | 1195 {22, true, "\010business\007twitter\003com", kTwitterHSTS, |
1150 kTwitterComPins, DOMAIN_TWITTER_COM }, | 1196 kTwitterComPins, DOMAIN_TWITTER_COM }, |
1151 {22, true, "\010platform\007twitter\003com", false, | 1197 {22, true, "\010platform\007twitter\003com", false, |
1152 kTwitterCDNPins, DOMAIN_TWITTER_COM }, | 1198 kTwitterCDNPins, DOMAIN_TWITTER_COM }, |
1153 {15, true, "\003si0\005twimg\003com", false, kTwitterCDNPins, | 1199 {15, true, "\003si0\005twimg\003com", false, kTwitterCDNPins, |
1154 DOMAIN_TWIMG_COM }, | 1200 DOMAIN_TWIMG_COM }, |
1155 {23, true, "\010twimg0-a\010akamaihd\003net", false, | 1201 {23, true, "\010twimg0-a\010akamaihd\003net", false, |
1156 kTwitterCDNPins, DOMAIN_AKAMAIHD_NET }, | 1202 kTwitterCDNPins, DOMAIN_AKAMAIHD_NET }, |
1157 #endif | |
1158 }; | 1203 }; |
1159 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS); | 1204 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS); |
1160 | 1205 |
1161 static const struct HSTSPreload kPreloadedSNISTS[] = { | 1206 static const struct HSTSPreload kPreloadedSNISTS[] = { |
1162 // These SNI-only domains must always use HTTPS. | 1207 // These SNI-only domains must always use HTTPS. |
1163 {11, false, "\005gmail\003com", true, kGooglePins, | 1208 {11, false, "\005gmail\003com", true, kGooglePins, |
1164 DOMAIN_GMAIL_COM }, | 1209 DOMAIN_GMAIL_COM }, |
1165 {16, false, "\012googlemail\003com", true, kGooglePins, | 1210 {16, false, "\012googlemail\003com", true, kGooglePins, |
1166 DOMAIN_GOOGLEMAIL_COM }, | 1211 DOMAIN_GOOGLEMAIL_COM }, |
1167 {15, false, "\003www\005gmail\003com", true, kGooglePins, | 1212 {15, false, "\003www\005gmail\003com", true, kGooglePins, |
1353 const { | 1398 const { |
1354 return mode == MODE_STRICT; | 1399 return mode == MODE_STRICT; |
1355 } | 1400 } |
1356 | 1401 |
1357 bool TransportSecurityState::DomainState::ShouldMixedScriptingBeBlocked() | 1402 bool TransportSecurityState::DomainState::ShouldMixedScriptingBeBlocked() |
1358 const { | 1403 const { |
1359 return true; | 1404 return true; |
1360 } | 1405 } |
1361 | 1406 |
1362 } // namespace | 1407 } // namespace |
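Review bot: The comment `// Twitter pins disabled in order to track down pinning failures --agl` (new line 1182) is now wrong: the `#if 0`/`#endif` pair around the Twitter entries is removed, so these HSTS-plus-pin entries are live again, and the comment should be dropped or replaced with one saying they are re-enabled. The header comment on the new array (new lines 971-972) names `kTwitterAcceptableCerts2` and `kTwitterAcceptableCerts1`, neither of which exists in the file; it should read `// kTwitterCDNAcceptableCerts is the set of public keys valid for Twitter's CDNs, which includes all the keys from kTwitterComAcceptableCerts.` The api.twitter.com entry (new lines 1187-1188) is switched to the wider kTwitterCDNPins, which also accepts the Entrust, AddTrust/COMODO, UTN and GTE CyberTrust roots, while the neighbouring twitter.com hosts keep kTwitterComPins; a one-line comment stating why the API host needs the CDN set would keep a later reader from "fixing" it back. The first nineteen entries of kTwitterCDNAcceptableCerts repeat kTwitterComAcceptableCerts verbatim, so the two lists can drift apart silently when one is updated; a comment cross-referencing them is the minimum, and building the CDN list from the com list would be better. The enclosing kPreloadedSTS array starts outside the visible lines.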