Chromium Code Reviews Chromium Code Reviews
Issue 9415040:
Refactor TransportSecurityState. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/url_request/url_request_http_job.h" | 5 #include "net/url_request/url_request_http_job.h" |
| 6 | 6 |
| 7 #include "base/base_switches.h" | 7 #include "base/base_switches.h" |
| 8 #include "base/bind.h" | 8 #include "base/bind.h" |
| 9 #include "base/bind_helpers.h" | 9 #include "base/bind_helpers.h" |
| 10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
| (...skipping 126 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 137 if (!request->context() || | 137 if (!request->context() || |
| 138 !request->context()->http_transaction_factory()) { | 138 !request->context()->http_transaction_factory()) { |
| 139 NOTREACHED() << "requires a valid context"; | 139 NOTREACHED() << "requires a valid context"; |
| 140 return new URLRequestErrorJob(request, ERR_INVALID_ARGUMENT); | 140 return new URLRequestErrorJob(request, ERR_INVALID_ARGUMENT); |
| 141 } | 141 } |
| 142 | 142 |
| 143 TransportSecurityState::DomainState domain_state; | 143 TransportSecurityState::DomainState domain_state; |
| 144 if (scheme == "http" && | 144 if (scheme == "http" && |
| 145 request->context()->transport_security_state() && | 145 request->context()->transport_security_state() && |
| 146 request->context()->transport_security_state()->GetDomainState( | 146 request->context()->transport_security_state()->GetDomainState( |
| 147 &domain_state, | |
| 148 request->url().host(), | 147 request->url().host(), |
| 149 SSLConfigService::IsSNIAvailable( | 148 SSLConfigService::IsSNIAvailable( |
| 150 request->context()->ssl_config_service())) && | 149 request->context()->ssl_config_service()), |
| 150 &domain_state) && | |
| 151 domain_state.ShouldRedirectHTTPToHTTPS()) { | 151 domain_state.ShouldRedirectHTTPToHTTPS()) { |
| 152 DCHECK_EQ(request->url().scheme(), "http"); | 152 DCHECK_EQ(request->url().scheme(), "http"); |
| 153 url_canon::Replacements<char> replacements; | 153 url_canon::Replacements<char> replacements; |
| 154 static const char kNewScheme[] = "https"; | 154 static const char kNewScheme[] = "https"; |
| 155 replacements.SetScheme(kNewScheme, | 155 replacements.SetScheme(kNewScheme, |
| 156 url_parse::Component(0, strlen(kNewScheme))); | 156 url_parse::Component(0, strlen(kNewScheme))); |
| 157 GURL new_location = request->url().ReplaceComponents(replacements); | 157 GURL new_location = request->url().ReplaceComponents(replacements); |
| 158 return new URLRequestRedirectJob(request, new_location); | 158 return new URLRequestRedirectJob(request, new_location); |
| 159 } | 159 } |
| 160 | 160 |
| (...skipping 431 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 592 !ctx || !ctx->transport_security_state()) { | 592 !ctx || !ctx->transport_security_state()) { |
| 593 return; | 593 return; |
| 594 } | 594 } |
| 595 | 595 |
| 596 TransportSecurityState* security_state = ctx->transport_security_state(); | 596 TransportSecurityState* security_state = ctx->transport_security_state(); |
| 597 TransportSecurityState::DomainState domain_state; | 597 TransportSecurityState::DomainState domain_state; |
| 598 const std::string& host = request_info_.url.host(); | 598 const std::string& host = request_info_.url.host(); |
| 599 | 599 |
| 600 bool sni_available = | 600 bool sni_available = |
| 601 SSLConfigService::IsSNIAvailable(ctx->ssl_config_service()); | 601 SSLConfigService::IsSNIAvailable(ctx->ssl_config_service()); |
| 602 if (!security_state->HasMetadata(&domain_state, host, sni_available)) { | 602 if (!security_state->GetDomainState(host, sni_available, &domain_state)) |
| 603 // |HasMetadata| may have altered |domain_state| while searching. If not | 603 domain_state.upgrade_mode = |
| 604 // found, start with a fresh state. | 604 TransportSecurityState::DomainState::MODE_FORCE_HTTPS; |
|
Ryan Sleevi
2012/04/26 19:21:12
I found the original comment was very helpful in e
palmer
2012/04/27 23:52:34
Done.
| |
| 605 domain_state = TransportSecurityState::DomainState(); | |
| 606 domain_state.mode = TransportSecurityState::DomainState::MODE_STRICT; | |
| 607 } | |
| 608 | 605 |
| 609 HttpResponseHeaders* headers = GetResponseHeaders(); | 606 HttpResponseHeaders* headers = GetResponseHeaders(); |
| 610 std::string value; | 607 std::string value; |
| 611 void* iter = NULL; | 608 void* iter = NULL; |
| 609 base::Time now = base::Time::Now(); | |
| 612 | 610 |
| 613 while (headers->EnumerateHeader(&iter, "Strict-Transport-Security", &value)) { | 611 while (headers->EnumerateHeader(&iter, "Strict-Transport-Security", &value)) { |
| 614 int max_age; | 612 TransportSecurityState::DomainState domain_state; |
| 615 bool include_subdomains; | 613 if (domain_state.ParseSTSHeader(now, value)) |
| 616 if (TransportSecurityState::ParseHeader(value, &max_age, | |
| 617 &include_subdomains)) { | |
| 618 base::Time current_time(base::Time::Now()); | |
| 619 base::TimeDelta max_age_delta = base::TimeDelta::FromSeconds(max_age); | |
| 620 | |
| 621 domain_state.expiry = current_time + max_age_delta; | |
| 622 domain_state.include_subdomains = include_subdomains; | |
| 623 | |
| 624 security_state->EnableHost(host, domain_state); | 614 security_state->EnableHost(host, domain_state); |
| 625 } | |
| 626 } | 615 } |
| 627 } | 616 } |
| 628 | 617 |
| 629 void URLRequestHttpJob::ProcessPublicKeyPinsHeader() { | 618 void URLRequestHttpJob::ProcessPublicKeyPinsHeader() { |
| 630 DCHECK(response_info_); | 619 DCHECK(response_info_); |
| 631 | 620 |
| 632 const URLRequestContext* ctx = request_->context(); | 621 const URLRequestContext* ctx = request_->context(); |
| 633 const SSLInfo& ssl_info = response_info_->ssl_info; | 622 const SSLInfo& ssl_info = response_info_->ssl_info; |
| 634 | 623 |
| 635 // Only accept public key pins headers on HTTPS connections that have no | 624 // Only accept public key pins headers on HTTPS connections that have no |
| 636 // certificate errors. | 625 // certificate errors. |
| 637 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) || | 626 if (!ssl_info.is_valid() || IsCertStatusError(ssl_info.cert_status) || |
| 638 !ctx || !ctx->transport_security_state()) { | 627 !ctx || !ctx->transport_security_state()) { |
| 639 return; | 628 return; |
| 640 } | 629 } |
| 641 | 630 |
| 642 TransportSecurityState* security_state = ctx->transport_security_state(); | 631 TransportSecurityState* security_state = ctx->transport_security_state(); |
| 643 TransportSecurityState::DomainState domain_state; | 632 TransportSecurityState::DomainState domain_state; |
| 644 const std::string& host = request_info_.url.host(); | 633 const std::string& host = request_info_.url.host(); |
| 645 | 634 |
| 646 bool sni_available = | 635 bool sni_available = |
| 647 SSLConfigService::IsSNIAvailable(ctx->ssl_config_service()); | 636 SSLConfigService::IsSNIAvailable(ctx->ssl_config_service()); |
| 648 if (!security_state->HasMetadata(&domain_state, host, sni_available)) { | 637 if (!security_state->GetDomainState(host, sni_available, &domain_state)) |
| 649 // |HasMetadata| may have altered |domain_state| while searching. If not | 638 domain_state.upgrade_mode = |
| 650 // found, start with a fresh state. | 639 TransportSecurityState::DomainState::MODE_DEFAULT; |
| 651 domain_state = TransportSecurityState::DomainState(); | |
| 652 domain_state.mode = TransportSecurityState::DomainState::MODE_PINNING_ONLY; | |
| 653 } | |
| 654 | 640 |
| 655 HttpResponseHeaders* headers = GetResponseHeaders(); | 641 HttpResponseHeaders* headers = GetResponseHeaders(); |
| 656 void* iter = NULL; | 642 void* iter = NULL; |
| 657 std::string value; | 643 std::string value; |
| 644 base::Time now = base::Time::Now(); | |
| 658 | 645 |
| 659 while (headers->EnumerateHeader(&iter, "Public-Key-Pins", &value)) { | 646 while (headers->EnumerateHeader(&iter, "Public-Key-Pins", &value)) { |
| 660 // Note that ParsePinsHeader updates |domain_state| (iff the header parses | 647 // Note that ParsePinsHeader updates |domain_state| (iff the header parses |
| 661 // correctly), but does not completely overwrite it. It just updates the | 648 // correctly), but does not completely overwrite it. It just updates the |
| 662 // dynamic pinning metadata. | 649 // dynamic pinning metadata. |
| 663 if (TransportSecurityState::ParsePinsHeader(value, ssl_info, | 650 if (domain_state.ParsePinsHeader(now, value, ssl_info)) |
| 664 &domain_state)) { | |
| 665 security_state->EnableHost(host, domain_state); | 651 security_state->EnableHost(host, domain_state); |
| 666 } | |
| 667 } | 652 } |
| 668 } | 653 } |
| 669 | 654 |
| 670 void URLRequestHttpJob::OnStartCompleted(int result) { | 655 void URLRequestHttpJob::OnStartCompleted(int result) { |
| 671 RecordTimer(); | 656 RecordTimer(); |
| 672 | 657 |
| 673 // If the request was destroyed, then there is no more work to do. | 658 // If the request was destroyed, then there is no more work to do. |
| 674 if (!request_) | 659 if (!request_) |
| 675 return; | 660 return; |
| 676 | 661 |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 722 | 707 |
| 723 SaveCookiesAndNotifyHeadersComplete(net::OK); | 708 SaveCookiesAndNotifyHeadersComplete(net::OK); |
| 724 } else if (IsCertificateError(result)) { | 709 } else if (IsCertificateError(result)) { |
| 725 // We encountered an SSL certificate error. Ask our delegate to decide | 710 // We encountered an SSL certificate error. Ask our delegate to decide |
| 726 // what we should do. | 711 // what we should do. |
| 727 | 712 |
| 728 TransportSecurityState::DomainState domain_state; | 713 TransportSecurityState::DomainState domain_state; |
| 729 const bool fatal = | 714 const bool fatal = |
| 730 context_->transport_security_state() && | 715 context_->transport_security_state() && |
| 731 context_->transport_security_state()->GetDomainState( | 716 context_->transport_security_state()->GetDomainState( |
| 732 &domain_state, request_info_.url.host(), | 717 request_info_.url.host(), |
| 733 SSLConfigService::IsSNIAvailable(context_->ssl_config_service())); | 718 SSLConfigService::IsSNIAvailable(context_->ssl_config_service()), |
| 719 &domain_state); | |
| 734 NotifySSLCertificateError(transaction_->GetResponseInfo()->ssl_info, fatal); | 720 NotifySSLCertificateError(transaction_->GetResponseInfo()->ssl_info, fatal); |
| 735 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { | 721 } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { |
| 736 NotifyCertificateRequested( | 722 NotifyCertificateRequested( |
| 737 transaction_->GetResponseInfo()->cert_request_info); | 723 transaction_->GetResponseInfo()->cert_request_info); |
| 738 } else { | 724 } else { |
| 739 NotifyStartError(URLRequestStatus(URLRequestStatus::FAILED, result)); | 725 NotifyStartError(URLRequestStatus(URLRequestStatus::FAILED, result)); |
| 740 } | 726 } |
| 741 } | 727 } |
| 742 | 728 |
| 743 void URLRequestHttpJob::OnHeadersReceivedCallback(int result) { | 729 void URLRequestHttpJob::OnHeadersReceivedCallback(int result) { |
| (...skipping 672 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1416 return override_response_headers_.get() ? | 1402 return override_response_headers_.get() ? |
| 1417 override_response_headers_ : | 1403 override_response_headers_ : |
| 1418 transaction_->GetResponseInfo()->headers; | 1404 transaction_->GetResponseInfo()->headers; |
| 1419 } | 1405 } |
| 1420 | 1406 |
| 1421 void URLRequestHttpJob::NotifyURLRequestDestroyed() { | 1407 void URLRequestHttpJob::NotifyURLRequestDestroyed() { |
| 1422 awaiting_callback_ = false; | 1408 awaiting_callback_ = false; |
| 1423 } | 1409 } |
| 1424 | 1410 |
| 1425 } // namespace net | 1411 } // namespace net |
| OLD | NEW |
