Issue 103803012: Make HSTS headers not clobber preloaded pins.

Issue 103803012: Make HSTS headers not clobber preloaded pins. (Closed)

Created:
7 years ago by palmer

Modified:
6 years, 7 months ago

Reviewers:
eroman, agl, Ryan Sleevi

Base URL:
svn://svn.chromium.org/chrome/trunk/src

Visibility:
Public.

Description

Make HSTS headers not clobber preloaded pins. BUG=329386 TEST=With a fresh profile, ensure that accounts.google.com and twitter.com have public keys pinned. (Check chrome://net-internals/#hsts.) Then visit those sites. Close the browser, re-launch it, and check that the pins are still present in a query in chrome://net-internals/#hsts. Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=268966

Patch Set 1 #

Total comments: 2

Patch Set 2 : Retain the ability to push new static pins; don't persist static pins in dynamic profile state. #

Patch Set 3 : Remove spurious debugging junk. Sigh. #

Total comments: 15

Patch Set 4 : NOT READY YET. Starting on rsleevi's fresh approach. #

Patch Set 5 : Fix DeleteAllDynamicStateSince. #

Patch Set 6 : Make use of has_dynamic. #

Total comments: 15

Patch Set 7 : Rebase and respond to comments. #

Patch Set 8 : Mega-rebase. #

Patch Set 9 : Rebase and updated comment. #

Total comments: 19

Patch Set 10 : Respond to comments. Big change still to come. #

Patch Set 11 : Rebase and refactor. (Not done yet.) #

Total comments: 3

Patch Set 12 : Rebase, clean up, fix tests. #

Patch Set 13 : Rebase and improve display of dynamic settings. #

Patch Set 14 : Fix browser_tests by setting the domain name correctly. Rebase. #

Total comments: 17

Patch Set 15 : Prioritize dynamic state over static. #

Patch Set 16 : Rebase and resolve conflict. #

Patch Set 17 : Rebase and resolve conflict. #

Total comments: 8

Patch Set 18 : Respond to comments and fix compilation errors. #

Total comments: 2

Created: 6 years, 7 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+872 lines, -756 lines)			Patch
M	chrome/browser/net/predictor.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+3 lines, -8 lines	0 comments	Download
M	chrome/browser/resources/net_internals/hsts_view.js	View	1 2 3 4 5 6 7 8 9 10 11 12	2 chunks	+66 lines, -40 lines	2 comments	Download
M	chrome/browser/ui/webui/net_internals/net_internals_ui.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13	1 chunk	+54 lines, -18 lines	0 comments	Download
M	chrome/test/data/webui/net_internals/hsts_view.js	View	1 2 3 4	1 chunk	+4 lines, -4 lines	0 comments	Download
M	net/http/http_security_headers_unittest.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14	2 chunks	+90 lines, -34 lines	0 comments	Download
M	net/http/transport_security_persister.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15	5 chunks	+30 lines, -27 lines	0 comments	Download
M	net/http/transport_security_persister_unittest.cc	View	1 2 3 4 5 6 7 8 9 10 11	4 chunks	+28 lines, -23 lines	0 comments	Download
M	net/http/transport_security_state.h	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17	5 chunks	+75 lines, -93 lines	0 comments	Download
M	net/http/transport_security_state.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17	14 chunks	+129 lines, -120 lines	0 comments	Download
M	net/http/transport_security_state_unittest.cc	View	1 2 3 4 5 6 7 8 9 10 11	13 chunks	+313 lines, -303 lines	0 comments	Download
M	net/socket/ssl_client_socket_nss.cc	View	1 2 3 4 5 6 7 8 9 10 11	1 chunk	+4 lines, -5 lines	0 comments	Download
M	net/socket_stream/socket_stream.cc	View	1 2 3 4 5 6 7 8 9 10 11	1 chunk	+6 lines, -6 lines	0 comments	Download
M	net/socket_stream/socket_stream_job.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+3 lines, -4 lines	0 comments	Download
M	net/url_request/url_request.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+4 lines, -6 lines	0 comments	Download
M	net/url_request/url_request_http_job.cc	View	1 2 3 4 5 6 7 8 9 10 11	1 chunk	+5 lines, -6 lines	0 comments	Download
M	net/url_request/url_request_unittest.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14	8 chunks	+58 lines, -59 lines	0 comments	Download

Messages

Total messages: 43 (0 generated)

Expand Messages | Collapse Messages

agl

This seems like it might be a bit of a partial solution. For example, if ...

7 years ago (2013-12-18 15:49:19 UTC) #2

palmer

> This seems like it might be a bit of a partial solution. For example, ...

7 years ago (2013-12-18 21:04:33 UTC) #4

palmer

https://codereview.chromium.org/103803012/diff/1/net/http/transport_security_state.cc File net/http/transport_security_state.cc (right): https://codereview.chromium.org/103803012/diff/1/net/http/transport_security_state.cc#newcode610 net/http/transport_security_state.cc:610: GetDomainState(host, true, &domain_state); On 2013/12/18 15:49:19, agl wrote: > ...

7 years ago (2013-12-18 21:04:39 UTC) #5

Ryan Sleevi

As a temporary solution, this LGTM, but we've discussed in the past why this is ...

7 years ago (2013-12-18 21:48:17 UTC) #6

agl

On 2013/12/18 21:48:17, Ryan Sleevi wrote: > Most importantly, by using GetDomainState, rather than GetDynamicState, ...

7 years ago (2013-12-18 21:52:32 UTC) #7

Ryan Sleevi

On 2013/12/18 21:52:32, agl wrote: > On 2013/12/18 21:48:17, Ryan Sleevi wrote: > > Most ...

7 years ago (2013-12-18 21:59:21 UTC) #8

agl

As a short term solution, how about: if there's a static match, use it. Otherwise ...

7 years ago (2013-12-18 22:01:05 UTC) #9

palmer

> As a short term solution, how about: if there's a static match, use it. ...

7 years ago (2013-12-18 22:27:38 UTC) #10

Ryan Sleevi

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_security_state.cc File net/http/transport_security_state.cc (right): https://codereview.chromium.org/103803012/diff/40001/net/http/transport_security_state.cc#newcode617 net/http/transport_security_state.cc:617: //GetDomainState(host, true /* SNI enabled */, &domain_state); Remove https://codereview.chromium.org/103803012/diff/40001/net/http/transport_security_state.cc#newcode641 ...

6 years, 12 months ago (2013-12-27 00:21:05 UTC) #11

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
File net/http/transport_security_state.cc (right):

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
net/http/transport_security_state.cc:617: //GetDomainState(host, true /* SNI
enabled */, &domain_state);
Remove

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
net/http/transport_security_state.cc:641: //GetDomainState(host, true /* SNI
enabled */, &domain_state);
Remove

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
net/http/transport_security_state.cc:861: // See crbug.com/29386.
Avoid pronouns in comments.

// TODO(palmer): Static pins are unconditionally checked, preventing
// dynamic pins from being used to replace the static pins. This
// ensures that a dynamic header update for HSTS does not replace
// statically-loaded pins, but does prevent a dynamic header update
// via HPKP for statically pinned sites.
// See http://crbug.com/29386 and [bug for refactor] for more details.

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
net/http/transport_security_state.cc:864: // in the very near future (as of Dec
2013). TODO(palmer).
note: remove this bit.

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
net/http/transport_security_state.cc:868: bool did_restore_static_state = false;
The naming here is a bit confusing, because you're not actually "restoring" the
pins (which suggests mutating the DomainState).

HashValueVector preloaded_static_hashes;
HashValueVector preloaded_bad_static_hashes;
bool did_find_static_hashes = false;

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
net/http/transport_security_state.cc:869: if (IsBuildTimely()) {
if (TransportSecurityState::IsBuildTimely()) - you're in DomainState here, so
I'm surprised this code would compile?

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
net/http/transport_security_state.cc:873: std::string
host_sub_chunk(&canonicalized_host[i],
This duplicates significant portions of GetStaticDomainState(), which makes me
really uncomfortable.

Our underlying goal is this:
If receiving an HSTS header, *static* SPKI pins are not persisted, *dynamic*
SPKI pins (if any) are, and the *dynamic* HSTS state should replace the *static*
HSTS state.

If receiving an HPKP header, *static* SPKI pins are not persisted, *dynamic*
SPKI pins are updated and persisted, *static* HSTS state is not persisted and
*dynamic* HSTS state (if any) is.

Within DomainState, we already track static vs dynamic state information for
HPKP via
- pkp_observed
- static_spki_hashes vs dynamic_spki_hashes
- dynamic_spki_hashes_expiry
- bad_static_spki_hashes

We fail to distinguish between the two for pkp_include_subdomains

However, we do *not* track static vs dynamic state information for HSTS, namely
- sts_observed
- upgrade_mode
- upgrade_expiry
- sts_include_subdomains

A 'reasonable' quick-fix to DomainState would be to explicitly track the static
vs dynamic data members for PKP and STS, along with bools to track whether a
static or dynamic state exists.

Persistence would *only* persist dynamic state, if any, while evaluation would
always check dynamic state (if any) before static state.

DomainState {
  struct HSTSState {
    // sts_observed (new to track static as well)
    base::Time last_observed;

    // upgrade_expiry
    base::Time upgrade_expiry;

    // upgrade_mode (new to track static vs dynamic)
    UpgradeMode upgrade_mode;

    // sts_include_subdomains (new to track static vs dynamic)
    bool include_subdomains;
  };

  HPKPState {
    // pkp_observed (new to track static vs dynamic)
    base::Time last_observed;

    // dynamic_spki_hashes_expiry (new to track static vs dynamic)
    base::Time expiry;

    // formerly [static/dynamic]_spki_hashes
    HashValueVector spki_hashes;

    // formerly bad_static_spki_hashes;
    HashValueVector bad_spki_hashes;
  };

  bool has_static_hsts;
  HSTSState static_hsts_state;
  HSTSState dynamic_hsts_state;

  bool has_static_pkp;
  HPKPState static_hpkp_state;
  HPKPState dynamic_hpkp_state;
};


And then updating the functions as appropriate. Of course, this may require more
significant gutter-work, just due to the renaming.

This would also solve the related bug you're trying to solve here, where an HSTS
header on a sub-domain will mask the HPKP state from the parent. By explicitly
storing the static and dynamic state differently, you could continue walking
static state for PKP info even after you found HSTS info from dynamic state.

This is a much larger refactor though, as I write it out, but that's effectively
what you're trying to do here. Your current case handles HSTS-masking-HPKP, but
doesn't handle HPKP-masking-HSTS (although less likely).

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
net/http/transport_security_state.cc:881: i, &restored_static_state,
&did_restore_static_state)) {
You're unconditionally checking against SNI hosts. This seems incorrect, because
you've lost the sni_enabled flag.

palmer

6 years, 11 months ago (2014-01-03 22:43:43 UTC) #12

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
File net/http/transport_security_state.cc (right):

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
net/http/transport_security_state.cc:617: //GetDomainState(host, true /* SNI
enabled */, &domain_state);
On 2013/12/27 00:21:06, Ryan Sleevi wrote:
> Remove

Done.

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
net/http/transport_security_state.cc:641: //GetDomainState(host, true /* SNI
enabled */, &domain_state);
On 2013/12/27 00:21:06, Ryan Sleevi wrote:
> Remove

Done.

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
net/http/transport_security_state.cc:861: // See crbug.com/29386.
On 2013/12/27 00:21:06, Ryan Sleevi wrote:
> Avoid pronouns in comments.
> 
> // TODO(palmer): Static pins are unconditionally checked, preventing
> // dynamic pins from being used to replace the static pins. This
> // ensures that a dynamic header update for HSTS does not replace
> // statically-loaded pins, but does prevent a dynamic header update
> // via HPKP for statically pinned sites.
> // See http://crbug.com/29386 and [bug for refactor] for more details.

Done.

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
net/http/transport_security_state.cc:864: // in the very near future (as of Dec
2013). TODO(palmer).
On 2013/12/27 00:21:06, Ryan Sleevi wrote:
> note: remove this bit.

Done.

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
net/http/transport_security_state.cc:869: if (IsBuildTimely()) {
> if (TransportSecurityState::IsBuildTimely()) - you're in DomainState here, so
> I'm surprised this code would compile?

<spiderman>...and I'm just sitting here, compiling it</spiderman>

Anyway, done (for improved clarity).

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
net/http/transport_security_state.cc:873: std::string
host_sub_chunk(&canonicalized_host[i],
On 2013/12/27 00:21:06, Ryan Sleevi wrote:
> This duplicates significant portions of GetStaticDomainState(), which makes me
> really uncomfortable.
> 
> Our underlying goal is this:
> If receiving an HSTS header, *static* SPKI pins are not persisted, *dynamic*
> SPKI pins (if any) are, and the *dynamic* HSTS state should replace the
*static*
> HSTS state.
> 
> If receiving an HPKP header, *static* SPKI pins are not persisted, *dynamic*
> SPKI pins are updated and persisted, *static* HSTS state is not persisted and
> *dynamic* HSTS state (if any) is.
> 
> Within DomainState, we already track static vs dynamic state information for
> HPKP via
> - pkp_observed
> - static_spki_hashes vs dynamic_spki_hashes
> - dynamic_spki_hashes_expiry
> - bad_static_spki_hashes
> 
> We fail to distinguish between the two for pkp_include_subdomains
> 
> However, we do *not* track static vs dynamic state information for HSTS,
namely
> - sts_observed
> - upgrade_mode
> - upgrade_expiry
> - sts_include_subdomains
> 
> A 'reasonable' quick-fix to DomainState would be to explicitly track the
static
> vs dynamic data members for PKP and STS, along with bools to track whether a
> static or dynamic state exists.
> 
> Persistence would *only* persist dynamic state, if any, while evaluation would
> always check dynamic state (if any) before static state.
> 
> DomainState {
>   struct HSTSState {
>     // sts_observed (new to track static as well)
>     base::Time last_observed;
> 
>     // upgrade_expiry
>     base::Time upgrade_expiry;
> 
>     // upgrade_mode (new to track static vs dynamic)
>     UpgradeMode upgrade_mode;
> 
>     // sts_include_subdomains (new to track static vs dynamic)
>     bool include_subdomains;
>   };
> 
>   HPKPState {
>     // pkp_observed (new to track static vs dynamic)
>     base::Time last_observed;
> 
>     // dynamic_spki_hashes_expiry (new to track static vs dynamic)
>     base::Time expiry;
> 
>     // formerly [static/dynamic]_spki_hashes
>     HashValueVector spki_hashes;
> 
>     // formerly bad_static_spki_hashes;
>     HashValueVector bad_spki_hashes;
>   };
> 
>   bool has_static_hsts;
>   HSTSState static_hsts_state;
>   HSTSState dynamic_hsts_state;
> 
>   bool has_static_pkp;
>   HPKPState static_hpkp_state;
>   HPKPState dynamic_hpkp_state;
> };
> 
> 
> And then updating the functions as appropriate. Of course, this may require
more
> significant gutter-work, just due to the renaming.
> 
> This would also solve the related bug you're trying to solve here, where an
HSTS
> header on a sub-domain will mask the HPKP state from the parent. By explicitly
> storing the static and dynamic state differently, you could continue walking
> static state for PKP info even after you found HSTS info from dynamic state.
> 
> This is a much larger refactor though, as I write it out, but that's
effectively
> what you're trying to do here. Your current case handles HSTS-masking-HPKP,
but
> doesn't handle HPKP-masking-HSTS (although less likely).

Done.

https://codereview.chromium.org/103803012/diff/40001/net/http/transport_secur...
net/http/transport_security_state.cc:881: i, &restored_static_state,
&did_restore_static_state)) {
> You're unconditionally checking against SNI hosts. This seems incorrect,
because
> you've lost the sni_enabled flag.

Handled this by getting rid of that code.

Ryan Sleevi

Awesome work, palmer. I've not taken an in-depth review of the whole CL, but I've ...

6 years, 10 months ago (2014-01-31 20:24:43 UTC) #14

Awesome work, palmer. I've not taken an in-depth review of the whole CL, but
I've instead focused just on the TSS, Persister, and Domain State to try to make
sure I fully understand those (and their expected/accepted behaviours) before
going too further.

I think we should liberally sprinkle in comments here to explain some of the
logic/decisions, even if it's "self-obvious" from the code, to make it clear
that "Oh yeah, this behaviour, it IS intentional" or the like :)

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
File net/http/transport_security_persister.cc (right):

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
net/http/transport_security_persister.cc:259:
SPKIHashesFromListValue(*pins_list, &domain_state.static_pkp.spki_hashes);
I'm.. surprised.. we're deserializing this still. Perhaps not for this CL, but
I'm curious if/when we can drop this, as it doesn't seem like we'd ever want to
deserialize into the static list?

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
File net/http/transport_security_state.cc (right):

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
net/http/transport_security_state.cc:139: // |newer| and converges them into
|older|.
It took me a little bit to parse this comment, in particular "converges them
into |older|"

style wise,
http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml#Function_Param...


// Updates |other| to contain the most recent observations found
// between the states |state| and |other|.
bool MergeDomainStates(const TransportSecurityState::DomainState& state,
                       TransportSecurityState::DomainState* other) {

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
net/http/transport_security_state.cc:148: return true;
why bool if you always return true?

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
net/http/transport_security_state.cc:164: DomainState dynamic_state =
static_state;
Add a comment explaining why you initialize dynamic_state to static_state, as
opposed to leaving it uninitialized. This isn't entirely clear to me,
considering line 174

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
net/http/transport_security_state.cc:174: MergeDomainStates(&static_state,
dynamic_state);
Add a comment here as to why you're updating |static_state| with information
that is contained in |dynamic_state|, which is a bit surprising.

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
net/http/transport_security_state.cc:893:
HashesIntersect(static_pkp.spki_hashes, hashes)) {
This bit surprises me.

Consider a preload of (A, B, C) and a header observation of (A, B). This code
will, in effect, allow C even though we've observed a header that says to *not*
allow C

if (HashesIntersect(dynamic_pkp.spki_hashes, hash) ||
    (dynamic_pkp.spki_hashes.empty() && HashesIntersect(static_pkp.spki_hashes,
hashes))) {

}?

(With a corresponding comment explaining the above logic)

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
net/http/transport_security_state.cc:905: return dynamic_sts.upgrade_mode ==
MODE_FORCE_HTTPS ||
If we observed a dynamic header with an explicit expiration of 0, should we
still use static pins?

(I'm happy to punt on this as being a bug in our implementation, I just wanted
to make sure we agreed that it is a puntable bug and not a critical bug)

palmer

Thanks for the review! https://codereview.chromium.org/103803012/diff/150001/net/http/transport_security_persister.cc File net/http/transport_security_persister.cc (right): https://codereview.chromium.org/103803012/diff/150001/net/http/transport_security_persister.cc#newcode259 net/http/transport_security_persister.cc:259: SPKIHashesFromListValue(*pins_list, &domain_state.static_pkp.spki_hashes); On 2014/01/31 20:24:43, ...

6 years, 10 months ago (2014-01-31 22:20:51 UTC) #15

Thanks for the review!

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
File net/http/transport_security_persister.cc (right):

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
net/http/transport_security_persister.cc:259:
SPKIHashesFromListValue(*pins_list, &domain_state.static_pkp.spki_hashes);
On 2014/01/31 20:24:43, Ryan Sleevi wrote:
> I'm.. surprised.. we're deserializing this still. Perhaps not for this CL, but
> I'm curious if/when we can drop this, as it doesn't seem like we'd ever want
to
> deserialize into the static list?

I've added a TODO and filed a bug to get rid of it.

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
File net/http/transport_security_state.cc (right):

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
net/http/transport_security_state.cc:139: // |newer| and converges them into
|older|.
On 2014/01/31 20:24:43, Ryan Sleevi wrote:
> It took me a little bit to parse this comment, in particular "converges them
> into |older|"
> 
> style wise,
>
http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml#Function_Param...
> 
> 
> // Updates |other| to contain the most recent observations found
> // between the states |state| and |other|.
> bool MergeDomainStates(const TransportSecurityState::DomainState& state,
>                        TransportSecurityState::DomainState* other) {

Done.

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
net/http/transport_security_state.cc:148: return true;
> why bool if you always return true?

Same reason as I have curly braces for 1-line if blocks: legacy of debugging. :)
Removed curlies and changed bool to void.

Also moved it up into the anonymous namespace.

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
net/http/transport_security_state.cc:164: DomainState dynamic_state =
static_state;
> Add a comment explaining why you initialize dynamic_state to static_state, as
> opposed to leaving it uninitialized. This isn't entirely clear to me,
> considering line 174

I think this is legacy from before I wrote MergeDomainStates. Removing it does
not change the test-passingness, so removed.

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
net/http/transport_security_state.cc:174: MergeDomainStates(&static_state,
dynamic_state);
On 2014/01/31 20:24:43, Ryan Sleevi wrote:
> Add a comment here as to why you're updating |static_state| with information
> that is contained in |dynamic_state|, which is a bit surprising.

Done.

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
net/http/transport_security_state.cc:893:
HashesIntersect(static_pkp.spki_hashes, hashes)) {
> Consider a preload of (A, B, C) and a header observation of (A, B). This code
> will, in effect, allow C even though we've observed a header that says to
*not*
> allow C

Have we in fact decided that? (Maybe we have; I haven't looked at the I-D in too
long.)

Note that the current behavior is to fail (slightly) open, which seems prudent
given the risk of bricking and given the expected-known-goodness of static
hashes.

> if (HashesIntersect(dynamic_pkp.spki_hashes, hash) ||
>     (dynamic_pkp.spki_hashes.empty() &&
HashesIntersect(static_pkp.spki_hashes,
> hashes))) {
> 
> }?

That change causes HttpSecurityHeadersTest.NoClobberPins to fail (perhaps
wrongly).

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_secu...
net/http/transport_security_state.cc:905: return dynamic_sts.upgrade_mode ==
MODE_FORCE_HTTPS ||
> If we observed a dynamic header with an explicit expiration of 0, should we
> still use static pins?

I think so, following the same logic as above ("static believed known-good").

But I could be convinced either way. I should really get back into the I-D...

> (I'm happy to punt on this as being a bug in our implementation, I just wanted
> to make sure we agreed that it is a puntable bug and not a critical bug)

I think it is puntable, if it is a bug.

palmer

https://codereview.chromium.org/103803012/diff/150001/net/http/transport_security_state.cc File net/http/transport_security_state.cc (right): https://codereview.chromium.org/103803012/diff/150001/net/http/transport_security_state.cc#newcode893 net/http/transport_security_state.cc:893: HashesIntersect(static_pkp.spki_hashes, hashes)) { On 2014/01/31 22:20:51, Chromium Palmer wrote: ...

6 years, 10 months ago (2014-02-20 22:13:26 UTC) #16

palmer

> Where do we think we are on this? I'd like to get this bug ...

6 years, 9 months ago (2014-03-07 01:07:47 UTC) #17

Ryan Sleevi

https://codereview.chromium.org/103803012/diff/270001/net/http/http_security_headers_unittest.cc File net/http/http_security_headers_unittest.cc (right): https://codereview.chromium.org/103803012/diff/270001/net/http/http_security_headers_unittest.cc#newcode523 net/http/http_security_headers_unittest.cc:523: std::string domain("accounts.google.com"); Use the same form as the other ...

6 years, 9 months ago (2014-03-07 01:39:18 UTC) #18

palmer

6 years, 9 months ago (2014-03-14 21:33:39 UTC) #19

https://codereview.chromium.org/103803012/diff/270001/net/http/http_security_...
File net/http/http_security_headers_unittest.cc (right):

https://codereview.chromium.org/103803012/diff/270001/net/http/http_security_...
net/http/http_security_headers_unittest.cc:523: std::string
domain("accounts.google.com");
On 2014/03/07 01:39:19, Ryan Sleevi wrote:
> Use the same form as the other tests? See line 456
> 
> Also add a comment indicating a.g.c has preloaded pins. Or just change this to
> http://docs.google.com

Done.

https://codereview.chromium.org/103803012/diff/270001/net/http/http_security_...
net/http/http_security_headers_unittest.cc:526: // pins. Assert sanity.
On 2014/03/07 01:39:19, Ryan Sleevi wrote:
> "Assert sanity" is superflous.

Done.

https://codereview.chromium.org/103803012/diff/270001/net/http/http_security_...
net/http/http_security_headers_unittest.cc:535: // check the static_pkp data.
On 2014/03/07 01:39:19, Ryan Sleevi wrote:
> Rework this comment:
> 
> // Add a dynamic HSTS header.
> // CheckPublicKeyPins should still pass when given the original
> // |saved_hashes|, indicating that the static PKP data is still
> // configured for the domain.

Done.

https://codereview.chromium.org/103803012/diff/270001/net/http/http_security_...
net/http/http_security_headers_unittest.cc:545: std::string header = "max-age =
10000; " + good_pin + "; " + backup_pin;
On 2014/03/07 01:39:19, Ryan Sleevi wrote:
> // Add a HPKP header, which should only update the dynamic state.

Done.

https://codereview.chromium.org/103803012/diff/270001/net/http/http_security_...
net/http/http_security_headers_unittest.cc:554:
EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());
On 2014/03/07 01:39:19, Ryan Sleevi wrote:
> // HSTS should still be configured for this domain.

Done.

https://codereview.chromium.org/103803012/diff/270001/net/http/http_security_...
net/http/http_security_headers_unittest.cc:556:
EXPECT_TRUE(domain_state.CheckPublicKeyPins(saved_hashes));
> What are you testing here? Add a comment.
> 
> 1) Should you be testing that good_pin is valid?
> 2) Should you be testing that backup_pin is valid?
> 3) Should you be testing that a non-existant pin is not valid?
> 4) Does saved_hashes contain good_pin/backup_pin, or are they new pins?
> 
> It's not clear what this is testing, so let's expand more.

It's to check that a good pin is still valid. Added a comment to that effect.

I think other unit tests test the other cases. This test is just to make sure
that clobbering is not going on.

https://codereview.chromium.org/103803012/diff/270001/net/http/transport_secu...
File net/http/transport_security_persister.cc (right):

https://codereview.chromium.org/103803012/diff/270001/net/http/transport_secu...
net/http/transport_security_persister.cc:257: //
On 2014/03/07 01:39:19, Ryan Sleevi wrote:
> comment nit:
> 
> // TODO(palmer): http://crbug.com/339907: Stop deserializing into the
> // static set.

Done.

https://codereview.chromium.org/103803012/diff/270001/net/http/transport_secu...
File net/http/transport_security_state.cc (right):

https://codereview.chromium.org/103803012/diff/270001/net/http/transport_secu...
net/http/transport_security_state.cc:173: MergeDomainStates(dynamic_state,
&static_state);
On 2014/03/07 01:39:19, Ryan Sleevi wrote:
> BUG: static_state.domain gets all full of lies here.
> 
> Consider static state for http://a.b.example.com, dynamic state for
http://b.example.com
> 
> GetDynamicDomainState will return the state for http://b.example.com (because
it works
> through the host_sub_chunks in canoncalized_host ). GetStaticDomainState will
> return the state for http://a.b.example.com
> 
> static_state.domain will be "a.b.example.com", dynamic_state.domain will be
> "b.example.com"
> 
> When you merge these, static_state.dynamic_pkp / dynamic_sts will be set to
> dynamic_state.dynamic_pkp / dynamic_sts. However, .domain won't be updated.
> 
> As a result, you run the risk of now serializing back to the dynamic store
> "a.b.example.com", duplicating the entry already stored under "b.example.com"
-
> and now no longer updated on any new observations of http://b.example.com.

Ah, yes. OK, I'm going to change the code so that callers always call
GetDynamicDomainState and GetStaticDomainState explicitly. That will cause a lot
of churn in this CL, so brace yourselves.

https://codereview.chromium.org/103803012/diff/270001/net/http/transport_secu...
File net/http/transport_security_state.h (right):

https://codereview.chromium.org/103803012/diff/270001/net/http/transport_secu...
net/http/transport_security_state.h:142: // static state.
> // When checking whether or not a pin is valid, both dynamic and
> // static HPKP state are checked. While dynamic state is
> // checked first, static state is always consulted. Unless BOTH
> // static and dynamic states are empty, the set of SPKIs from the
> // TLS peer MUST be present in one of the states.
> 
> 
> That is, your comment about "dynamic state takes precedence" makes me think we
> ignore static state when we have dynamic state - but that's not true, is it?

Well, wouldn't it be a good idea to allow site operators to turn off pinning by
dynamic means? The I-D says:

"""UAs that support additional sources of pinning information MUST use the most
recently observed pinning information when performing Pin Validation for a host.
 The most recently observed pinning information is determined based upon the
most recent Effective Pin Date, as described in Section 2.3.2."""

Suggesting that it should, indeed, be possible for Chrome to ignore static state
if there is newer dynamic state that calls for no pinning.

Ryan Sleevi

https://codereview.chromium.org/103803012/diff/270001/net/http/transport_security_state.h File net/http/transport_security_state.h (right): https://codereview.chromium.org/103803012/diff/270001/net/http/transport_security_state.h#newcode142 net/http/transport_security_state.h:142: // static state. On 2014/03/14 21:33:39, Chromium Palmer wrote: ...

6 years, 9 months ago (2014-03-14 21:55:28 UTC) #20

Ryan Sleevi

I think your refactor is on the right approach for simplifying the public interactions. https://codereview.chromium.org/103803012/diff/310001/net/http/http_security_headers_unittest.cc ...

6 years, 8 months ago (2014-04-08 20:29:10 UTC) #21

palmer

> https://codereview.chromium.org/103803012/diff/310001/net/http/http_security_headers_unittest.cc#newcode506 > net/http/http_security_headers_unittest.cc:506: * TSS::GetPublicKeyPins? > indent issue? > > Still trying to grok ...

6 years, 8 months ago (2014-04-21 19:17:24 UTC) #22

agl

LGTM, although sleevi was doing this review so you might want to wait for him. ...

6 years, 8 months ago (2014-04-24 20:51:09 UTC) #23

Ryan Sleevi

I know how desperate you are to finish this, and I'm with you. A few ...

6 years, 8 months ago (2014-04-24 21:40:20 UTC) #24

agl

https://codereview.chromium.org/103803012/diff/370001/net/http/transport_security_state.cc File net/http/transport_security_state.cc (right): https://codereview.chromium.org/103803012/diff/370001/net/http/transport_security_state.cc#newcode120 net/http/transport_security_state.cc:120: if (static_state.ShouldUpgradeToSSL()) On 2014/04/24 21:40:21, Ryan Sleevi wrote: > ...

6 years, 8 months ago (2014-04-24 21:45:54 UTC) #25

palmer

(patchset comin' right up) https://codereview.chromium.org/103803012/diff/370001/chrome/browser/ui/webui/net_internals/net_internals_ui.cc File chrome/browser/ui/webui/net_internals/net_internals_ui.cc (right): https://codereview.chromium.org/103803012/diff/370001/chrome/browser/ui/webui/net_internals/net_internals_ui.cc#newcode1267 chrome/browser/ui/webui/net_internals/net_internals_ui.cc:1267: result->SetString("domain", domain); > Let's file ...

6 years, 8 months ago (2014-04-25 00:59:58 UTC) #26

Ryan Sleevi

LGTM mod nits, which you don't need a re-review for. https://codereview.chromium.org/103803012/diff/430001/net/http/transport_security_state.cc File net/http/transport_security_state.cc (right): https://codereview.chromium.org/103803012/diff/430001/net/http/transport_security_state.cc#newcode124 ...

6 years, 7 months ago (2014-05-05 23:24:23 UTC) #27

palmer

https://codereview.chromium.org/103803012/diff/430001/net/http/transport_security_state.cc File net/http/transport_security_state.cc (right): https://codereview.chromium.org/103803012/diff/430001/net/http/transport_security_state.cc#newcode124 net/http/transport_security_state.cc:124: if (static_state.ShouldUpgradeToSSL()) On 2014/05/05 23:24:23, Ryan Sleevi wrote: > ...

6 years, 7 months ago (2014-05-06 18:37:59 UTC) #28

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/palmer@chromium.org/103803012/450001

6 years, 7 months ago (2014-05-06 22:59:32 UTC) #30

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/palmer@chromium.org/103803012/450001

6 years, 7 months ago (2014-05-07 03:02:15 UTC) #33

commit-bot: I haz the power

FYI, CQ is re-trying this CL (attempt #1). Please consider checking whether the failures are ...

6 years, 7 months ago (2014-05-07 05:03:28 UTC) #34

commit-bot: I haz the power

FYI, CQ is re-trying this CL (attempt #2). Please consider checking whether the failures are ...

6 years, 7 months ago (2014-05-07 11:03:49 UTC) #35

commit-bot: I haz the power

The CQ bit was unchecked by commit-bot@chromium.org

6 years, 7 months ago (2014-05-07 11:19:00 UTC) #36

commit-bot: I haz the power

Try jobs failed on following builders: chromium_presubmit on tryserver.chromium

6 years, 7 months ago (2014-05-07 11:19:00 UTC) #37

palmer

eroman: Can you please take a look at chrome/browser/resources/net_internals/hsts_view.js chrome/browser/ui/webui/net_internals/net_internals_ui.cc ? Thanks!

6 years, 7 months ago (2014-05-07 19:54:04 UTC) #38

eroman

net_internals lgtm https://codereview.chromium.org/103803012/diff/450001/chrome/browser/resources/net_internals/hsts_view.js File chrome/browser/resources/net_internals/hsts_view.js (right): https://codereview.chromium.org/103803012/diff/450001/chrome/browser/resources/net_internals/hsts_view.js#newcode120 chrome/browser/resources/net_internals/hsts_view.js:120: var t; Is there any point to ...

6 years, 7 months ago (2014-05-07 21:17:16 UTC) #39

palmer

Thanks eroman! I assigned a bug to myself to do this clean-up ASAP.

6 years, 7 months ago (2014-05-07 21:27:55 UTC) #40

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/palmer@chromium.org/103803012/450001

6 years, 7 months ago (2014-05-07 21:29:52 UTC) #42

Message was sent while issue was closed.

Change committed as 268966

Expand Messages | Collapse Messages