OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #if defined(USE_OPENSSL) | 7 #if defined(USE_OPENSSL) |
8 #include <openssl/ecdsa.h> | 8 #include <openssl/ecdsa.h> |
9 #include <openssl/ssl.h> | 9 #include <openssl/ssl.h> |
10 #else // !defined(USE_OPENSSL) | 10 #else // !defined(USE_OPENSSL) |
(...skipping 501 matching lines...)
512 return true; | 512 return true; |
513 } | 513 } |
514 | 514 |
515 return false; | 515 return false; |
516 } | 516 } |
517 | 517 |
518 bool TransportSecurityState::CheckPublicKeyPins( | 518 bool TransportSecurityState::CheckPublicKeyPins( |
519 const std::string& host, | 519 const std::string& host, |
520 bool is_issued_by_known_root, | 520 bool is_issued_by_known_root, |
521 const HashValueVector& public_key_hashes, | 521 const HashValueVector& public_key_hashes, |
| 522 uint16_t port, |
| 523 const scoped_refptr<X509Certificate>& served_certificate_chain, |
| 524 const scoped_refptr<X509Certificate>& validated_certificate_chain, |
| 525 const PublicKeyPinReportStatus report_status, |
522 std::string* pinning_failure_log) { | 526 std::string* pinning_failure_log) { |
523 // Perform pin validation if, and only if, all these conditions obtain: | 527 // Perform pin validation if, and only if, all these conditions obtain: |
524 // | 528 // |
525 // * the server's certificate chain chains up to a known root (i.e. not a | 529 // * the server's certificate chain chains up to a known root (i.e. not a |
526 // user-installed trust anchor); and | 530 // user-installed trust anchor); and |
527 // * the server actually has public key pins. | 531 // * the server actually has public key pins. |
528 if (!is_issued_by_known_root || !HasPublicKeyPins(host)) { | 532 if (!is_issued_by_known_root || !HasPublicKeyPins(host)) { |
529 return true; | 533 return true; |
530 } | 534 } |
531 | 535 |
532 bool pins_are_valid = | 536 bool pins_are_valid = CheckPublicKeyPinsImpl( |
533 CheckPublicKeyPinsImpl(host, public_key_hashes, pinning_failure_log); | 537 host, public_key_hashes, port, served_certificate_chain, |
| 538 validated_certificate_chain, report_status, pinning_failure_log); |
534 if (!pins_are_valid) { | 539 if (!pins_are_valid) { |
535 LOG(ERROR) << *pinning_failure_log; | 540 LOG(ERROR) << *pinning_failure_log; |
536 ReportUMAOnPinFailure(host); | 541 ReportUMAOnPinFailure(host); |
537 } | 542 } |
538 | 543 |
539 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", pins_are_valid); | 544 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", pins_are_valid); |
540 return pins_are_valid; | 545 return pins_are_valid; |
541 } | 546 } |
542 | 547 |
543 bool TransportSecurityState::HasPublicKeyPins(const std::string& host) { | 548 bool TransportSecurityState::HasPublicKeyPins(const std::string& host) { |
(...skipping 247 matching lines...)
791 #else | 796 #else |
792 const base::Time build_time = base::GetBuildTime(); | 797 const base::Time build_time = base::GetBuildTime(); |
793 // We consider built-in information to be timely for 10 weeks. | 798 // We consider built-in information to be timely for 10 weeks. |
794 return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; | 799 return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; |
795 #endif | 800 #endif |
796 } | 801 } |
797 | 802 |
798 bool TransportSecurityState::CheckPublicKeyPinsImpl( | 803 bool TransportSecurityState::CheckPublicKeyPinsImpl( |
799 const std::string& host, | 804 const std::string& host, |
800 const HashValueVector& hashes, | 805 const HashValueVector& hashes, |
| 806 uint16_t port, |
| 807 const scoped_refptr<X509Certificate>& served_certificate_chain, |
| 808 const scoped_refptr<X509Certificate>& validated_certificate_chain, |
| 809 const PublicKeyPinReportStatus report_status, |
801 std::string* failure_log) { | 810 std::string* failure_log) { |
802 DomainState dynamic_state; | 811 DomainState dynamic_state; |
803 if (GetDynamicDomainState(host, &dynamic_state)) | 812 if (GetDynamicDomainState(host, &dynamic_state)) { |
804 return dynamic_state.CheckPublicKeyPins(hashes, failure_log); | 813 bool result = dynamic_state.CheckPublicKeyPins(hashes, failure_log); |
| 814 |
| 815 if (result || !reporter_ || |
| 816 report_status == DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT) |
| 817 return result; |
| 818 |
| 819 GURL report_uri; |
| 820 std::string serialized_report; |
| 821 |
| 822 if (!reporter_->GetHPKPReportUri(dynamic_state.pkp, &report_uri)) |
| 823 return result; |
| 824 |
| 825 if (!reporter_->BuildHPKPReport( |
| 826 host, port, dynamic_state.pkp.expiry, |
| 827 dynamic_state.pkp.include_subdomains, dynamic_state.pkp.domain, |
| 828 served_certificate_chain, validated_certificate_chain, |
| 829 dynamic_state.pkp.spki_hashes, &serialized_report)) { |
| 830 LOG(ERROR) << "Failed to build HPKP report"; |
| 831 return result; |
| 832 } |
| 833 |
| 834 reporter_->SendHPKPReport(report_uri, serialized_report); |
| 835 } |
805 | 836 |
806 DomainState static_state; | 837 DomainState static_state; |
807 if (GetStaticDomainState(host, &static_state)) | 838 if (GetStaticDomainState(host, &static_state)) |
808 return static_state.CheckPublicKeyPins(hashes, failure_log); | 839 return static_state.CheckPublicKeyPins(hashes, failure_log); |
809 | 840 |
810 // HasPublicKeyPins should have returned true in order for this method | 841 // HasPublicKeyPins should have returned true in order for this method |
811 // to have been called, so if we fall through to here, it's an error. | 842 // to have been called, so if we fall through to here, it's an error. |
812 return false; | 843 return false; |
813 } | 844 } |
814 | 845 |
(...skipping 191 matching lines...)
1006 TransportSecurityState::DomainState::STSState::~STSState() { | 1037 TransportSecurityState::DomainState::STSState::~STSState() { |
1007 } | 1038 } |
1008 | 1039 |
1009 TransportSecurityState::DomainState::PKPState::PKPState() { | 1040 TransportSecurityState::DomainState::PKPState::PKPState() { |
1010 } | 1041 } |
1011 | 1042 |
1012 TransportSecurityState::DomainState::PKPState::~PKPState() { | 1043 TransportSecurityState::DomainState::PKPState::~PKPState() { |
1013 } | 1044 } |
1014 | 1045 |
1015 } // namespace | 1046 } // namespace |
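Review bot: In CheckPublicKeyPinsImpl, the path that actually sends a report (new lines 834-835) has no return, so after `reporter_->SendHPKPReport(report_uri, serialized_report);` control leaves the dynamic-state block and continues into the static-pin lookup. The old code returned the dynamic result unconditionally. With this change, a host that fails its dynamic pins but also has a static entry gets the static verdict, which can turn a pin failure into a pass, and `failure_log` may be written a second time. Add `return result;` directly after the SendHPKPReport call so that every exit from the dynamic branch returns the dynamic decision. A unit test for a host with a failing dynamic pin set and a matching static pin set, with reporting enabled, would keep this from regressing.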