OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #if defined(USE_OPENSSL) | 7 #if defined(USE_OPENSSL) |
8 #include <openssl/ecdsa.h> | 8 #include <openssl/ecdsa.h> |
9 #include <openssl/ssl.h> | 9 #include <openssl/ssl.h> |
10 #else // !defined(USE_OPENSSL) | 10 #else // !defined(USE_OPENSSL) |
506 return true; | 506 return true; |
507 } | 507 } |
508 | 508 |
509 return false; | 509 return false; |
510 } | 510 } |
511 | 511 |
512 bool TransportSecurityState::CheckPublicKeyPins( | 512 bool TransportSecurityState::CheckPublicKeyPins( |
513 const std::string& host, | 513 const std::string& host, |
514 bool is_issued_by_known_root, | 514 bool is_issued_by_known_root, |
515 const HashValueVector& public_key_hashes, | 515 const HashValueVector& public_key_hashes, |
| 516 uint16_t port, |
| 517 const X509Certificate* served_certificate_chain, |
| 518 const X509Certificate* validated_certificate_chain, |
| 519 const PublicKeyPinReportStatus report_status, |
516 std::string* pinning_failure_log) { | 520 std::string* pinning_failure_log) { |
517 // Perform pin validation if, and only if, all these conditions obtain: | 521 // Perform pin validation if, and only if, all these conditions obtain: |
518 // | 522 // |
519 // * the server's certificate chain chains up to a known root (i.e. not a | 523 // * the server's certificate chain chains up to a known root (i.e. not a |
520 // user-installed trust anchor); and | 524 // user-installed trust anchor); and |
521 // * the server actually has public key pins. | 525 // * the server actually has public key pins. |
522 if (!is_issued_by_known_root || !HasPublicKeyPins(host)) { | 526 if (!is_issued_by_known_root || !HasPublicKeyPins(host)) { |
523 return true; | 527 return true; |
524 } | 528 } |
525 | 529 |
526 bool pins_are_valid = | 530 bool pins_are_valid = CheckPublicKeyPinsImpl( |
527 CheckPublicKeyPinsImpl(host, public_key_hashes, pinning_failure_log); | 531 host, public_key_hashes, port, served_certificate_chain, |
| 532 validated_certificate_chain, report_status, pinning_failure_log); |
528 if (!pins_are_valid) { | 533 if (!pins_are_valid) { |
529 LOG(ERROR) << *pinning_failure_log; | 534 LOG(ERROR) << *pinning_failure_log; |
530 ReportUMAOnPinFailure(host); | 535 ReportUMAOnPinFailure(host); |
531 } | 536 } |
532 | 537 |
533 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", pins_are_valid); | 538 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", pins_are_valid); |
534 return pins_are_valid; | 539 return pins_are_valid; |
535 } | 540 } |
536 | 541 |
537 bool TransportSecurityState::HasPublicKeyPins(const std::string& host) { | 542 bool TransportSecurityState::HasPublicKeyPins(const std::string& host) { |
814 #else | 819 #else |
815 const base::Time build_time = base::GetBuildTime(); | 820 const base::Time build_time = base::GetBuildTime(); |
816 // We consider built-in information to be timely for 10 weeks. | 821 // We consider built-in information to be timely for 10 weeks. |
817 return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; | 822 return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; |
818 #endif | 823 #endif |
819 } | 824 } |
820 | 825 |
821 bool TransportSecurityState::CheckPublicKeyPinsImpl( | 826 bool TransportSecurityState::CheckPublicKeyPinsImpl( |
822 const std::string& host, | 827 const std::string& host, |
823 const HashValueVector& hashes, | 828 const HashValueVector& hashes, |
| 829 uint16_t port, |
| 830 const X509Certificate* served_certificate_chain, |
| 831 const X509Certificate* validated_certificate_chain, |
| 832 const PublicKeyPinReportStatus report_status, |
824 std::string* failure_log) { | 833 std::string* failure_log) { |
825 PKPState dynamic_state; | 834 bool used_static_state = false; |
826 if (GetDynamicPKPState(host, &dynamic_state)) | 835 PKPState pkp_state; |
827 return dynamic_state.CheckPublicKeyPins(hashes, failure_log); | 836 STSState unused; |
828 | 837 |
829 PKPState static_pkp_state; | 838 if (!GetDynamicPKPState(host, &pkp_state)) { |
830 STSState unused; | 839 if (!GetStaticDomainState(host, &unused, &pkp_state)) { |
831 if (GetStaticDomainState(host, &unused, &static_pkp_state)) | 840 // HasPublicKeyPins should have returned true in order for this method |
832 return static_pkp_state.CheckPublicKeyPins(hashes, failure_log); | 841 // to have been called, so if we fall through to here, it's an error. |
| 842 return false; |
| 843 } |
| 844 used_static_state = true; |
| 845 } |
833 | 846 |
834 // HasPublicKeyPins should have returned true in order for this method | 847 bool passed_pin_check = pkp_state.CheckPublicKeyPins(hashes, failure_log); |
835 // to have been called, so if we fall through to here, it's an error. | 848 |
836 return false; | 849 if (passed_pin_check || !reporter_ || report_status != ENABLE_PIN_REPORTS) |
| 850 return passed_pin_check; |
| 851 |
| 852 GURL report_uri; |
| 853 std::string serialized_report; |
| 854 |
| 855 if (!reporter_->GetHPKPReport( |
| 856 host, pkp_state, used_static_state, port, served_certificate_chain, |
| 857 validated_certificate_chain, &report_uri, &serialized_report)) { |
| 858 return passed_pin_check; |
| 859 } |
| 860 |
| 861 reporter_->SendHPKPReport(report_uri, serialized_report); |
| 862 |
| 863 return passed_pin_check; |
837 } | 864 } |
838 | 865 |
839 bool TransportSecurityState::GetStaticDomainState(const std::string& host, | 866 bool TransportSecurityState::GetStaticDomainState(const std::string& host, |
840 STSState* sts_state, | 867 STSState* sts_state, |
841 PKPState* pkp_state) const { | 868 PKPState* pkp_state) const { |
842 DCHECK(CalledOnValidThread()); | 869 DCHECK(CalledOnValidThread()); |
843 | 870 |
844 sts_state->upgrade_mode = STSState::MODE_FORCE_HTTPS; | 871 sts_state->upgrade_mode = STSState::MODE_FORCE_HTTPS; |
845 sts_state->include_subdomains = false; | 872 sts_state->include_subdomains = false; |
846 pkp_state->include_subdomains = false; | 873 pkp_state->include_subdomains = false; |
1062 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1089 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
1063 const TransportSecurityState& state) | 1090 const TransportSecurityState& state) |
1064 : iterator_(state.enabled_pkp_hosts_.begin()), | 1091 : iterator_(state.enabled_pkp_hosts_.begin()), |
1065 end_(state.enabled_pkp_hosts_.end()) { | 1092 end_(state.enabled_pkp_hosts_.end()) { |
1066 } | 1093 } |
1067 | 1094 |
1068 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1095 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
1069 } | 1096 } |
1070 | 1097 |
1071 } // namespace | 1098 } // namespace |
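Review bot: In CheckPublicKeyPinsImpl (new lines 834-845) the static fallback now writes into the same `pkp_state` that `GetDynamicPKPState` was just handed, where the old code used a separate `static_pkp_state`. Neither helper's full body is visible here (GetStaticDomainState is only seen resetting `include_subdomains`), so if a failed dynamic lookup can leave pins or other fields behind, they would be checked and reported as if they were the static pin set. Either reset the object before the fallback, `pkp_state = PKPState();`, or add a comment stating that GetDynamicPKPState leaves its output untouched on failure. The two certificate-chain pointers are also passed to `reporter_->GetHPKPReport` unchecked; if the contract is that they are non-null whenever `report_status` is `ENABLE_PIN_REPORTS`, a `DCHECK(served_certificate_chain);` and `DCHECK(validated_certificate_chain);` before the call would document that.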