| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #if defined(USE_OPENSSL) | 7 #if defined(USE_OPENSSL) |
| 8 #include <openssl/ecdsa.h> | 8 #include <openssl/ecdsa.h> |
| 9 #include <openssl/ssl.h> | 9 #include <openssl/ssl.h> |
| 10 #else // !defined(USE_OPENSSL) | 10 #else // !defined(USE_OPENSSL) |
| (...skipping 495 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 506 return true; | 506 return true; |
| 507 } | 507 } |
| 508 | 508 |
| 509 return false; | 509 return false; |
| 510 } | 510 } |
| 511 | 511 |
| 512 bool TransportSecurityState::CheckPublicKeyPins( | 512 bool TransportSecurityState::CheckPublicKeyPins( |
| 513 const std::string& host, | 513 const std::string& host, |
| 514 bool is_issued_by_known_root, | 514 bool is_issued_by_known_root, |
| 515 const HashValueVector& public_key_hashes, | 515 const HashValueVector& public_key_hashes, |
| 516 uint16_t port, |
| 517 const X509Certificate* served_certificate_chain, |
| 518 const X509Certificate* validated_certificate_chain, |
| 519 const PublicKeyPinReportStatus report_status, |
| 516 std::string* pinning_failure_log) { | 520 std::string* pinning_failure_log) { |
| 517 // Perform pin validation if, and only if, all these conditions obtain: | 521 // Perform pin validation if, and only if, all these conditions obtain: |
| 518 // | 522 // |
| 519 // * the server's certificate chain chains up to a known root (i.e. not a | 523 // * the server's certificate chain chains up to a known root (i.e. not a |
| 520 // user-installed trust anchor); and | 524 // user-installed trust anchor); and |
| 521 // * the server actually has public key pins. | 525 // * the server actually has public key pins. |
| 522 if (!is_issued_by_known_root || !HasPublicKeyPins(host)) { | 526 if (!is_issued_by_known_root || !HasPublicKeyPins(host)) { |
| 523 return true; | 527 return true; |
| 524 } | 528 } |
| 525 | 529 |
| 526 bool pins_are_valid = | 530 bool pins_are_valid = CheckPublicKeyPinsImpl( |
| 527 CheckPublicKeyPinsImpl(host, public_key_hashes, pinning_failure_log); | 531 host, public_key_hashes, port, served_certificate_chain, |
| 532 validated_certificate_chain, report_status, pinning_failure_log); |
| 528 if (!pins_are_valid) { | 533 if (!pins_are_valid) { |
| 529 LOG(ERROR) << *pinning_failure_log; | 534 LOG(ERROR) << *pinning_failure_log; |
| 530 ReportUMAOnPinFailure(host); | 535 ReportUMAOnPinFailure(host); |
| 531 } | 536 } |
| 532 | 537 |
| 533 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", pins_are_valid); | 538 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", pins_are_valid); |
| 534 return pins_are_valid; | 539 return pins_are_valid; |
| 535 } | 540 } |
| 536 | 541 |
| 537 bool TransportSecurityState::HasPublicKeyPins(const std::string& host) { | 542 bool TransportSecurityState::HasPublicKeyPins(const std::string& host) { |
| (...skipping 276 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 814 #else | 819 #else |
| 815 const base::Time build_time = base::GetBuildTime(); | 820 const base::Time build_time = base::GetBuildTime(); |
| 816 // We consider built-in information to be timely for 10 weeks. | 821 // We consider built-in information to be timely for 10 weeks. |
| 817 return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; | 822 return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; |
| 818 #endif | 823 #endif |
| 819 } | 824 } |
| 820 | 825 |
| 821 bool TransportSecurityState::CheckPublicKeyPinsImpl( | 826 bool TransportSecurityState::CheckPublicKeyPinsImpl( |
| 822 const std::string& host, | 827 const std::string& host, |
| 823 const HashValueVector& hashes, | 828 const HashValueVector& hashes, |
| 829 uint16_t port, |
| 830 const X509Certificate* served_certificate_chain, |
| 831 const X509Certificate* validated_certificate_chain, |
| 832 const PublicKeyPinReportStatus report_status, |
| 824 std::string* failure_log) { | 833 std::string* failure_log) { |
| 825 PKPState dynamic_state; | 834 bool used_static_state = false; |
| 826 if (GetDynamicPKPState(host, &dynamic_state)) | 835 PKPState pkp_state; |
| 827 return dynamic_state.CheckPublicKeyPins(hashes, failure_log); | 836 STSState unused; |
| 828 | 837 |
| 829 PKPState static_pkp_state; | 838 if (!GetDynamicPKPState(host, &pkp_state)) { |
| 830 STSState unused; | 839 if (!GetStaticDomainState(host, &unused, &pkp_state)) { |
| 831 if (GetStaticDomainState(host, &unused, &static_pkp_state)) | 840 // HasPublicKeyPins should have returned true in order for this method |
| 832 return static_pkp_state.CheckPublicKeyPins(hashes, failure_log); | 841 // to have been called, so if we fall through to here, it's an error. |
| 842 return false; |
| 843 } |
| 844 used_static_state = true; |
| 845 } |
| 833 | 846 |
| 834 // HasPublicKeyPins should have returned true in order for this method | 847 bool passed_pin_check = pkp_state.CheckPublicKeyPins(hashes, failure_log); |
| 835 // to have been called, so if we fall through to here, it's an error. | 848 |
| 836 return false; | 849 if (passed_pin_check || !reporter_ || report_status != ENABLE_PIN_REPORTS) |
| 850 return passed_pin_check; |
| 851 |
| 852 GURL report_uri; |
| 853 std::string serialized_report; |
| 854 |
| 855 if (!reporter_->GetHPKPReport( |
| 856 host, pkp_state, used_static_state, port, served_certificate_chain, |
| 857 validated_certificate_chain, &report_uri, &serialized_report)) { |
| 858 return passed_pin_check; |
| 859 } |
| 860 |
| 861 reporter_->SendHPKPReport(report_uri, serialized_report); |
| 862 |
| 863 return passed_pin_check; |
| 837 } | 864 } |
| 838 | 865 |
| 839 bool TransportSecurityState::GetStaticDomainState(const std::string& host, | 866 bool TransportSecurityState::GetStaticDomainState(const std::string& host, |
| 840 STSState* sts_state, | 867 STSState* sts_state, |
| 841 PKPState* pkp_state) const { | 868 PKPState* pkp_state) const { |
| 842 DCHECK(CalledOnValidThread()); | 869 DCHECK(CalledOnValidThread()); |
| 843 | 870 |
| 844 sts_state->upgrade_mode = STSState::MODE_FORCE_HTTPS; | 871 sts_state->upgrade_mode = STSState::MODE_FORCE_HTTPS; |
| 845 sts_state->include_subdomains = false; | 872 sts_state->include_subdomains = false; |
| 846 pkp_state->include_subdomains = false; | 873 pkp_state->include_subdomains = false; |
| (...skipping 215 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1062 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1089 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
| 1063 const TransportSecurityState& state) | 1090 const TransportSecurityState& state) |
| 1064 : iterator_(state.enabled_pkp_hosts_.begin()), | 1091 : iterator_(state.enabled_pkp_hosts_.begin()), |
| 1065 end_(state.enabled_pkp_hosts_.end()) { | 1092 end_(state.enabled_pkp_hosts_.end()) { |
| 1066 } | 1093 } |
| 1067 | 1094 |
| 1068 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1095 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
| 1069 } | 1096 } |
| 1070 | 1097 |
| 1071 } // namespace | 1098 } // namespace |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1213783005:
Send HPKP violation reports when a pin check fails (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master