OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #if defined(USE_OPENSSL) | 7 #if defined(USE_OPENSSL) |
8 #include <openssl/ecdsa.h> | 8 #include <openssl/ecdsa.h> |
9 #include <openssl/ssl.h> | 9 #include <openssl/ssl.h> |
10 #else // !defined(USE_OPENSSL) | 10 #else // !defined(USE_OPENSSL) |
(...skipping 495 matching lines...)
506 return true; | 506 return true; |
507 } | 507 } |
508 | 508 |
509 return false; | 509 return false; |
510 } | 510 } |
511 | 511 |
512 bool TransportSecurityState::CheckPublicKeyPins( | 512 bool TransportSecurityState::CheckPublicKeyPins( |
513 const std::string& host, | 513 const std::string& host, |
514 bool is_issued_by_known_root, | 514 bool is_issued_by_known_root, |
515 const HashValueVector& public_key_hashes, | 515 const HashValueVector& public_key_hashes, |
516 uint16_t port, | |
517 const X509Certificate* served_certificate_chain, | |
518 const X509Certificate* validated_certificate_chain, | |
519 const PublicKeyPinReportStatus report_status, | |
516 std::string* pinning_failure_log) { | 520 std::string* pinning_failure_log) { |
517 // Perform pin validation if, and only if, all these conditions obtain: | 521 // Perform pin validation if, and only if, all these conditions obtain: |
518 // | 522 // |
519 // * the server's certificate chain chains up to a known root (i.e. not a | 523 // * the server's certificate chain chains up to a known root (i.e. not a |
520 // user-installed trust anchor); and | 524 // user-installed trust anchor); and |
521 // * the server actually has public key pins. | 525 // * the server actually has public key pins. |
522 if (!is_issued_by_known_root || !HasPublicKeyPins(host)) { | 526 if (!is_issued_by_known_root || !HasPublicKeyPins(host)) { |
523 return true; | 527 return true; |
524 } | 528 } |
525 | 529 |
526 bool pins_are_valid = | 530 bool pins_are_valid = CheckPublicKeyPinsImpl( |
527 CheckPublicKeyPinsImpl(host, public_key_hashes, pinning_failure_log); | 531 host, public_key_hashes, port, served_certificate_chain, |
532 validated_certificate_chain, report_status, pinning_failure_log); | |
528 if (!pins_are_valid) { | 533 if (!pins_are_valid) { |
529 LOG(ERROR) << *pinning_failure_log; | 534 LOG(ERROR) << *pinning_failure_log; |
530 ReportUMAOnPinFailure(host); | 535 ReportUMAOnPinFailure(host); |
531 } | 536 } |
532 | 537 |
533 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", pins_are_valid); | 538 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", pins_are_valid); |
534 return pins_are_valid; | 539 return pins_are_valid; |
535 } | 540 } |
536 | 541 |
537 bool TransportSecurityState::HasPublicKeyPins(const std::string& host) { | 542 bool TransportSecurityState::HasPublicKeyPins(const std::string& host) { |
(...skipping 276 matching lines...)
814 #else | 819 #else |
815 const base::Time build_time = base::GetBuildTime(); | 820 const base::Time build_time = base::GetBuildTime(); |
816 // We consider built-in information to be timely for 10 weeks. | 821 // We consider built-in information to be timely for 10 weeks. |
817 return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; | 822 return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */; |
818 #endif | 823 #endif |
819 } | 824 } |
820 | 825 |
821 bool TransportSecurityState::CheckPublicKeyPinsImpl( | 826 bool TransportSecurityState::CheckPublicKeyPinsImpl( |
822 const std::string& host, | 827 const std::string& host, |
823 const HashValueVector& hashes, | 828 const HashValueVector& hashes, |
829 uint16_t port, | |
830 const X509Certificate* served_certificate_chain, | |
831 const X509Certificate* validated_certificate_chain, | |
832 const PublicKeyPinReportStatus report_status, | |
824 std::string* failure_log) { | 833 std::string* failure_log) { |
825 PKPState dynamic_state; | 834 PKPState dynamic_state; |
826 if (GetDynamicPKPState(host, &dynamic_state)) | 835 if (GetDynamicPKPState(host, &dynamic_state)) { |
827 return dynamic_state.CheckPublicKeyPins(hashes, failure_log); | 836 bool result = dynamic_state.CheckPublicKeyPins(hashes, failure_log); |
837 | |
838 if (result || !reporter_ || | |
839 report_status == DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT) | |
840 return result; | |
841 | |
842 GURL report_uri; | |
843 std::string serialized_report; | |
844 | |
845 if (!reporter_->GetHPKPReportUri(dynamic_state, &report_uri)) | |
Ryan Sleevi
2015/07/10 16:40:00
Does this mean we can't preload report-uris? Seems
estark
2015/07/10 19:33:30
Done.
| |
846 return result; | |
847 | |
848 if (!reporter_->BuildHPKPReport( | |
849 host, port, dynamic_state.expiry, dynamic_state.include_subdomains, | |
850 dynamic_state.domain, served_certificate_chain, | |
851 validated_certificate_chain, dynamic_state.spki_hashes, | |
852 &serialized_report)) { | |
853 LOG(ERROR) << "Failed to build HPKP report"; | |
854 return result; | |
855 } | |
856 | |
857 reporter_->SendHPKPReport(report_uri, serialized_report); | |
858 } | |
828 | 859 |
829 PKPState static_pkp_state; | 860 PKPState static_pkp_state; |
830 STSState unused; | 861 STSState unused; |
831 if (GetStaticDomainState(host, &unused, &static_pkp_state)) | 862 if (GetStaticDomainState(host, &unused, &static_pkp_state)) |
832 return static_pkp_state.CheckPublicKeyPins(hashes, failure_log); | 863 return static_pkp_state.CheckPublicKeyPins(hashes, failure_log); |
833 | 864 |
834 // HasPublicKeyPins should have returned true in order for this method | 865 // HasPublicKeyPins should have returned true in order for this method |
835 // to have been called, so if we fall through to here, it's an error. | 866 // to have been called, so if we fall through to here, it's an error. |
836 return false; | 867 return false; |
837 } | 868 } |
(...skipping 224 matching lines...)
1062 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1093 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
1063 const TransportSecurityState& state) | 1094 const TransportSecurityState& state) |
1064 : iterator_(state.enabled_pkp_hosts_.begin()), | 1095 : iterator_(state.enabled_pkp_hosts_.begin()), |
1065 end_(state.enabled_pkp_hosts_.end()) { | 1096 end_(state.enabled_pkp_hosts_.end()) { |
1066 } | 1097 } |
1067 | 1098 |
1068 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1099 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
1069 } | 1100 } |
1070 | 1101 |
1071 } // namespace | 1102 } // namespace |
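Review bot: In the new CheckPublicKeyPinsImpl, the path that sends a report has no `return result;` after `reporter_->SendHPKPReport(report_uri, serialized_report);`, so a failed dynamic pin check falls out of the `if (GetDynamicPKPState(host, &dynamic_state))` block and into the static-state lookup below it. Every other exit from that block returns `result`, and the old code returned the dynamic verdict unconditionally, so this looks unintended. For a host that has both dynamic and static pins, a chain that violates the dynamic pins but satisfies the static ones would then be accepted, and only when a reporter is set and reporting is enabled. Add `return result;` immediately after the SendHPKPReport call. A unit test with a reporter installed and a host carrying both dynamic and static state would catch the regression.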