| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #if defined(USE_OPENSSL) | 7 #if defined(USE_OPENSSL) |
| 8 #include <openssl/ecdsa.h> | 8 #include <openssl/ecdsa.h> |
| 9 #include <openssl/ssl.h> | 9 #include <openssl/ssl.h> |
| 10 #else // !defined(USE_OPENSSL) | 10 #else // !defined(USE_OPENSSL) |
| (...skipping 527 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 538 const char* const* excluded_hashes; | 538 const char* const* excluded_hashes; |
| 539 }; | 539 }; |
| 540 | 540 |
| 541 struct HSTSPreload { | 541 struct HSTSPreload { |
| 542 uint8 length; | 542 uint8 length; |
| 543 bool include_subdomains; | 543 bool include_subdomains; |
| 544 char dns_name[38]; | 544 char dns_name[38]; |
| 545 bool https_required; | 545 bool https_required; |
| 546 PublicKeyPins pins; | 546 PublicKeyPins pins; |
| 547 SecondLevelDomainName second_level_domain_name; | 547 SecondLevelDomainName second_level_domain_name; |
| 548 SSL_CONNECTION_VERSION ssl_version_min; |
| 548 }; | 549 }; |
| 549 | 550 |
| 550 static bool HasPreload(const struct HSTSPreload* entries, size_t num_entries, | 551 static bool HasPreload(const struct HSTSPreload* entries, size_t num_entries, |
| 551 const std::string& canonicalized_host, size_t i, | 552 const std::string& canonicalized_host, size_t i, |
| 552 TransportSecurityState::DomainState* out, bool* ret) { | 553 TransportSecurityState::DomainState* out, bool* ret) { |
| 553 for (size_t j = 0; j < num_entries; j++) { | 554 for (size_t j = 0; j < num_entries; j++) { |
| 554 if (entries[j].length == canonicalized_host.size() - i && | 555 if (entries[j].length == canonicalized_host.size() - i && |
| 555 memcmp(entries[j].dns_name, &canonicalized_host[i], | 556 memcmp(entries[j].dns_name, &canonicalized_host[i], |
| 556 entries[j].length) == 0) { | 557 entries[j].length) == 0) { |
| 557 if (!entries[j].include_subdomains && i != 0) { | 558 if (!entries[j].include_subdomains && i != 0) { |
| 558 *ret = false; | 559 *ret = false; |
| 559 } else { | 560 } else { |
| 560 out->include_subdomains = entries[j].include_subdomains; | 561 out->include_subdomains = entries[j].include_subdomains; |
| 562 out->ssl_version_min = entries[j].ssl_version_min; |
| 561 *ret = true; | 563 *ret = true; |
| 562 if (!entries[j].https_required) | 564 if (!entries[j].https_required) |
| 563 out->upgrade_mode = TransportSecurityState::DomainState::MODE_DEFAULT; | 565 out->upgrade_mode = TransportSecurityState::DomainState::MODE_DEFAULT; |
| 564 if (entries[j].pins.required_hashes) { | 566 if (entries[j].pins.required_hashes) { |
| 565 const char* const* sha1_hash = entries[j].pins.required_hashes; | 567 const char* const* sha1_hash = entries[j].pins.required_hashes; |
| 566 while (*sha1_hash) { | 568 while (*sha1_hash) { |
| 567 AddHash(*sha1_hash, &out->static_spki_hashes); | 569 AddHash(*sha1_hash, &out->static_spki_hashes); |
| 568 sha1_hash++; | 570 sha1_hash++; |
| 569 } | 571 } |
| 570 } | 572 } |
| (...skipping 211 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 782 } | 784 } |
| 783 | 785 |
| 784 void TransportSecurityState::AddOrUpdateForcedHosts( | 786 void TransportSecurityState::AddOrUpdateForcedHosts( |
| 785 const std::string& hashed_host, const DomainState& state) { | 787 const std::string& hashed_host, const DomainState& state) { |
| 786 forced_hosts_[hashed_host] = state; | 788 forced_hosts_[hashed_host] = state; |
| 787 } | 789 } |
| 788 | 790 |
| 789 TransportSecurityState::DomainState::DomainState() | 791 TransportSecurityState::DomainState::DomainState() |
| 790 : upgrade_mode(MODE_FORCE_HTTPS), | 792 : upgrade_mode(MODE_FORCE_HTTPS), |
| 791 created(base::Time::Now()), | 793 created(base::Time::Now()), |
| 792 include_subdomains(false) { | 794 include_subdomains(false), |
| 795 ssl_version_min(SSL_CONNECTION_VERSION_SSL3) { |
| 793 } | 796 } |
| 794 | 797 |
| 795 TransportSecurityState::DomainState::~DomainState() { | 798 TransportSecurityState::DomainState::~DomainState() { |
| 796 } | 799 } |
| 797 | 800 |
| 798 bool TransportSecurityState::DomainState::CheckPublicKeyPins( | 801 bool TransportSecurityState::DomainState::CheckPublicKeyPins( |
| 799 const HashValueVector& hashes) const { | 802 const HashValueVector& hashes) const { |
| 800 // Validate that hashes is not empty. By the time this code is called (in | 803 // Validate that hashes is not empty. By the time this code is called (in |
| 801 // production), that should never happen, but it's good to be defensive. | 804 // production), that should never happen, but it's good to be defensive. |
| 802 // And, hashes *can* be empty in some test scenarios. | 805 // And, hashes *can* be empty in some test scenarios. |
| (...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 845 return true; | 848 return true; |
| 846 } | 849 } |
| 847 | 850 |
| 848 bool TransportSecurityState::DomainState::HasPublicKeyPins() const { | 851 bool TransportSecurityState::DomainState::HasPublicKeyPins() const { |
| 849 return static_spki_hashes.size() > 0 || | 852 return static_spki_hashes.size() > 0 || |
| 850 bad_static_spki_hashes.size() > 0 || | 853 bad_static_spki_hashes.size() > 0 || |
| 851 dynamic_spki_hashes.size() > 0; | 854 dynamic_spki_hashes.size() > 0; |
| 852 } | 855 } |
| 853 | 856 |
| 854 } // namespace | 857 } // namespace |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 14125003:
Do not roll back to SSL 3.0 for Google properties. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master