Chromium Code Reviews Chromium Code Reviews
Issue 1579063002:
Implement a skeleton version of Expect CT reports (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <utility> | 8 #include <utility> |
| 9 | 9 |
| 10 #include "base/base64.h" | 10 #include "base/base64.h" |
| 11 #include "base/build_time.h" | 11 #include "base/build_time.h" |
| 12 #include "base/json/json_writer.h" | 12 #include "base/json/json_writer.h" |
| 13 #include "base/logging.h" | 13 #include "base/logging.h" |
| 14 #include "base/memory/scoped_ptr.h" | 14 #include "base/memory/scoped_ptr.h" |
| 15 #include "base/metrics/histogram_macros.h" | 15 #include "base/metrics/histogram_macros.h" |
| 16 #include "base/metrics/sparse_histogram.h" | 16 #include "base/metrics/sparse_histogram.h" |
| 17 #include "base/sha1.h" | 17 #include "base/sha1.h" |
| 18 #include "base/strings/string_number_conversions.h" | 18 #include "base/strings/string_number_conversions.h" |
| 19 #include "base/strings/string_util.h" | 19 #include "base/strings/string_util.h" |
| 20 #include "base/strings/stringprintf.h" | 20 #include "base/strings/stringprintf.h" |
| 21 #include "base/strings/utf_string_conversions.h" | 21 #include "base/strings/utf_string_conversions.h" |
| 22 #include "base/values.h" | 22 #include "base/values.h" |
| 23 #include "crypto/sha2.h" | 23 #include "crypto/sha2.h" |
| 24 #include "net/base/host_port_pair.h" | 24 #include "net/base/host_port_pair.h" |
| 25 #include "net/cert/ct_policy_status.h" | |
| 25 #include "net/cert/x509_cert_types.h" | 26 #include "net/cert/x509_cert_types.h" |
| 26 #include "net/cert/x509_certificate.h" | 27 #include "net/cert/x509_certificate.h" |
| 27 #include "net/dns/dns_util.h" | 28 #include "net/dns/dns_util.h" |
| 28 #include "net/http/http_security_headers.h" | 29 #include "net/http/http_security_headers.h" |
| 29 #include "net/ssl/ssl_info.h" | 30 #include "net/ssl/ssl_info.h" |
| 30 #include "url/gurl.h" | 31 #include "url/gurl.h" |
| 31 | 32 |
| 32 namespace net { | 33 namespace net { |
| 33 | 34 |
| 34 namespace { | 35 namespace { |
| (...skipping 647 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 682 DCHECK(CalledOnValidThread()); | 683 DCHECK(CalledOnValidThread()); |
| 683 delegate_ = delegate; | 684 delegate_ = delegate; |
| 684 } | 685 } |
| 685 | 686 |
| 686 void TransportSecurityState::SetReportSender( | 687 void TransportSecurityState::SetReportSender( |
| 687 TransportSecurityState::ReportSender* report_sender) { | 688 TransportSecurityState::ReportSender* report_sender) { |
| 688 DCHECK(CalledOnValidThread()); | 689 DCHECK(CalledOnValidThread()); |
| 689 report_sender_ = report_sender; | 690 report_sender_ = report_sender; |
| 690 } | 691 } |
| 691 | 692 |
| 693 void TransportSecurityState::SetExpectCTReporter( | |
| 694 ExpectCTReporter* expect_ct_reporter) { | |
| 695 DCHECK(CalledOnValidThread()); | |
| 696 expect_ct_reporter_ = expect_ct_reporter; | |
| 697 } | |
| 698 | |
| 692 void TransportSecurityState::AddHSTSInternal( | 699 void TransportSecurityState::AddHSTSInternal( |
| 693 const std::string& host, | 700 const std::string& host, |
| 694 TransportSecurityState::STSState::UpgradeMode upgrade_mode, | 701 TransportSecurityState::STSState::UpgradeMode upgrade_mode, |
| 695 const base::Time& expiry, | 702 const base::Time& expiry, |
| 696 bool include_subdomains) { | 703 bool include_subdomains) { |
| 697 DCHECK(CalledOnValidThread()); | 704 DCHECK(CalledOnValidThread()); |
| 698 | 705 |
| 699 STSState sts_state; | 706 STSState sts_state; |
| 700 sts_state.last_observed = base::Time::Now(); | 707 sts_state.last_observed = base::Time::Now(); |
| 701 sts_state.include_subdomains = include_subdomains; | 708 sts_state.include_subdomains = include_subdomains; |
| (...skipping 111 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 813 return false; | 820 return false; |
| 814 sent_reports_cache_.Put( | 821 sent_reports_cache_.Put( |
| 815 report_cache_key, true, base::TimeTicks::Now(), | 822 report_cache_key, true, base::TimeTicks::Now(), |
| 816 base::TimeTicks::Now() + | 823 base::TimeTicks::Now() + |
| 817 base::TimeDelta::FromMinutes(kTimeToRememberHPKPReportsMins)); | 824 base::TimeDelta::FromMinutes(kTimeToRememberHPKPReportsMins)); |
| 818 | 825 |
| 819 report_sender_->Send(pkp_state.report_uri, serialized_report); | 826 report_sender_->Send(pkp_state.report_uri, serialized_report); |
| 820 return false; | 827 return false; |
| 821 } | 828 } |
| 822 | 829 |
| 830 bool TransportSecurityState::GetStaticExpectCTState( | |
| 831 const std::string& host, | |
| 832 ExpectCTState* expect_ct_state) const { | |
| 833 DCHECK(CalledOnValidThread()); | |
| 834 | |
| 835 if (!IsBuildTimely()) | |
| 836 return false; | |
| 837 | |
| 838 PreloadResult result; | |
| 839 if (!DecodeHSTSPreload(host, &result)) | |
| 840 return false; | |
| 841 | |
| 842 if (!enable_static_expect_ct_ || !result.expect_ct) | |
| 843 return false; | |
| 844 | |
| 845 expect_ct_state->domain = host.substr(result.hostname_offset); | |
| 846 expect_ct_state->report_uri = | |
| 847 GURL(kExpectCTReportURIs[result.expect_ct_report_uri_id]); | |
| 848 return true; | |
| 849 } | |
| 850 | |
| 823 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) { | 851 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) { |
| 824 DCHECK(CalledOnValidThread()); | 852 DCHECK(CalledOnValidThread()); |
| 825 | 853 |
| 826 const std::string canonicalized_host = CanonicalizeHost(host); | 854 const std::string canonicalized_host = CanonicalizeHost(host); |
| 827 if (canonicalized_host.empty()) | 855 if (canonicalized_host.empty()) |
| 828 return false; | 856 return false; |
| 829 | 857 |
| 830 const std::string hashed_host = HashHost(canonicalized_host); | 858 const std::string hashed_host = HashHost(canonicalized_host); |
| 831 bool deleted = false; | 859 bool deleted = false; |
| 832 STSStateMap::iterator sts_interator = enabled_sts_hosts_.find(hashed_host); | 860 STSStateMap::iterator sts_interator = enabled_sts_hosts_.find(hashed_host); |
| (...skipping 153 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 986 if (!ssl_info.is_issued_by_known_root) | 1014 if (!ssl_info.is_issued_by_known_root) |
| 987 return true; | 1015 return true; |
| 988 | 1016 |
| 989 CheckPinsAndMaybeSendReport( | 1017 CheckPinsAndMaybeSendReport( |
| 990 host_port_pair, pkp_state, ssl_info.public_key_hashes, | 1018 host_port_pair, pkp_state, ssl_info.public_key_hashes, |
| 991 ssl_info.unverified_cert.get(), ssl_info.cert.get(), ENABLE_PIN_REPORTS, | 1019 ssl_info.unverified_cert.get(), ssl_info.cert.get(), ENABLE_PIN_REPORTS, |
| 992 &unused_failure_log); | 1020 &unused_failure_log); |
| 993 return true; | 1021 return true; |
| 994 } | 1022 } |
| 995 | 1023 |
| 1024 void TransportSecurityState::ProcessExpectCTHeader( | |
| 1025 const std::string& value, | |
| 1026 const HostPortPair& host_port_pair, | |
| 1027 const SSLInfo& ssl_info) { | |
| 1028 DCHECK(CalledOnValidThread()); | |
| 1029 | |
| 1030 ExpectCTState state; | |
| 1031 if (!expect_ct_reporter_ || value != "preload" || !IsBuildTimely() || | |
|
Eran Messeri
2016/03/04 11:05:37
Nit: very long condition, I suggest breaking it do
estark
2016/03/08 02:36:06
Done.
| |
| 1032 !ssl_info.is_issued_by_known_root || | |
| 1033 !ssl_info.ct_compliance_details_available || | |
| 1034 ssl_info.ct_cert_policy_compliance == | |
| 1035 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS || | |
| 1036 !GetStaticExpectCTState(host_port_pair.host(), &state)) { | |
| 1037 return; | |
| 1038 } | |
| 1039 | |
| 1040 expect_ct_reporter_->OnExpectCTFailed(host_port_pair, state.report_uri, | |
| 1041 ssl_info); | |
| 1042 } | |
| 1043 | |
| 996 // static | 1044 // static |
| 997 void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) { | 1045 void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) { |
| 998 PreloadResult result; | 1046 PreloadResult result; |
| 999 if (!DecodeHSTSPreload(host, &result) || | 1047 if (!DecodeHSTSPreload(host, &result) || |
| 1000 !result.has_pins) { | 1048 !result.has_pins) { |
| 1001 return; | 1049 return; |
| 1002 } | 1050 } |
| 1003 | 1051 |
| 1004 DCHECK(result.domain_id != DOMAIN_NOT_PINNED); | 1052 DCHECK(result.domain_id != DOMAIN_NOT_PINNED); |
| 1005 | 1053 |
| (...skipping 97 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1103 | 1151 |
| 1104 if (!result.has_pins) | 1152 if (!result.has_pins) |
| 1105 return false; | 1153 return false; |
| 1106 | 1154 |
| 1107 if (result.pinset_id >= arraysize(kPinsets)) | 1155 if (result.pinset_id >= arraysize(kPinsets)) |
| 1108 return false; | 1156 return false; |
| 1109 | 1157 |
| 1110 return kPinsets[result.pinset_id].accepted_pins == kGoogleAcceptableCerts; | 1158 return kPinsets[result.pinset_id].accepted_pins == kGoogleAcceptableCerts; |
| 1111 } | 1159 } |
| 1112 | 1160 |
| 1113 bool TransportSecurityState::GetStaticExpectCTState( | |
| 1114 const std::string& host, | |
| 1115 ExpectCTState* expect_ct_state) const { | |
| 1116 DCHECK(CalledOnValidThread()); | |
| 1117 | |
| 1118 if (!IsBuildTimely()) | |
| 1119 return false; | |
| 1120 | |
| 1121 PreloadResult result; | |
| 1122 if (!DecodeHSTSPreload(host, &result)) | |
| 1123 return false; | |
| 1124 | |
| 1125 if (!enable_static_expect_ct_ || !result.expect_ct) | |
| 1126 return false; | |
| 1127 | |
| 1128 expect_ct_state->domain = host.substr(result.hostname_offset); | |
| 1129 expect_ct_state->report_uri = | |
| 1130 GURL(kExpectCTReportURIs[result.expect_ct_report_uri_id]); | |
| 1131 return true; | |
| 1132 } | |
| 1133 | |
| 1134 bool TransportSecurityState::GetDynamicSTSState(const std::string& host, | 1161 bool TransportSecurityState::GetDynamicSTSState(const std::string& host, |
| 1135 STSState* result) { | 1162 STSState* result) { |
| 1136 DCHECK(CalledOnValidThread()); | 1163 DCHECK(CalledOnValidThread()); |
| 1137 | 1164 |
| 1138 const std::string canonicalized_host = CanonicalizeHost(host); | 1165 const std::string canonicalized_host = CanonicalizeHost(host); |
| 1139 if (canonicalized_host.empty()) | 1166 if (canonicalized_host.empty()) |
| 1140 return false; | 1167 return false; |
| 1141 | 1168 |
| 1142 base::Time current_time(base::Time::Now()); | 1169 base::Time current_time(base::Time::Now()); |
| 1143 | 1170 |
| (...skipping 165 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1309 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1336 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
| 1310 const TransportSecurityState& state) | 1337 const TransportSecurityState& state) |
| 1311 : iterator_(state.enabled_pkp_hosts_.begin()), | 1338 : iterator_(state.enabled_pkp_hosts_.begin()), |
| 1312 end_(state.enabled_pkp_hosts_.end()) { | 1339 end_(state.enabled_pkp_hosts_.end()) { |
| 1313 } | 1340 } |
| 1314 | 1341 |
| 1315 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1342 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
| 1316 } | 1343 } |
| 1317 | 1344 |
| 1318 } // namespace | 1345 } // namespace |
| OLD | NEW |
