OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <utility> | 8 #include <utility> |
9 | 9 |
10 #include "base/base64.h" | 10 #include "base/base64.h" |
11 #include "base/build_time.h" | 11 #include "base/build_time.h" |
12 #include "base/json/json_writer.h" | 12 #include "base/json/json_writer.h" |
13 #include "base/logging.h" | 13 #include "base/logging.h" |
14 #include "base/memory/scoped_ptr.h" | 14 #include "base/memory/scoped_ptr.h" |
15 #include "base/metrics/histogram_macros.h" | 15 #include "base/metrics/histogram_macros.h" |
16 #include "base/metrics/sparse_histogram.h" | 16 #include "base/metrics/sparse_histogram.h" |
17 #include "base/sha1.h" | 17 #include "base/sha1.h" |
18 #include "base/strings/string_number_conversions.h" | 18 #include "base/strings/string_number_conversions.h" |
19 #include "base/strings/string_util.h" | 19 #include "base/strings/string_util.h" |
20 #include "base/strings/stringprintf.h" | 20 #include "base/strings/stringprintf.h" |
21 #include "base/strings/utf_string_conversions.h" | 21 #include "base/strings/utf_string_conversions.h" |
22 #include "base/values.h" | 22 #include "base/values.h" |
23 #include "crypto/sha2.h" | 23 #include "crypto/sha2.h" |
24 #include "net/base/host_port_pair.h" | 24 #include "net/base/host_port_pair.h" |
| 25 #include "net/cert/ct_policy_status.h" |
25 #include "net/cert/x509_cert_types.h" | 26 #include "net/cert/x509_cert_types.h" |
26 #include "net/cert/x509_certificate.h" | 27 #include "net/cert/x509_certificate.h" |
27 #include "net/dns/dns_util.h" | 28 #include "net/dns/dns_util.h" |
28 #include "net/http/http_security_headers.h" | 29 #include "net/http/http_security_headers.h" |
29 #include "net/ssl/ssl_info.h" | 30 #include "net/ssl/ssl_info.h" |
30 #include "url/gurl.h" | 31 #include "url/gurl.h" |
31 | 32 |
32 namespace net { | 33 namespace net { |
33 | 34 |
34 namespace { | 35 namespace { |
(...skipping 647 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
682 DCHECK(CalledOnValidThread()); | 683 DCHECK(CalledOnValidThread()); |
683 delegate_ = delegate; | 684 delegate_ = delegate; |
684 } | 685 } |
685 | 686 |
686 void TransportSecurityState::SetReportSender( | 687 void TransportSecurityState::SetReportSender( |
687 TransportSecurityState::ReportSender* report_sender) { | 688 TransportSecurityState::ReportSender* report_sender) { |
688 DCHECK(CalledOnValidThread()); | 689 DCHECK(CalledOnValidThread()); |
689 report_sender_ = report_sender; | 690 report_sender_ = report_sender; |
690 } | 691 } |
691 | 692 |
| 693 void TransportSecurityState::SetExpectCTReporter( |
| 694 ExpectCTReporter* expect_ct_reporter) { |
| 695 DCHECK(CalledOnValidThread()); |
| 696 expect_ct_reporter_ = expect_ct_reporter; |
| 697 } |
| 698 |
692 void TransportSecurityState::AddHSTSInternal( | 699 void TransportSecurityState::AddHSTSInternal( |
693 const std::string& host, | 700 const std::string& host, |
694 TransportSecurityState::STSState::UpgradeMode upgrade_mode, | 701 TransportSecurityState::STSState::UpgradeMode upgrade_mode, |
695 const base::Time& expiry, | 702 const base::Time& expiry, |
696 bool include_subdomains) { | 703 bool include_subdomains) { |
697 DCHECK(CalledOnValidThread()); | 704 DCHECK(CalledOnValidThread()); |
698 | 705 |
699 STSState sts_state; | 706 STSState sts_state; |
700 sts_state.last_observed = base::Time::Now(); | 707 sts_state.last_observed = base::Time::Now(); |
701 sts_state.include_subdomains = include_subdomains; | 708 sts_state.include_subdomains = include_subdomains; |
(...skipping 111 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
813 return false; | 820 return false; |
814 sent_reports_cache_.Put( | 821 sent_reports_cache_.Put( |
815 report_cache_key, true, base::TimeTicks::Now(), | 822 report_cache_key, true, base::TimeTicks::Now(), |
816 base::TimeTicks::Now() + | 823 base::TimeTicks::Now() + |
817 base::TimeDelta::FromMinutes(kTimeToRememberHPKPReportsMins)); | 824 base::TimeDelta::FromMinutes(kTimeToRememberHPKPReportsMins)); |
818 | 825 |
819 report_sender_->Send(pkp_state.report_uri, serialized_report); | 826 report_sender_->Send(pkp_state.report_uri, serialized_report); |
820 return false; | 827 return false; |
821 } | 828 } |
822 | 829 |
| 830 bool TransportSecurityState::GetStaticExpectCTState( |
| 831 const std::string& host, |
| 832 ExpectCTState* expect_ct_state) const { |
| 833 DCHECK(CalledOnValidThread()); |
| 834 |
| 835 if (!IsBuildTimely()) |
| 836 return false; |
| 837 |
| 838 PreloadResult result; |
| 839 if (!DecodeHSTSPreload(host, &result)) |
| 840 return false; |
| 841 |
| 842 if (!enable_static_expect_ct_ || !result.expect_ct) |
| 843 return false; |
| 844 |
| 845 expect_ct_state->domain = host.substr(result.hostname_offset); |
| 846 expect_ct_state->report_uri = |
| 847 GURL(kExpectCTReportURIs[result.expect_ct_report_uri_id]); |
| 848 return true; |
| 849 } |
| 850 |
823 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) { | 851 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) { |
824 DCHECK(CalledOnValidThread()); | 852 DCHECK(CalledOnValidThread()); |
825 | 853 |
826 const std::string canonicalized_host = CanonicalizeHost(host); | 854 const std::string canonicalized_host = CanonicalizeHost(host); |
827 if (canonicalized_host.empty()) | 855 if (canonicalized_host.empty()) |
828 return false; | 856 return false; |
829 | 857 |
830 const std::string hashed_host = HashHost(canonicalized_host); | 858 const std::string hashed_host = HashHost(canonicalized_host); |
831 bool deleted = false; | 859 bool deleted = false; |
832 STSStateMap::iterator sts_interator = enabled_sts_hosts_.find(hashed_host); | 860 STSStateMap::iterator sts_interator = enabled_sts_hosts_.find(hashed_host); |
(...skipping 153 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
986 if (!ssl_info.is_issued_by_known_root) | 1014 if (!ssl_info.is_issued_by_known_root) |
987 return true; | 1015 return true; |
988 | 1016 |
989 CheckPinsAndMaybeSendReport( | 1017 CheckPinsAndMaybeSendReport( |
990 host_port_pair, pkp_state, ssl_info.public_key_hashes, | 1018 host_port_pair, pkp_state, ssl_info.public_key_hashes, |
991 ssl_info.unverified_cert.get(), ssl_info.cert.get(), ENABLE_PIN_REPORTS, | 1019 ssl_info.unverified_cert.get(), ssl_info.cert.get(), ENABLE_PIN_REPORTS, |
992 &unused_failure_log); | 1020 &unused_failure_log); |
993 return true; | 1021 return true; |
994 } | 1022 } |
995 | 1023 |
| 1024 void TransportSecurityState::ProcessExpectCTHeader( |
| 1025 const std::string& value, |
| 1026 const HostPortPair& host_port_pair, |
| 1027 const SSLInfo& ssl_info) { |
| 1028 DCHECK(CalledOnValidThread()); |
| 1029 |
| 1030 if (!expect_ct_reporter_) |
| 1031 return; |
| 1032 |
| 1033 if (value != "preload") |
| 1034 return; |
| 1035 |
| 1036 if (!IsBuildTimely()) |
| 1037 return; |
| 1038 |
| 1039 if (!ssl_info.is_issued_by_known_root || |
| 1040 !ssl_info.ct_compliance_details_available || |
| 1041 ssl_info.ct_cert_policy_compliance == |
| 1042 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS) { |
| 1043 return; |
| 1044 } |
| 1045 |
| 1046 ExpectCTState state; |
| 1047 if (!GetStaticExpectCTState(host_port_pair.host(), &state)) |
| 1048 return; |
| 1049 |
| 1050 expect_ct_reporter_->OnExpectCTFailed(host_port_pair, state.report_uri, |
| 1051 ssl_info); |
| 1052 } |
| 1053 |
996 // static | 1054 // static |
997 void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) { | 1055 void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) { |
998 PreloadResult result; | 1056 PreloadResult result; |
999 if (!DecodeHSTSPreload(host, &result) || | 1057 if (!DecodeHSTSPreload(host, &result) || |
1000 !result.has_pins) { | 1058 !result.has_pins) { |
1001 return; | 1059 return; |
1002 } | 1060 } |
1003 | 1061 |
1004 DCHECK(result.domain_id != DOMAIN_NOT_PINNED); | 1062 DCHECK(result.domain_id != DOMAIN_NOT_PINNED); |
1005 | 1063 |
(...skipping 97 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1103 | 1161 |
1104 if (!result.has_pins) | 1162 if (!result.has_pins) |
1105 return false; | 1163 return false; |
1106 | 1164 |
1107 if (result.pinset_id >= arraysize(kPinsets)) | 1165 if (result.pinset_id >= arraysize(kPinsets)) |
1108 return false; | 1166 return false; |
1109 | 1167 |
1110 return kPinsets[result.pinset_id].accepted_pins == kGoogleAcceptableCerts; | 1168 return kPinsets[result.pinset_id].accepted_pins == kGoogleAcceptableCerts; |
1111 } | 1169 } |
1112 | 1170 |
1113 bool TransportSecurityState::GetStaticExpectCTState( | |
1114 const std::string& host, | |
1115 ExpectCTState* expect_ct_state) const { | |
1116 DCHECK(CalledOnValidThread()); | |
1117 | |
1118 if (!IsBuildTimely()) | |
1119 return false; | |
1120 | |
1121 PreloadResult result; | |
1122 if (!DecodeHSTSPreload(host, &result)) | |
1123 return false; | |
1124 | |
1125 if (!enable_static_expect_ct_ || !result.expect_ct) | |
1126 return false; | |
1127 | |
1128 expect_ct_state->domain = host.substr(result.hostname_offset); | |
1129 expect_ct_state->report_uri = | |
1130 GURL(kExpectCTReportURIs[result.expect_ct_report_uri_id]); | |
1131 return true; | |
1132 } | |
1133 | |
1134 bool TransportSecurityState::GetDynamicSTSState(const std::string& host, | 1171 bool TransportSecurityState::GetDynamicSTSState(const std::string& host, |
1135 STSState* result) { | 1172 STSState* result) { |
1136 DCHECK(CalledOnValidThread()); | 1173 DCHECK(CalledOnValidThread()); |
1137 | 1174 |
1138 const std::string canonicalized_host = CanonicalizeHost(host); | 1175 const std::string canonicalized_host = CanonicalizeHost(host); |
1139 if (canonicalized_host.empty()) | 1176 if (canonicalized_host.empty()) |
1140 return false; | 1177 return false; |
1141 | 1178 |
1142 base::Time current_time(base::Time::Now()); | 1179 base::Time current_time(base::Time::Now()); |
1143 | 1180 |
(...skipping 165 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1309 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1346 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
1310 const TransportSecurityState& state) | 1347 const TransportSecurityState& state) |
1311 : iterator_(state.enabled_pkp_hosts_.begin()), | 1348 : iterator_(state.enabled_pkp_hosts_.begin()), |
1312 end_(state.enabled_pkp_hosts_.end()) { | 1349 end_(state.enabled_pkp_hosts_.end()) { |
1313 } | 1350 } |
1314 | 1351 |
1315 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1352 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
1316 } | 1353 } |
1317 | 1354 |
1318 } // namespace | 1355 } // namespace |
OLD | NEW |