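--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <memory>
 #include <utility>
 
@@ -368,20 +368,23 @@
 uint32_t domain_id;
 // hostname_offset contains the number of bytes from the start of the given
 // hostname where the name of the matching entry starts.
 size_t hostname_offset;
 bool sts_include_subdomains;
 bool pkp_include_subdomains;
 bool force_https;
 bool has_pins;
 bool expect_ct;
 uint32_t expect_ct_report_uri_id;
+bool expect_staple;
+bool expect_staple_include_subdomains;
+uint32_t expect_staple_report_uri_id;
 };
 
 // DecodeHSTSPreloadRaw resolves |hostname| in the preloaded data. It returns
 // false on internal error and true otherwise. After a successful return,
 // |*out_found| is true iff a relevant entry has been found. If so, |*out|
 // contains the details.
 //
 // Don't call this function, call DecodeHSTSPreload, below.
 //
 // Although this code should be robust, it never processes attacker-controlled
@@ -503,24 +506,36 @@
 }
 
 if (!reader.Next(&tmp.expect_ct))
 return false;
 
 if (tmp.expect_ct) {
 if (!reader.Read(4, &tmp.expect_ct_report_uri_id))
 return false;
 }
 
+if (!reader.Next(&tmp.expect_staple))
+return false;
+tmp.expect_staple_include_subdomains = false;
+if (tmp.expect_staple) {
+if (!reader.Next(&tmp.expect_staple_include_subdomains))
+return false;
+if (!reader.Read(4, &tmp.expect_staple_report_uri_id))
+return false;
+}
+
 tmp.hostname_offset = hostname_offset;
 
 if (hostname_offset == 0 || hostname[hostname_offset - 1] == '.') {
-*out_found = tmp.sts_include_subdomains || tmp.pkp_include_subdomains;
+*out_found = tmp.sts_include_subdomains ||
+tmp.pkp_include_subdomains ||
+tmp.expect_staple_include_subdomains;
 *out = tmp;
 
 if (hostname_offset > 0) {
 out->force_https &= tmp.sts_include_subdomains;
 } else {
 *out_found = true;
 return true;
 }
 }
 
@@ -849,20 +864,43 @@
 
 if (!enable_static_expect_ct_ || !result.expect_ct)
 return false;
 
 expect_ct_state->domain = host.substr(result.hostname_offset);
 expect_ct_state->report_uri =
 GURL(kExpectCTReportURIs[result.expect_ct_report_uri_id]);
 return true;
 }
 
+bool TransportSecurityState::GetStaticExpectStapleState(
+const std::string& host,
+ExpectStapleState* expect_staple_state) const {
+DCHECK(CalledOnValidThread());
+
+if (!IsBuildTimely())
+return false;
+
+PreloadResult result;
+if (!DecodeHSTSPreload(host, &result))
+return false;
+
+if (!enable_static_expect_staple_ || !result.expect_staple)
+return false;
+
+expect_staple_state->domain = host.substr(result.hostname_offset);
+expect_staple_state->include_subdomains =
+result.expect_staple_include_subdomains;
+expect_staple_state->report_uri =
+GURL(kExpectStapleReportURIs[result.expect_staple_report_uri_id]);
+return true;
+}
+
 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) {
 DCHECK(CalledOnValidThread());
 
 const std::string canonicalized_host = CanonicalizeHost(host);
 if (canonicalized_host.empty())
 return false;
 
 const std::string hashed_host = HashHost(canonicalized_host);
 bool deleted = false;
 STSStateMap::iterator sts_interator = enabled_sts_hosts_.find(hashed_host);
@@ -1303,20 +1341,25 @@
 
 TransportSecurityState::PKPState::PKPState(const PKPState& other) = default;
 
 TransportSecurityState::PKPState::~PKPState() {
 }
 
 TransportSecurityState::ExpectCTState::ExpectCTState() {}
 
 TransportSecurityState::ExpectCTState::~ExpectCTState() {}
 
+TransportSecurityState::ExpectStapleState::ExpectStapleState()
+: include_subdomains(false) {}
+
+TransportSecurityState::ExpectStapleState::~ExpectStapleState() {}
+
 bool TransportSecurityState::PKPState::CheckPublicKeyPins(
 const HashValueVector& hashes,
 std::string* failure_log) const {
 // Validate that hashes is not empty. By the time this code is called (in
 // production), that should never happen, but it's good to be defensive.
 // And, hashes *can* be empty in some test scenarios.
 if (hashes.empty()) {
 failure_log->append(
 "Rejecting empty public key chain for public-key-pinned domains: " +
 domain);
@@ -1356,10 +1399,10 @@
 TransportSecurityState::PKPStateIterator::PKPStateIterator(
 const TransportSecurityState& state)
 : iterator_(state.enabled_pkp_hosts_.begin()),
 end_(state.enabled_pkp_hosts_.end()) {
 }
 
 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {
 }
 
 } // namespace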
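Review bot: In the subdomain branch of DecodeHSTSPreloadRaw (new lines 528-540), a match reached through a parent entry's `sts_include_subdomains` or `pkp_include_subdomains` copies that entry's `expect_staple` into `*out` unmasked, so a subdomain of a host whose `expect_staple_include_subdomains` is false still carries `expect_staple == true`, and GetStaticExpectStapleState (new lines 874-895) then returns a state for it with `include_subdomains` false. Only `force_https` is narrowed on that path (`out->force_https &= tmp.sts_include_subdomains;`); the new flag should get the same treatment, e.g. `out->expect_staple &= tmp.expect_staple_include_subdomains;` beside that line, unless the rest of the function (it starts and ends outside this hunk) or its callers already account for it. The pre-existing `expect_ct` copy has the same shape, but that predates this change. A short comment on `tmp.expect_staple_include_subdomains = false;` explaining that it is reset explicitly because the `*out_found` expression reads it even when `expect_staple` is false would also help the next reader.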