OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <memory> | 8 #include <memory> |
9 #include <utility> | 9 #include <utility> |
10 | 10 |
(...skipping 357 matching lines...)
368 uint32_t domain_id; | 368 uint32_t domain_id; |
369 // hostname_offset contains the number of bytes from the start of the given | 369 // hostname_offset contains the number of bytes from the start of the given |
370 // hostname where the name of the matching entry starts. | 370 // hostname where the name of the matching entry starts. |
371 size_t hostname_offset; | 371 size_t hostname_offset; |
372 bool sts_include_subdomains; | 372 bool sts_include_subdomains; |
373 bool pkp_include_subdomains; | 373 bool pkp_include_subdomains; |
374 bool force_https; | 374 bool force_https; |
375 bool has_pins; | 375 bool has_pins; |
376 bool expect_ct; | 376 bool expect_ct; |
377 uint32_t expect_ct_report_uri_id; | 377 uint32_t expect_ct_report_uri_id; |
| 378 bool expect_staple; |
| 379 bool expect_staple_include_subdomains; |
| 380 uint32_t expect_staple_report_uri_id; |
378 }; | 381 }; |
379 | 382 |
380 // DecodeHSTSPreloadRaw resolves |hostname| in the preloaded data. It returns | 383 // DecodeHSTSPreloadRaw resolves |hostname| in the preloaded data. It returns |
381 // false on internal error and true otherwise. After a successful return, | 384 // false on internal error and true otherwise. After a successful return, |
382 // |*out_found| is true iff a relevant entry has been found. If so, |*out| | 385 // |*out_found| is true iff a relevant entry has been found. If so, |*out| |
383 // contains the details. | 386 // contains the details. |
384 // | 387 // |
385 // Don't call this function, call DecodeHSTSPreload, below. | 388 // Don't call this function, call DecodeHSTSPreload, below. |
386 // | 389 // |
387 // Although this code should be robust, it never processes attacker-controlled | 390 // Although this code should be robust, it never processes attacker-controlled |
(...skipping 115 matching lines...)
503 } | 506 } |
504 | 507 |
505 if (!reader.Next(&tmp.expect_ct)) | 508 if (!reader.Next(&tmp.expect_ct)) |
506 return false; | 509 return false; |
507 | 510 |
508 if (tmp.expect_ct) { | 511 if (tmp.expect_ct) { |
509 if (!reader.Read(4, &tmp.expect_ct_report_uri_id)) | 512 if (!reader.Read(4, &tmp.expect_ct_report_uri_id)) |
510 return false; | 513 return false; |
511 } | 514 } |
512 | 515 |
| 516 if (!reader.Next(&tmp.expect_staple)) |
| 517 return false; |
| 518 tmp.expect_staple_include_subdomains = false; |
| 519 if (tmp.expect_staple) { |
| 520 if (!reader.Next(&tmp.expect_staple_include_subdomains)) |
| 521 return false; |
| 522 if (!reader.Read(4, &tmp.expect_staple_report_uri_id)) |
| 523 return false; |
| 524 } |
| 525 |
513 tmp.hostname_offset = hostname_offset; | 526 tmp.hostname_offset = hostname_offset; |
514 | 527 |
515 if (hostname_offset == 0 || hostname[hostname_offset - 1] == '.') { | 528 if (hostname_offset == 0 || hostname[hostname_offset - 1] == '.') { |
516 *out_found = tmp.sts_include_subdomains || tmp.pkp_include_subdomains; | 529 *out_found = tmp.sts_include_subdomains || |
| 530 tmp.pkp_include_subdomains || |
| 531 tmp.expect_staple_include_subdomains; |
517 *out = tmp; | 532 *out = tmp; |
518 | 533 |
519 if (hostname_offset > 0) { | 534 if (hostname_offset > 0) { |
520 out->force_https &= tmp.sts_include_subdomains; | 535 out->force_https &= tmp.sts_include_subdomains; |
521 } else { | 536 } else { |
522 *out_found = true; | 537 *out_found = true; |
523 return true; | 538 return true; |
524 } | 539 } |
525 } | 540 } |
526 | 541 |
(...skipping 322 matching lines...)
849 | 864 |
850 if (!enable_static_expect_ct_ || !result.expect_ct) | 865 if (!enable_static_expect_ct_ || !result.expect_ct) |
851 return false; | 866 return false; |
852 | 867 |
853 expect_ct_state->domain = host.substr(result.hostname_offset); | 868 expect_ct_state->domain = host.substr(result.hostname_offset); |
854 expect_ct_state->report_uri = | 869 expect_ct_state->report_uri = |
855 GURL(kExpectCTReportURIs[result.expect_ct_report_uri_id]); | 870 GURL(kExpectCTReportURIs[result.expect_ct_report_uri_id]); |
856 return true; | 871 return true; |
857 } | 872 } |
858 | 873 |
| 874 bool TransportSecurityState::GetStaticExpectStapleState( |
| 875 const std::string& host, |
| 876 ExpectStapleState* expect_staple_state) const { |
| 877 DCHECK(CalledOnValidThread()); |
| 878 |
| 879 if (!IsBuildTimely()) |
| 880 return false; |
| 881 |
| 882 PreloadResult result; |
| 883 if (!DecodeHSTSPreload(host, &result)) |
| 884 return false; |
| 885 |
| 886 if (!enable_static_expect_staple_ || !result.expect_staple) |
| 887 return false; |
| 888 |
| 889 expect_staple_state->domain = host.substr(result.hostname_offset); |
| 890 expect_staple_state->include_subdomains = |
| 891 result.expect_staple_include_subdomains; |
| 892 expect_staple_state->report_uri = |
| 893 GURL(kExpectStapleReportURIs[result.expect_staple_report_uri_id]); |
| 894 return true; |
| 895 } |
| 896 |
859 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) { | 897 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) { |
860 DCHECK(CalledOnValidThread()); | 898 DCHECK(CalledOnValidThread()); |
861 | 899 |
862 const std::string canonicalized_host = CanonicalizeHost(host); | 900 const std::string canonicalized_host = CanonicalizeHost(host); |
863 if (canonicalized_host.empty()) | 901 if (canonicalized_host.empty()) |
864 return false; | 902 return false; |
865 | 903 |
866 const std::string hashed_host = HashHost(canonicalized_host); | 904 const std::string hashed_host = HashHost(canonicalized_host); |
867 bool deleted = false; | 905 bool deleted = false; |
868 STSStateMap::iterator sts_interator = enabled_sts_hosts_.find(hashed_host); | 906 STSStateMap::iterator sts_interator = enabled_sts_hosts_.find(hashed_host); |
(...skipping 434 matching lines...)
1303 | 1341 |
1304 TransportSecurityState::PKPState::PKPState(const PKPState& other) = default; | 1342 TransportSecurityState::PKPState::PKPState(const PKPState& other) = default; |
1305 | 1343 |
1306 TransportSecurityState::PKPState::~PKPState() { | 1344 TransportSecurityState::PKPState::~PKPState() { |
1307 } | 1345 } |
1308 | 1346 |
1309 TransportSecurityState::ExpectCTState::ExpectCTState() {} | 1347 TransportSecurityState::ExpectCTState::ExpectCTState() {} |
1310 | 1348 |
1311 TransportSecurityState::ExpectCTState::~ExpectCTState() {} | 1349 TransportSecurityState::ExpectCTState::~ExpectCTState() {} |
1312 | 1350 |
| 1351 TransportSecurityState::ExpectStapleState::ExpectStapleState() |
| 1352 : include_subdomains(false) {} |
| 1353 |
| 1354 TransportSecurityState::ExpectStapleState::~ExpectStapleState() {} |
| 1355 |
1313 bool TransportSecurityState::PKPState::CheckPublicKeyPins( | 1356 bool TransportSecurityState::PKPState::CheckPublicKeyPins( |
1314 const HashValueVector& hashes, | 1357 const HashValueVector& hashes, |
1315 std::string* failure_log) const { | 1358 std::string* failure_log) const { |
1316 // Validate that hashes is not empty. By the time this code is called (in | 1359 // Validate that hashes is not empty. By the time this code is called (in |
1317 // production), that should never happen, but it's good to be defensive. | 1360 // production), that should never happen, but it's good to be defensive. |
1318 // And, hashes *can* be empty in some test scenarios. | 1361 // And, hashes *can* be empty in some test scenarios. |
1319 if (hashes.empty()) { | 1362 if (hashes.empty()) { |
1320 failure_log->append( | 1363 failure_log->append( |
1321 "Rejecting empty public key chain for public-key-pinned domains: " + | 1364 "Rejecting empty public key chain for public-key-pinned domains: " + |
1322 domain); | 1365 domain); |
(...skipping 33 matching lines...)
1356 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1399 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
1357 const TransportSecurityState& state) | 1400 const TransportSecurityState& state) |
1358 : iterator_(state.enabled_pkp_hosts_.begin()), | 1401 : iterator_(state.enabled_pkp_hosts_.begin()), |
1359 end_(state.enabled_pkp_hosts_.end()) { | 1402 end_(state.enabled_pkp_hosts_.end()) { |
1360 } | 1403 } |
1361 | 1404 |
1362 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1405 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
1363 } | 1406 } |
1364 | 1407 |
1365 } // namespace | 1408 } // namespace |
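Review bot: In the DecodeHSTSPreloadRaw hunk, the subdomain branch (`hostname_offset > 0`) masks only `force_https`, so a parent entry with `expect_staple` set but `expect_staple_include_subdomains` clear still leaves `out->expect_staple == true` whenever `sts_include_subdomains` or `pkp_include_subdomains` made `*out_found` true. As far as the visible lines show, `GetStaticExpectStapleState` then tests only `result.expect_staple` and returns true for a subdomain the entry did not opt in. Consider adding `out->expect_staple &= tmp.expect_staple_include_subdomains;` next to the `force_https` mask, or having the getter return false unless `result.hostname_offset == 0 || result.expect_staple_include_subdomains`. Separately, `kExpectStapleReportURIs[result.expect_staple_report_uri_id]` is indexed with a 4-bit value from the preload data with no visible bounds check; a size comparison that returns false before the lookup would make a generator/table mismatch fail safely. DecodeHSTSPreloadRaw's body is only partly displayed, so the first point should be confirmed against the skipped lines.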
OLD | NEW |