OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
7 | 7 |
8 #include <stdint.h> | 8 #include <stdint.h> |
9 | 9 |
10 #include <map> | 10 #include <map> |
(...skipping 366 matching lines...) | |
377 // 1. The header value is "preload", indicating that the site wants to | 377 // 1. The header value is "preload", indicating that the site wants to |
378 // be opted in to Expect CT. | 378 // be opted in to Expect CT. |
379 // 2. The given host is present on the Expect CT preload list with a | 379 // 2. The given host is present on the Expect CT preload list with a |
380 // valid report-uri, and the build is timely (i.e. preload list is fresh). | 380 // valid report-uri, and the build is timely (i.e. preload list is fresh). |
381 // 3. |ssl_info| indicates that the connection violated the Expect CT policy. | 381 // 3. |ssl_info| indicates that the connection violated the Expect CT policy. |
382 // 4. An Expect CT reporter has been provided with SetExpectCTReporter(). | 382 // 4. An Expect CT reporter has been provided with SetExpectCTReporter(). |
383 void ProcessExpectCTHeader(const std::string& value, | 383 void ProcessExpectCTHeader(const std::string& value, |
384 const HostPortPair& host_port_pair, | 384 const HostPortPair& host_port_pair, |
385 const SSLInfo& ssl_info); | 385 const SSLInfo& ssl_info); |
386 | 386 |
387 void CheckExpectStaple(const HostPortPair& host_port_pair, | |
estark
2016/06/09 21:24:14
prob needs some documentation
Also (having not re
dadrian
2016/06/10 01:05:52
It could probably just take the report URI.
| |
388 const ExpectStapleState& expect_state_state, | |
389 const X509Certificate& certificate, | |
390 const std::string& ocsp_response); | |
391 | |
392 // Returns true and updates |*expect_staple_result| iff there is a static | |
393 // (built-in) state for |host| with expect_staple=true, or if |host| is a | |
394 // subdomain of another domain with expect_staple=true and | |
395 // include_subdomains_for_expect_staple=true. | |
396 bool GetStaticExpectStapleState( | |
estark
2016/06/09 21:24:15
Why's this public when its compatriots (GetStaticE
dadrian
2016/06/10 01:05:53
Because we only parse OCSP responses if the host i
svaldez
2016/06/13 14:03:04
Would it make more sense to have CheckExpectStaple
dadrian
2016/06/13 23:03:32
Done.
| |
397 const std::string& host, | |
398 ExpectStapleState* expect_staple_result) const; | |
399 | |
387 private: | 400 private: |
388 friend class TransportSecurityStateTest; | 401 friend class TransportSecurityStateTest; |
389 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); | 402 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); |
390 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); | 403 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); |
391 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); | 404 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); |
392 FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader); | 405 FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader); |
393 | 406 |
394 typedef std::map<std::string, STSState> STSStateMap; | 407 typedef std::map<std::string, STSState> STSStateMap; |
395 typedef std::map<std::string, PKPState> PKPStateMap; | 408 typedef std::map<std::string, PKPState> PKPStateMap; |
396 | 409 |
(...skipping 60 matching lines...) | |
457 const X509Certificate* served_certificate_chain, | 470 const X509Certificate* served_certificate_chain, |
458 const X509Certificate* validated_certificate_chain, | 471 const X509Certificate* validated_certificate_chain, |
459 const TransportSecurityState::PublicKeyPinReportStatus report_status, | 472 const TransportSecurityState::PublicKeyPinReportStatus report_status, |
460 std::string* failure_log); | 473 std::string* failure_log); |
461 | 474 |
462 // Returns true and updates |*expect_ct_result| iff there is a static | 475 // Returns true and updates |*expect_ct_result| iff there is a static |
463 // (built-in) state for |host| with expect_ct=true. | 476 // (built-in) state for |host| with expect_ct=true. |
464 bool GetStaticExpectCTState(const std::string& host, | 477 bool GetStaticExpectCTState(const std::string& host, |
465 ExpectCTState* expect_ct_result) const; | 478 ExpectCTState* expect_ct_result) const; |
466 | 479 |
467 // Returns true and updates |*expect_staple_result| iff there is a static | |
468 // (built-in) state for |host| with expect_staple=true, or if |host| is a | |
469 // subdomain of another domain with expect_staple=true and | |
470 // include_subdomains_for_expect_staple=true. | |
471 bool GetStaticExpectStapleState( | |
472 const std::string& host, | |
473 ExpectStapleState* expect_staple_result) const; | |
474 | |
475 // The sets of hosts that have enabled TransportSecurity. |domain| will always | 480 // The sets of hosts that have enabled TransportSecurity. |domain| will always |
476 // be empty for a STSState or PKPState in these maps; the domain | 481 // be empty for a STSState or PKPState in these maps; the domain |
477 // comes from the map keys instead. In addition, |upgrade_mode| in the | 482 // comes from the map keys instead. In addition, |upgrade_mode| in the |
478 // STSState is never MODE_DEFAULT and |HasPublicKeyPins| in the PKPState | 483 // STSState is never MODE_DEFAULT and |HasPublicKeyPins| in the PKPState |
479 // always returns true. | 484 // always returns true. |
480 STSStateMap enabled_sts_hosts_; | 485 STSStateMap enabled_sts_hosts_; |
481 PKPStateMap enabled_pkp_hosts_; | 486 PKPStateMap enabled_pkp_hosts_; |
482 | 487 |
483 Delegate* delegate_; | 488 Delegate* delegate_; |
484 | 489 |
485 ReportSender* report_sender_; | 490 ReportSender* report_sender_; |
486 | 491 |
487 // True if static pins should be used. | 492 // True if static pins should be used. |
488 bool enable_static_pins_; | 493 bool enable_static_pins_; |
489 | 494 |
490 // True if static expect-CT state should be used. | 495 // True if static expect-CT state should be used. |
491 bool enable_static_expect_ct_; | 496 bool enable_static_expect_ct_; |
492 | 497 |
498 ExpectCTReporter* expect_ct_reporter_; | |
499 | |
estark
2016/06/09 21:24:15
any reason for this change?
dadrian
2016/06/10 01:05:52
No idea. I'll try to figure out where this came fr
dadrian
2016/06/13 23:03:32
Just a formatting snafu. Reverted.
| |
493 // True if static expect-staple state should be used. | 500 // True if static expect-staple state should be used. |
494 bool enable_static_expect_staple_; | 501 bool enable_static_expect_staple_; |
495 | 502 |
496 ExpectCTReporter* expect_ct_reporter_; | |
497 | |
498 // Keeps track of reports that have been sent recently for | 503 // Keeps track of reports that have been sent recently for |
499 // rate-limiting. | 504 // rate-limiting. |
500 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> | 505 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> |
501 sent_reports_cache_; | 506 sent_reports_cache_; |
502 | 507 |
503 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); | 508 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); |
504 }; | 509 }; |
505 | 510 |
506 } // namespace net | 511 } // namespace net |
507 | 512 |
508 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 513 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
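Review bot: The second parameter of the new `CheckExpectStaple` declaration (new line 388) is named `expect_state_state`, which looks like a typo for `expect_staple_state`. The line should read `const ExpectStapleState& expect_staple_state,` so the name matches the `ExpectStapleState` type and the `expect_staple_result` out-parameter of `GetStaticExpectStapleState`. The same declaration takes `ocsp_response` as a `const std::string&`, so a handshake with no stapled response and one with an empty response look identical at this interface. A missing staple is presumably a case an Expect-Staple check has to flag, so the declaration should say how an empty string is treated. The implementation is not visible on this page, so the second point is inferred from the signature alone.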