Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(167)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/http/transport_security_state.cc

Issue 2040513003: Implement Expect-Staple (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« chrome/browser/ssl/chrome_expect_staple_reporter.cc ('K') | « net/http/transport_security_state.h ('k') | net/http/transport_security_state_static.json » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/http/transport_security_state.cc
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index 6bbe0b032a5997b6c90e90898453410dfa7ae138..06ebc9c1fc82cdfdf18071ed1fe34bbb5f8af6dc 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -375,6 +375,9 @@ struct PreloadResult {
bool has_pins;
bool expect_ct;
uint32_t expect_ct_report_uri_id;
+ bool expect_staple;
+ bool expect_staple_include_subdomains;
+ uint32_t expect_staple_report_uri_id;
};
// DecodeHSTSPreloadRaw resolves |hostname| in the preloaded data. It returns
@@ -510,10 +513,22 @@ bool DecodeHSTSPreloadRaw(const std::string& search_hostname,
return false;
}
+ if (!reader.Next(&tmp.expect_staple))
+ return false;
+ tmp.expect_staple_include_subdomains = false;
+ if (tmp.expect_staple) {
+ if (!reader.Next(&tmp.expect_staple_include_subdomains))
+ return false;
+ if (!reader.Read(4, &tmp.expect_staple_report_uri_id))
+ return false;
+ }
+
tmp.hostname_offset = hostname_offset;
if (hostname_offset == 0 || hostname[hostname_offset - 1] == '.') {
- *out_found = tmp.sts_include_subdomains || tmp.pkp_include_subdomains;
+ *out_found = tmp.sts_include_subdomains ||
+ tmp.pkp_include_subdomains ||
+ tmp.expect_staple_include_subdomains;
*out = tmp;
if (hostname_offset > 0) {
@@ -704,6 +719,12 @@ void TransportSecurityState::SetExpectCTReporter(
expect_ct_reporter_ = expect_ct_reporter;
}
+void TransportSecurityState::SetExpectStapleReporter(
+ ExpectStapleReporter* expect_staple_reporter) {
+ DCHECK(CalledOnValidThread());
+ expect_staple_reporter_ = expect_staple_reporter;
+}
+
void TransportSecurityState::AddHSTSInternal(
const std::string& host,
TransportSecurityState::STSState::UpgradeMode upgrade_mode,
@@ -856,6 +877,29 @@ bool TransportSecurityState::GetStaticExpectCTState(
return true;
}
+bool TransportSecurityState::GetStaticExpectStapleState(
+ const std::string& host,
+ ExpectStapleState* expect_staple_state) const {
+ DCHECK(CalledOnValidThread());
+
+ if (!IsBuildTimely())
+ return false;
+
+ PreloadResult result;
+ if (!DecodeHSTSPreload(host, &result))
+ return false;
+
+ if (!enable_static_expect_staple_ || !result.expect_staple)
+ return false;
+
+ expect_staple_state->domain = host.substr(result.hostname_offset);
+ expect_staple_state->include_subdomains =
+ result.expect_staple_include_subdomains;
+ expect_staple_state->report_uri =
+ GURL(kExpectStapleReportURIs[result.expect_staple_report_uri_id]);
+ return true;
+}
+
bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) {
DCHECK(CalledOnValidThread());
@@ -1059,6 +1103,22 @@ void TransportSecurityState::ProcessExpectCTHeader(
ssl_info);
}
+void TransportSecurityState::CheckExpectStaple(
+ const HostPortPair& host_port_pair,
+ const SSLInfo& ssl_info) {
+ DCHECK(CalledOnValidThread());
+ if (!expect_staple_reporter_)
+ return;
+ if (!IsBuildTimely())
+ return;
+ // TODO: actually check OCSP info
+ ExpectStapleState state;
+ if (!GetStaticExpectStapleState(host_port_pair.host(), &state))
+ return;
+ expect_staple_reporter_->OnExpectStapleFailed(host_port_pair,
+ state.report_uri, ssl_info);
+}
+
// static
void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) {
PreloadResult result;
@@ -1310,6 +1370,11 @@ TransportSecurityState::ExpectCTState::ExpectCTState() {}
TransportSecurityState::ExpectCTState::~ExpectCTState() {}
+TransportSecurityState::ExpectStapleState::ExpectStapleState()
+ : include_subdomains(false) {}
+
+TransportSecurityState::ExpectStapleState::~ExpectStapleState() {}
+
bool TransportSecurityState::PKPState::CheckPublicKeyPins(
const HashValueVector& hashes,
std::string* failure_log) const {
« chrome/browser/ssl/chrome_expect_staple_reporter.cc ('K') | « net/http/transport_security_state.h ('k') | net/http/transport_security_state_static.json » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698