| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <memory> | 8 #include <memory> |
| 9 #include <utility> | 9 #include <utility> |
| 10 #include <vector> | 10 #include <vector> |
| (...skipping 625 matching lines...) |
| 636 | 636 |
| 637 return found; | 637 return found; |
| 638 } | 638 } |
| 639 | 639 |
| 640 } // namespace | 640 } // namespace |
| 641 | 641 |
| 642 TransportSecurityState::TransportSecurityState() | 642 TransportSecurityState::TransportSecurityState() |
| 643 : enable_static_pins_(true), | 643 : enable_static_pins_(true), |
| 644 enable_static_expect_ct_(true), | 644 enable_static_expect_ct_(true), |
| 645 enable_static_expect_staple_(false), | 645 enable_static_expect_staple_(false), |
| 646 enable_pkp_bypass_for_local_trust_anchors_(true), |
| 646 sent_reports_cache_(kMaxHPKPReportCacheEntries) { | 647 sent_reports_cache_(kMaxHPKPReportCacheEntries) { |
| 647 // Static pinning is only enabled for official builds to make sure that | 648 // Static pinning is only enabled for official builds to make sure that |
| 648 // others don't end up with pins that cannot be easily updated. | 649 // others don't end up with pins that cannot be easily updated. |
| 649 #if !defined(OFFICIAL_BUILD) || defined(OS_ANDROID) || defined(OS_IOS) | 650 #if !defined(OFFICIAL_BUILD) || defined(OS_ANDROID) || defined(OS_IOS) |
| 650 enable_static_pins_ = false; | 651 enable_static_pins_ = false; |
| 651 enable_static_expect_ct_ = false; | 652 enable_static_expect_ct_ = false; |
| 652 #endif | 653 #endif |
| 653 DCHECK(CalledOnValidThread()); | 654 DCHECK(CalledOnValidThread()); |
| 654 } | 655 } |
| 655 | 656 |
| (...skipping 200 matching lines...) |
| 856 PKPState pkp_state; | 857 PKPState pkp_state; |
| 857 pkp_state.last_observed = last_observed; | 858 pkp_state.last_observed = last_observed; |
| 858 pkp_state.expiry = expiry; | 859 pkp_state.expiry = expiry; |
| 859 pkp_state.include_subdomains = include_subdomains; | 860 pkp_state.include_subdomains = include_subdomains; |
| 860 pkp_state.spki_hashes = hashes; | 861 pkp_state.spki_hashes = hashes; |
| 861 pkp_state.report_uri = report_uri; | 862 pkp_state.report_uri = report_uri; |
| 862 | 863 |
| 863 EnablePKPHost(host, pkp_state); | 864 EnablePKPHost(host, pkp_state); |
| 864 } | 865 } |
| 865 | 866 |
| 867 void TransportSecurityState:: |
| 868 SetEnablePublicKeyPinningBypassForLocalTrustAnchors(bool value) { |
| 869 enable_pkp_bypass_for_local_trust_anchors_ = value; |
| 870 } |
| 871 |
| 866 void TransportSecurityState::EnableSTSHost(const std::string& host, | 872 void TransportSecurityState::EnableSTSHost(const std::string& host, |
| 867 const STSState& state) { | 873 const STSState& state) { |
| 868 DCHECK(CalledOnValidThread()); | 874 DCHECK(CalledOnValidThread()); |
| 869 | 875 |
| 870 const std::string canonicalized_host = CanonicalizeHost(host); | 876 const std::string canonicalized_host = CanonicalizeHost(host); |
| 871 if (canonicalized_host.empty()) | 877 if (canonicalized_host.empty()) |
| 872 return; | 878 return; |
| 873 | 879 |
| 874 // Only store new state when HSTS is explicitly enabled. If it is | 880 // Only store new state when HSTS is explicitly enabled. If it is |
| 875 // disabled, remove the state from the enabled hosts. | 881 // disabled, remove the state from the enabled hosts. |
| (...skipping 44 matching lines...) |
| 920 const TransportSecurityState::PKPState& pkp_state, | 926 const TransportSecurityState::PKPState& pkp_state, |
| 921 const HashValueVector& hashes, | 927 const HashValueVector& hashes, |
| 922 const X509Certificate* served_certificate_chain, | 928 const X509Certificate* served_certificate_chain, |
| 923 const X509Certificate* validated_certificate_chain, | 929 const X509Certificate* validated_certificate_chain, |
| 924 const TransportSecurityState::PublicKeyPinReportStatus report_status, | 930 const TransportSecurityState::PublicKeyPinReportStatus report_status, |
| 925 std::string* failure_log) { | 931 std::string* failure_log) { |
| 926 if (pkp_state.CheckPublicKeyPins(hashes, failure_log)) | 932 if (pkp_state.CheckPublicKeyPins(hashes, failure_log)) |
| 927 return PKPStatus::OK; | 933 return PKPStatus::OK; |
| 928 | 934 |
| 929 // Don't report violations for certificates that chain to local roots. | 935 // Don't report violations for certificates that chain to local roots. |
| 930 if (!is_issued_by_known_root) | 936 if (!is_issued_by_known_root && enable_pkp_bypass_for_local_trust_anchors_) |
| 931 return PKPStatus::BYPASSED; | 937 return PKPStatus::BYPASSED; |
| 932 | 938 |
| 933 if (!report_sender_ || | 939 if (!report_sender_ || |
| 934 report_status != TransportSecurityState::ENABLE_PIN_REPORTS || | 940 report_status != TransportSecurityState::ENABLE_PIN_REPORTS || |
| 935 pkp_state.report_uri.is_empty()) { | 941 pkp_state.report_uri.is_empty()) { |
| 936 return PKPStatus::VIOLATED; | 942 return PKPStatus::VIOLATED; |
| 937 } | 943 } |
| 938 | 944 |
| 939 DCHECK(pkp_state.report_uri.is_valid()); | 945 DCHECK(pkp_state.report_uri.is_valid()); |
| 940 // Report URIs should not be used if they are the same host as the pin | 946 // Report URIs should not be used if they are the same host as the pin |
| (...skipping 574 matching lines...) |
| 1515 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1521 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
| 1516 const TransportSecurityState& state) | 1522 const TransportSecurityState& state) |
| 1517 : iterator_(state.enabled_pkp_hosts_.begin()), | 1523 : iterator_(state.enabled_pkp_hosts_.begin()), |
| 1518 end_(state.enabled_pkp_hosts_.end()) { | 1524 end_(state.enabled_pkp_hosts_.end()) { |
| 1519 } | 1525 } |
| 1520 | 1526 |
| 1521 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1527 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
| 1522 } | 1528 } |
| 1523 | 1529 |
| 1524 } // namespace | 1530 } // namespace |
| OLD | NEW |
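Review bot: The new setter `SetEnablePublicKeyPinningBypassForLocalTrustAnchors` writes `enable_pkp_bypass_for_local_trust_anchors_` without the `DCHECK(CalledOnValidThread());` that the constructor and `EnableSTSHost` on this page both carry, so a call from the wrong thread would go unnoticed while the pin check reads the flag; add that DCHECK as the setter's first line. The comment above the changed condition is also stale: with the flag false, a chain to a local root no longer returns `BYPASSED` but falls through to `VIOLATED` and, where reporting is enabled, to the report path. It should read something like `// Don't enforce or report pin violations for chains to local roots, unless that bypass has been disabled.` The enclosing pin-check function starts and ends outside the visible lines, so whether later code in it still assumes a publicly trusted root cannot be confirmed from here.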