| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <memory> | 8 #include <memory> |
| 9 #include <utility> | 9 #include <utility> |
| 10 #include <vector> | 10 #include <vector> |
| (...skipping 598 matching lines...) |
| 609 | 609 |
| 610 return found; | 610 return found; |
| 611 } | 611 } |
| 612 | 612 |
| 613 } // namespace | 613 } // namespace |
| 614 | 614 |
| 615 TransportSecurityState::TransportSecurityState() | 615 TransportSecurityState::TransportSecurityState() |
| 616 : enable_static_pins_(true), | 616 : enable_static_pins_(true), |
| 617 enable_static_expect_ct_(true), | 617 enable_static_expect_ct_(true), |
| 618 enable_static_expect_staple_(false), | 618 enable_static_expect_staple_(false), |
| 619 enable_pkp_bypass_for_local_trust_anchors_(true), | |
| 620 sent_reports_cache_(kMaxHPKPReportCacheEntries) { | 619 sent_reports_cache_(kMaxHPKPReportCacheEntries) { |
| 621 // Static pinning is only enabled for official builds to make sure that | 620 // Static pinning is only enabled for official builds to make sure that |
| 622 // others don't end up with pins that cannot be easily updated. | 621 // others don't end up with pins that cannot be easily updated. |
| 623 #if !defined(OFFICIAL_BUILD) || defined(OS_ANDROID) || defined(OS_IOS) | 622 #if !defined(OFFICIAL_BUILD) || defined(OS_ANDROID) || defined(OS_IOS) |
| 624 enable_static_pins_ = false; | 623 enable_static_pins_ = false; |
| 625 enable_static_expect_ct_ = false; | 624 enable_static_expect_ct_ = false; |
| 626 #endif | 625 #endif |
| 627 DCHECK(CalledOnValidThread()); | 626 DCHECK(CalledOnValidThread()); |
| 628 } | 627 } |
| 629 | 628 |
| (...skipping 138 matching lines...) |
| 768 PKPState pkp_state; | 767 PKPState pkp_state; |
| 769 pkp_state.last_observed = last_observed; | 768 pkp_state.last_observed = last_observed; |
| 770 pkp_state.expiry = expiry; | 769 pkp_state.expiry = expiry; |
| 771 pkp_state.include_subdomains = include_subdomains; | 770 pkp_state.include_subdomains = include_subdomains; |
| 772 pkp_state.spki_hashes = hashes; | 771 pkp_state.spki_hashes = hashes; |
| 773 pkp_state.report_uri = report_uri; | 772 pkp_state.report_uri = report_uri; |
| 774 | 773 |
| 775 EnablePKPHost(host, pkp_state); | 774 EnablePKPHost(host, pkp_state); |
| 776 } | 775 } |
| 777 | 776 |
| 778 void TransportSecurityState:: | |
| 779 SetEnablePublicKeyPinningBypassForLocalTrustAnchors(bool value) { | |
| 780 enable_pkp_bypass_for_local_trust_anchors_ = value; | |
| 781 } | |
| 782 | |
| 783 void TransportSecurityState::EnableSTSHost(const std::string& host, | 777 void TransportSecurityState::EnableSTSHost(const std::string& host, |
| 784 const STSState& state) { | 778 const STSState& state) { |
| 785 DCHECK(CalledOnValidThread()); | 779 DCHECK(CalledOnValidThread()); |
| 786 | 780 |
| 787 const std::string canonicalized_host = CanonicalizeHost(host); | 781 const std::string canonicalized_host = CanonicalizeHost(host); |
| 788 if (canonicalized_host.empty()) | 782 if (canonicalized_host.empty()) |
| 789 return; | 783 return; |
| 790 | 784 |
| 791 // Only store new state when HSTS is explicitly enabled. If it is | 785 // Only store new state when HSTS is explicitly enabled. If it is |
| 792 // disabled, remove the state from the enabled hosts. | 786 // disabled, remove the state from the enabled hosts. |
| (...skipping 44 matching lines...) |
| 837 const TransportSecurityState::PKPState& pkp_state, | 831 const TransportSecurityState::PKPState& pkp_state, |
| 838 const HashValueVector& hashes, | 832 const HashValueVector& hashes, |
| 839 const X509Certificate* served_certificate_chain, | 833 const X509Certificate* served_certificate_chain, |
| 840 const X509Certificate* validated_certificate_chain, | 834 const X509Certificate* validated_certificate_chain, |
| 841 const TransportSecurityState::PublicKeyPinReportStatus report_status, | 835 const TransportSecurityState::PublicKeyPinReportStatus report_status, |
| 842 std::string* failure_log) { | 836 std::string* failure_log) { |
| 843 if (pkp_state.CheckPublicKeyPins(hashes, failure_log)) | 837 if (pkp_state.CheckPublicKeyPins(hashes, failure_log)) |
| 844 return PKPStatus::OK; | 838 return PKPStatus::OK; |
| 845 | 839 |
| 846 // Don't report violations for certificates that chain to local roots. | 840 // Don't report violations for certificates that chain to local roots. |
| 847 if (!is_issued_by_known_root && enable_pkp_bypass_for_local_trust_anchors_) | 841 if (!is_issued_by_known_root) |
| 848 return PKPStatus::BYPASSED; | 842 return PKPStatus::BYPASSED; |
| 849 | 843 |
| 850 if (!report_sender_ || | 844 if (!report_sender_ || |
| 851 report_status != TransportSecurityState::ENABLE_PIN_REPORTS || | 845 report_status != TransportSecurityState::ENABLE_PIN_REPORTS || |
| 852 pkp_state.report_uri.is_empty()) { | 846 pkp_state.report_uri.is_empty()) { |
| 853 return PKPStatus::VIOLATED; | 847 return PKPStatus::VIOLATED; |
| 854 } | 848 } |
| 855 | 849 |
| 856 DCHECK(pkp_state.report_uri.is_valid()); | 850 DCHECK(pkp_state.report_uri.is_valid()); |
| 857 // Report URIs should not be used if they are the same host as the pin | 851 // Report URIs should not be used if they are the same host as the pin |
| (...skipping 565 matching lines...) |
| 1423 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1417 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
| 1424 const TransportSecurityState& state) | 1418 const TransportSecurityState& state) |
| 1425 : iterator_(state.enabled_pkp_hosts_.begin()), | 1419 : iterator_(state.enabled_pkp_hosts_.begin()), |
| 1426 end_(state.enabled_pkp_hosts_.end()) { | 1420 end_(state.enabled_pkp_hosts_.end()) { |
| 1427 } | 1421 } |
| 1428 | 1422 |
| 1429 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1423 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
| 1430 } | 1424 } |
| 1431 | 1425 |
| 1432 } // namespace | 1426 } // namespace |
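Review bot: The comment kept above the `if (!is_issued_by_known_root)` check (new line 840) describes the branch as only suppressing reports, but it returns `PKPStatus::BYPASSED` before the `VIOLATED` path is reached, and with `enable_pkp_bypass_for_local_trust_anchors_` and its setter removed that bypass is now unconditional. I would reword it to state the policy, for example `// Pins are neither enforced nor reported for chains that end in a locally installed trust anchor; this bypass cannot be disabled.` Because a root added to the local trust store now always takes precedence over a pin (assuming callers treat `BYPASSED` as a pass), the class documentation should also say that unwanted local roots have to be detected by other controls. The enclosing function begins and ends in lines the page skips, and the header declaration and any remaining callers of `SetEnablePublicKeyPinningBypassForLocalTrustAnchors` are not visible here, so confirm they are removed in the same change.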