| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <memory> | 8 #include <memory> |
| 9 #include <utility> | 9 #include <utility> |
| 10 #include <vector> | 10 #include <vector> |
| (...skipping 1276 matching lines...) | |
| 1287 ssl_info.cert.get(), ENABLE_PIN_REPORTS, &unused_failure_log); | 1287 ssl_info.cert.get(), ENABLE_PIN_REPORTS, &unused_failure_log); |
| 1288 return true; | 1288 return true; |
| 1289 } | 1289 } |
| 1290 | 1290 |
| 1291 void TransportSecurityState::ProcessExpectCTHeader( | 1291 void TransportSecurityState::ProcessExpectCTHeader( |
| 1292 const std::string& value, | 1292 const std::string& value, |
| 1293 const HostPortPair& host_port_pair, | 1293 const HostPortPair& host_port_pair, |
| 1294 const SSLInfo& ssl_info) { | 1294 const SSLInfo& ssl_info) { |
| 1295 DCHECK(CalledOnValidThread()); | 1295 DCHECK(CalledOnValidThread()); |
| 1296 | 1296 |
| 1297 // Records the result of processing an Expect-CT header. This enum is | |
| 1298 // histogrammed, so do not reorder or remove values. | |
|
eroman
2016/08/25 23:39:31
Given this, can you assign values to *each* of the
estark
2016/08/27 15:20:05
Done.
| |
| 1299 enum ExpectCTHeaderResult { | |
| 1300 // An Expect-CT header was received, but it had the wrong value. | |
| 1301 EXPECT_CT_HEADER_BAD_VALUE = 0, | |
| 1302 // The Expect-CT header was ignored because the build was old. | |
| 1303 EXPECT_CT_HEADER_BUILD_NOT_TIMELY, | |
| 1304 // The Expect-CT header was ignored because the certificate did not chain to | |
| 1305 // a public root. | |
| 1306 EXPECT_CT_HEADER_PRIVATE_ROOT, | |
| 1307 // The Expect-CT header was ignored because CT compliance details were | |
| 1308 // unavailable. | |
| 1309 EXPECT_CT_HEADER_COMPLIANCE_DETAILS_UNAVAILABLE, | |
| 1310 // The request satisified the Expect-CT compliance policy, so no action was | |
| 1311 // taken. | |
| 1312 EXPECT_CT_HEADER_COMPLIED, | |
| 1313 // The Expect-CT header was ignored because there was no corresponding | |
| 1314 // preload list entry. | |
| 1315 EXPECT_CT_HEADER_NOT_PRELOADED, | |
| 1316 // The Expect-CT header was processed successfully and passed on to the | |
| 1317 // delegate to send a report. | |
| 1318 EXPECT_CT_HEADER_PROCESSED, | |
| 1319 EXPECT_CT_HEADER_MAX | |
|
eroman
2016/08/25 23:39:31
I think it is more idiomatic to use a _LAST value
estark
2016/08/27 15:20:05
Done.
| |
| 1320 }; | |
| 1321 | |
| 1322 ExpectCTHeaderResult result = EXPECT_CT_HEADER_PROCESSED; | |
| 1323 | |
| 1297 if (!expect_ct_reporter_) | 1324 if (!expect_ct_reporter_) |
| 1298 return; | 1325 return; |
| 1299 | 1326 |
| 1300 if (value != "preload") | 1327 ExpectCTState state; |
| 1301 return; | 1328 if (value != "preload") { |
| 1302 | 1329 result = EXPECT_CT_HEADER_BAD_VALUE; |
| 1303 if (!IsBuildTimely()) | 1330 } else if (!IsBuildTimely()) { |
| 1304 return; | 1331 result = EXPECT_CT_HEADER_BUILD_NOT_TIMELY; |
| 1305 | 1332 } else if (!ssl_info.is_issued_by_known_root) { |
| 1306 if (!ssl_info.is_issued_by_known_root || | 1333 result = EXPECT_CT_HEADER_PRIVATE_ROOT; |
| 1307 !ssl_info.ct_compliance_details_available || | 1334 } else if (!ssl_info.ct_compliance_details_available) { |
| 1308 ssl_info.ct_cert_policy_compliance == | 1335 result = EXPECT_CT_HEADER_COMPLIANCE_DETAILS_UNAVAILABLE; |
| 1309 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS) { | 1336 } else if (ssl_info.ct_cert_policy_compliance == |
| 1310 return; | 1337 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS) { |
| 1338 result = EXPECT_CT_HEADER_COMPLIED; | |
| 1339 } else if (!GetStaticExpectCTState(host_port_pair.host(), &state)) { | |
| 1340 result = EXPECT_CT_HEADER_NOT_PRELOADED; | |
| 1311 } | 1341 } |
| 1312 | 1342 |
| 1313 ExpectCTState state; | 1343 UMA_HISTOGRAM_ENUMERATION("Net.ExpectCTHeaderResult", result, |
| 1314 if (!GetStaticExpectCTState(host_port_pair.host(), &state)) | 1344 EXPECT_CT_HEADER_MAX); |
| 1345 if (result != EXPECT_CT_HEADER_PROCESSED) | |
| 1315 return; | 1346 return; |
| 1316 | 1347 |
| 1317 expect_ct_reporter_->OnExpectCTFailed(host_port_pair, state.report_uri, | 1348 expect_ct_reporter_->OnExpectCTFailed(host_port_pair, state.report_uri, |
| 1318 ssl_info); | 1349 ssl_info); |
| 1319 } | 1350 } |
| 1320 | 1351 |
| 1321 // static | 1352 // static |
| 1322 void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) { | 1353 void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) { |
| 1323 PreloadResult result; | 1354 PreloadResult result; |
| 1324 if (!DecodeHSTSPreload(host, &result) || | 1355 if (!DecodeHSTSPreload(host, &result) || |
| (...skipping 299 matching lines...) | |
| 1624 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1655 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
| 1625 const TransportSecurityState& state) | 1656 const TransportSecurityState& state) |
| 1626 : iterator_(state.enabled_pkp_hosts_.begin()), | 1657 : iterator_(state.enabled_pkp_hosts_.begin()), |
| 1627 end_(state.enabled_pkp_hosts_.end()) { | 1658 end_(state.enabled_pkp_hosts_.end()) { |
| 1628 } | 1659 } |
| 1629 | 1660 |
| 1630 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1661 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
| 1631 } | 1662 } |
| 1632 | 1663 |
| 1633 } // namespace | 1664 } // namespace |
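Review bot: In the new `ProcessExpectCTHeader`, `result` is initialised to `EXPECT_CT_HEADER_PROCESSED` and `state` is filled in only as a side effect of the final `else if (!GetStaticExpectCTState(...))` condition, so the report path is the default outcome rather than one the code reaches explicitly. Every branch visible here does set `result`, but a check added to the chain later that forgets to would fall through to `OnExpectCTFailed` with a default-constructed `state.report_uri`. I would document the invariant above the chain, for example `// |state| is valid only when |result| == EXPECT_CT_HEADER_PROCESSED; every check added here must set |result|.` Separately, the comment on `EXPECT_CT_HEADER_COMPLIED` misspells "satisfied" as "satisified".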
| OLD | NEW |