| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <memory> | 8 #include <memory> |
| 9 #include <utility> | 9 #include <utility> |
| 10 #include <vector> | 10 #include <vector> |
| (...skipping 374 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 385 | 385 |
| 386 private: | 386 private: |
| 387 const uint8_t* const tree_; | 387 const uint8_t* const tree_; |
| 388 const size_t tree_bytes_; | 388 const size_t tree_bytes_; |
| 389 }; | 389 }; |
| 390 | 390 |
| 391 // PreloadResult is the result of resolving a specific name in the preloaded | 391 // PreloadResult is the result of resolving a specific name in the preloaded |
| 392 // data. | 392 // data. |
| 393 struct PreloadResult { | 393 struct PreloadResult { |
| 394 uint32_t pinset_id; | 394 uint32_t pinset_id; |
| 395 uint32_t domain_id; | |
| 396 // hostname_offset contains the number of bytes from the start of the given | 395 // hostname_offset contains the number of bytes from the start of the given |
| 397 // hostname where the name of the matching entry starts. | 396 // hostname where the name of the matching entry starts. |
| 398 size_t hostname_offset; | 397 size_t hostname_offset; |
| 399 bool sts_include_subdomains; | 398 bool sts_include_subdomains; |
| 400 bool pkp_include_subdomains; | 399 bool pkp_include_subdomains; |
| 401 bool force_https; | 400 bool force_https; |
| 402 bool has_pins; | 401 bool has_pins; |
| 403 bool expect_ct; | 402 bool expect_ct; |
| 404 uint32_t expect_ct_report_uri_id; | 403 uint32_t expect_ct_report_uri_id; |
| 405 bool expect_staple; | 404 bool expect_staple; |
| (...skipping 111 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 517 if (c == kEndOfString) { | 516 if (c == kEndOfString) { |
| 518 PreloadResult tmp; | 517 PreloadResult tmp; |
| 519 if (!reader.Next(&tmp.sts_include_subdomains) || | 518 if (!reader.Next(&tmp.sts_include_subdomains) || |
| 520 !reader.Next(&tmp.force_https) || !reader.Next(&tmp.has_pins)) { | 519 !reader.Next(&tmp.force_https) || !reader.Next(&tmp.has_pins)) { |
| 521 return false; | 520 return false; |
| 522 } | 521 } |
| 523 | 522 |
| 524 tmp.pkp_include_subdomains = tmp.sts_include_subdomains; | 523 tmp.pkp_include_subdomains = tmp.sts_include_subdomains; |
| 525 | 524 |
| 526 if (tmp.has_pins) { | 525 if (tmp.has_pins) { |
| 526 // TODO(estark): This can be removed once the preload list |
| 527 // format no longer includes |domain_id|. |
| 528 // https://crbug.com/661206 |
| 529 uint32_t unused_domain_id; |
| 527 if (!reader.Read(4, &tmp.pinset_id) || | 530 if (!reader.Read(4, &tmp.pinset_id) || |
| 528 !reader.Read(9, &tmp.domain_id) || | 531 !reader.Read(9, &unused_domain_id) || |
| 529 (!tmp.sts_include_subdomains && | 532 (!tmp.sts_include_subdomains && |
| 530 !reader.Next(&tmp.pkp_include_subdomains))) { | 533 !reader.Next(&tmp.pkp_include_subdomains))) { |
| 531 return false; | 534 return false; |
| 532 } | 535 } |
| 533 } | 536 } |
| 534 | 537 |
| 535 if (!reader.Next(&tmp.expect_ct)) | 538 if (!reader.Next(&tmp.expect_ct)) |
| 536 return false; | 539 return false; |
| 537 | 540 |
| 538 if (tmp.expect_ct) { | 541 if (tmp.expect_ct) { |
| (...skipping 232 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 771 PKPStatus pin_validity = CheckPublicKeyPinsImpl( | 774 PKPStatus pin_validity = CheckPublicKeyPinsImpl( |
| 772 host_port_pair, is_issued_by_known_root, public_key_hashes, | 775 host_port_pair, is_issued_by_known_root, public_key_hashes, |
| 773 served_certificate_chain, validated_certificate_chain, report_status, | 776 served_certificate_chain, validated_certificate_chain, report_status, |
| 774 pinning_failure_log); | 777 pinning_failure_log); |
| 775 | 778 |
| 776 // Don't track statistics when a local trust anchor would override the pinning | 779 // Don't track statistics when a local trust anchor would override the pinning |
| 777 // anyway. | 780 // anyway. |
| 778 if (!is_issued_by_known_root) | 781 if (!is_issued_by_known_root) |
| 779 return pin_validity; | 782 return pin_validity; |
| 780 | 783 |
| 781 if (pin_validity == PKPStatus::VIOLATED) { | |
| 782 LOG(ERROR) << *pinning_failure_log; | |
| 783 ReportUMAOnPinFailure(host_port_pair.host()); | |
| 784 } | |
| 785 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", | 784 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", |
| 786 pin_validity == PKPStatus::OK); | 785 pin_validity == PKPStatus::OK); |
| 787 return pin_validity; | 786 return pin_validity; |
| 788 } | 787 } |
| 789 | 788 |
| 790 void TransportSecurityState::CheckExpectStaple( | 789 void TransportSecurityState::CheckExpectStaple( |
| 791 const HostPortPair& host_port_pair, | 790 const HostPortPair& host_port_pair, |
| 792 const SSLInfo& ssl_info, | 791 const SSLInfo& ssl_info, |
| 793 const std::string& ocsp_response) { | 792 const std::string& ocsp_response) { |
| 794 DCHECK(CalledOnValidThread()); | 793 DCHECK(CalledOnValidThread()); |
| (...skipping 552 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1347 UMA_HISTOGRAM_ENUMERATION("Net.ExpectCTHeaderResult", result, | 1346 UMA_HISTOGRAM_ENUMERATION("Net.ExpectCTHeaderResult", result, |
| 1348 EXPECT_CT_HEADER_LAST + 1); | 1347 EXPECT_CT_HEADER_LAST + 1); |
| 1349 if (result != EXPECT_CT_HEADER_PROCESSED) | 1348 if (result != EXPECT_CT_HEADER_PROCESSED) |
| 1350 return; | 1349 return; |
| 1351 | 1350 |
| 1352 expect_ct_reporter_->OnExpectCTFailed(host_port_pair, state.report_uri, | 1351 expect_ct_reporter_->OnExpectCTFailed(host_port_pair, state.report_uri, |
| 1353 ssl_info); | 1352 ssl_info); |
| 1354 } | 1353 } |
| 1355 | 1354 |
| 1356 // static | 1355 // static |
| 1357 void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) { | |
| 1358 PreloadResult result; | |
| 1359 if (!DecodeHSTSPreload(host, &result) || | |
| 1360 !result.has_pins) { | |
| 1361 return; | |
| 1362 } | |
| 1363 | |
| 1364 DCHECK(result.domain_id != DOMAIN_NOT_PINNED); | |
| 1365 | |
| 1366 UMA_HISTOGRAM_SPARSE_SLOWLY( | |
| 1367 "Net.PublicKeyPinFailureDomain", result.domain_id); | |
| 1368 } | |
| 1369 | |
| 1370 // static | |
| 1371 void TransportSecurityState::SetShouldRequireCTForTesting(bool* required) { | 1356 void TransportSecurityState::SetShouldRequireCTForTesting(bool* required) { |
| 1372 if (!required) { | 1357 if (!required) { |
| 1373 g_ct_required_for_testing = 0; | 1358 g_ct_required_for_testing = 0; |
| 1374 return; | 1359 return; |
| 1375 } | 1360 } |
| 1376 g_ct_required_for_testing = *required ? 1 : -1; | 1361 g_ct_required_for_testing = *required ? 1 : -1; |
| 1377 } | 1362 } |
| 1378 | 1363 |
| 1379 // static | 1364 // static |
| 1380 bool TransportSecurityState::IsBuildTimely() { | 1365 bool TransportSecurityState::IsBuildTimely() { |
| (...skipping 278 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1659 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1644 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
| 1660 const TransportSecurityState& state) | 1645 const TransportSecurityState& state) |
| 1661 : iterator_(state.enabled_pkp_hosts_.begin()), | 1646 : iterator_(state.enabled_pkp_hosts_.begin()), |
| 1662 end_(state.enabled_pkp_hosts_.end()) { | 1647 end_(state.enabled_pkp_hosts_.end()) { |
| 1663 } | 1648 } |
| 1664 | 1649 |
| 1665 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1650 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
| 1666 } | 1651 } |
| 1667 | 1652 |
| 1668 } // namespace | 1653 } // namespace |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2467953002:
Deprecate old PublicKeyPinFailureDomain histogram (Closed)
