
Side by Side Diff: net/http/transport_security_state.cc

Issue 2587243002: Do not do Expect-Staple when OCSPVerifyResult has not been populated (Closed)
Patch Set: Created 4 years ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/http/transport_security_state.h" 5 #include "net/http/transport_security_state.h"
6 6
7 #include <algorithm> 7 #include <algorithm>
8 #include <memory> 8 #include <memory>
9 #include <utility> 9 #include <utility>
10 #include <vector> 10 #include <vector>
638 } 638 }
639 639
640 return found; 640 return found;
641 } 641 }
642 642
643 // Serializes an OCSPVerifyResult::ResponseStatus to a string enum, suitable for 643 // Serializes an OCSPVerifyResult::ResponseStatus to a string enum, suitable for
644 // the |response-status| field in an Expect-Staple report. 644 // the |response-status| field in an Expect-Staple report.
645 std::string SerializeExpectStapleResponseStatus( 645 std::string SerializeExpectStapleResponseStatus(
646 OCSPVerifyResult::ResponseStatus status) { 646 OCSPVerifyResult::ResponseStatus status) {
647 switch (status) { 647 switch (status) {
648 case OCSPVerifyResult::UNKNOWN:
649 // Reports shouldn't be sent for this response status.
650 NOTREACHED();
651 return "UNKNOWN";
648 case OCSPVerifyResult::MISSING: 652 case OCSPVerifyResult::MISSING:
649 return "MISSING"; 653 return "MISSING";
650 case OCSPVerifyResult::PROVIDED: 654 case OCSPVerifyResult::PROVIDED:
651 return "PROVIDED"; 655 return "PROVIDED";
652 case OCSPVerifyResult::ERROR_RESPONSE: 656 case OCSPVerifyResult::ERROR_RESPONSE:
653 return "ERROR_RESPONSE"; 657 return "ERROR_RESPONSE";
654 case OCSPVerifyResult::BAD_PRODUCED_AT: 658 case OCSPVerifyResult::BAD_PRODUCED_AT:
655 return "BAD_PRODUCED_AT"; 659 return "BAD_PRODUCED_AT";
656 case OCSPVerifyResult::NO_MATCHING_RESPONSE: 660 case OCSPVerifyResult::NO_MATCHING_RESPONSE:
657 return "NO_MATCHING_RESPONSE"; 661 return "NO_MATCHING_RESPONSE";
658 case OCSPVerifyResult::INVALID_DATE: 662 case OCSPVerifyResult::INVALID_DATE:
659 return "INVALID_DATE"; 663 return "INVALID_DATE";
660 case OCSPVerifyResult::PARSE_RESPONSE_ERROR: 664 case OCSPVerifyResult::PARSE_RESPONSE_ERROR:
661 return "PARSE_RESPONSE_ERROR"; 665 return "PARSE_RESPONSE_ERROR";
662 case OCSPVerifyResult::PARSE_RESPONSE_DATA_ERROR: 666 case OCSPVerifyResult::PARSE_RESPONSE_DATA_ERROR:
663 return "PARSE_RESPONSE_DATA_ERROR"; 667 return "PARSE_RESPONSE_DATA_ERROR";
664 } 668 }
665 return std::string(); 669 return std::string();
Ryan Sleevi 2016/12/21 01:35:29 nit: Any reason there's not a NOTREACHED() here as
estark 2016/12/21 17:53:12 Not that I can see, added one.
666 } 670 }
667 671
668 // Serializes an OCSPRevocationStatus to a string enum, suitable for the 672 // Serializes an OCSPRevocationStatus to a string enum, suitable for the
669 // |cert-status| field in an Expect-Staple report. 673 // |cert-status| field in an Expect-Staple report.
670 std::string SerializeExpectStapleRevocationStatus( 674 std::string SerializeExpectStapleRevocationStatus(
671 const OCSPRevocationStatus& status) { 675 const OCSPRevocationStatus& status) {
672 switch (status) { 676 switch (status) {
673 case OCSPRevocationStatus::GOOD: 677 case OCSPRevocationStatus::GOOD:
674 return "GOOD"; 678 return "GOOD";
675 case OCSPRevocationStatus::REVOKED: 679 case OCSPRevocationStatus::REVOKED:
796 return; 800 return;
797 } 801 }
798 802
799 // Determine if the host is on the Expect-Staple preload list. If the build is 803 // Determine if the host is on the Expect-Staple preload list. If the build is
800 // not timely (i.e. the preload list is not fresh), this will fail and return 804 // not timely (i.e. the preload list is not fresh), this will fail and return
801 // false. 805 // false.
802 ExpectStapleState expect_staple_state; 806 ExpectStapleState expect_staple_state;
803 if (!GetStaticExpectStapleState(host_port_pair.host(), &expect_staple_state)) 807 if (!GetStaticExpectStapleState(host_port_pair.host(), &expect_staple_state))
804 return; 808 return;
805 809
806 // No report needed if a stapled OCSP response was provided. 810 // No report needed if OCSP details were not checked on this
807 if (ssl_info.ocsp_result.response_status == OCSPVerifyResult::PROVIDED && 811 // connection, or if a stapled OCSP response was provided.
808 ssl_info.ocsp_result.revocation_status == OCSPRevocationStatus::GOOD) { 812 if (ssl_info.ocsp_result.response_status == OCSPVerifyResult::UNKNOWN ||
813 (ssl_info.ocsp_result.response_status == OCSPVerifyResult::PROVIDED &&
814 ssl_info.ocsp_result.revocation_status == OCSPRevocationStatus::GOOD)) {
Ryan Sleevi 2016/12/21 01:35:29 suggestion: I would actually break these into two
estark 2016/12/21 17:53:12 Done.
809 return; 815 return;
810 } 816 }
811 817
812 std::string serialized_report; 818 std::string serialized_report;
813 if (!SerializeExpectStapleReport(host_port_pair, ssl_info, ocsp_response, 819 if (!SerializeExpectStapleReport(host_port_pair, ssl_info, ocsp_response,
814 &serialized_report)) { 820 &serialized_report)) {
815 return; 821 return;
816 } 822 }
817 report_sender_->Send(expect_staple_state.report_uri, 823 report_sender_->Send(expect_staple_state.report_uri,
818 "application/json; charset=utf-8", serialized_report, 824 "application/json; charset=utf-8", serialized_report,
1645 TransportSecurityState::PKPStateIterator::PKPStateIterator( 1651 TransportSecurityState::PKPStateIterator::PKPStateIterator(
1646 const TransportSecurityState& state) 1652 const TransportSecurityState& state)
1647 : iterator_(state.enabled_pkp_hosts_.begin()), 1653 : iterator_(state.enabled_pkp_hosts_.begin()),
1648 end_(state.enabled_pkp_hosts_.end()) { 1654 end_(state.enabled_pkp_hosts_.end()) {
1649 } 1655 }
1650 1656
1651 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { 1657 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {
1652 } 1658 }
1653 1659
1654 } // namespace 1660 } // namespace
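Review bot: The new UNKNOWN case in SerializeExpectStapleResponseStatus (new lines 648-651) says reports shouldn't be sent for this status but not what keeps the case unreachable; the early return added in CheckExpectStaple (new lines 812-814) is the only thing preventing an unpopulated OCSPVerifyResult from reaching the serializer, so the comment should name that dependency, e.g. `// CheckExpectStaple() returns early for UNKNOWN, so this status is never serialized into a report.` If NOTREACHED() does not abort in a given build, the function falls through to `return "UNKNOWN"` and a report describing a never-checked OCSP status would go out to the report URI, which is exactly what the change is meant to avoid, so making the coupling explicit helps it survive a future caller that bypasses the guard. Both enclosing functions begin or end outside the visible hunks.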