OLD | NEW |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ | 5 #ifndef COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ |
6 #define COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ | 6 #define COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ |
7 | 7 |
8 #include <map> | 8 #include <map> |
9 #include <memory> | 9 #include <memory> |
10 #include <string> | 10 #include <string> |
11 | 11 |
12 #include "base/containers/mru_cache.h" | 12 #include "base/containers/mru_cache.h" |
13 #include "base/memory/memory_pressure_monitor.h" | 13 #include "base/memory/memory_pressure_monitor.h" |
14 #include "base/memory/ref_counted.h" | 14 #include "base/memory/ref_counted.h" |
15 #include "base/memory/weak_ptr.h" | 15 #include "base/memory/weak_ptr.h" |
16 #include "net/base/hash_value.h" | 16 #include "net/base/hash_value.h" |
17 #include "net/cert/ct_verifier.h" | 17 #include "net/cert/ct_verifier.h" |
18 #include "net/cert/signed_tree_head.h" | 18 #include "net/cert/signed_tree_head.h" |
19 #include "net/cert/sth_observer.h" | 19 #include "net/cert/sth_observer.h" |
| 20 #include "net/log/net_log_with_source.h" |
20 | 21 |
21 namespace net { | 22 namespace net { |
22 | 23 |
23 class CTLogVerifier; | 24 class CTLogVerifier; |
24 class X509Certificate; | 25 class X509Certificate; |
25 | 26 |
26 namespace ct { | 27 namespace ct { |
27 | 28 |
28 struct MerkleAuditProof; | 29 struct MerkleAuditProof; |
29 struct SignedCertificateTimestamp; | 30 struct SignedCertificateTimestamp; |
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
71 | 72 |
72 // SCT is known and there's a new-enough STH to check inclusion against. | 73 // SCT is known and there's a new-enough STH to check inclusion against. |
73 // It's in the process of being checked for inclusion. | 74 // It's in the process of being checked for inclusion. |
74 SCT_PENDING_INCLUSION_CHECK, | 75 SCT_PENDING_INCLUSION_CHECK, |
75 | 76 |
76 // Inclusion check succeeded. | 77 // Inclusion check succeeded. |
77 SCT_INCLUDED_IN_LOG, | 78 SCT_INCLUDED_IN_LOG, |
78 }; | 79 }; |
79 | 80 |
80 SingleTreeTracker(scoped_refptr<const net::CTLogVerifier> ct_log, | 81 SingleTreeTracker(scoped_refptr<const net::CTLogVerifier> ct_log, |
81 LogDnsClient* dns_client); | 82 LogDnsClient* dns_client, |
| 83 net::NetLog* net_log); |
82 ~SingleTreeTracker() override; | 84 ~SingleTreeTracker() override; |
83 | 85 |
84 // net::ct::CTVerifier::Observer implementation. | 86 // net::ct::CTVerifier::Observer implementation. |
85 | 87 |
86 // TODO(eranm): Extract CTVerifier::Observer to SCTObserver | 88 // TODO(eranm): Extract CTVerifier::Observer to SCTObserver |
87 // Performs an inclusion check for the given certificate if the latest | 89 // Performs an inclusion check for the given certificate if the latest |
88 // STH known for this log is older than sct.timestamp + Maximum Merge Delay, | 90 // STH known for this log is older than sct.timestamp + Maximum Merge Delay, |
89 // enqueues the SCT for future checking later on. | 91 // enqueues the SCT for future checking later on. |
90 // Should only be called with SCTs issued by the log this instance tracks. | 92 // Should only be called with SCTs issued by the log this instance tracks. |
91 // TODO(eranm): Make sure not to perform any synchronous, blocking operation | 93 // TODO(eranm): Make sure not to perform any synchronous, blocking operation |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
135 // * If there was a failure to obtain or validate an inclusion | 137 // * If there was a failure to obtain or validate an inclusion |
136 // proof, removes |entry| from the queue of entries to validate. | 138 // proof, removes |entry| from the queue of entries to validate. |
137 // Future calls to GetLogEntryInclusionStatus() will indicate the entry | 139 // Future calls to GetLogEntryInclusionStatus() will indicate the entry |
138 // has not been observed. | 140 // has not been observed. |
139 void OnAuditProofObtained(const EntryToAudit& entry, int net_error); | 141 void OnAuditProofObtained(const EntryToAudit& entry, int net_error); |
140 | 142 |
141 // Clears entries to reduce memory overhead. | 143 // Clears entries to reduce memory overhead. |
142 void OnMemoryPressure( | 144 void OnMemoryPressure( |
143 base::MemoryPressureListener::MemoryPressureLevel memory_pressure_level); | 145 base::MemoryPressureListener::MemoryPressureLevel memory_pressure_level); |
144 | 146 |
| 147 void LogAuditResultToNetLog(const EntryToAudit& entry, bool success); |
| 148 |
145 // Holds the latest STH fetched and verified for this log. | 149 // Holds the latest STH fetched and verified for this log. |
146 net::ct::SignedTreeHead verified_sth_; | 150 net::ct::SignedTreeHead verified_sth_; |
147 | 151 |
148 // The log being tracked. | 152 // The log being tracked. |
149 scoped_refptr<const net::CTLogVerifier> ct_log_; | 153 scoped_refptr<const net::CTLogVerifier> ct_log_; |
150 | 154 |
151 // Log entries waiting to be checked for inclusion, or being checked for | 155 // Log entries waiting to be checked for inclusion, or being checked for |
152 // inclusion, and their state. | 156 // inclusion, and their state. |
153 std::map<EntryToAudit, EntryAuditState, OrderByTimestamp> pending_entries_; | 157 std::map<EntryToAudit, EntryAuditState, OrderByTimestamp> pending_entries_; |
154 | 158 |
155 // A cache of leaf hashes identifying entries which were checked for | 159 // A cache of leaf hashes identifying entries which were checked for |
156 // inclusion (the key is the Leaf Hash of the log entry). | 160 // inclusion (the key is the Leaf Hash of the log entry). |
157 // NOTE: The current implementation does not cache failures, so the presence | 161 // NOTE: The current implementation does not cache failures, so the presence |
158 // of an entry in |checked_entries_| indicates success. | 162 // of an entry in |checked_entries_| indicates success. |
159 // To extend support for caching failures, a success indicator should be | 163 // To extend support for caching failures, a success indicator should be |
160 // added to the EntryAuditResult struct. | 164 // added to the EntryAuditResult struct. |
161 base::MRUCache<net::SHA256HashValue, | 165 base::MRUCache<net::SHA256HashValue, |
162 EntryAuditResult, | 166 EntryAuditResult, |
163 net::SHA256HashValueLessThan> | 167 net::SHA256HashValueLessThan> |
164 checked_entries_; | 168 checked_entries_; |
165 | 169 |
166 LogDnsClient* dns_client_; | 170 LogDnsClient* dns_client_; |
167 | 171 |
168 std::unique_ptr<base::MemoryPressureListener> memory_pressure_listener_; | 172 std::unique_ptr<base::MemoryPressureListener> memory_pressure_listener_; |
169 | 173 |
| 174 net::NetLogWithSource net_log_; |
| 175 |
170 base::WeakPtrFactory<SingleTreeTracker> weak_factory_; | 176 base::WeakPtrFactory<SingleTreeTracker> weak_factory_; |
171 | 177 |
172 DISALLOW_COPY_AND_ASSIGN(SingleTreeTracker); | 178 DISALLOW_COPY_AND_ASSIGN(SingleTreeTracker); |
173 }; | 179 }; |
174 | 180 |
175 } // namespace certificate_transparency | 181 } // namespace certificate_transparency |
176 | 182 |
177 #endif // COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ | 183 #endif // COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ |
OLD | NEW |