OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <memory> | 8 #include <memory> |
9 #include <utility> | 9 #include <utility> |
10 #include <vector> | 10 #include <vector> |
(...skipping 29 matching lines...) Expand all Loading... |
40 | 40 |
41 namespace { | 41 namespace { |
42 | 42 |
43 #include "net/http/transport_security_state_ct_policies.inc" | 43 #include "net/http/transport_security_state_ct_policies.inc" |
44 #include "net/http/transport_security_state_static.h" | 44 #include "net/http/transport_security_state_static.h" |
45 | 45 |
46 const size_t kMaxHPKPReportCacheEntries = 50; | 46 const size_t kMaxHPKPReportCacheEntries = 50; |
47 const int kTimeToRememberHPKPReportsMins = 60; | 47 const int kTimeToRememberHPKPReportsMins = 60; |
48 const size_t kReportCacheKeyLength = 16; | 48 const size_t kReportCacheKeyLength = 16; |
49 | 49 |
| 50 const uint8_t* g_hsts_huffman_tree = kHSTSHuffmanTree; |
| 51 size_t g_hsts_huffman_tree_size = sizeof(kHSTSHuffmanTree); |
| 52 const uint8_t* g_preloaded_hsts_data = kPreloadedHSTSData; |
| 53 size_t g_preloaded_hsts_bits = kPreloadedHSTSBits; |
| 54 size_t g_hsts_root_position = kHSTSRootPosition; |
| 55 const char* const* g_expect_ct_report_uris = kExpectCTReportURIs; |
| 56 const char* const* g_expect_staple_report_uris = kExpectStapleReportURIs; |
| 57 const struct Pinset* g_hsts_pinsets = kPinsets; |
| 58 size_t g_hsts_pinsets_count = arraysize(kPinsets); |
| 59 |
50 // Override for ShouldRequireCT() for unit tests. Possible values: | 60 // Override for ShouldRequireCT() for unit tests. Possible values: |
51 // -1: Unless a delegate says otherwise, do not require CT. | 61 // -1: Unless a delegate says otherwise, do not require CT. |
52 // 0: Use the default implementation (e.g. production) | 62 // 0: Use the default implementation (e.g. production) |
53 // 1: Unless a delegate says otherwise, require CT. | 63 // 1: Unless a delegate says otherwise, require CT. |
54 int g_ct_required_for_testing = 0; | 64 int g_ct_required_for_testing = 0; |
55 | 65 |
56 // LessThan comparator for use with std::binary_search() in determining | 66 // LessThan comparator for use with std::binary_search() in determining |
57 // whether a SHA-256 HashValue appears within a sorted array of | 67 // whether a SHA-256 HashValue appears within a sorted array of |
58 // SHA256HashValues. | 68 // SHA256HashValues. |
59 struct SHA256ToHashValueComparator { | 69 struct SHA256ToHashValueComparator { |
(...skipping 367 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
427 // it contains the HSTS information: whether subdomains are included, pinsets | 437 // it contains the HSTS information: whether subdomains are included, pinsets |
428 // etc. If an "end of string" matches a period in the hostname then the | 438 // etc. If an "end of string" matches a period in the hostname then the |
429 // information is remembered because, if no more specific node is found, then | 439 // information is remembered because, if no more specific node is found, then |
430 // that information applies to the hostname. | 440 // that information applies to the hostname. |
431 // | 441 // |
432 // Dispatch tables are always given in order, but the "end of string" (zero) | 442 // Dispatch tables are always given in order, but the "end of string" (zero) |
433 // value always comes before an entry for '.'. | 443 // value always comes before an entry for '.'. |
434 bool DecodeHSTSPreloadRaw(const std::string& search_hostname, | 444 bool DecodeHSTSPreloadRaw(const std::string& search_hostname, |
435 bool* out_found, | 445 bool* out_found, |
436 PreloadResult* out) { | 446 PreloadResult* out) { |
437 HuffmanDecoder huffman(kHSTSHuffmanTree, sizeof(kHSTSHuffmanTree)); | 447 HuffmanDecoder huffman(g_hsts_huffman_tree, g_hsts_huffman_tree_size); |
438 BitReader reader(kPreloadedHSTSData, kPreloadedHSTSBits); | 448 BitReader reader(g_preloaded_hsts_data, g_preloaded_hsts_bits); |
439 size_t bit_offset = kHSTSRootPosition; | 449 size_t bit_offset = g_hsts_root_position; |
440 static const char kEndOfString = 0; | 450 static const char kEndOfString = 0; |
441 static const char kEndOfTable = 127; | 451 static const char kEndOfTable = 127; |
442 | 452 |
443 *out_found = false; | 453 *out_found = false; |
444 | 454 |
445 // Ensure that |search_hostname| is a valid hostname before | 455 // Ensure that |search_hostname| is a valid hostname before |
446 // processing. | 456 // processing. |
447 if (CanonicalizeHost(search_hostname).empty()) { | 457 if (CanonicalizeHost(search_hostname).empty()) { |
448 return true; | 458 return true; |
449 } | 459 } |
(...skipping 264 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
714 report.Set("validated-certificate-chain", | 724 report.Set("validated-certificate-chain", |
715 GetPEMEncodedChainAsList(ssl_info.cert.get())); | 725 GetPEMEncodedChainAsList(ssl_info.cert.get())); |
716 | 726 |
717 if (!base::JSONWriter::Write(report, out_serialized_report)) | 727 if (!base::JSONWriter::Write(report, out_serialized_report)) |
718 return false; | 728 return false; |
719 return true; | 729 return true; |
720 } | 730 } |
721 | 731 |
722 } // namespace | 732 } // namespace |
723 | 733 |
| 734 void SetTransportSecurityStateSource( |
| 735 const uint8_t* hsts_huffman_tree, |
| 736 const size_t hsts_huffman_tree_size, |
| 737 const uint8_t* preloaded_hsts_data, |
| 738 const size_t preloaded_hsts_bits, |
| 739 const size_t hsts_root_position, |
| 740 const char* const* expect_ct_report_uris, |
| 741 const char* const* expect_staple_report_uris, |
| 742 const struct Pinset hsts_pinsets[], |
| 743 const size_t hsts_pinsets_count) { |
| 744 g_hsts_huffman_tree = hsts_huffman_tree; |
| 745 g_hsts_huffman_tree_size = hsts_huffman_tree_size; |
| 746 g_preloaded_hsts_data = preloaded_hsts_data; |
| 747 g_preloaded_hsts_bits = preloaded_hsts_bits; |
| 748 g_hsts_root_position = hsts_root_position; |
| 749 g_expect_ct_report_uris = expect_ct_report_uris; |
| 750 g_expect_staple_report_uris = expect_staple_report_uris; |
| 751 g_hsts_pinsets = hsts_pinsets; |
| 752 g_hsts_pinsets_count = hsts_pinsets_count; |
| 753 } |
| 754 |
| 755 void SetDefaultTransportSecurityStateSource() { |
| 756 g_hsts_huffman_tree = kHSTSHuffmanTree; |
| 757 g_hsts_huffman_tree_size = sizeof(kHSTSHuffmanTree); |
| 758 g_preloaded_hsts_data = kPreloadedHSTSData; |
| 759 g_preloaded_hsts_bits = kPreloadedHSTSBits; |
| 760 g_hsts_root_position = kHSTSRootPosition; |
| 761 g_expect_ct_report_uris = kExpectCTReportURIs; |
| 762 g_expect_staple_report_uris = kExpectStapleReportURIs; |
| 763 g_hsts_pinsets = kPinsets; |
| 764 g_hsts_pinsets_count = arraysize(kPinsets); |
| 765 } |
| 766 |
724 TransportSecurityState::TransportSecurityState() | 767 TransportSecurityState::TransportSecurityState() |
725 : enable_static_pins_(true), | 768 : enable_static_pins_(true), |
726 enable_static_expect_ct_(true), | 769 enable_static_expect_ct_(true), |
727 enable_static_expect_staple_(true), | 770 enable_static_expect_staple_(true), |
728 enable_pkp_bypass_for_local_trust_anchors_(true), | 771 enable_pkp_bypass_for_local_trust_anchors_(true), |
729 sent_reports_cache_(kMaxHPKPReportCacheEntries) { | 772 sent_reports_cache_(kMaxHPKPReportCacheEntries) { |
730 // Static pinning is only enabled for official builds to make sure that | 773 // Static pinning is only enabled for official builds to make sure that |
731 // others don't end up with pins that cannot be easily updated. | 774 // others don't end up with pins that cannot be easily updated. |
732 #if !defined(OFFICIAL_BUILD) || defined(OS_ANDROID) || defined(OS_IOS) | 775 #if !defined(OFFICIAL_BUILD) || defined(OS_ANDROID) || defined(OS_IOS) |
733 enable_static_pins_ = false; | 776 enable_static_pins_ = false; |
(...skipping 364 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1098 | 1141 |
1099 PreloadResult result; | 1142 PreloadResult result; |
1100 if (!DecodeHSTSPreload(host, &result)) | 1143 if (!DecodeHSTSPreload(host, &result)) |
1101 return false; | 1144 return false; |
1102 | 1145 |
1103 if (!enable_static_expect_ct_ || !result.expect_ct) | 1146 if (!enable_static_expect_ct_ || !result.expect_ct) |
1104 return false; | 1147 return false; |
1105 | 1148 |
1106 expect_ct_state->domain = host.substr(result.hostname_offset); | 1149 expect_ct_state->domain = host.substr(result.hostname_offset); |
1107 expect_ct_state->report_uri = | 1150 expect_ct_state->report_uri = |
1108 GURL(kExpectCTReportURIs[result.expect_ct_report_uri_id]); | 1151 GURL(g_expect_ct_report_uris[result.expect_ct_report_uri_id]); |
1109 return true; | 1152 return true; |
1110 } | 1153 } |
1111 | 1154 |
1112 bool TransportSecurityState::GetStaticExpectStapleState( | 1155 bool TransportSecurityState::GetStaticExpectStapleState( |
1113 const std::string& host, | 1156 const std::string& host, |
1114 ExpectStapleState* expect_staple_state) const { | 1157 ExpectStapleState* expect_staple_state) const { |
1115 DCHECK(CalledOnValidThread()); | 1158 DCHECK(CalledOnValidThread()); |
1116 | 1159 |
1117 if (!IsBuildTimely()) | 1160 if (!IsBuildTimely()) |
1118 return false; | 1161 return false; |
1119 | 1162 |
1120 PreloadResult result; | 1163 PreloadResult result; |
1121 if (!DecodeHSTSPreload(host, &result)) | 1164 if (!DecodeHSTSPreload(host, &result)) |
1122 return false; | 1165 return false; |
1123 | 1166 |
1124 if (!enable_static_expect_staple_ || !result.expect_staple) | 1167 if (!enable_static_expect_staple_ || !result.expect_staple) |
1125 return false; | 1168 return false; |
1126 | 1169 |
1127 expect_staple_state->domain = host.substr(result.hostname_offset); | 1170 expect_staple_state->domain = host.substr(result.hostname_offset); |
1128 expect_staple_state->include_subdomains = | 1171 expect_staple_state->include_subdomains = |
1129 result.expect_staple_include_subdomains; | 1172 result.expect_staple_include_subdomains; |
1130 expect_staple_state->report_uri = | 1173 expect_staple_state->report_uri = |
1131 GURL(kExpectStapleReportURIs[result.expect_staple_report_uri_id]); | 1174 GURL(g_expect_staple_report_uris[result.expect_staple_report_uri_id]); |
1132 return true; | 1175 return true; |
1133 } | 1176 } |
1134 | 1177 |
1135 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) { | 1178 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) { |
1136 DCHECK(CalledOnValidThread()); | 1179 DCHECK(CalledOnValidThread()); |
1137 | 1180 |
1138 const std::string canonicalized_host = CanonicalizeHost(host); | 1181 const std::string canonicalized_host = CanonicalizeHost(host); |
1139 if (canonicalized_host.empty()) | 1182 if (canonicalized_host.empty()) |
1140 return false; | 1183 return false; |
1141 | 1184 |
(...skipping 283 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1425 sts_state->last_observed = base::GetBuildTime(); | 1468 sts_state->last_observed = base::GetBuildTime(); |
1426 sts_state->upgrade_mode = STSState::MODE_DEFAULT; | 1469 sts_state->upgrade_mode = STSState::MODE_DEFAULT; |
1427 if (result.force_https) { | 1470 if (result.force_https) { |
1428 sts_state->upgrade_mode = STSState::MODE_FORCE_HTTPS; | 1471 sts_state->upgrade_mode = STSState::MODE_FORCE_HTTPS; |
1429 } | 1472 } |
1430 | 1473 |
1431 if (enable_static_pins_ && result.has_pins) { | 1474 if (enable_static_pins_ && result.has_pins) { |
1432 pkp_state->include_subdomains = result.pkp_include_subdomains; | 1475 pkp_state->include_subdomains = result.pkp_include_subdomains; |
1433 pkp_state->last_observed = base::GetBuildTime(); | 1476 pkp_state->last_observed = base::GetBuildTime(); |
1434 | 1477 |
1435 if (result.pinset_id >= arraysize(kPinsets)) | 1478 if (result.pinset_id >= g_hsts_pinsets_count) |
1436 return false; | 1479 return false; |
1437 const Pinset *pinset = &kPinsets[result.pinset_id]; | 1480 const Pinset* pinset = &g_hsts_pinsets[result.pinset_id]; |
1438 | 1481 |
1439 if (pinset->report_uri != kNoReportURI) | 1482 if (pinset->report_uri != kNoReportURI) |
1440 pkp_state->report_uri = GURL(pinset->report_uri); | 1483 pkp_state->report_uri = GURL(pinset->report_uri); |
1441 | 1484 |
1442 if (pinset->accepted_pins) { | 1485 if (pinset->accepted_pins) { |
1443 const char* const* sha256_hash = pinset->accepted_pins; | 1486 const char* const* sha256_hash = pinset->accepted_pins; |
1444 while (*sha256_hash) { | 1487 while (*sha256_hash) { |
1445 AddHash(*sha256_hash, &pkp_state->spki_hashes); | 1488 AddHash(*sha256_hash, &pkp_state->spki_hashes); |
1446 sha256_hash++; | 1489 sha256_hash++; |
1447 } | 1490 } |
(...skipping 206 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1654 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1697 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
1655 const TransportSecurityState& state) | 1698 const TransportSecurityState& state) |
1656 : iterator_(state.enabled_pkp_hosts_.begin()), | 1699 : iterator_(state.enabled_pkp_hosts_.begin()), |
1657 end_(state.enabled_pkp_hosts_.end()) { | 1700 end_(state.enabled_pkp_hosts_.end()) { |
1658 } | 1701 } |
1659 | 1702 |
1660 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1703 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
1661 } | 1704 } |
1662 | 1705 |
1663 } // namespace | 1706 } // namespace |
OLD | NEW |