| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
| 6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
| 7 | 7 |
| 8 #include <map> | 8 #include <map> |
| 9 #include <string> | 9 #include <string> |
| 10 #include <utility> | 10 #include <utility> |
| (...skipping 206 matching lines...) |
| 217 bool sni_enabled, | 217 bool sni_enabled, |
| 218 DomainState* result); | 218 DomainState* result); |
| 219 | 219 |
| 220 // Processes an HSTS header value from the host, adding entries to | 220 // Processes an HSTS header value from the host, adding entries to |
| 221 // dynamic state if necessary. | 221 // dynamic state if necessary. |
| 222 bool AddHSTSHeader(const std::string& host, const std::string& value); | 222 bool AddHSTSHeader(const std::string& host, const std::string& value); |
| 223 | 223 |
| 224 // Processes an HPKP header value from the host, adding entries to | 224 // Processes an HPKP header value from the host, adding entries to |
| 225 // dynamic state if necessary. ssl_info is used to check that | 225 // dynamic state if necessary. ssl_info is used to check that |
| 226 // the specified pins overlap with the certificate chain. | 226 // the specified pins overlap with the certificate chain. |
| 227 bool AddHPKPHeader(const std::string& host, const std::string& value, | 227 bool AddHPKPHeader(const std::string& host, |
| 228 const std::string& value, |
| 228 const SSLInfo& ssl_info); | 229 const SSLInfo& ssl_info); |
| 229 | 230 |
| 230 // Adds explicitly-specified data as if it was processed from an | 231 // Adds explicitly-specified data as if it was processed from an |
| 231 // HSTS header (used for net-internals and unit tests). | 232 // HSTS header (used for net-internals and unit tests). |
| 232 bool AddHSTS(const std::string& host, const base::Time& expiry, | 233 bool AddHSTS(const std::string& host, |
| 234 const base::Time& expiry, |
| 233 bool include_subdomains); | 235 bool include_subdomains); |
| 234 | 236 |
| 235 // Adds explicitly-specified data as if it was processed from an | 237 // Adds explicitly-specified data as if it was processed from an |
| 236 // HPKP header (used for net-internals and unit tests). | 238 // HPKP header (used for net-internals and unit tests). |
| 237 bool AddHPKP(const std::string& host, const base::Time& expiry, | 239 bool AddHPKP(const std::string& host, |
| 238 bool include_subdomains, const HashValueVector& hashes); | 240 const base::Time& expiry, |
| 241 bool include_subdomains, |
| 242 const HashValueVector& hashes); |
| 239 | 243 |
| 240 // Returns true iff we have any static public key pins for the |host| and | 244 // Returns true iff we have any static public key pins for the |host| and |
| 241 // iff its set of required pins is the set we expect for Google | 245 // iff its set of required pins is the set we expect for Google |
| 242 // properties. | 246 // properties. |
| 243 // | 247 // |
| 244 // If |sni_enabled| is true, searches the static pins defined for | 248 // If |sni_enabled| is true, searches the static pins defined for |
| 245 // SNI-using hosts as well as the rest of the pins. | 249 // SNI-using hosts as well as the rest of the pins. |
| 246 // | 250 // |
| 247 // If |host| matches both an exact entry and is a subdomain of another | 251 // If |host| matches both an exact entry and is a subdomain of another |
| 248 // entry, the exact match determines the return value. | 252 // entry, the exact match determines the return value. |
| 249 static bool IsGooglePinnedProperty(const std::string& host, | 253 static bool IsGooglePinnedProperty(const std::string& host, bool sni_enabled); |
| 250 bool sni_enabled); | |
| 251 | 254 |
| 252 // The maximum number of seconds for which we'll cache an HSTS request. | 255 // The maximum number of seconds for which we'll cache an HSTS request. |
| 253 static const long int kMaxHSTSAgeSecs; | 256 static const long int kMaxHSTSAgeSecs; |
| 254 | 257 |
| 255 // Send an UMA report on pin validation failure, if the host is in a | 258 // Send an UMA report on pin validation failure, if the host is in a |
| 256 // statically-defined list of domains. | 259 // statically-defined list of domains. |
| 257 // | 260 // |
| 258 // TODO(palmer): This doesn't really belong here, and should be moved into | 261 // TODO(palmer): This doesn't really belong here, and should be moved into |
| 259 // the exactly one call site. This requires unifying |struct HSTSPreload| | 262 // the exactly one call site. This requires unifying |struct HSTSPreload| |
| 260 // (an implementation detail of this class) with a more generic | 263 // (an implementation detail of this class) with a more generic |
| 261 // representation of first-class DomainStates, and exposing the preloads | 264 // representation of first-class DomainStates, and exposing the preloads |
| 262 // to the caller with |GetStaticDomainState|. | 265 // to the caller with |GetStaticDomainState|. |
| 263 static void ReportUMAOnPinFailure(const std::string& host); | 266 static void ReportUMAOnPinFailure(const std::string& host); |
| 264 | 267 |
| 265 // IsBuildTimely returns true if the current build is new enough ensure that | 268 // IsBuildTimely returns true if the current build is new enough ensure that |
| 266 // built in security information (i.e. HSTS preloading and pinning | 269 // built in security information (i.e. HSTS preloading and pinning |
| 267 // information) is timely. | 270 // information) is timely. |
| 268 static bool IsBuildTimely(); | 271 static bool IsBuildTimely(); |
| 269 | 272 |
| 270 private: | 273 private: |
| 271 friend class TransportSecurityStateTest; | 274 friend class TransportSecurityStateTest; |
| 272 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, | 275 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); |
| 273 UpdateDynamicPKPOnly); | |
| 274 | 276 |
| 275 typedef std::map<std::string, DomainState> DomainStateMap; | 277 typedef std::map<std::string, DomainState> DomainStateMap; |
| 276 | 278 |
| 277 // If a Delegate is present, notify it that the internal state has | 279 // If a Delegate is present, notify it that the internal state has |
| 278 // changed. | 280 // changed. |
| 279 void DirtyNotify(); | 281 void DirtyNotify(); |
| 280 | 282 |
| 281 // Enable TransportSecurity for |host|. |state| supercedes any previous | 283 // Enable TransportSecurity for |host|. |state| supercedes any previous |
| 282 // state for the |host|, including static entries. | 284 // state for the |host|, including static entries. |
| 283 // | 285 // |
| (...skipping 42 matching lines...) |
| 326 DomainStateMap enabled_hosts_; | 328 DomainStateMap enabled_hosts_; |
| 327 | 329 |
| 328 Delegate* delegate_; | 330 Delegate* delegate_; |
| 329 | 331 |
| 330 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); | 332 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); |
| 331 }; | 333 }; |
| 332 | 334 |
| 333 } // namespace net | 335 } // namespace net |
| 334 | 336 |
| 335 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 337 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
| OLD | NEW |