1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ | 5 #ifndef COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ |
6 #define COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ | 6 #define COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ |
7 | 7 |
8 #include <map> | 8 #include <map> |
9 #include <memory> | 9 #include <memory> |
10 #include <string> | 10 #include <string> |
11 | 11 |
12 #include "base/containers/mru_cache.h" | 12 #include "base/containers/mru_cache.h" |
13 #include "base/memory/memory_pressure_monitor.h" | 13 #include "base/memory/memory_pressure_monitor.h" |
14 #include "base/memory/ref_counted.h" | 14 #include "base/memory/ref_counted.h" |
15 #include "base/memory/weak_ptr.h" | 15 #include "base/memory/weak_ptr.h" |
16 #include "net/base/hash_value.h" | 16 #include "net/base/hash_value.h" |
| 17 #include "net/base/network_change_notifier.h" |
17 #include "net/cert/ct_verifier.h" | 18 #include "net/cert/ct_verifier.h" |
18 #include "net/cert/signed_tree_head.h" | 19 #include "net/cert/signed_tree_head.h" |
19 #include "net/cert/sth_observer.h" | 20 #include "net/cert/sth_observer.h" |
20 #include "net/log/net_log_with_source.h" | 21 #include "net/log/net_log_with_source.h" |
21 | 22 |
22 namespace net { | 23 namespace net { |
23 | 24 |
24 class CTLogVerifier; | 25 class CTLogVerifier; |
25 class X509Certificate; | 26 class X509Certificate; |
26 | 27 |
106 // |sct| is not an SCT for |cert| or |sct| is not for this log, | 107 // |sct| is not an SCT for |cert| or |sct| is not for this log, |
107 // SCT_NOT_OBSERVED will be returned. | 108 // SCT_NOT_OBSERVED will be returned. |
108 SCTInclusionStatus GetLogEntryInclusionStatus( | 109 SCTInclusionStatus GetLogEntryInclusionStatus( |
109 net::X509Certificate* cert, | 110 net::X509Certificate* cert, |
110 const net::ct::SignedCertificateTimestamp* sct); | 111 const net::ct::SignedCertificateTimestamp* sct); |
111 | 112 |
112 private: | 113 private: |
113 struct EntryToAudit; | 114 struct EntryToAudit; |
114 struct EntryAuditState; | 115 struct EntryAuditState; |
115 struct EntryAuditResult {}; | 116 struct EntryAuditResult {}; |
| 117 class NetworkObserver; |
| 118 friend class NetworkObserver; |
116 | 119 |
117 // Less-than comparator that sorts EntryToAudits based on the SCT timestamp, | 120 // Less-than comparator that sorts EntryToAudits based on the SCT timestamp, |
118 // with smaller (older) SCTs appearing less than larger (newer) SCTs. | 121 // with smaller (older) SCTs appearing less than larger (newer) SCTs. |
119 struct OrderByTimestamp { | 122 struct OrderByTimestamp { |
120 bool operator()(const EntryToAudit& lhs, const EntryToAudit& rhs) const; | 123 bool operator()(const EntryToAudit& lhs, const EntryToAudit& rhs) const; |
121 }; | 124 }; |
122 | 125 |
123 // Requests an inclusion proof for each of the entries in |pending_entries_| | 126 // Requests an inclusion proof for each of the entries in |pending_entries_| |
124 // until throttled by the LogDnsClient. | 127 // until throttled by the LogDnsClient. |
125 void ProcessPendingEntries(); | 128 void ProcessPendingEntries(); |
126 | 129 |
127 // Returns the inclusion status of the given |entry|, similar to | 130 // Returns the inclusion status of the given |entry|, similar to |
128 // GetLogEntryInclusionStatus(). The |entry| is an internal representation of | 131 // GetLogEntryInclusionStatus(). The |entry| is an internal representation of |
129 // a certificate + SCT combination. | 132 // a certificate + SCT combination. |
130 SCTInclusionStatus GetAuditedEntryInclusionStatus(const EntryToAudit& entry); | 133 SCTInclusionStatus GetAuditedEntryInclusionStatus(const EntryToAudit& entry); |
131 | 134 |
132 // Processes the result of obtaining an audit proof for |entry|. | 135 // Processes the result of obtaining an audit proof for |entry|. |
133 // * If an audit proof was successfully obtained and validated, | 136 // * If an audit proof was successfully obtained and validated, |
134 // updates |checked_entries_| so that future calls to | 137 // updates |checked_entries_| so that future calls to |
135 // GetLogEntryInclusionStatus() will indicate the entry's | 138 // GetLogEntryInclusionStatus() will indicate the entry's |
136 // inclusion. | 139 // inclusion. |
137 // * If there was a failure to obtain or validate an inclusion | 140 // * If there was a failure to obtain or validate an inclusion |
138 // proof, removes |entry| from the queue of entries to validate. | 141 // proof, removes |entry| from the queue of entries to validate. |
139 // Future calls to GetLogEntryInclusionStatus() will indicate the entry | 142 // Future calls to GetLogEntryInclusionStatus() will indicate the entry |
140 // has not been observed. | 143 // has not been observed. |
141 void OnAuditProofObtained(const EntryToAudit& entry, int net_error); | 144 void OnAuditProofObtained(const EntryToAudit& entry, int net_error); |
142 | 145 |
| 146 // Discards all entries pending inclusion check on network change. |
| 147 // That is done to prevent the client looking up inclusion proofs for |
| 148 // certificates received from one network, on another network, thus |
| 149 // leaking state between networks. |
| 150 void ResetPendingQueue(); |
| 151 |
143 // Clears entries to reduce memory overhead. | 152 // Clears entries to reduce memory overhead. |
144 void OnMemoryPressure( | 153 void OnMemoryPressure( |
145 base::MemoryPressureListener::MemoryPressureLevel memory_pressure_level); | 154 base::MemoryPressureListener::MemoryPressureLevel memory_pressure_level); |
146 | 155 |
147 void LogAuditResultToNetLog(const EntryToAudit& entry, bool success); | 156 void LogAuditResultToNetLog(const EntryToAudit& entry, bool success); |
148 | 157 |
149 // Holds the latest STH fetched and verified for this log. | 158 // Holds the latest STH fetched and verified for this log. |
150 net::ct::SignedTreeHead verified_sth_; | 159 net::ct::SignedTreeHead verified_sth_; |
151 | 160 |
152 // The log being tracked. | 161 // The log being tracked. |
166 EntryAuditResult, | 175 EntryAuditResult, |
167 net::SHA256HashValueLessThan> | 176 net::SHA256HashValueLessThan> |
168 checked_entries_; | 177 checked_entries_; |
169 | 178 |
170 LogDnsClient* dns_client_; | 179 LogDnsClient* dns_client_; |
171 | 180 |
172 std::unique_ptr<base::MemoryPressureListener> memory_pressure_listener_; | 181 std::unique_ptr<base::MemoryPressureListener> memory_pressure_listener_; |
173 | 182 |
174 net::NetLogWithSource net_log_; | 183 net::NetLogWithSource net_log_; |
175 | 184 |
| 185 std::unique_ptr<NetworkObserver> network_observer_; |
| 186 |
176 base::WeakPtrFactory<SingleTreeTracker> weak_factory_; | 187 base::WeakPtrFactory<SingleTreeTracker> weak_factory_; |
177 | 188 |
178 DISALLOW_COPY_AND_ASSIGN(SingleTreeTracker); | 189 DISALLOW_COPY_AND_ASSIGN(SingleTreeTracker); |
179 }; | 190 }; |
180 | 191 |
181 } // namespace certificate_transparency | 192 } // namespace certificate_transparency |
182 | 193 |
183 #endif // COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ | 194 #endif // COMPONENTS_CERTIFICATE_TRANSPARENCY_SINGLE_TREE_TRACKER_H_ |
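Review bot: The comment on `ResetPendingQueue()` (new lines 146–150) explains why pending entries are dropped on a network change, but it does not say what happens to inclusion-proof requests that ProcessPendingEntries() has already handed to the LogDnsClient, nor what GetLogEntryInclusionStatus() reports for a discarded entry afterwards; the stated goal of not leaking state between networks depends on both, so the header should pin them down. Suggest adding, after the existing sentences, a line stating whether in-flight requests are cancelled or left to complete (the .cc is not visible here, so pick whichever matches), for example `// Requests already issued to |dns_client_| are not cancelled; OnAuditProofObtained() may still run for them.` if that is the behaviour. Also mirror the OnAuditProofObtained() comment by stating the post-reset status, e.g. `// Afterwards GetLogEntryInclusionStatus() reports SCT_NOT_OBSERVED for the discarded entries.` It is also worth naming which NetworkChangeNotifier event NetworkObserver listens for, since "network change" alone is ambiguous. The `friend class NetworkObserver;` on new line 118 is presumably redundant for a nested class under C++11 (nested classes have member access), unless it is kept for a specific toolchain — a one-line comment saying so would avoid the question on the next review.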