Chromium Code Reviews Chromium Code Reviews
Issue 2726873003:
Make transport security state data source configurable. (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <memory> | 8 #include <memory> |
| 9 #include <utility> | 9 #include <utility> |
| 10 #include <vector> | 10 #include <vector> |
| (...skipping 29 matching lines...) Expand all Loading... | |
| 40 | 40 |
| 41 namespace { | 41 namespace { |
| 42 | 42 |
| 43 #include "net/http/transport_security_state_ct_policies.inc" | 43 #include "net/http/transport_security_state_ct_policies.inc" |
| 44 #include "net/http/transport_security_state_static.h" | 44 #include "net/http/transport_security_state_static.h" |
| 45 | 45 |
| 46 const size_t kMaxHPKPReportCacheEntries = 50; | 46 const size_t kMaxHPKPReportCacheEntries = 50; |
| 47 const int kTimeToRememberHPKPReportsMins = 60; | 47 const int kTimeToRememberHPKPReportsMins = 60; |
| 48 const size_t kReportCacheKeyLength = 16; | 48 const size_t kReportCacheKeyLength = 16; |
| 49 | 49 |
| 50 // Points to the active transport security state source. | |
| 51 const TransportSecurityStateSource* g_hsts_source = &kHSTSSource; | |
| 52 | |
| 50 // Override for ShouldRequireCT() for unit tests. Possible values: | 53 // Override for ShouldRequireCT() for unit tests. Possible values: |
| 51 // -1: Unless a delegate says otherwise, do not require CT. | 54 // -1: Unless a delegate says otherwise, do not require CT. |
| 52 // 0: Use the default implementation (e.g. production) | 55 // 0: Use the default implementation (e.g. production) |
| 53 // 1: Unless a delegate says otherwise, require CT. | 56 // 1: Unless a delegate says otherwise, require CT. |
| 54 int g_ct_required_for_testing = 0; | 57 int g_ct_required_for_testing = 0; |
| 55 | 58 |
| 56 // LessThan comparator for use with std::binary_search() in determining | 59 // LessThan comparator for use with std::binary_search() in determining |
| 57 // whether a SHA-256 HashValue appears within a sorted array of | 60 // whether a SHA-256 HashValue appears within a sorted array of |
| 58 // SHA256HashValues. | 61 // SHA256HashValues. |
| 59 struct SHA256ToHashValueComparator { | 62 struct SHA256ToHashValueComparator { |
| (...skipping 367 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 427 // it contains the HSTS information: whether subdomains are included, pinsets | 430 // it contains the HSTS information: whether subdomains are included, pinsets |
| 428 // etc. If an "end of string" matches a period in the hostname then the | 431 // etc. If an "end of string" matches a period in the hostname then the |
| 429 // information is remembered because, if no more specific node is found, then | 432 // information is remembered because, if no more specific node is found, then |
| 430 // that information applies to the hostname. | 433 // that information applies to the hostname. |
| 431 // | 434 // |
| 432 // Dispatch tables are always given in order, but the "end of string" (zero) | 435 // Dispatch tables are always given in order, but the "end of string" (zero) |
| 433 // value always comes before an entry for '.'. | 436 // value always comes before an entry for '.'. |
| 434 bool DecodeHSTSPreloadRaw(const std::string& search_hostname, | 437 bool DecodeHSTSPreloadRaw(const std::string& search_hostname, |
| 435 bool* out_found, | 438 bool* out_found, |
| 436 PreloadResult* out) { | 439 PreloadResult* out) { |
| 437 HuffmanDecoder huffman(kHSTSHuffmanTree, sizeof(kHSTSHuffmanTree)); | 440 HuffmanDecoder huffman(g_hsts_source->huffman_tree, |
| 438 BitReader reader(kPreloadedHSTSData, kPreloadedHSTSBits); | 441 g_hsts_source->huffman_tree_size); |
| 439 size_t bit_offset = kHSTSRootPosition; | 442 BitReader reader(g_hsts_source->preloaded_data, |
| 443 g_hsts_source->preloaded_bits); | |
| 444 size_t bit_offset = g_hsts_source->root_position; | |
| 440 static const char kEndOfString = 0; | 445 static const char kEndOfString = 0; |
| 441 static const char kEndOfTable = 127; | 446 static const char kEndOfTable = 127; |
| 442 | 447 |
| 443 *out_found = false; | 448 *out_found = false; |
| 444 | 449 |
| 445 // Ensure that |search_hostname| is a valid hostname before | 450 // Ensure that |search_hostname| is a valid hostname before |
| 446 // processing. | 451 // processing. |
| 447 if (CanonicalizeHost(search_hostname).empty()) { | 452 if (CanonicalizeHost(search_hostname).empty()) { |
| 448 return true; | 453 return true; |
| 449 } | 454 } |
| (...skipping 264 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 714 report.Set("validated-certificate-chain", | 719 report.Set("validated-certificate-chain", |
| 715 GetPEMEncodedChainAsList(ssl_info.cert.get())); | 720 GetPEMEncodedChainAsList(ssl_info.cert.get())); |
| 716 | 721 |
| 717 if (!base::JSONWriter::Write(report, out_serialized_report)) | 722 if (!base::JSONWriter::Write(report, out_serialized_report)) |
| 718 return false; | 723 return false; |
| 719 return true; | 724 return true; |
| 720 } | 725 } |
| 721 | 726 |
| 722 } // namespace | 727 } // namespace |
| 723 | 728 |
| 729 void SetTransportSecurityStateSourceForTesting( | |
| 730 const TransportSecurityStateSource* source) { | |
| 731 if (source) { | |
| 732 g_hsts_source = source; | |
| 733 } else { | |
| 734 g_hsts_source = &kHSTSSource; | |
| 735 } | |
|
Ryan Sleevi
2017/03/17 22:07:16
extremely pedantic nit:
g_hsts_source = source ?
martijnc
2017/03/18 16:09:58
Done.
| |
| 736 } | |
| 737 | |
| 724 TransportSecurityState::TransportSecurityState() | 738 TransportSecurityState::TransportSecurityState() |
| 725 : enable_static_pins_(true), | 739 : enable_static_pins_(true), |
| 726 enable_static_expect_ct_(true), | 740 enable_static_expect_ct_(true), |
| 727 enable_static_expect_staple_(true), | 741 enable_static_expect_staple_(true), |
| 728 enable_pkp_bypass_for_local_trust_anchors_(true), | 742 enable_pkp_bypass_for_local_trust_anchors_(true), |
| 729 sent_reports_cache_(kMaxHPKPReportCacheEntries) { | 743 sent_reports_cache_(kMaxHPKPReportCacheEntries) { |
| 730 // Static pinning is only enabled for official builds to make sure that | 744 // Static pinning is only enabled for official builds to make sure that |
| 731 // others don't end up with pins that cannot be easily updated. | 745 // others don't end up with pins that cannot be easily updated. |
| 732 #if !defined(GOOGLE_CHROME_BUILD) || defined(OS_ANDROID) || defined(OS_IOS) | 746 #if !defined(GOOGLE_CHROME_BUILD) || defined(OS_ANDROID) || defined(OS_IOS) |
| 733 enable_static_pins_ = false; | 747 enable_static_pins_ = false; |
| (...skipping 363 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1097 return false; | 1111 return false; |
| 1098 | 1112 |
| 1099 PreloadResult result; | 1113 PreloadResult result; |
| 1100 if (!DecodeHSTSPreload(host, &result)) | 1114 if (!DecodeHSTSPreload(host, &result)) |
| 1101 return false; | 1115 return false; |
| 1102 | 1116 |
| 1103 if (!enable_static_expect_ct_ || !result.expect_ct) | 1117 if (!enable_static_expect_ct_ || !result.expect_ct) |
| 1104 return false; | 1118 return false; |
| 1105 | 1119 |
| 1106 expect_ct_state->domain = host.substr(result.hostname_offset); | 1120 expect_ct_state->domain = host.substr(result.hostname_offset); |
| 1107 expect_ct_state->report_uri = | 1121 expect_ct_state->report_uri = GURL( |
| 1108 GURL(kExpectCTReportURIs[result.expect_ct_report_uri_id]); | 1122 g_hsts_source->expect_ct_report_uris[result.expect_ct_report_uri_id]); |
| 1109 return true; | 1123 return true; |
| 1110 } | 1124 } |
| 1111 | 1125 |
| 1112 bool TransportSecurityState::GetStaticExpectStapleState( | 1126 bool TransportSecurityState::GetStaticExpectStapleState( |
| 1113 const std::string& host, | 1127 const std::string& host, |
| 1114 ExpectStapleState* expect_staple_state) const { | 1128 ExpectStapleState* expect_staple_state) const { |
| 1115 DCHECK(CalledOnValidThread()); | 1129 DCHECK(CalledOnValidThread()); |
| 1116 | 1130 |
| 1117 if (!IsBuildTimely()) | 1131 if (!IsBuildTimely()) |
| 1118 return false; | 1132 return false; |
| 1119 | 1133 |
| 1120 PreloadResult result; | 1134 PreloadResult result; |
| 1121 if (!DecodeHSTSPreload(host, &result)) | 1135 if (!DecodeHSTSPreload(host, &result)) |
| 1122 return false; | 1136 return false; |
| 1123 | 1137 |
| 1124 if (!enable_static_expect_staple_ || !result.expect_staple) | 1138 if (!enable_static_expect_staple_ || !result.expect_staple) |
| 1125 return false; | 1139 return false; |
| 1126 | 1140 |
| 1127 expect_staple_state->domain = host.substr(result.hostname_offset); | 1141 expect_staple_state->domain = host.substr(result.hostname_offset); |
| 1128 expect_staple_state->include_subdomains = | 1142 expect_staple_state->include_subdomains = |
| 1129 result.expect_staple_include_subdomains; | 1143 result.expect_staple_include_subdomains; |
| 1130 expect_staple_state->report_uri = | 1144 expect_staple_state->report_uri = |
| 1131 GURL(kExpectStapleReportURIs[result.expect_staple_report_uri_id]); | 1145 GURL(g_hsts_source |
| 1146 ->expect_staple_report_uris[result.expect_staple_report_uri_id]); | |
| 1132 return true; | 1147 return true; |
| 1133 } | 1148 } |
| 1134 | 1149 |
| 1135 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) { | 1150 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) { |
| 1136 DCHECK(CalledOnValidThread()); | 1151 DCHECK(CalledOnValidThread()); |
| 1137 | 1152 |
| 1138 const std::string canonicalized_host = CanonicalizeHost(host); | 1153 const std::string canonicalized_host = CanonicalizeHost(host); |
| 1139 if (canonicalized_host.empty()) | 1154 if (canonicalized_host.empty()) |
| 1140 return false; | 1155 return false; |
| 1141 | 1156 |
| (...skipping 283 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1425 sts_state->last_observed = base::GetBuildTime(); | 1440 sts_state->last_observed = base::GetBuildTime(); |
| 1426 sts_state->upgrade_mode = STSState::MODE_DEFAULT; | 1441 sts_state->upgrade_mode = STSState::MODE_DEFAULT; |
| 1427 if (result.force_https) { | 1442 if (result.force_https) { |
| 1428 sts_state->upgrade_mode = STSState::MODE_FORCE_HTTPS; | 1443 sts_state->upgrade_mode = STSState::MODE_FORCE_HTTPS; |
| 1429 } | 1444 } |
| 1430 | 1445 |
| 1431 if (enable_static_pins_ && result.has_pins) { | 1446 if (enable_static_pins_ && result.has_pins) { |
| 1432 pkp_state->include_subdomains = result.pkp_include_subdomains; | 1447 pkp_state->include_subdomains = result.pkp_include_subdomains; |
| 1433 pkp_state->last_observed = base::GetBuildTime(); | 1448 pkp_state->last_observed = base::GetBuildTime(); |
| 1434 | 1449 |
| 1435 if (result.pinset_id >= arraysize(kPinsets)) | 1450 if (result.pinset_id >= g_hsts_source->pinsets_count) |
| 1436 return false; | 1451 return false; |
| 1437 const Pinset *pinset = &kPinsets[result.pinset_id]; | 1452 const TransportSecurityStateSource::Pinset* pinset = |
| 1453 &g_hsts_source->pinsets[result.pinset_id]; | |
| 1438 | 1454 |
| 1439 if (pinset->report_uri != kNoReportURI) | 1455 if (pinset->report_uri != kNoReportURI) |
| 1440 pkp_state->report_uri = GURL(pinset->report_uri); | 1456 pkp_state->report_uri = GURL(pinset->report_uri); |
| 1441 | 1457 |
| 1442 if (pinset->accepted_pins) { | 1458 if (pinset->accepted_pins) { |
| 1443 const char* const* sha256_hash = pinset->accepted_pins; | 1459 const char* const* sha256_hash = pinset->accepted_pins; |
| 1444 while (*sha256_hash) { | 1460 while (*sha256_hash) { |
| 1445 AddHash(*sha256_hash, &pkp_state->spki_hashes); | 1461 AddHash(*sha256_hash, &pkp_state->spki_hashes); |
| 1446 sha256_hash++; | 1462 sha256_hash++; |
| 1447 } | 1463 } |
| (...skipping 206 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1654 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1670 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
| 1655 const TransportSecurityState& state) | 1671 const TransportSecurityState& state) |
| 1656 : iterator_(state.enabled_pkp_hosts_.begin()), | 1672 : iterator_(state.enabled_pkp_hosts_.begin()), |
| 1657 end_(state.enabled_pkp_hosts_.end()) { | 1673 end_(state.enabled_pkp_hosts_.end()) { |
| 1658 } | 1674 } |
| 1659 | 1675 |
| 1660 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1676 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
| 1661 } | 1677 } |
| 1662 | 1678 |
| 1663 } // namespace | 1679 } // namespace |
| OLD | NEW |
