| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <memory> | 8 #include <memory> |
| 9 #include <utility> | 9 #include <utility> |
| 10 #include <vector> | 10 #include <vector> |
| (...skipping 29 matching lines...) Expand all Loading... |
| 40 | 40 |
| 41 namespace { | 41 namespace { |
| 42 | 42 |
| 43 #include "net/http/transport_security_state_ct_policies.inc" | 43 #include "net/http/transport_security_state_ct_policies.inc" |
| 44 #include "net/http/transport_security_state_static.h" | 44 #include "net/http/transport_security_state_static.h" |
| 45 | 45 |
| 46 const size_t kMaxHPKPReportCacheEntries = 50; | 46 const size_t kMaxHPKPReportCacheEntries = 50; |
| 47 const int kTimeToRememberHPKPReportsMins = 60; | 47 const int kTimeToRememberHPKPReportsMins = 60; |
| 48 const size_t kReportCacheKeyLength = 16; | 48 const size_t kReportCacheKeyLength = 16; |
| 49 | 49 |
| 50 // Points to the active transport security state source. |
| 51 const TransportSecurityStateSource* g_hsts_source = &kHSTSSource; |
| 52 |
| 50 // Override for ShouldRequireCT() for unit tests. Possible values: | 53 // Override for ShouldRequireCT() for unit tests. Possible values: |
| 51 // -1: Unless a delegate says otherwise, do not require CT. | 54 // -1: Unless a delegate says otherwise, do not require CT. |
| 52 // 0: Use the default implementation (e.g. production) | 55 // 0: Use the default implementation (e.g. production) |
| 53 // 1: Unless a delegate says otherwise, require CT. | 56 // 1: Unless a delegate says otherwise, require CT. |
| 54 int g_ct_required_for_testing = 0; | 57 int g_ct_required_for_testing = 0; |
| 55 | 58 |
| 56 // LessThan comparator for use with std::binary_search() in determining | 59 // LessThan comparator for use with std::binary_search() in determining |
| 57 // whether a SHA-256 HashValue appears within a sorted array of | 60 // whether a SHA-256 HashValue appears within a sorted array of |
| 58 // SHA256HashValues. | 61 // SHA256HashValues. |
| 59 struct SHA256ToHashValueComparator { | 62 struct SHA256ToHashValueComparator { |
| (...skipping 367 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 427 // it contains the HSTS information: whether subdomains are included, pinsets | 430 // it contains the HSTS information: whether subdomains are included, pinsets |
| 428 // etc. If an "end of string" matches a period in the hostname then the | 431 // etc. If an "end of string" matches a period in the hostname then the |
| 429 // information is remembered because, if no more specific node is found, then | 432 // information is remembered because, if no more specific node is found, then |
| 430 // that information applies to the hostname. | 433 // that information applies to the hostname. |
| 431 // | 434 // |
| 432 // Dispatch tables are always given in order, but the "end of string" (zero) | 435 // Dispatch tables are always given in order, but the "end of string" (zero) |
| 433 // value always comes before an entry for '.'. | 436 // value always comes before an entry for '.'. |
| 434 bool DecodeHSTSPreloadRaw(const std::string& search_hostname, | 437 bool DecodeHSTSPreloadRaw(const std::string& search_hostname, |
| 435 bool* out_found, | 438 bool* out_found, |
| 436 PreloadResult* out) { | 439 PreloadResult* out) { |
| 437 HuffmanDecoder huffman(kHSTSHuffmanTree, sizeof(kHSTSHuffmanTree)); | 440 HuffmanDecoder huffman(g_hsts_source->huffman_tree, |
| 438 BitReader reader(kPreloadedHSTSData, kPreloadedHSTSBits); | 441 g_hsts_source->huffman_tree_size); |
| 439 size_t bit_offset = kHSTSRootPosition; | 442 BitReader reader(g_hsts_source->preloaded_data, |
| 443 g_hsts_source->preloaded_bits); |
| 444 size_t bit_offset = g_hsts_source->root_position; |
| 440 static const char kEndOfString = 0; | 445 static const char kEndOfString = 0; |
| 441 static const char kEndOfTable = 127; | 446 static const char kEndOfTable = 127; |
| 442 | 447 |
| 443 *out_found = false; | 448 *out_found = false; |
| 444 | 449 |
| 445 // Ensure that |search_hostname| is a valid hostname before | 450 // Ensure that |search_hostname| is a valid hostname before |
| 446 // processing. | 451 // processing. |
| 447 if (CanonicalizeHost(search_hostname).empty()) { | 452 if (CanonicalizeHost(search_hostname).empty()) { |
| 448 return true; | 453 return true; |
| 449 } | 454 } |
| (...skipping 264 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 714 report.Set("validated-certificate-chain", | 719 report.Set("validated-certificate-chain", |
| 715 GetPEMEncodedChainAsList(ssl_info.cert.get())); | 720 GetPEMEncodedChainAsList(ssl_info.cert.get())); |
| 716 | 721 |
| 717 if (!base::JSONWriter::Write(report, out_serialized_report)) | 722 if (!base::JSONWriter::Write(report, out_serialized_report)) |
| 718 return false; | 723 return false; |
| 719 return true; | 724 return true; |
| 720 } | 725 } |
| 721 | 726 |
| 722 } // namespace | 727 } // namespace |
| 723 | 728 |
| 729 void SetTransportSecurityStateSourceForTesting( |
| 730 const TransportSecurityStateSource* source) { |
| 731 g_hsts_source = source ? source : &kHSTSSource; |
| 732 } |
| 733 |
| 724 TransportSecurityState::TransportSecurityState() | 734 TransportSecurityState::TransportSecurityState() |
| 725 : enable_static_pins_(true), | 735 : enable_static_pins_(true), |
| 726 enable_static_expect_ct_(true), | 736 enable_static_expect_ct_(true), |
| 727 enable_static_expect_staple_(true), | 737 enable_static_expect_staple_(true), |
| 728 enable_pkp_bypass_for_local_trust_anchors_(true), | 738 enable_pkp_bypass_for_local_trust_anchors_(true), |
| 729 sent_reports_cache_(kMaxHPKPReportCacheEntries) { | 739 sent_reports_cache_(kMaxHPKPReportCacheEntries) { |
| 730 // Static pinning is only enabled for official builds to make sure that | 740 // Static pinning is only enabled for official builds to make sure that |
| 731 // others don't end up with pins that cannot be easily updated. | 741 // others don't end up with pins that cannot be easily updated. |
| 732 #if !defined(GOOGLE_CHROME_BUILD) || defined(OS_ANDROID) || defined(OS_IOS) | 742 #if !defined(GOOGLE_CHROME_BUILD) || defined(OS_ANDROID) || defined(OS_IOS) |
| 733 enable_static_pins_ = false; | 743 enable_static_pins_ = false; |
| (...skipping 363 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1097 return false; | 1107 return false; |
| 1098 | 1108 |
| 1099 PreloadResult result; | 1109 PreloadResult result; |
| 1100 if (!DecodeHSTSPreload(host, &result)) | 1110 if (!DecodeHSTSPreload(host, &result)) |
| 1101 return false; | 1111 return false; |
| 1102 | 1112 |
| 1103 if (!enable_static_expect_ct_ || !result.expect_ct) | 1113 if (!enable_static_expect_ct_ || !result.expect_ct) |
| 1104 return false; | 1114 return false; |
| 1105 | 1115 |
| 1106 expect_ct_state->domain = host.substr(result.hostname_offset); | 1116 expect_ct_state->domain = host.substr(result.hostname_offset); |
| 1107 expect_ct_state->report_uri = | 1117 expect_ct_state->report_uri = GURL( |
| 1108 GURL(kExpectCTReportURIs[result.expect_ct_report_uri_id]); | 1118 g_hsts_source->expect_ct_report_uris[result.expect_ct_report_uri_id]); |
| 1109 return true; | 1119 return true; |
| 1110 } | 1120 } |
| 1111 | 1121 |
| 1112 bool TransportSecurityState::GetStaticExpectStapleState( | 1122 bool TransportSecurityState::GetStaticExpectStapleState( |
| 1113 const std::string& host, | 1123 const std::string& host, |
| 1114 ExpectStapleState* expect_staple_state) const { | 1124 ExpectStapleState* expect_staple_state) const { |
| 1115 DCHECK(CalledOnValidThread()); | 1125 DCHECK(CalledOnValidThread()); |
| 1116 | 1126 |
| 1117 if (!IsBuildTimely()) | 1127 if (!IsBuildTimely()) |
| 1118 return false; | 1128 return false; |
| 1119 | 1129 |
| 1120 PreloadResult result; | 1130 PreloadResult result; |
| 1121 if (!DecodeHSTSPreload(host, &result)) | 1131 if (!DecodeHSTSPreload(host, &result)) |
| 1122 return false; | 1132 return false; |
| 1123 | 1133 |
| 1124 if (!enable_static_expect_staple_ || !result.expect_staple) | 1134 if (!enable_static_expect_staple_ || !result.expect_staple) |
| 1125 return false; | 1135 return false; |
| 1126 | 1136 |
| 1127 expect_staple_state->domain = host.substr(result.hostname_offset); | 1137 expect_staple_state->domain = host.substr(result.hostname_offset); |
| 1128 expect_staple_state->include_subdomains = | 1138 expect_staple_state->include_subdomains = |
| 1129 result.expect_staple_include_subdomains; | 1139 result.expect_staple_include_subdomains; |
| 1130 expect_staple_state->report_uri = | 1140 expect_staple_state->report_uri = |
| 1131 GURL(kExpectStapleReportURIs[result.expect_staple_report_uri_id]); | 1141 GURL(g_hsts_source |
| 1142 ->expect_staple_report_uris[result.expect_staple_report_uri_id]); |
| 1132 return true; | 1143 return true; |
| 1133 } | 1144 } |
| 1134 | 1145 |
| 1135 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) { | 1146 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) { |
| 1136 DCHECK(CalledOnValidThread()); | 1147 DCHECK(CalledOnValidThread()); |
| 1137 | 1148 |
| 1138 const std::string canonicalized_host = CanonicalizeHost(host); | 1149 const std::string canonicalized_host = CanonicalizeHost(host); |
| 1139 if (canonicalized_host.empty()) | 1150 if (canonicalized_host.empty()) |
| 1140 return false; | 1151 return false; |
| 1141 | 1152 |
| (...skipping 283 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1425 sts_state->last_observed = base::GetBuildTime(); | 1436 sts_state->last_observed = base::GetBuildTime(); |
| 1426 sts_state->upgrade_mode = STSState::MODE_DEFAULT; | 1437 sts_state->upgrade_mode = STSState::MODE_DEFAULT; |
| 1427 if (result.force_https) { | 1438 if (result.force_https) { |
| 1428 sts_state->upgrade_mode = STSState::MODE_FORCE_HTTPS; | 1439 sts_state->upgrade_mode = STSState::MODE_FORCE_HTTPS; |
| 1429 } | 1440 } |
| 1430 | 1441 |
| 1431 if (enable_static_pins_ && result.has_pins) { | 1442 if (enable_static_pins_ && result.has_pins) { |
| 1432 pkp_state->include_subdomains = result.pkp_include_subdomains; | 1443 pkp_state->include_subdomains = result.pkp_include_subdomains; |
| 1433 pkp_state->last_observed = base::GetBuildTime(); | 1444 pkp_state->last_observed = base::GetBuildTime(); |
| 1434 | 1445 |
| 1435 if (result.pinset_id >= arraysize(kPinsets)) | 1446 if (result.pinset_id >= g_hsts_source->pinsets_count) |
| 1436 return false; | 1447 return false; |
| 1437 const Pinset *pinset = &kPinsets[result.pinset_id]; | 1448 const TransportSecurityStateSource::Pinset* pinset = |
| 1449 &g_hsts_source->pinsets[result.pinset_id]; |
| 1438 | 1450 |
| 1439 if (pinset->report_uri != kNoReportURI) | 1451 if (pinset->report_uri != kNoReportURI) |
| 1440 pkp_state->report_uri = GURL(pinset->report_uri); | 1452 pkp_state->report_uri = GURL(pinset->report_uri); |
| 1441 | 1453 |
| 1442 if (pinset->accepted_pins) { | 1454 if (pinset->accepted_pins) { |
| 1443 const char* const* sha256_hash = pinset->accepted_pins; | 1455 const char* const* sha256_hash = pinset->accepted_pins; |
| 1444 while (*sha256_hash) { | 1456 while (*sha256_hash) { |
| 1445 AddHash(*sha256_hash, &pkp_state->spki_hashes); | 1457 AddHash(*sha256_hash, &pkp_state->spki_hashes); |
| 1446 sha256_hash++; | 1458 sha256_hash++; |
| 1447 } | 1459 } |
| (...skipping 206 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1654 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1666 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
| 1655 const TransportSecurityState& state) | 1667 const TransportSecurityState& state) |
| 1656 : iterator_(state.enabled_pkp_hosts_.begin()), | 1668 : iterator_(state.enabled_pkp_hosts_.begin()), |
| 1657 end_(state.enabled_pkp_hosts_.end()) { | 1669 end_(state.enabled_pkp_hosts_.end()) { |
| 1658 } | 1670 } |
| 1659 | 1671 |
| 1660 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1672 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
| 1661 } | 1673 } |
| 1662 | 1674 |
| 1663 } // namespace | 1675 } // namespace |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2726873003:
Make transport security state data source configurable. (Closed)
