Index: net/http/transport_security_state.h |
diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h |
index 5d3c126dcc2090015107eec88bc71ae0e9c3b7d7..e469d70aabe51a71fc24244ae3e7bb2c30cc51fa 100644 |
--- a/net/http/transport_security_state.h |
+++ b/net/http/transport_security_state.h |
@@ -11,6 +11,7 @@ |
#include <string> |
#include "base/callback.h" |
+#include "base/feature_list.h" |
#include "base/gtest_prod_util.h" |
#include "base/macros.h" |
#include "base/strings/string_piece.h" |
@@ -235,6 +236,29 @@ class NET_EXPORT TransportSecurityState |
// The URI to which reports should be sent if valid CT info is not |
// provided. |
GURL report_uri; |
+ // True if connections should be closed if they do not comply with the CT |
+ // policy. If false, noncompliant connections will be allowed but reports |
+ // will be sent about the violation. |
+ bool enforce; |
+ // The absolute time (UTC) when the Expect-CT state was last observed. |
+ base::Time last_observed; |
+ // The absolute time (UTC) when the Expect-CT state expires. |
+ base::Time expiry; |
+ }; |
+ |
+ class NET_EXPORT ExpectCTStateIterator { |
+ public: |
+ explicit ExpectCTStateIterator(const TransportSecurityState& state); |
+ ~ExpectCTStateIterator(); |
+ |
+ bool HasNext() const { return iterator_ != end_; } |
+ void Advance() { ++iterator_; } |
+ const std::string& hostname() const { return iterator_->first; } |
+ const ExpectCTState& domain_state() const { return iterator_->second; } |
+ |
+ private: |
+ std::map<std::string, ExpectCTState>::const_iterator iterator_; |
+ std::map<std::string, ExpectCTState>::const_iterator end_; |
}; |
// An ExpectStapleState describes a site that expects valid OCSP information |
@@ -293,6 +317,10 @@ class NET_EXPORT TransportSecurityState |
// report if a violation is detected. |
enum PublicKeyPinReportStatus { ENABLE_PIN_REPORTS, DISABLE_PIN_REPORTS }; |
+ // Feature that controls whether Expect-CT HTTP headers are parsed, processed, |
+ // and stored. |
+ static const base::Feature kDynamicExpectCTFeature; |
+ |
TransportSecurityState(); |
~TransportSecurityState(); |
@@ -382,6 +410,13 @@ class NET_EXPORT TransportSecurityState |
void AddOrUpdateEnabledPKPHosts(const std::string& hashed_host, |
const PKPState& state); |
+ // Inserts |state| into |enabled_expect_ct_hosts_| under the key |
+ // |hashed_host|. |hashed_host| is already in the internal representation. |
+ // Note: This is only used for serializing/deserializing the |
+ // TransportSecurityState. |
+ void AddOrUpdateEnabledExpectCTHosts(const std::string& hashed_host, |
+ const ExpectCTState& state); |
+ |
// Deletes all dynamic data (e.g. HSTS or HPKP data) created since a given |
// time. |
// |
@@ -411,14 +446,15 @@ class NET_EXPORT TransportSecurityState |
// deployed. |
bool IsGooglePinnedHost(const std::string& host) const; |
- // Returns true and updates |*result| iff |host| has HSTS (respectively, HPKP) |
- // state. If multiple HSTS (respectively, HPKP) entries match |host|, the |
- // most specific match determines the HSTS (respectively, HPKP) return value. |
+ // Returns true and updates |*result| iff |host| has HSTS/HPKP/Expect-CT |
+ // (respectively) state. If multiple entries match |host|, the most specific |
+ // match determines the return value. |
// |
// Note that these methods are not const because they opportunistically remove |
// entries that have expired. |
bool GetDynamicSTSState(const std::string& host, STSState* result); |
bool GetDynamicPKPState(const std::string& host, PKPState* result); |
+ bool GetDynamicExpectCTState(const std::string& host, ExpectCTState* result); |
// Processes an HSTS header value from the host, adding entries to |
// dynamic state if necessary. |
@@ -446,6 +482,16 @@ class NET_EXPORT TransportSecurityState |
const HashValueVector& hashes, |
const GURL& report_uri); |
+ // Adds explicitly-specified data as if it was processed from an Expect-CT |
+ // header. |
+ // Note: This method will persist the Expect-CT data if a Delegate is present. |
+ // Make sure that the delegate is nullptr if the persistence is not |
+ // desired. See |SetDelegate| method for more details. |
+ void AddExpectCT(const std::string& host, |
+ const base::Time& expiry, |
+ bool enforce, |
+ const GURL& report_uri); |
+ |
// Enables or disables public key pinning bypass for local trust anchors. |
// Disabling the bypass for local trust anchors is highly discouraged. |
// This method is used by Cronet only and *** MUST NOT *** be used by any |
@@ -489,6 +535,7 @@ class NET_EXPORT TransportSecurityState |
typedef std::map<std::string, STSState> STSStateMap; |
typedef std::map<std::string, PKPState> PKPStateMap; |
+ typedef std::map<std::string, ExpectCTState> ExpectCTStateMap; |
// Send an UMA report on pin validation failure, if the host is in a |
// statically-defined list of domains. |
@@ -533,12 +580,20 @@ class NET_EXPORT TransportSecurityState |
const HashValueVector& hashes, |
const GURL& report_uri); |
+ // Adds Expect-CT state to |host|. |
+ void AddExpectCTInternal(const std::string& host, |
+ const base::Time& last_observed, |
+ const base::Time& expiry, |
+ bool enforce, |
+ const GURL& report_uri); |
+ |
// Enable TransportSecurity for |host|. |state| supercedes any previous |
// state for the |host|, including static entries. |
// |
// The new state for |host| is persisted using the Delegate (if any). |
void EnableSTSHost(const std::string& host, const STSState& state); |
void EnablePKPHost(const std::string& host, const PKPState& state); |
+ void EnableExpectCTHost(const std::string& host, const ExpectCTState& state); |
// Returns true if a request to |host_port_pair| with the given |
// SubjectPublicKeyInfo |hashes| satisfies the pins in |pkp_state|, |
@@ -571,12 +626,13 @@ class NET_EXPORT TransportSecurityState |
ExpectStapleState* expect_staple_result) const; |
// The sets of hosts that have enabled TransportSecurity. |domain| will always |
- // be empty for a STSState or PKPState in these maps; the domain |
- // comes from the map keys instead. In addition, |upgrade_mode| in the |
+ // be empty for a STSState, PKPState, or ExpectCTState in these maps; the |
+ // domain comes from the map keys instead. In addition, |upgrade_mode| in the |
// STSState is never MODE_DEFAULT and |HasPublicKeyPins| in the PKPState |
// always returns true. |
STSStateMap enabled_sts_hosts_; |
PKPStateMap enabled_pkp_hosts_; |
+ ExpectCTStateMap enabled_expect_ct_hosts_; |
Delegate* delegate_ = nullptr; |