OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <memory> | 8 #include <memory> |
9 #include <utility> | 9 #include <utility> |
10 #include <vector> | 10 #include <vector> |
(...skipping 843 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
854 PKPState static_pkp_state; | 854 PKPState static_pkp_state; |
855 if (GetStaticDomainState(host, &unused, &static_pkp_state)) { | 855 if (GetStaticDomainState(host, &unused, &static_pkp_state)) { |
856 if (static_pkp_state.HasPublicKeyPins()) | 856 if (static_pkp_state.HasPublicKeyPins()) |
857 return true; | 857 return true; |
858 } | 858 } |
859 | 859 |
860 return false; | 860 return false; |
861 } | 861 } |
862 | 862 |
863 bool TransportSecurityState::ShouldRequireCT( | 863 bool TransportSecurityState::ShouldRequireCT( |
864 const std::string& hostname, | 864 const net::HostPortPair& host_port_pair, |
| 865 bool is_issued_by_known_root, |
| 866 const HashValueVector& public_key_hashes, |
865 const X509Certificate* validated_certificate_chain, | 867 const X509Certificate* validated_certificate_chain, |
866 const HashValueVector& public_key_hashes) { | 868 const X509Certificate* served_certificate_chain, |
| 869 const SignedCertificateTimestampAndStatusList& |
| 870 signed_certificate_timestamps, |
| 871 const ExpectCTReportStatus report_status) { |
867 using CTRequirementLevel = RequireCTDelegate::CTRequirementLevel; | 872 using CTRequirementLevel = RequireCTDelegate::CTRequirementLevel; |
| 873 std::string hostname = host_port_pair.host(); |
| 874 |
| 875 // Check Expect-CT first so that other CT requirements do not prevent |
| 876 // Expect-CT reports from being sent. |
| 877 ExpectCTState state; |
| 878 if (is_issued_by_known_root && IsDynamicExpectCTEnabled() && |
| 879 GetDynamicExpectCTState(hostname, &state)) { |
| 880 if (expect_ct_reporter_ && !state.report_uri.is_empty() && |
| 881 report_status == ENABLE_EXPECT_CT_REPORTS) { |
| 882 expect_ct_reporter_->OnExpectCTFailed( |
| 883 host_port_pair, state.report_uri, served_certificate_chain, |
| 884 validated_certificate_chain, signed_certificate_timestamps); |
| 885 } |
| 886 if (state.enforce) |
| 887 return true; |
| 888 } |
868 | 889 |
869 CTRequirementLevel ct_required = CTRequirementLevel::DEFAULT; | 890 CTRequirementLevel ct_required = CTRequirementLevel::DEFAULT; |
870 if (require_ct_delegate_) | 891 if (require_ct_delegate_) |
871 ct_required = require_ct_delegate_->IsCTRequiredForHost(hostname); | 892 ct_required = require_ct_delegate_->IsCTRequiredForHost(hostname); |
872 if (ct_required != CTRequirementLevel::DEFAULT) | 893 if (ct_required != CTRequirementLevel::DEFAULT) |
873 return ct_required == CTRequirementLevel::REQUIRED; | 894 return ct_required == CTRequirementLevel::REQUIRED; |
874 | 895 |
875 // Allow unittests to override the default result. | 896 // Allow unittests to override the default result. |
876 if (g_ct_required_for_testing) | 897 if (g_ct_required_for_testing) |
877 return g_ct_required_for_testing == 1; | 898 return g_ct_required_for_testing == 1; |
(...skipping 528 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1406 return; | 1427 return; |
1407 if (!ssl_info.is_issued_by_known_root) | 1428 if (!ssl_info.is_issued_by_known_root) |
1408 return; | 1429 return; |
1409 if (!ssl_info.ct_compliance_details_available) | 1430 if (!ssl_info.ct_compliance_details_available) |
1410 return; | 1431 return; |
1411 if (ssl_info.ct_cert_policy_compliance == | 1432 if (ssl_info.ct_cert_policy_compliance == |
1412 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS) | 1433 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS) |
1413 return; | 1434 return; |
1414 ExpectCTState state; | 1435 ExpectCTState state; |
1415 if (GetStaticExpectCTState(host_port_pair.host(), &state)) { | 1436 if (GetStaticExpectCTState(host_port_pair.host(), &state)) { |
1416 expect_ct_reporter_->OnExpectCTFailed(host_port_pair, state.report_uri, | 1437 expect_ct_reporter_->OnExpectCTFailed( |
1417 ssl_info); | 1438 host_port_pair, state.report_uri, ssl_info.unverified_cert.get(), |
| 1439 ssl_info.cert.get(), ssl_info.signed_certificate_timestamps); |
1418 } | 1440 } |
1419 return; | 1441 return; |
1420 } | 1442 } |
1421 | 1443 |
1422 // Otherwise, see if the site has sent a valid Expect-CT header to dynamically | 1444 // Otherwise, see if the site has sent a valid Expect-CT header to dynamically |
1423 // turn on reporting and/or enforcement. | 1445 // turn on reporting and/or enforcement. |
1424 if (!IsDynamicExpectCTEnabled()) | 1446 if (!IsDynamicExpectCTEnabled()) |
1425 return; | 1447 return; |
1426 base::Time now = base::Time::Now(); | 1448 base::Time now = base::Time::Now(); |
1427 base::TimeDelta max_age; | 1449 base::TimeDelta max_age; |
(...skipping 12 matching lines...) Expand all Loading... |
1440 ExpectCTState state; | 1462 ExpectCTState state; |
1441 // If an Expect-CT header is observed over a non-compliant connection, the | 1463 // If an Expect-CT header is observed over a non-compliant connection, the |
1442 // site owner should be notified about the misconfiguration. If the site was | 1464 // site owner should be notified about the misconfiguration. If the site was |
1443 // already opted in to Expect-CT, this report would have been sent at | 1465 // already opted in to Expect-CT, this report would have been sent at |
1444 // connection setup time. If the host is not already a noted Expect-CT host, | 1466 // connection setup time. If the host is not already a noted Expect-CT host, |
1445 // however, the lack of CT compliance would not have been evaluated/reported | 1467 // however, the lack of CT compliance would not have been evaluated/reported |
1446 // at connection setup time, so it needs to be reported here while | 1468 // at connection setup time, so it needs to be reported here while |
1447 // processing the header. | 1469 // processing the header. |
1448 if (expect_ct_reporter_ && !report_uri.is_empty() && | 1470 if (expect_ct_reporter_ && !report_uri.is_empty() && |
1449 !GetDynamicExpectCTState(host_port_pair.host(), &state)) { | 1471 !GetDynamicExpectCTState(host_port_pair.host(), &state)) { |
1450 expect_ct_reporter_->OnExpectCTFailed(host_port_pair, report_uri, | 1472 expect_ct_reporter_->OnExpectCTFailed( |
1451 ssl_info); | 1473 host_port_pair, report_uri, ssl_info.unverified_cert.get(), |
| 1474 ssl_info.cert.get(), ssl_info.signed_certificate_timestamps); |
1452 } | 1475 } |
1453 return; | 1476 return; |
1454 } | 1477 } |
1455 AddExpectCTInternal(host_port_pair.host(), now, now + max_age, enforce, | 1478 AddExpectCTInternal(host_port_pair.host(), now, now + max_age, enforce, |
1456 report_uri); | 1479 report_uri); |
1457 } | 1480 } |
1458 | 1481 |
1459 // static | 1482 // static |
1460 void TransportSecurityState::SetShouldRequireCTForTesting(bool* required) { | 1483 void TransportSecurityState::SetShouldRequireCTForTesting(bool* required) { |
1461 if (!required) { | 1484 if (!required) { |
(...skipping 328 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1790 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1813 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
1791 const TransportSecurityState& state) | 1814 const TransportSecurityState& state) |
1792 : iterator_(state.enabled_pkp_hosts_.begin()), | 1815 : iterator_(state.enabled_pkp_hosts_.begin()), |
1793 end_(state.enabled_pkp_hosts_.end()) { | 1816 end_(state.enabled_pkp_hosts_.end()) { |
1794 } | 1817 } |
1795 | 1818 |
1796 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1819 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
1797 } | 1820 } |
1798 | 1821 |
1799 } // namespace | 1822 } // namespace |
OLD | NEW |