net/spdy/chromium/spdy_session.cc - Issue 2850033002: Check Expect-CT at connection setup

Side by Side Diff: net/spdy/chromium/spdy_session.cc

Issue 2850033002: Check Expect-CT at connection setup (Closed)

Patch Set: mattm comments Created 3 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/spdy/chromium/spdy_session.h"	5 #include "net/spdy/chromium/spdy_session.h"

6	6

7 #include <algorithm>	7 #include <algorithm>

8 #include <limits>	8 #include <limits>

9 #include <map>	9 #include <map>

10 #include <utility>	10 #include <utility>

(...skipping 693 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
704 // attack. Port is left at 0 as it is never used.	704 // attack. Port is left at 0 as it is never used.

705 if (transport_security_state->CheckPublicKeyPins(	705 if (transport_security_state->CheckPublicKeyPins(

706 HostPortPair(new_hostname, 0), ssl_info.is_issued_by_known_root,	706 HostPortPair(new_hostname, 0), ssl_info.is_issued_by_known_root,

707 ssl_info.public_key_hashes, ssl_info.unverified_cert.get(),	707 ssl_info.public_key_hashes, ssl_info.unverified_cert.get(),

708 ssl_info.cert.get(), TransportSecurityState::DISABLE_PIN_REPORTS,	708 ssl_info.cert.get(), TransportSecurityState::DISABLE_PIN_REPORTS,

709 &pinning_failure_log) ==	709 &pinning_failure_log) ==

710 TransportSecurityState::PKPStatus::VIOLATED) {	710 TransportSecurityState::PKPStatus::VIOLATED) {

711 return false;	711 return false;

712 }	712 }

713	713

714 if (ssl_info.ct_cert_policy_compliance !=	714 // As with CheckPublicKeyPins above, disable Expect-CT reports.

715 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS &&	715 if (!transport_security_state->CheckCTRequirements(

716 ssl_info.ct_cert_policy_compliance !=	716 HostPortPair(new_hostname, 0), ssl_info.is_issued_by_known_root,

717 ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY &&	717 ssl_info.public_key_hashes, ssl_info.cert.get(),

718 transport_security_state->ShouldRequireCT(	718 ssl_info.unverified_cert.get(),

719 new_hostname, ssl_info.cert.get(), ssl_info.public_key_hashes)) {	719 ssl_info.signed_certificate_timestamps,

	720 TransportSecurityState::DISABLE_EXPECT_CT_REPORTS,

	721 ssl_info.ct_cert_policy_compliance)) {

720 return false;	722 return false;

721 }	723 }

722	724

723 return true;	725 return true;

724 }	726 }

725	727

726 SpdySession::SpdySession(const SpdySessionKey& spdy_session_key,	728 SpdySession::SpdySession(const SpdySessionKey& spdy_session_key,

727 HttpServerProperties* http_server_properties,	729 HttpServerProperties* http_server_properties,

728 TransportSecurityState* transport_security_state,	730 TransportSecurityState* transport_security_state,

729 bool enable_sending_initial_data,	731 bool enable_sending_initial_data,

(...skipping 2463 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
3193 if (!queue->empty()) {	3195 if (!queue->empty()) {

3194 SpdyStreamId stream_id = queue->front();	3196 SpdyStreamId stream_id = queue->front();

3195 queue->pop_front();	3197 queue->pop_front();

3196 return stream_id;	3198 return stream_id;

3197 }	3199 }

3198 }	3200 }

3199 return 0;	3201 return 0;

3200 }	3202 }

3201	3203

3202 } // namespace net	3204 } // namespace net

OLD	NEW

« net/http/transport_security_state_unittest.cc ('K') | « net/socket/ssl_client_socket_unittest.cc ('k') | net/spdy/chromium/spdy_session_unittest.cc » ('j') | no next file with comments »