| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <memory> | 7 #include <memory> |
| 8 #include <utility> | 8 #include <utility> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| 214 } | 214 } |
| 215 | 215 |
| 216 std::string HashHost(const std::string& canonicalized_host) { | 216 std::string HashHost(const std::string& canonicalized_host) { |
| 217 char hashed[crypto::kSHA256Length]; | 217 char hashed[crypto::kSHA256Length]; |
| 218 crypto::SHA256HashString(canonicalized_host, hashed, sizeof(hashed)); | 218 crypto::SHA256HashString(canonicalized_host, hashed, sizeof(hashed)); |
| 219 return std::string(hashed, sizeof(hashed)); | 219 return std::string(hashed, sizeof(hashed)); |
| 220 } | 220 } |
| 221 | 221 |
| 222 // Returns true if the intersection of |a| and |b| is not empty. If either | 222 // Returns true if the intersection of |a| and |b| is not empty. If either |
| 223 // |a| or |b| is empty, returns false. | 223 // |a| or |b| is empty, returns false. |
| 224 bool HashesIntersect(const HashValueVector& a, | 224 bool HashesIntersect2(const HashValueVector& a, |
| 225 const HashValueVector& b) { | 225 const HashValueVector& b) { |
| 226 for (const auto& hash : a) { | 226 for (const auto& hash : a) { |
| 227 if (base::ContainsValue(b, hash)) | 227 if (base::ContainsValue(b, hash)) |
| 228 return true; | 228 return true; |
| 229 } | 229 } |
| 230 return false; | 230 return false; |
| 231 } | 231 } |
| 232 | 232 |
| 233 bool AddHash(const char* sha256_hash, HashValueVector* out) { | 233 bool AddHash(const char* sha256_hash, HashValueVector* out) { |
| 234 HashValue hash(HASH_VALUE_SHA256); | 234 HashValue hash(HASH_VALUE_SHA256); |
| 1809 // Validate that hashes is not empty. By the time this code is called (in | 1809 // Validate that hashes is not empty. By the time this code is called (in |
| 1810 // production), that should never happen, but it's good to be defensive. | 1810 // production), that should never happen, but it's good to be defensive. |
| 1811 // And, hashes *can* be empty in some test scenarios. | 1811 // And, hashes *can* be empty in some test scenarios. |
| 1812 if (hashes.empty()) { | 1812 if (hashes.empty()) { |
| 1813 failure_log->append( | 1813 failure_log->append( |
| 1814 "Rejecting empty public key chain for public-key-pinned domains: " + | 1814 "Rejecting empty public key chain for public-key-pinned domains: " + |
| 1815 domain); | 1815 domain); |
| 1816 return false; | 1816 return false; |
| 1817 } | 1817 } |
| 1818 | 1818 |
| 1819 if (HashesIntersect(bad_spki_hashes, hashes)) { | 1819 if (HashesIntersect2(bad_spki_hashes, hashes)) { |
| 1820 failure_log->append("Rejecting public key chain for domain " + domain + | 1820 failure_log->append("Rejecting public key chain for domain " + domain + |
| 1821 ". Validated chain: " + HashesToBase64String(hashes) + | 1821 ". Validated chain: " + HashesToBase64String(hashes) + |
| 1822 ", matches one or more bad hashes: " + | 1822 ", matches one or more bad hashes: " + |
| 1823 HashesToBase64String(bad_spki_hashes)); | 1823 HashesToBase64String(bad_spki_hashes)); |
| 1824 return false; | 1824 return false; |
| 1825 } | 1825 } |
| 1826 | 1826 |
| 1827 // If there are no pins, then any valid chain is acceptable. | 1827 // If there are no pins, then any valid chain is acceptable. |
| 1828 if (spki_hashes.empty()) | 1828 if (spki_hashes.empty()) |
| 1829 return true; | 1829 return true; |
| 1830 | 1830 |
| 1831 if (HashesIntersect(spki_hashes, hashes)) { | 1831 if (HashesIntersect2(spki_hashes, hashes)) { |
| 1832 return true; | 1832 return true; |
| 1833 } | 1833 } |
| 1834 | 1834 |
| 1835 failure_log->append("Rejecting public key chain for domain " + domain + | 1835 failure_log->append("Rejecting public key chain for domain " + domain + |
| 1836 ". Validated chain: " + HashesToBase64String(hashes) + | 1836 ". Validated chain: " + HashesToBase64String(hashes) + |
| 1837 ", expected: " + HashesToBase64String(spki_hashes)); | 1837 ", expected: " + HashesToBase64String(spki_hashes)); |
| 1838 return false; | 1838 return false; |
| 1839 } | 1839 } |
| 1840 | 1840 |
| 1841 bool TransportSecurityState::PKPState::HasPublicKeyPins() const { | 1841 bool TransportSecurityState::PKPState::HasPublicKeyPins() const { |
| 1842 return spki_hashes.size() > 0 || bad_spki_hashes.size() > 0; | 1842 return spki_hashes.size() > 0 || bad_spki_hashes.size() > 0; |
| 1843 } | 1843 } |
| 1844 | 1844 |
| 1845 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1845 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
| 1846 const TransportSecurityState& state) | 1846 const TransportSecurityState& state) |
| 1847 : iterator_(state.enabled_pkp_hosts_.begin()), | 1847 : iterator_(state.enabled_pkp_hosts_.begin()), |
| 1848 end_(state.enabled_pkp_hosts_.end()) { | 1848 end_(state.enabled_pkp_hosts_.end()) { |
| 1849 } | 1849 } |
| 1850 | 1850 |
| 1851 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1851 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
| 1852 } | 1852 } |
| 1853 | 1853 |
| 1854 } // namespace net | 1854 } // namespace net |
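Review bot: The new name `HashesIntersect2` (new line 224) gives no hint why the suffix exists or how this helper differs from any other `HashesIntersect`, and the comment above it is unchanged. The helper decides both the bad-SPKI rejection at new line 1819 and the pin match at new line 1831, so a later caller who picks the wrong similarly named helper could change pin-validation results. The page does not show the reason for the rename; if it is to avoid a name clash, record that in the comment, e.g. `// Suffixed "2" only to avoid a name collision with <other HashesIntersect>; plain overlap test.`, or use a descriptive name such as `SPKIHashesIntersect`. The pin-check function containing both call sites starts outside the visible hunk.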
| OLD | NEW |