| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <memory> | 7 #include <memory> |
| 8 #include <utility> | 8 #include <utility> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 209 matching lines...) |
| 220 } | 220 } |
| 221 | 221 |
| 222 std::string HashHost(const std::string& canonicalized_host) { | 222 std::string HashHost(const std::string& canonicalized_host) { |
| 223 char hashed[crypto::kSHA256Length]; | 223 char hashed[crypto::kSHA256Length]; |
| 224 crypto::SHA256HashString(canonicalized_host, hashed, sizeof(hashed)); | 224 crypto::SHA256HashString(canonicalized_host, hashed, sizeof(hashed)); |
| 225 return std::string(hashed, sizeof(hashed)); | 225 return std::string(hashed, sizeof(hashed)); |
| 226 } | 226 } |
| 227 | 227 |
| 228 // Returns true if the intersection of |a| and |b| is not empty. If either | 228 // Returns true if the intersection of |a| and |b| is not empty. If either |
| 229 // |a| or |b| is empty, returns false. | 229 // |a| or |b| is empty, returns false. |
| 230 bool HashesIntersect(const HashValueVector& a, | 230 bool HashesIntersect2(const HashValueVector& a, |
| 231 const HashValueVector& b) { | 231 const HashValueVector& b) { |
| 232 for (const auto& hash : a) { | 232 for (const auto& hash : a) { |
| 233 if (base::ContainsValue(b, hash)) | 233 if (base::ContainsValue(b, hash)) |
| 234 return true; | 234 return true; |
| 235 } | 235 } |
| 236 return false; | 236 return false; |
| 237 } | 237 } |
| 238 | 238 |
| 239 bool AddHash(const char* sha256_hash, HashValueVector* out) { | 239 bool AddHash(const char* sha256_hash, HashValueVector* out) { |
| 240 HashValue hash(HASH_VALUE_SHA256); | 240 HashValue hash(HASH_VALUE_SHA256); |
| (...skipping 1579 matching lines...) |
| 1820 // Validate that hashes is not empty. By the time this code is called (in | 1820 // Validate that hashes is not empty. By the time this code is called (in |
| 1821 // production), that should never happen, but it's good to be defensive. | 1821 // production), that should never happen, but it's good to be defensive. |
| 1822 // And, hashes *can* be empty in some test scenarios. | 1822 // And, hashes *can* be empty in some test scenarios. |
| 1823 if (hashes.empty()) { | 1823 if (hashes.empty()) { |
| 1824 failure_log->append( | 1824 failure_log->append( |
| 1825 "Rejecting empty public key chain for public-key-pinned domains: " + | 1825 "Rejecting empty public key chain for public-key-pinned domains: " + |
| 1826 domain); | 1826 domain); |
| 1827 return false; | 1827 return false; |
| 1828 } | 1828 } |
| 1829 | 1829 |
| 1830 if (HashesIntersect(bad_spki_hashes, hashes)) { | 1830 if (HashesIntersect2(bad_spki_hashes, hashes)) { |
| 1831 failure_log->append("Rejecting public key chain for domain " + domain + | 1831 failure_log->append("Rejecting public key chain for domain " + domain + |
| 1832 ". Validated chain: " + HashesToBase64String(hashes) + | 1832 ". Validated chain: " + HashesToBase64String(hashes) + |
| 1833 ", matches one or more bad hashes: " + | 1833 ", matches one or more bad hashes: " + |
| 1834 HashesToBase64String(bad_spki_hashes)); | 1834 HashesToBase64String(bad_spki_hashes)); |
| 1835 return false; | 1835 return false; |
| 1836 } | 1836 } |
| 1837 | 1837 |
| 1838 // If there are no pins, then any valid chain is acceptable. | 1838 // If there are no pins, then any valid chain is acceptable. |
| 1839 if (spki_hashes.empty()) | 1839 if (spki_hashes.empty()) |
| 1840 return true; | 1840 return true; |
| 1841 | 1841 |
| 1842 if (HashesIntersect(spki_hashes, hashes)) { | 1842 if (HashesIntersect2(spki_hashes, hashes)) { |
| 1843 return true; | 1843 return true; |
| 1844 } | 1844 } |
| 1845 | 1845 |
| 1846 failure_log->append("Rejecting public key chain for domain " + domain + | 1846 failure_log->append("Rejecting public key chain for domain " + domain + |
| 1847 ". Validated chain: " + HashesToBase64String(hashes) + | 1847 ". Validated chain: " + HashesToBase64String(hashes) + |
| 1848 ", expected: " + HashesToBase64String(spki_hashes)); | 1848 ", expected: " + HashesToBase64String(spki_hashes)); |
| 1849 return false; | 1849 return false; |
| 1850 } | 1850 } |
| 1851 | 1851 |
| 1852 bool TransportSecurityState::PKPState::HasPublicKeyPins() const { | 1852 bool TransportSecurityState::PKPState::HasPublicKeyPins() const { |
| 1853 return spki_hashes.size() > 0 || bad_spki_hashes.size() > 0; | 1853 return spki_hashes.size() > 0 || bad_spki_hashes.size() > 0; |
| 1854 } | 1854 } |
| 1855 | 1855 |
| 1856 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1856 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
| 1857 const TransportSecurityState& state) | 1857 const TransportSecurityState& state) |
| 1858 : iterator_(state.enabled_pkp_hosts_.begin()), | 1858 : iterator_(state.enabled_pkp_hosts_.begin()), |
| 1859 end_(state.enabled_pkp_hosts_.end()) { | 1859 end_(state.enabled_pkp_hosts_.end()) { |
| 1860 } | 1860 } |
| 1861 | 1861 |
| 1862 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1862 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
| 1863 } | 1863 } |
| 1864 | 1864 |
| 1865 } // namespace net | 1865 } // namespace net |
| OLD | NEW |