| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
| 6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
| 7 | 7 |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 | 9 |
| 10 #include <map> | 10 #include <map> |
| (...skipping 554 matching lines...) |
| 565 void ProcessExpectCTHeader(const std::string& value, | 565 void ProcessExpectCTHeader(const std::string& value, |
| 566 const HostPortPair& host_port_pair, | 566 const HostPortPair& host_port_pair, |
| 567 const SSLInfo& ssl_info); | 567 const SSLInfo& ssl_info); |
| 568 | 568 |
| 569 // For unit tests only. Causes CheckCTRequirements() to return | 569 // For unit tests only. Causes CheckCTRequirements() to return |
| 570 // CT_REQUIREMENTS_NOT_MET (if |*required| is true) or CT_REQUIREMENTS_MET (if | 570 // CT_REQUIREMENTS_NOT_MET (if |*required| is true) or CT_REQUIREMENTS_MET (if |
| 571 // |*required| is false) for non-compliant connections by default (that is, | 571 // |*required| is false) for non-compliant connections by default (that is, |
| 572 // unless a RequireCTDelegate overrides). Set to nullptr to reset. | 572 // unless a RequireCTDelegate overrides). Set to nullptr to reset. |
| 573 static void SetShouldRequireCTForTesting(bool* required); | 573 static void SetShouldRequireCTForTesting(bool* required); |
| 574 | 574 |
| 575 // For unit tests only. Clears the caches that deduplicate sent HPKP and |
| 576 // Expect-CT reports. |
| 577 void ClearReportCachesForTesting(); |
| 578 |
| 575 private: | 579 private: |
| 576 friend class TransportSecurityStateTest; | 580 friend class TransportSecurityStateTest; |
| 577 friend class TransportSecurityStateStaticFuzzer; | 581 friend class TransportSecurityStateStaticFuzzer; |
| 578 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); | 582 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); |
| 579 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); | 583 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0); |
| 580 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); | 584 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins); |
| 581 FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader); | 585 FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader); |
| 582 | 586 |
| 583 typedef std::map<std::string, STSState> STSStateMap; | 587 typedef std::map<std::string, STSState> STSStateMap; |
| 584 typedef std::map<std::string, PKPState> PKPStateMap; | 588 typedef std::map<std::string, PKPState> PKPStateMap; |
| 585 typedef std::map<std::string, ExpectCTState> ExpectCTStateMap; | 589 typedef std::map<std::string, ExpectCTState> ExpectCTStateMap; |
| 590 typedef ExpiringCache<std::string, |
| 591 bool, |
| 592 base::TimeTicks, |
| 593 std::less<base::TimeTicks>> |
| 594 ReportCache; |
| 586 | 595 |
| 587 // IsBuildTimely returns true if the current build is new enough ensure that | 596 // IsBuildTimely returns true if the current build is new enough ensure that |
| 588 // built in security information (i.e. HSTS preloading and pinning | 597 // built in security information (i.e. HSTS preloading and pinning |
| 589 // information) is timely. | 598 // information) is timely. |
| 590 static bool IsBuildTimely(); | 599 static bool IsBuildTimely(); |
| 591 | 600 |
| 592 // Helper method for actually checking pins. | 601 // Helper method for actually checking pins. |
| 593 PKPStatus CheckPublicKeyPinsImpl( | 602 PKPStatus CheckPublicKeyPinsImpl( |
| 594 const HostPortPair& host_port_pair, | 603 const HostPortPair& host_port_pair, |
| 595 bool is_issued_by_known_root, | 604 bool is_issued_by_known_root, |
| (...skipping 59 matching lines...) |
| 655 ExpectCTState* expect_ct_result) const; | 664 ExpectCTState* expect_ct_result) const; |
| 656 | 665 |
| 657 // Returns true and updates |*expect_staple_result| iff there is a static | 666 // Returns true and updates |*expect_staple_result| iff there is a static |
| 658 // (built-in) state for |host| with expect_staple=true, or if |host| is a | 667 // (built-in) state for |host| with expect_staple=true, or if |host| is a |
| 659 // subdomain of another domain with expect_staple=true and | 668 // subdomain of another domain with expect_staple=true and |
| 660 // include_subdomains_for_expect_staple=true. | 669 // include_subdomains_for_expect_staple=true. |
| 661 bool GetStaticExpectStapleState( | 670 bool GetStaticExpectStapleState( |
| 662 const std::string& host, | 671 const std::string& host, |
| 663 ExpectStapleState* expect_staple_result) const; | 672 ExpectStapleState* expect_staple_result) const; |
| 664 | 673 |
| 674 void MaybeNotifyExpectCTFailed( |
| 675 const HostPortPair& host_port_pair, |
| 676 const GURL& report_uri, |
| 677 const X509Certificate* validated_certificate_chain, |
| 678 const X509Certificate* served_certificate_chain, |
| 679 const SignedCertificateTimestampAndStatusList& |
| 680 signed_certificate_timestamps); |
| 681 |
| 665 // The sets of hosts that have enabled TransportSecurity. |domain| will always | 682 // The sets of hosts that have enabled TransportSecurity. |domain| will always |
| 666 // be empty for a STSState, PKPState, or ExpectCTState in these maps; the | 683 // be empty for a STSState, PKPState, or ExpectCTState in these maps; the |
| 667 // domain comes from the map keys instead. In addition, |upgrade_mode| in the | 684 // domain comes from the map keys instead. In addition, |upgrade_mode| in the |
| 668 // STSState is never MODE_DEFAULT and |HasPublicKeyPins| in the PKPState | 685 // STSState is never MODE_DEFAULT and |HasPublicKeyPins| in the PKPState |
| 669 // always returns true. | 686 // always returns true. |
| 670 STSStateMap enabled_sts_hosts_; | 687 STSStateMap enabled_sts_hosts_; |
| 671 PKPStateMap enabled_pkp_hosts_; | 688 PKPStateMap enabled_pkp_hosts_; |
| 672 ExpectCTStateMap enabled_expect_ct_hosts_; | 689 ExpectCTStateMap enabled_expect_ct_hosts_; |
| 673 | 690 |
| 674 Delegate* delegate_ = nullptr; | 691 Delegate* delegate_ = nullptr; |
| (...skipping 11 matching lines...) |
| 686 | 703 |
| 687 // True if public key pinning bypass is enabled for local trust anchors. | 704 // True if public key pinning bypass is enabled for local trust anchors. |
| 688 bool enable_pkp_bypass_for_local_trust_anchors_; | 705 bool enable_pkp_bypass_for_local_trust_anchors_; |
| 689 | 706 |
| 690 ExpectCTReporter* expect_ct_reporter_ = nullptr; | 707 ExpectCTReporter* expect_ct_reporter_ = nullptr; |
| 691 | 708 |
| 692 RequireCTDelegate* require_ct_delegate_ = nullptr; | 709 RequireCTDelegate* require_ct_delegate_ = nullptr; |
| 693 | 710 |
| 694 // Keeps track of reports that have been sent recently for | 711 // Keeps track of reports that have been sent recently for |
| 695 // rate-limiting. | 712 // rate-limiting. |
| 696 ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> | 713 ReportCache sent_hpkp_reports_cache_; |
| 697 sent_reports_cache_; | 714 ReportCache sent_expect_ct_reports_cache_; |
| 698 | 715 |
| 699 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); | 716 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); |
| 700 }; | 717 }; |
| 701 | 718 |
| 702 } // namespace net | 719 } // namespace net |
| 703 | 720 |
| 704 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 721 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
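Review bot: MaybeNotifyExpectCTFailed (new-side lines 674–680) is declared without a comment, unlike the private helpers around it, and the name alone does not say when the notification is suppressed. Since the same change introduces sent_expect_ct_reports_cache_, the helper presumably consults that cache before calling the reporter (the implementation is not visible here); if so, say it on the declaration, e.g. `// Sends an Expect-CT failure report through |expect_ct_reporter_| unless an equivalent report was sent recently (see |sent_expect_ct_reports_cache_|).` The comment should also state what the cache key is built from and whether either certificate-chain pointer may be null, because this deduplication is what bounds how many reports one misbehaving or hostile host can make the client send to a report URI. The "Keeps track of reports..." comment on new-side lines 711–712 now covers two members, so a word on each (HPKP versus Expect-CT) would make clear that the rate limits are independent.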