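--- a/net/http/transport_security_state.h
+++ b/net/http/transport_security_state.h
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_
 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_
 
 #include <stdint.h>
 
 #include <map>
@@ -565,31 +565,40 @@
 void ProcessExpectCTHeader(const std::string& value,
 const HostPortPair& host_port_pair,
 const SSLInfo& ssl_info);
 
 // For unit tests only. Causes CheckCTRequirements() to return
 // CT_REQUIREMENTS_NOT_MET (if |*required| is true) or CT_REQUIREMENTS_MET (if
 // |*required| is false) for non-compliant connections by default (that is,
 // unless a RequireCTDelegate overrides). Set to nullptr to reset.
 static void SetShouldRequireCTForTesting(bool* required);
 
+// For unit tests only. Clears the caches that deduplicate sent HPKP and
+// Expect-CT reports.
+void ClearReportCachesForTesting();
+
 private:
 friend class TransportSecurityStateTest;
 friend class TransportSecurityStateStaticFuzzer;
 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly);
 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0);
 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins);
 FRIEND_TEST_ALL_PREFIXES(URLRequestTestHTTP, ExpectCTHeader);
 
 typedef std::map<std::string, STSState> STSStateMap;
 typedef std::map<std::string, PKPState> PKPStateMap;
 typedef std::map<std::string, ExpectCTState> ExpectCTStateMap;
+typedef ExpiringCache<std::string,
+bool,
+base::TimeTicks,
+std::less<base::TimeTicks>>
+ReportCache;
 
 // IsBuildTimely returns true if the current build is new enough ensure that
 // built in security information (i.e. HSTS preloading and pinning
 // information) is timely.
 static bool IsBuildTimely();
 
 // Helper method for actually checking pins.
 PKPStatus CheckPublicKeyPinsImpl(
 const HostPortPair& host_port_pair,
 bool is_issued_by_known_root,
@@ -655,20 +664,28 @@
 ExpectCTState* expect_ct_result) const;
 
 // Returns true and updates |*expect_staple_result| iff there is a static
 // (built-in) state for |host| with expect_staple=true, or if |host| is a
 // subdomain of another domain with expect_staple=true and
 // include_subdomains_for_expect_staple=true.
 bool GetStaticExpectStapleState(
 const std::string& host,
 ExpectStapleState* expect_staple_result) const;
 
+void MaybeNotifyExpectCTFailed(
+const HostPortPair& host_port_pair,
+const GURL& report_uri,
+const X509Certificate* validated_certificate_chain,
+const X509Certificate* served_certificate_chain,
+const SignedCertificateTimestampAndStatusList&
+signed_certificate_timestamps);
+
 // The sets of hosts that have enabled TransportSecurity. |domain| will always
 // be empty for a STSState, PKPState, or ExpectCTState in these maps; the
 // domain comes from the map keys instead. In addition, |upgrade_mode| in the
 // STSState is never MODE_DEFAULT and |HasPublicKeyPins| in the PKPState
 // always returns true.
 STSStateMap enabled_sts_hosts_;
 PKPStateMap enabled_pkp_hosts_;
 ExpectCTStateMap enabled_expect_ct_hosts_;
 
 Delegate* delegate_ = nullptr;
@@ -686,19 +703,19 @@
 
 // True if public key pinning bypass is enabled for local trust anchors.
 bool enable_pkp_bypass_for_local_trust_anchors_;
 
 ExpectCTReporter* expect_ct_reporter_ = nullptr;
 
 RequireCTDelegate* require_ct_delegate_ = nullptr;
 
 // Keeps track of reports that have been sent recently for
 // rate-limiting.
-ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>>
-sent_reports_cache_;
+ReportCache sent_hpkp_reports_cache_;
+ReportCache sent_expect_ct_reports_cache_;
 
 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState);
 };
 
 } // namespace net
 
 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_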
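Review bot: `MaybeNotifyExpectCTFailed` (new lines 674-680) is declared without a comment, unlike the private helpers around it, and the "Maybe" in its name leaves the skip condition unstated. I would add `// Sends an Expect-CT failure report to |report_uri| unless a matching entry is still live in |sent_expect_ct_reports_cache_|.` above it, assuming that is what the .cc does; the implementation is not visible on this page. The `ReportCache` typedef should also say what the `std::string` key is derived from. If the key omits |report_uri| or the served chain, distinct failures for the same host would be silently deduplicated and the site operator would never see them. The existing "Keeps track of reports..." comment now sits over two members and could say that HPKP and Expect-CT reports are rate-limited independently.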