| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <memory> | 7 #include <memory> |
| 8 #include <utility> | 8 #include <utility> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 376 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 387 } | 387 } |
| 388 | 388 |
| 389 private: | 389 private: |
| 390 const uint8_t* const tree_; | 390 const uint8_t* const tree_; |
| 391 const size_t tree_bytes_; | 391 const size_t tree_bytes_; |
| 392 }; | 392 }; |
| 393 | 393 |
| 394 // PreloadResult is the result of resolving a specific name in the preloaded | 394 // PreloadResult is the result of resolving a specific name in the preloaded |
| 395 // data. | 395 // data. |
| 396 struct PreloadResult { | 396 struct PreloadResult { |
| 397 uint32_t pinset_id; | 397 uint32_t pinset_id = 0; |
| 398 // hostname_offset contains the number of bytes from the start of the given | 398 // hostname_offset contains the number of bytes from the start of the given |
| 399 // hostname where the name of the matching entry starts. | 399 // hostname where the name of the matching entry starts. |
| 400 size_t hostname_offset; | 400 size_t hostname_offset = 0; |
| 401 bool sts_include_subdomains; | 401 bool sts_include_subdomains = false; |
| 402 bool pkp_include_subdomains; | 402 bool pkp_include_subdomains = false; |
| 403 bool force_https; | 403 bool force_https = false; |
| 404 bool has_pins; | 404 bool has_pins = false; |
| 405 bool expect_ct; | 405 bool expect_ct = false; |
| 406 uint32_t expect_ct_report_uri_id; | 406 uint32_t expect_ct_report_uri_id = 0; |
| 407 bool expect_staple; | 407 bool expect_staple = false; |
| 408 bool expect_staple_include_subdomains; | 408 bool expect_staple_include_subdomains = false; |
| 409 uint32_t expect_staple_report_uri_id; | 409 uint32_t expect_staple_report_uri_id = 0; |
| 410 }; | 410 }; |
| 411 | 411 |
| 412 // DecodeHSTSPreloadRaw resolves |hostname| in the preloaded data. It returns | 412 // DecodeHSTSPreloadRaw resolves |hostname| in the preloaded data. It returns |
| 413 // false on internal error and true otherwise. After a successful return, | 413 // false on internal error and true otherwise. After a successful return, |
| 414 // |*out_found| is true iff a relevant entry has been found. If so, |*out| | 414 // |*out_found| is true iff a relevant entry has been found. If so, |*out| |
| 415 // contains the details. | 415 // contains the details. |
| 416 // | 416 // |
| 417 // Don't call this function, call DecodeHSTSPreload, below. | 417 // Don't call this function, call DecodeHSTSPreload, below. |
| 418 // | 418 // |
| 419 // Although this code should be robust, it never processes attacker-controlled | 419 // Although this code should be robust, it never processes attacker-controlled |
| (...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 513 if (!huffman.Decode(&reader, &c)) { | 513 if (!huffman.Decode(&reader, &c)) { |
| 514 return false; | 514 return false; |
| 515 } | 515 } |
| 516 if (c == kEndOfTable) { | 516 if (c == kEndOfTable) { |
| 517 // No exact match. | 517 // No exact match. |
| 518 return true; | 518 return true; |
| 519 } | 519 } |
| 520 | 520 |
| 521 if (c == kEndOfString) { | 521 if (c == kEndOfString) { |
| 522 PreloadResult tmp; | 522 PreloadResult tmp; |
| 523 if (!reader.Next(&tmp.sts_include_subdomains) || | 523 bool is_simple_entry; |
| 524 !reader.Next(&tmp.force_https) || !reader.Next(&tmp.has_pins)) { | 524 if (!reader.Next(&is_simple_entry)) { |
| 525 return false; | 525 return false; |
| 526 } | 526 } |
| 527 | 527 |
| 528 tmp.pkp_include_subdomains = tmp.sts_include_subdomains; | 528 // Simple entries only configure HSTS with IncludeSubdomains and use a |
| 529 // compact serialization format where the other policy flags are |
| 530 // omitted. The omitted flags are assumed to be 0 and the associated |
| 531 // policies are disabled. |
| 532 if (is_simple_entry) { |
| 533 tmp.force_https = true; |
| 534 tmp.sts_include_subdomains = true; |
| 535 } else { |
| 536 if (!reader.Next(&tmp.sts_include_subdomains) || |
| 537 !reader.Next(&tmp.force_https) || !reader.Next(&tmp.has_pins)) { |
| 538 return false; |
| 539 } |
| 529 | 540 |
| 530 if (tmp.has_pins) { | 541 tmp.pkp_include_subdomains = tmp.sts_include_subdomains; |
| 531 if (!reader.Read(4, &tmp.pinset_id) || | 542 |
| 532 (!tmp.sts_include_subdomains && | 543 if (tmp.has_pins) { |
| 533 !reader.Next(&tmp.pkp_include_subdomains))) { | 544 if (!reader.Read(4, &tmp.pinset_id) || |
| 545 (!tmp.sts_include_subdomains && |
| 546 !reader.Next(&tmp.pkp_include_subdomains))) { |
| 547 return false; |
| 548 } |
| 549 } |
| 550 |
| 551 if (!reader.Next(&tmp.expect_ct)) |
| 534 return false; | 552 return false; |
| 553 |
| 554 if (tmp.expect_ct) { |
| 555 if (!reader.Read(4, &tmp.expect_ct_report_uri_id)) |
| 556 return false; |
| 557 } |
| 558 |
| 559 if (!reader.Next(&tmp.expect_staple)) |
| 560 return false; |
| 561 tmp.expect_staple_include_subdomains = false; |
| 562 if (tmp.expect_staple) { |
| 563 if (!reader.Next(&tmp.expect_staple_include_subdomains)) |
| 564 return false; |
| 565 if (!reader.Read(4, &tmp.expect_staple_report_uri_id)) |
| 566 return false; |
| 535 } | 567 } |
| 536 } | 568 } |
| 537 | 569 |
| 538 if (!reader.Next(&tmp.expect_ct)) | |
| 539 return false; | |
| 540 | |
| 541 if (tmp.expect_ct) { | |
| 542 if (!reader.Read(4, &tmp.expect_ct_report_uri_id)) | |
| 543 return false; | |
| 544 } | |
| 545 | |
| 546 if (!reader.Next(&tmp.expect_staple)) | |
| 547 return false; | |
| 548 tmp.expect_staple_include_subdomains = false; | |
| 549 if (tmp.expect_staple) { | |
| 550 if (!reader.Next(&tmp.expect_staple_include_subdomains)) | |
| 551 return false; | |
| 552 if (!reader.Read(4, &tmp.expect_staple_report_uri_id)) | |
| 553 return false; | |
| 554 } | |
| 555 | |
| 556 tmp.hostname_offset = hostname_offset; | 570 tmp.hostname_offset = hostname_offset; |
| 557 | 571 |
| 558 if (hostname_offset == 0 || hostname[hostname_offset - 1] == '.') { | 572 if (hostname_offset == 0 || hostname[hostname_offset - 1] == '.') { |
| 559 *out_found = tmp.sts_include_subdomains || | 573 *out_found = tmp.sts_include_subdomains || |
| 560 tmp.pkp_include_subdomains || | 574 tmp.pkp_include_subdomains || |
| 561 tmp.expect_staple_include_subdomains; | 575 tmp.expect_staple_include_subdomains; |
| 562 *out = tmp; | 576 *out = tmp; |
| 563 | 577 |
| 564 if (hostname_offset > 0) { | 578 if (hostname_offset > 0) { |
| 565 out->force_https &= tmp.sts_include_subdomains; | 579 out->force_https &= tmp.sts_include_subdomains; |
| (...skipping 1266 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1832 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1846 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
| 1833 const TransportSecurityState& state) | 1847 const TransportSecurityState& state) |
| 1834 : iterator_(state.enabled_pkp_hosts_.begin()), | 1848 : iterator_(state.enabled_pkp_hosts_.begin()), |
| 1835 end_(state.enabled_pkp_hosts_.end()) { | 1849 end_(state.enabled_pkp_hosts_.end()) { |
| 1836 } | 1850 } |
| 1837 | 1851 |
| 1838 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1852 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
| 1839 } | 1853 } |
| 1840 | 1854 |
| 1841 } // namespace net | 1855 } // namespace net |
| OLD | NEW |