| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "components/packed_ct_ev_whitelist/packed_ct_ev_whitelist.h" | |
| 6 | |
| 7 #include <string.h> | |
| 8 | |
| 9 #include <algorithm> | |
| 10 | |
| 11 #include "base/big_endian.h" | |
| 12 #include "base/files/file_util.h" | |
| 13 #include "base/lazy_instance.h" | |
| 14 #include "base/logging.h" | |
| 15 #include "components/packed_ct_ev_whitelist/bit_stream_reader.h" | |
| 16 #include "content/public/browser/browser_thread.h" | |
| 17 #include "net/ssl/ssl_config_service.h" | |
| 18 | |
| 19 namespace { | |
| 20 const uint8_t kCertHashLengthBits = 64; // 8 bytes | |
| 21 const uint8_t kCertHashLength = kCertHashLengthBits / 8; | |
| 22 const uint64_t kGolombMParameterBits = 47; // 2^47 | |
| 23 | |
| 24 void SetEVWhitelistInSSLConfigService( | |
| 25 const scoped_refptr<net::ct::EVCertsWhitelist>& new_whitelist) { | |
| 26 VLOG(1) << "Setting new EV Certs whitelist."; | |
| 27 net::SSLConfigService::SetEVCertsWhitelist(new_whitelist); | |
| 28 } | |
| 29 | |
| 30 int TruncatedHashesComparator(const void* v1, const void* v2) { | |
| 31 const uint64_t& h1(*(static_cast<const uint64_t*>(v1))); | |
| 32 const uint64_t& h2(*(static_cast<const uint64_t*>(v2))); | |
| 33 if (h1 < h2) | |
| 34 return -1; | |
| 35 else if (h1 > h2) | |
| 36 return 1; | |
| 37 return 0; | |
| 38 } | |
| 39 } // namespace | |
| 40 | |
| 41 namespace packed_ct_ev_whitelist { | |
| 42 | |
| 43 void SetEVCertsWhitelist(scoped_refptr<net::ct::EVCertsWhitelist> whitelist) { | |
| 44 if (!whitelist->IsValid()) { | |
| 45 VLOG(1) << "EV Certs whitelist is not valid, not setting."; | |
| 46 return; | |
| 47 } | |
| 48 | |
| 49 base::Closure assign_cb = | |
| 50 base::Bind(SetEVWhitelistInSSLConfigService, whitelist); | |
| 51 content::BrowserThread::PostTask( | |
| 52 content::BrowserThread::IO, FROM_HERE, assign_cb); | |
| 53 } | |
| 54 | |
| 55 bool PackedEVCertsWhitelist::UncompressEVWhitelist( | |
| 56 const std::string& compressed_whitelist, | |
| 57 std::vector<uint64_t>* uncompressed_list) { | |
| 58 internal::BitStreamReader reader(base::StringPiece( | |
| 59 compressed_whitelist.data(), compressed_whitelist.size())); | |
| 60 std::vector<uint64_t> result; | |
| 61 // Reserve exactly the right amount of memory to avoid reallocs. The size | |
| 62 // changes very rarely and if it does change the code will still be correct, | |
| 63 // just slightly less efficient. | |
| 64 result.reserve(110610); | |
| 65 | |
| 66 VLOG(1) << "Uncompressing EV whitelist of size " | |
| 67 << compressed_whitelist.size(); | |
| 68 uint64_t curr_hash(0); | |
| 69 if (!reader.ReadBits(kCertHashLengthBits, &curr_hash)) { | |
| 70 VLOG(1) << "Failed reading first hash."; | |
| 71 return false; | |
| 72 } | |
| 73 result.push_back(curr_hash); | |
| 74 // M is the tunable parameter used by the Golomb coding. | |
| 75 static const uint64_t kGolombParameterM = static_cast<uint64_t>(1) | |
| 76 << kGolombMParameterBits; | |
| 77 | |
| 78 while (reader.BitsLeft() > kGolombMParameterBits) { | |
| 79 uint64_t read_prefix = 0; | |
| 80 if (!reader.ReadUnaryEncoding(&read_prefix)) { | |
| 81 VLOG(1) << "Failed reading unary-encoded prefix."; | |
| 82 return false; | |
| 83 } | |
| 84 if (read_prefix > (UINT64_MAX / kGolombParameterM)) { | |
| 85 VLOG(1) << "Received value that would cause overflow: " << read_prefix; | |
| 86 return false; | |
| 87 } | |
| 88 | |
| 89 uint64_t r = 0; | |
| 90 if (!reader.ReadBits(kGolombMParameterBits, &r)) { | |
| 91 VLOG(1) << "Failed reading " << kGolombMParameterBits << " bits."; | |
| 92 return false; | |
| 93 } | |
| 94 DCHECK_LT(r, kGolombParameterM); | |
| 95 | |
| 96 uint64_t curr_diff = read_prefix * kGolombParameterM + r; | |
| 97 curr_hash += curr_diff; | |
| 98 | |
| 99 result.push_back(curr_hash); | |
| 100 } | |
| 101 | |
| 102 // If there is excess capacity then trim it. | |
| 103 if (result.size() < result.capacity()) { | |
| 104 std::vector<uint64_t> temp(result.size()); | |
| 105 memcpy(&temp[0], &result[0], result.size() * sizeof(result[0])); | |
| 106 | |
| 107 // Swap the right-sized vector with the over-sized vector. | |
| 108 result.swap(temp); | |
| 109 } | |
| 110 | |
| 111 // Make sure our size trimming code worked. | |
| 112 DCHECK(result.size() == result.capacity()); | |
| 113 | |
| 114 uncompressed_list->swap(result); | |
| 115 return true; | |
| 116 } | |
| 117 | |
| 118 PackedEVCertsWhitelist::PackedEVCertsWhitelist( | |
| 119 const std::string& compressed_whitelist, | |
| 120 const base::Version& version) | |
| 121 : version_(version) { | |
| 122 if (!UncompressEVWhitelist(compressed_whitelist, &whitelist_)) { | |
| 123 whitelist_.clear(); | |
| 124 return; | |
| 125 } | |
| 126 } | |
| 127 | |
| 128 PackedEVCertsWhitelist::~PackedEVCertsWhitelist() { | |
| 129 } | |
| 130 | |
| 131 bool PackedEVCertsWhitelist::ContainsCertificateHash( | |
| 132 const std::string& certificate_hash) const { | |
| 133 DCHECK(!whitelist_.empty()); | |
| 134 uint64_t hash_to_lookup; | |
| 135 | |
| 136 base::ReadBigEndian(certificate_hash.data(), &hash_to_lookup); | |
| 137 return bsearch(&hash_to_lookup, | |
| 138 &whitelist_[0], | |
| 139 whitelist_.size(), | |
| 140 kCertHashLength, | |
| 141 TruncatedHashesComparator) != NULL; | |
| 142 } | |
| 143 | |
| 144 bool PackedEVCertsWhitelist::IsValid() const { | |
| 145 return whitelist_.size() > 0; | |
| 146 } | |
| 147 | |
| 148 base::Version PackedEVCertsWhitelist::Version() const { | |
| 149 return version_; | |
| 150 } | |
| 151 | |
| 152 } // namespace packed_ct_ev_whitelist | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2937563002:
Remove the EV Certs Whitelist (Closed)
