OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <memory> | 7 #include <memory> |
8 #include <utility> | 8 #include <utility> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 873 matching lines...)
884 return CT_REQUIREMENTS_MET; | 884 return CT_REQUIREMENTS_MET; |
885 } | 885 } |
886 | 886 |
887 // Check Expect-CT first so that other CT requirements do not prevent | 887 // Check Expect-CT first so that other CT requirements do not prevent |
888 // Expect-CT reports from being sent. | 888 // Expect-CT reports from being sent. |
889 ExpectCTState state; | 889 ExpectCTState state; |
890 if (is_issued_by_known_root && IsDynamicExpectCTEnabled() && | 890 if (is_issued_by_known_root && IsDynamicExpectCTEnabled() && |
891 GetDynamicExpectCTState(hostname, &state)) { | 891 GetDynamicExpectCTState(hostname, &state)) { |
892 if (expect_ct_reporter_ && !state.report_uri.is_empty() && | 892 if (expect_ct_reporter_ && !state.report_uri.is_empty() && |
893 report_status == ENABLE_EXPECT_CT_REPORTS) { | 893 report_status == ENABLE_EXPECT_CT_REPORTS) { |
894 MaybeNotifyExpectCTFailed( | 894 MaybeNotifyExpectCTFailed(host_port_pair, state.report_uri, state.expiry, |
895 host_port_pair, state.report_uri, validated_certificate_chain, | 895 validated_certificate_chain, |
896 served_certificate_chain, signed_certificate_timestamps); | 896 served_certificate_chain, |
| 897 signed_certificate_timestamps); |
897 } | 898 } |
898 if (state.enforce) | 899 if (state.enforce) |
899 return CT_REQUIREMENTS_NOT_MET; | 900 return CT_REQUIREMENTS_NOT_MET; |
900 } | 901 } |
901 | 902 |
902 CTRequirementLevel ct_required = CTRequirementLevel::DEFAULT; | 903 CTRequirementLevel ct_required = CTRequirementLevel::DEFAULT; |
903 if (require_ct_delegate_) | 904 if (require_ct_delegate_) |
904 ct_required = require_ct_delegate_->IsCTRequiredForHost(hostname); | 905 ct_required = require_ct_delegate_->IsCTRequiredForHost(hostname); |
905 if (ct_required != CTRequirementLevel::DEFAULT) | 906 if (ct_required != CTRequirementLevel::DEFAULT) |
906 return (ct_required == CTRequirementLevel::REQUIRED | 907 return (ct_required == CTRequirementLevel::REQUIRED |
(...skipping 294 matching lines...)
1201 | 1202 |
1202 expect_ct_state->domain = host.substr(result.hostname_offset); | 1203 expect_ct_state->domain = host.substr(result.hostname_offset); |
1203 expect_ct_state->report_uri = GURL( | 1204 expect_ct_state->report_uri = GURL( |
1204 g_hsts_source->expect_ct_report_uris[result.expect_ct_report_uri_id]); | 1205 g_hsts_source->expect_ct_report_uris[result.expect_ct_report_uri_id]); |
1205 return true; | 1206 return true; |
1206 } | 1207 } |
1207 | 1208 |
1208 void TransportSecurityState::MaybeNotifyExpectCTFailed( | 1209 void TransportSecurityState::MaybeNotifyExpectCTFailed( |
1209 const HostPortPair& host_port_pair, | 1210 const HostPortPair& host_port_pair, |
1210 const GURL& report_uri, | 1211 const GURL& report_uri, |
| 1212 base::Time expiration, |
1211 const X509Certificate* validated_certificate_chain, | 1213 const X509Certificate* validated_certificate_chain, |
1212 const X509Certificate* served_certificate_chain, | 1214 const X509Certificate* served_certificate_chain, |
1213 const SignedCertificateTimestampAndStatusList& | 1215 const SignedCertificateTimestampAndStatusList& |
1214 signed_certificate_timestamps) { | 1216 signed_certificate_timestamps) { |
1215 // Do not send repeated reports to the same host/port pair within | 1217 // Do not send repeated reports to the same host/port pair within |
1216 // |kTimeToRememberReportsMins|. Theoretically, there could be scenarios in | 1218 // |kTimeToRememberReportsMins|. Theoretically, there could be scenarios in |
1217 // which the same host/port generates different reports and it would be useful | 1219 // which the same host/port generates different reports and it would be useful |
1218 // to the server operator to receive those different reports, but such | 1220 // to the server operator to receive those different reports, but such |
1219 // scenarios are not expected to arise very often in practice. | 1221 // scenarios are not expected to arise very often in practice. |
1220 const std::string report_cache_key(host_port_pair.ToString()); | 1222 const std::string report_cache_key(host_port_pair.ToString()); |
1221 if (sent_expect_ct_reports_cache_.Get(report_cache_key, | 1223 if (sent_expect_ct_reports_cache_.Get(report_cache_key, |
1222 base::TimeTicks::Now())) { | 1224 base::TimeTicks::Now())) { |
1223 return; | 1225 return; |
1224 } | 1226 } |
1225 sent_expect_ct_reports_cache_.Put( | 1227 sent_expect_ct_reports_cache_.Put( |
1226 report_cache_key, true, base::TimeTicks::Now(), | 1228 report_cache_key, true, base::TimeTicks::Now(), |
1227 base::TimeTicks::Now() + | 1229 base::TimeTicks::Now() + |
1228 base::TimeDelta::FromMinutes(kTimeToRememberReportsMins)); | 1230 base::TimeDelta::FromMinutes(kTimeToRememberReportsMins)); |
1229 | 1231 |
1230 expect_ct_reporter_->OnExpectCTFailed( | 1232 expect_ct_reporter_->OnExpectCTFailed( |
1231 host_port_pair, report_uri, validated_certificate_chain, | 1233 host_port_pair, report_uri, expiration, validated_certificate_chain, |
1232 served_certificate_chain, signed_certificate_timestamps); | 1234 served_certificate_chain, signed_certificate_timestamps); |
1233 } | 1235 } |
1234 | 1236 |
1235 bool TransportSecurityState::GetStaticExpectStapleState( | 1237 bool TransportSecurityState::GetStaticExpectStapleState( |
1236 const std::string& host, | 1238 const std::string& host, |
1237 ExpectStapleState* expect_staple_state) const { | 1239 ExpectStapleState* expect_staple_state) const { |
1238 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); | 1240 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_); |
1239 | 1241 |
1240 if (!IsBuildTimely()) | 1242 if (!IsBuildTimely()) |
1241 return false; | 1243 return false; |
(...skipping 227 matching lines...)
1469 return; | 1471 return; |
1470 if (!ssl_info.is_issued_by_known_root) | 1472 if (!ssl_info.is_issued_by_known_root) |
1471 return; | 1473 return; |
1472 if (!ssl_info.ct_compliance_details_available) | 1474 if (!ssl_info.ct_compliance_details_available) |
1473 return; | 1475 return; |
1474 if (ssl_info.ct_cert_policy_compliance == | 1476 if (ssl_info.ct_cert_policy_compliance == |
1475 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS) | 1477 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS) |
1476 return; | 1478 return; |
1477 ExpectCTState state; | 1479 ExpectCTState state; |
1478 if (GetStaticExpectCTState(host_port_pair.host(), &state)) { | 1480 if (GetStaticExpectCTState(host_port_pair.host(), &state)) { |
1479 MaybeNotifyExpectCTFailed(host_port_pair, state.report_uri, | 1481 MaybeNotifyExpectCTFailed(host_port_pair, state.report_uri, base::Time(), |
1480 ssl_info.cert.get(), | 1482 ssl_info.cert.get(), |
1481 ssl_info.unverified_cert.get(), | 1483 ssl_info.unverified_cert.get(), |
1482 ssl_info.signed_certificate_timestamps); | 1484 ssl_info.signed_certificate_timestamps); |
1483 } | 1485 } |
1484 return; | 1486 return; |
1485 } | 1487 } |
1486 | 1488 |
1487 // Otherwise, see if the site has sent a valid Expect-CT header to dynamically | 1489 // Otherwise, see if the site has sent a valid Expect-CT header to dynamically |
1488 // turn on reporting and/or enforcement. | 1490 // turn on reporting and/or enforcement. |
1489 if (!IsDynamicExpectCTEnabled()) | 1491 if (!IsDynamicExpectCTEnabled()) |
(...skipping 15 matching lines...)
1505 ExpectCTState state; | 1507 ExpectCTState state; |
1506 // If an Expect-CT header is observed over a non-compliant connection, the | 1508 // If an Expect-CT header is observed over a non-compliant connection, the |
1507 // site owner should be notified about the misconfiguration. If the site was | 1509 // site owner should be notified about the misconfiguration. If the site was |
1508 // already opted in to Expect-CT, this report would have been sent at | 1510 // already opted in to Expect-CT, this report would have been sent at |
1509 // connection setup time. If the host is not already a noted Expect-CT host, | 1511 // connection setup time. If the host is not already a noted Expect-CT host, |
1510 // however, the lack of CT compliance would not have been evaluated/reported | 1512 // however, the lack of CT compliance would not have been evaluated/reported |
1511 // at connection setup time, so it needs to be reported here while | 1513 // at connection setup time, so it needs to be reported here while |
1512 // processing the header. | 1514 // processing the header. |
1513 if (expect_ct_reporter_ && !report_uri.is_empty() && | 1515 if (expect_ct_reporter_ && !report_uri.is_empty() && |
1514 !GetDynamicExpectCTState(host_port_pair.host(), &state)) { | 1516 !GetDynamicExpectCTState(host_port_pair.host(), &state)) { |
1515 MaybeNotifyExpectCTFailed(host_port_pair, report_uri, ssl_info.cert.get(), | 1517 MaybeNotifyExpectCTFailed(host_port_pair, report_uri, base::Time(), |
| 1518 ssl_info.cert.get(), |
1516 ssl_info.unverified_cert.get(), | 1519 ssl_info.unverified_cert.get(), |
1517 ssl_info.signed_certificate_timestamps); | 1520 ssl_info.signed_certificate_timestamps); |
1518 } | 1521 } |
1519 return; | 1522 return; |
1520 } | 1523 } |
1521 AddExpectCTInternal(host_port_pair.host(), now, now + max_age, enforce, | 1524 AddExpectCTInternal(host_port_pair.host(), now, now + max_age, enforce, |
1522 report_uri); | 1525 report_uri); |
1523 } | 1526 } |
1524 | 1527 |
1525 // static | 1528 // static |
(...skipping 316 matching lines...)
1842 TransportSecurityState::PKPStateIterator::PKPStateIterator( | 1845 TransportSecurityState::PKPStateIterator::PKPStateIterator( |
1843 const TransportSecurityState& state) | 1846 const TransportSecurityState& state) |
1844 : iterator_(state.enabled_pkp_hosts_.begin()), | 1847 : iterator_(state.enabled_pkp_hosts_.begin()), |
1845 end_(state.enabled_pkp_hosts_.end()) { | 1848 end_(state.enabled_pkp_hosts_.end()) { |
1846 } | 1849 } |
1847 | 1850 |
1848 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { | 1851 TransportSecurityState::PKPStateIterator::~PKPStateIterator() { |
1849 } | 1852 } |
1850 | 1853 |
1851 } // namespace net | 1854 } // namespace net |
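Review bot: The new `expiration` argument has no documented contract, yet two of the three call sites (new lines 1481 and 1517) pass a default-constructed `base::Time()`, while only the dynamic-state path at new line 894 passes a real `state.expiry`. A null time presumably means "no stored Expect-CT expiry applies", but the visible definition of MaybeNotifyExpectCTFailed forwards it to `OnExpectCTFailed` unchanged, so each reporter must test `expiration.is_null()` before writing it into a report; that implementation is not on this page, so confirm it does. I would add above the definition something like `// |expiration| is the expiry of the stored dynamic Expect-CT state, or a null base::Time() when the report is not based on stored state.` and mirror it on the declaration in the header. A report that carried the time epoch as its expiration date would mislead the site operator who receives it.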