Centralize the logic for checking public key pins

net/http/transport_security_state.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #if defined(USE_OPENSSL)
 #include <openssl/ecdsa.h>
 #include <openssl/ssl.h>
 #else  // !defined(USE_OPENSSL)
@@ skipping 66 matching lines @@
              HashValueVector* out) {
   HashValue hash(HASH_VALUE_SHA1);
   memcpy(hash.data(), sha1_hash, hash.size());
   out->push_back(hash);
   return true;
 }
 
 }  // namespace
 
 TransportSecurityState::TransportSecurityState()
-  : delegate_(NULL) {
+    : delegate_(NULL),
+      enable_static_pinning_(true) {
+  // Static pinning is only enabled for official builds to make sure that
+  // others don't end up with pins that cannot be easily updated.
+#if !defined(OFFICIAL_BUILD) || defined(OS_ANDROID) || defined(OS_IOS)
+  enable_static_pinning_ = false;
+#endif
   DCHECK(CalledOnValidThread());
 }
 
 TransportSecurityState::Iterator::Iterator(const TransportSecurityState& state)
     : iterator_(state.enabled_hosts_.begin()),
       end_(state.enabled_hosts_.end()) {
 }
 
 TransportSecurityState::Iterator::~Iterator() {}
 
@@ skipping 13 matching lines @@
 
   DomainState static_state;
   if (GetStaticDomainState(host, sni_enabled, &static_state) &&
       static_state.ShouldUpgradeToSSL()) {
       return true;
   }
 
   return false;
 }
 
-bool TransportSecurityState::CheckPublicKeyPins(const std::string& host,
-                                                bool sni_enabled,
-                                                const HashValueVector& hashes,
-                                                std::string* failure_log) {
+bool TransportSecurityState::CheckPublicKeyPins(
+    const std::string& host,
+    bool sni_available,
+    bool is_issued_by_known_root,
+    const HashValueVector& public_key_hashes,
+    std::string* pinning_failure_log) {
+  // Perform pin validation if, and only if, all these conditions obtain:
+  //
+  // * the server's certificate chain chains up to a known root (i.e. not a
+  //   user-installed trust anchor); and
+  // * the build is recent (very old builds should fail open so that users
+  //   have some chance to recover).
+  //
+  if (!is_issued_by_known_root ||
+      !IsBuildTimely() ||
+      !HasPublicKeyPins(host, sni_available)) {
+    return true;

[Ryan Sleevi, 2014/08/07 23:31:19]

Re-git-cl-format this?

[Ryan Hamilton, 2014/08/08 00:54:00]

Done.

+  }
+
+  bool pins_are_valid = CheckPublicKeyPinsImpl(host,
+                                               sni_available,
+                                               public_key_hashes,
+                                               pinning_failure_log);
+  if (!pins_are_valid) {
+    LOG(ERROR) << *pinning_failure_log;
+    ReportUMAOnPinFailure(host);
+  }
+
+  UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", pins_are_valid);
+  return pins_are_valid;
+}
+
+bool TransportSecurityState::CheckPublicKeyPinsImpl(
+    const std::string& host,
+    bool sni_enabled,
+    const HashValueVector& hashes,
+    std::string* failure_log) {
   DomainState dynamic_state;
   if (GetDynamicDomainState(host, &dynamic_state))
     return dynamic_state.CheckPublicKeyPins(hashes, failure_log);
 
   DomainState static_state;
-  if (GetStaticDomainState(host, sni_enabled, &static_state) &&
-      static_state.CheckPublicKeyPins(hashes, failure_log)) {
-      return true;
-  }
+  if (GetStaticDomainState(host, sni_enabled, &static_state))
+    return static_state.CheckPublicKeyPins(hashes, failure_log);
 
+  // HasPublicKeyPins should have returned true in order for this method
+  // to have been called, so if we fall through to here, it's an error.
   return false;
 }
 
 bool TransportSecurityState::HasPublicKeyPins(const std::string& host,
                                               bool sni_enabled) {
   DomainState dynamic_state;
   if (GetDynamicDomainState(host, &dynamic_state))
     return dynamic_state.HasPublicKeyPins();
 
   DomainState static_state;
@@ skipping 616 matching lines @@
   const base::Time build_time = base::GetBuildTime();
   // We consider built-in information to be timely for 10 weeks.
   return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
 }
 
 bool TransportSecurityState::GetStaticDomainState(const std::string& host,
                                                   bool sni_enabled,
                                                   DomainState* out) const {
   DCHECK(CalledOnValidThread());
 
+  if (!enable_static_pinning_)
+    return false;

[Ryan Sleevi, 2014/08/07 23:31:19]

Ugh and crap.

This breaks HSTS. And we didn't have any tests that caught it, presumably, which
is double-plus-ungood. Or it just worked because of flipping the bool.

I think it just means we move the enable_static_pinning_ check into HasPreload,
and don't set the required hashes / excluded hashes (lines 611 onward, which
modify out->pkp). With out->pkp empty, you should fall through to line 921,
which allows any chain to be valid.

[Ryan Hamilton, 2014/08/08 00:54:00]

Done. (I hope :>)

+
   const std::string canonicalized_host = CanonicalizeHost(host);
 
   out->sts.upgrade_mode = DomainState::MODE_FORCE_HTTPS;
   out->sts.include_subdomains = false;
   out->pkp.include_subdomains = false;
 
   const bool is_build_timely = IsBuildTimely();
 
   for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
     std::string host_sub_chunk(&canonicalized_host[i],
@@ skipping 120 matching lines @@
   return pkp.spki_hashes.size() > 0 || pkp.bad_spki_hashes.size() > 0;
 }
 
 TransportSecurityState::DomainState::PKPState::PKPState() {
 }
 
 TransportSecurityState::DomainState::PKPState::~PKPState() {
 }
 
 }  // namespace