OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 5 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 6 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
7 | 7 |
8 #include <map> | 8 #include <map> |
9 #include <string> | 9 #include <string> |
10 #include <utility> | 10 #include <utility> |
(...skipping 145 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
156 std::map<std::string, DomainState>::const_iterator end_; | 156 std::map<std::string, DomainState>::const_iterator end_; |
157 }; | 157 }; |
158 | 158 |
159 // These functions search for static and dynamic DomainStates, and invoke the | 159 // These functions search for static and dynamic DomainStates, and invoke the |
160 // functions of the same name on them. These functions are the primary public | 160 // functions of the same name on them. These functions are the primary public |
161 // interface; direct access to DomainStates is best left to tests. | 161 // interface; direct access to DomainStates is best left to tests. |
162 bool ShouldSSLErrorsBeFatal(const std::string& host, bool sni_enabled); | 162 bool ShouldSSLErrorsBeFatal(const std::string& host, bool sni_enabled); |
163 bool ShouldUpgradeToSSL(const std::string& host, bool sni_enabled); | 163 bool ShouldUpgradeToSSL(const std::string& host, bool sni_enabled); |
164 bool CheckPublicKeyPins(const std::string& host, | 164 bool CheckPublicKeyPins(const std::string& host, |
165 bool sni_enabled, | 165 bool sni_enabled, |
166 bool is_issued_by_known_root, | |
166 const HashValueVector& hashes, | 167 const HashValueVector& hashes, |
167 std::string* failure_log); | 168 std::string* failure_log); |
168 bool HasPublicKeyPins(const std::string& host, bool sni_enabled); | 169 bool HasPublicKeyPins(const std::string& host, bool sni_enabled); |
169 | 170 |
170 // Assign a |Delegate| for persisting the transport security state. If | 171 // Assign a |Delegate| for persisting the transport security state. If |
171 // |NULL|, state will not be persisted. The caller retains | 172 // |NULL|, state will not be persisted. The caller retains |
172 // ownership of |delegate|. | 173 // ownership of |delegate|. |
173 // Note: This is only used for serializing/deserializing the | 174 // Note: This is only used for serializing/deserializing the |
174 // TransportSecurityState. | 175 // TransportSecurityState. |
175 void SetDelegate(Delegate* delegate); | 176 void SetDelegate(Delegate* delegate); |
(...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
260 // SNI-using hosts as well as the rest of the pins. | 261 // SNI-using hosts as well as the rest of the pins. |
261 // | 262 // |
262 // If |host| matches both an exact entry and is a subdomain of another | 263 // If |host| matches both an exact entry and is a subdomain of another |
263 // entry, the exact match determines the return value. | 264 // entry, the exact match determines the return value. |
264 static bool IsGooglePinnedProperty(const std::string& host, | 265 static bool IsGooglePinnedProperty(const std::string& host, |
265 bool sni_enabled); | 266 bool sni_enabled); |
266 | 267 |
267 // The maximum number of seconds for which we'll cache an HSTS request. | 268 // The maximum number of seconds for which we'll cache an HSTS request. |
268 static const long int kMaxHSTSAgeSecs; | 269 static const long int kMaxHSTSAgeSecs; |
269 | 270 |
271 private: | |
272 friend class TransportSecurityStateTest; | |
273 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, | |
274 UpdateDynamicPKPOnly); | |
275 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, | |
276 UpdateDynamicPKPMaxAge0); | |
277 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, | |
278 DISABLED_UpdateDynamicPKPMaxAge0); | |
279 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, | |
280 NoClobberPins); | |
281 | |
282 typedef std::map<std::string, DomainState> DomainStateMap; | |
283 | |
270 // Send an UMA report on pin validation failure, if the host is in a | 284 // Send an UMA report on pin validation failure, if the host is in a |
271 // statically-defined list of domains. | 285 // statically-defined list of domains. |
272 // | 286 // |
273 // TODO(palmer): This doesn't really belong here, and should be moved into | 287 // TODO(palmer): This doesn't really belong here, and should be moved into |
274 // the exactly one call site. This requires unifying |struct HSTSPreload| | 288 // the exactly one call site. This requires unifying |struct HSTSPreload| |
275 // (an implementation detail of this class) with a more generic | 289 // (an implementation detail of this class) with a more generic |
276 // representation of first-class DomainStates, and exposing the preloads | 290 // representation of first-class DomainStates, and exposing the preloads |
277 // to the caller with |GetStaticDomainState|. | 291 // to the caller with |GetStaticDomainState|. |
278 static void ReportUMAOnPinFailure(const std::string& host); | 292 static void ReportUMAOnPinFailure(const std::string& host); |
279 | 293 |
280 // IsBuildTimely returns true if the current build is new enough ensure that | 294 // IsBuildTimely returns true if the current build is new enough ensure that |
281 // built in security information (i.e. HSTS preloading and pinning | 295 // built in security information (i.e. HSTS preloading and pinning |
282 // information) is timely. | 296 // information) is timely. |
283 static bool IsBuildTimely(); | 297 static bool IsBuildTimely(); |
wtc
2014/08/07 23:39:12
In the .cc file, these two methods are defined aft
Ryan Hamilton
2014/08/08 00:54:00
Done.
| |
284 | 298 |
285 private: | 299 // Helper method for actually checking pins. |
286 friend class TransportSecurityStateTest; | 300 bool CheckPublicKeyPinsImpl(const std::string& host, |
287 FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, | 301 bool sni_enabled, |
288 UpdateDynamicPKPOnly); | 302 const HashValueVector& hashes, |
289 | 303 std::string* failure_log); |
290 typedef std::map<std::string, DomainState> DomainStateMap; | |
291 | 304 |
292 // If a Delegate is present, notify it that the internal state has | 305 // If a Delegate is present, notify it that the internal state has |
293 // changed. | 306 // changed. |
294 void DirtyNotify(); | 307 void DirtyNotify(); |
295 | 308 |
296 // Enable TransportSecurity for |host|. |state| supercedes any previous | 309 // Enable TransportSecurity for |host|. |state| supercedes any previous |
297 // state for the |host|, including static entries. | 310 // state for the |host|, including static entries. |
298 // | 311 // |
299 // The new state for |host| is persisted using the Delegate (if any). | 312 // The new state for |host| is persisted using the Delegate (if any). |
300 void EnableHost(const std::string& host, const DomainState& state); | 313 void EnableHost(const std::string& host, const DomainState& state); |
301 | 314 |
302 // Converts |hostname| from dotted form ("www.google.com") to the form | 315 // Converts |hostname| from dotted form ("www.google.com") to the form |
303 // used in DNS: "\x03www\x06google\x03com", lowercases that, and returns | 316 // used in DNS: "\x03www\x06google\x03com", lowercases that, and returns |
304 // the result. | 317 // the result. |
305 static std::string CanonicalizeHost(const std::string& hostname); | 318 static std::string CanonicalizeHost(const std::string& hostname); |
306 | 319 |
307 // The set of hosts that have enabled TransportSecurity. | 320 // The set of hosts that have enabled TransportSecurity. |
308 DomainStateMap enabled_hosts_; | 321 DomainStateMap enabled_hosts_; |
309 | 322 |
310 Delegate* delegate_; | 323 Delegate* delegate_; |
311 | 324 |
325 // True if static pins should be used. | |
326 bool enable_static_pinning_; | |
wtc
2014/08/07 23:39:12
Ryan asked you to rename this member "enable_stati
Ryan Hamilton
2014/08/08 00:54:00
Done. Thanks, I missed that.
| |
327 | |
312 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); | 328 DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); |
313 }; | 329 }; |
314 | 330 |
315 } // namespace net | 331 } // namespace net |
316 | 332 |
317 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ | 333 #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_H_ |
OLD | NEW |