
Side by Side Diff: net/http/transport_security_state.cc

Issue 452183002: Perform dynamic pin checks even when the build is not timely. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Fix comments from rsleevi Created 6 years, 4 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/http/transport_security_state.h" 5 #include "net/http/transport_security_state.h"
6 6
7 #if defined(USE_OPENSSL) 7 #if defined(USE_OPENSSL)
8 #include <openssl/ecdsa.h> 8 #include <openssl/ecdsa.h>
9 #include <openssl/ssl.h> 9 #include <openssl/ssl.h>
10 #else // !defined(USE_OPENSSL) 10 #else // !defined(USE_OPENSSL)
(...skipping 115 matching lines...) Expand 10 before | Expand all | Expand 10 after
126 bool TransportSecurityState::CheckPublicKeyPins( 126 bool TransportSecurityState::CheckPublicKeyPins(
127 const std::string& host, 127 const std::string& host,
128 bool sni_available, 128 bool sni_available,
129 bool is_issued_by_known_root, 129 bool is_issued_by_known_root,
130 const HashValueVector& public_key_hashes, 130 const HashValueVector& public_key_hashes,
131 std::string* pinning_failure_log) { 131 std::string* pinning_failure_log) {
132 // Perform pin validation if, and only if, all these conditions obtain: 132 // Perform pin validation if, and only if, all these conditions obtain:
133 // 133 //
134 // * the server's certificate chain chains up to a known root (i.e. not a 134 // * the server's certificate chain chains up to a known root (i.e. not a
135 // user-installed trust anchor); and 135 // user-installed trust anchor); and
136 // * the build is recent (very old builds should fail open so that users
137 // have some chance to recover).
138 // * the server actually has public key pins. 136 // * the server actually has public key pins.
139 // 137 if (!is_issued_by_known_root || !HasPublicKeyPins(host, sni_available)) {
140 // TODO(rsleevi): http://crbug.com/391032 - Only disable static HPKP if the
141 // build is not timely.
142 if (!is_issued_by_known_root || !IsBuildTimely() ||
143 !HasPublicKeyPins(host, sni_available)) {
144 return true; 138 return true;
145 } 139 }
146 140
147 bool pins_are_valid = CheckPublicKeyPinsImpl( 141 bool pins_are_valid = CheckPublicKeyPinsImpl(
148 host, sni_available, public_key_hashes, pinning_failure_log); 142 host, sni_available, public_key_hashes, pinning_failure_log);
149 if (!pins_are_valid) { 143 if (!pins_are_valid) {
150 LOG(ERROR) << *pinning_failure_log; 144 LOG(ERROR) << *pinning_failure_log;
151 ReportUMAOnPinFailure(host); 145 ReportUMAOnPinFailure(host);
152 } 146 }
153 147
(...skipping 658 matching lines...) Expand 10 before | Expand all | Expand 10 after
812 bool sni_enabled, 806 bool sni_enabled,
813 DomainState* out) const { 807 DomainState* out) const {
814 DCHECK(CalledOnValidThread()); 808 DCHECK(CalledOnValidThread());
815 809
816 const std::string canonicalized_host = CanonicalizeHost(host); 810 const std::string canonicalized_host = CanonicalizeHost(host);
817 811
818 out->sts.upgrade_mode = DomainState::MODE_FORCE_HTTPS; 812 out->sts.upgrade_mode = DomainState::MODE_FORCE_HTTPS;
819 out->sts.include_subdomains = false; 813 out->sts.include_subdomains = false;
820 out->pkp.include_subdomains = false; 814 out->pkp.include_subdomains = false;
821 815
822 const bool is_build_timely = IsBuildTimely(); 816 const bool is_build_timely = IsBuildTimely();
wtc 2014/08/13 23:08:21 Nit: I assume we are now relying on this IsBuildTi
823 817
824 for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) { 818 for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
825 std::string host_sub_chunk(&canonicalized_host[i], 819 std::string host_sub_chunk(&canonicalized_host[i],
826 canonicalized_host.size() - i); 820 canonicalized_host.size() - i);
827 out->domain = DNSDomainToString(host_sub_chunk); 821 out->domain = DNSDomainToString(host_sub_chunk);
828 bool ret; 822 bool ret;
829 if (is_build_timely && HasPreload(kPreloadedSTS, 823 if (is_build_timely && HasPreload(kPreloadedSTS,
830 kNumPreloadedSTS, 824 kNumPreloadedSTS,
831 canonicalized_host, 825 canonicalized_host,
832 i, 826 i,
(...skipping 120 matching lines...) Expand 10 before | Expand all | Expand 10 after
953 return pkp.spki_hashes.size() > 0 || pkp.bad_spki_hashes.size() > 0; 947 return pkp.spki_hashes.size() > 0 || pkp.bad_spki_hashes.size() > 0;
954 } 948 }
955 949
956 TransportSecurityState::DomainState::PKPState::PKPState() { 950 TransportSecurityState::DomainState::PKPState::PKPState() {
957 } 951 }
958 952
959 TransportSecurityState::DomainState::PKPState::~PKPState() { 953 TransportSecurityState::DomainState::PKPState::~PKPState() {
960 } 954 }
961 955
962 } // namespace 956 } // namespace
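Review bot: The condition list above the `if` in `CheckPublicKeyPins` (new lines 132-137) drops the build-recency bullet without saying where the fail-open for stale builds now lives, so the function reads as if pins are always enforced for known roots. In the visible lines the only remaining `IsBuildTimely()` call is the `is_build_timely` local at new line 816, and only its use on the `kPreloadedSTS` lookup is shown; whether the preloaded pin lookup is gated the same way is presumably in the skipped lines and worth confirming. I would keep the invariant documented at the entry point with a comment such as `// Preloaded (static) pins are skipped on stale builds by the static-state lookup; dynamic pins are always checked.` A test that pairs a non-timely build with a mismatching dynamic pin would lock in the new behaviour, if the patch set does not already carry one in another file. The body of `CheckPublicKeyPins` continues past the shown lines.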