| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #if defined(USE_OPENSSL) | 7 #if defined(USE_OPENSSL) |
| 8 #include <openssl/ecdsa.h> | 8 #include <openssl/ecdsa.h> |
| 9 #include <openssl/ssl.h> | 9 #include <openssl/ssl.h> |
| 10 #else // !defined(USE_OPENSSL) | 10 #else // !defined(USE_OPENSSL) |
| (...skipping 397 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 408 #include "net/http/transport_security_state_static.h" | 408 #include "net/http/transport_security_state_static.h" |
| 409 | 409 |
| 410 // PreloadResult is the result of resolving a specific name in the preloaded | 410 // PreloadResult is the result of resolving a specific name in the preloaded |
| 411 // data. | 411 // data. |
| 412 struct PreloadResult { | 412 struct PreloadResult { |
| 413 uint32 pinset_id; | 413 uint32 pinset_id; |
| 414 uint32 domain_id; | 414 uint32 domain_id; |
| 415 // hostname_offset contains the number of bytes from the start of the given | 415 // hostname_offset contains the number of bytes from the start of the given |
| 416 // hostname where the name of the matching entry starts. | 416 // hostname where the name of the matching entry starts. |
| 417 size_t hostname_offset; | 417 size_t hostname_offset; |
| 418 bool include_subdomains; | 418 bool sts_include_subdomains; |
| 419 bool pkp_include_subdomains; |
| 419 bool force_https; | 420 bool force_https; |
| 420 bool has_pins; | 421 bool has_pins; |
| 421 }; | 422 }; |
| 422 | 423 |
| 423 // DecodeHSTSPreloadRaw resolves |hostname| in the preloaded data. It returns | 424 // DecodeHSTSPreloadRaw resolves |hostname| in the preloaded data. It returns |
| 424 // false on internal error and true otherwise. After a successful return, | 425 // false on internal error and true otherwise. After a successful return, |
| 425 // |*out_found| is true iff a relevant entry has been found. If so, |*out| | 426 // |*out_found| is true iff a relevant entry has been found. If so, |*out| |
| 426 // contains the details. | 427 // contains the details. |
| 427 // | 428 // |
| 428 // Don't call this function, call DecodeHSTSPreload, below. | 429 // Don't call this function, call DecodeHSTSPreload, below. |
| (...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 502 if (!huffman.Decode(&reader, &c)) { | 503 if (!huffman.Decode(&reader, &c)) { |
| 503 return false; | 504 return false; |
| 504 } | 505 } |
| 505 if (c == kEndOfTable) { | 506 if (c == kEndOfTable) { |
| 506 // No exact match. | 507 // No exact match. |
| 507 return true; | 508 return true; |
| 508 } | 509 } |
| 509 | 510 |
| 510 if (c == kEndOfString) { | 511 if (c == kEndOfString) { |
| 511 PreloadResult tmp; | 512 PreloadResult tmp; |
| 512 if (!reader.Next(&tmp.include_subdomains) || | 513 if (!reader.Next(&tmp.sts_include_subdomains) || |
| 513 !reader.Next(&tmp.force_https) || | 514 !reader.Next(&tmp.force_https) || |
| 514 !reader.Next(&tmp.has_pins)) { | 515 !reader.Next(&tmp.has_pins)) { |
| 515 return false; | 516 return false; |
| 516 } | 517 } |
| 517 | 518 |
| 519 tmp.pkp_include_subdomains = tmp.sts_include_subdomains; |
| 520 |
| 518 if (tmp.has_pins) { | 521 if (tmp.has_pins) { |
| 519 if (!reader.Read(4, &tmp.pinset_id) || | 522 if (!reader.Read(4, &tmp.pinset_id) || |
| 520 !reader.Read(9, &tmp.domain_id)) { | 523 !reader.Read(9, &tmp.domain_id) || |
| 524 (!tmp.sts_include_subdomains && |
| 525 !reader.Next(&tmp.pkp_include_subdomains))) { |
| 521 return false; | 526 return false; |
| 522 } | 527 } |
| 523 } | 528 } |
| 524 | 529 |
| 525 tmp.hostname_offset = hostname_offset; | 530 tmp.hostname_offset = hostname_offset; |
| 526 | 531 |
| 527 if (hostname_offset == 0 || hostname[hostname_offset - 1] == '.') { | 532 if (hostname_offset == 0 || hostname[hostname_offset - 1] == '.') { |
| 528 *out_found = tmp.include_subdomains; | 533 *out_found = |
| 534 tmp.sts_include_subdomains || tmp.pkp_include_subdomains; |
| 529 *out = tmp; | 535 *out = tmp; |
| 530 } | |
| 531 | 536 |
| 532 if (hostname_offset == 0) { | 537 if (hostname_offset > 0) { |
| 533 *out_found = true; | 538 out->force_https &= tmp.sts_include_subdomains; |
| 534 return true; | 539 } else { |
| 540 *out_found = true; |
| 541 return true; |
| 542 } |
| 535 } | 543 } |
| 536 | 544 |
| 537 continue; | 545 continue; |
| 538 } | 546 } |
| 539 | 547 |
| 540 // The entries in a dispatch table are in order thus we can tell if there | 548 // The entries in a dispatch table are in order thus we can tell if there |
| 541 // will be no match if the current character past the one that we want. | 549 // will be no match if the current character past the one that we want. |
| 542 if (hostname_offset == 0 || hostname[hostname_offset-1] < c) { | 550 if (hostname_offset == 0 || hostname[hostname_offset-1] < c) { |
| 543 return true; | 551 return true; |
| 544 } | 552 } |
| (...skipping 216 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 761 out->pkp.include_subdomains = false; | 769 out->pkp.include_subdomains = false; |
| 762 | 770 |
| 763 if (!IsBuildTimely()) | 771 if (!IsBuildTimely()) |
| 764 return false; | 772 return false; |
| 765 | 773 |
| 766 PreloadResult result; | 774 PreloadResult result; |
| 767 if (!DecodeHSTSPreload(host, &result)) | 775 if (!DecodeHSTSPreload(host, &result)) |
| 768 return false; | 776 return false; |
| 769 | 777 |
| 770 out->domain = host.substr(result.hostname_offset); | 778 out->domain = host.substr(result.hostname_offset); |
| 771 out->sts.include_subdomains = result.include_subdomains; | 779 out->sts.include_subdomains = result.sts_include_subdomains; |
| 772 out->sts.last_observed = base::GetBuildTime(); | 780 out->sts.last_observed = base::GetBuildTime(); |
| 773 out->sts.upgrade_mode = | 781 out->sts.upgrade_mode = |
| 774 TransportSecurityState::DomainState::MODE_DEFAULT; | 782 TransportSecurityState::DomainState::MODE_DEFAULT; |
| 775 if (result.force_https) { | 783 if (result.force_https) { |
| 776 out->sts.upgrade_mode = | 784 out->sts.upgrade_mode = |
| 777 TransportSecurityState::DomainState::MODE_FORCE_HTTPS; | 785 TransportSecurityState::DomainState::MODE_FORCE_HTTPS; |
| 778 } | 786 } |
| 779 | 787 |
| 780 if (enable_static_pins_ && result.has_pins) { | 788 if (enable_static_pins_ && result.has_pins) { |
| 781 out->pkp.include_subdomains = result.include_subdomains; | 789 out->pkp.include_subdomains = result.pkp_include_subdomains; |
| 782 out->pkp.last_observed = base::GetBuildTime(); | 790 out->pkp.last_observed = base::GetBuildTime(); |
| 783 | 791 |
| 784 if (result.pinset_id >= arraysize(kPinsets)) | 792 if (result.pinset_id >= arraysize(kPinsets)) |
| 785 return false; | 793 return false; |
| 786 const Pinset *pinset = &kPinsets[result.pinset_id]; | 794 const Pinset *pinset = &kPinsets[result.pinset_id]; |
| 787 | 795 |
| 788 if (pinset->accepted_pins) { | 796 if (pinset->accepted_pins) { |
| 789 const char* const* sha1_hash = pinset->accepted_pins; | 797 const char* const* sha1_hash = pinset->accepted_pins; |
| 790 while (*sha1_hash) { | 798 while (*sha1_hash) { |
| 791 AddHash(*sha1_hash, &out->pkp.spki_hashes); | 799 AddHash(*sha1_hash, &out->pkp.spki_hashes); |
| (...skipping 116 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 908 return pkp.spki_hashes.size() > 0 || pkp.bad_spki_hashes.size() > 0; | 916 return pkp.spki_hashes.size() > 0 || pkp.bad_spki_hashes.size() > 0; |
| 909 } | 917 } |
| 910 | 918 |
| 911 TransportSecurityState::DomainState::PKPState::PKPState() { | 919 TransportSecurityState::DomainState::PKPState::PKPState() { |
| 912 } | 920 } |
| 913 | 921 |
| 914 TransportSecurityState::DomainState::PKPState::~PKPState() { | 922 TransportSecurityState::DomainState::PKPState::~PKPState() { |
| 915 } | 923 } |
| 916 | 924 |
| 917 } // namespace | 925 } // namespace |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 723343002:
Update from https://crrev.com/304121 (Closed)
Base URL: git@github.com:domokit/mojo.git@master