OLD | NEW |
| (Empty) |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef NET_BASE_SSL_FALSE_START_BLACKLIST_H_ | |
6 #define NET_BASE_SSL_FALSE_START_BLACKLIST_H_ | |
7 | |
8 #include <string> | |
9 | |
10 #include "base/logging.h" | |
11 #include "net/base/net_export.h" | |
12 | |
13 namespace net { | |
14 | |
15 // SSLFalseStartBlacklist is a set of domains which we believe to be intolerant | |
16 // to TLS False Start. Because this set is several hundred long, it's | |
17 // precompiled by the code in ssl_false_start_blacklist_process.cc into a hash | |
18 // table for fast lookups. | |
19 class SSLFalseStartBlacklist { | |
20 public: | |
21 // Returns true if |host| (a DNS name in dotted form, e.g. "www.example.com") | |
22 // is in the blacklist. | |
23 NET_EXPORT_PRIVATE static bool IsMember(const std::string& host); | |
24 | |
25 // Returns the modified djb2 hash of |host|. | |
26 // NOTE: This is inline because the code which generates the hash table needs | |
27 // to use it. However, the generating code cannot link against | |
28 // ssl_false_start_blacklist.cc because that needs the tables which it | |
29 // generates. | |
30 static uint32 Hash(const std::string& host) { | |
31 uint32 hash = 5381; | |
32 for (const uint8* in = reinterpret_cast<const uint8*>(host.c_str()); | |
33 *in != 0; ++in) | |
34 hash = ((hash << 5) + hash) ^ *in; | |
35 return hash; | |
36 } | |
37 | |
38 // Returns the last two dot-separated components of |host|, ignoring any | |
39 // trailing dots. For example, returns "c.d" for "a.b.c.d.". Returns an | |
40 // empty string if |host| does not have two dot-separated components. | |
41 // NOTE: Inline for the same reason as Hash(). | |
42 static std::string LastTwoComponents(const std::string& host) { | |
43 size_t last_nondot = host.find_last_not_of('.'); | |
44 if (last_nondot == std::string::npos) | |
45 return std::string(); | |
46 size_t last_dot = host.find_last_of('.', last_nondot); | |
47 if ((last_dot == 0) || (last_dot == std::string::npos)) | |
48 return std::string(); | |
49 // NOTE: This next line works correctly even when the call returns npos. | |
50 size_t components_begin = host.find_last_of('.', last_dot - 1) + 1; | |
51 return host.substr(components_begin, last_nondot - components_begin + 1); | |
52 } | |
53 | |
54 // This is the number of buckets in the blacklist hash table. (Must be a | |
55 // power of two). | |
56 static const size_t kBuckets = 128; | |
57 | |
58 private: | |
59 // The following two members are defined in | |
60 // ssl_false_start_blacklist_data.cc, which is generated by | |
61 // ssl_false_start_blacklist_process.cc | |
62 | |
63 // kHashTable contains an offset into |kHashData| for each bucket. The | |
64 // additional element at the end contains the length of |kHashData|. | |
65 static const uint32 kHashTable[kBuckets + 1]; | |
66 // kHashData contains the contents of the hash table. |kHashTable| indexes | |
67 // into this array. Each bucket consists of zero or more, 8-bit length | |
68 // prefixed strings. Each string is a DNS name in dotted form. For a given | |
69 // string x, x and *.x are considered to be in the blacklist. In order to | |
70 // assign a string to a hash bucket, the last two labels (not including the | |
71 // root label) are hashed. Thus, the bucket for "www.example.com" is | |
72 // Hash("example.com"). No names that are less than two labels long are | |
73 // included in the blacklist. | |
74 static const char kHashData[]; | |
75 }; | |
76 | |
77 } // namespace net | |
78 | |
79 #endif // NET_BASE_SSL_FALSE_START_BLACKLIST_H_ | |
OLD | NEW |