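--- a/FILE_PATH_NOT_SHOWN
+++ b/FILE_PATH_NOT_SHOWN
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <memory>
 #include <utility>
 #include <vector>
@@ -43,21 +43,21 @@
 #include "net/http/transport_security_state_ct_policies.inc"
 #include "net/http/transport_security_state_static.h"
 
 const size_t kMaxHPKPReportCacheEntries = 50;
 const int kTimeToRememberHPKPReportsMins = 60;
 const size_t kReportCacheKeyLength = 16;
 
 // Points to the active transport security state source.
 const TransportSecurityStateSource* g_hsts_source = &kHSTSSource;
 
-// Override for ShouldRequireCT() for unit tests. Possible values:
+// Override for CheckCTRequirements() for unit tests. Possible values:
 // -1: Unless a delegate says otherwise, do not require CT.
 // 0: Use the default implementation (e.g. production)
 // 1: Unless a delegate says otherwise, require CT.
 int g_ct_required_for_testing = 0;
 
 bool IsDynamicExpectCTEnabled() {
 return base::FeatureList::IsEnabled(
 TransportSecurityState::kDynamicExpectCTFeature);
 }
 
@@ -853,40 +853,75 @@
 STSState unused;
 PKPState static_pkp_state;
 if (GetStaticDomainState(host, &unused, &static_pkp_state)) {
 if (static_pkp_state.HasPublicKeyPins())
 return true;
 }
 
 return false;
 }
 
-bool TransportSecurityState::ShouldRequireCT(
-const std::string& hostname,
+TransportSecurityState::CTRequirementsStatus
+TransportSecurityState::CheckCTRequirements(
+const net::HostPortPair& host_port_pair,
+bool is_issued_by_known_root,
+const HashValueVector& public_key_hashes,
 const X509Certificate* validated_certificate_chain,
-const HashValueVector& public_key_hashes) {
+const X509Certificate* served_certificate_chain,
+const SignedCertificateTimestampAndStatusList&
+signed_certificate_timestamps,
+const ExpectCTReportStatus report_status,
+ct::CertPolicyCompliance cert_policy_compliance) {
 using CTRequirementLevel = RequireCTDelegate::CTRequirementLevel;
+std::string hostname = host_port_pair.host();
+
+// If the connection complies with CT policy, then no further checks are
+// necessary.
+if (cert_policy_compliance ==
+ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS ||
+cert_policy_compliance ==
+ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY) {
+return CT_REQUIREMENTS_MET;
+}
+
+// Check Expect-CT first so that other CT requirements do not prevent
+// Expect-CT reports from being sent.
+ExpectCTState state;
+if (is_issued_by_known_root && IsDynamicExpectCTEnabled() &&
+GetDynamicExpectCTState(hostname, &state)) {
+if (expect_ct_reporter_ && !state.report_uri.is_empty() &&
+report_status == ENABLE_EXPECT_CT_REPORTS) {
+expect_ct_reporter_->OnExpectCTFailed(
+host_port_pair, state.report_uri, validated_certificate_chain,
+served_certificate_chain, signed_certificate_timestamps);
+}
+if (state.enforce)
+return CT_REQUIREMENTS_NOT_MET;
+}
 
 CTRequirementLevel ct_required = CTRequirementLevel::DEFAULT;
 if (require_ct_delegate_)
 ct_required = require_ct_delegate_->IsCTRequiredForHost(hostname);
 if (ct_required != CTRequirementLevel::DEFAULT)
-return ct_required == CTRequirementLevel::REQUIRED;
+return (ct_required == CTRequirementLevel::REQUIRED
+? CT_REQUIREMENTS_NOT_MET
+: CT_REQUIREMENTS_MET);
 
 // Allow unittests to override the default result.
 if (g_ct_required_for_testing)
-return g_ct_required_for_testing == 1;
+return (g_ct_required_for_testing == 1 ? CT_REQUIREMENTS_NOT_MET
+: CT_REQUIREMENTS_MET);
 
 // Until CT is required for all secure hosts on the Internet, this should
-// remain false. It is provided to simplify the various short-circuit
-// returns below.
-bool default_response = false;
+// remain CT_REQUIREMENTS_MET. It is provided to simplify the various
+// short-circuit returns below.
+const CTRequirementsStatus default_response = CT_REQUIREMENTS_MET;
 
 // FieldTrials are not supported in Native Client apps.
 #if !defined(OS_NACL)
 // Emergency escape valve; not to be activated until there's an actual
 // emergency (e.g. a weird path-building bug due to a CA's failed
 // disclosure of cross-signed sub-CAs).
 std::string group_name =
 base::FieldTrialList::FindFullName("EnforceCTForProblematicRoots");
 if (base::StartsWith(group_name, "disabled",
 base::CompareCase::INSENSITIVE_ASCII)) {
@@ -923,21 +958,21 @@
 if (std::binary_search(
 restricted_ca.exceptions,
 restricted_ca.exceptions + restricted_ca.exceptions_length,
 sub_ca_hash, SHA256ToHashValueComparator())) {
 // Found an excluded sub-CA; CT is not required.
 return default_response;
 }
 }
 
 // No exception found. This certificate must conform to the CT policy.
-return true;
+return CT_REQUIREMENTS_NOT_MET;
 }
 }
 
 return default_response;
 }
 
 void TransportSecurityState::SetDelegate(
 TransportSecurityState::Delegate* delegate) {
 DCHECK(CalledOnValidThread());
 delegate_ = delegate;
@@ -1406,22 +1441,24 @@
 return;
 if (!ssl_info.is_issued_by_known_root)
 return;
 if (!ssl_info.ct_compliance_details_available)
 return;
 if (ssl_info.ct_cert_policy_compliance ==
 ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)
 return;
 ExpectCTState state;
 if (GetStaticExpectCTState(host_port_pair.host(), &state)) {
-expect_ct_reporter_->OnExpectCTFailed(host_port_pair, state.report_uri,
-ssl_info);
+expect_ct_reporter_->OnExpectCTFailed(
+host_port_pair, state.report_uri, ssl_info.cert.get(),
+ssl_info.unverified_cert.get(),
+ssl_info.signed_certificate_timestamps);
 }
 return;
 }
 
 // Otherwise, see if the site has sent a valid Expect-CT header to dynamically
 // turn on reporting and/or enforcement.
 if (!IsDynamicExpectCTEnabled())
 return;
 base::Time now = base::Time::Now();
 base::TimeDelta max_age;
@@ -1440,22 +1477,24 @@
 ExpectCTState state;
 // If an Expect-CT header is observed over a non-compliant connection, the
 // site owner should be notified about the misconfiguration. If the site was
 // already opted in to Expect-CT, this report would have been sent at
 // connection setup time. If the host is not already a noted Expect-CT host,
 // however, the lack of CT compliance would not have been evaluated/reported
 // at connection setup time, so it needs to be reported here while
 // processing the header.
 if (expect_ct_reporter_ && !report_uri.is_empty() &&
 !GetDynamicExpectCTState(host_port_pair.host(), &state)) {
-expect_ct_reporter_->OnExpectCTFailed(host_port_pair, report_uri,
-ssl_info);
+expect_ct_reporter_->OnExpectCTFailed(
+host_port_pair, report_uri, ssl_info.cert.get(),
+ssl_info.unverified_cert.get(),
+ssl_info.signed_certificate_timestamps);
 }
 return;
 }
 AddExpectCTInternal(host_port_pair.host(), now, now + max_age, enforce,
 report_uri);
 }
 
 // static
 void TransportSecurityState::SetShouldRequireCTForTesting(bool* required) {
 if (!required) {
@@ -1790,10 +1829,10 @@
 TransportSecurityState::PKPStateIterator::PKPStateIterator(
 const TransportSecurityState& state)
 : iterator_(state.enabled_pkp_hosts_.begin()),
 end_(state.enabled_pkp_hosts_.end()) {
 }
 
 TransportSecurityState::PKPStateIterator::~PKPStateIterator() {
 }
 
 } // namespace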
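Review bot: In CheckCTRequirements the early return at new lines 879-884 treats CERT_POLICY_BUILD_NOT_TIMELY the same as CERT_POLICY_COMPLIES_VIA_SCTS and runs before the Expect-CT block, so a host with an enforcing dynamic Expect-CT entry gets neither a report nor enforcement from a not-timely build, whereas the header-processing path at new lines 1446-1448 (whose function starts outside the shown lines) short-circuits only on CERT_POLICY_COMPLIES_VIA_SCTS. If suppressing both enforcement and reporting on a stale build is the intent, a comment at the early return such as `// A build that is not timely cannot evaluate CT policy reliably; treat it as compliant and send no Expect-CT report.` would record that; otherwise the two paths should agree on how BUILD_NOT_TIMELY is handled. `std::string hostname = host_port_pair.host();` at new line 875 copies a value that is only read; a `const std::string&` binding avoids the copy if host() returns a reference, which the header (not in this file) would confirm. The declaration of CheckCTRequirements also lives outside this file, and its comment should state that the call may send an Expect-CT report as a side effect even when it returns CT_REQUIREMENTS_MET.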