1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/transport_security_state.h" | 5 #include "net/base/transport_security_state.h" |
6 | 6 |
7 #if defined(USE_OPENSSL) | 7 #if defined(USE_OPENSSL) |
8 #include <openssl/ecdsa.h> | 8 #include <openssl/ecdsa.h> |
9 #include <openssl/ssl.h> | 9 #include <openssl/ssl.h> |
10 #else // !defined(USE_OPENSSL) | 10 #else // !defined(USE_OPENSSL) |
28 #include "base/string_number_conversions.h" | 28 #include "base/string_number_conversions.h" |
29 #include "base/string_tokenizer.h" | 29 #include "base/string_tokenizer.h" |
30 #include "base/string_util.h" | 30 #include "base/string_util.h" |
31 #include "base/time.h" | 31 #include "base/time.h" |
32 #include "base/utf_string_conversions.h" | 32 #include "base/utf_string_conversions.h" |
33 #include "base/values.h" | 33 #include "base/values.h" |
34 #include "crypto/sha2.h" | 34 #include "crypto/sha2.h" |
35 #include "googleurl/src/gurl.h" | 35 #include "googleurl/src/gurl.h" |
36 #include "net/base/asn1_util.h" | 36 #include "net/base/asn1_util.h" |
37 #include "net/base/dns_util.h" | 37 #include "net/base/dns_util.h" |
38 #include "net/base/public_key_hashes.h" | |
39 #include "net/base/ssl_info.h" | 38 #include "net/base/ssl_info.h" |
40 #include "net/base/x509_certificate.h" | 39 #include "net/base/x509_certificate.h" |
41 #include "net/http/http_util.h" | 40 #include "net/http/http_util.h" |
42 | 41 |
43 #if defined(USE_OPENSSL) | 42 #if defined(USE_OPENSSL) |
44 #include "crypto/openssl_util.h" | 43 #include "crypto/openssl_util.h" |
45 #endif | 44 #endif |
46 | 45 |
47 namespace net { | 46 namespace net { |
48 | 47 |
1141 hash++; | 1140 hash++; |
1142 } | 1141 } |
1143 } | 1142 } |
1144 } | 1143 } |
1145 return true; | 1144 return true; |
1146 } | 1145 } |
1147 } | 1146 } |
1148 return false; | 1147 return false; |
1149 } | 1148 } |
1150 | 1149 |
1151 // kNoRejectedPublicKeys is a placeholder for when no public keys are rejected. | 1150 #include "net/base/hsts_preloaded.h" |
palmer
2012/03/26 23:40:21
Maybe call it tss_static.h? (It's not just HSTS pe
| |
1152 static const char* const kNoRejectedPublicKeys[] = { | |
1153 NULL, | |
1154 }; | |
1155 | |
1156 static const char* const kGoogleAcceptableCerts[] = { | |
1157 kSPKIHash_VeriSignClass3, | |
1158 kSPKIHash_VeriSignClass3_G3, | |
1159 kSPKIHash_Google1024, | |
1160 kSPKIHash_Google2048, | |
1161 kSPKIHash_EquifaxSecureCA, | |
1162 NULL, | |
1163 }; | |
1164 static const char* const kGoogleRejectedCerts[] = { | |
1165 kSPKIHash_Aetna, | |
1166 kSPKIHash_Intel, | |
1167 kSPKIHash_TCTrustCenter, | |
1168 kSPKIHash_Vodafone, | |
1169 NULL, | |
1170 }; | |
1171 #define kGooglePins { \ | |
1172 kGoogleAcceptableCerts, \ | |
1173 kGoogleRejectedCerts, \ | |
1174 } | |
1175 | |
1176 static const char* const kTorAcceptableCerts[] = { | |
1177 kSPKIHash_RapidSSL, | |
1178 kSPKIHash_DigiCertEVRoot, | |
1179 kSPKIHash_Tor1, | |
1180 kSPKIHash_Tor2, | |
1181 kSPKIHash_Tor3, | |
1182 NULL, | |
1183 }; | |
1184 #define kTorPins { \ | |
1185 kTorAcceptableCerts, \ | |
1186 kNoRejectedPublicKeys, \ | |
1187 } | |
1188 | |
1189 static const char* const kTwitterComAcceptableCerts[] = { | |
1190 kSPKIHash_VeriSignClass1, | |
1191 kSPKIHash_VeriSignClass3, | |
1192 kSPKIHash_VeriSignClass3_G4, | |
1193 kSPKIHash_VeriSignClass4_G3, | |
1194 kSPKIHash_VeriSignClass3_G3, | |
1195 kSPKIHash_VeriSignClass1_G3, | |
1196 kSPKIHash_VeriSignClass2_G3, | |
1197 kSPKIHash_VeriSignClass3_G2, | |
1198 kSPKIHash_VeriSignClass2_G2, | |
1199 kSPKIHash_VeriSignClass3_G5, | |
1200 kSPKIHash_VeriSignUniversal, | |
1201 kSPKIHash_GeoTrustGlobal, | |
1202 kSPKIHash_GeoTrustGlobal2, | |
1203 kSPKIHash_GeoTrustUniversal, | |
1204 kSPKIHash_GeoTrustUniversal2, | |
1205 kSPKIHash_GeoTrustPrimary, | |
1206 kSPKIHash_GeoTrustPrimary_G2, | |
1207 kSPKIHash_GeoTrustPrimary_G3, | |
1208 kSPKIHash_Twitter1, | |
1209 NULL, | |
1210 }; | |
1211 #define kTwitterComPins { \ | |
1212 kTwitterComAcceptableCerts, \ | |
1213 kNoRejectedPublicKeys, \ | |
1214 } | |
1215 | |
1216 // kTwitterCDNAcceptableCerts are the set of public keys valid for Twitter's | |
1217 // CDNs, which includes all the keys from kTwitterComAcceptableCerts. | |
1218 static const char* const kTwitterCDNAcceptableCerts[] = { | |
1219 kSPKIHash_VeriSignClass1, | |
1220 kSPKIHash_VeriSignClass3, | |
1221 kSPKIHash_VeriSignClass3_G4, | |
1222 kSPKIHash_VeriSignClass4_G3, | |
1223 kSPKIHash_VeriSignClass3_G3, | |
1224 kSPKIHash_VeriSignClass1_G3, | |
1225 kSPKIHash_VeriSignClass2_G3, | |
1226 kSPKIHash_VeriSignClass3_G2, | |
1227 kSPKIHash_VeriSignClass2_G2, | |
1228 kSPKIHash_VeriSignClass3_G5, | |
1229 kSPKIHash_VeriSignUniversal, | |
1230 kSPKIHash_GeoTrustGlobal, | |
1231 kSPKIHash_GeoTrustGlobal2, | |
1232 kSPKIHash_GeoTrustUniversal, | |
1233 kSPKIHash_GeoTrustUniversal2, | |
1234 kSPKIHash_GeoTrustPrimary, | |
1235 kSPKIHash_GeoTrustPrimary_G2, | |
1236 kSPKIHash_GeoTrustPrimary_G3, | |
1237 kSPKIHash_Twitter1, | |
1238 | |
1239 kSPKIHash_Entrust_2048, | |
1240 kSPKIHash_Entrust_EV, | |
1241 kSPKIHash_Entrust_G2, | |
1242 kSPKIHash_Entrust_SSL, | |
1243 kSPKIHash_AAACertificateServices, | |
1244 kSPKIHash_AddTrustClass1CARoot, | |
1245 kSPKIHash_AddTrustExternalCARoot, | |
1246 kSPKIHash_AddTrustPublicCARoot, | |
1247 kSPKIHash_AddTrustQualifiedCARoot, | |
1248 kSPKIHash_COMODOCertificationAuthority, | |
1249 kSPKIHash_SecureCertificateServices, | |
1250 kSPKIHash_TrustedCertificateServices, | |
1251 kSPKIHash_UTNDATACorpSGC, | |
1252 kSPKIHash_UTNUSERFirstClientAuthenticationandEmail, | |
1253 kSPKIHash_UTNUSERFirstHardware, | |
1254 kSPKIHash_UTNUSERFirstObject, | |
1255 kSPKIHash_GTECyberTrustGlobalRoot, | |
1256 NULL, | |
1257 }; | |
1258 #define kTwitterCDNPins { \ | |
1259 kTwitterCDNAcceptableCerts, \ | |
1260 kNoRejectedPublicKeys, \ | |
1261 } | |
1262 | |
1263 // kTestAcceptableCerts doesn't actually match any public keys and is used | |
1264 // with "pinningtest.appspot.com", below, to test if pinning is active. | |
1265 static const char* const kTestAcceptableCerts[] = { | |
1266 "sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=", | |
1267 NULL, | |
1268 }; | |
1269 #define kTestPins { \ | |
1270 kTestAcceptableCerts, \ | |
1271 kNoRejectedPublicKeys, \ | |
1272 } | |
1273 | |
1274 #define kNoPins { \ | |
1275 NULL, NULL, \ | |
1276 } | |
1277 | |
1278 #if defined(OS_CHROMEOS) | |
1279 static const bool kTwitterHSTS = true; | |
1280 #else | |
1281 static const bool kTwitterHSTS = false; | |
1282 #endif | |
1283 | |
1284 // In the medium term this list is likely to just be hardcoded here. This | |
1285 // slightly odd form removes the need for additional relocations records. | |
1286 static const struct HSTSPreload kPreloadedSTS[] = { | |
1287 // (*.)google.com, iff using SSL must use an acceptable certificate. | |
1288 {12, true, "\006google\003com", false, kGooglePins, | |
1289 DOMAIN_GOOGLE_COM }, | |
1290 {25, true, "\013pinningtest\007appspot\003com", false, | |
1291 kTestPins, DOMAIN_APPSPOT_COM }, | |
1292 // Now we force HTTPS for subtrees of google.com. | |
1293 {19, true, "\006health\006google\003com", true, kGooglePins, | |
1294 DOMAIN_GOOGLE_COM }, | |
1295 {21, true, "\010checkout\006google\003com", true, kGooglePins, | |
1296 DOMAIN_GOOGLE_COM }, | |
1297 {19, true, "\006chrome\006google\003com", true, kGooglePins, | |
1298 DOMAIN_GOOGLE_COM }, | |
1299 {17, true, "\004docs\006google\003com", true, kGooglePins, | |
1300 DOMAIN_GOOGLE_COM }, | |
1301 {18, true, "\005sites\006google\003com", true, kGooglePins, | |
1302 DOMAIN_GOOGLE_COM }, | |
1303 {25, true, "\014spreadsheets\006google\003com", true, | |
1304 kGooglePins, DOMAIN_GOOGLE_COM }, | |
1305 {22, false, "\011appengine\006google\003com", true, | |
1306 kGooglePins, DOMAIN_GOOGLE_COM }, | |
1307 {22, true, "\011encrypted\006google\003com", true, kGooglePins, | |
1308 DOMAIN_GOOGLE_COM }, | |
1309 {21, true, "\010accounts\006google\003com", true, kGooglePins, | |
1310 DOMAIN_GOOGLE_COM }, | |
1311 {21, true, "\010profiles\006google\003com", true, kGooglePins, | |
1312 DOMAIN_GOOGLE_COM }, | |
1313 {17, true, "\004mail\006google\003com", true, kGooglePins, | |
1314 DOMAIN_GOOGLE_COM }, | |
1315 {23, true, "\012talkgadget\006google\003com", true, | |
1316 kGooglePins, DOMAIN_GOOGLE_COM }, | |
1317 {17, true, "\004talk\006google\003com", true, kGooglePins, | |
1318 DOMAIN_GOOGLE_COM }, | |
1319 {29, true, "\020hostedtalkgadget\006google\003com", true, | |
1320 kGooglePins, DOMAIN_GOOGLE_COM }, | |
1321 {17, true, "\004plus\006google\003com", true, kGooglePins, | |
1322 DOMAIN_GOOGLE_COM }, | |
1323 // Other Google-related domains that must use HTTPS. | |
1324 {20, true, "\006market\007android\003com", true, kGooglePins, | |
1325 DOMAIN_ANDROID_COM }, | |
1326 {26, true, "\003ssl\020google-analytics\003com", true, | |
1327 kGooglePins, DOMAIN_GOOGLE_ANALYTICS_COM }, | |
1328 {18, true, "\005drive\006google\003com", true, kGooglePins, | |
1329 DOMAIN_GOOGLE_COM }, | |
1330 {16, true, "\012googleplex\003com", true, kGooglePins, | |
1331 DOMAIN_GOOGLEPLEX_COM }, | |
1332 {19, true, "\006groups\006google\003com", true, kGooglePins, | |
1333 DOMAIN_GOOGLE_COM }, | |
1334 {17, true, "\004apis\006google\003com", true, kGooglePins, | |
1335 DOMAIN_GOOGLE_COM }, | |
1336 // chart.apis.google.com is *not* HSTS because the certificate doesn't match | |
1337 // and there are lots of links out there that still use the name. The correct | |
1338 // hostname for this is chart.googleapis.com. | |
1339 {23, true, "\005chart\004apis\006google\003com", false, kGooglePins, | |
1340 DOMAIN_GOOGLE_COM}, | |
1341 | |
1342 // Other Google-related domains that must use an acceptable certificate | |
1343 // iff using SSL. | |
1344 {11, true, "\005ytimg\003com", false, kGooglePins, | |
1345 DOMAIN_YTIMG_COM }, | |
1346 {23, true, "\021googleusercontent\003com", false, kGooglePins, | |
1347 DOMAIN_GOOGLEUSERCONTENT_COM }, | |
1348 {13, true, "\007youtube\003com", false, kGooglePins, | |
1349 DOMAIN_YOUTUBE_COM }, | |
1350 {16, true, "\012googleapis\003com", false, kGooglePins, | |
1351 DOMAIN_GOOGLEAPIS_COM }, | |
1352 {22, true, "\020googleadservices\003com", false, kGooglePins, | |
1353 DOMAIN_GOOGLEADSERVICES_COM }, | |
1354 {16, true, "\012googlecode\003com", false, kGooglePins, | |
1355 DOMAIN_GOOGLECODE_COM }, | |
1356 {13, true, "\007appspot\003com", false, kGooglePins, | |
1357 DOMAIN_APPSPOT_COM }, | |
1358 {23, true, "\021googlesyndication\003com", false, kGooglePins, | |
1359 DOMAIN_GOOGLESYNDICATION_COM }, | |
1360 {17, true, "\013doubleclick\003net", false, kGooglePins, | |
1361 DOMAIN_DOUBLECLICK_NET }, | |
1362 {17, true, "\003ssl\007gstatic\003com", false, kGooglePins, | |
1363 DOMAIN_GSTATIC_COM }, | |
1364 // Exclude the learn.doubleclick.net subdomain because it uses a different | |
1365 // CA. | |
1366 {23, true, "\005learn\013doubleclick\003net", false, kNoPins, DOMAIN_NOT_PINNE D }, | |
1367 // Now we force HTTPS for other sites that have requested it. | |
1368 {16, false, "\003www\006paypal\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1369 {16, false, "\003www\006elanex\003biz", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1370 {12, true, "\006jottit\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1371 {19, true, "\015sunshinepress\003org", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1372 {21, false, "\003www\013noisebridge\003net", true, kNoPins, | |
1373 DOMAIN_NOT_PINNED }, | |
1374 {10, false, "\004neg9\003org", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1375 {12, true, "\006riseup\003net", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1376 {11, false, "\006factor\002cc", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1377 {22, false, "\007members\010mayfirst\003org", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1378 {22, false, "\007support\010mayfirst\003org", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1379 {17, false, "\002id\010mayfirst\003org", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1380 {20, false, "\005lists\010mayfirst\003org", true, kNoPins, DOMAIN_NOT_PINNED } , | |
1381 {19, true, "\015splendidbacon\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1382 {28, false, "\016aladdinschools\007appspot\003com", true, kNoPins, | |
1383 DOMAIN_NOT_PINNED }, | |
1384 {14, true, "\011ottospora\002nl", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1385 {25, false, "\003www\017paycheckrecords\003com", true, kNoPins, | |
1386 DOMAIN_NOT_PINNED }, | |
1387 {14, false, "\010lastpass\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1388 {18, false, "\003www\010lastpass\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1389 {14, true, "\010keyerror\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1390 {13, false, "\010entropia\002de", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1391 {17, false, "\003www\010entropia\002de", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1392 {11, true, "\005romab\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1393 {16, false, "\012logentries\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1394 {20, false, "\003www\012logentries\003com", true, kNoPins, DOMAIN_NOT_PINNED } , | |
1395 {12, true, "\006stripe\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1396 {27, true, "\025cloudsecurityalliance\003org", true, kNoPins, | |
1397 DOMAIN_NOT_PINNED }, | |
1398 {15, true, "\005login\004sapo\002pt", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1399 {19, true, "\015mattmccutchen\003net", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1400 {11, true, "\006betnet\002fr", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1401 {13, true, "\010uprotect\002it", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1402 {14, false, "\010squareup\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1403 {9, true, "\004cert\002se", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1404 {11, true, "\006crypto\002is", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1405 {20, true, "\005simon\007butcher\004name", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1406 {10, true, "\004linx\003net", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1407 {13, false, "\007dropcam\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1408 {17, false, "\003www\007dropcam\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1409 {30, true, "\010ebanking\014indovinabank\003com\002vn", true, kNoPins, | |
1410 DOMAIN_NOT_PINNED }, | |
1411 {13, false, "\007epoxate\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1412 {16, false, "\012torproject\003org", true, kTorPins, | |
1413 DOMAIN_TORPROJECT_ORG }, | |
1414 {21, true, "\004blog\012torproject\003org", true, kTorPins, | |
1415 DOMAIN_TORPROJECT_ORG }, | |
1416 {22, true, "\005check\012torproject\003org", true, kTorPins, | |
1417 DOMAIN_TORPROJECT_ORG }, | |
1418 {20, true, "\003www\012torproject\003org", true, kTorPins, | |
1419 DOMAIN_TORPROJECT_ORG }, | |
1420 {22, true, "\003www\014moneybookers\003com", true, kNoPins, | |
1421 DOMAIN_NOT_PINNED }, | |
1422 {17, false, "\013ledgerscope\003net", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1423 {21, false, "\003www\013ledgerscope\003net", true, kNoPins, | |
1424 DOMAIN_NOT_PINNED }, | |
1425 {10, false, "\004kyps\003net", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1426 {14, false, "\003www\004kyps\003net", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1427 {17, true, "\003app\007recurly\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1428 {17, true, "\003api\007recurly\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1429 {13, false, "\007greplin\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1430 {17, false, "\003www\007greplin\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1431 {27, true, "\006luneta\016nearbuysystems\003com", true, kNoPins, | |
1432 DOMAIN_NOT_PINNED }, | |
1433 {12, true, "\006ubertt\003org", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1434 {9, true, "\004pixi\002me", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1435 {14, true, "\010grepular\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1436 {16, false , "\012mydigipass\003com", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1437 {20, false , "\003www\012mydigipass\003com", true, kNoPins, | |
1438 DOMAIN_NOT_PINNED }, | |
1439 {26, false , "\011developer\012mydigipass\003com", true, kNoPins, | |
1440 DOMAIN_NOT_PINNED }, | |
1441 {30, false , "\003www\011developer\012mydigipass\003com", true, kNoPins, | |
1442 DOMAIN_NOT_PINNED }, | |
1443 {24, false , "\007sandbox\012mydigipass\003com", true, kNoPins, | |
1444 DOMAIN_NOT_PINNED }, | |
1445 {28, false , "\003www\007sandbox\012mydigipass\003com", true, kNoPins, | |
1446 DOMAIN_NOT_PINNED }, | |
1447 {12, true, "\006crypto\003cat", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1448 {25, true, "\014bigshinylock\006minazo\003net", true, kNoPins, | |
1449 DOMAIN_NOT_PINNED }, | |
1450 {10, true, "\005crate\002io", true, kNoPins, DOMAIN_NOT_PINNED }, | |
1451 | |
1452 {13, false, "\007twitter\003com", kTwitterHSTS, | |
1453 kTwitterComPins, DOMAIN_TWITTER_COM }, | |
1454 {17, true, "\003www\007twitter\003com", kTwitterHSTS, | |
1455 kTwitterComPins, DOMAIN_TWITTER_COM }, | |
1456 {17, true, "\003api\007twitter\003com", kTwitterHSTS, | |
1457 kTwitterCDNPins, DOMAIN_TWITTER_COM }, | |
1458 {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, | |
1459 kTwitterComPins, DOMAIN_TWITTER_COM }, | |
1460 {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, | |
1461 kTwitterComPins, DOMAIN_TWITTER_COM }, | |
1462 {17, true, "\003dev\007twitter\003com", kTwitterHSTS, | |
1463 kTwitterComPins, DOMAIN_TWITTER_COM }, | |
1464 {22, true, "\010business\007twitter\003com", kTwitterHSTS, | |
1465 kTwitterComPins, DOMAIN_TWITTER_COM }, | |
1466 {22, true, "\010platform\007twitter\003com", false, | |
1467 kTwitterCDNPins, DOMAIN_TWITTER_COM }, | |
1468 {15, true, "\003si0\005twimg\003com", false, kTwitterCDNPins, | |
1469 DOMAIN_TWIMG_COM }, | |
1470 {23, true, "\010twimg0-a\010akamaihd\003net", false, | |
1471 kTwitterCDNPins, DOMAIN_AKAMAIHD_NET }, | |
1472 }; | |
1473 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS); | |
1474 | |
1475 static const struct HSTSPreload kPreloadedSNISTS[] = { | |
1476 // These SNI-only domains must always use HTTPS. | |
1477 {11, false, "\005gmail\003com", true, kGooglePins, | |
1478 DOMAIN_GMAIL_COM }, | |
1479 {16, false, "\012googlemail\003com", true, kGooglePins, | |
1480 DOMAIN_GOOGLEMAIL_COM }, | |
1481 {15, false, "\003www\005gmail\003com", true, kGooglePins, | |
1482 DOMAIN_GMAIL_COM }, | |
1483 {20, false, "\003www\012googlemail\003com", true, kGooglePins, | |
1484 DOMAIN_GOOGLEMAIL_COM }, | |
1485 // These SNI-only domains must use an acceptable certificate iff using | |
1486 // HTTPS. | |
1487 {22, true, "\020google-analytics\003com", false, kGooglePins, | |
1488 DOMAIN_GOOGLE_ANALYTICS_COM }, | |
1489 // www. requires SNI. | |
1490 {18, true, "\014googlegroups\003com", false, kGooglePins, | |
1491 DOMAIN_GOOGLEGROUPS_COM }, | |
1492 }; | |
1493 static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS); | |
1494 | 1151 |
1495 // Returns the HSTSPreload entry for the |canonicalized_host| in |entries|, | 1152 // Returns the HSTSPreload entry for the |canonicalized_host| in |entries|, |
1496 // or NULL if there is none. Prefers exact hostname matches to those that | 1153 // or NULL if there is none. Prefers exact hostname matches to those that |
1497 // match only because HSTSPreload.include_subdomains is true. | 1154 // match only because HSTSPreload.include_subdomains is true. |
1498 // | 1155 // |
1499 // |canonicalized_host| should be the hostname as canonicalized by | 1156 // |canonicalized_host| should be the hostname as canonicalized by |
1500 // CanonicalizeHost. | 1157 // CanonicalizeHost. |
1501 static const struct HSTSPreload* GetHSTSPreload( | 1158 static const struct HSTSPreload* GetHSTSPreload( |
1502 const std::string& canonicalized_host, | 1159 const std::string& canonicalized_host, |
1503 const struct HSTSPreload* entries, | 1160 const struct HSTSPreload* entries, |
1657 | 1314 |
1658 return true; | 1315 return true; |
1659 } | 1316 } |
1660 | 1317 |
1661 bool TransportSecurityState::DomainState::ShouldRedirectHTTPToHTTPS() | 1318 bool TransportSecurityState::DomainState::ShouldRedirectHTTPToHTTPS() |
1662 const { | 1319 const { |
1663 return mode == MODE_STRICT; | 1320 return mode == MODE_STRICT; |
1664 } | 1321 } |
1665 | 1322 |
1666 } // namespace | 1323 } // namespace |
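Review bot: The new `#include "net/base/hsts_preloaded.h"` at NEW line 1150 is placed inside `namespace net`, directly after the function that closes at NEW 1148, and the tables it replaces (the `kSPKIHash_*` pin arrays, the `kGooglePins`/`kTorPins`/`kTwitterComPins`/`kTwitterCDNPins`/`kTestPins`/`kNoPins` macros, `kPreloadedSTS`, `kPreloadedSNISTS` and the `OS_CHROMEOS`-dependent `kTwitterHSTS`) depend on `HSTSPreload`, the `DOMAIN_*` values and `ARRAYSIZE_UNSAFE` being visible at exactly this point, so the include is position-dependent and nothing in the new code says so. I would add above it `// Not a normal header: it defines the static HSTS/pin tables and must be included here, inside namespace net, after HSTSPreload and the DOMAIN_* values are declared.` If the `#define kGooglePins { ... }`-style macros moved into the header unchanged, they now stay defined for the rest of this translation unit and for any future includer; either `#undef` them at the end of the header or turn them into `static const` initializer objects. The dropped `#include "net/base/public_key_hashes.h"` (OLD 38) presumably moves into the new header, which is worth confirming so the pin tables do not silently rely on this file's include order.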