Diffstat (limited to 'chromium/net/http/transport_security_state.h')
-rw-r--r-- | chromium/net/http/transport_security_state.h | 118 |
1 files changed, 61 insertions, 57 deletions
diff --git a/chromium/net/http/transport_security_state.h b/chromium/net/http/transport_security_state.h
index 99899b7c5c2..464cbd182e1 100644
--- a/chromium/net/http/transport_security_state.h
+++ b/chromium/net/http/transport_security_state.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
@@ -21,7 +21,7 @@
 #include "net/base/expiring_cache.h"
 #include "net/base/hash_value.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/cert/signed_certificate_timestamp_and_status.h"
 #include "net/http/transport_security_state_source.h"
 #include "net/log/net_log_with_source.h"
@@ -35,10 +35,19 @@ enum class CTPolicyCompliance;
 }
 class HostPortPair;
-class NetworkIsolationKey;
+class NetworkAnonymizationKey;
 class SSLInfo;
 class X509Certificate;
+// Feature that controls whether Expect-CT HTTP headers are parsed, processed,
+// and stored.
+NET_EXPORT BASE_DECLARE_FEATURE(kDynamicExpectCTFeature);
+
+// Feature that controls whether Certificate Transparency is enforced. This
+// feature is default enabled and meant only as an emergency killswitch. It
+// will not enable enforcement in platforms that otherwise have it disabled.
+NET_EXPORT BASE_DECLARE_FEATURE(kCertificateTransparencyEnforcement);
+
 void NET_EXPORT_PRIVATE SetTransportSecurityStateSourceForTesting(
 const TransportSecurityStateSource* source);
@@ -246,28 +255,29 @@ class NET_EXPORT TransportSecurityState {
 base::Time expiry;
 };
- // Unlike other data, Expect-CT information is indexed by NetworkIsolationKey
- // in addition to domain hash, to prevent leaking user IDs across different
- // first party contexts. Public only because ExpectCTStateIterator is public
- // and depends on it.
+ // Unlike other data, Expect-CT information is indexed by
+ // NetworkAnonymizationKey in addition to domain hash, to prevent leaking user
+ // IDs across different first party contexts. Public only because
+ // ExpectCTStateIterator is public and depends on it.
 struct ExpectCTStateIndex {
- // Creates an ExpectCTStateIndex. Uses an empty NetworkIsolationKey instead
- // of the passed in one, depending on |respect_network_isolation_key|.
- // The value of features::kPartitionExpectCTStateByNetworkIsolationKey is
- // cached on creation of the TransportSecurityState, and then passed in to
- // this method whenever an ExpectCTStateIndex() is created, to avoid
- // constantly querying the field trial.
+ // Creates an ExpectCTStateIndex. Uses an empty NetworkAnonymizationKey
+ // instead of the passed in one, depending on
+ // |respect_network_anonymization_key|. The value of
+ // features::kPartitionExpectCTStateByNetworkIsolationKey is cached on
+ // creation of the TransportSecurityState, and then passed in to this method
+ // whenever an ExpectCTStateIndex() is created, to avoid constantly querying
+ // the field trial.
 ExpectCTStateIndex(const std::string& hashed_host,
- const NetworkIsolationKey& network_isolation_key,
- bool respect_network_isolation_key);
+ const NetworkAnonymizationKey& network_anonymization_key,
+ bool respect_network_anonymization_key);
 bool operator<(const ExpectCTStateIndex& other) const {
- return std::tie(hashed_host, network_isolation_key) <
- std::tie(other.hashed_host, other.network_isolation_key);
+ return std::tie(hashed_host, network_anonymization_key) <
+ std::tie(other.hashed_host, other.network_anonymization_key);
 }
 std::string hashed_host;
- NetworkIsolationKey network_isolation_key;
+ NetworkAnonymizationKey network_anonymization_key;
 };
 class NET_EXPORT ExpectCTStateIterator {
@@ -278,8 +288,8 @@ class NET_EXPORT TransportSecurityState {
 bool HasNext() const { return iterator_ != end_; }
 void Advance() { ++iterator_; }
 const std::string& hostname() const { return iterator_->first.hashed_host; }
- const NetworkIsolationKey& network_isolation_key() const {
- return iterator_->first.network_isolation_key;
+ const NetworkAnonymizationKey& network_anonymization_key() const {
+ return iterator_->first.network_anonymization_key;
 }
 const ExpectCTState& domain_state() const { return iterator_->second; }
@@ -302,7 +312,7 @@ class NET_EXPORT TransportSecurityState {
 virtual void Send(const GURL& report_uri,
 base::StringPiece content_type,
 base::StringPiece report,
- const NetworkIsolationKey& network_isolation_key,
+ const NetworkAnonymizationKey& network_anonymization_key,
 base::OnceCallback<void()> success_callback,
 base::OnceCallback<void(const GURL&,
 int /* net_error */,
@@ -329,7 +339,7 @@ class NET_EXPORT TransportSecurityState {
 const X509Certificate* served_certificate_chain,
 const SignedCertificateTimestampAndStatusList&
 signed_certificate_timestamps,
- const NetworkIsolationKey& network_isolation_key) = 0;
+ const NetworkAnonymizationKey& network_anonymization_key) = 0;
 protected:
 virtual ~ExpectCTReporter() = default;
@@ -392,15 +402,6 @@ class NET_EXPORT TransportSecurityState {
 CT_REQUIREMENTS_NOT_MET,
 };
- // Feature that controls whether Expect-CT HTTP headers are parsed, processed,
- // and stored.
- static const base::Feature kDynamicExpectCTFeature;
-
- // Feature that controls whether Certificate Transparency is enforced. This
- // feature is default enabled and meant only as an emergency killswitch. It
- // will not enable enforcement in platforms that otherwise have it disabled.
- static const base::Feature kCertificateTransparencyEnforcement;
-
 TransportSecurityState();
 // Creates a TransportSecurityState object that will skip the check to force
@@ -429,7 +430,7 @@ class NET_EXPORT TransportSecurityState {
 const X509Certificate* served_certificate_chain,
 const X509Certificate* validated_certificate_chain,
 const PublicKeyPinReportStatus report_status,
- const NetworkIsolationKey& network_isolation_key,
+ const NetworkAnonymizationKey& network_anonymization_key,
 std::string* failure_log);
 bool HasPublicKeyPins(const std::string& host);
@@ -457,7 +458,7 @@ class NET_EXPORT TransportSecurityState {
 signed_certificate_timestamps,
 const ExpectCTReportStatus report_status,
 ct::CTPolicyCompliance policy_compliance,
- const NetworkIsolationKey& network_isolation_key);
+ const NetworkAnonymizationKey& network_anonymization_key);
 // Assign a |Delegate| for persisting the transport security state. If
 // |NULL|, state will not be persisted. The caller retains
@@ -521,7 +522,7 @@ class NET_EXPORT TransportSecurityState {
 // TransportSecurityState.
 void AddOrUpdateEnabledExpectCTHosts(
 const std::string& hashed_host,
- const NetworkIsolationKey& network_isolation_key,
+ const NetworkAnonymizationKey& network_anonymization_key,
 const ExpectCTState& state);
 // Deletes all dynamic data (e.g. HSTS or HPKP data) created between a time
@@ -567,9 +568,10 @@ class NET_EXPORT TransportSecurityState {
 // entries that have expired.
 bool GetDynamicSTSState(const std::string& host, STSState* result);
 bool GetDynamicPKPState(const std::string& host, PKPState* result);
- bool GetDynamicExpectCTState(const std::string& host,
- const NetworkIsolationKey& network_isolation_key,
- ExpectCTState* result);
+ bool GetDynamicExpectCTState(
+ const std::string& host,
+ const NetworkAnonymizationKey& network_anonymization_key,
+ ExpectCTState* result);
 // Processes an HSTS header value from the host, adding entries to
 // dynamic state if necessary.
@@ -598,7 +600,7 @@ class NET_EXPORT TransportSecurityState {
 const base::Time& expiry,
 bool enforce,
 const GURL& report_uri,
- const NetworkIsolationKey& network_isolation_key);
+ const NetworkAnonymizationKey& network_anonymization_key);
 // Enables or disables public key pinning bypass for local trust anchors.
 // Disabling the bypass for local trust anchors is highly discouraged.
@@ -618,10 +620,11 @@ class NET_EXPORT TransportSecurityState {
 // wants to opt-in to the static report-only version of Expect-CT. If the
 // given host is present on the preload list and the build is timely and the
 // connection is not CT-compliant, then a report will be sent.
- void ProcessExpectCTHeader(const std::string& value,
- const HostPortPair& host_port_pair,
- const SSLInfo& ssl_info,
- const NetworkIsolationKey& network_isolation_key);
+ void ProcessExpectCTHeader(
+ const std::string& value,
+ const HostPortPair& host_port_pair,
+ const SSLInfo& ssl_info,
+ const NetworkAnonymizationKey& network_anonymization_key);
 void AssertCalledOnValidThread() const {
 DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
@@ -678,7 +681,7 @@ class NET_EXPORT TransportSecurityState {
 const X509Certificate* served_certificate_chain,
 const X509Certificate* validated_certificate_chain,
 const PublicKeyPinReportStatus report_status,
- const NetworkIsolationKey& network_isolation_key,
+ const NetworkAnonymizationKey& network_anonymization_key,
 std::string* failure_log);
 // If a Delegate is present, notify it that the internal state has
@@ -699,12 +702,13 @@ class NET_EXPORT TransportSecurityState {
 bool include_subdomains,
 const HashValueVector& hashes,
 const GURL& report_uri);
- void AddExpectCTInternal(const std::string& host,
- const base::Time& last_observed,
- const base::Time& expiry,
- bool enforce,
- const GURL& report_uri,
- const NetworkIsolationKey& network_isolation_key);
+ void AddExpectCTInternal(
+ const std::string& host,
+ const base::Time& last_observed,
+ const base::Time& expiry,
+ bool enforce,
+ const GURL& report_uri,
+ const NetworkAnonymizationKey& network_anonymization_key);
 // Returns true if a request to |host_port_pair| with the given
 // SubjectPublicKeyInfo |hashes| satisfies the pins in |pkp_state|,
@@ -721,7 +725,7 @@ class NET_EXPORT TransportSecurityState {
 const X509Certificate* served_certificate_chain,
 const X509Certificate* validated_certificate_chain,
 const TransportSecurityState::PublicKeyPinReportStatus report_status,
- const net::NetworkIsolationKey& network_isolation_key,
+ const net::NetworkAnonymizationKey& network_anonymization_key,
 std::string* failure_log);
 // Returns true and updates |*expect_ct_result| iff there is a static
@@ -737,13 +741,13 @@ class NET_EXPORT TransportSecurityState {
 const X509Certificate* served_certificate_chain,
 const SignedCertificateTimestampAndStatusList&
 signed_certificate_timestamps,
- const NetworkIsolationKey& network_isolation_key);
+ const NetworkAnonymizationKey& network_anonymization_key);
 // Convenience method to create ExpectCTStateIndex, taking into account
 // |key_expect_ct_by_nik_|.
 ExpectCTStateIndex CreateExpectCTStateIndex(
 const std::string& hashed_host,
- const NetworkIsolationKey& network_isolation_key);
+ const NetworkAnonymizationKey& network_anonymization_key);
 // Checks if Expect-CT entries should be pruned, based on number of them and
 // when entries were last pruned, and then performs pruning if necessary.
@@ -793,11 +797,11 @@ class NET_EXPORT TransportSecurityState {
 ReportCache sent_hpkp_reports_cache_;
 ReportCache sent_expect_ct_reports_cache_;
- // Whether Expect-CT data should keyed by a NetworkIsolationKey. When false,
- // ExpectCTStateIndex is always created with an empty NetworkIsolationKey.
- // Populated based on features::kPartitionExpectCTStateByNetworkIsolationKey
- // on construction of the TransportSecurityStateObject to avoid repeatedly
- // querying the feature.
+ // Whether Expect-CT data should keyed by a NetworkAnonymizationKey. When
+ // false, ExpectCTStateIndex is always created with an empty
+ // NetworkAnonymizationKey. Populated based on
+ // features::kPartitionExpectCTStateByNetworkIsolationKey on construction of
+ // the TransportSecurityStateObject to avoid repeatedly querying the feature.
 bool key_expect_ct_by_nik_;
 // The earliest possible time for the next pruning of Expect-CT state. |
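Review bot: The rewritten comment above `bool key_expect_ct_by_nik_;` in the @@ -793 hunk carries over two wording defects from the old text — "should keyed" and "TransportSecurityStateObject" — and now sits on a member whose `nik` suffix no longer matches the NetworkAnonymizationKey it describes, which will confuse the next reader of this privacy-relevant partitioning switch. I would change the first two lines to `// Whether Expect-CT data should be keyed by a NetworkAnonymizationKey. When` and `// the TransportSecurityState object to avoid repeatedly querying the feature.`, and either rename the member (e.g. `key_expect_ct_by_nak_`, together with the `|key_expect_ct_by_nik_|` reference in the CreateExpectCTStateIndex comment earlier in this hunk) or add a short note that the "nik" name is kept for continuity with `features::kPartitionExpectCTStateByNetworkIsolationKey`, whose name the commit does not change. The enclosing `class NET_EXPORT TransportSecurityState` starts and ends outside the hunk.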