Skip to content

GitLab

T
tangled
Commit 8d60aa54 authored by rch@chromium.org's avatar rch@chromium.org
Browse files
Options

Centralize the logic for checking public key pins from ClientSocketNSS 

and ProofVerifierChromium to TransportSecurityState::CheckPublicKeyPins.
This required adding an is_issued_by_known_root argument to this method.

In addition, CheckPublicKeyPins now only checks static pins if the
TransportSecurityState's enable_static_pins_ member is true. This defaults
to true only for official desktop builds. This also means that dynamic
pins are now checked on mobile and on non-official builds.

BUG=398925,391033

Review URL: https://codereview.chromium.org/433123003

Cr-Commit-Position: refs/heads/master@{#288435}
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@288435 0039d316-1c4b-4281-b951-d872f2087c98
parent eb7b4aac
Hide whitespace changes
Inline Side-by-side
Showing with 233 additions and 174 deletions
net/http/http_security_headers_unittest.cc
View file @ 8d60aa54
......@@ -506,6 +506,7 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
// docs.google.com has preloaded pins.
const bool sni_enabled = true;
std::string domain = "docs.google.com";
state.enable_static_pins_ = true;
EXPECT_TRUE(
state.GetStaticDomainState(domain, sni_enabled, &static_domain_state));
EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL);
......@@ -554,8 +555,9 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
HashValueVector hashes;
hashes.push_back(good_hash);
std::string failure_log;
EXPECT_TRUE(
state.CheckPublicKeyPins(domain, sni_enabled, hashes, &failure_log));
const bool is_issued_by_known_root = true;
EXPECT_TRUE(state.CheckPublicKeyPins(
domain, sni_enabled, is_issued_by_known_root, hashes, &failure_log));
TransportSecurityState::DomainState new_dynamic_domain_state;
EXPECT_TRUE(state.GetDynamicDomainState(domain, &new_dynamic_domain_state));
......@@ -585,6 +587,7 @@ TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPMaxAge0) {
// docs.google.com has preloaded pins.
const bool sni_enabled = true;
std::string domain = "docs.google.com";
state.enable_static_pins_ = true;
ASSERT_TRUE(
state.GetStaticDomainState(domain, sni_enabled, &static_domain_state));
EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL);
......@@ -648,8 +651,13 @@ TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPMaxAge0) {
// Damage the hashes to cause a pin validation failure.
new_static_domain_state2.pkp.spki_hashes[0].data()[0] ^= 0x80;
new_static_domain_state2.pkp.spki_hashes[1].data()[0] ^= 0x80;
EXPECT_FALSE(state.CheckPublicKeyPins(
domain, true, new_static_domain_state2.pkp.spki_hashes, &failure_log));
const bool is_issued_by_known_root = true;
EXPECT_FALSE(
state.CheckPublicKeyPins(domain,
true,
is_issued_by_known_root,
new_static_domain_state2.pkp.spki_hashes,
&failure_log));
EXPECT_NE(0UL, failure_log.length());
}
#undef MAYBE_UpdateDynamicPKPMaxAge0
......@@ -663,6 +671,7 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
// accounts.google.com has preloaded pins.
std::string domain = "accounts.google.com";
state.enable_static_pins_ = true;
// Retrieve the DomainState as it is by default, including its known good
// pins.
......@@ -680,8 +689,12 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
EXPECT_TRUE(state.AddHSTSHeader(domain, "includesubdomains; max-age=10000"));
EXPECT_TRUE(state.ShouldUpgradeToSSL(domain, sni_enabled));
std::string failure_log;
EXPECT_TRUE(state.CheckPublicKeyPins(
domain, sni_enabled, saved_hashes, &failure_log));
const bool is_issued_by_known_root = true;
EXPECT_TRUE(state.CheckPublicKeyPins(domain,
sni_enabled,
is_issued_by_known_root,
saved_hashes,
&failure_log));
// Add an HPKP header, which should only update the dynamic state.
HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1);
......@@ -701,8 +714,11 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
EXPECT_TRUE(state.ShouldUpgradeToSSL(domain, sni_enabled));
// The dynamic pins, which do not match |saved_hashes|, should take
// precedence over the static pins and cause the check to fail.
EXPECT_FALSE(state.CheckPublicKeyPins(
domain, sni_enabled, saved_hashes, &failure_log));
EXPECT_FALSE(state.CheckPublicKeyPins(domain,
sni_enabled,
is_issued_by_known_root,
saved_hashes,
&failure_log));
}
}; // namespace net
net/http/transport_security_state.cc
View file @ 8d60aa54
......@@ -84,7 +84,12 @@ bool AddHash(const char* sha1_hash,
} // namespace
TransportSecurityState::TransportSecurityState()
: delegate_(NULL) {
: delegate_(NULL), enable_static_pins_(true) {
// Static pinning is only enabled for official builds to make sure that
// others don't end up with pins that cannot be easily updated.
#if !defined(OFFICIAL_BUILD) || defined(OS_ANDROID) || defined(OS_IOS)
enable_static_pins_ = false;
#endif
DCHECK(CalledOnValidThread());
}
......@@ -118,21 +123,36 @@ bool TransportSecurityState::ShouldUpgradeToSSL(const std::string& host,
return false;
}
bool TransportSecurityState::CheckPublicKeyPins(const std::string& host,
bool sni_enabled,
const HashValueVector& hashes,
std::string* failure_log) {
DomainState dynamic_state;
if (GetDynamicDomainState(host, &dynamic_state))
return dynamic_state.CheckPublicKeyPins(hashes, failure_log);
bool TransportSecurityState::CheckPublicKeyPins(
const std::string& host,
bool sni_available,
bool is_issued_by_known_root,
const HashValueVector& public_key_hashes,
std::string* pinning_failure_log) {
// Perform pin validation if, and only if, all these conditions obtain:
//
// * the server's certificate chain chains up to a known root (i.e. not a
// user-installed trust anchor); and
// * the build is recent (very old builds should fail open so that users
// have some chance to recover).
// * the server actually has public key pins.
//
// TODO(rsleevi): http://crbug.com/391032 - Only disable static HPKP if the
// build is not timely.
if (!is_issued_by_known_root || !IsBuildTimely() ||
!HasPublicKeyPins(host, sni_available)) {
return true;
}
DomainState static_state;
if (GetStaticDomainState(host, sni_enabled, &static_state) &&
static_state.CheckPublicKeyPins(hashes, failure_log)) {
return true;
bool pins_are_valid = CheckPublicKeyPinsImpl(
host, sni_available, public_key_hashes, pinning_failure_log);
if (!pins_are_valid) {
LOG(ERROR) << *pinning_failure_log;
ReportUMAOnPinFailure(host);
}
return false;
UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", pins_are_valid);
return pins_are_valid;
}
bool TransportSecurityState::HasPublicKeyPins(const std::string& host,
......@@ -549,9 +569,13 @@ struct HSTSPreload {
SecondLevelDomainName second_level_domain_name;
};
static bool HasPreload(const struct HSTSPreload* entries, size_t num_entries,
const std::string& canonicalized_host, size_t i,
TransportSecurityState::DomainState* out, bool* ret) {
static bool HasPreload(const struct HSTSPreload* entries,
size_t num_entries,
const std::string& canonicalized_host,
size_t i,
bool enable_static_pins,
TransportSecurityState::DomainState* out,
bool* ret) {
for (size_t j = 0; j < num_entries; j++) {
if (entries[j].length == canonicalized_host.size() - i &&
memcmp(entries[j].dns_name, &canonicalized_host[i],
......@@ -561,26 +585,29 @@ static bool HasPreload(const struct HSTSPreload* entries, size_t num_entries,
} else {
out->sts.include_subdomains = entries[j].include_subdomains;
out->sts.last_observed = base::GetBuildTime();
out->pkp.include_subdomains = entries[j].include_subdomains;
out->pkp.last_observed = base::GetBuildTime();
*ret = true;
out->sts.upgrade_mode =
TransportSecurityState::DomainState::MODE_FORCE_HTTPS;
if (!entries[j].https_required)
out->sts.upgrade_mode =
TransportSecurityState::DomainState::MODE_DEFAULT;
if (entries[j].pins.required_hashes) {
const char* const* sha1_hash = entries[j].pins.required_hashes;
while (*sha1_hash) {
AddHash(*sha1_hash, &out->pkp.spki_hashes);
sha1_hash++;
if (enable_static_pins) {
out->pkp.include_subdomains = entries[j].include_subdomains;
out->pkp.last_observed = base::GetBuildTime();
if (entries[j].pins.required_hashes) {
const char* const* sha1_hash = entries[j].pins.required_hashes;
while (*sha1_hash) {
AddHash(*sha1_hash, &out->pkp.spki_hashes);
sha1_hash++;
}
}
}
if (entries[j].pins.excluded_hashes) {
const char* const* sha1_hash = entries[j].pins.excluded_hashes;
while (*sha1_hash) {
AddHash(*sha1_hash, &out->pkp.bad_spki_hashes);
sha1_hash++;
if (entries[j].pins.excluded_hashes) {
const char* const* sha1_hash = entries[j].pins.excluded_hashes;
while (*sha1_hash) {
AddHash(*sha1_hash, &out->pkp.bad_spki_hashes);
sha1_hash++;
}
}
}
}
......@@ -763,6 +790,24 @@ bool TransportSecurityState::IsBuildTimely() {
return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
}
bool TransportSecurityState::CheckPublicKeyPinsImpl(
const std::string& host,
bool sni_enabled,
const HashValueVector& hashes,
std::string* failure_log) {
DomainState dynamic_state;
if (GetDynamicDomainState(host, &dynamic_state))
return dynamic_state.CheckPublicKeyPins(hashes, failure_log);
DomainState static_state;
if (GetStaticDomainState(host, sni_enabled, &static_state))
return static_state.CheckPublicKeyPins(hashes, failure_log);
// HasPublicKeyPins should have returned true in order for this method
// to have been called, so if we fall through to here, it's an error.
return false;
}
bool TransportSecurityState::GetStaticDomainState(const std::string& host,
bool sni_enabled,
DomainState* out) const {
......@@ -781,15 +826,22 @@ bool TransportSecurityState::GetStaticDomainState(const std::string& host,
canonicalized_host.size() - i);
out->domain = DNSDomainToString(host_sub_chunk);
bool ret;
if (is_build_timely &&
HasPreload(kPreloadedSTS, kNumPreloadedSTS, canonicalized_host, i, out,
&ret)) {
if (is_build_timely && HasPreload(kPreloadedSTS,
kNumPreloadedSTS,
canonicalized_host,
i,
enable_static_pins_,
out,
&ret)) {
return ret;
}
if (sni_enabled &&
is_build_timely &&
HasPreload(kPreloadedSNISTS, kNumPreloadedSNISTS, canonicalized_host, i,
out, &ret)) {
if (sni_enabled && is_build_timely && HasPreload(kPreloadedSNISTS,
kNumPreloadedSNISTS,
canonicalized_host,
i,
enable_static_pins_,
out,
&ret)) {
return ret;
}
}
......
net/http/transport_security_state.h
View file @ 8d60aa54
......@@ -163,6 +163,7 @@ class NET_EXPORT TransportSecurityState
bool ShouldUpgradeToSSL(const std::string& host, bool sni_enabled);
bool CheckPublicKeyPins(const std::string& host,
bool sni_enabled,
bool is_issued_by_known_root,
const HashValueVector& hashes,
std::string* failure_log);
bool HasPublicKeyPins(const std::string& host, bool sni_enabled);
......@@ -267,6 +268,14 @@ class NET_EXPORT TransportSecurityState
// The maximum number of seconds for which we'll cache an HSTS request.
static const long int kMaxHSTSAgeSecs;
private:
friend class TransportSecurityStateTest;
FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly);
FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0);
FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins);
typedef std::map<std::string, DomainState> DomainStateMap;
// Send an UMA report on pin validation failure, if the host is in a
// statically-defined list of domains.
//
......@@ -282,12 +291,11 @@ class NET_EXPORT TransportSecurityState
// information) is timely.
static bool IsBuildTimely();
private:
friend class TransportSecurityStateTest;
FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest,
UpdateDynamicPKPOnly);
typedef std::map<std::string, DomainState> DomainStateMap;
// Helper method for actually checking pins.
bool CheckPublicKeyPinsImpl(const std::string& host,
bool sni_enabled,
const HashValueVector& hashes,
std::string* failure_log);
// If a Delegate is present, notify it that the internal state has
// changed.
......@@ -309,6 +317,9 @@ class NET_EXPORT TransportSecurityState
Delegate* delegate_;
// True if static pins should be used.
bool enable_static_pins_;
DISALLOW_COPY_AND_ASSIGN(TransportSecurityState);
};
......
net/http/transport_security_state_unittest.cc
View file @ 8d60aa54
......@@ -37,6 +37,7 @@
namespace net {
class TransportSecurityStateTest : public testing::Test {
public:
virtual void SetUp() {
#if defined(USE_OPENSSL)
crypto::EnsureOpenSSLInit();
......@@ -45,6 +46,14 @@ class TransportSecurityStateTest : public testing::Test {
#endif
}
static void DisableStaticPins(TransportSecurityState* state) {
state->enable_static_pins_ = false;
}
static void EnableStaticPins(TransportSecurityState* state) {
state->enable_static_pins_ = true;
}
protected:
bool GetStaticDomainState(TransportSecurityState* state,
const std::string& host,
......@@ -162,6 +171,27 @@ TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
}
TEST_F(TransportSecurityStateTest, EnableStaticPins) {
TransportSecurityState state;
TransportSecurityState::DomainState domain_state;
EnableStaticPins(&state);
EXPECT_TRUE(
state.GetStaticDomainState("chrome.google.com", true, &domain_state));
EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
}
TEST_F(TransportSecurityStateTest, DisableStaticPins) {
TransportSecurityState state;
TransportSecurityState::DomainState domain_state;
DisableStaticPins(&state);
EXPECT_TRUE(
state.GetStaticDomainState("chrome.google.com", true, &domain_state));
EXPECT_TRUE(domain_state.pkp.spki_hashes.empty());
}
TEST_F(TransportSecurityStateTest, IsPreloaded) {
const std::string paypal = "paypal.com";
const std::string www_paypal = "www.paypal.com";
......@@ -177,7 +207,6 @@ TEST_F(TransportSecurityStateTest, IsPreloaded) {
EXPECT_TRUE(GetStaticDomainState(&state, paypal, true, &domain_state));
EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, true, &domain_state));
EXPECT_FALSE(domain_state.sts.include_subdomains);
EXPECT_FALSE(domain_state.pkp.include_subdomains);
EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, true, &domain_state));
EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, true, &domain_state));
EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state));
......@@ -214,6 +243,7 @@ static bool HasStaticState(const char* hostname) {
static bool HasStaticPublicKeyPins(const char* hostname, bool sni_enabled) {
TransportSecurityState state;
TransportSecurityStateTest::EnableStaticPins(&state);
TransportSecurityState::DomainState domain_state;
if (!state.GetStaticDomainState(hostname, sni_enabled, &domain_state))
return false;
......@@ -227,6 +257,7 @@ static bool HasStaticPublicKeyPins(const char* hostname) {
static bool OnlyPinningInStaticState(const char* hostname) {
TransportSecurityState state;
TransportSecurityStateTest::EnableStaticPins(&state);
TransportSecurityState::DomainState domain_state;
if (!state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state))
return false;
......@@ -285,24 +316,6 @@ TEST_F(TransportSecurityStateTest, Preloaded) {
EXPECT_FALSE(HasStaticState("m.gmail.com"));
EXPECT_FALSE(HasStaticState("m.googlemail.com"));
EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
// Tests for domains that don't work without SNI.
EXPECT_FALSE(state.GetStaticDomainState("gmail.com", false, &domain_state));
EXPECT_FALSE(
......@@ -407,28 +420,12 @@ TEST_F(TransportSecurityStateTest, Preloaded) {
EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com"));
EXPECT_FALSE(HasStaticState("foo.dropcam.com"));
EXPECT_TRUE(
state.GetStaticDomainState("torproject.org", false, &domain_state));
EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
EXPECT_TRUE(
state.GetStaticDomainState("www.torproject.org", false, &domain_state));
EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
EXPECT_TRUE(
state.GetStaticDomainState("check.torproject.org", false, &domain_state));
EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
EXPECT_TRUE(
state.GetStaticDomainState("blog.torproject.org", false, &domain_state));
EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn"));
EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn"));
EXPECT_TRUE(StaticShouldRedirect("epoxate.com"));
EXPECT_FALSE(HasStaticState("foo.epoxate.com"));
EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
EXPECT_FALSE(HasStaticState("foo.torproject.org"));
EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com"));
......@@ -478,6 +475,57 @@ TEST_F(TransportSecurityStateTest, Preloaded) {
EXPECT_TRUE(StaticShouldRedirect("crate.io"));
EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
}
TEST_F(TransportSecurityStateTest, PreloadedPins) {
TransportSecurityState state;
EnableStaticPins(&state);
TransportSecurityState::DomainState domain_state;
// We do more extensive checks for the first domain.
EXPECT_TRUE(
state.GetStaticDomainState("www.paypal.com", true, &domain_state));
EXPECT_EQ(domain_state.sts.upgrade_mode,
TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
EXPECT_FALSE(domain_state.sts.include_subdomains);
EXPECT_FALSE(domain_state.pkp.include_subdomains);
EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
EXPECT_FALSE(HasStaticState("foo.torproject.org"));
EXPECT_TRUE(
state.GetStaticDomainState("torproject.org", false, &domain_state));
EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
EXPECT_TRUE(
state.GetStaticDomainState("www.torproject.org", false, &domain_state));
EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
EXPECT_TRUE(
state.GetStaticDomainState("check.torproject.org", false, &domain_state));
EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
EXPECT_TRUE(
state.GetStaticDomainState("blog.torproject.org", false, &domain_state));
EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
}
......@@ -495,6 +543,7 @@ TEST_F(TransportSecurityStateTest, LongNames) {
TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
TransportSecurityState state;
EnableStaticPins(&state);
TransportSecurityState::DomainState domain_state;
EXPECT_TRUE(
......@@ -534,7 +583,6 @@ TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com"));
EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com"));
// Disabled in order to help track down pinning failures --agl
EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com"));
EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com"));
EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
......@@ -585,6 +633,8 @@ TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
}
TransportSecurityState state;
EnableStaticPins(&state);
TransportSecurityState::DomainState domain_state;
EXPECT_TRUE(
state.GetStaticDomainState("blog.torproject.org", true, &domain_state));
......@@ -597,6 +647,7 @@ TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
TransportSecurityState state;
EnableStaticPins(&state);
TransportSecurityState::DomainState domain_state;
EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com"));
......
net/quic/crypto/proof_verifier_chromium.cc
View file @ 8d60aa54
......@@ -236,58 +236,20 @@ int ProofVerifierChromium::Job::DoVerifyCert(int result) {
int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
verifier_.reset();
#if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS)
// TODO(wtc): The following code was copied from ssl_client_socket_nss.cc.
// Convert it to a new function that can be called by both files. These
// variables simulate the arguments to the new function.
const CertVerifyResult& cert_verify_result =
verify_details_->cert_verify_result;
bool sni_available = true;
const std::string& host = hostname_;
TransportSecurityState* transport_security_state = transport_security_state_;
std::string* pinning_failure_log = &verify_details_->pinning_failure_log;
// Take care of any mandates for public key pinning.
//
// Pinning is only enabled for official builds to make sure that others don't
// end up with pins that cannot be easily updated.
//
// TODO(agl): We might have an issue here where a request for foo.example.com
// merges into a SPDY connection to www.example.com, and gets a different
// certificate.
// Perform pin validation if, and only if, all these conditions obtain:
//
// * a TransportSecurityState object is available;
// * the server's certificate chain is valid (or suffers from only a minor
// error);
// * the server's certificate chain chains up to a known root (i.e. not a
// user-installed trust anchor); and
// * the build is recent (very old builds should fail open so that users
// have some chance to recover).
//
const CertStatus cert_status = cert_verify_result.cert_status;
if (transport_security_state &&
if (transport_security_state_ &&
(result == OK ||
(IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
cert_verify_result.is_issued_by_known_root &&
TransportSecurityState::IsBuildTimely()) {
if (transport_security_state->HasPublicKeyPins(host, sni_available)) {
if (!transport_security_state->CheckPublicKeyPins(
host,
sni_available,
cert_verify_result.public_key_hashes,
pinning_failure_log)) {
LOG(ERROR) << *pinning_failure_log;
result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
TransportSecurityState::ReportUMAOnPinFailure(host);
} else {
UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
}
}
!transport_security_state_->CheckPublicKeyPins(
hostname_,
true, /* sni_available */
cert_verify_result.is_issued_by_known_root,
cert_verify_result.public_key_hashes,
&verify_details_->pinning_failure_log)) {
result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
}
#endif
if (result != OK) {
std::string error_string = ErrorToString(result);
......
net/socket/ssl_client_socket_nss.cc
View file @ 8d60aa54
......@@ -3427,53 +3427,20 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
if (result == OK)
LogConnectionTypeMetrics();
#if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS)
// Take care of any mandates for public key pinning.
//
// Pinning is only enabled for official builds to make sure that others don't
// end up with pins that cannot be easily updated.
//
// TODO(agl): We might have an issue here where a request for foo.example.com
// merges into a SPDY connection to www.example.com, and gets a different
// certificate.
// Perform pin validation if, and only if, all these conditions obtain:
//
// * a TransportSecurityState object is available;
// * the server's certificate chain is valid (or suffers from only a minor
// error);
// * the server's certificate chain chains up to a known root (i.e. not a
// user-installed trust anchor); and
// * the build is recent (very old builds should fail open so that users
// have some chance to recover).
//
bool sni_available = ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 ||
ssl_config_.version_fallback;
const CertStatus cert_status = server_cert_verify_result_.cert_status;
if (transport_security_state_ &&
(result == OK ||
(IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
server_cert_verify_result_.is_issued_by_known_root &&
TransportSecurityState::IsBuildTimely()) {
bool sni_available =
ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 ||
ssl_config_.version_fallback;
const std::string& host = host_and_port_.host();
if (transport_security_state_->HasPublicKeyPins(host, sni_available)) {
if (!transport_security_state_->CheckPublicKeyPins(
host,
sni_available,
server_cert_verify_result_.public_key_hashes,
&pinning_failure_log_)) {
LOG(ERROR) << pinning_failure_log_;
result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
TransportSecurityState::ReportUMAOnPinFailure(host);
} else {
UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
}
}
!transport_security_state_->CheckPublicKeyPins(
host_and_port_.host(),
sni_available,
server_cert_verify_result_.is_issued_by_known_root,
server_cert_verify_result_.public_key_hashes,
&pinning_failure_log_)) {
result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
}
#endif
if (result == OK) {
// Only check Certificate Transparency if there were no other errors with
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment