diff options
| author | erg@google.com <erg@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-01-07 23:02:11 +0000 |
|---|---|---|
| committer | erg@google.com <erg@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-01-07 23:02:11 +0000 |
| commit | 4b3c95dd199586b4c540800be8cd223e948e5e3f (patch) | |
| tree | c97ef865a3c85f09e920d8b1bc4024a56bb8e8cf /net/base | |
| parent | d160ec0e875e98829684f040d843e6a292dbb3ba (diff) | |
| download | chromium_src-4b3c95dd199586b4c540800be8cd223e948e5e3f.zip chromium_src-4b3c95dd199586b4c540800be8cd223e948e5e3f.tar.gz chromium_src-4b3c95dd199586b4c540800be8cd223e948e5e3f.tar.bz2 | |
Start reordering the methods in headers in net/.
This patch also starts reordering some of the cc files to match their
headers. More of both cleanups will be done in future patches.
BUG=68682
TEST=compiles
Review URL: http://codereview.chromium.org/6085013
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@70799 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
| -rw-r--r-- | net/base/cert_database.h | 22 | ||||
| -rw-r--r-- | net/base/gzip_header.h | 18 | ||||
| -rw-r--r-- | net/base/mock_host_resolver.h | 24 | ||||
| -rw-r--r-- | net/base/registry_controlled_domain.h | 4 | ||||
| -rw-r--r-- | net/base/sdch_manager.cc | 449 | ||||
| -rw-r--r-- | net/base/ssl_config_service.h | 6 | ||||
| -rw-r--r-- | net/base/transport_security_state.h | 10 | ||||
| -rw-r--r-- | net/base/x509_certificate.h | 10 |
8 files changed, 272 insertions, 271 deletions
diff --git a/net/base/cert_database.h b/net/base/cert_database.h index 7915cc6..5ffb6a2 100644 --- a/net/base/cert_database.h +++ b/net/base/cert_database.h @@ -29,6 +29,17 @@ typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; class CertDatabase { public: + // Stores per-certificate error codes for import failures. + struct ImportCertFailure { + public: + ImportCertFailure(X509Certificate* cert, int err); + ~ImportCertFailure(); + + scoped_refptr<X509Certificate> certificate; + int net_error; + }; + typedef std::vector<ImportCertFailure> ImportCertFailureList; + // Constants that define which usages a certificate is trusted for. // They are used in combination with CertType to specify trust for each type // of certificate. @@ -45,17 +56,6 @@ class CertDatabase { TRUSTED_OBJ_SIGN = 1 << 2, }; - // Stores per-certificate error codes for import failures. - struct ImportCertFailure { - public: - ImportCertFailure(X509Certificate* cert, int err); - ~ImportCertFailure(); - - scoped_refptr<X509Certificate> certificate; - int net_error; - }; - typedef std::vector<ImportCertFailure> ImportCertFailureList; - CertDatabase(); // Check whether this is a valid user cert that we have the private key for. diff --git a/net/base/gzip_header.h b/net/base/gzip_header.h index 81f6f19..c245de2 100644 --- a/net/base/gzip_header.h +++ b/net/base/gzip_header.h @@ -20,9 +20,16 @@ class GZipHeader { public: + enum Status { + INCOMPLETE_HEADER, // don't have all the bits yet... + COMPLETE_HEADER, // complete, valid header + INVALID_HEADER, // found something invalid in the header + }; + GZipHeader() { Reset(); } + ~GZipHeader() { } @@ -33,12 +40,6 @@ class GZipHeader { extra_length_ = 0; } - enum Status { - INCOMPLETE_HEADER, // don't have all the bits yet... - COMPLETE_HEADER, // complete, valid header - INVALID_HEADER, // found something invalid in the header - }; - // Attempt to parse the given buffer as the next installment of // bytes from a gzip header. If the bytes we've seen so far do not // yet constitute a complete gzip header, return @@ -49,9 +50,6 @@ class GZipHeader { Status ReadMore(const char* inbuf, int inbuf_len, const char** header_end); private: - - static const uint8 magic[]; // gzip magic header - enum { // flags (see RFC) FLAG_FTEXT = 0x01, // bit 0 set: file probably ascii text FLAG_FHCRC = 0x02, // bit 1 set: header CRC present @@ -88,6 +86,8 @@ class GZipHeader { IN_DONE, }; + static const uint8 magic[]; // gzip magic header + int state_; // our current State in the parsing FSM: an int so we can ++ uint8 flags_; // the flags byte of the header ("FLG" in the RFC) uint16 extra_length_; // how much of the "extra field" we have yet to read diff --git a/net/base/mock_host_resolver.h b/net/base/mock_host_resolver.h index 2972c84..3b1e36a 100644 --- a/net/base/mock_host_resolver.h +++ b/net/base/mock_host_resolver.h @@ -41,16 +41,6 @@ class MockHostResolverBase : public HostResolver { public: virtual ~MockHostResolverBase(); - // HostResolver methods: - virtual int Resolve(const RequestInfo& info, - AddressList* addresses, - CompletionCallback* callback, - RequestHandle* out_req, - const BoundNetLog& net_log); - virtual void CancelRequest(RequestHandle req); - virtual void AddObserver(Observer* observer); - virtual void RemoveObserver(Observer* observer); - RuleBasedHostResolverProc* rules() { return rules_; } // Controls whether resolutions complete synchronously or asynchronously. @@ -68,6 +58,16 @@ class MockHostResolverBase : public HostResolver { pool_index, max_outstanding_jobs, max_pending_requests); } + // HostResolver methods: + virtual int Resolve(const RequestInfo& info, + AddressList* addresses, + CompletionCallback* callback, + RequestHandle* out_req, + const BoundNetLog& net_log); + virtual void CancelRequest(RequestHandle req); + virtual void AddObserver(Observer* observer); + virtual void RemoveObserver(Observer* observer); + protected: MockHostResolverBase(bool use_caching); @@ -143,11 +143,11 @@ class RuleBasedHostResolverProc : public HostResolverProc { int* os_error); private: - ~RuleBasedHostResolverProc(); - struct Rule; typedef std::list<Rule> RuleList; + ~RuleBasedHostResolverProc(); + RuleList rules_; }; diff --git a/net/base/registry_controlled_domain.h b/net/base/registry_controlled_domain.h index 7586c12..90a1b8f 100644 --- a/net/base/registry_controlled_domain.h +++ b/net/base/registry_controlled_domain.h @@ -204,6 +204,8 @@ class RegistryControlledDomainService { static RegistryControlledDomainService* GetInstance(); protected: + typedef const struct DomainRule* (*FindDomainPtr)(const char *, unsigned int); + // The entire protected API is only for unit testing. I mean it. Don't make // me come over there! RegistryControlledDomainService(); @@ -216,8 +218,6 @@ class RegistryControlledDomainService { static RegistryControlledDomainService* SetInstance( RegistryControlledDomainService* instance); - typedef const struct DomainRule* (*FindDomainPtr)(const char *, unsigned int); - // Used for unit tests, so that a different perfect hash map from the full // list is used. static void UseFindDomainFunction(FindDomainPtr function); diff --git a/net/base/sdch_manager.cc b/net/base/sdch_manager.cc index 5aca923..18976c9 100644 --- a/net/base/sdch_manager.cc +++ b/net/base/sdch_manager.cc @@ -26,41 +26,176 @@ const size_t SdchManager::kMaxDictionaryCount = 20; // static SdchManager* SdchManager::global_; -// static -SdchManager* SdchManager::Global() { - return global_; +//------------------------------------------------------------------------------ +SdchManager::Dictionary::Dictionary(const std::string& dictionary_text, + size_t offset, const std::string& client_hash, const GURL& gurl, + const std::string& domain, const std::string& path, const Time& expiration, + const std::set<int> ports) + : text_(dictionary_text, offset), + client_hash_(client_hash), + url_(gurl), + domain_(domain), + path_(path), + expiration_(expiration), + ports_(ports) { } -// static -void SdchManager::SdchErrorRecovery(ProblemCodes problem) { - UMA_HISTOGRAM_ENUMERATION("Sdch3.ProblemCodes_4", problem, MAX_PROBLEM_CODE); +SdchManager::Dictionary::~Dictionary() { } -// static -void SdchManager::ClearBlacklistings() { - Global()->blacklisted_domains_.clear(); - Global()->exponential_blacklist_count.clear(); +bool SdchManager::Dictionary::CanAdvertise(const GURL& target_url) { + if (!SdchManager::Global()->IsInSupportedDomain(target_url)) + return false; + /* The specific rules of when a dictionary should be advertised in an + Avail-Dictionary header are modeled after the rules for cookie scoping. The + terms "domain-match" and "pathmatch" are defined in RFC 2965 [6]. A + dictionary may be advertised in the Avail-Dictionaries header exactly when + all of the following are true: + 1. The server's effective host name domain-matches the Domain attribute of + the dictionary. + 2. If the dictionary has a Port attribute, the request port is one of the + ports listed in the Port attribute. + 3. The request URI path-matches the path header of the dictionary. + 4. The request is not an HTTPS request. + */ + if (!DomainMatch(target_url, domain_)) + return false; + if (!ports_.empty() && 0 == ports_.count(target_url.EffectiveIntPort())) + return false; + if (path_.size() && !PathMatch(target_url.path(), path_)) + return false; + if (target_url.SchemeIsSecure()) + return false; + if (Time::Now() > expiration_) + return false; + return true; } +//------------------------------------------------------------------------------ +// Security functions restricting loads and use of dictionaries. + // static -void SdchManager::ClearDomainBlacklisting(const std::string& domain) { - Global()->blacklisted_domains_.erase(StringToLowerASCII(domain)); +bool SdchManager::Dictionary::CanSet(const std::string& domain, + const std::string& path, + const std::set<int> ports, + const GURL& dictionary_url) { + if (!SdchManager::Global()->IsInSupportedDomain(dictionary_url)) + return false; + /* + A dictionary is invalid and must not be stored if any of the following are + true: + 1. The dictionary has no Domain attribute. + 2. The effective host name that derives from the referer URL host name does + not domain-match the Domain attribute. + 3. The Domain attribute is a top level domain. + 4. The referer URL host is a host domain name (not IP address) and has the + form HD, where D is the value of the Domain attribute, and H is a string + that contains one or more dots. + 5. If the dictionary has a Port attribute and the referer URL's port was not + in the list. + */ + + // TODO(jar): Redirects in dictionary fetches might plausibly be problematic, + // and hence the conservative approach is to not allow any redirects (if there + // were any... then don't allow the dictionary to be set). + + if (domain.empty()) { + SdchErrorRecovery(DICTIONARY_MISSING_DOMAIN_SPECIFIER); + return false; // Domain is required. + } + if (net::RegistryControlledDomainService::GetDomainAndRegistry(domain).size() + == 0) { + SdchErrorRecovery(DICTIONARY_SPECIFIES_TOP_LEVEL_DOMAIN); + return false; // domain was a TLD. + } + if (!Dictionary::DomainMatch(dictionary_url, domain)) { + SdchErrorRecovery(DICTIONARY_DOMAIN_NOT_MATCHING_SOURCE_URL); + return false; + } + + std::string referrer_url_host = dictionary_url.host(); + size_t postfix_domain_index = referrer_url_host.rfind(domain); + // See if it is indeed a postfix, or just an internal string. + if (referrer_url_host.size() == postfix_domain_index + domain.size()) { + // It is a postfix... so check to see if there's a dot in the prefix. + size_t end_of_host_index = referrer_url_host.find_first_of('.'); + if (referrer_url_host.npos != end_of_host_index && + end_of_host_index < postfix_domain_index) { + SdchErrorRecovery(DICTIONARY_REFERER_URL_HAS_DOT_IN_PREFIX); + return false; + } + } + + if (!ports.empty() + && 0 == ports.count(dictionary_url.EffectiveIntPort())) { + SdchErrorRecovery(DICTIONARY_PORT_NOT_MATCHING_SOURCE_URL); + return false; + } + return true; } // static -int SdchManager::BlackListDomainCount(const std::string& domain) { - if (Global()->blacklisted_domains_.end() == - Global()->blacklisted_domains_.find(domain)) - return 0; - return Global()->blacklisted_domains_[StringToLowerASCII(domain)]; +bool SdchManager::Dictionary::CanUse(const GURL& referring_url) { + if (!SdchManager::Global()->IsInSupportedDomain(referring_url)) + return false; + /* + 1. The request URL's host name domain-matches the Domain attribute of the + dictionary. + 2. If the dictionary has a Port attribute, the request port is one of the + ports listed in the Port attribute. + 3. The request URL path-matches the path attribute of the dictionary. + 4. The request is not an HTTPS request. +*/ + if (!DomainMatch(referring_url, domain_)) { + SdchErrorRecovery(DICTIONARY_FOUND_HAS_WRONG_DOMAIN); + return false; + } + if (!ports_.empty() + && 0 == ports_.count(referring_url.EffectiveIntPort())) { + SdchErrorRecovery(DICTIONARY_FOUND_HAS_WRONG_PORT_LIST); + return false; + } + if (path_.size() && !PathMatch(referring_url.path(), path_)) { + SdchErrorRecovery(DICTIONARY_FOUND_HAS_WRONG_PATH); + return false; + } + if (referring_url.SchemeIsSecure()) { + SdchErrorRecovery(DICTIONARY_FOUND_HAS_WRONG_SCHEME); + return false; + } + + // TODO(jar): Remove overly restrictive failsafe test (added per security + // review) when we have a need to be more general. + if (!referring_url.SchemeIs("http")) { + SdchErrorRecovery(ATTEMPT_TO_DECODE_NON_HTTP_DATA); + return false; + } + + return true; +} + +bool SdchManager::Dictionary::PathMatch(const std::string& path, + const std::string& restriction) { + /* Must be either: + 1. P2 is equal to P1 + 2. P2 is a prefix of P1 and either the final character in P2 is "/" or the + character following P2 in P1 is "/". + */ + if (path == restriction) + return true; + size_t prefix_length = restriction.size(); + if (prefix_length > path.size()) + return false; // Can't be a prefix. + if (0 != path.compare(0, prefix_length, restriction)) + return false; + return restriction[prefix_length - 1] == '/' || path[prefix_length] == '/'; } // static -int SdchManager::BlacklistDomainExponential(const std::string& domain) { - if (Global()->exponential_blacklist_count.end() == - Global()->exponential_blacklist_count.find(domain)) - return 0; - return Global()->exponential_blacklist_count[StringToLowerASCII(domain)]; +bool SdchManager::Dictionary::DomainMatch(const GURL& gurl, + const std::string& restriction) { + // TODO(jar): This is not precisely a domain match definition. + return gurl.DomainIs(restriction.data(), restriction.size()); } //------------------------------------------------------------------------------ @@ -87,6 +222,22 @@ void SdchManager::Shutdown() { } // static +SdchManager* SdchManager::Global() { + return global_; +} + +// static +void SdchManager::SdchErrorRecovery(ProblemCodes problem) { + UMA_HISTOGRAM_ENUMERATION("Sdch3.ProblemCodes_4", problem, MAX_PROBLEM_CODE); +} + +void SdchManager::EnableSdchSupport(const std::string& domain) { + // We presume that there is a SDCH manager instance. + global_->supported_domain_ = domain; + global_->sdch_enabled_ = true; +} + +// static void SdchManager::BlacklistDomain(const GURL& url) { if (!global_ ) return; @@ -117,10 +268,31 @@ void SdchManager::BlacklistDomainForever(const GURL& url) { global_->blacklisted_domains_[domain] = INT_MAX; } -void SdchManager::EnableSdchSupport(const std::string& domain) { - // We presume that there is a SDCH manager instance. - global_->supported_domain_ = domain; - global_->sdch_enabled_ = true; +// static +void SdchManager::ClearBlacklistings() { + Global()->blacklisted_domains_.clear(); + Global()->exponential_blacklist_count.clear(); +} + +// static +void SdchManager::ClearDomainBlacklisting(const std::string& domain) { + Global()->blacklisted_domains_.erase(StringToLowerASCII(domain)); +} + +// static +int SdchManager::BlackListDomainCount(const std::string& domain) { + if (Global()->blacklisted_domains_.end() == + Global()->blacklisted_domains_.find(domain)) + return 0; + return Global()->blacklisted_domains_[StringToLowerASCII(domain)]; +} + +// static +int SdchManager::BlacklistDomainExponential(const std::string& domain) { + if (Global()->exponential_blacklist_count.end() == + Global()->exponential_blacklist_count.find(domain)) + return 0; + return Global()->exponential_blacklist_count[StringToLowerASCII(domain)]; } bool SdchManager::IsInSupportedDomain(const GURL& url) { @@ -147,6 +319,13 @@ bool SdchManager::IsInSupportedDomain(const GURL& url) { return false; } +void SdchManager::FetchDictionary(const GURL& request_url, + const GURL& dictionary_url) { + if (SdchManager::Global()->CanFetchDictionary(request_url, dictionary_url) && + fetcher_.get()) + fetcher_->Schedule(dictionary_url); +} + bool SdchManager::CanFetchDictionary(const GURL& referring_url, const GURL& dictionary_url) const { /* The user agent may retrieve a dictionary from the dictionary URL if all of @@ -179,13 +358,6 @@ bool SdchManager::CanFetchDictionary(const GURL& referring_url, return true; } -void SdchManager::FetchDictionary(const GURL& request_url, - const GURL& dictionary_url) { - if (SdchManager::Global()->CanFetchDictionary(request_url, dictionary_url) && - fetcher_.get()) - fetcher_->Schedule(dictionary_url); -} - bool SdchManager::AddSdchDictionary(const std::string& dictionary_text, const GURL& dictionary_url) { std::string client_hash; @@ -317,22 +489,6 @@ void SdchManager::GetAvailDictionaryList(const GURL& target_url, UMA_HISTOGRAM_COUNTS("Sdch3.Advertisement_Count", count); } -SdchManager::Dictionary::Dictionary(const std::string& dictionary_text, - size_t offset, const std::string& client_hash, const GURL& gurl, - const std::string& domain, const std::string& path, const Time& expiration, - const std::set<int> ports) - : text_(dictionary_text, offset), - client_hash_(client_hash), - url_(gurl), - domain_(domain), - path_(path), - expiration_(expiration), - ports_(ports) { -} - -SdchManager::Dictionary::~Dictionary() { -} - // static void SdchManager::GenerateHash(const std::string& dictionary_text, std::string* client_hash, std::string* server_hash) { @@ -348,181 +504,6 @@ void SdchManager::GenerateHash(const std::string& dictionary_text, DCHECK_EQ(client_hash->length(), 8u); } -// static -void SdchManager::UrlSafeBase64Encode(const std::string& input, - std::string* output) { - // Since this is only done during a dictionary load, and hashes are only 8 - // characters, we just do the simple fixup, rather than rewriting the encoder. - base::Base64Encode(input, output); - for (size_t i = 0; i < output->size(); ++i) { - switch (output->data()[i]) { - case '+': - (*output)[i] = '-'; - continue; - case '/': - (*output)[i] = '_'; - continue; - default: - continue; - } - } -} - -//------------------------------------------------------------------------------ -// Security functions restricting loads and use of dictionaries. - -// static -bool SdchManager::Dictionary::CanSet(const std::string& domain, - const std::string& path, - const std::set<int> ports, - const GURL& dictionary_url) { - if (!SdchManager::Global()->IsInSupportedDomain(dictionary_url)) - return false; - /* - A dictionary is invalid and must not be stored if any of the following are - true: - 1. The dictionary has no Domain attribute. - 2. The effective host name that derives from the referer URL host name does - not domain-match the Domain attribute. - 3. The Domain attribute is a top level domain. - 4. The referer URL host is a host domain name (not IP address) and has the - form HD, where D is the value of the Domain attribute, and H is a string - that contains one or more dots. - 5. If the dictionary has a Port attribute and the referer URL's port was not - in the list. - */ - - // TODO(jar): Redirects in dictionary fetches might plausibly be problematic, - // and hence the conservative approach is to not allow any redirects (if there - // were any... then don't allow the dictionary to be set). - - if (domain.empty()) { - SdchErrorRecovery(DICTIONARY_MISSING_DOMAIN_SPECIFIER); - return false; // Domain is required. - } - if (net::RegistryControlledDomainService::GetDomainAndRegistry(domain).size() - == 0) { - SdchErrorRecovery(DICTIONARY_SPECIFIES_TOP_LEVEL_DOMAIN); - return false; // domain was a TLD. - } - if (!Dictionary::DomainMatch(dictionary_url, domain)) { - SdchErrorRecovery(DICTIONARY_DOMAIN_NOT_MATCHING_SOURCE_URL); - return false; - } - - std::string referrer_url_host = dictionary_url.host(); - size_t postfix_domain_index = referrer_url_host.rfind(domain); - // See if it is indeed a postfix, or just an internal string. - if (referrer_url_host.size() == postfix_domain_index + domain.size()) { - // It is a postfix... so check to see if there's a dot in the prefix. - size_t end_of_host_index = referrer_url_host.find_first_of('.'); - if (referrer_url_host.npos != end_of_host_index && - end_of_host_index < postfix_domain_index) { - SdchErrorRecovery(DICTIONARY_REFERER_URL_HAS_DOT_IN_PREFIX); - return false; - } - } - - if (!ports.empty() - && 0 == ports.count(dictionary_url.EffectiveIntPort())) { - SdchErrorRecovery(DICTIONARY_PORT_NOT_MATCHING_SOURCE_URL); - return false; - } - return true; -} - -// static -bool SdchManager::Dictionary::CanUse(const GURL& referring_url) { - if (!SdchManager::Global()->IsInSupportedDomain(referring_url)) - return false; - /* - 1. The request URL's host name domain-matches the Domain attribute of the - dictionary. - 2. If the dictionary has a Port attribute, the request port is one of the - ports listed in the Port attribute. - 3. The request URL path-matches the path attribute of the dictionary. - 4. The request is not an HTTPS request. -*/ - if (!DomainMatch(referring_url, domain_)) { - SdchErrorRecovery(DICTIONARY_FOUND_HAS_WRONG_DOMAIN); - return false; - } - if (!ports_.empty() - && 0 == ports_.count(referring_url.EffectiveIntPort())) { - SdchErrorRecovery(DICTIONARY_FOUND_HAS_WRONG_PORT_LIST); - return false; - } - if (path_.size() && !PathMatch(referring_url.path(), path_)) { - SdchErrorRecovery(DICTIONARY_FOUND_HAS_WRONG_PATH); - return false; - } - if (referring_url.SchemeIsSecure()) { - SdchErrorRecovery(DICTIONARY_FOUND_HAS_WRONG_SCHEME); - return false; - } - - // TODO(jar): Remove overly restrictive failsafe test (added per security - // review) when we have a need to be more general. - if (!referring_url.SchemeIs("http")) { - SdchErrorRecovery(ATTEMPT_TO_DECODE_NON_HTTP_DATA); - return false; - } - - return true; -} - -bool SdchManager::Dictionary::CanAdvertise(const GURL& target_url) { - if (!SdchManager::Global()->IsInSupportedDomain(target_url)) - return false; - /* The specific rules of when a dictionary should be advertised in an - Avail-Dictionary header are modeled after the rules for cookie scoping. The - terms "domain-match" and "pathmatch" are defined in RFC 2965 [6]. A - dictionary may be advertised in the Avail-Dictionaries header exactly when - all of the following are true: - 1. The server's effective host name domain-matches the Domain attribute of - the dictionary. - 2. If the dictionary has a Port attribute, the request port is one of the - ports listed in the Port attribute. - 3. The request URI path-matches the path header of the dictionary. - 4. The request is not an HTTPS request. - */ - if (!DomainMatch(target_url, domain_)) - return false; - if (!ports_.empty() && 0 == ports_.count(target_url.EffectiveIntPort())) - return false; - if (path_.size() && !PathMatch(target_url.path(), path_)) - return false; - if (target_url.SchemeIsSecure()) - return false; - if (Time::Now() > expiration_) - return false; - return true; -} - -bool SdchManager::Dictionary::PathMatch(const std::string& path, - const std::string& restriction) { - /* Must be either: - 1. P2 is equal to P1 - 2. P2 is a prefix of P1 and either the final character in P2 is "/" or the - character following P2 in P1 is "/". - */ - if (path == restriction) - return true; - size_t prefix_length = restriction.size(); - if (prefix_length > path.size()) - return false; // Can't be a prefix. - if (0 != path.compare(0, prefix_length, restriction)) - return false; - return restriction[prefix_length - 1] == '/' || path[prefix_length] == '/'; -} - -// static -bool SdchManager::Dictionary::DomainMatch(const GURL& gurl, - const std::string& restriction) { - // TODO(jar): This is not precisely a domain match definition. - return gurl.DomainIs(restriction.data(), restriction.size()); -} - //------------------------------------------------------------------------------ // Methods for supporting latency experiments. @@ -542,3 +523,23 @@ void SdchManager::SetAllowLatencyExperiment(const GURL& url, bool enable) { SdchErrorRecovery(LATENCY_TEST_DISALLOWED); allow_latency_experiment_.erase(it); } + +// static +void SdchManager::UrlSafeBase64Encode(const std::string& input, + std::string* output) { + // Since this is only done during a dictionary load, and hashes are only 8 + // characters, we just do the simple fixup, rather than rewriting the encoder. + base::Base64Encode(input, output); + for (size_t i = 0; i < output->size(); ++i) { + switch (output->data()[i]) { + case '+': + (*output)[i] = '-'; + continue; + case '/': + (*output)[i] = '_'; + continue; + default: + continue; + } + } +} diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h index de2ebef..0a9d569e 100644 --- a/net/base/ssl_config_service.h +++ b/net/base/ssl_config_service.h @@ -22,6 +22,9 @@ struct SSLConfig { SSLConfig(); ~SSLConfig(); + // Returns true if |cert| is one of the certs in |allowed_bad_certs|. + bool IsAllowedBadCert(X509Certificate* cert) const; + bool rev_checking_enabled; // True if server certificate revocation // checking is enabled. // SSL 2.0 is not supported. @@ -79,9 +82,6 @@ struct SSLConfig { int cert_status; }; - // Returns true if |cert| is one of the certs in |allowed_bad_certs|. - bool IsAllowedBadCert(X509Certificate* cert) const; - // Add any known-bad SSL certificate (with its cert status) to // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when // calling SSLClientSocket::Connect. This would normally be done in diff --git a/net/base/transport_security_state.h b/net/base/transport_security_state.h index fcd4e79..768ccbb 100644 --- a/net/base/transport_security_state.h +++ b/net/base/transport_security_state.h @@ -43,13 +43,13 @@ class TransportSecurityState : // * Certificate issues are fatal. MODE_SPDY_ONLY = 2, }; - Mode mode; DomainState() : mode(MODE_STRICT), created(base::Time::Now()), include_subdomains(false) { } + Mode mode; base::Time created; // when this host entry was first created base::Time expiry; // the absolute time (UTC) when this record expires bool include_subdomains; // subdomains included? @@ -101,6 +101,10 @@ class TransportSecurityState : // our state is dirty. void DirtyNotify(); + static std::string CanonicaliseHost(const std::string& host); + static bool IsPreloadedSTS(const std::string& canonicalised_host, + bool* out_include_subdomains); + // The set of hosts that have enabled TransportSecurity. The keys here // are SHA256(DNSForm(domain)) where DNSForm converts from dotted form // ('www.google.com') to the form used in DNS: "\x03www\x06google\x03com" @@ -109,10 +113,6 @@ class TransportSecurityState : // Our delegate who gets notified when we are dirtied, or NULL. Delegate* delegate_; - static std::string CanonicaliseHost(const std::string& host); - static bool IsPreloadedSTS(const std::string& canonicalised_host, - bool* out_include_subdomains); - DISALLOW_COPY_AND_ASSIGN(TransportSecurityState); }; diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h index c59c33c..47178f5 100644 --- a/net/base/x509_certificate.h +++ b/net/base/x509_certificate.h @@ -109,6 +109,11 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { FORMAT_PKCS7, }; + // Creates a X509Certificate from the ground up. Used by tests that simulate + // SSL connections. + X509Certificate(const std::string& subject, const std::string& issuer, + base::Time start_date, base::Time expiration_date); + // Create an X509Certificate from a handle to the certificate object in the // underlying crypto library. |source| specifies where |cert_handle| comes // from. Given two certificate handles for the same certificate, our @@ -175,11 +180,6 @@ class X509Certificate : public base::RefCountedThreadSafe<X509Certificate> { uint32 serial_number, base::TimeDelta valid_duration); - // Creates a X509Certificate from the ground up. Used by tests that simulate - // SSL connections. - X509Certificate(const std::string& subject, const std::string& issuer, - base::Time start_date, base::Time expiration_date); - // Appends a representation of this object to the given pickle. void Persist(Pickle* pickle); |