author | Adam Langley <agl@google.com> | 2014-09-25 16:14:12 -0700 |
---|---|---|
committer | Adam Langley <agl@google.com> | 2014-09-25 23:14:57 +0000 |
commit | 5cbb7d7a2ce034432b7d56f5940009bc75c337d4 (patch) | |
tree | 6f87d6db9fb2919b293985637a2fbaaecd6ca00b /net/http | |
parent | cfdd7ba3cf8658df5a5484b716a1dc48ce3e0674 (diff) | |
Remove the "snionly" concept from the HSTS preload.
The "snionly" tag only applies to preloaded values and only affects
people who are forcing SSLv3 on the command line. (We no longer have the
option in the preferences to disable TLS and the preference has been
renamed so even those who might have set it in the past shouldn't have
it now).
It also complicates pending work to reduce the size of the preload data.
BUG=102779
R=eroman@chromium.org, rsleevi@chromium.org
Review URL: https://codereview.chromium.org/578553004
Cr-Commit-Position: refs/heads/master@{#296821}
Diffstat (limited to 'net/http')
-rw-r--r-- | net/http/http_security_headers_unittest.cc | 34 | ||||
-rw-r--r-- | net/http/transport_security_persister_unittest.cc | 4 | ||||
-rw-r--r-- | net/http/transport_security_state.cc | 53 | ||||
-rw-r--r-- | net/http/transport_security_state.h | 21 | ||||
-rw-r--r-- | net/http/transport_security_state_static.h | 24 | ||||
-rw-r--r-- | net/http/transport_security_state_static.json | 24 | ||||
-rw-r--r-- | net/http/transport_security_state_unittest.cc | 140 |
7 files changed, 114 insertions, 186 deletions
diff --git a/net/http/http_security_headers_unittest.cc b/net/http/http_security_headers_unittest.cc index 240e76d..d09f6fd 100644 --- a/net/http/http_security_headers_unittest.cc +++ b/net/http/http_security_headers_unittest.cc @@ -504,11 +504,10 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) { TransportSecurityState::DomainState static_domain_state; // docs.google.com has preloaded pins. - const bool sni_enabled = true; std::string domain = "docs.google.com"; state.enable_static_pins_ = true; EXPECT_TRUE( - state.GetStaticDomainState(domain, sni_enabled, &static_domain_state)); + state.GetStaticDomainState(domain, &static_domain_state)); EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL); HashValueVector saved_hashes = static_domain_state.pkp.spki_hashes; @@ -528,7 +527,7 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) { // Expect the static state to remain unchanged. TransportSecurityState::DomainState new_static_domain_state; EXPECT_TRUE(state.GetStaticDomainState( - domain, sni_enabled, &new_static_domain_state)); + domain, &new_static_domain_state)); for (size_t i = 0; i < saved_hashes.size(); ++i) { EXPECT_TRUE(HashValuesEqual(saved_hashes[i])( new_static_domain_state.pkp.spki_hashes[i])); @@ -551,13 +550,13 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) { EXPECT_NE(dynamic_domain_state.pkp.spki_hashes.end(), hash); // Expect the overall state to reflect the header, too. - EXPECT_TRUE(state.HasPublicKeyPins(domain, sni_enabled)); + EXPECT_TRUE(state.HasPublicKeyPins(domain)); HashValueVector hashes; hashes.push_back(good_hash); std::string failure_log; const bool is_issued_by_known_root = true; EXPECT_TRUE(state.CheckPublicKeyPins( - domain, sni_enabled, is_issued_by_known_root, hashes, &failure_log)); + domain, is_issued_by_known_root, hashes, &failure_log)); TransportSecurityState::DomainState new_dynamic_domain_state; EXPECT_TRUE(state.GetDynamicDomainState(domain, &new_dynamic_domain_state)); 
@@ -585,11 +584,10 @@ TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPMaxAge0) { TransportSecurityState::DomainState static_domain_state; // docs.google.com has preloaded pins. - const bool sni_enabled = true; std::string domain = "docs.google.com"; state.enable_static_pins_ = true; ASSERT_TRUE( - state.GetStaticDomainState(domain, sni_enabled, &static_domain_state)); + state.GetStaticDomainState(domain, &static_domain_state)); EXPECT_GT(static_domain_state.pkp.spki_hashes.size(), 1UL); HashValueVector saved_hashes = static_domain_state.pkp.spki_hashes; @@ -608,7 +606,7 @@ TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPMaxAge0) { // Expect the static state to remain unchanged. TransportSecurityState::DomainState new_static_domain_state; EXPECT_TRUE(state.GetStaticDomainState( - domain, sni_enabled, &new_static_domain_state)); + domain, &new_static_domain_state)); EXPECT_EQ(saved_hashes.size(), new_static_domain_state.pkp.spki_hashes.size()); for (size_t i = 0; i < saved_hashes.size(); ++i) { @@ -630,7 +628,7 @@ TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPMaxAge0) { // Expect the static state to remain unchanged. TransportSecurityState::DomainState new_static_domain_state2; EXPECT_TRUE(state.GetStaticDomainState( - domain, sni_enabled, &new_static_domain_state2)); + domain, &new_static_domain_state2)); EXPECT_EQ(saved_hashes.size(), new_static_domain_state2.pkp.spki_hashes.size()); for (size_t i = 0; i < saved_hashes.size(); ++i) { 
@@ -645,8 +643,8 @@ TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPMaxAge0) { // Expect the exact-matching static policy to continue to apply, even // though dynamic policy has been removed. (This policy may change in the // future, in which case this test must be updated.) - EXPECT_TRUE(state.HasPublicKeyPins(domain, true)); - EXPECT_TRUE(state.ShouldSSLErrorsBeFatal(domain, true)); + EXPECT_TRUE(state.HasPublicKeyPins(domain)); + EXPECT_TRUE(state.ShouldSSLErrorsBeFatal(domain)); std::string failure_log; // Damage the hashes to cause a pin validation failure. new_static_domain_state2.pkp.spki_hashes[0].data()[0] ^= 0x80; @@ -654,7 +652,6 @@ TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPMaxAge0) { const bool is_issued_by_known_root = true; EXPECT_FALSE( state.CheckPublicKeyPins(domain, - true, is_issued_by_known_root, new_static_domain_state2.pkp.spki_hashes, &failure_log)); 
@@ -675,23 +672,21 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) { // Retrieve the DomainState as it is by default, including its known good // pins. - const bool sni_enabled = true; - EXPECT_TRUE(state.GetStaticDomainState(domain, sni_enabled, &domain_state)); + EXPECT_TRUE(state.GetStaticDomainState(domain, &domain_state)); HashValueVector saved_hashes = domain_state.pkp.spki_hashes; EXPECT_TRUE(domain_state.ShouldUpgradeToSSL()); EXPECT_TRUE(domain_state.HasPublicKeyPins()); - EXPECT_TRUE(state.ShouldUpgradeToSSL(domain, sni_enabled)); - EXPECT_TRUE(state.HasPublicKeyPins(domain, sni_enabled)); + EXPECT_TRUE(state.ShouldUpgradeToSSL(domain)); + EXPECT_TRUE(state.HasPublicKeyPins(domain)); // Add a dynamic HSTS header. CheckPublicKeyPins should still pass when given // the original |saved_hashes|, indicating that the static PKP data is still // configured for the domain. EXPECT_TRUE(state.AddHSTSHeader(domain, "includesubdomains; max-age=10000")); - EXPECT_TRUE(state.ShouldUpgradeToSSL(domain, sni_enabled)); + EXPECT_TRUE(state.ShouldUpgradeToSSL(domain)); std::string failure_log; const bool is_issued_by_known_root = true; EXPECT_TRUE(state.CheckPublicKeyPins(domain, - sni_enabled, is_issued_by_known_root, saved_hashes, &failure_log)); @@ -711,11 +706,10 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) { EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info)); // HSTS should still be configured for this domain. EXPECT_TRUE(domain_state.ShouldUpgradeToSSL()); - EXPECT_TRUE(state.ShouldUpgradeToSSL(domain, sni_enabled)); + EXPECT_TRUE(state.ShouldUpgradeToSSL(domain)); // The dynamic pins, which do not match |saved_hashes|, should take // precedence over the static pins and cause the check to fail. EXPECT_FALSE(state.CheckPublicKeyPins(domain, - sni_enabled, is_issued_by_known_root, saved_hashes, &failure_log)); diff --git a/net/http/transport_security_persister_unittest.cc b/net/http/transport_security_persister_unittest.cc index 7de0a44..f4d49f7 100644 
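Review bot: In NoClobberPins (first hunk on this line), the `EXPECT_TRUE(state.CheckPublicKeyPins(domain, is_issued_by_known_root, saved_hashes, &failure_log))` that follows the dynamic HSTS header does not by itself show that the static pins are still enforced. CheckPublicKeyPins in transport_security_state.cc returns true early whenever `HasPublicKeyPins(host)` is false, and HasPublicKeyPins returns the dynamic entry's answer as soon as a dynamic entry exists. If the dynamic HSTS entry carries no pins (not visible from this hunk), the assertion would pass with pinning skipped for the host. Adding `EXPECT_TRUE(state.HasPublicKeyPins(domain));` right after the `AddHSTSHeader` call, or a negative check with a damaged copy of `saved_hashes`, would pin the behaviour the comment describes. The test body starts and ends outside the hunk.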
--- a/net/http/transport_security_persister_unittest.cc +++ b/net/http/transport_security_persister_unittest.cc @@ -57,7 +57,7 @@ TEST_F(TransportSecurityPersisterTest, SerializeData2) { const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); static const char kYahooDomain[] = "yahoo.com"; - EXPECT_FALSE(state_.GetStaticDomainState(kYahooDomain, true, &domain_state)); + EXPECT_FALSE(state_.GetStaticDomainState(kYahooDomain, &domain_state)); EXPECT_FALSE(state_.GetDynamicDomainState(kYahooDomain, &domain_state)); bool include_subdomains = true; @@ -81,7 +81,7 @@ TEST_F(TransportSecurityPersisterTest, SerializeData2) { state_.GetDynamicDomainState("foo.bar.baz.yahoo.com", &domain_state)); EXPECT_EQ(domain_state.sts.upgrade_mode, TransportSecurityState::DomainState::MODE_FORCE_HTTPS); - EXPECT_FALSE(state_.GetStaticDomainState("com", true, &domain_state)); + EXPECT_FALSE(state_.GetStaticDomainState("com", &domain_state)); } TEST_F(TransportSecurityPersisterTest, SerializeData3) { diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc index 79ee302..b00bc57 100644 --- a/net/http/transport_security_state.cc +++ b/net/http/transport_security_state.cc 
@@ -100,22 +100,20 @@ TransportSecurityState::Iterator::Iterator(const TransportSecurityState& state) TransportSecurityState::Iterator::~Iterator() {} -bool TransportSecurityState::ShouldSSLErrorsBeFatal(const std::string& host, - bool sni_enabled) { +bool TransportSecurityState::ShouldSSLErrorsBeFatal(const std::string& host) { DomainState state; - if (GetStaticDomainState(host, sni_enabled, &state)) + if (GetStaticDomainState(host, &state)) return true; return GetDynamicDomainState(host, &state); } -bool TransportSecurityState::ShouldUpgradeToSSL(const std::string& host, - bool sni_enabled) { +bool TransportSecurityState::ShouldUpgradeToSSL(const std::string& host) { DomainState dynamic_state; if (GetDynamicDomainState(host, &dynamic_state)) return dynamic_state.ShouldUpgradeToSSL(); DomainState static_state; - if (GetStaticDomainState(host, sni_enabled, &static_state) && + if (GetStaticDomainState(host, &static_state) && static_state.ShouldUpgradeToSSL()) { return true; } @@ -125,7 +123,6 @@ bool TransportSecurityState::ShouldUpgradeToSSL(const std::string& host, bool TransportSecurityState::CheckPublicKeyPins( const std::string& host, - bool sni_available, bool is_issued_by_known_root, const HashValueVector& public_key_hashes, std::string* pinning_failure_log) { @@ -134,12 +131,12 @@ bool TransportSecurityState::CheckPublicKeyPins( // * the server's certificate chain chains up to a known root (i.e. not a // user-installed trust anchor); and // * the server actually has public key pins. - if (!is_issued_by_known_root || !HasPublicKeyPins(host, sni_available)) { + if (!is_issued_by_known_root || !HasPublicKeyPins(host)) { return true; } bool pins_are_valid = CheckPublicKeyPinsImpl( - host, sni_available, public_key_hashes, pinning_failure_log); + host, public_key_hashes, pinning_failure_log); if (!pins_are_valid) { LOG(ERROR) << *pinning_failure_log; ReportUMAOnPinFailure(host); 
@@ -149,14 +146,13 @@ bool TransportSecurityState::CheckPublicKeyPins( return pins_are_valid; } -bool TransportSecurityState::HasPublicKeyPins(const std::string& host, - bool sni_enabled) { +bool TransportSecurityState::HasPublicKeyPins(const std::string& host) { DomainState dynamic_state; if (GetDynamicDomainState(host, &dynamic_state)) return dynamic_state.HasPublicKeyPins(); DomainState static_state; - if (GetStaticDomainState(host, sni_enabled, &static_state)) { + if (GetStaticDomainState(host, &static_state)) { if (static_state.HasPublicKeyPins()) return true; } @@ -735,23 +731,12 @@ bool TransportSecurityState::AddHPKP(const std::string& host, } // static -bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host, - bool sni_enabled) { +bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host) { std::string canonicalized_host = CanonicalizeHost(host); const struct HSTSPreload* entry = GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS); - if (entry && entry->pins.required_hashes == kGoogleAcceptableCerts) - return true; - - if (sni_enabled) { - entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS, - kNumPreloadedSNISTS); - if (entry && entry->pins.required_hashes == kGoogleAcceptableCerts) - return true; - } - - return false; + return entry && entry->pins.required_hashes == kGoogleAcceptableCerts; } // static @@ -762,11 +747,6 @@ void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) { GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS); if (!entry) { - entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS, - kNumPreloadedSNISTS); - } - - if (!entry) { // We don't care to report pin failures for dynamic pins. return; } 
@@ -788,7 +768,6 @@ bool TransportSecurityState::IsBuildTimely() { bool TransportSecurityState::CheckPublicKeyPinsImpl( const std::string& host, - bool sni_enabled, const HashValueVector& hashes, std::string* failure_log) { DomainState dynamic_state; @@ -796,7 +775,7 @@ bool TransportSecurityState::CheckPublicKeyPinsImpl( return dynamic_state.CheckPublicKeyPins(hashes, failure_log); DomainState static_state; - if (GetStaticDomainState(host, sni_enabled, &static_state)) + if (GetStaticDomainState(host, &static_state)) return static_state.CheckPublicKeyPins(hashes, failure_log); // HasPublicKeyPins should have returned true in order for this method @@ -805,7 +784,6 @@ bool TransportSecurityState::CheckPublicKeyPinsImpl( } bool TransportSecurityState::GetStaticDomainState(const std::string& host, - bool sni_enabled, DomainState* out) const { DCHECK(CalledOnValidThread()); @@ -831,15 +809,6 @@ bool TransportSecurityState::GetStaticDomainState(const std::string& host, &ret)) { return ret; } - if (sni_enabled && is_build_timely && HasPreload(kPreloadedSNISTS, - kNumPreloadedSNISTS, - canonicalized_host, - i, - enable_static_pins_, - out, - &ret)) { - return ret; - } } return false; diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h index 4d49da1..f9e82c7 100644 --- a/net/http/transport_security_state.h +++ b/net/http/transport_security_state.h 
@@ -159,14 +159,13 @@ class NET_EXPORT TransportSecurityState // These functions search for static and dynamic DomainStates, and invoke the // functions of the same name on them. These functions are the primary public // interface; direct access to DomainStates is best left to tests. - bool ShouldSSLErrorsBeFatal(const std::string& host, bool sni_enabled); - bool ShouldUpgradeToSSL(const std::string& host, bool sni_enabled); + bool ShouldSSLErrorsBeFatal(const std::string& host); + bool ShouldUpgradeToSSL(const std::string& host); bool CheckPublicKeyPins(const std::string& host, - bool sni_enabled, bool is_issued_by_known_root, const HashValueVector& hashes, std::string* failure_log); - bool HasPublicKeyPins(const std::string& host, bool sni_enabled); + bool HasPublicKeyPins(const std::string& host); // Assign a |Delegate| for persisting the transport security state. If // |NULL|, state will not be persisted. The caller retains @@ -210,17 +209,12 @@ class NET_EXPORT TransportSecurityState // Returns true and updates |*result| iff there is a static (built-in) // DomainState for |host|. // - // If |sni_enabled| is true, searches the static pins defined for SNI-using - // hosts as well as the rest of the pins. - // // If |host| matches both an exact entry and is a subdomain of another entry, // the exact match determines the return value. // // Note that this method is not const because it opportunistically removes // entries that have expired. - bool GetStaticDomainState(const std::string& host, - bool sni_enabled, - DomainState* result) const; + bool GetStaticDomainState(const std::string& host, DomainState* result) const; // Returns true and updates |*result| iff there is a dynamic DomainState // (learned from HSTS or HPKP headers, or set by the user, or other means) for 
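Review bot: The comment block above GetStaticDomainState (second hunk on this line) still ends with "Note that this method is not const because it opportunistically removes entries that have expired", while the declaration directly below it is `bool GetStaticDomainState(const std::string& host, DomainState* result) const;`. This hunk already edits that block to drop the |sni_enabled| paragraph, so the contradictory sentence should be removed in the same pass. A reader auditing which lookups can mutate pin state would otherwise be misled. It may also help to add one line saying that static entries are now returned regardless of the connection's SNI support, since that is the behavioural change callers need to know about. The class body continues outside the hunk.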
@@ -257,13 +251,9 @@ class NET_EXPORT TransportSecurityState // iff its set of required pins is the set we expect for Google // properties. // - // If |sni_enabled| is true, searches the static pins defined for - // SNI-using hosts as well as the rest of the pins. - // // If |host| matches both an exact entry and is a subdomain of another // entry, the exact match determines the return value. - static bool IsGooglePinnedProperty(const std::string& host, - bool sni_enabled); + static bool IsGooglePinnedProperty(const std::string& host); // The maximum number of seconds for which we'll cache an HSTS request. static const long int kMaxHSTSAgeSecs; @@ -293,7 +283,6 @@ class NET_EXPORT TransportSecurityState // Helper method for actually checking pins. bool CheckPublicKeyPinsImpl(const std::string& host, - bool sni_enabled, const HashValueVector& hashes, std::string* failure_log); diff --git a/net/http/transport_security_state_static.h b/net/http/transport_security_state_static.h index c3f40de..8de890a 100644 --- a/net/http/transport_security_state_static.h +++ b/net/http/transport_security_state_static.h 
@@ -468,6 +468,10 @@ static const struct HSTSPreload kPreloadedSTS[] = { {23, true, "\005" "login" "\004" "corp" "\006" "google" "\003" "com", true, kGooglePins, DOMAIN_GOOGLE_COM }, {17, false, "\004" "play" "\006" "google" "\003" "com", true, kGooglePins, DOMAIN_GOOGLE_COM }, {22, true, "\011" "passwords" "\006" "google" "\003" "com", true, kGooglePins, DOMAIN_GOOGLE_COM }, + {11, false, "\005" "gmail" "\003" "com", true, kGooglePins, DOMAIN_GMAIL_COM }, + {16, false, "\012" "googlemail" "\003" "com", true, kGooglePins, DOMAIN_GOOGLEMAIL_COM }, + {15, false, "\003" "www" "\005" "gmail" "\003" "com", true, kGooglePins, DOMAIN_GMAIL_COM }, + {20, false, "\003" "www" "\012" "googlemail" "\003" "com", true, kGooglePins, DOMAIN_GOOGLEMAIL_COM }, {20, true, "\006" "market" "\007" "android" "\003" "com", true, kGooglePins, DOMAIN_ANDROID_COM }, {26, true, "\003" "ssl" "\020" "google-analytics" "\003" "com", true, kGooglePins, DOMAIN_GOOGLE_ANALYTICS_COM }, {18, true, "\005" "drive" "\006" "google" "\003" "com", true, kGooglePins, DOMAIN_GOOGLE_COM }, @@ -498,6 +502,8 @@ static const struct HSTSPreload kPreloadedSTS[] = { {32, true, "\022" "wf-training-master" "\007" "appspot" "\003" "com", true, kGooglePins, DOMAIN_APPSPOT_COM }, {28, true, "\016" "wf-dogfood-hrd" "\007" "appspot" "\003" "com", true, kGooglePins, DOMAIN_APPSPOT_COM }, {23, true, "\005" "chart" "\004" "apis" "\006" "google" "\003" "com", false, kGooglePins, DOMAIN_GOOGLE_COM }, + {22, true, "\020" "google-analytics" "\003" "com", false, kGooglePins, DOMAIN_GOOGLE_ANALYTICS_COM }, + {18, true, "\014" "googlegroups" "\003" "com", false, kGooglePins, DOMAIN_GOOGLEGROUPS_COM }, {11, true, "\005" "ytimg" "\003" "com", false, kGooglePins, DOMAIN_YTIMG_COM }, {23, true, "\021" "googleusercontent" "\003" "com", false, kGooglePins, DOMAIN_GOOGLEUSERCONTENT_COM }, {13, true, "\007" "youtube" "\003" "com", false, kGooglePins, DOMAIN_YOUTUBE_COM }, 
@@ -1417,6 +1423,10 @@ static const struct HSTSPreload kPreloadedSTS[] = { {17, true, "\014" "tobias-kluge" "\002" "de", true, kNoPins, DOMAIN_NOT_PINNED }, {19, true, "\015" "vortexhobbies" "\003" "com", true, kNoPins, DOMAIN_NOT_PINNED }, {16, true, "\012" "willnorris" "\003" "com", true, kNoPins, DOMAIN_NOT_PINNED }, + {13, true, "\007" "mykolab" "\003" "com", true, kNoPins, DOMAIN_NOT_PINNED }, + {17, true, "\013" "semenkovich" "\003" "com", true, kNoPins, DOMAIN_NOT_PINNED }, + {8, false, "\003" "rme" "\002" "li", true, kNoPins, DOMAIN_NOT_PINNED }, + {12, false, "\003" "www" "\003" "rme" "\002" "li", true, kNoPins, DOMAIN_NOT_PINNED }, {13, true, "\007" "aiticon" "\003" "com", true, kNoPins, DOMAIN_NOT_PINNED }, {12, true, "\007" "aiticon" "\002" "de", true, kNoPins, DOMAIN_NOT_PINNED }, {13, true, "\010" "anetaben" "\002" "nl", true, kNoPins, DOMAIN_NOT_PINNED }, 
@@ -1460,18 +1470,4 @@ static const struct HSTSPreload kPreloadedSTS[] = { }; static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS); -static const struct HSTSPreload kPreloadedSNISTS[] = { - {11, false, "\005" "gmail" "\003" "com", true, kGooglePins, DOMAIN_GMAIL_COM }, - {16, false, "\012" "googlemail" "\003" "com", true, kGooglePins, DOMAIN_GOOGLEMAIL_COM }, - {15, false, "\003" "www" "\005" "gmail" "\003" "com", true, kGooglePins, DOMAIN_GMAIL_COM }, - {20, false, "\003" "www" "\012" "googlemail" "\003" "com", true, kGooglePins, DOMAIN_GOOGLEMAIL_COM }, - {22, true, "\020" "google-analytics" "\003" "com", false, kGooglePins, DOMAIN_GOOGLE_ANALYTICS_COM }, - {18, true, "\014" "googlegroups" "\003" "com", false, kGooglePins, DOMAIN_GOOGLEGROUPS_COM }, - {13, true, "\007" "mykolab" "\003" "com", true, kNoPins, DOMAIN_NOT_PINNED }, - {17, true, "\013" "semenkovich" "\003" "com", true, kNoPins, DOMAIN_NOT_PINNED }, - {8, false, "\003" "rme" "\002" "li", true, kNoPins, DOMAIN_NOT_PINNED }, - {12, false, "\003" "www" "\003" "rme" "\002" "li", true, kNoPins, DOMAIN_NOT_PINNED }, -}; -static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS); - #endif // NET_HTTP_TRANSPORT_SECURITY_STATE_STATIC_H_ diff --git a/net/http/transport_security_state_static.json b/net/http/transport_security_state_static.json index 35ab786..c13b8ca 100644 --- a/net/http/transport_security_state_static.json +++ b/net/http/transport_security_state_static.json 
@@ -218,6 +218,10 @@ { "name": "passwords.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, // Other Google-related domains that must use HTTPS. + { "name": "gmail.com", "mode": "force-https", "pins": "google" }, + { "name": "googlemail.com", "mode": "force-https", "pins": "google" }, + { "name": "www.gmail.com", "mode": "force-https", "pins": "google" }, + { "name": "www.googlemail.com", "mode": "force-https", "pins": "google" }, { "name": "market.android.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, { "name": "ssl.google-analytics.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, { "name": "drive.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, @@ -256,6 +260,8 @@ // Other Google-related domains that must use an acceptable certificate // iff using SSL. + { "name": "google-analytics.com", "include_subdomains": true, "pins": "google" }, + { "name": "googlegroups.com", "include_subdomains": true, "pins": "google" }, { "name": "ytimg.com", "include_subdomains": true, "pins": "google" }, { "name": "googleusercontent.com", "include_subdomains": true, "pins": "google" }, { "name": "youtube.com", "include_subdomains": true, "pins": "google" }, 
@@ -1179,6 +1185,10 @@ { "name": "tobias-kluge.de", "include_subdomains": true, "mode": "force-https" }, { "name": "vortexhobbies.com", "include_subdomains": true, "mode": "force-https" }, { "name": "willnorris.com", "include_subdomains": true, "mode": "force-https" }, + { "name": "mykolab.com", "include_subdomains": true, "mode": "force-https" }, + { "name": "semenkovich.com", "include_subdomains": true, "mode": "force-https" }, + { "name": "rme.li", "mode": "force-https" }, + { "name": "www.rme.li", "mode": "force-https" }, { "name": "aiticon.com", "include_subdomains": true, "mode": "force-https" }, { "name": "aiticon.de", "include_subdomains": true, "mode": "force-https" }, { "name": "anetaben.nl", "include_subdomains": true, "mode": "force-https" }, 
@@ -1218,18 +1228,6 @@ { "name": "mqas.net", "include_subdomains": true, "mode": "force-https" }, { "name": "dlc.viasinc.com", "include_subdomains": true, "mode": "force-https" }, { "name": "www.viasinc.com", "include_subdomains": true, "mode": "force-https" }, - { "name": "viasinc.com", "mode": "force-https" }, - - // Entries that are only valid if the client supports SNI. - { "name": "gmail.com", "mode": "force-https", "pins": "google", "snionly": true }, - { "name": "googlemail.com", "mode": "force-https", "pins": "google", "snionly": true }, - { "name": "www.gmail.com", "mode": "force-https", "pins": "google", "snionly": true }, - { "name": "www.googlemail.com", "mode": "force-https", "pins": "google", "snionly": true }, - { "name": "google-analytics.com", "include_subdomains": true, "pins": "google", "snionly": true }, - { "name": "googlegroups.com", "include_subdomains": true, "pins": "google", "snionly": true }, - { "name": "mykolab.com", "include_subdomains": true, "mode": "force-https", "snionly": true }, - { "name": "semenkovich.com", "include_subdomains": true, "mode": "force-https", "snionly": true }, - { "name": "rme.li", "mode": "force-https", "snionly": true }, - { "name": "www.rme.li", "mode": "force-https", "snionly": true } + { "name": "viasinc.com", "mode": "force-https" } ] } diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc index dfbc753..67e6f91 100644 --- a/net/http/transport_security_state_unittest.cc +++ b/net/http/transport_security_state_unittest.cc @@ -57,9 +57,8 @@ class TransportSecurityStateTest : public testing::Test { protected: bool GetStaticDomainState(TransportSecurityState* state, const std::string& host, - bool sni_enabled, TransportSecurityState::DomainState* result) { - return state->GetStaticDomainState(host, sni_enabled, result); + return state->GetStaticDomainState(host, result); } void EnableHost(TransportSecurityState* state, 
@@ -178,7 +177,7 @@ TEST_F(TransportSecurityStateTest, EnableStaticPins) { EnableStaticPins(&state); EXPECT_TRUE( - state.GetStaticDomainState("chrome.google.com", true, &domain_state)); + state.GetStaticDomainState("chrome.google.com", &domain_state)); EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); } @@ -188,7 +187,7 @@ TEST_F(TransportSecurityStateTest, DisableStaticPins) { DisableStaticPins(&state); EXPECT_TRUE( - state.GetStaticDomainState("chrome.google.com", true, &domain_state)); + state.GetStaticDomainState("chrome.google.com", &domain_state)); EXPECT_TRUE(domain_state.pkp.spki_hashes.empty()); } @@ -204,13 +203,13 @@ TEST_F(TransportSecurityStateTest, IsPreloaded) { TransportSecurityState state; TransportSecurityState::DomainState domain_state; - EXPECT_TRUE(GetStaticDomainState(&state, paypal, true, &domain_state)); - EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, true, &domain_state)); + EXPECT_TRUE(GetStaticDomainState(&state, paypal, &domain_state)); + EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, &domain_state)); EXPECT_FALSE(domain_state.sts.include_subdomains); - EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, true, &domain_state)); - EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, true, &domain_state)); - EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state)); - EXPECT_FALSE(GetStaticDomainState(&state, aypal, true, &domain_state)); + EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, &domain_state)); + EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, &domain_state)); + EXPECT_FALSE(GetStaticDomainState(&state, example, &domain_state)); + EXPECT_FALSE(GetStaticDomainState(&state, aypal, &domain_state)); } TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { 
@@ -220,10 +219,10 @@ TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { // The domain wasn't being set, leading to a blank string in the // chrome://net-internals/#hsts UI. So test that. EXPECT_TRUE( - state.GetStaticDomainState("market.android.com", true, &domain_state)); + state.GetStaticDomainState("market.android.com", &domain_state)); EXPECT_EQ(domain_state.domain, "market.android.com"); EXPECT_TRUE(state.GetStaticDomainState( - "sub.market.android.com", true, &domain_state)); + "sub.market.android.com", &domain_state)); EXPECT_EQ(domain_state.domain, "market.android.com"); } 
@@ -231,35 +230,31 @@ static bool StaticShouldRedirect(const char* hostname) { TransportSecurityState state; TransportSecurityState::DomainState domain_state; return state.GetStaticDomainState( - hostname, true /* SNI ok */, &domain_state) && + hostname, &domain_state) && domain_state.ShouldUpgradeToSSL(); } static bool HasStaticState(const char* hostname) { TransportSecurityState state; TransportSecurityState::DomainState domain_state; - return state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state); + return state.GetStaticDomainState(hostname, &domain_state); } -static bool HasStaticPublicKeyPins(const char* hostname, bool sni_enabled) { +static bool HasStaticPublicKeyPins(const char* hostname) { TransportSecurityState state; TransportSecurityStateTest::EnableStaticPins(&state); TransportSecurityState::DomainState domain_state; - if (!state.GetStaticDomainState(hostname, sni_enabled, &domain_state)) + if (!state.GetStaticDomainState(hostname, &domain_state)) return false; return domain_state.HasPublicKeyPins(); } -static bool HasStaticPublicKeyPins(const char* hostname) { - return HasStaticPublicKeyPins(hostname, true); -} - static bool OnlyPinningInStaticState(const char* hostname) { TransportSecurityState state; TransportSecurityStateTest::EnableStaticPins(&state); TransportSecurityState::DomainState domain_state; - if (!state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state)) + if (!state.GetStaticDomainState(hostname, &domain_state)) return false; return (domain_state.pkp.spki_hashes.size() > 0 || @@ -273,7 +268,7 @@ TEST_F(TransportSecurityStateTest, Preloaded) { // We do more extensive checks for the first domain. EXPECT_TRUE( - state.GetStaticDomainState("www.paypal.com", true, &domain_state)); + state.GetStaticDomainState("www.paypal.com", &domain_state)); EXPECT_EQ(domain_state.sts.upgrade_mode, TransportSecurityState::DomainState::MODE_FORCE_HTTPS); EXPECT_FALSE(domain_state.sts.include_subdomains); 
@@ -313,20 +308,12 @@ TEST_F(TransportSecurityStateTest, Preloaded) { EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com")); EXPECT_TRUE(StaticShouldRedirect("googleplex.com")); EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com")); - EXPECT_FALSE(HasStaticState("m.gmail.com")); - EXPECT_FALSE(HasStaticState("m.googlemail.com")); - - // Tests for domains that don't work without SNI. - EXPECT_FALSE(state.GetStaticDomainState("gmail.com", false, &domain_state)); - EXPECT_FALSE( - state.GetStaticDomainState("www.gmail.com", false, &domain_state)); - EXPECT_FALSE(state.GetStaticDomainState("m.gmail.com", false, &domain_state)); - EXPECT_FALSE( - state.GetStaticDomainState("googlemail.com", false, &domain_state)); - EXPECT_FALSE( - state.GetStaticDomainState("www.googlemail.com", false, &domain_state)); - EXPECT_FALSE( - state.GetStaticDomainState("m.googlemail.com", false, &domain_state)); + + // These domains used to be only HSTS when SNI was available. + EXPECT_TRUE(state.GetStaticDomainState("gmail.com", &domain_state)); + EXPECT_TRUE(state.GetStaticDomainState("www.gmail.com", &domain_state)); + EXPECT_TRUE(state.GetStaticDomainState("googlemail.com", &domain_state)); + EXPECT_TRUE(state.GetStaticDomainState("www.googlemail.com", &domain_state)); // Other hosts: @@ -484,7 +471,7 @@ TEST_F(TransportSecurityStateTest, PreloadedPins) { // We do more extensive checks for the first domain. EXPECT_TRUE( - state.GetStaticDomainState("www.paypal.com", true, &domain_state)); + state.GetStaticDomainState("www.paypal.com", &domain_state)); EXPECT_EQ(domain_state.sts.upgrade_mode, TransportSecurityState::DomainState::MODE_FORCE_HTTPS); EXPECT_FALSE(domain_state.sts.include_subdomains); 
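Review bot: The first hunk on this line removes `EXPECT_FALSE(HasStaticState("m.gmail.com"));` and `EXPECT_FALSE(HasStaticState("m.googlemail.com"));` together with the no-SNI block, but those two assertions did not depend on SNI. They checked that gmail.com and googlemail.com do not cover subdomains. Those entries move into kPreloadedSTS in this commit with the include-subdomains field still `false`, so both lines should be kept next to the new `EXPECT_TRUE(state.GetStaticDomainState("gmail.com", &domain_state));` checks. That guards against the merged entries being widened to subdomains by accident the next time the preload data is regenerated. The test body starts and ends outside the hunk.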
@@ -514,17 +501,14 @@ TEST_F(TransportSecurityStateTest, PreloadedPins) { EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org")); EXPECT_FALSE(HasStaticState("foo.torproject.org")); - EXPECT_TRUE( - state.GetStaticDomainState("torproject.org", false, &domain_state)); + EXPECT_TRUE(state.GetStaticDomainState("torproject.org", &domain_state)); EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); - EXPECT_TRUE( - state.GetStaticDomainState("www.torproject.org", false, &domain_state)); + EXPECT_TRUE(state.GetStaticDomainState("www.torproject.org", &domain_state)); EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); EXPECT_TRUE( - state.GetStaticDomainState("check.torproject.org", false, &domain_state)); + state.GetStaticDomainState("check.torproject.org", &domain_state)); EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); - EXPECT_TRUE( - state.GetStaticDomainState("blog.torproject.org", false, &domain_state)); + EXPECT_TRUE(state.GetStaticDomainState("blog.torproject.org", &domain_state)); EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com")); @@ -537,7 +521,7 @@ TEST_F(TransportSecurityStateTest, LongNames) { "WaveletIdDomainAndBlipBlipid"; TransportSecurityState::DomainState domain_state; // Just checks that we don't hit a NOTREACHED. - EXPECT_FALSE(state.GetStaticDomainState(kLongName, true, &domain_state)); + EXPECT_FALSE(state.GetStaticDomainState(kLongName, &domain_state)); EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state)); } @@ -547,7 +531,7 @@ TEST_F(TransportSecurityStateTest, BuiltinCertPins) { TransportSecurityState::DomainState domain_state; EXPECT_TRUE( - state.GetStaticDomainState("chrome.google.com", true, &domain_state)); + state.GetStaticDomainState("chrome.google.com", &domain_state)); EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com")); HashValueVector hashes; 
@@ -637,7 +621,7 @@ TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) { TransportSecurityState::DomainState domain_state; EXPECT_TRUE( - state.GetStaticDomainState("blog.torproject.org", true, &domain_state)); + state.GetStaticDomainState("blog.torproject.org", &domain_state)); EXPECT_TRUE(domain_state.HasPublicKeyPins()); std::string failure_log; @@ -652,7 +636,6 @@ TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) { EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com")); - EXPECT_FALSE(HasStaticPublicKeyPins("www.google-analytics.com", false)); EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com")); EXPECT_TRUE(HasStaticPublicKeyPins("google.com")); EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com")); @@ -671,7 +654,6 @@ TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) { EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net")); EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net")); EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com")); - EXPECT_FALSE(HasStaticPublicKeyPins("a.googlegroups.com", false)); } TEST_F(TransportSecurityStateTest, OverrideBuiltins) { 
@@ -691,65 +673,65 @@ TEST_F(TransportSecurityStateTest, OverrideBuiltins) { TEST_F(TransportSecurityStateTest, GooglePinnedProperties) { EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( - "www.example.com", true)); + "www.example.com")); EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( - "www.paypal.com", true)); + "www.paypal.com")); EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( - "mail.twitter.com", true)); + "mail.twitter.com")); EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( - "www.google.com.int", true)); + "www.google.com.int")); EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( - "jottit.com", true)); + "jottit.com")); // learn.doubleclick.net has a more specific match than // *.doubleclick.com, and has 0 or NULL for its required certs. // This test ensures that the exact-match-preferred behavior // works. EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( - "learn.doubleclick.net", true)); + "learn.doubleclick.net")); EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( - "encrypted.google.com", true)); + "encrypted.google.com")); EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( - "mail.google.com", true)); + "mail.google.com")); EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( - "accounts.google.com", true)); + "accounts.google.com")); EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( - "doubleclick.net", true)); + "doubleclick.net")); EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( - "ad.doubleclick.net", true)); + "ad.doubleclick.net")); EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( - "youtube.com", true)); + "youtube.com")); EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( - "www.profiles.google.com", true)); + "www.profiles.google.com")); EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( - "checkout.google.com", true)); + "checkout.google.com")); 
EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( - "googleadservices.com", true)); + "googleadservices.com")); - // Test with sni_enabled false: EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( - "www.example.com", false)); + "www.example.com")); EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( - "www.paypal.com", false)); + "www.paypal.com")); EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( - "checkout.google.com", false)); + "checkout.google.com")); EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( - "googleadservices.com", false)); + "googleadservices.com")); // Test some SNI hosts: EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( - "gmail.com", true)); + "gmail.com")); EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( - "googlegroups.com", true)); + "googlegroups.com")); EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( - "www.googlegroups.com", true)); - // Expect to fail for SNI hosts when not searching the SNI list: - EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( - "gmail.com", false)); - EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( - "googlegroups.com", false)); - EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( - "www.googlegroups.com", false)); + "www.googlegroups.com")); + + // These hosts used to only be HSTS when SNI was available. + EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( + "gmail.com")); + EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( + "googlegroups.com")); + EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( + "www.googlegroups.com")); } } // namespace net |
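Review bot: With the `sni_enabled` argument gone, the tail of GooglePinnedProperties repeats assertions made earlier in the same test. The four calls left where `// Test with sni_enabled false:` was removed (www.example.com, www.paypal.com, checkout.google.com, googleadservices.com) are now identical to ones above them. The new block under `// These hosts used to only be HSTS when SNI was available.` re-checks gmail.com, googlegroups.com and www.googlegroups.com exactly as the `// Test some SNI hosts:` block directly before it does. The duplicates add no coverage and can be dropped, leaving one block for those three hosts. The new comment also says HSTS while the assertions are about `IsGooglePinnedProperty`; on the surviving block, `// These hosts were only treated as pinned when SNI was available.` would match what is tested.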