diff options
| author | unsafe@trevp.net <unsafe@trevp.net@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-01-22 22:06:09 +0000 |
|---|---|---|
| committer | unsafe@trevp.net <unsafe@trevp.net@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-01-22 22:06:09 +0000 |
| commit | 843329e98717e263ae5751323e8716a3f1e9c4f6 (patch) | |
| tree | 136dc64a78731d5fc544826668ff0431c594b10e /net | |
| parent | 9aaee227a933ad08eb3a493aa0e5e0e766eb1329 (diff) | |
| download | chromium_src-843329e98717e263ae5751323e8716a3f1e9c4f6.zip chromium_src-843329e98717e263ae5751323e8716a3f1e9c4f6.tar.gz chromium_src-843329e98717e263ae5751323e8716a3f1e9c4f6.tar.bz2 | |
Renames some DomainState functions for increased clarity.
Updates consumers of DomainState to rely on these functions
instead of relying on GetDomainState() returning true indicating
HSTS semantics, as this would likely become a problem later on
(eg: as DomainState is extended to store non-HSTS data like
HPKP or TACK)
BUG=156152
TBR=thakis
TBR=eroman
Review URL: https://chromiumcodereview.appspot.com/11929019
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@178119 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
| -rw-r--r-- | net/base/transport_security_state.cc | 10 | ||||
| -rw-r--r-- | net/base/transport_security_state.h | 15 | ||||
| -rw-r--r-- | net/base/transport_security_state_unittest.cc | 174 | ||||
| -rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 4 | ||||
| -rw-r--r-- | net/socket_stream/socket_stream.cc | 9 | ||||
| -rw-r--r-- | net/socket_stream/socket_stream_job.cc | 2 | ||||
| -rw-r--r-- | net/url_request/url_request.cc | 2 | ||||
| -rw-r--r-- | net/url_request/url_request_http_job.cc | 6 |
8 files changed, 115 insertions, 107 deletions
diff --git a/net/base/transport_security_state.cc b/net/base/transport_security_state.cc index 0fc9a68..d61c0fb 100644 --- a/net/base/transport_security_state.cc +++ b/net/base/transport_security_state.cc @@ -750,7 +750,7 @@ TransportSecurityState::DomainState::DomainState() TransportSecurityState::DomainState::~DomainState() { } -bool TransportSecurityState::DomainState::IsChainOfPublicKeysPermitted( +bool TransportSecurityState::DomainState::CheckPublicKeyPins( const HashValueVector& hashes) const { // Validate that hashes is not empty. By the time this code is called (in // production), that should never happen, but it's good to be defensive. @@ -785,10 +785,14 @@ bool TransportSecurityState::DomainState::IsChainOfPublicKeysPermitted( return false; } -bool TransportSecurityState::DomainState::ShouldRedirectHTTPToHTTPS() const { +bool TransportSecurityState::DomainState::ShouldUpgradeToSSL() const { return upgrade_mode == MODE_FORCE_HTTPS; } +bool TransportSecurityState::DomainState::ShouldSSLErrorsBeFatal() const { + return true; +} + bool TransportSecurityState::DomainState::Equals( const DomainState& other) const { // TODO(palmer): Implement this @@ -796,7 +800,7 @@ bool TransportSecurityState::DomainState::Equals( return true; } -bool TransportSecurityState::DomainState::HasPins() const { +bool TransportSecurityState::DomainState::HasPublicKeyPins() const { return static_spki_hashes.size() > 0 || bad_static_spki_hashes.size() > 0 || dynamic_spki_hashes.size() > 0; diff --git a/net/base/transport_security_state.h b/net/base/transport_security_state.h index 06fee49..ca9dec4 100644 --- a/net/base/transport_security_state.h +++ b/net/base/transport_security_state.h @@ -77,16 +77,21 @@ class NET_EXPORT TransportSecurityState // // |bad_static_spki_hashes| contains public keys that we don't want to // trust. - bool IsChainOfPublicKeysPermitted(const HashValueVector& hashes) const; + bool CheckPublicKeyPins(const HashValueVector& hashes) const; // Returns true if any of the HashValueVectors |static_spki_hashes|, // |bad_static_spki_hashes|, or |dynamic_spki_hashes| contains any // items. - bool HasPins() const; + bool HasPublicKeyPins() const; - // ShouldRedirectHTTPToHTTPS returns true iff, given the |mode| of this - // DomainState, HTTP requests should be internally redirected to HTTPS. - bool ShouldRedirectHTTPToHTTPS() const; + // ShouldUpgradeToSSL returns true iff, given the |mode| of this + // DomainState, HTTP requests should be internally redirected to HTTPS + // (also if the "ws" WebSocket request should be upgraded to "wss") + bool ShouldUpgradeToSSL() const; + + // ShouldSSLErrorsBeFatal returns true iff HTTPS errors should cause + // hard-fail behavior (e.g. if HSTS is set for the domain) + bool ShouldSSLErrorsBeFatal() const; bool Equals(const DomainState& other) const; diff --git a/net/base/transport_security_state_unittest.cc b/net/base/transport_security_state_unittest.cc index 78c29a5..66f97d6 100644 --- a/net/base/transport_security_state_unittest.cc +++ b/net/base/transport_security_state_unittest.cc @@ -178,7 +178,7 @@ static bool ShouldRedirect(const char* hostname) { TransportSecurityState state; TransportSecurityState::DomainState domain_state; return state.GetDomainState(hostname, true /* SNI ok */, &domain_state) && - domain_state.ShouldRedirectHTTPToHTTPS(); + domain_state.ShouldUpgradeToSSL(); } static bool HasState(const char* hostname) { @@ -187,17 +187,17 @@ static bool HasState(const char* hostname) { return state.GetDomainState(hostname, true /* SNI ok */, &domain_state); } -static bool HasPins(const char* hostname, bool sni_enabled) { +static bool HasPublicKeyPins(const char* hostname, bool sni_enabled) { TransportSecurityState state; TransportSecurityState::DomainState domain_state; if (!state.GetDomainState(hostname, sni_enabled, &domain_state)) return false; - return domain_state.HasPins(); + return domain_state.HasPublicKeyPins(); } -static bool HasPins(const char* hostname) { - return HasPins(hostname, true); +static bool HasPublicKeyPins(const char* hostname) { + return HasPublicKeyPins(hostname, true); } static bool OnlyPinning(const char *hostname) { @@ -209,7 +209,7 @@ static bool OnlyPinning(const char *hostname) { return (domain_state.static_spki_hashes.size() > 0 || domain_state.bad_static_spki_hashes.size() > 0 || domain_state.dynamic_spki_hashes.size() > 0) && - !domain_state.ShouldRedirectHTTPToHTTPS(); + !domain_state.ShouldUpgradeToSSL(); } TEST_F(TransportSecurityStateTest, Preloaded) { @@ -395,10 +395,10 @@ TEST_F(TransportSecurityStateTest, Preloaded) { EXPECT_TRUE(ShouldRedirect("epoxate.com")); EXPECT_FALSE(HasState("foo.epoxate.com")); - EXPECT_TRUE(HasPins("torproject.org")); - EXPECT_TRUE(HasPins("www.torproject.org")); - EXPECT_TRUE(HasPins("check.torproject.org")); - EXPECT_TRUE(HasPins("blog.torproject.org")); + EXPECT_TRUE(HasPublicKeyPins("torproject.org")); + EXPECT_TRUE(HasPublicKeyPins("www.torproject.org")); + EXPECT_TRUE(HasPublicKeyPins("check.torproject.org")); + EXPECT_TRUE(HasPublicKeyPins("blog.torproject.org")); EXPECT_FALSE(HasState("foo.torproject.org")); EXPECT_TRUE(ShouldRedirect("www.moneybookers.com")); @@ -453,7 +453,7 @@ TEST_F(TransportSecurityStateTest, Preloaded) { EXPECT_TRUE(ShouldRedirect("crate.io")); EXPECT_TRUE(ShouldRedirect("foo.crate.io")); - EXPECT_TRUE(HasPins("www.twitter.com")); + EXPECT_TRUE(HasPublicKeyPins("www.twitter.com")); } TEST_F(TransportSecurityStateTest, LongNames) { @@ -471,51 +471,51 @@ TEST_F(TransportSecurityStateTest, BuiltinCertPins) { TransportSecurityState::DomainState domain_state; EXPECT_TRUE(state.GetDomainState("chrome.google.com", true, &domain_state)); - EXPECT_TRUE(HasPins("chrome.google.com")); + EXPECT_TRUE(HasPublicKeyPins("chrome.google.com")); HashValueVector hashes; // Checks that a built-in list does exist. - EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes)); - EXPECT_FALSE(HasPins("www.paypal.com")); - - EXPECT_TRUE(HasPins("docs.google.com")); - EXPECT_TRUE(HasPins("1.docs.google.com")); - EXPECT_TRUE(HasPins("sites.google.com")); - EXPECT_TRUE(HasPins("drive.google.com")); - EXPECT_TRUE(HasPins("spreadsheets.google.com")); - EXPECT_TRUE(HasPins("health.google.com")); - EXPECT_TRUE(HasPins("checkout.google.com")); - EXPECT_TRUE(HasPins("appengine.google.com")); - EXPECT_TRUE(HasPins("market.android.com")); - EXPECT_TRUE(HasPins("encrypted.google.com")); - EXPECT_TRUE(HasPins("accounts.google.com")); - EXPECT_TRUE(HasPins("profiles.google.com")); - EXPECT_TRUE(HasPins("mail.google.com")); - EXPECT_TRUE(HasPins("chatenabled.mail.google.com")); - EXPECT_TRUE(HasPins("talkgadget.google.com")); - EXPECT_TRUE(HasPins("hostedtalkgadget.google.com")); - EXPECT_TRUE(HasPins("talk.google.com")); - EXPECT_TRUE(HasPins("plus.google.com")); - EXPECT_TRUE(HasPins("groups.google.com")); - EXPECT_TRUE(HasPins("apis.google.com")); - - EXPECT_TRUE(HasPins("ssl.gstatic.com")); - EXPECT_FALSE(HasPins("www.gstatic.com")); - EXPECT_TRUE(HasPins("ssl.google-analytics.com")); - EXPECT_TRUE(HasPins("www.googleplex.com")); + EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes)); + EXPECT_FALSE(HasPublicKeyPins("www.paypal.com")); + + EXPECT_TRUE(HasPublicKeyPins("docs.google.com")); + EXPECT_TRUE(HasPublicKeyPins("1.docs.google.com")); + EXPECT_TRUE(HasPublicKeyPins("sites.google.com")); + EXPECT_TRUE(HasPublicKeyPins("drive.google.com")); + EXPECT_TRUE(HasPublicKeyPins("spreadsheets.google.com")); + EXPECT_TRUE(HasPublicKeyPins("health.google.com")); + EXPECT_TRUE(HasPublicKeyPins("checkout.google.com")); + EXPECT_TRUE(HasPublicKeyPins("appengine.google.com")); + EXPECT_TRUE(HasPublicKeyPins("market.android.com")); + EXPECT_TRUE(HasPublicKeyPins("encrypted.google.com")); + EXPECT_TRUE(HasPublicKeyPins("accounts.google.com")); + EXPECT_TRUE(HasPublicKeyPins("profiles.google.com")); + EXPECT_TRUE(HasPublicKeyPins("mail.google.com")); + EXPECT_TRUE(HasPublicKeyPins("chatenabled.mail.google.com")); + EXPECT_TRUE(HasPublicKeyPins("talkgadget.google.com")); + EXPECT_TRUE(HasPublicKeyPins("hostedtalkgadget.google.com")); + EXPECT_TRUE(HasPublicKeyPins("talk.google.com")); + EXPECT_TRUE(HasPublicKeyPins("plus.google.com")); + EXPECT_TRUE(HasPublicKeyPins("groups.google.com")); + EXPECT_TRUE(HasPublicKeyPins("apis.google.com")); + + EXPECT_TRUE(HasPublicKeyPins("ssl.gstatic.com")); + EXPECT_FALSE(HasPublicKeyPins("www.gstatic.com")); + EXPECT_TRUE(HasPublicKeyPins("ssl.google-analytics.com")); + EXPECT_TRUE(HasPublicKeyPins("www.googleplex.com")); // Disabled in order to help track down pinning failures --agl - EXPECT_TRUE(HasPins("twitter.com")); - EXPECT_FALSE(HasPins("foo.twitter.com")); - EXPECT_TRUE(HasPins("www.twitter.com")); - EXPECT_TRUE(HasPins("api.twitter.com")); - EXPECT_TRUE(HasPins("oauth.twitter.com")); - EXPECT_TRUE(HasPins("mobile.twitter.com")); - EXPECT_TRUE(HasPins("dev.twitter.com")); - EXPECT_TRUE(HasPins("business.twitter.com")); - EXPECT_TRUE(HasPins("platform.twitter.com")); - EXPECT_TRUE(HasPins("si0.twimg.com")); - EXPECT_TRUE(HasPins("twimg0-a.akamaihd.net")); + EXPECT_TRUE(HasPublicKeyPins("twitter.com")); + EXPECT_FALSE(HasPublicKeyPins("foo.twitter.com")); + EXPECT_TRUE(HasPublicKeyPins("www.twitter.com")); + EXPECT_TRUE(HasPublicKeyPins("api.twitter.com")); + EXPECT_TRUE(HasPublicKeyPins("oauth.twitter.com")); + EXPECT_TRUE(HasPublicKeyPins("mobile.twitter.com")); + EXPECT_TRUE(HasPublicKeyPins("dev.twitter.com")); + EXPECT_TRUE(HasPublicKeyPins("business.twitter.com")); + EXPECT_TRUE(HasPublicKeyPins("platform.twitter.com")); + EXPECT_TRUE(HasPublicKeyPins("si0.twimg.com")); + EXPECT_TRUE(HasPublicKeyPins("twimg0-a.akamaihd.net")); } static bool AddHash(const std::string& type_and_base64, @@ -559,10 +559,10 @@ TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCerts) { TransportSecurityState state; TransportSecurityState::DomainState domain_state; EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state)); - EXPECT_TRUE(domain_state.HasPins()); + EXPECT_TRUE(domain_state.HasPublicKeyPins()); - EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(good_hashes)); - EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(bad_hashes)); + EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); + EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); } TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) { @@ -595,10 +595,10 @@ TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) { TransportSecurityState state; TransportSecurityState::DomainState domain_state; EXPECT_TRUE(state.GetDomainState("blog.torproject.org", true, &domain_state)); - EXPECT_TRUE(domain_state.HasPins()); + EXPECT_TRUE(domain_state.HasPublicKeyPins()); - EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(good_hashes)); - EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(bad_hashes)); + EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); + EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); } TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) { @@ -624,7 +624,7 @@ TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) { TransportSecurityState state; TransportSecurityState::DomainState domain_state; EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state)); - EXPECT_TRUE(domain_state.HasPins()); + EXPECT_TRUE(domain_state.HasPublicKeyPins()); // The statically-defined pins are all SHA-1, so we add some SHA-256 pins // manually: @@ -637,42 +637,42 @@ TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) { EXPECT_TRUE(AddHash(ee_sha1, &validated_chain)); EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain)); EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain)); - EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(validated_chain)); + EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain)); // Try an all-bad SHA1 chain. validated_chain.clear(); EXPECT_TRUE(AddHash(ee_sha1, &validated_chain)); EXPECT_TRUE(AddHash(trustcenter_sha1, &validated_chain)); EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain)); - EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(validated_chain)); + EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain)); // Try an all-good SHA-256 chain. validated_chain.clear(); EXPECT_TRUE(AddHash(ee_sha256, &validated_chain)); EXPECT_TRUE(AddHash(google_1024_sha256, &validated_chain)); EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain)); - EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(validated_chain)); + EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain)); // Try an all-bad SHA-256 chain. validated_chain.clear(); EXPECT_TRUE(AddHash(ee_sha256, &validated_chain)); EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain)); EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain)); - EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(validated_chain)); + EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain)); // Try a mixed-hash good chain. validated_chain.clear(); EXPECT_TRUE(AddHash(ee_sha256, &validated_chain)); EXPECT_TRUE(AddHash(google_1024_sha1, &validated_chain)); EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain)); - EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(validated_chain)); + EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain)); // Try a mixed-hash bad chain. validated_chain.clear(); EXPECT_TRUE(AddHash(ee_sha1, &validated_chain)); EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain)); EXPECT_TRUE(AddHash(equifax_sha1, &validated_chain)); - EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(validated_chain)); + EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain)); // Try a chain with all good hashes. validated_chain.clear(); @@ -682,7 +682,7 @@ TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) { EXPECT_TRUE(AddHash(ee_sha256, &validated_chain)); EXPECT_TRUE(AddHash(google_1024_sha256, &validated_chain)); EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain)); - EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(validated_chain)); + EXPECT_TRUE(domain_state.CheckPublicKeyPins(validated_chain)); // Try a chain with all bad hashes. validated_chain.clear(); @@ -692,7 +692,7 @@ TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) { EXPECT_TRUE(AddHash(ee_sha256, &validated_chain)); EXPECT_TRUE(AddHash(trustcenter_sha256, &validated_chain)); EXPECT_TRUE(AddHash(equifax_sha256, &validated_chain)); - EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(validated_chain)); + EXPECT_FALSE(domain_state.CheckPublicKeyPins(validated_chain)); } TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) { @@ -701,30 +701,30 @@ TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) { EXPECT_FALSE(ShouldRedirect("www.google-analytics.com")); - EXPECT_FALSE(HasPins("www.google-analytics.com", false)); - EXPECT_TRUE(HasPins("www.google-analytics.com")); - EXPECT_TRUE(HasPins("google.com")); - EXPECT_TRUE(HasPins("www.google.com")); - EXPECT_TRUE(HasPins("mail-attachment.googleusercontent.com")); - EXPECT_TRUE(HasPins("www.youtube.com")); - EXPECT_TRUE(HasPins("i.ytimg.com")); - EXPECT_TRUE(HasPins("googleapis.com")); - EXPECT_TRUE(HasPins("ajax.googleapis.com")); - EXPECT_TRUE(HasPins("googleadservices.com")); - EXPECT_TRUE(HasPins("pagead2.googleadservices.com")); - EXPECT_TRUE(HasPins("googlecode.com")); - EXPECT_TRUE(HasPins("kibbles.googlecode.com")); - EXPECT_TRUE(HasPins("appspot.com")); - EXPECT_TRUE(HasPins("googlesyndication.com")); - EXPECT_TRUE(HasPins("doubleclick.net")); - EXPECT_TRUE(HasPins("ad.doubleclick.net")); - EXPECT_FALSE(HasPins("learn.doubleclick.net")); - EXPECT_TRUE(HasPins("a.googlegroups.com")); - EXPECT_FALSE(HasPins("a.googlegroups.com", false)); + EXPECT_FALSE(HasPublicKeyPins("www.google-analytics.com", false)); + EXPECT_TRUE(HasPublicKeyPins("www.google-analytics.com")); + EXPECT_TRUE(HasPublicKeyPins("google.com")); + EXPECT_TRUE(HasPublicKeyPins("www.google.com")); + EXPECT_TRUE(HasPublicKeyPins("mail-attachment.googleusercontent.com")); + EXPECT_TRUE(HasPublicKeyPins("www.youtube.com")); + EXPECT_TRUE(HasPublicKeyPins("i.ytimg.com")); + EXPECT_TRUE(HasPublicKeyPins("googleapis.com")); + EXPECT_TRUE(HasPublicKeyPins("ajax.googleapis.com")); + EXPECT_TRUE(HasPublicKeyPins("googleadservices.com")); + EXPECT_TRUE(HasPublicKeyPins("pagead2.googleadservices.com")); + EXPECT_TRUE(HasPublicKeyPins("googlecode.com")); + EXPECT_TRUE(HasPublicKeyPins("kibbles.googlecode.com")); + EXPECT_TRUE(HasPublicKeyPins("appspot.com")); + EXPECT_TRUE(HasPublicKeyPins("googlesyndication.com")); + EXPECT_TRUE(HasPublicKeyPins("doubleclick.net")); + EXPECT_TRUE(HasPublicKeyPins("ad.doubleclick.net")); + EXPECT_FALSE(HasPublicKeyPins("learn.doubleclick.net")); + EXPECT_TRUE(HasPublicKeyPins("a.googlegroups.com")); + EXPECT_FALSE(HasPublicKeyPins("a.googlegroups.com", false)); } TEST_F(TransportSecurityStateTest, OverrideBuiltins) { - EXPECT_TRUE(HasPins("google.com")); + EXPECT_TRUE(HasPublicKeyPins("google.com")); EXPECT_FALSE(ShouldRedirect("google.com")); EXPECT_FALSE(ShouldRedirect("www.google.com")); diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index 809dbc5..bdf1a5f0 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -3426,8 +3426,8 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) { TransportSecurityState::DomainState domain_state; if (transport_security_state_->GetDomainState(host, sni_available, &domain_state) && - domain_state.HasPins()) { - if (!domain_state.IsChainOfPublicKeysPermitted( + domain_state.HasPublicKeyPins()) { + if (!domain_state.CheckPublicKeyPins( server_cert_verify_result_.public_key_hashes)) { // Pins are not enforced if the build is too old. if (TransportSecurityState::IsBuildTimely()) { diff --git a/net/socket_stream/socket_stream.cc b/net/socket_stream/socket_stream.cc index 73d5a2b..bf53d17 100644 --- a/net/socket_stream/socket_stream.cc +++ b/net/socket_stream/socket_stream.cc @@ -1260,12 +1260,11 @@ int SocketStream::HandleCertificateError(int result) { TransportSecurityState::DomainState domain_state; DCHECK(context_); - const bool fatal = - context_->transport_security_state() && - context_->transport_security_state()->GetDomainState( - url_.host(), + const bool fatal = context_->transport_security_state() && + context_->transport_security_state()->GetDomainState(url_.host(), SSLConfigService::IsSNIAvailable(context_->ssl_config_service()), - &domain_state); + &domain_state) && + domain_state.ShouldSSLErrorsBeFatal(); delegate_->OnSSLCertificateError(this, ssl_info, fatal); return ERR_IO_PENDING; diff --git a/net/socket_stream/socket_stream_job.cc b/net/socket_stream/socket_stream_job.cc index 106656e..3bbb6b6 100644 --- a/net/socket_stream/socket_stream_job.cc +++ b/net/socket_stream/socket_stream_job.cc @@ -29,7 +29,7 @@ SocketStreamJob* SocketStreamJob::CreateSocketStreamJob( TransportSecurityState::DomainState domain_state; if (url.scheme() == "ws" && sts && sts->GetDomainState( url.host(), SSLConfigService::IsSNIAvailable(ssl), &domain_state) && - domain_state.ShouldRedirectHTTPToHTTPS()) { + domain_state.ShouldUpgradeToSSL()) { url_canon::Replacements<char> replacements; static const char kNewScheme[] = "wss"; replacements.SetScheme(kNewScheme, diff --git a/net/url_request/url_request.cc b/net/url_request/url_request.cc index f642e2b..617dac0 100644 --- a/net/url_request/url_request.cc +++ b/net/url_request/url_request.cc @@ -840,7 +840,7 @@ bool URLRequest::GetHSTSRedirect(GURL* redirect_url) const { url.host(), SSLConfigService::IsSNIAvailable(context()->ssl_config_service()), &domain_state) && - domain_state.ShouldRedirectHTTPToHTTPS()) { + domain_state.ShouldUpgradeToSSL()) { url_canon::Replacements<char> replacements; const char kNewScheme[] = "https"; replacements.SetScheme(kNewScheme, diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc index c950475..b26812d 100644 --- a/net/url_request/url_request_http_job.cc +++ b/net/url_request/url_request_http_job.cc @@ -793,12 +793,12 @@ void URLRequestHttpJob::OnStartCompleted(int result) { TransportSecurityState::DomainState domain_state; const URLRequestContext* context = request_->context(); - const bool fatal = - context->transport_security_state() && + const bool fatal = context->transport_security_state() && context->transport_security_state()->GetDomainState( request_info_.url.host(), SSLConfigService::IsSNIAvailable(context->ssl_config_service()), - &domain_state); + &domain_state) && + domain_state.ShouldSSLErrorsBeFatal(); NotifySSLCertificateError(transaction_->GetResponseInfo()->ssl_info, fatal); } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { NotifyCertificateRequested( |