authorunsafe@trevp.net <unsafe@trevp.net@0039d316-1c4b-4281-b951-d872f2087c98>2013-05-25 13:59:09 +0000
committerunsafe@trevp.net <unsafe@trevp.net@0039d316-1c4b-4281-b951-d872f2087c98>2013-05-25 13:59:09 +0000
commitb4e1f7e0884b5e7f42aa210e16a0de294ddd758c (patch)
tree4d3bedbda5fe19f18f19ce31548aa9a6495fb3af /net
parente9fcf1b5b6d11d68076d96c49a7881359952c047 (diff)
Have HttpSecurityHeaders return the 'raw' max_age for HPKP/HSTS headers, rather than computing the expiration
internally. This makes it easier for the caller to handle the special max-age=0. BUG=156152 R=rsleevi,palmer Review URL: https://chromiumcodereview.appspot.com/15962009 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@202272 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/http/http_security_headers.cc14
-rw-r--r--net/http/http_security_headers.h16
-rw-r--r--net/http/http_security_headers_unittest.cc371
-rw-r--r--net/http/transport_security_state.cc16
4 files changed, 196 insertions, 221 deletions
diff --git a/net/http/http_security_headers.cc b/net/http/http_security_headers.cc
index 4848441..e808713 100644
--- a/net/http/http_security_headers.cc
+++ b/net/http/http_security_headers.cc
@@ -164,9 +164,8 @@ bool ParseAndAppendPin(const std::string& value,
// the UA, the UA MUST ignore the unrecognized directives and if the
// STS header field otherwise satisfies the above requirements (1
// through 4), the UA MUST process the recognized directives.
-bool ParseHSTSHeader(const base::Time& now,
- const std::string& value,
- base::Time* expiry,
+bool ParseHSTSHeader(const std::string& value,
+ base::TimeDelta* max_age,
bool* include_subdomains) {
uint32 max_age_candidate = 0;
bool include_subdomains_candidate = false;
@@ -257,7 +256,7 @@ bool ParseHSTSHeader(const base::Time& now,
case AFTER_MAX_AGE:
case AFTER_INCLUDE_SUBDOMAINS:
case AFTER_UNKNOWN_LABEL:
- *expiry = now + base::TimeDelta::FromSeconds(max_age_candidate);
+ *max_age = base::TimeDelta::FromSeconds(max_age_candidate);
*include_subdomains = include_subdomains_candidate;
return true;
case START:
@@ -274,10 +273,9 @@ bool ParseHSTSHeader(const base::Time& now,
// "Public-Key-Pins" ":"
// "max-age" "=" delta-seconds ";"
// "pin-" algo "=" base64 [ ";" ... ]
-bool ParseHPKPHeader(const base::Time& now,
- const std::string& value,
+bool ParseHPKPHeader(const std::string& value,
const HashValueVector& chain_hashes,
- base::Time* expiry,
+ base::TimeDelta* max_age,
HashValueVector* hashes) {
bool parsed_max_age = false;
uint32 max_age_candidate = 0;
@@ -319,7 +317,7 @@ bool ParseHPKPHeader(const base::Time& now,
if (!IsPinListValid(pins, chain_hashes))
return false;
- *expiry = now + base::TimeDelta::FromSeconds(max_age_candidate);
+ *max_age = base::TimeDelta::FromSeconds(max_age_candidate);
for (HashValueVector::const_iterator i = pins.begin();
i != pins.end(); ++i) {
hashes->push_back(*i);
diff --git a/net/http/http_security_headers.h b/net/http/http_security_headers.h
index bc465e9..fd6632c 100644
--- a/net/http/http_security_headers.h
+++ b/net/http/http_security_headers.h
@@ -19,23 +19,20 @@ namespace net {
const int64 kMaxHSTSAgeSecs = 86400 * 365; // 1 year
// Parses |value| as a Strict-Transport-Security header value. If successful,
-// returns true and sets |*expiry| and |*include_subdomains|.
+// returns true and sets |*max_age| and |*include_subdomains|.
// Otherwise returns false and leaves the output parameters unchanged.
-// Interprets the max-age directive relative to |now|.
//
// value is the right-hand side of:
//
// "Strict-Transport-Security" ":"
// [ directive ] *( ";" [ directive ] )
-bool NET_EXPORT_PRIVATE ParseHSTSHeader(const base::Time& now,
- const std::string& value,
- base::Time* expiry,
+bool NET_EXPORT_PRIVATE ParseHSTSHeader(const std::string& value,
+ base::TimeDelta* max_age,
bool* include_subdomains);
// Parses |value| as a Public-Key-Pins header value. If successful,
-// returns true and populates the expiry and hashes values.
+// returns true and populates the |*max_age| and hashes values.
// Otherwise returns false and leaves the output parameters unchanged.
-// Interprets the max-age directive relative to |now|.
//
// value is the right-hand side of:
//
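Review bot: The rewritten comment only says |*max_age| is set; it should spell out the two properties callers now rely on, since the whole point of the change is that the caller interprets the value. A `max-age=0` directive is returned as a zero TimeDelta (the parser no longer decides what zero means), and the ValidSTSHeaders expectations built with `std::min(kMaxHSTSAgeSecs, …)` indicate large values are capped, though the clamp itself is outside these hunks. Suggested line after "Otherwise returns false and leaves the output parameters unchanged.": `// |*max_age| is the raw max-age value: max-age=0 yields a zero TimeDelta, and larger values are capped at kMaxHSTSAgeSecs.` The same sentence belongs in the ParseHPKPHeader comment in the next hunk.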
@@ -49,10 +46,9 @@ bool NET_EXPORT_PRIVATE ParseHSTSHeader(const base::Time& now,
// (as specified by the chain_hashes) parameter. In addition, there MUST
// be at least one key hash which does NOT match the site's SSL certificate
// chain (this is the "backup pin").
-bool NET_EXPORT_PRIVATE ParseHPKPHeader(const base::Time& now,
- const std::string& value,
+bool NET_EXPORT_PRIVATE ParseHPKPHeader(const std::string& value,
const HashValueVector& chain_hashes,
- base::Time* expiry,
+ base::TimeDelta* max_age,
HashValueVector* hashes);
} // namespace net
diff --git a/net/http/http_security_headers_unittest.cc b/net/http/http_security_headers_unittest.cc
index f9a1c1f..0dd286b 100644
--- a/net/http/http_security_headers_unittest.cc
+++ b/net/http/http_security_headers_unittest.cc
@@ -47,83 +47,78 @@ class HttpSecurityHeadersTest : public testing::Test {
TEST_F(HttpSecurityHeadersTest, BogusHeaders) {
- base::Time now = base::Time::Now();
- base::Time expiry = now;
+ base::TimeDelta max_age;
bool include_subdomains = false;
EXPECT_FALSE(
- ParseHSTSHeader(now, std::string(), &expiry, &include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, " ", &expiry, &include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "abc", &expiry, &include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, " abc", &expiry, &include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, " abc ", &expiry, &include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "max-age", &expiry, &include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, " max-age", &expiry,
+ ParseHSTSHeader(std::string(), &max_age, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader(" ", &max_age, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader("abc", &max_age, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader(" abc", &max_age, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader(" abc ", &max_age, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader("max-age", &max_age, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader(" max-age", &max_age,
&include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, " max-age ", &expiry,
+ EXPECT_FALSE(ParseHSTSHeader(" max-age ", &max_age,
&include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "max-age=", &expiry, &include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, " max-age=", &expiry,
+ EXPECT_FALSE(ParseHSTSHeader("max-age=", &max_age, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader(" max-age=", &max_age,
&include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, " max-age =", &expiry,
+ EXPECT_FALSE(ParseHSTSHeader(" max-age =", &max_age,
&include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, " max-age= ", &expiry,
+ EXPECT_FALSE(ParseHSTSHeader(" max-age= ", &max_age,
&include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, " max-age = ", &expiry,
+ EXPECT_FALSE(ParseHSTSHeader(" max-age = ", &max_age,
&include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, " max-age = xy", &expiry,
+ EXPECT_FALSE(ParseHSTSHeader(" max-age = xy", &max_age,
&include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, " max-age = 3488a923", &expiry,
+ EXPECT_FALSE(ParseHSTSHeader(" max-age = 3488a923", &max_age,
&include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488a923 ", &expiry,
+ EXPECT_FALSE(ParseHSTSHeader("max-age=3488a923 ", &max_age,
&include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "max-ag=3488923", &expiry,
+ EXPECT_FALSE(ParseHSTSHeader("max-ag=3488923", &max_age,
&include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "max-aged=3488923", &expiry,
+ EXPECT_FALSE(ParseHSTSHeader("max-aged=3488923", &max_age,
&include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "max-age==3488923", &expiry,
+ EXPECT_FALSE(ParseHSTSHeader("max-age==3488923", &max_age,
&include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "amax-age=3488923", &expiry,
+ EXPECT_FALSE(ParseHSTSHeader("amax-age=3488923", &max_age,
&include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "max-age=-3488923", &expiry,
+ EXPECT_FALSE(ParseHSTSHeader("max-age=-3488923", &max_age,
&include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923;", &expiry,
+ EXPECT_FALSE(ParseHSTSHeader("max-age=3488923;", &max_age,
&include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923 e", &expiry,
+ EXPECT_FALSE(ParseHSTSHeader("max-age=3488923 e", &max_age,
&include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now,
- "max-age=3488923 includesubdomain",
- &expiry, &include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923includesubdomains",
- &expiry, &include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923=includesubdomains",
- &expiry, &include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923 includesubdomainx",
- &expiry, &include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923 includesubdomain=",
- &expiry, &include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now,
- "max-age=3488923 includesubdomain=true",
- &expiry, &include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923 includesubdomainsx",
- &expiry, &include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now,
- "max-age=3488923 includesubdomains x",
- &expiry, &include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "max-age=34889.23 includesubdomains",
- &expiry, &include_subdomains));
- EXPECT_FALSE(ParseHSTSHeader(now, "max-age=34889 includesubdomains",
- &expiry, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader("max-age=3488923 includesubdomain",
+ &max_age, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader("max-age=3488923includesubdomains",
+ &max_age, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader("max-age=3488923=includesubdomains",
+ &max_age, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader("max-age=3488923 includesubdomainx",
+ &max_age, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader("max-age=3488923 includesubdomain=",
+ &max_age, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader("max-age=3488923 includesubdomain=true",
+ &max_age, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader("max-age=3488923 includesubdomainsx",
+ &max_age, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader("max-age=3488923 includesubdomains x",
+ &max_age, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader("max-age=34889.23 includesubdomains",
+ &max_age, &include_subdomains));
+ EXPECT_FALSE(ParseHSTSHeader("max-age=34889 includesubdomains",
+ &max_age, &include_subdomains));
// Check the out args were not updated by checking the default
// values for its predictable fields.
- EXPECT_EQ(now, expiry);
+ EXPECT_EQ(0, max_age.InSeconds());
EXPECT_FALSE(include_subdomains);
}
static void TestBogusPinsHeaders(HashValueTag tag) {
- base::Time now = base::Time::Now();
- base::Time expiry = now;
+ base::TimeDelta max_age;
HashValueVector hashes;
HashValueVector chain_hashes;
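Review bot: `EXPECT_EQ(0, max_age.InSeconds())` after the bogus-header calls cannot tell "left unchanged" apart from "set to zero", because `max_age` is default-constructed to zero and a zero TimeDelta is now a legitimate parse result (max-age=0). Initialising the out-param to a non-zero sentinel makes the "out args were not updated" check meaningful: `base::TimeDelta max_age = base::TimeDelta::FromSeconds(12345);` with `EXPECT_EQ(12345, max_age.InSeconds());` at the end. The same applies to TestBogusPinsHeaders, whose declaration is in this hunk and whose check is in the next one.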
@@ -137,195 +132,187 @@ static void TestBogusPinsHeaders(HashValueTag tag) {
std::string backup_pin = GetTestPin(4, tag);
EXPECT_FALSE(
- ParseHPKPHeader(now, std::string(), chain_hashes, &expiry, &hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, " ", chain_hashes, &expiry, &hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, "abc", chain_hashes, &expiry, &hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, " abc", chain_hashes, &expiry, &hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, " abc ", chain_hashes, &expiry,
+ ParseHPKPHeader(std::string(), chain_hashes, &max_age, &hashes));
+ EXPECT_FALSE(ParseHPKPHeader(" ", chain_hashes, &max_age, &hashes));
+ EXPECT_FALSE(ParseHPKPHeader("abc", chain_hashes, &max_age, &hashes));
+ EXPECT_FALSE(ParseHPKPHeader(" abc", chain_hashes, &max_age, &hashes));
+ EXPECT_FALSE(ParseHPKPHeader(" abc ", chain_hashes, &max_age,
&hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, "max-age", chain_hashes, &expiry,
+ EXPECT_FALSE(ParseHPKPHeader("max-age", chain_hashes, &max_age,
&hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, " max-age", chain_hashes, &expiry,
+ EXPECT_FALSE(ParseHPKPHeader(" max-age", chain_hashes, &max_age,
&hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, " max-age ", chain_hashes, &expiry,
+ EXPECT_FALSE(ParseHPKPHeader(" max-age ", chain_hashes, &max_age,
&hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, "max-age=", chain_hashes, &expiry,
+ EXPECT_FALSE(ParseHPKPHeader("max-age=", chain_hashes, &max_age,
&hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, " max-age=", chain_hashes, &expiry,
+ EXPECT_FALSE(ParseHPKPHeader(" max-age=", chain_hashes, &max_age,
&hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, " max-age =", chain_hashes, &expiry,
+ EXPECT_FALSE(ParseHPKPHeader(" max-age =", chain_hashes, &max_age,
&hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, " max-age= ", chain_hashes, &expiry,
+ EXPECT_FALSE(ParseHPKPHeader(" max-age= ", chain_hashes, &max_age,
&hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, " max-age = ", chain_hashes,
- &expiry, &hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, " max-age = xy", chain_hashes,
- &expiry, &hashes));
- EXPECT_FALSE(ParseHPKPHeader(now,
- " max-age = 3488a923",
- chain_hashes, &expiry, &hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, "max-age=3488a923 ", chain_hashes,
- &expiry, &hashes));
- EXPECT_FALSE(ParseHPKPHeader(now,
- "max-ag=3488923pins=" + good_pin + "," +
+ EXPECT_FALSE(ParseHPKPHeader(" max-age = ", chain_hashes,
+ &max_age, &hashes));
+ EXPECT_FALSE(ParseHPKPHeader(" max-age = xy", chain_hashes,
+ &max_age, &hashes));
+ EXPECT_FALSE(ParseHPKPHeader(" max-age = 3488a923",
+ chain_hashes, &max_age, &hashes));
+ EXPECT_FALSE(ParseHPKPHeader("max-age=3488a923 ", chain_hashes,
+ &max_age, &hashes));
+ EXPECT_FALSE(ParseHPKPHeader("max-ag=3488923pins=" + good_pin + "," +
backup_pin,
- chain_hashes, &expiry, &hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, "max-aged=3488923" + backup_pin,
- chain_hashes, &expiry, &hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, "max-aged=3488923; " + backup_pin,
- chain_hashes, &expiry, &hashes));
- EXPECT_FALSE(ParseHPKPHeader(now,
- "max-aged=3488923; " + backup_pin + ";" +
+ chain_hashes, &max_age, &hashes));
+ EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923" + backup_pin,
+ chain_hashes, &max_age, &hashes));
+ EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin,
+ chain_hashes, &max_age, &hashes));
+ EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + backup_pin + ";" +
backup_pin,
- chain_hashes, &expiry, &hashes));
- EXPECT_FALSE(ParseHPKPHeader(now,
- "max-aged=3488923; " + good_pin + ";" +
+ chain_hashes, &max_age, &hashes));
+ EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin + ";" +
good_pin,
- chain_hashes, &expiry, &hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, "max-aged=3488923; " + good_pin,
- chain_hashes, &expiry, &hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, "max-age==3488923", chain_hashes, &expiry,
+ chain_hashes, &max_age, &hashes));
+ EXPECT_FALSE(ParseHPKPHeader("max-aged=3488923; " + good_pin,
+ chain_hashes, &max_age, &hashes));
+ EXPECT_FALSE(ParseHPKPHeader("max-age==3488923", chain_hashes, &max_age,
&hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, "amax-age=3488923", chain_hashes, &expiry,
+ EXPECT_FALSE(ParseHPKPHeader("amax-age=3488923", chain_hashes, &max_age,
&hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, "max-age=-3488923", chain_hashes, &expiry,
+ EXPECT_FALSE(ParseHPKPHeader("max-age=-3488923", chain_hashes, &max_age,
&hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, "max-age=3488923;", chain_hashes, &expiry,
+ EXPECT_FALSE(ParseHPKPHeader("max-age=3488923;", chain_hashes, &max_age,
&hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, "max-age=3488923 e", chain_hashes,
- &expiry, &hashes));
- EXPECT_FALSE(ParseHPKPHeader(now,
- "max-age=3488923 includesubdomain",
- chain_hashes, &expiry, &hashes));
- EXPECT_FALSE(ParseHPKPHeader(now, "max-age=34889.23", chain_hashes, &expiry,
+ EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 e", chain_hashes,
+ &max_age, &hashes));
+ EXPECT_FALSE(ParseHPKPHeader("max-age=3488923 includesubdomain",
+ chain_hashes, &max_age, &hashes));
+ EXPECT_FALSE(ParseHPKPHeader("max-age=34889.23", chain_hashes, &max_age,
&hashes));
// Check the out args were not updated by checking the default
// values for its predictable fields.
- EXPECT_EQ(now, expiry);
+ EXPECT_EQ(0, max_age.InSeconds());
EXPECT_EQ(hashes.size(), (size_t)0);
}
TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) {
- base::Time now = base::Time::Now();
- base::Time expiry = now;
- base::Time expect_expiry = now;
+ base::TimeDelta max_age;
+ base::TimeDelta expect_max_age;
bool include_subdomains = false;
- EXPECT_TRUE(ParseHSTSHeader(now, "max-age=243", &expiry,
+ EXPECT_TRUE(ParseHSTSHeader("max-age=243", &max_age,
&include_subdomains));
- expect_expiry = now + base::TimeDelta::FromSeconds(243);
- EXPECT_EQ(expect_expiry, expiry);
+ expect_max_age = base::TimeDelta::FromSeconds(243);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_FALSE(include_subdomains);
- EXPECT_TRUE(ParseHSTSHeader(now, " Max-agE = 567", &expiry,
+ EXPECT_TRUE(ParseHSTSHeader(" Max-agE = 567", &max_age,
&include_subdomains));
- expect_expiry = now + base::TimeDelta::FromSeconds(567);
- EXPECT_EQ(expect_expiry, expiry);
+ expect_max_age = base::TimeDelta::FromSeconds(567);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_FALSE(include_subdomains);
- EXPECT_TRUE(ParseHSTSHeader(now, " mAx-aGe = 890 ", &expiry,
+ EXPECT_TRUE(ParseHSTSHeader(" mAx-aGe = 890 ", &max_age,
&include_subdomains));
- expect_expiry = now + base::TimeDelta::FromSeconds(890);
- EXPECT_EQ(expect_expiry, expiry);
+ expect_max_age = base::TimeDelta::FromSeconds(890);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_FALSE(include_subdomains);
- EXPECT_TRUE(ParseHSTSHeader(now, "max-age=123;incLudesUbdOmains", &expiry,
+ EXPECT_TRUE(ParseHSTSHeader("max-age=123;incLudesUbdOmains", &max_age,
&include_subdomains));
- expect_expiry = now + base::TimeDelta::FromSeconds(123);
- EXPECT_EQ(expect_expiry, expiry);
+ expect_max_age = base::TimeDelta::FromSeconds(123);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(include_subdomains);
- EXPECT_TRUE(ParseHSTSHeader(now, "incLudesUbdOmains; max-age=123", &expiry,
+ EXPECT_TRUE(ParseHSTSHeader("incLudesUbdOmains; max-age=123", &max_age,
&include_subdomains));
- expect_expiry = now + base::TimeDelta::FromSeconds(123);
- EXPECT_EQ(expect_expiry, expiry);
+ expect_max_age = base::TimeDelta::FromSeconds(123);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(include_subdomains);
- EXPECT_TRUE(ParseHSTSHeader(now, " incLudesUbdOmains; max-age=123",
- &expiry, &include_subdomains));
- expect_expiry = now + base::TimeDelta::FromSeconds(123);
- EXPECT_EQ(expect_expiry, expiry);
+ EXPECT_TRUE(ParseHSTSHeader(" incLudesUbdOmains; max-age=123",
+ &max_age, &include_subdomains));
+ expect_max_age = base::TimeDelta::FromSeconds(123);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(include_subdomains);
- EXPECT_TRUE(ParseHSTSHeader(now,
- " incLudesUbdOmains; max-age=123; pumpkin=kitten", &expiry,
+ EXPECT_TRUE(ParseHSTSHeader(
+ " incLudesUbdOmains; max-age=123; pumpkin=kitten", &max_age,
&include_subdomains));
- expect_expiry = now + base::TimeDelta::FromSeconds(123);
- EXPECT_EQ(expect_expiry, expiry);
+ expect_max_age = base::TimeDelta::FromSeconds(123);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(include_subdomains);
- EXPECT_TRUE(ParseHSTSHeader(now,
- " pumpkin=894; incLudesUbdOmains; max-age=123 ", &expiry,
+ EXPECT_TRUE(ParseHSTSHeader(
+ " pumpkin=894; incLudesUbdOmains; max-age=123 ", &max_age,
&include_subdomains));
- expect_expiry = now + base::TimeDelta::FromSeconds(123);
- EXPECT_EQ(expect_expiry, expiry);
+ expect_max_age = base::TimeDelta::FromSeconds(123);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(include_subdomains);
- EXPECT_TRUE(ParseHSTSHeader(now,
- " pumpkin; incLudesUbdOmains; max-age=123 ", &expiry,
+ EXPECT_TRUE(ParseHSTSHeader(
+ " pumpkin; incLudesUbdOmains; max-age=123 ", &max_age,
&include_subdomains));
- expect_expiry = now + base::TimeDelta::FromSeconds(123);
- EXPECT_EQ(expect_expiry, expiry);
+ expect_max_age = base::TimeDelta::FromSeconds(123);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(include_subdomains);
- EXPECT_TRUE(ParseHSTSHeader(now,
- " pumpkin; incLudesUbdOmains; max-age=\"123\" ", &expiry,
+ EXPECT_TRUE(ParseHSTSHeader(
+ " pumpkin; incLudesUbdOmains; max-age=\"123\" ", &max_age,
&include_subdomains));
- expect_expiry = now + base::TimeDelta::FromSeconds(123);
- EXPECT_EQ(expect_expiry, expiry);
+ expect_max_age = base::TimeDelta::FromSeconds(123);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(include_subdomains);
- EXPECT_TRUE(ParseHSTSHeader(now,
+ EXPECT_TRUE(ParseHSTSHeader(
"animal=\"squirrel; distinguished\"; incLudesUbdOmains; max-age=123",
- &expiry, &include_subdomains));
- expect_expiry = now + base::TimeDelta::FromSeconds(123);
- EXPECT_EQ(expect_expiry, expiry);
+ &max_age, &include_subdomains));
+ expect_max_age = base::TimeDelta::FromSeconds(123);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(include_subdomains);
- EXPECT_TRUE(ParseHSTSHeader(now, "max-age=394082; incLudesUbdOmains",
- &expiry, &include_subdomains));
- expect_expiry = now + base::TimeDelta::FromSeconds(394082);
- EXPECT_EQ(expect_expiry, expiry);
+ EXPECT_TRUE(ParseHSTSHeader("max-age=394082; incLudesUbdOmains",
+ &max_age, &include_subdomains));
+ expect_max_age = base::TimeDelta::FromSeconds(394082);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(include_subdomains);
EXPECT_TRUE(ParseHSTSHeader(
- now, "max-age=39408299 ;incLudesUbdOmains", &expiry,
+ "max-age=39408299 ;incLudesUbdOmains", &max_age,
&include_subdomains));
- expect_expiry = now + base::TimeDelta::FromSeconds(
+ expect_max_age = base::TimeDelta::FromSeconds(
std::min(kMaxHSTSAgeSecs, static_cast<int64>(GG_INT64_C(39408299))));
- EXPECT_EQ(expect_expiry, expiry);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(include_subdomains);
EXPECT_TRUE(ParseHSTSHeader(
- now, "max-age=394082038 ; incLudesUbdOmains", &expiry,
+ "max-age=394082038 ; incLudesUbdOmains", &max_age,
&include_subdomains));
- expect_expiry = now + base::TimeDelta::FromSeconds(
+ expect_max_age = base::TimeDelta::FromSeconds(
std::min(kMaxHSTSAgeSecs, static_cast<int64>(GG_INT64_C(394082038))));
- EXPECT_EQ(expect_expiry, expiry);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(include_subdomains);
EXPECT_TRUE(ParseHSTSHeader(
- now, " max-age=0 ; incLudesUbdOmains ", &expiry,
+ " max-age=0 ; incLudesUbdOmains ", &max_age,
&include_subdomains));
- expect_expiry = now + base::TimeDelta::FromSeconds(0);
- EXPECT_EQ(expect_expiry, expiry);
+ expect_max_age = base::TimeDelta::FromSeconds(0);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(include_subdomains);
EXPECT_TRUE(ParseHSTSHeader(
- now,
" max-age=999999999999999999999999999999999999999999999 ;"
- " incLudesUbdOmains ", &expiry, &include_subdomains));
- expect_expiry = now + base::TimeDelta::FromSeconds(
+ " incLudesUbdOmains ", &max_age, &include_subdomains));
+ expect_max_age = base::TimeDelta::FromSeconds(
kMaxHSTSAgeSecs);
- EXPECT_EQ(expect_expiry, expiry);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(include_subdomains);
}
static void TestValidPinsHeaders(HashValueTag tag) {
- base::Time now = base::Time::Now();
- base::Time expiry = now;
- base::Time expect_expiry = now;
+ base::TimeDelta max_age;
+ base::TimeDelta expect_max_age;
HashValueVector hashes;
HashValueVector chain_hashes;
@@ -339,72 +326,62 @@ static void TestValidPinsHeaders(HashValueTag tag) {
std::string backup_pin = GetTestPin(4, tag);
EXPECT_TRUE(ParseHPKPHeader(
- now,
"max-age=243; " + good_pin + ";" + backup_pin,
- chain_hashes, &expiry, &hashes));
- expect_expiry = now + base::TimeDelta::FromSeconds(243);
- EXPECT_EQ(expect_expiry, expiry);
+ chain_hashes, &max_age, &hashes));
+ expect_max_age = base::TimeDelta::FromSeconds(243);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(ParseHPKPHeader(
- now,
" " + good_pin + "; " + backup_pin + " ; Max-agE = 567",
- chain_hashes, &expiry, &hashes));
- expect_expiry = now + base::TimeDelta::FromSeconds(567);
- EXPECT_EQ(expect_expiry, expiry);
+ chain_hashes, &max_age, &hashes));
+ expect_max_age = base::TimeDelta::FromSeconds(567);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(ParseHPKPHeader(
- now,
good_pin + ";" + backup_pin + " ; mAx-aGe = 890 ",
- chain_hashes, &expiry, &hashes));
- expect_expiry = now + base::TimeDelta::FromSeconds(890);
- EXPECT_EQ(expect_expiry, expiry);
+ chain_hashes, &max_age, &hashes));
+ expect_max_age = base::TimeDelta::FromSeconds(890);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(ParseHPKPHeader(
- now,
good_pin + ";" + backup_pin + "; max-age=123;IGNORED;",
- chain_hashes, &expiry, &hashes));
- expect_expiry = now + base::TimeDelta::FromSeconds(123);
- EXPECT_EQ(expect_expiry, expiry);
+ chain_hashes, &max_age, &hashes));
+ expect_max_age = base::TimeDelta::FromSeconds(123);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(ParseHPKPHeader(
- now,
"max-age=394082;" + backup_pin + ";" + good_pin + "; ",
- chain_hashes, &expiry, &hashes));
- expect_expiry = now + base::TimeDelta::FromSeconds(394082);
- EXPECT_EQ(expect_expiry, expiry);
+ chain_hashes, &max_age, &hashes));
+ expect_max_age = base::TimeDelta::FromSeconds(394082);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(ParseHPKPHeader(
- now,
"max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ",
- chain_hashes, &expiry, &hashes));
- expect_expiry = now + base::TimeDelta::FromSeconds(
+ chain_hashes, &max_age, &hashes));
+ expect_max_age = base::TimeDelta::FromSeconds(
std::min(kMaxHSTSAgeSecs, static_cast<int64>(GG_INT64_C(39408299))));
- EXPECT_EQ(expect_expiry, expiry);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(ParseHPKPHeader(
- now,
"max-age=39408038 ; cybers=39408038 ; " +
good_pin + ";" + backup_pin + "; ",
- chain_hashes, &expiry, &hashes));
- expect_expiry = now + base::TimeDelta::FromSeconds(
+ chain_hashes, &max_age, &hashes));
+ expect_max_age = base::TimeDelta::FromSeconds(
std::min(kMaxHSTSAgeSecs, static_cast<int64>(GG_INT64_C(394082038))));
- EXPECT_EQ(expect_expiry, expiry);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(ParseHPKPHeader(
- now,
" max-age=0 ; " + good_pin + ";" + backup_pin,
- chain_hashes, &expiry, &hashes));
- expect_expiry = now + base::TimeDelta::FromSeconds(0);
- EXPECT_EQ(expect_expiry, expiry);
+ chain_hashes, &max_age, &hashes));
+ expect_max_age = base::TimeDelta::FromSeconds(0);
+ EXPECT_EQ(expect_max_age, max_age);
EXPECT_TRUE(ParseHPKPHeader(
- now,
" max-age=999999999999999999999999999999999999999999999 ; " +
backup_pin + ";" + good_pin + "; ",
- chain_hashes, &expiry, &hashes));
- expect_expiry = now +
- base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs);
- EXPECT_EQ(expect_expiry, expiry);
+ chain_hashes, &max_age, &hashes));
+ expect_max_age = base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs);
+ EXPECT_EQ(expect_max_age, max_age);
}
TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) {
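Review bot: The seventh case in TestValidPinsHeaders sends `max-age=39408038` but the expectation on the following lines is built from `GG_INT64_C(394082038)`; the test only passes because both values exceed kMaxHSTSAgeSecs and collapse to the cap. The input line is context rather than new code, but since the expectation line was rewritten here it is worth making the pair consistent — the HSTS counterpart in ValidSTSHeaders uses 394082038 on both sides — e.g. `"max-age=394082038 ; cybers=39408038 ; " +`. As written, the case no longer exercises what it appears to, and a future change to the cap would not be caught by it.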
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index 49ba1c1..bb80f82 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -614,15 +614,16 @@ static const struct HSTSPreload* GetHSTSPreload(
bool TransportSecurityState::AddHSTSHeader(const std::string& host,
const std::string& value) {
base::Time now = base::Time::Now();
+ base::TimeDelta max_age;
TransportSecurityState::DomainState domain_state;
- if (ParseHSTSHeader(now, value, &domain_state.upgrade_expiry,
- &domain_state.include_subdomains)) {
+ if (ParseHSTSHeader(value, &max_age, &domain_state.include_subdomains)) {
// Handle max-age == 0
- if (now == domain_state.upgrade_expiry)
+ if (max_age.InSeconds() == 0)
domain_state.upgrade_mode = DomainState::MODE_DEFAULT;
else
domain_state.upgrade_mode = DomainState::MODE_FORCE_HTTPS;
domain_state.created = now;
+ domain_state.upgrade_expiry = now + max_age;
EnableHost(host, domain_state);
return true;
}
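Review bot: `max_age.InSeconds() == 0` tests the truncated second count rather than the TimeDelta itself, so any sub-second non-zero delta would also be treated as the special max-age=0 case; with the parser building the value via FromSeconds that cannot happen today, but the comparison silently depends on it. Comparing the delta directly, `if (max_age == base::TimeDelta())`, expresses the intent without that dependency. It would also help to extend the one-line comment to say what zero means here: `// max-age == 0 means "stop treating this host as HSTS": store MODE_DEFAULT so the entry expires immediately.`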
@@ -633,11 +634,14 @@ bool TransportSecurityState::AddHPKPHeader(const std::string& host,
const std::string& value,
const SSLInfo& ssl_info) {
base::Time now = base::Time::Now();
+ base::TimeDelta max_age;
TransportSecurityState::DomainState domain_state;
- if (ParseHPKPHeader(now, value, ssl_info.public_key_hashes,
- &domain_state.dynamic_spki_hashes_expiry,
- &domain_state.dynamic_spki_hashes)) {
+ if (ParseHPKPHeader(value, ssl_info.public_key_hashes,
+ &max_age, &domain_state.dynamic_spki_hashes)) {
+ // TODO(palmer): http://crbug.com/243865 handle max-age == 0
+ // and includeSubdomains.
domain_state.created = now;
+ domain_state.dynamic_spki_hashes_expiry = now + max_age;
EnableHost(host, domain_state);
return true;
}