path: root/chrome/browser/net/packed_ct_ev_whitelist.cc
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "chrome/browser/net/packed_ct_ev_whitelist.h"

#include <string.h>

#include <algorithm>

#include "base/big_endian.h"
#include "base/files/file_util.h"
#include "base/lazy_instance.h"
#include "base/logging.h"
#include "chrome/browser/net/bit_stream_reader.h"
#include "content/public/browser/browser_thread.h"
#include "net/ssl/ssl_config_service.h"

namespace {
// Each whitelist entry is a 64-bit (8-byte) hash value.
const uint8_t kCertHashLength = 8;
const uint8_t kCertHashLengthBits = kCertHashLength * 8;  // 64 bits
// Width in bits of the Golomb remainder; the coding parameter M is 2^47.
const uint64_t kGolombMParameterBits = 47;

// Installs |new_whitelist| as the EV certs whitelist of the SSL config
// service. SetEVCertsWhitelist() in this file posts this function to the IO
// thread, and only after the whitelist has passed its IsValid() check.
void SetEVWhitelistInSSLConfigService(
    const scoped_refptr<net::ct::EVCertsWhitelist>& new_whitelist) {
  VLOG(1) << "Setting new EV Certs whitelist.";
  net::SSLConfigService::SetEVCertsWhitelist(new_whitelist);
}

// bsearch()-style three-way comparison of two uint64_t hashes passed by
// address. Returns -1, 0 or 1 when the first is less than, equal to or
// greater than the second. Comparing explicitly (rather than subtracting)
// keeps the result correct across the full 64-bit range.
int TruncatedHashesComparator(const void* v1, const void* v2) {
  const uint64_t lhs = *static_cast<const uint64_t*>(v1);
  const uint64_t rhs = *static_cast<const uint64_t*>(v2);
  if (lhs == rhs)
    return 0;
  return lhs < rhs ? -1 : 1;
}
}  // namespace

// Hands |whitelist| over to the SSL config service on the IO thread.
// A whitelist that reports itself as invalid is dropped here, so the
// previously installed whitelist (if any) is left untouched.
// NOTE(review): |whitelist| is dereferenced without a null check; callers
// presumably never pass an empty scoped_refptr - confirm.
void SetEVCertsWhitelist(scoped_refptr<net::ct::EVCertsWhitelist> whitelist) {
  const bool usable = whitelist->IsValid();
  if (!usable) {
    VLOG(1) << "EV Certs whitelist is not valid, not setting.";
    return;
  }

  content::BrowserThread::PostTask(
      content::BrowserThread::IO,
      FROM_HERE,
      base::Bind(SetEVWhitelistInSSLConfigService, whitelist));
}

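// Decodes |compressed_whitelist| into a list of 64-bit hashes.
//
// Layout, as read below: the first hash is stored verbatim in
// kCertHashLengthBits bits. Every following entry is the Golomb-coded
// difference to the previous hash: a unary-encoded quotient followed by a
// kGolombMParameterBits-bit remainder. Decoding stops once no more than
// kGolombMParameterBits bits remain; any such trailing bits are ignored.
//
// Returns true and swaps the decoded hashes into |uncompressed_list| on
// success. Returns false on truncated or malformed input, in which case
// |uncompressed_list| is left unmodified. |uncompressed_list| must not be
// NULL.
bool PackedEVCertsWhitelist::UncompressEVWhitelist(
    const std::string& compressed_whitelist,
    std::vector<uint64_t>* uncompressed_list) {
  internal::BitStreamReader reader(base::StringPiece(
      compressed_whitelist.data(), compressed_whitelist.size()));
  std::vector<uint64_t> result;

  VLOG(1) << "Uncompressing EV whitelist of size "
          << compressed_whitelist.size();
  uint64_t curr_hash(0);
  if (!reader.ReadBits(kCertHashLengthBits, &curr_hash)) {
    VLOG(1) << "Failed reading first hash.";
    return false;
  }
  result.push_back(curr_hash);
  // M is the tunable parameter used by the Golomb coding.
  static const uint64_t kGolombParameterM = static_cast<uint64_t>(1)
                                            << kGolombMParameterBits;

  while (reader.BitsLeft() > kGolombMParameterBits) {
    uint64_t read_prefix = 0;
    if (!reader.ReadUnaryEncoding(&read_prefix)) {
      VLOG(1) << "Failed reading unary-encoded prefix.";
      return false;
    }
    // Guards the multiplication below: with this bound,
    // read_prefix * M + r (r < M) cannot exceed UINT64_MAX.
    if (read_prefix > (UINT64_MAX / kGolombParameterM)) {
      VLOG(1) << "Received value that would cause overflow: " << read_prefix;
      return false;
    }

    uint64_t r = 0;
    if (!reader.ReadBits(kGolombMParameterBits, &r)) {
      VLOG(1) << "Failed reading " << kGolombMParameterBits << " bits.";
      return false;
    }
    DCHECK_LT(r, kGolombParameterM);

    uint64_t curr_diff = read_prefix * kGolombParameterM + r;
    // The sum itself must not wrap either. A wrapped hash would be smaller
    // than its predecessor, breaking the ascending order that the binary
    // search in ContainsCertificateHash() depends on. Only corrupt input can
    // get here, so reject it instead of accepting an unsorted list.
    if (curr_diff > UINT64_MAX - curr_hash) {
      VLOG(1) << "Hash delta would overflow the running hash value.";
      return false;
    }
    curr_hash += curr_diff;

    result.push_back(curr_hash);
  }

  // Publish only a fully decoded list; on every failure path above the
  // caller's vector has not been touched.
  uncompressed_list->swap(result);
  return true;
}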

// Builds the whitelist from its compressed form and records |version|.
// If decompression fails the whitelist is left empty, which IsValid()
// reports as invalid.
PackedEVCertsWhitelist::PackedEVCertsWhitelist(
    const std::string& compressed_whitelist,
    const base::Version& version)
    : version_(version) {
  const bool unpacked =
      UncompressEVWhitelist(compressed_whitelist, &whitelist_);
  if (!unpacked)
    whitelist_.clear();
}

// Nothing to release explicitly; members clean up after themselves.
PackedEVCertsWhitelist::~PackedEVCertsWhitelist() {}

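// Returns true if the whitelist contains the 64-bit hash whose big-endian
// encoding is the first kCertHashLength bytes of |certificate_hash|.
// Returns false for an input shorter than kCertHashLength bytes and for an
// empty whitelist, so malformed input can never be reported as whitelisted.
bool PackedEVCertsWhitelist::ContainsCertificateHash(
    const std::string& certificate_hash) const {
  DCHECK(!whitelist_.empty());

  // base::ReadBigEndian() reads sizeof(uint64_t) bytes without any length
  // information, so a shorter string must be rejected first to avoid
  // reading past the end of its buffer.
  if (certificate_hash.size() < kCertHashLength)
    return false;
  // DCHECKs are normally compiled out of release builds, and taking
  // &whitelist_[0] of an empty vector is undefined behaviour.
  if (whitelist_.empty())
    return false;

  uint64_t hash_to_lookup = 0;
  base::ReadBigEndian(certificate_hash.data(), &hash_to_lookup);
  // The element stride passed to bsearch() must be the size of the stored
  // type, so derive it from the vector rather than from the hash length.
  return bsearch(&hash_to_lookup,
                 &whitelist_[0],
                 whitelist_.size(),
                 sizeof(whitelist_[0]),
                 TruncatedHashesComparator) != NULL;
}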

// A whitelist is valid when it holds at least one hash. The constructor
// leaves it empty when decompression fails.
bool PackedEVCertsWhitelist::IsValid() const {
  return !whitelist_.empty();
}

// Returns a copy of the version this whitelist was constructed with.
base::Version PackedEVCertsWhitelist::Version() const {
  return version_;
}