summaryrefslogtreecommitdiffstats
path: root/net/base/ssl_false_start_blacklist.h
blob: d0b10e2e53146e8d04c00029a01da2fcbe0bd325 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
// Copyright (c) 2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_BASE_SSL_FALSE_START_BLACKLIST_H_
#define NET_BASE_SSL_FALSE_START_BLACKLIST_H_

#include "base/basictypes.h"

namespace net {

// SSLFalseStartBlacklist is a set of domains which we believe to be intolerant
// to TLS False Start. Because this set is several hundred long, it's
// precompiled by the code in ssl_false_start_blacklist_process.cc into a hash
// table for fast lookups.
class SSLFalseStartBlacklist {
 public:
  // IsMember returns true if the given host is in the blacklist.
  //   host: a DNS name in dotted form (i.e. "www.example.com")
  static bool IsMember(const char* host);

  // Hash returns the modified djb2 hash of the given string.
  static unsigned Hash(const char* str) {
    // This is inline because the code which generates the hash table needs to
    // use it. However, the generating code cannot link against
    // ssl_false_start_blacklist.cc because that needs the tables which it
    // generates.
    const unsigned char* in = reinterpret_cast<const unsigned char*>(str);
    unsigned hash = 5381;
    unsigned char c;

    while ((c = *in++))
      hash = ((hash << 5) + hash) ^ c;
    return hash;
  }

  // LastTwoLabels returns a pointer within |host| to the last two labels of
  // |host|. For example, if |host| is "a.b.c.d" then LastTwoLabels will return
  // "c.d".
  //   host: a DNS name in dotted form.
  //   returns: NULL on error, otherwise a pointer inside |host|.
  static const char* LastTwoLabels(const char* host) {
    // See comment in |Hash| for why this function is inline.
    const size_t len = strlen(host);
    if (len == 0)
      return NULL;

    unsigned dots_found = 0;
    size_t i;
    for (i = len - 1; i < len; i--) {
      if (host[i] == '.') {
        dots_found++;
        if (dots_found == 2) {
          i++;
          break;
        }
      }
    }

    if (i > len)
      i = 0;

    if (dots_found == 0)
      return NULL;  // no names with less than two labels are in the blacklist.
    if (dots_found == 1) {
      if (host[0] == '.')
        return NULL;  // ditto
    }

    return &host[i];
  }

  // This is the number of buckets in the blacklist hash table. (Must be a
  // power of two).
  static const unsigned kBuckets = 128;

 private:
  // The following two members are defined in
  // ssl_false_start_blacklist_data.cc, which is generated by
  // ssl_false_start_blacklist_process.cc

  // kHashTable contains an offset into |kHashData| for each bucket. The
  // additional element at the end contains the length of |kHashData|.
  static const uint32 kHashTable[kBuckets + 1];
  // kHashData contains the contents of the hash table. |kHashTable| indexes
  // into this array. Each bucket consists of zero or more, 8-bit length
  // prefixed strings. Each string is a DNS name in dotted form. For a given
  // string x, x and *.x are considered to be in the blacklist. In order to
  // assign a string to a hash bucket, the last two labels (not including the
  // root label) are hashed. Thus, the bucket for "www.example.com" is
  // Hash("example.com"). No names that are less than two labels long are
  // included in the blacklist.
  static const char kHashData[];
};

}  // namespace net

#endif  // NET_BASE_SSL_FALSE_START_BLACKLIST_H_