Home | History | Annotate | Download | only in http
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "net/http/transport_security_state.h"
      6 
      7 #if defined(USE_OPENSSL)
      8 #include <openssl/ecdsa.h>
      9 #include <openssl/ssl.h>
     10 #else  // !defined(USE_OPENSSL)
     11 #include <cryptohi.h>
     12 #include <hasht.h>
     13 #include <keyhi.h>
     14 #include <nspr.h>
     15 #include <pk11pub.h>
     16 #endif
     17 
     18 #include <algorithm>
     19 
     20 #include "base/base64.h"
     21 #include "base/build_time.h"
     22 #include "base/logging.h"
     23 #include "base/memory/scoped_ptr.h"
     24 #include "base/metrics/histogram.h"
     25 #include "base/sha1.h"
     26 #include "base/strings/string_number_conversions.h"
     27 #include "base/strings/string_util.h"
     28 #include "base/strings/utf_string_conversions.h"
     29 #include "base/time/time.h"
     30 #include "base/values.h"
     31 #include "crypto/sha2.h"
     32 #include "net/base/dns_util.h"
     33 #include "net/cert/x509_cert_types.h"
     34 #include "net/cert/x509_certificate.h"
     35 #include "net/http/http_security_headers.h"
     36 #include "net/ssl/ssl_info.h"
     37 #include "url/gurl.h"
     38 
     39 #if defined(USE_OPENSSL)
     40 #include "crypto/openssl_util.h"
     41 #endif
     42 
     43 namespace net {
     44 
     45 namespace {
     46 
     47 std::string HashesToBase64String(const HashValueVector& hashes) {
     48   std::string str;
     49   for (size_t i = 0; i != hashes.size(); ++i) {
     50     if (i != 0)
     51       str += ",";
     52     str += hashes[i].ToString();
     53   }
     54   return str;
     55 }
     56 
     57 std::string HashHost(const std::string& canonicalized_host) {
     58   char hashed[crypto::kSHA256Length];
     59   crypto::SHA256HashString(canonicalized_host, hashed, sizeof(hashed));
     60   return std::string(hashed, sizeof(hashed));
     61 }
     62 
     63 // Returns true if the intersection of |a| and |b| is not empty. If either
     64 // |a| or |b| is empty, returns false.
     65 bool HashesIntersect(const HashValueVector& a,
     66                      const HashValueVector& b) {
     67   for (HashValueVector::const_iterator i = a.begin(); i != a.end(); ++i) {
     68     HashValueVector::const_iterator j =
     69         std::find_if(b.begin(), b.end(), HashValuesEqual(*i));
     70     if (j != b.end())
     71       return true;
     72   }
     73   return false;
     74 }
     75 
     76 bool AddHash(const char* sha1_hash,
     77              HashValueVector* out) {
     78   HashValue hash(HASH_VALUE_SHA1);
     79   memcpy(hash.data(), sha1_hash, hash.size());
     80   out->push_back(hash);
     81   return true;
     82 }
     83 
     84 }  // namespace
     85 
     86 TransportSecurityState::TransportSecurityState()
     87   : delegate_(NULL) {
     88   DCHECK(CalledOnValidThread());
     89 }
     90 
     91 TransportSecurityState::Iterator::Iterator(const TransportSecurityState& state)
     92     : iterator_(state.enabled_hosts_.begin()),
     93       end_(state.enabled_hosts_.end()) {
     94 }
     95 
     96 TransportSecurityState::Iterator::~Iterator() {}
     97 
     98 void TransportSecurityState::SetDelegate(
     99     TransportSecurityState::Delegate* delegate) {
    100   DCHECK(CalledOnValidThread());
    101   delegate_ = delegate;
    102 }
    103 
    104 void TransportSecurityState::EnableHost(const std::string& host,
    105                                         const DomainState& state) {
    106   DCHECK(CalledOnValidThread());
    107 
    108   const std::string canonicalized_host = CanonicalizeHost(host);
    109   if (canonicalized_host.empty())
    110     return;
    111 
    112   DomainState state_copy(state);
    113   // No need to store this value since it is redundant. (|canonicalized_host|
    114   // is the map key.)
    115   state_copy.domain.clear();
    116 
    117   enabled_hosts_[HashHost(canonicalized_host)] = state_copy;
    118   DirtyNotify();
    119 }
    120 
    121 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) {
    122   DCHECK(CalledOnValidThread());
    123 
    124   const std::string canonicalized_host = CanonicalizeHost(host);
    125   if (canonicalized_host.empty())
    126     return false;
    127 
    128   DomainStateMap::iterator i = enabled_hosts_.find(
    129       HashHost(canonicalized_host));
    130   if (i != enabled_hosts_.end()) {
    131     enabled_hosts_.erase(i);
    132     DirtyNotify();
    133     return true;
    134   }
    135   return false;
    136 }
    137 
    138 bool TransportSecurityState::GetDomainState(const std::string& host,
    139                                             bool sni_enabled,
    140                                             DomainState* result) {
    141   DCHECK(CalledOnValidThread());
    142 
    143   DomainState state;
    144   const std::string canonicalized_host = CanonicalizeHost(host);
    145   if (canonicalized_host.empty())
    146     return false;
    147 
    148   bool has_preload = GetStaticDomainState(canonicalized_host, sni_enabled,
    149                                           &state);
    150   std::string canonicalized_preload = CanonicalizeHost(state.domain);
    151   GetDynamicDomainState(host, &state);
    152 
    153   base::Time current_time(base::Time::Now());
    154 
    155   for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
    156     std::string host_sub_chunk(&canonicalized_host[i],
    157                                canonicalized_host.size() - i);
    158     // Exact match of a preload always wins.
    159     if (has_preload && host_sub_chunk == canonicalized_preload) {
    160       *result = state;
    161       return true;
    162     }
    163 
    164     DomainStateMap::iterator j =
    165         enabled_hosts_.find(HashHost(host_sub_chunk));
    166     if (j == enabled_hosts_.end())
    167       continue;
    168 
    169     if (current_time > j->second.upgrade_expiry &&
    170         current_time > j->second.dynamic_spki_hashes_expiry) {
    171       enabled_hosts_.erase(j);
    172       DirtyNotify();
    173       continue;
    174     }
    175 
    176     state = j->second;
    177     state.domain = DNSDomainToString(host_sub_chunk);
    178 
    179     // Succeed if we matched the domain exactly or if subdomain matches are
    180     // allowed.
    181     if (i == 0 || j->second.sts_include_subdomains ||
    182         j->second.pkp_include_subdomains) {
    183       *result = state;
    184       return true;
    185     }
    186 
    187     return false;
    188   }
    189 
    190   return false;
    191 }
    192 
    193 void TransportSecurityState::ClearDynamicData() {
    194   DCHECK(CalledOnValidThread());
    195   enabled_hosts_.clear();
    196 }
    197 
    198 void TransportSecurityState::DeleteAllDynamicDataSince(const base::Time& time) {
    199   DCHECK(CalledOnValidThread());
    200 
    201   bool dirtied = false;
    202 
    203   DomainStateMap::iterator i = enabled_hosts_.begin();
    204   while (i != enabled_hosts_.end()) {
    205     if (i->second.created >= time) {
    206       dirtied = true;
    207       enabled_hosts_.erase(i++);
    208     } else {
    209       i++;
    210     }
    211   }
    212 
    213   if (dirtied)
    214     DirtyNotify();
    215 }
    216 
    217 TransportSecurityState::~TransportSecurityState() {
    218   DCHECK(CalledOnValidThread());
    219 }
    220 
    221 void TransportSecurityState::DirtyNotify() {
    222   DCHECK(CalledOnValidThread());
    223 
    224   if (delegate_)
    225     delegate_->StateIsDirty(this);
    226 }
    227 
    228 // static
    229 std::string TransportSecurityState::CanonicalizeHost(const std::string& host) {
    230   // We cannot perform the operations as detailed in the spec here as |host|
    231   // has already undergone IDN processing before it reached us. Thus, we check
    232   // that there are no invalid characters in the host and lowercase the result.
    233 
    234   std::string new_host;
    235   if (!DNSDomainFromDot(host, &new_host)) {
    236     // DNSDomainFromDot can fail if any label is > 63 bytes or if the whole
    237     // name is >255 bytes. However, search terms can have those properties.
    238     return std::string();
    239   }
    240 
    241   for (size_t i = 0; new_host[i]; i += new_host[i] + 1) {
    242     const unsigned label_length = static_cast<unsigned>(new_host[i]);
    243     if (!label_length)
    244       break;
    245 
    246     for (size_t j = 0; j < label_length; ++j) {
    247       new_host[i + 1 + j] = tolower(new_host[i + 1 + j]);
    248     }
    249   }
    250 
    251   return new_host;
    252 }
    253 
    254 // |ReportUMAOnPinFailure| uses these to report which domain was associated
    255 // with the public key pinning failure.
    256 //
    257 // DO NOT CHANGE THE ORDERING OF THESE NAMES OR REMOVE ANY OF THEM. Add new
    258 // domains at the END of the listing (but before DOMAIN_NUM_EVENTS).
    259 enum SecondLevelDomainName {
    260   DOMAIN_NOT_PINNED,
    261 
    262   DOMAIN_GOOGLE_COM,
    263   DOMAIN_ANDROID_COM,
    264   DOMAIN_GOOGLE_ANALYTICS_COM,
    265   DOMAIN_GOOGLEPLEX_COM,
    266   DOMAIN_YTIMG_COM,
    267   DOMAIN_GOOGLEUSERCONTENT_COM,
    268   DOMAIN_YOUTUBE_COM,
    269   DOMAIN_GOOGLEAPIS_COM,
    270   DOMAIN_GOOGLEADSERVICES_COM,
    271   DOMAIN_GOOGLECODE_COM,
    272   DOMAIN_APPSPOT_COM,
    273   DOMAIN_GOOGLESYNDICATION_COM,
    274   DOMAIN_DOUBLECLICK_NET,
    275   DOMAIN_GSTATIC_COM,
    276   DOMAIN_GMAIL_COM,
    277   DOMAIN_GOOGLEMAIL_COM,
    278   DOMAIN_GOOGLEGROUPS_COM,
    279 
    280   DOMAIN_TORPROJECT_ORG,
    281 
    282   DOMAIN_TWITTER_COM,
    283   DOMAIN_TWIMG_COM,
    284 
    285   DOMAIN_AKAMAIHD_NET,
    286 
    287   DOMAIN_TOR2WEB_ORG,
    288 
    289   DOMAIN_YOUTU_BE,
    290   DOMAIN_GOOGLECOMMERCE_COM,
    291   DOMAIN_URCHIN_COM,
    292   DOMAIN_GOO_GL,
    293   DOMAIN_G_CO,
    294   DOMAIN_GOOGLE_AC,
    295   DOMAIN_GOOGLE_AD,
    296   DOMAIN_GOOGLE_AE,
    297   DOMAIN_GOOGLE_AF,
    298   DOMAIN_GOOGLE_AG,
    299   DOMAIN_GOOGLE_AM,
    300   DOMAIN_GOOGLE_AS,
    301   DOMAIN_GOOGLE_AT,
    302   DOMAIN_GOOGLE_AZ,
    303   DOMAIN_GOOGLE_BA,
    304   DOMAIN_GOOGLE_BE,
    305   DOMAIN_GOOGLE_BF,
    306   DOMAIN_GOOGLE_BG,
    307   DOMAIN_GOOGLE_BI,
    308   DOMAIN_GOOGLE_BJ,
    309   DOMAIN_GOOGLE_BS,
    310   DOMAIN_GOOGLE_BY,
    311   DOMAIN_GOOGLE_CA,
    312   DOMAIN_GOOGLE_CAT,
    313   DOMAIN_GOOGLE_CC,
    314   DOMAIN_GOOGLE_CD,
    315   DOMAIN_GOOGLE_CF,
    316   DOMAIN_GOOGLE_CG,
    317   DOMAIN_GOOGLE_CH,
    318   DOMAIN_GOOGLE_CI,
    319   DOMAIN_GOOGLE_CL,
    320   DOMAIN_GOOGLE_CM,
    321   DOMAIN_GOOGLE_CN,
    322   DOMAIN_CO_AO,
    323   DOMAIN_CO_BW,
    324   DOMAIN_CO_CK,
    325   DOMAIN_CO_CR,
    326   DOMAIN_CO_HU,
    327   DOMAIN_CO_ID,
    328   DOMAIN_CO_IL,
    329   DOMAIN_CO_IM,
    330   DOMAIN_CO_IN,
    331   DOMAIN_CO_JE,
    332   DOMAIN_CO_JP,
    333   DOMAIN_CO_KE,
    334   DOMAIN_CO_KR,
    335   DOMAIN_CO_LS,
    336   DOMAIN_CO_MA,
    337   DOMAIN_CO_MZ,
    338   DOMAIN_CO_NZ,
    339   DOMAIN_CO_TH,
    340   DOMAIN_CO_TZ,
    341   DOMAIN_CO_UG,
    342   DOMAIN_CO_UK,
    343   DOMAIN_CO_UZ,
    344   DOMAIN_CO_VE,
    345   DOMAIN_CO_VI,
    346   DOMAIN_CO_ZA,
    347   DOMAIN_CO_ZM,
    348   DOMAIN_CO_ZW,
    349   DOMAIN_COM_AF,
    350   DOMAIN_COM_AG,
    351   DOMAIN_COM_AI,
    352   DOMAIN_COM_AR,
    353   DOMAIN_COM_AU,
    354   DOMAIN_COM_BD,
    355   DOMAIN_COM_BH,
    356   DOMAIN_COM_BN,
    357   DOMAIN_COM_BO,
    358   DOMAIN_COM_BR,
    359   DOMAIN_COM_BY,
    360   DOMAIN_COM_BZ,
    361   DOMAIN_COM_CN,
    362   DOMAIN_COM_CO,
    363   DOMAIN_COM_CU,
    364   DOMAIN_COM_CY,
    365   DOMAIN_COM_DO,
    366   DOMAIN_COM_EC,
    367   DOMAIN_COM_EG,
    368   DOMAIN_COM_ET,
    369   DOMAIN_COM_FJ,
    370   DOMAIN_COM_GE,
    371   DOMAIN_COM_GH,
    372   DOMAIN_COM_GI,
    373   DOMAIN_COM_GR,
    374   DOMAIN_COM_GT,
    375   DOMAIN_COM_HK,
    376   DOMAIN_COM_IQ,
    377   DOMAIN_COM_JM,
    378   DOMAIN_COM_JO,
    379   DOMAIN_COM_KH,
    380   DOMAIN_COM_KW,
    381   DOMAIN_COM_LB,
    382   DOMAIN_COM_LY,
    383   DOMAIN_COM_MT,
    384   DOMAIN_COM_MX,
    385   DOMAIN_COM_MY,
    386   DOMAIN_COM_NA,
    387   DOMAIN_COM_NF,
    388   DOMAIN_COM_NG,
    389   DOMAIN_COM_NI,
    390   DOMAIN_COM_NP,
    391   DOMAIN_COM_NR,
    392   DOMAIN_COM_OM,
    393   DOMAIN_COM_PA,
    394   DOMAIN_COM_PE,
    395   DOMAIN_COM_PH,
    396   DOMAIN_COM_PK,
    397   DOMAIN_COM_PL,
    398   DOMAIN_COM_PR,
    399   DOMAIN_COM_PY,
    400   DOMAIN_COM_QA,
    401   DOMAIN_COM_RU,
    402   DOMAIN_COM_SA,
    403   DOMAIN_COM_SB,
    404   DOMAIN_COM_SG,
    405   DOMAIN_COM_SL,
    406   DOMAIN_COM_SV,
    407   DOMAIN_COM_TJ,
    408   DOMAIN_COM_TN,
    409   DOMAIN_COM_TR,
    410   DOMAIN_COM_TW,
    411   DOMAIN_COM_UA,
    412   DOMAIN_COM_UY,
    413   DOMAIN_COM_VC,
    414   DOMAIN_COM_VE,
    415   DOMAIN_COM_VN,
    416   DOMAIN_GOOGLE_CV,
    417   DOMAIN_GOOGLE_CZ,
    418   DOMAIN_GOOGLE_DE,
    419   DOMAIN_GOOGLE_DJ,
    420   DOMAIN_GOOGLE_DK,
    421   DOMAIN_GOOGLE_DM,
    422   DOMAIN_GOOGLE_DZ,
    423   DOMAIN_GOOGLE_EE,
    424   DOMAIN_GOOGLE_ES,
    425   DOMAIN_GOOGLE_FI,
    426   DOMAIN_GOOGLE_FM,
    427   DOMAIN_GOOGLE_FR,
    428   DOMAIN_GOOGLE_GA,
    429   DOMAIN_GOOGLE_GE,
    430   DOMAIN_GOOGLE_GG,
    431   DOMAIN_GOOGLE_GL,
    432   DOMAIN_GOOGLE_GM,
    433   DOMAIN_GOOGLE_GP,
    434   DOMAIN_GOOGLE_GR,
    435   DOMAIN_GOOGLE_GY,
    436   DOMAIN_GOOGLE_HK,
    437   DOMAIN_GOOGLE_HN,
    438   DOMAIN_GOOGLE_HR,
    439   DOMAIN_GOOGLE_HT,
    440   DOMAIN_GOOGLE_HU,
    441   DOMAIN_GOOGLE_IE,
    442   DOMAIN_GOOGLE_IM,
    443   DOMAIN_GOOGLE_INFO,
    444   DOMAIN_GOOGLE_IQ,
    445   DOMAIN_GOOGLE_IS,
    446   DOMAIN_GOOGLE_IT,
    447   DOMAIN_IT_AO,
    448   DOMAIN_GOOGLE_JE,
    449   DOMAIN_GOOGLE_JO,
    450   DOMAIN_GOOGLE_JOBS,
    451   DOMAIN_GOOGLE_JP,
    452   DOMAIN_GOOGLE_KG,
    453   DOMAIN_GOOGLE_KI,
    454   DOMAIN_GOOGLE_KZ,
    455   DOMAIN_GOOGLE_LA,
    456   DOMAIN_GOOGLE_LI,
    457   DOMAIN_GOOGLE_LK,
    458   DOMAIN_GOOGLE_LT,
    459   DOMAIN_GOOGLE_LU,
    460   DOMAIN_GOOGLE_LV,
    461   DOMAIN_GOOGLE_MD,
    462   DOMAIN_GOOGLE_ME,
    463   DOMAIN_GOOGLE_MG,
    464   DOMAIN_GOOGLE_MK,
    465   DOMAIN_GOOGLE_ML,
    466   DOMAIN_GOOGLE_MN,
    467   DOMAIN_GOOGLE_MS,
    468   DOMAIN_GOOGLE_MU,
    469   DOMAIN_GOOGLE_MV,
    470   DOMAIN_GOOGLE_MW,
    471   DOMAIN_GOOGLE_NE,
    472   DOMAIN_NE_JP,
    473   DOMAIN_GOOGLE_NET,
    474   DOMAIN_GOOGLE_NL,
    475   DOMAIN_GOOGLE_NO,
    476   DOMAIN_GOOGLE_NR,
    477   DOMAIN_GOOGLE_NU,
    478   DOMAIN_OFF_AI,
    479   DOMAIN_GOOGLE_PK,
    480   DOMAIN_GOOGLE_PL,
    481   DOMAIN_GOOGLE_PN,
    482   DOMAIN_GOOGLE_PS,
    483   DOMAIN_GOOGLE_PT,
    484   DOMAIN_GOOGLE_RO,
    485   DOMAIN_GOOGLE_RS,
    486   DOMAIN_GOOGLE_RU,
    487   DOMAIN_GOOGLE_RW,
    488   DOMAIN_GOOGLE_SC,
    489   DOMAIN_GOOGLE_SE,
    490   DOMAIN_GOOGLE_SH,
    491   DOMAIN_GOOGLE_SI,
    492   DOMAIN_GOOGLE_SK,
    493   DOMAIN_GOOGLE_SM,
    494   DOMAIN_GOOGLE_SN,
    495   DOMAIN_GOOGLE_SO,
    496   DOMAIN_GOOGLE_ST,
    497   DOMAIN_GOOGLE_TD,
    498   DOMAIN_GOOGLE_TG,
    499   DOMAIN_GOOGLE_TK,
    500   DOMAIN_GOOGLE_TL,
    501   DOMAIN_GOOGLE_TM,
    502   DOMAIN_GOOGLE_TN,
    503   DOMAIN_GOOGLE_TO,
    504   DOMAIN_GOOGLE_TP,
    505   DOMAIN_GOOGLE_TT,
    506   DOMAIN_GOOGLE_US,
    507   DOMAIN_GOOGLE_UZ,
    508   DOMAIN_GOOGLE_VG,
    509   DOMAIN_GOOGLE_VU,
    510   DOMAIN_GOOGLE_WS,
    511 
    512   DOMAIN_CHROMIUM_ORG,
    513 
    514   DOMAIN_CRYPTO_CAT,
    515   DOMAIN_LAVABIT_COM,
    516 
    517   DOMAIN_GOOGLETAGMANAGER_COM,
    518 
    519   // Boundary value for UMA_HISTOGRAM_ENUMERATION:
    520   DOMAIN_NUM_EVENTS
    521 };
    522 
    523 // PublicKeyPins contains a number of SubjectPublicKeyInfo hashes for a site.
    524 // The validated certificate chain for the site must not include any of
    525 // |excluded_hashes| and must include one or more of |required_hashes|.
    526 struct PublicKeyPins {
    527   const char* const* required_hashes;
    528   const char* const* excluded_hashes;
    529 };
    530 
    531 struct HSTSPreload {
    532   uint8 length;
    533   bool include_subdomains;
    534   char dns_name[38];
    535   bool https_required;
    536   PublicKeyPins pins;
    537   SecondLevelDomainName second_level_domain_name;
    538 };
    539 
    540 static bool HasPreload(const struct HSTSPreload* entries, size_t num_entries,
    541                        const std::string& canonicalized_host, size_t i,
    542                        TransportSecurityState::DomainState* out, bool* ret) {
    543   for (size_t j = 0; j < num_entries; j++) {
    544     if (entries[j].length == canonicalized_host.size() - i &&
    545         memcmp(entries[j].dns_name, &canonicalized_host[i],
    546                entries[j].length) == 0) {
    547       if (!entries[j].include_subdomains && i != 0) {
    548         *ret = false;
    549       } else {
    550         out->sts_include_subdomains = entries[j].include_subdomains;
    551         out->pkp_include_subdomains = entries[j].include_subdomains;
    552         *ret = true;
    553         if (!entries[j].https_required)
    554           out->upgrade_mode = TransportSecurityState::DomainState::MODE_DEFAULT;
    555         if (entries[j].pins.required_hashes) {
    556           const char* const* sha1_hash = entries[j].pins.required_hashes;
    557           while (*sha1_hash) {
    558             AddHash(*sha1_hash, &out->static_spki_hashes);
    559             sha1_hash++;
    560           }
    561         }
    562         if (entries[j].pins.excluded_hashes) {
    563           const char* const* sha1_hash = entries[j].pins.excluded_hashes;
    564           while (*sha1_hash) {
    565             AddHash(*sha1_hash, &out->bad_static_spki_hashes);
    566             sha1_hash++;
    567           }
    568         }
    569       }
    570       return true;
    571     }
    572   }
    573   return false;
    574 }
    575 
    576 #include "net/http/transport_security_state_static.h"
    577 
    578 // Returns the HSTSPreload entry for the |canonicalized_host| in |entries|,
    579 // or NULL if there is none. Prefers exact hostname matches to those that
    580 // match only because HSTSPreload.include_subdomains is true.
    581 //
    582 // |canonicalized_host| should be the hostname as canonicalized by
    583 // CanonicalizeHost.
    584 static const struct HSTSPreload* GetHSTSPreload(
    585     const std::string& canonicalized_host,
    586     const struct HSTSPreload* entries,
    587     size_t num_entries) {
    588   for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
    589     for (size_t j = 0; j < num_entries; j++) {
    590       const struct HSTSPreload* entry = entries + j;
    591 
    592       if (i != 0 && !entry->include_subdomains)
    593         continue;
    594 
    595       if (entry->length == canonicalized_host.size() - i &&
    596           memcmp(entry->dns_name, &canonicalized_host[i], entry->length) == 0) {
    597         return entry;
    598       }
    599     }
    600   }
    601 
    602   return NULL;
    603 }
    604 
    605 bool TransportSecurityState::AddHSTSHeader(const std::string& host,
    606                                            const std::string& value) {
    607   DCHECK(CalledOnValidThread());
    608 
    609   base::Time now = base::Time::Now();
    610   base::TimeDelta max_age;
    611   TransportSecurityState::DomainState domain_state;
    612   GetDynamicDomainState(host, &domain_state);
    613   if (ParseHSTSHeader(value, &max_age, &domain_state.sts_include_subdomains)) {
    614     // Handle max-age == 0
    615     if (max_age.InSeconds() == 0)
    616       domain_state.upgrade_mode = DomainState::MODE_DEFAULT;
    617     else
    618       domain_state.upgrade_mode = DomainState::MODE_FORCE_HTTPS;
    619     domain_state.created = now;
    620     domain_state.upgrade_expiry = now + max_age;
    621     EnableHost(host, domain_state);
    622     return true;
    623   }
    624   return false;
    625 }
    626 
    627 bool TransportSecurityState::AddHPKPHeader(const std::string& host,
    628                                            const std::string& value,
    629                                            const SSLInfo& ssl_info) {
    630   DCHECK(CalledOnValidThread());
    631 
    632   base::Time now = base::Time::Now();
    633   base::TimeDelta max_age;
    634   TransportSecurityState::DomainState domain_state;
    635   GetDynamicDomainState(host, &domain_state);
    636   if (ParseHPKPHeader(value, ssl_info.public_key_hashes,
    637                       &max_age, &domain_state.pkp_include_subdomains,
    638                       &domain_state.dynamic_spki_hashes)) {
    639     // TODO(palmer): http://crbug.com/243865 handle max-age == 0.
    640     domain_state.created = now;
    641     domain_state.dynamic_spki_hashes_expiry = now + max_age;
    642     EnableHost(host, domain_state);
    643     return true;
    644   }
    645   return false;
    646 }
    647 
    648 bool TransportSecurityState::AddHSTS(const std::string& host,
    649                                      const base::Time& expiry,
    650                                      bool include_subdomains) {
    651   DCHECK(CalledOnValidThread());
    652 
    653   // Copy-and-modify the existing DomainState for this host (if any).
    654   TransportSecurityState::DomainState domain_state;
    655   const std::string canonicalized_host = CanonicalizeHost(host);
    656   const std::string hashed_host = HashHost(canonicalized_host);
    657   DomainStateMap::const_iterator i = enabled_hosts_.find(
    658       hashed_host);
    659   if (i != enabled_hosts_.end())
    660     domain_state = i->second;
    661 
    662   domain_state.created = base::Time::Now();
    663   domain_state.sts_include_subdomains = include_subdomains;
    664   domain_state.upgrade_expiry = expiry;
    665   domain_state.upgrade_mode = DomainState::MODE_FORCE_HTTPS;
    666   EnableHost(host, domain_state);
    667   return true;
    668 }
    669 
    670 bool TransportSecurityState::AddHPKP(const std::string& host,
    671                                      const base::Time& expiry,
    672                                      bool include_subdomains,
    673                                      const HashValueVector& hashes) {
    674   DCHECK(CalledOnValidThread());
    675 
    676   // Copy-and-modify the existing DomainState for this host (if any).
    677   TransportSecurityState::DomainState domain_state;
    678   const std::string canonicalized_host = CanonicalizeHost(host);
    679   const std::string hashed_host = HashHost(canonicalized_host);
    680   DomainStateMap::const_iterator i = enabled_hosts_.find(
    681       hashed_host);
    682   if (i != enabled_hosts_.end())
    683     domain_state = i->second;
    684 
    685   domain_state.created = base::Time::Now();
    686   domain_state.pkp_include_subdomains = include_subdomains;
    687   domain_state.dynamic_spki_hashes_expiry = expiry;
    688   domain_state.dynamic_spki_hashes = hashes;
    689   EnableHost(host, domain_state);
    690   return true;
    691 }
    692 
    693 // static
    694 bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
    695                                                     bool sni_enabled) {
    696   std::string canonicalized_host = CanonicalizeHost(host);
    697   const struct HSTSPreload* entry =
    698       GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
    699 
    700   if (entry && entry->pins.required_hashes == kGoogleAcceptableCerts)
    701     return true;
    702 
    703   if (sni_enabled) {
    704     entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
    705                            kNumPreloadedSNISTS);
    706     if (entry && entry->pins.required_hashes == kGoogleAcceptableCerts)
    707       return true;
    708   }
    709 
    710   return false;
    711 }
    712 
    713 // static
    714 void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) {
    715   std::string canonicalized_host = CanonicalizeHost(host);
    716 
    717   const struct HSTSPreload* entry =
    718       GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
    719 
    720   if (!entry) {
    721     entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
    722                            kNumPreloadedSNISTS);
    723   }
    724 
    725   if (!entry) {
    726     // We don't care to report pin failures for dynamic pins.
    727     return;
    728   }
    729 
    730   DCHECK(entry);
    731   DCHECK(entry->pins.required_hashes);
    732   DCHECK(entry->second_level_domain_name != DOMAIN_NOT_PINNED);
    733 
    734   UMA_HISTOGRAM_ENUMERATION("Net.PublicKeyPinFailureDomain",
    735                             entry->second_level_domain_name, DOMAIN_NUM_EVENTS);
    736 }
    737 
    738 // static
    739 bool TransportSecurityState::IsBuildTimely() {
    740   const base::Time build_time = base::GetBuildTime();
    741   // We consider built-in information to be timely for 10 weeks.
    742   return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
    743 }
    744 
    745 bool TransportSecurityState::GetStaticDomainState(
    746     const std::string& canonicalized_host,
    747     bool sni_enabled,
    748     DomainState* out) {
    749   DCHECK(CalledOnValidThread());
    750 
    751   out->upgrade_mode = DomainState::MODE_FORCE_HTTPS;
    752   out->sts_include_subdomains = false;
    753   out->pkp_include_subdomains = false;
    754 
    755   const bool is_build_timely = IsBuildTimely();
    756 
    757   for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
    758     std::string host_sub_chunk(&canonicalized_host[i],
    759                                canonicalized_host.size() - i);
    760     out->domain = DNSDomainToString(host_sub_chunk);
    761     bool ret;
    762     if (is_build_timely &&
    763         HasPreload(kPreloadedSTS, kNumPreloadedSTS, canonicalized_host, i, out,
    764                    &ret)) {
    765       return ret;
    766     }
    767     if (sni_enabled &&
    768         is_build_timely &&
    769         HasPreload(kPreloadedSNISTS, kNumPreloadedSNISTS, canonicalized_host, i,
    770                    out, &ret)) {
    771       return ret;
    772     }
    773   }
    774 
    775   return false;
    776 }
    777 
    778 bool TransportSecurityState::GetDynamicDomainState(const std::string& host,
    779                                                    DomainState* result) {
    780   DCHECK(CalledOnValidThread());
    781 
    782   DomainState state;
    783   const std::string canonicalized_host = CanonicalizeHost(host);
    784   if (canonicalized_host.empty())
    785     return false;
    786 
    787   base::Time current_time(base::Time::Now());
    788 
    789   for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
    790     std::string host_sub_chunk(&canonicalized_host[i],
    791                                canonicalized_host.size() - i);
    792     DomainStateMap::iterator j =
    793         enabled_hosts_.find(HashHost(host_sub_chunk));
    794     if (j == enabled_hosts_.end())
    795       continue;
    796 
    797     if (current_time > j->second.upgrade_expiry &&
    798         current_time > j->second.dynamic_spki_hashes_expiry) {
    799       enabled_hosts_.erase(j);
    800       DirtyNotify();
    801       continue;
    802     }
    803 
    804     state = j->second;
    805     state.domain = DNSDomainToString(host_sub_chunk);
    806 
    807     // Succeed if we matched the domain exactly or if subdomain matches are
    808     // allowed.
    809     if (i == 0 || j->second.sts_include_subdomains ||
    810         j->second.pkp_include_subdomains) {
    811       *result = state;
    812       return true;
    813     }
    814 
    815     return false;
    816   }
    817 
    818   return false;
    819 }
    820 
    821 
    822 void TransportSecurityState::AddOrUpdateEnabledHosts(
    823     const std::string& hashed_host, const DomainState& state) {
    824   DCHECK(CalledOnValidThread());
    825   enabled_hosts_[hashed_host] = state;
    826 }
    827 
    828 TransportSecurityState::DomainState::DomainState()
    829     : upgrade_mode(MODE_DEFAULT),
    830       created(base::Time::Now()),
    831       sts_include_subdomains(false),
    832       pkp_include_subdomains(false) {
    833 }
    834 
    835 TransportSecurityState::DomainState::~DomainState() {
    836 }
    837 
    838 bool TransportSecurityState::DomainState::CheckPublicKeyPins(
    839     const HashValueVector& hashes) const {
    840   // Validate that hashes is not empty. By the time this code is called (in
    841   // production), that should never happen, but it's good to be defensive.
    842   // And, hashes *can* be empty in some test scenarios.
    843   if (hashes.empty()) {
    844     LOG(ERROR) << "Rejecting empty public key chain for public-key-pinned "
    845                   "domain " << domain;
    846     return false;
    847   }
    848 
    849   if (HashesIntersect(bad_static_spki_hashes, hashes)) {
    850     LOG(ERROR) << "Rejecting public key chain for domain " << domain
    851                << ". Validated chain: " << HashesToBase64String(hashes)
    852                << ", matches one or more bad hashes: "
    853                << HashesToBase64String(bad_static_spki_hashes);
    854     return false;
    855   }
    856 
    857   // If there are no pins, then any valid chain is acceptable.
    858   if (dynamic_spki_hashes.empty() && static_spki_hashes.empty())
    859     return true;
    860 
    861   if (HashesIntersect(dynamic_spki_hashes, hashes) ||
    862       HashesIntersect(static_spki_hashes, hashes)) {
    863     return true;
    864   }
    865 
    866   LOG(ERROR) << "Rejecting public key chain for domain " << domain
    867              << ". Validated chain: " << HashesToBase64String(hashes)
    868              << ", expected: " << HashesToBase64String(dynamic_spki_hashes)
    869              << " or: " << HashesToBase64String(static_spki_hashes);
    870   return false;
    871 }
    872 
    873 bool TransportSecurityState::DomainState::ShouldUpgradeToSSL() const {
    874   return upgrade_mode == MODE_FORCE_HTTPS;
    875 }
    876 
    877 bool TransportSecurityState::DomainState::ShouldSSLErrorsBeFatal() const {
    878   return true;
    879 }
    880 
    881 bool TransportSecurityState::DomainState::HasPublicKeyPins() const {
    882   return static_spki_hashes.size() > 0 ||
    883          bad_static_spki_hashes.size() > 0 ||
    884          dynamic_spki_hashes.size() > 0;
    885 }
    886 
    887 }  // namespace
    888