transport_security_state.cc | Explore in Territory

// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifdef UNSAFE_BUFFERS_BUILD
// TODO(crbug.com/40284755): Remove this and spanify to fix the errors.
#pragma allow_unsafe_buffers
#endif

#include "net/http/transport_security_state.h"

#include <algorithm>
#include <cstdint>
#include <memory>
#include <optional>
#include <string_view>
#include <tuple>
#include <utility>
#include <vector>

#include "base/base64.h"
#include "base/build_time.h"
#include "base/containers/contains.h"
#include "base/containers/span.h"
#include "base/feature_list.h"
#include "base/functional/bind.h"
#include "base/json/json_writer.h"
#include "base/logging.h"
#include "base/metrics/field_trial.h"
#include "base/metrics/field_trial_params.h"
#include "base/strings/string_number_conversions.h"
#include "base/strings/string_util.h"
#include "base/strings/stringprintf.h"
#include "base/strings/utf_string_conversions.h"
#include "base/time/time.h"
#include "base/values.h"
#include "build/branding_buildflags.h"
#include "build/build_config.h"
#include "crypto/sha2.h"
#include "net/base/features.h"
#include "net/base/hash_value.h"
#include "net/base/host_port_pair.h"
#include "net/cert/ct_policy_status.h"
#include "net/cert/x509_certificate.h"
#include "net/dns/dns_names_util.h"
#include "net/extras/preload_data/decoder.h"
#include "net/http/http_security_headers.h"
#include "net/net_buildflags.h"
#include "net/ssl/ssl_info.h"

namespace net {

namespace {

#if BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
#include "net/http/transport_security_state_static.h"  // nogncheck
// Points to the active transport security state source.
const TransportSecurityStateSource* const kDefaultHSTSSource = …;
#else
const TransportSecurityStateSource* const kDefaultHSTSSource = nullptr;
#endif

const TransportSecurityStateSource* g_hsts_source = …;

TransportSecurityState::HashedHost HashHost(
    base::span<const uint8_t> canonicalized_host) { … }

// Returns true if the intersection of |a| and |b| is not empty. If either
// |a| or |b| is empty, returns false.
bool HashesIntersect(const HashValueVector& a, const HashValueVector& b) { … }

bool AddHash(const char* sha256_hash, HashValueVector* out) { … }

// Converts |hostname| from dotted form ("www.google.com") to the form
// used in DNS: "\x03www\x06google\x03com", lowercases that, and returns
// the result.
std::vector<uint8_t> CanonicalizeHost(const std::string& host) { … }

// PreloadResult is the result of resolving a specific name in the preloaded
// data.
struct PreloadResult { … };

PreloadDecoder;

// Extracts the current PreloadResult entry from the given Huffman encoded trie.
// If an "end of string" matches a period in the hostname then the information
// is remembered because, if no more specific node is found, then that
// information applies to the hostname.
class HSTSPreloadDecoder : public extras::PreloadDecoder { … };

bool DecodeHSTSPreload(const std::string& search_hostname, PreloadResult* out) { … }

}  // namespace

void SetTransportSecurityStateSourceForTesting(
    const TransportSecurityStateSource* source) { … }

TransportSecurityState::TransportSecurityState()
    : … { … }

TransportSecurityState::TransportSecurityState(
    std::vector<std::string> hsts_host_bypass_list) { … }

// Both HSTS and HPKP cause fatal SSL errors, so return true if a
// host has either.
bool TransportSecurityState::ShouldSSLErrorsBeFatal(const std::string& host) { … }

base::Value::Dict TransportSecurityState::NetLogUpgradeToSSLParam(
    const std::string& host) { … }

SSLUpgradeDecision TransportSecurityState::GetSSLUpgradeDecision(
    const std::string& host,
    const NetLogWithSource& net_log) { … }

bool TransportSecurityState::ShouldUpgradeToSSL(
    const std::string& host,
    const NetLogWithSource& net_log) { … }

TransportSecurityState::PKPStatus TransportSecurityState::CheckPublicKeyPins(
    const HostPortPair& host_port_pair,
    bool is_issued_by_known_root,
    const HashValueVector& public_key_hashes) { … }

bool TransportSecurityState::HasPublicKeyPins(const std::string& host) { … }

TransportSecurityState::CTRequirementsStatus
TransportSecurityState::CheckCTRequirements(
    const HostPortPair& host_port_pair,
    bool is_issued_by_known_root,
    const HashValueVector& public_key_hashes,
    const X509Certificate* validated_certificate_chain,
    ct::CTPolicyCompliance policy_compliance) { … }

void TransportSecurityState::SetDelegate(
    TransportSecurityState::Delegate* delegate) { … }

void TransportSecurityState::SetRequireCTDelegate(RequireCTDelegate* delegate) { … }

void TransportSecurityState::UpdatePinList(
    const std::vector<PinSet>& pinsets,
    const std::vector<PinSetInfo>& host_pins,
    base::Time update_time) { … }

void TransportSecurityState::AddHSTSInternal(
    const std::string& host,
    TransportSecurityState::STSState::UpgradeMode upgrade_mode,
    const base::Time& expiry,
    bool include_subdomains) { … }

void TransportSecurityState::AddHPKPInternal(const std::string& host,
                                             const base::Time& last_observed,
                                             const base::Time& expiry,
                                             bool include_subdomains,
                                             const HashValueVector& hashes) { … }

void TransportSecurityState::
    SetEnablePublicKeyPinningBypassForLocalTrustAnchors(bool value) { … }

TransportSecurityState::PKPStatus TransportSecurityState::CheckPins(
    const HostPortPair& host_port_pair,
    bool is_issued_by_known_root,
    const TransportSecurityState::PKPState& pkp_state,
    const HashValueVector& hashes) { … }

bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) { … }

void TransportSecurityState::ClearDynamicData() { … }

void TransportSecurityState::DeleteAllDynamicDataBetween(
    base::Time start_time,
    base::Time end_time,
    base::OnceClosure callback) { … }

TransportSecurityState::~TransportSecurityState() { … }

void TransportSecurityState::DirtyNotify() { … }

bool TransportSecurityState::AddHSTSHeader(const std::string& host,
                                           const std::string& value) { … }

void TransportSecurityState::AddHSTS(const std::string& host,
                                     const base::Time& expiry,
                                     bool include_subdomains) { … }

void TransportSecurityState::AddHPKP(const std::string& host,
                                     const base::Time& expiry,
                                     bool include_subdomains,
                                     const HashValueVector& hashes) { … }

size_t TransportSecurityState::num_sts_entries() const { … }

// static
bool TransportSecurityState::IsBuildTimely() { … }

TransportSecurityState::PKPStatus
TransportSecurityState::CheckPublicKeyPinsImpl(
    const HostPortPair& host_port_pair,
    bool is_issued_by_known_root,
    const HashValueVector& hashes) { … }

bool TransportSecurityState::GetStaticSTSState(const std::string& host,
                                               STSState* sts_result) const { … }

bool TransportSecurityState::GetStaticPKPState(const std::string& host,
                                               PKPState* pkp_result) const { … }

bool TransportSecurityState::GetSTSState(const std::string& host,
                                         STSState* result) { … }

bool TransportSecurityState::GetPKPState(const std::string& host,
                                         PKPState* result) { … }

bool TransportSecurityState::GetDynamicSTSState(const std::string& host,
                                                STSState* result) { … }

bool TransportSecurityState::GetDynamicPKPState(const std::string& host,
                                                PKPState* result) { … }

void TransportSecurityState::AddOrUpdateEnabledSTSHosts(
    const HashedHost& hashed_host,
    const STSState& state) { … }

TransportSecurityState::STSState::STSState() = default;

TransportSecurityState::STSState::~STSState() = default;

bool TransportSecurityState::STSState::ShouldUpgradeToSSL() const { … }

TransportSecurityState::STSStateIterator::STSStateIterator(
    const TransportSecurityState& state)
    : … { … }

TransportSecurityState::STSStateIterator::~STSStateIterator() = default;

TransportSecurityState::PKPState::PKPState() = default;

TransportSecurityState::PKPState::PKPState(const PKPState& other) = default;

TransportSecurityState::PKPState::~PKPState() = default;

TransportSecurityState::PinSet::PinSet(
    std::string name,
    std::vector<std::vector<uint8_t>> static_spki_hashes,
    std::vector<std::vector<uint8_t>> bad_static_spki_hashes)
    : … { … }

TransportSecurityState::PinSet::PinSet(const PinSet& other) = default;
TransportSecurityState::PinSet::~PinSet() = default;

TransportSecurityState::PinSetInfo::PinSetInfo(std::string hostname,
                                               std::string pinset_name,
                                               bool include_subdomains)
    : … { … }

bool TransportSecurityState::PKPState::CheckPublicKeyPins(
    const HashValueVector& hashes) const { … }

bool TransportSecurityState::PKPState::HasPublicKeyPins() const { … }

bool TransportSecurityState::IsStaticPKPListTimely() const { … }

}  // namespace net
chromium/net/http/transport_security_state.cc
