1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/http/transport_security_state.h"
7 #if defined(USE_OPENSSL)
8 #include <openssl/ecdsa.h>
9 #include <openssl/ssl.h>
10 #else // !defined(USE_OPENSSL)
20 #include "base/base64.h"
21 #include "base/build_time.h"
22 #include "base/logging.h"
23 #include "base/memory/scoped_ptr.h"
24 #include "base/metrics/histogram.h"
25 #include "base/sha1.h"
26 #include "base/strings/string_number_conversions.h"
27 #include "base/strings/string_util.h"
28 #include "base/strings/utf_string_conversions.h"
29 #include "base/time/time.h"
30 #include "base/values.h"
31 #include "crypto/sha2.h"
32 #include "net/base/dns_util.h"
33 #include "net/cert/x509_cert_types.h"
34 #include "net/cert/x509_certificate.h"
35 #include "net/http/http_security_headers.h"
36 #include "net/ssl/ssl_info.h"
39 #if defined(USE_OPENSSL)
40 #include "crypto/openssl_util.h"
47 std::string HashesToBase64String(const HashValueVector& hashes) {
49 for (size_t i = 0; i != hashes.size(); ++i) {
52 str += hashes[i].ToString();
57 std::string HashHost(const std::string& canonicalized_host) {
58 char hashed[crypto::kSHA256Length];
59 crypto::SHA256HashString(canonicalized_host, hashed, sizeof(hashed));
60 return std::string(hashed, sizeof(hashed));
63 // Returns true if the intersection of |a| and |b| is not empty. If either
64 // |a| or |b| is empty, returns false.
65 bool HashesIntersect(const HashValueVector& a,
66 const HashValueVector& b) {
67 for (HashValueVector::const_iterator i = a.begin(); i != a.end(); ++i) {
68 HashValueVector::const_iterator j =
69 std::find_if(b.begin(), b.end(), HashValuesEqual(*i));
76 bool AddHash(const char* sha1_hash,
77 HashValueVector* out) {
78 HashValue hash(HASH_VALUE_SHA1);
79 memcpy(hash.data(), sha1_hash, hash.size());
86 TransportSecurityState::TransportSecurityState()
88 DCHECK(CalledOnValidThread());
91 TransportSecurityState::Iterator::Iterator(const TransportSecurityState& state)
92 : iterator_(state.enabled_hosts_.begin()),
93 end_(state.enabled_hosts_.end()) {
96 TransportSecurityState::Iterator::~Iterator() {}
98 void TransportSecurityState::SetDelegate(
99 TransportSecurityState::Delegate* delegate) {
100 DCHECK(CalledOnValidThread());
101 delegate_ = delegate;
104 void TransportSecurityState::EnableHost(const std::string& host,
105 const DomainState& state) {
106 DCHECK(CalledOnValidThread());
108 const std::string canonicalized_host = CanonicalizeHost(host);
109 if (canonicalized_host.empty())
112 DomainState state_copy(state);
113 // No need to store this value since it is redundant. (|canonicalized_host|
115 state_copy.domain.clear();
117 enabled_hosts_[HashHost(canonicalized_host)] = state_copy;
121 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) {
122 DCHECK(CalledOnValidThread());
124 const std::string canonicalized_host = CanonicalizeHost(host);
125 if (canonicalized_host.empty())
128 DomainStateMap::iterator i = enabled_hosts_.find(
129 HashHost(canonicalized_host));
130 if (i != enabled_hosts_.end()) {
131 enabled_hosts_.erase(i);
138 bool TransportSecurityState::GetDomainState(const std::string& host,
140 DomainState* result) {
141 DCHECK(CalledOnValidThread());
144 const std::string canonicalized_host = CanonicalizeHost(host);
145 if (canonicalized_host.empty())
148 bool has_preload = GetStaticDomainState(canonicalized_host, sni_enabled,
150 std::string canonicalized_preload = CanonicalizeHost(state.domain);
151 GetDynamicDomainState(host, &state);
153 base::Time current_time(base::Time::Now());
155 for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
156 std::string host_sub_chunk(&canonicalized_host[i],
157 canonicalized_host.size() - i);
158 // Exact match of a preload always wins.
159 if (has_preload && host_sub_chunk == canonicalized_preload) {
164 DomainStateMap::iterator j =
165 enabled_hosts_.find(HashHost(host_sub_chunk));
166 if (j == enabled_hosts_.end())
169 if (current_time > j->second.upgrade_expiry &&
170 current_time > j->second.dynamic_spki_hashes_expiry) {
171 enabled_hosts_.erase(j);
177 state.domain = DNSDomainToString(host_sub_chunk);
179 // Succeed if we matched the domain exactly or if subdomain matches are
181 if (i == 0 || j->second.sts_include_subdomains ||
182 j->second.pkp_include_subdomains) {
193 void TransportSecurityState::ClearDynamicData() {
194 DCHECK(CalledOnValidThread());
195 enabled_hosts_.clear();
198 void TransportSecurityState::DeleteAllDynamicDataSince(const base::Time& time) {
199 DCHECK(CalledOnValidThread());
201 bool dirtied = false;
202 DomainStateMap::iterator i = enabled_hosts_.begin();
203 while (i != enabled_hosts_.end()) {
204 if (i->second.sts_observed >= time && i->second.pkp_observed >= time) {
206 enabled_hosts_.erase(i++);
210 if (i->second.sts_observed >= time) {
212 i->second.upgrade_mode = DomainState::MODE_DEFAULT;
213 } else if (i->second.pkp_observed >= time) {
215 i->second.dynamic_spki_hashes.clear();
224 TransportSecurityState::~TransportSecurityState() {
225 DCHECK(CalledOnValidThread());
228 void TransportSecurityState::DirtyNotify() {
229 DCHECK(CalledOnValidThread());
232 delegate_->StateIsDirty(this);
236 std::string TransportSecurityState::CanonicalizeHost(const std::string& host) {
237 // We cannot perform the operations as detailed in the spec here as |host|
238 // has already undergone IDN processing before it reached us. Thus, we check
239 // that there are no invalid characters in the host and lowercase the result.
241 std::string new_host;
242 if (!DNSDomainFromDot(host, &new_host)) {
243 // DNSDomainFromDot can fail if any label is > 63 bytes or if the whole
244 // name is >255 bytes. However, search terms can have those properties.
245 return std::string();
248 for (size_t i = 0; new_host[i]; i += new_host[i] + 1) {
249 const unsigned label_length = static_cast<unsigned>(new_host[i]);
253 for (size_t j = 0; j < label_length; ++j) {
254 new_host[i + 1 + j] = tolower(new_host[i + 1 + j]);
261 // |ReportUMAOnPinFailure| uses these to report which domain was associated
262 // with the public key pinning failure.
264 // DO NOT CHANGE THE ORDERING OF THESE NAMES OR REMOVE ANY OF THEM. Add new
265 // domains at the END of the listing (but before DOMAIN_NUM_EVENTS).
266 enum SecondLevelDomainName {
271 DOMAIN_GOOGLE_ANALYTICS_COM,
272 DOMAIN_GOOGLEPLEX_COM,
274 DOMAIN_GOOGLEUSERCONTENT_COM,
276 DOMAIN_GOOGLEAPIS_COM,
277 DOMAIN_GOOGLEADSERVICES_COM,
278 DOMAIN_GOOGLECODE_COM,
280 DOMAIN_GOOGLESYNDICATION_COM,
281 DOMAIN_DOUBLECLICK_NET,
284 DOMAIN_GOOGLEMAIL_COM,
285 DOMAIN_GOOGLEGROUPS_COM,
287 DOMAIN_TORPROJECT_ORG,
297 DOMAIN_GOOGLECOMMERCE_COM,
524 DOMAIN_GOOGLETAGMANAGER_COM,
526 // Boundary value for UMA_HISTOGRAM_ENUMERATION:
530 // PublicKeyPins contains a number of SubjectPublicKeyInfo hashes for a site.
531 // The validated certificate chain for the site must not include any of
532 // |excluded_hashes| and must include one or more of |required_hashes|.
533 struct PublicKeyPins {
534 const char* const* required_hashes;
535 const char* const* excluded_hashes;
540 bool include_subdomains;
544 SecondLevelDomainName second_level_domain_name;
547 static bool HasPreload(const struct HSTSPreload* entries, size_t num_entries,
548 const std::string& canonicalized_host, size_t i,
549 TransportSecurityState::DomainState* out, bool* ret) {
550 for (size_t j = 0; j < num_entries; j++) {
551 if (entries[j].length == canonicalized_host.size() - i &&
552 memcmp(entries[j].dns_name, &canonicalized_host[i],
553 entries[j].length) == 0) {
554 if (!entries[j].include_subdomains && i != 0) {
557 out->sts_include_subdomains = entries[j].include_subdomains;
558 out->pkp_include_subdomains = entries[j].include_subdomains;
560 if (!entries[j].https_required)
561 out->upgrade_mode = TransportSecurityState::DomainState::MODE_DEFAULT;
562 if (entries[j].pins.required_hashes) {
563 const char* const* sha1_hash = entries[j].pins.required_hashes;
565 AddHash(*sha1_hash, &out->static_spki_hashes);
569 if (entries[j].pins.excluded_hashes) {
570 const char* const* sha1_hash = entries[j].pins.excluded_hashes;
572 AddHash(*sha1_hash, &out->bad_static_spki_hashes);
583 #include "net/http/transport_security_state_static.h"
585 // Returns the HSTSPreload entry for the |canonicalized_host| in |entries|,
586 // or NULL if there is none. Prefers exact hostname matches to those that
587 // match only because HSTSPreload.include_subdomains is true.
589 // |canonicalized_host| should be the hostname as canonicalized by
591 static const struct HSTSPreload* GetHSTSPreload(
592 const std::string& canonicalized_host,
593 const struct HSTSPreload* entries,
594 size_t num_entries) {
595 for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
596 for (size_t j = 0; j < num_entries; j++) {
597 const struct HSTSPreload* entry = entries + j;
599 if (i != 0 && !entry->include_subdomains)
602 if (entry->length == canonicalized_host.size() - i &&
603 memcmp(entry->dns_name, &canonicalized_host[i], entry->length) == 0) {
612 bool TransportSecurityState::AddHSTSHeader(const std::string& host,
613 const std::string& value) {
614 DCHECK(CalledOnValidThread());
616 base::Time now = base::Time::Now();
617 base::TimeDelta max_age;
618 TransportSecurityState::DomainState domain_state;
619 GetDynamicDomainState(host, &domain_state);
620 if (ParseHSTSHeader(value, &max_age, &domain_state.sts_include_subdomains)) {
621 // Handle max-age == 0
622 if (max_age.InSeconds() == 0)
623 domain_state.upgrade_mode = DomainState::MODE_DEFAULT;
625 domain_state.upgrade_mode = DomainState::MODE_FORCE_HTTPS;
626 domain_state.sts_observed = now;
627 domain_state.upgrade_expiry = now + max_age;
628 EnableHost(host, domain_state);
634 bool TransportSecurityState::AddHPKPHeader(const std::string& host,
635 const std::string& value,
636 const SSLInfo& ssl_info) {
637 DCHECK(CalledOnValidThread());
639 base::Time now = base::Time::Now();
640 base::TimeDelta max_age;
641 TransportSecurityState::DomainState domain_state;
642 GetDynamicDomainState(host, &domain_state);
643 if (ParseHPKPHeader(value, ssl_info.public_key_hashes,
644 &max_age, &domain_state.pkp_include_subdomains,
645 &domain_state.dynamic_spki_hashes)) {
646 // TODO(palmer): http://crbug.com/243865 handle max-age == 0.
647 domain_state.pkp_observed = now;
648 domain_state.dynamic_spki_hashes_expiry = now + max_age;
649 EnableHost(host, domain_state);
655 bool TransportSecurityState::AddHSTS(const std::string& host,
656 const base::Time& expiry,
657 bool include_subdomains) {
658 DCHECK(CalledOnValidThread());
660 // Copy-and-modify the existing DomainState for this host (if any).
661 TransportSecurityState::DomainState domain_state;
662 const std::string canonicalized_host = CanonicalizeHost(host);
663 const std::string hashed_host = HashHost(canonicalized_host);
664 DomainStateMap::const_iterator i = enabled_hosts_.find(
666 if (i != enabled_hosts_.end())
667 domain_state = i->second;
669 domain_state.sts_observed = base::Time::Now();
670 domain_state.sts_include_subdomains = include_subdomains;
671 domain_state.upgrade_expiry = expiry;
672 domain_state.upgrade_mode = DomainState::MODE_FORCE_HTTPS;
673 EnableHost(host, domain_state);
677 bool TransportSecurityState::AddHPKP(const std::string& host,
678 const base::Time& expiry,
679 bool include_subdomains,
680 const HashValueVector& hashes) {
681 DCHECK(CalledOnValidThread());
683 // Copy-and-modify the existing DomainState for this host (if any).
684 TransportSecurityState::DomainState domain_state;
685 const std::string canonicalized_host = CanonicalizeHost(host);
686 const std::string hashed_host = HashHost(canonicalized_host);
687 DomainStateMap::const_iterator i = enabled_hosts_.find(
689 if (i != enabled_hosts_.end())
690 domain_state = i->second;
692 domain_state.pkp_observed = base::Time::Now();
693 domain_state.pkp_include_subdomains = include_subdomains;
694 domain_state.dynamic_spki_hashes_expiry = expiry;
695 domain_state.dynamic_spki_hashes = hashes;
696 EnableHost(host, domain_state);
701 bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
703 std::string canonicalized_host = CanonicalizeHost(host);
704 const struct HSTSPreload* entry =
705 GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
707 if (entry && entry->pins.required_hashes == kGoogleAcceptableCerts)
711 entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
712 kNumPreloadedSNISTS);
713 if (entry && entry->pins.required_hashes == kGoogleAcceptableCerts)
721 void TransportSecurityState::ReportUMAOnPinFailure(const std::string& host) {
722 std::string canonicalized_host = CanonicalizeHost(host);
724 const struct HSTSPreload* entry =
725 GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
728 entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
729 kNumPreloadedSNISTS);
733 // We don't care to report pin failures for dynamic pins.
738 DCHECK(entry->pins.required_hashes);
739 DCHECK(entry->second_level_domain_name != DOMAIN_NOT_PINNED);
741 UMA_HISTOGRAM_ENUMERATION("Net.PublicKeyPinFailureDomain",
742 entry->second_level_domain_name, DOMAIN_NUM_EVENTS);
746 bool TransportSecurityState::IsBuildTimely() {
747 const base::Time build_time = base::GetBuildTime();
748 // We consider built-in information to be timely for 10 weeks.
749 return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
752 bool TransportSecurityState::GetStaticDomainState(
753 const std::string& canonicalized_host,
756 DCHECK(CalledOnValidThread());
758 out->upgrade_mode = DomainState::MODE_FORCE_HTTPS;
759 out->sts_include_subdomains = false;
760 out->pkp_include_subdomains = false;
762 const bool is_build_timely = IsBuildTimely();
764 for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
765 std::string host_sub_chunk(&canonicalized_host[i],
766 canonicalized_host.size() - i);
767 out->domain = DNSDomainToString(host_sub_chunk);
769 if (is_build_timely &&
770 HasPreload(kPreloadedSTS, kNumPreloadedSTS, canonicalized_host, i, out,
776 HasPreload(kPreloadedSNISTS, kNumPreloadedSNISTS, canonicalized_host, i,
785 bool TransportSecurityState::GetDynamicDomainState(const std::string& host,
786 DomainState* result) {
787 DCHECK(CalledOnValidThread());
790 const std::string canonicalized_host = CanonicalizeHost(host);
791 if (canonicalized_host.empty())
794 base::Time current_time(base::Time::Now());
796 for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
797 std::string host_sub_chunk(&canonicalized_host[i],
798 canonicalized_host.size() - i);
799 DomainStateMap::iterator j =
800 enabled_hosts_.find(HashHost(host_sub_chunk));
801 if (j == enabled_hosts_.end())
804 if (current_time > j->second.upgrade_expiry &&
805 current_time > j->second.dynamic_spki_hashes_expiry) {
806 enabled_hosts_.erase(j);
812 state.domain = DNSDomainToString(host_sub_chunk);
814 // Succeed if we matched the domain exactly or if subdomain matches are
816 if (i == 0 || j->second.sts_include_subdomains ||
817 j->second.pkp_include_subdomains) {
829 void TransportSecurityState::AddOrUpdateEnabledHosts(
830 const std::string& hashed_host, const DomainState& state) {
831 DCHECK(CalledOnValidThread());
832 enabled_hosts_[hashed_host] = state;
835 TransportSecurityState::DomainState::DomainState()
836 : upgrade_mode(MODE_DEFAULT),
837 sts_include_subdomains(false),
838 pkp_include_subdomains(false) {
839 base::Time now(base::Time::Now());
844 TransportSecurityState::DomainState::~DomainState() {
847 bool TransportSecurityState::DomainState::CheckPublicKeyPins(
848 const HashValueVector& hashes) const {
849 // Validate that hashes is not empty. By the time this code is called (in
850 // production), that should never happen, but it's good to be defensive.
851 // And, hashes *can* be empty in some test scenarios.
852 if (hashes.empty()) {
853 LOG(ERROR) << "Rejecting empty public key chain for public-key-pinned "
858 if (HashesIntersect(bad_static_spki_hashes, hashes)) {
859 LOG(ERROR) << "Rejecting public key chain for domain " << domain
860 << ". Validated chain: " << HashesToBase64String(hashes)
861 << ", matches one or more bad hashes: "
862 << HashesToBase64String(bad_static_spki_hashes);
866 // If there are no pins, then any valid chain is acceptable.
867 if (dynamic_spki_hashes.empty() && static_spki_hashes.empty())
870 if (HashesIntersect(dynamic_spki_hashes, hashes) ||
871 HashesIntersect(static_spki_hashes, hashes)) {
875 LOG(ERROR) << "Rejecting public key chain for domain " << domain
876 << ". Validated chain: " << HashesToBase64String(hashes)
877 << ", expected: " << HashesToBase64String(dynamic_spki_hashes)
878 << " or: " << HashesToBase64String(static_spki_hashes);
882 bool TransportSecurityState::DomainState::ShouldUpgradeToSSL() const {
883 return upgrade_mode == MODE_FORCE_HTTPS;
886 bool TransportSecurityState::DomainState::ShouldSSLErrorsBeFatal() const {
890 bool TransportSecurityState::DomainState::HasPublicKeyPins() const {
891 return static_spki_hashes.size() > 0 ||
892 bad_static_spki_hashes.size() > 0 ||
893 dynamic_spki_hashes.size() > 0;