diff --git components/certificate_transparency/chrome_ct_policy_enforcer.cc components/certificate_transparency/chrome_ct_policy_enforcer.cc
index 99a4405290ea..d0b35f74e552 100644
--- components/certificate_transparency/chrome_ct_policy_enforcer.cc
+++ components/certificate_transparency/chrome_ct_policy_enforcer.cc
@@ -36,15 +36,6 @@ namespace certificate_transparency {
namespace {
-// Returns true if the current build is recent enough to ensure that
-// built-in security information (e.g. CT Logs) is fresh enough.
-// TODO(eranm): Move to base or net/base
-bool IsBuildTimely() {
- const base::Time build_time = base::GetBuildTime();
- // We consider built-in information to be timely for 10 weeks.
- return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
-}
-
// Returns a rounded-down months difference of |start| and |end|,
// together with an indication of whether the last month was
// a full month, because the range starts specified in the policy
@@ -304,4 +295,16 @@ CTPolicyCompliance ChromeCTPolicyEnforcer::CheckCompliance(
return compliance;
}
+// Returns true if the current build is recent enough to ensure that
+// built-in security information (e.g. CT Logs) is fresh enough.
+// TODO(eranm): Move to base or net/base
+bool ChromeCTPolicyEnforcer::IsBuildTimely() const {
+ if (!enforce_net_security_expiration_)
+ return true;
+
+ const base::Time build_time = base::GetBuildTime();
+ // We consider built-in information to be timely for 10 weeks.
+ return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
+}
+
} // namespace certificate_transparency
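Review bot: The header comment above `ChromeCTPolicyEnforcer::IsBuildTimely` still says it returns true only when the build is recent enough, but the new early return makes it return true unconditionally once `enforce_net_security_expiration_` is false, so a reader of the comment would not expect an out-of-date built-in CT log list to pass as timely. Suggest `// Returns true if the current build is recent enough for built-in security information (e.g. CT Logs) to be trusted, or unconditionally when expiration enforcement has been disabled via set_enforce_net_security_expiration(false).` and mirroring it on the declaration in chrome_ct_policy_enforcer.h. The carried-over `TODO(eranm): Move to base or net/base` no longer fits a member function that reads instance state, while the same 10-week window is now written twice (here and in `TransportSecurityState::IsBuildTimely`), so rewording it to `// TODO(eranm): Share the build-age window with TransportSecurityState::IsBuildTimely().` keeps the intent.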
diff --git components/certificate_transparency/chrome_ct_policy_enforcer.h components/certificate_transparency/chrome_ct_policy_enforcer.h
index f61ff0d0564a..e6727c7b1cbc 100644
--- components/certificate_transparency/chrome_ct_policy_enforcer.h
+++ components/certificate_transparency/chrome_ct_policy_enforcer.h
@@ -26,6 +26,17 @@ class ChromeCTPolicyEnforcer : public net::CTPolicyEnforcer {
net::X509Certificate* cert,
const net::ct::SCTList& verified_scts,
const net::NetLogWithSource& net_log) override;
+
+ void set_enforce_net_security_expiration(bool enforce) {
+ enforce_net_security_expiration_ = enforce;
+ }
+
+ private:
+ // Returns true if the current build is recent enough to ensure that
+ // built-in security information (e.g. CT Logs) is fresh enough.
+ bool IsBuildTimely() const;
+
+ bool enforce_net_security_expiration_ = true;
};
} // namespace certificate_transparency
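Review bot: `set_enforce_net_security_expiration` is public and undocumented, yet passing false removes the only guard against this build relying on a stale built-in CT log list, and the default `enforce_net_security_expiration_ = true` is likewise unexplained. Suggest above the setter: `// When |enforce| is false, IsBuildTimely() always returns true and built-in CT log information is used regardless of build age; state the intended callers here (presumably tests or embedders that refresh that information by other means — confirm).` and on the member `// Whether built-in security information is treated as expired 10 weeks after the build.`. The same undocumented setter and member are added to TransportSecurityState in the transport_security_state.h hunks and would benefit from the same comments. The inserted `private:` may also split an existing private section further down the class; that cannot be seen from the hunk.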
diff --git net/http/transport_security_state.cc net/http/transport_security_state.cc
index f1a5d1cec270..2a586caaf0c4 100644
--- net/http/transport_security_state.cc
+++ net/http/transport_security_state.cc
@@ -1151,8 +1151,10 @@ void TransportSecurityState::ClearReportCachesForTesting() {
sent_expect_ct_reports_cache_.Clear();
}
-// static
-bool TransportSecurityState::IsBuildTimely() {
+bool TransportSecurityState::IsBuildTimely() const {
+ if (!enforce_net_security_expiration_)
+ return true;
+
const base::Time build_time = base::GetBuildTime();
// We consider built-in information to be timely for 10 weeks.
return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
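Review bot: The 10-week window (`InDays() < 70`) is now duplicated verbatim between this function and the new `ChromeCTPolicyEnforcer::IsBuildTimely`, so a future change to the freshness policy has to be made in two places; hoisting it to one shared constant such as `constexpr int kBuildTimelinessDays = 70;  // 10 weeks` in a net/base header, as the existing TODO suggests, would prevent drift. The early return also deserves a comment, since nothing at the call sites shows that the staleness check was skipped: `// Expiration enforcement disabled: treat built-in HSTS/pin data as timely regardless of build age.`. IsBuildTimely's closing brace lies outside the hunk.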
diff --git net/http/transport_security_state.h net/http/transport_security_state.h
index 9c65b59e4ec2..0ac0509abf78 100644
--- net/http/transport_security_state.h
+++ net/http/transport_security_state.h
@@ -561,6 +561,10 @@ class NET_EXPORT TransportSecurityState {
// Expect-CT reports.
void ClearReportCachesForTesting();
+ void set_enforce_net_security_expiration(bool enforce) {
+ enforce_net_security_expiration_ = enforce;
+ }
+
private:
friend class TransportSecurityStateTest;
friend class TransportSecurityStateStaticFuzzer;
@@ -581,7 +585,7 @@ class NET_EXPORT TransportSecurityState {
// IsBuildTimely returns true if the current build is new enough ensure that
// built in security information (i.e. HSTS preloading and pinning
// information) is timely.
- static bool IsBuildTimely();
+ bool IsBuildTimely() const;
// Helper method for actually checking pins.
PKPStatus CheckPublicKeyPinsImpl(
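Review bot: The comment above `bool IsBuildTimely() const;` was not updated for the new behaviour: it still promises true only when the build is new enough, but once `enforce_net_security_expiration_` is false the method returns true regardless, and the sentence also carries a pre-existing slip (`new enough ensure`). Suggest `// IsBuildTimely returns true if the current build is new enough to ensure that built in security information (i.e. HSTS preloading and pinning information) is timely, or unconditionally when set_enforce_net_security_expiration(false) has been called.` so the bypass is visible at the declaration readers actually consult.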
@@ -679,6 +683,8 @@ class NET_EXPORT TransportSecurityState {
// True if public key pinning bypass is enabled for local trust anchors.
bool enable_pkp_bypass_for_local_trust_anchors_;
+ bool enforce_net_security_expiration_ = true;
+
ExpectCTReporter* expect_ct_reporter_ = nullptr;
RequireCTDelegate* require_ct_delegate_ = nullptr;