Add option to enable/disable net security expiration (issue #1994)

- Net security (CT, HSTS) expiration based on build age is now
  disabled by default.
- Add new enable_net_security_expiration option to CefSettings and
  CefRequestContextSettings.
This commit is contained in:
Marshall Greenblatt 2016-11-18 16:11:38 -05:00
parent d7afec5dbd
commit ffd843c47c
8 changed files with 158 additions and 4 deletions

View File

@ -376,6 +376,19 @@ typedef struct _cef_settings_t {
///
int ignore_certificate_errors;
///
// Set to true (1) to enable date-based expiration of built in network
// security information (i.e. certificate transparency logs, HSTS preloading
// and pinning information). Enabling this option improves network security
// but may cause HTTPS load failures when using CEF binaries built more than
// 10 weeks in the past. See https://www.certificate-transparency.org/ and
// https://www.chromium.org/hsts for details. Also configurable using the
// "enable-net-security-expiration" command-line switch. Can be overridden for
// individual CefRequestContext instances via the
// CefRequestContextSettings.enable_net_security_expiration value.
///
int enable_net_security_expiration;
///
// Opaque background color used for accelerated content. By default the
// background color will be white. Only the RGB compontents of the specified
@ -443,6 +456,17 @@ typedef struct _cef_request_context_settings_t {
///
int ignore_certificate_errors;
///
// Set to true (1) to enable date-based expiration of built in network
// security information (i.e. certificate transparency logs, HSTS preloading
// and pinning information). Enabling this option improves network security
// but may cause HTTPS load failures when using CEF binaries built more than
// 10 weeks in the past. See https://www.certificate-transparency.org/ and
// https://www.chromium.org/hsts for details. Can be set globally using the
// CefSettings.enable_net_security_expiration value.
///
int enable_net_security_expiration;
///
// Comma delimited ordered list of language codes without any whitespace that
// will be used in the "Accept-Language" HTTP header. Can be set globally

View File

@ -607,6 +607,8 @@ struct CefSettingsTraits {
target->uncaught_exception_stack_size = src->uncaught_exception_stack_size;
target->context_safety_implementation = src->context_safety_implementation;
target->ignore_certificate_errors = src->ignore_certificate_errors;
target->enable_net_security_expiration =
src->enable_net_security_expiration;
target->background_color = src->background_color;
cef_string_set(src->accept_language_list.str,
@ -639,6 +641,8 @@ struct CefRequestContextSettingsTraits {
target->persist_session_cookies = src->persist_session_cookies;
target->persist_user_preferences = src->persist_user_preferences;
target->ignore_certificate_errors = src->ignore_certificate_errors;
target->enable_net_security_expiration =
src->enable_net_security_expiration;
cef_string_set(src->accept_language_list.str,
src->accept_language_list.length, &target->accept_language_list, copy);
}

View File

@ -368,6 +368,9 @@ void CefContext::PopulateRequestContextSettings(
settings->ignore_certificate_errors =
settings_.ignore_certificate_errors ||
command_line->HasSwitch(switches::kIgnoreCertificateErrors);
settings->enable_net_security_expiration =
settings_.enable_net_security_expiration ||
command_line->HasSwitch(switches::kEnableNetSecurityExpiration);
CefString(&settings->accept_language_list) =
CefString(&settings_.accept_language_list);
}

View File

@ -216,8 +216,12 @@ net::URLRequestContext* CefURLRequestContextGetterImpl::GetURLRequestContext() {
storage_->set_host_resolver(net::HostResolver::CreateDefaultResolver(NULL));
storage_->set_cert_verifier(net::CertVerifier::CreateDefault());
storage_->set_transport_security_state(
base::WrapUnique(new net::TransportSecurityState));
std::unique_ptr<net::TransportSecurityState> transport_security_state(
new net::TransportSecurityState);
transport_security_state->set_enforce_net_security_expiration(
settings_.enable_net_security_expiration ? true : false);
storage_->set_transport_security_state(std::move(transport_security_state));
std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs(
net::ct::CreateLogVerifiersForKnownLogs());
@ -226,8 +230,11 @@ net::URLRequestContext* CefURLRequestContextGetterImpl::GetURLRequestContext() {
ct_verifier->AddLogs(ct_logs);
storage_->set_cert_transparency_verifier(std::move(ct_verifier));
storage_->set_ct_policy_enforcer(
base::WrapUnique(new net::CTPolicyEnforcer));
std::unique_ptr<net::CTPolicyEnforcer> ct_policy_enforcer(
new net::CTPolicyEnforcer);
ct_policy_enforcer->set_enforce_net_security_expiration(
settings_.enable_net_security_expiration ? true : false);
storage_->set_ct_policy_enforcer(std::move(ct_policy_enforcer));
std::unique_ptr<net::ProxyService> system_proxy_service =
ProxyServiceFactory::CreateProxyService(

View File

@ -122,4 +122,7 @@ const char kPluginPolicy_Block[] = "block";
// Expose preferences used only by unit tests.
const char kEnablePreferenceTesting[] = "enable-preference-testing";
// Enable date-based expiration of built in network security information.
const char kEnableNetSecurityExpiration[] = "enable-net-security-expiration";
} // namespace switches

View File

@ -51,6 +51,7 @@ extern const char kPluginPolicy_Allow[];
extern const char kPluginPolicy_Detect[];
extern const char kPluginPolicy_Block[];
extern const char kEnablePreferenceTesting[];
extern const char kEnableNetSecurityExpiration[];
} // namespace switches

View File

@ -264,4 +264,10 @@ patches = [
'name': 'webview_plugin_2352673003',
'path': '../',
},
{
# Support an option to enable/disable net security expiration.
# https://bitbucket.org/chromiumembedded/cef/issues/1994
'name': 'net_security_expiration_1994',
'path': '../',
},
]

View File

@ -0,0 +1,106 @@
diff --git net/cert/ct_policy_enforcer.cc net/cert/ct_policy_enforcer.cc
index a4e1e81..f3c627d 100644
--- net/cert/ct_policy_enforcer.cc
+++ net/cert/ct_policy_enforcer.cc
@@ -33,15 +33,6 @@ namespace net {
namespace {
-// Returns true if the current build is recent enough to ensure that
-// built-in security information (e.g. CT Logs) is fresh enough.
-// TODO(eranm): Move to base or net/base
-bool IsBuildTimely() {
- const base::Time build_time = base::GetBuildTime();
- // We consider built-in information to be timely for 10 weeks.
- return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
-}
-
// Returns a rounded-down months difference of |start| and |end|,
// together with an indication of whether the last month was
// a full month, because the range starts specified in the policy
@@ -455,4 +446,13 @@ ct::EVPolicyCompliance CTPolicyEnforcer::DoesConformToCTEVPolicy(
return details.status;
}
+bool CTPolicyEnforcer::IsBuildTimely() const {
+ if (!enforce_net_security_expiration_)
+ return true;
+
+ const base::Time build_time = base::GetBuildTime();
+ // We consider built-in information to be timely for 10 weeks.
+ return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
+}
+
} // namespace net
diff --git net/cert/ct_policy_enforcer.h net/cert/ct_policy_enforcer.h
index c49e091..d3edffa 100644
--- net/cert/ct_policy_enforcer.h
+++ net/cert/ct_policy_enforcer.h
@@ -100,6 +100,17 @@ class NET_EXPORT CTPolicyEnforcer {
const ct::EVCertsWhitelist* ev_whitelist,
const SCTList& verified_scts,
const BoundNetLog& net_log);
+
+ void set_enforce_net_security_expiration(bool enforce) {
+ enforce_net_security_expiration_ = enforce;
+ }
+
+ private:
+ // Returns true if the current build is recent enough to ensure that
+ // built-in security information (e.g. CT Logs) is fresh enough.
+ bool IsBuildTimely() const;
+
+ bool enforce_net_security_expiration_ = true;
};
} // namespace net
diff --git net/http/transport_security_state.cc net/http/transport_security_state.cc
index 026871b..f7251e8 100644
--- net/http/transport_security_state.cc
+++ net/http/transport_security_state.cc
@@ -1343,8 +1343,10 @@ void TransportSecurityState::SetShouldRequireCTForTesting(bool* required) {
g_ct_required_for_testing = *required ? 1 : -1;
}
-// static
-bool TransportSecurityState::IsBuildTimely() {
+bool TransportSecurityState::IsBuildTimely() const {
+ if (!enforce_net_security_expiration_)
+ return true;
+
const base::Time build_time = base::GetBuildTime();
// We consider built-in information to be timely for 10 weeks.
return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
diff --git net/http/transport_security_state.h net/http/transport_security_state.h
index 3326ca2..a2de308 100644
--- net/http/transport_security_state.h
+++ net/http/transport_security_state.h
@@ -472,6 +472,10 @@ class NET_EXPORT TransportSecurityState
// nullptr to reset.
static void SetShouldRequireCTForTesting(bool* required);
+ void set_enforce_net_security_expiration(bool enforce) {
+ enforce_net_security_expiration_ = enforce;
+ }
+
private:
friend class TransportSecurityStateTest;
FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly);
@@ -495,7 +499,7 @@ class NET_EXPORT TransportSecurityState
// IsBuildTimely returns true if the current build is new enough ensure that
// built in security information (i.e. HSTS preloading and pinning
// information) is timely.
- static bool IsBuildTimely();
+ bool IsBuildTimely() const;
// Helper method for actually checking pins.
PKPStatus CheckPublicKeyPinsImpl(
@@ -586,6 +590,8 @@ class NET_EXPORT TransportSecurityState
// True if public key pinning bypass is enabled for local trust anchors.
bool enable_pkp_bypass_for_local_trust_anchors_;
+ bool enforce_net_security_expiration_ = true;
+
ExpectCTReporter* expect_ct_reporter_ = nullptr;
RequireCTDelegate* require_ct_delegate_ = nullptr;