cef/patch/patches/net_security_expiration_199...

110 lines
4.5 KiB
Diff

diff --git components/certificate_transparency/chrome_ct_policy_enforcer.cc components/certificate_transparency/chrome_ct_policy_enforcer.cc
index a2e2b493def0..c08872260c68 100644
--- components/certificate_transparency/chrome_ct_policy_enforcer.cc
+++ components/certificate_transparency/chrome_ct_policy_enforcer.cc
@@ -36,15 +36,6 @@ namespace certificate_transparency {
namespace {
-// Returns true if the current build is recent enough to ensure that
-// built-in security information (e.g. CT Logs) is fresh enough.
-// TODO(eranm): Move to base or net/base
-bool IsBuildTimely() {
- const base::Time build_time = base::GetBuildTime();
- // We consider built-in information to be timely for 10 weeks.
- return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
-}
-
// Returns a rounded-down months difference of |start| and |end|,
// together with an indication of whether the last month was
// a full month, because the range starts specified in the policy
@@ -304,4 +295,16 @@ CTPolicyCompliance ChromeCTPolicyEnforcer::CheckCompliance(
return compliance;
}
+// Returns true if the current build is recent enough to ensure that
+// built-in security information (e.g. CT Logs) is fresh enough.
+// TODO(eranm): Move to base or net/base
+bool ChromeCTPolicyEnforcer::IsBuildTimely() const {
+ if (!enforce_net_security_expiration_)
+ return true;
+
+ const base::Time build_time = base::GetBuildTime();
+ // We consider built-in information to be timely for 10 weeks.
+ return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
+}
+
} // namespace certificate_transparency
diff --git components/certificate_transparency/chrome_ct_policy_enforcer.h components/certificate_transparency/chrome_ct_policy_enforcer.h
index f61ff0d0564a..e6727c7b1cbc 100644
--- components/certificate_transparency/chrome_ct_policy_enforcer.h
+++ components/certificate_transparency/chrome_ct_policy_enforcer.h
@@ -26,6 +26,17 @@ class ChromeCTPolicyEnforcer : public net::CTPolicyEnforcer {
net::X509Certificate* cert,
const net::ct::SCTList& verified_scts,
const net::NetLogWithSource& net_log) override;
+
+ void set_enforce_net_security_expiration(bool enforce) {
+ enforce_net_security_expiration_ = enforce;
+ }
+
+ private:
+ // Returns true if the current build is recent enough to ensure that
+ // built-in security information (e.g. CT Logs) is fresh enough.
+ bool IsBuildTimely() const;
+
+ bool enforce_net_security_expiration_ = true;
};
} // namespace certificate_transparency
diff --git net/http/transport_security_state.cc net/http/transport_security_state.cc
index 5177ef21fdfe..5a98b43c9512 100644
--- net/http/transport_security_state.cc
+++ net/http/transport_security_state.cc
@@ -1562,8 +1562,10 @@ void TransportSecurityState::ClearReportCachesForTesting() {
sent_expect_ct_reports_cache_.Clear();
}
-// static
-bool TransportSecurityState::IsBuildTimely() {
+bool TransportSecurityState::IsBuildTimely() const {
+ if (!enforce_net_security_expiration_)
+ return true;
+
const base::Time build_time = base::GetBuildTime();
// We consider built-in information to be timely for 10 weeks.
return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
diff --git net/http/transport_security_state.h net/http/transport_security_state.h
index 5f7873f76376..bccb857b682d 100644
--- net/http/transport_security_state.h
+++ net/http/transport_security_state.h
@@ -593,6 +593,10 @@ class NET_EXPORT TransportSecurityState {
// Expect-CT reports.
void ClearReportCachesForTesting();
+ void set_enforce_net_security_expiration(bool enforce) {
+ enforce_net_security_expiration_ = enforce;
+ }
+
private:
friend class TransportSecurityStateTest;
friend class TransportSecurityStateStaticFuzzer;
@@ -613,7 +617,7 @@ class NET_EXPORT TransportSecurityState {
// IsBuildTimely returns true if the current build is new enough ensure that
// built in security information (i.e. HSTS preloading and pinning
// information) is timely.
- static bool IsBuildTimely();
+ bool IsBuildTimely() const;
// Helper method for actually checking pins.
PKPStatus CheckPublicKeyPinsImpl(
@@ -722,6 +726,8 @@ class NET_EXPORT TransportSecurityState {
// True if public key pinning bypass is enabled for local trust anchors.
bool enable_pkp_bypass_for_local_trust_anchors_;
+ bool enforce_net_security_expiration_ = true;
+
ExpectCTReporter* expect_ct_reporter_ = nullptr;
RequireCTDelegate* require_ct_delegate_ = nullptr;