mirror of
				https://bitbucket.org/chromiumembedded/cef
				synced 2025-06-05 21:39:12 +02:00 
			
		
		
		
	
		
			
				
	
	
		
			107 lines
		
	
	
		
			3.9 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
			
		
		
	
	
			107 lines
		
	
	
		
			3.9 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
| diff --git net/cert/ct_policy_enforcer.cc net/cert/ct_policy_enforcer.cc
 | |
| index 0f7778089273..40111e89a2e0 100644
 | |
| --- net/cert/ct_policy_enforcer.cc
 | |
| +++ net/cert/ct_policy_enforcer.cc
 | |
| @@ -35,15 +35,6 @@ namespace net {
 | |
|  
 | |
|  namespace {
 | |
|  
 | |
| -// Returns true if the current build is recent enough to ensure that
 | |
| -// built-in security information (e.g. CT Logs) is fresh enough.
 | |
| -// TODO(eranm): Move to base or net/base
 | |
| -bool IsBuildTimely() {
 | |
| -  const base::Time build_time = base::GetBuildTime();
 | |
| -  // We consider built-in information to be timely for 10 weeks.
 | |
| -  return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
 | |
| -}
 | |
| -
 | |
|  // Returns a rounded-down months difference of |start| and |end|,
 | |
|  // together with an indication of whether the last month was
 | |
|  // a full month, because the range starts specified in the policy
 | |
| @@ -302,4 +293,13 @@ ct::CTPolicyCompliance CTPolicyEnforcer::CheckCompliance(
 | |
|    return compliance;
 | |
|  }
 | |
|  
 | |
| +bool CTPolicyEnforcer::IsBuildTimely() const {
 | |
| +  if (!enforce_net_security_expiration_)
 | |
| +    return true;
 | |
| +
 | |
| +  const base::Time build_time = base::GetBuildTime();
 | |
| +  // We consider built-in information to be timely for 10 weeks.
 | |
| +  return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
 | |
| +}
 | |
| +
 | |
|  }  // namespace net
 | |
| diff --git net/cert/ct_policy_enforcer.h net/cert/ct_policy_enforcer.h
 | |
| index fb6f4847cfe9..aa4c1cdafb9f 100644
 | |
| --- net/cert/ct_policy_enforcer.h
 | |
| +++ net/cert/ct_policy_enforcer.h
 | |
| @@ -42,6 +42,17 @@ class NET_EXPORT CTPolicyEnforcer {
 | |
|        X509Certificate* cert,
 | |
|        const SCTList& verified_scts,
 | |
|        const NetLogWithSource& net_log);
 | |
| +
 | |
| +  void set_enforce_net_security_expiration(bool enforce) {
 | |
| +    enforce_net_security_expiration_ = enforce;
 | |
| +  }
 | |
| +
 | |
| + private:
 | |
| +  // Returns true if the current build is recent enough to ensure that
 | |
| +  // built-in security information (e.g. CT Logs) is fresh enough.
 | |
| +  bool IsBuildTimely() const;
 | |
| +
 | |
| +  bool enforce_net_security_expiration_ = true;
 | |
|  };
 | |
|  
 | |
|  }  // namespace net
 | |
| diff --git net/http/transport_security_state.cc net/http/transport_security_state.cc
 | |
| index 6eaa321ef4b8..9926ea6afc40 100644
 | |
| --- net/http/transport_security_state.cc
 | |
| +++ net/http/transport_security_state.cc
 | |
| @@ -1567,8 +1567,10 @@ void TransportSecurityState::ClearReportCachesForTesting() {
 | |
|    sent_expect_ct_reports_cache_.Clear();
 | |
|  }
 | |
|  
 | |
| -// static
 | |
| -bool TransportSecurityState::IsBuildTimely() {
 | |
| +bool TransportSecurityState::IsBuildTimely() const {
 | |
| +  if (!enforce_net_security_expiration_)
 | |
| +    return true;
 | |
| +
 | |
|    const base::Time build_time = base::GetBuildTime();
 | |
|    // We consider built-in information to be timely for 10 weeks.
 | |
|    return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
 | |
| diff --git net/http/transport_security_state.h net/http/transport_security_state.h
 | |
| index 79d3a1c3453f..d97e26b4b024 100644
 | |
| --- net/http/transport_security_state.h
 | |
| +++ net/http/transport_security_state.h
 | |
| @@ -576,6 +576,10 @@ class NET_EXPORT TransportSecurityState {
 | |
|    // Expect-CT reports.
 | |
|    void ClearReportCachesForTesting();
 | |
|  
 | |
| +  void set_enforce_net_security_expiration(bool enforce) {
 | |
| +    enforce_net_security_expiration_ = enforce;
 | |
| +  }
 | |
| +
 | |
|   private:
 | |
|    friend class TransportSecurityStateTest;
 | |
|    friend class TransportSecurityStateStaticFuzzer;
 | |
| @@ -596,7 +600,7 @@ class NET_EXPORT TransportSecurityState {
 | |
|    // IsBuildTimely returns true if the current build is new enough ensure that
 | |
|    // built in security information (i.e. HSTS preloading and pinning
 | |
|    // information) is timely.
 | |
| -  static bool IsBuildTimely();
 | |
| +  bool IsBuildTimely() const;
 | |
|  
 | |
|    // Helper method for actually checking pins.
 | |
|    PKPStatus CheckPublicKeyPinsImpl(
 | |
| @@ -705,6 +709,8 @@ class NET_EXPORT TransportSecurityState {
 | |
|    // True if public key pinning bypass is enabled for local trust anchors.
 | |
|    bool enable_pkp_bypass_for_local_trust_anchors_;
 | |
|  
 | |
| +  bool enforce_net_security_expiration_ = true;
 | |
| +
 | |
|    ExpectCTReporter* expect_ct_reporter_ = nullptr;
 | |
|  
 | |
|    RequireCTDelegate* require_ct_delegate_ = nullptr;
 |