mirror of
				https://bitbucket.org/chromiumembedded/cef
				synced 2025-06-05 21:39:12 +02:00 
			
		
		
		
	
		
			
				
	
	
		
			110 lines
		
	
	
		
			4.5 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
			
		
		
	
	
			110 lines
		
	
	
		
			4.5 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
| diff --git components/certificate_transparency/chrome_ct_policy_enforcer.cc components/certificate_transparency/chrome_ct_policy_enforcer.cc
 | |
| index 99a4405290ea..d0b35f74e552 100644
 | |
| --- components/certificate_transparency/chrome_ct_policy_enforcer.cc
 | |
| +++ components/certificate_transparency/chrome_ct_policy_enforcer.cc
 | |
| @@ -36,15 +36,6 @@ namespace certificate_transparency {
 | |
|  
 | |
|  namespace {
 | |
|  
 | |
| -// Returns true if the current build is recent enough to ensure that
 | |
| -// built-in security information (e.g. CT Logs) is fresh enough.
 | |
| -// TODO(eranm): Move to base or net/base
 | |
| -bool IsBuildTimely() {
 | |
| -  const base::Time build_time = base::GetBuildTime();
 | |
| -  // We consider built-in information to be timely for 10 weeks.
 | |
| -  return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
 | |
| -}
 | |
| -
 | |
|  // Returns a rounded-down months difference of |start| and |end|,
 | |
|  // together with an indication of whether the last month was
 | |
|  // a full month, because the range starts specified in the policy
 | |
| @@ -304,4 +295,16 @@ CTPolicyCompliance ChromeCTPolicyEnforcer::CheckCompliance(
 | |
|    return compliance;
 | |
|  }
 | |
|  
 | |
| +// Returns true if the current build is recent enough to ensure that
 | |
| +// built-in security information (e.g. CT Logs) is fresh enough.
 | |
| +// TODO(eranm): Move to base or net/base
 | |
| +bool ChromeCTPolicyEnforcer::IsBuildTimely() const {
 | |
| +  if (!enforce_net_security_expiration_)
 | |
| +    return true;
 | |
| +
 | |
| +  const base::Time build_time = base::GetBuildTime();
 | |
| +  // We consider built-in information to be timely for 10 weeks.
 | |
| +  return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
 | |
| +}
 | |
| +
 | |
|  }  // namespace certificate_transparency
 | |
| diff --git components/certificate_transparency/chrome_ct_policy_enforcer.h components/certificate_transparency/chrome_ct_policy_enforcer.h
 | |
| index f61ff0d0564a..e6727c7b1cbc 100644
 | |
| --- components/certificate_transparency/chrome_ct_policy_enforcer.h
 | |
| +++ components/certificate_transparency/chrome_ct_policy_enforcer.h
 | |
| @@ -26,6 +26,17 @@ class ChromeCTPolicyEnforcer : public net::CTPolicyEnforcer {
 | |
|        net::X509Certificate* cert,
 | |
|        const net::ct::SCTList& verified_scts,
 | |
|        const net::NetLogWithSource& net_log) override;
 | |
| +
 | |
| +  void set_enforce_net_security_expiration(bool enforce) {
 | |
| +    enforce_net_security_expiration_ = enforce;
 | |
| +  }
 | |
| +
 | |
| + private:
 | |
| +  // Returns true if the current build is recent enough to ensure that
 | |
| +  // built-in security information (e.g. CT Logs) is fresh enough.
 | |
| +  bool IsBuildTimely() const;
 | |
| +
 | |
| +  bool enforce_net_security_expiration_ = true;
 | |
|  };
 | |
|  
 | |
|  }  // namespace certificate_transparency
 | |
| diff --git net/http/transport_security_state.cc net/http/transport_security_state.cc
 | |
| index f1a5d1cec270..2a586caaf0c4 100644
 | |
| --- net/http/transport_security_state.cc
 | |
| +++ net/http/transport_security_state.cc
 | |
| @@ -1151,8 +1151,10 @@ void TransportSecurityState::ClearReportCachesForTesting() {
 | |
|    sent_expect_ct_reports_cache_.Clear();
 | |
|  }
 | |
|  
 | |
| -// static
 | |
| -bool TransportSecurityState::IsBuildTimely() {
 | |
| +bool TransportSecurityState::IsBuildTimely() const {
 | |
| +  if (!enforce_net_security_expiration_)
 | |
| +    return true;
 | |
| +
 | |
|    const base::Time build_time = base::GetBuildTime();
 | |
|    // We consider built-in information to be timely for 10 weeks.
 | |
|    return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
 | |
| diff --git net/http/transport_security_state.h net/http/transport_security_state.h
 | |
| index 9c65b59e4ec2..0ac0509abf78 100644
 | |
| --- net/http/transport_security_state.h
 | |
| +++ net/http/transport_security_state.h
 | |
| @@ -561,6 +561,10 @@ class NET_EXPORT TransportSecurityState {
 | |
|    // Expect-CT reports.
 | |
|    void ClearReportCachesForTesting();
 | |
|  
 | |
| +  void set_enforce_net_security_expiration(bool enforce) {
 | |
| +    enforce_net_security_expiration_ = enforce;
 | |
| +  }
 | |
| +
 | |
|   private:
 | |
|    friend class TransportSecurityStateTest;
 | |
|    friend class TransportSecurityStateStaticFuzzer;
 | |
| @@ -581,7 +585,7 @@ class NET_EXPORT TransportSecurityState {
 | |
|    // IsBuildTimely returns true if the current build is new enough ensure that
 | |
|    // built in security information (i.e. HSTS preloading and pinning
 | |
|    // information) is timely.
 | |
| -  static bool IsBuildTimely();
 | |
| +  bool IsBuildTimely() const;
 | |
|  
 | |
|    // Helper method for actually checking pins.
 | |
|    PKPStatus CheckPublicKeyPinsImpl(
 | |
| @@ -679,6 +683,8 @@ class NET_EXPORT TransportSecurityState {
 | |
|    // True if public key pinning bypass is enabled for local trust anchors.
 | |
|    bool enable_pkp_bypass_for_local_trust_anchors_;
 | |
|  
 | |
| +  bool enforce_net_security_expiration_ = true;
 | |
| +
 | |
|    ExpectCTReporter* expect_ct_reporter_ = nullptr;
 | |
|  
 | |
|    RequireCTDelegate* require_ct_delegate_ = nullptr;
 |