202 lines
9.3 KiB
Diff
202 lines
9.3 KiB
Diff
|
From: csagan5 <32685696+csagan5@users.noreply.github.com>
|
||
|
Date: Fri, 10 Jun 2022 14:20:02 +0200
|
||
|
Subject: Enable Certificate Transparency
|
||
|
|
||
|
Reporting/auditing functionalities are disabled; a flag is exposed.
|
||
|
Add guard to make sure that certificate transparency stays enabled
|
||
|
by default.
|
||
|
|
||
|
License: GPL-3.0-only - https://spdx.org/licenses/GPL-3.0-only.html
|
||
|
Change-Id: I743519ccda7c357578c23b0a074292649b3afb3d
|
||
|
---
|
||
|
chrome/browser/about_flags.cc | 5 +++++
|
||
|
chrome/browser/browser_features.cc | 4 ++--
|
||
|
chrome/browser/flag_descriptions.cc | 4 ++++
|
||
|
chrome/browser/flag_descriptions.h | 3 +++
|
||
|
chrome/browser/net/system_network_context_manager.cc | 4 ----
|
||
|
chrome/browser/ssl/sct_reporting_service.cc | 5 +++++
|
||
|
chrome/common/chrome_features.cc | 6 +-----
|
||
|
net/http/transport_security_state.cc | 5 +++--
|
||
|
net/url_request/report_sender.cc | 3 ++-
|
||
|
services/network/network_context.cc | 2 +-
|
||
|
services/network/sct_auditing/sct_auditing_handler.cc | 2 ++
|
||
|
11 files changed, 28 insertions(+), 15 deletions(-)
|
||
|
|
||
|
diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
|
||
|
--- a/chrome/browser/about_flags.cc
|
||
|
+++ b/chrome/browser/about_flags.cc
|
||
|
@@ -8778,6 +8778,11 @@ const FeatureEntry kFeatureEntries[] = {
|
||
|
flag_descriptions::kWebMidiDescription, kOsAll,
|
||
|
FEATURE_VALUE_TYPE(features::kWebMidi)},
|
||
|
#if BUILDFLAG(IS_ANDROID)
|
||
|
+ {"certificate-transparency-enabled",
|
||
|
+ flag_descriptions::kCTEnabledName,
|
||
|
+ flag_descriptions::kCTEnabledDescription, kOsAndroid,
|
||
|
+ FEATURE_VALUE_TYPE(features::kCertificateTransparencyAndroid)},
|
||
|
+
|
||
|
{"use-real-color-space-for-android-video",
|
||
|
flag_descriptions::kUseRealColorSpaceForAndroidVideoName,
|
||
|
flag_descriptions::kUseRealColorSpaceForAndroidVideoDescription,
|
||
|
diff --git a/chrome/browser/browser_features.cc b/chrome/browser/browser_features.cc
|
||
|
--- a/chrome/browser/browser_features.cc
|
||
|
+++ b/chrome/browser/browser_features.cc
|
||
|
@@ -173,8 +173,8 @@ BASE_FEATURE(kWebUsbDeviceDetection,
|
||
|
#if BUILDFLAG(IS_ANDROID)
|
||
|
// Enables Certificate Transparency on Android.
|
||
|
BASE_FEATURE(kCertificateTransparencyAndroid,
|
||
|
- "CertificateTransparencyAndroid",
|
||
|
- base::FEATURE_ENABLED_BY_DEFAULT);
|
||
|
+ "CertificateTransparencyAndroid", // must be enabled
|
||
|
+ base::FEATURE_ENABLED_BY_DEFAULT); // in Bromite
|
||
|
#endif
|
||
|
|
||
|
BASE_FEATURE(kLargeFaviconFromGoogle,
|
||
|
diff --git a/chrome/browser/flag_descriptions.cc b/chrome/browser/flag_descriptions.cc
|
||
|
--- a/chrome/browser/flag_descriptions.cc
|
||
|
+++ b/chrome/browser/flag_descriptions.cc
|
||
|
@@ -6753,6 +6753,10 @@ const char kAutofillCreditCardUploadDescription[] =
|
||
|
#endif // defined(TOOLKIT_VIEWS) || BUILDFLAG(IS_ANDROID)
|
||
|
|
||
|
#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID)
|
||
|
+const char kCTEnabledName[] = "Enable Certificate Transparency";
|
||
|
+const char kCTEnabledDescription[] =
|
||
|
+ "Enables compliance against the Certificate Transparency Policy, with reporting disabled.";
|
||
|
+
|
||
|
const char kElasticOverscrollName[] = "Elastic Overscroll";
|
||
|
const char kElasticOverscrollDescription[] =
|
||
|
"Enables Elastic Overscrolling on touchscreens and precision touchpads.";
|
||
|
diff --git a/chrome/browser/flag_descriptions.h b/chrome/browser/flag_descriptions.h
|
||
|
--- a/chrome/browser/flag_descriptions.h
|
||
|
+++ b/chrome/browser/flag_descriptions.h
|
||
|
@@ -3929,6 +3929,9 @@ extern const char kAutofillCreditCardUploadDescription[];
|
||
|
#endif // defined(TOOLKIT_VIEWS) || BUILDFLAG(IS_ANDROID)
|
||
|
|
||
|
#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID)
|
||
|
+extern const char kCTEnabledName[];
|
||
|
+extern const char kCTEnabledDescription[];
|
||
|
+
|
||
|
extern const char kElasticOverscrollName[];
|
||
|
extern const char kElasticOverscrollDescription[];
|
||
|
#endif // BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID)
|
||
|
diff --git a/chrome/browser/net/system_network_context_manager.cc b/chrome/browser/net/system_network_context_manager.cc
|
||
|
--- a/chrome/browser/net/system_network_context_manager.cc
|
||
|
+++ b/chrome/browser/net/system_network_context_manager.cc
|
||
|
@@ -920,7 +920,6 @@ void SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
|
||
|
bool SystemNetworkContextManager::IsCertificateTransparencyEnabled() {
|
||
|
if (certificate_transparency_enabled_for_testing_.has_value())
|
||
|
return certificate_transparency_enabled_for_testing_.value();
|
||
|
-#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD)
|
||
|
// TODO(carlosil): Figure out if we can/should remove the OFFICIAL_BUILD and
|
||
|
// GOOGLE_CHROME_BRANDING checks now that enforcement does not rely on build
|
||
|
// dates, and allow embedders to enforce.
|
||
|
@@ -934,9 +933,6 @@ bool SystemNetworkContextManager::IsCertificateTransparencyEnabled() {
|
||
|
#else
|
||
|
return true;
|
||
|
#endif // BUILDFLAG(IS_ANDROID)
|
||
|
-#else
|
||
|
- return false;
|
||
|
-#endif // BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD)
|
||
|
}
|
||
|
|
||
|
network::mojom::NetworkContextParamsPtr
|
||
|
diff --git a/chrome/browser/ssl/sct_reporting_service.cc b/chrome/browser/ssl/sct_reporting_service.cc
|
||
|
--- a/chrome/browser/ssl/sct_reporting_service.cc
|
||
|
+++ b/chrome/browser/ssl/sct_reporting_service.cc
|
||
|
@@ -211,6 +211,11 @@ void SetSCTAuditingEnabledForStoragePartition(
|
||
|
} // namespace
|
||
|
|
||
|
network::mojom::SCTAuditingMode SCTReportingService::GetReportingMode() {
|
||
|
+ if ((true)) {
|
||
|
+ // always disabled in Bromite
|
||
|
+ return network::mojom::SCTAuditingMode::kDisabled;
|
||
|
+ }
|
||
|
+
|
||
|
if (profile_->IsOffTheRecord() ||
|
||
|
!base::FeatureList::IsEnabled(features::kSCTAuditing)) {
|
||
|
return network::mojom::SCTAuditingMode::kDisabled;
|
||
|
diff --git a/chrome/common/chrome_features.cc b/chrome/common/chrome_features.cc
|
||
|
--- a/chrome/common/chrome_features.cc
|
||
|
+++ b/chrome/common/chrome_features.cc
|
||
|
@@ -989,11 +989,7 @@ BASE_FEATURE(kSchedulerConfiguration,
|
||
|
|
||
|
// Controls whether SCT audit reports are queued and the rate at which they
|
||
|
// should be sampled. Default sampling rate is 1/10,000 certificates.
|
||
|
-#if BUILDFLAG(IS_ANDROID)
|
||
|
-BASE_FEATURE(kSCTAuditing, "SCTAuditing", base::FEATURE_DISABLED_BY_DEFAULT);
|
||
|
-#else
|
||
|
-BASE_FEATURE(kSCTAuditing, "SCTAuditing", base::FEATURE_ENABLED_BY_DEFAULT);
|
||
|
-#endif
|
||
|
+BASE_FEATURE(kSCTAuditing, "SCTAuditing", base::FEATURE_DISABLED_BY_DEFAULT); // disabled in Bromite
|
||
|
constexpr base::FeatureParam<double> kSCTAuditingSamplingRate{
|
||
|
&kSCTAuditing, "sampling_rate", 0.0001};
|
||
|
|
||
|
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
|
||
|
--- a/net/http/transport_security_state.cc
|
||
|
+++ b/net/http/transport_security_state.cc
|
||
|
@@ -319,6 +319,7 @@ class HSTSPreloadDecoder : public net::extras::PreloadDecoder {
|
||
|
|
||
|
bool DecodeHSTSPreload(const std::string& search_hostname, PreloadResult* out) {
|
||
|
#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
|
||
|
+#error "BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) must be enabled"
|
||
|
if (g_hsts_source == nullptr)
|
||
|
return false;
|
||
|
#endif
|
||
|
@@ -364,8 +365,8 @@ bool DecodeHSTSPreload(const std::string& search_hostname, PreloadResult* out) {
|
||
|
|
||
|
// static
|
||
|
BASE_FEATURE(kCertificateTransparencyEnforcement,
|
||
|
- "CertificateTransparencyEnforcement",
|
||
|
- base::FEATURE_ENABLED_BY_DEFAULT);
|
||
|
+ "CertificateTransparencyEnforcement", // must be enabled
|
||
|
+ base::FEATURE_ENABLED_BY_DEFAULT); // in Bromite
|
||
|
|
||
|
void SetTransportSecurityStateSourceForTesting(
|
||
|
const TransportSecurityStateSource* source) {
|
||
|
diff --git a/net/url_request/report_sender.cc b/net/url_request/report_sender.cc
|
||
|
--- a/net/url_request/report_sender.cc
|
||
|
+++ b/net/url_request/report_sender.cc
|
||
|
@@ -87,7 +87,8 @@ void ReportSender::Send(
|
||
|
|
||
|
URLRequest* raw_url_request = url_request.get();
|
||
|
inflight_requests_[raw_url_request] = std::move(url_request);
|
||
|
- raw_url_request->Start();
|
||
|
+ // pretend that request completed
|
||
|
+ OnResponseStarted(raw_url_request, OK);
|
||
|
}
|
||
|
|
||
|
void ReportSender::OnResponseStarted(URLRequest* request, int net_error) {
|
||
|
diff --git a/services/network/network_context.cc b/services/network/network_context.cc
|
||
|
--- a/services/network/network_context.cc
|
||
|
+++ b/services/network/network_context.cc
|
||
|
@@ -2566,7 +2566,7 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext(
|
||
|
// TransportSecurityState. Since no requests have been made yet, safe to do
|
||
|
// this even after the call to Build().
|
||
|
|
||
|
- if (params_->enable_certificate_reporting) {
|
||
|
+ if ((false) /* params_->enable_certificate_reporting*/) {
|
||
|
net::NetworkTrafficAnnotationTag traffic_annotation =
|
||
|
net::DefineNetworkTrafficAnnotation("domain_security_policy", R"(
|
||
|
semantics {
|
||
|
diff --git a/services/network/sct_auditing/sct_auditing_handler.cc b/services/network/sct_auditing/sct_auditing_handler.cc
|
||
|
--- a/services/network/sct_auditing/sct_auditing_handler.cc
|
||
|
+++ b/services/network/sct_auditing/sct_auditing_handler.cc
|
||
|
@@ -109,6 +109,7 @@ void SCTAuditingHandler::MaybeEnqueueReport(
|
||
|
if (mode_ == mojom::SCTAuditingMode::kDisabled) {
|
||
|
return;
|
||
|
}
|
||
|
+ if ((true)) return;
|
||
|
|
||
|
// Only audit valid SCTs. This ensures that they come from a known log, have
|
||
|
// a valid signature, and thus are expected to be public certificates. If
|
||
|
@@ -327,6 +328,7 @@ void SCTAuditingHandler::AddReporter(
|
||
|
if (mode_ == mojom::SCTAuditingMode::kDisabled) {
|
||
|
return;
|
||
|
}
|
||
|
+ if ((true)) return;
|
||
|
|
||
|
auto reporter = std::make_unique<SCTAuditingReporter>(
|
||
|
owner_network_context_, reporter_key, std::move(report),
|
||
|
--
|
||
|
2.40.1
|
||
|
|