LeOSium_old/patches/0003-LeOS/1-19/6 - Enable-Certificate-Tran...

202 lines
9.3 KiB
Diff
Raw Permalink Normal View History

2023-11-18 11:23:04 +01:00
From: csagan5 <32685696+csagan5@users.noreply.github.com>
Date: Fri, 10 Jun 2022 14:20:02 +0200
Subject: Enable Certificate Transparency
Reporting/auditing functionalities are disabled; a flag is exposed.
Add guard to make sure that certificate transparency stays enabled
by default.
License: GPL-3.0-only - https://spdx.org/licenses/GPL-3.0-only.html
Change-Id: I743519ccda7c357578c23b0a074292649b3afb3d
---
chrome/browser/about_flags.cc | 5 +++++
chrome/browser/browser_features.cc | 4 ++--
chrome/browser/flag_descriptions.cc | 4 ++++
chrome/browser/flag_descriptions.h | 3 +++
chrome/browser/net/system_network_context_manager.cc | 4 ----
chrome/browser/ssl/sct_reporting_service.cc | 5 +++++
chrome/common/chrome_features.cc | 6 +-----
net/http/transport_security_state.cc | 5 +++--
net/url_request/report_sender.cc | 3 ++-
services/network/network_context.cc | 2 +-
services/network/sct_auditing/sct_auditing_handler.cc | 2 ++
11 files changed, 28 insertions(+), 15 deletions(-)
diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
--- a/chrome/browser/about_flags.cc
+++ b/chrome/browser/about_flags.cc
@@ -8778,6 +8778,11 @@ const FeatureEntry kFeatureEntries[] = {
flag_descriptions::kWebMidiDescription, kOsAll,
FEATURE_VALUE_TYPE(features::kWebMidi)},
#if BUILDFLAG(IS_ANDROID)
+ {"certificate-transparency-enabled",
+ flag_descriptions::kCTEnabledName,
+ flag_descriptions::kCTEnabledDescription, kOsAndroid,
+ FEATURE_VALUE_TYPE(features::kCertificateTransparencyAndroid)},
+
{"use-real-color-space-for-android-video",
flag_descriptions::kUseRealColorSpaceForAndroidVideoName,
flag_descriptions::kUseRealColorSpaceForAndroidVideoDescription,
diff --git a/chrome/browser/browser_features.cc b/chrome/browser/browser_features.cc
--- a/chrome/browser/browser_features.cc
+++ b/chrome/browser/browser_features.cc
@@ -173,8 +173,8 @@ BASE_FEATURE(kWebUsbDeviceDetection,
#if BUILDFLAG(IS_ANDROID)
// Enables Certificate Transparency on Android.
BASE_FEATURE(kCertificateTransparencyAndroid,
- "CertificateTransparencyAndroid",
- base::FEATURE_ENABLED_BY_DEFAULT);
+ "CertificateTransparencyAndroid", // must be enabled
+ base::FEATURE_ENABLED_BY_DEFAULT); // in Bromite
#endif
BASE_FEATURE(kLargeFaviconFromGoogle,
diff --git a/chrome/browser/flag_descriptions.cc b/chrome/browser/flag_descriptions.cc
--- a/chrome/browser/flag_descriptions.cc
+++ b/chrome/browser/flag_descriptions.cc
@@ -6753,6 +6753,10 @@ const char kAutofillCreditCardUploadDescription[] =
#endif // defined(TOOLKIT_VIEWS) || BUILDFLAG(IS_ANDROID)
#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID)
+const char kCTEnabledName[] = "Enable Certificate Transparency";
+const char kCTEnabledDescription[] =
+ "Enables compliance against the Certificate Transparency Policy, with reporting disabled.";
+
const char kElasticOverscrollName[] = "Elastic Overscroll";
const char kElasticOverscrollDescription[] =
"Enables Elastic Overscrolling on touchscreens and precision touchpads.";
diff --git a/chrome/browser/flag_descriptions.h b/chrome/browser/flag_descriptions.h
--- a/chrome/browser/flag_descriptions.h
+++ b/chrome/browser/flag_descriptions.h
@@ -3929,6 +3929,9 @@ extern const char kAutofillCreditCardUploadDescription[];
#endif // defined(TOOLKIT_VIEWS) || BUILDFLAG(IS_ANDROID)
#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID)
+extern const char kCTEnabledName[];
+extern const char kCTEnabledDescription[];
+
extern const char kElasticOverscrollName[];
extern const char kElasticOverscrollDescription[];
#endif // BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID)
diff --git a/chrome/browser/net/system_network_context_manager.cc b/chrome/browser/net/system_network_context_manager.cc
--- a/chrome/browser/net/system_network_context_manager.cc
+++ b/chrome/browser/net/system_network_context_manager.cc
@@ -920,7 +920,6 @@ void SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
bool SystemNetworkContextManager::IsCertificateTransparencyEnabled() {
if (certificate_transparency_enabled_for_testing_.has_value())
return certificate_transparency_enabled_for_testing_.value();
-#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD)
// TODO(carlosil): Figure out if we can/should remove the OFFICIAL_BUILD and
// GOOGLE_CHROME_BRANDING checks now that enforcement does not rely on build
// dates, and allow embedders to enforce.
@@ -934,9 +933,6 @@ bool SystemNetworkContextManager::IsCertificateTransparencyEnabled() {
#else
return true;
#endif // BUILDFLAG(IS_ANDROID)
-#else
- return false;
-#endif // BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD)
}
network::mojom::NetworkContextParamsPtr
diff --git a/chrome/browser/ssl/sct_reporting_service.cc b/chrome/browser/ssl/sct_reporting_service.cc
--- a/chrome/browser/ssl/sct_reporting_service.cc
+++ b/chrome/browser/ssl/sct_reporting_service.cc
@@ -211,6 +211,11 @@ void SetSCTAuditingEnabledForStoragePartition(
} // namespace
network::mojom::SCTAuditingMode SCTReportingService::GetReportingMode() {
+ if ((true)) {
+ // always disabled in Bromite
+ return network::mojom::SCTAuditingMode::kDisabled;
+ }
+
if (profile_->IsOffTheRecord() ||
!base::FeatureList::IsEnabled(features::kSCTAuditing)) {
return network::mojom::SCTAuditingMode::kDisabled;
diff --git a/chrome/common/chrome_features.cc b/chrome/common/chrome_features.cc
--- a/chrome/common/chrome_features.cc
+++ b/chrome/common/chrome_features.cc
@@ -989,11 +989,7 @@ BASE_FEATURE(kSchedulerConfiguration,
// Controls whether SCT audit reports are queued and the rate at which they
// should be sampled. Default sampling rate is 1/10,000 certificates.
-#if BUILDFLAG(IS_ANDROID)
-BASE_FEATURE(kSCTAuditing, "SCTAuditing", base::FEATURE_DISABLED_BY_DEFAULT);
-#else
-BASE_FEATURE(kSCTAuditing, "SCTAuditing", base::FEATURE_ENABLED_BY_DEFAULT);
-#endif
+BASE_FEATURE(kSCTAuditing, "SCTAuditing", base::FEATURE_DISABLED_BY_DEFAULT); // disabled in Bromite
constexpr base::FeatureParam<double> kSCTAuditingSamplingRate{
&kSCTAuditing, "sampling_rate", 0.0001};
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -319,6 +319,7 @@ class HSTSPreloadDecoder : public net::extras::PreloadDecoder {
bool DecodeHSTSPreload(const std::string& search_hostname, PreloadResult* out) {
#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
+#error "BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) must be enabled"
if (g_hsts_source == nullptr)
return false;
#endif
@@ -364,8 +365,8 @@ bool DecodeHSTSPreload(const std::string& search_hostname, PreloadResult* out) {
// static
BASE_FEATURE(kCertificateTransparencyEnforcement,
- "CertificateTransparencyEnforcement",
- base::FEATURE_ENABLED_BY_DEFAULT);
+ "CertificateTransparencyEnforcement", // must be enabled
+ base::FEATURE_ENABLED_BY_DEFAULT); // in Bromite
void SetTransportSecurityStateSourceForTesting(
const TransportSecurityStateSource* source) {
diff --git a/net/url_request/report_sender.cc b/net/url_request/report_sender.cc
--- a/net/url_request/report_sender.cc
+++ b/net/url_request/report_sender.cc
@@ -87,7 +87,8 @@ void ReportSender::Send(
URLRequest* raw_url_request = url_request.get();
inflight_requests_[raw_url_request] = std::move(url_request);
- raw_url_request->Start();
+ // pretend that request completed
+ OnResponseStarted(raw_url_request, OK);
}
void ReportSender::OnResponseStarted(URLRequest* request, int net_error) {
diff --git a/services/network/network_context.cc b/services/network/network_context.cc
--- a/services/network/network_context.cc
+++ b/services/network/network_context.cc
@@ -2566,7 +2566,7 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext(
// TransportSecurityState. Since no requests have been made yet, safe to do
// this even after the call to Build().
- if (params_->enable_certificate_reporting) {
+ if ((false) /* params_->enable_certificate_reporting*/) {
net::NetworkTrafficAnnotationTag traffic_annotation =
net::DefineNetworkTrafficAnnotation("domain_security_policy", R"(
semantics {
diff --git a/services/network/sct_auditing/sct_auditing_handler.cc b/services/network/sct_auditing/sct_auditing_handler.cc
--- a/services/network/sct_auditing/sct_auditing_handler.cc
+++ b/services/network/sct_auditing/sct_auditing_handler.cc
@@ -109,6 +109,7 @@ void SCTAuditingHandler::MaybeEnqueueReport(
if (mode_ == mojom::SCTAuditingMode::kDisabled) {
return;
}
+ if ((true)) return;
// Only audit valid SCTs. This ensures that they come from a known log, have
// a valid signature, and thus are expected to be public certificates. If
@@ -327,6 +328,7 @@ void SCTAuditingHandler::AddReporter(
if (mode_ == mojom::SCTAuditingMode::kDisabled) {
return;
}
+ if ((true)) return;
auto reporter = std::make_unique<SCTAuditingReporter>(
owner_network_context_, reporter_key, std::move(report),
--
2.40.1