From: csagan5 <32685696+csagan5@users.noreply.github.com>
|
|
Date: Fri, 10 Jun 2022 14:20:02 +0200
|
|
Subject: Enable Certificate Transparency
|
|
|
|
Reporting/auditing functionalities are disabled; a flag is exposed.
|
|
Add guard to make sure that certificate transparency stays enabled
|
|
by default.
|
|
|
|
License: GPL-3.0-only - https://spdx.org/licenses/GPL-3.0-only.html
|
|
---
|
|
chrome/browser/about_flags.cc | 5 +++++
|
|
chrome/browser/browser_features.cc | 13 +++++++------
|
|
chrome/browser/browser_features.h | 1 +
|
|
chrome/browser/flag_descriptions.cc | 6 +++++-
|
|
chrome/browser/flag_descriptions.h | 5 ++++-
|
|
.../browser/net/system_network_context_manager.cc | 6 +-----
|
|
chrome/browser/ssl/sct_reporting_service.cc | 5 +++++
|
|
chrome/common/chrome_features.cc | 10 ++--------
|
|
net/http/transport_security_state.cc | 5 +++--
|
|
net/url_request/report_sender.cc | 3 ++-
|
|
services/network/network_context.cc | 2 +-
|
|
.../network/sct_auditing/sct_auditing_handler.cc | 2 ++
|
|
12 files changed, 38 insertions(+), 25 deletions(-)
|
|
|
|
diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
|
|
--- a/chrome/browser/about_flags.cc
|
|
+++ b/chrome/browser/about_flags.cc
|
|
@@ -9878,6 +9878,11 @@ const FeatureEntry kFeatureEntries[] = {
|
|
flag_descriptions::kWebMidiDescription, kOsAll,
|
|
FEATURE_VALUE_TYPE(features::kWebMidi)},
|
|
|
|
+ {"certificate-transparency-enabled",
|
|
+ flag_descriptions::kCTEnabledName,
|
|
+ flag_descriptions::kCTEnabledDescription, kOsAll,
|
|
+ FEATURE_VALUE_TYPE(features::kCertificateTransparency)},
|
|
+
|
|
#if BUILDFLAG(IS_CHROMEOS_ASH)
|
|
{"dns-over-https-with-identifiers-reuse-old-policy",
|
|
flag_descriptions::kDnsOverHttpsWithIdentifiersReuseOldPolicyName,
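Review bot: The new `certificate-transparency-enabled` entry is registered for `kOsAll` and, as far as this hunk shows, sits outside any platform guard, but `kCTEnabledName` and `kCTEnabledDescription` are defined and declared only under `#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_LINUX)` in flag_descriptions.cc and flag_descriptions.h. On any other target the entry would reference undeclared names. Moving the two strings out of the Elastic Overscroll guard into an unconditional part of both files would leave that guard unchanged and let the flag build everywhere it is registered. The `kFeatureEntries` array starts and ends outside the hunk, so an enclosing guard cannot be ruled out from here.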
|
|
diff --git a/chrome/browser/browser_features.cc b/chrome/browser/browser_features.cc
|
|
--- a/chrome/browser/browser_features.cc
|
|
+++ b/chrome/browser/browser_features.cc
|
|
@@ -77,6 +77,11 @@ BASE_FEATURE(kEnableUniveralLinks,
|
|
base::FEATURE_ENABLED_BY_DEFAULT);
|
|
#endif
|
|
|
|
+// Enables Certificate Transparency
|
|
+BASE_FEATURE(kCertificateTransparency,
|
|
+ "CertificateTransparency", // must be enabled
|
|
+ base::FEATURE_ENABLED_BY_DEFAULT); // in Bromite
|
|
+
|
|
#if BUILDFLAG(IS_CHROMEOS_ASH)
|
|
// Enables reading and writing PWA notification permissions from quick settings
|
|
// menu.
|
|
@@ -177,12 +182,8 @@ BASE_FEATURE(kWebUsbDeviceDetection,
|
|
// update the list of accepted logs. Embedders who are planning to enable this
|
|
// should first reach out to chrome-certificate-transparency@google.com.
|
|
BASE_FEATURE(kCertificateTransparencyAskBeforeEnabling,
|
|
- "CertificateTransparencyAskBeforeEnabling",
|
|
-#if BUILDFLAG(GOOGLE_CHROME_BRANDING)
|
|
- base::FEATURE_ENABLED_BY_DEFAULT);
|
|
-#else
|
|
- base::FEATURE_DISABLED_BY_DEFAULT);
|
|
-#endif // BUILDFLAG(GOOGLE_CHROME_BRANDING)
|
|
+ "CertificateTransparencyAskBeforeEnabling", // enabled
|
|
+ base::FEATURE_ENABLED_BY_DEFAULT); // by default
|
|
|
|
BASE_FEATURE(kLargeFaviconFromGoogle,
|
|
"LargeFaviconFromGoogle",
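Review bot: The retained comment above `kCertificateTransparencyAskBeforeEnabling` still tells embedders to contact chrome-certificate-transparency@google.com before enabling and refers to updating the list of accepted logs, yet the default is now unconditionally enabled with nothing said about how this build keeps its log list current. CT policy decisions depend on that list, so the comment should state which update mechanism this fork relies on, or that the dependency was checked. The trailing `// enabled` / `// by default` comments only restate the code; if they exist to force a patch conflict when upstream changes the default, say so, e.g. `// Bromite: keep enabled; a conflict here means upstream changed the default`. The comment block starts above the hunk.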
|
|
diff --git a/chrome/browser/browser_features.h b/chrome/browser/browser_features.h
|
|
--- a/chrome/browser/browser_features.h
|
|
+++ b/chrome/browser/browser_features.h
|
|
@@ -58,6 +58,7 @@ BASE_DECLARE_FEATURE(kTabCaptureBlueBorderCrOS);
|
|
|
|
BASE_DECLARE_FEATURE(kWebUsbDeviceDetection);
|
|
|
|
+BASE_DECLARE_FEATURE(kCertificateTransparency);
|
|
BASE_DECLARE_FEATURE(kCertificateTransparencyAskBeforeEnabling);
|
|
|
|
BASE_DECLARE_FEATURE(kLargeFaviconFromGoogle);
|
|
diff --git a/chrome/browser/flag_descriptions.cc b/chrome/browser/flag_descriptions.cc
|
|
--- a/chrome/browser/flag_descriptions.cc
|
|
+++ b/chrome/browser/flag_descriptions.cc
|
|
@@ -7760,7 +7760,11 @@ const char kAutofillCreditCardUploadDescription[] =
|
|
|
|
#endif // defined(TOOLKIT_VIEWS) || BUILDFLAG(IS_ANDROID)
|
|
|
|
-#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID)
|
|
+#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_LINUX)
|
|
+const char kCTEnabledName[] = "Enable Certificate Transparency";
|
|
+const char kCTEnabledDescription[] =
|
|
+ "Enables compliance against the Certificate Transparency Policy, with reporting disabled.";
|
|
+
|
|
const char kElasticOverscrollName[] = "Elastic Overscroll";
|
|
const char kElasticOverscrollDescription[] =
|
|
"Enables Elastic Overscrolling on touchscreens and precision touchpads.";
|
|
diff --git a/chrome/browser/flag_descriptions.h b/chrome/browser/flag_descriptions.h
|
|
--- a/chrome/browser/flag_descriptions.h
|
|
+++ b/chrome/browser/flag_descriptions.h
|
|
@@ -4496,7 +4496,10 @@ extern const char kAutofillCreditCardUploadDescription[];
|
|
|
|
#endif // defined(TOOLKIT_VIEWS) || BUILDFLAG(IS_ANDROID)
|
|
|
|
-#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID)
|
|
+#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_LINUX)
|
|
+extern const char kCTEnabledName[];
|
|
+extern const char kCTEnabledDescription[];
|
|
+
|
|
extern const char kElasticOverscrollName[];
|
|
extern const char kElasticOverscrollDescription[];
|
|
#endif // BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID)
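Review bot: The closing `#endif // BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID)` at the end of this hunk no longer matches the widened condition. Update it to `#endif  // BUILDFLAG(IS_WIN) || BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_LINUX)`; the matching `#endif` in flag_descriptions.cc lies outside its hunk and likely needs the same edit. Widening the guard also exposes the Elastic Overscroll declarations on Linux, a side effect the commit message does not mention and that should be checked against any existing Linux-only definitions.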
|
|
diff --git a/chrome/browser/net/system_network_context_manager.cc b/chrome/browser/net/system_network_context_manager.cc
|
|
--- a/chrome/browser/net/system_network_context_manager.cc
|
|
+++ b/chrome/browser/net/system_network_context_manager.cc
|
|
@@ -957,7 +957,6 @@ void SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
|
|
bool SystemNetworkContextManager::IsCertificateTransparencyEnabled() {
|
|
if (certificate_transparency_enabled_for_testing_.has_value())
|
|
return certificate_transparency_enabled_for_testing_.value();
|
|
-#if defined(OFFICIAL_BUILD)
|
|
// TODO(carlosil): Figure out if we can/should remove the OFFICIAL_BUILD
|
|
// check now that enforcement does not rely on build dates.
|
|
// Certificate Transparency is enabled:
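Review bot: Two comments kept in `IsCertificateTransparencyEnabled()` are stale after this change. The `TODO(carlosil)` about removing the `OFFICIAL_BUILD` check stays although this hunk deletes that check, and the bullet in the next hunk still says the result is controlled by `kCertificateTransparencyAskBeforeEnabling` while the function now returns `features::kCertificateTransparency`. Replace them with one line such as `// Controlled solely by features::kCertificateTransparency (enabled by default).` so that a reader auditing CT enforcement is not sent to the wrong feature.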
|
|
@@ -965,10 +964,7 @@ bool SystemNetworkContextManager::IsCertificateTransparencyEnabled() {
|
|
// - on an opt-in basis for other builds and embedders, controlled with the
|
|
// kCertificateTransparencyAskBeforeEnabling flag
|
|
return base::FeatureList::IsEnabled(
|
|
- features::kCertificateTransparencyAskBeforeEnabling);
|
|
-#else
|
|
- return false;
|
|
-#endif // defined(OFFICIAL_BUILD)
|
|
+ features::kCertificateTransparency);
|
|
}
|
|
|
|
#if BUILDFLAG(CHROME_ROOT_STORE_OPTIONAL)
|
|
diff --git a/chrome/browser/ssl/sct_reporting_service.cc b/chrome/browser/ssl/sct_reporting_service.cc
|
|
--- a/chrome/browser/ssl/sct_reporting_service.cc
|
|
+++ b/chrome/browser/ssl/sct_reporting_service.cc
|
|
@@ -211,6 +211,11 @@ void SetSCTAuditingEnabledForStoragePartition(
|
|
} // namespace
|
|
|
|
network::mojom::SCTAuditingMode SCTReportingService::GetReportingMode() {
|
|
+ if ((true)) {
|
|
+ // always disabled in Bromite
|
|
+ return network::mojom::SCTAuditingMode::kDisabled;
|
|
+ }
|
|
+
|
|
if (profile_->IsOffTheRecord() ||
|
|
!base::FeatureList::IsEnabled(features::kSCTAuditing)) {
|
|
return network::mojom::SCTAuditingMode::kDisabled;
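Review bot: The `if ((true))` early return leaves the rest of `GetReportingMode()` compiled but unreachable, and the same constant-condition pattern appears without any comment in sct_auditing_handler.cc (`if ((true)) return;` in `MaybeEnqueueReport` and `AddReporter`) and as `if ((false) /* ... */)` in network_context.cc. Each site should carry the reason, as this one does, for example `if ((true)) return;  // SCT auditing is disabled in this build; never enqueue or upload`. A single named constant shared by the four sites would let an audit of "reporting compiled out" find them all with one search. The function body continues past the hunk.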
|
|
diff --git a/chrome/common/chrome_features.cc b/chrome/common/chrome_features.cc
|
|
--- a/chrome/common/chrome_features.cc
|
|
+++ b/chrome/common/chrome_features.cc
|
|
@@ -1127,15 +1127,9 @@ BASE_FEATURE(kSchedulerConfiguration,
|
|
base::FEATURE_DISABLED_BY_DEFAULT);
|
|
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
|
|
|
|
-// Controls whether SCT audit reports are queued and the rate at which they
|
|
-// should be sampled. Default sampling rate is 1/10,000 certificates.
|
|
-#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && !BUILDFLAG(IS_ANDROID)
|
|
-BASE_FEATURE(kSCTAuditing, "SCTAuditing", base::FEATURE_ENABLED_BY_DEFAULT);
|
|
-#else
|
|
// This requires backend infrastructure and a data collection policy.
|
|
// Non-Chrome builds should not use Chrome's infrastructure.
|
|
BASE_FEATURE(kSCTAuditing, "SCTAuditing", base::FEATURE_DISABLED_BY_DEFAULT);
|
|
-#endif
|
|
constexpr base::FeatureParam<double> kSCTAuditingSamplingRate{
|
|
&kSCTAuditing, "sampling_rate", 0.0001};
|
|
|
|
@@ -1144,8 +1138,8 @@ constexpr base::FeatureParam<double> kSCTAuditingSamplingRate{
|
|
// about an SCT seen in the wild. If it hasn't been seen, then it is considered
|
|
// a security incident and uploaded to Google.
|
|
BASE_FEATURE(kSCTAuditingHashdance,
|
|
- "SCTAuditingHashdance",
|
|
- base::FEATURE_ENABLED_BY_DEFAULT);
|
|
+ "SCTAuditingHashdance", // disabled
|
|
+ base::FEATURE_DISABLED_BY_DEFAULT); // by default
|
|
|
|
// An estimated high bound for the time it takes Google to ingest updates to an
|
|
// SCT log. Chrome will wait for at least this time plus the Log's Maximum Merge
|
|
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
|
|
--- a/net/http/transport_security_state.cc
|
|
+++ b/net/http/transport_security_state.cc
|
|
@@ -329,6 +329,7 @@ class HSTSPreloadDecoder : public net::extras::PreloadDecoder {
|
|
|
|
bool DecodeHSTSPreload(const std::string& search_hostname, PreloadResult* out) {
|
|
#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
|
|
+#error "BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) must be enabled"
|
|
if (g_hsts_source == nullptr)
|
|
return false;
|
|
#endif
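Review bot: The new `#error` sits inside the `#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)` branch of `DecodeHSTSPreload`, so the `g_hsts_source == nullptr` fallback that follows it in the same branch can never be built. It also concerns the HSTS preload list, which the commit message about Certificate Transparency does not explain. Add a comment giving the reason, e.g. `// Build guard: refuse to build without the preloaded transport security list.`, and consider placing the check at file scope so it does not read as part of the function's logic.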
|
|
@@ -374,8 +375,8 @@ bool DecodeHSTSPreload(const std::string& search_hostname, PreloadResult* out) {
|
|
|
|
// static
|
|
BASE_FEATURE(kCertificateTransparencyEnforcement,
|
|
- "CertificateTransparencyEnforcement",
|
|
- base::FEATURE_ENABLED_BY_DEFAULT);
|
|
+ "CertificateTransparencyEnforcement", // must be enabled
|
|
+ base::FEATURE_ENABLED_BY_DEFAULT); // in Bromite
|
|
|
|
void SetTransportSecurityStateSourceForTesting(
|
|
const TransportSecurityStateSource* source) {
|
|
diff --git a/net/url_request/report_sender.cc b/net/url_request/report_sender.cc
|
|
--- a/net/url_request/report_sender.cc
|
|
+++ b/net/url_request/report_sender.cc
|
|
@@ -87,7 +87,8 @@ void ReportSender::Send(
|
|
|
|
URLRequest* raw_url_request = url_request.get();
|
|
inflight_requests_[raw_url_request] = std::move(url_request);
|
|
- raw_url_request->Start();
|
|
+ // pretend that request completed
|
|
+ OnResponseStarted(raw_url_request, OK);
|
|
}
|
|
|
|
void ReportSender::OnResponseStarted(URLRequest* request, int net_error) {
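Review bot: Replacing `raw_url_request->Start()` with a direct `OnResponseStarted(raw_url_request, OK)` completes a request that was never started, synchronously and before `Send()` returns, for every `ReportSender` client rather than only the CT reporters. `OnResponseStarted`'s body is outside the hunk, so it should be confirmed which callback it picks for a request with no response and whether callers tolerate re-entrant completion. The request is still built and stored in `inflight_requests_` before being discarded; an early return at the top of `Send()` (which starts above the hunk) would make the no-network guarantee obvious. At minimum expand the comment, e.g. `// Reports are never sent in this build: complete synchronously without calling Start().`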
|
|
diff --git a/services/network/network_context.cc b/services/network/network_context.cc
|
|
--- a/services/network/network_context.cc
|
|
+++ b/services/network/network_context.cc
|
|
@@ -2796,7 +2796,7 @@ URLRequestContextOwner NetworkContext::MakeURLRequestContext(
|
|
// TransportSecurityState. Since no requests have been made yet, safe to do
|
|
// this even after the call to Build().
|
|
|
|
- if (params_->enable_certificate_reporting) {
|
|
+ if ((false) /* params_->enable_certificate_reporting*/) {
|
|
net::NetworkTrafficAnnotationTag traffic_annotation =
|
|
net::DefineNetworkTrafficAnnotation("domain_security_policy", R"(
|
|
semantics {
|
|
diff --git a/services/network/sct_auditing/sct_auditing_handler.cc b/services/network/sct_auditing/sct_auditing_handler.cc
|
|
--- a/services/network/sct_auditing/sct_auditing_handler.cc
|
|
+++ b/services/network/sct_auditing/sct_auditing_handler.cc
|
|
@@ -109,6 +109,7 @@ void SCTAuditingHandler::MaybeEnqueueReport(
|
|
if (mode_ == mojom::SCTAuditingMode::kDisabled) {
|
|
return;
|
|
}
|
|
+ if ((true)) return;
|
|
|
|
// Only audit valid SCTs. This ensures that they come from a known log, have
|
|
// a valid signature, and thus are expected to be public certificates. If
|
|
@@ -324,6 +325,7 @@ void SCTAuditingHandler::AddReporter(
|
|
if (mode_ == mojom::SCTAuditingMode::kDisabled) {
|
|
return;
|
|
}
|
|
+ if ((true)) return;
|
|
|
|
auto reporter = std::make_unique<SCTAuditingReporter>(
|
|
owner_network_context_, reporter_key, std::move(report),
|
|
--
|
|
2.25.1
|