[chromium-libs-media-freeworld: 78/201] Merge branch 'master' into epel8
commit 67061b489484edb1d5e87b3551ed72695fbaafce
Merge: 2c4faae f341b67
Author: Tom Callaway <spot(a)fedoraproject.org>
Date: Thu Sep 5 16:58:58 2019 -0400
Merge branch 'master' into epel8
.gitignore | 22 +
GardinerModBug.ttf | Bin 0 -> 2864 bytes
GardinerModCat.ttf | Bin 0 -> 2296 bytes
chrome-remote-desktop@.service | 14 +
chromium-45.0.2454.101-linux-path-max.patch | 44 +
...7.0.2526.80-nacl-ignore-broken-fd-counter.patch | 27 +
chromium-47.0.2526.80-pnacl-fgnu-inline-asm.patch | 11 +
chromium-53.0.2785.92-boringssl-time-fix.patch | 11 +
chromium-54.0.2840.59-jpeg-include-dir.patch | 11 +
chromium-55.0.2883.75-addrfix.patch | 11 +
...-b794998819088f76b4cf44c8db6940240c563cf4.patch | 19 +
chromium-59.0.3071.86-i686-ld-memory-tricks.patch | 12 +
...3112.113-libavutil-timer-include-path-fix.patch | 21 +
chromium-60.0.3112.78-jpeg-nomangle.patch | 14 +
chromium-60.0.3112.78-no-libpng-prefix.patch | 17 +
chromium-61.0.3163.79-gcc-no-opt-safe-math.patch | 13 +
chromium-62.0.3202.62-kmaxskip-constexpr.patch | 12 +
chromium-63.0.3289.84-nullfix.patch | 43 +
chromium-64.0.3282.119-ffmpeg-stdatomic.patch | 17 +
chromium-65.0.3325.146-gcc-round-fix.patch | 12 +
chromium-65.0.3325.146-memcpy-fix.patch | 12 +
...fully-declare-ConfigurationPolicyProvider.patch | 18 +
chromium-66.0.3359.117-system-clang.patch | 12 +
chromium-67.0.3396.62-gcc5.patch | 12 +
chromium-67.0.3396.62-gn-system.patch | 208 ++
chromium-68.0.3440.106-boolfix.patch | 36 +
...8.0.3440.106-fix-default-on-redeclaration.patch | 30 +
chromium-68.0.3440.106-master-prefs-path.patch | 15 +
chromium-69.0.3497.81-build-sanely-please.patch | 33 +
....0.3538.67-disable-fontconfig-cache-magic.patch | 13 +
chromium-70.0.3538.67-sandbox-pie.patch | 20 +
...m-70.0.3538.77-aarch64-arch-want-new-stat.patch | 12 +
chromium-71.0.3578.98-gcc9-drop-rsp-clobber.patch | 12 +
chromium-71.0.3578.98-py2-bootstrap.patch | 33 +
chromium-71.0.3578.98-skia-aarch64-buildfix.patch | 21 +
chromium-71.0.3578.98-widevine-r3.patch | 22 +
chromium-72.0.3626.121-fedora-user-agent.patch | 12 +
chromium-72.0.3626.121-gcc5-r3.patch | 36 +
chromium-72.0.3626.121-notest.patch | 11 +
...75-disable-fno-delete-null-pointer-checks.patch | 48 +
chromium-73.0.3683.75-norar.patch | 81 +
chromium-75.0.3770.100-epel7-stdc++.patch | 11 +
chromium-75.0.3770.100-fix-v8-gcc.patch | 14 +
chromium-75.0.3770.100-git00281713.patch | 34 +
chromium-75.0.3770.80-SIOCGSTAMP.patch | 15 +
...ium-75.0.3770.80-aeed4d-gcc-dcheck_ne-fix.patch | 14 +
chromium-75.0.3770.80-gcc-no-assume.patch | 21 +
chromium-75.0.3770.80-grpc-gettid-fix.patch | 22 +
chromium-75.0.3770.80-no-zlib-mangle.patch | 14 +
chromium-75.0.3770.80-pure-virtual-crash-fix.patch | 24 +
chromium-75.0.3770.80-revert-daff6b.patch | 13 +
chromium-75.0.3770.80-vaapi-i686-fpermissive.patch | 23 +
...m-75.0.3770.80-vaapi-libva1-compatibility.patch | 14 +
chromium-76.0.3809.100-el7-noexcept.patch | 129 +
....0.3809.100-gcc-accountinfo-move-noexcept.patch | 53 +
chromium-76.0.3809.100-gcc-cc-no-except.patch | 105 +
...m-76.0.3809.100-gcc-feature-policy-parser.patch | 76 +
...m-76.0.3809.100-gcc-hasfraction-constexpr.patch | 32 +
...m-76.0.3809.100-gcc-history-move-noexcept.patch | 42 +
...um-76.0.3809.100-gcc-initialization-order.patch | 33 +
...3809.100-gcc-move-explicit-initialization.patch | 97 +
chromium-76.0.3809.100-gcc-net-fetcher.patch | 63 +
...m-76.0.3809.100-gcc-no-alignas-and-export.patch | 14 +
...mium-76.0.3809.100-gcc-remoting-constexpr.patch | 27 +
...m-76.0.3809.100-gcc-themeservice-includes.patch | 36 +
chromium-76.0.3809.100-gcc-vulkan.patch | 115 +
...0.3809.100-libusb_interrupt_event_handler.patch | 15 +
chromium-76.0.3809.100-pulse-api-change.patch | 47 +
chromium-76.0.3809.100-quiche-compile-fix.patch | 225 ++
chromium-76.0.3809.100-throttling-dead-beef.patch | 30 +
...ium-76.0.3809.100-vtable-symbol-undefined.patch | 11 +
chromium-76.0.3809.100-weak-ptr-no-except.patch | 66 +
...um-76.0.3809.132-certificate-transparency.patch | 539 ++++
...-76.0.3809.132-gcc-ambigous-instantiation.patch | 21 +
chromium-browser.desktop | 356 +++
chromium-browser.sh | 58 +
chromium-browser.xml | 18 +
chromium-latest.py | 344 +++
chromium-widevine-other-locations.patch | 23 +
chromium.spec | 2783 ++++++++++++++++++++
clean_ffmpeg.sh | 345 +++
enable-vaapi.patch | 96 +
get_free_ffmpeg_source_files.py | 82 +
get_linux_tests_names.py | 121 +
master_preferences | 17 +
sources | 20 +
86 files changed, 7286 insertions(+)
---
[chromium-libs-media-freeworld: 77/201] "Adding package.cfg file"
commit 2c4faaedb3611d1d5cbf09d7e277a7586b1e9084
Author: Gwyn Ciesla <gwync(a)protonmail.com>
Date: Thu Sep 5 15:46:11 2019 -0500
"Adding package.cfg file"
package.cfg | 2 ++
1 file changed, 2 insertions(+)
---
diff --git a/package.cfg b/package.cfg
new file mode 100644
index 0000000..66ea79d
--- /dev/null
+++ b/package.cfg
@@ -0,0 +1,2 @@
+[koji]
+targets = epel8 epel8-playground
\ No newline at end of file
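Review bot: The new package.cfg is written without a trailing newline (the `\ No newline at end of file` marker after `targets = epel8 epel8-playground`); the koji config reader tolerates it, but the next edit to this file will show the last line as changed even if only a key is appended. Ending the file with a newline after `targets = epel8 epel8-playground` avoids that.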
[chromium-libs-media-freeworld: 76/201] More fixes to a backported patch for certificate transparency
commit c5383dd2883385aa29924a70ec9e644fb4f86b1a
Author: Tomas Popela <tpopela(a)redhat.com>
Date: Wed Sep 4 10:48:30 2019 +0200
More fixes to a backported patch for certificate transparency
...um-76.0.3809.132-certificate-transparency.patch | 413 +++++++++++++++++++--
1 file changed, 373 insertions(+), 40 deletions(-)
---
diff --git a/chromium-76.0.3809.132-certificate-transparency.patch b/chromium-76.0.3809.132-certificate-transparency.patch
index 51937e0..8bfbced 100644
--- a/chromium-76.0.3809.132-certificate-transparency.patch
+++ b/chromium-76.0.3809.132-certificate-transparency.patch
@@ -1,6 +1,73 @@
+diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc
+--- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc.certificate-transparency 2019-09-03 22:08:28.931786496 +0200
++++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc 2019-09-03 22:15:24.743555759 +0200
+@@ -17,6 +17,7 @@
+ #include "chrome/common/pref_names.h"
+ #include "chrome/test/base/in_process_browser_test.h"
+ #include "components/prefs/pref_service.h"
++#include "services/network/public/cpp/network_service_buildflags.h"
+ #include "services/network/public/mojom/network_context.mojom.h"
+ #include "services/network/public/mojom/network_service.mojom.h"
+ #include "testing/gmock/include/gmock/gmock.h"
+@@ -297,3 +298,55 @@ IN_PROC_BROWSER_TEST_P(SystemNetworkCont
+ INSTANTIATE_TEST_SUITE_P(,
+ SystemNetworkContextManagerStubResolverBrowsertest,
+ ::testing::Values(false, true));
++
++class SystemNetworkContextManagerCertificateTransparencyBrowsertest
++ : public SystemNetworkContextManagerBrowsertest,
++ public testing::WithParamInterface<base::Optional<bool>> {
++ public:
++ SystemNetworkContextManagerCertificateTransparencyBrowsertest() {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ GetParam());
++ }
++ ~SystemNetworkContextManagerCertificateTransparencyBrowsertest() override {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ base::nullopt);
++ }
++};
++
++#if BUILDFLAG(IS_CT_SUPPORTED)
++IN_PROC_BROWSER_TEST_P(
++ SystemNetworkContextManagerCertificateTransparencyBrowsertest,
++ CertificateTransparencyConfig) {
++ network::mojom::NetworkContextParamsPtr context_params =
++ g_browser_process->system_network_context_manager()
++ ->CreateDefaultNetworkContextParams();
++
++ const bool kDefault =
++#if defined(GOOGLE_CHROME_BUILD) && defined(OFFICIAL_BUILD) && \
++ !defined(OS_ANDROID)
++ true;
++#else
++ false;
++#endif
++
++ EXPECT_EQ(GetParam().value_or(kDefault),
++ context_params->enforce_chrome_ct_policy);
++ EXPECT_NE(GetParam().value_or(kDefault), context_params->ct_logs.empty());
++
++ if (GetParam().value_or(kDefault)) {
++ bool has_google_log = false;
++ bool has_disqualified_log = false;
++ for (const auto& ct_log : context_params->ct_logs) {
++ has_google_log |= ct_log->operated_by_google;
++ has_disqualified_log |= ct_log->disqualified_at.has_value();
++ }
++ EXPECT_TRUE(has_google_log);
++ EXPECT_TRUE(has_disqualified_log);
++ }
++}
++#endif
++
++INSTANTIATE_TEST_SUITE_P(
++ ,
++ SystemNetworkContextManagerCertificateTransparencyBrowsertest,
++ ::testing::Values(base::nullopt, true, false));
diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc
--- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc.certificate-transparency 2019-08-26 21:02:05.000000000 +0200
-+++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc 2019-09-03 12:01:33.004949320 +0200
++++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc 2019-09-03 22:13:26.451198970 +0200
@@ -4,11 +4,13 @@
#include "chrome/browser/net/system_network_context_manager.h"
@@ -23,52 +90,205 @@ diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manage
#include "mojo/public/cpp/bindings/associated_interface_ptr.h"
#include "net/dns/public/util.h"
#include "net/net_buildflags.h"
-@@ -686,15 +689,41 @@ SystemNetworkContextManager::CreateDefau
+@@ -81,6 +84,20 @@
+
+ namespace {
+
++constexpr bool kCertificateTransparencyEnabled =
++#if defined(GOOGLE_CHROME_BUILD) && defined(OFFICIAL_BUILD) && \
++ !defined(OS_ANDROID)
++ // Certificate Transparency is only enabled if:
++ // - Desktop (!OS_ANDROID); OS_IOS does not use this file
++ // - base::GetBuildTime() is deterministic to the source (OFFICIAL_BUILD)
++ // - The build in reliably updatable (GOOGLE_CHROME_BUILD)
++ true;
++#else
++ false;
++#endif
++
++bool g_enable_certificate_transparency = kCertificateTransparencyEnabled;
++
+ // The global instance of the SystemNetworkContextmanager.
+ SystemNetworkContextManager* g_system_network_context_manager = nullptr;
+
+@@ -686,14 +703,35 @@ SystemNetworkContextManager::CreateDefau
bool http_09_on_non_default_ports_enabled = false;
#if !defined(OS_ANDROID)
- // CT is only enabled on Desktop platforms for now.
+- network_context_params->enforce_chrome_ct_policy = true;
+- for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
+- // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication.
+- network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
+- log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);
+- log_info->name = ct_log.log_name;
+- network_context_params->ct_logs.push_back(std::move(log_info));
++
++ if (g_enable_certificate_transparency) {
++ network_context_params->enforce_chrome_ct_policy = true;
++ network_context_params->ct_log_update_time = base::GetBuildTime();
+
-+#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD) && \
-+ !defined(OS_IOS)
-+ // Certificate Transparency is only enabled if:
-+ // - Desktop (!OS_ANDROID, !OS_IOS)
-+ // - base::GetBuildTime() is deterministic to the source (OFFICIAL_BUILD)
-+ // - The build in reliably updatable (GOOGLE_CHROME_BRANDING)
- network_context_params->enforce_chrome_ct_policy = true;
-+ network_context_params->ct_log_update_time = base::GetBuildTime();
-+
-+ std::vector<std::string> operated_by_google_logs =
-+ certificate_transparency::GetLogsOperatedByGoogle();
-+ std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs =
-+ certificate_transparency::GetDisqualifiedLogs();
- for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
- // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication.
- network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
- log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);
- log_info->name = ct_log.log_name;
-+
-+ std::string log_id = crypto::SHA256HashString(log_info->public_key);
-+ log_info->operated_by_google =
-+ std::binary_search(std::begin(operated_by_google_logs),
-+ std::end(operated_by_google_logs), log_id);
-+ auto it = std::lower_bound(
-+ std::begin(disqualified_logs), std::end(disqualified_logs), log_id,
-+ [](const auto& disqualified_log, const std::string& log_id) {
-+ return disqualified_log.first < log_id;
-+ });
-+ if (it != std::end(disqualified_logs) && it->first == log_id) {
-+ log_info->disqualified_at = it->second;
++ std::vector<std::string> operated_by_google_logs =
++ certificate_transparency::GetLogsOperatedByGoogle();
++ std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs =
++ certificate_transparency::GetDisqualifiedLogs();
++ for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
++ // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication.
++ network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
++ log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);
++ log_info->name = ct_log.log_name;
++
++ std::string log_id = crypto::SHA256HashString(log_info->public_key);
++ log_info->operated_by_google =
++ std::binary_search(std::begin(operated_by_google_logs),
++ std::end(operated_by_google_logs), log_id);
++ auto it = std::lower_bound(
++ std::begin(disqualified_logs), std::end(disqualified_logs), log_id,
++ [](const auto& disqualified_log, const std::string& log_id) {
++ return disqualified_log.first < log_id;
++ });
++ if (it != std::end(disqualified_logs) && it->first == log_id) {
++ log_info->disqualified_at = it->second;
++ }
++ network_context_params->ct_logs.push_back(std::move(log_info));
+ }
- network_context_params->ct_logs.push_back(std::move(log_info));
}
-+#endif
const base::Value* value =
- g_browser_process->policy_service()
+@@ -756,6 +794,12 @@ SystemNetworkContextManager::GetHttpAuth
+ return CreateHttpAuthDynamicParams(g_browser_process->local_state());
+ }
+
++void SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ base::Optional<bool> enabled) {
++ g_enable_certificate_transparency =
++ enabled.value_or(kCertificateTransparencyEnabled);
++}
++
+ network::mojom::NetworkContextParamsPtr
+ SystemNetworkContextManager::CreateNetworkContextParams() {
+ // TODO(mmenke): Set up parameters here (in memory cookie store, etc).
+diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h
+--- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h.certificate-transparency 2019-08-26 21:02:05.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h 2019-09-03 22:08:28.931786496 +0200
+@@ -158,6 +158,12 @@ class SystemNetworkContextManager {
+ static network::mojom::HttpAuthDynamicParamsPtr
+ GetHttpAuthDynamicParamsForTesting();
+
++ // Enables Certificate Transparency and enforcing the Chrome Certificate
++ // Transparency Policy. For test use only. Use base::nullopt_t to reset to
++ // the default state.
++ static void SetEnableCertificateTransparencyForTesting(
++ base::Optional<bool> enabled);
++
+ private:
+ class URLLoaderFactoryForSystem;
+
+diff -up chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc
+--- chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc.certificate-transparency 2019-08-26 21:02:05.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc 2019-09-03 22:08:28.932786508 +0200
+@@ -4834,7 +4834,7 @@ IN_PROC_BROWSER_TEST_P(SSLPolicyTestComm
+ browser()->tab_strip_model()->GetActiveWebContents()->GetTitle());
+ }
+
+-IN_PROC_BROWSER_TEST_F(PolicyTest,
++IN_PROC_BROWSER_TEST_F(CertificateTransparencyPolicyTest,
+ CertificateTransparencyEnforcementDisabledForCas) {
+ net::EmbeddedTestServer https_server_ok(net::EmbeddedTestServer::TYPE_HTTPS);
+ https_server_ok.SetSSLConfig(net::EmbeddedTestServer::CERT_OK);
+diff -up chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc
+--- chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc.certificate-transparency 2019-08-26 21:02:07.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc 2019-09-03 22:08:28.932786508 +0200
+@@ -8,6 +8,7 @@
+ #include "base/callback.h"
+ #include "base/run_loop.h"
+ #include "base/test/scoped_feature_list.h"
++#include "chrome/browser/net/system_network_context_manager.h"
+ #include "chrome/browser/profiles/profile.h"
+ #include "chrome/browser/ssl/cert_verifier_browser_test.h"
+ #include "chrome/browser/ui/browser.h"
+@@ -27,7 +28,17 @@ namespace {
+ // received by a server.
+ class ExpectCTBrowserTest : public CertVerifierBrowserTest {
+ public:
+- ExpectCTBrowserTest() : CertVerifierBrowserTest() {}
++ ExpectCTBrowserTest() : CertVerifierBrowserTest() {
++ // Expect-CT reporting depends on actually enforcing Certificate
++ // Transparency.
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ true);
++ }
++
++ ~ExpectCTBrowserTest() override {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ base::nullopt);
++ }
+
+ void SetUpOnMainThread() override {
+ run_loop_ = std::make_unique<base::RunLoop>();
+diff -up chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc
+--- chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc.certificate-transparency 2019-08-26 21:02:07.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc 2019-09-03 22:08:28.932786508 +0200
+@@ -457,6 +457,13 @@ class SecurityStateTabHelperTest : publi
+ SecurityStateTabHelperTest()
+ : https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {
+ https_server_.ServeFilesFromSourceDirectory(GetChromeTestDataDir());
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ true);
++ }
++
++ ~SecurityStateTabHelperTest() override {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ base::nullopt);
+ }
+
+ void SetUpOnMainThread() override {
+diff -up chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc
+--- chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc.certificate-transparency 2019-08-26 21:02:07.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc 2019-09-03 22:08:28.934786531 +0200
+@@ -2008,8 +2008,14 @@ class CertificateTransparencySSLUITest :
+ public:
+ CertificateTransparencySSLUITest()
+ : CertVerifierBrowserTest(),
+- https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {}
+- ~CertificateTransparencySSLUITest() override {}
++ https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ true);
++ }
++ ~CertificateTransparencySSLUITest() override {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ base::nullopt);
++ }
+
+ void SetUpOnMainThread() override {
+ CertVerifierBrowserTest::SetUpOnMainThread();
+diff -up chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h.certificate-transparency chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h
+--- chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h.certificate-transparency 2019-08-26 21:02:14.000000000 +0200
++++ chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h 2019-09-03 22:08:28.934786531 +0200
+@@ -45,6 +45,19 @@ class ChromeCTPolicyEnforcer : public ne
+
+ void SetClockForTesting(const base::Clock* clock) { clock_ = clock; }
+
++ // TODO(https://crbug.com/999240): These are exposed to allow end-to-end
++ // testing by higher layers (i.e. that the ChromeCTPolicyEnforcer is
++ // correctly constructed). When either this issue or https://crbug.com/848277
++ // are fixed, the configuration can be tested independently, and these can
++ // be removed.
++ const std::vector<std::string>& operated_by_google_logs_for_testing() {
++ return operated_by_google_logs_;
++ }
++ const std::vector<std::pair<std::string, base::TimeDelta>>&
++ disqualified_logs_for_testing() {
++ return disqualified_logs_;
++ }
++
+ private:
+ // Returns true if the log identified by |log_id| (the SHA-256 hash of the
+ // log's DER-encoded SPKI) has been disqualified, and sets
diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-transparency chromium-76.0.3809.132/services/network/network_context.cc
--- chromium-76.0.3809.132/services/network/network_context.cc.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
-+++ chromium-76.0.3809.132/services/network/network_context.cc 2019-09-03 12:04:01.983890928 +0200
++++ chromium-76.0.3809.132/services/network/network_context.cc 2019-09-03 22:17:27.977834857 +0200
@@ -35,6 +35,7 @@
#include "components/prefs/pref_registry_simple.h"
#include "components/prefs/pref_service.h"
@@ -115,12 +335,16 @@ diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-
scoped_refptr<const net::CTLogVerifier> log_verifier =
net::CTLogVerifier::Create(log->public_key, log->name);
if (!log_verifier) {
-@@ -1924,6 +1927,13 @@ URLRequestContextOwner NetworkContext::A
+@@ -1924,6 +1927,17 @@ URLRequestContextOwner NetworkContext::A
ct_verifier->AddLogs(ct_logs);
builder->set_ct_verifier(std::move(ct_verifier));
}
+
+ if (params_->enforce_chrome_ct_policy) {
++ std::sort(std::begin(operated_by_google_logs),
++ std::end(operated_by_google_logs));
++ std::sort(std::begin(disqualified_logs), std::end(disqualified_logs));
++
+ builder->set_ct_policy_enforcer(
+ std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>(
+ params_->ct_log_update_time, disqualified_logs,
@@ -129,9 +353,118 @@ diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-
#endif // BUILDFLAG(IS_CT_SUPPORTED)
const base::CommandLine* command_line =
+diff -up chromium-76.0.3809.132/services/network/network_context_unittest.cc.certificate-transparency chromium-76.0.3809.132/services/network/network_context_unittest.cc
+--- chromium-76.0.3809.132/services/network/network_context_unittest.cc.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
++++ chromium-76.0.3809.132/services/network/network_context_unittest.cc 2019-09-03 22:20:22.382888089 +0200
+@@ -2,6 +2,7 @@
+ // Use of this source code is governed by a BSD-style license that can be
+ // found in the LICENSE file.
+
++#include <algorithm>
+ #include <map>
+ #include <memory>
+ #include <string>
+@@ -38,10 +39,12 @@
+ #include "base/threading/thread_task_runner_handle.h"
+ #include "base/time/default_clock.h"
+ #include "base/time/default_tick_clock.h"
++#include "base/time/time.h"
+ #include "build/build_config.h"
+ #include "components/network_session_configurator/browser/network_session_configurator.h"
+ #include "components/network_session_configurator/common/network_switches.h"
+ #include "components/prefs/testing_pref_service.h"
++#include "crypto/sha2.h"
+ #include "mojo/public/cpp/bindings/interface_request.h"
+ #include "mojo/public/cpp/bindings/strong_binding.h"
+ #include "mojo/public/cpp/system/data_pipe_utils.h"
+@@ -113,6 +116,11 @@
+ #include "url/scheme_host_port.h"
+ #include "url/url_constants.h"
+
++#if BUILDFLAG(IS_CT_SUPPORTED)
++#include "components/certificate_transparency/chrome_ct_policy_enforcer.h"
++#include "services/network/public/mojom/ct_log_info.mojom.h"
++#endif
++
+ #if BUILDFLAG(ENABLE_REPORTING)
+ #include "net/network_error_logging/network_error_logging_service.h"
+ #include "net/reporting/reporting_cache.h"
+@@ -5566,6 +5574,72 @@ TEST_F(NetworkContextTest, BlockAllCooki
+ EXPECT_EQ("None", response_body);
+ }
+
++#if BUILDFLAG(IS_CT_SUPPORTED)
++TEST_F(NetworkContextTest, CertificateTransparencyConfig) {
++ mojom::NetworkContextParamsPtr params = CreateContextParams();
++ params->enforce_chrome_ct_policy = true;
++ params->ct_log_update_time = base::Time::Now();
++
++ // The log public keys do not matter for the test, so invalid keys are used.
++ // However, because the log IDs are derived from the SHA-256 hash of the log
++ // key, the log keys are generated such that qualified logs are in the form
++ // of four digits (e.g. "0000", "1111"), while disqualified logs are in the
++ // form of four letters (e.g. "AAAA", "BBBB").
++
++ for (int i = 0; i < 6; ++i) {
++ network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
++ // Shift to ASCII '0' (0x30)
++ log_info->public_key = std::string(4, 0x30 + static_cast<char>(i));
++ log_info->name = std::string(4, 0x30 + static_cast<char>(i));
++ log_info->operated_by_google = i % 2;
++
++ params->ct_logs.push_back(std::move(log_info));
++ }
++ for (int i = 0; i < 3; ++i) {
++ network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
++ // Shift to ASCII 'A' (0x41)
++ log_info->public_key = std::string(4, 0x41 + static_cast<char>(i));
++ log_info->name = std::string(4, 0x41 + static_cast<char>(i));
++ log_info->operated_by_google = false;
++ log_info->disqualified_at = base::TimeDelta::FromSeconds(i);
++
++ params->ct_logs.push_back(std::move(log_info));
++ }
++ std::unique_ptr<NetworkContext> network_context =
++ CreateContextWithParams(std::move(params));
++
++ net::CTPolicyEnforcer* request_enforcer =
++ network_context->url_request_context()->ct_policy_enforcer();
++ ASSERT_TRUE(request_enforcer);
++
++ // Completely unsafe if |enforce_chrome_ct_policy| is false.
++ certificate_transparency::ChromeCTPolicyEnforcer* policy_enforcer =
++ reinterpret_cast<certificate_transparency::ChromeCTPolicyEnforcer*>(
++ request_enforcer);
++
++ EXPECT_TRUE(std::is_sorted(
++ policy_enforcer->operated_by_google_logs_for_testing().begin(),
++ policy_enforcer->operated_by_google_logs_for_testing().end()));
++ EXPECT_TRUE(
++ std::is_sorted(policy_enforcer->disqualified_logs_for_testing().begin(),
++ policy_enforcer->disqualified_logs_for_testing().end()));
++
++ EXPECT_THAT(
++ policy_enforcer->operated_by_google_logs_for_testing(),
++ ::testing::UnorderedElementsAreArray({crypto::SHA256HashString("1111"),
++ crypto::SHA256HashString("3333"),
++ crypto::SHA256HashString("5555")}));
++ EXPECT_THAT(policy_enforcer->disqualified_logs_for_testing(),
++ ::testing::UnorderedElementsAre(
++ ::testing::Pair(crypto::SHA256HashString("AAAA"),
++ base::TimeDelta::FromSeconds(0)),
++ ::testing::Pair(crypto::SHA256HashString("BBBB"),
++ base::TimeDelta::FromSeconds(1)),
++ ::testing::Pair(crypto::SHA256HashString("CCCC"),
++ base::TimeDelta::FromSeconds(2))));
++}
++#endif
++
+ } // namespace
+
+ } // namespace network
diff -up chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.certificate-transparency chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom
--- chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
-+++ chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom 2019-09-03 11:59:48.423862022 +0200
++++ chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom 2019-09-03 22:08:28.936786554 +0200
@@ -4,6 +4,8 @@
module network.mojom;
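Review bot: In the `CertificateTransparencyConfig` unit test added in this hunk, `request_enforcer` is downcast with `reinterpret_cast`, which bypasses the compiler's base-to-derived pointer adjustment; since `ChromeCTPolicyEnforcer` publicly derives from the `net::CTPolicyEnforcer` hierarchy (see the `chrome_ct_policy_enforcer.h` hunk above), `static_cast<certificate_transparency::ChromeCTPolicyEnforcer*>(request_enforcer)` expresses the same assumption and stays correct if the class layout changes. The accompanying comment already notes the cast is only valid when `enforce_chrome_ct_policy` is true, which the test sets a few lines earlier. The `std::is_sorted` expectations here are what pin the `std::sort` calls added in the `network_context.cc` hunk above, so the two should be kept together if the patch is rebased.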
@@ -148,7 +481,7 @@ diff -up chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.
+
+ // Whether or not the log should should be considered a Google Log for the
+ // purposes of enforcing the "Certificate Transparency in Chrome" policy.
-+ bool operated_by_google;
++ bool operated_by_google = false;
+
+ // If set, the time since the Unix Epoch when the log was disqualified. This
+ // is used to determine the "once or currently qualified" status of the log.
@@ -157,7 +490,7 @@ diff -up chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.
};
diff -up chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom.certificate-transparency chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom
--- chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
-+++ chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom 2019-09-03 11:59:48.424862032 +0200
++++ chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom 2019-09-03 22:08:28.936786554 +0200
@@ -238,15 +238,6 @@ struct NetworkContextParams {
[EnableIf=is_android]
bool check_clear_text_permitted = false;
[chromium-libs-media-freeworld: 75/201] More fixes to a backported patch for certificate transparency
commit 6140e1104effb04aa4f3c65110ec71eca3efb66d
Author: Tomas Popela <tpopela(a)redhat.com>
Date: Wed Sep 4 10:48:30 2019 +0200
More fixes to a backported patch for certificate transparency
...um-76.0.3809.132-certificate-transparency.patch | 413 +++++++++++++++++++--
1 file changed, 373 insertions(+), 40 deletions(-)
---
diff --git a/chromium-76.0.3809.132-certificate-transparency.patch b/chromium-76.0.3809.132-certificate-transparency.patch
index 51937e0..8bfbced 100644
--- a/chromium-76.0.3809.132-certificate-transparency.patch
+++ b/chromium-76.0.3809.132-certificate-transparency.patch
@@ -1,6 +1,73 @@
+diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc
+--- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc.certificate-transparency 2019-09-03 22:08:28.931786496 +0200
++++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc 2019-09-03 22:15:24.743555759 +0200
+@@ -17,6 +17,7 @@
+ #include "chrome/common/pref_names.h"
+ #include "chrome/test/base/in_process_browser_test.h"
+ #include "components/prefs/pref_service.h"
++#include "services/network/public/cpp/network_service_buildflags.h"
+ #include "services/network/public/mojom/network_context.mojom.h"
+ #include "services/network/public/mojom/network_service.mojom.h"
+ #include "testing/gmock/include/gmock/gmock.h"
+@@ -297,3 +298,55 @@ IN_PROC_BROWSER_TEST_P(SystemNetworkCont
+ INSTANTIATE_TEST_SUITE_P(,
+ SystemNetworkContextManagerStubResolverBrowsertest,
+ ::testing::Values(false, true));
++
++class SystemNetworkContextManagerCertificateTransparencyBrowsertest
++ : public SystemNetworkContextManagerBrowsertest,
++ public testing::WithParamInterface<base::Optional<bool>> {
++ public:
++ SystemNetworkContextManagerCertificateTransparencyBrowsertest() {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ GetParam());
++ }
++ ~SystemNetworkContextManagerCertificateTransparencyBrowsertest() override {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ base::nullopt);
++ }
++};
++
++#if BUILDFLAG(IS_CT_SUPPORTED)
++IN_PROC_BROWSER_TEST_P(
++ SystemNetworkContextManagerCertificateTransparencyBrowsertest,
++ CertificateTransparencyConfig) {
++ network::mojom::NetworkContextParamsPtr context_params =
++ g_browser_process->system_network_context_manager()
++ ->CreateDefaultNetworkContextParams();
++
++ const bool kDefault =
++#if defined(GOOGLE_CHROME_BUILD) && defined(OFFICIAL_BUILD) && \
++ !defined(OS_ANDROID)
++ true;
++#else
++ false;
++#endif
++
++ EXPECT_EQ(GetParam().value_or(kDefault),
++ context_params->enforce_chrome_ct_policy);
++ EXPECT_NE(GetParam().value_or(kDefault), context_params->ct_logs.empty());
++
++ if (GetParam().value_or(kDefault)) {
++ bool has_google_log = false;
++ bool has_disqualified_log = false;
++ for (const auto& ct_log : context_params->ct_logs) {
++ has_google_log |= ct_log->operated_by_google;
++ has_disqualified_log |= ct_log->disqualified_at.has_value();
++ }
++ EXPECT_TRUE(has_google_log);
++ EXPECT_TRUE(has_disqualified_log);
++ }
++}
++#endif
++
++INSTANTIATE_TEST_SUITE_P(
++ ,
++ SystemNetworkContextManagerCertificateTransparencyBrowsertest,
++ ::testing::Values(base::nullopt, true, false));
diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc
--- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc.certificate-transparency 2019-08-26 21:02:05.000000000 +0200
-+++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc 2019-09-03 12:01:33.004949320 +0200
++++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc 2019-09-03 22:13:26.451198970 +0200
@@ -4,11 +4,13 @@
#include "chrome/browser/net/system_network_context_manager.h"
@@ -23,52 +90,205 @@ diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manage
#include "mojo/public/cpp/bindings/associated_interface_ptr.h"
#include "net/dns/public/util.h"
#include "net/net_buildflags.h"
-@@ -686,15 +689,41 @@ SystemNetworkContextManager::CreateDefau
+@@ -81,6 +84,20 @@
+
+ namespace {
+
++constexpr bool kCertificateTransparencyEnabled =
++#if defined(GOOGLE_CHROME_BUILD) && defined(OFFICIAL_BUILD) && \
++ !defined(OS_ANDROID)
++ // Certificate Transparency is only enabled if:
++ // - Desktop (!OS_ANDROID); OS_IOS does not use this file
++ // - base::GetBuildTime() is deterministic to the source (OFFICIAL_BUILD)
++ // - The build in reliably updatable (GOOGLE_CHROME_BUILD)
++ true;
++#else
++ false;
++#endif
++
++bool g_enable_certificate_transparency = kCertificateTransparencyEnabled;
++
+ // The global instance of the SystemNetworkContextmanager.
+ SystemNetworkContextManager* g_system_network_context_manager = nullptr;
+
+@@ -686,14 +703,35 @@ SystemNetworkContextManager::CreateDefau
bool http_09_on_non_default_ports_enabled = false;
#if !defined(OS_ANDROID)
- // CT is only enabled on Desktop platforms for now.
+- network_context_params->enforce_chrome_ct_policy = true;
+- for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
+- // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication.
+- network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
+- log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);
+- log_info->name = ct_log.log_name;
+- network_context_params->ct_logs.push_back(std::move(log_info));
++
++ if (g_enable_certificate_transparency) {
++ network_context_params->enforce_chrome_ct_policy = true;
++ network_context_params->ct_log_update_time = base::GetBuildTime();
+
-+#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD) && \
-+ !defined(OS_IOS)
-+ // Certificate Transparency is only enabled if:
-+ // - Desktop (!OS_ANDROID, !OS_IOS)
-+ // - base::GetBuildTime() is deterministic to the source (OFFICIAL_BUILD)
-+ // - The build in reliably updatable (GOOGLE_CHROME_BRANDING)
- network_context_params->enforce_chrome_ct_policy = true;
-+ network_context_params->ct_log_update_time = base::GetBuildTime();
-+
-+ std::vector<std::string> operated_by_google_logs =
-+ certificate_transparency::GetLogsOperatedByGoogle();
-+ std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs =
-+ certificate_transparency::GetDisqualifiedLogs();
- for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
- // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication.
- network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
- log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);
- log_info->name = ct_log.log_name;
-+
-+ std::string log_id = crypto::SHA256HashString(log_info->public_key);
-+ log_info->operated_by_google =
-+ std::binary_search(std::begin(operated_by_google_logs),
-+ std::end(operated_by_google_logs), log_id);
-+ auto it = std::lower_bound(
-+ std::begin(disqualified_logs), std::end(disqualified_logs), log_id,
-+ [](const auto& disqualified_log, const std::string& log_id) {
-+ return disqualified_log.first < log_id;
-+ });
-+ if (it != std::end(disqualified_logs) && it->first == log_id) {
-+ log_info->disqualified_at = it->second;
++ std::vector<std::string> operated_by_google_logs =
++ certificate_transparency::GetLogsOperatedByGoogle();
++ std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs =
++ certificate_transparency::GetDisqualifiedLogs();
++ for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
++ // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication.
++ network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
++ log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);
++ log_info->name = ct_log.log_name;
++
++ std::string log_id = crypto::SHA256HashString(log_info->public_key);
++ log_info->operated_by_google =
++ std::binary_search(std::begin(operated_by_google_logs),
++ std::end(operated_by_google_logs), log_id);
++ auto it = std::lower_bound(
++ std::begin(disqualified_logs), std::end(disqualified_logs), log_id,
++ [](const auto& disqualified_log, const std::string& log_id) {
++ return disqualified_log.first < log_id;
++ });
++ if (it != std::end(disqualified_logs) && it->first == log_id) {
++ log_info->disqualified_at = it->second;
++ }
++ network_context_params->ct_logs.push_back(std::move(log_info));
+ }
- network_context_params->ct_logs.push_back(std::move(log_info));
}
-+#endif
const base::Value* value =
- g_browser_process->policy_service()
+@@ -756,6 +794,12 @@ SystemNetworkContextManager::GetHttpAuth
+ return CreateHttpAuthDynamicParams(g_browser_process->local_state());
+ }
+
++void SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ base::Optional<bool> enabled) {
++ g_enable_certificate_transparency =
++ enabled.value_or(kCertificateTransparencyEnabled);
++}
++
+ network::mojom::NetworkContextParamsPtr
+ SystemNetworkContextManager::CreateNetworkContextParams() {
+ // TODO(mmenke): Set up parameters here (in memory cookie store, etc).
+diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h
+--- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h.certificate-transparency 2019-08-26 21:02:05.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h 2019-09-03 22:08:28.931786496 +0200
+@@ -158,6 +158,12 @@ class SystemNetworkContextManager {
+ static network::mojom::HttpAuthDynamicParamsPtr
+ GetHttpAuthDynamicParamsForTesting();
+
++ // Enables Certificate Transparency and enforcing the Chrome Certificate
++ // Transparency Policy. For test use only. Use base::nullopt_t to reset to
++ // the default state.
++ static void SetEnableCertificateTransparencyForTesting(
++ base::Optional<bool> enabled);
++
+ private:
+ class URLLoaderFactoryForSystem;
+
+diff -up chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc
+--- chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc.certificate-transparency 2019-08-26 21:02:05.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc 2019-09-03 22:08:28.932786508 +0200
+@@ -4834,7 +4834,7 @@ IN_PROC_BROWSER_TEST_P(SSLPolicyTestComm
+ browser()->tab_strip_model()->GetActiveWebContents()->GetTitle());
+ }
+
+-IN_PROC_BROWSER_TEST_F(PolicyTest,
++IN_PROC_BROWSER_TEST_F(CertificateTransparencyPolicyTest,
+ CertificateTransparencyEnforcementDisabledForCas) {
+ net::EmbeddedTestServer https_server_ok(net::EmbeddedTestServer::TYPE_HTTPS);
+ https_server_ok.SetSSLConfig(net::EmbeddedTestServer::CERT_OK);
+diff -up chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc
+--- chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc.certificate-transparency 2019-08-26 21:02:07.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc 2019-09-03 22:08:28.932786508 +0200
+@@ -8,6 +8,7 @@
+ #include "base/callback.h"
+ #include "base/run_loop.h"
+ #include "base/test/scoped_feature_list.h"
++#include "chrome/browser/net/system_network_context_manager.h"
+ #include "chrome/browser/profiles/profile.h"
+ #include "chrome/browser/ssl/cert_verifier_browser_test.h"
+ #include "chrome/browser/ui/browser.h"
+@@ -27,7 +28,17 @@ namespace {
+ // received by a server.
+ class ExpectCTBrowserTest : public CertVerifierBrowserTest {
+ public:
+- ExpectCTBrowserTest() : CertVerifierBrowserTest() {}
++ ExpectCTBrowserTest() : CertVerifierBrowserTest() {
++ // Expect-CT reporting depends on actually enforcing Certificate
++ // Transparency.
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ true);
++ }
++
++ ~ExpectCTBrowserTest() override {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ base::nullopt);
++ }
+
+ void SetUpOnMainThread() override {
+ run_loop_ = std::make_unique<base::RunLoop>();
+diff -up chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc
+--- chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc.certificate-transparency 2019-08-26 21:02:07.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc 2019-09-03 22:08:28.932786508 +0200
+@@ -457,6 +457,13 @@ class SecurityStateTabHelperTest : publi
+ SecurityStateTabHelperTest()
+ : https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {
+ https_server_.ServeFilesFromSourceDirectory(GetChromeTestDataDir());
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ true);
++ }
++
++ ~SecurityStateTabHelperTest() override {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ base::nullopt);
+ }
+
+ void SetUpOnMainThread() override {
+diff -up chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc
+--- chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc.certificate-transparency 2019-08-26 21:02:07.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc 2019-09-03 22:08:28.934786531 +0200
+@@ -2008,8 +2008,14 @@ class CertificateTransparencySSLUITest :
+ public:
+ CertificateTransparencySSLUITest()
+ : CertVerifierBrowserTest(),
+- https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {}
+- ~CertificateTransparencySSLUITest() override {}
++ https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ true);
++ }
++ ~CertificateTransparencySSLUITest() override {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ base::nullopt);
++ }
+
+ void SetUpOnMainThread() override {
+ CertVerifierBrowserTest::SetUpOnMainThread();
+diff -up chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h.certificate-transparency chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h
+--- chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h.certificate-transparency 2019-08-26 21:02:14.000000000 +0200
++++ chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h 2019-09-03 22:08:28.934786531 +0200
+@@ -45,6 +45,19 @@ class ChromeCTPolicyEnforcer : public ne
+
+ void SetClockForTesting(const base::Clock* clock) { clock_ = clock; }
+
++ // TODO(https://crbug.com/999240): These are exposed to allow end-to-end
++ // testing by higher layers (i.e. that the ChromeCTPolicyEnforcer is
++ // correctly constructed). When either this issue or https://crbug.com/848277
++ // are fixed, the configuration can be tested independently, and these can
++ // be removed.
++ const std::vector<std::string>& operated_by_google_logs_for_testing() {
++ return operated_by_google_logs_;
++ }
++ const std::vector<std::pair<std::string, base::TimeDelta>>&
++ disqualified_logs_for_testing() {
++ return disqualified_logs_;
++ }
++
+ private:
+ // Returns true if the log identified by |log_id| (the SHA-256 hash of the
+ // log's DER-encoded SPKI) has been disqualified, and sets
diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-transparency chromium-76.0.3809.132/services/network/network_context.cc
--- chromium-76.0.3809.132/services/network/network_context.cc.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
-+++ chromium-76.0.3809.132/services/network/network_context.cc 2019-09-03 12:04:01.983890928 +0200
++++ chromium-76.0.3809.132/services/network/network_context.cc 2019-09-03 22:17:27.977834857 +0200
@@ -35,6 +35,7 @@
#include "components/prefs/pref_registry_simple.h"
#include "components/prefs/pref_service.h"
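Review bot: In the new CreateDefaultNetworkContextParams body, `std::binary_search` over `operated_by_google_logs` and `std::lower_bound` over `disqualified_logs` are only correct if `GetLogsOperatedByGoogle()` and `GetDisqualifiedLogs()` return sorted vectors, yet nothing here checks that, while the receiving side in network_context.cc sorts its own copies; an unordered table would silently drop a log's Google or disqualified status and the CT policy would then be enforced against wrong data. Two lines after the declarations close that gap: `DCHECK(std::is_sorted(operated_by_google_logs.begin(), operated_by_google_logs.end()));` and `DCHECK(std::is_sorted(disqualified_logs.begin(), disqualified_logs.end()));`. Note for the package changelog that `kCertificateTransparencyEnabled` is true only when GOOGLE_CHROME_BUILD and OFFICIAL_BUILD are both defined, so on any other build this revision of the patch turns the previously unconditional `enforce_chrome_ct_policy = true` off, for the reasons the comment above it gives. The header comment on SetEnableCertificateTransparencyForTesting should say `base::nullopt` rather than `base::nullopt_t`, which is the type, not the value callers pass. CreateDefaultNetworkContextParams starts and ends outside the hunk.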
@@ -115,12 +335,16 @@ diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-
scoped_refptr<const net::CTLogVerifier> log_verifier =
net::CTLogVerifier::Create(log->public_key, log->name);
if (!log_verifier) {
-@@ -1924,6 +1927,13 @@ URLRequestContextOwner NetworkContext::A
+@@ -1924,6 +1927,17 @@ URLRequestContextOwner NetworkContext::A
ct_verifier->AddLogs(ct_logs);
builder->set_ct_verifier(std::move(ct_verifier));
}
+
+ if (params_->enforce_chrome_ct_policy) {
++ std::sort(std::begin(operated_by_google_logs),
++ std::end(operated_by_google_logs));
++ std::sort(std::begin(disqualified_logs), std::end(disqualified_logs));
++
+ builder->set_ct_policy_enforcer(
+ std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>(
+ params_->ct_log_update_time, disqualified_logs,
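Review bot: The two `std::sort` calls make the ordering assumption explicit on the network-service side, which is the right place since `ct_logs` arrive over mojo from another process; but a duplicate log id (two `ct_logs` entries with the same public key) would survive the sort as two adjacent pairs in `disqualified_logs`, and a `lower_bound` keyed on `.first`, as the browser side does it, would presumably pick whichever time sorted first. Consider `DCHECK(std::adjacent_find(std::begin(operated_by_google_logs), std::end(operated_by_google_logs)) == std::end(operated_by_google_logs));` after the sort, or a comment stating that log ids are unique by construction. How the two vectors are filled is outside the hunk, so this is inferred from the sort alone.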
@@ -129,9 +353,118 @@ diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-
#endif // BUILDFLAG(IS_CT_SUPPORTED)
const base::CommandLine* command_line =
+diff -up chromium-76.0.3809.132/services/network/network_context_unittest.cc.certificate-transparency chromium-76.0.3809.132/services/network/network_context_unittest.cc
+--- chromium-76.0.3809.132/services/network/network_context_unittest.cc.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
++++ chromium-76.0.3809.132/services/network/network_context_unittest.cc 2019-09-03 22:20:22.382888089 +0200
+@@ -2,6 +2,7 @@
+ // Use of this source code is governed by a BSD-style license that can be
+ // found in the LICENSE file.
+
++#include <algorithm>
+ #include <map>
+ #include <memory>
+ #include <string>
+@@ -38,10 +39,12 @@
+ #include "base/threading/thread_task_runner_handle.h"
+ #include "base/time/default_clock.h"
+ #include "base/time/default_tick_clock.h"
++#include "base/time/time.h"
+ #include "build/build_config.h"
+ #include "components/network_session_configurator/browser/network_session_configurator.h"
+ #include "components/network_session_configurator/common/network_switches.h"
+ #include "components/prefs/testing_pref_service.h"
++#include "crypto/sha2.h"
+ #include "mojo/public/cpp/bindings/interface_request.h"
+ #include "mojo/public/cpp/bindings/strong_binding.h"
+ #include "mojo/public/cpp/system/data_pipe_utils.h"
+@@ -113,6 +116,11 @@
+ #include "url/scheme_host_port.h"
+ #include "url/url_constants.h"
+
++#if BUILDFLAG(IS_CT_SUPPORTED)
++#include "components/certificate_transparency/chrome_ct_policy_enforcer.h"
++#include "services/network/public/mojom/ct_log_info.mojom.h"
++#endif
++
+ #if BUILDFLAG(ENABLE_REPORTING)
+ #include "net/network_error_logging/network_error_logging_service.h"
+ #include "net/reporting/reporting_cache.h"
+@@ -5566,6 +5574,72 @@ TEST_F(NetworkContextTest, BlockAllCooki
+ EXPECT_EQ("None", response_body);
+ }
+
++#if BUILDFLAG(IS_CT_SUPPORTED)
++TEST_F(NetworkContextTest, CertificateTransparencyConfig) {
++ mojom::NetworkContextParamsPtr params = CreateContextParams();
++ params->enforce_chrome_ct_policy = true;
++ params->ct_log_update_time = base::Time::Now();
++
++ // The log public keys do not matter for the test, so invalid keys are used.
++ // However, because the log IDs are derived from the SHA-256 hash of the log
++ // key, the log keys are generated such that qualified logs are in the form
++ // of four digits (e.g. "0000", "1111"), while disqualified logs are in the
++ // form of four letters (e.g. "AAAA", "BBBB").
++
++ for (int i = 0; i < 6; ++i) {
++ network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
++ // Shift to ASCII '0' (0x30)
++ log_info->public_key = std::string(4, 0x30 + static_cast<char>(i));
++ log_info->name = std::string(4, 0x30 + static_cast<char>(i));
++ log_info->operated_by_google = i % 2;
++
++ params->ct_logs.push_back(std::move(log_info));
++ }
++ for (int i = 0; i < 3; ++i) {
++ network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
++ // Shift to ASCII 'A' (0x41)
++ log_info->public_key = std::string(4, 0x41 + static_cast<char>(i));
++ log_info->name = std::string(4, 0x41 + static_cast<char>(i));
++ log_info->operated_by_google = false;
++ log_info->disqualified_at = base::TimeDelta::FromSeconds(i);
++
++ params->ct_logs.push_back(std::move(log_info));
++ }
++ std::unique_ptr<NetworkContext> network_context =
++ CreateContextWithParams(std::move(params));
++
++ net::CTPolicyEnforcer* request_enforcer =
++ network_context->url_request_context()->ct_policy_enforcer();
++ ASSERT_TRUE(request_enforcer);
++
++ // Completely unsafe if |enforce_chrome_ct_policy| is false.
++ certificate_transparency::ChromeCTPolicyEnforcer* policy_enforcer =
++ reinterpret_cast<certificate_transparency::ChromeCTPolicyEnforcer*>(
++ request_enforcer);
++
++ EXPECT_TRUE(std::is_sorted(
++ policy_enforcer->operated_by_google_logs_for_testing().begin(),
++ policy_enforcer->operated_by_google_logs_for_testing().end()));
++ EXPECT_TRUE(
++ std::is_sorted(policy_enforcer->disqualified_logs_for_testing().begin(),
++ policy_enforcer->disqualified_logs_for_testing().end()));
++
++ EXPECT_THAT(
++ policy_enforcer->operated_by_google_logs_for_testing(),
++ ::testing::UnorderedElementsAreArray({crypto::SHA256HashString("1111"),
++ crypto::SHA256HashString("3333"),
++ crypto::SHA256HashString("5555")}));
++ EXPECT_THAT(policy_enforcer->disqualified_logs_for_testing(),
++ ::testing::UnorderedElementsAre(
++ ::testing::Pair(crypto::SHA256HashString("AAAA"),
++ base::TimeDelta::FromSeconds(0)),
++ ::testing::Pair(crypto::SHA256HashString("BBBB"),
++ base::TimeDelta::FromSeconds(1)),
++ ::testing::Pair(crypto::SHA256HashString("CCCC"),
++ base::TimeDelta::FromSeconds(2))));
++}
++#endif
++
+ } // namespace
+
+ } // namespace network
diff -up chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.certificate-transparency chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom
--- chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
-+++ chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom 2019-09-03 11:59:48.423862022 +0200
++++ chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom 2019-09-03 22:08:28.936786554 +0200
@@ -4,6 +4,8 @@
module network.mojom;
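Review bot: `reinterpret_cast<certificate_transparency::ChromeCTPolicyEnforcer*>(request_enforcer)` in CertificateTransparencyConfig should be a `static_cast`: ChromeCTPolicyEnforcer appears to derive from the net enforcer (its class line is partly visible in the chrome_ct_policy_enforcer.h hunk), so `static_cast` performs the proper base-to-derived adjustment and documents the relationship, whereas `reinterpret_cast` only happens to work under single inheritance; the comment "Completely unsafe if |enforce_chrome_ct_policy| is false" still applies either way. Also `log_info->operated_by_google = i % 2;` stores an int into a bool; `log_info->operated_by_google = (i % 2) == 1;` says what is meant. Since the test already asserts `std::is_sorted` on both vectors, `::testing::ElementsAre` would additionally pin the sorted order instead of `UnorderedElementsAre`.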
@@ -148,7 +481,7 @@ diff -up chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.
+
+ // Whether or not the log should should be considered a Google Log for the
+ // purposes of enforcing the "Certificate Transparency in Chrome" policy.
-+ bool operated_by_google;
++ bool operated_by_google = false;
+
+ // If set, the time since the Unix Epoch when the log was disqualified. This
+ // is used to determine the "once or currently qualified" status of the log.
@@ -157,7 +490,7 @@ diff -up chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.
};
diff -up chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom.certificate-transparency chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom
--- chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
-+++ chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom 2019-09-03 11:59:48.424862032 +0200
++++ chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom 2019-09-03 22:08:28.936786554 +0200
@@ -238,15 +238,6 @@ struct NetworkContextParams {
[EnableIf=is_android]
bool check_clear_text_permitted = false;
[chromium-libs-media-freeworld: 74/201] More fixes to a backported patch for certificate transparency
commit 82c3fb0c11b8125b95e298f467ccc77d9f3bafa4
Author: Tomas Popela <tpopela(a)redhat.com>
Date: Wed Sep 4 10:48:30 2019 +0200
More fixes to a backported patch for certificate transparency
...um-76.0.3809.132-certificate-transparency.patch | 413 +++++++++++++++++++--
1 file changed, 373 insertions(+), 40 deletions(-)
---
diff --git a/chromium-76.0.3809.132-certificate-transparency.patch b/chromium-76.0.3809.132-certificate-transparency.patch
index 51937e0..8bfbced 100644
--- a/chromium-76.0.3809.132-certificate-transparency.patch
+++ b/chromium-76.0.3809.132-certificate-transparency.patch
@@ -1,6 +1,73 @@
+diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc
+--- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc.certificate-transparency 2019-09-03 22:08:28.931786496 +0200
++++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager_browsertest.cc 2019-09-03 22:15:24.743555759 +0200
+@@ -17,6 +17,7 @@
+ #include "chrome/common/pref_names.h"
+ #include "chrome/test/base/in_process_browser_test.h"
+ #include "components/prefs/pref_service.h"
++#include "services/network/public/cpp/network_service_buildflags.h"
+ #include "services/network/public/mojom/network_context.mojom.h"
+ #include "services/network/public/mojom/network_service.mojom.h"
+ #include "testing/gmock/include/gmock/gmock.h"
+@@ -297,3 +298,55 @@ IN_PROC_BROWSER_TEST_P(SystemNetworkCont
+ INSTANTIATE_TEST_SUITE_P(,
+ SystemNetworkContextManagerStubResolverBrowsertest,
+ ::testing::Values(false, true));
++
++class SystemNetworkContextManagerCertificateTransparencyBrowsertest
++ : public SystemNetworkContextManagerBrowsertest,
++ public testing::WithParamInterface<base::Optional<bool>> {
++ public:
++ SystemNetworkContextManagerCertificateTransparencyBrowsertest() {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ GetParam());
++ }
++ ~SystemNetworkContextManagerCertificateTransparencyBrowsertest() override {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ base::nullopt);
++ }
++};
++
++#if BUILDFLAG(IS_CT_SUPPORTED)
++IN_PROC_BROWSER_TEST_P(
++ SystemNetworkContextManagerCertificateTransparencyBrowsertest,
++ CertificateTransparencyConfig) {
++ network::mojom::NetworkContextParamsPtr context_params =
++ g_browser_process->system_network_context_manager()
++ ->CreateDefaultNetworkContextParams();
++
++ const bool kDefault =
++#if defined(GOOGLE_CHROME_BUILD) && defined(OFFICIAL_BUILD) && \
++ !defined(OS_ANDROID)
++ true;
++#else
++ false;
++#endif
++
++ EXPECT_EQ(GetParam().value_or(kDefault),
++ context_params->enforce_chrome_ct_policy);
++ EXPECT_NE(GetParam().value_or(kDefault), context_params->ct_logs.empty());
++
++ if (GetParam().value_or(kDefault)) {
++ bool has_google_log = false;
++ bool has_disqualified_log = false;
++ for (const auto& ct_log : context_params->ct_logs) {
++ has_google_log |= ct_log->operated_by_google;
++ has_disqualified_log |= ct_log->disqualified_at.has_value();
++ }
++ EXPECT_TRUE(has_google_log);
++ EXPECT_TRUE(has_disqualified_log);
++ }
++}
++#endif
++
++INSTANTIATE_TEST_SUITE_P(
++ ,
++ SystemNetworkContextManagerCertificateTransparencyBrowsertest,
++ ::testing::Values(base::nullopt, true, false));
diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc
--- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc.certificate-transparency 2019-08-26 21:02:05.000000000 +0200
-+++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc 2019-09-03 12:01:33.004949320 +0200
++++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc 2019-09-03 22:13:26.451198970 +0200
@@ -4,11 +4,13 @@
#include "chrome/browser/net/system_network_context_manager.h"
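Review bot: `kDefault` in CertificateTransparencyConfig re-spells the preprocessor condition that defines `kCertificateTransparencyEnabled` in system_network_context_manager.cc; if one is edited without the other, the `base::nullopt` parameter silently tests the wrong default. Add `// Must mirror kCertificateTransparencyEnabled in system_network_context_manager.cc.` above it, or better expose the default through a for-testing accessor so there is one source of truth. `GetParam().value_or(kDefault)` is also evaluated three times; `const bool expect_enabled = GetParam().value_or(kDefault);` once after `kDefault` reads more clearly. The fixture and the test are complete within the hunk.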
@@ -23,52 +90,205 @@ diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manage
#include "mojo/public/cpp/bindings/associated_interface_ptr.h"
#include "net/dns/public/util.h"
#include "net/net_buildflags.h"
-@@ -686,15 +689,41 @@ SystemNetworkContextManager::CreateDefau
+@@ -81,6 +84,20 @@
+
+ namespace {
+
++constexpr bool kCertificateTransparencyEnabled =
++#if defined(GOOGLE_CHROME_BUILD) && defined(OFFICIAL_BUILD) && \
++ !defined(OS_ANDROID)
++ // Certificate Transparency is only enabled if:
++ // - Desktop (!OS_ANDROID); OS_IOS does not use this file
++ // - base::GetBuildTime() is deterministic to the source (OFFICIAL_BUILD)
++ // - The build in reliably updatable (GOOGLE_CHROME_BUILD)
++ true;
++#else
++ false;
++#endif
++
++bool g_enable_certificate_transparency = kCertificateTransparencyEnabled;
++
+ // The global instance of the SystemNetworkContextmanager.
+ SystemNetworkContextManager* g_system_network_context_manager = nullptr;
+
+@@ -686,14 +703,35 @@ SystemNetworkContextManager::CreateDefau
bool http_09_on_non_default_ports_enabled = false;
#if !defined(OS_ANDROID)
- // CT is only enabled on Desktop platforms for now.
+- network_context_params->enforce_chrome_ct_policy = true;
+- for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
+- // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication.
+- network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
+- log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);
+- log_info->name = ct_log.log_name;
+- network_context_params->ct_logs.push_back(std::move(log_info));
++
++ if (g_enable_certificate_transparency) {
++ network_context_params->enforce_chrome_ct_policy = true;
++ network_context_params->ct_log_update_time = base::GetBuildTime();
+
-+#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD) && \
-+ !defined(OS_IOS)
-+ // Certificate Transparency is only enabled if:
-+ // - Desktop (!OS_ANDROID, !OS_IOS)
-+ // - base::GetBuildTime() is deterministic to the source (OFFICIAL_BUILD)
-+ // - The build in reliably updatable (GOOGLE_CHROME_BRANDING)
- network_context_params->enforce_chrome_ct_policy = true;
-+ network_context_params->ct_log_update_time = base::GetBuildTime();
-+
-+ std::vector<std::string> operated_by_google_logs =
-+ certificate_transparency::GetLogsOperatedByGoogle();
-+ std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs =
-+ certificate_transparency::GetDisqualifiedLogs();
- for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
- // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication.
- network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
- log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);
- log_info->name = ct_log.log_name;
-+
-+ std::string log_id = crypto::SHA256HashString(log_info->public_key);
-+ log_info->operated_by_google =
-+ std::binary_search(std::begin(operated_by_google_logs),
-+ std::end(operated_by_google_logs), log_id);
-+ auto it = std::lower_bound(
-+ std::begin(disqualified_logs), std::end(disqualified_logs), log_id,
-+ [](const auto& disqualified_log, const std::string& log_id) {
-+ return disqualified_log.first < log_id;
-+ });
-+ if (it != std::end(disqualified_logs) && it->first == log_id) {
-+ log_info->disqualified_at = it->second;
++ std::vector<std::string> operated_by_google_logs =
++ certificate_transparency::GetLogsOperatedByGoogle();
++ std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs =
++ certificate_transparency::GetDisqualifiedLogs();
++ for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
++ // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication.
++ network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
++ log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);
++ log_info->name = ct_log.log_name;
++
++ std::string log_id = crypto::SHA256HashString(log_info->public_key);
++ log_info->operated_by_google =
++ std::binary_search(std::begin(operated_by_google_logs),
++ std::end(operated_by_google_logs), log_id);
++ auto it = std::lower_bound(
++ std::begin(disqualified_logs), std::end(disqualified_logs), log_id,
++ [](const auto& disqualified_log, const std::string& log_id) {
++ return disqualified_log.first < log_id;
++ });
++ if (it != std::end(disqualified_logs) && it->first == log_id) {
++ log_info->disqualified_at = it->second;
++ }
++ network_context_params->ct_logs.push_back(std::move(log_info));
+ }
- network_context_params->ct_logs.push_back(std::move(log_info));
}
-+#endif
const base::Value* value =
- g_browser_process->policy_service()
+@@ -756,6 +794,12 @@ SystemNetworkContextManager::GetHttpAuth
+ return CreateHttpAuthDynamicParams(g_browser_process->local_state());
+ }
+
++void SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ base::Optional<bool> enabled) {
++ g_enable_certificate_transparency =
++ enabled.value_or(kCertificateTransparencyEnabled);
++}
++
+ network::mojom::NetworkContextParamsPtr
+ SystemNetworkContextManager::CreateNetworkContextParams() {
+ // TODO(mmenke): Set up parameters here (in memory cookie store, etc).
+diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h
+--- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h.certificate-transparency 2019-08-26 21:02:05.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.h 2019-09-03 22:08:28.931786496 +0200
+@@ -158,6 +158,12 @@ class SystemNetworkContextManager {
+ static network::mojom::HttpAuthDynamicParamsPtr
+ GetHttpAuthDynamicParamsForTesting();
+
++ // Enables Certificate Transparency and enforcing the Chrome Certificate
++ // Transparency Policy. For test use only. Use base::nullopt_t to reset to
++ // the default state.
++ static void SetEnableCertificateTransparencyForTesting(
++ base::Optional<bool> enabled);
++
+ private:
+ class URLLoaderFactoryForSystem;
+
+diff -up chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc
+--- chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc.certificate-transparency 2019-08-26 21:02:05.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/policy/policy_browsertest.cc 2019-09-03 22:08:28.932786508 +0200
+@@ -4834,7 +4834,7 @@ IN_PROC_BROWSER_TEST_P(SSLPolicyTestComm
+ browser()->tab_strip_model()->GetActiveWebContents()->GetTitle());
+ }
+
+-IN_PROC_BROWSER_TEST_F(PolicyTest,
++IN_PROC_BROWSER_TEST_F(CertificateTransparencyPolicyTest,
+ CertificateTransparencyEnforcementDisabledForCas) {
+ net::EmbeddedTestServer https_server_ok(net::EmbeddedTestServer::TYPE_HTTPS);
+ https_server_ok.SetSSLConfig(net::EmbeddedTestServer::CERT_OK);
+diff -up chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc
+--- chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc.certificate-transparency 2019-08-26 21:02:07.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc 2019-09-03 22:08:28.932786508 +0200
+@@ -8,6 +8,7 @@
+ #include "base/callback.h"
+ #include "base/run_loop.h"
+ #include "base/test/scoped_feature_list.h"
++#include "chrome/browser/net/system_network_context_manager.h"
+ #include "chrome/browser/profiles/profile.h"
+ #include "chrome/browser/ssl/cert_verifier_browser_test.h"
+ #include "chrome/browser/ui/browser.h"
+@@ -27,7 +28,17 @@ namespace {
+ // received by a server.
+ class ExpectCTBrowserTest : public CertVerifierBrowserTest {
+ public:
+- ExpectCTBrowserTest() : CertVerifierBrowserTest() {}
++ ExpectCTBrowserTest() : CertVerifierBrowserTest() {
++ // Expect-CT reporting depends on actually enforcing Certificate
++ // Transparency.
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ true);
++ }
++
++ ~ExpectCTBrowserTest() override {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ base::nullopt);
++ }
+
+ void SetUpOnMainThread() override {
+ run_loop_ = std::make_unique<base::RunLoop>();
+diff -up chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc
+--- chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc.certificate-transparency 2019-08-26 21:02:07.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/ssl/security_state_tab_helper_browsertest.cc 2019-09-03 22:08:28.932786508 +0200
+@@ -457,6 +457,13 @@ class SecurityStateTabHelperTest : publi
+ SecurityStateTabHelperTest()
+ : https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {
+ https_server_.ServeFilesFromSourceDirectory(GetChromeTestDataDir());
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ true);
++ }
++
++ ~SecurityStateTabHelperTest() override {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ base::nullopt);
+ }
+
+ void SetUpOnMainThread() override {
+diff -up chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc
+--- chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc.certificate-transparency 2019-08-26 21:02:07.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/ssl/ssl_browsertest.cc 2019-09-03 22:08:28.934786531 +0200
+@@ -2008,8 +2008,14 @@ class CertificateTransparencySSLUITest :
+ public:
+ CertificateTransparencySSLUITest()
+ : CertVerifierBrowserTest(),
+- https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {}
+- ~CertificateTransparencySSLUITest() override {}
++ https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ true);
++ }
++ ~CertificateTransparencySSLUITest() override {
++ SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting(
++ base::nullopt);
++ }
+
+ void SetUpOnMainThread() override {
+ CertVerifierBrowserTest::SetUpOnMainThread();
+diff -up chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h.certificate-transparency chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h
+--- chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h.certificate-transparency 2019-08-26 21:02:14.000000000 +0200
++++ chromium-76.0.3809.132/components/certificate_transparency/chrome_ct_policy_enforcer.h 2019-09-03 22:08:28.934786531 +0200
+@@ -45,6 +45,19 @@ class ChromeCTPolicyEnforcer : public ne
+
+ void SetClockForTesting(const base::Clock* clock) { clock_ = clock; }
+
++ // TODO(https://crbug.com/999240): These are exposed to allow end-to-end
++ // testing by higher layers (i.e. that the ChromeCTPolicyEnforcer is
++ // correctly constructed). When either this issue or https://crbug.com/848277
++ // are fixed, the configuration can be tested independently, and these can
++ // be removed.
++ const std::vector<std::string>& operated_by_google_logs_for_testing() {
++ return operated_by_google_logs_;
++ }
++ const std::vector<std::pair<std::string, base::TimeDelta>>&
++ disqualified_logs_for_testing() {
++ return disqualified_logs_;
++ }
++
+ private:
+ // Returns true if the log identified by |log_id| (the SHA-256 hash of the
+ // log's DER-encoded SPKI) has been disqualified, and sets
diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-transparency chromium-76.0.3809.132/services/network/network_context.cc
--- chromium-76.0.3809.132/services/network/network_context.cc.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
-+++ chromium-76.0.3809.132/services/network/network_context.cc 2019-09-03 12:04:01.983890928 +0200
++++ chromium-76.0.3809.132/services/network/network_context.cc 2019-09-03 22:17:27.977834857 +0200
@@ -35,6 +35,7 @@
#include "components/prefs/pref_registry_simple.h"
#include "components/prefs/pref_service.h"
@@ -115,12 +335,16 @@ diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-
scoped_refptr<const net::CTLogVerifier> log_verifier =
net::CTLogVerifier::Create(log->public_key, log->name);
if (!log_verifier) {
-@@ -1924,6 +1927,13 @@ URLRequestContextOwner NetworkContext::A
+@@ -1924,6 +1927,17 @@ URLRequestContextOwner NetworkContext::A
ct_verifier->AddLogs(ct_logs);
builder->set_ct_verifier(std::move(ct_verifier));
}
+
+ if (params_->enforce_chrome_ct_policy) {
++ std::sort(std::begin(operated_by_google_logs),
++ std::end(operated_by_google_logs));
++ std::sort(std::begin(disqualified_logs), std::end(disqualified_logs));
++
+ builder->set_ct_policy_enforcer(
+ std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>(
+ params_->ct_log_update_time, disqualified_logs,
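Review bot: The two `std::sort` calls added just before the `ChromeCTPolicyEnforcer` is constructed carry no comment saying why ordering matters, yet the unittest added later in this same patch asserts `std::is_sorted` on both lists, so sortedness is a contract rather than tidiness. The browser side of the patch resolves log IDs with `std::binary_search` and `std::lower_bound`, and the enforcer presumably does the same with the lists it receives; I would add above the first sort: `// ChromeCTPolicyEnforcer looks logs up by their SHA-256 log ID; both lists must be sorted (byte-wise string order) before they are handed over.` Sorting `disqualified_logs` as pairs also orders any repeated log ID by its `TimeDelta`, so the earliest disqualification would win a `lower_bound` lookup, which is worth a word if duplicates are possible. The enclosing `NetworkContext` method starts and ends outside this hunk.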
@@ -129,9 +353,118 @@ diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-
#endif // BUILDFLAG(IS_CT_SUPPORTED)
const base::CommandLine* command_line =
+diff -up chromium-76.0.3809.132/services/network/network_context_unittest.cc.certificate-transparency chromium-76.0.3809.132/services/network/network_context_unittest.cc
+--- chromium-76.0.3809.132/services/network/network_context_unittest.cc.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
++++ chromium-76.0.3809.132/services/network/network_context_unittest.cc 2019-09-03 22:20:22.382888089 +0200
+@@ -2,6 +2,7 @@
+ // Use of this source code is governed by a BSD-style license that can be
+ // found in the LICENSE file.
+
++#include <algorithm>
+ #include <map>
+ #include <memory>
+ #include <string>
+@@ -38,10 +39,12 @@
+ #include "base/threading/thread_task_runner_handle.h"
+ #include "base/time/default_clock.h"
+ #include "base/time/default_tick_clock.h"
++#include "base/time/time.h"
+ #include "build/build_config.h"
+ #include "components/network_session_configurator/browser/network_session_configurator.h"
+ #include "components/network_session_configurator/common/network_switches.h"
+ #include "components/prefs/testing_pref_service.h"
++#include "crypto/sha2.h"
+ #include "mojo/public/cpp/bindings/interface_request.h"
+ #include "mojo/public/cpp/bindings/strong_binding.h"
+ #include "mojo/public/cpp/system/data_pipe_utils.h"
+@@ -113,6 +116,11 @@
+ #include "url/scheme_host_port.h"
+ #include "url/url_constants.h"
+
++#if BUILDFLAG(IS_CT_SUPPORTED)
++#include "components/certificate_transparency/chrome_ct_policy_enforcer.h"
++#include "services/network/public/mojom/ct_log_info.mojom.h"
++#endif
++
+ #if BUILDFLAG(ENABLE_REPORTING)
+ #include "net/network_error_logging/network_error_logging_service.h"
+ #include "net/reporting/reporting_cache.h"
+@@ -5566,6 +5574,72 @@ TEST_F(NetworkContextTest, BlockAllCooki
+ EXPECT_EQ("None", response_body);
+ }
+
++#if BUILDFLAG(IS_CT_SUPPORTED)
++TEST_F(NetworkContextTest, CertificateTransparencyConfig) {
++ mojom::NetworkContextParamsPtr params = CreateContextParams();
++ params->enforce_chrome_ct_policy = true;
++ params->ct_log_update_time = base::Time::Now();
++
++ // The log public keys do not matter for the test, so invalid keys are used.
++ // However, because the log IDs are derived from the SHA-256 hash of the log
++ // key, the log keys are generated such that qualified logs are in the form
++ // of four digits (e.g. "0000", "1111"), while disqualified logs are in the
++ // form of four letters (e.g. "AAAA", "BBBB").
++
++ for (int i = 0; i < 6; ++i) {
++ network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
++ // Shift to ASCII '0' (0x30)
++ log_info->public_key = std::string(4, 0x30 + static_cast<char>(i));
++ log_info->name = std::string(4, 0x30 + static_cast<char>(i));
++ log_info->operated_by_google = i % 2;
++
++ params->ct_logs.push_back(std::move(log_info));
++ }
++ for (int i = 0; i < 3; ++i) {
++ network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
++ // Shift to ASCII 'A' (0x41)
++ log_info->public_key = std::string(4, 0x41 + static_cast<char>(i));
++ log_info->name = std::string(4, 0x41 + static_cast<char>(i));
++ log_info->operated_by_google = false;
++ log_info->disqualified_at = base::TimeDelta::FromSeconds(i);
++
++ params->ct_logs.push_back(std::move(log_info));
++ }
++ std::unique_ptr<NetworkContext> network_context =
++ CreateContextWithParams(std::move(params));
++
++ net::CTPolicyEnforcer* request_enforcer =
++ network_context->url_request_context()->ct_policy_enforcer();
++ ASSERT_TRUE(request_enforcer);
++
++ // Completely unsafe if |enforce_chrome_ct_policy| is false.
++ certificate_transparency::ChromeCTPolicyEnforcer* policy_enforcer =
++ reinterpret_cast<certificate_transparency::ChromeCTPolicyEnforcer*>(
++ request_enforcer);
++
++ EXPECT_TRUE(std::is_sorted(
++ policy_enforcer->operated_by_google_logs_for_testing().begin(),
++ policy_enforcer->operated_by_google_logs_for_testing().end()));
++ EXPECT_TRUE(
++ std::is_sorted(policy_enforcer->disqualified_logs_for_testing().begin(),
++ policy_enforcer->disqualified_logs_for_testing().end()));
++
++ EXPECT_THAT(
++ policy_enforcer->operated_by_google_logs_for_testing(),
++ ::testing::UnorderedElementsAreArray({crypto::SHA256HashString("1111"),
++ crypto::SHA256HashString("3333"),
++ crypto::SHA256HashString("5555")}));
++ EXPECT_THAT(policy_enforcer->disqualified_logs_for_testing(),
++ ::testing::UnorderedElementsAre(
++ ::testing::Pair(crypto::SHA256HashString("AAAA"),
++ base::TimeDelta::FromSeconds(0)),
++ ::testing::Pair(crypto::SHA256HashString("BBBB"),
++ base::TimeDelta::FromSeconds(1)),
++ ::testing::Pair(crypto::SHA256HashString("CCCC"),
++ base::TimeDelta::FromSeconds(2))));
++}
++#endif
++
+ } // namespace
+
+ } // namespace network
diff -up chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.certificate-transparency chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom
--- chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
-+++ chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom 2019-09-03 11:59:48.423862022 +0200
++++ chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom 2019-09-03 22:08:28.936786554 +0200
@@ -4,6 +4,8 @@
module network.mojom;
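Review bot: The new `CertificateTransparencyConfig` unittest downcasts the `net::CTPolicyEnforcer*` with `reinterpret_cast`, which its own comment calls "Completely unsafe"; `ChromeCTPolicyEnforcer` appears to derive publicly from `net::CTPolicyEnforcer` (`class ChromeCTPolicyEnforcer : public ne…` earlier in this patch), so `static_cast<certificate_transparency::ChromeCTPolicyEnforcer*>(request_enforcer)` is the conversion actually intended and stays correct if the class ever gains another base. The cast is only meaningful because `params->enforce_chrome_ct_policy = true` is set at the top of the test; I would say so where the cast happens: `// Valid only because enforce_chrome_ct_policy was set above, so the context installs a ChromeCTPolicyEnforcer.` The assignment `log_info->operated_by_google = i % 2;` relies on int-to-bool conversion; `(i % 2) != 0` reads as intended. The unittest section is wholly added by this hunk and closes its anonymous namespace at the end.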
@@ -148,7 +481,7 @@ diff -up chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.
+
+ // Whether or not the log should should be considered a Google Log for the
+ // purposes of enforcing the "Certificate Transparency in Chrome" policy.
-+ bool operated_by_google;
++ bool operated_by_google = false;
+
+ // If set, the time since the Unix Epoch when the log was disqualified. This
+ // is used to determine the "once or currently qualified" status of the log.
@@ -157,7 +490,7 @@ diff -up chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.
};
diff -up chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom.certificate-transparency chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom
--- chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
-+++ chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom 2019-09-03 11:59:48.424862032 +0200
++++ chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom 2019-09-03 22:08:28.936786554 +0200
@@ -238,15 +238,6 @@ struct NetworkContextParams {
[EnableIf=is_android]
bool check_clear_text_permitted = false;
[chromium-libs-media-freeworld: 73/201] Fix certificate-transparency patch
by hellbanger
commit da8d872e924923bdd1d8c7eae0ace87bba8c0309
Author: Tomas Popela <tpopela(a)redhat.com>
Date: Tue Sep 3 15:26:53 2019 +0200
Fix certificate-transparency patch
chromium-76.0.3809.132-certificate-transparency.patch | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
---
diff --git a/chromium-76.0.3809.132-certificate-transparency.patch b/chromium-76.0.3809.132-certificate-transparency.patch
index 25a08af..51937e0 100644
--- a/chromium-76.0.3809.132-certificate-transparency.patch
+++ b/chromium-76.0.3809.132-certificate-transparency.patch
@@ -121,7 +121,7 @@ diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-
}
+
+ if (params_->enforce_chrome_ct_policy) {
-+ builder.set_ct_policy_enforcer(
++ builder->set_ct_policy_enforcer(
+ std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>(
+ params_->ct_log_update_time, disqualified_logs,
+ operated_by_google_logs));
[chromium-libs-media-freeworld: 72/201] Fix certificate-transparency patch
by hellbanger
commit 2f5fd975735eb1a7fd06d9804d0e036372e6ead7
Author: Tomas Popela <tpopela(a)redhat.com>
Date: Tue Sep 3 15:26:53 2019 +0200
Fix certificate-transparency patch
chromium-76.0.3809.132-certificate-transparency.patch | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
---
diff --git a/chromium-76.0.3809.132-certificate-transparency.patch b/chromium-76.0.3809.132-certificate-transparency.patch
index 25a08af..51937e0 100644
--- a/chromium-76.0.3809.132-certificate-transparency.patch
+++ b/chromium-76.0.3809.132-certificate-transparency.patch
@@ -121,7 +121,7 @@ diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-
}
+
+ if (params_->enforce_chrome_ct_policy) {
-+ builder.set_ct_policy_enforcer(
++ builder->set_ct_policy_enforcer(
+ std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>(
+ params_->ct_log_update_time, disqualified_logs,
+ operated_by_google_logs));
[chromium-libs-media-freeworld: 71/201] Fix certificate-transparency patch
by hellbanger
commit b974e5ab1a621f965dba65d413d46ee4a964fbdf
Author: Tomas Popela <tpopela(a)redhat.com>
Date: Tue Sep 3 15:26:53 2019 +0200
Fix certificate-transparency patch
chromium-76.0.3809.132-certificate-transparency.patch | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
---
diff --git a/chromium-76.0.3809.132-certificate-transparency.patch b/chromium-76.0.3809.132-certificate-transparency.patch
index 25a08af..51937e0 100644
--- a/chromium-76.0.3809.132-certificate-transparency.patch
+++ b/chromium-76.0.3809.132-certificate-transparency.patch
@@ -121,7 +121,7 @@ diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-
}
+
+ if (params_->enforce_chrome_ct_policy) {
-+ builder.set_ct_policy_enforcer(
++ builder->set_ct_policy_enforcer(
+ std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>(
+ params_->ct_log_update_time, disqualified_logs,
+ operated_by_google_logs));
[chromium-libs-media-freeworld: 70/201] Backport patch to fix certificate transparency
by hellbanger
commit df09cb5bec0fb8b996887505bbdd979981c43adc
Author: Tomas Popela <tpopela(a)redhat.com>
Date: Tue Sep 3 12:20:51 2019 +0200
Backport patch to fix certificate transparency
...um-76.0.3809.132-certificate-transparency.patch | 206 +++++++++++++++++++++
chromium.spec | 8 +-
2 files changed, 213 insertions(+), 1 deletion(-)
---
diff --git a/chromium-76.0.3809.132-certificate-transparency.patch b/chromium-76.0.3809.132-certificate-transparency.patch
new file mode 100644
index 0000000..25a08af
--- /dev/null
+++ b/chromium-76.0.3809.132-certificate-transparency.patch
@@ -0,0 +1,206 @@
+diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc
+--- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc.certificate-transparency 2019-08-26 21:02:05.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc 2019-09-03 12:01:33.004949320 +0200
+@@ -4,11 +4,13 @@
+
+ #include "chrome/browser/net/system_network_context_manager.h"
+
++#include <algorithm>
+ #include <set>
+ #include <unordered_map>
+ #include <utility>
+
+ #include "base/bind.h"
++#include "base/build_time.h"
+ #include "base/command_line.h"
+ #include "base/feature_list.h"
+ #include "base/logging.h"
+@@ -51,6 +53,7 @@
+ #include "content/public/common/mime_handler_view_mode.h"
+ #include "content/public/common/service_names.mojom.h"
+ #include "content/public/common/user_agent.h"
++#include "crypto/sha2.h"
+ #include "mojo/public/cpp/bindings/associated_interface_ptr.h"
+ #include "net/dns/public/util.h"
+ #include "net/net_buildflags.h"
+@@ -686,15 +689,41 @@ SystemNetworkContextManager::CreateDefau
+
+ bool http_09_on_non_default_ports_enabled = false;
+ #if !defined(OS_ANDROID)
+- // CT is only enabled on Desktop platforms for now.
++
++#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD) && \
++ !defined(OS_IOS)
++ // Certificate Transparency is only enabled if:
++ // - Desktop (!OS_ANDROID, !OS_IOS)
++ // - base::GetBuildTime() is deterministic to the source (OFFICIAL_BUILD)
++ // - The build in reliably updatable (GOOGLE_CHROME_BRANDING)
+ network_context_params->enforce_chrome_ct_policy = true;
++ network_context_params->ct_log_update_time = base::GetBuildTime();
++
++ std::vector<std::string> operated_by_google_logs =
++ certificate_transparency::GetLogsOperatedByGoogle();
++ std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs =
++ certificate_transparency::GetDisqualifiedLogs();
+ for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
+ // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication.
+ network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
+ log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);
+ log_info->name = ct_log.log_name;
++
++ std::string log_id = crypto::SHA256HashString(log_info->public_key);
++ log_info->operated_by_google =
++ std::binary_search(std::begin(operated_by_google_logs),
++ std::end(operated_by_google_logs), log_id);
++ auto it = std::lower_bound(
++ std::begin(disqualified_logs), std::end(disqualified_logs), log_id,
++ [](const auto& disqualified_log, const std::string& log_id) {
++ return disqualified_log.first < log_id;
++ });
++ if (it != std::end(disqualified_logs) && it->first == log_id) {
++ log_info->disqualified_at = it->second;
++ }
+ network_context_params->ct_logs.push_back(std::move(log_info));
+ }
++#endif
+
+ const base::Value* value =
+ g_browser_process->policy_service()
+diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-transparency chromium-76.0.3809.132/services/network/network_context.cc
+--- chromium-76.0.3809.132/services/network/network_context.cc.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
++++ chromium-76.0.3809.132/services/network/network_context.cc 2019-09-03 12:04:01.983890928 +0200
+@@ -35,6 +35,7 @@
+ #include "components/prefs/pref_registry_simple.h"
+ #include "components/prefs/pref_service.h"
+ #include "components/prefs/pref_service_factory.h"
++#include "crypto/sha2.h"
+ #include "mojo/public/cpp/bindings/strong_binding.h"
+ #include "net/base/layered_network_delegate.h"
+ #include "net/base/load_flags.h"
+@@ -1851,16 +1852,6 @@ URLRequestContextOwner NetworkContext::A
+ base::FeatureList::IsEnabled(features::kNetworkErrorLogging));
+ #endif // BUILDFLAG(ENABLE_REPORTING)
+
+-#if BUILDFLAG(IS_CT_SUPPORTED)
+- if (params_->enforce_chrome_ct_policy) {
+- builder->set_ct_policy_enforcer(
+- std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>(
+- base::GetBuildTime(),
+- certificate_transparency::GetDisqualifiedLogs(),
+- certificate_transparency::GetLogsOperatedByGoogle()));
+- }
+-#endif // BUILDFLAG(IS_CT_SUPPORTED)
+-
+ net::HttpNetworkSession::Params session_params;
+ bool is_quic_force_disabled = false;
+ if (network_service_ && network_service_->quic_disabled())
+@@ -1910,8 +1901,20 @@ URLRequestContextOwner NetworkContext::A
+
+ #if BUILDFLAG(IS_CT_SUPPORTED)
+ std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs;
++ std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs;
++ std::vector<std::string> operated_by_google_logs;
++
+ if (!params_->ct_logs.empty()) {
+ for (const auto& log : params_->ct_logs) {
++ if (log->operated_by_google || log->disqualified_at) {
++ std::string log_id = crypto::SHA256HashString(log->public_key);
++ if (log->operated_by_google)
++ operated_by_google_logs.push_back(log_id);
++ if (log->disqualified_at) {
++ disqualified_logs.push_back(
++ std::make_pair(log_id, log->disqualified_at.value()));
++ }
++ }
+ scoped_refptr<const net::CTLogVerifier> log_verifier =
+ net::CTLogVerifier::Create(log->public_key, log->name);
+ if (!log_verifier) {
+@@ -1924,6 +1927,13 @@ URLRequestContextOwner NetworkContext::A
+ ct_verifier->AddLogs(ct_logs);
+ builder->set_ct_verifier(std::move(ct_verifier));
+ }
++
++ if (params_->enforce_chrome_ct_policy) {
++ builder.set_ct_policy_enforcer(
++ std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>(
++ params_->ct_log_update_time, disqualified_logs,
++ operated_by_google_logs));
++ }
+ #endif // BUILDFLAG(IS_CT_SUPPORTED)
+
+ const base::CommandLine* command_line =
+diff -up chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.certificate-transparency chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom
+--- chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
++++ chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom 2019-09-03 11:59:48.423862022 +0200
+@@ -4,6 +4,8 @@
+
+ module network.mojom;
+
++import "mojo/public/mojom/base/time.mojom";
++
+ // A single Certificate Transparency Log configuration.
+ struct CTLogInfo {
+ // The DER-encoded SubjectPublicKeyInfo of the log.
+@@ -14,4 +16,13 @@ struct CTLogInfo {
+ // The human-readable, log-supplied log name. Note that this will not be
+ // translated.
+ string name;
++
++ // Whether or not the log should should be considered a Google Log for the
++ // purposes of enforcing the "Certificate Transparency in Chrome" policy.
++ bool operated_by_google;
++
++ // If set, the time since the Unix Epoch when the log was disqualified. This
++ // is used to determine the "once or currently qualified" status of the log.
++ // If the log is currently qualified, this will not be set.
++ mojo_base.mojom.TimeDelta? disqualified_at;
+ };
+diff -up chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom.certificate-transparency chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom
+--- chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
++++ chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom 2019-09-03 11:59:48.424862032 +0200
+@@ -238,15 +238,6 @@ struct NetworkContextParams {
+ [EnableIf=is_android]
+ bool check_clear_text_permitted = false;
+
+- // True if the "Certificate Transparency in Chrome" policy (see
+- // https://github.com/chromium/ct-policy/blob/master/ct_policy.md) should
+- // be enforced for certificates and connections.
+- //
+- // See //net/docs/certificate-transparency.md before setting this flag to
+- // true.
+- [EnableIf=is_ct_supported]
+- bool enforce_chrome_ct_policy = false;
+-
+ // Enables HTTP/0.9 on ports other than 80 for HTTP and 443 for HTTPS.
+ bool http_09_on_non_default_ports_enabled = false;
+
+@@ -299,6 +290,15 @@ struct NetworkContextParams {
+ // servers, so they can discover misconfigurations.
+ bool enable_certificate_reporting = false;
+
++ // True if the "Certificate Transparency in Chrome" policy (see
++ // https://github.com/chromium/ct-policy/blob/master/ct_policy.md) should
++ // be enforced for certificates and connections.
++ //
++ // See //net/docs/certificate-transparency.md before setting this flag to
++ // true.
++ [EnableIf=is_ct_supported]
++ bool enforce_chrome_ct_policy = false;
++
+ // Enables Expect CT reporting, which sends reports for opted-in sites that
+ // don't serve sufficient Certificate Transparency information.
+ [EnableIf=is_ct_supported]
+@@ -310,6 +310,13 @@ struct NetworkContextParams {
+ [EnableIf=is_ct_supported]
+ array<CTLogInfo> ct_logs;
+
++ // When the Certificate Transparency logs in |ct_logs| were last updated. If
++ // |enforce_chrome_ct_policy| is set, and |ct_log_update_time| is not
++ // sufficiently recent, enforcement of the "Certificate Transparency in
++ // Chrome" policy will be disabled.
++ [EnableIf=is_ct_supported]
++ mojo_base.mojom.Time ct_log_update_time;
++
+ // Specifies the path to the directory where NSS will store its database.
+ [EnableIf=is_chromeos]
+ mojo_base.mojom.FilePath? nss_path;
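Review bot: In the `network_context.cc` part of the new patch, the block added under `if (params_->enforce_chrome_ct_policy)` calls `builder.set_ct_policy_enforcer(` while the same hunk uses `builder->set_ct_verifier(...)`, so `builder` is a pointer and this line will not compile; it should read `builder->set_ct_policy_enforcer(`. Separately, the `system_network_context_manager.cc` part moves `enforce_chrome_ct_policy = true` and the log-list setup under `#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD) && !defined(OS_IOS)`, and the added `ct_log_update_time` comment says enforcement is switched off when that timestamp is not sufficiently recent, so unless this package's build defines both macros (not visible here) the practical effect of the backport is that the Chrome CT policy is no longer enforced in the distro build. That is upstream's deliberate trade-off for builds whose `base::GetBuildTime()` is not reliably updated, but the changelog entry "Backport patch to fix certificate transparency" does not say so; I would record it next to `Patch64` in the spec, e.g. `# Upstream change: Chrome CT policy enforcement is only enabled in official, branded builds because the built-in log list goes stale with build time`. The upstream comment `The build in reliably updatable` presumably means `is reliably updatable`.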
diff --git a/chromium.spec b/chromium.spec
index cbc4fa4..877f8f7 100644
--- a/chromium.spec
+++ b/chromium.spec
@@ -172,7 +172,7 @@ Name: chromium%{chromium_channel}%{?freeworld:-freeworld}
Name: chromium%{chromium_channel}
%endif
Version: %{majorversion}.0.3809.132
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: A WebKit (Blink) powered web browser
Url: http://www.chromium.org/Home
License: BSD and LGPLv2+ and ASL 2.0 and IJG and MIT and GPLv2+ and ISC and OpenSSL and (MPLv1.1 or GPLv2 or LGPLv2)
@@ -304,6 +304,8 @@ Patch61: chromium-76.0.3809.100-gcc-no-alignas-and-export.patch
Patch62: chromium-76.0.3809.100-gcc-remoting-constexpr.patch
# Needs to be submitted.. (ugly hack, needs to be added properly to GN files)
Patch63: chromium-76.0.3809.100-vtable-symbol-undefined.patch
+# https://chromium.googlesource.com/chromium/src.git/+/3c9720245e440c4b7222...
+Patch64: chromium-76.0.3809.132-certificate-transparency.patch
# Apply these changes to work around EPEL7 compiler issues
Patch100: chromium-62.0.3202.62-kmaxskip-constexpr.patch
@@ -879,6 +881,7 @@ udev.
%patch61 -p1 -b .gcc-no-alignas-and-export
%patch62 -p1 -b .gcc-remoting-constexpr
%patch63 -p1 -b .vtable-symbol-undefined
+%patch64 -p1 -b .certificate-transparency
# EPEL specific patches
%if 0%{?rhel} == 7
@@ -1908,6 +1911,9 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt
%changelog
+* Tue Sep 03 2019 Tomas Popela <tpopela(a)redhat.com> - 76.0.3809.132-2
+- Backport patch to fix certificate transparency
+
* Tue Aug 27 2019 Tomas Popela <tpopela(a)redhat.com> - 76.0.3809.132-1
- Update to 76.0.3809.132
[chromium-libs-media-freeworld: 69/201] Backport patch to fix certificate transparency
by hellbanger
commit fb0db49d82bdd82577da78dea191d39bf02f0051
Author: Tomas Popela <tpopela(a)redhat.com>
Date: Tue Sep 3 12:20:51 2019 +0200
Backport patch to fix certificate transparency
...um-76.0.3809.132-certificate-transparency.patch | 206 +++++++++++++++++++++
chromium.spec | 8 +-
2 files changed, 213 insertions(+), 1 deletion(-)
---
diff --git a/chromium-76.0.3809.132-certificate-transparency.patch b/chromium-76.0.3809.132-certificate-transparency.patch
new file mode 100644
index 0000000..25a08af
--- /dev/null
+++ b/chromium-76.0.3809.132-certificate-transparency.patch
@@ -0,0 +1,206 @@
+diff -up chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc.certificate-transparency chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc
+--- chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc.certificate-transparency 2019-08-26 21:02:05.000000000 +0200
++++ chromium-76.0.3809.132/chrome/browser/net/system_network_context_manager.cc 2019-09-03 12:01:33.004949320 +0200
+@@ -4,11 +4,13 @@
+
+ #include "chrome/browser/net/system_network_context_manager.h"
+
++#include <algorithm>
+ #include <set>
+ #include <unordered_map>
+ #include <utility>
+
+ #include "base/bind.h"
++#include "base/build_time.h"
+ #include "base/command_line.h"
+ #include "base/feature_list.h"
+ #include "base/logging.h"
+@@ -51,6 +53,7 @@
+ #include "content/public/common/mime_handler_view_mode.h"
+ #include "content/public/common/service_names.mojom.h"
+ #include "content/public/common/user_agent.h"
++#include "crypto/sha2.h"
+ #include "mojo/public/cpp/bindings/associated_interface_ptr.h"
+ #include "net/dns/public/util.h"
+ #include "net/net_buildflags.h"
+@@ -686,15 +689,41 @@ SystemNetworkContextManager::CreateDefau
+
+ bool http_09_on_non_default_ports_enabled = false;
+ #if !defined(OS_ANDROID)
+- // CT is only enabled on Desktop platforms for now.
++
++#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD) && \
++ !defined(OS_IOS)
++ // Certificate Transparency is only enabled if:
++ // - Desktop (!OS_ANDROID, !OS_IOS)
++ // - base::GetBuildTime() is deterministic to the source (OFFICIAL_BUILD)
++ // - The build in reliably updatable (GOOGLE_CHROME_BRANDING)
+ network_context_params->enforce_chrome_ct_policy = true;
++ network_context_params->ct_log_update_time = base::GetBuildTime();
++
++ std::vector<std::string> operated_by_google_logs =
++ certificate_transparency::GetLogsOperatedByGoogle();
++ std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs =
++ certificate_transparency::GetDisqualifiedLogs();
+ for (const auto& ct_log : certificate_transparency::GetKnownLogs()) {
+ // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication.
+ network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New();
+ log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length);
+ log_info->name = ct_log.log_name;
++
++ std::string log_id = crypto::SHA256HashString(log_info->public_key);
++ log_info->operated_by_google =
++ std::binary_search(std::begin(operated_by_google_logs),
++ std::end(operated_by_google_logs), log_id);
++ auto it = std::lower_bound(
++ std::begin(disqualified_logs), std::end(disqualified_logs), log_id,
++ [](const auto& disqualified_log, const std::string& log_id) {
++ return disqualified_log.first < log_id;
++ });
++ if (it != std::end(disqualified_logs) && it->first == log_id) {
++ log_info->disqualified_at = it->second;
++ }
+ network_context_params->ct_logs.push_back(std::move(log_info));
+ }
++#endif
+
+ const base::Value* value =
+ g_browser_process->policy_service()
+diff -up chromium-76.0.3809.132/services/network/network_context.cc.certificate-transparency chromium-76.0.3809.132/services/network/network_context.cc
+--- chromium-76.0.3809.132/services/network/network_context.cc.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
++++ chromium-76.0.3809.132/services/network/network_context.cc 2019-09-03 12:04:01.983890928 +0200
+@@ -35,6 +35,7 @@
+ #include "components/prefs/pref_registry_simple.h"
+ #include "components/prefs/pref_service.h"
+ #include "components/prefs/pref_service_factory.h"
++#include "crypto/sha2.h"
+ #include "mojo/public/cpp/bindings/strong_binding.h"
+ #include "net/base/layered_network_delegate.h"
+ #include "net/base/load_flags.h"
+@@ -1851,16 +1852,6 @@ URLRequestContextOwner NetworkContext::A
+ base::FeatureList::IsEnabled(features::kNetworkErrorLogging));
+ #endif // BUILDFLAG(ENABLE_REPORTING)
+
+-#if BUILDFLAG(IS_CT_SUPPORTED)
+- if (params_->enforce_chrome_ct_policy) {
+- builder->set_ct_policy_enforcer(
+- std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>(
+- base::GetBuildTime(),
+- certificate_transparency::GetDisqualifiedLogs(),
+- certificate_transparency::GetLogsOperatedByGoogle()));
+- }
+-#endif // BUILDFLAG(IS_CT_SUPPORTED)
+-
+ net::HttpNetworkSession::Params session_params;
+ bool is_quic_force_disabled = false;
+ if (network_service_ && network_service_->quic_disabled())
+@@ -1910,8 +1901,20 @@ URLRequestContextOwner NetworkContext::A
+
+ #if BUILDFLAG(IS_CT_SUPPORTED)
+ std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs;
++ std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs;
++ std::vector<std::string> operated_by_google_logs;
++
+ if (!params_->ct_logs.empty()) {
+ for (const auto& log : params_->ct_logs) {
++ if (log->operated_by_google || log->disqualified_at) {
++ std::string log_id = crypto::SHA256HashString(log->public_key);
++ if (log->operated_by_google)
++ operated_by_google_logs.push_back(log_id);
++ if (log->disqualified_at) {
++ disqualified_logs.push_back(
++ std::make_pair(log_id, log->disqualified_at.value()));
++ }
++ }
+ scoped_refptr<const net::CTLogVerifier> log_verifier =
+ net::CTLogVerifier::Create(log->public_key, log->name);
+ if (!log_verifier) {
+@@ -1924,6 +1927,13 @@ URLRequestContextOwner NetworkContext::A
+ ct_verifier->AddLogs(ct_logs);
+ builder->set_ct_verifier(std::move(ct_verifier));
+ }
++
++ if (params_->enforce_chrome_ct_policy) {
++ builder.set_ct_policy_enforcer(
++ std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>(
++ params_->ct_log_update_time, disqualified_logs,
++ operated_by_google_logs));
++ }
+ #endif // BUILDFLAG(IS_CT_SUPPORTED)
+
+ const base::CommandLine* command_line =
+diff -up chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.certificate-transparency chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom
+--- chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
++++ chromium-76.0.3809.132/services/network/public/mojom/ct_log_info.mojom 2019-09-03 11:59:48.423862022 +0200
+@@ -4,6 +4,8 @@
+
+ module network.mojom;
+
++import "mojo/public/mojom/base/time.mojom";
++
+ // A single Certificate Transparency Log configuration.
+ struct CTLogInfo {
+ // The DER-encoded SubjectPublicKeyInfo of the log.
+@@ -14,4 +16,13 @@ struct CTLogInfo {
+ // The human-readable, log-supplied log name. Note that this will not be
+ // translated.
+ string name;
++
++ // Whether or not the log should should be considered a Google Log for the
++ // purposes of enforcing the "Certificate Transparency in Chrome" policy.
++ bool operated_by_google;
++
++ // If set, the time since the Unix Epoch when the log was disqualified. This
++ // is used to determine the "once or currently qualified" status of the log.
++ // If the log is currently qualified, this will not be set.
++ mojo_base.mojom.TimeDelta? disqualified_at;
+ };
+diff -up chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom.certificate-transparency chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom
+--- chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom.certificate-transparency 2019-08-26 21:02:33.000000000 +0200
++++ chromium-76.0.3809.132/services/network/public/mojom/network_context.mojom 2019-09-03 11:59:48.424862032 +0200
+@@ -238,15 +238,6 @@ struct NetworkContextParams {
+ [EnableIf=is_android]
+ bool check_clear_text_permitted = false;
+
+- // True if the "Certificate Transparency in Chrome" policy (see
+- // https://github.com/chromium/ct-policy/blob/master/ct_policy.md) should
+- // be enforced for certificates and connections.
+- //
+- // See //net/docs/certificate-transparency.md before setting this flag to
+- // true.
+- [EnableIf=is_ct_supported]
+- bool enforce_chrome_ct_policy = false;
+-
+ // Enables HTTP/0.9 on ports other than 80 for HTTP and 443 for HTTPS.
+ bool http_09_on_non_default_ports_enabled = false;
+
+@@ -299,6 +290,15 @@ struct NetworkContextParams {
+ // servers, so they can discover misconfigurations.
+ bool enable_certificate_reporting = false;
+
++ // True if the "Certificate Transparency in Chrome" policy (see
++ // https://github.com/chromium/ct-policy/blob/master/ct_policy.md) should
++ // be enforced for certificates and connections.
++ //
++ // See //net/docs/certificate-transparency.md before setting this flag to
++ // true.
++ [EnableIf=is_ct_supported]
++ bool enforce_chrome_ct_policy = false;
++
+ // Enables Expect CT reporting, which sends reports for opted-in sites that
+ // don't serve sufficient Certificate Transparency information.
+ [EnableIf=is_ct_supported]
+@@ -310,6 +310,13 @@ struct NetworkContextParams {
+ [EnableIf=is_ct_supported]
+ array<CTLogInfo> ct_logs;
+
++ // When the Certificate Transparency logs in |ct_logs| were last updated. If
++ // |enforce_chrome_ct_policy| is set, and |ct_log_update_time| is not
++ // sufficiently recent, enforcement of the "Certificate Transparency in
++ // Chrome" policy will be disabled.
++ [EnableIf=is_ct_supported]
++ mojo_base.mojom.Time ct_log_update_time;
++
+ // Specifies the path to the directory where NSS will store its database.
+ [EnableIf=is_chromeos]
+ mojo_base.mojom.FilePath? nss_path;
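Review bot: The re-added enforcer call in network_context.cc reads `builder.set_ct_policy_enforcer(` while the same function reaches `builder` through `->` a few lines above (`builder->set_ct_verifier(std::move(ct_verifier));`) and in the block this backport deletes, so this line will most likely not compile unless `builder` is declared differently in the 76 branch than the surrounding context suggests; it should be `builder->set_ct_policy_enforcer(`. The NetworkContext function containing these hunks starts and ends outside the patch. Separately, the new `#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && defined(OFFICIAL_BUILD) && !defined(OS_IOS)` guard in system_network_context_manager.cc means a build without those flags never sets `enforce_chrome_ct_policy` or fills `ct_logs`, so unless the spec enables both (not visible here) the practical effect of this backport for the packaged browser is that "Certificate Transparency in Chrome" policy enforcement is compiled out rather than fixed; the changelog entry and the `Patch64` comment in chromium.spec should state that so the build's security posture is documented. Minor: the new mojom comment on `operated_by_google` has a doubled word, `should should`.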
diff --git a/chromium.spec b/chromium.spec
index aec9f9f..4239a65 100644
--- a/chromium.spec
+++ b/chromium.spec
@@ -172,7 +172,7 @@ Name: chromium%{chromium_channel}%{?freeworld:-freeworld}
Name: chromium%{chromium_channel}
%endif
Version: %{majorversion}.0.3809.132
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: A WebKit (Blink) powered web browser
Url: http://www.chromium.org/Home
License: BSD and LGPLv2+ and ASL 2.0 and IJG and MIT and GPLv2+ and ISC and OpenSSL and (MPLv1.1 or GPLv2 or LGPLv2)
@@ -304,6 +304,8 @@ Patch61: chromium-76.0.3809.100-gcc-no-alignas-and-export.patch
Patch62: chromium-76.0.3809.100-gcc-remoting-constexpr.patch
# Needs to be submitted.. (ugly hack, needs to be added properly to GN files)
Patch63: chromium-76.0.3809.100-vtable-symbol-undefined.patch
+# https://chromium.googlesource.com/chromium/src.git/+/3c9720245e440c4b7222...
+Patch64: chromium-76.0.3809.132-certificate-transparency.patch
# Apply these changes to work around EPEL7 compiler issues
Patch100: chromium-62.0.3202.62-kmaxskip-constexpr.patch
@@ -879,6 +881,7 @@ udev.
%patch61 -p1 -b .gcc-no-alignas-and-export
%patch62 -p1 -b .gcc-remoting-constexpr
%patch63 -p1 -b .vtable-symbol-undefined
+%patch64 -p1 -b .certificate-transparency
# EPEL specific patches
%if 0%{?rhel} == 7
@@ -1908,6 +1911,9 @@ getent group chrome-remote-desktop >/dev/null || groupadd -r chrome-remote-deskt
%changelog
+* Tue Sep 03 2019 Tomas Popela <tpopela(a)redhat.com> - 76.0.3809.132-2
+- Backport patch to fix certificate transparency
+
* Tue Aug 27 2019 Tomas Popela <tpopela(a)redhat.com> - 76.0.3809.132-1
- Update to 76.0.3809.132