Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/net/certificate_error_reporter.h" | 5 #include "chrome/browser/net/certificate_error_reporter.h" |
| 6 | 6 |
| 7 #include <set> | 7 #include <set> |
| 8 | 8 |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/stl_util.h" | 10 #include "base/stl_util.h" |
| 11 #include "base/time/time.h" | 11 #include "base/time/time.h" |
| 12 #include "chrome/browser/net/cert_logger.pb.h" | 12 #include "chrome/browser/net/cert_logger.pb.h" |
| 13 #include "crypto/curve25519.h" | |
| 14 #include "crypto/encryptor.h" | |
| 15 #include "crypto/hmac.h" | |
| 16 #include "crypto/random.h" | |
| 17 #include "crypto/sha2.h" | |
| 18 #include "crypto/symmetric_key.h" | |
| 13 #include "net/base/elements_upload_data_stream.h" | 19 #include "net/base/elements_upload_data_stream.h" |
| 14 #include "net/base/load_flags.h" | 20 #include "net/base/load_flags.h" |
| 15 #include "net/base/request_priority.h" | 21 #include "net/base/request_priority.h" |
| 16 #include "net/base/upload_bytes_element_reader.h" | 22 #include "net/base/upload_bytes_element_reader.h" |
| 17 #include "net/cert/x509_certificate.h" | 23 #include "net/cert/x509_certificate.h" |
| 18 #include "net/ssl/ssl_info.h" | 24 #include "net/ssl/ssl_info.h" |
| 19 #include "net/url_request/url_request_context.h" | 25 #include "net/url_request/url_request_context.h" |
| 20 | 26 |
| 27 namespace { | |
| 28 // Constants used for crypto | |
| 29 // TODO(estark): insert the production public key | |
|
felt
2015/04/14 04:30:16
Why's it missing here?
estark
2015/04/14 04:39:16
Um, I don't know. I thought I had a reason for not
estark
2015/04/16 15:04:24
Done.
| |
| 30 static const uint8 kServerPublicKey[] = { | |
| 31 0xc5, 0x3e, 0x58, 0x9e, 0x43, 0xec, 0xbc, 0x84, 0xff, 0xec, 0x8d, | |
| 32 0x57, 0x20, 0xa3, 0x61, 0x60, 0xe1, 0x0b, 0x7d, 0x30, 0x5d, 0x3b, | |
| 33 0x2a, 0x90, 0xcf, 0x73, 0xe7, 0x61, 0xa8, 0x92, 0xa1, 0x79}; | |
| 34 static const uint32 kServerPublicKeyVersion = 1; | |
| 35 static const size_t kAesKeySize = 16; | |
| 36 static const size_t kAeadNonceSize = 12; | |
| 37 static const size_t kAeadTagSize = 32; | |
| 38 static const size_t kAesBlockSize = 16; | |
| 39 static const size_t kAeadKeySize = 48; | |
| 40 static const size_t kSha256BlockSize = 64; | |
| 41 | |
| 42 void CalculateAeadKey(const uint8 client_private_key[32], | |
| 43 const uint8 server_public_key[32], | |
| 44 std::string* aead_key) { | |
| 45 // Compute the shared secret, and then hash it once with a 0 prepended | |
| 46 // and once with a 1 prepended. | |
| 47 uint8 shared_secret[crypto::curve25519::kBytes + 1]; | |
| 48 | |
| 49 crypto::curve25519::ScalarMult(client_private_key, server_public_key, | |
| 50 shared_secret + 1); | |
| 51 | |
| 52 std::string shared_secret_str((char*)shared_secret, sizeof(shared_secret)); | |
| 53 | |
| 54 shared_secret_str[0] = 0; | |
| 55 *aead_key = crypto::SHA256HashString(shared_secret_str); | |
| 56 shared_secret[0] = 1; | |
| 57 // Take only as many bytes of the second hash as we need to get to | |
| 58 // |kAeadKeySize|. | |
| 59 *aead_key += crypto::SHA256HashString(shared_secret_str) | |
| 60 .substr(0, kAeadKeySize - aead_key->size()); | |
| 61 } | |
| 62 | |
| 63 void CopyUint64(uint64 value, std::string* input) { | |
| 64 unsigned i; | |
| 65 uint8 bytes[8]; | |
| 66 for (i = 0; i < sizeof(bytes); i++) { | |
| 67 bytes[i] = value & 0xff; | |
| 68 value >>= 8; | |
| 69 } | |
| 70 *input += std::string((char*)bytes, 8); | |
| 71 } | |
| 72 | |
| 73 void ComputeHmacInput(const std::string& ciphertext, | |
| 74 const std::string& nonce, | |
| 75 std::string* hmac_input) { | |
| 76 CopyUint64(0, hmac_input); | |
| 77 CopyUint64(ciphertext.size(), hmac_input); | |
| 78 | |
| 79 *hmac_input += nonce; | |
| 80 | |
| 81 // Pad with zeroes to the end of the SHA256 block | |
| 82 const size_t num_padding = | |
| 83 (kSha256BlockSize - | |
| 84 ((sizeof(uint64) * 2 + kAeadNonceSize) % kSha256BlockSize)) % | |
| 85 kSha256BlockSize; | |
| 86 uint8 padding[kSha256BlockSize]; | |
| 87 memset(padding, 0, num_padding); | |
| 88 *hmac_input += std::string((char*)padding, num_padding); | |
| 89 | |
| 90 *hmac_input += ciphertext; | |
| 91 } | |
| 92 | |
| 93 // Used only by tests (by way of |DecryptCertificateErrorReport|). | |
| 94 bool Open(const std::string& aead_key, | |
| 95 const std::string& nonce, | |
| 96 const std::string& ciphertext, | |
| 97 std::string* const plaintext) { | |
| 98 crypto::Encryptor encryptor; | |
| 99 uint8 counter[kAesBlockSize]; | |
| 100 scoped_ptr<crypto::SymmetricKey> aes_key(crypto::SymmetricKey::Import( | |
| 101 crypto::SymmetricKey::AES, aead_key.substr(0, kAesKeySize))); | |
| 102 | |
| 103 memset(counter, 0, kAesBlockSize); | |
| 104 memcpy(counter, nonce.data(), kAeadNonceSize); | |
| 105 | |
| 106 std::string aes_ciphertext = | |
| 107 ciphertext.substr(0, ciphertext.size() - kAeadTagSize); | |
| 108 std::string tag = ciphertext.substr(ciphertext.size() - kAeadTagSize); | |
| 109 | |
| 110 // Compute HMAC(ad_len || ct_len || nonce || ciphertext) | |
| 111 crypto::HMAC hmac(crypto::HMAC::SHA256); | |
| 112 if (!hmac.Init(aead_key.substr(kAesKeySize))) { | |
| 113 LOG(ERROR) << "Failed to initialize HMAC"; | |
| 114 return false; | |
| 115 } | |
| 116 | |
| 117 std::string hmac_input; | |
| 118 ComputeHmacInput(aes_ciphertext, nonce, &hmac_input); | |
| 119 if (!hmac.Verify(hmac_input, tag)) | |
| 120 return false; | |
| 121 | |
| 122 encryptor.Init(aes_key.get(), crypto::Encryptor::CTR, ""); | |
| 123 encryptor.SetCounter(std::string((char*)counter, kAesBlockSize)); | |
| 124 encryptor.Decrypt(aes_ciphertext, plaintext); | |
| 125 return true; | |
| 126 } | |
| 127 | |
| 128 bool EncryptSerializedReport( | |
| 129 const uint8* server_public_key, | |
| 130 uint32 server_public_key_version, | |
| 131 const std::string& report, | |
| 132 chrome_browser_net::EncryptedCertLoggerRequest* encrypted_report) { | |
| 133 // Generate an ephemeral key pair to generate a shared secret. | |
| 134 uint8 public_key[crypto::curve25519::kBytes]; | |
| 135 uint8 private_key[crypto::curve25519::kScalarBytes]; | |
| 136 | |
| 137 crypto::RandBytes(private_key, sizeof(private_key)); | |
| 138 crypto::curve25519::ScalarBaseMult(private_key, public_key); | |
| 139 | |
| 140 std::string aead_key; | |
| 141 std::string ciphertext; | |
| 142 CalculateAeadKey(private_key, server_public_key, &aead_key); | |
| 143 | |
| 144 // Use an all-zero nonce because the key is random per-message. | |
| 145 std::string nonce(kAeadNonceSize, 0); | |
| 146 if (!chrome_browser_net::Seal(aead_key, nonce, report, &ciphertext)) | |
| 147 return false; | |
| 148 | |
| 149 encrypted_report->set_encrypted_report(ciphertext); | |
| 150 encrypted_report->set_server_public_key_version(server_public_key_version); | |
| 151 encrypted_report->set_client_public_key( | |
| 152 std::string((char*)public_key, crypto::curve25519::kBytes)); | |
| 153 encrypted_report->set_algorithm( | |
| 154 chrome_browser_net::EncryptedCertLoggerRequest:: | |
| 155 AEAD_ECDH_AES_128_CTR_HMAC_SHA256); | |
| 156 return true; | |
| 157 } | |
| 158 | |
| 159 } // namespace | |
| 160 | |
| 21 namespace chrome_browser_net { | 161 namespace chrome_browser_net { |
| 22 | 162 |
| 163 // Seal |plaintext| with AES-CTR-128-HMAC-SHA256. Support for AD | |
| 164 // (additional authenticated data) is not implemented because it's not | |
| 165 // needed for cert reporting. | |
| 166 bool Seal(const std::string& aead_key, | |
|
estark
2015/04/13 23:43:57
I wasn't sure whether to put the AEAD code here or
| |
| 167 const std::string& nonce, | |
| 168 const std::string& plaintext, | |
| 169 std::string* const ciphertext) { | |
| 170 crypto::Encryptor encryptor; | |
| 171 uint8 counter[kAesBlockSize]; | |
| 172 scoped_ptr<crypto::SymmetricKey> aes_key(crypto::SymmetricKey::Import( | |
| 173 crypto::SymmetricKey::AES, aead_key.substr(0, kAesKeySize))); | |
| 174 | |
| 175 memset(counter, 0, kAesBlockSize); | |
| 176 memcpy(counter, nonce.data(), kAeadNonceSize); | |
| 177 | |
| 178 encryptor.Init(aes_key.get(), crypto::Encryptor::CTR, ""); | |
| 179 encryptor.SetCounter(std::string((char*)counter, sizeof(counter))); | |
| 180 encryptor.Encrypt(plaintext, ciphertext); | |
| 181 | |
| 182 // Compute HMAC(ad_len || ct_len || nonce || ad || padding || ciphertext) | |
| 183 crypto::HMAC hmac(crypto::HMAC::SHA256); | |
| 184 unsigned char digest[32]; | |
| 185 CHECK_EQ(32u, hmac.DigestLength()); | |
| 186 if (!hmac.Init(aead_key.substr(kAesKeySize))) { | |
| 187 LOG(ERROR) << "Failed to initialize HMAC"; | |
| 188 return false; | |
| 189 } | |
| 190 | |
| 191 std::string hmac_input; | |
| 192 ComputeHmacInput(*ciphertext, nonce, &hmac_input); | |
| 193 if (!hmac.Sign(hmac_input, digest, sizeof(digest))) { | |
| 194 LOG(ERROR) << "Failed to compute HMAC."; | |
| 195 return false; | |
| 196 } | |
| 197 | |
| 198 *ciphertext += std::string((char*)digest, kAeadTagSize); | |
| 199 return true; | |
| 200 } | |
| 201 | |
| 202 // Used only by tests. | |
| 203 bool DecryptCertificateErrorReport( | |
| 204 const uint8 server_private_key[32], | |
| 205 const EncryptedCertLoggerRequest& encrypted_report, | |
| 206 CertLoggerRequest* decrypted_report) { | |
| 207 std::string aead_key; | |
| 208 std::string plaintext; | |
| 209 CalculateAeadKey(server_private_key, | |
| 210 (uint8*)encrypted_report.client_public_key().data(), | |
| 211 &aead_key); | |
| 212 | |
| 213 // Use an all-zero nonce because the key is random per-message. | |
| 214 std::string nonce(kAeadNonceSize, 0); | |
| 215 if (!Open(aead_key, nonce, encrypted_report.encrypted_report(), &plaintext)) | |
| 216 return false; | |
| 217 | |
| 218 decrypted_report->ParseFromString(plaintext); | |
| 219 return true; | |
| 220 } | |
| 221 | |
| 23 CertificateErrorReporter::CertificateErrorReporter( | 222 CertificateErrorReporter::CertificateErrorReporter( |
| 24 net::URLRequestContext* request_context, | 223 net::URLRequestContext* request_context, |
| 25 const GURL& upload_url, | 224 const GURL& upload_url, |
| 26 CookiesPreference cookies_preference) | 225 CookiesPreference cookies_preference) |
| 226 : CertificateErrorReporter(request_context, | |
| 227 upload_url, | |
| 228 cookies_preference, | |
| 229 kServerPublicKey, | |
| 230 kServerPublicKeyVersion) { | |
| 231 } | |
| 232 | |
| 233 CertificateErrorReporter::CertificateErrorReporter( | |
| 234 net::URLRequestContext* request_context, | |
| 235 const GURL& upload_url, | |
| 236 CookiesPreference cookies_preference, | |
| 237 const uint8 server_public_key[32], | |
| 238 const uint32 server_public_key_version) | |
| 27 : request_context_(request_context), | 239 : request_context_(request_context), |
| 28 upload_url_(upload_url), | 240 upload_url_(upload_url), |
| 29 cookies_preference_(cookies_preference) { | 241 cookies_preference_(cookies_preference), |
| 242 server_public_key_(server_public_key), | |
| 243 server_public_key_version_(server_public_key_version) { | |
| 30 DCHECK(!upload_url.is_empty()); | 244 DCHECK(!upload_url.is_empty()); |
| 31 } | 245 } |
| 32 | 246 |
| 33 CertificateErrorReporter::~CertificateErrorReporter() { | 247 CertificateErrorReporter::~CertificateErrorReporter() { |
| 34 STLDeleteElements(&inflight_requests_); | 248 STLDeleteElements(&inflight_requests_); |
| 35 } | 249 } |
| 36 | 250 |
| 37 void CertificateErrorReporter::SendReport(ReportType type, | 251 void CertificateErrorReporter::SendReport(ReportType type, |
| 38 const std::string& hostname, | 252 const std::string& hostname, |
| 39 const net::SSLInfo& ssl_info) { | 253 const net::SSLInfo& ssl_info) { |
| 40 CertLoggerRequest request; | 254 CertLoggerRequest request; |
| 41 std::string out; | |
| 42 | |
| 43 BuildReport(hostname, ssl_info, &request); | 255 BuildReport(hostname, ssl_info, &request); |
| 44 | 256 |
| 45 switch (type) { | 257 switch (type) { |
| 46 case REPORT_TYPE_PINNING_VIOLATION: | 258 case REPORT_TYPE_PINNING_VIOLATION: |
| 47 SendCertLoggerRequest(request); | 259 SendCertLoggerRequest(request); |
| 48 break; | 260 break; |
| 49 case REPORT_TYPE_EXTENDED_REPORTING: | 261 case REPORT_TYPE_EXTENDED_REPORTING: |
| 50 // TODO(estark): Encrypt the report if not sending over HTTPS | 262 if (upload_url_.SchemeIsSecure()) { |
| 51 DCHECK(upload_url_.SchemeIsSecure()); | 263 SendCertLoggerRequest(request); |
| 52 SendCertLoggerRequest(request); | 264 } else { |
| 265 EncryptedCertLoggerRequest encrypted_report; | |
| 266 std::string serialized_report; | |
| 267 request.SerializeToString(&serialized_report); | |
| 268 if (!EncryptSerializedReport(server_public_key_, | |
| 269 server_public_key_version_, | |
| 270 serialized_report, &encrypted_report)) { | |
| 271 LOG(ERROR) << "Failed to encrypt serialized report."; | |
| 272 return; | |
| 273 } | |
| 274 std::string serialized_encrypted_report; | |
| 275 encrypted_report.SerializeToString(&serialized_encrypted_report); | |
| 276 SendSerializedRequest(serialized_encrypted_report); | |
| 277 } | |
| 53 break; | 278 break; |
| 54 default: | 279 default: |
| 55 NOTREACHED(); | 280 NOTREACHED(); |
| 56 } | 281 } |
| 57 } | 282 } |
| 58 | 283 |
| 59 void CertificateErrorReporter::OnResponseStarted(net::URLRequest* request) { | 284 void CertificateErrorReporter::OnResponseStarted(net::URLRequest* request) { |
| 60 const net::URLRequestStatus& status(request->status()); | 285 const net::URLRequestStatus& status(request->status()); |
| 61 if (!status.is_success()) { | 286 if (!status.is_success()) { |
| 62 LOG(WARNING) << "Certificate upload failed" | 287 LOG(WARNING) << "Certificate upload failed" |
| (...skipping 18 matching lines...) Expand all Loading... | |
| 81 request->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES | | 306 request->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES | |
| 82 net::LOAD_DO_NOT_SAVE_COOKIES); | 307 net::LOAD_DO_NOT_SAVE_COOKIES); |
| 83 } | 308 } |
| 84 return request.Pass(); | 309 return request.Pass(); |
| 85 } | 310 } |
| 86 | 311 |
| 87 void CertificateErrorReporter::SendCertLoggerRequest( | 312 void CertificateErrorReporter::SendCertLoggerRequest( |
| 88 const CertLoggerRequest& request) { | 313 const CertLoggerRequest& request) { |
| 89 std::string serialized_request; | 314 std::string serialized_request; |
| 90 request.SerializeToString(&serialized_request); | 315 request.SerializeToString(&serialized_request); |
| 316 SendSerializedRequest(serialized_request); | |
| 317 } | |
| 91 | 318 |
| 319 void CertificateErrorReporter::SendSerializedRequest( | |
| 320 const std::string& serialized_request) { | |
| 92 scoped_ptr<net::URLRequest> url_request = CreateURLRequest(request_context_); | 321 scoped_ptr<net::URLRequest> url_request = CreateURLRequest(request_context_); |
| 93 url_request->set_method("POST"); | 322 url_request->set_method("POST"); |
| 94 | 323 |
| 95 scoped_ptr<net::UploadElementReader> reader( | 324 scoped_ptr<net::UploadElementReader> reader( |
| 96 net::UploadOwnedBytesElementReader::CreateWithString(serialized_request)); | 325 net::UploadOwnedBytesElementReader::CreateWithString(serialized_request)); |
| 97 url_request->set_upload( | 326 url_request->set_upload( |
| 98 net::ElementsUploadDataStream::CreateWithReader(reader.Pass(), 0)); | 327 net::ElementsUploadDataStream::CreateWithReader(reader.Pass(), 0)); |
| 99 | 328 |
| 100 net::HttpRequestHeaders headers; | 329 net::HttpRequestHeaders headers; |
| 101 headers.SetHeader(net::HttpRequestHeaders::kContentType, | 330 headers.SetHeader(net::HttpRequestHeaders::kContentType, |
| (...skipping 24 matching lines...) Expand all Loading... | |
| 126 } | 355 } |
| 127 | 356 |
| 128 void CertificateErrorReporter::RequestComplete(net::URLRequest* request) { | 357 void CertificateErrorReporter::RequestComplete(net::URLRequest* request) { |
| 129 std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request); | 358 std::set<net::URLRequest*>::iterator i = inflight_requests_.find(request); |
| 130 DCHECK(i != inflight_requests_.end()); | 359 DCHECK(i != inflight_requests_.end()); |
| 131 scoped_ptr<net::URLRequest> url_request(*i); | 360 scoped_ptr<net::URLRequest> url_request(*i); |
| 132 inflight_requests_.erase(i); | 361 inflight_requests_.erase(i); |
| 133 } | 362 } |
| 134 | 363 |
| 135 } // namespace chrome_browser_net | 364 } // namespace chrome_browser_net |
| OLD | NEW |