Chromium Code Reviews
Help | Chromium Project | Sign in
(862)

Side by Side Diff: net/http/http_security_headers.cc

Issue 11274032: Separate http_security_headers from transport_security_state (Closed) Base URL: https://src.chromium.org/chrome/trunk/src/
Patch Set: Created 1 year, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Please Sign in to add in-line comments.
Jump to:
View unified diff | Download patch
OLDNEW
(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/base64.h"
6 #include "base/string_number_conversions.h"
7 #include "base/string_tokenizer.h"
8 #include "base/string_util.h"
9 #include "net/http/http_security_headers.h"
10 #include "net/http/http_util.h"
11
12 namespace net {
13
14 namespace {
15
16 // MaxAgeToInt converts a string representation of a number of seconds into a
17 // int. We use strtol in order to handle overflow correctly. The string may
18 // contain an arbitary number which we should truncate correctly rather than
19 // throwing a parse failure.
20 bool MaxAgeToInt(std::string::const_iterator begin,
21 std::string::const_iterator end,
22 int* result) {
23 const std::string s(begin, end);
24 char* endptr;
25 long int i = strtol(s.data(), &endptr, 10 /* base */);
26 if (*endptr || i < 0)
27 return false;
28 if (i > kMaxHSTSAgeSecs)
29 i = kMaxHSTSAgeSecs;
30 *result = i;
31 return true;
32 }
33
34 // Returns true iff there is an item in |pins| which is not present in
35 // |from_cert_chain|. Such an SPKI hash is called a "backup pin".
36 bool IsBackupPinPresent(const HashValueVector& pins,
37 const HashValueVector& from_cert_chain) {
38 for (HashValueVector::const_iterator
39 i = pins.begin(); i != pins.end(); ++i) {
40 HashValueVector::const_iterator j =
41 std::find_if(from_cert_chain.begin(), from_cert_chain.end(),
42 HashValuesEqual(*i));
43 if (j == from_cert_chain.end())
44 return true;
45 }
46
47 return false;
48 }
49
50 // Returns true if the intersection of |a| and |b| is not empty. If either
51 // |a| or |b| is empty, returns false.
52 bool HashesIntersect(const HashValueVector& a,
53 const HashValueVector& b) {
54 for (HashValueVector::const_iterator i = a.begin(); i != a.end(); ++i) {
55 HashValueVector::const_iterator j =
56 std::find_if(b.begin(), b.end(), HashValuesEqual(*i));
57 if (j != b.end())
58 return true;
59 }
60 return false;
61 }
62
63 // Returns true iff |pins| contains both a live and a backup pin. A live pin
64 // is a pin whose SPKI is present in the certificate chain in |ssl_info|. A
65 // backup pin is a pin intended for disaster recovery, not day-to-day use, and
66 // thus must be absent from the certificate chain. The Public-Key-Pins header
67 // specification requires both.
68 bool IsPinListValid(const HashValueVector& pins,
69 const HashValueVector& from_cert_chain) {
70 // Fast fail: 1 live + 1 backup = at least 2 pins. (Check for actual
71 // liveness and backupness below.)
72 if (pins.size() < 2)
73 return false;
74
75 if (from_cert_chain.empty())
76 return false;
77
78 return IsBackupPinPresent(pins, from_cert_chain) &&
79 HashesIntersect(pins, from_cert_chain);
80 }
81
82 // Strip, Split, StringPair, and ParsePins are private implementation details
83 // of ParsePinsHeader(std::string&, DomainState&).
Ryan Sleevi 2012/11/13 23:32:05 No need for this comment
84 std::string Strip(const std::string& source) {
85 if (source.empty())
86 return source;
87
88 std::string::const_iterator start = source.begin();
89 std::string::const_iterator end = source.end();
90 HttpUtil::TrimLWS(&start, &end);
91 return std::string(start, end);
92 }
93
94 typedef std::pair<std::string, std::string> StringPair;
95
96 StringPair Split(const std::string& source, char delimiter) {
97 StringPair pair;
98 size_t point = source.find(delimiter);
99
100 pair.first = source.substr(0, point);
101 if (std::string::npos != point)
102 pair.second = source.substr(point + 1);
103
104 return pair;
105 }
106
107 bool ParseAndAppendPin(const std::string& value,
108 HashValueTag tag,
109 HashValueVector* hashes) {
110 std::string unquoted = HttpUtil::Unquote(value);
111 std::string decoded;
112
113 // This code has to assume that 32 bytes is SHA-256 and 20 bytes is SHA-1.
114 // Currently, those are the only two possibilities, so the assumption is
115 // valid.
116 if (!base::Base64Decode(unquoted, &decoded))
117 return false;
118
119 HashValue hash(tag);
120 if (decoded.size() != hash.size())
121 return false;
122
123 memcpy(hash.data(), decoded.data(), hash.size());
124 hashes->push_back(hash);
125 return true;
126 }
127
128 } // namespace
129
130 // Parse the Strict-Transport-Security header, as currently defined in
131 // http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14:
132 //
133 // Strict-Transport-Security = "Strict-Transport-Security" ":"
134 // [ directive ] *( ";" [ directive ] )
135 //
136 // directive = directive-name [ "=" directive-value ]
137 // directive-name = token
138 // directive-value = token | quoted-string
139 //
140 // 1. The order of appearance of directives is not significant.
141 //
142 // 2. All directives MUST appear only once in an STS header field.
143 // Directives are either optional or required, as stipulated in
144 // their definitions.
145 //
146 // 3. Directive names are case-insensitive.
147 //
148 // 4. UAs MUST ignore any STS header fields containing directives, or
149 // other header field value data, that does not conform to the
150 // syntax defined in this specification.
151 //
152 // 5. If an STS header field contains directive(s) not recognized by
153 // the UA, the UA MUST ignore the unrecognized directives and if the
154 // STS header field otherwise satisfies the above requirements (1
155 // through 4), the UA MUST process the recognized directives.
156 bool ParseHSTSHeader(const base::Time& now, const std::string& value,
157 base::Time* expiry, // OUT
158 bool* include_subdomains) { // OUT
159 int max_age_candidate = 0;
160 bool include_subdomains_candidate = false;
161
162 // We must see max-age exactly once.
163 int max_age_observed = 0;
164 // We must see includeSubdomains exactly 0 or 1 times.
165 int include_subdomains_observed = 0;
166
167 enum ParserState {
168 START,
169 AFTER_MAX_AGE_LABEL,
170 AFTER_MAX_AGE_EQUALS,
171 AFTER_MAX_AGE,
172 AFTER_INCLUDE_SUBDOMAINS,
173 AFTER_UNKNOWN_LABEL,
174 DIRECTIVE_END
175 } state = START;
176
177 StringTokenizer tokenizer(value, " \t=;");
178 tokenizer.set_options(StringTokenizer::RETURN_DELIMS);
179 tokenizer.set_quote_chars("\"");
180 std::string unquoted;
181 while (tokenizer.GetNext()) {
182 DCHECK(!tokenizer.token_is_delim() || tokenizer.token().length() == 1);
183 switch (state) {
184 case START:
185 case DIRECTIVE_END:
186 if (IsAsciiWhitespace(*tokenizer.token_begin()))
187 continue;
188 if (LowerCaseEqualsASCII(tokenizer.token(), "max-age")) {
189 state = AFTER_MAX_AGE_LABEL;
190 max_age_observed++;
191 } else if (LowerCaseEqualsASCII(tokenizer.token(),
192 "includesubdomains")) {
193 state = AFTER_INCLUDE_SUBDOMAINS;
194 include_subdomains_observed++;
195 include_subdomains_candidate = true;
196 } else {
197 state = AFTER_UNKNOWN_LABEL;
198 }
199 break;
200
201 case AFTER_MAX_AGE_LABEL:
202 if (IsAsciiWhitespace(*tokenizer.token_begin()))
203 continue;
204 if (*tokenizer.token_begin() != '=')
205 return false;
206 DCHECK_EQ(tokenizer.token().length(), 1U);
207 state = AFTER_MAX_AGE_EQUALS;
208 break;
209
210 case AFTER_MAX_AGE_EQUALS:
211 if (IsAsciiWhitespace(*tokenizer.token_begin()))
212 continue;
213 unquoted = HttpUtil::Unquote(tokenizer.token());
214 if (!MaxAgeToInt(unquoted.begin(),
215 unquoted.end(),
216 &max_age_candidate))
217 return false;
218 state = AFTER_MAX_AGE;
219 break;
220
221 case AFTER_MAX_AGE:
222 case AFTER_INCLUDE_SUBDOMAINS:
223 if (IsAsciiWhitespace(*tokenizer.token_begin()))
224 continue;
225 else if (*tokenizer.token_begin() == ';')
226 state = DIRECTIVE_END;
227 else
228 return false;
229 break;
230
231 case AFTER_UNKNOWN_LABEL:
232 // Consume and ignore the post-label contents (if any).
233 if (*tokenizer.token_begin() != ';')
234 continue;
235 state = DIRECTIVE_END;
236 break;
237 }
238 }
239
240 // We've consumed all the input. Let's see what state we ended up in.
241 if (max_age_observed != 1 ||
242 (include_subdomains_observed != 0 && include_subdomains_observed != 1)) {
243 return false;
244 }
245
246 switch (state) {
247 case AFTER_MAX_AGE:
248 case AFTER_INCLUDE_SUBDOMAINS:
249 case AFTER_UNKNOWN_LABEL:
250 *expiry = now + base::TimeDelta::FromSeconds(max_age_candidate);
251 *include_subdomains = include_subdomains_candidate;
252 return true;
253 case START:
254 case DIRECTIVE_END:
255 case AFTER_MAX_AGE_LABEL:
256 case AFTER_MAX_AGE_EQUALS:
257 return false;
258 default:
259 NOTREACHED();
260 return false;
261 }
262 }
263
264 // "Public-Key-Pins" ":"
265 // "max-age" "=" delta-seconds ";"
266 // "pin-" algo "=" base64 [ ";" ... ]
267 bool ParseHPKPHeader(const base::Time& now,
268 const std::string& value,
269 const HashValueVector& chain_hashes,
270 base::Time* expiry,
271 HashValueVector* hashes) {
272 bool parsed_max_age = false;
273 int max_age_candidate = 0;
274 HashValueVector pins;
275
276 std::string source = value;
277
278 while (!source.empty()) {
279 StringPair semicolon = Split(source, ';');
280 semicolon.first = Strip(semicolon.first);
281 semicolon.second = Strip(semicolon.second);
282 StringPair equals = Split(semicolon.first, '=');
283 equals.first = Strip(equals.first);
284 equals.second = Strip(equals.second);
285
286 if (LowerCaseEqualsASCII(equals.first, "max-age")) {
287 if (equals.second.empty() ||
288 !MaxAgeToInt(equals.second.begin(), equals.second.end(),
289 &max_age_candidate)) {
290 return false;
291 }
292 parsed_max_age = true;
293 } else if (StartsWithASCII(equals.first, "pin-", false)) {
294 HashValueTag tag;
295 if (LowerCaseEqualsASCII(equals.first, "pin-sha1")) {
296 tag = HASH_VALUE_SHA1;
297 } else if (LowerCaseEqualsASCII(equals.first, "pin-sha256")) {
298 tag = HASH_VALUE_SHA256;
299 } else {
300 return false;
301 }
302 if (!ParseAndAppendPin(equals.second, tag, &pins)) {
303 return false;
304 }
305 } else {
306 // Silently ignore unknown directives for forward compatibility.
307 }
308
309 source = semicolon.second;
310 }
311
312 if (!parsed_max_age)
313 return false;
314
315 if (!IsPinListValid(pins, chain_hashes))
316 return false;
317
318 *expiry = now + base::TimeDelta::FromSeconds(max_age_candidate);
319 for (HashValueVector::const_iterator i = pins.begin();
320 i != pins.end(); ++i) {
321 hashes->push_back(*i);
322 }
323
324 return true;
325 }
326
327 } // namespace net
328
OLDNEW

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld 1280:2d3e6564b7b6