Separate http_security_headers from transport_security_state

net/base/transport_security_state.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/transport_security_state.h"
 
 #if defined(USE_OPENSSL)
 #include <openssl/ecdsa.h>
 #include <openssl/ssl.h>
 #else  // !defined(USE_OPENSSL)
 #include <cryptohi.h>
 #include <hasht.h>
 #include <keyhi.h>
 #include <pk11pub.h>
 #include <nspr.h>
 #endif
 
 #include <algorithm>
 
 #include "base/base64.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/metrics/histogram.h"
 #include "base/sha1.h"
 #include "base/string_number_conversions.h"
-#include "base/string_tokenizer.h"
 #include "base/string_util.h"
 #include "base/time.h"
 #include "base/utf_string_conversions.h"
 #include "base/values.h"
 #include "crypto/sha2.h"
 #include "googleurl/src/gurl.h"
 #include "net/base/dns_util.h"
 #include "net/base/ssl_info.h"
 #include "net/base/x509_cert_types.h"
 #include "net/base/x509_certificate.h"
-#include "net/http/http_util.h"
+#include "net/http/http_security_headers.h"
 
 #if defined(USE_OPENSSL)
 #include "crypto/openssl_util.h"
 #endif
 
 namespace net {
 
-const long int TransportSecurityState::kMaxHSTSAgeSecs = 86400 * 365;  // 1 year
+namespace {
 
-static std::string HashHost(const std::string& canonicalized_host) {
+std::string HashesToBase64String(const HashValueVector& hashes) {
+  std::string str;
+  for (size_t i = 0; i != hashes.size(); ++i) {
+    if (i != 0)
+      str += ",";
+    str += hashes[i].ToString();
+  }
+  return str;
+}
+
+std::string HashHost(const std::string& canonicalized_host) {
   char hashed[crypto::kSHA256Length];
   crypto::SHA256HashString(canonicalized_host, hashed, sizeof(hashed));
   return std::string(hashed, sizeof(hashed));
 }
 
+// Returns true if the intersection of |a| and |b| is not empty. If either
+// |a| or |b| is empty, returns false.
+bool HashesIntersect(const HashValueVector& a,
+                     const HashValueVector& b) {
+  for (HashValueVector::const_iterator i = a.begin(); i != a.end(); ++i) {
+    HashValueVector::const_iterator j =
+      std::find_if(b.begin(), b.end(), HashValuesEqual(*i));
+    if (j != b.end())
+      return true;
+  }
+  return false;
+}
+
+bool AddHash(const char* sha1_hash,
+             HashValueVector* out) {
+  HashValue hash(HASH_VALUE_SHA1);
+  memcpy(hash.data(), sha1_hash, 20);

[Ryan Sleevi, 2012/12/07 23:37:21]

nit: 20 -> hash.size()?

[unsafe, 2012/12/08 09:22:42]

Done.

+  out->push_back(hash);
+  return true;
+}
+
+} // namespace
+
 TransportSecurityState::TransportSecurityState()
   : delegate_(NULL) {
 }
 
 TransportSecurityState::Iterator::Iterator(const TransportSecurityState& state)
     : iterator_(state.enabled_hosts_.begin()),
       end_(state.enabled_hosts_.end()) {
 }
 
 TransportSecurityState::Iterator::~Iterator() {}
@@ skipping 112 matching lines @@
       enabled_hosts_.erase(i++);
     } else {
       i++;
     }
   }
 
   if (dirtied)
     DirtyNotify();
 }
 
-// MaxAgeToInt converts a string representation of a number of seconds into a
-// int. We use strtol in order to handle overflow correctly. The string may
-// contain an arbitary number which we should truncate correctly rather than
-// throwing a parse failure.
-static bool MaxAgeToInt(std::string::const_iterator begin,
-                        std::string::const_iterator end,
-                        int* result) {
-  const std::string s(begin, end);
-  char* endptr;
-  long int i = strtol(s.data(), &endptr, 10 /* base */);
-  if (*endptr || i < 0)
-    return false;
-  if (i > TransportSecurityState::kMaxHSTSAgeSecs)
-    i = TransportSecurityState::kMaxHSTSAgeSecs;
-  *result = i;
-  return true;
-}
-
-// Strip, Split, StringPair, and ParsePins are private implementation details
-// of ParsePinsHeader(std::string&, DomainState&).
-static std::string Strip(const std::string& source) {
-  if (source.empty())
-    return source;
-
-  std::string::const_iterator start = source.begin();
-  std::string::const_iterator end = source.end();
-  HttpUtil::TrimLWS(&start, &end);
-  return std::string(start, end);
-}
-
-typedef std::pair<std::string, std::string> StringPair;
-
-static StringPair Split(const std::string& source, char delimiter) {
-  StringPair pair;
-  size_t point = source.find(delimiter);
-
-  pair.first = source.substr(0, point);
-  if (std::string::npos != point)
-    pair.second = source.substr(point + 1);
-
-  return pair;
-}
-
-// static
-bool TransportSecurityState::ParsePin(const std::string& value,
-                                      HashValue* out) {
-  StringPair slash = Split(Strip(value), '/');
-
-  if (slash.first == "sha1")
-    out->tag = HASH_VALUE_SHA1;
-  else if (slash.first == "sha256")
-    out->tag = HASH_VALUE_SHA256;
-  else
-    return false;
-
-  std::string decoded;
-  if (!base::Base64Decode(slash.second, &decoded) ||
-      decoded.size() != out->size()) {
-    return false;
-  }
-
-  memcpy(out->data(), decoded.data(), out->size());
-  return true;
-}
-
-static bool ParseAndAppendPin(const std::string& value,
-                              HashValueTag tag,
-                              HashValueVector* hashes) {
-  std::string unquoted = HttpUtil::Unquote(value);
-  std::string decoded;
-
-  // This code has to assume that 32 bytes is SHA-256 and 20 bytes is SHA-1.
-  // Currently, those are the only two possibilities, so the assumption is
-  // valid.
-  if (!base::Base64Decode(unquoted, &decoded))
-    return false;
-
-  HashValue hash(tag);
-  if (decoded.size() != hash.size())
-    return false;
-
-  memcpy(hash.data(), decoded.data(), hash.size());
-  hashes->push_back(hash);
-  return true;
-}
-
-struct HashValuesEqualPredicate {
-  explicit HashValuesEqualPredicate(const HashValue& fingerprint) :
-      fingerprint_(fingerprint) {}
-
-  bool operator()(const HashValue& other) const {
-    return fingerprint_.Equals(other);
-  }
-
-  const HashValue& fingerprint_;
-};
-
-// Returns true iff there is an item in |pins| which is not present in
-// |from_cert_chain|. Such an SPKI hash is called a "backup pin".
-static bool IsBackupPinPresent(const HashValueVector& pins,
-                               const HashValueVector& from_cert_chain) {
-  for (HashValueVector::const_iterator
-       i = pins.begin(); i != pins.end(); ++i) {
-    HashValueVector::const_iterator j =
-        std::find_if(from_cert_chain.begin(), from_cert_chain.end(),
-                     HashValuesEqualPredicate(*i));
-      if (j == from_cert_chain.end())
-        return true;
-  }
-
-  return false;
-}
-
-// Returns true if the intersection of |a| and |b| is not empty. If either
-// |a| or |b| is empty, returns false.
-static bool HashesIntersect(const HashValueVector& a,
-                            const HashValueVector& b) {
-  for (HashValueVector::const_iterator i = a.begin(); i != a.end(); ++i) {
-    HashValueVector::const_iterator j =
-        std::find_if(b.begin(), b.end(), HashValuesEqualPredicate(*i));
-    if (j != b.end())
-      return true;
-  }
-
-  return false;
-}
-
-// Returns true iff |pins| contains both a live and a backup pin. A live pin
-// is a pin whose SPKI is present in the certificate chain in |ssl_info|. A
-// backup pin is a pin intended for disaster recovery, not day-to-day use, and
-// thus must be absent from the certificate chain. The Public-Key-Pins header
-// specification requires both.
-static bool IsPinListValid(const HashValueVector& pins,
-                           const SSLInfo& ssl_info) {
-  // Fast fail: 1 live + 1 backup = at least 2 pins. (Check for actual
-  // liveness and backupness below.)
-  if (pins.size() < 2)
-    return false;
-
-  const HashValueVector& from_cert_chain = ssl_info.public_key_hashes;
-  if (from_cert_chain.empty())
-    return false;
-
-  return IsBackupPinPresent(pins, from_cert_chain) &&
-         HashesIntersect(pins, from_cert_chain);
-}
-
-// "Public-Key-Pins" ":"
-//     "max-age" "=" delta-seconds ";"
-//     "pin-" algo "=" base64 [ ";" ... ]
-bool TransportSecurityState::DomainState::ParsePinsHeader(
-    const base::Time& now,
-    const std::string& value,
-    const SSLInfo& ssl_info) {
-  bool parsed_max_age = false;
-  int max_age_candidate = 0;
-  HashValueVector pins;
-
-  std::string source = value;
-
-  while (!source.empty()) {
-    StringPair semicolon = Split(source, ';');
-    semicolon.first = Strip(semicolon.first);
-    semicolon.second = Strip(semicolon.second);
-    StringPair equals = Split(semicolon.first, '=');
-    equals.first = Strip(equals.first);
-    equals.second = Strip(equals.second);
-
-    if (LowerCaseEqualsASCII(equals.first, "max-age")) {
-      if (equals.second.empty() ||
-          !MaxAgeToInt(equals.second.begin(), equals.second.end(),
-                       &max_age_candidate)) {
-        return false;
-      }
-      if (max_age_candidate > kMaxHSTSAgeSecs)
-        max_age_candidate = kMaxHSTSAgeSecs;
-      parsed_max_age = true;
-    } else if (StartsWithASCII(equals.first, "pin-", false)) {
-      HashValueTag tag;
-      if (LowerCaseEqualsASCII(equals.first, "pin-sha1")) {
-        tag = HASH_VALUE_SHA1;
-      } else if (LowerCaseEqualsASCII(equals.first, "pin-sha256")) {
-        tag = HASH_VALUE_SHA256;
-      } else {
-        LOG(WARNING) << "Ignoring pin of unknown type: " << equals.first;
-        return false;
-      }
-      if (!ParseAndAppendPin(equals.second, tag, &pins))
-        return false;
-    } else {
-      // Silently ignore unknown directives for forward compatibility.
-    }
-
-    source = semicolon.second;
-  }
-
-  if (!parsed_max_age || !IsPinListValid(pins, ssl_info))
-    return false;
-
-  dynamic_spki_hashes_expiry =
-      now + base::TimeDelta::FromSeconds(max_age_candidate);
-
-  dynamic_spki_hashes.clear();
-  if (max_age_candidate > 0) {
-    for (HashValueVector::const_iterator i = pins.begin();
-         i != pins.end(); ++i) {
-      dynamic_spki_hashes.push_back(*i);
-    }
-  }
-
-  return true;
-}
-
-// Parse the Strict-Transport-Security header, as currently defined in
-// http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14:
-//
-// Strict-Transport-Security = "Strict-Transport-Security" ":"
-//                             [ directive ]  *( ";" [ directive ] )
-//
-// directive                 = directive-name [ "=" directive-value ]
-// directive-name            = token
-// directive-value           = token | quoted-string
-//
-// 1.  The order of appearance of directives is not significant.
-//
-// 2.  All directives MUST appear only once in an STS header field.
-//     Directives are either optional or required, as stipulated in
-//     their definitions.
-//
-// 3.  Directive names are case-insensitive.
-//
-// 4.  UAs MUST ignore any STS header fields containing directives, or
-//     other header field value data, that does not conform to the
-//     syntax defined in this specification.
-//
-// 5.  If an STS header field contains directive(s) not recognized by
-//     the UA, the UA MUST ignore the unrecognized directives and if the
-//     STS header field otherwise satisfies the above requirements (1
-//     through 4), the UA MUST process the recognized directives.
-bool TransportSecurityState::DomainState::ParseSTSHeader(
-    const base::Time& now,
-    const std::string& value) {
-  int max_age_candidate = 0;
-  bool include_subdomains_candidate = false;
-
-  // We must see max-age exactly once.
-  int max_age_observed = 0;
-  // We must see includeSubdomains exactly 0 or 1 times.
-  int include_subdomains_observed = 0;
-
-  enum ParserState {
-    START,
-    AFTER_MAX_AGE_LABEL,
-    AFTER_MAX_AGE_EQUALS,
-    AFTER_MAX_AGE,
-    AFTER_INCLUDE_SUBDOMAINS,
-    AFTER_UNKNOWN_LABEL,
-    DIRECTIVE_END
-  } state = START;
-
-  StringTokenizer tokenizer(value, " \t=;");
-  tokenizer.set_options(StringTokenizer::RETURN_DELIMS);
-  tokenizer.set_quote_chars("\"");
-  std::string unquoted;
-  while (tokenizer.GetNext()) {
-    DCHECK(!tokenizer.token_is_delim() || tokenizer.token().length() == 1);
-    switch (state) {
-      case START:
-      case DIRECTIVE_END:
-        if (IsAsciiWhitespace(*tokenizer.token_begin()))
-          continue;
-        if (LowerCaseEqualsASCII(tokenizer.token(), "max-age")) {
-          state = AFTER_MAX_AGE_LABEL;
-          max_age_observed++;
-        } else if (LowerCaseEqualsASCII(tokenizer.token(),
-                                        "includesubdomains")) {
-          state = AFTER_INCLUDE_SUBDOMAINS;
-          include_subdomains_observed++;
-          include_subdomains_candidate = true;
-        } else {
-          state = AFTER_UNKNOWN_LABEL;
-        }
-        break;
-
-      case AFTER_MAX_AGE_LABEL:
-        if (IsAsciiWhitespace(*tokenizer.token_begin()))
-          continue;
-        if (*tokenizer.token_begin() != '=')
-          return false;
-        DCHECK_EQ(tokenizer.token().length(), 1U);
-        state = AFTER_MAX_AGE_EQUALS;
-        break;
-
-      case AFTER_MAX_AGE_EQUALS:
-        if (IsAsciiWhitespace(*tokenizer.token_begin()))
-          continue;
-        unquoted = HttpUtil::Unquote(tokenizer.token());
-        if (!MaxAgeToInt(unquoted.begin(),
-                         unquoted.end(),
-                         &max_age_candidate))
-          return false;
-        state = AFTER_MAX_AGE;
-        break;
-
-      case AFTER_MAX_AGE:
-      case AFTER_INCLUDE_SUBDOMAINS:
-        if (IsAsciiWhitespace(*tokenizer.token_begin()))
-          continue;
-        else if (*tokenizer.token_begin() == ';')
-          state = DIRECTIVE_END;
-        else
-          return false;
-        break;
-
-      case AFTER_UNKNOWN_LABEL:
-        // Consume and ignore the post-label contents (if any).
-        if (*tokenizer.token_begin() != ';')
-          continue;
-        state = DIRECTIVE_END;
-        break;
-    }
-  }
-
-  // We've consumed all the input.  Let's see what state we ended up in.
-  if (max_age_observed != 1 ||
-      (include_subdomains_observed != 0 && include_subdomains_observed != 1)) {
-    return false;
-  }
-
-  switch (state) {
-    case AFTER_MAX_AGE:
-    case AFTER_INCLUDE_SUBDOMAINS:
-    case AFTER_UNKNOWN_LABEL:
-      if (max_age_candidate > 0) {
-        upgrade_expiry = now + base::TimeDelta::FromSeconds(max_age_candidate);
-        upgrade_mode = MODE_FORCE_HTTPS;
-      } else {
-        upgrade_expiry = now;
-        upgrade_mode = MODE_DEFAULT;
-      }
-      include_subdomains = include_subdomains_candidate;
-      return true;
-    case START:
-    case DIRECTIVE_END:
-    case AFTER_MAX_AGE_LABEL:
-    case AFTER_MAX_AGE_EQUALS:
-      return false;
-    default:
-      NOTREACHED();
-      return false;
-  }
-}
-
-static bool AddHash(const std::string& type_and_base64,
-                    HashValueVector* out) {
-  HashValue hash;
-
-  if (!TransportSecurityState::ParsePin(type_and_base64, &hash))
-    return false;
-
-  out->push_back(hash);
-  return true;
-}
-
 TransportSecurityState::~TransportSecurityState() {}
 
 void TransportSecurityState::DirtyNotify() {
   DCHECK(CalledOnValidThread());
 
   if (delegate_)
     delegate_->StateIsDirty(this);
 }
 
 // static
@@ skipping 319 matching lines @@
         memcmp(entries[j].dns_name, &canonicalized_host[i],
                entries[j].length) == 0) {
       if (!entries[j].include_subdomains && i != 0) {
         *ret = false;
       } else {
         out->include_subdomains = entries[j].include_subdomains;
         *ret = true;
         if (!entries[j].https_required)
           out->upgrade_mode = TransportSecurityState::DomainState::MODE_DEFAULT;
         if (entries[j].pins.required_hashes) {
-          const char* const* hash = entries[j].pins.required_hashes;
-          while (*hash) {
-            bool ok = AddHash(*hash, &out->static_spki_hashes);
-            DCHECK(ok) << " failed to parse " << *hash;
-            hash++;
+          const char* const* sha1_hash = entries[j].pins.required_hashes;
+          while (*sha1_hash) {
+            AddHash(*sha1_hash, &out->static_spki_hashes);
+            sha1_hash++;
           }
         }
         if (entries[j].pins.excluded_hashes) {
-          const char* const* hash = entries[j].pins.excluded_hashes;
-          while (*hash) {
-            bool ok = AddHash(*hash, &out->bad_static_spki_hashes);
-            DCHECK(ok) << " failed to parse " << *hash;
-            hash++;
+          const char* const* sha1_hash = entries[j].pins.excluded_hashes;
+          while (*sha1_hash) {
+            AddHash(*sha1_hash, &out->bad_static_spki_hashes);
+            sha1_hash++;
           }
         }
       }
       return true;
     }
   }
   return false;
 }
 
 #include "net/base/transport_security_state_static.h"
@@ skipping 18 matching lines @@
       if (entry->length == canonicalized_host.size() - i &&
           memcmp(entry->dns_name, &canonicalized_host[i], entry->length) == 0) {
         return entry;
       }
     }
   }
 
   return NULL;
 }
 
+bool TransportSecurityState::AddHSTSHeader(const std::string& host,
+                                           const std::string& value) {
+  base::Time now = base::Time::Now();
+  TransportSecurityState::DomainState domain_state;
+  if (ParseHSTSHeader(now, value,
+                      &domain_state.upgrade_expiry,
+                      &domain_state.include_subdomains)) {

[Ryan Sleevi, 2012/12/07 23:37:21]

The wrapping here is inconsistent. Can you fit this on two lines instead of
three?

See also 629-632

[unsafe, 2012/12/08 09:22:42]

Done.

+    // Handle max-age == 0
+    if (now == domain_state.upgrade_expiry)
+      domain_state.upgrade_mode = DomainState::MODE_DEFAULT;
+    else
+      domain_state.upgrade_mode = DomainState::MODE_FORCE_HTTPS;
+    domain_state.created = now;
+    EnableHost(host, domain_state);
+    return true;
+  }
+  return false;
+}
+
+bool TransportSecurityState::AddHPKPHeader(const std::string& host,
+                                           const std::string& value,
+                                           const SSLInfo& ssl_info) {
+  base::Time now = base::Time::Now();
+  TransportSecurityState::DomainState domain_state;
+  if (ParseHPKPHeader(now, value,
+                      ssl_info.public_key_hashes,
+                      &domain_state.dynamic_spki_hashes_expiry,
+                      &domain_state.dynamic_spki_hashes)) {
+    domain_state.upgrade_mode = DomainState::MODE_DEFAULT;
+    domain_state.created = now;
+    EnableHost(host, domain_state);
+    return true;
+  }
+  return false;
+}
+
 // static
 bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
                                                     bool sni_enabled) {
   std::string canonicalized_host = CanonicalizeHost(host);
   const struct HSTSPreload* entry =
       GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
 
   if (entry && entry->pins.required_hashes == kGoogleAcceptableCerts)
     return true;
 
@@ skipping 25 matching lines @@
   }
 
   DCHECK(entry);
   DCHECK(entry->pins.required_hashes);
   DCHECK(entry->second_level_domain_name != DOMAIN_NOT_PINNED);
 
   UMA_HISTOGRAM_ENUMERATION("Net.PublicKeyPinFailureDomain",
                             entry->second_level_domain_name, DOMAIN_NUM_EVENTS);
 }
 
-// static
-const char* TransportSecurityState::HashValueLabel(
-    const HashValue& hash_value) {
-  switch (hash_value.tag) {
-    case HASH_VALUE_SHA1:
-      return "sha1/";
-    case HASH_VALUE_SHA256:
-      return "sha256/";
-    default:
-      NOTREACHED();
-      LOG(WARNING) << "Invalid fingerprint of unknown type " << hash_value.tag;
-      return "unknown/";
-  }
-}
-
 bool TransportSecurityState::GetStaticDomainState(
     const std::string& canonicalized_host,
     bool sni_enabled,
     DomainState* out) {
   DCHECK(CalledOnValidThread());
 
   out->upgrade_mode = DomainState::MODE_FORCE_HTTPS;
   out->include_subdomains = false;
 
   for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
@@ skipping 24 matching lines @@
 void TransportSecurityState::AddOrUpdateEnabledHosts(
     const std::string& hashed_host, const DomainState& state) {
   enabled_hosts_[hashed_host] = state;
 }
 
 void TransportSecurityState::AddOrUpdateForcedHosts(
     const std::string& hashed_host, const DomainState& state) {
   forced_hosts_[hashed_host] = state;
 }
 
-static std::string HashesToBase64String(
-    const HashValueVector& hashes) {
-  std::vector<std::string> hashes_strs;
-  for (HashValueVector::const_iterator
-       i = hashes.begin(); i != hashes.end(); i++) {
-    std::string s;
-    const std::string hash_str(reinterpret_cast<const char*>(i->data()),
-                               i->size());
-    base::Base64Encode(hash_str, &s);
-    hashes_strs.push_back(s);
-  }
-
-  return JoinString(hashes_strs, ',');
-}
-
 TransportSecurityState::DomainState::DomainState()
     : upgrade_mode(MODE_FORCE_HTTPS),
       created(base::Time::Now()),
       include_subdomains(false) {
 }
 
 TransportSecurityState::DomainState::~DomainState() {
 }
 
 bool TransportSecurityState::DomainState::IsChainOfPublicKeysPermitted(
@@ skipping 42 matching lines @@
   return true;
 }
 
 bool TransportSecurityState::DomainState::HasPins() const {
   return static_spki_hashes.size() > 0 ||
          bad_static_spki_hashes.size() > 0 ||
          dynamic_spki_hashes.size() > 0;
 }
 
 }  // namespace