Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(185)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/http/http_security_headers.cc

Issue 11274032: Separate http_security_headers from transport_security_state (Closed) Base URL: https://src.chromium.org/chrome/trunk/src/
Patch Set: Created 8 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/base/transport_security_state.cc ('K') | « net/http/http_security_headers.h ('k') | net/http/http_security_headers_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/base64.h"
6 #include "base/string_number_conversions.h"
7 #include "base/string_tokenizer.h"
8 #include "base/string_util.h"
9 #include "net/http/http_security_headers.h"
10 #include "net/http/http_util.h"
11
12 namespace net {
13
14 namespace {
15
16 // MaxAgeToInt converts a string representation of a number of seconds into a
17 // int. We use strtol in order to handle overflow correctly. The string may
18 // contain an arbitary number which we should truncate correctly rather than
19 // throwing a parse failure.
20 bool MaxAgeToInt(std::string::const_iterator begin,
21 std::string::const_iterator end,
22 int* result) {
23 const std::string s(begin, end);
24 char* endptr;
25 long int i = strtol(s.data(), &endptr, 10 /* base */);
Ryan Sleevi 2012/12/07 23:37:21 BUG: I previously advised you not to use strtol, b
unsafe 2012/12/08 09:22:42 Not my code, but fixed. StringToUint64 doesn't se
26 if (*endptr || i < 0)
27 return false;
28 if (i > kMaxHSTSAgeSecs)
29 i = kMaxHSTSAgeSecs;
30 *result = i;
31 return true;
32 }
33
34 // Returns true iff there is an item in |pins| which is not present in
35 // |from_cert_chain|. Such an SPKI hash is called a "backup pin".
36 bool IsBackupPinPresent(const HashValueVector& pins,
37 const HashValueVector& from_cert_chain) {
38 for (HashValueVector::const_iterator
39 i = pins.begin(); i != pins.end(); ++i) {
Ryan Sleevi 2012/12/07 23:37:21 i = pins.begin(); should fit on the previous line,
unsafe 2012/12/08 09:22:42 Done.
40 HashValueVector::const_iterator j =
41 std::find_if(from_cert_chain.begin(), from_cert_chain.end(),
42 HashValuesEqual(*i));
43 if (j == from_cert_chain.end())
44 return true;
45 }
46
47 return false;
48 }
49
50 // Returns true if the intersection of |a| and |b| is not empty. If either
51 // |a| or |b| is empty, returns false.
52 bool HashesIntersect(const HashValueVector& a,
53 const HashValueVector& b) {
54 for (HashValueVector::const_iterator i = a.begin(); i != a.end(); ++i) {
55 HashValueVector::const_iterator j =
56 std::find_if(b.begin(), b.end(), HashValuesEqual(*i));
Ryan Sleevi 2012/12/07 23:37:21 style nit: four space indent here
unsafe 2012/12/08 09:22:42 Done.
57 if (j != b.end())
58 return true;
59 }
60 return false;
61 }
62
63 // Returns true iff |pins| contains both a live and a backup pin. A live pin
64 // is a pin whose SPKI is present in the certificate chain in |ssl_info|. A
65 // backup pin is a pin intended for disaster recovery, not day-to-day use, and
66 // thus must be absent from the certificate chain. The Public-Key-Pins header
67 // specification requires both.
68 bool IsPinListValid(const HashValueVector& pins,
69 const HashValueVector& from_cert_chain) {
70 // Fast fail: 1 live + 1 backup = at least 2 pins. (Check for actual
71 // liveness and backupness below.)
72 if (pins.size() < 2)
73 return false;
74
75 if (from_cert_chain.empty())
76 return false;
77
78 return IsBackupPinPresent(pins, from_cert_chain) &&
79 HashesIntersect(pins, from_cert_chain);
80 }
81
82 std::string Strip(const std::string& source) {
83 if (source.empty())
84 return source;
85
86 std::string::const_iterator start = source.begin();
87 std::string::const_iterator end = source.end();
88 HttpUtil::TrimLWS(&start, &end);
89 return std::string(start, end);
90 }
91
92 typedef std::pair<std::string, std::string> StringPair;
93
94 StringPair Split(const std::string& source, char delimiter) {
95 StringPair pair;
96 size_t point = source.find(delimiter);
97
98 pair.first = source.substr(0, point);
99 if (std::string::npos != point)
100 pair.second = source.substr(point + 1);
101
102 return pair;
103 }
104
105 bool ParseAndAppendPin(const std::string& value,
106 HashValueTag tag,
107 HashValueVector* hashes) {
108 std::string unquoted = HttpUtil::Unquote(value);
109 std::string decoded;
110
111 // This code has to assume that 32 bytes is SHA-256 and 20 bytes is SHA-1.
Ryan Sleevi 2012/12/07 23:37:21 comment nit: This code does not assume that (becau
unsafe 2012/12/08 09:22:42 Done.
112 // Currently, those are the only two possibilities, so the assumption is
113 // valid.
114 if (!base::Base64Decode(unquoted, &decoded))
115 return false;
116
117 HashValue hash(tag);
118 if (decoded.size() != hash.size())
119 return false;
120
121 memcpy(hash.data(), decoded.data(), hash.size());
122 hashes->push_back(hash);
123 return true;
124 }
125
126 } // namespace
127
128 // Parse the Strict-Transport-Security header, as currently defined in
129 // http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14:
130 //
131 // Strict-Transport-Security = "Strict-Transport-Security" ":"
132 // [ directive ] *( ";" [ directive ] )
133 //
134 // directive = directive-name [ "=" directive-value ]
135 // directive-name = token
136 // directive-value = token | quoted-string
137 //
138 // 1. The order of appearance of directives is not significant.
139 //
140 // 2. All directives MUST appear only once in an STS header field.
141 // Directives are either optional or required, as stipulated in
142 // their definitions.
143 //
144 // 3. Directive names are case-insensitive.
145 //
146 // 4. UAs MUST ignore any STS header fields containing directives, or
147 // other header field value data, that does not conform to the
148 // syntax defined in this specification.
149 //
150 // 5. If an STS header field contains directive(s) not recognized by
151 // the UA, the UA MUST ignore the unrecognized directives and if the
152 // STS header field otherwise satisfies the above requirements (1
153 // through 4), the UA MUST process the recognized directives.
154 bool ParseHSTSHeader(const base::Time& now, const std::string& value,
155 base::Time* expiry, // OUT
156 bool* include_subdomains) { // OUT
157 int max_age_candidate = 0;
158 bool include_subdomains_candidate = false;
159
160 // We must see max-age exactly once.
161 int max_age_observed = 0;
162 // We must see includeSubdomains exactly 0 or 1 times.
163 int include_subdomains_observed = 0;
164
165 enum ParserState {
166 START,
167 AFTER_MAX_AGE_LABEL,
168 AFTER_MAX_AGE_EQUALS,
169 AFTER_MAX_AGE,
170 AFTER_INCLUDE_SUBDOMAINS,
171 AFTER_UNKNOWN_LABEL,
172 DIRECTIVE_END
173 } state = START;
174
175 StringTokenizer tokenizer(value, " \t=;");
176 tokenizer.set_options(StringTokenizer::RETURN_DELIMS);
177 tokenizer.set_quote_chars("\"");
178 std::string unquoted;
179 while (tokenizer.GetNext()) {
180 DCHECK(!tokenizer.token_is_delim() || tokenizer.token().length() == 1);
181 switch (state) {
182 case START:
183 case DIRECTIVE_END:
184 if (IsAsciiWhitespace(*tokenizer.token_begin()))
185 continue;
186 if (LowerCaseEqualsASCII(tokenizer.token(), "max-age")) {
187 state = AFTER_MAX_AGE_LABEL;
188 max_age_observed++;
189 } else if (LowerCaseEqualsASCII(tokenizer.token(),
190 "includesubdomains")) {
191 state = AFTER_INCLUDE_SUBDOMAINS;
192 include_subdomains_observed++;
193 include_subdomains_candidate = true;
194 } else {
195 state = AFTER_UNKNOWN_LABEL;
196 }
197 break;
198
199 case AFTER_MAX_AGE_LABEL:
200 if (IsAsciiWhitespace(*tokenizer.token_begin()))
201 continue;
202 if (*tokenizer.token_begin() != '=')
203 return false;
204 DCHECK_EQ(tokenizer.token().length(), 1U);
205 state = AFTER_MAX_AGE_EQUALS;
206 break;
207
208 case AFTER_MAX_AGE_EQUALS:
209 if (IsAsciiWhitespace(*tokenizer.token_begin()))
210 continue;
211 unquoted = HttpUtil::Unquote(tokenizer.token());
212 if (!MaxAgeToInt(unquoted.begin(),
213 unquoted.end(),
214 &max_age_candidate))
Ryan Sleevi 2012/12/07 23:37:21 nit: add braces because the if condition spans mul
unsafe 2012/12/08 09:22:42 Done.
215 return false;
216 state = AFTER_MAX_AGE;
217 break;
218
219 case AFTER_MAX_AGE:
220 case AFTER_INCLUDE_SUBDOMAINS:
221 if (IsAsciiWhitespace(*tokenizer.token_begin()))
222 continue;
223 else if (*tokenizer.token_begin() == ';')
224 state = DIRECTIVE_END;
225 else
226 return false;
227 break;
228
229 case AFTER_UNKNOWN_LABEL:
230 // Consume and ignore the post-label contents (if any).
231 if (*tokenizer.token_begin() != ';')
232 continue;
233 state = DIRECTIVE_END;
234 break;
235 }
236 }
237
238 // We've consumed all the input. Let's see what state we ended up in.
239 if (max_age_observed != 1 ||
240 (include_subdomains_observed != 0 && include_subdomains_observed != 1)) {
241 return false;
242 }
243
244 switch (state) {
245 case AFTER_MAX_AGE:
246 case AFTER_INCLUDE_SUBDOMAINS:
247 case AFTER_UNKNOWN_LABEL:
248 *expiry = now + base::TimeDelta::FromSeconds(max_age_candidate);
249 *include_subdomains = include_subdomains_candidate;
250 return true;
251 case START:
252 case DIRECTIVE_END:
253 case AFTER_MAX_AGE_LABEL:
254 case AFTER_MAX_AGE_EQUALS:
255 return false;
256 default:
257 NOTREACHED();
258 return false;
259 }
260 }
261
262 // "Public-Key-Pins" ":"
263 // "max-age" "=" delta-seconds ";"
264 // "pin-" algo "=" base64 [ ";" ... ]
265 bool ParseHPKPHeader(const base::Time& now,
266 const std::string& value,
267 const HashValueVector& chain_hashes,
268 base::Time* expiry,
269 HashValueVector* hashes) {
270 bool parsed_max_age = false;
271 int max_age_candidate = 0;
272 HashValueVector pins;
273
274 std::string source = value;
275
276 while (!source.empty()) {
277 StringPair semicolon = Split(source, ';');
278 semicolon.first = Strip(semicolon.first);
279 semicolon.second = Strip(semicolon.second);
280 StringPair equals = Split(semicolon.first, '=');
281 equals.first = Strip(equals.first);
282 equals.second = Strip(equals.second);
283
284 if (LowerCaseEqualsASCII(equals.first, "max-age")) {
285 if (equals.second.empty() ||
286 !MaxAgeToInt(equals.second.begin(), equals.second.end(),
287 &max_age_candidate)) {
288 return false;
289 }
290 parsed_max_age = true;
291 } else if (LowerCaseEqualsASCII(equals.first, "pin-sha1")) {
292 if (!ParseAndAppendPin(equals.second, HASH_VALUE_SHA1, &pins)) {
293 return false;
294 }
Ryan Sleevi 2012/12/07 23:37:21 nit: no braces
unsafe 2012/12/08 09:22:42 Done.
295 } else if (LowerCaseEqualsASCII(equals.first, "pin-sha256")) {
296 if (!ParseAndAppendPin(equals.second, HASH_VALUE_SHA256, &pins)) {
297 return false;
298 }
Ryan Sleevi 2012/12/07 23:37:21 nit: no braces
unsafe 2012/12/08 09:22:42 Done.
299 } else {
300 // Silently ignore unknown directives for forward compatibility.
301 }
302
303 source = semicolon.second;
304 }
305
306 if (!parsed_max_age)
307 return false;
308
309 if (!IsPinListValid(pins, chain_hashes))
310 return false;
311
312 *expiry = now + base::TimeDelta::FromSeconds(max_age_candidate);
313 for (HashValueVector::const_iterator i = pins.begin();
314 i != pins.end(); ++i) {
315 hashes->push_back(*i);
316 }
317
318 return true;
319 }
320
321 } // namespace net
322
OLDNEW
« net/base/transport_security_state.cc ('K') | « net/http/http_security_headers.h ('k') | net/http/http_security_headers_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698