Separate http_security_headers from transport_security_state

net/http/http_security_headers.cc

+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/base64.h"
+#include "base/basictypes.h"
+#include "base/string_number_conversions.h"
+#include "base/string_tokenizer.h"
+#include "base/string_util.h"
+#include "net/http/http_security_headers.h"
+#include "net/http/http_util.h"
+
+namespace net {
+
+namespace {
+COMPILE_ASSERT(kMaxHSTSAgeSecs <= kuint32max, kMaxHSTSAgeSecsTooLarge);

[Ryan Sleevi, 2012/12/22 00:56:30]

nit: Add a line break here

[unsafe, 2012/12/22 05:49:43]

Done.

+
+// MaxAgeToInt converts a string representation of a number of seconds
+// into a uint32. We use StringToInt64 in order to handle overflow and
+// negative numbers correctly (StringToUint64 does not return false on
+// negative numbers, so we have to check for this explicitly).  The
+// string may contain an arbitarily large number which we should
+// clip to kMaxHSTSAgeSecs, rather than returning false.

[Ryan Sleevi, 2012/12/22 00:56:30]

So looking over the comment changes:

1) StringToInt64 -> StringToUint64 (problem solved :-p)
2) The reason to use an [u]int64 has nothing to do with the sizing here, and has
everything to do with the notion of "Delta Seconds" in RFC 2616, which does not
restrict the prevision. HTTP clients 'typically' (always) treat delta-seconds
using maximum width integers

"MaxAgeToInt converts a string representation of a number of seconds
('delta-seconds', as defined in RFC 2616) into a suitable maximum age. The
string may contain an arbitrarily large number, which we clip to
kMaxHSTSAgeSecs."

[unsafe, 2012/12/22 05:49:43]

What do you mean? That the code should use StringToUint64?  StringToUint64
doesn't return false on negative numbers! (which I found surprising, what's it
good for?!)
I'm using it because it's large enough to to contain kuint32max, if there was a
StringToUint32 that did the obvious thing (returned false on negatives), I'd use
that instead, but there isn't (there's a StringToUint / StringToInt, but are
those guaranteed to be 32-bit types?)
OK, I did something similar to this.

+

[Ryan Sleevi, 2012/12/22 00:56:30]

You can nuke this extra whitespace.

[unsafe, 2012/12/22 05:49:43]

Done.

+bool MaxAgeToInt(std::string::const_iterator begin,
+                 std::string::const_iterator end,
+                 uint32* result) {
+  const std::string s(begin, end);
+  int64 i = 0;
+  // Reject any StringToInt64 parse errors *except* int64 overflow.
+  // Values too large to be stored in an int64 return false with
+  // i set to kint64max.  Such values, and any values larger than
+  // kMaxHSTSAgeSecs, will be clipped to kMaxHSTSAgeSecs, which is
+  // guaranteed by the COMPILE_ASSERT above to fit within a
+  // 32-bit unsigned integer, thus guaranteeing that the final
+  // result value will not be overflowed.

[Ryan Sleevi, 2012/12/22 00:56:30]

You can just nuke this comment, since I think it duplicates the function level
comment.

Again, you are NOT handling int64 overflow here - when int64 is overflowed,
StringTo[U]Int64 returns false ( see
https://code.google.com/searchframe#OAMlx_jo-ck/src/base/string_number_conver...
), so it will not be handled.

[unsafe, 2012/12/22 05:49:43]

Reworked the comments to be less redundant, but I think there's value in a
comment describing what the function does, as well as an implementation comment
describing why/how we're using StringToInt64, because there's a couple
non-obvious points (handling of negative inputs, and inputs > kint64max).
Yes, but in that case StringToInt64 simultaneously sets the output value to
kint64max.  MaxAgeToInt detects this case and does not treat it as a parse error
(see following line).  So, the code "handles" arbitrarily large values in the
sense that an input greater than kMaxHSTSAgeSecs is clipped to kMaxHSTSAgeSecs,
whether that input is also greater than kint64max or not  (and the unit test
checks both cases).

+  if (!base::StringToInt64(s, &i) && i != kint64max)
+    return false;
+  if (i < 0)
+    return false;
+  if (i > kMaxHSTSAgeSecs)
+    i = kMaxHSTSAgeSecs;
+  *result = (uint32)i;
+  return true;
+}
+
+// Returns true iff there is an item in |pins| which is not present in
+// |from_cert_chain|. Such an SPKI hash is called a "backup pin".
+bool IsBackupPinPresent(const HashValueVector& pins,
+                        const HashValueVector& from_cert_chain) {
+  for (HashValueVector::const_iterator i = pins.begin(); i != pins.end();
+       ++i) {
+    HashValueVector::const_iterator j =
+        std::find_if(from_cert_chain.begin(), from_cert_chain.end(),
+                     HashValuesEqual(*i));
+    if (j == from_cert_chain.end())
+      return true;
+  }
+
+  return false;
+}
+
+// Returns true if the intersection of |a| and |b| is not empty. If either
+// |a| or |b| is empty, returns false.
+bool HashesIntersect(const HashValueVector& a,
+                     const HashValueVector& b) {
+  for (HashValueVector::const_iterator i = a.begin(); i != a.end(); ++i) {
+    HashValueVector::const_iterator j =
+        std::find_if(b.begin(), b.end(), HashValuesEqual(*i));
+    if (j != b.end())
+      return true;
+  }
+  return false;
+}
+
+// Returns true iff |pins| contains both a live and a backup pin. A live pin
+// is a pin whose SPKI is present in the certificate chain in |ssl_info|. A
+// backup pin is a pin intended for disaster recovery, not day-to-day use, and
+// thus must be absent from the certificate chain. The Public-Key-Pins header
+// specification requires both.
+bool IsPinListValid(const HashValueVector& pins,
+                    const HashValueVector& from_cert_chain) {
+  // Fast fail: 1 live + 1 backup = at least 2 pins. (Check for actual
+  // liveness and backupness below.)
+  if (pins.size() < 2)
+    return false;
+
+  if (from_cert_chain.empty())
+    return false;
+
+  return IsBackupPinPresent(pins, from_cert_chain) &&
+         HashesIntersect(pins, from_cert_chain);
+}
+
+std::string Strip(const std::string& source) {
+  if (source.empty())
+    return source;
+
+  std::string::const_iterator start = source.begin();
+  std::string::const_iterator end = source.end();
+  HttpUtil::TrimLWS(&start, &end);
+  return std::string(start, end);
+}
+
+typedef std::pair<std::string, std::string> StringPair;
+
+StringPair Split(const std::string& source, char delimiter) {
+  StringPair pair;
+  size_t point = source.find(delimiter);
+
+  pair.first = source.substr(0, point);
+  if (std::string::npos != point)
+    pair.second = source.substr(point + 1);
+
+  return pair;
+}
+
+bool ParseAndAppendPin(const std::string& value,
+                       HashValueTag tag,
+                       HashValueVector* hashes) {
+  std::string unquoted = HttpUtil::Unquote(value);
+  std::string decoded;
+
+  if (unquoted.empty())
+      return false;
+
+  if (!base::Base64Decode(unquoted, &decoded))
+    return false;
+
+  HashValue hash(tag);
+  if (decoded.size() != hash.size())
+    return false;
+
+  memcpy(hash.data(), decoded.data(), hash.size());
+  hashes->push_back(hash);
+  return true;
+}
+
+}  // namespace
+
+// Parse the Strict-Transport-Security header, as currently defined in
+// http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14:
+//
+// Strict-Transport-Security = "Strict-Transport-Security" ":"
+//                             [ directive ]  *( ";" [ directive ] )
+//
+// directive                 = directive-name [ "=" directive-value ]
+// directive-name            = token
+// directive-value           = token | quoted-string
+//
+// 1.  The order of appearance of directives is not significant.
+//
+// 2.  All directives MUST appear only once in an STS header field.
+//     Directives are either optional or required, as stipulated in
+//     their definitions.
+//
+// 3.  Directive names are case-insensitive.
+//
+// 4.  UAs MUST ignore any STS header fields containing directives, or
+//     other header field value data, that does not conform to the
+//     syntax defined in this specification.
+//
+// 5.  If an STS header field contains directive(s) not recognized by
+//     the UA, the UA MUST ignore the unrecognized directives and if the
+//     STS header field otherwise satisfies the above requirements (1
+//     through 4), the UA MUST process the recognized directives.
+bool ParseHSTSHeader(const base::Time& now, const std::string& value,
+                     base::Time* expiry,         // OUT
+                     bool* include_subdomains) {  // OUT
+  uint32 max_age_candidate = 0;
+  bool include_subdomains_candidate = false;
+
+  // We must see max-age exactly once.
+  int max_age_observed = 0;
+  // We must see includeSubdomains exactly 0 or 1 times.
+  int include_subdomains_observed = 0;
+
+  enum ParserState {
+    START,
+    AFTER_MAX_AGE_LABEL,
+    AFTER_MAX_AGE_EQUALS,
+    AFTER_MAX_AGE,
+    AFTER_INCLUDE_SUBDOMAINS,
+    AFTER_UNKNOWN_LABEL,
+    DIRECTIVE_END
+  } state = START;
+
+  StringTokenizer tokenizer(value, " \t=;");
+  tokenizer.set_options(StringTokenizer::RETURN_DELIMS);
+  tokenizer.set_quote_chars("\"");
+  std::string unquoted;
+  while (tokenizer.GetNext()) {
+    DCHECK(!tokenizer.token_is_delim() || tokenizer.token().length() == 1);
+    switch (state) {
+      case START:
+      case DIRECTIVE_END:
+        if (IsAsciiWhitespace(*tokenizer.token_begin()))
+          continue;
+        if (LowerCaseEqualsASCII(tokenizer.token(), "max-age")) {
+          state = AFTER_MAX_AGE_LABEL;
+          max_age_observed++;
+        } else if (LowerCaseEqualsASCII(tokenizer.token(),
+                                        "includesubdomains")) {
+          state = AFTER_INCLUDE_SUBDOMAINS;
+          include_subdomains_observed++;
+          include_subdomains_candidate = true;
+        } else {
+          state = AFTER_UNKNOWN_LABEL;
+        }
+        break;
+
+      case AFTER_MAX_AGE_LABEL:
+        if (IsAsciiWhitespace(*tokenizer.token_begin()))
+          continue;
+        if (*tokenizer.token_begin() != '=')
+          return false;
+        DCHECK_EQ(tokenizer.token().length(), 1U);
+        state = AFTER_MAX_AGE_EQUALS;
+        break;
+
+      case AFTER_MAX_AGE_EQUALS:
+        if (IsAsciiWhitespace(*tokenizer.token_begin()))
+          continue;
+        unquoted = HttpUtil::Unquote(tokenizer.token());
+        if (!MaxAgeToInt(unquoted.begin(), unquoted.end(), &max_age_candidate))
+          return false;
+        state = AFTER_MAX_AGE;
+        break;
+
+      case AFTER_MAX_AGE:
+      case AFTER_INCLUDE_SUBDOMAINS:
+        if (IsAsciiWhitespace(*tokenizer.token_begin()))
+          continue;
+        else if (*tokenizer.token_begin() == ';')
+          state = DIRECTIVE_END;
+        else
+          return false;
+        break;
+
+      case AFTER_UNKNOWN_LABEL:
+        // Consume and ignore the post-label contents (if any).
+        if (*tokenizer.token_begin() != ';')
+          continue;
+        state = DIRECTIVE_END;
+        break;
+    }
+  }
+
+  // We've consumed all the input.  Let's see what state we ended up in.
+  if (max_age_observed != 1 ||
+      (include_subdomains_observed != 0 && include_subdomains_observed != 1)) {
+    return false;
+  }
+
+  switch (state) {
+    case AFTER_MAX_AGE:
+    case AFTER_INCLUDE_SUBDOMAINS:
+    case AFTER_UNKNOWN_LABEL:
+      *expiry = now + base::TimeDelta::FromSeconds(max_age_candidate);
+      *include_subdomains = include_subdomains_candidate;
+      return true;
+    case START:
+    case DIRECTIVE_END:
+    case AFTER_MAX_AGE_LABEL:
+    case AFTER_MAX_AGE_EQUALS:
+      return false;
+    default:
+      NOTREACHED();
+      return false;
+  }
+}
+
+// "Public-Key-Pins" ":"
+//     "max-age" "=" delta-seconds ";"
+//     "pin-" algo "=" base64 [ ";" ... ]
+bool ParseHPKPHeader(const base::Time& now,
+                     const std::string& value,
+                     const HashValueVector& chain_hashes,
+                     base::Time* expiry,
+                     HashValueVector* hashes) {
+  bool parsed_max_age = false;
+  uint32 max_age_candidate = 0;
+  HashValueVector pins;
+
+  std::string source = value;
+
+  while (!source.empty()) {
+    StringPair semicolon = Split(source, ';');
+    semicolon.first = Strip(semicolon.first);
+    semicolon.second = Strip(semicolon.second);
+    StringPair equals = Split(semicolon.first, '=');
+    equals.first = Strip(equals.first);
+    equals.second = Strip(equals.second);
+
+    if (LowerCaseEqualsASCII(equals.first, "max-age")) {
+      if (equals.second.empty() ||
+          !MaxAgeToInt(equals.second.begin(), equals.second.end(),
+                       &max_age_candidate)) {
+        return false;
+      }
+      parsed_max_age = true;
+    } else if (LowerCaseEqualsASCII(equals.first, "pin-sha1")) {
+      if (!ParseAndAppendPin(equals.second, HASH_VALUE_SHA1, &pins))
+        return false;
+    } else if (LowerCaseEqualsASCII(equals.first, "pin-sha256")) {
+      if (!ParseAndAppendPin(equals.second, HASH_VALUE_SHA256, &pins))
+        return false;
+    } else {
+      // Silently ignore unknown directives for forward compatibility.
+    }
+
+    source = semicolon.second;
+  }
+
+  if (!parsed_max_age)
+    return false;
+
+  if (!IsPinListValid(pins, chain_hashes))
+    return false;
+
+  *expiry = now + base::TimeDelta::FromSeconds(max_age_candidate);
+  for (HashValueVector::const_iterator i = pins.begin();
+       i != pins.end(); ++i) {
+    hashes->push_back(*i);
+  }
+
+  return true;
+}
+
+}  // namespace net