OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "base/base64.h" | |
6 #include "base/basictypes.h" | |
7 #include "base/string_number_conversions.h" | |
8 #include "base/string_tokenizer.h" | |
9 #include "base/string_util.h" | |
10 #include "net/http/http_security_headers.h" | |
11 #include "net/http/http_util.h" | |
12 | |
13 namespace net { | |
14 | |
15 namespace { | |
16 | |
17 COMPILE_ASSERT(kMaxHSTSAgeSecs <= kuint32max, kMaxHSTSAgeSecsTooLarge); | |
18 | |
19 // MaxAgeToInt converts a string representation of a "whole number" of | |
20 // seconds into a uint32. The string may contain an arbitrarily large | |
21 // number which we clip to kMaxHSTSAgeSecs (which is guaranteed by the | |
22 // COMPILE_ASSERT above to fit within a 32-bit unsigned integer). False | |
23 // is returned on any parse error. | |
Ryan Sleevi
2013/01/03 01:11:32
OCD nit: single spaces after period
grammar nit: T
unsafe
2013/01/04 09:09:54
Done.
| |
24 bool MaxAgeToInt(std::string::const_iterator begin, | |
25 std::string::const_iterator end, | |
26 uint32* result) { | |
27 const std::string s(begin, end); | |
28 int64 i = 0; | |
29 | |
30 // Return false on any StringToInt64 parse errors *except* int64 | |
31 // overflow. We use StringToInt64 instead of StringToUint64 because | |
32 // StringToUint64 does not return false on negative numbers, so we | |
33 // have to handle this check explicitly. For values too large to | |
34 // be stored in an int64, StringToInt64 returns false with i set | |
35 // to kint64max, so we detect this case and allow it to fall | |
36 // through so that i gets clipped to kMaxHSTSAgeSecs. | |
Ryan Sleevi
2013/01/03 01:11:32
Same comments here as above re: rewording
"Return
unsafe
2013/01/04 09:09:54
Done but edited your wording to be more specific.
| |
37 if (!base::StringToInt64(s, &i) && i != kint64max) | |
38 return false; | |
39 if (i < 0) | |
40 return false; | |
41 if (i > kMaxHSTSAgeSecs) | |
42 i = kMaxHSTSAgeSecs; | |
43 *result = (uint32)i; | |
44 return true; | |
45 } | |
46 | |
47 // Returns true iff there is an item in |pins| which is not present in | |
48 // |from_cert_chain|. Such an SPKI hash is called a "backup pin". | |
49 bool IsBackupPinPresent(const HashValueVector& pins, | |
50 const HashValueVector& from_cert_chain) { | |
51 for (HashValueVector::const_iterator i = pins.begin(); i != pins.end(); | |
52 ++i) { | |
53 HashValueVector::const_iterator j = | |
54 std::find_if(from_cert_chain.begin(), from_cert_chain.end(), | |
55 HashValuesEqual(*i)); | |
56 if (j == from_cert_chain.end()) | |
57 return true; | |
58 } | |
59 | |
60 return false; | |
61 } | |
62 | |
63 // Returns true if the intersection of |a| and |b| is not empty. If either | |
64 // |a| or |b| is empty, returns false. | |
65 bool HashesIntersect(const HashValueVector& a, | |
66 const HashValueVector& b) { | |
67 for (HashValueVector::const_iterator i = a.begin(); i != a.end(); ++i) { | |
68 HashValueVector::const_iterator j = | |
69 std::find_if(b.begin(), b.end(), HashValuesEqual(*i)); | |
70 if (j != b.end()) | |
71 return true; | |
72 } | |
73 return false; | |
74 } | |
75 | |
76 // Returns true iff |pins| contains both a live and a backup pin. A live pin | |
77 // is a pin whose SPKI is present in the certificate chain in |ssl_info|. A | |
78 // backup pin is a pin intended for disaster recovery, not day-to-day use, and | |
79 // thus must be absent from the certificate chain. The Public-Key-Pins header | |
80 // specification requires both. | |
81 bool IsPinListValid(const HashValueVector& pins, | |
82 const HashValueVector& from_cert_chain) { | |
83 // Fast fail: 1 live + 1 backup = at least 2 pins. (Check for actual | |
84 // liveness and backupness below.) | |
85 if (pins.size() < 2) | |
86 return false; | |
87 | |
88 if (from_cert_chain.empty()) | |
89 return false; | |
90 | |
91 return IsBackupPinPresent(pins, from_cert_chain) && | |
92 HashesIntersect(pins, from_cert_chain); | |
93 } | |
94 | |
95 std::string Strip(const std::string& source) { | |
96 if (source.empty()) | |
97 return source; | |
98 | |
99 std::string::const_iterator start = source.begin(); | |
100 std::string::const_iterator end = source.end(); | |
101 HttpUtil::TrimLWS(&start, &end); | |
102 return std::string(start, end); | |
103 } | |
104 | |
105 typedef std::pair<std::string, std::string> StringPair; | |
106 | |
107 StringPair Split(const std::string& source, char delimiter) { | |
108 StringPair pair; | |
109 size_t point = source.find(delimiter); | |
110 | |
111 pair.first = source.substr(0, point); | |
112 if (std::string::npos != point) | |
113 pair.second = source.substr(point + 1); | |
114 | |
115 return pair; | |
116 } | |
117 | |
118 bool ParseAndAppendPin(const std::string& value, | |
119 HashValueTag tag, | |
120 HashValueVector* hashes) { | |
121 std::string unquoted = HttpUtil::Unquote(value); | |
122 std::string decoded; | |
123 | |
124 if (unquoted.empty()) | |
125 return false; | |
126 | |
127 if (!base::Base64Decode(unquoted, &decoded)) | |
128 return false; | |
129 | |
130 HashValue hash(tag); | |
131 if (decoded.size() != hash.size()) | |
132 return false; | |
133 | |
134 memcpy(hash.data(), decoded.data(), hash.size()); | |
135 hashes->push_back(hash); | |
136 return true; | |
137 } | |
138 | |
139 } // namespace | |
140 | |
141 // Parse the Strict-Transport-Security header, as currently defined in | |
142 // http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14: | |
143 // | |
144 // Strict-Transport-Security = "Strict-Transport-Security" ":" | |
145 // [ directive ] *( ";" [ directive ] ) | |
146 // | |
147 // directive = directive-name [ "=" directive-value ] | |
148 // directive-name = token | |
149 // directive-value = token | quoted-string | |
150 // | |
151 // 1. The order of appearance of directives is not significant. | |
152 // | |
153 // 2. All directives MUST appear only once in an STS header field. | |
154 // Directives are either optional or required, as stipulated in | |
155 // their definitions. | |
156 // | |
157 // 3. Directive names are case-insensitive. | |
158 // | |
159 // 4. UAs MUST ignore any STS header fields containing directives, or | |
160 // other header field value data, that does not conform to the | |
161 // syntax defined in this specification. | |
162 // | |
163 // 5. If an STS header field contains directive(s) not recognized by | |
164 // the UA, the UA MUST ignore the unrecognized directives and if the | |
165 // STS header field otherwise satisfies the above requirements (1 | |
166 // through 4), the UA MUST process the recognized directives. | |
167 bool ParseHSTSHeader(const base::Time& now, const std::string& value, | |
168 base::Time* expiry, // OUT | |
169 bool* include_subdomains) { // OUT | |
170 uint32 max_age_candidate = 0; | |
171 bool include_subdomains_candidate = false; | |
172 | |
173 // We must see max-age exactly once. | |
174 int max_age_observed = 0; | |
175 // We must see includeSubdomains exactly 0 or 1 times. | |
176 int include_subdomains_observed = 0; | |
177 | |
178 enum ParserState { | |
179 START, | |
180 AFTER_MAX_AGE_LABEL, | |
181 AFTER_MAX_AGE_EQUALS, | |
182 AFTER_MAX_AGE, | |
183 AFTER_INCLUDE_SUBDOMAINS, | |
184 AFTER_UNKNOWN_LABEL, | |
185 DIRECTIVE_END | |
186 } state = START; | |
187 | |
188 StringTokenizer tokenizer(value, " \t=;"); | |
189 tokenizer.set_options(StringTokenizer::RETURN_DELIMS); | |
190 tokenizer.set_quote_chars("\""); | |
191 std::string unquoted; | |
192 while (tokenizer.GetNext()) { | |
193 DCHECK(!tokenizer.token_is_delim() || tokenizer.token().length() == 1); | |
194 switch (state) { | |
195 case START: | |
196 case DIRECTIVE_END: | |
197 if (IsAsciiWhitespace(*tokenizer.token_begin())) | |
198 continue; | |
199 if (LowerCaseEqualsASCII(tokenizer.token(), "max-age")) { | |
200 state = AFTER_MAX_AGE_LABEL; | |
201 max_age_observed++; | |
202 } else if (LowerCaseEqualsASCII(tokenizer.token(), | |
203 "includesubdomains")) { | |
204 state = AFTER_INCLUDE_SUBDOMAINS; | |
205 include_subdomains_observed++; | |
206 include_subdomains_candidate = true; | |
207 } else { | |
208 state = AFTER_UNKNOWN_LABEL; | |
209 } | |
210 break; | |
211 | |
212 case AFTER_MAX_AGE_LABEL: | |
213 if (IsAsciiWhitespace(*tokenizer.token_begin())) | |
214 continue; | |
215 if (*tokenizer.token_begin() != '=') | |
216 return false; | |
217 DCHECK_EQ(tokenizer.token().length(), 1U); | |
218 state = AFTER_MAX_AGE_EQUALS; | |
219 break; | |
220 | |
221 case AFTER_MAX_AGE_EQUALS: | |
222 if (IsAsciiWhitespace(*tokenizer.token_begin())) | |
223 continue; | |
224 unquoted = HttpUtil::Unquote(tokenizer.token()); | |
225 if (!MaxAgeToInt(unquoted.begin(), unquoted.end(), &max_age_candidate)) | |
226 return false; | |
227 state = AFTER_MAX_AGE; | |
228 break; | |
229 | |
230 case AFTER_MAX_AGE: | |
231 case AFTER_INCLUDE_SUBDOMAINS: | |
232 if (IsAsciiWhitespace(*tokenizer.token_begin())) | |
233 continue; | |
234 else if (*tokenizer.token_begin() == ';') | |
235 state = DIRECTIVE_END; | |
236 else | |
237 return false; | |
238 break; | |
239 | |
240 case AFTER_UNKNOWN_LABEL: | |
241 // Consume and ignore the post-label contents (if any). | |
242 if (*tokenizer.token_begin() != ';') | |
243 continue; | |
244 state = DIRECTIVE_END; | |
245 break; | |
246 } | |
247 } | |
248 | |
249 // We've consumed all the input. Let's see what state we ended up in. | |
250 if (max_age_observed != 1 || | |
251 (include_subdomains_observed != 0 && include_subdomains_observed != 1)) { | |
252 return false; | |
253 } | |
254 | |
255 switch (state) { | |
256 case AFTER_MAX_AGE: | |
257 case AFTER_INCLUDE_SUBDOMAINS: | |
258 case AFTER_UNKNOWN_LABEL: | |
259 *expiry = now + base::TimeDelta::FromSeconds(max_age_candidate); | |
260 *include_subdomains = include_subdomains_candidate; | |
261 return true; | |
262 case START: | |
263 case DIRECTIVE_END: | |
264 case AFTER_MAX_AGE_LABEL: | |
265 case AFTER_MAX_AGE_EQUALS: | |
266 return false; | |
267 default: | |
268 NOTREACHED(); | |
269 return false; | |
270 } | |
271 } | |
272 | |
273 // "Public-Key-Pins" ":" | |
274 // "max-age" "=" delta-seconds ";" | |
275 // "pin-" algo "=" base64 [ ";" ... ] | |
276 bool ParseHPKPHeader(const base::Time& now, | |
277 const std::string& value, | |
278 const HashValueVector& chain_hashes, | |
279 base::Time* expiry, | |
280 HashValueVector* hashes) { | |
281 bool parsed_max_age = false; | |
282 uint32 max_age_candidate = 0; | |
283 HashValueVector pins; | |
284 | |
285 std::string source = value; | |
286 | |
287 while (!source.empty()) { | |
288 StringPair semicolon = Split(source, ';'); | |
289 semicolon.first = Strip(semicolon.first); | |
290 semicolon.second = Strip(semicolon.second); | |
291 StringPair equals = Split(semicolon.first, '='); | |
292 equals.first = Strip(equals.first); | |
293 equals.second = Strip(equals.second); | |
294 | |
295 if (LowerCaseEqualsASCII(equals.first, "max-age")) { | |
296 if (equals.second.empty() || | |
297 !MaxAgeToInt(equals.second.begin(), equals.second.end(), | |
298 &max_age_candidate)) { | |
299 return false; | |
300 } | |
301 parsed_max_age = true; | |
302 } else if (LowerCaseEqualsASCII(equals.first, "pin-sha1")) { | |
303 if (!ParseAndAppendPin(equals.second, HASH_VALUE_SHA1, &pins)) | |
304 return false; | |
305 } else if (LowerCaseEqualsASCII(equals.first, "pin-sha256")) { | |
306 if (!ParseAndAppendPin(equals.second, HASH_VALUE_SHA256, &pins)) | |
307 return false; | |
308 } else { | |
309 // Silently ignore unknown directives for forward compatibility. | |
310 } | |
311 | |
312 source = semicolon.second; | |
313 } | |
314 | |
315 if (!parsed_max_age) | |
316 return false; | |
317 | |
318 if (!IsPinListValid(pins, chain_hashes)) | |
319 return false; | |
320 | |
321 *expiry = now + base::TimeDelta::FromSeconds(max_age_candidate); | |
322 for (HashValueVector::const_iterator i = pins.begin(); | |
323 i != pins.end(); ++i) { | |
324 hashes->push_back(*i); | |
325 } | |
326 | |
327 return true; | |
328 } | |
329 | |
330 } // namespace net | |
OLD | NEW |