Separate http_security_headers from transport_security_state

net/base/hash_value.cc

Index: net/base/hash_value.cc
===================================================================
--- net/base/hash_value.cc	(revision 0)
+++ net/base/hash_value.cc	(revision 0)
@@ -0,0 +1,128 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/hash_value.h"
+
+#include "base/base64.h"
+#include "base/logging.h"
+#include "base/sha1.h"
+#include "base/string_split.h"
+#include "base/string_util.h"
+#include "crypto/secure_util.h"
+
+namespace net {
+
+namespace {
+
+// CompareSHA1Hashes is a helper function for using bsearch() with an array of
+// SHA1 hashes.
+int CompareSHA1Hashes(const void* a, const void* b) {
+  return memcmp(a, b, base::kSHA1Length);
+}
+
+}  // namespace
+
+
+bool SHA1HashValue::Equals(const SHA1HashValue& other) const {
+  return crypto::SecureMemEqual(data, other.data, sizeof(data));
+}
+
+bool SHA256HashValue::Equals(const SHA256HashValue& other) const {
+  return crypto::SecureMemEqual(data, other.data, sizeof(data));

[Ryan Sleevi, 2012/12/20 23:44:13]

I missed this change from your moving data.

I would rather use memcmp() here and create a new SecureEquals if we believe
timing to be a concern.

This is because we index a number of things on their SHA1HashValue or the like,
and so Equals should keep the optimized path.

[unsafe, 2012/12/21 02:56:49]

This was a new change in last patch set, based on AGL feedback.  But timing
leaks are not a concern in existing code, so I rolled back to memset, and added
a comment explaining the potential risk.

+}
+
+bool HashValue::Equals(const HashValue& other) const {
+  if (tag != other.tag)
+    return false;
+  switch (tag) {
+    case HASH_VALUE_SHA1:
+      return fingerprint.sha1.Equals(other.fingerprint.sha1);
+    case HASH_VALUE_SHA256:
+      return fingerprint.sha256.Equals(other.fingerprint.sha256);
+    default:
+      NOTREACHED() << "Unknown HashValueTag " << tag;
+      return false;
+  }
+}
+
+bool HashValue::FromString(const base::StringPiece value) {
+  base::StringPiece base64_str;
+  /* Cannot take substr(pos, ...) with 'pos' past end of string,
+     so check for adequate string length first */

[Ryan Sleevi, 2012/12/20 23:44:13]

Nit: This comment is unnecessary.

[unsafe, 2012/12/21 02:56:49]

Done.

+  if (value.size() > 5 && value.substr(0, 5) == "sha1/") {

[Ryan Sleevi, 2012/12/20 23:44:13]

if (value.compare(0, 5, "sha1/") == 0) {
  ...
} else if (value.compare(0, 7, "sha256/") == 0 {
  ...
}
if (base64_str.empty())
  return false;

C++03 (21.3.6.8.1) guarantees that for str.compare(), if str.size() < n, it will
return < 0. See C++03 21.3.1.5 for the further guarantee that it will take
min(size(), n).

C++03 21.3.6.7.3 guarantees that str2 = str1.substr(str1.size()) is safe and
will return an empty string.

[unsafe, 2012/12/21 02:56:49]

StringPiece doesn't have the 3-arg compare() but starts_with seems like a good
substitute.

(thanks for clarifying substr() as well - it looks like we can remove it here
and elsewhere, but me (and maybe Adam?) were thinking str1.substr(str1.size())
would throw.)

+    tag = HASH_VALUE_SHA1;
+    base64_str = value.substr(5);
+  } else if (value.size() > 7 && value.substr(0, 7) == "sha256/") {
+    tag = HASH_VALUE_SHA256;
+    base64_str = value.substr(7);
+  } else {
+    return false;
+  }
+
+  std::string decoded;
+  if (!base::Base64Decode(base64_str, &decoded) ||
+      decoded.size() != size()) {

[Ryan Sleevi, 2012/12/20 23:44:13]

style nit: Does this fit on one line? If so, do that, and drop the brackets.

[unsafe, 2012/12/21 02:56:49]

Done.

+    return false;
+  }
+
+  memcpy(data(), decoded.data(), size());
+  return true;
+}
+
+std::string HashValue::ToString() const {
+  std::string base64_str;
+  base::Base64Encode(base::StringPiece(reinterpret_cast<const char*>(data()),
+                                       size()), &base64_str);
+  switch (tag) {
+  case HASH_VALUE_SHA1:
+    return std::string("sha1/") + base64_str;
+  case HASH_VALUE_SHA256:
+    return std::string("sha256/") + base64_str;
+  default:
+    NOTREACHED() << "Unknown HashValueTag " << tag;
+    return std::string("unknown/" + base64_str);
+  }
+}
+
+size_t HashValue::size() const {
+  switch (tag) {
+    case HASH_VALUE_SHA1:
+      return sizeof(fingerprint.sha1.data);
+    case HASH_VALUE_SHA256:
+      return sizeof(fingerprint.sha256.data);
+    default:
+      NOTREACHED() << "Unknown HashValueTag " << tag;
+      // While an invalid tag should not happen, return a non-zero length
+      // to avoid compiler warnings when the result of size() is
+      // used with functions like memset.
+      return sizeof(fingerprint.sha1.data);
+  }
+}
+
+unsigned char* HashValue::data() {
+  return const_cast<unsigned char*>(const_cast<const HashValue*>(this)->data());
+}
+
+const unsigned char* HashValue::data() const {
+  switch (tag) {
+    case HASH_VALUE_SHA1:
+      return fingerprint.sha1.data;
+    case HASH_VALUE_SHA256:
+      return fingerprint.sha256.data;
+    default:
+      NOTREACHED() << "Unknown HashValueTag " << tag;
+      return NULL;
+  }
+}
+
+bool IsSHA1HashInSortedArray(const SHA1HashValue& hash,
+                             const uint8* array,
+                             size_t array_byte_len) {
+  DCHECK_EQ(0u, array_byte_len % base::kSHA1Length);
+  const size_t arraylen = array_byte_len / base::kSHA1Length;
+  return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length,
+                         CompareSHA1Hashes);
+}
+
+}  // namespace net