Source/core/frame/SubresourceIntegrity.cpp - Issue 1156413005: Implement hash function prioritization for SRI.

Side by Side Diff: Source/core/frame/SubresourceIntegrity.cpp

Issue 1156413005: Implement hash function prioritization for SRI. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master

Patch Set: Created 5 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2014 The Chromium Authors. All rights reserved.	1 // Copyright 2014 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "config.h"	5 #include "config.h"

6 #include "core/frame/SubresourceIntegrity.h"	6 #include "core/frame/SubresourceIntegrity.h"

7	7

8 #include "core/HTMLNames.h"	8 #include "core/HTMLNames.h"

9 #include "core/dom/Document.h"	9 #include "core/dom/Document.h"

10 #include "core/dom/Element.h"	10 #include "core/dom/Element.h"

11 #include "core/fetch/Resource.h"	11 #include "core/fetch/Resource.h"

12 #include "core/frame/ConsoleTypes.h"	12 #include "core/frame/ConsoleTypes.h"

13 #include "core/frame/UseCounter.h"	13 #include "core/frame/UseCounter.h"

14 #include "core/inspector/ConsoleMessage.h"	14 #include "core/inspector/ConsoleMessage.h"

15 #include "platform/Crypto.h"	15 #include "platform/Crypto.h"

16 #include "platform/ParsingUtilities.h"	16 #include "platform/ParsingUtilities.h"

17 #include "platform/RuntimeEnabledFeatures.h"	17 #include "platform/RuntimeEnabledFeatures.h"

18 #include "platform/weborigin/KURL.h"	18 #include "platform/weborigin/KURL.h"

19 #include "platform/weborigin/SecurityOrigin.h"	19 #include "platform/weborigin/SecurityOrigin.h"

20 #include "public/platform/WebCrypto.h"	20 #include "public/platform/WebCrypto.h"

21 #include "public/platform/WebCryptoAlgorithm.h"	21 #include "public/platform/WebCryptoAlgorithm.h"

22 #include "wtf/ASCIICType.h"	22 #include "wtf/ASCIICType.h"

23 #include "wtf/Vector.h"	23 #include "wtf/Vector.h"

	24 #include "wtf/dtoa/utils.h"

24 #include "wtf/text/Base64.h"	25 #include "wtf/text/Base64.h"

25 #include "wtf/text/StringUTF8Adaptor.h"	26 #include "wtf/text/StringUTF8Adaptor.h"

26 #include "wtf/text/WTFString.h"	27 #include "wtf/text/WTFString.h"

27	28

28 namespace blink {	29 namespace blink {

29	30

30 // FIXME: This should probably use common functions with ContentSecurityPolicy.	31 // FIXME: This should probably use common functions with ContentSecurityPolicy.

31 static bool isIntegrityCharacter(UChar c)	32 static bool isIntegrityCharacter(UChar c)

32 {	33 {

33 // Check if it's a base64 encoded value. We're pretty loose here, as there's	34 // Check if it's a base64 encoded value. We're pretty loose here, as there's

(...skipping 24 matching lines...) Expand all Loading...
58	59

59 return true;	60 return true;

60 }	61 }

61	62

62 static String digestToString(const DigestValue& digest)	63 static String digestToString(const DigestValue& digest)

63 {	64 {

64 // We always output base64url encoded data, even though we use base64 intern ally.	65 // We always output base64url encoded data, even though we use base64 intern ally.

65 return base64URLEncode(reinterpret_cast<const char*>(digest.data()), digest. size(), Base64DoNotInsertLFs);	66 return base64URLEncode(reinterpret_cast<const char*>(digest.data()), digest. size(), Base64DoNotInsertLFs);

66 }	67 }

67	68

	69

	70 SubresourceIntegrity::PrioritizationResult SubresourceIntegrity::getPrioritizedH ashFunction(HashAlgorithm algorithm1, HashAlgorithm algorithm2)

	71 {

	72 const HashAlgorithm weakerThanSha256[] = { HashAlgorithmSha1 };
	Mike West 2015/06/03 09:13:33 Why do we support SHA-1 at all? I don't remember i Why do we support SHA-1 at all? I don't remember it being in the spec. Can we ASSERT that we never get to this check for that known-bad algorithm? jww 2015/06/03 19:26:56 SHA1 is not supported, so, yes, we can ASSERT that Show quoted text On 2015/06/03 09:13:33, Mike West wrote: > Why do we support SHA-1 at all? I don't remember it being in the spec. Can we > ASSERT that we never get to this check for that known-bad algorithm? SHA1 is not supported, so, yes, we can ASSERT that. It's not that we support SHA-1 (in fact, there's a list of supported hash functions later in SubresourceIntegrity.cpp that doesn't include SHA-1), but it does exist as an algorithm listed in HashAlgorithm. I'll take it out of the lists and add asserts that neither algorithm is ever SHA1.
	73 const HashAlgorithm weakerThanSha384[] = { HashAlgorithmSha1, HashAlgorithmS ha256 };

	74 const HashAlgorithm weakerThanSha512[] = { HashAlgorithmSha1, HashAlgorithmS ha256, HashAlgorithmSha384 };

	75

	76 if (algorithm1 == algorithm2)

	77 return SameStrength;

	78

	79 const HashAlgorithm* weakerAlgorithms;

	80 size_t length;

	81 switch (algorithm1) {

	82 case HashAlgorithmSha1:

	83 return SecondAlgorithmIsStronger;

	84 case HashAlgorithmSha256:

	85 weakerAlgorithms = weakerThanSha256;

	86 length = ARRAY_SIZE(weakerThanSha256);

	87 break;

	88 case HashAlgorithmSha384:

	89 weakerAlgorithms = weakerThanSha384;

	90 length = ARRAY_SIZE(weakerThanSha384);

	91 break;

	92 case HashAlgorithmSha512:

	93 weakerAlgorithms = weakerThanSha512;

	94 length = ARRAY_SIZE(weakerThanSha512);

	95 break;

	96 default:

	97 ASSERT_NOT_REACHED();

	98 };

	99

	100 for (size_t i = 0; i < length; i++) {

	101 if (weakerAlgorithms[i] == algorithm2)

	102 return FirstAlgorithmIsStronger;

	103 }

	104

	105 return SecondAlgorithmIsStronger;

	106 }

	107

68 bool SubresourceIntegrity::CheckSubresourceIntegrity(const Element& element, con st String& source, const KURL& resourceUrl, const Resource& resource)	108 bool SubresourceIntegrity::CheckSubresourceIntegrity(const Element& element, con st String& source, const KURL& resourceUrl, const Resource& resource)

69 {	109 {

70 if (!RuntimeEnabledFeatures::subresourceIntegrityEnabled())	110 if (!RuntimeEnabledFeatures::subresourceIntegrityEnabled())

71 return true;	111 return true;

72	112

73 Document& document = element.document();	113 Document& document = element.document();

74 String attribute = element.fastGetAttribute(HTMLNames::integrityAttr);	114 String attribute = element.fastGetAttribute(HTMLNames::integrityAttr);

75 if (attribute.isEmpty())	115 if (attribute.isEmpty())

76 return true;	116 return true;

77	117

78 if (!resource.isEligibleForIntegrityCheck(document.securityOrigin())) {	118 if (!resource.isEligibleForIntegrityCheck(document.securityOrigin())) {

79 logErrorToConsole("Subresource Integrity: The resource '" + resourceUrl. elidedString() + "' has an integrity attribute, but the resource requires CORS t o be enabled to check the integrity, and it is not. The resource has been blocke d.", document);	119 logErrorToConsole("Subresource Integrity: The resource '" + resourceUrl. elidedString() + "' has an integrity attribute, but the resource requires CORS t o be enabled to check the integrity, and it is not. The resource has been blocke d.", document);

80 return false;	120 return false;

81 }	121 }

82	122

83 WTF::Vector<IntegrityMetadata> metadataList;	123 WTF::Vector<IntegrityMetadata> metadataList;

84 IntegrityParseResult integrityParseResult = parseIntegrityAttribute(attribut e, metadataList, document);	124 IntegrityParseResult integrityParseResult = parseIntegrityAttribute(attribut e, metadataList, document);

85 if (integrityParseResult != IntegrityParseValidResult)	125 if (integrityParseResult != IntegrityParseValidResult)

86 return false;	126 return false;

87	127

88 StringUTF8Adaptor normalizedSource(source, StringUTF8Adaptor::Normalize, WTF ::EntitiesForUnencodables);	128 StringUTF8Adaptor normalizedSource(source, StringUTF8Adaptor::Normalize, WTF ::EntitiesForUnencodables);

89	129

90 if (!metadataList.size())	130 if (!metadataList.size())

91 return true;	131 return true;

92	132

	133 HashAlgorithm strongestAlgorithm = HashAlgorithmSha256;

	134 for (IntegrityMetadata& metadata : metadataList) {
	Mike West 2015/06/03 09:13:33 Nit: `const IntegrityMetadata&` Nit: `const IntegrityMetadata&` jww 2015/06/03 19:26:56 Done. Show quoted text On 2015/06/03 09:13:33, Mike West wrote: > Nit: `const IntegrityMetadata&` Done.
	135 if (FirstAlgorithmIsStronger == getPrioritizedHashFunction(metadata.algo rithm, strongestAlgorithm))

	136 strongestAlgorithm = metadata.algorithm;
	Mike West 2015/06/03 09:13:33 If you just return the strongest algorithm, you ca If you just return the strongest algorithm, you can drop the `if` entirely. jww 2015/06/03 19:26:56 Done. Show quoted text On 2015/06/03 09:13:33, Mike West wrote: > If you just return the strongest algorithm, you can drop the `if` entirely. Done.
	137 }

	138

93 DigestValue digest;	139 DigestValue digest;

94 for (IntegrityMetadata& metadata : metadataList) {	140 for (IntegrityMetadata& metadata : metadataList) {

	141 PrioritizationResult result = getPrioritizedHashFunction(metadata.algori thm, strongestAlgorithm);

	142 if (result != SameStrength)
	Mike West 2015/06/03 09:13:33 Nit: It seems like this could be simplified to `if Nit: It seems like this could be simplified to `if (result != strongestAlgorithm)` jww 2015/06/03 19:26:56 Long term, that's not strictly true because in the Show quoted text On 2015/06/03 09:13:33, Mike West wrote: > Nit: It seems like this could be simplified to `if (result != > strongestAlgorithm)` Long term, that's not strictly true because in theory two different hash functions can be equally strong (and the spec's definition of getPrioritizedHashFunction is supposed to account for that). However, given that's not currently the case, I'll modify getPrioritizedHashFunction to just return the strongest of the two.
	143 continue;

	144

95 digest.clear();	145 digest.clear();

96 bool digestSuccess = computeDigest(metadata.algorithm, normalizedSource. data(), normalizedSource.length(), digest);	146 bool digestSuccess = computeDigest(metadata.algorithm, normalizedSource. data(), normalizedSource.length(), digest);

97	147

98 if (digestSuccess) {	148 if (digestSuccess) {

99 Vector<char> hashVector;	149 Vector<char> hashVector;

100 base64Decode(metadata.digest, hashVector);	150 base64Decode(metadata.digest, hashVector);

101 DigestValue convertedHashVector;	151 DigestValue convertedHashVector;

102 convertedHashVector.append(reinterpret_cast<uint8_t*>(hashVector.dat a()), hashVector.size());	152 convertedHashVector.append(reinterpret_cast<uint8_t*>(hashVector.dat a()), hashVector.size());

103	153

104 if (DigestsEqual(digest, convertedHashVector)) {	154 if (DigestsEqual(digest, convertedHashVector)) {

(...skipping 168 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
273 metadataList.append(integrityMetadata);	323 metadataList.append(integrityMetadata);

274 }	324 }

275	325

276 if (metadataList.size() == 0 && error)	326 if (metadataList.size() == 0 && error)

277 return IntegrityParseNoValidResult;	327 return IntegrityParseNoValidResult;

278	328

279 return IntegrityParseValidResult;	329 return IntegrityParseValidResult;

280 }	330 }

281	331

282 } // namespace blink	332 } // namespace blink

OLD	NEW

« Source/core/frame/SubresourceIntegrity.h ('K') | « Source/core/frame/SubresourceIntegrity.h ('k') | Source/core/frame/SubresourceIntegrityTest.cpp » ('j') | no next file with comments »