| Index: components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detect.cc
|
| diff --git a/components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detect.cc b/components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detect.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..10ebea32599f0792d836c4ecd2728fb2244c54f1
|
| --- /dev/null
|
| +++ b/components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detect.cc
|
| @@ -0,0 +1,404 @@
|
| +// Copyright 2014 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detect.h"
|
| +
|
| +#include <algorithm>
|
| +#include <cstring>
|
| +
|
| +#include "base/base64.h"
|
| +#include "base/md5.h"
|
| +#include "base/metrics/histogram.h"
|
| +#include "base/metrics/sparse_histogram.h"
|
| +#include "base/strings/string_number_conversions.h"
|
| +#include "components/data_reduction_proxy/common/data_reduction_proxy_headers.h"
|
| +#include "net/android/network_library.h"
|
| +#include "net/http/http_response_headers.h"
|
| +#include "net/http/http_util.h"
|
| +
|
| +// Macro for UMA reporting. Depending on |scheme_is_https|, first reports to
|
| +// histogram events |https_histogram| or |http_histogram| by |carrier_id|; then
|
| +// reports total counts to |https_histogram|_Total or |http_histogram|_Total.
|
| +#define REPORT_TAMPER_DETECTION_UMA(scheme_is_https, http_histogram, https_histogram, carrier_id) \
|
| + do { \
|
| + if (scheme_is_https) { \
|
| + UMA_HISTOGRAM_SPARSE_SLOWLY(https_histogram, carrier_id); \
|
| + UMA_HISTOGRAM_COUNTS(https_histogram "_Total", 1); \
|
| + } else { \
|
| + UMA_HISTOGRAM_SPARSE_SLOWLY(http_histogram, carrier_id); \
|
| + UMA_HISTOGRAM_COUNTS(http_histogram "_Total", 1); \
|
| + }\
|
| + } while (0)
|
| +
|
| +namespace data_reduction_proxy {
|
| +
|
| +// static
|
| +void DataReductionProxyTamperDetection::DetectAndReport(
|
| + const net::HttpResponseHeaders* headers,
|
| + const bool is_secure_scheme) {
|
| + DCHECK(headers);
|
| + if (!headers)
|
| + return;
|
| +
|
| + // If the fingerprint of the Chrome-Proxy header is absent, abort tamper
|
| + // detection.
|
| + std::string chrome_proxy_fingerprint;
|
| + if (!GetDataReductionProxyActionValue(
|
| + headers,
|
| + kChromeProxyActionFingerprintChromeProxy,
|
| + &chrome_proxy_fingerprint))
|
| + return;
|
| +
|
| + // Gets the Chrome-Proxy header values.
|
| + std::vector<std::string> chrome_proxy_header_values =
|
| + GetHeaderValues(headers, "Chrome-Proxy");
|
| +
|
| + // Removes header's fingerprint for generating the fingerprint of received
|
| + // Chrome-Proxy header later.
|
| + RemoveChromeProxyFingerprint(&chrome_proxy_header_values);
|
| +
|
| + // Get carrier ID.
|
| + unsigned carrier_id = 0;
|
| +#if defined(OS_ANDROID)
|
| + base::StringToUint(net::android::GetTelephonyNetworkOperator(), &carrier_id);
|
| +#endif
|
| +
|
| + DataReductionProxyTamperDetection tamper_detection(
|
| + headers,
|
| + is_secure_scheme,
|
| + carrier_id,
|
| + &chrome_proxy_header_values);
|
| +
|
| + // Checks if the Chrome-Proxy header has been tampered with.
|
| + if (tamper_detection.IsChromeProxyHeaderTampered(chrome_proxy_fingerprint)) {
|
| + tamper_detection.ReportChromeProxyHeaderTamperedUMA();
|
| + return;
|
| + }
|
| +
|
| + // Since the Chrome-Proxy header has not been tampered with, reports the
|
| + // number of responses that other fingerprints will be checked.
|
| + REPORT_TAMPER_DETECTION_UMA(
|
| + is_secure_scheme,
|
| + "DataReductionProxy.HTTPSHeaderTamperDetection",
|
| + "DataReductionProxy.HTTPHeaderTamperDetection",
|
| + carrier_id);
|
| +
|
| + std::map<std::string, FingerprintCode>::iterator i;
|
| + for (i = tamper_detection.fingerprint_name_code_map_.begin();
|
| + i != tamper_detection.fingerprint_name_code_map_.end(); ++i) {
|
| + std::string fingerprint;
|
| + if (!GetDataReductionProxyActionValue(
|
| + headers, i->first, &fingerprint)) {
|
| + continue;
|
| + }
|
| +
|
| + switch (i->second) {
|
| + case VIA:
|
| + bool has_chrome_proxy_via_header;
|
| + if (tamper_detection.IsViaHeaderTampered(
|
| + fingerprint, &has_chrome_proxy_via_header))
|
| + tamper_detection.ReportViaHeaderTamperedUMA(
|
| + has_chrome_proxy_via_header);
|
| + break;
|
| + case OTHERHEADERS:
|
| + if (tamper_detection.AreOtherHeadersTampered(fingerprint))
|
| + tamper_detection.ReportOtherHeadersTamperedUMA();
|
| + break;
|
| + case CONTENTLENGTH:
|
| + if (tamper_detection.IsContentLengthHeaderTampered(fingerprint))
|
| + tamper_detection.ReportContentLengthHeaderTamperedUMA();
|
| + break;
|
| + default:
|
| + NOTREACHED();
|
| + break;
|
| + }
|
| + }
|
| +}
|
| +
|
| +// Constructor initializes the map of fingerprint name to code.
|
| +DataReductionProxyTamperDetection::DataReductionProxyTamperDetection(
|
| + const net::HttpResponseHeaders* headers,
|
| + const bool is_secure,
|
| + const unsigned carrier_id,
|
| + std::vector<std::string>* values)
|
| + : response_headers_(headers),
|
| + is_secure_scheme_(is_secure),
|
| + carrier_id_(carrier_id),
|
| + clean_chrome_proxy_header_values_(values) {
|
| + DCHECK(headers);
|
| + fingerprint_name_code_map_ = std::map<std::string, FingerprintCode>();
|
| + fingerprint_name_code_map_
|
| + [kChromeProxyActionFingerprintVia] = VIA;
|
| + fingerprint_name_code_map_
|
| + [kChromeProxyActionFingerprintOtherHeaders] = OTHERHEADERS;
|
| + fingerprint_name_code_map_
|
| + [kChromeProxyActionFingerprintContentLength] = CONTENTLENGTH;
|
| +};
|
| +
|
| +DataReductionProxyTamperDetection::~DataReductionProxyTamperDetection() {};
|
| +
|
| +// Checks whether the Chrome-Proxy header has been tampered with. |fingerprint|
|
| +// is the fingerprint received from the data reduction proxy, which is Base64
|
| +// encoded. Decodes it first. Then calculates the fingerprint of received
|
| +// Chrome-Proxy header, and compares the two to see whether they are equal or
|
| +// not. Note that |clean_chrome_proxy_header_values_| holds the values of the
|
| +// Chrome-Proxy header with its own fingerprint removed, so it's the correct
|
| +// values to calculate fingerprint of received Chrome-Proxy header.
|
| +bool DataReductionProxyTamperDetection::IsChromeProxyHeaderTampered(
|
| + const std::string& fingerprint) const {
|
| + std::string received_fingerprint;
|
| + if (!base::Base64Decode(fingerprint, &received_fingerprint))
|
| + return true;
|
| + // Calculates the MD5 hash value of Chrome-Proxy.
|
| + std::string actual_fingerprint = GetMD5(
|
| + ValuesToSortedString(clean_chrome_proxy_header_values_));
|
| +
|
| + return received_fingerprint != actual_fingerprint;
|
| +}
|
| +
|
| +void DataReductionProxyTamperDetection::ReportChromeProxyHeaderTamperedUMA()
|
| + const {
|
| + REPORT_TAMPER_DETECTION_UMA(
|
| + is_secure_scheme_,
|
| + "DataReductionProxy.HTTPSHeaderTampered_ChromeProxy",
|
| + "DataReductionProxy.HTTPHeaderTampered_ChromeProxy",
|
| + carrier_id_);
|
| +}
|
| +
|
| +// Checks whether there are other proxies/middleboxes' name after the data
|
| +// reduction proxy's name in Via header. |has_chrome_proxy_via_header| marks
|
| +// that whether the data reduction proxy's Via header occurs or not.
|
| +bool DataReductionProxyTamperDetection::IsViaHeaderTampered(
|
| + const std::string& fingerprint, bool* has_chrome_proxy_via_header) const {
|
| + bool has_intermediary;
|
| + *has_chrome_proxy_via_header = HasDataReductionProxyViaHeader(
|
| + response_headers_,
|
| + &has_intermediary);
|
| +
|
| + if (*has_chrome_proxy_via_header)
|
| + return !has_intermediary;
|
| + return false;
|
| +}
|
| +
|
| +void DataReductionProxyTamperDetection::ReportViaHeaderTamperedUMA(
|
| + bool has_chrome_proxy) const {
|
| + // The Via header of the data reduction proxy is missing.
|
| + if (!has_chrome_proxy) {
|
| + REPORT_TAMPER_DETECTION_UMA(
|
| + is_secure_scheme_,
|
| + "DataReductionProxy.HTTPSHeaderTampered_Via_Missing",
|
| + "DataReductionProxy.HTTPHeaderTampered_Via_Missing",
|
| + carrier_id_);
|
| + return;
|
| + }
|
| +
|
| + REPORT_TAMPER_DETECTION_UMA(
|
| + is_secure_scheme_,
|
| + "DataReductionProxy.HTTPSHeaderTampered_Via",
|
| + "DataReductionProxy.HTTPHeaderTampered_Via",
|
| + carrier_id_);
|
| +}
|
| +
|
| +// Checks whether values of a predefined list of headers have been modified. At
|
| +// the data reduction proxy side, it constructs a canonical representation of
|
| +// values of a list headers. The fingerprint is constructed as follows:
|
| +// 1) for each header, gets the string representation of its values (same to
|
| +// ValuesToSortedString);
|
| +// 2) concatenates all header's string representation with a ";" delimiter,
|
| +// respect to the order of the header list;
|
| +// 3) calculates the MD5 hash value of above concatenated string;
|
| +// 4) appends the header names to the fingerprint, with a delimiter "|".
|
| +// The constructed fingerprint looks like:
|
| +// [hashed_fingerprint]|header_name1|header_namer2:...
|
| +//
|
| +// To check whether such fingerprint matches the response that the Chromium
|
| +// client receives, the Chromium client firstly extracts the header names. For
|
| +// each header, gets its string representation (by ValuesToSortedString),
|
| +// concatenates them and calculates the MD5 hash value. Compares such hash
|
| +// value to the fingerprint received from the data reduction proxy.
|
| +bool DataReductionProxyTamperDetection::AreOtherHeadersTampered(
|
| + const std::string& fingerprint) const {
|
| + std::string received_fingerprint;
|
| + DCHECK(fingerprint.size());
|
| +
|
| + // "|" delimiter would not occur in base64 as well as header names.
|
| + net::HttpUtil::ValuesIterator it(fingerprint.begin(),
|
| + fingerprint.end(), '|');
|
| +
|
| + // The first value from fingerprint is the base64 encoded fingerprint; the
|
| + // following values are the header names included in fingerprint calculation.
|
| + // Make sure there is [base64fingerprint] and it can be decoded.
|
| + if (!(it.GetNext() &&
|
| + base::Base64Decode(it.value(), &received_fingerprint))) {
|
| + NOTREACHED();
|
| + return true;
|
| + }
|
| +
|
| + std::string header_values;
|
| + // Enumerates the list of headers.
|
| + while (it.GetNext()) {
|
| + // Gets values of one header.
|
| + std::vector<std::string> response_header_values =
|
| + GetHeaderValues(response_headers_, it.value());
|
| + // Sorts the values and concatenate them, with delimiter ";". ";" would not
|
| + // occur in header values,
|
| + header_values += ValuesToSortedString(&response_header_values) + ";";
|
| + }
|
| +
|
| + // Calculates the MD5 hash of the concatenated string.
|
| + std::string actual_fingerprint = GetMD5(header_values);
|
| +
|
| + return received_fingerprint != actual_fingerprint;
|
| +}
|
| +
|
| +void DataReductionProxyTamperDetection::ReportOtherHeadersTamperedUMA() const {
|
| + REPORT_TAMPER_DETECTION_UMA(
|
| + is_secure_scheme_,
|
| + "DataReductionProxy.HTTPSHeaderTampered_OtherHeaders",
|
| + "DataReductionProxy.HTTPHeaderTampered_OtherHeaders",
|
| + carrier_id_);
|
| +}
|
| +
|
| +// Checks whether the Content-Length value is different from what the data
|
| +// reduction proxy sends. Reports it as modified only if Content-Length can be
|
| +// decoded as an integer at both ends and such two numbers are not equal.
|
| +bool DataReductionProxyTamperDetection::IsContentLengthHeaderTampered(
|
| + const std::string& fingerprint) const {
|
| + int received_content_length_fingerprint, actual_content_length;
|
| + // If Content-Length value from data reduction proxy does not exist or it
|
| + // cannot be converted to an integer, abort.
|
| + if (base::StringToInt(fingerprint, &received_content_length_fingerprint)) {
|
| + std::string actual_content_length_string;
|
| + // If there is no Content-Length header received, abort.
|
| + if (response_headers_->GetNormalizedHeader("Content-Length",
|
| + &actual_content_length_string)) {
|
| + // If the Content-Length value cannot be converted to integer, abort.
|
| + if (!base::StringToInt(actual_content_length_string,
|
| + &actual_content_length)) {
|
| + return false;
|
| + }
|
| +
|
| + return received_content_length_fingerprint != actual_content_length;
|
| + }
|
| + }
|
| + return false;
|
| +}
|
| +
|
| +void DataReductionProxyTamperDetection::ReportContentLengthHeaderTamperedUMA()
|
| + const {
|
| + // Gets MIME type of the response and reports to UMA histograms separately.
|
| + // Divides MIME types into 4 groups: JavaScript, CSS, Images, and others.
|
| + REPORT_TAMPER_DETECTION_UMA(
|
| + is_secure_scheme_,
|
| + "DataReductionProxy.HTTPSHeaderTampered_ContentLength",
|
| + "DataReductionProxy.HTTPHeaderTampered_ContentLength",
|
| + carrier_id_);
|
| +
|
| + // Gets MIME type.
|
| + std::string mime_type;
|
| + response_headers_->GetMimeType(&mime_type);
|
| +
|
| + // Reports tampered JavaScript.
|
| + if (mime_type.compare("text/javascript") == 0 ||
|
| + mime_type.compare("application/x-javascript") == 0 ||
|
| + mime_type.compare("application/javascript") == 0) {
|
| + REPORT_TAMPER_DETECTION_UMA(
|
| + is_secure_scheme_,
|
| + "DataReductionProxy.HTTPSHeaderTampered_ContentLength_JS",
|
| + "DataReductionProxy.HTTPHeaderTampered_ContentLength_JS",
|
| + carrier_id_);
|
| + }
|
| + // Reports tampered CSSs.
|
| + else if (mime_type.compare("text/css") == 0) {
|
| + REPORT_TAMPER_DETECTION_UMA(
|
| + is_secure_scheme_,
|
| + "DataReductionProxy.HTTPSHeaderTampered_ContentLength_CSS",
|
| + "DataReductionProxy.HTTPHeaderTampered_ContentLength_CSS",
|
| + carrier_id_);
|
| + }
|
| + // Reports tampered images.
|
| + else if (mime_type.find("image/") == 0) {
|
| + REPORT_TAMPER_DETECTION_UMA(
|
| + is_secure_scheme_,
|
| + "DataReductionProxy.HTTPSHeaderTampered_ContentLength_Image",
|
| + "DataReductionProxy.HTTPHeaderTampered_ContentLength_Image",
|
| + carrier_id_);
|
| + }
|
| + // Reports tampered other MIME types.
|
| + else {
|
| + REPORT_TAMPER_DETECTION_UMA(
|
| + is_secure_scheme_,
|
| + "DataReductionProxy.HTTPSHeaderTampered_ContentLength_Other",
|
| + "DataReductionProxy.HTTPHeaderTampered_ContentLength_Other",
|
| + carrier_id_);
|
| + }
|
| +}
|
| +
|
| +DataReductionProxyTamperDetection::FingerprintCode
|
| + DataReductionProxyTamperDetection::GetFingerprintCode(
|
| + const std::string& fingerprint_name) {
|
| + std::map<std::string, FingerprintCode>::iterator it =
|
| + fingerprint_name_code_map_.find(fingerprint_name);
|
| +
|
| + if (it != fingerprint_name_code_map_.end())
|
| + return it->second;
|
| + return NONEXIST;
|
| +}
|
| +
|
| +// Removes the Chrome-Proxy header's fingerprint (action name
|
| +// |kFingerprintChromeProxy|) from its values vector.
|
| +void DataReductionProxyTamperDetection::RemoveChromeProxyFingerprint(
|
| + std::vector<std::string>* values) {
|
| + DCHECK(values);
|
| + if (!values) return;
|
| +
|
| + std::string chrome_proxy_fingerprint_prefix = std::string(
|
| + kChromeProxyActionFingerprintChromeProxy) + "=";
|
| +
|
| + for (size_t i = 0; i < values->size(); ++i) {
|
| + if ((*values)[i].find(chrome_proxy_fingerprint_prefix) == 0) {
|
| + values->erase(values->begin() + i);
|
| + break;
|
| + }
|
| + }
|
| +}
|
| +
|
| +// We construct a canonical representation of the header so that reordered
|
| +// header values will produce the same fingerprint. The fingerprint is
|
| +// constructed as follows:
|
| +// 1) sorts the values;
|
| +// 2) concatenates sorted values with a "," delimiter.
|
| +std::string DataReductionProxyTamperDetection::ValuesToSortedString(
|
| + std::vector<std::string>* values) {
|
| + std::string concatenated_values;
|
| + DCHECK(values);
|
| + if (!values) return "";
|
| +
|
| + std::sort(values->begin(), values->end());
|
| + for (size_t i = 0; i < values->size(); ++i) {
|
| + // Concatenates with delimiter ",".
|
| + concatenated_values += (*values)[i] + ",";
|
| + }
|
| + return concatenated_values;
|
| +}
|
| +
|
| +std::string DataReductionProxyTamperDetection::GetMD5(
|
| + const std::string &input) {
|
| + base::MD5Digest digest;
|
| + base::MD5Sum(input.c_str(), input.size(), &digest);
|
| + return std::string((char*)digest.a, ARRAYSIZE_UNSAFE(digest.a));
|
| +}
|
| +
|
| +std::vector<std::string> DataReductionProxyTamperDetection::GetHeaderValues(
|
| + const net::HttpResponseHeaders* headers, const std::string& header_name) {
|
| + std::vector<std::string> values;
|
| + std::string value;
|
| + void* iter = NULL;
|
| + while (headers->EnumerateHeader(&iter, header_name, &value)) {
|
| + values.push_back(value);
|
| + }
|
| + return values;
|
| +}
|
| +
|
| +} // namespace data_reduction_proxy
|
|
|
Chromium Code Reviews
Issue 338483002:
Chrome Participated Tamper Detect (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master