Chrome Participated Tamper Detect

components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detect.cc

Index: components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detect.cc
diff --git a/components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detect.cc b/components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detect.cc
new file mode 100644
index 0000000000000000000000000000000000000000..068318000acdd97c1f6d25ec4f8e4766b6c37bbe
--- /dev/null
+++ b/components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detect.cc
@@ -0,0 +1,412 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detect.h"
+
+#include <algorithm>
+#include <cstring>
+
+#include "base/base64.h"
+#include "base/md5.h"
+#include "base/metrics/histogram.h"
+#include "base/metrics/sparse_histogram.h"
+#include "base/strings/string_number_conversions.h"
+#include "components/data_reduction_proxy/common/data_reduction_proxy_headers.h"
+#include "net/android/network_library.h"
+#include "net/http/http_response_headers.h"
+#include "net/http/http_util.h"
+
+// Macro for UMA reporting. Depending on |scheme_is_https|, first reports to
+// histogram events |https_histogram| or |http_histogram| by |carrier_id|; then
+// reports total counts to |https_histogram|_Total or |http_histogram|_Total.
+#define REPORT_TAMPER_DETECTION_UMA(scheme_is_https, http_histogram, https_histogram, carrier_id) \
+  do { \
+    if (scheme_is_https) { \
+      UMA_HISTOGRAM_SPARSE_SLOWLY(https_histogram, carrier_id); \
+      UMA_HISTOGRAM_COUNTS(https_histogram "_Total", 1); \
+    } else { \
+      UMA_HISTOGRAM_SPARSE_SLOWLY(http_histogram, carrier_id); \
+      UMA_HISTOGRAM_COUNTS(http_histogram "_Total", 1); \
+    }\
+  } while (0)
+
+namespace data_reduction_proxy {
+
+// static
+bool DataReductionProxyTamperDetection::DetectAndReport(
+    const net::HttpResponseHeaders* headers,
+    const bool is_secure_scheme) {
+  DCHECK(headers);
+  if (!headers)
+    return false;
+
+  // If the fingerprint of the Chrome-Proxy header is absent, abort tamper
+  // detection.
+  std::string chrome_proxy_fingerprint;
+  if (!GetDataReductionProxyActionValue(
+      headers,
+      kChromeProxyActionFingerprintChromeProxy,
+      &chrome_proxy_fingerprint))
+    return false;
+
+  // Gets the Chrome-Proxy header values.
+  std::vector<std::string> chrome_proxy_header_values =
+      GetHeaderValues(headers, "Chrome-Proxy");
+
+  // Removes header's fingerprint for generating the fingerprint of received
+  // Chrome-Proxy header later.
+  RemoveChromeProxyFingerprint(&chrome_proxy_header_values);
+
+  // Get carrier ID.
+  unsigned carrier_id = 0;
+#if defined(OS_ANDROID)
+  base::StringToUint(net::android::GetTelephonyNetworkOperator(), &carrier_id);
+#endif
+
+  DataReductionProxyTamperDetection tamper_detection(
+      headers,
+      is_secure_scheme,
+      carrier_id,
+      &chrome_proxy_header_values);
+
+  // Checks if the Chrome-Proxy header has been tampered with.
+  if (tamper_detection.IsChromeProxyHeaderTampered(chrome_proxy_fingerprint)) {
+    tamper_detection.ReportChromeProxyHeaderTamperedUMA();
+    return true;
+  }
+
+  // Since the Chrome-Proxy header has not been tampered with, reports the
+  // number of responses that other fingerprints will be checked.
+  REPORT_TAMPER_DETECTION_UMA(
+      is_secure_scheme,
+      "DataReductionProxy.HTTPSHeaderTamperDetection",
+      "DataReductionProxy.HTTPHeaderTamperDetection",
+      carrier_id);
+
+  bool tampered = false;
+  std::map<std::string, FingerprintCode>::iterator i;
+  for (i = tamper_detection.fingerprint_name_code_map_.begin();
+       i != tamper_detection.fingerprint_name_code_map_.end(); ++i) {
+    std::string fingerprint;
+    if (!GetDataReductionProxyActionValue(
+        headers, i->first, &fingerprint)) {
+      continue;
+    }
+
+    switch (i->second) {
+    case VIA:
+      bool has_chrome_proxy_via_header;
+      if (tamper_detection.IsViaHeaderTampered(
+          fingerprint, &has_chrome_proxy_via_header)) {
+        tamper_detection.ReportViaHeaderTamperedUMA(
+            has_chrome_proxy_via_header);
+        tampered = true;
+      }
+      break;
+    case OTHERHEADERS:
+      if (tamper_detection.AreOtherHeadersTampered(fingerprint)) {
+        tamper_detection.ReportOtherHeadersTamperedUMA();
+        tampered = true;
+      }
+      break;
+    case CONTENTLENGTH:
+      if (tamper_detection.IsContentLengthHeaderTampered(fingerprint)) {
+        tamper_detection.ReportContentLengthHeaderTamperedUMA();
+        tampered = true;
+      }
+      break;
+    default:
+      NOTREACHED();
+      break;
+    }
+  }
+  return tampered;
+}
+
+// Constructor initializes the map of fingerprint name to code.
+DataReductionProxyTamperDetection::DataReductionProxyTamperDetection(
+    const net::HttpResponseHeaders* headers,
+    const bool is_secure,
+    const unsigned carrier_id,
+    std::vector<std::string>* values)
+    : response_headers_(headers),
+      is_secure_scheme_(is_secure),
+      carrier_id_(carrier_id),
+      clean_chrome_proxy_header_values_(values) {
+  DCHECK(headers);
+  fingerprint_name_code_map_ = std::map<std::string, FingerprintCode>();
+  fingerprint_name_code_map_
+      [kChromeProxyActionFingerprintVia] = VIA;
+  fingerprint_name_code_map_
+      [kChromeProxyActionFingerprintOtherHeaders] = OTHERHEADERS;
+  fingerprint_name_code_map_
+      [kChromeProxyActionFingerprintContentLength] = CONTENTLENGTH;
+};
+
+DataReductionProxyTamperDetection::~DataReductionProxyTamperDetection() {};
+
+// Checks whether the Chrome-Proxy header has been tampered with. |fingerprint|
+// is the fingerprint received from the data reduction proxy, which is Base64
+// encoded. Decodes it first. Then calculates the fingerprint of received
+// Chrome-Proxy header, and compares the two to see whether they are equal or
+// not. Note that |clean_chrome_proxy_header_values_| holds the values of the
+// Chrome-Proxy header with its own fingerprint removed, so it's the correct
+// values to calculate fingerprint of received Chrome-Proxy header.
+bool DataReductionProxyTamperDetection::IsChromeProxyHeaderTampered(
+    const std::string& fingerprint) const {
+  std::string received_fingerprint;
+  if (!base::Base64Decode(fingerprint, &received_fingerprint))
+    return true;
+  // Calculates the MD5 hash value of Chrome-Proxy.
+  std::string actual_fingerprint = GetMD5(
+      ValuesToSortedString(clean_chrome_proxy_header_values_));
+
+  return received_fingerprint != actual_fingerprint;
+}
+
+void DataReductionProxyTamperDetection::ReportChromeProxyHeaderTamperedUMA()
+    const {
+  REPORT_TAMPER_DETECTION_UMA(
+      is_secure_scheme_,
+      "DataReductionProxy.HTTPSHeaderTampered_ChromeProxy",
+      "DataReductionProxy.HTTPHeaderTampered_ChromeProxy",
+      carrier_id_);
+}
+
+// Checks whether there are other proxies/middleboxes' name after the data
+// reduction proxy's name in Via header. |has_chrome_proxy_via_header| marks
+// that whether the data reduction proxy's Via header occurs or not.
+bool DataReductionProxyTamperDetection::IsViaHeaderTampered(
+    const std::string& fingerprint, bool* has_chrome_proxy_via_header) const {
+  bool has_intermediary;
+  *has_chrome_proxy_via_header = HasDataReductionProxyViaHeader(
+      response_headers_,
+      &has_intermediary);
+
+  if (*has_chrome_proxy_via_header)
+    return !has_intermediary;
+  return false;
+}
+
+void DataReductionProxyTamperDetection::ReportViaHeaderTamperedUMA(
+    bool has_chrome_proxy) const {
+  // The Via header of the data reduction proxy is missing.
+  if (!has_chrome_proxy) {
+    REPORT_TAMPER_DETECTION_UMA(
+        is_secure_scheme_,
+        "DataReductionProxy.HTTPSHeaderTampered_Via_Missing",
+        "DataReductionProxy.HTTPHeaderTampered_Via_Missing",
+        carrier_id_);
+    return;
+  }
+
+  REPORT_TAMPER_DETECTION_UMA(
+      is_secure_scheme_,
+      "DataReductionProxy.HTTPSHeaderTampered_Via",
+      "DataReductionProxy.HTTPHeaderTampered_Via",
+      carrier_id_);
+}
+
+// Checks whether values of a predefined list of headers have been modified. At
+// the data reduction proxy side, it constructs a canonical representation of
+// values of a list headers. The fingerprint is constructed as follows:
+// 1) for each header, gets the string representation of its values (same to
+//    ValuesToSortedString);
+// 2) concatenates all header's string representation with a ";" delimiter,
+//    respect to the order of the header list;
+// 3) calculates the MD5 hash value of above concatenated string;
+// 4) appends the header names to the fingerprint, with a delimiter "|".
+// The constructed fingerprint looks like:
+//     [hashed_fingerprint]|header_name1|header_namer2:...
+//
+// To check whether such fingerprint matches the response that the Chromium
+// client receives, the Chromium client firstly extracts the header names. For
+// each header, gets its string representation (by ValuesToSortedString),
+// concatenates them and calculates the MD5 hash value. Compares such hash
+// value to the fingerprint received from the data reduction proxy.
+bool DataReductionProxyTamperDetection::AreOtherHeadersTampered(
+    const std::string& fingerprint) const {
+  std::string received_fingerprint;
+  DCHECK(fingerprint.size());
+
+  // "|" delimiter would not occur in base64 as well as header names.
+  net::HttpUtil::ValuesIterator it(fingerprint.begin(),
+                                   fingerprint.end(), '|');
+
+  // The first value from fingerprint is the base64 encoded fingerprint; the
+  // following values are the header names included in fingerprint calculation.
+  // Make sure there is [base64fingerprint] and it can be decoded.
+  if (!(it.GetNext() &&
+        base::Base64Decode(it.value(), &received_fingerprint))) {
+    NOTREACHED();
+    return true;
+  }
+
+  std::string header_values;
+  // Enumerates the list of headers.
+  while (it.GetNext()) {
+    // Gets values of one header.
+    std::vector<std::string> response_header_values =
+        GetHeaderValues(response_headers_, it.value());
+    // Sorts the values and concatenate them, with delimiter ";". ";" would not
+    // occur in header values,
+    header_values += ValuesToSortedString(&response_header_values)  + ";";
+  }
+
+  // Calculates the MD5 hash of the concatenated string.
+  std::string actual_fingerprint = GetMD5(header_values);
+
+  return received_fingerprint != actual_fingerprint;
+}
+
+void DataReductionProxyTamperDetection::ReportOtherHeadersTamperedUMA() const {
+  REPORT_TAMPER_DETECTION_UMA(
+      is_secure_scheme_,
+      "DataReductionProxy.HTTPSHeaderTampered_OtherHeaders",
+      "DataReductionProxy.HTTPHeaderTampered_OtherHeaders",
+      carrier_id_);
+}
+
+// Checks whether the Content-Length value is different from what the data
+// reduction proxy sends. Reports it as modified only if Content-Length can be
+// decoded as an integer at both ends and such two numbers are not equal.
+bool DataReductionProxyTamperDetection::IsContentLengthHeaderTampered(
+    const std::string& fingerprint) const {
+  int received_content_length_fingerprint, actual_content_length;
+  // If Content-Length value from data reduction proxy does not exist or it
+  // cannot be converted to an integer, abort.
+  if (base::StringToInt(fingerprint, &received_content_length_fingerprint)) {
+    std::string actual_content_length_string;
+    // If there is no Content-Length header received, abort.
+    if (response_headers_->GetNormalizedHeader("Content-Length",
+        &actual_content_length_string)) {
+      // If the Content-Length value cannot be converted to integer, abort.
+      if (!base::StringToInt(actual_content_length_string,
+                             &actual_content_length)) {
+        return false;
+      }
+
+      return received_content_length_fingerprint != actual_content_length;
+    }
+  }
+  return false;
+}
+
+void DataReductionProxyTamperDetection::ReportContentLengthHeaderTamperedUMA()
+    const {
+  // Gets MIME type of the response and reports to UMA histograms separately.
+  // Divides MIME types into 4 groups: JavaScript, CSS, Images, and others.
+  REPORT_TAMPER_DETECTION_UMA(
+      is_secure_scheme_,
+      "DataReductionProxy.HTTPSHeaderTampered_ContentLength",
+      "DataReductionProxy.HTTPHeaderTampered_ContentLength",
+      carrier_id_);
+
+  // Gets MIME type.
+  std::string mime_type;
+  response_headers_->GetMimeType(&mime_type);
+
+  // Reports tampered JavaScript.
+  if (mime_type.compare("text/javascript") == 0 ||
+      mime_type.compare("application/x-javascript") == 0 ||
+      mime_type.compare("application/javascript") == 0) {
+    REPORT_TAMPER_DETECTION_UMA(
+        is_secure_scheme_,
+        "DataReductionProxy.HTTPSHeaderTampered_ContentLength_JS",
+        "DataReductionProxy.HTTPHeaderTampered_ContentLength_JS",
+        carrier_id_);
+  }
+  // Reports tampered CSSs.
+  else if (mime_type.compare("text/css") == 0) {
+    REPORT_TAMPER_DETECTION_UMA(
+        is_secure_scheme_,
+        "DataReductionProxy.HTTPSHeaderTampered_ContentLength_CSS",
+        "DataReductionProxy.HTTPHeaderTampered_ContentLength_CSS",
+        carrier_id_);
+  }
+  // Reports tampered images.
+  else if (mime_type.find("image/") == 0) {
+    REPORT_TAMPER_DETECTION_UMA(
+        is_secure_scheme_,
+        "DataReductionProxy.HTTPSHeaderTampered_ContentLength_Image",
+        "DataReductionProxy.HTTPHeaderTampered_ContentLength_Image",
+        carrier_id_);
+  }
+  // Reports tampered other MIME types.
+  else {
+    REPORT_TAMPER_DETECTION_UMA(
+        is_secure_scheme_,
+        "DataReductionProxy.HTTPSHeaderTampered_ContentLength_Other",
+        "DataReductionProxy.HTTPHeaderTampered_ContentLength_Other",
+        carrier_id_);
+  }
+}
+
+DataReductionProxyTamperDetection::FingerprintCode
+    DataReductionProxyTamperDetection::GetFingerprintCode(
+    const std::string& fingerprint_name) {
+  std::map<std::string, FingerprintCode>::iterator it =
+      fingerprint_name_code_map_.find(fingerprint_name);
+
+  if (it != fingerprint_name_code_map_.end())
+    return it->second;
+  return NONEXIST;
+}
+
+// Removes the Chrome-Proxy header's fingerprint (action name
+// |kFingerprintChromeProxy|) from its values vector.
+void DataReductionProxyTamperDetection::RemoveChromeProxyFingerprint(
+    std::vector<std::string>* values) {
+  DCHECK(values);
+  if (!values) return;
+
+  std::string chrome_proxy_fingerprint_prefix = std::string(
+      kChromeProxyActionFingerprintChromeProxy) + "=";
+
+  for (size_t i = 0; i < values->size(); ++i) {
+    if ((*values)[i].find(chrome_proxy_fingerprint_prefix) == 0) {
+      values->erase(values->begin() + i);
+      break;
+    }
+  }
+}
+
+// We construct a canonical representation of the header so that reordered
+// header values will produce the same fingerprint. The fingerprint is
+// constructed as follows:
+// 1) sorts the values;
+// 2) concatenates sorted values with a "," delimiter.
+std::string DataReductionProxyTamperDetection::ValuesToSortedString(
+    std::vector<std::string>* values) {
+  std::string concatenated_values;
+  DCHECK(values);
+  if (!values) return "";
+
+  std::sort(values->begin(), values->end());
+  for (size_t i = 0; i < values->size(); ++i) {
+    // Concatenates with delimiter ",".
+    concatenated_values += (*values)[i] + ",";
+  }
+  return concatenated_values;
+}
+
+std::string DataReductionProxyTamperDetection::GetMD5(
+    const std::string &input) {
+  base::MD5Digest digest;
+  base::MD5Sum(input.c_str(), input.size(), &digest);
+  return std::string((char*)digest.a, ARRAYSIZE_UNSAFE(digest.a));
+}
+
+std::vector<std::string> DataReductionProxyTamperDetection::GetHeaderValues(
+    const net::HttpResponseHeaders* headers, const std::string& header_name) {
+  std::vector<std::string> values;
+  std::string value;
+  void* iter = NULL;
+  while (headers->EnumerateHeader(&iter, header_name, &value)) {
+    values.push_back(value);
+  }
+  return values;
+}
+
+}  // namespace data_reduction_proxy