• Home
  • History
  • Annotate
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detection.h"
6 
7 #include <algorithm>
8 #include <cstring>
9 
10 #include "base/base64.h"
11 #include "base/md5.h"
12 #include "base/metrics/histogram.h"
13 #include "base/metrics/sparse_histogram.h"
14 #include "base/strings/string_number_conversions.h"
15 #include "base/strings/string_util.h"
16 #include "components/data_reduction_proxy/common/data_reduction_proxy_headers.h"
17 #include "net/http/http_response_headers.h"
18 #include "net/http/http_util.h"
19 
20 #if defined(OS_ANDROID)
21 #include "net/android/network_library.h"
22 #endif
23 
24 // Macro for UMA reporting. HTTP response first reports to histogram events
25 // |http_histogram| by |carrier_id|; then reports the total counts to
26 // |http_histogram|_Total. HTTPS response reports to histograms
27 // |https_histogram| and |https_histogram|_Total similarly.
28 #define REPORT_TAMPER_DETECTION_UMA( \
29     scheme_is_https, https_histogram, http_histogram, carrier_id) \
30   do { \
31     if (scheme_is_https) { \
32       UMA_HISTOGRAM_SPARSE_SLOWLY(https_histogram, carrier_id); \
33       UMA_HISTOGRAM_COUNTS(https_histogram "_Total", 1); \
34     } else { \
35       UMA_HISTOGRAM_SPARSE_SLOWLY(http_histogram, carrier_id); \
36       UMA_HISTOGRAM_COUNTS(http_histogram "_Total", 1); \
37     }\
38   } while (0)
39 
40 namespace data_reduction_proxy {
41 
42 // static
DetectAndReport(const net::HttpResponseHeaders * headers,const bool scheme_is_https)43 bool DataReductionProxyTamperDetection::DetectAndReport(
44     const net::HttpResponseHeaders* headers,
45     const bool scheme_is_https) {
46   DCHECK(headers);
47   // Abort tamper detection, if the fingerprint of the Chrome-Proxy header is
48   // absent.
49   std::string chrome_proxy_fingerprint;
50   if (!GetDataReductionProxyActionFingerprintChromeProxy(
51       headers, &chrome_proxy_fingerprint)) {
52     return false;
53   }
54 
55   // Get carrier ID.
56   unsigned carrier_id = 0;
57 #if defined(OS_ANDROID)
58   base::StringToUint(net::android::GetTelephonyNetworkOperator(), &carrier_id);
59 #endif
60 
61   DataReductionProxyTamperDetection tamper_detection(
62       headers, scheme_is_https, carrier_id);
63 
64   // Checks if the Chrome-Proxy header has been tampered with.
65   if (tamper_detection.ValidateChromeProxyHeader(chrome_proxy_fingerprint)) {
66     tamper_detection.ReportUMAforChromeProxyHeaderValidation();
67     return true;
68   }
69 
70   // Chrome-Proxy header has not been tampered with, and thus other
71   // fingerprints are valid. Reports the number of responses that other
72   // fingerprints will be checked.
73   REPORT_TAMPER_DETECTION_UMA(
74       scheme_is_https,
75       "DataReductionProxy.HeaderTamperDetectionHTTPS",
76       "DataReductionProxy.HeaderTamperDetectionHTTP",
77       carrier_id);
78 
79   bool tampered = false;
80   std::string fingerprint;
81 
82   if (GetDataReductionProxyActionFingerprintVia(headers, &fingerprint)) {
83     bool has_chrome_proxy_via_header;
84     if (tamper_detection.ValidateViaHeader(
85         fingerprint, &has_chrome_proxy_via_header)) {
86       tamper_detection.ReportUMAforViaHeaderValidation(
87           has_chrome_proxy_via_header);
88       tampered = true;
89     }
90   }
91 
92   if (GetDataReductionProxyActionFingerprintOtherHeaders(
93       headers, &fingerprint)) {
94     if (tamper_detection.ValidateOtherHeaders(fingerprint)) {
95       tamper_detection.ReportUMAforOtherHeadersValidation();
96       tampered = true;
97     }
98   }
99 
100   if (GetDataReductionProxyActionFingerprintContentLength(
101       headers, &fingerprint)) {
102     if (tamper_detection.ValidateContentLengthHeader(fingerprint)) {
103       tamper_detection.ReportUMAforContentLengthHeaderValidation();
104       tampered = true;
105     }
106   }
107 
108   if (!tampered) {
109     REPORT_TAMPER_DETECTION_UMA(
110         scheme_is_https,
111         "DataReductionProxy.HeaderTamperDetectionPassHTTPS",
112         "DataReductionProxy.HeaderTamperDetectionPassHTTP",
113         carrier_id);
114   }
115 
116   return tampered;
117 }
118 
119 // Constructor initializes the map of fingerprint names to codes.
DataReductionProxyTamperDetection(const net::HttpResponseHeaders * headers,const bool is_secure,const unsigned carrier_id)120 DataReductionProxyTamperDetection::DataReductionProxyTamperDetection(
121     const net::HttpResponseHeaders* headers,
122     const bool is_secure,
123     const unsigned carrier_id)
124     : response_headers_(headers),
125       scheme_is_https_(is_secure),
126       carrier_id_(carrier_id) {
127   DCHECK(headers);
128 }
129 
~DataReductionProxyTamperDetection()130 DataReductionProxyTamperDetection::~DataReductionProxyTamperDetection() {};
131 
132 // |fingerprint| is Base64 encoded. Decodes it first. Then calculates the
133 // fingerprint of received Chrome-Proxy header, and compares the two to see
134 // whether they are equal or not.
ValidateChromeProxyHeader(const std::string & fingerprint) const135 bool DataReductionProxyTamperDetection::ValidateChromeProxyHeader(
136     const std::string& fingerprint) const {
137   std::string received_fingerprint;
138   if (!base::Base64Decode(fingerprint, &received_fingerprint))
139     return true;
140 
141   // Gets the Chrome-Proxy header values with its fingerprint removed.
142   std::vector<std::string> chrome_proxy_header_values;
143   GetDataReductionProxyHeaderWithFingerprintRemoved(
144       response_headers_, &chrome_proxy_header_values);
145 
146   // Calculates the MD5 hash value of Chrome-Proxy.
147   std::string actual_fingerprint;
148   GetMD5(ValuesToSortedString(&chrome_proxy_header_values),
149          &actual_fingerprint);
150 
151   return received_fingerprint != actual_fingerprint;
152 }
153 
154 void DataReductionProxyTamperDetection::
ReportUMAforChromeProxyHeaderValidation() const155     ReportUMAforChromeProxyHeaderValidation() const {
156   REPORT_TAMPER_DETECTION_UMA(
157       scheme_is_https_,
158       "DataReductionProxy.HeaderTamperedHTTPS_ChromeProxy",
159       "DataReductionProxy.HeaderTamperedHTTP_ChromeProxy",
160       carrier_id_);
161 }
162 
163 // Checks whether there are other proxies/middleboxes' named after the data
164 // reduction proxy's name in Via header. |has_chrome_proxy_via_header| marks
165 // that whether the data reduction proxy's Via header occurs or not.
ValidateViaHeader(const std::string & fingerprint,bool * has_chrome_proxy_via_header) const166 bool DataReductionProxyTamperDetection::ValidateViaHeader(
167     const std::string& fingerprint,
168     bool* has_chrome_proxy_via_header) const {
169   bool has_intermediary;
170   *has_chrome_proxy_via_header = HasDataReductionProxyViaHeader(
171       response_headers_,
172       &has_intermediary);
173 
174   if (*has_chrome_proxy_via_header)
175     return !has_intermediary;
176   return true;
177 }
178 
ReportUMAforViaHeaderValidation(bool has_chrome_proxy) const179 void DataReductionProxyTamperDetection::ReportUMAforViaHeaderValidation(
180     bool has_chrome_proxy) const {
181   // The Via header of the data reduction proxy is missing.
182   if (!has_chrome_proxy) {
183     REPORT_TAMPER_DETECTION_UMA(
184         scheme_is_https_,
185         "DataReductionProxy.HeaderTamperedHTTPS_Via_Missing",
186         "DataReductionProxy.HeaderTamperedHTTP_Via_Missing",
187         carrier_id_);
188     return;
189   }
190 
191   REPORT_TAMPER_DETECTION_UMA(
192       scheme_is_https_,
193       "DataReductionProxy.HeaderTamperedHTTPS_Via",
194       "DataReductionProxy.HeaderTamperedHTTP_Via",
195       carrier_id_);
196 }
197 
198 // The data reduction proxy constructs a canonical representation of values of
199 // a list of headers. The fingerprint is constructed as follows:
200 // 1) for each header, gets the string representation of its values (same as
201 //    ValuesToSortedString);
202 // 2) concatenates all header's string representations using ";" as a delimiter;
203 // 3) calculates the MD5 hash value of above concatenated string;
204 // 4) appends the header names to the fingerprint, with a delimiter "|".
205 // The constructed fingerprint looks like:
206 //     [hashed_fingerprint]|header_name1|header_namer2:...
207 //
208 // To check whether such a fingerprint matches the response that the Chromium
209 // client receives, the client firstly extracts the header names. For
210 // each header, gets its string representation (by ValuesToSortedString),
211 // concatenates them and calculates the MD5 hash value. Compares the hash
212 // value to the fingerprint received from the data reduction proxy.
ValidateOtherHeaders(const std::string & fingerprint) const213 bool DataReductionProxyTamperDetection::ValidateOtherHeaders(
214     const std::string& fingerprint) const {
215   DCHECK(!fingerprint.empty());
216 
217   // According to RFC 2616, "|" is not a valid character in a header name; and
218   // it is not a valid base64 encoding character, so there is no ambituity in
219   //using it as a delimiter.
220   net::HttpUtil::ValuesIterator it(
221       fingerprint.begin(), fingerprint.end(), '|');
222 
223   // The first value is the base64 encoded fingerprint.
224   std::string received_fingerprint;
225   if (!it.GetNext() ||
226       !base::Base64Decode(it.value(), &received_fingerprint)) {
227     NOTREACHED();
228     return true;
229   }
230 
231   std::string header_values;
232   // The following values are the header names included in the fingerprint
233   // calculation.
234   while (it.GetNext()) {
235     // Gets values of one header.
236     std::vector<std::string> response_header_values =
237         GetHeaderValues(response_headers_, it.value());
238     // Sorts the values and concatenate them, with delimiter ";". ";" can occur
239     // in a header value and thus two different sets of header values could map
240     // to the same string representation. This should be very rare.
241     // TODO(xingx): find an unambiguous representation.
242     header_values += ValuesToSortedString(&response_header_values)  + ";";
243   }
244 
245   // Calculates the MD5 hash of the concatenated string.
246   std::string actual_fingerprint;
247   GetMD5(header_values, &actual_fingerprint);
248 
249   return received_fingerprint != actual_fingerprint;
250 }
251 
252 void DataReductionProxyTamperDetection::
ReportUMAforOtherHeadersValidation() const253     ReportUMAforOtherHeadersValidation() const {
254   REPORT_TAMPER_DETECTION_UMA(
255       scheme_is_https_,
256       "DataReductionProxy.HeaderTamperedHTTPS_OtherHeaders",
257       "DataReductionProxy.HeaderTamperedHTTP_OtherHeaders",
258       carrier_id_);
259 }
260 
261 // The Content-Length value will not be reported as different if at either side
262 // (the data reduction proxy side and the client side), the Content-Length is
263 // missing or it cannot be decoded as a valid integer.
ValidateContentLengthHeader(const std::string & fingerprint) const264 bool DataReductionProxyTamperDetection::ValidateContentLengthHeader(
265     const std::string& fingerprint) const {
266   int received_content_length_fingerprint, actual_content_length;
267   // Abort, if Content-Length value from the data reduction proxy does not
268   // exist or it cannot be converted to an integer.
269   if (!base::StringToInt(fingerprint, &received_content_length_fingerprint))
270     return false;
271 
272   std::string actual_content_length_string;
273   // Abort, if there is no Content-Length header received.
274   if (!response_headers_->GetNormalizedHeader("Content-Length",
275       &actual_content_length_string)) {
276     return false;
277   }
278 
279   // Abort, if the Content-Length value cannot be converted to integer.
280   if (!base::StringToInt(actual_content_length_string,
281                          &actual_content_length)) {
282     return false;
283   }
284 
285   return received_content_length_fingerprint != actual_content_length;
286 }
287 
288 void DataReductionProxyTamperDetection::
ReportUMAforContentLengthHeaderValidation() const289     ReportUMAforContentLengthHeaderValidation() const {
290   // Gets MIME type of the response and reports to UMA histograms separately.
291   // Divides MIME types into 4 groups: JavaScript, CSS, Images, and others.
292   REPORT_TAMPER_DETECTION_UMA(
293       scheme_is_https_,
294       "DataReductionProxy.HeaderTamperedHTTPS_ContentLength",
295       "DataReductionProxy.HeaderTamperedHTTP_ContentLength",
296       carrier_id_);
297 
298   // Gets MIME type.
299   std::string mime_type;
300   response_headers_->GetMimeType(&mime_type);
301 
302   std::string JS1   = "text/javascript";
303   std::string JS2   = "application/x-javascript";
304   std::string JS3   = "application/javascript";
305   std::string CSS   = "text/css";
306   std::string IMAGE = "image/";
307 
308   size_t mime_type_size = mime_type.size();
309   if ((mime_type_size >= JS1.size() && LowerCaseEqualsASCII(mime_type.begin(),
310       mime_type.begin() + JS1.size(), JS1.c_str())) ||
311       (mime_type_size >= JS2.size() && LowerCaseEqualsASCII(mime_type.begin(),
312       mime_type.begin() + JS2.size(), JS2.c_str())) ||
313       (mime_type_size >= JS3.size() && LowerCaseEqualsASCII(mime_type.begin(),
314       mime_type.begin() + JS3.size(), JS3.c_str()))) {
315     REPORT_TAMPER_DETECTION_UMA(
316         scheme_is_https_,
317         "DataReductionProxy.HeaderTamperedHTTPS_ContentLength_JS",
318         "DataReductionProxy.HeaderTamperedHTTP_ContentLength_JS",
319         carrier_id_);
320   } else if (mime_type_size >= CSS.size() &&
321       LowerCaseEqualsASCII(mime_type.begin(),
322       mime_type.begin() + CSS.size(), CSS.c_str())) {
323     REPORT_TAMPER_DETECTION_UMA(
324         scheme_is_https_,
325         "DataReductionProxy.HeaderTamperedHTTPS_ContentLength_CSS",
326         "DataReductionProxy.HeaderTamperedHTTP_ContentLength_CSS",
327         carrier_id_);
328   } else if (mime_type_size >= IMAGE.size() &&
329       LowerCaseEqualsASCII(mime_type.begin(),
330       mime_type.begin() + IMAGE.size(), IMAGE.c_str())) {
331     REPORT_TAMPER_DETECTION_UMA(
332         scheme_is_https_,
333         "DataReductionProxy.HeaderTamperedHTTPS_ContentLength_Image",
334         "DataReductionProxy.HeaderTamperedHTTP_ContentLength_Image",
335         carrier_id_);
336   } else {
337     REPORT_TAMPER_DETECTION_UMA(
338         scheme_is_https_,
339         "DataReductionProxy.HeaderTamperedHTTPS_ContentLength_Other",
340         "DataReductionProxy.HeaderTamperedHTTP_ContentLength_Other",
341         carrier_id_);
342   }
343 }
344 
345 // We construct a canonical representation of the header so that reordered
346 // header values will produce the same fingerprint. The fingerprint is
347 // constructed as follows:
348 // 1) sort the values;
349 // 2) concatenate sorted values with a "," delimiter.
ValuesToSortedString(std::vector<std::string> * values)350 std::string DataReductionProxyTamperDetection::ValuesToSortedString(
351     std::vector<std::string>* values) {
352   std::string concatenated_values;
353   DCHECK(values);
354   if (!values) return "";
355 
356   std::sort(values->begin(), values->end());
357   for (size_t i = 0; i < values->size(); ++i) {
358     // Concatenates with delimiter ",".
359     concatenated_values += (*values)[i] + ",";
360   }
361   return concatenated_values;
362 }
363 
GetMD5(const std::string & input,std::string * output)364 void DataReductionProxyTamperDetection::GetMD5(
365     const std::string& input, std::string* output) {
366   base::MD5Digest digest;
367   base::MD5Sum(input.c_str(), input.size(), &digest);
368   *output = std::string(
369       reinterpret_cast<char*>(digest.a), ARRAYSIZE_UNSAFE(digest.a));
370 }
371 
GetHeaderValues(const net::HttpResponseHeaders * headers,const std::string & header_name)372 std::vector<std::string> DataReductionProxyTamperDetection::GetHeaderValues(
373     const net::HttpResponseHeaders* headers,
374     const std::string& header_name) {
375   std::vector<std::string> values;
376   std::string value;
377   void* iter = NULL;
378   while (headers->EnumerateHeader(&iter, header_name, &value)) {
379     values.push_back(value);
380   }
381   return values;
382 }
383 
384 }  // namespace data_reduction_proxy
385