1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/internal_auth.h"
10 #include "base/base64.h"
11 #include "base/lazy_instance.h"
12 #include "base/rand_util.h"
13 #include "base/strings/string_number_conversions.h"
14 #include "base/strings/string_split.h"
15 #include "base/strings/string_util.h"
16 #include "base/synchronization/lock.h"
17 #include "base/threading/thread_checker.h"
18 #include "base/time/time.h"
19 #include "base/values.h"
20 #include "crypto/hmac.h"
24 typedef std::map
<std::string
, std::string
> VarValueMap
;
26 // Size of a tick in microseconds. This determines upper bound for average
27 // number of passports generated per time unit. This bound equals to
28 // (kMicrosecondsPerSecond / TickUs) calls per second.
29 const int64 kTickUs
= 10000;
31 // Verification window size in ticks; that means any passport expires in
32 // (kVerificationWindowTicks * TickUs / kMicrosecondsPerSecond) seconds.
33 const int kVerificationWindowTicks
= 2000;
35 // Generation window determines how well we are able to cope with bursts of
36 // GeneratePassport calls those exceed upper bound on average speed.
37 const int kGenerationWindowTicks
= 20;
39 // Makes no sense to compare other way round.
40 static_assert(kGenerationWindowTicks
<= kVerificationWindowTicks
,
41 "generation window should not be larger than the verification window");
42 // We are not optimized for high value of kGenerationWindowTicks.
43 static_assert(kGenerationWindowTicks
< 30,
44 "generation window should not be too large");
46 // Regenerate key after this number of ticks.
47 const int kKeyRegenerationSoftTicks
= 500000;
48 // Reject passports if key has not been regenerated in that number of ticks.
49 const int kKeyRegenerationHardTicks
= kKeyRegenerationSoftTicks
* 2;
51 // Limit for number of accepted var=value pairs. Feel free to bump this limit
52 // higher once needed.
53 const size_t kVarsLimit
= 16;
55 // Limit for length of caller-supplied strings. Feel free to bump this limit
56 // higher once needed.
57 const size_t kStringLengthLimit
= 512;
59 // Character used as a separator for construction of message to take HMAC of.
60 // It is critical to validate all caller-supplied data (used to construct
61 // message) to be clear of this separator because it could allow attacks.
62 const char kItemSeparator
= '\n';
64 // Character used for var=value separation.
65 const char kVarValueSeparator
= '=';
67 const size_t kKeySizeInBytes
= 128 / 8;
68 const size_t kHMACSizeInBytes
= 256 / 8;
70 // Length of base64 string required to encode given number of raw octets.
71 #define BASE64_PER_RAW(X) (X > 0 ? ((X - 1) / 3 + 1) * 4 : 0)
73 // Size of decimal string representing 64-bit tick.
74 const size_t kTickStringLength
= 20;
76 // A passport consists of 2 parts: HMAC and tick.
77 const size_t kPassportSize
=
78 BASE64_PER_RAW(kHMACSizeInBytes
) + kTickStringLength
;
80 int64
GetCurrentTick() {
81 int64 tick
= base::Time::Now().ToInternalValue() / kTickUs
;
82 if (tick
< kVerificationWindowTicks
||
83 tick
< kKeyRegenerationHardTicks
||
84 tick
> kint64max
- kKeyRegenerationHardTicks
) {
90 bool IsDomainSane(const std::string
& domain
) {
91 return !domain
.empty() &&
92 domain
.size() <= kStringLengthLimit
&&
93 base::IsStringUTF8(domain
) &&
94 domain
.find_first_of(kItemSeparator
) == std::string::npos
;
97 bool IsVarSane(const std::string
& var
) {
98 static const char kAllowedChars
[] =
99 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
100 "abcdefghijklmnopqrstuvwxyz"
104 sizeof(kAllowedChars
) == 26 + 26 + 10 + 1 + 1, "some mess with chars");
105 // We must not allow kItemSeparator in anything used as an input to construct
107 DCHECK(std::find(kAllowedChars
, kAllowedChars
+ arraysize(kAllowedChars
),
108 kItemSeparator
) == kAllowedChars
+ arraysize(kAllowedChars
));
109 DCHECK(std::find(kAllowedChars
, kAllowedChars
+ arraysize(kAllowedChars
),
110 kVarValueSeparator
) == kAllowedChars
+ arraysize(kAllowedChars
));
111 return !var
.empty() &&
112 var
.size() <= kStringLengthLimit
&&
113 base::IsStringASCII(var
) &&
114 var
.find_first_not_of(kAllowedChars
) == std::string::npos
&&
115 !base::IsAsciiDigit(var
[0]);
118 bool IsValueSane(const std::string
& value
) {
119 return value
.size() <= kStringLengthLimit
&&
120 base::IsStringUTF8(value
) &&
121 value
.find_first_of(kItemSeparator
) == std::string::npos
;
124 bool IsVarValueMapSane(const VarValueMap
& map
) {
125 if (map
.size() > kVarsLimit
)
127 for (VarValueMap::const_iterator it
= map
.begin(); it
!= map
.end(); ++it
) {
128 const std::string
& var
= it
->first
;
129 const std::string
& value
= it
->second
;
130 if (!IsVarSane(var
) || !IsValueSane(value
))
136 void ConvertVarValueMapToBlob(const VarValueMap
& map
, std::string
* out
) {
138 DCHECK(IsVarValueMapSane(map
));
139 for (VarValueMap::const_iterator it
= map
.begin(); it
!= map
.end(); ++it
)
140 *out
+= it
->first
+ kVarValueSeparator
+ it
->second
+ kItemSeparator
;
143 void CreatePassport(const std::string
& domain
,
144 const VarValueMap
& map
,
146 const crypto::HMAC
* engine
,
150 DCHECK(IsDomainSane(domain
));
151 DCHECK(IsVarValueMapSane(map
));
154 std::string
result(kPassportSize
, '0');
157 blob
= domain
+ kItemSeparator
;
159 ConvertVarValueMapToBlob(map
, &tmp
);
160 blob
+= tmp
+ kItemSeparator
+ base::Int64ToString(tick
);
163 unsigned char* hmac_data
= reinterpret_cast<unsigned char*>(
164 base::WriteInto(&hmac
, kHMACSizeInBytes
+ 1));
165 if (!engine
->Sign(blob
, hmac_data
, kHMACSizeInBytes
)) {
169 std::string hmac_base64
;
170 base::Base64Encode(hmac
, &hmac_base64
);
171 if (hmac_base64
.size() != BASE64_PER_RAW(kHMACSizeInBytes
)) {
175 DCHECK(hmac_base64
.size() < result
.size());
176 std::copy(hmac_base64
.begin(), hmac_base64
.end(), result
.begin());
178 std::string tick_decimal
= base::Int64ToString(tick
);
179 DCHECK(tick_decimal
.size() <= kTickStringLength
);
181 tick_decimal
.begin(),
183 result
.begin() + kPassportSize
- tick_decimal
.size());
192 class InternalAuthVerificationService
{
194 InternalAuthVerificationService()
195 : key_change_tick_(0),
200 const std::string
& passport
,
201 const std::string
& domain
,
202 const VarValueMap
& map
) {
203 int64 current_tick
= GetCurrentTick();
204 int64 tick
= PreVerifyPassport(passport
, domain
, current_tick
);
207 if (!IsVarValueMapSane(map
))
209 std::string reference_passport
;
210 CreatePassport(domain
, map
, tick
, engine_
.get(), &reference_passport
);
211 if (passport
!= reference_passport
) {
213 if (key_change_tick_
+ get_verification_window_ticks() < tick
) {
216 if (old_key_
.empty() || old_engine_
== NULL
)
218 CreatePassport(domain
, map
, tick
, old_engine_
.get(), &reference_passport
);
219 if (passport
!= reference_passport
)
223 // Record used tick to prevent reuse.
224 std::deque
<int64
>::iterator it
= std::lower_bound(
225 used_ticks_
.begin(), used_ticks_
.end(), tick
);
226 DCHECK(it
== used_ticks_
.end() || *it
!= tick
);
227 used_ticks_
.insert(it
, tick
);
229 // Consider pruning |used_ticks_|.
230 if (used_ticks_
.size() > 50) {
231 dark_tick_
= std::max(dark_tick_
,
232 current_tick
- get_verification_window_ticks());
235 std::lower_bound(used_ticks_
.begin(), used_ticks_
.end(),
241 void ChangeKey(const std::string
& key
) {
244 old_engine_
.swap(engine_
);
247 if (key
.size() != kKeySizeInBytes
)
249 scoped_ptr
<crypto::HMAC
> new_engine(
250 new crypto::HMAC(crypto::HMAC::SHA256
));
251 if (!new_engine
->Init(key
))
253 engine_
.swap(new_engine
);
255 key_change_tick_
= GetCurrentTick();
259 static int get_verification_window_ticks() {
260 return InternalAuthVerification::get_verification_window_ticks();
263 // Returns tick bound to given passport on success or zero on failure.
264 int64
PreVerifyPassport(
265 const std::string
& passport
,
266 const std::string
& domain
,
267 int64 current_tick
) {
268 if (passport
.size() != kPassportSize
||
269 !base::IsStringASCII(passport
) ||
270 !IsDomainSane(domain
) ||
271 current_tick
<= dark_tick_
||
272 current_tick
> key_change_tick_
+ kKeyRegenerationHardTicks
||
278 // Passport consists of 2 parts: first hmac and then tick.
279 std::string tick_decimal
=
280 passport
.substr(BASE64_PER_RAW(kHMACSizeInBytes
));
281 DCHECK(tick_decimal
.size() == kTickStringLength
);
283 if (!base::StringToInt64(tick_decimal
, &tick
) ||
284 tick
<= dark_tick_
||
285 tick
> key_change_tick_
+ kKeyRegenerationHardTicks
||
286 tick
< current_tick
- get_verification_window_ticks() ||
287 std::binary_search(used_ticks_
.begin(), used_ticks_
.end(), tick
)) {
296 // We keep previous key in order to be able to verify passports during
297 // regeneration time. Keys are regenerated on a regular basis.
298 std::string old_key_
;
300 // Corresponding HMAC engines.
301 scoped_ptr
<crypto::HMAC
> engine_
;
302 scoped_ptr
<crypto::HMAC
> old_engine_
;
304 // Tick at a time of recent key regeneration.
305 int64 key_change_tick_
;
307 // Keeps track of ticks of successfully verified passports to prevent their
308 // reuse. Size of this container is kept reasonably low by purging outdated
310 std::deque
<int64
> used_ticks_
;
312 // Some ticks before |dark_tick_| were purged from |used_ticks_| container.
313 // That means that we must not trust any tick less than or equal to dark tick.
316 DISALLOW_COPY_AND_ASSIGN(InternalAuthVerificationService
);
319 } // namespace chrome
323 static base::LazyInstance
<chrome::InternalAuthVerificationService
>
324 g_verification_service
= LAZY_INSTANCE_INITIALIZER
;
325 static base::LazyInstance
<base::Lock
>::Leaky
326 g_verification_service_lock
= LAZY_INSTANCE_INITIALIZER
;
332 class InternalAuthGenerationService
: public base::ThreadChecker
{
334 InternalAuthGenerationService() : key_regeneration_tick_(0) {
338 void GenerateNewKey() {
339 DCHECK(CalledOnValidThread());
340 scoped_ptr
<crypto::HMAC
> new_engine(new crypto::HMAC(crypto::HMAC::SHA256
));
341 std::string key
= base::RandBytesAsString(kKeySizeInBytes
);
342 if (!new_engine
->Init(key
))
344 engine_
.swap(new_engine
);
345 key_regeneration_tick_
= GetCurrentTick();
346 g_verification_service
.Get().ChangeKey(key
);
347 std::fill(key
.begin(), key
.end(), 0);
350 // Returns zero on failure.
351 int64
GetUnusedTick(const std::string
& domain
) {
352 DCHECK(CalledOnValidThread());
353 if (engine_
== NULL
) {
357 if (!IsDomainSane(domain
))
360 int64 current_tick
= GetCurrentTick();
361 if (!used_ticks_
.empty() && used_ticks_
.back() > current_tick
)
362 current_tick
= used_ticks_
.back();
363 for (bool first_iteration
= true;; first_iteration
= false) {
364 if (current_tick
< key_regeneration_tick_
+ kKeyRegenerationHardTicks
)
366 if (!first_iteration
)
371 // Forget outdated ticks if any.
374 std::lower_bound(used_ticks_
.begin(), used_ticks_
.end(),
375 current_tick
- kGenerationWindowTicks
+ 1));
376 DCHECK(used_ticks_
.size() <= kGenerationWindowTicks
+ 0u);
377 if (used_ticks_
.size() >= kGenerationWindowTicks
+ 0u) {
378 // Average speed of GeneratePassport calls exceeds limit.
381 for (int64 tick
= current_tick
;
382 tick
> current_tick
- kGenerationWindowTicks
;
384 int idx
= static_cast<int>(used_ticks_
.size()) -
385 static_cast<int>(current_tick
- tick
+ 1);
386 if (idx
< 0 || used_ticks_
[idx
] != tick
) {
387 DCHECK(used_ticks_
.end() ==
388 std::find(used_ticks_
.begin(), used_ticks_
.end(), tick
));
396 std::string
GeneratePassport(
397 const std::string
& domain
, const VarValueMap
& map
, int64 tick
) {
398 DCHECK(CalledOnValidThread());
400 tick
= GetUnusedTick(domain
);
402 return std::string();
404 if (!IsVarValueMapSane(map
))
405 return std::string();
408 CreatePassport(domain
, map
, tick
, engine_
.get(), &result
);
410 std::lower_bound(used_ticks_
.begin(), used_ticks_
.end(), tick
), tick
);
415 static int get_verification_window_ticks() {
416 return InternalAuthVerification::get_verification_window_ticks();
419 scoped_ptr
<crypto::HMAC
> engine_
;
420 int64 key_regeneration_tick_
;
421 std::deque
<int64
> used_ticks_
;
423 DISALLOW_COPY_AND_ASSIGN(InternalAuthGenerationService
);
426 } // namespace chrome
430 static base::LazyInstance
<chrome::InternalAuthGenerationService
>
431 g_generation_service
= LAZY_INSTANCE_INITIALIZER
;
438 bool InternalAuthVerification::VerifyPassport(
439 const std::string
& passport
,
440 const std::string
& domain
,
441 const VarValueMap
& var_value_map
) {
442 base::AutoLock
alk(g_verification_service_lock
.Get());
443 return g_verification_service
.Get().VerifyPassport(
444 passport
, domain
, var_value_map
);
448 void InternalAuthVerification::ChangeKey(const std::string
& key
) {
449 base::AutoLock
alk(g_verification_service_lock
.Get());
450 g_verification_service
.Get().ChangeKey(key
);
454 int InternalAuthVerification::get_verification_window_ticks() {
455 int candidate
= kVerificationWindowTicks
;
456 if (verification_window_seconds_
> 0)
457 candidate
= verification_window_seconds_
*
458 base::Time::kMicrosecondsPerSecond
/ kTickUs
;
459 return std::max(1, std::min(candidate
, kVerificationWindowTicks
));
462 int InternalAuthVerification::verification_window_seconds_
= 0;
465 std::string
InternalAuthGeneration::GeneratePassport(
466 const std::string
& domain
, const VarValueMap
& var_value_map
) {
467 return g_generation_service
.Get().GeneratePassport(domain
, var_value_map
, 0);
471 void InternalAuthGeneration::GenerateNewKey() {
472 g_generation_service
.Get().GenerateNewKey();
475 } // namespace chrome