blob: 788f6f4634ca999cdf51c12e3460d96cf1df133a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
|
// Copyright 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "storage/browser/quota/padding_key.h"
#include <cstdint>
#include <vector>
#include "base/no_destructor.h"
#include "crypto/hmac.h"
#include "net/http/http_request_headers.h"
using crypto::SymmetricKey;
namespace storage {
namespace {
const SymmetricKey::Algorithm kPaddingKeyAlgorithm = SymmetricKey::AES;
// The range of the padding added to response sizes for opaque resources.
// Increment the CacheStorage padding version if changed.
constexpr uint64_t kPaddingRange = 14431 * 1024;
std::unique_ptr<SymmetricKey>* GetPaddingKeyInternal() {
static base::NoDestructor<std::unique_ptr<SymmetricKey>> s_padding_key([] {
return SymmetricKey::GenerateRandomKey(kPaddingKeyAlgorithm, 128);
}());
return s_padding_key.get();
}
} // namespace
const SymmetricKey* GetDefaultPaddingKey() {
return GetPaddingKeyInternal()->get();
}
std::unique_ptr<SymmetricKey> CopyDefaultPaddingKey() {
return SymmetricKey::Import(kPaddingKeyAlgorithm,
(*GetPaddingKeyInternal())->key());
}
std::unique_ptr<SymmetricKey> DeserializePaddingKey(
const std::string& raw_key) {
return SymmetricKey::Import(kPaddingKeyAlgorithm, raw_key);
}
std::string SerializeDefaultPaddingKey() {
return (*GetPaddingKeyInternal())->key();
}
void ResetPaddingKeyForTesting() {
*GetPaddingKeyInternal() =
SymmetricKey::GenerateRandomKey(kPaddingKeyAlgorithm, 128);
}
int64_t ComputeResponsePadding(const std::string& response_url,
const crypto::SymmetricKey* padding_key,
bool has_metadata,
bool loaded_with_credentials,
const std::string& request_method) {
DCHECK(!response_url.empty());
crypto::HMAC hmac(crypto::HMAC::SHA256);
CHECK(hmac.Init(padding_key));
std::string key = response_url;
if (has_metadata)
key += "METADATA";
if (loaded_with_credentials)
key += "CREDENTIALED";
// It should only be possible to have a CORS safelisted method here since
// the spec does not permit other methods for no-cors requests.
DCHECK(request_method == net::HttpRequestHeaders::kGetMethod ||
request_method == net::HttpRequestHeaders::kHeadMethod ||
request_method == net::HttpRequestHeaders::kPostMethod);
key += request_method;
uint64_t digest_start;
CHECK(hmac.Sign(key, reinterpret_cast<uint8_t*>(&digest_start),
sizeof(digest_start)));
return digest_start % kPaddingRange;
}
} // namespace storage
|