improve signing\n\nSignature timestamp is now handled in a saner way. Sha256 implementation is no longer pulled in contexts that don't require it.

5 files changed, 118 insertions, 61 deletions

diff --git a/background/main.js b/background/main.js
index 85f8ce8..2c8a87b 100644
--- a/background/main.js
+++ b/background/main.js
@@ -69,7 +69,7 @@ function on_headers_received(details)
 	    skip = true;
     }
 
-    headers = inject_csp_headers(details, headers, policy);
+    headers = inject_csp_headers(headers, policy);
 
     skip = skip || (details.statusCode >= 300 && details.statusCode < 400);
     if (!skip) {
diff --git a/background/policy_injector.js b/background/policy_injector.js
index 1d4db6f..72318d4 100644
--- a/background/policy_injector.js
+++ b/background/policy_injector.js
@@ -16,25 +16,27 @@
  * IMPORTS_END
  */
 
-function inject_csp_headers(details, headers, policy)
+function inject_csp_headers(headers, policy)
 {
-    const url = details.url;
-
-    let orig_csp_headers;
+    let csp_headers;
     let old_signature;
     let hachette_header;
 
     for (const header of headers.filter(h => h.name === "x-hachette")) {
-	const match = /^([^%])(%.*)$/.exec(header.value);
+	/* x-hachette header has format: <signature>_0_<data> */
+	const match = /^([^_]+)_(0_.*)$/.exec(header.value);
 	if (!match)
 	    continue;
 
-	const old_data = extract_signed(...match.splice(1, 2), [[0]]);
-	if (!old_data || old_data.url !== url)
+	const result = extract_signed(...match.slice(1, 3));
+	if (result.fail)
 	    continue;
 
+	/* This should succeed - it's our self-produced valid JSON. */
+	const old_data = JSON.parse(decodeURIComponent(result.data));
+
 	/* Confirmed- it's the originals, smuggled in! */
-	orig_csp_headers = old_data.csp_headers;
+	csp_headers = old_data.csp_headers;
 	old_signature = old_data.policy_sig;
 
 	hachette_header = header;
@@ -46,24 +48,23 @@ function inject_csp_headers(details, headers, policy)
 	headers.push(hachette_header);
     }
 
-    orig_csp_headers = orig_csp_headers ||
+    csp_headers = csp_headers ||
 	headers.filter(h => is_csp_header_name(h.name));
 
     /* When blocking remove report-only CSP headers that snitch on us. */
     headers = headers.filter(h => !is_csp_header_name(h.name, !policy.allow));
 
     if (old_signature)
-	headers = headers.filter(h => h.name.search(old_signature) === -1);
+	headers = headers.filter(h => h.value.search(old_signature) === -1);
 
-    const sanitizer = h => sanitize_csp_header(h, policy);
-    headers.push(...orig_csp_headers.map(sanitizer));
+    headers.push(...csp_headers.map(h => sanitize_csp_header(h, policy)));
 
     const policy_str = encodeURIComponent(JSON.stringify(policy));
-    const policy_sig = sign_data(policy_str, new Date());
+    const signed_policy = sign_data(policy_str, new Date().getTime());
     const later_30sec = new Date(new Date().getTime() + 30000).toGMTString();
     headers.push({
 	name: "Set-Cookie",
-	value: `hachette-${policy_sig}=${policy_str}; Expires=${later_30sec};`
+	value: `hachette-${signed_policy.join("=")}; Expires=${later_30sec};`
     });
 
     /*
@@ -71,9 +72,9 @@ function inject_csp_headers(details, headers, policy)
      * These are signed with a time of 0, as it's not clear there is a limit on
      * how long Firefox might retain headers in the cache.
      */
-    let hachette_data = {csp_headers: orig_csp_headers, policy_sig, url};
+    let hachette_data = {csp_headers, policy_sig: signed_policy[0]};
     hachette_data = encodeURIComponent(JSON.stringify(hachette_data));
-    hachette_header.value = sign_data(hachette_data, 0) + hachette_data;
+    hachette_header.value = sign_data(hachette_data, 0).join("_");
 
     /* To ensure there is a CSP header if required */
     if (!policy.allow)
diff --git a/common/misc.js b/common/misc.js
index 8894d60..d6b9662 100644
--- a/common/misc.js
+++ b/common/misc.js
@@ -8,9 +8,7 @@
 
 /*
  * IMPORTS_START
- * IMPORT sha256
  * IMPORT browser
- * IMPORT is_chrome
  * IMPORT TYPE_NAME
  * IMPORT TYPE_PREFIX
  * IMPORTS_END
@@ -45,32 +43,6 @@ function gen_nonce(length) // Default 16
     return Uint8toHex(randomData);
 }
 
-function get_secure_salt()
-{
-    if (is_chrome)
-	return browser.runtime.getManifest().key.substring(0, 50);
-    else
-	return browser.runtime.getURL("dummy");
-}
-
-function extract_signed(signature, data, times)
-{
-    const now = new Date();
-    times = times || [[now], [now, -1]];
-
-    const reductor =
-	  (ok, time) => ok || signature === sign_data(data, ...time);
-    if (!times.reduce(reductor, false))
-	return undefined;
-
-    try {
-	return JSON.parse(decodeURIComponent(data));
-    } catch (e) {
-	/* This should not be reached - it's our self-produced valid JSON. */
-	console.log("Unexpected internal error - invalid JSON smuggled!", e);
-    }
-}
-
 /* csp rule that blocks all scripts except for those injected by us */
 function csp_rule(nonce)
 {
@@ -89,7 +61,7 @@ const report_only_header_name = "content-security-policy-report-only";
 
 function is_csp_header_name(string, include_report_only)
 {
-    string = string && string.toLowerCase() || "";
+    string = string && string.toLowerCase().trim() || "";
 
     return (include_report_only && string === report_only_header_name) ||
 	csp_header_names.has(string);
@@ -118,12 +90,6 @@ function is_privileged_url(url)
     return !!/^(chrome(-extension)?|moz-extension):\/\/|^about:/i.exec(url);
 }
 
-/* Sign a given string for a given time */
-function sign_data(data, now, hours_offset) {
-    let time = Math.floor(now / 3600000) + (hours_offset || 0);
-    return sha256(get_secure_salt() + time + data);
-}
-
 /* Parse a CSP header */
 function parse_csp(csp) {
     let directive, directive_array;
@@ -193,8 +159,6 @@ const matchers = {
 /*
  * EXPORTS_START
  * EXPORT gen_nonce
- * EXPORT extract_signed
- * EXPORT sign_data
  * EXPORT csp_rule
  * EXPORT is_csp_header_name
  * EXPORT nice_name
diff --git a/common/signing.js b/common/signing.js
new file mode 100644
index 0000000..2171714
--- /dev/null
+++ b/common/signing.js
@@ -0,0 +1,73 @@
+/**
+ * part of Hachette
+ * Functions related to "signing" of data, refactored to a separate file.
+ *
+ * Copyright (C) 2021 Wojtek Kosior
+ * Redistribution terms are gathered in the `copyright' file.
+ */
+
+/*
+ * IMPORTS_START
+ * IMPORT sha256
+ * IMPORT browser
+ * IMPORT is_chrome
+ * IMPORTS_END
+ */
+
+/*
+ * In order to make certain data synchronously accessible in certain contexts,
+ * hachette smuggles it in string form in places like cookies, URLs and headers.
+ * When using the smuggled data, we first need to make sure it isn't spoofed.
+ * For that, we use this pseudo-signing mechanism.
+ *
+ * Despite what name suggests, no assymetric cryptography is involved, as it
+ * would bring no additional benefits and would incur bigger performance
+ * overhead. Instead, we hash the string data together with some secret value
+ * that is supposed to be known only by this browser instance. Resulting hash
+ * sum plays the role of the signature. In the hash we also include current
+ * time. This way, even if signed data leaks (which shouldn't happen in the
+ * first place), an attacker won't be able to re-use it indefinitely.
+ *
+ * The secret shared between execution contexts has to be available
+ * synchronously. Under Mozilla, this is the extension's per-session id. Under
+ * Chromium, this is the key that resides in the manifest.
+ *
+ * An idea to (under Chromium) instead store the secret in a file fetched
+ * synchronously using XMLHttpRequest is being considered.
+ */
+
+function get_secret()
+{
+    if (is_chrome)
+	return browser.runtime.getManifest().key.substring(0, 50);
+    else
+	return browser.runtime.getURL("dummy");
+}
+
+function extract_signed(signature, signed_data)
+{
+    const match = /^([1-9][0-9]{12}|0)_(.*)$/.exec(signed_data);
+    if (!match)
+	return {fail: "bad format"};
+
+    const result = {time: parseInt(match[1]), data: match[2]};
+    if (sign_data(result.data, result.time)[0] !== signature)
+	result.fail = "bad signature";
+
+    return result;
+}
+
+/*
+ * Sign a given string for a given time. Time should be either 0 or in the range
+ * 10^12 <= time < 10^13.
+ */
+function sign_data(data, time) {
+    return [sha256(get_secret() + time + data), `${time}_${data}`];
+}
+
+/*
+ * EXPORTS_START
+ * EXPORT extract_signed
+ * EXPORT sign_data
+ * EXPORTS_END
+ */
diff --git a/content/main.js b/content/main.js
index 4ae7738..984b3cb 100644
--- a/content/main.js
+++ b/content/main.js
@@ -32,17 +32,36 @@ function accept_node(node, parent)
 }
 
 if (!is_privileged_url(document.URL)) {
-    const reductor =
-	  (ac, [_, sig, pol]) => ac[0] && ac || [extract_signed(sig, pol), sig];
-    const matches = [...document.cookie.matchAll(/hachette-(\w*)=([^;]*)/g)];
-    let [policy, signature] = matches.reduce(reductor, []);
+    /* Signature valid for half an hour. */
+    const min_time = new Date().getTime() - 1800 * 1000;
+    let best_result = {time: -1};
+    let policy = null;
+    const extracted_signatures = [];
+    for (const match of document.cookie.matchAll(/hachette-(\w*)=([^;]*)/g)) {
+	const new_result = extract_signed(...match.slice(1, 3));
+	if (new_result.fail)
+	    continue;
 
-    if (!policy || policy.url !== document.URL) {
-	console.log("WARNING! Using default policy!!!");
+	extracted_signatures.push(match[1]);
+
+	if (new_result.time < Math.max(min_time, best_result.time))
+	    continue;
+
+	/* This should succeed - it's our self-produced valid JSON. */
+	const new_policy = JSON.parse(decodeURIComponent(new_result.data));
+	if (new_policy.url !== document.URL)
+	    continue;
+
+	best_result = new_result;
+	policy = new_policy;
+    }
+
+    if (!policy) {
+	console.warn("WARNING! Using default policy!!!");
 	policy = {allow: false, nonce: gen_nonce()};
     }
 
-    if (signature)
+    for (const signature of extracted_signatures)
 	document.cookie = `hachette-${signature}=; Max-Age=-1;`;
 
     handle_page_actions(policy.nonce);