1 /*
2 * Copyright (C) 2011 Google Inc. All rights reserved.
3 * Copyright (C) Research In Motion Limited 2011. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are
7 * met:
8 *
9 * * Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * * Redistributions in binary form must reproduce the above
12 * copyright notice, this list of conditions and the following disclaimer
13 * in the documentation and/or other materials provided with the
14 * distribution.
15 * * Neither the name of Google Inc. nor the names of its
16 * contributors may be used to endorse or promote products derived from
17 * this software without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
23 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
24 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
25 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 */
31
32 #include "config.h"
33
34 #include "modules/websockets/WebSocketHandshake.h"
35
36 #include "core/dom/Document.h"
37 #include "core/dom/ExecutionContext.h"
38 #include "core/inspector/ScriptCallStack.h"
39 #include "core/loader/CookieJar.h"
40 #include "modules/websockets/WebSocket.h"
41 #include "platform/Cookie.h"
42 #include "platform/Logging.h"
43 #include "platform/network/HTTPHeaderMap.h"
44 #include "platform/network/HTTPParsers.h"
45 #include "platform/weborigin/SecurityOrigin.h"
46 #include "public/platform/Platform.h"
47 #include "wtf/CryptographicallyRandomNumber.h"
48 #include "wtf/SHA1.h"
49 #include "wtf/StdLibExtras.h"
50 #include "wtf/StringExtras.h"
51 #include "wtf/Vector.h"
52 #include "wtf/text/Base64.h"
53 #include "wtf/text/CString.h"
54 #include "wtf/text/StringBuilder.h"
55 #include "wtf/unicode/CharacterNames.h"
56
57 namespace WebCore {
58
59 namespace {
60
61 // FIXME: The spec says that the Sec-WebSocket-Protocol header in a handshake
62 // response can't be null if the header in a request is not null.
63 // Some servers are not accustomed to the shutdown,
64 // so we provide an adhoc white-list for it tentatively.
65 const char* const missingProtocolWhiteList[] = {
66 "ica.citrix.com",
67 };
68
formatHandshakeFailureReason(const String & detail)69 String formatHandshakeFailureReason(const String& detail)
70 {
71 return "Error during WebSocket handshake: " + detail;
72 }
73
74 } // namespace
75
resourceName(const KURL & url)76 static String resourceName(const KURL& url)
77 {
78 StringBuilder name;
79 name.append(url.path());
80 if (name.isEmpty())
81 name.append('/');
82 if (!url.query().isNull()) {
83 name.append('?');
84 name.append(url.query());
85 }
86 String result = name.toString();
87 ASSERT(!result.isEmpty());
88 ASSERT(!result.contains(' '));
89 return result;
90 }
91
hostName(const KURL & url,bool secure)92 static String hostName(const KURL& url, bool secure)
93 {
94 ASSERT(url.protocolIs("wss") == secure);
95 StringBuilder builder;
96 builder.append(url.host().lower());
97 if (url.port() && ((!secure && url.port() != 80) || (secure && url.port() != 443))) {
98 builder.append(':');
99 builder.appendNumber(url.port());
100 }
101 return builder.toString();
102 }
103
104 static const size_t maxInputSampleSize = 128;
trimInputSample(const char * p,size_t len)105 static String trimInputSample(const char* p, size_t len)
106 {
107 String s = String(p, std::min<size_t>(len, maxInputSampleSize));
108 if (len > maxInputSampleSize)
109 s.append(horizontalEllipsis);
110 return s;
111 }
112
generateSecWebSocketKey()113 static String generateSecWebSocketKey()
114 {
115 static const size_t nonceSize = 16;
116 unsigned char key[nonceSize];
117 cryptographicallyRandomValues(key, nonceSize);
118 return base64Encode(reinterpret_cast<char*>(key), nonceSize);
119 }
120
getExpectedWebSocketAccept(const String & secWebSocketKey)121 String WebSocketHandshake::getExpectedWebSocketAccept(const String& secWebSocketKey)
122 {
123 static const char webSocketKeyGUID[] = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";
124 static const size_t sha1HashSize = 20; // FIXME: This should be defined in SHA1.h.
125 SHA1 sha1;
126 CString keyData = secWebSocketKey.ascii();
127 sha1.addBytes(reinterpret_cast<const uint8_t*>(keyData.data()), keyData.length());
128 sha1.addBytes(reinterpret_cast<const uint8_t*>(webSocketKeyGUID), strlen(webSocketKeyGUID));
129 Vector<uint8_t, sha1HashSize> hash;
130 sha1.computeHash(hash);
131 return base64Encode(reinterpret_cast<const char*>(hash.data()), sha1HashSize);
132 }
133
WebSocketHandshake(const KURL & url,const String & protocol,ExecutionContext * context)134 WebSocketHandshake::WebSocketHandshake(const KURL& url, const String& protocol, ExecutionContext* context)
135 : m_url(url)
136 , m_clientProtocol(protocol)
137 , m_secure(m_url.protocolIs("wss"))
138 , m_context(context)
139 , m_mode(Incomplete)
140 {
141 m_secWebSocketKey = generateSecWebSocketKey();
142 m_expectedAccept = getExpectedWebSocketAccept(m_secWebSocketKey);
143 }
144
~WebSocketHandshake()145 WebSocketHandshake::~WebSocketHandshake()
146 {
147 blink::Platform::current()->histogramEnumeration("WebCore.WebSocket.HandshakeResult", m_mode, WebSocketHandshake::ModeMax);
148 }
149
url() const150 const KURL& WebSocketHandshake::url() const
151 {
152 return m_url;
153 }
154
setURL(const KURL & url)155 void WebSocketHandshake::setURL(const KURL& url)
156 {
157 m_url = url.copy();
158 }
159
host() const160 const String WebSocketHandshake::host() const
161 {
162 return m_url.host().lower();
163 }
164
clientProtocol() const165 const String& WebSocketHandshake::clientProtocol() const
166 {
167 return m_clientProtocol;
168 }
169
setClientProtocol(const String & protocol)170 void WebSocketHandshake::setClientProtocol(const String& protocol)
171 {
172 m_clientProtocol = protocol;
173 }
174
secure() const175 bool WebSocketHandshake::secure() const
176 {
177 return m_secure;
178 }
179
clientOrigin() const180 String WebSocketHandshake::clientOrigin() const
181 {
182 return m_context->securityOrigin()->toString();
183 }
184
clientLocation() const185 String WebSocketHandshake::clientLocation() const
186 {
187 StringBuilder builder;
188 builder.append(m_secure ? "wss" : "ws");
189 builder.append("://");
190 builder.append(hostName(m_url, m_secure));
191 builder.append(resourceName(m_url));
192 return builder.toString();
193 }
194
clientHandshakeMessage() const195 CString WebSocketHandshake::clientHandshakeMessage() const
196 {
197 // Keep the following consistent with clientHandshakeRequest().
198 StringBuilder builder;
199
200 builder.append("GET ");
201 builder.append(resourceName(m_url));
202 builder.append(" HTTP/1.1\r\n");
203
204 Vector<String> fields;
205 fields.append("Upgrade: websocket");
206 fields.append("Connection: Upgrade");
207 fields.append("Host: " + hostName(m_url, m_secure));
208 fields.append("Origin: " + clientOrigin());
209 if (!m_clientProtocol.isEmpty())
210 fields.append("Sec-WebSocket-Protocol: " + m_clientProtocol);
211
212 KURL url = httpURLForAuthenticationAndCookies();
213 if (m_context->isDocument()) {
214 Document* document = toDocument(m_context);
215 String cookie = cookieRequestHeaderFieldValue(document, url);
216 if (!cookie.isEmpty())
217 fields.append("Cookie: " + cookie);
218 // Set "Cookie2: <cookie>" if cookies 2 exists for url?
219 }
220
221 // Add no-cache headers to avoid compatibility issue.
222 // There are some proxies that rewrite "Connection: upgrade"
223 // to "Connection: close" in the response if a request doesn't contain
224 // these headers.
225 fields.append("Pragma: no-cache");
226 fields.append("Cache-Control: no-cache");
227
228 fields.append("Sec-WebSocket-Key: " + m_secWebSocketKey);
229 fields.append("Sec-WebSocket-Version: 13");
230 const String extensionValue = m_extensionDispatcher.createHeaderValue();
231 if (extensionValue.length())
232 fields.append("Sec-WebSocket-Extensions: " + extensionValue);
233
234 // Add a User-Agent header.
235 fields.append("User-Agent: " + m_context->userAgent(m_context->url()));
236
237 // Fields in the handshake are sent by the client in a random order; the
238 // order is not meaningful. Thus, it's ok to send the order we constructed
239 // the fields.
240
241 for (size_t i = 0; i < fields.size(); i++) {
242 builder.append(fields[i]);
243 builder.append("\r\n");
244 }
245
246 builder.append("\r\n");
247
248 return builder.toString().utf8();
249 }
250
clientHandshakeRequest() const251 PassRefPtr<WebSocketHandshakeRequest> WebSocketHandshake::clientHandshakeRequest() const
252 {
253 // Keep the following consistent with clientHandshakeMessage().
254 // FIXME: do we need to store m_secWebSocketKey1, m_secWebSocketKey2 and
255 // m_key3 in WebSocketHandshakeRequest?
256 RefPtr<WebSocketHandshakeRequest> request = WebSocketHandshakeRequest::create("GET", m_url);
257 request->addHeaderField("Upgrade", "websocket");
258 request->addHeaderField("Connection", "Upgrade");
259 request->addHeaderField("Host", hostName(m_url, m_secure));
260 request->addHeaderField("Origin", clientOrigin());
261 if (!m_clientProtocol.isEmpty())
262 request->addHeaderField("Sec-WebSocket-Protocol", m_clientProtocol);
263
264 KURL url = httpURLForAuthenticationAndCookies();
265 if (m_context->isDocument()) {
266 Document* document = toDocument(m_context);
267 String cookie = cookieRequestHeaderFieldValue(document, url);
268 if (!cookie.isEmpty())
269 request->addHeaderField("Cookie", cookie);
270 // Set "Cookie2: <cookie>" if cookies 2 exists for url?
271 }
272
273 request->addHeaderField("Pragma", "no-cache");
274 request->addHeaderField("Cache-Control", "no-cache");
275
276 request->addHeaderField("Sec-WebSocket-Key", m_secWebSocketKey);
277 request->addHeaderField("Sec-WebSocket-Version", "13");
278 const String extensionValue = m_extensionDispatcher.createHeaderValue();
279 if (extensionValue.length())
280 request->addHeaderField("Sec-WebSocket-Extensions", extensionValue);
281
282 // Add a User-Agent header.
283 request->addHeaderField("User-Agent", m_context->userAgent(m_context->url()));
284
285 return request.release();
286 }
287
reset()288 void WebSocketHandshake::reset()
289 {
290 m_mode = Incomplete;
291 m_extensionDispatcher.reset();
292 }
293
clearExecutionContext()294 void WebSocketHandshake::clearExecutionContext()
295 {
296 m_context = 0;
297 }
298
readServerHandshake(const char * header,size_t len)299 int WebSocketHandshake::readServerHandshake(const char* header, size_t len)
300 {
301 m_mode = Incomplete;
302 int statusCode;
303 String statusText;
304 int lineLength = readStatusLine(header, len, statusCode, statusText);
305 if (lineLength == -1)
306 return -1;
307 if (statusCode == -1) {
308 m_mode = Failed; // m_failureReason is set inside readStatusLine().
309 return len;
310 }
311 WTF_LOG(Network, "WebSocketHandshake %p readServerHandshake() Status code is %d", this, statusCode);
312 m_response.setStatusCode(statusCode);
313 m_response.setStatusText(statusText);
314 if (statusCode != 101) {
315 m_mode = Failed;
316 m_failureReason = formatHandshakeFailureReason("Unexpected response code: " + String::number(statusCode));
317 return len;
318 }
319 m_mode = Normal;
320 if (!strnstr(header, "\r\n\r\n", len)) {
321 // Just hasn't been received fully yet.
322 m_mode = Incomplete;
323 return -1;
324 }
325 const char* p = readHTTPHeaders(header + lineLength, header + len);
326 if (!p) {
327 WTF_LOG(Network, "WebSocketHandshake %p readServerHandshake() readHTTPHeaders() failed", this);
328 m_mode = Failed; // m_failureReason is set inside readHTTPHeaders().
329 return len;
330 }
331 if (!checkResponseHeaders()) {
332 WTF_LOG(Network, "WebSocketHandshake %p readServerHandshake() checkResponseHeaders() failed", this);
333 m_mode = Failed;
334 return p - header;
335 }
336
337 m_mode = Connected;
338 return p - header;
339 }
340
mode() const341 WebSocketHandshake::Mode WebSocketHandshake::mode() const
342 {
343 return m_mode;
344 }
345
failureReason() const346 String WebSocketHandshake::failureReason() const
347 {
348 return m_failureReason;
349 }
350
serverWebSocketProtocol() const351 const AtomicString& WebSocketHandshake::serverWebSocketProtocol() const
352 {
353 return m_response.headerFields().get("sec-websocket-protocol");
354 }
355
serverSetCookie() const356 const AtomicString& WebSocketHandshake::serverSetCookie() const
357 {
358 return m_response.headerFields().get("set-cookie");
359 }
360
serverSetCookie2() const361 const AtomicString& WebSocketHandshake::serverSetCookie2() const
362 {
363 return m_response.headerFields().get("set-cookie2");
364 }
365
serverUpgrade() const366 const AtomicString& WebSocketHandshake::serverUpgrade() const
367 {
368 return m_response.headerFields().get("upgrade");
369 }
370
serverConnection() const371 const AtomicString& WebSocketHandshake::serverConnection() const
372 {
373 return m_response.headerFields().get("connection");
374 }
375
serverWebSocketAccept() const376 const AtomicString& WebSocketHandshake::serverWebSocketAccept() const
377 {
378 return m_response.headerFields().get("sec-websocket-accept");
379 }
380
acceptedExtensions() const381 String WebSocketHandshake::acceptedExtensions() const
382 {
383 return m_extensionDispatcher.acceptedExtensions();
384 }
385
serverHandshakeResponse() const386 const WebSocketHandshakeResponse& WebSocketHandshake::serverHandshakeResponse() const
387 {
388 return m_response;
389 }
390
addExtensionProcessor(PassOwnPtr<WebSocketExtensionProcessor> processor)391 void WebSocketHandshake::addExtensionProcessor(PassOwnPtr<WebSocketExtensionProcessor> processor)
392 {
393 m_extensionDispatcher.addProcessor(processor);
394 }
395
httpURLForAuthenticationAndCookies() const396 KURL WebSocketHandshake::httpURLForAuthenticationAndCookies() const
397 {
398 KURL url = m_url.copy();
399 bool couldSetProtocol = url.setProtocol(m_secure ? "https" : "http");
400 ASSERT_UNUSED(couldSetProtocol, couldSetProtocol);
401 return url;
402 }
403
404 // Returns the header length (including "\r\n"), or -1 if we have not received enough data yet.
405 // If the line is malformed or the status code is not a 3-digit number,
406 // statusCode and statusText will be set to -1 and a null string, respectively.
readStatusLine(const char * header,size_t headerLength,int & statusCode,String & statusText)407 int WebSocketHandshake::readStatusLine(const char* header, size_t headerLength, int& statusCode, String& statusText)
408 {
409 // Arbitrary size limit to prevent the server from sending an unbounded
410 // amount of data with no newlines and forcing us to buffer it all.
411 static const int maximumLength = 1024;
412
413 statusCode = -1;
414 statusText = String();
415
416 const char* space1 = 0;
417 const char* space2 = 0;
418 const char* p;
419 size_t consumedLength;
420
421 for (p = header, consumedLength = 0; consumedLength < headerLength; p++, consumedLength++) {
422 if (*p == ' ') {
423 if (!space1)
424 space1 = p;
425 else if (!space2)
426 space2 = p;
427 } else if (*p == '\0') {
428 // The caller isn't prepared to deal with null bytes in status
429 // line. WebSockets specification doesn't prohibit this, but HTTP
430 // does, so we'll just treat this as an error.
431 m_failureReason = formatHandshakeFailureReason("Status line contains embedded null");
432 return p + 1 - header;
433 } else if (*p == '\n') {
434 break;
435 }
436 }
437 if (consumedLength == headerLength)
438 return -1; // We have not received '\n' yet.
439
440 const char* end = p + 1;
441 int lineLength = end - header;
442 if (lineLength > maximumLength) {
443 m_failureReason = formatHandshakeFailureReason("Status line is too long");
444 return maximumLength;
445 }
446
447 // The line must end with "\r\n".
448 if (lineLength < 2 || *(end - 2) != '\r') {
449 m_failureReason = formatHandshakeFailureReason("Status line does not end with CRLF");
450 return lineLength;
451 }
452
453 if (!space1 || !space2) {
454 m_failureReason = formatHandshakeFailureReason("No response code found in status line: " + trimInputSample(header, lineLength - 2));
455 return lineLength;
456 }
457
458 String statusCodeString(space1 + 1, space2 - space1 - 1);
459 if (statusCodeString.length() != 3) // Status code must consist of three digits.
460 return lineLength;
461 for (int i = 0; i < 3; ++i) {
462 if (statusCodeString[i] < '0' || statusCodeString[i] > '9') {
463 m_failureReason = formatHandshakeFailureReason("Invalid status code: " + statusCodeString);
464 return lineLength;
465 }
466 }
467
468 bool ok = false;
469 statusCode = statusCodeString.toInt(&ok);
470 ASSERT(ok);
471
472 statusText = String(space2 + 1, end - space2 - 3); // Exclude "\r\n".
473 return lineLength;
474 }
475
readHTTPHeaders(const char * start,const char * end)476 const char* WebSocketHandshake::readHTTPHeaders(const char* start, const char* end)
477 {
478 m_response.clearHeaderFields();
479
480 AtomicString name;
481 AtomicString value;
482 bool sawSecWebSocketAcceptHeaderField = false;
483 bool sawSecWebSocketProtocolHeaderField = false;
484 const char* p = start;
485 for (; p < end; p++) {
486 size_t consumedLength = parseHTTPHeader(p, end - p, m_failureReason, name, value);
487 if (!consumedLength)
488 return 0;
489 p += consumedLength;
490
491 // Stop once we consumed an empty line.
492 if (name.isEmpty())
493 break;
494
495 // Sec-WebSocket-Extensions may be split. We parse and check the
496 // header value every time the header appears.
497 if (equalIgnoringCase("Sec-WebSocket-Extensions", name)) {
498 if (!m_extensionDispatcher.processHeaderValue(value)) {
499 m_failureReason = formatHandshakeFailureReason(m_extensionDispatcher.failureReason());
500 return 0;
501 }
502 } else if (equalIgnoringCase("Sec-WebSocket-Accept", name)) {
503 if (sawSecWebSocketAcceptHeaderField) {
504 m_failureReason = formatHandshakeFailureReason("'Sec-WebSocket-Accept' header must not appear more than once in a response");
505 return 0;
506 }
507 m_response.addHeaderField(name, value);
508 sawSecWebSocketAcceptHeaderField = true;
509 } else if (equalIgnoringCase("Sec-WebSocket-Protocol", name)) {
510 if (sawSecWebSocketProtocolHeaderField) {
511 m_failureReason = formatHandshakeFailureReason("'Sec-WebSocket-Protocol' header must not appear more than once in a response");
512 return 0;
513 }
514 m_response.addHeaderField(name, value);
515 sawSecWebSocketProtocolHeaderField = true;
516 } else {
517 m_response.addHeaderField(name, value);
518 }
519 }
520
521 String extensions = m_extensionDispatcher.acceptedExtensions();
522 if (!extensions.isEmpty())
523 m_response.addHeaderField("Sec-WebSocket-Extensions", extensions);
524 return p;
525 }
526
checkResponseHeaders()527 bool WebSocketHandshake::checkResponseHeaders()
528 {
529 const AtomicString& serverWebSocketProtocol = this->serverWebSocketProtocol();
530 const AtomicString& serverUpgrade = this->serverUpgrade();
531 const AtomicString& serverConnection = this->serverConnection();
532 const AtomicString& serverWebSocketAccept = this->serverWebSocketAccept();
533
534 if (serverUpgrade.isNull()) {
535 m_failureReason = formatHandshakeFailureReason("'Upgrade' header is missing");
536 return false;
537 }
538 if (serverConnection.isNull()) {
539 m_failureReason = formatHandshakeFailureReason("'Connection' header is missing");
540 return false;
541 }
542 if (serverWebSocketAccept.isNull()) {
543 m_failureReason = formatHandshakeFailureReason("'Sec-WebSocket-Accept' header is missing");
544 return false;
545 }
546
547 if (!equalIgnoringCase(serverUpgrade, "websocket")) {
548 m_failureReason = formatHandshakeFailureReason("'Upgrade' header value is not 'WebSocket': " + serverUpgrade);
549 return false;
550 }
551 if (!equalIgnoringCase(serverConnection, "upgrade")) {
552 m_failureReason = formatHandshakeFailureReason("'Connection' header value is not 'Upgrade': " + serverConnection);
553 return false;
554 }
555
556 if (serverWebSocketAccept != m_expectedAccept) {
557 m_failureReason = formatHandshakeFailureReason("Incorrect 'Sec-WebSocket-Accept' header value");
558 return false;
559 }
560 if (!serverWebSocketProtocol.isNull()) {
561 if (m_clientProtocol.isEmpty()) {
562 m_failureReason = formatHandshakeFailureReason("Response must not include 'Sec-WebSocket-Protocol' header if not present in request: " + serverWebSocketProtocol);
563 return false;
564 }
565 Vector<String> result;
566 m_clientProtocol.split(String(WebSocket::subProtocolSeperator()), result);
567 if (!result.contains(serverWebSocketProtocol)) {
568 m_failureReason = formatHandshakeFailureReason("'Sec-WebSocket-Protocol' header value '" + serverWebSocketProtocol + "' in response does not match any of sent values");
569 return false;
570 }
571 } else if (!m_clientProtocol.isEmpty()) {
572 // FIXME: Some servers are not accustomed to this failure, so we provide an adhoc white-list for it tentatively.
573 Vector<String> protocols;
574 m_clientProtocol.split(String(WebSocket::subProtocolSeperator()), protocols);
575 bool match = false;
576 for (size_t i = 0; i < protocols.size() && !match; ++i) {
577 for (size_t j = 0; j < WTF_ARRAY_LENGTH(missingProtocolWhiteList) && !match; ++j) {
578 if (protocols[i] == missingProtocolWhiteList[j])
579 match = true;
580 }
581 }
582 if (!match) {
583 m_failureReason = formatHandshakeFailureReason("Sent non-empty 'Sec-WebSocket-Protocol' header but no response was received");
584 return false;
585 }
586 }
587 return true;
588 }
589
590 } // namespace WebCore
591