Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-08-13 17:35:36 +01:00
Code Issues Projects Releases Packages Wiki Activity

Auto merge of #11115 - mbrubeck:openssl-verify, r=jdm

Browse source 
Use openssl-verify to check certificate + hostname

Fixes #4954.  r? @jdm

This is based on hyperium/hyper#472, though it doesn't re-use that code directly because Servo configures its own OpenSSL context.

<!-- Reviewable:start -->
---
This change is [<img src="https://reviewable.io/review_button.svg" height="35" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/11115)
<!-- Reviewable:end -->
This commit is contained in:
bors-servo 2016-05-10 15:00:48 -07:00
commit 40be84df26
9 changed files with 94 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

1
components/net/Cargo.toml
View file

@ -28,6 +28,7 @@ matches = "0.1"
mime = "0.2.0" mime = "0.2.0"
mime_guess = "1.6.0" mime_guess = "1.6.0"
openssl = "0.7.6" openssl = "0.7.6"
openssl-verify = "0.1"
rustc-serialize = "0.3" rustc-serialize = "0.3"
threadpool = "1.0" threadpool = "1.0"
time = "0.1.17" time = "0.1.17"

58
components/net/connector.rs Normal file
View file

@ -0,0 +1,58 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
use hyper::client::Pool;
use hyper::net::{HttpStream, HttpsConnector, SslClient};
use openssl::ssl::{SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3, SSL_VERIFY_PEER};
use openssl::ssl::{Ssl, SslContext, SslMethod, SslStream};
use std::sync::Arc;
use util::resource_files::resources_dir_path;
pub type Connector = HttpsConnector<ServoSslClient>;
// The basic logic here is to prefer ciphers with ECDSA certificates, Forward
// Secrecy, AES GCM ciphers, AES ciphers, and finally 3DES ciphers.
// A complete discussion of the issues involved in TLS configuration can be found here:
// https://wiki.mozilla.org/Security/Server_Side_TLS
const DEFAULT_CIPHERS: &'static str = concat!(
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:",
"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:",
"DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:",
"ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:",
"ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:",
"ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:",
"DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:",
"ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:",
"AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
);
pub fn create_http_connector() -> Arc<Pool<Connector>> {
let mut context = SslContext::new(SslMethod::Sslv23).unwrap();
context.set_CA_file(&resources_dir_path().join("certs")).unwrap();
context.set_cipher_list(DEFAULT_CIPHERS).unwrap();
context.set_options(SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3);
let connector = HttpsConnector::new(ServoSslClient {
context: Arc::new(context)
});
Arc::new(Pool::with_connector(Default::default(), connector))
}
pub struct ServoSslClient {
context: Arc<SslContext>,
}
impl SslClient for ServoSslClient {
type Stream = SslStream<HttpStream>;
fn wrap_client(&self, stream: HttpStream, host: &str) -> Result<Self::Stream, ::hyper::Error> {
let mut ssl = try!(Ssl::new(&self.context));
try!(ssl.set_hostname(host));
let host = host.to_owned();
ssl.set_verify_callback(SSL_VERIFY_PEER, move |p, x| {
::openssl_verify::verify_callback(&host, p, x)
});
SslStream::connect(ssl, stream).map_err(From::from)
}
}

3
components/net/fetch/methods.rs
View file

@ -2,9 +2,10 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this * License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
use connector::create_http_connector;
use data_loader::decode; use data_loader::decode;
use fetch::cors_cache::CORSCache; use fetch::cors_cache::CORSCache;
use http_loader::{NetworkHttpRequestFactory, create_http_connector, obtain_response}; use http_loader::{NetworkHttpRequestFactory, obtain_response};
use hyper::header::{Accept, AcceptLanguage, Authorization, AccessControlAllowCredentials}; use hyper::header::{Accept, AcceptLanguage, Authorization, AccessControlAllowCredentials};
use hyper::header::{AccessControlAllowOrigin, AccessControlAllowHeaders, AccessControlAllowMethods}; use hyper::header::{AccessControlAllowOrigin, AccessControlAllowHeaders, AccessControlAllowMethods};
use hyper::header::{AccessControlRequestHeaders, AccessControlMaxAge, AccessControlRequestMethod, Basic}; use hyper::header::{AccessControlRequestHeaders, AccessControlMaxAge, AccessControlRequestMethod, Basic};

36
components/net/http_loader.rs
View file

@ -4,6 +4,7 @@
use brotli::Decompressor; use brotli::Decompressor;
use connector::Connector;
use cookie; use cookie;
use cookie_storage::CookieStorage; use cookie_storage::CookieStorage;
use devtools_traits::{ChromeToDevtoolsControlMsg, DevtoolsControlMsg, HttpRequest as DevtoolsHttpRequest}; use devtools_traits::{ChromeToDevtoolsControlMsg, DevtoolsControlMsg, HttpRequest as DevtoolsHttpRequest};
@ -19,7 +20,7 @@ use hyper::header::{Location, SetCookie, StrictTransportSecurity, UserAgent, qit
use hyper::http::RawStatus; use hyper::http::RawStatus;
use hyper::method::Method; use hyper::method::Method;
use hyper::mime::{Mime, SubLevel, TopLevel}; use hyper::mime::{Mime, SubLevel, TopLevel};
use hyper::net::{Fresh, HttpsConnector, Openssl}; use hyper::net::Fresh;
use hyper::status::{StatusClass, StatusCode}; use hyper::status::{StatusClass, StatusCode};
use log; use log;
use mime_classifier::MIMEClassifier; use mime_classifier::MIMEClassifier;
@ -30,7 +31,6 @@ use net_traits::response::HttpsState;
use net_traits::{CookieSource, IncludeSubdomains, LoadConsumer, LoadContext, LoadData}; use net_traits::{CookieSource, IncludeSubdomains, LoadConsumer, LoadContext, LoadData};
use net_traits::{Metadata, NetworkError}; use net_traits::{Metadata, NetworkError};
use openssl::ssl::error::{SslError, OpensslError}; use openssl::ssl::error::{SslError, OpensslError};
use openssl::ssl::{SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3, SSL_VERIFY_PEER, SslContext, SslMethod};
use resource_thread::{CancellationListener, send_error, start_sending_sniffed_opt, AuthCache, AuthCacheEntry}; use resource_thread::{CancellationListener, send_error, start_sending_sniffed_opt, AuthCache, AuthCacheEntry};
use std::borrow::ToOwned; use std::borrow::ToOwned;
use std::boxed::FnBox; use std::boxed::FnBox;
@ -46,41 +46,9 @@ use time::Tm;
use tinyfiledialogs; use tinyfiledialogs;
use url::{Url, Position}; use url::{Url, Position};
use util::prefs; use util::prefs;
use util::resource_files::resources_dir_path;
use util::thread::spawn_named; use util::thread::spawn_named;
use uuid; use uuid;
pub type Connector = HttpsConnector<Openssl>;
// The basic logic here is to prefer ciphers with ECDSA certificates, Forward
// Secrecy, AES GCM ciphers, AES ciphers, and finally 3DES ciphers.
// A complete discussion of the issues involved in TLS configuration can be found here:
// https://wiki.mozilla.org/Security/Server_Side_TLS
const DEFAULT_CIPHERS: &'static str = concat!(
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:",
"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:",
"DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:",
"ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:",
"ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:",
"ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:",
"DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:",
"ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:",
"AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
);
pub fn create_http_connector() -> Arc<Pool<Connector>> {
let mut context = SslContext::new(SslMethod::Sslv23).unwrap();
context.set_verify(SSL_VERIFY_PEER, None);
context.set_CA_file(&resources_dir_path().join("certs")).unwrap();
context.set_cipher_list(DEFAULT_CIPHERS).unwrap();
context.set_options(SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3);
let connector = HttpsConnector::new(Openssl {
context: Arc::new(context)
});
Arc::new(Pool::with_connector(Default::default(), connector))
}
pub fn factory(user_agent: String, pub fn factory(user_agent: String,
http_state: HttpState, http_state: HttpState,
devtools_chan: Option<Sender<DevtoolsControlMsg>>, devtools_chan: Option<Sender<DevtoolsControlMsg>>,

2
components/net/lib.rs
View file

@ -29,6 +29,7 @@ extern crate mime_guess;
extern crate msg; extern crate msg;
extern crate net_traits; extern crate net_traits;
extern crate openssl; extern crate openssl;
extern crate openssl_verify;
extern crate rustc_serialize; extern crate rustc_serialize;
extern crate threadpool; extern crate threadpool;
extern crate time; extern crate time;
@ -44,6 +45,7 @@ extern crate websocket;
pub mod about_loader; pub mod about_loader;
pub mod bluetooth_thread; pub mod bluetooth_thread;
pub mod chrome_loader; pub mod chrome_loader;
pub mod connector;
pub mod cookie; pub mod cookie;
pub mod cookie_storage; pub mod cookie_storage;
pub mod data_loader; pub mod data_loader;

3
components/net/resource_thread.rs
View file

@ -5,13 +5,14 @@
//! A thread that takes a URL and streams back the binary data. //! A thread that takes a URL and streams back the binary data.
use about_loader; use about_loader;
use chrome_loader; use chrome_loader;
use connector::{Connector, create_http_connector};
use cookie; use cookie;
use cookie_storage::CookieStorage; use cookie_storage::CookieStorage;
use data_loader; use data_loader;
use devtools_traits::{DevtoolsControlMsg}; use devtools_traits::{DevtoolsControlMsg};
use file_loader; use file_loader;
use hsts::HstsList; use hsts::HstsList;
use http_loader::{self, Connector, create_http_connector, HttpState}; use http_loader::{self, HttpState};
use hyper::client::pool::Pool; use hyper::client::pool::Pool;
use hyper::header::{ContentType, Header, SetCookie}; use hyper::header::{ContentType, Header, SetCookie};
use hyper::mime::{Mime, SubLevel, TopLevel}; use hyper::mime::{Mime, SubLevel, TopLevel};

9
components/servo/Cargo.lock generated
View file

@ -1346,6 +1346,7 @@ dependencies = [
"msg 0.0.1", "msg 0.0.1",
"net_traits 0.0.1", "net_traits 0.0.1",
"openssl 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)", "openssl 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
"openssl-verify 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
"plugins 0.0.1", "plugins 0.0.1",
"rustc-serialize 0.3.19 (registry+https://github.com/rust-lang/crates.io-index)", "rustc-serialize 0.3.19 (registry+https://github.com/rust-lang/crates.io-index)",
"threadpool 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)", "threadpool 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)",
@ -1581,6 +1582,14 @@ dependencies = [
"openssl-sys 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)", "openssl-sys 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
] ]
[[package]]
name = "openssl-verify"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"openssl 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]] [[package]]
name = "osmesa-sys" name = "osmesa-sys"
version = "0.0.5" version = "0.0.5"

9
ports/cef/Cargo.lock generated
View file

@ -1260,6 +1260,7 @@ dependencies = [
"msg 0.0.1", "msg 0.0.1",
"net_traits 0.0.1", "net_traits 0.0.1",
"openssl 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)", "openssl 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
"openssl-verify 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
"plugins 0.0.1", "plugins 0.0.1",
"rustc-serialize 0.3.19 (registry+https://github.com/rust-lang/crates.io-index)", "rustc-serialize 0.3.19 (registry+https://github.com/rust-lang/crates.io-index)",
"threadpool 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)", "threadpool 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)",
@ -1469,6 +1470,14 @@ dependencies = [
"openssl-sys 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)", "openssl-sys 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
] ]
[[package]]
name = "openssl-verify"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"openssl 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]] [[package]]
name = "osmesa-sys" name = "osmesa-sys"
version = "0.0.5" version = "0.0.5"

9
ports/gonk/Cargo.lock generated
View file

@ -1243,6 +1243,7 @@ dependencies = [
"msg 0.0.1", "msg 0.0.1",
"net_traits 0.0.1", "net_traits 0.0.1",
"openssl 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)", "openssl 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
"openssl-verify 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
"plugins 0.0.1", "plugins 0.0.1",
"rustc-serialize 0.3.19 (registry+https://github.com/rust-lang/crates.io-index)", "rustc-serialize 0.3.19 (registry+https://github.com/rust-lang/crates.io-index)",
"threadpool 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)", "threadpool 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)",
@ -1452,6 +1453,14 @@ dependencies = [
"openssl-sys 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)", "openssl-sys 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
] ]
[[package]]
name = "openssl-verify"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"openssl 0.7.11 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]] [[package]]
name = "osmesa-sys" name = "osmesa-sys"
version = "0.0.5" version = "0.0.5"