Auto merge of #25736 - Darkspirit:ossl, r=jdm

Add OpenSSL 1.1.1 build check, Update HSTS Preload list

* This variant also works with cross-compilation. PR should fail in CI on Android at first:
  The net crate successfully compiled after switching to OpenSSL 1.1.1 on Android. It seemed openssl.sh doesn't need any changes.(?)
* Updated HSTS preload list and public suffix list.
* Configured OpenSSL [SECLEVEL=2](https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html) like [Debian](https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1) Stable:
  > As a result RSA, DSA and DH keys shorter than [2048 bits](16a5a9bb78/docs/BR.md (6153-subscriber-certificates)) and ECC keys shorter than 224 bits are prohibited.
* Although all other crates compile I generally get a `libscript-fe019dd3e0a4e06d.rlib: bad extended name index at 8` error on simpleservo_jniapi, I guess Debian Testing is too new and I just haven't found the right steps so far.
./mach build -d --android
```
  = note: /home/darkspirit/github/servo/android-toolchains/ndk/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/lib/gcc/arm-linux-androideabi/4.9.x/../../../../arm-linux-androideabi/bin/ld.gold: error: /home/darkspirit/github/servo/target/android/armv7-linux-androideabi/debug/deps/libscript-fe019dd3e0a4e06d.rlib: bad extended name index at 8
          clang: error: linker command failed with exit code 1 (use -v to see invocation)
          toolchain: /home/darkspirit/github/servo/android-toolchains/ndk/toolchains/llvm/prebuilt/linux-x86_64/bin
          libs dir: /home/darkspirit/github/servo/android-toolchains/ndk/sources/cxx-stl/llvm-libc++/libs/armeabi-v7a
          sysroot: /home/darkspirit/github/servo/android-toolchains/ndk/platforms/android-21/arch-arm
          targetdir: /home/darkspirit/github/servo/target/android/armv7-linux-androideabi/debug/build/simpleservo_jniapi-26ef18debb5b3630/out/../../..
```

- [x] `./mach build -d` does not report any errors
- [x] `./mach test-tidy` does not report any errors
- [x] These changes fix #25708, fix #25619.

Cargo.lock

@@ -3664,6 +3664,7 @@ dependencies = [
  "msg",
  "net_traits",
  "openssl",
+ "openssl-sys",
  "percent-encoding",
  "pixels",
  "profile_traits",

components/net/Cargo.toml

@@ -6,6 +6,7 @@ license = "MPL-2.0"
 edition = "2018"
 publish = false
 autotests = false  # Inhibit lookup for tests/*.rs without [[test]] sections
+build = "build.rs"
 
 [lib]
 name = "net"
@@ -43,6 +44,7 @@ mime_guess = "2.0.0-alpha.6"
 msg = {path = "../msg"}
 net_traits = {path = "../net_traits"}
 openssl = "0.10"
+openssl-sys = "0.9"
 percent-encoding = "2.0"
 pixels = {path = "../pixels"}
 profile_traits = {path = "../profile_traits"}

components/net/build.rs

@@ -0,0 +1,16 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+fn main() {
+    let version =
+        std::env::var("DEP_OPENSSL_VERSION_NUMBER").expect("missing DEP_OPENSSL_VERSION_NUMBER");
+    let actual = u64::from_str_radix(&version, 16).unwrap();
+    let minimum = 0x10101000;
+    if actual < minimum {
+        panic!(
+            "Your OpenSSL version is older than 1.1.1 ({:x}), you have: {:x}",
+            minimum, actual
+        );
+    }
+}

components/net/connector.rs

@@ -21,7 +21,7 @@ const TLS1_2_CIPHERSUITES: &'static str = concat!(
     "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:",
     "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:",
     "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:",
-    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA"
+    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA@SECLEVEL=2"
 );
 const SIGNATURE_ALGORITHMS: &'static str = concat!(
     "ed448:ed25519:",

etc/ci/check_dynamic_symbols.py

@@ -32,6 +32,7 @@ allowed_symbols = frozenset([
     b'sigemptyset',
     b'AHardwareBuffer_allocate',
     b'AHardwareBuffer_release',
+    b'getentropy',
 ])
 actual_symbols = set()
 

python/servo/build_commands.py

@@ -331,7 +331,7 @@ class MachCommands(CommandBase):
             android_arch = self.config["android"]["arch"]
 
             # Build OpenSSL for android
-            env["OPENSSL_VERSION"] = "1.0.2k"
+            env["OPENSSL_VERSION"] = "1.1.1d"
             make_cmd = ["make"]
             if jobs is not None:
                 make_cmd += ["-j" + jobs]
@@ -580,7 +580,7 @@ class MachCommands(CommandBase):
 
             # The Open SSL configuration
             env.setdefault("OPENSSL_DIR", path.join(target_path, target, "native", "openssl"))
-            env.setdefault("OPENSSL_VERSION", "1.0.2k")
+            env.setdefault("OPENSSL_VERSION", "1.1.1d")
             env.setdefault("OPENSSL_STATIC", "1")
 
             # GStreamer configuration

resources/public_domains.txt

@@ -188,7 +188,6 @@ vic.au
 wa.au
 act.edu.au
 catholic.edu.au
-eq.edu.au
 nsw.edu.au
 nt.edu.au
 qld.edu.au
@@ -5320,12 +5319,6 @@ gov.rs
 in.rs
 org.rs
 ru
-ac.ru
-edu.ru
-gov.ru
-int.ru
-mil.ru
-test.ru
 rw
 ac.rw
 co.rw
@@ -6184,6 +6177,7 @@ allstate
 ally
 alsace
 alstom
+amazon
 americanexpress
 americanfamily
 amex
@@ -6314,7 +6308,6 @@ care
 career
 careers
 cars
-cartier
 casa
 case
 caseih
@@ -6341,7 +6334,6 @@ cheap
 chintai
 christmas
 chrome
-chrysler
 church
 cipriani
 circle
@@ -6435,7 +6427,6 @@ diy
 dnp
 docs
 doctor
-dodge
 dog
 domains
 dot
@@ -6471,7 +6462,6 @@ etisalat
 eurovision
 eus
 events
-everbank
 exchange
 expert
 exposed
@@ -6700,12 +6690,10 @@ kred
 kuokgroup
 kyoto
 lacaixa
-ladbrokes
 lamborghini
 lamer
 lancaster
 lancia
-lancome
 land
 landrover
 lanxess
@@ -6723,7 +6711,6 @@ legal
 lego
 lexus
 lgbt
-liaison
 lidl
 life
 lifeinsurance
@@ -6805,7 +6792,6 @@ mom
 monash
 money
 monster
-mopar
 mormon
 mortgage
 moscow
@@ -6813,7 +6799,6 @@ moto
 motorcycles
 mov
 movie
-movistar
 msd
 mtn
 mtr
@@ -6900,7 +6885,6 @@ photo
 photography
 photos
 physio
-piaget
 pics
 pictet
 pictures
@@ -7071,7 +7055,6 @@ sport
 spot
 spreadbetting
 srl
-srt
 stada
 staples
 star
@@ -7114,7 +7097,6 @@ tdk
 team
 tech
 technology
-telefonica
 temasek
 tennis
 teva
@@ -7159,7 +7141,6 @@ tushu
 tvs
 ubank
 ubs
-uconnect
 unicom
 university
 uno
@@ -7200,7 +7181,6 @@ walmart
 walter
 wang
 wanggou
-warman
 watch
 watches
 weather
@@ -7264,6 +7244,7 @@ xn--bck1b9a5dre4c
 xn--c1avg
 xn--c2br7g
 xn--cck2b3b
+xn--cckwcxetd
 xn--cg4bki
 xn--czr694b
 xn--czrs0t
@@ -7287,6 +7268,7 @@ xn--i1b6b1a6a2e
 xn--imr513n
 xn--io0a7i
 xn--j1aef
+xn--jlq480n2rg
 xn--jlq61u9w7b
 xn--jvr189m
 xn--kcrx77d1x4a
@@ -7348,6 +7330,9 @@ zuerich
 cc.ua
 inf.ua
 ltd.ua
+adobeaemcloud.com
+adobeaemcloud.net
+*.dev.adobeaemcloud.com
 beep.pl
 barsy.ca
 *.compute.estate
@@ -7435,6 +7420,7 @@ s3-website.eu-central-1.amazonaws.com
 s3-website.eu-west-2.amazonaws.com
 s3-website.eu-west-3.amazonaws.com
 s3-website.us-east-2.amazonaws.com
+amsw.nl
 t3l3p0rt.net
 tele.amune.org
 apigee.io
@@ -7510,6 +7496,7 @@ c.la
 certmgr.org
 xenapponazure.com
 discourse.group
+discourse.team
 virtueeldomein.nl
 cleverapps.io
 *.lcl.dev
@@ -7553,6 +7540,12 @@ co.nl
 co.no
 webhosting.be
 hosting-cluster.nl
+ac.ru
+edu.ru
+gov.ru
+int.ru
+mil.ru
+test.ru
 dyn.cosidns.de
 dynamisches-dns.de
 dnsupdater.de
@@ -7565,6 +7558,10 @@ static-access.net
 realm.cz
 *.cryptonomic.net
 cupcake.is
+*.customer-oci.com
+*.oci.customer-oci.com
+*.ocp.customer-oci.com
+*.ocs.customer-oci.com
 cyon.link
 cyon.site
 daplie.me
@@ -7582,6 +7579,8 @@ reg.dk
 store.dk
 *.dapps.earth
 *.bzz.dapps.earth
+builtwithdark.com
+edgestack.me
 debian.net
 dedyn.io
 dnshome.de
@@ -7905,6 +7904,7 @@ myddns.rocks
 blogsite.xyz
 dynv6.net
 e4.cz
+en-root.fr
 mytuleap.com
 onred.one
 staging.onred.one
@@ -8053,6 +8053,7 @@ vladikavkaz.su
 vladimir.su
 vologda.su
 channelsdvr.net
+u.channelsdvr.net
 fastly-terrarium.com
 fastlylb.net
 map.fastlylb.net
@@ -8082,6 +8083,7 @@ filegear-sg.me
 firebaseapp.com
 flynnhub.com
 flynnhosting.net
+0e.vc
 freebox-os.com
 freeboxos.com
 fbx-os.fr
@@ -8100,6 +8102,7 @@ futuremailing.at
 service.gov.uk
 gehirn.ne.jp
 usercontent.jp
+gentapps.com
 lab.ms
 github.io
 githubusercontent.com
@@ -8117,6 +8120,7 @@ a.run.app
 web.app
 *.0emm.com
 appspot.com
+*.r.appspot.com
 blogspot.ae
 blogspot.al
 blogspot.am
@@ -8200,6 +8204,7 @@ pagespeedmobilizer.com
 publishproxy.com
 withgoogle.com
 withyoutube.com
+awsmppl.com
 fin.ci
 free.hr
 caa.li
@@ -8227,6 +8232,7 @@ col.ng
 firm.ng
 gen.ng
 ltd.ng
+ngo.ng
 ng.school
 sch.so
 xn--hkkinen-5wa.fi
@@ -8293,6 +8299,7 @@ keymachine.de
 kinghost.net
 uni5.net
 knightpoint.systems
+oya.to
 co.krd
 edu.krd
 git-repos.de
@@ -8563,11 +8570,13 @@ nom.ug
 nom.uy
 nom.vc
 nom.vg
+static.observableusercontent.com
 cya.gg
 cloudycluster.net
 nid.io
 opencraft.hosting
 operaunite.com
+skygearapp.com
 outsystemscloud.com
 ownprovider.com
 own.pm
@@ -8584,6 +8593,7 @@ zakopane.pl
 pantheonsite.io
 gotpantheon.com
 mypep.link
+perspecta.cloud
 on-web.fr
 *.platform.sh
 *.platformsh.site
@@ -8598,9 +8608,12 @@ chirurgiens-dentistes-en-france.fr
 byen.site
 pubtls.org
 qualifioapp.com
+qbuser.com
 instantcloud.cn
 ras.ru
 qa2.com
+qcx.io
+*.sys.qcx.io
 dev-myqnapcloud.com
 alpha-myqnapcloud.com
 myqnapcloud.com
@@ -8609,6 +8622,7 @@ vapor.cloud
 vaporcloud.io
 rackmaze.com
 rackmaze.net
+*.on-k3s.io
 *.on-rancher.cloud
 *.on-rio.io
 readthedocs.io
@@ -8628,6 +8642,7 @@ sandcats.io
 logoip.de
 logoip.com
 schokokeks.net
+gov.scot
 scrysec.com
 firewall-gateway.com
 firewall-gateway.de
@@ -8639,6 +8654,7 @@ firewall-gateway.net
 my-firewall.org
 myfirewall.org
 spdns.org
+senseering.net
 biz.ua
 co.ua
 pp.ua
@@ -8758,6 +8774,7 @@ lib.de.us
 router.management
 v-info.info
 voorloper.cloud
+v.ua
 wafflecell.com
 *.webhare.dev
 wedeploy.io
@@ -8765,6 +8782,11 @@ wedeploy.me
 wedeploy.sh
 remotewd.com
 wmflabs.org
+myforum.community
+community-pro.de
+diskussionsbereich.de
+community-pro.net
+meinforum.net
 half.host
 xnbay.com
 u2.xnbay.com