Attachment 339459 Details for
Bug 185139
: [Curl] Make the cipher suites, the signing algorithms and the curve lists configurable.
[patch]
PATCH
185139.diff (text/plain), 10.15 KB, created by
Basuke Suzuki
on 2018-05-03 13:59:19 PDT
Description:
PATCH
Filename:
MIME Type:
Creator:
Basuke Suzuki
Created:
2018-05-03 13:59:19 PDT
Size:
10.15 KB
patch
obsolete
>diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
>index 84d3e7f8978..ab718a4e3e6 100644
>--- a/Source/WebCore/ChangeLog
>+++ b/Source/WebCore/ChangeLog
>@@ -1,3 +1,35 @@
>+2018-05-03 Basuke Suzuki <Basuke.Suzuki@sony.com>
>+
>+ [Curl] Make the cipher suites, the signing algorithms and the curve lists configurable.
>+ https://bugs.webkit.org/show_bug.cgi?id=185139
>+
>+ Add interface to configure the cipher suites, the signing algorithms and the curve lists
>+ used by OpenSSL and libcurl to exchange, to sign or to verify keys.
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ No new tests in public. Have tested internally.
>+
>+ * platform/network/curl/CurlContext.cpp:
>+ (WebCore::CurlHandle::setSslCipherList):
>+ * platform/network/curl/CurlContext.h:
>+ * platform/network/curl/CurlRequest.cpp:
>+ (WebCore::CurlRequest::setupTransfer):
>+ (WebCore::CurlRequest::willSetupSslCtx):
>+ * platform/network/curl/CurlSSLHandle.cpp:
>+ (WebCore::CurlSSLHandle::getCACertPathEnv):
>+ * platform/network/curl/CurlSSLHandle.h:
>+ (WebCore::CurlSSLHandle::getCipherList const):
>+ (WebCore::CurlSSLHandle::getSignatureAlgorithmsList const):
>+ (WebCore::CurlSSLHandle::getCurvesList const):
>+ (WebCore::CurlSSLHandle::setCipherList):
>+ (WebCore::CurlSSLHandle::setSignatureAlgorithmsList):
>+ (WebCore::CurlSSLHandle::setCurvesList):
>+ (WebCore::CurlSSLHandle::getCACertPath const):
>+ (WebCore::CurlSSLHandle::setCACertPath):
>+ * platform/network/curl/CurlSSLVerifier.cpp:
>+ (WebCore::CurlSSLVerifier::CurlSSLVerifier):
>+
> 2018-05-03 Zalan Bujtas <zalan@apple.com>
>
> [LFC] Box invalidation logic should go to dedicated classes.
>diff --git a/Source/WebCore/platform/network/curl/CurlContext.cpp b/Source/WebCore/platform/network/curl/CurlContext.cpp
>index 24095c78f66..ef132974aeb 100644
>--- a/Source/WebCore/platform/network/curl/CurlContext.cpp
>+++ b/Source/WebCore/platform/network/curl/CurlContext.cpp
>@@ -482,6 +482,11 @@ void CurlHandle::setSslKeyPassword(const char* password)
> curl_easy_setopt(m_handle, CURLOPT_KEYPASSWD, password);
> }
>
>+void CurlHandle::setSslCipherList(const char* cipherList)
>+{
>+ curl_easy_setopt(m_handle, CURLOPT_SSL_CIPHER_LIST, cipherList);
>+}
>+
> void CurlHandle::enableProxyIfExists()
> {
> auto& proxy = CurlContext::singleton().proxySettings();
>diff --git a/Source/WebCore/platform/network/curl/CurlContext.h b/Source/WebCore/platform/network/curl/CurlContext.h
>index 0e63de8cf6c..9677e0a31f8 100644
>--- a/Source/WebCore/platform/network/curl/CurlContext.h
>+++ b/Source/WebCore/platform/network/curl/CurlContext.h
>@@ -252,6 +252,7 @@ public:
> void setSslCert(const char*);
> void setSslCertType(const char*);
> void setSslKeyPassword(const char*);
>+ void setSslCipherList(const char*);
>
> void enableProxyIfExists();
>
>diff --git a/Source/WebCore/platform/network/curl/CurlRequest.cpp b/Source/WebCore/platform/network/curl/CurlRequest.cpp
>index 0335a67b958..4ea9152318d 100644
>--- a/Source/WebCore/platform/network/curl/CurlRequest.cpp
>+++ b/Source/WebCore/platform/network/curl/CurlRequest.cpp
>@@ -192,6 +192,7 @@ CURL* CurlRequest::setupTransfer()
> m_curlHandle->setHttpAuthUserPass(m_user, m_password);
> }
>
>+ m_curlHandle->setSslCtxCallbackFunction(willSetupSslCtxCallback, this);
> m_curlHandle->setHeaderCallbackFunction(didReceiveHeaderCallback, this);
> m_curlHandle->setWriteCallbackFunction(didReceiveDataCallback, this);
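Review bot: `setSslCipherList` discards the `curl_easy_setopt` return value, so a cipher string that libcurl or OpenSSL cannot use is only detected when the transfer's TLS handshake fails, not at the point where the list is configured. That matches the neighbouring setters, but for a hardening knob a silent fallback is easy to miss during bring-up; a comment such as `// An unusable list is not rejected here; the transfer fails at connect time.` makes the contract explicit. Note also that this libcurl option covers the pre-TLS-1.3 cipher list; depending on the libcurl version in use, TLS 1.3 ciphersuites are configured through a separate option and are not affected by this string.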
>
>@@ -205,8 +206,17 @@ CURL* CurlRequest::setupTransfer()
>
> m_curlHandle->enableProxyIfExists();
>
>- m_curlHandle->setSslVerifyPeer(CurlHandle::VerifyPeer::Enable);
>- m_curlHandle->setSslVerifyHost(CurlHandle::VerifyHost::StrictNameCheck);
>+ if (!sslHandle.shouldIgnoreSSLErrors()) {
>+ m_curlHandle->setSslVerifyPeer(CurlHandle::VerifyPeer::Enable);
>+ m_curlHandle->setSslVerifyHost(CurlHandle::VerifyHost::StrictNameCheck);
>+ } else {
>+ m_curlHandle->setSslVerifyPeer(CurlHandle::VerifyPeer::Disable);
>+ m_curlHandle->setSslVerifyHost(CurlHandle::VerifyHost::LooseNameCheck);
>+ }
>+
>+ const auto& cipherList = sslHandle.getCipherList();
>+ if (cipherList)
>+ m_curlHandle->setSslCipherList(cipherList->utf8().data());
>
> auto sslClientCertificate = sslHandle.getSSLClientCertificate(m_request.url().host());
> if (sslClientCertificate) {
>@@ -215,12 +225,7 @@ CURL* CurlRequest::setupTransfer()
> m_curlHandle->setSslKeyPassword(sslClientCertificate->second.utf8().data());
> }
>
>- if (sslHandle.shouldIgnoreSSLErrors())
>- m_curlHandle->setSslVerifyPeer(CurlHandle::VerifyPeer::Disable);
>- else
>- m_curlHandle->setSslCtxCallbackFunction(willSetupSslCtxCallback, this);
>-
>- m_curlHandle->setCACertPath(sslHandle.getCACertPath());
>+ m_curlHandle->setCACertPath(sslHandle.getCACertPath().utf8().data());
>
> if (m_shouldSuspend)
> suspend();
>@@ -235,8 +240,10 @@ CURL* CurlRequest::setupTransfer()
>
> CURLcode CurlRequest::willSetupSslCtx(void* sslCtx)
> {
>- m_sslVerifier = std::make_unique<CurlSSLVerifier>(m_curlHandle.get(), m_request.url().host(), sslCtx);
>+ if (!sslCtx)
>+ return CURLE_ABORTED_BY_CALLBACK;
>
>+ m_sslVerifier = std::make_unique<CurlSSLVerifier>(m_curlHandle.get(), m_request.url().host(), sslCtx);
> return CURLE_OK;
> }
>
>diff --git a/Source/WebCore/platform/network/curl/CurlSSLHandle.cpp b/Source/WebCore/platform/network/curl/CurlSSLHandle.cpp
>index f4ea372f563..e84f776cce3 100644
>--- a/Source/WebCore/platform/network/curl/CurlSSLHandle.cpp
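Review bot: The `else` branch of the new `shouldIgnoreSSLErrors()` block relaxes host-name checking to `VerifyHost::LooseNameCheck`, whereas the code removed in the following hunk only disabled peer verification and left host checking at `StrictNameCheck`; that is a behaviour change the ChangeLog entry does not mention. If it is intended, a comment on the `else` line such as `// Ignoring SSL errors turns off both chain and host-name verification at the libcurl level; CurlSSLVerifier inherits this mode.` records it, otherwise keep `StrictNameCheck` in that branch. Depending on which libcurl value the loose setting maps to, libcurl may reject or silently upgrade it, so the effective behaviour should be confirmed against the build's libcurl. The `cipherList->utf8().data()` pointer is a temporary that is valid only because `curl_easy_setopt` copies string options; `setupTransfer` continues outside the hunk.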
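Review bot: `sslHandle.getCACertPath().utf8().data()` passes a pointer into a temporary `CString` that dies at the end of the statement, where the removed line passed the address of a `CString` member that outlived the call. This is safe only if `CurlHandle::setCACertPath` hands the pointer straight to `curl_easy_setopt`, which copies string options; should it ever retain the pointer, this becomes a dangling read that would break CA bundle loading with no obvious symptom beyond failed connections. A one-line comment, `// libcurl copies the string; the temporary CString is not retained.`, or a named `CString` local would make the assumption visible. `setupTransfer` continues outside the hunk.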
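Review bot: With the SSL-context callback now installed unconditionally earlier in `setupTransfer`, `willSetupSslCtx` constructs a `CurlSSLVerifier` even when `shouldIgnoreSSLErrors()` is true, which the old code deliberately avoided; the new null check is fail-closed, but nothing documents that the verifier is expected to run in a non-enforcing mode in that case. A comment before the `make_unique` line, `// Always installed: the verifier inherits libcurl's verify mode, so with ignoreSSLErrors its verdict is advisory only.`, saves the next reader a trip to CurlSSLVerifier.cpp.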
>+++ b/Source/WebCore/platform/network/curl/CurlSSLHandle.cpp
>@@ -55,11 +55,11 @@ CurlSSLHandle::CurlSSLHandle()
> #endif
> }
>
>-CString CurlSSLHandle::getCACertPathEnv()
>+String CurlSSLHandle::getCACertPathEnv()
> {
> char* envPath = getenv("CURL_CA_BUNDLE_PATH");
> if (envPath)
>- return envPath;
>+ return String(envPath);
>
> #if USE(CF)
> CFBundleRef webKitBundleRef = webKitBundle();
>@@ -68,12 +68,12 @@ CString CurlSSLHandle::getCACertPathEnv()
> if (certURLRef) {
> char path[MAX_PATH];
> CFURLGetFileSystemRepresentation(certURLRef.get(), false, reinterpret_cast<UInt8*>(path), MAX_PATH);
>- return path;
>+ return String(path);
> }
> }
> #endif
>
>- return CString();
>+ return String();
> }
>
> void CurlSSLHandle::setHostAllowsAnyHTTPSCertificate(const String& hostName)
>diff --git a/Source/WebCore/platform/network/curl/CurlSSLHandle.h b/Source/WebCore/platform/network/curl/CurlSSLHandle.h
>index 2afbc155eff..ae3bc392116 100644
>--- a/Source/WebCore/platform/network/curl/CurlSSLHandle.h
>+++ b/Source/WebCore/platform/network/curl/CurlSSLHandle.h
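Review bot: `return String(envPath)` decodes the environment value with WTF's `const char*` constructor, which treats the bytes as Latin-1; the same applies to `String(path)` in the following hunk, where `CFURLGetFileSystemRepresentation` produces UTF-8. A bundle path containing non-ASCII bytes would be mis-decoded here and re-encoded by the `.utf8()` call in `setupTransfer`, so libcurl would be handed a path that does not exist and every verified connection would fail, whereas the previous `CString` return preserved the bytes unchanged. Use `String::fromUTF8(envPath)` and `String::fromUTF8(path)` so the round trip is lossless. `getCACertPathEnv` continues past the end of this hunk.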
>@@ -45,14 +45,34 @@ namespace WebCore {
> class CurlSSLHandle {
> WTF_MAKE_NONCOPYABLE(CurlSSLHandle);
> friend NeverDestroyed<CurlSSLHandle>;
>+ using ClientCertificate = std::pair<String, String>;
>
> public:
> CurlSSLHandle();
>
>- using ClientCertificate = std::pair<String, String>;
>+ std::optional<String> getCipherList() const
>+ {
>+ return !m_cipherList.isEmpty() ? m_cipherList : std::optional<String>(std::nullopt);
>+ }
>+
>+ std::optional<String> getSignatureAlgorithmsList() const
>+ {
>+ return !m_signatureAlgorithmsList.isEmpty() ? m_signatureAlgorithmsList : std::optional<String>(std::nullopt);
>+ }
>+
>+ std::optional<String> getCurvesList() const
>+ {
>+ return !m_curvesList.isEmpty() ? m_curvesList : std::optional<String>(std::nullopt);
>+ }
>+
>+ void setCipherList(const String& cipherList) { m_cipherList = cipherList.isolatedCopy(); }
>+ void setSignatureAlgorithmsList(const String& signatureAlgorithmsList) { m_signatureAlgorithmsList = signatureAlgorithmsList.isolatedCopy(); }
>+ void setCurvesList(const String& curvesList) { m_curvesList = curvesList.isolatedCopy(); }
>
> bool shouldIgnoreSSLErrors() const { return m_ignoreSSLErrors; }
>- const char* getCACertPath() const { return m_caCertPath.data(); }
>+
>+ const String& getCACertPath() const { return m_caCertPath; }
>+ void setCACertPath(const String& caCertPath) { m_caCertPath = caCertPath; }
>
> WEBCORE_EXPORT void setHostAllowsAnyHTTPSCertificate(const String&);
> bool isAllowedHTTPSCertificateHost(const String&);
>@@ -62,8 +82,6 @@ public:
> std::optional<ClientCertificate> getSSLClientCertificate(const String&);
>
> private:
>- CString getCACertPathEnv();
>-
> #if NEED_OPENSSL_THREAD_SUPPORT
> class ThreadSupport {
> friend NeverDestroyed<CurlSSLHandle::ThreadSupport>;
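Review bot: `setCACertPath` stores `caCertPath` directly while the three list setters store `isolatedCopy()`, and the getters copy the `String` members into an `optional` without taking `m_mutex`; if configuration and `setupTransfer` can run on different threads, the non-atomic `String` refcount makes those reads racy regardless of the isolated copy, and the CA-path inconsistency suggests one of the two conventions is unintentional. Either document that every setter must be called before the first request is started (a comment above `setCipherList`), or take `m_mutex` in both the getters and the setters. The three getters also repeat the same empty-to-`nullopt` expression, which a private helper removes:
```cpp
    // Private helper: an empty list means "leave the OpenSSL/libcurl defaults in place".
    static std::optional<String> nonEmptyOrNullopt(const String& value)
    {
        return value.isEmpty() ? std::nullopt : std::optional<String>(value);
    }

    std::optional<String> getCipherList() const { return nonEmptyOrNullopt(m_cipherList); }
    std::optional<String> getSignatureAlgorithmsList() const { return nonEmptyOrNullopt(m_signatureAlgorithmsList); }
    std::optional<String> getCurvesList() const { return nonEmptyOrNullopt(m_curvesList); }
    // … unchanged: setters, shouldIgnoreSSLErrors, CA path accessors …
```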
>@@ -91,8 +109,15 @@ private:
> };
> #endif
>
>+ String getCACertPathEnv();
>+
> bool m_ignoreSSLErrors { false };
>- CString m_caCertPath;
>+
>+ String m_cipherList;
>+ String m_signatureAlgorithmsList;
>+ String m_curvesList;
>+
>+ String m_caCertPath;
>
> Lock m_mutex;
> HashMap<String, ListHashSet<String>, ASCIICaseInsensitiveHash> m_allowedHosts;
>diff --git a/Source/WebCore/platform/network/curl/CurlSSLVerifier.cpp b/Source/WebCore/platform/network/curl/CurlSSLVerifier.cpp
>index 34d6c975c5d..81c22859a37 100644
>--- a/Source/WebCore/platform/network/curl/CurlSSLVerifier.cpp
>+++ b/Source/WebCore/platform/network/curl/CurlSSLVerifier.cpp
>@@ -38,10 +38,21 @@ CurlSSLVerifier::CurlSSLVerifier(CurlHandle* curlHandle, const String& hostName,
> : m_curlHandle(curlHandle)
> , m_hostName(hostName)
> {
>- if (sslCtx) {
>- SSL_CTX_set_app_data(static_cast<SSL_CTX*>(sslCtx), this);
>- SSL_CTX_set_verify(static_cast<SSL_CTX*>(sslCtx), SSL_VERIFY_PEER, certVerifyCallback);
>- }
>+ auto ctx = static_cast<SSL_CTX*>(sslCtx);
>+ auto& sslHandle = CurlContext::singleton().sslHandle();
>+
>+ SSL_CTX_set_app_data(ctx, this);
>+ SSL_CTX_set_verify(ctx, SSL_CTX_get_verify_mode(ctx), certVerifyCallback);
>+
>+#if (!defined(LIBRESSL_VERSION_NUMBER))
>+ const auto& signatureAlgorithmsList = sslHandle.getSignatureAlgorithmsList();
>+ if (signatureAlgorithmsList)
>+ SSL_CTX_set1_sigalgs_list(ctx, signatureAlgorithmsList->utf8().data());
>+#endif
>+
>+ const auto& curvesList = sslHandle.getCurvesList();
>+ if (curvesList)
>+ SSL_CTX_set1_curves_list(ctx, curvesList->utf8().data());
> }
>
> int CurlSSLVerifier::certVerifyCallback(int ok, X509_STORE_CTX* storeCtx)
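Review bot: The return values of `SSL_CTX_set1_sigalgs_list` and `SSL_CTX_set1_curves_list` are ignored, and both return 0 when the list cannot be parsed or none of its entries is usable, in which case the handshake silently proceeds with OpenSSL's defaults — the opposite of what a configured restriction is meant to guarantee. At minimum log the failure; if a bad list should be fatal, record it in a member that `certVerifyCallback` can turn into a rejected handshake. Separately, `SSL_CTX_set_verify` now inherits `SSL_CTX_get_verify_mode(ctx)` instead of forcing `SSL_VERIFY_PEER`, so under `shouldIgnoreSSLErrors()` the callback runs but its verdict is not enforced; a comment on that line, `// Keep libcurl's verify mode so the ignore-SSL-errors setting made in setupTransfer stays authoritative.`, documents the intent. The constructor also no longer tolerates a null `sslCtx`; that is now the caller's contract and worth stating next to the `static_cast`.
```cpp
#if (!defined(LIBRESSL_VERSION_NUMBER))
    const auto& signatureAlgorithmsList = sslHandle.getSignatureAlgorithmsList();
    if (signatureAlgorithmsList && !SSL_CTX_set1_sigalgs_list(ctx, signatureAlgorithmsList->utf8().data()))
        LOG_ERROR("Signature algorithm list was rejected by OpenSSL; library defaults remain in effect");
#endif

    const auto& curvesList = sslHandle.getCurvesList();
    if (curvesList && !SSL_CTX_set1_curves_list(ctx, curvesList->utf8().data()))
        LOG_ERROR("Curves list was rejected by OpenSSL; library defaults remain in effect");
```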