Summary: | REGRESSION(r228088): [SOUP] Certificate verification no longer performed for secure WebSocket connections | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Security | Reporter: | Michael Catanzaro <mcatanzaro> | ||||||
Component: | Security | Assignee: | WebKit Security Group <webkit-security-unassigned> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | Normal | CC: | bfulgham, cgarcia, csaavedra, mcatanzaro, product-security, svillar, webkit-bug-importer | ||||||
Priority: | P2 | Keywords: | InRadar | ||||||
Version: | WebKit Nightly Build | ||||||||
Hardware: | PC | ||||||||
OS: | Linux | ||||||||
See Also: |
https://bugs.webkit.org/show_bug.cgi?id=126384 https://bugs.webkit.org/show_bug.cgi?id=184480 https://bugs.webkit.org/show_bug.cgi?id=184821 |
||||||||
Bug Depends on: | 184480 | ||||||||
Bug Blocks: | |||||||||
Attachments: |
|
Description
Michael Catanzaro
2018-04-19 20:00:01 PDT
Created attachment 338389 [details]
Patch
Comment on attachment 338389 [details]
Patch
(It's not ready for review, because it doesn't fix the bug. Necessary, not sufficient.)
Comment on attachment 338389 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=338389&action=review > Source/WebCore/testing/InternalSettings.cpp:-844 > -#if USE(SOUP) > - SoupNetworkSession::setShouldIgnoreTLSErrors(allowsAnyCertificate); > -#endif (If it breaks layout tests, this would probably be why.) Comment on attachment 338389 [details]
Patch
There's too much noise in this patch to be a security fix, note that I'll have to backport it to 2.20 branch. So, I would simply fix the bug here, and then do the renames, cleanups and update jhbuild in follow up patches.
Created attachment 338404 [details] Simpler patch This patch fixes the bug if applied on top of patch attached to bug #184480. I've fixed the bug and copied the test case added by Michael in the previous patch. I also updated the test to move the asserts from the fixture to the test and simplify it a bit. Michael, if you are going to bump libsoup version in jhbuild, remember to include a patch for this commit: https://git.gnome.org/browse/libsoup/commit/?id=e8995d4e1d5cf984cf10327c59808976425b2f9c Comment on attachment 338404 [details] Simpler patch View in context: https://bugs.webkit.org/attachment.cgi?id=338404&action=review I see you simplified several aspects of my code. Excellent! I'll create another bug to deal with the insane testing setting. > Source/WebCore/ChangeLog:3 > + REGRESSION(r228088): [SOUP] Check TLS errors for WebSockets right after TLS handshacking event handshaking > Source/WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp:92 > + reinterpret_cast<SoupSessionConnectProgressCallback>(connectProgressCallback), I would change the ternary condition to url.protocolIs("wss") instead of removing it entirely, to avoid the unnecessary progress callbacks otherwise. > Tools/TestWebKitAPI/Tests/WebKitGLib/TestSSL.cpp:348 > + DidReachServer = 1 << 0, This flag is misnamed. Of course the request will always reach the server, because the client won't be able to check for TLS errors if the server has not sent it anything. Rename it, perhaps: "DidServerCompleteHandshake" I'm going to request a CVE for this one. Bug #184480 is really minor since we don't support TLS 1.3 or fast open, so that doesn't need a CVE. Committed r230886: <https://trac.webkit.org/changeset/230886> (In reply to Michael Catanzaro from comment #9) > Bug #184480 is really minor since we don't support TLS 1.3 or fast open, so > that doesn't need a CVE. But note this fix depends on that one. (In reply to Michael Catanzaro from comment #9) > I'm going to request a CVE for this one. > > Bug #184480 is really minor since we don't support TLS 1.3 or fast open, so > that doesn't need a CVE. It's been six weeks without a response from the DWF project. I've asked them to not issue the CVE after all, and requested one from Debian instead. Hopefully we don't wind up with a duplicate. And MITRE responds in one day... phenomenal, really. I don't understand what DWF is trying to accomplish, they are just getting in the way. (In reply to Michael Catanzaro from comment #13) > And MITRE responds in one day... phenomenal, really. Oh yeah, Debian directed me to apply from MITRE. |