Changeset 230886 in webkit
- Timestamp:
- Apr 20, 2018 11:36:12 PM (5 years ago)
- Location:
- trunk
- Files:
-
- 5 edited
-
Source/WebCore/ChangeLog (modified) (1 diff)
-
Source/WebCore/platform/network/soup/SocketStreamHandleImpl.h (modified) (1 diff)
-
Source/WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp (modified) (4 diffs)
-
Tools/ChangeLog (modified) (1 diff)
-
Tools/TestWebKitAPI/Tests/WebKitGLib/TestSSL.cpp (modified) (2 diffs)
trunk/Source/WebCore/ChangeLog
r230885 r230886 1 2018-04-20 Carlos Garcia Campos <cgarcia@igalia.com> 2 3 REGRESSION(r228088): [SOUP] Check TLS errors for WebSockets on GTlsConnection::accept-certificate 4 https://bugs.webkit.org/show_bug.cgi?id=184804 5 6 Reviewed by Michael Catanzaro. 7 8 * platform/network/soup/SocketStreamHandleImpl.h: Add a public url getter. 9 * platform/network/soup/SocketStreamHandleImplSoup.cpp: 10 (WebCore::acceptCertificateCallback): Call SoupNetworkSession::checkTLSErrors() to decide whether to accept the 11 certificate or not. 12 (WebCore::connectProgressCallback): Receive the SocketStreamHandle and pass it to acceptCertificateCallback callback. 13 (WebCore::socketClientEventCallback): Ditto. 14 (WebCore::SocketStreamHandleImpl::create): Always connect to network events. 15 (WebCore::wssConnectionAcceptCertificateCallback): Deleted. 16 (WebCore::wssSocketClientEventCallback): Deleted. 17 1 18 2018-04-20 Carlos Garcia Campos <cgarcia@igalia.com> 2 19 -
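--- a/trunk/Source/WebCore/platform/network/soup/SocketStreamHandleImpl.h
+++ b/trunk/Source/WebCore/platform/network/soup/SocketStreamHandleImpl.h
@@ -52,4 +52,6 @@
 virtual ~SocketStreamHandleImpl();
 
+const URL& url() const { return m_url; }
+
 void platformSend(const uint8_t* data, size_t length, Function<void(bool)>&&) final;
 void platformSendHandshake(const uint8_t* data, size_t length, const std::optional<CookieRequestHeaderFieldProxy>&, Function<void(bool, bool)>&&) final;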
trunk/Source/WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp
r230875 r230886 51 51 namespace WebCore { 52 52 53 static gboolean wssConnectionAcceptCertificateCallback(GTlsConnection*, GTlsCertificate*, GTlsCertificateFlags) 54 { 55 return TRUE; 53 static gboolean acceptCertificateCallback(GTlsConnection*, GTlsCertificate* certificate, GTlsCertificateFlags errors, SocketStreamHandleImpl* handle) 54 { 55 // FIXME: Using DeprecatedGlobalSettings from here is a layering violation. 56 if (DeprecatedGlobalSettings::allowsAnySSLCertificate()) 57 return TRUE; 58 59 return !SoupNetworkSession::checkTLSErrors(handle->url(), certificate, errors); 56 60 } 57 61 58 62 #if SOUP_CHECK_VERSION(2, 61, 90) 59 static void wssSocketClientEventCallback(SoupSession*, GSocketClientEvent event, GIOStream* connection)63 static void connectProgressCallback(SoupSession*, GSocketClientEvent event, GIOStream* connection, SocketStreamHandleImpl* handle) 60 64 { 61 65 if (event != G_SOCKET_CLIENT_TLS_HANDSHAKING) 62 66 return; 63 67 64 g_signal_connect(connection, "accept-certificate", G_CALLBACK( wssConnectionAcceptCertificateCallback), nullptr);68 g_signal_connect(connection, "accept-certificate", G_CALLBACK(acceptCertificateCallback), handle); 65 69 } 66 70 #else 67 static void wssSocketClientEventCallback(GSocketClient*, GSocketClientEvent event, GSocketConnectable*, GIOStream* connection)71 static void socketClientEventCallback(GSocketClient*, GSocketClientEvent event, GSocketConnectable*, GIOStream* connection, SocketStreamHandleImpl* handle) 68 72 { 69 73 if (event != G_SOCKET_CLIENT_TLS_HANDSHAKING) 70 74 return; 71 75 72 g_signal_connect(connection, "accept-certificate", G_CALLBACK( wssConnectionAcceptCertificateCallback), nullptr);76 g_signal_connect(connection, "accept-certificate", G_CALLBACK(acceptCertificateCallback), handle); 73 77 } 74 78 #endif … … 77 81 { 78 82 Ref<SocketStreamHandleImpl> socket = adoptRef(*new SocketStreamHandleImpl(url, client)); 79 80 // FIXME: Using DeprecatedGlobalSettings from here is a layering violation.81 bool 
allowsAnySSLCertificate = url.protocolIs("wss") && DeprecatedGlobalSettings::allowsAnySSLCertificate();82 83 83 84 #if SOUP_CHECK_VERSION(2, 61, 90) … … 89 90 Ref<SocketStreamHandle> protectedSocketStreamHandle = socket.copyRef(); 90 91 soup_session_connect_async(networkStorageSession->getOrCreateSoupNetworkSession().soupSession(), uri.get(), socket->m_cancellable.get(), 91 allowsAnySSLCertificate ? reinterpret_cast<SoupSessionConnectProgressCallback>(wssSocketClientEventCallback) : nullptr,92 url.protocolIs("wss") ? reinterpret_cast<SoupSessionConnectProgressCallback>(connectProgressCallback) : nullptr, 92 93 reinterpret_cast<GAsyncReadyCallback>(connectedCallback), &protectedSocketStreamHandle.leakRef()); 93 94 #else … … 97 98 if (url.protocolIs("wss")) { 98 99 g_socket_client_set_tls(socketClient.get(), TRUE); 99 if (allowsAnySSLCertificate) 100 g_signal_connect(socketClient.get(), "event", G_CALLBACK(wssSocketClientEventCallback), nullptr); 100 g_signal_connect(socketClient.get(), "event", G_CALLBACK(socketClientEventCallback), socket.ptr()); 101 101 } 102 102 Ref<SocketStreamHandle> protectedSocketStreamHandle = socket.copyRef(); -
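Review bot: `acceptCertificateCallback` dereferences `handle` (`handle->url()`), but both `g_signal_connect(connection, "accept-certificate", ..., handle)` calls pass it as raw user data without taking a reference or disconnecting the handler, so the certificate decision depends on the handle outliving the TLS handshake. In the libsoup >= 2.61.90 path the pointer that reaches `connectProgressCallback` appears to be the same user data given to `connectedCallback`, `&protectedSocketStreamHandle.leakRef()`, whose static type is `SocketStreamHandle`, and because the callback is installed through `reinterpret_cast` nothing checks that it matches the declared `SocketStreamHandleImpl*` parameter. I would take `SocketStreamHandle*` in `connectProgressCallback` and convert explicitly with `static_cast<SocketStreamHandleImpl*>(handle)` before connecting the signal, and add a comment such as `// handle is kept alive by the ref leaked for connectedCallback; accept-certificate must not fire after that ref is released.` The lifetime reasoning is inferred, since `connectedCallback` and the rest of `create()` lie outside the hunks shown.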
trunk/Tools/ChangeLog
r230883 r230886 1 2018-04-20 Michael Catanzaro <mcatanzaro@igalia.com> 2 3 REGRESSION(r228088): [SOUP] Check TLS errors for WebSockets on GTlsConnection::accept-certificate 4 https://bugs.webkit.org/show_bug.cgi?id=184804 5 6 Reviewed by Carlos Garcia Campos. 7 8 * TestWebKitAPI/Tests/WebKitGLib/TestSSL.cpp: 9 (WebSocketTest::WebSocketTest): 10 (WebSocketTest::~WebSocketTest): 11 (WebSocketTest::serverWebSocketCallback): 12 (WebSocketTest::webSocketTestResultCallback): 13 (WebSocketTest::connectToServerAndWaitForEvents): 14 (testWebSocketTLSErrors): 15 (beforeAll): 16 1 17 2018-04-20 Chris Dumez <cdumez@apple.com> 2 18 -
trunk/Tools/TestWebKitAPI/Tests/WebKitGLib/TestSSL.cpp
r218686 r230886 339 339 } 340 340 341 #if SOUP_CHECK_VERSION(2, 50, 0) 342 class WebSocketTest : public WebViewTest { 343 public: 344 MAKE_GLIB_TEST_FIXTURE(WebSocketTest); 345 346 enum EventFlags { 347 None = 0, 348 DidServerCompleteHandshake = 1 << 0, 349 DidOpen = 1 << 1, 350 DidClose = 1 << 2 351 }; 352 353 WebSocketTest() 354 { 355 webkit_user_content_manager_register_script_message_handler(m_userContentManager.get(), "event"); 356 g_signal_connect(m_userContentManager.get(), "script-message-received::event", G_CALLBACK(webSocketTestResultCallback), this); 357 } 358 359 virtual ~WebSocketTest() 360 { 361 webkit_user_content_manager_unregister_script_message_handler(m_userContentManager.get(), "event"); 362 g_signal_handlers_disconnect_by_data(m_userContentManager.get(), this); 363 } 364 365 static constexpr const char* webSocketTestJSFormat = 366 "var socket = new WebSocket('%s');" 367 "socket.addEventListener('open', onOpen);" 368 "socket.addEventListener('close', onClose);" 369 "function onOpen() {" 370 " window.webkit.messageHandlers.event.postMessage('open');" 371 " socket.removeEventListener('close', onClose);" 372 "}" 373 "function onClose() {" 374 " window.webkit.messageHandlers.event.postMessage('close');" 375 " socket.removeEventListener('open', onOpen);" 376 "}"; 377 378 static void serverWebSocketCallback(SoupServer*, SoupWebsocketConnection*, const char*, SoupClientContext*, gpointer userData) 379 { 380 static_cast<WebSocketTest*>(userData)->m_events |= WebSocketTest::EventFlags::DidServerCompleteHandshake; 381 } 382 383 static void webSocketTestResultCallback(WebKitUserContentManager*, WebKitJavascriptResult* javascriptResult, WebSocketTest* test) 384 { 385 GUniquePtr<char> event(WebViewTest::javascriptResultToCString(javascriptResult)); 386 if (!g_strcmp0(event.get(), "open")) 387 test->m_events |= WebSocketTest::EventFlags::DidOpen; 388 else if (!g_strcmp0(event.get(), "close")) 389 test->m_events |= WebSocketTest::EventFlags::DidClose; 390 else 
391 g_assert_not_reached(); 392 test->quitMainLoop(); 393 } 394 395 unsigned connectToServerAndWaitForEvents(WebKitTestServer* server) 396 { 397 m_events = 0; 398 399 server->addWebSocketHandler(serverWebSocketCallback, this); 400 GUniquePtr<char> createWebSocketJS(g_strdup_printf(webSocketTestJSFormat, server->getWebSocketURIForPath("/foo").data())); 401 webkit_web_view_run_javascript(m_webView, createWebSocketJS.get(), nullptr, nullptr, nullptr); 402 g_main_loop_run(m_mainLoop); 403 server->removeWebSocketHandler(); 404 405 return m_events; 406 } 407 408 unsigned m_events { 0 }; 409 }; 410 411 static void testWebSocketTLSErrors(WebSocketTest* test, gconstpointer) 412 { 413 WebKitWebContext* context = webkit_web_view_get_context(test->m_webView); 414 WebKitTLSErrorsPolicy originalPolicy = webkit_web_context_get_tls_errors_policy(context); 415 webkit_web_context_set_tls_errors_policy(context, WEBKIT_TLS_ERRORS_POLICY_FAIL); 416 417 // First, check that insecure ws:// web sockets work fine. 418 unsigned events = test->connectToServerAndWaitForEvents(kHttpServer); 419 g_assert_true(events); 420 g_assert_true(events & WebSocketTest::EventFlags::DidServerCompleteHandshake); 421 g_assert_true(events & WebSocketTest::EventFlags::DidOpen); 422 g_assert_false(events & WebSocketTest::EventFlags::DidClose); 423 424 // Try again using wss:// this time. It should be blocked because the 425 // server certificate is self-signed. 426 events = test->connectToServerAndWaitForEvents(kHttpsServer); 427 g_assert_true(events); 428 g_assert_false(events & WebSocketTest::EventFlags::DidServerCompleteHandshake); 429 g_assert_false(events & WebSocketTest::EventFlags::DidOpen); 430 g_assert_true(events & WebSocketTest::EventFlags::DidClose); 431 432 // Now try wss:// again, this time ignoring TLS errors. 
433 webkit_web_context_set_tls_errors_policy(context, WEBKIT_TLS_ERRORS_POLICY_IGNORE); 434 events = test->connectToServerAndWaitForEvents(kHttpsServer); 435 g_assert_true(events & WebSocketTest::EventFlags::DidServerCompleteHandshake); 436 g_assert_true(events & WebSocketTest::EventFlags::DidOpen); 437 g_assert_false(events & WebSocketTest::EventFlags::DidClose); 438 439 webkit_web_context_set_tls_errors_policy(context, originalPolicy); 440 } 441 #endif 442 341 443 static void httpsServerCallback(SoupServer* server, SoupMessage* message, const char* path, GHashTable*, SoupClientContext*, gpointer) 342 444 { … … 425 527 TLSSubresourceTest::add("WebKitWebView", "tls-subresource", testSubresourceLoadFailedWithTLSErrors); 426 528 TLSErrorsTest::add("WebKitWebView", "load-failed-with-tls-errors", testLoadFailedWithTLSErrors); 529 #if SOUP_CHECK_VERSION(2, 50, 0) 530 WebSocketTest::add("WebKitWebView", "web-socket-tls-errors", testWebSocketTLSErrors); 531 #endif 427 532 } 428 533
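Review bot: `connectToServerAndWaitForEvents` returns as soon as the first `open` or `close` message arrives, because `webSocketTestResultCallback` calls `test->quitMainLoop()`, so `DidServerCompleteHandshake` is only a snapshot taken at that moment. The security-relevant `g_assert_false(events & WebSocketTest::EventFlags::DidServerCompleteHandshake)` in the self-signed wss:// case therefore shows that the server had not completed the handshake by the time `close` was posted, and the positive cases rely on the server callback running before the page's `open` event is delivered. A comment on the method would make that assumption explicit, e.g. `// Returns after the first open/close message; the server-handshake flag only reflects what happened before it.` The third block (policy `WEBKIT_TLS_ERRORS_POLICY_IGNORE`) also omits the `g_assert_true(events);` that the first two blocks have, which is harmless but inconsistent.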