Changeset 159632 in webkit
- Timestamp:
- Nov 21, 2013 9:43:06 AM (10 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 2 edited
trunk/Source/WebCore/ChangeLog
r159626 r159632 1 2013-11-21 Robert Sipka <sipka@inf.u-szeged.hu> 2 3 [curl]Improve ssl certificate storage and check 4 https://bugs.webkit.org/show_bug.cgi?id=124569 5 6 Reviewed by Brent Fulgham. 7 8 Storage and check the whole certificate chain, not just the root certificate. 9 10 * platform/network/curl/SSLHandle.cpp: 11 (WebCore::allowsAnyHTTPSCertificateHosts): 12 (WebCore::sslIgnoreHTTPSCertificate): 13 (WebCore::pemData): 14 (WebCore::certVerifyCallback): 15 1 16 2013-11-21 Mihai Maerean <mmaerean@adobe.com> 2 17 -
trunk/Source/WebCore/platform/network/curl/SSLHandle.cpp
r159587 r159632 33 33 #include <openssl/ssl.h> 34 34 #include <openssl/x509_vfy.h> 35 #include <wtf/HashSet.h> 35 36 36 37 namespace WebCore { 37 38 38 static HashMap<String, String> allowedHosts;39 static HashMap<String, HashSet<String>> allowedHosts; 39 40 40 41 void allowsAnyHTTPSCertificateHosts(const String& host) 41 42 { 42 HashMap<String, String>::iterator it = allowedHosts.find(host); 43 if (it != allowedHosts.end()) 44 it->value = String(); 45 else 46 allowedHosts.add(host, String()); 47 } 48 49 bool sslIgnoreHTTPSCertificate(const String& host, const String& cert) 50 { 51 HashMap<String, String>::iterator it = allowedHosts.find(host); 43 HashSet<String> certificates; 44 allowedHosts.set(host, certificates); 45 } 46 47 bool sslIgnoreHTTPSCertificate(const String& host, const HashSet<String>& certificates) 48 { 49 HashMap<String, HashSet<String>>::iterator it = allowedHosts.find(host); 52 50 if (it != allowedHosts.end()) { 53 51 if ((it->value).isEmpty()) { 54 it->value = cert ;52 it->value = certificates; 55 53 return true; 56 54 } 57 if (it->value == cert) 58 return true; 55 if (certificates.size() != it->value.size()) 56 return false; 57 HashSet<String>::const_iterator certsIter = certificates.begin(); 58 HashSet<String>::iterator valueIter = (it->value).begin(); 59 for (; valueIter != (it->value).end(); ++valueIter, ++certsIter) { 60 if (*certsIter != *valueIter) 61 return false; 62 } 63 return true; 59 64 } 60 65 return false; … … 119 124 120 125 #if !PLATFORM(WIN) 121 // success of certificate extraction 122 bool pemData(X509_STORE_CTX* ctx, String& certificate) 123 { 124 X509* errCert = X509_STORE_CTX_get_current_cert(ctx); 125 126 // get the cert in PEM format 127 BIO* bio = BIO_new(BIO_s_mem()); 128 129 int res = PEM_write_bio_X509(bio, errCert); 130 if (!res) { 126 // success of certificates extraction 127 bool pemData(X509_STORE_CTX* ctx, HashSet<String>& certificates) 128 { 129 bool ok = true; 130 STACK_OF(X509)* certs = 
X509_STORE_CTX_get1_chain(ctx); 131 for (int i = 0; i < sk_X509_num(certs); i++) { 132 X509* uCert = sk_X509_value(certs, i); 133 BIO* bio = BIO_new(BIO_s_mem()); 134 int res = PEM_write_bio_X509(bio, uCert); 135 if (!res) { 136 ok = false; 137 BIO_free(bio); 138 break; 139 } 140 141 unsigned char* certificateData; 142 long length = BIO_get_mem_data(bio, &certificateData); 143 if (length < 0) { 144 ok = false; 145 BIO_free(bio); 146 break; 147 } 148 149 certificateData[length] = '\0'; 150 String certificate = certificateData; 151 certificates.add(certificate); 131 152 BIO_free(bio); 132 return false; 133 } 134 135 unsigned char* data; 136 long len = BIO_get_mem_data(bio, &data); 137 if (len < 0) { 138 BIO_free(bio); 139 return false; 140 } 141 142 data[len] = '\0'; 143 certificate = data; 144 BIO_free(bio); 145 return true; 153 } 154 sk_X509_pop_free(certs, X509_free); 155 return ok; 146 156 } 147 157 #endif … … 167 177 ok = (it != allowedHosts.end()); 168 178 #else 169 String certificate;170 if (!pemData(ctx, certificate ))179 HashSet<String> certificates; 180 if (!pemData(ctx, certificates)) 171 181 return 0; 172 ok = sslIgnoreHTTPSCertificate(host.lower(), certificate );182 ok = sslIgnoreHTTPSCertificate(host.lower(), certificates); 173 183 #endif 174 184
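Review bot: The equality check in sslIgnoreHTTPSCertificate (new lines 55-63) walks the two HashSets in lockstep and compares element by element, which only works if both sets iterate in the same order; iteration order is not part of HashSet's contract, so a chain whose PEM strings exactly match the pinned ones can still be rejected. Keep the size check and then test each presented certificate for membership with `it->value.contains(...)` (rewrite below). In pemData, `certificateData[length] = '\0';` still writes one byte past the length BIO_get_mem_data reported, a pattern carried over from the old single-certificate code into the loop; building the string with an explicit length, `String certificate(reinterpret_cast<const char*>(certificateData), static_cast<unsigned>(length));`, removes that write. Also, if X509_STORE_CTX_get1_chain returns null, sk_X509_num yields -1, the loop never runs and pemData returns true with an empty set, which sslIgnoreHTTPSCertificate then accepts and stores as the pinned value (and an empty pinned set accepts every later chain for that host); returning false from pemData when `certificates.isEmpty()` closes that path. sslIgnoreHTTPSCertificate's closing brace and the whole of certVerifyCallback lie outside the shown hunks.
```cpp
        if (certificates.size() != it->value.size())
            return false;
        for (HashSet<String>::const_iterator certsIter = certificates.begin(); certsIter != certificates.end(); ++certsIter) {
            if (!it->value.contains(*certsIter))
                return false;
        }
        return true;
```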