Changeset 159632 in webkit


Ignore:
Timestamp:
Nov 21, 2013 9:43:06 AM (10 years ago)
Author:
commit-queue@webkit.org
Message:

[curl]Improve ssl certificate storage and check
https://bugs.webkit.org/show_bug.cgi?id=124569

Patch by Robert Sipka <sipka@inf.u-szeged.hu> on 2013-11-21
Reviewed by Brent Fulgham.

Storage and check the whole certificate chain, not just the root certificate.

  • platform/network/curl/SSLHandle.cpp:

(WebCore::allowsAnyHTTPSCertificateHosts):
(WebCore::sslIgnoreHTTPSCertificate):
(WebCore::pemData):
(WebCore::certVerifyCallback):

Location:
trunk/Source/WebCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/WebCore/ChangeLog

    r159626 r159632  
     12013-11-21  Robert Sipka  <sipka@inf.u-szeged.hu>
     2
     3        [curl]Improve ssl certificate storage and check
     4        https://bugs.webkit.org/show_bug.cgi?id=124569
     5
     6        Reviewed by Brent Fulgham.
     7
     8        Storage and check the whole certificate chain, not just the root certificate.
     9
     10        * platform/network/curl/SSLHandle.cpp:
     11        (WebCore::allowsAnyHTTPSCertificateHosts):
     12        (WebCore::sslIgnoreHTTPSCertificate):
     13        (WebCore::pemData):
     14        (WebCore::certVerifyCallback):
     15
    1162013-11-21  Mihai Maerean  <mmaerean@adobe.com>
    217

  • trunk/Source/WebCore/platform/network/curl/SSLHandle.cpp

    r159587 r159632  
    3333#include <openssl/ssl.h>
    3434#include <openssl/x509_vfy.h>
     35#include <wtf/HashSet.h>
    3536
    3637namespace WebCore {
    3738
    38 static HashMap<String, String> allowedHosts;
     39static HashMap<String, HashSet<String>> allowedHosts;
    3940
    4041void allowsAnyHTTPSCertificateHosts(const String& host)
    4142{
    42     HashMap<String, String>::iterator it = allowedHosts.find(host);
    43     if (it != allowedHosts.end())
    44         it->value = String();
    45     else
    46         allowedHosts.add(host, String());
    47 }
    48 
    49 bool sslIgnoreHTTPSCertificate(const String& host, const String& cert)
    50 {
    51     HashMap<String, String>::iterator it = allowedHosts.find(host);
     43    HashSet<String> certificates;
     44    allowedHosts.set(host, certificates);
     45}
     46
     47bool sslIgnoreHTTPSCertificate(const String& host, const HashSet<String>& certificates)
     48{
     49    HashMap<String, HashSet<String>>::iterator it = allowedHosts.find(host);
    5250    if (it != allowedHosts.end()) {
    5351        if ((it->value).isEmpty()) {
    54             it->value = cert;
     52            it->value = certificates;
    5553            return true;
    5654        }
    57         if (it->value == cert)
    58             return true;
     55        if (certificates.size() != it->value.size())
     56            return false;
     57        HashSet<String>::const_iterator certsIter = certificates.begin();
     58        HashSet<String>::iterator valueIter = (it->value).begin();
     59        for (; valueIter != (it->value).end(); ++valueIter, ++certsIter) {
     60            if (*certsIter != *valueIter)
     61                return false;
     62        }
     63        return true;
    5964    }
    6065    return false;
     
    119124
    120125#if !PLATFORM(WIN)
    121 // success of certificate extraction
    122 bool pemData(X509_STORE_CTX* ctx, String& certificate)
    123 {
    124     X509* errCert = X509_STORE_CTX_get_current_cert(ctx);
    125 
    126     // get the cert in PEM format
    127     BIO* bio = BIO_new(BIO_s_mem());
    128 
    129     int res = PEM_write_bio_X509(bio, errCert);
    130     if (!res) {
     126// success of certificates extraction
     127bool pemData(X509_STORE_CTX* ctx, HashSet<String>& certificates)
     128{
     129    bool ok = true;
     130    STACK_OF(X509)* certs = X509_STORE_CTX_get1_chain(ctx);
     131    for (int i = 0; i < sk_X509_num(certs); i++) {
     132        X509* uCert = sk_X509_value(certs, i);
     133        BIO* bio = BIO_new(BIO_s_mem());
     134        int res = PEM_write_bio_X509(bio, uCert);
     135        if (!res) {
     136            ok = false;
     137            BIO_free(bio);
     138            break;
     139        }
     140
     141        unsigned char* certificateData;
     142        long length = BIO_get_mem_data(bio, &certificateData);
     143        if (length < 0) {
     144            ok = false;
     145            BIO_free(bio);
     146            break;
     147        }
     148
     149        certificateData[length] = '\0';
     150        String certificate = certificateData;
     151        certificates.add(certificate);
    131152        BIO_free(bio);
    132         return false;
    133     }
    134 
    135     unsigned char* data;
    136     long len = BIO_get_mem_data(bio, &data);
    137     if (len < 0) {
    138         BIO_free(bio);
    139         return false;
    140     }
    141 
    142     data[len] = '\0';
    143     certificate = data;
    144     BIO_free(bio);
    145     return true;
     153    }
     154        sk_X509_pop_free(certs, X509_free);
     155        return ok;
    146156}
    147157#endif
     
    167177    ok = (it != allowedHosts.end());
    168178#else
    169     String certificate;
    170     if (!pemData(ctx, certificate))
     179    HashSet<String> certificates;
     180    if (!pemData(ctx, certificates))
    171181        return 0;
    172     ok = sslIgnoreHTTPSCertificate(host.lower(), certificate);
     182    ok = sslIgnoreHTTPSCertificate(host.lower(), certificates);
    173183#endif
    174184
Note: See TracChangeset for help on using the changeset viewer.