Changeset 233919 in webkit

Timestamp:

Jul 18, 2018 11:35:16 AM (6 years ago)

Author:

Basuke Suzuki

Message:

[Curl] Disable CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST specified by setAllowsAnyHTTPSCertificate.
​https://bugs.webkit.org/show_bug.cgi?id=187611

Reviewed by Fujii Hironori.

Current interface for TLS certificate validation for Curl port are as follows:

• WEBCORE_EXPORT void setHostAllowsAnyHTTPSCertificate(const String&);
• bool isAllowedHTTPSCertificateHost(const String&);
• bool canIgnoredHTTPSCertificate(const String&, const Vector<CertificateInfo::Certificate>&);

First one registers a host to be ignored for any certificate check. Once it is registered, no
further certificate validation check is executed.
Second one checks the host is registered in the list above.
Third one is weird. The method signature implies it checks the certificate for the host and detect
whether we can ignore this certificate for the host, but actually it just check only the host and
register the certificate into the vector. Then in the next request for the host, the certificate
will be checked with the previously stored certificate.

It's hard to understand, but in short,

• We can register a host as an exception for any TLS certificate validation.
• But only certificate arrived first is ignored, not any certificates for the host (which is rare, but possible for mis configured web cluster).

This behavior is incomplete. To ignore any certificates of the host, these two methods are enough:

• void allowAnyHTTPSCertificatesForHost(const String&)
• bool canIgnoreAnyHTTPSCertificatesForHost(const String&)

No new tests. Covered by existing tests.

• platform/network/curl/CertificateInfo.h:
• platform/network/curl/CurlContext.cpp:

(WebCore::CurlHandle::enableSSLForHost): Ignore TLS verification for registered host.

• platform/network/curl/CurlSSLHandle.cpp:

(WebCore::CurlSSLHandle::allowAnyHTTPSCertificatesForHost): Added.
(WebCore::CurlSSLHandle::canIgnoreAnyHTTPSCertificatesForHost const): Ditto.
(WebCore::CurlSSLHandle::setClientCertificateInfo): Separate lock.
(WebCore::CurlSSLHandle::getSSLClientCertificate const): Ditto and add const.
(WebCore::CurlSSLHandle::setHostAllowsAnyHTTPSCertificate): Deleted.
(WebCore::CurlSSLHandle::isAllowedHTTPSCertificateHost): Deleted.
(WebCore::CurlSSLHandle::canIgnoredHTTPSCertificate): Deleted.
(WebCore::CurlSSLHandle::getSSLClientCertificate): Deleted.

• platform/network/curl/CurlSSLHandle.h:
• platform/network/curl/CurlSSLVerifier.cpp:

(WebCore::CurlSSLVerifier::CurlSSLVerifier):
(WebCore::CurlSSLVerifier::collectInfo): Renamed from verify.
(WebCore::CurlSSLVerifier::verifyCallback):
(WebCore::CurlSSLVerifier::verify): Renamed to collectInfo.

• platform/network/curl/CurlSSLVerifier.h:
• platform/network/curl/ResourceHandleCurl.cpp:

(WebCore::ResourceHandle::setHostAllowsAnyHTTPSCertificate): Rename calling method.

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• platform/network/curl/CertificateInfo.h (modified) (1 diff)
• platform/network/curl/CurlContext.cpp (modified) (1 diff)
• platform/network/curl/CurlSSLHandle.cpp (modified) (1 diff)
• platform/network/curl/CurlSSLHandle.h (modified) (3 diffs)
• platform/network/curl/CurlSSLVerifier.cpp (modified) (3 diffs)
• platform/network/curl/CurlSSLVerifier.h (modified) (1 diff)
• platform/network/curl/ResourceHandleCurl.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-07-18  Basuke Suzuki  <Basuke.Suzuki@sony.com>
+
+        [Curl] Disable CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST specified by setAllowsAnyHTTPSCertificate.
+        https://bugs.webkit.org/show_bug.cgi?id=187611
+
+        Reviewed by Fujii Hironori.
+
+        Current interface for TLS certificate validation for Curl port are as follows:
+
+        - WEBCORE_EXPORT void setHostAllowsAnyHTTPSCertificate(const String&);
+        - bool isAllowedHTTPSCertificateHost(const String&);
+        - bool canIgnoredHTTPSCertificate(const String&, const Vector<CertificateInfo::Certificate>&);
+
+        First one registers a host to be ignored for any certificate check. Once it is registered, no
+        further certificate validation check is executed.
+        Second one checks the host is registered in the list above.
+        Third one is weird. The method signature implies it checks the certificate for the host and detect
+        whether we can ignore this certificate for the host, but actually it  just check only the host and
+        register the certificate into the vector. Then in the next request for the host, the certificate
+        will be checked with the previously stored certificate.
+
+        It's hard to understand, but in short,
+        - We can register a host as an exception for any TLS certificate validation.
+        - But only certificate arrived first is ignored, not any certificates for the host
+          (which is rare, but possible for mis configured web cluster).
+
+        This behavior is incomplete. To ignore any certificates of the host, these two methods are enough:
+
+        - void allowAnyHTTPSCertificatesForHost(const String&)
+        - bool canIgnoreAnyHTTPSCertificatesForHost(const String&)
+
+        No new tests. Covered by existing tests.
+
+        * platform/network/curl/CertificateInfo.h:
+        * platform/network/curl/CurlContext.cpp:
+        (WebCore::CurlHandle::enableSSLForHost): Ignore TLS verification for registered host.
+        * platform/network/curl/CurlSSLHandle.cpp:
+        (WebCore::CurlSSLHandle::allowAnyHTTPSCertificatesForHost): Added.
+        (WebCore::CurlSSLHandle::canIgnoreAnyHTTPSCertificatesForHost const): Ditto.
+        (WebCore::CurlSSLHandle::setClientCertificateInfo): Separate lock.
+        (WebCore::CurlSSLHandle::getSSLClientCertificate const): Ditto and add const.
+        (WebCore::CurlSSLHandle::setHostAllowsAnyHTTPSCertificate): Deleted.
+        (WebCore::CurlSSLHandle::isAllowedHTTPSCertificateHost): Deleted.
+        (WebCore::CurlSSLHandle::canIgnoredHTTPSCertificate): Deleted.
+        (WebCore::CurlSSLHandle::getSSLClientCertificate): Deleted.
+        * platform/network/curl/CurlSSLHandle.h:
+        * platform/network/curl/CurlSSLVerifier.cpp:
+        (WebCore::CurlSSLVerifier::CurlSSLVerifier):
+        (WebCore::CurlSSLVerifier::collectInfo): Renamed from verify.
+        (WebCore::CurlSSLVerifier::verifyCallback):
+        (WebCore::CurlSSLVerifier::verify): Renamed to collectInfo.
+        * platform/network/curl/CurlSSLVerifier.h:
+        * platform/network/curl/ResourceHandleCurl.cpp:
+        (WebCore::ResourceHandle::setHostAllowsAnyHTTPSCertificate): Rename calling method.
+
 2018-07-18  Myles C. Maxfield  <mmaxfield@apple.com>
 

trunk/Source/WebCore/platform/network/curl/CertificateInfo.h

@@ -33 +33 @@
 class CertificateInfo {
 public:
-    using Certificate = Vector<char>;
+    using Certificate = Vector<uint8_t>;
 
     CertificateInfo() = default;

trunk/Source/WebCore/platform/network/curl/CurlContext.cpp

@@ -302 +302 @@
     }
 
-    if (sslHandle.shouldIgnoreSSLErrors()) {
+    if (sslHandle.canIgnoreAnyHTTPSCertificatesForHost(host) || sslHandle.shouldIgnoreSSLErrors()) {
         setSslVerifyPeer(CurlHandle::VerifyPeer::Disable);
         setSslVerifyHost(CurlHandle::VerifyHost::LooseNameCheck);

trunk/Source/WebCore/platform/network/curl/CurlSSLHandle.cpp

@@ -93 +93 @@
 }
 
-void CurlSSLHandle::setHostAllowsAnyHTTPSCertificate(const String& hostName)
+void CurlSSLHandle::allowAnyHTTPSCertificatesForHost(const String& host)
 {
-    LockHolder mutex(m_mutex);
+    LockHolder mutex(m_allowedHostsLock);
 
-    m_allowedHosts.set(hostName, Vector<CertificateInfo::Certificate> { });
+    m_allowedHosts.addVoid(host);
 }
 
-bool CurlSSLHandle::isAllowedHTTPSCertificateHost(const String& hostName)
+bool CurlSSLHandle::canIgnoreAnyHTTPSCertificatesForHost(const String& host) const
 {
-    LockHolder mutex(m_mutex);
+    LockHolder mutex(m_allowedHostsLock);
 
-    auto it = m_allowedHosts.find(hostName);
-    return (it != m_allowedHosts.end());
-}
-
-bool CurlSSLHandle::canIgnoredHTTPSCertificate(const String& hostName, const Vector<CertificateInfo::Certificate>& certificates)
-{
-    LockHolder mutex(m_mutex);
-
-    auto found = m_allowedHosts.find(hostName);
-    if (found == m_allowedHosts.end())
-        return false;
-
-    auto& value = found->value;
-    if (value.isEmpty()) {
-        value = certificates;
-        return true;
-    }
-
-    return std::equal(certificates.begin(), certificates.end(), value.begin());
+    return m_allowedHosts.contains(host);
 }
 
 void CurlSSLHandle::setClientCertificateInfo(const String& hostName, const String& certificate, const String& key)
 {
-    LockHolder mutex(m_mutex);
+    LockHolder mutex(m_allowedClientHostsLock);
 
     m_allowedClientHosts.set(hostName, ClientCertificate { certificate, key });
 }
 
-std::optional<CurlSSLHandle::ClientCertificate> CurlSSLHandle::getSSLClientCertificate(const String& hostName)
+std::optional<CurlSSLHandle::ClientCertificate> CurlSSLHandle::getSSLClientCertificate(const String& hostName) const
 {
-    LockHolder mutex(m_mutex);
+    LockHolder mutex(m_allowedClientHostsLock);
 
     auto it = m_allowedClientHosts.find(hostName);

trunk/Source/WebCore/platform/network/curl/CurlSSLHandle.h

@@ -30 +30 @@
 #include <openssl/crypto.h>
 #include <wtf/HashMap.h>
+#include <wtf/HashSet.h>
 #include <wtf/NeverDestroyed.h>
-#include <wtf/Noncopyable.h>
 #include <wtf/Variant.h>
 #include <wtf/text/StringHash.h>
@@ -70 +70 @@
     WEBCORE_EXPORT void clearCACertInfo();
 
-    WEBCORE_EXPORT void setHostAllowsAnyHTTPSCertificate(const String&);
-    bool isAllowedHTTPSCertificateHost(const String&);
-    bool canIgnoredHTTPSCertificate(const String&, const Vector<CertificateInfo::Certificate>&);
+    WEBCORE_EXPORT void allowAnyHTTPSCertificatesForHost(const String& host);
+    bool canIgnoreAnyHTTPSCertificatesForHost(const String&) const;
 
     WEBCORE_EXPORT void setClientCertificateInfo(const String&, const String&, const String&);
-    std::optional<ClientCertificate> getSSLClientCertificate(const String&);
+    std::optional<ClientCertificate> getSSLClientCertificate(const String&) const;
 
 private:
@@ -114 +113 @@
     bool m_ignoreSSLErrors { false };
 
-    Lock m_mutex;
-    HashMap<String, Vector<CertificateInfo::Certificate>, ASCIICaseInsensitiveHash> m_allowedHosts;
+    mutable Lock m_allowedHostsLock;
+    mutable Lock m_allowedClientHostsLock;
+    HashSet<String, ASCIICaseInsensitiveHash> m_allowedHosts;
     HashMap<String, ClientCertificate, ASCIICaseInsensitiveHash> m_allowedClientHosts;
 };

trunk/Source/WebCore/platform/network/curl/CurlSSLVerifier.cpp

@@ -48 +48 @@
 
 #if defined(LIBRESSL_VERSION_NUMBER)
-    if (auto* data = WTF::get_if<Vector<char>>(sslHandle.getCACertInfo()))
-        SSL_CTX_load_verify_mem(ctx, static_cast<void*>(const_cast<char*>(data->data())), data->size());
+    if (auto data = WTF::get_if<CertificateInfo::Certificate>(sslHandle.getCACertInfo()))
+        SSL_CTX_load_verify_mem(ctx, static_cast<void*>(const_cast<uint8_t*>(data->data())), data->size());
 #endif
 
@@ -63 +63 @@
 }
 
-bool CurlSSLVerifier::verify(X509StoreCTX* ctx)
-{
-    // whether the verification of the certificate in question was passed (preverify_ok=1) or not (preverify_ok=0)
+void CurlSSLVerifier::collectInfo(X509StoreCTX* ctx)
+{
     m_certificateInfo = CertificateInfo { X509_STORE_CTX_get_error(ctx), pemDataFromCtx(ctx) };
 
-    auto error = m_certificateInfo.verificationError();
-    if (!error)
-        return 1;
-
-    m_sslErrors = static_cast<int>(convertToSSLCertificateFlags(error));
-
-#if PLATFORM(WIN)
-    bool ok = CurlContext::singleton().sslHandle().isAllowedHTTPSCertificateHost(m_curlHandle.url().host().toString());
-#else
-    bool ok = CurlContext::singleton().sslHandle().canIgnoredHTTPSCertificate(m_curlHandle.url().host().toString(), m_certificateInfo.certificateChain());
-#endif
-
-    if (ok) {
-        // if the host and the certificate are stored for the current handle that means is enabled,
-        // so don't need to curl verifies the authenticity of the peer's certificate
-        m_curlHandle.setSslVerifyPeer(CurlHandle::VerifyPeer::Disable);
-    }
-
-    return ok;
-}
-
-int CurlSSLVerifier::verifyCallback(int ok, X509StoreCTX* ctx)
+    if (auto error = m_certificateInfo.verificationError())
+        m_sslErrors = static_cast<int>(convertToSSLCertificateFlags(error));
+}
+
+int CurlSSLVerifier::verifyCallback(int preverified, X509StoreCTX* ctx)
 {
     auto ssl = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
@@ -95 +77 @@
     auto verifier = static_cast<CurlSSLVerifier*>(SSL_CTX_get_app_data(sslCtx));
 
-    // whether the verification of the certificate in question was passed (preverify_ok=1) or not (preverify_ok=0)
-    return verifier->verify(ctx);
+    verifier->collectInfo(ctx);
+    // whether the verification of the certificate in question was passed (preverified=1) or not (preverified=0)
+    return preverified;
 }
 

trunk/Source/WebCore/platform/network/curl/CurlSSLVerifier.h

@@ -64 +64 @@
     CertificateInfo m_certificateInfo;
 
-    bool verify(X509StoreCTX*);
+    void collectInfo(X509StoreCTX*);
 };
 

trunk/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp

@@ -170 +170 @@
     ASSERT(isMainThread());
 
-    CurlContext::singleton().sslHandle().setHostAllowsAnyHTTPSCertificate(host);
+    CurlContext::singleton().sslHandle().allowAnyHTTPSCertificatesForHost(host);
 }