servo: Merge #11115 - Use openssl-verify to check certificate + hostn…

…ame (from mbrubeck:openssl-verify); r=jdm

Fixes #4954.  r? jdm

This is based on hyperium/hyper#472, though it doesn't re-use that code directly because Servo configures its own OpenSSL context.

Source-Repo: https://github.com/servo/servo
Source-Revision: 40be84df26ce3ce80851e751374154c015506921

UltraBlame original commit: 4403e83bbb8e763bb0f0e8509051a286eb73ec41

servo/components/net/Cargo.toml

@@ -28,6 +28,7 @@ matches = "0.1"
 mime = "0.2.0"
 mime_guess = "1.6.0"
 openssl = "0.7.6"
+openssl-verify = "0.1"
 rustc-serialize = "0.3"
 threadpool = "1.0"
 time = "0.1.17"

servo/components/net/connector.rs

@@ -0,0 +1,58 @@
+
+
+
+
+use hyper::client::Pool;
+use hyper::net::{HttpStream, HttpsConnector, SslClient};
+use openssl::ssl::{SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3, SSL_VERIFY_PEER};
+use openssl::ssl::{Ssl, SslContext, SslMethod, SslStream};
+use std::sync::Arc;
+use util::resource_files::resources_dir_path;
+
+pub type Connector = HttpsConnector<ServoSslClient>;
+
+
+
+
+
+const DEFAULT_CIPHERS: &'static str = concat!(
+    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:",
+    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:",
+    "DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:",
+    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:",
+    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:",
+    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:",
+    "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:",
+    "ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:",
+    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
+);
+
+pub fn create_http_connector() -> Arc<Pool<Connector>> {
+    let mut context = SslContext::new(SslMethod::Sslv23).unwrap();
+    context.set_CA_file(&resources_dir_path().join("certs")).unwrap();
+    context.set_cipher_list(DEFAULT_CIPHERS).unwrap();
+    context.set_options(SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3);
+    let connector = HttpsConnector::new(ServoSslClient {
+        context: Arc::new(context)
+    });
+
+    Arc::new(Pool::with_connector(Default::default(), connector))
+}
+
+pub struct ServoSslClient {
+    context: Arc<SslContext>,
+}
+
+impl SslClient for ServoSslClient {
+    type Stream = SslStream<HttpStream>;
+
+    fn wrap_client(&self, stream: HttpStream, host: &str) -> Result<Self::Stream, ::hyper::Error> {
+        let mut ssl = try!(Ssl::new(&self.context));
+        try!(ssl.set_hostname(host));
+        let host = host.to_owned();
+        ssl.set_verify_callback(SSL_VERIFY_PEER, move |p, x| {
+            ::openssl_verify::verify_callback(&host, p, x)
+        });
+        SslStream::connect(ssl, stream).map_err(From::from)
+    }
+}

servo/components/net/fetch/methods.rs

@@ -2,9 +2,10 @@
 
 
 
+use connector::create_http_connector;
 use data_loader::decode;
 use fetch::cors_cache::CORSCache;
-use http_loader::{NetworkHttpRequestFactory, create_http_connector, obtain_response};
+use http_loader::{NetworkHttpRequestFactory, obtain_response};
 use hyper::header::{Accept, AcceptLanguage, Authorization, AccessControlAllowCredentials};
 use hyper::header::{AccessControlAllowOrigin, AccessControlAllowHeaders, AccessControlAllowMethods};
 use hyper::header::{AccessControlRequestHeaders, AccessControlMaxAge, AccessControlRequestMethod, Basic};

servo/components/net/http_loader.rs

@@ -4,6 +4,7 @@
 
 
 use brotli::Decompressor;
+use connector::Connector;
 use cookie;
 use cookie_storage::CookieStorage;
 use devtools_traits::{ChromeToDevtoolsControlMsg, DevtoolsControlMsg, HttpRequest as DevtoolsHttpRequest};
@@ -19,7 +20,7 @@ use hyper::header::{Location, SetCookie, StrictTransportSecurity, UserAgent, qit
 use hyper::http::RawStatus;
 use hyper::method::Method;
 use hyper::mime::{Mime, SubLevel, TopLevel};
-use hyper::net::{Fresh, HttpsConnector, Openssl};
+use hyper::net::Fresh;
 use hyper::status::{StatusClass, StatusCode};
 use log;
 use mime_classifier::MIMEClassifier;
@@ -30,7 +31,6 @@ use net_traits::response::HttpsState;
 use net_traits::{CookieSource, IncludeSubdomains, LoadConsumer, LoadContext, LoadData};
 use net_traits::{Metadata, NetworkError};
 use openssl::ssl::error::{SslError, OpensslError};
-use openssl::ssl::{SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3, SSL_VERIFY_PEER, SslContext, SslMethod};
 use resource_thread::{CancellationListener, send_error, start_sending_sniffed_opt, AuthCache, AuthCacheEntry};
 use std::borrow::ToOwned;
 use std::boxed::FnBox;
@@ -46,41 +46,9 @@ use time::Tm;
 use tinyfiledialogs;
 use url::{Url, Position};
 use util::prefs;
-use util::resource_files::resources_dir_path;
 use util::thread::spawn_named;
 use uuid;
 
-pub type Connector = HttpsConnector<Openssl>;
-
-
-
-
-
-const DEFAULT_CIPHERS: &'static str = concat!(
-    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:",
-    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:",
-    "DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:",
-    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:",
-    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:",
-    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:",
-    "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:",
-    "ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:",
-    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
-);
-
-pub fn create_http_connector() -> Arc<Pool<Connector>> {
-    let mut context = SslContext::new(SslMethod::Sslv23).unwrap();
-    context.set_verify(SSL_VERIFY_PEER, None);
-    context.set_CA_file(&resources_dir_path().join("certs")).unwrap();
-    context.set_cipher_list(DEFAULT_CIPHERS).unwrap();
-    context.set_options(SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3);
-    let connector = HttpsConnector::new(Openssl {
-        context: Arc::new(context)
-    });
-
-    Arc::new(Pool::with_connector(Default::default(), connector))
-}
-
 pub fn factory(user_agent: String,
                http_state: HttpState,
                devtools_chan: Option<Sender<DevtoolsControlMsg>>,

servo/components/net/lib.rs

@@ -29,6 +29,7 @@ extern crate mime_guess;
 extern crate msg;
 extern crate net_traits;
 extern crate openssl;
+extern crate openssl_verify;
 extern crate rustc_serialize;
 extern crate threadpool;
 extern crate time;
@@ -44,6 +45,7 @@ extern crate websocket;
 pub mod about_loader;
 pub mod bluetooth_thread;
 pub mod chrome_loader;
+pub mod connector;
 pub mod cookie;
 pub mod cookie_storage;
 pub mod data_loader;

servo/components/net/resource_thread.rs

@@ -5,13 +5,14 @@
 
 use about_loader;
 use chrome_loader;
+use connector::{Connector, create_http_connector};
 use cookie;
 use cookie_storage::CookieStorage;
 use data_loader;
 use devtools_traits::{DevtoolsControlMsg};
 use file_loader;
 use hsts::HstsList;
-use http_loader::{self, Connector, create_http_connector, HttpState};
+use http_loader::{self, HttpState};
 use hyper::client::pool::Pool;
 use hyper::header::{ContentType, Header, SetCookie};
 use hyper::mime::{Mime, SubLevel, TopLevel};