Skip to content

/ servo

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement HSTS (preload-only) #6490

Merged
merged 24 commits into from Jul 22, 2015
+12,334 −56
Merged

Implement HSTS (preload-only) #6490

Changes from 1 commit
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
aa19a9a
Preload an HSTS domain list from chromium
samfoo Jun 19, 2015
d2f3555
Implement mutable HSTS list
samfoo Jun 22, 2015
72d4433
Do not allow IP address in HSTS list
samfoo Jun 22, 2015
855a948
Do not change the port when loading HSTS domain
samfoo Jun 22, 2015
cb9b0c2
Add max-age to HSTS entries
samfoo Jun 22, 2015
8d39fb6
Shift checking for IP address host for HSTS entry to constructor
samfoo Jun 22, 2015
15c90a5
Expire HSTS entries that have exceeded their max-age
samfoo Jun 23, 2015
690ac63
Rename/refactor
samfoo Jun 23, 2015
ff1777e
Evict HSTS entries when a max-age of 0 is seen
samfoo Jun 23, 2015
f284181
Abstract out ResourceManager messaging from impl
samfoo Jun 24, 2015
795454f
Adds control message for HSTS headers
samfoo Jun 24, 2015
8a401d5
Re-parse URL to not have inconsistent state
samfoo Jun 25, 2015
865fb2e
Resolve tidy issues
samfoo Jun 26, 2015
a068a80
Don't unnecessarily clone strings
samfoo Jul 8, 2015
8086034
Commit HSTS preload list to source control
samfoo Jul 8, 2015
29a34db
Resolves code review comments
samfoo Jul 18, 2015
02bd5cd
Resolves remaining code review issues
samfoo Jul 18, 2015
826f56b
Moves HSTS code to it's own module
samfoo Jul 18, 2015
f2148f0
Moves the HSTS replacement code to http_loader
samfoo Jul 18, 2015
11f5be6
Responds to more code review feedback
samfoo Jul 18, 2015
82cafc4
Passes an Arc<Mutex<HSTSList>> to threads instead of cloning
samfoo Jul 19, 2015
bae9791
Moves HSTS includeSubdomains enum to net_traits
samfoo Jul 19, 2015
5014da4
Only secure URL's that aren't already to HTTPS.
samfoo Jul 19, 2015
118122d
Uses the approach suggested by @SimonSapin for changing Url scheme
samfoo Jul 19, 2015
File filter...
Filter file types
Clear filters
Jump to…
Jump to file
Failed to load files.

Always

Just for now

Prev Next

Moves HSTS code to it's own module

  • Loading branch information
@samfoo
samfoo committed Jul 21, 2015
commit 826f56bdf3f73bc9105a252f909acd4de28fcc07
145 components/net/hsts.rs
View file
Open in desktop
@@ -0,0 +1,145 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */

use regex::Regex;
use rustc_serialize::json::{decode};
use time;
use url::Url;

use std::str::{from_utf8};

use net_traits::LoadData;
use util::resource_files::read_resource_file;

static IPV4_REGEX: Regex = regex!(
r"^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"
);
static IPV6_REGEX: Regex = regex!(r"^([a-fA-F0-9]{0,4}[:]?){1,8}(/\d{1,3})?$");

#[derive(RustcDecodable, RustcEncodable, Clone)]
pub struct HSTSEntry {
pub host: String,
pub include_subdomains: bool,
pub max_age: Option<u64>,
pub timestamp: Option<u64>
}

#[derive(PartialEq, Copy, Clone)]
pub enum Subdomains {
Included,
NotIncluded
}

impl HSTSEntry {
pub fn new(host: String, subdomains: Subdomains, max_age: Option<u64>) -> Option<HSTSEntry> {
if IPV4_REGEX.is_match(&host) || IPV6_REGEX.is_match(&host) {
None
} else {
Some(HSTSEntry {
host: host,
include_subdomains: (subdomains == Subdomains::Included),
max_age: max_age,
timestamp: Some(time::get_time().sec as u64)
})
}
}

pub fn is_expired(&self) -> bool {
match (self.max_age, self.timestamp) {
(Some(max_age), Some(timestamp)) => {
(time::get_time().sec as u64) - timestamp >= max_age
},

_ => false
}
}

fn matches_domain(&self, host: &str) -> bool {
!self.is_expired() && self.host == host
}

fn matches_subdomain(&self, host: &str) -> bool {
!self.is_expired() && host.ends_with(&format!(".{}", self.host))
}
}

#[derive(RustcDecodable, RustcEncodable)]
pub struct HSTSList {
pub entries: Vec<HSTSEntry>
}

impl HSTSList {
pub fn new_from_preload(preload_content: &str) -> Option<HSTSList> {
decode(preload_content).ok()
}

pub fn is_host_secure(&self, host: &str) -> bool {
// TODO - Should this be faster than O(n)? The HSTS list is only a few
// hundred or maybe thousand entries...
//
// Could optimise by searching for exact matches first (via a map or
// something), then checking for subdomains.
self.entries.iter().any(|e| {
if e.include_subdomains {
e.matches_subdomain(host) || e.matches_domain(host)
} else {
e.matches_domain(host)
}
})
}

fn has_domain(&self, host: &str) -> bool {
self.entries.iter().any(|e| {
e.matches_domain(&host)
})
}

fn has_subdomain(&self, host: &str) -> bool {
self.entries.iter().any(|e| {
e.matches_subdomain(host)
})
}

pub fn push(&mut self, entry: HSTSEntry) {
let have_domain = self.has_domain(&entry.host);
let have_subdomain = self.has_subdomain(&entry.host);

if !have_domain && !have_subdomain {
self.entries.push(entry);
} else if !have_subdomain {
for e in &mut self.entries {
if e.matches_domain(&entry.host) {
e.include_subdomains = entry.include_subdomains;
e.max_age = entry.max_age;
}
}
}
}
}

pub fn preload_hsts_domains() -> Option<HSTSList> {
read_resource_file(&["hsts_preload.json"]).ok().and_then(|bytes| {
from_utf8(&bytes).ok().and_then(|hsts_preload_content| {
HSTSList::new_from_preload(hsts_preload_content)
})
})
}

pub fn secure_load_data(load_data: &LoadData) -> LoadData {
if &*load_data.url.scheme == "http" {
let mut secure_load_data = load_data.clone();
let mut secure_url = load_data.url.clone();
secure_url.scheme = "https".to_string();
// The Url struct parses the port for a known scheme only once.
// Updating the scheme doesn't update the port internally, resulting in
// HTTPS connections attempted on port 80. Serialising and re-parsing
// the Url is a hack to get around this.
secure_load_data.url = Url::parse(&secure_url.serialize()).unwrap();

secure_load_data
} else {
load_data.clone()
}
}

1 components/net/lib.rs
View file
Open in desktop
@@ -40,6 +40,7 @@ pub mod image_cache_task;
pub mod net_error_list;
pub mod pub_domains;
pub mod resource_task;
pub mod hsts;
pub mod storage_task;
pub mod mime_classifier;

137 components/net/resource_task.rs
View file
Open in desktop
@@ -17,26 +17,27 @@ use net_traits::{Metadata, ProgressMsg, ResourceTask, AsyncResponseTarget, Respo
use net_traits::ProgressMsg::Done;
use util::opts;
use util::task::spawn_named;
use util::resource_files::read_resource_file;
use url::Url;

use hsts::HSTSList;
use hsts::HSTSEntry;
use hsts::Subdomains;
use hsts::preload_hsts_domains;
use hsts::secure_load_data;

use devtools_traits::{DevtoolsControlMsg};
use hyper::header::{ContentType, Header, SetCookie, UserAgent};
use hyper::mime::{Mime, TopLevel, SubLevel};

use rustc_serialize::json::{decode};

use regex::Regex;
use std::borrow::ToOwned;
use std::boxed::FnBox;
use std::collections::HashMap;
use std::env;
use std::fs::File;
use std::io::{BufReader, Read};
use std::str::{from_utf8};
use std::sync::Arc;
use std::sync::mpsc::{channel, Receiver, Sender};
use time;

static mut HOST_TABLE: Option<*mut HashMap<String, String>> = None;
static IPV4_REGEX: Regex = regex!(
@@ -162,14 +163,6 @@ pub fn start_sending_opt(start_chan: LoadConsumer, metadata: Metadata) -> Result
}
}

fn preload_hsts_domains() -> Option<HSTSList> {
read_resource_file(&["hsts_preload.json"]).ok().and_then(|bytes| {
from_utf8(&bytes).ok().and_then(|hsts_preload_content| {
HSTSList::new_from_preload(hsts_preload_content)
})
})
}

/// Create a ResourceTask
pub fn new_resource_task(user_agent: Option<String>,
devtools_chan: Option<Sender<DevtoolsControlMsg>>) -> ResourceTask {
@@ -192,124 +185,6 @@ pub fn new_resource_task(user_agent: Option<String>,
setup_chan
}

#[derive(RustcDecodable, RustcEncodable, Clone)]
pub struct HSTSEntry {
pub host: String,
pub include_subdomains: bool,
pub max_age: Option<u64>,
pub timestamp: Option<u64>
}

#[derive(PartialEq, Copy, Clone)]
pub enum Subdomains {
Included,
NotIncluded
}

impl HSTSEntry {
pub fn new(host: String, subdomains: Subdomains, max_age: Option<u64>) -> Option<HSTSEntry> {
if IPV4_REGEX.is_match(&host) || IPV6_REGEX.is_match(&host) {
None
} else {
Some(HSTSEntry {
host: host,
include_subdomains: (subdomains == Subdomains::Included),
max_age: max_age,
timestamp: Some(time::get_time().sec as u64)
})
}
}

pub fn is_expired(&self) -> bool {
match (self.max_age, self.timestamp) {
(Some(max_age), Some(timestamp)) => {
(time::get_time().sec as u64) - timestamp >= max_age
},

_ => false
}
}

fn matches_domain(&self, host: &str) -> bool {
!self.is_expired() && self.host == host
}

fn matches_subdomain(&self, host: &str) -> bool {
!self.is_expired() && host.ends_with(&format!(".{}", self.host))
}
}

#[derive(RustcDecodable, RustcEncodable)]
pub struct HSTSList {
pub entries: Vec<HSTSEntry>
}

impl HSTSList {
pub fn new_from_preload(preload_content: &str) -> Option<HSTSList> {
decode(preload_content).ok()
}

pub fn is_host_secure(&self, host: &str) -> bool {
// TODO - Should this be faster than O(n)? The HSTS list is only a few
// hundred or maybe thousand entries...
//
// Could optimise by searching for exact matches first (via a map or
// something), then checking for subdomains.
self.entries.iter().any(|e| {
if e.include_subdomains {
e.matches_subdomain(host) || e.matches_domain(host)
} else {
e.matches_domain(host)
}
})
}

fn has_domain(&self, host: &str) -> bool {
self.entries.iter().any(|e| {
e.matches_domain(&host)
})
}

fn has_subdomain(&self, host: &str) -> bool {
self.entries.iter().any(|e| {
e.matches_subdomain(host)
})
}

pub fn push(&mut self, entry: HSTSEntry) {
let have_domain = self.has_domain(&entry.host);
let have_subdomain = self.has_subdomain(&entry.host);

if !have_domain && !have_subdomain {
self.entries.push(entry);
} else if !have_subdomain {
for e in &mut self.entries {
if e.matches_domain(&entry.host) {
e.include_subdomains = entry.include_subdomains;
e.max_age = entry.max_age;
}
}
}
}
}

pub fn secure_load_data(load_data: &LoadData) -> LoadData {
if &*load_data.url.scheme == "http" {
let mut secure_load_data = load_data.clone();
let mut secure_url = load_data.url.clone();
secure_url.scheme = "https".to_string();
// The Url struct parses the port for a known scheme only once.
// Updating the scheme doesn't update the port internally, resulting in
// HTTPS connections attempted on port 80. Serialising and re-parsing
// the Url is a hack to get around this.
secure_load_data.url = Url::parse(&secure_url.serialize()).unwrap();

secure_load_data
} else {
load_data.clone()
}
}

pub fn parse_hostsfile(hostsfile_content: &str) -> Box<HashMap<String, String>> {
let mut host_table = HashMap::new();
let lines: Vec<&str> = hostsfile_content.split('\n').collect();
ProTip! Use n and p to navigate between commits in a pull request.
You can’t perform that action at this time.