[Libreoffice-commits] online.git: Branch 'distro/collabora/collabora-online-2-1' - loolwsd.xml.in wsd/FileServer.cpp wsd/LOOLWSD.cpp
Pranav Kant
pranavk at collabora.co.uk
Mon Apr 10 12:46:59 UTC 2017
loolwsd.xml.in | 7 ++++++
wsd/FileServer.cpp | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++
wsd/LOOLWSD.cpp | 4 +++
3 files changed, 68 insertions(+)
New commits:
commit 8db2911cd45a059262814f78b286d9419eab2045
Author: Pranav Kant <pranavk at collabora.co.uk>
Date: Mon Apr 10 13:42:29 2017 +0530
security: Implement HTTP Public key pinning
Though this guard the user against MITM attacks, but enabling this also
has the potential to brick your websites. So, do not use it/enable it
without understanding what it actually is.
See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
Though this should work, but I have not been able to test it because of
Firefox and Chrome's limitation/feature that key validation is not done
when certificate chain terminates at a user-defined trust anchor and I
couldn't find any way to temporarily enable the HPKP key validation for
such CA chains.
Change-Id: I64d4ff82b04c59642fa7b8bac2f8788a03950b28
Reviewed-on: https://gerrit.libreoffice.org/36357
Reviewed-by: pranavk <pranavk at collabora.co.uk>
Tested-by: pranavk <pranavk at collabora.co.uk>
(cherry picked from commit 1437a060ec9eb24c4b33fcbb1ed76950a861da81)
Reviewed-on: https://gerrit.libreoffice.org/36379
diff --git a/loolwsd.xml.in b/loolwsd.xml.in
index a37ec2b5..511b5479 100644
--- a/loolwsd.xml.in
+++ b/loolwsd.xml.in
@@ -51,6 +51,13 @@
<cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/cert.pem</cert_file_path>
<key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/key.pem</key_file_path>
<ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/ca-chain.cert.pem</ca_file_path>
+ <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
+ <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
+ <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"></report_uri>
+ <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
+ <pin></pin>
+ </pins>
+ </hpkp>
</ssl>
<storage desc="Backend storage">
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index 9f056903..b8448ddb 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -357,6 +357,63 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
oss << "X-Frame-Options: deny\r\n";
}
+ // Setup HTTP Public key pinning
+ if (LOOLWSD::isSSLEnabled() && config.getBool("ssl.hpkp[@enable]", false))
+ {
+ size_t i = 0;
+ std::string pinPath = "ssl.hpkp.pins.pin[" + std::to_string(i) + "]";
+ std::ostringstream hpkpOss;
+ bool keysPinned = false;
+ while (config.has(pinPath))
+ {
+ const auto pin = config.getString(pinPath, "");
+ if (!pin.empty())
+ {
+ hpkpOss << "pin-sha256=\"" << pin << "\"; ";
+ keysPinned = true;
+ }
+ pinPath = "ssl.hpkp.pins.pin[" + std::to_string(++i) + "]";
+ }
+
+ if (keysPinned && config.getBool("ssl.hpkp.max_age[@enable]", false))
+ {
+ int maxAge = 1000; // seconds
+ try
+ {
+ maxAge = config.getInt("ssl.hpkp.max_age", maxAge);
+ }
+ catch (Poco::SyntaxException& exc)
+ {
+ LOG_WRN("Invalid value of HPKP's max-age directive found in config file. Defaulting to "
+ << maxAge);
+ }
+ hpkpOss << "max-age=" << maxAge << "; ";
+ }
+
+ if (keysPinned && config.getBool("ssl.hpkp.report_uri[@enable]", false))
+ {
+ const std::string reportUri = config.getString("ssl.hpkp.report_uri", "");
+ if (!reportUri.empty())
+ {
+ hpkpOss << "report-uri=" << reportUri << "; ";
+ }
+ }
+
+ if (!hpkpOss.str().empty())
+ {
+ if (config.getBool("ssl.hpkp[@report_only]", false))
+ {
+ // Only send validation failure reports to reportUri while still allowing UAs to
+ // connect to the server
+ oss << "Public-Key-Pins-Report-Only: " << hpkpOss.str() << "\r\n";
+ }
+ else
+ {
+ oss << "Public-Key-Pins: " << hpkpOss.str() << "\r\n";
+ }
+ }
+ }
+
oss << "\r\n"
<< preprocess;
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 2d1c6779..0f91598e 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -623,6 +623,10 @@ void LOOLWSD::initialize(Application& self)
{ "ssl.cert_file_path", LOOLWSD_CONFIGDIR "/cert.pem" },
{ "ssl.key_file_path", LOOLWSD_CONFIGDIR "/key.pem" },
{ "ssl.ca_file_path", LOOLWSD_CONFIGDIR "/ca-chain.cert.pem" },
+ { "ssl.hpkp[@enable]", "false" },
+ { "ssl.hpkp[@report_only]", "false" },
+ { "ssl.hpkp.max_age[@enable]", "true" },
+ { "ssl.hpkp.report_uri[@enable]", "false" },
{ "storage.filesystem[@allow]", "false" },
{ "storage.wopi[@allow]", "true" },
{ "storage.wopi.host[0][@allow]", "true" },
More information about the Libreoffice-commits
mailing list