[Libreoffice-commits] online.git: Branch 'distro/collabora/collabora-online-2-1' - loolwsd.xml.in wsd/FileServer.cpp wsd/LOOLWSD.cpp

Pranav Kant pranavk at collabora.co.uk
Mon Apr 10 12:46:59 UTC 2017 

 loolwsd.xml.in     |    7 ++++++
 wsd/FileServer.cpp |   57 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 wsd/LOOLWSD.cpp    |    4 +++
 3 files changed, 68 insertions(+)

New commits:
commit 8db2911cd45a059262814f78b286d9419eab2045
Author: Pranav Kant <pranavk at collabora.co.uk>
Date:   Mon Apr 10 13:42:29 2017 +0530

    security: Implement HTTP Public key pinning
    
    Though this guard the user against MITM attacks, but enabling this also
    has the potential to brick your websites. So, do not use it/enable it
    without understanding what it actually is.
    
    See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
    
    Though this should work, but I have not been able to test it because of
    Firefox and Chrome's limitation/feature that key validation is not done
    when certificate chain terminates at a user-defined trust anchor and I
    couldn't find any way to temporarily enable the HPKP key validation for
    such CA chains.
    
    Change-Id: I64d4ff82b04c59642fa7b8bac2f8788a03950b28
    Reviewed-on: https://gerrit.libreoffice.org/36357
    Reviewed-by: pranavk <pranavk at collabora.co.uk>
    Tested-by: pranavk <pranavk at collabora.co.uk>
    (cherry picked from commit 1437a060ec9eb24c4b33fcbb1ed76950a861da81)
    Reviewed-on: https://gerrit.libreoffice.org/36379

diff --git a/loolwsd.xml.in b/loolwsd.xml.in
index a37ec2b5..511b5479 100644
--- a/loolwsd.xml.in
+++ b/loolwsd.xml.in
@@ -51,6 +51,13 @@
         <cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/cert.pem</cert_file_path>
         <key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/key.pem</key_file_path>
         <ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/ca-chain.cert.pem</ca_file_path>
+	<hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
+	    <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
+	    <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"></report_uri>
+	    <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
+	      <pin></pin>
+	    </pins>
+	</hpkp>
     </ssl>
 
     <storage desc="Backend storage">
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index 9f056903..b8448ddb 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -357,6 +357,63 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
         oss << "X-Frame-Options: deny\r\n";
     }
 
+    // Setup HTTP Public key pinning
+    if (LOOLWSD::isSSLEnabled() && config.getBool("ssl.hpkp[@enable]", false))
+    {
+        size_t i = 0;
+        std::string pinPath = "ssl.hpkp.pins.pin[" + std::to_string(i) + "]";
+        std::ostringstream hpkpOss;
+        bool keysPinned = false;
+        while (config.has(pinPath))
+        {
+            const auto pin = config.getString(pinPath, "");
+            if (!pin.empty())
+            {
+                hpkpOss << "pin-sha256=\"" << pin << "\"; ";
+                keysPinned = true;
+            }
+            pinPath = "ssl.hpkp.pins.pin[" + std::to_string(++i) + "]";
+        }
+
+        if (keysPinned && config.getBool("ssl.hpkp.max_age[@enable]", false))
+        {
+            int maxAge = 1000; // seconds
+            try
+            {
+                maxAge = config.getInt("ssl.hpkp.max_age", maxAge);
+            }
+            catch (Poco::SyntaxException& exc)
+            {
+                LOG_WRN("Invalid value of HPKP's max-age directive found in config file. Defaulting to "
+                        << maxAge);
+            }
+            hpkpOss << "max-age=" << maxAge << "; ";
+        }
+
+        if (keysPinned && config.getBool("ssl.hpkp.report_uri[@enable]", false))
+        {
+            const std::string reportUri = config.getString("ssl.hpkp.report_uri", "");
+            if (!reportUri.empty())
+            {
+                hpkpOss << "report-uri=" << reportUri << "; ";
+            }
+        }
+
+        if (!hpkpOss.str().empty())
+        {
+            if (config.getBool("ssl.hpkp[@report_only]", false))
+            {
+                // Only send validation failure reports to reportUri while still allowing UAs to
+                // connect to the server
+                oss << "Public-Key-Pins-Report-Only: " << hpkpOss.str() << "\r\n";
+            }
+            else
+            {
+                oss << "Public-Key-Pins: " << hpkpOss.str() << "\r\n";
+            }
+        }
+    }
+
     oss << "\r\n"
         << preprocess;
 
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 2d1c6779..0f91598e 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -623,6 +623,10 @@ void LOOLWSD::initialize(Application& self)
             { "ssl.cert_file_path", LOOLWSD_CONFIGDIR "/cert.pem" },
             { "ssl.key_file_path", LOOLWSD_CONFIGDIR "/key.pem" },
             { "ssl.ca_file_path", LOOLWSD_CONFIGDIR "/ca-chain.cert.pem" },
+            { "ssl.hpkp[@enable]", "false" },
+            { "ssl.hpkp[@report_only]", "false" },
+            { "ssl.hpkp.max_age[@enable]", "true" },
+            { "ssl.hpkp.report_uri[@enable]", "false" },
             { "storage.filesystem[@allow]", "false" },
             { "storage.wopi[@allow]", "true" },
             { "storage.wopi.host[0][@allow]", "true" },

More information about the Libreoffice-commits mailing list