Patchwork [04,of,11,V4] sslutil: prevent CRIME

Submitter Gregory Szorc
Date July 15, 2016, 4:09 a.m.
Message ID <99d9188b9d45039a06c6.1468555745@ubuntu-vm-main>
Permalink /patch/15868/
State Superseded

Comments

Gregory Szorc - July 15, 2016, 4:09 a.m.
# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1468552030 25200
#      Thu Jul 14 20:07:10 2016 -0700
# Node ID 99d9188b9d45039a06c65fa7dda36a12d08369c2
# Parent  cd9f086b6c88bc847baf5d2b7d46eeae4c8c1e79
sslutil: prevent CRIME

ssl.create_default_context() disables compression on the TLS channel
in order to prevent CRIME. I think we should follow CPython's lead
and attempt to disable channel compression in order to help prevent
information leakage.

Sadly, I don't think there is anything we can do on Python versions
that don't have an SSLContext, as there is no way to set channel
options with the limited ssl API.
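The commit message relies on two facts: the OP_NO_COMPRESSION bit is what create_default_context() uses to refuse TLS-level compression, and the patch's getattr() fallback of 0 makes the mitigation silently absent on an ssl module that lacks the constant. The following is an added example (Python 3, not Mercurial's code and not part of the original post) that reproduces the patch's ctxoptions computation, substitutes a constructed stand-in for a legacy ssl module so the fallback can be observed, and audits a resulting SSLContext for the missing bit. The explicit `sslmod` parameter and the `legacy_ssl_module()` stand-in are assumptions made for this demo; sslutil reads the global ssl module.

```python
import ssl
import types

# The three bits the patched _hostsettings() ORs into s['ctxoptions'].
HARDENING_BITS = ('OP_NO_SSLv2', 'OP_NO_SSLv3', 'OP_NO_COMPRESSION')


def hardening_options(sslmod=ssl):
    """Compute the ctxoptions value the way the patch does.

    Taking the module as a parameter is an assumption for this demo (Mercurial
    reads the global ssl module); it lets an ssl module without
    OP_NO_COMPRESSION be substituted so the fallback can be observed.
    """
    opts = sslmod.OP_NO_SSLv2 | sslmod.OP_NO_SSLv3
    # Same fallback as the patch: a missing constant contributes nothing,
    # and nothing in the returned value records that it was missing.
    opts |= getattr(sslmod, 'OP_NO_COMPRESSION', 0)
    return opts


def legacy_ssl_module():
    """Constructed stand-in for an ssl module predating OP_NO_COMPRESSION.

    It carries only the SSLv2/SSLv3 bits, so getattr() takes the 0 fallback.
    """
    return types.SimpleNamespace(OP_NO_SSLv2=ssl.OP_NO_SSLv2,
                                 OP_NO_SSLv3=ssl.OP_NO_SSLv3)


def missing_protections(ctxoptions):
    """Names of the hardening bits that are NOT set in ctxoptions.

    The real ssl module's constants are the reference, so this reports the
    gap a legacy module leaves behind. A bit whose value is 0 is skipped
    (OpenSSL >= 1.1 removed SSLv2, so OP_NO_SSLv2 is 0 and cannot be tested).
    """
    missing = []
    for name in HARDENING_BITS:
        bit = getattr(ssl, name, 0)
        if bit and not (ctxoptions & bit):
            missing.append(name)
    return missing


def build_client_context(ctxoptions):
    """Apply a ctxoptions value to a client SSLContext, as sslutil does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= ctxoptions
    return ctx


def compression_disabled(ctx):
    """True when the context will not negotiate TLS-level compression.

    This is the pre-handshake check; after a handshake,
    SSLSocket.compression() returning None confirms the same on the wire.
    """
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


if __name__ == '__main__':
    print('modern ssl, missing :', missing_protections(hardening_options()))
    print('legacy ssl, missing :',
          missing_protections(hardening_options(legacy_ssl_module())))
    print('default context OK  :',
          compression_disabled(ssl.create_default_context()))
```

With a current ssl module the audit reports nothing missing; with the legacy stand-in it reports OP_NO_COMPRESSION, which is exactly the silent gap the commit message describes. Note that recent CPython and OpenSSL builds set OP_NO_COMPRESSION on every new context anyway, so `compression_disabled()` is a check on the resulting context, not a proof that the patch's bit was the one that set it.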

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -150,16 +150,20 @@  def _hostsettings(ui, hostname):
     else:
         s['protocol'] = ssl.PROTOCOL_TLSv1
 
     # SSLv2 and SSLv3 are broken. We ban them outright.
     # WARNING: ctxoptions doesn't have an effect unless the modern ssl module
     # is available. Be careful when adding flags!
     s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3
 
+    # Prevent CRIME.
+    # There is no guarantee this attribute is defined on the module.
+    s['ctxoptions'] |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
+
     # Look for fingerprints in [hostsecurity] section. Value is a list
     # of <alg>:<fingerprint> strings.
     fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
                                  [])
     for fingerprint in fingerprints:
         if not (fingerprint.startswith(('sha1:', 'sha256:', 'sha512:'))):
             raise error.Abort(_('invalid fingerprint for %s: %s') % (
                                 hostname, fingerprint),
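Review bot: the `getattr(ssl, 'OP_NO_COMPRESSION', 0)` fallback in the added lines drops the CRIME mitigation silently on an ssl module without the constant, while the comment directly above it still reads `# Prevent CRIME.` as if the protection were unconditional. The commit message accepts that nothing can be done on such Pythons, but nothing in the code records the gap; suggest making the comment say so, for example `# Prevent CRIME. Older ssl modules lack OP_NO_COMPRESSION; the 0 fallback means no mitigation there.` Since the WARNING two lines earlier already notes that ctxoptions is ignored without the modern ssl module, a ui.debug() message when the attribute is absent would make the missing protection discoverable instead of invisible.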