Patchwork [2,of,6,V6] sslutil: prevent CRIME

Submitter Gregory Szorc
Date July 16, 2016, 5:18 a.m.
Message ID <da2cb958a05e73864687.1468646325@ubuntu-vm-main>
Permalink /patch/15900/
State Superseded

Comments

Gregory Szorc - July 16, 2016, 5:18 a.m.
# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1468552030 25200
#      Thu Jul 14 20:07:10 2016 -0700
# Node ID da2cb958a05e738646878e564ad109cfb478ac13
# Parent  8b135fc9edb73748fbc1329ba63f95a60b8e07a5
sslutil: prevent CRIME

ssl.create_default_context() disables compression on the TLS channel
in order to prevent CRIME. I think we should follow CPython's lead
and attempt to disable channel compression in order to help prevent
information leakage.

Sadly, I don't think there is anything we can do on Python versions
that don't have an SSLContext, as there is no way to set channel
options with the limited ssl API.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -150,16 +150,20 @@  def _hostsettings(ui, hostname):
     else:
         s['protocol'] = ssl.PROTOCOL_TLSv1
 
     # SSLv2 and SSLv3 are broken. We ban them outright.
     # WARNING: ctxoptions doesn't have an effect unless the modern ssl module
     # is available. Be careful when adding flags!
     s['ctxoptions'] = OP_NO_SSLv2 | OP_NO_SSLv3
 
+    # Prevent CRIME.
+    # There is no guarantee this attribute is defined on the module.
+    s['ctxoptions'] |= getattr(ssl, 'OP_NO_COMPRESSION', 0)
+
     # Look for fingerprints in [hostsecurity] section. Value is a list
     # of <alg>:<fingerprint> strings.
     fingerprints = ui.configlist('hostsecurity', '%s:fingerprints' % hostname,
                                  [])
     for fingerprint in fingerprints:
         if not (fingerprint.startswith(('sha1:', 'sha256:', 'sha512:'))):
             raise error.Abort(_('invalid fingerprint for %s: %s') % (
                                 hostname, fingerprint),
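Review bot: the new `s['ctxoptions'] |= getattr(ssl, 'OP_NO_COMPRESSION', 0)` silently degrades to a no-op on interpreters whose ssl module lacks the constant, and nothing tells the user that TLS compression was left enabled; since the WARNING comment just above already says ctxoptions has no effect without the modern ssl module, consider resolving the flag once at module level next to OP_NO_SSLv2 / OP_NO_SSLv3 (which this hunk uses as bare names, so a fallback definition for them evidently exists there) so the fallback lives in one place, and emitting a debug message when the fallback of 0 is taken so the missing protection is visible in verbose output. The comment `# Prevent CRIME.` would also read better if it said what the flag does (disables TLS-level compression) for readers unfamiliar with the acronym.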
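The pattern the patch relies on, resolving OP_NO_COMPRESSION with a fallback of 0 and OR-ing it into the context options, can be checked in isolation. The following is an added example, not Mercurial's code: the function names (no_compression_flag, hardened_options, build_client_context, compression_disabled, missing_flag_fallback) are assumptions, and the stub module used to simulate an old ssl module is constructed for the example.

```python
import ssl
import types


def no_compression_flag(module=ssl):
    """Return the OP_NO_COMPRESSION bit of the given ssl-like module, or 0 when
    the module predates the constant (the same fallback the patch uses)."""
    return getattr(module, 'OP_NO_COMPRESSION', 0)


def hardened_options(base_options, module=ssl):
    """OR the no-compression bit into an existing options bitmask.

    With an old ssl module the bit is 0 and the mask is returned unchanged,
    which is exactly the silent degradation the patch's comment warns about."""
    return base_options | no_compression_flag(module)


def build_client_context():
    """Build a client SSLContext with TLS compression disabled where possible."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= hardened_options(0)
    return ctx


def compression_disabled(ctx, module=ssl):
    """True if the context has OP_NO_COMPRESSION set, False if it does not,
    None if this ssl module cannot express the option at all (limited API)."""
    flag = no_compression_flag(module)
    if not flag:
        return None
    return bool(ctx.options & flag)


def missing_flag_fallback():
    """Simulate an ssl module without OP_NO_COMPRESSION (constructed stub) and
    show that hardened_options() then leaves the mask untouched."""
    old_ssl = types.SimpleNamespace()  # hypothetical module with no constant
    base = 0x5  # arbitrary constructed bitmask standing in for OP_NO_SSLv2|OP_NO_SSLv3
    return no_compression_flag(old_ssl), hardened_options(base, old_ssl)


if __name__ == '__main__':
    print('OP_NO_COMPRESSION supported:', no_compression_flag() != 0)
    print('compression disabled on context:', compression_disabled(build_client_context()))
    print('fallback on old module (flag, options):', missing_flag_fallback())
```

compression_disabled() returning None rather than False is deliberate: a caller that wants to refuse connections without the protection can treat None as "unknown" and report it, instead of conflating "could not set" with "chose not to set".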