[libsoup/wip/aplazas/hsts] soup-hsts-enforcer: Redirect insecure connections to HSTS hosts



commit b5f120aed6dfd0bd049854a0e8f09c3f43b0fefe
Author: Adrien Plazas <kekun plazas laposte net>
Date:   Tue Mar 29 13:30:27 2016 +0200

    soup-hsts-enforcer: Redirect insecure connections to HSTS hosts

 docs/specs/README            |    1 +
 libsoup/Makefile.am          |    2 +-
 libsoup/soup-hsts-enforcer.c |   74 ++++++++++++++++++++++++-----------------
 libsoup/soup-hsts-policy.c   |    2 +-
 4 files changed, 46 insertions(+), 33 deletions(-)
---
diff --git a/docs/specs/README b/docs/specs/README
index 0dee62d..e498a22 100644
--- a/docs/specs/README
+++ b/docs/specs/README
@@ -11,3 +11,4 @@ rfc2817 - Upgrading to TLS Within HTTP/1.1
 rfc2818 - HTTP Over TLS
 rfc2965 - HTTP State Management Mechanism (allegedly obsoletes 2109)
 rfc3986 - Uniform Resource Identifiers (URI): Generic Syntax
+rfc6797 - HTTP Strict Transport Security (HSTS)
diff --git a/libsoup/Makefile.am b/libsoup/Makefile.am
index 89ee106..cead4d1 100644
--- a/libsoup/Makefile.am
+++ b/libsoup/Makefile.am
@@ -48,7 +48,6 @@ soup_headers =                        \
        soup-form.h             \
        soup-headers.h          \
        soup-hsts-enforcer.h    \
-       soup-hsts-enforcer-private.h \
        soup-hsts-enforcer-db.h \
        soup-hsts-policy.h      \
        soup-logger.h           \
@@ -164,6 +163,7 @@ libsoup_2_4_la_SOURCES =            \
        soup-headers.c                  \
        soup-hsts-enforcer.c            \
        soup-hsts-enforcer-db.c         \
+       soup-hsts-enforcer-private.h    \
        soup-hsts-policy.c              \
        soup-init.c                     \
        soup-io-stream.h                \
diff --git a/libsoup/soup-hsts-enforcer.c b/libsoup/soup-hsts-enforcer.c
index 0a6774c..48ffcd6 100644
--- a/libsoup/soup-hsts-enforcer.c
+++ b/libsoup/soup-hsts-enforcer.c
@@ -442,38 +442,46 @@ soup_hsts_enforcer_process_sts_header (SoupHstsEnforcer *hsts_enforcer,
 }
 
 /* Enforces HTTPS when demanded. */
-static void
-soup_hsts_enforcer_apply_host_policy (SoupHstsEnforcer *hsts_enforcer,
-                                     SoupMessage *msg)
+static gboolean
+soup_hsts_enforcer_should_redirect_ot_https (SoupHstsEnforcer *hsts_enforcer,
+                                            SoupMessage *msg)
 {
        SoupURI *uri;
        const gchar *domain;
 
-       g_return_if_fail (hsts_enforcer != NULL);
-       g_return_if_fail (msg != NULL);
+       g_return_val_if_fail (hsts_enforcer != NULL, FALSE);
+       g_return_val_if_fail (msg != NULL, FALSE);
 
        uri = soup_message_get_uri (msg);
 
-       g_return_if_fail (uri != NULL);
-
-printf ("soup_hsts_enforcer_apply_host_policy %s\n", uri->scheme);
+       g_return_val_if_fail (uri != NULL, FALSE);
 
        // HSTS secures only HTTP connections.
        if (uri->scheme != SOUP_URI_SCHEME_HTTP)
-               return;
+               return FALSE;
 
        domain = soup_uri_get_host (uri);
 
-       g_return_if_fail (domain != NULL);
+       g_return_val_if_fail (domain != NULL, FALSE);
 
-printf ("soup_hsts_enforcer_apply_host_policy %s\n", domain);
+       return soup_hsts_enforcer_must_enforce_secure_transport (hsts_enforcer, domain);
+}
 
-/*     if (!soup_hsts_enforcer_must_enforce_secure_transport (hsts_enforcer, domain))*/
-/*             return;*/
+static void
+redirect_to_https (SoupMessage *msg)
+{
+       SoupURI *src_uri, *dst_uri;
+       char *dst;
+
+       src_uri = soup_message_get_uri (msg);
 
-printf ("soup_hsts_enforcer_apply_host_policy %s sécurisé !!!\n", domain);
+       dst_uri = soup_uri_copy (src_uri);
+       soup_uri_set_scheme (dst_uri, SOUP_URI_SCHEME_HTTPS);
+       dst = soup_uri_to_string (dst_uri, FALSE);
+       soup_uri_free (dst_uri);
 
-       soup_uri_set_scheme (uri, SOUP_URI_SCHEME_HTTPS);
+       soup_message_set_redirect (msg, 301, dst);
+       g_free (dst);
 }
 
 static void
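Review bot: redirect_to_https builds the target with soup_uri_copy followed by soup_uri_set_scheme, and soup_uri_set_scheme is documented to reset the port to the new scheme's default, so a request to a non-default port such as http://host:8080/ would be sent to https://host:443/; RFC 6797 §8.3 converts only an explicit port 80 to 443 and requires any other explicit port to be preserved. Saving the original port before the scheme change and restoring it afterwards when it was not 80, e.g. `guint port = soup_uri_get_port (src_uri);` … `if (port != 80) soup_uri_set_port (dst_uri, port);`, would follow the RFC. Separately, a synthetic 301 may let the session rewrite the method of a non-safe request when it follows the redirect; if that is the case here, a 307 (or rewriting the message URI in place, as the RFC describes) keeps the original request intact. The new predicate's name misspells "to" as "ot" in `soup_hsts_enforcer_should_redirect_ot_https`.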
@@ -488,29 +496,33 @@ process_sts_header (SoupMessage *msg, gpointer user_data)
 }
 
 static void
-msg_starting_cb (SoupMessage *msg, gpointer feature)
+soup_hsts_enforcer_request_queued (SoupSessionFeature *feature,
+                                  SoupSession *session,
+                                  SoupMessage *msg)
 {
        SoupHstsEnforcer *hsts_enforcer = SOUP_HSTS_ENFORCER (feature);
+       SoupURI *uri;
+       const char *scheme;
 
        g_return_if_fail (hsts_enforcer != NULL);
        g_return_if_fail (msg != NULL);
 
-       soup_hsts_enforcer_apply_host_policy (hsts_enforcer, msg);
-}
+       uri = soup_message_get_uri (msg);
 
-static void
-soup_hsts_enforcer_request_queued (SoupSessionFeature *feature,
-                                  SoupSession *session,
-                                  SoupMessage *msg)
-{
-       g_signal_connect (msg, "starting",
-                         G_CALLBACK (msg_starting_cb),
-                         feature);
-
-       soup_message_add_header_handler (msg, "got-headers",
-                                        "Strict-Transport-Security",
-                                        G_CALLBACK (process_sts_header),
-                                        feature);
+       g_return_if_fail (uri != NULL);
+
+       scheme = soup_uri_get_scheme (uri);
+
+       if (scheme == SOUP_URI_SCHEME_HTTP) {
+               if (soup_hsts_enforcer_should_redirect_ot_https (hsts_enforcer, msg))
+                       redirect_to_https (msg);
+       }
+       else if (scheme == SOUP_URI_SCHEME_HTTP) {
+               soup_message_add_header_handler (msg, "got-headers",
+                                                "Strict-Transport-Security",
+                                                G_CALLBACK (process_sts_header),
+                                                hsts_enforcer);
+       }
 }
 
 static void
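Review bot: The second branch at `else if (scheme == SOUP_URI_SCHEME_HTTP)` repeats the first branch's condition, so it can never be entered and the Strict-Transport-Security header handler is never attached, meaning no policy is ever learned from responses. It should read `else if (scheme == SOUP_URI_SCHEME_HTTPS) {`, which also matches RFC 6797 §8.1, where an STS header received over an insecure transport must be ignored — exactly what keeping the handler out of the http branch guarantees. One thing to confirm: if the synthetic redirect re-queues the message with the https scheme without calling request_queued again, the redirected request would also miss the header handler.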
diff --git a/libsoup/soup-hsts-policy.c b/libsoup/soup-hsts-policy.c
index 50856a1..0efb224 100644
--- a/libsoup/soup-hsts-policy.c
+++ b/libsoup/soup-hsts-policy.c
@@ -352,7 +352,7 @@ soup_hsts_policy_from_response (SoupMessage *msg)
 {
        SoupURI *origin;
        const char *name, *value;
-       SoupHstsPolicy *policy;
+/*     SoupHstsPolicy *policy;*/
        SoupMessageHeadersIter iter;
 
        // TODO just directly get the first one?
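Review bot: The `policy` declaration is commented out rather than deleted; commented-out code should be removed, since version control already records what was there. soup_hsts_policy_from_response continues outside the hunk, so whether `policy` is still referenced further down cannot be checked from this view.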

