1/*
2 * Copyright (C) 2014 Igalia S.L.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26#include "config.h"
27
28#if USE(SOUP)
29
30#include "SoupNetworkSession.h"
31
32#include "AuthenticationChallenge.h"
33#include "GUniquePtrSoup.h"
34#include "Logging.h"
35#include "SoupNetworkProxySettings.h"
36#include <glib/gstdio.h>
37#include <libsoup/soup.h>
38#include <pal/crypto/CryptoDigest.h>
39#include <wtf/FileSystem.h>
40#include <wtf/HashSet.h>
41#include <wtf/NeverDestroyed.h>
42#include <wtf/text/Base64.h>
43#include <wtf/text/CString.h>
44
45namespace WebCore {
46
47static bool gIgnoreTLSErrors;
48static GType gCustomProtocolRequestType;
49
50static CString& initialAcceptLanguages()
51{
52 static NeverDestroyed<CString> storage;
53 return storage.get();
54}
55
56static SoupNetworkProxySettings& proxySettings()
57{
58 static NeverDestroyed<SoupNetworkProxySettings> settings;
59 return settings.get();
60}
61
62#if !LOG_DISABLED
63inline static void soupLogPrinter(SoupLogger*, SoupLoggerLogLevel, char direction, const char* data, gpointer)
64{
65 LOG(Network, "%c %s", direction, data);
66}
67#endif
68
69class HostTLSCertificateSet {
70public:
71 void add(GTlsCertificate* certificate)
72 {
73 String certificateHash = computeCertificateHash(certificate);
74 if (!certificateHash.isEmpty())
75 m_certificates.add(certificateHash);
76 }
77
78 bool contains(GTlsCertificate* certificate) const
79 {
80 return m_certificates.contains(computeCertificateHash(certificate));
81 }
82
83private:
84 static String computeCertificateHash(GTlsCertificate* certificate)
85 {
86 GRefPtr<GByteArray> certificateData;
87 g_object_get(G_OBJECT(certificate), "certificate", &certificateData.outPtr(), nullptr);
88 if (!certificateData)
89 return String();
90
91 auto digest = PAL::CryptoDigest::create(PAL::CryptoDigest::Algorithm::SHA_256);
92 digest->addBytes(certificateData->data, certificateData->len);
93
94 auto hash = digest->computeHash();
95 return base64Encode(reinterpret_cast<const char*>(hash.data()), hash.size());
96 }
97
98 HashSet<String> m_certificates;
99};
100
101using AllowedCertificatesMap = HashMap<String, HostTLSCertificateSet, ASCIICaseInsensitiveHash>;
102
103static AllowedCertificatesMap& allowedCertificates()
104{
105 static NeverDestroyed<AllowedCertificatesMap> certificates;
106 return certificates;
107}
108
109SoupNetworkSession::SoupNetworkSession(PAL::SessionID sessionID, SoupCookieJar* cookieJar)
110 : m_soupSession(adoptGRef(soup_session_new()))
111{
112 // Values taken from http://www.browserscope.org/ following
113 // the rule "Do What Every Other Modern Browser Is Doing". They seem
114 // to significantly improve page loading time compared to soup's
115 // default values.
116 static const int maxConnections = 17;
117 static const int maxConnectionsPerHost = 6;
118
119 GRefPtr<SoupCookieJar> jar = cookieJar;
120 if (!jar) {
121 jar = adoptGRef(soup_cookie_jar_new());
122 soup_cookie_jar_set_accept_policy(jar.get(), SOUP_COOKIE_JAR_ACCEPT_NO_THIRD_PARTY);
123 }
124
125 g_object_set(m_soupSession.get(),
126 SOUP_SESSION_MAX_CONNS, maxConnections,
127 SOUP_SESSION_MAX_CONNS_PER_HOST, maxConnectionsPerHost,
128 SOUP_SESSION_TIMEOUT, 0,
129 SOUP_SESSION_IDLE_TIMEOUT, 0,
130 SOUP_SESSION_ADD_FEATURE_BY_TYPE, SOUP_TYPE_CONTENT_SNIFFER,
131 SOUP_SESSION_ADD_FEATURE, jar.get(),
132 nullptr);
133
134 setupCustomProtocols();
135
136 if (!initialAcceptLanguages().isNull())
137 setAcceptLanguages(initialAcceptLanguages());
138
139#if SOUP_CHECK_VERSION(2, 53, 92)
140 if (soup_auth_negotiate_supported() && !sessionID.isEphemeral()) {
141 g_object_set(m_soupSession.get(),
142 SOUP_SESSION_ADD_FEATURE_BY_TYPE, SOUP_TYPE_AUTH_NEGOTIATE,
143 nullptr);
144 }
145#else
146 UNUSED_PARAM(sessionID);
147#endif
148
149 if (proxySettings().mode != SoupNetworkProxySettings::Mode::Default)
150 setupProxy();
151 setupLogger();
152}
153
154SoupNetworkSession::~SoupNetworkSession() = default;
155
156void SoupNetworkSession::setupLogger()
157{
158#if !LOG_DISABLED
159 if (LogNetwork.state != WTFLogChannelState::On || soup_session_get_feature(m_soupSession.get(), SOUP_TYPE_LOGGER))
160 return;
161
162 GRefPtr<SoupLogger> logger = adoptGRef(soup_logger_new(SOUP_LOGGER_LOG_BODY, -1));
163 soup_session_add_feature(m_soupSession.get(), SOUP_SESSION_FEATURE(logger.get()));
164 soup_logger_set_printer(logger.get(), soupLogPrinter, nullptr, nullptr);
165#endif
166}
167
168void SoupNetworkSession::setCookieJar(SoupCookieJar* jar)
169{
170 if (SoupCookieJar* currentJar = cookieJar())
171 soup_session_remove_feature(m_soupSession.get(), SOUP_SESSION_FEATURE(currentJar));
172 soup_session_add_feature(m_soupSession.get(), SOUP_SESSION_FEATURE(jar));
173}
174
175SoupCookieJar* SoupNetworkSession::cookieJar() const
176{
177 return SOUP_COOKIE_JAR(soup_session_get_feature(m_soupSession.get(), SOUP_TYPE_COOKIE_JAR));
178}
179
180static inline bool stringIsNumeric(const char* str)
181{
182 while (*str) {
183 if (!g_ascii_isdigit(*str))
184 return false;
185 str++;
186 }
187 return true;
188}
189
190// Old versions of WebKit created this cache.
191void SoupNetworkSession::clearOldSoupCache(const String& cacheDirectory)
192{
193 CString cachePath = FileSystem::fileSystemRepresentation(cacheDirectory);
194 GUniquePtr<char> cacheFile(g_build_filename(cachePath.data(), "soup.cache2", nullptr));
195 if (!g_file_test(cacheFile.get(), G_FILE_TEST_IS_REGULAR))
196 return;
197
198 GUniquePtr<GDir> dir(g_dir_open(cachePath.data(), 0, nullptr));
199 if (!dir)
200 return;
201
202 while (const char* name = g_dir_read_name(dir.get())) {
203 if (!g_str_has_prefix(name, "soup.cache") && !stringIsNumeric(name))
204 continue;
205
206 GUniquePtr<gchar> filename(g_build_filename(cachePath.data(), name, nullptr));
207 if (g_file_test(filename.get(), G_FILE_TEST_IS_REGULAR))
208 g_unlink(filename.get());
209 }
210}
211
212void SoupNetworkSession::setupProxy()
213{
214 GRefPtr<GProxyResolver> resolver;
215 switch (proxySettings().mode) {
216 case SoupNetworkProxySettings::Mode::Default: {
217 GRefPtr<GProxyResolver> currentResolver;
218 g_object_get(m_soupSession.get(), SOUP_SESSION_PROXY_RESOLVER, &currentResolver.outPtr(), nullptr);
219 GProxyResolver* defaultResolver = g_proxy_resolver_get_default();
220 if (currentResolver.get() == defaultResolver)
221 return;
222 resolver = defaultResolver;
223 break;
224 }
225 case SoupNetworkProxySettings::Mode::NoProxy:
226 // Do nothing in this case, resolver is nullptr so that when set it will disable proxies.
227 break;
228 case SoupNetworkProxySettings::Mode::Custom:
229 resolver = adoptGRef(g_simple_proxy_resolver_new(nullptr, nullptr));
230 if (!proxySettings().defaultProxyURL.isNull())
231 g_simple_proxy_resolver_set_default_proxy(G_SIMPLE_PROXY_RESOLVER(resolver.get()), proxySettings().defaultProxyURL.data());
232 if (proxySettings().ignoreHosts)
233 g_simple_proxy_resolver_set_ignore_hosts(G_SIMPLE_PROXY_RESOLVER(resolver.get()), proxySettings().ignoreHosts.get());
234 for (const auto& iter : proxySettings().proxyMap)
235 g_simple_proxy_resolver_set_uri_proxy(G_SIMPLE_PROXY_RESOLVER(resolver.get()), iter.key.data(), iter.value.data());
236 break;
237 }
238
239 g_object_set(m_soupSession.get(), SOUP_SESSION_PROXY_RESOLVER, resolver.get(), nullptr);
240 soup_session_abort(m_soupSession.get());
241}
242
243void SoupNetworkSession::setProxySettings(const SoupNetworkProxySettings& settings)
244{
245 proxySettings() = settings;
246}
247
248void SoupNetworkSession::setInitialAcceptLanguages(const CString& languages)
249{
250 initialAcceptLanguages() = languages;
251}
252
253void SoupNetworkSession::setAcceptLanguages(const CString& languages)
254{
255 g_object_set(m_soupSession.get(), "accept-language", languages.data(), nullptr);
256}
257
258void SoupNetworkSession::setCustomProtocolRequestType(GType requestType)
259{
260 ASSERT(g_type_is_a(requestType, SOUP_TYPE_REQUEST));
261 gCustomProtocolRequestType = requestType;
262}
263
264void SoupNetworkSession::setupCustomProtocols()
265{
266 if (!g_type_is_a(gCustomProtocolRequestType, SOUP_TYPE_REQUEST))
267 return;
268
269 auto* requestClass = static_cast<SoupRequestClass*>(g_type_class_peek(gCustomProtocolRequestType));
270 if (!requestClass || !requestClass->schemes)
271 return;
272
273 soup_session_add_feature_by_type(m_soupSession.get(), gCustomProtocolRequestType);
274}
275
276void SoupNetworkSession::setShouldIgnoreTLSErrors(bool ignoreTLSErrors)
277{
278 gIgnoreTLSErrors = ignoreTLSErrors;
279}
280
281Optional<ResourceError> SoupNetworkSession::checkTLSErrors(const URL& requestURL, GTlsCertificate* certificate, GTlsCertificateFlags tlsErrors)
282{
283 if (gIgnoreTLSErrors)
284 return WTF::nullopt;
285
286 if (!tlsErrors)
287 return WTF::nullopt;
288
289 auto it = allowedCertificates().find(requestURL.host().toStringWithoutCopying());
290 if (it != allowedCertificates().end() && it->value.contains(certificate))
291 return WTF::nullopt;
292
293 return ResourceError::tlsError(requestURL, tlsErrors, certificate);
294}
295
296void SoupNetworkSession::allowSpecificHTTPSCertificateForHost(const CertificateInfo& certificateInfo, const String& host)
297{
298 allowedCertificates().add(host, HostTLSCertificateSet()).iterator->value.add(certificateInfo.certificate());
299}
300
301} // namespace WebCore
302
303#endif
304