Fixed Policies to assert CRL, invalid host, SHA1, and a bunch of othe…

…r security flaws in the Trust validation.
brave · Nov 19, 2019 · 221cafe · 221cafe
1 parent a1fadbd
commit 221cafe
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 3 deletions.
diff --git a/Client/Frontend/Browser/BrowserViewController.swift b/Client/Frontend/Browser/BrowserViewController.swift
@@ -1210,7 +1210,13 @@ class BrowserViewController: UIViewController {
             guard let serverTrust = tab.webView?.serverTrust else {
                 break
             }
-
+
+            let policies = [
+                SecPolicyCreateBasicX509(),
+                SecPolicyCreateSSL(true, tab.webView?.url?.host as CFString?)
+            ]
+
+            SecTrustSetPolicies(serverTrust, policies as CFTypeRef)
             SecTrustEvaluateAsync(serverTrust, DispatchQueue.global()) { _, secTrustResult in
                 switch secTrustResult {
                 case .proceed, .unspecified:

diff --git a/Client/Frontend/Browser/Onboarding/OnboardingWebViewController.swift b/Client/Frontend/Browser/Onboarding/OnboardingWebViewController.swift
@@ -6,7 +6,7 @@ import Foundation
 import WebKit
 import Shared
 
-class OnboardingWebViewController: UIViewController {
+class OnboardingWebViewController: UIViewController, WKNavigationDelegate {
 
     private let url = URL(string: "https://brave.com/terms-of-use/")
 
@@ -58,6 +58,7 @@ class OnboardingWebViewController: UIViewController {
 
         KVOs.forEach { webView.addObserver(self, forKeyPath: $0.rawValue, options: .new, context: nil) }
 
+        webView.navigationDelegate = self
         webView.load(URLRequest(url: url!))
 
         toolbar.exitButton.addTarget(self, action: #selector(onExit), for: .touchUpInside)
@@ -111,10 +112,14 @@ class OnboardingWebViewController: UIViewController {
         if let trust = webView.serverTrust {
             toolbar.secureIcon.isHidden = false
 
+            let x509 = SecPolicyCreateBasicX509()
+            let sslPolicy = SecPolicyCreateSSL(true, (webView.url?.host ?? "") as CFString)
+            SecTrustSetPolicies(trust, [x509, sslPolicy] as CFTypeRef)
+
             var result: SecTrustResultType = .invalid
             SecTrustEvaluate(trust, &result)
 
-            if result == .proceed || result == .unspecified {
+            if (result == .proceed || result == .unspecified) && webView.hasOnlySecureContent {
                 toolbar.secureIcon.tintColor = UX.secureWebPageColor
                 toolbar.urlLabel.textColor = UX.secureWebPageColor
             } else {
@@ -134,6 +139,15 @@ class OnboardingWebViewController: UIViewController {
         toolbar.forwardButton.isEnabled = webView.canGoForward
         toolbar.forwardButton.tintColor = webView.canGoForward ? UX.buttonEnabledColor : UX.buttonDisabledColor
     }
+
+    func webView(_ webView: WKWebView, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
+
+        if let trust = challenge.protectionSpace.serverTrust {
+            return completionHandler(.useCredential, URLCredential(trust: trust))
+        }
+
+        return completionHandler(.performDefaultHandling, nil)
+    }
 }
 
 extension OnboardingWebViewController {