From 0c72f162110ef8da4b7d5941af8cf6deabd82dc9 Mon Sep 17 00:00:00 2001
From: Tiga Ultraman <liaoxude@huawei.com>
Date: Tue, 18 Jun 2024 11:57:18 +0800
Subject: [PATCH] remove unsafe tls algorithm

Signed-off-by: Tiga Ultraman <liaoxude@huawei.com>
---
 .../src/async_impl/connector/mod.rs           |  8 ++--
 .../src/util/c_openssl/ffi/ssl.rs             |  1 +
 .../src/util/c_openssl/ssl/ctx.rs             | 46 ++++++++++++++++++-
 ylong_http_client/src/util/h2/streams.rs      |  1 -
 4 files changed, 49 insertions(+), 7 deletions(-)

diff --git a/ylong_http_client/src/async_impl/connector/mod.rs b/ylong_http_client/src/async_impl/connector/mod.rs
index 963921c..73ae085 100644
--- a/ylong_http_client/src/async_impl/connector/mod.rs
+++ b/ylong_http_client/src/async_impl/connector/mod.rs
@@ -63,21 +63,19 @@ async fn tcp_stream(addr: &str) -> Result<TcpStream, HttpClientError> {
         .map_err(|e| {
             #[cfg(target_os = "linux")]
             if format!("{}", e).contains("failed to lookup address information") {
-                return HttpClientError::from_dns_error(crate::ErrorKind::Connect, e)
+                return HttpClientError::from_dns_error(crate::ErrorKind::Connect, e);
             }
             #[cfg(target_os = "windows")]
             if let Some(code) = e.raw_os_error() {
                 if (0x2329..=0x26B2).contains(&code) || code == 0x2AF9 {
-                    return HttpClientError::from_dns_error(crate::ErrorKind::Connect, e)
+                    return HttpClientError::from_dns_error(crate::ErrorKind::Connect, e);
                 }
             }
             HttpClientError::from_io_error(crate::ErrorKind::Connect, e)
         })
         .and_then(|stream| match stream.set_nodelay(true) {
             Ok(()) => Ok(stream),
-            Err(e) => {
-                err_from_io!(Connect, e)
-            }
+            Err(e) => err_from_io!(Connect, e),
         })
 }
 
diff --git a/ylong_http_client/src/util/c_openssl/ffi/ssl.rs b/ylong_http_client/src/util/c_openssl/ffi/ssl.rs
index 09baff8..8b3ab8b 100644
--- a/ylong_http_client/src/util/c_openssl/ffi/ssl.rs
+++ b/ylong_http_client/src/util/c_openssl/ffi/ssl.rs
@@ -125,6 +125,7 @@ extern "C" {
         callback: extern "C" fn(*mut X509_STORE_CTX, *mut c_void) -> c_int,
         arg: *mut c_void,
     );
+
 }
 
 /// This is the main SSL/TLS structure which is created by a server or client
diff --git a/ylong_http_client/src/util/c_openssl/ssl/ctx.rs b/ylong_http_client/src/util/c_openssl/ssl/ctx.rs
index 13fbd4c..bd46f66 100644
--- a/ylong_http_client/src/util/c_openssl/ssl/ctx.rs
+++ b/ylong_http_client/src/util/c_openssl/ssl/ctx.rs
@@ -37,6 +37,7 @@ use crate::util::config::tls::DefaultCertVerifier;
 
 const SSL_CTRL_SET_MIN_PROTO_VERSION: c_int = 123;
 const SSL_CTRL_SET_MAX_PROTO_VERSION: c_int = 124;
+const SSL_CTRL_SET_SIGALGS_LIST: c_int = 98;
 
 foreign_type!(
     type CStruct = SSL_CTX;
@@ -91,8 +92,9 @@ impl SslContextBuilder {
         let mut builder = Self::from_ptr(ptr);
         builder.set_verify(SSL_VERIFY_PEER);
         builder.set_cipher_list(
-            "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK",
+            "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK:!SHA1:!CBC",
         )?;
+        builder.set_sigalgs_list()?;
 
         Ok(builder)
     }
@@ -266,4 +268,46 @@ impl SslContextBuilder {
         let ptr = self.as_ptr_mut();
         unsafe { X509StoreRef::from_ptr_mut(SSL_CTX_get_cert_store(ptr)) }
     }
+
+    pub(crate) fn set_sigalgs_list(&mut self) -> Result<(), ErrorStack> {
+        // Allowed signature algorithms:
+        // ecdsa_secp256r1_sha256 (0x0403)
+        // ecdsa_secp384r1_sha384 (0x0503)
+        // ecdsa_secp521r1_sha512 (0x0603)
+        // ed25519 (0x0807)
+        // ed448 (0x0808)
+        // rsa_pss_pss_sha256 (0x0809)
+        // rsa_pss_pss_sha384 (0x080a)
+        // rsa_pss_pss_sha512 (0x080b)
+        // rsa_pss_rsae_sha256 (0x0804)
+        // rsa_pss_rsae_sha384 (0x0805)
+        // rsa_pss_rsae_sha512 (0x0806)
+        // rsa_pkcs1_sha256 (0x0401)
+        // rsa_pkcs1_sha384 (0x0501)
+        // rsa_pkcs1_sha512 (0x0601)
+        // SHA256 DSA (0x0402)
+        // SHA384 DSA (0x0502)
+        // SHA512 DSA (0x0602)
+        const SUPPORT_SIGNATURE_ALGORITHMS: &str = "\
+        ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:\
+        ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:\
+        rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:\
+        rsa_pss_rsae_sha512:rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512:DSA+SHA256:DSA+SHA384:DSA+SHA512";
+        let list = match CString::new(SUPPORT_SIGNATURE_ALGORITHMS) {
+            Ok(cstr) => cstr,
+            Err(_) => return Err(ErrorStack::get()),
+        };
+
+        let ptr = self.as_ptr_mut();
+
+        check_ret(unsafe {
+            SSL_CTX_ctrl(
+                ptr,
+                SSL_CTRL_SET_SIGALGS_LIST,
+                0,
+                list.as_ptr() as *const c_void as *mut c_void,
+            )
+        } as c_int)
+        .map(|_| ())
+    }
 }
diff --git a/ylong_http_client/src/util/h2/streams.rs b/ylong_http_client/src/util/h2/streams.rs
index 304b617..fad3f95 100644
--- a/ylong_http_client/src/util/h2/streams.rs
+++ b/ylong_http_client/src/util/h2/streams.rs
@@ -226,7 +226,6 @@ impl Streams {
                     stream.send_window.increase_size(excess)?;
                 }
                 for id in self.pending_stream_window.iter() {
-                    // self.push_back_pending_send(*id);
                     self.pending_send.push_back(*id);
                 }
                 self.pending_stream_window.clear();
-- 
Gitee