Remove TOFU implementation that has been proved to be buggy and cause only overhead

Author: evilaliv3

tor2web/t2w.py

@@ -85,7 +85,6 @@ def __init__(self, config):
         self.crawler_list = []
         self.hosts_map = {}
         self.TorExitNodes = []
-        self.certs_tofu = LimitedSizeDict(size_limit=config.ssl_tofu_cache_size)
 
         self.load_lists()
 
@@ -143,17 +142,6 @@ def remote_get_tor_exits_list(self):
     def remote_get_hosts_map(self):
         return dict(self.hosts_map)
 
-    def remote_is_https(self, hostname):
-        return hostname in self.certs_tofu
-
-    def remote_verify_tls_tofu(self, hostname, cert):
-        h = hashlib.sha512(cert).hexdigest()
-        if hostname not in self.certs_tofu:
-            self.certs_tofu[hostname] = h
-            return True
-
-        return self.certs_tofu[hostname] == h
-
     def remote_update_stats(self, onion):
         self.stats.update(onion)
 
@@ -323,9 +311,6 @@ def __init__(self, reactor,
                                connectTimeout, bindAddress, pool)
 
     def _getEndpoint(self, scheme, host, port):
-        def verify_tofu(hostname, cert):
-            return rpc("verify_tls_tofu", hostname, cert)
-
         if scheme not in ('http', 'https'):
             raise SchemeNotSupported("Unsupported scheme: %r" % (scheme,))
 
@@ -344,7 +329,7 @@ def verify_tofu(hostname, cert):
                                                        host,
                                                        port,
                                                        config.socksoptimisticdata)
-                return TLSWrapClientEndpoint(HTTPSVerifyingContextFactory(host, verify_tofu),
+                return TLSWrapClientEndpoint(HTTPSVerifyingContextFactory(host),
                                              torSockEndpoint)
         else:
             if scheme == 'http':
@@ -365,12 +350,8 @@ def request(self, method, uri, headers, bodyProducer=None):
         """
         parsedURI = URI.fromBytes(uri)
 
-        is_https = yield rpc("is_https", parsedURI.host)
-
-        scheme = 'https' if is_https else 'http'
-
         for key, values in headers.getAllRawHeaders():
-            fixed_values = [re_sub(rexp['w2t'], r'' + scheme + r'://\2.onion', value) for value in values]
+            fixed_values = [re_sub(rexp['w2t'], r'http://\2.onion', value) for value in values]
             headers.setRawHeaders(key, fixed_values)
 
         try:

tor2web/utils/config.py

@@ -77,7 +77,6 @@ def __init__(self):
         self.__dict__['cipher_list'] = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:' \
                                        'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:' \
                                        'ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:'
-        self.__dict__['ssl_tofu_cache_size'] = 100
         self.__dict__['mode'] = 'BLOCKLIST'
         self.__dict__['onion'] = None
         self.__dict__['blockhotlinking'] = True

tor2web/utils/ssl.py

@@ -16,8 +16,7 @@
 
 import os
 from OpenSSL import SSL
-from OpenSSL.crypto import load_certificate, dump_certificate, FILETYPE_PEM, \
- _raise_current_error
+from OpenSSL.crypto import load_certificate, FILETYPE_PEM
 from OpenSSL._util import lib as _lib, ffi as _ffi
 from pyasn1.type import univ, constraint, char, namedtype, tag
 from pyasn1.codec.der.decoder import decode
@@ -145,10 +144,9 @@ def getContext(self):
 
 
 class HTTPSVerifyingContextFactory(ssl.ClientContextFactory):
-    def __init__(self, hostname, verify_tofu=None):
+    def __init__(self, hostname):
         self.hostname = hostname
-        self.verify_tofu = verify_tofu
-        
+
         # read in T2WSSLContextFactory why this settings ends in enabling only TLS
         self.method = SSL.SSLv23_METHOD
 
@@ -187,9 +185,4 @@ def verifyCert(self, connection, x509, errno, depth, preverifyOK):
             elif self.hostname in altnames(x509):
                 verify = True
 
-            if verify and self.verify_tofu is not None:
-                return self.verify_tofu(self.hostname, dump_certificate(FILETYPE_PEM, x509))
-
         return verify
-
-CERTS_TOFU = {}