Made peer verification more secure

Author: SammyK

src/Facebook/HttpClients/FacebookCurlHttpClient.php

@@ -146,12 +146,6 @@ public function send($url, $method = 'GET', $parameters = array())
     $this->openConnection($url, $method, $parameters);
     $this->tryToSendRequest();
 
-    // Need to verify the peer
-    if ($this->curlErrorCode == 60 || $this->curlErrorCode == 77) {
-      $this->addBundledCert();
-      $this->tryToSendRequest();
-    }
-
     if ($this->curlErrorCode) {
       throw new FacebookSDKException($this->curlErrorMessage, $this->curlErrorCode);
     }
@@ -181,6 +175,9 @@ public function openConnection($url, $method = 'GET', $parameters = array())
       CURLOPT_TIMEOUT        => 60,
       CURLOPT_RETURNTRANSFER => true, // Follow 301 redirects
       CURLOPT_HEADER         => true, // Enable header processing
+      CURLOPT_SSL_VERIFYHOST => 2,
+      CURLOPT_SSL_VERIFYPEER => true,
+      CURLOPT_CAINFO         => __DIR__ . '/certs/DigiCertHighAssuranceEVRootCA.pem',
     );
 
     if ($method !== "GET") {
@@ -202,15 +199,6 @@ public function openConnection($url, $method = 'GET', $parameters = array())
     self::$facebookCurl->setopt_array($options);
   }
 
-  /**
-   * Add a bundled cert to the connection
-   */
-  public function addBundledCert()
-  {
-    self::$facebookCurl->setopt(CURLOPT_CAINFO,
-      dirname(__FILE__) . DIRECTORY_SEPARATOR . 'fb_ca_chain_bundle.crt');
-  }
-
   /**
    * Closes an existing curl connection
    */

src/Facebook/HttpClients/FacebookGuzzleHttpClient.php

@@ -108,6 +108,8 @@ public function send($url, $method = 'GET', $parameters = array())
       $options = array('body' => $parameters);
     }
 
+    $options['verify'] = __DIR__ . '/certs/DigiCertHighAssuranceEVRootCA.pem';
+
     $request = self::$guzzleClient->createRequest($method, $url, $options);
 
     foreach($this->requestHeaders as $k => $v) {

src/Facebook/HttpClients/FacebookStreamHttpClient.php

@@ -107,7 +107,9 @@ public function send($url, $method = 'GET', $parameters = array())
       ),
       'ssl' => array(
         'verify_peer' => true,
-        'cafile' => dirname(__FILE__) . DIRECTORY_SEPARATOR . 'fb_ca_chain_bundle.crt',
+        'verify_peer_name' => true,
+        'allow_self_signed' => true, // All root certificates are self-signed
+        'cafile' => __DIR__ . '/certs/DigiCertHighAssuranceEVRootCA.pem',
       ),
     );
 

src/Facebook/HttpClients/certs/DigiCertHighAssuranceEVRootCA.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
+ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL
+MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
+LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
+RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm
++9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW
+PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM
+xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB
+Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3
+hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg
+EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF
+MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA
+FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec
+nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z
+eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF
+hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2
+Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
+vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
++OkuE6N36B9K
+-----END CERTIFICATE-----

src/Facebook/HttpClients/fb_ca_chain_bundle.crt

@@ -9,7 +9,7 @@ class FacebookPageTabHelperTest extends PHPUnit_Framework_TestCase
 
   public function testPageDataCanBeAccessed()
   {
-    $_GET['signed_request'] = $this->rawSignedRequestAuthorized;
+    $_POST['signed_request'] = $this->rawSignedRequestAuthorized;
     $helper = new FacebookPageTabHelper('123', 'foo_app_secret');
 
     $this->assertTrue($helper->isLiked());

tests/FacebookPageTabHelperTest.php

@@ -25,12 +25,10 @@ public function testLoginURL()
       'sdk' => 'php-sdk-' . FacebookRequest::VERSION,
       'scope' => implode(',', array())
     );
-    $expectedUrl = 'https://www.facebook.com/v2.0/dialog/oauth?';
-    $this->assertTrue(strpos($loginUrl, $expectedUrl) !== false);
+    $expectedUrl = 'https://www.facebook.com/' . FacebookRequest::GRAPH_API_VERSION . '/dialog/oauth?';
+    $this->assertTrue(strpos($loginUrl, $expectedUrl) === 0, 'Unexpected base login URL returned from getLoginUrl().');
     foreach ($params as $key => $value) {
-      $this->assertTrue(
-        strpos($loginUrl, $key . '=' . urlencode($value)) !== false
-      );
+      $this->assertContains($key . '=' . urlencode($value), $loginUrl);
     }
   }
 

tests/FacebookRedirectLoginHelperTest.php

@@ -41,7 +41,7 @@ public function testCanPostAndDelete()
       'DELETE',
       '/' . $user_id
     ))->execute()->getGraphObject()->asArray();
-    $this->assertTrue($response);
+    $this->assertEquals(['success' => true], $response);
   }
 
   public function testETagHit()

tests/FacebookRequestTest.php

@@ -34,13 +34,29 @@ public function testCanOpenGetCurlConnection()
       ->andReturn(null);
     $this->curlMock
       ->shouldReceive('setopt_array')
-      ->with(array(
-          CURLOPT_URL            => 'http://foo.com',
-          CURLOPT_CONNECTTIMEOUT => 10,
-          CURLOPT_TIMEOUT        => 60,
-          CURLOPT_RETURNTRANSFER => true,
-          CURLOPT_HEADER         => true,
-        ))
+      ->with(m::on(function($arg) {
+            $caInfo = array_diff($arg, [
+                CURLOPT_CUSTOMREQUEST  => 'GET',
+                CURLOPT_HTTPHEADER     => [],
+                CURLOPT_URL            => 'http://foo.com',
+                CURLOPT_CONNECTTIMEOUT => 10,
+                CURLOPT_TIMEOUT        => 60,
+                CURLOPT_RETURNTRANSFER => true,
+                CURLOPT_HEADER         => true,
+                CURLOPT_SSL_VERIFYHOST => 2,
+                CURLOPT_SSL_VERIFYPEER => true,
+              ]);
+
+            if (count($caInfo) !== 1) {
+              return false;
+            }
+
+            if (1 !== preg_match('/.+\/certs\/DigiCertHighAssuranceEVRootCA\.pem$/', $caInfo[CURLOPT_CAINFO])) {
+              return false;
+            }
+
+            return true;
+          }))
       ->once()
       ->andReturn(null);
 
@@ -55,16 +71,31 @@ public function testCanOpenGetCurlConnectionWithHeaders()
       ->andReturn(null);
     $this->curlMock
       ->shouldReceive('setopt_array')
-      ->with(array(
-          CURLOPT_URL            => 'http://foo.com',
-          CURLOPT_CONNECTTIMEOUT => 10,
-          CURLOPT_TIMEOUT        => 60,
-          CURLOPT_RETURNTRANSFER => true,
-          CURLOPT_HEADER         => true,
-          CURLOPT_HTTPHEADER     => array(
-            'X-foo: bar',
-          ),
-        ))
+      ->with(m::on(function($arg) {
+            $caInfo = array_diff($arg, [
+                CURLOPT_CUSTOMREQUEST  => 'GET',
+                CURLOPT_HTTPHEADER     => array(
+                  'X-foo: bar',
+                ),
+                CURLOPT_URL            => 'http://foo.com',
+                CURLOPT_CONNECTTIMEOUT => 10,
+                CURLOPT_TIMEOUT        => 60,
+                CURLOPT_RETURNTRANSFER => true,
+                CURLOPT_HEADER         => true,
+                CURLOPT_SSL_VERIFYHOST => 2,
+                CURLOPT_SSL_VERIFYPEER => true,
+              ]);
+
+            if (count($caInfo) !== 1) {
+              return false;
+            }
+
+            if (1 !== preg_match('/.+\/certs\/DigiCertHighAssuranceEVRootCA\.pem$/', $caInfo[CURLOPT_CAINFO])) {
+              return false;
+            }
+
+            return true;
+          }))
       ->once()
       ->andReturn(null);
 
@@ -80,16 +111,32 @@ public function testCanOpenPostCurlConnection()
       ->andReturn(null);
     $this->curlMock
       ->shouldReceive('setopt_array')
-      ->with(array(
-          CURLOPT_URL            => 'http://bar.com',
-          CURLOPT_CONNECTTIMEOUT => 10,
-          CURLOPT_TIMEOUT        => 60,
-          CURLOPT_RETURNTRANSFER => true,
-          CURLOPT_HEADER         => true,
-          CURLOPT_POSTFIELDS     => array(
-            'baz' => 'bar',
-          ),
-        ))
+      ->with(m::on(function($arg) {
+            $caInfo = array_diff($arg, [
+                CURLOPT_CUSTOMREQUEST  => 'POST',
+                CURLOPT_HTTPHEADER     => [],
+                CURLOPT_URL            => 'http://bar.com',
+                CURLOPT_CONNECTTIMEOUT => 10,
+                CURLOPT_TIMEOUT        => 60,
+                CURLOPT_RETURNTRANSFER => true,
+                CURLOPT_HEADER         => true,
+                CURLOPT_SSL_VERIFYHOST => 2,
+                CURLOPT_SSL_VERIFYPEER => true,
+                CURLOPT_POSTFIELDS     => array(
+                  'baz' => 'bar',
+                ),
+              ]);
+
+            if (count($caInfo) !== 1) {
+              return false;
+            }
+
+            if (1 !== preg_match('/.+\/certs\/DigiCertHighAssuranceEVRootCA\.pem$/', $caInfo[CURLOPT_CAINFO])) {
+              return false;
+            }
+
+            return true;
+          }))
       ->once()
       ->andReturn(null);
 
@@ -104,17 +151,32 @@ public function testCanOpenPutCurlConnection()
       ->andReturn(null);
     $this->curlMock
       ->shouldReceive('setopt_array')
-      ->with(array(
-          CURLOPT_URL            => 'http://baz.com',
-          CURLOPT_CONNECTTIMEOUT => 10,
-          CURLOPT_TIMEOUT        => 60,
-          CURLOPT_RETURNTRANSFER => true,
-          CURLOPT_HEADER         => true,
-          CURLOPT_CUSTOMREQUEST  => 'PUT',
-          CURLOPT_POSTFIELDS     => array(
-            'baz' => 'bar',
-          ),
-        ))
+      ->with(m::on(function($arg) {
+            $caInfo = array_diff($arg, [
+                CURLOPT_CUSTOMREQUEST  => 'PUT',
+                CURLOPT_HTTPHEADER     => [],
+                CURLOPT_URL            => 'http://baz.com',
+                CURLOPT_CONNECTTIMEOUT => 10,
+                CURLOPT_TIMEOUT        => 60,
+                CURLOPT_RETURNTRANSFER => true,
+                CURLOPT_HEADER         => true,
+                CURLOPT_SSL_VERIFYHOST => 2,
+                CURLOPT_SSL_VERIFYPEER => true,
+                CURLOPT_POSTFIELDS     => array(
+                  'baz' => 'bar',
+                ),
+              ]);
+
+            if (count($caInfo) !== 1) {
+              return false;
+            }
+
+            if (1 !== preg_match('/.+\/certs\/DigiCertHighAssuranceEVRootCA\.pem$/', $caInfo[CURLOPT_CAINFO])) {
+              return false;
+            }
+
+            return true;
+          }))
       ->once()
       ->andReturn(null);
 
@@ -129,34 +191,38 @@ public function testCanOpenDeleteCurlConnection()
       ->andReturn(null);
     $this->curlMock
       ->shouldReceive('setopt_array')
-      ->with(array(
-          CURLOPT_URL            => 'http://faz.com',
-          CURLOPT_CONNECTTIMEOUT => 10,
-          CURLOPT_TIMEOUT        => 60,
-          CURLOPT_RETURNTRANSFER => true,
-          CURLOPT_HEADER         => true,
-          CURLOPT_CUSTOMREQUEST  => 'DELETE',
-          CURLOPT_POSTFIELDS     => array(
-            'baz' => 'bar',
-          ),
-        ))
+      ->with(m::on(function($arg) {
+            $caInfo = array_diff($arg, [
+                CURLOPT_CUSTOMREQUEST  => 'DELETE',
+                CURLOPT_HTTPHEADER     => [],
+                CURLOPT_URL            => 'http://faz.com',
+                CURLOPT_CONNECTTIMEOUT => 10,
+                CURLOPT_TIMEOUT        => 60,
+                CURLOPT_RETURNTRANSFER => true,
+                CURLOPT_HEADER         => true,
+                CURLOPT_SSL_VERIFYHOST => 2,
+                CURLOPT_SSL_VERIFYPEER => true,
+                CURLOPT_POSTFIELDS     => array(
+                  'baz' => 'bar',
+                ),
+              ]);
+
+            if (count($caInfo) !== 1) {
+              return false;
+            }
+
+            if (1 !== preg_match('/.+\/certs\/DigiCertHighAssuranceEVRootCA\.pem$/', $caInfo[CURLOPT_CAINFO])) {
+              return false;
+            }
+
+            return true;
+          }))
       ->once()
       ->andReturn(null);
 
     $this->curlClient->openConnection('http://faz.com', 'DELETE', array('baz' => 'bar'));
   }
 
-  public function testCanAddBundledCert()
-  {
-    $this->curlMock
-      ->shouldReceive('setopt')
-      ->with(CURLOPT_CAINFO, '/.fb_ca_chain_bundle\.crt$/')
-      ->once()
-      ->andReturn(null);
-
-    $this->curlClient->addBundledCert();
-  }
-
   public function testCanCloseConnection()
   {
     $this->curlMock

tests/HttpClients/FacebookCurlHttpClientTest.php

@@ -49,8 +49,14 @@ public function testCanSendNormalRequest()
     $this->guzzleMock
       ->shouldReceive('createRequest')
       ->once()
-      ->with('GET', 'http://foo.com/', array())
+      ->with('GET', 'http://foo.com/', m::on(function($arg) {
+            if (1 !== preg_match('/.+\/certs\/DigiCertHighAssuranceEVRootCA\.pem$/', $arg['verify'])) {
+              return false;
+            }
+            return true;
+          }))
       ->andReturn($requestMock);
+
     $this->guzzleMock
       ->shouldReceive('send')
       ->once()
@@ -83,8 +89,14 @@ public function testThrowsExceptionOnClientError()
     $this->guzzleMock
       ->shouldReceive('createRequest')
       ->once()
-      ->with('GET', 'http://foo.com/', array())
+      ->with('GET', 'http://foo.com/', m::on(function($arg) {
+            if (1 !== preg_match('/.+\/certs\/DigiCertHighAssuranceEVRootCA\.pem$/', $arg['verify'])) {
+              return false;
+            }
+            return true;
+          }))
       ->andReturn($requestMock);
+
     $this->guzzleMock
       ->shouldReceive('send')
       ->once()