The Tor Browser: security/manager/ssl/src/nsNSSCertTrust.cpp@b8a032363ba2 (annotated)

security/manager/ssl/src/nsNSSCertTrust.cpp@b8a032363ba2 (annotated)

security/manager/ssl/src/nsNSSCertTrust.cpp

Thu, 22 Jan 2015 13:21:57 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 22 Jan 2015 13:21:57 +0100
branch: TOR_BUG_9701
changeset 15: b8a032363ba2
permissions: -rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "nsNSSCertTrust.h"
 void
 nsNSSCertTrust::AddCATrust(bool ssl, bool email, bool objSign)
 {
   if (ssl) {
     addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
     addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
   }
   if (email) {
     addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
     addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
   }
   if (objSign) {
     addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
     addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
   }
 }
 void
 nsNSSCertTrust::AddPeerTrust(bool ssl, bool email, bool objSign)
 {
   if (ssl)
     addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
   if (email)
     addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
   if (objSign)
     addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
 }
 nsNSSCertTrust::nsNSSCertTrust()
 {
   memset(&mTrust, 0, sizeof(CERTCertTrust));
 }
 nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl,
                                unsigned int email,
                                unsigned int objsign)
 {
   memset(&mTrust, 0, sizeof(CERTCertTrust));
   addTrust(&mTrust.sslFlags, ssl);
   addTrust(&mTrust.emailFlags, email);
   addTrust(&mTrust.objectSigningFlags, objsign);
 }
 nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust *t)
 {
   if (t)
     memcpy(&mTrust, t, sizeof(CERTCertTrust));
   else
     memset(&mTrust, 0, sizeof(CERTCertTrust));
 }
 nsNSSCertTrust::~nsNSSCertTrust()
 {
 }
 void
 nsNSSCertTrust::SetSSLTrust(bool peer, bool tPeer,
                             bool ca,   bool tCA, bool tClientCA,
                             bool user, bool warn)
 {
   mTrust.sslFlags = 0;
   if (peer || tPeer)
     addTrust(&mTrust.sslFlags, CERTDB_TERMINAL_RECORD);
   if (tPeer)
     addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
   if (ca || tCA)
     addTrust(&mTrust.sslFlags, CERTDB_VALID_CA);
   if (tClientCA)
     addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
   if (tCA)
     addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
   if (user)
     addTrust(&mTrust.sslFlags, CERTDB_USER);
   if (warn)
     addTrust(&mTrust.sslFlags, CERTDB_SEND_WARN);
 }
 void
 nsNSSCertTrust::SetEmailTrust(bool peer, bool tPeer,
                               bool ca,   bool tCA, bool tClientCA,
                               bool user, bool warn)
 {
   mTrust.emailFlags = 0;
   if (peer || tPeer)
     addTrust(&mTrust.emailFlags, CERTDB_TERMINAL_RECORD);
   if (tPeer)
     addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
   if (ca || tCA)
     addTrust(&mTrust.emailFlags, CERTDB_VALID_CA);
   if (tClientCA)
     addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
   if (tCA)
     addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
   if (user)
     addTrust(&mTrust.emailFlags, CERTDB_USER);
   if (warn)
     addTrust(&mTrust.emailFlags, CERTDB_SEND_WARN);
 }
 void
 nsNSSCertTrust::SetObjSignTrust(bool peer, bool tPeer,
                                 bool ca,   bool tCA, bool tClientCA,
                                 bool user, bool warn)
 {
   mTrust.objectSigningFlags = 0;
   if (peer || tPeer)
     addTrust(&mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD);
   if (tPeer)
     addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
   if (ca || tCA)
     addTrust(&mTrust.objectSigningFlags, CERTDB_VALID_CA);
   if (tClientCA)
     addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
   if (tCA)
     addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
   if (user)
     addTrust(&mTrust.objectSigningFlags, CERTDB_USER);
   if (warn)
     addTrust(&mTrust.objectSigningFlags, CERTDB_SEND_WARN);
 }
 void
 nsNSSCertTrust::SetValidCA()
 {
   SetSSLTrust(false, false,
               true, false, false,
               false, false);
   SetEmailTrust(false, false,
                 true, false, false,
                 false, false);
   SetObjSignTrust(false, false,
                   true, false, false,
                   false, false);
 }
 void
 nsNSSCertTrust::SetTrustedServerCA()
 {
   SetSSLTrust(false, false,
               true, true, false,
               false, false);
   SetEmailTrust(false, false,
                 true, true, false,
                 false, false);
   SetObjSignTrust(false, false,
                   true, true, false,
                   false, false);
 }
 void
 nsNSSCertTrust::SetTrustedCA()
 {
   SetSSLTrust(false, false,
               true, true, true,
               false, false);
   SetEmailTrust(false, false,
                 true, true, true,
                 false, false);
   SetObjSignTrust(false, false,
                   true, true, true,
                   false, false);
 }
 void
 nsNSSCertTrust::SetValidPeer()
 {
   SetSSLTrust(true, false,
               false, false, false,
               false, false);
   SetEmailTrust(true, false,
                 false, false, false,
                 false, false);
   SetObjSignTrust(true, false,
                   false, false, false,
                   false, false);
 }
 void
 nsNSSCertTrust::SetValidServerPeer()
 {
   SetSSLTrust(true, false,
               false, false, false,
               false, false);
   SetEmailTrust(false, false,
                 false, false, false,
                 false, false);
   SetObjSignTrust(false, false,
                   false, false, false,
                   false, false);
 }
 void
 nsNSSCertTrust::SetTrustedPeer()
 {
   SetSSLTrust(true, true,
               false, false, false,
               false, false);
   SetEmailTrust(true, true,
                 false, false, false,
                 false, false);
   SetObjSignTrust(true, true,
                   false, false, false,
                   false, false);
 }
 void
 nsNSSCertTrust::SetUser()
 {
   SetSSLTrust(false, false,
               false, false, false,
               true, false);
   SetEmailTrust(false, false,
                 false, false, false,
                 true, false);
   SetObjSignTrust(false, false,
                   false, false, false,
                   true, false);
 }
 bool
 nsNSSCertTrust::HasAnyCA()
 {
   if (hasTrust(mTrust.sslFlags, CERTDB_VALID_CA) ||
       hasTrust(mTrust.emailFlags, CERTDB_VALID_CA) ||
       hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
     return true;
   return false;
 }
 bool
 nsNSSCertTrust::HasCA(bool checkSSL,
                       bool checkEmail,
                       bool checkObjSign)
 {
   if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_VALID_CA))
     return false;
   if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_VALID_CA))
     return false;
   if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
     return false;
   return true;
 }
 bool
 nsNSSCertTrust::HasPeer(bool checkSSL,
                         bool checkEmail,
                         bool checkObjSign)
 {
   if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_TERMINAL_RECORD))
     return false;
   if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_TERMINAL_RECORD))
     return false;
   if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD))
     return false;
   return true;
 }
 bool
 nsNSSCertTrust::HasAnyUser()
 {
   if (hasTrust(mTrust.sslFlags, CERTDB_USER) ||
       hasTrust(mTrust.emailFlags, CERTDB_USER) ||
       hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
     return true;
   return false;
 }
 bool
 nsNSSCertTrust::HasUser(bool checkSSL,
                         bool checkEmail,
                         bool checkObjSign)
 {
   if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_USER))
     return false;
   if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_USER))
     return false;
   if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
     return false;
   return true;
 }
 bool
 nsNSSCertTrust::HasTrustedCA(bool checkSSL,
                              bool checkEmail,
                              bool checkObjSign)
 {
   if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CA) ||
                     hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA)))
     return false;
   if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CA) ||
                       hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA)))
     return false;
   if (checkObjSign &&
        !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CA) ||
          hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA)))
     return false;
   return true;
 }
 bool
 nsNSSCertTrust::HasTrustedPeer(bool checkSSL,
                                bool checkEmail,
                                bool checkObjSign)
 {
   if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED)))
     return false;
   if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED)))
     return false;
   if (checkObjSign &&
        !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED)))
     return false;
   return true;
 }
 void
 nsNSSCertTrust::addTrust(unsigned int *t, unsigned int v)
 {
   *t |= v;
 }
 bool
 nsNSSCertTrust::hasTrust(unsigned int t, unsigned int v)
 {
   return !!(t & v);
 }

The Tor Browser / annotate

security/manager/ssl/src/nsNSSCertTrust.cpp@b8a032363ba2 (annotated)

security/manager/ssl/src/nsNSSCertTrust.cpp