security/manager/ssl/src/nsRecentBadCerts.cpp@b8a032363ba2 (annotated)
security/manager/ssl/src/nsRecentBadCerts.cpp
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- |
| michael@0 | 2 | * |
| michael@0 | 3 | * This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| michael@0 | 6 | |
| michael@0 | 7 | #include "nsRecentBadCerts.h" |
| michael@0 | 8 | |
| michael@0 | 9 | #include "pkix/pkixtypes.h" |
| michael@0 | 10 | #include "nsIX509Cert.h" |
| michael@0 | 11 | #include "nsIObserverService.h" |
| michael@0 | 12 | #include "mozilla/RefPtr.h" |
| michael@0 | 13 | #include "mozilla/Services.h" |
| michael@0 | 14 | #include "nsSSLStatus.h" |
| michael@0 | 15 | #include "nsCOMPtr.h" |
| michael@0 | 16 | #include "nsNSSCertificate.h" |
| michael@0 | 17 | #include "nsCRT.h" |
| michael@0 | 18 | #include "nsPromiseFlatString.h" |
| michael@0 | 19 | #include "nsStringBuffer.h" |
| michael@0 | 20 | #include "nspr.h" |
| michael@0 | 21 | #include "pk11pub.h" |
| michael@0 | 22 | #include "certdb.h" |
| michael@0 | 23 | #include "sechash.h" |
| michael@0 | 24 | |
| michael@0 | 25 | using namespace mozilla; |
| michael@0 | 26 | |
| michael@0 | 27 | NS_IMPL_ISUPPORTS(nsRecentBadCerts, nsIRecentBadCerts) |
| michael@0 | 28 | |
| michael@0 | 29 | nsRecentBadCerts::nsRecentBadCerts() |
| michael@0 | 30 | :monitor("nsRecentBadCerts.monitor") |
| michael@0 | 31 | ,mNextStorePosition(0) |
| michael@0 | 32 | { |
| michael@0 | 33 | } |
| michael@0 | 34 | |
| michael@0 | 35 | nsRecentBadCerts::~nsRecentBadCerts() |
| michael@0 | 36 | { |
| michael@0 | 37 | } |
| michael@0 | 38 | |
| michael@0 | 39 | NS_IMETHODIMP |
| michael@0 | 40 | nsRecentBadCerts::GetRecentBadCert(const nsAString & aHostNameWithPort, |
| michael@0 | 41 | nsISSLStatus **aStatus) |
| michael@0 | 42 | { |
| michael@0 | 43 | NS_ENSURE_ARG_POINTER(aStatus); |
| michael@0 | 44 | if (!aHostNameWithPort.Length()) |
| michael@0 | 45 | return NS_ERROR_INVALID_ARG; |
| michael@0 | 46 | |
| michael@0 | 47 | *aStatus = nullptr; |
| michael@0 | 48 | RefPtr<nsSSLStatus> status(new nsSSLStatus()); |
| michael@0 | 49 | |
| michael@0 | 50 | SECItem foundDER; |
| michael@0 | 51 | foundDER.len = 0; |
| michael@0 | 52 | foundDER.data = nullptr; |
| michael@0 | 53 | |
| michael@0 | 54 | bool isDomainMismatch = false; |
| michael@0 | 55 | bool isNotValidAtThisTime = false; |
| michael@0 | 56 | bool isUntrusted = false; |
| michael@0 | 57 | |
| michael@0 | 58 | { |
| michael@0 | 59 | ReentrantMonitorAutoEnter lock(monitor); |
| michael@0 | 60 | for (size_t i=0; i<const_recently_seen_list_size; ++i) { |
| michael@0 | 61 | if (mCerts[i].mHostWithPort.Equals(aHostNameWithPort)) { |
| michael@0 | 62 | SECStatus srv = SECITEM_CopyItem(nullptr, &foundDER, &mCerts[i].mDERCert); |
| michael@0 | 63 | if (srv != SECSuccess) |
| michael@0 | 64 | return NS_ERROR_OUT_OF_MEMORY; |
| michael@0 | 65 | |
| michael@0 | 66 | isDomainMismatch = mCerts[i].isDomainMismatch; |
| michael@0 | 67 | isNotValidAtThisTime = mCerts[i].isNotValidAtThisTime; |
| michael@0 | 68 | isUntrusted = mCerts[i].isUntrusted; |
| michael@0 | 69 | } |
| michael@0 | 70 | } |
| michael@0 | 71 | } |
| michael@0 | 72 | |
| michael@0 | 73 | if (foundDER.len) { |
| michael@0 | 74 | CERTCertDBHandle *certdb = CERT_GetDefaultCertDB(); |
| michael@0 | 75 | mozilla::pkix::ScopedCERTCertificate nssCert( |
| michael@0 | 76 | CERT_FindCertByDERCert(certdb, &foundDER)); |
| michael@0 | 77 | if (!nssCert) |
| michael@0 | 78 | nssCert = CERT_NewTempCertificate(certdb, &foundDER, |
| michael@0 | 79 | nullptr, // no nickname |
| michael@0 | 80 | false, // not perm |
| michael@0 | 81 | true); // copy der |
| michael@0 | 82 | |
| michael@0 | 83 | SECITEM_FreeItem(&foundDER, false); |
| michael@0 | 84 | |
| michael@0 | 85 | if (!nssCert) |
| michael@0 | 86 | return NS_ERROR_FAILURE; |
| michael@0 | 87 | |
| michael@0 | 88 | status->mServerCert = nsNSSCertificate::Create(nssCert.get()); |
| michael@0 | 89 | status->mHaveCertErrorBits = true; |
| michael@0 | 90 | status->mIsDomainMismatch = isDomainMismatch; |
| michael@0 | 91 | status->mIsNotValidAtThisTime = isNotValidAtThisTime; |
| michael@0 | 92 | status->mIsUntrusted = isUntrusted; |
| michael@0 | 93 | |
| michael@0 | 94 | *aStatus = status; |
| michael@0 | 95 | NS_IF_ADDREF(*aStatus); |
| michael@0 | 96 | } |
| michael@0 | 97 | |
| michael@0 | 98 | return NS_OK; |
| michael@0 | 99 | } |
| michael@0 | 100 | |
| michael@0 | 101 | NS_IMETHODIMP |
| michael@0 | 102 | nsRecentBadCerts::AddBadCert(const nsAString &hostWithPort, |
| michael@0 | 103 | nsISSLStatus *aStatus) |
| michael@0 | 104 | { |
| michael@0 | 105 | NS_ENSURE_ARG(aStatus); |
| michael@0 | 106 | |
| michael@0 | 107 | nsCOMPtr<nsIX509Cert> cert; |
| michael@0 | 108 | nsresult rv; |
| michael@0 | 109 | rv = aStatus->GetServerCert(getter_AddRefs(cert)); |
| michael@0 | 110 | NS_ENSURE_SUCCESS(rv, rv); |
| michael@0 | 111 | |
| michael@0 | 112 | bool isDomainMismatch; |
| michael@0 | 113 | bool isNotValidAtThisTime; |
| michael@0 | 114 | bool isUntrusted; |
| michael@0 | 115 | |
| michael@0 | 116 | rv = aStatus->GetIsDomainMismatch(&isDomainMismatch); |
| michael@0 | 117 | NS_ENSURE_SUCCESS(rv, rv); |
| michael@0 | 118 | |
| michael@0 | 119 | rv = aStatus->GetIsNotValidAtThisTime(&isNotValidAtThisTime); |
| michael@0 | 120 | NS_ENSURE_SUCCESS(rv, rv); |
| michael@0 | 121 | |
| michael@0 | 122 | rv = aStatus->GetIsUntrusted(&isUntrusted); |
| michael@0 | 123 | NS_ENSURE_SUCCESS(rv, rv); |
| michael@0 | 124 | |
| michael@0 | 125 | SECItem tempItem; |
| michael@0 | 126 | rv = cert->GetRawDER(&tempItem.len, (uint8_t **)&tempItem.data); |
| michael@0 | 127 | NS_ENSURE_SUCCESS(rv, rv); |
| michael@0 | 128 | |
| michael@0 | 129 | { |
| michael@0 | 130 | ReentrantMonitorAutoEnter lock(monitor); |
| michael@0 | 131 | RecentBadCert &updatedEntry = mCerts[mNextStorePosition]; |
| michael@0 | 132 | |
| michael@0 | 133 | ++mNextStorePosition; |
| michael@0 | 134 | if (mNextStorePosition == const_recently_seen_list_size) |
| michael@0 | 135 | mNextStorePosition = 0; |
| michael@0 | 136 | |
| michael@0 | 137 | updatedEntry.Clear(); |
| michael@0 | 138 | updatedEntry.mHostWithPort = hostWithPort; |
| michael@0 | 139 | updatedEntry.mDERCert = tempItem; // consume |
| michael@0 | 140 | updatedEntry.isDomainMismatch = isDomainMismatch; |
| michael@0 | 141 | updatedEntry.isNotValidAtThisTime = isNotValidAtThisTime; |
| michael@0 | 142 | updatedEntry.isUntrusted = isUntrusted; |
| michael@0 | 143 | } |
| michael@0 | 144 | |
| michael@0 | 145 | return NS_OK; |
| michael@0 | 146 | } |
| michael@0 | 147 | |
| michael@0 | 148 | NS_IMETHODIMP |
| michael@0 | 149 | nsRecentBadCerts::ResetStoredCerts() |
| michael@0 | 150 | { |
| michael@0 | 151 | for (size_t i = 0; i < const_recently_seen_list_size; ++i) { |
| michael@0 | 152 | RecentBadCert &entry = mCerts[i]; |
| michael@0 | 153 | entry.Clear(); |
| michael@0 | 154 | } |
| michael@0 | 155 | return NS_OK; |
| michael@0 | 156 | } |
