• file
• revisions
• annotate
• diff
• comparison
• raw

security/manager/ssl/src/nsSDR.cpp@b8a032363ba2 (annotated)

security/manager/ssl/src/nsSDR.cpp

Thu, 22 Jan 2015 13:21:57 +0100

author

Michael Schloh von Bennewitz <michael@schloh.com>

date

Thu, 22 Jan 2015 13:21:57 +0100

branch

TOR_BUG_9701

changeset 15

b8a032363ba2

permissions

-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0	1	/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
michael@0	2	*
michael@0	3	* This Source Code Form is subject to the terms of the Mozilla Public
michael@0	4	* License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0	5	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0	6
michael@0	7	#include "stdlib.h"
michael@0	8	#include "plstr.h"
michael@0	9	#include "plbase64.h"
michael@0	10
michael@0	11	#include "mozilla/Services.h"
michael@0	12	#include "nsMemory.h"
michael@0	13	#include "nsString.h"
michael@0	14	#include "nsCOMPtr.h"
michael@0	15	#include "nsThreadUtils.h"
michael@0	16	#include "nsIInterfaceRequestor.h"
michael@0	17	#include "nsIInterfaceRequestorUtils.h"
michael@0	18	#include "nsIServiceManager.h"
michael@0	19	#include "nsITokenPasswordDialogs.h"
michael@0	20
michael@0	21	#include "nsISecretDecoderRing.h"
michael@0	22	#include "nsCRT.h"
michael@0	23	#include "nsSDR.h"
michael@0	24	#include "nsNSSComponent.h"
michael@0	25	#include "nsNSSShutDown.h"
michael@0	26	#include "ScopedNSSTypes.h"
michael@0	27
michael@0	28	#include "pk11func.h"
michael@0	29	#include "pk11sdr.h" // For PK11SDR_Encrypt, PK11SDR_Decrypt
michael@0	30
michael@0	31	#include "ssl.h" // For SSL_ClearSessionCache
michael@0	32
michael@0	33	using namespace mozilla;
michael@0	34
michael@0	35	// Standard ISupports implementation
michael@0	36	// NOTE: Should these be the thread-safe versions?
michael@0	37	NS_IMPL_ISUPPORTS(nsSecretDecoderRing, nsISecretDecoderRing, nsISecretDecoderRingConfig)
michael@0	38
michael@0	39	// nsSecretDecoderRing constructor
michael@0	40	nsSecretDecoderRing::nsSecretDecoderRing()
michael@0	41	{
michael@0	42	// initialize superclass
michael@0	43	}
michael@0	44
michael@0	45	// nsSecretDecoderRing destructor
michael@0	46	nsSecretDecoderRing::~nsSecretDecoderRing()
michael@0	47	{
michael@0	48	}
michael@0	49
michael@0	50	/* [noscript] long encrypt (in buffer data, in long dataLen, out buffer result); */
michael@0	51	NS_IMETHODIMP nsSecretDecoderRing::
michael@0	52	Encrypt(unsigned char * data, int32_t dataLen, unsigned char * *result, int32_t *_retval)
michael@0	53	{
michael@0	54	nsNSSShutDownPreventionLock locker;
michael@0	55	nsresult rv = NS_OK;
michael@0	56	ScopedPK11SlotInfo slot;
michael@0	57	SECItem keyid;
michael@0	58	SECItem request;
michael@0	59	SECItem reply;
michael@0	60	SECStatus s;
michael@0	61	nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
michael@0	62
michael@0	63	slot = PK11_GetInternalKeySlot();
michael@0	64	if (!slot) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; }
michael@0	65
michael@0	66	/* Make sure token is initialized. */
michael@0	67	rv = setPassword(slot, ctx);
michael@0	68	if (NS_FAILED(rv))
michael@0	69	goto loser;
michael@0	70
michael@0	71	/* Force authentication */
michael@0	72	s = PK11_Authenticate(slot, true, ctx);
michael@0	73	if (s != SECSuccess) { rv = NS_ERROR_FAILURE; goto loser; }
michael@0	74
michael@0	75	/* Use default key id */
michael@0	76	keyid.data = 0;
michael@0	77	keyid.len = 0;
michael@0	78	request.data = data;
michael@0	79	request.len = dataLen;
michael@0	80	reply.data = 0;
michael@0	81	reply.len = 0;
michael@0	82	s= PK11SDR_Encrypt(&keyid, &request, &reply, ctx);
michael@0	83	if (s != SECSuccess) { rv = NS_ERROR_FAILURE; goto loser; }
michael@0	84
michael@0	85	*result = reply.data;
michael@0	86	*_retval = reply.len;
michael@0	87
michael@0	88	loser:
michael@0	89	return rv;
michael@0	90	}
michael@0	91
michael@0	92	/* [noscript] long decrypt (in buffer data, in long dataLen, out buffer result); */
michael@0	93	NS_IMETHODIMP nsSecretDecoderRing::
michael@0	94	Decrypt(unsigned char * data, int32_t dataLen, unsigned char * *result, int32_t *_retval)
michael@0	95	{
michael@0	96	nsNSSShutDownPreventionLock locker;
michael@0	97	nsresult rv = NS_OK;
michael@0	98	ScopedPK11SlotInfo slot;
michael@0	99	SECStatus s;
michael@0	100	SECItem request;
michael@0	101	SECItem reply;
michael@0	102	nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
michael@0	103
michael@0	104	*result = 0;
michael@0	105	*_retval = 0;
michael@0	106
michael@0	107	/* Find token with SDR key */
michael@0	108	slot = PK11_GetInternalKeySlot();
michael@0	109	if (!slot) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; }
michael@0	110
michael@0	111	/* Force authentication */
michael@0	112	if (PK11_Authenticate(slot, true, ctx) != SECSuccess)
michael@0	113	{
michael@0	114	rv = NS_ERROR_NOT_AVAILABLE;
michael@0	115	goto loser;
michael@0	116	}
michael@0	117
michael@0	118	request.data = data;
michael@0	119	request.len = dataLen;
michael@0	120	reply.data = 0;
michael@0	121	reply.len = 0;
michael@0	122	s = PK11SDR_Decrypt(&request, &reply, ctx);
michael@0	123	if (s != SECSuccess) { rv = NS_ERROR_FAILURE; goto loser; }
michael@0	124
michael@0	125	*result = reply.data;
michael@0	126	*_retval = reply.len;
michael@0	127
michael@0	128	loser:
michael@0	129	return rv;
michael@0	130	}
michael@0	131
michael@0	132	/* string encryptString (in string text); */
michael@0	133	NS_IMETHODIMP nsSecretDecoderRing::
michael@0	134	EncryptString(const char *text, char **_retval)
michael@0	135	{
michael@0	136	nsNSSShutDownPreventionLock locker;
michael@0	137	nsresult rv = NS_OK;
michael@0	138	unsigned char *encrypted = 0;
michael@0	139	int32_t eLen;
michael@0	140
michael@0	141	if (!text || !_retval) {
michael@0	142	rv = NS_ERROR_INVALID_POINTER;
michael@0	143	goto loser;
michael@0	144	}
michael@0	145
michael@0	146	rv = Encrypt((unsigned char *)text, strlen(text), &encrypted, &eLen);
michael@0	147	if (rv != NS_OK) { goto loser; }
michael@0	148
michael@0	149	rv = encode(encrypted, eLen, _retval);
michael@0	150
michael@0	151	loser:
michael@0	152	if (encrypted) PORT_Free(encrypted);
michael@0	153
michael@0	154	return rv;
michael@0	155	}
michael@0	156
michael@0	157	/* string decryptString (in string crypt); */
michael@0	158	NS_IMETHODIMP nsSecretDecoderRing::
michael@0	159	DecryptString(const char *crypt, char **_retval)
michael@0	160	{
michael@0	161	nsNSSShutDownPreventionLock locker;
michael@0	162	nsresult rv = NS_OK;
michael@0	163	char *r = 0;
michael@0	164	unsigned char *decoded = 0;
michael@0	165	int32_t decodedLen;
michael@0	166	unsigned char *decrypted = 0;
michael@0	167	int32_t decryptedLen;
michael@0	168
michael@0	169	if (!crypt || !_retval) {
michael@0	170	rv = NS_ERROR_INVALID_POINTER;
michael@0	171	goto loser;
michael@0	172	}
michael@0	173
michael@0	174	rv = decode(crypt, &decoded, &decodedLen);
michael@0	175	if (rv != NS_OK) goto loser;
michael@0	176
michael@0	177	rv = Decrypt(decoded, decodedLen, &decrypted, &decryptedLen);
michael@0	178	if (rv != NS_OK) goto loser;
michael@0	179
michael@0	180	// Convert to NUL-terminated string
michael@0	181	r = (char *)nsMemory::Alloc(decryptedLen+1);
michael@0	182	if (!r) { rv = NS_ERROR_OUT_OF_MEMORY; goto loser; }
michael@0	183
michael@0	184	memcpy(r, decrypted, decryptedLen);
michael@0	185	r[decryptedLen] = 0;
michael@0	186
michael@0	187	*_retval = r;
michael@0	188	r = 0;
michael@0	189
michael@0	190	loser:
michael@0	191	if (decrypted) PORT_Free(decrypted);
michael@0	192	if (decoded) PR_DELETE(decoded);
michael@0	193
michael@0	194	return rv;
michael@0	195	}
michael@0	196
michael@0	197	/* void changePassword(); */
michael@0	198	NS_IMETHODIMP nsSecretDecoderRing::
michael@0	199	ChangePassword()
michael@0	200	{
michael@0	201	nsNSSShutDownPreventionLock locker;
michael@0	202	nsresult rv;
michael@0	203	ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
michael@0	204	if (!slot) return NS_ERROR_NOT_AVAILABLE;
michael@0	205
michael@0	206	/* Convert UTF8 token name to UCS2 */
michael@0	207	NS_ConvertUTF8toUTF16 tokenName(PK11_GetTokenName(slot));
michael@0	208
michael@0	209	/* Get the set password dialog handler imlementation */
michael@0	210	nsCOMPtr<nsITokenPasswordDialogs> dialogs;
michael@0	211
michael@0	212	rv = getNSSDialogs(getter_AddRefs(dialogs),
michael@0	213	NS_GET_IID(nsITokenPasswordDialogs),
michael@0	214	NS_TOKENPASSWORDSDIALOG_CONTRACTID);
michael@0	215	if (NS_FAILED(rv)) return rv;
michael@0	216
michael@0	217	nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
michael@0	218	bool canceled;
michael@0	219
michael@0	220	{
michael@0	221	nsPSMUITracker tracker;
michael@0	222	if (tracker.isUIForbidden()) {
michael@0	223	rv = NS_ERROR_NOT_AVAILABLE;
michael@0	224	}
michael@0	225	else {
michael@0	226	rv = dialogs->SetPassword(ctx, tokenName.get(), &canceled);
michael@0	227	}
michael@0	228	}
michael@0	229
michael@0	230	/* canceled is ignored */
michael@0	231
michael@0	232	return rv;
michael@0	233	}
michael@0	234
michael@0	235	NS_IMETHODIMP nsSecretDecoderRing::
michael@0	236	Logout()
michael@0	237	{
michael@0	238	static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
michael@0	239
michael@0	240	nsresult rv;
michael@0	241	nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
michael@0	242	if (NS_FAILED(rv))
michael@0	243	return rv;
michael@0	244
michael@0	245	{
michael@0	246	nsNSSShutDownPreventionLock locker;
michael@0	247	PK11_LogoutAll();
michael@0	248	SSL_ClearSessionCache();
michael@0	249	}
michael@0	250
michael@0	251	return NS_OK;
michael@0	252	}
michael@0	253
michael@0	254	NS_IMETHODIMP nsSecretDecoderRing::
michael@0	255	LogoutAndTeardown()
michael@0	256	{
michael@0	257	static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
michael@0	258
michael@0	259	nsresult rv;
michael@0	260	nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
michael@0	261	if (NS_FAILED(rv))
michael@0	262	return rv;
michael@0	263
michael@0	264	{
michael@0	265	nsNSSShutDownPreventionLock locker;
michael@0	266	PK11_LogoutAll();
michael@0	267	SSL_ClearSessionCache();
michael@0	268	}
michael@0	269
michael@0	270	rv = nssComponent->LogoutAuthenticatedPK11();
michael@0	271
michael@0	272	// After we just logged out, we need to prune dead connections to make
michael@0	273	// sure that all connections that should be stopped, are stopped. See
michael@0	274	// bug 517584.
michael@0	275	nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService();
michael@0	276	if (os)
michael@0	277	os->NotifyObservers(nullptr, "net:prune-dead-connections", nullptr);
michael@0	278
michael@0	279	return rv;
michael@0	280	}
michael@0	281
michael@0	282	/* void setWindow(in nsISupports w); */
michael@0	283	NS_IMETHODIMP nsSecretDecoderRing::
michael@0	284	SetWindow(nsISupports *w)
michael@0	285	{
michael@0	286	return NS_OK;
michael@0	287	}
michael@0	288
michael@0	289	// Support routines
michael@0	290
michael@0	291	nsresult nsSecretDecoderRing::
michael@0	292	encode(const unsigned char *data, int32_t dataLen, char **_retval)
michael@0	293	{
michael@0	294	nsresult rv = NS_OK;
michael@0	295
michael@0	296	char *result = PL_Base64Encode((const char *)data, dataLen, nullptr);
michael@0	297	if (!result) { rv = NS_ERROR_OUT_OF_MEMORY; goto loser; }
michael@0	298
michael@0	299	*_retval = NS_strdup(result);
michael@0	300	PR_DELETE(result);
michael@0	301	if (!*_retval) { rv = NS_ERROR_OUT_OF_MEMORY; goto loser; }
michael@0	302
michael@0	303	loser:
michael@0	304	return rv;
michael@0	305	}
michael@0	306
michael@0	307	nsresult nsSecretDecoderRing::
michael@0	308	decode(const char *data, unsigned char **result, int32_t * _retval)
michael@0	309	{
michael@0	310	nsresult rv = NS_OK;
michael@0	311	uint32_t len = strlen(data);
michael@0	312	int adjust = 0;
michael@0	313
michael@0	314	/* Compute length adjustment */
michael@0	315	if (data[len-1] == '=') {
michael@0	316	adjust++;
michael@0	317	if (data[len-2] == '=') adjust++;
michael@0	318	}
michael@0	319
michael@0	320	*result = (unsigned char *)PL_Base64Decode(data, len, nullptr);
michael@0	321	if (!*result) { rv = NS_ERROR_ILLEGAL_VALUE; goto loser; }
michael@0	322
michael@0	323	*_retval = (len*3)/4 - adjust;
michael@0	324
michael@0	325	loser:
michael@0	326	return rv;
michael@0	327	}