The Tor Browser: security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c@b8a032363ba2 (annotated)

security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c@b8a032363ba2 (annotated)

security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c

Thu, 22 Jan 2015 13:21:57 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 22 Jan 2015 13:21:57 +0100
branch: TOR_BUG_9701
changeset 15: b8a032363ba2
permissions: -rwxr-xr-x

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * pkix_revocationchecker.c
  *
  * RevocationChecker Object Functions
  *
  */
 #include "pkix_revocationchecker.h"
 #include "pkix_tools.h"
 /* --Private-Functions-------------------------------------------- */
 /*
  * FUNCTION: pkix_RevocationChecker_Destroy
  *      (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
  */
 static PKIX_Error *
 pkix_RevocationChecker_Destroy(
         PKIX_PL_Object *object,
         void *plContext)
 {
         PKIX_RevocationChecker *checker = NULL;
         PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_Destroy");
         PKIX_NULLCHECK_ONE(object);
         /* Check that this object is a revocation checker */
         PKIX_CHECK(pkix_CheckType
                     (object, PKIX_REVOCATIONCHECKER_TYPE, plContext),
                     PKIX_OBJECTNOTREVOCATIONCHECKER);
         checker = (PKIX_RevocationChecker *)object;
         PKIX_DECREF(checker->leafMethodList);
         PKIX_DECREF(checker->chainMethodList);
 cleanup:
         PKIX_RETURN(REVOCATIONCHECKER);
 }
 /*
  * FUNCTION: pkix_RevocationChecker_Duplicate
  * (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
  */
 static PKIX_Error *
 pkix_RevocationChecker_Duplicate(
         PKIX_PL_Object *object,
         PKIX_PL_Object **pNewObject,
         void *plContext)
 {
         PKIX_RevocationChecker *checker = NULL;
         PKIX_RevocationChecker *checkerDuplicate = NULL;
         PKIX_List *dupLeafList = NULL;
         PKIX_List *dupChainList = NULL;
         PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_Duplicate");
         PKIX_NULLCHECK_TWO(object, pNewObject);
         PKIX_CHECK(pkix_CheckType
                     (object, PKIX_REVOCATIONCHECKER_TYPE, plContext),
                     PKIX_OBJECTNOTCERTCHAINCHECKER);
         checker = (PKIX_RevocationChecker *)object;
         if (checker->leafMethodList){
                 PKIX_CHECK(PKIX_PL_Object_Duplicate
                             ((PKIX_PL_Object *)checker->leafMethodList,
                             (PKIX_PL_Object **)&dupLeafList,
                             plContext),
                             PKIX_OBJECTDUPLICATEFAILED);
         }
         if (checker->chainMethodList){
                 PKIX_CHECK(PKIX_PL_Object_Duplicate
                             ((PKIX_PL_Object *)checker->chainMethodList,
                             (PKIX_PL_Object **)&dupChainList,
                             plContext),
                             PKIX_OBJECTDUPLICATEFAILED);
         }
         PKIX_CHECK(
             PKIX_RevocationChecker_Create(checker->leafMethodListFlags,
                                           checker->chainMethodListFlags,
                                           &checkerDuplicate,
                                           plContext),
             PKIX_REVOCATIONCHECKERCREATEFAILED);
         checkerDuplicate->leafMethodList = dupLeafList;
         checkerDuplicate->chainMethodList = dupChainList;
         dupLeafList = NULL;
         dupChainList = NULL;
         *pNewObject = (PKIX_PL_Object *)checkerDuplicate;
 cleanup:
         PKIX_DECREF(dupLeafList);
         PKIX_DECREF(dupChainList);
         PKIX_RETURN(REVOCATIONCHECKER);
 }
 /*
  * FUNCTION: pkix_RevocationChecker_RegisterSelf
  * DESCRIPTION:
  *  Registers PKIX_REVOCATIONCHECKER_TYPE and its related functions with
  *  systemClasses[]
  * THREAD SAFETY:
  *  Not Thread Safe - for performance and complexity reasons
  *
  *  Since this function is only called by PKIX_PL_Initialize, which should
  *  only be called once, it is acceptable that this function is not
  *  thread-safe.
  */
 PKIX_Error *
 pkix_RevocationChecker_RegisterSelf(void *plContext)
 {
         extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
         pkix_ClassTable_Entry entry;
         PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_RegisterSelf");
         entry.description = "RevocationChecker";
         entry.objCounter = 0;
         entry.typeObjectSize = sizeof(PKIX_RevocationChecker);
         entry.destructor = pkix_RevocationChecker_Destroy;
         entry.equalsFunction = NULL;
         entry.hashcodeFunction = NULL;
         entry.toStringFunction = NULL;
         entry.comparator = NULL;
         entry.duplicateFunction = pkix_RevocationChecker_Duplicate;
         systemClasses[PKIX_REVOCATIONCHECKER_TYPE] = entry;
         PKIX_RETURN(REVOCATIONCHECKER);
 }
 /* Sort methods by theirs priorities */
 static PKIX_Error *
 pkix_RevocationChecker_SortComparator(
         PKIX_PL_Object *obj1,
         PKIX_PL_Object *obj2,
         PKIX_Int32 *pResult,
         void *plContext)
 {
     pkix_RevocationMethod *method1 = NULL, *method2 = NULL;
     PKIX_ENTER(BUILD, "pkix_RevocationChecker_SortComparator");
     method1 = (pkix_RevocationMethod *)obj1;
     method2 = (pkix_RevocationMethod *)obj2;
     *pResult = (method1->priority > method2->priority);
     PKIX_RETURN(BUILD);
 }
 /* --Public-Functions--------------------------------------------- */
 /*
  * FUNCTION: PKIX_RevocationChecker_Create (see comments in pkix_revchecker.h)
  */
 PKIX_Error *
 PKIX_RevocationChecker_Create(
     PKIX_UInt32 leafMethodListFlags,
     PKIX_UInt32 chainMethodListFlags,
     PKIX_RevocationChecker **pChecker,
     void *plContext)
 {
     PKIX_RevocationChecker *checker = NULL;
     PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_Create");
     PKIX_NULLCHECK_ONE(pChecker);
     PKIX_CHECK(
         PKIX_PL_Object_Alloc(PKIX_REVOCATIONCHECKER_TYPE,
                              sizeof (PKIX_RevocationChecker),
                              (PKIX_PL_Object **)&checker,
                              plContext),
         PKIX_COULDNOTCREATECERTCHAINCHECKEROBJECT);
     checker->leafMethodListFlags = leafMethodListFlags;
     checker->chainMethodListFlags = chainMethodListFlags;
     checker->leafMethodList = NULL;
     checker->chainMethodList = NULL;
     *pChecker = checker;
     checker = NULL;
 cleanup:
     PKIX_DECREF(checker);
     PKIX_RETURN(REVOCATIONCHECKER);
 }
 /*
  * FUNCTION: PKIX_RevocationChecker_CreateAndAddMethod
  */
 PKIX_Error *
 PKIX_RevocationChecker_CreateAndAddMethod(
     PKIX_RevocationChecker *revChecker,
     PKIX_ProcessingParams *params,
     PKIX_RevocationMethodType methodType,
     PKIX_UInt32 flags,
     PKIX_UInt32 priority,
     PKIX_PL_VerifyCallback verificationFn,
     PKIX_Boolean isLeafMethod,
     void *plContext)
 {
     PKIX_List **methodList = NULL;
     PKIX_List  *unsortedList = NULL;
     PKIX_List  *certStores = NULL;
     pkix_RevocationMethod *method = NULL;
     pkix_LocalRevocationCheckFn *localRevChecker = NULL;
     pkix_ExternalRevocationCheckFn *externRevChecker = NULL;
     PKIX_UInt32 miFlags;
     PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_CreateAndAddMethod");
     PKIX_NULLCHECK_ONE(revChecker);
     /* If the caller has said "Either one is sufficient, then don't let the
      * absence of any one method's info lead to an overall failure.
      */
     miFlags = isLeafMethod ? revChecker->leafMethodListFlags
 	                   : revChecker->chainMethodListFlags;
     if (miFlags & PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE)
 	flags &= ~PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO;
     switch (methodType) {
     case PKIX_RevocationMethod_CRL:
         localRevChecker = pkix_CrlChecker_CheckLocal;
         externRevChecker = pkix_CrlChecker_CheckExternal;
         PKIX_CHECK(
             PKIX_ProcessingParams_GetCertStores(params, &certStores,
                                                 plContext),
             PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED);
         PKIX_CHECK(
             pkix_CrlChecker_Create(methodType, flags, priority,
                                    localRevChecker, externRevChecker,
                                    certStores, verificationFn,
                                    &method,
                                    plContext),
             PKIX_COULDNOTCREATECRLCHECKEROBJECT);
         break;
     case PKIX_RevocationMethod_OCSP:
         localRevChecker = pkix_OcspChecker_CheckLocal;
         externRevChecker = pkix_OcspChecker_CheckExternal;
         PKIX_CHECK(
             pkix_OcspChecker_Create(methodType, flags, priority,
                                     localRevChecker, externRevChecker,
                                     verificationFn,
                                     &method,
                                     plContext),
             PKIX_COULDNOTCREATEOCSPCHECKEROBJECT);
         break;
     default:
         PKIX_ERROR(PKIX_INVALIDREVOCATIONMETHOD);
     }
     if (isLeafMethod) {
         methodList = &revChecker->leafMethodList;
     } else {
         methodList = &revChecker->chainMethodList;
     }
     if (*methodList == NULL) {
         PKIX_CHECK(
             PKIX_List_Create(methodList, plContext),
             PKIX_LISTCREATEFAILED);
     }
     unsortedList = *methodList;
     PKIX_CHECK(
         PKIX_List_AppendItem(unsortedList, (PKIX_PL_Object*)method, plContext),
         PKIX_LISTAPPENDITEMFAILED);
     PKIX_CHECK(
         pkix_List_BubbleSort(unsortedList,
                              pkix_RevocationChecker_SortComparator,
                              methodList, plContext),
         PKIX_LISTBUBBLESORTFAILED);
 cleanup:
     PKIX_DECREF(method);
     PKIX_DECREF(unsortedList);
     PKIX_DECREF(certStores);
     PKIX_RETURN(REVOCATIONCHECKER);
 }
 /*
  * FUNCTION: PKIX_RevocationChecker_Check
  */
 PKIX_Error *
 PKIX_RevocationChecker_Check(
     PKIX_PL_Cert *cert,
     PKIX_PL_Cert *issuer,
     PKIX_RevocationChecker *revChecker,
     PKIX_ProcessingParams *procParams,
     PKIX_Boolean chainVerificationState,
     PKIX_Boolean testingLeafCert,
     PKIX_RevocationStatus *pRevStatus,
     PKIX_UInt32 *pReasonCode,
     void **pNbioContext,
     void *plContext)
 {
     PKIX_RevocationStatus overallStatus = PKIX_RevStatus_NoInfo;
     PKIX_RevocationStatus methodStatus[PKIX_RevocationMethod_MAX];
     PKIX_Boolean onlyUseRemoteMethods = PKIX_FALSE;
     PKIX_UInt32 revFlags = 0;
     PKIX_List *revList = NULL;
     PKIX_PL_Date *date = NULL;
     pkix_RevocationMethod *method = NULL;
     void *nbioContext;
     int tries;
     PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_Check");
     PKIX_NULLCHECK_TWO(revChecker, procParams);
     nbioContext = *pNbioContext;
     *pNbioContext = NULL;
     if (testingLeafCert) {
         revList = revChecker->leafMethodList;
         revFlags = revChecker->leafMethodListFlags;
     } else {
         revList = revChecker->chainMethodList;
         revFlags = revChecker->chainMethodListFlags;
     }
     if (!revList) {
         /* Return NoInfo status */
         goto cleanup;
     }
     PORT_Memset(methodStatus, PKIX_RevStatus_NoInfo,
                 sizeof(PKIX_RevocationStatus) * PKIX_RevocationMethod_MAX);
     date = procParams->date;
     /* Need to have two loops if we testing all local info first:
      *    first we are going to test all local(cached) info
      *    second, all remote info(fetching) */
     for (tries = 0;tries < 2;tries++) {
         int methodNum = 0;
         for (;methodNum < revList->length;methodNum++) {
             PKIX_UInt32 methodFlags = 0;
             PKIX_DECREF(method);
             PKIX_CHECK(
                 PKIX_List_GetItem(revList, methodNum,
                                   (PKIX_PL_Object**)&method, plContext),
                 PKIX_LISTGETITEMFAILED);
             methodFlags = method->flags;
             if (!(methodFlags & PKIX_REV_M_TEST_USING_THIS_METHOD)) {
                 /* Will not check with this method. Skipping... */
                 continue;
             }
             if (!onlyUseRemoteMethods &&
                 methodStatus[methodNum] == PKIX_RevStatus_NoInfo) {
                 PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
                 PKIX_CHECK_NO_GOTO(
                     (*method->localRevChecker)(cert, issuer, date,
                                                method, procParams,
                                                methodFlags,
                                                chainVerificationState,
                                                &revStatus,
                                                pReasonCode, plContext),
                     PKIX_REVCHECKERCHECKFAILED);
                 methodStatus[methodNum] = revStatus;
                 if (revStatus == PKIX_RevStatus_Revoked) {
                     /* if error was generated use it as final error. */
                     overallStatus = PKIX_RevStatus_Revoked;
                     goto cleanup;
                 }
                 if (pkixErrorResult) {
                     /* Disregard errors. Only returned revStatus matters. */
                     PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult,
                                           plContext);
                     pkixErrorResult = NULL;
                 }
             }
             if ((!(revFlags & PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST) ||
                  onlyUseRemoteMethods) &&
                 chainVerificationState &&
                 methodStatus[methodNum] == PKIX_RevStatus_NoInfo) {
                 if (!(methodFlags & PKIX_REV_M_FORBID_NETWORK_FETCHING)) {
                     PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
                     PKIX_CHECK_NO_GOTO(
                         (*method->externalRevChecker)(cert, issuer, date,
                                                       method,
                                                       procParams, methodFlags,
                                                       &revStatus, pReasonCode,
                                                       &nbioContext, plContext),
                         PKIX_REVCHECKERCHECKFAILED);
                     methodStatus[methodNum] = revStatus;
                     if (revStatus == PKIX_RevStatus_Revoked) {
                         /* if error was generated use it as final error. */
                         overallStatus = PKIX_RevStatus_Revoked;
                         goto cleanup;
                     }
                     if (pkixErrorResult) {
                         /* Disregard errors. Only returned revStatus matters. */
                         PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult,
                                               plContext);
                         pkixErrorResult = NULL;
                     }
                 } else if (methodFlags &
                            PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO) {
                     /* Info is not in the local cache. Network fetching is not
                      * allowed. If need to fail on missing fresh info for the
                      * the method, then we should fail right here.*/
                     overallStatus = PKIX_RevStatus_Revoked;
                     goto cleanup;
                 }
             }
             /* If success and we should not check the next method, then
              * return a success. */
             if (methodStatus[methodNum] == PKIX_RevStatus_Success &&
                 !(methodFlags & PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO)) {
                 overallStatus = PKIX_RevStatus_Success;
                 goto cleanup;
             }
         } /* inner loop */
         if (!onlyUseRemoteMethods &&
             revFlags & PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST &&
             chainVerificationState) {
             onlyUseRemoteMethods = PKIX_TRUE;
             continue;
         }
         break;
     } /* outer loop */
     if (overallStatus == PKIX_RevStatus_NoInfo &&
         chainVerificationState) {
         /* The following check makes sence only for chain
          * validation step, sinse we do not fetch info while
          * in the process of finding trusted anchor.
          * For chain building step it is enough to know, that
          * the cert was not directly revoked by any of the
          * methods. */
         /* Still have no info. But one of the method could
          * have returned success status(possible if CONTINUE
          * TESTING ON FRESH INFO flag was used).
          * If any of the methods have returned Success status,
          * the overallStatus should be success. */
         int methodNum = 0;
         for (;methodNum < PKIX_RevocationMethod_MAX;methodNum++) {
             if (methodStatus[methodNum] == PKIX_RevStatus_Success) {
                 overallStatus = PKIX_RevStatus_Success;
                 goto cleanup;
             }
         }
         if (revFlags & PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE) {
             overallStatus = PKIX_RevStatus_Revoked;
         }
     }
 cleanup:
     *pRevStatus = overallStatus;
     PKIX_DECREF(method);
     PKIX_RETURN(REVOCATIONCHECKER);
 }

The Tor Browser / annotate

security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c@b8a032363ba2 (annotated)

security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c