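--- /dev/null
+++ b/security/certverifier/OCSPCache.h
@@ -0,0 +1,107 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* Copyright 2013 Mozilla Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_psm_OCSPCache_h
+#define mozilla_psm_OCSPCache_h
+
+#include "certt.h"
+#include "hasht.h"
+#include "pkix/pkixtypes.h"
+#include "mozilla/Mutex.h"
+#include "mozilla/Vector.h"
+#include "prerror.h"
+
+namespace mozilla { namespace psm {
+
+// make SHA384Buffer be of type "array of uint8_t of length SHA384_LENGTH"
+typedef uint8_t SHA384Buffer[SHA384_LENGTH];
+
+// OCSPCache can store and retrieve OCSP response verification results. Each
+// result is keyed on the certificate that purportedly corresponds to it (where
+// certificates are distinguished based on serial number, issuer, and
+// issuer public key, much like in an encoded OCSP response itself). A maximum
+// of 1024 distinct entries can be stored.
+// OCSPCache is thread-safe.
+class OCSPCache
+{
+public:
+  OCSPCache();
+  ~OCSPCache();
+
+  // Returns true if the status of the given certificate (issued by the given
+  // issuer) is in the cache, and false otherwise.
+  // If it is in the cache, returns by reference the error code of the cached
+  // status and the time through which the status is considered trustworthy.
+  bool Get(const CERTCertificate* aCert, const CERTCertificate* aIssuerCert,
+           /* out */ PRErrorCode& aErrorCode, /* out */ PRTime& aValidThrough);
+
+  // Caches the status of the given certificate (issued by the given issuer).
+  // The status is considered trustworthy through the given time.
+  // A status with an error code of SEC_ERROR_REVOKED_CERTIFICATE will not
+  // be replaced or evicted.
+  // A status with an error code of SEC_ERROR_OCSP_UNKNOWN_CERT will not
+  // be evicted when the cache is full.
+  // A status with a more recent thisUpdate will not be replaced with a
+  // status with a less recent thisUpdate unless the less recent status
+  // indicates the certificate is revoked.
+  SECStatus Put(const CERTCertificate* aCert,
+                const CERTCertificate* aIssuerCert,
+                PRErrorCode aErrorCode,
+                PRTime aThisUpdate,
+                PRTime aValidThrough);
+
+  // Removes everything from the cache.
+  void Clear();
+
+private:
+  class Entry
+  {
+  public:
+    SECStatus Init(const CERTCertificate* aCert,
+                   const CERTCertificate* aIssuerCert,
+                   PRErrorCode aErrorCode, PRTime aThisUpdate,
+                   PRTime aValidThrough);
+
+    PRErrorCode mErrorCode;
+    PRTime mThisUpdate;
+    PRTime mValidThrough;
+    // The SHA-384 hash of the concatenation of the DER encodings of the
+    // issuer name and issuer key, followed by the serial number.
+    // See the documentation for CertIDHash in OCSPCache.cpp.
+    SHA384Buffer mIDHash;
+  };
+
+  int32_t FindInternal(const CERTCertificate* aCert,
+                       const CERTCertificate* aIssuerCert,
+                       const MutexAutoLock& aProofOfLock);
+  void MakeMostRecentlyUsed(size_t aIndex, const MutexAutoLock& aProofOfLock);
+  void LogWithCerts(const char* aMessage, const CERTCertificate* aCert,
+                    const CERTCertificate* aIssuerCert);
+
+  Mutex mMutex;
+  static const size_t MaxEntries = 1024;
+  // Sorted with the most-recently-used entry at the end.
+  // Using 256 here reserves as much possible inline storage as the vector
+  // implementation will give us. 1024 bytes is the maximum it allows,
+  // which results in 256 Entry pointers or 128 Entry pointers, depending
+  // on the size of a pointer.
+  Vector<Entry*, 256> mEntries;
+};
+
+} } // namespace mozilla::psm
+
+#endif // mozilla_psm_OCSPCache_h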
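Review bot: `Vector<Entry*, 256> mEntries` at the end of the class holds raw pointers with no statement of who owns the `Entry` objects, even though the declared `~OCSPCache()` and `Clear()` suggest the cache itself allocates and frees them; I would add above the member `// mEntries owns the Entry objects it points to; ~OCSPCache and Clear delete them.` once confirmed against OCSPCache.cpp. The comment on `Get` also does not say whether an entry whose `aValidThrough` has already passed is still reported as a hit, which matters because the caller decides whether to trust a possibly stale verification result; if that check lives in the caller, a sentence such as `// Get does not compare aValidThrough with the current time; callers must.` would make the contract explicit (verify against the .cpp first). Finally, since the class owns heap objects through raw pointers and declares neither a copy constructor nor an assignment operator, declaring both private and undefined (or deleted, if the build allows it) would document that the cache is non-copyable even if the `Mutex` member already prevents copies in practice.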