author | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-11-14 12:13:54 +0100 |
---|---|---|
committer | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-11-14 12:13:54 +0100 |
commit | 0a8dff525669a5f974e29bf03daba744b2d84e47 (patch) | |
tree | 280dd3616fbf74f767082f882b07bcac9dd790bf | |
parent | c3144281b5c83b5e7c8657a563e45dc08d491e4a (diff) | |
Issue #1289 - Part 1: Add a pref to disable HPKP header processing.
-rw-r--r-- | netwerk/base/security-prefs.js | 8 | ||||
-rw-r--r-- | security/manager/ssl/nsSiteSecurityService.cpp | 40 | ||||
-rw-r--r-- | security/manager/ssl/nsSiteSecurityService.h | 1 |
3 files changed, 45 insertions, 4 deletions
diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js
index ef78ddccb..702315d43 100644
--- a/netwerk/base/security-prefs.js
+++ b/netwerk/base/security-prefs.js
@@ -132,6 +132,14 @@ pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
 // blacking themselves out by setting a bad pin. (60 days by default)
 // https://tools.ietf.org/html/rfc7469#section-4.1
 pref("security.cert_pinning.max_max_age_seconds", 5184000);
+// Controls whether or not HPKP (the HTTP Public Key Pinning header) is enabled.
+// If true, the header is processed and collected HPKP information is consulted
+// when looking for pinning information.
+// If false, the header is not processed and collected HPKP information is not
+// consulted when looking for pinning information. Preloaded pins are not
+// affected by this preference.
+// Default: false
+pref("security.cert_pinning.hpkp.enabled", false);
 // If a request is mixed-content, send an HSTS priming request to attempt to
 // see if it is available over HTTPS.
diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp
index 44ee7dcc0..1b7f06a47 100644
--- a/security/manager/ssl/nsSiteSecurityService.cpp
+++ b/security/manager/ssl/nsSiteSecurityService.cpp
@@ -212,6 +212,7 @@ nsSiteSecurityService::nsSiteSecurityService()
 , mUsePreloadList(true)
 , mUseStsService(true)
 , mPreloadListTimeOffset(0)
+ , mHPKPEnabled(false)
 {
 }
@@ -240,6 +241,10 @@ nsSiteSecurityService::Init()
 "network.stricttransportsecurity.preloadlist", true);
 mozilla::Preferences::AddStrongObserver(this,
 "network.stricttransportsecurity.preloadlist");
+ mHPKPEnabled = mozilla::Preferences::GetBool(
+ "security.cert_pinning.hpkp.enabled", false);
+ mozilla::Preferences::AddStrongObserver(this,
+ "security.cert_pinning.hpkp.enabled");
 mUseStsService = mozilla::Preferences::GetBool(
 "network.stricttransportsecurity.enabled", true);
 mozilla::Preferences::AddStrongObserver(this,
@@ -687,6 +692,17 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI,
 if (aFailureResult) {
 *aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN;
 }
+ if (!mHPKPEnabled) {
+ SSSLOG(("SSS: HPKP disabled: not processing header '%s'", aHeader));
+ if (aMaxAge) {
+ *aMaxAge = 0;
+ }
+ if (aIncludeSubdomains) {
+ *aIncludeSubdomains = false;
+ }
+ return NS_OK;
+ }
+
 SSSLOG(("SSS: processing HPKP header '%s'", aHeader));
 NS_ENSURE_ARG(aSSLStatus);
@@ -1185,17 +1201,24 @@ nsSiteSecurityService::GetKeyPinsForHostname(const char* aHostname,
 mozilla::pkix::Time& aEvalTime,
 /*out*/ nsTArray<nsCString>& pinArray,
 /*out*/ bool* aIncludeSubdomains,
- /*out*/ bool* afound) {
+ /*out*/ bool* aFound) {
 // Child processes are not allowed direct access to this.
 if (!XRE_IsParentProcess()) {
 MOZ_CRASH("Child process: no direct access to nsISiteSecurityService::GetKeyPinsForHostname");
 }
- NS_ENSURE_ARG(afound);
+ NS_ENSURE_ARG(aFound);
 NS_ENSURE_ARG(aHostname);
+ if (!mHPKPEnabled) {
+ SSSLOG(("HPKP disabled - returning 'pins not found' for %s",
+ aHostname));
+ *aFound = false;
+ return NS_OK;
+ }
+
 SSSLOG(("Top of GetKeyPinsForHostname for %s", aHostname));
- *afound = false;
+ *aFound = false;
 *aIncludeSubdomains = false;
 pinArray.Clear();
@@ -1228,7 +1251,7 @@ nsSiteSecurityService::GetKeyPinsForHostname(const char* aHostname,
 }
 pinArray = foundEntry.mSHA256keys;
 *aIncludeSubdomains = foundEntry.mIncludeSubdomains;
- *afound = true;
+ *aFound = true;
 return NS_OK;
 }
@@ -1248,6 +1271,13 @@ nsSiteSecurityService::SetKeyPins(const char* aHost, bool aIncludeSubdomains,
 NS_ENSURE_ARG_POINTER(aResult);
 NS_ENSURE_ARG_POINTER(aSha256Pins);
+
+ if (!mHPKPEnabled) {
+ SSSLOG(("SSS: HPKP disabled: not setting pins"));
+ *aResult = false;
+ return NS_OK;
+ }
+
 SSSLOG(("Top of SetPins"));
 nsTArray<nsCString> sha256keys;
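Review bot: The new disabled path in ProcessPKPHeader returns NS_OK while `*aFailureResult`, set to `nsISiteSecurityService::ERROR_UNKNOWN` on the context lines just above, is left untouched, so a caller that supplied aFailureResult sees a success rv paired with an error code. If the interface defines a "no error" value, assign it before `return NS_OK;`; if callers only read aFailureResult on a failing rv, a comment at the early return such as `// aFailureResult is only meaningful when this returns a failure rv` would make that contract explicit. The early return also sits before `NS_ENSURE_ARG(aSSLStatus)`, so a null aSSLStatus is no longer rejected while the pref is off; presumably harmless since nothing on that path reads it, but worth a glance. ProcessPKPHeader's body continues past the end of the hunk.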
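Review bot: In GetKeyPinsForHostname the disabled early return sets `*aFound = false` but skips the `*aIncludeSubdomains = false;` and `pinArray.Clear();` that the normal path performs a few lines later, so those two out-parameters keep whatever the caller passed in. A caller that inspects pinArray or aIncludeSubdomains without first checking aFound would act on stale pin data, which is the kind of inconsistency a "feature off" switch should not introduce; mirroring the reset keeps the not-found result self-consistent: `*aIncludeSubdomains = false; pinArray.Clear();` before `return NS_OK;`. The function's body continues outside the hunk, so any other consumer of these out-parameters could not be checked here.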
@@ -1313,6 +1343,8 @@ nsSiteSecurityService::Observe(nsISupports *subject,
 "network.stricttransportsecurity.enabled", true);
 mPreloadListTimeOffset =
 mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0);
+ mHPKPEnabled = mozilla::Preferences::GetBool(
+ "security.cert_pinning.hpkp.enabled", false);
 mProcessPKPHeadersFromNonBuiltInRoots = mozilla::Preferences::GetBool(
 "security.cert_pinning.process_headers_from_non_builtin_roots", false);
 mMaxMaxAge = mozilla::Preferences::GetInt(
diff --git a/security/manager/ssl/nsSiteSecurityService.h b/security/manager/ssl/nsSiteSecurityService.h
index 63afee377..c14543684 100644
--- a/security/manager/ssl/nsSiteSecurityService.h
+++ b/security/manager/ssl/nsSiteSecurityService.h
@@ -152,6 +152,7 @@ private:
 bool mUsePreloadList;
 bool mUseStsService;
 int64_t mPreloadListTimeOffset;
+ bool mHPKPEnabled;
 bool mProcessPKPHeadersFromNonBuiltInRoots;
 RefPtr<mozilla::DataStorage> mSiteStateStorage;
 RefPtr<mozilla::DataStorage> mPreloadStateStorage;