diff options
author | Matt A. Tobin <mattatobin@localhost.localdomain> | 2018-02-02 04:16:08 -0500 |
---|---|---|
committer | Matt A. Tobin <mattatobin@localhost.localdomain> | 2018-02-02 04:16:08 -0500 |
commit | 5f8de423f190bbb79a62f804151bc24824fa32d8 (patch) | |
tree | 10027f336435511475e392454359edea8e25895d /security/manager/ssl/nsSiteSecurityService.h | |
parent | 49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff) | |
download | UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.lz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.xz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.zip |
Add m-esr52 at 52.6.0
Diffstat (limited to 'security/manager/ssl/nsSiteSecurityService.h')
-rw-r--r-- | security/manager/ssl/nsSiteSecurityService.h | 159 |
1 files changed, 159 insertions, 0 deletions
diff --git a/security/manager/ssl/nsSiteSecurityService.h b/security/manager/ssl/nsSiteSecurityService.h new file mode 100644 index 000000000..f100a8f40 --- /dev/null +++ b/security/manager/ssl/nsSiteSecurityService.h @@ -0,0 +1,159 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef __nsSiteSecurityService_h__ +#define __nsSiteSecurityService_h__ + +#include "mozilla/DataStorage.h" +#include "nsCOMPtr.h" +#include "nsIObserver.h" +#include "nsISiteSecurityService.h" +#include "nsString.h" +#include "nsTArray.h" +#include "pkix/pkixtypes.h" +#include "prtime.h" + +class nsIURI; +class nsISSLStatus; + +// {16955eee-6c48-4152-9309-c42a465138a1} +#define NS_SITE_SECURITY_SERVICE_CID \ + {0x16955eee, 0x6c48, 0x4152, \ + {0x93, 0x09, 0xc4, 0x2a, 0x46, 0x51, 0x38, 0xa1} } + +/** + * SecurityPropertyState: A utility enum for representing the different states + * a security property can be in. + * SecurityPropertySet and SecurityPropertyUnset correspond to indicating + * a site has or does not have the security property in question, respectively. + * SecurityPropertyKnockout indicates a value on a preloaded list is being + * overridden, and the associated site does not have the security property + * in question. + */ +enum SecurityPropertyState { + SecurityPropertyUnset = 0, + SecurityPropertySet = 1, + SecurityPropertyKnockout = 2, + SecurityPropertyNegative = 3, +}; + +/** + * SiteHPKPState: A utility class that encodes/decodes a string describing + * the public key pins of a site. + * HPKP state consists of: + * - Expiry time (PRTime (aka int64_t) in milliseconds) + * - A state flag (SecurityPropertyState, default SecurityPropertyUnset) + * - An include subdomains flag (bool, default false) + * - An array of sha-256 hashed base 64 encoded fingerprints of required keys + */ +class SiteHPKPState +{ +public: + SiteHPKPState(); + explicit SiteHPKPState(nsCString& aStateString); + SiteHPKPState(PRTime aExpireTime, SecurityPropertyState aState, + bool aIncludeSubdomains, nsTArray<nsCString>& SHA256keys); + + PRTime mExpireTime; + SecurityPropertyState mState; + bool mIncludeSubdomains; + nsTArray<nsCString> mSHA256keys; + + bool IsExpired(mozilla::pkix::Time aTime) + { + if (aTime > mozilla::pkix::TimeFromEpochInSeconds(mExpireTime / + PR_MSEC_PER_SEC)) { + return true; + } + return false; + } + + void ToString(nsCString& aString); +}; + +/** + * SiteHSTSState: A utility class that encodes/decodes a string describing + * the security state of a site. Currently only handles HSTS. + * HSTS state consists of: + * - Expiry time (PRTime (aka int64_t) in milliseconds) + * - A state flag (SecurityPropertyState, default SecurityPropertyUnset) + * - An include subdomains flag (bool, default false) + */ +class SiteHSTSState +{ +public: + explicit SiteHSTSState(nsCString& aStateString); + SiteHSTSState(PRTime aHSTSExpireTime, SecurityPropertyState aHSTSState, + bool aHSTSIncludeSubdomains); + + PRTime mHSTSExpireTime; + SecurityPropertyState mHSTSState; + bool mHSTSIncludeSubdomains; + + bool IsExpired(uint32_t aType) + { + // If mHSTSExpireTime is 0, this entry never expires (this is the case for + // knockout entries). + if (mHSTSExpireTime == 0) { + return false; + } + + PRTime now = PR_Now() / PR_USEC_PER_MSEC; + if (now > mHSTSExpireTime) { + return true; + } + + return false; + } + + void ToString(nsCString &aString); +}; + +struct nsSTSPreload; + +class nsSiteSecurityService : public nsISiteSecurityService + , public nsIObserver +{ +public: + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSIOBSERVER + NS_DECL_NSISITESECURITYSERVICE + + nsSiteSecurityService(); + nsresult Init(); + +protected: + virtual ~nsSiteSecurityService(); + +private: + nsresult GetHost(nsIURI *aURI, nsACString &aResult); + nsresult SetHSTSState(uint32_t aType, nsIURI* aSourceURI, int64_t maxage, + bool includeSubdomains, uint32_t flags, + SecurityPropertyState aHSTSState); + nsresult ProcessHeaderInternal(uint32_t aType, nsIURI* aSourceURI, + const char* aHeader, nsISSLStatus* aSSLStatus, + uint32_t aFlags, uint64_t* aMaxAge, + bool* aIncludeSubdomains, + uint32_t* aFailureResult); + nsresult ProcessSTSHeader(nsIURI* aSourceURI, const char* aHeader, + uint32_t flags, uint64_t* aMaxAge, + bool* aIncludeSubdomains, uint32_t* aFailureResult); + nsresult ProcessPKPHeader(nsIURI* aSourceURI, const char* aHeader, + nsISSLStatus* aSSLStatus, uint32_t flags, + uint64_t* aMaxAge, bool* aIncludeSubdomains, + uint32_t* aFailureResult); + nsresult SetHPKPState(const char* aHost, SiteHPKPState& entry, uint32_t flags, + bool aIsPreload); + + const nsSTSPreload *GetPreloadListEntry(const char *aHost); + + uint64_t mMaxMaxAge; + bool mUsePreloadList; + int64_t mPreloadListTimeOffset; + bool mProcessPKPHeadersFromNonBuiltInRoots; + RefPtr<mozilla::DataStorage> mSiteStateStorage; + RefPtr<mozilla::DataStorage> mPreloadStateStorage; +}; + +#endif // __nsSiteSecurityService_h__ |