From 0a8dff525669a5f974e29bf03daba744b2d84e47 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 14 Nov 2019 12:13:54 +0100 Subject: Issue #1289 - Part 1: Add a pref to disable HPKP header processing. --- security/manager/ssl/nsSiteSecurityService.cpp | 40 +++++++++++++++++++++++--- security/manager/ssl/nsSiteSecurityService.h | 1 + 2 files changed, 37 insertions(+), 4 deletions(-) (limited to 'security/manager') diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp index 44ee7dcc0..1b7f06a47 100644 --- a/security/manager/ssl/nsSiteSecurityService.cpp +++ b/security/manager/ssl/nsSiteSecurityService.cpp @@ -212,6 +212,7 @@ nsSiteSecurityService::nsSiteSecurityService() , mUsePreloadList(true) , mUseStsService(true) , mPreloadListTimeOffset(0) + , mHPKPEnabled(false) { } @@ -240,6 +241,10 @@ nsSiteSecurityService::Init() "network.stricttransportsecurity.preloadlist", true); mozilla::Preferences::AddStrongObserver(this, "network.stricttransportsecurity.preloadlist"); + mHPKPEnabled = mozilla::Preferences::GetBool( + "security.cert_pinning.hpkp.enabled", false); + mozilla::Preferences::AddStrongObserver(this, + "security.cert_pinning.hpkp.enabled"); mUseStsService = mozilla::Preferences::GetBool( "network.stricttransportsecurity.enabled", true); mozilla::Preferences::AddStrongObserver(this, @@ -687,6 +692,17 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI, if (aFailureResult) { *aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN; } + if (!mHPKPEnabled) { + SSSLOG(("SSS: HPKP disabled: not processing header '%s'", aHeader)); + if (aMaxAge) { + *aMaxAge = 0; + } + if (aIncludeSubdomains) { + *aIncludeSubdomains = false; + } + return NS_OK; + } + SSSLOG(("SSS: processing HPKP header '%s'", aHeader)); NS_ENSURE_ARG(aSSLStatus); @@ -1185,17 +1201,24 @@ nsSiteSecurityService::GetKeyPinsForHostname(const char* aHostname, mozilla::pkix::Time& aEvalTime, /*out*/ nsTArray& pinArray, /*out*/ bool* aIncludeSubdomains, - /*out*/ bool* afound) { + /*out*/ bool* aFound) { // Child processes are not allowed direct access to this. if (!XRE_IsParentProcess()) { MOZ_CRASH("Child process: no direct access to nsISiteSecurityService::GetKeyPinsForHostname"); } - NS_ENSURE_ARG(afound); + NS_ENSURE_ARG(aFound); NS_ENSURE_ARG(aHostname); + if (!mHPKPEnabled) { + SSSLOG(("HPKP disabled - returning 'pins not found' for %s", + aHostname)); + *aFound = false; + return NS_OK; + } + SSSLOG(("Top of GetKeyPinsForHostname for %s", aHostname)); - *afound = false; + *aFound = false; *aIncludeSubdomains = false; pinArray.Clear(); @@ -1228,7 +1251,7 @@ nsSiteSecurityService::GetKeyPinsForHostname(const char* aHostname, } pinArray = foundEntry.mSHA256keys; *aIncludeSubdomains = foundEntry.mIncludeSubdomains; - *afound = true; + *aFound = true; return NS_OK; } @@ -1248,6 +1271,13 @@ nsSiteSecurityService::SetKeyPins(const char* aHost, bool aIncludeSubdomains, NS_ENSURE_ARG_POINTER(aResult); NS_ENSURE_ARG_POINTER(aSha256Pins); + + if (!mHPKPEnabled) { + SSSLOG(("SSS: HPKP disabled: not setting pins")); + *aResult = false; + return NS_OK; + } + SSSLOG(("Top of SetPins")); nsTArray sha256keys; @@ -1313,6 +1343,8 @@ nsSiteSecurityService::Observe(nsISupports *subject, "network.stricttransportsecurity.enabled", true); mPreloadListTimeOffset = mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0); + mHPKPEnabled = mozilla::Preferences::GetBool( + "security.cert_pinning.hpkp.enabled", false); mProcessPKPHeadersFromNonBuiltInRoots = mozilla::Preferences::GetBool( "security.cert_pinning.process_headers_from_non_builtin_roots", false); mMaxMaxAge = mozilla::Preferences::GetInt( diff --git a/security/manager/ssl/nsSiteSecurityService.h b/security/manager/ssl/nsSiteSecurityService.h index 63afee377..c14543684 100644 --- a/security/manager/ssl/nsSiteSecurityService.h +++ b/security/manager/ssl/nsSiteSecurityService.h @@ -152,6 +152,7 @@ private: bool mUsePreloadList; bool mUseStsService; int64_t mPreloadListTimeOffset; + bool mHPKPEnabled; bool mProcessPKPHeadersFromNonBuiltInRoots; RefPtr mSiteStateStorage; RefPtr mPreloadStateStorage; -- cgit v1.2.3