diff options
| author | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-11-14 12:13:54 +0100 |
|---|---|---|
| committer | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-11-14 12:13:54 +0100 |
| commit | 0a8dff525669a5f974e29bf03daba744b2d84e47 (patch) | |
| tree | 280dd3616fbf74f767082f882b07bcac9dd790bf /security | |
| parent | c3144281b5c83b5e7c8657a563e45dc08d491e4a (diff) | |
| download | UXP-0a8dff525669a5f974e29bf03daba744b2d84e47.tar UXP-0a8dff525669a5f974e29bf03daba744b2d84e47.tar.gz UXP-0a8dff525669a5f974e29bf03daba744b2d84e47.tar.lz UXP-0a8dff525669a5f974e29bf03daba744b2d84e47.tar.xz UXP-0a8dff525669a5f974e29bf03daba744b2d84e47.zip | |
Issue #1289 - Part 1: Add a pref to disable HPKP header processing.
Diffstat (limited to 'security')
| -rw-r--r-- | security/manager/ssl/nsSiteSecurityService.cpp | 40 | ||||
| -rw-r--r-- | security/manager/ssl/nsSiteSecurityService.h | 1 |
2 files changed, 37 insertions, 4 deletions
diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp index 44ee7dcc0..1b7f06a47 100644 --- a/security/manager/ssl/nsSiteSecurityService.cpp +++ b/security/manager/ssl/nsSiteSecurityService.cpp @@ -212,6 +212,7 @@ nsSiteSecurityService::nsSiteSecurityService() , mUsePreloadList(true) , mUseStsService(true) , mPreloadListTimeOffset(0) + , mHPKPEnabled(false) { } @@ -240,6 +241,10 @@ nsSiteSecurityService::Init() "network.stricttransportsecurity.preloadlist", true); mozilla::Preferences::AddStrongObserver(this, "network.stricttransportsecurity.preloadlist"); + mHPKPEnabled = mozilla::Preferences::GetBool( + "security.cert_pinning.hpkp.enabled", false); + mozilla::Preferences::AddStrongObserver(this, + "security.cert_pinning.hpkp.enabled"); mUseStsService = mozilla::Preferences::GetBool( "network.stricttransportsecurity.enabled", true); mozilla::Preferences::AddStrongObserver(this, @@ -687,6 +692,17 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI, if (aFailureResult) { *aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN; } + if (!mHPKPEnabled) { + SSSLOG(("SSS: HPKP disabled: not processing header '%s'", aHeader)); + if (aMaxAge) { + *aMaxAge = 0; + } + if (aIncludeSubdomains) { + *aIncludeSubdomains = false; + } + return NS_OK; + } + SSSLOG(("SSS: processing HPKP header '%s'", aHeader)); NS_ENSURE_ARG(aSSLStatus); @@ -1185,17 +1201,24 @@ nsSiteSecurityService::GetKeyPinsForHostname(const char* aHostname, mozilla::pkix::Time& aEvalTime, /*out*/ nsTArray<nsCString>& pinArray, /*out*/ bool* aIncludeSubdomains, - /*out*/ bool* afound) { + /*out*/ bool* aFound) { // Child processes are not allowed direct access to this. if (!XRE_IsParentProcess()) { MOZ_CRASH("Child process: no direct access to nsISiteSecurityService::GetKeyPinsForHostname"); } - NS_ENSURE_ARG(afound); + NS_ENSURE_ARG(aFound); NS_ENSURE_ARG(aHostname); + if (!mHPKPEnabled) { + SSSLOG(("HPKP disabled - returning 'pins not found' for %s", + aHostname)); + *aFound = false; + return NS_OK; + } + SSSLOG(("Top of GetKeyPinsForHostname for %s", aHostname)); - *afound = false; + *aFound = false; *aIncludeSubdomains = false; pinArray.Clear(); @@ -1228,7 +1251,7 @@ nsSiteSecurityService::GetKeyPinsForHostname(const char* aHostname, } pinArray = foundEntry.mSHA256keys; *aIncludeSubdomains = foundEntry.mIncludeSubdomains; - *afound = true; + *aFound = true; return NS_OK; } @@ -1248,6 +1271,13 @@ nsSiteSecurityService::SetKeyPins(const char* aHost, bool aIncludeSubdomains, NS_ENSURE_ARG_POINTER(aResult); NS_ENSURE_ARG_POINTER(aSha256Pins); + + if (!mHPKPEnabled) { + SSSLOG(("SSS: HPKP disabled: not setting pins")); + *aResult = false; + return NS_OK; + } + SSSLOG(("Top of SetPins")); nsTArray<nsCString> sha256keys; @@ -1313,6 +1343,8 @@ nsSiteSecurityService::Observe(nsISupports *subject, "network.stricttransportsecurity.enabled", true); mPreloadListTimeOffset = mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0); + mHPKPEnabled = mozilla::Preferences::GetBool( + "security.cert_pinning.hpkp.enabled", false); mProcessPKPHeadersFromNonBuiltInRoots = mozilla::Preferences::GetBool( "security.cert_pinning.process_headers_from_non_builtin_roots", false); mMaxMaxAge = mozilla::Preferences::GetInt( diff --git a/security/manager/ssl/nsSiteSecurityService.h b/security/manager/ssl/nsSiteSecurityService.h index 63afee377..c14543684 100644 --- a/security/manager/ssl/nsSiteSecurityService.h +++ b/security/manager/ssl/nsSiteSecurityService.h @@ -152,6 +152,7 @@ private: bool mUsePreloadList; bool mUseStsService; int64_t mPreloadListTimeOffset; + bool mHPKPEnabled; bool mProcessPKPHeadersFromNonBuiltInRoots; RefPtr<mozilla::DataStorage> mSiteStateStorage; RefPtr<mozilla::DataStorage> mPreloadStateStorage; |