From cef7fcb377e79e52e6baa34d387400671e9a5fb0 Mon Sep 17 00:00:00 2001 From: trav90 Date: Tue, 5 Jun 2018 22:46:15 -0500 Subject: Restore clearly-delimited format for the HSTS preload list --- security/manager/ssl/nsSiteSecurityService.cpp | 2 +- security/manager/ssl/nsSiteSecurityService.h | 2 +- security/manager/tools/getHSTSPreloadList.js | 84 +++++++------------------- 3 files changed, 23 insertions(+), 65 deletions(-) (limited to 'security') diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp index d461f6b61..1d79844ff 100644 --- a/security/manager/ssl/nsSiteSecurityService.cpp +++ b/security/manager/ssl/nsSiteSecurityService.cpp @@ -935,7 +935,7 @@ int STSPreloadCompare(const void *key, const void *entry) { const char *keyStr = (const char *)key; const nsSTSPreload *preloadEntry = (const nsSTSPreload *)entry; - return strcmp(keyStr, &kSTSHostTable[preloadEntry->mHostIndex]); + return strcmp(keyStr, preloadEntry->mHost); } // Returns the preload list entry for the given host, if it exists. diff --git a/security/manager/ssl/nsSiteSecurityService.h b/security/manager/ssl/nsSiteSecurityService.h index f100a8f40..c40180550 100644 --- a/security/manager/ssl/nsSiteSecurityService.h +++ b/security/manager/ssl/nsSiteSecurityService.h @@ -110,7 +110,7 @@ public: void ToString(nsCString &aString); }; -struct nsSTSPreload; +class nsSTSPreload; class nsSiteSecurityService : public nsISiteSecurityService , public nsIObserver diff --git a/security/manager/tools/getHSTSPreloadList.js b/security/manager/tools/getHSTSPreloadList.js index 29f4ba420..518a9246b 100644 --- a/security/manager/tools/getHSTSPreloadList.js +++ b/security/manager/tools/getHSTSPreloadList.js @@ -42,6 +42,16 @@ const HEADER = "/* This Source Code Form is subject to the terms of the Mozilla "/*****************************************************************************/\n" + "\n" + "#include \n"; +const PREFIX = "\n" + +"class nsSTSPreload\n" + +"{\n" + +" public:\n" + +" const char *mHost;\n" + +" const bool mIncludeSubdomains;\n" + +"};\n" + +"\n" + +"static const nsSTSPreload kSTSPreloadList[] = {\n"; +const POSTFIX = "};\n"; function download() { var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"] @@ -244,9 +254,12 @@ function errorToString(status) { : status.error); } -function writeEntry(status, indices, outputStream) { - let includeSubdomains = (status.finalIncludeSubdomains ? "true" : "false"); - writeTo(" { " + indices[status.name] + ", " + includeSubdomains + " },\n", +function writeEntry(status, outputStream) { + let incSubdomainsBool = (status.forceInclude && status.error != ERROR_NONE + ? status.originalIncludeSubdomains + : status.includeSubdomains); + let includeSubdomains = (incSubdomainsBool ? "true" : "false"); + writeTo(" { \"" + status.name + "\", " + includeSubdomains + " },\n", outputStream); } @@ -258,6 +271,7 @@ function output(sortedStatuses, currentList) { var eos = FileUtils.openSafeFileOutputStream(errorFile); writeTo(HEADER, fos); writeTo(getExpirationTimeString(), fos); + writeTo(PREFIX, fos); for (let status in sortedStatuses) { // If we've encountered an error for this entry (other than the site not @@ -289,56 +303,8 @@ function output(sortedStatuses, currentList) { return true; }); - // Resolve whether we should include subdomains for each entry. We could - // do this while writing out entries, but separating out that decision is - // clearer. Making that decision here also means we can write the choices - // in the comments in the static string table, which makes parsing the - // current list significantly easier when we go to update the list. - for (let status of includedStatuses) { - let incSubdomainsBool = (status.forceInclude && status.error != ERROR_NONE - ? status.originalIncludeSubdomains - : status.includeSubdomains); - status.finalIncludeSubdomains = incSubdomainsBool; - } - - writeTo("\nstatic const char kSTSHostTable[] = {\n", fos); - var indices = {}; - var currentIndex = 0; - for (let status of includedStatuses) { - indices[status.name] = currentIndex; - // Add 1 for the null terminator in C. - currentIndex += status.name.length + 1; - // Rebuilding the preload list requires reading the previous preload - // list. Write out a comment describing each host prior to writing out - // the string for the host. - writeTo(" /* \"" + status.name + "\", " + - (status.finalIncludeSubdomains ? "true" : "false") + " */ ", - fos); - // Write out the string itself as individual characters, including the - // null terminator. We do it this way rather than using C's string - // concatentation because some compilers have hardcoded limits on the - // lengths of string literals, and the preload list is large enough - // that it runs into said limits. - for (let c of status.name) { - writeTo("'" + c + "', ", fos); - } - writeTo("'\\0',\n", fos); - } - writeTo("};\n", fos); - - const PREFIX = "\n" + - "struct nsSTSPreload\n" + - "{\n" + - " const uint32_t mHostIndex : 31;\n" + - " const uint32_t mIncludeSubdomains : 1;\n" + - "};\n" + - "\n" + - "static const nsSTSPreload kSTSPreloadList[] = {\n"; - const POSTFIX = "};\n"; - - writeTo(PREFIX, fos); - for (let status of includedStatuses) { - writeEntry(status, indices, fos); + for (var status of includedStatuses) { + writeEntry(status, fos); } writeTo(POSTFIX, fos); FileUtils.closeSafeFileOutputStream(fos); @@ -404,17 +370,9 @@ function readCurrentList(filename) { .createInstance(Ci.nsILineInputStream); fis.init(file, -1, -1, Ci.nsIFileInputStream.CLOSE_ON_EOF); var line = {}; - // While we generate entries matching the version 2 format (see bug 1255425 - // for details), we still need to be able to read entries in the version 1 - // format for bootstrapping a version 2 preload list from a version 1 - // preload list. Hence these two regexes. - var v1EntryRegex = / { "([^"]*)", (true|false) },/; - var v2EntryRegex = / \/\* "([^"]*)", (true|false) \*\//; + var entryRegex = / { "([^"]*)", (true|false) },/; while (fis.readLine(line)) { - var match = v1EntryRegex.exec(line.value); - if (!match) { - match = v2EntryRegex.exec(line.value); - } + var match = entryRegex.exec(line.value); if (match) { currentHosts[match[1]] = (match[2] == "true"); } -- cgit v1.2.3