authorwolfbeast <mcwerewolf@wolfbeast.com>2019-11-14 12:13:54 +0100
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-11-14 12:13:54 +0100
commit0a8dff525669a5f974e29bf03daba744b2d84e47 (patch)
tree280dd3616fbf74f767082f882b07bcac9dd790bf
parentc3144281b5c83b5e7c8657a563e45dc08d491e4a (diff)
downloaduxp-0a8dff525669a5f974e29bf03daba744b2d84e47.tar.gz
Issue #1289 - Part 1: Add a pref to disable HPKP header processing.
-rw-r--r--netwerk/base/security-prefs.js8
-rw-r--r--security/manager/ssl/nsSiteSecurityService.cpp40
-rw-r--r--security/manager/ssl/nsSiteSecurityService.h1
3 files changed, 45 insertions, 4 deletions
diff --git a/netwerk/base/security-prefs.js b/netwerk/base/security-prefs.js
index ef78ddccbb..702315d430 100644
--- a/netwerk/base/security-prefs.js
+++ b/netwerk/base/security-prefs.js
@@ -132,6 +132,14 @@ pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
// blacking themselves out by setting a bad pin. (60 days by default)
// https://tools.ietf.org/html/rfc7469#section-4.1
pref("security.cert_pinning.max_max_age_seconds", 5184000);
+// Controls whether or not HPKP (the HTTP Public Key Pinning header) is enabled.
+// If true, the header is processed and collected HPKP information is consulted
+// when looking for pinning information.
+// If false, the header is not processed and collected HPKP information is not
+// consulted when looking for pinning information. Preloaded pins are not
+// affected by this preference.
+// Default: false
+pref("security.cert_pinning.hpkp.enabled", false);
// If a request is mixed-content, send an HSTS priming request to attempt to
// see if it is available over HTTPS.
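Review bot: The new comment block promises that collected HPKP information "is not consulted" when the pref is false, but nothing in this commit removes or expires pins that were already persisted from earlier headers, so they come back into force the moment the pref is flipped to true again (unless they have expired in the meantime). That matters for the obvious use case of escaping a bad pin, so it should be stated; I would add after the "Preloaded pins are not affected" sentence: `// Pins already stored from earlier headers are kept on disk and are` / `// honoured again if this preference is re-enabled before they expire.`. The claim that preloaded pins are unaffected is consistent with the C++ changes, which only gate the header and site-storage paths, but the static pin list itself is not visible in this diff, so that sentence is taken on trust.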
diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp
index 44ee7dcc07..1b7f06a470 100644
--- a/security/manager/ssl/nsSiteSecurityService.cpp
+++ b/security/manager/ssl/nsSiteSecurityService.cpp
@@ -212,6 +212,7 @@ nsSiteSecurityService::nsSiteSecurityService()
, mUsePreloadList(true)
, mUseStsService(true)
, mPreloadListTimeOffset(0)
+ , mHPKPEnabled(false)
{
}
@@ -240,6 +241,10 @@ nsSiteSecurityService::Init()
"network.stricttransportsecurity.preloadlist", true);
mozilla::Preferences::AddStrongObserver(this,
"network.stricttransportsecurity.preloadlist");
+ mHPKPEnabled = mozilla::Preferences::GetBool(
+ "security.cert_pinning.hpkp.enabled", false);
+ mozilla::Preferences::AddStrongObserver(this,
+ "security.cert_pinning.hpkp.enabled");
mUseStsService = mozilla::Preferences::GetBool(
"network.stricttransportsecurity.enabled", true);
mozilla::Preferences::AddStrongObserver(this,
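Review bot: The pref name `"security.cert_pinning.hpkp.enabled"` is spelled out as a string literal in the GetBool call, in the AddStrongObserver call directly below it, and again in the Observe handler, so a typo in any one of them silently leaves HPKP either permanently off or non-reloadable. The sibling prefs in this file follow the same literal-per-call style, so this is a matter of how the new code is written rather than a defect, but a single file-local `static const char kHPKPEnabledPref[] = "security.cert_pinning.hpkp.enabled";` used at all three sites would remove that risk for the new flag. Init's body continues outside the hunk.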
@@ -687,6 +692,17 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI,
if (aFailureResult) {
*aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN;
}
+ if (!mHPKPEnabled) {
+ SSSLOG(("SSS: HPKP disabled: not processing header '%s'", aHeader));
+ if (aMaxAge) {
+ *aMaxAge = 0;
+ }
+ if (aIncludeSubdomains) {
+ *aIncludeSubdomains = false;
+ }
+ return NS_OK;
+ }
+
SSSLOG(("SSS: processing HPKP header '%s'", aHeader));
NS_ENSURE_ARG(aSSLStatus);
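Review bot: The early return in the `if (!mHPKPEnabled)` guard hands back NS_OK while `*aFailureResult` still holds the ERROR_UNKNOWN value assigned a few lines above it, so a caller that inspects the failure code after a successful return sees an error for a header that was deliberately ignored. If the normal path (which continues outside the hunk) ends by storing `nsISiteSecurityService::Success` before its own `return NS_OK;`, the guard should do the same: `if (aFailureResult) { *aFailureResult = nsISiteSecurityService::Success; }` ahead of the return. If instead the intent is that the outcome not be reported as a processed header at all, return a distinct nsresult rather than NS_OK. ProcessPKPHeader's body continues past the end of the hunk.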
@@ -1185,17 +1201,24 @@ nsSiteSecurityService::GetKeyPinsForHostname(const char* aHostname,
mozilla::pkix::Time& aEvalTime,
/*out*/ nsTArray<nsCString>& pinArray,
/*out*/ bool* aIncludeSubdomains,
- /*out*/ bool* afound) {
+ /*out*/ bool* aFound) {
// Child processes are not allowed direct access to this.
if (!XRE_IsParentProcess()) {
MOZ_CRASH("Child process: no direct access to nsISiteSecurityService::GetKeyPinsForHostname");
}
- NS_ENSURE_ARG(afound);
+ NS_ENSURE_ARG(aFound);
NS_ENSURE_ARG(aHostname);
+ if (!mHPKPEnabled) {
+ SSSLOG(("HPKP disabled - returning 'pins not found' for %s",
+ aHostname));
+ *aFound = false;
+ return NS_OK;
+ }
+
SSSLOG(("Top of GetKeyPinsForHostname for %s", aHostname));
- *afound = false;
+ *aFound = false;
*aIncludeSubdomains = false;
pinArray.Clear();
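Review bot: The disabled-path guard returns before the output initialisation that follows it, so when HPKP is off `*aIncludeSubdomains` is never written and `pinArray` is never cleared, whereas every other path through this function sets both; a caller that reads includeSubdomains without first checking `*aFound` gets whatever the variable held before. Moving the guard to just after `pinArray.Clear();`, or adding `*aIncludeSubdomains = false;` and `pinArray.Clear();` inside it next to `*aFound = false;`, keeps the output contract uniform. Note also that this only suppresses the lookup: dynamic pins already in site storage are retained and are honoured again as soon as the pref is re-enabled, which is worth a comment on the guard if purging them is intentionally out of scope for this part. The remainder of GetKeyPinsForHostname lies outside the hunk.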
@@ -1228,7 +1251,7 @@ nsSiteSecurityService::GetKeyPinsForHostname(const char* aHostname,
}
pinArray = foundEntry.mSHA256keys;
*aIncludeSubdomains = foundEntry.mIncludeSubdomains;
- *afound = true;
+ *aFound = true;
return NS_OK;
}
@@ -1248,6 +1271,13 @@ nsSiteSecurityService::SetKeyPins(const char* aHost, bool aIncludeSubdomains,
NS_ENSURE_ARG_POINTER(aResult);
NS_ENSURE_ARG_POINTER(aSha256Pins);
+
+ if (!mHPKPEnabled) {
+ SSSLOG(("SSS: HPKP disabled: not setting pins"));
+ *aResult = false;
+ return NS_OK;
+ }
+
SSSLOG(("Top of SetPins"));
nsTArray<nsCString> sha256keys;
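Review bot: The guard reports the disabled case as `*aResult = false` with NS_OK, which is the same signal a caller presumably gets from the normal path (outside the hunk) when the supplied pins are rejected, so scripted and test callers cannot tell "pins refused" from "pinning turned off". The parameter list is cut at the hunk edge; if this method still carries an is-preload flag and writes to the preload store as upstream's signature does, gating it unconditionally here also contradicts the pref description that preloaded pins are unaffected. Consider an explicit status after the log line, e.g. `return NS_ERROR_NOT_AVAILABLE;`, or at least exempting the preload case from the check. The rest of SetKeyPins is outside the hunk.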
@@ -1313,6 +1343,8 @@ nsSiteSecurityService::Observe(nsISupports *subject,
"network.stricttransportsecurity.enabled", true);
mPreloadListTimeOffset =
mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0);
+ mHPKPEnabled = mozilla::Preferences::GetBool(
+ "security.cert_pinning.hpkp.enabled", false);
mProcessPKPHeadersFromNonBuiltInRoots = mozilla::Preferences::GetBool(
"security.cert_pinning.process_headers_from_non_builtin_roots", false);
mMaxMaxAge = mozilla::Preferences::GetInt(
diff --git a/security/manager/ssl/nsSiteSecurityService.h b/security/manager/ssl/nsSiteSecurityService.h
index 63afee3771..c14543684f 100644
--- a/security/manager/ssl/nsSiteSecurityService.h
+++ b/security/manager/ssl/nsSiteSecurityService.h
@@ -152,6 +152,7 @@ private:
bool mUsePreloadList;
bool mUseStsService;
int64_t mPreloadListTimeOffset;
+ bool mHPKPEnabled;
bool mProcessPKPHeadersFromNonBuiltInRoots;
RefPtr<mozilla::DataStorage> mSiteStateStorage;
RefPtr<mozilla::DataStorage> mPreloadStateStorage;
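Review bot: `mHPKPEnabled` is a plain bool that the preference observer writes on the main thread and that GetKeyPinsForHostname reads; if that lookup is reached from a certificate-verification thread, as the public key pinning service does upstream (not visible in this diff), the read is an unsynchronised cross-thread access and a toggle during verification is a data race. The neighbouring `mUseStsService` and `mProcessPKPHeadersFromNonBuiltInRoots` flags share the pattern, so the new member is consistent with the file, but declaring it as `mozilla::Atomic<bool, mozilla::Relaxed> mHPKPEnabled;` (with `mozilla/Atomics.h` included) would make the flag safe to flip at runtime without changing any of the call sites, since assignment and implicit conversion keep working. The class body continues outside the hunk.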