summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@wolfbeast.com>2019-11-14 12:13:54 +0100
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-11-14 12:13:54 +0100
commit0a8dff525669a5f974e29bf03daba744b2d84e47 (patch)
tree280dd3616fbf74f767082f882b07bcac9dd790bf /security
parentc3144281b5c83b5e7c8657a563e45dc08d491e4a (diff)
downloaduxp-0a8dff525669a5f974e29bf03daba744b2d84e47.tar.gz
Issue #1289 - Part 1: Add a pref to disable HPKP header processing.
Diffstat (limited to 'security')
-rw-r--r--security/manager/ssl/nsSiteSecurityService.cpp40
-rw-r--r--security/manager/ssl/nsSiteSecurityService.h1
2 files changed, 37 insertions, 4 deletions
diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp
index 44ee7dcc07..1b7f06a470 100644
--- a/security/manager/ssl/nsSiteSecurityService.cpp
+++ b/security/manager/ssl/nsSiteSecurityService.cpp
@@ -212,6 +212,7 @@ nsSiteSecurityService::nsSiteSecurityService()
, mUsePreloadList(true)
, mUseStsService(true)
, mPreloadListTimeOffset(0)
+ , mHPKPEnabled(false)
{
}
@@ -240,6 +241,10 @@ nsSiteSecurityService::Init()
"network.stricttransportsecurity.preloadlist", true);
mozilla::Preferences::AddStrongObserver(this,
"network.stricttransportsecurity.preloadlist");
+ mHPKPEnabled = mozilla::Preferences::GetBool(
+ "security.cert_pinning.hpkp.enabled", false);
+ mozilla::Preferences::AddStrongObserver(this,
+ "security.cert_pinning.hpkp.enabled");
mUseStsService = mozilla::Preferences::GetBool(
"network.stricttransportsecurity.enabled", true);
mozilla::Preferences::AddStrongObserver(this,
@@ -687,6 +692,17 @@ nsSiteSecurityService::ProcessPKPHeader(nsIURI* aSourceURI,
if (aFailureResult) {
*aFailureResult = nsISiteSecurityService::ERROR_UNKNOWN;
}
+ if (!mHPKPEnabled) {
+ SSSLOG(("SSS: HPKP disabled: not processing header '%s'", aHeader));
+ if (aMaxAge) {
+ *aMaxAge = 0;
+ }
+ if (aIncludeSubdomains) {
+ *aIncludeSubdomains = false;
+ }
+ return NS_OK;
+ }
+
SSSLOG(("SSS: processing HPKP header '%s'", aHeader));
NS_ENSURE_ARG(aSSLStatus);
@@ -1185,17 +1201,24 @@ nsSiteSecurityService::GetKeyPinsForHostname(const char* aHostname,
mozilla::pkix::Time& aEvalTime,
/*out*/ nsTArray<nsCString>& pinArray,
/*out*/ bool* aIncludeSubdomains,
- /*out*/ bool* afound) {
+ /*out*/ bool* aFound) {
// Child processes are not allowed direct access to this.
if (!XRE_IsParentProcess()) {
MOZ_CRASH("Child process: no direct access to nsISiteSecurityService::GetKeyPinsForHostname");
}
- NS_ENSURE_ARG(afound);
+ NS_ENSURE_ARG(aFound);
NS_ENSURE_ARG(aHostname);
+ if (!mHPKPEnabled) {
+ SSSLOG(("HPKP disabled - returning 'pins not found' for %s",
+ aHostname));
+ *aFound = false;
+ return NS_OK;
+ }
+
SSSLOG(("Top of GetKeyPinsForHostname for %s", aHostname));
- *afound = false;
+ *aFound = false;
*aIncludeSubdomains = false;
pinArray.Clear();
@@ -1228,7 +1251,7 @@ nsSiteSecurityService::GetKeyPinsForHostname(const char* aHostname,
}
pinArray = foundEntry.mSHA256keys;
*aIncludeSubdomains = foundEntry.mIncludeSubdomains;
- *afound = true;
+ *aFound = true;
return NS_OK;
}
@@ -1248,6 +1271,13 @@ nsSiteSecurityService::SetKeyPins(const char* aHost, bool aIncludeSubdomains,
NS_ENSURE_ARG_POINTER(aResult);
NS_ENSURE_ARG_POINTER(aSha256Pins);
+
+ if (!mHPKPEnabled) {
+ SSSLOG(("SSS: HPKP disabled: not setting pins"));
+ *aResult = false;
+ return NS_OK;
+ }
+
SSSLOG(("Top of SetPins"));
nsTArray<nsCString> sha256keys;
@@ -1313,6 +1343,8 @@ nsSiteSecurityService::Observe(nsISupports *subject,
"network.stricttransportsecurity.enabled", true);
mPreloadListTimeOffset =
mozilla::Preferences::GetInt("test.currentTimeOffsetSeconds", 0);
+ mHPKPEnabled = mozilla::Preferences::GetBool(
+ "security.cert_pinning.hpkp.enabled", false);
mProcessPKPHeadersFromNonBuiltInRoots = mozilla::Preferences::GetBool(
"security.cert_pinning.process_headers_from_non_builtin_roots", false);
mMaxMaxAge = mozilla::Preferences::GetInt(
diff --git a/security/manager/ssl/nsSiteSecurityService.h b/security/manager/ssl/nsSiteSecurityService.h
index 63afee3771..c14543684f 100644
--- a/security/manager/ssl/nsSiteSecurityService.h
+++ b/security/manager/ssl/nsSiteSecurityService.h
@@ -152,6 +152,7 @@ private:
bool mUsePreloadList;
bool mUseStsService;
int64_t mPreloadListTimeOffset;
+ bool mHPKPEnabled;
bool mProcessPKPHeadersFromNonBuiltInRoots;
RefPtr<mozilla::DataStorage> mSiteStateStorage;
RefPtr<mozilla::DataStorage> mPreloadStateStorage;