tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

SSLServerCertVerification.h (6415B)

      1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
      2 *
      3 * This Source Code Form is subject to the terms of the Mozilla Public
      4 * License, v. 2.0. If a copy of the MPL was not distributed with this
      5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      6 #ifndef _SSLSERVERCERTVERIFICATION_H
      7 #define _SSLSERVERCERTVERIFICATION_H
      8 
      9 #include "CertVerifier.h"
     10 #include "CommonSocketControl.h"
     11 #include "ScopedNSSTypes.h"
     12 #include "mozilla/Maybe.h"
     13 #include "mozpkix/pkix.h"
     14 #include "nsITransportSecurityInfo.h"
     15 #include "nsIX509Cert.h"
     16 #include "nsTArray.h"
     17 #include "nsThreadUtils.h"
     18 #include "prerror.h"
     19 #include "prio.h"
     20 #include "seccomon.h"
     21 #include "secoidt.h"
     22 
     23 using namespace mozilla::pkix;
     24 
     25 namespace mozilla {
     26 namespace psm {
     27 
     28 enum class EVStatus : uint8_t;
     29 
     30 SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig,
     31                              PRBool isServer);
     32 
     33 // This function triggers the certificate verification. The verification is
     34 // asynchronous and the info object will be notified when the verification has
     35 // completed via SetCertVerificationResult.
     36 SECStatus AuthCertificateHookWithInfo(
     37    CommonSocketControl* socketControl, const nsACString& aHostName,
     38    const void* aPtrForLogging, nsTArray<nsTArray<uint8_t>>&& peerCertChain,
     39    Maybe<nsTArray<nsTArray<uint8_t>>>& stapledOCSPResponses,
     40    Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags);
     41 
     42 // Base class for dispatching the certificate verification result.
     43 class BaseSSLServerCertVerificationResult {
     44 public:
     45  NS_INLINE_DECL_PURE_VIRTUAL_REFCOUNTING
     46 
     47  [[nodiscard]] virtual nsresult Dispatch(
     48      nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
     49      nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
     50      uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus,
     51      bool aSucceeded, PRErrorCode aFinalError,
     52      nsITransportSecurityInfo::OverridableErrorCategory
     53          aOverridableErrorCategory,
     54      bool aIsBuiltCertChainRootBuiltInRoot, uint32_t aProviderFlags,
     55      bool aMadeOCSPRequests) = 0;
     56 };
     57 
     58 // Dispatched to the STS thread to notify the infoObject of the verification
     59 // result.
     60 //
     61 // This will cause the PR_Poll in the STS thread to return, so things work
     62 // correctly even if the STS thread is blocked polling (only) on the file
     63 // descriptor that is waiting for this result.
     64 class SSLServerCertVerificationResult final
     65    : public BaseSSLServerCertVerificationResult,
     66      public Runnable {
     67 public:
     68  NS_DECL_ISUPPORTS_INHERITED
     69  NS_DECL_NSIRUNNABLE
     70 
     71  explicit SSLServerCertVerificationResult(CommonSocketControl* socketControl);
     72 
     73  [[nodiscard]] nsresult Dispatch(
     74      nsTArray<nsTArray<uint8_t>>&& aBuiltChain,
     75      nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,
     76      uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus,
     77      bool aSucceeded, PRErrorCode aFinalError,
     78      nsITransportSecurityInfo::OverridableErrorCategory
     79          aOverridableErrorCategory,
     80      bool aIsBuiltCertChainRootBuiltInRoot, uint32_t aProviderFlags,
     81      bool aMadeOCSPRequests) override;
     82 
     83 private:
     84  ~SSLServerCertVerificationResult() = default;
     85 
     86  RefPtr<CommonSocketControl> mSocketControl;
     87  nsTArray<nsTArray<uint8_t>> mBuiltChain;
     88  nsTArray<nsTArray<uint8_t>> mPeerCertChain;
     89  uint16_t mCertificateTransparencyStatus;
     90  EVStatus mEVStatus;
     91  bool mSucceeded;
     92  PRErrorCode mFinalError;
     93  nsITransportSecurityInfo::OverridableErrorCategory mOverridableErrorCategory;
     94  bool mIsBuiltCertChainRootBuiltInRoot;
     95  uint32_t mProviderFlags;
     96  bool mMadeOCSPRequests;
     97 };
     98 
     99 class SSLServerCertVerificationJob : public Runnable {
    100 public:
    101  SSLServerCertVerificationJob(const SSLServerCertVerificationJob&) = delete;
    102 
    103  // Must be called only on the socket transport thread
    104  static SECStatus Dispatch(uint64_t addrForLogging, void* aPinArg,
    105                            nsTArray<nsTArray<uint8_t>>&& peerCertChain,
    106                            const nsACString& aHostName, int32_t aPort,
    107                            const OriginAttributes& aOriginAttributes,
    108                            Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
    109                            Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
    110                            Maybe<DelegatedCredentialInfo>& dcInfo,
    111                            uint32_t providerFlags, Time time,
    112                            uint32_t certVerifierFlags,
    113                            BaseSSLServerCertVerificationResult* aResultTask);
    114 
    115 private:
    116  NS_DECL_NSIRUNNABLE
    117 
    118  // Must be called only on the socket transport thread
    119  SSLServerCertVerificationJob(uint64_t addrForLogging, void* aPinArg,
    120                               nsTArray<nsTArray<uint8_t>>&& peerCertChain,
    121                               const nsACString& aHostName, int32_t aPort,
    122                               const OriginAttributes& aOriginAttributes,
    123                               Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
    124                               Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
    125                               Maybe<DelegatedCredentialInfo>& dcInfo,
    126                               uint32_t providerFlags, Time time,
    127                               uint32_t certVerifierFlags,
    128                               BaseSSLServerCertVerificationResult* aResultTask)
    129      : Runnable("psm::SSLServerCertVerificationJob"),
    130        mAddrForLogging(addrForLogging),
    131        mPinArg(aPinArg),
    132        mPeerCertChain(std::move(peerCertChain)),
    133        mHostName(aHostName),
    134        mPort(aPort),
    135        mOriginAttributes(aOriginAttributes),
    136        mProviderFlags(providerFlags),
    137        mCertVerifierFlags(certVerifierFlags),
    138        mTime(time),
    139        mStapledOCSPResponse(std::move(stapledOCSPResponse)),
    140        mSCTsFromTLSExtension(std::move(sctsFromTLSExtension)),
    141        mDCInfo(std::move(dcInfo)),
    142        mResultTask(aResultTask) {
    143    FixOnionAlias();
    144  }
    145 
    146  void FixOnionAlias();
    147 
    148  uint64_t mAddrForLogging;
    149  void* mPinArg;
    150  nsTArray<nsTArray<uint8_t>> mPeerCertChain;
    151  nsCString mHostName;
    152  int32_t mPort;
    153  OriginAttributes mOriginAttributes;
    154  const uint32_t mProviderFlags;
    155  const uint32_t mCertVerifierFlags;
    156  const Time mTime;
    157  Maybe<nsTArray<uint8_t>> mStapledOCSPResponse;
    158  Maybe<nsTArray<uint8_t>> mSCTsFromTLSExtension;
    159  Maybe<DelegatedCredentialInfo> mDCInfo;
    160  RefPtr<BaseSSLServerCertVerificationResult> mResultTask;
    161 };
    162 
    163 }  // namespace psm
    164 }  // namespace mozilla
    165 
    166 #endif