
nsNSSComponent.h (6031B)


      1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
      2 *
      3 * This Source Code Form is subject to the terms of the Mozilla Public
      4 * License, v. 2.0. If a copy of the MPL was not distributed with this
      5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      6 
      7 #ifndef _nsNSSComponent_h_
      8 #define _nsNSSComponent_h_
      9 
     10 #include "nsINSSComponent.h"
     11 
     12 #include "EnterpriseRoots.h"
     13 #include "ScopedNSSTypes.h"
     14 #include "SharedCertVerifier.h"
     15 #include "mozilla/Monitor.h"
     16 #include "mozilla/Mutex.h"
     17 #include "mozilla/RefPtr.h"
     18 #include "nsCOMPtr.h"
     19 #include "nsIObserver.h"
     20 #include "nsNSSCallbacks.h"
     21 #include "nsServiceManagerUtils.h"
     22 #include "prerror.h"
     23 #include "sslt.h"
     24 
     25 #ifdef XP_WIN
     26 #  include <windows.h>  // this needs to be before the following includes
     27 #  include <wincrypt.h>
     28 #endif  // XP_WIN
     29 
     30 class nsIDOMWindow;
     31 class nsIPrompt;
     32 class nsISerialEventTarget;
     33 class nsITimer;
     34 
     namespace mozilla {
     namespace psm {

     // Free-function entry points into PSM's certificate verification state.
     // Only the declarations are visible in this header; the notes below are
     // limited to what the signatures themselves establish.

     // Returns the default SharedCertVerifier as an already_AddRefed, i.e. the
     // caller receives a reference it has to take ownership of (typically by
     // assigning to a RefPtr). [[nodiscard]] makes ignoring the result a
     // compiler diagnostic.
     // NOTE(review): whether the result can be null (for example before NSS is
     // initialized) is not visible here; callers should null-check before use.
     [[nodiscard]] ::already_AddRefed<mozilla::psm::SharedCertVerifier>
     GetDefaultCertVerifier();
     // Returns an owned certificate list (UniqueCERTCertList).
     // NOTE(review): going by the name, the list holds client certificates for
     // which a private key is available - confirm against the implementation.
     UniqueCERTCertList FindClientCertificatesWithPrivateKeys();
     // Returns the Certificate Transparency mode as a
     // CertVerifier::CertificateTransparencyMode value.
     // NOTE(review): presumably derived from preferences - confirm.
     CertVerifier::CertificateTransparencyMode GetCertificateTransparencyMode();

     }  // namespace psm
     }  // namespace mozilla
     45 
     // Class ID for the NSS component, written as an aggregate initializer
     // (32-bit, 16-bit, 16-bit, then eight bytes).
     // NOTE(review): presumably consumed by component registration - confirm.
     #define NS_NSSCOMPONENT_CID \
       {0x4cb64dfd, 0xca98, 0x4e24, {0xbe, 0xfd, 0x0d, 0x92, 0x85, 0xa3, 0x3b, 0xcb}}

     // Process-level helpers declared here and defined elsewhere.
     // NOTE(review): the meaning of the bool results is not visible in this
     // header. Presumably `false` from EnsureNSSInitializedChromeOrContent()
     // means NSS is not usable and callers must not go on to use NSS APIs;
     // presumably HandleTLSPrefChange() reports whether aPref was a TLS
     // preference it handled. Confirm both against the implementation.
     bool EnsureNSSInitializedChromeOrContent();
     bool HandleTLSPrefChange(const nsCString& aPref);
     void SetValidationOptionsCommon();
     void PrepareForShutdownInSocketProcess();
     53 
     // RAII helper class to indicate that gecko is searching for client auth
     // certificates. Will automatically stop indicating that a search is
     // happening when it goes out of scope.
     //
     // osclientcerts (or ipcclientcerts, in the socket process) will call
     // IsGeckoSearchingForClientAuthCertificates() to determine if gecko is
     // searching for client auth certificates. If so, the module knows to
     // refresh its list of certificates and keys (which can be costly).
     //
     // Known, accepted race: in theory, two separate threads could both create
     // an AutoSearchingForClientAuthCertificates at overlapping times. If one
     // goes out of scope sooner than the other,
     // IsGeckoSearchingForClientAuthCertificates() could potentially
     // incorrectly return false for the slower thread. However, as long as the
     // faster thread has ensured that osclientcerts/ipcclientcerts has updated
     // its list of known certificates, a second search would be redundant
     // anyway, so it doesn't matter.
     //
     // NOTE(review): the argument above depends on the faster thread's refresh
     // having completed before its guard is destroyed; the constructor and
     // destructor bodies are not in this header, so that ordering cannot be
     // checked from here.
     class AutoSearchingForClientAuthCertificates {
      public:
       // Begins indicating that a client auth certificate search is in
       // progress (per the class comment above).
       AutoSearchingForClientAuthCertificates();
       // Stops indicating that a search is in progress.
       ~AutoSearchingForClientAuthCertificates();
     };
     73 
     // Implementation of the PSM component interface.
     //
     // Implements nsINSSComponent and nsIObserver with thread-safe reference
     // counting (NS_DECL_THREADSAFE_ISUPPORTS). State shared between threads is
     // annotated with MOZ_GUARDED_BY so that the thread-safety analysis can
     // check that the named lock is held on access.
     class nsNSSComponent final : public nsINSSComponent, public nsIObserver {
      public:
       // LoadLoadableCertsTask updates mLoadableCertsLoaded and
       // mLoadableCertsLoadedResult and then signals
       // mLoadableCertsLoadedMonitor.
       friend class LoadLoadableCertsTask;
       // BackgroundImportEnterpriseCertsTask calls ImportEnterpriseRoots and
       // UpdateCertVerifierWithEnterpriseRoots.
       friend class BackgroundImportEnterpriseCertsTask;

       nsNSSComponent();

       NS_DECL_THREADSAFE_ISUPPORTS
       NS_DECL_NSINSSCOMPONENT
       NS_DECL_NSIOBSERVER

       // One-time setup; reports failure through the returned nsresult.
       nsresult Init();

       // Hands back a prompter through the `result` out-parameter.
       static nsresult GetNewPrompter(nsIPrompt** result);

       // Writes the TLS version range to use into `rangeOut`, given the
       // minimum and maximum read from preferences and a `defaults` range.
       // NOTE(review): how out-of-range or inverted pref values are
       // reconciled with `defaults` is not visible in this header - confirm
       // in the implementation before relying on a particular fallback.
       static void FillTLSVersionRange(SSLVersionRange& rangeOut,
                                       uint32_t minFromPrefs, uint32_t maxFromPrefs,
                                       SSLVersionRange defaults);

       static nsresult SetEnabledTLSVersions();

       // This function does the actual work of clearing the session cache. It
       // is to be used by the socket process (where there is no
       // nsINSSComponent) and internally by nsNSSComponent.
       // NB: NSS must have already been initialized before this is called.
       static void DoClearSSLExternalAndInternalSessionCache();

      protected:
       // Non-public destructor: instances are reference counted and are not
       // meant to be destroyed directly by callers.
       ~nsNSSComponent();

      private:
       nsresult InitializeNSS();
       void PrepareForShutdown();

       // Takes a MutexAutoLock by reference as proof that the caller already
       // holds a lock.
       // NOTE(review): presumably the lock in question is mMutex - confirm.
       void setValidationOptions(const mozilla::MutexAutoLock& proofOfLock);
       // Reads revocation-checking settings from preferences. Every parameter
       // is an output, passed either by pointer or by reference.
       // NOTE(review): the pointer outputs are presumably required to be
       // non-null - confirm against the implementation.
       void GetRevocationBehaviorFromPrefs(
           /*out*/ mozilla::psm::CertVerifier::OcspDownloadConfig* odc,
           /*out*/ mozilla::psm::CertVerifier::OcspStrictConfig* osc,
           /*out*/ uint32_t* certShortLifetimeInDays,
           /*out*/ TimeDuration& softTimeout,
           /*out*/ TimeDuration& hardTimeout);
       void UpdateCertVerifierWithEnterpriseRoots();
       nsresult RegisterObservers();

       // Enterprise certificate handling. Whatever ends up in mEnterpriseCerts
       // is passed on to the certificate verifier by
       // UpdateCertVerifierWithEnterpriseRoots (going by its name), so these
       // functions affect which certificates the verifier knows about.
       void MaybeImportEnterpriseRoots();
       void ImportEnterpriseRoots();
       void UnloadEnterpriseRoots();
       // Fills `enterpriseCerts` with certificates as raw byte arrays.
       // NOTE(review): `getRoots` presumably selects roots versus the other
       // imported certificates - confirm.
       nsresult CommonGetEnterpriseCerts(
           nsTArray<nsTArray<uint8_t>>& enterpriseCerts, bool getRoots);

       // mLoadableCertsLoadedMonitor protects mLoadableCertsLoaded and
       // mLoadableCertsLoadedResult (both are MOZ_GUARDED_BY it).
       mozilla::Monitor mLoadableCertsLoadedMonitor;
       bool mLoadableCertsLoaded MOZ_GUARDED_BY(mLoadableCertsLoadedMonitor);
       nsresult mLoadableCertsLoadedResult
           MOZ_GUARDED_BY(mLoadableCertsLoadedMonitor);

       // mMutex protects all members that are accessed from more than one
       // thread.
       mozilla::Mutex mMutex;

       // The following members are accessed from more than one thread:

     #ifdef DEBUG
       // Exists in DEBUG builds only.
       nsCString mTestBuiltInRootHash MOZ_GUARDED_BY(mMutex);
     #endif
       RefPtr<mozilla::psm::SharedCertVerifier> mDefaultCertVerifier
           MOZ_GUARDED_BY(mMutex);
       nsString mMitmCanaryIssuer MOZ_GUARDED_BY(mMutex);
       // NOTE(review): the identifier is spelled "Detecion" (sic). Correcting
       // it means renaming every use outside this header, so it is left as is.
       bool mMitmDetecionEnabled MOZ_GUARDED_BY(mMutex);
       nsTArray<EnterpriseCert> mEnterpriseCerts MOZ_GUARDED_BY(mMutex);

       // The following members are accessed only on the main thread:
       // (no lock annotation, so nothing enforces this at compile time)
       static int mInstanceCount;
     };
    152 
    // Convenience wrapper: looks up the PSM component service and forwards to
    // its BlockUntilLoadableCertsLoaded(). Returns NS_ERROR_FAILURE when the
    // service cannot be obtained; otherwise returns whatever the component
    // reports. Callers should check the result rather than assume that the
    // loadable certificates are available.
    inline nsresult BlockUntilLoadableCertsLoaded() {
      nsCOMPtr<nsINSSComponent> nssComponent =
          do_GetService(PSM_COMPONENT_CONTRACTID);
      return nssComponent ? nssComponent->BlockUntilLoadableCertsLoaded()
                          : NS_ERROR_FAILURE;
    }
    160 
    // Convenience wrapper: asks the PSM component service to check for smart
    // card changes. In builds that define MOZ_NO_SMART_CARDS this is a no-op
    // that returns NS_OK. Otherwise it returns NS_ERROR_FAILURE when the
    // service cannot be obtained, or the component's own result.
    inline nsresult CheckForSmartCardChanges() {
    #ifdef MOZ_NO_SMART_CARDS
      // Smart card support is compiled out: there is nothing to check.
      return NS_OK;
    #else
      nsCOMPtr<nsINSSComponent> nssComponent =
          do_GetService(PSM_COMPONENT_CONTRACTID);
      return nssComponent ? nssComponent->CheckForSmartCardChanges()
                          : NS_ERROR_FAILURE;
    #endif
    }
    172 
    173 #endif  // _nsNSSComponent_h_