nsSiteSecurityService.h (5497B)
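/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef __nsSiteSecurityService_h__
#define __nsSiteSecurityService_h__

#include "mozilla/BasePrincipal.h"
#include "mozilla/Dafsa.h"
#include "nsCOMPtr.h"
#include "nsIDataStorage.h"
#include "nsISiteSecurityService.h"
#include "nsString.h"
#include "nsTArray.h"
#include "mozpkix/pkixtypes.h"
#include "prtime.h"

class nsIURI;

using mozilla::OriginAttributes;

// {16955eee-6c48-4152-9309-c42a465138a1}
#define NS_SITE_SECURITY_SERVICE_CID \
  {0x16955eee, 0x6c48, 0x4152, {0x93, 0x09, 0xc4, 0x2a, 0x46, 0x51, 0x38, 0xa1}}

/**
 * SecurityPropertyState: A utility enum for representing the different states
 * a security property can be in.
 * SecurityPropertySet and SecurityPropertyUnset correspond to indicating
 * a site has or does not have the security property in question, respectively.
 * SecurityPropertyKnockout indicates a value on a preloaded list is being
 * overridden, and the associated site does not have the security property
 * in question.
 *
 * NOTE(review): the enumerators carry explicit numeric values. If those
 * values are what SiteHSTSState writes into its state string (the encoder is
 * not visible in this header), renumbering them would change the meaning of
 * already-stored entries - confirm before editing.
 */
enum SecurityPropertyState {
  SecurityPropertyUnset = 0,
  SecurityPropertySet = 1,
  SecurityPropertyKnockout = 2,
};

/**
 * SiteHSTSState: A utility class that encodes/decodes a string describing
 * the security state of a site. Currently only handles HSTS.
 * HSTS state consists of:
 *  - Hostname (nsCString)
 *  - Origin attributes (OriginAttributes)
 *  - Expiry time (PRTime (aka int64_t) in milliseconds)
 *  - A state flag (SecurityPropertyState, default SecurityPropertyUnset)
 *  - An include subdomains flag (bool, default false)
 *
 * All fields are public and carry no in-class initializers, so the values
 * are whatever the constructors (defined out of line) assign.
 */
class SiteHSTSState {
 public:
  // Builds the state for aHost by decoding aStateString. The decoder is
  // defined out of line.
  // NOTE(review): presumably aStateString comes from persisted site-state
  // storage; how a malformed string is handled is not visible here - confirm
  // that it cannot produce a Set state by accident.
  SiteHSTSState(const nsCString& aHost,
                const OriginAttributes& aOriginAttributes,
                const nsCString& aStateString);

  // Builds the state directly from already-parsed field values.
  SiteHSTSState(const nsCString& aHost,
                const OriginAttributes& aOriginAttributes,
                PRTime aHSTSExpireTime, SecurityPropertyState aHSTSState,
                bool aHSTSIncludeSubdomains);

  nsCString mHostname;
  OriginAttributes mOriginAttributes;
  // Expiry in milliseconds; 0 is treated as "never expires" by IsExpired().
  PRTime mHSTSExpireTime;
  SecurityPropertyState mHSTSState;
  bool mHSTSIncludeSubdomains;

  /**
   * Reports whether this entry's expiry time has passed.
   *
   * Only mHSTSExpireTime is consulted; mHSTSState is not. Any entry whose
   * expiry is 0 is therefore reported as unexpired regardless of its state
   * (this is the case for knockout entries).
   *
   * The comparison uses PR_Now(), i.e. wall-clock time, so a change to the
   * system clock shifts the moment at which an entry starts being reported
   * as expired. An entry whose expiry equals the current millisecond is
   * still considered valid (strict greater-than).
   *
   * @return true if the current time is later than mHSTSExpireTime, false
   *         otherwise or when mHSTSExpireTime is 0.
   */
  bool IsExpired() const {
    if (mHSTSExpireTime == 0) {
      return false;
    }

    // PR_Now() is in microseconds; the stored expiry is in milliseconds.
    const PRTime nowMs = PR_Now() / PR_USEC_PER_MSEC;
    return nowMs > mHSTSExpireTime;
  }

  // Encodes this state into aString (defined out of line).
  void ToString(nsCString& aString);
};

struct nsSTSPreload;

/**
 * nsSiteSecurityService: implementation of nsISiteSecurityService. Holds a
 * handle to site-state storage (mSiteStateStorage) and a const Dafsa
 * (mDafsa).
 *
 * NS_DECL_THREADSAFE_ISUPPORTS gives the object thread-safe reference
 * counting. It does not by itself synchronize the methods below; any locking
 * lives in the implementation file or in the storage backend.
 */
class nsSiteSecurityService : public nsISiteSecurityService {
 public:
  NS_DECL_THREADSAFE_ISUPPORTS
  NS_DECL_NSISITESECURITYSERVICE

  nsSiteSecurityService();
  nsresult Init();

  // Writes the host of aURI into aResult.
  static nsresult GetHost(nsIURI* aURI, nsACString& aResult);
  // NOTE(review): RFC 6797 excludes IP-literal hosts from HSTS; presumably
  // this predicate backs that check - confirm in the implementation.
  static bool HostIsIPAddress(const nsCString& hostname);

 protected:
  virtual ~nsSiteSecurityService();

 private:
  // NOTE(review): maxage is int64_t here, while the header-processing
  // methods below report max-age through uint64_t*. Wherever the unsigned
  // value is narrowed it should be clamped so that a very large max-age
  // cannot turn into a negative or already-expired lifetime - confirm in the
  // implementation.
  nsresult SetHSTSState(const char* aHost, int64_t maxage,
                        bool includeSubdomains,
                        SecurityPropertyState aHSTSState,
                        const OriginAttributes& aOriginAttributes);

  // aMaxAge, aIncludeSubdomains and aFailureResult are out-parameters passed
  // by pointer. Whether they may be null is not visible in this header -
  // confirm before passing nullptr.
  nsresult ProcessHeaderInternal(nsIURI* aSourceURI, const nsCString& aHeader,
                                 const OriginAttributes& aOriginAttributes,
                                 uint64_t* aMaxAge, bool* aIncludeSubdomains,
                                 uint32_t* aFailureResult);
  nsresult ProcessSTSHeader(nsIURI* aSourceURI, const nsCString& aHeader,
                            const OriginAttributes& aOriginAttributes,
                            uint64_t* aMaxAge, bool* aIncludeSubdomains,
                            uint32_t* aFailureResult);

  nsresult MarkHostAsNotHSTS(const nsAutoCString& aHost,
                             const OriginAttributes& aOriginAttributes);
  nsresult ResetStateInternal(nsIURI* aURI,
                              const OriginAttributes& aOriginAttributes,
                              nsISiteSecurityService::ResetStateBy aScope);
  void ResetStateForExactDomain(const nsCString& aHostname,
                                const OriginAttributes& aOriginAttributes);

  // The match result is delivered through aHostMatchesHSTSEntry; the
  // nsresult return value reports success or failure of the lookup itself.
  nsresult HostMatchesHSTSEntry(const nsAutoCString& aHost,
                                bool aRequireIncludeSubdomains,
                                const OriginAttributes& aOriginAttributes,
                                bool& aHostMatchesHSTSEntry);

  // aIncludeSubdomains is optional and defaults to nullptr.
  // NOTE(review): presumably the lookup is answered from mDafsa - confirm.
  bool GetPreloadStatus(
      const nsACString& aHost,
      /*optional out*/ bool* aIncludeSubdomains = nullptr) const;

  // Storage accessors keyed by hostname, origin attributes and data storage
  // type. What "migration" covers is defined in the implementation file.
  nsresult GetWithMigration(const nsACString& aHostname,
                            const OriginAttributes& aOriginAttributes,
                            nsIDataStorage::DataType aDataStorageType,
                            nsACString& aValue);
  nsresult PutWithMigration(const nsACString& aHostname,
                            const OriginAttributes& aOriginAttributes,
                            nsIDataStorage::DataType aDataStorageType,
                            const nsACString& aStateString);
  nsresult RemoveWithMigration(const nsACString& aHostname,
                               const OriginAttributes& aOriginAttributes,
                               nsIDataStorage::DataType aDataStorageType);

  nsCOMPtr<nsIDataStorage> mSiteStateStorage;
  const mozilla::Dafsa mDafsa;
};

#endif  // __nsSiteSecurityService_h__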