nagai/fune
3
0
Fork 0
forked from mirrors/gecko-dev
Code Pull requests Activity
fune/security/manager/ssl/CommonSocketControl.cpp
Dana Keeler 101100dc72 Bug 1401466 - make the client auth certificate selection dialog tab modal r=jschanck,necko-reviewers,bolsson,kershaw,valentin 
Previously, the client authentication certificate selection dialog could show
up unexpectedly. Because it was modal, it would prevent user interaction with
the browser. It could even get in a state where the dialog couldn't be
interacted with, and neither could anything else, so the entire browser would
be locked and the user would have to quit and restart.

This patch associates a top-level outer content window ID (called "browserId"
in networking code) with each NSSSocketControl. When a peer asks for a client
authentication certificate, the NSSSocketControl can use the ID to find the
relevant tab and open a tab-modal dialog, which allows other browser UI to be
interacted with.

Some loads cannot be associated with browser tabs, and so the implementation
falls back to opening a window-modal dialog on the most recently active window.
This is still better than the previous implementation, since the dialog is
connected to a window rather than being its own separate dialog.

Differential Revision: https://phabricator.services.mozilla.com/D183775
2023-08-30 03:05:35 +00:00

533 lines
16 KiB
C++
Raw Blame History

/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "CommonSocketControl.h"
#include "PublicKeyPinningService.h"
#include "SharedCertVerifier.h"
#include "SharedSSLState.h"
#include "mozilla/ErrorResult.h"
#include "mozilla/StaticPrefs_network.h"
#include "mozilla/dom/Promise.h"
#include "nsICertOverrideService.h"
#include "nsISocketProvider.h"
#include "nsITlsHandshakeListener.h"
#include "nsNSSComponent.h"
#include "nsNSSHelper.h"
#include "secerr.h"
#include "ssl.h"
#include "sslt.h"
using namespace mozilla;
extern LazyLogModule gPIPNSSLog;
NS_IMPL_ISUPPORTS(CommonSocketControl, nsITLSSocketControl)
CommonSocketControl::CommonSocketControl(const nsCString& aHostName,
int32_t aPort, uint32_t aProviderFlags)
: mHostName(aHostName),
mPort(aPort),
mOriginAttributes(),
mCanceled(false),
mSessionCacheInfo(),
mHandshakeCompleted(false),
mJoined(false),
mSentClientCert(false),
mFailedVerification(false),
mSSLVersionUsed(nsITLSSocketControl::SSL_VERSION_UNKNOWN),
mProviderFlags(aProviderFlags),
mSecurityState(0),
mErrorCode(0),
mFailedCertChain(),
mServerCert(nullptr),
mSucceededCertChain(),
mCipherSuite(),
mKeaGroupName(),
mSignatureSchemeName(),
mProtocolVersion(),
mCertificateTransparencyStatus(0),
mIsAcceptedEch(),
mIsDelegatedCredential(),
mOverridableErrorCategory(),
mMadeOCSPRequests(false),
mUsedPrivateDNS(false),
mIsEV(),
mNPNCompleted(false),
mNegotiatedNPN(),
mResumed(false),
mIsBuiltCertChainRootBuiltInRoot(false),
mPeerId() {
#if defined(MOZ_DIAGNOSTIC_ASSERT_ENABLED)
mOwningThread = PR_GetCurrentThread();
#endif
}
void CommonSocketControl::SetStatusErrorBits(
const nsCOMPtr<nsIX509Cert>& cert,
nsITransportSecurityInfo::OverridableErrorCategory
overridableErrorCategory) {
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
SetServerCert(cert, mozilla::psm::EVStatus::NotEV);
mOverridableErrorCategory = Some(overridableErrorCategory);
}
static void CreateCertChain(nsTArray<RefPtr<nsIX509Cert>>& aOutput,
nsTArray<nsTArray<uint8_t>>&& aCertList) {
nsTArray<nsTArray<uint8_t>> certList = std::move(aCertList);
aOutput.Clear();
for (auto& certBytes : certList) {
RefPtr<nsIX509Cert> cert = new nsNSSCertificate(std::move(certBytes));
aOutput.AppendElement(cert);
}
}
void CommonSocketControl::SetServerCert(
const nsCOMPtr<nsIX509Cert>& aServerCert,
mozilla::psm::EVStatus aEVStatus) {
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
mServerCert = aServerCert;
mIsEV = Some(aEVStatus == mozilla::psm::EVStatus::EV);
}
void CommonSocketControl::SetSucceededCertChain(
nsTArray<nsTArray<uint8_t>>&& aCertList) {
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
return CreateCertChain(mSucceededCertChain, std::move(aCertList));
}
void CommonSocketControl::SetFailedCertChain(
nsTArray<nsTArray<uint8_t>>&& aCertList) {
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
return CreateCertChain(mFailedCertChain, std::move(aCertList));
}
void CommonSocketControl::SetCanceled(PRErrorCode errorCode) {
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
MOZ_ASSERT(errorCode != 0);
if (errorCode == 0) {
errorCode = SEC_ERROR_LIBRARY_FAILURE;
}
mErrorCode = errorCode;
mCanceled = true;
}
// NB: GetErrorCode may be called before an error code is set (if ever). In that
// case, this returns 0, which is treated as a successful value.
int32_t CommonSocketControl::GetErrorCode() {
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
// We're in an inconsistent state if we think we've been canceled but no error
// code was set or we haven't been canceled but an error code was set.
MOZ_ASSERT(
!((mCanceled && mErrorCode == 0) || (!mCanceled && mErrorCode != 0)));
if ((mCanceled && mErrorCode == 0) || (!mCanceled && mErrorCode != 0)) {
mCanceled = true;
mErrorCode = SEC_ERROR_LIBRARY_FAILURE;
}
return mErrorCode;
}
NS_IMETHODIMP
CommonSocketControl::ProxyStartSSL(void) { return NS_ERROR_NOT_IMPLEMENTED; }
NS_IMETHODIMP
CommonSocketControl::StartTLS(void) { return NS_ERROR_NOT_IMPLEMENTED; }
NS_IMETHODIMP
CommonSocketControl::SetNPNList(nsTArray<nsCString>& aNPNList) {
return NS_ERROR_NOT_IMPLEMENTED;
}
NS_IMETHODIMP
CommonSocketControl::GetAlpnEarlySelection(nsACString& _retval) {
return NS_ERROR_NOT_IMPLEMENTED;
}
NS_IMETHODIMP
CommonSocketControl::GetEarlyDataAccepted(bool* aEarlyDataAccepted) {
return NS_ERROR_NOT_IMPLEMENTED;
}
NS_IMETHODIMP
CommonSocketControl::DriveHandshake(void) { return NS_ERROR_NOT_IMPLEMENTED; }
NS_IMETHODIMP
CommonSocketControl::JoinConnection(const nsACString& npnProtocol,
const nsACString& hostname, int32_t port,
bool* _retval) {
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
nsresult rv = TestJoinConnection(npnProtocol, hostname, port, _retval);
if (NS_SUCCEEDED(rv) && *_retval) {
// All tests pass - this is joinable
mJoined = true;
}
return rv;
}
NS_IMETHODIMP
CommonSocketControl::TestJoinConnection(const nsACString& npnProtocol,
const nsACString& hostname,
int32_t port, bool* _retval) {
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
*_retval = false;
// Different ports may not be joined together
if (port != GetPort()) return NS_OK;
// Make sure NPN has been completed and matches requested npnProtocol
if (!mNPNCompleted || !mNegotiatedNPN.Equals(npnProtocol)) {
return NS_OK;
}
IsAcceptableForHost(hostname, _retval); // sets _retval
return NS_OK;
}
NS_IMETHODIMP
CommonSocketControl::IsAcceptableForHost(const nsACString& hostname,
bool* _retval) {
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
NS_ENSURE_ARG(_retval);
*_retval = false;
// If this is the same hostname then the certicate status does not
// need to be considered. They are joinable.
if (hostname.Equals(GetHostName())) {
*_retval = true;
return NS_OK;
}
// Before checking the server certificate we need to make sure the
// handshake has completed.
if (!mHandshakeCompleted || !HasServerCert()) {
return NS_OK;
}
// Security checks can only be skipped when running xpcshell tests.
if (PR_GetEnv("XPCSHELL_TEST_PROFILE_DIR")) {
nsCOMPtr<nsICertOverrideService> overrideService =
do_GetService(NS_CERTOVERRIDE_CONTRACTID);
if (overrideService) {
bool securityCheckDisabled = false;
overrideService->GetSecurityCheckDisabled(&securityCheckDisabled);
if (securityCheckDisabled) {
*_retval = true;
return NS_OK;
}
}
}
// If the cert has error bits (e.g. it is untrusted) then do not join.
if (mOverridableErrorCategory.isSome()) {
return NS_OK;
}
// If the connection is using client certificates then do not join
// because the user decides on whether to send client certs to hosts on a
// per-domain basis.
if (mSentClientCert) return NS_OK;
// Ensure that the server certificate covers the hostname that would
// like to join this connection
nsCOMPtr<nsIX509Cert> cert(GetServerCert());
if (!cert) {
return NS_OK;
}
nsTArray<uint8_t> certDER;
if (NS_FAILED(cert->GetRawDER(certDER))) {
return NS_OK;
}
// An empty mSucceededCertChain means the server certificate verification
// failed before, so don't join in this case.
if (mSucceededCertChain.IsEmpty()) {
return NS_OK;
}
// See where CheckCertHostname() is called in
// CertVerifier::VerifySSLServerCert. We are doing the same hostname-specific
// checks here. If any hostname-specific checks are added to
// CertVerifier::VerifySSLServerCert we need to add them here too.
pkix::Input serverCertInput;
mozilla::pkix::Result rv =
serverCertInput.Init(certDER.Elements(), certDER.Length());
if (rv != pkix::Success) {
return NS_OK;
}
pkix::Input hostnameInput;
rv = hostnameInput.Init(
BitwiseCast<const uint8_t*, const char*>(hostname.BeginReading()),
hostname.Length());
if (rv != pkix::Success) {
return NS_OK;
}
rv = CheckCertHostname(serverCertInput, hostnameInput);
if (rv != pkix::Success) {
return NS_OK;
}
nsTArray<nsTArray<uint8_t>> rawDerCertList;
nsTArray<Span<const uint8_t>> derCertSpanList;
for (const auto& cert : mSucceededCertChain) {
rawDerCertList.EmplaceBack();
nsresult nsrv = cert->GetRawDER(rawDerCertList.LastElement());
if (NS_FAILED(nsrv)) {
return nsrv;
}
derCertSpanList.EmplaceBack(rawDerCertList.LastElement());
}
bool chainHasValidPins;
nsresult nsrv = mozilla::psm::PublicKeyPinningService::ChainHasValidPins(
derCertSpanList, PromiseFlatCString(hostname).BeginReading(), pkix::Now(),
mIsBuiltCertChainRootBuiltInRoot, chainHasValidPins, nullptr);
if (NS_FAILED(nsrv)) {
return NS_OK;
}
if (!chainHasValidPins) {
return NS_OK;
}
// All tests pass
*_retval = true;
return NS_OK;
}
void CommonSocketControl::RebuildCertificateInfoFromSSLTokenCache() {
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
if (!mSessionCacheInfo) {
MOZ_LOG(
gPIPNSSLog, LogLevel::Debug,
("CommonSocketControl::RebuildCertificateInfoFromSSLTokenCache cannot "
"find cached info."));
return;
}
mozilla::net::SessionCacheInfo& info = *mSessionCacheInfo;
nsCOMPtr<nsIX509Cert> cert(
new nsNSSCertificate(std::move(info.mServerCertBytes)));
if (info.mOverridableErrorCategory ==
nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET) {
SetServerCert(cert, info.mEVStatus);
} else {
SetStatusErrorBits(cert, info.mOverridableErrorCategory);
}
SetCertificateTransparencyStatus(info.mCertificateTransparencyStatus);
if (info.mSucceededCertChainBytes) {
SetSucceededCertChain(std::move(*info.mSucceededCertChainBytes));
}
if (info.mIsBuiltCertChainRootBuiltInRoot) {
SetIsBuiltCertChainRootBuiltInRoot(*info.mIsBuiltCertChainRootBuiltInRoot);
}
if (info.mFailedCertChainBytes) {
SetFailedCertChain(std::move(*info.mFailedCertChainBytes));
}
}
NS_IMETHODIMP
CommonSocketControl::GetKEAUsed(int16_t* aKEAUsed) {
return NS_ERROR_NOT_IMPLEMENTED;
}
NS_IMETHODIMP
CommonSocketControl::GetKEAKeyBits(uint32_t* aKEAKeyBits) {
return NS_ERROR_NOT_IMPLEMENTED;
}
NS_IMETHODIMP
CommonSocketControl::GetProviderFlags(uint32_t* aProviderFlags) {
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
*aProviderFlags = mProviderFlags;
return NS_OK;
}
NS_IMETHODIMP
CommonSocketControl::GetSSLVersionUsed(int16_t* aSSLVersionUsed) {
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
*aSSLVersionUsed = mSSLVersionUsed;
return NS_OK;
}
NS_IMETHODIMP
CommonSocketControl::GetSSLVersionOffered(int16_t* aSSLVersionOffered) {
return NS_ERROR_NOT_IMPLEMENTED;
}
NS_IMETHODIMP
CommonSocketControl::GetMACAlgorithmUsed(int16_t* aMACAlgorithmUsed) {
return NS_ERROR_NOT_IMPLEMENTED;
}
bool CommonSocketControl::GetDenyClientCert() { return true; }
void CommonSocketControl::SetDenyClientCert(bool aDenyClientCert) {}
NS_IMETHODIMP
CommonSocketControl::GetClientCertSent(bool* arg) {
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
*arg = mSentClientCert;
return NS_OK;
}
NS_IMETHODIMP
CommonSocketControl::GetFailedVerification(bool* arg) {
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
*arg = mFailedVerification;
return NS_OK;
}
NS_IMETHODIMP
CommonSocketControl::GetEsniTxt(nsACString& aEsniTxt) {
return NS_ERROR_NOT_IMPLEMENTED;
}
NS_IMETHODIMP
CommonSocketControl::SetEsniTxt(const nsACString& aEsniTxt) {
return NS_ERROR_NOT_IMPLEMENTED;
}
NS_IMETHODIMP
CommonSocketControl::GetEchConfig(nsACString& aEchConfig) {
return NS_ERROR_NOT_IMPLEMENTED;
}
NS_IMETHODIMP
CommonSocketControl::SetEchConfig(const nsACString& aEchConfig) {
return NS_ERROR_NOT_IMPLEMENTED;
}
NS_IMETHODIMP
CommonSocketControl::GetRetryEchConfig(nsACString& aEchConfig) {
return NS_ERROR_NOT_IMPLEMENTED;
}
NS_IMETHODIMP
CommonSocketControl::SetHandshakeCallbackListener(
nsITlsHandshakeCallbackListener* callback) {
return NS_ERROR_NOT_IMPLEMENTED;
}
NS_IMETHODIMP
CommonSocketControl::DisableEarlyData(void) { return NS_ERROR_NOT_IMPLEMENTED; }
NS_IMETHODIMP
CommonSocketControl::GetPeerId(nsACString& aResult) {
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
if (!mPeerId.IsEmpty()) {
aResult.Assign(mPeerId);
return NS_OK;
}
if (mProviderFlags &
nsISocketProvider::ANONYMOUS_CONNECT) { // See bug 466080
mPeerId.AppendLiteral("anon:");
}
if (mProviderFlags & nsISocketProvider::NO_PERMANENT_STORAGE) {
mPeerId.AppendLiteral("private:");
}
if (mProviderFlags & nsISocketProvider::BE_CONSERVATIVE) {
mPeerId.AppendLiteral("beConservative:");
}
mPeerId.Append(mHostName);
mPeerId.Append(':');
mPeerId.AppendInt(GetPort());
nsAutoCString suffix;
mOriginAttributes.CreateSuffix(suffix);
mPeerId.Append(suffix);
aResult.Assign(mPeerId);
return NS_OK;
}
NS_IMETHODIMP
CommonSocketControl::GetSecurityInfo(nsITransportSecurityInfo** aSecurityInfo) {
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
// Make sure peerId is set.
nsAutoCString unused;
nsresult rv = GetPeerId(unused);
if (NS_FAILED(rv)) {
return rv;
}
nsCOMPtr<nsITransportSecurityInfo> securityInfo(
new psm::TransportSecurityInfo(
mSecurityState, mErrorCode, mFailedCertChain.Clone(), mServerCert,
mSucceededCertChain.Clone(), mCipherSuite, mKeaGroupName,
mSignatureSchemeName, mProtocolVersion,
mCertificateTransparencyStatus, mIsAcceptedEch,
mIsDelegatedCredential, mOverridableErrorCategory, mMadeOCSPRequests,
mUsedPrivateDNS, mIsEV, mNPNCompleted, mNegotiatedNPN, mResumed,
mIsBuiltCertChainRootBuiltInRoot, mPeerId));
securityInfo.forget(aSecurityInfo);
return NS_OK;
}
NS_IMETHODIMP
CommonSocketControl::AsyncGetSecurityInfo(JSContext* aCx,
mozilla::dom::Promise** aPromise) {
MOZ_RELEASE_ASSERT(NS_IsMainThread());
NS_ENSURE_ARG_POINTER(aCx);
NS_ENSURE_ARG_POINTER(aPromise);
nsIGlobalObject* globalObject = xpc::CurrentNativeGlobal(aCx);
if (!globalObject) {
return NS_ERROR_UNEXPECTED;
}
ErrorResult result;
RefPtr<mozilla::dom::Promise> promise =
mozilla::dom::Promise::Create(globalObject, result);
if (result.Failed()) {
return result.StealNSResult();
}
nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
"CommonSocketControl::AsyncGetSecurityInfo",
[promise, self = RefPtr{this}]() mutable {
nsCOMPtr<nsITransportSecurityInfo> securityInfo;
nsresult rv = self->GetSecurityInfo(getter_AddRefs(securityInfo));
nsCOMPtr<nsIRunnable> runnable(NS_NewRunnableFunction(
"CommonSocketControl::AsyncGetSecurityInfoResolve",
[rv, promise = std::move(promise),
securityInfo = std::move(securityInfo)]() {
if (NS_FAILED(rv)) {
promise->MaybeReject(rv);
} else {
promise->MaybeResolve(securityInfo);
}
}));
NS_DispatchToMainThread(runnable.forget());
}));
nsCOMPtr<nsIEventTarget> target(
do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID));
if (!target) {
return NS_ERROR_FAILURE;
}
nsresult rv = target->Dispatch(runnable, NS_DISPATCH_NORMAL);
if (NS_FAILED(rv)) {
return rv;
}
promise.forget(aPromise);
return NS_OK;
}
NS_IMETHODIMP CommonSocketControl::Claim() { return NS_ERROR_NOT_IMPLEMENTED; }
NS_IMETHODIMP CommonSocketControl::SetBrowserId(uint64_t) {
return NS_ERROR_NOT_IMPLEMENTED;
}
NS_IMETHODIMP CommonSocketControl::GetBrowserId(uint64_t*) {
return NS_ERROR_NOT_IMPLEMENTED;
}
View git blame Copy permalink