Bug 932176: Add preference to control whether OCSP GET is used, off by default, r=cviecco

--HG--
extra : rebase_source : 7cbc273155d04bc64a110eda9216c6f727ce0c18
This commit is contained in:
Brian Smith 2013-10-24 14:32:09 -07:00
parent fcee792ee1
commit c4d5fa5097
4 changed files with 22 additions and 4 deletions


@ -61,3 +61,4 @@ pref("security.password_lifetime", 30);
pref("security.OCSP.enabled", 1); pref("security.OCSP.enabled", 1);
pref("security.OCSP.require", false); pref("security.OCSP.require", false);
pref("security.OCSP.GET.enabled", false);
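Review bot: The new `security.OCSP.GET.enabled` default on the last line carries no comment, and the only explanation of why GET stays off — the `XXX: Always use POST for OCSP; see bug 871954` comment — is removed from nsNSSComponent.cpp in this same commit, so the rationale disappears from the tree. A one-line comment above the pref, `// OCSP GET is off by default; OCSP requests use POST instead (see bug 871954).`, would keep that reference at the place where the default is set. The `false` here must also agree with the fallback passed to `Preferences::GetBool` in nsNSSComponent.cpp, since both decide the same behaviour when the pref is absent.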


@ -25,7 +25,8 @@ CertVerifier::CertVerifier(missing_cert_download_config mcdc,
ocsp_download_config odc, ocsp_download_config odc,
ocsp_strict_config osc, ocsp_strict_config osc,
any_revo_fresh_config arfc, any_revo_fresh_config arfc,
const char *firstNetworkRevocationMethod) const char *firstNetworkRevocationMethod,
ocsp_get_config ogc)
: mMissingCertDownloadEnabled(mcdc == missing_cert_download_on) : mMissingCertDownloadEnabled(mcdc == missing_cert_download_on)
, mCRLDownloadEnabled(cdc == crl_download_allowed) , mCRLDownloadEnabled(cdc == crl_download_allowed)
, mOCSPDownloadEnabled(odc == ocsp_on) , mOCSPDownloadEnabled(odc == ocsp_on)
@ -33,6 +34,7 @@ CertVerifier::CertVerifier(missing_cert_download_config mcdc,
, mRequireRevocationInfo(arfc == any_revo_strict) , mRequireRevocationInfo(arfc == any_revo_strict)
, mCRLFirst(firstNetworkRevocationMethod != nullptr && , mCRLFirst(firstNetworkRevocationMethod != nullptr &&
!strcmp("crl", firstNetworkRevocationMethod)) !strcmp("crl", firstNetworkRevocationMethod))
, mOCSPGETEnabled(ogc == ocsp_get_enabled)
{ {
MOZ_COUNT_CTOR(CertVerifier); MOZ_COUNT_CTOR(CertVerifier);
} }
@ -230,8 +232,11 @@ CertVerifier::VerifyCert(CERTCertificate * cert,
rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] = rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] = revMethodFlags; rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] = revMethodFlags;
rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] = rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] = revMethodFlags; rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp]
= revMethodFlags
| (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
rev.leafTests.cert_rev_method_independent_flags = rev.leafTests.cert_rev_method_independent_flags =
rev.chainTests.cert_rev_method_independent_flags = rev.chainTests.cert_rev_method_independent_flags =
@ -342,6 +347,8 @@ CertVerifier::VerifyCert(CERTCertificate * cert,
// ocsp enabled controls network fetching, too // ocsp enabled controls network fetching, too
| ((mOCSPDownloadEnabled && !localOnly) ? | ((mOCSPDownloadEnabled && !localOnly) ?
CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING) CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
| (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
; ;
rev.leafTests.preferred_methods[0] = rev.leafTests.preferred_methods[0] =
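Review bot: The added line `| (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);` in the last hunk terminates the statement itself, so the pre-existing lone `;` on the following context line becomes an empty statement (as rendered here; the original layout kept the terminator on its own line so flags could be appended without touching the last one). Dropping the trailing semicolon, `| (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP)`, restores that layout. The same ternary is spelled out again in the -230 hunk for the per-method OCSP flags; computing it once into a local of the same type as `revMethodFlags` and OR-ing that local in both places would keep the two from drifting if the forced-POST condition ever changes. The constructor signature in the first hunk begins before the hunk's first line, and `VerifyCert` continues beyond both of its hunks.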


@ -39,6 +39,7 @@ public:
enum ocsp_download_config { ocsp_off = 0, ocsp_on }; enum ocsp_download_config { ocsp_off = 0, ocsp_on };
enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict }; enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict };
enum any_revo_fresh_config { any_revo_relaxed = 0, any_revo_strict }; enum any_revo_fresh_config { any_revo_relaxed = 0, any_revo_strict };
enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 };
bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; } bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; }
@ -46,7 +47,8 @@ private:
CertVerifier(missing_cert_download_config ac, crl_download_config cdc, CertVerifier(missing_cert_download_config ac, crl_download_config cdc,
ocsp_download_config odc, ocsp_strict_config osc, ocsp_download_config odc, ocsp_strict_config osc,
any_revo_fresh_config arfc, any_revo_fresh_config arfc,
const char *firstNetworkRevocationMethod); const char *firstNetworkRevocationMethod,
ocsp_get_config ogc);
~CertVerifier(); ~CertVerifier();
const bool mMissingCertDownloadEnabled; const bool mMissingCertDownloadEnabled;
@ -55,6 +57,7 @@ private:
const bool mOCSPStrict; const bool mOCSPStrict;
const bool mRequireRevocationInfo; const bool mRequireRevocationInfo;
const bool mCRLFirst; const bool mCRLFirst;
const bool mOCSPGETEnabled;
friend class ::nsNSSComponent; friend class ::nsNSSComponent;
}; };
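Review bot: `const bool mOCSPGETEnabled;` in the last hunk gives no hint at what the flag does, and the new `enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 };` writes out `= 1` where the sibling enums on the lines above leave the second enumerator implicit. Suggest `const bool mOCSPGETEnabled; // false: OCSP requests are forced to POST (CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP)` and `enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled };` to match the neighbouring declarations. The class declaration begins before the first hunk shown.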


@ -940,6 +940,10 @@ void nsNSSComponent::setValidationOptions()
} }
CERT_SetOCSPTimeout(OCSPTimeoutSeconds); CERT_SetOCSPTimeout(OCSPTimeoutSeconds);
// XXX: Always use POST for OCSP; see bug 871954 for undoing this.
bool ocspGetEnabled = Preferences::GetBool("security.OCSP.GET.enabled", false);
CERT_ForcePostMethodForOCSP(!ocspGetEnabled);
mDefaultCertVerifier = new CertVerifier( mDefaultCertVerifier = new CertVerifier(
aiaDownloadEnabled ? aiaDownloadEnabled ?
CertVerifier::missing_cert_download_on : CertVerifier::missing_cert_download_off, CertVerifier::missing_cert_download_on : CertVerifier::missing_cert_download_off,
@ -951,7 +955,9 @@ void nsNSSComponent::setValidationOptions()
CertVerifier::ocsp_strict : CertVerifier::ocsp_relaxed, CertVerifier::ocsp_strict : CertVerifier::ocsp_relaxed,
anyFreshRequired ? anyFreshRequired ?
CertVerifier::any_revo_strict : CertVerifier::any_revo_relaxed, CertVerifier::any_revo_strict : CertVerifier::any_revo_relaxed,
firstNetworkRevo.get()); firstNetworkRevo.get(),
ocspGetEnabled ?
CertVerifier::ocsp_get_enabled : CertVerifier::ocsp_get_disabled);
/* /*
* The new defaults might change the validity of already established SSL sessions, * The new defaults might change the validity of already established SSL sessions,
@ -1658,6 +1664,7 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
|| prefName.Equals("security.missing_cert_download.enabled") || prefName.Equals("security.missing_cert_download.enabled")
|| prefName.Equals("security.first_network_revocation_method") || prefName.Equals("security.first_network_revocation_method")
|| prefName.Equals("security.OCSP.require") || prefName.Equals("security.OCSP.require")
|| prefName.Equals("security.OCSP.GET.enabled")
|| prefName.Equals("security.ssl.enable_ocsp_stapling")) { || prefName.Equals("security.ssl.enable_ocsp_stapling")) {
MutexAutoLock lock(mutex); MutexAutoLock lock(mutex);
setValidationOptions(); setValidationOptions();
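Review bot: `CERT_ForcePostMethodForOCSP(!ocspGetEnabled);` in the first hunk sets an NSS-wide default while the same `ocspGetEnabled` is also passed to the new `CertVerifier` in the -951 hunk as a per-verifier flag, and nothing in the new code records that the two are intended to stay in step; the deleted `XXX` comment was the only note on why POST is forced at all. Rather than dropping that comment, replace it with `// The NSS-global default and the per-verifier flag are both derived from the same pref; see bug 871954 for the history of forcing POST.` above the `GetBool` call. Reading the pref with a `false` fallback matches the all.js default, which is the conservative choice when the pref is missing. Both `setValidationOptions` and `Observe` extend beyond the hunks shown.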