corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Backed out 3 changesets (bug 1382001) at developer's request a=backout

Browse Source 
Backed out changeset 1fe47b777980 (bug 1382001)
Backed out changeset bd6770fadff3 (bug 1382001)
Backed out changeset 29353fb6613b (bug 1382001)

MozReview-Commit-ID: F4S2q5WAxe4
This commit is contained in:
Wes Kocher
2017-08-10 18:03:05 -07:00
parent 3facc4f334
commit 5662a0562f
6 changed files with 43605 additions and 21827 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
security/manager/ssl/moz.build
View File

@@ -176,13 +176,6 @@ LOCAL_INCLUDES += [
'!/dist/public/nss',
]
GENERATED_FILES = [
'nsSTSPreloadList.h',
]
dafsa_data = GENERATED_FILES['nsSTSPreloadList.h']
dafsa_data.script = '../../../xpcom/ds/make_dafsa.py'
dafsa_data.inputs = ['nsSTSPreloadList.inc']
if CONFIG['NSS_DISABLE_DBM']:
DEFINES['NSS_DISABLE_DBM'] = '1'

65265
security/manager/ssl/nsSTSPreloadList.inc
View File

File diff suppressed because it is too large Load Diff

53
security/manager/ssl/nsSiteSecurityService.cpp
View File

@@ -41,7 +41,7 @@
// influence its HSTS status via include subdomains, however).
// This prevents the preload list from overriding the site's current
// desired HSTS status.
#include "nsSTSPreloadList.h"
#include "nsSTSPreloadList.inc"
using namespace mozilla;
using namespace mozilla::psm;
@@ -495,7 +495,6 @@ nsSiteSecurityService::nsSiteSecurityService()
: mMaxMaxAge(kSixtyDaysInSeconds)
, mUsePreloadList(true)
, mPreloadListTimeOffset(0)
, mDafsa(kDafsa)
{
}
@@ -731,7 +730,7 @@ nsSiteSecurityService::RemoveStateInternal(
mozilla::DataStorage_Persistent);
RefPtr<SiteHSTSState> dynamicState =
new SiteHSTSState(aHost, aOriginAttributes, value);
if (GetPreloadStatus(aHost) ||
if (GetPreloadListEntry(aHost.get()) ||
dynamicState->mHSTSState != SecurityPropertyUnset) {
SSSLOG(("SSS: storing knockout entry for %s", aHost.get()));
RefPtr<SiteHSTSState> siteState = new SiteHSTSState(
@@ -1371,31 +1370,29 @@ nsSiteSecurityService::IsSecureURI(uint32_t aType, nsIURI* aURI,
source, aResult);
}
// Checks if the given host is in the preload list.
//
// @param aHost The host to match. Only does exact host matching.
// @param aIncludeSubdomains Out, optional. Indicates whether or not to include
// subdomains. Only set if the host is matched and this function returns
// true.
//
// @return True if the host is matched, false otherwise.
bool
nsSiteSecurityService::GetPreloadStatus(const nsACString& aHost,
bool* aIncludeSubdomains) const
int STSPreloadCompare(const void *key, const void *entry)
{
const int kIncludeSubdomains = 1;
bool found = false;
const char *keyStr = (const char *)key;
const nsSTSPreload *preloadEntry = (const nsSTSPreload *)entry;
return strcmp(keyStr, &kSTSHostTable[preloadEntry->mHostIndex]);
}
// Returns the preload list entry for the given host, if it exists.
// Only does exact host matching - the user must decide how to use the returned
// data. May return null.
const nsSTSPreload *
nsSiteSecurityService::GetPreloadListEntry(const char *aHost)
{
PRTime currentTime = PR_Now() + (mPreloadListTimeOffset * PR_USEC_PER_SEC);
if (mUsePreloadList && currentTime < gPreloadListExpirationTime) {
int result = mDafsa.Lookup(aHost);
found = (result != mozilla::Dafsa::kKeyNotFound);
if (found && aIncludeSubdomains) {
*aIncludeSubdomains = (result == kIncludeSubdomains);
}
return (const nsSTSPreload *) bsearch(aHost,
kSTSPreloadList,
mozilla::ArrayLength(kSTSPreloadList),
sizeof(nsSTSPreload),
STSPreloadCompare);
}
return found;
return nullptr;
}
// Allows us to determine if we have an HSTS entry for a given host (and, if
@@ -1479,7 +1476,7 @@ nsSiteSecurityService::HostHasHSTSEntry(
if (dynamicState->mHSTSState == SecurityPropertyUnset) {
SSSLOG(("No dynamic preload - checking for static preload"));
// Now check the static preload list.
if (!GetPreloadStatus(aHost)) {
if (!GetPreloadListEntry(aHost.get())) {
SSSLOG(("No static preload - removing expired entry"));
mSiteStateStorage->Remove(storageKey, storageType);
}
@@ -1523,7 +1520,7 @@ nsSiteSecurityService::HostHasHSTSEntry(
} else {
// if a dynamic preload has expired and is not in the static preload
// list, we can remove it.
if (!GetPreloadStatus(aHost)) {
if (!GetPreloadListEntry(aHost.get())) {
mPreloadStateStorage->Remove(preloadKey,
mozilla::DataStorage_Persistent);
}
@@ -1531,18 +1528,18 @@ nsSiteSecurityService::HostHasHSTSEntry(
return false;
}
bool includeSubdomains = false;
const nsSTSPreload* preload = nullptr;
// Finally look in the static preload list.
if (siteState->mHSTSState == SecurityPropertyUnset &&
dynamicState->mHSTSState == SecurityPropertyUnset &&
GetPreloadStatus(aHost, &includeSubdomains)) {
(preload = GetPreloadListEntry(aHost.get())) != nullptr) {
SSSLOG(("%s is a preloaded HSTS host", aHost.get()));
*aResult = aRequireIncludeSubdomains ? includeSubdomains
*aResult = aRequireIncludeSubdomains ? preload->mIncludeSubdomains
: true;
if (aCached) {
// Only set cached if this includes subdomains
*aCached = aRequireIncludeSubdomains ? includeSubdomains
*aCached = aRequireIncludeSubdomains ? preload->mIncludeSubdomains
: true;
}
if (aSource) {

5
security/manager/ssl/nsSiteSecurityService.h
View File

@@ -6,7 +6,6 @@
#define __nsSiteSecurityService_h__
#include "mozilla/BasePrincipal.h"
#include "mozilla/Dafsa.h"
#include "mozilla/DataStorage.h"
#include "mozilla/RefPtr.h"
#include "nsCOMPtr.h"
@@ -209,8 +208,7 @@ private:
const OriginAttributes& aOriginAttributes,
bool* aResult, bool* aCached,
SecurityPropertySource* aSource);
bool GetPreloadStatus(const nsACString& aHost,
/*optional out*/ bool* aIncludeSubdomains = nullptr) const;
const nsSTSPreload *GetPreloadListEntry(const char *aHost);
nsresult IsSecureHost(uint32_t aType, const nsACString& aHost,
uint32_t aFlags,
const OriginAttributes& aOriginAttributes,
@@ -223,7 +221,6 @@ private:
bool mProcessPKPHeadersFromNonBuiltInRoots;
RefPtr<mozilla::DataStorage> mSiteStateStorage;
RefPtr<mozilla::DataStorage> mPreloadStateStorage;
const mozilla::Dafsa mDafsa;
};
#endif // __nsSiteSecurityService_h__

75
security/manager/tools/getHSTSPreloadList.js
View File

@@ -42,7 +42,6 @@ const HEADER = "/* This Source Code Form is subject to the terms of the Mozilla
"/*****************************************************************************/\n" +
"\n" +
"#include <stdint.h>\n";
const GPERF_DELIM = "%%\n";
function download() {
var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
@@ -241,6 +240,12 @@ function errorToString(status) {
: status.error);
}
function writeEntry(status, indices, outputStream) {
let includeSubdomains = (status.finalIncludeSubdomains ? "true" : "false");
writeTo(" { " + indices[status.name] + ", " + includeSubdomains + " },\n",
outputStream);
}
function output(sortedStatuses, currentList) {
try {
var file = FileUtils.getFile("CurWorkD", [OUTPUT]);
@@ -293,14 +298,47 @@ function output(sortedStatuses, currentList) {
status.finalIncludeSubdomains = incSubdomainsBool;
}
writeTo(GPERF_DELIM, fos);
writeTo("\nstatic const char kSTSHostTable[] = {\n", fos);
var indices = {};
var currentIndex = 0;
for (let status of includedStatuses) {
let includeSubdomains = (status.finalIncludeSubdomains ? 1 : 0);
writeTo(status.name + ", " + includeSubdomains + "\n", fos);
indices[status.name] = currentIndex;
// Add 1 for the null terminator in C.
currentIndex += status.name.length + 1;
// Rebuilding the preload list requires reading the previous preload
// list. Write out a comment describing each host prior to writing out
// the string for the host.
writeTo(" /* \"" + status.name + "\", " +
(status.finalIncludeSubdomains ? "true" : "false") + " */ ",
fos);
// Write out the string itself as individual characters, including the
// null terminator. We do it this way rather than using C's string
// concatentation because some compilers have hardcoded limits on the
// lengths of string literals, and the preload list is large enough
// that it runs into said limits.
for (let c of status.name) {
writeTo("'" + c + "', ", fos);
}
writeTo("'\\0',\n", fos);
}
writeTo("};\n", fos);
writeTo(GPERF_DELIM, fos);
const PREFIX = "\n" +
"struct nsSTSPreload\n" +
"{\n" +
" // See bug 1338873 about making these fields const.\n" +
" uint32_t mHostIndex : 31;\n" +
" uint32_t mIncludeSubdomains : 1;\n" +
"};\n" +
"\n" +
"static const nsSTSPreload kSTSPreloadList[] = {\n";
const POSTFIX = "};\n";
writeTo(PREFIX, fos);
for (let status of includedStatuses) {
writeEntry(status, indices, fos);
}
writeTo(POSTFIX, fos);
FileUtils.closeSafeFileOutputStream(fos);
FileUtils.closeSafeFileOutputStream(eos);
} catch (e) {
@@ -360,22 +398,19 @@ function readCurrentList(filename) {
.createInstance(Ci.nsILineInputStream);
fis.init(file, -1, -1, Ci.nsIFileInputStream.CLOSE_ON_EOF);
var line = {};
// While we generate entries matching the latest version format,
// we still need to be able to read entries in the previous version formats
// for bootstrapping a latest version preload list from a previous version
// preload list. Hence these regexes.
const entryRegexes = [
/([^,]+), (0|1)/, // v3
/ {2}\/\* "([^"]*)", (true|false) \*\//, // v2
/ {2}{ "([^"]*)", (true|false) },/, // v1
];
// While we generate entries matching the version 2 format (see bug 1255425
// for details), we still need to be able to read entries in the version 1
// format for bootstrapping a version 2 preload list from a version 1
// preload list. Hence these two regexes.
var v1EntryRegex = / {2}{ "([^"]*)", (true|false) },/;
var v2EntryRegex = / {2}\/\* "([^"]*)", (true|false) \*\//;
while (fis.readLine(line)) {
let match;
entryRegexes.find((r) => { match = r.exec(line.value); return match; } );
var match = v1EntryRegex.exec(line.value);
if (!match) {
match = v2EntryRegex.exec(line.value);
}
if (match) {
currentHosts[match[1]] = (match[2] == "1" || match[2] == "true");
currentHosts[match[1]] = (match[2] == "true");
}
}
return currentHosts;

27
xpcom/ds/make_dafsa.py
View File

@@ -415,17 +415,12 @@ def encode(dafsa):
return output
def to_cxx(data, preamble=None):
def to_cxx(data):
"""Generates C++ code from a list of encoded bytes."""
text = '/* This file is generated. DO NOT EDIT!\n\n'
text += 'The byte array encodes a dictionary of strings and values. See '
text += 'make_dafsa.py for documentation.'
text += 'The byte array encodes effective tld names. See make_dafsa.py for'
text += ' documentation.'
text += '*/\n\n'
if preamble:
text += preamble
text += '\n\n'
text += 'const unsigned char kDafsa[%s] = {\n' % len(data)
for i in range(0, len(data), 12):
text += ' '
@@ -435,24 +430,19 @@ def to_cxx(data, preamble=None):
return text
def words_to_cxx(words, preamble=None):
def words_to_cxx(words):
"""Generates C++ code from a word list"""
dafsa = to_dafsa(words)
for fun in (reverse, join_suffixes, reverse, join_suffixes, join_labels):
dafsa = fun(dafsa)
return to_cxx(encode(dafsa), preamble)
return to_cxx(encode(dafsa))
def parse_gperf(infile):
"""Parses gperf file and extract strings and return code"""
lines = [line.strip() for line in infile]
# Extract the preamble.
first_delimeter = lines.index('%%')
preamble = '\n'.join(lines[0:first_delimeter])
# Extract strings after the first '%%' and before the second '%%'.
begin = first_delimeter + 1
begin = lines.index('%%') + 1
end = lines.index('%%', begin)
lines = lines[begin:end]
for line in lines:
@@ -463,13 +453,12 @@ def parse_gperf(infile):
if line[-1] not in '0124':
raise InputError('Expected value to be one of {0,1,2,4}, found "%s"' %
line[-1])
return (preamble, [line[:-3] + line[-1] for line in lines])
return [line[:-3] + line[-1] for line in lines]
def main(outfile, infile):
with open(infile, 'r') as infile:
preamble, words = parse_gperf(infile)
outfile.write(words_to_cxx(words, preamble))
outfile.write(words_to_cxx(parse_gperf(infile)))
return 0