5e3c261ad8
SEC_ERROR_REVOKED_CERTIFICATE is a certificate error, not a TLS protocol error. This patch updates the categorization of this error while maintaining the property that it cannot be overridden. This has the benefit of making it possible to show more diagnostic information in the error page, which this patch also adds. Differential Revision: https://phabricator.services.mozilla.com/D239220
191 lines
6.6 KiB
C++
191 lines
6.6 KiB
C++
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#ifndef CommonSocketControl_h
|
|
#define CommonSocketControl_h
|
|
|
|
#include "CertVerifier.h"
|
|
#include "TransportSecurityInfo.h"
|
|
#include "mozilla/Maybe.h"
|
|
#include "mozilla/net/SSLTokensCache.h"
|
|
#include "nsIInterfaceRequestor.h"
|
|
#include "nsITLSSocketControl.h"
|
|
#include "nsSocketTransportService2.h"
|
|
|
|
#if defined(MOZ_DIAGNOSTIC_ASSERT_ENABLED)
|
|
# include "prthread.h"
|
|
# define COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD() \
|
|
MOZ_DIAGNOSTIC_ASSERT(mOwningThread == PR_GetCurrentThread())
|
|
#else
|
|
# define COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD() \
|
|
do { \
|
|
} while (false)
|
|
#endif
|
|
|
|
// CommonSocketControl is the base class that implements nsITLSSocketControl.
|
|
// Various concrete TLS socket control implementations inherit from this class.
|
|
// Currently these implementations consist of NSSSocketControl (a socket
|
|
// control for NSS) and QuicSocketControl (a socket control for quic).
|
|
// NB: these classes must only be used on the socket thread (the one exception
|
|
// being tests that incidentally use CommonSocketControl on the main thread
|
|
// (and only the main thread)). This is enforced via the macro
|
|
// COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD() that should be called at the
|
|
// beginning of every function in this class and all subclasses.
|
|
class CommonSocketControl : public nsITLSSocketControl {
|
|
public:
|
|
NS_DECL_THREADSAFE_ISUPPORTS
|
|
NS_DECL_NSITLSSOCKETCONTROL
|
|
|
|
CommonSocketControl(const nsCString& aHostName, int32_t aPort,
|
|
uint32_t aProviderFlags);
|
|
|
|
// Use "errorCode" 0 to indicate success.
|
|
virtual void SetCertVerificationResult(PRErrorCode errorCode) {
|
|
MOZ_ASSERT_UNREACHABLE("Subclasses must override this.");
|
|
}
|
|
|
|
const nsACString& GetHostName() {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
return mHostName;
|
|
}
|
|
int32_t GetPort() {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
return mPort;
|
|
}
|
|
void SetMadeOCSPRequests(bool aMadeOCSPRequests) {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
mMadeOCSPRequests = aMadeOCSPRequests;
|
|
}
|
|
bool GetMadeOCSPRequests() {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
return mMadeOCSPRequests;
|
|
}
|
|
void SetUsedPrivateDNS(bool aUsedPrivateDNS) {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
mUsedPrivateDNS = aUsedPrivateDNS;
|
|
}
|
|
bool GetUsedPrivateDNS() {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
return mUsedPrivateDNS;
|
|
}
|
|
|
|
void SetServerCert(const nsCOMPtr<nsIX509Cert>& aServerCert,
|
|
mozilla::psm::EVStatus aEVStatus);
|
|
already_AddRefed<nsIX509Cert> GetServerCert() {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
return do_AddRef(mServerCert);
|
|
}
|
|
bool HasServerCert() {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
return mServerCert != nullptr;
|
|
}
|
|
void SetStatusErrorBits(nsITransportSecurityInfo::OverridableErrorCategory
|
|
overridableErrorCategory);
|
|
bool HasUserOverriddenCertificateError() {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
return mOverridableErrorCategory.isSome() &&
|
|
*mOverridableErrorCategory !=
|
|
nsITransportSecurityInfo::OverridableErrorCategory::ERROR_UNSET;
|
|
}
|
|
void SetSucceededCertChain(nsTArray<nsTArray<uint8_t>>&& certList);
|
|
void SetFailedCertChain(nsTArray<nsTArray<uint8_t>>&& certList);
|
|
void SetIsBuiltCertChainRootBuiltInRoot(
|
|
bool aIsBuiltCertChainRootBuiltInRoot) {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
mIsBuiltCertChainRootBuiltInRoot = aIsBuiltCertChainRootBuiltInRoot;
|
|
}
|
|
void SetCertificateTransparencyStatus(
|
|
uint16_t aCertificateTransparencyStatus) {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
mCertificateTransparencyStatus = aCertificateTransparencyStatus;
|
|
}
|
|
void SetOriginAttributes(const mozilla::OriginAttributes& aOriginAttributes) {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
mOriginAttributes = aOriginAttributes;
|
|
}
|
|
mozilla::OriginAttributes& GetOriginAttributes() {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
return mOriginAttributes;
|
|
}
|
|
|
|
void SetSecurityState(uint32_t aSecurityState) {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
mSecurityState = aSecurityState;
|
|
}
|
|
void SetResumed(bool aResumed) {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
mResumed = aResumed;
|
|
}
|
|
|
|
uint32_t GetProviderFlags() const {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
return mProviderFlags;
|
|
}
|
|
void SetSSLVersionUsed(uint16_t version) {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
mSSLVersionUsed = version;
|
|
}
|
|
void SetSessionCacheInfo(mozilla::net::SessionCacheInfo&& aInfo) {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
mSessionCacheInfo.reset();
|
|
mSessionCacheInfo.emplace(std::move(aInfo));
|
|
}
|
|
void RebuildCertificateInfoFromSSLTokenCache();
|
|
void SetCanceled(PRErrorCode errorCode);
|
|
bool IsCanceled() {
|
|
COMMON_SOCKET_CONTROL_ASSERT_ON_OWNING_THREAD();
|
|
return mCanceled;
|
|
}
|
|
int32_t GetErrorCode();
|
|
|
|
protected:
|
|
virtual ~CommonSocketControl() = default;
|
|
|
|
nsCString mHostName;
|
|
int32_t mPort;
|
|
mozilla::OriginAttributes mOriginAttributes;
|
|
|
|
bool mCanceled;
|
|
mozilla::Maybe<mozilla::net::SessionCacheInfo> mSessionCacheInfo;
|
|
bool mHandshakeCompleted;
|
|
bool mJoined;
|
|
bool mSentClientCert;
|
|
bool mFailedVerification;
|
|
uint16_t mSSLVersionUsed;
|
|
uint32_t mProviderFlags;
|
|
|
|
// Fields used to build a TransportSecurityInfo
|
|
uint32_t mSecurityState;
|
|
PRErrorCode mErrorCode;
|
|
// Peer cert chain for failed connections.
|
|
nsTArray<RefPtr<nsIX509Cert>> mFailedCertChain;
|
|
nsCOMPtr<nsIX509Cert> mServerCert;
|
|
nsTArray<RefPtr<nsIX509Cert>> mSucceededCertChain;
|
|
mozilla::Maybe<uint16_t> mCipherSuite;
|
|
mozilla::Maybe<nsCString> mKeaGroupName;
|
|
mozilla::Maybe<nsCString> mSignatureSchemeName;
|
|
mozilla::Maybe<uint16_t> mProtocolVersion;
|
|
uint16_t mCertificateTransparencyStatus;
|
|
mozilla::Maybe<bool> mIsAcceptedEch;
|
|
mozilla::Maybe<bool> mIsDelegatedCredential;
|
|
mozilla::Maybe<nsITransportSecurityInfo::OverridableErrorCategory>
|
|
mOverridableErrorCategory;
|
|
bool mMadeOCSPRequests;
|
|
bool mUsedPrivateDNS;
|
|
mozilla::Maybe<bool> mIsEV;
|
|
bool mNPNCompleted;
|
|
nsCString mNegotiatedNPN;
|
|
bool mResumed;
|
|
bool mIsBuiltCertChainRootBuiltInRoot;
|
|
nsCString mPeerId;
|
|
|
|
#if defined(MOZ_DIAGNOSTIC_ASSERT_ENABLED)
|
|
const PRThread* mOwningThread;
|
|
#endif
|
|
};
|
|
|
|
#endif // CommonSocketControl_h
|