Current view: top level - security/manager/ssl - nsNSSComponent.h (source / functions) Hit Total Coverage
Test: output.info Lines: 9 9 100.0 %
Date: 2018-08-07 16:35:00 Functions: 0 0 -

          Line data    Source code
       1             : /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
       2             :  *
       3             :  * This Source Code Form is subject to the terms of the Mozilla Public
       4             :  * License, v. 2.0. If a copy of the MPL was not distributed with this
       5             :  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
       6             : 
       7             : #ifndef _nsNSSComponent_h_
       8             : #define _nsNSSComponent_h_
       9             : 
      10             : #include "ScopedNSSTypes.h"
      11             : #include "SharedCertVerifier.h"
      12             : #include "mozilla/Attributes.h"
      13             : #include "mozilla/Monitor.h"
      14             : #include "mozilla/Mutex.h"
      15             : #include "mozilla/RefPtr.h"
      16             : #include "nsCOMPtr.h"
      17             : #include "nsIObserver.h"
      18             : #include "nsNSSCallbacks.h"
      19             : #include "prerror.h"
      20             : #include "sslt.h"
      21             : 
      22             : #ifdef XP_WIN
      23             : #include "windows.h" // this needs to be before the following includes
      24             : #include "wincrypt.h"
      25             : #endif // XP_WIN
      26             : 
      27             : class nsIDOMWindow;
      28             : class nsIPrompt;
      29             : class nsIX509CertList;
      30             : class SmartCardThreadList;
                       // Forward declarations. In this header nsIPrompt and nsIX509CertList
                       // appear only as pointer-to-pointer out-parameters, so no full definition
                       // is needed. nsIDOMWindow and SmartCardThreadList are not referenced
                       // anywhere else in the header as shown.
      31             : 
      32             : namespace mozilla { namespace psm {
      33             : 
                       // Free function returning an owning reference (already_AddRefed) to a
                       // SharedCertVerifier. MOZ_MUST_USE marks the result as one the caller
                       // must not discard. Only the declaration is here.
                       // NOTE(review): presumably forwards to
                       // nsINSSComponent::GetDefaultCertVerifier() - confirm in the definition,
                       // including what it returns when the component is unavailable.
      34             : MOZ_MUST_USE
      35             :   ::already_AddRefed<mozilla::psm::SharedCertVerifier>
      36             :   GetDefaultCertVerifier();
      37             : 
      38             : } } // namespace mozilla::psm
      39             : 
      40             : 
                       // Class ID of the concrete component; passed to
                       // NS_DEFINE_STATIC_CID_ACCESSOR inside nsNSSComponent.
      41             : #define NS_NSSCOMPONENT_CID \
      42             : {0x4cb64dfd, 0xca98, 0x4e24, {0xbe, 0xfd, 0x0d, 0x92, 0x85, 0xa3, 0x3b, 0xcb}}
      43             : 
                       // Contract ID string that the inline helpers at the end of this header
                       // hand to do_GetService() to look the component up.
      44             : #define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1"
      45             : 
                       // Interface ID of nsINSSComponent; passed to the
                       // NS_DECLARE_STATIC_IID_ACCESSOR / NS_DEFINE_STATIC_IID_ACCESSOR macros.
      46             : #define NS_INSSCOMPONENT_IID \
      47             :   { 0xa0a8f52b, 0xea18, 0x4abc, \
      48             :     { 0xa3, 0xca, 0xec, 0xcf, 0x70, 0x4f, 0xfe, 0x63 } }
      49             : 
                       // Declared here, defined elsewhere. Returns bool, not nsresult.
                       // NOTE(review): by name this makes sure NSS is initialized in either a
                       // chrome or a content process and reports whether that succeeded -
                       // confirm against the definition. The result is not marked MOZ_MUST_USE,
                       // so an ignored failure would not be flagged at the call site.
      50             : extern bool EnsureNSSInitializedChromeOrContent();
      51             : 
      52           1 : class NS_NO_VTABLE nsINSSComponent : public nsISupports
      53             : {
                         // Abstract interface to the PSM/NSS component: every method declared
                         // here is pure virtual. The inline helpers at the end of this header
                         // obtain it with do_GetService(PSM_COMPONENT_CONTRACTID);
                         // nsNSSComponent is the implementation declared in this file.
                         // The NS_IMETHOD methods report failure through their return value and
                         // deliver answers through `result` out-parameters, so a caller has to
                         // check the return value before trusting the out-parameter.
      54             : public:
      55             :   NS_DECLARE_STATIC_IID_ACCESSOR(NS_INSSCOMPONENT_IID)
      56             : 
                         // NOTE(review): by name, logs out of authenticated PKCS#11 tokens -
                         // confirm in the implementation.
      57             :   NS_IMETHOD LogoutAuthenticatedPK11() = 0;
      58             : 
                         // Declared only when DEBUG is defined, so this query does not exist in
                         // non-DEBUG builds. Writes its answer to `result`.
      59             : #ifdef DEBUG
      60             :   NS_IMETHOD IsCertTestBuiltInRoot(CERTCertificate* cert, bool& result) = 0;
      61             : #endif
      62             : 
                         // Writes to `result` whether `cert` is the content-signing root.
                         // NOTE(review): nsNSSComponent keeps an mContentSigningRootHash member,
                         // so this is presumably a hash comparison - confirm.
      63             :   NS_IMETHOD IsCertContentSigningRoot(CERTCertificate* cert, bool& result) = 0;
      64             : 
                         // Windows-only (XP_WIN). NOTE(review): by name these expose, and mark
                         // as trusted, root certificates that do not come from the built-in
                         // root list. Anything that widens the set of trust anchors deserves a
                         // close look at who can call it - confirm in the implementation.
      65             : #ifdef XP_WIN
      66             :   NS_IMETHOD GetEnterpriseRoots(nsIX509CertList** enterpriseRoots) = 0;
      67             :   NS_IMETHOD TrustLoaded3rdPartyRoots() = 0;
      68             : #endif
      69             : 
                         // NOTE(review): by name, blocks the calling thread until the loadable
                         // roots have been loaded; nsNSSComponent carries
                         // mLoadableRootsLoadedMonitor for that hand-off. Confirm which threads
                         // may call it.
      70             :   NS_IMETHOD BlockUntilLoadableRootsLoaded() = 0;
      71             :   NS_IMETHOD CheckForSmartCardChanges() = 0;
      72             :   // IssuerMatchesMitmCanary succeeds if aCertIssuer matches the canary and
      73             :   // the feature is enabled. It returns an error if the strings don't match,
      74             :   // the canary is not set, or the feature is disabled.
      75             :   NS_IMETHOD IssuerMatchesMitmCanary(const char* aCertIssuer) = 0;
      76             : 
      77             :   // Main thread only
      78             :   NS_IMETHOD HasActiveSmartCards(bool& result) = 0;
      79             :   NS_IMETHOD HasUserCertsInstalled(bool& result) = 0;
      80             : 
                         // Returns an owning reference (already_AddRefed) to the component's
                         // SharedCertVerifier. Unlike the namespace-level function of the same
                         // name, this declaration is not marked MOZ_MUST_USE.
      81             :   virtual ::already_AddRefed<mozilla::psm::SharedCertVerifier>
      82             :     GetDefaultCertVerifier() = 0;
      83             : };
      84             : 
      85             : NS_DEFINE_STATIC_IID_ACCESSOR(nsINSSComponent, NS_INSSCOMPONENT_IID)
      86             : 
      87             : // Implementation of the PSM component interface.
                       // Declares the overrides of every nsINSSComponent method, the nsIObserver
                       // method (via macro), a few static TLS helpers, and the private state.
                       // Only declarations appear in this class; the definitions are outside this
                       // header. The class is `final`, and its state is split into three groups
                       // by the comments on the members: guarded by mLoadableRootsLoadedMonitor,
                       // guarded by mMutex, and main-thread-only.
      88             : class nsNSSComponent final : public nsINSSComponent
      89             :                            , public nsIObserver
      90             : {
      91             : public:
      92             :   // LoadLoadableRootsTask updates mLoadableRootsLoaded and
      93             :   // mLoadableRootsLoadedResult and then signals mLoadableRootsLoadedMonitor.
      94             :   friend class LoadLoadableRootsTask;
      95             : 
      96             :   NS_DEFINE_STATIC_CID_ACCESSOR( NS_NSSCOMPONENT_CID )
      97             : 
      98             :   nsNSSComponent();
      99             : 
                         // Macro-supplied declarations: thread-safe reference counting for
                         // nsISupports, and the nsIObserver method.
     100             :   NS_DECL_THREADSAFE_ISUPPORTS
     101             :   NS_DECL_NSIOBSERVER
     102             : 
                         // NOTE(review): presumably the step that leads to the private
                         // InitializeNSS() - confirm. Returns nsresult; callers should check it.
     103             :   nsresult Init();
     104             : 
                         // Static: hands back an nsIPrompt through `result`.
                         // NOTE(review): ownership of *result is not visible here; presumably
                         // it is returned AddRef'd per XPCOM convention - confirm.
     105             :   static nsresult GetNewPrompter(nsIPrompt** result);
     106             : 
     107             :   NS_IMETHOD LogoutAuthenticatedPK11() override;
     108             : 
                         // DEBUG-only, matching the interface declaration.
     109             : #ifdef DEBUG
     110             :   NS_IMETHOD IsCertTestBuiltInRoot(CERTCertificate* cert, bool& result) override;
     111             : #endif
     112             : 
     113             :   NS_IMETHOD IsCertContentSigningRoot(CERTCertificate* cert, bool& result) override;
     114             : 
                         // Windows-only, matching the interface declaration.
     115             : #ifdef XP_WIN
     116             :   NS_IMETHOD GetEnterpriseRoots(nsIX509CertList** enterpriseRoots) override;
     117             :   NS_IMETHOD TrustLoaded3rdPartyRoots() override;
     118             : #endif
     119             : 
     120             :   NS_IMETHOD BlockUntilLoadableRootsLoaded() override;
     121             :   NS_IMETHOD CheckForSmartCardChanges() override;
     122             :   NS_IMETHOD IssuerMatchesMitmCanary(const char* aCertIssuer) override;
     123             : 
     124             :   // Main thread only
     125             :   NS_IMETHOD HasActiveSmartCards(bool& result) override;
     126             :   NS_IMETHOD HasUserCertsInstalled(bool& result) override;
     127             : 
     128             :   ::already_AddRefed<mozilla::psm::SharedCertVerifier>
     129             :     GetDefaultCertVerifier() override;
     130             : 
     131             :   // The following two methods are thread-safe.
                         // NOTE(review): by name, UseWeakCiphersOnSocket changes the cipher
                         // configuration of `fd` toward weaker suites. Which callers can reach it,
                         // and under what condition, is worth confirming in the implementation.
     132             :   static bool AreAnyWeakCiphersEnabled();
     133             :   static void UseWeakCiphersOnSocket(PRFileDesc* fd);
     134             : 
                         // Static helper: fills `rangeOut` from the two preference values and
                         // `defaults`. Returns nothing, so it cannot report a rejected input.
                         // NOTE(review): presumably falls back to `defaults` when the preference
                         // values do not form a valid range - confirm, since the result bounds
                         // the TLS versions that will be negotiated.
     135             :   static void FillTLSVersionRange(SSLVersionRange& rangeOut,
     136             :                                   uint32_t minFromPrefs,
     137             :                                   uint32_t maxFromPrefs,
     138             :                                   SSLVersionRange defaults);
     139             : 
     140             : protected:
                         // Not public: code outside the class cannot destroy an instance
                         // directly. NOTE(review): presumably destruction happens through the
                         // reference count reaching zero - confirm.
     141             :   virtual ~nsNSSComponent();
     142             : 
     143             : private:
     144             :   nsresult InitializeNSS();
     145             :   void ShutdownNSS();
     146             : 
                         // `proofOfLock` is taken by const reference and exists so the caller
                         // has to show it already holds a MutexAutoLock (presumably on mMutex -
                         // confirm); the requirement is then visible at every call site.
     147             :   void setValidationOptions(bool isInitialSetting,
     148             :                             const mozilla::MutexAutoLock& proofOfLock);
     149             :   nsresult setEnabledTLSVersions();
     150             :   nsresult RegisterObservers();
     151             : 
                         // Declared on all platforms; the helpers they would need are
                         // Windows-only (below).
                         // NOTE(review): the "Maybe" prefix suggests each checks a preference
                         // or condition before acting - confirm what gates them, because the
                         // certificates involved end up in mFamilySafetyRoot / mEnterpriseRoots.
     152             :   void MaybeEnableFamilySafetyCompatibility();
     153             :   void MaybeImportEnterpriseRoots();
     154             : #ifdef XP_WIN
                         // Windows-only helpers. PCCERT_CONTEXT and DWORD come from the
                         // wincrypt.h / windows.h includes at the top of this header.
                         // ImportEnterpriseRootsForLocation also requires proof that a lock is
                         // held. MaybeImportFamilySafetyRoot reports through `wasFamilySafetyRoot`
                         // whether `certificate` was that root.
     155             :   void ImportEnterpriseRootsForLocation(
     156             :     DWORD locationFlag, const mozilla::MutexAutoLock& proofOfLock);
     157             :   nsresult MaybeImportFamilySafetyRoot(PCCERT_CONTEXT certificate,
     158             :                                        bool& wasFamilySafetyRoot);
     159             :   nsresult LoadFamilySafetyRoot();
     160             :   void UnloadFamilySafetyRoot();
     161             : 
     162             :   void UnloadEnterpriseRoots();
     163             : #endif // XP_WIN
     164             : 
     165             :   // mLoadableRootsLoadedMonitor protects mLoadableRootsLoaded.
                         // NOTE(review): the comment on the LoadLoadableRootsTask friend
                         // declaration says the task updates mLoadableRootsLoadedResult together
                         // with mLoadableRootsLoaded, so the result is presumably guarded by the
                         // same monitor - confirm.
     166             :   mozilla::Monitor mLoadableRootsLoadedMonitor;
     167             :   bool mLoadableRootsLoaded;
     168             :   nsresult mLoadableRootsLoadedResult;
     169             : 
     170             :   // mMutex protects all members that are accessed from more than one thread.
     171             :   mozilla::Mutex mMutex;
     172             : 
     173             :   // The following members are accessed from more than one thread:
     174             :   bool mNSSInitialized;
     175             : #ifdef DEBUG
     176             :   nsString mTestBuiltInRootHash;
     177             : #endif
     178             :   nsString mContentSigningRootHash;
     179             :   RefPtr<mozilla::psm::SharedCertVerifier> mDefaultCertVerifier;
                         // NOTE(review): presumably the canary that IssuerMatchesMitmCanary
                         // compares aCertIssuer against, and the flag for "the feature is
                         // enabled" from that method's comment - confirm.
                         // The flag's name is spelled "Detecion" (missing "t"); renaming it means
                         // touching the implementation as well, so it is left as is here.
     180             :   nsString mMitmCanaryIssuer;
     181             :   bool mMitmDetecionEnabled;
     182             : #ifdef XP_WIN
                         // Owning handles (Unique* types from ScopedNSSTypes.h) for the
                         // certificates brought in by the Windows-only import methods above.
     183             :   mozilla::UniqueCERTCertificate mFamilySafetyRoot;
     184             :   mozilla::UniqueCERTCertList mEnterpriseRoots;
     185             : #endif // XP_WIN
     186             : 
     187             :   // The following members are accessed only on the main thread:
                         // Static, so one counter is shared by all instances.
     188             :   static int mInstanceCount;
     189             : };
     190             : 
     191             : inline nsresult
     192           2 : BlockUntilLoadableRootsLoaded()
     193             : {
                         // Convenience wrapper for callers that do not already hold the
                         // component: looks it up by contract ID and forwards to
                         // nsINSSComponent::BlockUntilLoadableRootsLoaded().
                         // Returns NS_ERROR_FAILURE when the lookup yields null, otherwise
                         // whatever the component returns. A failure means the roots cannot be
                         // assumed loaded, so callers should check the result before relying
                         // on them.
     194           4 :   nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
     195           2 :   if (!component) {
                           // This line carries no hit count in the report, so the failure
                           // path is not shown as exercised by the test run.
     196             :     return NS_ERROR_FAILURE;
     197             :   }
     198           2 :   return component->BlockUntilLoadableRootsLoaded();
     199             : }
     200             : 
     201             : inline nsresult
     202           1 : CheckForSmartCardChanges()
     203             : {
                         // Convenience wrapper around nsINSSComponent::CheckForSmartCardChanges().
                         // When MOZ_NO_SMART_CARDS is defined the whole lookup is compiled out
                         // and the function returns NS_OK without doing anything. Otherwise it
                         // looks the component up by contract ID, returns NS_ERROR_FAILURE if
                         // that yields null, and forwards the component's result.
     204             : #ifndef MOZ_NO_SMART_CARDS
     205           2 :   nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
     206           1 :   if (!component) {
                           // This line carries no hit count in the report, so the failure
                           // path is not shown as exercised by the test run.
     207             :     return NS_ERROR_FAILURE;
     208             :   }
     209           1 :   return component->CheckForSmartCardChanges();
     210             : #else
     211             :   return NS_OK;
     212             : #endif
     213             : }
     214             : 
     215             : #endif // _nsNSSComponent_h_
