Bug 932176: Add preference to control whether OCSP GET is used, off by default, r=cviecco

--HG-- extra : rebase_source : 4452d8959f22152512ed428184726c9834f6e4c3
2024-09-13 09:24:08 -07:00 · 2013-11-12 18:28:20 -08:00 · 2013-11-12 18:28:20 -08:00 · 60bd09c93f
commit 60bd09c93f
parent 5cce2d3d3f
4 changed files with 22 additions and 4 deletions
--- a/netwerk/base/public/security-prefs.js
+++ b/netwerk/base/public/security-prefs.js
@ -23,3 +23,4 @@ pref("security.password_lifetime",       30);

 pref("security.OCSP.enabled", 1);
 pref("security.OCSP.require", false);
+pref("security.OCSP.GET.enabled", false);
--- a/security/manager/ssl/src/CertVerifier.cpp
+++ b/security/manager/ssl/src/CertVerifier.cpp
@ -25,7 +25,8 @@ CertVerifier::CertVerifier(missing_cert_download_config mcdc,
                           ocsp_download_config odc,
                           ocsp_strict_config osc,
                           any_revo_fresh_config arfc,
-                           const char *firstNetworkRevocationMethod)
+                           const char *firstNetworkRevocationMethod,
+                           ocsp_get_config ogc)
  : mMissingCertDownloadEnabled(mcdc == missing_cert_download_on)
  , mCRLDownloadEnabled(cdc == crl_download_allowed)
  , mOCSPDownloadEnabled(odc == ocsp_on)
@ -33,6 +34,7 @@ CertVerifier::CertVerifier(missing_cert_download_config mcdc,
  , mRequireRevocationInfo(arfc == any_revo_strict)
  , mCRLFirst(firstNetworkRevocationMethod != nullptr &&
              !strcmp("crl", firstNetworkRevocationMethod))
+  , mOCSPGETEnabled(ogc == ocsp_get_enabled)
 {
  MOZ_COUNT_CTOR(CertVerifier);
 }
@ -230,8 +232,11 @@ CertVerifier::VerifyCert(CERTCertificate * cert,
 
    rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
    rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] = revMethodFlags;
+
    rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
-    rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] = revMethodFlags;
+    rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp]
+      = revMethodFlags
+      | (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);

    rev.leafTests.cert_rev_method_independent_flags =
    rev.chainTests.cert_rev_method_independent_flags =
@ -342,6 +347,8 @@ CertVerifier::VerifyCert(CERTCertificate * cert,
    // ocsp enabled controls network fetching, too
    | ((mOCSPDownloadEnabled && !localOnly) ?
        CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
+    
+    | (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
    ;

  rev.leafTests.preferred_methods[0] =
--- a/security/manager/ssl/src/CertVerifier.h
+++ b/security/manager/ssl/src/CertVerifier.h
@ -39,6 +39,7 @@ public:
  enum ocsp_download_config { ocsp_off = 0, ocsp_on };
  enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict };
  enum any_revo_fresh_config { any_revo_relaxed = 0, any_revo_strict };
+  enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 };

  bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; }

@ -46,7 +47,8 @@ private:
  CertVerifier(missing_cert_download_config ac, crl_download_config cdc,
               ocsp_download_config odc, ocsp_strict_config osc,
               any_revo_fresh_config arfc,
-               const char *firstNetworkRevocationMethod);
+               const char *firstNetworkRevocationMethod,
+               ocsp_get_config ogc);
  ~CertVerifier();

  const bool mMissingCertDownloadEnabled;
@ -55,6 +57,7 @@ private:
  const bool mOCSPStrict;
  const bool mRequireRevocationInfo;
  const bool mCRLFirst;
+  const bool mOCSPGETEnabled;
  friend class ::nsNSSComponent;
 };

--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@ -1057,6 +1057,10 @@ void nsNSSComponent::setValidationOptions()
  }
  CERT_SetOCSPTimeout(OCSPTimeoutSeconds);

+  // XXX: Always use POST for OCSP; see bug 871954 for undoing this.
+  bool ocspGetEnabled = Preferences::GetBool("security.OCSP.GET.enabled", false);
+  CERT_ForcePostMethodForOCSP(!ocspGetEnabled);
+
  mDefaultCertVerifier = new CertVerifier(
      aiaDownloadEnabled ? 
        CertVerifier::missing_cert_download_on : CertVerifier::missing_cert_download_off,
@ -1068,7 +1072,9 @@ void nsNSSComponent::setValidationOptions()
        CertVerifier::ocsp_strict : CertVerifier::ocsp_relaxed,
      anyFreshRequired ?
        CertVerifier::any_revo_strict : CertVerifier::any_revo_relaxed,
-      firstNetworkRevo.get());
+      firstNetworkRevo.get(),
+      ocspGetEnabled ?
+        CertVerifier::ocsp_get_enabled : CertVerifier::ocsp_get_disabled);

  /*
    * The new defaults might change the validity of already established SSL sessions,
@ -1730,6 +1736,7 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
               || prefName.Equals("security.missing_cert_download.enabled")
               || prefName.Equals("security.first_network_revocation_method")
               || prefName.Equals("security.OCSP.require")
+               || prefName.Equals("security.OCSP.GET.enabled")
               || prefName.Equals("security.ssl.enable_ocsp_stapling")) {
      MutexAutoLock lock(mutex);
      setValidationOptions();