wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

bug 1049095 - re-verify joinee certificate with joining hostname when joining connections r=briansmith r=mcmanus r=cviecco r=mmc r=rbarnes

Browse Source
This commit is contained in:
David Keeler 2014-08-21 10:37:23 -07:00
parent 9d30e4e27f
commit 8be74b716b
4 changed files with 34 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
security/certverifier/CertVerifier.cpp
View File

@ -432,6 +432,7 @@ CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
/*optional*/ void* pinarg,
const char* hostname,
bool saveIntermediatesInPermanentDatabase,
Flags flags,
/*optional out*/ ScopedCERTCertList* builtChain,
/*optional out*/ SECOidTag* evOidPolicy)
{
@ -456,8 +457,8 @@ CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
// CreateCertErrorRunnable assumes that CERT_VerifyCertName is only called
// if VerifyCert succeeded.
SECStatus rv = VerifyCert(peerCert, certificateUsageSSLServer, time, pinarg,
hostname, 0, stapledOCSPResponse, &builtChainTemp,
evOidPolicy);
hostname, flags, stapledOCSPResponse,
&builtChainTemp, evOidPolicy);
if (rv != SECSuccess) {
return rv;
}

1
security/certverifier/CertVerifier.h
View File

@ -43,6 +43,7 @@ public:
/*optional*/ void* pinarg,
const char* hostname,
bool saveIntermediatesInPermanentDatabase = false,
Flags flags = 0,
/*optional out*/ ScopedCERTCertList* builtChain = nullptr,
/*optional out*/ SECOidTag* evOidPolicy = nullptr);

2
security/manager/ssl/src/SSLServerCertVerification.cpp
View File

@ -759,7 +759,7 @@ AuthCertificate(CertVerifier& certVerifier,
rv = certVerifier.VerifySSLServerCert(cert, stapledOCSPResponse,
time, infoObject,
infoObject->GetHostNameRaw(),
saveIntermediates, nullptr,
saveIntermediates, 0, nullptr,
&evOidPolicy);
// We want to remember the CA certs in the temp db, so that the application can find the

32
security/manager/ssl/src/nsNSSIOLayer.cpp
View File

@ -432,9 +432,35 @@ nsNSSSocketInfo::JoinConnection(const nsACString& npnProtocol,
return NS_OK;
}
if (CERT_VerifyCertName(nssCert, PromiseFlatCString(hostname).get()) !=
SECSuccess) {
return NS_OK;
// Attempt to verify the joinee's certificate using the joining hostname.
// This ensures that any hostname-specific verification logic (e.g. key
// pinning) is satisfied by the joinee's certificate chain.
// This verification only uses local information; since we're on the network
// thread, we would be blocking on ourselves if we attempted any network i/o.
// TODO(bug 1056935): The certificate chain built by this verification may be
// different than the certificate chain originally built during the joined
// connection's TLS handshake. Consequently, we may report a wrong and/or
// misleading certificate chain for HTTP transactions coalesced onto this
// connection. This may become problematic in the future. For example,
// if/when we begin relying on intermediate certificates being stored in the
// securityInfo of a cached HTTPS response, that cached certificate chain may
// actually be the wrong chain. We should consider having JoinConnection
// return the certificate chain built here, so that the calling Necko code
// can associate the correct certificate chain with the HTTP transactions it
// is trying to join onto this connection.
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
if (!certVerifier) {
return NS_OK;
}
nsAutoCString hostnameFlat(PromiseFlatCString(hostname));
CertVerifier::Flags flags = CertVerifier::FLAG_LOCAL_ONLY;
SECStatus rv = certVerifier->VerifySSLServerCert(nssCert, nullptr,
mozilla::pkix::Now(),
nullptr, hostnameFlat.get(),
false, flags, nullptr,
nullptr);
if (rv != SECSuccess) {
return NS_OK;
}
// All tests pass - this is joinable