security/certverifier/OCSPRequestor.cpp
author Dustin J. Mitchell <dustin@mozilla.com>
Thu, 12 May 2016 15:11:52 +0000
changeset 366368 427e0cb5e394a9e3b8047a0681675f350c92462d
parent 348146 63c6be19398d5654cd577fc009c3874742f028e7
child 367413 a1b6269a4ded14d84ed43a5af45cfcb542e57f2f
permissions -rw-r--r--
Bug 1258497: Implement a new taskgraph generation system; r?gps The `taskgraph` package generates TaskCluster task graphs based on collections of task "kinds". Initially, there is only one kind, the "legacy" kind, which reads the YAML files from `testing/taskcluster/tasks` to generate the task graph. Try syntax is implemented by filtering the tasks in the taskgraph after it has been created, then extending the result to include any prerequisite tasks. A collection of `mach taskgraph` subcommands are provided for developers to extend or debug the task-graph generation process. MozReview-Commit-ID: 1TJCns4XxZ8

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "OCSPRequestor.h"

#include <limits>

#include "ScopedNSSTypes.h"
#include "mozilla/Base64.h"
#include "nsIURLParser.h"
#include "nsNSSCallbacks.h"
#include "nsNetCID.h"
#include "nsServiceManagerUtils.h"
#include "secerr.h"

extern mozilla::LazyLogModule gCertVerifierLog;

namespace mozilla {

void
ReleaseHttpServerSession(nsNSSHttpServerSession* httpServerSession)
{
  delete httpServerSession;
}

void
ReleaseHttpRequestSession(nsNSSHttpRequestSession* httpRequestSession)
{
  httpRequestSession->Release();
}

MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueHTTPServerSession,
                                      nsNSSHttpServerSession,
                                      ReleaseHttpServerSession)

MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueHTTPRequestSession,
                                      nsNSSHttpRequestSession,
                                      ReleaseHttpRequestSession)

} // namespace mozilla

namespace mozilla { namespace psm {

static nsresult
AppendEscapedBase64Item(const SECItem* encodedRequest, nsACString& path)
{
  nsresult rv;
  nsDependentCSubstring requestAsSubstring(
    reinterpret_cast<const char*>(encodedRequest->data), encodedRequest->len);
  nsCString base64Request;
  rv = Base64Encode(requestAsSubstring, base64Request);
  if (NS_WARN_IF(NS_FAILED(rv))) {
    return rv;
  }

  MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
         ("Setting up OCSP GET path, pre path =%s\n",
          PromiseFlatCString(path).get()));

  // The path transformation is not a direct url encoding. Three characters
  // need change '+' -> "%2B", '/' -> "%2F", and '=' -> '%3D'.
  // http://tools.ietf.org/html/rfc5019#section-5
  base64Request.ReplaceSubstring("+", "%2B");
  base64Request.ReplaceSubstring("/", "%2F");
  base64Request.ReplaceSubstring("=", "%3D");
  path.Append(base64Request);
  return NS_OK;
}

Result
DoOCSPRequest(const UniquePLArenaPool& arena, const char* url,
              const SECItem* encodedRequest, PRIntervalTime timeout,
              bool useGET,
      /*out*/ SECItem*& encodedResponse)
{
  MOZ_ASSERT(arena.get());
  MOZ_ASSERT(url);
  MOZ_ASSERT(encodedRequest);
  MOZ_ASSERT(encodedRequest->data);
  if (!arena.get() || !url || !encodedRequest || !encodedRequest->data) {
    return Result::FATAL_ERROR_INVALID_ARGS;
  }
  uint32_t urlLen = PL_strlen(url);
  if (urlLen > static_cast<uint32_t>(std::numeric_limits<int32_t>::max())) {
    return Result::FATAL_ERROR_INVALID_ARGS;
  }

  nsCOMPtr<nsIURLParser> urlParser = do_GetService(NS_STDURLPARSER_CONTRACTID);
  if (!urlParser) {
    return Result::FATAL_ERROR_LIBRARY_FAILURE;
  }

  uint32_t schemePos;
  int32_t schemeLen;
  uint32_t authorityPos;
  int32_t authorityLen;
  uint32_t pathPos;
  int32_t pathLen;
  nsresult nsrv = urlParser->ParseURL(url, static_cast<int32_t>(urlLen),
                                      &schemePos, &schemeLen,
                                      &authorityPos, &authorityLen,
                                      &pathPos, &pathLen);
  if (NS_FAILED(nsrv)) {
    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
  }
  if (schemeLen < 0 || authorityLen < 0) {
    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
  }
  nsAutoCString scheme(url + schemePos,
                       static_cast<nsAutoCString::size_type>(schemeLen));
  if (!scheme.LowerCaseEqualsLiteral("http")) {
    // We don't support HTTPS to avoid loops. See Bug 92923.
    // We also in general only support HTTP.
    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
  }

  uint32_t hostnamePos;
  int32_t hostnameLen;
  int32_t port;
  // We ignore user:password sections: if one is present, we send an OCSP
  // request to the URL as normal without sending the username or password.
  nsrv = urlParser->ParseAuthority(url + authorityPos, authorityLen,
                                   nullptr, nullptr, nullptr, nullptr,
                                   &hostnamePos, &hostnameLen, &port);
  if (NS_FAILED(nsrv)) {
    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
  }
  if (hostnameLen < 0) {
    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
  }
  if (port == -1) {
    port = 80;
  } else if (port < 0 || port > 0xffff) {
    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
  }
  nsAutoCString
    hostname(url + authorityPos + hostnamePos,
             static_cast<nsACString_internal::size_type>(hostnameLen));

  SEC_HTTP_SERVER_SESSION serverSessionPtr = nullptr;
  Result rv = nsNSSHttpInterface::createSessionFcn(
    hostname.BeginReading(), static_cast<uint16_t>(port), &serverSessionPtr);
  if (rv != Success) {
    return rv;
  }
  UniqueHTTPServerSession serverSession(
    reinterpret_cast<nsNSSHttpServerSession*>(serverSessionPtr));

  nsAutoCString path;
  if (pathLen > 0) {
    path.Assign(url + pathPos, static_cast<nsAutoCString::size_type>(pathLen));
  } else {
    path.Assign("/");
  }
  MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
         ("Setting up OCSP request: pre all path =%s  pathlen=%d\n", path.get(),
          pathLen));
  nsAutoCString method("POST");
  if (useGET) {
    method.Assign("GET");
    if (!StringEndsWith(path, NS_LITERAL_CSTRING("/"))) {
      path.Append("/");
    }
    nsresult nsrv = AppendEscapedBase64Item(encodedRequest, path);
    if (NS_WARN_IF(NS_FAILED(nsrv))) {
      return Result::FATAL_ERROR_LIBRARY_FAILURE;
    }
  }

  SEC_HTTP_REQUEST_SESSION requestSessionPtr;
  rv = nsNSSHttpInterface::createFcn(serverSession.get(), "http", path.get(),
                                     method.get(), timeout, &requestSessionPtr);
  if (rv != Success) {
    return rv;
  }

  UniqueHTTPRequestSession requestSession(
    reinterpret_cast<nsNSSHttpRequestSession*>(requestSessionPtr));

  if (!useGET) {
    rv = nsNSSHttpInterface::setPostDataFcn(
      requestSession.get(), reinterpret_cast<char*>(encodedRequest->data),
      encodedRequest->len, "application/ocsp-request");
    if (rv != Success) {
      return rv;
    }
  }

  uint16_t httpResponseCode;
  const char* httpResponseData;
  uint32_t httpResponseDataLen = 0; // 0 means any response size is acceptable
  rv = nsNSSHttpInterface::trySendAndReceiveFcn(requestSession.get(), nullptr,
                                                &httpResponseCode, nullptr,
                                                nullptr, &httpResponseData,
                                                &httpResponseDataLen);
  if (rv != Success) {
    return rv;
  }

  if (httpResponseCode != 200) {
    return Result::ERROR_OCSP_SERVER_ERROR;
  }

  encodedResponse = SECITEM_AllocItem(arena.get(), nullptr, httpResponseDataLen);
  if (!encodedResponse) {
    return Result::FATAL_ERROR_NO_MEMORY;
  }

  memcpy(encodedResponse->data, httpResponseData, httpResponseDataLen);
  return Success;
}

} } // namespace mozilla::psm