summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/nsSiteSecurityService.h
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--security/manager/ssl/nsSiteSecurityService.h145
1 files changed, 145 insertions, 0 deletions
diff --git a/security/manager/ssl/nsSiteSecurityService.h b/security/manager/ssl/nsSiteSecurityService.h
new file mode 100644
index 0000000000..21403b0009
--- /dev/null
+++ b/security/manager/ssl/nsSiteSecurityService.h
@@ -0,0 +1,145 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __nsSiteSecurityService_h__
+#define __nsSiteSecurityService_h__
+
+#include "mozilla/BasePrincipal.h"
+#include "mozilla/Dafsa.h"
+#include "mozilla/DataStorage.h"
+#include "mozilla/RefPtr.h"
+#include "nsCOMPtr.h"
+#include "nsIObserver.h"
+#include "nsISiteSecurityService.h"
+#include "nsString.h"
+#include "nsTArray.h"
+#include "mozpkix/pkixtypes.h"
+#include "prtime.h"
+
+class nsIURI;
+
+using mozilla::OriginAttributes;
+
+// {16955eee-6c48-4152-9309-c42a465138a1}
+#define NS_SITE_SECURITY_SERVICE_CID \
+ { \
+ 0x16955eee, 0x6c48, 0x4152, { \
+ 0x93, 0x09, 0xc4, 0x2a, 0x46, 0x51, 0x38, 0xa1 \
+ } \
+ }
+
+/**
+ * SecurityPropertyState: A utility enum for representing the different states
+ * a security property can be in.
+ * SecurityPropertySet and SecurityPropertyUnset correspond to indicating
+ * a site has or does not have the security property in question, respectively.
+ * SecurityPropertyKnockout indicates a value on a preloaded list is being
+ * overridden, and the associated site does not have the security property
+ * in question.
+ */
+enum SecurityPropertyState {
+ SecurityPropertyUnset = 0,
+ SecurityPropertySet = 1,
+ SecurityPropertyKnockout = 2,
+};
+
+/**
+ * SiteHSTSState: A utility class that encodes/decodes a string describing
+ * the security state of a site. Currently only handles HSTS.
+ * HSTS state consists of:
+ * - Hostname (nsCString)
+ * - Origin attributes (OriginAttributes)
+ * - Expiry time (PRTime (aka int64_t) in milliseconds)
+ * - A state flag (SecurityPropertyState, default SecurityPropertyUnset)
+ * - An include subdomains flag (bool, default false)
+ */
+class SiteHSTSState {
+ public:
+ SiteHSTSState(const nsCString& aHost,
+ const OriginAttributes& aOriginAttributes,
+ const nsCString& aStateString);
+ SiteHSTSState(const nsCString& aHost,
+ const OriginAttributes& aOriginAttributes,
+ PRTime aHSTSExpireTime, SecurityPropertyState aHSTSState,
+ bool aHSTSIncludeSubdomains);
+
+ nsCString mHostname;
+ OriginAttributes mOriginAttributes;
+ PRTime mHSTSExpireTime;
+ SecurityPropertyState mHSTSState;
+ bool mHSTSIncludeSubdomains;
+
+ bool IsExpired() {
+ // If mHSTSExpireTime is 0, this entry never expires (this is the case for
+ // knockout entries).
+ if (mHSTSExpireTime == 0) {
+ return false;
+ }
+
+ PRTime now = PR_Now() / PR_USEC_PER_MSEC;
+ if (now > mHSTSExpireTime) {
+ return true;
+ }
+
+ return false;
+ }
+
+ void ToString(nsCString& aString);
+};
+
+struct nsSTSPreload;
+
+class nsSiteSecurityService : public nsISiteSecurityService,
+ public nsIObserver {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSIOBSERVER
+ NS_DECL_NSISITESECURITYSERVICE
+
+ nsSiteSecurityService();
+ nsresult Init();
+
+ static nsresult GetHost(nsIURI* aURI, nsACString& aResult);
+ static bool HostIsIPAddress(const nsCString& hostname);
+
+ protected:
+ virtual ~nsSiteSecurityService();
+
+ private:
+ nsresult SetHSTSState(const char* aHost, int64_t maxage,
+ bool includeSubdomains,
+ SecurityPropertyState aHSTSState,
+ const OriginAttributes& aOriginAttributes);
+ nsresult ProcessHeaderInternal(nsIURI* aSourceURI, const nsCString& aHeader,
+ const OriginAttributes& aOriginAttributes,
+ uint64_t* aMaxAge, bool* aIncludeSubdomains,
+ uint32_t* aFailureResult);
+ nsresult ProcessSTSHeader(nsIURI* aSourceURI, const nsCString& aHeader,
+ const OriginAttributes& aOriginAttributes,
+ uint64_t* aMaxAge, bool* aIncludeSubdomains,
+ uint32_t* aFailureResult);
+ nsresult MarkHostAsNotHSTS(const nsAutoCString& aHost,
+ const OriginAttributes& aOriginAttributes);
+ nsresult ResetStateInternal(nsIURI* aURI,
+ const OriginAttributes& aOriginAttributes,
+ nsISiteSecurityService::ResetStateBy aScope);
+ void ResetStateForExactDomain(const nsCString& aHostname,
+ const OriginAttributes& aOriginAttributes);
+ bool HostMatchesHSTSEntry(const nsAutoCString& aHost,
+ bool aRequireIncludeSubdomains,
+ const OriginAttributes& aOriginAttributes);
+ bool GetPreloadStatus(
+ const nsACString& aHost,
+ /*optional out*/ bool* aIncludeSubdomains = nullptr) const;
+ nsresult IsSecureHost(const nsACString& aHost,
+ const OriginAttributes& aOriginAttributes,
+ bool* aResult);
+
+ bool mUsePreloadList;
+ int64_t mPreloadListTimeOffset;
+ RefPtr<mozilla::DataStorage> mSiteStateStorage;
+ const mozilla::Dafsa mDafsa;
+};
+
+#endif // __nsSiteSecurityService_h__