mirror of
https://github.com/rn10950/RetroZilla.git
synced 2024-11-14 19:50:12 +01:00
a572ea8ca3
bug1095307, bug1073330(backout), bug1084986, bug1050069, bug942172, bug1054547, bug532081, bug1096348, bug1058870, bug1093940, bug1102985, bug1112461, bug1094492, bug112029, bug1119983, bug1120685, bug1120691, bug1113632, bug863076, bug1082973, bug1124539, bug1117617, bug1117621, bug1121273, bug753136, bug921684, bug1132818, bug1125375, bug647690, bug1055441, bug1134455, bug975010, bug950369, bug1128367, bug1129573, bug1136095, bug1117897, bug1113453, bug1061725, bug1073330, bug1111901, bug1083900, bug1136095, bug1138820, bug1096741, bug1134548, bug345725, bug950348, bug950344, bug1151037, bug991783, bug1153994
474 lines
17 KiB
C
474 lines
17 KiB
C
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
/*
|
|
* pkix_revocationchecker.c
|
|
*
|
|
* RevocationChecker Object Functions
|
|
*
|
|
*/
|
|
|
|
#include "pkix_revocationchecker.h"
|
|
#include "pkix_tools.h"
|
|
|
|
/* --Private-Functions-------------------------------------------- */
|
|
|
|
/*
|
|
* FUNCTION: pkix_RevocationChecker_Destroy
|
|
* (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
|
|
*/
|
|
static PKIX_Error *
|
|
pkix_RevocationChecker_Destroy(
|
|
PKIX_PL_Object *object,
|
|
void *plContext)
|
|
{
|
|
PKIX_RevocationChecker *checker = NULL;
|
|
|
|
PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_Destroy");
|
|
PKIX_NULLCHECK_ONE(object);
|
|
|
|
/* Check that this object is a revocation checker */
|
|
PKIX_CHECK(pkix_CheckType
|
|
(object, PKIX_REVOCATIONCHECKER_TYPE, plContext),
|
|
PKIX_OBJECTNOTREVOCATIONCHECKER);
|
|
|
|
checker = (PKIX_RevocationChecker *)object;
|
|
|
|
PKIX_DECREF(checker->leafMethodList);
|
|
PKIX_DECREF(checker->chainMethodList);
|
|
|
|
cleanup:
|
|
|
|
PKIX_RETURN(REVOCATIONCHECKER);
|
|
}
|
|
|
|
/*
|
|
* FUNCTION: pkix_RevocationChecker_Duplicate
|
|
* (see comments for PKIX_PL_DuplicateCallback in pkix_pl_system.h)
|
|
*/
|
|
static PKIX_Error *
|
|
pkix_RevocationChecker_Duplicate(
|
|
PKIX_PL_Object *object,
|
|
PKIX_PL_Object **pNewObject,
|
|
void *plContext)
|
|
{
|
|
PKIX_RevocationChecker *checker = NULL;
|
|
PKIX_RevocationChecker *checkerDuplicate = NULL;
|
|
PKIX_List *dupLeafList = NULL;
|
|
PKIX_List *dupChainList = NULL;
|
|
|
|
PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_Duplicate");
|
|
PKIX_NULLCHECK_TWO(object, pNewObject);
|
|
|
|
PKIX_CHECK(pkix_CheckType
|
|
(object, PKIX_REVOCATIONCHECKER_TYPE, plContext),
|
|
PKIX_OBJECTNOTCERTCHAINCHECKER);
|
|
|
|
checker = (PKIX_RevocationChecker *)object;
|
|
|
|
if (checker->leafMethodList){
|
|
PKIX_CHECK(PKIX_PL_Object_Duplicate
|
|
((PKIX_PL_Object *)checker->leafMethodList,
|
|
(PKIX_PL_Object **)&dupLeafList,
|
|
plContext),
|
|
PKIX_OBJECTDUPLICATEFAILED);
|
|
}
|
|
if (checker->chainMethodList){
|
|
PKIX_CHECK(PKIX_PL_Object_Duplicate
|
|
((PKIX_PL_Object *)checker->chainMethodList,
|
|
(PKIX_PL_Object **)&dupChainList,
|
|
plContext),
|
|
PKIX_OBJECTDUPLICATEFAILED);
|
|
}
|
|
|
|
PKIX_CHECK(
|
|
PKIX_RevocationChecker_Create(checker->leafMethodListFlags,
|
|
checker->chainMethodListFlags,
|
|
&checkerDuplicate,
|
|
plContext),
|
|
PKIX_REVOCATIONCHECKERCREATEFAILED);
|
|
|
|
checkerDuplicate->leafMethodList = dupLeafList;
|
|
checkerDuplicate->chainMethodList = dupChainList;
|
|
dupLeafList = NULL;
|
|
dupChainList = NULL;
|
|
|
|
*pNewObject = (PKIX_PL_Object *)checkerDuplicate;
|
|
|
|
cleanup:
|
|
PKIX_DECREF(dupLeafList);
|
|
PKIX_DECREF(dupChainList);
|
|
|
|
PKIX_RETURN(REVOCATIONCHECKER);
|
|
}
|
|
|
|
/*
|
|
* FUNCTION: pkix_RevocationChecker_RegisterSelf
|
|
* DESCRIPTION:
|
|
* Registers PKIX_REVOCATIONCHECKER_TYPE and its related functions with
|
|
* systemClasses[]
|
|
* THREAD SAFETY:
|
|
* Not Thread Safe - for performance and complexity reasons
|
|
*
|
|
* Since this function is only called by PKIX_PL_Initialize, which should
|
|
* only be called once, it is acceptable that this function is not
|
|
* thread-safe.
|
|
*/
|
|
PKIX_Error *
|
|
pkix_RevocationChecker_RegisterSelf(void *plContext)
|
|
{
|
|
extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
|
|
pkix_ClassTable_Entry entry;
|
|
|
|
PKIX_ENTER(REVOCATIONCHECKER, "pkix_RevocationChecker_RegisterSelf");
|
|
|
|
entry.description = "RevocationChecker";
|
|
entry.objCounter = 0;
|
|
entry.typeObjectSize = sizeof(PKIX_RevocationChecker);
|
|
entry.destructor = pkix_RevocationChecker_Destroy;
|
|
entry.equalsFunction = NULL;
|
|
entry.hashcodeFunction = NULL;
|
|
entry.toStringFunction = NULL;
|
|
entry.comparator = NULL;
|
|
entry.duplicateFunction = pkix_RevocationChecker_Duplicate;
|
|
|
|
systemClasses[PKIX_REVOCATIONCHECKER_TYPE] = entry;
|
|
|
|
PKIX_RETURN(REVOCATIONCHECKER);
|
|
}
|
|
|
|
/* Sort methods by their priorities (lower priority = higher preference) */
|
|
static PKIX_Error *
|
|
pkix_RevocationChecker_SortComparator(
|
|
PKIX_PL_Object *obj1,
|
|
PKIX_PL_Object *obj2,
|
|
PKIX_Int32 *pResult,
|
|
void *plContext)
|
|
{
|
|
pkix_RevocationMethod *method1 = NULL, *method2 = NULL;
|
|
|
|
PKIX_ENTER(BUILD, "pkix_RevocationChecker_SortComparator");
|
|
|
|
method1 = (pkix_RevocationMethod *)obj1;
|
|
method2 = (pkix_RevocationMethod *)obj2;
|
|
|
|
if (method1->priority < method2->priority) {
|
|
*pResult = -1;
|
|
} else if (method1->priority > method2->priority) {
|
|
*pResult = 1;
|
|
} else {
|
|
*pResult = 0;
|
|
}
|
|
|
|
PKIX_RETURN(BUILD);
|
|
}
|
|
|
|
|
|
/* --Public-Functions--------------------------------------------- */
|
|
|
|
|
|
/*
|
|
* FUNCTION: PKIX_RevocationChecker_Create (see comments in pkix_revchecker.h)
|
|
*/
|
|
PKIX_Error *
|
|
PKIX_RevocationChecker_Create(
|
|
PKIX_UInt32 leafMethodListFlags,
|
|
PKIX_UInt32 chainMethodListFlags,
|
|
PKIX_RevocationChecker **pChecker,
|
|
void *plContext)
|
|
{
|
|
PKIX_RevocationChecker *checker = NULL;
|
|
|
|
PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_Create");
|
|
PKIX_NULLCHECK_ONE(pChecker);
|
|
|
|
PKIX_CHECK(
|
|
PKIX_PL_Object_Alloc(PKIX_REVOCATIONCHECKER_TYPE,
|
|
sizeof (PKIX_RevocationChecker),
|
|
(PKIX_PL_Object **)&checker,
|
|
plContext),
|
|
PKIX_COULDNOTCREATECERTCHAINCHECKEROBJECT);
|
|
|
|
checker->leafMethodListFlags = leafMethodListFlags;
|
|
checker->chainMethodListFlags = chainMethodListFlags;
|
|
checker->leafMethodList = NULL;
|
|
checker->chainMethodList = NULL;
|
|
|
|
*pChecker = checker;
|
|
checker = NULL;
|
|
|
|
cleanup:
|
|
PKIX_DECREF(checker);
|
|
|
|
PKIX_RETURN(REVOCATIONCHECKER);
|
|
}
|
|
|
|
/*
|
|
* FUNCTION: PKIX_RevocationChecker_CreateAndAddMethod
|
|
*/
|
|
PKIX_Error *
|
|
PKIX_RevocationChecker_CreateAndAddMethod(
|
|
PKIX_RevocationChecker *revChecker,
|
|
PKIX_ProcessingParams *params,
|
|
PKIX_RevocationMethodType methodType,
|
|
PKIX_UInt32 flags,
|
|
PKIX_UInt32 priority,
|
|
PKIX_PL_VerifyCallback verificationFn,
|
|
PKIX_Boolean isLeafMethod,
|
|
void *plContext)
|
|
{
|
|
PKIX_List **methodList = NULL;
|
|
PKIX_List *unsortedList = NULL;
|
|
PKIX_List *certStores = NULL;
|
|
pkix_RevocationMethod *method = NULL;
|
|
pkix_LocalRevocationCheckFn *localRevChecker = NULL;
|
|
pkix_ExternalRevocationCheckFn *externRevChecker = NULL;
|
|
PKIX_UInt32 miFlags;
|
|
|
|
PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_CreateAndAddMethod");
|
|
PKIX_NULLCHECK_ONE(revChecker);
|
|
|
|
/* If the caller has said "Either one is sufficient, then don't let the
|
|
* absence of any one method's info lead to an overall failure.
|
|
*/
|
|
miFlags = isLeafMethod ? revChecker->leafMethodListFlags
|
|
: revChecker->chainMethodListFlags;
|
|
if (miFlags & PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE)
|
|
flags &= ~PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO;
|
|
|
|
switch (methodType) {
|
|
case PKIX_RevocationMethod_CRL:
|
|
localRevChecker = pkix_CrlChecker_CheckLocal;
|
|
externRevChecker = pkix_CrlChecker_CheckExternal;
|
|
PKIX_CHECK(
|
|
PKIX_ProcessingParams_GetCertStores(params, &certStores,
|
|
plContext),
|
|
PKIX_PROCESSINGPARAMSGETCERTSTORESFAILED);
|
|
PKIX_CHECK(
|
|
pkix_CrlChecker_Create(methodType, flags, priority,
|
|
localRevChecker, externRevChecker,
|
|
certStores, verificationFn,
|
|
&method,
|
|
plContext),
|
|
PKIX_COULDNOTCREATECRLCHECKEROBJECT);
|
|
break;
|
|
case PKIX_RevocationMethod_OCSP:
|
|
localRevChecker = pkix_OcspChecker_CheckLocal;
|
|
externRevChecker = pkix_OcspChecker_CheckExternal;
|
|
PKIX_CHECK(
|
|
pkix_OcspChecker_Create(methodType, flags, priority,
|
|
localRevChecker, externRevChecker,
|
|
verificationFn,
|
|
&method,
|
|
plContext),
|
|
PKIX_COULDNOTCREATEOCSPCHECKEROBJECT);
|
|
break;
|
|
default:
|
|
PKIX_ERROR(PKIX_INVALIDREVOCATIONMETHOD);
|
|
}
|
|
|
|
if (isLeafMethod) {
|
|
methodList = &revChecker->leafMethodList;
|
|
} else {
|
|
methodList = &revChecker->chainMethodList;
|
|
}
|
|
|
|
if (*methodList == NULL) {
|
|
PKIX_CHECK(
|
|
PKIX_List_Create(methodList, plContext),
|
|
PKIX_LISTCREATEFAILED);
|
|
}
|
|
unsortedList = *methodList;
|
|
PKIX_CHECK(
|
|
PKIX_List_AppendItem(unsortedList, (PKIX_PL_Object*)method, plContext),
|
|
PKIX_LISTAPPENDITEMFAILED);
|
|
PKIX_CHECK(
|
|
pkix_List_BubbleSort(unsortedList,
|
|
pkix_RevocationChecker_SortComparator,
|
|
methodList, plContext),
|
|
PKIX_LISTBUBBLESORTFAILED);
|
|
|
|
cleanup:
|
|
PKIX_DECREF(method);
|
|
PKIX_DECREF(unsortedList);
|
|
PKIX_DECREF(certStores);
|
|
|
|
PKIX_RETURN(REVOCATIONCHECKER);
|
|
}
|
|
|
|
/*
|
|
* FUNCTION: PKIX_RevocationChecker_Check
|
|
*/
|
|
PKIX_Error *
|
|
PKIX_RevocationChecker_Check(
|
|
PKIX_PL_Cert *cert,
|
|
PKIX_PL_Cert *issuer,
|
|
PKIX_RevocationChecker *revChecker,
|
|
PKIX_ProcessingParams *procParams,
|
|
PKIX_Boolean chainVerificationState,
|
|
PKIX_Boolean testingLeafCert,
|
|
PKIX_RevocationStatus *pRevStatus,
|
|
PKIX_UInt32 *pReasonCode,
|
|
void **pNbioContext,
|
|
void *plContext)
|
|
{
|
|
PKIX_RevocationStatus overallStatus = PKIX_RevStatus_NoInfo;
|
|
PKIX_RevocationStatus methodStatus[PKIX_RevocationMethod_MAX];
|
|
PKIX_Boolean onlyUseRemoteMethods = PKIX_FALSE;
|
|
PKIX_UInt32 revFlags = 0;
|
|
PKIX_List *revList = NULL;
|
|
PKIX_PL_Date *date = NULL;
|
|
pkix_RevocationMethod *method = NULL;
|
|
void *nbioContext;
|
|
int tries;
|
|
|
|
PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_Check");
|
|
PKIX_NULLCHECK_TWO(revChecker, procParams);
|
|
|
|
nbioContext = *pNbioContext;
|
|
*pNbioContext = NULL;
|
|
|
|
if (testingLeafCert) {
|
|
revList = revChecker->leafMethodList;
|
|
revFlags = revChecker->leafMethodListFlags;
|
|
} else {
|
|
revList = revChecker->chainMethodList;
|
|
revFlags = revChecker->chainMethodListFlags;
|
|
}
|
|
if (!revList) {
|
|
/* Return NoInfo status */
|
|
goto cleanup;
|
|
}
|
|
|
|
PORT_Memset(methodStatus, PKIX_RevStatus_NoInfo,
|
|
sizeof(PKIX_RevocationStatus) * PKIX_RevocationMethod_MAX);
|
|
|
|
date = procParams->date;
|
|
|
|
/* Need to have two loops if we testing all local info first:
|
|
* first we are going to test all local(cached) info
|
|
* second, all remote info(fetching) */
|
|
for (tries = 0;tries < 2;tries++) {
|
|
int methodNum = 0;
|
|
for (;methodNum < revList->length;methodNum++) {
|
|
PKIX_UInt32 methodFlags = 0;
|
|
|
|
PKIX_DECREF(method);
|
|
PKIX_CHECK(
|
|
PKIX_List_GetItem(revList, methodNum,
|
|
(PKIX_PL_Object**)&method, plContext),
|
|
PKIX_LISTGETITEMFAILED);
|
|
methodFlags = method->flags;
|
|
if (!(methodFlags & PKIX_REV_M_TEST_USING_THIS_METHOD)) {
|
|
/* Will not check with this method. Skipping... */
|
|
continue;
|
|
}
|
|
if (!onlyUseRemoteMethods &&
|
|
methodStatus[methodNum] == PKIX_RevStatus_NoInfo) {
|
|
PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
|
|
PKIX_CHECK_NO_GOTO(
|
|
(*method->localRevChecker)(cert, issuer, date,
|
|
method, procParams,
|
|
methodFlags,
|
|
chainVerificationState,
|
|
&revStatus,
|
|
pReasonCode, plContext),
|
|
PKIX_REVCHECKERCHECKFAILED);
|
|
methodStatus[methodNum] = revStatus;
|
|
if (revStatus == PKIX_RevStatus_Revoked) {
|
|
/* if error was generated use it as final error. */
|
|
overallStatus = PKIX_RevStatus_Revoked;
|
|
goto cleanup;
|
|
}
|
|
if (pkixErrorResult) {
|
|
/* Disregard errors. Only returned revStatus matters. */
|
|
PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult,
|
|
plContext);
|
|
pkixErrorResult = NULL;
|
|
}
|
|
}
|
|
if ((!(revFlags & PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST) ||
|
|
onlyUseRemoteMethods) &&
|
|
chainVerificationState &&
|
|
methodStatus[methodNum] == PKIX_RevStatus_NoInfo) {
|
|
if (!(methodFlags & PKIX_REV_M_FORBID_NETWORK_FETCHING)) {
|
|
PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
|
|
PKIX_CHECK_NO_GOTO(
|
|
(*method->externalRevChecker)(cert, issuer, date,
|
|
method,
|
|
procParams, methodFlags,
|
|
&revStatus, pReasonCode,
|
|
&nbioContext, plContext),
|
|
PKIX_REVCHECKERCHECKFAILED);
|
|
methodStatus[methodNum] = revStatus;
|
|
if (revStatus == PKIX_RevStatus_Revoked) {
|
|
/* if error was generated use it as final error. */
|
|
overallStatus = PKIX_RevStatus_Revoked;
|
|
goto cleanup;
|
|
}
|
|
if (pkixErrorResult) {
|
|
/* Disregard errors. Only returned revStatus matters. */
|
|
PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult,
|
|
plContext);
|
|
pkixErrorResult = NULL;
|
|
}
|
|
} else if (methodFlags &
|
|
PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO) {
|
|
/* Info is not in the local cache. Network fetching is not
|
|
* allowed. If need to fail on missing fresh info for the
|
|
* the method, then we should fail right here.*/
|
|
overallStatus = PKIX_RevStatus_Revoked;
|
|
goto cleanup;
|
|
}
|
|
}
|
|
/* If success and we should not check the next method, then
|
|
* return a success. */
|
|
if (methodStatus[methodNum] == PKIX_RevStatus_Success &&
|
|
!(methodFlags & PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO)) {
|
|
overallStatus = PKIX_RevStatus_Success;
|
|
goto cleanup;
|
|
}
|
|
} /* inner loop */
|
|
if (!onlyUseRemoteMethods &&
|
|
revFlags & PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST &&
|
|
chainVerificationState) {
|
|
onlyUseRemoteMethods = PKIX_TRUE;
|
|
continue;
|
|
}
|
|
break;
|
|
} /* outer loop */
|
|
|
|
if (overallStatus == PKIX_RevStatus_NoInfo &&
|
|
chainVerificationState) {
|
|
/* The following check makes sence only for chain
|
|
* validation step, sinse we do not fetch info while
|
|
* in the process of finding trusted anchor.
|
|
* For chain building step it is enough to know, that
|
|
* the cert was not directly revoked by any of the
|
|
* methods. */
|
|
|
|
/* Still have no info. But one of the method could
|
|
* have returned success status(possible if CONTINUE
|
|
* TESTING ON FRESH INFO flag was used).
|
|
* If any of the methods have returned Success status,
|
|
* the overallStatus should be success. */
|
|
int methodNum = 0;
|
|
for (;methodNum < PKIX_RevocationMethod_MAX;methodNum++) {
|
|
if (methodStatus[methodNum] == PKIX_RevStatus_Success) {
|
|
overallStatus = PKIX_RevStatus_Success;
|
|
goto cleanup;
|
|
}
|
|
}
|
|
if (revFlags & PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE) {
|
|
overallStatus = PKIX_RevStatus_Revoked;
|
|
}
|
|
}
|
|
|
|
cleanup:
|
|
*pRevStatus = overallStatus;
|
|
PKIX_DECREF(method);
|
|
|
|
PKIX_RETURN(REVOCATIONCHECKER);
|
|
}
|
|
|