bool Sekrit::IsKeyValid() const { if(!m_impl->keyHasBeenSet) return false; Plaintext plaintext = DoDecrypt(); bool IsValid = VerifyHash(plaintext, m_impl->header.iv); return IsValid; }
/* static */ nsresult SRICheck::VerifyIntegrity(const SRIMetadata& aMetadata, nsIURI* aRequestURI, const CORSMode aCORSMode, uint32_t aStringLen, const uint8_t* aString, const nsIDocument* aDocument) { if (MOZ_LOG_TEST(GetSriLog(), mozilla::LogLevel::Debug)) { nsAutoCString requestURL; aRequestURI->GetAsciiSpec(requestURL); // requestURL will be empty if GetAsciiSpec fails SRILOG(("SRICheck::VerifyIntegrity, url=%s (length=%u)", requestURL.get(), aStringLen)); } MOZ_ASSERT(!aMetadata.IsEmpty()); // should be checked by caller // IntegrityMetadata() checks this and returns "no metadata" if // it's disabled so we should never make it this far MOZ_ASSERT(Preferences::GetBool("security.sri.enable", false)); if (NS_FAILED(IsEligible(aRequestURI, aCORSMode, aDocument))) { return NS_OK; // ignore non-CORS resources for forward-compatibility } if (!aMetadata.IsValid()) { nsContentUtils::ReportToConsole(nsIScriptError::warningFlag, NS_LITERAL_CSTRING("Sub-resource Integrity"), aDocument, nsContentUtils::eSECURITY_PROPERTIES, "NoValidMetadata"); return NS_OK; // ignore invalid metadata for forward-compatibility } for (uint32_t i = 0; i < aMetadata.HashCount(); i++) { if (NS_SUCCEEDED(VerifyHash(aMetadata, i, aStringLen, aString, aDocument))) { return NS_OK; // stop at the first valid hash } } nsAutoCString alg; aMetadata.GetAlgorithm(&alg); NS_ConvertUTF8toUTF16 algUTF16(alg); const char16_t* params[] = { algUTF16.get() }; nsContentUtils::ReportToConsole(nsIScriptError::errorFlag, NS_LITERAL_CSTRING("Sub-resource Integrity"), aDocument, nsContentUtils::eSECURITY_PROPERTIES, "IntegrityMismatch", params, ArrayLength(params)); return NS_ERROR_SRI_CORRUPT; }
nsresult SRICheckDataVerifier::Verify(const SRIMetadata& aMetadata, nsIChannel* aChannel, const nsACString& aSourceFileURI, nsIConsoleReportCollector* aReporter) { NS_ENSURE_ARG_POINTER(aReporter); if (MOZ_LOG_TEST(SRILogHelper::GetSriLog(), mozilla::LogLevel::Debug)) { nsAutoCString requestURL; nsCOMPtr<nsIRequest> request = aChannel; request->GetName(requestURL); SRILOG(("SRICheckDataVerifier::Verify, url=%s (length=%zu)", requestURL.get(), mBytesHashed)); } nsresult rv = Finish(); NS_ENSURE_SUCCESS(rv, rv); nsCOMPtr<nsILoadInfo> loadInfo = aChannel->GetLoadInfo(); NS_ENSURE_TRUE(loadInfo, NS_ERROR_FAILURE); LoadTainting tainting = loadInfo->GetTainting(); if (NS_FAILED(IsEligible(aChannel, tainting, aSourceFileURI, aReporter))) { return NS_ERROR_SRI_NOT_ELIGIBLE; } if (mInvalidMetadata) { return NS_OK; // ignore invalid metadata for forward-compatibility } for (uint32_t i = 0; i < aMetadata.HashCount(); i++) { if (NS_SUCCEEDED(VerifyHash(aMetadata, i, aSourceFileURI, aReporter))) { return NS_OK; // stop at the first valid hash } } nsAutoCString alg; aMetadata.GetAlgorithm(&alg); NS_ConvertUTF8toUTF16 algUTF16(alg); nsTArray<nsString> params; params.AppendElement(algUTF16); aReporter->AddConsoleReport(nsIScriptError::errorFlag, NS_LITERAL_CSTRING("Sub-resource Integrity"), nsContentUtils::eSECURITY_PROPERTIES, aSourceFileURI, 0, 0, NS_LITERAL_CSTRING("IntegrityMismatch"), const_cast<const nsTArray<nsString>&>(params)); return NS_ERROR_SRI_CORRUPT; }
nsresult SRICheckDataVerifier::Verify(const SRIMetadata& aMetadata, nsIChannel* aChannel, const CORSMode aCORSMode, const nsIDocument* aDocument) { NS_ENSURE_ARG_POINTER(aDocument); if (MOZ_LOG_TEST(SRILogHelper::GetSriLog(), mozilla::LogLevel::Debug)) { nsAutoCString requestURL; nsCOMPtr<nsIRequest> request; request = do_QueryInterface(aChannel); request->GetName(requestURL); SRILOG(("SRICheckDataVerifier::Verify, url=%s (length=%lu)", requestURL.get(), mBytesHashed)); } nsresult rv = Finish(); NS_ENSURE_SUCCESS(rv, rv); if (NS_FAILED(IsEligible(aChannel, aCORSMode, aDocument))) { return NS_ERROR_SRI_NOT_ELIGIBLE; } if (mInvalidMetadata) { return NS_OK; // ignore invalid metadata for forward-compatibility } for (uint32_t i = 0; i < aMetadata.HashCount(); i++) { if (NS_SUCCEEDED(VerifyHash(aMetadata, i, aDocument))) { return NS_OK; // stop at the first valid hash } } nsAutoCString alg; aMetadata.GetAlgorithm(&alg); NS_ConvertUTF8toUTF16 algUTF16(alg); const char16_t* params[] = { algUTF16.get() }; nsContentUtils::ReportToConsole(nsIScriptError::errorFlag, NS_LITERAL_CSTRING("Sub-resource Integrity"), aDocument, nsContentUtils::eSECURITY_PROPERTIES, "IntegrityMismatch", params, ArrayLength(params)); return NS_ERROR_SRI_CORRUPT; }
nsresult nsXPInstallManager::InstallItems() { nsresult rv; nsCOMPtr<nsIZipReader> hZip = do_CreateInstance(kZipReaderCID, &rv); NS_ENSURE_SUCCESS(rv, rv); nsCOMPtr<nsIExtensionManager> em = do_GetService("@mozilla.org/extensions/manager;1", &rv); NS_ENSURE_SUCCESS(rv, rv); // can't cancel from here on cause we can't undo installs in a multitrigger for (PRUint32 i = 0; i < mTriggers->Size(); ++i) { mItem = (nsXPITriggerItem*)mTriggers->Get(i); if ( !mItem || !mItem->mFile ) { // notification for these errors already handled continue; } // If there was hash info in the trigger, but // there wasn't a hash object created, then the // algorithm used isn't known. if (mItem->mHashFound && !mItem->mHasher) { // report failure mTriggers->SendStatus( mItem->mURL.get(), nsInstall::INVALID_HASH_TYPE ); if (mDlg) mDlg->OnStateChange( i, nsIXPIProgressDialog::INSTALL_DONE, nsInstall::INVALID_HASH_TYPE ); continue; } // Don't install if we can't verify the hash (if specified) if (mItem->mHasher && !VerifyHash(mItem)) { // report failure mTriggers->SendStatus( mItem->mURL.get(), nsInstall::INVALID_HASH ); if (mDlg) mDlg->OnStateChange( i, nsIXPIProgressDialog::INSTALL_DONE, nsInstall::INVALID_HASH ); continue; } if (mDlg) mDlg->OnStateChange( i, nsIXPIProgressDialog::INSTALL_START, 0 ); PRInt32 finalStatus = OpenAndValidateArchive( hZip, mItem->mFile, mItem->mPrincipal); hZip->Close(); if (finalStatus == nsInstall::SUCCESS) { rv = em->InstallItemFromFile( mItem->mFile, NS_INSTALL_LOCATION_APPPROFILE); if (NS_FAILED(rv)) finalStatus = nsInstall::EXECUTION_ERROR; } mTriggers->SendStatus( mItem->mURL.get(), finalStatus ); if (mDlg) mDlg->OnStateChange( i, nsIXPIProgressDialog::INSTALL_DONE, finalStatus ); } return NS_OK; }