
Advanced configuration options for whitelisting rfc1918 address space…

… and private PKIs.
1 parent dff6cac commit f1e310e280be571484d24477e401cb8679e3a6f8 @moxie0 committed Dec 11, 2011
@@ -39,6 +39,8 @@ function onOptionsSave() {
settingsManager.setConnectivityErrorIsFailure(document.getElementById("connectivity-failure").checked);
settingsManager.setVerificationThreshold(document.getElementById("threshold").selectedItem.id);
settingsManager.setMaxNotaryQuorum(document.getElementById("notary-quorum").value);
+ settingsManager.setPrivatePkiExempt(document.getElementById("private-pki-exempt").checked);
+ settingsManager.setPrivateIpExempt(document.getElementById("private-ip-exempt").checked);
settingsManager.setNotaryList(notaries);
settingsManager.savePreferences();
@@ -132,12 +134,16 @@ function updateAdvancedSettings() {
var connectivityIsFailureEnabled = convergence.getSettingsManager().getConnectivityErrorIsFailure();
var verificationThreshold = convergence.getSettingsManager().getVerificationThreshold();
var maxQuorum = convergence.getSettingsManager().getMaxNotaryQuorum();
+ var privateIpExempt = convergence.getSettingsManager().getPrivateIpExempt();
+ var privatePkiExempt = convergence.getSettingsManager().getPrivatePkiExempt();
document.getElementById("cache-certificates").checked = cacheCertificatesEnabled;
document.getElementById("notary-bounce").checked = notaryBounceEnabled;
document.getElementById("connectivity-failure").checked = connectivityIsFailureEnabled;
document.getElementById("threshold").selectedItem = document.getElementById(verificationThreshold);
document.getElementById("notary-quorum").value = maxQuorum;
+ document.getElementById("private-ip-exempt").checked = privateIpExempt;
+ document.getElementById("private-pki-exempt").checked = privatePkiExempt;
};
function updateCacheSettings(sortColumn, sortDirection) {
@@ -1,7 +1,7 @@
<?xml version="1.0"?>
<?xml-stylesheet href="options.css" type="text/css"?>
-<dialog id="convergence-options" title="Convergence Notary Preferences" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" width="620" height="350" buttons="accept,cancel" onload="onOptionsLoad();" ondialogaccept="return onOptionsSave();">
+<dialog id="convergence-options" title="Convergence Notary Preferences" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" width="620" height="450" buttons="accept,cancel" onload="onOptionsLoad();" ondialogaccept="return onOptionsSave();">
<script src="options.js" />
@@ -43,6 +43,8 @@
<checkbox id="cache-certificates" label="Cache certificates locally." />
<checkbox id="notary-bounce" label="Anonymize communication with notaries." />
<checkbox id="connectivity-failure" label="Notary connectivity failure counts as authenticity failure."/>
+ <checkbox id="private-ip-exempt" label="Don't check RFC 1918 (private) IP addresses." />
+ <checkbox id="private-pki-exempt" label="Whitelist private PKI signatures." />
<groupbox>
<caption label="Verification Threshold"/>
@@ -59,10 +59,12 @@ function sendClientResponse(localSocket, certificateManager, certificateInfo) {
localSocket.negotiateSSL(certificateManager, certificateInfo);
};
-function checkCertificateValidity(certificateCache, activeNotaries, host, port, certificateInfo) {
+function checkCertificateValidity(certificateCache, activeNotaries, host, port,
+ certificateInfo, privatePkiExempt)
+{
var target = host + ":" + port;
- if (certificateInfo.isLocalPki) {
+ if (privatePkiExempt && certificateInfo.isLocalPki) {
dump("Certificate is a local PKI cert.\n");
return {'status' : true,
'target' : target,
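Review bot: The new `privatePkiExempt` parameter of checkCertificateValidity is undocumented, and its fail-closed behaviour when a caller omits it is worth recording, since `privatePkiExempt && certificateInfo.isLocalPki` is falsy for `undefined` and the local-PKI shortcut is then simply not taken. A header comment such as `// privatePkiExempt: when true, a certificate flagged isLocalPki is accepted without notary verification; any other value (including an omitted argument) falls through to the normal checks.` would make that contract explicit for callers like the onmessage handler, which reads the flag out of `event.data.settings` by key. The body of checkCertificateValidity continues past the end of the hunk.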
@@ -119,7 +121,7 @@ onmessage = function(event) {
var results = this.checkCertificateValidity(certificateCache, activeNotaries,
destination.host, destination.port,
- certificateInfo);
+ certificateInfo, event.data.settings['privatePkiExempt']);
if (results['status'] == false) {
certificateInfo.commonName = new NSS.lib.buffer("Invalid Certificate");
@@ -295,7 +295,8 @@ Convergence.prototype = {
return uri.host == "localhost" ||
uri.host == "127.0.0.1" ||
uri.host == "aus3.mozilla.org" ||
- this.rfc1918.test(uri.host);
+ (this.settingsManager.getPrivateIpExempt() &&
+ this.rfc1918.test(uri.host));
},
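Review bot: Only the RFC 1918 match is gated by `getPrivateIpExempt()`; the three literal hosts on the preceding lines stay unconditional proxy bypasses, and nothing in the hunk says why that asymmetry is intended. A short comment before the `return`, e.g. `// localhost, loopback and the Mozilla update host are always bypassed; private address space is bypassed only when the user keeps the default exemption enabled.`, would stop a later reader from "fixing" one side to match the other. The enclosing method starts before the hunk, so I cannot see whether `this.rfc1918` is anchored or carries a global flag; if it does use `/g`, `test()` would be stateful across calls and that should be confirmed.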
applyFilter : function(protocolService, uri, proxy) {
@@ -29,6 +29,8 @@ function SettingsManager() {
this.cacheCertificatesEnabled = true;
this.notaryBounceEnabled = true;
this.connectivityIsFailureEnabled = true;
+ this.privateIpExempt = true;
+ this.privatePkiExempt = true;
this.maxNotaryQuorum = 3;
this.verificationThreshold = "majority";
this.notaries = new Array();
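Review bot: Both new flags default to `true`, so out of the box a certificate marked `isLocalPki` and any RFC 1918 destination skip notary verification; that is a deliberate trade-off and deserves a comment on these two lines rather than being discoverable only by reading loadPreferences, which re-applies the same default when the attribute is absent. Something like `// Default-on: private PKI certificates and private address space are exempt from notary checks until the user opts out.` is enough. The constructor begins outside the hunk.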
@@ -61,6 +63,22 @@ SettingsManager.prototype.getConnectivityErrorIsFailure = function() {
return this.connectivityIsFailureEnabled;
};
+SettingsManager.prototype.setPrivateIpExempt = function(val) {
+ this.privateIpExempt = val;
+};
+
+SettingsManager.prototype.getPrivateIpExempt = function() {
+ return this.privateIpExempt;
+};
+
+SettingsManager.prototype.setPrivatePkiExempt = function(val) {
+ this.privatePkiExempt = val;
+};
+
+SettingsManager.prototype.getPrivatePkiExempt = function() {
+ return this.privatePkiExempt;
+};
+
SettingsManager.prototype.setVerificationThreshold = function(val) {
this.verificationThreshold = val;
};
@@ -132,7 +150,8 @@ SettingsManager.prototype.getSerializedSettings = function() {
'notaryBounceEnabled' : this.notaryBounceEnabled,
'connectivityIsFailureEnabled' : this.connectivityIsFailureEnabled,
'verificationThreshold' : this.verificationThreshold,
- 'maxNotaryQuorum' : this.maxNotaryQuorum
+ 'maxNotaryQuorum' : this.maxNotaryQuorum,
+ 'privatePkiExempt' : this.privatePkiExempt
};
};
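Review bot: getSerializedSettings now carries `privatePkiExempt` but not `privateIpExempt`, which looks intentional because the IP exemption appears to be evaluated on the main thread through `settingsManager.getPrivateIpExempt()` while the worker only consults the PKI flag, but the omission reads like an oversight without a note. Adding `// privateIpExempt is read directly from the SettingsManager by the proxy filter and is not needed in the worker` next to the new entry would document the split; please confirm the worker really has no use for the IP flag.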
@@ -229,6 +248,8 @@ SettingsManager.prototype.savePreferences = function() {
rootElement.setAttribute("cache_certificates", this.cacheCertificatesEnabled);
rootElement.setAttribute("notary_bounce", this.notaryBounceEnabled);
rootElement.setAttribute("connectivity_failure", this.connectivityIsFailureEnabled);
+ rootElement.setAttribute("private_pki_exempt", this.privatePkiExempt);
+ rootElement.setAttribute("private_ip_exempt", this.privateIpExempt);
rootElement.setAttribute("threshold", this.verificationThreshold);
rootElement.setAttribute("max_notary_quorum", this.maxNotaryQuorum);
rootElement.setAttribute("version", 1);
@@ -352,6 +373,8 @@ SettingsManager.prototype.loadPreferences = function() {
this.cacheCertificatesEnabled = (rootElement.item(0).getAttribute("cache_certificates") == "true");
this.notaryBounceEnabled = (rootElement.item(0).getAttribute("notary_bounce") == "true");
this.connectivityIsFailureEnabled = (rootElement.item(0).getAttribute("connectivity_failure") == "true");
+ this.privateIpExempt = (rootElement.item(0).getAttribute("private_ip_exempt") == "true");
+ this.privatePkiExempt = (rootElement.item(0).getAttribute("private_pki_exempt") == "true");
this.verificationThreshold = rootElement.item(0).getAttribute("threshold");
this.maxNotaryQuorum = rootElement.item(0).getAttribute("max_notary_quorum");
this.version = rootElement.item(0).getAttribute("version");
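Review bot: Each new flag is assigned twice in loadPreferences: here it is set from `getAttribute(...) == "true"`, which yields `false` when the attribute is missing, and the later hunk (the `hasAttribute` block) then overwrites it with `true`. The intent is clearer if the fallback lives in one expression, e.g. `this.privateIpExempt = !rootElement.item(0).hasAttribute("private_ip_exempt") || rootElement.item(0).getAttribute("private_ip_exempt") == "true";`, and likewise for `private_pki_exempt`. This follows the existing pattern for the other settings, so it is a style point for both loadPreferences hunks rather than a behaviour difference; the method body runs beyond the hunks shown.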
@@ -368,6 +391,14 @@ SettingsManager.prototype.loadPreferences = function() {
this.connectivityIsFailureEnabled = true;
}
+ if (!rootElement.item(0).hasAttribute("private_pki_exempt")) {
+ this.privatePkiExempt = true;
+ }
+
+ if (!rootElement.item(0).hasAttribute("private_ip_exempt")) {
+ this.privateIpExempt = true;
+ }
+
if (!rootElement.item(0).hasAttribute("threshold")) {
this.verificationThreshold = "majority";
}
