Bug 302284. add xpi hash support to InstallTrigger.install(). r=dveditz, sr=shaver, a=asa

caps/idl/nsICryptoHash.idl

@@ -1,123 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is mozilla.org code.
- *
- * The Initial Developer of the Original Code is
- * Doug Turner <dougt@meer.net>.
- * Portions created by the Initial Developer are Copyright (C) 2005
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nsISupports.idl"
-interface nsIInputStream;
-
-/**
- * nsICryptoHash
- * This interface provides crytographic hashing algorithms.
- */
-
-[scriptable, uuid(8751865e-b01d-4f33-bc13-b361dde165ed)]
-interface nsICryptoHash : nsISupports
-{
-    /**
-     * Hashing Algorithms.  These values are to be used by the
-     * |init| method to indicate which hashing function to
-     * use.  These values map directly onto the values defined
-     * in mozilla/security/nss/lib/cryptohi/hasht.h.
-     */
-    const short MD2    = 1;
-    const short MD5    = 2;
-    const short SHA1   = 3;
-    const short SHA256 = 4;    
-    const short SHA384 = 5;
-    const short SHA512 = 6;
-
-    /**
-     * Initialize the hashing object. This method may be
-     * called multiple times with different algorithm types.
-     *
-     * @param aAlgorithm the algorithm type to be used.
-     *        This value must be one of the above valid
-     *        algorithm types.
-     *
-     * @throws NS_ERROR_INVALID_ARG if an unsupported algorithm
-     *         type is passed.
-     *
-     * NOTE: This method must be called before any other method on 
-     *       this interface is called.
-     */
-    void init(in unsigned long aAlgorithm);
-
-    /**
-     * @param aData a buffer to calculate the hash over
-     *
-     * @param aLen the length of the buffer |aData|
-     *
-     * @throws NS_ERROR_NOT_INITIALIZED if |init| has not been 
-     *         called.
-     */
-    void update([const, array, size_is(aLen)] in octet aData, in unsigned long aLen);
-
-    /**
-     * Calculates and updates a new hash based on a given data stream.
-     *
-     * @param aStream an input stream to read from.
-     *
-     * @param aLen how much to read from the given |aStream|.  Passing
-     *        PR_UINT32_MAX indicates that all data available will be used 
-     *        to update the hash. 
-     *
-     * @throws NS_ERROR_NOT_INITIALIZED if |init| has not been 
-     *         called.
-     *
-     * @throws NS_ERROR_NOT_AVAILABLE if the requested amount of 
-     *         data to be calculated into the hash is not available.
-     *
-     */
-    void updateFromStream(in nsIInputStream aStream, in unsigned long aLen);
-    
-    /**
-     * Completes this hash object and produces the actual hash data.
-     *
-     * @param aASCII if true then the returned value is a base-64 
-     *        encoded string.  if false, then the returned value is
-     *        binary data.  
-     *
-     * @return a hash of the data that was read by this object.  This can
-     *         be either binary data or base 64 encoded.
-     *
-     * @throws NS_ERROR_NOT_INITIALIZED if |init| has not been 
-     *         called.
-     *
-     * NOTE: This method may be called any time after |init|
-     *       is called.  This call resets the object to its
-     *       pre-init state.
-     */
-    ACString finish(in PRBool aASCII);
-};

security/manager/ssl/src/nsNSSComponent.cpp

@@ -2096,6 +2096,30 @@ nsCryptoHash::Init(PRUint32 algorithm)
   return NS_OK; 
 }
 
+NS_IMETHODIMP
+nsCryptoHash::InitWithString(const nsACString & aAlgorithm)
+{
+  if (aAlgorithm.LowerCaseEqualsLiteral("md2"))
+    return Init(nsICryptoHash::MD2);
+
+  if (aAlgorithm.LowerCaseEqualsLiteral("md5"))
+    return Init(nsICryptoHash::MD5);
+
+  if (aAlgorithm.LowerCaseEqualsLiteral("sha1"))
+    return Init(nsICryptoHash::SHA1);
+
+  if (aAlgorithm.LowerCaseEqualsLiteral("sha256"))
+    return Init(nsICryptoHash::SHA256);
+
+  if (aAlgorithm.LowerCaseEqualsLiteral("sha384"))
+    return Init(nsICryptoHash::SHA384);
+
+  if (aAlgorithm.LowerCaseEqualsLiteral("sha512"))
+    return Init(nsICryptoHash::SHA512);
+
+  return NS_ERROR_INVALID_ARG;
+}
+
 NS_IMETHODIMP
 nsCryptoHash::Update(const PRUint8 *data, PRUint32 len)
 {

toolkit/locales/en-US/chrome/global/xpinstall/xpinstall.properties

@@ -120,6 +120,8 @@ error-235=Out of space
 error-239=Chrome registration failed
 error-240=Unfinished install
 error-260=Signing could not be verified.
+error-261=Invalid file hash (possible download corruption)
+error-262=Unknown or invalid file hash type
 error-299=Out of memory
 
 # there are other error codes, either rare or obsolete,

xpinstall/public/nsIXPInstallManager.idl

@@ -40,10 +40,8 @@ interface nsIXPIProgressDialog;
 
 /**
  * Interface to XPInstallManager - manages download and install operations.
- *
- * @status UNDER_REVIEW
  */
-[scriptable, uuid(50941e6a-ecfd-481c-9725-d0695c7c538e)]
+[scriptable, uuid(566689cb-9926-4bec-a66e-a034e364ad2c)]
 interface nsIXPInstallManager : nsISupports
 {
     /** 
@@ -56,5 +54,21 @@ interface nsIXPInstallManager : nsISupports
     void initManagerFromChrome([array, size_is(aURLCount)] in wstring aURLs,
                                in unsigned long aURLCount,
                                in nsIXPIProgressDialog aListener);
+    /**
+     * Initiates a set of downloads and checks the supplied hashes after
+     * download. Just like initManagerFromChrome() in all other respects
+     * @param aURLs     array of XPI urls to download and install
+     * @param aHashes   array of hash strings to validate. The entire array
+     *                  or individual hashes can be null to indicate no
+     *                  checking. If supplied looks like "type:hash", like
+     *                  "md5:3232bc5624041c507db0965324188024".
+     *                  Supports the types in nsICryptoHash
+     * @param aURLCount number of XPI urls in aURLs and aHashes
+     * @param aListener a listener to receive status notifications
+     */
+    void initManagerWithHashes([array, size_is(aURLCount)] in wstring aURLs,
+                               [array, size_is(aURLCount)] in string aHashes,
+                               in unsigned long aURLCount,
+                               in nsIXPIProgressDialog aListener);
 };
 

xpinstall/src/nsInstall.h

@@ -222,6 +222,8 @@ class nsInstall
             VALUE_DOES_NOT_EXIST        = -243,
 
             INVALID_SIGNATURE           = -260,
+            INVALID_HASH                = -261,
+            INVALID_HASH_TYPE           = -262,
 
             OUT_OF_MEMORY               = -299,
 

xpinstall/src/nsJSInstall.cpp

@@ -1821,6 +1821,8 @@ static JSConstDoubleSpec install_constants[] =
     { nsInstall::SUCCESS,                    "SUCCESS"                      },
     { nsInstall::REBOOT_NEEDED,              "REBOOT_NEEDED"                },
     { nsInstall::INVALID_SIGNATURE,          "INVALID_SIGNATURE"            },
+    { nsInstall::INVALID_HASH,               "INVALID_HASH"                 },
+    { nsInstall::INVALID_HASH_TYPE,          "INVALID_HASH_TYPE"            },
 
     // these are flags supported by confirm
     { nsIPromptService::BUTTON_POS_0,            "BUTTON_POS_0"             },

xpinstall/src/nsJSInstallTriggerGlobal.cpp

@@ -90,6 +90,7 @@ JSClass InstallTriggerGlobalClass = {
   FinalizeInstallTriggerGlobal
 };
 
+
 //
 // InstallTriggerGlobal finalizer
 //
@@ -222,6 +223,7 @@ InstallTriggerGlobalUpdateEnabled(JSContext *cx, JSObject *obj, uintN argc, jsva
   return JS_TRUE;
 }
 
+
 //
 // Native method Install
 //
@@ -236,13 +238,13 @@ InstallTriggerGlobalInstall(JSContext *cx, JSObject *obj, uintN argc, jsval *arg
   if (nsnull == nativeThis  &&  (JS_FALSE == CreateNativeObject(cx, obj, &nativeThis)) )
     return JS_TRUE;
 
-  
+
   // make sure XPInstall is enabled, return false if not
   nsIScriptGlobalObject *globalObject = nsnull;
   nsIScriptContext *scriptContext = GetScriptContextFromJSContext(cx);
   if (scriptContext)
     globalObject = scriptContext->GetGlobalObject();
-  
+
   PRBool enabled = PR_FALSE;
   nativeThis->UpdateEnabled(globalObject, XPI_WHITELIST, &enabled);
   if (!enabled || !globalObject)
@@ -272,7 +274,7 @@ InstallTriggerGlobalInstall(JSContext *cx, JSObject *obj, uintN argc, jsval *arg
     JS_ReportError(cx, "Could not get the Subject Principal during InstallTrigger.Install()");
     return JS_FALSE;
   }
-  
+
   // get window.location to construct relative URLs
   nsCOMPtr<nsIURI> baseURL;
   JSObject* global = JS_GetGlobalObject(cx);
@@ -304,6 +306,7 @@ InstallTriggerGlobalInstall(JSContext *cx, JSObject *obj, uintN argc, jsval *arg
       jsval v;
       const PRUnichar *name, *URL;
       const PRUnichar *iconURL = nsnull;
+      const char *hash;
 
       for (int i = 0; i < ida->length && !abortLoad; i++ )
       {
@@ -311,15 +314,19 @@ InstallTriggerGlobalInstall(JSContext *cx, JSObject *obj, uintN argc, jsval *arg
         name = NS_REINTERPRET_CAST(const PRUnichar*, JS_GetStringChars( JS_ValueToString( cx, v ) ));
 
         URL = iconURL = nsnull;
+        hash = nsnull;
         JS_GetUCProperty( cx, JSVAL_TO_OBJECT(argv[0]), NS_REINTERPRET_CAST(const jschar*, name), nsCRT::strlen(name), &v );
         if ( JSVAL_IS_OBJECT(v) && JSVAL_TO_OBJECT(v) ) 
         {
           jsval v2;
-          if (JS_GetProperty( cx, JSVAL_TO_OBJECT(v), "URL", &v2 ))
+          if (JS_GetProperty( cx, JSVAL_TO_OBJECT(v), "URL", &v2 ) && !JSVAL_IS_VOID(v2))
             URL = NS_REINTERPRET_CAST(const PRUnichar*, JS_GetStringChars( JS_ValueToString( cx, v2 ) ));
 
-          if (JS_GetProperty( cx, JSVAL_TO_OBJECT(v), "IconURL", &v2 ))
+          if (JS_GetProperty( cx, JSVAL_TO_OBJECT(v), "IconURL", &v2 ) && !JSVAL_IS_VOID(v2))
             iconURL = NS_REINTERPRET_CAST(const PRUnichar*, JS_GetStringChars( JS_ValueToString( cx, v2 ) ));
+
+          if (JS_GetProperty( cx, JSVAL_TO_OBJECT(v), "Hash", &v2) && !JSVAL_IS_VOID(v2))
+            hash = NS_REINTERPRET_CAST(const char*, JS_GetStringBytes( JS_ValueToString( cx, v2 ) ));
         }
         else
         {
@@ -359,7 +366,9 @@ InstallTriggerGlobalInstall(JSContext *cx, JSObject *obj, uintN argc, jsval *arg
 
             if (!abortLoad)
             {
-                nsXPITriggerItem *item = new nsXPITriggerItem( name, xpiURL.get(), icon.get() );
+                // Add the install item to the trigger collection
+                nsXPITriggerItem *item =
+                    new nsXPITriggerItem( name, xpiURL.get(), icon.get(), hash );
                 if ( item )
                 {
                     trigger->Add( item );

xpinstall/src/nsXPITriggerInfo.cpp

@@ -45,10 +45,10 @@
 #include "nsIEventQueueService.h"
 #include "nsIJSContextStack.h"
 #include "nsIScriptSecurityManager.h"
+#include "nsICryptoHash.h"
 
 static NS_DEFINE_IID(kEventQueueServiceCID, NS_EVENTQUEUESERVICE_CID);
 
-
 //
 // nsXPITriggerItem
 //
@@ -57,8 +57,9 @@ MOZ_DECL_CTOR_COUNTER(nsXPITriggerItem)
 nsXPITriggerItem::nsXPITriggerItem( const PRUnichar* aName,
                                     const PRUnichar* aURL,
                                     const PRUnichar* aIconURL,
+                                    const char* aHash,
                                     PRInt32 aFlags)
-  : mName(aName), mURL(aURL), mIconURL(aIconURL), mFlags(aFlags)
+    : mName(aName), mURL(aURL), mIconURL(aIconURL), mFlags(aFlags), mHashFound(PR_FALSE)
 {
     MOZ_COUNT_CTOR(nsXPITriggerItem);
 
@@ -90,6 +91,27 @@ nsXPITriggerItem::nsXPITriggerItem( const PRUnichar* aName,
 
         mName = Substring( mURL, namestart, length );
     }
+
+    // parse optional hash into its parts
+    if (aHash)
+    {
+        mHashFound = PR_TRUE;
+
+        PRUint32 htype = 1;
+        char * colon = PL_strchr(aHash, ':');
+        if (colon)
+        {
+            mHasher = do_CreateInstance("@mozilla.org/security/hash;1");
+            if (!mHasher) return;
+            
+            *colon = '\0'; // null the colon so that aHash is just the type.
+            nsresult rv = mHasher->InitWithString(aHash);
+            *colon = ':';  // restore the colon
+
+            if (NS_SUCCEEDED(rv))
+                mHash = colon+1;
+        }
+    }
 }
 
 nsXPITriggerItem::~nsXPITriggerItem()

xpinstall/src/nsXPITriggerInfo.h

@@ -51,7 +51,7 @@
 #include "prthread.h"
 #include "plevent.h"
 #include "nsIXPConnect.h"
-
+#include "nsICryptoHash.h"
 #include "nsIPrincipal.h"
 
 typedef struct XPITriggerEvent {
@@ -70,7 +70,11 @@ typedef struct XPITriggerEvent {
 class nsXPITriggerItem
 {
   public:
-    nsXPITriggerItem( const PRUnichar* name, const PRUnichar* URL, const PRUnichar* iconURL, PRInt32 flags = 0);
+    nsXPITriggerItem( const PRUnichar* name,
+                      const PRUnichar* URL,
+                      const PRUnichar* iconURL,
+                      const char* hash = nsnull,
+                      PRInt32 flags = 0);
     ~nsXPITriggerItem();
 
     nsString    mName;
@@ -78,6 +82,10 @@ class nsXPITriggerItem
     nsString    mIconURL;
     nsString    mArguments;
     nsString    mCertName;
+
+    PRBool      mHashFound; // this flag indicates that we found _some_ hash info in the trigger
+    nsCString   mHash;
+    nsCOMPtr<nsICryptoHash> mHasher;
     PRInt32     mFlags;
 
     nsCOMPtr<nsILocalFile>      mFile;

xpinstall/src/nsXPInstallManager.cpp

@@ -39,6 +39,7 @@
 #include "nscore.h"
 #include "pratom.h"
 #include "prmem.h"
+#include "prprf.h"
 #include "nsInt64.h"
 
 #include "nsISupports.h"
@@ -53,6 +54,7 @@
 #include "nsIInputStream.h"
 #include "nsIFileStreams.h"
 #include "nsIStreamListener.h"
+#include "nsICryptoHash.h"
 
 #include "nsISoftwareUpdate.h"
 #include "nsSoftwareUpdateIIDs.h"
@@ -145,7 +147,17 @@ NS_IMPL_THREADSAFE_ISUPPORTS9( nsXPInstallManager,
                                nsISupportsWeakReference)
 
 NS_IMETHODIMP
-nsXPInstallManager::InitManagerFromChrome(const PRUnichar **aURLs, PRUint32 aURLCount, 
+nsXPInstallManager::InitManagerFromChrome(const PRUnichar **aURLs,
+                                          PRUint32 aURLCount,
+                                          nsIXPIProgressDialog* aListener)
+{
+    return InitManagerWithHashes(aURLs, nsnull, aURLCount, aListener);
+}
+
+NS_IMETHODIMP
+nsXPInstallManager::InitManagerWithHashes(const PRUnichar **aURLs,
+                                          const char **aHashes,
+                                          PRUint32 aURLCount,
                                           nsIXPIProgressDialog* aListener)
 {
     // If Software Installation is not enabled, we don't want to proceed with
@@ -164,7 +176,8 @@ nsXPInstallManager::InitManagerFromChrome(const PRUnichar **aURLs, PRUint32 aURL
 
     for (PRUint32 i = 0; i < aURLCount; ++i) 
     {
-        nsXPITriggerItem* item = new nsXPITriggerItem(0, aURLs[i], nsnull);
+        nsXPITriggerItem* item = new nsXPITriggerItem(0, aURLs[i], nsnull,
+                                                      aHashes ? aHashes[i] : nsnull);
         if (!item)
         {
             delete mTriggers; // nsXPITriggerInfo frees any alloc'ed nsXPITriggerItems
@@ -708,6 +721,31 @@ NS_IMETHODIMP nsXPInstallManager::DownloadNext()
                 continue;
             }
 
+            // If there was hash info in the trigger, but
+            // there wasn't a hash object created, then the
+            // algorithm used isn't known.
+
+            if (mItem->mHashFound && !mItem->mHasher)
+            {
+                // report failure
+                mTriggers->SendStatus( mItem->mURL.get(), nsInstall::INVALID_HASH_TYPE );
+                if (mDlg)
+                    mDlg->OnStateChange( i, nsIXPIProgressDialog::INSTALL_DONE,
+                                         nsInstall::INVALID_HASH_TYPE );
+                continue;
+            }
+
+            // Don't install if we can't verify the hash (if specified)
+            if (mItem->mHasher && !VerifyHash(mItem))
+            {
+                // report failure
+                mTriggers->SendStatus( mItem->mURL.get(), nsInstall::INVALID_HASH );
+                if (mDlg)
+                    mDlg->OnStateChange( i, nsIXPIProgressDialog::INSTALL_DONE,
+                                         nsInstall::INVALID_HASH );
+                continue;
+            }
+
             // We've got one to install; increment count first so we
             // don't have to worry about thread timing.
             PR_AtomicIncrement(&mNumJars);
@@ -753,6 +791,45 @@ NS_IMETHODIMP nsXPInstallManager::DownloadNext()
 }
 
 
+//-------------------------------------------------------------------
+// VerifyHash
+//
+// Returns true if the file hash matches the expected value (or if
+// the item has no hash value). False if we can't verify the hash
+// for any reason
+//
+PRBool nsXPInstallManager::VerifyHash(nsXPITriggerItem* aItem)
+{
+    NS_ASSERTION(aItem, "Null nsXPITriggerItem passed to VerifyHash");
+
+    nsresult rv;
+    if (!aItem->mHasher)
+      return PR_FALSE;
+    
+    nsCOMPtr<nsIInputStream> stream;
+    rv = NS_NewLocalFileInputStream(getter_AddRefs(stream), aItem->mFile);
+    if (NS_FAILED(rv)) return PR_FALSE;
+
+    rv = aItem->mHasher->UpdateFromStream(stream, PR_UINT32_MAX);
+    if (NS_FAILED(rv)) return PR_FALSE;
+
+    nsCAutoString binaryHash;
+    rv = aItem->mHasher->Finish(PR_FALSE, binaryHash);
+    if (NS_FAILED(rv)) return PR_FALSE;
+
+    char* hash = nsnull;
+    for (PRUint32 i=0; i < binaryHash.Length(); ++i)
+    {
+        hash = PR_sprintf_append(hash,"%.2x", (PRUint8)binaryHash[i]);
+    }
+
+    PRBool result = aItem->mHash.EqualsIgnoreCase(hash);
+
+    PR_smprintf_free(hash);
+    return result;
+}
+
+
 void nsXPInstallManager::Shutdown()
 {
     if (mDlg)

xpinstall/src/nsXPInstallManager.h

@@ -110,6 +110,7 @@ class nsXPInstallManager : public nsIXPIListener,
         NS_IMETHOD  LoadParams(PRUint32 aCount, const PRUnichar** aPackageList, nsIDialogParamBlock** aParams);
         PRBool      ConfirmChromeInstall(nsIDOMWindowInternal* aParentWindow, const PRUnichar** aPackage);
         PRBool      TimeToUpdate(PRTime now);
+        PRBool      VerifyHash(nsXPITriggerItem* aItem);
         PRInt32     GetIndexFromURL(const PRUnichar* aUrl);
 
         nsXPITriggerInfo*   mTriggers;