1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 #include "BackgroundFileSaver.h"
8
9 #include "ScopedNSSTypes.h"
10 #include "mozilla/ArrayAlgorithm.h"
11 #include "mozilla/Casting.h"
12 #include "mozilla/Logging.h"
13 #include "mozilla/Telemetry.h"
14 #include "nsCOMArray.h"
15 #include "nsComponentManagerUtils.h"
16 #include "nsDependentSubstring.h"
17 #include "nsIAsyncInputStream.h"
18 #include "nsIFile.h"
19 #include "nsIMutableArray.h"
20 #include "nsIPipe.h"
21 #include "nsNetUtil.h"
22 #include "nsThreadUtils.h"
23 #include "pk11pub.h"
24 #include "secoidt.h"
25
26 #ifdef XP_WIN
27 # include <windows.h>
28 # include <softpub.h>
29 # include <wintrust.h>
30 #endif // XP_WIN
31
32 namespace mozilla {
33 namespace net {
34
35 // MOZ_LOG=BackgroundFileSaver:5
36 static LazyLogModule prlog("BackgroundFileSaver");
37 #define LOG(args) MOZ_LOG(prlog, mozilla::LogLevel::Debug, args)
38 #define LOG_ENABLED() MOZ_LOG_TEST(prlog, mozilla::LogLevel::Debug)
39
40 ////////////////////////////////////////////////////////////////////////////////
41 //// Globals
42
43 /**
44 * Buffer size for writing to the output file or reading from the input file.
45 */
46 #define BUFFERED_IO_SIZE (1024 * 32)
47
48 /**
49 * When this upper limit is reached, the original request is suspended.
50 */
51 #define REQUEST_SUSPEND_AT (1024 * 1024 * 4)
52
53 /**
54 * When this lower limit is reached, the original request is resumed.
55 */
56 #define REQUEST_RESUME_AT (1024 * 1024 * 2)
57
58 ////////////////////////////////////////////////////////////////////////////////
59 //// NotifyTargetChangeRunnable
60
61 /**
62 * Runnable object used to notify the control thread that file contents will now
63 * be saved to the specified file.
64 */
65 class NotifyTargetChangeRunnable final : public Runnable {
66 public:
NotifyTargetChangeRunnable(BackgroundFileSaver * aSaver,nsIFile * aTarget)67 NotifyTargetChangeRunnable(BackgroundFileSaver* aSaver, nsIFile* aTarget)
68 : Runnable("net::NotifyTargetChangeRunnable"),
69 mSaver(aSaver),
70 mTarget(aTarget) {}
71
Run()72 NS_IMETHOD Run() override { return mSaver->NotifyTargetChange(mTarget); }
73
74 private:
75 RefPtr<BackgroundFileSaver> mSaver;
76 nsCOMPtr<nsIFile> mTarget;
77 };
78
79 ////////////////////////////////////////////////////////////////////////////////
80 //// BackgroundFileSaver
81
82 uint32_t BackgroundFileSaver::sThreadCount = 0;
83 uint32_t BackgroundFileSaver::sTelemetryMaxThreadCount = 0;
84
BackgroundFileSaver()85 BackgroundFileSaver::BackgroundFileSaver()
86 : mControlEventTarget(nullptr),
87 mBackgroundET(nullptr),
88 mPipeOutputStream(nullptr),
89 mPipeInputStream(nullptr),
90 mObserver(nullptr),
91 mLock("BackgroundFileSaver.mLock"),
92 mWorkerThreadAttentionRequested(false),
93 mFinishRequested(false),
94 mComplete(false),
95 mStatus(NS_OK),
96 mAppend(false),
97 mInitialTarget(nullptr),
98 mInitialTargetKeepPartial(false),
99 mRenamedTarget(nullptr),
100 mRenamedTargetKeepPartial(false),
101 mAsyncCopyContext(nullptr),
102 mSha256Enabled(false),
103 mSignatureInfoEnabled(false),
104 mActualTarget(nullptr),
105 mActualTargetKeepPartial(false),
106 mDigestContext(nullptr) {
107 LOG(("Created BackgroundFileSaver [this = %p]", this));
108 }
109
~BackgroundFileSaver()110 BackgroundFileSaver::~BackgroundFileSaver() {
111 LOG(("Destroying BackgroundFileSaver [this = %p]", this));
112 }
113
114 // Called on the control thread.
Init()115 nsresult BackgroundFileSaver::Init() {
116 MOZ_ASSERT(NS_IsMainThread(), "This should be called on the main thread");
117
118 nsresult rv;
119
120 rv = NS_NewPipe2(getter_AddRefs(mPipeInputStream),
121 getter_AddRefs(mPipeOutputStream), true, true, 0,
122 HasInfiniteBuffer() ? UINT32_MAX : 0);
123 NS_ENSURE_SUCCESS(rv, rv);
124
125 mControlEventTarget = GetCurrentThreadEventTarget();
126 NS_ENSURE_TRUE(mControlEventTarget, NS_ERROR_NOT_INITIALIZED);
127
128 rv = NS_CreateBackgroundTaskQueue("BgFileSaver",
129 getter_AddRefs(mBackgroundET));
130 NS_ENSURE_SUCCESS(rv, rv);
131
132 sThreadCount++;
133 if (sThreadCount > sTelemetryMaxThreadCount) {
134 sTelemetryMaxThreadCount = sThreadCount;
135 }
136
137 return NS_OK;
138 }
139
140 // Called on the control thread.
141 NS_IMETHODIMP
GetObserver(nsIBackgroundFileSaverObserver ** aObserver)142 BackgroundFileSaver::GetObserver(nsIBackgroundFileSaverObserver** aObserver) {
143 NS_ENSURE_ARG_POINTER(aObserver);
144 *aObserver = mObserver;
145 NS_IF_ADDREF(*aObserver);
146 return NS_OK;
147 }
148
149 // Called on the control thread.
150 NS_IMETHODIMP
SetObserver(nsIBackgroundFileSaverObserver * aObserver)151 BackgroundFileSaver::SetObserver(nsIBackgroundFileSaverObserver* aObserver) {
152 mObserver = aObserver;
153 return NS_OK;
154 }
155
156 // Called on the control thread.
157 NS_IMETHODIMP
EnableAppend()158 BackgroundFileSaver::EnableAppend() {
159 MOZ_ASSERT(NS_IsMainThread(), "This should be called on the main thread");
160
161 MutexAutoLock lock(mLock);
162 mAppend = true;
163
164 return NS_OK;
165 }
166
167 // Called on the control thread.
168 NS_IMETHODIMP
SetTarget(nsIFile * aTarget,bool aKeepPartial)169 BackgroundFileSaver::SetTarget(nsIFile* aTarget, bool aKeepPartial) {
170 NS_ENSURE_ARG(aTarget);
171 {
172 MutexAutoLock lock(mLock);
173 if (!mInitialTarget) {
174 aTarget->Clone(getter_AddRefs(mInitialTarget));
175 mInitialTargetKeepPartial = aKeepPartial;
176 } else {
177 aTarget->Clone(getter_AddRefs(mRenamedTarget));
178 mRenamedTargetKeepPartial = aKeepPartial;
179 }
180 }
181
182 // After the worker thread wakes up because attention is requested, it will
183 // rename or create the target file as requested, and start copying data.
184 return GetWorkerThreadAttention(true);
185 }
186
187 // Called on the control thread.
188 NS_IMETHODIMP
Finish(nsresult aStatus)189 BackgroundFileSaver::Finish(nsresult aStatus) {
190 nsresult rv;
191
192 // This will cause the NS_AsyncCopy operation, if it's in progress, to consume
193 // all the data that is still in the pipe, and then finish.
194 rv = mPipeOutputStream->Close();
195 NS_ENSURE_SUCCESS(rv, rv);
196
197 // Ensure that, when we get attention from the worker thread, if no pending
198 // rename operation is waiting, the operation will complete.
199 {
200 MutexAutoLock lock(mLock);
201 mFinishRequested = true;
202 if (NS_SUCCEEDED(mStatus)) {
203 mStatus = aStatus;
204 }
205 }
206
207 // After the worker thread wakes up because attention is requested, it will
208 // process the completion conditions, detect that completion is requested, and
209 // notify the main thread of the completion. If this function was called with
210 // a success code, we wait for the copy to finish before processing the
211 // completion conditions, otherwise we interrupt the copy immediately.
212 return GetWorkerThreadAttention(NS_FAILED(aStatus));
213 }
214
215 NS_IMETHODIMP
EnableSha256()216 BackgroundFileSaver::EnableSha256() {
217 MOZ_ASSERT(NS_IsMainThread(),
218 "Can't enable sha256 or initialize NSS off the main thread");
219 // Ensure Personal Security Manager is initialized. This is required for
220 // PK11_* operations to work.
221 nsresult rv;
222 nsCOMPtr<nsISupports> nssDummy = do_GetService("@mozilla.org/psm;1", &rv);
223 NS_ENSURE_SUCCESS(rv, rv);
224 mSha256Enabled = true;
225 return NS_OK;
226 }
227
228 NS_IMETHODIMP
GetSha256Hash(nsACString & aHash)229 BackgroundFileSaver::GetSha256Hash(nsACString& aHash) {
230 MOZ_ASSERT(NS_IsMainThread(), "Can't inspect sha256 off the main thread");
231 // We acquire a lock because mSha256 is written on the worker thread.
232 MutexAutoLock lock(mLock);
233 if (mSha256.IsEmpty()) {
234 return NS_ERROR_NOT_AVAILABLE;
235 }
236 aHash = mSha256;
237 return NS_OK;
238 }
239
240 NS_IMETHODIMP
EnableSignatureInfo()241 BackgroundFileSaver::EnableSignatureInfo() {
242 MOZ_ASSERT(NS_IsMainThread(),
243 "Can't enable signature extraction off the main thread");
244 // Ensure Personal Security Manager is initialized.
245 nsresult rv;
246 nsCOMPtr<nsISupports> nssDummy = do_GetService("@mozilla.org/psm;1", &rv);
247 NS_ENSURE_SUCCESS(rv, rv);
248 mSignatureInfoEnabled = true;
249 return NS_OK;
250 }
251
252 NS_IMETHODIMP
GetSignatureInfo(nsTArray<nsTArray<nsTArray<uint8_t>>> & aSignatureInfo)253 BackgroundFileSaver::GetSignatureInfo(
254 nsTArray<nsTArray<nsTArray<uint8_t>>>& aSignatureInfo) {
255 MOZ_ASSERT(NS_IsMainThread(), "Can't inspect signature off the main thread");
256 // We acquire a lock because mSignatureInfo is written on the worker thread.
257 MutexAutoLock lock(mLock);
258 if (!mComplete || !mSignatureInfoEnabled) {
259 return NS_ERROR_NOT_AVAILABLE;
260 }
261 for (const auto& signatureChain : mSignatureInfo) {
262 aSignatureInfo.AppendElement(TransformIntoNewArray(
263 signatureChain, [](const auto& element) { return element.Clone(); }));
264 }
265 return NS_OK;
266 }
267
268 // Called on the control thread.
GetWorkerThreadAttention(bool aShouldInterruptCopy)269 nsresult BackgroundFileSaver::GetWorkerThreadAttention(
270 bool aShouldInterruptCopy) {
271 nsresult rv;
272
273 MutexAutoLock lock(mLock);
274
275 // We only require attention one time. If this function is called two times
276 // before the worker thread wakes up, and the first has aShouldInterruptCopy
277 // false and the second true, we won't forcibly interrupt the copy from the
278 // control thread. However, that never happens, because calling Finish with a
279 // success code is the only case that may result in aShouldInterruptCopy being
280 // false. In that case, we won't call this function again, because consumers
281 // should not invoke other methods on the control thread after calling Finish.
282 // And in any case, Finish already closes one end of the pipe, causing the
283 // copy to finish properly on its own.
284 if (mWorkerThreadAttentionRequested) {
285 return NS_OK;
286 }
287
288 if (!mAsyncCopyContext) {
289 // Background event queues are not shutdown and could be called after
290 // the queue is reset to null. To match the behavior of nsIThread
291 // return NS_ERROR_UNEXPECTED
292 if (!mBackgroundET) {
293 return NS_ERROR_UNEXPECTED;
294 }
295
296 // Copy is not in progress, post an event to handle the change manually.
297 rv = mBackgroundET->Dispatch(
298 NewRunnableMethod("net::BackgroundFileSaver::ProcessAttention", this,
299 &BackgroundFileSaver::ProcessAttention),
300 NS_DISPATCH_EVENT_MAY_BLOCK);
301 NS_ENSURE_SUCCESS(rv, rv);
302
303 } else if (aShouldInterruptCopy) {
304 // Interrupt the copy. The copy will be resumed, if needed, by the
305 // ProcessAttention function, invoked by the AsyncCopyCallback function.
306 NS_CancelAsyncCopy(mAsyncCopyContext, NS_ERROR_ABORT);
307 }
308
309 // Indicate that attention has been requested successfully, there is no need
310 // to post another event until the worker thread processes the current one.
311 mWorkerThreadAttentionRequested = true;
312
313 return NS_OK;
314 }
315
316 // Called on the worker thread.
317 // static
AsyncCopyCallback(void * aClosure,nsresult aStatus)318 void BackgroundFileSaver::AsyncCopyCallback(void* aClosure, nsresult aStatus) {
319 // We called NS_ADDREF_THIS when NS_AsyncCopy started, to keep the object
320 // alive even if other references disappeared. At the end of this method,
321 // we've finished using the object and can safely release our reference.
322 RefPtr<BackgroundFileSaver> self =
323 dont_AddRef((BackgroundFileSaver*)aClosure);
324 {
325 MutexAutoLock lock(self->mLock);
326
327 // Now that the copy was interrupted or terminated, any notification from
328 // the control thread requires an event to be posted to the worker thread.
329 self->mAsyncCopyContext = nullptr;
330
331 // When detecting failures, ignore the status code we use to interrupt.
332 if (NS_FAILED(aStatus) && aStatus != NS_ERROR_ABORT &&
333 NS_SUCCEEDED(self->mStatus)) {
334 self->mStatus = aStatus;
335 }
336 }
337
338 (void)self->ProcessAttention();
339 }
340
341 // Called on the worker thread.
ProcessAttention()342 nsresult BackgroundFileSaver::ProcessAttention() {
343 nsresult rv;
344
345 // This function is called whenever the attention of the worker thread has
346 // been requested. This may happen in these cases:
347 // * We are about to start the copy for the first time. In this case, we are
348 // called from an event posted on the worker thread from the control thread
349 // by GetWorkerThreadAttention, and mAsyncCopyContext is null.
350 // * We have interrupted the copy for some reason. In this case, we are
351 // called by AsyncCopyCallback, and mAsyncCopyContext is null.
352 // * We are currently executing ProcessStateChange, and attention is requested
353 // by the control thread, for example because SetTarget or Finish have been
354 // called. In this case, we are called from from an event posted through
355 // GetWorkerThreadAttention. While mAsyncCopyContext was always null when
356 // the event was posted, at this point mAsyncCopyContext may not be null
357 // anymore, because ProcessStateChange may have started the copy before the
358 // event that called this function was processed on the worker thread.
359 // If mAsyncCopyContext is not null, we interrupt the copy and re-enter
360 // through AsyncCopyCallback. This allows us to check if, for instance, we
361 // should rename the target file. We will then restart the copy if needed.
362 if (mAsyncCopyContext) {
363 NS_CancelAsyncCopy(mAsyncCopyContext, NS_ERROR_ABORT);
364 return NS_OK;
365 }
366 // Use the current shared state to determine the next operation to execute.
367 rv = ProcessStateChange();
368 if (NS_FAILED(rv)) {
369 // If something failed while processing, terminate the operation now.
370 {
371 MutexAutoLock lock(mLock);
372
373 if (NS_SUCCEEDED(mStatus)) {
374 mStatus = rv;
375 }
376 }
377 // Ensure we notify completion now that the operation failed.
378 CheckCompletion();
379 }
380
381 return NS_OK;
382 }
383
384 // Called on the worker thread.
ProcessStateChange()385 nsresult BackgroundFileSaver::ProcessStateChange() {
386 nsresult rv;
387
388 // We might have been notified because the operation is complete, verify.
389 if (CheckCompletion()) {
390 return NS_OK;
391 }
392
393 // Get a copy of the current shared state for the worker thread.
394 nsCOMPtr<nsIFile> initialTarget;
395 bool initialTargetKeepPartial;
396 nsCOMPtr<nsIFile> renamedTarget;
397 bool renamedTargetKeepPartial;
398 bool sha256Enabled;
399 bool append;
400 {
401 MutexAutoLock lock(mLock);
402
403 initialTarget = mInitialTarget;
404 initialTargetKeepPartial = mInitialTargetKeepPartial;
405 renamedTarget = mRenamedTarget;
406 renamedTargetKeepPartial = mRenamedTargetKeepPartial;
407 sha256Enabled = mSha256Enabled;
408 append = mAppend;
409
410 // From now on, another attention event needs to be posted if state changes.
411 mWorkerThreadAttentionRequested = false;
412 }
413
414 // The initial target can only be null if it has never been assigned. In this
415 // case, there is nothing to do since we never created any output file.
416 if (!initialTarget) {
417 return NS_OK;
418 }
419
420 // Determine if we are processing the attention request for the first time.
421 bool isContinuation = !!mActualTarget;
422 if (!isContinuation) {
423 // Assign the target file for the first time.
424 mActualTarget = initialTarget;
425 mActualTargetKeepPartial = initialTargetKeepPartial;
426 }
427
428 // Verify whether we have actually been instructed to use a different file.
429 // This may happen the first time this function is executed, if SetTarget was
430 // called two times before the worker thread processed the attention request.
431 bool equalToCurrent = false;
432 if (renamedTarget) {
433 rv = mActualTarget->Equals(renamedTarget, &equalToCurrent);
434 NS_ENSURE_SUCCESS(rv, rv);
435 if (!equalToCurrent) {
436 // If we were asked to rename the file but the initial file did not exist,
437 // we simply create the file in the renamed location. We avoid this check
438 // if we have already started writing the output file ourselves.
439 bool exists = true;
440 if (!isContinuation) {
441 rv = mActualTarget->Exists(&exists);
442 NS_ENSURE_SUCCESS(rv, rv);
443 }
444 if (exists) {
445 // We are moving the previous target file to a different location.
446 nsCOMPtr<nsIFile> renamedTargetParentDir;
447 rv = renamedTarget->GetParent(getter_AddRefs(renamedTargetParentDir));
448 NS_ENSURE_SUCCESS(rv, rv);
449
450 nsAutoString renamedTargetName;
451 rv = renamedTarget->GetLeafName(renamedTargetName);
452 NS_ENSURE_SUCCESS(rv, rv);
453
454 // We must delete any existing target file before moving the current
455 // one.
456 rv = renamedTarget->Exists(&exists);
457 NS_ENSURE_SUCCESS(rv, rv);
458 if (exists) {
459 rv = renamedTarget->Remove(false);
460 NS_ENSURE_SUCCESS(rv, rv);
461 }
462
463 // Move the file. If this fails, we still reference the original file
464 // in mActualTarget, so that it is deleted if requested. If this
465 // succeeds, the nsIFile instance referenced by mActualTarget mutates
466 // and starts pointing to the new file, but we'll discard the reference.
467 rv = mActualTarget->MoveTo(renamedTargetParentDir, renamedTargetName);
468 NS_ENSURE_SUCCESS(rv, rv);
469 }
470
471 // We should not only update the mActualTarget with renameTarget when
472 // they point to the different files.
473 // In this way, if mActualTarget and renamedTarget point to the same file
474 // with different addresses, "CheckCompletion()" will return false
475 // forever.
476 }
477
478 // Update mActualTarget with renameTarget,
479 // even if they point to the same file.
480 mActualTarget = renamedTarget;
481 mActualTargetKeepPartial = renamedTargetKeepPartial;
482 }
483
484 // Notify if the target file name actually changed.
485 if (!equalToCurrent) {
486 // We must clone the nsIFile instance because mActualTarget is not
487 // immutable, it may change if the target is renamed later.
488 nsCOMPtr<nsIFile> actualTargetToNotify;
489 rv = mActualTarget->Clone(getter_AddRefs(actualTargetToNotify));
490 NS_ENSURE_SUCCESS(rv, rv);
491
492 RefPtr<NotifyTargetChangeRunnable> event =
493 new NotifyTargetChangeRunnable(this, actualTargetToNotify);
494 NS_ENSURE_TRUE(event, NS_ERROR_FAILURE);
495
496 rv = mControlEventTarget->Dispatch(event, NS_DISPATCH_NORMAL);
497 NS_ENSURE_SUCCESS(rv, rv);
498 }
499
500 if (isContinuation) {
501 // The pending rename operation might be the last task before finishing. We
502 // may return here only if we have already created the target file.
503 if (CheckCompletion()) {
504 return NS_OK;
505 }
506
507 // Even if the operation did not complete, the pipe input stream may be
508 // empty and may have been closed already. We detect this case using the
509 // Available property, because it never returns an error if there is more
510 // data to be consumed. If the pipe input stream is closed, we just exit
511 // and wait for more calls like SetTarget or Finish to be invoked on the
512 // control thread. However, we still truncate the file or create the
513 // initial digest context if we are expected to do that.
514 uint64_t available;
515 rv = mPipeInputStream->Available(&available);
516 if (NS_FAILED(rv)) {
517 return NS_OK;
518 }
519 }
520
521 // Create the digest context if requested and NSS hasn't been shut down.
522 if (sha256Enabled && !mDigestContext) {
523 mDigestContext =
524 UniquePK11Context(PK11_CreateDigestContext(SEC_OID_SHA256));
525 NS_ENSURE_TRUE(mDigestContext, NS_ERROR_OUT_OF_MEMORY);
526 }
527
528 // When we are requested to append to an existing file, we should read the
529 // existing data and ensure we include it as part of the final hash.
530 if (mDigestContext && append && !isContinuation) {
531 nsCOMPtr<nsIInputStream> inputStream;
532 rv = NS_NewLocalFileInputStream(getter_AddRefs(inputStream), mActualTarget,
533 PR_RDONLY | nsIFile::OS_READAHEAD);
534 if (rv != NS_ERROR_FILE_NOT_FOUND) {
535 NS_ENSURE_SUCCESS(rv, rv);
536
537 char buffer[BUFFERED_IO_SIZE];
538 while (true) {
539 uint32_t count;
540 rv = inputStream->Read(buffer, BUFFERED_IO_SIZE, &count);
541 NS_ENSURE_SUCCESS(rv, rv);
542
543 if (count == 0) {
544 // We reached the end of the file.
545 break;
546 }
547
548 nsresult rv = MapSECStatus(
549 PK11_DigestOp(mDigestContext.get(),
550 BitwiseCast<unsigned char*, char*>(buffer), count));
551 NS_ENSURE_SUCCESS(rv, rv);
552 }
553
554 rv = inputStream->Close();
555 NS_ENSURE_SUCCESS(rv, rv);
556 }
557 }
558
559 // We will append to the initial target file only if it was requested by the
560 // caller, but we'll always append on subsequent accesses to the target file.
561 int32_t creationIoFlags;
562 if (isContinuation) {
563 creationIoFlags = PR_APPEND;
564 } else {
565 creationIoFlags = (append ? PR_APPEND : PR_TRUNCATE) | PR_CREATE_FILE;
566 }
567
568 // Create the target file, or append to it if we already started writing it.
569 // The 0600 permissions are used while the file is being downloaded, and for
570 // interrupted downloads. Those may be located in the system temporary
571 // directory, as well as the target directory, and generally have a ".part"
572 // extension. Those part files should never be group or world-writable even
573 // if the umask allows it.
574 nsCOMPtr<nsIOutputStream> outputStream;
575 rv = NS_NewLocalFileOutputStream(getter_AddRefs(outputStream), mActualTarget,
576 PR_WRONLY | creationIoFlags, 0600);
577 NS_ENSURE_SUCCESS(rv, rv);
578
579 nsCOMPtr<nsIOutputStream> bufferedStream;
580 rv = NS_NewBufferedOutputStream(getter_AddRefs(bufferedStream),
581 outputStream.forget(), BUFFERED_IO_SIZE);
582 NS_ENSURE_SUCCESS(rv, rv);
583 outputStream = bufferedStream;
584
585 // Wrap the output stream so that it feeds the digest context if needed.
586 if (mDigestContext) {
587 // Constructing the DigestOutputStream cannot fail. Passing mDigestContext
588 // to DigestOutputStream is safe, because BackgroundFileSaver always
589 // outlives the outputStream. BackgroundFileSaver is reference-counted
590 // before the call to AsyncCopy, and mDigestContext is never destroyed
591 // before AsyncCopyCallback.
592 outputStream = new DigestOutputStream(outputStream, mDigestContext.get());
593 }
594
595 // Start copying our input to the target file. No errors can be raised past
596 // this point if the copy starts, since they should be handled by the thread.
597 {
598 MutexAutoLock lock(mLock);
599
600 rv = NS_AsyncCopy(mPipeInputStream, outputStream, mBackgroundET,
601 NS_ASYNCCOPY_VIA_READSEGMENTS, 4096, AsyncCopyCallback,
602 this, false, true, getter_AddRefs(mAsyncCopyContext),
603 GetProgressCallback());
604 if (NS_FAILED(rv)) {
605 NS_WARNING("NS_AsyncCopy failed.");
606 mAsyncCopyContext = nullptr;
607 return rv;
608 }
609 }
610
611 // If the operation succeeded, we must ensure that we keep this object alive
612 // for the entire duration of the copy, since only the raw pointer will be
613 // provided as the argument of the AsyncCopyCallback function. We can add the
614 // reference now, after NS_AsyncCopy returned, because it always starts
615 // processing asynchronously, and there is no risk that the callback is
616 // invoked before we reach this point. If the operation failed instead, then
617 // AsyncCopyCallback will never be called.
618 NS_ADDREF_THIS();
619
620 return NS_OK;
621 }
622
623 // Called on the worker thread.
CheckCompletion()624 bool BackgroundFileSaver::CheckCompletion() {
625 nsresult rv;
626
627 MOZ_ASSERT(!mAsyncCopyContext,
628 "Should not be copying when checking completion conditions.");
629
630 bool failed = true;
631 {
632 MutexAutoLock lock(mLock);
633
634 if (mComplete) {
635 return true;
636 }
637
638 // If an error occurred, we don't need to do the checks in this code block,
639 // and the operation can be completed immediately with a failure code.
640 if (NS_SUCCEEDED(mStatus)) {
641 failed = false;
642
643 // We did not incur in an error, so we must determine if we can stop now.
644 // If the Finish method has not been called, we can just continue now.
645 if (!mFinishRequested) {
646 return false;
647 }
648
649 // We can only stop when all the operations requested by the control
650 // thread have been processed. First, we check whether we have processed
651 // the first SetTarget call, if any. Then, we check whether we have
652 // processed any rename requested by subsequent SetTarget calls.
653 if ((mInitialTarget && !mActualTarget) ||
654 (mRenamedTarget && mRenamedTarget != mActualTarget)) {
655 return false;
656 }
657
658 // If we still have data to write to the output file, allow the copy
659 // operation to resume. The Available getter may return an error if one
660 // of the pipe's streams has been already closed.
661 uint64_t available;
662 rv = mPipeInputStream->Available(&available);
663 if (NS_SUCCEEDED(rv) && available != 0) {
664 return false;
665 }
666 }
667
668 mComplete = true;
669 }
670
671 // Ensure we notify completion now that the operation finished.
672 // Do a best-effort attempt to remove the file if required.
673 if (failed && mActualTarget && !mActualTargetKeepPartial) {
674 (void)mActualTarget->Remove(false);
675 }
676
677 // Finish computing the hash
678 if (!failed && mDigestContext) {
679 Digest d;
680 rv = d.End(SEC_OID_SHA256, mDigestContext);
681 if (NS_SUCCEEDED(rv)) {
682 MutexAutoLock lock(mLock);
683 mSha256 = nsDependentCSubstring(
684 BitwiseCast<char*, unsigned char*>(d.get().data), d.get().len);
685 }
686 }
687
688 // Compute the signature of the binary. ExtractSignatureInfo doesn't do
689 // anything on non-Windows platforms except return an empty nsIArray.
690 if (!failed && mActualTarget) {
691 nsString filePath;
692 mActualTarget->GetTarget(filePath);
693 nsresult rv = ExtractSignatureInfo(filePath);
694 if (NS_FAILED(rv)) {
695 LOG(("Unable to extract signature information [this = %p].", this));
696 } else {
697 LOG(("Signature extraction success! [this = %p]", this));
698 }
699 }
700
701 // Post an event to notify that the operation completed.
702 if (NS_FAILED(mControlEventTarget->Dispatch(
703 NewRunnableMethod("BackgroundFileSaver::NotifySaveComplete", this,
704 &BackgroundFileSaver::NotifySaveComplete),
705 NS_DISPATCH_NORMAL))) {
706 NS_WARNING("Unable to post completion event to the control thread.");
707 }
708
709 return true;
710 }
711
712 // Called on the control thread.
NotifyTargetChange(nsIFile * aTarget)713 nsresult BackgroundFileSaver::NotifyTargetChange(nsIFile* aTarget) {
714 if (mObserver) {
715 (void)mObserver->OnTargetChange(this, aTarget);
716 }
717
718 return NS_OK;
719 }
720
721 // Called on the control thread.
NotifySaveComplete()722 nsresult BackgroundFileSaver::NotifySaveComplete() {
723 MOZ_ASSERT(NS_IsMainThread(), "This should be called on the main thread");
724
725 nsresult status;
726 {
727 MutexAutoLock lock(mLock);
728 status = mStatus;
729 }
730
731 if (mObserver) {
732 (void)mObserver->OnSaveComplete(this, status);
733 // If mObserver keeps alive an enclosure that captures `this`, we'll have a
734 // cycle that won't be caught by the cycle-collector, so we need to break it
735 // when we're done here (see bug 1444265).
736 mObserver = nullptr;
737 }
738
739 // At this point, the worker thread will not process any more events, and we
740 // can shut it down. Shutting down a thread may re-enter the event loop on
741 // this thread. This is not a problem in this case, since this function is
742 // called by a top-level event itself, and we have already invoked the
743 // completion observer callback. Re-entering the loop can only delay the
744 // final release and destruction of this saver object, since we are keeping a
745 // reference to it through the event object.
746 mBackgroundET = nullptr;
747
748 sThreadCount--;
749
750 // When there are no more active downloads, we consider the download session
751 // finished. We record the maximum number of concurrent downloads reached
752 // during the session in a telemetry histogram, and we reset the maximum
753 // thread counter for the next download session
754 if (sThreadCount == 0) {
755 Telemetry::Accumulate(Telemetry::BACKGROUNDFILESAVER_THREAD_COUNT,
756 sTelemetryMaxThreadCount);
757 sTelemetryMaxThreadCount = 0;
758 }
759
760 return NS_OK;
761 }
762
ExtractSignatureInfo(const nsAString & filePath)763 nsresult BackgroundFileSaver::ExtractSignatureInfo(const nsAString& filePath) {
764 MOZ_ASSERT(!NS_IsMainThread(), "Cannot extract signature on main thread");
765 {
766 MutexAutoLock lock(mLock);
767 if (!mSignatureInfoEnabled) {
768 return NS_OK;
769 }
770 }
771 #ifdef XP_WIN
772 // Setup the file to check.
773 WINTRUST_FILE_INFO fileToCheck = {0};
774 fileToCheck.cbStruct = sizeof(WINTRUST_FILE_INFO);
775 fileToCheck.pcwszFilePath = filePath.Data();
776 fileToCheck.hFile = nullptr;
777 fileToCheck.pgKnownSubject = nullptr;
778
779 // We want to check it is signed and trusted.
780 WINTRUST_DATA trustData = {0};
781 trustData.cbStruct = sizeof(trustData);
782 trustData.pPolicyCallbackData = nullptr;
783 trustData.pSIPClientData = nullptr;
784 trustData.dwUIChoice = WTD_UI_NONE;
785 trustData.fdwRevocationChecks = WTD_REVOKE_NONE;
786 trustData.dwUnionChoice = WTD_CHOICE_FILE;
787 trustData.dwStateAction = WTD_STATEACTION_VERIFY;
788 trustData.hWVTStateData = nullptr;
789 trustData.pwszURLReference = nullptr;
790 // Disallow revocation checks over the network
791 trustData.dwProvFlags = WTD_CACHE_ONLY_URL_RETRIEVAL;
792 // no UI
793 trustData.dwUIContext = 0;
794 trustData.pFile = &fileToCheck;
795
796 // The WINTRUST_ACTION_GENERIC_VERIFY_V2 policy verifies that the certificate
797 // chains up to a trusted root CA and has appropriate permissions to sign
798 // code.
799 GUID policyGUID = WINTRUST_ACTION_GENERIC_VERIFY_V2;
800 // Check if the file is signed by something that is trusted. If the file is
801 // not signed, this is a no-op.
802 LONG ret = WinVerifyTrust(nullptr, &policyGUID, &trustData);
803 CRYPT_PROVIDER_DATA* cryptoProviderData = nullptr;
804 // According to the Windows documentation, we should check against 0 instead
805 // of ERROR_SUCCESS, which is an HRESULT.
806 if (ret == 0) {
807 cryptoProviderData = WTHelperProvDataFromStateData(trustData.hWVTStateData);
808 }
809 if (cryptoProviderData) {
810 // Lock because signature information is read on the main thread.
811 MutexAutoLock lock(mLock);
812 LOG(("Downloaded trusted and signed file [this = %p].", this));
813 // A binary may have multiple signers. Each signer may have multiple certs
814 // in the chain.
815 for (DWORD i = 0; i < cryptoProviderData->csSigners; ++i) {
816 const CERT_CHAIN_CONTEXT* certChainContext =
817 cryptoProviderData->pasSigners[i].pChainContext;
818 if (!certChainContext) {
819 break;
820 }
821 for (DWORD j = 0; j < certChainContext->cChain; ++j) {
822 const CERT_SIMPLE_CHAIN* certSimpleChain =
823 certChainContext->rgpChain[j];
824 if (!certSimpleChain) {
825 break;
826 }
827
828 nsTArray<nsTArray<uint8_t>> certList;
829 bool extractionSuccess = true;
830 for (DWORD k = 0; k < certSimpleChain->cElement; ++k) {
831 CERT_CHAIN_ELEMENT* certChainElement = certSimpleChain->rgpElement[k];
832 if (certChainElement->pCertContext->dwCertEncodingType !=
833 X509_ASN_ENCODING) {
834 continue;
835 }
836 nsTArray<uint8_t> cert;
837 cert.AppendElements(certChainElement->pCertContext->pbCertEncoded,
838 certChainElement->pCertContext->cbCertEncoded);
839 certList.AppendElement(std::move(cert));
840 }
841 if (extractionSuccess) {
842 mSignatureInfo.AppendElement(std::move(certList));
843 }
844 }
845 }
846 // Free the provider data if cryptoProviderData is not null.
847 trustData.dwStateAction = WTD_STATEACTION_CLOSE;
848 WinVerifyTrust(nullptr, &policyGUID, &trustData);
849 } else {
850 LOG(("Downloaded unsigned or untrusted file [this = %p].", this));
851 }
852 #endif
853 return NS_OK;
854 }
855
856 ////////////////////////////////////////////////////////////////////////////////
857 //// BackgroundFileSaverOutputStream
858
NS_IMPL_ISUPPORTS(BackgroundFileSaverOutputStream,nsIBackgroundFileSaver,nsIOutputStream,nsIAsyncOutputStream,nsIOutputStreamCallback)859 NS_IMPL_ISUPPORTS(BackgroundFileSaverOutputStream, nsIBackgroundFileSaver,
860 nsIOutputStream, nsIAsyncOutputStream,
861 nsIOutputStreamCallback)
862
863 BackgroundFileSaverOutputStream::BackgroundFileSaverOutputStream()
864 : BackgroundFileSaver(), mAsyncWaitCallback(nullptr) {}
865
HasInfiniteBuffer()866 bool BackgroundFileSaverOutputStream::HasInfiniteBuffer() { return false; }
867
GetProgressCallback()868 nsAsyncCopyProgressFun BackgroundFileSaverOutputStream::GetProgressCallback() {
869 return nullptr;
870 }
871
872 NS_IMETHODIMP
Close()873 BackgroundFileSaverOutputStream::Close() { return mPipeOutputStream->Close(); }
874
875 NS_IMETHODIMP
Flush()876 BackgroundFileSaverOutputStream::Flush() { return mPipeOutputStream->Flush(); }
877
878 NS_IMETHODIMP
Write(const char * aBuf,uint32_t aCount,uint32_t * _retval)879 BackgroundFileSaverOutputStream::Write(const char* aBuf, uint32_t aCount,
880 uint32_t* _retval) {
881 return mPipeOutputStream->Write(aBuf, aCount, _retval);
882 }
883
884 NS_IMETHODIMP
WriteFrom(nsIInputStream * aFromStream,uint32_t aCount,uint32_t * _retval)885 BackgroundFileSaverOutputStream::WriteFrom(nsIInputStream* aFromStream,
886 uint32_t aCount, uint32_t* _retval) {
887 return mPipeOutputStream->WriteFrom(aFromStream, aCount, _retval);
888 }
889
890 NS_IMETHODIMP
WriteSegments(nsReadSegmentFun aReader,void * aClosure,uint32_t aCount,uint32_t * _retval)891 BackgroundFileSaverOutputStream::WriteSegments(nsReadSegmentFun aReader,
892 void* aClosure, uint32_t aCount,
893 uint32_t* _retval) {
894 return mPipeOutputStream->WriteSegments(aReader, aClosure, aCount, _retval);
895 }
896
897 NS_IMETHODIMP
IsNonBlocking(bool * _retval)898 BackgroundFileSaverOutputStream::IsNonBlocking(bool* _retval) {
899 return mPipeOutputStream->IsNonBlocking(_retval);
900 }
901
902 NS_IMETHODIMP
CloseWithStatus(nsresult reason)903 BackgroundFileSaverOutputStream::CloseWithStatus(nsresult reason) {
904 return mPipeOutputStream->CloseWithStatus(reason);
905 }
906
907 NS_IMETHODIMP
AsyncWait(nsIOutputStreamCallback * aCallback,uint32_t aFlags,uint32_t aRequestedCount,nsIEventTarget * aEventTarget)908 BackgroundFileSaverOutputStream::AsyncWait(nsIOutputStreamCallback* aCallback,
909 uint32_t aFlags,
910 uint32_t aRequestedCount,
911 nsIEventTarget* aEventTarget) {
912 NS_ENSURE_STATE(!mAsyncWaitCallback);
913
914 mAsyncWaitCallback = aCallback;
915
916 return mPipeOutputStream->AsyncWait(this, aFlags, aRequestedCount,
917 aEventTarget);
918 }
919
920 NS_IMETHODIMP
OnOutputStreamReady(nsIAsyncOutputStream * aStream)921 BackgroundFileSaverOutputStream::OnOutputStreamReady(
922 nsIAsyncOutputStream* aStream) {
923 NS_ENSURE_STATE(mAsyncWaitCallback);
924
925 nsCOMPtr<nsIOutputStreamCallback> asyncWaitCallback = nullptr;
926 asyncWaitCallback.swap(mAsyncWaitCallback);
927
928 return asyncWaitCallback->OnOutputStreamReady(this);
929 }
930
931 ////////////////////////////////////////////////////////////////////////////////
932 //// BackgroundFileSaverStreamListener
933
NS_IMPL_ISUPPORTS(BackgroundFileSaverStreamListener,nsIBackgroundFileSaver,nsIRequestObserver,nsIStreamListener)934 NS_IMPL_ISUPPORTS(BackgroundFileSaverStreamListener, nsIBackgroundFileSaver,
935 nsIRequestObserver, nsIStreamListener)
936
937 BackgroundFileSaverStreamListener::BackgroundFileSaverStreamListener()
938 : BackgroundFileSaver(),
939 mSuspensionLock("BackgroundFileSaverStreamListener.mSuspensionLock"),
940 mReceivedTooMuchData(false),
941 mRequest(nullptr),
942 mRequestSuspended(false) {}
943
HasInfiniteBuffer()944 bool BackgroundFileSaverStreamListener::HasInfiniteBuffer() { return true; }
945
946 nsAsyncCopyProgressFun
GetProgressCallback()947 BackgroundFileSaverStreamListener::GetProgressCallback() {
948 return AsyncCopyProgressCallback;
949 }
950
951 NS_IMETHODIMP
OnStartRequest(nsIRequest * aRequest)952 BackgroundFileSaverStreamListener::OnStartRequest(nsIRequest* aRequest) {
953 NS_ENSURE_ARG(aRequest);
954
955 return NS_OK;
956 }
957
958 NS_IMETHODIMP
OnStopRequest(nsIRequest * aRequest,nsresult aStatusCode)959 BackgroundFileSaverStreamListener::OnStopRequest(nsIRequest* aRequest,
960 nsresult aStatusCode) {
961 // If an error occurred, cancel the operation immediately. On success, wait
962 // until the caller has determined whether the file should be renamed.
963 if (NS_FAILED(aStatusCode)) {
964 Finish(aStatusCode);
965 }
966
967 return NS_OK;
968 }
969
970 NS_IMETHODIMP
OnDataAvailable(nsIRequest * aRequest,nsIInputStream * aInputStream,uint64_t aOffset,uint32_t aCount)971 BackgroundFileSaverStreamListener::OnDataAvailable(nsIRequest* aRequest,
972 nsIInputStream* aInputStream,
973 uint64_t aOffset,
974 uint32_t aCount) {
975 nsresult rv;
976
977 NS_ENSURE_ARG(aRequest);
978
979 // Read the requested data. Since the pipe has an infinite buffer, we don't
980 // expect any write error to occur here.
981 uint32_t writeCount;
982 rv = mPipeOutputStream->WriteFrom(aInputStream, aCount, &writeCount);
983 NS_ENSURE_SUCCESS(rv, rv);
984
985 // If reading from the input stream fails for any reason, the pipe will return
986 // a success code, but without reading all the data. Since we should be able
987 // to read the requested data when OnDataAvailable is called, raise an error.
988 if (writeCount < aCount) {
989 NS_WARNING("Reading from the input stream should not have failed.");
990 return NS_ERROR_UNEXPECTED;
991 }
992
993 bool stateChanged = false;
994 {
995 MutexAutoLock lock(mSuspensionLock);
996
997 if (!mReceivedTooMuchData) {
998 uint64_t available;
999 nsresult rv = mPipeInputStream->Available(&available);
1000 if (NS_SUCCEEDED(rv) && available > REQUEST_SUSPEND_AT) {
1001 mReceivedTooMuchData = true;
1002 mRequest = aRequest;
1003 stateChanged = true;
1004 }
1005 }
1006 }
1007
1008 if (stateChanged) {
1009 NotifySuspendOrResume();
1010 }
1011
1012 return NS_OK;
1013 }
1014
1015 // Called on the worker thread.
1016 // static
AsyncCopyProgressCallback(void * aClosure,uint32_t aCount)1017 void BackgroundFileSaverStreamListener::AsyncCopyProgressCallback(
1018 void* aClosure, uint32_t aCount) {
1019 BackgroundFileSaverStreamListener* self =
1020 (BackgroundFileSaverStreamListener*)aClosure;
1021
1022 // Wait if the control thread is in the process of suspending or resuming.
1023 MutexAutoLock lock(self->mSuspensionLock);
1024
1025 // This function is called when some bytes are consumed by NS_AsyncCopy. Each
1026 // time this happens, verify if a suspended request should be resumed, because
1027 // we have now consumed enough data.
1028 if (self->mReceivedTooMuchData) {
1029 uint64_t available;
1030 nsresult rv = self->mPipeInputStream->Available(&available);
1031 if (NS_FAILED(rv) || available < REQUEST_RESUME_AT) {
1032 self->mReceivedTooMuchData = false;
1033
1034 // Post an event to verify if the request should be resumed.
1035 if (NS_FAILED(self->mControlEventTarget->Dispatch(
1036 NewRunnableMethod(
1037 "BackgroundFileSaverStreamListener::NotifySuspendOrResume",
1038 self,
1039 &BackgroundFileSaverStreamListener::NotifySuspendOrResume),
1040 NS_DISPATCH_NORMAL))) {
1041 NS_WARNING("Unable to post resume event to the control thread.");
1042 }
1043 }
1044 }
1045 }
1046
1047 // Called on the control thread.
NotifySuspendOrResume()1048 nsresult BackgroundFileSaverStreamListener::NotifySuspendOrResume() {
1049 // Prevent the worker thread from changing state while processing.
1050 MutexAutoLock lock(mSuspensionLock);
1051
1052 if (mReceivedTooMuchData) {
1053 if (!mRequestSuspended) {
1054 // Try to suspend the request. If this fails, don't try to resume later.
1055 if (NS_SUCCEEDED(mRequest->Suspend())) {
1056 mRequestSuspended = true;
1057 } else {
1058 NS_WARNING("Unable to suspend the request.");
1059 }
1060 }
1061 } else {
1062 if (mRequestSuspended) {
1063 // Resume the request only if we succeeded in suspending it.
1064 if (NS_SUCCEEDED(mRequest->Resume())) {
1065 mRequestSuspended = false;
1066 } else {
1067 NS_WARNING("Unable to resume the request.");
1068 }
1069 }
1070 }
1071
1072 return NS_OK;
1073 }
1074
1075 ////////////////////////////////////////////////////////////////////////////////
1076 //// DigestOutputStream
NS_IMPL_ISUPPORTS(DigestOutputStream,nsIOutputStream)1077 NS_IMPL_ISUPPORTS(DigestOutputStream, nsIOutputStream)
1078
1079 DigestOutputStream::DigestOutputStream(nsIOutputStream* aStream,
1080 PK11Context* aContext)
1081 : mOutputStream(aStream), mDigestContext(aContext) {
1082 MOZ_ASSERT(mDigestContext, "Can't have null digest context");
1083 MOZ_ASSERT(mOutputStream, "Can't have null output stream");
1084 }
1085
1086 NS_IMETHODIMP
Close()1087 DigestOutputStream::Close() { return mOutputStream->Close(); }
1088
1089 NS_IMETHODIMP
Flush()1090 DigestOutputStream::Flush() { return mOutputStream->Flush(); }
1091
1092 NS_IMETHODIMP
Write(const char * aBuf,uint32_t aCount,uint32_t * retval)1093 DigestOutputStream::Write(const char* aBuf, uint32_t aCount, uint32_t* retval) {
1094 nsresult rv = MapSECStatus(PK11_DigestOp(
1095 mDigestContext, BitwiseCast<const unsigned char*, const char*>(aBuf),
1096 aCount));
1097 NS_ENSURE_SUCCESS(rv, rv);
1098
1099 return mOutputStream->Write(aBuf, aCount, retval);
1100 }
1101
1102 NS_IMETHODIMP
WriteFrom(nsIInputStream * aFromStream,uint32_t aCount,uint32_t * retval)1103 DigestOutputStream::WriteFrom(nsIInputStream* aFromStream, uint32_t aCount,
1104 uint32_t* retval) {
1105 // Not supported. We could read the stream to a buf, call DigestOp on the
1106 // result, seek back and pass the stream on, but it's not worth it since our
1107 // application (NS_AsyncCopy) doesn't invoke this on the sink.
1108 MOZ_CRASH("DigestOutputStream::WriteFrom not implemented");
1109 }
1110
1111 NS_IMETHODIMP
WriteSegments(nsReadSegmentFun aReader,void * aClosure,uint32_t aCount,uint32_t * retval)1112 DigestOutputStream::WriteSegments(nsReadSegmentFun aReader, void* aClosure,
1113 uint32_t aCount, uint32_t* retval) {
1114 MOZ_CRASH("DigestOutputStream::WriteSegments not implemented");
1115 }
1116
1117 NS_IMETHODIMP
IsNonBlocking(bool * retval)1118 DigestOutputStream::IsNonBlocking(bool* retval) {
1119 return mOutputStream->IsNonBlocking(retval);
1120 }
1121
1122 #undef LOG_ENABLED
1123
1124 } // namespace net
1125 } // namespace mozilla
1126