Backed out changeset 38a63dbeab37 (bug 733644) for suspicion of causing test_bug798843_pref.html failures.

2024-09-13 09:24:08 -07:00 · 2013-09-13 10:47:38 -04:00 · 2013-09-13 10:47:38 -04:00 · 1bdee984a4
commit 1bdee984a4
parent c74f8b598b
2 changed files with 120 additions and 112 deletions
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@ -16,7 +16,7 @@
 #include "nsComponentManagerUtils.h"
 #include "nsDirectoryServiceDefs.h"
 #include "nsICertOverrideService.h"
-#include "mozilla/Preferences.h"
+#include "nsIPrefService.h"

 #ifndef MOZ_DISABLE_CRYPTOLEGACY
 #include "nsIDOMNode.h"
@ -871,9 +871,9 @@ static CipherPref CipherPrefs[] = {
 };

 static void
-setNonPkixOcspEnabled(int32_t ocspEnabled)
+setNonPkixOcspEnabled(int32_t ocspEnabled, nsIPrefBranch * pref)
 {
-  // Note: this preference is numeric vs boolean because previously we
+  // Note: this preference is numeric vs bolean because previously we
  // supported more than two options.
  if (!ocspEnabled) {
    CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
@ -886,7 +886,7 @@ setNonPkixOcspEnabled(int32_t ocspEnabled)

 #define CRL_DOWNLOAD_DEFAULT false
 #define OCSP_ENABLED_DEFAULT 1
-#define OCSP_REQUIRED_DEFAULT false
+#define OCSP_REQUIRED_DEFAULT 0
 #define FRESH_REVOCATION_REQUIRED_DEFAULT false
 #define MISSING_CERT_DOWNLOAD_DEFAULT false
 #define FIRST_REVO_METHOD_DEFAULT "ocsp"
@ -894,39 +894,56 @@ setNonPkixOcspEnabled(int32_t ocspEnabled)
 #define OCSP_STAPLING_ENABLED_DEFAULT true

 // Caller must hold a lock on nsNSSComponent::mutex when calling this function
-void nsNSSComponent::setValidationOptions()
+void nsNSSComponent::setValidationOptions(nsIPrefBranch * pref)
 {
  nsNSSShutDownPreventionLock locker;
+  nsresult rv;

-  bool crlDownloading = Preferences::GetBool("security.CRL_download.enabled",
-                                             CRL_DOWNLOAD_DEFAULT);
-  // 0 = disabled, 1 = enabled
-  int32_t ocspEnabled = Preferences::GetInt("security.OCSP.enabled",
-                                            OCSP_ENABLED_DEFAULT);
+  bool crlDownloading;
+  rv = pref->GetBoolPref("security.CRL_download.enabled", &crlDownloading);
+  if (NS_FAILED(rv))
+    crlDownloading = CRL_DOWNLOAD_DEFAULT;
+  
+  int32_t ocspEnabled;
+  rv = pref->GetIntPref("security.OCSP.enabled", &ocspEnabled);
+  // 0 = disabled, 1 = enabled, 
+  // 2 = enabled with given default responder
+  if (NS_FAILED(rv))
+    ocspEnabled = OCSP_ENABLED_DEFAULT;

-  bool ocspRequired = Preferences::GetBool("security.OCSP.require",
-                                           OCSP_REQUIRED_DEFAULT);
-  bool anyFreshRequired = Preferences::GetBool("security.fresh_revocation_info.require",
-                                               FRESH_REVOCATION_REQUIRED_DEFAULT);
-  bool aiaDownloadEnabled = Preferences::GetBool("security.missing_cert_download.enabled",
-                                                 MISSING_CERT_DOWNLOAD_DEFAULT);
+  bool ocspRequired;
+  rv = pref->GetBoolPref("security.OCSP.require", &ocspRequired);
+  if (NS_FAILED(rv))
+    ocspRequired = OCSP_REQUIRED_DEFAULT;

-  nsCString firstNetworkRevo =
-    Preferences::GetCString("security.first_network_revocation_method");
-  if (firstNetworkRevo.IsEmpty()) {
+  bool anyFreshRequired;
+  rv = pref->GetBoolPref("security.fresh_revocation_info.require", &anyFreshRequired);
+  if (NS_FAILED(rv))
+    anyFreshRequired = FRESH_REVOCATION_REQUIRED_DEFAULT;
+  
+  bool aiaDownloadEnabled;
+  rv = pref->GetBoolPref("security.missing_cert_download.enabled", &aiaDownloadEnabled);
+  if (NS_FAILED(rv))
+    aiaDownloadEnabled = MISSING_CERT_DOWNLOAD_DEFAULT;
+
+  nsCString firstNetworkRevo;
+  rv = pref->GetCharPref("security.first_network_revocation_method", getter_Copies(firstNetworkRevo));
+  if (NS_FAILED(rv))
    firstNetworkRevo = FIRST_REVO_METHOD_DEFAULT;
-  }

-  bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling",
-                                                  OCSP_STAPLING_ENABLED_DEFAULT);
+  bool ocspStaplingEnabled;
+  rv = pref->GetBoolPref("security.ssl.enable_ocsp_stapling", &ocspStaplingEnabled);
+  if (NS_FAILED(rv)) {
+    ocspStaplingEnabled = OCSP_STAPLING_ENABLED_DEFAULT;
+  }
  if (!ocspEnabled) {
    ocspStaplingEnabled = false;
  }
  PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
  PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
-
-  setNonPkixOcspEnabled(ocspEnabled);
-
+  
+  setNonPkixOcspEnabled(ocspEnabled, pref);
+  
  CERT_SetOCSPFailureMode( ocspRequired ?
                           ocspMode_FailureIsVerificationFailure
                           : ocspMode_FailureIsNotAVerificationFailure);
@ -954,16 +971,16 @@ void nsNSSComponent::setValidationOptions()
 // Enable the TLS versions given in the prefs, defaulting to SSL 3.0 and
 // TLS 1.0 when the prefs aren't set or when they are set to invalid values.
 nsresult
-nsNSSComponent::setEnabledTLSVersions()
+nsNSSComponent::setEnabledTLSVersions(nsIPrefBranch * prefBranch)
 {
  // keep these values in sync with security-prefs.js and firefox.js
  static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 0;
  static const int32_t PSM_DEFAULT_MAX_TLS_VERSION = 1;

-  int32_t minVersion = Preferences::GetInt("security.tls.version.min",
-                                           PSM_DEFAULT_MIN_TLS_VERSION);
-  int32_t maxVersion = Preferences::GetInt("security.tls.version.max",
-                                           PSM_DEFAULT_MAX_TLS_VERSION);
+  int32_t minVersion = PSM_DEFAULT_MIN_TLS_VERSION;
+  int32_t maxVersion = PSM_DEFAULT_MAX_TLS_VERSION;
+  mPrefBranch->GetIntPref("security.tls.version.min", &minVersion);
+  mPrefBranch->GetIntPref("security.tls.version.max", &maxVersion);

  // 0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, etc.
  minVersion += SSL_LIBRARY_VERSION_3_0;
@ -999,11 +1016,13 @@ NS_IMETHODIMP
 nsNSSComponent::SkipOcspOff()
 {
  nsNSSShutDownPreventionLock locker;
-  // 0 = disabled, 1 = enabled
-  int32_t ocspEnabled = Preferences::GetInt("security.OCSP.enabled",
-                                            OCSP_ENABLED_DEFAULT);
-
-  setNonPkixOcspEnabled(ocspEnabled);
+  int32_t ocspEnabled;
+  if (NS_FAILED(mPrefBranch->GetIntPref("security.OCSP.enabled", &ocspEnabled)))
+    ocspEnabled = OCSP_ENABLED_DEFAULT;
+  // 0 = disabled, 1 = enabled, 
+  // 2 = enabled with given default responder
+  
+  setNonPkixOcspEnabled(ocspEnabled, mPrefBranch);

  if (ocspEnabled)
    SSL_ClearSessionCache();
@ -1031,14 +1050,6 @@ static void configureMD5(bool enabled)
  }
 }

-static const bool SUPPRESS_WARNING_PREF_DEFAULT = false;
-static const bool MD5_ENABLED_DEFAULT = false;
-static const bool TLS_SESSION_TICKETS_ENABLED_DEFAULT = true;
-static const bool REQUIRE_SAFE_NEGOTIATION_DEFAULT = false;
-static const bool ALLOW_UNRESTRICTED_RENEGO_DEFAULT = false;
-static const bool FALSE_START_ENABLED_DEFAULT = true;
-static const bool CIPHER_ENABLED_DEFAULT = false;
-
 nsresult
 nsNSSComponent::InitializeNSS(bool showWarningBox)
 {
@ -1108,13 +1119,17 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
    }

 #ifndef NSS_NO_LIBPKIX
-    globalConstFlagUsePKIXVerification =
-      Preferences::GetBool("security.use_libpkix_verification", USE_NSS_LIBPKIX_DEFAULT);
+    rv = mPrefBranch->GetBoolPref("security.use_libpkix_verification", &globalConstFlagUsePKIXVerification);
+    if (NS_FAILED(rv))
+      globalConstFlagUsePKIXVerification = USE_NSS_LIBPKIX_DEFAULT;
 #endif

-    bool suppressWarningPref =
-      Preferences::GetBool("security.suppress_nss_rw_impossible_warning",
-                           SUPPRESS_WARNING_PREF_DEFAULT);
+    bool supress_warning_preference = false;
+    rv = mPrefBranch->GetBoolPref("security.suppress_nss_rw_impossible_warning", &supress_warning_preference);
+
+    if (NS_FAILED(rv)) {
+      supress_warning_preference = false;
+    }

    // init phase 2, init calls to NSS library

@ -1140,7 +1155,7 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
    if (init_rv != SECSuccess) {
      PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("can not init NSS r/w in %s\n", profileStr.get()));

-      if (suppressWarningPref) {
+      if (supress_warning_preference) {
        which_nss_problem = problem_none;
      }
      else {
@ -1178,44 +1193,38 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
      SharedSSLState::GlobalInit();

      // Register an observer so we can inform NSS when these prefs change
-      Preferences::AddStrongObserver(this, "security.");
+      mPrefBranch->AddObserver("security.", this, false);

      SSL_OptionSetDefault(SSL_ENABLE_SSL2, false);
      SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, false);

-      rv = setEnabledTLSVersions();
+      rv = setEnabledTLSVersions(mPrefBranch);
      if (NS_FAILED(rv)) {
        nsPSMInitPanic::SetPanic();
        return NS_ERROR_UNEXPECTED;
      }

-      bool md5Enabled = Preferences::GetBool("security.enable_md5_signatures",
-                                             MD5_ENABLED_DEFAULT);
-      configureMD5(md5Enabled);
+      bool enabled = true; // XXX: see bug 733644
+
+      mPrefBranch->GetBoolPref("security.enable_md5_signatures", &enabled);
+      configureMD5(enabled);

      // Configure TLS session tickets
-      bool tlsSessionTicketsEnabled =
-        Preferences::GetBool("security.enable_tls_session_tickets",
-                             TLS_SESSION_TICKETS_ENABLED_DEFAULT);
-      SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, tlsSessionTicketsEnabled);
+      mPrefBranch->GetBoolPref("security.enable_tls_session_tickets", &enabled);
+      SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, enabled);

-      bool requireSafeNegotiation =
-        Preferences::GetBool("security.ssl.require_safe_negotiation",
-                             REQUIRE_SAFE_NEGOTIATION_DEFAULT);
-      SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, requireSafeNegotiation);
+      mPrefBranch->GetBoolPref("security.ssl.require_safe_negotiation", &enabled);
+      SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, enabled);

-      bool allowUnrestrictedRenego =
-        Preferences::GetBool("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
-                             ALLOW_UNRESTRICTED_RENEGO_DEFAULT);
-      SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION,
-                           allowUnrestrictedRenego ?
-                             SSL_RENEGOTIATE_UNRESTRICTED :
-                             SSL_RENEGOTIATE_REQUIRES_XTN);
+      mPrefBranch->GetBoolPref(
+        "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", 
+        &enabled);
+      SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, 
+        enabled ? SSL_RENEGOTIATE_UNRESTRICTED : SSL_RENEGOTIATE_REQUIRES_XTN);

 #ifdef SSL_ENABLE_FALSE_START // Requires NSS 3.12.8
-      bool falseStartEnabled = Preferences::GetBool("security.ssl.enable_false_start",
-                                                    FALSE_START_ENABLED_DEFAULT);
-      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, falseStartEnabled);
+      mPrefBranch->GetBoolPref("security.ssl.enable_false_start", &enabled);
+      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, enabled);
 #endif

      // Disable any ciphers that NSS might have enabled by default
@ -1225,11 +1234,13 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
        SSL_CipherPrefSetDefault(cipher_id, false);
      }

-      bool cipherEnabled;
      // Now only set SSL/TLS ciphers we knew about at compile time
      for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {
-        cipherEnabled = Preferences::GetBool(cp->pref, CIPHER_ENABLED_DEFAULT);
-        SSL_CipherPrefSetDefault(cp->id, cipherEnabled);
+        rv = mPrefBranch->GetBoolPref(cp->pref, &enabled);
+        if (NS_FAILED(rv))
+          enabled = false;
+
+        SSL_CipherPrefSetDefault(cp->id, enabled);
      }

      // Enable ciphers for PKCS#12
@ -1243,7 +1254,7 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
      PORT_SetUCS2_ASCIIConversionFunction(pip_ucs2_ascii_conversion_fn);

      // dynamic options from prefs
-      setValidationOptions();
+      setValidationOptions(mPrefBranch);

      mHttpForNSS.initTable();
      mHttpForNSS.registerHttpClient();
@ -1289,7 +1300,9 @@ nsNSSComponent::ShutdownNSS()
    PK11_SetPasswordFunc((PK11PasswordFunc)nullptr);
    mHttpForNSS.unregisterHttpClient();

-    Preferences::RemoveObserver(this, "security.");
+    if (mPrefBranch) {
+      mPrefBranch->RemoveObserver("security.", this);
+    }

 #ifndef MOZ_DISABLE_CRYPTOLEGACY
    ShutdownSmartCardThreads();
@ -1310,9 +1323,7 @@ nsNSSComponent::ShutdownNSS()
    }
  }
 }
-
-static const bool SEND_LM_DEFAULT = false;
-
+ 
 NS_IMETHODIMP
 nsNSSComponent::Init()
 {
@ -1348,8 +1359,13 @@ nsNSSComponent::Init()
                                        getter_Copies(result));
  }

-  bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response",
-                                     SEND_LM_DEFAULT);
+  if (!mPrefBranch) {
+    mPrefBranch = do_GetService(NS_PREFSERVICE_CONTRACTID);
+    NS_ASSERTION(mPrefBranch, "Unable to get pref service");
+  }
+
+  bool sendLM = false;
+  mPrefBranch->GetBoolPref("network.ntlm.send-lm-response", &sendLM);
  nsNTLMAuthModule::SetSendLM(sendLM);

  // Do that before NSS init, to make sure we won't get unloaded.
@ -1619,40 +1635,31 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
  else if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) { 
    nsNSSShutDownPreventionLock locker;
    bool clearSessionCache = false;
+    bool enabled;
    NS_ConvertUTF16toUTF8  prefName(someData);

    if (prefName.Equals("security.tls.version.min") ||
        prefName.Equals("security.tls.version.max")) {
-      (void) setEnabledTLSVersions();
+      (void) setEnabledTLSVersions(mPrefBranch);
      clearSessionCache = true;
    } else if (prefName.Equals("security.enable_md5_signatures")) {
-      bool md5Enabled = Preferences::GetBool("security.enable_md5_signatures",
-                                             MD5_ENABLED_DEFAULT);
-      configureMD5(md5Enabled);
+      mPrefBranch->GetBoolPref("security.enable_md5_signatures", &enabled);
+      configureMD5(enabled);
      clearSessionCache = true;
    } else if (prefName.Equals("security.enable_tls_session_tickets")) {
-      bool tlsSessionTicketsEnabled =
-        Preferences::GetBool("security.enable_tls_session_tickets",
-                             TLS_SESSION_TICKETS_ENABLED_DEFAULT);
-      SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, tlsSessionTicketsEnabled);
+      mPrefBranch->GetBoolPref("security.enable_tls_session_tickets", &enabled);
+      SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, enabled);
    } else if (prefName.Equals("security.ssl.require_safe_negotiation")) {
-      bool requireSafeNegotiation =
-        Preferences::GetBool("security.ssl.require_safe_negotiation",
-                             REQUIRE_SAFE_NEGOTIATION_DEFAULT);
-      SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, requireSafeNegotiation);
+      mPrefBranch->GetBoolPref("security.ssl.require_safe_negotiation", &enabled);
+      SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, enabled);
    } else if (prefName.Equals("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref")) {
-      bool allowUnrestrictedRenego =
-        Preferences::GetBool("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
-                             ALLOW_UNRESTRICTED_RENEGO_DEFAULT);
-      SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION,
-                           allowUnrestrictedRenego ?
-                             SSL_RENEGOTIATE_UNRESTRICTED :
-                             SSL_RENEGOTIATE_REQUIRES_XTN);
+      mPrefBranch->GetBoolPref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", &enabled);
+      SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, 
+        enabled ? SSL_RENEGOTIATE_UNRESTRICTED : SSL_RENEGOTIATE_REQUIRES_XTN);
 #ifdef SSL_ENABLE_FALSE_START // Requires NSS 3.12.8
    } else if (prefName.Equals("security.ssl.enable_false_start")) {
-      bool falseStartEnabled = Preferences::GetBool("security.ssl.enable_false_start",
-                                                    FALSE_START_ENABLED_DEFAULT);
-      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, falseStartEnabled);
+      mPrefBranch->GetBoolPref("security.ssl.enable_false_start", &enabled);
+      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, enabled);
 #endif
    } else if (prefName.Equals("security.OCSP.enabled")
               || prefName.Equals("security.CRL_download.enabled")
@ -1662,18 +1669,17 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
               || prefName.Equals("security.OCSP.require")
               || prefName.Equals("security.ssl.enable_ocsp_stapling")) {
      MutexAutoLock lock(mutex);
-      setValidationOptions();
+      setValidationOptions(mPrefBranch);
    } else if (prefName.Equals("network.ntlm.send-lm-response")) {
-      bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response",
-                                         SEND_LM_DEFAULT);
+      bool sendLM = false;
+      mPrefBranch->GetBoolPref("network.ntlm.send-lm-response", &sendLM);
      nsNTLMAuthModule::SetSendLM(sendLM);
    } else {
      /* Look through the cipher table and set according to pref setting */
-      bool cipherEnabled;
      for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {
        if (prefName.Equals(cp->pref)) {
-          cipherEnabled = Preferences::GetBool(cp->pref, CIPHER_ENABLED_DEFAULT);
-          SSL_CipherPrefSetDefault(cp->id, cipherEnabled);
+          mPrefBranch->GetBoolPref(cp->pref, &enabled);
+          SSL_CipherPrefSetDefault(cp->id, enabled);
          clearSessionCache = true;
          break;
        }
--- a/security/manager/ssl/src/nsNSSComponent.h
+++ b/security/manager/ssl/src/nsNSSComponent.h
@ -13,6 +13,7 @@
 #include "nsISignatureVerifier.h"
 #include "nsIEntropyCollector.h"
 #include "nsIStringBundle.h"
+#include "nsIPrefBranch.h"
 #include "nsIObserver.h"
 #include "nsIObserverService.h"
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
@ -184,8 +185,8 @@ private:
  void InstallLoadableRoots();
  void UnloadLoadableRoots();
  void CleanupIdentityInfo();
-  void setValidationOptions();
-  nsresult setEnabledTLSVersions();
+  void setValidationOptions(nsIPrefBranch * pref);
+  nsresult setEnabledTLSVersions(nsIPrefBranch * pref);
  nsresult InitializePIPNSSBundle();
  nsresult ConfigureInternalPKCS11Token();
  nsresult RegisterObservers();
@ -202,6 +203,7 @@ private:
  
  nsCOMPtr<nsIStringBundle> mPIPNSSBundle;
  nsCOMPtr<nsIStringBundle> mNSSErrorsBundle;
+  nsCOMPtr<nsIPrefBranch> mPrefBranch;
  bool mNSSInitialized;
  bool mObserversRegistered;
  static int mInstanceCount;