wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Backed out changeset 38a63dbeab37 (bug 733644) for suspicion of causing test_bug798843_pref.html failures.

Browse Source
This commit is contained in:
Ryan VanderMeulen 2013-09-13 10:47:38 -04:00
parent c74f8b598b
commit 1bdee984a4
2 changed files with 120 additions and 112 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

214
security/manager/ssl/src/nsNSSComponent.cpp
View File

@ -16,7 +16,7 @@
#include "nsComponentManagerUtils.h"
#include "nsDirectoryServiceDefs.h"
#include "nsICertOverrideService.h"
#include "mozilla/Preferences.h"
#include "nsIPrefService.h"
#ifndef MOZ_DISABLE_CRYPTOLEGACY
#include "nsIDOMNode.h"
@ -871,9 +871,9 @@ static CipherPref CipherPrefs[] = {
};
static void
setNonPkixOcspEnabled(int32_t ocspEnabled)
setNonPkixOcspEnabled(int32_t ocspEnabled, nsIPrefBranch * pref)
{
// Note: this preference is numeric vs boolean because previously we
// Note: this preference is numeric vs bolean because previously we
// supported more than two options.
if (!ocspEnabled) {
CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
@ -886,7 +886,7 @@ setNonPkixOcspEnabled(int32_t ocspEnabled)
#define CRL_DOWNLOAD_DEFAULT false
#define OCSP_ENABLED_DEFAULT 1
#define OCSP_REQUIRED_DEFAULT false
#define OCSP_REQUIRED_DEFAULT 0
#define FRESH_REVOCATION_REQUIRED_DEFAULT false
#define MISSING_CERT_DOWNLOAD_DEFAULT false
#define FIRST_REVO_METHOD_DEFAULT "ocsp"
@ -894,38 +894,55 @@ setNonPkixOcspEnabled(int32_t ocspEnabled)
#define OCSP_STAPLING_ENABLED_DEFAULT true
// Caller must hold a lock on nsNSSComponent::mutex when calling this function
void nsNSSComponent::setValidationOptions()
void nsNSSComponent::setValidationOptions(nsIPrefBranch * pref)
{
nsNSSShutDownPreventionLock locker;
nsresult rv;
bool crlDownloading = Preferences::GetBool("security.CRL_download.enabled",
CRL_DOWNLOAD_DEFAULT);
// 0 = disabled, 1 = enabled
int32_t ocspEnabled = Preferences::GetInt("security.OCSP.enabled",
OCSP_ENABLED_DEFAULT);
bool crlDownloading;
rv = pref->GetBoolPref("security.CRL_download.enabled", &crlDownloading);
if (NS_FAILED(rv))
crlDownloading = CRL_DOWNLOAD_DEFAULT;
bool ocspRequired = Preferences::GetBool("security.OCSP.require",
OCSP_REQUIRED_DEFAULT);
bool anyFreshRequired = Preferences::GetBool("security.fresh_revocation_info.require",
FRESH_REVOCATION_REQUIRED_DEFAULT);
bool aiaDownloadEnabled = Preferences::GetBool("security.missing_cert_download.enabled",
MISSING_CERT_DOWNLOAD_DEFAULT);
int32_t ocspEnabled;
rv = pref->GetIntPref("security.OCSP.enabled", &ocspEnabled);
// 0 = disabled, 1 = enabled,
// 2 = enabled with given default responder
if (NS_FAILED(rv))
ocspEnabled = OCSP_ENABLED_DEFAULT;
nsCString firstNetworkRevo =
Preferences::GetCString("security.first_network_revocation_method");
if (firstNetworkRevo.IsEmpty()) {
bool ocspRequired;
rv = pref->GetBoolPref("security.OCSP.require", &ocspRequired);
if (NS_FAILED(rv))
ocspRequired = OCSP_REQUIRED_DEFAULT;
bool anyFreshRequired;
rv = pref->GetBoolPref("security.fresh_revocation_info.require", &anyFreshRequired);
if (NS_FAILED(rv))
anyFreshRequired = FRESH_REVOCATION_REQUIRED_DEFAULT;
bool aiaDownloadEnabled;
rv = pref->GetBoolPref("security.missing_cert_download.enabled", &aiaDownloadEnabled);
if (NS_FAILED(rv))
aiaDownloadEnabled = MISSING_CERT_DOWNLOAD_DEFAULT;
nsCString firstNetworkRevo;
rv = pref->GetCharPref("security.first_network_revocation_method", getter_Copies(firstNetworkRevo));
if (NS_FAILED(rv))
firstNetworkRevo = FIRST_REVO_METHOD_DEFAULT;
}
bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling",
OCSP_STAPLING_ENABLED_DEFAULT);
bool ocspStaplingEnabled;
rv = pref->GetBoolPref("security.ssl.enable_ocsp_stapling", &ocspStaplingEnabled);
if (NS_FAILED(rv)) {
ocspStaplingEnabled = OCSP_STAPLING_ENABLED_DEFAULT;
}
if (!ocspEnabled) {
ocspStaplingEnabled = false;
}
PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
setNonPkixOcspEnabled(ocspEnabled);
setNonPkixOcspEnabled(ocspEnabled, pref);
CERT_SetOCSPFailureMode( ocspRequired ?
ocspMode_FailureIsVerificationFailure
@ -954,16 +971,16 @@ void nsNSSComponent::setValidationOptions()
// Enable the TLS versions given in the prefs, defaulting to SSL 3.0 and
// TLS 1.0 when the prefs aren't set or when they are set to invalid values.
nsresult
nsNSSComponent::setEnabledTLSVersions()
nsNSSComponent::setEnabledTLSVersions(nsIPrefBranch * prefBranch)
{
// keep these values in sync with security-prefs.js and firefox.js
static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 0;
static const int32_t PSM_DEFAULT_MAX_TLS_VERSION = 1;
int32_t minVersion = Preferences::GetInt("security.tls.version.min",
PSM_DEFAULT_MIN_TLS_VERSION);
int32_t maxVersion = Preferences::GetInt("security.tls.version.max",
PSM_DEFAULT_MAX_TLS_VERSION);
int32_t minVersion = PSM_DEFAULT_MIN_TLS_VERSION;
int32_t maxVersion = PSM_DEFAULT_MAX_TLS_VERSION;
mPrefBranch->GetIntPref("security.tls.version.min", &minVersion);
mPrefBranch->GetIntPref("security.tls.version.max", &maxVersion);
// 0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, etc.
minVersion += SSL_LIBRARY_VERSION_3_0;
@ -999,11 +1016,13 @@ NS_IMETHODIMP
nsNSSComponent::SkipOcspOff()
{
nsNSSShutDownPreventionLock locker;
// 0 = disabled, 1 = enabled
int32_t ocspEnabled = Preferences::GetInt("security.OCSP.enabled",
OCSP_ENABLED_DEFAULT);
int32_t ocspEnabled;
if (NS_FAILED(mPrefBranch->GetIntPref("security.OCSP.enabled", &ocspEnabled)))
ocspEnabled = OCSP_ENABLED_DEFAULT;
// 0 = disabled, 1 = enabled,
// 2 = enabled with given default responder
setNonPkixOcspEnabled(ocspEnabled);
setNonPkixOcspEnabled(ocspEnabled, mPrefBranch);
if (ocspEnabled)
SSL_ClearSessionCache();
@ -1031,14 +1050,6 @@ static void configureMD5(bool enabled)
}
}
static const bool SUPPRESS_WARNING_PREF_DEFAULT = false;
static const bool MD5_ENABLED_DEFAULT = false;
static const bool TLS_SESSION_TICKETS_ENABLED_DEFAULT = true;
static const bool REQUIRE_SAFE_NEGOTIATION_DEFAULT = false;
static const bool ALLOW_UNRESTRICTED_RENEGO_DEFAULT = false;
static const bool FALSE_START_ENABLED_DEFAULT = true;
static const bool CIPHER_ENABLED_DEFAULT = false;
nsresult
nsNSSComponent::InitializeNSS(bool showWarningBox)
{
@ -1108,13 +1119,17 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
}
#ifndef NSS_NO_LIBPKIX
globalConstFlagUsePKIXVerification =
Preferences::GetBool("security.use_libpkix_verification", USE_NSS_LIBPKIX_DEFAULT);
rv = mPrefBranch->GetBoolPref("security.use_libpkix_verification", &globalConstFlagUsePKIXVerification);
if (NS_FAILED(rv))
globalConstFlagUsePKIXVerification = USE_NSS_LIBPKIX_DEFAULT;
#endif
bool suppressWarningPref =
Preferences::GetBool("security.suppress_nss_rw_impossible_warning",
SUPPRESS_WARNING_PREF_DEFAULT);
bool supress_warning_preference = false;
rv = mPrefBranch->GetBoolPref("security.suppress_nss_rw_impossible_warning", &supress_warning_preference);
if (NS_FAILED(rv)) {
supress_warning_preference = false;
}
// init phase 2, init calls to NSS library
@ -1140,7 +1155,7 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
if (init_rv != SECSuccess) {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("can not init NSS r/w in %s\n", profileStr.get()));
if (suppressWarningPref) {
if (supress_warning_preference) {
which_nss_problem = problem_none;
}
else {
@ -1178,44 +1193,38 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
SharedSSLState::GlobalInit();
// Register an observer so we can inform NSS when these prefs change
Preferences::AddStrongObserver(this, "security.");
mPrefBranch->AddObserver("security.", this, false);
SSL_OptionSetDefault(SSL_ENABLE_SSL2, false);
SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, false);
rv = setEnabledTLSVersions();
rv = setEnabledTLSVersions(mPrefBranch);
if (NS_FAILED(rv)) {
nsPSMInitPanic::SetPanic();
return NS_ERROR_UNEXPECTED;
}
bool md5Enabled = Preferences::GetBool("security.enable_md5_signatures",
MD5_ENABLED_DEFAULT);
configureMD5(md5Enabled);
bool enabled = true; // XXX: see bug 733644
mPrefBranch->GetBoolPref("security.enable_md5_signatures", &enabled);
configureMD5(enabled);
// Configure TLS session tickets
bool tlsSessionTicketsEnabled =
Preferences::GetBool("security.enable_tls_session_tickets",
TLS_SESSION_TICKETS_ENABLED_DEFAULT);
SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, tlsSessionTicketsEnabled);
mPrefBranch->GetBoolPref("security.enable_tls_session_tickets", &enabled);
SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, enabled);
bool requireSafeNegotiation =
Preferences::GetBool("security.ssl.require_safe_negotiation",
REQUIRE_SAFE_NEGOTIATION_DEFAULT);
SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, requireSafeNegotiation);
mPrefBranch->GetBoolPref("security.ssl.require_safe_negotiation", &enabled);
SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, enabled);
bool allowUnrestrictedRenego =
Preferences::GetBool("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
ALLOW_UNRESTRICTED_RENEGO_DEFAULT);
mPrefBranch->GetBoolPref(
"security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
&enabled);
SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION,
allowUnrestrictedRenego ?
SSL_RENEGOTIATE_UNRESTRICTED :
SSL_RENEGOTIATE_REQUIRES_XTN);
enabled ? SSL_RENEGOTIATE_UNRESTRICTED : SSL_RENEGOTIATE_REQUIRES_XTN);
#ifdef SSL_ENABLE_FALSE_START // Requires NSS 3.12.8
bool falseStartEnabled = Preferences::GetBool("security.ssl.enable_false_start",
FALSE_START_ENABLED_DEFAULT);
SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, falseStartEnabled);
mPrefBranch->GetBoolPref("security.ssl.enable_false_start", &enabled);
SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, enabled);
#endif
// Disable any ciphers that NSS might have enabled by default
@ -1225,11 +1234,13 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
SSL_CipherPrefSetDefault(cipher_id, false);
}
bool cipherEnabled;
// Now only set SSL/TLS ciphers we knew about at compile time
for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {
cipherEnabled = Preferences::GetBool(cp->pref, CIPHER_ENABLED_DEFAULT);
SSL_CipherPrefSetDefault(cp->id, cipherEnabled);
rv = mPrefBranch->GetBoolPref(cp->pref, &enabled);
if (NS_FAILED(rv))
enabled = false;
SSL_CipherPrefSetDefault(cp->id, enabled);
}
// Enable ciphers for PKCS#12
@ -1243,7 +1254,7 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
PORT_SetUCS2_ASCIIConversionFunction(pip_ucs2_ascii_conversion_fn);
// dynamic options from prefs
setValidationOptions();
setValidationOptions(mPrefBranch);
mHttpForNSS.initTable();
mHttpForNSS.registerHttpClient();
@ -1289,7 +1300,9 @@ nsNSSComponent::ShutdownNSS()
PK11_SetPasswordFunc((PK11PasswordFunc)nullptr);
mHttpForNSS.unregisterHttpClient();
Preferences::RemoveObserver(this, "security.");
if (mPrefBranch) {
mPrefBranch->RemoveObserver("security.", this);
}
#ifndef MOZ_DISABLE_CRYPTOLEGACY
ShutdownSmartCardThreads();
@ -1311,8 +1324,6 @@ nsNSSComponent::ShutdownNSS()
}
}
static const bool SEND_LM_DEFAULT = false;
NS_IMETHODIMP
nsNSSComponent::Init()
{
@ -1348,8 +1359,13 @@ nsNSSComponent::Init()
getter_Copies(result));
}
bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response",
SEND_LM_DEFAULT);
if (!mPrefBranch) {
mPrefBranch = do_GetService(NS_PREFSERVICE_CONTRACTID);
NS_ASSERTION(mPrefBranch, "Unable to get pref service");
}
bool sendLM = false;
mPrefBranch->GetBoolPref("network.ntlm.send-lm-response", &sendLM);
nsNTLMAuthModule::SetSendLM(sendLM);
// Do that before NSS init, to make sure we won't get unloaded.
@ -1619,40 +1635,31 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
else if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
nsNSSShutDownPreventionLock locker;
bool clearSessionCache = false;
bool enabled;
NS_ConvertUTF16toUTF8 prefName(someData);
if (prefName.Equals("security.tls.version.min") ||
prefName.Equals("security.tls.version.max")) {
(void) setEnabledTLSVersions();
(void) setEnabledTLSVersions(mPrefBranch);
clearSessionCache = true;
} else if (prefName.Equals("security.enable_md5_signatures")) {
bool md5Enabled = Preferences::GetBool("security.enable_md5_signatures",
MD5_ENABLED_DEFAULT);
configureMD5(md5Enabled);
mPrefBranch->GetBoolPref("security.enable_md5_signatures", &enabled);
configureMD5(enabled);
clearSessionCache = true;
} else if (prefName.Equals("security.enable_tls_session_tickets")) {
bool tlsSessionTicketsEnabled =
Preferences::GetBool("security.enable_tls_session_tickets",
TLS_SESSION_TICKETS_ENABLED_DEFAULT);
SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, tlsSessionTicketsEnabled);
mPrefBranch->GetBoolPref("security.enable_tls_session_tickets", &enabled);
SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, enabled);
} else if (prefName.Equals("security.ssl.require_safe_negotiation")) {
bool requireSafeNegotiation =
Preferences::GetBool("security.ssl.require_safe_negotiation",
REQUIRE_SAFE_NEGOTIATION_DEFAULT);
SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, requireSafeNegotiation);
mPrefBranch->GetBoolPref("security.ssl.require_safe_negotiation", &enabled);
SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, enabled);
} else if (prefName.Equals("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref")) {
bool allowUnrestrictedRenego =
Preferences::GetBool("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
ALLOW_UNRESTRICTED_RENEGO_DEFAULT);
mPrefBranch->GetBoolPref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", &enabled);
SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION,
allowUnrestrictedRenego ?
SSL_RENEGOTIATE_UNRESTRICTED :
SSL_RENEGOTIATE_REQUIRES_XTN);
enabled ? SSL_RENEGOTIATE_UNRESTRICTED : SSL_RENEGOTIATE_REQUIRES_XTN);
#ifdef SSL_ENABLE_FALSE_START // Requires NSS 3.12.8
} else if (prefName.Equals("security.ssl.enable_false_start")) {
bool falseStartEnabled = Preferences::GetBool("security.ssl.enable_false_start",
FALSE_START_ENABLED_DEFAULT);
SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, falseStartEnabled);
mPrefBranch->GetBoolPref("security.ssl.enable_false_start", &enabled);
SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, enabled);
#endif
} else if (prefName.Equals("security.OCSP.enabled")
|| prefName.Equals("security.CRL_download.enabled")
@ -1662,18 +1669,17 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
|| prefName.Equals("security.OCSP.require")
|| prefName.Equals("security.ssl.enable_ocsp_stapling")) {
MutexAutoLock lock(mutex);
setValidationOptions();
setValidationOptions(mPrefBranch);
} else if (prefName.Equals("network.ntlm.send-lm-response")) {
bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response",
SEND_LM_DEFAULT);
bool sendLM = false;
mPrefBranch->GetBoolPref("network.ntlm.send-lm-response", &sendLM);
nsNTLMAuthModule::SetSendLM(sendLM);
} else {
/* Look through the cipher table and set according to pref setting */
bool cipherEnabled;
for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {
if (prefName.Equals(cp->pref)) {
cipherEnabled = Preferences::GetBool(cp->pref, CIPHER_ENABLED_DEFAULT);
SSL_CipherPrefSetDefault(cp->id, cipherEnabled);
mPrefBranch->GetBoolPref(cp->pref, &enabled);
SSL_CipherPrefSetDefault(cp->id, enabled);
clearSessionCache = true;
break;
}

6
security/manager/ssl/src/nsNSSComponent.h
View File

@ -13,6 +13,7 @@
#include "nsISignatureVerifier.h"
#include "nsIEntropyCollector.h"
#include "nsIStringBundle.h"
#include "nsIPrefBranch.h"
#include "nsIObserver.h"
#include "nsIObserverService.h"
#ifndef MOZ_DISABLE_CRYPTOLEGACY
@ -184,8 +185,8 @@ private:
void InstallLoadableRoots();
void UnloadLoadableRoots();
void CleanupIdentityInfo();
void setValidationOptions();
nsresult setEnabledTLSVersions();
void setValidationOptions(nsIPrefBranch * pref);
nsresult setEnabledTLSVersions(nsIPrefBranch * pref);
nsresult InitializePIPNSSBundle();
nsresult ConfigureInternalPKCS11Token();
nsresult RegisterObservers();
@ -202,6 +203,7 @@ private:
nsCOMPtr<nsIStringBundle> mPIPNSSBundle;
nsCOMPtr<nsIStringBundle> mNSSErrorsBundle;
nsCOMPtr<nsIPrefBranch> mPrefBranch;
bool mNSSInitialized;
bool mObserversRegistered;
static int mInstanceCount;