Bug 787155: Avoid using libpkix on B2G to work around crash in PKIX_List_GetItem and improve performance, r=honzab, a=tef+

--HG--
extra : rebase_source : 88ef8746f7f74dc4891599ba6d074a20c801778f
Brian Smith 2013-04-17 17:17:10 -07:00
parent 01afd7c8e0
commit 7eb83c7ec9
15 changed files with 200 additions and 76 deletions


@ -223,6 +223,7 @@ if test -n "$gonkdir" ; then
AC_DEFINE(HAVE_PTHREADS)
CROSS_COMPILE=1
MOZ_CHROME_FILE_FORMAT=omni
NSS_NO_LIBPKIX=1
direct_nspr_config=1
else
MOZ_ANDROID_NDK
@ -8541,6 +8542,8 @@ AC_SUBST(MOZ_PERMISSIONS)
AC_SUBST(MOZ_PREF_EXTENSIONS)
AC_SUBST(MOZ_JS_LIBS)
AC_SUBST(MOZ_PSM)
AC_DEFINE(NSS_NO_LIBPKIX)
AC_SUBST(NSS_NO_LIBPKIX)
AC_SUBST(MOZ_DEBUG)
AC_SUBST(MOZ_DEBUG_SYMBOLS)
AC_SUBST(MOZ_DEBUG_ENABLE_DEFS)
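Review bot: `AC_DEFINE(NSS_NO_LIBPKIX)` in the second hunk sits among unconditional `AC_SUBST` calls, so as far as this hunk shows the macro is defined for every target, not only when the gonk branch sets `NSS_NO_LIBPKIX=1`. That would compile out the libpkix verification path on all platforms, make the EV getters patched elsewhere in this commit always report false, and leave `security.use_libpkix_verification` unread. Guard the define on the shell variable, for example `if test -n "$NSS_NO_LIBPKIX"; then` / `AC_DEFINE(NSS_NO_LIBPKIX)` / `fi`, and keep the `AC_SUBST` unconditional.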


@ -20,7 +20,6 @@ LIBXUL_LIBRARY = 1
CPPSRCS = \
CryptoTask.cpp \
JARSignatureVerification.cpp \
nsCERTValInParamWrapper.cpp \
nsNSSCleaner.cpp \
nsCertOverrideService.cpp \
nsRecentBadCerts.cpp \
@ -73,6 +72,12 @@ CPPSRCS = \
SharedSSLState.cpp \
$(NULL)
ifndef NSS_NO_LIBPKIX
CPPSRCS += \
nsCERTValInParamWrapper.cpp \
$(NULL)
endif
ifndef MOZ_DISABLE_CRYPTOLEGACY
CPPSRCS += \
nsSmartCardMonitor.cpp \


@ -476,14 +476,6 @@ CreateCertErrorRunnable(PRErrorCode defaultErrorCodeToReport,
return nullptr;
}
RefPtr<nsCERTValInParamWrapper> survivingParams;
nsrv = inss->GetDefaultCERTValInParam(survivingParams);
if (NS_FAILED(nsrv)) {
NS_ERROR("GetDefaultCERTValInParam failed");
PR_SetError(defaultErrorCodeToReport, 0);
return nullptr;
}
PLArenaPool *log_arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
PLArenaPoolCleanerFalseParam log_arena_cleaner(log_arena);
if (!log_arena) {
@ -499,13 +491,24 @@ CreateCertErrorRunnable(PRErrorCode defaultErrorCodeToReport,
CERTVerifyLogContentsCleaner verify_log_cleaner(verify_log);
verify_log->arena = log_arena;
#ifndef NSS_NO_LIBPKIX
if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
#endif
srv = CERT_VerifyCertificate(CERT_GetDefaultCertDB(), cert,
true, certificateUsageSSLServer,
PR_Now(), static_cast<void*>(infoObject),
verify_log, nullptr);
#ifndef NSS_NO_LIBPKIX
}
else {
RefPtr<nsCERTValInParamWrapper> survivingParams;
nsrv = inss->GetDefaultCERTValInParam(survivingParams);
if (NS_FAILED(nsrv)) {
NS_ERROR("GetDefaultCERTValInParam failed");
PR_SetError(defaultErrorCodeToReport, 0);
return nullptr;
}
CERTValOutParam cvout[2];
cvout[0].type = cert_po_errorLog;
cvout[0].value.pointer.log = verify_log;
@ -515,6 +518,7 @@ CreateCertErrorRunnable(PRErrorCode defaultErrorCodeToReport,
survivingParams->GetRawPointerForNSS(),
cvout, static_cast<void*>(infoObject));
}
#endif
// We ignore the result code of the cert verification.
// Either it is a failure, which is expected, and we'll process the
@ -666,9 +670,12 @@ PSM_SSL_PKIX_AuthCertificate(CERTCertificate *peerCert, void * pinarg,
{
SECStatus rv;
#ifndef NSS_NO_LIBPKIX
if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
#endif
rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), peerCert, true,
certUsageSSLServer, pinarg);
#ifndef NSS_NO_LIBPKIX
}
else {
nsresult nsrv;
@ -686,6 +693,7 @@ PSM_SSL_PKIX_AuthCertificate(CERTCertificate *peerCert, void * pinarg,
survivingParams->GetRawPointerForNSS(),
cvout, pinarg);
}
#endif
if (rv == SECSuccess) {
/* cert is OK. This is the client side of an SSL connection.
@ -1073,12 +1081,16 @@ SSLServerCertVerificationJob::Run()
if (rv == SECSuccess) {
uint32_t interval = (uint32_t) ((TimeStamp::Now() - mJobStartTime).ToMilliseconds());
Telemetry::ID telemetryID;
#ifndef NSS_NO_LIBPKIX
if(nsNSSComponent::globalConstFlagUsePKIXVerification){
telemetryID = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX;
}
else{
#endif
telemetryID = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC;
#ifndef NSS_NO_LIBPKIX
}
#endif
RefPtr<SSLServerCertVerificationResult> restart(
new SSLServerCertVerificationResult(mInfoObject, 0,
telemetryID, interval));
@ -1092,12 +1104,16 @@ SSLServerCertVerificationJob::Run()
{
TimeStamp now = TimeStamp::Now();
Telemetry::ID telemetryID;
#ifndef NSS_NO_LIBPKIX
if(nsNSSComponent::globalConstFlagUsePKIXVerification){
telemetryID = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX;
}
else{
#endif
telemetryID = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC;
#ifndef NSS_NO_LIBPKIX
}
#endif
MutexAutoLock telemetryMutex(*gSSLVerificationTelemetryMutex);
Telemetry::AccumulateTimeDelta(telemetryID,
mJobStartTime,
@ -1274,6 +1290,7 @@ AuthCertificateHook(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
return SECFailure;
}
#ifndef NSS_NO_LIBPKIX
class InitializeIdentityInfo : public nsRunnable
, public nsNSSShutDownObject
{
@ -1302,9 +1319,11 @@ private:
shutdown(calledFromObject);
}
};
#endif
void EnsureServerVerificationInitialized()
{
#ifndef NSS_NO_LIBPKIX
// Should only be called from socket transport thread due to the static
// variable and the reference to gCertVerificationThreadPool
@ -1316,6 +1335,7 @@ void EnsureServerVerificationInitialized()
RefPtr<InitializeIdentityInfo> initJob = new InitializeIdentityInfo();
if (gCertVerificationThreadPool)
gCertVerificationThreadPool->Dispatch(initJob, NS_DISPATCH_NORMAL);
#endif
}
SSLServerCertVerificationResult::SSLServerCertVerificationResult(
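Review bot: The `#ifndef NSS_NO_LIBPKIX` blocks in CreateCertErrorRunnable, PSM_SSL_PKIX_AuthCertificate and both telemetry selections in SSLServerCertVerificationJob::Run open an `if`/`else` in one preprocessor region and close its brace in another, which makes the two build configurations hard to check by eye. The same pattern recurs in the nsCMSMessage::CommonVerifySignature, nsNSSCertificate::VerifyForUsage, nsNSSCertificateDB and nsUsageArrayHelper::GetUsagesArray sections. Tag each closing directive the way the identity-checking file already does, `#endif // NSS_NO_LIBPKIX`, and add a one-line comment at each site such as `// Without libpkix only the classic CERT_Verify* path is compiled.`. The bodies of these functions continue outside the hunks.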


@ -264,7 +264,9 @@ nsresult nsCMSMessage::CommonVerifySignature(unsigned char* aDigestData, uint32_
// See bug 324474. We want to make sure the signing cert is
// still valid at the current time.
#ifndef NSS_NO_LIBPKIX
if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
#endif
if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), si->cert, true,
certificateUsageEmailSigner,
si->cmsg->pwfn_arg, nullptr) != SECSuccess) {
@ -272,6 +274,7 @@ nsresult nsCMSMessage::CommonVerifySignature(unsigned char* aDigestData, uint32_
rv = NS_ERROR_CMS_VERIFY_UNTRUSTED;
goto loser;
}
#ifndef NSS_NO_LIBPKIX
}
else {
CERTValOutParam cvout[1];
@ -294,6 +297,7 @@ nsresult nsCMSMessage::CommonVerifySignature(unsigned char* aDigestData, uint32_
goto loser;
}
}
#endif
// We verify the first signer info, only //
if (NSS_CMSSignedData_VerifySignerInfo(sigd, 0, CERT_GetDefaultCertDB(), certUsageEmailSigner) != SECSuccess) {


@ -4,6 +4,12 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsNSSCertificate.h"
#include "nsNSSComponent.h"
#include "nsSSLStatus.h"
#ifndef NSS_NO_LIBPKIX
#include "mozilla/RefPtr.h"
#include "nsAppDirectoryServiceDefs.h"
#include "nsStreamUtils.h"
@ -14,9 +20,7 @@
#include "cert.h"
#include "base64.h"
#include "nsNSSComponent.h"
#include "nsSSLStatus.h"
#include "nsNSSCertificate.h"
#include "ScopedNSSTypes.h"
using namespace mozilla;
@ -1154,12 +1158,17 @@ static SECStatus getFirstEVPolicy(CERTCertificate *cert, SECOidTag &outOidTag)
return SECFailure;
}
#endif
NS_IMETHODIMP
nsSSLStatus::GetIsExtendedValidation(bool* aIsEV)
{
NS_ENSURE_ARG_POINTER(aIsEV);
*aIsEV = false;
#ifdef NSS_NO_LIBPKIX
return NS_OK;
#else
nsCOMPtr<nsIX509Cert> cert = mServerCert;
nsresult rv;
nsCOMPtr<nsIIdentityInfo> idinfo = do_QueryInterface(cert, &rv);
@ -1180,8 +1189,11 @@ nsSSLStatus::GetIsExtendedValidation(bool* aIsEV)
return NS_OK;
return idinfo->GetIsExtendedValidation(aIsEV);
#endif
}
#ifndef NSS_NO_LIBPKIX
nsresult
nsNSSCertificate::hasValidEVOidTag(SECOidTag &resultOidTag, bool &validEV)
{
@ -1314,9 +1326,15 @@ nsNSSCertificate::getValidEVOidTag(SECOidTag &resultOidTag, bool &validEV)
return rv;
}
#endif // NSS_NO_LIBPKIX
NS_IMETHODIMP
nsNSSCertificate::GetIsExtendedValidation(bool* aIsEV)
{
#ifdef NSS_NO_LIBPKIX
*aIsEV = false;
return NS_OK;
#else
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown())
return NS_ERROR_NOT_AVAILABLE;
@ -1331,11 +1349,15 @@ nsNSSCertificate::GetIsExtendedValidation(bool* aIsEV)
SECOidTag oid_tag;
return getValidEVOidTag(oid_tag, *aIsEV);
#endif
}
NS_IMETHODIMP
nsNSSCertificate::GetValidEVPolicyOid(nsACString &outDottedOid)
{
outDottedOid.Truncate();
#ifndef NSS_NO_LIBPKIX
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown())
return NS_ERROR_NOT_AVAILABLE;
@ -1358,9 +1380,13 @@ nsNSSCertificate::GetValidEVPolicyOid(nsACString &outDottedOid)
outDottedOid = oid_str;
PR_smprintf_free(oid_str);
}
#endif
return NS_OK;
}
#ifndef NSS_NO_LIBPKIX
NS_IMETHODIMP
nsNSSComponent::EnsureIdentityInfoLoaded()
{
@ -1396,3 +1422,5 @@ nsNSSComponent::CleanupIdentityInfo()
#endif
memset(&mIdentityInfoCallOnce, 0, sizeof(PRCallOnceType));
}
#endif
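Review bot: In nsNSSCertificate::GetIsExtendedValidation the new `#ifdef NSS_NO_LIBPKIX` branch writes `*aIsEV = false;` without checking the out-pointer, whereas nsSSLStatus::GetIsExtendedValidation in the same section runs `NS_ENSURE_ARG_POINTER(aIsEV);` first. The branch also returns before the `isAlreadyShutDown()` check that the `#else` path performs, so the two builds return different codes after NSS shutdown; that may be intended but deserves a comment. Suggested: put `NS_ENSURE_ARG_POINTER(aIsEV);` ahead of the `#ifdef`, then keep `*aIsEV = false;` and `return NS_OK;` as they are. Part of the `#else` body lies outside the hunk, so an existing argument check there cannot be ruled out.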


@ -2088,7 +2088,9 @@ nsNSSCertificate::CreateTBSCertificateASN1Struct(nsIASN1Sequence **retSequence,
}
if (mCert->extensions) {
SECOidTag ev_oid_tag;
SECOidTag ev_oid_tag = SEC_OID_UNKNOWN;
#ifndef NSS_NO_LIBPKIX
bool validEV;
rv = hasValidEVOidTag(ev_oid_tag, validEV);
if (NS_FAILED(rv))
@ -2096,6 +2098,7 @@ nsNSSCertificate::CreateTBSCertificateASN1Struct(nsIASN1Sequence **retSequence,
if (!validEV)
ev_oid_tag = SEC_OID_UNKNOWN;
#endif
rv = ProcessExtensions(mCert->extensions, sequence, ev_oid_tag, nssComponent);
if (NS_FAILED(rv))


@ -127,11 +127,13 @@ nsNSSCertificate::InitFromDER(char *certDER, int derLen)
return true;
}
nsNSSCertificate::nsNSSCertificate(CERTCertificate *cert) :
mCert(nullptr),
mPermDelete(false),
mCertType(CERT_TYPE_NOT_YET_INITIALIZED),
mCachedEVStatus(ev_status_unknown)
nsNSSCertificate::nsNSSCertificate(CERTCertificate *cert)
: mCert(nullptr)
, mPermDelete(false)
, mCertType(CERT_TYPE_NOT_YET_INITIALIZED)
#ifndef NSS_NO_LIBPKIX
, mCachedEVStatus(ev_status_unknown)
#endif
{
#if defined(DEBUG)
if (GeckoProcessType_Default != XRE_GetProcessType())
@ -146,11 +148,13 @@ nsNSSCertificate::nsNSSCertificate(CERTCertificate *cert) :
mCert = CERT_DupCertificate(cert);
}
nsNSSCertificate::nsNSSCertificate() :
mCert(nullptr),
mPermDelete(false),
mCertType(CERT_TYPE_NOT_YET_INITIALIZED),
mCachedEVStatus(ev_status_unknown)
nsNSSCertificate::nsNSSCertificate()
: mCert(nullptr)
, mPermDelete(false)
, mCertType(CERT_TYPE_NOT_YET_INITIALIZED)
#ifndef NSS_NO_LIBPKIX
, mCachedEVStatus(ev_status_unknown)
#endif
{
if (GeckoProcessType_Default != XRE_GetProcessType())
NS_ERROR("Trying to initialize nsNSSCertificate in a non-chrome process!");
@ -1201,15 +1205,6 @@ nsNSSCertificate::VerifyForUsage(uint32_t usage, uint32_t *verificationResult)
NS_ENSURE_ARG(verificationResult);
nsresult nsrv;
nsCOMPtr<nsINSSComponent> inss = do_GetService(kNSSComponentCID, &nsrv);
if (!inss)
return nsrv;
RefPtr<nsCERTValInParamWrapper> survivingParams;
nsrv = inss->GetDefaultCERTValInParam(survivingParams);
if (NS_FAILED(nsrv))
return nsrv;
SECCertificateUsage nss_usage;
switch (usage)
@ -1267,18 +1262,30 @@ nsNSSCertificate::VerifyForUsage(uint32_t usage, uint32_t *verificationResult)
}
SECStatus verify_result;
#ifndef NSS_NO_LIBPKIX
if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
#endif
CERTCertDBHandle *defaultcertdb = CERT_GetDefaultCertDB();
verify_result = CERT_VerifyCertificateNow(defaultcertdb, mCert, true,
nss_usage, nullptr, nullptr);
#ifndef NSS_NO_LIBPKIX
}
else {
nsresult nsrv;
nsCOMPtr<nsINSSComponent> inss = do_GetService(kNSSComponentCID, &nsrv);
if (!inss)
return nsrv;
RefPtr<nsCERTValInParamWrapper> survivingParams;
nsrv = inss->GetDefaultCERTValInParam(survivingParams);
if (NS_FAILED(nsrv))
return nsrv;
CERTValOutParam cvout[1];
cvout[0].type = cert_po_end;
verify_result = CERT_PKIXVerifyCert(mCert, nss_usage,
survivingParams->GetRawPointerForNSS(),
cvout, nullptr);
}
#endif
if (verify_result == SECSuccess)
{
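Review bot: Both rewritten constructor initializer lists set `mCachedEVStatus` but leave `mCachedEVOidTag`, which the class declares right after it, without an initial value. Reads are presumably gated on `mCachedEVStatus`, which cannot be confirmed from these hunks, but initialising the tag costs nothing. Add `, mCachedEVOidTag(SEC_OID_UNKNOWN)` after `, mCachedEVStatus(ev_status_unknown)` inside the same `#ifndef NSS_NO_LIBPKIX` block in both constructors.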


@ -69,12 +69,14 @@ private:
void destructorSafeDestroyNSSReference();
bool InitFromDER(char* certDER, int derLen); // return false on failure
#ifndef NSS_NO_LIBPKIX
enum {
ev_status_unknown = -1, ev_status_invalid = 0, ev_status_valid = 1
} mCachedEVStatus;
SECOidTag mCachedEVOidTag;
nsresult hasValidEVOidTag(SECOidTag &resultOidTag, bool &validEV);
nsresult getValidEVOidTag(SECOidTag &resultOidTag, bool &validEV);
#endif
};
class nsNSSCertList: public nsIX509CertList


@ -500,17 +500,7 @@ nsNSSCertificateDB::ImportEmailCertificate(uint8_t * data, uint32_t length,
SECItem **rawArray;
int numcerts;
int i;
CERTValOutParam cvout[1];
cvout[0].type = cert_po_end;
nsCOMPtr<nsINSSComponent> inss = do_GetService(kNSSComponentCID, &nsrv);
if (!inss)
return nsrv;
RefPtr<nsCERTValInParamWrapper> survivingParams;
nsrv = inss->GetDefaultCERTValInParam(survivingParams);
if (NS_FAILED(nsrv))
return nsrv;
PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena)
return NS_ERROR_OUT_OF_MEMORY;
@ -577,13 +567,25 @@ nsNSSCertificateDB::ImportEmailCertificate(uint8_t * data, uint32_t length,
continue;
}
#ifndef NSS_NO_LIBPKIX
if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
#endif
if (CERT_VerifyCert(certdb, node->cert,
true, certusage, now, ctx, nullptr) != SECSuccess) {
alert_and_skip = true;
}
#ifndef NSS_NO_LIBPKIX
}
else {
nsCOMPtr<nsINSSComponent> inss = do_GetService(kNSSComponentCID, &nsrv);
if (!inss)
return nsrv;
RefPtr<nsCERTValInParamWrapper> survivingParams;
nsrv = inss->GetDefaultCERTValInParam(survivingParams);
if (NS_FAILED(nsrv))
return nsrv;
CERTValOutParam cvout[1];
cvout[0].type = cert_po_end;
if (CERT_PKIXVerifyCert(node->cert, certificateusage,
survivingParams->GetRawPointerForNSS(),
cvout, ctx)
@ -591,6 +593,7 @@ nsNSSCertificateDB::ImportEmailCertificate(uint8_t * data, uint32_t length,
alert_and_skip = true;
}
}
#endif
ScopedCERTCertificateList certChain;
@ -753,13 +756,6 @@ nsNSSCertificateDB::ImportValidCACertsInList(CERTCertList *certList, nsIInterfac
{
SECItem **rawArray;
nsresult nsrv;
nsCOMPtr<nsINSSComponent> inss = do_GetService(kNSSComponentCID, &nsrv);
if (!inss)
return nsrv;
RefPtr<nsCERTValInParamWrapper> survivingParams;
nsrv = inss->GetDefaultCERTValInParam(survivingParams);
if (NS_FAILED(nsrv))
return nsrv;
/* filter out the certs we don't want */
SECStatus srv = CERT_FilterCertListByUsage(certList, certUsageAnyCA, true);
@ -771,8 +767,6 @@ nsNSSCertificateDB::ImportValidCACertsInList(CERTCertList *certList, nsIInterfac
* valid chains, if yes, then import.
*/
CERTCertListNode *node;
CERTValOutParam cvout[1];
cvout[0].type = cert_po_end;
for (node = CERT_LIST_HEAD(certList);
!CERT_LIST_END(node,certList);
@ -780,13 +774,25 @@ nsNSSCertificateDB::ImportValidCACertsInList(CERTCertList *certList, nsIInterfac
bool alert_and_skip = false;
#ifndef NSS_NO_LIBPKIX
if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
#endif
if (CERT_VerifyCert(CERT_GetDefaultCertDB(), node->cert,
true, certUsageVerifyCA, PR_Now(), ctx, nullptr) != SECSuccess) {
alert_and_skip = true;
}
#ifndef NSS_NO_LIBPKIX
}
else {
nsCOMPtr<nsINSSComponent> inss = do_GetService(kNSSComponentCID, &nsrv);
if (!inss)
return nsrv;
RefPtr<nsCERTValInParamWrapper> survivingParams;
nsrv = inss->GetDefaultCERTValInParam(survivingParams);
if (NS_FAILED(nsrv))
return nsrv;
CERTValOutParam cvout[1];
cvout[0].type = cert_po_end;
if (CERT_PKIXVerifyCert(node->cert, certificateUsageVerifyCA,
survivingParams->GetRawPointerForNSS(),
cvout, ctx)
@ -794,6 +800,7 @@ nsNSSCertificateDB::ImportValidCACertsInList(CERTCertList *certList, nsIInterfac
alert_and_skip = true;
}
}
#endif
ScopedCERTCertificateList certChain;
@ -1324,19 +1331,6 @@ nsNSSCertificateDB::FindCertByEmailAddress(nsISupports *aToken, const char *aEma
{
nsNSSShutDownPreventionLock locker;
nsCOMPtr<nsINSSComponent> inss;
RefPtr<nsCERTValInParamWrapper> survivingParams;
nsresult nsrv;
if (nsNSSComponent::globalConstFlagUsePKIXVerification) {
inss = do_GetService(kNSSComponentCID, &nsrv);
if (!inss)
return nsrv;
nsrv = inss->GetDefaultCERTValInParam(survivingParams);
if (NS_FAILED(nsrv))
return nsrv;
}
ScopedCERTCertList certlist(
PK11_FindCertsFromEmailAddress(aEmailAddress, nullptr));
if (!certlist)
@ -1354,14 +1348,24 @@ nsNSSCertificateDB::FindCertByEmailAddress(nsISupports *aToken, const char *aEma
!CERT_LIST_END(node, certlist);
node = CERT_LIST_NEXT(node)) {
#ifndef NSS_NO_LIBPKIX
if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
#endif
if (CERT_VerifyCert(CERT_GetDefaultCertDB(), node->cert,
true, certUsageEmailRecipient, PR_Now(), nullptr, nullptr) == SECSuccess) {
// found a valid certificate
break;
}
#ifndef NSS_NO_LIBPKIX
}
else {
nsCOMPtr<nsINSSComponent> inss = do_GetService(kNSSComponentCID, &nsrv);
if (!inss)
return nsrv;
RefPtr<nsCERTValInParamWrapper> survivingParams;
nsresult nsrv = inss->GetDefaultCERTValInParam(survivingParams);
if (NS_FAILED(nsrv))
return nsrv;
CERTValOutParam cvout[1];
cvout[0].type = cert_po_end;
if (CERT_PKIXVerifyCert(node->cert, certificateUsageEmailRecipient,
@ -1372,6 +1376,7 @@ nsNSSCertificateDB::FindCertByEmailAddress(nsISupports *aToken, const char *aEma
break;
}
}
#endif
}
if (CERT_LIST_END(node, certlist)) {
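Review bot: In the FindCertByEmailAddress `else` branch, `do_GetService(kNSSComponentCID, &nsrv)` uses `nsrv` before the branch declares it on the later line `nsresult nsrv = inss->GetDefaultCERTValInParam(survivingParams);`, and the function-level `nsresult nsrv;` appears to be among the lines this commit removes. Unless another declaration exists outside the hunks, this fails to compile whenever NSS_NO_LIBPKIX is not defined; if one does exist, the inner declaration shadows it. Declare it first, `nsresult nsrv;` before the `do_GetService` line, and make the later line a plain assignment, `nsrv = inss->GetDefaultCERTValInParam(survivingParams);`. Separately, in ImportEmailCertificate the service lookup now runs inside the loop after `PORT_NewArena`, so its `return nsrv;` exits should be checked against the cleanup of `arena`, which is not visible here.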


@ -105,8 +105,12 @@ PRLogModuleInfo* gPIPNSSLog = nullptr;
#define NS_CRYPTO_HASH_BUFFER_SIZE 4096
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
int nsNSSComponent::mInstanceCount = 0;
#ifndef NSS_NO_LIBPKIX
bool nsNSSComponent::globalConstFlagUsePKIXVerification = false;
#endif
// XXX tmp callback for slot password
extern char* pk11PasswordPrompt(PK11SlotInfo *slot, PRBool retry, void *arg);
@ -351,9 +355,11 @@ nsNSSComponent::nsNSSComponent()
mTimer = nullptr;
mObserversRegistered = false;
#ifndef NSS_NO_LIBPKIX
// In order to keep startup time lower, we delay loading and
// registering all identity data until first needed.
memset(&mIdentityInfoCallOnce, 0, sizeof(PRCallOnceType));
#endif
NS_ASSERTION( (0 == mInstanceCount), "nsNSSComponent is a singleton, but instantiated multiple times!");
++mInstanceCount;
@ -1098,6 +1104,7 @@ void nsNSSComponent::setValidationOptions(nsIPrefBranch * pref)
ocspMode_FailureIsVerificationFailure
: ocspMode_FailureIsNotAVerificationFailure);
#ifndef NSS_NO_LIBPKIX
RefPtr<nsCERTValInParamWrapper> newCVIN(new nsCERTValInParamWrapper);
if (NS_SUCCEEDED(newCVIN->Construct(
aiaDownloadEnabled ?
@ -1115,6 +1122,7 @@ void nsNSSComponent::setValidationOptions(nsIPrefBranch * pref)
// as soon as any concurrent use of the old default objects has finished.
mDefaultCERTValInParam = newCVIN;
}
#endif
/*
* The new defaults might change the validity of already established SSL sessions,
@ -1692,9 +1700,11 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
TryCFM2MachOMigration(cfmSecurityPath, profilePath);
#endif
#ifndef NSS_NO_LIBPKIX
rv = mPrefBranch->GetBoolPref("security.use_libpkix_verification", &globalConstFlagUsePKIXVerification);
if (NS_FAILED(rv))
globalConstFlagUsePKIXVerification = USE_NSS_LIBPKIX_DEFAULT;
#endif
bool supress_warning_preference = false;
rv = mPrefBranch->GetBoolPref("security.suppress_nss_rw_impossible_warning", &supress_warning_preference);
@ -1826,6 +1836,7 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
// dynamic options from prefs
setValidationOptions(mPrefBranch);
#ifndef NSS_NO_LIBPKIX
// static validation options for usagesarray - do not hit the network
mDefaultCERTValInParamLocalOnly = new nsCERTValInParamWrapper;
rv = mDefaultCERTValInParamLocalOnly->Construct(
@ -1839,6 +1850,7 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
nsPSMInitPanic::SetPanic();
return rv;
}
#endif
RegisterMyOCSPAIAInfoCallback();
@ -1902,7 +1914,9 @@ nsNSSComponent::ShutdownNSS()
#endif
SSL_ClearSessionCache();
UnloadLoadableRoots();
#ifndef NSS_NO_LIBPKIX
CleanupIdentityInfo();
#endif
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("evaporating psm resources\n"));
mShutdownObjectList->evaporateAllNSSResources();
EnsureNSSInitialized(nssShutdown);
@ -2525,6 +2539,7 @@ nsNSSComponent::IsNSSInitialized(bool *initialized)
return NS_OK;
}
#ifndef NSS_NO_LIBPKIX
NS_IMETHODIMP
nsNSSComponent::GetDefaultCERTValInParam(RefPtr<nsCERTValInParamWrapper> &out)
{
@ -2544,6 +2559,7 @@ nsNSSComponent::GetDefaultCERTValInParamLocalOnly(RefPtr<nsCERTValInParamWrapper
out = mDefaultCERTValInParamLocalOnly;
return NS_OK;
}
#endif
//---------------------------------------------
// Implementing nsICryptoHash
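Review bot: The `security.use_libpkix_verification` read in InitializeNSS is now compiled out under NSS_NO_LIBPKIX with no comment or log line, so a profile that sets the pref silently gets classic verification. A short comment above the block would record that, for example `// NSS_NO_LIBPKIX builds ignore security.use_libpkix_verification; only classic verification exists.`. InitializeNSS starts and ends outside these hunks.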


@ -37,7 +37,10 @@
#include "nsNSSHelper.h"
#include "nsClientAuthRemember.h"
#ifndef NSS_NO_LIBPKIX
#include "nsCERTValInParamWrapper.h"
#endif
#define NS_NSSCOMPONENT_CID \
{0xa277189c, 0x1dd1, 0x11b2, {0xa8, 0xc9, 0xe4, 0xe8, 0xbf, 0xb1, 0x33, 0x8e}}
@ -152,15 +155,17 @@ class NS_NO_VTABLE nsINSSComponent : public nsISupports {
NS_IMETHOD DispatchEvent(const nsAString &eventType, const nsAString &token) = 0;
#endif
NS_IMETHOD EnsureIdentityInfoLoaded() = 0;
NS_IMETHOD IsNSSInitialized(bool *initialized) = 0;
#ifndef NSS_NO_LIBPKIX
NS_IMETHOD EnsureIdentityInfoLoaded() = 0;
NS_IMETHOD GetDefaultCERTValInParam(
mozilla::RefPtr<nsCERTValInParamWrapper> &out) = 0;
NS_IMETHOD GetDefaultCERTValInParamLocalOnly(
mozilla::RefPtr<nsCERTValInParamWrapper> &out) = 0;
#endif
};
NS_DEFINE_STATIC_IID_ACCESSOR(nsINSSComponent, NS_INSSCOMPONENT_IID)
@ -261,13 +266,9 @@ public:
void ShutdownSmartCardThreads();
nsresult DispatchEventToWindow(nsIDOMWindow *domWin, const nsAString &eventType, const nsAString &token);
#endif
NS_IMETHOD EnsureIdentityInfoLoaded();
NS_IMETHOD IsNSSInitialized(bool *initialized);
NS_IMETHOD GetDefaultCERTValInParam(
mozilla::RefPtr<nsCERTValInParamWrapper> &out);
NS_IMETHOD GetDefaultCERTValInParamLocalOnly(
mozilla::RefPtr<nsCERTValInParamWrapper> &out);
private:
nsresult InitializeNSS(bool showWarningBox);
@ -279,7 +280,6 @@ private:
void InstallLoadableRoots();
void UnloadLoadableRoots();
void CleanupIdentityInfo();
void setValidationOptions(nsIPrefBranch * pref);
nsresult setEnabledTLSVersions(nsIPrefBranch * pref);
nsresult InitializePIPNSSBundle();
@ -297,6 +297,16 @@ private:
void DoProfileChangeTeardown(nsISupports* aSubject);
void DoProfileBeforeChange(nsISupports* aSubject);
void DoProfileChangeNetRestore();
#ifndef NSS_NO_LIBPKIX
NS_IMETHOD EnsureIdentityInfoLoaded();
static PRStatus IdentityInfoInit(void);
void CleanupIdentityInfo();
NS_IMETHOD GetDefaultCERTValInParam(
mozilla::RefPtr<nsCERTValInParamWrapper> &out);
NS_IMETHOD GetDefaultCERTValInParamLocalOnly(
mozilla::RefPtr<nsCERTValInParamWrapper> &out);
#endif
Mutex mutex;
@ -327,14 +337,16 @@ private:
nsCertVerificationThread *mCertVerificationThread;
nsNSSHttpInterface mHttpForNSS;
#ifndef NSS_NO_LIBPKIX
private:
mozilla::RefPtr<nsCERTValInParamWrapper> mDefaultCERTValInParam;
mozilla::RefPtr<nsCERTValInParamWrapper> mDefaultCERTValInParamLocalOnly;
static PRStatus IdentityInfoInit(void);
PRCallOnceType mIdentityInfoCallOnce;
public:
static bool globalConstFlagUsePKIXVerification;
#endif
};
class PSMContentListener : public nsIURIContentListener,
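Review bot: The pure virtuals `EnsureIdentityInfoLoaded`, `GetDefaultCERTValInParam` and `GetDefaultCERTValInParamLocalOnly` in nsINSSComponent are now declared only when NSS_NO_LIBPKIX is undefined, so the interface's vtable layout depends on a build macro while `NS_INSSCOMPONENT_IID` is, as far as these hunks show, unchanged. Every translation unit that includes this header has to see the same setting of the macro; a comment on the block would say so, e.g. `// Layout depends on NSS_NO_LIBPKIX; the macro must come from the global config header.`. In nsNSSComponent the overrides also appear to move under `private:`, which still works through the interface but blocks direct calls on the concrete class, so confirm no caller relied on that.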


@ -20,10 +20,14 @@
#include "SSLServerCertVerification.h"
#include "nsNSSCertHelper.h"
#include "nsNSSCleaner.h"
#ifndef NSS_NO_LIBPKIX
#include "nsIDocShell.h"
#include "nsIDocShellTreeItem.h"
#include "nsISecureBrowserUI.h"
#include "nsIInterfaceRequestorUtils.h"
#endif
#include "nsCharSeparatedTokenizer.h"
#include "nsIConsoleService.h"
#include "PSMRunnable.h"
@ -158,6 +162,7 @@ nsNSSSocketInfo::SetNotificationCallbacks(nsIInterfaceRequestor* aCallbacks)
return NS_OK;
}
#ifndef NSS_NO_LIBPKIX
static void
getSecureBrowserUI(nsIInterfaceRequestor * callbacks,
nsISecureBrowserUI ** result)
@ -188,6 +193,7 @@ getSecureBrowserUI(nsIInterfaceRequestor * callbacks,
}
}
}
#endif
void
nsNSSSocketInfo::SetHandshakeCompleted(bool aResumedSession)
@ -381,6 +387,7 @@ nsresult nsNSSSocketInfo::SetFileDescPtr(PRFileDesc* aFilePtr)
return NS_OK;
}
#ifndef NSS_NO_LIBPKIX
class PreviousCertRunnable : public SyncRunnableBase
{
public:
@ -407,16 +414,19 @@ public:
private:
nsCOMPtr<nsIInterfaceRequestor> mCallbacks; // in
};
#endif
void nsNSSSocketInfo::GetPreviousCert(nsIX509Cert** _result)
{
NS_ASSERTION(_result, "_result parameter to GetPreviousCert is null");
*_result = nullptr;
#ifndef NSS_NO_LIBPKIX
RefPtr<PreviousCertRunnable> runnable(new PreviousCertRunnable(mCallbacks));
nsresult rv = runnable->DispatchToMainThreadAndWait();
NS_ASSERTION(NS_SUCCEEDED(rv), "runnable->DispatchToMainThreadAndWait() failed");
runnable->mPreviousCert.forget(_result);
#endif
}
void


@ -212,8 +212,6 @@ nsSSLStatus::GetClassIDNoAlloc(nsCID *aClassIDNoAlloc)
return NS_OK;
}
nsSSLStatus::nsSSLStatus()
: mKeyLength(0), mSecretKeyLength(0)
, mIsDomainMismatch(false)


@ -110,6 +110,8 @@ isFatalError(uint32_t checkResult)
} // unnamed namespace
#ifndef NSS_NO_LIBPKIX
// Validates the certificate for the given usage. If the certificate is valid
// for the given usage, aCounter is incremented, a string description of the
// usage is appended to outUsages, and nsNSSCertificate::VERIFIED_OK is
@ -213,6 +215,8 @@ nsUsageArrayHelper::check(uint32_t previousCheckResult,
return result;
}
#endif
// Maps the error code to one of the Constants for certificate verification
// results" in nsIX509Cert.
void
@ -266,7 +270,9 @@ nsUsageArrayHelper::GetUsagesArray(const char *suffix,
// TODO: This block will be removed as soon as the switch to libpkix is
// complete.
#ifndef NSS_NO_LIBPKIX
if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
#endif
if (localOnly) {
nssComponent->SkipOcsp();
}
@ -321,6 +327,8 @@ if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
*_verified = nsNSSCertificate::VERIFIED_OK;
}
return NS_OK;
#ifndef NSS_NO_LIBPKIX
}
RefPtr<nsCERTValInParamWrapper> params;
@ -377,4 +385,5 @@ if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
*_verified = nsNSSCertificate::VERIFIED_OK;
}
return NS_OK;
#endif
}
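Review bot: The comment kept above the classic block in GetUsagesArray, `// TODO: This block will be removed as soon as the switch to libpkix is complete.`, no longer matches the code: with NSS_NO_LIBPKIX defined this block is the only verification path compiled. Reword it, for example `// Classic verification; the only path when NSS_NO_LIBPKIX is defined.`. GetUsagesArray begins outside the hunk.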


@ -36,12 +36,14 @@ private:
uint32_t &aCounter,
PRUnichar **outUsages);
#ifndef NSS_NO_LIBPKIX
uint32_t check(uint32_t previousCheckResult,
const char *suffix,
SECCertificateUsage aCertUsage,
nsCERTValInParamWrapper * aValInParams,
uint32_t &aCounter,
PRUnichar **outUsages);
#endif
void verifyFailed(uint32_t *_verified, int err);
};