From 1dcb5ba1bb65aeeb10d15886677c99284dcf8f7c Mon Sep 17 00:00:00 2001 
From: Ehsan Akhgari Date: Wed, 12 Dec 2012 00:05:49 -0500 Subject: [PATCH] Backed out 7 changesets (bug 769288) because of leaks Backed out changeset b2fb475b6e4e (bug 769288) Backed out changeset 912331d0c2fd (bug 769288) Backed out changeset 6d8d78bd56a9 (bug 769288) Backed out changeset e75cd1e1fca3 (bug 769288) Backed out changeset e10c24f10bd2 (bug 769288) Backed out changeset 7b0fdedb4fa9 (bug 769288) Backed out changeset 42b468942a84 (bug 769288) --- .../src/nsPrivateBrowsingService.js | 5 + netwerk/base/public/nsASocketHandler.h | 3 - netwerk/base/src/nsSocketTransport2.cpp | 1 - .../base/src/nsSocketTransportService2.cpp | 45 +--- netwerk/base/src/nsSocketTransportService2.h | 2 - .../pki/resources/content/exceptionDialog.js | 7 +- .../ssl/public/nsIRecentBadCertsService.idl | 10 +- security/manager/ssl/public/nsIX509CertDB.idl | 13 +- security/manager/ssl/src/Makefile.in | 8 +- security/manager/ssl/src/PublicSSL.h | 23 -- .../ssl/src/SSLServerCertVerification.cpp | 126 ++++----- security/manager/ssl/src/SharedSSLState.cpp | 240 ------------------ security/manager/ssl/src/SharedSSLState.h | 72 ------ .../manager/ssl/src/nsCertOverrideService.cpp | 3 - .../manager/ssl/src/nsClientAuthRemember.cpp | 12 - .../manager/ssl/src/nsClientAuthRemember.h | 1 - security/manager/ssl/src/nsNSSCallbacks.cpp | 8 +- .../manager/ssl/src/nsNSSCertificateDB.cpp | 24 -- security/manager/ssl/src/nsNSSCertificateDB.h | 7 - security/manager/ssl/src/nsNSSComponent.cpp | 53 +++- security/manager/ssl/src/nsNSSComponent.h | 4 + security/manager/ssl/src/nsNSSIOLayer.cpp | 175 ++++--------- security/manager/ssl/src/nsNSSIOLayer.h | 62 ++--- security/manager/ssl/src/nsNSSModule.cpp | 5 + security/manager/ssl/src/nsRecentBadCerts.cpp | 34 +-- security/manager/ssl/src/nsRecentBadCerts.h | 10 +- 26 files changed, 218 insertions(+), 735 deletions(-) delete mode 100644 security/manager/ssl/src/PublicSSL.h delete mode 100644 security/manager/ssl/src/SharedSSLState.cpp delete mode 100644 
security/manager/ssl/src/SharedSSLState.h diff --git a/browser/components/privatebrowsing/src/nsPrivateBrowsingService.js b/browser/components/privatebrowsing/src/nsPrivateBrowsingService.js index 21d85fa004cf..47c2f6d8f72f 100644 --- a/browser/components/privatebrowsing/src/nsPrivateBrowsingService.js +++ b/browser/components/privatebrowsing/src/nsPrivateBrowsingService.js @@ -439,6 +439,11 @@ PrivateBrowsingService.prototype = { this._unload(); break; case "private-browsing": + // clear all auth tokens + let sdr = Cc["@mozilla.org/security/sdr;1"]. + getService(Ci.nsISecretDecoderRing); + sdr.logoutAndTeardown(); + if (!this._inPrivateBrowsing) { // Clear the error console let consoleService = Cc["@mozilla.org/consoleservice;1"]. diff --git a/netwerk/base/public/nsASocketHandler.h b/netwerk/base/public/nsASocketHandler.h index 7af6aa20e63a..ff459bbb2de7 100644 --- a/netwerk/base/public/nsASocketHandler.h +++ b/netwerk/base/public/nsASocketHandler.h @@ -15,7 +15,6 @@ public: : mCondition(NS_OK) , mPollFlags(0) , mPollTimeout(UINT16_MAX) - , mIsPrivate(false) {} // @@ -43,8 +42,6 @@ public: // uint16_t mPollTimeout; - bool mIsPrivate; - // // called to service a socket // diff --git a/netwerk/base/src/nsSocketTransport2.cpp b/netwerk/base/src/nsSocketTransport2.cpp index dd7eafc1f41a..a348eb59b117 100644 --- a/netwerk/base/src/nsSocketTransport2.cpp +++ b/netwerk/base/src/nsSocketTransport2.cpp @@ -2206,7 +2206,6 @@ NS_IMETHODIMP nsSocketTransport::SetConnectionFlags(uint32_t value) { mConnectionFlags = value; - mIsPrivate = value & nsISocketTransport::NO_PERMANENT_STORAGE; return NS_OK; } diff --git a/netwerk/base/src/nsSocketTransportService2.cpp b/netwerk/base/src/nsSocketTransportService2.cpp index 50889d8a1352..3bfb5f497c9c 100644 --- a/netwerk/base/src/nsSocketTransportService2.cpp +++ b/netwerk/base/src/nsSocketTransportService2.cpp 
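Review bot: The new `sdr.logoutAndTeardown()` call in the `"private-browsing"` case of nsPrivateBrowsingService.js (@@ -439) is unguarded, so an exception from `getService` or from the teardown aborts the rest of the case, including the error-console clearing that follows. It also sits before the `if (!this._inPrivateBrowsing)` test, so it runs on both entering and leaving private browsing. The `// clear all auth tokens` comment should say that this is intended. Consider `try { sdr.logoutAndTeardown(); } catch (ex) { Components.utils.reportError(ex); }` so a failure is reported without skipping the remaining cleanup. The observer body continues outside the hunk.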
@@ -23,7 +23,15 @@ #include "mozilla/Services.h" #include "mozilla/Preferences.h" #include "mozilla/Likely.h" -#include "mozilla/PublicSSL.h" + + +// XXX: There is no good header file to put these in. :( +namespace mozilla { namespace psm { + +void InitializeSSLServerCertVerificationThreads(); +void StopSSLServerCertVerificationThreads(); + +} } // namespace mozilla::psm using namespace mozilla; using namespace mozilla::net; @@ -462,7 +470,6 @@ nsSocketTransportService::Init() nsCOMPtr obsSvc = services::GetObserverService(); if (obsSvc) { obsSvc->AddObserver(this, "profile-initial-state", false); - obsSvc->AddObserver(this, "last-pb-context-exited", false); } mInitialized = true; @@ -510,7 +517,6 @@ nsSocketTransportService::Shutdown() nsCOMPtr obsSvc = services::GetObserverService(); if (obsSvc) { obsSvc->RemoveObserver(this, "profile-initial-state"); - obsSvc->RemoveObserver(this, "last-pb-context-exited"); } mozilla::net::NetworkActivityMonitor::Shutdown(); @@ -878,42 +884,9 @@ nsSocketTransportService::Observe(nsISupports *subject, return net::NetworkActivityMonitor::Init(blipInterval); } - - if (!strcmp(topic, "last-pb-context-exited")) { - nsCOMPtr ev = - NS_NewRunnableMethod(this, - &nsSocketTransportService::ClosePrivateConnections); - nsresult rv = Dispatch(ev, nsIEventTarget::DISPATCH_NORMAL); - NS_ENSURE_SUCCESS(rv, rv); - } - return NS_OK; } -void -nsSocketTransportService::ClosePrivateConnections() -{ - // Must be called on the socket thread. -#ifdef DEBUG - bool onSTSThread; - IsOnCurrentThread(&onSTSThread); - MOZ_ASSERT(onSTSThread); -#endif - - for (int32_t i = mActiveCount - 1; i >= 0; --i) { - if (mActiveList[i].mHandler->mIsPrivate) { - DetachSocket(mActiveList, &mActiveList[i]); - } - } - for (int32_t i = mIdleCount - 1; i >= 0; --i) { - if (mIdleList[i].mHandler->mIsPrivate) { - DetachSocket(mIdleList, &mIdleList[i]); - } - } - - mozilla::ClearPrivateSSLState(); -} - NS_IMETHODIMP nsSocketTransportService::GetSendBufferSize(int32_t *value) { 
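Review bot: The hand-written declarations of `InitializeSSLServerCertVerificationThreads()` and `StopSSLServerCertVerificationThreads()` in the first hunk (@@ -23) are not tied to their definitions. If either signature changes in PSM, this file still compiles and the mismatch shows up at link time at the earliest. The `XXX` comment explains why there is no header but not where the definitions live. I would extend it to something like `// Defined in PSM (<defining file>); keep these declarations in sync by hand.` so the next reader knows what to check.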
diff --git a/netwerk/base/src/nsSocketTransportService2.h b/netwerk/base/src/nsSocketTransportService2.h index 9a9486e0f2af..7e2045b49470 100644 --- a/netwerk/base/src/nsSocketTransportService2.h +++ b/netwerk/base/src/nsSocketTransportService2.h @@ -188,8 +188,6 @@ private: #endif bool mProbedMaxCount; - void ClosePrivateConnections(); - void AnalyzeConnection(nsTArray *data, SocketContext *context, bool aActive); }; diff --git a/security/manager/pki/resources/content/exceptionDialog.js b/security/manager/pki/resources/content/exceptionDialog.js index 6d4eb89eacf9..e6cae8415859 100644 --- a/security/manager/pki/resources/content/exceptionDialog.js +++ b/security/manager/pki/resources/content/exceptionDialog.js @@ -88,11 +88,8 @@ function initExceptionDialog() { // returns true if found and global status could be set function findRecentBadCert(uri) { try { - var certDB = Components.classes["@mozilla.org/security/x509certdb;1"] - .getService(Components.interfaces.nsIX509CertDB); - if (!certDB) - return false; - var recentCertsSvc = certDB.getRecentBadCertsService(inPrivateBrowsingMode()); + var recentCertsSvc = Components.classes["@mozilla.org/security/recentbadcerts;1"] + .getService(Components.interfaces.nsIRecentBadCertsService); if (!recentCertsSvc) return false; diff --git a/security/manager/ssl/public/nsIRecentBadCertsService.idl b/security/manager/ssl/public/nsIRecentBadCertsService.idl index c221aa1dbd93..398b792e4cc1 100644 --- a/security/manager/ssl/public/nsIRecentBadCertsService.idl +++ b/security/manager/ssl/public/nsIRecentBadCertsService.idl 
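Review bot: `findRecentBadCert` in exceptionDialog.js (@@ -88) now reads from the single `@mozilla.org/security/recentbadcerts;1` service and no longer passes `inPrivateBrowsingMode()`, so one store serves both private and non-private windows. The `CheckCertOverrides` hunk in SSLServerCertVerification.cpp (@@ -371) records through the same service via `NS_RECENTBADCERTS_CONTRACTID`, and the IDL hunk removes `resetStoredCerts()`, so nothing visible in this patch clears entries recorded during a private session. If that is the accepted cost of the backout, a comment at the lookup would record it, e.g. `// NOTE: shared between private and normal windows since the bug 769288 backout; entries are not cleared when private browsing ends.` The function body continues outside the hunk.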
@@ -20,8 +20,9 @@ interface nsISSLStatus; * The implementation will decide how many entries it will hold, * the number is expected to be small. */ -[scriptable, uuid(0fed7784-d152-44d6-95a7-67a59024de0f)] -interface nsIRecentBadCerts : nsISupports { +[scriptable, uuid(a5ae8b05-a76e-408f-b0ba-02a831265749)] +interface nsIRecentBadCertsService : nsISupports { + /** * Retrieve the recently seen bad ssl status for the given hostname:port. * If no SSL cert was recently seen for the given hostname:port, return null. @@ -42,9 +43,4 @@ interface nsIRecentBadCerts : nsISupports { */ void addBadCert(in AString aHostNameWithPort, in nsISSLStatus aStatus); - - /** - * Clear all stored cert data. - */ - void resetStoredCerts(); }; diff --git a/security/manager/ssl/public/nsIX509CertDB.idl b/security/manager/ssl/public/nsIX509CertDB.idl index aec9964a1fab..cedbb2644473 100644 --- a/security/manager/ssl/public/nsIX509CertDB.idl +++ b/security/manager/ssl/public/nsIX509CertDB.idl @@ -12,7 +12,6 @@ interface nsIX509Cert3; interface nsIFile; interface nsIInterfaceRequestor; interface nsIZipReader; -interface nsIRecentBadCerts; %{C++ #define NS_X509CERTDB_CONTRACTID "@mozilla.org/security/x509certdb;1" @@ -30,7 +29,7 @@ interface nsIOpenSignedJARFileCallback : nsISupports * This represents a service to access and manipulate * X.509 certificates stored in a database. */ -[scriptable, uuid(a18df2a5-84a9-46cd-9140-3fdb3879d9ff)] +[scriptable, uuid(735d0363-e219-4387-b5c6-72e800c3ea0b)] interface nsIX509CertDB : nsISupports { /** 
@@ -265,16 +264,6 @@ interface nsIX509CertDB : nsISupports { */ nsIX509Cert constructX509FromBase64(in string base64); - /* - * Obtain a reference to the appropriate service for recent - * bad certificates. May only be called on the main thread. - * - * @param isPrivate True if the service for certs for private connections - * is desired, false otherwise. - * @return The requested service. - */ - nsIRecentBadCerts getRecentBadCerts(in boolean isPrivate); - /** * Verifies the signature on the given JAR file to verify that it has a * valid signature. To be considered valid, there must be exactly one diff --git a/security/manager/ssl/src/Makefile.in b/security/manager/ssl/src/Makefile.in index a5ba00289423..1ea14e33748b 100644 --- a/security/manager/ssl/src/Makefile.in +++ b/security/manager/ssl/src/Makefile.in @@ -74,7 +74,6 @@ CPPSRCS = \ PSMRunnable.cpp \ nsNSSVersion.cpp \ nsCertificatePrincipal.cpp \ - SharedSSLState.cpp \ $(NULL) ifdef MOZ_XUL @@ -83,6 +82,7 @@ endif CSRCS += md4.c + EXTRA_DEPS = $(NSS_DEP_LIBS) DEFINES += \ @@ -97,11 +97,5 @@ EXPORTS += \ ScopedNSSTypes.h \ $(NULL) -EXPORTS_NAMESPACES = mozilla - -EXPORTS_mozilla += \ - PublicSSL.h \ - $(NULL) - include $(topsrcdir)/config/rules.mk diff --git a/security/manager/ssl/src/PublicSSL.h b/security/manager/ssl/src/PublicSSL.h deleted file mode 100644 index 738a6e1f12d1..000000000000 --- a/security/manager/ssl/src/PublicSSL.h +++ /dev/null 
@@ -1,23 +0,0 @@ -/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -/* vim: set ts=2 et sw=2 tw=80: */ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#ifndef mozilla_SSL_h -#define mozilla_SSL_h - -namespace mozilla { - -void ClearPrivateSSLState(); - -namespace psm { - -void InitializeSSLServerCertVerificationThreads(); -void StopSSLServerCertVerificationThreads(); - -} //namespace psm -} // namespace mozilla - -#endif - diff --git a/security/manager/ssl/src/SSLServerCertVerification.cpp b/security/manager/ssl/src/SSLServerCertVerification.cpp index c03f003b30e3..ae09139f1010 100644 --- a/security/manager/ssl/src/SSLServerCertVerification.cpp +++ b/security/manager/ssl/src/SSLServerCertVerification.cpp @@ -112,7 +112,6 @@ #include "nsIConsoleService.h" #include "PSMRunnable.h" #include "ScopedNSSTypes.h" -#include "SharedSSLState.h" #include "ssl.h" #include "secerr.h" @@ -239,15 +238,13 @@ class CertErrorRunnable : public SyncRunnableBase uint32_t collectedErrors, PRErrorCode errorCodeTrust, PRErrorCode errorCodeMismatch, - PRErrorCode errorCodeExpired, - uint32_t providerFlags) + PRErrorCode errorCodeExpired) : mFdForLogging(fdForLogging), mCert(cert), mInfoObject(infoObject), mDefaultErrorCodeToReport(defaultErrorCodeToReport), mCollectedErrors(collectedErrors), mErrorCodeTrust(errorCodeTrust), mErrorCodeMismatch(errorCodeMismatch), - mErrorCodeExpired(errorCodeExpired), - mProviderFlags(providerFlags) + mErrorCodeExpired(errorCodeExpired) { } @@ -264,7 +261,6 @@ private: const PRErrorCode mErrorCodeTrust; const PRErrorCode mErrorCodeMismatch; const PRErrorCode mErrorCodeExpired; - const uint32_t mProviderFlags; }; SSLServerCertVerificationResult * 
@@ -300,8 +296,12 @@ CertErrorRunnable::CheckCertOverrides() if (NS_SUCCEEDED(nsrv)) { nsCOMPtr sslSocketControl = do_QueryInterface( NS_ISUPPORTS_CAST(nsITransportSecurityInfo*, mInfoObject)); + uint32_t flags = 0; + if (sslSocketControl) { + sslSocketControl->GetProviderFlags(&flags); + } nsrv = stss->IsStsHost(mInfoObject->GetHostName(), - mProviderFlags, + flags, &strictTransportSecurityEnabled); } if (NS_FAILED(nsrv)) { @@ -371,12 +371,8 @@ CertErrorRunnable::CheckCertOverrides() } } - nsCOMPtr certdb = do_GetService(NS_X509CERTDB_CONTRACTID); - nsCOMPtr recentBadCertsService; - if (certdb) { - bool isPrivate = mProviderFlags & nsISocketProvider::NO_PERMANENT_STORAGE; - certdb->GetRecentBadCerts(isPrivate, getter_AddRefs(recentBadCertsService)); - } + nsCOMPtr recentBadCertsService = + do_GetService(NS_RECENTBADCERTS_CONTRACTID); if (recentBadCertsService) { NS_ConvertUTF8toUTF16 hostWithPortStringUTF16(hostWithPortString); @@ -422,8 +418,7 @@ CertErrorRunnable * CreateCertErrorRunnable(PRErrorCode defaultErrorCodeToReport, TransportSecurityInfo * infoObject, CERTCertificate * cert, - const void * fdForLogging, - uint32_t providerFlags) + const void * fdForLogging) { MOZ_ASSERT(infoObject); MOZ_ASSERT(cert); @@ -572,8 +567,7 @@ CreateCertErrorRunnable(PRErrorCode defaultErrorCodeToReport, static_cast(nssCert.get()), infoObject, defaultErrorCodeToReport, collected_errors, errorCodeTrust, - errorCodeMismatch, errorCodeExpired, - providerFlags); + errorCodeMismatch, errorCodeExpired); } // When doing async cert processing, we dispatch one of these runnables to the 
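Review bot: In the `CheckCertOverrides` hunk at @@ -300, a failed `do_QueryInterface` leaves `flags` at 0 and the `nsresult` of `GetProviderFlags` is discarded, so `IsStsHost` is then asked about the host as if the connection carried no provider flags. That includes `NO_PERMANENT_STORAGE`, which the removed lines of this file tested for. A missing interface or a failing getter should feed the existing `NS_FAILED(nsrv)` branch rather than silently become "non-private". That would be `nsrv = sslSocketControl ? sslSocketControl->GetProviderFlags(&flags) : NS_ERROR_NO_INTERFACE;` followed by `if (NS_SUCCEEDED(nsrv)) nsrv = stss->IsStsHost(mInfoObject->GetHostName(), flags, &strictTransportSecurityEnabled);`. The function starts and ends outside the hunk, so confirm the failure branch does what is wanted for this case.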
@@ -613,29 +607,25 @@ public: // Must be called only on the socket transport thread static SECStatus Dispatch(const void * fdForLogging, TransportSecurityInfo * infoObject, - CERTCertificate * serverCert, - uint32_t providerFlags); + CERTCertificate * serverCert); private: NS_DECL_NSIRUNNABLE // Must be called only on the socket transport thread SSLServerCertVerificationJob(const void * fdForLogging, TransportSecurityInfo * infoObject, - CERTCertificate * cert, - uint32_t providerFlags); + CERTCertificate * cert); const void * const mFdForLogging; const RefPtr mInfoObject; const ScopedCERTCertificate mCert; - const uint32_t mProviderFlags; }; SSLServerCertVerificationJob::SSLServerCertVerificationJob( const void * fdForLogging, TransportSecurityInfo * infoObject, - CERTCertificate * cert, uint32_t providerFlags) + CERTCertificate * cert) : mFdForLogging(fdForLogging) , mInfoObject(infoObject) , mCert(CERT_DupCertificate(cert)) - , mProviderFlags(providerFlags) { } @@ -835,8 +825,7 @@ BlockServerCertChangeForSpdy(nsNSSSocketInfo *infoObject, } SECStatus -AuthCertificate(TransportSecurityInfo * infoObject, CERTCertificate * cert, - uint32_t providerFlags) +AuthCertificate(TransportSecurityInfo * infoObject, CERTCertificate * cert) { if (cert->serialNumber.data && cert->issuerName && 
@@ -922,41 +911,37 @@ AuthCertificate(TransportSecurityInfo * infoObject, CERTCertificate * cert, } nsCOMPtr nssComponent; + + for (CERTCertListNode *node = CERT_LIST_HEAD(certList); + !CERT_LIST_END(node, certList); + node = CERT_LIST_NEXT(node)) { - // We want to avoid storing any intermediate cert information when browsing - // in private, transient contexts. - if (!(providerFlags & nsISocketProvider::NO_PERMANENT_STORAGE)) { - for (CERTCertListNode *node = CERT_LIST_HEAD(certList); - !CERT_LIST_END(node, certList); - node = CERT_LIST_NEXT(node)) { - - if (node->cert->slot) { - // This cert was found on a token, no need to remember it in the temp db. - continue; - } - - if (node->cert->isperm) { - // We don't need to remember certs already stored in perm db. - continue; - } - - if (node->cert == cert) { - // We don't want to remember the server cert, - // the code that cares for displaying page info does this already. - continue; - } - - // We have found a signer cert that we want to remember. - char* nickname = nsNSSCertificate::defaultServerNickname(node->cert); - if (nickname && *nickname) { - ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); - if (slot) { - PK11_ImportCert(slot, node->cert, CK_INVALID_HANDLE, - nickname, false); - } - } - PR_FREEIF(nickname); + if (node->cert->slot) { + // This cert was found on a token, no need to remember it in the temp db. + continue; } + + if (node->cert->isperm) { + // We don't need to remember certs already stored in perm db. + continue; + } + + if (node->cert == cert) { + // We don't want to remember the server cert, + // the code that cares for displaying page info does this already. + continue; + } + + // We have found a signer cert that we want to remember. 
+ char* nickname = nsNSSCertificate::defaultServerNickname(node->cert); + if (nickname && *nickname) { + ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (slot) { + PK11_ImportCert(slot, node->cert, CK_INVALID_HANDLE, + nickname, false); + } + } + PR_FREEIF(nickname); } // The connection may get terminated, for example, if the server requires @@ -992,8 +977,7 @@ AuthCertificate(TransportSecurityInfo * infoObject, CERTCertificate * cert, /*static*/ SECStatus SSLServerCertVerificationJob::Dispatch(const void * fdForLogging, TransportSecurityInfo * infoObject, - CERTCertificate * serverCert, - uint32_t providerFlags) + CERTCertificate * serverCert) { // Runs on the socket transport thread if (!infoObject || !serverCert) { @@ -1003,8 +987,7 @@ SSLServerCertVerificationJob::Dispatch(const void * fdForLogging, } RefPtr job( - new SSLServerCertVerificationJob(fdForLogging, infoObject, serverCert, - providerFlags)); + new SSLServerCertVerificationJob(fdForLogging, infoObject, serverCert)); nsresult nrv; if (!gCertVerificationThreadPool) { @@ -1048,7 +1031,7 @@ SSLServerCertVerificationJob::Run() // Reset the error code here so we can detect if AuthCertificate fails to // set the error code if/when it fails. PR_SetError(0, 0); - SECStatus rv = AuthCertificate(mInfoObject, mCert, mProviderFlags); + SECStatus rv = AuthCertificate(mInfoObject, mCert); if (rv == SECSuccess) { RefPtr restart( new SSLServerCertVerificationResult(mInfoObject, 0)); @@ -1059,7 +1042,7 @@ SSLServerCertVerificationJob::Run() error = PR_GetError(); if (error != 0) { RefPtr runnable(CreateCertErrorRunnable( - error, mInfoObject, mCert, mFdForLogging, mProviderFlags)); + error, mInfoObject, mCert, mFdForLogging)); if (!runnable) { // CreateCertErrorRunnable set a new error code error = PR_GetError(); 
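Review bot: The intermediate-certificate import loop in `AuthCertificate` (@@ -922) now runs for every connection, and the hunk removes the only comment that explained why `NO_PERMANENT_STORAGE` connections used to be skipped. Nothing on the new side says that signer certs seen in private contexts are remembered as well. A short comment above the loop would record the limitation, e.g. `// NOTE: also runs for private-browsing connections; intermediates seen there are remembered too (bug 769288 backed out).` The result of `PK11_ImportCert` is still ignored. If that is deliberate best-effort, say so in the same comment. `AuthCertificate` starts and ends outside the hunk.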
@@ -1152,20 +1135,15 @@ AuthCertificateHook(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer) PR_SetError(PR_UNKNOWN_ERROR, 0); return SECFailure; } - - uint32_t providerFlags = 0; - socketInfo->GetProviderFlags(&providerFlags); - + if (onSTSThread) { - // We *must* do certificate verification on a background thread because // we need the socket transport thread to be free for our OCSP requests, // and we *want* to do certificate verification on a background thread // because of the performance benefits of doing so. socketInfo->SetCertVerificationWaiting(); SECStatus rv = SSLServerCertVerificationJob::Dispatch( - static_cast(fd), socketInfo, serverCert, - providerFlags); + static_cast(fd), socketInfo, serverCert); return rv; } @@ -1173,7 +1151,7 @@ AuthCertificateHook(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer) // thread doing the network I/O may not interrupt its network I/O on receipt // of our SSLServerCertVerificationResult event, and/or it might not even be // a non-blocking socket. - SECStatus rv = AuthCertificate(socketInfo, serverCert, providerFlags); + SECStatus rv = AuthCertificate(socketInfo, serverCert); if (rv == SECSuccess) { return SECSuccess; } @@ -1182,7 +1160,7 @@ AuthCertificateHook(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer) if (error != 0) { RefPtr runnable(CreateCertErrorRunnable( error, socketInfo, serverCert, - static_cast(fd), providerFlags)); + static_cast(fd))); if (!runnable) { // CreateCertErrorRunnable sets a new error code when it fails error = PR_GetError(); diff --git a/security/manager/ssl/src/SharedSSLState.cpp b/security/manager/ssl/src/SharedSSLState.cpp deleted file mode 100644 index eaa07357bf1d..000000000000 --- a/security/manager/ssl/src/SharedSSLState.cpp +++ /dev/null 
@@ -1,240 +0,0 @@ -/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -/* vim: set ts=2 et sw=2 tw=80: */ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "SharedSSLState.h" -#include "nsClientAuthRemember.h" -#include "nsComponentManagerUtils.h" -#include "nsICertOverrideService.h" -#include "nsIObserverService.h" -#include "mozilla/Services.h" -#include "nsThreadUtils.h" -#include "nsCRT.h" -#include "nsServiceManagerUtils.h" -#include "nsRecentBadCerts.h" -#include "PSMRunnable.h" -#include "PublicSSL.h" -#include "ssl.h" -#include "nsNetCID.h" - -using mozilla::psm::SyncRunnableBase; - -namespace { - -class MainThreadClearer : public SyncRunnableBase -{ -public: - MainThreadClearer() : mShouldClearSessionCache(false) {} - - void RunOnTargetThread() { - // In some cases it's possible to cause PSM/NSS to initialize while XPCOM shutdown - // is in progress. We want to avoid this, since they do not handle the situation well, - // hence the flags to avoid instantiating the services if they don't already exist. - - if (mozilla::psm::SharedSSLState::CertOverrideServiceInstantiated()) { - nsCOMPtr icos = do_GetService(NS_CERTOVERRIDE_CONTRACTID); - if (icos) { - icos->ClearValidityOverride( - NS_LITERAL_CSTRING("all:temporary-certificates"), - 0); - } - } - - if (mozilla::psm::SharedSSLState::CertDBServiceInstantiated()) { - nsCOMPtr certdb = do_GetService(NS_X509CERTDB_CONTRACTID); - if (certdb) { - nsCOMPtr badCerts; - certdb->GetRecentBadCerts(true, getter_AddRefs(badCerts)); - if (badCerts) { - badCerts->ResetStoredCerts(); - } - } - } - - // This needs to be checked on the main thread to avoid racing with NSS - // initialization. 
- mShouldClearSessionCache = mozilla::psm::PrivateSSLState() && - mozilla::psm::PrivateSSLState()->SocketCreated(); - } - bool mShouldClearSessionCache; -}; - -} // anonymous namespace - -namespace mozilla { - -void ClearPrivateSSLState() -{ - // This only works if it is called on the socket transport - // service thread immediately after closing all private SSL - // connections. -#ifdef DEBUG - nsresult rv; - nsCOMPtr sts - = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &rv); - MOZ_ASSERT(NS_SUCCEEDED(rv)); - bool onSTSThread; - sts->IsOnCurrentThread(&onSTSThread); - MOZ_ASSERT(NS_SUCCEEDED(rv) && onSTSThread); -#endif - - RefPtr runnable = new MainThreadClearer; - runnable->DispatchToMainThreadAndWait(); - - // If NSS isn't initialized, this throws an assertion. We guard it by checking if - // the session cache might even have anything worth clearing. - if (runnable->mShouldClearSessionCache) { - SSL_ClearSessionCache(); - } -} - -namespace psm { - -namespace { -class PrivateBrowsingObserver : public nsIObserver { -public: - NS_DECL_ISUPPORTS - NS_DECL_NSIOBSERVER - PrivateBrowsingObserver(SharedSSLState* aOwner) : mOwner(aOwner) {} - virtual ~PrivateBrowsingObserver() {} -private: - SharedSSLState* mOwner; -}; - -SharedSSLState* gPublicState; -SharedSSLState* gPrivateState; -} // anonymous namespace - -NS_IMPL_ISUPPORTS1(PrivateBrowsingObserver, nsIObserver) - -NS_IMETHODIMP -PrivateBrowsingObserver::Observe(nsISupports *aSubject, - const char *aTopic, - const PRUnichar *aData) -{ - if (!nsCRT::strcmp(aTopic, "last-pb-context-exited")) { - mOwner->ResetStoredData(); - } - return NS_OK; -} - -SharedSSLState::SharedSSLState() -: mClientAuthRemember(new nsClientAuthRememberService) -, mSocketCreated(false) -{ - mIOLayerHelpers.Init(); - mClientAuthRemember->Init(); -} - -SharedSSLState::~SharedSSLState() -{ -} - -void -SharedSSLState::NotePrivateBrowsingStatus() -{ - MOZ_ASSERT(NS_IsMainThread(), "Not on main thread"); - mObserver = new 
PrivateBrowsingObserver(this); - nsCOMPtr obsSvc = mozilla::services::GetObserverService(); - obsSvc->AddObserver(mObserver, "last-pb-context-exited", false); -} - -void -SharedSSLState::ResetStoredData() -{ - MOZ_ASSERT(NS_IsMainThread()); - mClientAuthRemember->ClearRememberedDecisions(); - mIOLayerHelpers.clearStoredData(); -} - -void -SharedSSLState::NoteSocketCreated() -{ - MutexAutoLock lock(sLock); - mSocketCreated = true; -} - -bool -SharedSSLState::SocketCreated() -{ - MutexAutoLock lock(sLock); - return mSocketCreated; -} - -Mutex SharedSSLState::sLock("SharedSSLState::sLock"); -bool SharedSSLState::sCertOverrideSvcExists = false; -bool SharedSSLState::sCertDBExists = false; - -/*static*/ void -SharedSSLState::GlobalInit() -{ - MOZ_ASSERT(NS_IsMainThread(), "Not on main thread"); - gPublicState = new SharedSSLState(); - gPrivateState = new SharedSSLState(); - gPrivateState->NotePrivateBrowsingStatus(); -} - -/*static*/ void -SharedSSLState::GlobalCleanup() -{ - MOZ_ASSERT(NS_IsMainThread(), "Not on main thread"); - - gPrivateState->Cleanup(); - delete gPrivateState; - gPrivateState = nullptr; - - gPublicState->Cleanup(); - delete gPublicState; - gPublicState = nullptr; -} - -/*static*/ void -SharedSSLState::NoteCertOverrideServiceInstantiated() -{ - MutexAutoLock lock(sLock); - sCertOverrideSvcExists = true; -} - -/*static*/ bool -SharedSSLState::CertOverrideServiceInstantiated() -{ - MutexAutoLock lock(sLock); - return sCertOverrideSvcExists; -} - -/*static*/ void -SharedSSLState::NoteCertDBServiceInstantiated() -{ - MutexAutoLock lock(sLock); - sCertDBExists = true; -} - -/*static*/ bool -SharedSSLState::CertDBServiceInstantiated() -{ - MutexAutoLock lock(sLock); - return sCertDBExists; -} - -void -SharedSSLState::Cleanup() -{ - mIOLayerHelpers.Cleanup(); -} - -SharedSSLState* -PublicSSLState() -{ - return gPublicState; -} - -SharedSSLState* -PrivateSSLState() -{ - return gPrivateState; -} - -} // namespace psm -} // namespace mozilla 
diff --git a/security/manager/ssl/src/SharedSSLState.h b/security/manager/ssl/src/SharedSSLState.h deleted file mode 100644 index 132ca3412225..000000000000 --- a/security/manager/ssl/src/SharedSSLState.h +++ /dev/null 
@@ -1,72 +0,0 @@ -/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -/* vim: set ts=2 et sw=2 tw=80: */ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#ifndef SharedSSLState_h -#define SharedSSLState_h - -#include "mozilla/RefPtr.h" -#include "nsNSSIOLayer.h" - -class nsClientAuthRememberService; -class nsIObserver; - -namespace mozilla { -namespace psm { - -class SharedSSLState { -public: - NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SharedSSLState) - SharedSSLState(); - ~SharedSSLState(); - - static void GlobalInit(); - static void GlobalCleanup(); - - nsClientAuthRememberService* GetClientAuthRememberService() { - return mClientAuthRemember; - } - - nsSSLIOLayerHelpers& IOLayerHelpers() { - return mIOLayerHelpers; - } - - // Main-thread only - void ResetStoredData(); - void NotePrivateBrowsingStatus(); - - // The following methods may be called from any thread - bool SocketCreated(); - void NoteSocketCreated(); - static void NoteCertOverrideServiceInstantiated(); - static void NoteCertDBServiceInstantiated(); - static bool CertOverrideServiceInstantiated(); - static bool CertDBServiceInstantiated(); - -private: - void Cleanup(); - - nsCOMPtr mObserver; - RefPtr mClientAuthRemember; - nsSSLIOLayerHelpers mIOLayerHelpers; - - // Since various NSS-related services can be instantiated on any thread, - // these flags all require the following lock for synchronization. - static Mutex sLock; - static bool sCertOverrideSvcExists; - static bool sCertDBExists; - // True if any sockets have been created that use this shared data. - // Requires synchronization between the socket and main threads for - // reading/writing. - bool mSocketCreated; -}; - -SharedSSLState* PublicSSLState(); -SharedSSLState* PrivateSSLState(); - -} // namespace psm -} // namespace mozilla - -#endif 
diff --git a/security/manager/ssl/src/nsCertOverrideService.cpp b/security/manager/ssl/src/nsCertOverrideService.cpp index e033f74c299b..456564bd8b8a 100644 --- a/security/manager/ssl/src/nsCertOverrideService.cpp +++ b/security/manager/ssl/src/nsCertOverrideService.cpp @@ -19,7 +19,6 @@ #include "nsThreadUtils.h" #include "nsStringBuffer.h" #include "ScopedNSSTypes.h" -#include "SharedSSLState.h" #include "nspr.h" #include "pk11pub.h" @@ -28,7 +27,6 @@ #include "ssl.h" // For SSL_ClearSessionCache using namespace mozilla; -using mozilla::psm::SharedSSLState; static const char kCertOverrideFileName[] = "cert_override.txt"; @@ -130,7 +128,6 @@ nsCertOverrideService::Init() Observe(nullptr, "profile-do-change", nullptr); } - SharedSSLState::NoteCertOverrideServiceInstantiated(); return NS_OK; } diff --git a/security/manager/ssl/src/nsClientAuthRemember.cpp b/security/manager/ssl/src/nsClientAuthRemember.cpp index ad595810da3a..b3ac013b4e26 100644 --- a/security/manager/ssl/src/nsClientAuthRemember.cpp +++ b/security/manager/ssl/src/nsClientAuthRemember.cpp @@ -21,10 +21,8 @@ #include "pk11pub.h" #include "certdb.h" #include "sechash.h" -#include "SharedSSLState.h" using namespace mozilla; -using namespace mozilla::psm; NS_IMPL_THREADSAFE_ISUPPORTS2(nsClientAuthRememberService, nsIObserver, @@ -82,16 +80,6 @@ void nsClientAuthRememberService::ClearRememberedDecisions() RemoveAllFromMemory(); } -void nsClientAuthRememberService::ClearAllRememberedDecisions() -{ - RefPtr svc = - PublicSSLState()->GetClientAuthRememberService(); - svc->ClearRememberedDecisions(); - - svc = PrivateSSLState()->GetClientAuthRememberService(); - svc->ClearRememberedDecisions(); -} - void nsClientAuthRememberService::RemoveAllFromMemory() { diff --git a/security/manager/ssl/src/nsClientAuthRemember.h b/security/manager/ssl/src/nsClientAuthRemember.h index 161303f07576..35a8a21b47a5 100644 --- a/security/manager/ssl/src/nsClientAuthRemember.h 
+++ b/security/manager/ssl/src/nsClientAuthRemember.h @@ -128,7 +128,6 @@ public: nsACString & aCertDBKey, bool *_retval); void ClearRememberedDecisions(); - static void ClearAllRememberedDecisions(); protected: mozilla::ReentrantMonitor monitor; diff --git a/security/manager/ssl/src/nsNSSCallbacks.cpp b/security/manager/ssl/src/nsNSSCallbacks.cpp index 02188b78493d..d7809989c7a6 100644 --- a/security/manager/ssl/src/nsNSSCallbacks.cpp +++ b/security/manager/ssl/src/nsNSSCallbacks.cpp @@ -23,7 +23,6 @@ #include "nsIConsoleService.h" #include "nsIHttpChannelInternal.h" #include "nsCRT.h" -#include "SharedSSLState.h" #include "ssl.h" #include "sslproto.h" @@ -842,8 +841,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { // If the handshake completed, then we know the site is TLS tolerant (if this // was a TLS connection). - nsSSLIOLayerHelpers& ioLayerHelpers = infoObject->SharedState().IOLayerHelpers(); - ioLayerHelpers.rememberTolerantSite(infoObject); + nsSSLIOLayerHelpers::rememberTolerantSite(infoObject); if (SECSuccess != SSL_SecurityStatus(fd, &sslStatus, &cipherName, &keyLength, &encryptBits, &signer, nullptr)) { @@ -861,7 +859,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { if (SSL_HandshakeNegotiatedExtension(fd, ssl_renegotiation_info_xtn, &siteSupportsSafeRenego) != SECSuccess || !siteSupportsSafeRenego) { - bool wantWarning = (ioLayerHelpers.getWarnLevelMissingRFC5746() > 0); + bool wantWarning = (nsSSLIOLayerHelpers::getWarnLevelMissingRFC5746() > 0); nsCOMPtr console; if (infoObject && wantWarning) { @@ -877,7 +875,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { console->LogStringMessage(msg.get()); } } - if (ioLayerHelpers.treatUnsafeNegotiationAsBroken()) { + if (nsSSLIOLayerHelpers::treatUnsafeNegotiationAsBroken()) { secStatus = nsIWebProgressListener::STATE_IS_BROKEN; } } 
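Review bot: In `HandshakeCallback` (nsNSSCallbacks.cpp, @@ -842), `nsSSLIOLayerHelpers::rememberTolerantSite(infoObject)` is passed `infoObject` without a check, yet the hunk at @@ -861 still guards with `if (infoObject && wantWarning)`. The two disagree about whether `infoObject` can be null here. Whether `rememberTolerantSite` tolerates a null argument is not visible in this patch. Either guard the call, `if (infoObject) nsSSLIOLayerHelpers::rememberTolerantSite(infoObject);`, or, if null is impossible at this point, drop the later test and document the invariant where `infoObject` is obtained, which is outside these hunks.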
diff --git a/security/manager/ssl/src/nsNSSCertificateDB.cpp b/security/manager/ssl/src/nsNSSCertificateDB.cpp index d165c0745f96..912ced9a8d68 100644 --- a/security/manager/ssl/src/nsNSSCertificateDB.cpp +++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp @@ -31,9 +31,6 @@ #include "nsIPrompt.h" #include "nsThreadUtils.h" #include "ScopedNSSTypes.h" -#include "nsIObserverService.h" -#include "nsRecentBadCerts.h" -#include "SharedSSLState.h" #include "nspr.h" #include "certdb.h" @@ -46,7 +43,6 @@ #include "plbase64.h" using namespace mozilla; -using mozilla::psm::SharedSSLState; #ifdef PR_LOGGING extern PRLogModuleInfo* gPIPNSSLog; @@ -58,9 +54,7 @@ static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); NS_IMPL_THREADSAFE_ISUPPORTS2(nsNSSCertificateDB, nsIX509CertDB, nsIX509CertDB2) nsNSSCertificateDB::nsNSSCertificateDB() -: mBadCertsLock("nsNSSCertificateDB::mBadCertsLock") { - SharedSSLState::NoteCertDBServiceInstantiated(); } nsNSSCertificateDB::~nsNSSCertificateDB() @@ -1650,21 +1644,3 @@ nsNSSCertificateDB::GetCerts(nsIX509CertList **_retval) NS_ADDREF(*_retval); return NS_OK; } - -NS_IMETHODIMP -nsNSSCertificateDB::GetRecentBadCerts(bool isPrivate, nsIRecentBadCerts** result) -{ - MutexAutoLock lock(mBadCertsLock); - if (isPrivate) { - if (!mPrivateRecentBadCerts) { - mPrivateRecentBadCerts = new nsRecentBadCerts; - } - NS_ADDREF(*result = mPrivateRecentBadCerts); - } else { - if (!mPublicRecentBadCerts) { - mPublicRecentBadCerts = new nsRecentBadCerts; - } - NS_ADDREF(*result = mPublicRecentBadCerts); - } - return NS_OK; -} diff --git a/security/manager/ssl/src/nsNSSCertificateDB.h b/security/manager/ssl/src/nsNSSCertificateDB.h index 5ef5015598d1..efdbff80d339 100644 --- a/security/manager/ssl/src/nsNSSCertificateDB.h +++ b/security/manager/ssl/src/nsNSSCertificateDB.h 
@@ -7,13 +7,10 @@ #include "nsIX509CertDB.h" #include "nsIX509CertDB2.h" -#include "mozilla/RefPtr.h" -#include "mozilla/Mutex.h" #include "certt.h" class nsCString; class nsIArray; -class nsRecentBadCerts; class nsNSSCertificateDB : public nsIX509CertDB, public nsIX509CertDB2 { @@ -51,10 +48,6 @@ private: uint32_t length); nsresult handleCACertDownload(nsIArray *x509Certs, nsIInterfaceRequestor *ctx); - - mozilla::Mutex mBadCertsLock; - mozilla::RefPtr mPublicRecentBadCerts; - mozilla::RefPtr mPrivateRecentBadCerts; }; #define NS_X509CERTDB_CID { /* fb0bbc5c-452e-4783-b32c-80124693d871 */ \ diff --git a/security/manager/ssl/src/nsNSSComponent.cpp b/security/manager/ssl/src/nsNSSComponent.cpp index aabe6fab9789..486a3e1f907b 100644 --- a/security/manager/ssl/src/nsNSSComponent.cpp +++ b/security/manager/ssl/src/nsNSSComponent.cpp @@ -60,7 +60,6 @@ #include "nsSmartCardEvent.h" #include "nsIKeyModule.h" #include "ScopedNSSTypes.h" -#include "SharedSSLState.h" #include "nss.h" #include "pk11func.h" @@ -401,7 +400,7 @@ nsNSSComponent::~nsNSSComponent() // All cleanup code requiring services needs to happen in xpcom_shutdown ShutdownNSS(); - SharedSSLState::GlobalCleanup(); + nsSSLIOLayerHelpers::Cleanup(); RememberCertErrorsTable::Cleanup(); --mInstanceCount; delete mShutdownObjectList; @@ -1861,6 +1860,9 @@ nsNSSComponent::ShutdownNSS() ShutdownSmartCardThreads(); SSL_ClearSessionCache(); + if (mClientAuthRememberService) { + mClientAuthRememberService->ClearRememberedDecisions(); + } UnloadLoadableRoots(); CleanupIdentityInfo(); PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("evaporating psm resources\n")); 
@@ -1931,8 +1933,27 @@ nsNSSComponent::Init() } RememberCertErrorsTable::Init(); - SharedSSLState::GlobalInit(); + nsSSLIOLayerHelpers::Init(); + char *unrestricted_hosts=nullptr; + mPrefBranch->GetCharPref("security.ssl.renego_unrestricted_hosts", &unrestricted_hosts); + if (unrestricted_hosts) { + nsSSLIOLayerHelpers::setRenegoUnrestrictedSites(nsDependentCString(unrestricted_hosts)); + nsMemory::Free(unrestricted_hosts); + unrestricted_hosts=nullptr; + } + + bool enabled = false; + mPrefBranch->GetBoolPref("security.ssl.treat_unsafe_negotiation_as_broken", &enabled); + nsSSLIOLayerHelpers::setTreatUnsafeNegotiationAsBroken(enabled); + + int32_t warnLevel = 1; + mPrefBranch->GetIntPref("security.ssl.warn_missing_rfc5746", &warnLevel); + nsSSLIOLayerHelpers::setWarnLevelMissingRFC5746(warnLevel); + mClientAuthRememberService = new nsClientAuthRememberService; + if (mClientAuthRememberService) + mClientAuthRememberService->Init(); + createBackgroundThreads(); if (!mCertVerificationThread) { 
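Review bot: In nsNSSComponent::Init the result of `mClientAuthRememberService->Init()` is discarded, so a service whose initialisation failed is still stored in the member. It is later used by ShutdownNSS and LogoutAuthenticatedPK11 and handed out by GetClientAuthRememberService. What Init() does is not visible here, but every later use already null-checks the member, so testing the call with `NS_FAILED(mClientAuthRememberService->Init())` and clearing the member on failure would be cheap. Init's body starts and ends outside the hunk.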
@@ -2250,6 +2271,20 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic, mPrefBranch->GetBoolPref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", &enabled); SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, enabled ? SSL_RENEGOTIATE_UNRESTRICTED : SSL_RENEGOTIATE_REQUIRES_XTN); + } else if (prefName.Equals("security.ssl.renego_unrestricted_hosts")) { + char *unrestricted_hosts=nullptr; + mPrefBranch->GetCharPref("security.ssl.renego_unrestricted_hosts", &unrestricted_hosts); + if (unrestricted_hosts) { + nsSSLIOLayerHelpers::setRenegoUnrestrictedSites(nsDependentCString(unrestricted_hosts)); + nsMemory::Free(unrestricted_hosts); + } + } else if (prefName.Equals("security.ssl.treat_unsafe_negotiation_as_broken")) { + mPrefBranch->GetBoolPref("security.ssl.treat_unsafe_negotiation_as_broken", &enabled); + nsSSLIOLayerHelpers::setTreatUnsafeNegotiationAsBroken(enabled); + } else if (prefName.Equals("security.ssl.warn_missing_rfc5746")) { + int32_t warnLevel = 1; + mPrefBranch->GetIntPref("security.ssl.warn_missing_rfc5746", &warnLevel); + nsSSLIOLayerHelpers::setWarnLevelMissingRFC5746(warnLevel); #ifdef SSL_ENABLE_FALSE_START // Requires NSS 3.12.8 } else if (prefName.Equals("security.ssl.enable_false_start")) { mPrefBranch->GetBoolPref("security.ssl.enable_false_start", &enabled); @@ -2352,7 +2387,9 @@ nsresult nsNSSComponent::LogoutAuthenticatedPK11() 0); } - nsClientAuthRememberService::ClearAllRememberedDecisions(); + if (mClientAuthRememberService) { + mClientAuthRememberService->ClearRememberedDecisions(); + } return mShutdownObjectList->doPK11Logout(); } @@ -2531,6 +2568,14 @@ nsNSSComponent::DoProfileChangeNetRestore() mIsNetworkDown = false; } +NS_IMETHODIMP +nsNSSComponent::GetClientAuthRememberService(nsClientAuthRememberService **cars) +{ + NS_ENSURE_ARG_POINTER(cars); + NS_IF_ADDREF(*cars = mClientAuthRememberService); + return NS_OK; +} + NS_IMETHODIMP nsNSSComponent::IsNSSInitialized(bool *initialized) { 
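Review bot: In the `security.ssl.renego_unrestricted_hosts` branch added to nsNSSComponent::Observe, the host list is only updated when GetCharPref hands back a string, so clearing or resetting the pref appears to leave the previous list in force until restart. Hosts on that list get `SSL_REQUIRE_SAFE_NEGOTIATION` switched off in nsSSLIOLayerSetOptions, so a stale entry silently keeps the weaker setting for that host. An else branch that resets the list would close this, for example `else { nsSSLIOLayerHelpers::setRenegoUnrestrictedSites(EmptyCString()); }`, assuming setRenegoUnrestrictedSites replaces the set rather than appending, which is not visible here. Observe's body starts and ends outside the hunk.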
diff --git a/security/manager/ssl/src/nsNSSComponent.h b/security/manager/ssl/src/nsNSSComponent.h index b47b989c21f5..2391d95565d2 100644 --- a/security/manager/ssl/src/nsNSSComponent.h +++ b/security/manager/ssl/src/nsNSSComponent.h @@ -154,6 +154,8 @@ class NS_NO_VTABLE nsINSSComponent : public nsISupports { NS_IMETHOD DispatchEvent(const nsAString &eventType, const nsAString &token) = 0; + NS_IMETHOD GetClientAuthRememberService(nsClientAuthRememberService **cars) = 0; + NS_IMETHOD EnsureIdentityInfoLoaded() = 0; NS_IMETHOD IsNSSInitialized(bool *initialized) = 0; @@ -257,6 +259,7 @@ public: NS_IMETHOD ShutdownSmartCardThread(SECMODModule *module); NS_IMETHOD PostEvent(const nsAString &eventType, const nsAString &token); NS_IMETHOD DispatchEvent(const nsAString &eventType, const nsAString &token); + NS_IMETHOD GetClientAuthRememberService(nsClientAuthRememberService **cars); NS_IMETHOD EnsureIdentityInfoLoaded(); NS_IMETHOD IsNSSInitialized(bool *initialized); @@ -324,6 +327,7 @@ private: nsCertVerificationThread *mCertVerificationThread; nsNSSHttpInterface mHttpForNSS; + mozilla::RefPtr mClientAuthRememberService; mozilla::RefPtr mDefaultCERTValInParam; mozilla::RefPtr mDefaultCERTValInParamLocalOnly; diff --git a/security/manager/ssl/src/nsNSSIOLayer.cpp b/security/manager/ssl/src/nsNSSIOLayer.cpp index 03c5d4ec2c7e..7f52d25af224 100644 --- a/security/manager/ssl/src/nsNSSIOLayer.cpp +++ b/security/manager/ssl/src/nsNSSIOLayer.cpp @@ -28,8 +28,6 @@ #include "nsIConsoleService.h" #include "PSMRunnable.h" #include "ScopedNSSTypes.h" -#include "SharedSSLState.h" -#include "mozilla/Preferences.h" #include "ssl.h" #include "secerr.h" 
@@ -65,10 +63,9 @@ typedef enum {ASK, AUTO} SSM_UserCertChoice; extern PRLogModuleInfo* gPIPNSSLog; #endif -nsNSSSocketInfo::nsNSSSocketInfo(SharedSSLState& aState, uint32_t providerFlags) +nsNSSSocketInfo::nsNSSSocketInfo(uint32_t providerFlags) : mFd(nullptr), mCertVerificationState(before_cert_verification), - mSharedState(aState), mForSTARTTLS(false), mSSL3Enabled(false), mTLSEnabled(false), @@ -460,11 +457,6 @@ void nsNSSSocketInfo::SetAllowTLSIntoleranceTimeout(bool aAllow) mAllowTLSIntoleranceTimeout = aAllow; } -SharedSSLState& nsNSSSocketInfo::SharedState() -{ - return mSharedState; -} - bool nsNSSSocketInfo::HandshakeTimeout() { if (!mAllowTLSIntoleranceTimeout) @@ -922,8 +914,7 @@ int32_t checkHandshake(int32_t bytesTransfered, bool wasReading, if (!wantRetry // no decision yet && isTLSIntoleranceError(err, socketInfo->GetHasCleartextPhase())) { - nsSSLIOLayerHelpers& helpers = socketInfo->SharedState().IOLayerHelpers(); - wantRetry = helpers.rememberPossibleTLSProblemSite(socketInfo); + wantRetry = nsSSLIOLayerHelpers::rememberPossibleTLSProblemSite(socketInfo); } } @@ -951,8 +942,8 @@ int32_t checkHandshake(int32_t bytesTransfered, bool wasReading, if (!wantRetry // no decision yet && !socketInfo->GetHasCleartextPhase()) // mirror PR_CONNECT_RESET_ERROR treament { - nsSSLIOLayerHelpers& helpers = socketInfo->SharedState().IOLayerHelpers(); - wantRetry = helpers.rememberPossibleTLSProblemSite(socketInfo); + wantRetry = + nsSSLIOLayerHelpers::rememberPossibleTLSProblemSite(socketInfo); } } } 
@@ -1040,16 +1031,12 @@ nsSSLIOLayerPoll(PRFileDesc * fd, int16_t in_flags, int16_t *out_flags) bool nsSSLIOLayerHelpers::nsSSLIOLayerInitialized = false; PRDescIdentity nsSSLIOLayerHelpers::nsSSLIOLayerIdentity; PRIOMethods nsSSLIOLayerHelpers::nsSSLIOLayerMethods; - -nsSSLIOLayerHelpers::nsSSLIOLayerHelpers() -: mutex(nullptr) -, mTLSIntolerantSites(nullptr) -, mTLSTolerantSites(nullptr) -, mRenegoUnrestrictedSites(nullptr) -, mTreatUnsafeNegotiationAsBroken(false) -, mWarnLevelMissingRFC5746(1) -{ -} +Mutex *nsSSLIOLayerHelpers::mutex = nullptr; +nsTHashtable *nsSSLIOLayerHelpers::mTLSIntolerantSites = nullptr; +nsTHashtable *nsSSLIOLayerHelpers::mTLSTolerantSites = nullptr; +nsTHashtable *nsSSLIOLayerHelpers::mRenegoUnrestrictedSites = nullptr; +bool nsSSLIOLayerHelpers::mTreatUnsafeNegotiationAsBroken = false; +int32_t nsSSLIOLayerHelpers::mWarnLevelMissingRFC5746 = 1; static int _PSM_InvalidInt(void) { 
@@ -1203,53 +1190,6 @@ static int64_t PSMAvailable64(void) return -1; } -namespace { -class PrefObserver : public nsIObserver { -public: - NS_DECL_ISUPPORTS - NS_DECL_NSIOBSERVER - PrefObserver(nsSSLIOLayerHelpers* aOwner) : mOwner(aOwner) {} - virtual ~PrefObserver() {} -private: - nsSSLIOLayerHelpers* mOwner; -}; -} // namespace anonymous - -NS_IMPL_THREADSAFE_ISUPPORTS1(PrefObserver, nsIObserver) - -NS_IMETHODIMP -PrefObserver::Observe(nsISupports *aSubject, const char *aTopic, - const PRUnichar *someData) -{ - if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) { - NS_ConvertUTF16toUTF8 prefName(someData); - - if (prefName.Equals("security.ssl.renego_unrestricted_hosts")) { - nsCString unrestricted_hosts; - Preferences::GetCString("security.ssl.renego_unrestricted_hosts", &unrestricted_hosts); - if (!unrestricted_hosts.IsEmpty()) { - mOwner->setRenegoUnrestrictedSites(unrestricted_hosts); - } - } else if (prefName.Equals("security.ssl.treat_unsafe_negotiation_as_broken")) { - bool enabled; - Preferences::GetBool("security.ssl.treat_unsafe_negotiation_as_broken", &enabled); - mOwner->setTreatUnsafeNegotiationAsBroken(enabled); - } else if (prefName.Equals("security.ssl.warn_missing_rfc5746")) { - int32_t warnLevel = 1; - Preferences::GetInt("security.ssl.warn_missing_rfc5746", &warnLevel); - mOwner->setWarnLevelMissingRFC5746(warnLevel); - } - } - return NS_OK; -} - -nsSSLIOLayerHelpers::~nsSSLIOLayerHelpers() -{ - Preferences::RemoveObserver(mPrefObserver, "security.ssl.renego_unrestricted_hosts"); - Preferences::RemoveObserver(mPrefObserver, "security.ssl.treat_unsafe_negotiation_as_broken"); - Preferences::RemoveObserver(mPrefObserver, "security.ssl.warn_missing_rfc5746"); -} - nsresult nsSSLIOLayerHelpers::Init() { if (!nsSSLIOLayerInitialized) { 
@@ -1304,50 +1244,23 @@ nsresult nsSSLIOLayerHelpers::Init() mRenegoUnrestrictedSites = new nsTHashtable(); mRenegoUnrestrictedSites->Init(1); - nsCString unrestricted_hosts; - Preferences::GetCString("security.ssl.renego_unrestricted_hosts", &unrestricted_hosts); - if (!unrestricted_hosts.IsEmpty()) { - setRenegoUnrestrictedSites(unrestricted_hosts); - } - - bool enabled = false; - Preferences::GetBool("security.ssl.treat_unsafe_negotiation_as_broken", &enabled); - setTreatUnsafeNegotiationAsBroken(enabled); - - int32_t warnLevel = 1; - Preferences::GetInt("security.ssl.warn_missing_rfc5746", &warnLevel); - setWarnLevelMissingRFC5746(warnLevel); - - mPrefObserver = new PrefObserver(this); - Preferences::AddStrongObserver(mPrefObserver, - "security.ssl.renego_unrestricted_hosts"); - Preferences::AddStrongObserver(mPrefObserver, - "security.ssl.treat_unsafe_negotiation_as_broken"); - Preferences::AddStrongObserver(mPrefObserver, - "security.ssl.warn_missing_rfc5746"); - + mTreatUnsafeNegotiationAsBroken = false; + return NS_OK; } -void nsSSLIOLayerHelpers::clearStoredData() -{ - mRenegoUnrestrictedSites->Clear(); - mTLSTolerantSites->Clear(); - mTLSIntolerantSites->Clear(); -} - void nsSSLIOLayerHelpers::addIntolerantSite(const nsCString &str) { MutexAutoLock lock(*mutex); // Remember intolerant site only if it is not known as tolerant if (!mTLSTolerantSites->Contains(str)) - mTLSIntolerantSites->PutEntry(str); + nsSSLIOLayerHelpers::mTLSIntolerantSites->PutEntry(str); } void nsSSLIOLayerHelpers::removeIntolerantSite(const nsCString &str) { MutexAutoLock lock(*mutex); - mTLSIntolerantSites->RemoveEntry(str); + nsSSLIOLayerHelpers::mTLSIntolerantSites->RemoveEntry(str); } bool nsSSLIOLayerHelpers::isKnownAsIntolerantSite(const nsCString &str) 
@@ -2010,7 +1923,6 @@ void ClientAuthDataRunnable::RunOnTargetThread() SSM_UserCertChoice certChoice; int32_t NumberOfCerts = 0; void * wincx = mSocketInfo; - nsresult rv; /* create caNameStrings */ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); @@ -2112,14 +2024,19 @@ void ClientAuthDataRunnable::RunOnTargetThread() nsXPIDLCString hostname; mSocketInfo->GetHostName(getter_Copies(hostname)); - RefPtr cars = - mSocketInfo->SharedState().GetClientAuthRememberService(); + nsresult rv; + NS_DEFINE_CID(nssComponentCID, NS_NSSCOMPONENT_CID); + nsCOMPtr nssComponent(do_GetService(nssComponentCID, &rv)); + RefPtr cars; + if (nssComponent) { + nssComponent->GetClientAuthRememberService(byRef(cars)); + } bool hasRemembered = false; nsCString rememberedDBKey; if (cars) { bool found; - rv = cars->HasRememberedDecision(hostname, mServerCert, + nsresult rv = cars->HasRememberedDecision(hostname, mServerCert, rememberedDBKey, &found); if (NS_SUCCEEDED(rv) && found) { hasRemembered = true; @@ -2302,9 +2219,9 @@ if (!hasRemembered) } /* Throw up the client auth dialog and get back the index of the selected cert */ - nsresult rv = getNSSDialogs((void**)&dialogs, - NS_GET_IID(nsIClientAuthDialogs), - NS_CLIENTAUTHDIALOGS_CONTRACTID); + rv = getNSSDialogs((void**)&dialogs, + NS_GET_IID(nsIClientAuthDialogs), + NS_CLIENTAUTHDIALOGS_CONTRACTID); if (NS_FAILED(rv)) { NS_FREE_XPCOM_ALLOCATED_POINTER_ARRAY(CertsToUse, certNicknameList); @@ -2448,7 +2365,7 @@ loser: static nsresult nsSSLIOLayerSetOptions(PRFileDesc *fd, bool forSTARTTLS, const char *proxyHost, const char *host, int32_t port, - nsNSSSocketInfo *infoObject) + bool anonymousLoad, nsNSSSocketInfo *infoObject) { nsNSSShutDownPreventionLock locker; if (forSTARTTLS || proxyHost) { 
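Review bot: In the ClientAuthDataRunnable::RunOnTargetThread hunk that fetches the remember service, the new `nsresult rv;` is shadowed a few lines later by `nsresult rv = cars->HasRememberedDecision(...)` inside `if (cars)`. The inner declaration should become a plain assignment, `rv = cars->HasRememberedDecision(hostname, mServerCert,`, which matches what the later hunk does for `rv = getNSSDialogs(`. The `rv` filled in by `do_GetService(nssComponentCID, &rv)` is never read; either drop the out-parameter or add a comment saying a missing component is treated as "no remembered decision". The function body starts and ends outside the hunk.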
@@ -2463,7 +2380,7 @@ nsSSLIOLayerSetOptions(PRFileDesc *fd, bool forSTARTTLS, nsAutoCString key; key = nsDependentCString(host) + NS_LITERAL_CSTRING(":") + nsPrintfCString("%d", port); - if (infoObject->SharedState().IOLayerHelpers().isKnownAsIntolerantSite(key)) { + if (nsSSLIOLayerHelpers::isKnownAsIntolerantSite(key)) { if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_TLS, false)) return NS_ERROR_FAILURE; @@ -2490,9 +2407,8 @@ nsSSLIOLayerSetOptions(PRFileDesc *fd, bool forSTARTTLS, if (SECSuccess != SSL_OptionSet(fd, SSL_HANDSHAKE_AS_CLIENT, true)) { return NS_ERROR_FAILURE; } - - nsSSLIOLayerHelpers& ioHelpers = infoObject->SharedState().IOLayerHelpers(); - if (ioHelpers.isRenegoUnrestrictedSite(nsDependentCString(host))) { + + if (nsSSLIOLayerHelpers::isRenegoUnrestrictedSite(nsDependentCString(host))) { if (SECSuccess != SSL_OptionSet(fd, SSL_REQUIRE_SAFE_NEGOTIATION, false)) { return NS_ERROR_FAILURE; } @@ -2501,23 +2417,20 @@ nsSSLIOLayerSetOptions(PRFileDesc *fd, bool forSTARTTLS, } } - // Set the Peer ID so that SSL proxy connections work properly and to - // separate anonymous and/or private browsing connections. - uint32_t flags = infoObject->GetProviderFlags(); - nsAutoCString peerId; - if (flags & nsISocketProvider::ANONYMOUS_CONNECT) { // See bug 466080 - peerId.Append("anon:"); + // Set the Peer ID so that SSL proxy connections work properly. + char *peerId; + if (anonymousLoad) { // See bug #466080. Separate the caches. + peerId = PR_smprintf("anon:%s:%d", host, port); + } else { + peerId = PR_smprintf("%s:%d", host, port); } - if (flags & nsISocketProvider::NO_PERMANENT_STORAGE) { - peerId.Append("private:"); - } - peerId.Append(host); - peerId.Append(':'); - peerId.AppendInt(port); - if (SECSuccess != SSL_SetSockPeerID(fd, peerId.get())) { + + if (SECSuccess != SSL_SetSockPeerID(fd, peerId)) { + PR_smprintf_free(peerId); return NS_ERROR_FAILURE; } + PR_smprintf_free(peerId); return NS_OK; } 
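Review bot: In the last hunk of nsSSLIOLayerSetOptions, the `PR_smprintf` result is passed to `SSL_SetSockPeerID` without a null check, so an allocation failure would leave the socket without the intended peer ID. How NSS treats a null ID is not visible here; adding `if (!peerId) return NS_ERROR_OUT_OF_MEMORY;` before the call avoids depending on it. Separately, the peer ID now distinguishes only anonymous loads, because the `private:` prefix for `NO_PERMANENT_STORAGE` sockets is removed. That means private and normal connections to the same host and port share one ID, so the comment should say so, e.g. `// Note: private-browsing sockets are not separated here; see bug 769288.`. The function body starts outside the hunk.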
@@ -2537,9 +2450,7 @@ nsSSLIOLayerAddToSocket(int32_t family, nsresult rv; PRStatus stat; - SharedSSLState* sharedState = - providerFlags & nsISocketProvider::NO_PERMANENT_STORAGE ? PrivateSSLState() : PublicSSLState(); - nsNSSSocketInfo* infoObject = new nsNSSSocketInfo(*sharedState, providerFlags); + nsNSSSocketInfo* infoObject = new nsNSSSocketInfo(providerFlags); if (!infoObject) return NS_ERROR_FAILURE; NS_ADDREF(infoObject); @@ -2547,6 +2458,7 @@ nsSSLIOLayerAddToSocket(int32_t family, infoObject->SetHostName(host); infoObject->SetPort(port); + bool anonymousLoad = providerFlags & nsISocketProvider::ANONYMOUS_CONNECT; PRFileDesc *sslSock = nsSSLIOLayerImportFD(fd, infoObject, host); if (!sslSock) { NS_ASSERTION(false, "NSS: Error importing socket"); @@ -2555,7 +2467,8 @@ nsSSLIOLayerAddToSocket(int32_t family, infoObject->SetFileDescPtr(sslSock); - rv = nsSSLIOLayerSetOptions(sslSock, forSTARTTLS, proxyHost, host, port, + rv = nsSSLIOLayerSetOptions(sslSock, + forSTARTTLS, proxyHost, host, port, anonymousLoad, infoObject); if (NS_FAILED(rv)) @@ -2584,8 +2497,6 @@ nsSSLIOLayerAddToSocket(int32_t family, infoObject->SetHandshakePending(false); } - infoObject->SharedState().NoteSocketCreated(); - return NS_OK; loser: NS_IF_RELEASE(infoObject); diff --git a/security/manager/ssl/src/nsNSSIOLayer.h b/security/manager/ssl/src/nsNSSIOLayer.h index abdf8d430051..4ee3bd9b8aac 100644 --- a/security/manager/ssl/src/nsNSSIOLayer.h +++ b/security/manager/ssl/src/nsNSSIOLayer.h @@ -15,20 +15,12 @@ #include "nsTHashtable.h" #include "mozilla/TimeStamp.h" -namespace mozilla { -namespace psm { -class SharedSSLState; -} -} - -class nsIObserver; - class nsNSSSocketInfo : public mozilla::psm::TransportSecurityInfo, public nsISSLSocketControl, public nsIClientAuthUserDecision { public: - nsNSSSocketInfo(mozilla::psm::SharedSSLState& aState, uint32_t providerFlags); + nsNSSSocketInfo(uint32_t providerFlags); NS_DECL_ISUPPORTS_INHERITED NS_DECL_NSISSLSOCKETCONTROL 
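Review bot: In the nsNSSIOLayer.h hunk, the nsNSSSocketInfo constructor now takes a single `uint32_t`, which makes it a converting constructor and allows an integer to turn into a socket-info object implicitly. Declare it `explicit nsNSSSocketInfo(uint32_t providerFlags);`. In nsSSLIOLayerAddToSocket, the new `bool anonymousLoad = providerFlags & nsISocketProvider::ANONYMOUS_CONNECT;` relies on an implicit integer-to-bool conversion; `(providerFlags & nsISocketProvider::ANONYMOUS_CONNECT) != 0` states the intent. The class body continues outside the hunk.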
@@ -63,11 +55,7 @@ public: bool GetJoined() { return mJoined; } void SetSentClientCert() { mSentClientCert = true; } - - uint32_t GetProviderFlags() const { return mProviderFlags; } - - mozilla::psm::SharedSSLState& SharedState(); - + // XXX: These are only used on for diagnostic purposes enum CertVerificationState { before_cert_verification, @@ -95,7 +83,6 @@ private: CertVerificationState mCertVerificationState; - mozilla::psm::SharedSSLState& mSharedState; bool mForSTARTTLS; bool mSSL3Enabled; bool mTLSEnabled; 
@@ -122,44 +109,37 @@ private: class nsSSLIOLayerHelpers { public: - nsSSLIOLayerHelpers(); - ~nsSSLIOLayerHelpers(); - - nsresult Init(); - void Cleanup(); + static nsresult Init(); + static void Cleanup(); static bool nsSSLIOLayerInitialized; static PRDescIdentity nsSSLIOLayerIdentity; static PRIOMethods nsSSLIOLayerMethods; - mozilla::Mutex *mutex; - nsTHashtable *mTLSIntolerantSites; - nsTHashtable *mTLSTolerantSites; + static mozilla::Mutex *mutex; + static nsTHashtable *mTLSIntolerantSites; + static nsTHashtable *mTLSTolerantSites; - nsTHashtable *mRenegoUnrestrictedSites; - bool mTreatUnsafeNegotiationAsBroken; - int32_t mWarnLevelMissingRFC5746; + static nsTHashtable *mRenegoUnrestrictedSites; + static bool mTreatUnsafeNegotiationAsBroken; + static int32_t mWarnLevelMissingRFC5746; - void setTreatUnsafeNegotiationAsBroken(bool broken); - bool treatUnsafeNegotiationAsBroken(); + static void setTreatUnsafeNegotiationAsBroken(bool broken); + static bool treatUnsafeNegotiationAsBroken(); - void setWarnLevelMissingRFC5746(int32_t level); - int32_t getWarnLevelMissingRFC5746(); + static void setWarnLevelMissingRFC5746(int32_t level); + static int32_t getWarnLevelMissingRFC5746(); static void getSiteKey(nsNSSSocketInfo *socketInfo, nsCSubstring &key); - bool rememberPossibleTLSProblemSite(nsNSSSocketInfo *socketInfo); - void rememberTolerantSite(nsNSSSocketInfo *socketInfo); + static bool rememberPossibleTLSProblemSite(nsNSSSocketInfo *socketInfo); + static void rememberTolerantSite(nsNSSSocketInfo *socketInfo); - void addIntolerantSite(const nsCString &str); - void removeIntolerantSite(const nsCString &str); - bool isKnownAsIntolerantSite(const nsCString &str); + static void addIntolerantSite(const nsCString &str); + static void removeIntolerantSite(const nsCString &str); + static bool isKnownAsIntolerantSite(const nsCString &str); - void setRenegoUnrestrictedSites(const nsCString &str); - bool isRenegoUnrestrictedSite(const nsCString &str); - - void 
clearStoredData(); -private: - nsCOMPtr mPrefObserver; + static void setRenegoUnrestrictedSites(const nsCString &str); + static bool isRenegoUnrestrictedSite(const nsCString &str); }; nsresult nsSSLIOLayerNewSocket(int32_t family, diff --git a/security/manager/ssl/src/nsNSSModule.cpp b/security/manager/ssl/src/nsNSSModule.cpp index 568c2be52ae5..90debb592819 100644 --- a/security/manager/ssl/src/nsNSSModule.cpp +++ b/security/manager/ssl/src/nsNSSModule.cpp @@ -38,6 +38,7 @@ #include "nsDataSignatureVerifier.h" #include "nsCertOverrideService.h" #include "nsRandomGenerator.h" +#include "nsRecentBadCerts.h" #include "nsSSLStatus.h" #include "TransportSecurityInfo.h" #include "NSSErrorsService.h" @@ -203,6 +204,7 @@ NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsKeyObjectFactory) NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsDataSignatureVerifier) NS_NSS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nssEnsure, nsCertOverrideService, Init) NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsRandomGenerator) +NS_NSS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nssEnsure, nsRecentBadCertsService, Init) NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsureOnChromeOnly, nsSSLStatus) NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsureOnChromeOnly, TransportSecurityInfo) @@ -241,6 +243,7 @@ NS_DEFINE_NAMED_CID(NS_KEYMODULEOBJECTFACTORY_CID); NS_DEFINE_NAMED_CID(NS_DATASIGNATUREVERIFIER_CID); NS_DEFINE_NAMED_CID(NS_CERTOVERRIDE_CID); NS_DEFINE_NAMED_CID(NS_RANDOMGENERATOR_CID); +NS_DEFINE_NAMED_CID(NS_RECENTBADCERTS_CID); NS_DEFINE_NAMED_CID(NS_SSLSTATUS_CID); NS_DEFINE_NAMED_CID(TRANSPORTSECURITYINFO_CID); NS_DEFINE_NAMED_CID(NS_NSSERRORSSERVICE_CID); 
@@ -278,6 +281,7 @@ static const mozilla::Module::CIDEntry kNSSCIDs[] = { { &kNS_DATASIGNATUREVERIFIER_CID, false, nullptr, nsDataSignatureVerifierConstructor }, { &kNS_CERTOVERRIDE_CID, false, nullptr, nsCertOverrideServiceConstructor }, { &kNS_RANDOMGENERATOR_CID, false, nullptr, nsRandomGeneratorConstructor }, + { &kNS_RECENTBADCERTS_CID, false, nullptr, nsRecentBadCertsServiceConstructor }, { &kNS_SSLSTATUS_CID, false, nullptr, nsSSLStatusConstructor }, { &kTRANSPORTSECURITYINFO_CID, false, nullptr, TransportSecurityInfoConstructor }, { &kNS_NSSERRORSSERVICE_CID, false, nullptr, NSSErrorsServiceConstructor }, @@ -320,6 +324,7 @@ static const mozilla::Module::ContractIDEntry kNSSContracts[] = { { NS_DATASIGNATUREVERIFIER_CONTRACTID, &kNS_DATASIGNATUREVERIFIER_CID }, { NS_CERTOVERRIDE_CONTRACTID, &kNS_CERTOVERRIDE_CID }, { NS_RANDOMGENERATOR_CONTRACTID, &kNS_RANDOMGENERATOR_CID }, + { NS_RECENTBADCERTS_CONTRACTID, &kNS_RECENTBADCERTS_CID }, { nullptr } }; diff --git a/security/manager/ssl/src/nsRecentBadCerts.cpp b/security/manager/ssl/src/nsRecentBadCerts.cpp index 1b121cc767d7..de378b9e9bb5 100644 --- a/security/manager/ssl/src/nsRecentBadCerts.cpp +++ b/security/manager/ssl/src/nsRecentBadCerts.cpp @@ -6,9 +6,7 @@ #include "nsRecentBadCerts.h" #include "nsIX509Cert.h" -#include "nsIObserverService.h" #include "mozilla/RefPtr.h" -#include "mozilla/Services.h" #include "nsSSLStatus.h" #include "nsCOMPtr.h" #include "nsNSSCertificate.h" 
@@ -22,22 +20,28 @@ using namespace mozilla; -NS_IMPL_THREADSAFE_ISUPPORTS1(nsRecentBadCerts, - nsIRecentBadCerts) +NS_IMPL_THREADSAFE_ISUPPORTS1(nsRecentBadCertsService, + nsIRecentBadCertsService) -nsRecentBadCerts::nsRecentBadCerts() -:monitor("nsRecentBadCerts.monitor") +nsRecentBadCertsService::nsRecentBadCertsService() +:monitor("nsRecentBadCertsService.monitor") ,mNextStorePosition(0) { } -nsRecentBadCerts::~nsRecentBadCerts() +nsRecentBadCertsService::~nsRecentBadCertsService() { } +nsresult +nsRecentBadCertsService::Init() +{ + return NS_OK; +} + NS_IMETHODIMP -nsRecentBadCerts::GetRecentBadCert(const nsAString & aHostNameWithPort, - nsISSLStatus **aStatus) +nsRecentBadCertsService::GetRecentBadCert(const nsAString & aHostNameWithPort, + nsISSLStatus **aStatus) { NS_ENSURE_ARG_POINTER(aStatus); if (!aHostNameWithPort.Length()) @@ -97,7 +101,7 @@ nsRecentBadCerts::GetRecentBadCert(const nsAString & aHostNameWithPort, } NS_IMETHODIMP -nsRecentBadCerts::AddBadCert(const nsAString &hostWithPort, +nsRecentBadCertsService::AddBadCert(const nsAString &hostWithPort, nsISSLStatus *aStatus) { NS_ENSURE_ARG(aStatus); @@ -142,13 +146,3 @@ nsRecentBadCerts::AddBadCert(const nsAString &hostWithPort, return NS_OK; } - -NS_IMETHODIMP -nsRecentBadCerts::ResetStoredCerts() -{ - for (size_t i = 0; i < const_recently_seen_list_size; ++i) { - RecentBadCert &entry = mCerts[i]; - entry.Clear(); - } - return NS_OK; -} diff --git a/security/manager/ssl/src/nsRecentBadCerts.h b/security/manager/ssl/src/nsRecentBadCerts.h index 064cb46cd1e8..e82f780c252a 100644 --- a/security/manager/ssl/src/nsRecentBadCerts.h +++ b/security/manager/ssl/src/nsRecentBadCerts.h 
@@ -54,14 +54,16 @@ private: RecentBadCert &operator=(const RecentBadCert &other) MOZ_DELETE; }; -class nsRecentBadCerts MOZ_FINAL : public nsIRecentBadCerts +class nsRecentBadCertsService MOZ_FINAL : public nsIRecentBadCertsService { public: NS_DECL_ISUPPORTS - NS_DECL_NSIRECENTBADCERTS + NS_DECL_NSIRECENTBADCERTSSERVICE - nsRecentBadCerts(); - ~nsRecentBadCerts(); + nsRecentBadCertsService(); + ~nsRecentBadCertsService(); + + nsresult Init(); protected: mozilla::ReentrantMonitor monitor;