Bug 1560354 - Transform some nss types into gecko types. r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D35566

--HG--
extra : moz-landing-system : lando
Dragana Damjanovic 2019-07-02 21:26:36 +00:00
parent 0a2a769367
commit 1ed2904c50
7 changed files with 77 additions and 66 deletions


@ -447,8 +447,8 @@ Result CertVerifier::VerifyCert(
const char* hostname,
/*out*/ UniqueCERTCertList& builtChain,
/*optional*/ const Flags flags,
/*optional*/ const SECItem* stapledOCSPResponseSECItem,
/*optional*/ const SECItem* sctsFromTLSSECItem,
/*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponseArg,
/*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS,
/*optional*/ const OriginAttributes& originAttributes,
/*optional out*/ SECOidTag* evOidPolicy,
/*optional out*/ OCSPStaplingStatus* ocspStaplingStatus,
@ -516,9 +516,9 @@ Result CertVerifier::VerifyCert(
Input stapledOCSPResponseInput;
const Input* stapledOCSPResponse = nullptr;
if (stapledOCSPResponseSECItem) {
rv = stapledOCSPResponseInput.Init(stapledOCSPResponseSECItem->data,
stapledOCSPResponseSECItem->len);
if (stapledOCSPResponseArg) {
rv = stapledOCSPResponseInput.Init(stapledOCSPResponseArg->Elements(),
stapledOCSPResponseArg->Length());
if (rv != Success) {
// The stapled OCSP response was too big.
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
@ -527,12 +527,12 @@ Result CertVerifier::VerifyCert(
}
Input sctsFromTLSInput;
if (sctsFromTLSSECItem) {
rv = sctsFromTLSInput.Init(sctsFromTLSSECItem->data,
sctsFromTLSSECItem->len);
// Silently discard the error of the extension being too big,
// do not fail the verification.
MOZ_ASSERT(rv == Success);
if (sctsFromTLS) {
rv = sctsFromTLSInput.Init(sctsFromTLS->Elements(),
sctsFromTLS->Length());
if (rv != Success && sctsFromTLSInput.GetLength() != 0) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
}
switch (usage) {
@ -854,8 +854,8 @@ static bool CertIsSelfSigned(const UniqueCERTCertificate& cert, void* pinarg) {
Result CertVerifier::VerifySSLServerCert(
const UniqueCERTCertificate& peerCert,
/*optional*/ const SECItem* stapledOCSPResponse,
/*optional*/ const SECItem* sctsFromTLS, Time time,
/*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
/*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS, Time time,
/*optional*/ void* pinarg, const nsACString& hostname,
/*out*/ UniqueCERTCertList& builtChain,
/*optional*/ bool saveIntermediatesInPermanentDatabase,
@ -924,8 +924,8 @@ Result CertVerifier::VerifySSLServerCert(
Input stapledOCSPResponseInput;
Input* responseInputPtr = nullptr;
if (stapledOCSPResponse) {
rv = stapledOCSPResponseInput.Init(stapledOCSPResponse->data,
stapledOCSPResponse->len);
rv = stapledOCSPResponseInput.Init(stapledOCSPResponse->Elements(),
stapledOCSPResponse->Length());
if (rv != Success) {
// The stapled OCSP response was too big.
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
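Review bot: The new guard in the sctsFromTLS block, `if (rv != Success && sctsFromTLSInput.GetLength() != 0)`, checks the length of the Input whose Init just failed rather than the length of the array that was passed in. If a failed Init leaves the Input empty (Input's implementation is not shown here), the FATAL_ERROR_LIBRARY_FAILURE return cannot be reached, and an oversized SCT list is still dropped without failing verification, now with neither the old comment nor the MOZ_ASSERT to say so. If dropping it is intended, restore the comment, e.g. `// An oversized SCT extension is ignored; it must not fail verification.`; if failing is intended, test the source instead with `if (rv != Success && sctsFromTLS->Length() != 0)`. VerifyCert's body continues outside the hunk.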


@ -146,8 +146,8 @@ class CertVerifier {
CERTCertificate* cert, SECCertificateUsage usage,
mozilla::pkix::Time time, void* pinArg, const char* hostname,
/*out*/ UniqueCERTCertList& builtChain, Flags flags = 0,
/*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
/*optional in*/ const SECItem* sctsFromTLS = nullptr,
/*optional in*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponseArg = Maybe<nsTArray<uint8_t>>(),
/*optional in*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS = Maybe<nsTArray<uint8_t>>(),
/*optional in*/ const OriginAttributes& originAttributes =
OriginAttributes(),
/*optional out*/ SECOidTag* evOidPolicy = nullptr,
@ -159,8 +159,8 @@ class CertVerifier {
mozilla::pkix::Result VerifySSLServerCert(
const UniqueCERTCertificate& peerCert,
/*optional*/ const SECItem* stapledOCSPResponse,
/*optional*/ const SECItem* sctsFromTLS, mozilla::pkix::Time time,
/*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
/*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS, mozilla::pkix::Time time,
/*optional*/ void* pinarg, const nsACString& hostname,
/*out*/ UniqueCERTCertList& builtChain,
/*optional*/ bool saveIntermediatesInPermanentDatabase = false,


@ -731,8 +731,8 @@ class SSLServerCertVerificationJob : public Runnable {
nsNSSSocketInfo* infoObject,
const UniqueCERTCertificate& serverCert,
const UniqueCERTCertList& peerCertChain,
const SECItem* stapledOCSPResponse,
const SECItem* sctsFromTLSExtension,
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
uint32_t providerFlags, Time time, PRTime prtime);
private:
@ -742,9 +742,10 @@ class SSLServerCertVerificationJob : public Runnable {
SSLServerCertVerificationJob(
const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging,
nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& cert,
UniqueCERTCertList peerCertChain, const SECItem* stapledOCSPResponse,
const SECItem* sctsFromTLSExtension, uint32_t providerFlags, Time time,
PRTime prtime);
UniqueCERTCertList peerCertChain,
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
uint32_t providerFlags, Time time, PRTime prtime);
const RefPtr<SharedCertVerifier> mCertVerifier;
const void* const mFdForLogging;
const RefPtr<nsNSSSocketInfo> mInfoObject;
@ -754,16 +755,17 @@ class SSLServerCertVerificationJob : public Runnable {
const Time mTime;
const PRTime mPRTime;
const TimeStamp mJobStartTime;
const UniqueSECItem mStapledOCSPResponse;
const UniqueSECItem mSCTsFromTLSExtension;
Maybe<nsTArray<uint8_t>> mStapledOCSPResponse;
Maybe<nsTArray<uint8_t>> mSCTsFromTLSExtension;
};
SSLServerCertVerificationJob::SSLServerCertVerificationJob(
const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging,
nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& cert,
UniqueCERTCertList peerCertChain, const SECItem* stapledOCSPResponse,
const SECItem* sctsFromTLSExtension, uint32_t providerFlags, Time time,
PRTime prtime)
UniqueCERTCertList peerCertChain,
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags,
Time time, PRTime prtime)
: Runnable("psm::SSLServerCertVerificationJob"),
mCertVerifier(certVerifier),
mFdForLogging(fdForLogging),
@ -774,8 +776,8 @@ SSLServerCertVerificationJob::SSLServerCertVerificationJob(
mTime(time),
mPRTime(prtime),
mJobStartTime(TimeStamp::Now()),
mStapledOCSPResponse(SECITEM_DupItem(stapledOCSPResponse)),
mSCTsFromTLSExtension(SECITEM_DupItem(sctsFromTLSExtension)) {}
mStapledOCSPResponse(std::move(stapledOCSPResponse)),
mSCTsFromTLSExtension(std::move(sctsFromTLSExtension)) {}
// This function assumes that we will only use the SPDY connection coalescing
// feature on connections where we have negotiated SPDY using NPN. If we ever
@ -1275,8 +1277,8 @@ SECStatus AuthCertificate(CertVerifier& certVerifier,
nsNSSSocketInfo* infoObject,
const UniqueCERTCertificate& cert,
UniqueCERTCertList& peerCertChain,
const SECItem* stapledOCSPResponse,
const SECItem* sctsFromTLSExtension,
const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
const Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
uint32_t providerFlags, Time time) {
MOZ_ASSERT(infoObject);
MOZ_ASSERT(cert);
@ -1379,9 +1381,10 @@ SECStatus AuthCertificate(CertVerifier& certVerifier,
SECStatus SSLServerCertVerificationJob::Dispatch(
const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging,
nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& serverCert,
const UniqueCERTCertList& peerCertChain, const SECItem* stapledOCSPResponse,
const SECItem* sctsFromTLSExtension, uint32_t providerFlags, Time time,
PRTime prtime) {
const UniqueCERTCertList& peerCertChain,
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags,
Time time, PRTime prtime) {
// Runs on the socket transport thread
if (!certVerifier || !infoObject || !serverCert) {
NS_ERROR("Invalid parameters for SSL server cert validation");
@ -1445,7 +1448,7 @@ SSLServerCertVerificationJob::Run() {
PR_SetError(0, 0);
SECStatus rv =
AuthCertificate(*mCertVerifier, mInfoObject, mCert, mPeerCertChain,
mStapledOCSPResponse.get(), mSCTsFromTLSExtension.get(),
mStapledOCSPResponse, mSCTsFromTLSExtension,
mProviderFlags, mTime);
MOZ_ASSERT((mPeerCertChain && rv == SECSuccess) ||
(!mPeerCertChain && rv != SECSuccess),
@ -1590,18 +1593,21 @@ SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig,
// return a stapled OCSP response.
// We don't own these pointers.
const SECItemArray* csa = SSL_PeerStapledOCSPResponses(fd);
SECItem* stapledOCSPResponse = nullptr;
Maybe<nsTArray<uint8_t>> stapledOCSPResponse;
// we currently only support single stapled responses
if (csa && csa->len == 1) {
stapledOCSPResponse = &csa->items[0];
stapledOCSPResponse.emplace();
stapledOCSPResponse->SetCapacity(csa->items[0].len);
stapledOCSPResponse->AppendElements(csa->items[0].data, csa->items[0].len);
}
const SECItem* sctsFromTLSExtension = SSL_PeerSignedCertTimestamps(fd);
if (sctsFromTLSExtension && sctsFromTLSExtension->len == 0) {
// SSL_PeerSignedCertTimestamps returns null on error and empty item
// when no extension was returned by the server. We always use null when
// no extension was received (for whatever reason), ignoring errors.
sctsFromTLSExtension = nullptr;
Maybe<nsTArray<uint8_t>> sctsFromTLSExtension;
const SECItem* sctsFromTLSExtensionSECItem = SSL_PeerSignedCertTimestamps(fd);
if (sctsFromTLSExtensionSECItem) {
stapledOCSPResponse.emplace();
sctsFromTLSExtension->SetCapacity(sctsFromTLSExtensionSECItem->len);
sctsFromTLSExtension->AppendElements(sctsFromTLSExtensionSECItem->data,
sctsFromTLSExtensionSECItem->len);
}
uint32_t providerFlags = 0;
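Review bot: In the AuthCertificateHook hunk the SCT branch calls `stapledOCSPResponse.emplace();` where it should call `sctsFromTLSExtension.emplace();`, so the following `sctsFromTLSExtension->SetCapacity(...)` and `AppendElements(...)` dereference a Maybe that is still empty. The stray call also re-emplaces stapledOCSPResponse: Maybe::emplace asserts that no value is held, and when no response was stapled it turns an absent response into a present, zero-length one that CertVerifier::VerifyCert appears to treat as supplied. The RebuildVerifiedCertificateInformation hunk in this commit has the correct line. Because these bytes come from the peer's handshake, a test that completes a handshake delivering SCTs through the TLS extension would cover this path. AuthCertificateHook's body starts and ends outside the hunk.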


@ -1044,17 +1044,22 @@ static void RebuildVerifiedCertificateInformation(PRFileDesc* fd,
// We don't own these pointers.
const SECItemArray* stapledOCSPResponses = SSL_PeerStapledOCSPResponses(fd);
const SECItem* stapledOCSPResponse = nullptr;
Maybe<nsTArray<uint8_t>> stapledOCSPResponse;
// we currently only support single stapled responses
if (stapledOCSPResponses && stapledOCSPResponses->len == 1) {
stapledOCSPResponse = &stapledOCSPResponses->items[0];
stapledOCSPResponse.emplace();
stapledOCSPResponse->SetCapacity(stapledOCSPResponses->items[0].len);
stapledOCSPResponse->AppendElements(stapledOCSPResponses->items[0].data,
stapledOCSPResponses->items[0].len);
}
const SECItem* sctsFromTLSExtension = SSL_PeerSignedCertTimestamps(fd);
if (sctsFromTLSExtension && sctsFromTLSExtension->len == 0) {
// SSL_PeerSignedCertTimestamps returns null on error and empty item
// when no extension was returned by the server. We always use null when
// no extension was received (for whatever reason), ignoring errors.
sctsFromTLSExtension = nullptr;
Maybe<nsTArray<uint8_t>> sctsFromTLSExtension;
const SECItem* sctsFromTLSExtensionSECItem = SSL_PeerSignedCertTimestamps(fd);
if (sctsFromTLSExtensionSECItem) {
sctsFromTLSExtension.emplace();
sctsFromTLSExtension->SetCapacity(sctsFromTLSExtensionSECItem->len);
sctsFromTLSExtension->AppendElements(sctsFromTLSExtensionSECItem->data,
sctsFromTLSExtensionSECItem->len);
}
int flags = mozilla::psm::CertVerifier::FLAG_LOCAL_ONLY;
@ -1068,9 +1073,9 @@ static void RebuildVerifiedCertificateInformation(PRFileDesc* fd,
UniqueCERTCertList builtChain;
const bool saveIntermediates = false;
mozilla::pkix::Result rv = certVerifier->VerifySSLServerCert(
cert, stapledOCSPResponse, sctsFromTLSExtension, mozilla::pkix::Now(),
infoObject, infoObject->GetHostName(), builtChain, saveIntermediates,
flags, infoObject->GetOriginAttributes(), &evOidPolicy,
cert, stapledOCSPResponse, sctsFromTLSExtension,
mozilla::pkix::Now(), infoObject, infoObject->GetHostName(), builtChain,
saveIntermediates, flags, infoObject->GetOriginAttributes(), &evOidPolicy,
nullptr, // OCSP stapling telemetry
nullptr, // key size telemetry
nullptr, // SHA-1 telemetry
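Review bot: The `len == 0` normalisation for SSL_PeerSignedCertTimestamps is gone in RebuildVerifiedCertificateInformation: the removed comment said an empty item means the server sent no extension, but the new `if (sctsFromTLSExtensionSECItem)` turns that case into a present, zero-length array. Assuming VerifySSLServerCert forwards the argument, the `if (sctsFromTLS)` test in CertVerifier::VerifyCert is then true for it, so a missing extension and an empty one are no longer the same input; whether that changes the CT outcome is not visible here. Keeping the old meaning takes one condition, `if (sctsFromTLSExtensionSECItem && sctsFromTLSExtensionSECItem->len != 0) {`, together with the removed comment. The same applies to the AuthCertificateHook hunk in the previous file. This function's body starts and ends outside the hunk.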


@ -1143,8 +1143,8 @@ nsresult VerifyCertAtTime(nsIX509Cert* aCert,
if (!aHostname.IsVoid() && aUsage == certificateUsageSSLServer) {
result = certVerifier->VerifySSLServerCert(
nssCert,
nullptr, // stapledOCSPResponse
nullptr, // sctsFromTLSExtension
Maybe<nsTArray<uint8_t>>(), // stapledOCSPResponse
Maybe<nsTArray<uint8_t>>(), // sctsFromTLSExtension
aTime,
nullptr, // Assume no context
aHostname, resultChain,
@ -1156,8 +1156,8 @@ nsresult VerifyCertAtTime(nsIX509Cert* aCert,
nssCert.get(), aUsage, aTime,
nullptr, // Assume no context
aHostname.IsVoid() ? nullptr : flatHostname.get(), resultChain, aFlags,
nullptr, // stapledOCSPResponse
nullptr, // sctsFromTLSExtension
Maybe<nsTArray<uint8_t>>(), // stapledOCSPResponse
Maybe<nsTArray<uint8_t>>(), // sctsFromTLSExtension
OriginAttributes(), &evOidPolicy);
}


@ -472,8 +472,8 @@ nsNSSSocketInfo::IsAcceptableForHost(const nsACString& hostname,
UniqueCERTCertList unusedBuiltChain;
mozilla::pkix::Result result =
certVerifier->VerifySSLServerCert(nssCert,
nullptr, // stapledOCSPResponse
nullptr, // sctsFromTLSExtension
Maybe<nsTArray<uint8_t>>(), // stapledOCSPResponse
Maybe<nsTArray<uint8_t>>(), // sctsFromTLSExtension
mozilla::pkix::Now(),
nullptr, // pinarg
hostname, unusedBuiltChain,


@ -1052,10 +1052,10 @@ nsresult nsSiteSecurityService::ProcessPKPHeader(
CertVerifier::Flags flags = CertVerifier::FLAG_LOCAL_ONLY |
CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST;
if (certVerifier->VerifySSLServerCert(nssCert,
nullptr, // stapledOCSPResponse
nullptr, // sctsFromTLSExtension
now, nullptr, // pinarg
host, // hostname
Maybe<nsTArray<uint8_t>>(), // stapledOCSPResponse
Maybe<nsTArray<uint8_t>>(), // sctsFromTLSExtension
now, nullptr, // pinarg
host, // hostname
certList,
false, // don't store intermediates
flags, aOriginAttributes) !=