Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2025-02-12 02:31:41 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1820573 - Make security/ buildable outside of a unified build environment r=andi,keeler

Browse Source 
Differential Revision: https://phabricator.services.mozilla.com/D171732
This commit is contained in:
serge-sans-paille 2023-03-15 07:30:36 +00:00
parent 42fa42c77a
commit 860ac9660a
46 changed files with 321 additions and 275 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ipc/glue/IPCMessageUtils.h
View File

@ -13,8 +13,8 @@
#include "build/build_config.h"
#include "chrome/common/ipc_message.h"
#include "chrome/common/ipc_message_utils.h"
#include "mozilla/MacroForEach.h"
#include "mozilla/ipc/IPCCore.h"
#include "mozilla/MacroForEach.h"
class PickleIterator;

75
security/certverifier/ExtendedValidation.cpp
View File

@ -13,12 +13,16 @@
#include "mozilla/Base64.h"
#include "mozilla/Casting.h"
#include "mozilla/PodOperations.h"
#include "mozpkix/pkixder.h"
#include "mozpkix/pkixtypes.h"
#include "mozpkix/pkixutil.h"
#include "nsDependentString.h"
#include "nsString.h"
#include "pk11pub.h"
#include "mozpkix/pkixtypes.h"
namespace mozilla {
namespace psm {
struct EVInfo {
@ -1171,14 +1175,14 @@ static const struct EVInfo kEVInfos[] = {
// clang-format on
};
static CertPolicyId sEVInfoIds[ArrayLength(kEVInfos)];
static pkix::CertPolicyId sEVInfoIds[ArrayLength(kEVInfos)];
static_assert(
ArrayLength(sEVInfoIds) == ArrayLength(kEVInfos),
"These arrays are used in parallel and must have the same length.");
static CertPolicyId sCABForumEVId = {};
static pkix::CertPolicyId sCABForumEVId = {};
bool CertIsAuthoritativeForEVPolicy(const nsTArray<uint8_t>& certBytes,
const mozilla::pkix::CertPolicyId& policy) {
const pkix::CertPolicyId& policy) {
nsTArray<uint8_t> fingerprint;
nsresult rv = Digest::DigestBuf(SEC_OID_SHA256, certBytes.Elements(),
certBytes.Length(), fingerprint);
@ -1216,7 +1220,7 @@ nsresult LoadExtendedValidationInfo() {
SECSuccess) {
return NS_ERROR_FAILURE;
}
if (cabforumOIDItem.len > CertPolicyId::MAX_BYTES) {
if (cabforumOIDItem.len > pkix::CertPolicyId::MAX_BYTES) {
return NS_ERROR_UNEXPECTED;
}
@ -1289,7 +1293,7 @@ nsresult LoadExtendedValidationInfo() {
if (srv != SECSuccess) {
return NS_ERROR_FAILURE;
}
if (evOIDItem.len > CertPolicyId::MAX_BYTES) {
if (evOIDItem.len > pkix::CertPolicyId::MAX_BYTES) {
return NS_ERROR_UNEXPECTED;
}
sEVInfoIds[i].numBytes = evOIDItem.len;
@ -1301,72 +1305,73 @@ nsresult LoadExtendedValidationInfo() {
// Helper function for GetKnownEVPolicies(): reads an EV Policy if there is one,
// and appends it to the given list of CertPolicyIds.
void FindMatchingEVPolicy(Reader& idReader,
nsTArray<mozilla::pkix::CertPolicyId>& policies) {
Input cabForumEVIdBytes;
Result rv =
void FindMatchingEVPolicy(pkix::Reader& idReader,
nsTArray<pkix::CertPolicyId>& policies) {
pkix::Input cabForumEVIdBytes;
pkix::Result rv =
cabForumEVIdBytes.Init(sCABForumEVId.bytes, sCABForumEVId.numBytes);
if (rv == Success && idReader.MatchRest(cabForumEVIdBytes)) {
if (rv == pkix::Success && idReader.MatchRest(cabForumEVIdBytes)) {
policies.AppendElement(sCABForumEVId);
return;
}
for (const CertPolicyId& id : sEVInfoIds) {
Input idBytes;
for (const pkix::CertPolicyId& id : sEVInfoIds) {
pkix::Input idBytes;
rv = idBytes.Init(id.bytes, id.numBytes);
if (rv == Success && idReader.MatchRest(idBytes)) {
if (rv == pkix::Success && idReader.MatchRest(idBytes)) {
policies.AppendElement(id);
return;
}
}
}
void GetKnownEVPolicies(
const nsTArray<uint8_t>& certBytes,
/*out*/ nsTArray<mozilla::pkix::CertPolicyId>& policies) {
Input certInput;
Result rv = certInput.Init(certBytes.Elements(), certBytes.Length());
if (rv != Success) {
void GetKnownEVPolicies(const nsTArray<uint8_t>& certBytes,
/*out*/ nsTArray<pkix::CertPolicyId>& policies) {
pkix::Input certInput;
pkix::Result rv = certInput.Init(certBytes.Elements(), certBytes.Length());
if (rv != pkix::Success) {
return;
}
// we don't use the certificate for path building, so this parameter
// doesn't matter
EndEntityOrCA notUsedForPaths = EndEntityOrCA::MustBeEndEntity;
BackCert cert(certInput, notUsedForPaths, nullptr);
pkix::EndEntityOrCA notUsedForPaths = pkix::EndEntityOrCA::MustBeEndEntity;
pkix::BackCert cert(certInput, notUsedForPaths, nullptr);
rv = cert.Init();
if (rv != Success) {
if (rv != pkix::Success) {
return;
}
const Input* extensionInput = cert.GetCertificatePolicies();
const pkix::Input* extensionInput = cert.GetCertificatePolicies();
if (!extensionInput) {
return;
}
Reader extension(*extensionInput);
Reader certificatePolicies;
pkix::Reader extension(*extensionInput);
pkix::Reader certificatePolicies;
// certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
// PolicyInformation ::= SEQUENCE {
// policyIdentifier CertPolicyId,
// ...
// }
// CertPolicyId ::= OBJECT IDENTIFIER
rv = der::ExpectTagAndGetValue(extension, der::SEQUENCE, certificatePolicies);
if (rv != Success || !extension.AtEnd()) {
rv = pkix::der::ExpectTagAndGetValue(extension, pkix::der::SEQUENCE,
certificatePolicies);
if (rv != pkix::Success || !extension.AtEnd()) {
return;
}
do {
Reader policyInformation;
rv = der::ExpectTagAndGetValue(certificatePolicies, der::SEQUENCE,
policyInformation);
if (rv != Success) {
pkix::Reader policyInformation;
rv = pkix::der::ExpectTagAndGetValue(
certificatePolicies, pkix::der::SEQUENCE, policyInformation);
if (rv != pkix::Success) {
return;
}
Reader policyOid;
rv = der::ExpectTagAndGetValue(policyInformation, der::OIDTag, policyOid);
if (rv != Success) {
pkix::Reader policyOid;
rv = pkix::der::ExpectTagAndGetValue(policyInformation, pkix::der::OIDTag,
policyOid);
if (rv != pkix::Success) {
return;
}

2
security/certverifier/NSSCertDBTrustDomain.cpp
View File

@ -21,6 +21,7 @@
#include "mozilla/Assertions.h"
#include "mozilla/Casting.h"
#include "mozilla/ClearOnShutdown.h"
#include "mozilla/Logging.h"
#include "mozilla/PodOperations.h"
#include "mozilla/Services.h"
#include "mozilla/SyncRunnable.h"
@ -33,6 +34,7 @@
#include "nsCRTGlue.h"
#include "nsIObserverService.h"
#include "nsNetCID.h"
#include "nsNSSCallbacks.h"
#include "nsNSSCertHelper.h"
#include "nsNSSCertificate.h"
#include "nsNSSCertificateDB.h"

1
security/certverifier/OCSPCache.cpp
View File

@ -28,6 +28,7 @@
#include "NSSCertDBTrustDomain.h"
#include "pk11pub.h"
#include "mozilla/Logging.h"
#include "mozilla/StaticPrefs_privacy.h"
#include "mozpkix/pkixnss.h"
#include "ScopedNSSTypes.h"

2
security/certverifier/moz.build
View File

@ -52,5 +52,3 @@ FINAL_LIBRARY = "xul"
if CONFIG["CC_TYPE"] == "clang-cl":
AllowCompilerWarnings() # workaround for bug 1090497
REQUIRES_UNIFIED_BUILD = True

4
security/ct/CTDiversityPolicy.cpp
View File

@ -9,7 +9,7 @@
namespace mozilla {
namespace ct {
typedef mozilla::pkix::Result Result;
typedef pkix::Result Result;
void GetCTLogOperatorsFromVerifiedSCTList(const VerifiedSCTList& list,
CTLogOperatorList& operators) {
@ -32,7 +32,7 @@ void GetCTLogOperatorsFromVerifiedSCTList(const VerifiedSCTList& list,
Result CTDiversityPolicy::GetDependentOperators(
const nsTArray<nsTArray<uint8_t>>& builtChain,
const CTLogOperatorList& operators, CTLogOperatorList& dependentOperators) {
return Success;
return pkix::Success;
}
} // namespace ct

54
security/ct/CTSerialization.cpp
View File

@ -38,65 +38,11 @@ static const size_t kTbsCertificateLengthBytes = 3;
static const size_t kSCTListLengthBytes = 2;
static const size_t kSerializedSCTLengthBytes = 2;
// Length of sha256RootHash buffer of SignedTreeHead
static const size_t kSthRootHashLength = 32;
enum class SignatureType {
CertificateTimestamp = 0,
TreeHash = 1,
};
// Reads a TLS-encoded variable length unsigned integer from |in|.
// The integer is expected to be in big-endian order, which is used by TLS.
// Note: does not check if the output parameter overflows while reading.
// |length| indicates the size (in bytes) of the serialized integer.
static Result UncheckedReadUint(size_t length, Reader& in, uint64_t& out) {
uint64_t result = 0;
for (size_t i = 0; i < length; ++i) {
uint8_t value;
Result rv = in.Read(value);
if (rv != Success) {
return rv;
}
result = (result << 8) | value;
}
out = result;
return Success;
}
// Performs overflow sanity checks and calls UncheckedReadUint.
template <size_t length, typename T>
Result ReadUint(Reader& in, T& out) {
uint64_t value;
static_assert(std::is_unsigned<T>::value, "T must be unsigned");
static_assert(length <= 8, "At most 8 byte integers can be read");
static_assert(sizeof(T) >= length, "T must be able to hold <length> bytes");
Result rv = UncheckedReadUint(length, in, value);
if (rv != Success) {
return rv;
}
out = static_cast<T>(value);
return Success;
}
// Reads |length| bytes from |in|.
static Result ReadFixedBytes(size_t length, Reader& in, Input& out) {
return in.Skip(length, out);
}
// Reads a length-prefixed variable amount of bytes from |in|, updating |out|
// on success. |prefixLength| indicates the number of bytes needed to represent
// the length.
template <size_t prefixLength>
Result ReadVariableBytes(Reader& in, Input& out) {
size_t length;
Result rv = ReadUint<prefixLength>(in, length);
if (rv != Success) {
return rv;
}
return ReadFixedBytes(length, in, out);
}
// Reads a serialized hash algorithm.
static Result ReadHashAlgorithm(Reader& in,
DigitallySigned::HashAlgorithm& out) {

47
security/ct/CTUtils.h
View File

@ -54,17 +54,56 @@ namespace ct {
// Reads a TLS-encoded variable length unsigned integer from |in|.
// The integer is expected to be in big-endian order, which is used by TLS.
// Note: checks if the output parameter overflows while reading.
// Note: does not check if the output parameter overflows while reading.
// |length| indicates the size (in bytes) of the serialized integer.
inline static pkix::Result UncheckedReadUint(size_t length, pkix::Reader& in,
uint64_t& out) {
uint64_t result = 0;
for (size_t i = 0; i < length; ++i) {
uint8_t value;
pkix::Result rv = in.Read(value);
if (rv != pkix::Success) {
return rv;
}
result = (result << 8) | value;
}
out = result;
return pkix::Success;
}
// Performs overflow sanity checks and calls UncheckedReadUint.
template <size_t length, typename T>
mozilla::pkix::Result ReadUint(mozilla::pkix::Reader& in, T& out);
pkix::Result ReadUint(pkix::Reader& in, T& out) {
uint64_t value;
static_assert(std::is_unsigned<T>::value, "T must be unsigned");
static_assert(length <= 8, "At most 8 byte integers can be read");
static_assert(sizeof(T) >= length, "T must be able to hold <length> bytes");
pkix::Result rv = UncheckedReadUint(length, in, value);
if (rv != pkix::Success) {
return rv;
}
out = static_cast<T>(value);
return pkix::Success;
}
// Reads |length| bytes from |in|.
static inline pkix::Result ReadFixedBytes(size_t length, pkix::Reader& in,
pkix::Input& out) {
return in.Skip(length, out);
}
// Reads a length-prefixed variable amount of bytes from |in|, updating |out|
// on success. |prefixLength| indicates the number of bytes needed to represent
// the length.
template <size_t prefixLength>
mozilla::pkix::Result ReadVariableBytes(mozilla::pkix::Reader& in,
mozilla::pkix::Input& out);
pkix::Result ReadVariableBytes(pkix::Reader& in, pkix::Input& out) {
size_t length;
pkix::Result rv = ReadUint<prefixLength>(in, length);
if (rv != pkix::Success) {
return rv;
}
return ReadFixedBytes(length, in, out);
}
} // namespace ct
} // namespace mozilla

2
security/ct/moz.build
View File

@ -51,5 +51,3 @@ FINAL_LIBRARY = "xul"
if CONFIG["CC_TYPE"] == "clang-cl":
AllowCompilerWarnings() # workaround for bug 1090497
REQUIRES_UNIFIED_BUILD = True

2
security/ct/tests/gtest/moz.build
View File

@ -54,5 +54,3 @@ if not CONFIG["MOZ_DEBUG"]:
DEFINES["NDEBUG"] = True
FINAL_LIBRARY = "xul-gtest"
REQUIRES_UNIFIED_BUILD = True

100
security/manager/ssl/AppTrustDomain.cpp
View File

@ -8,11 +8,17 @@
#include "MainThreadUtils.h"
#include "cert_storage/src/cert_storage.h"
// FIXME: these two must be included before certdb.h {
#include "seccomon.h"
#include "certt.h"
// }
#include "certdb.h"
#include "mozilla/ArrayUtils.h"
#include "mozilla/Casting.h"
#include "mozilla/Logging.h"
#include "mozilla/Preferences.h"
#include "mozpkix/pkixnss.h"
#include "NSSCertDBTrustDomain.h"
#include "nsComponentManagerUtils.h"
#include "nsDirectoryServiceUtils.h"
#include "nsIContentSignatureVerifier.h"
@ -87,16 +93,17 @@ nsresult AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot) {
return NS_OK;
}
Result AppTrustDomain::FindIssuer(Input encodedIssuerName,
IssuerChecker& checker, Time) {
pkix::Result AppTrustDomain::FindIssuer(Input encodedIssuerName,
IssuerChecker& checker, Time) {
MOZ_ASSERT(!mTrustedRoot.IsEmpty());
if (mTrustedRoot.IsEmpty()) {
return Result::FATAL_ERROR_INVALID_STATE;
return pkix::Result::FATAL_ERROR_INVALID_STATE;
}
nsTArray<Input> candidates;
Input rootInput;
Result rv = rootInput.Init(mTrustedRoot.Elements(), mTrustedRoot.Length());
pkix::Result rv =
rootInput.Init(mTrustedRoot.Elements(), mTrustedRoot.Length());
// This should never fail, since the possible roots are all hard-coded and
// they should never be too long.
if (rv != Success) {
@ -146,7 +153,8 @@ Result AppTrustDomain::FindIssuer(Input encodedIssuerName,
for (CERTCertListNode* n = CERT_LIST_HEAD(nssCandidates);
!CERT_LIST_END(n, nssCandidates); n = CERT_LIST_NEXT(n)) {
Input certDER;
Result rv = certDER.Init(n->cert->derCert.data, n->cert->derCert.len);
pkix::Result rv =
certDER.Init(n->cert->derCert.data, n->cert->derCert.len);
if (rv != Success) {
continue; // probably too big
}
@ -166,17 +174,17 @@ Result AppTrustDomain::FindIssuer(Input encodedIssuerName,
return Success;
}
Result AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
const CertPolicyId& policy,
Input candidateCertDER,
/*out*/ TrustLevel& trustLevel) {
pkix::Result AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
const CertPolicyId& policy,
Input candidateCertDER,
/*out*/ TrustLevel& trustLevel) {
MOZ_ASSERT(policy.IsAnyPolicy());
MOZ_ASSERT(!mTrustedRoot.IsEmpty());
if (!policy.IsAnyPolicy()) {
return Result::FATAL_ERROR_INVALID_ARGS;
return pkix::Result::FATAL_ERROR_INVALID_ARGS;
}
if (mTrustedRoot.IsEmpty()) {
return Result::FATAL_ERROR_INVALID_STATE;
return pkix::Result::FATAL_ERROR_INVALID_STATE;
}
nsTArray<uint8_t> issuerBytes;
@ -184,7 +192,7 @@ Result AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
nsTArray<uint8_t> subjectBytes;
nsTArray<uint8_t> pubKeyBytes;
Result result =
pkix::Result result =
BuildRevocationCheckArrays(candidateCertDER, endEntityOrCA, issuerBytes,
serialBytes, subjectBytes, pubKeyBytes);
if (result != Success) {
@ -195,11 +203,11 @@ Result AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
nsresult nsrv = mCertBlocklist->GetRevocationState(
issuerBytes, serialBytes, subjectBytes, pubKeyBytes, &revocationState);
if (NS_FAILED(nsrv)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
}
if (revocationState == nsICertStorage::STATE_ENFORCE) {
return Result::ERROR_REVOKED_CERTIFICATE;
return pkix::Result::ERROR_REVOKED_CERTIFICATE;
}
// mTrustedRoot is the only trust anchor for this validation.
@ -214,67 +222,65 @@ Result AppTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
return Success;
}
Result AppTrustDomain::DigestBuf(Input item, DigestAlgorithm digestAlg,
/*out*/ uint8_t* digestBuf,
size_t digestBufLen) {
pkix::Result AppTrustDomain::DigestBuf(Input item, DigestAlgorithm digestAlg,
/*out*/ uint8_t* digestBuf,
size_t digestBufLen) {
return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
}
Result AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, Time,
Duration,
/*optional*/ const Input*,
/*optional*/ const Input*,
/*optional*/ const Input*) {
pkix::Result AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, Time,
Duration,
/*optional*/ const Input*,
/*optional*/ const Input*,
/*optional*/ const Input*) {
// We don't currently do revocation checking. If we need to distrust an Apps
// certificate, we will use the active distrust mechanism.
return Success;
}
Result AppTrustDomain::IsChainValid(const DERArray& certChain, Time time,
const CertPolicyId& requiredPolicy) {
pkix::Result AppTrustDomain::IsChainValid(const DERArray& certChain, Time time,
const CertPolicyId& requiredPolicy) {
MOZ_ASSERT(requiredPolicy.IsAnyPolicy());
return Success;
}
Result AppTrustDomain::CheckSignatureDigestAlgorithm(DigestAlgorithm digestAlg,
EndEntityOrCA, Time) {
pkix::Result AppTrustDomain::CheckSignatureDigestAlgorithm(
DigestAlgorithm digestAlg, EndEntityOrCA, Time) {
switch (digestAlg) {
case DigestAlgorithm::sha256: // fall through
case DigestAlgorithm::sha384: // fall through
case DigestAlgorithm::sha512:
return Success;
case DigestAlgorithm::sha1:
return Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
return pkix::Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
}
return Result::FATAL_ERROR_LIBRARY_FAILURE;
return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
}
Result AppTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
pkix::Result AppTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
EndEntityOrCA /*endEntityOrCA*/, unsigned int modulusSizeInBits) {
if (modulusSizeInBits < 2048u) {
return Result::ERROR_INADEQUATE_KEY_SIZE;
return pkix::Result::ERROR_INADEQUATE_KEY_SIZE;
}
return Success;
}
Result AppTrustDomain::VerifyRSAPKCS1SignedData(Input data,
DigestAlgorithm digestAlgorithm,
Input signature,
Input subjectPublicKeyInfo) {
pkix::Result AppTrustDomain::VerifyRSAPKCS1SignedData(
Input data, DigestAlgorithm digestAlgorithm, Input signature,
Input subjectPublicKeyInfo) {
// TODO: We should restrict signatures to SHA-256 or better.
return VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature,
subjectPublicKeyInfo, nullptr);
}
Result AppTrustDomain::VerifyRSAPSSSignedData(Input data,
DigestAlgorithm digestAlgorithm,
Input signature,
Input subjectPublicKeyInfo) {
pkix::Result AppTrustDomain::VerifyRSAPSSSignedData(
Input data, DigestAlgorithm digestAlgorithm, Input signature,
Input subjectPublicKeyInfo) {
return VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature,
subjectPublicKeyInfo, nullptr);
}
Result AppTrustDomain::CheckECDSACurveIsAcceptable(
pkix::Result AppTrustDomain::CheckECDSACurveIsAcceptable(
EndEntityOrCA /*endEntityOrCA*/, NamedCurve curve) {
switch (curve) {
case NamedCurve::secp256r1: // fall through
@ -283,25 +289,25 @@ Result AppTrustDomain::CheckECDSACurveIsAcceptable(
return Success;
}
return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
return pkix::Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
}
Result AppTrustDomain::VerifyECDSASignedData(Input data,
DigestAlgorithm digestAlgorithm,
Input signature,
Input subjectPublicKeyInfo) {
pkix::Result AppTrustDomain::VerifyECDSASignedData(
Input data, DigestAlgorithm digestAlgorithm, Input signature,
Input subjectPublicKeyInfo) {
return VerifyECDSASignedDataNSS(data, digestAlgorithm, signature,
subjectPublicKeyInfo, nullptr);
}
Result AppTrustDomain::CheckValidityIsAcceptable(
pkix::Result AppTrustDomain::CheckValidityIsAcceptable(
Time /*notBefore*/, Time /*notAfter*/, EndEntityOrCA /*endEntityOrCA*/,
KeyPurposeId /*keyPurpose*/) {
return Success;
}
Result AppTrustDomain::NetscapeStepUpMatchesServerAuth(Time /*notBefore*/,
/*out*/ bool& matches) {
pkix::Result AppTrustDomain::NetscapeStepUpMatchesServerAuth(
Time /*notBefore*/,
/*out*/ bool& matches) {
matches = false;
return Success;
}

29
security/manager/ssl/CommonSocketControl.cpp
View File

@ -17,6 +17,7 @@
#include "nsITlsHandshakeListener.h"
#include "nsNSSComponent.h"
#include "nsNSSHelper.h"
#include "secerr.h"
#include "ssl.h"
#include "sslt.h"
@ -254,23 +255,23 @@ CommonSocketControl::IsAcceptableForHost(const nsACString& hostname,
// CertVerifier::VerifySSLServerCert. We are doing the same hostname-specific
// checks here. If any hostname-specific checks are added to
// CertVerifier::VerifySSLServerCert we need to add them here too.
Input serverCertInput;
pkix::Input serverCertInput;
mozilla::pkix::Result rv =
serverCertInput.Init(certDER.Elements(), certDER.Length());
if (rv != Success) {
if (rv != pkix::Success) {
return NS_OK;
}
Input hostnameInput;
pkix::Input hostnameInput;
rv = hostnameInput.Init(
BitwiseCast<const uint8_t*, const char*>(hostname.BeginReading()),
hostname.Length());
if (rv != Success) {
if (rv != pkix::Success) {
return NS_OK;
}
rv = CheckCertHostname(serverCertInput, hostnameInput);
if (rv != Success) {
if (rv != pkix::Success) {
return NS_OK;
}
@ -286,7 +287,7 @@ CommonSocketControl::IsAcceptableForHost(const nsACString& hostname,
}
bool chainHasValidPins;
nsresult nsrv = mozilla::psm::PublicKeyPinningService::ChainHasValidPins(
derCertSpanList, PromiseFlatCString(hostname).BeginReading(), Now(),
derCertSpanList, PromiseFlatCString(hostname).BeginReading(), pkix::Now(),
mIsBuiltCertChainRootBuiltInRoot, chainHasValidPins, nullptr);
if (NS_FAILED(nsrv)) {
return NS_OK;
@ -459,13 +460,15 @@ CommonSocketControl::GetSecurityInfo(nsITransportSecurityInfo** aSecurityInfo) {
if (NS_FAILED(rv)) {
return rv;
}
nsCOMPtr<nsITransportSecurityInfo> securityInfo(new TransportSecurityInfo(
mSecurityState, mErrorCode, mFailedCertChain.Clone(), mServerCert,
mSucceededCertChain.Clone(), mCipherSuite, mKeaGroupName,
mSignatureSchemeName, mProtocolVersion, mCertificateTransparencyStatus,
mIsAcceptedEch, mIsDelegatedCredential, mOverridableErrorCategory,
mMadeOCSPRequests, mUsedPrivateDNS, mIsEV, mNPNCompleted, mNegotiatedNPN,
mResumed, mIsBuiltCertChainRootBuiltInRoot, mPeerId));
nsCOMPtr<nsITransportSecurityInfo> securityInfo(
new psm::TransportSecurityInfo(
mSecurityState, mErrorCode, mFailedCertChain.Clone(), mServerCert,
mSucceededCertChain.Clone(), mCipherSuite, mKeaGroupName,
mSignatureSchemeName, mProtocolVersion,
mCertificateTransparencyStatus, mIsAcceptedEch,
mIsDelegatedCredential, mOverridableErrorCategory, mMadeOCSPRequests,
mUsedPrivateDNS, mIsEV, mNPNCompleted, mNegotiatedNPN, mResumed,
mIsBuiltCertChainRootBuiltInRoot, mPeerId));
securityInfo.forget(aSecurityInfo);
return NS_OK;
}

2
security/manager/ssl/ContentSignatureVerifier.cpp
View File

@ -6,12 +6,14 @@
#include "ContentSignatureVerifier.h"
#include "AppTrustDomain.h"
#include "CryptoTask.h"
#include "ScopedNSSTypes.h"
#include "SharedCertVerifier.h"
#include "cryptohi.h"
#include "keyhi.h"
#include "mozilla/Base64.h"
#include "mozilla/Logging.h"
#include "mozilla/dom/Promise.h"
#include "nsCOMPtr.h"
#include "nsPromiseFlatString.h"

5
security/manager/ssl/DataStorage.cpp
View File

@ -6,8 +6,8 @@
#include "DataStorage.h"
#include "mozilla/Assertions.h"
#include "mozilla/AppShutdown.h"
#include "mozilla/Assertions.h"
#include "mozilla/ClearOnShutdown.h"
#include "mozilla/FileUtils.h"
#include "mozilla/Preferences.h"
@ -22,9 +22,10 @@
#include "nsIFileStreams.h"
#include "nsIMemoryReporter.h"
#include "nsIObserverService.h"
#include "nsISafeOutputStream.h"
#include "nsISerialEventTarget.h"
#include "nsITimer.h"
#include "nsIThread.h"
#include "nsITimer.h"
#include "nsNetUtil.h"
#include "nsPrintfCString.h"
#include "nsStreamUtils.h"

3
security/manager/ssl/IPCClientCertsParent.cpp
View File

@ -6,6 +6,9 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "IPCClientCertsParent.h"
#include "ScopedNSSTypes.h"
#include "nsNSSComponent.h"
#include "nsNSSIOLayer.h"
#include "mozilla/SyncRunnable.h"
#include "mozilla/ipc/BackgroundParent.h"

2
security/manager/ssl/LibSecret.cpp
View File

@ -11,6 +11,8 @@
#include <memory>
#include "mozilla/Base64.h"
#include "mozilla/Logging.h"
#include "MainThreadUtils.h"
#include "prlink.h"
// This is the implementation of LibSecret, an instantiation of OSKeyStore for

3
security/manager/ssl/NSSKeyStore.cpp
View File

@ -6,8 +6,11 @@
#include "NSSKeyStore.h"
#include "mozilla/AbstractThread.h"
#include "mozilla/Base64.h"
#include "mozilla/Logging.h"
#include "mozilla/SyncRunnable.h"
#include "nsIThread.h"
#include "nsNSSComponent.h"
#include "nsPK11TokenDB.h"
#include "nsXULAppAPI.h"

9
security/manager/ssl/NSSSocketControl.cpp
View File

@ -8,6 +8,15 @@
#include "ssl.h"
#include "sslexp.h"
#include "nsISocketProvider.h"
#include "secerr.h"
#include "mozilla/Base64.h"
#include "nsNSSCallbacks.h"
using namespace mozilla;
using namespace mozilla::psm;
extern LazyLogModule gPIPNSSLog;
NSSSocketControl::NSSSocketControl(const nsCString& aHostName, int32_t aPort,
SharedSSLState& aState,

1
security/manager/ssl/SecretDecoderRing.cpp
View File

@ -9,6 +9,7 @@
#include "ScopedNSSTypes.h"
#include "mozilla/Base64.h"
#include "mozilla/Casting.h"
#include "mozilla/Logging.h"
#include "mozilla/Services.h"
#include "mozilla/ErrorResult.h"
#include "mozilla/dom/Promise.h"

1
security/manager/ssl/SelectTLSClientAuthCertParent.h
View File

@ -7,6 +7,7 @@
#ifndef SECURITY_MANAGER_SSL_SELECTTLSCLIENTAUTHCERTPARENT_H_
#define SECURITY_MANAGER_SSL_SELECTTLSCLIENTAUTHCERTPARENT_H_
#include "mozilla/OriginAttributes.h"
#include "mozilla/psm/PSelectTLSClientAuthCertParent.h"
namespace mozilla {

2
security/manager/ssl/SharedSSLState.cpp
View File

@ -8,6 +8,8 @@
#include "nsClientAuthRemember.h"
#include "nsComponentManagerUtils.h"
#include "nsICertOverrideService.h"
#include "mozilla/OriginAttributes.h"
#include "nsNSSComponent.h"
#include "nsIObserverService.h"
#include "mozilla/Services.h"
#include "nsThreadUtils.h"

186
security/manager/ssl/TLSClientAuthCertSelection.cpp
View File

@ -26,6 +26,7 @@
#include "TLSClientAuthCertSelection.h"
#include "cert_storage/src/cert_storage.h"
#include "mozilla/Logging.h"
#include "mozilla/ipc/BackgroundChild.h"
#include "mozilla/ipc/BackgroundParent.h"
#include "mozilla/ipc/PBackgroundChild.h"
@ -33,9 +34,25 @@
#include "mozilla/psm/SelectTLSClientAuthCertParent.h"
#include "nsArray.h"
#include "nsArrayUtils.h"
#include "nsNSSComponent.h"
#include "nsIClientAuthDialogs.h"
#include "nsIMutableArray.h"
#include "nsINSSComponent.h"
#include "NSSCertDBTrustDomain.h"
#include "nsIClientAuthRememberService.h"
#include "nsIX509CertDB.h"
#include "nsNSSHelper.h"
#include "mozpkix/pkixnss.h"
#include "mozpkix/pkixutil.h"
#include "mozpkix/pkix.h"
#include "secerr.h"
#include "sslerr.h"
using namespace mozilla;
using namespace mozilla::pkix;
using namespace mozilla::psm;
extern LazyLogModule gPIPNSSLog;
// Possible behaviors for choosing a cert for client auth.
enum class UserCertChoice {
@ -169,71 +186,74 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain {
mThirdPartyCertificates(thirdPartyCertificates) {}
virtual mozilla::pkix::Result GetCertTrust(
EndEntityOrCA endEntityOrCA, const CertPolicyId& policy,
Input candidateCertDER,
/*out*/ TrustLevel& trustLevel) override;
virtual mozilla::pkix::Result FindIssuer(Input encodedIssuerName,
pkix::EndEntityOrCA endEntityOrCA, const pkix::CertPolicyId& policy,
pkix::Input candidateCertDER,
/*out*/ pkix::TrustLevel& trustLevel) override;
virtual mozilla::pkix::Result FindIssuer(pkix::Input encodedIssuerName,
IssuerChecker& checker,
Time time) override;
pkix::Time time) override;
virtual mozilla::pkix::Result CheckRevocation(
EndEntityOrCA endEntityOrCA, const CertID& certID, Time time,
EndEntityOrCA endEntityOrCA, const pkix::CertID& certID, Time time,
mozilla::pkix::Duration validityDuration,
/*optional*/ const Input* stapledOCSPresponse,
/*optional*/ const Input* aiaExtension,
/*optional*/ const Input* sctExtension) override {
return Success;
return pkix::Success;
}
virtual mozilla::pkix::Result IsChainValid(
const DERArray& certChain, Time time,
const CertPolicyId& requiredPolicy) override;
const pkix::DERArray& certChain, pkix::Time time,
const pkix::CertPolicyId& requiredPolicy) override;
virtual mozilla::pkix::Result CheckSignatureDigestAlgorithm(
DigestAlgorithm digestAlg, EndEntityOrCA endEntityOrCA,
Time notBefore) override {
return Success;
pkix::DigestAlgorithm digestAlg, pkix::EndEntityOrCA endEntityOrCA,
pkix::Time notBefore) override {
return pkix::Success;
}
virtual mozilla::pkix::Result CheckRSAPublicKeyModulusSizeInBits(
EndEntityOrCA endEntityOrCA, unsigned int modulusSizeInBits) override {
return Success;
pkix::EndEntityOrCA endEntityOrCA,
unsigned int modulusSizeInBits) override {
return pkix::Success;
}
virtual mozilla::pkix::Result VerifyRSAPKCS1SignedData(
Input data, DigestAlgorithm, Input signature,
Input subjectPublicKeyInfo) override {
return Success;
pkix::Input data, pkix::DigestAlgorithm, pkix::Input signature,
pkix::Input subjectPublicKeyInfo) override {
return pkix::Success;
}
virtual mozilla::pkix::Result VerifyRSAPSSSignedData(
Input data, DigestAlgorithm, Input signature,
Input subjectPublicKeyInfo) override {
return Success;
pkix::Input data, pkix::DigestAlgorithm, pkix::Input signature,
pkix::Input subjectPublicKeyInfo) override {
return pkix::Success;
}
virtual mozilla::pkix::Result CheckECDSACurveIsAcceptable(
EndEntityOrCA endEntityOrCA, NamedCurve curve) override {
return Success;
pkix::EndEntityOrCA endEntityOrCA, pkix::NamedCurve curve) override {
return pkix::Success;
}
virtual mozilla::pkix::Result VerifyECDSASignedData(
Input data, DigestAlgorithm, Input signature,
Input subjectPublicKeyInfo) override {
return Success;
pkix::Input data, pkix::DigestAlgorithm, pkix::Input signature,
pkix::Input subjectPublicKeyInfo) override {
return pkix::Success;
}
virtual mozilla::pkix::Result CheckValidityIsAcceptable(
Time notBefore, Time notAfter, EndEntityOrCA endEntityOrCA,
KeyPurposeId keyPurpose) override {
return Success;
pkix::Time notBefore, pkix::Time notAfter,
pkix::EndEntityOrCA endEntityOrCA,
pkix::KeyPurposeId keyPurpose) override {
return pkix::Success;
}
virtual mozilla::pkix::Result NetscapeStepUpMatchesServerAuth(
Time notBefore,
pkix::Time notBefore,
/*out*/ bool& matches) override {
matches = true;
return Success;
return pkix::Success;
}
virtual void NoteAuxiliaryExtension(AuxiliaryExtension extension,
Input extensionData) override {}
virtual mozilla::pkix::Result DigestBuf(Input item, DigestAlgorithm digestAlg,
virtual void NoteAuxiliaryExtension(pkix::AuxiliaryExtension extension,
pkix::Input extensionData) override {}
virtual mozilla::pkix::Result DigestBuf(pkix::Input item,
pkix::DigestAlgorithm digestAlg,
/*out*/ uint8_t* digestBuf,
size_t digestBufLen) override {
return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
return pkix::DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
}
nsTArray<nsTArray<uint8_t>> TakeBuiltChain() {
@ -248,18 +268,18 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain {
};
mozilla::pkix::Result ClientAuthCertNonverifyingTrustDomain::GetCertTrust(
EndEntityOrCA endEntityOrCA, const CertPolicyId& policy,
Input candidateCertDER,
/*out*/ TrustLevel& trustLevel) {
pkix::EndEntityOrCA endEntityOrCA, const pkix::CertPolicyId& policy,
pkix::Input candidateCertDER,
/*out*/ pkix::TrustLevel& trustLevel) {
// If the server did not specify any CA names, all client certificates are
// acceptable.
if (mCANames.Length() == 0) {
trustLevel = TrustLevel::TrustAnchor;
return Success;
trustLevel = pkix::TrustLevel::TrustAnchor;
return pkix::Success;
}
BackCert cert(candidateCertDER, endEntityOrCA, nullptr);
mozilla::pkix::Result rv = cert.Init();
if (rv != Success) {
if (rv != pkix::Success) {
return rv;
}
// If this certificate's issuer distinguished name is in the set of acceptable
@ -269,22 +289,22 @@ mozilla::pkix::Result ClientAuthCertNonverifyingTrustDomain::GetCertTrust(
// the case where client certificates that have the id-kp-OCSPSigning EKU
// can't be trust anchors according to mozilla::pkix, and thus we may be
// looking directly at the issuer.
Input issuer(cert.GetIssuer());
Input subject(cert.GetSubject());
pkix::Input issuer(cert.GetIssuer());
pkix::Input subject(cert.GetSubject());
for (const auto& caName : mCANames) {
Input caNameInput;
pkix::Input caNameInput;
rv = caNameInput.Init(caName.Elements(), caName.Length());
if (rv != Success) {
if (rv != pkix::Success) {
continue; // probably too big
}
if (InputsAreEqual(issuer, caNameInput) ||
InputsAreEqual(subject, caNameInput)) {
trustLevel = TrustLevel::TrustAnchor;
return Success;
trustLevel = pkix::TrustLevel::TrustAnchor;
return pkix::Success;
}
}
trustLevel = TrustLevel::InheritsTrust;
return Success;
trustLevel = pkix::TrustLevel::InheritsTrust;
return pkix::Success;
}
// In theory this implementation should only need to consider intermediate
@ -297,10 +317,10 @@ mozilla::pkix::Result ClientAuthCertNonverifyingTrustDomain::GetCertTrust(
// certificates directly. These issuers could be roots, so we have to consider
// roots here.
mozilla::pkix::Result ClientAuthCertNonverifyingTrustDomain::FindIssuer(
Input encodedIssuerName, IssuerChecker& checker, Time time) {
pkix::Input encodedIssuerName, IssuerChecker& checker, pkix::Time time) {
// First try all relevant certificates known to Gecko, which avoids calling
// CERT_CreateSubjectCertList, because that can be expensive.
Vector<Input> geckoCandidates;
Vector<pkix::Input> geckoCandidates;
if (!mCertStorage) {
return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
}
@ -313,9 +333,9 @@ mozilla::pkix::Result ClientAuthCertNonverifyingTrustDomain::FindIssuer(
return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
}
for (auto& cert : certs) {
Input certDER;
pkix::Input certDER;
mozilla::pkix::Result rv = certDER.Init(cert.Elements(), cert.Length());
if (rv != Success) {
if (rv != pkix::Success) {
continue; // probably too big
}
if (!geckoCandidates.append(certDER)) {
@ -324,10 +344,10 @@ mozilla::pkix::Result ClientAuthCertNonverifyingTrustDomain::FindIssuer(
}
for (const auto& thirdPartyCertificate : mThirdPartyCertificates) {
Input thirdPartyCertificateInput;
pkix::Input thirdPartyCertificateInput;
mozilla::pkix::Result rv = thirdPartyCertificateInput.Init(
thirdPartyCertificate.Elements(), thirdPartyCertificate.Length());
if (rv != Success) {
if (rv != pkix::Success) {
continue; // probably too big
}
if (!geckoCandidates.append(thirdPartyCertificateInput)) {
@ -336,30 +356,31 @@ mozilla::pkix::Result ClientAuthCertNonverifyingTrustDomain::FindIssuer(
}
bool keepGoing = true;
for (Input candidate : geckoCandidates) {
for (pkix::Input candidate : geckoCandidates) {
mozilla::pkix::Result rv = checker.Check(candidate, nullptr, keepGoing);
if (rv != Success) {
if (rv != pkix::Success) {
return rv;
}
if (!keepGoing) {
return Success;
return pkix::Success;
}
}
SECItem encodedIssuerNameItem = UnsafeMapInputToSECItem(encodedIssuerName);
SECItem encodedIssuerNameItem =
pkix::UnsafeMapInputToSECItem(encodedIssuerName);
// NSS seems not to differentiate between "no potential issuers found" and
// "there was an error trying to retrieve the potential issuers." We assume
// there was no error if CERT_CreateSubjectCertList returns nullptr.
UniqueCERTCertList candidates(CERT_CreateSubjectCertList(
nullptr, CERT_GetDefaultCertDB(), &encodedIssuerNameItem, 0, false));
Vector<Input> nssCandidates;
Vector<pkix::Input> nssCandidates;
if (candidates) {
for (CERTCertListNode* n = CERT_LIST_HEAD(candidates);
!CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) {
Input certDER;
pkix::Input certDER;
mozilla::pkix::Result rv =
certDER.Init(n->cert->derCert.data, n->cert->derCert.len);
if (rv != Success) {
if (rv != pkix::Success) {
continue; // probably too big
}
if (!nssCandidates.append(certDER)) {
@ -368,26 +389,26 @@ mozilla::pkix::Result ClientAuthCertNonverifyingTrustDomain::FindIssuer(
}
}
for (Input candidate : nssCandidates) {
for (pkix::Input candidate : nssCandidates) {
mozilla::pkix::Result rv = checker.Check(candidate, nullptr, keepGoing);
if (rv != Success) {
if (rv != pkix::Success) {
return rv;
}
if (!keepGoing) {
return Success;
return pkix::Success;
}
}
return Success;
return pkix::Success;
}
mozilla::pkix::Result ClientAuthCertNonverifyingTrustDomain::IsChainValid(
const DERArray& certArray, Time, const CertPolicyId&) {
const pkix::DERArray& certArray, pkix::Time, const pkix::CertPolicyId&) {
mBuiltChain.Clear();
size_t numCerts = certArray.GetLength();
for (size_t i = 0; i < numCerts; ++i) {
nsTArray<uint8_t> certBytes;
const Input* certInput = certArray.GetDER(i);
const pkix::Input* certInput = certArray.GetDER(i);
MOZ_ASSERT(certInput != nullptr);
if (!certInput) {
return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
@ -397,7 +418,7 @@ mozilla::pkix::Result ClientAuthCertNonverifyingTrustDomain::IsChainValid(
mBuiltChain.AppendElement(std::move(certBytes));
}
return Success;
return pkix::Success;
}
void ClientAuthCertificateSelectedBase::SetSelectedClientAuthData(
@ -455,7 +476,7 @@ SelectClientAuthCertificate::Run() {
if (mSelectedCertBytes.Length() > 0) {
nsTArray<nsTArray<uint8_t>> selectedCertChainBytes;
if (BuildChainForCertificate(mSelectedCertBytes, selectedCertChainBytes) !=
Success) {
pkix::Success) {
selectedCertChainBytes.Clear();
}
mContinuation->SetSelectedClientAuthData(std::move(mSelectedCertBytes),
@ -480,17 +501,17 @@ mozilla::pkix::Result SelectClientAuthCertificate::BuildChainForCertificate(
nsTArray<uint8_t>& certBytes, nsTArray<nsTArray<uint8_t>>& certChainBytes) {
ClientAuthCertNonverifyingTrustDomain trustDomain(mCANames,
mEnterpriseCertificates);
Input certDER;
pkix::Input certDER;
mozilla::pkix::Result result =
certDER.Init(certBytes.Elements(), certBytes.Length());
if (result != Success) {
if (result != pkix::Success) {
return result;
}
// Client certificates shouldn't be CAs, but for interoperability reasons we
// attempt to build a path with each certificate as an end entity and then as
// a CA if that fails.
const EndEntityOrCA kEndEntityOrCAParams[] = {EndEntityOrCA::MustBeEndEntity,
EndEntityOrCA::MustBeCA};
const pkix::EndEntityOrCA kEndEntityOrCAParams[] = {
pkix::EndEntityOrCA::MustBeEndEntity, pkix::EndEntityOrCA::MustBeCA};
// mozilla::pkix rejects certificates with id-kp-OCSPSigning unless it is
// specifically required. A client certificate should never have this EKU.
// Unfortunately, there are some client certificates in private PKIs that
@ -498,17 +519,18 @@ mozilla::pkix::Result SelectClientAuthCertificate::BuildChainForCertificate(
// restriction in mozilla::pkix by first building the certificate chain with
// no particular EKU required and then again with id-kp-OCSPSigning required
// if that fails.
const KeyPurposeId kKeyPurposeIdParams[] = {KeyPurposeId::anyExtendedKeyUsage,
KeyPurposeId::id_kp_OCSPSigning};
const pkix::KeyPurposeId kKeyPurposeIdParams[] = {
pkix::KeyPurposeId::anyExtendedKeyUsage,
pkix::KeyPurposeId::id_kp_OCSPSigning};
for (const auto& endEntityOrCAParam : kEndEntityOrCAParams) {
for (const auto& keyPurposeIdParam : kKeyPurposeIdParams) {
mozilla::pkix::Result result =
BuildCertChain(trustDomain, certDER, Now(), endEntityOrCAParam,
KeyUsage::noParticularKeyUsageRequired,
keyPurposeIdParam, CertPolicyId::anyPolicy, nullptr);
if (result == Success) {
mozilla::pkix::Result result = BuildCertChain(
trustDomain, certDER, Now(), endEntityOrCAParam,
KeyUsage::noParticularKeyUsageRequired, keyPurposeIdParam,
pkix::CertPolicyId::anyPolicy, nullptr);
if (result == pkix::Success) {
certChainBytes = trustDomain.TakeBuiltChain();
return Success;
return pkix::Success;
}
}
}
@ -550,7 +572,7 @@ void SelectClientAuthCertificate::DoSelectClientAuthCertificate() {
certBytes.AppendElements(n->cert->derCert.data, n->cert->derCert.len);
mozilla::pkix::Result result =
BuildChainForCertificate(certBytes, unusedBuiltChain);
if (result != Success) {
if (result != pkix::Success) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
("removing cert '%s'", n->cert->subjectName));
CERTCertListNode* toRemove = n;

1
security/manager/ssl/TLSClientAuthCertSelection.h
View File

@ -10,6 +10,7 @@
#include "NSSSocketControl.h"
#include "nsIX509Cert.h"
#include "nsNSSIOLayer.h"
#include "nsThreadUtils.h"
#include "ssl.h"
// NSS callback to select a client authentication certificate. See documentation

3
security/manager/ssl/TransportSecurityInfo.cpp
View File

@ -20,9 +20,12 @@
#include "nsServiceManagerUtils.h"
#include "nsStringStream.h"
#include "nsXULAppAPI.h"
#include "nsIX509Cert.h"
#include "secerr.h"
#include "ssl.h"
#include "mozilla/ipc/IPDLParamTraits.h"
// nsITransportSecurityInfo should not be created via do_CreateInstance. This
// stub prevents that.
template <>

2
security/manager/ssl/VerifySSLServerCertChild.cpp
View File

@ -13,6 +13,8 @@
#include "nsNSSIOLayer.h"
#include "nsSerializationHelper.h"
#include "secerr.h"
extern mozilla::LazyLogModule gPIPNSSLog;
namespace mozilla {

2
security/manager/ssl/VerifySSLServerCertParent.cpp
View File

@ -11,8 +11,10 @@
#include "nsNSSComponent.h"
#include "secerr.h"
#include "SharedCertVerifier.h"
#include "NSSCertDBTrustDomain.h"
#include "SSLServerCertVerification.h"
#include "nsNSSIOLayer.h"
#include "nsISocketProvider.h"
#include "mozilla/ipc/BackgroundParent.h"
#include "mozilla/Unused.h"

2
security/manager/ssl/moz.build
View File

@ -276,5 +276,3 @@ for header, array_name, cert in headers_arrays_certs:
GeneratedFile(
header, script="gen_cert_header.py", entry_point=array_name, inputs=[cert]
)
REQUIRES_UNIFIED_BUILD = True

1
security/manager/ssl/nsCertOverrideService.cpp
View File

@ -16,6 +16,7 @@
#include "mozilla/TextUtils.h"
#include "mozilla/Tokenizer.h"
#include "mozilla/Unused.h"
#include "mozilla/dom/ToJSValue.h"
#include "nsAppDirectoryServiceDefs.h"
#include "nsCRT.h"
#include "nsILineInputStream.h"

9
security/manager/ssl/nsCertOverrideService.h
View File

@ -11,6 +11,7 @@
#include "mozilla/HashFunctions.h"
#include "mozilla/Mutex.h"
#include "mozilla/OriginAttributes.h"
#include "mozilla/TaskQueue.h"
#include "nsIAsyncShutdown.h"
#include "nsICertOverrideService.h"
@ -30,7 +31,7 @@ class nsCertOverride final : public nsICertOverride {
nsCString mAsciiHost;
int32_t mPort;
OriginAttributes mOriginAttributes;
mozilla::OriginAttributes mOriginAttributes;
bool mIsTemporary; // true: session only, false: stored on disk
nsCString mFingerprint;
nsCString mDBKey;
@ -105,7 +106,7 @@ class nsCertOverrideService final : public nsICertOverrideService,
// Concatenates host name, port number, and origin attributes.
static void GetKeyString(const nsACString& aHostName, int32_t aPort,
const OriginAttributes& aOriginAttributes,
const mozilla::OriginAttributes& aOriginAttributes,
nsACString& aRetval);
void AssertOnTaskQueue() const {
@ -128,14 +129,14 @@ class nsCertOverrideService final : public nsICertOverrideService,
nsresult Read(const mozilla::MutexAutoLock& aProofOfLock);
nsresult Write(const mozilla::MutexAutoLock& aProofOfLock);
nsresult AddEntryToList(const nsACString& host, int32_t port,
const OriginAttributes& aOriginAttributes,
const mozilla::OriginAttributes& aOriginAttributes,
nsIX509Cert* aCert, const bool aIsTemporary,
const nsACString& fingerprint,
const nsACString& dbKey,
const mozilla::MutexAutoLock& aProofOfLock);
already_AddRefed<nsCertOverride> GetOverrideFor(
const nsACString& aHostName, int32_t aPort,
const OriginAttributes& aOriginAttributes);
const mozilla::OriginAttributes& aOriginAttributes);
// Set in constructor only
RefPtr<mozilla::TaskQueue> mWriterTaskQueue;

1
security/manager/ssl/nsCertTree.cpp
View File

@ -17,6 +17,7 @@
#include "nsIX509CertValidity.h"
#include "nsNSSCertHelper.h"
#include "nsNSSCertificate.h"
#include "nsComponentManagerUtils.h"
#include "nsNSSCertificateDB.h"
#include "nsNSSHelper.h"
#include "nsReadableUtils.h"

3
security/manager/ssl/nsClientAuthRemember.cpp
View File

@ -10,6 +10,9 @@
#include "mozilla/DataStorage.h"
#include "mozilla/RefPtr.h"
#include "nsCRT.h"
#include "nsINSSComponent.h"
#include "nsPrintfCString.h"
#include "nsNSSComponent.h"
#include "nsNSSCertHelper.h"
#include "nsIObserverService.h"
#include "nsNetUtil.h"

4
security/manager/ssl/nsIClientAuthRememberService.idl
View File

@ -6,7 +6,9 @@
#include "nsISupports.idl"
%{C++
%{ C++
#include "mozilla/OriginAttributes.h"
#define NS_CLIENTAUTHREMEMBERSERVICE_CONTRACTID "@mozilla.org/security/clientAuthRememberService;1"
%}

1
security/manager/ssl/nsNSSCertificate.cpp
View File

@ -19,6 +19,7 @@
#include "mozilla/TextUtils.h"
#include "mozilla/Unused.h"
#include "mozilla/ipc/TransportSecurityInfoUtils.h"
#include "mozilla/ipc/IPDLParamTraits.h"
#include "mozilla/net/DNS.h"
#include "mozpkix/Result.h"
#include "mozpkix/pkixnss.h"

2
security/manager/ssl/nsNSSCertificateDB.cpp
View File

@ -1218,8 +1218,6 @@ nsNSSCertificateDB::AsyncHasThirdPartyRoots(nsIAsyncBoolCallback* aCallback) {
}));
}),
NS_DISPATCH_EVENT_MAY_BLOCK);
return NS_OK;
}
nsresult VerifyCertAtTime(nsIX509Cert* aCert,

1
security/manager/ssl/nsNSSIOLayer.cpp
View File

@ -60,6 +60,7 @@
#include "sslexp.h"
#include "sslproto.h"
using namespace mozilla;
using namespace mozilla::psm;
using namespace mozilla::ipc;

13
security/manager/ssl/nsNTLMAuthModule.cpp
View File

@ -626,8 +626,9 @@ static nsresult GenerateType3Msg(const nsString& domain,
NTLM_Hash(password, ntlmHash);
HMAC ntlmv2HashHmac;
rv = ntlmv2HashHmac.Begin(SEC_OID_MD5, Span(ntlmHash, NTLM_HASH_LEN));
mozilla::HMAC ntlmv2HashHmac;
rv = ntlmv2HashHmac.Begin(SEC_OID_MD5,
mozilla::Span(ntlmHash, NTLM_HASH_LEN));
if (NS_FAILED(rv)) {
return rv;
}
@ -650,8 +651,8 @@ static nsresult GenerateType3Msg(const nsString& domain,
uint8_t client_random[NTLM_CHAL_LEN];
PK11_GenerateRandom(client_random, NTLM_CHAL_LEN);
HMAC lmv2ResponseHmac;
rv = lmv2ResponseHmac.Begin(SEC_OID_MD5, Span(ntlmv2Hash));
mozilla::HMAC lmv2ResponseHmac;
rv = lmv2ResponseHmac.Begin(SEC_OID_MD5, mozilla::Span(ntlmv2Hash));
if (NS_FAILED(rv)) {
return rv;
}
@ -688,8 +689,8 @@ static nsresult GenerateType3Msg(const nsString& domain,
mozilla::LittleEndian::writeUint64(&ntlmv2_blob1[8], nt_time);
PK11_GenerateRandom(&ntlmv2_blob1[16], NTLM_CHAL_LEN);
HMAC ntlmv2ResponseHmac;
rv = ntlmv2ResponseHmac.Begin(SEC_OID_MD5, Span(ntlmv2Hash));
mozilla::HMAC ntlmv2ResponseHmac;
rv = ntlmv2ResponseHmac.Begin(SEC_OID_MD5, mozilla::Span(ntlmv2Hash));
if (NS_FAILED(rv)) {
return rv;
}

1
security/manager/ssl/nsPK11TokenDB.cpp
View File

@ -10,6 +10,7 @@
#include "ScopedNSSTypes.h"
#include "mozilla/Casting.h"
#include "mozilla/Unused.h"
#include "mozilla/Logging.h"
#include "nsISupports.h"
#include "nsNSSCertHelper.h"
#include "nsNSSComponent.h"

1
security/manager/ssl/nsPKCS11Slot.cpp
View File

@ -16,6 +16,7 @@
#include "nsNSSComponent.h"
#include "nsPK11TokenDB.h"
#include "nsPromiseFlatString.h"
#include "nsComponentManagerUtils.h"
#include "secmod.h"
using mozilla::LogLevel;

1
security/manager/ssl/nsPKCS12Blob.cpp
View File

@ -6,6 +6,7 @@
#include "mozilla/Assertions.h"
#include "mozilla/Casting.h"
#include "mozilla/Logging.h"
#include "mozilla/Preferences.h"
#include "mozilla/Unused.h"
#include "mozpkix/pkixtypes.h"

2
security/manager/ssl/nsSiteSecurityService.cpp
View File

@ -206,8 +206,6 @@ SiteHSTSState::GetOriginAttributes(
return NS_OK;
}
const uint64_t kSixtyDaysInSeconds = 60 * 24 * 60 * 60;
nsSiteSecurityService::nsSiteSecurityService()
: mUsePreloadList(true), mPreloadListTimeOffset(0), mDafsa(kDafsa) {}

2
security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp
View File

@ -686,8 +686,6 @@ int StartServer(int argc, char* argv[], SSLSNISocketConfig sniSocketConfig,
PR_Accept(serverSocket.get(), &clientAddr, PR_INTERVAL_NO_TIMEOUT);
HandleConnection(clientSocket, modelSocket);
}
return 0;
}
} // namespace test

2
security/manager/ssl/tests/unit/tlsserver/lib/moz.build
View File

@ -46,5 +46,3 @@ if not CONFIG["MOZ_SYSTEM_NSS"]:
USE_LIBS += ["nssutil3"]
Library("tlsserver")
REQUIRES_UNIFIED_BUILD = True

2
security/sandbox/linux/broker/moz.build
View File

@ -35,5 +35,3 @@ if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk":
CXXFLAGS += CONFIG["MOZ_GTK3_CFLAGS"]
FINAL_LIBRARY = "xul"
REQUIRES_UNIFIED_BUILD = True

2
security/sandbox/linux/glue/moz.build
View File

@ -33,5 +33,3 @@ USE_LIBS += [
]
FINAL_LIBRARY = "xul"
REQUIRES_UNIFIED_BUILD = True

2
security/sandbox/linux/moz.build
View File

@ -144,5 +144,3 @@ DIRS += [
TEST_DIRS += [
"gtest",
]
REQUIRES_UNIFIED_BUILD = True

2
security/sandbox/linux/reporter/moz.build
View File

@ -32,5 +32,3 @@ LOCAL_INCLUDES += [
]
FINAL_LIBRARY = "xul"
REQUIRES_UNIFIED_BUILD = True