Bug 1360307 - Improves the arguments to mozilla::psm::InitializeNSS r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D39011

--HG--
extra : moz-landing-system : lando
Moritz Birghan 2019-08-02 17:51:22 +00:00
parent a2b73b8abc
commit 978fb0351d
3 changed files with 31 additions and 14 deletions


@ -1281,8 +1281,8 @@ void NSSCertDBTrustDomain::NoteAuxiliaryExtension(AuxiliaryExtension extension,
} }
} }
SECStatus InitializeNSS(const nsACString& dir, bool readOnly, SECStatus InitializeNSS(const nsACString& dir, NSSDBConfig nssDbConfig,
bool loadPKCS11Modules) { PKCS11DBConfig pkcs11DbConfig) {
MOZ_ASSERT(NS_IsMainThread()); MOZ_ASSERT(NS_IsMainThread());
// The NSS_INIT_NOROOTINIT flag turns off the loading of the root certs // The NSS_INIT_NOROOTINIT flag turns off the loading of the root certs
@ -1291,24 +1291,24 @@ SECStatus InitializeNSS(const nsACString& dir, bool readOnly,
// Ubuntu 8.04, which loads any nonexistent "<configdir>/libnssckbi.so" as // Ubuntu 8.04, which loads any nonexistent "<configdir>/libnssckbi.so" as
// "/usr/lib/nss/libnssckbi.so". // "/usr/lib/nss/libnssckbi.so".
uint32_t flags = NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE; uint32_t flags = NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE;
if (readOnly) { if (nssDbConfig == NSSDBConfig::ReadOnly) {
flags |= NSS_INIT_READONLY; flags |= NSS_INIT_READONLY;
} }
if (!loadPKCS11Modules) { if (pkcs11DbConfig == PKCS11DBConfig::DoNotLoadModules) {
flags |= NSS_INIT_NOMODDB; flags |= NSS_INIT_NOMODDB;
} }
nsAutoCString dbTypeAndDirectory("sql:"); nsAutoCString dbTypeAndDirectory("sql:");
dbTypeAndDirectory.Append(dir); dbTypeAndDirectory.Append(dir);
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("InitializeNSS(%s, %d, %d)", dbTypeAndDirectory.get(), readOnly, ("InitializeNSS(%s, %d, %d)", dbTypeAndDirectory.get(),
loadPKCS11Modules)); (int)nssDbConfig, (int)pkcs11DbConfig));
SECStatus srv = SECStatus srv =
NSS_Initialize(dbTypeAndDirectory.get(), "", "", SECMOD_DB, flags); NSS_Initialize(dbTypeAndDirectory.get(), "", "", SECMOD_DB, flags);
if (srv != SECSuccess) { if (srv != SECSuccess) {
return srv; return srv;
} }
if (!readOnly) { if (nssDbConfig == NSSDBConfig::ReadWrite) {
UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
if (!slot) { if (!slot) {
return SECFailure; return SECFailure;
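Review bot: The two tests on `nssDbConfig` in InitializeNSS are no longer written as complements. `NSS_INIT_READONLY` is set on `== NSSDBConfig::ReadOnly`, but the internal-key-slot block is entered on `== NSSDBConfig::ReadWrite`, so a value that matches neither enumerator (or a third one added later) would open the database writable and skip that block. Writing the second test as `if (nssDbConfig != NSSDBConfig::ReadOnly) {` keeps the pairing the old `!readOnly` had. The log call would also be clearer with `static_cast<int>(nssDbConfig)` and `static_cast<int>(pkcs11DbConfig)` instead of the C-style casts. The function body continues past the end of this hunk.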


@ -28,6 +28,16 @@ enum class ValidityCheckingMode {
CheckForEV = 1, CheckForEV = 1,
}; };
enum class NSSDBConfig {
ReadWrite = 0,
ReadOnly = 1,
};
enum class PKCS11DBConfig {
DoNotLoadModules = 0,
LoadModules = 1,
};
// Policy options for matching id-Netscape-stepUp with id-kp-serverAuth (for CA // Policy options for matching id-Netscape-stepUp with id-kp-serverAuth (for CA
// certificates only): // certificates only):
// * Always match: the step-up OID is considered equivalent to serverAuth // * Always match: the step-up OID is considered equivalent to serverAuth
@ -42,8 +52,8 @@ enum class NetscapeStepUpPolicy : uint32_t {
NeverMatch = 3, NeverMatch = 3,
}; };
SECStatus InitializeNSS(const nsACString& dir, bool readOnly, SECStatus InitializeNSS(const nsACString& dir, NSSDBConfig nssDbConfig,
bool loadPKCS11Modules); PKCS11DBConfig pkcs11DbConfig);
void DisableMD5(); void DisableMD5();
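Review bot: The two new enums carry no comment and no explicit underlying type, unlike `NetscapeStepUpPolicy : uint32_t` in the same header. A caller reading only this file cannot tell which NSS flag each enumerator controls, and both choices change what InitializeNSS is allowed to write or load. I would add `// Whether NSS opens the database under dir read-only (ReadOnly sets NSS_INIT_READONLY).` above `NSSDBConfig` and `// Whether NSS loads the PKCS#11 module database (DoNotLoadModules sets NSS_INIT_NOMODDB).` above `PKCS11DBConfig`. Since the values are cast to `int` for logging, a fixed underlying type such as `enum class NSSDBConfig : uint32_t` would also match the neighbouring declaration.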


@ -1571,7 +1571,10 @@ static nsresult InitializeNSSWithFallbacks(const nsACString& profilePath,
#ifndef ANDROID #ifndef ANDROID
PRErrorCode savedPRErrorCode1; PRErrorCode savedPRErrorCode1;
#endif // ifndef ANDROID #endif // ifndef ANDROID
SECStatus srv = ::mozilla::psm::InitializeNSS(profilePath, false, !safeMode); PKCS11DBConfig safeModeDBConfig =
safeMode ? PKCS11DBConfig::DoNotLoadModules : PKCS11DBConfig::LoadModules;
SECStatus srv = ::mozilla::psm::InitializeNSS(
profilePath, NSSDBConfig::ReadWrite, safeModeDBConfig);
if (srv == SECSuccess) { if (srv == SECSuccess) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized NSS in r/w mode")); MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized NSS in r/w mode"));
#ifndef ANDROID #ifndef ANDROID
@ -1584,7 +1587,8 @@ static nsresult InitializeNSSWithFallbacks(const nsACString& profilePath,
PRErrorCode savedPRErrorCode2; PRErrorCode savedPRErrorCode2;
#endif // ifndef ANDROID #endif // ifndef ANDROID
// That failed. Try read-only mode. // That failed. Try read-only mode.
srv = ::mozilla::psm::InitializeNSS(profilePath, true, !safeMode); srv = ::mozilla::psm::InitializeNSS(profilePath, NSSDBConfig::ReadOnly,
safeModeDBConfig);
if (srv == SECSuccess) { if (srv == SECSuccess) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized NSS in r-o mode")); MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized NSS in r-o mode"));
return NS_OK; return NS_OK;
@ -1611,7 +1615,8 @@ static nsresult InitializeNSSWithFallbacks(const nsACString& profilePath,
// problem, but for some reason the combination of read-only and no-moddb // problem, but for some reason the combination of read-only and no-moddb
// flags causes NSS initialization to fail, so unfortunately we have to use // flags causes NSS initialization to fail, so unfortunately we have to use
// read-write mode. // read-write mode.
srv = ::mozilla::psm::InitializeNSS(profilePath, false, false); srv = ::mozilla::psm::InitializeNSS(profilePath, NSSDBConfig::ReadWrite,
PKCS11DBConfig::DoNotLoadModules);
if (srv == SECSuccess) { if (srv == SECSuccess) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("FIPS may be the problem")); MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("FIPS may be the problem"));
// Unload NSS so we can attempt to fix this situation for the user. // Unload NSS so we can attempt to fix this situation for the user.
@ -1637,12 +1642,14 @@ static nsresult InitializeNSSWithFallbacks(const nsACString& profilePath,
# endif # endif
return rv; return rv;
} }
srv = ::mozilla::psm::InitializeNSS(profilePath, false, true); srv = ::mozilla::psm::InitializeNSS(profilePath, NSSDBConfig::ReadWrite,
PKCS11DBConfig::LoadModules);
if (srv == SECSuccess) { if (srv == SECSuccess) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized in r/w mode")); MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized in r/w mode"));
return NS_OK; return NS_OK;
} }
srv = ::mozilla::psm::InitializeNSS(profilePath, true, true); srv = ::mozilla::psm::InitializeNSS(profilePath, NSSDBConfig::ReadOnly,
PKCS11DBConfig::LoadModules);
if (srv == SECSuccess) { if (srv == SECSuccess) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized in r-o mode")); MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized in r-o mode"));
return NS_OK; return NS_OK;
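Review bot: The last two fallback calls pass `PKCS11DBConfig::LoadModules` unconditionally, while the first two calls pass `safeModeDBConfig`, which is `DoNotLoadModules` when `safeMode` is set. The code between the hunks is not shown, so this path may already be unreachable in safe mode; if it is reachable, these calls would load PKCS#11 modules in a mode where the earlier attempts deliberately did not. Passing `safeModeDBConfig` here, or adding a comment above the two calls stating why `safeMode` is not consulted, would make the intent explicit. The local would also be clearer as `const PKCS11DBConfig pkcs11DbConfig = ...`, matching the parameter name it is passed to. InitializeNSSWithFallbacks starts and ends outside these hunks.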