Backed out changeset 50650e0f0edf (bug 1085509) for causing perma failure in win7 xperf

This commit is contained in:
Carsten "Tomcat" Book 2014-10-28 14:10:38 +01:00
parent b4bfea0bd6
commit 98dda84064
2 changed files with 81 additions and 32 deletions

View File

@ -6,23 +6,29 @@
#include "nsCertOverrideService.h"
#include "pkix/pkixtypes.h"
#include "nsIX509Cert.h"
#include "NSSCertDBTrustDomain.h"
#include "ScopedNSSTypes.h"
#include "SharedSSLState.h"
#include "nsAppDirectoryServiceDefs.h"
#include "nsNSSCertificate.h"
#include "nsNSSCertHelper.h"
#include "nsCRT.h"
#include "nsAppDirectoryServiceDefs.h"
#include "nsStreamUtils.h"
#include "nsNetUtil.h"
#include "nsILineInputStream.h"
#include "nsIObserver.h"
#include "nsIObserverService.h"
#include "nsIX509Cert.h"
#include "nsNSSCertHelper.h"
#include "nsNSSCertificate.h"
#include "nsNSSComponent.h"
#include "nsNetUtil.h"
#include "nsISupportsPrimitives.h"
#include "nsPromiseFlatString.h"
#include "nsStreamUtils.h"
#include "nsStringBuffer.h"
#include "nsThreadUtils.h"
#include "nsStringBuffer.h"
#include "ScopedNSSTypes.h"
#include "SharedSSLState.h"
#include "nspr.h"
#include "pk11pub.h"
#include "certdb.h"
#include "sechash.h"
#include "ssl.h" // For SSL_ClearSessionCache
using namespace mozilla;
@ -100,11 +106,18 @@ nsCertOverrideService::Init()
return NS_ERROR_NOT_SAME_THREAD;
}
// Note that the names of these variables would seem to indicate that at one
// point another hash algorithm was used and is still supported for backwards
// compatibility. This is not the case. It has always been SHA256.
mOidTagForStoringNewHashes = SEC_OID_SHA256;
mDottedOidForStoringNewHashes.Assign("OID.2.16.840.1.101.3.4.2.1");
SECOidData *od = SECOID_FindOIDByTag(mOidTagForStoringNewHashes);
if (!od)
return NS_ERROR_FAILURE;
char *dotted_oid = CERT_GetOidString(&od->oid);
if (!dotted_oid)
return NS_ERROR_FAILURE;
mDottedOidForStoringNewHashes = dotted_oid;
PR_smprintf_free(dotted_oid);
nsCOMPtr<nsIObserverService> observerService =
mozilla::services::GetObserverService();
@ -385,6 +398,42 @@ GetCertFingerprintByOidTag(nsIX509Cert *aCert,
return GetCertFingerprintByOidTag(nsscert.get(), aOidTag, fp);
}
static nsresult
GetCertFingerprintByDottedOidString(CERTCertificate* nsscert,
const nsCString &dottedOid,
nsCString &fp)
{
SECItem oid;
oid.data = nullptr;
oid.len = 0;
SECStatus srv = SEC_StringToOID(nullptr, &oid,
dottedOid.get(), dottedOid.Length());
if (srv != SECSuccess)
return NS_ERROR_FAILURE;
SECOidTag oid_tag = SECOID_FindOIDTag(&oid);
SECITEM_FreeItem(&oid, false);
if (oid_tag == SEC_OID_UNKNOWN)
return NS_ERROR_FAILURE;
return GetCertFingerprintByOidTag(nsscert, oid_tag, fp);
}
static nsresult
GetCertFingerprintByDottedOidString(nsIX509Cert *aCert,
const nsCString &dottedOid,
nsCString &fp)
{
ScopedCERTCertificate nsscert(aCert->GetCert());
if (!nsscert) {
return NS_ERROR_FAILURE;
}
return GetCertFingerprintByDottedOidString(nsscert.get(), dottedOid, fp);
}
NS_IMETHODIMP
nsCertOverrideService::RememberValidityOverride(const nsACString& aHostName,
int32_t aPort,
@ -497,17 +546,14 @@ nsCertOverrideService::HasMatchingOverride(const nsACString & aHostName, int32_t
nsAutoCString fpStr;
nsresult rv;
// This code was originally written in a way that suggested that other hash
// algorithms are supported for backwards compatibility. However, this was
// always unnecessary, because only SHA256 has ever been used here.
if (settings.mFingerprintAlgOID.Equals(mDottedOidForStoringNewHashes)) {
rv = GetCertFingerprintByOidTag(aCert, mOidTagForStoringNewHashes, fpStr);
if (NS_FAILED(rv)) {
return rv;
}
} else {
return NS_ERROR_UNEXPECTED;
}
else {
rv = GetCertFingerprintByDottedOidString(aCert, settings.mFingerprintAlgOID, fpStr);
}
if (NS_FAILED(rv))
return rv;
*_retval = settings.mFingerprint.Equals(fpStr);
return NS_OK;
@ -603,13 +649,7 @@ nsCertOverrideService::ClearValidityOverride(const nsACString & aHostName, int32
mSettingsTable.RemoveEntry(hostPort.get());
Write();
}
if (EnsureNSSInitialized(nssEnsure)) {
SSL_ClearSessionCache();
} else {
return NS_ERROR_NOT_AVAILABLE;
}
SSL_ClearSessionCache();
return NS_OK;
}
@ -698,11 +738,15 @@ FindMatchingCertCallback(nsCertOverrideEntry *aEntry,
if (still_ok && matchesDBKey(cai->cert, settings.mDBKey.get())) {
nsAutoCString cert_fingerprint;
nsresult rv = NS_ERROR_UNEXPECTED;
nsresult rv;
if (settings.mFingerprintAlgOID.Equals(cai->mDottedOidForStoringNewHashes)) {
rv = GetCertFingerprintByOidTag(cai->cert,
cai->mOidTagForStoringNewHashes, cert_fingerprint);
}
else {
rv = GetCertFingerprintByDottedOidString(cai->cert,
settings.mFingerprintAlgOID, cert_fingerprint);
}
if (NS_SUCCEEDED(rv) &&
settings.mFingerprint.Equals(cert_fingerprint)) {
cai->counter++;
@ -764,11 +808,15 @@ EnumerateCertOverridesCallback(nsCertOverrideEntry *aEntry,
else {
if (matchesDBKey(capac->cert, settings.mDBKey.get())) {
nsAutoCString cert_fingerprint;
nsresult rv = NS_ERROR_UNEXPECTED;
nsresult rv;
if (settings.mFingerprintAlgOID.Equals(capac->mDottedOidForStoringNewHashes)) {
rv = GetCertFingerprintByOidTag(capac->cert,
capac->mOidTagForStoringNewHashes, cert_fingerprint);
}
else {
rv = GetCertFingerprintByDottedOidString(capac->cert,
settings.mFingerprintAlgOID, cert_fingerprint);
}
if (NS_SUCCEEDED(rv) &&
settings.mFingerprint.Equals(cert_fingerprint)) {
(*capac->enumerator)(settings, capac->userdata);
@ -812,3 +860,4 @@ nsCertOverrideService::GetHostWithPort(const nsACString & aHostName, int32_t aPo
}
_retval.Assign(hostPort);
}

View File

@ -199,6 +199,7 @@ NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsStreamCipher)
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsKeyObject)
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsKeyObjectFactory)
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsDataSignatureVerifier)
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nssEnsure, nsCertOverrideService, Init)
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsRandomGenerator)
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsureOnChromeOnly, nsSSLStatus)
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsureOnChromeOnly, TransportSecurityInfo)
@ -206,7 +207,6 @@ NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsureOnChromeOnly, TransportSecurityInfo)
typedef mozilla::psm::NSSErrorsService NSSErrorsService;
NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(NSSErrorsService, Init)
NS_GENERIC_FACTORY_CONSTRUCTOR(nsNSSVersion)
NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nsCertOverrideService, Init)
NS_DEFINE_NAMED_CID(NS_NSSCOMPONENT_CID);
NS_DEFINE_NAMED_CID(NS_SSLSOCKETPROVIDER_CID);