mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-27 06:43:32 +00:00
Backed out changeset 50650e0f0edf (bug 1085509) for causing perma failure in win7 xperf
parent
b4bfea0bd6
commit
98dda84064
@ -6,23 +6,29 @@
|
||||
|
||||
#include "nsCertOverrideService.h"
|
||||
|
||||
#include "pkix/pkixtypes.h"
|
||||
#include "nsIX509Cert.h"
|
||||
#include "NSSCertDBTrustDomain.h"
|
||||
#include "ScopedNSSTypes.h"
|
||||
#include "SharedSSLState.h"
|
||||
#include "nsAppDirectoryServiceDefs.h"
|
||||
#include "nsNSSCertificate.h"
|
||||
#include "nsNSSCertHelper.h"
|
||||
#include "nsCRT.h"
|
||||
#include "nsAppDirectoryServiceDefs.h"
|
||||
#include "nsStreamUtils.h"
|
||||
#include "nsNetUtil.h"
|
||||
#include "nsILineInputStream.h"
|
||||
#include "nsIObserver.h"
|
||||
#include "nsIObserverService.h"
|
||||
#include "nsIX509Cert.h"
|
||||
#include "nsNSSCertHelper.h"
|
||||
#include "nsNSSCertificate.h"
|
||||
#include "nsNSSComponent.h"
|
||||
#include "nsNetUtil.h"
|
||||
#include "nsISupportsPrimitives.h"
|
||||
#include "nsPromiseFlatString.h"
|
||||
#include "nsStreamUtils.h"
|
||||
#include "nsStringBuffer.h"
|
||||
#include "nsThreadUtils.h"
|
||||
#include "nsStringBuffer.h"
|
||||
#include "ScopedNSSTypes.h"
|
||||
#include "SharedSSLState.h"
|
||||
|
||||
#include "nspr.h"
|
||||
#include "pk11pub.h"
|
||||
#include "certdb.h"
|
||||
#include "sechash.h"
|
||||
#include "ssl.h" // For SSL_ClearSessionCache
|
||||
|
||||
using namespace mozilla;
|
||||
@ -100,11 +106,18 @@ nsCertOverrideService::Init()
|
||||
return NS_ERROR_NOT_SAME_THREAD;
|
||||
}
|
||||
|
||||
// Note that the names of these variables would seem to indicate that at one
|
||||
// point another hash algorithm was used and is still supported for backwards
|
||||
// compatibility. This is not the case. It has always been SHA256.
|
||||
mOidTagForStoringNewHashes = SEC_OID_SHA256;
|
||||
mDottedOidForStoringNewHashes.Assign("OID.2.16.840.1.101.3.4.2.1");
|
||||
|
||||
SECOidData *od = SECOID_FindOIDByTag(mOidTagForStoringNewHashes);
|
||||
if (!od)
|
||||
return NS_ERROR_FAILURE;
|
||||
|
||||
char *dotted_oid = CERT_GetOidString(&od->oid);
|
||||
if (!dotted_oid)
|
||||
return NS_ERROR_FAILURE;
|
||||
|
||||
mDottedOidForStoringNewHashes = dotted_oid;
|
||||
PR_smprintf_free(dotted_oid);
|
||||
|
||||
nsCOMPtr<nsIObserverService> observerService =
|
||||
mozilla::services::GetObserverService();
|
||||
@ -385,6 +398,42 @@ GetCertFingerprintByOidTag(nsIX509Cert *aCert,
|
||||
return GetCertFingerprintByOidTag(nsscert.get(), aOidTag, fp);
|
||||
}
|
||||
|
||||
static nsresult
|
||||
GetCertFingerprintByDottedOidString(CERTCertificate* nsscert,
|
||||
const nsCString &dottedOid,
|
||||
nsCString &fp)
|
||||
{
|
||||
SECItem oid;
|
||||
oid.data = nullptr;
|
||||
oid.len = 0;
|
||||
SECStatus srv = SEC_StringToOID(nullptr, &oid,
|
||||
dottedOid.get(), dottedOid.Length());
|
||||
if (srv != SECSuccess)
|
||||
return NS_ERROR_FAILURE;
|
||||
|
||||
SECOidTag oid_tag = SECOID_FindOIDTag(&oid);
|
||||
SECITEM_FreeItem(&oid, false);
|
||||
|
||||
if (oid_tag == SEC_OID_UNKNOWN)
|
||||
return NS_ERROR_FAILURE;
|
||||
|
||||
return GetCertFingerprintByOidTag(nsscert, oid_tag, fp);
|
||||
}
|
||||
|
||||
static nsresult
|
||||
GetCertFingerprintByDottedOidString(nsIX509Cert *aCert,
|
||||
const nsCString &dottedOid,
|
||||
nsCString &fp)
|
||||
{
|
||||
|
||||
ScopedCERTCertificate nsscert(aCert->GetCert());
|
||||
if (!nsscert) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
return GetCertFingerprintByDottedOidString(nsscert.get(), dottedOid, fp);
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
nsCertOverrideService::RememberValidityOverride(const nsACString& aHostName,
|
||||
int32_t aPort,
|
||||
@ -497,17 +546,14 @@ nsCertOverrideService::HasMatchingOverride(const nsACString & aHostName, int32_t
|
||||
nsAutoCString fpStr;
|
||||
nsresult rv;
|
||||
|
||||
// This code was originally written in a way that suggested that other hash
|
||||
// algorithms are supported for backwards compatibility. However, this was
|
||||
// always unnecessary, because only SHA256 has ever been used here.
|
||||
if (settings.mFingerprintAlgOID.Equals(mDottedOidForStoringNewHashes)) {
|
||||
rv = GetCertFingerprintByOidTag(aCert, mOidTagForStoringNewHashes, fpStr);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
} else {
|
||||
return NS_ERROR_UNEXPECTED;
|
||||
}
|
||||
else {
|
||||
rv = GetCertFingerprintByDottedOidString(aCert, settings.mFingerprintAlgOID, fpStr);
|
||||
}
|
||||
if (NS_FAILED(rv))
|
||||
return rv;
|
||||
|
||||
*_retval = settings.mFingerprint.Equals(fpStr);
|
||||
return NS_OK;
|
||||
@ -603,13 +649,7 @@ nsCertOverrideService::ClearValidityOverride(const nsACString & aHostName, int32
|
||||
mSettingsTable.RemoveEntry(hostPort.get());
|
||||
Write();
|
||||
}
|
||||
|
||||
if (EnsureNSSInitialized(nssEnsure)) {
|
||||
SSL_ClearSessionCache();
|
||||
} else {
|
||||
return NS_ERROR_NOT_AVAILABLE;
|
||||
}
|
||||
|
||||
SSL_ClearSessionCache();
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
@ -698,11 +738,15 @@ FindMatchingCertCallback(nsCertOverrideEntry *aEntry,
|
||||
|
||||
if (still_ok && matchesDBKey(cai->cert, settings.mDBKey.get())) {
|
||||
nsAutoCString cert_fingerprint;
|
||||
nsresult rv = NS_ERROR_UNEXPECTED;
|
||||
nsresult rv;
|
||||
if (settings.mFingerprintAlgOID.Equals(cai->mDottedOidForStoringNewHashes)) {
|
||||
rv = GetCertFingerprintByOidTag(cai->cert,
|
||||
cai->mOidTagForStoringNewHashes, cert_fingerprint);
|
||||
}
|
||||
else {
|
||||
rv = GetCertFingerprintByDottedOidString(cai->cert,
|
||||
settings.mFingerprintAlgOID, cert_fingerprint);
|
||||
}
|
||||
if (NS_SUCCEEDED(rv) &&
|
||||
settings.mFingerprint.Equals(cert_fingerprint)) {
|
||||
cai->counter++;
|
||||
@ -764,11 +808,15 @@ EnumerateCertOverridesCallback(nsCertOverrideEntry *aEntry,
|
||||
else {
|
||||
if (matchesDBKey(capac->cert, settings.mDBKey.get())) {
|
||||
nsAutoCString cert_fingerprint;
|
||||
nsresult rv = NS_ERROR_UNEXPECTED;
|
||||
nsresult rv;
|
||||
if (settings.mFingerprintAlgOID.Equals(capac->mDottedOidForStoringNewHashes)) {
|
||||
rv = GetCertFingerprintByOidTag(capac->cert,
|
||||
capac->mOidTagForStoringNewHashes, cert_fingerprint);
|
||||
}
|
||||
else {
|
||||
rv = GetCertFingerprintByDottedOidString(capac->cert,
|
||||
settings.mFingerprintAlgOID, cert_fingerprint);
|
||||
}
|
||||
if (NS_SUCCEEDED(rv) &&
|
||||
settings.mFingerprint.Equals(cert_fingerprint)) {
|
||||
(*capac->enumerator)(settings, capac->userdata);
|
||||
@ -812,3 +860,4 @@ nsCertOverrideService::GetHostWithPort(const nsACString & aHostName, int32_t aPo
|
||||
}
|
||||
_retval.Assign(hostPort);
|
||||
}
|
||||
|
||||
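Review bot: The restored `else` branch in `HasMatchingOverride`, and the matching branches in `FindMatchingCertCallback` and `EnumerateCertOverridesCallback`, take the hash algorithm from `settings.mFingerprintAlgOID`, so a stored override entry chooses how its own fingerprint is checked. `GetCertFingerprintByDottedOidString` rejects only `SEC_OID_UNKNOWN` and hands every other recognised tag to `GetCertFingerprintByOidTag`, whose body is outside this page, so digests weaker than SHA-256 are presumably accepted. The comment removed by this backout says only SHA-256 was ever stored, so consider a guard after the lookup, `if (oid_tag != SEC_OID_SHA256) return NS_ERROR_FAILURE;`, or a comment saying why other algorithms must stay accepted. The `+`/`-` markers are lost on this page, so which lines are restored is read from the hunk counts and the backout description.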
|
@ -199,6 +199,7 @@ NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsStreamCipher)
|
||||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsKeyObject)
|
||||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsKeyObjectFactory)
|
||||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsDataSignatureVerifier)
|
||||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nssEnsure, nsCertOverrideService, Init)
|
||||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsRandomGenerator)
|
||||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsureOnChromeOnly, nsSSLStatus)
|
||||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsureOnChromeOnly, TransportSecurityInfo)
|
||||
@ -206,7 +207,6 @@ NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsureOnChromeOnly, TransportSecurityInfo)
|
||||
typedef mozilla::psm::NSSErrorsService NSSErrorsService;
|
||||
NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(NSSErrorsService, Init)
|
||||
NS_GENERIC_FACTORY_CONSTRUCTOR(nsNSSVersion)
|
||||
NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nsCertOverrideService, Init)
|
||||
|
||||
NS_DEFINE_NAMED_CID(NS_NSSCOMPONENT_CID);
|
||||
NS_DEFINE_NAMED_CID(NS_SSLSOCKETPROVIDER_CID);
|
||||
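Review bot: Nothing at the `NS_NSS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nssEnsure, nsCertOverrideService, Init)` line records that the service depends on this variant of the macro, even though `ClearValidityOverride` on the new side calls `SSL_ClearSessionCache()` with no initialisation check of its own. A comment beside the constructor line would keep the two sites from drifting apart, for example `// nssEnsure: nsCertOverrideService calls NSS (SSL_ClearSessionCache, SECOID_*) without checking initialisation itself`. What `nssEnsure` guarantees is inferred from the macro name, as its definition is outside this section.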
|