Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-26 19:55:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
ba6b32f6d5
gecko-dev/security/certverifier/moz.build
David Keeler 6ea4fb08d4 bug 1456489 - prevent making OCSP requests on the main thread r=fkiefer,jcj 
OCSP requests cannot be performed on the main thread. If we were to wait for a
response from the network, we would be blocking the main thread for an
unnaceptably long time. If we were to spin the event loop while waiting (which
is what we do currently), other parts of the code that assume this will never
happen (which is essentially all of them) can break.

As of bug 867473, no certificate verification happens on the main thread, so no
OCSP requests happen on the main thread. Given this, we can go ahead and
prohibit such requests.

Incidentally, this gives us an opportunity to improve the current OCSP
implementation, which has a few drawbacks (the largest of which is that it's
unclear that its ownership model is implemented correctly).

This also removes OCSP GET support. Due to recent OCSP server implementations
(namely, the ability to cache OCSP POST request responses), OCSP GET is not a
compelling technology to pursue. Furthermore, continued support presents a
maintenance burden.

MozReview-Commit-ID: 4ACDY09nCBA

--HG--
extra : rebase_source : 072564adf1836720e147b8250afca7cebe4dbf62
2018-04-23 18:09:35 +02:00

140 lines
4.8 KiB
Python
Raw Blame History

# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
with Files("**"):
BUG_COMPONENT = ("Core", "Security: PSM")
EXPORTS += [
'BRNameMatchingPolicy.h',
'BTInclusionProof.h',
'BTVerifier.h',
'Buffer.h',
'CertVerifier.h',
'CTLog.h',
'CTPolicyEnforcer.h',
'CTVerifyResult.h',
'OCSPCache.h',
'SignedCertificateTimestamp.h',
'SignedTreeHead.h',
]
UNIFIED_SOURCES += [
'BRNameMatchingPolicy.cpp',
'BTVerifier.cpp',
'Buffer.cpp',
'CertVerifier.cpp',
'CTDiversityPolicy.cpp',
'CTLogVerifier.cpp',
'CTObjectsExtractor.cpp',
'CTPolicyEnforcer.cpp',
'CTSerialization.cpp',
'CTVerifyResult.cpp',
'MultiLogCTVerifier.cpp',
'NSSCertDBTrustDomain.cpp',
'OCSPCache.cpp',
'OCSPVerificationTrustDomain.cpp',
'SignedCertificateTimestamp.cpp',
]
if not CONFIG['NSS_NO_EV_CERTS']:
UNIFIED_SOURCES += [
'ExtendedValidation.cpp',
]
for var in ('DLL_PREFIX', 'DLL_SUFFIX'):
DEFINES[var] = '"%s"' % CONFIG[var]
LOCAL_INCLUDES += [
'/security/manager/ssl',
'/security/pkix/include',
'/security/pkix/lib',
]
DIRS += [
'../pkix',
]
TEST_DIRS += [
'tests/gtest',
]
CXXFLAGS += ['-Wall']
if CONFIG['CC_TYPE'] in ('msvc', 'clang-cl'):
# -Wall with Visual C++ enables too many problematic warnings
CXXFLAGS += [
'-wd4324', # structure was padded due to __declspec(align())
'-wd4355', # 'this' used in base member initializer list
'-wd4464', # relative include path contains '..'
'-wd4480', # nonstandard extension used: specifying underlying type for
# enum 'enum'
'-wd4481', # nonstandard extension used: override specifier 'keyword'
'-wd4510', # default constructor could not be generated
'-wd4512', # assignment operator could not be generated
'-wd4514', # 'function': unreferenced inline function has been removed
'-wd4610', # struct 'symbol' can never be instantiated - user defined
# constructor required
'-wd4619', # pragma warning: there is no warning 'warning'
'-wd4623', # default constructor could not be generated because a base
# class default constructor is inaccessible or deleted
'-wd4625', # copy constructor could not be generated because a base
# class copy constructor is inaccessible or deleted
'-wd4626', # assignment operator could not be generated because a base
# class assignment operator is inaccessible or deleted
'-wd4628', # digraphs not supported with -Ze (nsThreadUtils.h includes
# what would be the digraph "<:" in the expression
# "mozilla::EnableIf<::detail::...". Since we don't want it
# interpreted as a digraph anyway, we can disable the
# warning.)
'-wd4640', # construction of local static object is not thread-safe
'-wd4710', # 'function': function not inlined
'-wd4711', # function 'function' selected for inline expansion
'-wd4820', # 'bytes' bytes padding added after construct 'member_name'
]
# MSVC 2010's headers trigger these
CXXFLAGS += [
'-wd4548', # expression before comma has no effect; ...
'-wd4668', # 'symbol' is not defined as a preprocessor macro...
'-wd4987', # nonstandard extension used
]
# MSVC 2015 triggers these
CXXFLAGS += [
'-wd4456', # declaration of 'rv' hides previous local declaration
'-wd4458', # declaration of 'input' hides class member
]
# The following warnings are disabled because MSVC 2017 headers aren't
# warning free at the -Wall level.
CXXFLAGS += [
'-wd4061', # enumerator 'identifier' in switch of enum 'enumeration' is
# not explicitly handled by a case label
'-wd4365', # 'action' : conversion from 'type_1' to 'type_2',
# signed/unsigned mismatch
'-wd4774', # '<function>' : format string expected in argument
# <position> is not a string literal
]
# Gecko headers aren't warning-free enough for us to enable these warnings
CXXFLAGS += [
'-wd4100', # 'symbol' : unreferenced formal parameter
'-wd4127', # conditional expression is constant
'-wd4946', # reinterpret_cast used between related types
]
if CONFIG['CC_TYPE'] in ('clang', 'gcc'):
CXXFLAGS += [
'-Wextra',
'-Wunreachable-code',
]
# Gecko headers aren't warning-free enough for us to enable these warnings.
CXXFLAGS += [
'-Wno-unused-parameter',
]
FINAL_LIBRARY = 'xul'
Reference in New Issue View Git Blame Copy Permalink