Bug 733644 - Make nsNSSComponent use mozilla::Preferences. r=keeler, sr=bsmith

2013-09-13 09:02:15 -04:00 · 2013-09-13 09:02:15 -04:00 · 19a28af708
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@ -16,7 +16,7 @@
 #include "nsComponentManagerUtils.h"
 #include "nsDirectoryServiceDefs.h"
 #include "nsICertOverrideService.h"
-#include "nsIPrefService.h"
+#include "mozilla/Preferences.h"

 #ifndef MOZ_DISABLE_CRYPTOLEGACY
 #include "nsIDOMNode.h"
@ -871,9 +871,9 @@ static CipherPref CipherPrefs[] = {
 };

 static void
-setNonPkixOcspEnabled(int32_t ocspEnabled, nsIPrefBranch * pref)
+setNonPkixOcspEnabled(int32_t ocspEnabled)
 {
-  // Note: this preference is numeric vs bolean because previously we
+  // Note: this preference is numeric vs boolean because previously we
  // supported more than two options.
  if (!ocspEnabled) {
    CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
@ -886,7 +886,7 @@ setNonPkixOcspEnabled(int32_t ocspEnabled, nsIPrefBranch * pref)

 #define CRL_DOWNLOAD_DEFAULT false
 #define OCSP_ENABLED_DEFAULT 1
-#define OCSP_REQUIRED_DEFAULT 0
+#define OCSP_REQUIRED_DEFAULT false
 #define FRESH_REVOCATION_REQUIRED_DEFAULT false
 #define MISSING_CERT_DOWNLOAD_DEFAULT false
 #define FIRST_REVO_METHOD_DEFAULT "ocsp"
@ -894,56 +894,39 @@ setNonPkixOcspEnabled(int32_t ocspEnabled, nsIPrefBranch * pref)
 #define OCSP_STAPLING_ENABLED_DEFAULT true

 // Caller must hold a lock on nsNSSComponent::mutex when calling this function
-void nsNSSComponent::setValidationOptions(nsIPrefBranch * pref)
+void nsNSSComponent::setValidationOptions()
 {
  nsNSSShutDownPreventionLock locker;
-  nsresult rv;

-  bool crlDownloading;
-  rv = pref->GetBoolPref("security.CRL_download.enabled", &crlDownloading);
-  if (NS_FAILED(rv))
-    crlDownloading = CRL_DOWNLOAD_DEFAULT;
-  
-  int32_t ocspEnabled;
-  rv = pref->GetIntPref("security.OCSP.enabled", &ocspEnabled);
-  // 0 = disabled, 1 = enabled, 
-  // 2 = enabled with given default responder
-  if (NS_FAILED(rv))
-    ocspEnabled = OCSP_ENABLED_DEFAULT;
+  bool crlDownloading = Preferences::GetBool("security.CRL_download.enabled",
+                                             CRL_DOWNLOAD_DEFAULT);
+  // 0 = disabled, 1 = enabled
+  int32_t ocspEnabled = Preferences::GetInt("security.OCSP.enabled",
+                                            OCSP_ENABLED_DEFAULT);

-  bool ocspRequired;
-  rv = pref->GetBoolPref("security.OCSP.require", &ocspRequired);
-  if (NS_FAILED(rv))
-    ocspRequired = OCSP_REQUIRED_DEFAULT;
+  bool ocspRequired = Preferences::GetBool("security.OCSP.require",
+                                           OCSP_REQUIRED_DEFAULT);
+  bool anyFreshRequired = Preferences::GetBool("security.fresh_revocation_info.require",
+                                               FRESH_REVOCATION_REQUIRED_DEFAULT);
+  bool aiaDownloadEnabled = Preferences::GetBool("security.missing_cert_download.enabled",
+                                                 MISSING_CERT_DOWNLOAD_DEFAULT);

-  bool anyFreshRequired;
-  rv = pref->GetBoolPref("security.fresh_revocation_info.require", &anyFreshRequired);
-  if (NS_FAILED(rv))
-    anyFreshRequired = FRESH_REVOCATION_REQUIRED_DEFAULT;
-  
-  bool aiaDownloadEnabled;
-  rv = pref->GetBoolPref("security.missing_cert_download.enabled", &aiaDownloadEnabled);
-  if (NS_FAILED(rv))
-    aiaDownloadEnabled = MISSING_CERT_DOWNLOAD_DEFAULT;
-
-  nsCString firstNetworkRevo;
-  rv = pref->GetCharPref("security.first_network_revocation_method", getter_Copies(firstNetworkRevo));
-  if (NS_FAILED(rv))
+  nsCString firstNetworkRevo =
+    Preferences::GetCString("security.first_network_revocation_method");
+  if (firstNetworkRevo.IsEmpty()) {
    firstNetworkRevo = FIRST_REVO_METHOD_DEFAULT;
-
-  bool ocspStaplingEnabled;
-  rv = pref->GetBoolPref("security.ssl.enable_ocsp_stapling", &ocspStaplingEnabled);
-  if (NS_FAILED(rv)) {
-    ocspStaplingEnabled = OCSP_STAPLING_ENABLED_DEFAULT;
  }
+
+  bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling",
+                                                  OCSP_STAPLING_ENABLED_DEFAULT);
  if (!ocspEnabled) {
    ocspStaplingEnabled = false;
  }
  PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
  PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
-  
-  setNonPkixOcspEnabled(ocspEnabled, pref);
-  
+
+  setNonPkixOcspEnabled(ocspEnabled);
+
  CERT_SetOCSPFailureMode( ocspRequired ?
                           ocspMode_FailureIsVerificationFailure
                           : ocspMode_FailureIsNotAVerificationFailure);
@ -971,16 +954,16 @@ void nsNSSComponent::setValidationOptions(nsIPrefBranch * pref)
 // Enable the TLS versions given in the prefs, defaulting to SSL 3.0 and
 // TLS 1.0 when the prefs aren't set or when they are set to invalid values.
 nsresult
-nsNSSComponent::setEnabledTLSVersions(nsIPrefBranch * prefBranch)
+nsNSSComponent::setEnabledTLSVersions()
 {
  // keep these values in sync with security-prefs.js and firefox.js
  static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 0;
  static const int32_t PSM_DEFAULT_MAX_TLS_VERSION = 1;

-  int32_t minVersion = PSM_DEFAULT_MIN_TLS_VERSION;
-  int32_t maxVersion = PSM_DEFAULT_MAX_TLS_VERSION;
-  mPrefBranch->GetIntPref("security.tls.version.min", &minVersion);
-  mPrefBranch->GetIntPref("security.tls.version.max", &maxVersion);
+  int32_t minVersion = Preferences::GetInt("security.tls.version.min",
+                                           PSM_DEFAULT_MIN_TLS_VERSION);
+  int32_t maxVersion = Preferences::GetInt("security.tls.version.max",
+                                           PSM_DEFAULT_MAX_TLS_VERSION);

  // 0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, etc.
  minVersion += SSL_LIBRARY_VERSION_3_0;
@ -1016,13 +999,11 @@ NS_IMETHODIMP
 nsNSSComponent::SkipOcspOff()
 {
  nsNSSShutDownPreventionLock locker;
-  int32_t ocspEnabled;
-  if (NS_FAILED(mPrefBranch->GetIntPref("security.OCSP.enabled", &ocspEnabled)))
-    ocspEnabled = OCSP_ENABLED_DEFAULT;
-  // 0 = disabled, 1 = enabled, 
-  // 2 = enabled with given default responder
-  
-  setNonPkixOcspEnabled(ocspEnabled, mPrefBranch);
+  // 0 = disabled, 1 = enabled
+  int32_t ocspEnabled = Preferences::GetInt("security.OCSP.enabled",
+                                            OCSP_ENABLED_DEFAULT);
+
+  setNonPkixOcspEnabled(ocspEnabled);

  if (ocspEnabled)
    SSL_ClearSessionCache();
@ -1050,6 +1031,14 @@ static void configureMD5(bool enabled)
  }
 }

+static const bool SUPPRESS_WARNING_PREF_DEFAULT = false;
+static const bool MD5_ENABLED_DEFAULT = false;
+static const bool TLS_SESSION_TICKETS_ENABLED_DEFAULT = true;
+static const bool REQUIRE_SAFE_NEGOTIATION_DEFAULT = false;
+static const bool ALLOW_UNRESTRICTED_RENEGO_DEFAULT = false;
+static const bool FALSE_START_ENABLED_DEFAULT = true;
+static const bool CIPHER_ENABLED_DEFAULT = false;
+
 nsresult
 nsNSSComponent::InitializeNSS(bool showWarningBox)
 {
@ -1119,17 +1108,13 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
    }

 #ifndef NSS_NO_LIBPKIX
-    rv = mPrefBranch->GetBoolPref("security.use_libpkix_verification", &globalConstFlagUsePKIXVerification);
-    if (NS_FAILED(rv))
-      globalConstFlagUsePKIXVerification = USE_NSS_LIBPKIX_DEFAULT;
+    globalConstFlagUsePKIXVerification =
+      Preferences::GetBool("security.use_libpkix_verification", USE_NSS_LIBPKIX_DEFAULT);
 #endif

-    bool supress_warning_preference = false;
-    rv = mPrefBranch->GetBoolPref("security.suppress_nss_rw_impossible_warning", &supress_warning_preference);
-
-    if (NS_FAILED(rv)) {
-      supress_warning_preference = false;
-    }
+    bool suppressWarningPref =
+      Preferences::GetBool("security.suppress_nss_rw_impossible_warning",
+                           SUPPRESS_WARNING_PREF_DEFAULT);

    // init phase 2, init calls to NSS library

@ -1155,7 +1140,7 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
    if (init_rv != SECSuccess) {
      PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("can not init NSS r/w in %s\n", profileStr.get()));

-      if (supress_warning_preference) {
+      if (suppressWarningPref) {
        which_nss_problem = problem_none;
      }
      else {
@ -1193,38 +1178,44 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
      SharedSSLState::GlobalInit();

      // Register an observer so we can inform NSS when these prefs change
-      mPrefBranch->AddObserver("security.", this, false);
+      Preferences::AddStrongObserver(this, "security.");

      SSL_OptionSetDefault(SSL_ENABLE_SSL2, false);
      SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, false);

-      rv = setEnabledTLSVersions(mPrefBranch);
+      rv = setEnabledTLSVersions();
      if (NS_FAILED(rv)) {
        nsPSMInitPanic::SetPanic();
        return NS_ERROR_UNEXPECTED;
      }

-      bool enabled = true; // XXX: see bug 733644
-
-      mPrefBranch->GetBoolPref("security.enable_md5_signatures", &enabled);
-      configureMD5(enabled);
+      bool md5Enabled = Preferences::GetBool("security.enable_md5_signatures",
+                                             MD5_ENABLED_DEFAULT);
+      configureMD5(md5Enabled);

      // Configure TLS session tickets
-      mPrefBranch->GetBoolPref("security.enable_tls_session_tickets", &enabled);
-      SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, enabled);
+      bool tlsSessionTicketsEnabled =
+        Preferences::GetBool("security.enable_tls_session_tickets",
+                             TLS_SESSION_TICKETS_ENABLED_DEFAULT);
+      SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, tlsSessionTicketsEnabled);

-      mPrefBranch->GetBoolPref("security.ssl.require_safe_negotiation", &enabled);
-      SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, enabled);
+      bool requireSafeNegotiation =
+        Preferences::GetBool("security.ssl.require_safe_negotiation",
+                             REQUIRE_SAFE_NEGOTIATION_DEFAULT);
+      SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, requireSafeNegotiation);

-      mPrefBranch->GetBoolPref(
-        "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", 
-        &enabled);
-      SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, 
-        enabled ? SSL_RENEGOTIATE_UNRESTRICTED : SSL_RENEGOTIATE_REQUIRES_XTN);
+      bool allowUnrestrictedRenego =
+        Preferences::GetBool("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
+                             ALLOW_UNRESTRICTED_RENEGO_DEFAULT);
+      SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION,
+                           allowUnrestrictedRenego ?
+                             SSL_RENEGOTIATE_UNRESTRICTED :
+                             SSL_RENEGOTIATE_REQUIRES_XTN);

 #ifdef SSL_ENABLE_FALSE_START // Requires NSS 3.12.8
-      mPrefBranch->GetBoolPref("security.ssl.enable_false_start", &enabled);
-      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, enabled);
+      bool falseStartEnabled = Preferences::GetBool("security.ssl.enable_false_start",
+                                                    FALSE_START_ENABLED_DEFAULT);
+      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, falseStartEnabled);
 #endif

      // Disable any ciphers that NSS might have enabled by default
@ -1234,13 +1225,11 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
        SSL_CipherPrefSetDefault(cipher_id, false);
      }

+      bool cipherEnabled;
      // Now only set SSL/TLS ciphers we knew about at compile time
      for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {
-        rv = mPrefBranch->GetBoolPref(cp->pref, &enabled);
-        if (NS_FAILED(rv))
-          enabled = false;
-
-        SSL_CipherPrefSetDefault(cp->id, enabled);
+        cipherEnabled = Preferences::GetBool(cp->pref, CIPHER_ENABLED_DEFAULT);
+        SSL_CipherPrefSetDefault(cp->id, cipherEnabled);
      }

      // Enable ciphers for PKCS#12
@ -1254,7 +1243,7 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
      PORT_SetUCS2_ASCIIConversionFunction(pip_ucs2_ascii_conversion_fn);

      // dynamic options from prefs
-      setValidationOptions(mPrefBranch);
+      setValidationOptions();

      mHttpForNSS.initTable();
      mHttpForNSS.registerHttpClient();
@ -1300,9 +1289,7 @@ nsNSSComponent::ShutdownNSS()
    PK11_SetPasswordFunc((PK11PasswordFunc)nullptr);
    mHttpForNSS.unregisterHttpClient();

-    if (mPrefBranch) {
-      mPrefBranch->RemoveObserver("security.", this);
-    }
+    Preferences::RemoveObserver(this, "security.");

 #ifndef MOZ_DISABLE_CRYPTOLEGACY
    ShutdownSmartCardThreads();
@ -1323,7 +1310,9 @@ nsNSSComponent::ShutdownNSS()
    }
  }
 }
- 
+
+static const bool SEND_LM_DEFAULT = false;
+
 NS_IMETHODIMP
 nsNSSComponent::Init()
 {
@ -1359,13 +1348,8 @@ nsNSSComponent::Init()
                                        getter_Copies(result));
  }

-  if (!mPrefBranch) {
-    mPrefBranch = do_GetService(NS_PREFSERVICE_CONTRACTID);
-    NS_ASSERTION(mPrefBranch, "Unable to get pref service");
-  }
-
-  bool sendLM = false;
-  mPrefBranch->GetBoolPref("network.ntlm.send-lm-response", &sendLM);
+  bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response",
+                                     SEND_LM_DEFAULT);
  nsNTLMAuthModule::SetSendLM(sendLM);

  // Do that before NSS init, to make sure we won't get unloaded.
@ -1635,31 +1619,40 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
  else if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) { 
    nsNSSShutDownPreventionLock locker;
    bool clearSessionCache = false;
-    bool enabled;
    NS_ConvertUTF16toUTF8  prefName(someData);

    if (prefName.Equals("security.tls.version.min") ||
        prefName.Equals("security.tls.version.max")) {
-      (void) setEnabledTLSVersions(mPrefBranch);
+      (void) setEnabledTLSVersions();
      clearSessionCache = true;
    } else if (prefName.Equals("security.enable_md5_signatures")) {
-      mPrefBranch->GetBoolPref("security.enable_md5_signatures", &enabled);
-      configureMD5(enabled);
+      bool md5Enabled = Preferences::GetBool("security.enable_md5_signatures",
+                                             MD5_ENABLED_DEFAULT);
+      configureMD5(md5Enabled);
      clearSessionCache = true;
    } else if (prefName.Equals("security.enable_tls_session_tickets")) {
-      mPrefBranch->GetBoolPref("security.enable_tls_session_tickets", &enabled);
-      SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, enabled);
+      bool tlsSessionTicketsEnabled =
+        Preferences::GetBool("security.enable_tls_session_tickets",
+                             TLS_SESSION_TICKETS_ENABLED_DEFAULT);
+      SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, tlsSessionTicketsEnabled);
    } else if (prefName.Equals("security.ssl.require_safe_negotiation")) {
-      mPrefBranch->GetBoolPref("security.ssl.require_safe_negotiation", &enabled);
-      SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, enabled);
+      bool requireSafeNegotiation =
+        Preferences::GetBool("security.ssl.require_safe_negotiation",
+                             REQUIRE_SAFE_NEGOTIATION_DEFAULT);
+      SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, requireSafeNegotiation);
    } else if (prefName.Equals("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref")) {
-      mPrefBranch->GetBoolPref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", &enabled);
-      SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, 
-        enabled ? SSL_RENEGOTIATE_UNRESTRICTED : SSL_RENEGOTIATE_REQUIRES_XTN);
+      bool allowUnrestrictedRenego =
+        Preferences::GetBool("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
+                             ALLOW_UNRESTRICTED_RENEGO_DEFAULT);
+      SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION,
+                           allowUnrestrictedRenego ?
+                             SSL_RENEGOTIATE_UNRESTRICTED :
+                             SSL_RENEGOTIATE_REQUIRES_XTN);
 #ifdef SSL_ENABLE_FALSE_START // Requires NSS 3.12.8
    } else if (prefName.Equals("security.ssl.enable_false_start")) {
-      mPrefBranch->GetBoolPref("security.ssl.enable_false_start", &enabled);
-      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, enabled);
+      bool falseStartEnabled = Preferences::GetBool("security.ssl.enable_false_start",
+                                                    FALSE_START_ENABLED_DEFAULT);
+      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, falseStartEnabled);
 #endif
    } else if (prefName.Equals("security.OCSP.enabled")
               || prefName.Equals("security.CRL_download.enabled")
@ -1669,17 +1662,18 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
               || prefName.Equals("security.OCSP.require")
               || prefName.Equals("security.ssl.enable_ocsp_stapling")) {
      MutexAutoLock lock(mutex);
-      setValidationOptions(mPrefBranch);
+      setValidationOptions();
    } else if (prefName.Equals("network.ntlm.send-lm-response")) {
-      bool sendLM = false;
-      mPrefBranch->GetBoolPref("network.ntlm.send-lm-response", &sendLM);
+      bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response",
+                                         SEND_LM_DEFAULT);
      nsNTLMAuthModule::SetSendLM(sendLM);
    } else {
      /* Look through the cipher table and set according to pref setting */
+      bool cipherEnabled;
      for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {
        if (prefName.Equals(cp->pref)) {
-          mPrefBranch->GetBoolPref(cp->pref, &enabled);
-          SSL_CipherPrefSetDefault(cp->id, enabled);
+          cipherEnabled = Preferences::GetBool(cp->pref, CIPHER_ENABLED_DEFAULT);
+          SSL_CipherPrefSetDefault(cp->id, cipherEnabled);
          clearSessionCache = true;
          break;
        }
--- a/security/manager/ssl/src/nsNSSComponent.h
+++ b/security/manager/ssl/src/nsNSSComponent.h
@ -13,7 +13,6 @@
 #include "nsISignatureVerifier.h"
 #include "nsIEntropyCollector.h"
 #include "nsIStringBundle.h"
-#include "nsIPrefBranch.h"
 #include "nsIObserver.h"
 #include "nsIObserverService.h"
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
@ -185,8 +184,8 @@ private:
  void InstallLoadableRoots();
  void UnloadLoadableRoots();
  void CleanupIdentityInfo();
-  void setValidationOptions(nsIPrefBranch * pref);
-  nsresult setEnabledTLSVersions(nsIPrefBranch * pref);
+  void setValidationOptions();
+  nsresult setEnabledTLSVersions();
  nsresult InitializePIPNSSBundle();
  nsresult ConfigureInternalPKCS11Token();
  nsresult RegisterObservers();
@ -203,7 +202,6 @@ private:
  
  nsCOMPtr<nsIStringBundle> mPIPNSSBundle;
  nsCOMPtr<nsIStringBundle> mNSSErrorsBundle;
-  nsCOMPtr<nsIPrefBranch> mPrefBranch;
  bool mNSSInitialized;
  bool mObserversRegistered;
  static int mInstanceCount;