From 19a28af7088c339a073f39b96862009098c13ebd Mon Sep 17 00:00:00 2001 From: Cykesiopka Date: Fri, 13 Sep 2013 09:02:15 -0400 Subject: [PATCH] Bug 733644 - Make nsNSSComponent use mozilla::Preferences. r=keeler, sr=bsmith --- security/manager/ssl/src/nsNSSComponent.cpp | 226 ++++++++++---------- security/manager/ssl/src/nsNSSComponent.h | 6 +- 2 files changed, 112 insertions(+), 120 deletions(-) diff --git a/security/manager/ssl/src/nsNSSComponent.cpp b/security/manager/ssl/src/nsNSSComponent.cpp index 8fb43e7fa318..5c5f2bbf6f99 100644 --- a/security/manager/ssl/src/nsNSSComponent.cpp +++ b/security/manager/ssl/src/nsNSSComponent.cpp @@ -16,7 +16,7 @@ #include "nsComponentManagerUtils.h" #include "nsDirectoryServiceDefs.h" #include "nsICertOverrideService.h" -#include "nsIPrefService.h" +#include "mozilla/Preferences.h" #ifndef MOZ_DISABLE_CRYPTOLEGACY #include "nsIDOMNode.h" @@ -871,9 +871,9 @@ static CipherPref CipherPrefs[] = { }; static void -setNonPkixOcspEnabled(int32_t ocspEnabled, nsIPrefBranch * pref) +setNonPkixOcspEnabled(int32_t ocspEnabled) { - // Note: this preference is numeric vs bolean because previously we + // Note: this preference is numeric vs boolean because previously we // supported more than two options. if (!ocspEnabled) { CERT_DisableOCSPChecking(CERT_GetDefaultCertDB()); @@ -886,7 +886,7 @@ setNonPkixOcspEnabled(int32_t ocspEnabled, nsIPrefBranch * pref) #define CRL_DOWNLOAD_DEFAULT false #define OCSP_ENABLED_DEFAULT 1 -#define OCSP_REQUIRED_DEFAULT 0 +#define OCSP_REQUIRED_DEFAULT false #define FRESH_REVOCATION_REQUIRED_DEFAULT false #define MISSING_CERT_DOWNLOAD_DEFAULT false #define FIRST_REVO_METHOD_DEFAULT "ocsp" @@ -894,56 +894,39 @@ setNonPkixOcspEnabled(int32_t ocspEnabled, nsIPrefBranch * pref) #define OCSP_STAPLING_ENABLED_DEFAULT true // Caller must hold a lock on nsNSSComponent::mutex when calling this function -void nsNSSComponent::setValidationOptions(nsIPrefBranch * pref) +void nsNSSComponent::setValidationOptions() { nsNSSShutDownPreventionLock locker; - nsresult rv; - bool crlDownloading; - rv = pref->GetBoolPref("security.CRL_download.enabled", &crlDownloading); - if (NS_FAILED(rv)) - crlDownloading = CRL_DOWNLOAD_DEFAULT; - - int32_t ocspEnabled; - rv = pref->GetIntPref("security.OCSP.enabled", &ocspEnabled); - // 0 = disabled, 1 = enabled, - // 2 = enabled with given default responder - if (NS_FAILED(rv)) - ocspEnabled = OCSP_ENABLED_DEFAULT; + bool crlDownloading = Preferences::GetBool("security.CRL_download.enabled", + CRL_DOWNLOAD_DEFAULT); + // 0 = disabled, 1 = enabled + int32_t ocspEnabled = Preferences::GetInt("security.OCSP.enabled", + OCSP_ENABLED_DEFAULT); - bool ocspRequired; - rv = pref->GetBoolPref("security.OCSP.require", &ocspRequired); - if (NS_FAILED(rv)) - ocspRequired = OCSP_REQUIRED_DEFAULT; + bool ocspRequired = Preferences::GetBool("security.OCSP.require", + OCSP_REQUIRED_DEFAULT); + bool anyFreshRequired = Preferences::GetBool("security.fresh_revocation_info.require", + FRESH_REVOCATION_REQUIRED_DEFAULT); + bool aiaDownloadEnabled = Preferences::GetBool("security.missing_cert_download.enabled", + MISSING_CERT_DOWNLOAD_DEFAULT); - bool anyFreshRequired; - rv = pref->GetBoolPref("security.fresh_revocation_info.require", &anyFreshRequired); - if (NS_FAILED(rv)) - anyFreshRequired = FRESH_REVOCATION_REQUIRED_DEFAULT; - - bool aiaDownloadEnabled; - rv = pref->GetBoolPref("security.missing_cert_download.enabled", &aiaDownloadEnabled); - if (NS_FAILED(rv)) - aiaDownloadEnabled = MISSING_CERT_DOWNLOAD_DEFAULT; - - nsCString firstNetworkRevo; - rv = pref->GetCharPref("security.first_network_revocation_method", getter_Copies(firstNetworkRevo)); - if (NS_FAILED(rv)) + nsCString firstNetworkRevo = + Preferences::GetCString("security.first_network_revocation_method"); + if (firstNetworkRevo.IsEmpty()) { firstNetworkRevo = FIRST_REVO_METHOD_DEFAULT; - - bool ocspStaplingEnabled; - rv = pref->GetBoolPref("security.ssl.enable_ocsp_stapling", &ocspStaplingEnabled); - if (NS_FAILED(rv)) { - ocspStaplingEnabled = OCSP_STAPLING_ENABLED_DEFAULT; } + + bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling", + OCSP_STAPLING_ENABLED_DEFAULT); if (!ocspEnabled) { ocspStaplingEnabled = false; } PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled); PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled); - - setNonPkixOcspEnabled(ocspEnabled, pref); - + + setNonPkixOcspEnabled(ocspEnabled); + CERT_SetOCSPFailureMode( ocspRequired ? ocspMode_FailureIsVerificationFailure : ocspMode_FailureIsNotAVerificationFailure); @@ -971,16 +954,16 @@ void nsNSSComponent::setValidationOptions(nsIPrefBranch * pref) // Enable the TLS versions given in the prefs, defaulting to SSL 3.0 and // TLS 1.0 when the prefs aren't set or when they are set to invalid values. nsresult -nsNSSComponent::setEnabledTLSVersions(nsIPrefBranch * prefBranch) +nsNSSComponent::setEnabledTLSVersions() { // keep these values in sync with security-prefs.js and firefox.js static const int32_t PSM_DEFAULT_MIN_TLS_VERSION = 0; static const int32_t PSM_DEFAULT_MAX_TLS_VERSION = 1; - int32_t minVersion = PSM_DEFAULT_MIN_TLS_VERSION; - int32_t maxVersion = PSM_DEFAULT_MAX_TLS_VERSION; - mPrefBranch->GetIntPref("security.tls.version.min", &minVersion); - mPrefBranch->GetIntPref("security.tls.version.max", &maxVersion); + int32_t minVersion = Preferences::GetInt("security.tls.version.min", + PSM_DEFAULT_MIN_TLS_VERSION); + int32_t maxVersion = Preferences::GetInt("security.tls.version.max", + PSM_DEFAULT_MAX_TLS_VERSION); // 0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1, etc. minVersion += SSL_LIBRARY_VERSION_3_0; @@ -1016,13 +999,11 @@ NS_IMETHODIMP nsNSSComponent::SkipOcspOff() { nsNSSShutDownPreventionLock locker; - int32_t ocspEnabled; - if (NS_FAILED(mPrefBranch->GetIntPref("security.OCSP.enabled", &ocspEnabled))) - ocspEnabled = OCSP_ENABLED_DEFAULT; - // 0 = disabled, 1 = enabled, - // 2 = enabled with given default responder - - setNonPkixOcspEnabled(ocspEnabled, mPrefBranch); + // 0 = disabled, 1 = enabled + int32_t ocspEnabled = Preferences::GetInt("security.OCSP.enabled", + OCSP_ENABLED_DEFAULT); + + setNonPkixOcspEnabled(ocspEnabled); if (ocspEnabled) SSL_ClearSessionCache(); @@ -1050,6 +1031,14 @@ static void configureMD5(bool enabled) } } +static const bool SUPPRESS_WARNING_PREF_DEFAULT = false; +static const bool MD5_ENABLED_DEFAULT = false; +static const bool TLS_SESSION_TICKETS_ENABLED_DEFAULT = true; +static const bool REQUIRE_SAFE_NEGOTIATION_DEFAULT = false; +static const bool ALLOW_UNRESTRICTED_RENEGO_DEFAULT = false; +static const bool FALSE_START_ENABLED_DEFAULT = true; +static const bool CIPHER_ENABLED_DEFAULT = false; + nsresult nsNSSComponent::InitializeNSS(bool showWarningBox) { @@ -1119,17 +1108,13 @@ nsNSSComponent::InitializeNSS(bool showWarningBox) } #ifndef NSS_NO_LIBPKIX - rv = mPrefBranch->GetBoolPref("security.use_libpkix_verification", &globalConstFlagUsePKIXVerification); - if (NS_FAILED(rv)) - globalConstFlagUsePKIXVerification = USE_NSS_LIBPKIX_DEFAULT; + globalConstFlagUsePKIXVerification = + Preferences::GetBool("security.use_libpkix_verification", USE_NSS_LIBPKIX_DEFAULT); #endif - bool supress_warning_preference = false; - rv = mPrefBranch->GetBoolPref("security.suppress_nss_rw_impossible_warning", &supress_warning_preference); - - if (NS_FAILED(rv)) { - supress_warning_preference = false; - } + bool suppressWarningPref = + Preferences::GetBool("security.suppress_nss_rw_impossible_warning", + SUPPRESS_WARNING_PREF_DEFAULT); // init phase 2, init calls to NSS library @@ -1155,7 +1140,7 @@ nsNSSComponent::InitializeNSS(bool showWarningBox) if (init_rv != SECSuccess) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("can not init NSS r/w in %s\n", profileStr.get())); - if (supress_warning_preference) { + if (suppressWarningPref) { which_nss_problem = problem_none; } else { @@ -1193,38 +1178,44 @@ nsNSSComponent::InitializeNSS(bool showWarningBox) SharedSSLState::GlobalInit(); // Register an observer so we can inform NSS when these prefs change - mPrefBranch->AddObserver("security.", this, false); + Preferences::AddStrongObserver(this, "security."); SSL_OptionSetDefault(SSL_ENABLE_SSL2, false); SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, false); - rv = setEnabledTLSVersions(mPrefBranch); + rv = setEnabledTLSVersions(); if (NS_FAILED(rv)) { nsPSMInitPanic::SetPanic(); return NS_ERROR_UNEXPECTED; } - bool enabled = true; // XXX: see bug 733644 - - mPrefBranch->GetBoolPref("security.enable_md5_signatures", &enabled); - configureMD5(enabled); + bool md5Enabled = Preferences::GetBool("security.enable_md5_signatures", + MD5_ENABLED_DEFAULT); + configureMD5(md5Enabled); // Configure TLS session tickets - mPrefBranch->GetBoolPref("security.enable_tls_session_tickets", &enabled); - SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, enabled); + bool tlsSessionTicketsEnabled = + Preferences::GetBool("security.enable_tls_session_tickets", + TLS_SESSION_TICKETS_ENABLED_DEFAULT); + SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, tlsSessionTicketsEnabled); - mPrefBranch->GetBoolPref("security.ssl.require_safe_negotiation", &enabled); - SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, enabled); + bool requireSafeNegotiation = + Preferences::GetBool("security.ssl.require_safe_negotiation", + REQUIRE_SAFE_NEGOTIATION_DEFAULT); + SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, requireSafeNegotiation); - mPrefBranch->GetBoolPref( - "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", - &enabled); - SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, - enabled ? SSL_RENEGOTIATE_UNRESTRICTED : SSL_RENEGOTIATE_REQUIRES_XTN); + bool allowUnrestrictedRenego = + Preferences::GetBool("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", + ALLOW_UNRESTRICTED_RENEGO_DEFAULT); + SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, + allowUnrestrictedRenego ? + SSL_RENEGOTIATE_UNRESTRICTED : + SSL_RENEGOTIATE_REQUIRES_XTN); #ifdef SSL_ENABLE_FALSE_START // Requires NSS 3.12.8 - mPrefBranch->GetBoolPref("security.ssl.enable_false_start", &enabled); - SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, enabled); + bool falseStartEnabled = Preferences::GetBool("security.ssl.enable_false_start", + FALSE_START_ENABLED_DEFAULT); + SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, falseStartEnabled); #endif // Disable any ciphers that NSS might have enabled by default @@ -1234,13 +1225,11 @@ nsNSSComponent::InitializeNSS(bool showWarningBox) SSL_CipherPrefSetDefault(cipher_id, false); } + bool cipherEnabled; // Now only set SSL/TLS ciphers we knew about at compile time for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) { - rv = mPrefBranch->GetBoolPref(cp->pref, &enabled); - if (NS_FAILED(rv)) - enabled = false; - - SSL_CipherPrefSetDefault(cp->id, enabled); + cipherEnabled = Preferences::GetBool(cp->pref, CIPHER_ENABLED_DEFAULT); + SSL_CipherPrefSetDefault(cp->id, cipherEnabled); } // Enable ciphers for PKCS#12 @@ -1254,7 +1243,7 @@ nsNSSComponent::InitializeNSS(bool showWarningBox) PORT_SetUCS2_ASCIIConversionFunction(pip_ucs2_ascii_conversion_fn); // dynamic options from prefs - setValidationOptions(mPrefBranch); + setValidationOptions(); mHttpForNSS.initTable(); mHttpForNSS.registerHttpClient(); @@ -1300,9 +1289,7 @@ nsNSSComponent::ShutdownNSS() PK11_SetPasswordFunc((PK11PasswordFunc)nullptr); mHttpForNSS.unregisterHttpClient(); - if (mPrefBranch) { - mPrefBranch->RemoveObserver("security.", this); - } + Preferences::RemoveObserver(this, "security."); #ifndef MOZ_DISABLE_CRYPTOLEGACY ShutdownSmartCardThreads(); @@ -1323,7 +1310,9 @@ nsNSSComponent::ShutdownNSS() } } } - + +static const bool SEND_LM_DEFAULT = false; + NS_IMETHODIMP nsNSSComponent::Init() { @@ -1359,13 +1348,8 @@ nsNSSComponent::Init() getter_Copies(result)); } - if (!mPrefBranch) { - mPrefBranch = do_GetService(NS_PREFSERVICE_CONTRACTID); - NS_ASSERTION(mPrefBranch, "Unable to get pref service"); - } - - bool sendLM = false; - mPrefBranch->GetBoolPref("network.ntlm.send-lm-response", &sendLM); + bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response", + SEND_LM_DEFAULT); nsNTLMAuthModule::SetSendLM(sendLM); // Do that before NSS init, to make sure we won't get unloaded. @@ -1635,31 +1619,40 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic, else if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) { nsNSSShutDownPreventionLock locker; bool clearSessionCache = false; - bool enabled; NS_ConvertUTF16toUTF8 prefName(someData); if (prefName.Equals("security.tls.version.min") || prefName.Equals("security.tls.version.max")) { - (void) setEnabledTLSVersions(mPrefBranch); + (void) setEnabledTLSVersions(); clearSessionCache = true; } else if (prefName.Equals("security.enable_md5_signatures")) { - mPrefBranch->GetBoolPref("security.enable_md5_signatures", &enabled); - configureMD5(enabled); + bool md5Enabled = Preferences::GetBool("security.enable_md5_signatures", + MD5_ENABLED_DEFAULT); + configureMD5(md5Enabled); clearSessionCache = true; } else if (prefName.Equals("security.enable_tls_session_tickets")) { - mPrefBranch->GetBoolPref("security.enable_tls_session_tickets", &enabled); - SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, enabled); + bool tlsSessionTicketsEnabled = + Preferences::GetBool("security.enable_tls_session_tickets", + TLS_SESSION_TICKETS_ENABLED_DEFAULT); + SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, tlsSessionTicketsEnabled); } else if (prefName.Equals("security.ssl.require_safe_negotiation")) { - mPrefBranch->GetBoolPref("security.ssl.require_safe_negotiation", &enabled); - SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, enabled); + bool requireSafeNegotiation = + Preferences::GetBool("security.ssl.require_safe_negotiation", + REQUIRE_SAFE_NEGOTIATION_DEFAULT); + SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, requireSafeNegotiation); } else if (prefName.Equals("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref")) { - mPrefBranch->GetBoolPref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", &enabled); - SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, - enabled ? SSL_RENEGOTIATE_UNRESTRICTED : SSL_RENEGOTIATE_REQUIRES_XTN); + bool allowUnrestrictedRenego = + Preferences::GetBool("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", + ALLOW_UNRESTRICTED_RENEGO_DEFAULT); + SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, + allowUnrestrictedRenego ? + SSL_RENEGOTIATE_UNRESTRICTED : + SSL_RENEGOTIATE_REQUIRES_XTN); #ifdef SSL_ENABLE_FALSE_START // Requires NSS 3.12.8 } else if (prefName.Equals("security.ssl.enable_false_start")) { - mPrefBranch->GetBoolPref("security.ssl.enable_false_start", &enabled); - SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, enabled); + bool falseStartEnabled = Preferences::GetBool("security.ssl.enable_false_start", + FALSE_START_ENABLED_DEFAULT); + SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, falseStartEnabled); #endif } else if (prefName.Equals("security.OCSP.enabled") || prefName.Equals("security.CRL_download.enabled") @@ -1669,17 +1662,18 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic, || prefName.Equals("security.OCSP.require") || prefName.Equals("security.ssl.enable_ocsp_stapling")) { MutexAutoLock lock(mutex); - setValidationOptions(mPrefBranch); + setValidationOptions(); } else if (prefName.Equals("network.ntlm.send-lm-response")) { - bool sendLM = false; - mPrefBranch->GetBoolPref("network.ntlm.send-lm-response", &sendLM); + bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response", + SEND_LM_DEFAULT); nsNTLMAuthModule::SetSendLM(sendLM); } else { /* Look through the cipher table and set according to pref setting */ + bool cipherEnabled; for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) { if (prefName.Equals(cp->pref)) { - mPrefBranch->GetBoolPref(cp->pref, &enabled); - SSL_CipherPrefSetDefault(cp->id, enabled); + cipherEnabled = Preferences::GetBool(cp->pref, CIPHER_ENABLED_DEFAULT); + SSL_CipherPrefSetDefault(cp->id, cipherEnabled); clearSessionCache = true; break; } diff --git a/security/manager/ssl/src/nsNSSComponent.h b/security/manager/ssl/src/nsNSSComponent.h index 8cca171b4296..ef3e553cf4e6 100644 --- a/security/manager/ssl/src/nsNSSComponent.h +++ b/security/manager/ssl/src/nsNSSComponent.h @@ -13,7 +13,6 @@ #include "nsISignatureVerifier.h" #include "nsIEntropyCollector.h" #include "nsIStringBundle.h" -#include "nsIPrefBranch.h" #include "nsIObserver.h" #include "nsIObserverService.h" #ifndef MOZ_DISABLE_CRYPTOLEGACY @@ -185,8 +184,8 @@ private: void InstallLoadableRoots(); void UnloadLoadableRoots(); void CleanupIdentityInfo(); - void setValidationOptions(nsIPrefBranch * pref); - nsresult setEnabledTLSVersions(nsIPrefBranch * pref); + void setValidationOptions(); + nsresult setEnabledTLSVersions(); nsresult InitializePIPNSSBundle(); nsresult ConfigureInternalPKCS11Token(); nsresult RegisterObservers(); @@ -203,7 +202,6 @@ private: nsCOMPtr mPIPNSSBundle; nsCOMPtr mNSSErrorsBundle; - nsCOMPtr mPrefBranch; bool mNSSInitialized; bool mObserversRegistered; static int mInstanceCount;