mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Try again to really back out everything from bug 431819 in order to fix bug 454406.

This commit is contained in:
Reed Loden 2008-10-01 01:58:56 -05:00
Родитель 109b544036
Коммит 5b263e95c7
5 изменённых файлов: 19 добавлений и 529 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

257
security/manager/ssl/src/nsClientAuthRemember.cpp
Просмотреть файл

@ -1,257 +0,0 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is mozilla.org code.
*
* The Initial Developer of the Original Code is
* Red Hat, Inc.
* Portions created by the Initial Developer are Copyright (C) 2008
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Kai Engert <kengert@redhat.com>
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#include "nsClientAuthRemember.h"
#include "nsIX509Cert.h"
#include "nsCRT.h"
#include "nsNetUtil.h"
#include "nsIObserverService.h"
#include "nsNetUtil.h"
#include "nsISupportsPrimitives.h"
#include "nsPromiseFlatString.h"
#include "nsProxiedService.h"
#include "nsStringBuffer.h"
#include "nsAutoLock.h"
#include "nspr.h"
#include "pk11pub.h"
#include "certdb.h"
#include "sechash.h"
#include "ssl.h" // For SSL_ClearSessionCache
#include "nsNSSCleaner.h"
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NS_IMPL_THREADSAFE_ISUPPORTS2(nsClientAuthRememberService,
nsIObserver,
nsISupportsWeakReference)
nsClientAuthRememberService::nsClientAuthRememberService()
{
monitor = PR_NewMonitor();
}
nsClientAuthRememberService::~nsClientAuthRememberService()
{
RemoveAllFromMemory();
if (monitor)
PR_DestroyMonitor(monitor);
}
nsresult
nsClientAuthRememberService::Init()
{
if (!mSettingsTable.Init())
return NS_ERROR_OUT_OF_MEMORY;
nsCOMPtr<nsIProxyObjectManager> proxyman(do_GetService(NS_XPCOMPROXY_CONTRACTID));
if (!proxyman)
return NS_ERROR_FAILURE;
nsCOMPtr<nsIObserverService> observerService(do_GetService("@mozilla.org/observer-service;1"));
nsCOMPtr<nsIObserverService> proxiedObserver;
NS_GetProxyForObject(NS_PROXY_TO_MAIN_THREAD,
NS_GET_IID(nsIObserverService),
observerService,
NS_PROXY_SYNC,
getter_AddRefs(proxiedObserver));
if (proxiedObserver) {
proxiedObserver->AddObserver(this, "profile-before-change", PR_TRUE);
}
return NS_OK;
}
NS_IMETHODIMP
nsClientAuthRememberService::Observe(nsISupports *aSubject,
const char *aTopic,
const PRUnichar *aData)
{
// check the topic
if (!nsCRT::strcmp(aTopic, "profile-before-change")) {
// The profile is about to change,
// or is going away because the application is shutting down.
nsAutoMonitor lock(monitor);
RemoveAllFromMemory();
}
return NS_OK;
}
void nsClientAuthRememberService::ClearRememberedDecisions()
{
nsAutoMonitor lock(monitor);
RemoveAllFromMemory();
}
void
nsClientAuthRememberService::RemoveAllFromMemory()
{
mSettingsTable.Clear();
}
static nsresult
GetCertFingerprintByOidTag(CERTCertificate* nsscert,
SECOidTag aOidTag,
nsCString &fp)
{
unsigned int hash_len = HASH_ResultLenByOidTag(aOidTag);
nsRefPtr<nsStringBuffer> fingerprint = nsStringBuffer::Alloc(hash_len);
if (!fingerprint)
return NS_ERROR_OUT_OF_MEMORY;
PK11_HashBuf(aOidTag, (unsigned char*)fingerprint->Data(),
nsscert->derCert.data, nsscert->derCert.len);
SECItem fpItem;
fpItem.data = (unsigned char*)fingerprint->Data();
fpItem.len = hash_len;
fp.Adopt(CERT_Hexify(&fpItem, 1));
return NS_OK;
}
nsresult
nsClientAuthRememberService::RememberDecision(const nsACString & aHostName,
CERTCertificate *aServerCert, CERTCertificate *aClientCert)
{
// aClientCert == NULL means: remember that user does not want to use a cert
NS_ENSURE_ARG_POINTER(aServerCert);
if (aHostName.IsEmpty())
return NS_ERROR_INVALID_ARG;
nsCAutoString fpStr;
nsresult rv = GetCertFingerprintByOidTag(aServerCert, SEC_OID_SHA256, fpStr);
if (NS_FAILED(rv))
return rv;
{
nsAutoMonitor lock(monitor);
if (aClientCert) {
AddEntryToList(aHostName, fpStr,
nsDependentCString(aClientCert->nickname));
}
else {
nsCString empty;
AddEntryToList(aHostName, fpStr, empty);
}
}
return NS_OK;
}
nsresult
nsClientAuthRememberService::HasRememberedDecision(const nsACString & aHostName,
CERTCertificate *aCert,
nsACString & aClientNickname,
PRBool *_retval)
{
if (aHostName.IsEmpty())
return NS_ERROR_INVALID_ARG;
NS_ENSURE_ARG_POINTER(aCert);
NS_ENSURE_ARG_POINTER(_retval);
*_retval = PR_FALSE;
nsresult rv;
nsCAutoString fpStr;
rv = GetCertFingerprintByOidTag(aCert, SEC_OID_SHA256, fpStr);
if (NS_FAILED(rv))
return rv;
nsCAutoString hostCert;
GetHostWithCert(aHostName, fpStr, hostCert);
nsClientAuthRemember settings;
{
nsAutoMonitor lock(monitor);
nsClientAuthRememberEntry *entry = mSettingsTable.GetEntry(hostCert.get());
if (!entry)
return NS_OK;
settings = entry->mSettings; // copy
}
aClientNickname = settings.mClientNickname;
*_retval = PR_TRUE;
return NS_OK;
}
nsresult
nsClientAuthRememberService::AddEntryToList(const nsACString &aHostName,
const nsACString &fingerprint,
const nsACString &client_nickname)
{
nsCAutoString hostCert;
GetHostWithCert(aHostName, fingerprint, hostCert);
{
nsAutoMonitor lock(monitor);
nsClientAuthRememberEntry *entry = mSettingsTable.PutEntry(hostCert.get());
if (!entry) {
NS_ERROR("can't insert a null entry!");
return NS_ERROR_OUT_OF_MEMORY;
}
entry->mHostWithCert = hostCert;
nsClientAuthRemember &settings = entry->mSettings;
settings.mAsciiHost = aHostName;
settings.mFingerprint = fingerprint;
settings.mClientNickname = client_nickname;
}
return NS_OK;
}
void
nsClientAuthRememberService::GetHostWithCert(const nsACString & aHostName,
const nsACString & fingerprint,
nsACString& _retval)
{
nsCAutoString hostCert(aHostName);
hostCert.AppendLiteral(":");
hostCert.Append(fingerprint);
_retval.Assign(hostCert);
}

174
security/manager/ssl/src/nsClientAuthRemember.h
Просмотреть файл

@ -1,174 +0,0 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is mozilla.org code.
*
* The Initial Developer of the Original Code is
* Red Hat, Inc.
* Portions created by the Initial Developer are Copyright (C) 2008
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Kai Engert <kengert@redhat.com>
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifndef __NSCLIENTAUTHREMEMBER_H__
#define __NSCLIENTAUTHREMEMBER_H__
#include "nsTHashtable.h"
#include "nsIObserver.h"
#include "nsIX509Cert.h"
#include "nsAutoPtr.h"
#include "nsNSSCertificate.h"
#include "nsString.h"
#include "nsWeakReference.h"
#include "prmon.h"
class nsClientAuthRemember
{
public:
nsClientAuthRemember()
{
}
nsClientAuthRemember(const nsClientAuthRemember &other)
{
this->operator=(other);
}
nsClientAuthRemember &operator=(const nsClientAuthRemember &other)
{
mAsciiHost = other.mAsciiHost;
mFingerprint = other.mFingerprint;
mClientNickname = other.mClientNickname;
return *this;
}
nsCString mAsciiHost;
nsCString mFingerprint;
nsCString mClientNickname;
};
// hash entry class
class nsClientAuthRememberEntry : public PLDHashEntryHdr
{
public:
// Hash methods
typedef const char* KeyType;
typedef const char* KeyTypePointer;
// do nothing with aHost - we require mHead to be set before we're live!
nsClientAuthRememberEntry(KeyTypePointer aHostWithCertUTF8)
{
}
nsClientAuthRememberEntry(const nsClientAuthRememberEntry& toCopy)
{
mSettings = toCopy.mSettings;
}
~nsClientAuthRememberEntry()
{
}
KeyType GetKey() const
{
return HostWithCertPtr();
}
KeyTypePointer GetKeyPointer() const
{
return HostWithCertPtr();
}
PRBool KeyEquals(KeyTypePointer aKey) const
{
return !strcmp(HostWithCertPtr(), aKey);
}
static KeyTypePointer KeyToPointer(KeyType aKey)
{
return aKey;
}
static PLDHashNumber HashKey(KeyTypePointer aKey)
{
// PL_DHashStringKey doesn't use the table parameter, so we can safely
// pass nsnull
return PL_DHashStringKey(nsnull, aKey);
}
enum { ALLOW_MEMMOVE = PR_FALSE };
// get methods
inline const nsCString &HostWithCert() const { return mHostWithCert; }
inline KeyTypePointer HostWithCertPtr() const
{
return mHostWithCert.get();
}
nsClientAuthRemember mSettings;
nsCString mHostWithCert;
};
class nsClientAuthRememberService : public nsIObserver,
public nsSupportsWeakReference
{
public:
NS_DECL_ISUPPORTS
NS_DECL_NSIOBSERVER
nsClientAuthRememberService();
~nsClientAuthRememberService();
nsresult Init();
static void GetHostWithCert(const nsACString & aHostName,
const nsACString & nickname, nsACString& _retval);
nsresult RememberDecision(const nsACString & aHostName,
CERTCertificate *aServerCert, CERTCertificate *aClientCert);
nsresult HasRememberedDecision(const nsACString & aHostName,
CERTCertificate *aCert, nsACString & aClientNickname, PRBool *_retval);
void ClearRememberedDecisions();
protected:
PRMonitor *monitor;
nsTHashtable<nsClientAuthRememberEntry> mSettingsTable;
void RemoveAllFromMemory();
nsresult AddEntryToList(const nsACString &host,
const nsACString &server_fingerprint,
const nsACString &client_nickname);
};
#endif

20
security/manager/ssl/src/nsNSSComponent.cpp
Просмотреть файл

@ -296,10 +296,7 @@ nsNSSComponent::nsNSSComponent()
memset(&mIdentityInfoCallOnce, 0, sizeof(PRCallOnceType));
nsSSLIOLayerHelpers::Init();
mClientAuthRememberService = new nsClientAuthRememberService;
if (mClientAuthRememberService)
mClientAuthRememberService->Init();
NS_ASSERTION( (0 == mInstanceCount), "nsNSSComponent is a singleton, but instantiated multiple times!");
++mInstanceCount;
hashTableCerts = nsnull;
@ -1686,9 +1683,6 @@ nsNSSComponent::ShutdownNSS()
ShutdownSmartCardThreads();
SSL_ClearSessionCache();
if (mClientAuthRememberService) {
mClientAuthRememberService->ClearRememberedDecisions();
}
UnloadLoadableRoots();
CleanupIdentityInfo();
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("evaporating psm resources\n"));
@ -2147,9 +2141,6 @@ void nsNSSComponent::ShowAlert(AlertIdentifier ai)
nsresult nsNSSComponent::LogoutAuthenticatedPK11()
{
if (mClientAuthRememberService) {
mClientAuthRememberService->ClearRememberedDecisions();
}
return mShutdownObjectList->doPK11Logout();
}
@ -2410,14 +2401,6 @@ nsNSSComponent::DoProfileChangeNetRestore()
mIsNetworkDown = PR_FALSE;
}
NS_IMETHODIMP
nsNSSComponent::GetClientAuthRememberService(nsClientAuthRememberService **cars)
{
NS_ENSURE_ARG_POINTER(cars);
NS_IF_ADDREF(*cars = mClientAuthRememberService);
return NS_OK;
}
//---------------------------------------------
// Implementing nsICryptoHash
//---------------------------------------------
@ -3187,3 +3170,4 @@ PSMContentListener::SetParentContentListener(nsIURIContentListener * aContentLis
mParentContentListener = aContentListener;
return NS_OK;
}

5
security/manager/ssl/src/nsNSSComponent.h
Просмотреть файл

@ -69,7 +69,6 @@
#include "nsNSSCallbacks.h"
#include "nsNSSHelper.h"
#include "nsClientAuthRemember.h"
#define NS_NSSCOMPONENT_CID \
{0xa277189c, 0x1dd1, 0x11b2, {0xa8, 0xc9, 0xe4, 0xe8, 0xbf, 0xb1, 0x33, 0x8e}}
@ -172,8 +171,6 @@ class NS_NO_VTABLE nsINSSComponent : public nsISupports {
NS_IMETHOD DispatchEvent(const nsAString &eventType, const nsAString &token) = 0;
NS_IMETHOD GetClientAuthRememberService(nsClientAuthRememberService **cars) = 0;
NS_IMETHOD EnsureIdentityInfoLoaded() = 0;
};
@ -262,7 +259,6 @@ public:
NS_IMETHOD ShutdownSmartCardThread(SECMODModule *module);
NS_IMETHOD PostEvent(const nsAString &eventType, const nsAString &token);
NS_IMETHOD DispatchEvent(const nsAString &eventType, const nsAString &token);
NS_IMETHOD GetClientAuthRememberService(nsClientAuthRememberService **cars);
NS_IMETHOD EnsureIdentityInfoLoaded();
private:
@ -328,7 +324,6 @@ private:
nsSSLThread *mSSLThread;
nsCertVerificationThread *mCertVerificationThread;
nsNSSHttpInterface mHttpForNSS;
nsRefPtr<nsClientAuthRememberService> mClientAuthRememberService;
static PRStatus PR_CALLBACK IdentityInfoInit(void);
PRCallOnceType mIdentityInfoCallOnce;

92
security/manager/ssl/src/nsNSSIOLayer.cpp
Просмотреть файл

@ -58,7 +58,6 @@
#include "nsIDateTimeFormat.h"
#include "nsDateTimeFormatCID.h"
#include "nsIClientAuthDialogs.h"
#include "nsClientAuthRemember.h"
#include "nsICertOverrideService.h"
#include "nsIBadCertListener2.h"
#include "nsISSLErrorListener.h"
@ -239,7 +238,7 @@ void nsNSSSocketInfo::virtualDestroyNSSReference()
{
}
NS_IMPL_THREADSAFE_ISUPPORTS9(nsNSSSocketInfo,
NS_IMPL_THREADSAFE_ISUPPORTS8(nsNSSSocketInfo,
nsITransportSecurityInfo,
nsISSLSocketControl,
nsIInterfaceRequestor,
@ -247,8 +246,7 @@ NS_IMPL_THREADSAFE_ISUPPORTS9(nsNSSSocketInfo,
nsIIdentityInfo,
nsIAssociatedContentSecurity,
nsISerializable,
nsIClassInfo,
nsIClientAuthUserDecision)
nsIClassInfo)
nsresult
nsNSSSocketInfo::GetHandshakePending(PRBool *aHandshakePending)
@ -302,19 +300,6 @@ PRBool nsNSSSocketInfo::GetCanceled()
return mCanceled;
}
NS_IMETHODIMP nsNSSSocketInfo::GetRememberClientAuthCertificate(PRBool *aRememberClientAuthCertificate)
{
NS_ENSURE_ARG_POINTER(aRememberClientAuthCertificate);
*aRememberClientAuthCertificate = mRememberClientAuthCertificate;
return NS_OK;
}
NS_IMETHODIMP nsNSSSocketInfo::SetRememberClientAuthCertificate(PRBool aRememberClientAuthCertificate)
{
mRememberClientAuthCertificate = aRememberClientAuthCertificate;
return NS_OK;
}
void nsNSSSocketInfo::SetHasCleartextPhase(PRBool aHasCleartextPhase)
{
mHasCleartextPhase = aHasCleartextPhase;
@ -2501,10 +2486,12 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
nsNSSShutDownPreventionLock locker;
void* wincx = NULL;
SECStatus ret = SECFailure;
nsresult rv;
nsNSSSocketInfo* info = NULL;
PRArenaPool* arena = NULL;
char** caNameStrings;
CERTCertificate* cert = NULL;
CERTCertificate* serverCert = NULL;
SECKEYPrivateKey* privKey = NULL;
CERTCertList* certList = NULL;
CERTCertListNode* node;
@ -2628,57 +2615,13 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
goto noCert;
}
}
else { // Not Auto => ask
/* Get the SSL Certificate */
CERTCertificate* serverCert = NULL;
CERTCertificateCleaner serverCertCleaner(serverCert);
serverCert = SSL_PeerCertificate(socket);
if (serverCert == NULL) {
/* couldn't get the server cert: what do I do? */
goto loser;
}
nsXPIDLCString hostname;
info->GetHostName(getter_Copies(hostname));
nsresult rv;
NS_DEFINE_CID(nssComponentCID, NS_NSSCOMPONENT_CID);
nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(nssComponentCID, &rv));
nsRefPtr<nsClientAuthRememberService> cars;
if (nssComponent) {
nssComponent->GetClientAuthRememberService(getter_AddRefs(cars));
}
PRBool hasRemembered = PR_FALSE;
nsCString rememberedNickname;
if (cars) {
PRBool found;
nsresult rv = cars->HasRememberedDecision(hostname,
serverCert,
rememberedNickname, &found);
if (NS_SUCCEEDED(rv) && found) {
hasRemembered = PR_TRUE;
}
}
PRBool canceled = PR_FALSE;
if (hasRemembered)
{
if (rememberedNickname.IsEmpty())
canceled = PR_TRUE;
else {
char *const_nickname = const_cast<char*>(rememberedNickname.get());
cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), const_nickname);
}
}
else
{
/* user selects a cert to present */
nsIClientAuthDialogs *dialogs = NULL;
PRInt32 selectedIndex = -1;
PRUnichar **certNicknameList = NULL;
PRUnichar **certDetailsList = NULL;
PRBool canceled;
/* find all user certs that are for SSL */
/* note that we are allowing expired certs in this list */
@ -2735,6 +2678,13 @@ else
NS_ASSERTION(nicknames->numnicknames == NumberOfCerts, "nicknames->numnicknames != NumberOfCerts");
/* Get the SSL Certificate */
serverCert = SSL_PeerCertificate(socket);
if (serverCert == NULL) {
/* couldn't get the server cert: what do I do? */
goto loser;
}
/* Get CN and O of the subject and O of the issuer */
char *ccn = CERT_GetCommonName(&serverCert->subject);
charCleaner ccnCleaner(ccn);
@ -2742,6 +2692,8 @@ else
PRInt32 port;
info->GetPort(&port);
char *hostname = SSL_RevealURL(socket);
charCleaner hostnameCleaner(hostname);
nsString cn_host_port;
if (ccn && strcmp(ccn, hostname) == 0) {
@ -2765,6 +2717,8 @@ else
NS_ConvertUTF8toUTF16 issuer(cissuer);
if (cissuer) PORT_Free(cissuer);
CERT_DestroyCertificate(serverCert);
certNicknameList = (PRUnichar **)nsMemory::Alloc(sizeof(PRUnichar *) * nicknames->numnicknames);
if (!certNicknameList)
goto loser;
@ -2832,12 +2786,9 @@ else
if (NS_FAILED(rv)) goto loser;
// even if the user has canceled, we want to remember that, to avoid repeating prompts
PRBool wantRemember = PR_FALSE;
info->GetRememberClientAuthCertificate(&wantRemember);
if (canceled) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; }
int i;
if (!canceled)
for (i = 0, node = CERT_LIST_HEAD(certList);
!CERT_LIST_END(node, certList);
++i, node = CERT_LIST_NEXT(node)) {
@ -2848,15 +2799,6 @@ else
}
}
if (cars && wantRemember) {
cars->RememberDecision(hostname,
serverCert,
canceled ? 0 : cert);
}
}
if (canceled) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; }
if (cert == NULL) {
goto loser;
}