зеркало из https://github.com/mozilla/gecko-dev.git
Backed out changeset 50650e0f0edf (bug 1085509
) for causing perma failure in win7 xperf
This commit is contained in:
Родитель
b4bfea0bd6
Коммит
98dda84064
|
@ -6,23 +6,29 @@
|
||||||
|
|
||||||
#include "nsCertOverrideService.h"
|
#include "nsCertOverrideService.h"
|
||||||
|
|
||||||
|
#include "pkix/pkixtypes.h"
|
||||||
|
#include "nsIX509Cert.h"
|
||||||
#include "NSSCertDBTrustDomain.h"
|
#include "NSSCertDBTrustDomain.h"
|
||||||
#include "ScopedNSSTypes.h"
|
#include "nsNSSCertificate.h"
|
||||||
#include "SharedSSLState.h"
|
#include "nsNSSCertHelper.h"
|
||||||
#include "nsAppDirectoryServiceDefs.h"
|
|
||||||
#include "nsCRT.h"
|
#include "nsCRT.h"
|
||||||
|
#include "nsAppDirectoryServiceDefs.h"
|
||||||
|
#include "nsStreamUtils.h"
|
||||||
|
#include "nsNetUtil.h"
|
||||||
#include "nsILineInputStream.h"
|
#include "nsILineInputStream.h"
|
||||||
#include "nsIObserver.h"
|
#include "nsIObserver.h"
|
||||||
#include "nsIObserverService.h"
|
#include "nsIObserverService.h"
|
||||||
#include "nsIX509Cert.h"
|
#include "nsISupportsPrimitives.h"
|
||||||
#include "nsNSSCertHelper.h"
|
|
||||||
#include "nsNSSCertificate.h"
|
|
||||||
#include "nsNSSComponent.h"
|
|
||||||
#include "nsNetUtil.h"
|
|
||||||
#include "nsPromiseFlatString.h"
|
#include "nsPromiseFlatString.h"
|
||||||
#include "nsStreamUtils.h"
|
|
||||||
#include "nsStringBuffer.h"
|
|
||||||
#include "nsThreadUtils.h"
|
#include "nsThreadUtils.h"
|
||||||
|
#include "nsStringBuffer.h"
|
||||||
|
#include "ScopedNSSTypes.h"
|
||||||
|
#include "SharedSSLState.h"
|
||||||
|
|
||||||
|
#include "nspr.h"
|
||||||
|
#include "pk11pub.h"
|
||||||
|
#include "certdb.h"
|
||||||
|
#include "sechash.h"
|
||||||
#include "ssl.h" // For SSL_ClearSessionCache
|
#include "ssl.h" // For SSL_ClearSessionCache
|
||||||
|
|
||||||
using namespace mozilla;
|
using namespace mozilla;
|
||||||
|
@ -100,11 +106,18 @@ nsCertOverrideService::Init()
|
||||||
return NS_ERROR_NOT_SAME_THREAD;
|
return NS_ERROR_NOT_SAME_THREAD;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Note that the names of these variables would seem to indicate that at one
|
|
||||||
// point another hash algorithm was used and is still supported for backwards
|
|
||||||
// compatibility. This is not the case. It has always been SHA256.
|
|
||||||
mOidTagForStoringNewHashes = SEC_OID_SHA256;
|
mOidTagForStoringNewHashes = SEC_OID_SHA256;
|
||||||
mDottedOidForStoringNewHashes.Assign("OID.2.16.840.1.101.3.4.2.1");
|
|
||||||
|
SECOidData *od = SECOID_FindOIDByTag(mOidTagForStoringNewHashes);
|
||||||
|
if (!od)
|
||||||
|
return NS_ERROR_FAILURE;
|
||||||
|
|
||||||
|
char *dotted_oid = CERT_GetOidString(&od->oid);
|
||||||
|
if (!dotted_oid)
|
||||||
|
return NS_ERROR_FAILURE;
|
||||||
|
|
||||||
|
mDottedOidForStoringNewHashes = dotted_oid;
|
||||||
|
PR_smprintf_free(dotted_oid);
|
||||||
|
|
||||||
nsCOMPtr<nsIObserverService> observerService =
|
nsCOMPtr<nsIObserverService> observerService =
|
||||||
mozilla::services::GetObserverService();
|
mozilla::services::GetObserverService();
|
||||||
|
@ -385,6 +398,42 @@ GetCertFingerprintByOidTag(nsIX509Cert *aCert,
|
||||||
return GetCertFingerprintByOidTag(nsscert.get(), aOidTag, fp);
|
return GetCertFingerprintByOidTag(nsscert.get(), aOidTag, fp);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static nsresult
|
||||||
|
GetCertFingerprintByDottedOidString(CERTCertificate* nsscert,
|
||||||
|
const nsCString &dottedOid,
|
||||||
|
nsCString &fp)
|
||||||
|
{
|
||||||
|
SECItem oid;
|
||||||
|
oid.data = nullptr;
|
||||||
|
oid.len = 0;
|
||||||
|
SECStatus srv = SEC_StringToOID(nullptr, &oid,
|
||||||
|
dottedOid.get(), dottedOid.Length());
|
||||||
|
if (srv != SECSuccess)
|
||||||
|
return NS_ERROR_FAILURE;
|
||||||
|
|
||||||
|
SECOidTag oid_tag = SECOID_FindOIDTag(&oid);
|
||||||
|
SECITEM_FreeItem(&oid, false);
|
||||||
|
|
||||||
|
if (oid_tag == SEC_OID_UNKNOWN)
|
||||||
|
return NS_ERROR_FAILURE;
|
||||||
|
|
||||||
|
return GetCertFingerprintByOidTag(nsscert, oid_tag, fp);
|
||||||
|
}
|
||||||
|
|
||||||
|
static nsresult
|
||||||
|
GetCertFingerprintByDottedOidString(nsIX509Cert *aCert,
|
||||||
|
const nsCString &dottedOid,
|
||||||
|
nsCString &fp)
|
||||||
|
{
|
||||||
|
|
||||||
|
ScopedCERTCertificate nsscert(aCert->GetCert());
|
||||||
|
if (!nsscert) {
|
||||||
|
return NS_ERROR_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
return GetCertFingerprintByDottedOidString(nsscert.get(), dottedOid, fp);
|
||||||
|
}
|
||||||
|
|
||||||
NS_IMETHODIMP
|
NS_IMETHODIMP
|
||||||
nsCertOverrideService::RememberValidityOverride(const nsACString& aHostName,
|
nsCertOverrideService::RememberValidityOverride(const nsACString& aHostName,
|
||||||
int32_t aPort,
|
int32_t aPort,
|
||||||
|
@ -497,17 +546,14 @@ nsCertOverrideService::HasMatchingOverride(const nsACString & aHostName, int32_t
|
||||||
nsAutoCString fpStr;
|
nsAutoCString fpStr;
|
||||||
nsresult rv;
|
nsresult rv;
|
||||||
|
|
||||||
// This code was originally written in a way that suggested that other hash
|
|
||||||
// algorithms are supported for backwards compatibility. However, this was
|
|
||||||
// always unnecessary, because only SHA256 has ever been used here.
|
|
||||||
if (settings.mFingerprintAlgOID.Equals(mDottedOidForStoringNewHashes)) {
|
if (settings.mFingerprintAlgOID.Equals(mDottedOidForStoringNewHashes)) {
|
||||||
rv = GetCertFingerprintByOidTag(aCert, mOidTagForStoringNewHashes, fpStr);
|
rv = GetCertFingerprintByOidTag(aCert, mOidTagForStoringNewHashes, fpStr);
|
||||||
if (NS_FAILED(rv)) {
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
return NS_ERROR_UNEXPECTED;
|
|
||||||
}
|
}
|
||||||
|
else {
|
||||||
|
rv = GetCertFingerprintByDottedOidString(aCert, settings.mFingerprintAlgOID, fpStr);
|
||||||
|
}
|
||||||
|
if (NS_FAILED(rv))
|
||||||
|
return rv;
|
||||||
|
|
||||||
*_retval = settings.mFingerprint.Equals(fpStr);
|
*_retval = settings.mFingerprint.Equals(fpStr);
|
||||||
return NS_OK;
|
return NS_OK;
|
||||||
|
@ -603,13 +649,7 @@ nsCertOverrideService::ClearValidityOverride(const nsACString & aHostName, int32
|
||||||
mSettingsTable.RemoveEntry(hostPort.get());
|
mSettingsTable.RemoveEntry(hostPort.get());
|
||||||
Write();
|
Write();
|
||||||
}
|
}
|
||||||
|
SSL_ClearSessionCache();
|
||||||
if (EnsureNSSInitialized(nssEnsure)) {
|
|
||||||
SSL_ClearSessionCache();
|
|
||||||
} else {
|
|
||||||
return NS_ERROR_NOT_AVAILABLE;
|
|
||||||
}
|
|
||||||
|
|
||||||
return NS_OK;
|
return NS_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -698,11 +738,15 @@ FindMatchingCertCallback(nsCertOverrideEntry *aEntry,
|
||||||
|
|
||||||
if (still_ok && matchesDBKey(cai->cert, settings.mDBKey.get())) {
|
if (still_ok && matchesDBKey(cai->cert, settings.mDBKey.get())) {
|
||||||
nsAutoCString cert_fingerprint;
|
nsAutoCString cert_fingerprint;
|
||||||
nsresult rv = NS_ERROR_UNEXPECTED;
|
nsresult rv;
|
||||||
if (settings.mFingerprintAlgOID.Equals(cai->mDottedOidForStoringNewHashes)) {
|
if (settings.mFingerprintAlgOID.Equals(cai->mDottedOidForStoringNewHashes)) {
|
||||||
rv = GetCertFingerprintByOidTag(cai->cert,
|
rv = GetCertFingerprintByOidTag(cai->cert,
|
||||||
cai->mOidTagForStoringNewHashes, cert_fingerprint);
|
cai->mOidTagForStoringNewHashes, cert_fingerprint);
|
||||||
}
|
}
|
||||||
|
else {
|
||||||
|
rv = GetCertFingerprintByDottedOidString(cai->cert,
|
||||||
|
settings.mFingerprintAlgOID, cert_fingerprint);
|
||||||
|
}
|
||||||
if (NS_SUCCEEDED(rv) &&
|
if (NS_SUCCEEDED(rv) &&
|
||||||
settings.mFingerprint.Equals(cert_fingerprint)) {
|
settings.mFingerprint.Equals(cert_fingerprint)) {
|
||||||
cai->counter++;
|
cai->counter++;
|
||||||
|
@ -764,11 +808,15 @@ EnumerateCertOverridesCallback(nsCertOverrideEntry *aEntry,
|
||||||
else {
|
else {
|
||||||
if (matchesDBKey(capac->cert, settings.mDBKey.get())) {
|
if (matchesDBKey(capac->cert, settings.mDBKey.get())) {
|
||||||
nsAutoCString cert_fingerprint;
|
nsAutoCString cert_fingerprint;
|
||||||
nsresult rv = NS_ERROR_UNEXPECTED;
|
nsresult rv;
|
||||||
if (settings.mFingerprintAlgOID.Equals(capac->mDottedOidForStoringNewHashes)) {
|
if (settings.mFingerprintAlgOID.Equals(capac->mDottedOidForStoringNewHashes)) {
|
||||||
rv = GetCertFingerprintByOidTag(capac->cert,
|
rv = GetCertFingerprintByOidTag(capac->cert,
|
||||||
capac->mOidTagForStoringNewHashes, cert_fingerprint);
|
capac->mOidTagForStoringNewHashes, cert_fingerprint);
|
||||||
}
|
}
|
||||||
|
else {
|
||||||
|
rv = GetCertFingerprintByDottedOidString(capac->cert,
|
||||||
|
settings.mFingerprintAlgOID, cert_fingerprint);
|
||||||
|
}
|
||||||
if (NS_SUCCEEDED(rv) &&
|
if (NS_SUCCEEDED(rv) &&
|
||||||
settings.mFingerprint.Equals(cert_fingerprint)) {
|
settings.mFingerprint.Equals(cert_fingerprint)) {
|
||||||
(*capac->enumerator)(settings, capac->userdata);
|
(*capac->enumerator)(settings, capac->userdata);
|
||||||
|
@ -812,3 +860,4 @@ nsCertOverrideService::GetHostWithPort(const nsACString & aHostName, int32_t aPo
|
||||||
}
|
}
|
||||||
_retval.Assign(hostPort);
|
_retval.Assign(hostPort);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -199,6 +199,7 @@ NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsStreamCipher)
|
||||||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsKeyObject)
|
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsKeyObject)
|
||||||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsKeyObjectFactory)
|
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsKeyObjectFactory)
|
||||||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsDataSignatureVerifier)
|
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsDataSignatureVerifier)
|
||||||
|
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nssEnsure, nsCertOverrideService, Init)
|
||||||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsRandomGenerator)
|
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsure, nsRandomGenerator)
|
||||||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsureOnChromeOnly, nsSSLStatus)
|
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsureOnChromeOnly, nsSSLStatus)
|
||||||
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsureOnChromeOnly, TransportSecurityInfo)
|
NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsureOnChromeOnly, TransportSecurityInfo)
|
||||||
|
@ -206,7 +207,6 @@ NS_NSS_GENERIC_FACTORY_CONSTRUCTOR(nssEnsureOnChromeOnly, TransportSecurityInfo)
|
||||||
typedef mozilla::psm::NSSErrorsService NSSErrorsService;
|
typedef mozilla::psm::NSSErrorsService NSSErrorsService;
|
||||||
NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(NSSErrorsService, Init)
|
NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(NSSErrorsService, Init)
|
||||||
NS_GENERIC_FACTORY_CONSTRUCTOR(nsNSSVersion)
|
NS_GENERIC_FACTORY_CONSTRUCTOR(nsNSSVersion)
|
||||||
NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nsCertOverrideService, Init)
|
|
||||||
|
|
||||||
NS_DEFINE_NAMED_CID(NS_NSSCOMPONENT_CID);
|
NS_DEFINE_NAMED_CID(NS_NSSCOMPONENT_CID);
|
||||||
NS_DEFINE_NAMED_CID(NS_SSLSOCKETPROVIDER_CID);
|
NS_DEFINE_NAMED_CID(NS_SSLSOCKETPROVIDER_CID);
|
||||||
|
|
Загрузка…
Ссылка в новой задаче