Bug 1453795 - PSM-Security - Initialize member fields in classes/ structures. r=keeler

--HG-- extra : rebase_source : 4e22100b95356d8f36f26459c985dbfb064453d1
2018-06-18 12:31:47 +03:00 · 2018-06-18 12:31:47 +03:00 · be47373507
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@ -11,6 +11,7 @@
 #include "CTPolicyEnforcer.h"
 #include "CTVerifyResult.h"
 #include "OCSPCache.h"
+#include "RootCertificateTelemetryUtils.h"
 #include "ScopedNSSTypes.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/TimeStamp.h"
@ -78,11 +79,16 @@ enum class NetscapeStepUpPolicy : uint32_t;
 class PinningTelemetryInfo
 {
 public:
-  PinningTelemetryInfo() { Reset(); }
+  PinningTelemetryInfo()
+    : certPinningResultBucket(0)
+    , rootBucket(ROOT_CERTIFICATE_UNKNOWN)
+  {
+    Reset();
+  }

  // Should we accumulate pinning telemetry for the result?
  bool accumulateResult;
-  Telemetry::HistogramID certPinningResultHistogram;
+  Maybe<Telemetry::HistogramID> certPinningResultHistogram;
  int32_t certPinningResultBucket;
  // Should we accumulate telemetry for the root?
  bool accumulateForRoot;
@ -94,7 +100,12 @@ public:
 class CertificateTransparencyInfo
 {
 public:
-  CertificateTransparencyInfo() { Reset(); }
+  CertificateTransparencyInfo()
+    : enabled(false)
+    , policyCompliance(mozilla::ct::CTPolicyCompliance::Unknown)
+  {
+    Reset();
+  }

  // Was CT enabled?
  bool enabled;
--- a/security/manager/ssl/PublicKeyPinningService.cpp
+++ b/security/manager/ssl/PublicKeyPinningService.cpp
@ -305,7 +305,7 @@ CheckPinsForHostname(const RefPtr<nsNSSCertList>& certList, const char* hostname
            enforceTestModeResult ? 1 : 0;
      }
      pinningTelemetryInfo->accumulateResult = true;
-      pinningTelemetryInfo->certPinningResultHistogram = histogram;
+      pinningTelemetryInfo->certPinningResultHistogram = Some(histogram);
    }

    // We only collect per-CA pinning statistics upon failures.
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@ -1431,7 +1431,8 @@ AuthCertificate(CertVerifier& certVerifier,
  }

  if (pinningTelemetryInfo.accumulateResult) {
-    Telemetry::Accumulate(pinningTelemetryInfo.certPinningResultHistogram,
+    MOZ_ASSERT(pinningTelemetryInfo.certPinningResultHistogram.isSome());
+    Telemetry::Accumulate(pinningTelemetryInfo.certPinningResultHistogram.value(),
                          pinningTelemetryInfo.certPinningResultBucket);
  }

--- a/security/pkix/lib/pkixbuild.cpp
+++ b/security/pkix/lib/pkixbuild.cpp
@ -61,6 +61,7 @@ public:
    , stapledOCSPResponse(aStapledOCSPResponse)
    , subCACount(aSubCACount)
    , deferredSubjectError(aDeferredSubjectError)
+    , subjectSignaturePublicKeyAlg(der::PublicKeyAlgorithm::Uninitialized)
    , result(Result::FATAL_ERROR_LIBRARY_FAILURE)
    , resultWasSet(false)
    , buildForwardCallBudget(aBuildForwardCallBudget)
--- a/security/pkix/lib/pkixcheck.cpp
+++ b/security/pkix/lib/pkixcheck.cpp
@ -118,6 +118,10 @@ CheckSignatureAlgorithm(TrustDomain& trustDomain,
      // during path building is too low to be worth bothering with.
      break;

+    case der::PublicKeyAlgorithm::Uninitialized:
+      assert(false);
+      return Result::FATAL_ERROR_LIBRARY_FAILURE;
+
    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
  }

--- a/security/pkix/lib/pkixder.h
+++ b/security/pkix/lib/pkixder.h
@ -457,7 +457,7 @@ CertificateSerialNumber(Reader& input, /*out*/ Input& value)

 // x.509 and OCSP both use this same version numbering scheme, though OCSP
 // only supports v1.
-enum class Version { v1 = 0, v2 = 1, v3 = 2, v4 = 3 };
+enum class Version { v1 = 0, v2 = 1, v3 = 2, v4 = 3, Uninitialized = 255 };

 // X.509 Certificate and OCSP ResponseData both use
 // "[0] EXPLICIT Version DEFAULT v1". Although an explicit encoding of v1 is
@ -522,6 +522,7 @@ enum class PublicKeyAlgorithm
 {
  RSA_PKCS1,
  ECDSA,
+  Uninitialized
 };

 Result SignatureAlgorithmIdentifierValue(
--- a/security/pkix/lib/pkixutil.h
+++ b/security/pkix/lib/pkixutil.h
@ -42,11 +42,13 @@ class BackCert final
 {
 public:
  // certDER and childCert must be valid for the lifetime of BackCert.
-  BackCert(Input aCertDER, EndEntityOrCA aEndEntityOrCA,
+  BackCert(Input aCertDER,
+           EndEntityOrCA aEndEntityOrCA,
           const BackCert* aChildCert)
    : der(aCertDER)
    , endEntityOrCA(aEndEntityOrCA)
    , childCert(aChildCert)
+    , version(der::Version::Uninitialized)
  {
  }

--- a/security/pkix/lib/pkixverify.cpp
+++ b/security/pkix/lib/pkixverify.cpp
@ -79,6 +79,9 @@ VerifySignedDigest(TrustDomain& trustDomain,
    case der::PublicKeyAlgorithm::RSA_PKCS1:
      return trustDomain.VerifyRSAPKCS1SignedDigest(signedDigest,
                                                    signerSubjectPublicKeyInfo);
+    case der::PublicKeyAlgorithm::Uninitialized:
+      assert(false);
+      return Result::FATAL_ERROR_LIBRARY_FAILURE;
    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
  }
 }