зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1844908 - Remove pre-Win10-specific codepath from security/manager/. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D184298
This commit is contained in:
Родитель
12a9d6878f
Коммит
c9bcb80226
|
@ -13924,17 +13924,6 @@
|
||||||
value: false
|
value: false
|
||||||
mirror: once
|
mirror: once
|
||||||
|
|
||||||
# On Windows 8.1, if the following preference is 2, we will attempt to detect
|
|
||||||
# whether the Family Safety TLS interception feature has been enabled.
|
|
||||||
# If so, we will behave as if the enterprise roots feature has been enabled
|
|
||||||
# (i.e. import and trust third party root certificates from the OS).
|
|
||||||
# With any other value of the pref or on any other platform, this does nothing.
|
|
||||||
# This preference takes precedence over "security.enterprise_roots.enabled".
|
|
||||||
- name: security.family_safety.mode
|
|
||||||
type: RelaxedAtomicUint32
|
|
||||||
value: 2
|
|
||||||
mirror: always
|
|
||||||
|
|
||||||
# Whether or not to import and trust third party root certificates from the OS.
|
# Whether or not to import and trust third party root certificates from the OS.
|
||||||
- name: security.enterprise_roots.enabled
|
- name: security.enterprise_roots.enabled
|
||||||
type: RelaxedAtomicBool
|
type: RelaxedAtomicBool
|
||||||
|
|
|
@ -60,7 +60,6 @@
|
||||||
#include "nsIWindowWatcher.h"
|
#include "nsIWindowWatcher.h"
|
||||||
#include "nsIXULRuntime.h"
|
#include "nsIXULRuntime.h"
|
||||||
#include "nsLiteralString.h"
|
#include "nsLiteralString.h"
|
||||||
#include "nsNSSCertificateDB.h"
|
|
||||||
#include "nsNSSHelper.h"
|
#include "nsNSSHelper.h"
|
||||||
#include "nsNetCID.h"
|
#include "nsNetCID.h"
|
||||||
#include "nsPK11TokenDB.h"
|
#include "nsPK11TokenDB.h"
|
||||||
|
@ -84,14 +83,7 @@
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef XP_WIN
|
#ifdef XP_WIN
|
||||||
# include "mozilla/WindowsVersion.h"
|
|
||||||
# include "nsILocalFileWin.h"
|
# include "nsILocalFileWin.h"
|
||||||
|
|
||||||
# include "windows.h" // this needs to be before the following includes
|
|
||||||
# include "lmcons.h"
|
|
||||||
# include "sddl.h"
|
|
||||||
# include "wincrypt.h"
|
|
||||||
# include "nsIWindowsRegKey.h"
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
using namespace mozilla;
|
using namespace mozilla;
|
||||||
|
@ -310,245 +302,6 @@ nsNSSComponent::~nsNSSComponent() {
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSComponent::dtor finished\n"));
|
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSComponent::dtor finished\n"));
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef XP_WIN
|
|
||||||
static bool GetUserSid(nsAString& sidString) {
|
|
||||||
// UNLEN is the maximum user name length (see Lmcons.h). +1 for the null
|
|
||||||
// terminator.
|
|
||||||
WCHAR lpAccountName[UNLEN + 1];
|
|
||||||
DWORD lcAccountName = sizeof(lpAccountName) / sizeof(lpAccountName[0]);
|
|
||||||
BOOL success = GetUserName(lpAccountName, &lcAccountName);
|
|
||||||
if (!success) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("GetUserName failed"));
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
char sid_buffer[SECURITY_MAX_SID_SIZE];
|
|
||||||
SID* sid = BitwiseCast<SID*, char*>(sid_buffer);
|
|
||||||
DWORD cbSid = ArrayLength(sid_buffer);
|
|
||||||
SID_NAME_USE eUse;
|
|
||||||
// There doesn't appear to be a defined maximum length for the domain name
|
|
||||||
// here. To deal with this, we start with a reasonable buffer length and
|
|
||||||
// see if that works. If it fails and the error indicates insufficient length,
|
|
||||||
// we use the indicated required length and try again.
|
|
||||||
DWORD cchReferencedDomainName = 128;
|
|
||||||
auto ReferencedDomainName(MakeUnique<WCHAR[]>(cchReferencedDomainName));
|
|
||||||
success = LookupAccountName(nullptr, lpAccountName, sid, &cbSid,
|
|
||||||
ReferencedDomainName.get(),
|
|
||||||
&cchReferencedDomainName, &eUse);
|
|
||||||
if (!success && GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("LookupAccountName failed"));
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
if (!success) {
|
|
||||||
ReferencedDomainName = MakeUnique<WCHAR[]>(cchReferencedDomainName);
|
|
||||||
success = LookupAccountName(nullptr, lpAccountName, sid, &cbSid,
|
|
||||||
ReferencedDomainName.get(),
|
|
||||||
&cchReferencedDomainName, &eUse);
|
|
||||||
}
|
|
||||||
if (!success) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("LookupAccountName failed"));
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
LPTSTR StringSid;
|
|
||||||
success = ConvertSidToStringSid(sid, &StringSid);
|
|
||||||
if (!success) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("ConvertSidToStringSid failed"));
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
sidString.Assign(StringSid);
|
|
||||||
LocalFree(StringSid);
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
// This is a specialized helper function to read the value of a registry key
|
|
||||||
// that might not be present. If it is present, returns (via the output
|
|
||||||
// parameter) its value. Otherwise, returns the given default value.
|
|
||||||
// This function handles one level of nesting. That is, if the desired value
|
|
||||||
// is actually in a direct child of the given registry key (where the child
|
|
||||||
// and/or the value being sought may not actually be present), this function
|
|
||||||
// will handle that. In the normal case, though, optionalChildName will be
|
|
||||||
// null.
|
|
||||||
static nsresult ReadRegKeyValueWithDefault(nsCOMPtr<nsIWindowsRegKey> regKey,
|
|
||||||
uint32_t flags,
|
|
||||||
const wchar_t* optionalChildName,
|
|
||||||
const wchar_t* valueName,
|
|
||||||
uint32_t defaultValue,
|
|
||||||
uint32_t& valueOut) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("ReadRegKeyValueWithDefault"));
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
|
||||||
("attempting to read '%S%s%S' with default '%u'",
|
|
||||||
optionalChildName ? optionalChildName : L"",
|
|
||||||
optionalChildName ? "\\" : "", valueName, defaultValue));
|
|
||||||
if (optionalChildName) {
|
|
||||||
nsDependentString childNameString(optionalChildName);
|
|
||||||
bool hasChild;
|
|
||||||
nsresult rv = regKey->HasChild(childNameString, &hasChild);
|
|
||||||
if (NS_FAILED(rv)) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
|
||||||
("failed to determine if child key is present"));
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
if (!hasChild) {
|
|
||||||
valueOut = defaultValue;
|
|
||||||
return NS_OK;
|
|
||||||
}
|
|
||||||
nsCOMPtr<nsIWindowsRegKey> childRegKey;
|
|
||||||
rv = regKey->OpenChild(childNameString, flags, getter_AddRefs(childRegKey));
|
|
||||||
if (NS_FAILED(rv)) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("couldn't open child key"));
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
return ReadRegKeyValueWithDefault(childRegKey, flags, nullptr, valueName,
|
|
||||||
defaultValue, valueOut);
|
|
||||||
}
|
|
||||||
nsDependentString valueNameString(valueName);
|
|
||||||
bool hasValue;
|
|
||||||
nsresult rv = regKey->HasValue(valueNameString, &hasValue);
|
|
||||||
if (NS_FAILED(rv)) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
|
||||||
("failed to determine if value is present"));
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
if (!hasValue) {
|
|
||||||
valueOut = defaultValue;
|
|
||||||
return NS_OK;
|
|
||||||
}
|
|
||||||
rv = regKey->ReadIntValue(valueNameString, &valueOut);
|
|
||||||
if (NS_FAILED(rv)) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("failed to read value"));
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
return NS_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
static nsresult AccountHasFamilySafetyEnabled(bool& enabled) {
|
|
||||||
enabled = false;
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("AccountHasFamilySafetyEnabled?"));
|
|
||||||
nsCOMPtr<nsIWindowsRegKey> parentalControlsKey(
|
|
||||||
do_CreateInstance("@mozilla.org/windows-registry-key;1"));
|
|
||||||
if (!parentalControlsKey) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("couldn't create nsIWindowsRegKey"));
|
|
||||||
return NS_ERROR_FAILURE;
|
|
||||||
}
|
|
||||||
uint32_t flags = nsIWindowsRegKey::ACCESS_READ | nsIWindowsRegKey::WOW64_64;
|
|
||||||
constexpr auto familySafetyPath =
|
|
||||||
u"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Parental Controls"_ns;
|
|
||||||
nsresult rv = parentalControlsKey->Open(
|
|
||||||
nsIWindowsRegKey::ROOT_KEY_LOCAL_MACHINE, familySafetyPath, flags);
|
|
||||||
if (NS_FAILED(rv)) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("couldn't open parentalControlsKey"));
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
constexpr auto usersString = u"Users"_ns;
|
|
||||||
bool hasUsers;
|
|
||||||
rv = parentalControlsKey->HasChild(usersString, &hasUsers);
|
|
||||||
if (NS_FAILED(rv)) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("HasChild(Users) failed"));
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
if (!hasUsers) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
|
||||||
("Users subkey not present - Parental Controls not enabled"));
|
|
||||||
return NS_OK;
|
|
||||||
}
|
|
||||||
nsCOMPtr<nsIWindowsRegKey> usersKey;
|
|
||||||
rv = parentalControlsKey->OpenChild(usersString, flags,
|
|
||||||
getter_AddRefs(usersKey));
|
|
||||||
if (NS_FAILED(rv)) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("failed to open Users subkey"));
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
nsAutoString sid;
|
|
||||||
if (!GetUserSid(sid)) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("couldn't get sid"));
|
|
||||||
return NS_ERROR_FAILURE;
|
|
||||||
}
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
|
||||||
("our sid is '%S'", static_cast<const wchar_t*>(sid.get())));
|
|
||||||
bool hasSid;
|
|
||||||
rv = usersKey->HasChild(sid, &hasSid);
|
|
||||||
if (NS_FAILED(rv)) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("HasChild(sid) failed"));
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
if (!hasSid) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
|
||||||
("sid not present in Family Safety Users"));
|
|
||||||
return NS_OK;
|
|
||||||
}
|
|
||||||
nsCOMPtr<nsIWindowsRegKey> sidKey;
|
|
||||||
rv = usersKey->OpenChild(sid, flags, getter_AddRefs(sidKey));
|
|
||||||
if (NS_FAILED(rv)) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("couldn't open sid key"));
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
// There are three keys we're interested in: "Parental Controls On",
|
|
||||||
// "Logging Required", and "Web\\Filter On". These keys will have value 0
|
|
||||||
// or 1, indicating a particular feature is disabled or enabled,
|
|
||||||
// respectively. So, if "Parental Controls On" is not 1, Family Safety is
|
|
||||||
// disabled and we don't care about anything else. If both "Logging
|
|
||||||
// Required" and "Web\\Filter On" are 0, the proxy will not be running,
|
|
||||||
// so for our purposes we can consider Family Safety disabled in that
|
|
||||||
// case.
|
|
||||||
// By default, "Logging Required" is 1 and "Web\\Filter On" is 0,
|
|
||||||
// reflecting the initial settings when Family Safety is enabled for an
|
|
||||||
// account for the first time, However, these sub-keys are not created
|
|
||||||
// unless they are switched away from the default value.
|
|
||||||
uint32_t parentalControlsOn;
|
|
||||||
rv = sidKey->ReadIntValue(u"Parental Controls On"_ns, &parentalControlsOn);
|
|
||||||
if (NS_FAILED(rv)) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
|
||||||
("couldn't read Parental Controls On"));
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
|
||||||
("Parental Controls On: %u", parentalControlsOn));
|
|
||||||
if (parentalControlsOn != 1) {
|
|
||||||
return NS_OK;
|
|
||||||
}
|
|
||||||
uint32_t loggingRequired;
|
|
||||||
rv = ReadRegKeyValueWithDefault(sidKey, flags, nullptr, L"Logging Required",
|
|
||||||
1, loggingRequired);
|
|
||||||
if (NS_FAILED(rv)) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
|
||||||
("failed to read value of Logging Required"));
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
|
||||||
("Logging Required: %u", loggingRequired));
|
|
||||||
uint32_t webFilterOn;
|
|
||||||
rv = ReadRegKeyValueWithDefault(sidKey, flags, L"Web", L"Filter On", 0,
|
|
||||||
webFilterOn);
|
|
||||||
if (NS_FAILED(rv)) {
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
|
||||||
("failed to read value of Web\\Filter On"));
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Web\\Filter On: %u", webFilterOn));
|
|
||||||
enabled = loggingRequired == 1 || webFilterOn == 1;
|
|
||||||
return NS_OK;
|
|
||||||
}
|
|
||||||
#endif // XP_WIN
|
|
||||||
|
|
||||||
bool nsNSSComponent::ShouldEnableEnterpriseRootsForFamilySafety(
|
|
||||||
uint32_t familySafetyMode) {
|
|
||||||
#ifdef XP_WIN
|
|
||||||
if (!(IsWin8Point1OrLater() && !IsWin10OrLater())) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
if (familySafetyMode != 2) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
bool familySafetyEnabled;
|
|
||||||
nsresult rv = AccountHasFamilySafetyEnabled(familySafetyEnabled);
|
|
||||||
if (NS_FAILED(rv)) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
return familySafetyEnabled;
|
|
||||||
#else
|
|
||||||
return false;
|
|
||||||
#endif // XP_WIN
|
|
||||||
}
|
|
||||||
|
|
||||||
void nsNSSComponent::UnloadEnterpriseRoots() {
|
void nsNSSComponent::UnloadEnterpriseRoots() {
|
||||||
MOZ_ASSERT(NS_IsMainThread());
|
MOZ_ASSERT(NS_IsMainThread());
|
||||||
if (!NS_IsMainThread()) {
|
if (!NS_IsMainThread()) {
|
||||||
|
@ -591,12 +344,6 @@ void nsNSSComponent::MaybeImportEnterpriseRoots() {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
bool importEnterpriseRoots = StaticPrefs::security_enterprise_roots_enabled();
|
bool importEnterpriseRoots = StaticPrefs::security_enterprise_roots_enabled();
|
||||||
uint32_t familySafetyMode = StaticPrefs::security_family_safety_mode();
|
|
||||||
// If we've been configured to detect the Family Safety TLS interception
|
|
||||||
// feature, see if it's enabled. If so, we want to import enterprise roots.
|
|
||||||
if (ShouldEnableEnterpriseRootsForFamilySafety(familySafetyMode)) {
|
|
||||||
importEnterpriseRoots = true;
|
|
||||||
}
|
|
||||||
if (importEnterpriseRoots) {
|
if (importEnterpriseRoots) {
|
||||||
RefPtr<BackgroundImportEnterpriseCertsTask> task =
|
RefPtr<BackgroundImportEnterpriseCertsTask> task =
|
||||||
new BackgroundImportEnterpriseCertsTask(this);
|
new BackgroundImportEnterpriseCertsTask(this);
|
||||||
|
@ -685,13 +432,12 @@ nsNSSComponent::AddEnterpriseIntermediate(
|
||||||
class LoadLoadableCertsTask final : public Runnable {
|
class LoadLoadableCertsTask final : public Runnable {
|
||||||
public:
|
public:
|
||||||
LoadLoadableCertsTask(nsNSSComponent* nssComponent,
|
LoadLoadableCertsTask(nsNSSComponent* nssComponent,
|
||||||
bool importEnterpriseRoots, uint32_t familySafetyMode,
|
bool importEnterpriseRoots,
|
||||||
Vector<nsCString>&& possibleLoadableRootsLocations,
|
Vector<nsCString>&& possibleLoadableRootsLocations,
|
||||||
Maybe<nsCString>&& osClientCertsModuleLocation)
|
Maybe<nsCString>&& osClientCertsModuleLocation)
|
||||||
: Runnable("LoadLoadableCertsTask"),
|
: Runnable("LoadLoadableCertsTask"),
|
||||||
mNSSComponent(nssComponent),
|
mNSSComponent(nssComponent),
|
||||||
mImportEnterpriseRoots(importEnterpriseRoots),
|
mImportEnterpriseRoots(importEnterpriseRoots),
|
||||||
mFamilySafetyMode(familySafetyMode),
|
|
||||||
mPossibleLoadableRootsLocations(
|
mPossibleLoadableRootsLocations(
|
||||||
std::move(possibleLoadableRootsLocations)),
|
std::move(possibleLoadableRootsLocations)),
|
||||||
mOSClientCertsModuleLocation(std::move(osClientCertsModuleLocation)) {
|
mOSClientCertsModuleLocation(std::move(osClientCertsModuleLocation)) {
|
||||||
|
@ -707,7 +453,6 @@ class LoadLoadableCertsTask final : public Runnable {
|
||||||
nsresult LoadLoadableRoots();
|
nsresult LoadLoadableRoots();
|
||||||
RefPtr<nsNSSComponent> mNSSComponent;
|
RefPtr<nsNSSComponent> mNSSComponent;
|
||||||
bool mImportEnterpriseRoots;
|
bool mImportEnterpriseRoots;
|
||||||
uint32_t mFamilySafetyMode;
|
|
||||||
Vector<nsCString> mPossibleLoadableRootsLocations; // encoded in UTF-8
|
Vector<nsCString> mPossibleLoadableRootsLocations; // encoded in UTF-8
|
||||||
Maybe<nsCString> mOSClientCertsModuleLocation; // encoded in UTF-8
|
Maybe<nsCString> mOSClientCertsModuleLocation; // encoded in UTF-8
|
||||||
};
|
};
|
||||||
|
@ -748,12 +493,6 @@ LoadLoadableCertsTask::Run() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// If we've been configured to detect the Family Safety TLS interception
|
|
||||||
// feature, see if it's enabled. If so, we want to import enterprise roots.
|
|
||||||
if (mNSSComponent->ShouldEnableEnterpriseRootsForFamilySafety(
|
|
||||||
mFamilySafetyMode)) {
|
|
||||||
mImportEnterpriseRoots = true;
|
|
||||||
}
|
|
||||||
if (mImportEnterpriseRoots) {
|
if (mImportEnterpriseRoots) {
|
||||||
mNSSComponent->ImportEnterpriseRoots();
|
mNSSComponent->ImportEnterpriseRoots();
|
||||||
mNSSComponent->UpdateCertVerifierWithEnterpriseRoots();
|
mNSSComponent->UpdateCertVerifierWithEnterpriseRoots();
|
||||||
|
@ -1899,7 +1638,6 @@ nsresult nsNSSComponent::InitializeNSS() {
|
||||||
|
|
||||||
bool importEnterpriseRoots =
|
bool importEnterpriseRoots =
|
||||||
StaticPrefs::security_enterprise_roots_enabled();
|
StaticPrefs::security_enterprise_roots_enabled();
|
||||||
uint32_t familySafetyMode = StaticPrefs::security_family_safety_mode();
|
|
||||||
Vector<nsCString> possibleLoadableRootsLocations;
|
Vector<nsCString> possibleLoadableRootsLocations;
|
||||||
rv = ListPossibleLoadableRootsLocations(possibleLoadableRootsLocations);
|
rv = ListPossibleLoadableRootsLocations(possibleLoadableRootsLocations);
|
||||||
MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv));
|
MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv));
|
||||||
|
@ -1917,7 +1655,7 @@ nsresult nsNSSComponent::InitializeNSS() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
RefPtr<LoadLoadableCertsTask> loadLoadableCertsTask(
|
RefPtr<LoadLoadableCertsTask> loadLoadableCertsTask(
|
||||||
new LoadLoadableCertsTask(this, importEnterpriseRoots, familySafetyMode,
|
new LoadLoadableCertsTask(this, importEnterpriseRoots,
|
||||||
std::move(possibleLoadableRootsLocations),
|
std::move(possibleLoadableRootsLocations),
|
||||||
std::move(maybeOSClientCertsModuleLocation)));
|
std::move(maybeOSClientCertsModuleLocation)));
|
||||||
rv = loadLoadableCertsTask->Dispatch();
|
rv = loadLoadableCertsTask->Dispatch();
|
||||||
|
@ -2229,8 +1967,7 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
|
||||||
Preferences::GetCString("security.test.built_in_root_hash",
|
Preferences::GetCString("security.test.built_in_root_hash",
|
||||||
mTestBuiltInRootHash);
|
mTestBuiltInRootHash);
|
||||||
#endif // DEBUG
|
#endif // DEBUG
|
||||||
} else if (prefName.Equals("security.enterprise_roots.enabled") ||
|
} else if (prefName.Equals("security.enterprise_roots.enabled")) {
|
||||||
prefName.Equals("security.family_safety.mode")) {
|
|
||||||
UnloadEnterpriseRoots();
|
UnloadEnterpriseRoots();
|
||||||
MaybeImportEnterpriseRoots();
|
MaybeImportEnterpriseRoots();
|
||||||
} else if (prefName.Equals("security.osclientcerts.autoload")) {
|
} else if (prefName.Equals("security.osclientcerts.autoload")) {
|
||||||
|
|
|
@ -110,8 +110,6 @@ class nsNSSComponent final : public nsINSSComponent, public nsIObserver {
|
||||||
nsresult CommonGetEnterpriseCerts(
|
nsresult CommonGetEnterpriseCerts(
|
||||||
nsTArray<nsTArray<uint8_t>>& enterpriseCerts, bool getRoots);
|
nsTArray<nsTArray<uint8_t>>& enterpriseCerts, bool getRoots);
|
||||||
|
|
||||||
bool ShouldEnableEnterpriseRootsForFamilySafety(uint32_t familySafetyMode);
|
|
||||||
|
|
||||||
nsresult MaybeEnableIntermediatePreloadingHealer();
|
nsresult MaybeEnableIntermediatePreloadingHealer();
|
||||||
|
|
||||||
// mLoadableCertsLoadedMonitor protects mLoadableCertsLoaded.
|
// mLoadableCertsLoadedMonitor protects mLoadableCertsLoaded.
|
||||||
|
|
Загрузка…
Ссылка в новой задаче