--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -80,29 +80,27 @@ CertificateTransparencyInfo::Reset()
{
enabled = false;
verifyResult.Reset();
policyCompliance = CTPolicyCompliance::Unknown;
}
CertVerifier::CertVerifier(OcspDownloadConfig odc,
OcspStrictConfig osc,
- OcspGetConfig ogc,
mozilla::TimeDuration ocspTimeoutSoft,
mozilla::TimeDuration ocspTimeoutHard,
uint32_t certShortLifetimeInDays,
PinningMode pinningMode,
SHA1Mode sha1Mode,
BRNameMatchingPolicy::Mode nameMatchingMode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
CertificateTransparencyMode ctMode,
DistrustedCAPolicy distrustedCAPolicy)
: mOCSPDownloadConfig(odc)
, mOCSPStrict(osc == ocspStrict)
- , mOCSPGETEnabled(ogc == ocspGetEnabled)
, mOCSPTimeoutSoft(ocspTimeoutSoft)
, mOCSPTimeoutHard(ocspTimeoutHard)
, mCertShortLifetimeInDays(certShortLifetimeInDays)
, mPinningMode(pinningMode)
, mSHA1Mode(sha1Mode)
, mNameMatchingMode(nameMatchingMode)
, mNetscapeStepUpPolicy(netscapeStepUpPolicy)
, mCTMode(ctMode)
@@ -515,19 +513,16 @@ CertVerifier::VerifyCert(CERTCertificate
// verifications.
NSSCertDBTrustDomain::OCSPFetching defaultOCSPFetching
= (mOCSPDownloadConfig == ocspOff) ||
(mOCSPDownloadConfig == ocspEVOnly) ||
(flags & FLAG_LOCAL_ONLY) ? NSSCertDBTrustDomain::NeverFetchOCSP
: !mOCSPStrict ? NSSCertDBTrustDomain::FetchOCSPForDVSoftFail
: NSSCertDBTrustDomain::FetchOCSPForDVHardFail;
- OcspGetConfig ocspGETConfig = mOCSPGETEnabled ? ocspGetEnabled
- : ocspGetDisabled;
-
Input stapledOCSPResponseInput;
const Input* stapledOCSPResponse = nullptr;
if (stapledOCSPResponseSECItem) {
rv = stapledOCSPResponseInput.Init(stapledOCSPResponseSECItem->data,
stapledOCSPResponseSECItem->len);
if (rv != Success) {
// The stapled OCSP response was too big.
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
@@ -544,17 +539,17 @@ CertVerifier::VerifyCert(CERTCertificate
MOZ_ASSERT(rv == Success);
}
switch (usage) {
case certificateUsageSSLClient: {
// XXX: We don't really have a trust bit for SSL client authentication so
// just use trustEmail as it is the closest alternative.
NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
- mOCSPCache, pinArg, ocspGETConfig,
+ mOCSPCache, pinArg,
mOCSPTimeoutSoft, mOCSPTimeoutHard,
mCertShortLifetimeInDays,
pinningDisabled, MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
mDistrustedCAPolicy, originAttributes,
builtChain, nullptr, nullptr);
@@ -621,17 +616,17 @@ CertVerifier::VerifyCert(CERTCertificate
// Because of the try-strict and fallback approach, we have to clear any
// previously noted telemetry information
if (pinningTelemetryInfo) {
pinningTelemetryInfo->Reset();
}
NSSCertDBTrustDomain
trustDomain(trustSSL, evOCSPFetching,
- mOCSPCache, pinArg, ocspGETConfig,
+ mOCSPCache, pinArg,
mOCSPTimeoutSoft, mOCSPTimeoutHard,
mCertShortLifetimeInDays, mPinningMode, MIN_RSA_BITS,
ValidityCheckingMode::CheckForEV,
sha1ModeConfigurations[i], mNetscapeStepUpPolicy,
mDistrustedCAPolicy, originAttributes, builtChain,
pinningTelemetryInfo, hostname);
rv = BuildCertChainForOneKeyUsage(trustDomain, certDER, time,
KeyUsage::digitalSignature,// (EC)DHE
@@ -708,17 +703,17 @@ CertVerifier::VerifyCert(CERTCertificate
}
// invalidate any telemetry info relating to failed chains
if (pinningTelemetryInfo) {
pinningTelemetryInfo->Reset();
}
NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching,
- mOCSPCache, pinArg, ocspGETConfig,
+ mOCSPCache, pinArg,
mOCSPTimeoutSoft, mOCSPTimeoutHard,
mCertShortLifetimeInDays,
mPinningMode, keySizeOptions[i],
ValidityCheckingMode::CheckingOff,
sha1ModeConfigurations[j],
mNetscapeStepUpPolicy,
mDistrustedCAPolicy, originAttributes,
builtChain, pinningTelemetryInfo,
@@ -783,34 +778,34 @@ CertVerifier::VerifyCert(CERTCertificate
*sha1ModeResult = SHA1ModeResult::Failed;
}
break;
}
case certificateUsageSSLCA: {
NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching,
- mOCSPCache, pinArg, ocspGETConfig,
+ mOCSPCache, pinArg,
mOCSPTimeoutSoft, mOCSPTimeoutHard,
mCertShortLifetimeInDays,
pinningDisabled, MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed, mNetscapeStepUpPolicy,
mDistrustedCAPolicy, originAttributes,
builtChain, nullptr, nullptr);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeCA, KeyUsage::keyCertSign,
KeyPurposeId::id_kp_serverAuth,
CertPolicyId::anyPolicy, stapledOCSPResponse);
break;
}
case certificateUsageEmailSigner: {
NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
- mOCSPCache, pinArg, ocspGETConfig,
+ mOCSPCache, pinArg,
mOCSPTimeoutSoft, mOCSPTimeoutHard,
mCertShortLifetimeInDays,
pinningDisabled, MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
mDistrustedCAPolicy, originAttributes,
builtChain, nullptr, nullptr);
@@ -829,17 +824,17 @@ CertVerifier::VerifyCert(CERTCertificate
break;
}
case certificateUsageEmailRecipient: {
// TODO: The higher level S/MIME processing should pass in which key
// usage it is trying to verify for, and base its algorithm choices
// based on the result of the verification(s).
NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
- mOCSPCache, pinArg, ocspGETConfig,
+ mOCSPCache, pinArg,
mOCSPTimeoutSoft, mOCSPTimeoutHard,
mCertShortLifetimeInDays,
pinningDisabled, MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
mDistrustedCAPolicy, originAttributes,
builtChain, nullptr, nullptr);
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -183,39 +183,37 @@ public:
};
enum OcspDownloadConfig {
ocspOff = 0,
ocspOn = 1,
ocspEVOnly = 2
};
enum OcspStrictConfig { ocspRelaxed = 0, ocspStrict };
- enum OcspGetConfig { ocspGetDisabled = 0, ocspGetEnabled = 1 };
enum class CertificateTransparencyMode {
Disabled = 0,
TelemetryOnly = 1,
};
- CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc, OcspGetConfig ogc,
+ CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
mozilla::TimeDuration ocspTimeoutSoft,
mozilla::TimeDuration ocspTimeoutHard,
uint32_t certShortLifetimeInDays,
PinningMode pinningMode, SHA1Mode sha1Mode,
BRNameMatchingPolicy::Mode nameMatchingMode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
CertificateTransparencyMode ctMode,
DistrustedCAPolicy distrustedCAPolicy);
~CertVerifier();
void ClearOCSPCache() { mOCSPCache.Clear(); }
const OcspDownloadConfig mOCSPDownloadConfig;
const bool mOCSPStrict;
- const bool mOCSPGETEnabled;
const mozilla::TimeDuration mOCSPTimeoutSoft;
const mozilla::TimeDuration mOCSPTimeoutHard;
const uint32_t mCertShortLifetimeInDays;
const PinningMode mPinningMode;
const SHA1Mode mSHA1Mode;
const BRNameMatchingPolicy::Mode mNameMatchingMode;
const NetscapeStepUpPolicy mNetscapeStepUpPolicy;
const CertificateTransparencyMode mCTMode;
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -5,17 +5,16 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "NSSCertDBTrustDomain.h"
#include <stdint.h>
#include "ExtendedValidation.h"
#include "NSSErrorsService.h"
-#include "OCSPRequestor.h"
#include "OCSPVerificationTrustDomain.h"
#include "PublicKeyPinningService.h"
#include "cert.h"
#include "certdb.h"
#include "mozilla/Assertions.h"
#include "mozilla/Casting.h"
#include "mozilla/Move.h"
#include "mozilla/PodOperations.h"
@@ -48,17 +47,16 @@ extern LazyLogModule gCertVerifierLog;
static const uint64_t ServerFailureDelaySeconds = 5 * 60;
namespace mozilla { namespace psm {
NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
OCSPFetching ocspFetching,
OCSPCache& ocspCache,
/*optional but shouldn't be*/ void* pinArg,
- CertVerifier::OcspGetConfig ocspGETConfig,
TimeDuration ocspTimeoutSoft,
TimeDuration ocspTimeoutHard,
uint32_t certShortLifetimeInDays,
CertVerifier::PinningMode pinningMode,
unsigned int minRSABits,
ValidityCheckingMode validityCheckingMode,
CertVerifier::SHA1Mode sha1Mode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
@@ -66,17 +64,16 @@ NSSCertDBTrustDomain::NSSCertDBTrustDoma
const OriginAttributes& originAttributes,
UniqueCERTCertList& builtChain,
/*optional*/ PinningTelemetryInfo* pinningTelemetryInfo,
/*optional*/ const char* hostname)
: mCertDBTrustType(certDBTrustType)
, mOCSPFetching(ocspFetching)
, mOCSPCache(ocspCache)
, mPinArg(pinArg)
- , mOCSPGetConfig(ocspGETConfig)
, mOCSPTimeoutSoft(ocspTimeoutSoft)
, mOCSPTimeoutHard(ocspTimeoutHard)
, mCertShortLifetimeInDays(certShortLifetimeInDays)
, mPinningMode(pinningMode)
, mMinRSABits(minRSABits)
, mValidityCheckingMode(validityCheckingMode)
, mSHA1Mode(sha1Mode)
, mNetscapeStepUpPolicy(netscapeStepUpPolicy)
@@ -300,30 +297,29 @@ NSSCertDBTrustDomain::GetOCSPTimeout() c
}
MOZ_ASSERT_UNREACHABLE("we're not handling every OCSPFetching type");
return mOCSPTimeoutSoft;
}
// Copied and modified from CERT_GetOCSPAuthorityInfoAccessLocation and
// CERT_GetGeneralNameByType. Returns a non-Result::Success result on error,
-// Success with url == nullptr when an OCSP URI was not found, and Success with
-// url != nullptr when an OCSP URI was found. The output url will be owned
-// by the arena.
+// Success with result.IsVoid() == true when an OCSP URI was not found, and
+// Success with result.IsVoid() == false when an OCSP URI was found.
static Result
GetOCSPAuthorityInfoAccessLocation(const UniquePLArenaPool& arena,
Input aiaExtension,
- /*out*/ char const*& url)
+ /*out*/ nsCString& result)
{
MOZ_ASSERT(arena.get());
if (!arena.get()) {
return Result::FATAL_ERROR_INVALID_ARGS;
}
- url = nullptr;
+ result.Assign(VoidCString());
SECItem aiaExtensionSECItem = UnsafeMapInputToSECItem(aiaExtension);
CERTAuthInfoAccess** aia =
CERT_DecodeAuthInfoAccessExtension(arena.get(), &aiaExtensionSECItem);
if (!aia) {
return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
}
for (size_t i = 0; aia[i]; ++i) {
if (SECOID_FindOIDTag(&aia[i]->method) == SEC_OID_PKIX_OCSP) {
@@ -336,25 +332,19 @@ GetOCSPAuthorityInfoAccessLocation(const
if (current->type == certURI) {
const SECItem& location = current->name.other;
// (location.len + 1) must be small enough to fit into a uint32_t,
// but we limit it to a smaller bound to reduce OOM risk.
if (location.len > 1024 || memchr(location.data, 0, location.len)) {
// Reject embedded nulls. (NSS doesn't do this)
return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
}
- // Copy the non-null-terminated SECItem into a null-terminated string.
- char* nullTerminatedURL(
- static_cast<char*>(PORT_ArenaAlloc(arena.get(), location.len + 1)));
- if (!nullTerminatedURL) {
- return Result::FATAL_ERROR_NO_MEMORY;
- }
- memcpy(nullTerminatedURL, location.data, location.len);
- nullTerminatedURL[location.len] = 0;
- url = nullTerminatedURL;
+ result.Assign(nsDependentCSubstring(
+ reinterpret_cast<const char*>(location.data),
+ location.len));
return Success;
}
current = CERT_GetNextGeneralName(current);
} while (current != aia[i]->location);
}
}
return Success;
@@ -532,26 +522,26 @@ NSSCertDBTrustDomain::CheckRevocation(En
}
UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
if (!arena) {
return Result::FATAL_ERROR_NO_MEMORY;
}
Result rv;
- const char* url = nullptr; // owned by the arena
+ nsCString aiaLocation(VoidCString());
if (aiaExtension) {
- rv = GetOCSPAuthorityInfoAccessLocation(arena, *aiaExtension, url);
+ rv = GetOCSPAuthorityInfoAccessLocation(arena, *aiaExtension, aiaLocation);
if (rv != Success) {
return rv;
}
}
- if (!url) {
+ if (aiaLocation.IsVoid()) {
if (mOCSPFetching == FetchOCSPForEV ||
cachedResponseResult == Result::ERROR_OCSP_UNKNOWN_CERT) {
return Result::ERROR_OCSP_UNKNOWN_CERT;
}
if (cachedResponseResult == Result::ERROR_OCSP_OLD_RESPONSE) {
return Result::ERROR_OCSP_OLD_RESPONSE;
}
if (stapledOCSPResponseResult != Success) {
@@ -562,44 +552,40 @@ NSSCertDBTrustDomain::CheckRevocation(En
// assume it is good. Note that this is the confusing, but intended,
// interpretation of "strict" revocation checking in the face of a
// certificate that lacks an OCSP responder URI.
return Success;
}
// Only request a response if we didn't have a cached indication of failure
// (don't keep requesting responses from a failing server).
+ bool attemptedRequest;
+ Vector<uint8_t> ocspResponse;
Input response;
- bool attemptedRequest;
if (cachedResponseResult == Success ||
cachedResponseResult == Result::ERROR_OCSP_UNKNOWN_CERT ||
cachedResponseResult == Result::ERROR_OCSP_OLD_RESPONSE) {
- uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH];
+ uint8_t ocspRequestBytes[OCSP_REQUEST_MAX_LENGTH];
size_t ocspRequestLength;
- rv = CreateEncodedOCSPRequest(*this, certID, ocspRequest,
+ rv = CreateEncodedOCSPRequest(*this, certID, ocspRequestBytes,
ocspRequestLength);
if (rv != Success) {
return rv;
}
- SECItem ocspRequestItem = {
- siBuffer,
- ocspRequest,
- static_cast<unsigned int>(ocspRequestLength)
- };
- // Owned by arena
- SECItem* responseSECItem = nullptr;
- Result tempRV =
- DoOCSPRequest(arena, url, mOriginAttributes, &ocspRequestItem,
- GetOCSPTimeout(),
- mOCSPGetConfig == CertVerifier::ocspGetEnabled,
- responseSECItem);
- MOZ_ASSERT((tempRV != Success) || responseSECItem);
+ Vector<uint8_t> ocspRequest;
+ if (!ocspRequest.append(ocspRequestBytes, ocspRequestLength)) {
+ return Result::FATAL_ERROR_NO_MEMORY;
+ }
+ Result tempRV = DoOCSPRequest(aiaLocation, mOriginAttributes,
+ Move(ocspRequest), GetOCSPTimeout(),
+ ocspResponse);
+ MOZ_ASSERT((tempRV != Success) || ocspResponse.length() > 0);
if (tempRV != Success) {
rv = tempRV;
- } else if (response.Init(responseSECItem->data, responseSECItem->len)
+ } else if (response.Init(ocspResponse.begin(), ocspResponse.length())
!= Success) {
rv = Result::ERROR_OCSP_MALFORMED_RESPONSE; // too big
}
attemptedRequest = true;
} else {
rv = cachedResponseResult;
attemptedRequest = false;
}
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -73,17 +73,16 @@ public:
FetchOCSPForDVSoftFail = 1,
FetchOCSPForDVHardFail = 2,
FetchOCSPForEV = 3,
LocalOnlyOCSPForEV = 4,
};
NSSCertDBTrustDomain(SECTrustType certDBTrustType, OCSPFetching ocspFetching,
OCSPCache& ocspCache, void* pinArg,
- CertVerifier::OcspGetConfig ocspGETConfig,
mozilla::TimeDuration ocspTimeoutSoft,
mozilla::TimeDuration ocspTimeoutHard,
uint32_t certShortLifetimeInDays,
CertVerifier::PinningMode pinningMode,
unsigned int minRSABits,
ValidityCheckingMode validityCheckingMode,
CertVerifier::SHA1Mode sha1Mode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
@@ -185,17 +184,16 @@ private:
uint16_t maxLifetimeInDays, mozilla::pkix::Input encodedResponse,
EncodedResponseSource responseSource, /*out*/ bool& expired);
TimeDuration GetOCSPTimeout() const;
const SECTrustType mCertDBTrustType;
const OCSPFetching mOCSPFetching;
OCSPCache& mOCSPCache; // non-owning!
void* mPinArg; // non-owning!
- const CertVerifier::OcspGetConfig mOCSPGetConfig;
const mozilla::TimeDuration mOCSPTimeoutSoft;
const mozilla::TimeDuration mOCSPTimeoutHard;
const uint32_t mCertShortLifetimeInDays;
CertVerifier::PinningMode mPinningMode;
const unsigned int mMinRSABits;
ValidityCheckingMode mValidityCheckingMode;
CertVerifier::SHA1Mode mSHA1Mode;
NetscapeStepUpPolicy mNetscapeStepUpPolicy;
deleted file mode 100644
--- a/security/certverifier/OCSPRequestor.cpp
+++ /dev/null
@@ -1,219 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "OCSPRequestor.h"
-
-#include <limits>
-
-#include "ScopedNSSTypes.h"
-#include "mozilla/Base64.h"
-#include "mozilla/Casting.h"
-#include "nsIURLParser.h"
-#include "nsNSSCallbacks.h"
-#include "nsNetCID.h"
-#include "nsServiceManagerUtils.h"
-#include "secerr.h"
-
-extern mozilla::LazyLogModule gCertVerifierLog;
-
-namespace mozilla {
-
-void
-ReleaseHttpServerSession(nsNSSHttpServerSession* httpServerSession)
-{
- delete httpServerSession;
-}
-
-void
-ReleaseHttpRequestSession(nsNSSHttpRequestSession* httpRequestSession)
-{
- httpRequestSession->Release();
-}
-
-MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueHTTPServerSession,
- nsNSSHttpServerSession,
- ReleaseHttpServerSession)
-
-MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueHTTPRequestSession,
- nsNSSHttpRequestSession,
- ReleaseHttpRequestSession)
-
-} // namespace mozilla
-
-namespace mozilla { namespace psm {
-
-static nsresult
-AppendEscapedBase64Item(const SECItem* encodedRequest, nsACString& path)
-{
- nsresult rv;
- nsDependentCSubstring requestAsSubstring(
- BitwiseCast<char*, unsigned char*>(encodedRequest->data),
- encodedRequest->len);
- nsCString base64Request;
- rv = Base64Encode(requestAsSubstring, base64Request);
- if (NS_WARN_IF(NS_FAILED(rv))) {
- return rv;
- }
-
- MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
- ("Setting up OCSP GET path, pre path =%s\n",
- PromiseFlatCString(path).get()));
-
- // The path transformation is not a direct url encoding. Three characters
- // need change '+' -> "%2B", '/' -> "%2F", and '=' -> '%3D'.
- // http://tools.ietf.org/html/rfc5019#section-5
- base64Request.ReplaceSubstring("+", "%2B");
- base64Request.ReplaceSubstring("/", "%2F");
- base64Request.ReplaceSubstring("=", "%3D");
- path.Append(base64Request);
- return NS_OK;
-}
-
-Result
-DoOCSPRequest(const UniquePLArenaPool& arena, const char* url,
- const OriginAttributes& originAttributes,
- const SECItem* encodedRequest, TimeDuration timeout,
- bool useGET,
- /*out*/ SECItem*& encodedResponse)
-{
- MOZ_ASSERT(arena.get());
- MOZ_ASSERT(url);
- MOZ_ASSERT(encodedRequest);
- MOZ_ASSERT(encodedRequest->data);
- if (!arena.get() || !url || !encodedRequest || !encodedRequest->data) {
- return Result::FATAL_ERROR_INVALID_ARGS;
- }
- uint32_t urlLen = strlen(url);
- if (urlLen > static_cast<uint32_t>(std::numeric_limits<int32_t>::max())) {
- return Result::FATAL_ERROR_INVALID_ARGS;
- }
-
- nsCOMPtr<nsIURLParser> urlParser = do_GetService(NS_STDURLPARSER_CONTRACTID);
- if (!urlParser) {
- return Result::FATAL_ERROR_LIBRARY_FAILURE;
- }
-
- uint32_t schemePos;
- int32_t schemeLen;
- uint32_t authorityPos;
- int32_t authorityLen;
- uint32_t pathPos;
- int32_t pathLen;
- nsresult nsrv = urlParser->ParseURL(url, static_cast<int32_t>(urlLen),
- &schemePos, &schemeLen,
- &authorityPos, &authorityLen,
- &pathPos, &pathLen);
- if (NS_FAILED(nsrv)) {
- return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
- }
- if (schemeLen < 0 || authorityLen < 0) {
- return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
- }
- nsAutoCString scheme(url + schemePos,
- static_cast<nsAutoCString::size_type>(schemeLen));
- if (!scheme.LowerCaseEqualsLiteral("http")) {
- // We don't support HTTPS to avoid loops. See Bug 92923.
- // We also in general only support HTTP.
- return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
- }
-
- uint32_t hostnamePos;
- int32_t hostnameLen;
- int32_t port;
- // We ignore user:password sections: if one is present, we send an OCSP
- // request to the URL as normal without sending the username or password.
- nsrv = urlParser->ParseAuthority(url + authorityPos, authorityLen,
- nullptr, nullptr, nullptr, nullptr,
- &hostnamePos, &hostnameLen, &port);
- if (NS_FAILED(nsrv)) {
- return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
- }
- if (hostnameLen < 0) {
- return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
- }
- if (port == -1) {
- port = 80;
- } else if (port < 0 || port > 0xffff) {
- return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
- }
- nsAutoCString
- hostname(url + authorityPos + hostnamePos,
- static_cast<nsACString::size_type>(hostnameLen));
-
- nsNSSHttpServerSession* serverSessionPtr = nullptr;
- Result rv = nsNSSHttpInterface::createSessionFcn(
- hostname.BeginReading(), static_cast<uint16_t>(port), &serverSessionPtr);
- if (rv != Success) {
- return rv;
- }
- UniqueHTTPServerSession serverSession(serverSessionPtr);
-
- nsAutoCString path;
- if (pathLen > 0) {
- path.Assign(url + pathPos, static_cast<nsAutoCString::size_type>(pathLen));
- } else {
- path.AssignLiteral("/");
- }
- MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
- ("Setting up OCSP request: pre all path =%s pathlen=%d\n", path.get(),
- pathLen));
- nsAutoCString method("POST");
- if (useGET) {
- method.AssignLiteral("GET");
- if (!StringEndsWith(path, NS_LITERAL_CSTRING("/"))) {
- path.Append("/");
- }
- nsrv = AppendEscapedBase64Item(encodedRequest, path);
- if (NS_WARN_IF(NS_FAILED(nsrv))) {
- return Result::FATAL_ERROR_LIBRARY_FAILURE;
- }
- }
-
- nsNSSHttpRequestSession* requestSessionPtr;
- rv = nsNSSHttpInterface::createFcn(serverSession.get(), "http", path.get(),
- method.get(), originAttributes, timeout,
- &requestSessionPtr);
- if (rv != Success) {
- return rv;
- }
-
- UniqueHTTPRequestSession requestSession(requestSessionPtr);
-
- if (!useGET) {
- rv = nsNSSHttpInterface::setPostDataFcn(
- requestSession.get(),
- BitwiseCast<char*, unsigned char*>(encodedRequest->data),
- encodedRequest->len, "application/ocsp-request");
- if (rv != Success) {
- return rv;
- }
- }
-
- uint16_t httpResponseCode;
- const char* httpResponseData;
- uint32_t httpResponseDataLen = 0; // 0 means any response size is acceptable
- rv = nsNSSHttpInterface::trySendAndReceiveFcn(requestSession.get(), nullptr,
- &httpResponseCode,
- nullptr, &httpResponseData,
- &httpResponseDataLen);
- if (rv != Success) {
- return rv;
- }
-
- if (httpResponseCode != 200) {
- return Result::ERROR_OCSP_SERVER_ERROR;
- }
-
- encodedResponse = SECITEM_AllocItem(arena.get(), nullptr, httpResponseDataLen);
- if (!encodedResponse) {
- return Result::FATAL_ERROR_NO_MEMORY;
- }
-
- memcpy(encodedResponse->data, httpResponseData, httpResponseDataLen);
- return Success;
-}
-
-} } // namespace mozilla::psm
deleted file mode 100644
--- a/security/certverifier/OCSPRequestor.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef OCSPRequestor_h
-#define OCSPRequestor_h
-
-#include "CertVerifier.h"
-#include "mozilla/TimeStamp.h"
-#include "secmodt.h"
-
-namespace mozilla {
-class OriginAttributes;
-}
-
-namespace mozilla { namespace psm {
-
-// The memory returned via |encodedResponse| is owned by the given arena.
-Result DoOCSPRequest(const UniquePLArenaPool& arena, const char* url,
- const OriginAttributes& originAttributes,
- const SECItem* encodedRequest, TimeDuration timeout,
- bool useGET,
- /*out*/ SECItem*& encodedResponse);
-
-} } // namespace mozilla::psm
-
-#endif // OCSPRequestor_h
--- a/security/certverifier/moz.build
+++ b/security/certverifier/moz.build
@@ -30,17 +30,16 @@ UNIFIED_SOURCES += [
'CTLogVerifier.cpp',
'CTObjectsExtractor.cpp',
'CTPolicyEnforcer.cpp',
'CTSerialization.cpp',
'CTVerifyResult.cpp',
'MultiLogCTVerifier.cpp',
'NSSCertDBTrustDomain.cpp',
'OCSPCache.cpp',
- 'OCSPRequestor.cpp',
'OCSPVerificationTrustDomain.cpp',
'SignedCertificateTimestamp.cpp',
]
if not CONFIG['NSS_NO_EV_CERTS']:
UNIFIED_SOURCES += [
'ExtendedValidation.cpp',
]
--- a/security/manager/ssl/SharedCertVerifier.h
+++ b/security/manager/ssl/SharedCertVerifier.h
@@ -15,26 +15,25 @@ class SharedCertVerifier : public mozill
{
protected:
~SharedCertVerifier();
public:
NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SharedCertVerifier)
SharedCertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
- OcspGetConfig ogc,
mozilla::TimeDuration ocspSoftTimeout,
mozilla::TimeDuration ocspHardTimeout,
uint32_t certShortLifetimeInDays,
PinningMode pinningMode, SHA1Mode sha1Mode,
BRNameMatchingPolicy::Mode nameMatchingMode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
CertificateTransparencyMode ctMode,
DistrustedCAPolicy distrustedCAPolicy)
- : mozilla::psm::CertVerifier(odc, osc, ogc, ocspSoftTimeout,
+ : mozilla::psm::CertVerifier(odc, osc, ocspSoftTimeout,
ocspHardTimeout, certShortLifetimeInDays,
pinningMode, sha1Mode, nameMatchingMode,
netscapeStepUpPolicy, ctMode,
distrustedCAPolicy)
{
}
};
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -16,16 +16,17 @@
#include "mozilla/RefPtr.h"
#include "mozilla/Telemetry.h"
#include "mozilla/Unused.h"
#include "nsContentUtils.h"
#include "nsICertOverrideService.h"
#include "nsIHttpChannelInternal.h"
#include "nsIPrompt.h"
#include "nsISupportsPriority.h"
+#include "nsIStreamLoader.h"
#include "nsITokenDialogs.h"
#include "nsIUploadChannel.h"
#include "nsIWebProgressListener.h"
#include "nsNSSCertHelper.h"
#include "nsNSSCertificate.h"
#include "nsNSSComponent.h"
#include "nsNSSIOLayer.h"
#include "nsNetUtil.h"
@@ -56,629 +57,436 @@ namespace {
// These bits are numbered so that the least subtle issues have higher values.
// This should make it easier for us to interpret the results.
const uint32_t POSSIBLE_VERSION_DOWNGRADE = 4;
const uint32_t POSSIBLE_CIPHER_SUITE_DOWNGRADE = 2;
const uint32_t KEA_NOT_SUPPORTED = 1;
} // namespace
-class nsHTTPDownloadEvent : public Runnable {
+class OCSPRequest final : public nsIStreamLoaderObserver
+ , public nsIRunnable
+{
public:
- nsHTTPDownloadEvent();
- ~nsHTTPDownloadEvent();
+ OCSPRequest(const nsCString& aiaLocation,
+ const OriginAttributes& originAttributes,
+ Vector<uint8_t>&& ocspRequest,
+ TimeDuration timeout);
+
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSISTREAMLOADEROBSERVER
+ NS_DECL_NSIRUNNABLE
+
+ nsresult DispatchToMainThreadAndWait();
+ nsresult GetResponse(/*out*/ Vector<uint8_t>& response);
+
+private:
+ ~OCSPRequest() = default;
+
+ static void OnTimeout(nsITimer* timer, void* closure);
+ nsresult NotifyDone(nsresult rv, MonitorAutoLock& proofOfLock);
- NS_IMETHOD Run() override;
-
- RefPtr<nsNSSHttpRequestSession> mRequestSession;
-
- RefPtr<nsHTTPListener> mListener;
- bool mResponsibleForDoneSignal;
+ // mMonitor provides the memory barrier protecting these member variables.
+ // What happens is the originating thread creates an OCSPRequest object with
+ // the information necessary to perform an OCSP request. It sends the object
+ // to the main thread and waits on the monitor for the operation to complete.
+ // On the main thread, a channel is set up to perform the request. This gets
+ // dispatched to necko. At the same time, a timeout timer is initialized. If
+ // the necko request completes, the response data is filled out, mNotifiedDone
+ // is set to true, and the monitor is notified. The original thread then wakes
+ // up and continues with the results that have been filled out. If the request
+ // times out, again the response data is filled out, mNotifiedDone is set to
+ // true, and the monitor is notified. The first of these two events wins. That
+ // is, if the timeout timer fires but the request completes shortly after, the
+ // caller will see the request as having timed out, and vice-versa. (Also note
+ // that no effort is made to cancel either the request or the timeout timer if
+ // the other event completes first.)
+ Monitor mMonitor;
+ bool mNotifiedDone;
+ nsCOMPtr<nsIStreamLoader> mLoader;
+ const nsCString mAIALocation;
+ const OriginAttributes mOriginAttributes;
+ const Vector<uint8_t> mPOSTData;
+ const TimeDuration mTimeout;
+ nsCOMPtr<nsITimer> mTimeoutTimer;
TimeStamp mStartTime;
+ nsresult mResponseResult;
+ Vector<uint8_t> mResponseBytes;
};
-nsHTTPDownloadEvent::nsHTTPDownloadEvent()
- : mozilla::Runnable("nsHTTPDownloadEvent")
- , mResponsibleForDoneSignal(true)
+NS_IMPL_ISUPPORTS(OCSPRequest, nsIStreamLoaderObserver, nsIRunnable)
+
+OCSPRequest::OCSPRequest(const nsCString& aiaLocation,
+ const OriginAttributes& originAttributes,
+ Vector<uint8_t>&& ocspRequest,
+ TimeDuration timeout)
+ : mMonitor("OCSPRequest.mMonitor")
+ , mNotifiedDone(false)
+ , mLoader(nullptr)
+ , mAIALocation(aiaLocation)
+ , mOriginAttributes(originAttributes)
+ , mPOSTData(Move(ocspRequest))
+ , mTimeout(timeout)
+ , mTimeoutTimer(nullptr)
+ , mStartTime()
+ , mResponseResult(NS_ERROR_FAILURE)
+ , mResponseBytes()
{
}
-nsHTTPDownloadEvent::~nsHTTPDownloadEvent()
+nsresult
+OCSPRequest::DispatchToMainThreadAndWait()
{
- if (mResponsibleForDoneSignal && mListener)
- mListener->send_done_signal();
+ MOZ_ASSERT(!NS_IsMainThread());
+ if (NS_IsMainThread()) {
+ return NS_ERROR_FAILURE;
+ }
+
+ MonitorAutoLock lock(mMonitor);
+ nsresult rv = NS_DispatchToMainThread(this);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ while (!mNotifiedDone) {
+ lock.Wait();
+ }
+
+ TimeStamp endTime = TimeStamp::Now();
+ // CERT_VALIDATION_HTTP_REQUEST_RESULT:
+ // 0: request timed out
+ // 1: request succeeded
+ // 2: request failed
+ // 3: internal error
+ // If mStartTime was never set, we consider this an internal error.
+ // Otherwise, we managed to at least send the request.
+ if (mStartTime.IsNull()) {
+ Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 3);
+ } else if (mResponseResult == NS_ERROR_NET_TIMEOUT) {
+ Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 0);
+ Telemetry::AccumulateTimeDelta(
+ Telemetry::CERT_VALIDATION_HTTP_REQUEST_CANCELED_TIME,
+ mStartTime, endTime);
+ } else if (NS_SUCCEEDED(mResponseResult)) {
+ Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 1);
+ Telemetry::AccumulateTimeDelta(
+ Telemetry::CERT_VALIDATION_HTTP_REQUEST_SUCCEEDED_TIME,
+ mStartTime, endTime);
+ } else {
+ Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 2);
+ Telemetry::AccumulateTimeDelta(
+ Telemetry::CERT_VALIDATION_HTTP_REQUEST_FAILED_TIME,
+ mStartTime, endTime);
+ }
+ return rv;
}
+nsresult
+OCSPRequest::GetResponse(/*out*/ Vector<uint8_t>& response)
+{
+ MOZ_ASSERT(!NS_IsMainThread());
+ if (NS_IsMainThread()) {
+ return NS_ERROR_FAILURE;
+ }
+
+ MonitorAutoLock lock(mMonitor);
+ if (!mNotifiedDone) {
+ return NS_ERROR_IN_PROGRESS;
+ }
+ if (NS_FAILED(mResponseResult)) {
+ return mResponseResult;
+ }
+ response.clear();
+ if (!response.append(mResponseBytes.begin(), mResponseBytes.length())) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ return NS_OK;
+}
+
+static NS_NAMED_LITERAL_CSTRING(OCSP_REQUEST_MIME_TYPE,
+ "application/ocsp-request");
+static NS_NAMED_LITERAL_CSTRING(OCSP_REQUEST_METHOD, "POST");
+
NS_IMETHODIMP
-nsHTTPDownloadEvent::Run()
+OCSPRequest::Run()
{
- if (!mListener)
- return NS_OK;
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_FAILURE;
+ }
- nsresult rv;
+ MonitorAutoLock lock(mMonitor);
nsCOMPtr<nsIIOService> ios = do_GetIOService();
- NS_ENSURE_STATE(ios);
+ if (!ios) {
+ return NotifyDone(NS_ERROR_FAILURE, lock);
+ }
- nsCOMPtr<nsIChannel> chan;
- ios->NewChannel2(mRequestSession->mURL,
- nullptr,
- nullptr,
- nullptr, // aLoadingNode
- nsContentUtils::GetSystemPrincipal(),
- nullptr, // aTriggeringPrincipal
- nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
- nsIContentPolicy::TYPE_OTHER,
- getter_AddRefs(chan));
- NS_ENSURE_STATE(chan);
+ nsCOMPtr<nsIURI> uri;
+ nsresult rv = NS_NewURI(getter_AddRefs(uri), mAIALocation, nullptr, nullptr,
+ ios);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(NS_ERROR_MALFORMED_URI, lock);
+ }
+ nsAutoCString scheme;
+ rv = uri->GetScheme(scheme);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ if (!scheme.LowerCaseEqualsLiteral("http")) {
+ return NotifyDone(NS_ERROR_MALFORMED_URI, lock);
+ }
+
+ nsCOMPtr<nsIChannel> channel;
+ rv = ios->NewChannel2(mAIALocation,
+ nullptr,
+ nullptr,
+ nullptr, // aLoadingNode
+ nsContentUtils::GetSystemPrincipal(),
+ nullptr, // aTriggeringPrincipal
+ nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
+ nsIContentPolicy::TYPE_OTHER,
+ getter_AddRefs(channel));
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
// Security operations scheduled through normal HTTP channels are given
// high priority to accommodate real time OCSP transactions.
- nsCOMPtr<nsISupportsPriority> priorityChannel = do_QueryInterface(chan);
- if (priorityChannel)
+ nsCOMPtr<nsISupportsPriority> priorityChannel = do_QueryInterface(channel);
+ if (priorityChannel) {
priorityChannel->AdjustPriority(nsISupportsPriority::PRIORITY_HIGHEST);
+ }
- chan->SetLoadFlags(nsIRequest::LOAD_ANONYMOUS |
- nsIChannel::LOAD_BYPASS_SERVICE_WORKER);
+ channel->SetLoadFlags(nsIRequest::LOAD_ANONYMOUS |
+ nsIChannel::LOAD_BYPASS_SERVICE_WORKER);
// For OCSP requests, only the first party domain and private browsing id
// aspects of origin attributes are used. This means that:
// a) if first party isolation is enabled, OCSP requests will be isolated
// according to the first party domain of the original https request
// b) OCSP requests are shared across different containers as long as first
// party isolation is not enabled and none of the containers are in private
// browsing mode.
- if (mRequestSession->mOriginAttributes != OriginAttributes()) {
+ if (mOriginAttributes != OriginAttributes()) {
OriginAttributes attrs;
- attrs.mFirstPartyDomain =
- mRequestSession->mOriginAttributes.mFirstPartyDomain;
- attrs.mPrivateBrowsingId =
- mRequestSession->mOriginAttributes.mPrivateBrowsingId;
+ attrs.mFirstPartyDomain = mOriginAttributes.mFirstPartyDomain;
+ attrs.mPrivateBrowsingId = mOriginAttributes.mPrivateBrowsingId;
- nsCOMPtr<nsILoadInfo> loadInfo = chan->GetLoadInfo();
- if (loadInfo) {
- rv = loadInfo->SetOriginAttributes(attrs);
- NS_ENSURE_SUCCESS(rv, rv);
+ nsCOMPtr<nsILoadInfo> loadInfo = channel->GetLoadInfo();
+ if (!loadInfo) {
+ return NotifyDone(NS_ERROR_FAILURE, lock);
+ }
+ rv = loadInfo->SetOriginAttributes(attrs);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
}
}
- // Create a loadgroup for this new channel. This way if the channel
- // is redirected, we'll have a way to cancel the resulting channel.
+ // If we don't set a load group, the above origin attributes won't be honored
+ // by necko. This seems to be a bug or at least an API confusion issue, hence
+ // bug 1456742.
nsCOMPtr<nsILoadGroup> lg = do_CreateInstance(NS_LOADGROUP_CONTRACTID);
- chan->SetLoadGroup(lg);
+ channel->SetLoadGroup(lg);
- if (mRequestSession->mHasPostData)
- {
- nsCOMPtr<nsIInputStream> uploadStream;
- rv = NS_NewCStringInputStream(getter_AddRefs(uploadStream),
- mRequestSession->mPostData);
- NS_ENSURE_SUCCESS(rv, rv);
-
- nsCOMPtr<nsIUploadChannel> uploadChannel(do_QueryInterface(chan));
- NS_ENSURE_STATE(uploadChannel);
-
- rv = uploadChannel->SetUploadStream(uploadStream,
- mRequestSession->mPostContentType,
- -1);
- NS_ENSURE_SUCCESS(rv, rv);
+ nsCOMPtr<nsIInputStream> uploadStream;
+ rv = NS_NewByteInputStream(getter_AddRefs(uploadStream),
+ reinterpret_cast<const char*>(mPOSTData.begin()),
+ mPOSTData.length());
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
}
-
+ nsCOMPtr<nsIUploadChannel> uploadChannel(do_QueryInterface(channel));
+ if (!uploadChannel) {
+ return NotifyDone(NS_ERROR_FAILURE, lock);
+ }
+ rv = uploadChannel->SetUploadStream(uploadStream, OCSP_REQUEST_MIME_TYPE, -1);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
// Do not use SPDY for internal security operations. It could result
// in the silent upgrade to ssl, which in turn could require an SSL
// operation to fulfill something like an OCSP fetch, which is an
// endless loop.
- nsCOMPtr<nsIHttpChannelInternal> internalChannel = do_QueryInterface(chan);
- if (internalChannel) {
- rv = internalChannel->SetAllowSpdy(false);
- NS_ENSURE_SUCCESS(rv, rv);
+ nsCOMPtr<nsIHttpChannelInternal> internalChannel = do_QueryInterface(channel);
+ if (!internalChannel) {
+ return NotifyDone(rv, lock);
+ }
+ rv = internalChannel->SetAllowSpdy(false);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ nsCOMPtr<nsIHttpChannel> hchan = do_QueryInterface(channel);
+ if (!hchan) {
+ return NotifyDone(NS_ERROR_FAILURE, lock);
+ }
+ rv = hchan->SetAllowSTS(false);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ rv = hchan->SetRequestMethod(OCSP_REQUEST_METHOD);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
}
- nsCOMPtr<nsIHttpChannel> hchan = do_QueryInterface(chan);
- NS_ENSURE_STATE(hchan);
-
- rv = hchan->SetAllowSTS(false);
- NS_ENSURE_SUCCESS(rv, rv);
-
- rv = hchan->SetRequestMethod(mRequestSession->mRequestMethod);
- NS_ENSURE_SUCCESS(rv, rv);
-
- mResponsibleForDoneSignal = false;
- mListener->mResponsibleForDoneSignal = true;
-
- mListener->mLoadGroup = lg.get();
- NS_ADDREF(mListener->mLoadGroup);
- mListener->mLoadGroupOwnerThread = PR_GetCurrentThread();
-
- rv = NS_NewStreamLoader(getter_AddRefs(mListener->mLoader),
- mListener);
-
- if (NS_SUCCEEDED(rv)) {
- mStartTime = TimeStamp::Now();
- rv = hchan->AsyncOpen2(mListener->mLoader);
+ rv = NS_NewStreamLoader(getter_AddRefs(mLoader), this);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
}
+ rv = NS_NewTimerWithFuncCallback(getter_AddRefs(mTimeoutTimer),
+ OCSPRequest::OnTimeout,
+ this,
+ mTimeout.ToMilliseconds(),
+ nsITimer::TYPE_ONE_SHOT,
+ "OCSPRequest::Run");
if (NS_FAILED(rv)) {
- mListener->mResponsibleForDoneSignal = false;
- mResponsibleForDoneSignal = true;
-
- NS_RELEASE(mListener->mLoadGroup);
- mListener->mLoadGroup = nullptr;
- mListener->mLoadGroupOwnerThread = nullptr;
+ return NotifyDone(rv, lock);
}
-
+ rv = hchan->AsyncOpen2(this->mLoader);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ mStartTime = TimeStamp::Now();
return NS_OK;
}
-struct nsCancelHTTPDownloadEvent : Runnable {
- RefPtr<nsHTTPListener> mListener;
-
- nsCancelHTTPDownloadEvent() : Runnable("nsCancelHTTPDownloadEvent") {}
- NS_IMETHOD Run() override {
- mListener->FreeLoadGroup(true);
- mListener = nullptr;
- return NS_OK;
- }
-};
-
-mozilla::pkix::Result
-nsNSSHttpServerSession::createSessionFcn(const char* host,
- uint16_t portnum,
- /*out*/ nsNSSHttpServerSession** pSession)
+nsresult
+OCSPRequest::NotifyDone(nsresult rv, MonitorAutoLock& lock)
{
- if (!host || !pSession) {
- return Result::FATAL_ERROR_INVALID_ARGS;
- }
-
- nsNSSHttpServerSession* hss = new nsNSSHttpServerSession;
- if (!hss) {
- return Result::FATAL_ERROR_NO_MEMORY;
- }
-
- hss->mHost = host;
- hss->mPort = portnum;
-
- *pSession = hss;
- return Success;
-}
-
-mozilla::pkix::Result
-nsNSSHttpRequestSession::createFcn(const nsNSSHttpServerSession* session,
- const char* http_protocol_variant,
- const char* path_and_query_string,
- const char* http_request_method,
- const OriginAttributes& origin_attributes,
- const TimeDuration timeout,
- /*out*/ nsNSSHttpRequestSession** pRequest)
-{
- if (!session || !http_protocol_variant || !path_and_query_string ||
- !http_request_method || !pRequest) {
- return Result::FATAL_ERROR_INVALID_ARGS;
- }
-
- nsNSSHttpRequestSession* rs = new nsNSSHttpRequestSession;
- if (!rs) {
- return Result::FATAL_ERROR_NO_MEMORY;
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_FAILURE;
}
- rs->mTimeout = timeout;
-
- rs->mURL.Assign(http_protocol_variant);
- rs->mURL.AppendLiteral("://");
- rs->mURL.Append(session->mHost);
- rs->mURL.Append(':');
- rs->mURL.AppendInt(session->mPort);
- rs->mURL.Append(path_and_query_string);
-
- rs->mOriginAttributes = origin_attributes;
-
- rs->mRequestMethod = http_request_method;
-
- *pRequest = rs;
- return Success;
-}
-
-mozilla::pkix::Result
-nsNSSHttpRequestSession::setPostDataFcn(const char* http_data,
- const uint32_t http_data_len,
- const char* http_content_type)
-{
- mHasPostData = true;
- mPostData.Assign(http_data, http_data_len);
- mPostContentType.Assign(http_content_type);
-
- return Success;
-}
-
-mozilla::pkix::Result
-nsNSSHttpRequestSession::trySendAndReceiveFcn(PRPollDesc** pPollDesc,
- uint16_t* http_response_code,
- const char** http_response_headers,
- const char** http_response_data,
- uint32_t* http_response_data_len)
-{
- MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
- ("nsNSSHttpRequestSession::trySendAndReceiveFcn to %s\n", mURL.get()));
-
- bool onSTSThread;
- nsresult nrv;
- nsCOMPtr<nsIEventTarget> sts
- = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &nrv);
- if (NS_FAILED(nrv)) {
- NS_ERROR("Could not get STS service");
- return Result::FATAL_ERROR_INVALID_STATE;
+ if (mNotifiedDone) {
+ return mResponseResult;
}
-
- nrv = sts->IsOnCurrentThread(&onSTSThread);
- if (NS_FAILED(nrv)) {
- NS_ERROR("IsOnCurrentThread failed");
- return Result::FATAL_ERROR_INVALID_STATE;
- }
-
- if (onSTSThread) {
- NS_ERROR("nsNSSHttpRequestSession::trySendAndReceiveFcn called on socket "
- "thread; this will not work.");
- return Result::FATAL_ERROR_INVALID_STATE;
- }
-
- const int max_retries = 2;
- int retry_count = 0;
- bool retryable_error = false;
- Result rv = Result::ERROR_UNKNOWN_ERROR;
-
- do
- {
- if (retry_count > 0)
- {
- if (retryable_error)
- {
- MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
- ("nsNSSHttpRequestSession::trySendAndReceiveFcn - sleeping and retrying: %d of %d\n",
- retry_count, max_retries));
- }
-
- PR_Sleep( PR_MillisecondsToInterval(300) * retry_count );
- }
-
- ++retry_count;
- retryable_error = false;
-
- rv =
- internal_send_receive_attempt(retryable_error, pPollDesc, http_response_code,
- http_response_headers,
- http_response_data, http_response_data_len);
- }
- while (retryable_error &&
- retry_count < max_retries);
-
- if (retry_count > 1)
- {
- if (retryable_error)
- MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
- ("nsNSSHttpRequestSession::trySendAndReceiveFcn - still failing, giving up...\n"));
- else
- MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
- ("nsNSSHttpRequestSession::trySendAndReceiveFcn - success at attempt %d\n",
- retry_count));
- }
-
+ mLoader = nullptr;
+ mResponseResult = rv;
+ mNotifiedDone = true;
+ lock.Notify();
return rv;
}
-void
-nsNSSHttpRequestSession::AddRef()
+NS_IMETHODIMP
+OCSPRequest::OnStreamComplete(nsIStreamLoader* aLoader,
+ nsISupports* aContext,
+ nsresult aStatus,
+ uint32_t responseLen,
+ const uint8_t* responseBytes)
{
- ++mRefCount;
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_FAILURE;
+ }
+
+ MonitorAutoLock lock(mMonitor);
+
+ nsCOMPtr<nsIRequest> req;
+ nsresult rv = aLoader->GetRequest(getter_AddRefs(req));
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+
+ if (NS_FAILED(aStatus)) {
+ return NotifyDone(aStatus, lock);
+ }
+
+ nsCOMPtr<nsIHttpChannel> hchan = do_QueryInterface(req);
+ if (!hchan) {
+ return NotifyDone(NS_ERROR_FAILURE, lock);
+ }
+
+ bool requestSucceeded;
+ rv = hchan->GetRequestSucceeded(&requestSucceeded);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ if (!requestSucceeded) {
+ return NotifyDone(NS_ERROR_FAILURE, lock);
+ }
+
+ unsigned int rcode;
+ rv = hchan->GetResponseStatus(&rcode);
+ if (NS_FAILED(rv)) {
+ return NotifyDone(rv, lock);
+ }
+ if (rcode != 200) {
+ return NotifyDone(NS_ERROR_FAILURE, lock);
+ }
+
+ mResponseBytes.clear();
+ if (!mResponseBytes.append(responseBytes, responseLen)) {
+ return NotifyDone(NS_ERROR_OUT_OF_MEMORY, lock);
+ }
+ mResponseResult = aStatus;
+
+ return NotifyDone(NS_OK, lock);
}
void
-nsNSSHttpRequestSession::Release()
+OCSPRequest::OnTimeout(nsITimer* timer, void* closure)
{
- int32_t newRefCount = --mRefCount;
- if (!newRefCount) {
- delete this;
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return;
}
+
+ OCSPRequest* self = static_cast<OCSPRequest*>(closure);
+ MonitorAutoLock lock(self->mMonitor);
+ self->mTimeoutTimer = nullptr;
+ self->NotifyDone(NS_ERROR_NET_TIMEOUT, lock);
}
mozilla::pkix::Result
-nsNSSHttpRequestSession::internal_send_receive_attempt(bool &retryable_error,
- PRPollDesc **pPollDesc,
- uint16_t *http_response_code,
- const char **http_response_headers,
- const char **http_response_data,
- uint32_t *http_response_data_len)
+DoOCSPRequest(const nsCString& aiaLocation,
+ const OriginAttributes& originAttributes,
+ Vector<uint8_t>&& ocspRequest,
+ TimeDuration timeout,
+ /*out*/ Vector<uint8_t>& result)
{
- if (pPollDesc) *pPollDesc = nullptr;
- if (http_response_code) *http_response_code = 0;
- if (http_response_headers) *http_response_headers = 0;
- if (http_response_data) *http_response_data = 0;
-
- uint32_t acceptableResultSize = 0;
-
- if (http_response_data_len)
- {
- acceptableResultSize = *http_response_data_len;
- *http_response_data_len = 0;
- }
-
- if (!mListener) {
- return Result::FATAL_ERROR_INVALID_STATE;
- }
-
- Mutex& waitLock = mListener->mLock;
- CondVar& waitCondition = mListener->mCondition;
- volatile bool &waitFlag = mListener->mWaitFlag;
- waitFlag = true;
-
- RefPtr<nsHTTPDownloadEvent> event(new nsHTTPDownloadEvent);
- if (!event) {
- return Result::FATAL_ERROR_NO_MEMORY;
- }
-
- event->mListener = mListener;
- event->mRequestSession = this;
-
- nsresult rv = NS_DispatchToMainThread(event);
- if (NS_FAILED(rv)) {
- event->mResponsibleForDoneSignal = false;
- return Result::FATAL_ERROR_LIBRARY_FAILURE;
- }
-
- bool request_canceled = false;
-
- {
- MutexAutoLock locker(waitLock);
-
- const TimeStamp startTime = TimeStamp::NowLoRes();
- TimeDuration wait_interval;
-
- bool running_on_main_thread = NS_IsMainThread();
- if (running_on_main_thread)
- {
- // The result of running this on the main thread
- // is a series of small timeouts mixed with spinning the
- // event loop - this is always dangerous as there is so much main
- // thread code that does not expect to be called re-entrantly. Your
- // app really shouldn't do that.
- NS_WARNING("Security network blocking I/O on Main Thread");
-
- // let's process events quickly
- wait_interval = TimeDuration::FromMicroseconds(50);
- }
- else
- {
- // On a secondary thread, it's fine to wait some more for
- // for the condition variable.
- wait_interval = TimeDuration::FromMilliseconds(250);
- }
-
- while (waitFlag)
- {
- if (running_on_main_thread)
- {
- // Networking runs on the main thread, which we happen to block here.
- // Processing events will allow the OCSP networking to run while we
- // are waiting. Thanks a lot to Darin Fisher for rewriting the
- // thread manager. Thanks a lot to Christian Biesinger who
- // made me aware of this possibility. (kaie)
-
- MutexAutoUnlock unlock(waitLock);
- NS_ProcessNextEvent(nullptr);
- }
-
- waitCondition.Wait(wait_interval);
-
- if (!waitFlag)
- break;
-
- if (!request_canceled)
- {
- bool timeout = (TimeStamp::NowLoRes() - startTime) > mTimeout;
- if (timeout)
- {
- request_canceled = true;
-
- RefPtr<nsCancelHTTPDownloadEvent> cancelevent(
- new nsCancelHTTPDownloadEvent);
- cancelevent->mListener = mListener;
- rv = NS_DispatchToMainThread(cancelevent);
- if (NS_FAILED(rv)) {
- NS_WARNING("cannot post cancel event");
- }
- break;
- }
- }
- }
- }
-
- if (!event->mStartTime.IsNull()) {
- if (request_canceled) {
- Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 0);
- Telemetry::AccumulateTimeDelta(
- Telemetry::CERT_VALIDATION_HTTP_REQUEST_CANCELED_TIME,
- event->mStartTime, TimeStamp::Now());
- }
- else if (NS_SUCCEEDED(mListener->mResultCode) &&
- mListener->mHttpResponseCode == 200) {
- Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 1);
- Telemetry::AccumulateTimeDelta(
- Telemetry::CERT_VALIDATION_HTTP_REQUEST_SUCCEEDED_TIME,
- event->mStartTime, TimeStamp::Now());
- }
- else {
- Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 2);
- Telemetry::AccumulateTimeDelta(
- Telemetry::CERT_VALIDATION_HTTP_REQUEST_FAILED_TIME,
- event->mStartTime, TimeStamp::Now());
- }
- }
- else {
- Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 3);
- }
-
- if (request_canceled) {
- return Result::ERROR_OCSP_SERVER_ERROR;
- }
-
- if (NS_FAILED(mListener->mResultCode)) {
- if (mListener->mResultCode == NS_ERROR_CONNECTION_REFUSED ||
- mListener->mResultCode == NS_ERROR_NET_RESET) {
- retryable_error = true;
- }
- return Result::ERROR_OCSP_SERVER_ERROR;
+ MOZ_ASSERT(!NS_IsMainThread());
+ if (NS_IsMainThread()) {
+ return mozilla::pkix::Result::ERROR_OCSP_UNKNOWN_CERT;
}
- if (http_response_code)
- *http_response_code = mListener->mHttpResponseCode;
-
- if (mListener->mHttpRequestSucceeded && http_response_data &&
- http_response_data_len) {
- *http_response_data_len = mListener->mResultLen;
-
- // acceptableResultSize == 0 means: any size is acceptable
- if (acceptableResultSize != 0 &&
- acceptableResultSize < mListener->mResultLen) {
- return Result::ERROR_OCSP_SERVER_ERROR;
- }
-
- // Return data by reference, result data will be valid until "this" gets
- // destroyed.
- *http_response_data = (const char*)mListener->mResultData;
- }
-
- return Success;
-}
+ result.clear();
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("DoOCSPRequest to '%s'", aiaLocation.get()));
-nsNSSHttpRequestSession::nsNSSHttpRequestSession()
- : mRefCount(1)
- , mHasPostData(false)
- , mTimeout(0)
- , mListener(new nsHTTPListener)
-{
-}
-
-nsNSSHttpRequestSession::~nsNSSHttpRequestSession()
-{
-}
-
-nsHTTPListener::nsHTTPListener()
-: mHttpRequestSucceeded(false),
- mHttpResponseCode(0),
- mResultData(nullptr),
- mResultLen(0),
- mLock("nsHTTPListener.mLock"),
- mCondition(mLock, "nsHTTPListener.mCondition"),
- mWaitFlag(true),
- mResponsibleForDoneSignal(false),
- mLoadGroup(nullptr),
- mLoadGroupOwnerThread(nullptr)
-{
-}
-
-nsHTTPListener::~nsHTTPListener()
-{
- if (mResponsibleForDoneSignal)
- send_done_signal();
-
- if (mResultData) {
- free(const_cast<uint8_t *>(mResultData));
+ nsCOMPtr<nsIEventTarget> sts = do_GetService(
+ NS_SOCKETTRANSPORTSERVICE_CONTRACTID);
+ MOZ_ASSERT(sts);
+ if (!sts) {
+ return mozilla::pkix::Result::FATAL_ERROR_INVALID_STATE;
+ }
+ bool onSTSThread;
+ nsresult rv = sts->IsOnCurrentThread(&onSTSThread);
+ if (NS_FAILED(rv)) {
+ return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
+ }
+ MOZ_ASSERT(!onSTSThread);
+ if (onSTSThread) {
+ return mozilla::pkix::Result::FATAL_ERROR_INVALID_STATE;
}
- if (mLoader) {
- NS_ReleaseOnMainThreadSystemGroup("nsHTTPListener::mLoader",
- mLoader.forget());
- }
-}
-
-NS_IMPL_ISUPPORTS(nsHTTPListener, nsIStreamLoaderObserver)
-
-void
-nsHTTPListener::FreeLoadGroup(bool aCancelLoad)
-{
- nsILoadGroup *lg = nullptr;
-
- MutexAutoLock locker(mLock);
-
- if (mLoadGroup) {
- if (mLoadGroupOwnerThread != PR_GetCurrentThread()) {
- MOZ_ASSERT_UNREACHABLE(
- "Attempt to access mLoadGroup on multiple threads, leaking it!");
- }
- else {
- lg = mLoadGroup;
- mLoadGroup = nullptr;
- }
- }
-
- if (lg) {
- if (aCancelLoad) {
- lg->Cancel(NS_ERROR_ABORT);
- }
- NS_RELEASE(lg);
+ RefPtr<OCSPRequest> request(new OCSPRequest(aiaLocation, originAttributes,
+ Move(ocspRequest), timeout));
+ rv = request->DispatchToMainThreadAndWait();
+ if (NS_FAILED(rv)) {
+ return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
}
-}
-
-NS_IMETHODIMP
-nsHTTPListener::OnStreamComplete(nsIStreamLoader* aLoader,
- nsISupports* aContext,
- nsresult aStatus,
- uint32_t stringLen,
- const uint8_t* string)
-{
- mResultCode = aStatus;
-
- FreeLoadGroup(false);
-
- nsCOMPtr<nsIRequest> req;
- nsCOMPtr<nsIHttpChannel> hchan;
-
- nsresult rv = aLoader->GetRequest(getter_AddRefs(req));
-
- if (NS_FAILED(aStatus))
- {
- MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
- ("nsHTTPListener::OnStreamComplete status failed %" PRIu32,
- static_cast<uint32_t>(aStatus)));
+ rv = request->GetResponse(result);
+ if (NS_FAILED(rv)) {
+ if (rv == NS_ERROR_MALFORMED_URI) {
+ return mozilla::pkix::Result::ERROR_CERT_BAD_ACCESS_LOCATION;
+ }
+ return mozilla::pkix::Result::ERROR_OCSP_SERVER_ERROR;
}
-
- if (NS_SUCCEEDED(rv))
- hchan = do_QueryInterface(req, &rv);
-
- if (NS_SUCCEEDED(rv))
- {
- rv = hchan->GetRequestSucceeded(&mHttpRequestSucceeded);
- if (NS_FAILED(rv))
- mHttpRequestSucceeded = false;
-
- mResultLen = stringLen;
- mResultData = string; // take ownership of allocation
- aStatus = NS_SUCCESS_ADOPTED_DATA;
-
- unsigned int rcode;
- rv = hchan->GetResponseStatus(&rcode);
- if (NS_FAILED(rv))
- mHttpResponseCode = 500;
- else
- mHttpResponseCode = rcode;
- }
-
- if (mResponsibleForDoneSignal)
- send_done_signal();
-
- return aStatus;
-}
-
-void nsHTTPListener::send_done_signal()
-{
- mResponsibleForDoneSignal = false;
-
- {
- MutexAutoLock locker(mLock);
- mWaitFlag = false;
- mCondition.NotifyAll();
- }
+ return Success;
}
static char*
ShowProtectedAuthPrompt(PK11SlotInfo* slot, nsIInterfaceRequestor *ir)
{
if (!NS_IsMainThread()) {
NS_ERROR("ShowProtectedAuthPrompt called off the main thread");
return nullptr;
--- a/security/manager/ssl/nsNSSCallbacks.h
+++ b/security/manager/ssl/nsNSSCallbacks.h
@@ -4,191 +4,36 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef nsNSSCallbacks_h
#define nsNSSCallbacks_h
#include "mozilla/Attributes.h"
#include "mozilla/BasePrincipal.h"
-#include "mozilla/CondVar.h"
-#include "mozilla/Mutex.h"
#include "mozilla/TimeStamp.h"
-#include "nsAutoPtr.h"
-#include "nsCOMPtr.h"
-#include "nsIStreamLoader.h"
+#include "mozilla/Vector.h"
#include "nspr.h"
#include "nsString.h"
#include "pk11func.h"
#include "pkix/pkixtypes.h"
-#include "ocspt.h" // Must be included after pk11func.h.
-
using mozilla::OriginAttributes;
+using mozilla::TimeDuration;
+using mozilla::Vector;
class nsILoadGroup;
char*
PK11PasswordPrompt(PK11SlotInfo *slot, PRBool retry, void* arg);
void HandshakeCallback(PRFileDesc *fd, void *client_data);
SECStatus CanFalseStartCallback(PRFileDesc* fd, void* client_data,
PRBool *canFalseStart);
-class nsHTTPListener final : public nsIStreamLoaderObserver
-{
-private:
- // For XPCOM implementations that are not a base class for some other
- // class, it is good practice to make the destructor non-virtual and
- // private. Then the only way to delete the object is via Release.
-#ifdef _MSC_VER
- // C4265: Class has virtual members but destructor is not virtual
- __pragma(warning(disable:4265))
-#endif
- ~nsHTTPListener();
-
-public:
- nsHTTPListener();
-
- NS_DECL_THREADSAFE_ISUPPORTS
- NS_DECL_NSISTREAMLOADEROBSERVER
-
- nsCOMPtr<nsIStreamLoader> mLoader;
-
- nsresult mResultCode;
-
- bool mHttpRequestSucceeded;
- uint16_t mHttpResponseCode;
-
- const uint8_t* mResultData; // allocated in loader, but owned by listener
- uint32_t mResultLen;
-
- mozilla::Mutex mLock;
- mozilla::CondVar mCondition;
- volatile bool mWaitFlag;
-
- bool mResponsibleForDoneSignal;
- void send_done_signal();
-
- // no nsCOMPtr. When I use it, I get assertions about
- // loadgroup not being thread safe.
- // So, let's use a raw pointer and ensure we only create and destroy
- // it on the network thread ourselves.
- nsILoadGroup *mLoadGroup;
- PRThread *mLoadGroupOwnerThread;
- void FreeLoadGroup(bool aCancelLoad);
-};
-
-class nsNSSHttpServerSession
-{
-public:
- typedef mozilla::pkix::Result Result;
-
- nsCString mHost;
- uint16_t mPort;
-
- static Result createSessionFcn(const char* host,
- uint16_t portnum,
- /*out*/ nsNSSHttpServerSession** pSession);
-};
-
-class nsNSSHttpRequestSession
-{
-protected:
- mozilla::ThreadSafeAutoRefCnt mRefCount;
-
-public:
- typedef mozilla::pkix::Result Result;
-
- static Result createFcn(const nsNSSHttpServerSession* session,
- const char* httpProtocolVariant,
- const char* pathAndQueryString,
- const char* httpRequestMethod,
- const OriginAttributes& originAttributes,
- const mozilla::TimeDuration timeout,
- /*out*/ nsNSSHttpRequestSession** pRequest);
-
- Result setPostDataFcn(const char* httpData,
- const uint32_t httpDataLen,
- const char* httpContentType);
-
- Result trySendAndReceiveFcn(PRPollDesc** pPollDesc,
- uint16_t* httpResponseCode,
- const char** httpResponseHeaders,
- const char** httpResponseData,
- uint32_t* httpResponseDataLen);
-
- void AddRef();
- void Release();
-
- nsCString mURL;
- nsCString mRequestMethod;
-
- bool mHasPostData;
- nsCString mPostData;
- nsCString mPostContentType;
-
- OriginAttributes mOriginAttributes;
-
- mozilla::TimeDuration mTimeout;
-
- RefPtr<nsHTTPListener> mListener;
-
-protected:
- nsNSSHttpRequestSession();
- ~nsNSSHttpRequestSession();
-
- Result internal_send_receive_attempt(bool& retryableError,
- PRPollDesc** pPollDesc,
- uint16_t* httpResponseCode,
- const char** httpResponseHeaders,
- const char** httpResponseData,
- uint32_t* httpResponseDataLen);
-};
-
-class nsNSSHttpInterface
-{
-public:
- typedef mozilla::pkix::Result Result;
-
- static Result createSessionFcn(const char* host,
- uint16_t portnum,
- /*out*/ nsNSSHttpServerSession** pSession)
- {
- return nsNSSHttpServerSession::createSessionFcn(host, portnum, pSession);
- }
-
- static Result createFcn(const nsNSSHttpServerSession* session,
- const char* httpProtocolVariant,
- const char* pathAndQueryString,
- const char* httpRequestMethod,
- const OriginAttributes& originAttributes,
- const mozilla::TimeDuration timeout,
- /*out*/ nsNSSHttpRequestSession** pRequest)
- {
- return nsNSSHttpRequestSession::createFcn(session, httpProtocolVariant,
- pathAndQueryString,
- httpRequestMethod, originAttributes,
- timeout, pRequest);
- }
-
- static Result setPostDataFcn(nsNSSHttpRequestSession* request,
- const char* httpData,
- const uint32_t httpDataLen,
- const char* httpContentType)
- {
- return request->setPostDataFcn(httpData, httpDataLen, httpContentType);
- }
-
- static Result trySendAndReceiveFcn(nsNSSHttpRequestSession* request,
- PRPollDesc** pPollDesc,
- uint16_t* httpResponseCode,
- const char** httpResponseHeaders,
- const char** httpResponseData,
- uint32_t* httpResponseDataLen)
- {
- return request->trySendAndReceiveFcn(pPollDesc, httpResponseCode,
- httpResponseHeaders,
- httpResponseData, httpResponseDataLen);
- }
-};
+mozilla::pkix::Result
+DoOCSPRequest(const nsCString& aiaLocation,
+ const OriginAttributes& originAttributes,
+ Vector<uint8_t>&& ocspRequest,
+ TimeDuration timeout,
+ /*out*/ Vector<uint8_t>& result);
#endif // nsNSSCallbacks_h
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -142,47 +142,40 @@ bool EnsureNSSInitializedChromeOrContent
static const uint32_t OCSP_TIMEOUT_MILLISECONDS_SOFT_DEFAULT = 2000;
static const uint32_t OCSP_TIMEOUT_MILLISECONDS_SOFT_MAX = 5000;
static const uint32_t OCSP_TIMEOUT_MILLISECONDS_HARD_DEFAULT = 10000;
static const uint32_t OCSP_TIMEOUT_MILLISECONDS_HARD_MAX = 20000;
static void
GetRevocationBehaviorFromPrefs(/*out*/ CertVerifier::OcspDownloadConfig* odc,
/*out*/ CertVerifier::OcspStrictConfig* osc,
- /*out*/ CertVerifier::OcspGetConfig* ogc,
/*out*/ uint32_t* certShortLifetimeInDays,
/*out*/ TimeDuration& softTimeout,
/*out*/ TimeDuration& hardTimeout,
const MutexAutoLock& /*proofOfLock*/)
{
MOZ_ASSERT(NS_IsMainThread());
MOZ_ASSERT(odc);
MOZ_ASSERT(osc);
- MOZ_ASSERT(ogc);
MOZ_ASSERT(certShortLifetimeInDays);
// 0 = disabled
// 1 = enabled for everything (default)
// 2 = enabled for EV certificates only
int32_t ocspLevel = Preferences::GetInt("security.OCSP.enabled", 1);
switch (ocspLevel) {
case 0: *odc = CertVerifier::ocspOff; break;
case 2: *odc = CertVerifier::ocspEVOnly; break;
default: *odc = CertVerifier::ocspOn; break;
}
*osc = Preferences::GetBool("security.OCSP.require", false)
? CertVerifier::ocspStrict
: CertVerifier::ocspRelaxed;
- // XXX: Always use POST for OCSP; see bug 871954 for undoing this.
- *ogc = Preferences::GetBool("security.OCSP.GET.enabled", false)
- ? CertVerifier::ocspGetEnabled
- : CertVerifier::ocspGetDisabled;
-
// If we pass in just 0 as the second argument to Preferences::GetUint, there
// are two function signatures that match (given that 0 can be intepreted as
// a null pointer). Thus the compiler will complain without the cast.
*certShortLifetimeInDays =
Preferences::GetUint("security.pki.cert_short_lifetime_in_days",
static_cast<uint32_t>(0));
uint32_t softTimeoutMillis =
@@ -1698,24 +1691,23 @@ void nsNSSComponent::setValidationOption
break;
default:
distrustedCAPolicy = defaultCAPolicyMode;
break;
}
CertVerifier::OcspDownloadConfig odc;
CertVerifier::OcspStrictConfig osc;
- CertVerifier::OcspGetConfig ogc;
uint32_t certShortLifetimeInDays;
TimeDuration softTimeout;
TimeDuration hardTimeout;
- GetRevocationBehaviorFromPrefs(&odc, &osc, &ogc, &certShortLifetimeInDays,
+ GetRevocationBehaviorFromPrefs(&odc, &osc, &certShortLifetimeInDays,
softTimeout, hardTimeout, lock);
- mDefaultCertVerifier = new SharedCertVerifier(odc, osc, ogc, softTimeout,
+ mDefaultCertVerifier = new SharedCertVerifier(odc, osc, softTimeout,
hardTimeout,
certShortLifetimeInDays,
pinningMode, sha1Mode,
nameMatchingMode,
netscapeStepUpPolicy,
ctMode, distrustedCAPolicy);
}
@@ -2330,17 +2322,16 @@ nsNSSComponent::Observe(nsISupports* aSu
} else if (prefName.EqualsLiteral("security.tls.enable_0rtt_data")) {
SSL_OptionSetDefault(SSL_ENABLE_0RTT_DATA,
Preferences::GetBool("security.tls.enable_0rtt_data",
ENABLED_0RTT_DATA_DEFAULT));
} else if (prefName.EqualsLiteral("security.ssl.disable_session_identifiers")) {
ConfigureTLSSessionIdentifiers();
} else if (prefName.EqualsLiteral("security.OCSP.enabled") ||
prefName.EqualsLiteral("security.OCSP.require") ||
- prefName.EqualsLiteral("security.OCSP.GET.enabled") ||
prefName.EqualsLiteral("security.pki.cert_short_lifetime_in_days") ||
prefName.EqualsLiteral("security.ssl.enable_ocsp_stapling") ||
prefName.EqualsLiteral("security.ssl.enable_ocsp_must_staple") ||
prefName.EqualsLiteral("security.pki.certificate_transparency.mode") ||
prefName.EqualsLiteral("security.cert_pinning.enforcement_level") ||
prefName.EqualsLiteral("security.pki.sha1_enforcement_level") ||
prefName.EqualsLiteral("security.pki.name_matching_mode") ||
prefName.EqualsLiteral("security.pki.netscape_step_up_policy") ||
--- a/security/manager/ssl/security-prefs.js
+++ b/security/manager/ssl/security-prefs.js
@@ -48,17 +48,16 @@ pref("security.family_safety.mode", 2);
pref("security.enterprise_roots.enabled", false);
// The supported values of this pref are:
// 0: do not fetch OCSP
// 1: fetch OCSP for DV and EV certificates
// 2: fetch OCSP only for EV certificates
pref("security.OCSP.enabled", 1);
pref("security.OCSP.require", false);
-pref("security.OCSP.GET.enabled", false);
#ifdef RELEASE_OR_BETA
pref("security.OCSP.timeoutMilliseconds.soft", 2000);
#else
pref("security.OCSP.timeoutMilliseconds.soft", 1000);
#endif
pref("security.OCSP.timeoutMilliseconds.hard", 10000);
pref("security.pki.cert_short_lifetime_in_days", 10);
--- a/security/manager/ssl/tests/unit/moz.build
+++ b/security/manager/ssl/tests/unit/moz.build
@@ -24,17 +24,16 @@ TEST_DIRS += [
'test_content_signing',
'test_ct',
'test_ev_certs',
'test_intermediate_basic_usage_constraints',
'test_keysize',
'test_keysize_ev',
'test_missing_intermediate',
'test_name_constraints',
- 'test_ocsp_fetch_method',
'test_ocsp_url',
'test_onecrl',
'test_pinning_dynamic',
'test_signed_apps',
'test_startcom_wosign',
'test_symantec_apple_google',
'test_validity',
]
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
+++ /dev/null
@@ -1,53 +0,0 @@
-// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this
-// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-"use strict";
-
-// In which we try to validate several ocsp responses, checking in particular
-// that we use the specified method for fetching ocsp. We also check what
-// POST fallback when an invalid GET response is received.
-
-do_get_profile(); // must be called before getting nsIX509CertDB
-const certdb = Cc["@mozilla.org/security/x509certdb;1"]
- .getService(Ci.nsIX509CertDB);
-
-const SERVER_PORT = 8888;
-
-function start_ocsp_responder(expectedCertNames, expectedPaths,
- expectedMethods) {
- return startOCSPResponder(SERVER_PORT, "www.example.com",
- "test_ocsp_fetch_method", expectedCertNames,
- expectedPaths, expectedMethods);
-}
-
-function check_cert_err(cert_name, expected_error) {
- let cert = constructCertFromFile("test_ocsp_fetch_method/" + cert_name + ".pem");
- return checkCertErrorGeneric(certdb, cert, expected_error,
- certificateUsageSSLServer);
-}
-
-add_task(async function() {
- addCertFromFile(certdb, "test_ocsp_fetch_method/ca.pem", "CTu,CTu,CTu");
- addCertFromFile(certdb, "test_ocsp_fetch_method/int.pem", ",,");
-
- // Enabled so that we can force ocsp failure responses.
- Services.prefs.setBoolPref("security.OCSP.require", true);
-
- Services.prefs.setCharPref("network.dns.localDomains",
- "www.example.com");
- Services.prefs.setIntPref("security.OCSP.enabled", 1);
-
- clearOCSPCache();
- Services.prefs.setBoolPref("security.OCSP.GET.enabled", false);
- let ocspResponder = start_ocsp_responder(["a"], [], ["POST"]);
- await check_cert_err("a", PRErrorCodeSuccess);
- await stopOCSPResponder(ocspResponder);
-
- clearOCSPCache();
- Services.prefs.setBoolPref("security.OCSP.GET.enabled", true);
- ocspResponder = start_ocsp_responder(["a"], [], ["GET"]);
- await check_cert_err("a", PRErrorCodeSuccess);
- await stopOCSPResponder(ocspResponder);
-});
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method/a.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC6DCCAdCgAwIBAgIUS8pgcDdrqfaJ50nT5OJVvgCwHOwwDQYJKoZIhvcNAQEL
-BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMTYxMTI3MDAwMDAwWhgPMjAxOTAyMDUw
-MDAwMDBaMAwxCjAIBgNVBAMMAWEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
-m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
-bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
-SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
-/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
-FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjPDA6MDgGCCsGAQUFBwEBBCwwKjAo
-BggrBgEFBQcwAYYcaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4LzANBgkqhkiG
-9w0BAQsFAAOCAQEANHXUdAzTkmgDTOvXNSsnkBhTdf9+9bDJ0Gh/whz2zufjpUfZ
-U+3nT4dxdK3Za721jstojoqrLozgdVxkB0f0SyDTvwCmEAM1FrGP+KH9Au9opiCC
-/kJpIqURlXtZRB7oasp3HnHfhrFd4Y2L3PJkco/u9HodSJf1bRC8+0MBy3rrxp6v
-XrFQ7OLlAKU0PD3ufYFB9vBKRwUr59gXTwJM/5E3D/dghsMEyBePKrwsCEmHKbmd
-G/gwNDwfnKJIsBKbKRxZzG6dums2cCyE+J3iLxWXSKM3vr+AhQ0j7SHSeVJOhp5I
-HVl7XyoZBMMbk08tuJwY9MX8nOTWxeTExVf8JA==
------END CERTIFICATE-----
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method/a.pem.certspec
+++ /dev/null
@@ -1,3 +0,0 @@
-issuer:int
-subject:a
-extension:authorityInformationAccess:http://www.example.com:8888/
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method/ca.pem
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICyTCCAbGgAwIBAgIURxOdvmKY1LMeejuRTiuHeGBhZHwwDQYJKoZIhvcNAQEL
-BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjExMjcwMDAwMDBaGA8yMDE5MDIwNTAw
-MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
-m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
-bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
-SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
-/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
-FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
-VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBXd3Rnz2WW+aczo/SPlYSst4Bp
-hWx6S3ncLB4RznGMCTndfJCkpOdkDvDi9swIN4xO19XlUJFX5FiJ9vbjrxgz1hV9
-/FsqApPRAMuA6cWMOFWtIu/qgurcCMpgcPyO6MKGR1YH1C2fpVIDIDc/ID7sIpLt
-m208pK6P9J61ka0QqjQkQZ1aDulBj+6Ic5GYwyJXAWyE3OoUJPteGM12yfT/7lOC
-ObxJaqJrOYQEmI2ZZQ67MjDgfvivopIFQKOJvlBJKHujDSz3ZFykwx7CwnvN74sJ
-07snm4Vz6lAKESVa4H65oExOqL1kEMQQKyNmOKEAMOmHM+L4toh17ax4q2xP
------END CERTIFICATE-----
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method/ca.pem.certspec
+++ /dev/null
@@ -1,4 +0,0 @@
-issuer:ca
-subject:ca
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method/int.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
-braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
-eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
-iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
-qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
-LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
-2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
-VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
-JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
-r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
-iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
-SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
-TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
-gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
-xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
-ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
-3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
-EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
-2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
-WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
-tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
-rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
-TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
-tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
-ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
-NBinA5ZsT8d0v3QCr2xDJH9D
------END PRIVATE KEY-----
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method/int.key.keyspec
+++ /dev/null
@@ -1,1 +0,0 @@
-default
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method/int.pem
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICyjCCAbKgAwIBAgIURRpew+peNiTRP+IDQZk7Q263SD8wDQYJKoZIhvcNAQEL
-BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjExMjcwMDAwMDBaGA8yMDE5MDIwNTAw
-MDAwMFowDjEMMAoGA1UEAwwDaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
-BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
-a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
-uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
-9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
-mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG
-A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEARlMpWb7v0xw1Se7YGAhvIEWf
-fhfCx23z1VzoU7Y+85rxnKpbPWuuHgHgeXXJFGXEJNEbC8eWCYvRZYr+wUVRZhdu
-B8W4a+TJFjxiPbO4PGm47t9J82sOd0qPM06AiQU2TRW3WGGOWfoxnVNXulujcxEV
-h+BDMMo0udkn5M7idh3rZ8uCX6xunCX0PVdpxGx0vhsSU5O86Wjg8tRpYBmYmwX9
-+bA84PE5e+Rk6JeUV7DlwTKfyif18Os8+iSqxXU4OcEG0m4CCRYej1KTyREqg2QG
-NoSyQJ6hQd0Nv/NHE9zymT2imvVdtbr8qjkOksSTC1e51YMW6zQWFWRCs7vRQw==
------END CERTIFICATE-----
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method/int.pem.certspec
+++ /dev/null
@@ -1,4 +0,0 @@
-issuer:ca
-subject:int
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method/moz.build
+++ /dev/null
@@ -1,22 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-#test_certificates = (
-# 'a.pem',
-# 'ca.pem',
-# 'int.pem',
-#)
-#
-#for test_certificate in test_certificates:
-# GeneratedTestCertificate(test_certificate)
-#
-#test_keys = (
-# 'int.key',
-#)
-#
-#for test_key in test_keys:
-# GeneratedTestKey(test_key)
--- a/security/manager/ssl/tests/unit/test_ocsp_url.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_url.js
@@ -72,18 +72,17 @@ add_task(async function() {
clearOCSPCache();
ocspResponder = failingOCSPResponder();
await check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
await stopOCSPResponder(ocspResponder);
clearOCSPCache();
ocspResponder = failingOCSPResponder();
- // XXX Bug 1013615 parser accepts ":8888" as hostname
- await check_cert_err("no-host-url", SEC_ERROR_OCSP_SERVER_ERROR);
+ await check_cert_err("no-host-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
await stopOCSPResponder(ocspResponder);
clearOCSPCache();
ocspResponder = start_ocsp_responder(["no-path-url"], [""]);
await check_cert_err("no-path-url", PRErrorCodeSuccess);
await stopOCSPResponder(ocspResponder);
clearOCSPCache();
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -20,17 +20,16 @@ support-files =
test_content_signing/**
test_ct/**
test_ev_certs/**
test_intermediate_basic_usage_constraints/**
test_keysize/**
test_keysize_ev/**
test_missing_intermediate/**
test_name_constraints/**
- test_ocsp_fetch_method/**
test_ocsp_url/**
test_onecrl/**
test_pinning_dynamic/**
test_sdr_preexisting/**
test_sdr_preexisting_with_password/**
test_signed_apps/**
test_signed_dir/**
test_startcom_wosign/**
@@ -112,18 +111,16 @@ run-sequentially = hardcoded ports
run-sequentially = hardcoded ports
[test_nsIX509Cert_utf8.js]
[test_nsIX509CertValidity.js]
[test_nss_shutdown.js]
[test_ocsp_caching.js]
run-sequentially = hardcoded ports
[test_ocsp_enabled_pref.js]
run-sequentially = hardcoded ports
-[test_ocsp_fetch_method.js]
-run-sequentially = hardcoded ports
[test_ocsp_must_staple.js]
run-sequentially = hardcoded ports
[test_ocsp_private_caching.js]
run-sequentially = hardcoded ports
[test_ocsp_no_hsts_upgrade.js]
run-sequentially = hardcoded ports
[test_ocsp_required.js]
run-sequentially = hardcoded ports