Macintosh-SW
/
tenfourfox
mirror of https://github.com/classilla/tenfourfox.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

revert some upstream changes 

whatever it was broke the titlebar, tabs, etc.
This commit is contained in:
wicknix 2022-04-05 23:35:58 -05:00
parent 01ed7674af
commit 2ecdabc218
15 changed files with 4031 additions and 2367 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
dom/base/nsStructuredCloneContainer.cpp Normal file → Executable file
View File

@ -133,10 +133,6 @@ nsStructuredCloneContainer::GetDataAsBase64(nsAString &aOut)
if (!DataLength()) {
return NS_ERROR_FAILURE;
}
CheckedInt<nsAutoCString::size_type> sizeCheck(DataLength());
if (MOZ_UNLIKELY(!sizeCheck.isValid())) {
return NS_ERROR_FAILURE;
}
if (HasClonedDOMObjects()) {
return NS_ERROR_FAILURE;

12
dom/base/nsTextFragment.cpp Normal file → Executable file
View File

@ -209,11 +209,6 @@ FirstNon8Bit(const char16_t *str, const char16_t *end)
bool
nsTextFragment::SetTo(const char16_t* aBuffer, int32_t aLength, bool aUpdateBidi)
{
if (MOZ_UNLIKELY(aLength < 0 || static_cast<uint32_t>(aLength) >
NS_MAX_TEXT_FRAGMENT_LENGTH)) {
return false;
}
ReleaseText();
if (aLength == 0) {
@ -342,16 +337,9 @@ nsTextFragment::CopyTo(char16_t *aDest, int32_t aOffset, int32_t aCount)
bool
nsTextFragment::Append(const char16_t* aBuffer, uint32_t aLength, bool aUpdateBidi)
{
if (!aLength) {
return true;
}
// This is a common case because some callsites create a textnode
// with a value by creating the node and then calling AppendData.
if (mState.mLength == 0) {
if (MOZ_UNLIKELY(aLength > INT32_MAX)) {
return false;
}
return SetTo(aBuffer, aLength, aUpdateBidi);
}

5
dom/events/EventListenerManager.cpp Normal file → Executable file
View File

@ -24,7 +24,6 @@
#include "mozilla/dom/Element.h"
#include "mozilla/dom/Event.h"
#include "mozilla/dom/EventTargetBinding.h"
#include "mozilla/ScopeExit.h"
#include "mozilla/TimelineConsumers.h"
#include "mozilla/EventTimelineMarker.h"
@ -713,8 +712,6 @@ EventListenerManager::SetEventHandler(nsIAtom* aName,
bool aPermitUntrustedEvents,
Element* aElement)
{
auto removeEventHandler = MakeScopeExit([&] { RemoveEventHandler(aName, EmptyString()); });
nsCOMPtr<nsIDocument> doc;
nsCOMPtr<nsIScriptGlobalObject> global =
GetScriptGlobalAndDocument(getter_AddRefs(doc));
@ -789,8 +786,6 @@ EventListenerManager::SetEventHandler(nsIAtom* aName,
NS_ENSURE_TRUE(context, NS_ERROR_FAILURE);
NS_ENSURE_STATE(global->GetGlobalJSObject());
removeEventHandler.release();
Listener* listener = SetEventHandlerInternal(aName,
EmptyString(),
TypedEventHandler(),

3
dom/media/ADTSDemuxer.cpp Normal file → Executable file
View File

@ -852,9 +852,8 @@ ADTSTrackDemuxer::Read(uint8_t* aBuffer, int64_t aOffset, int32_t aSize)
const int64_t streamLen = StreamLength();
if (mInfo && streamLen > 0) {
int64_t max = streamLen > aOffset ? streamLen - aOffset : 0;
// Prevent blocking reads after successful initialization.
aSize = std::min<int64_t>(aSize, max);
aSize = std::min<int64_t>(aSize, streamLen - aOffset);
}
uint32_t read = 0;

3
dom/media/MP3Demuxer.cpp Normal file → Executable file
View File

@ -655,8 +655,7 @@ MP3TrackDemuxer::Read(uint8_t* aBuffer, int64_t aOffset, int32_t aSize) {
const int64_t streamLen = StreamLength();
if (mInfo && streamLen > 0) {
// Prevent blocking reads after successful initialization.
uint64_t max = streamLen > aOffset ? streamLen - aOffset : 0;
aSize = std::min<int64_t>(aSize, max);
aSize = std::min<int64_t>(aSize, streamLen - aOffset);
}
uint32_t read = 0;

2
dom/workers/ScriptLoader.cpp Normal file → Executable file
View File

@ -1993,14 +1993,12 @@ void ReportLoadError(JSContext* aCx, nsresult aLoadResult)
case NS_ERROR_FILE_NOT_FOUND:
case NS_ERROR_NOT_AVAILABLE:
case NS_ERROR_CORRUPTED_CONTENT:
Throw(aCx, NS_ERROR_DOM_NETWORK_ERR);
break;
case NS_ERROR_MALFORMED_URI:
aLoadResult = NS_ERROR_DOM_SYNTAX_ERR;
// fall through
case NS_ERROR_DOM_BAD_URI:
case NS_ERROR_DOM_SECURITY_ERR:
case NS_ERROR_DOM_SYNTAX_ERR:
Throw(aCx, aLoadResult);

34
dom/xslt/xslt/txMozillaXMLOutput.cpp Normal file → Executable file
View File

@ -236,6 +236,19 @@ txMozillaXMLOutput::endDocument(nsresult aResult)
}
}
if (!mRefreshString.IsEmpty()) {
nsPIDOMWindow *win = mDocument->GetWindow();
if (win) {
nsCOMPtr<nsIRefreshURI> refURI =
do_QueryInterface(win->GetDocShell());
if (refURI) {
refURI->SetupRefreshURIFromHeader(mDocument->GetDocBaseURI(),
mDocument->NodePrincipal(),
mRefreshString);
}
}
}
if (mNotifier) {
mNotifier->OnTransformEnd();
}
@ -734,13 +747,30 @@ txMozillaXMLOutput::endHTMLElement(nsIContent* aElement)
return NS_OK;
}
else if (mCreatingNewDocument && aElement->IsHTMLElement(nsGkAtoms::meta)) {
// handle HTTP-EQUIV data
nsAutoString httpEquiv;
aElement->GetAttr(kNameSpaceID_None, nsGkAtoms::httpEquiv, httpEquiv);
if (!httpEquiv.IsEmpty()) {
nsAutoString value;
aElement->GetAttr(kNameSpaceID_None, nsGkAtoms::content, value);
if (!value.IsEmpty()) {
nsContentUtils::ASCIIToLower(httpEquiv);
nsCOMPtr<nsIAtom> header = do_GetAtom(httpEquiv);
processHTTPEquiv(header, value);
}
}
}
return NS_OK;
}
void txMozillaXMLOutput::processHTTPEquiv(nsIAtom* aHeader, const nsString& aValue)
{
MOZ_CRASH("Don't call processHTTPEquiv, see bug 1746720");
// For now we only handle "refresh". There's a longer list in
// HTMLContentSink::ProcessHeaderData
if (aHeader == nsGkAtoms::refresh)
LossyCopyUTF16toASCII(aValue, mRefreshString);
}
nsresult

5911
security/manager/ssl/nsSTSPreloadList.inc Normal file → Executable file
View File

File diff suppressed because it is too large Load Diff

196
security/nss/lib/cryptohi/secvfy.c Normal file → Executable file
View File

@ -164,37 +164,6 @@ verifyPKCS1DigestInfo(const VFYContext *cx, const SECItem *digest)
PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
}
static unsigned int
checkedSignatureLen(const SECKEYPublicKey *pubk)
{
unsigned int sigLen = SECKEY_SignatureLen(pubk);
if (sigLen == 0) {
/* Error set by SECKEY_SignatureLen */
return sigLen;
}
unsigned int maxSigLen;
switch (pubk->keyType) {
case rsaKey:
case rsaPssKey:
maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
break;
case dsaKey:
maxSigLen = DSA_MAX_SIGNATURE_LEN;
break;
case ecKey:
maxSigLen = 2 * MAX_ECKEY_LEN;
break;
default:
PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
return 0;
}
if (sigLen > maxSigLen) {
PORT_SetError(SEC_ERROR_INVALID_KEY);
return 0;
}
return sigLen;
}
/*
* decode the ECDSA or DSA signature from it's DER wrapping.
* The unwrapped/raw signature is placed in the buffer pointed
@ -205,38 +174,38 @@ decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig,
unsigned int len)
{
SECItem *dsasig = NULL; /* also used for ECDSA */
SECStatus rv = SECSuccess;
/* Safety: Ensure algId is as expected and that signature size is within maxmimums */
if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
if (len > DSA_MAX_SIGNATURE_LEN) {
goto loser;
if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
(algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
if (sig->len != len) {
PORT_SetError(SEC_ERROR_BAD_DER);
return SECFailure;
}
} else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
PORT_Memcpy(dsig, sig->data, sig->len);
return SECSuccess;
}
if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
if (len > MAX_ECKEY_LEN * 2) {
goto loser;
PORT_SetError(SEC_ERROR_BAD_DER);
return SECFailure;
}
} else {
goto loser;
}
/* Decode and pad to length */
dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
if (dsasig == NULL) {
goto loser;
if ((dsasig == NULL) || (dsasig->len != len)) {
rv = SECFailure;
} else {
PORT_Memcpy(dsig, dsasig->data, dsasig->len);
}
if (dsasig->len != len) {
if (dsasig != NULL)
SECITEM_FreeItem(dsasig, PR_TRUE);
goto loser;
}
PORT_Memcpy(dsig, dsasig->data, len);
SECITEM_FreeItem(dsasig, PR_TRUE);
return SECSuccess;
loser:
PORT_SetError(SEC_ERROR_BAD_DER);
return SECFailure;
if (rv == SECFailure)
PORT_SetError(SEC_ERROR_BAD_DER);
return rv;
}
const SEC_ASN1Template hashParameterTemplate[] =
@ -262,7 +231,7 @@ SECStatus
sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg)
{
unsigned int len;
int len;
PLArenaPool *arena;
SECStatus rv;
SECItem oid;
@ -477,52 +446,48 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
cx->pkcs1RSADigestInfo = NULL;
rv = SECSuccess;
if (sig) {
rv = SECFailure;
if (type == rsaKey) {
rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
&cx->pkcs1RSADigestInfo,
&cx->pkcs1RSADigestInfoLen,
cx->key,
sig, wincx);
} else {
sigLen = checkedSignatureLen(key);
/* Check signature length is within limits */
if (sigLen == 0) {
/* error set by checkedSignatureLen */
rv = SECFailure;
goto loser;
}
if (sigLen > sizeof(cx->u)) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
rv = SECFailure;
goto loser;
}
switch (type) {
case rsaPssKey:
if (sig->len != sigLen) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
rv = SECFailure;
goto loser;
}
PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
rv = SECSuccess;
break;
case ecKey:
case dsaKey:
/* decodeECorDSASignature will check sigLen == sig->len after padding */
rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
break;
default:
/* Unreachable */
switch (type) {
case rsaKey:
rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
&cx->pkcs1RSADigestInfo,
&cx->pkcs1RSADigestInfoLen,
cx->key,
sig, wincx);
break;
case rsaPssKey:
sigLen = SECKEY_SignatureLen(key);
if (sigLen == 0) {
/* error set by SECKEY_SignatureLen */
rv = SECFailure;
goto loser;
}
}
if (rv != SECSuccess) {
goto loser;
break;
}
if (sig->len != sigLen) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
rv = SECFailure;
break;
}
PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
break;
case dsaKey:
case ecKey:
sigLen = SECKEY_SignatureLen(key);
if (sigLen == 0) {
/* error set by SECKEY_SignatureLen */
rv = SECFailure;
break;
}
rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
break;
default:
rv = SECFailure;
PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
break;
}
}
if (rv)
goto loser;
/* check hash alg again, RSA may have changed it.*/
if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
/* error set by HASH_GetHashTypeByOidTag */
@ -657,16 +622,11 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
switch (cx->key->keyType) {
case ecKey:
case dsaKey:
dsasig.len = checkedSignatureLen(cx->key);
dsasig.data = cx->u.buffer;
dsasig.len = SECKEY_SignatureLen(cx->key);
if (dsasig.len == 0) {
return SECFailure;
}
if (dsasig.len > sizeof(cx->u)) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
return SECFailure;
}
dsasig.data = cx->u.buffer;
if (sig) {
rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
dsasig.len);
@ -698,13 +658,8 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
}
rsasig.data = cx->u.buffer;
rsasig.len = checkedSignatureLen(cx->key);
rsasig.len = SECKEY_SignatureLen(cx->key);
if (rsasig.len == 0) {
/* Error set by checkedSignatureLen */
return SECFailure;
}
if (rsasig.len > sizeof(cx->u)) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
return SECFailure;
}
if (sig) {
@ -766,6 +721,7 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
SECStatus rv;
VFYContext *cx;
SECItem dsasig; /* also used for ECDSA */
rv = SECFailure;
cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
@ -773,25 +729,19 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
switch (key->keyType) {
case rsaKey:
rv = verifyPKCS1DigestInfo(cx, digest);
/* Error (if any) set by verifyPKCS1DigestInfo */
break;
case ecKey:
case dsaKey:
case ecKey:
dsasig.data = cx->u.buffer;
dsasig.len = checkedSignatureLen(cx->key);
dsasig.len = SECKEY_SignatureLen(cx->key);
if (dsasig.len == 0) {
/* Error set by checkedSignatureLen */
rv = SECFailure;
break;
}
if (dsasig.len > sizeof(cx->u)) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
rv = SECFailure;
break;
}
rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
if (rv != SECSuccess) {
if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
SECSuccess) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
} else {
rv = SECSuccess;
}
break;
default:

14
security/nss/lib/mozpkix/include/pkix/pkixutil.h Normal file → Executable file
View File

@ -259,20 +259,6 @@ Result CheckSubjectPublicKeyInfo(Input subjectPublicKeyInfo,
#else
#error Unsupported compiler for MOZILLA_PKIX_UNREACHABLE_DEFAULT.
#endif
inline size_t DigestAlgorithmToSizeInBytes(DigestAlgorithm digestAlgorithm) {
switch (digestAlgorithm) {
case DigestAlgorithm::sha1:
return 160 / 8;
case DigestAlgorithm::sha256:
return 256 / 8;
case DigestAlgorithm::sha384:
return 384 / 8;
case DigestAlgorithm::sha512:
return 512 / 8;
MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
}
}
}
} // namespace mozilla::pkix

92
security/nss/lib/mozpkix/lib/pkixocsp.cpp Normal file → Executable file
View File

@ -28,6 +28,12 @@
#include "mozpkix/pkixcheck.h"
#include "mozpkix/pkixutil.h"
namespace {
const size_t SHA1_DIGEST_LENGTH = 160 / 8;
} // namespace
namespace mozilla { namespace pkix {
// These values correspond to the tag values in the ASN.1 CertStatus
@ -175,12 +181,10 @@ static inline Result MatchCertID(Reader& input,
const Context& context,
/*out*/ bool& match);
static Result MatchKeyHash(TrustDomain& trustDomain,
DigestAlgorithm hashAlgorithm,
Input issuerKeyHash,
Input issuerSubjectPublicKeyInfo,
/*out*/ bool& match);
static Result KeyHash(TrustDomain& trustDomain,
DigestAlgorithm hashAlgorithm,
Input subjectPublicKeyInfo,
/*out*/ uint8_t* hashBuf, size_t hashBufSize);
@ -209,7 +213,7 @@ MatchResponderID(TrustDomain& trustDomain,
if (rv != Success) {
return rv;
}
return MatchKeyHash(trustDomain, DigestAlgorithm::sha1, keyHash,
return MatchKeyHash(trustDomain, keyHash,
potentialSignerSubjectPublicKeyInfo, match);
}
@ -737,36 +741,36 @@ MatchCertID(Reader& input, const Context& context, /*out*/ bool& match)
return Success;
}
size_t hashAlgorithmLength = DigestAlgorithmToSizeInBytes(hashAlgorithm);
if (issuerNameHash.GetLength() != hashAlgorithmLength) {
// TODO: support SHA-2 hashes.
if (hashAlgorithm != DigestAlgorithm::sha1) {
// Again, not interested in this response. Consume input, return success.
input.SkipToEnd();
return Success;
}
if (issuerNameHash.GetLength() != SHA1_DIGEST_LENGTH) {
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
}
// From http://tools.ietf.org/html/rfc6960#section-4.1.1:
// "The hash shall be calculated over the DER encoding of the
// issuer's name field in the certificate being checked."
uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES];
if (hashAlgorithmLength > sizeof(hashBuf)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
uint8_t hashBuf[SHA1_DIGEST_LENGTH];
rv = context.trustDomain.DigestBuf(context.certID.issuer,
hashAlgorithm, hashBuf,
hashAlgorithmLength);
if (rv != Success) {
return rv;
}
Input computed;
rv = computed.Init(hashBuf, hashAlgorithmLength);
DigestAlgorithm::sha1, hashBuf,
sizeof(hashBuf));
if (rv != Success) {
return rv;
}
Input computed(hashBuf);
if (!InputsAreEqual(computed, issuerNameHash)) {
// Again, not interested in this response. Consume input, return success.
input.SkipToEnd();
return Success;
}
return MatchKeyHash(context.trustDomain, hashAlgorithm, issuerKeyHash,
return MatchKeyHash(context.trustDomain, issuerKeyHash,
context.certID.issuerSubjectPublicKeyInfo, match);
}
@ -780,53 +784,30 @@ MatchCertID(Reader& input, const Context& context, /*out*/ bool& match)
// -- BIT STRING subjectPublicKey [excluding
// -- the tag, length, and number of unused
// -- bits] in the responder's certificate)
//
// From https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1:
// CertID ::= SEQUENCE {
// hashAlgorithm AlgorithmIdentifier,
// issuerNameHash OCTET STRING, -- Hash of issuer's DN
// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
// serialNumber CertificateSerialNumber }
// ...
// o hashAlgorithm is the hash algorithm used to generate the
// issuerNameHash and issuerKeyHash values.
// ...
// o issuerKeyHash is the hash of the issuer's public key. The hash
// shall be calculated over the value (excluding tag and length) of
// the subject public key field in the issuer's certificate.
static Result
MatchKeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
Input keyHash, const Input subjectPublicKeyInfo,
/*out*/ bool& match)
MatchKeyHash(TrustDomain& trustDomain, Input keyHash,
const Input subjectPublicKeyInfo, /*out*/ bool& match)
{
size_t hashLength = DigestAlgorithmToSizeInBytes(hashAlgorithm);
if (keyHash.GetLength() != hashLength) {
if (keyHash.GetLength() != SHA1_DIGEST_LENGTH) {
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
}
uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES];
if (hashLength > MAX_DIGEST_SIZE_IN_BYTES) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
Result rv = KeyHash(trustDomain, hashAlgorithm, subjectPublicKeyInfo,
hashBuf, hashLength);
if (rv != Success) {
return rv;
}
Input computed;
rv = computed.Init(hashBuf, hashLength);
uint8_t hashBuf[SHA1_DIGEST_LENGTH];
Result rv = KeyHash(trustDomain, subjectPublicKeyInfo, hashBuf,
sizeof hashBuf);
if (rv != Success) {
return rv;
}
Input computed(hashBuf);
match = InputsAreEqual(computed, keyHash);
return Success;
}
// TODO(bug 966856): support SHA-2 hashes
Result
KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
const Input subjectPublicKeyInfo, /*out*/ uint8_t* hashBuf,
size_t hashBufSize)
KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo,
/*out*/ uint8_t* hashBuf, size_t hashBufSize)
{
if (!hashBuf || hashBufSize != DigestAlgorithmToSizeInBytes(hashAlgorithm)) {
if (!hashBuf || hashBufSize != SHA1_DIGEST_LENGTH) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
@ -859,8 +840,8 @@ KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
return rv;
}
return trustDomain.DigestBuf(subjectPublicKey, hashAlgorithm, hashBuf,
hashBufSize);
return trustDomain.DigestBuf(subjectPublicKey, DigestAlgorithm::sha1,
hashBuf, hashBufSize);
}
Result
@ -940,6 +921,8 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
// and thus more likely to fit within the 255 byte limit for OCSP GET that
// is specified in RFC 5019 Section 5.
// Bug 966856: Add the id-pkix-ocsp-pref-sig-algs extension.
// Since we don't know whether the OCSP responder supports anything other
// than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and
// issuerKeyHash.
@ -1003,8 +986,7 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
// reqCert.issuerKeyHash (OCTET STRING)
*d++ = 0x04;
*d++ = hashLen;
rv = KeyHash(trustDomain, DigestAlgorithm::sha1,
certID.issuerSubjectPublicKeyInfo, d, hashLen);
rv = KeyHash(trustDomain, certID.issuerSubjectPublicKeyInfo, d, hashLen);
if (rv != Success) {
return rv;
}

9
security/nss/lib/mozpkix/lib/pkixverify.cpp Normal file → Executable file
View File

@ -43,7 +43,14 @@ DigestSignedData(TrustDomain& trustDomain,
return Result::ERROR_BAD_DER;
}
size_t digestLen = DigestAlgorithmToSizeInBytes(signedDigest.digestAlgorithm);
size_t digestLen;
switch (signedDigest.digestAlgorithm) {
case DigestAlgorithm::sha512: digestLen = 512 / 8; break;
case DigestAlgorithm::sha384: digestLen = 384 / 8; break;
case DigestAlgorithm::sha256: digestLen = 256 / 8; break;
case DigestAlgorithm::sha1: digestLen = 160 / 8; break;
MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
}
assert(digestLen <= sizeof(digestBuf));
rv = trustDomain.DigestBuf(signedData.data, signedDigest.digestAlgorithm,

5
security/nss/lib/pkcs7/certread.c Normal file → Executable file
View File

@ -139,11 +139,6 @@ SEC_ReadPKCS7Certs(SECItem *pkcs7Item, CERTImportCertificateFunc f, void *arg)
goto done;
}
if (contentInfo.content.signedData == NULL) {
PORT_SetError(SEC_ERROR_BAD_DER);
goto done;
}
rv = SECSuccess;
certs = contentInfo.content.signedData->certificates;

106
security/pkix/lib/pkixocsp.cpp Normal file → Executable file
View File

@ -28,21 +28,13 @@
#include "pkixcheck.h"
#include "pkixutil.h"
namespace mozilla { namespace pkix {
namespace {
inline size_t DigestAlgorithmToSizeInBytes(DigestAlgorithm digestAlgorithm) {
switch (digestAlgorithm) {
case DigestAlgorithm::sha1:
return 160 / 8;
case DigestAlgorithm::sha256:
return 256 / 8;
case DigestAlgorithm::sha384:
return 384 / 8;
case DigestAlgorithm::sha512:
return 512 / 8;
MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
}
}
const size_t SHA1_DIGEST_LENGTH = 160 / 8;
} // unnamed namespace
namespace mozilla { namespace pkix {
// These values correspond to the tag values in the ASN.1 CertStatus
enum class CertStatus : uint8_t {
@ -180,12 +172,10 @@ static inline Result CertID(Reader& input,
const Context& context,
/*out*/ bool& match);
static Result MatchKeyHash(TrustDomain& trustDomain,
DigestAlgorithm hashAlgorithm,
Input issuerKeyHash,
Input issuerSubjectPublicKeyInfo,
/*out*/ bool& match);
static Result KeyHash(TrustDomain& trustDomain,
DigestAlgorithm hashAlgorithm,
Input subjectPublicKeyInfo,
/*out*/ uint8_t* hashBuf, size_t hashBufSize);
@ -214,7 +204,7 @@ MatchResponderID(TrustDomain& trustDomain,
if (rv != Success) {
return rv;
}
return MatchKeyHash(trustDomain, DigestAlgorithm::sha1, keyHash,
return MatchKeyHash(trustDomain, keyHash,
potentialSignerSubjectPublicKeyInfo, match);
}
@ -725,36 +715,36 @@ CertID(Reader& input, const Context& context, /*out*/ bool& match)
return Success;
}
size_t hashAlgorithmLength = DigestAlgorithmToSizeInBytes(hashAlgorithm);
if (issuerNameHash.GetLength() != hashAlgorithmLength) {
// TODO: support SHA-2 hashes.
if (hashAlgorithm != DigestAlgorithm::sha1) {
// Again, not interested in this response. Consume input, return success.
input.SkipToEnd();
return Success;
}
if (issuerNameHash.GetLength() != SHA1_DIGEST_LENGTH) {
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
}
// From http://tools.ietf.org/html/rfc6960#section-4.1.1:
// "The hash shall be calculated over the DER encoding of the
// issuer's name field in the certificate being checked."
uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES];
if (hashAlgorithmLength > sizeof(hashBuf)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
uint8_t hashBuf[SHA1_DIGEST_LENGTH];
rv = context.trustDomain.DigestBuf(context.certID.issuer,
hashAlgorithm, hashBuf,
hashAlgorithmLength);
if (rv != Success) {
return rv;
}
Input computed;
rv = computed.Init(hashBuf, hashAlgorithmLength);
DigestAlgorithm::sha1, hashBuf,
sizeof(hashBuf));
if (rv != Success) {
return rv;
}
Input computed(hashBuf);
if (!InputsAreEqual(computed, issuerNameHash)) {
// Again, not interested in this response. Consume input, return success.
input.SkipToEnd();
return Success;
}
return MatchKeyHash(context.trustDomain, hashAlgorithm, issuerKeyHash,
return MatchKeyHash(context.trustDomain, issuerKeyHash,
context.certID.issuerSubjectPublicKeyInfo, match);
}
@ -768,53 +758,30 @@ CertID(Reader& input, const Context& context, /*out*/ bool& match)
// -- BIT STRING subjectPublicKey [excluding
// -- the tag, length, and number of unused
// -- bits] in the responder's certificate)
//
// From https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1:
// CertID ::= SEQUENCE {
// hashAlgorithm AlgorithmIdentifier,
// issuerNameHash OCTET STRING, -- Hash of issuer's DN
// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
// serialNumber CertificateSerialNumber }
// ...
// o hashAlgorithm is the hash algorithm used to generate the
// issuerNameHash and issuerKeyHash values.
// ...
// o issuerKeyHash is the hash of the issuer's public key. The hash
// shall be calculated over the value (excluding tag and length) of
// the subject public key field in the issuer's certificate.
static Result
MatchKeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
Input keyHash, const Input subjectPublicKeyInfo,
/*out*/ bool& match)
MatchKeyHash(TrustDomain& trustDomain, Input keyHash,
const Input subjectPublicKeyInfo, /*out*/ bool& match)
{
size_t hashLength = DigestAlgorithmToSizeInBytes(hashAlgorithm);
if (keyHash.GetLength() != hashLength) {
if (keyHash.GetLength() != SHA1_DIGEST_LENGTH) {
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
}
static uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES];
if (hashLength > MAX_DIGEST_SIZE_IN_BYTES) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
Result rv = KeyHash(trustDomain, hashAlgorithm, subjectPublicKeyInfo,
hashBuf, hashLength);
if (rv != Success) {
return rv;
}
Input computed;
rv = computed.Init(hashBuf, hashLength);
static uint8_t hashBuf[SHA1_DIGEST_LENGTH];
Result rv = KeyHash(trustDomain, subjectPublicKeyInfo, hashBuf,
sizeof hashBuf);
if (rv != Success) {
return rv;
}
Input computed(hashBuf);
match = InputsAreEqual(computed, keyHash);
return Success;
}
// TODO(bug 966856): support SHA-2 hashes
Result
KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
const Input subjectPublicKeyInfo, /*out*/ uint8_t* hashBuf,
size_t hashBufSize)
KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo,
/*out*/ uint8_t* hashBuf, size_t hashBufSize)
{
if (!hashBuf || hashBufSize != DigestAlgorithmToSizeInBytes(hashAlgorithm)) {
if (!hashBuf || hashBufSize != SHA1_DIGEST_LENGTH) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
@ -847,8 +814,8 @@ KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
return rv;
}
return trustDomain.DigestBuf(subjectPublicKey, hashAlgorithm, hashBuf,
hashBufSize);
return trustDomain.DigestBuf(subjectPublicKey, DigestAlgorithm::sha1,
hashBuf, hashBufSize);
}
Result
@ -898,6 +865,8 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
// and thus more likely to fit within the 255 byte limit for OCSP GET that
// is specified in RFC 5019 Section 5.
// Bug 966856: Add the id-pkix-ocsp-pref-sig-algs extension.
// Since we don't know whether the OCSP responder supports anything other
// than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and
// issuerKeyHash.
@ -961,8 +930,7 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
// reqCert.issuerKeyHash (OCTET STRING)
*d++ = 0x04;
*d++ = hashLen;
rv = KeyHash(trustDomain, DigestAlgorithm::sha1,
certID.issuerSubjectPublicKeyInfo, d, hashLen);
rv = KeyHash(trustDomain, certID.issuerSubjectPublicKeyInfo, d, hashLen);
if (rv != Success) {
return rv;
}

2
widget/cocoa/nsCocoaWindow.mm Normal file → Executable file
View File

@ -1272,8 +1272,6 @@ NS_METHOD nsCocoaWindow::SetSizeMode(nsSizeMode aMode)
[mWindow deminiaturize:nil];
else if (previousMode == nsSizeMode_Maximized && [mWindow isZoomed])
[mWindow zoom:nil];
else if (previousMode == nsSizeMode_Fullscreen)
MakeFullScreen(false);
}
else if (aMode == nsSizeMode_Minimized) {
if (![mWindow isMiniaturized])