revert some upstream changes
whatever it was broke the titlebar, tabs, etc.
This commit is contained in:
parent
01ed7674af
commit
2ecdabc218
|
@ -133,10 +133,6 @@ nsStructuredCloneContainer::GetDataAsBase64(nsAString &aOut)
|
|||
if (!DataLength()) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
CheckedInt<nsAutoCString::size_type> sizeCheck(DataLength());
|
||||
if (MOZ_UNLIKELY(!sizeCheck.isValid())) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
if (HasClonedDOMObjects()) {
|
||||
return NS_ERROR_FAILURE;
|
||||
|
|
|
@ -209,11 +209,6 @@ FirstNon8Bit(const char16_t *str, const char16_t *end)
|
|||
bool
|
||||
nsTextFragment::SetTo(const char16_t* aBuffer, int32_t aLength, bool aUpdateBidi)
|
||||
{
|
||||
if (MOZ_UNLIKELY(aLength < 0 || static_cast<uint32_t>(aLength) >
|
||||
NS_MAX_TEXT_FRAGMENT_LENGTH)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
ReleaseText();
|
||||
|
||||
if (aLength == 0) {
|
||||
|
@ -342,16 +337,9 @@ nsTextFragment::CopyTo(char16_t *aDest, int32_t aOffset, int32_t aCount)
|
|||
bool
|
||||
nsTextFragment::Append(const char16_t* aBuffer, uint32_t aLength, bool aUpdateBidi)
|
||||
{
|
||||
if (!aLength) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// This is a common case because some callsites create a textnode
|
||||
// with a value by creating the node and then calling AppendData.
|
||||
if (mState.mLength == 0) {
|
||||
if (MOZ_UNLIKELY(aLength > INT32_MAX)) {
|
||||
return false;
|
||||
}
|
||||
return SetTo(aBuffer, aLength, aUpdateBidi);
|
||||
}
|
||||
|
||||
|
|
|
@ -24,7 +24,6 @@
|
|||
#include "mozilla/dom/Element.h"
|
||||
#include "mozilla/dom/Event.h"
|
||||
#include "mozilla/dom/EventTargetBinding.h"
|
||||
#include "mozilla/ScopeExit.h"
|
||||
#include "mozilla/TimelineConsumers.h"
|
||||
#include "mozilla/EventTimelineMarker.h"
|
||||
|
||||
|
@ -713,8 +712,6 @@ EventListenerManager::SetEventHandler(nsIAtom* aName,
|
|||
bool aPermitUntrustedEvents,
|
||||
Element* aElement)
|
||||
{
|
||||
auto removeEventHandler = MakeScopeExit([&] { RemoveEventHandler(aName, EmptyString()); });
|
||||
|
||||
nsCOMPtr<nsIDocument> doc;
|
||||
nsCOMPtr<nsIScriptGlobalObject> global =
|
||||
GetScriptGlobalAndDocument(getter_AddRefs(doc));
|
||||
|
@ -789,8 +786,6 @@ EventListenerManager::SetEventHandler(nsIAtom* aName,
|
|||
NS_ENSURE_TRUE(context, NS_ERROR_FAILURE);
|
||||
NS_ENSURE_STATE(global->GetGlobalJSObject());
|
||||
|
||||
removeEventHandler.release();
|
||||
|
||||
Listener* listener = SetEventHandlerInternal(aName,
|
||||
EmptyString(),
|
||||
TypedEventHandler(),
|
||||
|
|
|
@ -852,9 +852,8 @@ ADTSTrackDemuxer::Read(uint8_t* aBuffer, int64_t aOffset, int32_t aSize)
|
|||
|
||||
const int64_t streamLen = StreamLength();
|
||||
if (mInfo && streamLen > 0) {
|
||||
int64_t max = streamLen > aOffset ? streamLen - aOffset : 0;
|
||||
// Prevent blocking reads after successful initialization.
|
||||
aSize = std::min<int64_t>(aSize, max);
|
||||
aSize = std::min<int64_t>(aSize, streamLen - aOffset);
|
||||
}
|
||||
|
||||
uint32_t read = 0;
|
||||
|
|
|
@ -655,8 +655,7 @@ MP3TrackDemuxer::Read(uint8_t* aBuffer, int64_t aOffset, int32_t aSize) {
|
|||
const int64_t streamLen = StreamLength();
|
||||
if (mInfo && streamLen > 0) {
|
||||
// Prevent blocking reads after successful initialization.
|
||||
uint64_t max = streamLen > aOffset ? streamLen - aOffset : 0;
|
||||
aSize = std::min<int64_t>(aSize, max);
|
||||
aSize = std::min<int64_t>(aSize, streamLen - aOffset);
|
||||
}
|
||||
|
||||
uint32_t read = 0;
|
||||
|
|
|
@ -1993,14 +1993,12 @@ void ReportLoadError(JSContext* aCx, nsresult aLoadResult)
|
|||
|
||||
case NS_ERROR_FILE_NOT_FOUND:
|
||||
case NS_ERROR_NOT_AVAILABLE:
|
||||
case NS_ERROR_CORRUPTED_CONTENT:
|
||||
Throw(aCx, NS_ERROR_DOM_NETWORK_ERR);
|
||||
break;
|
||||
|
||||
case NS_ERROR_MALFORMED_URI:
|
||||
aLoadResult = NS_ERROR_DOM_SYNTAX_ERR;
|
||||
// fall through
|
||||
case NS_ERROR_DOM_BAD_URI:
|
||||
case NS_ERROR_DOM_SECURITY_ERR:
|
||||
case NS_ERROR_DOM_SYNTAX_ERR:
|
||||
Throw(aCx, aLoadResult);
|
||||
|
|
|
@ -236,6 +236,19 @@ txMozillaXMLOutput::endDocument(nsresult aResult)
|
|||
}
|
||||
}
|
||||
|
||||
if (!mRefreshString.IsEmpty()) {
|
||||
nsPIDOMWindow *win = mDocument->GetWindow();
|
||||
if (win) {
|
||||
nsCOMPtr<nsIRefreshURI> refURI =
|
||||
do_QueryInterface(win->GetDocShell());
|
||||
if (refURI) {
|
||||
refURI->SetupRefreshURIFromHeader(mDocument->GetDocBaseURI(),
|
||||
mDocument->NodePrincipal(),
|
||||
mRefreshString);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (mNotifier) {
|
||||
mNotifier->OnTransformEnd();
|
||||
}
|
||||
|
@ -734,13 +747,30 @@ txMozillaXMLOutput::endHTMLElement(nsIContent* aElement)
|
|||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
else if (mCreatingNewDocument && aElement->IsHTMLElement(nsGkAtoms::meta)) {
|
||||
// handle HTTP-EQUIV data
|
||||
nsAutoString httpEquiv;
|
||||
aElement->GetAttr(kNameSpaceID_None, nsGkAtoms::httpEquiv, httpEquiv);
|
||||
if (!httpEquiv.IsEmpty()) {
|
||||
nsAutoString value;
|
||||
aElement->GetAttr(kNameSpaceID_None, nsGkAtoms::content, value);
|
||||
if (!value.IsEmpty()) {
|
||||
nsContentUtils::ASCIIToLower(httpEquiv);
|
||||
nsCOMPtr<nsIAtom> header = do_GetAtom(httpEquiv);
|
||||
processHTTPEquiv(header, value);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
void txMozillaXMLOutput::processHTTPEquiv(nsIAtom* aHeader, const nsString& aValue)
|
||||
{
|
||||
MOZ_CRASH("Don't call processHTTPEquiv, see bug 1746720");
|
||||
// For now we only handle "refresh". There's a longer list in
|
||||
// HTMLContentSink::ProcessHeaderData
|
||||
if (aHeader == nsGkAtoms::refresh)
|
||||
LossyCopyUTF16toASCII(aValue, mRefreshString);
|
||||
}
|
||||
|
||||
nsresult
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -164,37 +164,6 @@ verifyPKCS1DigestInfo(const VFYContext *cx, const SECItem *digest)
|
|||
PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
|
||||
}
|
||||
|
||||
static unsigned int
|
||||
checkedSignatureLen(const SECKEYPublicKey *pubk)
|
||||
{
|
||||
unsigned int sigLen = SECKEY_SignatureLen(pubk);
|
||||
if (sigLen == 0) {
|
||||
/* Error set by SECKEY_SignatureLen */
|
||||
return sigLen;
|
||||
}
|
||||
unsigned int maxSigLen;
|
||||
switch (pubk->keyType) {
|
||||
case rsaKey:
|
||||
case rsaPssKey:
|
||||
maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
|
||||
break;
|
||||
case dsaKey:
|
||||
maxSigLen = DSA_MAX_SIGNATURE_LEN;
|
||||
break;
|
||||
case ecKey:
|
||||
maxSigLen = 2 * MAX_ECKEY_LEN;
|
||||
break;
|
||||
default:
|
||||
PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
|
||||
return 0;
|
||||
}
|
||||
if (sigLen > maxSigLen) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||
return 0;
|
||||
}
|
||||
return sigLen;
|
||||
}
|
||||
|
||||
/*
|
||||
* decode the ECDSA or DSA signature from it's DER wrapping.
|
||||
* The unwrapped/raw signature is placed in the buffer pointed
|
||||
|
@ -205,38 +174,38 @@ decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig,
|
|||
unsigned int len)
|
||||
{
|
||||
SECItem *dsasig = NULL; /* also used for ECDSA */
|
||||
SECStatus rv = SECSuccess;
|
||||
|
||||
/* Safety: Ensure algId is as expected and that signature size is within maxmimums */
|
||||
if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
|
||||
if (len > DSA_MAX_SIGNATURE_LEN) {
|
||||
goto loser;
|
||||
if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
|
||||
(algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
|
||||
if (sig->len != len) {
|
||||
PORT_SetError(SEC_ERROR_BAD_DER);
|
||||
return SECFailure;
|
||||
}
|
||||
} else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
|
||||
|
||||
PORT_Memcpy(dsig, sig->data, sig->len);
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
|
||||
if (len > MAX_ECKEY_LEN * 2) {
|
||||
goto loser;
|
||||
PORT_SetError(SEC_ERROR_BAD_DER);
|
||||
return SECFailure;
|
||||
}
|
||||
} else {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
/* Decode and pad to length */
|
||||
dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
|
||||
if (dsasig == NULL) {
|
||||
goto loser;
|
||||
|
||||
if ((dsasig == NULL) || (dsasig->len != len)) {
|
||||
rv = SECFailure;
|
||||
} else {
|
||||
PORT_Memcpy(dsig, dsasig->data, dsasig->len);
|
||||
}
|
||||
if (dsasig->len != len) {
|
||||
|
||||
if (dsasig != NULL)
|
||||
SECITEM_FreeItem(dsasig, PR_TRUE);
|
||||
goto loser;
|
||||
}
|
||||
|
||||
PORT_Memcpy(dsig, dsasig->data, len);
|
||||
SECITEM_FreeItem(dsasig, PR_TRUE);
|
||||
|
||||
return SECSuccess;
|
||||
|
||||
loser:
|
||||
PORT_SetError(SEC_ERROR_BAD_DER);
|
||||
return SECFailure;
|
||||
if (rv == SECFailure)
|
||||
PORT_SetError(SEC_ERROR_BAD_DER);
|
||||
return rv;
|
||||
}
|
||||
|
||||
const SEC_ASN1Template hashParameterTemplate[] =
|
||||
|
@ -262,7 +231,7 @@ SECStatus
|
|||
sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
|
||||
const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg)
|
||||
{
|
||||
unsigned int len;
|
||||
int len;
|
||||
PLArenaPool *arena;
|
||||
SECStatus rv;
|
||||
SECItem oid;
|
||||
|
@ -477,52 +446,48 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
|
|||
cx->pkcs1RSADigestInfo = NULL;
|
||||
rv = SECSuccess;
|
||||
if (sig) {
|
||||
rv = SECFailure;
|
||||
if (type == rsaKey) {
|
||||
rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
|
||||
&cx->pkcs1RSADigestInfo,
|
||||
&cx->pkcs1RSADigestInfoLen,
|
||||
cx->key,
|
||||
sig, wincx);
|
||||
} else {
|
||||
sigLen = checkedSignatureLen(key);
|
||||
/* Check signature length is within limits */
|
||||
if (sigLen == 0) {
|
||||
/* error set by checkedSignatureLen */
|
||||
rv = SECFailure;
|
||||
goto loser;
|
||||
}
|
||||
if (sigLen > sizeof(cx->u)) {
|
||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||
rv = SECFailure;
|
||||
goto loser;
|
||||
}
|
||||
switch (type) {
|
||||
case rsaPssKey:
|
||||
if (sig->len != sigLen) {
|
||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||
rv = SECFailure;
|
||||
goto loser;
|
||||
}
|
||||
PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
|
||||
rv = SECSuccess;
|
||||
break;
|
||||
case ecKey:
|
||||
case dsaKey:
|
||||
/* decodeECorDSASignature will check sigLen == sig->len after padding */
|
||||
rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
|
||||
break;
|
||||
default:
|
||||
/* Unreachable */
|
||||
switch (type) {
|
||||
case rsaKey:
|
||||
rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
|
||||
&cx->pkcs1RSADigestInfo,
|
||||
&cx->pkcs1RSADigestInfoLen,
|
||||
cx->key,
|
||||
sig, wincx);
|
||||
break;
|
||||
case rsaPssKey:
|
||||
sigLen = SECKEY_SignatureLen(key);
|
||||
if (sigLen == 0) {
|
||||
/* error set by SECKEY_SignatureLen */
|
||||
rv = SECFailure;
|
||||
goto loser;
|
||||
}
|
||||
}
|
||||
if (rv != SECSuccess) {
|
||||
goto loser;
|
||||
break;
|
||||
}
|
||||
if (sig->len != sigLen) {
|
||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||
rv = SECFailure;
|
||||
break;
|
||||
}
|
||||
PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
|
||||
break;
|
||||
case dsaKey:
|
||||
case ecKey:
|
||||
sigLen = SECKEY_SignatureLen(key);
|
||||
if (sigLen == 0) {
|
||||
/* error set by SECKEY_SignatureLen */
|
||||
rv = SECFailure;
|
||||
break;
|
||||
}
|
||||
rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
|
||||
break;
|
||||
default:
|
||||
rv = SECFailure;
|
||||
PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (rv)
|
||||
goto loser;
|
||||
|
||||
/* check hash alg again, RSA may have changed it.*/
|
||||
if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
|
||||
/* error set by HASH_GetHashTypeByOidTag */
|
||||
|
@ -657,16 +622,11 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
|
|||
switch (cx->key->keyType) {
|
||||
case ecKey:
|
||||
case dsaKey:
|
||||
dsasig.len = checkedSignatureLen(cx->key);
|
||||
dsasig.data = cx->u.buffer;
|
||||
dsasig.len = SECKEY_SignatureLen(cx->key);
|
||||
if (dsasig.len == 0) {
|
||||
return SECFailure;
|
||||
}
|
||||
if (dsasig.len > sizeof(cx->u)) {
|
||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||
return SECFailure;
|
||||
}
|
||||
dsasig.data = cx->u.buffer;
|
||||
|
||||
if (sig) {
|
||||
rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
|
||||
dsasig.len);
|
||||
|
@ -698,13 +658,8 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
|
|||
}
|
||||
|
||||
rsasig.data = cx->u.buffer;
|
||||
rsasig.len = checkedSignatureLen(cx->key);
|
||||
rsasig.len = SECKEY_SignatureLen(cx->key);
|
||||
if (rsasig.len == 0) {
|
||||
/* Error set by checkedSignatureLen */
|
||||
return SECFailure;
|
||||
}
|
||||
if (rsasig.len > sizeof(cx->u)) {
|
||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||
return SECFailure;
|
||||
}
|
||||
if (sig) {
|
||||
|
@ -766,6 +721,7 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
|
|||
SECStatus rv;
|
||||
VFYContext *cx;
|
||||
SECItem dsasig; /* also used for ECDSA */
|
||||
|
||||
rv = SECFailure;
|
||||
|
||||
cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
|
||||
|
@ -773,25 +729,19 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
|
|||
switch (key->keyType) {
|
||||
case rsaKey:
|
||||
rv = verifyPKCS1DigestInfo(cx, digest);
|
||||
/* Error (if any) set by verifyPKCS1DigestInfo */
|
||||
break;
|
||||
case ecKey:
|
||||
case dsaKey:
|
||||
case ecKey:
|
||||
dsasig.data = cx->u.buffer;
|
||||
dsasig.len = checkedSignatureLen(cx->key);
|
||||
dsasig.len = SECKEY_SignatureLen(cx->key);
|
||||
if (dsasig.len == 0) {
|
||||
/* Error set by checkedSignatureLen */
|
||||
rv = SECFailure;
|
||||
break;
|
||||
}
|
||||
if (dsasig.len > sizeof(cx->u)) {
|
||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||
rv = SECFailure;
|
||||
break;
|
||||
}
|
||||
rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
|
||||
if (rv != SECSuccess) {
|
||||
if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
|
||||
SECSuccess) {
|
||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||
} else {
|
||||
rv = SECSuccess;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
|
|
|
@ -259,20 +259,6 @@ Result CheckSubjectPublicKeyInfo(Input subjectPublicKeyInfo,
|
|||
#else
|
||||
#error Unsupported compiler for MOZILLA_PKIX_UNREACHABLE_DEFAULT.
|
||||
#endif
|
||||
|
||||
inline size_t DigestAlgorithmToSizeInBytes(DigestAlgorithm digestAlgorithm) {
|
||||
switch (digestAlgorithm) {
|
||||
case DigestAlgorithm::sha1:
|
||||
return 160 / 8;
|
||||
case DigestAlgorithm::sha256:
|
||||
return 256 / 8;
|
||||
case DigestAlgorithm::sha384:
|
||||
return 384 / 8;
|
||||
case DigestAlgorithm::sha512:
|
||||
return 512 / 8;
|
||||
MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
|
||||
}
|
||||
}
|
||||
}
|
||||
} // namespace mozilla::pkix
|
||||
|
||||
|
|
|
@ -28,6 +28,12 @@
|
|||
#include "mozpkix/pkixcheck.h"
|
||||
#include "mozpkix/pkixutil.h"
|
||||
|
||||
namespace {
|
||||
|
||||
const size_t SHA1_DIGEST_LENGTH = 160 / 8;
|
||||
|
||||
} // namespace
|
||||
|
||||
namespace mozilla { namespace pkix {
|
||||
|
||||
// These values correspond to the tag values in the ASN.1 CertStatus
|
||||
|
@ -175,12 +181,10 @@ static inline Result MatchCertID(Reader& input,
|
|||
const Context& context,
|
||||
/*out*/ bool& match);
|
||||
static Result MatchKeyHash(TrustDomain& trustDomain,
|
||||
DigestAlgorithm hashAlgorithm,
|
||||
Input issuerKeyHash,
|
||||
Input issuerSubjectPublicKeyInfo,
|
||||
/*out*/ bool& match);
|
||||
static Result KeyHash(TrustDomain& trustDomain,
|
||||
DigestAlgorithm hashAlgorithm,
|
||||
Input subjectPublicKeyInfo,
|
||||
/*out*/ uint8_t* hashBuf, size_t hashBufSize);
|
||||
|
||||
|
@ -209,7 +213,7 @@ MatchResponderID(TrustDomain& trustDomain,
|
|||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
return MatchKeyHash(trustDomain, DigestAlgorithm::sha1, keyHash,
|
||||
return MatchKeyHash(trustDomain, keyHash,
|
||||
potentialSignerSubjectPublicKeyInfo, match);
|
||||
}
|
||||
|
||||
|
@ -737,36 +741,36 @@ MatchCertID(Reader& input, const Context& context, /*out*/ bool& match)
|
|||
return Success;
|
||||
}
|
||||
|
||||
size_t hashAlgorithmLength = DigestAlgorithmToSizeInBytes(hashAlgorithm);
|
||||
if (issuerNameHash.GetLength() != hashAlgorithmLength) {
|
||||
// TODO: support SHA-2 hashes.
|
||||
|
||||
if (hashAlgorithm != DigestAlgorithm::sha1) {
|
||||
// Again, not interested in this response. Consume input, return success.
|
||||
input.SkipToEnd();
|
||||
return Success;
|
||||
}
|
||||
|
||||
if (issuerNameHash.GetLength() != SHA1_DIGEST_LENGTH) {
|
||||
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
|
||||
}
|
||||
|
||||
// From http://tools.ietf.org/html/rfc6960#section-4.1.1:
|
||||
// "The hash shall be calculated over the DER encoding of the
|
||||
// issuer's name field in the certificate being checked."
|
||||
uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES];
|
||||
if (hashAlgorithmLength > sizeof(hashBuf)) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
uint8_t hashBuf[SHA1_DIGEST_LENGTH];
|
||||
rv = context.trustDomain.DigestBuf(context.certID.issuer,
|
||||
hashAlgorithm, hashBuf,
|
||||
hashAlgorithmLength);
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
Input computed;
|
||||
rv = computed.Init(hashBuf, hashAlgorithmLength);
|
||||
DigestAlgorithm::sha1, hashBuf,
|
||||
sizeof(hashBuf));
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
Input computed(hashBuf);
|
||||
if (!InputsAreEqual(computed, issuerNameHash)) {
|
||||
// Again, not interested in this response. Consume input, return success.
|
||||
input.SkipToEnd();
|
||||
return Success;
|
||||
}
|
||||
|
||||
return MatchKeyHash(context.trustDomain, hashAlgorithm, issuerKeyHash,
|
||||
return MatchKeyHash(context.trustDomain, issuerKeyHash,
|
||||
context.certID.issuerSubjectPublicKeyInfo, match);
|
||||
}
|
||||
|
||||
|
@ -780,53 +784,30 @@ MatchCertID(Reader& input, const Context& context, /*out*/ bool& match)
|
|||
// -- BIT STRING subjectPublicKey [excluding
|
||||
// -- the tag, length, and number of unused
|
||||
// -- bits] in the responder's certificate)
|
||||
//
|
||||
// From https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1:
|
||||
// CertID ::= SEQUENCE {
|
||||
// hashAlgorithm AlgorithmIdentifier,
|
||||
// issuerNameHash OCTET STRING, -- Hash of issuer's DN
|
||||
// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
|
||||
// serialNumber CertificateSerialNumber }
|
||||
// ...
|
||||
// o hashAlgorithm is the hash algorithm used to generate the
|
||||
// issuerNameHash and issuerKeyHash values.
|
||||
// ...
|
||||
// o issuerKeyHash is the hash of the issuer's public key. The hash
|
||||
// shall be calculated over the value (excluding tag and length) of
|
||||
// the subject public key field in the issuer's certificate.
|
||||
static Result
|
||||
MatchKeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
|
||||
Input keyHash, const Input subjectPublicKeyInfo,
|
||||
/*out*/ bool& match)
|
||||
MatchKeyHash(TrustDomain& trustDomain, Input keyHash,
|
||||
const Input subjectPublicKeyInfo, /*out*/ bool& match)
|
||||
{
|
||||
size_t hashLength = DigestAlgorithmToSizeInBytes(hashAlgorithm);
|
||||
if (keyHash.GetLength() != hashLength) {
|
||||
if (keyHash.GetLength() != SHA1_DIGEST_LENGTH) {
|
||||
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
|
||||
}
|
||||
uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES];
|
||||
if (hashLength > MAX_DIGEST_SIZE_IN_BYTES) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
Result rv = KeyHash(trustDomain, hashAlgorithm, subjectPublicKeyInfo,
|
||||
hashBuf, hashLength);
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
Input computed;
|
||||
rv = computed.Init(hashBuf, hashLength);
|
||||
uint8_t hashBuf[SHA1_DIGEST_LENGTH];
|
||||
Result rv = KeyHash(trustDomain, subjectPublicKeyInfo, hashBuf,
|
||||
sizeof hashBuf);
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
Input computed(hashBuf);
|
||||
match = InputsAreEqual(computed, keyHash);
|
||||
return Success;
|
||||
}
|
||||
|
||||
// TODO(bug 966856): support SHA-2 hashes
|
||||
Result
|
||||
KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
|
||||
const Input subjectPublicKeyInfo, /*out*/ uint8_t* hashBuf,
|
||||
size_t hashBufSize)
|
||||
KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo,
|
||||
/*out*/ uint8_t* hashBuf, size_t hashBufSize)
|
||||
{
|
||||
if (!hashBuf || hashBufSize != DigestAlgorithmToSizeInBytes(hashAlgorithm)) {
|
||||
if (!hashBuf || hashBufSize != SHA1_DIGEST_LENGTH) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
|
||||
|
@ -859,8 +840,8 @@ KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
|
|||
return rv;
|
||||
}
|
||||
|
||||
return trustDomain.DigestBuf(subjectPublicKey, hashAlgorithm, hashBuf,
|
||||
hashBufSize);
|
||||
return trustDomain.DigestBuf(subjectPublicKey, DigestAlgorithm::sha1,
|
||||
hashBuf, hashBufSize);
|
||||
}
|
||||
|
||||
Result
|
||||
|
@ -940,6 +921,8 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
|
|||
// and thus more likely to fit within the 255 byte limit for OCSP GET that
|
||||
// is specified in RFC 5019 Section 5.
|
||||
|
||||
// Bug 966856: Add the id-pkix-ocsp-pref-sig-algs extension.
|
||||
|
||||
// Since we don't know whether the OCSP responder supports anything other
|
||||
// than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and
|
||||
// issuerKeyHash.
|
||||
|
@ -1003,8 +986,7 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
|
|||
// reqCert.issuerKeyHash (OCTET STRING)
|
||||
*d++ = 0x04;
|
||||
*d++ = hashLen;
|
||||
rv = KeyHash(trustDomain, DigestAlgorithm::sha1,
|
||||
certID.issuerSubjectPublicKeyInfo, d, hashLen);
|
||||
rv = KeyHash(trustDomain, certID.issuerSubjectPublicKeyInfo, d, hashLen);
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
|
|
|
@ -43,7 +43,14 @@ DigestSignedData(TrustDomain& trustDomain,
|
|||
return Result::ERROR_BAD_DER;
|
||||
}
|
||||
|
||||
size_t digestLen = DigestAlgorithmToSizeInBytes(signedDigest.digestAlgorithm);
|
||||
size_t digestLen;
|
||||
switch (signedDigest.digestAlgorithm) {
|
||||
case DigestAlgorithm::sha512: digestLen = 512 / 8; break;
|
||||
case DigestAlgorithm::sha384: digestLen = 384 / 8; break;
|
||||
case DigestAlgorithm::sha256: digestLen = 256 / 8; break;
|
||||
case DigestAlgorithm::sha1: digestLen = 160 / 8; break;
|
||||
MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
|
||||
}
|
||||
assert(digestLen <= sizeof(digestBuf));
|
||||
|
||||
rv = trustDomain.DigestBuf(signedData.data, signedDigest.digestAlgorithm,
|
||||
|
|
|
@ -139,11 +139,6 @@ SEC_ReadPKCS7Certs(SECItem *pkcs7Item, CERTImportCertificateFunc f, void *arg)
|
|||
goto done;
|
||||
}
|
||||
|
||||
if (contentInfo.content.signedData == NULL) {
|
||||
PORT_SetError(SEC_ERROR_BAD_DER);
|
||||
goto done;
|
||||
}
|
||||
|
||||
rv = SECSuccess;
|
||||
|
||||
certs = contentInfo.content.signedData->certificates;
|
||||
|
|
|
@ -28,21 +28,13 @@
|
|||
#include "pkixcheck.h"
|
||||
#include "pkixutil.h"
|
||||
|
||||
namespace mozilla { namespace pkix {
|
||||
namespace {
|
||||
|
||||
inline size_t DigestAlgorithmToSizeInBytes(DigestAlgorithm digestAlgorithm) {
|
||||
switch (digestAlgorithm) {
|
||||
case DigestAlgorithm::sha1:
|
||||
return 160 / 8;
|
||||
case DigestAlgorithm::sha256:
|
||||
return 256 / 8;
|
||||
case DigestAlgorithm::sha384:
|
||||
return 384 / 8;
|
||||
case DigestAlgorithm::sha512:
|
||||
return 512 / 8;
|
||||
MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
|
||||
}
|
||||
}
|
||||
const size_t SHA1_DIGEST_LENGTH = 160 / 8;
|
||||
|
||||
} // unnamed namespace
|
||||
|
||||
namespace mozilla { namespace pkix {
|
||||
|
||||
// These values correspond to the tag values in the ASN.1 CertStatus
|
||||
enum class CertStatus : uint8_t {
|
||||
|
@ -180,12 +172,10 @@ static inline Result CertID(Reader& input,
|
|||
const Context& context,
|
||||
/*out*/ bool& match);
|
||||
static Result MatchKeyHash(TrustDomain& trustDomain,
|
||||
DigestAlgorithm hashAlgorithm,
|
||||
Input issuerKeyHash,
|
||||
Input issuerSubjectPublicKeyInfo,
|
||||
/*out*/ bool& match);
|
||||
static Result KeyHash(TrustDomain& trustDomain,
|
||||
DigestAlgorithm hashAlgorithm,
|
||||
Input subjectPublicKeyInfo,
|
||||
/*out*/ uint8_t* hashBuf, size_t hashBufSize);
|
||||
|
||||
|
@ -214,7 +204,7 @@ MatchResponderID(TrustDomain& trustDomain,
|
|||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
return MatchKeyHash(trustDomain, DigestAlgorithm::sha1, keyHash,
|
||||
return MatchKeyHash(trustDomain, keyHash,
|
||||
potentialSignerSubjectPublicKeyInfo, match);
|
||||
}
|
||||
|
||||
|
@ -725,36 +715,36 @@ CertID(Reader& input, const Context& context, /*out*/ bool& match)
|
|||
return Success;
|
||||
}
|
||||
|
||||
size_t hashAlgorithmLength = DigestAlgorithmToSizeInBytes(hashAlgorithm);
|
||||
if (issuerNameHash.GetLength() != hashAlgorithmLength) {
|
||||
// TODO: support SHA-2 hashes.
|
||||
|
||||
if (hashAlgorithm != DigestAlgorithm::sha1) {
|
||||
// Again, not interested in this response. Consume input, return success.
|
||||
input.SkipToEnd();
|
||||
return Success;
|
||||
}
|
||||
|
||||
if (issuerNameHash.GetLength() != SHA1_DIGEST_LENGTH) {
|
||||
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
|
||||
}
|
||||
|
||||
// From http://tools.ietf.org/html/rfc6960#section-4.1.1:
|
||||
// "The hash shall be calculated over the DER encoding of the
|
||||
// issuer's name field in the certificate being checked."
|
||||
uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES];
|
||||
if (hashAlgorithmLength > sizeof(hashBuf)) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
uint8_t hashBuf[SHA1_DIGEST_LENGTH];
|
||||
rv = context.trustDomain.DigestBuf(context.certID.issuer,
|
||||
hashAlgorithm, hashBuf,
|
||||
hashAlgorithmLength);
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
Input computed;
|
||||
rv = computed.Init(hashBuf, hashAlgorithmLength);
|
||||
DigestAlgorithm::sha1, hashBuf,
|
||||
sizeof(hashBuf));
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
Input computed(hashBuf);
|
||||
if (!InputsAreEqual(computed, issuerNameHash)) {
|
||||
// Again, not interested in this response. Consume input, return success.
|
||||
input.SkipToEnd();
|
||||
return Success;
|
||||
}
|
||||
|
||||
return MatchKeyHash(context.trustDomain, hashAlgorithm, issuerKeyHash,
|
||||
return MatchKeyHash(context.trustDomain, issuerKeyHash,
|
||||
context.certID.issuerSubjectPublicKeyInfo, match);
|
||||
}
|
||||
|
||||
|
@ -768,53 +758,30 @@ CertID(Reader& input, const Context& context, /*out*/ bool& match)
|
|||
// -- BIT STRING subjectPublicKey [excluding
|
||||
// -- the tag, length, and number of unused
|
||||
// -- bits] in the responder's certificate)
|
||||
//
|
||||
// From https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1:
|
||||
// CertID ::= SEQUENCE {
|
||||
// hashAlgorithm AlgorithmIdentifier,
|
||||
// issuerNameHash OCTET STRING, -- Hash of issuer's DN
|
||||
// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
|
||||
// serialNumber CertificateSerialNumber }
|
||||
// ...
|
||||
// o hashAlgorithm is the hash algorithm used to generate the
|
||||
// issuerNameHash and issuerKeyHash values.
|
||||
// ...
|
||||
// o issuerKeyHash is the hash of the issuer's public key. The hash
|
||||
// shall be calculated over the value (excluding tag and length) of
|
||||
// the subject public key field in the issuer's certificate.
|
||||
static Result
|
||||
MatchKeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
|
||||
Input keyHash, const Input subjectPublicKeyInfo,
|
||||
/*out*/ bool& match)
|
||||
MatchKeyHash(TrustDomain& trustDomain, Input keyHash,
|
||||
const Input subjectPublicKeyInfo, /*out*/ bool& match)
|
||||
{
|
||||
size_t hashLength = DigestAlgorithmToSizeInBytes(hashAlgorithm);
|
||||
if (keyHash.GetLength() != hashLength) {
|
||||
if (keyHash.GetLength() != SHA1_DIGEST_LENGTH) {
|
||||
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
|
||||
}
|
||||
static uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES];
|
||||
if (hashLength > MAX_DIGEST_SIZE_IN_BYTES) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
Result rv = KeyHash(trustDomain, hashAlgorithm, subjectPublicKeyInfo,
|
||||
hashBuf, hashLength);
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
Input computed;
|
||||
rv = computed.Init(hashBuf, hashLength);
|
||||
static uint8_t hashBuf[SHA1_DIGEST_LENGTH];
|
||||
Result rv = KeyHash(trustDomain, subjectPublicKeyInfo, hashBuf,
|
||||
sizeof hashBuf);
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
Input computed(hashBuf);
|
||||
match = InputsAreEqual(computed, keyHash);
|
||||
return Success;
|
||||
}
|
||||
|
||||
// TODO(bug 966856): support SHA-2 hashes
|
||||
Result
|
||||
KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
|
||||
const Input subjectPublicKeyInfo, /*out*/ uint8_t* hashBuf,
|
||||
size_t hashBufSize)
|
||||
KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo,
|
||||
/*out*/ uint8_t* hashBuf, size_t hashBufSize)
|
||||
{
|
||||
if (!hashBuf || hashBufSize != DigestAlgorithmToSizeInBytes(hashAlgorithm)) {
|
||||
if (!hashBuf || hashBufSize != SHA1_DIGEST_LENGTH) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
|
||||
|
@ -847,8 +814,8 @@ KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
|
|||
return rv;
|
||||
}
|
||||
|
||||
return trustDomain.DigestBuf(subjectPublicKey, hashAlgorithm, hashBuf,
|
||||
hashBufSize);
|
||||
return trustDomain.DigestBuf(subjectPublicKey, DigestAlgorithm::sha1,
|
||||
hashBuf, hashBufSize);
|
||||
}
|
||||
|
||||
Result
|
||||
|
@ -898,6 +865,8 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
|
|||
// and thus more likely to fit within the 255 byte limit for OCSP GET that
|
||||
// is specified in RFC 5019 Section 5.
|
||||
|
||||
// Bug 966856: Add the id-pkix-ocsp-pref-sig-algs extension.
|
||||
|
||||
// Since we don't know whether the OCSP responder supports anything other
|
||||
// than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and
|
||||
// issuerKeyHash.
|
||||
|
@ -961,8 +930,7 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
|
|||
// reqCert.issuerKeyHash (OCTET STRING)
|
||||
*d++ = 0x04;
|
||||
*d++ = hashLen;
|
||||
rv = KeyHash(trustDomain, DigestAlgorithm::sha1,
|
||||
certID.issuerSubjectPublicKeyInfo, d, hashLen);
|
||||
rv = KeyHash(trustDomain, certID.issuerSubjectPublicKeyInfo, d, hashLen);
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
|
|
|
@ -1272,8 +1272,6 @@ NS_METHOD nsCocoaWindow::SetSizeMode(nsSizeMode aMode)
|
|||
[mWindow deminiaturize:nil];
|
||||
else if (previousMode == nsSizeMode_Maximized && [mWindow isZoomed])
|
||||
[mWindow zoom:nil];
|
||||
else if (previousMode == nsSizeMode_Fullscreen)
|
||||
MakeFullScreen(false);
|
||||
}
|
||||
else if (aMode == nsSizeMode_Minimized) {
|
||||
if (![mWindow isMiniaturized])
|
||||
|
|
Loading…
Reference in New Issue