Macintosh-SW/tenfourfox
1
0
Fork 0
mirror of https://github.com/classilla/tenfourfox.git synced 2024-06-10 18:29:43 +00:00
Code Issues Projects Releases Wiki Activity

revert some upstream changes

Browse Source 
whatever it was broke the titlebar, tabs, etc.
This commit is contained in:
wicknix 2022-04-05 23:35:58 -05:00
parent 01ed7674af
commit 2ecdabc218
15 changed files with 4031 additions and 2367 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
dom/base/nsStructuredCloneContainer.cpp Normal file → Executable file
View File

@ -133,10 +133,6 @@ nsStructuredCloneContainer::GetDataAsBase64(nsAString &aOut)
if (!DataLength()) { if (!DataLength()) {
return NS_ERROR_FAILURE; return NS_ERROR_FAILURE;
} }
CheckedInt<nsAutoCString::size_type> sizeCheck(DataLength());
if (MOZ_UNLIKELY(!sizeCheck.isValid())) {
return NS_ERROR_FAILURE;
}
if (HasClonedDOMObjects()) { if (HasClonedDOMObjects()) {
return NS_ERROR_FAILURE; return NS_ERROR_FAILURE;

12
dom/base/nsTextFragment.cpp Normal file → Executable file
View File

@ -209,11 +209,6 @@ FirstNon8Bit(const char16_t *str, const char16_t *end)
bool bool
nsTextFragment::SetTo(const char16_t* aBuffer, int32_t aLength, bool aUpdateBidi) nsTextFragment::SetTo(const char16_t* aBuffer, int32_t aLength, bool aUpdateBidi)
{ {
if (MOZ_UNLIKELY(aLength < 0 || static_cast<uint32_t>(aLength) >
NS_MAX_TEXT_FRAGMENT_LENGTH)) {
return false;
}
ReleaseText(); ReleaseText();
if (aLength == 0) { if (aLength == 0) {
@ -342,16 +337,9 @@ nsTextFragment::CopyTo(char16_t *aDest, int32_t aOffset, int32_t aCount)
bool bool
nsTextFragment::Append(const char16_t* aBuffer, uint32_t aLength, bool aUpdateBidi) nsTextFragment::Append(const char16_t* aBuffer, uint32_t aLength, bool aUpdateBidi)
{ {
if (!aLength) {
return true;
}
// This is a common case because some callsites create a textnode // This is a common case because some callsites create a textnode
// with a value by creating the node and then calling AppendData. // with a value by creating the node and then calling AppendData.
if (mState.mLength == 0) { if (mState.mLength == 0) {
if (MOZ_UNLIKELY(aLength > INT32_MAX)) {
return false;
}
return SetTo(aBuffer, aLength, aUpdateBidi); return SetTo(aBuffer, aLength, aUpdateBidi);
} }

5
dom/events/EventListenerManager.cpp Normal file → Executable file
View File

@ -24,7 +24,6 @@
#include "mozilla/dom/Element.h" #include "mozilla/dom/Element.h"
#include "mozilla/dom/Event.h" #include "mozilla/dom/Event.h"
#include "mozilla/dom/EventTargetBinding.h" #include "mozilla/dom/EventTargetBinding.h"
#include "mozilla/ScopeExit.h"
#include "mozilla/TimelineConsumers.h" #include "mozilla/TimelineConsumers.h"
#include "mozilla/EventTimelineMarker.h" #include "mozilla/EventTimelineMarker.h"
@ -713,8 +712,6 @@ EventListenerManager::SetEventHandler(nsIAtom* aName,
bool aPermitUntrustedEvents, bool aPermitUntrustedEvents,
Element* aElement) Element* aElement)
{ {
auto removeEventHandler = MakeScopeExit([&] { RemoveEventHandler(aName, EmptyString()); });
nsCOMPtr<nsIDocument> doc; nsCOMPtr<nsIDocument> doc;
nsCOMPtr<nsIScriptGlobalObject> global = nsCOMPtr<nsIScriptGlobalObject> global =
GetScriptGlobalAndDocument(getter_AddRefs(doc)); GetScriptGlobalAndDocument(getter_AddRefs(doc));
@ -789,8 +786,6 @@ EventListenerManager::SetEventHandler(nsIAtom* aName,
NS_ENSURE_TRUE(context, NS_ERROR_FAILURE); NS_ENSURE_TRUE(context, NS_ERROR_FAILURE);
NS_ENSURE_STATE(global->GetGlobalJSObject()); NS_ENSURE_STATE(global->GetGlobalJSObject());
removeEventHandler.release();
Listener* listener = SetEventHandlerInternal(aName, Listener* listener = SetEventHandlerInternal(aName,
EmptyString(), EmptyString(),
TypedEventHandler(), TypedEventHandler(),

3
dom/media/ADTSDemuxer.cpp Normal file → Executable file
View File

@ -852,9 +852,8 @@ ADTSTrackDemuxer::Read(uint8_t* aBuffer, int64_t aOffset, int32_t aSize)
const int64_t streamLen = StreamLength(); const int64_t streamLen = StreamLength();
if (mInfo && streamLen > 0) { if (mInfo && streamLen > 0) {
int64_t max = streamLen > aOffset ? streamLen - aOffset : 0;
// Prevent blocking reads after successful initialization. // Prevent blocking reads after successful initialization.
aSize = std::min<int64_t>(aSize, max); aSize = std::min<int64_t>(aSize, streamLen - aOffset);
} }
uint32_t read = 0; uint32_t read = 0;

3
dom/media/MP3Demuxer.cpp Normal file → Executable file
View File

@ -655,8 +655,7 @@ MP3TrackDemuxer::Read(uint8_t* aBuffer, int64_t aOffset, int32_t aSize) {
const int64_t streamLen = StreamLength(); const int64_t streamLen = StreamLength();
if (mInfo && streamLen > 0) { if (mInfo && streamLen > 0) {
// Prevent blocking reads after successful initialization. // Prevent blocking reads after successful initialization.
uint64_t max = streamLen > aOffset ? streamLen - aOffset : 0; aSize = std::min<int64_t>(aSize, streamLen - aOffset);
aSize = std::min<int64_t>(aSize, max);
} }
uint32_t read = 0; uint32_t read = 0;

2
dom/workers/ScriptLoader.cpp Normal file → Executable file
View File

@ -1993,14 +1993,12 @@ void ReportLoadError(JSContext* aCx, nsresult aLoadResult)
case NS_ERROR_FILE_NOT_FOUND: case NS_ERROR_FILE_NOT_FOUND:
case NS_ERROR_NOT_AVAILABLE: case NS_ERROR_NOT_AVAILABLE:
case NS_ERROR_CORRUPTED_CONTENT:
Throw(aCx, NS_ERROR_DOM_NETWORK_ERR); Throw(aCx, NS_ERROR_DOM_NETWORK_ERR);
break; break;
case NS_ERROR_MALFORMED_URI: case NS_ERROR_MALFORMED_URI:
aLoadResult = NS_ERROR_DOM_SYNTAX_ERR; aLoadResult = NS_ERROR_DOM_SYNTAX_ERR;
// fall through // fall through
case NS_ERROR_DOM_BAD_URI:
case NS_ERROR_DOM_SECURITY_ERR: case NS_ERROR_DOM_SECURITY_ERR:
case NS_ERROR_DOM_SYNTAX_ERR: case NS_ERROR_DOM_SYNTAX_ERR:
Throw(aCx, aLoadResult); Throw(aCx, aLoadResult);

34
dom/xslt/xslt/txMozillaXMLOutput.cpp Normal file → Executable file
View File

@ -236,6 +236,19 @@ txMozillaXMLOutput::endDocument(nsresult aResult)
} }
} }
if (!mRefreshString.IsEmpty()) {
nsPIDOMWindow *win = mDocument->GetWindow();
if (win) {
nsCOMPtr<nsIRefreshURI> refURI =
do_QueryInterface(win->GetDocShell());
if (refURI) {
refURI->SetupRefreshURIFromHeader(mDocument->GetDocBaseURI(),
mDocument->NodePrincipal(),
mRefreshString);
}
}
}
if (mNotifier) { if (mNotifier) {
mNotifier->OnTransformEnd(); mNotifier->OnTransformEnd();
} }
@ -734,13 +747,30 @@ txMozillaXMLOutput::endHTMLElement(nsIContent* aElement)
return NS_OK; return NS_OK;
} }
else if (mCreatingNewDocument && aElement->IsHTMLElement(nsGkAtoms::meta)) {
// handle HTTP-EQUIV data
nsAutoString httpEquiv;
aElement->GetAttr(kNameSpaceID_None, nsGkAtoms::httpEquiv, httpEquiv);
if (!httpEquiv.IsEmpty()) {
nsAutoString value;
aElement->GetAttr(kNameSpaceID_None, nsGkAtoms::content, value);
if (!value.IsEmpty()) {
nsContentUtils::ASCIIToLower(httpEquiv);
nsCOMPtr<nsIAtom> header = do_GetAtom(httpEquiv);
processHTTPEquiv(header, value);
}
}
}
return NS_OK; return NS_OK;
} }
void txMozillaXMLOutput::processHTTPEquiv(nsIAtom* aHeader, const nsString& aValue) void txMozillaXMLOutput::processHTTPEquiv(nsIAtom* aHeader, const nsString& aValue)
{ {
MOZ_CRASH("Don't call processHTTPEquiv, see bug 1746720"); // For now we only handle "refresh". There's a longer list in
// HTMLContentSink::ProcessHeaderData
if (aHeader == nsGkAtoms::refresh)
LossyCopyUTF16toASCII(aValue, mRefreshString);
} }
nsresult nsresult

5911
security/manager/ssl/nsSTSPreloadList.inc Normal file → Executable file
View File

File diff suppressed because it is too large Load Diff

196
security/nss/lib/cryptohi/secvfy.c Normal file → Executable file
View File

@ -164,37 +164,6 @@ verifyPKCS1DigestInfo(const VFYContext *cx, const SECItem *digest)
PR_FALSE /*XXX: unsafeAllowMissingParameters*/); PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
} }
static unsigned int
checkedSignatureLen(const SECKEYPublicKey *pubk)
{
unsigned int sigLen = SECKEY_SignatureLen(pubk);
if (sigLen == 0) {
/* Error set by SECKEY_SignatureLen */
return sigLen;
}
unsigned int maxSigLen;
switch (pubk->keyType) {
case rsaKey:
case rsaPssKey:
maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
break;
case dsaKey:
maxSigLen = DSA_MAX_SIGNATURE_LEN;
break;
case ecKey:
maxSigLen = 2 * MAX_ECKEY_LEN;
break;
default:
PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
return 0;
}
if (sigLen > maxSigLen) {
PORT_SetError(SEC_ERROR_INVALID_KEY);
return 0;
}
return sigLen;
}
/* /*
* decode the ECDSA or DSA signature from it's DER wrapping. * decode the ECDSA or DSA signature from it's DER wrapping.
* The unwrapped/raw signature is placed in the buffer pointed * The unwrapped/raw signature is placed in the buffer pointed
@ -205,38 +174,38 @@ decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig,
unsigned int len) unsigned int len)
{ {
SECItem *dsasig = NULL; /* also used for ECDSA */ SECItem *dsasig = NULL; /* also used for ECDSA */
SECStatus rv = SECSuccess;
/* Safety: Ensure algId is as expected and that signature size is within maxmimums */ if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) { (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
if (len > DSA_MAX_SIGNATURE_LEN) { if (sig->len != len) {
goto loser; PORT_SetError(SEC_ERROR_BAD_DER);
return SECFailure;
} }
} else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
PORT_Memcpy(dsig, sig->data, sig->len);
return SECSuccess;
}
if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
if (len > MAX_ECKEY_LEN * 2) { if (len > MAX_ECKEY_LEN * 2) {
goto loser; PORT_SetError(SEC_ERROR_BAD_DER);
return SECFailure;
} }
} else {
goto loser;
} }
/* Decode and pad to length */
dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
if (dsasig == NULL) {
goto loser; if ((dsasig == NULL) || (dsasig->len != len)) {
rv = SECFailure;
} else {
PORT_Memcpy(dsig, dsasig->data, dsasig->len);
} }
if (dsasig->len != len) {
if (dsasig != NULL)
SECITEM_FreeItem(dsasig, PR_TRUE); SECITEM_FreeItem(dsasig, PR_TRUE);
goto loser; if (rv == SECFailure)
} PORT_SetError(SEC_ERROR_BAD_DER);
return rv;
PORT_Memcpy(dsig, dsasig->data, len);
SECITEM_FreeItem(dsasig, PR_TRUE);
return SECSuccess;
loser:
PORT_SetError(SEC_ERROR_BAD_DER);
return SECFailure;
} }
const SEC_ASN1Template hashParameterTemplate[] = const SEC_ASN1Template hashParameterTemplate[] =
@ -262,7 +231,7 @@ SECStatus
sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg) const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg)
{ {
unsigned int len; int len;
PLArenaPool *arena; PLArenaPool *arena;
SECStatus rv; SECStatus rv;
SECItem oid; SECItem oid;
@ -477,52 +446,48 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
cx->pkcs1RSADigestInfo = NULL; cx->pkcs1RSADigestInfo = NULL;
rv = SECSuccess; rv = SECSuccess;
if (sig) { if (sig) {
rv = SECFailure; switch (type) {
if (type == rsaKey) { case rsaKey:
rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg, rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
&cx->pkcs1RSADigestInfo, &cx->pkcs1RSADigestInfo,
&cx->pkcs1RSADigestInfoLen, &cx->pkcs1RSADigestInfoLen,
cx->key, cx->key,
sig, wincx); sig, wincx);
} else { break;
sigLen = checkedSignatureLen(key); case rsaPssKey:
/* Check signature length is within limits */ sigLen = SECKEY_SignatureLen(key);
if (sigLen == 0) { if (sigLen == 0) {
/* error set by checkedSignatureLen */ /* error set by SECKEY_SignatureLen */
rv = SECFailure;
goto loser;
}
if (sigLen > sizeof(cx->u)) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
rv = SECFailure;
goto loser;
}
switch (type) {
case rsaPssKey:
if (sig->len != sigLen) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
rv = SECFailure;
goto loser;
}
PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
rv = SECSuccess;
break;
case ecKey:
case dsaKey:
/* decodeECorDSASignature will check sigLen == sig->len after padding */
rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
break;
default:
/* Unreachable */
rv = SECFailure; rv = SECFailure;
goto loser; break;
} }
} if (sig->len != sigLen) {
if (rv != SECSuccess) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
goto loser; rv = SECFailure;
break;
}
PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
break;
case dsaKey:
case ecKey:
sigLen = SECKEY_SignatureLen(key);
if (sigLen == 0) {
/* error set by SECKEY_SignatureLen */
rv = SECFailure;
break;
}
rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
break;
default:
rv = SECFailure;
PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
break;
} }
} }
if (rv)
goto loser;
/* check hash alg again, RSA may have changed it.*/ /* check hash alg again, RSA may have changed it.*/
if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) { if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
/* error set by HASH_GetHashTypeByOidTag */ /* error set by HASH_GetHashTypeByOidTag */
@ -657,16 +622,11 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
switch (cx->key->keyType) { switch (cx->key->keyType) {
case ecKey: case ecKey:
case dsaKey: case dsaKey:
dsasig.len = checkedSignatureLen(cx->key); dsasig.data = cx->u.buffer;
dsasig.len = SECKEY_SignatureLen(cx->key);
if (dsasig.len == 0) { if (dsasig.len == 0) {
return SECFailure; return SECFailure;
} }
if (dsasig.len > sizeof(cx->u)) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
return SECFailure;
}
dsasig.data = cx->u.buffer;
if (sig) { if (sig) {
rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data, rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
dsasig.len); dsasig.len);
@ -698,13 +658,8 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
} }
rsasig.data = cx->u.buffer; rsasig.data = cx->u.buffer;
rsasig.len = checkedSignatureLen(cx->key); rsasig.len = SECKEY_SignatureLen(cx->key);
if (rsasig.len == 0) { if (rsasig.len == 0) {
/* Error set by checkedSignatureLen */
return SECFailure;
}
if (rsasig.len > sizeof(cx->u)) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
return SECFailure; return SECFailure;
} }
if (sig) { if (sig) {
@ -766,6 +721,7 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
SECStatus rv; SECStatus rv;
VFYContext *cx; VFYContext *cx;
SECItem dsasig; /* also used for ECDSA */ SECItem dsasig; /* also used for ECDSA */
rv = SECFailure; rv = SECFailure;
cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx); cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
@ -773,25 +729,19 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
switch (key->keyType) { switch (key->keyType) {
case rsaKey: case rsaKey:
rv = verifyPKCS1DigestInfo(cx, digest); rv = verifyPKCS1DigestInfo(cx, digest);
/* Error (if any) set by verifyPKCS1DigestInfo */
break; break;
case ecKey:
case dsaKey: case dsaKey:
case ecKey:
dsasig.data = cx->u.buffer; dsasig.data = cx->u.buffer;
dsasig.len = checkedSignatureLen(cx->key); dsasig.len = SECKEY_SignatureLen(cx->key);
if (dsasig.len == 0) { if (dsasig.len == 0) {
/* Error set by checkedSignatureLen */
rv = SECFailure;
break; break;
} }
if (dsasig.len > sizeof(cx->u)) { if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
PORT_SetError(SEC_ERROR_BAD_SIGNATURE); SECSuccess) {
rv = SECFailure;
break;
}
rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE); PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
} else {
rv = SECSuccess;
} }
break; break;
default: default:

14
security/nss/lib/mozpkix/include/pkix/pkixutil.h Normal file → Executable file
View File

@ -259,20 +259,6 @@ Result CheckSubjectPublicKeyInfo(Input subjectPublicKeyInfo,
#else #else
#error Unsupported compiler for MOZILLA_PKIX_UNREACHABLE_DEFAULT. #error Unsupported compiler for MOZILLA_PKIX_UNREACHABLE_DEFAULT.
#endif #endif
inline size_t DigestAlgorithmToSizeInBytes(DigestAlgorithm digestAlgorithm) {
switch (digestAlgorithm) {
case DigestAlgorithm::sha1:
return 160 / 8;
case DigestAlgorithm::sha256:
return 256 / 8;
case DigestAlgorithm::sha384:
return 384 / 8;
case DigestAlgorithm::sha512:
return 512 / 8;
MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
}
}
} }
} // namespace mozilla::pkix } // namespace mozilla::pkix

92
security/nss/lib/mozpkix/lib/pkixocsp.cpp Normal file → Executable file
View File

@ -28,6 +28,12 @@
#include "mozpkix/pkixcheck.h" #include "mozpkix/pkixcheck.h"
#include "mozpkix/pkixutil.h" #include "mozpkix/pkixutil.h"
namespace {
const size_t SHA1_DIGEST_LENGTH = 160 / 8;
} // namespace
namespace mozilla { namespace pkix { namespace mozilla { namespace pkix {
// These values correspond to the tag values in the ASN.1 CertStatus // These values correspond to the tag values in the ASN.1 CertStatus
@ -175,12 +181,10 @@ static inline Result MatchCertID(Reader& input,
const Context& context, const Context& context,
/*out*/ bool& match); /*out*/ bool& match);
static Result MatchKeyHash(TrustDomain& trustDomain, static Result MatchKeyHash(TrustDomain& trustDomain,
DigestAlgorithm hashAlgorithm,
Input issuerKeyHash, Input issuerKeyHash,
Input issuerSubjectPublicKeyInfo, Input issuerSubjectPublicKeyInfo,
/*out*/ bool& match); /*out*/ bool& match);
static Result KeyHash(TrustDomain& trustDomain, static Result KeyHash(TrustDomain& trustDomain,
DigestAlgorithm hashAlgorithm,
Input subjectPublicKeyInfo, Input subjectPublicKeyInfo,
/*out*/ uint8_t* hashBuf, size_t hashBufSize); /*out*/ uint8_t* hashBuf, size_t hashBufSize);
@ -209,7 +213,7 @@ MatchResponderID(TrustDomain& trustDomain,
if (rv != Success) { if (rv != Success) {
return rv; return rv;
} }
return MatchKeyHash(trustDomain, DigestAlgorithm::sha1, keyHash, return MatchKeyHash(trustDomain, keyHash,
potentialSignerSubjectPublicKeyInfo, match); potentialSignerSubjectPublicKeyInfo, match);
} }
@ -737,36 +741,36 @@ MatchCertID(Reader& input, const Context& context, /*out*/ bool& match)
return Success; return Success;
} }
size_t hashAlgorithmLength = DigestAlgorithmToSizeInBytes(hashAlgorithm); // TODO: support SHA-2 hashes.
if (issuerNameHash.GetLength() != hashAlgorithmLength) {
if (hashAlgorithm != DigestAlgorithm::sha1) {
// Again, not interested in this response. Consume input, return success.
input.SkipToEnd();
return Success;
}
if (issuerNameHash.GetLength() != SHA1_DIGEST_LENGTH) {
return Result::ERROR_OCSP_MALFORMED_RESPONSE; return Result::ERROR_OCSP_MALFORMED_RESPONSE;
} }
// From http://tools.ietf.org/html/rfc6960#section-4.1.1: // From http://tools.ietf.org/html/rfc6960#section-4.1.1:
// "The hash shall be calculated over the DER encoding of the // "The hash shall be calculated over the DER encoding of the
// issuer's name field in the certificate being checked." // issuer's name field in the certificate being checked."
uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES]; uint8_t hashBuf[SHA1_DIGEST_LENGTH];
if (hashAlgorithmLength > sizeof(hashBuf)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
rv = context.trustDomain.DigestBuf(context.certID.issuer, rv = context.trustDomain.DigestBuf(context.certID.issuer,
hashAlgorithm, hashBuf, DigestAlgorithm::sha1, hashBuf,
hashAlgorithmLength); sizeof(hashBuf));
if (rv != Success) {
return rv;
}
Input computed;
rv = computed.Init(hashBuf, hashAlgorithmLength);
if (rv != Success) { if (rv != Success) {
return rv; return rv;
} }
Input computed(hashBuf);
if (!InputsAreEqual(computed, issuerNameHash)) { if (!InputsAreEqual(computed, issuerNameHash)) {
// Again, not interested in this response. Consume input, return success. // Again, not interested in this response. Consume input, return success.
input.SkipToEnd(); input.SkipToEnd();
return Success; return Success;
} }
return MatchKeyHash(context.trustDomain, hashAlgorithm, issuerKeyHash, return MatchKeyHash(context.trustDomain, issuerKeyHash,
context.certID.issuerSubjectPublicKeyInfo, match); context.certID.issuerSubjectPublicKeyInfo, match);
} }
@ -780,53 +784,30 @@ MatchCertID(Reader& input, const Context& context, /*out*/ bool& match)
// -- BIT STRING subjectPublicKey [excluding // -- BIT STRING subjectPublicKey [excluding
// -- the tag, length, and number of unused // -- the tag, length, and number of unused
// -- bits] in the responder's certificate) // -- bits] in the responder's certificate)
//
// From https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1:
// CertID ::= SEQUENCE {
// hashAlgorithm AlgorithmIdentifier,
// issuerNameHash OCTET STRING, -- Hash of issuer's DN
// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
// serialNumber CertificateSerialNumber }
// ...
// o hashAlgorithm is the hash algorithm used to generate the
// issuerNameHash and issuerKeyHash values.
// ...
// o issuerKeyHash is the hash of the issuer's public key. The hash
// shall be calculated over the value (excluding tag and length) of
// the subject public key field in the issuer's certificate.
static Result static Result
MatchKeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm, MatchKeyHash(TrustDomain& trustDomain, Input keyHash,
Input keyHash, const Input subjectPublicKeyInfo, const Input subjectPublicKeyInfo, /*out*/ bool& match)
/*out*/ bool& match)
{ {
size_t hashLength = DigestAlgorithmToSizeInBytes(hashAlgorithm); if (keyHash.GetLength() != SHA1_DIGEST_LENGTH) {
if (keyHash.GetLength() != hashLength) {
return Result::ERROR_OCSP_MALFORMED_RESPONSE; return Result::ERROR_OCSP_MALFORMED_RESPONSE;
} }
uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES]; uint8_t hashBuf[SHA1_DIGEST_LENGTH];
if (hashLength > MAX_DIGEST_SIZE_IN_BYTES) { Result rv = KeyHash(trustDomain, subjectPublicKeyInfo, hashBuf,
return Result::FATAL_ERROR_LIBRARY_FAILURE; sizeof hashBuf);
}
Result rv = KeyHash(trustDomain, hashAlgorithm, subjectPublicKeyInfo,
hashBuf, hashLength);
if (rv != Success) {
return rv;
}
Input computed;
rv = computed.Init(hashBuf, hashLength);
if (rv != Success) { if (rv != Success) {
return rv; return rv;
} }
Input computed(hashBuf);
match = InputsAreEqual(computed, keyHash); match = InputsAreEqual(computed, keyHash);
return Success; return Success;
} }
// TODO(bug 966856): support SHA-2 hashes
Result Result
KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm, KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo,
const Input subjectPublicKeyInfo, /*out*/ uint8_t* hashBuf, /*out*/ uint8_t* hashBuf, size_t hashBufSize)
size_t hashBufSize)
{ {
if (!hashBuf || hashBufSize != DigestAlgorithmToSizeInBytes(hashAlgorithm)) { if (!hashBuf || hashBufSize != SHA1_DIGEST_LENGTH) {
return Result::FATAL_ERROR_LIBRARY_FAILURE; return Result::FATAL_ERROR_LIBRARY_FAILURE;
} }
@ -859,8 +840,8 @@ KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
return rv; return rv;
} }
return trustDomain.DigestBuf(subjectPublicKey, hashAlgorithm, hashBuf, return trustDomain.DigestBuf(subjectPublicKey, DigestAlgorithm::sha1,
hashBufSize); hashBuf, hashBufSize);
} }
Result Result
@ -940,6 +921,8 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
// and thus more likely to fit within the 255 byte limit for OCSP GET that // and thus more likely to fit within the 255 byte limit for OCSP GET that
// is specified in RFC 5019 Section 5. // is specified in RFC 5019 Section 5.
// Bug 966856: Add the id-pkix-ocsp-pref-sig-algs extension.
// Since we don't know whether the OCSP responder supports anything other // Since we don't know whether the OCSP responder supports anything other
// than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and // than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and
// issuerKeyHash. // issuerKeyHash.
@ -1003,8 +986,7 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
// reqCert.issuerKeyHash (OCTET STRING) // reqCert.issuerKeyHash (OCTET STRING)
*d++ = 0x04; *d++ = 0x04;
*d++ = hashLen; *d++ = hashLen;
rv = KeyHash(trustDomain, DigestAlgorithm::sha1, rv = KeyHash(trustDomain, certID.issuerSubjectPublicKeyInfo, d, hashLen);
certID.issuerSubjectPublicKeyInfo, d, hashLen);
if (rv != Success) { if (rv != Success) {
return rv; return rv;
} }

9
security/nss/lib/mozpkix/lib/pkixverify.cpp Normal file → Executable file
View File

@ -43,7 +43,14 @@ DigestSignedData(TrustDomain& trustDomain,
return Result::ERROR_BAD_DER; return Result::ERROR_BAD_DER;
} }
size_t digestLen = DigestAlgorithmToSizeInBytes(signedDigest.digestAlgorithm); size_t digestLen;
switch (signedDigest.digestAlgorithm) {
case DigestAlgorithm::sha512: digestLen = 512 / 8; break;
case DigestAlgorithm::sha384: digestLen = 384 / 8; break;
case DigestAlgorithm::sha256: digestLen = 256 / 8; break;
case DigestAlgorithm::sha1: digestLen = 160 / 8; break;
MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
}
assert(digestLen <= sizeof(digestBuf)); assert(digestLen <= sizeof(digestBuf));
rv = trustDomain.DigestBuf(signedData.data, signedDigest.digestAlgorithm, rv = trustDomain.DigestBuf(signedData.data, signedDigest.digestAlgorithm,

5
security/nss/lib/pkcs7/certread.c Normal file → Executable file
View File

@ -139,11 +139,6 @@ SEC_ReadPKCS7Certs(SECItem *pkcs7Item, CERTImportCertificateFunc f, void *arg)
goto done; goto done;
} }
if (contentInfo.content.signedData == NULL) {
PORT_SetError(SEC_ERROR_BAD_DER);
goto done;
}
rv = SECSuccess; rv = SECSuccess;
certs = contentInfo.content.signedData->certificates; certs = contentInfo.content.signedData->certificates;

106
security/pkix/lib/pkixocsp.cpp Normal file → Executable file
View File

@ -28,21 +28,13 @@
#include "pkixcheck.h" #include "pkixcheck.h"
#include "pkixutil.h" #include "pkixutil.h"
namespace mozilla { namespace pkix { namespace {
inline size_t DigestAlgorithmToSizeInBytes(DigestAlgorithm digestAlgorithm) { const size_t SHA1_DIGEST_LENGTH = 160 / 8;
switch (digestAlgorithm) {
case DigestAlgorithm::sha1: } // unnamed namespace
return 160 / 8;
case DigestAlgorithm::sha256: namespace mozilla { namespace pkix {
return 256 / 8;
case DigestAlgorithm::sha384:
return 384 / 8;
case DigestAlgorithm::sha512:
return 512 / 8;
MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
}
}
// These values correspond to the tag values in the ASN.1 CertStatus // These values correspond to the tag values in the ASN.1 CertStatus
enum class CertStatus : uint8_t { enum class CertStatus : uint8_t {
@ -180,12 +172,10 @@ static inline Result CertID(Reader& input,
const Context& context, const Context& context,
/*out*/ bool& match); /*out*/ bool& match);
static Result MatchKeyHash(TrustDomain& trustDomain, static Result MatchKeyHash(TrustDomain& trustDomain,
DigestAlgorithm hashAlgorithm,
Input issuerKeyHash, Input issuerKeyHash,
Input issuerSubjectPublicKeyInfo, Input issuerSubjectPublicKeyInfo,
/*out*/ bool& match); /*out*/ bool& match);
static Result KeyHash(TrustDomain& trustDomain, static Result KeyHash(TrustDomain& trustDomain,
DigestAlgorithm hashAlgorithm,
Input subjectPublicKeyInfo, Input subjectPublicKeyInfo,
/*out*/ uint8_t* hashBuf, size_t hashBufSize); /*out*/ uint8_t* hashBuf, size_t hashBufSize);
@ -214,7 +204,7 @@ MatchResponderID(TrustDomain& trustDomain,
if (rv != Success) { if (rv != Success) {
return rv; return rv;
} }
return MatchKeyHash(trustDomain, DigestAlgorithm::sha1, keyHash, return MatchKeyHash(trustDomain, keyHash,
potentialSignerSubjectPublicKeyInfo, match); potentialSignerSubjectPublicKeyInfo, match);
} }
@ -725,36 +715,36 @@ CertID(Reader& input, const Context& context, /*out*/ bool& match)
return Success; return Success;
} }
size_t hashAlgorithmLength = DigestAlgorithmToSizeInBytes(hashAlgorithm); // TODO: support SHA-2 hashes.
if (issuerNameHash.GetLength() != hashAlgorithmLength) {
if (hashAlgorithm != DigestAlgorithm::sha1) {
// Again, not interested in this response. Consume input, return success.
input.SkipToEnd();
return Success;
}
if (issuerNameHash.GetLength() != SHA1_DIGEST_LENGTH) {
return Result::ERROR_OCSP_MALFORMED_RESPONSE; return Result::ERROR_OCSP_MALFORMED_RESPONSE;
} }
// From http://tools.ietf.org/html/rfc6960#section-4.1.1: // From http://tools.ietf.org/html/rfc6960#section-4.1.1:
// "The hash shall be calculated over the DER encoding of the // "The hash shall be calculated over the DER encoding of the
// issuer's name field in the certificate being checked." // issuer's name field in the certificate being checked."
uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES]; uint8_t hashBuf[SHA1_DIGEST_LENGTH];
if (hashAlgorithmLength > sizeof(hashBuf)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
rv = context.trustDomain.DigestBuf(context.certID.issuer, rv = context.trustDomain.DigestBuf(context.certID.issuer,
hashAlgorithm, hashBuf, DigestAlgorithm::sha1, hashBuf,
hashAlgorithmLength); sizeof(hashBuf));
if (rv != Success) {
return rv;
}
Input computed;
rv = computed.Init(hashBuf, hashAlgorithmLength);
if (rv != Success) { if (rv != Success) {
return rv; return rv;
} }
Input computed(hashBuf);
if (!InputsAreEqual(computed, issuerNameHash)) { if (!InputsAreEqual(computed, issuerNameHash)) {
// Again, not interested in this response. Consume input, return success. // Again, not interested in this response. Consume input, return success.
input.SkipToEnd(); input.SkipToEnd();
return Success; return Success;
} }
return MatchKeyHash(context.trustDomain, hashAlgorithm, issuerKeyHash, return MatchKeyHash(context.trustDomain, issuerKeyHash,
context.certID.issuerSubjectPublicKeyInfo, match); context.certID.issuerSubjectPublicKeyInfo, match);
} }
@ -768,53 +758,30 @@ CertID(Reader& input, const Context& context, /*out*/ bool& match)
// -- BIT STRING subjectPublicKey [excluding // -- BIT STRING subjectPublicKey [excluding
// -- the tag, length, and number of unused // -- the tag, length, and number of unused
// -- bits] in the responder's certificate) // -- bits] in the responder's certificate)
//
// From https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1:
// CertID ::= SEQUENCE {
// hashAlgorithm AlgorithmIdentifier,
// issuerNameHash OCTET STRING, -- Hash of issuer's DN
// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
// serialNumber CertificateSerialNumber }
// ...
// o hashAlgorithm is the hash algorithm used to generate the
// issuerNameHash and issuerKeyHash values.
// ...
// o issuerKeyHash is the hash of the issuer's public key. The hash
// shall be calculated over the value (excluding tag and length) of
// the subject public key field in the issuer's certificate.
static Result static Result
MatchKeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm, MatchKeyHash(TrustDomain& trustDomain, Input keyHash,
Input keyHash, const Input subjectPublicKeyInfo, const Input subjectPublicKeyInfo, /*out*/ bool& match)
/*out*/ bool& match)
{ {
size_t hashLength = DigestAlgorithmToSizeInBytes(hashAlgorithm); if (keyHash.GetLength() != SHA1_DIGEST_LENGTH) {
if (keyHash.GetLength() != hashLength) {
return Result::ERROR_OCSP_MALFORMED_RESPONSE; return Result::ERROR_OCSP_MALFORMED_RESPONSE;
} }
static uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES]; static uint8_t hashBuf[SHA1_DIGEST_LENGTH];
if (hashLength > MAX_DIGEST_SIZE_IN_BYTES) { Result rv = KeyHash(trustDomain, subjectPublicKeyInfo, hashBuf,
return Result::FATAL_ERROR_LIBRARY_FAILURE; sizeof hashBuf);
}
Result rv = KeyHash(trustDomain, hashAlgorithm, subjectPublicKeyInfo,
hashBuf, hashLength);
if (rv != Success) {
return rv;
}
Input computed;
rv = computed.Init(hashBuf, hashLength);
if (rv != Success) { if (rv != Success) {
return rv; return rv;
} }
Input computed(hashBuf);
match = InputsAreEqual(computed, keyHash); match = InputsAreEqual(computed, keyHash);
return Success; return Success;
} }
// TODO(bug 966856): support SHA-2 hashes
Result Result
KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm, KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo,
const Input subjectPublicKeyInfo, /*out*/ uint8_t* hashBuf, /*out*/ uint8_t* hashBuf, size_t hashBufSize)
size_t hashBufSize)
{ {
if (!hashBuf || hashBufSize != DigestAlgorithmToSizeInBytes(hashAlgorithm)) { if (!hashBuf || hashBufSize != SHA1_DIGEST_LENGTH) {
return Result::FATAL_ERROR_LIBRARY_FAILURE; return Result::FATAL_ERROR_LIBRARY_FAILURE;
} }
@ -847,8 +814,8 @@ KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
return rv; return rv;
} }
return trustDomain.DigestBuf(subjectPublicKey, hashAlgorithm, hashBuf, return trustDomain.DigestBuf(subjectPublicKey, DigestAlgorithm::sha1,
hashBufSize); hashBuf, hashBufSize);
} }
Result Result
@ -898,6 +865,8 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
// and thus more likely to fit within the 255 byte limit for OCSP GET that // and thus more likely to fit within the 255 byte limit for OCSP GET that
// is specified in RFC 5019 Section 5. // is specified in RFC 5019 Section 5.
// Bug 966856: Add the id-pkix-ocsp-pref-sig-algs extension.
// Since we don't know whether the OCSP responder supports anything other // Since we don't know whether the OCSP responder supports anything other
// than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and // than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and
// issuerKeyHash. // issuerKeyHash.
@ -961,8 +930,7 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
// reqCert.issuerKeyHash (OCTET STRING) // reqCert.issuerKeyHash (OCTET STRING)
*d++ = 0x04; *d++ = 0x04;
*d++ = hashLen; *d++ = hashLen;
rv = KeyHash(trustDomain, DigestAlgorithm::sha1, rv = KeyHash(trustDomain, certID.issuerSubjectPublicKeyInfo, d, hashLen);
certID.issuerSubjectPublicKeyInfo, d, hashLen);
if (rv != Success) { if (rv != Success) {
return rv; return rv;
} }

2
widget/cocoa/nsCocoaWindow.mm Normal file → Executable file
View File

@ -1272,8 +1272,6 @@ NS_METHOD nsCocoaWindow::SetSizeMode(nsSizeMode aMode)
[mWindow deminiaturize:nil]; [mWindow deminiaturize:nil];
else if (previousMode == nsSizeMode_Maximized && [mWindow isZoomed]) else if (previousMode == nsSizeMode_Maximized && [mWindow isZoomed])
[mWindow zoom:nil]; [mWindow zoom:nil];
else if (previousMode == nsSizeMode_Fullscreen)
MakeFullScreen(false);
} }
else if (aMode == nsSizeMode_Minimized) { else if (aMode == nsSizeMode_Minimized) {
if (![mWindow isMiniaturized]) if (![mWindow isMiniaturized])