mirror of
https://github.com/classilla/tenfourfox.git
synced 2024-06-10 18:29:43 +00:00
revert some upstream changes
whatever it was broke the titlebar, tabs, etc.
This commit is contained in:
parent
01ed7674af
commit
2ecdabc218
4
dom/base/nsStructuredCloneContainer.cpp
Normal file → Executable file
4
dom/base/nsStructuredCloneContainer.cpp
Normal file → Executable file
|
@ -133,10 +133,6 @@ nsStructuredCloneContainer::GetDataAsBase64(nsAString &aOut)
|
||||||
if (!DataLength()) {
|
if (!DataLength()) {
|
||||||
return NS_ERROR_FAILURE;
|
return NS_ERROR_FAILURE;
|
||||||
}
|
}
|
||||||
CheckedInt<nsAutoCString::size_type> sizeCheck(DataLength());
|
|
||||||
if (MOZ_UNLIKELY(!sizeCheck.isValid())) {
|
|
||||||
return NS_ERROR_FAILURE;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (HasClonedDOMObjects()) {
|
if (HasClonedDOMObjects()) {
|
||||||
return NS_ERROR_FAILURE;
|
return NS_ERROR_FAILURE;
|
||||||
|
|
12
dom/base/nsTextFragment.cpp
Normal file → Executable file
12
dom/base/nsTextFragment.cpp
Normal file → Executable file
|
@ -209,11 +209,6 @@ FirstNon8Bit(const char16_t *str, const char16_t *end)
|
||||||
bool
|
bool
|
||||||
nsTextFragment::SetTo(const char16_t* aBuffer, int32_t aLength, bool aUpdateBidi)
|
nsTextFragment::SetTo(const char16_t* aBuffer, int32_t aLength, bool aUpdateBidi)
|
||||||
{
|
{
|
||||||
if (MOZ_UNLIKELY(aLength < 0 || static_cast<uint32_t>(aLength) >
|
|
||||||
NS_MAX_TEXT_FRAGMENT_LENGTH)) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
ReleaseText();
|
ReleaseText();
|
||||||
|
|
||||||
if (aLength == 0) {
|
if (aLength == 0) {
|
||||||
|
@ -342,16 +337,9 @@ nsTextFragment::CopyTo(char16_t *aDest, int32_t aOffset, int32_t aCount)
|
||||||
bool
|
bool
|
||||||
nsTextFragment::Append(const char16_t* aBuffer, uint32_t aLength, bool aUpdateBidi)
|
nsTextFragment::Append(const char16_t* aBuffer, uint32_t aLength, bool aUpdateBidi)
|
||||||
{
|
{
|
||||||
if (!aLength) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
// This is a common case because some callsites create a textnode
|
// This is a common case because some callsites create a textnode
|
||||||
// with a value by creating the node and then calling AppendData.
|
// with a value by creating the node and then calling AppendData.
|
||||||
if (mState.mLength == 0) {
|
if (mState.mLength == 0) {
|
||||||
if (MOZ_UNLIKELY(aLength > INT32_MAX)) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
return SetTo(aBuffer, aLength, aUpdateBidi);
|
return SetTo(aBuffer, aLength, aUpdateBidi);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
5
dom/events/EventListenerManager.cpp
Normal file → Executable file
5
dom/events/EventListenerManager.cpp
Normal file → Executable file
|
@ -24,7 +24,6 @@
|
||||||
#include "mozilla/dom/Element.h"
|
#include "mozilla/dom/Element.h"
|
||||||
#include "mozilla/dom/Event.h"
|
#include "mozilla/dom/Event.h"
|
||||||
#include "mozilla/dom/EventTargetBinding.h"
|
#include "mozilla/dom/EventTargetBinding.h"
|
||||||
#include "mozilla/ScopeExit.h"
|
|
||||||
#include "mozilla/TimelineConsumers.h"
|
#include "mozilla/TimelineConsumers.h"
|
||||||
#include "mozilla/EventTimelineMarker.h"
|
#include "mozilla/EventTimelineMarker.h"
|
||||||
|
|
||||||
|
@ -713,8 +712,6 @@ EventListenerManager::SetEventHandler(nsIAtom* aName,
|
||||||
bool aPermitUntrustedEvents,
|
bool aPermitUntrustedEvents,
|
||||||
Element* aElement)
|
Element* aElement)
|
||||||
{
|
{
|
||||||
auto removeEventHandler = MakeScopeExit([&] { RemoveEventHandler(aName, EmptyString()); });
|
|
||||||
|
|
||||||
nsCOMPtr<nsIDocument> doc;
|
nsCOMPtr<nsIDocument> doc;
|
||||||
nsCOMPtr<nsIScriptGlobalObject> global =
|
nsCOMPtr<nsIScriptGlobalObject> global =
|
||||||
GetScriptGlobalAndDocument(getter_AddRefs(doc));
|
GetScriptGlobalAndDocument(getter_AddRefs(doc));
|
||||||
|
@ -789,8 +786,6 @@ EventListenerManager::SetEventHandler(nsIAtom* aName,
|
||||||
NS_ENSURE_TRUE(context, NS_ERROR_FAILURE);
|
NS_ENSURE_TRUE(context, NS_ERROR_FAILURE);
|
||||||
NS_ENSURE_STATE(global->GetGlobalJSObject());
|
NS_ENSURE_STATE(global->GetGlobalJSObject());
|
||||||
|
|
||||||
removeEventHandler.release();
|
|
||||||
|
|
||||||
Listener* listener = SetEventHandlerInternal(aName,
|
Listener* listener = SetEventHandlerInternal(aName,
|
||||||
EmptyString(),
|
EmptyString(),
|
||||||
TypedEventHandler(),
|
TypedEventHandler(),
|
||||||
|
|
3
dom/media/ADTSDemuxer.cpp
Normal file → Executable file
3
dom/media/ADTSDemuxer.cpp
Normal file → Executable file
|
@ -852,9 +852,8 @@ ADTSTrackDemuxer::Read(uint8_t* aBuffer, int64_t aOffset, int32_t aSize)
|
||||||
|
|
||||||
const int64_t streamLen = StreamLength();
|
const int64_t streamLen = StreamLength();
|
||||||
if (mInfo && streamLen > 0) {
|
if (mInfo && streamLen > 0) {
|
||||||
int64_t max = streamLen > aOffset ? streamLen - aOffset : 0;
|
|
||||||
// Prevent blocking reads after successful initialization.
|
// Prevent blocking reads after successful initialization.
|
||||||
aSize = std::min<int64_t>(aSize, max);
|
aSize = std::min<int64_t>(aSize, streamLen - aOffset);
|
||||||
}
|
}
|
||||||
|
|
||||||
uint32_t read = 0;
|
uint32_t read = 0;
|
||||||
|
|
3
dom/media/MP3Demuxer.cpp
Normal file → Executable file
3
dom/media/MP3Demuxer.cpp
Normal file → Executable file
|
@ -655,8 +655,7 @@ MP3TrackDemuxer::Read(uint8_t* aBuffer, int64_t aOffset, int32_t aSize) {
|
||||||
const int64_t streamLen = StreamLength();
|
const int64_t streamLen = StreamLength();
|
||||||
if (mInfo && streamLen > 0) {
|
if (mInfo && streamLen > 0) {
|
||||||
// Prevent blocking reads after successful initialization.
|
// Prevent blocking reads after successful initialization.
|
||||||
uint64_t max = streamLen > aOffset ? streamLen - aOffset : 0;
|
aSize = std::min<int64_t>(aSize, streamLen - aOffset);
|
||||||
aSize = std::min<int64_t>(aSize, max);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
uint32_t read = 0;
|
uint32_t read = 0;
|
||||||
|
|
2
dom/workers/ScriptLoader.cpp
Normal file → Executable file
2
dom/workers/ScriptLoader.cpp
Normal file → Executable file
|
@ -1993,14 +1993,12 @@ void ReportLoadError(JSContext* aCx, nsresult aLoadResult)
|
||||||
|
|
||||||
case NS_ERROR_FILE_NOT_FOUND:
|
case NS_ERROR_FILE_NOT_FOUND:
|
||||||
case NS_ERROR_NOT_AVAILABLE:
|
case NS_ERROR_NOT_AVAILABLE:
|
||||||
case NS_ERROR_CORRUPTED_CONTENT:
|
|
||||||
Throw(aCx, NS_ERROR_DOM_NETWORK_ERR);
|
Throw(aCx, NS_ERROR_DOM_NETWORK_ERR);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case NS_ERROR_MALFORMED_URI:
|
case NS_ERROR_MALFORMED_URI:
|
||||||
aLoadResult = NS_ERROR_DOM_SYNTAX_ERR;
|
aLoadResult = NS_ERROR_DOM_SYNTAX_ERR;
|
||||||
// fall through
|
// fall through
|
||||||
case NS_ERROR_DOM_BAD_URI:
|
|
||||||
case NS_ERROR_DOM_SECURITY_ERR:
|
case NS_ERROR_DOM_SECURITY_ERR:
|
||||||
case NS_ERROR_DOM_SYNTAX_ERR:
|
case NS_ERROR_DOM_SYNTAX_ERR:
|
||||||
Throw(aCx, aLoadResult);
|
Throw(aCx, aLoadResult);
|
||||||
|
|
34
dom/xslt/xslt/txMozillaXMLOutput.cpp
Normal file → Executable file
34
dom/xslt/xslt/txMozillaXMLOutput.cpp
Normal file → Executable file
|
@ -236,6 +236,19 @@ txMozillaXMLOutput::endDocument(nsresult aResult)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!mRefreshString.IsEmpty()) {
|
||||||
|
nsPIDOMWindow *win = mDocument->GetWindow();
|
||||||
|
if (win) {
|
||||||
|
nsCOMPtr<nsIRefreshURI> refURI =
|
||||||
|
do_QueryInterface(win->GetDocShell());
|
||||||
|
if (refURI) {
|
||||||
|
refURI->SetupRefreshURIFromHeader(mDocument->GetDocBaseURI(),
|
||||||
|
mDocument->NodePrincipal(),
|
||||||
|
mRefreshString);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (mNotifier) {
|
if (mNotifier) {
|
||||||
mNotifier->OnTransformEnd();
|
mNotifier->OnTransformEnd();
|
||||||
}
|
}
|
||||||
|
@ -734,13 +747,30 @@ txMozillaXMLOutput::endHTMLElement(nsIContent* aElement)
|
||||||
|
|
||||||
return NS_OK;
|
return NS_OK;
|
||||||
}
|
}
|
||||||
|
else if (mCreatingNewDocument && aElement->IsHTMLElement(nsGkAtoms::meta)) {
|
||||||
|
// handle HTTP-EQUIV data
|
||||||
|
nsAutoString httpEquiv;
|
||||||
|
aElement->GetAttr(kNameSpaceID_None, nsGkAtoms::httpEquiv, httpEquiv);
|
||||||
|
if (!httpEquiv.IsEmpty()) {
|
||||||
|
nsAutoString value;
|
||||||
|
aElement->GetAttr(kNameSpaceID_None, nsGkAtoms::content, value);
|
||||||
|
if (!value.IsEmpty()) {
|
||||||
|
nsContentUtils::ASCIIToLower(httpEquiv);
|
||||||
|
nsCOMPtr<nsIAtom> header = do_GetAtom(httpEquiv);
|
||||||
|
processHTTPEquiv(header, value);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return NS_OK;
|
return NS_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
void txMozillaXMLOutput::processHTTPEquiv(nsIAtom* aHeader, const nsString& aValue)
|
void txMozillaXMLOutput::processHTTPEquiv(nsIAtom* aHeader, const nsString& aValue)
|
||||||
{
|
{
|
||||||
MOZ_CRASH("Don't call processHTTPEquiv, see bug 1746720");
|
// For now we only handle "refresh". There's a longer list in
|
||||||
|
// HTMLContentSink::ProcessHeaderData
|
||||||
|
if (aHeader == nsGkAtoms::refresh)
|
||||||
|
LossyCopyUTF16toASCII(aValue, mRefreshString);
|
||||||
}
|
}
|
||||||
|
|
||||||
nsresult
|
nsresult
|
||||||
|
|
5911
security/manager/ssl/nsSTSPreloadList.inc
Normal file → Executable file
5911
security/manager/ssl/nsSTSPreloadList.inc
Normal file → Executable file
File diff suppressed because it is too large
Load Diff
196
security/nss/lib/cryptohi/secvfy.c
Normal file → Executable file
196
security/nss/lib/cryptohi/secvfy.c
Normal file → Executable file
|
@ -164,37 +164,6 @@ verifyPKCS1DigestInfo(const VFYContext *cx, const SECItem *digest)
|
||||||
PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
|
PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
|
||||||
checkedSignatureLen(const SECKEYPublicKey *pubk)
|
|
||||||
{
|
|
||||||
unsigned int sigLen = SECKEY_SignatureLen(pubk);
|
|
||||||
if (sigLen == 0) {
|
|
||||||
/* Error set by SECKEY_SignatureLen */
|
|
||||||
return sigLen;
|
|
||||||
}
|
|
||||||
unsigned int maxSigLen;
|
|
||||||
switch (pubk->keyType) {
|
|
||||||
case rsaKey:
|
|
||||||
case rsaPssKey:
|
|
||||||
maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
|
|
||||||
break;
|
|
||||||
case dsaKey:
|
|
||||||
maxSigLen = DSA_MAX_SIGNATURE_LEN;
|
|
||||||
break;
|
|
||||||
case ecKey:
|
|
||||||
maxSigLen = 2 * MAX_ECKEY_LEN;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
if (sigLen > maxSigLen) {
|
|
||||||
PORT_SetError(SEC_ERROR_INVALID_KEY);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
return sigLen;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* decode the ECDSA or DSA signature from it's DER wrapping.
|
* decode the ECDSA or DSA signature from it's DER wrapping.
|
||||||
* The unwrapped/raw signature is placed in the buffer pointed
|
* The unwrapped/raw signature is placed in the buffer pointed
|
||||||
|
@ -205,38 +174,38 @@ decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig,
|
||||||
unsigned int len)
|
unsigned int len)
|
||||||
{
|
{
|
||||||
SECItem *dsasig = NULL; /* also used for ECDSA */
|
SECItem *dsasig = NULL; /* also used for ECDSA */
|
||||||
|
SECStatus rv = SECSuccess;
|
||||||
|
|
||||||
/* Safety: Ensure algId is as expected and that signature size is within maxmimums */
|
if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
|
||||||
if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
|
(algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
|
||||||
if (len > DSA_MAX_SIGNATURE_LEN) {
|
if (sig->len != len) {
|
||||||
goto loser;
|
PORT_SetError(SEC_ERROR_BAD_DER);
|
||||||
|
return SECFailure;
|
||||||
}
|
}
|
||||||
} else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
|
|
||||||
|
PORT_Memcpy(dsig, sig->data, sig->len);
|
||||||
|
return SECSuccess;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
|
||||||
if (len > MAX_ECKEY_LEN * 2) {
|
if (len > MAX_ECKEY_LEN * 2) {
|
||||||
goto loser;
|
PORT_SetError(SEC_ERROR_BAD_DER);
|
||||||
|
return SECFailure;
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
goto loser;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Decode and pad to length */
|
|
||||||
dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
|
dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
|
||||||
if (dsasig == NULL) {
|
|
||||||
goto loser;
|
if ((dsasig == NULL) || (dsasig->len != len)) {
|
||||||
|
rv = SECFailure;
|
||||||
|
} else {
|
||||||
|
PORT_Memcpy(dsig, dsasig->data, dsasig->len);
|
||||||
}
|
}
|
||||||
if (dsasig->len != len) {
|
|
||||||
|
if (dsasig != NULL)
|
||||||
SECITEM_FreeItem(dsasig, PR_TRUE);
|
SECITEM_FreeItem(dsasig, PR_TRUE);
|
||||||
goto loser;
|
if (rv == SECFailure)
|
||||||
}
|
PORT_SetError(SEC_ERROR_BAD_DER);
|
||||||
|
return rv;
|
||||||
PORT_Memcpy(dsig, dsasig->data, len);
|
|
||||||
SECITEM_FreeItem(dsasig, PR_TRUE);
|
|
||||||
|
|
||||||
return SECSuccess;
|
|
||||||
|
|
||||||
loser:
|
|
||||||
PORT_SetError(SEC_ERROR_BAD_DER);
|
|
||||||
return SECFailure;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
const SEC_ASN1Template hashParameterTemplate[] =
|
const SEC_ASN1Template hashParameterTemplate[] =
|
||||||
|
@ -262,7 +231,7 @@ SECStatus
|
||||||
sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
|
sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
|
||||||
const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg)
|
const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg)
|
||||||
{
|
{
|
||||||
unsigned int len;
|
int len;
|
||||||
PLArenaPool *arena;
|
PLArenaPool *arena;
|
||||||
SECStatus rv;
|
SECStatus rv;
|
||||||
SECItem oid;
|
SECItem oid;
|
||||||
|
@ -477,52 +446,48 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
|
||||||
cx->pkcs1RSADigestInfo = NULL;
|
cx->pkcs1RSADigestInfo = NULL;
|
||||||
rv = SECSuccess;
|
rv = SECSuccess;
|
||||||
if (sig) {
|
if (sig) {
|
||||||
rv = SECFailure;
|
switch (type) {
|
||||||
if (type == rsaKey) {
|
case rsaKey:
|
||||||
rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
|
rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
|
||||||
&cx->pkcs1RSADigestInfo,
|
&cx->pkcs1RSADigestInfo,
|
||||||
&cx->pkcs1RSADigestInfoLen,
|
&cx->pkcs1RSADigestInfoLen,
|
||||||
cx->key,
|
cx->key,
|
||||||
sig, wincx);
|
sig, wincx);
|
||||||
} else {
|
break;
|
||||||
sigLen = checkedSignatureLen(key);
|
case rsaPssKey:
|
||||||
/* Check signature length is within limits */
|
sigLen = SECKEY_SignatureLen(key);
|
||||||
if (sigLen == 0) {
|
if (sigLen == 0) {
|
||||||
/* error set by checkedSignatureLen */
|
/* error set by SECKEY_SignatureLen */
|
||||||
rv = SECFailure;
|
|
||||||
goto loser;
|
|
||||||
}
|
|
||||||
if (sigLen > sizeof(cx->u)) {
|
|
||||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
||||||
rv = SECFailure;
|
|
||||||
goto loser;
|
|
||||||
}
|
|
||||||
switch (type) {
|
|
||||||
case rsaPssKey:
|
|
||||||
if (sig->len != sigLen) {
|
|
||||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
||||||
rv = SECFailure;
|
|
||||||
goto loser;
|
|
||||||
}
|
|
||||||
PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
|
|
||||||
rv = SECSuccess;
|
|
||||||
break;
|
|
||||||
case ecKey:
|
|
||||||
case dsaKey:
|
|
||||||
/* decodeECorDSASignature will check sigLen == sig->len after padding */
|
|
||||||
rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
/* Unreachable */
|
|
||||||
rv = SECFailure;
|
rv = SECFailure;
|
||||||
goto loser;
|
break;
|
||||||
}
|
}
|
||||||
}
|
if (sig->len != sigLen) {
|
||||||
if (rv != SECSuccess) {
|
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||||
goto loser;
|
rv = SECFailure;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
|
||||||
|
break;
|
||||||
|
case dsaKey:
|
||||||
|
case ecKey:
|
||||||
|
sigLen = SECKEY_SignatureLen(key);
|
||||||
|
if (sigLen == 0) {
|
||||||
|
/* error set by SECKEY_SignatureLen */
|
||||||
|
rv = SECFailure;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
rv = SECFailure;
|
||||||
|
PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (rv)
|
||||||
|
goto loser;
|
||||||
|
|
||||||
/* check hash alg again, RSA may have changed it.*/
|
/* check hash alg again, RSA may have changed it.*/
|
||||||
if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
|
if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
|
||||||
/* error set by HASH_GetHashTypeByOidTag */
|
/* error set by HASH_GetHashTypeByOidTag */
|
||||||
|
@ -657,16 +622,11 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
|
||||||
switch (cx->key->keyType) {
|
switch (cx->key->keyType) {
|
||||||
case ecKey:
|
case ecKey:
|
||||||
case dsaKey:
|
case dsaKey:
|
||||||
dsasig.len = checkedSignatureLen(cx->key);
|
dsasig.data = cx->u.buffer;
|
||||||
|
dsasig.len = SECKEY_SignatureLen(cx->key);
|
||||||
if (dsasig.len == 0) {
|
if (dsasig.len == 0) {
|
||||||
return SECFailure;
|
return SECFailure;
|
||||||
}
|
}
|
||||||
if (dsasig.len > sizeof(cx->u)) {
|
|
||||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
dsasig.data = cx->u.buffer;
|
|
||||||
|
|
||||||
if (sig) {
|
if (sig) {
|
||||||
rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
|
rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
|
||||||
dsasig.len);
|
dsasig.len);
|
||||||
|
@ -698,13 +658,8 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
|
||||||
}
|
}
|
||||||
|
|
||||||
rsasig.data = cx->u.buffer;
|
rsasig.data = cx->u.buffer;
|
||||||
rsasig.len = checkedSignatureLen(cx->key);
|
rsasig.len = SECKEY_SignatureLen(cx->key);
|
||||||
if (rsasig.len == 0) {
|
if (rsasig.len == 0) {
|
||||||
/* Error set by checkedSignatureLen */
|
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
if (rsasig.len > sizeof(cx->u)) {
|
|
||||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
||||||
return SECFailure;
|
return SECFailure;
|
||||||
}
|
}
|
||||||
if (sig) {
|
if (sig) {
|
||||||
|
@ -766,6 +721,7 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
|
||||||
SECStatus rv;
|
SECStatus rv;
|
||||||
VFYContext *cx;
|
VFYContext *cx;
|
||||||
SECItem dsasig; /* also used for ECDSA */
|
SECItem dsasig; /* also used for ECDSA */
|
||||||
|
|
||||||
rv = SECFailure;
|
rv = SECFailure;
|
||||||
|
|
||||||
cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
|
cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
|
||||||
|
@ -773,25 +729,19 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
|
||||||
switch (key->keyType) {
|
switch (key->keyType) {
|
||||||
case rsaKey:
|
case rsaKey:
|
||||||
rv = verifyPKCS1DigestInfo(cx, digest);
|
rv = verifyPKCS1DigestInfo(cx, digest);
|
||||||
/* Error (if any) set by verifyPKCS1DigestInfo */
|
|
||||||
break;
|
break;
|
||||||
case ecKey:
|
|
||||||
case dsaKey:
|
case dsaKey:
|
||||||
|
case ecKey:
|
||||||
dsasig.data = cx->u.buffer;
|
dsasig.data = cx->u.buffer;
|
||||||
dsasig.len = checkedSignatureLen(cx->key);
|
dsasig.len = SECKEY_SignatureLen(cx->key);
|
||||||
if (dsasig.len == 0) {
|
if (dsasig.len == 0) {
|
||||||
/* Error set by checkedSignatureLen */
|
|
||||||
rv = SECFailure;
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (dsasig.len > sizeof(cx->u)) {
|
if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
|
||||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
SECSuccess) {
|
||||||
rv = SECFailure;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
|
|
||||||
if (rv != SECSuccess) {
|
|
||||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||||
|
} else {
|
||||||
|
rv = SECSuccess;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
|
|
14
security/nss/lib/mozpkix/include/pkix/pkixutil.h
Normal file → Executable file
14
security/nss/lib/mozpkix/include/pkix/pkixutil.h
Normal file → Executable file
|
@ -259,20 +259,6 @@ Result CheckSubjectPublicKeyInfo(Input subjectPublicKeyInfo,
|
||||||
#else
|
#else
|
||||||
#error Unsupported compiler for MOZILLA_PKIX_UNREACHABLE_DEFAULT.
|
#error Unsupported compiler for MOZILLA_PKIX_UNREACHABLE_DEFAULT.
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
inline size_t DigestAlgorithmToSizeInBytes(DigestAlgorithm digestAlgorithm) {
|
|
||||||
switch (digestAlgorithm) {
|
|
||||||
case DigestAlgorithm::sha1:
|
|
||||||
return 160 / 8;
|
|
||||||
case DigestAlgorithm::sha256:
|
|
||||||
return 256 / 8;
|
|
||||||
case DigestAlgorithm::sha384:
|
|
||||||
return 384 / 8;
|
|
||||||
case DigestAlgorithm::sha512:
|
|
||||||
return 512 / 8;
|
|
||||||
MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
} // namespace mozilla::pkix
|
} // namespace mozilla::pkix
|
||||||
|
|
||||||
|
|
92
security/nss/lib/mozpkix/lib/pkixocsp.cpp
Normal file → Executable file
92
security/nss/lib/mozpkix/lib/pkixocsp.cpp
Normal file → Executable file
|
@ -28,6 +28,12 @@
|
||||||
#include "mozpkix/pkixcheck.h"
|
#include "mozpkix/pkixcheck.h"
|
||||||
#include "mozpkix/pkixutil.h"
|
#include "mozpkix/pkixutil.h"
|
||||||
|
|
||||||
|
namespace {
|
||||||
|
|
||||||
|
const size_t SHA1_DIGEST_LENGTH = 160 / 8;
|
||||||
|
|
||||||
|
} // namespace
|
||||||
|
|
||||||
namespace mozilla { namespace pkix {
|
namespace mozilla { namespace pkix {
|
||||||
|
|
||||||
// These values correspond to the tag values in the ASN.1 CertStatus
|
// These values correspond to the tag values in the ASN.1 CertStatus
|
||||||
|
@ -175,12 +181,10 @@ static inline Result MatchCertID(Reader& input,
|
||||||
const Context& context,
|
const Context& context,
|
||||||
/*out*/ bool& match);
|
/*out*/ bool& match);
|
||||||
static Result MatchKeyHash(TrustDomain& trustDomain,
|
static Result MatchKeyHash(TrustDomain& trustDomain,
|
||||||
DigestAlgorithm hashAlgorithm,
|
|
||||||
Input issuerKeyHash,
|
Input issuerKeyHash,
|
||||||
Input issuerSubjectPublicKeyInfo,
|
Input issuerSubjectPublicKeyInfo,
|
||||||
/*out*/ bool& match);
|
/*out*/ bool& match);
|
||||||
static Result KeyHash(TrustDomain& trustDomain,
|
static Result KeyHash(TrustDomain& trustDomain,
|
||||||
DigestAlgorithm hashAlgorithm,
|
|
||||||
Input subjectPublicKeyInfo,
|
Input subjectPublicKeyInfo,
|
||||||
/*out*/ uint8_t* hashBuf, size_t hashBufSize);
|
/*out*/ uint8_t* hashBuf, size_t hashBufSize);
|
||||||
|
|
||||||
|
@ -209,7 +213,7 @@ MatchResponderID(TrustDomain& trustDomain,
|
||||||
if (rv != Success) {
|
if (rv != Success) {
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
return MatchKeyHash(trustDomain, DigestAlgorithm::sha1, keyHash,
|
return MatchKeyHash(trustDomain, keyHash,
|
||||||
potentialSignerSubjectPublicKeyInfo, match);
|
potentialSignerSubjectPublicKeyInfo, match);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -737,36 +741,36 @@ MatchCertID(Reader& input, const Context& context, /*out*/ bool& match)
|
||||||
return Success;
|
return Success;
|
||||||
}
|
}
|
||||||
|
|
||||||
size_t hashAlgorithmLength = DigestAlgorithmToSizeInBytes(hashAlgorithm);
|
// TODO: support SHA-2 hashes.
|
||||||
if (issuerNameHash.GetLength() != hashAlgorithmLength) {
|
|
||||||
|
if (hashAlgorithm != DigestAlgorithm::sha1) {
|
||||||
|
// Again, not interested in this response. Consume input, return success.
|
||||||
|
input.SkipToEnd();
|
||||||
|
return Success;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (issuerNameHash.GetLength() != SHA1_DIGEST_LENGTH) {
|
||||||
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
|
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
// From http://tools.ietf.org/html/rfc6960#section-4.1.1:
|
// From http://tools.ietf.org/html/rfc6960#section-4.1.1:
|
||||||
// "The hash shall be calculated over the DER encoding of the
|
// "The hash shall be calculated over the DER encoding of the
|
||||||
// issuer's name field in the certificate being checked."
|
// issuer's name field in the certificate being checked."
|
||||||
uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES];
|
uint8_t hashBuf[SHA1_DIGEST_LENGTH];
|
||||||
if (hashAlgorithmLength > sizeof(hashBuf)) {
|
|
||||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
|
||||||
}
|
|
||||||
rv = context.trustDomain.DigestBuf(context.certID.issuer,
|
rv = context.trustDomain.DigestBuf(context.certID.issuer,
|
||||||
hashAlgorithm, hashBuf,
|
DigestAlgorithm::sha1, hashBuf,
|
||||||
hashAlgorithmLength);
|
sizeof(hashBuf));
|
||||||
if (rv != Success) {
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
Input computed;
|
|
||||||
rv = computed.Init(hashBuf, hashAlgorithmLength);
|
|
||||||
if (rv != Success) {
|
if (rv != Success) {
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
Input computed(hashBuf);
|
||||||
if (!InputsAreEqual(computed, issuerNameHash)) {
|
if (!InputsAreEqual(computed, issuerNameHash)) {
|
||||||
// Again, not interested in this response. Consume input, return success.
|
// Again, not interested in this response. Consume input, return success.
|
||||||
input.SkipToEnd();
|
input.SkipToEnd();
|
||||||
return Success;
|
return Success;
|
||||||
}
|
}
|
||||||
|
|
||||||
return MatchKeyHash(context.trustDomain, hashAlgorithm, issuerKeyHash,
|
return MatchKeyHash(context.trustDomain, issuerKeyHash,
|
||||||
context.certID.issuerSubjectPublicKeyInfo, match);
|
context.certID.issuerSubjectPublicKeyInfo, match);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -780,53 +784,30 @@ MatchCertID(Reader& input, const Context& context, /*out*/ bool& match)
|
||||||
// -- BIT STRING subjectPublicKey [excluding
|
// -- BIT STRING subjectPublicKey [excluding
|
||||||
// -- the tag, length, and number of unused
|
// -- the tag, length, and number of unused
|
||||||
// -- bits] in the responder's certificate)
|
// -- bits] in the responder's certificate)
|
||||||
//
|
|
||||||
// From https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1:
|
|
||||||
// CertID ::= SEQUENCE {
|
|
||||||
// hashAlgorithm AlgorithmIdentifier,
|
|
||||||
// issuerNameHash OCTET STRING, -- Hash of issuer's DN
|
|
||||||
// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
|
|
||||||
// serialNumber CertificateSerialNumber }
|
|
||||||
// ...
|
|
||||||
// o hashAlgorithm is the hash algorithm used to generate the
|
|
||||||
// issuerNameHash and issuerKeyHash values.
|
|
||||||
// ...
|
|
||||||
// o issuerKeyHash is the hash of the issuer's public key. The hash
|
|
||||||
// shall be calculated over the value (excluding tag and length) of
|
|
||||||
// the subject public key field in the issuer's certificate.
|
|
||||||
static Result
|
static Result
|
||||||
MatchKeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
|
MatchKeyHash(TrustDomain& trustDomain, Input keyHash,
|
||||||
Input keyHash, const Input subjectPublicKeyInfo,
|
const Input subjectPublicKeyInfo, /*out*/ bool& match)
|
||||||
/*out*/ bool& match)
|
|
||||||
{
|
{
|
||||||
size_t hashLength = DigestAlgorithmToSizeInBytes(hashAlgorithm);
|
if (keyHash.GetLength() != SHA1_DIGEST_LENGTH) {
|
||||||
if (keyHash.GetLength() != hashLength) {
|
|
||||||
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
|
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
|
||||||
}
|
}
|
||||||
uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES];
|
uint8_t hashBuf[SHA1_DIGEST_LENGTH];
|
||||||
if (hashLength > MAX_DIGEST_SIZE_IN_BYTES) {
|
Result rv = KeyHash(trustDomain, subjectPublicKeyInfo, hashBuf,
|
||||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
sizeof hashBuf);
|
||||||
}
|
|
||||||
Result rv = KeyHash(trustDomain, hashAlgorithm, subjectPublicKeyInfo,
|
|
||||||
hashBuf, hashLength);
|
|
||||||
if (rv != Success) {
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
Input computed;
|
|
||||||
rv = computed.Init(hashBuf, hashLength);
|
|
||||||
if (rv != Success) {
|
if (rv != Success) {
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
Input computed(hashBuf);
|
||||||
match = InputsAreEqual(computed, keyHash);
|
match = InputsAreEqual(computed, keyHash);
|
||||||
return Success;
|
return Success;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO(bug 966856): support SHA-2 hashes
|
||||||
Result
|
Result
|
||||||
KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
|
KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo,
|
||||||
const Input subjectPublicKeyInfo, /*out*/ uint8_t* hashBuf,
|
/*out*/ uint8_t* hashBuf, size_t hashBufSize)
|
||||||
size_t hashBufSize)
|
|
||||||
{
|
{
|
||||||
if (!hashBuf || hashBufSize != DigestAlgorithmToSizeInBytes(hashAlgorithm)) {
|
if (!hashBuf || hashBufSize != SHA1_DIGEST_LENGTH) {
|
||||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -859,8 +840,8 @@ KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
return trustDomain.DigestBuf(subjectPublicKey, hashAlgorithm, hashBuf,
|
return trustDomain.DigestBuf(subjectPublicKey, DigestAlgorithm::sha1,
|
||||||
hashBufSize);
|
hashBuf, hashBufSize);
|
||||||
}
|
}
|
||||||
|
|
||||||
Result
|
Result
|
||||||
|
@ -940,6 +921,8 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
|
||||||
// and thus more likely to fit within the 255 byte limit for OCSP GET that
|
// and thus more likely to fit within the 255 byte limit for OCSP GET that
|
||||||
// is specified in RFC 5019 Section 5.
|
// is specified in RFC 5019 Section 5.
|
||||||
|
|
||||||
|
// Bug 966856: Add the id-pkix-ocsp-pref-sig-algs extension.
|
||||||
|
|
||||||
// Since we don't know whether the OCSP responder supports anything other
|
// Since we don't know whether the OCSP responder supports anything other
|
||||||
// than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and
|
// than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and
|
||||||
// issuerKeyHash.
|
// issuerKeyHash.
|
||||||
|
@ -1003,8 +986,7 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
|
||||||
// reqCert.issuerKeyHash (OCTET STRING)
|
// reqCert.issuerKeyHash (OCTET STRING)
|
||||||
*d++ = 0x04;
|
*d++ = 0x04;
|
||||||
*d++ = hashLen;
|
*d++ = hashLen;
|
||||||
rv = KeyHash(trustDomain, DigestAlgorithm::sha1,
|
rv = KeyHash(trustDomain, certID.issuerSubjectPublicKeyInfo, d, hashLen);
|
||||||
certID.issuerSubjectPublicKeyInfo, d, hashLen);
|
|
||||||
if (rv != Success) {
|
if (rv != Success) {
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
9
security/nss/lib/mozpkix/lib/pkixverify.cpp
Normal file → Executable file
9
security/nss/lib/mozpkix/lib/pkixverify.cpp
Normal file → Executable file
|
@ -43,7 +43,14 @@ DigestSignedData(TrustDomain& trustDomain,
|
||||||
return Result::ERROR_BAD_DER;
|
return Result::ERROR_BAD_DER;
|
||||||
}
|
}
|
||||||
|
|
||||||
size_t digestLen = DigestAlgorithmToSizeInBytes(signedDigest.digestAlgorithm);
|
size_t digestLen;
|
||||||
|
switch (signedDigest.digestAlgorithm) {
|
||||||
|
case DigestAlgorithm::sha512: digestLen = 512 / 8; break;
|
||||||
|
case DigestAlgorithm::sha384: digestLen = 384 / 8; break;
|
||||||
|
case DigestAlgorithm::sha256: digestLen = 256 / 8; break;
|
||||||
|
case DigestAlgorithm::sha1: digestLen = 160 / 8; break;
|
||||||
|
MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
|
||||||
|
}
|
||||||
assert(digestLen <= sizeof(digestBuf));
|
assert(digestLen <= sizeof(digestBuf));
|
||||||
|
|
||||||
rv = trustDomain.DigestBuf(signedData.data, signedDigest.digestAlgorithm,
|
rv = trustDomain.DigestBuf(signedData.data, signedDigest.digestAlgorithm,
|
||||||
|
|
5
security/nss/lib/pkcs7/certread.c
Normal file → Executable file
5
security/nss/lib/pkcs7/certread.c
Normal file → Executable file
|
@ -139,11 +139,6 @@ SEC_ReadPKCS7Certs(SECItem *pkcs7Item, CERTImportCertificateFunc f, void *arg)
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (contentInfo.content.signedData == NULL) {
|
|
||||||
PORT_SetError(SEC_ERROR_BAD_DER);
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
rv = SECSuccess;
|
rv = SECSuccess;
|
||||||
|
|
||||||
certs = contentInfo.content.signedData->certificates;
|
certs = contentInfo.content.signedData->certificates;
|
||||||
|
|
106
security/pkix/lib/pkixocsp.cpp
Normal file → Executable file
106
security/pkix/lib/pkixocsp.cpp
Normal file → Executable file
|
@ -28,21 +28,13 @@
|
||||||
#include "pkixcheck.h"
|
#include "pkixcheck.h"
|
||||||
#include "pkixutil.h"
|
#include "pkixutil.h"
|
||||||
|
|
||||||
namespace mozilla { namespace pkix {
|
namespace {
|
||||||
|
|
||||||
inline size_t DigestAlgorithmToSizeInBytes(DigestAlgorithm digestAlgorithm) {
|
const size_t SHA1_DIGEST_LENGTH = 160 / 8;
|
||||||
switch (digestAlgorithm) {
|
|
||||||
case DigestAlgorithm::sha1:
|
} // unnamed namespace
|
||||||
return 160 / 8;
|
|
||||||
case DigestAlgorithm::sha256:
|
namespace mozilla { namespace pkix {
|
||||||
return 256 / 8;
|
|
||||||
case DigestAlgorithm::sha384:
|
|
||||||
return 384 / 8;
|
|
||||||
case DigestAlgorithm::sha512:
|
|
||||||
return 512 / 8;
|
|
||||||
MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// These values correspond to the tag values in the ASN.1 CertStatus
|
// These values correspond to the tag values in the ASN.1 CertStatus
|
||||||
enum class CertStatus : uint8_t {
|
enum class CertStatus : uint8_t {
|
||||||
|
@ -180,12 +172,10 @@ static inline Result CertID(Reader& input,
|
||||||
const Context& context,
|
const Context& context,
|
||||||
/*out*/ bool& match);
|
/*out*/ bool& match);
|
||||||
static Result MatchKeyHash(TrustDomain& trustDomain,
|
static Result MatchKeyHash(TrustDomain& trustDomain,
|
||||||
DigestAlgorithm hashAlgorithm,
|
|
||||||
Input issuerKeyHash,
|
Input issuerKeyHash,
|
||||||
Input issuerSubjectPublicKeyInfo,
|
Input issuerSubjectPublicKeyInfo,
|
||||||
/*out*/ bool& match);
|
/*out*/ bool& match);
|
||||||
static Result KeyHash(TrustDomain& trustDomain,
|
static Result KeyHash(TrustDomain& trustDomain,
|
||||||
DigestAlgorithm hashAlgorithm,
|
|
||||||
Input subjectPublicKeyInfo,
|
Input subjectPublicKeyInfo,
|
||||||
/*out*/ uint8_t* hashBuf, size_t hashBufSize);
|
/*out*/ uint8_t* hashBuf, size_t hashBufSize);
|
||||||
|
|
||||||
|
@ -214,7 +204,7 @@ MatchResponderID(TrustDomain& trustDomain,
|
||||||
if (rv != Success) {
|
if (rv != Success) {
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
return MatchKeyHash(trustDomain, DigestAlgorithm::sha1, keyHash,
|
return MatchKeyHash(trustDomain, keyHash,
|
||||||
potentialSignerSubjectPublicKeyInfo, match);
|
potentialSignerSubjectPublicKeyInfo, match);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -725,36 +715,36 @@ CertID(Reader& input, const Context& context, /*out*/ bool& match)
|
||||||
return Success;
|
return Success;
|
||||||
}
|
}
|
||||||
|
|
||||||
size_t hashAlgorithmLength = DigestAlgorithmToSizeInBytes(hashAlgorithm);
|
// TODO: support SHA-2 hashes.
|
||||||
if (issuerNameHash.GetLength() != hashAlgorithmLength) {
|
|
||||||
|
if (hashAlgorithm != DigestAlgorithm::sha1) {
|
||||||
|
// Again, not interested in this response. Consume input, return success.
|
||||||
|
input.SkipToEnd();
|
||||||
|
return Success;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (issuerNameHash.GetLength() != SHA1_DIGEST_LENGTH) {
|
||||||
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
|
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
// From http://tools.ietf.org/html/rfc6960#section-4.1.1:
|
// From http://tools.ietf.org/html/rfc6960#section-4.1.1:
|
||||||
// "The hash shall be calculated over the DER encoding of the
|
// "The hash shall be calculated over the DER encoding of the
|
||||||
// issuer's name field in the certificate being checked."
|
// issuer's name field in the certificate being checked."
|
||||||
uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES];
|
uint8_t hashBuf[SHA1_DIGEST_LENGTH];
|
||||||
if (hashAlgorithmLength > sizeof(hashBuf)) {
|
|
||||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
|
||||||
}
|
|
||||||
rv = context.trustDomain.DigestBuf(context.certID.issuer,
|
rv = context.trustDomain.DigestBuf(context.certID.issuer,
|
||||||
hashAlgorithm, hashBuf,
|
DigestAlgorithm::sha1, hashBuf,
|
||||||
hashAlgorithmLength);
|
sizeof(hashBuf));
|
||||||
if (rv != Success) {
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
Input computed;
|
|
||||||
rv = computed.Init(hashBuf, hashAlgorithmLength);
|
|
||||||
if (rv != Success) {
|
if (rv != Success) {
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
Input computed(hashBuf);
|
||||||
if (!InputsAreEqual(computed, issuerNameHash)) {
|
if (!InputsAreEqual(computed, issuerNameHash)) {
|
||||||
// Again, not interested in this response. Consume input, return success.
|
// Again, not interested in this response. Consume input, return success.
|
||||||
input.SkipToEnd();
|
input.SkipToEnd();
|
||||||
return Success;
|
return Success;
|
||||||
}
|
}
|
||||||
|
|
||||||
return MatchKeyHash(context.trustDomain, hashAlgorithm, issuerKeyHash,
|
return MatchKeyHash(context.trustDomain, issuerKeyHash,
|
||||||
context.certID.issuerSubjectPublicKeyInfo, match);
|
context.certID.issuerSubjectPublicKeyInfo, match);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -768,53 +758,30 @@ CertID(Reader& input, const Context& context, /*out*/ bool& match)
|
||||||
// -- BIT STRING subjectPublicKey [excluding
|
// -- BIT STRING subjectPublicKey [excluding
|
||||||
// -- the tag, length, and number of unused
|
// -- the tag, length, and number of unused
|
||||||
// -- bits] in the responder's certificate)
|
// -- bits] in the responder's certificate)
|
||||||
//
|
|
||||||
// From https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1:
|
|
||||||
// CertID ::= SEQUENCE {
|
|
||||||
// hashAlgorithm AlgorithmIdentifier,
|
|
||||||
// issuerNameHash OCTET STRING, -- Hash of issuer's DN
|
|
||||||
// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
|
|
||||||
// serialNumber CertificateSerialNumber }
|
|
||||||
// ...
|
|
||||||
// o hashAlgorithm is the hash algorithm used to generate the
|
|
||||||
// issuerNameHash and issuerKeyHash values.
|
|
||||||
// ...
|
|
||||||
// o issuerKeyHash is the hash of the issuer's public key. The hash
|
|
||||||
// shall be calculated over the value (excluding tag and length) of
|
|
||||||
// the subject public key field in the issuer's certificate.
|
|
||||||
static Result
|
static Result
|
||||||
MatchKeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
|
MatchKeyHash(TrustDomain& trustDomain, Input keyHash,
|
||||||
Input keyHash, const Input subjectPublicKeyInfo,
|
const Input subjectPublicKeyInfo, /*out*/ bool& match)
|
||||||
/*out*/ bool& match)
|
|
||||||
{
|
{
|
||||||
size_t hashLength = DigestAlgorithmToSizeInBytes(hashAlgorithm);
|
if (keyHash.GetLength() != SHA1_DIGEST_LENGTH) {
|
||||||
if (keyHash.GetLength() != hashLength) {
|
|
||||||
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
|
return Result::ERROR_OCSP_MALFORMED_RESPONSE;
|
||||||
}
|
}
|
||||||
static uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES];
|
static uint8_t hashBuf[SHA1_DIGEST_LENGTH];
|
||||||
if (hashLength > MAX_DIGEST_SIZE_IN_BYTES) {
|
Result rv = KeyHash(trustDomain, subjectPublicKeyInfo, hashBuf,
|
||||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
sizeof hashBuf);
|
||||||
}
|
|
||||||
Result rv = KeyHash(trustDomain, hashAlgorithm, subjectPublicKeyInfo,
|
|
||||||
hashBuf, hashLength);
|
|
||||||
if (rv != Success) {
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
Input computed;
|
|
||||||
rv = computed.Init(hashBuf, hashLength);
|
|
||||||
if (rv != Success) {
|
if (rv != Success) {
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
Input computed(hashBuf);
|
||||||
match = InputsAreEqual(computed, keyHash);
|
match = InputsAreEqual(computed, keyHash);
|
||||||
return Success;
|
return Success;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO(bug 966856): support SHA-2 hashes
|
||||||
Result
|
Result
|
||||||
KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
|
KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo,
|
||||||
const Input subjectPublicKeyInfo, /*out*/ uint8_t* hashBuf,
|
/*out*/ uint8_t* hashBuf, size_t hashBufSize)
|
||||||
size_t hashBufSize)
|
|
||||||
{
|
{
|
||||||
if (!hashBuf || hashBufSize != DigestAlgorithmToSizeInBytes(hashAlgorithm)) {
|
if (!hashBuf || hashBufSize != SHA1_DIGEST_LENGTH) {
|
||||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -847,8 +814,8 @@ KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
return trustDomain.DigestBuf(subjectPublicKey, hashAlgorithm, hashBuf,
|
return trustDomain.DigestBuf(subjectPublicKey, DigestAlgorithm::sha1,
|
||||||
hashBufSize);
|
hashBuf, hashBufSize);
|
||||||
}
|
}
|
||||||
|
|
||||||
Result
|
Result
|
||||||
|
@ -898,6 +865,8 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
|
||||||
// and thus more likely to fit within the 255 byte limit for OCSP GET that
|
// and thus more likely to fit within the 255 byte limit for OCSP GET that
|
||||||
// is specified in RFC 5019 Section 5.
|
// is specified in RFC 5019 Section 5.
|
||||||
|
|
||||||
|
// Bug 966856: Add the id-pkix-ocsp-pref-sig-algs extension.
|
||||||
|
|
||||||
// Since we don't know whether the OCSP responder supports anything other
|
// Since we don't know whether the OCSP responder supports anything other
|
||||||
// than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and
|
// than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and
|
||||||
// issuerKeyHash.
|
// issuerKeyHash.
|
||||||
|
@ -961,8 +930,7 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
|
||||||
// reqCert.issuerKeyHash (OCTET STRING)
|
// reqCert.issuerKeyHash (OCTET STRING)
|
||||||
*d++ = 0x04;
|
*d++ = 0x04;
|
||||||
*d++ = hashLen;
|
*d++ = hashLen;
|
||||||
rv = KeyHash(trustDomain, DigestAlgorithm::sha1,
|
rv = KeyHash(trustDomain, certID.issuerSubjectPublicKeyInfo, d, hashLen);
|
||||||
certID.issuerSubjectPublicKeyInfo, d, hashLen);
|
|
||||||
if (rv != Success) {
|
if (rv != Success) {
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
2
widget/cocoa/nsCocoaWindow.mm
Normal file → Executable file
2
widget/cocoa/nsCocoaWindow.mm
Normal file → Executable file
|
@ -1272,8 +1272,6 @@ NS_METHOD nsCocoaWindow::SetSizeMode(nsSizeMode aMode)
|
||||||
[mWindow deminiaturize:nil];
|
[mWindow deminiaturize:nil];
|
||||||
else if (previousMode == nsSizeMode_Maximized && [mWindow isZoomed])
|
else if (previousMode == nsSizeMode_Maximized && [mWindow isZoomed])
|
||||||
[mWindow zoom:nil];
|
[mWindow zoom:nil];
|
||||||
else if (previousMode == nsSizeMode_Fullscreen)
|
|
||||||
MakeFullScreen(false);
|
|
||||||
}
|
}
|
||||||
else if (aMode == nsSizeMode_Minimized) {
|
else if (aMode == nsSizeMode_Minimized) {
|
||||||
if (![mWindow isMiniaturized])
|
if (![mWindow isMiniaturized])
|
||||||
|
|
Loading…
Reference in New Issue
Block a user