#654: M1746720 M1737816 M1746011 M1739957 M1740985+backbugs M1742421, update HSTS, TLDs

This commit is contained in:
Cameron Kaiser 2022-02-24 10:06:45 -08:00
parent fd2b82f13a
commit 861ae8f628
10 changed files with 1128 additions and 2287 deletions

View File

@ -24,6 +24,7 @@
#include "mozilla/dom/Element.h" #include "mozilla/dom/Element.h"
#include "mozilla/dom/Event.h" #include "mozilla/dom/Event.h"
#include "mozilla/dom/EventTargetBinding.h" #include "mozilla/dom/EventTargetBinding.h"
#include "mozilla/ScopeExit.h"
#include "mozilla/TimelineConsumers.h" #include "mozilla/TimelineConsumers.h"
#include "mozilla/EventTimelineMarker.h" #include "mozilla/EventTimelineMarker.h"
@ -712,6 +713,8 @@ EventListenerManager::SetEventHandler(nsIAtom* aName,
bool aPermitUntrustedEvents, bool aPermitUntrustedEvents,
Element* aElement) Element* aElement)
{ {
auto removeEventHandler = MakeScopeExit([&] { RemoveEventHandler(aName, EmptyString()); });
nsCOMPtr<nsIDocument> doc; nsCOMPtr<nsIDocument> doc;
nsCOMPtr<nsIScriptGlobalObject> global = nsCOMPtr<nsIScriptGlobalObject> global =
GetScriptGlobalAndDocument(getter_AddRefs(doc)); GetScriptGlobalAndDocument(getter_AddRefs(doc));
@ -786,6 +789,8 @@ EventListenerManager::SetEventHandler(nsIAtom* aName,
NS_ENSURE_TRUE(context, NS_ERROR_FAILURE); NS_ENSURE_TRUE(context, NS_ERROR_FAILURE);
NS_ENSURE_STATE(global->GetGlobalJSObject()); NS_ENSURE_STATE(global->GetGlobalJSObject());
removeEventHandler.release();
Listener* listener = SetEventHandlerInternal(aName, Listener* listener = SetEventHandlerInternal(aName,
EmptyString(), EmptyString(),
TypedEventHandler(), TypedEventHandler(),

View File

@ -852,8 +852,9 @@ ADTSTrackDemuxer::Read(uint8_t* aBuffer, int64_t aOffset, int32_t aSize)
const int64_t streamLen = StreamLength(); const int64_t streamLen = StreamLength();
if (mInfo && streamLen > 0) { if (mInfo && streamLen > 0) {
int64_t max = streamLen > aOffset ? streamLen - aOffset : 0;
// Prevent blocking reads after successful initialization. // Prevent blocking reads after successful initialization.
aSize = std::min<int64_t>(aSize, streamLen - aOffset); aSize = std::min<int64_t>(aSize, max);
} }
uint32_t read = 0; uint32_t read = 0;

View File

@ -655,7 +655,8 @@ MP3TrackDemuxer::Read(uint8_t* aBuffer, int64_t aOffset, int32_t aSize) {
const int64_t streamLen = StreamLength(); const int64_t streamLen = StreamLength();
if (mInfo && streamLen > 0) { if (mInfo && streamLen > 0) {
// Prevent blocking reads after successful initialization. // Prevent blocking reads after successful initialization.
aSize = std::min<int64_t>(aSize, streamLen - aOffset); uint64_t max = streamLen > aOffset ? streamLen - aOffset : 0;
aSize = std::min<int64_t>(aSize, max);
} }
uint32_t read = 0; uint32_t read = 0;

View File

@ -1993,12 +1993,14 @@ void ReportLoadError(JSContext* aCx, nsresult aLoadResult)
case NS_ERROR_FILE_NOT_FOUND: case NS_ERROR_FILE_NOT_FOUND:
case NS_ERROR_NOT_AVAILABLE: case NS_ERROR_NOT_AVAILABLE:
case NS_ERROR_CORRUPTED_CONTENT:
Throw(aCx, NS_ERROR_DOM_NETWORK_ERR); Throw(aCx, NS_ERROR_DOM_NETWORK_ERR);
break; break;
case NS_ERROR_MALFORMED_URI: case NS_ERROR_MALFORMED_URI:
aLoadResult = NS_ERROR_DOM_SYNTAX_ERR; aLoadResult = NS_ERROR_DOM_SYNTAX_ERR;
// fall through // fall through
case NS_ERROR_DOM_BAD_URI:
case NS_ERROR_DOM_SECURITY_ERR: case NS_ERROR_DOM_SECURITY_ERR:
case NS_ERROR_DOM_SYNTAX_ERR: case NS_ERROR_DOM_SYNTAX_ERR:
Throw(aCx, aLoadResult); Throw(aCx, aLoadResult);

View File

@ -236,19 +236,6 @@ txMozillaXMLOutput::endDocument(nsresult aResult)
} }
} }
if (!mRefreshString.IsEmpty()) {
nsPIDOMWindow *win = mDocument->GetWindow();
if (win) {
nsCOMPtr<nsIRefreshURI> refURI =
do_QueryInterface(win->GetDocShell());
if (refURI) {
refURI->SetupRefreshURIFromHeader(mDocument->GetDocBaseURI(),
mDocument->NodePrincipal(),
mRefreshString);
}
}
}
if (mNotifier) { if (mNotifier) {
mNotifier->OnTransformEnd(); mNotifier->OnTransformEnd();
} }
@ -747,30 +734,13 @@ txMozillaXMLOutput::endHTMLElement(nsIContent* aElement)
return NS_OK; return NS_OK;
} }
else if (mCreatingNewDocument && aElement->IsHTMLElement(nsGkAtoms::meta)) {
// handle HTTP-EQUIV data
nsAutoString httpEquiv;
aElement->GetAttr(kNameSpaceID_None, nsGkAtoms::httpEquiv, httpEquiv);
if (!httpEquiv.IsEmpty()) {
nsAutoString value;
aElement->GetAttr(kNameSpaceID_None, nsGkAtoms::content, value);
if (!value.IsEmpty()) {
nsContentUtils::ASCIIToLower(httpEquiv);
nsCOMPtr<nsIAtom> header = do_GetAtom(httpEquiv);
processHTTPEquiv(header, value);
}
}
}
return NS_OK; return NS_OK;
} }
void txMozillaXMLOutput::processHTTPEquiv(nsIAtom* aHeader, const nsString& aValue) void txMozillaXMLOutput::processHTTPEquiv(nsIAtom* aHeader, const nsString& aValue)
{ {
// For now we only handle "refresh". There's a longer list in MOZ_CRASH("Don't call processHTTPEquiv, see bug 1746720");
// HTMLContentSink::ProcessHeaderData
if (aHeader == nsGkAtoms::refresh)
LossyCopyUTF16toASCII(aValue, mRefreshString);
} }
nsresult nsresult

View File

@ -9,7 +9,7 @@
// ===BEGIN ICANN DOMAINS=== // ===BEGIN ICANN DOMAINS===
// ac : https://en.wikipedia.org/wiki/.ac // ac : http://nic.ac/rules.htm
ac ac
com.ac com.ac
edu.ac edu.ac
@ -865,6 +865,7 @@ gov.cx
// cy : http://www.nic.cy/ // cy : http://www.nic.cy/
// Submitted by registry Panayiotou Fotia <cydns@ucy.ac.cy> // Submitted by registry Panayiotou Fotia <cydns@ucy.ac.cy>
// namespace policies URL https://www.nic.cy/portal//sites/default/files/symfonia_gia_eggrafi.pdf
cy cy
ac.cy ac.cy
biz.cy biz.cy
@ -872,10 +873,9 @@ com.cy
ekloges.cy ekloges.cy
gov.cy gov.cy
ltd.cy ltd.cy
name.cy mil.cy
net.cy net.cy
org.cy org.cy
parliament.cy
press.cy press.cy
pro.cy pro.cy
tm.cy tm.cy
@ -1366,7 +1366,7 @@ info
int int
eu.int eu.int
// io : http://www.nic.io/rules.html // io : http://www.nic.io/rules.htm
// list of other 2nd level tlds ? // list of other 2nd level tlds ?
io io
com.io com.io
@ -3765,11 +3765,10 @@ org.kw
// ky : http://www.icta.ky/da_ky_reg_dom.php // ky : http://www.icta.ky/da_ky_reg_dom.php
// Confirmed by registry <kysupport@perimeterusa.com> 2008-06-17 // Confirmed by registry <kysupport@perimeterusa.com> 2008-06-17
ky ky
edu.ky
gov.ky
com.ky com.ky
org.ky edu.ky
net.ky net.ky
org.ky
// kz : https://en.wikipedia.org/wiki/.kz // kz : https://en.wikipedia.org/wiki/.kz
// see also: http://www.nic.kz/rules/index.jsp // see also: http://www.nic.kz/rules/index.jsp
@ -6037,7 +6036,7 @@ gov.sg
edu.sg edu.sg
per.sg per.sg
// sh : http://www.nic.sh/registrar.html // sh : http://nic.sh/rules.htm
sh sh
com.sh com.sh
net.sh net.sh
@ -7132,7 +7131,7 @@ org.zw
// newGTLDs // newGTLDs
// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2021-12-04T15:13:28Z // List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2022-02-18T15:13:38Z
// This list is auto-generated, don't edit it manually. // This list is auto-generated, don't edit it manually.
// aaa : 2015-02-26 American Automobile Association, Inc. // aaa : 2015-02-26 American Automobile Association, Inc.
aaa aaa
@ -7527,7 +7526,7 @@ bosch
// bostik : 2015-05-28 Bostik SA // bostik : 2015-05-28 Bostik SA
bostik bostik
// boston : 2015-12-10 Boston TLD Management, LLC // boston : 2015-12-10 Registry Services, LLC
boston boston
// bot : 2014-12-18 Amazon Registry Services, Inc. // bot : 2014-12-18 Amazon Registry Services, Inc.
@ -7557,9 +7556,6 @@ brother
// brussels : 2014-02-06 DNS.be vzw // brussels : 2014-02-06 DNS.be vzw
brussels brussels
// budapest : 2013-11-21 Minds + Machines Group Limited
budapest
// bugatti : 2015-07-23 Bugatti International SA // bugatti : 2015-07-23 Bugatti International SA
bugatti bugatti
@ -7596,7 +7592,7 @@ call
// calvinklein : 2015-07-30 PVH gTLD Holdings LLC // calvinklein : 2015-07-30 PVH gTLD Holdings LLC
calvinklein calvinklein
// cam : 2016-04-21 AC Webconnecting Holding B.V. // cam : 2016-04-21 Cam Connecting SARL
cam cam
// camera : 2013-08-27 Binky Moon, LLC // camera : 2013-08-27 Binky Moon, LLC
@ -7869,9 +7865,6 @@ cruise
// cruises : 2013-12-05 Binky Moon, LLC // cruises : 2013-12-05 Binky Moon, LLC
cruises cruises
// csc : 2014-09-25 Alliance-One Services, Inc.
csc
// cuisinella : 2014-04-03 SCHMIDT GROUPE S.A.S. // cuisinella : 2014-04-03 SCHMIDT GROUPE S.A.S.
cuisinella cuisinella
@ -8871,9 +8864,6 @@ live
// living : 2015-07-30 Lifestyle Domain Holdings, Inc. // living : 2015-07-30 Lifestyle Domain Holdings, Inc.
living living
// lixil : 2015-03-19 LIXIL Group Corporation
lixil
// llc : 2017-12-14 Afilias Limited // llc : 2017-12-14 Afilias Limited
llc llc
@ -9012,7 +9002,7 @@ menu
// merckmsd : 2016-07-14 MSD Registry Holdings, Inc. // merckmsd : 2016-07-14 MSD Registry Holdings, Inc.
merckmsd merckmsd
// miami : 2013-12-19 Minds + Machines Group Limited // miami : 2013-12-19 Registry Services, LLC
miami miami
// microsoft : 2014-12-18 Microsoft Corporation // microsoft : 2014-12-18 Microsoft Corporation
@ -10815,6 +10805,10 @@ myasustor.com
// Submitted by Sam Smyth <devloop@atlassian.com> // Submitted by Sam Smyth <devloop@atlassian.com>
cdn.prod.atlassian-dev.net cdn.prod.atlassian-dev.net
// Authentick UG (haftungsbeschränkt) : https://authentick.net
// Submitted by Lukas Reschke <lukas@authentick.net>
translated.page
// AVM : https://avm.de // AVM : https://avm.de
// Submitted by Andreas Weise <a.weise@avm.de> // Submitted by Andreas Weise <a.weise@avm.de>
myfritz.net myfritz.net
@ -10868,6 +10862,10 @@ theshop.jp
shopselect.net shopselect.net
base.shop base.shop
// Beget Ltd
// Submitted by Lev Nekrasov <lnekrasov@beget.com>
*.beget.app
// BetaInABox // BetaInABox
// Submitted by Adrian <adrian@betainabox.com> // Submitted by Adrian <adrian@betainabox.com>
betainabox.com betainabox.com
@ -11109,6 +11107,10 @@ cloudns.us
// Submitted by Angelo Gladding <angelo@lahacker.net> // Submitted by Angelo Gladding <angelo@lahacker.net>
cnpy.gdn cnpy.gdn
// Codeberg e. V. : https://codeberg.org
// Submitted by Moritz Marquardt <git@momar.de>
codeberg.page
// CoDNS B.V. // CoDNS B.V.
co.nl co.nl
co.no co.no
@ -11240,6 +11242,11 @@ dedyn.io
*.rss.my.id *.rss.my.id
*.diher.solutions *.diher.solutions
// Discord Inc : https://discord.com
// Submitted by Sahn Lam <slam@discordapp.com>
discordsays.com
discordsez.com
// DNS Africa Ltd https://dns.business // DNS Africa Ltd https://dns.business
// Submitted by Calvin Browne <calvin@dns.business> // Submitted by Calvin Browne <calvin@dns.business>
jozi.biz jozi.biz
@ -11964,10 +11971,21 @@ futuremailing.at
*.kunden.ortsinfo.at *.kunden.ortsinfo.at
*.statics.cloud *.statics.cloud
// GDS : https://www.gov.uk/service-manual/operations/operating-servicegovuk-subdomains // GDS : https://www.gov.uk/service-manual/technology/managing-domain-names
// Submitted by David Illsley <david.illsley@digital.cabinet-office.gov.uk> // Submitted by Stephen Ford <hostmaster@digital.cabinet-office.gov.uk>
independent-commission.uk
independent-inquest.uk
independent-inquiry.uk
independent-panel.uk
independent-review.uk
public-inquiry.uk
royal-commission.uk
service.gov.uk service.gov.uk
// CDDO : https://www.gov.uk/guidance/get-an-api-domain-on-govuk
// Submitted by Jamie Tanna <jamie.tanna@digital.cabinet-office.gov.uk>
api.gov.uk
// Gehirn Inc. : https://www.gehirn.co.jp/ // Gehirn Inc. : https://www.gehirn.co.jp/
// Submitted by Kohei YOSHIDA <tech@gehirn.co.jp> // Submitted by Kohei YOSHIDA <tech@gehirn.co.jp>
gehirn.ne.jp gehirn.ne.jp
@ -12437,6 +12455,10 @@ js.org
kaas.gg kaas.gg
khplay.nl khplay.nl
// Kapsi : https://kapsi.fi
// Submitted by Tomi Juntunen <erani@kapsi.fi>
kapsi.fi
// Keyweb AG : https://www.keyweb.de // Keyweb AG : https://www.keyweb.de
// Submitted by Martin Dannehl <postmaster@keymachine.de> // Submitted by Martin Dannehl <postmaster@keymachine.de>
keymachine.de keymachine.de
@ -13046,6 +13068,10 @@ pleskns.com
// Submitted by Maximilian Schieder <maxi@zeug.co> // Submitted by Maximilian Schieder <maxi@zeug.co>
dyn53.io dyn53.io
// Porter : https://porter.run/
// Submitted by Rudraksh MK <rudi@porter.run>
onporter.run
// Positive Codes Technology Company : http://co.bn/faq.html // Positive Codes Technology Company : http://co.bn/faq.html
// Submitted by Zulfais <pc@co.bn> // Submitted by Zulfais <pc@co.bn>
co.bn co.bn
@ -13207,6 +13233,10 @@ itcouldbewor.se
// Submitted by Jennifer Herting <jchits@rit.edu> // Submitted by Jennifer Herting <jchits@rit.edu>
git-pages.rit.edu git-pages.rit.edu
// Rocky Enterprise Software Foundation : https://resf.org
// Submitted by Neil Hanlon <neil@resf.org>
rocky.page
// Rusnames Limited: http://rusnames.ru/ // Rusnames Limited: http://rusnames.ru/
// Submitted by Sergey Zotov <admin@rusnames.ru> // Submitted by Sergey Zotov <admin@rusnames.ru>
биз.рус биз.рус
@ -13483,6 +13513,10 @@ gdynia.pl
med.pl med.pl
sopot.pl sopot.pl
// team.blue https://team.blue
// Submitted by Cedric Dubois <cedric.dubois@team.blue>
site.tb-hosting.com
// Teckids e.V. : https://www.teckids.org // Teckids e.V. : https://www.teckids.org
// Submitted by Dominik George <dominik.george@teckids.org> // Submitted by Dominik George <dominik.george@teckids.org>
edugit.io edugit.io
@ -13686,6 +13720,10 @@ me.vu
// Submitted by Serhii Rostilo <sergey@rostilo.kiev.ua> // Submitted by Serhii Rostilo <sergey@rostilo.kiev.ua>
v.ua v.ua
// Vultr Objects : https://www.vultr.com/products/object-storage/
// Submitted by Niels Maumenee <storage@vultr.com>
*.vultrobjects.com
// Waffle Computer Inc., Ltd. : https://docs.waffleinfo.com // Waffle Computer Inc., Ltd. : https://docs.waffleinfo.com
// Submitted by Masayuki Note <masa@blade.wafflecell.com> // Submitted by Masayuki Note <masa@blade.wafflecell.com>
wafflecell.com wafflecell.com
@ -13735,6 +13773,10 @@ wmcloud.org
panel.gg panel.gg
daemon.panel.gg daemon.panel.gg
// Wizard Zines : https://wizardzines.com
// Submitted by Julia Evans <julia@wizardzines.com>
messwithdns.com
// WoltLab GmbH : https://www.woltlab.com // WoltLab GmbH : https://www.woltlab.com
// Submitted by Tim Düsterhus <security@woltlab.cloud> // Submitted by Tim Düsterhus <security@woltlab.cloud>
woltlab-demo.com woltlab-demo.com

View File

@ -1149,4 +1149,4 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
static const int32_t kUnknownId = -1; static const int32_t kUnknownId = -1;
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1648464588021000); static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1654167021983000);

File diff suppressed because it is too large Load Diff

View File

@ -28,14 +28,22 @@
#include "pkixcheck.h" #include "pkixcheck.h"
#include "pkixutil.h" #include "pkixutil.h"
namespace {
const size_t SHA1_DIGEST_LENGTH = 160 / 8;
} // unnamed namespace
namespace mozilla { namespace pkix { namespace mozilla { namespace pkix {
inline size_t DigestAlgorithmToSizeInBytes(DigestAlgorithm digestAlgorithm) {
switch (digestAlgorithm) {
case DigestAlgorithm::sha1:
return 160 / 8;
case DigestAlgorithm::sha256:
return 256 / 8;
case DigestAlgorithm::sha384:
return 384 / 8;
case DigestAlgorithm::sha512:
return 512 / 8;
MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
}
}
// These values correspond to the tag values in the ASN.1 CertStatus // These values correspond to the tag values in the ASN.1 CertStatus
enum class CertStatus : uint8_t { enum class CertStatus : uint8_t {
Good = der::CONTEXT_SPECIFIC | 0, Good = der::CONTEXT_SPECIFIC | 0,
@ -172,10 +180,12 @@ static inline Result CertID(Reader& input,
const Context& context, const Context& context,
/*out*/ bool& match); /*out*/ bool& match);
static Result MatchKeyHash(TrustDomain& trustDomain, static Result MatchKeyHash(TrustDomain& trustDomain,
DigestAlgorithm hashAlgorithm,
Input issuerKeyHash, Input issuerKeyHash,
Input issuerSubjectPublicKeyInfo, Input issuerSubjectPublicKeyInfo,
/*out*/ bool& match); /*out*/ bool& match);
static Result KeyHash(TrustDomain& trustDomain, static Result KeyHash(TrustDomain& trustDomain,
DigestAlgorithm hashAlgorithm,
Input subjectPublicKeyInfo, Input subjectPublicKeyInfo,
/*out*/ uint8_t* hashBuf, size_t hashBufSize); /*out*/ uint8_t* hashBuf, size_t hashBufSize);
@ -204,7 +214,7 @@ MatchResponderID(TrustDomain& trustDomain,
if (rv != Success) { if (rv != Success) {
return rv; return rv;
} }
return MatchKeyHash(trustDomain, keyHash, return MatchKeyHash(trustDomain, DigestAlgorithm::sha1, keyHash,
potentialSignerSubjectPublicKeyInfo, match); potentialSignerSubjectPublicKeyInfo, match);
} }
@ -715,36 +725,36 @@ CertID(Reader& input, const Context& context, /*out*/ bool& match)
return Success; return Success;
} }
// TODO: support SHA-2 hashes. size_t hashAlgorithmLength = DigestAlgorithmToSizeInBytes(hashAlgorithm);
if (issuerNameHash.GetLength() != hashAlgorithmLength) {
if (hashAlgorithm != DigestAlgorithm::sha1) {
// Again, not interested in this response. Consume input, return success.
input.SkipToEnd();
return Success;
}
if (issuerNameHash.GetLength() != SHA1_DIGEST_LENGTH) {
return Result::ERROR_OCSP_MALFORMED_RESPONSE; return Result::ERROR_OCSP_MALFORMED_RESPONSE;
} }
// From http://tools.ietf.org/html/rfc6960#section-4.1.1: // From http://tools.ietf.org/html/rfc6960#section-4.1.1:
// "The hash shall be calculated over the DER encoding of the // "The hash shall be calculated over the DER encoding of the
// issuer's name field in the certificate being checked." // issuer's name field in the certificate being checked."
uint8_t hashBuf[SHA1_DIGEST_LENGTH]; uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES];
if (hashAlgorithmLength > sizeof(hashBuf)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
rv = context.trustDomain.DigestBuf(context.certID.issuer, rv = context.trustDomain.DigestBuf(context.certID.issuer,
DigestAlgorithm::sha1, hashBuf, hashAlgorithm, hashBuf,
sizeof(hashBuf)); hashAlgorithmLength);
if (rv != Success) {
return rv;
}
Input computed;
rv = computed.Init(hashBuf, hashAlgorithmLength);
if (rv != Success) { if (rv != Success) {
return rv; return rv;
} }
Input computed(hashBuf);
if (!InputsAreEqual(computed, issuerNameHash)) { if (!InputsAreEqual(computed, issuerNameHash)) {
// Again, not interested in this response. Consume input, return success. // Again, not interested in this response. Consume input, return success.
input.SkipToEnd(); input.SkipToEnd();
return Success; return Success;
} }
return MatchKeyHash(context.trustDomain, issuerKeyHash, return MatchKeyHash(context.trustDomain, hashAlgorithm, issuerKeyHash,
context.certID.issuerSubjectPublicKeyInfo, match); context.certID.issuerSubjectPublicKeyInfo, match);
} }
@ -758,30 +768,53 @@ CertID(Reader& input, const Context& context, /*out*/ bool& match)
// -- BIT STRING subjectPublicKey [excluding // -- BIT STRING subjectPublicKey [excluding
// -- the tag, length, and number of unused // -- the tag, length, and number of unused
// -- bits] in the responder's certificate) // -- bits] in the responder's certificate)
//
// From https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1:
// CertID ::= SEQUENCE {
// hashAlgorithm AlgorithmIdentifier,
// issuerNameHash OCTET STRING, -- Hash of issuer's DN
// issuerKeyHash OCTET STRING, -- Hash of issuer's public key
// serialNumber CertificateSerialNumber }
// ...
// o hashAlgorithm is the hash algorithm used to generate the
// issuerNameHash and issuerKeyHash values.
// ...
// o issuerKeyHash is the hash of the issuer's public key. The hash
// shall be calculated over the value (excluding tag and length) of
// the subject public key field in the issuer's certificate.
static Result static Result
MatchKeyHash(TrustDomain& trustDomain, Input keyHash, MatchKeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
const Input subjectPublicKeyInfo, /*out*/ bool& match) Input keyHash, const Input subjectPublicKeyInfo,
/*out*/ bool& match)
{ {
if (keyHash.GetLength() != SHA1_DIGEST_LENGTH) { size_t hashLength = DigestAlgorithmToSizeInBytes(hashAlgorithm);
if (keyHash.GetLength() != hashLength) {
return Result::ERROR_OCSP_MALFORMED_RESPONSE; return Result::ERROR_OCSP_MALFORMED_RESPONSE;
} }
static uint8_t hashBuf[SHA1_DIGEST_LENGTH]; static uint8_t hashBuf[MAX_DIGEST_SIZE_IN_BYTES];
Result rv = KeyHash(trustDomain, subjectPublicKeyInfo, hashBuf, if (hashLength > MAX_DIGEST_SIZE_IN_BYTES) {
sizeof hashBuf); return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
Result rv = KeyHash(trustDomain, hashAlgorithm, subjectPublicKeyInfo,
hashBuf, hashLength);
if (rv != Success) {
return rv;
}
Input computed;
rv = computed.Init(hashBuf, hashLength);
if (rv != Success) { if (rv != Success) {
return rv; return rv;
} }
Input computed(hashBuf);
match = InputsAreEqual(computed, keyHash); match = InputsAreEqual(computed, keyHash);
return Success; return Success;
} }
// TODO(bug 966856): support SHA-2 hashes
Result Result
KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo, KeyHash(TrustDomain& trustDomain, DigestAlgorithm hashAlgorithm,
/*out*/ uint8_t* hashBuf, size_t hashBufSize) const Input subjectPublicKeyInfo, /*out*/ uint8_t* hashBuf,
size_t hashBufSize)
{ {
if (!hashBuf || hashBufSize != SHA1_DIGEST_LENGTH) { if (!hashBuf || hashBufSize != DigestAlgorithmToSizeInBytes(hashAlgorithm)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE; return Result::FATAL_ERROR_LIBRARY_FAILURE;
} }
@ -814,8 +847,8 @@ KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo,
return rv; return rv;
} }
return trustDomain.DigestBuf(subjectPublicKey, DigestAlgorithm::sha1, return trustDomain.DigestBuf(subjectPublicKey, hashAlgorithm, hashBuf,
hashBuf, hashBufSize); hashBufSize);
} }
Result Result
@ -865,8 +898,6 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
// and thus more likely to fit within the 255 byte limit for OCSP GET that // and thus more likely to fit within the 255 byte limit for OCSP GET that
// is specified in RFC 5019 Section 5. // is specified in RFC 5019 Section 5.
// Bug 966856: Add the id-pkix-ocsp-pref-sig-algs extension.
// Since we don't know whether the OCSP responder supports anything other // Since we don't know whether the OCSP responder supports anything other
// than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and // than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and
// issuerKeyHash. // issuerKeyHash.
@ -930,7 +961,8 @@ CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
// reqCert.issuerKeyHash (OCTET STRING) // reqCert.issuerKeyHash (OCTET STRING)
*d++ = 0x04; *d++ = 0x04;
*d++ = hashLen; *d++ = hashLen;
rv = KeyHash(trustDomain, certID.issuerSubjectPublicKeyInfo, d, hashLen); rv = KeyHash(trustDomain, DigestAlgorithm::sha1,
certID.issuerSubjectPublicKeyInfo, d, hashLen);
if (rv != Success) { if (rv != Success) {
return rv; return rv;
} }

View File

@ -1272,6 +1272,8 @@ NS_METHOD nsCocoaWindow::SetSizeMode(nsSizeMode aMode)
[mWindow deminiaturize:nil]; [mWindow deminiaturize:nil];
else if (previousMode == nsSizeMode_Maximized && [mWindow isZoomed]) else if (previousMode == nsSizeMode_Maximized && [mWindow isZoomed])
[mWindow zoom:nil]; [mWindow zoom:nil];
else if (previousMode == nsSizeMode_Fullscreen)
MakeFullScreen(false);
} }
else if (aMode == nsSizeMode_Minimized) { else if (aMode == nsSizeMode_Minimized) {
if (![mWindow isMiniaturized]) if (![mWindow isMiniaturized])