summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authoradesh <adeshk@hotmail.com>2020-11-10 04:22:12 -0500
committeradesh <adeshk@hotmail.com>2020-11-10 23:07:22 -0500
commit5ef801fdc5744daf9455fc6dcf90d3f7c60ae084 (patch)
tree75f97c59a685652a7b06e3d7ae00757affcfbb8d
parent0ba1d49ae5564a9e0b141b656a8cdc68e7582baf (diff)
downloaduxp-5ef801fdc5744daf9455fc6dcf90d3f7c60ae084.tar.gz
Issue #1280 - Follow-up: Get rid of HPKP pinning mode.
This was a leftover from HPKP removal. Also remove a couple of unused variables from security/manager/ssl/nsSiteSecurityService.cpp.
-rw-r--r--security/certverifier/CertVerifier.cpp21
-rw-r--r--security/certverifier/CertVerifier.h13
-rw-r--r--security/certverifier/NSSCertDBTrustDomain.cpp2
-rw-r--r--security/certverifier/NSSCertDBTrustDomain.h2
-rw-r--r--security/manager/ssl/SharedCertVerifier.h4
-rw-r--r--security/manager/ssl/nsNSSComponent.cpp10
-rw-r--r--security/manager/ssl/nsSiteSecurityService.cpp4
7 files changed, 14 insertions, 42 deletions
diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
index bcb24fe395..2e6086b2d5 100644
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -41,7 +41,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc,
OcspStrictConfig osc,
OcspGetConfig ogc,
uint32_t certShortLifetimeInDays,
- PinningMode pinningMode,
SHA1Mode sha1Mode,
BRNameMatchingPolicy::Mode nameMatchingMode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
@@ -50,7 +49,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc,
, mOCSPStrict(osc == ocspStrict)
, mOCSPGETEnabled(ogc == ocspGetEnabled)
, mCertShortLifetimeInDays(certShortLifetimeInDays)
- , mPinningMode(pinningMode)
, mSHA1Mode(sha1Mode)
, mNameMatchingMode(nameMatchingMode)
, mNetscapeStepUpPolicy(netscapeStepUpPolicy)
@@ -416,7 +414,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
+ MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
@@ -485,7 +483,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain
trustDomain(trustSSL, evOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
- mCertShortLifetimeInDays, mPinningMode, MIN_RSA_BITS,
+ mCertShortLifetimeInDays, MIN_RSA_BITS,
ValidityCheckingMode::CheckForEV,
sha1ModeConfigurations[i], mNetscapeStepUpPolicy,
originAttributes, builtChain);
@@ -566,7 +564,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
- mPinningMode, keySizeOptions[i],
+ keySizeOptions[i],
ValidityCheckingMode::CheckingOff,
sha1ModeConfigurations[j],
mNetscapeStepUpPolicy,
@@ -629,7 +627,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
+ MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed, mNetscapeStepUpPolicy,
originAttributes, builtChain);
@@ -644,7 +642,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
+ MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
@@ -671,7 +669,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
+ MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
@@ -695,7 +693,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain trustDomain(trustObjectSigning, defaultOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
+ MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
@@ -728,7 +726,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain sslTrust(trustSSL, defaultOCSPFetching, mOCSPCache,
pinArg, ocspGETConfig, mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
+ MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
@@ -740,7 +738,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain emailTrust(trustEmail, defaultOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
+ MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
@@ -753,7 +751,6 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
defaultOCSPFetching, mOCSPCache,
pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
- pinningDisabled,
MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
diff --git a/security/certverifier/CertVerifier.h b/security/certverifier/CertVerifier.h
index 6bae219ce7..54568c0878 100644
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -139,13 +139,6 @@ public:
/*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr,
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr);
- enum PinningMode {
- pinningDisabled = 0,
- pinningAllowUserCAMITM = 1,
- pinningStrict = 2,
- pinningEnforceTestMode = 3
- };
-
enum class SHA1Mode {
Allowed = 0,
Forbidden = 1,
@@ -172,7 +165,7 @@ public:
CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
OcspGetConfig ogc, uint32_t certShortLifetimeInDays,
- PinningMode pinningMode, SHA1Mode sha1Mode,
+ SHA1Mode sha1Mode,
BRNameMatchingPolicy::Mode nameMatchingMode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
CertificateTransparencyMode ctMode);
@@ -184,7 +177,6 @@ public:
const bool mOCSPStrict;
const bool mOCSPGETEnabled;
const uint32_t mCertShortLifetimeInDays;
- const PinningMode mPinningMode;
const SHA1Mode mSHA1Mode;
const BRNameMatchingPolicy::Mode mNameMatchingMode;
const NetscapeStepUpPolicy mNetscapeStepUpPolicy;
@@ -214,8 +206,7 @@ private:
mozilla::pkix::Result IsCertBuiltInRoot(CERTCertificate* cert, bool& result);
mozilla::pkix::Result CertListContainsExpectedKeys(
- const CERTCertList* certList, const char* hostname, mozilla::pkix::Time time,
- CertVerifier::PinningMode pinningMode);
+ const CERTCertList* certList, const char* hostname, mozilla::pkix::Time time);
} } // namespace mozilla::psm
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index bc68c446a5..c0311d4af7 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -51,7 +51,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
/*optional but shouldn't be*/ void* pinArg,
CertVerifier::OcspGetConfig ocspGETConfig,
uint32_t certShortLifetimeInDays,
- CertVerifier::PinningMode pinningMode,
unsigned int minRSABits,
ValidityCheckingMode validityCheckingMode,
CertVerifier::SHA1Mode sha1Mode,
@@ -64,7 +63,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
, mPinArg(pinArg)
, mOCSPGetConfig(ocspGETConfig)
, mCertShortLifetimeInDays(certShortLifetimeInDays)
- , mPinningMode(pinningMode)
, mMinRSABits(minRSABits)
, mValidityCheckingMode(validityCheckingMode)
, mSHA1Mode(sha1Mode)
diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h
index 24c4f16e63..585a41b175 100644
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -76,7 +76,6 @@ public:
OCSPCache& ocspCache, void* pinArg,
CertVerifier::OcspGetConfig ocspGETConfig,
uint32_t certShortLifetimeInDays,
- CertVerifier::PinningMode pinningMode,
unsigned int minRSABits,
ValidityCheckingMode validityCheckingMode,
CertVerifier::SHA1Mode sha1Mode,
@@ -178,7 +177,6 @@ private:
void* mPinArg; // non-owning!
const CertVerifier::OcspGetConfig mOCSPGetConfig;
const uint32_t mCertShortLifetimeInDays;
- CertVerifier::PinningMode mPinningMode;
const unsigned int mMinRSABits;
ValidityCheckingMode mValidityCheckingMode;
CertVerifier::SHA1Mode mSHA1Mode;
diff --git a/security/manager/ssl/SharedCertVerifier.h b/security/manager/ssl/SharedCertVerifier.h
index 03619573af..135c8ae514 100644
--- a/security/manager/ssl/SharedCertVerifier.h
+++ b/security/manager/ssl/SharedCertVerifier.h
@@ -20,12 +20,12 @@ public:
SharedCertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
OcspGetConfig ogc, uint32_t certShortLifetimeInDays,
- PinningMode pinningMode, SHA1Mode sha1Mode,
+ SHA1Mode sha1Mode,
BRNameMatchingPolicy::Mode nameMatchingMode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
CertificateTransparencyMode ctMode)
: mozilla::psm::CertVerifier(odc, osc, ogc, certShortLifetimeInDays,
- pinningMode, sha1Mode, nameMatchingMode,
+ sha1Mode, nameMatchingMode,
netscapeStepUpPolicy, ctMode)
{
}
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
index 897b5743ce..6e6d614410 100644
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1579,14 +1579,6 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting,
PublicSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled);
PrivateSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled);
- CertVerifier::PinningMode pinningMode =
- static_cast<CertVerifier::PinningMode>
- (Preferences::GetInt("security.cert_pinning.enforcement_level",
- CertVerifier::pinningDisabled));
- if (pinningMode > CertVerifier::pinningEnforceTestMode) {
- pinningMode = CertVerifier::pinningDisabled;
- }
-
CertVerifier::SHA1Mode sha1Mode = static_cast<CertVerifier::SHA1Mode>
(Preferences::GetInt("security.pki.sha1_enforcement_level",
static_cast<int32_t>(CertVerifier::SHA1Mode::Allowed)));
@@ -1646,7 +1638,7 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting,
lock);
mDefaultCertVerifier = new SharedCertVerifier(odc, osc, ogc,
certShortLifetimeInDays,
- pinningMode, sha1Mode,
+ sha1Mode,
nameMatchingMode,
netscapeStepUpPolicy,
ctMode);
diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp
index fa2619414d..5a6ff3d46c 100644
--- a/security/manager/ssl/nsSiteSecurityService.cpp
+++ b/security/manager/ssl/nsSiteSecurityService.cpp
@@ -87,8 +87,6 @@ SiteHSTSState::ToString(nsCString& aString)
////////////////////////////////////////////////////////////////////////////////
-const uint64_t kSixtyDaysInSeconds = 60 * 24 * 60 * 60;
-
static bool
HostIsIPAddress(const char *hostname)
{
@@ -398,8 +396,6 @@ ParseSSSHeaders(uint32_t aType,
// Unrecognized directives (that are otherwise syntactically valid) are
// ignored, and the rest of the header is parsed as normal.
- bool foundReportURI = false;
-
NS_NAMED_LITERAL_CSTRING(max_age_var, "max-age");
NS_NAMED_LITERAL_CSTRING(include_subd_var, "includesubdomains");