diff options
| author | Matt A. Tobin <mattatobin@no-reply.palemoon.org> | 2020-11-16 17:54:58 +0000 |
|---|---|---|
| committer | Matt A. Tobin <mattatobin@no-reply.palemoon.org> | 2020-11-16 17:54:58 +0000 |
| commit | 241f06bc534be30c271b1874990cfc060b729ab2 (patch) | |
| tree | fd60ceff2912cc2588dfccfb1a0fe73ae1b8b106 | |
| parent | ecb827c5c4782934453054b0b94a27169a65f3d6 (diff) | |
| parent | 5ef801fdc5744daf9455fc6dcf90d3f7c60ae084 (diff) | |
| download | uxp-241f06bc534be30c271b1874990cfc060b729ab2.tar.gz | |
Merge pull request 'Get rid of HPKP pinning mode leftovers' (#1680) from adesh/UXP:cleanup-hpkp-pinning-mode into master
Reviewed-on: https://repo.palemoon.org/MoonchildProductions/UXP/pulls/1680
| -rw-r--r-- | security/certverifier/CertVerifier.cpp | 21 | ||||
| -rw-r--r-- | security/certverifier/CertVerifier.h | 13 | ||||
| -rw-r--r-- | security/certverifier/NSSCertDBTrustDomain.cpp | 2 | ||||
| -rw-r--r-- | security/certverifier/NSSCertDBTrustDomain.h | 2 | ||||
| -rw-r--r-- | security/manager/ssl/SharedCertVerifier.h | 4 | ||||
| -rw-r--r-- | security/manager/ssl/nsNSSComponent.cpp | 10 | ||||
| -rw-r--r-- | security/manager/ssl/nsSiteSecurityService.cpp | 4 |
7 files changed, 14 insertions, 42 deletions
diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp index bcb24fe395..2e6086b2d5 100644 --- a/security/certverifier/CertVerifier.cpp +++ b/security/certverifier/CertVerifier.cpp @@ -41,7 +41,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc, OcspGetConfig ogc, uint32_t certShortLifetimeInDays, - PinningMode pinningMode, SHA1Mode sha1Mode, BRNameMatchingPolicy::Mode nameMatchingMode, NetscapeStepUpPolicy netscapeStepUpPolicy, @@ -50,7 +49,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc, , mOCSPStrict(osc == ocspStrict) , mOCSPGETEnabled(ogc == ocspGetEnabled) , mCertShortLifetimeInDays(certShortLifetimeInDays) - , mPinningMode(pinningMode) , mSHA1Mode(sha1Mode) , mNameMatchingMode(nameMatchingMode) , mNetscapeStepUpPolicy(netscapeStepUpPolicy) @@ -416,7 +414,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - pinningDisabled, MIN_RSA_BITS_WEAK, + MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, @@ -485,7 +483,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain trustDomain(trustSSL, evOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, - mCertShortLifetimeInDays, mPinningMode, MIN_RSA_BITS, + mCertShortLifetimeInDays, MIN_RSA_BITS, ValidityCheckingMode::CheckForEV, sha1ModeConfigurations[i], mNetscapeStepUpPolicy, originAttributes, builtChain); @@ -566,7 +564,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - mPinningMode, keySizeOptions[i], + keySizeOptions[i], ValidityCheckingMode::CheckingOff, sha1ModeConfigurations[j], mNetscapeStepUpPolicy, @@ -629,7 +627,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - pinningDisabled, MIN_RSA_BITS_WEAK, + MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, mNetscapeStepUpPolicy, originAttributes, builtChain); @@ -644,7 +642,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - pinningDisabled, MIN_RSA_BITS_WEAK, + MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, @@ -671,7 +669,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - pinningDisabled, MIN_RSA_BITS_WEAK, + MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, @@ -695,7 +693,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain trustDomain(trustObjectSigning, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - pinningDisabled, MIN_RSA_BITS_WEAK, + MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, @@ -728,7 +726,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain sslTrust(trustSSL, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - pinningDisabled, MIN_RSA_BITS_WEAK, + MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, @@ -740,7 +738,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain emailTrust(trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - pinningDisabled, MIN_RSA_BITS_WEAK, + MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, @@ -753,7 +751,6 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - pinningDisabled, MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, diff --git a/security/certverifier/CertVerifier.h b/security/certverifier/CertVerifier.h index 6bae219ce7..54568c0878 100644 --- a/security/certverifier/CertVerifier.h +++ b/security/certverifier/CertVerifier.h @@ -139,13 +139,6 @@ public: /*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr, /*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr); - enum PinningMode { - pinningDisabled = 0, - pinningAllowUserCAMITM = 1, - pinningStrict = 2, - pinningEnforceTestMode = 3 - }; - enum class SHA1Mode { Allowed = 0, Forbidden = 1, @@ -172,7 +165,7 @@ public: CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc, OcspGetConfig ogc, uint32_t certShortLifetimeInDays, - PinningMode pinningMode, SHA1Mode sha1Mode, + SHA1Mode sha1Mode, BRNameMatchingPolicy::Mode nameMatchingMode, NetscapeStepUpPolicy netscapeStepUpPolicy, CertificateTransparencyMode ctMode); @@ -184,7 +177,6 @@ public: const bool mOCSPStrict; const bool mOCSPGETEnabled; const uint32_t mCertShortLifetimeInDays; - const PinningMode mPinningMode; const SHA1Mode mSHA1Mode; const BRNameMatchingPolicy::Mode mNameMatchingMode; const NetscapeStepUpPolicy mNetscapeStepUpPolicy; @@ -214,8 +206,7 @@ private: mozilla::pkix::Result IsCertBuiltInRoot(CERTCertificate* cert, bool& result); mozilla::pkix::Result CertListContainsExpectedKeys( - const CERTCertList* certList, const char* hostname, mozilla::pkix::Time time, - CertVerifier::PinningMode pinningMode); + const CERTCertList* certList, const char* hostname, mozilla::pkix::Time time); } } // namespace mozilla::psm diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp index bc68c446a5..c0311d4af7 100644 --- a/security/certverifier/NSSCertDBTrustDomain.cpp +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -51,7 +51,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType, /*optional but shouldn't be*/ void* pinArg, CertVerifier::OcspGetConfig ocspGETConfig, uint32_t certShortLifetimeInDays, - CertVerifier::PinningMode pinningMode, unsigned int minRSABits, ValidityCheckingMode validityCheckingMode, CertVerifier::SHA1Mode sha1Mode, @@ -64,7 +63,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType, , mPinArg(pinArg) , mOCSPGetConfig(ocspGETConfig) , mCertShortLifetimeInDays(certShortLifetimeInDays) - , mPinningMode(pinningMode) , mMinRSABits(minRSABits) , mValidityCheckingMode(validityCheckingMode) , mSHA1Mode(sha1Mode) diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h index 24c4f16e63..585a41b175 100644 --- a/security/certverifier/NSSCertDBTrustDomain.h +++ b/security/certverifier/NSSCertDBTrustDomain.h @@ -76,7 +76,6 @@ public: OCSPCache& ocspCache, void* pinArg, CertVerifier::OcspGetConfig ocspGETConfig, uint32_t certShortLifetimeInDays, - CertVerifier::PinningMode pinningMode, unsigned int minRSABits, ValidityCheckingMode validityCheckingMode, CertVerifier::SHA1Mode sha1Mode, @@ -178,7 +177,6 @@ private: void* mPinArg; // non-owning! const CertVerifier::OcspGetConfig mOCSPGetConfig; const uint32_t mCertShortLifetimeInDays; - CertVerifier::PinningMode mPinningMode; const unsigned int mMinRSABits; ValidityCheckingMode mValidityCheckingMode; CertVerifier::SHA1Mode mSHA1Mode; diff --git a/security/manager/ssl/SharedCertVerifier.h b/security/manager/ssl/SharedCertVerifier.h index 03619573af..135c8ae514 100644 --- a/security/manager/ssl/SharedCertVerifier.h +++ b/security/manager/ssl/SharedCertVerifier.h @@ -20,12 +20,12 @@ public: SharedCertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc, OcspGetConfig ogc, uint32_t certShortLifetimeInDays, - PinningMode pinningMode, SHA1Mode sha1Mode, + SHA1Mode sha1Mode, BRNameMatchingPolicy::Mode nameMatchingMode, NetscapeStepUpPolicy netscapeStepUpPolicy, CertificateTransparencyMode ctMode) : mozilla::psm::CertVerifier(odc, osc, ogc, certShortLifetimeInDays, - pinningMode, sha1Mode, nameMatchingMode, + sha1Mode, nameMatchingMode, netscapeStepUpPolicy, ctMode) { } diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp index 897b5743ce..6e6d614410 100644 --- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -1579,14 +1579,6 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting, PublicSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled); PrivateSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled); - CertVerifier::PinningMode pinningMode = - static_cast<CertVerifier::PinningMode> - (Preferences::GetInt("security.cert_pinning.enforcement_level", - CertVerifier::pinningDisabled)); - if (pinningMode > CertVerifier::pinningEnforceTestMode) { - pinningMode = CertVerifier::pinningDisabled; - } - CertVerifier::SHA1Mode sha1Mode = static_cast<CertVerifier::SHA1Mode> (Preferences::GetInt("security.pki.sha1_enforcement_level", static_cast<int32_t>(CertVerifier::SHA1Mode::Allowed))); @@ -1646,7 +1638,7 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting, lock); mDefaultCertVerifier = new SharedCertVerifier(odc, osc, ogc, certShortLifetimeInDays, - pinningMode, sha1Mode, + sha1Mode, nameMatchingMode, netscapeStepUpPolicy, ctMode); diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp index fa2619414d..5a6ff3d46c 100644 --- a/security/manager/ssl/nsSiteSecurityService.cpp +++ b/security/manager/ssl/nsSiteSecurityService.cpp @@ -87,8 +87,6 @@ SiteHSTSState::ToString(nsCString& aString) //////////////////////////////////////////////////////////////////////////////// -const uint64_t kSixtyDaysInSeconds = 60 * 24 * 60 * 60; - static bool HostIsIPAddress(const char *hostname) { @@ -398,8 +396,6 @@ ParseSSSHeaders(uint32_t aType, // Unrecognized directives (that are otherwise syntactically valid) are // ignored, and the rest of the header is parsed as normal. - bool foundReportURI = false; - NS_NAMED_LITERAL_CSTRING(max_age_var, "max-age"); NS_NAMED_LITERAL_CSTRING(include_subd_var, "includesubdomains"); |