Bug 454406: back out patches from bug 431819 and bug 426555 to fix regression in client cert authentication, a=beltzner

git-svn-id: svn://10.0.0.236/trunk@254241 18797224-902f-48f8-a5cc-f745e15eee43

mozilla/netwerk/base/public/security-prefs.js

@@ -61,7 +61,6 @@ pref("security.ssl3.rsa_null_sha", false);
 pref("security.ssl3.rsa_null_md5", false);
 
 pref("security.default_personal_cert",   "Ask Every Time");
-pref("security.remember_cert_checkbox_default_setting", true);
 pref("security.ask_for_password",        0);
 pref("security.password_lifetime",       30);
 pref("security.warn_entering_secure",    false);

mozilla/security/manager/pki/resources/content/clientauthask.js

@@ -42,7 +42,6 @@ const nsIDialogParamBlock = Components.interfaces.nsIDialogParamBlock;
 
 var dialogParams;
 var itemCount = 0;
-var rememberBox;
 
 function onLoad()
 {
@@ -55,28 +54,6 @@ function onLoad()
     org = dialogParams.GetString(1);
     issuer = dialogParams.GetString(2);
 
-    // added with bug 431819. reuse string from caps in order to avoid string changes
-    var capsBundle = srGetStrBundle("chrome://global/locale/security/caps.properties");
-    var rememberString = capsBundle.GetStringFromName("CheckMessage");
-    var rememberSetting = true;
-
-    var pref = Components.classes['@mozilla.org/preferences-service;1']
-	       .getService(Components.interfaces.nsIPrefService);
-    if (pref) {
-      pref = pref.getBranch(null);
-      try {
-	rememberSetting = 
-	  pref.getBoolPref("security.remember_cert_checkbox_default_setting");
-      }
-      catch(e) {
-	// pref is missing
-      }
-    }
-
-    rememberBox = document.getElementById("rememberBox");
-    rememberBox.label = rememberString;
-    rememberBox.checked = rememberSetting;
-
     var bundle = srGetStrBundle("chrome://pippki/locale/pippki.properties");
     var message1 = bundle.formatStringFromName("clientAuthMessage1", 
                                              [org],
@@ -121,14 +98,11 @@ function doOK()
   dialogParams.SetInt(0,1);
   var index = parseInt(document.getElementById("nicknames").value);
   dialogParams.SetInt(1, index);
-  dialogParams.SetInt(2, rememberBox.checked);
   return true;
 }
 
 function doCancel()
 {
   dialogParams.SetInt(0,0);
-  dialogParams.SetInt(1, -1); // invalid value
-  dialogParams.SetInt(2, rememberBox.checked);
   return true;
 }

mozilla/security/manager/pki/resources/content/clientauthask.xul

@@ -73,7 +73,6 @@
     <description>&clientAuthAsk.message3;</description>
     <textbox readonly="true" id="details" multiline="true"
       style="height: 11em;"/>
-    <checkbox id="rememberBox" checked="true"/>
   </groupbox>
 
 </dialog>

mozilla/security/manager/pki/src/nsNSSDialogs.cpp

@@ -309,18 +309,10 @@ nsNSSDialogs::ChooseCertificate(nsIInterfaceRequestor *ctx, const PRUnichar *cn,
   if (NS_FAILED(rv)) return rv;
 
   PRInt32 status;
+
   rv = block->GetInt(0, &status);
   if (NS_FAILED(rv)) return rv;
 
-  nsCOMPtr<nsIClientAuthUserDecision> extraResult = do_QueryInterface(ctx);
-  if (extraResult) {
-    PRInt32 rememberSelection;
-    rv = block->GetInt(2, &rememberSelection);
-    if (NS_SUCCEEDED(rv)) {
-      extraResult->SetRememberClientAuthCertificate(rememberSelection!=0);
-    }
-  }
-
   *canceled = (status == 0)?PR_TRUE:PR_FALSE;
   if (!*canceled) {
     // retrieve the nickname

mozilla/security/manager/ssl/public/nsIClientAuthDialogs.idl

@@ -61,12 +61,6 @@ interface nsIClientAuthDialogs : nsISupports
                         out boolean canceled);
 };
 
-[scriptable, uuid(95c4373e-bdd4-4a63-b431-f5b000367721)]
-interface nsIClientAuthUserDecision : nsISupports
-{
-  attribute boolean rememberClientAuthCertificate;
-};
-
 %{C++
 #define NS_CLIENTAUTHDIALOGS_CONTRACTID "@mozilla.org/nsClientAuthDialogs;1"
 %}

mozilla/security/manager/ssl/src/Makefile.in

@@ -60,7 +60,6 @@ CPPSRCS = 				\
 	nsNSSCleaner.cpp                \
 	nsCertOverrideService.cpp   \
 	nsRecentBadCerts.cpp \
-        nsClientAuthRemember.cpp        \
 	nsPSMBackgroundThread.cpp       \
 	nsSSLThread.cpp                 \
 	nsCertVerificationThread.cpp    \

mozilla/security/manager/ssl/src/nsNSSComponent.cpp

@@ -296,10 +296,7 @@ nsNSSComponent::nsNSSComponent()
   memset(&mIdentityInfoCallOnce, 0, sizeof(PRCallOnceType));
 
   nsSSLIOLayerHelpers::Init();
-  mClientAuthRememberService = new nsClientAuthRememberService;
-  if (mClientAuthRememberService)
-    mClientAuthRememberService->Init();
-
+  
   NS_ASSERTION( (0 == mInstanceCount), "nsNSSComponent is a singleton, but instantiated multiple times!");
   ++mInstanceCount;
   hashTableCerts = nsnull;
@@ -1686,9 +1683,6 @@ nsNSSComponent::ShutdownNSS()
 
     ShutdownSmartCardThreads();
     SSL_ClearSessionCache();
-    if (mClientAuthRememberService) {
-      mClientAuthRememberService->ClearRememberedDecisions();
-    }
     UnloadLoadableRoots();
     CleanupIdentityInfo();
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("evaporating psm resources\n"));
@@ -2154,9 +2148,6 @@ void nsNSSComponent::ShowAlert(AlertIdentifier ai)
 
 nsresult nsNSSComponent::LogoutAuthenticatedPK11()
 {
-  if (mClientAuthRememberService) {
-    mClientAuthRememberService->ClearRememberedDecisions();
-  }
   return mShutdownObjectList->doPK11Logout();
 }
 
@@ -2418,14 +2409,6 @@ nsNSSComponent::DoProfileChangeNetRestore()
   mIsNetworkDown = PR_FALSE;
 }
 
-NS_IMETHODIMP
-nsNSSComponent::GetClientAuthRememberService(nsClientAuthRememberService **cars)
-{
-  NS_ENSURE_ARG_POINTER(cars);
-  NS_IF_ADDREF(*cars = mClientAuthRememberService);
-  return NS_OK;
-}
-
 //---------------------------------------------
 // Implementing nsICryptoHash
 //---------------------------------------------
@@ -3195,3 +3178,4 @@ PSMContentListener::SetParentContentListener(nsIURIContentListener * aContentLis
   mParentContentListener = aContentListener;
   return NS_OK;
 }
+

mozilla/security/manager/ssl/src/nsNSSComponent.h

@@ -69,7 +69,6 @@
 #include "nsNSSCallbacks.h"
 
 #include "nsNSSHelper.h"
-#include "nsClientAuthRemember.h"
 
 #define NS_NSSCOMPONENT_CID \
 {0xa277189c, 0x1dd1, 0x11b2, {0xa8, 0xc9, 0xe4, 0xe8, 0xbf, 0xb1, 0x33, 0x8e}}
@@ -172,8 +171,6 @@ class NS_NO_VTABLE nsINSSComponent : public nsISupports {
 
   NS_IMETHOD DispatchEvent(const nsAString &eventType, const nsAString &token) = 0;
   
-  NS_IMETHOD GetClientAuthRememberService(nsClientAuthRememberService **cars) = 0;
-
   NS_IMETHOD EnsureIdentityInfoLoaded() = 0;
 };
 
@@ -262,7 +259,6 @@ public:
   NS_IMETHOD ShutdownSmartCardThread(SECMODModule *module);
   NS_IMETHOD PostEvent(const nsAString &eventType, const nsAString &token);
   NS_IMETHOD DispatchEvent(const nsAString &eventType, const nsAString &token);
-  NS_IMETHOD GetClientAuthRememberService(nsClientAuthRememberService **cars);
   NS_IMETHOD EnsureIdentityInfoLoaded();
 
 private:
@@ -328,7 +324,6 @@ private:
   nsSSLThread *mSSLThread;
   nsCertVerificationThread *mCertVerificationThread;
   nsNSSHttpInterface mHttpForNSS;
-  nsRefPtr<nsClientAuthRememberService> mClientAuthRememberService;
 
   static PRStatus PR_CALLBACK IdentityInfoInit(void);
   PRCallOnceType mIdentityInfoCallOnce;

mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp

@@ -58,7 +58,6 @@
 #include "nsIDateTimeFormat.h"
 #include "nsDateTimeFormatCID.h"
 #include "nsIClientAuthDialogs.h"
-#include "nsClientAuthRemember.h"
 #include "nsICertOverrideService.h"
 #include "nsIBadCertListener2.h"
 #include "nsISSLErrorListener.h"
@@ -238,7 +237,7 @@ void nsNSSSocketInfo::virtualDestroyNSSReference()
 {
 }
 
-NS_IMPL_THREADSAFE_ISUPPORTS9(nsNSSSocketInfo,
+NS_IMPL_THREADSAFE_ISUPPORTS8(nsNSSSocketInfo,
                               nsITransportSecurityInfo,
                               nsISSLSocketControl,
                               nsIInterfaceRequestor,
@@ -246,8 +245,7 @@ NS_IMPL_THREADSAFE_ISUPPORTS9(nsNSSSocketInfo,
                               nsIIdentityInfo,
                               nsIAssociatedContentSecurity,
                               nsISerializable,
-                              nsIClassInfo,
-                              nsIClientAuthUserDecision)
+                              nsIClassInfo)
 
 nsresult
 nsNSSSocketInfo::GetHandshakePending(PRBool *aHandshakePending)
@@ -301,19 +299,6 @@ PRBool nsNSSSocketInfo::GetCanceled()
   return mCanceled;
 }
 
-NS_IMETHODIMP nsNSSSocketInfo::GetRememberClientAuthCertificate(PRBool *aRememberClientAuthCertificate)
-{
-  NS_ENSURE_ARG_POINTER(aRememberClientAuthCertificate);
-  *aRememberClientAuthCertificate = mRememberClientAuthCertificate;
-  return NS_OK;
-}
-
-NS_IMETHODIMP nsNSSSocketInfo::SetRememberClientAuthCertificate(PRBool aRememberClientAuthCertificate)
-{
-  mRememberClientAuthCertificate = aRememberClientAuthCertificate;
-  return NS_OK;
-}
-
 void nsNSSSocketInfo::SetHasCleartextPhase(PRBool aHasCleartextPhase)
 {
   mHasCleartextPhase = aHasCleartextPhase;
@@ -2479,10 +2464,12 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
   nsNSSShutDownPreventionLock locker;
   void* wincx = NULL;
   SECStatus ret = SECFailure;
+  nsresult rv;
   nsNSSSocketInfo* info = NULL;
   PRArenaPool* arena = NULL;
   char** caNameStrings;
   CERTCertificate* cert = NULL;
+  CERTCertificate* serverCert = NULL;
   SECKEYPrivateKey* privKey = NULL;
   CERTCertList* certList = NULL;
   CERTCertListNode* node;
@@ -2606,57 +2593,13 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
         goto noCert;
     }
   }
-  else { // Not Auto => ask
-    /* Get the SSL Certificate */
-    CERTCertificate* serverCert = NULL;
-    CERTCertificateCleaner serverCertCleaner(serverCert);
-    serverCert = SSL_PeerCertificate(socket);
-    if (serverCert == NULL) {
-      /* couldn't get the server cert: what do I do? */
-      goto loser;
-    }
-
-    nsXPIDLCString hostname;
-    info->GetHostName(getter_Copies(hostname));
-
-    nsresult rv;
-    NS_DEFINE_CID(nssComponentCID, NS_NSSCOMPONENT_CID);
-    nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(nssComponentCID, &rv));
-    nsRefPtr<nsClientAuthRememberService> cars;
-    if (nssComponent) {
-      nssComponent->GetClientAuthRememberService(getter_AddRefs(cars));
-    }
-
-    PRBool hasRemembered = PR_FALSE;
-    nsCString rememberedNickname;
-    if (cars) {
-      PRBool found;
-      nsresult rv = cars->HasRememberedDecision(hostname, 
-                                                serverCert,
-                                                rememberedNickname, &found);
-      if (NS_SUCCEEDED(rv) && found) {
-        hasRemembered = PR_TRUE;
-      }
-    }
-
-    PRBool canceled = PR_FALSE;
-
-if (hasRemembered)
-{
-  if (rememberedNickname.IsEmpty())
-    canceled = PR_TRUE;
   else {
-    char *const_nickname = const_cast<char*>(rememberedNickname.get());
-    cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), const_nickname);
-  }
-}
-else
-{
     /* user selects a cert to present */
     nsIClientAuthDialogs *dialogs = NULL;
     PRInt32 selectedIndex = -1;
     PRUnichar **certNicknameList = NULL;
     PRUnichar **certDetailsList = NULL;
+    PRBool canceled;
 
     /* find all user certs that are for SSL */
     /* note that we are allowing expired certs in this list */
@@ -2713,6 +2656,13 @@ else
 
     NS_ASSERTION(nicknames->numnicknames == NumberOfCerts, "nicknames->numnicknames != NumberOfCerts");
 
+    /* Get the SSL Certificate */
+    serverCert = SSL_PeerCertificate(socket);
+    if (serverCert == NULL) {
+      /* couldn't get the server cert: what do I do? */
+      goto loser;
+    }
+
     /* Get CN and O of the subject and O of the issuer */
     char *ccn = CERT_GetCommonName(&serverCert->subject);
     charCleaner ccnCleaner(ccn);
@@ -2720,6 +2670,8 @@ else
 
     PRInt32 port;
     info->GetPort(&port);
+    char *hostname = SSL_RevealURL(socket);
+    charCleaner hostnameCleaner(hostname);
 
     nsString cn_host_port;
     if (ccn && strcmp(ccn, hostname) == 0) {
@@ -2743,6 +2695,8 @@ else
     NS_ConvertUTF8toUTF16 issuer(cissuer);
     if (cissuer) PORT_Free(cissuer);
 
+    CERT_DestroyCertificate(serverCert);
+
     certNicknameList = (PRUnichar **)nsMemory::Alloc(sizeof(PRUnichar *) * nicknames->numnicknames);
     if (!certNicknameList)
       goto loser;
@@ -2810,12 +2764,9 @@ else
     
     if (NS_FAILED(rv)) goto loser;
 
-    // even if the user has canceled, we want to remember that, to avoid repeating prompts
-    PRBool wantRemember = PR_FALSE;
-    info->GetRememberClientAuthCertificate(&wantRemember);
+    if (canceled) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; }
 
     int i;
-    if (!canceled)
     for (i = 0, node = CERT_LIST_HEAD(certList);
          !CERT_LIST_END(node, certList);
          ++i, node = CERT_LIST_NEXT(node)) {
@@ -2826,15 +2777,6 @@ else
       }
     }
 
-    if (cars && wantRemember) {
-      cars->RememberDecision(hostname, 
-                             serverCert, 
-                             canceled ? 0 : cert);
-    }
-}
-
-    if (canceled) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; }
-
     if (cert == NULL) {
       goto loser;
     }

mozilla/security/manager/ssl/src/nsNSSIOLayer.h

@@ -55,7 +55,6 @@
 #include "nsIAssociatedContentSecurity.h"
 #include "nsXPIDLString.h"
 #include "nsNSSShutDown.h"
-#include "nsIClientAuthDialogs.h"
 #include "nsAutoPtr.h"
 #include "nsNSSCertificate.h"
 
@@ -133,7 +132,6 @@ class nsNSSSocketInfo : public nsITransportSecurityInfo,
                         public nsIAssociatedContentSecurity,
                         public nsISerializable,
                         public nsIClassInfo,
-                        public nsIClientAuthUserDecision,
                         public nsNSSShutDownObject,
                         public nsOnPK11LogoutCancelObject
 {
@@ -150,7 +148,6 @@ public:
   NS_DECL_NSIASSOCIATEDCONTENTSECURITY
   NS_DECL_NSISERIALIZABLE
   NS_DECL_NSICLASSINFO
-  NS_DECL_NSICLIENTAUTHUSERDECISION
 
   nsresult SetSecurityState(PRUint32 aState);
   nsresult SetShortSecurityDescription(const PRUnichar *aText);
@@ -223,7 +220,6 @@ protected:
   PRPackedBool mHasCleartextPhase;
   PRPackedBool mHandshakeInProgress;
   PRPackedBool mAllowTLSIntoleranceTimeout;
-  PRPackedBool mRememberClientAuthCertificate;
   PRIntervalTime mHandshakeStartTime;
   PRInt32 mPort;
   nsXPIDLCString mHostName;