From e48a85d4d62dccaa09005978e2dc67c3a2a873e8 Mon Sep 17 00:00:00 2001 From: "gavin%gavinsharp.com" Date: Tue, 16 Sep 2008 20:47:17 +0000 Subject: [PATCH] Bug 454406: back out patches from bug 431819 and bug 426555 to fix regression in client cert authentication, a=beltzner git-svn-id: svn://10.0.0.236/trunk@254241 18797224-902f-48f8-a5cc-f745e15eee43 --- mozilla/netwerk/base/public/security-prefs.js | 1 - .../pki/resources/content/clientauthask.js | 26 ------ .../pki/resources/content/clientauthask.xul | 1 - .../security/manager/pki/src/nsNSSDialogs.cpp | 10 +- .../ssl/public/nsIClientAuthDialogs.idl | 6 -- mozilla/security/manager/ssl/src/Makefile.in | 1 - .../manager/ssl/src/nsNSSComponent.cpp | 20 +--- .../security/manager/ssl/src/nsNSSComponent.h | 5 - .../security/manager/ssl/src/nsNSSIOLayer.cpp | 92 ++++--------------- .../security/manager/ssl/src/nsNSSIOLayer.h | 4 - 10 files changed, 20 insertions(+), 146 deletions(-) diff --git a/mozilla/netwerk/base/public/security-prefs.js b/mozilla/netwerk/base/public/security-prefs.js index cc43f33f4d7..c1ac20e9ab7 100644 --- a/mozilla/netwerk/base/public/security-prefs.js +++ b/mozilla/netwerk/base/public/security-prefs.js @@ -61,7 +61,6 @@ pref("security.ssl3.rsa_null_sha", false); pref("security.ssl3.rsa_null_md5", false); pref("security.default_personal_cert", "Ask Every Time"); -pref("security.remember_cert_checkbox_default_setting", true); pref("security.ask_for_password", 0); pref("security.password_lifetime", 30); pref("security.warn_entering_secure", false); diff --git a/mozilla/security/manager/pki/resources/content/clientauthask.js b/mozilla/security/manager/pki/resources/content/clientauthask.js index ae35604c6c0..9f9db3aaa8d 100644 --- a/mozilla/security/manager/pki/resources/content/clientauthask.js +++ b/mozilla/security/manager/pki/resources/content/clientauthask.js @@ -42,7 +42,6 @@ const nsIDialogParamBlock = Components.interfaces.nsIDialogParamBlock; var dialogParams; var itemCount = 0; -var rememberBox; function onLoad() { @@ -55,28 +54,6 @@ function onLoad() org = dialogParams.GetString(1); issuer = dialogParams.GetString(2); - // added with bug 431819. reuse string from caps in order to avoid string changes - var capsBundle = srGetStrBundle("chrome://global/locale/security/caps.properties"); - var rememberString = capsBundle.GetStringFromName("CheckMessage"); - var rememberSetting = true; - - var pref = Components.classes['@mozilla.org/preferences-service;1'] - .getService(Components.interfaces.nsIPrefService); - if (pref) { - pref = pref.getBranch(null); - try { - rememberSetting = - pref.getBoolPref("security.remember_cert_checkbox_default_setting"); - } - catch(e) { - // pref is missing - } - } - - rememberBox = document.getElementById("rememberBox"); - rememberBox.label = rememberString; - rememberBox.checked = rememberSetting; - var bundle = srGetStrBundle("chrome://pippki/locale/pippki.properties"); var message1 = bundle.formatStringFromName("clientAuthMessage1", [org], @@ -121,14 +98,11 @@ function doOK() dialogParams.SetInt(0,1); var index = parseInt(document.getElementById("nicknames").value); dialogParams.SetInt(1, index); - dialogParams.SetInt(2, rememberBox.checked); return true; } function doCancel() { dialogParams.SetInt(0,0); - dialogParams.SetInt(1, -1); // invalid value - dialogParams.SetInt(2, rememberBox.checked); return true; } diff --git a/mozilla/security/manager/pki/resources/content/clientauthask.xul b/mozilla/security/manager/pki/resources/content/clientauthask.xul index 66b0bf2799d..3baacae5526 100644 --- a/mozilla/security/manager/pki/resources/content/clientauthask.xul +++ b/mozilla/security/manager/pki/resources/content/clientauthask.xul @@ -73,7 +73,6 @@ &clientAuthAsk.message3; - diff --git a/mozilla/security/manager/pki/src/nsNSSDialogs.cpp b/mozilla/security/manager/pki/src/nsNSSDialogs.cpp index 5805159244d..65d8f5c8eeb 100644 --- a/mozilla/security/manager/pki/src/nsNSSDialogs.cpp +++ b/mozilla/security/manager/pki/src/nsNSSDialogs.cpp @@ -309,18 +309,10 @@ nsNSSDialogs::ChooseCertificate(nsIInterfaceRequestor *ctx, const PRUnichar *cn, if (NS_FAILED(rv)) return rv; PRInt32 status; + rv = block->GetInt(0, &status); if (NS_FAILED(rv)) return rv; - nsCOMPtr extraResult = do_QueryInterface(ctx); - if (extraResult) { - PRInt32 rememberSelection; - rv = block->GetInt(2, &rememberSelection); - if (NS_SUCCEEDED(rv)) { - extraResult->SetRememberClientAuthCertificate(rememberSelection!=0); - } - } - *canceled = (status == 0)?PR_TRUE:PR_FALSE; if (!*canceled) { // retrieve the nickname diff --git a/mozilla/security/manager/ssl/public/nsIClientAuthDialogs.idl b/mozilla/security/manager/ssl/public/nsIClientAuthDialogs.idl index fc7638792be..667bb97b08f 100644 --- a/mozilla/security/manager/ssl/public/nsIClientAuthDialogs.idl +++ b/mozilla/security/manager/ssl/public/nsIClientAuthDialogs.idl @@ -61,12 +61,6 @@ interface nsIClientAuthDialogs : nsISupports out boolean canceled); }; -[scriptable, uuid(95c4373e-bdd4-4a63-b431-f5b000367721)] -interface nsIClientAuthUserDecision : nsISupports -{ - attribute boolean rememberClientAuthCertificate; -}; - %{C++ #define NS_CLIENTAUTHDIALOGS_CONTRACTID "@mozilla.org/nsClientAuthDialogs;1" %} diff --git a/mozilla/security/manager/ssl/src/Makefile.in b/mozilla/security/manager/ssl/src/Makefile.in index 39a1579286b..031be55a571 100644 --- a/mozilla/security/manager/ssl/src/Makefile.in +++ b/mozilla/security/manager/ssl/src/Makefile.in @@ -60,7 +60,6 @@ CPPSRCS = \ nsNSSCleaner.cpp \ nsCertOverrideService.cpp \ nsRecentBadCerts.cpp \ - nsClientAuthRemember.cpp \ nsPSMBackgroundThread.cpp \ nsSSLThread.cpp \ nsCertVerificationThread.cpp \ diff --git a/mozilla/security/manager/ssl/src/nsNSSComponent.cpp b/mozilla/security/manager/ssl/src/nsNSSComponent.cpp index 70582f69095..45adcb91b2a 100644 --- a/mozilla/security/manager/ssl/src/nsNSSComponent.cpp +++ b/mozilla/security/manager/ssl/src/nsNSSComponent.cpp @@ -296,10 +296,7 @@ nsNSSComponent::nsNSSComponent() memset(&mIdentityInfoCallOnce, 0, sizeof(PRCallOnceType)); nsSSLIOLayerHelpers::Init(); - mClientAuthRememberService = new nsClientAuthRememberService; - if (mClientAuthRememberService) - mClientAuthRememberService->Init(); - + NS_ASSERTION( (0 == mInstanceCount), "nsNSSComponent is a singleton, but instantiated multiple times!"); ++mInstanceCount; hashTableCerts = nsnull; @@ -1686,9 +1683,6 @@ nsNSSComponent::ShutdownNSS() ShutdownSmartCardThreads(); SSL_ClearSessionCache(); - if (mClientAuthRememberService) { - mClientAuthRememberService->ClearRememberedDecisions(); - } UnloadLoadableRoots(); CleanupIdentityInfo(); PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("evaporating psm resources\n")); @@ -2154,9 +2148,6 @@ void nsNSSComponent::ShowAlert(AlertIdentifier ai) nsresult nsNSSComponent::LogoutAuthenticatedPK11() { - if (mClientAuthRememberService) { - mClientAuthRememberService->ClearRememberedDecisions(); - } return mShutdownObjectList->doPK11Logout(); } @@ -2418,14 +2409,6 @@ nsNSSComponent::DoProfileChangeNetRestore() mIsNetworkDown = PR_FALSE; } -NS_IMETHODIMP -nsNSSComponent::GetClientAuthRememberService(nsClientAuthRememberService **cars) -{ - NS_ENSURE_ARG_POINTER(cars); - NS_IF_ADDREF(*cars = mClientAuthRememberService); - return NS_OK; -} - //--------------------------------------------- // Implementing nsICryptoHash //--------------------------------------------- @@ -3195,3 +3178,4 @@ PSMContentListener::SetParentContentListener(nsIURIContentListener * aContentLis mParentContentListener = aContentListener; return NS_OK; } + diff --git a/mozilla/security/manager/ssl/src/nsNSSComponent.h b/mozilla/security/manager/ssl/src/nsNSSComponent.h index 3f64dd88a1f..e3d1f66ba17 100644 --- a/mozilla/security/manager/ssl/src/nsNSSComponent.h +++ b/mozilla/security/manager/ssl/src/nsNSSComponent.h @@ -69,7 +69,6 @@ #include "nsNSSCallbacks.h" #include "nsNSSHelper.h" -#include "nsClientAuthRemember.h" #define NS_NSSCOMPONENT_CID \ {0xa277189c, 0x1dd1, 0x11b2, {0xa8, 0xc9, 0xe4, 0xe8, 0xbf, 0xb1, 0x33, 0x8e}} @@ -172,8 +171,6 @@ class NS_NO_VTABLE nsINSSComponent : public nsISupports { NS_IMETHOD DispatchEvent(const nsAString &eventType, const nsAString &token) = 0; - NS_IMETHOD GetClientAuthRememberService(nsClientAuthRememberService **cars) = 0; - NS_IMETHOD EnsureIdentityInfoLoaded() = 0; }; @@ -262,7 +259,6 @@ public: NS_IMETHOD ShutdownSmartCardThread(SECMODModule *module); NS_IMETHOD PostEvent(const nsAString &eventType, const nsAString &token); NS_IMETHOD DispatchEvent(const nsAString &eventType, const nsAString &token); - NS_IMETHOD GetClientAuthRememberService(nsClientAuthRememberService **cars); NS_IMETHOD EnsureIdentityInfoLoaded(); private: @@ -328,7 +324,6 @@ private: nsSSLThread *mSSLThread; nsCertVerificationThread *mCertVerificationThread; nsNSSHttpInterface mHttpForNSS; - nsRefPtr mClientAuthRememberService; static PRStatus PR_CALLBACK IdentityInfoInit(void); PRCallOnceType mIdentityInfoCallOnce; diff --git a/mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp b/mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp index 25e9798e955..d7cc58357b0 100644 --- a/mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp +++ b/mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp @@ -58,7 +58,6 @@ #include "nsIDateTimeFormat.h" #include "nsDateTimeFormatCID.h" #include "nsIClientAuthDialogs.h" -#include "nsClientAuthRemember.h" #include "nsICertOverrideService.h" #include "nsIBadCertListener2.h" #include "nsISSLErrorListener.h" @@ -238,7 +237,7 @@ void nsNSSSocketInfo::virtualDestroyNSSReference() { } -NS_IMPL_THREADSAFE_ISUPPORTS9(nsNSSSocketInfo, +NS_IMPL_THREADSAFE_ISUPPORTS8(nsNSSSocketInfo, nsITransportSecurityInfo, nsISSLSocketControl, nsIInterfaceRequestor, @@ -246,8 +245,7 @@ NS_IMPL_THREADSAFE_ISUPPORTS9(nsNSSSocketInfo, nsIIdentityInfo, nsIAssociatedContentSecurity, nsISerializable, - nsIClassInfo, - nsIClientAuthUserDecision) + nsIClassInfo) nsresult nsNSSSocketInfo::GetHandshakePending(PRBool *aHandshakePending) @@ -301,19 +299,6 @@ PRBool nsNSSSocketInfo::GetCanceled() return mCanceled; } -NS_IMETHODIMP nsNSSSocketInfo::GetRememberClientAuthCertificate(PRBool *aRememberClientAuthCertificate) -{ - NS_ENSURE_ARG_POINTER(aRememberClientAuthCertificate); - *aRememberClientAuthCertificate = mRememberClientAuthCertificate; - return NS_OK; -} - -NS_IMETHODIMP nsNSSSocketInfo::SetRememberClientAuthCertificate(PRBool aRememberClientAuthCertificate) -{ - mRememberClientAuthCertificate = aRememberClientAuthCertificate; - return NS_OK; -} - void nsNSSSocketInfo::SetHasCleartextPhase(PRBool aHasCleartextPhase) { mHasCleartextPhase = aHasCleartextPhase; @@ -2479,10 +2464,12 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket, nsNSSShutDownPreventionLock locker; void* wincx = NULL; SECStatus ret = SECFailure; + nsresult rv; nsNSSSocketInfo* info = NULL; PRArenaPool* arena = NULL; char** caNameStrings; CERTCertificate* cert = NULL; + CERTCertificate* serverCert = NULL; SECKEYPrivateKey* privKey = NULL; CERTCertList* certList = NULL; CERTCertListNode* node; @@ -2606,57 +2593,13 @@ SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket, goto noCert; } } - else { // Not Auto => ask - /* Get the SSL Certificate */ - CERTCertificate* serverCert = NULL; - CERTCertificateCleaner serverCertCleaner(serverCert); - serverCert = SSL_PeerCertificate(socket); - if (serverCert == NULL) { - /* couldn't get the server cert: what do I do? */ - goto loser; - } - - nsXPIDLCString hostname; - info->GetHostName(getter_Copies(hostname)); - - nsresult rv; - NS_DEFINE_CID(nssComponentCID, NS_NSSCOMPONENT_CID); - nsCOMPtr nssComponent(do_GetService(nssComponentCID, &rv)); - nsRefPtr cars; - if (nssComponent) { - nssComponent->GetClientAuthRememberService(getter_AddRefs(cars)); - } - - PRBool hasRemembered = PR_FALSE; - nsCString rememberedNickname; - if (cars) { - PRBool found; - nsresult rv = cars->HasRememberedDecision(hostname, - serverCert, - rememberedNickname, &found); - if (NS_SUCCEEDED(rv) && found) { - hasRemembered = PR_TRUE; - } - } - - PRBool canceled = PR_FALSE; - -if (hasRemembered) -{ - if (rememberedNickname.IsEmpty()) - canceled = PR_TRUE; else { - char *const_nickname = const_cast(rememberedNickname.get()); - cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), const_nickname); - } -} -else -{ /* user selects a cert to present */ nsIClientAuthDialogs *dialogs = NULL; PRInt32 selectedIndex = -1; PRUnichar **certNicknameList = NULL; PRUnichar **certDetailsList = NULL; + PRBool canceled; /* find all user certs that are for SSL */ /* note that we are allowing expired certs in this list */ @@ -2713,6 +2656,13 @@ else NS_ASSERTION(nicknames->numnicknames == NumberOfCerts, "nicknames->numnicknames != NumberOfCerts"); + /* Get the SSL Certificate */ + serverCert = SSL_PeerCertificate(socket); + if (serverCert == NULL) { + /* couldn't get the server cert: what do I do? */ + goto loser; + } + /* Get CN and O of the subject and O of the issuer */ char *ccn = CERT_GetCommonName(&serverCert->subject); charCleaner ccnCleaner(ccn); @@ -2720,6 +2670,8 @@ else PRInt32 port; info->GetPort(&port); + char *hostname = SSL_RevealURL(socket); + charCleaner hostnameCleaner(hostname); nsString cn_host_port; if (ccn && strcmp(ccn, hostname) == 0) { @@ -2743,6 +2695,8 @@ else NS_ConvertUTF8toUTF16 issuer(cissuer); if (cissuer) PORT_Free(cissuer); + CERT_DestroyCertificate(serverCert); + certNicknameList = (PRUnichar **)nsMemory::Alloc(sizeof(PRUnichar *) * nicknames->numnicknames); if (!certNicknameList) goto loser; @@ -2810,12 +2764,9 @@ else if (NS_FAILED(rv)) goto loser; - // even if the user has canceled, we want to remember that, to avoid repeating prompts - PRBool wantRemember = PR_FALSE; - info->GetRememberClientAuthCertificate(&wantRemember); + if (canceled) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; } int i; - if (!canceled) for (i = 0, node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList); ++i, node = CERT_LIST_NEXT(node)) { @@ -2826,15 +2777,6 @@ else } } - if (cars && wantRemember) { - cars->RememberDecision(hostname, - serverCert, - canceled ? 0 : cert); - } -} - - if (canceled) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; } - if (cert == NULL) { goto loser; } diff --git a/mozilla/security/manager/ssl/src/nsNSSIOLayer.h b/mozilla/security/manager/ssl/src/nsNSSIOLayer.h index 1087e7fbe25..b530d98f9f8 100644 --- a/mozilla/security/manager/ssl/src/nsNSSIOLayer.h +++ b/mozilla/security/manager/ssl/src/nsNSSIOLayer.h @@ -55,7 +55,6 @@ #include "nsIAssociatedContentSecurity.h" #include "nsXPIDLString.h" #include "nsNSSShutDown.h" -#include "nsIClientAuthDialogs.h" #include "nsAutoPtr.h" #include "nsNSSCertificate.h" @@ -133,7 +132,6 @@ class nsNSSSocketInfo : public nsITransportSecurityInfo, public nsIAssociatedContentSecurity, public nsISerializable, public nsIClassInfo, - public nsIClientAuthUserDecision, public nsNSSShutDownObject, public nsOnPK11LogoutCancelObject { @@ -150,7 +148,6 @@ public: NS_DECL_NSIASSOCIATEDCONTENTSECURITY NS_DECL_NSISERIALIZABLE NS_DECL_NSICLASSINFO - NS_DECL_NSICLIENTAUTHUSERDECISION nsresult SetSecurityState(PRUint32 aState); nsresult SetShortSecurityDescription(const PRUnichar *aText); @@ -223,7 +220,6 @@ protected: PRPackedBool mHasCleartextPhase; PRPackedBool mHandshakeInProgress; PRPackedBool mAllowTLSIntoleranceTimeout; - PRPackedBool mRememberClientAuthCertificate; PRIntervalTime mHandshakeStartTime; PRInt32 mPort; nsXPIDLCString mHostName;