Ticket #2949: nocertdb.2.diff

File nocertdb.2.diff, 11.5 KB (added by mikeperry, 9 years ago)

Updated patch against FF4.0. Implements an observer for the pref, but we still want an observer notification eventually.

  • security/manager/ssl/src/nsNSSComponent.cpp

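diff -r f43e15acc6ca security/manager/ssl/src/nsNSSComponent.cpp
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -1674,8 +1674,21 @@
     // Ubuntu 8.04, which loads any nonexistent "<configdir>/libnssckbi.so" as
     // "/usr/lib/nss/libnssckbi.so".
     PRUint32 init_flags = NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE;
-    SECStatus init_rv = ::NSS_Initialize(profileStr.get(), "", "",
+    PRBool nocertdb = false;
+    mPrefBranch->GetBoolPref("security.nocertdb", &nocertdb);
+
+    // XXX: We can also do the the following to only disable the certdb.
+    // Leaving this codepath in as a fallback in case InitNODB fails
+    if (nocertdb)
+      init_flags |= NSS_INIT_NOCERTDB;
+
+    SECStatus init_rv;
+    if (nocertdb) {
+        init_rv = ::NSS_NoDB_Init(NULL);
+    } else {
+        init_rv = ::NSS_Initialize(profileStr.get(), "", "",
                                          SECMOD_DB, init_flags);
+    }
 
     if (init_rv != SECSuccess) {
       PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("can not init NSS r/w in %s\n", profileStr.get()));
@@ -2231,70 +2244,106 @@
       }
     }
   }
-  else if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
-    nsNSSShutDownPreventionLock locker;
-    PRBool clearSessionCache = PR_FALSE;
-    PRBool enabled;
+  else if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
     NS_ConvertUTF16toUTF8  prefName(someData);
-
-    if (prefName.Equals("security.enable_ssl2")) {
-      mPrefBranch->GetBoolPref("security.enable_ssl2", &enabled);
-      SSL_OptionSetDefault(SSL_ENABLE_SSL2, enabled);
-      SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, enabled);
-      clearSessionCache = PR_TRUE;
-    } else if (prefName.Equals("security.enable_ssl3")) {
-      mPrefBranch->GetBoolPref("security.enable_ssl3", &enabled);
-      SSL_OptionSetDefault(SSL_ENABLE_SSL3, enabled);
-      clearSessionCache = PR_TRUE;
-    } else if (prefName.Equals("security.enable_tls")) {
-      mPrefBranch->GetBoolPref("security.enable_tls", &enabled);
-      SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
-      clearSessionCache = PR_TRUE;
-    } else if (prefName.Equals("security.enable_tls_session_tickets")) {
-      mPrefBranch->GetBoolPref("security.enable_tls_session_tickets", &enabled);
-      SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, enabled);
-    } else if (prefName.Equals("security.ssl.require_safe_negotiation")) {
-      mPrefBranch->GetBoolPref("security.ssl.require_safe_negotiation", &enabled);
-      SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, enabled);
-    } else if (prefName.Equals("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref")) {
-      mPrefBranch->GetBoolPref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", &enabled);
-      SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION,
-        enabled ? SSL_RENEGOTIATE_UNRESTRICTED : SSL_RENEGOTIATE_REQUIRES_XTN);
-    } else if (prefName.Equals("security.ssl.renego_unrestricted_hosts")) {
-      char *unrestricted_hosts=nsnull;
-      mPrefBranch->GetCharPref("security.ssl.renego_unrestricted_hosts", &unrestricted_hosts);
-      if (unrestricted_hosts) {
-        nsSSLIOLayerHelpers::setRenegoUnrestrictedSites(nsDependentCString(unrestricted_hosts));
-        nsMemory::Free(unrestricted_hosts);
+    // XXX: This should be an observer notification, so we can properly cancel it
+    if (prefName.Equals("security.nocertdb")) {
+      // XXX: If these functions tell us to cancel, the browser seems to get left in an
+      // indeterminate state that prevents SSL from being used.
+      //
+      // We apparently need to wait for all SSL sockets to shut down on their
+      // own (this can take up to a minute!) and then attempt to alter the pref
+      // again before doing anything.
+      //
+      // So any implementation of New Identity based on this code will need to keep
+      // attempting to send the notification until it is not canceled. Ugh...
+      if (!DoProfileApproveChange(aSubject)) {
+        PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("CertDB change canceled\n"));
+        return NS_OK;
       }
-    } else if (prefName.Equals("security.ssl.treat_unsafe_negotiation_as_broken")) {
-      mPrefBranch->GetBoolPref("security.ssl.treat_unsafe_negotiation_as_broken", &enabled);
-      nsSSLIOLayerHelpers::setTreatUnsafeNegotiationAsBroken(enabled);
-    } else if (prefName.Equals("security.ssl.warn_missing_rfc5746")) {
-      PRInt32 warnLevel = 1;
-      mPrefBranch->GetIntPref("security.ssl.warn_missing_rfc5746", &warnLevel);
-      nsSSLIOLayerHelpers::setWarnLevelMissingRFC5746(warnLevel);
+
+      DoProfileChangeNetTeardown();
+      if (!DoProfileChangeTeardown(aSubject)) {
+        PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("CertDB change canceled\n"));
+        return NS_OK;
+      }
+
+      if (!DoProfileBeforeChange(aSubject)) {
+        PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("CertDB change canceled by NSS shutdown\n"));
+        // Need to re-add observer because ShutdownNSS removed it.
+        nsCOMPtr<nsIPrefBranch2> pbi = do_QueryInterface(mPrefBranch);
+        pbi->AddObserver("security.", this, PR_FALSE);
+        return NS_OK;
+      }
+
+      DoProfileChangeNetRestore();
+      InitializeNSS(PR_FALSE);
+      InitializeCRLUpdateTimer();
+      return NS_OK;
+    } else {
+      nsNSSShutDownPreventionLock locker;
+      PRBool clearSessionCache = PR_FALSE;
+      PRBool enabled;
+
+      if (prefName.Equals("security.enable_ssl2")) {
+        mPrefBranch->GetBoolPref("security.enable_ssl2", &enabled);
+        SSL_OptionSetDefault(SSL_ENABLE_SSL2, enabled);
+        SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, enabled);
+        clearSessionCache = PR_TRUE;
+      } else if (prefName.Equals("security.enable_ssl3")) {
+        mPrefBranch->GetBoolPref("security.enable_ssl3", &enabled);
+        SSL_OptionSetDefault(SSL_ENABLE_SSL3, enabled);
+        clearSessionCache = PR_TRUE;
+      } else if (prefName.Equals("security.enable_tls")) {
+        mPrefBranch->GetBoolPref("security.enable_tls", &enabled);
+        SSL_OptionSetDefault(SSL_ENABLE_TLS, enabled);
+        clearSessionCache = PR_TRUE;
+      } else if (prefName.Equals("security.enable_tls_session_tickets")) {
+        mPrefBranch->GetBoolPref("security.enable_tls_session_tickets", &enabled);
+        SSL_OptionSetDefault(SSL_ENABLE_SESSION_TICKETS, enabled);
+      } else if (prefName.Equals("security.ssl.require_safe_negotiation")) {
+        mPrefBranch->GetBoolPref("security.ssl.require_safe_negotiation", &enabled);
+        SSL_OptionSetDefault(SSL_REQUIRE_SAFE_NEGOTIATION, enabled);
+      } else if (prefName.Equals("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref")) {
+        mPrefBranch->GetBoolPref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", &enabled);
+        SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION,
+          enabled ? SSL_RENEGOTIATE_UNRESTRICTED : SSL_RENEGOTIATE_REQUIRES_XTN);
+      } else if (prefName.Equals("security.ssl.renego_unrestricted_hosts")) {
+        char *unrestricted_hosts=nsnull;
+        mPrefBranch->GetCharPref("security.ssl.renego_unrestricted_hosts", &unrestricted_hosts);
+        if (unrestricted_hosts) {
+          nsSSLIOLayerHelpers::setRenegoUnrestrictedSites(nsDependentCString(unrestricted_hosts));
+          nsMemory::Free(unrestricted_hosts);
+        }
+      } else if (prefName.Equals("security.ssl.treat_unsafe_negotiation_as_broken")) {
+        mPrefBranch->GetBoolPref("security.ssl.treat_unsafe_negotiation_as_broken", &enabled);
+        nsSSLIOLayerHelpers::setTreatUnsafeNegotiationAsBroken(enabled);
+      } else if (prefName.Equals("security.ssl.warn_missing_rfc5746")) {
+        PRInt32 warnLevel = 1;
+        mPrefBranch->GetIntPref("security.ssl.warn_missing_rfc5746", &warnLevel);
+        nsSSLIOLayerHelpers::setWarnLevelMissingRFC5746(warnLevel);
 #ifdef SSL_ENABLE_FALSE_START // Requires NSS 3.12.8
-    } else if (prefName.Equals("security.ssl.enable_false_start")) {
-      mPrefBranch->GetBoolPref("security.ssl.enable_false_start", &enabled);
-      SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, enabled);
+      } else if (prefName.Equals("security.ssl.enable_false_start")) {
+        mPrefBranch->GetBoolPref("security.ssl.enable_false_start", &enabled);
+        SSL_OptionSetDefault(SSL_ENABLE_FALSE_START, enabled);
 #endif
-    } else if (prefName.Equals("security.OCSP.enabled")
-               || prefName.Equals("security.OCSP.require")) {
-      setOCSPOptions(mPrefBranch);
-    } else {
-      /* Look through the cipher table and set according to pref setting */
-      for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {
-        if (prefName.Equals(cp->pref)) {
-          mPrefBranch->GetBoolPref(cp->pref, &enabled);
-          SSL_CipherPrefSetDefault(cp->id, enabled);
-          clearSessionCache = PR_TRUE;
-          break;
+      } else if (prefName.Equals("security.OCSP.enabled")
+                 || prefName.Equals("security.OCSP.require")) {
+        setOCSPOptions(mPrefBranch);
+      } else {
+        /* Look through the cipher table and set according to pref setting */
+        for (CipherPref* cp = CipherPrefs; cp->pref; ++cp) {
+          if (prefName.Equals(cp->pref)) {
+            mPrefBranch->GetBoolPref(cp->pref, &enabled);
+            SSL_CipherPrefSetDefault(cp->id, enabled);
+            clearSessionCache = PR_TRUE;
+            break;
+          }
         }
       }
+      if (clearSessionCache)
+        SSL_ClearSessionCache();
     }
-    if (clearSessionCache)
-      SSL_ClearSessionCache();
   }
   else if (nsCRT::strcmp(aTopic, PROFILE_CHANGE_NET_TEARDOWN_TOPIC) == 0) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("receiving network teardown topic\n"));
@@ -2463,16 +2512,19 @@
   return NS_OK;
 }
 
-void
+PRBool
 nsNSSComponent::DoProfileApproveChange(nsISupports* aSubject)
 {
   if (mShutdownObjectList->isUIActive()) {
+    PR_LOG(gPIPNSSLog, PR_LOG_WARN, ("NSS UI active in profile change!\n"));
     ShowAlert(ai_crypto_ui_active);
     nsCOMPtr<nsIProfileChangeStatus> status = do_QueryInterface(aSubject);
     if (status) {
       status->VetoChange();
     }
+    return false;
   }
+  return true;
 }
 
 void
@@ -2485,16 +2537,18 @@
   mIsNetworkDown = PR_TRUE;
 }
 
-void
+PRBool
 nsNSSComponent::DoProfileChangeTeardown(nsISupports* aSubject)
 {
   PRBool callVeto = PR_FALSE;
 
   if (!mShutdownObjectList->ifPossibleDisallowUI()) {
     callVeto = PR_TRUE;
+    PR_LOG(gPIPNSSLog, PR_LOG_WARN, ("NSS: Not possible to disallow UI!\n"));
     ShowAlert(ai_crypto_ui_active);
   }
   else if (mShutdownObjectList->areSSLSocketsActive()) {
+    PR_LOG(gPIPNSSLog, PR_LOG_WARN, ("NSS: SSL Sockets are active!\n"));
     callVeto = PR_TRUE;
     ShowAlert(ai_sockets_still_active);
   }
@@ -2505,9 +2559,11 @@
       status->VetoChange();
     }
   }
+
+  return !callVeto;
 }
 
-void
+PRBool
 nsNSSComponent::DoProfileBeforeChange(nsISupports* aSubject)
 {
   NS_ASSERTION(mIsNetworkDown, "nsNSSComponent relies on profile manager to wait for synchronous shutdown of all network activity");
@@ -2526,16 +2582,20 @@
   }
    
   StopCRLUpdateTimer();
+  PRBool allow_change = PR_TRUE;
 
   if (needsCleanup) {
     if (NS_FAILED(ShutdownNSS())) {
+      PR_LOG(gPIPNSSLog, PR_LOG_WARN, ("NSS: Shutdown failed\n"));
       nsCOMPtr<nsIProfileChangeStatus> status = do_QueryInterface(aSubject);
       if (status) {
         status->ChangeFailed();
       }
+      allow_change = PR_FALSE;
     }
   }
   mShutdownObjectList->allowUI();
+  return allow_change;
 }
 
 void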
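Review bot: In the `security.nocertdb` branch of the pref-change handler, the two early returns that follow `DoProfileChangeNetTeardown()` (after a `DoProfileChangeTeardown` veto and after a `DoProfileBeforeChange` failure) never call `DoProfileChangeNetRestore()`, so a cancelled switch appears to leave the component marked network-down, which may be the "indeterminate state" the XXX comment describes. Consider adding `DoProfileChangeNetRestore();` before `return NS_OK;`, at least on the veto path. Every cancel path also returns `NS_OK` and reports the cancellation only through `PR_LOG`, so a caller that flips the pref to discard certificate state cannot tell that the previous cert DB is still loaded; a failure result or notification would make that detectable. In the same block `pbi` is dereferenced without a null check, and `if (pbi) pbi->AddObserver("security.", this, PR_FALSE);` would be safer. The enclosing function starts and ends outside the hunk.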