Bug 1063281, Part 9: Switch Gecko from NSS to CheckCertHostname, r=keeler
authorBrian Smith <brian@briansmith.org>
Sun, 21 Sep 2014 17:43:29 -0700
changeset 212048 9b72d139e81766bdcf363c7b9ed0bf3f248c32d2
parent 212047 fcd878ebe03e8cb4103f7ea5eb3c6cfb4ba5eb7a
child 212049 9d83b21c98e8c95d207078ae7542e40ff6307088
push id27697
push usercbook@mozilla.com
push dateFri, 24 Oct 2014 13:48:53 +0000
reviewerskeeler
bugs1063281
milestone36.0a1
Bug 1063281, Part 9: Switch Gecko from NSS to CheckCertHostname, r=keeler
config/external/nss/nss.def
security/certverifier/CertVerifier.cpp
security/manager/ssl/src/SSLServerCertVerification.cpp
--- a/config/external/nss/nss.def
+++ b/config/external/nss/nss.def
@@ -141,17 +141,16 @@ CERT_SetOCSPFailureMode
 CERT_SetOCSPTimeout
 CERT_SignedCrlTemplate DATA
 CERT_SignedDataTemplate DATA
 CERT_StartCertExtensions
 CERT_StartCertificateRequestAttributes
 CERT_SubjectPublicKeyInfoTemplate DATA
 CERT_TimeChoiceTemplate DATA
 CERT_VerifyCertificate
-CERT_VerifyCertName
 CERT_VerifySignedDataWithPublicKeyInfo
 DER_AsciiToTime_Util
 DER_DecodeTimeChoice_Util
 DER_Encode
 DER_EncodeTimeChoice_Util
 DER_Encode_Util
 DER_GeneralizedTimeToTime
 DER_GeneralizedTimeToTime_Util
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -433,28 +433,42 @@ CertVerifier::VerifySSLServerCert(CERTCe
   }
 
   if (!hostname || !hostname[0]) {
     PR_SetError(SSL_ERROR_BAD_CERT_DOMAIN, 0);
     return SECFailure;
   }
 
   ScopedCERTCertList builtChainTemp;
-  // CreateCertErrorRunnable assumes that CERT_VerifyCertName is only called
+  // CreateCertErrorRunnable assumes that CheckCertHostname is only called
   // if VerifyCert succeeded.
   SECStatus rv = VerifyCert(peerCert, certificateUsageSSLServer, time, pinarg,
                             hostname, flags, stapledOCSPResponse,
                             &builtChainTemp, evOidPolicy);
   if (rv != SECSuccess) {
     return rv;
   }
 
-  rv = CERT_VerifyCertName(peerCert, hostname);
-  if (rv != SECSuccess) {
-    return rv;
+  Input peerCertInput;
+  Result result = peerCertInput.Init(peerCert->derCert.data,
+                                     peerCert->derCert.len);
+  if (result != Success) {
+    PR_SetError(MapResultToPRErrorCode(result), 0);
+    return SECFailure;
+  }
+  Input hostnameInput;
+  result = hostnameInput.Init(uint8_t_ptr_cast(hostname), strlen(hostname));
+  if (result != Success) {
+    PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
+    return SECFailure;
+  }
+  result = CheckCertHostname(peerCertInput, hostnameInput);
+  if (result != Success) {
+    PR_SetError(MapResultToPRErrorCode(result), 0);
+    return SECFailure;
   }
 
   if (saveIntermediatesInPermanentDatabase) {
     SaveIntermediateCerts(builtChainTemp);
   }
 
   if (builtChain) {
     *builtChain = builtChainTemp.forget();
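Review bot: The two new Init() failure paths map the same kind of failure to different NSS error codes without saying why: a failed `peerCertInput.Init` goes through `MapResultToPRErrorCode(result)`, while a failed `hostnameInput.Init` is hard-coded to `SEC_ERROR_INVALID_ARGS`, and the sibling hunk in SSLServerCertVerification.cpp hard-codes `SEC_ERROR_BAD_DER` for the certificate case instead. If the intent is that an unparseable certificate is a certificate problem and an unusable hostname is a caller bug, a short comment on the hostname branch would keep the next reader from "fixing" the asymmetry, e.g. `// Input::Init on the hostname can only fail on an over-long buffer, which is a caller error rather than a certificate error, so do not map it to a cert error code.` (hedged: this relies on Input::Init having no other failure mode). If no such distinction is intended, using `MapResultToPRErrorCode(result)` in both branches, and in the SSLServerCertVerification.cpp hunk, would make the three call sites agree. VerifySSLServerCert begins before this hunk and continues past its end.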
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -91,17 +91,17 @@
 // an SSL handshake) and the PSM NSS I/O layer are not thread-safe, and because
 // we need the event to interrupt the PR_Poll that may waiting for I/O on the
 // socket for which we are validating the cert.
 
 #include "SSLServerCertVerification.h"
 
 #include <cstring>
 
-#include "pkix/pkixtypes.h"
+#include "pkix/pkix.h"
 #include "pkix/pkixnss.h"
 #include "pkix/ScopedPtr.h"
 #include "CertVerifier.h"
 #include "CryptoTask.h"
 #include "ExtendedValidation.h"
 #include "NSSCertDBTrustDomain.h"
 #include "nsIBadCertListener2.h"
 #include "nsICertOverrideService.h"
@@ -323,17 +323,17 @@ DetermineCertOverrideErrors(CERTCertific
   MOZ_ASSERT(cert);
   MOZ_ASSERT(hostName);
   MOZ_ASSERT(collectedErrors == 0);
   MOZ_ASSERT(errorCodeTrust == 0);
   MOZ_ASSERT(errorCodeMismatch == 0);
   MOZ_ASSERT(errorCodeExpired == 0);
 
   // Assumes the error prioritization described in mozilla::pkix's
-  // BuildForward function. Also assumes that CERT_VerifyCertName was only
+  // BuildForward function. Also assumes that CheckCertHostname was only
   // called if CertVerifier::VerifyCert succeeded.
   switch (defaultErrorCodeToReport) {
     case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
     case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
     case SEC_ERROR_UNKNOWN_ISSUER:
     case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
     case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
     {
@@ -368,24 +368,35 @@ DetermineCertOverrideErrors(CERTCertific
       return SECFailure;
 
     default:
       PR_SetError(defaultErrorCodeToReport, 0);
       return SECFailure;
   }
 
   if (defaultErrorCodeToReport != SSL_ERROR_BAD_CERT_DOMAIN) {
-    if (CERT_VerifyCertName(cert, hostName) != SECSuccess) {
-      if (PR_GetError() != SSL_ERROR_BAD_CERT_DOMAIN) {
-        PR_SetError(defaultErrorCodeToReport, 0);
-        return SECFailure;
-      }
-
+    Input certInput;
+    if (certInput.Init(cert->derCert.data, cert->derCert.len) != Success) {
+      PR_SetError(SEC_ERROR_BAD_DER, 0);
+      return SECFailure;
+    }
+    Input hostnameInput;
+    Result result = hostnameInput.Init(uint8_t_ptr_cast(hostName),
+                                       strlen(hostName));
+    if (result != Success) {
+      PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
+      return SECFailure;
+    }
+    result = CheckCertHostname(certInput, hostnameInput);
+    if (result == Result::ERROR_BAD_CERT_DOMAIN) {
       collectedErrors |= nsICertOverrideService::ERROR_MISMATCH;
       errorCodeMismatch = SSL_ERROR_BAD_CERT_DOMAIN;
+    } else if (result != Success) {
+      PR_SetError(defaultErrorCodeToReport, 0);
+      return SECFailure;
     }
   }
 
   return SECSuccess;
 }
 
 SSLServerCertVerificationResult*
 CertErrorRunnable::CheckCertOverrides()
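Review bot: The `certInput.Init` failure branch returns `SEC_ERROR_BAD_DER` directly, which skips the `defaultErrorCodeToReport` fallback that every other non-mismatch failure in this block takes (the `else if (result != Success)` branch below it); before this change any non-domain failure of CERT_VerifyCertName was reported as `defaultErrorCodeToReport`, so an unparseable certificate now surfaces a different error to the override machinery than it did, as far as the visible lines show. It also disagrees with CertVerifier.cpp in the same commit, which maps the same failure via `MapResultToPRErrorCode`. Either keep the prior behaviour with `PR_SetError(defaultErrorCodeToReport, 0);` in that branch, or, if a distinct code is wanted, capture the Result and use `MapResultToPRErrorCode(result)` so the two call sites agree and the reason is documented in a one-line comment. DetermineCertOverrideErrors starts before this hunk; its closing brace is inside it.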