Bug 412455, Regression, EV UI no longer shows up r=rrelyea, a1.9=mtschrep
authorkaie@kuix.de
Tue, 22 Jan 2008 15:43:12 -0800
changeset 10546 a0855364db222104cc3dd1a39e8d60d0e1025fe4
parent 10545 759d460bed651eb5d92d43105ecb0e0932ab4434
child 10547 e8a02dad7e03c3f5ef543734f2ced29dc0743b05
push id1
push userbsmedberg@mozilla.com
push dateThu, 20 Mar 2008 16:49:24 +0000
treeherdermozilla-central@61007906a1f8 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersrrelyea
bugs412455
milestone1.9b3pre
Bug 412455, Regression, EV UI no longer shows up r=rrelyea, a1.9=mtschrep
security/manager/ssl/src/nsIdentityChecking.cpp
security/manager/ssl/src/nsNSSIOLayer.cpp
security/manager/ssl/src/nsRecentBadCerts.cpp
security/manager/ssl/src/nsSSLStatus.cpp
security/manager/ssl/src/nsSSLStatus.h
--- a/security/manager/ssl/src/nsIdentityChecking.cpp
+++ b/security/manager/ssl/src/nsIdentityChecking.cpp
@@ -500,35 +500,34 @@ static SECStatus getFirstEVPolicy(CERTCe
   }
 
   return SECFailure;
 }
 
 PRBool
 nsNSSSocketInfo::hasCertErrors()
 {
-  if (!mSSLStatus || !mSSLStatus->mHaveCertStatus) {
-    // if the status is unknown, assume the cert is bad :-)
+  if (!mSSLStatus) {
+    // if the status is unknown, assume the cert is bad, better safe than sorry
     return PR_TRUE;
   }
 
-  return mSSLStatus->mIsDomainMismatch ||
-         mSSLStatus->mIsNotValidAtThisTime ||
-         mSSLStatus->mIsUntrusted;
+  return mSSLStatus->mHaveCertErrorBits;
 }
 
 NS_IMETHODIMP
 nsNSSSocketInfo::GetIsExtendedValidation(PRBool* aIsEV)
 {
   NS_ENSURE_ARG(aIsEV);
   *aIsEV = PR_FALSE;
 
   if (!mCert)
     return NS_OK;
 
+  // Never allow bad certs for EV, regardless of overrides.
   if (hasCertErrors())
     return NS_OK;
 
   nsresult rv;
   nsCOMPtr<nsIIdentityInfo> idinfo = do_QueryInterface(mCert, &rv);
   if (NS_FAILED(rv))
     return rv;
 
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -2822,17 +2822,17 @@ nsNSSBadCertHandler(void *arg, PRFileDes
     infoObject->SetSSLStatus(status);
   }
 
   if (status) {
     if (!status->mServerCert) {
       status->mServerCert = nssCert;
     }
 
-    status->mHaveCertStatus = PR_TRUE;
+    status->mHaveCertErrorBits = PR_TRUE;
     status->mIsDomainMismatch = collected_errors & nsICertOverrideService::ERROR_MISMATCH;
     status->mIsNotValidAtThisTime = collected_errors & nsICertOverrideService::ERROR_TIME;
     status->mIsUntrusted = collected_errors & nsICertOverrideService::ERROR_UNTRUSTED;
   }
 
   remaining_display_errors = collected_errors;
 
   nsCOMPtr<nsICertOverrideService> overrideService = 
--- a/security/manager/ssl/src/nsRecentBadCerts.cpp
+++ b/security/manager/ssl/src/nsRecentBadCerts.cpp
@@ -126,17 +126,17 @@ nsRecentBadCertsService::GetRecentBadCer
     SECITEM_FreeItem(&foundDER, PR_FALSE);
 
     if (!nssCert)
       return NS_ERROR_FAILURE;
 
     status->mServerCert = new nsNSSCertificate(nssCert);
     CERT_DestroyCertificate(nssCert);
 
-    status->mHaveCertStatus = PR_TRUE;
+    status->mHaveCertErrorBits = PR_TRUE;
     status->mIsDomainMismatch = isDomainMismatch;
     status->mIsNotValidAtThisTime = isNotValidAtThisTime;
     status->mIsUntrusted = isUntrusted;
 
     *aStatus = status;
     NS_IF_ADDREF(*aStatus);
   }
 
--- a/security/manager/ssl/src/nsSSLStatus.cpp
+++ b/security/manager/ssl/src/nsSSLStatus.cpp
@@ -90,44 +90,38 @@ nsSSLStatus::GetCipherName(char** _resul
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsSSLStatus::GetIsDomainMismatch(PRBool* _result)
 {
   NS_ASSERTION(_result, "non-NULL destination required");
-  if (!mHaveCertStatus)
-    return NS_ERROR_NOT_AVAILABLE;
 
-  *_result = mIsDomainMismatch;
+  *_result = mHaveCertErrorBits && mIsDomainMismatch;
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsSSLStatus::GetIsNotValidAtThisTime(PRBool* _result)
 {
   NS_ASSERTION(_result, "non-NULL destination required");
-  if (!mHaveCertStatus)
-    return NS_ERROR_NOT_AVAILABLE;
 
-  *_result = mIsNotValidAtThisTime;
+  *_result = mHaveCertErrorBits && mIsNotValidAtThisTime;
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsSSLStatus::GetIsUntrusted(PRBool* _result)
 {
   NS_ASSERTION(_result, "non-NULL destination required");
-  if (!mHaveCertStatus)
-    return NS_ERROR_NOT_AVAILABLE;
 
-  *_result = mIsUntrusted;
+  *_result = mHaveCertErrorBits && mIsUntrusted;
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsSSLStatus::Read(nsIObjectInputStream* stream)
 {
   nsCOMPtr<nsISupports> cert;
@@ -149,17 +143,17 @@ nsSSLStatus::Read(nsIObjectInputStream* 
   NS_ENSURE_SUCCESS(rv, rv);
   rv = stream->ReadBoolean(&mIsNotValidAtThisTime);
   NS_ENSURE_SUCCESS(rv, rv);
   rv = stream->ReadBoolean(&mIsUntrusted);
   NS_ENSURE_SUCCESS(rv, rv);
 
   rv = stream->ReadBoolean(&mHaveKeyLengthAndCipher);
   NS_ENSURE_SUCCESS(rv, rv);
-  rv = stream->ReadBoolean(&mHaveCertStatus);
+  rv = stream->ReadBoolean(&mHaveCertErrorBits);
   NS_ENSURE_SUCCESS(rv, rv);
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsSSLStatus::Write(nsIObjectOutputStream* stream)
 {
@@ -179,17 +173,17 @@ nsSSLStatus::Write(nsIObjectOutputStream
   NS_ENSURE_SUCCESS(rv, rv);
   rv = stream->WriteBoolean(mIsNotValidAtThisTime);
   NS_ENSURE_SUCCESS(rv, rv);
   rv = stream->WriteBoolean(mIsUntrusted);
   NS_ENSURE_SUCCESS(rv, rv);
 
   rv = stream->WriteBoolean(mHaveKeyLengthAndCipher);
   NS_ENSURE_SUCCESS(rv, rv);
-  rv = stream->WriteBoolean(mHaveCertStatus);
+  rv = stream->WriteBoolean(mHaveCertErrorBits);
   NS_ENSURE_SUCCESS(rv, rv);
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsSSLStatus::GetInterfaces(PRUint32 *count, nsIID * **array)
 {
@@ -254,17 +248,17 @@ nsSSLStatus::GetClassIDNoAlloc(nsCID *aC
 
 
 nsSSLStatus::nsSSLStatus()
 : mKeyLength(0), mSecretKeyLength(0)
 , mIsDomainMismatch(PR_FALSE)
 , mIsNotValidAtThisTime(PR_FALSE)
 , mIsUntrusted(PR_FALSE)
 , mHaveKeyLengthAndCipher(PR_FALSE)
-, mHaveCertStatus(PR_FALSE)
+, mHaveCertErrorBits(PR_FALSE)
 {
 }
 
 NS_IMPL_THREADSAFE_ISUPPORTS3(nsSSLStatus, nsISSLStatus, nsISerializable, nsIClassInfo)
 
 nsSSLStatus::~nsSSLStatus()
 {
 }
--- a/security/manager/ssl/src/nsSSLStatus.h
+++ b/security/manager/ssl/src/nsSSLStatus.h
@@ -69,17 +69,17 @@ public:
   PRUint32 mSecretKeyLength;
   nsXPIDLCString mCipherName;
 
   PRBool mIsDomainMismatch;
   PRBool mIsNotValidAtThisTime;
   PRBool mIsUntrusted;
 
   PRBool mHaveKeyLengthAndCipher;
-  PRBool mHaveCertStatus;
+  PRBool mHaveCertErrorBits;
 };
 
 // 2c3837af-8b85-4a68-b0d8-0aed88985b32
 #define NS_SSLSTATUS_CID \
 { 0x2c3837af, 0x8b85, 0x4a68, \
   { 0xb0, 0xd8, 0x0a, 0xed, 0x88, 0x98, 0x5b, 0x32 } }
 
 #endif