bug 860076 - remove SkipOcsp for being totally bogus r=briansmith
☠☠ backed out by 3635f2f0c4f6 ☠ ☠
authorDavid Keeler <dkeeler@mozilla.com>
Thu, 30 Jan 2014 14:55:51 -0800
changeset 182162 f693f6c91b238f1a1ca7ff9c4651135f66225539
parent 182161 5509778fb65b0e9f7ef49b0b651ed929fed02c23
child 182163 7c3373499773a8181289fd16b8769d5ecab79fdc
push id3343
push userffxbld
push dateMon, 17 Mar 2014 21:55:32 +0000
reviewersbriansmith
bugs860076
milestone29.0a1
bug 860076 - remove SkipOcsp for being totally bogus r=briansmith
security/manager/ssl/src/PSMContentDownloader.h
security/manager/ssl/src/nsNSSComponent.cpp
security/manager/ssl/src/nsNSSComponent.h
security/manager/ssl/src/nsUsageArrayHelper.cpp
security/manager/ssl/tests/mochitest/browser/browser.ini
security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
--- a/security/manager/ssl/src/PSMContentDownloader.h
+++ b/security/manager/ssl/src/PSMContentDownloader.h
@@ -113,24 +113,16 @@ class NS_NO_VTABLE nsINSSComponent : pub
 
   NS_IMETHOD GetNSSBundleString(const char *name,
                                 nsAString &outString) = 0;
   NS_IMETHOD NSSBundleFormatStringFromName(const char *name,
                                            const char16_t **params,
                                            uint32_t numParams,
                                            nsAString &outString) = 0;
 
-  // This method will just disable OCSP in NSS, it will not
-  // alter the respective pref values.
-  NS_IMETHOD SkipOcsp() = 0;
-
-  // This method will set the OCSP value according to the 
-  // values in the preferences.
-  NS_IMETHOD SkipOcspOff() = 0;
-
   NS_IMETHOD LogoutAuthenticatedPK11() = 0;
 
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
   NS_IMETHOD LaunchSmartCardThread(SECMODModule *module) = 0;
 
   NS_IMETHOD ShutdownSmartCardThread(SECMODModule *module) = 0;
 
   NS_IMETHOD PostEvent(const nsAString &eventType, const nsAString &token) = 0;
@@ -186,18 +178,16 @@ public:
                                            uint32_t numParams,
                                            nsAString &outString);
   NS_IMETHOD GetNSSBundleString(const char *name,
                                nsAString &outString);
   NS_IMETHOD NSSBundleFormatStringFromName(const char *name,
                                            const char16_t **params,
                                            uint32_t numParams,
                                            nsAString &outString);
-  NS_IMETHOD SkipOcsp();
-  NS_IMETHOD SkipOcspOff();
   NS_IMETHOD LogoutAuthenticatedPK11();
 
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
   NS_IMETHOD LaunchSmartCardThread(SECMODModule *module);
   NS_IMETHOD ShutdownSmartCardThread(SECMODModule *module);
   NS_IMETHOD PostEvent(const nsAString &eventType, const nsAString &token);
   NS_IMETHOD DispatchEvent(const nsAString &eventType, const nsAString &token);
   void LaunchSmartCardThreads();
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -1021,42 +1021,16 @@ nsNSSComponent::setEnabledTLSVersions()
           != SECSuccess) {
       return NS_ERROR_UNEXPECTED;
     }
   }
 
   return NS_OK;
 }
 
-NS_IMETHODIMP
-nsNSSComponent::SkipOcsp()
-{
-  nsNSSShutDownPreventionLock locker;
-  CERTCertDBHandle* certdb = CERT_GetDefaultCertDB();
-
-  SECStatus rv = CERT_DisableOCSPChecking(certdb);
-  return (rv == SECSuccess) ? NS_OK : NS_ERROR_FAILURE;
-}
-
-NS_IMETHODIMP
-nsNSSComponent::SkipOcspOff()
-{
-  MutexAutoLock lock(mutex);
-  MOZ_ASSERT(NS_IsMainThread());
-  MOZ_ASSERT(mNSSInitialized);
-  NS_ENSURE_TRUE(mNSSInitialized, NS_ERROR_NOT_INITIALIZED);
-
-  CertVerifier::ocsp_download_config odc; // ignored
-  CertVerifier::ocsp_strict_config osc; // ignored
-  CertVerifier::ocsp_get_config ogc; // ignored
-  SetClassicOCSPBehaviorFromPrefs(&odc, &osc, &ogc, lock);
-
-  return NS_OK;
-}
-
 nsresult
 nsNSSComponent::InitializeNSS()
 {
   // Can be called both during init and profile change.
   // Needs mutex protection.
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSComponent::InitializeNSS\n"));
 
--- a/security/manager/ssl/src/nsNSSComponent.h
+++ b/security/manager/ssl/src/nsNSSComponent.h
@@ -80,24 +80,16 @@ class NS_NO_VTABLE nsINSSComponent : pub
 
   NS_IMETHOD GetNSSBundleString(const char* name,
                                 nsAString& outString) = 0;
   NS_IMETHOD NSSBundleFormatStringFromName(const char* name,
                                            const char16_t** params,
                                            uint32_t numParams,
                                            nsAString& outString) = 0;
 
-  // This method will just disable OCSP in NSS, it will not
-  // alter the respective pref values.
-  NS_IMETHOD SkipOcsp() = 0;
-
-  // This method will set the OCSP value according to the
-  // values in the preferences.
-  NS_IMETHOD SkipOcspOff() = 0;
-
   NS_IMETHOD LogoutAuthenticatedPK11() = 0;
 
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
   NS_IMETHOD LaunchSmartCardThread(SECMODModule* module) = 0;
 
   NS_IMETHOD ShutdownSmartCardThread(SECMODModule* module) = 0;
 
   NS_IMETHOD PostEvent(const nsAString& eventType,
@@ -150,18 +142,16 @@ public:
                                            const char16_t** params,
                                            uint32_t numParams,
                                            nsAString& outString);
   NS_IMETHOD GetNSSBundleString(const char* name, nsAString& outString);
   NS_IMETHOD NSSBundleFormatStringFromName(const char* name,
                                            const char16_t** params,
                                            uint32_t numParams,
                                            nsAString& outString);
-  NS_IMETHOD SkipOcsp();
-  NS_IMETHOD SkipOcspOff();
   NS_IMETHOD LogoutAuthenticatedPK11();
 
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
   NS_IMETHOD LaunchSmartCardThread(SECMODModule* module);
   NS_IMETHOD ShutdownSmartCardThread(SECMODModule* module);
   NS_IMETHOD PostEvent(const nsAString& eventType, const nsAString& token);
   NS_IMETHOD DispatchEvent(const nsAString& eventType, const nsAString& token);
   void LaunchSmartCardThreads();
--- a/security/manager/ssl/src/nsUsageArrayHelper.cpp
+++ b/security/manager/ssl/src/nsUsageArrayHelper.cpp
@@ -197,30 +197,16 @@ nsUsageArrayHelper::GetUsagesArray(const
   NS_ENSURE_TRUE(nssComponent, NS_ERROR_NOT_AVAILABLE);
 
   if (outArraySize < max_returned_out_array_size)
     return NS_ERROR_FAILURE;
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
 
-  // Bug 860076, this disabling ocsp for all NSS is incorrect.
-  const bool localOSCPDisable
-    = certVerifier->mImplementation == CertVerifier::classic;
-  if (localOSCPDisable) {
-    nsresult rv;
-    nssComponent = do_GetService(kNSSComponentCID, &rv);
-    if (NS_FAILED(rv))
-      return rv;
-    
-    if (nssComponent) {
-      nssComponent->SkipOcsp();
-    }
-  }
-
   uint32_t &count = *_count;
   count = 0;
 
   PRTime now = PR_Now();
   CertVerifier::Flags flags = localOnly ? CertVerifier::FLAG_LOCAL_ONLY : 0;
 
   // The following list of checks must be < max_returned_out_array_size
 
@@ -250,21 +236,16 @@ nsUsageArrayHelper::GetUsagesArray(const
 #endif
   result = check(result, suffix, certVerifier,
                  certificateUsageStatusResponder, now, flags, count, outUsages);
 #if 0
   result = check(result, suffix, certVerifier,
                  certificateUsageAnyCA, now, flags, count, outUsages);
 #endif
 
-  // Bug 860076, this disabling ocsp for all NSS is incorrect
-  if (localOSCPDisable) {
-     nssComponent->SkipOcspOff();
-  }
-
   if (isFatalError(result) || count == 0) {
     MOZ_ASSERT(result != nsIX509Cert::VERIFIED_OK);
 
     // Clear the output usage strings in the case where we encountered a fatal
     // error after we already successfully validated the cert for some usages.
     for (uint32_t i = 0; i < count; ++i) {
       delete outUsages[i];
       outUsages[i] = nullptr;
--- a/security/manager/ssl/tests/mochitest/browser/browser.ini
+++ b/security/manager/ssl/tests/mochitest/browser/browser.ini
@@ -1,5 +1,6 @@
 [DEFAULT]
 support-files = head.js
 
 [browser_bug627234_perwindowpb.js]
 [browser_certificateManagerLeak.js]
+[browser_certViewer.js]
copy from security/manager/ssl/tests/mochitest/browser/browser_certificateManagerLeak.js
copy to security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
--- a/security/manager/ssl/tests/mochitest/browser/browser_certificateManagerLeak.js
+++ b/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
@@ -11,16 +11,28 @@ function onLoad() {
 }
 
 function onUnload() {
   gBugWindow.removeEventListener("unload", onUnload);
   window.focus();
   finish();
 }
 
-// This test opens and then closes the certificate manager to test that it
-// does not leak. The test harness keeps track of and reports leaks, so
-// there are no actual checks here.
+// This test opens and then closes the certificate viewer to test that it
+// does not crash.
 function test() {
   waitForExplicitFinish();
-  gBugWindow = window.openDialog("chrome://pippki/content/certManager.xul");
+  let certdb = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
+  // If the certificate with the nickname "pgoca" is ever removed,
+  // this will fail. Simply find another certificate. Any one will
+  // do.
+  let cert = certdb.findCertByNickname(null, "pgoca");
+  ok(cert, "found a certificate to look at");
+  let arg = {
+    QueryInterface: function() this,
+    getISupportAtIndex: function() this.cert,
+    cert: cert
+  };
+  gBugWindow = window.openDialog("chrome://pippki/content/certViewer.xul",
+                                 "", "", arg);
   gBugWindow.addEventListener("load", onLoad);
 }