Author: arekm Date: Thu Mar 24 11:15:54 2011 GMT Module: packages Tag: HEAD ---- Log message: - rel 1; Fore-port-nsIBadCertListener-from-1.8.patch from debian as our xulrunner-ssl_oldapi.patch
---- Files affected: packages/xulrunner: xulrunner-ssl_oldapi.patch (1.2 -> 1.3) , xulrunner.spec (1.175 -> 1.176) ---- Diffs: ================================================================ Index: packages/xulrunner/xulrunner-ssl_oldapi.patch diff -u packages/xulrunner/xulrunner-ssl_oldapi.patch:1.2 packages/xulrunner/xulrunner-ssl_oldapi.patch:1.3 --- packages/xulrunner/xulrunner-ssl_oldapi.patch:1.2 Tue Jun 30 20:28:24 2009 +++ packages/xulrunner/xulrunner-ssl_oldapi.patch Thu Mar 24 12:15:48 2011 
@@ -1,193 +1,35 @@ ---- xulrunner-1.9.0.1.orig/security/manager/ssl/src/nsNSSIOLayer.h -+++ xulrunner-1.9.0.1/security/manager/ssl/src/nsNSSIOLayer.h -@@ -185,6 +185,13 @@ +From: Mike Hommey <[email protected]> +Date: Sun, 15 Jun 2008 12:54:32 +0200 +Subject: Fore-port nsIBadCertListener from 1.8 + +This allows embedding applications to use the same dialogs as before, instead +of the new ssl alert pages from Firefox, which have several problems in +embedding applications. +--- + security/manager/ssl/public/Makefile.in | 1 + + security/manager/ssl/public/nsIBadCertListener.idl | 155 ++++++++++++++++++++ + security/manager/ssl/src/nsNSSIOLayer.cpp | 105 +++++++++++++- + security/manager/ssl/src/nsNSSIOLayer.h | 8 + + 4 files changed, 268 insertions(+), 1 deletions(-) + create mode 100644 security/manager/ssl/public/nsIBadCertListener.idl + +diff --git a/security/manager/ssl/public/Makefile.in b/security/manager/ssl/public/Makefile.in +index fa84d3a..affd50a 100644 +--- a/security/manager/ssl/public/Makefile.in ++++ b/security/manager/ssl/public/Makefile.in +@@ -60,6 +60,7 @@ SDK_XPIDLSRCS = \ - void SetAllowTLSIntoleranceTimeout(PRBool aAllow); - -+ enum BadCertUIStatusType { -+ bcuis_not_shown, bcuis_active, bcuis_was_shown -+ }; -+ -+ void SetBadCertUIStatus(BadCertUIStatusType aNewStatus); -+ BadCertUIStatusType GetBadCertUIStatus() { return mBadCertUIStatus; } -+ - nsresult GetExternalErrorReporting(PRBool* state); - nsresult SetExternalErrorReporting(PRBool aState); - -@@ -225,6 +232,7 @@ - PRPackedBool mHandshakeInProgress; - PRPackedBool mAllowTLSIntoleranceTimeout; - PRPackedBool mRememberClientAuthCertificate; -+ BadCertUIStatusType mBadCertUIStatus; - PRIntervalTime mHandshakeStartTime; - PRInt32 mPort; - nsXPIDLCString mHostName; ---- xulrunner-1.9.0.1.orig/security/manager/ssl/src/nsNSSIOLayer.cpp -+++ xulrunner-1.9.0.1/security/manager/ssl/src/nsNSSIOLayer.cpp -@@ -59,6 +59,7 @@ - #include "nsDateTimeFormatCID.h" - #include "nsIClientAuthDialogs.h" - 
#include "nsICertOverrideService.h" -+#include "nsIBadCertListener.h" - #include "nsIBadCertListener2.h" - #include "nsISSLErrorListener.h" - #include "nsIObjectInputStream.h" -@@ -750,6 +751,20 @@ - } - } - -+void nsNSSSocketInfo::SetBadCertUIStatus(nsNSSSocketInfo::BadCertUIStatusType aNewStatus) -+{ -+ if (mBadCertUIStatus == bcuis_active && -+ aNewStatus == bcuis_was_shown) -+ { -+ // we were blocked and going back to unblocked, -+ // so let's reset the handshake start time, in order to ensure -+ // we do not count the amount of time while the UI was shown. -+ mHandshakeStartTime = PR_IntervalNow(); -+ } -+ -+ mBadCertUIStatus = aNewStatus; -+} -+ - void nsNSSSocketInfo::SetAllowTLSIntoleranceTimeout(PRBool aAllow) - { - mAllowTLSIntoleranceTimeout = aAllow; -@@ -759,7 +774,8 @@ - - PRBool nsNSSSocketInfo::HandshakeTimeout() - { -- if (!mHandshakeInProgress || !mAllowTLSIntoleranceTimeout) -+ if (!mHandshakeInProgress || !mAllowTLSIntoleranceTimeout || -+ mBadCertUIStatus == bcuis_active) - return PR_FALSE; - - return ((PRIntervalTime)(PR_IntervalNow() - mHandshakeStartTime) -@@ -1610,6 +1626,37 @@ - return PR_FALSE; - } - -+static PRBool -+isClosedConnectionAfterBadCertUIWasShown(PRInt32 bytesTransfered, -+ PRBool wasReading, -+ PRInt32 err, -+ nsNSSSocketInfo::BadCertUIStatusType aBadCertUIStatus) -+{ -+ if (aBadCertUIStatus != nsNSSSocketInfo::bcuis_not_shown) -+ { -+ // Bad cert UI was shown for this socket. -+ // Server timeout possible. -+ // Retry on a simple connection close. 
-+ -+ if (wasReading && 0 == bytesTransfered) -+ return PR_TRUE; -+ -+ if (0 > bytesTransfered) -+ { -+ switch (err) -+ { -+ case PR_CONNECT_RESET_ERROR: -+ case PR_END_OF_FILE_ERROR: -+ return PR_TRUE; -+ default: -+ break; -+ } -+ } -+ } -+ -+ return PR_FALSE; -+} -+ - PRInt32 - nsSSLThread::checkHandshake(PRInt32 bytesTransfered, - PRBool wasReading, -@@ -1661,6 +1708,12 @@ - return bytesTransfered; - } - -+ wantRetry = -+ isClosedConnectionAfterBadCertUIWasShown(bytesTransfered, -+ wasReading, -+ err, -+ socketInfo->GetBadCertUIStatus()); -+ - if (!wantRetry // no decision yet - && isTLSIntoleranceError(err, socketInfo->GetHasCleartextPhase())) - { -@@ -1678,6 +1731,12 @@ - { - if (handleHandshakeResultNow) - { -+ wantRetry = -+ isClosedConnectionAfterBadCertUIWasShown(bytesTransfered, -+ wasReading, -+ 0, -+ socketInfo->GetBadCertUIStatus()); -+ - if (!wantRetry // no decision yet - && !socketInfo->GetHasCleartextPhase()) // mirror PR_CONNECT_RESET_ERROR treament - { -@@ -3035,6 +3094,48 @@ - rv = proxy_bcl->NotifyCertProblem(csi, status, hostWithPortString, - &suppressMessage); - } -+ } else { -+ nsCOMPtr<nsIBadCertListener> handler = do_GetInterface(callbacks); -+ nsIBadCertListener *badCertHandler = nsnull; -+ if (handler) { -+ NS_GetProxyForObject(NS_PROXY_TO_MAIN_THREAD, -+ NS_GET_IID(nsIBadCertListener), -+ handler, -+ NS_PROXY_SYNC, -+ (void**)&badCertHandler); -+ } -+ if (!badCertHandler) { -+ getNSSDialogs((void**)&badCertHandler, -+ NS_GET_IID(nsIBadCertListener), -+ NS_BADCERTLISTENER_CONTRACTID); -+ } -+ if (badCertHandler) { -+ PRBool retVal = PR_TRUE; -+ PRInt16 addType = nsIBadCertListener::UNINIT_ADD_FLAG; -+ nsIInterfaceRequestor *csi = static_cast<nsIInterfaceRequestor*>(infoObject); -+ infoObject->SetBadCertUIStatus(nsNSSSocketInfo::bcuis_active); -+ if (remaining_display_errors & nsICertOverrideService::ERROR_UNTRUSTED) { -+ rv = badCertHandler->ConfirmUnknownIssuer(csi, ix509, &addType, &retVal); -+ if (NS_FAILED(rv)) retVal = PR_FALSE; -+ 
} -+ if (retVal && (remaining_display_errors & nsICertOverrideService::ERROR_MISMATCH)) { -+ rv = badCertHandler->ConfirmMismatchDomain(csi, hostString, ix509, &retVal); -+ if (NS_FAILED(rv)) retVal = PR_FALSE; -+ } -+ if (retVal && (remaining_display_errors & nsICertOverrideService::ERROR_TIME)) { -+ rv = badCertHandler->ConfirmCertExpired(csi, ix509, &retVal); -+ if (NS_FAILED(rv)) retVal = PR_FALSE; -+ } -+ if (overrideService && retVal && addType != nsIBadCertListener::UNINIT_ADD_FLAG) { -+ overrideService->RememberValidityOverride(hostString, port, ix509, -+ nsICertOverrideService::ERROR_UNTRUSTED, -+ addType == nsIBadCertListener::ADD_TRUSTED_FOR_SESSION); -+ } -+ infoObject->SetBadCertUIStatus(nsNSSSocketInfo::bcuis_was_shown); -+ if (retVal) -+ return SECSuccess; -+ suppressMessage = PR_TRUE; -+ } - } - } - ---- xulrunner-1.9.0.1.orig/security/manager/ssl/public/Makefile.in -+++ xulrunner-1.9.0.1/security/manager/ssl/public/Makefile.in -@@ -51,6 +51,7 @@ - SDK_XPIDLSRCS = \ - nsIASN1Object.idl \ - nsIASN1Sequence.idl \ + XPIDLSRCS = \ + nsISSLCertErrorDialog.idl \ + nsIBadCertListener.idl \ - nsICertificateDialogs.idl \ - nsICRLInfo.idl \ - nsIX509Cert.idl \ ---- xulrunner-1.9.0.1.orig/security/manager/ssl/public/nsIBadCertListener.idl -+++ xulrunner-1.9.0.1/security/manager/ssl/public/nsIBadCertListener.idl + nsIBadCertListener2.idl \ + nsISSLErrorListener.idl \ + nsIIdentityInfo.idl \ +diff --git a/security/manager/ssl/public/nsIBadCertListener.idl b/security/manager/ssl/public/nsIBadCertListener.idl +new file mode 100644 +index 0000000..5e9e750 +--- /dev/null ++++ b/security/manager/ssl/public/nsIBadCertListener.idl @@ -0,0 +1,155 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * 
@@ -344,3 +186,187 @@ +%{C++ +#define NS_BADCERTLISTENER_CONTRACTID "@mozilla.org/nsBadCertListener;1" +%} +diff --git a/security/manager/ssl/src/nsNSSIOLayer.cpp b/security/manager/ssl/src/nsNSSIOLayer.cpp +index 88f0c98..c4d8db9 100644 +--- a/security/manager/ssl/src/nsNSSIOLayer.cpp ++++ b/security/manager/ssl/src/nsNSSIOLayer.cpp +@@ -60,6 +60,7 @@ + #include "nsIClientAuthDialogs.h" + #include "nsClientAuthRemember.h" + #include "nsICertOverrideService.h" ++#include "nsIBadCertListener.h" + #include "nsIBadCertListener2.h" + #include "nsISSLErrorListener.h" + #include "nsIObjectInputStream.h" +@@ -899,6 +900,20 @@ void nsNSSSocketInfo::SetHandshakeInProgress(PRBool aIsIn) + } + } + ++void nsNSSSocketInfo::SetBadCertUIStatus(nsNSSSocketInfo::BadCertUIStatusType aNewStatus) ++{ ++ if (mBadCertUIStatus == bcuis_active && ++ aNewStatus == bcuis_was_shown) ++ { ++ // we were blocked and going back to unblocked, ++ // so let's reset the handshake start time, in order to ensure ++ // we do not count the amount of time while the UI was shown. 
++ mHandshakeStartTime = PR_IntervalNow(); ++ } ++ ++ mBadCertUIStatus = aNewStatus; ++} ++ + void nsNSSSocketInfo::SetAllowTLSIntoleranceTimeout(PRBool aAllow) + { + mAllowTLSIntoleranceTimeout = aAllow; +@@ -908,7 +923,8 @@ void nsNSSSocketInfo::SetAllowTLSIntoleranceTimeout(PRBool aAllow) + + PRBool nsNSSSocketInfo::HandshakeTimeout() + { +- if (!mHandshakeInProgress || !mAllowTLSIntoleranceTimeout) ++ if (!mHandshakeInProgress || !mAllowTLSIntoleranceTimeout || ++ mBadCertUIStatus == bcuis_active) + return PR_FALSE; + + return ((PRIntervalTime)(PR_IntervalNow() - mHandshakeStartTime) +@@ -1949,6 +1965,37 @@ isTLSIntoleranceError(PRInt32 err, PRBool withInitialCleartext) + return PR_FALSE; + } + ++static PRBool ++isClosedConnectionAfterBadCertUIWasShown(PRInt32 bytesTransfered, ++ PRBool wasReading, ++ PRInt32 err, ++ nsNSSSocketInfo::BadCertUIStatusType aBadCertUIStatus) ++{ ++ if (aBadCertUIStatus != nsNSSSocketInfo::bcuis_not_shown) ++ { ++ // Bad cert UI was shown for this socket. ++ // Server timeout possible. ++ // Retry on a simple connection close. 
++ ++ if (wasReading && 0 == bytesTransfered) ++ return PR_TRUE; ++ ++ if (0 > bytesTransfered) ++ { ++ switch (err) ++ { ++ case PR_CONNECT_RESET_ERROR: ++ case PR_END_OF_FILE_ERROR: ++ return PR_TRUE; ++ default: ++ break; ++ } ++ } ++ } ++ ++ return PR_FALSE; ++} ++ + PRInt32 + nsSSLThread::checkHandshake(PRInt32 bytesTransfered, + PRBool wasReading, +@@ -2000,6 +2047,12 @@ nsSSLThread::checkHandshake(PRInt32 bytesTransfered, + return bytesTransfered; + } + ++ wantRetry = ++ isClosedConnectionAfterBadCertUIWasShown(bytesTransfered, ++ wasReading, ++ err, ++ socketInfo->GetBadCertUIStatus()); ++ + if (!wantRetry // no decision yet + && isTLSIntoleranceError(err, socketInfo->GetHasCleartextPhase())) + { +@@ -2017,6 +2070,12 @@ nsSSLThread::checkHandshake(PRInt32 bytesTransfered, + { + if (handleHandshakeResultNow) + { ++ wantRetry = ++ isClosedConnectionAfterBadCertUIWasShown(bytesTransfered, ++ wasReading, ++ 0, ++ socketInfo->GetBadCertUIStatus()); ++ + if (!wantRetry // no decision yet + && !socketInfo->GetHasCleartextPhase()) // mirror PR_CONNECT_RESET_ERROR treament + { +@@ -3577,6 +3636,50 @@ nsNSSBadCertHandler(void *arg, PRFileDesc *sslSocket) + rv = proxy_bcl->NotifyCertProblem(csi, status, hostWithPortString, + &suppressMessage); + } ++ } else { ++ nsCOMPtr<nsIBadCertListener> handler = do_GetInterface(callbacks); ++ nsIBadCertListener *badCertHandler = nsnull; ++ if (handler) { ++ NS_GetProxyForObject(NS_PROXY_TO_MAIN_THREAD, ++ NS_GET_IID(nsIBadCertListener), ++ handler, ++ NS_PROXY_SYNC, ++ (void**)&badCertHandler); ++ } ++ if (!badCertHandler) { ++ getNSSDialogs((void**)&badCertHandler, ++ NS_GET_IID(nsIBadCertListener), ++ NS_BADCERTLISTENER_CONTRACTID); ++ } ++ if (badCertHandler) { ++ PRBool retVal = PR_TRUE; ++ PRInt16 addType = nsIBadCertListener::UNINIT_ADD_FLAG; ++ nsIInterfaceRequestor *csi = static_cast<nsIInterfaceRequestor*>(infoObject); ++ infoObject->SetBadCertUIStatus(nsNSSSocketInfo::bcuis_active); ++ if (remaining_display_errors & 
nsICertOverrideService::ERROR_UNTRUSTED) { ++ rv = badCertHandler->ConfirmUnknownIssuer(csi, ix509, &addType, &retVal); ++ if (NS_FAILED(rv)) retVal = PR_FALSE; ++ } ++ if (retVal && (remaining_display_errors & nsICertOverrideService::ERROR_MISMATCH)) { ++ rv = badCertHandler->ConfirmMismatchDomain(csi, hostString, ix509, &retVal); ++ if (NS_FAILED(rv)) retVal = PR_FALSE; ++ } ++ if (retVal && (remaining_display_errors & nsICertOverrideService::ERROR_TIME)) { ++ rv = badCertHandler->ConfirmCertExpired(csi, ix509, &retVal); ++ if (NS_FAILED(rv)) retVal = PR_FALSE; ++ } ++ nsCOMPtr<nsICertOverrideService> overrideService = ++ do_GetService(NS_CERTOVERRIDE_CONTRACTID); ++ if (overrideService && retVal && addType != nsIBadCertListener::UNINIT_ADD_FLAG) { ++ overrideService->RememberValidityOverride(hostString, port, ix509, ++ nsICertOverrideService::ERROR_UNTRUSTED, ++ addType == nsIBadCertListener::ADD_TRUSTED_FOR_SESSION); ++ } ++ infoObject->SetBadCertUIStatus(nsNSSSocketInfo::bcuis_was_shown); ++ if (retVal) ++ return SECSuccess; ++ suppressMessage = PR_TRUE; ++ } + } + } + +diff --git a/security/manager/ssl/src/nsNSSIOLayer.h b/security/manager/ssl/src/nsNSSIOLayer.h +index c619282..fbca648 100644 +--- a/security/manager/ssl/src/nsNSSIOLayer.h ++++ b/security/manager/ssl/src/nsNSSIOLayer.h +@@ -189,6 +189,13 @@ public: + + void SetAllowTLSIntoleranceTimeout(PRBool aAllow); + ++ enum BadCertUIStatusType { ++ bcuis_not_shown, bcuis_active, bcuis_was_shown ++ }; ++ ++ void SetBadCertUIStatus(BadCertUIStatusType aNewStatus); ++ BadCertUIStatusType GetBadCertUIStatus() { return mBadCertUIStatus; } ++ + nsresult GetExternalErrorReporting(PRBool* state); + nsresult SetExternalErrorReporting(PRBool aState); + +@@ -225,6 +232,7 @@ protected: + PRPackedBool mHandshakeInProgress; + PRPackedBool mAllowTLSIntoleranceTimeout; + PRPackedBool mRememberClientAuthCertificate; ++ BadCertUIStatusType mBadCertUIStatus; + PRIntervalTime mHandshakeStartTime; + PRInt32 mPort; + 
nsXPIDLCString mHostName; ================================================================ Index: packages/xulrunner/xulrunner.spec diff -u packages/xulrunner/xulrunner.spec:1.175 packages/xulrunner/xulrunner.spec:1.176 --- packages/xulrunner/xulrunner.spec:1.175 Thu Mar 24 10:46:47 2011 +++ packages/xulrunner/xulrunner.spec Thu Mar 24 12:15:48 2011 @@ -27,7 +27,7 @@ Summary(pl.UTF-8): XULRunner - środowisko uruchomieniowe Mozilli dla aplikacji XUL+XPCOM Name: xulrunner Version: %{xulrunner_ver} -Release: 0.1 +Release: 1 Epoch: 2 License: MPL v1.1 or GPL v2+ or LGPL v2.1+ Group: X11/Applications @@ -185,8 +185,7 @@ %patch5 -p1 %patch6 -p1 %patch7 -p1 -# applies but fails to builds - needs update -#%patch8 -p1 +%patch8 -p1 %patch9 -p1 %build @@ -597,6 +596,9 @@ All persons listed below can be reached at <cvs_login>@pld-linux.org $Log$ +Revision 1.176 2011/03/24 11:15:48 arekm +- rel 1; Fore-port-nsIBadCertListener-from-1.8.patch from debian as our xulrunner-ssl_oldapi.patch + Revision 1.175 2011/03/24 09:46:47 arekm - patch8 still needs update ================================================================ ---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/xulrunner/xulrunner-ssl_oldapi.patch?r1=1.2&r2=1.3&f=u http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/xulrunner/xulrunner.spec?r1=1.175&r2=1.176&f=u _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
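Review bot: In the `else` branch added to nsNSSBadCertHandler, `PRBool retVal = PR_TRUE;` makes the legacy-listener path fail open, because `if (retVal) return SECSuccess;` accepts the certificate even when none of the three `Confirm*` calls ran. That happens whenever `remaining_display_errors` carries none of ERROR_UNTRUSTED, ERROR_MISMATCH or ERROR_TIME; whether it can reach this point as zero or with only other bits is decided outside the hunk, so this should be confirmed against the rest of the function, which starts and ends outside the hunk. A fail-closed start value would be `PRBool retVal = remaining_display_errors != 0 && (remaining_display_errors & ~(nsICertOverrideService::ERROR_UNTRUSTED | nsICertOverrideService::ERROR_MISMATCH | nsICertOverrideService::ERROR_TIME)) == 0;`, with a comment above it such as `// accept only if every remaining error was put to the user`. Separately, `badCertHandler` is a raw pointer filled through `(void**)` out-parameters and no release is visible before the block closes or before `return SECSuccess`, so the reference presumably leaks on every bad-cert prompt; `NS_IF_RELEASE(badCertHandler);` after the second `SetBadCertUIStatus` call would cover both exits.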
