Loading modules/libmar/verify/MacVerifyCrypto.cpp +12 −102 Original line number Diff line number Diff line Loading @@ -212,9 +212,10 @@ CryptoMac_VerifyUpdate(CryptoX_SignatureHandle* aInputData, void* aBuf, CryptoX_Result CryptoMac_LoadPublicKey(const unsigned char* aCertData, unsigned int aDataSize, CryptoX_PublicKey* aPublicKey) { if (!aCertData || !aPublicKey) { if (!aCertData || aDataSize == 0 || !aPublicKey) { return CryptoX_Error; } *aPublicKey = NULL; Loading Loading @@ -261,42 +262,11 @@ CryptoMac_LoadPublicKey(const unsigned char* aCertData, } sCspHandle = cspHandle; } FILE* certFile = NULL; long certFileSize = 0; uint8* certBuffer = NULL; certFile = fopen((char*)aCertData, "rb"); if (!certFile) { return CryptoX_Error; } if (fseek(certFile, 0, SEEK_END)) { fclose(certFile); return CryptoX_Error; } certFileSize = ftell(certFile); if (certFileSize < 0) { fclose(certFile); return CryptoX_Error; } certBuffer = (uint8*)malloc(certFileSize); if (fseek(certFile, 0, SEEK_SET)) { free(certBuffer); fclose(certFile); return CryptoX_Error; } uint readResult = fread(certBuffer, sizeof(uint8), certFileSize, certFile); if (readResult != certFileSize) { free(certBuffer); fclose(certFile); return CryptoX_Error; } fclose(certFile); CFDataRef certData = CFDataCreate(kCFAllocatorDefault, certBuffer, certFileSize); free(certBuffer); aCertData, aDataSize); if (!certData) { return CryptoX_Error; } Loading 
@@ -308,76 +278,16 @@ CryptoMac_LoadPublicKey(const unsigned char* aCertData, return CryptoX_Error; } SecKeyRef publicKey; OSStatus status = SecCertificateCopyPublicKey(cert, (SecKeyRef*)&publicKey); OSStatus status = SecCertificateCopyPublicKey(cert, (SecKeyRef*)aPublicKey); CFRelease(cert); if (status) { if (status != 0) { return CryptoX_Error; } *aPublicKey = (void*)publicKey; return CryptoX_Success; } CFURLRef url = CFURLCreateFromFileSystemRepresentation(kCFAllocatorDefault, aCertData, strlen((char*)aCertData), false); if (!url) { return CryptoX_Error; } CFReadStreamRef stream = CFReadStreamCreateWithFile(kCFAllocatorDefault, url); if (!stream) { CFRelease(url); return CryptoX_Error; } SecTransformRef readTransform = SecTransformCreateReadTransformWithReadStreamPtr(stream); if (!readTransform) { CFRelease(url); CFRelease(stream); return CryptoX_Error; } CFErrorRef error; CFDataRef tempCertData = (CFDataRef)SecTransformExecutePtr(readTransform, &error); if (!tempCertData || error) { CFRelease(url); CFRelease(stream); CFRelease(readTransform); return CryptoX_Error; } SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, tempCertData); if (!cert) { CFRelease(url); CFRelease(stream); CFRelease(readTransform); CFRelease(tempCertData); return CryptoX_Error; } CryptoX_Result result = CryptoX_Error; OSStatus status = SecCertificateCopyPublicKey(cert, (SecKeyRef*)aPublicKey); if (status == 0) { result = CryptoX_Success; } CFRelease(url); CFRelease(stream); CFRelease(readTransform); CFRelease(tempCertData); CFRelease(cert); return result; } CryptoX_Result CryptoMac_VerifySignature(CryptoX_SignatureHandle* aInputData, CryptoX_PublicKey* aPublicKey, Loading modules/libmar/verify/cryptox.h +2 −1 Original line number Diff line number Diff line Loading 
@@ -74,6 +74,7 @@ CryptoX_Result CryptoMac_VerifyBegin(CryptoX_SignatureHandle* aInputData); CryptoX_Result CryptoMac_VerifyUpdate(CryptoX_SignatureHandle* aInputData, void* aBuf, unsigned int aLen); CryptoX_Result CryptoMac_LoadPublicKey(const unsigned char* aCertData, unsigned int aDataSize, CryptoX_PublicKey* aPublicKey); CryptoX_Result CryptoMac_VerifySignature(CryptoX_SignatureHandle* aInputData, CryptoX_PublicKey* aPublicKey, Loading @@ -93,7 +94,7 @@ void CryptoMac_FreePublicKey(CryptoX_PublicKey* aPublicKey); CryptoMac_VerifyUpdate(aInputData, aBuf, aLen) #define CryptoX_LoadPublicKey(aProviderHandle, aCertData, aDataSize, \ aPublicKey) \ CryptoMac_LoadPublicKey(aCertData, aPublicKey) CryptoMac_LoadPublicKey(aCertData, aDataSize, aPublicKey) #define CryptoX_VerifySignature(aInputData, aPublicKey, aSignature, \ aSignatureLen) \ CryptoMac_VerifySignature(aInputData, aPublicKey, aSignature, aSignatureLen) Loading toolkit/mozapps/update/updater/archivereader.cpp +5 −0 Original line number Diff line number Diff line Loading @@ -47,11 +47,16 @@ template<uint32_t SIZE> int VerifyLoadedCert(MarFile *archive, const uint8_t (&certData)[SIZE]) { (void)archive; (void)certData; #ifdef MOZ_VERIFY_MAR_SIGNATURE const uint32_t size = SIZE; const uint8_t* const data = &certData[0]; if (mar_verify_signatures(archive, &data, &size, 1)) { return CERT_VERIFY_ERROR; } #endif return OK; } Loading toolkit/mozapps/update/updater/moz.build +11 −3 Original line number Diff line number Diff line Loading @@ -13,6 +13,12 @@ SOURCES += [ ] have_progressui = 0 if CONFIG['MOZ_VERIFY_MAR_SIGNATURE']: USE_LIBS += [ 'verifymar', ] if CONFIG['OS_ARCH'] == 'WINNT': have_progressui = 1 SOURCES += [ Loading @@ -32,7 +38,6 @@ if CONFIG['OS_ARCH'] == 'WINNT': ] USE_LIBS += [ 'updatecommon-standalone', 'verifymar', ] OS_LIBS += [ 'comctl32', Loading 
@@ -42,15 +47,18 @@ if CONFIG['OS_ARCH'] == 'WINNT': 'crypt32', 'advapi32', ] else: elif CONFIG['OS_ARCH'] == 'Linux': USE_LIBS += [ 'updatecommon', '/modules/libmar/sign/signmar', '/modules/libmar/sign/verifymar', '/security/nss/lib/nss/nss3', '/security/nss/lib/util/nssutil3', ] OS_LIBS += CONFIG['NSPR_LIBS'] else: USE_LIBS += [ 'updatecommon', ] USE_LIBS += [ 'mar', Loading toolkit/mozapps/update/updater/updater.cpp +4 −4 Original line number Diff line number Diff line Loading @@ -116,7 +116,7 @@ static bool sUseHardLinks = true; # define MAYBE_USE_HARD_LINKS 0 #endif #if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) #if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) && !defined(XP_MACOSX) #include "nss.h" #include "prerror.h" #endif Loading Loading @@ -2558,9 +2558,9 @@ int NS_main(int argc, NS_tchar **argv) } #endif #if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) // On Windows we rely on CyrptoAPI to do verifications so we don't need to // initialize NSS at all there. #if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) && !defined(XP_MACOSX) // On Windows and Mac we rely on native APIs to do verifications so we don't // need to initialize NSS at all there. // Otherwise, minimize the amount of NSS we depend on by avoiding all the NSS // databases. if (NSS_NoDB_Init(NULL) != SECSuccess) { Loading Loading
modules/libmar/verify/MacVerifyCrypto.cpp +12 −102 Original line number Diff line number Diff line Loading @@ -212,9 +212,10 @@ CryptoMac_VerifyUpdate(CryptoX_SignatureHandle* aInputData, void* aBuf, CryptoX_Result CryptoMac_LoadPublicKey(const unsigned char* aCertData, unsigned int aDataSize, CryptoX_PublicKey* aPublicKey) { if (!aCertData || !aPublicKey) { if (!aCertData || aDataSize == 0 || !aPublicKey) { return CryptoX_Error; } *aPublicKey = NULL; Loading Loading @@ -261,42 +262,11 @@ CryptoMac_LoadPublicKey(const unsigned char* aCertData, } sCspHandle = cspHandle; } FILE* certFile = NULL; long certFileSize = 0; uint8* certBuffer = NULL; certFile = fopen((char*)aCertData, "rb"); if (!certFile) { return CryptoX_Error; } if (fseek(certFile, 0, SEEK_END)) { fclose(certFile); return CryptoX_Error; } certFileSize = ftell(certFile); if (certFileSize < 0) { fclose(certFile); return CryptoX_Error; } certBuffer = (uint8*)malloc(certFileSize); if (fseek(certFile, 0, SEEK_SET)) { free(certBuffer); fclose(certFile); return CryptoX_Error; } uint readResult = fread(certBuffer, sizeof(uint8), certFileSize, certFile); if (readResult != certFileSize) { free(certBuffer); fclose(certFile); return CryptoX_Error; } fclose(certFile); CFDataRef certData = CFDataCreate(kCFAllocatorDefault, certBuffer, certFileSize); free(certBuffer); aCertData, aDataSize); if (!certData) { return CryptoX_Error; } Loading 
@@ -308,76 +278,16 @@ CryptoMac_LoadPublicKey(const unsigned char* aCertData, return CryptoX_Error; } SecKeyRef publicKey; OSStatus status = SecCertificateCopyPublicKey(cert, (SecKeyRef*)&publicKey); OSStatus status = SecCertificateCopyPublicKey(cert, (SecKeyRef*)aPublicKey); CFRelease(cert); if (status) { if (status != 0) { return CryptoX_Error; } *aPublicKey = (void*)publicKey; return CryptoX_Success; } CFURLRef url = CFURLCreateFromFileSystemRepresentation(kCFAllocatorDefault, aCertData, strlen((char*)aCertData), false); if (!url) { return CryptoX_Error; } CFReadStreamRef stream = CFReadStreamCreateWithFile(kCFAllocatorDefault, url); if (!stream) { CFRelease(url); return CryptoX_Error; } SecTransformRef readTransform = SecTransformCreateReadTransformWithReadStreamPtr(stream); if (!readTransform) { CFRelease(url); CFRelease(stream); return CryptoX_Error; } CFErrorRef error; CFDataRef tempCertData = (CFDataRef)SecTransformExecutePtr(readTransform, &error); if (!tempCertData || error) { CFRelease(url); CFRelease(stream); CFRelease(readTransform); return CryptoX_Error; } SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, tempCertData); if (!cert) { CFRelease(url); CFRelease(stream); CFRelease(readTransform); CFRelease(tempCertData); return CryptoX_Error; } CryptoX_Result result = CryptoX_Error; OSStatus status = SecCertificateCopyPublicKey(cert, (SecKeyRef*)aPublicKey); if (status == 0) { result = CryptoX_Success; } CFRelease(url); CFRelease(stream); CFRelease(readTransform); CFRelease(tempCertData); CFRelease(cert); return result; } CryptoX_Result CryptoMac_VerifySignature(CryptoX_SignatureHandle* aInputData, CryptoX_PublicKey* aPublicKey, Loading
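Review bot: In the last hunk of CryptoMac_LoadPublicKey, `SecCertificateCopyPublicKey(cert, (SecKeyRef*)aPublicKey)` now writes straight into the caller's out-parameter, so after a non-zero status `*aPublicKey` holds whatever the API left there; the removed code assigned it only after success. Since this key is what the MAR signature is later checked against, I would reset it on the error path: `if (status != 0) { *aPublicKey = NULL; return CryptoX_Error; }`. The cast also assumes CryptoX_PublicKey is pointer-sized, which the removed `(void*)publicKey` assignment suggests but the hunk does not show. Whether `certData` from `CFDataCreate` is released once the certificate is created falls in the collapsed lines between the hunks and is worth confirming.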
modules/libmar/verify/cryptox.h +2 −1 Original line number Diff line number Diff line Loading @@ -74,6 +74,7 @@ CryptoX_Result CryptoMac_VerifyBegin(CryptoX_SignatureHandle* aInputData); CryptoX_Result CryptoMac_VerifyUpdate(CryptoX_SignatureHandle* aInputData, void* aBuf, unsigned int aLen); CryptoX_Result CryptoMac_LoadPublicKey(const unsigned char* aCertData, unsigned int aDataSize, CryptoX_PublicKey* aPublicKey); CryptoX_Result CryptoMac_VerifySignature(CryptoX_SignatureHandle* aInputData, CryptoX_PublicKey* aPublicKey, Loading @@ -93,7 +94,7 @@ void CryptoMac_FreePublicKey(CryptoX_PublicKey* aPublicKey); CryptoMac_VerifyUpdate(aInputData, aBuf, aLen) #define CryptoX_LoadPublicKey(aProviderHandle, aCertData, aDataSize, \ aPublicKey) \ CryptoMac_LoadPublicKey(aCertData, aPublicKey) CryptoMac_LoadPublicKey(aCertData, aDataSize, aPublicKey) #define CryptoX_VerifySignature(aInputData, aPublicKey, aSignature, \ aSignatureLen) \ CryptoMac_VerifySignature(aInputData, aPublicKey, aSignature, aSignatureLen) Loading
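Review bot: The prototype of CryptoMac_LoadPublicKey keeps `const unsigned char* aCertData` while its meaning changes from a file path to the certificate bytes themselves, and nothing in the header records that. Because the `CryptoX_LoadPublicKey` macro already accepted `aDataSize` and previously dropped it, a caller that still passes a path and some length through the macro would compile unchanged and only fail at runtime. A comment on the declaration would make the contract explicit, for example `// aCertData points at the certificate bytes (no longer a file path); aDataSize is their length and must be non-zero.`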
toolkit/mozapps/update/updater/archivereader.cpp +5 −0 Original line number Diff line number Diff line Loading @@ -47,11 +47,16 @@ template<uint32_t SIZE> int VerifyLoadedCert(MarFile *archive, const uint8_t (&certData)[SIZE]) { (void)archive; (void)certData; #ifdef MOZ_VERIFY_MAR_SIGNATURE const uint32_t size = SIZE; const uint8_t* const data = &certData[0]; if (mar_verify_signatures(archive, &data, &size, 1)) { return CERT_VERIFY_ERROR; } #endif return OK; } Loading
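Review bot: With `MOZ_VERIFY_MAR_SIGNATURE` undefined, VerifyLoadedCert now falls through to `return OK` without looking at the archive, so a caller cannot tell a verified MAR from one processed by a build with verification compiled out. If that is intended for unsigned builds, say so where it happens, e.g. an `#else` branch carrying `// Signature verification is compiled out; OK here does not mean the archive was checked.` It is also worth confirming that release configurations always define the macro, since nothing in this file enforces it.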
toolkit/mozapps/update/updater/moz.build +11 −3 Original line number Diff line number Diff line Loading @@ -13,6 +13,12 @@ SOURCES += [ ] have_progressui = 0 if CONFIG['MOZ_VERIFY_MAR_SIGNATURE']: USE_LIBS += [ 'verifymar', ] if CONFIG['OS_ARCH'] == 'WINNT': have_progressui = 1 SOURCES += [ Loading @@ -32,7 +38,6 @@ if CONFIG['OS_ARCH'] == 'WINNT': ] USE_LIBS += [ 'updatecommon-standalone', 'verifymar', ] OS_LIBS += [ 'comctl32', Loading @@ -42,15 +47,18 @@ if CONFIG['OS_ARCH'] == 'WINNT': 'crypt32', 'advapi32', ] else: elif CONFIG['OS_ARCH'] == 'Linux': USE_LIBS += [ 'updatecommon', '/modules/libmar/sign/signmar', '/modules/libmar/sign/verifymar', '/security/nss/lib/nss/nss3', '/security/nss/lib/util/nssutil3', ] OS_LIBS += CONFIG['NSPR_LIBS'] else: USE_LIBS += [ 'updatecommon', ] USE_LIBS += [ 'mar', Loading
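Review bot: The NSS libraries are now linked only under `elif CONFIG['OS_ARCH'] == 'Linux':`, but updater.cpp in this same commit still includes `nss.h` and calls `NSS_NoDB_Init` for every target that is not `XP_WIN` or `XP_MACOSX`. Any other Unix-like target with `MOZ_VERIFY_MAR_SIGNATURE` set would therefore get `verifymar` and the NSS calls without `nss3`, `nssutil3` or `NSPR_LIBS`. Making the two conditions agree avoids that, for instance by giving the updatecommon-only branch an explicit macOS test (`elif CONFIG['OS_ARCH'] == 'Darwin':`) and leaving the NSS branch as the plain `else:`.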
toolkit/mozapps/update/updater/updater.cpp +4 −4 Original line number Diff line number Diff line Loading @@ -116,7 +116,7 @@ static bool sUseHardLinks = true; # define MAYBE_USE_HARD_LINKS 0 #endif #if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) #if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) && !defined(XP_MACOSX) #include "nss.h" #include "prerror.h" #endif Loading Loading @@ -2558,9 +2558,9 @@ int NS_main(int argc, NS_tchar **argv) } #endif #if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) // On Windows we rely on CyrptoAPI to do verifications so we don't need to // initialize NSS at all there. #if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) && !defined(XP_MACOSX) // On Windows and Mac we rely on native APIs to do verifications so we don't // need to initialize NSS at all there. // Otherwise, minimize the amount of NSS we depend on by avoiding all the NSS // databases. if (NSS_NoDB_Init(NULL) != SECSuccess) { Loading
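Review bot: The three-term guard `defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) && !defined(XP_MACOSX)` is now spelled out at both the include site and in NS_main, and any other NSS use in the file (not visible in these hunks) has to repeat it exactly. Defining it once near the top, for example `#define UPDATER_USES_NSS 1` under that condition (the name is only a suggestion), and testing that macro at each site would keep the include, the initialisation and any shutdown code in step with the build file. NS_main's body continues outside the hunk.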