author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 01:14:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 01:14:29 +0000 |
commit | fbaf0bb26397aa498eb9156f06d5a6fe34dd7dd8 (patch) | |
tree | 4c1ccaf5486d4f2009f9a338a98a83e886e29c97 /security/certverifier | |
parent | Releasing progress-linux version 124.0.1-1~progress7.99u1. (diff) | |
Merging upstream version 125.0.1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/certverifier')
-rw-r--r-- | security/certverifier/NSSCertDBTrustDomain.cpp | 42 | ||||
-rw-r--r-- | security/certverifier/NSSCertDBTrustDomain.h | 3 |
2 files changed, 6 insertions, 39 deletions
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index 02a005f8b6..cfc17f46a7 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -861,10 +861,9 @@ Result NSSCertDBTrustDomain::CheckRevocationByOCSP(
   Result stapledOCSPResponseResult = Success;
   if (stapledOCSPResponse) {
     bool expired;
-    uint32_t ageInHours;
     stapledOCSPResponseResult = VerifyAndMaybeCacheEncodedOCSPResponse(
         certID, time, maxOCSPLifetimeInDays, *stapledOCSPResponse,
-        ResponseWasStapled, expired, ageInHours);
+        ResponseWasStapled, expired);
     Telemetry::AccumulateCategorical(
         Telemetry::LABELS_CERT_REVOCATION_MECHANISMS::StapledOCSP);
     if (stapledOCSPResponseResult == Success) {
@@ -1087,10 +1086,9 @@ Result NSSCertDBTrustDomain::SynchronousCheckRevocationWithServer(
   // or unknown certificate, PR_GetError() will return the appropriate error.
   // We actually ignore expired here.
   bool expired;
-  uint32_t ageInHours;
-  rv = VerifyAndMaybeCacheEncodedOCSPResponse(
-      certID, time, maxOCSPLifetimeInDays, response, ResponseIsFromNetwork,
-      expired, ageInHours);
+  rv = VerifyAndMaybeCacheEncodedOCSPResponse(certID, time,
+                                              maxOCSPLifetimeInDays, response,
+                                              ResponseIsFromNetwork, expired);
 
   // If the CRLite filter covers the certificate, compare the CRLite result
   // with the OCSP fetching result. OCSP may have succeeded, said the
@@ -1109,11 +1107,6 @@ Result NSSCertDBTrustDomain::SynchronousCheckRevocationWithServer(
       // CRLite says the certificate is revoked, but OCSP says it is OK.
       Telemetry::AccumulateCategorical(
           Telemetry::LABELS_CRLITE_VS_OCSP_RESULT::CRLiteRevOCSPOk);
-
-      if (mCRLiteMode == CRLiteMode::ConfirmRevocations) {
-        Telemetry::Accumulate(Telemetry::OCSP_AGE_AT_CRLITE_OVERRIDE,
-                              ageInHours);
-      }
     }
   } else if (rv == Result::ERROR_REVOKED_CERTIFICATE) {
     if (crliteResult == Success) {
@@ -1209,8 +1202,7 @@ Result NSSCertDBTrustDomain::HandleOCSPFailure(
 Result NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
     const CertID& certID, Time time, uint16_t maxLifetimeInDays,
     Input encodedResponse, EncodedResponseSource responseSource,
-    /*out*/ bool& expired,
-    /*out*/ uint32_t& ageInHours) {
+    /*out*/ bool& expired) {
   Time thisUpdate(Time::uninitialized);
   Time validThrough(Time::uninitialized);
 
@@ -1234,30 +1226,6 @@ Result NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
       return Result::FATAL_ERROR_LIBRARY_FAILURE;  // integer overflow
     }
   }
-  // The `thisUpdate` field holds the latest time at which the server knew the
-  // response was correct. The age of the response is the time that has elapsed
-  // since. We only use this for the telemetry defined in Bug 1794479.
-  uint64_t timeInSeconds;
-  uint64_t thisUpdateInSeconds;
-  uint64_t ageInSeconds;
-  SecondsSinceEpochFromTime(time, &timeInSeconds);
-  SecondsSinceEpochFromTime(thisUpdate, &thisUpdateInSeconds);
-  if (timeInSeconds >= thisUpdateInSeconds) {
-    ageInSeconds = timeInSeconds - thisUpdateInSeconds;
-    // ageInHours is 32 bits because of the telemetry api.
-    if (ageInSeconds > UINT32_MAX) {
-      // We could divide by 3600 before checking the UINT32_MAX bound, but if
-      // ageInSeconds is more than UINT32_MAX then there's been some sort of
-      // error.
-      ageInHours = UINT32_MAX;
-    } else {
-      // We start at 1 and divide with truncation to reserve ageInHours=0 for
-      // the case where `thisUpdate` is in the future.
-      ageInHours = 1 + ageInSeconds / (60 * 60);
-    }
-  } else {
-    ageInHours = 0;
-  }
   if (responseSource == ResponseIsFromNetwork || rv == Success ||
       rv == Result::ERROR_REVOKED_CERTIFICATE ||
       rv == Result::ERROR_OCSP_UNKNOWN_CERT) {
diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h
index 129efd075f..a219082339 100644
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
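Review bot: After the age computation is dropped from VerifyAndMaybeCacheEncodedOCSPResponse, `SecondsSinceEpochFromTime` has no remaining caller in any visible hunk; if it is a file-local (static or anonymous-namespace) helper in this translation unit, it is now dead code and will trip -Wunused-function, so it should either be removed in the same change or confirmed to still be used by code outside these hunks. The `thisUpdate` and `validThrough` locals declared at the top of the function remain, presumably because the caching path still needs them; the body continues past the hunk, so that cannot be verified here. The retired probe `OCSP_AGE_AT_CRLITE_OVERRIDE` is not touched by this diffstat (limited to security/certverifier), so its histogram definition is presumably retired in a sibling change worth cross-referencing in the commit message.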
@@ -272,8 +272,7 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
   Result VerifyAndMaybeCacheEncodedOCSPResponse(
       const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
       uint16_t maxLifetimeInDays, mozilla::pkix::Input encodedResponse,
-      EncodedResponseSource responseSource, /*out*/ bool& expired,
-      /*out*/ uint32_t& ageInHours);
+      EncodedResponseSource responseSource, /*out*/ bool& expired);
   TimeDuration GetOCSPTimeout() const;
 
   Result CheckRevocationByCRLite(const mozilla::pkix::CertID& certID,