authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:14:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:14:29 +0000
commitfbaf0bb26397aa498eb9156f06d5a6fe34dd7dd8 (patch)
tree4c1ccaf5486d4f2009f9a338a98a83e886e29c97 /security/certverifier
parentReleasing progress-linux version 124.0.1-1~progress7.99u1. (diff)
Merging upstream version 125.0.1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/certverifier')
-rw-r--r--security/certverifier/NSSCertDBTrustDomain.cpp42
-rw-r--r--security/certverifier/NSSCertDBTrustDomain.h3
2 files changed, 6 insertions, 39 deletions
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index 02a005f8b6..cfc17f46a7 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -861,10 +861,9 @@ Result NSSCertDBTrustDomain::CheckRevocationByOCSP(
Result stapledOCSPResponseResult = Success;
if (stapledOCSPResponse) {
bool expired;
- uint32_t ageInHours;
stapledOCSPResponseResult = VerifyAndMaybeCacheEncodedOCSPResponse(
certID, time, maxOCSPLifetimeInDays, *stapledOCSPResponse,
- ResponseWasStapled, expired, ageInHours);
+ ResponseWasStapled, expired);
Telemetry::AccumulateCategorical(
Telemetry::LABELS_CERT_REVOCATION_MECHANISMS::StapledOCSP);
if (stapledOCSPResponseResult == Success) {
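Review bot: The rewritten call still receives `expired` as an out-reference while the local `bool expired;` two lines above it is left indeterminate, and nothing in the hunk shows that VerifyAndMaybeCacheEncodedOCSPResponse assigns it on every early-return path, so a later read of `expired` after a failed verification would be a read of an uninitialized value. Since the commit already touches both call sites, initialising the local is cheap insurance: `bool expired = false;` here, and the same at the `bool expired;` in the SynchronousCheckRevocationWithServer hunk below (where the comment says the value is ignored, so the change is purely defensive there). Whether the callee does set it unconditionally is not visible from this page; CheckRevocationByOCSP continues outside the hunk.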
@@ -1087,10 +1086,9 @@ Result NSSCertDBTrustDomain::SynchronousCheckRevocationWithServer(
// or unknown certificate, PR_GetError() will return the appropriate error.
// We actually ignore expired here.
bool expired;
- uint32_t ageInHours;
- rv = VerifyAndMaybeCacheEncodedOCSPResponse(
- certID, time, maxOCSPLifetimeInDays, response, ResponseIsFromNetwork,
- expired, ageInHours);
+ rv = VerifyAndMaybeCacheEncodedOCSPResponse(certID, time,
+ maxOCSPLifetimeInDays, response,
+ ResponseIsFromNetwork, expired);
// If the CRLite filter covers the certificate, compare the CRLite result
// with the OCSP fetching result. OCSP may have succeeded, said the
@@ -1109,11 +1107,6 @@ Result NSSCertDBTrustDomain::SynchronousCheckRevocationWithServer(
// CRLite says the certificate is revoked, but OCSP says it is OK.
Telemetry::AccumulateCategorical(
Telemetry::LABELS_CRLITE_VS_OCSP_RESULT::CRLiteRevOCSPOk);
-
- if (mCRLiteMode == CRLiteMode::ConfirmRevocations) {
- Telemetry::Accumulate(Telemetry::OCSP_AGE_AT_CRLITE_OVERRIDE,
- ageInHours);
- }
}
} else if (rv == Result::ERROR_REVOKED_CERTIFICATE) {
if (crliteResult == Success) {
@@ -1209,8 +1202,7 @@ Result NSSCertDBTrustDomain::HandleOCSPFailure(
Result NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
const CertID& certID, Time time, uint16_t maxLifetimeInDays,
Input encodedResponse, EncodedResponseSource responseSource,
- /*out*/ bool& expired,
- /*out*/ uint32_t& ageInHours) {
+ /*out*/ bool& expired) {
Time thisUpdate(Time::uninitialized);
Time validThrough(Time::uninitialized);
@@ -1234,30 +1226,6 @@ Result NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
return Result::FATAL_ERROR_LIBRARY_FAILURE; // integer overflow
}
}
- // The `thisUpdate` field holds the latest time at which the server knew the
- // response was correct. The age of the response is the time that has elapsed
- // since. We only use this for the telemetry defined in Bug 1794479.
- uint64_t timeInSeconds;
- uint64_t thisUpdateInSeconds;
- uint64_t ageInSeconds;
- SecondsSinceEpochFromTime(time, &timeInSeconds);
- SecondsSinceEpochFromTime(thisUpdate, &thisUpdateInSeconds);
- if (timeInSeconds >= thisUpdateInSeconds) {
- ageInSeconds = timeInSeconds - thisUpdateInSeconds;
- // ageInHours is 32 bits because of the telemetry api.
- if (ageInSeconds > UINT32_MAX) {
- // We could divide by 3600 before checking the UINT32_MAX bound, but if
- // ageInSeconds is more than UINT32_MAX then there's been some sort of
- // error.
- ageInHours = UINT32_MAX;
- } else {
- // We start at 1 and divide with truncation to reserve ageInHours=0 for
- // the case where `thisUpdate` is in the future.
- ageInHours = 1 + ageInSeconds / (60 * 60);
- }
- } else {
- ageInHours = 0;
- }
if (responseSource == ResponseIsFromNetwork || rv == Success ||
rv == Result::ERROR_REVOKED_CERTIFICATE ||
rv == Result::ERROR_OCSP_UNKNOWN_CERT) {
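Review bot: The removed block held the only visible callers of `SecondsSinceEpochFromTime` in this file, so that helper may now be unused unless something outside these hunks still calls it; if it is a file-local function it should be removed in the same change rather than left as dead code that a future telemetry probe might resurrect without the UINT32_MAX guard the deleted code carried. This is an inference from the hunk only, since the helper's definition and any other call sites are outside the view. VerifyAndMaybeCacheEncodedOCSPResponse continues outside the hunk.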
diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h
index 129efd075f..a219082339 100644
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -272,8 +272,7 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
Result VerifyAndMaybeCacheEncodedOCSPResponse(
const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
uint16_t maxLifetimeInDays, mozilla::pkix::Input encodedResponse,
- EncodedResponseSource responseSource, /*out*/ bool& expired,
- /*out*/ uint32_t& ageInHours);
+ EncodedResponseSource responseSource, /*out*/ bool& expired);
TimeDuration GetOCSPTimeout() const;
Result CheckRevocationByCRLite(const mozilla::pkix::CertID& certID,
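Review bot: The declaration on the new side still documents `expired` only with the `/*out*/` marker, and no comment is visible above `Result VerifyAndMaybeCacheEncodedOCSPResponse(` stating on which return paths the parameter is assigned; with `ageInHours` gone this is the function's single out-parameter, so its contract deserves a line. Suggest a short comment above the declaration naming what `encodedResponse` is checked against, what the `Result` codes mean for caching (the .cpp hunk shows caching keyed on `responseSource == ResponseIsFromNetwork` or on `Success`, `ERROR_REVOKED_CERTIFICATE`, `ERROR_OCSP_UNKNOWN_CERT`), and whether `expired` is written on failure — the last point should be verified against the definition before being stated as fact. The enclosing class continues outside the hunk.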