From 40a355a42d4a9444dc753c04c6608dade2f06a23 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Fri, 19 Apr 2024 03:13:27 +0200
Subject: Adding upstream version 125.0.1.
Signed-off-by: Daniel Baumann
---
 security/certverifier/NSSCertDBTrustDomain.cpp | 42 +++-----------------------
 1 file changed, 5 insertions(+), 37 deletions(-)
(limited to 'security/certverifier/NSSCertDBTrustDomain.cpp')
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index 02a005f8b6..cfc17f46a7 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -861,10 +861,9 @@ Result NSSCertDBTrustDomain::CheckRevocationByOCSP(
 Result stapledOCSPResponseResult = Success;
 if (stapledOCSPResponse) {
 bool expired;
- uint32_t ageInHours;
 stapledOCSPResponseResult = VerifyAndMaybeCacheEncodedOCSPResponse(
 certID, time, maxOCSPLifetimeInDays, *stapledOCSPResponse,
- ResponseWasStapled, expired, ageInHours);
+ ResponseWasStapled, expired);
 Telemetry::AccumulateCategorical(
 Telemetry::LABELS_CERT_REVOCATION_MECHANISMS::StapledOCSP);
 if (stapledOCSPResponseResult == Success) {
@@ -1087,10 +1086,9 @@ Result NSSCertDBTrustDomain::SynchronousCheckRevocationWithServer(
 // or unknown certificate, PR_GetError() will return the appropriate error.
 // We actually ignore expired here.
 bool expired;
- uint32_t ageInHours;
- rv = VerifyAndMaybeCacheEncodedOCSPResponse(
- certID, time, maxOCSPLifetimeInDays, response, ResponseIsFromNetwork,
- expired, ageInHours);
+ rv = VerifyAndMaybeCacheEncodedOCSPResponse(certID, time,
+ maxOCSPLifetimeInDays, response,
+ ResponseIsFromNetwork, expired);
 // If the CRLite filter covers the certificate, compare the CRLite result
 // with the OCSP fetching result. OCSP may have succeeded, said the
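Review bot: `bool expired;` in CheckRevocationByOCSP is still handed to VerifyAndMaybeCacheEncodedOCSPResponse uninitialized, and with `ageInHours` removed it is now the only out-parameter of that call. Most of the callee's body is outside this diff, but the hunk at -1234 shows an early `return Result::FATAL_ERROR_LIBRARY_FAILURE;` inside it, so it cannot be confirmed from here that every return path writes `expired` before the caller reads it. Declaring it as `bool expired = false;` would keep the revocation decision from depending on an indeterminate value. The same one-line change fits the declaration in SynchronousCheckRevocationWithServer in the next hunk, where the comment says the value is ignored. Both functions start and end outside their hunks.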
@@ -1109,11 +1107,6 @@ Result NSSCertDBTrustDomain::SynchronousCheckRevocationWithServer(
 // CRLite says the certificate is revoked, but OCSP says it is OK.
 Telemetry::AccumulateCategorical(
 Telemetry::LABELS_CRLITE_VS_OCSP_RESULT::CRLiteRevOCSPOk);
-
- if (mCRLiteMode == CRLiteMode::ConfirmRevocations) {
- Telemetry::Accumulate(Telemetry::OCSP_AGE_AT_CRLITE_OVERRIDE,
- ageInHours);
- }
 }
 } else if (rv == Result::ERROR_REVOKED_CERTIFICATE) {
 if (crliteResult == Success) {
@@ -1209,8 +1202,7 @@ Result NSSCertDBTrustDomain::HandleOCSPFailure(
 Result NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
 const CertID& certID, Time time, uint16_t maxLifetimeInDays,
 Input encodedResponse, EncodedResponseSource responseSource,
- /*out*/ bool& expired,
- /*out*/ uint32_t& ageInHours) {
+ /*out*/ bool& expired) {
 Time thisUpdate(Time::uninitialized);
 Time validThrough(Time::uninitialized);
@@ -1234,30 +1226,6 @@ Result NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
 return Result::FATAL_ERROR_LIBRARY_FAILURE; // integer overflow
 }
 }
- // The `thisUpdate` field holds the latest time at which the server knew the
- // response was correct. The age of the response is the time that has elapsed
- // since. We only use this for the telemetry defined in Bug 1794479.
- uint64_t timeInSeconds;
- uint64_t thisUpdateInSeconds;
- uint64_t ageInSeconds;
- SecondsSinceEpochFromTime(time, &timeInSeconds);
- SecondsSinceEpochFromTime(thisUpdate, &thisUpdateInSeconds);
- if (timeInSeconds >= thisUpdateInSeconds) {
- ageInSeconds = timeInSeconds - thisUpdateInSeconds;
- // ageInHours is 32 bits because of the telemetry api.
- if (ageInSeconds > UINT32_MAX) {
- // We could divide by 3600 before checking the UINT32_MAX bound, but if
- // ageInSeconds is more than UINT32_MAX then there's been some sort of
- // error.
- ageInHours = UINT32_MAX;
- } else {
- // We start at 1 and divide with truncation to reserve ageInHours=0 for
- // the case where `thisUpdate` is in the future.
- ageInHours = 1 + ageInSeconds / (60 * 60);
- }
- } else {
- ageInHours = 0;
- }
 if (responseSource == ResponseIsFromNetwork || rv == Success ||
 rv == Result::ERROR_REVOKED_CERTIFICATE ||
 rv == Result::ERROR_OCSP_UNKNOWN_CERT) {
-- 
cgit v1.2.3