From 2a4827ea40d1e629318bcbb17ed07cc64a1431b5 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Mon, 16 Mar 2020 13:38:19 +0100 Subject: Issue #1467 - Part 1: Set up conditional NSS-SQL builds. - Adds buildconfig option --enable-nss-sqlstore - Prefixes NSS dbinit with either sql: or dbm: depending on config - Pre-initializes mozStorage when NSS-SQL storage is used to prevent an sqlite3_config race in NSS Init --- old-configure.in | 19 +++++++++++++++++++ security/certverifier/NSSCertDBTrustDomain.cpp | 5 +++++ security/manager/ssl/nsNSSComponent.cpp | 11 +++++++++++ 3 files changed, 35 insertions(+) diff --git a/old-configure.in b/old-configure.in index d438d9ea3..6c0b80d7b 100644 --- a/old-configure.in +++ b/old-configure.in @@ -2160,6 +2160,7 @@ MOZ_SERVICES_HEALTHREPORT=1 MOZ_SERVICES_SYNC=1 MOZ_USERINFO=1 NSS_DISABLE_DBM= +NSS_SQLSTORE= MOZ_MAILNEWS= MOZ_MAILNEWS_OAUTH2= MOZ_LDAP_XPCOM= @@ -2716,6 +2717,24 @@ fi AC_SUBST(NSS_DISABLE_DBM) +dnl ========================================================= +dnl = NSS SQL storage format +dnl ========================================================= +MOZ_ARG_ENABLE_BOOL(nss-sqlstore, +[ --enable-nss-sqlstore Enable the us of SQL storage for NSS], + NSS_SQLSTORE=1, + NSS_SQLSTORE=) + +if test -n "$NSS_DISABLE_DBM" -a -z "$NSS_SQLSTORE"; then + AC_MSG_ERROR([DBM storage support is required if not using NSS SQL storage]) +fi + +if test -n "$NSS_SQLSTORE"; then + AC_DEFINE(NSS_SQLSTORE) +fi + +AC_SUBST(NSS_SQLSTORE) + dnl ========================================================= dnl = Don't fold mailnews related comps into libXUL dnl ========================================================= diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp index 5e89c2484..2793fad48 100644 --- a/security/certverifier/NSSCertDBTrustDomain.cpp +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -1102,7 +1102,12 @@ InitializeNSS(const nsACString& dir, bool readOnly, bool loadPKCS11Modules) flags |= NSS_INIT_NOMODDB; } nsAutoCString dbTypeAndDirectory; +#ifdef NSS_SQLSTORE + // Not strictly necessary with current NSS versions, but can't hurt to be explicit. + dbTypeAndDirectory.Append("sql:"); +#else dbTypeAndDirectory.Append("dbm:"); +#endif dbTypeAndDirectory.Append(dir); return ::NSS_Initialize(dbTypeAndDirectory.get(), "", "", SECMOD_DB, flags); } diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp index dfff59da9..d505b8aba 100644 --- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -12,6 +12,9 @@ #include "SharedSSLState.h" #include "cert.h" #include "certdb.h" +#ifdef NSS_SQLSTORE +#include "mozStorageCID.h" +#endif #include "mozilla/ArrayUtils.h" #include "mozilla/Casting.h" #include "mozilla/Preferences.h" @@ -1970,6 +1973,14 @@ nsNSSComponent::Init() return NS_ERROR_NOT_SAME_THREAD; } +#ifdef NSS_SQLSTORE + // To avoid an sqlite3_config race in NSS init, we require the storage service to get initialized first. + nsCOMPtr storageService = do_GetService(MOZ_STORAGE_SERVICE_CONTRACTID); + if (!storageService) { + return NS_ERROR_NOT_AVAILABLE; + } +#endif + nsresult rv = NS_OK; MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Beginning NSS initialization\n")); -- cgit v1.2.3 From 6b3fbe9ef069d15e52bd44c72d59325d7873127c Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Tue, 17 Mar 2020 12:40:10 +0100 Subject: Issue #1467 - Part 1b: Fix type and make moz.configure happy. --- build/moz.configure/old.configure | 1 + old-configure.in | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/build/moz.configure/old.configure b/build/moz.configure/old.configure index 72c294706..cf224594a 100644 --- a/build/moz.configure/old.configure +++ b/build/moz.configure/old.configure @@ -204,6 +204,7 @@ def old_configure_options(*options): '--enable-negotiateauth', '--enable-nfc', '--enable-nspr-build', + '--enable-nss-sqlstore', '--enable-official-branding', '--enable-official-vendor', '--enable-oom-breakpoint', diff --git a/old-configure.in b/old-configure.in index 6c0b80d7b..1a2c32486 100644 --- a/old-configure.in +++ b/old-configure.in @@ -2721,7 +2721,7 @@ dnl ========================================================= dnl = NSS SQL storage format dnl ========================================================= MOZ_ARG_ENABLE_BOOL(nss-sqlstore, -[ --enable-nss-sqlstore Enable the us of SQL storage for NSS], +[ --enable-nss-sqlstore Enable the use of SQL storage for NSS], NSS_SQLSTORE=1, NSS_SQLSTORE=) -- cgit v1.2.3 From 09abc10635f7f2d5aa9d918386b8a34590b8443a Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Tue, 17 Mar 2020 13:33:03 +0100 Subject: Issue #1467 - Part 2: Make the PBKDF rounds adaptive to choice of NSS db --- toolkit/xre/nsAppRunner.cpp | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/toolkit/xre/nsAppRunner.cpp b/toolkit/xre/nsAppRunner.cpp index e3705a5c2..1f3615a6a 100644 --- a/toolkit/xre/nsAppRunner.cpp +++ b/toolkit/xre/nsAppRunner.cpp @@ -2781,19 +2781,26 @@ XREMain::XRE_mainInit(bool* aExitFlag) #endif SetupErrorHandling(gArgv[0]); - - // Set up environment for NSS DBM database + // Set up environment for NSS database choice +#ifndef NSS_DISABLE_DBM // Allow iteration counts in DBM mode SaveToEnv("NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT=1"); - // Set default Master Password rounds to a sane value for DBM which is slower - // than SQL for PBKDF. The NSS hard-coded default of 10,000 is too much. - // See also Bug 1606992 for perf issues. +#endif + #ifdef DEBUG + // Reduce the number of rounds for debug builds for perf/test reasons. SaveToEnv("NSS_MAX_MP_PBE_ITERATION_COUNT=15"); #else +#ifdef NSS_SQLSTORE + // We're using SQL; NSS's defaults for rounds are fine. +#else + // Set default Master Password rounds to a sane value for DBM which is slower + // than SQL for PBKDF. The NSS hard-coded default of 10,000 is too much. + // See also Bug 1606992 for perf issues. SaveToEnv("NSS_MAX_MP_PBE_ITERATION_COUNT=500"); #endif +#endif #ifdef CAIRO_HAS_DWRITE_FONT { -- cgit v1.2.3 From 6cbe27d1498666c410a3df1fe81b725f9a4056a0 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Tue, 17 Mar 2020 20:14:22 +0100 Subject: Issue #1467 - Part 3: Use UTF-8 file paths for NSS-SQL database. --- security/manager/ssl/nsNSSComponent.cpp | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp index d505b8aba..6d1e3c5f7 100644 --- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -1706,16 +1706,25 @@ GetNSSProfilePath(nsAutoCString& aProfilePath) } #if defined(XP_WIN) - // Native path will drop Unicode characters that cannot be mapped to system's - // codepage, using short (canonical) path as workaround. nsCOMPtr profileFileWin(do_QueryInterface(profileFile)); if (!profileFileWin) { MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("Could not get nsILocalFileWin for profile directory.\n")); return NS_ERROR_FAILURE; } +#ifdef NSS_SQLSTORE + // SQLite always takes UTF-8 file paths regardless of the current system + // code page. + nsAutoString u16ProfilePath; + rv = profileFileWin->GetCanonicalPath(u16ProfilePath); + CopyUTF16toUTF8(u16ProfilePath, aProfilePath); +#else + // Native path will drop Unicode characters that cannot be mapped to system's + // codepage, using short (canonical) path as workaround. rv = profileFileWin->GetNativeCanonicalPath(aProfilePath); +#endif #else + // On non-Windows, just get the native profile path. rv = profileFile->GetNativePath(aProfilePath); #endif -- cgit v1.2.3 From 6f1d8fcce1f064447ccf778ea9925efae95bb5fc Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 19 Mar 2020 23:01:29 +0100 Subject: Issue #1467 - Part 4: Rename NSS_SQLSTORE to MOZ_SECURITY_SQLSTORE. Rename the build config option accordingly. --- build/moz.configure/old.configure | 2 +- old-configure.in | 18 +++++++++--------- security/certverifier/NSSCertDBTrustDomain.cpp | 2 +- security/manager/ssl/nsNSSComponent.cpp | 6 +++--- toolkit/xre/nsAppRunner.cpp | 2 +- 5 files changed, 15 insertions(+), 15 deletions(-) diff --git a/build/moz.configure/old.configure b/build/moz.configure/old.configure index cf224594a..d0f6909b9 100644 --- a/build/moz.configure/old.configure +++ b/build/moz.configure/old.configure @@ -204,7 +204,6 @@ def old_configure_options(*options): '--enable-negotiateauth', '--enable-nfc', '--enable-nspr-build', - '--enable-nss-sqlstore', '--enable-official-branding', '--enable-official-vendor', '--enable-oom-breakpoint', @@ -224,6 +223,7 @@ def old_configure_options(*options): '--enable-release', '--enable-safe-browsing', '--enable-sandbox', + '--enable-security-sqlstore', '--enable-signmar', '--enable-simulator', '--enable-small-chunk-size', diff --git a/old-configure.in b/old-configure.in index 1a2c32486..86cf2ae18 100644 --- a/old-configure.in +++ b/old-configure.in @@ -2156,11 +2156,11 @@ MOZ_JETPACK=1 MOZ_DEVTOOLS_SERVER=1 MOZ_DEVTOOLS= MOZ_PLACES=1 +MOZ_SECURITY_SQLSTORE= MOZ_SERVICES_HEALTHREPORT=1 MOZ_SERVICES_SYNC=1 MOZ_USERINFO=1 NSS_DISABLE_DBM= -NSS_SQLSTORE= MOZ_MAILNEWS= MOZ_MAILNEWS_OAUTH2= MOZ_LDAP_XPCOM= @@ -2720,20 +2720,20 @@ AC_SUBST(NSS_DISABLE_DBM) dnl ========================================================= dnl = NSS SQL storage format dnl ========================================================= -MOZ_ARG_ENABLE_BOOL(nss-sqlstore, -[ --enable-nss-sqlstore Enable the use of SQL storage for NSS], - NSS_SQLSTORE=1, - NSS_SQLSTORE=) +MOZ_ARG_ENABLE_BOOL(security-sqlstore, +[ --enable-security-sqlstore Enable the use of SQL storage for NSS], + MOZ_SECURITY_SQLSTORE=1, + MOZ_SECURITY_SQLSTORE=) -if test -n "$NSS_DISABLE_DBM" -a -z "$NSS_SQLSTORE"; then +if test -n "$NSS_DISABLE_DBM" -a -z "$MOZ_SECURITY_SQLSTORE"; then AC_MSG_ERROR([DBM storage support is required if not using NSS SQL storage]) fi -if test -n "$NSS_SQLSTORE"; then - AC_DEFINE(NSS_SQLSTORE) +if test -n "$MOZ_SECURITY_SQLSTORE"; then + AC_DEFINE(MOZ_SECURITY_SQLSTORE) fi -AC_SUBST(NSS_SQLSTORE) +AC_SUBST(MOZ_SECURITY_SQLSTORE) dnl ========================================================= dnl = Don't fold mailnews related comps into libXUL diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp index 2793fad48..cf48f6392 100644 --- a/security/certverifier/NSSCertDBTrustDomain.cpp +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -1102,7 +1102,7 @@ InitializeNSS(const nsACString& dir, bool readOnly, bool loadPKCS11Modules) flags |= NSS_INIT_NOMODDB; } nsAutoCString dbTypeAndDirectory; -#ifdef NSS_SQLSTORE +#ifdef MOZ_SECURITY_SQLSTORE // Not strictly necessary with current NSS versions, but can't hurt to be explicit. dbTypeAndDirectory.Append("sql:"); #else diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp index 6d1e3c5f7..897b5743c 100644 --- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -12,7 +12,7 @@ #include "SharedSSLState.h" #include "cert.h" #include "certdb.h" -#ifdef NSS_SQLSTORE +#ifdef MOZ_SECURITY_SQLSTORE #include "mozStorageCID.h" #endif #include "mozilla/ArrayUtils.h" @@ -1712,7 +1712,7 @@ GetNSSProfilePath(nsAutoCString& aProfilePath) ("Could not get nsILocalFileWin for profile directory.\n")); return NS_ERROR_FAILURE; } -#ifdef NSS_SQLSTORE +#ifdef MOZ_SECURITY_SQLSTORE // SQLite always takes UTF-8 file paths regardless of the current system // code page. nsAutoString u16ProfilePath; @@ -1982,7 +1982,7 @@ nsNSSComponent::Init() return NS_ERROR_NOT_SAME_THREAD; } -#ifdef NSS_SQLSTORE +#ifdef MOZ_SECURITY_SQLSTORE // To avoid an sqlite3_config race in NSS init, we require the storage service to get initialized first. nsCOMPtr storageService = do_GetService(MOZ_STORAGE_SERVICE_CONTRACTID); if (!storageService) { diff --git a/toolkit/xre/nsAppRunner.cpp b/toolkit/xre/nsAppRunner.cpp index 1f3615a6a..55072c474 100644 --- a/toolkit/xre/nsAppRunner.cpp +++ b/toolkit/xre/nsAppRunner.cpp @@ -2792,7 +2792,7 @@ XREMain::XRE_mainInit(bool* aExitFlag) // Reduce the number of rounds for debug builds for perf/test reasons. SaveToEnv("NSS_MAX_MP_PBE_ITERATION_COUNT=15"); #else -#ifdef NSS_SQLSTORE +#ifdef MOZ_SECURITY_SQLSTORE // We're using SQL; NSS's defaults for rounds are fine. #else // Set default Master Password rounds to a sane value for DBM which is slower -- cgit v1.2.3