Backed out changeset c966b16e4fb5

--HG--
extra : rebase_source : 4b3f5af10951cf33c70f459a5043075bb946ccb4
Brian Smith 2012-11-30 19:37:39 -08:00
Родитель b01adc0cab
Коммит 6f43374e85
19 изменённых файлов: 379 добавлений и 190 удалений


@ -111,7 +111,6 @@
#include "nsServiceManagerUtils.h"
#include "nsIConsoleService.h"
#include "PSMRunnable.h"
#include "ScopedNSSTypes.h"
#include "ssl.h"
#include "secerr.h"
@ -128,6 +127,7 @@ namespace {
NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NSSCleanupAutoPtrClass_WithParam(PLArenaPool, PORT_FreeArena, FalseParam, false)
// do not use a nsCOMPtr to avoid static initializer/destructor
@ -615,9 +615,11 @@ private:
SSLServerCertVerificationJob(const void * fdForLogging,
TransportSecurityInfo * infoObject,
CERTCertificate * cert);
~SSLServerCertVerificationJob();
const void * const mFdForLogging;
const RefPtr<TransportSecurityInfo> mInfoObject;
const ScopedCERTCertificate mCert;
CERTCertificate * const mCert;
};
SSLServerCertVerificationJob::SSLServerCertVerificationJob(
@ -629,6 +631,11 @@ SSLServerCertVerificationJob::SSLServerCertVerificationJob(
{
}
SSLServerCertVerificationJob::~SSLServerCertVerificationJob()
{
CERT_DestroyCertificate(mCert);
}
SECStatus
PSM_SSL_PKIX_AuthCertificate(CERTCertificate *peerCert, void * pinarg,
const char * hostname)
@ -811,9 +818,10 @@ BlockServerCertChangeForSpdy(nsNSSSocketInfo *infoObject,
" Assuming spdy.\n"));
// Check to see if the cert has actually changed
ScopedCERTCertificate c(cert2->GetCert());
CERTCertificate * c = cert2->GetCert();
NS_ASSERTION(c, "very bad and hopefully impossible state");
bool sameCert = CERT_CompareCerts(c, serverCert);
CERT_DestroyCertificate(c);
if (sameCert)
return SECSuccess;
@ -879,8 +887,8 @@ AuthCertificate(TransportSecurityInfo * infoObject, CERTCertificate * cert)
nsc = nsNSSCertificate::Create(cert);
}
ScopedCERTCertList certList(CERT_GetCertChainFromCert(cert, PR_Now(),
certUsageSSLCA));
CERTCertList *certList = nullptr;
certList = CERT_GetCertChainFromCert(cert, PR_Now(), certUsageSSLCA);
if (!certList) {
rv = SECFailure;
} else {
@ -935,15 +943,20 @@ AuthCertificate(TransportSecurityInfo * infoObject, CERTCertificate * cert)
// We have found a signer cert that we want to remember.
char* nickname = nsNSSCertificate::defaultServerNickname(node->cert);
if (nickname && *nickname) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
PK11SlotInfo *slot = PK11_GetInternalKeySlot();
if (slot) {
PK11_ImportCert(slot, node->cert, CK_INVALID_HANDLE,
nickname, false);
PK11_FreeSlot(slot);
}
}
PR_FREEIF(nickname);
}
if (certList) {
CERT_DestroyCertList(certList);
}
// The connection may get terminated, for example, if the server requires
// a client cert. Let's provide a minimal SSLStatus
// to the caller that contains at least the cert and its status.
@ -1112,7 +1125,8 @@ AuthCertificateHook(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
socketInfo->SetFirstServerHelloReceived();
}
ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
CERTCertificate *serverCert = SSL_PeerCertificate(fd);
CERTCertificateCleaner serverCertCleaner(serverCert);
if (!checkSig || isServer || !socketInfo || !serverCert) {
PR_SetError(PR_INVALID_STATE_ERROR, 0);
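Review bot: In BlockServerCertChangeForSpdy the result of `cert2->GetCert()` is covered only by `NS_ASSERTION`, which is a debug-build check, so in a release build a null `c` would go straight into `CERT_CompareCerts`. Because this comparison decides whether a changed server certificate is tolerated, a missing certificate should count as a mismatch: `bool sameCert = c && CERT_CompareCerts(c, serverCert);`, with `CERT_DestroyCertificate(c)` guarded by `if (c)` like the other raw-pointer call sites in this commit. The function body continues outside the hunk, so the mismatch path itself is not visible here.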


@ -15,10 +15,10 @@
#include "nsIObjectInputStream.h"
#include "nsIObjectOutputStream.h"
#include "nsNSSCertHelper.h"
#include "nsNSSCleaner.h"
#include "nsIProgrammingLanguage.h"
#include "nsIArray.h"
#include "PSMRunnable.h"
#include "ScopedNSSTypes.h"
#include "secerr.h"
@ -34,6 +34,8 @@
namespace {
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
} // unnamed namespace
@ -778,7 +780,8 @@ AppendErrorTextMismatch(const nsString &host,
const PRUnichar *params[1];
nsresult rv;
ScopedCERTCertificate nssCert;
CERTCertificate *nssCert = nullptr;
CERTCertificateCleaner nssCertCleaner(nssCert);
nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(ix509, &rv);
if (cert2)


@ -14,10 +14,10 @@
#include "nsArrayUtils.h"
#include "nsCertVerificationThread.h"
#include "nsCERTValInParamWrapper.h"
#include "ScopedNSSTypes.h"
#include "prlog.h"
#include "nsNSSCleaner.h"
#include "nsNSSComponent.h"
#ifdef PR_LOGGING
@ -28,6 +28,8 @@ using namespace mozilla;
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NS_IMPL_THREADSAFE_ISUPPORTS2(nsCMSMessage, nsICMSMessage,
nsICMSMessage2)
@ -538,7 +540,8 @@ NS_IMETHODIMP nsCMSMessage::CreateEncrypted(nsIArray * aRecipientCerts)
if (!nssRecipientCert)
return NS_ERROR_FAILURE;
ScopedCERTCertificate c(nssRecipientCert->GetCert());
CERTCertificate *c = nssRecipientCert->GetCert();
CERTCertificateCleaner rcCleaner(c);
recipientCerts.set(i, c);
}
@ -576,7 +579,8 @@ NS_IMETHODIMP nsCMSMessage::CreateEncrypted(nsIArray * aRecipientCerts)
// Create and attach recipient information //
for (i=0; i < recipientCertCount; i++) {
ScopedCERTCertificate rc(recipientCerts.get(i));
CERTCertificate *rc = recipientCerts.get(i);
CERTCertificateCleaner rcCleaner(rc);
if ((recipientInfo = NSS_CMSRecipientInfo_Create(m_cmsMsg, rc)) == nullptr) {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't create recipient info\n"));
goto loser;
@ -607,8 +611,7 @@ NS_IMETHODIMP nsCMSMessage::CreateSigned(nsIX509Cert* aSigningCert, nsIX509Cert*
NSSCMSContentInfo *cinfo;
NSSCMSSignedData *sigd;
NSSCMSSignerInfo *signerinfo;
ScopedCERTCertificate scert;
ScopedCERTCertificate ecert;
CERTCertificate *scert = nullptr, *ecert = nullptr;
nsCOMPtr<nsIX509Cert2> aSigningCert2 = do_QueryInterface(aSigningCert);
nsresult rv = NS_ERROR_FAILURE;
@ -627,6 +630,9 @@ NS_IMETHODIMP nsCMSMessage::CreateSigned(nsIX509Cert* aSigningCert, nsIX509Cert*
}
}
CERTCertificateCleaner ecertCleaner(ecert);
CERTCertificateCleaner scertCleaner(scert);
/*
* create the message object
*/
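Review bot: In nsCMSMessage::CreateEncrypted the cleaner releases `c` at the end of each loop iteration right after `recipientCerts.set(i, c)`, and the second loop releases whatever `recipientCerts.get(i)` returns; this is balanced only if `set()` takes its own reference and `get()` hands back an owned one, neither of which is visible in these hunks. If either side stores or returns a borrowed pointer, the array would hold or re-free a destroyed certificate, so once the contract is confirmed a short comment at each site (for example `// set() keeps its own reference; ours is released by rcCleaner`) would make it checkable. In CreateSigned, `ecertCleaner` and `scertCleaner` are declared well after `scert` and `ecert` are assigned; declaring them directly under `CERTCertificate *scert = nullptr, *ecert = nullptr;`, as the other files in this commit do, would keep any early return in between from leaking.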


@ -18,14 +18,15 @@
#include "nsPromiseFlatString.h"
#include "nsThreadUtils.h"
#include "nsStringBuffer.h"
#include "ScopedNSSTypes.h"
#include "nspr.h"
#include "pk11pub.h"
#include "certdb.h"
#include "sechash.h"
#include "ssl.h" // For SSL_ClearSessionCache
#include "nsNSSCleaner.h"
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
using namespace mozilla;
static const char kCertOverrideFileName[] = "cert_override.txt";
@ -413,10 +414,11 @@ GetCertFingerprintByOidTag(nsIX509Cert *aCert,
if (!cert2)
return NS_ERROR_FAILURE;
ScopedCERTCertificate nsscert(cert2->GetCert());
CERTCertificate* nsscert = cert2->GetCert();
if (!nsscert)
return NS_ERROR_FAILURE;
CERTCertificateCleaner nsscertCleaner(nsscert);
return GetCertFingerprintByOidTag(nsscert, aOidTag, fp);
}
@ -451,10 +453,11 @@ GetCertFingerprintByDottedOidString(nsIX509Cert *aCert,
if (!cert2)
return NS_ERROR_FAILURE;
ScopedCERTCertificate nsscert(cert2->GetCert());
CERTCertificate* nsscert = cert2->GetCert();
if (!nsscert)
return NS_ERROR_FAILURE;
CERTCertificateCleaner nsscertCleaner(nsscert);
return GetCertFingerprintByDottedOidString(nsscert, dottedOid, fp);
}
@ -474,14 +477,16 @@ nsCertOverrideService::RememberValidityOverride(const nsACString & aHostName, in
if (!cert2)
return NS_ERROR_FAILURE;
ScopedCERTCertificate nsscert(cert2->GetCert());
CERTCertificate* nsscert = cert2->GetCert();
if (!nsscert)
return NS_ERROR_FAILURE;
CERTCertificateCleaner nsscertCleaner(nsscert);
char* nickname = nsNSSCertificate::defaultServerNickname(nsscert);
if (!aTemporary && nickname && *nickname)
{
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
PK11SlotInfo *slot = PK11_GetInternalKeySlot();
if (!slot) {
PR_Free(nickname);
return NS_ERROR_FAILURE;
@ -489,6 +494,8 @@ nsCertOverrideService::RememberValidityOverride(const nsACString & aHostName, in
SECStatus srv = PK11_ImportCert(slot, nsscert, CK_INVALID_HANDLE,
nickname, false);
PK11_FreeSlot(slot);
if (srv != SECSuccess) {
PR_Free(nickname);
return NS_ERROR_FAILURE;


@ -11,15 +11,16 @@
#include "nsNSSComponent.h"
#include "nsNSSCertificate.h"
#include "nsReadableUtils.h"
#include "nsNSSCleaner.h"
#include "nsICertPickDialogs.h"
#include "nsNSSShutDown.h"
#include "nsNSSCertHelper.h"
#include "ScopedNSSTypes.h"
NSSCleanupAutoPtrClass(CERTCertNicknames, CERT_FreeNicknames)
NSSCleanupAutoPtrClass(CERTCertList, CERT_DestroyCertList)
#include "cert.h"
using namespace mozilla;
NS_IMPL_ISUPPORTS1(nsCertPicker, nsIUserCertPicker)
nsCertPicker::nsCertPicker()
@ -48,24 +49,31 @@ NS_IMETHODIMP nsCertPicker::PickByUsage(nsIInterfaceRequestor *ctx,
{
// Iterate over all certs. This assures that user is logged in to all hardware tokens.
CERTCertList *allcerts = nullptr;
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
ScopedCERTCertList allcerts(PK11_ListCerts(PK11CertListUnique, ctx));
allcerts = PK11_ListCerts(PK11CertListUnique, ctx);
CERT_DestroyCertList(allcerts);
}
/* find all user certs that are valid and for SSL */
/* note that we are allowing expired certs in this list */
ScopedCERTCertList certList(
CERTCertList *certList =
CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(),
(SECCertUsage)certUsage,
!allowDuplicateNicknames,
!allowInvalid,
ctx));
ctx);
CERTCertListCleaner clc(certList);
if (!certList) {
return NS_ERROR_NOT_AVAILABLE;
}
ScopedCERTCertNicknames nicknames(getNSSCertNicknamesFromCertList(certList));
CERTCertNicknames *nicknames = getNSSCertNicknamesFromCertList(certList);
CERTCertNicknamesCleaner cnc(nicknames);
if (!nicknames) {
return NS_ERROR_NOT_AVAILABLE;
}
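Review bot: In nsCertPicker::PickByUsage the result of `PK11_ListCerts` is handed to `CERT_DestroyCertList` without a null check, whereas the other raw-pointer call sites in this commit test the list before destroying it. `PK11_ListCerts` can return null on failure, and `CERT_DestroyCertList` walks the list it is given, so a failed listing would dereference a null pointer here. The call should read `if (allcerts) CERT_DestroyCertList(allcerts);`, or use the `CERTCertListCleaner` this file already declares.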


@ -20,9 +20,9 @@
#include "nsXPCOMCID.h"
#include "nsTHashtable.h"
#include "nsHashKeys.h"
#include "ScopedNSSTypes.h"
#include "prlog.h"
#include "nsNSSCleaner.h"
using namespace mozilla;
@ -30,6 +30,8 @@ using namespace mozilla;
extern PRLogModuleInfo* gPIPNSSLog;
#endif
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
static NS_DEFINE_CID(kCertOverrideCID, NS_CERTOVERRIDE_CID);
@ -639,9 +641,12 @@ nsCertTree::GetCertsByType(uint32_t aType,
void *aCertCmpFnArg)
{
nsNSSShutDownPreventionLock locker;
CERTCertList *certList = nullptr;
nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
ScopedCERTCertList certList(PK11_ListCerts(PK11CertListUnique, cxt));
certList = PK11_ListCerts(PK11CertListUnique, cxt);
nsresult rv = GetCertsByTypeFromCertList(certList, aType, aCertCmpFn, aCertCmpFnArg);
if (certList)
CERT_DestroyCertList(certList);
return rv;
}
@ -810,7 +815,8 @@ nsCertTree::DeleteEntryObject(uint32_t index)
// although there are still overrides stored,
// so, we keep the cert, but remove the trust
ScopedCERTCertificate nsscert;
CERTCertificate *nsscert = nullptr;
CERTCertificateCleaner nsscertCleaner(nsscert);
nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(cert);
if (cert2) {


@ -22,8 +22,12 @@
#include "certdb.h"
#include "sechash.h"
#include "nsNSSCleaner.h"
using namespace mozilla;
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NS_IMPL_THREADSAFE_ISUPPORTS2(nsClientAuthRememberService,
nsIObserver,
nsISupportsWeakReference)


@ -59,7 +59,6 @@
#include "secmod.h"
#include "nsISaveAsCharset.h"
#include "nsNativeCharsetUtils.h"
#include "ScopedNSSTypes.h"
#include "ssl.h" // For SSL_ClearSessionCache
@ -70,7 +69,12 @@
using namespace mozilla;
NSSCleanupAutoPtrClass(SECKEYPrivateKey, SECKEY_DestroyPrivateKey)
NSSCleanupAutoPtrClass(PK11SlotInfo, PK11_FreeSlot)
NSSCleanupAutoPtrClass(CERTCertNicknames, CERT_FreeNicknames)
NSSCleanupAutoPtrClass(PK11SymKey, PK11_FreeSymKey)
NSSCleanupAutoPtrClass_WithParam(PK11Context, PK11_DestroyContext, TrueParam, true)
NSSCleanupAutoPtrClass_WithParam(SECItem, SECITEM_FreeItem, TrueParam, true)
/*
* These are the most common error strings that are returned
@ -694,7 +698,8 @@ cryptojs_generateOneKeyPair(JSContext *cx, nsKeyPairInfo *keyPairInfo,
// user's key3.db file. Which the slot returned by
// PK11_GetInternalKeySlot has access to and PK11_GetInternalSlot
// does not.
ScopedPK11SlotInfo intSlot;
PK11SlotInfo *intSlot = nullptr;
PK11SlotInfoCleaner siCleaner(intSlot);
if (willEscrow && !PK11_IsInternal(slot)) {
intSlot = PK11_GetInternalSlot();
@ -702,6 +707,7 @@ cryptojs_generateOneKeyPair(JSContext *cx, nsKeyPairInfo *keyPairInfo,
if (!PK11_DoesMechanism(intSlot, mechanism)) {
// Set to null, and the subsequent code will not attempt to use it.
PK11_FreeSlot(intSlot);
intSlot = nullptr;
}
}
@ -826,17 +832,23 @@ cryptojs_generateOneKeyPair(JSContext *cx, nsKeyPairInfo *keyPairInfo,
//If we generated the key pair on the internal slot because the
// keys were going to be escrowed, move the keys over right now.
if (mustMoveKey) {
ScopedSECKEYPrivateKey newPrivKey(PK11_LoadPrivKey(slot,
SECKEYPrivateKey *newPrivKey = PK11_LoadPrivKey(slot,
keyPairInfo->privKey,
keyPairInfo->pubKey,
true, true));
true, true);
SECKEYPrivateKeyCleaner pkCleaner(newPrivKey);
if (!newPrivKey)
return NS_ERROR_FAILURE;
// The private key is stored on the selected slot now, and the copy we
// ultimately use for escrowing when the time comes lives
// in the internal slot. We will delete it from that slot
// after the requests are made.
// after the requests are made. This call only gives up
// our reference to the key object and does not actually
// physically remove it from the card itself.
// The actual delete calls are being made in the destructors
// of the cleaner helper instances.
}
return NS_OK;
@ -1001,12 +1013,13 @@ nsSetEscrowAuthority(CRMFCertRequest *certReq, nsKeyPairInfo *keyInfo,
CRMF_CertRequestIsControlPresent(certReq, crmfPKIArchiveOptionsControl)){
return NS_ERROR_FAILURE;
}
ScopedCERTCertificate cert(wrappingCert->GetCert());
CERTCertificate *cert = wrappingCert->GetCert();
if (!cert)
return NS_ERROR_FAILURE;
CRMFEncryptedKey *encrKey =
CRMF_CreateEncryptedKeyWithEncryptedValue(keyInfo->privKey, cert);
CERT_DestroyCertificate(cert);
if (!encrKey)
return NS_ERROR_FAILURE;
@ -1033,13 +1046,14 @@ nsSetDNForRequest(CRMFCertRequest *certReq, char *reqDN)
if (!reqDN || CRMF_CertRequestIsFieldPresent(certReq, crmfSubject)) {
return NS_ERROR_FAILURE;
}
ScopedCERTName subjectName(CERT_AsciiToName(reqDN));
CERTName *subjectName = CERT_AsciiToName(reqDN);
if (!subjectName) {
return NS_ERROR_FAILURE;
}
SECStatus srv = CRMF_CertRequestSetTemplateField(certReq, crmfSubject,
static_cast<void*>
(subjectName));
CERT_DestroyName(subjectName);
return (srv == SECSuccess) ? NS_OK : NS_ERROR_FAILURE;
}
@ -1474,7 +1488,8 @@ nsSet_EC_DHMAC_ProofOfPossession(CRMFCertReqMsg *certReqMsg,
// allows multiple requests to be sent in one step.
unsigned long der_request_len = 0;
ScopedSECItem der_request;
SECItem *der_request = nullptr;
SECItemCleanerTrueParam der_request_cleaner(der_request);
if (SECSuccess != CRMF_EncodeCertRequest(certReq,
nsCRMFEncoderItemCount,
@ -1501,10 +1516,17 @@ nsSet_EC_DHMAC_ProofOfPossession(CRMFCertReqMsg *certReqMsg,
// issuer names in the CA's certificate as follows:
// K = SHA1(DER-encoded-subjectName | Kec | DER-encoded-issuerName)"
ScopedPK11SymKey shared_secret;
ScopedPK11SymKey subject_and_secret;
ScopedPK11SymKey subject_and_secret_and_issuer;
ScopedPK11SymKey sha1_of_subject_and_secret_and_issuer;
PK11SymKey *shared_secret = nullptr;
PK11SymKeyCleaner shared_secret_cleaner(shared_secret);
PK11SymKey *subject_and_secret = nullptr;
PK11SymKeyCleaner subject_and_secret_cleaner(subject_and_secret);
PK11SymKey *subject_and_secret_and_issuer = nullptr;
PK11SymKeyCleaner subject_and_secret_and_issuer_cleaner(subject_and_secret_and_issuer);
PK11SymKey *sha1_of_subject_and_secret_and_issuer = nullptr;
PK11SymKeyCleaner sha1_of_subject_and_secret_and_issuer_cleaner(sha1_of_subject_and_secret_and_issuer);
shared_secret =
PK11_PubDeriveWithKDF(keyInfo->privKey, // SECKEYPrivateKey *privKey
@ -1593,18 +1615,23 @@ nsSet_EC_DHMAC_ProofOfPossession(CRMFCertReqMsg *certReqMsg,
PK11_DigestOp(context, der_request->data, der_request->len))
return NS_ERROR_FAILURE;
ScopedAutoSECItem result_hmac_sha1_item(SHA1_LENGTH);
SECItem *result_hmac_sha1_item = nullptr;
SECItemCleanerTrueParam result_hmac_sha1_item_cleaner(result_hmac_sha1_item);
result_hmac_sha1_item = SECITEM_AllocItem(nullptr, nullptr, SHA1_LENGTH);
if (!result_hmac_sha1_item)
return NS_ERROR_FAILURE;
if (SECSuccess !=
PK11_DigestFinal(context,
result_hmac_sha1_item.data,
&result_hmac_sha1_item.len,
result_hmac_sha1_item->data,
&result_hmac_sha1_item->len,
SHA1_LENGTH))
return NS_ERROR_FAILURE;
if (SECSuccess !=
CRMF_CertReqMsgSetKeyAgreementPOP(certReqMsg, crmfDHMAC,
crmfNoSubseqMess, &result_hmac_sha1_item))
crmfNoSubseqMess, result_hmac_sha1_item))
return NS_ERROR_FAILURE;
return NS_OK;
@ -1923,13 +1950,14 @@ nsCrypto::GenerateCRMFRequest(nsIDOMCRMFObject** aReturn)
if (srv != SECSuccess) {
return NS_ERROR_FAILURE;
}
ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
&certDer, nullptr,
false, true));
CERTCertificate *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
&certDer, nullptr, false,
true);
if (!cert)
return NS_ERROR_FAILURE;
escrowCert = nsNSSCertificate::Create(cert);
CERT_DestroyCertificate(cert);
nssCert = escrowCert;
if (!nssCert)
return NS_ERROR_OUT_OF_MEMORY;
@ -2189,9 +2217,10 @@ static bool
nsCertAlreadyExists(SECItem *derCert)
{
CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
CERTCertificate *cert;
bool retVal = false;
ScopedCERTCertificate cert(CERT_FindCertByDERCert(handle, derCert));
cert = CERT_FindCertByDERCert(handle, derCert);
if (cert) {
if (cert->isperm && !cert->nickname && !cert->emailAddr) {
//If the cert doesn't have a nickname or email addr, it is
@ -2200,6 +2229,7 @@ nsCertAlreadyExists(SECItem *derCert)
} else if (cert->isperm) {
retVal = true;
}
CERT_DestroyCertificate(cert);
}
return retVal;
}
@ -2240,6 +2270,7 @@ nsCrypto::ImportUserCertificates(const nsAString& aNickname,
nsAutoCString localNick;
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
nsresult rv = NS_OK;
CERTCertList *caPubs = nullptr;
nsCOMPtr<nsIPK11Token> token;
nickname = ToNewCString(aNickname);
@ -2351,8 +2382,7 @@ nsCrypto::ImportUserCertificates(const nsAString& aNickname,
//That would be a good thing.
//Import the root chain into the cert db.
{
ScopedCERTCertList caPubs(CMMF_CertRepContentGetCAPubs(certRepContent));
caPubs = CMMF_CertRepContentGetCAPubs(certRepContent);
if (caPubs) {
int32_t numCAs = nsCertListCount(caPubs);
@ -2375,8 +2405,9 @@ nsCrypto::ImportUserCertificates(const nsAString& aNickname,
nsNSSCertificateDB::ImportValidCACerts(numCAs, derCerts, ctx);
nsMemory::Free(derCerts);
}
CERT_DestroyCertList(caPubs);
}
}
if (aDoForcedBackup) {
// I can't pop up a file picker from the depths of JavaScript,
@ -2608,7 +2639,7 @@ nsCrypto::SignText(const nsAString& aStringToSign, const nsAString& aCaOption,
++numberOfCerts;
}
ScopedCERTCertNicknames nicknames(getNSSCertNicknamesFromCertList(certList));
CERTCertNicknames* nicknames = getNSSCertNicknamesFromCertList(certList);
if (!nicknames) {
aResult.Append(internalError);
@ -2616,6 +2647,8 @@ nsCrypto::SignText(const nsAString& aStringToSign, const nsAString& aCaOption,
return NS_OK;
}
CERTCertNicknamesCleaner cnc(nicknames);
NS_ASSERTION(nicknames->numnicknames == numberOfCerts,
"nicknames->numnicknames != numberOfCerts");
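Review bot: In nsCrypto::ImportUserCertificates, `caPubs` becomes a raw function-scope pointer that is released only by the `CERT_DestroyCertList(caPubs)` at the end of the `if (caPubs)` block, so any exit taken between the assignment and that call leaks the list. The lines between the two hunks are not shown, so whether such an exit exists (an allocation-failure path, for instance) needs checking. Tying the release to scope removes the question: add `NSSCleanupAutoPtrClass(CERTCertList, CERT_DestroyCertList)` next to the other cleaner declarations in this file, declare `CERTCertListCleaner caPubsCleaner(caPubs);` right after `CERTCertList *caPubs = nullptr;`, and drop the manual destroy.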


@ -16,9 +16,7 @@
#include "nsNSSComponent.h"
#include "nsSSLStatus.h"
#include "nsNSSCertificate.h"
#include "ScopedNSSTypes.h"
using namespace mozilla;
#include "nsNSSCleaner.h"
#ifdef DEBUG
#ifndef PSM_ENABLE_TEST_EV_ROOTS
@ -30,6 +28,10 @@ using namespace mozilla;
extern PRLogModuleInfo* gPIPNSSLog;
#endif
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NSSCleanupAutoPtrClass(CERTCertList, CERT_DestroyCertList)
NSSCleanupAutoPtrClass_WithParam(SECItem, SECITEM_FreeItem, TrueParam, true)
#define CONST_OID static const unsigned char
#define OI(x) { siDEROID, (unsigned char *)x, sizeof x }
@ -1215,7 +1217,8 @@ nsNSSCertificate::hasValidEVOidTag(SECOidTag &resultOidTag, bool &validEV)
if (oid_tag == SEC_OID_UNKNOWN) // not in our list of OIDs accepted for EV
return NS_OK;
ScopedCERTCertList rootList(getRootsForOid(oid_tag));
CERTCertList *rootList = getRootsForOid(oid_tag);
CERTCertListCleaner rootListCleaner(rootList);
CERTRevocationMethodIndex preferedRevMethods[1] = {
cert_revocation_method_ocsp
@ -1274,13 +1277,14 @@ nsNSSCertificate::hasValidEVOidTag(SECOidTag &resultOidTag, bool &validEV)
cvout[0].value.pointer.cert = nullptr;
cvout[1].type = cert_po_end;
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("calling CERT_PKIXVerifyCert nss cert %p\n", mCert.get()));
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("calling CERT_PKIXVerifyCert nss cert %p\n", mCert));
rv = CERT_PKIXVerifyCert(mCert, certificateUsageSSLServer,
cvin, cvout, nullptr);
if (rv != SECSuccess)
return NS_OK;
ScopedCERTCertificate issuerCert(cvout[0].value.pointer.cert);
CERTCertificate *issuerCert = cvout[0].value.pointer.cert;
CERTCertificateCleaner issuerCleaner(issuerCert);
#ifdef PR_LOGGING
if (PR_LOG_TEST(gPIPNSSLog, PR_LOG_DEBUG)) {


@ -6,10 +6,6 @@
#include "nsCOMPtr.h"
#include "nsKeyModule.h"
#include "nsString.h"
#include "ScopedNSSTypes.h"
using namespace mozilla;
using namespace mozilla::psm;
NS_IMPL_ISUPPORTS1(nsKeyObject, nsIKeyObject)
@ -178,7 +174,8 @@ nsKeyObjectFactory::KeyFromString(int16_t aAlgorithm, const nsACString & aKey,
keyItem.data = (unsigned char*)flatKey.get();
keyItem.len = flatKey.Length();
ScopedPK11SlotInfo slot(PK11_GetBestSlot(cipherMech, nullptr));
PK11SlotInfo *slot = nullptr;
slot = PK11_GetBestSlot(cipherMech, nullptr);
if (!slot) {
NS_ERROR("no slot");
return NS_ERROR_FAILURE;
@ -186,6 +183,10 @@ nsKeyObjectFactory::KeyFromString(int16_t aAlgorithm, const nsACString & aKey,
PK11SymKey* symKey = PK11_ImportSymKey(slot, cipherMech, PK11_OriginUnwrap,
cipherOperation, &keyItem, nullptr);
// cleanup code
if (slot)
PK11_FreeSlot(slot);
if (!symKey) {
return NS_ERROR_FAILURE;
}


@ -3,12 +3,12 @@
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsNSSComponent.h"
#include "nsNSSCallbacks.h"
#include "mozilla/Telemetry.h"
#include "mozilla/TimeStamp.h"
#include "nsNSSComponent.h"
#include "nsNSSIOLayer.h"
#include "nsIWebProgressListener.h"
#include "nsProtectedAuthThread.h"
@ -19,7 +19,6 @@
#include "nsIPrompt.h"
#include "nsProxyRelease.h"
#include "PSMRunnable.h"
#include "ScopedNSSTypes.h"
#include "nsIConsoleService.h"
#include "nsIHttpChannelInternal.h"
#include "nsCRT.h"
@ -881,9 +880,10 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
}
ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
CERTCertificate *peerCert = SSL_PeerCertificate(fd);
const char* caName = nullptr; // caName is a pointer only, no ownership
char* certOrgName = CERT_GetOrgName(&serverCert->issuer);
char* certOrgName = CERT_GetOrgName(&peerCert->issuer);
CERT_DestroyCertificate(peerCert);
caName = certOrgName ? certOrgName : signer;
const char* verisignName = "Verisign, Inc.";
@ -917,8 +917,12 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
RememberCertErrorsTable::GetInstance().LookupCertErrorBits(infoObject,
status);
CERTCertificate *serverCert = SSL_PeerCertificate(fd);
if (serverCert) {
RefPtr<nsNSSCertificate> nssc(nsNSSCertificate::Create(serverCert));
CERT_DestroyCertificate(serverCert);
serverCert = nullptr;
nsCOMPtr<nsIX509Cert> prevcert;
infoObject->GetPreviousCert(getter_AddRefs(prevcert));
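Review bot: In HandshakeCallback, `peerCert` is used as `&peerCert->issuer` without checking that `SSL_PeerCertificate(fd)` returned a certificate, although the later hunk in the same function guards its own call with `if (serverCert)`. A null result would pass an invalid address to `CERT_GetOrgName`; `char* certOrgName = peerCert ? CERT_GetOrgName(&peerCert->issuer) : nullptr;` keeps the existing fallback to `signer`, with `CERT_DestroyCertificate(peerCert)` guarded the same way. The function also fetches the peer certificate twice, and holding one reference for both uses would avoid the second lookup and the second manual release. The body of HandshakeCallback extends beyond both hunks.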


@ -7,7 +7,6 @@
#ifndef _NSNSSCALLBACKS_H_
#define _NSNSSCALLBACKS_H_
#include "nsCOMPtr.h"
#include "pk11func.h"
#include "nspr.h"
#include "ocspt.h"
@ -15,9 +14,6 @@
#include "mozilla/CondVar.h"
#include "mozilla/Mutex.h"
#include "mozilla/Attributes.h"
#include "nsString.h"
class nsILoadGroup;
char*
PK11PasswordPrompt(PK11SlotInfo *slot, PRBool retry, void* arg);


@ -34,11 +34,13 @@
#include "nsIObjectOutputStream.h"
#include "nsIObjectInputStream.h"
#include "nsIProgrammingLanguage.h"
#include "nsXULAppAPI.h"
#include "ScopedNSSTypes.h"
#include "nspr.h"
#include "pk11func.h"
#include "certdb.h"
#include "cert.h"
#include "secerr.h"
#include "nssb64.h"
#include "secasn1.h"
@ -46,6 +48,8 @@
#include "ssl.h"
#include "ocsp.h"
#include "plbase64.h"
#include "cms.h"
#include "cert.h"
using namespace mozilla;
@ -55,7 +59,12 @@ extern PRLogModuleInfo* gPIPNSSLog;
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
NSSCleanupAutoPtrClass(CERTCertificateList, CERT_DestroyCertificateList)
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NSSCleanupAutoPtrClass(NSSCMSMessage, NSS_CMSMessage_Destroy)
NSSCleanupAutoPtrClass_WithParam(PLArenaPool, PORT_FreeArena, FalseParam, false)
NSSCleanupAutoPtrClass(NSSCMSSignedData, NSS_CMSSignedData_Destroy)
NSSCleanupAutoPtrClass(PK11SlotList, PK11_FreeSlotList)
// This is being stored in an uint32_t that can otherwise
// only take values from nsIX509Cert's list of cert types.
@ -189,6 +198,7 @@ void nsNSSCertificate::destructorSafeDestroyNSSReference()
}
if (mCert) {
CERT_DestroyCertificate(mCert);
mCert = nullptr;
}
}
@ -766,7 +776,7 @@ nsNSSCertificate::GetIssuer(nsIX509Cert * *aIssuer)
NS_ENSURE_ARG(aIssuer);
*aIssuer = nullptr;
ScopedCERTCertificate issuer;
CERTCertificate *issuer;
issuer = CERT_FindCertIssuer(mCert, PR_Now(), certUsageSSLClient);
if (issuer) {
nsCOMPtr<nsIX509Cert> cert = nsNSSCertificate::Create(issuer);
@ -774,6 +784,7 @@ nsNSSCertificate::GetIssuer(nsIX509Cert * *aIssuer)
*aIssuer = cert;
NS_ADDREF(*aIssuer);
}
CERT_DestroyCertificate(issuer);
}
return NS_OK;
}
@ -811,8 +822,8 @@ nsNSSCertificate::GetChain(nsIArray **_rvChain)
NS_ENSURE_ARG(_rvChain);
nsresult rv;
/* Get the cert chain from NSS */
CERTCertList *nssChain = nullptr;
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting chain for \"%s\"\n", mCert->nickname));
ScopedCERTCertList nssChain;
nssChain = CERT_GetCertChainFromCert(mCert, PR_Now(), certUsageSSLClient);
if (!nssChain)
return NS_ERROR_FAILURE;
@ -834,6 +845,8 @@ nsNSSCertificate::GetChain(nsIArray **_rvChain)
NS_IF_ADDREF(*_rvChain);
rv = NS_OK;
done:
if (nssChain)
CERT_DestroyCertList(nssChain);
return rv;
}
@ -850,7 +863,8 @@ nsNSSCertificate::GetAllTokenNames(uint32_t *aLength, PRUnichar*** aTokenNames)
*aTokenNames = nullptr;
/* Get the slots from NSS */
ScopedPK11SlotList slots;
PK11SlotList *slots = nullptr;
PK11SlotListCleaner slotCleaner(slots);
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting slots for \"%s\"\n", mCert->nickname));
slots = PK11_GetAllSlotsForCert(mCert, nullptr);
if (!slots) {
@ -1068,7 +1082,8 @@ nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
return NS_ERROR_OUT_OF_MEMORY;
}
ScopedNSSCMSMessage cmsg(NSS_CMSMessage_Create(nullptr));
NSSCMSMessage *cmsg = NSS_CMSMessage_Create(nullptr);
NSSCMSMessageCleaner cmsgCleaner(cmsg);
if (!cmsg) {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
("nsNSSCertificate::ExportAsCMS - can't create CMS message\n"));
@ -1078,8 +1093,8 @@ nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
/*
* first, create SignedData with the certificate only (no chain)
*/
ScopedNSSCMSSignedData sigd(NSS_CMSSignedData_CreateCertsOnly(cmsg, mCert,
false));
NSSCMSSignedData *sigd = NSS_CMSSignedData_CreateCertsOnly(cmsg, mCert, false);
NSSCMSSignedDataCleaner sigdCleaner(sigd);
if (!sigd) {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
("nsNSSCertificate::ExportAsCMS - can't create SignedData\n"));
@ -1095,8 +1110,8 @@ nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
*/
if (chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChain ||
chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChainWithRoot) {
ScopedCERTCertificate issuerCert(
CERT_FindCertIssuer(mCert, PR_Now(), certUsageAnyCA));
CERTCertificate *issuerCert = CERT_FindCertIssuer(mCert, PR_Now(), certUsageAnyCA);
CERTCertificateCleaner issuerCertCleaner(issuerCert);
/*
* the issuerCert of a self signed root is the cert itself,
* so make sure we're not adding duplicates, again
@ -1104,11 +1119,11 @@ nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
if (issuerCert && issuerCert != mCert) {
bool includeRoot =
(chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChainWithRoot);
ScopedCERTCertificateList certChain(
CERT_CertChainFromCert(issuerCert, certUsageAnyCA, includeRoot));
CERTCertificateList *certChain = CERT_CertChainFromCert(issuerCert, certUsageAnyCA, includeRoot);
CERTCertificateListCleaner certChainCleaner(certChain);
if (certChain) {
if (NSS_CMSSignedData_AddCertList(sigd, certChain) == SECSuccess) {
certChain.forget();
certChainCleaner.detach();
}
else {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
@ -1120,7 +1135,7 @@ nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
/* try to add the issuerCert, at least */
if (NSS_CMSSignedData_AddCertificate(sigd, issuerCert)
== SECSuccess) {
issuerCert.forget();
issuerCertCleaner.detach();
}
else {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
@ -1134,7 +1149,7 @@ nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
NSSCMSContentInfo *cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
if (NSS_CMSContentInfo_SetContent_SignedData(cmsg, cinfo, sigd)
== SECSuccess) {
sigd.forget();
sigdCleaner.detach();
}
else {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
@ -1492,8 +1507,11 @@ nsNSSCertificate::Equals(nsIX509Cert *other, bool *result)
if (!other2)
return NS_ERROR_FAILURE;
ScopedCERTCertificate cert(other2->GetCert());
CERTCertificate *cert = other2->GetCert();
*result = (mCert == cert);
if (cert) {
CERT_DestroyCertificate(cert);
}
return NS_OK;
}
@ -1582,6 +1600,13 @@ nsNSSCertList::nsNSSCertList(CERTCertList *certList, bool adopt)
}
}
nsNSSCertList::~nsNSSCertList()
{
if (mCertList) {
CERT_DestroyCertList(mCertList);
}
}
/* void addCert (in nsIX509Cert cert); */
NS_IMETHODIMP
nsNSSCertList::AddCert(nsIX509Cert *aCert)
@ -1681,6 +1706,13 @@ nsNSSCertListEnumerator::nsNSSCertListEnumerator(CERTCertList *certList)
mCertList = nsNSSCertList::DupCertList(certList);
}
nsNSSCertListEnumerator::~nsNSSCertListEnumerator()
{
if (mCertList) {
CERT_DestroyCertList(mCertList);
}
}
/* boolean hasMoreElements (); */
NS_IMETHODIMP
nsNSSCertListEnumerator::HasMoreElements(bool *_retval)


@ -19,7 +19,6 @@
#include "nsISimpleEnumerator.h"
#include "nsISerializable.h"
#include "nsIClassInfo.h"
#include "ScopedNSSTypes.h"
#include "certt.h"
class nsAutoString;
@ -57,7 +56,7 @@ public:
static char* defaultServerNickname(CERTCertificate* cert);
private:
mozilla::ScopedCERTCertificate mCert;
CERTCertificate *mCert;
bool mPermDelete;
uint32_t mCertType;
nsCOMPtr<nsIASN1Object> mASN1Structure;
@ -84,15 +83,11 @@ public:
NS_DECL_NSIX509CERTLIST
nsNSSCertList(CERTCertList *certList = nullptr, bool adopt = false);
virtual ~nsNSSCertList();
static CERTCertList *DupCertList(CERTCertList *aCertList);
private:
virtual ~nsNSSCertList() { }
mozilla::ScopedCERTCertList mCertList;
nsNSSCertList(const nsNSSCertList &) MOZ_DELETE;
void operator=(const nsNSSCertList &) MOZ_DELETE;
CERTCertList *mCertList;
};
class nsNSSCertListEnumerator: public nsISimpleEnumerator
@ -102,13 +97,9 @@ public:
NS_DECL_NSISIMPLEENUMERATOR
nsNSSCertListEnumerator(CERTCertList *certList);
virtual ~nsNSSCertListEnumerator();
private:
virtual ~nsNSSCertListEnumerator() { }
mozilla::ScopedCERTCertList mCertList;
nsNSSCertListEnumerator(const nsNSSCertListEnumerator &) MOZ_DELETE;
void operator=(const nsNSSCertListEnumerator &) MOZ_DELETE;
CERTCertList *mCertList;
};
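Review bot: nsNSSCertList and nsNSSCertListEnumerator now own `mCertList` as a raw `CERTCertList *` freed in an out-of-line destructor, while the `MOZ_DELETE`d copy constructor and assignment operator appear to be dropped in the same hunks (the rendered page has lost its +/- markers, so this is inferred from the backout direction). With the compiler-generated copy operations available again, an accidental copy would leave two objects destroying the same list. Keeping `nsNSSCertList(const nsNSSCertList &) MOZ_DELETE;` and `void operator=(const nsNSSCertList &) MOZ_DELETE;`, and the enumerator equivalents, does not depend on the scoped types being present. The destructors also seem to move out of the `private:` section, which would let callers `delete` a reference-counted object directly; keeping them non-public preserves that restriction.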


@ -29,10 +29,11 @@
#include "nsComponentManagerUtils.h"
#include "nsIPrompt.h"
#include "nsThreadUtils.h"
#include "ScopedNSSTypes.h"
#include "nspr.h"
#include "pk11func.h"
#include "certdb.h"
#include "cert.h"
#include "secerr.h"
#include "nssb64.h"
#include "secasn1.h"
@ -41,12 +42,19 @@
#include "ocsp.h"
#include "plbase64.h"
#include "nsNSSCleaner.h"
using namespace mozilla;
#ifdef PR_LOGGING
extern PRLogModuleInfo* gPIPNSSLog;
#endif
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NSSCleanupAutoPtrClass(CERTCertList, CERT_DestroyCertList)
NSSCleanupAutoPtrClass(CERTCertificateList, CERT_DestroyCertificateList)
NSSCleanupAutoPtrClass(PK11SlotInfo, PK11_FreeSlot)
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
@ -65,11 +73,8 @@ nsNSSCertificateDB::FindCertByNickname(nsISupports *aToken,
const nsAString &nickname,
nsIX509Cert **_rvCert)
{
NS_ENSURE_ARG_POINTER(_rvCert);
*_rvCert = nullptr;
nsNSSShutDownPreventionLock locker;
ScopedCERTCertificate cert;
CERTCertificate *cert = nullptr;
char *asciiname = nullptr;
NS_ConvertUTF16toUTF8 aUtf8Nickname(nickname);
asciiname = const_cast<char*>(aUtf8Nickname.get());
@ -89,11 +94,14 @@ nsNSSCertificateDB::FindCertByNickname(nsISupports *aToken,
if (cert) {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("got it\n"));
nsCOMPtr<nsIX509Cert> pCert = nsNSSCertificate::Create(cert);
CERT_DestroyCertificate(cert);
if (pCert) {
pCert.forget(_rvCert);
*_rvCert = pCert;
NS_ADDREF(*_rvCert);
return NS_OK;
}
}
*_rvCert = nullptr;
return NS_ERROR_FAILURE;
}
@ -101,17 +109,14 @@ NS_IMETHODIMP
nsNSSCertificateDB::FindCertByDBKey(const char *aDBkey, nsISupports *aToken,
nsIX509Cert **_cert)
{
NS_ENSURE_ARG_POINTER(aDBkey);
NS_ENSURE_ARG(aDBkey[0]);
NS_ENSURE_ARG_POINTER(aToken);
NS_ENSURE_ARG_POINTER(_cert);
*_cert = nullptr;
nsNSSShutDownPreventionLock locker;
SECItem keyItem = {siBuffer, nullptr, 0};
SECItem *dummy;
CERTIssuerAndSN issuerSN;
//unsigned long moduleID,slotID;
*_cert = nullptr;
if (!aDBkey || !*aDBkey)
return NS_ERROR_INVALID_ARG;
dummy = NSSBase64_DecodeBuffer(nullptr, &keyItem, aDBkey,
(uint32_t)PL_strlen(aDBkey));
@ -120,7 +125,7 @@ nsNSSCertificateDB::FindCertByDBKey(const char *aDBkey, nsISupports *aToken,
return NS_ERROR_INVALID_ARG;
}
ScopedCERTCertificate cert;
CERTCertificate *cert;
// someday maybe we can speed up the search using the moduleID and slotID
// moduleID = NS_NSS_GET_LONG(keyItem.data);
// slotID = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG]);
@ -141,10 +146,12 @@ nsNSSCertificateDB::FindCertByDBKey(const char *aDBkey, nsISupports *aToken,
cert = CERT_FindCertByIssuerAndSN(CERT_GetDefaultCertDB(), &issuerSN);
PR_FREEIF(keyItem.data);
if (cert) {
nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert);
nsNSSCertificate *nssCert = nsNSSCertificate::Create(cert);
CERT_DestroyCertificate(cert);
if (!nssCert)
return NS_ERROR_OUT_OF_MEMORY;
nssCert.forget(_cert);
NS_ADDREF(nssCert);
*_cert = static_cast<nsIX509Cert*>(nssCert);
}
return NS_OK;
}
@ -160,7 +167,7 @@ nsNSSCertificateDB::FindCertNicknames(nsISupports *aToken,
/*
* obtain the cert list from NSS
*/
ScopedCERTCertList certList;
CERTCertList *certList = nullptr;
PK11CertListType pk11type;
#if 0
// this would seem right, but it didn't work...
@ -183,6 +190,8 @@ nsNSSCertificateDB::FindCertNicknames(nsISupports *aToken,
* finish up
*/
cleanup:
if (certList)
CERT_DestroyCertList(certList);
return rv;
}
@ -325,7 +334,7 @@ nsNSSCertificateDB::handleCACertDownload(nsIArray *x509Certs,
return rv;
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
ScopedCERTCertificate tmpCert;
CERTCertificate *tmpCert;
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
tmpCert = CERT_FindCertByDERCert(certdb, &der);
if (!tmpCert) {
@ -341,6 +350,8 @@ nsNSSCertificateDB::handleCACertDownload(nsIArray *x509Certs,
return NS_ERROR_FAILURE;
}
CERTCertificateCleaner tmpCertCleaner(tmpCert);
if (!CERT_IsCACert(tmpCert, nullptr)) {
DisplayCertificateAlert(ctx, "NotACACert", certToShow);
return NS_ERROR_FAILURE;
@ -382,11 +393,13 @@ nsNSSCertificateDB::handleCACertDownload(nsIArray *x509Certs,
// Import additional delivered certificates that can be verified.
// build a CertList for filtering
ScopedCERTCertList certList(CERT_NewCertList());
CERTCertList *certList = CERT_NewCertList();
if (!certList) {
return NS_ERROR_FAILURE;
}
CERTCertListCleaner listCleaner(certList);
// get all remaining certs into temp store
for (uint32_t i=0; i<numCerts; i++) {
@ -486,7 +499,7 @@ nsNSSCertificateDB::ImportEmailCertificate(uint8_t * data, uint32_t length,
nsresult nsrv = NS_OK;
CERTCertDBHandle *certdb;
CERTCertificate **certArray = nullptr;
ScopedCERTCertList certList;
CERTCertList *certList = nullptr;
CERTCertListNode *node;
PRTime now;
SECCertUsage certusage;
@ -586,7 +599,8 @@ nsNSSCertificateDB::ImportEmailCertificate(uint8_t * data, uint32_t length,
}
}
ScopedCERTCertificateList certChain;
CERTCertificateList *certChain = nullptr;
CERTCertificateListCleaner chainCleaner(certChain);
if (!alert_and_skip) {
certChain = CERT_CertChainFromCert(node->cert, certusage, false);
@ -625,6 +639,9 @@ loser:
if (certArray) {
CERT_DestroyCertArray(certArray, numcerts);
}
if (certList) {
CERT_DestroyCertList(certList);
}
if (arena)
PORT_FreeArena(arena, true);
return nsrv;
@ -638,7 +655,7 @@ nsNSSCertificateDB::ImportServerCertificate(uint8_t * data, uint32_t length,
nsNSSShutDownPreventionLock locker;
SECStatus srv = SECFailure;
nsresult nsrv = NS_OK;
ScopedCERTCertificate cert;
CERTCertificate * cert;
SECItem **rawCerts = nullptr;
int numcerts;
int i;
@ -689,6 +706,8 @@ nsNSSCertificateDB::ImportServerCertificate(uint8_t * data, uint32_t length,
}
loser:
PORT_Free(rawCerts);
if (cert)
CERT_DestroyCertificate(cert);
if (arena)
PORT_FreeArena(arena, true);
return nsrv;
@ -697,7 +716,7 @@ loser:
nsresult
nsNSSCertificateDB::ImportValidCACerts(int numCACerts, SECItem *CACerts, nsIInterfaceRequestor *ctx)
{
ScopedCERTCertList certList;
CERTCertList *certList = nullptr;
SECItem **rawArray;
// build a CertList for filtering
@ -706,6 +725,8 @@ nsNSSCertificateDB::ImportValidCACerts(int numCACerts, SECItem *CACerts, nsIInte
return NS_ERROR_FAILURE;
}
CERTCertListCleaner listCleaner(certList);
// get all certs into temp store
SECStatus srv = SECFailure;
CERTCertificate **certArray = nullptr;
@ -789,7 +810,8 @@ nsNSSCertificateDB::ImportValidCACertsInList(CERTCertList *certList, nsIInterfac
}
}
ScopedCERTCertificateList certChain;
CERTCertificateList *certChain = nullptr;
CERTCertificateListCleaner chainCleaner(certChain);
if (!alert_and_skip) {
certChain = CERT_CertChainFromCert(node->cert, certUsageAnyCA, false);
@ -869,14 +891,14 @@ nsNSSCertificateDB::ImportUserCertificate(uint8_t *data, uint32_t length, nsIInt
}
nsNSSShutDownPreventionLock locker;
ScopedPK11SlotInfo slot;
PK11SlotInfo *slot;
nsAutoCString nickname;
nsresult rv = NS_ERROR_FAILURE;
int numCACerts;
SECItem *CACerts;
CERTDERCerts * collectArgs;
PLArenaPool *arena;
ScopedCERTCertificate cert;
CERTCertificate * cert = nullptr;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
@ -900,7 +922,7 @@ nsNSSCertificateDB::ImportUserCertificate(uint8_t *data, uint32_t length, nsIInt
DisplayCertificateAlert(ctx, "UserCertIgnoredNoPrivateKey", certToShow);
goto loser;
}
slot = nullptr;
PK11_FreeSlot(slot);
/* pick a nickname for the cert */
if (cert->nickname) {
@ -921,7 +943,7 @@ nsNSSCertificateDB::ImportUserCertificate(uint8_t *data, uint32_t length, nsIInt
if (!slot) {
goto loser;
}
slot = nullptr;
PK11_FreeSlot(slot);
{
nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(cert);
@ -939,6 +961,9 @@ loser:
if (arena) {
PORT_FreeArena(arena, false);
}
if ( cert ) {
CERT_DestroyCertificate(cert);
}
return rv;
}
@ -950,8 +975,9 @@ nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
{
nsNSSShutDownPreventionLock locker;
nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
ScopedCERTCertificate cert(nssCert->GetCert());
CERTCertificate *cert = nssCert->GetCert();
if (!cert) return NS_ERROR_FAILURE;
CERTCertificateCleaner certCleaner(cert);
SECStatus srv = SECSuccess;
uint32_t certType;
@ -993,8 +1019,8 @@ nsNSSCertificateDB::SetCertTrust(nsIX509Cert *cert,
nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
if (!pipCert)
return NS_ERROR_FAILURE;
ScopedCERTCertificate nsscert(pipCert->GetCert());
CERTCertificate *nsscert = pipCert->GetCert();
CERTCertificateCleaner certCleaner(nsscert);
if (type == nsIX509Cert::CA_CERT) {
// always start with untrusted and move up
trust.SetValidCA();
@ -1037,13 +1063,14 @@ nsNSSCertificateDB::IsCertTrusted(nsIX509Cert *cert,
nsNSSShutDownPreventionLock locker;
SECStatus srv;
nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
ScopedCERTCertificate nsscert(pipCert->GetCert());
CERTCertificate *nsscert = pipCert->GetCert();
CERTCertTrust nsstrust;
srv = CERT_GetCertTrust(nsscert, &nsstrust);
if (srv != SECSuccess)
return NS_ERROR_FAILURE;
nsNSSCertTrust trust(&nsstrust);
CERT_DestroyCertificate(nsscert);
if (certType == nsIX509Cert::CA_CERT) {
if (trustType & nsIX509CertDB::TRUSTED_SSL) {
*_isTrusted = trust.HasTrustedCA(true, false, false);
@ -1170,9 +1197,10 @@ nsNSSCertificateDB::ExportPKCS12File(nsISupports *aToken,
if (count == 0) return NS_OK;
nsCOMPtr<nsIPK11Token> localRef;
if (!aToken) {
ScopedPK11SlotInfo keySlot(PK11_GetInternalKeySlot());
PK11SlotInfo *keySlot = PK11_GetInternalKeySlot();
NS_ASSERTION(keySlot,"Failed to get the internal key slot");
localRef = new nsPK11Token(keySlot);
PK11_FreeSlot(keySlot);
}
else {
localRef = do_QueryInterface(aToken);
@ -1267,47 +1295,59 @@ nsNSSCertificateDB::GetIsOcspOn(bool *aOcspOn)
NS_IMETHODIMP
nsNSSCertificateDB::FindEmailEncryptionCert(const nsAString &aNickname, nsIX509Cert **_retval)
{
NS_ENSURE_ARG_POINTER(_retval);
*_retval = nullptr;
if (!_retval)
return NS_ERROR_FAILURE;
*_retval = 0;
if (aNickname.IsEmpty())
return NS_OK;
nsNSSShutDownPreventionLock locker;
nsresult rv = NS_OK;
CERTCertificate *cert = 0;
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
nsNSSCertificate *nssCert = nullptr;
char *asciiname = nullptr;
NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
asciiname = const_cast<char*>(aUtf8Nickname.get());
/* Find a good cert in the user's database */
ScopedCERTCertificate cert;
cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname,
certUsageEmailRecipient, true, ctx);
if (!cert) {
return NS_OK;
}
nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert);
if (!cert) { goto loser; }
nssCert = nsNSSCertificate::Create(cert);
if (!nssCert) {
return NS_ERROR_OUT_OF_MEMORY;
rv = NS_ERROR_OUT_OF_MEMORY;
}
nssCert.forget(_retval);
return NS_OK;
NS_ADDREF(nssCert);
*_retval = static_cast<nsIX509Cert*>(nssCert);
loser:
if (cert) CERT_DestroyCertificate(cert);
return rv;
}
/* nsIX509Cert getDefaultEmailSigningCert (); */
NS_IMETHODIMP
nsNSSCertificateDB::FindEmailSigningCert(const nsAString &aNickname, nsIX509Cert **_retval)
{
NS_ENSURE_ARG_POINTER(_retval);
*_retval = nullptr;
if (!_retval)
return NS_ERROR_FAILURE;
*_retval = 0;
if (aNickname.IsEmpty())
return NS_OK;
nsNSSShutDownPreventionLock locker;
ScopedCERTCertificate cert;
nsresult rv = NS_OK;
CERTCertificate *cert = 0;
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
nsNSSCertificate *nssCert = nullptr;
char *asciiname = nullptr;
NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
asciiname = const_cast<char*>(aUtf8Nickname.get());
@ -1315,16 +1355,20 @@ nsNSSCertificateDB::FindEmailSigningCert(const nsAString &aNickname, nsIX509Cert
/* Find a good cert in the user's database */
cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname,
certUsageEmailSigner, true, ctx);
if (!cert) {
return NS_OK;
}
nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert);
if (!cert) { goto loser; }
nssCert = nsNSSCertificate::Create(cert);
if (!nssCert) {
return NS_ERROR_OUT_OF_MEMORY;
rv = NS_ERROR_OUT_OF_MEMORY;
}
nssCert.forget(_retval);
return NS_OK;
NS_ADDREF(nssCert);
*_retval = static_cast<nsIX509Cert*>(nssCert);
loser:
if (cert) CERT_DestroyCertificate(cert);
return rv;
}
NS_IMETHODIMP
@ -1345,14 +1389,15 @@ nsNSSCertificateDB::FindCertByEmailAddress(nsISupports *aToken, const char *aEma
return nsrv;
}
ScopedCERTCertList certlist(
PK11_FindCertsFromEmailAddress(aEmailAddress, nullptr));
CERTCertList *certlist = PK11_FindCertsFromEmailAddress(aEmailAddress, nullptr);
if (!certlist)
return NS_ERROR_FAILURE;
// certlist now contains certificates with the right email address,
// but they might not have the correct usage or might even be invalid
CERTCertListCleaner listCleaner(certlist);
if (CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist))
return NS_ERROR_FAILURE; // no certs found
@ -1431,8 +1476,7 @@ nsNSSCertificateDB::ConstructX509FromBase64(const char *base64,
secitem_cert.data = (unsigned char*)certDER;
secitem_cert.len = lengthDER;
ScopedCERTCertificate cert;
cert =
CERTCertificate *cert =
CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &secitem_cert,
nullptr, false, true);
PL_strfree(certDER);
@ -1441,12 +1485,13 @@ nsNSSCertificateDB::ConstructX509FromBase64(const char *base64,
return (PORT_GetError() == SEC_ERROR_NO_MEMORY)
? NS_ERROR_OUT_OF_MEMORY : NS_ERROR_FAILURE;
nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert);
if (!nssCert) {
nsNSSCertificate *nsNSS = nsNSSCertificate::Create(cert);
CERT_DestroyCertificate(cert);
if (!nsNSS)
return NS_ERROR_OUT_OF_MEMORY;
}
nssCert.forget(_retval);
return NS_OK;
return CallQueryInterface(nsNSS, _retval);
}
void
@ -1502,7 +1547,8 @@ nsNSSCertificateDB::get_default_nickname(CERTCertificate *cert,
* then we need to check for nicknames that already exist on the smart
* card.
*/
ScopedPK11SlotInfo slot(PK11_KeyForCertExists(cert, &keyHandle, ctx));
PK11SlotInfo *slot = PK11_KeyForCertExists(cert, &keyHandle, ctx);
PK11SlotInfoCleaner slotCleaner(slot);
if (!slot)
return;
@ -1530,7 +1576,8 @@ nsNSSCertificateDB::get_default_nickname(CERTCertificate *cert,
PR_smprintf_free(tmp);
}
ScopedCERTCertificate dummycert;
CERTCertificate *dummycert = nullptr;
CERTCertificateCleaner dummycertCleaner(dummycert);
if (PK11_IsInternal(slot)) {
/* look up the nickname to make sure it isn't in use already */
@ -1553,6 +1600,7 @@ nsNSSCertificateDB::get_default_nickname(CERTCertificate *cert,
* the same subject name on the smart card, so let's use this
* nickname.
*/
CERT_DestroyCertificate(dummycert);
dummycert = nullptr;
}
}
@ -1585,8 +1633,9 @@ NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char *aBase64, const c
NS_ENSURE_SUCCESS(rv, rv);
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
CERTCertificate *tmpCert;
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der));
tmpCert = CERT_FindCertByDERCert(certdb, &der);
if (!tmpCert)
tmpCert = CERT_NewTempCertificate(certdb, &der,
nullptr, false, true);
@ -1600,9 +1649,12 @@ NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char *aBase64, const c
}
if (tmpCert->isperm) {
CERT_DestroyCertificate(tmpCert);
return NS_OK;
}
CERTCertificateCleaner tmpCertCleaner(tmpCert);
nsXPIDLCString nickname;
nickname.Adopt(CERT_MakeCANickname(tmpCert));
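Review bot: In FindEmailEncryptionCert the out-of-memory branch sets `rv = NS_ERROR_OUT_OF_MEMORY;` and then falls through to `NS_ADDREF(nssCert)` with `nssCert` null, which is a null dereference. FindEmailSigningCert repeats the same sequence. This reads the raw-pointer lines as the new side, since the `+`/`-` markers are lost on this page. The branch should be `rv = NS_ERROR_OUT_OF_MEMORY; goto loser;` in both functions, so the certificate is still released and `*_retval` stays null. IsCertTrusted has a related gap: the `return NS_ERROR_FAILURE;` after a failed CERT_GetCertTrust skips `CERT_DestroyCertificate(nsscert)` and leaks the reference.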


@ -27,7 +27,6 @@
#include "nsCharSeparatedTokenizer.h"
#include "nsIConsoleService.h"
#include "PSMRunnable.h"
#include "ScopedNSSTypes.h"
#include "ssl.h"
#include "secerr.h"
@ -50,6 +49,7 @@ using namespace mozilla::psm;
namespace {
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NSSCleanupAutoPtrClass(void, PR_FREEIF)
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
@ -259,7 +259,8 @@ nsNSSSocketInfo::JoinConnection(const nsACString & npnProtocol,
// Ensure that the server certificate covers the hostname that would
// like to join this connection
ScopedCERTCertificate nssCert;
CERTCertificate *nssCert = nullptr;
CERTCertificateCleaner nsscertCleaner(nssCert);
nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(SSLStatus()->mServerCert);
if (cert2)
@ -1913,11 +1914,11 @@ void ClientAuthDataRunnable::RunOnTargetThread()
{
PLArenaPool* arena = nullptr;
char** caNameStrings;
ScopedCERTCertificate cert;
ScopedSECKEYPrivateKey privKey;
ScopedCERTCertList certList;
CERTCertificate* cert = nullptr;
SECKEYPrivateKey* privKey = nullptr;
CERTCertList* certList = nullptr;
CERTCertListNode* node;
ScopedCERTCertNicknames nicknames;
CERTCertNicknames* nicknames = nullptr;
char* extracted = nullptr;
int keyError = 0; /* used for private key retrieval error */
SSM_UserCertChoice certChoice;
@ -1971,7 +1972,8 @@ void ClientAuthDataRunnable::RunOnTargetThread()
goto noCert;
}
ScopedCERTCertificate low_prio_nonrep_cert;
CERTCertificate* low_prio_nonrep_cert = nullptr;
CERTCertificateCleaner low_prio_cleaner(low_prio_nonrep_cert);
/* loop through the list until we find a cert with a key */
while (!CERT_LIST_END(node, certList)) {
@ -1989,6 +1991,7 @@ void ClientAuthDataRunnable::RunOnTargetThread()
privKey = PK11_FindKeyByAnyCert(node->cert, wincx);
if (privKey) {
if (hasExplicitKeyUsageNonRepudiation(node->cert)) {
SECKEY_DestroyPrivateKey(privKey);
privKey = nullptr;
// Not a prefered cert
if (!low_prio_nonrep_cert) // did not yet find a low prio cert
@ -2010,7 +2013,8 @@ void ClientAuthDataRunnable::RunOnTargetThread()
}
if (!cert && low_prio_nonrep_cert) {
cert = low_prio_nonrep_cert.forget();
cert = low_prio_nonrep_cert;
low_prio_nonrep_cert = nullptr; // take it away from the cleaner
privKey = PK11_FindKeyByAnyCert(cert, wincx);
}
@ -2266,8 +2270,7 @@ if (!hasRemembered)
}
if (cars && wantRemember) {
cars->RememberDecision(hostname, mServerCert,
canceled ? nullptr : cert.get());
cars->RememberDecision(hostname, mServerCert, canceled ? 0 : cert);
}
}
@ -2297,18 +2300,28 @@ loser:
if (mRV == SECSuccess) {
mRV = SECFailure;
}
if (cert) {
CERT_DestroyCertificate(cert);
cert = nullptr;
}
done:
int error = PR_GetError();
if (extracted) {
PR_Free(extracted);
}
if (nicknames) {
CERT_FreeNicknames(nicknames);
}
if (certList) {
CERT_DestroyCertList(certList);
}
if (arena) {
PORT_FreeArena(arena, false);
}
*mPRetCert = cert.forget();
*mPRetKey = privKey.forget();
*mPRetCert = cert;
*mPRetKey = privKey;
if (mRV == SECFailure) {
mErrorCodeToReport = error;
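Review bot: In ClientAuthDataRunnable::RunOnTargetThread the `loser:` block destroys `cert` and clears it but leaves `privKey` untouched, and `done:` then publishes it with `*mPRetKey = privKey;`. The jumps to `loser` are outside the visible hunks, so it cannot be confirmed from here whether one can occur after PK11_FindKeyByAnyCert has succeeded. If one can, the caller gets a private key handle together with SECFailure and no certificate, and the handle may never be released. Adding `if (privKey) { SECKEY_DestroyPrivateKey(privKey); privKey = nullptr; }` beside the cert cleanup would make the failure path symmetric.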


@ -26,15 +26,15 @@
#include "nsICertificateDialogs.h"
#include "nsNSSShutDown.h"
#include "nsCRT.h"
#include "ScopedNSSTypes.h"
#include "pk11func.h"
#include "secerr.h"
#ifdef PR_LOGGING
extern PRLogModuleInfo* gPIPNSSLog;
#endif
using namespace mozilla;
#include "nsNSSCleaner.h"
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
@ -360,7 +360,9 @@ nsPKCS12Blob::ExportToFile(nsIFile *file,
// nsNSSCertificate *cert = reinterpret_cast<nsNSSCertificate *>(certs[i]);
nsNSSCertificate *cert = (nsNSSCertificate *)certs[i];
// get it as a CERTCertificate XXX
ScopedCERTCertificate nssCert(cert->GetCert());
CERTCertificate *nssCert = NULL;
CERTCertificateCleaner nssCertCleaner(nssCert);
nssCert = cert->GetCert();
if (!nssCert) {
rv = NS_ERROR_FAILURE;
goto finish;
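Review bot: `nssCertCleaner` is constructed while `nssCert` is still `NULL` and the pointer is only assigned on the next line. The release therefore works only if the cleaner keeps a reference to the variable rather than a copy of its value; nsNSSCleaner.h is not visible here, so that is presumed. DeleteCertificate and SetCertTrust in this same commit assign first and attach the cleaner afterwards, which is easier to verify: `CERTCertificate *nssCert = cert->GetCert();` then `CERTCertificateCleaner nssCertCleaner(nssCert);`. The rest of the commit also writes `nullptr` rather than `NULL`. The enclosing loop in ExportToFile starts and ends outside the hunk.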


@ -18,8 +18,12 @@
#include "certdb.h"
#include "sechash.h"
#include "nsNSSCleaner.h"
using namespace mozilla;
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NS_IMPL_THREADSAFE_ISUPPORTS1(nsRecentBadCertsService,
nsIRecentBadCertsService)
@ -74,8 +78,9 @@ nsRecentBadCertsService::GetRecentBadCert(const nsAString & aHostNameWithPort,
}
if (foundDER.len) {
CERTCertificate *nssCert;
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
ScopedCERTCertificate nssCert(CERT_FindCertByDERCert(certdb, &foundDER));
nssCert = CERT_FindCertByDERCert(certdb, &foundDER);
if (!nssCert)
nssCert = CERT_NewTempCertificate(certdb, &foundDER,
nullptr, // no nickname
@ -88,6 +93,8 @@ nsRecentBadCertsService::GetRecentBadCert(const nsAString & aHostNameWithPort,
return NS_ERROR_FAILURE;
status->mServerCert = nsNSSCertificate::Create(nssCert);
CERT_DestroyCertificate(nssCert);
status->mHaveCertErrorBits = true;
status->mIsDomainMismatch = isDomainMismatch;
status->mIsNotValidAtThisTime = isNotValidAtThisTime;
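Review bot: The result of `nsNSSCertificate::Create(nssCert)` is stored in `status->mServerCert` without a null check, and the function then sets the error-bit fields as though a certificate were attached. FindCertByDBKey in this commit checks the same call and returns NS_ERROR_OUT_OF_MEMORY. A matching guard after the `CERT_DestroyCertificate(nssCert);` line, `if (!status->mServerCert) return NS_ERROR_OUT_OF_MEMORY;`, would stop a failed allocation from yielding a status object with no server certificate. GetRecentBadCert continues outside the hunk.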


@ -21,14 +21,14 @@
#include "nsSDR.h"
#include "nsNSSComponent.h"
#include "nsNSSShutDown.h"
#include "ScopedNSSTypes.h"
#include "pk11func.h"
#include "pk11sdr.h" // For PK11SDR_Encrypt, PK11SDR_Decrypt
#include "ssl.h" // For SSL_ClearSessionCache
using namespace mozilla;
#include "nsNSSCleaner.h"
NSSCleanupAutoPtrClass(PK11SlotInfo, PK11_FreeSlot)
// Standard ISupports implementation
// NOTE: Should these be the thread-safe versions?
@ -51,7 +51,8 @@ Encrypt(unsigned char * data, int32_t dataLen, unsigned char * *result, int32_t
{
nsNSSShutDownPreventionLock locker;
nsresult rv = NS_OK;
ScopedPK11SlotInfo slot;
PK11SlotInfo *slot = 0;
PK11SlotInfoCleaner tmpSlotCleaner(slot);
SECItem keyid;
SECItem request;
SECItem reply;
@ -93,7 +94,8 @@ Decrypt(unsigned char * data, int32_t dataLen, unsigned char * *result, int32_t
{
nsNSSShutDownPreventionLock locker;
nsresult rv = NS_OK;
ScopedPK11SlotInfo slot;
PK11SlotInfo *slot = 0;
PK11SlotInfoCleaner tmpSlotCleaner(slot);
SECStatus s;
SECItem request;
SECItem reply;
@ -198,12 +200,16 @@ ChangePassword()
{
nsNSSShutDownPreventionLock locker;
nsresult rv;
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
PK11SlotInfo *slot;
slot = PK11_GetInternalKeySlot();
if (!slot) return NS_ERROR_NOT_AVAILABLE;
/* Convert UTF8 token name to UCS2 */
NS_ConvertUTF8toUTF16 tokenName(PK11_GetTokenName(slot));
PK11_FreeSlot(slot);
/* Get the set password dialog handler imlementation */
nsCOMPtr<nsITokenPasswordDialogs> dialogs;