diff --git a/security/manager/ssl/PublicKeyPinningService.cpp b/security/manager/ssl/PublicKeyPinningService.cpp index 5ee65eb3e692..5d4c46afed6d 100644 --- a/security/manager/ssl/PublicKeyPinningService.cpp +++ b/security/manager/ssl/PublicKeyPinningService.cpp @@ -209,7 +209,7 @@ static nsresult FindPinningInformation( if (found && (evalHost == hostname || includeSubdomains)) { MOZ_LOG(gPublicKeyPinningLog, LogLevel::Debug, ("pkpin: Found dyn match for host: '%s'\n", evalHost)); - dynamicFingerprints = pinArray; + dynamicFingerprints = std::move(pinArray); return NS_OK; } diff --git a/security/manager/ssl/SSLServerCertVerification.cpp b/security/manager/ssl/SSLServerCertVerification.cpp index 33c88a1f12aa..46ffbb488d03 100644 --- a/security/manager/ssl/SSLServerCertVerification.cpp +++ b/security/manager/ssl/SSLServerCertVerification.cpp 
@@ -1099,16 +1099,18 @@ Result AuthCertificate( nsTArray> peerCertsBytes; // Don't include the end-entity certificate. if (!peerCertChain.IsEmpty()) { - peerCertsBytes.AppendElements(peerCertChain.Elements() + 1, - peerCertChain.Length() - 1); + std::transform( + peerCertChain.cbegin() + 1, peerCertChain.cend(), + MakeBackInserter(peerCertsBytes), + [](const auto& elementArray) { return elementArray.Clone(); }); } Result rv = certVerifier.VerifySSLServerCert( cert, time, aPinArg, aHostName, builtCertChain, certVerifierFlags, - Some(peerCertsBytes), stapledOCSPResponse, sctsFromTLSExtension, dcInfo, - aOriginAttributes, saveIntermediates, &evOidPolicy, &ocspStaplingStatus, - &keySizeStatus, &sha1ModeResult, &pinningTelemetryInfo, - &certificateTransparencyInfo, &crliteTelemetryInfo, + Some(std::move(peerCertsBytes)), stapledOCSPResponse, + sctsFromTLSExtension, dcInfo, aOriginAttributes, saveIntermediates, + &evOidPolicy, &ocspStaplingStatus, &keySizeStatus, &sha1ModeResult, + &pinningTelemetryInfo, &certificateTransparencyInfo, &crliteTelemetryInfo, &aIsCertChainRootBuiltInRoot); CollectCertTelemetry(rv, evOidPolicy, ocspStaplingStatus, keySizeStatus, @@ -1528,7 +1530,7 @@ SECStatus AuthCertificateHookWithInfo( // we currently only support single stapled responses Maybe> stapledOCSPResponse; if (stapledOCSPResponses && (stapledOCSPResponses->Length() == 1)) { - stapledOCSPResponse.emplace(stapledOCSPResponses->ElementAt(0)); + stapledOCSPResponse.emplace(stapledOCSPResponses->ElementAt(0).Clone()); } uint32_t certVerifierFlags = 0; diff --git a/security/manager/ssl/SSLServerCertVerification.h b/security/manager/ssl/SSLServerCertVerification.h index 54ffa74c8e21..06c5755584b0 100644 --- a/security/manager/ssl/SSLServerCertVerification.h +++ b/security/manager/ssl/SSLServerCertVerification.h 
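Review bot: In the AuthCertificate hunk, the `std::transform` into `MakeBackInserter(peerCertsBytes)` grows the array one element at a time even though the final size is known. Calling `peerCertsBytes.SetCapacity(peerCertChain.Length() - 1);` inside the `!peerCertChain.IsEmpty()` guard, before the transform, would avoid repeated reallocation while deep-copying what is presumably a peer-supplied chain. That same guard is what keeps `peerCertChain.cbegin() + 1` in range, which is worth a few words next to the existing `// Don't include the end-entity certificate.` comment. After `Some(std::move(peerCertsBytes))` the local is moved-from, and the function body continues outside the hunk, so confirm that nothing later reads it.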
@@ -93,6 +93,8 @@ class SSLServerCertVerificationResult final class SSLServerCertVerificationJob : public Runnable { public: + SSLServerCertVerificationJob(const SSLServerCertVerificationJob&) = delete; + // Must be called only on the socket transport thread static SECStatus Dispatch(uint64_t addrForLogging, void* aPinArg, const UniqueCERTCertificate& serverCert, diff --git a/security/manager/ssl/SecretDecoderRing.cpp b/security/manager/ssl/SecretDecoderRing.cpp index 198dcad24f9e..b77e453bca3e 100644 --- a/security/manager/ssl/SecretDecoderRing.cpp +++ b/security/manager/ssl/SecretDecoderRing.cpp @@ -206,7 +206,8 @@ SecretDecoderRing::AsyncEncryptStrings(const nsTArray& plaintexts, // plaintexts are already expected to be UTF-8. nsCOMPtr runnable(NS_NewRunnableFunction( - "BackgroundSdrEncryptStrings", [promise, plaintexts]() mutable { + "BackgroundSdrEncryptStrings", + [promise, plaintexts = plaintexts.Clone()]() mutable { BackgroundSdrEncryptStrings(plaintexts, promise); })); @@ -263,7 +264,8 @@ SecretDecoderRing::AsyncDecryptStrings( // encryptedStrings are expected to be base64. nsCOMPtr runnable(NS_NewRunnableFunction( - "BackgroundSdrDecryptStrings", [promise, encryptedStrings]() mutable { + "BackgroundSdrDecryptStrings", + [promise, encryptedStrings = encryptedStrings.Clone()]() mutable { BackgroundSdrDecryptStrings(encryptedStrings, promise); })); diff --git a/security/manager/ssl/VerifySSLServerCertChild.cpp b/security/manager/ssl/VerifySSLServerCertChild.cpp index ede14b538671..019a51346365 100644 --- a/security/manager/ssl/VerifySSLServerCertChild.cpp +++ b/security/manager/ssl/VerifySSLServerCertChild.cpp 
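Review bot: The added `SSLServerCertVerificationJob(const SSLServerCertVerificationJob&) = delete;` removes only the copy constructor, so copy assignment is left to whatever the compiler derives from the members and the `Runnable` base. Deleting it alongside, with `SSLServerCertVerificationJob& operator=(const SSLServerCertVerificationJob&) = delete;`, states the intent in one place. A one-line comment saying why the job must not be copied would also help; the members are not visible here, so the wording should follow what they actually own. The class body continues outside the hunk.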
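Review bot: The init-capture `plaintexts = plaintexts.Clone()` in the AsyncEncryptStrings hunk shadows the parameter of the same name, and nothing says the deep copy is deliberate. The same applies to `encryptedStrings = encryptedStrings.Clone()` in the AsyncDecryptStrings hunk. A comment above each lambda such as `// Deep copy on purpose: the argument is a const reference and the runnable may run after this call returns.` would stop a later reader from replacing the clone with a reference capture that dangles. It is also worth stating there that the closure holds a second in-memory copy of the plaintexts until the runnable is destroyed. Both function bodies continue outside the hunks, and the AsyncDecryptStrings parameter type is not visible, so confirm it before copying the wording.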
@@ -76,8 +76,8 @@ SECStatus RemoteProcessCertVerification( return SECFailure; } - nsTArray serverCertSerialized; - serverCertSerialized.AppendElements(aCert->derCert.data, aCert->derCert.len); + const ByteArray serverCertSerialized = + CopyableTArray{aCert->derCert.data, aCert->derCert.len}; nsTArray peerCertBytes; for (auto& certBytes : aPeerCertChain) { diff --git a/security/manager/ssl/VerifySSLServerCertParent.cpp b/security/manager/ssl/VerifySSLServerCertParent.cpp index 17aa22c04517..f85a0cd82775 100644 --- a/security/manager/ssl/VerifySSLServerCertParent.cpp +++ b/security/manager/ssl/VerifySSLServerCertParent.cpp @@ -141,12 +141,12 @@ bool VerifySSLServerCertParent::Dispatch( Maybe> stapledOCSPResponse; if (aStapledOCSPResponse) { - stapledOCSPResponse.emplace(aStapledOCSPResponse->data()); + stapledOCSPResponse.emplace(aStapledOCSPResponse->data().Clone()); } Maybe> sctsFromTLSExtension; if (aSctsFromTLSExtension) { - sctsFromTLSExtension.emplace(aSctsFromTLSExtension->data()); + sctsFromTLSExtension.emplace(aSctsFromTLSExtension->data().Clone()); } Maybe dcInfo; diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp index 5ecc18d5ec10..288fa4ee55c6 100644 --- a/security/manager/ssl/nsNSSIOLayer.cpp +++ b/security/manager/ssl/nsNSSIOLayer.cpp @@ -1815,7 +1815,7 @@ class RemoteClientAuthDataRunnable : public ClientAuthDataRunnable { protected: virtual void RunOnTargetThread() override; - nsTArray mBuiltChain; + CopyableTArray mBuiltChain; }; nsTArray> CollectCANames(CERTDistNames* caNames) { @@ -2250,7 +2250,7 @@ void ClientAuthDataRunnable::RunOnTargetThread() { if (NS_WARN_IF(NS_FAILED(rv))) { return; } - mEnterpriseCertificates.AppendElements(enterpriseRoots); + mEnterpriseCertificates.AppendElements(std::move(enterpriseRoots)); if (NS_WARN_IF(NS_FAILED(CheckForSmartCardChanges()))) { return; 
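Review bot: In the RemoteProcessCertVerification hunk, `CopyableTArray{aCert->derCert.data, aCert->derCert.len}` uses brace initialization for a (pointer, length) construction. A reader can mistake that for a two-element list, and it would silently change meaning if an initializer-list constructor ever became viable for these argument types; putting the two arguments in parentheses makes the constructor choice explicit. The same expression appears with `mServerCert->derCert` in the `RemoteClientAuthDataRunnable::RunOnTargetThread` hunk of nsNSSIOLayer.cpp. Neither hunk shows a null check on the certificate pointer before `->derCert` is read, though both functions start outside the hunks, so that may already be handled above.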
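Review bot: `mBuiltChain` in RemoteClientAuthDataRunnable becomes a `CopyableTArray`, which re-enables implicit copies of that member while the other hunks make copies explicit with `Clone()` or `std::move`. A comment on the declaration naming what requires it to be copyable would help, e.g. `// CopyableTArray because <call site that copies the chain>` (placeholder, since the use is not visible in this hunk). If there is only one copy site, keeping `nsTArray` and calling `Clone()` there would match the rest of the change. The class body continues outside the hunk.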
@@ -2475,9 +2475,8 @@ mozilla::pkix::Result RemoteClientAuthDataRunnable::BuildChainForCertificate( void RemoteClientAuthDataRunnable::RunOnTargetThread() { MOZ_ASSERT(NS_IsMainThread()); - nsTArray serverCertSerialized; - serverCertSerialized.AppendElements(mServerCert->derCert.data, - mServerCert->derCert.len); + const ByteArray serverCertSerialized = CopyableTArray{ + mServerCert->derCert.data, mServerCert->derCert.len}; // Note that client cert is NULL in socket process until bug 1632809 is done. Maybe clientCertSerialized; diff --git a/security/manager/ssl/nsSiteSecurityService.cpp b/security/manager/ssl/nsSiteSecurityService.cpp index 740a52743398..a411c163abb9 100644 --- a/security/manager/ssl/nsSiteSecurityService.cpp +++ b/security/manager/ssl/nsSiteSecurityService.cpp @@ -379,7 +379,7 @@ SiteHPKPState::SiteHPKPState(const nsCString& aHost, mExpireTime(aExpireTime), mState(aState), mIncludeSubdomains(aIncludeSubdomains), - mSHA256keys(aSHA256keys) {} + mSHA256keys(aSHA256keys.Clone()) {} NS_IMETHODIMP SiteHPKPState::GetHostname(nsACString& aHostname) { @@ -1662,7 +1662,7 @@ nsSiteSecurityService::GetKeyPinsForHostname( foundEntry = privateEntry; } } - pinArray = foundEntry->mSHA256keys; + pinArray = foundEntry->mSHA256keys.Clone(); *aIncludeSubdomains = foundEntry->mIncludeSubdomains; *aFound = true; return NS_OK;