From b5df830a0d5d22381ee8e5fe1d06725c76cd94ea Mon Sep 17 00:00:00 2001
From: John Schanck
Date: Thu, 18 Jul 2024 16:53:57 +0000
Subject: [PATCH] Bug 1899431 - Use SSL_PeerCertificateChainDER in SSLServerCertVerification. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D211944
---
 .../manager/ssl/SSLServerCertVerification.cpp | 20 +++++++++++--------
 security/manager/ssl/ScopedNSSTypes.h | 6 ++++++
 security/nss.symbols | 1 +
 3 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/security/manager/ssl/SSLServerCertVerification.cpp b/security/manager/ssl/SSLServerCertVerification.cpp
index 81ce5b78aadb..e94216e286a6 100644
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@@ -697,12 +697,12 @@ PRErrorCode AuthCertificateParseResults(
 }
 static nsTArray> CreateCertBytesArray(
- const UniqueCERTCertList& aCertChain) {
+ const UniqueSECItemArray& aCertChain) {
 nsTArray> certsBytes;
- for (CERTCertListNode* n = CERT_LIST_HEAD(aCertChain);
- !CERT_LIST_END(n, aCertChain); n = CERT_LIST_NEXT(n)) {
+ for (size_t i = 0; i < aCertChain->len; i++) {
 nsTArray certBytes;
- certBytes.AppendElements(n->cert->derCert.data, n->cert->derCert.len);
+ certBytes.AppendElements(aCertChain->items[i].data,
+ aCertChain->items[i].len);
 certsBytes.AppendElement(std::move(certBytes));
 }
 return certsBytes;
@@ -921,11 +921,15 @@ SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig,
 return SECFailure;
 }
- UniqueCERTCertList peerCertChain(SSL_PeerCertificateChain(fd));
- if (!peerCertChain) {
+ UniqueSECItemArray peerCertChain;
+ SECStatus rv =
+ SSL_PeerCertificateChainDER(fd, TempPtrToSetter(&peerCertChain));
+ if (rv != SECSuccess) {
 PR_SetError(PR_INVALID_STATE_ERROR, 0);
 return SECFailure;
 }
+ MOZ_ASSERT(peerCertChain,
+ "AuthCertificateHook: peerCertChain unexpectedly null");
 nsTArray> peerCertsBytes =
 CreateCertBytesArray(peerCertChain);
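Review bot: CreateCertBytesArray dereferences aCertChain (`aCertChain->len`, `aCertChain->items[i]`) with no null check, and the only guard is the caller's MOZ_ASSERT in AuthCertificateHook, which is compiled out of release builds; an early `if (!aCertChain) { return certsBytes; }` makes the helper safe on its own. The loop also appends one element at a time, so `certsBytes.SetCapacity(aCertChain->len);` before the loop avoids repeated reallocation. A one-line comment above the signature, `// Copies each DER-encoded certificate in aCertChain into its own byte array, preserving the array's order.`, would document the new contract for readers who no longer see CERTCertList in the signature.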
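Review bot: The added check rejects only a failed SSL_PeerCertificateChainDER call; a SECSuccess that leaves peerCertChain null is caught by MOZ_ASSERT in debug builds only, and in release builds it reaches CreateCertBytesArray, which dereferences the array. Either the assertion should become part of the failure path, `if (rv != SECSuccess || !peerCertChain) {`, or a comment should state why NSS cannot return success with a null array. It is also not visible here whether a zero-length array is possible on success; if it is, the hook would now continue with an empty peerCertsBytes where the old `!peerCertChain` check presumably failed the handshake, so that case is worth confirming. AuthCertificateHook begins and ends outside this hunk.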
@@ -964,8 +968,8 @@ SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig,
 // Get DC information
 Maybe dcInfo;
 SSLPreliminaryChannelInfo channelPreInfo;
- SECStatus rv = SSL_GetPreliminaryChannelInfo(fd, &channelPreInfo,
- sizeof(channelPreInfo));
+ rv = SSL_GetPreliminaryChannelInfo(fd, &channelPreInfo,
+ sizeof(channelPreInfo));
 if (rv != SECSuccess) {
 PR_SetError(PR_INVALID_STATE_ERROR, 0);
 return SECFailure;
diff --git a/security/manager/ssl/ScopedNSSTypes.h b/security/manager/ssl/ScopedNSSTypes.h
index 6ae25db8681d..aa42cd65bc7e 100644
--- a/security/manager/ssl/ScopedNSSTypes.h
+++ b/security/manager/ssl/ScopedNSSTypes.h
@@ -369,6 +369,10 @@ inline void SECITEM_FreeItem_true(SECItem* s) {
 return SECITEM_FreeItem(s, true);
 }
+inline void SECITEM_FreeArray_true(SECItemArray* s) {
+ return SECITEM_FreeArray(s, true);
+}
+
 inline void SECOID_DestroyAlgorithmID_true(SECAlgorithmID* a) {
 return SECOID_DestroyAlgorithmID(a, true);
 }
@@ -432,6 +436,8 @@ MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECAlgorithmID, SECAlgorithmID,
 internal::SECOID_DestroyAlgorithmID_true)
 MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECItem, SECItem,
 internal::SECITEM_FreeItem_true)
+MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECItemArray, SECItemArray,
+ internal::SECITEM_FreeArray_true)
 MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECKEYPrivateKey, SECKEYPrivateKey,
 SECKEY_DestroyPrivateKey)
 MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueSECKEYPrivateKeyList,
diff --git a/security/nss.symbols b/security/nss.symbols
index 24db983063d2..0c0294b117ff 100644
--- a/security/nss.symbols
+++ b/security/nss.symbols
@@ -531,6 +531,7 @@ SECITEM_CopyItem_Util
 SECITEM_DupArray
 SECITEM_DupItem
 SECITEM_DupItem_Util
+SECITEM_FreeArray
 SECITEM_FreeItem
 SECITEM_FreeItem_Util
 SECITEM_HashCompare
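Review bot: SECITEM_FreeArray_true is undocumented, like its neighbours, but since it becomes the deleter behind the new UniqueSECItemArray a reader needs to know what the `true` argument releases; a comment such as `// Deleter for UniqueSECItemArray: frees each item's data and the SECItemArray struct itself.` above the definition would carry that. The `return` of a void expression is legal and matches SECITEM_FreeItem_true, so that is only a consistency choice. The definition is self-contained within the hunk.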