| author | David Keeler <dkeeler@mozilla.com> |
| Tue, 23 Jan 2018 10:37:47 -0800 | |
| changeset 402141 | b2b6ca8d0f70173d7b18bca53fa4e7a57dba9a14 |
| parent 402140 | c0cef2d01295fce0ac263fcc6c1283e7264ef29a |
| child 402142 | ecb9941ee0344bd6952724e371589c3d0834e30d |
| push id | 99498 |
| push user | rgurzau@mozilla.com |
| push date | Thu, 01 Feb 2018 21:59:17 +0000 |
| treeherder | mozilla-inbound@b76c08a1f5b3 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | mt, ttaubert |
| bugs | 1421084, 1417680 |
| milestone | 60.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/dom/crypto/CryptoKey.cpp +++ b/dom/crypto/CryptoKey.cpp @@ -157,17 +157,16 @@ CryptoKey::CryptoKey(nsIGlobalObject* aG , mSymKey() , mPrivateKey(nullptr) , mPublicKey(nullptr) { } CryptoKey::~CryptoKey() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } JSObject* @@ -324,18 +323,16 @@ CryptoKey::AddPublicKeyData(SECKEYPublic { // This should be a private key. MOZ_ASSERT(GetKeyType() == PRIVATE); // There should be a private NSS key with type 'EC'. MOZ_ASSERT(mPrivateKey && mPrivateKey->keyType == ecKey); // The given public key should have the same key type. MOZ_ASSERT(aPublicKey->keyType == mPrivateKey->keyType); - nsNSSShutDownPreventionLock locker; - // Read EC params. ScopedAutoSECItem params; SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, mPrivateKey.get(), CKA_EC_PARAMS, ¶ms); if (rv != SECSuccess) { return NS_ERROR_DOM_OPERATION_ERR; } @@ -450,32 +447,28 @@ nsresult CryptoKey::SetSymKey(const Cryp } return NS_OK; } nsresult CryptoKey::SetPrivateKey(SECKEYPrivateKey* aPrivateKey) { - nsNSSShutDownPreventionLock locker; - if (!aPrivateKey || isAlreadyShutDown()) { mPrivateKey = nullptr; return NS_OK; } mPrivateKey = UniqueSECKEYPrivateKey(SECKEY_CopyPrivateKey(aPrivateKey)); return mPrivateKey ? NS_OK : NS_ERROR_OUT_OF_MEMORY; } nsresult CryptoKey::SetPublicKey(SECKEYPublicKey* aPublicKey) { - nsNSSShutDownPreventionLock locker; - if (!aPublicKey || isAlreadyShutDown()) { mPublicKey = nullptr; return NS_OK; } mPublicKey = UniqueSECKEYPublicKey(SECKEY_CopyPublicKey(aPublicKey)); return mPublicKey ? NS_OK : NS_ERROR_OUT_OF_MEMORY; } @@ -484,27 +477,25 @@ const CryptoBuffer& CryptoKey::GetSymKey() const { return mSymKey; } UniqueSECKEYPrivateKey CryptoKey::GetPrivateKey() const { - nsNSSShutDownPreventionLock locker; if (!mPrivateKey || isAlreadyShutDown()) { return nullptr; } return UniqueSECKEYPrivateKey(SECKEY_CopyPrivateKey(mPrivateKey.get())); } UniqueSECKEYPublicKey CryptoKey::GetPublicKey() const { - nsNSSShutDownPreventionLock locker; if (!mPublicKey || isAlreadyShutDown()) { return nullptr; } return UniqueSECKEYPublicKey(SECKEY_CopyPublicKey(mPublicKey.get())); } void CryptoKey::virtualDestroyNSSReference() { @@ -516,18 +507,17 @@ void CryptoKey::destructorSafeDestroyNSS mPrivateKey = nullptr; mPublicKey = nullptr; } // Serialization and deserialization convenience methods UniqueSECKEYPrivateKey -CryptoKey::PrivateKeyFromPkcs8(CryptoBuffer& aKeyData, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) +CryptoKey::PrivateKeyFromPkcs8(CryptoBuffer& aKeyData) { UniquePK11SlotInfo slot(PK11_GetInternalSlot()); if (!slot) { return nullptr; } UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); if (!arena) { @@ -550,18 +540,17 @@ CryptoKey::PrivateKeyFromPkcs8(CryptoBuf if (rv == SECFailure) { return nullptr; } return UniqueSECKEYPrivateKey(privKey); } UniqueSECKEYPublicKey -CryptoKey::PublicKeyFromSpki(CryptoBuffer& aKeyData, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) +CryptoKey::PublicKeyFromSpki(CryptoBuffer& aKeyData) { UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); if (!arena) { return nullptr; } SECItem spkiItem = { siBuffer, nullptr, 0 }; if (!aKeyData.ToSECItem(arena.get(), &spkiItem)) { @@ -608,19 +597,17 @@ CryptoKey::PublicKeyFromSpki(CryptoBuffe if (!tmp.get() || !PublicKeyValid(tmp.get())) { return nullptr; } return UniqueSECKEYPublicKey(SECKEY_CopyPublicKey(tmp.get())); } nsresult -CryptoKey::PrivateKeyToPkcs8(SECKEYPrivateKey* aPrivKey, - CryptoBuffer& aRetVal, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) +CryptoKey::PrivateKeyToPkcs8(SECKEYPrivateKey* aPrivKey, CryptoBuffer& aRetVal) { UniqueSECItem pkcs8Item(PK11_ExportDERPrivateKeyInfo(aPrivKey, nullptr)); if (!pkcs8Item.get()) { return NS_ERROR_DOM_INVALID_ACCESS_ERR; } if (!aRetVal.Assign(pkcs8Item.get())) { return NS_ERROR_DOM_OPERATION_ERR; } @@ -657,19 +644,17 @@ PublicDhKeyToSpki(SECKEYPublicKey* aPubK // The public value is a BIT_STRING encoded as an INTEGER. After encoding // an INT we need to adjust the length to reflect the number of bits. aSpki->subjectPublicKey.len <<= 3; return NS_OK; } nsresult -CryptoKey::PublicKeyToSpki(SECKEYPublicKey* aPubKey, - CryptoBuffer& aRetVal, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) +CryptoKey::PublicKeyToSpki(SECKEYPublicKey* aPubKey, CryptoBuffer& aRetVal) { UniqueCERTSubjectPublicKeyInfo spki; // NSS doesn't support exporting DH public keys. if (aPubKey->keyType == dhKey) { // Mimic the behavior of SECKEY_CreateSubjectPublicKeyInfo() and create // a new arena for the SPKI object. UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); @@ -746,18 +731,17 @@ CreateECPointForCoordinates(const Crypto point->data[0] = EC_POINT_FORM_UNCOMPRESSED; memcpy(point->data + 1, aX.Elements(), aX.Length()); memcpy(point->data + 1 + aX.Length(), aY.Elements(), aY.Length()); return point; } UniqueSECKEYPrivateKey -CryptoKey::PrivateKeyFromJwk(const JsonWebKey& aJwk, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) +CryptoKey::PrivateKeyFromJwk(const JsonWebKey& aJwk) { CK_OBJECT_CLASS privateKeyValue = CKO_PRIVATE_KEY; CK_BBOOL falseValue = CK_FALSE; if (aJwk.mKty.EqualsLiteral(JWK_TYPE_EC)) { // Verify that all of the required parameters are present CryptoBuffer x, y, d; if (!aJwk.mCrv.WasPassed() || @@ -933,19 +917,17 @@ ECKeyToJwk(const PK11ObjectType aKeyType return false; } aRetVal.mKty = NS_LITERAL_STRING(JWK_TYPE_EC); return true; } nsresult -CryptoKey::PrivateKeyToJwk(SECKEYPrivateKey* aPrivKey, - JsonWebKey& aRetVal, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) +CryptoKey::PrivateKeyToJwk(SECKEYPrivateKey* aPrivKey, JsonWebKey& aRetVal) { switch (aPrivKey->keyType) { case rsaKey: { aRetVal.mN.Construct(); aRetVal.mE.Construct(); aRetVal.mD.Construct(); aRetVal.mP.Construct(); aRetVal.mQ.Construct(); @@ -1038,18 +1020,17 @@ CreateECPublicKey(const SECItem* aKeyDat if (!CryptoKey::PublicKeyValid(key.get())) { return nullptr; } return UniqueSECKEYPublicKey(SECKEY_CopyPublicKey(key.get())); } UniqueSECKEYPublicKey -CryptoKey::PublicKeyFromJwk(const JsonWebKey& aJwk, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) +CryptoKey::PublicKeyFromJwk(const JsonWebKey& aJwk) { if (aJwk.mKty.EqualsLiteral(JWK_TYPE_RSA)) { // Verify that all of the required parameters are present CryptoBuffer n, e; if (!aJwk.mN.WasPassed() || NS_FAILED(n.FromJwkBase64(aJwk.mN.Value())) || !aJwk.mE.WasPassed() || NS_FAILED(e.FromJwkBase64(aJwk.mE.Value()))) { return nullptr; } @@ -1106,19 +1087,17 @@ CryptoKey::PublicKeyFromJwk(const JsonWe return CreateECPublicKey(point, namedCurve); } return nullptr; } nsresult -CryptoKey::PublicKeyToJwk(SECKEYPublicKey* aPubKey, - JsonWebKey& aRetVal, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) +CryptoKey::PublicKeyToJwk(SECKEYPublicKey* aPubKey, JsonWebKey& aRetVal) { switch (aPubKey->keyType) { case rsaKey: { CryptoBuffer n, e; aRetVal.mN.Construct(); aRetVal.mE.Construct(); if (!n.Assign(&aPubKey->u.rsa.modulus) || @@ -1140,18 +1119,17 @@ CryptoKey::PublicKeyToJwk(SECKEYPublicKe default: return NS_ERROR_DOM_NOT_SUPPORTED_ERR; } } UniqueSECKEYPublicKey CryptoKey::PublicDhKeyFromRaw(CryptoBuffer& aKeyData, const CryptoBuffer& aPrime, - const CryptoBuffer& aGenerator, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) + const CryptoBuffer& aGenerator) { UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); if (!arena) { return nullptr; } SECKEYPublicKey* key = PORT_ArenaZNew(arena.get(), SECKEYPublicKey); if (!key) { @@ -1172,30 +1150,27 @@ CryptoKey::PublicDhKeyFromRaw(CryptoBuff key->u.dh.prime.type = siUnsignedInteger; key->u.dh.base.type = siUnsignedInteger; key->u.dh.publicValue.type = siUnsignedInteger; return UniqueSECKEYPublicKey(SECKEY_CopyPublicKey(key)); } nsresult -CryptoKey::PublicDhKeyToRaw(SECKEYPublicKey* aPubKey, - CryptoBuffer& aRetVal, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) +CryptoKey::PublicDhKeyToRaw(SECKEYPublicKey* aPubKey, CryptoBuffer& aRetVal) { if (!aRetVal.Assign(&aPubKey->u.dh.publicValue)) { return NS_ERROR_DOM_OPERATION_ERR; } return NS_OK; } UniqueSECKEYPublicKey CryptoKey::PublicECKeyFromRaw(CryptoBuffer& aKeyData, - const nsString& aNamedCurve, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) + const nsString& aNamedCurve) { UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); if (!arena) { return nullptr; } SECItem rawItem = { siBuffer, nullptr, 0 }; if (!aKeyData.ToSECItem(arena.get(), &rawItem)) { @@ -1223,19 +1198,17 @@ CryptoKey::PublicECKeyFromRaw(CryptoBuff if (rawItem.data[0] != EC_POINT_FORM_UNCOMPRESSED) { return nullptr; } return CreateECPublicKey(&rawItem, aNamedCurve); } nsresult -CryptoKey::PublicECKeyToRaw(SECKEYPublicKey* aPubKey, - CryptoBuffer& aRetVal, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) +CryptoKey::PublicECKeyToRaw(SECKEYPublicKey* aPubKey, CryptoBuffer& aRetVal) { if (!aRetVal.Assign(&aPubKey->u.ec.publicValue)) { return NS_ERROR_DOM_OPERATION_ERR; } return NS_OK; } bool @@ -1256,53 +1229,50 @@ CryptoKey::PublicKeyValid(SECKEYPublicKe SECStatus rv = PK11_DestroyObject(slot.get(), id); return (rv == SECSuccess); } bool CryptoKey::WriteStructuredClone(JSStructuredCloneWriter* aWriter) const { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return false; } // Write in five pieces // 1. Attributes // 2. Symmetric key as raw (if present) // 3. Private key as pkcs8 (if present) // 4. Public key as spki (if present) // 5. Algorithm in whatever form it chooses CryptoBuffer priv, pub; if (mPrivateKey) { - if (NS_FAILED(CryptoKey::PrivateKeyToPkcs8(mPrivateKey.get(), priv, - locker))) { + if (NS_FAILED(CryptoKey::PrivateKeyToPkcs8(mPrivateKey.get(), priv))) { return false; } } if (mPublicKey) { - if (NS_FAILED(CryptoKey::PublicKeyToSpki(mPublicKey.get(), pub, locker))) { + if (NS_FAILED(CryptoKey::PublicKeyToSpki(mPublicKey.get(), pub))) { return false; } } return JS_WriteUint32Pair(aWriter, mAttributes, CRYPTOKEY_SC_VERSION) && WriteBuffer(aWriter, mSymKey) && WriteBuffer(aWriter, priv) && WriteBuffer(aWriter, pub) && mAlgorithm.WriteStructuredClone(aWriter); } bool CryptoKey::ReadStructuredClone(JSStructuredCloneReader* aReader) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return false; } // Ensure that NSS is initialized. if (!EnsureNSSInitializedChromeOrContent()) { return false; } @@ -1319,20 +1289,20 @@ CryptoKey::ReadStructuredClone(JSStructu if (!read) { return false; } if (sym.Length() > 0 && !mSymKey.Assign(sym)) { return false; } if (priv.Length() > 0) { - mPrivateKey = CryptoKey::PrivateKeyFromPkcs8(priv, locker); + mPrivateKey = CryptoKey::PrivateKeyFromPkcs8(priv); } if (pub.Length() > 0) { - mPublicKey = CryptoKey::PublicKeyFromSpki(pub, locker); + mPublicKey = CryptoKey::PublicKeyFromSpki(pub); } // Ensure that what we've read is consistent // If the attributes indicate a key type, should have a key of that type if (!((GetKeyType() == SECRET && mSymKey.Length() > 0) || (GetKeyType() == PRIVATE && mPrivateKey) || (GetKeyType() == PUBLIC && mPublicKey))) { return false;
--- a/dom/crypto/CryptoKey.h +++ b/dom/crypto/CryptoKey.h @@ -140,60 +140,44 @@ public: virtual void virtualDestroyNSSReference() override; void destructorSafeDestroyNSSReference(); // Serialization and deserialization convenience methods // Note: // 1. The inputs aKeyData are non-const only because the NSS import // functions lack the const modifier. They should not be modified. // 2. All of the NSS key objects returned need to be freed by the caller. - static UniqueSECKEYPrivateKey PrivateKeyFromPkcs8( - CryptoBuffer& aKeyData, - const nsNSSShutDownPreventionLock& /*proofOfLock*/); + static UniqueSECKEYPrivateKey PrivateKeyFromPkcs8(CryptoBuffer& aKeyData); static nsresult PrivateKeyToPkcs8(SECKEYPrivateKey* aPrivKey, - CryptoBuffer& aRetVal, - const nsNSSShutDownPreventionLock& /*proofOfLock*/); + CryptoBuffer& aRetVal); - static UniqueSECKEYPublicKey PublicKeyFromSpki( - CryptoBuffer& aKeyData, - const nsNSSShutDownPreventionLock& /*proofOfLock*/); + static UniqueSECKEYPublicKey PublicKeyFromSpki(CryptoBuffer& aKeyData); static nsresult PublicKeyToSpki(SECKEYPublicKey* aPubKey, - CryptoBuffer& aRetVal, - const nsNSSShutDownPreventionLock& /*proofOfLock*/); + CryptoBuffer& aRetVal); - static UniqueSECKEYPrivateKey PrivateKeyFromJwk( - const JsonWebKey& aJwk, - const nsNSSShutDownPreventionLock& /*proofOfLock*/); + static UniqueSECKEYPrivateKey PrivateKeyFromJwk(const JsonWebKey& aJwk); static nsresult PrivateKeyToJwk(SECKEYPrivateKey* aPrivKey, - JsonWebKey& aRetVal, - const nsNSSShutDownPreventionLock& /*proofOfLock*/); + JsonWebKey& aRetVal); - static UniqueSECKEYPublicKey PublicKeyFromJwk( - const JsonWebKey& aKeyData, - const nsNSSShutDownPreventionLock& /*proofOfLock*/); + static UniqueSECKEYPublicKey PublicKeyFromJwk(const JsonWebKey& aKeyData); static nsresult PublicKeyToJwk(SECKEYPublicKey* aPubKey, - JsonWebKey& aRetVal, - const nsNSSShutDownPreventionLock& /*proofOfLock*/); + JsonWebKey& aRetVal); static UniqueSECKEYPublicKey PublicDhKeyFromRaw( CryptoBuffer& aKeyData, const CryptoBuffer& aPrime, - const CryptoBuffer& aGenerator, - const nsNSSShutDownPreventionLock& /*proofOfLock*/); + const CryptoBuffer& aGenerator); static nsresult PublicDhKeyToRaw(SECKEYPublicKey* aPubKey, - CryptoBuffer& aRetVal, - const nsNSSShutDownPreventionLock& /*proofOfLock*/); + CryptoBuffer& aRetVal); static UniqueSECKEYPublicKey PublicECKeyFromRaw( CryptoBuffer& aKeyData, - const nsString& aNamedCurve, - const nsNSSShutDownPreventionLock& /*proofOfLock*/); + const nsString& aNamedCurve); static nsresult PublicECKeyToRaw(SECKEYPublicKey* aPubKey, - CryptoBuffer& aRetVal, - const nsNSSShutDownPreventionLock& /*proofOfLock*/); + CryptoBuffer& aRetVal); static bool PublicKeyValid(SECKEYPublicKey* aPubKey); // Structured clone methods use these to clone keys bool WriteStructuredClone(JSStructuredCloneWriter* aWriter) const; bool ReadStructuredClone(JSStructuredCloneReader* aReader); private:
--- a/dom/crypto/WebCryptoTask.cpp +++ b/dom/crypto/WebCryptoTask.cpp @@ -400,18 +400,16 @@ WebCryptoTask::DispatchWithPromise(Promi MAYBE_EARLY_FAIL(mEarlyRv) } NS_IMETHODIMP WebCryptoTask::Run() { // Run heavy crypto operations on the thread pool, off the original thread. if (!IsOnOriginalThread()) { - nsNSSShutDownPreventionLock locker; - if (isAlreadyShutDown()) { mRv = NS_ERROR_NOT_AVAILABLE; } else { mRv = CalculateResult(); } // Back to the original thread, i.e. continue below. mOriginalEventTarget->Dispatch(this, NS_DISPATCH_NORMAL); @@ -1764,48 +1762,46 @@ public: private: nsString mHashName; uint32_t mModulusLength; CryptoBuffer mPublicExponent; virtual nsresult DoCrypto() override { - nsNSSShutDownPreventionLock locker; - // Import the key data itself UniqueSECKEYPublicKey pubKey; UniqueSECKEYPrivateKey privKey; if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_SPKI) || (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_JWK) && !mJwk.mD.WasPassed())) { // Public key import if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_SPKI)) { - pubKey = CryptoKey::PublicKeyFromSpki(mKeyData, locker); + pubKey = CryptoKey::PublicKeyFromSpki(mKeyData); } else { - pubKey = CryptoKey::PublicKeyFromJwk(mJwk, locker); + pubKey = CryptoKey::PublicKeyFromJwk(mJwk); } if (!pubKey) { return NS_ERROR_DOM_DATA_ERR; } if (NS_FAILED(mKey->SetPublicKey(pubKey.get()))) { return NS_ERROR_DOM_OPERATION_ERR; } mKey->SetType(CryptoKey::PUBLIC); } else if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_PKCS8) || (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_JWK) && mJwk.mD.WasPassed())) { // Private key import if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_PKCS8)) { - privKey = CryptoKey::PrivateKeyFromPkcs8(mKeyData, locker); + privKey = CryptoKey::PrivateKeyFromPkcs8(mKeyData); } else { - privKey = CryptoKey::PrivateKeyFromJwk(mJwk, locker); + privKey = CryptoKey::PrivateKeyFromJwk(mJwk); } if (!privKey) { return NS_ERROR_DOM_DATA_ERR; } if (NS_FAILED(mKey->SetPrivateKey(privKey.get()))) { return NS_ERROR_DOM_OPERATION_ERR; @@ -1916,40 +1912,39 @@ private: nsString mNamedCurve; virtual nsresult DoCrypto() override { // Import the key data itself UniqueSECKEYPublicKey pubKey; UniqueSECKEYPrivateKey privKey; - nsNSSShutDownPreventionLock locker; if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_JWK) && mJwk.mD.WasPassed()) { // Private key import - privKey = CryptoKey::PrivateKeyFromJwk(mJwk, locker); + privKey = CryptoKey::PrivateKeyFromJwk(mJwk); if (!privKey) { return NS_ERROR_DOM_DATA_ERR; } if (NS_FAILED(mKey->SetPrivateKey(privKey.get()))) { return NS_ERROR_DOM_OPERATION_ERR; } mKey->SetType(CryptoKey::PRIVATE); } else if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_RAW) || mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_SPKI) || (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_JWK) && !mJwk.mD.WasPassed())) { // Public key import if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_RAW)) { - pubKey = CryptoKey::PublicECKeyFromRaw(mKeyData, mNamedCurve, locker); + pubKey = CryptoKey::PublicECKeyFromRaw(mKeyData, mNamedCurve); } else if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_SPKI)) { - pubKey = CryptoKey::PublicKeyFromSpki(mKeyData, locker); + pubKey = CryptoKey::PublicKeyFromSpki(mKeyData); } else if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_JWK)) { - pubKey = CryptoKey::PublicKeyFromJwk(mJwk, locker); + pubKey = CryptoKey::PublicKeyFromJwk(mJwk); } else { MOZ_ASSERT(false); } if (!pubKey) { return NS_ERROR_DOM_DATA_ERR; } @@ -2068,25 +2063,23 @@ private: CryptoBuffer mPrime; CryptoBuffer mGenerator; virtual nsresult DoCrypto() override { // Import the key data itself UniqueSECKEYPublicKey pubKey; - nsNSSShutDownPreventionLock locker; if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_RAW) || mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_SPKI)) { // Public key import if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_RAW)) { - pubKey = CryptoKey::PublicDhKeyFromRaw(mKeyData, mPrime, mGenerator, - locker); + pubKey = CryptoKey::PublicDhKeyFromRaw(mKeyData, mPrime, mGenerator); } else if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_SPKI)) { - pubKey = CryptoKey::PublicKeyFromSpki(mKeyData, locker); + pubKey = CryptoKey::PublicKeyFromSpki(mKeyData); } else { MOZ_ASSERT(false); } if (!pubKey) { return NS_ERROR_DOM_DATA_ERR; } @@ -2153,31 +2146,27 @@ private: virtual void ReleaseNSSResources() override { mPrivateKey = nullptr; mPublicKey = nullptr; } virtual nsresult DoCrypto() override { - nsNSSShutDownPreventionLock locker; - if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_RAW)) { if (mPublicKey && mPublicKey->keyType == dhKey) { - nsresult rv = CryptoKey::PublicDhKeyToRaw(mPublicKey.get(), mResult, - locker); + nsresult rv = CryptoKey::PublicDhKeyToRaw(mPublicKey.get(), mResult); if (NS_FAILED(rv)) { return NS_ERROR_DOM_OPERATION_ERR; } return NS_OK; } if (mPublicKey && mPublicKey->keyType == ecKey) { - nsresult rv = CryptoKey::PublicECKeyToRaw(mPublicKey.get(), mResult, - locker); + nsresult rv = CryptoKey::PublicECKeyToRaw(mPublicKey.get(), mResult); if (NS_FAILED(rv)) { return NS_ERROR_DOM_OPERATION_ERR; } return NS_OK; } mResult = mSymKey; if (mResult.Length() == 0) { @@ -2187,56 +2176,55 @@ private: return NS_OK; } else if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_PKCS8)) { if (!mPrivateKey) { return NS_ERROR_DOM_NOT_SUPPORTED_ERR; } switch (mPrivateKey->keyType) { case rsaKey: { - nsresult rv = CryptoKey::PrivateKeyToPkcs8(mPrivateKey.get(), mResult, locker); + nsresult rv = CryptoKey::PrivateKeyToPkcs8(mPrivateKey.get(), mResult); if (NS_FAILED(rv)) { return NS_ERROR_DOM_OPERATION_ERR; } return NS_OK; } default: return NS_ERROR_DOM_NOT_SUPPORTED_ERR; } } else if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_SPKI)) { if (!mPublicKey) { return NS_ERROR_DOM_NOT_SUPPORTED_ERR; } - return CryptoKey::PublicKeyToSpki(mPublicKey.get(), mResult, locker); + return CryptoKey::PublicKeyToSpki(mPublicKey.get(), mResult); } else if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_JWK)) { if (mKeyType == CryptoKey::SECRET) { nsString k; nsresult rv = mSymKey.ToJwkBase64(k); if (NS_FAILED(rv)) { return NS_ERROR_DOM_OPERATION_ERR; } mJwk.mK.Construct(k); mJwk.mKty = NS_LITERAL_STRING(JWK_TYPE_SYMMETRIC); } else if (mKeyType == CryptoKey::PUBLIC) { if (!mPublicKey) { return NS_ERROR_DOM_UNKNOWN_ERR; } - nsresult rv = CryptoKey::PublicKeyToJwk(mPublicKey.get(), mJwk, locker); + nsresult rv = CryptoKey::PublicKeyToJwk(mPublicKey.get(), mJwk); if (NS_FAILED(rv)) { return NS_ERROR_DOM_OPERATION_ERR; } } else if (mKeyType == CryptoKey::PRIVATE) { if (!mPrivateKey) { return NS_ERROR_DOM_UNKNOWN_ERR; } - nsresult rv = CryptoKey::PrivateKeyToJwk(mPrivateKey.get(), mJwk, - locker); + nsresult rv = CryptoKey::PrivateKeyToJwk(mPrivateKey.get(), mJwk); if (NS_FAILED(rv)) { return NS_ERROR_DOM_OPERATION_ERR; } } if (!mAlg.IsEmpty()) { mJwk.mAlg.Construct(mAlg); } @@ -3733,17 +3721,16 @@ WebCryptoTask::WebCryptoTask() , mRv(NS_ERROR_NOT_INITIALIZED) { } WebCryptoTask::~WebCryptoTask() { MOZ_ASSERT(mReleasedNSSResources); - nsNSSShutDownPreventionLock lock; if (!isAlreadyShutDown()) { shutdown(ShutdownCalledFrom::Object); } if (mWorkerHolder) { NS_ProxyRelease( "WebCryptoTask::mWorkerHolder", mOriginalEventTarget, mWorkerHolder.forget());
--- a/dom/media/webrtc/RTCCertificate.cpp +++ b/dom/media/webrtc/RTCCertificate.cpp @@ -303,17 +303,16 @@ RTCCertificate::RTCCertificate(nsIGlobal mCertificate(aCertificate), mAuthType(aAuthType), mExpires(aExpires) { } RTCCertificate::~RTCCertificate() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } // This creates some interesting lifecycle consequences, since the DtlsIdentity @@ -325,17 +324,16 @@ RTCCertificate::~RTCCertificate() // have a lifetime that is strictly shorter than the RTCCertificate. // // RTCPeerConnection provides this guarantee by holding a strong reference to // the RTCCertificate. It will cleanup any DtlsIdentity instances that it // creates before the RTCCertificate reference is released. RefPtr<DtlsIdentity> RTCCertificate::CreateDtlsIdentity() const { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown() || !mPrivateKey || !mCertificate) { return nullptr; } UniqueSECKEYPrivateKey key(SECKEY_CopyPrivateKey(mPrivateKey.get())); UniqueCERTCertificate cert(CERT_DupCertificate(mCertificate.get())); RefPtr<DtlsIdentity> id = new DtlsIdentity(Move(key), Move(cert), mAuthType); return id; } @@ -355,96 +353,90 @@ RTCCertificate::virtualDestroyNSSReferen void RTCCertificate::destructorSafeDestroyNSSReference() { mPrivateKey.reset(); mCertificate.reset(); } bool -RTCCertificate::WritePrivateKey(JSStructuredCloneWriter* aWriter, - const nsNSSShutDownPreventionLock& aLockProof) const +RTCCertificate::WritePrivateKey(JSStructuredCloneWriter* aWriter) const { JsonWebKey jwk; - nsresult rv = CryptoKey::PrivateKeyToJwk(mPrivateKey.get(), jwk, aLockProof); + nsresult rv = CryptoKey::PrivateKeyToJwk(mPrivateKey.get(), jwk); if (NS_FAILED(rv)) { return false; } nsString json; if (!jwk.ToJSON(json)) { return false; } return WriteString(aWriter, json); } bool -RTCCertificate::WriteCertificate(JSStructuredCloneWriter* aWriter, - const nsNSSShutDownPreventionLock& /*proof*/) const +RTCCertificate::WriteCertificate(JSStructuredCloneWriter* aWriter) const { UniqueCERTCertificateList certs(CERT_CertListFromCert(mCertificate.get())); if (!certs || certs->len <= 0) { return false; } if (!JS_WriteUint32Pair(aWriter, certs->certs[0].len, 0)) { return false; } return JS_WriteBytes(aWriter, certs->certs[0].data, certs->certs[0].len); } bool RTCCertificate::WriteStructuredClone(JSStructuredCloneWriter* aWriter) const { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown() || !mPrivateKey || !mCertificate) { return false; } return JS_WriteUint32Pair(aWriter, RTCCERTIFICATE_SC_VERSION, mAuthType) && JS_WriteUint32Pair(aWriter, (mExpires >> 32) & 0xffffffff, mExpires & 0xffffffff) && - WritePrivateKey(aWriter, locker) && - WriteCertificate(aWriter, locker); + WritePrivateKey(aWriter) && + WriteCertificate(aWriter); } bool -RTCCertificate::ReadPrivateKey(JSStructuredCloneReader* aReader, - const nsNSSShutDownPreventionLock& aLockProof) +RTCCertificate::ReadPrivateKey(JSStructuredCloneReader* aReader) { nsString json; if (!ReadString(aReader, json)) { return false; } JsonWebKey jwk; if (!jwk.Init(json)) { return false; } - mPrivateKey = CryptoKey::PrivateKeyFromJwk(jwk, aLockProof); + mPrivateKey = CryptoKey::PrivateKeyFromJwk(jwk); return !!mPrivateKey; } bool -RTCCertificate::ReadCertificate(JSStructuredCloneReader* aReader, - const nsNSSShutDownPreventionLock& /*proof*/) +RTCCertificate::ReadCertificate(JSStructuredCloneReader* aReader) { CryptoBuffer cert; if (!ReadBuffer(aReader, cert) || cert.Length() == 0) { return false; } SECItem der = { siBuffer, cert.Elements(), static_cast<unsigned int>(cert.Length()) }; mCertificate.reset(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der, nullptr, true, true)); return !!mCertificate; } bool RTCCertificate::ReadStructuredClone(JSStructuredCloneReader* aReader) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return false; } uint32_t version, authType; if (!JS_ReadUint32Pair(aReader, &version, &authType) || version != RTCCERTIFICATE_SC_VERSION) { return false; @@ -452,14 +444,14 @@ RTCCertificate::ReadStructuredClone(JSSt mAuthType = static_cast<SSLKEAType>(authType); uint32_t high, low; if (!JS_ReadUint32Pair(aReader, &high, &low)) { return false; } mExpires = static_cast<PRTime>(high) << 32 | low; - return ReadPrivateKey(aReader, locker) && - ReadCertificate(aReader, locker); + return ReadPrivateKey(aReader) && + ReadCertificate(aReader); } } // namespace dom } // namespace mozilla
--- a/dom/media/webrtc/RTCCertificate.h +++ b/dom/media/webrtc/RTCCertificate.h @@ -71,24 +71,20 @@ public: bool WriteStructuredClone(JSStructuredCloneWriter* aWriter) const; bool ReadStructuredClone(JSStructuredCloneReader* aReader); private: ~RTCCertificate(); void operator=(const RTCCertificate&) = delete; RTCCertificate(const RTCCertificate&) = delete; - bool ReadCertificate(JSStructuredCloneReader* aReader, - const nsNSSShutDownPreventionLock& /*lockproof*/); - bool ReadPrivateKey(JSStructuredCloneReader* aReader, - const nsNSSShutDownPreventionLock& aLockProof); - bool WriteCertificate(JSStructuredCloneWriter* aWriter, - const nsNSSShutDownPreventionLock& /*lockproof*/) const; - bool WritePrivateKey(JSStructuredCloneWriter* aWriter, - const nsNSSShutDownPreventionLock& aLockProof) const; + bool ReadCertificate(JSStructuredCloneReader* aReader); + bool ReadPrivateKey(JSStructuredCloneReader* aReader); + bool WriteCertificate(JSStructuredCloneWriter* aWriter) const; + bool WritePrivateKey(JSStructuredCloneWriter* aWriter) const; RefPtr<nsIGlobalObject> mGlobal; UniqueSECKEYPrivateKey mPrivateKey; UniqueCERTCertificate mCertificate; SSLKEAType mAuthType; PRTime mExpires; };
--- a/dom/webauthn/U2FSoftTokenManager.cpp +++ b/dom/webauthn/U2FSoftTokenManager.cpp @@ -65,17 +65,16 @@ enum SoftTokenHandle { U2FSoftTokenManager::U2FSoftTokenManager(uint32_t aCounter) : mInitialized(false), mCounter(aCounter) {} U2FSoftTokenManager::~U2FSoftTokenManager() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } @@ -97,19 +96,17 @@ U2FSoftTokenManager::destructorSafeDestr * keys found are not returned. * PK11_GetNextSymKey() should not be called on the returned key. * * @param aSlot Slot to search. * @param aNickname Nickname the key should have. * @return The first key found. nullptr if no key could be found. */ static UniquePK11SymKey -GetSymKeyByNickname(const UniquePK11SlotInfo& aSlot, - const nsCString& aNickname, - const nsNSSShutDownPreventionLock&) +GetSymKeyByNickname(const UniquePK11SlotInfo& aSlot, const nsCString& aNickname) { MOZ_ASSERT(aSlot); if (NS_WARN_IF(!aSlot)) { return nullptr; } MOZ_LOG(gNSSTokenLog, LogLevel::Debug, ("Searching for a symmetric key named %s", aNickname.get())); @@ -135,18 +132,17 @@ GetSymKeyByNickname(const UniquePK11Slot } return keyListHead; } static nsresult GenEcKeypair(const UniquePK11SlotInfo& aSlot, /*out*/ UniqueSECKEYPrivateKey& aPrivKey, - /*out*/ UniqueSECKEYPublicKey& aPubKey, - const nsNSSShutDownPreventionLock&) + /*out*/ UniqueSECKEYPublicKey& aPubKey) { MOZ_ASSERT(aSlot); if (NS_WARN_IF(!aSlot)) { return NS_ERROR_INVALID_ARG; } UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); if (NS_WARN_IF(!arena)) { @@ -177,27 +173,26 @@ GenEcKeypair(const UniquePK11SlotInfo& a if (NS_WARN_IF(aPubKey->u.ec.publicValue.len != kPublicKeyLen)) { return NS_ERROR_FAILURE; } return NS_OK; } nsresult -U2FSoftTokenManager::GetOrCreateWrappingKey(const UniquePK11SlotInfo& aSlot, - const nsNSSShutDownPreventionLock& locker) +U2FSoftTokenManager::GetOrCreateWrappingKey(const UniquePK11SlotInfo& aSlot) { MOZ_ASSERT(aSlot); if (NS_WARN_IF(!aSlot)) { return NS_ERROR_INVALID_ARG; } // Search for an existing wrapping key. If we find it, // store it for later and mark ourselves initialized. - mWrappingKey = GetSymKeyByNickname(aSlot, mSecretNickname, locker); + mWrappingKey = GetSymKeyByNickname(aSlot, mSecretNickname); if (mWrappingKey) { MOZ_LOG(gNSSTokenLog, LogLevel::Debug, ("U2F Soft Token Key found.")); mInitialized = true; return NS_OK; } MOZ_LOG(gNSSTokenLog, LogLevel::Info, ("No keys found. Generating new U2F Soft Token wrapping key.")); @@ -239,28 +234,27 @@ U2FSoftTokenManager::GetOrCreateWrapping })); return NS_OK; } static nsresult GetAttestationCertificate(const UniquePK11SlotInfo& aSlot, /*out*/ UniqueSECKEYPrivateKey& aAttestPrivKey, - /*out*/ UniqueCERTCertificate& aAttestCert, - const nsNSSShutDownPreventionLock& locker) + /*out*/ UniqueCERTCertificate& aAttestCert) { MOZ_ASSERT(aSlot); if (NS_WARN_IF(!aSlot)) { return NS_ERROR_INVALID_ARG; } UniqueSECKEYPublicKey pubKey; // Construct an ephemeral keypair for this Attestation Certificate - nsresult rv = GenEcKeypair(aSlot, aAttestPrivKey, pubKey, locker); + nsresult rv = GenEcKeypair(aSlot, aAttestPrivKey, pubKey); if (NS_WARN_IF(NS_FAILED(rv) || !aAttestPrivKey || !pubKey)) { MOZ_LOG(gNSSTokenLog, LogLevel::Warning, ("Failed to gen keypair, NSS error #%d", PORT_GetError())); return NS_ERROR_FAILURE; } // Construct the Attestation Certificate itself UniqueCERTName subjectName(CERT_AsciiToName(kAttestCertSubjectName.get())); @@ -367,44 +361,42 @@ GetAttestationCertificate(const UniquePK nsresult U2FSoftTokenManager::Init() { // If we've already initialized, just return. if (mInitialized) { return NS_OK; } - nsNSSShutDownPreventionLock locker; if (NS_WARN_IF(isAlreadyShutDown())) { return NS_ERROR_NOT_AVAILABLE; } UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); MOZ_ASSERT(slot.get()); // Search for an existing wrapping key, or create one. - nsresult rv = GetOrCreateWrappingKey(slot, locker); + nsresult rv = GetOrCreateWrappingKey(slot); if (NS_WARN_IF(NS_FAILED(rv))) { return rv; } mInitialized = true; MOZ_LOG(gNSSTokenLog, LogLevel::Debug, ("U2F Soft Token initialized.")); return NS_OK; } // Convert a Private Key object into an opaque key handle, using AES Key Wrap // with the long-lived aPersistentKey mixed with aAppParam to convert aPrivKey. // The key handle's format is version || saltLen || salt || wrappedPrivateKey static UniqueSECItem KeyHandleFromPrivateKey(const UniquePK11SlotInfo& aSlot, const UniquePK11SymKey& aPersistentKey, uint8_t* aAppParam, uint32_t aAppParamLen, - const UniqueSECKEYPrivateKey& aPrivKey, - const nsNSSShutDownPreventionLock&) + const UniqueSECKEYPrivateKey& aPrivKey) { MOZ_ASSERT(aSlot); MOZ_ASSERT(aPersistentKey); MOZ_ASSERT(aAppParam); MOZ_ASSERT(aPrivKey); if (NS_WARN_IF(!aSlot || !aPersistentKey || !aPrivKey || !aAppParam)) { return nullptr; } @@ -487,18 +479,17 @@ KeyHandleFromPrivateKey(const UniquePK11 // Convert an opaque key handle aKeyHandle back into a Private Key object, using // the long-lived aPersistentKey mixed with aAppParam and the AES Key Wrap // algorithm. static UniqueSECKEYPrivateKey PrivateKeyFromKeyHandle(const UniquePK11SlotInfo& aSlot, const UniquePK11SymKey& aPersistentKey, uint8_t* aKeyHandle, uint32_t aKeyHandleLen, - uint8_t* aAppParam, uint32_t aAppParamLen, - const nsNSSShutDownPreventionLock&) + uint8_t* aAppParam, uint32_t aAppParamLen) { MOZ_ASSERT(aSlot); MOZ_ASSERT(aPersistentKey); MOZ_ASSERT(aKeyHandle); MOZ_ASSERT(aAppParam); MOZ_ASSERT(aAppParamLen == SHA256_LENGTH); if (NS_WARN_IF(!aSlot || !aPersistentKey || !aKeyHandle || !aAppParam || aAppParamLen != SHA256_LENGTH)) { @@ -574,17 +565,16 @@ PrivateKeyFromKeyHandle(const UniquePK11 } // IsRegistered determines if the provided key handle is usable by this token. nsresult U2FSoftTokenManager::IsRegistered(const nsTArray<uint8_t>& aKeyHandle, const nsTArray<uint8_t>& aAppParam, bool& aResult) { - nsNSSShutDownPreventionLock locker; if (NS_WARN_IF(isAlreadyShutDown())) { return NS_ERROR_FAILURE; } if (!mInitialized) { nsresult rv = Init(); if (NS_WARN_IF(NS_FAILED(rv))) { return rv; @@ -594,18 +584,17 @@ U2FSoftTokenManager::IsRegistered(const UniquePK11SlotInfo slot(PK11_GetInternalSlot()); MOZ_ASSERT(slot.get()); // Decode the key handle UniqueSECKEYPrivateKey privKey = PrivateKeyFromKeyHandle(slot, mWrappingKey, const_cast<uint8_t*>(aKeyHandle.Elements()), aKeyHandle.Length(), const_cast<uint8_t*>(aAppParam.Elements()), - aAppParam.Length(), - locker); + aAppParam.Length()); aResult = privKey.get() != nullptr; return NS_OK; } // A U2F Register operation causes a new key pair to be generated by the token. // The token then returns the public key of the key pair, and a handle to the // private key, which is a fancy way of saying "key wrapped private key", as // well as the generated attestation certificate and a signature using that @@ -626,17 +615,16 @@ U2FSoftTokenManager::IsRegistered(const // RefPtr<U2FRegisterPromise> U2FSoftTokenManager::Register(const nsTArray<WebAuthnScopedCredential>& aCredentials, const WebAuthnAuthenticatorSelection &aAuthenticatorSelection, const nsTArray<uint8_t>& aApplication, const nsTArray<uint8_t>& aChallenge, uint32_t aTimeoutMS) { - nsNSSShutDownPreventionLock locker; if (NS_WARN_IF(isAlreadyShutDown())) { return U2FRegisterPromise::CreateAndReject(NS_ERROR_NOT_AVAILABLE, __func__); } if (!mInitialized) { nsresult rv = Init(); if (NS_WARN_IF(NS_FAILED(rv))) { return U2FRegisterPromise::CreateAndReject(rv, __func__); @@ -667,37 +655,36 @@ U2FSoftTokenManager::Register(const nsTA MOZ_ASSERT(mWrappingKey); UniquePK11SlotInfo slot(PK11_GetInternalSlot()); MOZ_ASSERT(slot.get()); // Construct a one-time-use Attestation Certificate UniqueSECKEYPrivateKey attestPrivKey; UniqueCERTCertificate attestCert; - nsresult rv = GetAttestationCertificate(slot, attestPrivKey, attestCert, - locker); + nsresult rv = GetAttestationCertificate(slot, attestPrivKey, attestCert); if (NS_WARN_IF(NS_FAILED(rv))) { return U2FRegisterPromise::CreateAndReject(NS_ERROR_FAILURE, __func__); } MOZ_ASSERT(attestCert); MOZ_ASSERT(attestPrivKey); // Generate a new keypair; the private will be wrapped into a Key Handle UniqueSECKEYPrivateKey privKey; UniqueSECKEYPublicKey pubKey; - rv = GenEcKeypair(slot, privKey, pubKey, locker); + rv = GenEcKeypair(slot, privKey, pubKey); if (NS_WARN_IF(NS_FAILED(rv))) { return U2FRegisterPromise::CreateAndReject(NS_ERROR_FAILURE, __func__); } // The key handle will be the result of keywrap(privKey, key=mWrappingKey) UniqueSECItem keyHandleItem = KeyHandleFromPrivateKey(slot, mWrappingKey, const_cast<uint8_t*>(aApplication.Elements()), aApplication.Length(), - privKey, locker); + privKey); if (NS_WARN_IF(!keyHandleItem.get())) { return U2FRegisterPromise::CreateAndReject(NS_ERROR_FAILURE, __func__); } // Sign the challenge using the Attestation privkey (from attestCert) mozilla::dom::CryptoBuffer signedDataBuf; if (NS_WARN_IF(!signedDataBuf.SetCapacity(1 + aApplication.Length() + aChallenge.Length() + keyHandleItem->len + kPublicKeyLen, @@ -759,17 +746,16 @@ U2FSoftTokenManager::Register(const nsTA // RefPtr<U2FSignPromise> U2FSoftTokenManager::Sign(const nsTArray<WebAuthnScopedCredential>& aCredentials, const nsTArray<uint8_t>& aApplication, const nsTArray<uint8_t>& aChallenge, bool aRequireUserVerification, uint32_t aTimeoutMS) { - nsNSSShutDownPreventionLock locker; if (NS_WARN_IF(isAlreadyShutDown())) { return U2FSignPromise::CreateAndReject(NS_ERROR_NOT_AVAILABLE, __func__); } // The U2F softtoken doesn't support user verification. if (aRequireUserVerification) { return U2FSignPromise::CreateAndReject(NS_ERROR_DOM_NOT_ALLOWED_ERR, __func__); } @@ -802,18 +788,17 @@ U2FSoftTokenManager::Sign(const nsTArray return U2FSignPromise::CreateAndReject(NS_ERROR_ILLEGAL_VALUE, __func__); } // Decode the key handle UniqueSECKEYPrivateKey privKey = PrivateKeyFromKeyHandle(slot, mWrappingKey, const_cast<uint8_t*>(keyHandle.Elements()), keyHandle.Length(), const_cast<uint8_t*>(aApplication.Elements()), - aApplication.Length(), - locker); + aApplication.Length()); if (NS_WARN_IF(!privKey.get())) { MOZ_LOG(gNSSTokenLog, LogLevel::Warning, ("Couldn't get the priv key!")); return U2FSignPromise::CreateAndReject(NS_ERROR_FAILURE, __func__); } // Increment the counter and turn it into a SECItem mCounter += 1; ScopedAutoSECItem counterItem(4);
--- a/dom/webauthn/U2FSoftTokenManager.h +++ b/dom/webauthn/U2FSoftTokenManager.h @@ -53,17 +53,16 @@ private: const nsTArray<uint8_t>& aAppParam, bool& aResult); bool mInitialized; mozilla::UniquePK11SymKey mWrappingKey; static const nsCString mSecretNickname; - nsresult GetOrCreateWrappingKey(const mozilla::UniquePK11SlotInfo& aSlot, - const nsNSSShutDownPreventionLock&); + nsresult GetOrCreateWrappingKey(const mozilla::UniquePK11SlotInfo& aSlot); uint32_t mCounter; }; } // namespace dom } // namespace mozilla #endif // mozilla_dom_U2FSoftTokenManager_h
--- a/netwerk/base/BackgroundFileSaver.cpp +++ b/netwerk/base/BackgroundFileSaver.cpp @@ -113,17 +113,16 @@ BackgroundFileSaver::BackgroundFileSaver , mDigestContext(nullptr) { LOG(("Created BackgroundFileSaver [this = %p]", this)); } BackgroundFileSaver::~BackgroundFileSaver() { LOG(("Destroying BackgroundFileSaver [this = %p]", this)); - nsNSSShutDownPreventionLock lock; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } void @@ -548,17 +547,16 @@ BackgroundFileSaver::ProcessStateChange( rv = mPipeInputStream->Available(&available); if (NS_FAILED(rv)) { return NS_OK; } } // Create the digest context if requested and NSS hasn't been shut down. if (sha256Enabled && !mDigestContext) { - nsNSSShutDownPreventionLock lock; if (!isAlreadyShutDown()) { mDigestContext = UniquePK11Context( PK11_CreateDigestContext(SEC_OID_SHA256)); NS_ENSURE_TRUE(mDigestContext, NS_ERROR_OUT_OF_MEMORY); } } // When we are requested to append to an existing file, we should read the @@ -577,17 +575,16 @@ BackgroundFileSaver::ProcessStateChange( rv = inputStream->Read(buffer, BUFFERED_IO_SIZE, &count); NS_ENSURE_SUCCESS(rv, rv); if (count == 0) { // We reached the end of the file. break; } - nsNSSShutDownPreventionLock lock; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsresult rv = MapSECStatus( PK11_DigestOp(mDigestContext.get(), BitwiseCast<unsigned char*, char*>(buffer), count)); @@ -623,23 +620,21 @@ BackgroundFileSaver::ProcessStateChange( nsCOMPtr<nsIOutputStream> bufferedStream; rv = NS_NewBufferedOutputStream(getter_AddRefs(bufferedStream), outputStream.forget(), BUFFERED_IO_SIZE); NS_ENSURE_SUCCESS(rv, rv); outputStream = bufferedStream; // Wrap the output stream so that it feeds the digest context if needed. if (mDigestContext) { - // No need to acquire the NSS lock here, DigestOutputStream must acquire it - // in any case before each asynchronous write. Constructing the - // DigestOutputStream cannot fail. Passing mDigestContext to - // DigestOutputStream is safe, because BackgroundFileSaver always outlives - // the outputStream. BackgroundFileSaver is reference-counted before the - // call to AsyncCopy, and mDigestContext is never destroyed before - // AsyncCopyCallback. + // Constructing the DigestOutputStream cannot fail. Passing mDigestContext + // to DigestOutputStream is safe, because BackgroundFileSaver always + // outlives the outputStream. BackgroundFileSaver is reference-counted + // before the call to AsyncCopy, and mDigestContext is never destroyed + // before AsyncCopyCallback. outputStream = new DigestOutputStream(outputStream, mDigestContext.get()); } // Start copying our input to the target file. No errors can be raised past // this point if the copy starts, since they should be handled by the thread. { MutexAutoLock lock(mLock); @@ -719,17 +714,16 @@ BackgroundFileSaver::CheckCompletion() // Ensure we notify completion now that the operation finished. // Do a best-effort attempt to remove the file if required. if (failed && mActualTarget && !mActualTargetKeepPartial) { (void)mActualTarget->Remove(false); } // Finish computing the hash if (!failed && mDigestContext) { - nsNSSShutDownPreventionLock lock; if (!isAlreadyShutDown()) { Digest d; rv = d.End(SEC_OID_SHA256, mDigestContext); if (NS_SUCCEEDED(rv)) { MutexAutoLock lock(mLock); mSha256 = nsDependentCSubstring(BitwiseCast<char*, unsigned char*>(d.get().data), d.get().len); @@ -812,17 +806,16 @@ BackgroundFileSaver::NotifySaveComplete( return NS_OK; } nsresult BackgroundFileSaver::ExtractSignatureInfo(const nsAString& filePath) { MOZ_ASSERT(!NS_IsMainThread(), "Cannot extract signature on main thread"); - nsNSSShutDownPreventionLock nssLock; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } { MutexAutoLock lock(mLock); if (!mSignatureInfoEnabled) { return NS_OK; } @@ -1214,17 +1207,16 @@ DigestOutputStream::DigestOutputStream(n , mDigestContext(aContext) { MOZ_ASSERT(mDigestContext, "Can't have null digest context"); MOZ_ASSERT(mOutputStream, "Can't have null output stream"); } DigestOutputStream::~DigestOutputStream() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } shutdown(ShutdownCalledFrom::Object); } NS_IMETHODIMP DigestOutputStream::Close() @@ -1236,17 +1228,16 @@ NS_IMETHODIMP DigestOutputStream::Flush() { return mOutputStream->Flush(); } NS_IMETHODIMP DigestOutputStream::Write(const char* aBuf, uint32_t aCount, uint32_t* retval) { - nsNSSShutDownPreventionLock lock; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsresult rv = MapSECStatus( PK11_DigestOp(mDigestContext, BitwiseCast<const unsigned char*, const char*>(aBuf), aCount));
--- a/security/apps/AppSignatureVerification.cpp +++ b/security/apps/AppSignatureVerification.cpp @@ -734,20 +734,16 @@ GetSignerInfoForDigestAlgorithm(NSSCMSSi nsresult VerifySignature(AppTrustedRoot trustedRoot, const SECItem& buffer, const SECItem& detachedSHA1Digest, const SECItem& detachedSHA256Digest, /*out*/ SECOidTag& digestAlgorithm, /*out*/ UniqueCERTCertList& builtChain) { - // Currently, this function is only called within the CalculateResult() method - // of CryptoTasks. As such, NSS should not be shut down at this point and the - // CryptoTask implementation should already hold a nsNSSShutDownPreventionLock. - if (NS_WARN_IF(!buffer.data || buffer.len == 0 || !detachedSHA1Digest.data || detachedSHA1Digest.len == 0 || !detachedSHA256Digest.data || detachedSHA256Digest.len == 0)) { return NS_ERROR_INVALID_ARG; } UniqueNSSCMSMessage cmsMsg(NSS_CMSMessage_CreateFromDER(const_cast<SECItem*>(&buffer), nullptr,
--- a/security/certverifier/ExtendedValidation.cpp +++ b/security/certverifier/ExtendedValidation.cpp @@ -1080,17 +1080,17 @@ CertIsAuthoritativeForEVPolicy(const Uni return true; } } return false; } nsresult -LoadExtendedValidationInfo(const nsNSSShutDownPreventionLock& /*proofOfLock*/) +LoadExtendedValidationInfo() { static const char* sCABForumOIDString = "2.23.140.1.1"; static const char* sCABForumOIDDescription = "CA/Browser Forum EV OID"; ScopedAutoSECItem cabforumOIDItem; if (SEC_StringToOID(nullptr, &cabforumOIDItem, sCABForumOIDString, 0) != SECSuccess) { return NS_ERROR_FAILURE;
--- a/security/certverifier/ExtendedValidation.h +++ b/security/certverifier/ExtendedValidation.h @@ -9,18 +9,17 @@ #include "ScopedNSSTypes.h" #include "certt.h" #include "nsNSSShutDown.h" namespace mozilla { namespace pkix { struct CertPolicyId; } } namespace mozilla { namespace psm { -nsresult LoadExtendedValidationInfo( - const nsNSSShutDownPreventionLock& proofOfLock); +nsresult LoadExtendedValidationInfo(); /** * Finds the first policy OID in the given cert that is known to be an EV policy * OID. * * @param cert * The cert to find the first EV policy of. * @param policy
--- a/security/manager/ssl/ContentSignatureVerifier.cpp +++ b/security/manager/ssl/ContentSignatureVerifier.cpp @@ -39,17 +39,16 @@ using namespace mozilla::psm; static LazyLogModule gCSVerifierPRLog("ContentSignatureVerifier"); #define CSVerifier_LOG(args) MOZ_LOG(gCSVerifierPRLog, LogLevel::Debug, args) // Content-Signature prefix const nsLiteralCString kPREFIX = NS_LITERAL_CSTRING("Content-Signature:\x00"); ContentSignatureVerifier::~ContentSignatureVerifier() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } NS_IMETHODIMP @@ -76,18 +75,17 @@ ContentSignatureVerifier::VerifyContentS bool IsNewLine(char16_t c) { return c == '\n' || c == '\r'; } nsresult -ReadChainIntoCertList(const nsACString& aCertChain, CERTCertList* aCertList, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) +ReadChainIntoCertList(const nsACString& aCertChain, CERTCertList* aCertList) { bool inBlock = false; bool certFound = false; const nsCString header = NS_LITERAL_CSTRING("-----BEGIN CERTIFICATE-----"); const nsCString footer = NS_LITERAL_CSTRING("-----END CERTIFICATE-----"); nsCWhitespaceTokenizerTemplate<IsNewLine> tokenizer(aCertChain); @@ -143,28 +141,27 @@ ReadChainIntoCertList(const nsACString& } nsresult ContentSignatureVerifier::CreateContextInternal(const nsACString& aData, const nsACString& aCertChain, const nsACString& aName) { MOZ_ASSERT(NS_IsMainThread()); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { CSVerifier_LOG(("CSVerifier: nss is already shutdown\n")); return NS_ERROR_FAILURE; } UniqueCERTCertList certCertList(CERT_NewCertList()); if (!certCertList) { return NS_ERROR_OUT_OF_MEMORY; } - nsresult rv = ReadChainIntoCertList(aCertChain, certCertList.get(), locker); + nsresult rv = ReadChainIntoCertList(aCertChain, certCertList.get()); if (NS_FAILED(rv)) { return rv; } CERTCertListNode* node = CERT_LIST_HEAD(certCertList.get()); if (!node || CERT_LIST_END(node, certCertList.get()) || !node->cert) { return NS_ERROR_FAILURE; } @@ -275,22 +272,22 @@ ContentSignatureVerifier::CreateContextI } if (VFY_Begin(mCx.get()) != SECSuccess) { // Creating context failed. Accumulate(Telemetry::CONTENT_SIGNATURE_VERIFICATION_STATUS, 9); return NS_ERROR_INVALID_SIGNATURE; } - rv = UpdateInternal(kPREFIX, locker); + rv = UpdateInternal(kPREFIX); if (NS_FAILED(rv)) { return rv; } // add data if we got any - return UpdateInternal(aData, locker); + return UpdateInternal(aData); } nsresult ContentSignatureVerifier::DownloadCertChain() { MOZ_ASSERT(NS_IsMainThread()); if (mCertChainURL.IsEmpty()) { @@ -386,18 +383,17 @@ ContentSignatureVerifier::CreateContext( if (NS_FAILED(rv)) { return rv; } return CreateContextInternal(aData, aCertChain, aName); } nsresult -ContentSignatureVerifier::UpdateInternal( - const nsACString& aData, const nsNSSShutDownPreventionLock& /*proofOfLock*/) +ContentSignatureVerifier::UpdateInternal(const nsACString& aData) { if (!aData.IsEmpty()) { if (VFY_Update(mCx.get(), (const unsigned char*)nsPromiseFlatCString(aData).get(), aData.Length()) != SECSuccess){ return NS_ERROR_INVALID_SIGNATURE; } } return NS_OK; @@ -405,42 +401,40 @@ ContentSignatureVerifier::UpdateInternal /** * Add data to the context that shold be verified. */ NS_IMETHODIMP ContentSignatureVerifier::Update(const nsACString& aData) { MOZ_ASSERT(NS_IsMainThread()); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { CSVerifier_LOG(("CSVerifier: nss is already shutdown\n")); return NS_ERROR_FAILURE; } // If we didn't create the context yet, bail! if (!mHasCertChain) { MOZ_ASSERT_UNREACHABLE( "Someone called ContentSignatureVerifier::Update before " "downloading the cert chain."); return NS_ERROR_FAILURE; } - return UpdateInternal(aData, locker); + return UpdateInternal(aData); } /** * Finish signature verification and return the result in _retval. */ NS_IMETHODIMP ContentSignatureVerifier::End(bool* _retval) { NS_ENSURE_ARG(_retval); MOZ_ASSERT(NS_IsMainThread()); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { CSVerifier_LOG(("CSVerifier: nss is already shutdown\n")); return NS_ERROR_FAILURE; } // If we didn't create the context yet, bail! if (!mHasCertChain) { Accumulate(Telemetry::CONTENT_SIGNATURE_VERIFICATION_STATUS, 2);
--- a/security/manager/ssl/ContentSignatureVerifier.h +++ b/security/manager/ssl/ContentSignatureVerifier.h @@ -46,18 +46,17 @@ public: virtual void virtualDestroyNSSReference() override { destructorSafeDestroyNSSReference(); } private: ~ContentSignatureVerifier(); - nsresult UpdateInternal(const nsACString& aData, - const nsNSSShutDownPreventionLock& /*proofOfLock*/); + nsresult UpdateInternal(const nsACString& aData); nsresult DownloadCertChain(); nsresult CreateContextInternal(const nsACString& aData, const nsACString& aCertChain, const nsACString& aName); void destructorSafeDestroyNSSReference() { mCx = nullptr;
--- a/security/manager/ssl/CryptoTask.cpp +++ b/security/manager/ssl/CryptoTask.cpp @@ -8,17 +8,16 @@ #include "nsNSSComponent.h" namespace mozilla { CryptoTask::~CryptoTask() { MOZ_ASSERT(mReleasedNSSResources); - nsNSSShutDownPreventionLock lock; if (!isAlreadyShutDown()) { shutdown(ShutdownCalledFrom::Object); } } nsresult CryptoTask::Dispatch(const nsACString& taskThreadName) { @@ -41,17 +40,16 @@ CryptoTask::Dispatch(const nsACString& t // Note: event must not null out mThread! return mThread->Dispatch(this, NS_DISPATCH_NORMAL); } NS_IMETHODIMP CryptoTask::Run() { if (!NS_IsMainThread()) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { mRv = NS_ERROR_NOT_AVAILABLE; } else { mRv = CalculateResult(); } NS_DispatchToMainThread(this); } else { // back on the main thread
--- a/security/manager/ssl/PKCS11ModuleDB.cpp +++ b/security/manager/ssl/PKCS11ModuleDB.cpp @@ -20,28 +20,26 @@ namespace mozilla { namespace psm { NS_IMPL_ISUPPORTS(PKCS11ModuleDB, nsIPKCS11ModuleDB) PKCS11ModuleDB::PKCS11ModuleDB() { } PKCS11ModuleDB::~PKCS11ModuleDB() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } shutdown(ShutdownCalledFrom::Object); } // Delete a PKCS11 module from the user's profile. NS_IMETHODIMP PKCS11ModuleDB::DeleteModule(const nsAString& aModuleName) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (aModuleName.IsEmpty()) { return NS_ERROR_INVALID_ARG; } @@ -86,17 +84,16 @@ GetModuleNameForTelemetry(/*in*/ const S // Add a new PKCS11 module to the user's profile. NS_IMETHODIMP PKCS11ModuleDB::AddModule(const nsAString& aModuleName, const nsAString& aLibraryFullPath, int32_t aCryptoMechanismFlags, int32_t aCipherFlags) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (aModuleName.IsEmpty()) { return NS_ERROR_INVALID_ARG; } @@ -150,17 +147,16 @@ PKCS11ModuleDB::AddModule(const nsAStrin } NS_IMETHODIMP PKCS11ModuleDB::FindModuleByName(const nsACString& name, /*out*/ nsIPKCS11Module** _retval) { NS_ENSURE_ARG_POINTER(_retval); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsresult rv = BlockUntilLoadableRootsLoaded(); if (NS_FAILED(rv)) { return rv; } @@ -175,17 +171,16 @@ PKCS11ModuleDB::FindModuleByName(const n return NS_OK; } NS_IMETHODIMP PKCS11ModuleDB::ListModules(nsISimpleEnumerator** _retval) { NS_ENSURE_ARG_POINTER(_retval); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsresult rv = BlockUntilLoadableRootsLoaded(); if (NS_FAILED(rv)) { return rv; } @@ -219,30 +214,28 @@ PKCS11ModuleDB::ListModules(nsISimpleEnu return array->Enumerate(_retval); } NS_IMETHODIMP PKCS11ModuleDB::GetCanToggleFIPS(bool* aCanToggleFIPS) { NS_ENSURE_ARG_POINTER(aCanToggleFIPS); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } *aCanToggleFIPS = SECMOD_CanDeleteInternalModule(); return NS_OK; } NS_IMETHODIMP PKCS11ModuleDB::ToggleFIPSMode() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } // The way to toggle FIPS mode in NSS is extremely obscure. Basically, we // delete the internal module, and it gets replaced with the opposite module // (i.e. if it was FIPS before, then it becomes non-FIPS next). // SECMOD_GetInternalModule() returns a pointer to a local copy of the @@ -264,17 +257,16 @@ PKCS11ModuleDB::ToggleFIPSMode() return NS_OK; } NS_IMETHODIMP PKCS11ModuleDB::GetIsFIPSEnabled(bool* aIsFIPSEnabled) { NS_ENSURE_ARG_POINTER(aIsFIPSEnabled); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } *aIsFIPSEnabled = PK11_IsFIPS(); return NS_OK; }
--- a/security/manager/ssl/SSLServerCertVerification.cpp +++ b/security/manager/ssl/SSLServerCertVerification.cpp @@ -1517,21 +1517,18 @@ SSLServerCertVerificationJob::Dispatch( if (!gCertVerificationThreadPool) { PR_SetError(PR_INVALID_STATE_ERROR, 0); return SECFailure; } // Copy the certificate list so the runnable can take ownership of it in the // constructor. - // We can safely skip checking if NSS has already shut down here since we're - // in the middle of verifying a certificate. - nsNSSShutDownPreventionLock lock; UniqueCERTCertList peerCertChainCopy = - nsNSSCertList::DupCertList(peerCertChain, lock); + nsNSSCertList::DupCertList(peerCertChain); if (!peerCertChainCopy) { PR_SetError(SEC_ERROR_NO_MEMORY, 0); return SECFailure; } RefPtr<SSLServerCertVerificationJob> job( new SSLServerCertVerificationJob(certVerifier, fdForLogging, infoObject, serverCert, Move(peerCertChainCopy), @@ -1562,17 +1559,16 @@ SSLServerCertVerificationJob::Run() { // Runs on a cert verification thread MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("[%p] SSLServerCertVerificationJob::Run\n", mInfoObject.get())); PRErrorCode error; - nsNSSShutDownPreventionLock nssShutdownPrevention; if (mInfoObject->isAlreadyShutDown()) { error = SEC_ERROR_USER_CANCELLED; } else { Telemetry::HistogramID successTelemetry = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX; Telemetry::HistogramID failureTelemetry = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
--- a/security/manager/ssl/SecretDecoderRing.cpp +++ b/security/manager/ssl/SecretDecoderRing.cpp @@ -61,40 +61,38 @@ void BackgroundSdrEncryptStrings(const n } SecretDecoderRing::SecretDecoderRing() { } SecretDecoderRing::~SecretDecoderRing() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } shutdown(ShutdownCalledFrom::Object); } nsresult SecretDecoderRing::Encrypt(const nsACString& data, /*out*/ nsACString& result) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); if (!slot) { return NS_ERROR_NOT_AVAILABLE; } /* Make sure token is initialized. */ nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); - nsresult rv = setPassword(slot.get(), ctx, locker); + nsresult rv = setPassword(slot.get(), ctx); if (NS_FAILED(rv)) { return rv; } /* Force authentication */ if (PK11_Authenticate(slot.get(), true, ctx) != SECSuccess) { return NS_ERROR_FAILURE; } @@ -113,17 +111,16 @@ SecretDecoderRing::Encrypt(const nsACStr result.Assign(BitwiseCast<char*, unsigned char*>(reply.data), reply.len); return NS_OK; } nsresult SecretDecoderRing::Decrypt(const nsACString& data, /*out*/ nsACString& result) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } /* Find token with SDR key */ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); if (!slot) { return NS_ERROR_NOT_AVAILABLE; @@ -226,17 +223,16 @@ SecretDecoderRing::DecryptString(const n } return NS_OK; } NS_IMETHODIMP SecretDecoderRing::ChangePassword() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); if (!slot) { return NS_ERROR_NOT_AVAILABLE; } @@ -262,17 +258,16 @@ SecretDecoderRing::Logout() static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); nsresult rv; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_FAILED(rv)) return rv; { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } PK11_LogoutAll(); SSL_ClearSessionCache(); } @@ -285,17 +280,16 @@ SecretDecoderRing::LogoutAndTeardown() static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); nsresult rv; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_FAILED(rv)) return rv; { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } PK11_LogoutAll(); SSL_ClearSessionCache(); }
--- a/security/manager/ssl/TransportSecurityInfo.cpp +++ b/security/manager/ssl/TransportSecurityInfo.cpp @@ -45,17 +45,16 @@ TransportSecurityInfo::TransportSecurity , mErrorCode(0) , mErrorMessageType(SSLErrorMessageType::Plain) , mPort(0) { } TransportSecurityInfo::~TransportSecurityInfo() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return; shutdown(ShutdownCalledFrom::Object); } void TransportSecurityInfo::virtualDestroyNSSReference() @@ -1036,20 +1035,19 @@ TransportSecurityInfo::GetFailedCertChai NS_IF_ADDREF(*_result); return NS_OK; } nsresult TransportSecurityInfo::SetFailedCertChain(UniqueCERTCertList certList) { - nsNSSShutDownPreventionLock lock; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } // nsNSSCertList takes ownership of certList - mFailedCertChain = new nsNSSCertList(Move(certList), lock); + mFailedCertChain = new nsNSSCertList(Move(certList)); return NS_OK; } } } // namespace mozilla::psm
--- a/security/manager/ssl/nsCertTree.cpp +++ b/security/manager/ssl/nsCertTree.cpp @@ -603,42 +603,33 @@ nsCertTree::GetCertsByTypeFromCertList(C return NS_OK; } nsresult nsCertTree::GetCertsByType(uint32_t aType, nsCertCompareFunc aCertCmpFn, void *aCertCmpFnArg) { - nsNSSShutDownPreventionLock locker; nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext(); UniqueCERTCertList certList(PK11_ListCerts(PK11CertListUnique, cxt)); return GetCertsByTypeFromCertList(certList.get(), aType, aCertCmpFn, aCertCmpFnArg); } nsresult nsCertTree::GetCertsByTypeFromCache(nsIX509CertList *aCache, uint32_t aType, nsCertCompareFunc aCertCmpFn, void *aCertCmpFnArg) { NS_ENSURE_ARG_POINTER(aCache); - // GetRawCertList checks for NSS shutdown since we can't do it ourselves here - // easily. We still have to acquire a shutdown prevention lock to prevent NSS - // shutting down after GetRawCertList has returned. While cumbersome, this is - // at least mostly correct. The rest of this implementation doesn't even go - // this far in attempting to check for or prevent NSS shutdown at the - // appropriate times. If this were reimplemented at a higher level using - // more encapsulated types that handled NSS shutdown themselves, we wouldn't - // be having these kinds of problems. - nsNSSShutDownPreventionLock locker; CERTCertList* certList = aCache->GetRawCertList(); - if (!certList) + if (!certList) { return NS_ERROR_FAILURE; + } return GetCertsByTypeFromCertList(certList, aType, aCertCmpFn, aCertCmpFnArg); } // LoadCerts // // Load all of the certificates in the DB for this type. Sort them // by token, organization, then common name. NS_IMETHODIMP
--- a/security/manager/ssl/nsCryptoHash.cpp +++ b/security/manager/ssl/nsCryptoHash.cpp @@ -33,17 +33,16 @@ static const uint64_t STREAM_BUFFER_SIZE nsCryptoHash::nsCryptoHash() : mHashContext(nullptr) , mInitialized(false) { } nsCryptoHash::~nsCryptoHash() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } void @@ -58,17 +57,16 @@ nsCryptoHash::destructorSafeDestroyNSSRe mHashContext = nullptr; } NS_IMPL_ISUPPORTS(nsCryptoHash, nsICryptoHash) NS_IMETHODIMP nsCryptoHash::Init(uint32_t algorithm) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } HASH_HashType hashType; switch (algorithm) { case nsICryptoHash::MD2: hashType = HASH_AlgMD2; break; @@ -131,33 +129,31 @@ nsCryptoHash::InitWithString(const nsACS return Init(nsICryptoHash::SHA512); return NS_ERROR_INVALID_ARG; } NS_IMETHODIMP nsCryptoHash::Update(const uint8_t *data, uint32_t len) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (!mInitialized) { return NS_ERROR_NOT_INITIALIZED; } HASH_Update(mHashContext.get(), data, len); return NS_OK; } NS_IMETHODIMP nsCryptoHash::UpdateFromStream(nsIInputStream *data, uint32_t aLen) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (!mInitialized) return NS_ERROR_NOT_INITIALIZED; if (!data) @@ -204,17 +200,16 @@ nsCryptoHash::UpdateFromStream(nsIInputS } return NS_OK; } NS_IMETHODIMP nsCryptoHash::Finish(bool ascii, nsACString & _retval) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (!mInitialized) { return NS_ERROR_NOT_INITIALIZED; } @@ -241,17 +236,16 @@ NS_IMPL_ISUPPORTS(nsCryptoHMAC, nsICrypt nsCryptoHMAC::nsCryptoHMAC() : mHMACContext(nullptr) { } nsCryptoHMAC::~nsCryptoHMAC() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } void @@ -264,17 +258,16 @@ void nsCryptoHMAC::destructorSafeDestroyNSSReference() { mHMACContext = nullptr; } NS_IMETHODIMP nsCryptoHMAC::Init(uint32_t aAlgorithm, nsIKeyObject *aKeyObject) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (mHMACContext) { mHMACContext = nullptr; } @@ -321,17 +314,16 @@ nsCryptoHMAC::Init(uint32_t aAlgorithm, } return NS_OK; } NS_IMETHODIMP nsCryptoHMAC::Update(const uint8_t *aData, uint32_t aLen) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (!mHMACContext) return NS_ERROR_NOT_INITIALIZED; if (!aData) @@ -342,17 +334,16 @@ nsCryptoHMAC::Update(const uint8_t *aDat } return NS_OK; } NS_IMETHODIMP nsCryptoHMAC::UpdateFromStream(nsIInputStream *aStream, uint32_t aLen) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (!mHMACContext) return NS_ERROR_NOT_INITIALIZED; if (!aStream) @@ -402,17 +393,16 @@ nsCryptoHMAC::UpdateFromStream(nsIInputS } return NS_OK; } NS_IMETHODIMP nsCryptoHMAC::Finish(bool aASCII, nsACString & _retval) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (!mHMACContext) return NS_ERROR_NOT_INITIALIZED; uint32_t hashLen = 0; @@ -430,17 +420,16 @@ nsCryptoHMAC::Finish(bool aASCII, nsACSt _retval.Assign(BitwiseCast<char*>(buffer), hashLen); return NS_OK; } NS_IMETHODIMP nsCryptoHMAC::Reset() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (PK11_DigestBegin(mHMACContext.get()) != SECSuccess) { return NS_ERROR_FAILURE; }
--- a/security/manager/ssl/nsDataSignatureVerifier.cpp +++ b/security/manager/ssl/nsDataSignatureVerifier.cpp @@ -26,33 +26,31 @@ const SEC_ASN1Template CERT_SignatureDat SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate), }, { SEC_ASN1_BIT_STRING, offsetof(CERTSignedData,signature), }, { 0, } }; nsDataSignatureVerifier::~nsDataSignatureVerifier() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } shutdown(ShutdownCalledFrom::Object); } NS_IMETHODIMP nsDataSignatureVerifier::VerifyData(const nsACString& aData, const nsACString& aSignature, const nsACString& aPublicKey, bool* _retval) { NS_ENSURE_ARG_POINTER(_retval); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } // Allocate an arena to handle the majority of the allocations UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); if (!arena) { return NS_ERROR_OUT_OF_MEMORY;
--- a/security/manager/ssl/nsIX509CertList.idl +++ b/security/manager/ssl/nsIX509CertList.idl @@ -21,18 +21,16 @@ class nsNSSCertList; interface nsIX509CertList : nsISupports { [must_use] void addCert(in nsIX509Cert cert); [must_use] nsISimpleEnumerator getEnumerator(); /** * Returns the raw, backing cert list. - * Must be called only from functions where an nsNSSShutDownPreventionLock - * has been acquired. */ [notxpcom, noscript, must_use] CERTCertListPtr getRawCertList(); /** * Test whether two certificate list instances represent the same * certificate list. *
--- a/security/manager/ssl/nsKeyModule.cpp +++ b/security/manager/ssl/nsKeyModule.cpp @@ -14,17 +14,16 @@ NS_IMPL_ISUPPORTS(nsKeyObject, nsIKeyObj nsKeyObject::nsKeyObject() : mSymKey(nullptr) { } nsKeyObject::~nsKeyObject() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } void @@ -44,17 +43,16 @@ nsKeyObject::destructorSafeDestroyNSSRef NS_IMETHODIMP nsKeyObject::InitKey(int16_t aAlgorithm, PK11SymKey* aKey) { if (!aKey || aAlgorithm != nsIKeyObject::HMAC) { return NS_ERROR_INVALID_ARG; } - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } mSymKey.reset(aKey); return NS_OK; } @@ -62,17 +60,16 @@ NS_IMETHODIMP nsKeyObject::GetKeyObj(PK11SymKey** _retval) { if (!_retval) { return NS_ERROR_INVALID_ARG; } *_retval = nullptr; - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (!mSymKey) { return NS_ERROR_NOT_INITIALIZED; } @@ -96,32 +93,30 @@ nsKeyObject::GetType(int16_t *_retval) NS_IMPL_ISUPPORTS(nsKeyObjectFactory, nsIKeyObjectFactory) nsKeyObjectFactory::nsKeyObjectFactory() { } nsKeyObjectFactory::~nsKeyObjectFactory() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } shutdown(ShutdownCalledFrom::Object); } NS_IMETHODIMP nsKeyObjectFactory::KeyFromString(int16_t aAlgorithm, const nsACString& aKey, nsIKeyObject** _retval) { if (!_retval || aAlgorithm != nsIKeyObject::HMAC) { return NS_ERROR_INVALID_ARG; } - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } CK_MECHANISM_TYPE cipherMech = CKM_GENERIC_SECRET_KEY_GEN; CK_ATTRIBUTE_TYPE cipherOperation = CKA_SIGN; nsresult rv;
--- a/security/manager/ssl/nsKeygenHandler.cpp +++ b/security/manager/ssl/nsKeygenHandler.cpp @@ -217,17 +217,16 @@ NS_IMPL_ISUPPORTS(nsKeygenFormProcessor, nsKeygenFormProcessor::nsKeygenFormProcessor() { m_ctx = new PipUIContext(); } nsKeygenFormProcessor::~nsKeygenFormProcessor() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } shutdown(ShutdownCalledFrom::Object); } nsresult @@ -270,22 +269,21 @@ nsKeygenFormProcessor::Init() mSECKeySizeChoiceList[1].size = 1024; return NS_OK; } nsresult nsKeygenFormProcessor::GetSlot(uint32_t aMechanism, PK11SlotInfo** aSlot) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } - return GetSlotWithMechanism(aMechanism, m_ctx, aSlot, locker); + return GetSlotWithMechanism(aMechanism, m_ctx, aSlot); } uint32_t MapGenMechToAlgoMech(uint32_t mechanism) { uint32_t searchMech; /* We are interested in slots based on the ability to perform a given algorithm, not on their ability to generate keys usable @@ -313,17 +311,17 @@ uint32_t MapGenMechToAlgoMech(uint32_t m break; } return searchMech; } nsresult GetSlotWithMechanism(uint32_t aMechanism, nsIInterfaceRequestor* m_ctx, - PK11SlotInfo** aSlot, nsNSSShutDownPreventionLock& /*proofOfLock*/) + PK11SlotInfo** aSlot) { PK11SlotList * slotList = nullptr; char16_t** tokenNameList = nullptr; nsCOMPtr<nsITokenDialogs> dialogs; nsAutoString tokenStr; PK11SlotListElement *slotElement, *tmpSlot; uint32_t numSlots = 0, i = 0; bool canceled; @@ -421,17 +419,16 @@ loser: nsresult nsKeygenFormProcessor::GetPublicKey(const nsAString& aValue, const nsAString& aChallenge, const nsString& aKeyType, nsAString& aOutPublicKey, const nsAString& aKeyParams) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsresult rv = NS_ERROR_FAILURE; nsAutoCString keystring; char *keyparamsString = nullptr; uint32_t keyGenMechanism; @@ -547,17 +544,17 @@ nsKeygenFormProcessor::GetPublicKey(cons */ algTag = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST; break; default: goto loser; } /* Make sure token is initialized. */ - rv = setPassword(slot, m_ctx, locker); + rv = setPassword(slot, m_ctx); if (NS_FAILED(rv)) goto loser; srv = PK11_Authenticate(slot, true, m_ctx); if (srv != SECSuccess) { goto loser; }
--- a/security/manager/ssl/nsKeygenHandler.h +++ b/security/manager/ssl/nsKeygenHandler.h @@ -15,18 +15,17 @@ #include "nsIInterfaceRequestor.h" #include "nsNSSShutDown.h" #include "nsString.h" #include "nsTArray.h" #include "secmodt.h" nsresult GetSlotWithMechanism(uint32_t mechanism, nsIInterfaceRequestor* ctx, - PK11SlotInfo** retSlot, - nsNSSShutDownPreventionLock& /*proofOfLock*/); + PK11SlotInfo** retSlot); #define DEFAULT_RSA_KEYGEN_PE 65537L #define DEFAULT_RSA_KEYGEN_ALG SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION mozilla::UniqueSECItem DecodeECParams(const char* curve); class nsKeygenFormProcessor : public nsIFormProcessor , public nsNSSShutDownObject
--- a/security/manager/ssl/nsKeygenThread.cpp +++ b/security/manager/ssl/nsKeygenThread.cpp @@ -61,17 +61,16 @@ void nsKeygenThread::SetParams( PK11SlotInfo *a_slot, PK11AttrFlags a_flags, PK11SlotInfo *a_alternative_slot, PK11AttrFlags a_alternative_flags, uint32_t a_keyGenMechanism, void *a_params, void *a_wincx ) { - nsNSSShutDownPreventionLock locker; MutexAutoLock lock(mutex); if (!alreadyReceivedParams) { alreadyReceivedParams = true; slot = (a_slot) ? PK11_ReferenceSlot(a_slot) : nullptr; flags = a_flags; altSlot = (a_alternative_slot) ? PK11_ReferenceSlot(a_alternative_slot) : nullptr; altFlags = a_alternative_flags; @@ -173,17 +172,16 @@ nsresult nsKeygenThread::UserCanceled(bo // it again to avoid problems. statusDialogClosed = true; return NS_OK; } void nsKeygenThread::Run(void) { - nsNSSShutDownPreventionLock locker; bool canGenerate = false; { MutexAutoLock lock(mutex); if (alreadyReceivedParams) { canGenerate = true; keygenReady = false; }
--- a/security/manager/ssl/nsNSSCallbacks.cpp +++ b/security/manager/ssl/nsNSSCallbacks.cpp @@ -748,28 +748,26 @@ public: virtual void RunOnTargetThread() override; private: PK11SlotInfo* const mSlot; // in nsIInterfaceRequestor* const mIR; // in }; PK11PasswordPromptRunnable::~PK11PasswordPromptRunnable() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } shutdown(ShutdownCalledFrom::Object); } void PK11PasswordPromptRunnable::RunOnTargetThread() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } nsresult rv; nsCOMPtr<nsIPrompt> prompt; if (!mIR) { rv = nsNSSComponent::GetNewPrompter(getter_AddRefs(prompt)); @@ -987,18 +985,16 @@ PreliminaryHandshakeDone(PRFileDesc* fd) infoObject->SetPreliminaryHandshakeDone(); } SECStatus CanFalseStartCallback(PRFileDesc* fd, void* client_data, PRBool *canFalseStart) { *canFalseStart = false; - nsNSSShutDownPreventionLock locker; - nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret; if (!infoObject) { PR_SetError(PR_INVALID_STATE_ERROR, 0); return SECFailure; } infoObject->SetFalseStartCallbackCalled(); @@ -1325,17 +1321,16 @@ IsCertificateDistrustImminent(nsIX509Cer }); // If this chain did not match the whitelist, exit true aResult = !foundInWhitelist; return NS_OK; } void HandshakeCallback(PRFileDesc* fd, void* client_data) { - nsNSSShutDownPreventionLock locker; SECStatus rv; nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret; // Do the bookkeeping that needs to be done after the // server's ServerHello...ServerHelloDone have been processed, but that doesn't // need the handshake to be completed. PreliminaryHandshakeDone(fd);
--- a/security/manager/ssl/nsNSSCertHelper.cpp +++ b/security/manager/ssl/nsNSSCertHelper.cpp @@ -1829,17 +1829,16 @@ RegisterDynamicOids() } registered = true; return rv; } nsresult nsNSSCertificate::CreateTBSCertificateASN1Struct(nsIASN1Sequence** retSequence) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; if (RegisterDynamicOids() != SECSuccess) return NS_ERROR_FAILURE; // // TBSCertificate ::= SEQUENCE { @@ -1977,17 +1976,16 @@ nsNSSCertificate::CreateTBSCertificateAS } sequence.forget(retSequence); return NS_OK; } nsresult nsNSSCertificate::CreateASN1Struct(nsIASN1Object** aRetVal) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; nsCOMPtr<nsIASN1Sequence> sequence = new nsNSSASN1Sequence(); nsCOMPtr<nsIMutableArray> asn1Objects; sequence->GetASN1Objects(getter_AddRefs(asn1Objects));
--- a/security/manager/ssl/nsNSSCertValidity.cpp +++ b/security/manager/ssl/nsNSSCertValidity.cpp @@ -17,29 +17,27 @@ nsX509CertValidity::nsX509CertValidity(c , mNotAfter(0) , mTimesInitialized(false) { MOZ_ASSERT(cert); if (!cert) { return; } - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } if (CERT_GetCertTimes(cert.get(), &mNotBefore, &mNotAfter) == SECSuccess) { mTimesInitialized = true; } } nsX509CertValidity::~nsX509CertValidity() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } shutdown(ShutdownCalledFrom::Object); } NS_IMETHODIMP
--- a/security/manager/ssl/nsNSSCertificate.cpp +++ b/security/manager/ssl/nsNSSCertificate.cpp @@ -85,17 +85,16 @@ nsNSSCertificate::ConstructFromDER(char* } return newObject; } bool nsNSSCertificate::InitFromDER(char* certDER, int derLen) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return false; if (!certDER || !derLen) return false; CERTCertificate* aCert = CERT_DecodeCertFromPackage(certDER, derLen); @@ -111,17 +110,16 @@ nsNSSCertificate::InitFromDER(char* cert return true; } nsNSSCertificate::nsNSSCertificate(CERTCertificate* cert) : mCert(nullptr) , mPermDelete(false) , mCertType(CERT_TYPE_NOT_YET_INITIALIZED) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return; if (cert) { mCert.reset(CERT_DupCertificate(cert)); } } @@ -129,17 +127,16 @@ nsNSSCertificate::nsNSSCertificate() : mCert(nullptr) , mPermDelete(false) , mCertType(CERT_TYPE_NOT_YET_INITIALIZED) { } nsNSSCertificate::~nsNSSCertificate() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } void nsNSSCertificate::virtualDestroyNSSReference() @@ -175,44 +172,41 @@ nsNSSCertificate::GetCertType(uint32_t* return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetIsSelfSigned(bool* aIsSelfSigned) { NS_ENSURE_ARG(aIsSelfSigned); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; *aIsSelfSigned = mCert->isRoot; return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetIsBuiltInRoot(bool* aIsBuiltInRoot) { NS_ENSURE_ARG(aIsBuiltInRoot); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } pkix::Result rv = IsCertBuiltInRoot(mCert.get(), *aIsBuiltInRoot); if (rv != pkix::Result::Success) { return NS_ERROR_FAILURE; } return NS_OK; } nsresult nsNSSCertificate::MarkForPermDeletion() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; // make sure user is logged in to the token nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); if (mCert->slot && PK11_NeedLogin(mCert->slot) && !PK11_NeedUserInit(mCert->slot) && !PK11_IsInternal(mCert->slot)) { @@ -304,17 +298,16 @@ nsNSSCertificate::GetKeyUsages(nsAString } return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetDbKey(nsACString& aDbKey) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } return GetDbKey(mCert, aDbKey); } nsresult nsNSSCertificate::GetDbKey(const UniqueCERTCertificate& cert, nsACString& aDbKey) @@ -345,17 +338,16 @@ nsNSSCertificate::GetDbKey(const UniqueC cert->derIssuer.len); return Base64Encode(buf, aDbKey); } NS_IMETHODIMP nsNSSCertificate::GetDisplayName(nsAString& aDisplayName) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } aDisplayName.Truncate(); MOZ_ASSERT(mCert, "mCert should not be null in GetDisplayName"); if (!mCert) { @@ -414,17 +406,16 @@ nsNSSCertificate::GetDisplayName(nsAStri } return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetEmailAddress(nsAString& aEmailAddress) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; if (mCert->emailAddr) { CopyUTF8toUTF16(mCert->emailAddr, aEmailAddress); } else { nsresult rv; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); @@ -434,17 +425,16 @@ nsNSSCertificate::GetEmailAddress(nsAStr nssComponent->GetPIPNSSBundleString("CertNoEmailAddress", aEmailAddress); } return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetEmailAddresses(uint32_t* aLength, char16_t*** aAddresses) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; NS_ENSURE_ARG(aLength); NS_ENSURE_ARG(aAddresses); *aLength = 0; @@ -474,17 +464,16 @@ nsNSSCertificate::GetEmailAddresses(uint return NS_OK; } NS_IMETHODIMP nsNSSCertificate::ContainsEmailAddress(const nsAString& aEmailAddress, bool* result) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; NS_ENSURE_ARG(result); *result = false; const char* aAddr = nullptr; for (aAddr = CERT_GetFirstEmailAddress(mCert.get()) @@ -508,102 +497,96 @@ nsNSSCertificate::ContainsEmailAddress(c } return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetCommonName(nsAString& aCommonName) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; aCommonName.Truncate(); if (mCert) { UniquePORTString commonName(CERT_GetCommonName(&mCert->subject)); if (commonName) { aCommonName = NS_ConvertUTF8toUTF16(commonName.get()); } } return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetOrganization(nsAString& aOrganization) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; aOrganization.Truncate(); if (mCert) { UniquePORTString organization(CERT_GetOrgName(&mCert->subject)); if (organization) { aOrganization = NS_ConvertUTF8toUTF16(organization.get()); } } return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetIssuerCommonName(nsAString& aCommonName) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; aCommonName.Truncate(); if (mCert) { UniquePORTString commonName(CERT_GetCommonName(&mCert->issuer)); if (commonName) { aCommonName = NS_ConvertUTF8toUTF16(commonName.get()); } } return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetIssuerOrganization(nsAString& aOrganization) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; aOrganization.Truncate(); if (mCert) { UniquePORTString organization(CERT_GetOrgName(&mCert->issuer)); if (organization) { aOrganization = NS_ConvertUTF8toUTF16(organization.get()); } } return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetIssuerOrganizationUnit(nsAString& aOrganizationUnit) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; aOrganizationUnit.Truncate(); if (mCert) { UniquePORTString organizationUnit(CERT_GetOrgUnitName(&mCert->issuer)); if (organizationUnit) { aOrganizationUnit = NS_ConvertUTF8toUTF16(organizationUnit.get()); } } return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetIssuer(nsIX509Cert** aIssuer) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; NS_ENSURE_ARG(aIssuer); *aIssuer = nullptr; nsCOMPtr<nsIArray> chain; nsresult rv; @@ -623,17 +606,16 @@ nsNSSCertificate::GetIssuer(nsIX509Cert* } cert.forget(aIssuer); return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetOrganizationalUnit(nsAString& aOrganizationalUnit) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; aOrganizationalUnit.Truncate(); if (mCert) { UniquePORTString orgunit(CERT_GetOrgUnitName(&mCert->subject)); if (orgunit) { aOrganizationalUnit = NS_ConvertUTF8toUTF16(orgunit.get()); @@ -668,17 +650,16 @@ UniqueCERTCertListToMutableArray(/*in*/ array.forget(x509CertArray); return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetChain(nsIArray** _rvChain) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; NS_ENSURE_ARG(_rvChain); mozilla::pkix::Time now(mozilla::pkix::Now()); RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier()); @@ -713,61 +694,57 @@ nsNSSCertificate::GetChain(nsIArray** _r return NS_ERROR_FAILURE; } return UniqueCERTCertListToMutableArray(nssChain, _rvChain); } NS_IMETHODIMP nsNSSCertificate::GetSubjectName(nsAString& _subjectName) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; _subjectName.Truncate(); if (mCert->subjectName) { _subjectName = NS_ConvertUTF8toUTF16(mCert->subjectName); } return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetIssuerName(nsAString& _issuerName) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; _issuerName.Truncate(); if (mCert->issuerName) { _issuerName = NS_ConvertUTF8toUTF16(mCert->issuerName); } return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetSerialNumber(nsAString& _serialNumber) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; _serialNumber.Truncate(); UniquePORTString tmpstr(CERT_Hexify(&mCert->serialNumber, 1)); if (tmpstr) { _serialNumber = NS_ConvertASCIItoUTF16(tmpstr.get()); return NS_OK; } return NS_ERROR_FAILURE; } nsresult nsNSSCertificate::GetCertificateHash(nsAString& aFingerprint, SECOidTag aHashAlg) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } aFingerprint.Truncate(); Digest digest; nsresult rv = digest.DigestBuf(aHashAlg, mCert->derCert.data, mCert->derCert.len); @@ -795,17 +772,16 @@ NS_IMETHODIMP nsNSSCertificate::GetSha1Fingerprint(nsAString& _sha1Fingerprint) { return GetCertificateHash(_sha1Fingerprint, SEC_OID_SHA1); } NS_IMETHODIMP nsNSSCertificate::GetTokenName(nsAString& aTokenName) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; aTokenName.Truncate(); if (mCert) { // HACK alert // When the trust of a builtin cert is modified, NSS copies it into the // cert db. At this point, it is now "managed" by the user, and should @@ -830,17 +806,16 @@ nsNSSCertificate::GetTokenName(nsAString } } return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetSha256SubjectPublicKeyInfoDigest(nsACString& aSha256SPKIDigest) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } aSha256SPKIDigest.Truncate(); Digest digest; nsresult rv = digest.DigestBuf(SEC_OID_SHA256, mCert->derPublicKey.data, mCert->derPublicKey.len); @@ -855,17 +830,16 @@ nsNSSCertificate::GetSha256SubjectPublic return rv; } return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetRawDER(uint32_t* aLength, uint8_t** aArray) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; if (mCert) { *aArray = (uint8_t*)moz_xmalloc(mCert->derCert.len); if (*aArray) { memcpy(*aArray, mCert->derCert.data, mCert->derCert.len); *aLength = mCert->derCert.len; @@ -878,17 +852,16 @@ nsNSSCertificate::GetRawDER(uint32_t* aL NS_IMETHODIMP nsNSSCertificate::ExportAsCMS(uint32_t chainMode, uint32_t* aLength, uint8_t** aArray) { NS_ENSURE_ARG(aLength); NS_ENSURE_ARG(aArray); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; nsresult rv = BlockUntilLoadableRootsLoaded(); if (NS_FAILED(rv)) { return rv; } @@ -1004,27 +977,25 @@ nsNSSCertificate::ExportAsCMS(uint32_t c memcpy(*aArray, certP7.data, certP7.len); *aLength = certP7.len; return NS_OK; } CERTCertificate* nsNSSCertificate::GetCert() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return nullptr; return (mCert) ? CERT_DupCertificate(mCert.get()) : nullptr; } NS_IMETHODIMP nsNSSCertificate::GetValidity(nsIX509CertValidity** aValidity) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; NS_ENSURE_ARG(aValidity); if (!mCert) { return NS_ERROR_FAILURE; } @@ -1042,17 +1013,16 @@ nsNSSCertificate::GetASN1Structure(nsIAS return NS_ERROR_NOT_SAME_THREAD; } return CreateASN1Struct(aASN1Structure); } NS_IMETHODIMP nsNSSCertificate::Equals(nsIX509Cert* other, bool* result) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; NS_ENSURE_ARG(other); NS_ENSURE_ARG(result); UniqueCERTCertificate cert(other->GetCert()); *result = (mCert.get() == cert.get()); @@ -1102,34 +1072,32 @@ NS_IMPL_CLASSINFO(nsNSSCertList, // inferred from nsIX509Cert nsIClassInfo::THREADSAFE, NS_X509CERTLIST_CID) NS_IMPL_ISUPPORTS_CI(nsNSSCertList, nsIX509CertList, nsISerializable) -nsNSSCertList::nsNSSCertList(UniqueCERTCertList certList, - const nsNSSShutDownPreventionLock& proofOfLock) +nsNSSCertList::nsNSSCertList(UniqueCERTCertList certList) { if (certList) { mCertList = Move(certList); } else { mCertList = UniqueCERTCertList(CERT_NewCertList()); } } nsNSSCertList::nsNSSCertList() { mCertList = UniqueCERTCertList(CERT_NewCertList()); } nsNSSCertList::~nsNSSCertList() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } void nsNSSCertList::virtualDestroyNSSReference() @@ -1146,17 +1114,16 @@ nsNSSCertList* nsNSSCertList::GetCertList() { return this; } NS_IMETHODIMP nsNSSCertList::AddCert(nsIX509Cert* aCert) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } // We need an owning handle when calling nsIX509Cert::GetCert(). UniqueCERTCertificate cert(aCert->GetCert()); if (!cert) { NS_ERROR("Somehow got nullptr for mCertificate in nsNSSCertificate."); return NS_ERROR_FAILURE; @@ -1169,18 +1136,17 @@ nsNSSCertList::AddCert(nsIX509Cert* aCer if (CERT_AddCertToListTail(mCertList.get(), cert.get()) != SECSuccess) { return NS_ERROR_OUT_OF_MEMORY; } Unused << cert.release(); // Ownership transferred to the cert list. return NS_OK; } UniqueCERTCertList -nsNSSCertList::DupCertList(const UniqueCERTCertList& certList, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) +nsNSSCertList::DupCertList(const UniqueCERTCertList& certList) { if (!certList) { return nullptr; } UniqueCERTCertList newList(CERT_NewCertList()); if (!newList) { return nullptr; @@ -1201,34 +1167,25 @@ nsNSSCertList::DupCertList(const UniqueC Unused << cert.release(); // Ownership transferred to the cert list. } return newList; } CERTCertList* nsNSSCertList::GetRawCertList() { - // This function should only be called after acquiring a - // nsNSSShutDownPreventionLock. It's difficult to enforce this in code since - // this is an implementation of an XPCOM interface function (albeit a - // C++-only one), so we acquire the (reentrant) lock and check for shutdown - // ourselves here. At the moment it appears that only nsCertTree uses this - // function. When that gets removed and replaced by a more reasonable - // implementation of the certificate manager, this function can be removed. - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return nullptr; } return mCertList.get(); } NS_IMETHODIMP nsNSSCertList::Write(nsIObjectOutputStream* aStream) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } NS_ENSURE_STATE(mCertList); nsresult rv = NS_OK; // First, enumerate the certs to get the length of the list @@ -1262,17 +1219,16 @@ nsNSSCertList::Write(nsIObjectOutputStre } return rv; } NS_IMETHODIMP nsNSSCertList::Read(nsIObjectInputStream* aStream) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } NS_ENSURE_STATE(mCertList); nsresult rv = NS_OK; uint32_t certListLen; @@ -1296,36 +1252,34 @@ nsNSSCertList::Read(nsIObjectInputStream } return rv; } NS_IMETHODIMP nsNSSCertList::GetEnumerator(nsISimpleEnumerator** _retval) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (!mCertList) { return NS_ERROR_FAILURE; } nsCOMPtr<nsISimpleEnumerator> enumerator = - new nsNSSCertListEnumerator(mCertList, locker); + new nsNSSCertListEnumerator(mCertList); enumerator.forget(_retval); return NS_OK; } NS_IMETHODIMP nsNSSCertList::Equals(nsIX509CertList* other, bool* result) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } NS_ENSURE_ARG(result); *result = true; nsresult rv; @@ -1466,26 +1420,24 @@ nsNSSCertList::SegmentCertificateChain(/ } return NS_OK; } NS_IMPL_ISUPPORTS(nsNSSCertListEnumerator, nsISimpleEnumerator) nsNSSCertListEnumerator::nsNSSCertListEnumerator( - const UniqueCERTCertList& certList, - const nsNSSShutDownPreventionLock& proofOfLock) + const UniqueCERTCertList& certList) { MOZ_ASSERT(certList); - mCertList = nsNSSCertList::DupCertList(certList, proofOfLock); + mCertList = nsNSSCertList::DupCertList(certList); } nsNSSCertListEnumerator::~nsNSSCertListEnumerator() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } void nsNSSCertListEnumerator::virtualDestroyNSSReference() @@ -1496,31 +1448,29 @@ void nsNSSCertListEnumerator::virtualDes void nsNSSCertListEnumerator::destructorSafeDestroyNSSReference() { mCertList = nullptr; } NS_IMETHODIMP nsNSSCertListEnumerator::HasMoreElements(bool* _retval) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } NS_ENSURE_TRUE(mCertList, NS_ERROR_FAILURE); *_retval = !CERT_LIST_EMPTY(mCertList); return NS_OK; } NS_IMETHODIMP nsNSSCertListEnumerator::GetNext(nsISupports** _retval) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } NS_ENSURE_TRUE(mCertList, NS_ERROR_FAILURE); CERTCertListNode* node = CERT_LIST_HEAD(mCertList); if (CERT_LIST_END(node, mCertList)) {
--- a/security/manager/ssl/nsNSSCertificate.h +++ b/security/manager/ssl/nsNSSCertificate.h @@ -79,24 +79,22 @@ class nsNSSCertList: public nsIX509CertL public nsNSSShutDownObject { public: NS_DECL_THREADSAFE_ISUPPORTS NS_DECL_NSIX509CERTLIST NS_DECL_NSISERIALIZABLE // certList is adopted - nsNSSCertList(mozilla::UniqueCERTCertList certList, - const nsNSSShutDownPreventionLock& proofOfLock); + explicit nsNSSCertList(mozilla::UniqueCERTCertList certList); nsNSSCertList(); static mozilla::UniqueCERTCertList DupCertList( - const mozilla::UniqueCERTCertList& certList, - const nsNSSShutDownPreventionLock& proofOfLock); + const mozilla::UniqueCERTCertList& certList); // For each certificate in this CertList, run the operation aOperation. // To end early with NS_OK, set the `aContinue` argument false before // returning. To end early with an error, return anything except NS_OK. // The `aHasMore` argument is false when this is the last certificate in the // chain. nsresult ForEachCertificateInChain(ForEachCertOperation& aOperation); @@ -126,18 +124,17 @@ private: class nsNSSCertListEnumerator: public nsISimpleEnumerator, public nsNSSShutDownObject { public: NS_DECL_THREADSAFE_ISUPPORTS NS_DECL_NSISIMPLEENUMERATOR - nsNSSCertListEnumerator(const mozilla::UniqueCERTCertList& certList, - const nsNSSShutDownPreventionLock& proofOfLock); + explicit nsNSSCertListEnumerator(const mozilla::UniqueCERTCertList& certList); private: virtual ~nsNSSCertListEnumerator(); virtual void virtualDestroyNSSReference() override; void destructorSafeDestroyNSSReference(); mozilla::UniqueCERTCertList mCertList; nsNSSCertListEnumerator(const nsNSSCertListEnumerator&) = delete;
--- a/security/manager/ssl/nsNSSCertificateDB.cpp +++ b/security/manager/ssl/nsNSSCertificateDB.cpp @@ -54,17 +54,16 @@ using namespace mozilla::psm; using mozilla::psm::SharedSSLState; extern LazyLogModule gPIPNSSLog; NS_IMPL_ISUPPORTS(nsNSSCertificateDB, nsIX509CertDB) nsNSSCertificateDB::~nsNSSCertificateDB() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } shutdown(ShutdownCalledFrom::Object); } NS_IMETHODIMP @@ -73,17 +72,16 @@ nsNSSCertificateDB::FindCertByDBKey(cons { NS_ENSURE_ARG_POINTER(_cert); *_cert = nullptr; if (aDBKey.IsEmpty()) { return NS_ERROR_INVALID_ARG; } - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsresult rv = BlockUntilLoadableRootsLoaded(); if (NS_FAILED(rv)) { return rv; } @@ -187,18 +185,17 @@ collect_certs(void *arg, SECItem **certs certs++; } return (SECSuccess); } CERTDERCerts* nsNSSCertificateDB::getCertsFromPackage(const UniquePLArenaPool& arena, - uint8_t* data, uint32_t length, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) + uint8_t* data, uint32_t length) { CERTDERCerts* collectArgs = PORT_ArenaZNew(arena.get(), CERTDERCerts); if (!collectArgs) { return nullptr; } collectArgs->arena = arena.get(); if (CERT_DecodeCertPackage(BitwiseCast<char*, uint8_t*>(data), length, @@ -237,18 +234,17 @@ ChangeCertTrustWithPossibleAuthenticatio } if (srv != SECSuccess) { return srv; } return CERT_ChangeCertTrust(nullptr, cert.get(), &trust); } static nsresult -ImportCertsIntoPermanentStorage(const UniqueCERTCertList& certChain, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) +ImportCertsIntoPermanentStorage(const UniqueCERTCertList& certChain) { bool encounteredFailure = false; PRErrorCode savedErrorCode = 0; UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); for (CERTCertListNode* chainNode = CERT_LIST_HEAD(certChain); !CERT_LIST_END(chainNode, certChain); chainNode = CERT_LIST_NEXT(chainNode)) { UniquePORTString nickname(CERT_MakeCANickname(chainNode->cert)); @@ -265,18 +261,17 @@ ImportCertsIntoPermanentStorage(const Un return GetXPCOMFromNSSError(savedErrorCode); } return NS_OK; } nsresult nsNSSCertificateDB::handleCACertDownload(NotNull<nsIArray*> x509Certs, - nsIInterfaceRequestor *ctx, - const nsNSSShutDownPreventionLock &proofOfLock) + nsIInterfaceRequestor *ctx) { // First thing we have to do is figure out which certificate we're // gonna present to the user. The CA may have sent down a list of // certs which may or may not be a chained list of certs. Until // the day we can design some solid UI for the general case, we'll // code to the > 90% case. That case is where a CA sends down a // list that is a hierarchy whose root is either the first or // the last cert. What we're gonna do is compare the first @@ -351,22 +346,22 @@ nsNSSCertificateDB::handleCACertDownload } UniqueCERTCertificate tmpCert(certToShow->GetCert()); if (!tmpCert) { return NS_ERROR_FAILURE; } if (!CERT_IsCACert(tmpCert.get(), nullptr)) { - DisplayCertificateAlert(ctx, "NotACACert", certToShow, proofOfLock); + DisplayCertificateAlert(ctx, "NotACACert", certToShow); return NS_ERROR_FAILURE; } if (tmpCert->isperm) { - DisplayCertificateAlert(ctx, "CaCertExists", certToShow, proofOfLock); + DisplayCertificateAlert(ctx, "CaCertExists", certToShow); return NS_ERROR_FAILURE; } uint32_t trustBits; bool allows; rv = dialogs->ConfirmDownloadCACert(ctx, certToShow, &trustBits, &allows); if (NS_FAILED(rv)) return rv; @@ -425,41 +420,39 @@ nsNSSCertificateDB::handleCACertDownload if (CERT_AddCertToListTail(certList.get(), tmpCert2.get()) != SECSuccess) { continue; } Unused << tmpCert2.release(); } - return ImportCertsIntoPermanentStorage(certList, proofOfLock); + return ImportCertsIntoPermanentStorage(certList); } NS_IMETHODIMP nsNSSCertificateDB::ImportCertificates(uint8_t* data, uint32_t length, uint32_t type, nsIInterfaceRequestor* ctx) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } // We currently only handle CA certificates. if (type != nsIX509Cert::CA_CERT) { return NS_ERROR_FAILURE; } UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); if (!arena) { return NS_ERROR_OUT_OF_MEMORY; } - CERTDERCerts* certCollection = getCertsFromPackage(arena, data, length, - locker); + CERTDERCerts* certCollection = getCertsFromPackage(arena, data, length); if (!certCollection) { return NS_ERROR_FAILURE; } nsCOMPtr<nsIMutableArray> array = nsArrayBase::Create(); if (!array) { return NS_ERROR_FAILURE; } @@ -473,32 +466,31 @@ nsNSSCertificateDB::ImportCertificates(u return NS_ERROR_FAILURE; } nsresult rv = array->AppendElement(cert); if (NS_FAILED(rv)) { return rv; } } - return handleCACertDownload(WrapNotNull(array), ctx, locker); + return handleCACertDownload(WrapNotNull(array), ctx); } /** * Decodes a given array of DER-encoded certificates into temporary storage. * * @param numcerts * Size of the |certs| array. * @param certs * Pointer to array of certs to decode. * @param temporaryCerts * List of decoded certificates. */ static nsresult ImportCertsIntoTempStorage(int numcerts, SECItem* certs, - const nsNSSShutDownPreventionLock& /*proofOfLock*/, /*out*/ const UniqueCERTCertList& temporaryCerts) { NS_ENSURE_ARG_MIN(numcerts, 1); NS_ENSURE_ARG_POINTER(certs); NS_ENSURE_ARG_POINTER(temporaryCerts); // CERT_ImportCerts() expects an array of *pointers* to SECItems, so we have // to convert |certs| to such a format first. @@ -543,69 +535,65 @@ ImportCertsIntoTempStorage(int numcerts, return NS_OK; } NS_IMETHODIMP nsNSSCertificateDB::ImportEmailCertificate(uint8_t* data, uint32_t length, nsIInterfaceRequestor* ctx) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); if (!arena) { return NS_ERROR_OUT_OF_MEMORY; } - CERTDERCerts *certCollection = getCertsFromPackage(arena, data, length, locker); + CERTDERCerts *certCollection = getCertsFromPackage(arena, data, length); if (!certCollection) { return NS_ERROR_FAILURE; } UniqueCERTCertList temporaryCerts(CERT_NewCertList()); if (!temporaryCerts) { return NS_ERROR_FAILURE; } nsresult rv = ImportCertsIntoTempStorage(certCollection->numcerts, certCollection->rawCerts, - locker, temporaryCerts); + temporaryCerts); if (NS_FAILED(rv)) { return rv; } - return ImportCertsIntoPermanentStorage(temporaryCerts, locker); + return ImportCertsIntoPermanentStorage(temporaryCerts); } nsresult nsNSSCertificateDB::ImportCACerts(int numCACerts, SECItem* caCerts, - nsIInterfaceRequestor* ctx, - const nsNSSShutDownPreventionLock& proofOfLock) + nsIInterfaceRequestor* ctx) { UniqueCERTCertList temporaryCerts(CERT_NewCertList()); if (!temporaryCerts) { return NS_ERROR_FAILURE; } - nsresult rv = ImportCertsIntoTempStorage(numCACerts, caCerts, proofOfLock, - temporaryCerts); + nsresult rv = ImportCertsIntoTempStorage(numCACerts, caCerts, temporaryCerts); if (NS_FAILED(rv)) { return rv; } - return ImportCertsIntoPermanentStorage(temporaryCerts, proofOfLock); + return ImportCertsIntoPermanentStorage(temporaryCerts); } void nsNSSCertificateDB::DisplayCertificateAlert(nsIInterfaceRequestor *ctx, const char *stringID, - nsIX509Cert *certToShow, - const nsNSSShutDownPreventionLock &/*proofOfLock*/) + nsIX509Cert *certToShow) { static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); if (!NS_IsMainThread()) { NS_ERROR("nsNSSCertificateDB::DisplayCertificateAlert called off the main thread"); return; } @@ -636,87 +624,85 @@ NS_IMETHODIMP nsNSSCertificateDB::ImportUserCertificate(uint8_t* data, uint32_t length, nsIInterfaceRequestor* ctx) { if (!NS_IsMainThread()) { NS_ERROR("nsNSSCertificateDB::ImportUserCertificate called off the main thread"); return NS_ERROR_NOT_SAME_THREAD; } - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); if (!arena) { return NS_ERROR_OUT_OF_MEMORY; } - CERTDERCerts* collectArgs = getCertsFromPackage(arena, data, length, locker); + CERTDERCerts* collectArgs = getCertsFromPackage(arena, data, length); if (!collectArgs) { return NS_ERROR_FAILURE; } UniqueCERTCertificate cert( CERT_NewTempCertificate(CERT_GetDefaultCertDB(), collectArgs->rawCerts, nullptr, false, true)); if (!cert) { return NS_ERROR_FAILURE; } UniquePK11SlotInfo slot(PK11_KeyForCertExists(cert.get(), nullptr, ctx)); if (!slot) { nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(cert.get()); - DisplayCertificateAlert(ctx, "UserCertIgnoredNoPrivateKey", certToShow, locker); + DisplayCertificateAlert(ctx, "UserCertIgnoredNoPrivateKey", certToShow); return NS_ERROR_FAILURE; } slot = nullptr; /* pick a nickname for the cert */ nsAutoCString nickname; if (cert->nickname) { nickname = cert->nickname; } else { - get_default_nickname(cert.get(), ctx, nickname, locker); + get_default_nickname(cert.get(), ctx, nickname); } /* user wants to import the cert */ slot.reset(PK11_ImportCertForKey(cert.get(), nickname.get(), ctx)); if (!slot) { return NS_ERROR_FAILURE; } slot = nullptr; { nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(cert.get()); - DisplayCertificateAlert(ctx, "UserCertImported", certToShow, locker); + DisplayCertificateAlert(ctx, "UserCertImported", certToShow); } nsresult rv = NS_OK; int numCACerts = collectArgs->numcerts - 1; if (numCACerts) { SECItem* caCerts = collectArgs->rawCerts + 1; - rv = ImportCACerts(numCACerts, caCerts, ctx, locker); + rv = ImportCACerts(numCACerts, caCerts, ctx); } nsCOMPtr<nsIObserverService> observerService = mozilla::services::GetObserverService(); if (observerService) { observerService->NotifyObservers(nullptr, "psm:user-certificate-added", nullptr); } return rv; } NS_IMETHODIMP nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert) { NS_ENSURE_ARG_POINTER(aCert); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } UniqueCERTCertificate cert(aCert->GetCert()); if (!cert) { return NS_ERROR_FAILURE; } SECStatus srv = SECSuccess; @@ -752,17 +738,16 @@ nsNSSCertificateDB::DeleteCertificate(ns } NS_IMETHODIMP nsNSSCertificateDB::SetCertTrust(nsIX509Cert *cert, uint32_t type, uint32_t trusted) { NS_ENSURE_ARG_POINTER(cert); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsNSSCertTrust trust; switch (type) { case nsIX509Cert::CA_CERT: trust.SetValidCA(); @@ -793,17 +778,16 @@ NS_IMETHODIMP nsNSSCertificateDB::IsCertTrusted(nsIX509Cert *cert, uint32_t certType, uint32_t trustType, bool *_isTrusted) { NS_ENSURE_ARG_POINTER(_isTrusted); *_isTrusted = false; - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsresult rv = BlockUntilLoadableRootsLoaded(); if (NS_FAILED(rv)) { return rv; } @@ -843,17 +827,16 @@ nsNSSCertificateDB::IsCertTrusted(nsIX50 } /* user: ignore */ return NS_OK; } NS_IMETHODIMP nsNSSCertificateDB::ImportCertsFromFile(nsIFile* aFile, uint32_t aType) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } NS_ENSURE_ARG(aFile); switch (aType) { case nsIX509Cert::CA_CERT: case nsIX509Cert::EMAIL_CERT: @@ -903,17 +886,16 @@ nsNSSCertificateDB::ImportCertsFromFile( } NS_IMETHODIMP nsNSSCertificateDB::ImportPKCS12File(nsIFile* aFile) { if (!NS_IsMainThread()) { return NS_ERROR_NOT_SAME_THREAD; } - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsresult rv = BlockUntilLoadableRootsLoaded(); if (NS_FAILED(rv)) { return rv; } @@ -932,17 +914,16 @@ nsNSSCertificateDB::ImportPKCS12File(nsI NS_IMETHODIMP nsNSSCertificateDB::ExportPKCS12File(nsIFile* aFile, uint32_t count, nsIX509Cert** certs) { if (!NS_IsMainThread()) { return NS_ERROR_NOT_SAME_THREAD; } - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsresult rv = BlockUntilLoadableRootsLoaded(); if (NS_FAILED(rv)) { return rv; } @@ -953,17 +934,16 @@ nsNSSCertificateDB::ExportPKCS12File(nsI nsPKCS12Blob blob; return blob.ExportToFile(aFile, certs, count); } NS_IMETHODIMP nsNSSCertificateDB::FindCertByEmailAddress(const nsACString& aEmailAddress, nsIX509Cert** _retval) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsresult rv = BlockUntilLoadableRootsLoaded(); if (NS_FAILED(rv)) { return rv; } @@ -1014,17 +994,16 @@ nsNSSCertificateDB::FindCertByEmailAddre nssCert.forget(_retval); return NS_OK; } NS_IMETHODIMP nsNSSCertificateDB::ConstructX509FromBase64(const nsACString& base64, /*out*/ nsIX509Cert** _retval) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (!_retval) { return NS_ERROR_INVALID_POINTER; } // Base64Decode() doesn't consider a zero length input as an error, and just @@ -1042,17 +1021,16 @@ nsNSSCertificateDB::ConstructX509FromBas return ConstructX509(certDER, _retval); } NS_IMETHODIMP nsNSSCertificateDB::ConstructX509(const nsACString& certDER, nsIX509Cert** _retval) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (NS_WARN_IF(!_retval)) { return NS_ERROR_INVALID_POINTER; } SECItem certData; @@ -1073,18 +1051,17 @@ nsNSSCertificateDB::ConstructX509(const } nssCert.forget(_retval); return NS_OK; } void nsNSSCertificateDB::get_default_nickname(CERTCertificate *cert, nsIInterfaceRequestor* ctx, - nsCString &nickname, - const nsNSSShutDownPreventionLock &/*proofOfLock*/) + nsCString &nickname) { static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); nickname.Truncate(); nsresult rv; CK_OBJECT_HANDLE keyHandle; @@ -1187,17 +1164,16 @@ nsNSSCertificateDB::AddCertFromBase64(co nsIX509Cert** addedCertificate) { MOZ_ASSERT(addedCertificate); if (!addedCertificate) { return NS_ERROR_INVALID_ARG; } *addedCertificate = nullptr; - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsNSSCertTrust trust; if (CERT_DecodeTrustString(&trust.GetTrust(), PromiseFlatCString(aTrust).get()) != SECSuccess) { return NS_ERROR_FAILURE; @@ -1272,17 +1248,16 @@ nsNSSCertificateDB::SetCertTrustFromStri srv = ChangeCertTrustWithPossibleAuthentication(nssCert, trust, nullptr); return MapSECStatus(srv); } NS_IMETHODIMP nsNSSCertificateDB::GetCerts(nsIX509CertList **_retval) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsresult rv = BlockUntilLoadableRootsLoaded(); if (NS_FAILED(rv)) { return rv; } @@ -1293,33 +1268,32 @@ nsNSSCertificateDB::GetCerts(nsIX509Cert } nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); nsCOMPtr<nsIX509CertList> nssCertList; UniqueCERTCertList certList(PK11_ListCerts(PK11CertListUnique, ctx)); // nsNSSCertList 1) adopts certList, and 2) handles the nullptr case fine. // (returns an empty list) - nssCertList = new nsNSSCertList(Move(certList), locker); + nssCertList = new nsNSSCertList(Move(certList)); nssCertList.forget(_retval); return NS_OK; } NS_IMETHODIMP nsNSSCertificateDB::GetEnterpriseRoots(nsIX509CertList** enterpriseRoots) { MOZ_ASSERT(NS_IsMainThread()); if (!NS_IsMainThread()) { return NS_ERROR_NOT_SAME_THREAD; } NS_ENSURE_ARG_POINTER(enterpriseRoots); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } #ifdef XP_WIN nsCOMPtr<nsINSSComponent> psm(do_GetService(PSM_COMPONENT_CONTRACTID)); if (!psm) { return NS_ERROR_FAILURE; @@ -1333,18 +1307,17 @@ nsNSSCertificateDB::GetEnterpriseRoots(n nsresult VerifyCertAtTime(nsIX509Cert* aCert, int64_t /*SECCertificateUsage*/ aUsage, uint32_t aFlags, const nsACString& aHostname, mozilla::pkix::Time aTime, nsIX509CertList** aVerifiedChain, bool* aHasEVPolicy, - int32_t* /*PRErrorCode*/ _retval, - const nsNSSShutDownPreventionLock& locker) + int32_t* /*PRErrorCode*/ _retval) { NS_ENSURE_ARG_POINTER(aCert); NS_ENSURE_ARG_POINTER(aHasEVPolicy); NS_ENSURE_ARG_POINTER(aVerifiedChain); NS_ENSURE_ARG_POINTER(_retval); *aVerifiedChain = nullptr; *aHasEVPolicy = false; @@ -1385,17 +1358,17 @@ VerifyCertAtTime(nsIX509Cert* aCert, nullptr, // stapledOCSPResponse nullptr, // sctsFromTLSExtension OriginAttributes(), &evOidPolicy); } nsCOMPtr<nsIX509CertList> nssCertList; // This adopts the list - nssCertList = new nsNSSCertList(Move(resultChain), locker); + nssCertList = new nsNSSCertList(Move(resultChain)); NS_ENSURE_TRUE(nssCertList, NS_ERROR_FAILURE); *_retval = mozilla::pkix::MapResultToPRErrorCode(result); if (result == mozilla::pkix::Success && evOidPolicy != SEC_OID_UNKNOWN) { *aHasEVPolicy = true; } nssCertList.forget(aVerifiedChain); @@ -1406,44 +1379,42 @@ NS_IMETHODIMP nsNSSCertificateDB::VerifyCertNow(nsIX509Cert* aCert, int64_t /*SECCertificateUsage*/ aUsage, uint32_t aFlags, const nsACString& aHostname, nsIX509CertList** aVerifiedChain, bool* aHasEVPolicy, int32_t* /*PRErrorCode*/ _retval) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } return ::VerifyCertAtTime(aCert, aUsage, aFlags, aHostname, mozilla::pkix::Now(), - aVerifiedChain, aHasEVPolicy, _retval, locker); + aVerifiedChain, aHasEVPolicy, _retval); } NS_IMETHODIMP nsNSSCertificateDB::VerifyCertAtTime(nsIX509Cert* aCert, int64_t /*SECCertificateUsage*/ aUsage, uint32_t aFlags, const nsACString& aHostname, uint64_t aTime, nsIX509CertList** aVerifiedChain, bool* aHasEVPolicy, int32_t* /*PRErrorCode*/ _retval) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } return ::VerifyCertAtTime(aCert, aUsage, aFlags, aHostname, mozilla::pkix::TimeFromEpochInSeconds(aTime), - aVerifiedChain, aHasEVPolicy, _retval, locker); + aVerifiedChain, aHasEVPolicy, _retval); } class VerifyCertAtTimeTask final : public CryptoTask { public: VerifyCertAtTimeTask(nsIX509Cert* aCert, int64_t aUsage, uint32_t aFlags, const nsACString& aHostname, uint64_t aTime, nsICertVerificationCallback* aCallback) @@ -1500,30 +1471,28 @@ private: NS_IMETHODIMP nsNSSCertificateDB::AsyncVerifyCertAtTime(nsIX509Cert* aCert, int64_t /*SECCertificateUsage*/ aUsage, uint32_t aFlags, const nsACString& aHostname, uint64_t aTime, nsICertVerificationCallback* aCallback) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } RefPtr<VerifyCertAtTimeTask> task(new VerifyCertAtTimeTask(aCert, aUsage, aFlags, aHostname, aTime, aCallback)); return task->Dispatch("VerifyCert"); } NS_IMETHODIMP nsNSSCertificateDB::ClearOCSPCache() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier()); NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE); certVerifier->ClearOCSPCache(); return NS_OK;
--- a/security/manager/ssl/nsNSSCertificateDB.h +++ b/security/manager/ssl/nsNSSCertificateDB.h @@ -33,33 +33,29 @@ public: protected: virtual ~nsNSSCertificateDB(); private: // Use this function to generate a default nickname for a user // certificate that is to be imported onto a token. static void get_default_nickname(CERTCertificate* cert, nsIInterfaceRequestor* ctx, - nsCString& nickname, - const nsNSSShutDownPreventionLock& proofOfLock); + nsCString& nickname); static nsresult - ImportCACerts(int numCACerts, SECItem* CACerts, nsIInterfaceRequestor* ctx, - const nsNSSShutDownPreventionLock& proofOfLock); + ImportCACerts(int numCACerts, SECItem* CACerts, nsIInterfaceRequestor* ctx); - static void DisplayCertificateAlert(nsIInterfaceRequestor *ctx, - const char *stringID, nsIX509Cert *certToShow, - const nsNSSShutDownPreventionLock &proofOfLock); + static void DisplayCertificateAlert(nsIInterfaceRequestor* ctx, + const char* stringID, + nsIX509Cert* certToShow); CERTDERCerts* getCertsFromPackage(const mozilla::UniquePLArenaPool& arena, - uint8_t* data, uint32_t length, - const nsNSSShutDownPreventionLock& proofOfLock); + uint8_t* data, uint32_t length); nsresult handleCACertDownload(mozilla::NotNull<nsIArray*> x509Certs, - nsIInterfaceRequestor *ctx, - const nsNSSShutDownPreventionLock &proofOfLock); + nsIInterfaceRequestor* ctx); // We don't own any NSS objects here, so no need to clean up virtual void virtualDestroyNSSReference() override { }; }; #define NS_X509CERTDB_CID { /* fb0bbc5c-452e-4783-b32c-80124693d871 */ \ 0xfb0bbc5c, \ 0x452e, \
--- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -810,17 +810,16 @@ nsNSSComponent::UnloadEnterpriseRoots(co } mEnterpriseRoots = nullptr; MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("unloaded enterprise roots")); } NS_IMETHODIMP nsNSSComponent::GetEnterpriseRoots(nsIX509CertList** enterpriseRoots) { - nsNSSShutDownPreventionLock lock; MutexAutoLock nsNSSComponentLock(mMutex); MOZ_ASSERT(NS_IsMainThread()); if (!NS_IsMainThread()) { return NS_ERROR_NOT_SAME_THREAD; } NS_ENSURE_ARG_POINTER(enterpriseRoots); // nsNSSComponent isn't a nsNSSShutDownObject, so we can't check @@ -828,22 +827,22 @@ nsNSSComponent::GetEnterpriseRoots(nsIX5 // shuts down, we can use that as a proxy for checking for NSS shutdown. // (Of course, it may also be the case that no enterprise roots were imported, // so we should just return a null list and NS_OK in this case.) if (!mEnterpriseRoots) { *enterpriseRoots = nullptr; return NS_OK; } UniqueCERTCertList enterpriseRootsCopy( - nsNSSCertList::DupCertList(mEnterpriseRoots, lock)); + nsNSSCertList::DupCertList(mEnterpriseRoots)); if (!enterpriseRootsCopy) { return NS_ERROR_FAILURE; } nsCOMPtr<nsIX509CertList> enterpriseRootsCertList( - new nsNSSCertList(Move(enterpriseRootsCopy), lock)); + new nsNSSCertList(Move(enterpriseRootsCopy))); if (!enterpriseRootsCertList) { return NS_ERROR_FAILURE; } enterpriseRootsCertList.forget(enterpriseRoots); return NS_OK; } #endif // XP_WIN @@ -992,24 +991,23 @@ public: ~LoadLoadableRootsTask(); nsresult Dispatch(); void virtualDestroyNSSReference() override {} // nothing to release private: NS_IMETHOD Run() override; - nsresult LoadLoadableRoots(const nsNSSShutDownPreventionLock& proofOfLock); + nsresult LoadLoadableRoots(); RefPtr<nsNSSComponent> mNSSComponent; nsCOMPtr<nsIThread> mThread; }; LoadLoadableRootsTask::~LoadLoadableRootsTask() { - nsNSSShutDownPreventionLock lock; if (isAlreadyShutDown()) { return; } shutdown(ShutdownCalledFrom::Object); } nsresult LoadLoadableRootsTask::Dispatch() @@ -1024,32 +1022,31 @@ LoadLoadableRootsTask::Dispatch() // Note: event must not null out mThread! return mThread->Dispatch(this, NS_DISPATCH_NORMAL); } NS_IMETHODIMP LoadLoadableRootsTask::Run() { - nsNSSShutDownPreventionLock lock; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } - nsresult rv = LoadLoadableRoots(lock); + nsresult rv = LoadLoadableRoots(); if (NS_FAILED(rv)) { MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("LoadLoadableRoots failed")); // We don't return rv here because then BlockUntilLoadableRootsLoaded will // just wait forever. Instead we'll save its value (below) so we can inform // code that relies on the roots module being present that loading it // failed. } if (NS_SUCCEEDED(rv)) { - if (NS_FAILED(LoadExtendedValidationInfo(lock))) { + if (NS_FAILED(LoadExtendedValidationInfo())) { // This isn't a show-stopper in the same way that failing to load the // roots module is. MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("failed to load EV info")); } } { MonitorAutoLock rootsLoadedLock(mNSSComponent->mLoadableRootsLoadedMonitor); mNSSComponent->mLoadableRootsLoaded = true; @@ -1068,17 +1065,16 @@ nsresult nsNSSComponent::HasActiveSmartCards(bool& result) { MOZ_ASSERT(NS_IsMainThread(), "Main thread only"); if (!NS_IsMainThread()) { return NS_ERROR_NOT_SAME_THREAD; } #ifndef MOZ_NO_SMART_CARDS - nsNSSShutDownPreventionLock lock; MutexAutoLock nsNSSComponentLock(mMutex); AutoSECMODListReadLock secmodLock; SECMODModuleList* list = SECMOD_GetDefaultModuleList(); while (list) { if (SECMOD_HasRemovableSlots(list->module)) { result = true; return NS_OK; @@ -1093,17 +1089,16 @@ nsNSSComponent::HasActiveSmartCards(bool nsresult nsNSSComponent::HasUserCertsInstalled(bool& result) { MOZ_ASSERT(NS_IsMainThread(), "Main thread only"); if (!NS_IsMainThread()) { return NS_ERROR_NOT_SAME_THREAD; } - nsNSSShutDownPreventionLock lock; MutexAutoLock nsNSSComponentLock(mMutex); if (!mNSSInitialized) { return NS_ERROR_NOT_INITIALIZED; } result = false; UniqueCERTCertList certList( @@ -1137,17 +1132,16 @@ nsNSSComponent::BlockUntilLoadableRootsL return mLoadableRootsLoadedResult; } nsresult nsNSSComponent::CheckForSmartCardChanges() { #ifndef MOZ_NO_SMART_CARDS - nsNSSShutDownPreventionLock lock; MutexAutoLock nsNSSComponentLock(mMutex); if (!mNSSInitialized) { return NS_ERROR_NOT_INITIALIZED; } // SECMOD_UpdateSlotList attempts to acquire the list lock as well, // so we have to do this in two steps. The lock protects the list itself, so @@ -1255,18 +1249,17 @@ GetDirectoryPath(const char* directoryKe return directoryWin->GetNativeCanonicalPath(result); #else return directory->GetNativePath(result); #endif } nsresult -LoadLoadableRootsTask::LoadLoadableRoots( - const nsNSSShutDownPreventionLock& /*proofOfLock*/) +LoadLoadableRootsTask::LoadLoadableRoots() { // Find the best Roots module for our purposes. // Prefer the application's installation directory, // but also ensure the library is at least the version we expect. nsAutoString modName; nsresult rv = mNSSComponent->GetPIPNSSBundleString("RootCertModuleName", modName); @@ -2259,17 +2252,16 @@ nsNSSComponent::Observe(nsISupports* aSu // closing the sql-backed softoken requires sqlite still be available. Thus, // we observe "xpcom-shutdown" just in case. if (nsCRT::strcmp(aTopic, PROFILE_BEFORE_CHANGE_TOPIC) == 0 || nsCRT::strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("receiving profile change or XPCOM shutdown notification")); ShutdownNSS(); } else if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) { - nsNSSShutDownPreventionLock locker; bool clearSessionCache = true; NS_ConvertUTF16toUTF8 prefName(someData); if (prefName.EqualsLiteral("security.tls.version.min") || prefName.EqualsLiteral("security.tls.version.max")) { (void) setEnabledTLSVersions(); } else if (prefName.EqualsLiteral("security.ssl.require_safe_negotiation")) { bool requireSafeNegotiation = @@ -2393,19 +2385,16 @@ nsNSSComponent::RegisterObservers() } #ifdef DEBUG NS_IMETHODIMP nsNSSComponent::IsCertTestBuiltInRoot(CERTCertificate* cert, bool& result) { result = false; - // Create the nsNSSCertificate and get its hash before acquiring mMutex (we - // must avoid acquiring mMutex and then creating an - // nsNSSShutDownPreventionLock). RefPtr<nsNSSCertificate> nsc = nsNSSCertificate::Create(cert); if (!nsc) { return NS_ERROR_FAILURE; } nsAutoString certHash; nsresult rv = nsc->GetSha256Fingerprint(certHash); if (NS_FAILED(rv)) { return rv; @@ -2422,19 +2411,16 @@ nsNSSComponent::IsCertTestBuiltInRoot(CE } #endif // DEBUG NS_IMETHODIMP nsNSSComponent::IsCertContentSigningRoot(CERTCertificate* cert, bool& result) { result = false; - // Create the nsNSSCertificate and get its hash before acquiring mMutex (we - // must avoid acquiring mMutex and then creating an - // nsNSSShutDownPreventionLock). RefPtr<nsNSSCertificate> nsc = nsNSSCertificate::Create(cert); if (!nsc) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("creating nsNSSCertificate failed")); return NS_ERROR_FAILURE; } nsAutoString certHash; nsresult rv = nsc->GetSha256Fingerprint(certHash); if (NS_FAILED(rv)) { @@ -2528,18 +2514,17 @@ getNSSDialogs(void** _result, REFNSIID a } rv = svc->QueryInterface(aIID, _result); return rv; } nsresult -setPassword(PK11SlotInfo* slot, nsIInterfaceRequestor* ctx, - nsNSSShutDownPreventionLock& /*proofOfLock*/) +setPassword(PK11SlotInfo* slot, nsIInterfaceRequestor* ctx) { MOZ_ASSERT(slot); MOZ_ASSERT(ctx); NS_ENSURE_ARG_POINTER(slot); NS_ENSURE_ARG_POINTER(ctx); if (PK11_NeedUserInit(slot)) { nsCOMPtr<nsITokenPasswordDialogs> dialogs;
--- a/security/manager/ssl/nsNSSComponent.h +++ b/security/manager/ssl/nsNSSComponent.h @@ -178,19 +178,16 @@ private: #endif // XP_WIN // mLoadableRootsLoadedMonitor protects mLoadableRootsLoaded. mozilla::Monitor mLoadableRootsLoadedMonitor; bool mLoadableRootsLoaded; nsresult mLoadableRootsLoadedResult; // mMutex protects all members that are accessed from more than one thread. - // While this lock is held, the same thread must not attempt to acquire a - // nsNSSShutDownPreventionLock (acquiring a nsNSSShutDownPreventionLock and - // then acquiring this lock is fine). mozilla::Mutex mMutex; // The following members are accessed from more than one thread: nsCOMPtr<nsIStringBundle> mPIPNSSBundle; nsCOMPtr<nsIStringBundle> mNSSErrorsBundle; bool mNSSInitialized; #ifdef DEBUG nsString mTestBuiltInRootHash;
--- a/security/manager/ssl/nsNSSHelper.h +++ b/security/manager/ssl/nsNSSHelper.h @@ -47,12 +47,11 @@ pip_ucs2_ascii_conversion_fn(PRBool toUn unsigned int *outBufLen, PRBool swapBytes); } // // A function that sets the password on an unitialized slot. // nsresult -setPassword(PK11SlotInfo* slot, nsIInterfaceRequestor* ctx, - nsNSSShutDownPreventionLock& /*proofOfLock*/); +setPassword(PK11SlotInfo* slot, nsIInterfaceRequestor* ctx); #endif
--- a/security/manager/ssl/nsNSSIOLayer.cpp +++ b/security/manager/ssl/nsNSSIOLayer.cpp @@ -353,17 +353,16 @@ nsNSSSocketInfo::GetNegotiatedNPN(nsACSt return NS_OK; } NS_IMETHODIMP nsNSSSocketInfo::GetAlpnEarlySelection(nsACString& aAlpnSelected) { aAlpnSelected.Truncate(); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } SSLPreliminaryChannelInfo info; SECStatus rv = SSL_GetPreliminaryChannelInfo(mFd, &info, sizeof(info)); if (rv != SECSuccess || !info.canSendEarlyData) { return NS_ERROR_NOT_AVAILABLE; @@ -398,17 +397,16 @@ void nsNSSSocketInfo::SetEarlyDataAccepted(bool aAccepted) { mEarlyDataAccepted = aAccepted; } NS_IMETHODIMP nsNSSSocketInfo::DriveHandshake() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (!mFd) { return NS_ERROR_FAILURE; } PRErrorCode errorCode = GetErrorCode(); if (errorCode) { @@ -581,17 +579,16 @@ NS_IMETHODIMP nsNSSSocketInfo::StartTLS() { return ActivateSSL(); } NS_IMETHODIMP nsNSSSocketInfo::SetNPNList(nsTArray<nsCString>& protocolArray) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; if (!mFd) return NS_ERROR_FAILURE; // the npn list is a concatenated list of 8 bit byte strings. nsCString npnList; @@ -611,17 +608,16 @@ nsNSSSocketInfo::SetNPNList(nsTArray<nsC return NS_ERROR_FAILURE; return NS_OK; } nsresult nsNSSSocketInfo::ActivateSSL() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; if (SECSuccess != SSL_OptionSet(mFd, SSL_SECURITY, true)) return NS_ERROR_FAILURE; if (SECSuccess != SSL_ResetHandshake(mFd, false)) return NS_ERROR_FAILURE; @@ -745,18 +741,17 @@ namespace { enum Operation { reading, writing, not_reading_or_writing }; int32_t checkHandshake(int32_t bytesTransfered, bool wasReading, PRFileDesc* ssl_layer_fd, nsNSSSocketInfo* socketInfo); nsNSSSocketInfo* -getSocketInfoIfRunning(PRFileDesc* fd, Operation op, - const nsNSSShutDownPreventionLock& /*proofOfLock*/) +getSocketInfoIfRunning(PRFileDesc* fd, Operation op) { if (!fd || !fd->lower || !fd->secret || fd->identity != nsSSLIOLayerHelpers::nsSSLIOLayerIdentity) { NS_ERROR("bad file descriptor passed to getSocketInfoIfRunning"); PR_SetError(PR_BAD_DESCRIPTOR_ERROR, 0); return nullptr; } @@ -787,18 +782,17 @@ getSocketInfoIfRunning(PRFileDesc* fd, O } // namespace static PRStatus nsSSLIOLayerConnect(PRFileDesc* fd, const PRNetAddr* addr, PRIntervalTime timeout) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("[%p] connecting SSL socket\n", (void*) fd)); - nsNSSShutDownPreventionLock locker; - if (!getSocketInfoIfRunning(fd, not_reading_or_writing, locker)) + if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE; PRStatus status = fd->lower->methods->connect(fd->lower, addr, timeout); if (status != PR_SUCCESS) { MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("[%p] Lower layer connect error: %d\n", (void*) fd, PR_GetError())); return status; } @@ -960,32 +954,30 @@ bool nsSSLIOLayerHelpers::nsSSLIOLayerIn PRDescIdentity nsSSLIOLayerHelpers::nsSSLIOLayerIdentity; PRDescIdentity nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity; PRIOMethods nsSSLIOLayerHelpers::nsSSLIOLayerMethods; PRIOMethods nsSSLIOLayerHelpers::nsSSLPlaintextLayerMethods; static PRStatus nsSSLIOLayerClose(PRFileDesc* fd) { - nsNSSShutDownPreventionLock locker; if (!fd) return PR_FAILURE; MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("[%p] Shutting down socket\n", (void*) fd)); nsNSSSocketInfo* socketInfo = (nsNSSSocketInfo*) fd->secret; MOZ_ASSERT(socketInfo, "nsNSSSocketInfo was null for an fd"); - return socketInfo->CloseSocketAndDestroy(locker); + return socketInfo->CloseSocketAndDestroy(); } PRStatus -nsNSSSocketInfo::CloseSocketAndDestroy( - const nsNSSShutDownPreventionLock& /*proofOfLock*/) +nsNSSSocketInfo::CloseSocketAndDestroy() { PRFileDesc* popped = PR_PopIOLayer(mFd, PR_TOP_IO_LAYER); MOZ_ASSERT(popped && popped->identity == nsSSLIOLayerHelpers::nsSSLIOLayerIdentity, "SSL Layer not on top of stack"); // The plaintext layer is not always present - so it's not a fatal error if it // cannot be removed. @@ -1351,27 +1343,25 @@ checkHandshake(int32_t bytesTransfered, return bytesTransfered; } } // namespace static int16_t nsSSLIOLayerPoll(PRFileDesc* fd, int16_t in_flags, int16_t* out_flags) { - nsNSSShutDownPreventionLock locker; - if (!out_flags) { NS_WARNING("nsSSLIOLayerPoll called with null out_flags"); return 0; } *out_flags = 0; nsNSSSocketInfo* socketInfo = - getSocketInfoIfRunning(fd, not_reading_or_writing, locker); + getSocketInfoIfRunning(fd, not_reading_or_writing); if (!socketInfo) { // If we get here, it is probably because certificate validation failed // and this is the first I/O operation after the failure. MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("[%p] polling SSL socket right after certificate verification failed " "or NSS shutdown or SDR logout %d\n", fd, (int) in_flags)); @@ -1440,59 +1430,54 @@ static PRFileDesc* MOZ_ASSERT_UNREACHABLE("I/O method is invalid"); PR_SetError(PR_INVALID_METHOD_ERROR, 0); return nullptr; } static PRStatus PSMGetsockname(PRFileDesc* fd, PRNetAddr* addr) { - nsNSSShutDownPreventionLock locker; - if (!getSocketInfoIfRunning(fd, not_reading_or_writing, locker)) + if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE; return fd->lower->methods->getsockname(fd->lower, addr); } static PRStatus PSMGetpeername(PRFileDesc* fd, PRNetAddr* addr) { - nsNSSShutDownPreventionLock locker; - if (!getSocketInfoIfRunning(fd, not_reading_or_writing, locker)) + if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE; return fd->lower->methods->getpeername(fd->lower, addr); } static PRStatus PSMGetsocketoption(PRFileDesc* fd, PRSocketOptionData* data) { - nsNSSShutDownPreventionLock locker; - if (!getSocketInfoIfRunning(fd, not_reading_or_writing, locker)) + if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE; return fd->lower->methods->getsocketoption(fd, data); } static PRStatus PSMSetsocketoption(PRFileDesc* fd, const PRSocketOptionData* data) { - nsNSSShutDownPreventionLock locker; - if (!getSocketInfoIfRunning(fd, not_reading_or_writing, locker)) + if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE; return fd->lower->methods->setsocketoption(fd, data); } static int32_t PSMRecv(PRFileDesc* fd, void* buf, int32_t amount, int flags, PRIntervalTime timeout) { - nsNSSShutDownPreventionLock locker; - nsNSSSocketInfo* socketInfo = getSocketInfoIfRunning(fd, reading, locker); + nsNSSSocketInfo* socketInfo = getSocketInfoIfRunning(fd, reading); if (!socketInfo) return -1; if (flags != PR_MSG_PEEK && flags != 0) { PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0); return -1; } @@ -1508,18 +1493,17 @@ PSMRecv(PRFileDesc* fd, void* buf, int32 return checkHandshake(bytesRead, true, fd, socketInfo); } static int32_t PSMSend(PRFileDesc* fd, const void* buf, int32_t amount, int flags, PRIntervalTime timeout) { - nsNSSShutDownPreventionLock locker; - nsNSSSocketInfo* socketInfo = getSocketInfoIfRunning(fd, writing, locker); + nsNSSSocketInfo* socketInfo = getSocketInfoIfRunning(fd, writing); if (!socketInfo) return -1; if (flags != 0) { PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0); return -1; } @@ -1594,18 +1578,17 @@ PSMSend(PRFileDesc* fd, const void* buf, ("[%p] wrote %d bytes\n", fd, bytesWritten)); return checkHandshake(bytesWritten, false, fd, socketInfo); } static PRStatus PSMBind(PRFileDesc* fd, const PRNetAddr *addr) { - nsNSSShutDownPreventionLock locker; - if (!getSocketInfoIfRunning(fd, not_reading_or_writing, locker)) + if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) return PR_FAILURE; return fd->lower->methods->bind(fd->lower, addr); } static int32_t nsSSLIOLayerRead(PRFileDesc* fd, void* buf, int32_t amount) { @@ -1616,18 +1599,17 @@ static int32_t nsSSLIOLayerWrite(PRFileDesc* fd, const void* buf, int32_t amount) { return PSMSend(fd, buf, amount, 0, PR_INTERVAL_NO_TIMEOUT); } static PRStatus PSMConnectcontinue(PRFileDesc* fd, int16_t out_flags) { - nsNSSShutDownPreventionLock locker; - if (!getSocketInfoIfRunning(fd, not_reading_or_writing, locker)) { + if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) { return PR_FAILURE; } return fd->lower->methods->connectcontinue(fd, out_flags); } static int PSMAvailable(void) @@ -2160,18 +2142,16 @@ private: // successful; otherwise nullptr // - pRetKey: returns a pointer to a pointer to the corresponding key if // successful; otherwise nullptr SECStatus nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket, CERTDistNames* caNames, CERTCertificate** pRetCert, SECKEYPrivateKey** pRetKey) { - nsNSSShutDownPreventionLock locker; - if (!socket || !caNames || !pRetCert || !pRetKey) { PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0); return SECFailure; } RefPtr<nsNSSSocketInfo> info( BitwiseCast<nsNSSSocketInfo*, PRFilePrivate*>(socket->higher->secret)); @@ -2493,17 +2473,16 @@ done: } } static PRFileDesc* nsSSLIOLayerImportFD(PRFileDesc* fd, nsNSSSocketInfo* infoObject, const char* host) { - nsNSSShutDownPreventionLock locker; PRFileDesc* sslSock = SSL_ImportFD(nullptr, fd); if (!sslSock) { MOZ_ASSERT_UNREACHABLE("NSS: Error importing socket"); return nullptr; } SSL_SetPKCS11PinArg(sslSock, (nsIInterfaceRequestor*) infoObject); SSL_HandshakeCallback(sslSock, HandshakeCallback, infoObject); SSL_SetCanFalseStartCallback(sslSock, CanFalseStartCallback, infoObject); @@ -2558,17 +2537,16 @@ static const SSLSignatureScheme sEnabled ssl_sig_rsa_pkcs1_sha1, }; static nsresult nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS, bool haveProxy, const char* host, int32_t port, nsNSSSocketInfo* infoObject) { - nsNSSShutDownPreventionLock locker; if (forSTARTTLS || haveProxy) { if (SECSuccess != SSL_OptionSet(fd, SSL_SECURITY, false)) { return NS_ERROR_FAILURE; } } SSLVersionRange range; if (SSL_VersionRangeGet(fd, &range) != SECSuccess) { @@ -2733,17 +2711,16 @@ nsSSLIOLayerAddToSocket(int32_t family, nsIProxyInfo* proxy, const OriginAttributes& originAttributes, PRFileDesc* fd, nsISupports** info, bool forSTARTTLS, uint32_t providerFlags, uint32_t providerTlsFlags) { - nsNSSShutDownPreventionLock locker; PRFileDesc* layer = nullptr; PRFileDesc* plaintextLayer = nullptr; nsresult rv; PRStatus stat; SharedSSLState* sharedState = nullptr; RefPtr<SharedSSLState> allocatedState; if (providerTlsFlags) {
--- a/security/manager/ssl/nsNSSIOLayer.h +++ b/security/manager/ssl/nsNSSIOLayer.h @@ -50,18 +50,17 @@ public: nsresult SetFileDescPtr(PRFileDesc* aFilePtr); bool IsHandshakePending() const { return mHandshakePending; } void SetHandshakeNotPending() { mHandshakePending = false; } void SetTLSVersionRange(SSLVersionRange range) { mTLSVersionRange = range; } SSLVersionRange GetTLSVersionRange() const { return mTLSVersionRange; }; - PRStatus CloseSocketAndDestroy( - const nsNSSShutDownPreventionLock& proofOfLock); + PRStatus CloseSocketAndDestroy(); void SetNegotiatedNPN(const char* value, uint32_t length); void SetEarlyDataAccepted(bool aAccepted); void SetHandshakeCompleted(); void NoteTimeUntilReady();
--- a/security/manager/ssl/nsNSSShutDown.h +++ b/security/manager/ssl/nsNSSShutDown.h @@ -5,36 +5,16 @@ #ifndef nsNSSShutDown_h #define nsNSSShutDown_h // This is the vestigial remains of the old NSS shutdown tracking // infrastructure. It will be removed entirely in bug 1421084 when we've // demonstrated that shutting down NSS only when all non-main-threads have been // joined is feasible (and beneficial). -// Yes, this races. We don't care because we're only temporarily using this to -// silence compiler warnings. Without it every instance of a -// nsNSSShutDownPreventionLock would be unused, causing the compiler to -// complain. -static int sSilenceCompilerWarnings; - -class nsNSSShutDownPreventionLock -{ -public: - nsNSSShutDownPreventionLock() - { - sSilenceCompilerWarnings++; - } - - ~nsNSSShutDownPreventionLock() - { - sSilenceCompilerWarnings--; - } -}; - class nsNSSShutDownObject { public: enum class ShutdownCalledFrom { List, Object, };
--- a/security/manager/ssl/nsNTLMAuthModule.cpp +++ b/security/manager/ssl/nsNTLMAuthModule.cpp @@ -981,20 +981,17 @@ nsNTLMAuthModule::InitTest() { static bool prefObserved = false; if (!prefObserved) { mozilla::Preferences::AddBoolVarCache( &sNTLMv1Forced, "network.auth.force-generic-ntlm-v1", sNTLMv1Forced); prefObserved = true; } - nsNSSShutDownPreventionLock locker; - // // disable NTLM authentication when FIPS mode is enabled. - // return PK11_IsFIPS() ? NS_ERROR_NOT_AVAILABLE : NS_OK; } NS_IMETHODIMP nsNTLMAuthModule::Init(const char* /*serviceName*/, uint32_t serviceFlags, const char16_t* domain, const char16_t* username, const char16_t* password) { @@ -1022,22 +1019,21 @@ nsNTLMAuthModule::Init(const char* /*ser NS_IMETHODIMP nsNTLMAuthModule::GetNextToken(const void *inToken, uint32_t inTokenLen, void **outToken, uint32_t *outTokenLen) { nsresult rv; - nsNSSShutDownPreventionLock locker; - // + // disable NTLM authentication when FIPS mode is enabled. - // - if (PK11_IsFIPS()) + if (PK11_IsFIPS()) { return NS_ERROR_NOT_AVAILABLE; + } if (mNTLMNegotiateSent) { // if inToken is non-null, and we have sent the NTLMSSP_NEGOTIATE (type 1), // then the NTLMSSP_CHALLENGE (type 2) is expected if (inToken) { LogToken("in-token", inToken, inTokenLen); // Now generate the NTLMSSP_AUTH (type 3) rv = GenerateType3Msg(mDomain, mUsername, mPassword, inToken,
--- a/security/manager/ssl/nsPK11TokenDB.cpp +++ b/security/manager/ssl/nsPK11TokenDB.cpp @@ -22,28 +22,27 @@ extern mozilla::LazyLogModule gPIPNSSLog NS_IMPL_ISUPPORTS(nsPK11Token, nsIPK11Token) nsPK11Token::nsPK11Token(PK11SlotInfo* slot) : mUIContext(new PipUIContext()) { MOZ_ASSERT(slot); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return; mSlot.reset(PK11_ReferenceSlot(slot)); mSeries = PK11_GetSlotSeries(slot); - Unused << refreshTokenInfo(locker); + Unused << refreshTokenInfo(); } nsresult -nsPK11Token::refreshTokenInfo(const nsNSSShutDownPreventionLock& /*proofOfLock*/) +nsPK11Token::refreshTokenInfo() { mTokenName = PK11_GetTokenName(mSlot.get()); CK_TOKEN_INFO tokInfo; nsresult rv = MapSECStatus(PK11_GetTokenInfo(mSlot.get(), &tokInfo)); if (NS_FAILED(rv)) { return rv; } @@ -80,17 +79,16 @@ nsPK11Token::refreshTokenInfo(const nsNS strnlen(ccSerial, sizeof(tokInfo.serialNumber))); mTokenSerialNum.Trim(" ", false, true); return NS_OK; } nsPK11Token::~nsPK11Token() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } void @@ -104,24 +102,23 @@ nsPK11Token::destructorSafeDestroyNSSRef { mSlot = nullptr; } nsresult nsPK11Token::GetAttributeHelper(const nsACString& attribute, /*out*/ nsACString& xpcomOutParam) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } // Handle removals/insertions. if (PK11_GetSlotSeries(mSlot.get()) != mSeries) { - nsresult rv = refreshTokenInfo(locker); + nsresult rv = refreshTokenInfo(); if (NS_FAILED(rv)) { return rv; } } xpcomOutParam = attribute; return NS_OK; } @@ -162,50 +159,47 @@ nsPK11Token::GetTokenSerialNumber(/*out* return GetAttributeHelper(mTokenSerialNum, tokenSerialNum); } NS_IMETHODIMP nsPK11Token::IsLoggedIn(bool* _retval) { NS_ENSURE_ARG_POINTER(_retval); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; *_retval = PK11_IsLoggedIn(mSlot.get(), 0); return NS_OK; } NS_IMETHODIMP nsPK11Token::Login(bool force) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; nsresult rv; bool test; rv = this->NeedsLogin(&test); if (NS_FAILED(rv)) return rv; if (test && force) { rv = this->LogoutSimple(); if (NS_FAILED(rv)) return rv; } - rv = setPassword(mSlot.get(), mUIContext, locker); + rv = setPassword(mSlot.get(), mUIContext); if (NS_FAILED(rv)) return rv; return MapSECStatus(PK11_Authenticate(mSlot.get(), true, mUIContext)); } NS_IMETHODIMP nsPK11Token::LogoutSimple() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; // PK11_Logout() can fail if the user wasn't logged in beforehand. We want // this method to succeed even in this case, so we ignore the return value. Unused << PK11_Logout(mSlot.get()); return NS_OK; } @@ -225,42 +219,39 @@ nsPK11Token::LogoutAndDropAuthenticatedR return rv; return nssComponent->LogoutAuthenticatedPK11(); } NS_IMETHODIMP nsPK11Token::Reset() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; return MapSECStatus(PK11_ResetToken(mSlot.get(), nullptr)); } NS_IMETHODIMP nsPK11Token::GetNeedsUserInit(bool* aNeedsUserInit) { NS_ENSURE_ARG_POINTER(aNeedsUserInit); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; *aNeedsUserInit = PK11_NeedUserInit(mSlot.get()); return NS_OK; } NS_IMETHODIMP nsPK11Token::CheckPassword(const nsACString& password, bool* _retval) { NS_ENSURE_ARG_POINTER(_retval); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; SECStatus srv = PK11_CheckUserPassword(mSlot.get(), PromiseFlatCString(password).get()); if (srv != SECSuccess) { *_retval = false; PRErrorCode error = PR_GetError(); @@ -272,17 +263,16 @@ nsPK11Token::CheckPassword(const nsACStr *_retval = true; } return NS_OK; } NS_IMETHODIMP nsPK11Token::InitPassword(const nsACString& initialPassword) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } const nsCString& passwordCStr = PromiseFlatCString(initialPassword); // PSM initializes the sqlite-backed softoken with an empty password. The // implementation considers this not to be a password (GetHasPassword returns // false), but we can't actually call PK11_InitPin again. Instead, we call @@ -297,17 +287,16 @@ nsPK11Token::InitPassword(const nsACStri } return MapSECStatus(PK11_InitPin(mSlot.get(), "", passwordCStr.get())); } NS_IMETHODIMP nsPK11Token::ChangePassword(const nsACString& oldPassword, const nsACString& newPassword) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; // PK11_ChangePW() has different semantics for the empty string and for // nullptr. In order to support this difference, we need to check IsVoid() to // find out if our caller supplied null/undefined args or just empty strings. // See Bug 447589. return MapSECStatus(PK11_ChangePW( @@ -316,34 +305,32 @@ nsPK11Token::ChangePassword(const nsACSt newPassword.IsVoid() ? nullptr : PromiseFlatCString(newPassword).get())); } NS_IMETHODIMP nsPK11Token::GetHasPassword(bool* hasPassword) { NS_ENSURE_ARG_POINTER(hasPassword); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } // PK11_NeedLogin returns true if the token is currently configured to require // the user to log in (whether or not the user is actually logged in makes no // difference). *hasPassword = PK11_NeedLogin(mSlot.get()) && !PK11_NeedUserInit(mSlot.get()); return NS_OK; } NS_IMETHODIMP nsPK11Token::NeedsLogin(bool* _retval) { NS_ENSURE_ARG_POINTER(_retval); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; *_retval = PK11_NeedLogin(mSlot.get()); return NS_OK; } @@ -352,30 +339,28 @@ nsPK11Token::NeedsLogin(bool* _retval) NS_IMPL_ISUPPORTS(nsPK11TokenDB, nsIPK11TokenDB) nsPK11TokenDB::nsPK11TokenDB() { } nsPK11TokenDB::~nsPK11TokenDB() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } shutdown(ShutdownCalledFrom::Object); } NS_IMETHODIMP nsPK11TokenDB::GetInternalKeyToken(nsIPK11Token** _retval) { NS_ENSURE_ARG_POINTER(_retval); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); if (!slot) { return NS_ERROR_FAILURE; } @@ -387,17 +372,16 @@ nsPK11TokenDB::GetInternalKeyToken(nsIPK } NS_IMETHODIMP nsPK11TokenDB::FindTokenByName(const nsACString& tokenName, /*out*/ nsIPK11Token** _retval) { NS_ENSURE_ARG_POINTER(_retval); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsresult rv = BlockUntilLoadableRootsLoaded(); if (NS_FAILED(rv)) { return rv; }
--- a/security/manager/ssl/nsPK11TokenDB.h +++ b/security/manager/ssl/nsPK11TokenDB.h @@ -26,17 +26,17 @@ public: explicit nsPK11Token(PK11SlotInfo *slot); protected: virtual ~nsPK11Token(); private: friend class nsPK11TokenDB; - nsresult refreshTokenInfo(const nsNSSShutDownPreventionLock& proofOfLock); + nsresult refreshTokenInfo(); nsCString mTokenName; nsCString mTokenLabel; nsCString mTokenManufacturerID; nsCString mTokenHWVersion; nsCString mTokenFWVersion; nsCString mTokenSerialNum; mozilla::UniquePK11SlotInfo mSlot;
--- a/security/manager/ssl/nsPKCS11Slot.cpp +++ b/security/manager/ssl/nsPKCS11Slot.cpp @@ -22,27 +22,26 @@ using mozilla::LogLevel; extern mozilla::LazyLogModule gPIPNSSLog; NS_IMPL_ISUPPORTS(nsPKCS11Slot, nsIPKCS11Slot) nsPKCS11Slot::nsPKCS11Slot(PK11SlotInfo* slot) { MOZ_ASSERT(slot); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return; mSlot.reset(PK11_ReferenceSlot(slot)); mSeries = PK11_GetSlotSeries(slot); - Unused << refreshSlotInfo(locker); + Unused << refreshSlotInfo(); } nsresult -nsPKCS11Slot::refreshSlotInfo(const nsNSSShutDownPreventionLock& /*proofOfLock*/) +nsPKCS11Slot::refreshSlotInfo() { CK_SLOT_INFO slotInfo; nsresult rv = MapSECStatus(PK11_GetSlotInfo(mSlot.get(), &slotInfo)); if (NS_FAILED(rv)) { return rv; } // Set the Description field @@ -71,17 +70,16 @@ nsPKCS11Slot::refreshSlotInfo(const nsNS mSlotFWVersion.Append('.'); mSlotFWVersion.AppendInt(slotInfo.firmwareVersion.minor); return NS_OK; } nsPKCS11Slot::~nsPKCS11Slot() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } void @@ -95,36 +93,34 @@ nsPKCS11Slot::destructorSafeDestroyNSSRe { mSlot = nullptr; } nsresult nsPKCS11Slot::GetAttributeHelper(const nsACString& attribute, /*out*/ nsACString& xpcomOutParam) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } if (PK11_GetSlotSeries(mSlot.get()) != mSeries) { - nsresult rv = refreshSlotInfo(locker); + nsresult rv = refreshSlotInfo(); if (NS_FAILED(rv)) { return rv; } } xpcomOutParam = attribute; return NS_OK; } NS_IMETHODIMP nsPKCS11Slot::GetName(/*out*/ nsACString& name) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; // |csn| is non-owning. char* csn = PK11_GetSlotName(mSlot.get()); if (csn && *csn) { name = csn; } else if (PK11_HasRootCerts(mSlot.get())) { @@ -164,54 +160,51 @@ nsPKCS11Slot::GetFWVersion(/*out*/ nsACS return GetAttributeHelper(mSlotFWVersion, fwVersion); } NS_IMETHODIMP nsPKCS11Slot::GetToken(nsIPK11Token** _retval) { NS_ENSURE_ARG_POINTER(_retval); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; nsCOMPtr<nsIPK11Token> token = new nsPK11Token(mSlot.get()); token.forget(_retval); return NS_OK; } NS_IMETHODIMP nsPKCS11Slot::GetTokenName(/*out*/ nsACString& tokenName) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; if (!PK11_IsPresent(mSlot.get())) { tokenName.SetIsVoid(true); return NS_OK; } if (PK11_GetSlotSeries(mSlot.get()) != mSeries) { - nsresult rv = refreshSlotInfo(locker); + nsresult rv = refreshSlotInfo(); if (NS_FAILED(rv)) { return rv; } } tokenName = PK11_GetTokenName(mSlot.get()); return NS_OK; } NS_IMETHODIMP nsPKCS11Slot::GetStatus(uint32_t* _retval) { NS_ENSURE_ARG_POINTER(_retval); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; if (PK11_IsDisabled(mSlot.get())) { *_retval = SLOT_DISABLED; } else if (!PK11_IsPresent(mSlot.get())) { *_retval = SLOT_NOT_PRESENT; } else if (PK11_NeedLogin(mSlot.get()) && PK11_NeedUserInit(mSlot.get())) { @@ -228,26 +221,24 @@ nsPKCS11Slot::GetStatus(uint32_t* _retva } NS_IMPL_ISUPPORTS(nsPKCS11Module, nsIPKCS11Module) nsPKCS11Module::nsPKCS11Module(SECMODModule* module) { MOZ_ASSERT(module); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return; mModule.reset(SECMOD_ReferenceModule(module)); } nsPKCS11Module::~nsPKCS11Module() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } void @@ -260,28 +251,26 @@ void nsPKCS11Module::destructorSafeDestroyNSSReference() { mModule = nullptr; } NS_IMETHODIMP nsPKCS11Module::GetName(/*out*/ nsACString& name) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; name = mModule->commonName; return NS_OK; } NS_IMETHODIMP nsPKCS11Module::GetLibName(/*out*/ nsACString& libName) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; if (mModule->dllName) { libName = mModule->dllName; } else { libName.SetIsVoid(true); } @@ -289,17 +278,16 @@ nsPKCS11Module::GetLibName(/*out*/ nsACS } NS_IMETHODIMP nsPKCS11Module::FindSlotByName(const nsACString& name, /*out*/ nsIPKCS11Slot** _retval) { NS_ENSURE_ARG_POINTER(_retval); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; const nsCString& flatName = PromiseFlatCString(name); MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Getting \"%s\"", flatName.get())); UniquePK11SlotInfo slotInfo; UniquePK11SlotList slotList(PK11_FindSlotsByNames(mModule->dllName, flatName.get() /*slotName*/, @@ -328,17 +316,16 @@ nsPKCS11Module::FindSlotByName(const nsA return NS_OK; } NS_IMETHODIMP nsPKCS11Module::ListSlots(nsISimpleEnumerator** _retval) { NS_ENSURE_ARG_POINTER(_retval); - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsresult rv = CheckForSmartCardChanges(); if (NS_FAILED(rv)) { return rv; }
--- a/security/manager/ssl/nsPKCS11Slot.h +++ b/security/manager/ssl/nsPKCS11Slot.h @@ -32,17 +32,17 @@ private: nsCString mSlotDesc; nsCString mSlotManufacturerID; nsCString mSlotHWVersion; nsCString mSlotFWVersion; int mSeries; virtual void virtualDestroyNSSReference() override; void destructorSafeDestroyNSSReference(); - nsresult refreshSlotInfo(const nsNSSShutDownPreventionLock& proofOfLock); + nsresult refreshSlotInfo(); nsresult GetAttributeHelper(const nsACString& attribute, /*out*/ nsACString& xpcomOutParam); }; class nsPKCS11Module : public nsIPKCS11Module, public nsNSSShutDownObject { public:
--- a/security/manager/ssl/nsPKCS12Blob.cpp +++ b/security/manager/ssl/nsPKCS12Blob.cpp @@ -37,32 +37,30 @@ nsPKCS12Blob::nsPKCS12Blob() , mTmpFile(nullptr) { mUIContext = new PipUIContext(); } // destructor nsPKCS12Blob::~nsPKCS12Blob() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } shutdown(ShutdownCalledFrom::Object); } // nsPKCS12Blob::ImportFromFile // // Given a file handle, read a PKCS#12 blob from that file, decode it, and // import the results into the internal database. nsresult nsPKCS12Blob::ImportFromFile(nsIFile *file) { - nsNSSShutDownPreventionLock locker; nsresult rv = NS_OK; RetryReason wantRetry; do { rv = ImportFromFileHelper(file, im_standard_prompt, wantRetry); if (NS_SUCCEEDED(rv) && wantRetry == rr_auto_retry_empty_password_flavors) { @@ -74,17 +72,16 @@ nsPKCS12Blob::ImportFromFile(nsIFile *fi return rv; } nsresult nsPKCS12Blob::ImportFromFileHelper(nsIFile *file, nsPKCS12Blob::ImportMode aImportMode, nsPKCS12Blob::RetryReason &aWantRetry) { - nsNSSShutDownPreventionLock locker; nsresult rv = NS_OK; SECStatus srv = SECSuccess; SEC_PKCS12DecoderContext *dcx = nullptr; SECItem unicodePw = { siBuffer, nullptr, 0 }; aWantRetry = rr_do_not_retry; UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); @@ -183,17 +180,16 @@ isExtractable(SECKEYPrivateKey *privKey) // nsPKCS12Blob::ExportToFile // // Having already loaded the certs, form them into a blob (loading the keys // also), encode the blob, and stuff it into the file. nsresult nsPKCS12Blob::ExportToFile(nsIFile *file, nsIX509Cert **certs, int numCerts) { - nsNSSShutDownPreventionLock locker; nsresult rv; SECStatus srv = SECSuccess; SEC_PKCS12ExportContext *ecx = nullptr; SEC_PKCS12SafeInfo *certSafe = nullptr, *keySafe = nullptr; SECItem unicodePw; nsAutoString filePath; int i; nsCOMPtr<nsIFile> localFileRef; @@ -384,17 +380,16 @@ nsPKCS12Blob::getPKCS12FilePassword(SECI } // inputToDecoder // // Given a decoder, read bytes from file and input them to the decoder. nsresult nsPKCS12Blob::inputToDecoder(SEC_PKCS12DecoderContext *dcx, nsIFile *file) { - nsNSSShutDownPreventionLock locker; nsresult rv; SECStatus srv; uint32_t amount; char buf[PIP_PKCS12_BUFFER_SIZE]; nsCOMPtr<nsIInputStream> fileStream; rv = NS_NewLocalFileInputStream(getter_AddRefs(fileStream), file); @@ -424,17 +419,16 @@ nsPKCS12Blob::inputToDecoder(SEC_PKCS12D } // nickname_collision // what to do when the nickname collides with one already in the db. // TODO: not handled, throw a dialog allowing the nick to be changed? SECItem * nsPKCS12Blob::nickname_collision(SECItem *oldNick, PRBool *cancel, void *wincx) { - nsNSSShutDownPreventionLock locker; *cancel = false; int count = 1; nsCString nickname; nsAutoString nickFromProp; nsresult rv = GetPIPNSSBundleString("P12DefaultNickname", nickFromProp); if (NS_FAILED(rv)) { return nullptr; }
--- a/security/manager/ssl/nsRandomGenerator.cpp +++ b/security/manager/ssl/nsRandomGenerator.cpp @@ -14,17 +14,16 @@ NS_IMPL_ISUPPORTS(nsRandomGenerator, nsI NS_IMETHODIMP nsRandomGenerator::GenerateRandomBytes(uint32_t aLength, uint8_t** aBuffer) { NS_ENSURE_ARG_POINTER(aBuffer); *aBuffer = nullptr; - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } mozilla::UniquePK11SlotInfo slot(PK11_GetInternalSlot()); if (!slot) { return NS_ERROR_FAILURE; } @@ -42,14 +41,13 @@ nsRandomGenerator::GenerateRandomBytes(u *aBuffer = buf; return NS_OK; } nsRandomGenerator::~nsRandomGenerator() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } shutdown(ShutdownCalledFrom::Object); }
--- a/security/manager/ssl/nsSSLStatus.cpp +++ b/security/manager/ssl/nsSSLStatus.cpp @@ -390,17 +390,16 @@ nsSSLStatus::nsSSLStatus() , mHaveCertErrorBits(false) { } NS_IMPL_ISUPPORTS(nsSSLStatus, nsISSLStatus, nsISerializable, nsIClassInfo) nsSSLStatus::~nsSSLStatus() { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } shutdown(ShutdownCalledFrom::Object); } void nsSSLStatus::SetServerCert(nsNSSCertificate* aServerCert, EVStatus aEVStatus) @@ -410,23 +409,22 @@ nsSSLStatus::SetServerCert(nsNSSCertific mServerCert = aServerCert; mIsEV = (aEVStatus == EVStatus::EV); mHasIsEVStatus = true; } nsresult nsSSLStatus::SetSucceededCertChain(UniqueCERTCertList aCertList) { - nsNSSShutDownPreventionLock lock; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } // nsNSSCertList takes ownership of certList - mSucceededCertChain = new nsNSSCertList(Move(aCertList), lock); + mSucceededCertChain = new nsNSSCertList(Move(aCertList)); return NS_OK; } void nsSSLStatus::SetFailedCertChain(nsIX509CertList* aX509CertList) { mFailedCertChain = aX509CertList;
--- a/services/crypto/component/IdentityCryptoService.cpp +++ b/services/crypto/component/IdentityCryptoService.cpp @@ -54,17 +54,16 @@ public: NS_DECL_NSIIDENTITYKEYPAIR KeyPair(SECKEYPrivateKey* aPrivateKey, SECKEYPublicKey* aPublicKey, nsIEventTarget* aOperationThread); private: ~KeyPair() override { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } void virtualDestroyNSSReference() override @@ -96,17 +95,16 @@ public: NS_DECL_NSIRUNNABLE KeyGenRunnable(KeyType keyType, nsIIdentityKeyGenCallback * aCallback, nsIEventTarget* aOperationThread); private: ~KeyGenRunnable() override { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } void virtualDestroyNSSReference() override @@ -134,17 +132,16 @@ public: NS_DECL_NSIRUNNABLE SignRunnable(const nsACString & textToSign, SECKEYPrivateKey * privateKey, nsIIdentitySignCallback * aCallback); private: ~SignRunnable() override { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return; } destructorSafeDestroyNSSReference(); shutdown(ShutdownCalledFrom::Object); } void virtualDestroyNSSReference() override @@ -436,17 +433,16 @@ GenerateDSAKeyPair(PK11SlotInfo * slot, return GenerateKeyPair(slot, privateKey, publicKey, CKM_DSA_KEY_PAIR_GEN, &pqgParams); } NS_IMETHODIMP KeyGenRunnable::Run() { if (!NS_IsMainThread()) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { mRv = NS_ERROR_NOT_AVAILABLE; } else { // We always want to use the internal slot for BrowserID; in particular, // we want to avoid smartcard slots. PK11SlotInfo *slot = PK11_GetInternalSlot(); if (!slot) { mRv = NS_ERROR_UNEXPECTED; @@ -495,17 +491,16 @@ SignRunnable::SignRunnable(const nsACStr , mRv(NS_ERROR_NOT_INITIALIZED) { } NS_IMETHODIMP SignRunnable::Run() { if (!NS_IsMainThread()) { - nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { mRv = NS_ERROR_NOT_AVAILABLE; } else { // We need the output in PKCS#11 format, not DER encoding, so we must use // PK11_HashBuf and PK11_Sign instead of SEC_SignData. SECItem sig = { siBuffer, nullptr, 0 }; int sigLength = PK11_SignatureLen(mPrivateKey);