| author | Brian Smith <bsmith@mozilla.com> |
| Mon, 12 Nov 2012 09:42:28 -0800 | |
| changeset 115135 | 57e047e6401989a7b04528f75ab095bb40b27b9f |
| parent 115134 | 9f24c48b21e3a7787a2cd11e760136c37fe1c824 |
| child 115136 | a2da6577872b0df1930730c3e2bd6c1791eae8f5 |
| push id | 23973 |
| push user | emorley@mozilla.com |
| push date | Thu, 06 Dec 2012 10:04:18 +0000 |
| treeherder | mozilla-central@ddda5400c826 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | honzab |
| bugs | 767241 |
| milestone | 20.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp +++ b/security/manager/ssl/src/SSLServerCertVerification.cpp @@ -106,33 +106,33 @@ #include "mozilla/Assertions.h" #include "nsIThreadPool.h" #include "nsXPCOMCIDInternal.h" #include "nsComponentManagerUtils.h" #include "nsServiceManagerUtils.h" #include "nsIConsoleService.h" #include "PSMRunnable.h" +#include "ScopedNSSTypes.h" #include "ssl.h" #include "secerr.h" #include "secport.h" #include "sslerr.h" #ifdef PR_LOGGING extern PRLogModuleInfo* gPIPNSSLog; #endif namespace mozilla { namespace psm { namespace { NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); -NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate) NSSCleanupAutoPtrClass_WithParam(PLArenaPool, PORT_FreeArena, FalseParam, false) // do not use a nsCOMPtr to avoid static initializer/destructor nsIThreadPool * gCertVerificationThreadPool = nullptr; } // unnamed namespace // Called when the socket transport thread starts, to initialize the SSL cert // verification thread pool. By tying the thread pool startup/shutdown directly @@ -610,37 +610,30 @@ public: CERTCertificate * serverCert); private: NS_DECL_NSIRUNNABLE // Must be called only on the socket transport thread SSLServerCertVerificationJob(const void * fdForLogging, TransportSecurityInfo * infoObject, CERTCertificate * cert); - ~SSLServerCertVerificationJob(); - const void * const mFdForLogging; const RefPtr<TransportSecurityInfo> mInfoObject; - CERTCertificate * const mCert; + const ScopedCERTCertificate mCert; }; SSLServerCertVerificationJob::SSLServerCertVerificationJob( const void * fdForLogging, TransportSecurityInfo * infoObject, CERTCertificate * cert) : mFdForLogging(fdForLogging) , mInfoObject(infoObject) , mCert(CERT_DupCertificate(cert)) { } -SSLServerCertVerificationJob::~SSLServerCertVerificationJob() -{ - CERT_DestroyCertificate(mCert); -} - SECStatus PSM_SSL_PKIX_AuthCertificate(CERTCertificate *peerCert, void * pinarg, const char * hostname) { SECStatus rv; if (!nsNSSComponent::globalConstFlagUsePKIXVerification) { rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), peerCert, true, @@ -813,20 +806,19 @@ BlockServerCertChangeForSpdy(nsNSSSocket // If GetNegotiatedNPN() failed we will assume spdy for safety's safe if (NS_FAILED(rv)) PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("BlockServerCertChangeForSpdy failed GetNegotiatedNPN() call." " Assuming spdy.\n")); // Check to see if the cert has actually changed - CERTCertificate * c = cert2->GetCert(); + ScopedCERTCertificate c(cert2->GetCert()); NS_ASSERTION(c, "very bad and hopefully impossible state"); bool sameCert = CERT_CompareCerts(c, serverCert); - CERT_DestroyCertificate(c); if (sameCert) return SECSuccess; // Report an error - changed cert is confirmed PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("SPDY Refused to allow new cert during renegotiation\n")); PR_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, 0); return SECFailure; @@ -882,18 +874,18 @@ AuthCertificate(TransportSecurityInfo * RefPtr<nsSSLStatus> status(infoObject->SSLStatus()); RefPtr<nsNSSCertificate> nsc; if (!status || !status->mServerCert) { nsc = nsNSSCertificate::Create(cert); } - CERTCertList *certList = nullptr; - certList = CERT_GetCertChainFromCert(cert, PR_Now(), certUsageSSLCA); + ScopedCERTCertList certList(CERT_GetCertChainFromCert(cert, PR_Now(), + certUsageSSLCA)); if (!certList) { rv = SECFailure; } else { PRErrorCode blacklistErrorCode; if (rv == SECSuccess) { // PSM_SSL_PKIX_AuthCertificate said "valid cert" blacklistErrorCode = PSM_SSL_BlacklistDigiNotar(cert, certList); } else { // PSM_SSL_PKIX_AuthCertificate said "invalid cert" PRErrorCode savedErrorCode = PORT_GetError(); @@ -938,30 +930,25 @@ AuthCertificate(TransportSecurityInfo * // We don't want to remember the server cert, // the code that cares for displaying page info does this already. continue; } // We have found a signer cert that we want to remember. char* nickname = nsNSSCertificate::defaultServerNickname(node->cert); if (nickname && *nickname) { - PK11SlotInfo *slot = PK11_GetInternalKeySlot(); + ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); if (slot) { PK11_ImportCert(slot, node->cert, CK_INVALID_HANDLE, nickname, false); - PK11_FreeSlot(slot); } } PR_FREEIF(nickname); } - if (certList) { - CERT_DestroyCertList(certList); - } - // The connection may get terminated, for example, if the server requires // a client cert. Let's provide a minimal SSLStatus // to the caller that contains at least the cert and its status. if (!status) { status = new nsSSLStatus(); infoObject->SetSSLStatus(status); } @@ -1120,18 +1107,17 @@ AuthCertificateHook(void *arg, PRFileDes nsNSSSocketInfo *socketInfo = static_cast<nsNSSSocketInfo*>(arg); if (socketInfo) { // This is the first callback during full handshakes. socketInfo->SetFirstServerHelloReceived(); } - CERTCertificate *serverCert = SSL_PeerCertificate(fd); - CERTCertificateCleaner serverCertCleaner(serverCert); + ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd)); if (!checkSig || isServer || !socketInfo || !serverCert) { PR_SetError(PR_INVALID_STATE_ERROR, 0); return SECFailure; } if (BlockServerCertChangeForSpdy(socketInfo, serverCert) != SECSuccess) return SECFailure;
--- a/security/manager/ssl/src/TransportSecurityInfo.cpp +++ b/security/manager/ssl/src/TransportSecurityInfo.cpp @@ -10,37 +10,35 @@ #include "nsNSSCertificate.h" #include "nsIX509CertValidity.h" #include "nsIDateTimeFormat.h" #include "nsDateTimeFormatCID.h" #include "nsICertOverrideService.h" #include "nsIObjectInputStream.h" #include "nsIObjectOutputStream.h" #include "nsNSSCertHelper.h" -#include "nsNSSCleaner.h" #include "nsIProgrammingLanguage.h" #include "nsIArray.h" #include "PSMRunnable.h" +#include "ScopedNSSTypes.h" #include "secerr.h" //#define DEBUG_SSL_VERBOSE //Enable this define to get minimal //reports when doing SSL read/write //#define DUMP_BUFFER //Enable this define along with //DEBUG_SSL_VERBOSE to dump SSL //read/write buffer to a log. //Uses PR_LOG except on Mac where //we always write out to our own //file. namespace { -NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate) - static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); } // unnamed namespace namespace mozilla { namespace psm { TransportSecurityInfo::TransportSecurityInfo() : mMutex("TransportSecurityInfo::mMutex"), @@ -775,18 +773,17 @@ AppendErrorTextMismatch(const nsString & nsIX509Cert* ix509, nsINSSComponent *component, bool wantsHtml, nsString &returnedMessage) { const PRUnichar *params[1]; nsresult rv; - CERTCertificate *nssCert = nullptr; - CERTCertificateCleaner nssCertCleaner(nssCert); + ScopedCERTCertificate nssCert; nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(ix509, &rv); if (cert2) nssCert = cert2->GetCert(); if (!nssCert) { // We are unable to extract the valid names, say "not valid for name". params[0] = host.get();
--- a/security/manager/ssl/src/nsCMS.cpp +++ b/security/manager/ssl/src/nsCMS.cpp @@ -9,32 +9,30 @@ #include "nsNSSCertificate.h" #include "smime.h" #include "cms.h" #include "nsICMSMessageErrors.h" #include "nsIArray.h" #include "nsArrayUtils.h" #include "nsCertVerificationThread.h" #include "nsCERTValInParamWrapper.h" +#include "ScopedNSSTypes.h" #include "prlog.h" -#include "nsNSSCleaner.h" #include "nsNSSComponent.h" #ifdef PR_LOGGING extern PRLogModuleInfo* gPIPNSSLog; #endif using namespace mozilla; static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); -NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate) - NS_IMPL_THREADSAFE_ISUPPORTS2(nsCMSMessage, nsICMSMessage, nsICMSMessage2) nsCMSMessage::nsCMSMessage() { m_cmsMsg = nullptr; } nsCMSMessage::nsCMSMessage(NSSCMSMessage *aCMSMsg) @@ -535,18 +533,17 @@ NS_IMETHODIMP nsCMSMessage::CreateEncryp for (i=0; i<recipientCertCount; i++) { nsCOMPtr<nsIX509Cert> x509cert = do_QueryElementAt(aRecipientCerts, i); nssRecipientCert = do_QueryInterface(x509cert); if (!nssRecipientCert) return NS_ERROR_FAILURE; - CERTCertificate *c = nssRecipientCert->GetCert(); - CERTCertificateCleaner rcCleaner(c); + ScopedCERTCertificate c(nssRecipientCert->GetCert()); recipientCerts.set(i, c); } // Find a bulk key algorithm // if (NSS_SMIMEUtil_FindBulkAlgForRecipients(recipientCerts.getRawArray(), &bulkAlgTag, &keySize) != SECSuccess) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't find bulk alg for recipients\n")); rv = NS_ERROR_CMS_ENCRYPT_NO_BULK_ALG; @@ -574,18 +571,17 @@ NS_IMETHODIMP nsCMSMessage::CreateEncryp cinfo = NSS_CMSEnvelopedData_GetContentInfo(envd); if (NSS_CMSContentInfo_SetContent_Data(m_cmsMsg, cinfo, nullptr, false) != SECSuccess) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't set content data\n")); goto loser; } // Create and attach recipient information // for (i=0; i < recipientCertCount; i++) { - CERTCertificate *rc = recipientCerts.get(i); - CERTCertificateCleaner rcCleaner(rc); + ScopedCERTCertificate rc(recipientCerts.get(i)); if ((recipientInfo = NSS_CMSRecipientInfo_Create(m_cmsMsg, rc)) == nullptr) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't create recipient info\n")); goto loser; } if (NSS_CMSEnvelopedData_AddRecipient(envd, recipientInfo) != SECSuccess) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't add recipient info\n")); goto loser; } @@ -606,17 +602,18 @@ NS_IMETHODIMP nsCMSMessage::CreateSigned nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateSigned\n")); NSSCMSContentInfo *cinfo; NSSCMSSignedData *sigd; NSSCMSSignerInfo *signerinfo; - CERTCertificate *scert = nullptr, *ecert = nullptr; + ScopedCERTCertificate scert; + ScopedCERTCertificate ecert; nsCOMPtr<nsIX509Cert2> aSigningCert2 = do_QueryInterface(aSigningCert); nsresult rv = NS_ERROR_FAILURE; /* Get the certs */ if (aSigningCert2) { scert = aSigningCert2->GetCert(); } if (!scert) { @@ -625,19 +622,16 @@ NS_IMETHODIMP nsCMSMessage::CreateSigned if (aEncryptCert) { nsCOMPtr<nsIX509Cert2> aEncryptCert2 = do_QueryInterface(aEncryptCert); if (aEncryptCert2) { ecert = aEncryptCert2->GetCert(); } } - CERTCertificateCleaner ecertCleaner(ecert); - CERTCertificateCleaner scertCleaner(scert); - /* * create the message object */ m_cmsMsg = NSS_CMSMessage_Create(nullptr); /* create a message on its own pool */ if (!m_cmsMsg) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateSigned - can't create new message\n")); rv = NS_ERROR_OUT_OF_MEMORY; goto loser;
--- a/security/manager/ssl/src/nsCertOverrideService.cpp +++ b/security/manager/ssl/src/nsCertOverrideService.cpp @@ -13,25 +13,24 @@ #include "nsNetUtil.h" #include "nsILineInputStream.h" #include "nsIObserver.h" #include "nsIObserverService.h" #include "nsISupportsPrimitives.h" #include "nsPromiseFlatString.h" #include "nsThreadUtils.h" #include "nsStringBuffer.h" +#include "ScopedNSSTypes.h" + #include "nspr.h" #include "pk11pub.h" #include "certdb.h" #include "sechash.h" #include "ssl.h" // For SSL_ClearSessionCache -#include "nsNSSCleaner.h" -NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate) - using namespace mozilla; static const char kCertOverrideFileName[] = "cert_override.txt"; void nsCertOverride::convertBitsToString(OverrideBits ob, nsACString &str) { str.Truncate(); @@ -409,21 +408,20 @@ static nsresult GetCertFingerprintByOidTag(nsIX509Cert *aCert, SECOidTag aOidTag, nsCString &fp) { nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert); if (!cert2) return NS_ERROR_FAILURE; - CERTCertificate* nsscert = cert2->GetCert(); + ScopedCERTCertificate nsscert(cert2->GetCert()); if (!nsscert) return NS_ERROR_FAILURE; - CERTCertificateCleaner nsscertCleaner(nsscert); return GetCertFingerprintByOidTag(nsscert, aOidTag, fp); } static nsresult GetCertFingerprintByDottedOidString(CERTCertificate* nsscert, const nsCString &dottedOid, nsCString &fp) { @@ -448,21 +446,20 @@ static nsresult GetCertFingerprintByDottedOidString(nsIX509Cert *aCert, const nsCString &dottedOid, nsCString &fp) { nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert); if (!cert2) return NS_ERROR_FAILURE; - CERTCertificate* nsscert = cert2->GetCert(); + ScopedCERTCertificate nsscert(cert2->GetCert()); if (!nsscert) return NS_ERROR_FAILURE; - CERTCertificateCleaner nsscertCleaner(nsscert); return GetCertFingerprintByDottedOidString(nsscert, dottedOid, fp); } NS_IMETHODIMP nsCertOverrideService::RememberValidityOverride(const nsACString & aHostName, int32_t aPort, nsIX509Cert *aCert, uint32_t aOverrideBits, bool aTemporary) @@ -472,35 +469,31 @@ nsCertOverrideService::RememberValidityO return NS_ERROR_INVALID_ARG; if (aPort < -1) return NS_ERROR_INVALID_ARG; nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert); if (!cert2) return NS_ERROR_FAILURE; - CERTCertificate* nsscert = cert2->GetCert(); + ScopedCERTCertificate nsscert(cert2->GetCert()); if (!nsscert) return NS_ERROR_FAILURE; - CERTCertificateCleaner nsscertCleaner(nsscert); - char* nickname = nsNSSCertificate::defaultServerNickname(nsscert); if (!aTemporary && nickname && *nickname) { - PK11SlotInfo *slot = PK11_GetInternalKeySlot(); + ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); if (!slot) { PR_Free(nickname); return NS_ERROR_FAILURE; } SECStatus srv = PK11_ImportCert(slot, nsscert, CK_INVALID_HANDLE, nickname, false); - PK11_FreeSlot(slot); - if (srv != SECSuccess) { PR_Free(nickname); return NS_ERROR_FAILURE; } } PR_FREEIF(nickname); nsAutoCString fpStr;
--- a/security/manager/ssl/src/nsCertPicker.cpp +++ b/security/manager/ssl/src/nsCertPicker.cpp @@ -6,26 +6,25 @@ #include "nsCertPicker.h" #include "nsMemory.h" #include "nsCOMPtr.h" #include "nsXPIDLString.h" #include "nsIServiceManager.h" #include "nsNSSComponent.h" #include "nsNSSCertificate.h" #include "nsReadableUtils.h" -#include "nsNSSCleaner.h" #include "nsICertPickDialogs.h" #include "nsNSSShutDown.h" #include "nsNSSCertHelper.h" - -NSSCleanupAutoPtrClass(CERTCertNicknames, CERT_FreeNicknames) -NSSCleanupAutoPtrClass(CERTCertList, CERT_DestroyCertList) +#include "ScopedNSSTypes.h" #include "cert.h" +using namespace mozilla; + NS_IMPL_ISUPPORTS1(nsCertPicker, nsIUserCertPicker) nsCertPicker::nsCertPicker() { } nsCertPicker::~nsCertPicker() { @@ -44,41 +43,34 @@ NS_IMETHODIMP nsCertPicker::PickByUsage( bool selectionFound = false; PRUnichar **certNicknameList = nullptr; PRUnichar **certDetailsList = nullptr; CERTCertListNode* node = nullptr; nsresult rv = NS_OK; { // Iterate over all certs. This assures that user is logged in to all hardware tokens. - CERTCertList *allcerts = nullptr; nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); - allcerts = PK11_ListCerts(PK11CertListUnique, ctx); - CERT_DestroyCertList(allcerts); + ScopedCERTCertList allcerts(PK11_ListCerts(PK11CertListUnique, ctx)); } /* find all user certs that are valid and for SSL */ /* note that we are allowing expired certs in this list */ - CERTCertList *certList = + ScopedCERTCertList certList( CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), (SECCertUsage)certUsage, !allowDuplicateNicknames, !allowInvalid, - ctx); - CERTCertListCleaner clc(certList); - + ctx)); if (!certList) { return NS_ERROR_NOT_AVAILABLE; } - CERTCertNicknames *nicknames = getNSSCertNicknamesFromCertList(certList); - - CERTCertNicknamesCleaner cnc(nicknames); - + ScopedCERTCertNicknames nicknames(getNSSCertNicknamesFromCertList(certList)); if (!nicknames) { return NS_ERROR_NOT_AVAILABLE; } certNicknameList = (PRUnichar **)nsMemory::Alloc(sizeof(PRUnichar *) * nicknames->numnicknames); certDetailsList = (PRUnichar **)nsMemory::Alloc(sizeof(PRUnichar *) * nicknames->numnicknames); if (!certNicknameList || !certDetailsList) {
--- a/security/manager/ssl/src/nsCertTree.cpp +++ b/security/manager/ssl/src/nsCertTree.cpp @@ -15,28 +15,26 @@ #include "nsNSSCertHelper.h" #include "nsINSSCertCache.h" #include "nsIMutableArray.h" #include "nsArrayUtils.h" #include "nsISupportsPrimitives.h" #include "nsXPCOMCID.h" #include "nsTHashtable.h" #include "nsHashKeys.h" - +#include "ScopedNSSTypes.h" + #include "prlog.h" -#include "nsNSSCleaner.h" using namespace mozilla; #ifdef PR_LOGGING extern PRLogModuleInfo* gPIPNSSLog; #endif -NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate) - static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); static NS_DEFINE_CID(kCertOverrideCID, NS_CERTOVERRIDE_CID); // treeArrayElStr // // structure used to hold map of tree. Each thread (an organization // field from a cert) has an element in the array. The numChildren field // stores the number of certs corresponding to that thread. @@ -636,22 +634,19 @@ nsCertTree::GetCertsByTypeFromCertList(C } nsresult nsCertTree::GetCertsByType(uint32_t aType, nsCertCompareFunc aCertCmpFn, void *aCertCmpFnArg) { nsNSSShutDownPreventionLock locker; - CERTCertList *certList = nullptr; nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext(); - certList = PK11_ListCerts(PK11CertListUnique, cxt); + ScopedCERTCertList certList(PK11_ListCerts(PK11CertListUnique, cxt)); nsresult rv = GetCertsByTypeFromCertList(certList, aType, aCertCmpFn, aCertCmpFnArg); - if (certList) - CERT_DestroyCertList(certList); return rv; } nsresult nsCertTree::GetCertsByTypeFromCache(nsINSSCertCache *aCache, uint32_t aType, nsCertCompareFunc aCertCmpFn, void *aCertCmpFnArg) @@ -810,18 +805,17 @@ nsCertTree::DeleteEntryObject(uint32_t i } } else { if (addonInfo && addonInfo->mUsageCount > 1) { // user is trying to delete a perm trusted cert, // although there are still overrides stored, // so, we keep the cert, but remove the trust - CERTCertificate *nsscert = nullptr; - CERTCertificateCleaner nsscertCleaner(nsscert); + ScopedCERTCertificate nsscert; nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(cert); if (cert2) { nsscert = cert2->GetCert(); } if (nsscert) { CERTCertTrust trust;
--- a/security/manager/ssl/src/nsClientAuthRemember.cpp +++ b/security/manager/ssl/src/nsClientAuthRemember.cpp @@ -17,22 +17,18 @@ #include "nsThreadUtils.h" #include "nsStringBuffer.h" #include "cert.h" #include "nspr.h" #include "pk11pub.h" #include "certdb.h" #include "sechash.h" -#include "nsNSSCleaner.h" - using namespace mozilla; -NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate) - NS_IMPL_THREADSAFE_ISUPPORTS2(nsClientAuthRememberService, nsIObserver, nsISupportsWeakReference) nsClientAuthRememberService::nsClientAuthRememberService() : monitor("nsClientAuthRememberService.monitor") { }
--- a/security/manager/ssl/src/nsCrypto.cpp +++ b/security/manager/ssl/src/nsCrypto.cpp @@ -54,32 +54,28 @@ #include "cmmf.h" #include "nssb64.h" #include "base64.h" #include "cert.h" #include "certdb.h" #include "secmod.h" #include "nsISaveAsCharset.h" #include "nsNativeCharsetUtils.h" +#include "ScopedNSSTypes.h" #include "ssl.h" // For SSL_ClearSessionCache #include "nsNSSCleaner.h" #include "nsNSSShutDown.h" #include "nsNSSCertHelper.h" using namespace mozilla; -NSSCleanupAutoPtrClass(SECKEYPrivateKey, SECKEY_DestroyPrivateKey) -NSSCleanupAutoPtrClass(PK11SlotInfo, PK11_FreeSlot) -NSSCleanupAutoPtrClass(CERTCertNicknames, CERT_FreeNicknames) -NSSCleanupAutoPtrClass(PK11SymKey, PK11_FreeSymKey) NSSCleanupAutoPtrClass_WithParam(PK11Context, PK11_DestroyContext, TrueParam, true) -NSSCleanupAutoPtrClass_WithParam(SECItem, SECITEM_FreeItem, TrueParam, true) /* * These are the most common error strings that are returned * by the JavaScript methods in case of error. */ #define JS_ERROR "error:" #define JS_ERROR_INTERNAL JS_ERROR"internalError" @@ -693,26 +689,24 @@ cryptojs_generateOneKeyPair(JSContext *c // the destination token, with the EXTRACTABLE flag set. // If it works, we'll extract, escrow, done. // If it failed, then we're unable to escrow and return failure. // NOTE: We call PK11_GetInternalSlot instead of PK11_GetInternalKeySlot // so that the key has zero chance of being store in the // user's key3.db file. Which the slot returned by // PK11_GetInternalKeySlot has access to and PK11_GetInternalSlot // does not. - PK11SlotInfo *intSlot = nullptr; - PK11SlotInfoCleaner siCleaner(intSlot); + ScopedPK11SlotInfo intSlot; if (willEscrow && !PK11_IsInternal(slot)) { intSlot = PK11_GetInternalSlot(); NS_ASSERTION(intSlot,"Couldn't get the internal slot"); if (!PK11_DoesMechanism(intSlot, mechanism)) { // Set to null, and the subsequent code will not attempt to use it. - PK11_FreeSlot(intSlot); intSlot = nullptr; } } rv = getNSSDialogs((void**)&dialogs, NS_GET_IID(nsIGeneratingKeypairInfoDialogs), NS_GENERATINGKEYPAIRINFODIALOGS_CONTRACTID); @@ -827,33 +821,27 @@ cryptojs_generateOneKeyPair(JSContext *c if (!keyPairInfo->privKey || !keyPairInfo->pubKey) { return NS_ERROR_FAILURE; } //If we generated the key pair on the internal slot because the // keys were going to be escrowed, move the keys over right now. if (mustMoveKey) { - SECKEYPrivateKey *newPrivKey = PK11_LoadPrivKey(slot, + ScopedSECKEYPrivateKey newPrivKey(PK11_LoadPrivKey(slot, keyPairInfo->privKey, keyPairInfo->pubKey, - true, true); - SECKEYPrivateKeyCleaner pkCleaner(newPrivKey); - + true, true)); if (!newPrivKey) return NS_ERROR_FAILURE; // The private key is stored on the selected slot now, and the copy we // ultimately use for escrowing when the time comes lives // in the internal slot. We will delete it from that slot - // after the requests are made. This call only gives up - // our reference to the key object and does not actually - // physically remove it from the card itself. - // The actual delete calls are being made in the destructors - // of the cleaner helper instances. + // after the requests are made. } return NS_OK; } /* * FUNCTION: cryptojs_ReadArgsAndGenerateKey * ------------------------------------- @@ -1008,23 +996,22 @@ nsFreeCertReqMessages(CRMFCertReqMsg **c static nsresult nsSetEscrowAuthority(CRMFCertRequest *certReq, nsKeyPairInfo *keyInfo, nsNSSCertificate *wrappingCert) { if (!wrappingCert || CRMF_CertRequestIsControlPresent(certReq, crmfPKIArchiveOptionsControl)){ return NS_ERROR_FAILURE; } - CERTCertificate *cert = wrappingCert->GetCert(); + ScopedCERTCertificate cert(wrappingCert->GetCert()); if (!cert) return NS_ERROR_FAILURE; CRMFEncryptedKey *encrKey = CRMF_CreateEncryptedKeyWithEncryptedValue(keyInfo->privKey, cert); - CERT_DestroyCertificate(cert); if (!encrKey) return NS_ERROR_FAILURE; CRMFPKIArchiveOptions *archOpt = CRMF_CreatePKIArchiveOptions(crmfEncryptedPrivateKey, encrKey); if (!archOpt) { CRMF_DestroyEncryptedKey(encrKey); return NS_ERROR_FAILURE; @@ -1041,24 +1028,23 @@ nsSetEscrowAuthority(CRMFCertRequest *ce //Set the Distinguished Name (Subject Name) for the cert //being requested. static nsresult nsSetDNForRequest(CRMFCertRequest *certReq, char *reqDN) { if (!reqDN || CRMF_CertRequestIsFieldPresent(certReq, crmfSubject)) { return NS_ERROR_FAILURE; } - CERTName *subjectName = CERT_AsciiToName(reqDN); + ScopedCERTName subjectName(CERT_AsciiToName(reqDN)); if (!subjectName) { return NS_ERROR_FAILURE; } SECStatus srv = CRMF_CertRequestSetTemplateField(certReq, crmfSubject, static_cast<void*> (subjectName)); - CERT_DestroyName(subjectName); return (srv == SECSuccess) ? NS_OK : NS_ERROR_FAILURE; } //Set Registration Token Control on the request. static nsresult nsSetRegToken(CRMFCertRequest *certReq, char *regToken) { // this should never happen, but might as well add this. @@ -1483,18 +1469,17 @@ nsSet_EC_DHMAC_ProofOfPossession(CRMFCer // the "text" input for HMAC shall be the DER encoded version of // of the single cert request. // We'll produce that encoding and destroy it afterwards, // because when sending the complete package to the CA, // we'll use a different encoding, one that includes POP and // allows multiple requests to be sent in one step. unsigned long der_request_len = 0; - SECItem *der_request = nullptr; - SECItemCleanerTrueParam der_request_cleaner(der_request); + ScopedSECItem der_request; if (SECSuccess != CRMF_EncodeCertRequest(certReq, nsCRMFEncoderItemCount, &der_request_len)) return NS_ERROR_FAILURE; der_request = SECITEM_AllocItem(nullptr, nullptr, der_request_len); if (!der_request) @@ -1511,27 +1496,20 @@ nsSet_EC_DHMAC_ProofOfPossession(CRMFCer der_request)) return NS_ERROR_FAILURE; // RFC 2511 Appendix A section 2 c): // "A key K is derived from the shared secret Kec and the subject and // issuer names in the CA's certificate as follows: // K = SHA1(DER-encoded-subjectName | Kec | DER-encoded-issuerName)" - PK11SymKey *shared_secret = nullptr; - PK11SymKeyCleaner shared_secret_cleaner(shared_secret); - - PK11SymKey *subject_and_secret = nullptr; - PK11SymKeyCleaner subject_and_secret_cleaner(subject_and_secret); - - PK11SymKey *subject_and_secret_and_issuer = nullptr; - PK11SymKeyCleaner subject_and_secret_and_issuer_cleaner(subject_and_secret_and_issuer); - - PK11SymKey *sha1_of_subject_and_secret_and_issuer = nullptr; - PK11SymKeyCleaner sha1_of_subject_and_secret_and_issuer_cleaner(sha1_of_subject_and_secret_and_issuer); + ScopedPK11SymKey shared_secret; + ScopedPK11SymKey subject_and_secret; + ScopedPK11SymKey subject_and_secret_and_issuer; + ScopedPK11SymKey sha1_of_subject_and_secret_and_issuer; shared_secret = PK11_PubDeriveWithKDF(keyInfo->privKey, // SECKEYPrivateKey *privKey keyInfo->ecPopPubKey, // SECKEYPublicKey *pubKey false, // bool isSender nullptr, // SECItem *randomA nullptr, // SECItem *randomB CKM_ECDH1_DERIVE, // CK_MECHANISM_TYPE derive @@ -1610,33 +1588,28 @@ nsSet_EC_DHMAC_ProofOfPossession(CRMFCer if (SECSuccess != PK11_DigestBegin(context)) return NS_ERROR_FAILURE; if (SECSuccess != PK11_DigestOp(context, der_request->data, der_request->len)) return NS_ERROR_FAILURE; - SECItem *result_hmac_sha1_item = nullptr; - SECItemCleanerTrueParam result_hmac_sha1_item_cleaner(result_hmac_sha1_item); - - result_hmac_sha1_item = SECITEM_AllocItem(nullptr, nullptr, SHA1_LENGTH); - if (!result_hmac_sha1_item) - return NS_ERROR_FAILURE; + ScopedAutoSECItem result_hmac_sha1_item(SHA1_LENGTH); if (SECSuccess != PK11_DigestFinal(context, - result_hmac_sha1_item->data, - &result_hmac_sha1_item->len, + result_hmac_sha1_item.data, + &result_hmac_sha1_item.len, SHA1_LENGTH)) return NS_ERROR_FAILURE; if (SECSuccess != CRMF_CertReqMsgSetKeyAgreementPOP(certReqMsg, crmfDHMAC, - crmfNoSubseqMess, result_hmac_sha1_item)) + crmfNoSubseqMess, &result_hmac_sha1_item)) return NS_ERROR_FAILURE; return NS_OK; } static nsresult nsSetProofOfPossession(CRMFCertReqMsg *certReqMsg, nsKeyPairInfo *keyInfo, @@ -1945,24 +1918,23 @@ nsCrypto::GenerateCRMFRequest(nsIDOMCRMF nsCOMPtr<nsIX509Cert> nssCert; bool willEscrow = false; if (!!eaCert) { SECItem certDer = {siBuffer, nullptr, 0}; SECStatus srv = ATOB_ConvertAsciiToItem(&certDer, eaCert.ptr()); if (srv != SECSuccess) { return NS_ERROR_FAILURE; } - CERTCertificate *cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), - &certDer, nullptr, false, - true); + ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), + &certDer, nullptr, + false, true)); if (!cert) return NS_ERROR_FAILURE; escrowCert = nsNSSCertificate::Create(cert); - CERT_DestroyCertificate(cert); nssCert = escrowCert; if (!nssCert) return NS_ERROR_OUT_OF_MEMORY; nsCOMPtr<nsIDOMCryptoDialogs> dialogs; nsresult rv = getNSSDialogs(getter_AddRefs(dialogs), NS_GET_IID(nsIDOMCryptoDialogs), NS_DOMCRYPTODIALOGS_CONTRACTID); @@ -2212,29 +2184,27 @@ nsCryptoRunnable::Run() } //Quick helper function to check if a newly issued cert //already exists in the user's database. static bool nsCertAlreadyExists(SECItem *derCert) { CERTCertDBHandle *handle = CERT_GetDefaultCertDB(); - CERTCertificate *cert; bool retVal = false; - cert = CERT_FindCertByDERCert(handle, derCert); + ScopedCERTCertificate cert(CERT_FindCertByDERCert(handle, derCert)); if (cert) { if (cert->isperm && !cert->nickname && !cert->emailAddr) { //If the cert doesn't have a nickname or email addr, it is //bogus cruft, so delete it. SEC_DeletePermCertificate(cert); } else if (cert->isperm) { retVal = true; } - CERT_DestroyCertificate(cert); } return retVal; } static int32_t nsCertListCount(CERTCertList *certList) { int32_t numCerts = 0; @@ -2265,17 +2235,16 @@ nsCrypto::ImportUserCertificates(const n int i; CMMFCertResponse *currResponse; CMMFPKIStatus reqStatus; CERTCertificate *currCert; PK11SlotInfo *slot; nsAutoCString localNick; nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); nsresult rv = NS_OK; - CERTCertList *caPubs = nullptr; nsCOMPtr<nsIPK11Token> token; nickname = ToNewCString(aNickname); cmmfResponse = ToNewCString(aCmmfResponse); if (nsCRT::strcmp("null", nickname) == 0) { nsMemory::Free(nickname); nickname = nullptr; } @@ -2377,17 +2346,18 @@ nsCrypto::ImportUserCertificates(const n PK11_FreeSlot(slot); CMMF_DestroyCertResponse(currResponse); } //Let the loser: label take care of freeing up our reference to //nickname (This way we don't free it twice and avoid crashing. //That would be a good thing. //Import the root chain into the cert db. - caPubs = CMMF_CertRepContentGetCAPubs(certRepContent); + { + ScopedCERTCertList caPubs(CMMF_CertRepContentGetCAPubs(certRepContent)); if (caPubs) { int32_t numCAs = nsCertListCount(caPubs); NS_ASSERTION(numCAs > 0, "Invalid number of CA's"); if (numCAs > 0) { CERTCertListNode *node; SECItem *derCerts; @@ -2400,19 +2370,18 @@ nsCrypto::ImportUserCertificates(const n for (node = CERT_LIST_HEAD(caPubs), i=0; !CERT_LIST_END(node, caPubs); node = CERT_LIST_NEXT(node), i++) { derCerts[i] = node->cert->derCert; } nsNSSCertificateDB::ImportValidCACerts(numCAs, derCerts, ctx); nsMemory::Free(derCerts); } - - CERT_DestroyCertList(caPubs); } + } if (aDoForcedBackup) { // I can't pop up a file picker from the depths of JavaScript, // so I'll just post an event on the UI queue to do the backups // later. nsCOMPtr<nsIRunnable> p12Runnable = new nsP12Runnable(certArr, numResponses, token); if (!p12Runnable) { @@ -2634,26 +2603,24 @@ nsCrypto::SignText(const nsAString& aStr int32_t numberOfCerts = 0; CERTCertListNode* node; for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList); node = CERT_LIST_NEXT(node)) { ++numberOfCerts; } - CERTCertNicknames* nicknames = getNSSCertNicknamesFromCertList(certList); + ScopedCERTCertNicknames nicknames(getNSSCertNicknamesFromCertList(certList)); if (!nicknames) { aResult.Append(internalError); return NS_OK; } - CERTCertNicknamesCleaner cnc(nicknames); - NS_ASSERTION(nicknames->numnicknames == numberOfCerts, "nicknames->numnicknames != numberOfCerts"); nsAutoArrayPtr<PRUnichar*> certNicknameList(new PRUnichar*[nicknames->numnicknames * 2]); if (!certNicknameList) { aResult.Append(internalError); return NS_OK;
--- a/security/manager/ssl/src/nsIdentityChecking.cpp +++ b/security/manager/ssl/src/nsIdentityChecking.cpp @@ -11,32 +11,30 @@ #include "nsPromiseFlatString.h" #include "nsTArray.h" #include "cert.h" #include "base64.h" #include "nsNSSComponent.h" #include "nsSSLStatus.h" #include "nsNSSCertificate.h" -#include "nsNSSCleaner.h" +#include "ScopedNSSTypes.h" + +using namespace mozilla; #ifdef DEBUG #ifndef PSM_ENABLE_TEST_EV_ROOTS #define PSM_ENABLE_TEST_EV_ROOTS #endif #endif #ifdef PR_LOGGING extern PRLogModuleInfo* gPIPNSSLog; #endif -NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate) -NSSCleanupAutoPtrClass(CERTCertList, CERT_DestroyCertList) -NSSCleanupAutoPtrClass_WithParam(SECItem, SECITEM_FreeItem, TrueParam, true) - #define CONST_OID static const unsigned char #define OI(x) { siDEROID, (unsigned char *)x, sizeof x } struct nsMyTrustedEVInfo { const char *dotted_oid; const char *oid_name; // Set this to null to signal an invalid structure, // (We can't have an empty list, so we'll use a dummy entry) @@ -1212,18 +1210,17 @@ nsNSSCertificate::hasValidEVOidTag(SECOi SECOidTag oid_tag; SECStatus rv = getFirstEVPolicy(mCert, oid_tag); if (rv != SECSuccess) return NS_OK; if (oid_tag == SEC_OID_UNKNOWN) // not in our list of OIDs accepted for EV return NS_OK; - CERTCertList *rootList = getRootsForOid(oid_tag); - CERTCertListCleaner rootListCleaner(rootList); + ScopedCERTCertList rootList(getRootsForOid(oid_tag)); CERTRevocationMethodIndex preferedRevMethods[1] = { cert_revocation_method_ocsp }; uint64_t revMethodFlags = CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_ALLOW_NETWORK_FETCHING @@ -1272,24 +1269,23 @@ nsNSSCertificate::hasValidEVOidTag(SECOi cvin[3].type = cert_pi_end; CERTValOutParam cvout[2]; cvout[0].type = cert_po_trustAnchor; cvout[0].value.pointer.cert = nullptr; cvout[1].type = cert_po_end; - PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("calling CERT_PKIXVerifyCert nss cert %p\n", mCert)); + PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("calling CERT_PKIXVerifyCert nss cert %p\n", mCert.get())); rv = CERT_PKIXVerifyCert(mCert, certificateUsageSSLServer, cvin, cvout, nullptr); if (rv != SECSuccess) return NS_OK; - CERTCertificate *issuerCert = cvout[0].value.pointer.cert; - CERTCertificateCleaner issuerCleaner(issuerCert); + ScopedCERTCertificate issuerCert(cvout[0].value.pointer.cert); #ifdef PR_LOGGING if (PR_LOG_TEST(gPIPNSSLog, PR_LOG_DEBUG)) { nsNSSCertificate ic(issuerCert); nsAutoString fingerprint; ic.GetSha1Fingerprint(fingerprint); NS_LossyConvertUTF16toASCII fpa(fingerprint); PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("CERT_PKIXVerifyCert returned success, issuer: %s, SHA1: %s\n",
--- a/security/manager/ssl/src/nsKeyModule.cpp +++ b/security/manager/ssl/src/nsKeyModule.cpp @@ -1,16 +1,20 @@ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "nsComponentManagerUtils.h" #include "nsCOMPtr.h" #include "nsKeyModule.h" #include "nsString.h" +#include "ScopedNSSTypes.h" + +using namespace mozilla; +using namespace mozilla::psm; NS_IMPL_ISUPPORTS1(nsKeyObject, nsIKeyObject) nsKeyObject::nsKeyObject() : mKeyType(0), mSymKey(nullptr), mPrivateKey(nullptr), mPublicKey(nullptr) { } @@ -169,29 +173,24 @@ nsKeyObjectFactory::KeyFromString(int16_ NS_ENSURE_SUCCESS(rv, rv); // Convert the raw string into a SECItem const nsCString& flatKey = PromiseFlatCString(aKey); SECItem keyItem; keyItem.data = (unsigned char*)flatKey.get(); keyItem.len = flatKey.Length(); - PK11SlotInfo *slot = nullptr; - slot = PK11_GetBestSlot(cipherMech, nullptr); + ScopedPK11SlotInfo slot(PK11_GetBestSlot(cipherMech, nullptr)); if (!slot) { NS_ERROR("no slot"); return NS_ERROR_FAILURE; } PK11SymKey* symKey = PK11_ImportSymKey(slot, cipherMech, PK11_OriginUnwrap, cipherOperation, &keyItem, nullptr); - // cleanup code - if (slot) - PK11_FreeSlot(slot); - if (!symKey) { return NS_ERROR_FAILURE; } rv = key->InitKey(aAlgorithm, (void*)symKey); NS_ENSURE_SUCCESS(rv, rv); key.swap(*_retval);
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp +++ b/security/manager/ssl/src/nsNSSCallbacks.cpp @@ -1,29 +1,30 @@ /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -#include "nsNSSComponent.h" + #include "nsNSSCallbacks.h" #include "mozilla/Telemetry.h" #include "mozilla/TimeStamp.h" - +#include "nsNSSComponent.h" #include "nsNSSIOLayer.h" #include "nsIWebProgressListener.h" #include "nsProtectedAuthThread.h" #include "nsITokenDialogs.h" #include "nsNSSShutDown.h" #include "nsIUploadChannel.h" #include "nsThreadUtils.h" #include "nsIPrompt.h" #include "nsProxyRelease.h" #include "PSMRunnable.h" +#include "ScopedNSSTypes.h" #include "nsIConsoleService.h" #include "nsIHttpChannelInternal.h" #include "nsCRT.h" #include "ssl.h" #include "sslproto.h" #include "ocsp.h" #include "nssb64.h" @@ -875,20 +876,19 @@ void HandshakeCallback(PRFileDesc* fd, v } } if (nsSSLIOLayerHelpers::treatUnsafeNegotiationAsBroken()) { secStatus = nsIWebProgressListener::STATE_IS_BROKEN; } } - CERTCertificate *peerCert = SSL_PeerCertificate(fd); + ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd)); const char* caName = nullptr; // caName is a pointer only, no ownership - char* certOrgName = CERT_GetOrgName(&peerCert->issuer); - CERT_DestroyCertificate(peerCert); + char* certOrgName = CERT_GetOrgName(&serverCert->issuer); caName = certOrgName ? certOrgName : signer; const char* verisignName = "Verisign, Inc."; // If the CA name is RSA Data Security, then change the name to the real // name of the company i.e. VeriSign, Inc. if (nsCRT::strcmp((const char*)caName, "RSA Data Security, Inc.") == 0) { caName = verisignName; } @@ -912,22 +912,18 @@ void HandshakeCallback(PRFileDesc* fd, v if (!status) { status = new nsSSLStatus(); infoObject->SetSSLStatus(status); } RememberCertErrorsTable::GetInstance().LookupCertErrorBits(infoObject, status); - CERTCertificate *serverCert = SSL_PeerCertificate(fd); if (serverCert) { RefPtr<nsNSSCertificate> nssc(nsNSSCertificate::Create(serverCert)); - CERT_DestroyCertificate(serverCert); - serverCert = nullptr; - nsCOMPtr<nsIX509Cert> prevcert; infoObject->GetPreviousCert(getter_AddRefs(prevcert)); bool equals_previous = false; if (prevcert && nssc) { nsresult rv = nssc->Equals(prevcert, &equals_previous); if (NS_FAILED(rv)) { equals_previous = false;
--- a/security/manager/ssl/src/nsNSSCallbacks.h +++ b/security/manager/ssl/src/nsNSSCallbacks.h @@ -2,23 +2,27 @@ * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #ifndef _NSNSSCALLBACKS_H_ #define _NSNSSCALLBACKS_H_ +#include "nsCOMPtr.h" #include "pk11func.h" #include "nspr.h" #include "ocspt.h" #include "nsIStreamLoader.h" #include "mozilla/CondVar.h" #include "mozilla/Mutex.h" #include "mozilla/Attributes.h" +#include "nsString.h" + +class nsILoadGroup; char* PK11PasswordPrompt(PK11SlotInfo *slot, PRBool retry, void* arg); void HandshakeCallback(PRFileDesc *fd, void *client_data); SECStatus RegisterMyOCSPAIAInfoCallback(); SECStatus UnregisterMyOCSPAIAInfoCallback();
--- a/security/manager/ssl/src/nsNSSCertificate.cpp +++ b/security/manager/ssl/src/nsNSSCertificate.cpp @@ -29,47 +29,38 @@ #include "nsNSSCertHelper.h" #include "nsISupportsPrimitives.h" #include "nsUnicharUtils.h" #include "nsThreadUtils.h" #include "nsCertVerificationThread.h" #include "nsIObjectOutputStream.h" #include "nsIObjectInputStream.h" #include "nsIProgrammingLanguage.h" - #include "nsXULAppAPI.h" +#include "ScopedNSSTypes.h" #include "nspr.h" -#include "pk11func.h" #include "certdb.h" -#include "cert.h" #include "secerr.h" #include "nssb64.h" #include "secasn1.h" #include "secder.h" #include "ssl.h" #include "ocsp.h" #include "plbase64.h" -#include "cms.h" -#include "cert.h" using namespace mozilla; #ifdef PR_LOGGING extern PRLogModuleInfo* gPIPNSSLog; #endif static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); -NSSCleanupAutoPtrClass(CERTCertificateList, CERT_DestroyCertificateList) -NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate) -NSSCleanupAutoPtrClass(NSSCMSMessage, NSS_CMSMessage_Destroy) NSSCleanupAutoPtrClass_WithParam(PLArenaPool, PORT_FreeArena, FalseParam, false) -NSSCleanupAutoPtrClass(NSSCMSSignedData, NSS_CMSSignedData_Destroy) -NSSCleanupAutoPtrClass(PK11SlotList, PK11_FreeSlotList) // This is being stored in an uint32_t that can otherwise // only take values from nsIX509Cert's list of cert types. // As nsIX509Cert is frozen, we choose a value not contained // in the list to mean not yet initialized. #define CERT_TYPE_NOT_YET_INITIALIZED (1 << 30) /* nsNSSCertificate */ @@ -193,17 +184,16 @@ void nsNSSCertificate::destructorSafeDes // If the list of built-ins does contain a non-removable // copy of this certificate, our call will not remove // the certificate permanently, but rather remove all trust. SEC_DeletePermCertificate(mCert); } } if (mCert) { - CERT_DestroyCertificate(mCert); mCert = nullptr; } } nsresult nsNSSCertificate::GetCertType(uint32_t *aCertType) { if (mCertType == CERT_TYPE_NOT_YET_INITIALIZED) { @@ -771,25 +761,24 @@ NS_IMETHODIMP nsNSSCertificate::GetIssuer(nsIX509Cert * *aIssuer) { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; NS_ENSURE_ARG(aIssuer); *aIssuer = nullptr; - CERTCertificate *issuer; + ScopedCERTCertificate issuer; issuer = CERT_FindCertIssuer(mCert, PR_Now(), certUsageSSLClient); if (issuer) { nsCOMPtr<nsIX509Cert> cert = nsNSSCertificate::Create(issuer); if (cert) { *aIssuer = cert; NS_ADDREF(*aIssuer); } - CERT_DestroyCertificate(issuer); } return NS_OK; } NS_IMETHODIMP nsNSSCertificate::GetOrganizationalUnit(nsAString &aOrganizationalUnit) { nsNSSShutDownPreventionLock locker; @@ -817,18 +806,18 @@ nsNSSCertificate::GetChain(nsIArray **_r { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; NS_ENSURE_ARG(_rvChain); nsresult rv; /* Get the cert chain from NSS */ - CERTCertList *nssChain = nullptr; PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting chain for \"%s\"\n", mCert->nickname)); + ScopedCERTCertList nssChain; nssChain = CERT_GetCertChainFromCert(mCert, PR_Now(), certUsageSSLClient); if (!nssChain) return NS_ERROR_FAILURE; /* enumerate the chain for scripting purposes */ nsCOMPtr<nsIMutableArray> array = do_CreateInstance(NS_ARRAY_CONTRACTID, &rv); if (NS_FAILED(rv)) { goto done; @@ -840,36 +829,33 @@ nsNSSCertificate::GetChain(nsIArray **_r PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("adding %s to chain\n", node->cert->nickname)); nsCOMPtr<nsIX509Cert> cert = nsNSSCertificate::Create(node->cert); array->AppendElement(cert, false); } *_rvChain = array; NS_IF_ADDREF(*_rvChain); rv = NS_OK; done: - if (nssChain) - CERT_DestroyCertList(nssChain); return rv; } NS_IMETHODIMP nsNSSCertificate::GetAllTokenNames(uint32_t *aLength, PRUnichar*** aTokenNames) { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; NS_ENSURE_ARG(aLength); NS_ENSURE_ARG(aTokenNames); *aLength = 0; *aTokenNames = nullptr; /* Get the slots from NSS */ - PK11SlotList *slots = nullptr; - PK11SlotListCleaner slotCleaner(slots); + ScopedPK11SlotList slots; PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting slots for \"%s\"\n", mCert->nickname)); slots = PK11_GetAllSlotsForCert(mCert, nullptr); if (!slots) { if (PORT_GetError() == SEC_ERROR_NO_TOKEN) return NS_OK; // List of slots is empty, return empty array else return NS_ERROR_FAILURE; } @@ -1077,84 +1063,83 @@ nsNSSCertificate::ExportAsCMS(uint32_t c PLArenaPool *arena = PORT_NewArena(1024); PLArenaPoolCleanerFalseParam arenaCleaner(arena); if (!arena) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSCertificate::ExportAsCMS - out of memory\n")); return NS_ERROR_OUT_OF_MEMORY; } - NSSCMSMessage *cmsg = NSS_CMSMessage_Create(nullptr); - NSSCMSMessageCleaner cmsgCleaner(cmsg); + ScopedNSSCMSMessage cmsg(NSS_CMSMessage_Create(nullptr)); if (!cmsg) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSCertificate::ExportAsCMS - can't create CMS message\n")); return NS_ERROR_OUT_OF_MEMORY; } /* * first, create SignedData with the certificate only (no chain) */ - NSSCMSSignedData *sigd = NSS_CMSSignedData_CreateCertsOnly(cmsg, mCert, false); - NSSCMSSignedDataCleaner sigdCleaner(sigd); + ScopedNSSCMSSignedData sigd(NSS_CMSSignedData_CreateCertsOnly(cmsg, mCert, + false)); if (!sigd) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSCertificate::ExportAsCMS - can't create SignedData\n")); return NS_ERROR_FAILURE; } /* * Calling NSS_CMSSignedData_CreateCertsOnly() will not allow us * to specify the inclusion of the root, but CERT_CertChainFromCert() does. * Since CERT_CertChainFromCert() also includes the certificate itself, * we have to start at the issuing cert (to avoid duplicate certs * in the SignedData). */ if (chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChain || chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChainWithRoot) { - CERTCertificate *issuerCert = CERT_FindCertIssuer(mCert, PR_Now(), certUsageAnyCA); - CERTCertificateCleaner issuerCertCleaner(issuerCert); + ScopedCERTCertificate issuerCert( + CERT_FindCertIssuer(mCert, PR_Now(), certUsageAnyCA)); /* * the issuerCert of a self signed root is the cert itself, * so make sure we're not adding duplicates, again */ if (issuerCert && issuerCert != mCert) { bool includeRoot = (chainMode == nsIX509Cert3::CMS_CHAIN_MODE_CertChainWithRoot); - CERTCertificateList *certChain = CERT_CertChainFromCert(issuerCert, certUsageAnyCA, includeRoot); - CERTCertificateListCleaner certChainCleaner(certChain); + ScopedCERTCertificateList certChain( + CERT_CertChainFromCert(issuerCert, certUsageAnyCA, includeRoot)); if (certChain) { if (NSS_CMSSignedData_AddCertList(sigd, certChain) == SECSuccess) { - certChainCleaner.detach(); + certChain.forget(); } else { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSCertificate::ExportAsCMS - can't add chain\n")); return NS_ERROR_FAILURE; } } else { /* try to add the issuerCert, at least */ if (NSS_CMSSignedData_AddCertificate(sigd, issuerCert) == SECSuccess) { - issuerCertCleaner.detach(); + issuerCert.forget(); } else { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSCertificate::ExportAsCMS - can't add issuer cert\n")); return NS_ERROR_FAILURE; } } } } NSSCMSContentInfo *cinfo = NSS_CMSMessage_GetContentInfo(cmsg); if (NSS_CMSContentInfo_SetContent_SignedData(cmsg, cinfo, sigd) == SECSuccess) { - sigdCleaner.detach(); + sigd.forget(); } else { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSCertificate::ExportAsCMS - can't attach SignedData\n")); return NS_ERROR_FAILURE; } SECItem certP7 = { siBuffer, nullptr, 0 }; @@ -1502,21 +1487,18 @@ nsNSSCertificate::Equals(nsIX509Cert *ot NS_ENSURE_ARG(other); NS_ENSURE_ARG(result); nsCOMPtr<nsIX509Cert2> other2 = do_QueryInterface(other); if (!other2) return NS_ERROR_FAILURE; - CERTCertificate *cert = other2->GetCert(); + ScopedCERTCertificate cert(other2->GetCert()); *result = (mCert == cert); - if (cert) { - CERT_DestroyCertificate(cert); - } return NS_OK; } NS_IMETHODIMP nsNSSCertificate::SaveSMimeProfile() { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) @@ -1595,23 +1577,16 @@ nsNSSCertList::nsNSSCertList(CERTCertLis } else { mCertList = DupCertList(certList); } } else { mCertList = CERT_NewCertList(); } } -nsNSSCertList::~nsNSSCertList() -{ - if (mCertList) { - CERT_DestroyCertList(mCertList); - } -} - /* void addCert (in nsIX509Cert cert); */ NS_IMETHODIMP nsNSSCertList::AddCert(nsIX509Cert *aCert) { /* This should be a query interface, but currently this his how the * rest of PSM is working */ nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert); CERTCertificate *cert; @@ -1701,23 +1676,16 @@ nsNSSCertList::GetEnumerator(nsISimpleEn NS_IMPL_THREADSAFE_ISUPPORTS1(nsNSSCertListEnumerator, nsISimpleEnumerator) nsNSSCertListEnumerator::nsNSSCertListEnumerator(CERTCertList *certList) { mCertList = nsNSSCertList::DupCertList(certList); } -nsNSSCertListEnumerator::~nsNSSCertListEnumerator() -{ - if (mCertList) { - CERT_DestroyCertList(mCertList); - } -} - /* boolean hasMoreElements (); */ NS_IMETHODIMP nsNSSCertListEnumerator::HasMoreElements(bool *_retval) { NS_ENSURE_TRUE(mCertList, NS_ERROR_FAILURE); *_retval = !CERT_LIST_EMPTY(mCertList); return NS_OK;
--- a/security/manager/ssl/src/nsNSSCertificate.h +++ b/security/manager/ssl/src/nsNSSCertificate.h @@ -14,16 +14,17 @@ #include "nsIASN1Object.h" #include "nsISMimeCert.h" #include "nsIIdentityInfo.h" #include "nsCOMPtr.h" #include "nsNSSShutDown.h" #include "nsISimpleEnumerator.h" #include "nsISerializable.h" #include "nsIClassInfo.h" +#include "ScopedNSSTypes.h" #include "certt.h" class nsAutoString; class nsINSSComponent; class nsIASN1Sequence; /* Certificate */ class nsNSSCertificate : public nsIX509Cert3, @@ -51,17 +52,17 @@ public: static nsNSSCertificate* Create(CERTCertificate *cert = nullptr); static nsNSSCertificate* ConstructFromDER(char *certDER, int derLen); // It is the responsibility of the caller of this method to free the returned // string using PR_Free. static char* defaultServerNickname(CERTCertificate* cert); private: - CERTCertificate *mCert; + mozilla::ScopedCERTCertificate mCert; bool mPermDelete; uint32_t mCertType; nsCOMPtr<nsIASN1Object> mASN1Structure; nsresult CreateASN1Struct(); nsresult CreateTBSCertificateASN1Struct(nsIASN1Sequence **retSequence, nsINSSComponent *nssComponent); nsresult GetSortableDate(PRTime aTime, nsAString &_aSortableDate); virtual void virtualDestroyNSSReference(); @@ -78,33 +79,41 @@ private: class nsNSSCertList: public nsIX509CertList { public: NS_DECL_ISUPPORTS NS_DECL_NSIX509CERTLIST nsNSSCertList(CERTCertList *certList = nullptr, bool adopt = false); - virtual ~nsNSSCertList(); static CERTCertList *DupCertList(CERTCertList *aCertList); private: - CERTCertList *mCertList; + virtual ~nsNSSCertList() { } + + mozilla::ScopedCERTCertList mCertList; + + nsNSSCertList(const nsNSSCertList &) MOZ_DELETE; + void operator=(const nsNSSCertList &) MOZ_DELETE; }; class nsNSSCertListEnumerator: public nsISimpleEnumerator { public: NS_DECL_ISUPPORTS NS_DECL_NSISIMPLEENUMERATOR nsNSSCertListEnumerator(CERTCertList *certList); - virtual ~nsNSSCertListEnumerator(); private: - CERTCertList *mCertList; + virtual ~nsNSSCertListEnumerator() { } + + mozilla::ScopedCERTCertList mCertList; + + nsNSSCertListEnumerator(const nsNSSCertListEnumerator &) MOZ_DELETE; + void operator=(const nsNSSCertListEnumerator &) MOZ_DELETE; }; #define NS_NSS_LONG 4 #define NS_NSS_GET_LONG(x) ((((unsigned long)((x)[0])) << 24) | \ (((unsigned long)((x)[1])) << 16) | \ (((unsigned long)((x)[2])) << 8) | \ ((unsigned long)((x)[3])) )
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp +++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp @@ -24,42 +24,34 @@ #include "nsIMutableArray.h" #include "nsArrayUtils.h" #include "nsNSSShutDown.h" #include "nsIPrefService.h" #include "nsIPrefBranch.h" #include "nsComponentManagerUtils.h" #include "nsIPrompt.h" #include "nsThreadUtils.h" +#include "ScopedNSSTypes.h" #include "nspr.h" -#include "pk11func.h" #include "certdb.h" -#include "cert.h" #include "secerr.h" #include "nssb64.h" #include "secasn1.h" #include "secder.h" #include "ssl.h" #include "ocsp.h" #include "plbase64.h" -#include "nsNSSCleaner.h" - using namespace mozilla; #ifdef PR_LOGGING extern PRLogModuleInfo* gPIPNSSLog; #endif -NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate) -NSSCleanupAutoPtrClass(CERTCertList, CERT_DestroyCertList) -NSSCleanupAutoPtrClass(CERTCertificateList, CERT_DestroyCertificateList) -NSSCleanupAutoPtrClass(PK11SlotInfo, PK11_FreeSlot) - static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); NS_IMPL_THREADSAFE_ISUPPORTS2(nsNSSCertificateDB, nsIX509CertDB, nsIX509CertDB2) nsNSSCertificateDB::nsNSSCertificateDB() { } @@ -68,18 +60,21 @@ nsNSSCertificateDB::~nsNSSCertificateDB( { } NS_IMETHODIMP nsNSSCertificateDB::FindCertByNickname(nsISupports *aToken, const nsAString &nickname, nsIX509Cert **_rvCert) { + NS_ENSURE_ARG_POINTER(_rvCert); + *_rvCert = nullptr; + nsNSSShutDownPreventionLock locker; - CERTCertificate *cert = nullptr; + ScopedCERTCertificate cert; char *asciiname = nullptr; NS_ConvertUTF16toUTF8 aUtf8Nickname(nickname); asciiname = const_cast<char*>(aUtf8Nickname.get()); PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting \"%s\"\n", asciiname)); #if 0 // what it should be, but for now... if (aToken) { cert = PK11_FindCertFromNickname(asciiname, nullptr); @@ -89,48 +84,48 @@ nsNSSCertificateDB::FindCertByNickname(n #endif cert = PK11_FindCertFromNickname(asciiname, nullptr); if (!cert) { cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), asciiname); } if (cert) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("got it\n")); nsCOMPtr<nsIX509Cert> pCert = nsNSSCertificate::Create(cert); - CERT_DestroyCertificate(cert); if (pCert) { - *_rvCert = pCert; - NS_ADDREF(*_rvCert); + pCert.forget(_rvCert); return NS_OK; } } - *_rvCert = nullptr; return NS_ERROR_FAILURE; } NS_IMETHODIMP nsNSSCertificateDB::FindCertByDBKey(const char *aDBkey, nsISupports *aToken, nsIX509Cert **_cert) { + NS_ENSURE_ARG_POINTER(aDBkey); + NS_ENSURE_ARG(aDBkey[0]); + NS_ENSURE_ARG_POINTER(aToken); + NS_ENSURE_ARG_POINTER(_cert); + *_cert = nullptr; + nsNSSShutDownPreventionLock locker; SECItem keyItem = {siBuffer, nullptr, 0}; SECItem *dummy; CERTIssuerAndSN issuerSN; //unsigned long moduleID,slotID; - *_cert = nullptr; - if (!aDBkey || !*aDBkey) - return NS_ERROR_INVALID_ARG; dummy = NSSBase64_DecodeBuffer(nullptr, &keyItem, aDBkey, (uint32_t)PL_strlen(aDBkey)); if (!dummy || keyItem.len < NS_NSS_LONG*4) { PR_FREEIF(keyItem.data); return NS_ERROR_INVALID_ARG; } - CERTCertificate *cert; + ScopedCERTCertificate cert; // someday maybe we can speed up the search using the moduleID and slotID // moduleID = NS_NSS_GET_LONG(keyItem.data); // slotID = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG]); // build the issuer/SN structure issuerSN.serialNumber.len = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG*2]); issuerSN.derIssuer.len = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG*3]); if (issuerSN.serialNumber.len == 0 || issuerSN.derIssuer.len == 0 @@ -141,38 +136,36 @@ nsNSSCertificateDB::FindCertByDBKey(cons } issuerSN.serialNumber.data= &keyItem.data[NS_NSS_LONG*4]; issuerSN.derIssuer.data= &keyItem.data[NS_NSS_LONG*4+ issuerSN.serialNumber.len]; cert = CERT_FindCertByIssuerAndSN(CERT_GetDefaultCertDB(), &issuerSN); PR_FREEIF(keyItem.data); if (cert) { - nsNSSCertificate *nssCert = nsNSSCertificate::Create(cert); - CERT_DestroyCertificate(cert); + nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert); if (!nssCert) return NS_ERROR_OUT_OF_MEMORY; - NS_ADDREF(nssCert); - *_cert = static_cast<nsIX509Cert*>(nssCert); + nssCert.forget(_cert); } return NS_OK; } NS_IMETHODIMP nsNSSCertificateDB::FindCertNicknames(nsISupports *aToken, uint32_t aType, uint32_t *_count, PRUnichar ***_certNames) { nsNSSShutDownPreventionLock locker; nsresult rv = NS_ERROR_FAILURE; /* * obtain the cert list from NSS */ - CERTCertList *certList = nullptr; + ScopedCERTCertList certList; PK11CertListType pk11type; #if 0 // this would seem right, but it didn't work... // oh, I know why - bonks out on internal slot certs if (aType == nsIX509Cert::USER_CERT) pk11type = PK11CertListUser; else #endif @@ -185,18 +178,16 @@ nsNSSCertificateDB::FindCertNicknames(ns * XXX also cull the list (NSS only distinguishes based on user/non-user */ getCertNames(certList, aType, _count, _certNames); rv = NS_OK; /* * finish up */ cleanup: - if (certList) - CERT_DestroyCertList(certList); return rv; } SECStatus collect_certs(void *arg, SECItem **certs, int numcerts) { CERTDERCerts *collectArgs; SECItem *cert; @@ -329,34 +320,32 @@ nsNSSCertificateDB::handleCACertDownload SECItem der; rv=certToShow->GetRawDER(&der.len, (uint8_t **)&der.data); if (NS_FAILED(rv)) return rv; PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n")); - CERTCertificate *tmpCert; + ScopedCERTCertificate tmpCert; CERTCertDBHandle *certdb = CERT_GetDefaultCertDB(); tmpCert = CERT_FindCertByDERCert(certdb, &der); if (!tmpCert) { tmpCert = CERT_NewTempCertificate(certdb, &der, nullptr, false, true); } nsMemory::Free(der.data); der.data = nullptr; der.len = 0; if (!tmpCert) { NS_ERROR("Couldn't create cert from DER blob"); return NS_ERROR_FAILURE; } - CERTCertificateCleaner tmpCertCleaner(tmpCert); - if (!CERT_IsCACert(tmpCert, nullptr)) { DisplayCertificateAlert(ctx, "NotACACert", certToShow); return NS_ERROR_FAILURE; } if (tmpCert->isperm) { DisplayCertificateAlert(ctx, "CaCertExists", certToShow); return NS_ERROR_FAILURE; @@ -388,23 +377,21 @@ nsNSSCertificateDB::handleCACertDownload trust.GetTrust()); if (srv != SECSuccess) return NS_ERROR_FAILURE; // Import additional delivered certificates that can be verified. // build a CertList for filtering - CERTCertList *certList = CERT_NewCertList(); + ScopedCERTCertList certList(CERT_NewCertList()); if (!certList) { return NS_ERROR_FAILURE; } - CERTCertListCleaner listCleaner(certList); - // get all remaining certs into temp store for (uint32_t i=0; i<numCerts; i++) { if (i == selCertIndex) { // we already processed that one continue; } @@ -494,17 +481,17 @@ nsNSSCertificateDB::ImportEmailCertifica nsIInterfaceRequestor *ctx) { nsNSSShutDownPreventionLock locker; SECStatus srv = SECFailure; nsresult nsrv = NS_OK; CERTCertDBHandle *certdb; CERTCertificate **certArray = nullptr; - CERTCertList *certList = nullptr; + ScopedCERTCertList certList; CERTCertListNode *node; PRTime now; SECCertUsage certusage; SECCertificateUsage certificateusage; SECItem **rawArray; int numcerts; int i; CERTValOutParam cvout[1]; @@ -594,18 +581,17 @@ nsNSSCertificateDB::ImportEmailCertifica if (CERT_PKIXVerifyCert(node->cert, certificateusage, survivingParams->GetRawPointerForNSS(), cvout, ctx) != SECSuccess) { alert_and_skip = true; } } - CERTCertificateList *certChain = nullptr; - CERTCertificateListCleaner chainCleaner(certChain); + ScopedCERTCertificateList certChain; if (!alert_and_skip) { certChain = CERT_CertChainFromCert(node->cert, certusage, false); if (!certChain) { alert_and_skip = true; } } @@ -634,33 +620,30 @@ nsNSSCertificateDB::ImportEmailCertifica PORT_Free(rawArray); } loser: if (certArray) { CERT_DestroyCertArray(certArray, numcerts); } - if (certList) { - CERT_DestroyCertList(certList); - } if (arena) PORT_FreeArena(arena, true); return nsrv; } NS_IMETHODIMP nsNSSCertificateDB::ImportServerCertificate(uint8_t * data, uint32_t length, nsIInterfaceRequestor *ctx) { nsNSSShutDownPreventionLock locker; SECStatus srv = SECFailure; nsresult nsrv = NS_OK; - CERTCertificate * cert; + ScopedCERTCertificate cert; SECItem **rawCerts = nullptr; int numcerts; int i; nsNSSCertTrust trust; char *serverNickname = nullptr; PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!arena) @@ -701,37 +684,33 @@ nsNSSCertificateDB::ImportServerCertific trust.SetValidServerPeer(); srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), cert, trust.GetTrust()); if ( srv != SECSuccess ) { nsrv = NS_ERROR_FAILURE; goto loser; } loser: PORT_Free(rawCerts); - if (cert) - CERT_DestroyCertificate(cert); if (arena) PORT_FreeArena(arena, true); return nsrv; } nsresult nsNSSCertificateDB::ImportValidCACerts(int numCACerts, SECItem *CACerts, nsIInterfaceRequestor *ctx) { - CERTCertList *certList = nullptr; + ScopedCERTCertList certList; SECItem **rawArray; // build a CertList for filtering certList = CERT_NewCertList(); if (!certList) { return NS_ERROR_FAILURE; } - CERTCertListCleaner listCleaner(certList); - // get all certs into temp store SECStatus srv = SECFailure; CERTCertificate **certArray = nullptr; rawArray = (SECItem **) PORT_Alloc(sizeof(SECItem *) * numCACerts); if ( !rawArray ) { return NS_ERROR_FAILURE; } @@ -805,18 +784,17 @@ nsNSSCertificateDB::ImportValidCACertsIn if (CERT_PKIXVerifyCert(node->cert, certificateUsageVerifyCA, survivingParams->GetRawPointerForNSS(), cvout, ctx) != SECSuccess) { alert_and_skip = true; } } - CERTCertificateList *certChain = nullptr; - CERTCertificateListCleaner chainCleaner(certChain); + ScopedCERTCertificateList certChain; if (!alert_and_skip) { certChain = CERT_CertChainFromCert(node->cert, certUsageAnyCA, false); if (!certChain) { alert_and_skip = true; } } @@ -886,24 +864,24 @@ NS_IMETHODIMP nsNSSCertificateDB::ImportUserCertificate(uint8_t *data, uint32_t length, nsIInterfaceRequestor *ctx) { if (!NS_IsMainThread()) { NS_ERROR("nsNSSCertificateDB::ImportUserCertificate called off the main thread"); return NS_ERROR_NOT_SAME_THREAD; } nsNSSShutDownPreventionLock locker; - PK11SlotInfo *slot; + ScopedPK11SlotInfo slot; nsAutoCString nickname; nsresult rv = NS_ERROR_FAILURE; int numCACerts; SECItem *CACerts; CERTDERCerts * collectArgs; PLArenaPool *arena; - CERTCertificate * cert = nullptr; + ScopedCERTCertificate cert; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!arena) { goto loser; } collectArgs = getCertsFromPackage(arena, data, length); if (!collectArgs) { @@ -917,17 +895,17 @@ nsNSSCertificateDB::ImportUserCertificat } slot = PK11_KeyForCertExists(cert, nullptr, ctx); if (!slot) { nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(cert); DisplayCertificateAlert(ctx, "UserCertIgnoredNoPrivateKey", certToShow); goto loser; } - PK11_FreeSlot(slot); + slot = nullptr; /* pick a nickname for the cert */ if (cert->nickname) { /* sigh, we need a call to look up other certs with this subject and * identify nicknames from them. We can no longer walk down internal * database structures rjr */ nickname = cert->nickname; } @@ -938,17 +916,17 @@ nsNSSCertificateDB::ImportUserCertificat /* user wants to import the cert */ { char *cast_const_away = const_cast<char*>(nickname.get()); slot = PK11_ImportCertForKey(cert, cast_const_away, ctx); } if (!slot) { goto loser; } - PK11_FreeSlot(slot); + slot = nullptr; { nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(cert); DisplayCertificateAlert(ctx, "UserCertImported", certToShow); } rv = NS_OK; numCACerts = collectArgs->numcerts - 1; @@ -956,33 +934,29 @@ nsNSSCertificateDB::ImportUserCertificat CACerts = collectArgs->rawCerts+1; rv = ImportValidCACerts(numCACerts, CACerts, ctx); } loser: if (arena) { PORT_FreeArena(arena, false); } - if ( cert ) { - CERT_DestroyCertificate(cert); - } return rv; } /* * void deleteCertificate(in nsIX509Cert aCert); */ NS_IMETHODIMP nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert) { nsNSSShutDownPreventionLock locker; nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert); - CERTCertificate *cert = nssCert->GetCert(); + ScopedCERTCertificate cert(nssCert->GetCert()); if (!cert) return NS_ERROR_FAILURE; - CERTCertificateCleaner certCleaner(cert); SECStatus srv = SECSuccess; uint32_t certType; nssCert->GetCertType(&certType); if (NS_FAILED(nssCert->MarkForPermDeletion())) { return NS_ERROR_FAILURE; } @@ -1014,18 +988,18 @@ nsNSSCertificateDB::SetCertTrust(nsIX509 uint32_t trusted) { nsNSSShutDownPreventionLock locker; SECStatus srv; nsNSSCertTrust trust; nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert); if (!pipCert) return NS_ERROR_FAILURE; - CERTCertificate *nsscert = pipCert->GetCert(); - CERTCertificateCleaner certCleaner(nsscert); + ScopedCERTCertificate nsscert(pipCert->GetCert()); + if (type == nsIX509Cert::CA_CERT) { // always start with untrusted and move up trust.SetValidCA(); trust.AddCATrust(!!(trusted & nsIX509CertDB::TRUSTED_SSL), !!(trusted & nsIX509CertDB::TRUSTED_EMAIL), !!(trusted & nsIX509CertDB::TRUSTED_OBJSIGN)); srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nsscert, @@ -1058,24 +1032,23 @@ nsNSSCertificateDB::IsCertTrusted(nsIX50 bool *_isTrusted) { NS_ENSURE_ARG_POINTER(_isTrusted); *_isTrusted = false; nsNSSShutDownPreventionLock locker; SECStatus srv; nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert); - CERTCertificate *nsscert = pipCert->GetCert(); + ScopedCERTCertificate nsscert(pipCert->GetCert()); CERTCertTrust nsstrust; srv = CERT_GetCertTrust(nsscert, &nsstrust); if (srv != SECSuccess) return NS_ERROR_FAILURE; nsNSSCertTrust trust(&nsstrust); - CERT_DestroyCertificate(nsscert); if (certType == nsIX509Cert::CA_CERT) { if (trustType & nsIX509CertDB::TRUSTED_SSL) { *_isTrusted = trust.HasTrustedCA(true, false, false); } else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) { *_isTrusted = trust.HasTrustedCA(false, true, false); } else if (trustType & nsIX509CertDB::TRUSTED_OBJSIGN) { *_isTrusted = trust.HasTrustedCA(false, false, true); } else { @@ -1192,20 +1165,19 @@ nsNSSCertificateDB::ExportPKCS12File(nsI //const PRUnichar **aCertNames) { nsNSSShutDownPreventionLock locker; NS_ENSURE_ARG(aFile); nsPKCS12Blob blob; if (count == 0) return NS_OK; nsCOMPtr<nsIPK11Token> localRef; if (!aToken) { - PK11SlotInfo *keySlot = PK11_GetInternalKeySlot(); + ScopedPK11SlotInfo keySlot(PK11_GetInternalKeySlot()); NS_ASSERTION(keySlot,"Failed to get the internal key slot"); localRef = new nsPK11Token(keySlot); - PK11_FreeSlot(keySlot); } else { localRef = do_QueryInterface(aToken); } blob.SetToken(localRef); //blob.LoadCerts(aCertNames, count); //return blob.ExportToFile(aFile); return blob.ExportToFile(aFile, certs, count); @@ -1290,90 +1262,74 @@ nsNSSCertificateDB::GetIsOcspOn(bool *aO *aOcspOn = ( ocspEnabled == 0 ) ? false : true; return NS_OK; } /* nsIX509Cert getDefaultEmailEncryptionCert (); */ NS_IMETHODIMP nsNSSCertificateDB::FindEmailEncryptionCert(const nsAString &aNickname, nsIX509Cert **_retval) { - if (!_retval) - return NS_ERROR_FAILURE; - - *_retval = 0; + NS_ENSURE_ARG_POINTER(_retval); + *_retval = nullptr; if (aNickname.IsEmpty()) return NS_OK; nsNSSShutDownPreventionLock locker; - nsresult rv = NS_OK; - CERTCertificate *cert = 0; nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); - nsNSSCertificate *nssCert = nullptr; char *asciiname = nullptr; NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname); asciiname = const_cast<char*>(aUtf8Nickname.get()); /* Find a good cert in the user's database */ + ScopedCERTCertificate cert; cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname, certUsageEmailRecipient, true, ctx); - - if (!cert) { goto loser; } - - nssCert = nsNSSCertificate::Create(cert); - if (!nssCert) { - rv = NS_ERROR_OUT_OF_MEMORY; + if (!cert) { + return NS_OK; } - NS_ADDREF(nssCert); - *_retval = static_cast<nsIX509Cert*>(nssCert); - -loser: - if (cert) CERT_DestroyCertificate(cert); - return rv; + nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert); + if (!nssCert) { + return NS_ERROR_OUT_OF_MEMORY; + } + nssCert.forget(_retval); + return NS_OK; } /* nsIX509Cert getDefaultEmailSigningCert (); */ NS_IMETHODIMP nsNSSCertificateDB::FindEmailSigningCert(const nsAString &aNickname, nsIX509Cert **_retval) { - if (!_retval) - return NS_ERROR_FAILURE; - - *_retval = 0; + NS_ENSURE_ARG_POINTER(_retval); + *_retval = nullptr; if (aNickname.IsEmpty()) return NS_OK; nsNSSShutDownPreventionLock locker; - nsresult rv = NS_OK; - CERTCertificate *cert = 0; + ScopedCERTCertificate cert; nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); - nsNSSCertificate *nssCert = nullptr; char *asciiname = nullptr; NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname); asciiname = const_cast<char*>(aUtf8Nickname.get()); /* Find a good cert in the user's database */ cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname, certUsageEmailSigner, true, ctx); - - if (!cert) { goto loser; } - - nssCert = nsNSSCertificate::Create(cert); - if (!nssCert) { - rv = NS_ERROR_OUT_OF_MEMORY; + if (!cert) { + return NS_OK; } - NS_ADDREF(nssCert); - *_retval = static_cast<nsIX509Cert*>(nssCert); - -loser: - if (cert) CERT_DestroyCertificate(cert); - return rv; + nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert); + if (!nssCert) { + return NS_ERROR_OUT_OF_MEMORY; + } + nssCert.forget(_retval); + return NS_OK; } NS_IMETHODIMP nsNSSCertificateDB::FindCertByEmailAddress(nsISupports *aToken, const char *aEmailAddress, nsIX509Cert **_retval) { nsNSSShutDownPreventionLock locker; nsCOMPtr<nsINSSComponent> inss; @@ -1384,25 +1340,24 @@ nsNSSCertificateDB::FindCertByEmailAddre inss = do_GetService(kNSSComponentCID, &nsrv); if (!inss) return nsrv; nsrv = inss->GetDefaultCERTValInParam(survivingParams); if (NS_FAILED(nsrv)) return nsrv; } - CERTCertList *certlist = PK11_FindCertsFromEmailAddress(aEmailAddress, nullptr); + ScopedCERTCertList certlist( + PK11_FindCertsFromEmailAddress(aEmailAddress, nullptr)); if (!certlist) return NS_ERROR_FAILURE; // certlist now contains certificates with the right email address, // but they might not have the correct usage or might even be invalid - CERTCertListCleaner listCleaner(certlist); - if (CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist)) return NS_ERROR_FAILURE; // no certs found CERTCertListNode *node; // search for a valid certificate for (node = CERT_LIST_HEAD(certlist); !CERT_LIST_END(node, certlist); node = CERT_LIST_NEXT(node)) { @@ -1471,32 +1426,32 @@ nsNSSCertificateDB::ConstructX509FromBas } nsNSSShutDownPreventionLock locker; SECItem secitem_cert; secitem_cert.type = siDERCertBuffer; secitem_cert.data = (unsigned char*)certDER; secitem_cert.len = lengthDER; - CERTCertificate *cert = + ScopedCERTCertificate cert; + cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &secitem_cert, nullptr, false, true); PL_strfree(certDER); if (!cert) return (PORT_GetError() == SEC_ERROR_NO_MEMORY) ? NS_ERROR_OUT_OF_MEMORY : NS_ERROR_FAILURE; - nsNSSCertificate *nsNSS = nsNSSCertificate::Create(cert); - CERT_DestroyCertificate(cert); - - if (!nsNSS) + nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert); + if (!nssCert) { return NS_ERROR_OUT_OF_MEMORY; - - return CallQueryInterface(nsNSS, _retval); + } + nssCert.forget(_retval); + return NS_OK; } void nsNSSCertificateDB::get_default_nickname(CERTCertificate *cert, nsIInterfaceRequestor* ctx, nsCString &nickname) { nickname.Truncate(); @@ -1542,18 +1497,17 @@ nsNSSCertificateDB::get_default_nickname nickname = baseName; /* * We need to see if the private key exists on a token, if it does * then we need to check for nicknames that already exist on the smart * card. */ - PK11SlotInfo *slot = PK11_KeyForCertExists(cert, &keyHandle, ctx); - PK11SlotInfoCleaner slotCleaner(slot); + ScopedPK11SlotInfo slot(PK11_KeyForCertExists(cert, &keyHandle, ctx)); if (!slot) return; if (!PK11_IsInternal(slot)) { char *tmp = PR_smprintf("%s:%s", PK11_GetTokenName(slot), baseName.get()); if (!tmp) { nickname.Truncate(); return; @@ -1571,18 +1525,17 @@ nsNSSCertificateDB::get_default_nickname if (!tmp) { nickname.Truncate(); return; } nickname = tmp; PR_smprintf_free(tmp); } - CERTCertificate *dummycert = nullptr; - CERTCertificateCleaner dummycertCleaner(dummycert); + ScopedCERTCertificate dummycert; if (PK11_IsInternal(slot)) { /* look up the nickname to make sure it isn't in use already */ dummycert = CERT_FindCertByNickname(defaultcertdb, nickname.get()); } else { /* * Check the cert against others that already live on the smart @@ -1595,17 +1548,16 @@ nsNSSCertificateDB::get_default_nickname */ if (CERT_CompareName(&cert->subject, &dummycert->subject) == SECEqual) { /* * There is another certificate with the same nickname and * the same subject name on the smart card, so let's use this * nickname. */ - CERT_DestroyCertificate(dummycert); dummycert = nullptr; } } } if (!dummycert) break; count++; @@ -1628,38 +1580,34 @@ NS_IMETHODIMP nsNSSCertificateDB::AddCer nsresult rv = ConstructX509FromBase64(aBase64, getter_AddRefs(newCert)); NS_ENSURE_SUCCESS(rv, rv); SECItem der; rv = newCert->GetRawDER(&der.len, (uint8_t **)&der.data); NS_ENSURE_SUCCESS(rv, rv); PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n")); - CERTCertificate *tmpCert; CERTCertDBHandle *certdb = CERT_GetDefaultCertDB(); - tmpCert = CERT_FindCertByDERCert(certdb, &der); + ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der)); if (!tmpCert) tmpCert = CERT_NewTempCertificate(certdb, &der, nullptr, false, true); nsMemory::Free(der.data); der.data = nullptr; der.len = 0; if (!tmpCert) { NS_ERROR("Couldn't create cert from DER blob"); return NS_ERROR_FAILURE; } if (tmpCert->isperm) { - CERT_DestroyCertificate(tmpCert); return NS_OK; } - CERTCertificateCleaner tmpCertCleaner(tmpCert); - nsXPIDLCString nickname; nickname.Adopt(CERT_MakeCANickname(tmpCert)); PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Created nick \"%s\"\n", nickname.get())); SECStatus srv = __CERT_AddTempCertToPerm(tmpCert, const_cast<char*>(nickname.get()), trust.GetTrust());
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp +++ b/security/manager/ssl/src/nsNSSIOLayer.cpp @@ -22,16 +22,17 @@ #include "nsNSSCleaner.h" #include "nsIDocShell.h" #include "nsIDocShellTreeItem.h" #include "nsISecureBrowserUI.h" #include "nsIInterfaceRequestorUtils.h" #include "nsCharSeparatedTokenizer.h" #include "nsIConsoleService.h" #include "PSMRunnable.h" +#include "ScopedNSSTypes.h" #include "ssl.h" #include "secerr.h" #include "sslerr.h" #include "secder.h" #include "keyhi.h" using namespace mozilla; @@ -44,17 +45,16 @@ using namespace mozilla::psm; //DEBUG_SSL_VERBOSE to dump SSL //read/write buffer to a log. //Uses PR_LOG except on Mac where //we always write out to our own //file. namespace { -NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate) NSSCleanupAutoPtrClass(void, PR_FREEIF) static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); /* SSM_UserCertChoice: enum for cert choice info */ typedef enum {ASK, AUTO} SSM_UserCertChoice; } // unnamed namespace @@ -254,18 +254,17 @@ nsNSSSocketInfo::JoinConnection(const ns // because the user decides on whether to send client certs to hosts on a // per-domain basis. if (mSentClientCert) return NS_OK; // Ensure that the server certificate covers the hostname that would // like to join this connection - CERTCertificate *nssCert = nullptr; - CERTCertificateCleaner nsscertCleaner(nssCert); + ScopedCERTCertificate nssCert; nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(SSLStatus()->mServerCert); if (cert2) nssCert = cert2->GetCert(); if (!nssCert) return NS_OK; @@ -1909,21 +1908,21 @@ SECStatus nsNSS_SSLGetClientAuthData(voi return runnable->mRV; } void ClientAuthDataRunnable::RunOnTargetThread() { PLArenaPool* arena = nullptr; char** caNameStrings; - CERTCertificate* cert = nullptr; - SECKEYPrivateKey* privKey = nullptr; - CERTCertList* certList = nullptr; + ScopedCERTCertificate cert; + ScopedSECKEYPrivateKey privKey; + ScopedCERTCertList certList; CERTCertListNode* node; - CERTCertNicknames* nicknames = nullptr; + ScopedCERTCertNicknames nicknames; char* extracted = nullptr; int keyError = 0; /* used for private key retrieval error */ SSM_UserCertChoice certChoice; int32_t NumberOfCerts = 0; void * wincx = mSocketInfo; /* create caNameStrings */ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); @@ -1967,18 +1966,17 @@ void ClientAuthDataRunnable::RunOnTarget } /* make sure the list is not empty */ node = CERT_LIST_HEAD(certList); if (CERT_LIST_END(node, certList)) { goto noCert; } - CERTCertificate* low_prio_nonrep_cert = nullptr; - CERTCertificateCleaner low_prio_cleaner(low_prio_nonrep_cert); + ScopedCERTCertificate low_prio_nonrep_cert; /* loop through the list until we find a cert with a key */ while (!CERT_LIST_END(node, certList)) { /* if the certificate has restriction and we do not satisfy it * we do not use it */ #if 0 /* XXX This must be re-enabled */ if (!CERT_MatchesScopeOfUse(node->cert, mSocketInfo->GetHostName, @@ -1986,17 +1984,16 @@ void ClientAuthDataRunnable::RunOnTarget node = CERT_LIST_NEXT(node); continue; } #endif privKey = PK11_FindKeyByAnyCert(node->cert, wincx); if (privKey) { if (hasExplicitKeyUsageNonRepudiation(node->cert)) { - SECKEY_DestroyPrivateKey(privKey); privKey = nullptr; // Not a prefered cert if (!low_prio_nonrep_cert) // did not yet find a low prio cert low_prio_nonrep_cert = CERT_DupCertificate(node->cert); } else { // this is a good cert to present cert = CERT_DupCertificate(node->cert); @@ -2008,18 +2005,17 @@ void ClientAuthDataRunnable::RunOnTarget /* problem with password: bail */ goto loser; } node = CERT_LIST_NEXT(node); } if (!cert && low_prio_nonrep_cert) { - cert = low_prio_nonrep_cert; - low_prio_nonrep_cert = nullptr; // take it away from the cleaner + cert = low_prio_nonrep_cert.forget(); privKey = PK11_FindKeyByAnyCert(cert, wincx); } if (!cert) { goto noCert; } } else { // Not Auto => ask @@ -2265,17 +2261,18 @@ if (!hasRemembered) if (i == selectedIndex) { cert = CERT_DupCertificate(node->cert); break; } } if (cars && wantRemember) { - cars->RememberDecision(hostname, mServerCert, canceled ? 0 : cert); + cars->RememberDecision(hostname, mServerCert, + canceled ? nullptr : cert.get()); } } if (canceled) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; } if (!cert) { goto loser; } @@ -2295,38 +2292,28 @@ if (!hasRemembered) } goto done; noCert: loser: if (mRV == SECSuccess) { mRV = SECFailure; } - if (cert) { - CERT_DestroyCertificate(cert); - cert = nullptr; - } done: int error = PR_GetError(); if (extracted) { PR_Free(extracted); } - if (nicknames) { - CERT_FreeNicknames(nicknames); - } - if (certList) { - CERT_DestroyCertList(certList); - } if (arena) { PORT_FreeArena(arena, false); } - *mPRetCert = cert; - *mPRetKey = privKey; + *mPRetCert = cert.forget(); + *mPRetKey = privKey.forget(); if (mRV == SECFailure) { mErrorCodeToReport = error; } } static PRFileDesc* nsSSLIOLayerImportFD(PRFileDesc *fd,
--- a/security/manager/ssl/src/nsPKCS12Blob.cpp +++ b/security/manager/ssl/src/nsPKCS12Blob.cpp @@ -21,25 +21,25 @@ #include "nsDirectoryServiceDefs.h" #include "nsNSSHelper.h" #include "nsNSSCertificate.h" #include "nsKeygenHandler.h" //For GetSlotWithMechanism #include "nsPK11TokenDB.h" #include "nsICertificateDialogs.h" #include "nsNSSShutDown.h" #include "nsCRT.h" -#include "pk11func.h" +#include "ScopedNSSTypes.h" + #include "secerr.h" #ifdef PR_LOGGING extern PRLogModuleInfo* gPIPNSSLog; #endif -#include "nsNSSCleaner.h" -NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate) +using namespace mozilla; static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID); #define PIP_PKCS12_TMPFILENAME NS_LITERAL_CSTRING(".pip_p12tmp") #define PIP_PKCS12_BUFFER_SIZE 2048 #define PIP_PKCS12_RESTORE_OK 1 #define PIP_PKCS12_BACKUP_OK 2 #define PIP_PKCS12_USER_CANCELED 3 @@ -355,19 +355,17 @@ nsPKCS12Blob::ExportToFile(nsIFile *file nsCOMPtr<nsIX509Cert> cert; nrv = mCertArray->GetElementAt(i, getter_AddRefs(cert)); if (NS_FAILED(nrv)) goto finish; #endif for (i=0; i<numCerts; i++) { // nsNSSCertificate *cert = reinterpret_cast<nsNSSCertificate *>(certs[i]); nsNSSCertificate *cert = (nsNSSCertificate *)certs[i]; // get it as a CERTCertificate XXX - CERTCertificate *nssCert = NULL; - CERTCertificateCleaner nssCertCleaner(nssCert); - nssCert = cert->GetCert(); + ScopedCERTCertificate nssCert(cert->GetCert()); if (!nssCert) { rv = NS_ERROR_FAILURE; goto finish; } // We can only successfully export certs that are on // internal token. Most, if not all, smart card vendors // won't let you extract the private key (in any way // shape or form) from the card. So let's punt if
--- a/security/manager/ssl/src/nsRecentBadCerts.cpp +++ b/security/manager/ssl/src/nsRecentBadCerts.cpp @@ -13,22 +13,18 @@ #include "nsCRT.h" #include "nsPromiseFlatString.h" #include "nsStringBuffer.h" #include "nspr.h" #include "pk11pub.h" #include "certdb.h" #include "sechash.h" -#include "nsNSSCleaner.h" - using namespace mozilla; -NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate) - NS_IMPL_THREADSAFE_ISUPPORTS1(nsRecentBadCertsService, nsIRecentBadCertsService) nsRecentBadCertsService::nsRecentBadCertsService() :monitor("nsRecentBadCertsService.monitor") ,mNextStorePosition(0) { } @@ -73,33 +69,30 @@ nsRecentBadCertsService::GetRecentBadCer isDomainMismatch = mCerts[i].isDomainMismatch; isNotValidAtThisTime = mCerts[i].isNotValidAtThisTime; isUntrusted = mCerts[i].isUntrusted; } } } if (foundDER.len) { - CERTCertificate *nssCert; CERTCertDBHandle *certdb = CERT_GetDefaultCertDB(); - nssCert = CERT_FindCertByDERCert(certdb, &foundDER); + ScopedCERTCertificate nssCert(CERT_FindCertByDERCert(certdb, &foundDER)); if (!nssCert) nssCert = CERT_NewTempCertificate(certdb, &foundDER, nullptr, // no nickname false, // not perm true); // copy der SECITEM_FreeItem(&foundDER, false); if (!nssCert) return NS_ERROR_FAILURE; status->mServerCert = nsNSSCertificate::Create(nssCert); - CERT_DestroyCertificate(nssCert); - status->mHaveCertErrorBits = true; status->mIsDomainMismatch = isDomainMismatch; status->mIsNotValidAtThisTime = isNotValidAtThisTime; status->mIsUntrusted = isUntrusted; *aStatus = status; NS_IF_ADDREF(*aStatus); }
--- a/security/manager/ssl/src/nsSDR.cpp +++ b/security/manager/ssl/src/nsSDR.cpp @@ -16,24 +16,24 @@ #include "nsIInterfaceRequestorUtils.h" #include "nsIServiceManager.h" #include "nsITokenPasswordDialogs.h" #include "nsISecretDecoderRing.h" #include "nsSDR.h" #include "nsNSSComponent.h" #include "nsNSSShutDown.h" +#include "ScopedNSSTypes.h" #include "pk11func.h" #include "pk11sdr.h" // For PK11SDR_Encrypt, PK11SDR_Decrypt #include "ssl.h" // For SSL_ClearSessionCache -#include "nsNSSCleaner.h" -NSSCleanupAutoPtrClass(PK11SlotInfo, PK11_FreeSlot) +using namespace mozilla; // Standard ISupports implementation // NOTE: Should these be the thread-safe versions? NS_IMPL_ISUPPORTS2(nsSecretDecoderRing, nsISecretDecoderRing, nsISecretDecoderRingConfig) // nsSecretDecoderRing constructor nsSecretDecoderRing::nsSecretDecoderRing() { @@ -46,18 +46,17 @@ nsSecretDecoderRing::~nsSecretDecoderRin } /* [noscript] long encrypt (in buffer data, in long dataLen, out buffer result); */ NS_IMETHODIMP nsSecretDecoderRing:: Encrypt(unsigned char * data, int32_t dataLen, unsigned char * *result, int32_t *_retval) { nsNSSShutDownPreventionLock locker; nsresult rv = NS_OK; - PK11SlotInfo *slot = 0; - PK11SlotInfoCleaner tmpSlotCleaner(slot); + ScopedPK11SlotInfo slot; SECItem keyid; SECItem request; SECItem reply; SECStatus s; nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); slot = PK11_GetInternalKeySlot(); if (!slot) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; } @@ -89,18 +88,17 @@ loser: } /* [noscript] long decrypt (in buffer data, in long dataLen, out buffer result); */ NS_IMETHODIMP nsSecretDecoderRing:: Decrypt(unsigned char * data, int32_t dataLen, unsigned char * *result, int32_t *_retval) { nsNSSShutDownPreventionLock locker; nsresult rv = NS_OK; - PK11SlotInfo *slot = 0; - PK11SlotInfoCleaner tmpSlotCleaner(slot); + ScopedPK11SlotInfo slot; SECStatus s; SECItem request; SECItem reply; nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); *result = 0; *_retval = 0; @@ -195,26 +193,22 @@ loser: } /* void changePassword(); */ NS_IMETHODIMP nsSecretDecoderRing:: ChangePassword() { nsNSSShutDownPreventionLock locker; nsresult rv; - PK11SlotInfo *slot; - - slot = PK11_GetInternalKeySlot(); + ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); if (!slot) return NS_ERROR_NOT_AVAILABLE; /* Convert UTF8 token name to UCS2 */ NS_ConvertUTF8toUTF16 tokenName(PK11_GetTokenName(slot)); - PK11_FreeSlot(slot); - /* Get the set password dialog handler imlementation */ nsCOMPtr<nsITokenPasswordDialogs> dialogs; rv = getNSSDialogs(getter_AddRefs(dialogs), NS_GET_IID(nsITokenPasswordDialogs), NS_TOKENPASSWORDSDIALOG_CONTRACTID); if (NS_FAILED(rv)) return rv;