Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-11-26 22:32:46 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1311383 - Use unique pointers for DTLS transport and related, r=Cykesiopka

Browse Source 
MozReview-Commit-ID: 79wKQtJjBNP

--HG--
extra : rebase_source : 1f5c7f2417c25d17fb99bc55eff8a6b2e5a333ba
This commit is contained in:
Martin Thomson 2016-10-20 11:29:58 +11:00
parent 21ca7c1c21
commit c09374be30
8 changed files with 71 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
dom/media/webrtc/RTCCertificate.cpp
View File

@ -82,7 +82,7 @@ public:
private:
PRTime mExpires;
SSLKEAType mAuthType;
ScopedCERTCertificate mCertificate;
UniqueCERTCertificate mCertificate;
SECOidTag mSignatureAlg;
static CERTName* GenerateRandomName(PK11SlotInfo* aSlot)
@ -172,7 +172,7 @@ private:
mCertificate->version.len = 1;
SECItem innerDER = { siBuffer, nullptr, 0 };
if (!SEC_ASN1EncodeItem(arena, &innerDER, mCertificate,
if (!SEC_ASN1EncodeItem(arena, &innerDER, mCertificate.get(),
SEC_ASN1_GET(CERT_CertificateTemplate))) {
return NS_ERROR_DOM_UNKNOWN_ERR;
}
@ -241,7 +241,7 @@ private:
// Make copies of the private key and certificate, otherwise, when this
// object is deleted, the structures they reference will be deleted too.
SECKEYPrivateKey* key = mKeyPair->mPrivateKey.get()->GetPrivateKey();
CERTCertificate* cert = CERT_DupCertificate(mCertificate);
CERTCertificate* cert = CERT_DupCertificate(mCertificate.get());
RefPtr<RTCCertificate> result =
new RTCCertificate(mResultPromise->GetParentObject(),
key, cert, mAuthType, mExpires);
@ -320,8 +320,8 @@ RTCCertificate::CreateDtlsIdentity() const
if (isAlreadyShutDown() || !mPrivateKey || !mCertificate) {
return nullptr;
}
SECKEYPrivateKey* key = SECKEY_CopyPrivateKey(mPrivateKey);
CERTCertificate* cert = CERT_DupCertificate(mCertificate);
SECKEYPrivateKey* key = SECKEY_CopyPrivateKey(mPrivateKey.get());
CERTCertificate* cert = CERT_DupCertificate(mCertificate.get());
RefPtr<DtlsIdentity> id = new DtlsIdentity(key, cert, mAuthType);
return id;
}
@ -341,8 +341,8 @@ RTCCertificate::virtualDestroyNSSReference()
void
RTCCertificate::destructorSafeDestroyNSSReference()
{
mPrivateKey.dispose();
mCertificate.dispose();
mPrivateKey.reset();
mCertificate.reset();
}
bool
@ -350,7 +350,7 @@ RTCCertificate::WritePrivateKey(JSStructuredCloneWriter* aWriter,
const nsNSSShutDownPreventionLock& aLockProof) const
{
JsonWebKey jwk;
nsresult rv = CryptoKey::PrivateKeyToJwk(mPrivateKey, jwk, aLockProof);
nsresult rv = CryptoKey::PrivateKeyToJwk(mPrivateKey.get(), jwk, aLockProof);
if (NS_FAILED(rv)) {
return false;
}
@ -402,7 +402,7 @@ RTCCertificate::ReadPrivateKey(JSStructuredCloneReader* aReader,
if (!jwk.Init(json)) {
return false;
}
mPrivateKey = CryptoKey::PrivateKeyFromJwk(jwk, aLockProof);
mPrivateKey.reset(CryptoKey::PrivateKeyFromJwk(jwk, aLockProof));
return !!mPrivateKey;
}
@ -417,8 +417,8 @@ RTCCertificate::ReadCertificate(JSStructuredCloneReader* aReader,
SECItem der = { siBuffer, cert.Elements(),
static_cast<unsigned int>(cert.Length()) };
mCertificate = CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
&der, nullptr, true, true);
mCertificate.reset(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
&der, nullptr, true, true));
return !!mCertificate;
}

6
dom/media/webrtc/RTCCertificate.h
View File

@ -60,7 +60,7 @@ public:
// Accessors for use by PeerConnectionImpl.
RefPtr<DtlsIdentity> CreateDtlsIdentity() const;
CERTCertificate* Certificate() const { return mCertificate; }
const UniqueCERTCertificate& Certificate() const { return mCertificate; }
// For nsNSSShutDownObject
virtual void virtualDestroyNSSReference() override;
@ -85,8 +85,8 @@ private:
const nsNSSShutDownPreventionLock& aLockProof) const;
RefPtr<nsIGlobalObject> mGlobal;
ScopedSECKEYPrivateKey mPrivateKey;
ScopedCERTCertificate mCertificate;
UniqueSECKEYPrivateKey mPrivateKey;
UniqueCERTCertificate mCertificate;
SSLKEAType mAuthType;
PRTime mExpires;
};

10
media/mtransport/dtlsidentity.cpp
View File

@ -18,12 +18,6 @@
namespace mozilla {
DtlsIdentity::~DtlsIdentity() {
if (cert_) {
CERT_DestroyCertificate(cert_);
}
}
RefPtr<DtlsIdentity> DtlsIdentity::Generate() {
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
if (!slot) {
@ -164,13 +158,13 @@ nsresult DtlsIdentity::ComputeFingerprint(const std::string algorithm,
uint8_t *digest,
size_t size,
size_t *digest_length) const {
const CERTCertificate* c = cert();
const UniqueCERTCertificate& c = cert();
MOZ_ASSERT(c);
return ComputeFingerprint(c, algorithm, digest, size, digest_length);
}
nsresult DtlsIdentity::ComputeFingerprint(const CERTCertificate *cert,
nsresult DtlsIdentity::ComputeFingerprint(const UniqueCERTCertificate& cert,
const std::string algorithm,
uint8_t *digest,
size_t size,

9
media/mtransport/dtlsidentity.h
View File

@ -33,7 +33,7 @@ class DtlsIdentity final {
// These don't create copies or transfer ownership. If you want these to live
// on, make a copy.
CERTCertificate *cert() const { return cert_; }
const UniqueCERTCertificate& cert() const { return cert_; }
SECKEYPrivateKey *privkey() const { return private_key_; }
// Note: this uses SSLKEAType because that is what the libssl API requires.
// This is a giant confusing mess, but libssl indexes certificates based on a
@ -45,7 +45,7 @@ class DtlsIdentity final {
uint8_t *digest,
size_t size,
size_t *digest_length) const;
static nsresult ComputeFingerprint(const CERTCertificate *cert,
static nsresult ComputeFingerprint(const UniqueCERTCertificate& cert,
const std::string algorithm,
uint8_t *digest,
size_t size,
@ -59,12 +59,11 @@ class DtlsIdentity final {
NS_INLINE_DECL_THREADSAFE_REFCOUNTING(DtlsIdentity)
private:
~DtlsIdentity();
~DtlsIdentity() {}
DISALLOW_COPY_ASSIGN(DtlsIdentity);
ScopedSECKEYPrivateKey private_key_;
CERTCertificate *cert_; // TODO: Using a smart pointer here causes link
// errors.
UniqueCERTCertificate cert_;
SSLKEAType auth_type_;
};
} // close namespace

91
media/mtransport/transportlayerdtls.cpp
View File

@ -15,7 +15,9 @@
#include "dtlsidentity.h"
#include "keyhi.h"
#include "logging.h"
#include "mozilla/Move.h"
#include "mozilla/UniquePtr.h"
#include "mozilla/Unused.h"
#include "nsCOMPtr.h"
#include "nsComponentManagerUtils.h"
#include "nsComponentManagerUtils.h"
@ -489,24 +491,24 @@ bool TransportLayerDtls::Setup() {
transport_layer_identity = PR_GetUniqueIdentity("nssstreamadapter");
}
ScopedPRFileDesc pr_fd(PR_CreateIOLayerStub(transport_layer_identity,
UniquePRFileDesc pr_fd(PR_CreateIOLayerStub(transport_layer_identity,
&TransportLayerMethods));
MOZ_ASSERT(pr_fd != nullptr);
if (!pr_fd)
return false;
pr_fd->secret = reinterpret_cast<PRFilePrivate *>(nspr_io_adapter_.get());
ScopedPRFileDesc ssl_fd(DTLS_ImportFD(nullptr, pr_fd));
UniquePRFileDesc ssl_fd(DTLS_ImportFD(nullptr, pr_fd.get()));
MOZ_ASSERT(ssl_fd != nullptr); // This should never happen
if (!ssl_fd) {
return false;
}
pr_fd.forget(); // ownership transfered to ssl_fd;
Unused << pr_fd.release(); // ownership transfered to ssl_fd;
if (role_ == CLIENT) {
MOZ_MTLOG(ML_INFO, "Setting up DTLS as client");
rv = SSL_GetClientAuthDataHook(ssl_fd, GetClientAuthDataHook,
rv = SSL_GetClientAuthDataHook(ssl_fd.get(), GetClientAuthDataHook,
this);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't set identity");
@ -515,7 +517,7 @@ bool TransportLayerDtls::Setup() {
} else {
MOZ_MTLOG(ML_INFO, "Setting up DTLS as server");
// Server side
rv = SSL_ConfigSecureServer(ssl_fd, identity_->cert(),
rv = SSL_ConfigSecureServer(ssl_fd.get(), identity_->cert().get(),
identity_->privkey(),
identity_->auth_type());
if (rv != SECSuccess) {
@ -524,13 +526,13 @@ bool TransportLayerDtls::Setup() {
}
// Insist on a certificate from the client
rv = SSL_OptionSet(ssl_fd, SSL_REQUEST_CERTIFICATE, PR_TRUE);
rv = SSL_OptionSet(ssl_fd.get(), SSL_REQUEST_CERTIFICATE, PR_TRUE);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't request certificate");
return false;
}
rv = SSL_OptionSet(ssl_fd, SSL_REQUIRE_CERTIFICATE, PR_TRUE);
rv = SSL_OptionSet(ssl_fd.get(), SSL_REQUIRE_CERTIFICATE, PR_TRUE);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't require certificate");
return false;
@ -544,49 +546,50 @@ bool TransportLayerDtls::Setup() {
SSL_LIBRARY_VERSION_TLS_1_2
};
rv = SSL_VersionRangeSet(ssl_fd, &version_range);
rv = SSL_VersionRangeSet(ssl_fd.get(), &version_range);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Can't disable SSLv3");
return false;
}
rv = SSL_OptionSet(ssl_fd, SSL_ENABLE_SESSION_TICKETS, PR_FALSE);
rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_SESSION_TICKETS, PR_FALSE);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't disable session tickets");
return false;
}
rv = SSL_OptionSet(ssl_fd, SSL_NO_CACHE, PR_TRUE);
rv = SSL_OptionSet(ssl_fd.get(), SSL_NO_CACHE, PR_TRUE);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't disable session caching");
return false;
}
rv = SSL_OptionSet(ssl_fd, SSL_ENABLE_DEFLATE, PR_FALSE);
rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_DEFLATE, PR_FALSE);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't disable deflate");
return false;
}
rv = SSL_OptionSet(ssl_fd, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_NEVER);
rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_RENEGOTIATION,
SSL_RENEGOTIATE_NEVER);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't disable renegotiation");
return false;
}
rv = SSL_OptionSet(ssl_fd, SSL_ENABLE_FALSE_START, PR_FALSE);
rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_FALSE_START, PR_FALSE);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't disable false start");
return false;
}
rv = SSL_OptionSet(ssl_fd, SSL_NO_LOCKS, PR_TRUE);
rv = SSL_OptionSet(ssl_fd.get(), SSL_NO_LOCKS, PR_TRUE);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't disable locks");
return false;
}
rv = SSL_OptionSet(ssl_fd, SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
rv = SSL_OptionSet(ssl_fd.get(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't disable ECDHE key reuse");
return false;
@ -596,7 +599,7 @@ bool TransportLayerDtls::Setup() {
return false;
}
rv = SSL_NamedGroupConfig(ssl_fd, NamedGroupPreferences,
rv = SSL_NamedGroupConfig(ssl_fd.get(), NamedGroupPreferences,
mozilla::ArrayLength(NamedGroupPreferences));
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't set named groups");
@ -604,7 +607,7 @@ bool TransportLayerDtls::Setup() {
}
// Certificate validation
rv = SSL_AuthCertificateHook(ssl_fd, AuthCertificateHook,
rv = SSL_AuthCertificateHook(ssl_fd.get(), AuthCertificateHook,
reinterpret_cast<void *>(this));
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't set certificate validation hook");
@ -616,12 +619,12 @@ bool TransportLayerDtls::Setup() {
}
// Now start the handshake
rv = SSL_ResetHandshake(ssl_fd, role_ == SERVER ? PR_TRUE : PR_FALSE);
rv = SSL_ResetHandshake(ssl_fd.get(), role_ == SERVER ? PR_TRUE : PR_FALSE);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't reset handshake");
return false;
}
ssl_fd_ = ssl_fd.forget();
ssl_fd_ = Move(ssl_fd);
// Finally, get ready to receive data
downward_->SignalStateChange.connect(this, &TransportLayerDtls::StateChange);
@ -635,18 +638,18 @@ bool TransportLayerDtls::Setup() {
return true;
}
bool TransportLayerDtls::SetupAlpn(PRFileDesc* ssl_fd) const {
bool TransportLayerDtls::SetupAlpn(UniquePRFileDesc& ssl_fd) const {
if (alpn_allowed_.empty()) {
return true;
}
SECStatus rv = SSL_OptionSet(ssl_fd, SSL_ENABLE_NPN, PR_FALSE);
SECStatus rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_NPN, PR_FALSE);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't disable NPN");
return false;
}
rv = SSL_OptionSet(ssl_fd, SSL_ENABLE_ALPN, PR_TRUE);
rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_ALPN, PR_TRUE);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't enable ALPN");
return false;
@ -664,7 +667,7 @@ bool TransportLayerDtls::SetupAlpn(PRFileDesc* ssl_fd) const {
memcpy(buf + offset, tag->c_str(), tag->length());
offset += tag->length();
}
rv = SSL_SetNextProtoNego(ssl_fd, buf, offset);
rv = SSL_SetNextProtoNego(ssl_fd.get(), buf, offset);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't set ALPN string");
return false;
@ -741,14 +744,14 @@ static const uint32_t DisabledCiphers[] = {
TLS_RSA_WITH_NULL_MD5,
};
bool TransportLayerDtls::SetupCipherSuites(PRFileDesc* ssl_fd) const {
bool TransportLayerDtls::SetupCipherSuites(UniquePRFileDesc& ssl_fd) const {
SECStatus rv;
// Set the SRTP ciphers
if (!srtp_ciphers_.empty()) {
// Note: std::vector is guaranteed to contiguous
rv = SSL_SetSRTPCiphers(ssl_fd, &srtp_ciphers_[0], srtp_ciphers_.size());
rv = SSL_SetSRTPCiphers(ssl_fd.get(), &srtp_ciphers_[0],
srtp_ciphers_.size());
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, "Couldn't set SRTP cipher suite");
return false;
@ -757,7 +760,7 @@ bool TransportLayerDtls::SetupCipherSuites(PRFileDesc* ssl_fd) const {
for (const auto& cipher : EnabledCiphers) {
MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "Enabling: " << cipher);
rv = SSL_CipherPrefSet(ssl_fd, cipher, PR_TRUE);
rv = SSL_CipherPrefSet(ssl_fd.get(), cipher, PR_TRUE);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_ERROR, LAYER_INFO <<
"Unable to enable suite: " << cipher);
@ -769,14 +772,14 @@ bool TransportLayerDtls::SetupCipherSuites(PRFileDesc* ssl_fd) const {
MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "Disabling: " << cipher);
PRBool enabled = false;
rv = SSL_CipherPrefGet(ssl_fd, cipher, &enabled);
rv = SSL_CipherPrefGet(ssl_fd.get(), cipher, &enabled);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_NOTICE, LAYER_INFO <<
"Unable to check if suite is enabled: " << cipher);
return false;
}
if (enabled) {
rv = SSL_CipherPrefSet(ssl_fd, cipher, PR_FALSE);
rv = SSL_CipherPrefSet(ssl_fd.get(), cipher, PR_FALSE);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_NOTICE, LAYER_INFO <<
"Unable to disable suite: " << cipher);
@ -798,7 +801,7 @@ nsresult TransportLayerDtls::GetCipherSuite(uint16_t* cipherSuite) const {
return NS_ERROR_NOT_AVAILABLE;
}
SSLChannelInfo info;
SECStatus rv = SSL_GetChannelInfo(ssl_fd_, &info, sizeof(info));
SECStatus rv = SSL_GetChannelInfo(ssl_fd_.get(), &info, sizeof(info));
if (rv != SECSuccess) {
MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "GetCipherSuite can't get channel info");
return NS_ERROR_FAILURE;
@ -859,7 +862,7 @@ void TransportLayerDtls::Handshake() {
// Clear the retransmit timer
timer_->Cancel();
SECStatus rv = SSL_ForceHandshake(ssl_fd_);
SECStatus rv = SSL_ForceHandshake(ssl_fd_.get());
if (rv == SECSuccess) {
MOZ_MTLOG(ML_NOTICE,
@ -890,7 +893,7 @@ void TransportLayerDtls::Handshake() {
case PR_WOULD_BLOCK_ERROR:
MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "Handshake would have blocked");
PRIntervalTime timeout;
rv = DTLS_GetHandshakeTimeout(ssl_fd_, &timeout);
rv = DTLS_GetHandshakeTimeout(ssl_fd_.get(), &timeout);
if (rv == SECSuccess) {
uint32_t timeout_ms = PR_IntervalToMilliseconds(timeout);
@ -923,7 +926,7 @@ bool TransportLayerDtls::CheckAlpn() {
SSLNextProtoState alpnState;
char chosenAlpn[MAX_ALPN_LENGTH];
unsigned int chosenAlpnLen;
SECStatus rv = SSL_GetNextProto(ssl_fd_, &alpnState,
SECStatus rv = SSL_GetNextProto(ssl_fd_.get(), &alpnState,
reinterpret_cast<unsigned char*>(chosenAlpn),
&chosenAlpnLen, sizeof(chosenAlpn));
if (rv != SECSuccess) {
@ -1002,7 +1005,7 @@ void TransportLayerDtls::PacketReceived(TransportLayer* layer,
int32_t rv;
// One packet might contain several DTLS packets
do {
rv = PR_Recv(ssl_fd_, buf, sizeof(buf), 0, PR_INTERVAL_NO_WAIT);
rv = PR_Recv(ssl_fd_.get(), buf, sizeof(buf), 0, PR_INTERVAL_NO_WAIT);
if (rv > 0) {
// We have data
MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "Read " << rv << " bytes from NSS");
@ -1033,7 +1036,7 @@ TransportResult TransportLayerDtls::SendPacket(const unsigned char *data,
return TE_ERROR;
}
int32_t rv = PR_Send(ssl_fd_, data, len, 0, PR_INTERVAL_NO_WAIT);
int32_t rv = PR_Send(ssl_fd_.get(), data, len, 0, PR_INTERVAL_NO_WAIT);
if (rv > 0) {
// We have data
@ -1074,7 +1077,7 @@ SECStatus TransportLayerDtls::GetClientAuthDataHook(void *arg, PRFileDesc *fd,
return SECFailure;
}
*pRetCert = CERT_DupCertificate(stream->identity_->cert());
*pRetCert = CERT_DupCertificate(stream->identity_->cert().get());
if (!*pRetCert) {
PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
return SECFailure;
@ -1103,7 +1106,7 @@ nsresult TransportLayerDtls::GetSrtpCipher(uint16_t *cipher) const {
if (state_ != TS_OPEN) {
return NS_ERROR_NOT_AVAILABLE;
}
SECStatus rv = SSL_GetSRTPCipher(ssl_fd_, cipher);
SECStatus rv = SSL_GetSRTPCipher(ssl_fd_.get(), cipher);
if (rv != SECSuccess) {
MOZ_MTLOG(ML_DEBUG, "No SRTP cipher negotiated");
return NS_ERROR_FAILURE;
@ -1122,7 +1125,7 @@ nsresult TransportLayerDtls::ExportKeyingMaterial(const std::string& label,
MOZ_ASSERT(false, "Transport must be open for ExportKeyingMaterial");
return NS_ERROR_NOT_AVAILABLE;
}
SECStatus rv = SSL_ExportKeyingMaterial(ssl_fd_,
SECStatus rv = SSL_ExportKeyingMaterial(ssl_fd_.get(),
label.c_str(),
label.size(),
use_context,
@ -1149,9 +1152,8 @@ SECStatus TransportLayerDtls::AuthCertificateHook(void *arg,
}
SECStatus
TransportLayerDtls::CheckDigest(const RefPtr<VerificationDigest>&
digest,
CERTCertificate *peer_cert) {
TransportLayerDtls::CheckDigest(const RefPtr<VerificationDigest>& digest,
UniqueCERTCertificate& peer_cert) const {
unsigned char computed_digest[kMaxDigestLength];
size_t computed_digest_len;
@ -1193,9 +1195,7 @@ SECStatus TransportLayerDtls::AuthCertificateHook(PRFileDesc *fd,
PRBool checksig,
PRBool isServer) {
CheckThread();
ScopedCERTCertificate peer_cert;
peer_cert = SSL_PeerCertificate(fd);
UniqueCERTCertificate peer_cert(SSL_PeerCertificate(fd));
// We are not set up to take this being called multiple
// times. Change this if we ever add renegotiation.
@ -1207,7 +1207,6 @@ SECStatus TransportLayerDtls::AuthCertificateHook(PRFileDesc *fd,
auth_hook_called_ = true;
MOZ_ASSERT(verification_mode_ != VERIFY_UNSET);
MOZ_ASSERT(peer_cert_ == nullptr);
switch (verification_mode_) {
case VERIFY_UNSET:
@ -1216,7 +1215,6 @@ SECStatus TransportLayerDtls::AuthCertificateHook(PRFileDesc *fd,
break;
case VERIFY_ALLOW_ALL:
peer_cert_ = peer_cert.forget();
cert_ok_ = true;
return SECSuccess;
@ -1234,7 +1232,6 @@ SECStatus TransportLayerDtls::AuthCertificateHook(PRFileDesc *fd,
// Matches a digest, we are good to go
if (rv == SECSuccess) {
cert_ok_ = true;
peer_cert = peer_cert.forget();
return SECSuccess;
}
}

15
media/mtransport/transportlayerdtls.h
View File

@ -91,10 +91,6 @@ class TransportLayerDtls final : public TransportLayer {
unsigned char *out,
unsigned int outlen);
const CERTCertificate *GetPeerCert() const {
return peer_cert_;
}
// Transport layer overrides.
virtual nsresult InitInternal();
virtual void WasInserted();
@ -106,7 +102,7 @@ class TransportLayerDtls final : public TransportLayer {
size_t len);
// For testing use only. Returns the fd.
PRFileDesc* internal_fd() { CheckThread(); return ssl_fd_.rwget(); }
PRFileDesc* internal_fd() { CheckThread(); return ssl_fd_.get(); }
TRANSPORT_LAYER_ID("dtls")
@ -138,8 +134,8 @@ class TransportLayerDtls final : public TransportLayer {
bool Setup();
bool SetupCipherSuites(PRFileDesc* ssl_fd) const;
bool SetupAlpn(PRFileDesc* ssl_fd) const;
bool SetupCipherSuites(UniquePRFileDesc& ssl_fd) const;
bool SetupAlpn(UniquePRFileDesc& ssl_fd) const;
void Handshake();
bool CheckAlpn();
@ -159,7 +155,7 @@ class TransportLayerDtls final : public TransportLayer {
static void TimerCallback(nsITimer *timer, void *arg);
SECStatus CheckDigest(const RefPtr<VerificationDigest>& digest,
CERTCertificate *cert);
UniqueCERTCertificate& cert) const;
RefPtr<DtlsIdentity> identity_;
// What ALPN identifiers are permitted.
@ -178,9 +174,8 @@ class TransportLayerDtls final : public TransportLayer {
// Must delete nspr_io_adapter after ssl_fd_ b/c ssl_fd_ causes an alert
// (ssl_fd_ contains an un-owning pointer to nspr_io_adapter_)
UniquePtr<TransportLayerNSPRAdapter> nspr_io_adapter_;
ScopedPRFileDesc ssl_fd_;
UniquePRFileDesc ssl_fd_;
ScopedCERTCertificate peer_cert_;
nsCOMPtr<nsITimer> timer_;
bool auth_hook_called_;
bool cert_ok_;

5
media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
View File

@ -2838,13 +2838,12 @@ PeerConnectionImpl::CalculateFingerprint(
std::vector<uint8_t>* fingerprint) const {
uint8_t buf[DtlsIdentity::HASH_ALGORITHM_MAX_LENGTH];
size_t len = 0;
CERTCertificate* cert;
MOZ_ASSERT(fingerprint);
#if !defined(MOZILLA_EXTERNAL_LINKAGE)
cert = mCertificate->Certificate();
const UniqueCERTCertificate& cert = mCertificate->Certificate();
#else
cert = mIdentity->cert();
const UniqueCERTCertificate& cert = mIdentity->cert();
#endif
nsresult rv = DtlsIdentity::ComputeFingerprint(cert, algorithm,
&buf[0], sizeof(buf),

3
security/manager/ssl/ScopedNSSTypes.h
View File

@ -59,9 +59,6 @@ MapSECStatus(SECStatus rv)
// Alphabetical order by NSS type
// Deprecated: use the equivalent UniquePtr templates instead.
MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedPRFileDesc,
PRFileDesc,
PR_Close)
MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTCertificate,
CERTCertificate,
CERT_DestroyCertificate)