roytam1/mozilla45esr
1
0
Fork 0
mirror of https://github.com/roytam1/mozilla45esr.git synced 2026-05-26 15:39:48 +00:00
Code Issues Projects Releases Wiki Activity

[NSS] sync with https://github.com/roytam1/NSS/tree/NSS_3_48_UXP_BRANCH

Browse Source
This commit is contained in:
roytam1
2023-11-17 14:32:24 +08:00
parent b1f3b6d3cc
commit 9022d33dd5
15 changed files with 107 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files
security/nss/lib/certdb/certdb.c
+3 -3
View File
@@ -384,9 +384,9 @@ GetKeyUsage(CERTCertificate *cert)
rv = CERT_FindKeyUsageExtension(cert, &tmpitem);
if (rv == SECSuccess) {
/* remember the actual value of the extension */
cert->rawKeyUsage = tmpitem.data[0];
cert->rawKeyUsage = tmpitem.len ? tmpitem.data[0] : 0;
cert->keyUsagePresent = PR_TRUE;
cert->keyUsage = tmpitem.data[0];
cert->keyUsage = cert->rawKeyUsage;
PORT_Free(tmpitem.data);
tmpitem.data = NULL;
@@ -506,7 +506,7 @@ cert_ComputeCertType(CERTCertificate *cert)
isCA = basicConstraint.isCA;
}
if (tmpitem.data != NULL || extKeyUsage != NULL) {
if (tmpitem.data == NULL) {
if (tmpitem.data == NULL || tmpitem.len == 0) {
nsCertType = 0;
} else {
nsCertType = tmpitem.data[0];
security/nss/lib/certdb/certv3.c
+1 -1
View File
@@ -213,7 +213,7 @@ CERT_CheckCertUsage(CERTCertificate *cert, unsigned char usage)
if (rv == SECFailure) {
rv = (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) ? SECSuccess
: SECFailure;
} else if (!keyUsage.data || !(keyUsage.data[0] & usage)) {
} else if (!keyUsage.data || !keyUsage.len || !(keyUsage.data[0] & usage)) {
PORT_SetError(SEC_ERROR_CERT_USAGES_INVALID);
rv = SECFailure;
}
security/nss/lib/certdb/certxutl.c
+4 -2
View File
@@ -417,12 +417,14 @@ CERT_FindBitStringExtension(CERTCertExtension **extensions, int tag,
goto loser;
}
retItem->data = (unsigned char *)PORT_Alloc((tmpItem.len + 7) >> 3);
retItem->data = (unsigned char *)PORT_ZAlloc((tmpItem.len + 7) >> 3);
if (retItem->data == NULL) {
goto loser;
}
PORT_Memcpy(retItem->data, tmpItem.data, (tmpItem.len + 7) >> 3);
if (tmpItem.len > 0) {
PORT_Memcpy(retItem->data, tmpItem.data, (tmpItem.len + 7) >> 3);
}
retItem->len = tmpItem.len;
rv = SECSuccess;
security/nss/lib/certdb/xbsconst.c
+4 -1
View File
@@ -120,8 +120,11 @@ CERT_DecodeBasicConstraintValue(CERTBasicConstraints *value,
number
for unlimited certificate path.
*/
if (value->isCA)
if (value->isCA) {
value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
} else {
value->pathLenConstraint = 0;
}
} else if (value->isCA) {
long len = DER_GetInteger(&decodeContext.pathLenConstraint);
if (len < 0 || len == LONG_MAX) {
security/nss/lib/crmf/cmmfrec.c
+1 -1
View File
@@ -291,7 +291,7 @@ CMMF_CertifiedKeyPairUnwrapPrivKey(CMMFCertifiedKeyPair *inKeyPair,
cert = CMMF_CertifiedKeyPairGetCertificate(inKeyPair, inCertdb);
CERT_FindKeyUsageExtension(cert, &keyUsageValue);
if (keyUsageValue.data != NULL) {
keyUsage = keyUsageValue.data[3];
keyUsage = keyUsageValue.len ? keyUsageValue.data[0] : 0;
PORT_Free(keyUsageValue.data);
}
pubKey = CERT_ExtractPublicKey(cert);
security/nss/lib/cryptohi/secvfy.c
+2 -2
View File
@@ -296,8 +296,8 @@ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
PORT_DestroyCheapArena(&tmpArena);
/* only accept hash algorithms */
if (HASH_GetHashTypeByOidTag(*hashalg) == HASH_AlgNULL) {
/* error set by HASH_GetHashTypeByOidTag */
if (rv != SECSuccess || HASH_GetHashTypeByOidTag(*hashalg) == HASH_AlgNULL) {
/* error set by sec_DecodeRSAPSSParams or HASH_GetHashTypeByOidTag */
return SECFailure;
}
} else {
security/nss/lib/pkcs12/p12d.c
+5 -1
View File
@@ -337,7 +337,11 @@ sec_pkcs12_decoder_safe_bag_update(void *arg, const char *data,
SEC_PKCS12DecoderContext *p12dcx;
SECStatus rv;
if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) {
/* make sure that we are not skipping the current safeBag,
* and that there are no errors. If so, just return rather
* than continuing to process.
*/
if (!safeContentsCtx || !safeContentsCtx->p12dcx || safeContentsCtx->skipCurrentSafeBag) {
return;
}
p12dcx = safeContentsCtx->p12dcx;
security/nss/lib/smime/cmsdigest.c
+2 -2
View File
@@ -239,7 +239,7 @@ NSS_CMSDigestContext_FinishSingle(NSSCMSDigestContext *cmsdigcx,
SECItem *digest)
{
SECStatus rv = SECFailure;
SECItem **dp;
SECItem **dp = NULL;
PLArenaPool *arena = NULL;
if ((arena = PORT_NewArena(1024)) == NULL)
@@ -247,7 +247,7 @@ NSS_CMSDigestContext_FinishSingle(NSSCMSDigestContext *cmsdigcx,
/* get the digests into arena, then copy the first digest into poolp */
rv = NSS_CMSDigestContext_FinishMultiple(cmsdigcx, arena, &dp);
if (rv == SECSuccess) {
if (rv == SECSuccess && dp) {
/* now copy it into poolp */
rv = SECITEM_CopyItem(poolp, digest, dp[0]);
}
security/nss/lib/softoken/legacydb/lginit.c
+1 -6
View File
@@ -515,6 +515,7 @@ lg_init(SDB **pSdb, int flags, NSSLOWCERTCertDBHandle *certdbPtr,
lgdb_p->hashTable = PL_NewHashTable(64, lg_HashNumber, PL_CompareValues,
SECITEM_HashCompare, NULL, 0);
if (lgdb_p->hashTable == NULL) {
PR_DestroyLock(lgdb_p->dbLock);
goto loser;
}
@@ -546,12 +547,6 @@ loser:
PORT_Free(sdb);
}
if (lgdb_p) {
if (lgdb_p->dbLock) {
PR_DestroyLock(lgdb_p->dbLock);
}
if (lgdb_p->hashTable) {
PL_HashTableDestroy(lgdb_p->hashTable);
}
PORT_Free(lgdb_p);
}
return error;
security/nss/lib/softoken/pkcs11.c
+51 -15
View File
@@ -1583,6 +1583,7 @@ sftk_handleObject(SFTKObject *object, SFTKSession *session)
CK_OBJECT_HANDLE handle;
CK_BBOOL ckfalse = CK_FALSE;
CK_BBOOL cktrue = CK_TRUE;
PRBool isLoggedIn, needLogin;
CK_RV crv;
/* make sure all the base object types are defined. If not set the
@@ -1600,9 +1601,13 @@ sftk_handleObject(SFTKObject *object, SFTKSession *session)
if (crv != CKR_OK)
return crv;
PZ_Lock(slot->slotLock);
isLoggedIn = slot->isLoggedIn;
needLogin = slot->needLogin;
PZ_Unlock(slot->slotLock);
/* don't create a private object if we aren't logged in */
if ((!slot->isLoggedIn) && (slot->needLogin) &&
(sftk_isTrue(object, CKA_PRIVATE))) {
if (!isLoggedIn && needLogin && (sftk_isTrue(object, CKA_PRIVATE))) {
return CKR_USER_NOT_LOGGED_IN;
}
@@ -3472,11 +3477,18 @@ NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
static PRBool
sftk_checkNeedLogin(SFTKSlot *slot, SFTKDBHandle *keyHandle)
{
PRBool needLogin;
if (sftkdb_PWCached(keyHandle) == SECSuccess) {
return slot->needLogin;
PZ_Lock(slot->slotLock);
needLogin = slot->needLogin;
PZ_Unlock(slot->slotLock);
} else {
needLogin = (PRBool)!sftk_hasNullPassword(slot, keyHandle);
PZ_Lock(slot->slotLock);
slot->needLogin = needLogin;
PZ_Unlock(slot->slotLock);
}
slot->needLogin = (PRBool)!sftk_hasNullPassword(slot, keyHandle);
return (slot->needLogin);
return needLogin;
}
static PRBool
@@ -3848,8 +3860,11 @@ NSC_InitPIN(CK_SESSION_HANDLE hSession,
/* Now update our local copy of the pin */
if (rv == SECSuccess) {
if (ulPinLen == 0)
if (ulPinLen == 0) {
PZ_Lock(slot->slotLock);
slot->needLogin = PR_FALSE;
PZ_Unlock(slot->slotLock);
}
/* database has been initialized, now force min password in FIPS
* mode. NOTE: if we are in level1, we may not have a password, but
* forcing it now will prevent an insufficient password from being set.
@@ -3884,6 +3899,7 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
char newPinStr[SFTK_MAX_PIN + 1], oldPinStr[SFTK_MAX_PIN + 1];
SECStatus rv;
CK_RV crv = CKR_SESSION_HANDLE_INVALID;
PRBool needLogin;
PRBool tokenRemoved = PR_FALSE;
CHECK_FORK();
@@ -3904,7 +3920,10 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
return CKR_PIN_LEN_RANGE; /* XXX FIXME wrong return value */
}
if (slot->needLogin && sp->info.state != CKS_RW_USER_FUNCTIONS) {
PZ_Lock(slot->slotLock);
needLogin = slot->needLogin;
PZ_Unlock(slot->slotLock);
if (needLogin && sp->info.state != CKS_RW_USER_FUNCTIONS) {
crv = CKR_USER_NOT_LOGGED_IN;
goto loser;
}
@@ -4132,6 +4151,8 @@ NSC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
CK_RV crv;
char pinStr[SFTK_MAX_PIN + 1];
PRBool tokenRemoved = PR_FALSE;
PRBool isLoggedIn;
PRBool needLogin;
CHECK_FORK();
@@ -4155,9 +4176,14 @@ NSC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
return CKR_USER_TYPE_INVALID;
}
if (slot->isLoggedIn)
PZ_Lock(slot->slotLock);
isLoggedIn = slot->isLoggedIn;
needLogin = slot->needLogin;
PZ_Unlock(slot->slotLock);
if (isLoggedIn)
return CKR_USER_ALREADY_LOGGED_IN;
if (!slot->needLogin) {
if (!needLogin) {
return ulPinLen ? CKR_PIN_INCORRECT : CKR_OK;
}
slot->ssoLoggedIn = PR_FALSE;
@@ -4611,7 +4637,7 @@ NSC_GetAttributeValue(CK_SESSION_HANDLE hSession,
SFTKSession *session;
SFTKObject *object;
SFTKAttribute *attribute;
PRBool sensitive;
PRBool sensitive, isLoggedIn, needLogin;
CK_RV crv;
int i;
@@ -4642,9 +4668,13 @@ NSC_GetAttributeValue(CK_SESSION_HANDLE hSession,
return CKR_OBJECT_HANDLE_INVALID;
}
PZ_Lock(slot->slotLock);
isLoggedIn = slot->isLoggedIn;
needLogin = slot->needLogin;
PZ_Unlock(slot->slotLock);
/* don't read a private object if we aren't logged in */
if ((!slot->isLoggedIn) && (slot->needLogin) &&
(sftk_isTrue(object, CKA_PRIVATE))) {
if (!isLoggedIn && needLogin && (sftk_isTrue(object, CKA_PRIVATE))) {
sftk_FreeObject(object);
return CKR_USER_NOT_LOGGED_IN;
}
@@ -4685,7 +4715,7 @@ NSC_SetAttributeValue(CK_SESSION_HANDLE hSession,
SFTKSession *session;
SFTKAttribute *attribute;
SFTKObject *object;
PRBool isToken;
PRBool isToken, isLoggedIn, needLogin;
CK_RV crv = CKR_OK;
CK_BBOOL legal;
int i;
@@ -4709,9 +4739,13 @@ NSC_SetAttributeValue(CK_SESSION_HANDLE hSession,
return CKR_OBJECT_HANDLE_INVALID;
}
PZ_Lock(slot->slotLock);
isLoggedIn = slot->isLoggedIn;
needLogin = slot->needLogin;
PZ_Unlock(slot->slotLock);
/* don't modify a private object if we aren't logged in */
if ((!slot->isLoggedIn) && (slot->needLogin) &&
(sftk_isTrue(object, CKA_PRIVATE))) {
if (!isLoggedIn && needLogin && (sftk_isTrue(object, CKA_PRIVATE))) {
sftk_FreeSession(session);
sftk_FreeObject(object);
return CKR_USER_NOT_LOGGED_IN;
@@ -4989,7 +5023,9 @@ NSC_FindObjectsInit(CK_SESSION_HANDLE hSession,
search->index = 0;
search->size = 0;
search->array_size = NSC_SEARCH_BLOCK_SIZE;
PZ_Lock(slot->slotLock);
isLoggedIn = (PRBool)((!slot->needLogin) || slot->isLoggedIn);
PZ_Unlock(slot->slotLock);
crv = sftk_searchTokenList(slot, search, pTemplate, ulCount, isLoggedIn);
if (crv != CKR_OK) {
security/nss/lib/softoken/pkcs11i.h
+1 -1
View File
@@ -310,7 +310,7 @@ struct SFTKSessionStr {
* object hash tables (sessObjHashTable[] and tokObjHashTable), and
* sessionObjectHandleCount.
* slotLock protects the remaining protected elements:
* password, isLoggedIn, ssoLoggedIn, and sessionCount,
* password, needLogin, isLoggedIn, ssoLoggedIn, and sessionCount,
* and pwCheckLock serializes the key database password checks in
* NSC_SetPIN and NSC_Login.
*
security/nss/lib/softoken/sftkdb.c
+12 -2
View File
@@ -314,7 +314,7 @@ sftkdb_fixupTemplateOut(CK_ATTRIBUTE *template, CK_OBJECT_HANDLE objectID,
if ((keyHandle == NULL) ||
((SFTK_GET_SDB(keyHandle)->sdb_flags & SDB_HAS_META) == 0) ||
(keyHandle->passwordKey.data == NULL)) {
(sftkdb_PWCached(keyHandle) != SECSuccess)) {
checkSig = PR_FALSE;
}
@@ -1460,10 +1460,14 @@ sftkdb_CloseDB(SFTKDBHandle *handle)
}
(*handle->db->sdb_Close)(handle->db);
}
if (handle->passwordLock) {
PZ_Lock(handle->passwordLock);
}
if (handle->passwordKey.data) {
PORT_ZFree(handle->passwordKey.data, handle->passwordKey.len);
}
if (handle->passwordLock) {
PZ_Unlock(handle->passwordLock);
SKIP_AFTER_FORK(PZ_DestroyLock(handle->passwordLock));
}
if (handle->updatePasswordKey) {
@@ -2483,7 +2487,7 @@ sftkdb_ResetKeyDB(SFTKDBHandle *handle)
{
CK_RV crv;
/* only rest the key db */
/* only reset the key db */
if (handle->type != SFTK_KEYDB_TYPE) {
return SECFailure;
}
@@ -2492,6 +2496,12 @@ sftkdb_ResetKeyDB(SFTKDBHandle *handle)
/* set error */
return SECFailure;
}
PZ_Lock(handle->passwordLock);
if (handle->passwordKey.data) {
SECITEM_ZfreeItem(&handle->passwordKey, PR_FALSE);
handle->passwordKey.data = NULL;
}
PZ_Unlock(handle->passwordLock);
return SECSuccess;
}
security/nss/lib/softoken/sftkpwd.c
+5 -1
View File
@@ -998,7 +998,11 @@ done:
SECStatus
sftkdb_PWCached(SFTKDBHandle *keydb)
{
return keydb->passwordKey.data ? SECSuccess : SECFailure;
SECStatus rv;
PZ_Lock(keydb->passwordLock);
rv = keydb->passwordKey.data ? SECSuccess : SECFailure;
PZ_Unlock(keydb->passwordLock);
return rv;
}
static CK_RV
security/nss/lib/util/secasn1d.c
+13 -2
View File
@@ -1114,7 +1114,7 @@ sec_asn1d_prepare_for_contents(sec_asn1d_state *state)
* inspection, too) then move this code into the switch statement
* below under cases SET_OF and SEQUENCE_OF; it will be cleaner.
*/
PORT_Assert(state->underlying_kind == SEC_ASN1_SET_OF || state->underlying_kind == SEC_ASN1_SEQUENCE_OF || state->underlying_kind == (SEC_ASN1_SEQUENCE_OF | SEC_ASN1_DYNAMIC) || state->underlying_kind == (SEC_ASN1_SEQUENCE_OF | SEC_ASN1_DYNAMIC));
PORT_Assert(state->underlying_kind == SEC_ASN1_SET_OF || state->underlying_kind == SEC_ASN1_SEQUENCE_OF || state->underlying_kind == (SEC_ASN1_SET_OF | SEC_ASN1_DYNAMIC) || state->underlying_kind == (SEC_ASN1_SEQUENCE_OF | SEC_ASN1_DYNAMIC));
if (state->contents_length != 0 || state->indefinite) {
const SEC_ASN1Template *subt;
@@ -2463,7 +2463,18 @@ sec_asn1d_parse_end_of_contents(sec_asn1d_state *state,
if (state->pending == 0) {
state->place = afterEndOfContents;
state->endofcontents = PR_TRUE;
/* These end-of-contents octets either terminate a SEQUENCE, a GROUP,
* or a constructed string. The SEQUENCE case is unique in that the
* state parses its own end-of-contents octets and therefore should not
* have its `endofcontents` flag set. We identify the SEQUENCE case by
* checking whether the child state's template is pointing at a
* template terminator (see `sec_asn1d_next_in_sequence`).
*/
if (state->child && state->child->theTemplate->kind == 0) {
state->endofcontents = PR_FALSE;
} else {
state->endofcontents = PR_TRUE;
}
}
return len;
security/nss/lib/zlib/deflate.c
+2 -1
View File
@@ -586,7 +586,8 @@ int ZEXPORT deflatePrime (strm, bits, value)
if (deflateStateCheck(strm)) return Z_STREAM_ERROR;
s = strm->state;
if (s->sym_buf < s->pending_out + ((Buf_size + 7) >> 3))
if (bits < 0 || bits > 16 ||
s->sym_buf < s->pending_out + ((Buf_size + 7) >> 3))
return Z_BUF_ERROR;
do {
put = Buf_size - s->bi_valid;