Bug 1677548 - land NSS f84fb229842a UPGRADE_NSS_RELEASE, r=bbeurdouche

2020-12-04 Kevin Jacobs <kjacobs@mozilla.com> * gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc, lib/pk11wrap/pk11obj.c: Bug 1680400 - Fix memory leak in PK11_UnwrapPrivKey. r=bbeurdouche [f84fb229842a] [tip] 2020-12-03 yogesh <yoyogesh01@gmail.com> * cmd/tstclnt/tstclnt.c: Bug 1570539 - Removed -X alt-server-hello option from tstclnt r=kjacobs [ef9198eb2895] 2020-12-03 J.C. Jones <jjones@mozilla.com> * lib/util/pkcs11t.h: Bug 1675523 - CKR_PUBLIC_KEY_INVALID has an incorrect value r=bbeurdouche PKCS#11 v2.40: https://www.cryptsoft.com/pkcs11doc/STANDARD/include/v240/pkcs11t.h line 1150 jdk8u: https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/eb7f437285a1 /src/share/native/sun/security/pkcs11/wrapper/pkcs11t.h#l1155 [f9bcf45ca3bf] Differential Revision: https://phabricator.services.mozilla.com/D98946
2020-12-07 19:40:13 +00:00 · 2020-12-07 19:40:13 +00:00 · 254f0c7699
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@ -1 +1 @@
-f8c49b334e51
+f84fb229842a
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@ -313,7 +313,6 @@ PrintParameterUsage()
                    "%-20s rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,\n"
                    "%-20s dsa_sha1, dsa_sha256, dsa_sha384, dsa_sha512\n",
            "-J", "", "", "", "", "", "", "");
-    fprintf(stderr, "%-20s Enable alternative TLS 1.3 handshake\n", "-X alt-server-hello");
    fprintf(stderr, "%-20s Use DTLS\n", "-P {client, server}");
    fprintf(stderr, "%-20s Exit after handshake\n", "-Q");
    fprintf(stderr, "%-20s Use Encrypted Client Hello with the given Base64-encoded ECHConfigs\n", "-N");
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@ -10,4 +10,3 @@
 */

 #error "Do not include this header file."
-
--- a/security/nss/gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc
@ -66,6 +66,14 @@ TEST_F(Pkcs11AESKeyWrapPadTest, WrapUnwrapECKey) {
                         true, CKK_EC, usages, usageCount, nullptr));
  ASSERT_EQ(0, PORT_GetError());
  ASSERT_TRUE(!!unwrapped);
+
+  // Try it with internal params allocation.
+  SECKEYPrivateKey* tmp = PK11_UnwrapPrivKey(
+      slot.get(), kek.get(), CKM_NSS_AES_KEY_WRAP_PAD, nullptr, wrapped.get(),
+      nullptr, &pubKey, false, true, CKK_EC, usages, usageCount, nullptr);
+  ASSERT_EQ(0, PORT_GetError());
+  ASSERT_NE(nullptr, tmp);
+  unwrapped.reset(tmp);
 }

 // Encrypt an ephemeral RSA key
--- a/security/nss/lib/pk11wrap/pk11obj.c
+++ b/security/nss/lib/pk11wrap/pk11obj.c
@ -1321,23 +1321,23 @@ PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
                                                                NULL, perm, sensitive);
                SECKEY_DestroyPrivateKey(privKey);
                PK11_FreeSlot(int_slot);
+                SECITEM_FreeItem(param_free, PR_TRUE);
                return newPrivKey;
            }
        }
        if (int_slot)
            PK11_FreeSlot(int_slot);
        PORT_SetError(PK11_MapError(crv));
+        SECITEM_FreeItem(param_free, PR_TRUE);
        return NULL;
    }
+    SECITEM_FreeItem(param_free, PR_TRUE);
    return PK11_MakePrivKey(slot, nullKey, PR_FALSE, privKeyID, wincx);

 loser:
-    if (newKey) {
-        PK11_FreeSymKey(newKey);
-    }
-    if (ck_id) {
-        SECITEM_FreeItem(ck_id, PR_TRUE);
-    }
+    PK11_FreeSymKey(newKey);
+    SECITEM_FreeItem(ck_id, PR_TRUE);
+    SECITEM_FreeItem(param_free, PR_TRUE);
    return NULL;
 }

--- a/security/nss/lib/util/pkcs11t.h
+++ b/security/nss/lib/util/pkcs11t.h
@ -1460,7 +1460,7 @@ typedef CK_ULONG CK_RV;
 #define CKR_FIPS_SELF_TEST_FAILED 0x000001B6UL
 #define CKR_LIBRARY_LOAD_FAILED 0x000001B7UL
 #define CKR_PIN_TOO_WEAK 0x000001B8UL
-#define CKR_PUBLIC_KEY_INVALID 0x000001B
+#define CKR_PUBLIC_KEY_INVALID 0x000001B9UL

 /* This is new to v2.20 */
 #define CKR_FUNCTION_REJECTED 0x00000200UL