mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1386955 - land NSS 984849c0a0f1 UPGRADE_NSS_RELEASE, r=me

This commit is contained in:
Franziskus Kiefer 2017-08-17 11:57:16 +02:00
Родитель bd606d1190
Коммит 74e77f7e73
10 изменённых файлов: 140 добавлений и 23 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
security/nss/TAG-INFO
Просмотреть файл

@ -1 +1 @@
3e81bdac8449
984849c0a0f1

2
security/nss/coreconf/config.gypi
Просмотреть файл

@ -167,7 +167,7 @@
},
},
}],
[ 'target_arch=="arm64" or target_arch=="aarch64"', {
[ 'target_arch=="arm64" or target_arch=="aarch64" or target_arch=="sparc64"', {
'defines': [
'NSS_USE_64',
],

1
security/nss/coreconf/coreconf.dep
Просмотреть файл

@ -10,3 +10,4 @@
*/
#error "Do not include this header file."

2
security/nss/cpputil/scoped_ptrs.h
Просмотреть файл

@ -36,6 +36,7 @@ struct ScopedDelete {
void operator()(PK11URI* uri) { PK11URI_DestroyURI(uri); }
void operator()(PLArenaPool* arena) { PORT_FreeArena(arena, PR_FALSE); }
void operator()(PK11Context* context) { PK11_DestroyContext(context, true); }
void operator()(PK11GenericObject* obj) { PK11_DestroyGenericObject(obj); }
};
template <class T>
@ -66,6 +67,7 @@ SCOPED(SECKEYPrivateKeyList);
SCOPED(PK11URI);
SCOPED(PLArenaPool);
SCOPED(PK11Context);
SCOPED(PK11GenericObject);
#undef SCOPED

117
security/nss/gtests/softoken_gtest/softoken_gtest.cc
Просмотреть файл

@ -3,6 +3,7 @@
#include "nspr.h"
#include "nss.h"
#include "pk11pub.h"
#include "secerr.h"
#include "scoped_ptrs.h"
@ -25,24 +26,24 @@ namespace nss_test {
// this implementation.
class ScopedUniqueDirectory {
public:
explicit ScopedUniqueDirectory(const std::string& prefix);
explicit ScopedUniqueDirectory(const std::string &prefix);
// NB: the directory must be empty upon destruction
~ScopedUniqueDirectory() { assert(rmdir(mPath.c_str()) == 0); }
const std::string& GetPath() { return mPath; }
const std::string &GetPath() { return mPath; }
private:
static const int RETRY_LIMIT = 5;
static void GenerateRandomName(/*in/out*/ std::string& prefix);
static bool TryMakingDirectory(/*in/out*/ std::string& prefix);
static void GenerateRandomName(/*in/out*/ std::string &prefix);
static bool TryMakingDirectory(/*in/out*/ std::string &prefix);
std::string mPath;
};
ScopedUniqueDirectory::ScopedUniqueDirectory(const std::string& prefix) {
ScopedUniqueDirectory::ScopedUniqueDirectory(const std::string &prefix) {
std::string path;
const char* workingDirectory = PR_GetEnvSecure("NSS_GTEST_WORKDIR");
const char *workingDirectory = PR_GetEnvSecure("NSS_GTEST_WORKDIR");
if (workingDirectory) {
path.assign(workingDirectory);
}
@ -59,7 +60,7 @@ ScopedUniqueDirectory::ScopedUniqueDirectory(const std::string& prefix) {
assert(mPath.length() > 0);
}
void ScopedUniqueDirectory::GenerateRandomName(std::string& prefix) {
void ScopedUniqueDirectory::GenerateRandomName(std::string &prefix) {
std::stringstream ss;
ss << prefix;
// RAND_MAX is at least 32767.
@ -69,7 +70,7 @@ void ScopedUniqueDirectory::GenerateRandomName(std::string& prefix) {
ss >> prefix;
}
bool ScopedUniqueDirectory::TryMakingDirectory(std::string& prefix) {
bool ScopedUniqueDirectory::TryMakingDirectory(std::string &prefix) {
GenerateRandomName(prefix);
#if defined(_WIN32)
return _mkdir(prefix.c_str()) == 0;
@ -91,7 +92,7 @@ class SoftokenTest : public ::testing::Test {
virtual void TearDown() {
ASSERT_EQ(SECSuccess, NSS_Shutdown());
const std::string& nssDBDirPath = mNSSDBDir.GetPath();
const std::string &nssDBDirPath = mNSSDBDir.GetPath();
ASSERT_EQ(0, unlink((nssDBDirPath + "/cert9.db").c_str()));
ASSERT_EQ(0, unlink((nssDBDirPath + "/key4.db").c_str()));
ASSERT_EQ(0, unlink((nssDBDirPath + "/pkcs11.txt").c_str()));
@ -116,9 +117,105 @@ TEST_F(SoftokenTest, ResetSoftokenNonEmptyPassword) {
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password2"));
}
// Test certificate to use in the CreateObject tests.
static const CK_OBJECT_CLASS cko_nss_trust = CKO_NSS_TRUST;
static const CK_BBOOL ck_false = CK_FALSE;
static const CK_BBOOL ck_true = CK_TRUE;
static const CK_TRUST ckt_nss_must_verify_trust = CKT_NSS_MUST_VERIFY_TRUST;
static const CK_TRUST ckt_nss_trusted_delegator = CKT_NSS_TRUSTED_DELEGATOR;
static const CK_ATTRIBUTE attributes[] = {
{CKA_CLASS, (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS)},
{CKA_TOKEN, (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL)},
{CKA_PRIVATE, (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL)},
{CKA_MODIFIABLE, (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL)},
{CKA_LABEL,
(void *)"Symantec Class 2 Public Primary Certification Authority - G4",
(PRUint32)61},
{CKA_CERT_SHA1_HASH,
(void *)"\147\044\220\056\110\001\260\042\226\100\020\106\264\261\147\054"
"\251\165\375\053",
(PRUint32)20},
{CKA_CERT_MD5_HASH,
(void *)"\160\325\060\361\332\224\227\324\327\164\337\276\355\150\336\226",
(PRUint32)16},
{CKA_ISSUER,
(void *)"\060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123"
"\061\035\060\033\006\003\125\004\012\023\024\123\171\155\141\156"
"\164\145\143\040\103\157\162\160\157\162\141\164\151\157\156\061"
"\037\060\035\006\003\125\004\013\023\026\123\171\155\141\156\164"
"\145\143\040\124\162\165\163\164\040\116\145\164\167\157\162\153"
"\061\105\060\103\006\003\125\004\003\023\074\123\171\155\141\156"
"\164\145\143\040\103\154\141\163\163\040\062\040\120\165\142\154"
"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
"\164\171\040\055\040\107\064",
(PRUint32)151},
{CKA_SERIAL_NUMBER,
(void *)"\002\020\064\027\145\022\100\073\267\126\200\055\200\313\171\125"
"\246\036",
(PRUint32)18},
{CKA_TRUST_SERVER_AUTH, (void *)&ckt_nss_must_verify_trust,
(PRUint32)sizeof(CK_TRUST)},
{CKA_TRUST_EMAIL_PROTECTION, (void *)&ckt_nss_trusted_delegator,
(PRUint32)sizeof(CK_TRUST)},
{CKA_TRUST_CODE_SIGNING, (void *)&ckt_nss_must_verify_trust,
(PRUint32)sizeof(CK_TRUST)},
{CKA_TRUST_STEP_UP_APPROVED, (void *)&ck_false,
(PRUint32)sizeof(CK_BBOOL)}};
TEST_F(SoftokenTest, CreateObjectNonEmptyPassword) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
EXPECT_EQ(SECSuccess, PK11_Logout(slot.get()));
ScopedPK11GenericObject obj(PK11_CreateGenericObject(
slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
EXPECT_EQ(nullptr, obj);
}
TEST_F(SoftokenTest, CreateObjectChangePassword) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
EXPECT_EQ(SECSuccess, PK11_ChangePW(slot.get(), "", "password"));
EXPECT_EQ(SECSuccess, PK11_Logout(slot.get()));
ScopedPK11GenericObject obj(PK11_CreateGenericObject(
slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
EXPECT_EQ(nullptr, obj);
}
TEST_F(SoftokenTest, CreateObjectChangeToEmptyPassword) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
EXPECT_EQ(SECSuccess, PK11_ChangePW(slot.get(), "password", ""));
// PK11_Logout returnes an error and SEC_ERROR_TOKEN_NOT_LOGGED_IN if the user
// is not "logged in".
EXPECT_EQ(SECFailure, PK11_Logout(slot.get()));
EXPECT_EQ(SEC_ERROR_TOKEN_NOT_LOGGED_IN, PORT_GetError());
ScopedPK11GenericObject obj(PK11_CreateGenericObject(
slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
// Because there's no password we can't logout and the operation should have
// succeeded.
EXPECT_NE(nullptr, obj);
}
class SoftokenNoDBTest : public ::testing::Test {};
TEST_F(SoftokenNoDBTest, NeedUserInitNoDB) {
ASSERT_EQ(SECSuccess, NSS_NoDB_Init("."));
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(PR_FALSE, PK11_NeedUserInit(slot.get()));
// When shutting down in here we have to release the slot first.
slot = nullptr;
ASSERT_EQ(SECSuccess, NSS_Shutdown());
}
} // namespace nss_test
int main(int argc, char** argv) {
int main(int argc, char **argv) {
::testing::InitGoogleTest(&argc, argv);
return RUN_ALL_TESTS();

2
security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
Просмотреть файл

@ -551,7 +551,7 @@ class ECCServerKEXFilter : public TlsHandshakeFilter {
// Replace the server key exchange message with an empty point
output->Allocate(4);
output->Write(0, 3U, 1); // named curve
uint32_t curve;
uint32_t curve = 0;
EXPECT_TRUE(input.Read(1, 2, &curve)); // get curve id
output->Write(1, curve, 2); // write curve id
output->Write(3, 0U, 1); // point length 0

10
security/nss/lib/freebl/gcm.c
Просмотреть файл

@ -574,7 +574,7 @@ GCM_CreateContext(void *context, freeblCipherFunc cipher,
const unsigned char *params)
{
GCMContext *gcm = NULL;
gcmHashContext *ghash = NULL;
gcmHashContext *ghash = NULL, *ghashmem = NULL;
unsigned char H[MAX_BLOCK_SIZE];
unsigned int tmp;
PRBool freeCtr = PR_FALSE;
@ -596,13 +596,13 @@ GCM_CreateContext(void *context, freeblCipherFunc cipher,
return NULL;
}
/* aligned_alloc is C11 so we have to do it the old way. */
ghash = PORT_ZAlloc(sizeof(gcmHashContext) + 15);
if (ghash == NULL) {
ghashmem = PORT_ZAlloc(sizeof(gcmHashContext) + 15);
if (ghashmem == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
}
ghash->mem = ghash;
ghash = (gcmHashContext *)(((uintptr_t)ghash + 15) & ~(uintptr_t)0x0F);
ghash = (gcmHashContext *)(((uintptr_t)ghashmem + 15) & ~(uintptr_t)0x0F);
ghash->mem = ghashmem;
/* first plug in the ghash context */
gcm->ghash_context = ghash;

10
security/nss/lib/freebl/rijndael.c
Просмотреть файл

@ -1018,13 +1018,15 @@ AESContext *
AES_AllocateContext(void)
{
/* aligned_alloc is C11 so we have to do it the old way. */
AESContext *ctx = PORT_ZAlloc(sizeof(AESContext) + 15);
if (ctx == NULL) {
AESContext *ctx, *ctxmem;
ctxmem = PORT_ZAlloc(sizeof(AESContext) + 15);
if (ctxmem == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return NULL;
}
ctx->mem = ctx;
return (AESContext *)(((uintptr_t)ctx + 15) & ~(uintptr_t)0x0F);
ctx = (AESContext *)(((uintptr_t)ctxmem + 15) & ~(uintptr_t)0x0F);
ctx->mem = ctxmem;
return ctx;
}
/*

5
security/nss/lib/pk11wrap/pk11slot.c
Просмотреть файл

@ -1182,7 +1182,7 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts)
/* set the slot flags to the current token values */
slot->series++; /* allow other objects to detect that the
* slot is different */
* slot is different */
slot->flags = slot->tokenInfo.flags;
slot->needLogin = ((slot->tokenInfo.flags & CKF_LOGIN_REQUIRED) ? PR_TRUE : PR_FALSE);
slot->readOnly = ((slot->tokenInfo.flags & CKF_WRITE_PROTECTED) ? PR_TRUE : PR_FALSE);
@ -1471,6 +1471,9 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot)
slot->hasRootCerts = PR_TRUE;
}
}
if ((slotInfo.flags & CKF_USER_PIN_INITIALIZED) != 0) {
slot->flags |= CKF_USER_PIN_INITIALIZED;
}
}
/*********************************************************************

12
security/nss/lib/softoken/pkcs11.c
Просмотреть файл

@ -3305,6 +3305,15 @@ NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
}
}
/* If there is no key database, this is for example the case when NSS was
* initialized with NSS_NoDbInit(), then there won't be any point in
* requesting a PIN. Set the CKF_USER_PIN_INITIALIZED bit so that
* PK11_NeedUserInit() doesn't indicate that a PIN is needed.
*/
if (slot->keyDB == NULL) {
pInfo->flags |= CKF_USER_PIN_INITIALIZED;
}
/* ok we really should read it out of the keydb file. */
/* pInfo->hardwareVersion.major = NSSLOWKEY_DB_FILE_VERSION; */
pInfo->hardwareVersion.major = SOFTOKEN_VMAJOR;
@ -3788,7 +3797,10 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
/* Now update our local copy of the pin */
if (rv == SECSuccess) {
PZ_Lock(slot->slotLock);
slot->needLogin = (PRBool)(ulNewLen != 0);
slot->isLoggedIn = (PRBool)(sftkdb_PWCached(handle) == SECSuccess);
PZ_Unlock(slot->slotLock);
/* Reset login flags. */
if (ulNewLen == 0) {
PRBool tokenRemoved = PR_FALSE;