Bug 898431: Update NSS to NSS 3.15.4 beta 10 (NSS_3_15_4_BETA10), r=me

2013-12-21 23:15:41 -08:00 · 2013-12-21 23:15:41 -08:00 · 987c5c3e05
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@ -1 +1 @@
-NSS_3_15_4_BETA9
+NSS_3_15_4_BETA10
--- a/security/nss/coreconf/arch.mk
+++ b/security/nss/coreconf/arch.mk
@ -146,7 +146,7 @@ endif
 # uses fibers).
 #
 # If OS_TARGET is not specified, it defaults to $(OS_ARCH), i.e., no
-# cross-compilation.
+# cross-compilation, except on Windows, where it defaults to WIN95.
 #

 #
@ -185,7 +185,7 @@ ifeq ($(OS_ARCH), Windows_NT)
    endif
 endif
 #
-# If uname -s returns "CYGWIN_NT-4.0", we assume that we are using
+# If uname -s returns "CYGWIN_NT-*", we assume that we are using
 # the uname.exe in the Cygwin tools.
 #
 ifeq (CYGWIN_NT,$(findstring CYGWIN_NT,$(OS_ARCH)))
@ -205,7 +205,7 @@ ifeq (CYGWIN_NT,$(findstring CYGWIN_NT,$(OS_ARCH)))
    endif
 endif
 #
-# If uname -s returns "MINGW32_NT-5.1", we assume that we are using
+# If uname -s returns "MINGW32_NT-*", we assume that we are using
 # the uname.exe in the MSYS toolkit.
 #
 ifeq (MINGW32_NT,$(findstring MINGW32_NT,$(OS_ARCH)))
@ -235,8 +235,12 @@ ifeq ($(OS_TARGET),Android)
 endif

 ifndef OS_TARGET
+ifeq ($(OS_ARCH), WINNT)
+    OS_TARGET = WIN95
+else
    OS_TARGET = $(OS_ARCH)
 endif
+endif

 ifeq ($(OS_TARGET), WIN95)
    OS_RELEASE = 4.0
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@ -10,3 +10,4 @@
 */

 #error "Do not include this header file."
+
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@ -750,14 +750,23 @@ static PRBool
 ocsp_IsCacheItemFresh(OCSPCacheItem *cacheItem)
 {
    PRTime now;
-    PRBool retval;
+    PRBool fresh;

-    PR_EnterMonitor(OCSP_Global.monitor);
    now = PR_Now();
-    retval = (cacheItem->nextFetchAttemptTime > now);
-    OCSP_TRACE(("OCSP ocsp_IsCacheItemFresh: %d\n", retval));
-    PR_ExitMonitor(OCSP_Global.monitor);
-    return retval;
+
+    fresh = cacheItem->nextFetchAttemptTime > now;
+
+    /* Work around broken OCSP responders that return unknown responses for
+     * certificates, especially certificates that were just recently issued.
+     */
+    if (fresh && cacheItem->certStatusArena &&
+        cacheItem->certStatus.certStatusType == ocspCertStatus_unknown) {
+        fresh = PR_FALSE;
+    }
+
+    OCSP_TRACE(("OCSP ocsp_IsCacheItemFresh: %d\n", fresh));
+
+    return fresh;
 }

 /*
@ -784,6 +793,19 @@ ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache,
    PORT_Assert(OCSP_Global.maxCacheEntries >= 0);
  
    cacheItem = ocsp_FindCacheEntry(cache, certID);
+
+    /* Don't replace an unknown or revoked entry with an error entry, even if
+     * the existing entry is expired. Instead, we'll continue to use the
+     * existing (possibly expired) cache entry until we receive a valid signed
+     * response to replace it.
+     */
+    if (!single && cacheItem && cacheItem->certStatusArena &&
+        (cacheItem->certStatus.certStatusType == ocspCertStatus_revoked ||
+         cacheItem->certStatus.certStatusType == ocspCertStatus_unknown)) {
+        PR_ExitMonitor(OCSP_Global.monitor);
+        return SECSuccess;
+    }
+
    if (!cacheItem) {
        CERTOCSPCertID *myCertID;
        if (certIDWasConsumed) {
@ -4915,7 +4937,7 @@ ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single,
    return ocsp_CertHasGoodStatus(single->certStatus, time);
 }

-/* Return value SECFailure means: not found or not fresh.
+/* SECFailure means the arguments were invalid.
 * On SECSuccess, the out parameters contain the OCSP status.
 * rvOcsp contains the overall result of the OCSP operation.
 * Depending on input parameter ignoreGlobalOcspFailureSetting,
@ -4923,34 +4945,39 @@ ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single,
 * If the cached attempt to obtain OCSP information had resulted
 * in a failure, missingResponseError shows the error code of
 * that failure.
+ * cacheFreshness is ocspMissing if no entry was found,
+ *                   ocspFresh if a fresh entry was found, or
+ *                   ocspStale if a stale entry was found.
 */
 SECStatus
-ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID, 
-                                        PRTime time,
-                                        PRBool ignoreGlobalOcspFailureSetting,
-                                        SECStatus *rvOcsp,
-                                        SECErrorCodes *missingResponseError)
+ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
+                                 PRTime time,
+                                 PRBool ignoreGlobalOcspFailureSetting,
+                                 SECStatus *rvOcsp,
+                                 SECErrorCodes *missingResponseError,
+                                 OCSPFreshness *cacheFreshness)
 {
    OCSPCacheItem *cacheItem = NULL;
-    SECStatus rv = SECFailure;
  
-    if (!certID || !missingResponseError || !rvOcsp) {
+    if (!certID || !missingResponseError || !rvOcsp || !cacheFreshness) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }
    *rvOcsp = SECFailure;
    *missingResponseError = 0;
+    *cacheFreshness = ocspMissing;
  
    PR_EnterMonitor(OCSP_Global.monitor);
    cacheItem = ocsp_FindCacheEntry(&OCSP_Global.cache, certID);
-    if (cacheItem && ocsp_IsCacheItemFresh(cacheItem)) {
+    if (cacheItem) {
+        *cacheFreshness = ocsp_IsCacheItemFresh(cacheItem) ? ocspFresh
+                                                           : ocspStale;
        /* having an arena means, we have a cached certStatus */
        if (cacheItem->certStatusArena) {
            *rvOcsp = ocsp_CertHasGoodStatus(&cacheItem->certStatus, time);
            if (*rvOcsp != SECSuccess) {
                *missingResponseError = PORT_GetError();
            }
-            rv = SECSuccess;
        } else {
            /*
             * No status cached, the previous attempt failed.
@ -4958,17 +4985,17 @@ ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID,
             * However, if OCSP is optional, a recent OCSP failure is
             * an allowed good state.
             */
-            if (!ignoreGlobalOcspFailureSetting &&
+            if (*cacheFreshness == ocspFresh &&
+                !ignoreGlobalOcspFailureSetting &&
                OCSP_Global.ocspFailureMode == 
                    ocspMode_FailureIsNotAVerificationFailure) {
-                rv = SECSuccess;
                *rvOcsp = SECSuccess;
            }
            *missingResponseError = cacheItem->missingResponseError;
        }
    }
    PR_ExitMonitor(OCSP_Global.monitor);
-    return rv;
+    return SECSuccess;
 }

 PRBool
@ -5039,9 +5066,10 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
 {
    CERTOCSPCertID *certID;
    PRBool certIDWasConsumed = PR_FALSE;
-    SECStatus rv = SECFailure;
+    SECStatus rv;
    SECStatus rvOcsp;
-    SECErrorCodes dummy_error_code; /* we ignore this */
+    SECErrorCodes cachedErrorCode;
+    OCSPFreshness cachedResponseFreshness;
  
    OCSP_TRACE_CERT(cert);
    OCSP_TRACE_TIME("## requested validity time:", time);
@ -5049,21 +5077,41 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
    certID = CERT_CreateOCSPCertID(cert, time);
    if (!certID)
        return SECFailure;
-    rv = ocsp_GetCachedOCSPResponseStatusIfFresh(
+    rv = ocsp_GetCachedOCSPResponseStatus(
        certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */
-        &rvOcsp, &dummy_error_code);
-    if (rv == SECSuccess) {
+        &rvOcsp, &cachedErrorCode, &cachedResponseFreshness);
+    if (rv != SECSuccess) {
+        CERT_DestroyOCSPCertID(certID);
+        return SECFailure;
+    }
+    if (cachedResponseFreshness == ocspFresh) {
        CERT_DestroyOCSPCertID(certID);
        return rvOcsp;
    }
-    rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg, 
+
+    rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg,
                                       &certIDWasConsumed, 
                                       &rvOcsp);
    if (rv != SECSuccess) {
-        /* we were unable to obtain ocsp status. Check if we should
-         * return cert status revoked. */
-        rvOcsp = ocsp_FetchingFailureIsVerificationFailure() ?
-            SECFailure : SECSuccess;
+        PRErrorCode err = PORT_GetError();
+        if (ocsp_FetchingFailureIsVerificationFailure()) {
+            PORT_SetError(err);
+            rvOcsp = SECFailure;
+        } else if (cachedResponseFreshness == ocspStale &&
+                   (cachedErrorCode == SEC_ERROR_OCSP_UNKNOWN_CERT ||
+                    cachedErrorCode == SEC_ERROR_REVOKED_CERTIFICATE)) {
+            /* If we couldn't get a response for a certificate that the OCSP
+             * responder previously told us was bad, then assume it is still
+             * bad until we hear otherwise, as it is very unlikely that the
+             * certificate status has changed from "revoked" to "good" and it
+             * is also unlikely that the certificate status has changed from
+             * "unknown" to "good", except for some buggy OCSP responders.
+             */
+            PORT_SetError(cachedErrorCode);
+            rvOcsp = SECFailure;
+        } else {
+            rvOcsp = SECSuccess;
+        }
    }
    if (!certIDWasConsumed) {
        CERT_DestroyOCSPCertID(certID);
@ -5113,6 +5161,7 @@ CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
    SECErrorCodes dummy_error_code; /* we ignore this */
    CERTOCSPResponse *decodedResponse = NULL;
    CERTOCSPSingleResponse *singleResponse = NULL;
+    OCSPFreshness freshness;

    /* The OCSP cache can be in three states regarding this certificate:
     *    + Good (cached, timely, 'good' response, or revoked in the future)
@ -5160,10 +5209,14 @@ CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
    certID = CERT_CreateOCSPCertID(cert, time);
    if (!certID)
        return SECFailure;
-    rv = ocsp_GetCachedOCSPResponseStatusIfFresh(
-        certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */
-        &rvOcsp, &dummy_error_code);
-    if (rv == SECSuccess && rvOcsp == SECSuccess) {
+
+    /* We pass PR_TRUE for ignoreGlobalOcspFailureSetting so that a cached
+     * error entry is not interpreted as being a 'Good' entry here.
+     */
+    rv = ocsp_GetCachedOCSPResponseStatus(
+        certID, time, PR_TRUE, /* ignoreGlobalOcspFailureSetting */
+        &rvOcsp, &dummy_error_code, &freshness);
+    if (rv == SECSuccess && rvOcsp == SECSuccess && freshness == ocspFresh) {
        /* The cached value is good. We don't want to waste time validating
         * this OCSP response. This is the first column in the table above. */
        CERT_DestroyOCSPCertID(certID);
--- a/security/nss/lib/certhigh/ocspi.h
+++ b/security/nss/lib/certhigh/ocspi.h
@ -41,12 +41,15 @@ cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,
                                 PRBool addServiceLocator,
                                 CERTCertificate *signerCert);

+typedef enum { ocspMissing, ocspFresh, ocspStale } OCSPFreshness;
+
 SECStatus
-ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID, 
-                                        PRTime time,
-                                        PRBool ignoreOcspFailureMode,
-                                        SECStatus *rvOcsp,
-                                        SECErrorCodes *missingResponseError);
+ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID,
+                                 PRTime time,
+                                 PRBool ignoreOcspFailureMode,
+                                 SECStatus *rvOcsp,
+                                 SECErrorCodes *missingResponseError,
+                                 OCSPFreshness *freshness);

 /*
 * FUNCTION: cert_ProcessOCSPResponse
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c
@ -184,6 +184,7 @@ PKIX_PL_OcspCertID_GetFreshCacheStatus(
        PRTime time = 0;
        SECStatus rv;
        SECStatus rvOcsp;
+        OCSPFreshness freshness;

        PKIX_ENTER(DATE, "PKIX_PL_OcspCertID_GetFreshCacheStatus");
        PKIX_NULLCHECK_THREE(cid, hasFreshStatus, statusIsGood);
@ -195,11 +196,11 @@ PKIX_PL_OcspCertID_GetFreshCacheStatus(
                time = PR_Now();
        }

-        rv = ocsp_GetCachedOCSPResponseStatusIfFresh(
+        rv = ocsp_GetCachedOCSPResponseStatus(
                cid->certID, time, PR_TRUE, /*ignoreGlobalOcspFailureSetting*/
-                &rvOcsp, missingResponseError);
+                &rvOcsp, missingResponseError, &freshness);

-        *hasFreshStatus = (rv == SECSuccess);
+        *hasFreshStatus = (rv == SECSuccess && freshness == ocspFresh);
        if (*hasFreshStatus) {
                *statusIsGood = (rvOcsp == SECSuccess);
        }