mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1785784 - land NSS NSS_3_82_RTM UPGRADE_NSS_RELEASE, r=nss-reviewers,bbeurdouche 

Differential Revision: https://phabricator.services.mozilla.com/D154974
This commit is contained in:
Anna Weine 2022-08-18 10:14:31 +00:00
Родитель a1bbaa5751
Коммит db08a45c3d
21 изменённых файлов: 452 добавлений и 83 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
build/moz.configure/nss.configure
Просмотреть файл

@ -9,7 +9,7 @@ system_lib_option("--with-system-nss", help="Use system NSS")
imply_option("--with-system-nspr", True, when="--with-system-nss")
nss_pkg = pkg_check_modules(
"NSS", "nss >= 3.81", when="--with-system-nss", config=False
"NSS", "nss >= 3.82", when="--with-system-nss", config=False
)
set_config("MOZ_SYSTEM_NSS", True, when="--with-system-nss")

2
security/nss/TAG-INFO
Просмотреть файл

@ -1 +1 @@
NSS_3_81_RTM
NSS_3_82_RTM

6
security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
Просмотреть файл

@ -0,0 +1,6 @@
2 Added functions:
'function const SECItem* PK11URI_GetPathAttributeItem(PK11URI*, const char*)' {PK11URI_GetPathAttributeItem@@NSSUTIL_3.82}
'function const SECItem* PK11URI_GetQueryAttributeItem(PK11URI*, const char*)' {PK11URI_GetQueryAttributeItem@@NSSUTIL_3.82}

2
security/nss/automation/abi-check/previous-nss-release
Просмотреть файл

@ -1 +1 @@
NSS_3_80_BRANCH
NSS_3_81_BRANCH

1
security/nss/coreconf/coreconf.dep
Просмотреть файл

@ -10,3 +10,4 @@
*/
#error "Do not include this header file."

18
security/nss/doc/rst/releases/index.rst
Просмотреть файл

@ -8,6 +8,7 @@ Releases
:glob:
:hidden:
nss_3_82.rst
nss_3_81.rst
nss_3_80.rst
nss_3_79.rst
@ -38,8 +39,8 @@ Releases
.. note::
**NSS 3.81** is the latest version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_81_release_notes`
**NSS 3.82** is the latest version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_82_release_notes`
**NSS 3.79** is the latest ESR version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_79_release_notes`
@ -47,11 +48,10 @@ Releases
.. container::
Changes in 3.81 included in this release:
- Bug 1762831: Enable aarch64 hardware crypto support on OpenBSD.
- Bug 1775359 - make NSS_SecureMemcmp 0/1 valued.
- Bug 1779285: Add no_application_protocol alert handler and test client error code is set.
- Bug 1777672 - Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.
Changes in 3.82 included in this release:
- Bug 1330271 - check for null template in sec_asn1{d,e}_push_state
- Bug 1735925 - QuickDER: Forbid NULL tags with non-zero length
- Bug 1784724 - Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
- Bug 1784191 - Cast the result of GetProcAddress
- Bug 1681099 - pk11wrap: Tighten certificate lookup based on PKCS #11 URI

61
security/nss/doc/rst/releases/nss_3_82.rst Normal file
Просмотреть файл

@ -0,0 +1,61 @@
.. _mozilla_projects_nss_nss_3_82_release_notes:
NSS 3.82 release notes
======================
`Introduction <#introduction>`__
--------------------------------
.. container::
Network Security Services (NSS) 3.82 was released on **18 August 2022**.
.. _distribution_information:
`Distribution Information <#distribution_information>`__
--------------------------------------------------------
.. container::
The HG tag is NSS_3_82_RTM. NSS 3.82 requires NSPR 4.34 or newer.
NSS 3.82 source distributions are available on ftp.mozilla.org for secure HTTPS download:
- Source tarballs:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_82_RTM/src/
Other releases are available :ref:`mozilla_projects_nss_releases`.
.. _changes_in_nss_3.82:
`Changes in NSS 3.82 <#changes_in_nss_3.82>`__
----------------------------------------------------
.. container::
- Bug 1330271 - check for null template in sec_asn1{d,e}_push_state
- Bug 1735925 - QuickDER: Forbid NULL tags with non-zero length
- Bug 1784724 - Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
- Bug 1784191 - Cast the result of GetProcAddress
- Bug 1681099 - pk11wrap: Tighten certificate lookup based on PKCS #11 URI
`Compatibility <#compatibility>`__
----------------------------------
.. container::
NSS 3.82 shared libraries are backwards-compatible with all older NSS 3.x shared
libraries. A program linked with older NSS 3.x shared libraries will work with
this new version of the shared libraries without recompiling or
relinking. Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with future
versions of the NSS shared libraries.
`Feedback <#feedback>`__
------------------------
.. container::
Bugs discovered should be reported by filing a bug report on
`bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).

35
security/nss/gtests/pk11_gtest/pk11_module_unittest.cc
Просмотреть файл

@ -45,7 +45,7 @@ TEST_F(Pkcs11ModuleTest, ListSlots) {
PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, nullptr));
ASSERT_NE(nullptr, slots);
PK11SlotListElement* element = PK11_GetFirstSafe(slots.get());
PK11SlotListElement *element = PK11_GetFirstSafe(slots.get());
ASSERT_NE(nullptr, element);
// These tokens are always present.
@ -81,6 +81,39 @@ TEST_F(Pkcs11ModuleTest, PublicCertificatesToken) {
EXPECT_TRUE(PK11_IsFriendly(slot2.get()));
}
TEST_F(Pkcs11ModuleTest, PublicCertificatesTokenLookup) {
const std::string kCertUrl =
"pkcs11:id=%10%11%12%13%14%15%16%17%18%19%1a%1b%1c%1d%1e%1f";
ScopedCERTCertList certsByUrl(
PK11_FindCertsFromURI(kCertUrl.c_str(), nullptr));
EXPECT_NE(nullptr, certsByUrl.get());
size_t count = 0;
CERTCertificate *certByUrl = nullptr;
for (CERTCertListNode *node = CERT_LIST_HEAD(certsByUrl);
!CERT_LIST_END(node, certsByUrl); node = CERT_LIST_NEXT(node)) {
if (count == 0) {
certByUrl = node->cert;
}
count++;
}
EXPECT_EQ(1UL, count);
EXPECT_NE(nullptr, certByUrl);
EXPECT_EQ(
0, strcmp(certByUrl->nickname, "Test PKCS11 Public Certs Token:cert2"));
}
TEST_F(Pkcs11ModuleTest, PublicCertificatesTokenLookupNoMatch) {
const std::string kCertUrl =
"pkcs11:id=%00%01%02%03%04%05%06%07%08%09%0a%0b%0c%0d%0e%0e";
ScopedCERTCertList certsByUrl(
PK11_FindCertsFromURI(kCertUrl.c_str(), nullptr));
EXPECT_EQ(nullptr, certsByUrl.get());
}
#if defined(_WIN32)
#include <windows.h>

221
security/nss/gtests/pkcs11testmodule/pkcs11testmodule.cpp
Просмотреть файл

@ -76,13 +76,79 @@ CK_RV Test_C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR) { return CKR_OK; }
static int tokenPresent = 0;
// The token in slot 4 has 2 objects. Both of them are profile object
// and identified by object ID 1 or 2.
// The token in slot 4 has 4 objects:
// 1. CKO_PROFILE with CKP_PUBLIC_CERTIFICATES_TOKEN
// 2. CKO_PROFILE with CKP_BASELINE_PROVIDER
// 3. CKO_CERTIFICATE with CKA_ID "\x00..\x0f"
// 4. CKO_CERTIFICATE with CKA_ID "\x10..\x1f"
static bool readingProfile = false;
static const CK_PROFILE_ID profiles[] = {CKP_PUBLIC_CERTIFICATES_TOKEN,
CKP_BASELINE_PROVIDER};
static int profileIndex = 0;
static bool readingCert = false;
static const unsigned char certId1[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};
static const char *certLabel1 = "cert1";
static const unsigned char certId2[] = {
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};
static const char *certLabel2 = "cert2";
static const unsigned char certValue[] = {
0x30, 0x82, 0x01, 0x54, 0x30, 0x81, 0xfc, 0xa0, 0x03, 0x02, 0x01, 0x02,
0x02, 0x02, 0x0e, 0x42, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,
0x3d, 0x04, 0x03, 0x02, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
0x55, 0x04, 0x03, 0x13, 0x0a, 0x45, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65,
0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x30, 0x31, 0x32, 0x31,
0x39, 0x30, 0x39, 0x30, 0x32, 0x34, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x31,
0x30, 0x33, 0x31, 0x39, 0x30, 0x39, 0x30, 0x32, 0x34, 0x39, 0x5a, 0x30,
0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0a,
0x45, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x41, 0x30, 0x59,
0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06,
0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00,
0x04, 0x24, 0xd1, 0x96, 0xcc, 0x72, 0x36, 0xbb, 0xd6, 0x04, 0x36, 0x14,
0x59, 0x9a, 0x27, 0x24, 0x6b, 0x03, 0x7c, 0x02, 0x69, 0x68, 0x50, 0x70,
0x52, 0xe5, 0x5f, 0xe1, 0xf1, 0xd4, 0x0a, 0x00, 0x18, 0x76, 0x14, 0xa3,
0xed, 0x7d, 0xc5, 0x0a, 0xfe, 0xe4, 0x6f, 0x09, 0xf8, 0xcd, 0xe8, 0x5a,
0x39, 0x81, 0xf4, 0xcc, 0x25, 0xbe, 0x26, 0x76, 0xe1, 0x23, 0x52, 0x09,
0x6f, 0xbd, 0xf1, 0x75, 0xbe, 0xa3, 0x3c, 0x30, 0x3a, 0x30, 0x14, 0x06,
0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x01, 0x01, 0x01,
0xff, 0x04, 0x04, 0x03, 0x02, 0x02, 0x04, 0x30, 0x12, 0x06, 0x03, 0x55,
0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xff,
0x02, 0x01, 0x00, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01,
0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x0a, 0x06, 0x08, 0x2a,
0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, 0x44,
0x02, 0x20, 0x76, 0x56, 0x09, 0xe9, 0x79, 0xc2, 0x62, 0x28, 0xfc, 0x48,
0xf8, 0xac, 0x73, 0xbb, 0xe1, 0xe5, 0x79, 0x93, 0x78, 0x05, 0x4b, 0x45,
0x08, 0xcf, 0x10, 0x9f, 0x0d, 0xb9, 0x50, 0x7d, 0x70, 0x24, 0x02, 0x20,
0x27, 0x52, 0xe7, 0x9e, 0x42, 0xe3, 0xb2, 0x4d, 0xbb, 0x7d, 0xa3, 0x81,
0x5f, 0x7f, 0x0f, 0x3a, 0x55, 0x34, 0xfa, 0x86, 0x35, 0xcb, 0x68, 0x4f,
0xad, 0x67, 0x67, 0x05, 0x36, 0xcb, 0x11, 0x4d
};
static const unsigned char certSerial[] = {
0x02, 0x02, 0x0e, 0x42
};
static const unsigned char certIssuer[] = {
0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
0x0a, 0x45, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x41
};
static const struct cert {
const unsigned char *id;
size_t idLen;
const char *label;
} certs[] = {
{ certId1, sizeof(certId1), certLabel1 },
{ certId2, sizeof(certId2), certLabel2 }
};
static int certIndex = 0;
static CK_OBJECT_HANDLE certHandle = CK_INVALID_HANDLE;
static bool certIdGiven = false;
CK_RV Test_C_GetSlotList(CK_BBOOL limitToTokensPresent,
CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) {
if (!pulCount) {
@ -316,22 +382,78 @@ CK_RV Test_C_GetAttributeValue(CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hObject,
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) {
if (hSession == 4) {
assert(hObject >= 1 &&
hObject - 1 < sizeof(profiles) / sizeof(profiles[0]));
for (CK_ULONG count = 0; count < ulCount; count++) {
if (pTemplate[count].type == CKA_PROFILE_ID) {
if (pTemplate[count].pValue) {
assert(pTemplate[count].ulValueLen == sizeof(CK_ULONG));
CK_ULONG value = profiles[hObject - 1];
memcpy(pTemplate[count].pValue, &value, sizeof(value));
switch (hObject) {
case 1:
case 2:
for (CK_ULONG count = 0; count < ulCount; count++) {
if (pTemplate[count].type == CKA_PROFILE_ID) {
if (pTemplate[count].pValue) {
assert(pTemplate[count].ulValueLen == sizeof(CK_ULONG));
CK_ULONG value = profiles[hObject - 1];
memcpy(pTemplate[count].pValue, &value, sizeof(value));
} else {
pTemplate[count].ulValueLen = sizeof(CK_ULONG);
}
} else {
pTemplate[count].ulValueLen = sizeof(CK_ULONG);
pTemplate[count].ulValueLen = (CK_ULONG)-1;
}
} else {
pTemplate[count].ulValueLen = (CK_ULONG)-1;
}
return CKR_OK;
case 3:
case 4:
for (CK_ULONG count = 0; count < ulCount; count++) {
switch (pTemplate[count].type) {
case CKA_TOKEN:
if (pTemplate[count].pValue) {
assert(pTemplate[count].ulValueLen == sizeof(CK_BBOOL));
CK_BBOOL value = true;
memcpy(pTemplate[count].pValue, &value, sizeof(value));
} else {
pTemplate[count].ulValueLen = sizeof(CK_BBOOL);
}
break;
case CKA_LABEL: {
const char *label = certs[hObject - 3].label;
size_t labelLen = strlen(label);
if (pTemplate[count].pValue) {
if (pTemplate[count].ulValueLen >= labelLen) {
memcpy(pTemplate[count].pValue, label, labelLen);
} else {
pTemplate[count].ulValueLen = CK_UNAVAILABLE_INFORMATION;
}
} else {
pTemplate[count].ulValueLen = labelLen;
}
break;
}
#define BYTEARRAY_CASE(label, array) \
case label: \
if (pTemplate[count].pValue) { \
if (pTemplate[count].ulValueLen >= sizeof(array)) { \
memcpy(pTemplate[count].pValue, array, sizeof(array)); \
} else { \
pTemplate[count].ulValueLen = CK_UNAVAILABLE_INFORMATION; \
} \
} else { \
pTemplate[count].ulValueLen = sizeof(array); \
} \
break;
BYTEARRAY_CASE(CKA_VALUE, certValue)
BYTEARRAY_CASE(CKA_SERIAL_NUMBER, certSerial)
BYTEARRAY_CASE(CKA_ISSUER, certIssuer)
default:
pTemplate[count].ulValueLen = CK_UNAVAILABLE_INFORMATION;
break;
}
}
return CKR_OK;
default:
break;
}
return CKR_OK;
}
return CKR_FUNCTION_NOT_SUPPORTED;
}
@ -345,19 +467,47 @@ CK_RV Test_C_FindObjectsInit(CK_SESSION_HANDLE hSession,
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) {
// Slot 4
if (hSession == 4) {
CK_OBJECT_CLASS objectClass = CKO_DATA;
CK_BYTE *id = NULL;
CK_ULONG idLen = 0;
for (CK_ULONG count = 0; count < ulCount; count++) {
CK_ATTRIBUTE attribute = pTemplate[count];
if (attribute.type == CKA_CLASS) {
assert(attribute.ulValueLen == sizeof(CK_ULONG));
switch (attribute.type) {
case CKA_CLASS:
assert(attribute.ulValueLen == sizeof(CK_OBJECT_CLASS));
CK_ULONG value;
memcpy(&value, attribute.pValue, attribute.ulValueLen);
if (value == CKO_PROFILE) {
readingProfile = true;
profileIndex = 0;
break;
memcpy(&objectClass, attribute.pValue, attribute.ulValueLen);
break;
case CKA_ID:
id = (CK_BYTE *)attribute.pValue;
idLen = attribute.ulValueLen;
break;
default:
break;
}
}
switch (objectClass) {
case CKO_PROFILE:
readingProfile = true;
profileIndex = 0;
break;
case CKO_CERTIFICATE:
readingCert = true;
certIndex = 0;
if (id) {
certIdGiven = true;
for (size_t count = 0; count < sizeof(certs) / sizeof(certs[0]); count++) {
if (certs[count].idLen == idLen &&
memcmp(certs[count].id, id, idLen) == 0) {
certHandle = count + 3;
break;
}
}
}
break;
default:
break;
}
}
return CKR_OK;
@ -379,6 +529,30 @@ CK_RV Test_C_FindObjects(CK_SESSION_HANDLE hSession,
}
profileIndex += count;
*pulObjectCount = count;
} else if (readingCert) {
assert(hSession == 4);
if (!certIdGiven) {
CK_ULONG count = ulMaxObjectCount;
size_t remaining = sizeof(certs) / sizeof(certs[0]) - certIndex;
if (count > remaining) {
count = remaining;
}
for (CK_ULONG i = 0; i < count; i++) {
phObject[i] = i + 3;
}
*pulObjectCount = count;
certIndex += count;
} else if (certHandle != CK_INVALID_HANDLE) {
if (certIndex == 0 && ulMaxObjectCount > 0) {
phObject[0] = certHandle;
*pulObjectCount = 1;
certIndex = 1;
} else {
*pulObjectCount = 0;
}
} else {
*pulObjectCount = 0;
}
} else {
*pulObjectCount = 0;
}
@ -387,6 +561,9 @@ CK_RV Test_C_FindObjects(CK_SESSION_HANDLE hSession,
CK_RV Test_C_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
readingProfile = false;
readingCert = false;
certHandle = CK_INVALID_HANDLE;
certIdGiven = false;
return CKR_OK;
}

6
security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
Просмотреть файл

@ -152,17 +152,17 @@ class TlsCipherSuiteTestBase : public TlsConnectTestBase {
SendReceive();
// Check that we used the right cipher suite, auth type and kea type.
uint16_t actual;
uint16_t actual = TLS_NULL_WITH_NULL_NULL;
EXPECT_TRUE(client_->cipher_suite(&actual));
EXPECT_EQ(cipher_suite_, actual);
EXPECT_TRUE(server_->cipher_suite(&actual));
EXPECT_EQ(cipher_suite_, actual);
SSLAuthType auth;
SSLAuthType auth = ssl_auth_size;
EXPECT_TRUE(client_->auth_type(&auth));
EXPECT_EQ(auth_type_, auth);
EXPECT_TRUE(server_->auth_type(&auth));
EXPECT_EQ(auth_type_, auth);
SSLKEAType kea;
SSLKEAType kea = ssl_kea_size;
EXPECT_TRUE(client_->kea_type(&kea));
EXPECT_EQ(kea_type_, kea);
EXPECT_TRUE(server_->kea_type(&kea));

2
security/nss/lib/base/error.c
Просмотреть файл

@ -86,7 +86,7 @@ error_once_function(void)
#if defined(__MINGW32__)
HMODULE nss3 = GetModuleHandleW(L"nss3");
if (nss3) {
FARPROC freePtr = GetProcAddress(nss3, "PR_Free");
PRThreadPrivateDTOR freePtr = (PRThreadPrivateDTOR)GetProcAddress(nss3, "PR_Free");
if (freePtr) {
return PR_NewThreadPrivateIndex(&error_stack_index, freePtr);
}

4
security/nss/lib/nss/nss.h
Просмотреть файл

@ -22,9 +22,9 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.81" _NSS_CUSTOMIZED
#define NSS_VERSION "3.82" _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 81
#define NSS_VMINOR 82
#define NSS_VPATCH 0
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE

39
security/nss/lib/pk11wrap/pk11cert.c
Просмотреть файл

@ -616,9 +616,8 @@ transfer_uri_certs_to_collection(nssList *certList, PK11URI *uri,
PRUint32 i, count;
NSSToken **tokens, **tp;
PK11SlotInfo *slot;
const char *id;
const SECItem *id;
id = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_ID);
count = nssList_Count(certList);
if (count == 0) {
return;
@ -627,13 +626,14 @@ transfer_uri_certs_to_collection(nssList *certList, PK11URI *uri,
if (!certs) {
return;
}
id = PK11URI_GetPathAttributeItem(uri, PK11URI_PATTR_ID);
nssList_GetArray(certList, (void **)certs, count);
for (i = 0; i < count; i++) {
/*
* Filter the subject matched certs based on the
* CKA_ID from the URI
*/
if (id && (strlen(id) != certs[i]->id.size ||
* Filter the subject matched certs based on the
* CKA_ID from the URI
*/
if (id && (id->len != certs[i]->id.size ||
memcmp(id, certs[i]->id.data, certs[i]->id.size)))
continue;
tokens = nssPKIObject_GetTokens(&certs[i]->object, NULL);
@ -666,6 +666,14 @@ transfer_uri_certs_to_collection(nssList *certList, PK11URI *uri,
continue;
}
value = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_SERIAL);
if (value &&
!pk11_MatchString(value,
(char *)slot->tokenInfo.serialNumber,
sizeof(slot->tokenInfo.serialNumber))) {
continue;
}
nssPKIObjectCollection_AddObject(collection,
(nssPKIObject *)certs[i]);
break;
@ -683,7 +691,8 @@ find_certs_from_uri(const char *uriString, void *wincx)
PK11URI *uri = NULL;
CK_ATTRIBUTE attributes[10];
CK_ULONG nattributes = 0;
const char *label;
const SECItem *id;
const char *label, *type;
PK11SlotInfo *slotinfo;
nssCryptokiObject **instances;
PRStatus status;
@ -710,10 +719,16 @@ find_certs_from_uri(const char *uriString, void *wincx)
goto loser;
}
/* if the "type" attribute is specified its value must be "cert" */
type = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_TYPE);
if (type && strcmp(type, "cert")) {
goto loser;
}
label = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_OBJECT);
if (label) {
(void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD,
(const char *)label,
label,
certList);
} else {
(void)nssTrustDomain_GetCertsFromCache(defaultTD, certList);
@ -739,6 +754,14 @@ find_certs_from_uri(const char *uriString, void *wincx)
nattributes++;
}
id = PK11URI_GetPathAttributeItem(uri, PK11URI_PATTR_ID);
if (id) {
attributes[nattributes].type = CKA_ID;
attributes[nattributes].pValue = (void *)id->data;
attributes[nattributes].ulValueLen = id->len;
nattributes++;
}
tokens = NSSTrustDomain_FindTokensByURI(defaultTD, uri);
for (tok = tokens; tok && *tok; tok++) {
if (nssToken_IsPresent(*tok)) {

4
security/nss/lib/softoken/softkver.h
Просмотреть файл

@ -17,9 +17,9 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define SOFTOKEN_VERSION "3.81" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VERSION "3.82" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 81
#define SOFTOKEN_VMINOR 82
#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE

7
security/nss/lib/util/nssutil.def
Просмотреть файл

@ -341,3 +341,10 @@ NSS_LockPolicy;
;+ local:
;+ *;
;+};
;+NSSUTIL_3.82 { # NSS Utilities 3.82 release
;+ global:
PK11URI_GetPathAttributeItem;
PK11URI_GetQueryAttributeItem;
;+ local:
;+ *;
;+};

4
security/nss/lib/util/nssutil.h
Просмотреть файл

@ -19,9 +19,9 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.81"
#define NSSUTIL_VERSION "3.82"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 81
#define NSSUTIL_VMINOR 82
#define NSSUTIL_VPATCH 0
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE

88
security/nss/lib/util/pkcs11uri.c
Просмотреть файл

@ -47,7 +47,7 @@ static const char *qattr_names[] = {
struct PK11URIBufferStr {
PLArenaPool *arena;
char *data;
unsigned char *data;
size_t size;
size_t allocated;
};
@ -55,7 +55,7 @@ typedef struct PK11URIBufferStr PK11URIBuffer;
struct PK11URIAttributeListEntryStr {
char *name;
char *value;
SECItem value;
};
typedef struct PK11URIAttributeListEntryStr PK11URIAttributeListEntry;
@ -133,11 +133,11 @@ pk11uri_DestroyBuffer(PK11URIBuffer *buffer)
/* URI encoding functions. */
static char *
pk11uri_Escape(PLArenaPool *arena, const char *value, size_t length,
pk11uri_Escape(PLArenaPool *arena, const unsigned char *value, size_t length,
const char *available)
{
PK11URIBuffer buffer;
const char *p;
const unsigned char *p;
unsigned char buf[4];
char *result = NULL;
SECStatus ret;
@ -154,7 +154,7 @@ pk11uri_Escape(PLArenaPool *arena, const char *value, size_t length,
goto fail;
}
} else {
ret = pk11uri_AppendBuffer(&buffer, (const unsigned char *)p, 1);
ret = pk11uri_AppendBuffer(&buffer, p, 1);
if (ret != SECSuccess) {
goto fail;
}
@ -167,7 +167,7 @@ pk11uri_Escape(PLArenaPool *arena, const char *value, size_t length,
}
/* Steal the memory allocated in buffer. */
result = buffer.data;
result = (char *)buffer.data;
buffer.data = NULL;
fail:
@ -176,18 +176,18 @@ fail:
return result;
}
static char *
pk11uri_Unescape(PLArenaPool *arena, const char *value, size_t length)
static unsigned char *
pk11uri_Unescape(PLArenaPool *arena, const char *value, size_t *length)
{
PK11URIBuffer buffer;
const char *p;
unsigned char buf[1];
char *result = NULL;
unsigned char *result = NULL;
SECStatus ret;
pk11uri_InitBuffer(&buffer, arena);
for (p = value; p < value + length; p++) {
for (p = value; p < value + *length; p++) {
if (*p == '%') {
int c;
size_t i;
@ -218,6 +218,7 @@ pk11uri_Unescape(PLArenaPool *arena, const char *value, size_t length)
goto fail;
}
}
*length = buffer.size;
buf[0] = '\0';
ret = pk11uri_AppendBuffer(&buffer, buf, 1);
if (ret != SECSuccess) {
@ -277,7 +278,7 @@ pk11uri_CompareQueryAttributeName(const char *a, const char *b)
static SECStatus
pk11uri_InsertToAttributeList(PK11URIAttributeList *attrs,
char *name, char *value,
char *name, unsigned char *value, size_t size,
PK11URIAttributeCompareNameFunc compare_name,
PRBool allow_duplicate)
{
@ -309,7 +310,9 @@ pk11uri_InsertToAttributeList(PK11URIAttributeList *attrs,
}
attrs->attrs[i].name = name;
attrs->attrs[i].value = value;
attrs->attrs[i].value.type = siBuffer;
attrs->attrs[i].value.data = value;
attrs->attrs[i].value.len = size;
attrs->num_attrs++;
@ -323,7 +326,8 @@ pk11uri_InsertToAttributeListEscaped(PK11URIAttributeList *attrs,
PK11URIAttributeCompareNameFunc compare_name,
PRBool allow_duplicate)
{
char *name_copy = NULL, *value_copy = NULL;
char *name_copy = NULL;
unsigned char *value_copy = NULL;
SECStatus ret;
if (attrs->arena) {
@ -337,13 +341,13 @@ pk11uri_InsertToAttributeListEscaped(PK11URIAttributeList *attrs,
memcpy(name_copy, name, name_size);
name_copy[name_size] = '\0';
value_copy = pk11uri_Unescape(attrs->arena, value, value_size);
value_copy = pk11uri_Unescape(attrs->arena, value, &value_size);
if (value_copy == NULL) {
goto fail;
}
ret = pk11uri_InsertToAttributeList(attrs, name_copy, value_copy, compare_name,
allow_duplicate);
ret = pk11uri_InsertToAttributeList(attrs, name_copy, value_copy, value_size,
compare_name, allow_duplicate);
if (ret != SECSuccess) {
goto fail;
}
@ -374,7 +378,7 @@ pk11uri_DestroyAttributeList(PK11URIAttributeList *attrs)
for (i = 0; i < attrs->num_attrs; i++) {
PORT_Free(attrs->attrs[i].name);
PORT_Free(attrs->attrs[i].value);
PORT_Free(attrs->attrs[i].value.data);
}
PORT_Free(attrs->attrs);
}
@ -414,7 +418,7 @@ pk11uri_AppendAttributeListToBuffer(PK11URIBuffer *buffer,
return ret;
}
escaped = pk11uri_Escape(buffer->arena, attr->value, strlen(attr->value),
escaped = pk11uri_Escape(buffer->arena, attr->value.data, attr->value.len,
unescaped);
if (escaped == NULL) {
return ret;
@ -510,7 +514,9 @@ pk11uri_InsertAttributes(PK11URIAttributeList *dest_attrs,
if (j < num_attr_names) {
/* Named attribute. */
ret = pk11uri_InsertToAttributeList(dest_attrs,
name, value,
name,
(unsigned char *)value,
strlen(value),
compare_name,
allow_duplicate);
if (ret != SECSuccess) {
@ -519,7 +525,9 @@ pk11uri_InsertAttributes(PK11URIAttributeList *dest_attrs,
} else {
/* Vendor attribute. */
ret = pk11uri_InsertToAttributeList(dest_vattrs,
name, value,
name,
(unsigned char *)value,
strlen(value),
strcmp,
vendor_allow_duplicate);
if (ret != SECSuccess) {
@ -777,7 +785,7 @@ PK11URI_FormatURI(PLArenaPool *arena, PK11URI *uri)
goto fail;
}
result = buffer.data;
result = (char *)buffer.data;
buffer.data = NULL;
fail:
@ -798,7 +806,7 @@ PK11URI_DestroyURI(PK11URI *uri)
}
/* Accessors. */
static const char *
static const SECItem *
pk11uri_GetAttribute(PK11URIAttributeList *attrs,
PK11URIAttributeList *vattrs,
const char *name)
@ -807,27 +815,53 @@ pk11uri_GetAttribute(PK11URIAttributeList *attrs,
for (i = 0; i < attrs->num_attrs; i++) {
if (strcmp(name, attrs->attrs[i].name) == 0) {
return attrs->attrs[i].value;
return &attrs->attrs[i].value;
}
}
for (i = 0; i < vattrs->num_attrs; i++) {
if (strcmp(name, vattrs->attrs[i].name) == 0) {
return vattrs->attrs[i].value;
return &vattrs->attrs[i].value;
}
}
return NULL;
}
const char *
PK11URI_GetPathAttribute(PK11URI *uri, const char *name)
const SECItem *
PK11URI_GetPathAttributeItem(PK11URI *uri, const char *name)
{
return pk11uri_GetAttribute(&uri->pattrs, &uri->vpattrs, name);
}
const char *
PK11URI_GetQueryAttribute(PK11URI *uri, const char *name)
PK11URI_GetPathAttribute(PK11URI *uri, const char *name)
{
const SECItem *value;
value = PK11URI_GetPathAttributeItem(uri, name);
if (!value) {
return NULL;
}
return (const char *)value->data;
}
const SECItem *
PK11URI_GetQueryAttributeItem(PK11URI *uri, const char *name)
{
return pk11uri_GetAttribute(&uri->qattrs, &uri->vqattrs, name);
}
const char *
PK11URI_GetQueryAttribute(PK11URI *uri, const char *name)
{
const SECItem *value;
value = PK11URI_GetQueryAttributeItem(uri, name);
if (!value) {
return NULL;
}
return (const char *)value->data;
}

17
security/nss/lib/util/pkcs11uri.h
Просмотреть файл

@ -56,12 +56,25 @@ extern char *PK11URI_FormatURI(PLArenaPool *arena, PK11URI *uri);
/* Destroy a PK11URI object. */
extern void PK11URI_DestroyURI(PK11URI *uri);
/* Retrieve a path attribute with the given name. */
/* Retrieve a path attribute with the given name. This function can be used only
* when we can assume that the attribute value is a string (such as "label" or
* "type"). If it can be a binary blob (such as "id"), use
* PK11URI_GetPathAttributeItem.
*/
extern const char *PK11URI_GetPathAttribute(PK11URI *uri, const char *name);
/* Retrieve a query attribute with the given name. */
/* Retrieve a query attribute with the given name. This function can be used
* only when we can assume that the attribute value is a string (such as
* "module-name"). If it can be a binary blob, use
* PK11URI_GetQueryAttributeItem.*/
extern const char *PK11URI_GetQueryAttribute(PK11URI *uri, const char *name);
/* Retrieve a path attribute with the given name as a SECItem. */
extern const SECItem *PK11URI_GetPathAttributeItem(PK11URI *uri, const char *name);
/* Retrieve a query attribute with the given name as a SECItem. */
extern const SECItem *PK11URI_GetQueryAttributeItem(PK11URI *uri, const char *name);
SEC_END_PROTOS
#endif /* _PKCS11URI_H_ */

5
security/nss/lib/util/quickder.c
Просмотреть файл

@ -92,6 +92,11 @@ definite_length_decoder(const unsigned char* buf,
}
}
if ((tag & SEC_ASN1_TAGNUM_MASK) == SEC_ASN1_NULL && data_length != 0) {
/* The DER encoding of NULL has no contents octets */
return NULL;
}
if (data_length > (buf_length - used_length)) {
/* The decoded length exceeds the available buffer */
return NULL;

5
security/nss/lib/util/secasn1d.c
Просмотреть файл

@ -365,6 +365,11 @@ sec_asn1d_push_state(SEC_ASN1DecoderContext *cx,
state->our_mark = PORT_ArenaMark(cx->our_pool);
}
if (theTemplate == NULL) {
PORT_SetError(SEC_ERROR_BAD_TEMPLATE);
goto loser;
}
new_state = (sec_asn1d_state *)sec_asn1d_zalloc(cx->our_pool,
sizeof(*new_state));
if (new_state == NULL) {

6
security/nss/lib/util/secasn1e.c
Просмотреть файл

@ -94,8 +94,12 @@ sec_asn1e_push_state(SEC_ASN1EncoderContext *cx,
{
sec_asn1e_state *state, *new_state;
state = cx->current;
if (theTemplate == NULL) {
cx->status = encodeError;
return NULL;
}
state = cx->current;
new_state = (sec_asn1e_state *)PORT_ArenaZAlloc(cx->our_pool,
sizeof(*new_state));
if (new_state == NULL) {