From d20cedab704cce4c219c22dbabcd55036afb48a1 Mon Sep 17 00:00:00 2001 
From: Wan-Teh Chang Date: Tue, 10 Feb 2009 09:18:32 -0800 Subject: [PATCH] Bug 466745: Upgraded NSS to NSS_3_12_3_BETA3. --- security/coreconf/WIN32.mk | 29 + security/coreconf/coreconf.dep | 1 + security/nss/cmd/bltest/blapitest.c | 5 + security/nss/cmd/crlutil/crlgen_lex.c | 8 +- security/nss/cmd/crlutil/crlgen_lex_fix.sed | 4 +- security/nss/cmd/crlutil/crlutil.c | 13 +- security/nss/cmd/pk11mode/pk11mode.c | 12 + security/nss/cmd/vfychain/vfychain.c | 12 +- security/nss/lib/certdb/alg1485.c | 51 +- security/nss/lib/certdb/certdb.c | 8 +- security/nss/lib/certdb/crl.c | 10 +- security/nss/lib/certhigh/certvfypkix.c | 9 +- security/nss/lib/ckfw/crypto.c | 22 +- security/nss/lib/ckfw/find.c | 32 +- security/nss/lib/ckfw/hash.c | 14 +- security/nss/lib/ckfw/instance.c | 72 +- security/nss/lib/ckfw/mechanism.c | 120 +- security/nss/lib/ckfw/mutex.c | 4 +- security/nss/lib/ckfw/object.c | 72 +- security/nss/lib/ckfw/session.c | 194 +-- security/nss/lib/ckfw/sessobj.c | 40 +- security/nss/lib/ckfw/slot.c | 48 +- security/nss/lib/ckfw/token.c | 120 +- security/nss/lib/ckfw/wrap.c | 390 +++--- security/nss/lib/dev/ckhelper.c | 6 +- security/nss/lib/freebl/blapi.h | 6 +- security/nss/lib/freebl/blapii.h | 60 + security/nss/lib/freebl/config.mk | 5 +- security/nss/lib/freebl/ldvector.c | 8 +- security/nss/lib/freebl/loader.c | 16 +- security/nss/lib/freebl/loader.h | 6 +- security/nss/lib/freebl/prng_fips1861.c | 5 +- security/nss/lib/freebl/rsa.c | 36 +- security/nss/lib/freebl/win_rand.c | 313 ++--- .../nss/lib/libpkix/include/pkix_certstore.h | 1 + .../lib/libpkix/include/pkix_errorstrings.h | 4 + .../nss/lib/libpkix/include/pkix_pl_pki.h | 8 + .../nss/lib/libpkix/include/pkix_revchecker.h | 1 - .../libpkix/pkix/checker/pkix_crlchecker.c | 16 +- .../libpkix/pkix/checker/pkix_crlchecker.h | 1 + .../libpkix/pkix/checker/pkix_ocspchecker.c | 12 +- .../libpkix/pkix/checker/pkix_ocspchecker.h | 1 + .../pkix/checker/pkix_revocationchecker.c | 41 +- 
.../pkix/checker/pkix_revocationchecker.h | 1 - .../pkix/checker/pkix_revocationmethod.h | 1 + .../lib/libpkix/pkix/params/pkix_procparams.c | 5 +- .../libpkix/pkix/params/pkix_trustanchor.c | 4 + .../libpkix/pkix/results/pkix_verifynode.c | 2 +- .../nss/lib/libpkix/pkix/top/pkix_build.c | 1050 ++++------------- .../nss/lib/libpkix/pkix/top/pkix_build.h | 3 - .../nss/lib/libpkix/pkix/top/pkix_validate.c | 24 +- .../nss/lib/libpkix/pkix/util/pkix_list.c | 5 +- .../module/pkix_pl_pk11certstore.c | 38 +- .../libpkix/pkix_pl_nss/pki/pkix_pl_cert.c | 20 + .../libpkix/pkix_pl_nss/pki/pkix_pl_cert.h | 1 + security/nss/lib/pki/certificate.c | 5 +- security/nss/lib/softoken/fipsaudt.c | 26 +- security/nss/lib/softoken/fipstokn.c | 81 +- security/nss/lib/softoken/legacydb/keydb.c | 8 +- security/nss/lib/softoken/legacydb/lgdb.h | 18 + security/nss/lib/softoken/legacydb/lginit.c | 23 +- security/nss/lib/softoken/legacydb/pcertdb.c | 22 +- security/nss/lib/softoken/lgglue.c | 6 +- security/nss/lib/softoken/lgglue.h | 4 +- security/nss/lib/softoken/pkcs11.c | 128 +- security/nss/lib/softoken/pkcs11c.c | 2 +- security/nss/lib/softoken/pkcs11i.h | 1 + security/nss/lib/softoken/pkcs11u.c | 11 +- security/nss/lib/softoken/sdb.c | 9 + security/nss/lib/softoken/sdb.h | 1 + security/nss/lib/softoken/sftkdb.c | 59 +- security/nss/lib/softoken/sftkpwd.c | 6 +- security/nss/lib/softoken/softoken.h | 32 +- security/nss/lib/softoken/softoknt.h | 23 +- security/nss/lib/util/nssutil.def | 1 + security/nss/lib/util/secoid.c | 18 +- security/nss/lib/util/secoid.h | 4 +- security/nss/tests/chains/chains.sh | 146 ++- .../nss/tests/chains/scenarios/realcerts.cfg | 4 + security/nss/tests/chains/scenarios/revoc.cfg | 82 ++ security/nss/tests/chains/scenarios/scenarios | 1 + .../tests/libpkix/certs/BrAirWaysBadSig.cert | Bin 0 -> 1647 bytes .../nss/tests/libpkix/certs/PayPalEE.cert | Bin 1514 -> 1488 bytes 83 files changed, 1807 insertions(+), 1904 deletions(-) create mode 100644 
security/nss/lib/freebl/blapii.h create mode 100644 security/nss/tests/chains/scenarios/revoc.cfg create mode 100644 security/nss/tests/libpkix/certs/BrAirWaysBadSig.cert diff --git a/security/coreconf/WIN32.mk b/security/coreconf/WIN32.mk index ed92acb8ec0..0a6da095f28 100644 --- a/security/coreconf/WIN32.mk +++ b/security/coreconf/WIN32.mk @@ -165,6 +165,10 @@ endif # Purify requires /FIXED:NO when linking EXEs. LDFLAGS += /FIXED:NO endif + # Convert certain deadly warnings to errors (see list at end of file) + OS_CFLAGS += -we4002 -we4003 -we4004 -we4006 -we4009 \ + -we4013 -we4015 -we4033 -we4035 -we4045 -we4053 -we4054 -we4063 \ + -we4064 -we4078 -we4087 -we4098 -we4390 -we4551 -we4553 -we4715 endif # NS_USE_GCC ifdef USE_64 
@@ -306,3 +310,28 @@ ifndef TARGETS TARGETS = $(LIBRARY) $(SHARED_LIBRARY) $(IMPORT_LIBRARY) $(PROGRAM) endif +# list of MSVC warnings converted to errors above: +# 4002: too many actual parameters for macro 'identifier' +# 4003: not enough actual parameters for macro 'identifier' +# 4004: incorrect construction after 'defined' +# 4006: #undef expected an identifier +# 4009: string too big; trailing characters truncated +# 4015: 'identifier' : type of bit field must be integral +# 4033: 'function' must return a value +# 4035: 'function' : no return value +# 4045: 'identifier' : array bounds overflow +# 4053: one void operand for '?:' +# 4054: 'conversion' : from function pointer 'type1' to data pointer 'type2' +# 4059: pascal string too big, length byte is length % 256 +# 4063: case 'identifier' is not a valid value for switch of enum 'identifier' +# 4064: switch of incomplete enum 'identifier' +# 4078: case constant 'value' too big for the type of the switch expression +# 4087: 'function' : declared with 'void' parameter list +# 4098: 'function' : void function returning a value +# 4390: ';' : empty controlled statement found; is this the intent? +# 4541: RTTI train wreck +# 4715: not all control paths return a value +# 4013: function undefined; assuming extern returning int +# 4553: '==' : operator has no effect; did you intend '='? +# 4551: function call missing argument list + diff --git a/security/coreconf/coreconf.dep b/security/coreconf/coreconf.dep index b75161110bb..b536cfc01b9 100644 --- a/security/coreconf/coreconf.dep +++ b/security/coreconf/coreconf.dep @@ -42,3 +42,4 @@ */ #error "Do not include this header file." + diff --git a/security/nss/cmd/bltest/blapitest.c b/security/nss/cmd/bltest/blapitest.c index 9eaf28db1d9..5f8b673c6f3 100644 --- a/security/nss/cmd/bltest/blapitest.c +++ b/security/nss/cmd/bltest/blapitest.c 
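Review bot: The comment list added at the end of WIN32.mk does not match the `-we` flags added to `OS_CFLAGS` in the earlier hunk. It describes 4059 and 4541, which are not among the flags, so those two warnings are documented as errors but the build still only warns on them. Either add `-we4059 -we4541` to the flag list or drop the two entries from the comment, so the list stays a reliable record of what the build rejects. Listing the entries in the same numeric order as the flags (4013, 4553 and 4551 are appended out of order) would make this kind of drift easier to spot.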
@@ -3267,6 +3267,11 @@ int main(int argc, char **argv) SECU_PrintPRandOSError(progName); return -1; } + rv = BL_Init(); + if (rv != SECSuccess) { + SECU_PrintPRandOSError(progName); + return -1; + } RNG_SystemInfoForRNG(); rv = SECU_ParseCommandLine(argc, argv, progName, &bltest); diff --git a/security/nss/cmd/crlutil/crlgen_lex.c b/security/nss/cmd/crlutil/crlgen_lex.c index d2da166c6f7..ee07a68d48b 100644 --- a/security/nss/cmd/crlutil/crlgen_lex.c +++ b/security/nss/cmd/crlutil/crlgen_lex.c @@ -1,7 +1,7 @@ /* A lexical scanner generated by flex */ /* Scanner skeleton version: - * $Header: /cvsroot/mozilla/security/nss/cmd/crlutil/crlgen_lex.c,v 1.1 2005/04/12 02:24:14 alexei.volkov.bugs%sun.com Exp $ + * $Header: /cvsroot/mozilla/security/nss/cmd/crlutil/crlgen_lex.c,v 1.2 2009/02/04 23:23:40 alexei.volkov.bugs%sun.com Exp $ */ #define FLEX_SCANNER @@ -9,11 +9,12 @@ #define YY_FLEX_MINOR_VERSION 5 #include -#ifndef _WIN32 +#ifdef _WIN32 +#include +#else #include #endif - /* cfront 1.2 defines "c_plusplus" instead of "__cplusplus" */ #ifdef c_plusplus #ifndef __cplusplus @@ -21,7 +22,6 @@ #endif #endif - #ifdef __cplusplus #include diff --git a/security/nss/cmd/crlutil/crlgen_lex_fix.sed b/security/nss/cmd/crlutil/crlgen_lex_fix.sed index 57125cd4aef..603dd2d1bea 100644 --- a/security/nss/cmd/crlutil/crlgen_lex_fix.sed +++ b/security/nss/cmd/crlutil/crlgen_lex_fix.sed @@ -1,4 +1,6 @@ // { - i #ifndef _WIN32 + i #ifdef _WIN32 + i #include + i #else a #endif } diff --git a/security/nss/cmd/crlutil/crlutil.c b/security/nss/cmd/crlutil/crlutil.c index a1b57bf6427..9ee54335c2d 100644 --- a/security/nss/cmd/crlutil/crlutil.c +++ b/security/nss/cmd/crlutil/crlutil.c 
@@ -360,15 +360,14 @@ CreateModifiedCRLCopy(PRArenaPool *arena, CERTCertDBHandle *certHandle, PRFileDesc *inFile, PRInt32 decodeOptions, PRInt32 importOptions) { - SECItem crlDER; + SECItem crlDER = {0, NULL, 0}; CERTSignedCrl *signCrl = NULL; CERTSignedCrl *modCrl = NULL; PRArenaPool *modArena = NULL; SECStatus rv = SECSuccess; - PORT_Assert(arena != NULL && certHandle != NULL && - certNickName != NULL); if (!arena || !certHandle || !certNickName) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); SECU_PrintError(progName, "CreateModifiedCRLCopy: invalid args\n"); return NULL; } @@ -444,7 +443,9 @@ CreateModifiedCRLCopy(PRArenaPool *arena, CERTCertDBHandle *certHandle, signCrl->arena = arena; loser: - SECITEM_FreeItem(&crlDER, PR_FALSE); + if (crlDER.data) { + SECITEM_FreeItem(&crlDER, PR_FALSE); + } if (modCrl) SEC_DestroyCrl(modCrl); if (rv != SECSuccess && signCrl) { @@ -466,8 +467,8 @@ CreateNewCrl(PRArenaPool *arena, CERTCertDBHandle *certHandle, /* if the CERTSignedCrl structure changes, this function will need to be updated as well */ - PORT_Assert(cert != NULL); if (!cert || !arena) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); SECU_PrintError(progName, "invalid args for function " "CreateNewCrl\n"); return NULL; @@ -531,8 +532,8 @@ UpdateCrl(CERTSignedCrl *signCrl, PRFileDesc *inCrlInitFile) CRLGENGeneratorData *crlGenData = NULL; SECStatus rv; - PORT_Assert(signCrl != NULL && inCrlInitFile != NULL); if (!signCrl || !inCrlInitFile) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); SECU_PrintError(progName, "invalid args for function " "CreateNewCrl\n"); return SECFailure; diff --git a/security/nss/cmd/pk11mode/pk11mode.c b/security/nss/cmd/pk11mode/pk11mode.c index 297b5dca865..35c854303e6 100644 --- a/security/nss/cmd/pk11mode/pk11mode.c +++ b/security/nss/cmd/pk11mode/pk11mode.c 
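Review bot: In the UpdateCrl hunk the invalid-argument path still reports the wrong function. `SECU_PrintError(progName, "invalid args for function " "CreateNewCrl\n");` is emitted from UpdateCrl, so the message sends whoever reads the log to CreateNewCrl. Now that this path also sets `SEC_ERROR_INVALID_ARGS` and no longer asserts, the message is the only locator left, and it should read `"invalid args for function " "UpdateCrl\n"`. The body of UpdateCrl continues outside the hunk.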
@@ -741,6 +741,18 @@ int main(int argc, char **argv) goto cleanup; } + if (doForkTests) + { + /* In this next test, we fork and try to re-initialize softoken in + * the child. This should now work because softoken has the ability + * to hard reset. + */ + /* try to fork with softoken both loaded and initialized */ + crv = PKM_ForkCheck(CKR_OK, pFunctionList, PR_TRUE, &initArgs); + if (crv != CKR_OK) + goto cleanup; + } + crv = PKM_ShowInfo(pFunctionList, slotID); if (crv == CKR_OK) { PKM_LogIt("PKM_ShowInfo succeeded\n"); diff --git a/security/nss/cmd/vfychain/vfychain.c b/security/nss/cmd/vfychain/vfychain.c index 16bc289b775..3d04e53c689 100644 --- a/security/nss/cmd/vfychain/vfychain.c +++ b/security/nss/cmd/vfychain/vfychain.c @@ -114,7 +114,7 @@ Usage(const char *progName) "\t\t\tPossible types are \"crl\" and \"ocsp\".\n" "\t-s method flags\t Sets revocation flags for the method it follows.\n" "\t\t\tPossible types are \"doNotUse\", \"forbidFetching\",\n" - "\t\t\t\"ignoreDefaultSrc\", \"requireInfo\" and \"failInNoInfo\".\n", + "\t\t\t\"ignoreDefaultSrc\", \"requireInfo\" and \"failIfNoInfo\".\n", progName); exit(1); } @@ -258,7 +258,7 @@ getCert(const char *name, PRBool isAscii, const char * progName) #define REVCONFIG_METHOD_FORBIDNETWORKFETCHIN_STR "forbidFetching" #define REVCONFIG_METHOD_IGNOREDEFAULTSRC_STR "ignoreDefaultSrc" #define REVCONFIG_METHOD_REQUIREINFO_STR "requireInfo" -#define REVCONFIG_METHOD_FAILIFNOINFO_STR "failInNoInfo" +#define REVCONFIG_METHOD_FAILIFNOINFO_STR "failIfNoInfo" #define REV_METHOD_INDEX_MAX 4 @@ -680,10 +680,6 @@ breakout: cvin[inParamIndex].value.scalar.b = certFetching; inParamIndex++; - cvin[inParamIndex].type = cert_pi_date; - cvin[inParamIndex].value.scalar.time = time; - inParamIndex++; - rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf; rev.chainTests.cert_rev_flags_per_method = revFlagsChain; secStatus = configureRevocationParams(&rev); 
@@ -696,6 +692,10 @@ breakout: cvin[inParamIndex].value.pointer.revocation = &rev; inParamIndex++; + cvin[inParamIndex].type = cert_pi_date; + cvin[inParamIndex].value.scalar.time = time; + inParamIndex++; + cvin[inParamIndex].type = cert_pi_end; cvout[0].type = cert_po_trustAnchor; diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c index 739254cd94b..2b40e4fb230 100644 --- a/security/nss/lib/certdb/alg1485.c +++ b/security/nss/lib/certdb/alg1485.c @@ -54,7 +54,7 @@ typedef struct NameToKindStr { /* local type for directory string--could be printable_string or utf8 */ #define SEC_ASN1_DS SEC_ASN1_HIGH_TAG_NUMBER -/* Add new entries to this table, and maybe to function CERT_ParseRFC1485AVA */ +/* Add new entries to this table, and maybe to function ParseRFC1485AVA */ static const NameToKind name2kinds[] = { /* IANA registered type names * (See: http://www.iana.org/assignments/ldap-parameters) @@ -361,10 +361,15 @@ loser: return SECFailure; } - -CERTAVA * -CERT_ParseRFC1485AVA(PRArenaPool *arena, char **pbp, char *endptr, - PRBool singleAVA) +/* Parses one AVA, starting at *pbp. Stops at endptr. + * Advances *pbp past parsed AVA and trailing separator (if present). + * On any error, returns NULL and *pbp is undefined. + * On success, returns CERTAVA allocated from arena, and (*pbp)[-1] was + * the last character parsed. *pbp is either equal to endptr or + * points to first character after separator. + */ +static CERTAVA * +ParseRFC1485AVA(PRArenaPool *arena, char **pbp, char *endptr) { CERTAVA *a; const NameToKind *n2k; @@ -374,6 +379,7 @@ CERT_ParseRFC1485AVA(PRArenaPool *arena, char **pbp, char *endptr, SECOidTag kind = SEC_OID_UNKNOWN; SECStatus rv = SECFailure; SECItem derOid = { 0, NULL, 0 }; + char sep = 0; char tagBuf[32]; char valBuf[384]; 
@@ -384,17 +390,15 @@ CERT_ParseRFC1485AVA(PRArenaPool *arena, char **pbp, char *endptr, goto loser; } - /* insist that if we haven't finished we've stopped on a separator */ bp = *pbp; if (bp < endptr) { - if (singleAVA || (*bp != ',' && *bp != ';')) { - *pbp = bp; - goto loser; - } - /* ok, skip over separator */ - bp++; + sep = *bp++; /* skip over separator */ } *pbp = bp; + /* if we haven't finished, insist that we've stopped on a separator */ + if (sep && sep != ',' && sep != ';' && sep != '+') { + goto loser; + } /* is this a dotted decimal OID attribute type ? */ if (!PL_strncasecmp("oid.", tagBuf, 4)) { @@ -459,7 +463,7 @@ ParseRFC1485Name(char *buf, int len) CERTName *name; char *bp, *e; CERTAVA *ava; - CERTRDN *rdn; + CERTRDN *rdn = NULL; name = CERT_CreateName(NULL); if (name == NULL) { @@ -469,12 +473,21 @@ ParseRFC1485Name(char *buf, int len) e = buf + len; bp = buf; while (bp < e) { - ava = CERT_ParseRFC1485AVA(name->arena, &bp, e, PR_FALSE); - if (ava == 0) goto loser; - rdn = CERT_CreateRDN(name->arena, ava, (CERTAVA *)0); - if (rdn == 0) goto loser; - rv = CERT_AddRDN(name, rdn); - if (rv) goto loser; + ava = ParseRFC1485AVA(name->arena, &bp, e); + if (ava == 0) + goto loser; + if (!rdn) { + rdn = CERT_CreateRDN(name->arena, ava, (CERTAVA *)0); + if (rdn == 0) + goto loser; + rv = CERT_AddRDN(name, rdn); + } else { + rv = CERT_AddAVA(name->arena, rdn, ava); + } + if (rv) + goto loser; + if (bp[-1] != '+') + rdn = NULL; /* done with this RDN */ skipSpace(&bp, e); } diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c index 460f459c01b..05c4b451af5 100644 --- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -38,7 +38,7 @@ /* * Certificate handling code * - * $Id: certdb.c,v 1.95 2008/12/02 23:24:48 nelson%bolyard.com Exp $ + * $Id: certdb.c,v 1.96 2009/02/09 07:51:30 nelson%bolyard.com Exp $ */ #include "nssilock.h" 
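Review bot: In ParseRFC1485AVA the new `sep` variable uses 0 both for "reached endptr, no separator" and for a byte whose value is NUL, so `if (sep && sep != ',' && sep != ';' && sep != '+')` lets a NUL byte before endptr pass as a separator, where the removed code rejected anything other than ',' or ';'. Whether the scanning helpers can stop on such a byte is not visible in this hunk, but the function is bounded by endptr rather than by NUL termination, so the test belongs inside the bounds check: `if (bp < endptr) { sep = *bp++; if (sep != ',' && sep != ';' && sep != '+') goto loser; }`. The ParseRFC1485Name hunk then closes an RDN on `bp[-1] != '+'`, which appears to accept a name ending in a bare '+' with no AVA after it. A one-line comment there stating whether a trailing separator is meant to be tolerated would pin the parser's strictness down.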
@@ -938,15 +938,15 @@ CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER, goto loser; } + /* determine if this is a root cert */ + cert->isRoot = cert_IsRootCert(cert); + /* initialize the certType */ rv = cert_GetCertType(cert); if ( rv != SECSuccess ) { goto loser; } - /* determine if this is a root cert */ - cert->isRoot = cert_IsRootCert(cert); - tmpname = CERT_NameToAscii(&cert->subject); if ( tmpname != NULL ) { cert->subjectName = PORT_ArenaStrdup(cert->arena, tmpname); diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c index 27d57fedcc5..48c898e905b 100644 --- a/security/nss/lib/certdb/crl.c +++ b/security/nss/lib/certdb/crl.c @@ -37,7 +37,7 @@ /* * Moved from secpkcs7.c * - * $Id: crl.c,v 1.60 2008/10/31 23:02:36 alexei.volkov.bugs%sun.com Exp $ + * $Id: crl.c,v 1.62 2009/02/05 20:31:26 nelson%bolyard.com Exp $ */ #include "cert.h" @@ -732,6 +732,10 @@ crl_storeCRL (PK11SlotInfo *slot,char *url, crl = newCrl; crl->slot = PK11_ReferenceSlot(slot); crl->pkcs11ID = oldCrl->pkcs11ID; + if (oldCrl->url && !url) + url = oldCrl->url; + if (url) + crl->url = PORT_ArenaStrdup(crl->arena, url); goto done; } if (!SEC_CrlIsNewer(&newCrl->crl,&oldCrl->crl)) { @@ -754,7 +758,7 @@ crl_storeCRL (PK11SlotInfo *slot,char *url, } /* if we have a url in the database, use that one */ - if (oldCrl->url) { + if (oldCrl->url && !url) { url = oldCrl->url; } @@ -1644,7 +1648,7 @@ static SECStatus DPCache_FetchFromTokens(CRLDPCache* cache, PRTime vfdate, rv = CachedCrl_Destroy(returned); returned = NULL; } - else + else if (vfdate) { rv = CachedCrl_Verify(cache, returned, vfdate, wincx); } diff --git a/security/nss/lib/certhigh/certvfypkix.c b/security/nss/lib/certhigh/certvfypkix.c index 3028a217111..54756ca86d7 100644 --- a/security/nss/lib/certhigh/certvfypkix.c +++ b/security/nss/lib/certhigh/certvfypkix.c 
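Review bot: In the crl_storeCRL hunk the result of `PORT_ArenaStrdup(crl->arena, url)` is assigned to `crl->url` and control goes straight to `done` without a NULL check. An allocation failure would therefore leave the CRL with no URL and no error reported from the visible lines. Checking the result before the `goto done`, or adding a comment that a missing URL is acceptable here, would make the intent explicit. The rest of crl_storeCRL lies outside the hunk.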
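Review bot: In DPCache_FetchFromTokens the change from `else` to `else if (vfdate)` means a CRL fetched from a token is no longer passed to `CachedCrl_Verify` when `vfdate` is 0, and the hunk has no comment saying where that check happens instead. In that branch `rv` also keeps whatever value the preceding, non-visible code left in it. Since this decides whether an unverified CRL can enter the cache, the branch deserves a comment such as `/* vfdate == 0: verification is deferred; the CRL must not be treated as valid until it has been verified */`. It is also worth confirming that the code after the hunk does not mark the entry as usable. The function continues outside the hunk on both sides.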
@@ -566,7 +566,7 @@ cert_CreatePkixProcessingParams( PKIX_PROCESSINGPARAMSSETDATEFAILED); PKIX_CHECK( - PKIX_RevocationChecker_Create(date, + PKIX_RevocationChecker_Create( PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT, PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | @@ -1650,13 +1650,8 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams, chainIMFlags = flags->chainTests.cert_rev_method_independent_flags; - error = PKIX_ProcessingParams_GetDate(procParams, &date, plContext); - if (error != NULL) { - errCode = SEC_ERROR_INVALID_TIME; - } - error = - PKIX_RevocationChecker_Create(date, leafIMFlags, chainIMFlags, + PKIX_RevocationChecker_Create(leafIMFlags, chainIMFlags, &revChecker, plContext); if (error) { break; diff --git a/security/nss/lib/ckfw/crypto.c b/security/nss/lib/ckfw/crypto.c index 22ff200555d..87f8aea8945 100644 --- a/security/nss/lib/ckfw/crypto.c +++ b/security/nss/lib/ckfw/crypto.c @@ -36,7 +36,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: crypto.c,v $ $Revision: 1.3 $ $Date: 2006/04/22 05:30:18 $"; +static const char CVS_ID[] = "@(#) $RCSfile: crypto.c,v $ $Revision: 1.4 $ $Date: 2009/02/09 07:55:51 $"; #endif /* DEBUG */ /* @@ -101,7 +101,7 @@ nssCKFWCryptoOperation_Create( { NSSCKFWCryptoOperation *fwOperation; fwOperation = nss_ZNEW(NULL, NSSCKFWCryptoOperation); - if ((NSSCKFWCryptoOperation *)NULL == fwOperation) { + if (!fwOperation) { *pError = CKR_HOST_MEMORY; return (NSSCKFWCryptoOperation *)NULL; } @@ -126,7 +126,7 @@ nssCKFWCryptoOperation_Destroy ) { if ((NSSCKMDCryptoOperation *) NULL != fwOperation->mdOperation) { - if ((void *) NULL != (void *)fwOperation->mdOperation->Destroy) { + if (fwOperation->mdOperation->Destroy) { fwOperation->mdOperation->Destroy( fwOperation->mdOperation, fwOperation, 
@@ -171,7 +171,7 @@ nssCKFWCryptoOperation_GetFinalLength CK_RV *pError ) { - if ((void *) NULL == (void *)fwOperation->mdOperation->GetFinalLength) { + if (!fwOperation->mdOperation->GetFinalLength) { *pError = CKR_FUNCTION_FAILED; return 0; } @@ -198,7 +198,7 @@ nssCKFWCryptoOperation_GetOperationLength CK_RV *pError ) { - if ((void *) NULL == (void *)fwOperation->mdOperation->GetOperationLength) { + if (!fwOperation->mdOperation->GetOperationLength) { *pError = CKR_FUNCTION_FAILED; return 0; } @@ -225,7 +225,7 @@ nssCKFWCryptoOperation_Final NSSItem *outputBuffer ) { - if ((void *) NULL == (void *)fwOperation->mdOperation->Final) { + if (!fwOperation->mdOperation->Final) { return CKR_FUNCTION_FAILED; } return fwOperation->mdOperation->Final( @@ -251,7 +251,7 @@ nssCKFWCryptoOperation_Update NSSItem *outputBuffer ) { - if ((void *) NULL == (void *)fwOperation->mdOperation->Update) { + if (!fwOperation->mdOperation->Update) { return CKR_FUNCTION_FAILED; } return fwOperation->mdOperation->Update( @@ -277,7 +277,7 @@ nssCKFWCryptoOperation_DigestUpdate NSSItem *inputBuffer ) { - if ((void *) NULL == (void *)fwOperation->mdOperation->DigestUpdate) { + if (!fwOperation->mdOperation->DigestUpdate) { return CKR_FUNCTION_FAILED; } return fwOperation->mdOperation->DigestUpdate( @@ -304,7 +304,7 @@ nssCKFWCryptoOperation_DigestKey { NSSCKMDObject *mdObject; - if ((void *) NULL == (void *)fwOperation->mdOperation->DigestKey) { + if (!fwOperation->mdOperation->DigestKey) { return CKR_FUNCTION_FAILED; } mdObject = nssCKFWObject_GetMDObject(fwObject); @@ -330,7 +330,7 @@ nssCKFWCryptoOperation_UpdateFinal NSSItem *outputBuffer ) { - if ((void *) NULL == (void *)fwOperation->mdOperation->UpdateFinal) { + if (!fwOperation->mdOperation->UpdateFinal) { return CKR_FUNCTION_FAILED; } return fwOperation->mdOperation->UpdateFinal( 
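Review bot: The rewritten guard in nssCKFWCryptoOperation_GetFinalLength, `if (!fwOperation->mdOperation->GetFinalLength)`, dereferences `fwOperation->mdOperation` unconditionally, while nssCKFWCryptoOperation_Destroy in the earlier hunk still tests `mdOperation` against NULL before using it. The same pattern is in the GetOperationLength, Final, Update, DigestUpdate, DigestKey, UpdateFinal and UpdateCombo hunks. Whether a NULL `mdOperation` can reach these accessors is not visible here. Either guard them the same way, e.g. `if (!fwOperation->mdOperation || !fwOperation->mdOperation->GetFinalLength)`, or add a comment on the struct or in Destroy stating that `mdOperation` is non-NULL for the life of the operation.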
@@ -358,7 +358,7 @@ nssCKFWCryptoOperation_UpdateCombo NSSItem *outputBuffer ) { - if ((void *) NULL == (void *)fwOperation->mdOperation->UpdateCombo) { + if (!fwOperation->mdOperation->UpdateCombo) { return CKR_FUNCTION_FAILED; } return fwOperation->mdOperation->UpdateCombo( diff --git a/security/nss/lib/ckfw/find.c b/security/nss/lib/ckfw/find.c index df26a3011fa..56916a020b6 100644 --- a/security/nss/lib/ckfw/find.c +++ b/security/nss/lib/ckfw/find.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: find.c,v $ $Revision: 1.8 $ $Date: 2006/04/20 00:03:33 $"; +static const char CVS_ID[] = "@(#) $RCSfile: find.c,v $ $Revision: 1.9 $ $Date: 2009/02/09 07:55:52 $"; #endif /* DEBUG */ /* @@ -147,7 +147,7 @@ nssCKFWFindObjects_Create mdInstance = nssCKFWInstance_GetMDInstance(fwInstance); fwFindObjects = nss_ZNEW(NULL, NSSCKFWFindObjects); - if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) { + if (!fwFindObjects) { *pError = CKR_HOST_MEMORY; goto loser; } @@ -162,7 +162,7 @@ nssCKFWFindObjects_Create fwFindObjects->mdInstance = mdInstance; fwFindObjects->mutex = nssCKFWInstance_CreateMutex(fwInstance, NULL, pError); - if( (NSSCKFWMutex *)NULL == fwFindObjects->mutex ) { + if (!fwFindObjects->mutex) { goto loser; } @@ -222,8 +222,8 @@ nssCKFWFindObjects_Destroy (void)nssCKFWMutex_Destroy(fwFindObjects->mutex); - if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo1 ) { - if( (void *)NULL != (void *)fwFindObjects->mdfo1->Final ) { + if (fwFindObjects->mdfo1) { + if (fwFindObjects->mdfo1->Final) { fwFindObjects->mdFindObjects = fwFindObjects->mdfo1; fwFindObjects->mdfo1->Final(fwFindObjects->mdfo1, fwFindObjects, fwFindObjects->mdSession, fwFindObjects->fwSession, 
@@ -232,8 +232,8 @@ nssCKFWFindObjects_Destroy } } - if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo2 ) { - if( (void *)NULL != (void *)fwFindObjects->mdfo2->Final ) { + if (fwFindObjects->mdfo2) { + if (fwFindObjects->mdfo2->Final) { fwFindObjects->mdFindObjects = fwFindObjects->mdfo2; fwFindObjects->mdfo2->Final(fwFindObjects->mdfo2, fwFindObjects, fwFindObjects->mdSession, fwFindObjects->fwSession, @@ -287,7 +287,7 @@ nssCKFWFindObjects_Next NSSArena *objArena; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSCKFWObject *)NULL; } @@ -302,15 +302,15 @@ nssCKFWFindObjects_Next return (NSSCKFWObject *)NULL; } - if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo1 ) { - if( (void *)NULL != (void *)fwFindObjects->mdfo1->Next ) { + if (fwFindObjects->mdfo1) { + if (fwFindObjects->mdfo1->Next) { fwFindObjects->mdFindObjects = fwFindObjects->mdfo1; mdObject = fwFindObjects->mdfo1->Next(fwFindObjects->mdfo1, fwFindObjects, fwFindObjects->mdSession, fwFindObjects->fwSession, fwFindObjects->mdToken, fwFindObjects->fwToken, fwFindObjects->mdInstance, fwFindObjects->fwInstance, arenaOpt, pError); - if( (NSSCKMDObject *)NULL == mdObject ) { + if (!mdObject) { if( CKR_OK != *pError ) { goto done; } @@ -327,15 +327,15 @@ nssCKFWFindObjects_Next } } - if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo2 ) { - if( (void *)NULL != (void *)fwFindObjects->mdfo2->Next ) { + if (fwFindObjects->mdfo2) { + if (fwFindObjects->mdfo2->Next) { fwFindObjects->mdFindObjects = fwFindObjects->mdfo2; mdObject = fwFindObjects->mdfo2->Next(fwFindObjects->mdfo2, fwFindObjects, fwFindObjects->mdSession, fwFindObjects->fwSession, fwFindObjects->mdToken, fwFindObjects->fwToken, fwFindObjects->mdInstance, fwFindObjects->fwInstance, arenaOpt, pError); - if( (NSSCKMDObject *)NULL == mdObject ) { + if (!mdObject) { if( CKR_OK != *pError ) { goto done; } 
@@ -373,7 +373,7 @@ nssCKFWFindObjects_Next * but it depends on nssCKFWObject_Create caching all objects. */ objArena = nssCKFWToken_GetArena(fwFindObjects->fwToken, pError); - if( (NSSArena *)NULL == objArena ) { + if (!objArena) { if( CKR_OK == *pError ) { *pError = CKR_HOST_MEMORY; } @@ -383,7 +383,7 @@ nssCKFWFindObjects_Next fwObject = nssCKFWObject_Create(objArena, mdObject, NULL, fwFindObjects->fwToken, fwFindObjects->fwInstance, pError); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } diff --git a/security/nss/lib/ckfw/hash.c b/security/nss/lib/ckfw/hash.c index 9cbe7b83bd8..6fd25c3d075 100644 --- a/security/nss/lib/ckfw/hash.c +++ b/security/nss/lib/ckfw/hash.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: hash.c,v $ $Revision: 1.3 $ $Date: 2005/01/20 02:25:45 $"; +static const char CVS_ID[] = "@(#) $RCSfile: hash.c,v $ $Revision: 1.4 $ $Date: 2009/02/09 07:55:52 $"; #endif /* DEBUG */ /* @@ -104,7 +104,7 @@ nssCKFWHash_Create nssCKFWHash *rv; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (nssCKFWHash *)NULL; } @@ -115,13 +115,13 @@ nssCKFWHash_Create #endif /* NSSDEBUG */ rv = nss_ZNEW(arena, nssCKFWHash); - if( (nssCKFWHash *)NULL == rv ) { + if (!rv) { *pError = CKR_HOST_MEMORY; return (nssCKFWHash *)NULL; } rv->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError); - if( (NSSCKFWMutex *)NULL == rv->mutex ) { + if (!rv->mutex) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -130,7 +130,7 @@ nssCKFWHash_Create rv->plHashTable = PL_NewHashTable(0, nss_ckfw_identity_hash, PL_CompareValues, PL_CompareValues, &nssArenaHashAllocOps, arena); - if( (PLHashTable *)NULL == rv->plHashTable ) { + if (!rv->plHashTable) { (void)nssCKFWMutex_Destroy(rv->mutex); (void)nss_ZFreeIf(rv); *pError = CKR_HOST_MEMORY; 
@@ -178,7 +178,7 @@ nssCKFWHash_Add } he = PL_HashTableAdd(hash->plHashTable, key, (void *)value); - if( (PLHashEntry *)NULL == he ) { + if (!he) { error = CKR_HOST_MEMORY; } else { hash->count++; @@ -259,7 +259,7 @@ nssCKFWHash_Exists (void)nssCKFWMutex_Unlock(hash->mutex); - if( (void *)NULL == value ) { + if (!value) { return CK_FALSE; } else { return CK_TRUE; diff --git a/security/nss/lib/ckfw/instance.c b/security/nss/lib/ckfw/instance.c index 588ce933bb8..5fde8b9a629 100644 --- a/security/nss/lib/ckfw/instance.c +++ b/security/nss/lib/ckfw/instance.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: instance.c,v $ $Revision: 1.11 $ $Date: 2006/10/09 22:16:59 $"; +static const char CVS_ID[] = "@(#) $RCSfile: instance.c,v $ $Revision: 1.12 $ $Date: 2009/02/09 07:55:52 $"; #endif /* DEBUG */ /* @@ -208,20 +208,20 @@ nssCKFWInstance_Create return (NSSCKFWInstance *)NULL; } - if( (NSSCKMDInstance *)NULL == mdInstance ) { + if (!mdInstance) { *pError = CKR_ARGUMENTS_BAD; return (NSSCKFWInstance *)NULL; } #endif /* NSSDEBUG */ arena = NSSArena_Create(); - if( (NSSArena *)NULL == arena ) { + if (!arena) { *pError = CKR_HOST_MEMORY; return (NSSCKFWInstance *)NULL; } fwInstance = nss_ZNEW(arena, NSSCKFWInstance); - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { goto nomem; } @@ -244,14 +244,14 @@ nssCKFWInstance_Create fwInstance->mutex = nssCKFWMutex_Create(pInitArgs, LockingState, arena, pError); - if( (NSSCKFWMutex *)NULL == fwInstance->mutex ) { + if (!fwInstance->mutex) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } goto loser; } - if( (void *)NULL != (void *)mdInstance->Initialize ) { + if (mdInstance->Initialize) { *pError = mdInstance->Initialize(mdInstance, fwInstance, fwInstance->configurationData); if( CKR_OK != *pError ) { goto loser; 
@@ -260,14 +260,14 @@ nssCKFWInstance_Create called_Initialize = CK_TRUE; } - if( (void *)NULL != (void *)mdInstance->ModuleHandlesSessionObjects ) { + if (mdInstance->ModuleHandlesSessionObjects) { fwInstance->moduleHandlesSessionObjects = mdInstance->ModuleHandlesSessionObjects(mdInstance, fwInstance); } else { fwInstance->moduleHandlesSessionObjects = CK_FALSE; } - if( (void *)NULL == (void *)mdInstance->GetNSlots ) { + if (!mdInstance->GetNSlots) { /* That routine is required */ *pError = CKR_GENERAL_ERROR; goto loser; @@ -294,17 +294,17 @@ nssCKFWInstance_Create fwInstance->sessionHandleHash = nssCKFWHash_Create(fwInstance, fwInstance->arena, pError); - if( (nssCKFWHash *)NULL == fwInstance->sessionHandleHash ) { + if (!fwInstance->sessionHandleHash) { goto loser; } fwInstance->objectHandleHash = nssCKFWHash_Create(fwInstance, fwInstance->arena, pError); - if( (nssCKFWHash *)NULL == fwInstance->objectHandleHash ) { + if (!fwInstance->objectHandleHash) { goto loser; } - if( (void *)NULL == (void *)mdInstance->GetSlots ) { + if (!mdInstance->GetSlots) { /* That routine is required */ *pError = CKR_GENERAL_ERROR; goto loser; @@ -318,7 +318,7 @@ nssCKFWInstance_Create for( i = 0; i < fwInstance->nSlots; i++ ) { NSSCKMDSlot *mdSlot = fwInstance->mdSlotList[i]; - if( (NSSCKMDSlot *)NULL == mdSlot ) { + if (!mdSlot) { *pError = CKR_GENERAL_ERROR; goto loser; } @@ -333,7 +333,7 @@ nssCKFWInstance_Create for( j = i; j < fwInstance->nSlots; j++ ) { NSSCKMDSlot *mds = fwInstance->mdSlotList[j]; - if( (void *)NULL != (void *)mds->Destroy ) { + if (mds->Destroy) { mds->Destroy(mds, (NSSCKFWSlot *)NULL, mdInstance, fwInstance); } } @@ -362,7 +362,7 @@ nssCKFWInstance_Create loser: if( CK_TRUE == called_Initialize ) { - if( (void *)NULL != (void *)mdInstance->Finalize ) { + if (mdInstance->Finalize) { mdInstance->Finalize(mdInstance, fwInstance); } } 
@@ -401,7 +401,7 @@ nssCKFWInstance_Destroy (void)nssCKFWSlot_Destroy(fwInstance->fwSlotList[i]); } - if( (void *)NULL != (void *)fwInstance->mdInstance->Finalize ) { + if (fwInstance->mdInstance->Finalize) { fwInstance->mdInstance->Finalize(fwInstance->mdInstance, fwInstance); } @@ -452,7 +452,7 @@ nssCKFWInstance_GetArena ) { #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSArena *)NULL; } @@ -500,7 +500,7 @@ nssCKFWInstance_CreateMutex NSSCKFWMutex *mutex; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSCKFWMutex *)NULL; } @@ -512,7 +512,7 @@ nssCKFWInstance_CreateMutex mutex = nssCKFWMutex_Create(fwInstance->pInitArgs, fwInstance->LockingState, arena, pError); - if( (NSSCKFWMutex *)NULL == mutex ) { + if (!mutex) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -576,7 +576,7 @@ nssCKFWInstance_CreateSessionHandle CK_SESSION_HANDLE hSession; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (CK_SESSION_HANDLE)0; } @@ -720,7 +720,7 @@ nssCKFWInstance_CreateObjectHandle CK_OBJECT_HANDLE hObject; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (CK_OBJECT_HANDLE)0; } @@ -905,7 +905,7 @@ nssCKFWInstance_GetNSlots ) { #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (CK_ULONG)0; } @@ -949,7 +949,7 @@ nssCKFWInstance_GetCryptokiVersion goto done; } - if( (void *)NULL != (void *)fwInstance->mdInstance->GetCryptokiVersion ) { + if (fwInstance->mdInstance->GetCryptokiVersion) { fwInstance->cryptokiVersion = fwInstance->mdInstance->GetCryptokiVersion( fwInstance->mdInstance, fwInstance); } else { 
@@ -993,11 +993,11 @@ nssCKFWInstance_GetManufacturerID return error; } - if( (NSSUTF8 *)NULL == fwInstance->manufacturerID ) { - if( (void *)NULL != (void *)fwInstance->mdInstance->GetManufacturerID ) { + if (!fwInstance->manufacturerID) { + if (fwInstance->mdInstance->GetManufacturerID) { fwInstance->manufacturerID = fwInstance->mdInstance->GetManufacturerID( fwInstance->mdInstance, fwInstance, &error); - if( ((NSSUTF8 *)NULL == fwInstance->manufacturerID) && (CKR_OK != error) ) { + if ((!fwInstance->manufacturerID) && (CKR_OK != error)) { goto done; } } else { @@ -1062,11 +1062,11 @@ nssCKFWInstance_GetLibraryDescription return error; } - if( (NSSUTF8 *)NULL == fwInstance->libraryDescription ) { - if( (void *)NULL != (void *)fwInstance->mdInstance->GetLibraryDescription ) { + if (!fwInstance->libraryDescription) { + if (fwInstance->mdInstance->GetLibraryDescription) { fwInstance->libraryDescription = fwInstance->mdInstance->GetLibraryDescription( fwInstance->mdInstance, fwInstance, &error); - if( ((NSSUTF8 *)NULL == fwInstance->libraryDescription) && (CKR_OK != error) ) { + if ((!fwInstance->libraryDescription) && (CKR_OK != error)) { goto done; } } else { @@ -1112,7 +1112,7 @@ nssCKFWInstance_GetLibraryVersion goto done; } - if( (void *)NULL != (void *)fwInstance->mdInstance->GetLibraryVersion ) { + if (fwInstance->mdInstance->GetLibraryVersion) { fwInstance->libraryVersion = fwInstance->mdInstance->GetLibraryVersion( fwInstance->mdInstance, fwInstance); } else { @@ -1157,7 +1157,7 @@ nssCKFWInstance_GetSlots ) { #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSCKFWSlot **)NULL; } @@ -1187,7 +1187,7 @@ nssCKFWInstance_WaitForSlotEvent CK_ULONG i, n; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSCKFWSlot *)NULL; } 
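Review bot: The rewritten conditions in nssCKFWInstance_GetManufacturerID and nssCKFWInstance_GetLibraryDescription keep parentheses that only served the old casts: `if ((!fwInstance->manufacturerID) && (CKR_OK != error)) {`. Since the commit is normalising these tests, `if (!fwInstance->manufacturerID && CKR_OK != error) {` reads more cleanly, and likewise for `libraryDescription`. The same leftover appears in nssCKFWSession_SetFWFindObjects in session.c, where `if ((fwSession->fwFindObjects) && (fwFindObjects)) {` could be `if (fwSession->fwFindObjects && fwFindObjects) {`.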
@@ -1206,7 +1206,7 @@ nssCKFWInstance_WaitForSlotEvent } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwInstance->mdInstance->WaitForSlotEvent ) { + if (!fwInstance->mdInstance->WaitForSlotEvent) { *pError = CKR_NO_EVENT; return (NSSCKFWSlot *)NULL; } @@ -1218,7 +1218,7 @@ nssCKFWInstance_WaitForSlotEvent pError ); - if( (NSSCKMDSlot *)NULL == mdSlot ) { + if (!mdSlot) { return (NSSCKFWSlot *)NULL; } @@ -1234,7 +1234,7 @@ nssCKFWInstance_WaitForSlotEvent } } - if( (NSSCKFWSlot *)NULL == fwSlot ) { + if (!fwSlot) { /* Internal error */ *pError = CKR_GENERAL_ERROR; return (NSSCKFWSlot *)NULL; @@ -1274,7 +1274,7 @@ NSSCKFWInstance_GetArena ) { #ifdef DEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSArena *)NULL; } @@ -1319,7 +1319,7 @@ NSSCKFWInstance_CreateMutex ) { #ifdef DEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSCKFWMutex *)NULL; } diff --git a/security/nss/lib/ckfw/mechanism.c b/security/nss/lib/ckfw/mechanism.c index ad426642788..2b1883ab260 100644 --- a/security/nss/lib/ckfw/mechanism.c +++ b/security/nss/lib/ckfw/mechanism.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: mechanism.c,v $ $Revision: 1.5 $ $Date: 2007/12/12 00:50:58 $"; +static const char CVS_ID[] = "@(#) $RCSfile: mechanism.c,v $ $Revision: 1.6 $ $Date: 2009/02/09 07:55:52 $"; #endif /* DEBUG */ /* @@ -118,7 +118,7 @@ nssCKFWMechanism_Create fwMechanism = nss_ZNEW(NULL, NSSCKFWMechanism); - if ((NSSCKFWMechanism *)NULL == fwMechanism) { + if (!fwMechanism) { return (NSSCKFWMechanism *)NULL; } fwMechanism->mdMechanism = mdMechanism; @@ -141,7 +141,7 @@ nssCKFWMechanism_Destroy { /* destroy any fw resources held by nssCKFWMechanism (currently none) */ - if ((void *)NULL == (void *)fwMechanism->mdMechanism->Destroy) { + if (!fwMechanism->mdMechanism->Destroy) { /* destroys it's parent as well */ fwMechanism->mdMechanism->Destroy( fwMechanism->mdMechanism, 
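Review bot: The guard in nssCKFWMechanism_Destroy (hunk `@@ -141,7 +141,7 @@`) is inverted: `if (!fwMechanism->mdMechanism->Destroy) {` enters the block only when the module supplied no Destroy routine, and the block then calls `fwMechanism->mdMechanism->Destroy(...)`, a call through a NULL function pointer. The rewrite faithfully keeps the sense of the old `(void *)NULL == ...` test, so the defect predates this commit, but the line is being touched here and should become `if (fwMechanism->mdMechanism->Destroy) {`. As written, a module that does provide Destroy never has it called from this path. The remainder of the function lies outside the hunk.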
@@ -178,7 +178,7 @@ nssCKFWMechanism_GetMinKeySize CK_RV *pError ) { - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GetMinKeySize) { + if (!fwMechanism->mdMechanism->GetMinKeySize) { return 0; } @@ -198,7 +198,7 @@ nssCKFWMechanism_GetMaxKeySize CK_RV *pError ) { - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GetMaxKeySize) { + if (!fwMechanism->mdMechanism->GetMaxKeySize) { return 0; } @@ -218,7 +218,7 @@ nssCKFWMechanism_GetInHardware CK_RV *pError ) { - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GetInHardware) { + if (!fwMechanism->mdMechanism->GetInHardware) { return CK_FALSE; } @@ -243,7 +243,7 @@ nssCKFWMechanism_GetCanEncrypt CK_RV *pError ) { - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->EncryptInit) { + if (!fwMechanism->mdMechanism->EncryptInit) { return CK_FALSE; } return CK_TRUE; @@ -260,7 +260,7 @@ nssCKFWMechanism_GetCanDecrypt CK_RV *pError ) { - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DecryptInit) { + if (!fwMechanism->mdMechanism->DecryptInit) { return CK_FALSE; } return CK_TRUE; @@ -277,7 +277,7 @@ nssCKFWMechanism_GetCanDigest CK_RV *pError ) { - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DigestInit) { + if (!fwMechanism->mdMechanism->DigestInit) { return CK_FALSE; } return CK_TRUE; @@ -294,7 +294,7 @@ nssCKFWMechanism_GetCanSign CK_RV *pError ) { - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->SignInit) { + if (!fwMechanism->mdMechanism->SignInit) { return CK_FALSE; } return CK_TRUE; @@ -311,7 +311,7 @@ nssCKFWMechanism_GetCanSignRecover CK_RV *pError ) { - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->SignRecoverInit) { + if (!fwMechanism->mdMechanism->SignRecoverInit) { return CK_FALSE; } return CK_TRUE; @@ -328,7 +328,7 @@ nssCKFWMechanism_GetCanVerify CK_RV *pError ) { - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->VerifyInit) { + if (!fwMechanism->mdMechanism->VerifyInit) { return CK_FALSE; } return CK_TRUE; 
@@ -345,7 +345,7 @@ nssCKFWMechanism_GetCanVerifyRecover CK_RV *pError ) { - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->VerifyRecoverInit) { + if (!fwMechanism->mdMechanism->VerifyRecoverInit) { return CK_FALSE; } return CK_TRUE; @@ -362,7 +362,7 @@ nssCKFWMechanism_GetCanGenerate CK_RV *pError ) { - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GenerateKey) { + if (!fwMechanism->mdMechanism->GenerateKey) { return CK_FALSE; } return CK_TRUE; @@ -379,7 +379,7 @@ nssCKFWMechanism_GetCanGenerateKeyPair CK_RV *pError ) { - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GenerateKeyPair) { + if (!fwMechanism->mdMechanism->GenerateKeyPair) { return CK_FALSE; } return CK_TRUE; @@ -396,7 +396,7 @@ nssCKFWMechanism_GetCanUnwrap CK_RV *pError ) { - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->UnwrapKey) { + if (!fwMechanism->mdMechanism->UnwrapKey) { return CK_FALSE; } return CK_TRUE; @@ -413,7 +413,7 @@ nssCKFWMechanism_GetCanWrap CK_RV *pError ) { - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->WrapKey) { + if (!fwMechanism->mdMechanism->WrapKey) { return CK_FALSE; } return CK_TRUE; @@ -430,7 +430,7 @@ nssCKFWMechanism_GetCanDerive CK_RV *pError ) { - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DeriveKey) { + if (!fwMechanism->mdMechanism->DeriveKey) { return CK_FALSE; } return CK_TRUE; @@ -462,11 +462,11 @@ nssCKFWMechanism_EncryptInit fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, NSSCKFWCryptoOperationState_EncryptDecrypt); - if ((NSSCKFWCryptoOperation *)NULL != fwOperation) { + if (fwOperation) { return CKR_OPERATION_ACTIVE; } - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->EncryptInit) { + if (!fwMechanism->mdMechanism->EncryptInit) { return CKR_FUNCTION_FAILED; } @@ -486,7 +486,7 @@ nssCKFWMechanism_EncryptInit fwObject, &error ); - if ((NSSCKMDCryptoOperation *)NULL == mdOperation) { + if (!mdOperation) { goto loser; } 
@@ -494,7 +494,7 @@ nssCKFWMechanism_EncryptInit mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken, fwMechanism->mdInstance, fwMechanism->fwInstance, NSSCKFWCryptoOperationType_Encrypt, &error); - if ((NSSCKFWCryptoOperation *)NULL != fwOperation) { + if (fwOperation) { nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation, NSSCKFWCryptoOperationState_EncryptDecrypt); } @@ -525,11 +525,11 @@ nssCKFWMechanism_DecryptInit fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, NSSCKFWCryptoOperationState_EncryptDecrypt); - if ((NSSCKFWCryptoOperation *)NULL != fwOperation) { + if (fwOperation) { return CKR_OPERATION_ACTIVE; } - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DecryptInit) { + if (!fwMechanism->mdMechanism->DecryptInit) { return CKR_FUNCTION_FAILED; } @@ -549,7 +549,7 @@ nssCKFWMechanism_DecryptInit fwObject, &error ); - if ((NSSCKMDCryptoOperation *)NULL == mdOperation) { + if (!mdOperation) { goto loser; } @@ -557,7 +557,7 @@ nssCKFWMechanism_DecryptInit mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken, fwMechanism->mdInstance, fwMechanism->fwInstance, NSSCKFWCryptoOperationType_Decrypt, &error); - if ((NSSCKFWCryptoOperation *)NULL != fwOperation) { + if (fwOperation) { nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation, NSSCKFWCryptoOperationState_EncryptDecrypt); } @@ -586,11 +586,11 @@ nssCKFWMechanism_DigestInit fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, NSSCKFWCryptoOperationState_Digest); - if ((NSSCKFWCryptoOperation *)NULL != fwOperation) { + if (fwOperation) { return CKR_OPERATION_ACTIVE; } - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DigestInit) { + if (!fwMechanism->mdMechanism->DigestInit) { return CKR_FUNCTION_FAILED; } @@ -607,7 +607,7 @@ nssCKFWMechanism_DigestInit fwMechanism->fwInstance, &error ); - if ((NSSCKMDCryptoOperation *)NULL == mdOperation) { + if (!mdOperation) { goto loser; } 
@@ -615,7 +615,7 @@ nssCKFWMechanism_DigestInit mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken, fwMechanism->mdInstance, fwMechanism->fwInstance, NSSCKFWCryptoOperationType_Digest, &error); - if ((NSSCKFWCryptoOperation *)NULL != fwOperation) { + if (fwOperation) { nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation, NSSCKFWCryptoOperationState_Digest); } @@ -646,11 +646,11 @@ nssCKFWMechanism_SignInit fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, NSSCKFWCryptoOperationState_SignVerify); - if ((NSSCKFWCryptoOperation *)NULL != fwOperation) { + if (fwOperation) { return CKR_OPERATION_ACTIVE; } - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->SignInit) { + if (!fwMechanism->mdMechanism->SignInit) { return CKR_FUNCTION_FAILED; } @@ -670,7 +670,7 @@ nssCKFWMechanism_SignInit fwObject, &error ); - if ((NSSCKMDCryptoOperation *)NULL == mdOperation) { + if (!mdOperation) { goto loser; } @@ -678,7 +678,7 @@ nssCKFWMechanism_SignInit mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken, fwMechanism->mdInstance, fwMechanism->fwInstance, NSSCKFWCryptoOperationType_Sign, &error); - if ((NSSCKFWCryptoOperation *)NULL != fwOperation) { + if (fwOperation) { nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation, NSSCKFWCryptoOperationState_SignVerify); } @@ -709,11 +709,11 @@ nssCKFWMechanism_VerifyInit fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, NSSCKFWCryptoOperationState_SignVerify); - if ((NSSCKFWCryptoOperation *)NULL != fwOperation) { + if (fwOperation) { return CKR_OPERATION_ACTIVE; } - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->VerifyInit) { + if (!fwMechanism->mdMechanism->VerifyInit) { return CKR_FUNCTION_FAILED; } @@ -733,7 +733,7 @@ nssCKFWMechanism_VerifyInit fwObject, &error ); - if ((NSSCKMDCryptoOperation *)NULL == mdOperation) { + if (!mdOperation) { goto loser; } 
@@ -741,7 +741,7 @@ nssCKFWMechanism_VerifyInit mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken, fwMechanism->mdInstance, fwMechanism->fwInstance, NSSCKFWCryptoOperationType_Verify, &error); - if ((NSSCKFWCryptoOperation *)NULL != fwOperation) { + if (fwOperation) { nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation, NSSCKFWCryptoOperationState_SignVerify); } @@ -772,11 +772,11 @@ nssCKFWMechanism_SignRecoverInit fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, NSSCKFWCryptoOperationState_SignVerify); - if ((NSSCKFWCryptoOperation *)NULL != fwOperation) { + if (fwOperation) { return CKR_OPERATION_ACTIVE; } - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->SignRecoverInit) { + if (!fwMechanism->mdMechanism->SignRecoverInit) { return CKR_FUNCTION_FAILED; } @@ -796,7 +796,7 @@ nssCKFWMechanism_SignRecoverInit fwObject, &error ); - if ((NSSCKMDCryptoOperation *)NULL == mdOperation) { + if (!mdOperation) { goto loser; } @@ -804,7 +804,7 @@ nssCKFWMechanism_SignRecoverInit mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken, fwMechanism->mdInstance, fwMechanism->fwInstance, NSSCKFWCryptoOperationType_SignRecover, &error); - if ((NSSCKFWCryptoOperation *)NULL != fwOperation) { + if (fwOperation) { nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation, NSSCKFWCryptoOperationState_SignVerify); } @@ -835,11 +835,11 @@ nssCKFWMechanism_VerifyRecoverInit fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, NSSCKFWCryptoOperationState_SignVerify); - if ((NSSCKFWCryptoOperation *)NULL != fwOperation) { + if (fwOperation) { return CKR_OPERATION_ACTIVE; } - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->VerifyRecoverInit) { + if (!fwMechanism->mdMechanism->VerifyRecoverInit) { return CKR_FUNCTION_FAILED; } @@ -859,7 +859,7 @@ nssCKFWMechanism_VerifyRecoverInit fwObject, &error ); - if ((NSSCKMDCryptoOperation *)NULL == mdOperation) { + if (!mdOperation) { goto loser; } 
@@ -867,7 +867,7 @@ nssCKFWMechanism_VerifyRecoverInit mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken, fwMechanism->mdInstance, fwMechanism->fwInstance, NSSCKFWCryptoOperationType_VerifyRecover, &error); - if ((NSSCKFWCryptoOperation *)NULL != fwOperation) { + if (fwOperation) { nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation, NSSCKFWCryptoOperationState_SignVerify); } @@ -895,13 +895,13 @@ nssCKFWMechanism_GenerateKey NSSCKFWObject *fwObject = NULL; NSSArena *arena; - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GenerateKey) { + if (!fwMechanism->mdMechanism->GenerateKey) { *pError = CKR_FUNCTION_FAILED; return (NSSCKFWObject *)NULL; } arena = nssCKFWToken_GetArena(fwMechanism->fwToken, pError); - if ((NSSArena *)NULL == arena) { + if (!arena) { if (CKR_OK == *pError) { *pError = CKR_GENERAL_ERROR; } @@ -923,7 +923,7 @@ nssCKFWMechanism_GenerateKey ulAttributeCount, pError); - if ((NSSCKMDObject *)NULL == mdObject) { + if (!mdObject) { return (NSSCKFWObject *)NULL; } @@ -956,12 +956,12 @@ nssCKFWMechanism_GenerateKeyPair NSSArena *arena; CK_RV error = CKR_OK; - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GenerateKey) { + if (!fwMechanism->mdMechanism->GenerateKey) { return CKR_FUNCTION_FAILED; } arena = nssCKFWToken_GetArena(fwMechanism->fwToken, &error); - if ((NSSArena *)NULL == arena) { + if (!arena) { if (CKR_OK == error) { error = CKR_GENERAL_ERROR; } @@ -992,7 +992,7 @@ nssCKFWMechanism_GenerateKeyPair *fwPublicKeyObject = nssCKFWObject_Create(arena, mdPublicKeyObject, fwSession, fwMechanism->fwToken, fwMechanism->fwInstance, &error); - if ((NSSCKFWObject *)NULL == *fwPublicKeyObject) { + if (!*fwPublicKeyObject) { return error; } *fwPrivateKeyObject = nssCKFWObject_Create(arena, mdPrivateKeyObject, 
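Review bot: nssCKFWMechanism_GenerateKeyPair (hunk `@@ -956,12 +956,12 @@`) tests `mdMechanism->GenerateKey` rather than `mdMechanism->GenerateKeyPair`, whereas nssCKFWMechanism_GetCanGenerateKeyPair earlier in this file tests `GenerateKeyPair`. The call that follows the guard is outside the hunk, but if it goes through `GenerateKeyPair`, a module implementing only GenerateKey passes this check and the framework then calls a NULL pointer. The guard should read `if (!fwMechanism->mdMechanism->GenerateKeyPair) {`.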
@@ -1019,7 +1019,7 @@ nssCKFWMechanism_GetWrapKeyLength NSSCKMDObject *mdWrappingKeyObject; NSSCKMDObject *mdKeyObject; - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->WrapKey) { + if (!fwMechanism->mdMechanism->WrapKey) { *pError = CKR_FUNCTION_FAILED; return (CK_ULONG) 0; } @@ -1062,7 +1062,7 @@ nssCKFWMechanism_WrapKey NSSCKMDObject *mdWrappingKeyObject; NSSCKMDObject *mdKeyObject; - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->WrapKey) { + if (!fwMechanism->mdMechanism->WrapKey) { return CKR_FUNCTION_FAILED; } @@ -1108,7 +1108,7 @@ nssCKFWMechanism_UnwrapKey NSSCKFWObject *fwObject = NULL; NSSArena *arena; - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->UnwrapKey) { + if (!fwMechanism->mdMechanism->UnwrapKey) { /* we could simulate UnwrapKey using Decrypt and Create object, but * 1) it's not clear that would work well, and 2) the low level token * may want to restrict unwrap key for a reason, so just fail it it @@ -1118,7 +1118,7 @@ nssCKFWMechanism_UnwrapKey } arena = nssCKFWToken_GetArena(fwMechanism->fwToken, pError); - if ((NSSArena *)NULL == arena) { + if (!arena) { if (CKR_OK == *pError) { *pError = CKR_GENERAL_ERROR; } @@ -1144,7 +1144,7 @@ nssCKFWMechanism_UnwrapKey ulAttributeCount, pError); - if ((NSSCKMDObject *)NULL == mdObject) { + if (!mdObject) { return (NSSCKFWObject *)NULL; } @@ -1175,13 +1175,13 @@ nssCKFWMechanism_DeriveKey NSSCKFWObject *fwObject = NULL; NSSArena *arena; - if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DeriveKey) { + if (!fwMechanism->mdMechanism->DeriveKey) { *pError = CKR_FUNCTION_FAILED; return (NSSCKFWObject *)NULL; } arena = nssCKFWToken_GetArena(fwMechanism->fwToken, pError); - if ((NSSArena *)NULL == arena) { + if (!arena) { if (CKR_OK == *pError) { *pError = CKR_GENERAL_ERROR; } @@ -1206,7 +1206,7 @@ nssCKFWMechanism_DeriveKey ulAttributeCount, pError); - if ((NSSCKMDObject *)NULL == mdObject) { + if (!mdObject) { return (NSSCKFWObject *)NULL; } 
diff --git a/security/nss/lib/ckfw/mutex.c b/security/nss/lib/ckfw/mutex.c index 8701d18025f..406ad8d245f 100644 --- a/security/nss/lib/ckfw/mutex.c +++ b/security/nss/lib/ckfw/mutex.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: mutex.c,v $ $Revision: 1.8 $ $Date: 2008/06/06 01:15:32 $"; +static const char CVS_ID[] = "@(#) $RCSfile: mutex.c,v $ $Revision: 1.9 $ $Date: 2009/02/09 07:55:52 $"; #endif /* DEBUG */ /* @@ -127,7 +127,7 @@ nssCKFWMutex_Create NSSCKFWMutex *mutex; mutex = nss_ZNEW(arena, NSSCKFWMutex); - if( (NSSCKFWMutex *)NULL == mutex ) { + if (!mutex) { *pError = CKR_HOST_MEMORY; return (NSSCKFWMutex *)NULL; } diff --git a/security/nss/lib/ckfw/object.c b/security/nss/lib/ckfw/object.c index 740a0591b93..5879d1d6947 100644 --- a/security/nss/lib/ckfw/object.c +++ b/security/nss/lib/ckfw/object.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: object.c,v $ $Revision: 1.15 $ $Date: 2007/12/12 00:41:37 $"; +static const char CVS_ID[] = "@(#) $RCSfile: object.c,v $ $Revision: 1.16 $ $Date: 2009/02/09 07:55:53 $"; #endif /* DEBUG */ /* @@ -159,7 +159,7 @@ nssCKFWObject_Create nssCKFWHash *mdObjectHash; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSCKFWObject *)NULL; } @@ -169,12 +169,12 @@ nssCKFWObject_Create } #endif /* NSSDEBUG */ - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { *pError = CKR_ARGUMENTS_BAD; return (NSSCKFWObject *)NULL; } mdObjectHash = nssCKFWToken_GetMDObjectHash(fwToken); - if( (nssCKFWHash *)NULL == mdObjectHash ) { + if (!mdObjectHash) { *pError = CKR_GENERAL_ERROR; return (NSSCKFWObject *)NULL; } @@ -185,7 +185,7 @@ nssCKFWObject_Create } fwObject = nss_ZNEW(arena, NSSCKFWObject); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { *pError = CKR_HOST_MEMORY; return (NSSCKFWObject *)NULL; } 
@@ -194,7 +194,7 @@ nssCKFWObject_Create fwObject->mdObject = mdObject; fwObject->fwSession = fwSession; - if( (NSSCKFWSession *)NULL != fwSession ) { + if (fwSession) { fwObject->mdSession = nssCKFWSession_GetMDSession(fwSession); } @@ -203,7 +203,7 @@ nssCKFWObject_Create fwObject->fwInstance = fwInstance; fwObject->mdInstance = nssCKFWInstance_GetMDInstance(fwInstance); fwObject->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError); - if( (NSSCKFWMutex *)NULL == fwObject->mutex ) { + if (!fwObject->mutex) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -250,7 +250,7 @@ nssCKFWObject_Finalize (void)nssCKFWMutex_Destroy(fwObject->mutex); - if( (void *)NULL != (void *)fwObject->mdObject->Finalize ) { + if (fwObject->mdObject->Finalize) { fwObject->mdObject->Finalize(fwObject->mdObject, fwObject, fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance); @@ -258,7 +258,7 @@ nssCKFWObject_Finalize if (removeFromHash) { mdObjectHash = nssCKFWToken_GetMDObjectHash(fwObject->fwToken); - if( (nssCKFWHash *)NULL != mdObjectHash ) { + if (mdObjectHash) { nssCKFWHash_Remove(mdObjectHash, fwObject->mdObject); } } @@ -295,14 +295,14 @@ nssCKFWObject_Destroy (void)nssCKFWMutex_Destroy(fwObject->mutex); - if( (void *)NULL != (void *)fwObject->mdObject->Destroy ) { + if (fwObject->mdObject->Destroy) { fwObject->mdObject->Destroy(fwObject->mdObject, fwObject, fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance); } mdObjectHash = nssCKFWToken_GetMDObjectHash(fwObject->fwToken); - if( (nssCKFWHash *)NULL != mdObjectHash ) { + if (mdObjectHash) { nssCKFWHash_Remove(mdObjectHash, fwObject->mdObject); } @@ -349,7 +349,7 @@ nssCKFWObject_GetArena ) { #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSArena *)NULL; } 
@@ -430,7 +430,7 @@ nssCKFWObject_IsTokenObject } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwObject->mdObject->IsTokenObject ) { + if (!fwObject->mdObject->IsTokenObject) { NSSItem item; NSSItem *pItem; CK_RV rv = CKR_OK; @@ -440,7 +440,7 @@ nssCKFWObject_IsTokenObject pItem = nssCKFWObject_GetAttribute(fwObject, CKA_TOKEN, &item, (NSSArena *)NULL, &rv); - if( (NSSItem *)NULL == pItem ) { + if (!pItem) { /* Error of some type */ b = CK_FALSE; goto done; @@ -471,7 +471,7 @@ nssCKFWObject_GetAttributeCount CK_ULONG rv; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (CK_ULONG)0; } @@ -481,7 +481,7 @@ nssCKFWObject_GetAttributeCount } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeCount ) { + if (!fwObject->mdObject->GetAttributeCount) { *pError = CKR_GENERAL_ERROR; return (CK_ULONG)0; } @@ -525,7 +525,7 @@ nssCKFWObject_GetAttributeTypes } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeTypes ) { + if (!fwObject->mdObject->GetAttributeTypes) { return CKR_GENERAL_ERROR; } @@ -558,7 +558,7 @@ nssCKFWObject_GetAttributeSize CK_ULONG rv; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (CK_ULONG)0; } @@ -568,7 +568,7 @@ nssCKFWObject_GetAttributeSize } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeSize ) { + if (!fwObject->mdObject->GetAttributeSize) { *pError = CKR_GENERAL_ERROR; return (CK_ULONG )0; } @@ -611,7 +611,7 @@ nssCKFWObject_GetAttribute NSSCKFWItem mdItem; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSItem *)NULL; } @@ -621,7 +621,7 @@ nssCKFWObject_GetAttribute } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwObject->mdObject->GetAttribute ) { + if (!fwObject->mdObject->GetAttribute) { *pError = CKR_GENERAL_ERROR; return (NSSItem *)NULL; } 
@@ -636,7 +636,7 @@ nssCKFWObject_GetAttribute fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance, attribute, pError); - if( (NSSItem *)NULL == mdItem.item ) { + if (!mdItem.item) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -644,9 +644,9 @@ nssCKFWObject_GetAttribute goto done; } - if( (NSSItem *)NULL == itemOpt ) { + if (!itemOpt) { rv = nss_ZNEW(arenaOpt, NSSItem); - if( (NSSItem *)NULL == rv ) { + if (!rv) { *pError = CKR_HOST_MEMORY; goto done; } @@ -654,12 +654,12 @@ nssCKFWObject_GetAttribute rv = itemOpt; } - if( (void *)NULL == rv->data ) { + if (!rv->data) { rv->size = mdItem.item->size; rv->data = nss_ZAlloc(arenaOpt, rv->size); - if( (void *)NULL == rv->data ) { + if (!rv->data) { *pError = CKR_HOST_MEMORY; - if( (NSSItem *)NULL == itemOpt ) { + if (!itemOpt) { nss_ZFreeIf(rv); } rv = (NSSItem *)NULL; @@ -729,7 +729,7 @@ nssCKFWObject_SetAttribute newFwObject = nssCKFWSession_CopyObject(fwSession, fwObject, &a, 1, &error); - if( (NSSCKFWObject *)NULL == newFwObject ) { + if (!newFwObject) { if( CKR_OK == error ) { error = CKR_GENERAL_ERROR; } @@ -799,7 +799,7 @@ nssCKFWObject_SetAttribute /* * An "ordinary" change. */ - if( (void *)NULL == (void *)fwObject->mdObject->SetAttribute ) { + if (!fwObject->mdObject->SetAttribute) { /* We could fake it with copying, like above.. later */ return CKR_ATTRIBUTE_READ_ONLY; } @@ -834,7 +834,7 @@ nssCKFWObject_GetObjectSize CK_ULONG rv; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (CK_ULONG)0; } @@ -844,7 +844,7 @@ nssCKFWObject_GetObjectSize } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwObject->mdObject->GetObjectSize ) { + if (!fwObject->mdObject->GetObjectSize) { *pError = CKR_INFORMATION_SENSITIVE; return (CK_ULONG)0; } @@ -894,7 +894,7 @@ NSSCKFWObject_GetArena ) { #ifdef DEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSArena *)NULL; } 
@@ -938,7 +938,7 @@ NSSCKFWObject_GetAttributeCount ) { #ifdef DEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (CK_ULONG)0; } @@ -992,7 +992,7 @@ NSSCKFWObject_GetAttributeSize ) { #ifdef DEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (CK_ULONG)0; } @@ -1020,7 +1020,7 @@ NSSCKFWObject_GetAttribute ) { #ifdef DEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSItem *)NULL; } @@ -1045,7 +1045,7 @@ NSSCKFWObject_GetObjectSize ) { #ifdef DEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (CK_ULONG)0; } diff --git a/security/nss/lib/ckfw/session.c b/security/nss/lib/ckfw/session.c index f6f8a4af88f..0dd32b4f65b 100644 --- a/security/nss/lib/ckfw/session.c +++ b/security/nss/lib/ckfw/session.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: session.c,v $ $Revision: 1.12 $ $Date: 2007/10/06 01:41:28 $"; +static const char CVS_ID[] = "@(#) $RCSfile: session.c,v $ $Revision: 1.13 $ $Date: 2009/02/09 07:55:53 $"; #endif /* DEBUG */ /* @@ -179,7 +179,7 @@ nssCKFWSession_Create NSSCKFWSlot *fwSlot; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSCKFWSession *)NULL; } @@ -190,13 +190,13 @@ nssCKFWSession_Create #endif /* NSSDEBUG */ arena = NSSArena_Create(); - if( (NSSArena *)NULL == arena ) { + if (!arena) { *pError = CKR_HOST_MEMORY; return (NSSCKFWSession *)NULL; } fwSession = nss_ZNEW(arena, NSSCKFWSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { *pError = CKR_HOST_MEMORY; goto loser; } @@ -217,7 +217,7 @@ nssCKFWSession_Create fwSession->fwFindObjects = (NSSCKFWFindObjects *)NULL; fwSession->sessionObjectHash = nssCKFWHash_Create(fwSession->fwInstance, arena, pError); - if( (nssCKFWHash *)NULL == fwSession->sessionObjectHash ) { + if (!fwSession->sessionObjectHash) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } 
@@ -234,8 +234,8 @@ nssCKFWSession_Create return fwSession; loser: - if( (NSSArena *)NULL != arena ) { - if( fwSession && (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) { + if (arena) { + if (fwSession && fwSession->sessionObjectHash) { (void)nssCKFWHash_Destroy(fwSession->sessionObjectHash); } NSSArena_Destroy(arena); @@ -294,7 +294,7 @@ nssCKFWSession_Destroy (void *)NULL); for (i=0; i < NSSCKFWCryptoOperationState_Max; i++) { - if ((NSSCKFWCryptoOperation *)NULL != fwSession->fwOperationArray[i]) { + if (fwSession->fwOperationArray[i]) { nssCKFWCryptoOperation_Destroy(fwSession->fwOperationArray[i]); } } @@ -339,7 +339,7 @@ nssCKFWSession_GetArena ) { #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSArena *)NULL; } @@ -500,8 +500,8 @@ nssCKFWSession_SetFWFindObjects /* fwFindObjects may be null */ #endif /* NSSDEBUG */ - if( ((NSSCKFWFindObjects *)NULL != fwSession->fwFindObjects) && - ((NSSCKFWFindObjects *)NULL != fwFindObjects) ) { + if ((fwSession->fwFindObjects) && + (fwFindObjects)) { return CKR_OPERATION_ACTIVE; } @@ -522,7 +522,7 @@ nssCKFWSession_GetFWFindObjects ) { #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSCKFWFindObjects *)NULL; } @@ -532,7 +532,7 @@ nssCKFWSession_GetFWFindObjects } #endif /* NSSDEBUG */ - if( (NSSCKFWFindObjects *)NULL == fwSession->fwFindObjects ) { + if (!fwSession->fwFindObjects) { *pError = CKR_OPERATION_NOT_INITIALIZED; return (NSSCKFWFindObjects *)NULL; } @@ -561,12 +561,12 @@ nssCKFWSession_SetMDSession return error; } - if( (NSSCKMDSession *)NULL == mdSession ) { + if (!mdSession) { return CKR_ARGUMENTS_BAD; } #endif /* NSSDEBUG */ - if( (NSSCKMDSession *)NULL != fwSession->mdSession ) { + if (fwSession->mdSession) { return CKR_GENERAL_ERROR; } 
@@ -644,7 +644,7 @@ nssCKFWSession_RegisterSessionObject } #endif /* NSSDEBUG */ - if( (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) { + if (fwSession->sessionObjectHash) { rv = nssCKFWHash_Add(fwSession->sessionObjectHash, fwObject, fwObject); } @@ -668,7 +668,7 @@ nssCKFWSession_DeregisterSessionObject } #endif /* NSSDEBUG */ - if( (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) { + if (fwSession->sessionObjectHash) { nssCKFWHash_Remove(fwSession->sessionObjectHash, fwObject); } @@ -690,12 +690,12 @@ nssCKFWSession_GetDeviceError return (CK_ULONG)0; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return (CK_ULONG)0; } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwSession->mdSession->GetDeviceError ) { + if (!fwSession->mdSession->GetDeviceError) { return (CK_ULONG)0; } @@ -734,13 +734,13 @@ nssCKFWSession_Login return CKR_USER_TYPE_INVALID; } - if( (NSSItem *)NULL == pin ) { + if (!pin) { if( CK_TRUE != nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken) ) { return CKR_ARGUMENTS_BAD; } } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return CKR_GENERAL_ERROR; } #endif /* NSSDEBUG */ @@ -802,7 +802,7 @@ nssCKFWSession_Login * Old == CKS_RO_PUBLIC_SESSION, New == CKS_RO_USER_FUNCTIONS; */ - if( (void *)NULL == (void *)fwSession->mdSession->Login ) { + if (!fwSession->mdSession->Login) { /* * The Module doesn't want to be informed (or check the pin) * it'll just rely on the Framework as needed. @@ -841,7 +841,7 @@ nssCKFWSession_Logout return error; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return CKR_GENERAL_ERROR; } #endif /* NSSDEBUG */ @@ -874,7 +874,7 @@ nssCKFWSession_Logout * Old == CKS_RO_USER_FUNCTIONS, New == CKS_RO_PUBLIC_SESSION; */ - if( (void *)NULL == (void *)fwSession->mdSession->Logout ) { + if (!fwSession->mdSession->Logout) { /* * The Module doesn't want to be informed. Okay. */ 
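Review bot: In nssCKFWSession_Login (hunk `@@ -734,13 +734,13 @@`) the `if (!pin)` check sits above `#endif /* NSSDEBUG */`, so it appears to be compiled only into debug builds. nssCKFWSession_InitPIN and nssCKFWSession_SetPIN later in this diff perform the same NULL-PIN / protected-authentication-path check after their `#endif`, so the three entry points disagree. In a non-debug build a NULL `pin` for a token without a protected authentication path would reach the module's Login unchecked; moving the `if (!pin) { ... return CKR_ARGUMENTS_BAD; }` block below the `#endif` would align Login with the other two. The opening `#ifdef` is outside the hunk, so confirm the block really is inside the conditional.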
@@ -916,7 +916,7 @@ nssCKFWSession_InitPIN return error; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return CKR_GENERAL_ERROR; } #endif /* NSSDEBUG */ @@ -926,14 +926,14 @@ nssCKFWSession_InitPIN return CKR_USER_NOT_LOGGED_IN; } - if( (NSSItem *)NULL == pin ) { + if (!pin) { CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken); if( CK_TRUE != has ) { return CKR_ARGUMENTS_BAD; } } - if( (void *)NULL == (void *)fwSession->mdSession->InitPIN ) { + if (!fwSession->mdSession->InitPIN) { return CKR_TOKEN_WRITE_PROTECTED; } @@ -964,26 +964,26 @@ nssCKFWSession_SetPIN return error; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return CKR_GENERAL_ERROR; } #endif /* NSSDEBUG */ - if( (NSSItem *)NULL == newPin ) { + if (!newPin) { CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken); if( CK_TRUE != has ) { return CKR_ARGUMENTS_BAD; } } - if( (NSSItem *)NULL == oldPin ) { + if (!oldPin) { CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken); if( CK_TRUE != has ) { return CKR_ARGUMENTS_BAD; } } - if( (void *)NULL == (void *)fwSession->mdSession->SetPIN ) { + if (!fwSession->mdSession->SetPIN) { return CKR_TOKEN_WRITE_PROTECTED; } @@ -1009,7 +1009,7 @@ nssCKFWSession_GetOperationStateLen CK_ULONG fwAmt; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (CK_ULONG)0; } @@ -1018,13 +1018,13 @@ nssCKFWSession_GetOperationStateLen return (CK_ULONG)0; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { *pError = CKR_GENERAL_ERROR; return (CK_ULONG)0; } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwSession->mdSession->GetOperationStateLen ) { + if (!fwSession->mdSession->GetOperationStateLen) { *pError = CKR_STATE_UNSAVEABLE; return (CK_ULONG)0; } 
@@ -1072,20 +1072,20 @@ nssCKFWSession_GetOperationState return error; } - if( (NSSItem *)NULL == buffer ) { + if (!buffer) { return CKR_ARGUMENTS_BAD; } - if( (void *)NULL == buffer->data ) { + if (!buffer->data) { return CKR_ARGUMENTS_BAD; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return CKR_GENERAL_ERROR; } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwSession->mdSession->GetOperationState ) { + if (!fwSession->mdSession->GetOperationState) { return CKR_STATE_UNSAVEABLE; } @@ -1159,29 +1159,29 @@ nssCKFWSession_SetOperationState return error; } - if( (NSSItem *)NULL == state ) { + if (!state) { return CKR_ARGUMENTS_BAD; } - if( (void *)NULL == state->data ) { + if (!state->data) { return CKR_ARGUMENTS_BAD; } - if( (NSSCKFWObject *)NULL != encryptionKey ) { + if (encryptionKey) { error = nssCKFWObject_verifyPointer(encryptionKey); if( CKR_OK != error ) { return error; } } - if( (NSSCKFWObject *)NULL != authenticationKey ) { + if (authenticationKey) { error = nssCKFWObject_verifyPointer(authenticationKey); if( CKR_OK != error ) { return error; } } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return CKR_GENERAL_ERROR; } #endif /* NSSDEBUG */ @@ -1200,20 +1200,20 @@ nssCKFWSession_SetOperationState return CKR_SAVED_STATE_INVALID; } - if( (void *)NULL == (void *)fwSession->mdSession->SetOperationState ) { + if (!fwSession->mdSession->SetOperationState) { return CKR_GENERAL_ERROR; } s.size = state->size - 2*sizeof(CK_ULONG); s.data = (void *)&ulBuffer[2]; - if( (NSSCKFWObject *)NULL != encryptionKey ) { + if (encryptionKey) { mdek = nssCKFWObject_GetMDObject(encryptionKey); } else { mdek = (NSSCKMDObject *)NULL; } - if( (NSSCKFWObject *)NULL != authenticationKey ) { + if (authenticationKey) { mdak = nssCKFWObject_GetMDObject(authenticationKey); } else { mdak = (NSSCKMDObject *)NULL; 
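Review bot: In the -1200 hunk of nssCKFWSession_SetOperationState, `s.size = state->size - 2*sizeof(CK_ULONG);` wraps to a very large value when `state->size` is smaller than two CK_ULONGs, and no lower bound on `state->size` is visible in this hunk or in the -1159 hunk. The saved state is supplied by the caller, so a guard such as `if (state->size < 2*sizeof(CK_ULONG)) { return CKR_SAVED_STATE_INVALID; }` should run before `ulBuffer` is indexed. The validation that ends in `return CKR_SAVED_STATE_INVALID;` begins outside the hunk, so confirm it does not already cover this case.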
@@ -1278,7 +1278,7 @@ nssCKFWSession_CreateObject CK_BBOOL isTokenObject; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSCKFWObject *)NULL; } @@ -1292,7 +1292,7 @@ nssCKFWSession_CreateObject return (NSSCKFWObject *)NULL; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { *pError = CKR_GENERAL_ERROR; return (NSSCKFWObject *)NULL; } @@ -1306,13 +1306,13 @@ nssCKFWSession_CreateObject if( CK_TRUE == isTokenObject ) { /* === TOKEN OBJECT === */ - if( (void *)NULL == (void *)fwSession->mdSession->CreateObject ) { + if (!fwSession->mdSession->CreateObject) { *pError = CKR_TOKEN_WRITE_PROTECTED; return (NSSCKFWObject *)NULL; } arena = nssCKFWToken_GetArena(fwSession->fwToken, pError); - if( (NSSArena *)NULL == arena ) { + if (!arena) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -1324,7 +1324,7 @@ nssCKFWSession_CreateObject /* === SESSION OBJECT === */ arena = nssCKFWSession_GetArena(fwSession, pError); - if( (NSSArena *)NULL == arena ) { + if (!arena) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -1335,7 +1335,7 @@ nssCKFWSession_CreateObject fwSession->fwInstance) ) { /* --- module handles the session object -- */ - if( (void *)NULL == (void *)fwSession->mdSession->CreateObject ) { + if (!fwSession->mdSession->CreateObject) { *pError = CKR_GENERAL_ERROR; return (NSSCKFWObject *)NULL; } @@ -1356,7 +1356,7 @@ nssCKFWSession_CreateObject ulAttributeCount, pError); gotmdobject: - if( (NSSCKMDObject *)NULL == mdObject ) { + if (!mdObject) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } 
@@ -1366,12 +1366,12 @@ nssCKFWSession_CreateObject fwObject = nssCKFWObject_Create(arena, mdObject, isTokenObject ? NULL : fwSession, fwSession->fwToken, fwSession->fwInstance, pError); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } - if( (void *)NULL != (void *)mdObject->Destroy ) { + if (mdObject->Destroy) { (void)mdObject->Destroy(mdObject, (NSSCKFWObject *)NULL, fwSession->mdSession, fwSession, fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance, fwSession->fwInstance); @@ -1413,7 +1413,7 @@ nssCKFWSession_CopyObject NSSCKFWObject *rv; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSCKFWObject *)NULL; } @@ -1427,7 +1427,7 @@ nssCKFWSession_CopyObject return (NSSCKFWObject *)NULL; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { *pError = CKR_GENERAL_ERROR; return (NSSCKFWObject *)NULL; } @@ -1437,7 +1437,7 @@ nssCKFWSession_CopyObject * Sanity-check object */ - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { *pError = CKR_ARGUMENTS_BAD; return (NSSCKFWObject *)NULL; } @@ -1458,7 +1458,7 @@ nssCKFWSession_CopyObject * and old object are token objects, use CopyObject if it exists. */ - if( ((void *)NULL != (void *)fwSession->mdSession->CopyObject) && + if ((fwSession->mdSession->CopyObject) && (((CK_TRUE == oldIsToken) && (CK_TRUE == newIsToken)) || (CK_TRUE == nssCKFWInstance_GetModuleHandlesSessionObjects( fwSession->fwInstance))) ) { @@ -1474,7 +1474,7 @@ nssCKFWSession_CopyObject } else { arena = nssCKFWSession_GetArena(fwSession, pError); } - if( (NSSArena *)NULL == arena ) { + if (!arena) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } 
@@ -1485,7 +1485,7 @@ nssCKFWSession_CopyObject fwSession, fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance, fwSession->fwInstance, mdOldObject, fwObject, arena, pTemplate, ulAttributeCount, pError); - if( (NSSCKMDObject *)NULL == mdObject ) { + if (!mdObject) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -1516,7 +1516,7 @@ nssCKFWSession_CopyObject NSSCKFWObject *rv; tmpArena = NSSArena_Create(); - if( (NSSArena *)NULL == tmpArena ) { + if (!tmpArena) { *pError = CKR_HOST_MEMORY; return (NSSCKFWObject *)NULL; } @@ -1587,7 +1587,7 @@ nssCKFWSession_CopyObject item.data = (void *)NULL; it = nssCKFWObject_GetAttribute(fwObject, oldTypes[j], &item, tmpArena, pError); - if( (NSSItem *)NULL == it ) { + if (!it) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -1603,7 +1603,7 @@ nssCKFWSession_CopyObject /* assert that k == newLength */ rv = nssCKFWSession_CreateObject(fwSession, newTemplate, newLength, pError); - if( (NSSCKFWObject *)NULL == rv ) { + if (!rv) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -1633,7 +1633,7 @@ nssCKFWSession_FindObjectsInit NSSCKMDFindObjects *mdfo2 = (NSSCKMDFindObjects *)NULL; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSCKFWFindObjects *)NULL; } @@ -1647,7 +1647,7 @@ nssCKFWSession_FindObjectsInit return (NSSCKFWFindObjects *)NULL; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { *pError = CKR_GENERAL_ERROR; return (NSSCKFWFindObjects *)NULL; } @@ -1674,7 +1674,7 @@ nssCKFWSession_FindObjectsInit if( CK_TRUE == isToken ) { /* Pass it on to the module's search routine */ - if( (void *)NULL == (void *)fwSession->mdSession->FindObjectsInit ) { + if (!fwSession->mdSession->FindObjectsInit) { goto wrap; } @@ -1688,7 +1688,7 @@ nssCKFWSession_FindObjectsInit pTemplate, ulAttributeCount, pError); } - if( (NSSCKMDFindObjects *)NULL == mdfo1 ) { + if (!mdfo1) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } 
@@ -1706,7 +1706,7 @@ nssCKFWSession_FindObjectsInit fwSession->mdInstance, fwSession->fwInstance, pTemplate, ulAttributeCount, pError); - if( (NSSCKMDFindObjects *)NULL == mdfo1 ) { + if (!mdfo1) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -1715,11 +1715,11 @@ nssCKFWSession_FindObjectsInit mdfo2 = nssCKMDFindSessionObjects_Create(fwSession->fwToken, pTemplate, ulAttributeCount, pError); - if( (NSSCKMDFindObjects *)NULL == mdfo2 ) { + if (!mdfo2) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } - if( (void *)NULL != (void *)mdfo1->Final ) { + if (mdfo1->Final) { mdfo1->Final(mdfo1, (NSSCKFWFindObjects *)NULL, fwSession->mdSession, fwSession, fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance, fwSession->fwInstance); @@ -1737,7 +1737,7 @@ nssCKFWSession_FindObjectsInit fwSession->mdInstance, fwSession->fwInstance, pTemplate, ulAttributeCount, pError); - if( (NSSCKMDFindObjects *)NULL == mdfo1 ) { + if (!mdfo1) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -1771,11 +1771,11 @@ nssCKFWSession_SeedRandom return error; } - if( (NSSItem *)NULL == seed ) { + if (!seed) { return CKR_ARGUMENTS_BAD; } - if( (void *)NULL == seed->data ) { + if (!seed->data) { return CKR_ARGUMENTS_BAD; } @@ -1783,12 +1783,12 @@ nssCKFWSession_SeedRandom return CKR_ARGUMENTS_BAD; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return CKR_GENERAL_ERROR; } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwSession->mdSession->SeedRandom ) { + if (!fwSession->mdSession->SeedRandom) { return CKR_RANDOM_SEED_NOT_SUPPORTED; } 
@@ -1818,20 +1818,20 @@ nssCKFWSession_GetRandom return error; } - if( (NSSItem *)NULL == buffer ) { + if (!buffer) { return CKR_ARGUMENTS_BAD; } - if( (void *)NULL == buffer->data ) { + if (!buffer->data) { return CKR_ARGUMENTS_BAD; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return CKR_GENERAL_ERROR; } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwSession->mdSession->GetRandom ) { + if (!fwSession->mdSession->GetRandom) { if( CK_TRUE == nssCKFWToken_GetHasRNG(fwSession->fwToken) ) { return CKR_GENERAL_ERROR; } else { @@ -1873,7 +1873,7 @@ nssCKFWSession_SetCurrentCryptoOperation return; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return; } #endif /* NSSDEBUG */ @@ -1902,7 +1902,7 @@ nssCKFWSession_GetCurrentCryptoOperation return (NSSCKFWCryptoOperation *)NULL; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return (NSSCKFWCryptoOperation *)NULL; } #endif /* NSSDEBUG */ @@ -1932,14 +1932,14 @@ nssCKFWSession_Final return error; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return CKR_GENERAL_ERROR; } #endif /* NSSDEBUG */ /* make sure we have a valid operation initialized */ fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, state); - if ((NSSCKFWCryptoOperation *)NULL == fwOperation) { + if (!fwOperation) { return CKR_OPERATION_NOT_INITIALIZED; } @@ -2012,14 +2012,14 @@ nssCKFWSession_Update return error; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return CKR_GENERAL_ERROR; } #endif /* NSSDEBUG */ /* make sure we have a valid operation initialized */ fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, state); - if ((NSSCKFWCryptoOperation *)NULL == fwOperation) { + if (!fwOperation) { return CKR_OPERATION_NOT_INITIALIZED; } 
@@ -2077,14 +2077,14 @@ nssCKFWSession_DigestUpdate return error; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return CKR_GENERAL_ERROR; } #endif /* NSSDEBUG */ /* make sure we have a valid operation initialized */ fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, state); - if ((NSSCKFWCryptoOperation *)NULL == fwOperation) { + if (!fwOperation) { return CKR_OPERATION_NOT_INITIALIZED; } @@ -2121,7 +2121,7 @@ nssCKFWSession_DigestKey return error; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return CKR_GENERAL_ERROR; } #endif /* NSSDEBUG */ @@ -2129,7 +2129,7 @@ nssCKFWSession_DigestKey /* make sure we have a valid operation initialized */ fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, NSSCKFWCryptoOperationState_Digest); - if ((NSSCKFWCryptoOperation *)NULL == fwOperation) { + if (!fwOperation) { return CKR_OPERATION_NOT_INITIALIZED; } @@ -2146,7 +2146,7 @@ nssCKFWSession_DigestKey /* no machine depended way for this to happen, do it by hand */ inputBuffer=nssCKFWObject_GetAttribute(fwKey, CKA_VALUE, NULL, NULL, &error); - if ((NSSItem *)NULL == inputBuffer) { + if (!inputBuffer) { /* couldn't get the value, just fail then */ return error; } @@ -2182,14 +2182,14 @@ nssCKFWSession_UpdateFinal return error; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return CKR_GENERAL_ERROR; } #endif /* NSSDEBUG */ /* make sure we have a valid operation initialized */ fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, state); - if ((NSSCKFWCryptoOperation *)NULL == fwOperation) { + if (!fwOperation) { return CKR_OPERATION_NOT_INITIALIZED; } @@ -2289,7 +2289,7 @@ nssCKFWSession_UpdateCombo return error; } - if( (NSSCKMDSession *)NULL == fwSession->mdSession ) { + if (!fwSession->mdSession) { return CKR_GENERAL_ERROR; } #endif /* NSSDEBUG */ 
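Review bot: In nssCKFWSession_DigestKey (hunk at -2146) the failure path `if (!inputBuffer) { return error; }` returns whatever nssCKFWObject_GetAttribute left in `error`, which may still be CKR_OK, so the caller could see success although the key value was never fed to the digest. Other hunks in this patch guard exactly this case (CopyObject at -1587 sets CKR_GENERAL_ERROR when the error is still CKR_OK); I would add `if (CKR_OK == error) { error = CKR_GENERAL_ERROR; }` before the return. The initial value of `error` is outside the hunk.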
@@ -2297,7 +2297,7 @@ nssCKFWSession_UpdateCombo /* make sure we have a valid operation initialized */ fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, NSSCKFWCryptoOperationState_EncryptDecrypt); - if ((NSSCKFWCryptoOperation *)NULL == fwOperation) { + if (!fwOperation) { return CKR_OPERATION_NOT_INITIALIZED; } @@ -2308,7 +2308,7 @@ nssCKFWSession_UpdateCombo /* make sure we have a valid operation initialized */ fwPeerOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, digestState); - if ((NSSCKFWCryptoOperation *)NULL == fwPeerOperation) { + if (!fwPeerOperation) { return CKR_OPERATION_NOT_INITIALIZED; } @@ -2397,7 +2397,7 @@ NSSCKFWSession_GetArena ) { #ifdef DEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSArena *)NULL; } diff --git a/security/nss/lib/ckfw/sessobj.c b/security/nss/lib/ckfw/sessobj.c index 5463b7bfcb2..206f3d4f036 100644 --- a/security/nss/lib/ckfw/sessobj.c +++ b/security/nss/lib/ckfw/sessobj.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: sessobj.c,v $ $Revision: 1.13 $ $Date: 2007/01/05 00:23:14 $"; +static const char CVS_ID[] = "@(#) $RCSfile: sessobj.c,v $ $Revision: 1.14 $ $Date: 2009/02/09 07:55:53 $"; #endif /* DEBUG */ /* @@ -271,14 +271,14 @@ nssCKMDSessionObject_Create *pError = CKR_OK; mdso = nss_ZNEW(arena, nssCKMDSessionObject); - if( (nssCKMDSessionObject *)NULL == mdso ) { + if (!mdso) { goto loser; } mdso->arena = arena; mdso->n = ulCount; mdso->attributes = nss_ZNEWARRAY(arena, NSSItem, ulCount); - if( (NSSItem *)NULL == mdso->attributes ) { + if (!mdso->attributes) { goto loser; } 
@@ -290,7 +290,7 @@ nssCKMDSessionObject_Create mdso->types[i] = attributes[i].type; mdso->attributes[i].size = attributes[i].ulValueLen; mdso->attributes[i].data = nss_ZAlloc(arena, attributes[i].ulValueLen); - if( (void *)NULL == mdso->attributes[i].data ) { + if (!mdso->attributes[i].data) { goto loser; } (void)nsslibc_memcpy(mdso->attributes[i].data, attributes[i].pValue, @@ -298,7 +298,7 @@ nssCKMDSessionObject_Create } mdObject = nss_ZNEW(arena, NSSCKMDObject); - if( (NSSCKMDObject *)NULL == mdObject ) { + if (!mdObject) { goto loser; } @@ -314,7 +314,7 @@ nssCKMDSessionObject_Create mdObject->GetObjectSize = nss_ckmdSessionObject_GetObjectSize; hash = nssCKFWToken_GetSessionObjectHash(fwToken); - if( (nssCKFWHash *)NULL == hash ) { + if (!hash) { *pError = CKR_GENERAL_ERROR; goto loser; } @@ -335,8 +335,8 @@ nssCKMDSessionObject_Create return mdObject; loser: - if( (nssCKMDSessionObject *)NULL != mdso ) { - if( (NSSItem *)NULL != mdso->attributes ) { + if (mdso) { + if (mdso->attributes) { for( i = 0; i < ulCount; i++ ) { nss_ZFreeIf(mdso->attributes[i].data); } @@ -475,7 +475,7 @@ nss_ckmdSessionObject_GetAttributeCount nssCKMDSessionObject *obj; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return 0; } @@ -560,7 +560,7 @@ nss_ckmdSessionObject_GetAttributeSize CK_ULONG i; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return 0; } @@ -610,7 +610,7 @@ nss_ckmdSessionObject_GetAttribute item.needsFreeing = PR_FALSE; item.item = NULL; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return item; } @@ -684,7 +684,7 @@ nss_ckmdSessionObject_SetAttribute n.size = value->size; n.data = nss_ZAlloc(obj->arena, n.size); - if( (void *)NULL == n.data ) { + if (!n.data) { return CKR_HOST_MEMORY; } (void)nsslibc_memcpy(n.data, value->data, n.size); 
@@ -702,7 +702,7 @@ nss_ckmdSessionObject_SetAttribute */ ra = (NSSItem *)nss_ZRealloc(obj->attributes, sizeof(NSSItem) * (obj->n + 1)); - if( (NSSItem *)NULL == ra ) { + if (!ra) { nss_ZFreeIf(n.data); return CKR_HOST_MEMORY; } @@ -711,7 +711,7 @@ nss_ckmdSessionObject_SetAttribute if( (CK_ATTRIBUTE_TYPE_PTR)NULL == rt ) { nss_ZFreeIf(n.data); obj->attributes = (NSSItem *)nss_ZRealloc(ra, sizeof(NSSItem) * obj->n); - if( (NSSItem *)NULL == obj->attributes ) { + if (!obj->attributes) { return CKR_GENERAL_ERROR; } return CKR_HOST_MEMORY; @@ -749,7 +749,7 @@ nss_ckmdSessionObject_GetObjectSize CK_ULONG rv = (CK_ULONG)0; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return 0; } @@ -967,7 +967,7 @@ nssCKMDFindSessionObjects_Create NSSCKMDFindObjects *rv; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSCKMDFindObjects *)NULL; } @@ -985,19 +985,19 @@ nssCKMDFindSessionObjects_Create *pError = CKR_OK; hash = nssCKFWToken_GetSessionObjectHash(fwToken); - if( (nssCKFWHash *)NULL == hash ) { + if (!hash) { *pError= CKR_GENERAL_ERROR; return (NSSCKMDFindObjects *)NULL; } arena = NSSArena_Create(); - if( (NSSArena *)NULL == arena ) { + if (!arena) { *pError = CKR_HOST_MEMORY; return (NSSCKMDFindObjects *)NULL; } mdfso = nss_ZNEW(arena, nssCKMDFindSessionObjects); - if( (nssCKMDFindSessionObjects *)NULL == mdfso ) { + if (!mdfso) { goto loser; } @@ -1097,7 +1097,7 @@ nss_ckmdFindSessionObjects_Next mdfso = (nssCKMDFindSessionObjects *)mdFindObjects->etc; - while( (NSSCKMDObject *)NULL == rv ) { + while (!rv) { if( (struct nodeStr *)NULL == mdfso->list ) { *pError = CKR_OK; return (NSSCKMDObject *)NULL; diff --git a/security/nss/lib/ckfw/slot.c b/security/nss/lib/ckfw/slot.c index afa09404abb..01a1b96d1c0 100644 --- a/security/nss/lib/ckfw/slot.c +++ b/security/nss/lib/ckfw/slot.c 
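Review bot: In nss_ckmdSessionObject_SetAttribute (hunk at -711) the recovery path assigns the result of the shrinking `nss_ZRealloc(ra, ...)` directly to `obj->attributes`, so when that call fails the object keeps a NULL attribute array while `obj->n` is, as far as the hunk shows, unchanged, and the only pointer to the grown buffer `ra` is dropped. Assuming nss_ZRealloc leaves its argument intact on failure, keeping the grown buffer is safe: `shrunk = (NSSItem *)nss_ZRealloc(ra, sizeof(NSSItem) * obj->n);` followed by `obj->attributes = shrunk ? shrunk : ra;`, with `shrunk` declared at the top of the block, then return CKR_HOST_MEMORY as before. As a style point, `(CK_ATTRIBUTE_TYPE_PTR)NULL == rt` in the same hunk is left in the old form next to the converted checks. The function starts and ends outside the hunk.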
@@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: slot.c,v $ $Revision: 1.6 $ $Date: 2005/01/20 02:25:45 $"; +static const char CVS_ID[] = "@(#) $RCSfile: slot.c,v $ $Revision: 1.7 $ $Date: 2009/02/09 07:55:53 $"; #endif /* DEBUG */ /* @@ -172,7 +172,7 @@ nssCKFWSlot_Create NSSArena *arena; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSCKFWSlot *)NULL; } @@ -183,20 +183,20 @@ nssCKFWSlot_Create #endif /* NSSDEBUG */ mdInstance = nssCKFWInstance_GetMDInstance(fwInstance); - if( (NSSCKMDInstance *)NULL == mdInstance ) { + if (!mdInstance) { *pError = CKR_GENERAL_ERROR; return (NSSCKFWSlot *)NULL; } arena = nssCKFWInstance_GetArena(fwInstance, pError); - if( (NSSArena *)NULL == arena ) { + if (!arena) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } } fwSlot = nss_ZNEW(arena, NSSCKFWSlot); - if( (NSSCKFWSlot *)NULL == fwSlot ) { + if (!fwSlot) { *pError = CKR_HOST_MEMORY; return (NSSCKFWSlot *)NULL; } @@ -207,7 +207,7 @@ nssCKFWSlot_Create fwSlot->slotID = slotID; fwSlot->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError); - if( (NSSCKFWMutex *)NULL == fwSlot->mutex ) { + if (!fwSlot->mutex) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -215,7 +215,7 @@ nssCKFWSlot_Create return (NSSCKFWSlot *)NULL; } - if( (void *)NULL != (void *)mdSlot->Initialize ) { + if (mdSlot->Initialize) { *pError = CKR_OK; *pError = mdSlot->Initialize(mdSlot, fwSlot, mdInstance, fwInstance); if( CKR_OK != *pError ) { @@ -228,7 +228,7 @@ nssCKFWSlot_Create #ifdef DEBUG *pError = slot_add_pointer(fwSlot); if( CKR_OK != *pError ) { - if( (void *)NULL != (void *)mdSlot->Destroy ) { + if (mdSlot->Destroy) { mdSlot->Destroy(mdSlot, fwSlot, mdInstance, fwInstance); } 
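Review bot: In nssCKFWSlot_Create (hunk at -183) the `if (!arena)` branch sets `*pError` but does not return, so execution falls through to `nss_ZNEW(arena, NSSCKFWSlot)` with a NULL arena, unlike the `mdInstance` check just above it, which returns. Add `return (NSSCKFWSlot *)NULL;` after the inner error assignment so the slot is not built after a failed arena lookup. The function continues outside the hunk.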
@@ -265,7 +265,7 @@ nssCKFWSlot_Destroy (void)nssCKFWMutex_Destroy(fwSlot->mutex); - if( (void *)NULL != (void *)fwSlot->mdSlot->Destroy ) { + if (fwSlot->mdSlot->Destroy) { fwSlot->mdSlot->Destroy(fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance); } @@ -384,12 +384,12 @@ nssCKFWSlot_GetSlotDescription return error; } - if( (NSSUTF8 *)NULL == fwSlot->slotDescription ) { - if( (void *)NULL != (void *)fwSlot->mdSlot->GetSlotDescription ) { + if (!fwSlot->slotDescription) { + if (fwSlot->mdSlot->GetSlotDescription) { fwSlot->slotDescription = fwSlot->mdSlot->GetSlotDescription( fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance, &error); - if( ((NSSUTF8 *)NULL == fwSlot->slotDescription) && (CKR_OK != error) ) { + if ((!fwSlot->slotDescription) && (CKR_OK != error)) { goto done; } } else { @@ -434,12 +434,12 @@ nssCKFWSlot_GetManufacturerID return error; } - if( (NSSUTF8 *)NULL == fwSlot->manufacturerID ) { - if( (void *)NULL != (void *)fwSlot->mdSlot->GetManufacturerID ) { + if (!fwSlot->manufacturerID) { + if (fwSlot->mdSlot->GetManufacturerID) { fwSlot->manufacturerID = fwSlot->mdSlot->GetManufacturerID( fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance, &error); - if( ((NSSUTF8 *)NULL == fwSlot->manufacturerID) && (CKR_OK != error) ) { + if ((!fwSlot->manufacturerID) && (CKR_OK != error)) { goto done; } } else { @@ -471,7 +471,7 @@ nssCKFWSlot_GetTokenPresent } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwSlot->mdSlot->GetTokenPresent ) { + if (!fwSlot->mdSlot->GetTokenPresent) { return CK_TRUE; } @@ -495,7 +495,7 @@ nssCKFWSlot_GetRemovableDevice } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwSlot->mdSlot->GetRemovableDevice ) { + if (!fwSlot->mdSlot->GetRemovableDevice) { return CK_FALSE; } @@ -519,7 +519,7 @@ nssCKFWSlot_GetHardwareSlot } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwSlot->mdSlot->GetHardwareSlot ) { + if (!fwSlot->mdSlot->GetHardwareSlot) { return CK_FALSE; } 
@@ -557,7 +557,7 @@ nssCKFWSlot_GetHardwareVersion goto done; } - if( (void *)NULL != (void *)fwSlot->mdSlot->GetHardwareVersion ) { + if (fwSlot->mdSlot->GetHardwareVersion) { fwSlot->hardwareVersion = fwSlot->mdSlot->GetHardwareVersion( fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance); } else { @@ -601,7 +601,7 @@ nssCKFWSlot_GetFirmwareVersion goto done; } - if( (void *)NULL != (void *)fwSlot->mdSlot->GetFirmwareVersion ) { + if (fwSlot->mdSlot->GetFirmwareVersion) { fwSlot->firmwareVersion = fwSlot->mdSlot->GetFirmwareVersion( fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance); } else { @@ -630,7 +630,7 @@ nssCKFWSlot_GetToken NSSCKFWToken *fwToken; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSCKFWToken *)NULL; } @@ -645,8 +645,8 @@ nssCKFWSlot_GetToken return (NSSCKFWToken *)NULL; } - if( (NSSCKFWToken *)NULL == fwSlot->fwToken ) { - if( (void *)NULL == (void *)fwSlot->mdSlot->GetToken ) { + if (!fwSlot->fwToken) { + if (!fwSlot->mdSlot->GetToken) { *pError = CKR_GENERAL_ERROR; fwToken = (NSSCKFWToken *)NULL; goto done; @@ -654,7 +654,7 @@ nssCKFWSlot_GetToken mdToken = fwSlot->mdSlot->GetToken(fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance, pError); - if( (NSSCKMDToken *)NULL == mdToken ) { + if (!mdToken) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } diff --git a/security/nss/lib/ckfw/token.c b/security/nss/lib/ckfw/token.c index 30c7f49abca..323593e2804 100644 --- a/security/nss/lib/ckfw/token.c +++ b/security/nss/lib/ckfw/token.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: token.c,v $ $Revision: 1.12 $ $Date: 2007/10/06 01:41:28 $"; +static const char CVS_ID[] = "@(#) $RCSfile: token.c,v $ $Revision: 1.13 $ $Date: 2009/02/09 07:55:53 $"; #endif /* DEBUG */ /* 
@@ -218,13 +218,13 @@ nssCKFWToken_Create */ arena = NSSArena_Create(); - if( (NSSArena *)NULL == arena ) { + if (!arena) { *pError = CKR_HOST_MEMORY; goto loser; } fwToken = nss_ZNEW(arena, NSSCKFWToken); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { *pError = CKR_HOST_MEMORY; goto loser; } @@ -239,7 +239,7 @@ nssCKFWToken_Create fwToken->rwSessionCount = 0; fwToken->mutex = nssCKFWInstance_CreateMutex(fwToken->fwInstance, arena, pError); - if( (NSSCKFWMutex *)NULL == fwToken->mutex ) { + if (!fwToken->mutex) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -247,7 +247,7 @@ nssCKFWToken_Create } fwToken->sessions = nssCKFWHash_Create(fwToken->fwInstance, arena, pError); - if( (nssCKFWHash *)NULL == fwToken->sessions ) { + if (!fwToken->sessions) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -258,7 +258,7 @@ nssCKFWToken_Create fwToken->fwInstance) ) { fwToken->sessionObjectHash = nssCKFWHash_Create(fwToken->fwInstance, arena, pError); - if( (nssCKFWHash *)NULL == fwToken->sessionObjectHash ) { + if (!fwToken->sessionObjectHash) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -268,7 +268,7 @@ nssCKFWToken_Create fwToken->mdObjectHash = nssCKFWHash_Create(fwToken->fwInstance, arena, pError); - if( (nssCKFWHash *)NULL == fwToken->mdObjectHash ) { + if (!fwToken->mdObjectHash) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -277,7 +277,7 @@ nssCKFWToken_Create fwToken->mdMechanismHash = nssCKFWHash_Create(fwToken->fwInstance, arena, pError); - if( (nssCKFWHash *)NULL == fwToken->mdMechanismHash ) { + if (!fwToken->mdMechanismHash) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -286,7 +286,7 @@ nssCKFWToken_Create /* More here */ - if( (void *)NULL != (void *)mdToken->Setup ) { + if (mdToken->Setup) { *pError = mdToken->Setup(mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance); if( CKR_OK != *pError ) { goto loser; 
@@ -308,12 +308,12 @@ nssCKFWToken_Create loser: if( CK_TRUE == called_setup ) { - if( (void *)NULL != (void *)mdToken->Invalidate ) { + if (mdToken->Invalidate) { mdToken->Invalidate(mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance); } } - if( (NSSArena *)NULL != arena ) { + if (arena) { (void)NSSArena_Destroy(arena); } @@ -373,7 +373,7 @@ nssCKFWToken_Destroy (void)nssCKFWMutex_Destroy(fwToken->mutex); - if( (void *)NULL != (void *)fwToken->mdToken->Invalidate ) { + if (fwToken->mdToken->Invalidate) { fwToken->mdToken->Invalidate(fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance); } @@ -440,7 +440,7 @@ nssCKFWToken_GetArena ) { #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSArena *)NULL; } @@ -552,12 +552,12 @@ nssCKFWToken_InitToken goto done; } - if( (void *)NULL == (void *)fwToken->mdToken->InitToken ) { + if (!fwToken->mdToken->InitToken) { error = CKR_DEVICE_ERROR; goto done; } - if( (NSSItem *)NULL == pin ) { + if (!pin) { if( nssCKFWToken_GetHasProtectedAuthenticationPath(fwToken) ) { ; /* okay */ } else { @@ -566,7 +566,7 @@ nssCKFWToken_InitToken } } - if( (NSSUTF8 *)NULL == label ) { + if (!label) { label = (NSSUTF8 *) ""; } @@ -607,11 +607,11 @@ nssCKFWToken_GetLabel return error; } - if( (NSSUTF8 *)NULL == fwToken->label ) { - if( (void *)NULL != (void *)fwToken->mdToken->GetLabel ) { + if (!fwToken->label) { + if (fwToken->mdToken->GetLabel) { fwToken->label = fwToken->mdToken->GetLabel(fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance, &error); - if( ((NSSUTF8 *)NULL == fwToken->label) && (CKR_OK != error) ) { + if ((!fwToken->label) && (CKR_OK != error)) { goto done; } } else { 
@@ -656,11 +656,11 @@ nssCKFWToken_GetManufacturerID return error; } - if( (NSSUTF8 *)NULL == fwToken->manufacturerID ) { - if( (void *)NULL != (void *)fwToken->mdToken->GetManufacturerID ) { + if (!fwToken->manufacturerID) { + if (fwToken->mdToken->GetManufacturerID) { fwToken->manufacturerID = fwToken->mdToken->GetManufacturerID(fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance, &error); - if( ((NSSUTF8 *)NULL == fwToken->manufacturerID) && (CKR_OK != error) ) { + if ((!fwToken->manufacturerID) && (CKR_OK != error)) { goto done; } } else { @@ -705,11 +705,11 @@ nssCKFWToken_GetModel return error; } - if( (NSSUTF8 *)NULL == fwToken->model ) { - if( (void *)NULL != (void *)fwToken->mdToken->GetModel ) { + if (!fwToken->model) { + if (fwToken->mdToken->GetModel) { fwToken->model = fwToken->mdToken->GetModel(fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance, &error); - if( ((NSSUTF8 *)NULL == fwToken->model) && (CKR_OK != error) ) { + if ((!fwToken->model) && (CKR_OK != error)) { goto done; } } else { @@ -754,11 +754,11 @@ nssCKFWToken_GetSerialNumber return error; } - if( (NSSUTF8 *)NULL == fwToken->serialNumber ) { - if( (void *)NULL != (void *)fwToken->mdToken->GetSerialNumber ) { + if (!fwToken->serialNumber) { + if (fwToken->mdToken->GetSerialNumber) { fwToken->serialNumber = fwToken->mdToken->GetSerialNumber(fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance, &error); - if( ((NSSUTF8 *)NULL == fwToken->serialNumber) && (CKR_OK != error) ) { + if ((!fwToken->serialNumber) && (CKR_OK != error)) { goto done; } } else { @@ -791,7 +791,7 @@ nssCKFWToken_GetHasRNG } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetHasRNG ) { + if (!fwToken->mdToken->GetHasRNG) { return CK_FALSE; } 
@@ -815,7 +815,7 @@ nssCKFWToken_GetIsWriteProtected } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetIsWriteProtected ) { + if (!fwToken->mdToken->GetIsWriteProtected) { return CK_FALSE; } @@ -839,7 +839,7 @@ nssCKFWToken_GetLoginRequired } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetLoginRequired ) { + if (!fwToken->mdToken->GetLoginRequired) { return CK_FALSE; } @@ -863,7 +863,7 @@ nssCKFWToken_GetUserPinInitialized } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetUserPinInitialized ) { + if (!fwToken->mdToken->GetUserPinInitialized) { return CK_FALSE; } @@ -887,7 +887,7 @@ nssCKFWToken_GetRestoreKeyNotNeeded } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetRestoreKeyNotNeeded ) { + if (!fwToken->mdToken->GetRestoreKeyNotNeeded) { return CK_FALSE; } @@ -911,7 +911,7 @@ nssCKFWToken_GetHasClockOnToken } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetHasClockOnToken ) { + if (!fwToken->mdToken->GetHasClockOnToken) { return CK_FALSE; } @@ -935,7 +935,7 @@ nssCKFWToken_GetHasProtectedAuthenticationPath } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetHasProtectedAuthenticationPath ) { + if (!fwToken->mdToken->GetHasProtectedAuthenticationPath) { return CK_FALSE; } @@ -959,7 +959,7 @@ nssCKFWToken_GetSupportsDualCryptoOperations } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetSupportsDualCryptoOperations ) { + if (!fwToken->mdToken->GetSupportsDualCryptoOperations) { return CK_FALSE; } @@ -983,7 +983,7 @@ nssCKFWToken_GetMaxSessionCount } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetMaxSessionCount ) { + if (!fwToken->mdToken->GetMaxSessionCount) { return CK_UNAVAILABLE_INFORMATION; } 
@@ -1007,7 +1007,7 @@ nssCKFWToken_GetMaxRwSessionCount } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetMaxRwSessionCount ) { + if (!fwToken->mdToken->GetMaxRwSessionCount) { return CK_UNAVAILABLE_INFORMATION; } @@ -1031,7 +1031,7 @@ nssCKFWToken_GetMaxPinLen } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetMaxPinLen ) { + if (!fwToken->mdToken->GetMaxPinLen) { return CK_UNAVAILABLE_INFORMATION; } @@ -1055,7 +1055,7 @@ nssCKFWToken_GetMinPinLen } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetMinPinLen ) { + if (!fwToken->mdToken->GetMinPinLen) { return CK_UNAVAILABLE_INFORMATION; } @@ -1079,7 +1079,7 @@ nssCKFWToken_GetTotalPublicMemory } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetTotalPublicMemory ) { + if (!fwToken->mdToken->GetTotalPublicMemory) { return CK_UNAVAILABLE_INFORMATION; } @@ -1103,7 +1103,7 @@ nssCKFWToken_GetFreePublicMemory } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetFreePublicMemory ) { + if (!fwToken->mdToken->GetFreePublicMemory) { return CK_UNAVAILABLE_INFORMATION; } @@ -1127,7 +1127,7 @@ nssCKFWToken_GetTotalPrivateMemory } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetTotalPrivateMemory ) { + if (!fwToken->mdToken->GetTotalPrivateMemory) { return CK_UNAVAILABLE_INFORMATION; } @@ -1151,7 +1151,7 @@ nssCKFWToken_GetFreePrivateMemory } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetFreePrivateMemory ) { + if (!fwToken->mdToken->GetFreePrivateMemory) { return CK_UNAVAILABLE_INFORMATION; } @@ -1189,7 +1189,7 @@ nssCKFWToken_GetHardwareVersion goto done; } - if( (void *)NULL != (void *)fwToken->mdToken->GetHardwareVersion ) { + if (fwToken->mdToken->GetHardwareVersion) { fwToken->hardwareVersion = fwToken->mdToken->GetHardwareVersion( fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance); } else { 
@@ -1234,7 +1234,7 @@ nssCKFWToken_GetFirmwareVersion goto done; } - if( (void *)NULL != (void *)fwToken->mdToken->GetFirmwareVersion ) { + if (fwToken->mdToken->GetFirmwareVersion) { fwToken->firmwareVersion = fwToken->mdToken->GetFirmwareVersion( fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance); } else { @@ -1279,7 +1279,7 @@ nssCKFWToken_GetUTCTime return CKR_OK; } - if( (void *)NULL == (void *)fwToken->mdToken->GetUTCTime ) { + if (!fwToken->mdToken->GetUTCTime) { /* It said it had one! */ return CKR_GENERAL_ERROR; } @@ -1355,7 +1355,7 @@ nssCKFWToken_OpenSession NSSCKMDSession *mdSession; #ifdef NSSDEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSCKFWSession *)NULL; } @@ -1395,7 +1395,7 @@ nssCKFWToken_OpenSession /* We could compare sesion counts to any limits we know of, I guess.. */ - if( (void *)NULL == (void *)fwToken->mdToken->OpenSession ) { + if (!fwToken->mdToken->OpenSession) { /* * I'm not sure that the Module actually needs to implement * mdSessions -- the Framework can keep track of everything @@ -1406,7 +1406,7 @@ nssCKFWToken_OpenSession } fwSession = nssCKFWSession_Create(fwToken, rw, pApplication, Notify, pError); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } @@ -1416,7 +1416,7 @@ nssCKFWToken_OpenSession mdSession = fwToken->mdToken->OpenSession(fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance, fwSession, rw, pError); - if( (NSSCKMDSession *)NULL == mdSession ) { + if (!mdSession) { (void)nssCKFWSession_Destroy(fwSession, CK_FALSE); if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; @@ -1426,7 +1426,7 @@ nssCKFWToken_OpenSession *pError = nssCKFWSession_SetMDSession(fwSession, mdSession); if( CKR_OK != *pError ) { - if( (void *)NULL != (void *)mdSession->Close ) { + if (mdSession->Close) { mdSession->Close(mdSession, fwSession, fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance); } 
@@ -1462,7 +1462,7 @@ nssCKFWToken_GetMechanismCount } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetMechanismCount ) { + if (!fwToken->mdToken->GetMechanismCount) { return 0; } @@ -1486,12 +1486,12 @@ nssCKFWToken_GetMechanismTypes return CKR_ARGUMENTS_BAD; } - if( (CK_MECHANISM_TYPE *)NULL == types ) { + if (!types) { return CKR_ARGUMENTS_BAD; } #endif /* NSSDEBUG */ - if( (void *)NULL == (void *)fwToken->mdToken->GetMechanismTypes ) { + if (!fwToken->mdToken->GetMechanismTypes) { /* * This should only be called with a sufficiently-large * "types" array, which can only be done if GetMechanismCount @@ -1519,12 +1519,12 @@ nssCKFWToken_GetMechanism ) { NSSCKMDMechanism *mdMechanism; - if ((nssCKFWHash *)NULL == fwToken->mdMechanismHash) { + if (!fwToken->mdMechanismHash) { *pError = CKR_GENERAL_ERROR; return (NSSCKFWMechanism *)NULL; } - if( (void *)NULL == (void *)fwToken->mdToken->GetMechanism ) { + if (!fwToken->mdToken->GetMechanism) { /* * If we don't implement any GetMechanism function, then we must * not support any. @@ -1536,7 +1536,7 @@ nssCKFWToken_GetMechanism /* lookup in hash table */ mdMechanism = fwToken->mdToken->GetMechanism(fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance, which, pError); - if ((NSSCKMDMechanism *)NULL == mdMechanism) { + if (!mdMechanism) { return (NSSCKFWMechanism *) NULL; } /* store in hash table */ @@ -1665,7 +1665,7 @@ nssCKFWToken_CloseAllSessions nssCKFWHash_Destroy(fwToken->sessions); fwToken->sessions = nssCKFWHash_Create(fwToken->fwInstance, fwToken->arena, &error); - if( (nssCKFWHash *)NULL == fwToken->sessions ) { + if (!fwToken->sessions) { if( CKR_OK == error ) { error = CKR_GENERAL_ERROR; } @@ -1854,7 +1854,7 @@ NSSCKFWToken_GetArena ) { #ifdef DEBUG - if( (CK_RV *)NULL == pError ) { + if (!pError) { return (NSSArena *)NULL; } diff --git a/security/nss/lib/ckfw/wrap.c b/security/nss/lib/ckfw/wrap.c index 84c2733e0ef..886d25541eb 100644 --- a/security/nss/lib/ckfw/wrap.c 
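Review bot: In the `@@ -1536` hunk of nssCKFWToken_GetMechanism, a NULL result from the module's `GetMechanism` is returned without making sure `*pError` holds an error. nssCKFWToken_OpenSession in this same file maps a NULL result with `CKR_OK` to `CKR_GENERAL_ERROR`. The wrap.c callers later in this patch only test the returned pointer and `goto loser` with whatever is in `error`, so a module that returns NULL and leaves `CKR_OK` may surface as a failed call with a success code (the loser paths are not visible here, so this is inferred). I would make the branch `if (!mdMechanism) { if (CKR_OK == *pError) { *pError = CKR_GENERAL_ERROR; } return (NSSCKFWMechanism *)NULL; }`. The function body continues outside the hunk.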
+++ b/security/nss/lib/ckfw/wrap.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: wrap.c,v $ $Revision: 1.17 $ $Date: 2008/08/25 22:47:32 $"; +static const char CVS_ID[] = "@(#) $RCSfile: wrap.c,v $ $Revision: 1.18 $ $Date: 2009/02/09 07:55:53 $"; #endif /* DEBUG */ /* @@ -187,12 +187,12 @@ NSSCKFWC_Initialize goto loser; } - if( (NSSCKFWInstance *)NULL != *pFwInstance ) { + if (*pFwInstance) { error = CKR_CRYPTOKI_ALREADY_INITIALIZED; goto loser; } - if( (NSSCKMDInstance *)NULL == mdInstance ) { + if (!mdInstance) { error = CKR_GENERAL_ERROR; goto loser; } @@ -203,7 +203,7 @@ NSSCKFWC_Initialize } *pFwInstance = nssCKFWInstance_Create(pInitArgs, locking_state, mdInstance, &error); - if( (NSSCKFWInstance *)NULL == *pFwInstance ) { + if (!*pFwInstance) { goto loser; } PR_AtomicIncrement(&liveInstances); @@ -245,7 +245,7 @@ NSSCKFWC_Finalize goto loser; } - if( (NSSCKFWInstance *)NULL == *pFwInstance ) { + if (!*pFwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } @@ -366,7 +366,7 @@ NSSCKFWC_GetSlotList CK_RV error = CKR_OK; CK_ULONG nSlots; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } @@ -454,7 +454,7 @@ NSSCKFWC_GetSlotInfo NSSCKFWSlot **slots; NSSCKFWSlot *fwSlot; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } @@ -548,7 +548,7 @@ NSSCKFWC_GetTokenInfo NSSCKFWSlot *fwSlot; NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } @@ -586,7 +586,7 @@ NSSCKFWC_GetTokenInfo } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } 
@@ -707,7 +707,7 @@ NSSCKFWC_WaitForSlotEvent NSSCKFWSlot *fwSlot; CK_ULONG i; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } @@ -740,7 +740,7 @@ NSSCKFWC_WaitForSlotEvent } fwSlot = nssCKFWInstance_WaitForSlotEvent(fwInstance, block, &error); - if( (NSSCKFWSlot *)NULL == fwSlot ) { + if (!fwSlot) { goto loser; } @@ -790,7 +790,7 @@ NSSCKFWC_GetMechanismList NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL; CK_ULONG count; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } @@ -823,7 +823,7 @@ NSSCKFWC_GetMechanismList } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } @@ -904,7 +904,7 @@ NSSCKFWC_GetMechanismInfo NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL; NSSCKFWMechanism *fwMechanism; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } @@ -942,12 +942,12 @@ NSSCKFWC_GetMechanismInfo (void)nsslibc_memset(pInfo, 0, sizeof(CK_MECHANISM_INFO)); fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } fwMechanism = nssCKFWToken_GetMechanism(fwToken, type, &error); - if( (NSSCKFWMechanism *)NULL == fwMechanism ) { + if (!fwMechanism) { goto loser; } @@ -1046,7 +1046,7 @@ NSSCKFWC_InitToken NSSItem pin; NSSUTF8 *label; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } @@ -1074,7 +1074,7 @@ NSSCKFWC_InitToken } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } 
@@ -1136,13 +1136,13 @@ NSSCKFWC_InitPIN NSSCKFWSession *fwSession; NSSItem pin, *arg; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -1212,13 +1212,13 @@ NSSCKFWC_SetPIN NSSCKFWSession *fwSession; NSSItem oldPin, newPin, *oldArg, *newArg; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -1301,7 +1301,7 @@ NSSCKFWC_OpenSession NSSCKFWSession *fwSession; CK_BBOOL rw; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } @@ -1357,13 +1357,13 @@ NSSCKFWC_OpenSession } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } fwSession = nssCKFWToken_OpenSession(fwToken, rw, pApplication, Notify, &error); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { goto loser; } @@ -1421,13 +1421,13 @@ NSSCKFWC_CloseSession CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -1483,7 +1483,7 @@ NSSCKFWC_CloseAllSessions NSSCKFWSlot *fwSlot; NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } 
@@ -1511,7 +1511,7 @@ NSSCKFWC_CloseAllSessions } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } @@ -1561,13 +1561,13 @@ NSSCKFWC_GetSessionInfo NSSCKFWSession *fwSession; NSSCKFWSlot *fwSlot; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -1583,7 +1583,7 @@ NSSCKFWC_GetSessionInfo (void)nsslibc_memset(pInfo, 0, sizeof(CK_SESSION_INFO)); fwSlot = nssCKFWSession_GetFWSlot(fwSession); - if( (NSSCKFWSlot *)NULL == fwSlot ) { + if (!fwSlot) { error = CKR_GENERAL_ERROR; goto loser; } @@ -1644,13 +1644,13 @@ NSSCKFWC_GetOperationState CK_ULONG len; NSSItem buf; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -1736,7 +1736,7 @@ NSSCKFWC_SetOperationState NSSCKFWObject *aKey; NSSItem state; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } @@ -1752,7 +1752,7 @@ NSSCKFWC_SetOperationState */ fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -1761,7 +1761,7 @@ NSSCKFWC_SetOperationState eKey = (NSSCKFWObject *)NULL; } else { eKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hEncryptionKey); - if( (NSSCKFWObject *)NULL == eKey ) { + if (!eKey) { error = CKR_KEY_HANDLE_INVALID; goto loser; } 
@@ -1771,7 +1771,7 @@ NSSCKFWC_SetOperationState aKey = (NSSCKFWObject *)NULL; } else { aKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hAuthenticationKey); - if( (NSSCKFWObject *)NULL == aKey ) { + if (!aKey) { error = CKR_KEY_HANDLE_INVALID; goto loser; } @@ -1831,13 +1831,13 @@ NSSCKFWC_Login NSSCKFWSession *fwSession; NSSItem pin, *arg; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -1905,13 +1905,13 @@ NSSCKFWC_Logout CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -1967,13 +1967,13 @@ NSSCKFWC_CreateObject NSSCKFWSession *fwSession; NSSCKFWObject *fwObject; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -1990,7 +1990,7 @@ NSSCKFWC_CreateObject fwObject = nssCKFWSession_CreateObject(fwSession, pTemplate, ulCount, &error); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { goto loser; } 
@@ -2055,13 +2055,13 @@ NSSCKFWC_CopyObject NSSCKFWObject *fwObject; NSSCKFWObject *fwNewObject; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -2077,14 +2077,14 @@ NSSCKFWC_CopyObject *phNewObject = (CK_OBJECT_HANDLE)0; fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { error = CKR_OBJECT_HANDLE_INVALID; goto loser; } fwNewObject = nssCKFWSession_CopyObject(fwSession, fwObject, pTemplate, ulCount, &error); - if( (NSSCKFWObject *)NULL == fwNewObject ) { + if (!fwNewObject) { goto loser; } @@ -2146,19 +2146,19 @@ NSSCKFWC_DestroyObject NSSCKFWSession *fwSession; NSSCKFWObject *fwObject; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { error = CKR_OBJECT_HANDLE_INVALID; goto loser; } 
@@ -2213,19 +2213,19 @@ NSSCKFWC_GetObjectSize NSSCKFWSession *fwSession; NSSCKFWObject *fwObject; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { error = CKR_OBJECT_HANDLE_INVALID; goto loser; } @@ -2296,19 +2296,19 @@ NSSCKFWC_GetAttributeValue CK_BBOOL tooSmall = CK_FALSE; CK_ULONG i; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { error = CKR_OBJECT_HANDLE_INVALID; goto loser; } @@ -2353,7 +2353,7 @@ NSSCKFWC_GetAttributeValue it.data = (void *)pTemplate[i].pValue; p = nssCKFWObject_GetAttribute(fwObject, pTemplate[i].type, &it, (NSSArena *)NULL, &error); - if( (NSSItem *)NULL == p ) { + if (!p) { switch( error ) { case CKR_ATTRIBUTE_SENSITIVE: case CKR_INFORMATION_SENSITIVE: 
@@ -2434,19 +2434,19 @@ NSSCKFWC_SetAttributeValue NSSCKFWObject *fwObject; CK_ULONG i; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { error = CKR_OBJECT_HANDLE_INVALID; goto loser; } @@ -2521,13 +2521,13 @@ NSSCKFWC_FindObjectsInit NSSCKFWSession *fwSession; NSSCKFWFindObjects *fwFindObjects; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -2538,7 +2538,7 @@ NSSCKFWC_FindObjectsInit } fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error); - if( (NSSCKFWFindObjects *)NULL != fwFindObjects ) { + if (fwFindObjects) { error = CKR_OPERATION_ACTIVE; goto loser; } @@ -2549,7 +2549,7 @@ NSSCKFWC_FindObjectsInit fwFindObjects = nssCKFWSession_FindObjectsInit(fwSession, pTemplate, ulCount, &error); - if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) { + if (!fwFindObjects) { goto loser; } @@ -2609,13 +2609,13 @@ NSSCKFWC_FindObjects NSSCKFWFindObjects *fwFindObjects; CK_ULONG i; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } 
@@ -2632,14 +2632,14 @@ NSSCKFWC_FindObjects *pulObjectCount = (CK_ULONG)0; fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error); - if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) { + if (!fwFindObjects) { goto loser; } for( i = 0; i < ulMaxObjectCount; i++ ) { NSSCKFWObject *fwObject = nssCKFWFindObjects_Next(fwFindObjects, NULL, &error); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { break; } @@ -2699,19 +2699,19 @@ NSSCKFWC_FindObjectsFinal NSSCKFWSession *fwSession; NSSCKFWFindObjects *fwFindObjects; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error); - if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) { + if (!fwFindObjects) { error = CKR_OPERATION_NOT_INITIALIZED; goto loser; } @@ -2772,25 +2772,25 @@ NSSCKFWC_EncryptInit NSSCKFWToken *fwToken; NSSCKFWMechanism *fwMechanism; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { error = CKR_KEY_HANDLE_INVALID; goto loser; } fwSlot = nssCKFWSession_GetFWSlot(fwSession); - if( (NSSCKFWSlot *)NULL == fwSlot ) { + if (!fwSlot) { error = CKR_GENERAL_ERROR; /* should never happen! */ goto loser; } 
@@ -2801,12 +2801,12 @@ NSSCKFWC_EncryptInit } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error); - if( (NSSCKFWMechanism *)NULL == fwMechanism ) { + if (!fwMechanism) { goto loser; } @@ -2868,13 +2868,13 @@ NSSCKFWC_Encrypt CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -2933,13 +2933,13 @@ NSSCKFWC_EncryptUpdate CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -2995,13 +2995,13 @@ NSSCKFWC_EncryptFinal CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } 
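Review bot: `pMechanism->mechanism` in the `@@ -2801` hunk of NSSCKFWC_EncryptInit is dereferenced with no NULL check in the lines shown; the preceding hunk covers the function from its local declarations onward and only validates fwInstance, hSession, hKey and the slot. pMechanism looks like the caller-supplied mechanism argument (the signature is outside the hunk), so unless the few lines between the two hunks check it, a NULL there faults inside the library instead of returning an error code. I would add, before the use, `if (!pMechanism) { error = CKR_ARGUMENTS_BAD; goto loser; }`. The same pattern appears in the DecryptInit, DigestInit, SignInit, SignRecoverInit, VerifyInit, VerifyRecoverInit and GenerateKey hunks further down.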
@@ -3061,25 +3061,25 @@ NSSCKFWC_DecryptInit NSSCKFWToken *fwToken; NSSCKFWMechanism *fwMechanism; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { error = CKR_KEY_HANDLE_INVALID; goto loser; } fwSlot = nssCKFWSession_GetFWSlot(fwSession); - if( (NSSCKFWSlot *)NULL == fwSlot ) { + if (!fwSlot) { error = CKR_GENERAL_ERROR; /* should never happen! */ goto loser; } @@ -3090,12 +3090,12 @@ NSSCKFWC_DecryptInit } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error); - if( (NSSCKFWMechanism *)NULL == fwMechanism ) { + if (!fwMechanism) { goto loser; } @@ -3157,13 +3157,13 @@ NSSCKFWC_Decrypt CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -3229,13 +3229,13 @@ NSSCKFWC_DecryptUpdate CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } 
@@ -3299,13 +3299,13 @@ NSSCKFWC_DecryptFinal CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -3371,19 +3371,19 @@ NSSCKFWC_DigestInit NSSCKFWToken *fwToken; NSSCKFWMechanism *fwMechanism; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwSlot = nssCKFWSession_GetFWSlot(fwSession); - if( (NSSCKFWSlot *)NULL == fwSlot ) { + if (!fwSlot) { error = CKR_GENERAL_ERROR; /* should never happen! */ goto loser; } @@ -3394,12 +3394,12 @@ NSSCKFWC_DigestInit } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error); - if( (NSSCKFWMechanism *)NULL == fwMechanism ) { + if (!fwMechanism) { goto loser; } @@ -3457,13 +3457,13 @@ NSSCKFWC_Digest CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } 
@@ -3518,13 +3518,13 @@ NSSCKFWC_DigestUpdate CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -3578,19 +3578,19 @@ NSSCKFWC_DigestKey NSSCKFWSession *fwSession; NSSCKFWObject *fwObject; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { error = CKR_KEY_HANDLE_INVALID; goto loser; } @@ -3643,13 +3643,13 @@ NSSCKFWC_DigestFinal CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } 
@@ -3708,25 +3708,25 @@ NSSCKFWC_SignInit NSSCKFWToken *fwToken; NSSCKFWMechanism *fwMechanism; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { error = CKR_KEY_HANDLE_INVALID; goto loser; } fwSlot = nssCKFWSession_GetFWSlot(fwSession); - if( (NSSCKFWSlot *)NULL == fwSlot ) { + if (!fwSlot) { error = CKR_GENERAL_ERROR; /* should never happen! */ goto loser; } @@ -3737,12 +3737,12 @@ NSSCKFWC_SignInit } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error); - if( (NSSCKFWMechanism *)NULL == fwMechanism ) { + if (!fwMechanism) { goto loser; } @@ -3805,13 +3805,13 @@ NSSCKFWC_Sign CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -3870,13 +3870,13 @@ NSSCKFWC_SignUpdate CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } 
@@ -3932,13 +3932,13 @@ NSSCKFWC_SignFinal CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -4000,25 +4000,25 @@ NSSCKFWC_SignRecoverInit NSSCKFWToken *fwToken; NSSCKFWMechanism *fwMechanism; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { error = CKR_KEY_HANDLE_INVALID; goto loser; } fwSlot = nssCKFWSession_GetFWSlot(fwSession); - if( (NSSCKFWSlot *)NULL == fwSlot ) { + if (!fwSlot) { error = CKR_GENERAL_ERROR; /* should never happen! */ goto loser; } @@ -4029,12 +4029,12 @@ NSSCKFWC_SignRecoverInit } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error); - if( (NSSCKFWMechanism *)NULL == fwMechanism ) { + if (!fwMechanism) { goto loser; } @@ -4097,13 +4097,13 @@ NSSCKFWC_SignRecover CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } 
@@ -4165,25 +4165,25 @@ NSSCKFWC_VerifyInit NSSCKFWToken *fwToken; NSSCKFWMechanism *fwMechanism; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { error = CKR_KEY_HANDLE_INVALID; goto loser; } fwSlot = nssCKFWSession_GetFWSlot(fwSession); - if( (NSSCKFWSlot *)NULL == fwSlot ) { + if (!fwSlot) { error = CKR_GENERAL_ERROR; /* should never happen! */ goto loser; } @@ -4194,12 +4194,12 @@ NSSCKFWC_VerifyInit } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error); - if( (NSSCKFWMechanism *)NULL == fwMechanism ) { + if (!fwMechanism) { goto loser; } @@ -4262,13 +4262,13 @@ NSSCKFWC_Verify CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -4326,13 +4326,13 @@ NSSCKFWC_VerifyUpdate CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } 
@@ -4387,13 +4387,13 @@ NSSCKFWC_VerifyFinal CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -4454,25 +4454,25 @@ NSSCKFWC_VerifyRecoverInit NSSCKFWToken *fwToken; NSSCKFWMechanism *fwMechanism; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey); - if( (NSSCKFWObject *)NULL == fwObject ) { + if (!fwObject) { error = CKR_KEY_HANDLE_INVALID; goto loser; } fwSlot = nssCKFWSession_GetFWSlot(fwSession); - if( (NSSCKFWSlot *)NULL == fwSlot ) { + if (!fwSlot) { error = CKR_GENERAL_ERROR; /* should never happen! */ goto loser; } @@ -4483,12 +4483,12 @@ NSSCKFWC_VerifyRecoverInit } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error); - if( (NSSCKFWMechanism *)NULL == fwMechanism ) { + if (!fwMechanism) { goto loser; } @@ -4551,13 +4551,13 @@ NSSCKFWC_VerifyRecover CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } 
@@ -4616,13 +4616,13 @@ NSSCKFWC_DigestEncryptUpdate CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -4681,13 +4681,13 @@ NSSCKFWC_DecryptDigestUpdate CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -4753,13 +4753,13 @@ NSSCKFWC_SignEncryptUpdate CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } @@ -4819,13 +4819,13 @@ NSSCKFWC_DecryptVerifyUpdate CK_RV error = CKR_OK; NSSCKFWSession *fwSession; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } 
@@ -4893,19 +4893,19 @@ NSSCKFWC_GenerateKey NSSCKFWToken *fwToken; NSSCKFWMechanism *fwMechanism; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwSlot = nssCKFWSession_GetFWSlot(fwSession); - if( (NSSCKFWSlot *)NULL == fwSlot ) { + if (!fwSlot) { error = CKR_GENERAL_ERROR; /* should never happen! */ goto loser; } @@ -4916,12 +4916,12 @@ NSSCKFWC_GenerateKey } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error); - if( (NSSCKFWMechanism *)NULL == fwMechanism ) { + if (!fwMechanism) { goto loser; } @@ -4934,7 +4934,7 @@ NSSCKFWC_GenerateKey &error); nssCKFWMechanism_Destroy(fwMechanism); - if ((NSSCKFWObject *)NULL == fwObject) { + if (!fwObject) { goto loser; } *phKey= nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error); @@ -5004,19 +5004,19 @@ NSSCKFWC_GenerateKeyPair NSSCKFWToken *fwToken; NSSCKFWMechanism *fwMechanism; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwSlot = nssCKFWSession_GetFWSlot(fwSession); - if( (NSSCKFWSlot *)NULL == fwSlot ) { + if (!fwSlot) { error = CKR_GENERAL_ERROR; /* should never happen! */ goto loser; } 
@@ -5027,12 +5027,12 @@ NSSCKFWC_GenerateKeyPair } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error); - if( (NSSCKFWMechanism *)NULL == fwMechanism ) { + if (!fwMechanism) { goto loser; } @@ -5126,32 +5126,32 @@ NSSCKFWC_WrapKey NSSItem wrappedKey; CK_ULONG wrappedKeyLength = 0; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwWrappingKeyObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hWrappingKey); - if( (NSSCKFWObject *)NULL == fwWrappingKeyObject ) { + if (!fwWrappingKeyObject) { error = CKR_WRAPPING_KEY_HANDLE_INVALID; goto loser; } fwKeyObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey); - if( (NSSCKFWObject *)NULL == fwKeyObject ) { + if (!fwKeyObject) { error = CKR_KEY_HANDLE_INVALID; goto loser; } fwSlot = nssCKFWSession_GetFWSlot(fwSession); - if( (NSSCKFWSlot *)NULL == fwSlot ) { + if (!fwSlot) { error = CKR_GENERAL_ERROR; /* should never happen! */ goto loser; } @@ -5162,12 +5162,12 @@ NSSCKFWC_WrapKey } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error); - if( (NSSCKFWMechanism *)NULL == fwMechanism ) { + if (!fwMechanism) { goto loser; } 
@@ -5281,26 +5281,26 @@ NSSCKFWC_UnwrapKey NSSCKFWMechanism *fwMechanism; NSSItem wrappedKey; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwWrappingKeyObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hUnwrappingKey); - if( (NSSCKFWObject *)NULL == fwWrappingKeyObject ) { + if (!fwWrappingKeyObject) { error = CKR_WRAPPING_KEY_HANDLE_INVALID; goto loser; } fwSlot = nssCKFWSession_GetFWSlot(fwSession); - if( (NSSCKFWSlot *)NULL == fwSlot ) { + if (!fwSlot) { error = CKR_GENERAL_ERROR; /* should never happen! */ goto loser; } @@ -5311,12 +5311,12 @@ NSSCKFWC_UnwrapKey } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error); - if( (NSSCKFWMechanism *)NULL == fwMechanism ) { + if (!fwMechanism) { goto loser; } @@ -5334,7 +5334,7 @@ NSSCKFWC_UnwrapKey &error); nssCKFWMechanism_Destroy(fwMechanism); - if ((NSSCKFWObject *)NULL == fwObject) { + if (!fwObject) { goto loser; } *phKey = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error); 
@@ -5424,25 +5424,25 @@ NSSCKFWC_DeriveKey NSSCKFWToken *fwToken; NSSCKFWMechanism *fwMechanism; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } fwBaseKeyObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hBaseKey); - if( (NSSCKFWObject *)NULL == fwBaseKeyObject ) { + if (!fwBaseKeyObject) { error = CKR_KEY_HANDLE_INVALID; goto loser; } fwSlot = nssCKFWSession_GetFWSlot(fwSession); - if( (NSSCKFWSlot *)NULL == fwSlot ) { + if (!fwSlot) { error = CKR_GENERAL_ERROR; /* should never happen! */ goto loser; } @@ -5453,12 +5453,12 @@ NSSCKFWC_DeriveKey } fwToken = nssCKFWSlot_GetToken(fwSlot, &error); - if( (NSSCKFWToken *)NULL == fwToken ) { + if (!fwToken) { goto loser; } fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error); - if( (NSSCKFWMechanism *)NULL == fwMechanism ) { + if (!fwMechanism) { goto loser; } @@ -5472,7 +5472,7 @@ NSSCKFWC_DeriveKey &error); nssCKFWMechanism_Destroy(fwMechanism); - if ((NSSCKFWObject *)NULL == fwObject) { + if (!fwObject) { goto loser; } *phKey = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error); @@ -5537,13 +5537,13 @@ NSSCKFWC_SeedRandom NSSCKFWSession *fwSession; NSSItem seed; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } 
@@ -5614,13 +5614,13 @@ NSSCKFWC_GenerateRandom NSSCKFWSession *fwSession; NSSItem buffer; - if( (NSSCKFWInstance *)NULL == fwInstance ) { + if (!fwInstance) { error = CKR_CRYPTOKI_NOT_INITIALIZED; goto loser; } fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession); - if( (NSSCKFWSession *)NULL == fwSession ) { + if (!fwSession) { error = CKR_SESSION_HANDLE_INVALID; goto loser; } diff --git a/security/nss/lib/dev/ckhelper.c b/security/nss/lib/dev/ckhelper.c index 6cc58a9cb21..a81403a4f2b 100644 --- a/security/nss/lib/dev/ckhelper.c +++ b/security/nss/lib/dev/ckhelper.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: ckhelper.c,v $ $Revision: 1.38 $ $Date: 2008/09/30 04:09:02 $"; +static const char CVS_ID[] = "@(#) $RCSfile: ckhelper.c,v $ $Revision: 1.39 $ $Date: 2009/01/22 01:29:24 $"; #endif /* DEBUG */ #ifndef NSSCKEPV_H @@ -133,8 +133,8 @@ nssCKObject_GetAttributes ( /* Allocate memory for each attribute. */ for (i=0; ip_BL_Init)(); +} RSAPrivateKey * RSA_NewKey(int keySizeInBits, SECItem * publicExponent) @@ -1641,3 +1648,10 @@ Camellia_Decrypt(CamelliaContext *cx, unsigned char *output, return (vector->p_Camellia_Decrypt)(cx, output, outputLen, maxOutputLen, input, inputLen); } + +void BL_SetForkState(PRBool forked) +{ + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return; + (vector->p_BL_SetForkState)(forked); +} diff --git a/security/nss/lib/freebl/loader.h b/security/nss/lib/freebl/loader.h index 739387c26a5..4632528e0e9 100644 --- a/security/nss/lib/freebl/loader.h +++ b/security/nss/lib/freebl/loader.h @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: loader.h,v 1.22 2008/12/17 06:09:12 nelson%bolyard.com Exp $ */ +/* $Id: loader.h,v 1.23 2009/02/03 05:34:40 julien.pierre.boogz%sun.com Exp $ */ #ifndef _LOADER_H_ #define _LOADER_H_ 1 
@@ -518,6 +518,10 @@ struct FREEBLVectorStr { /* Version 3.011 came to here */ + SECStatus (* p_BL_Init)(void); + void ( * p_BL_SetForkState)(PRBool); + + /* Version 3.012 came to here */ }; typedef struct FREEBLVectorStr FREEBLVector; diff --git a/security/nss/lib/freebl/prng_fips1861.c b/security/nss/lib/freebl/prng_fips1861.c index b6e02ebeca3..dd24cae023c 100644 --- a/security/nss/lib/freebl/prng_fips1861.c +++ b/security/nss/lib/freebl/prng_fips1861.c @@ -35,7 +35,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: prng_fips1861.c,v 1.28 2008/11/18 19:48:23 rrelyea%redhat.com Exp $ */ +/* $Id: prng_fips1861.c,v 1.29 2009/02/03 05:34:41 julien.pierre.boogz%sun.com Exp $ */ #ifdef FREEBL_NO_DEPEND #include "stubs.h" @@ -53,6 +53,7 @@ #include "sha256.h" #include "secrng.h" /* for RNG_GetNoise() */ #include "secmpi.h" +#include "blapii.h" /* * The minimum amount of seed data required before the generator will @@ -188,7 +189,7 @@ freeRNGContext() SECStatus rv; /* destroy context lock */ - PZ_DestroyLock(globalrng->lock); + SKIP_AFTER_FORK(PZ_DestroyLock(globalrng->lock)); /* zero global RNG context except for XKEY to preserve entropy */ rv = SHA256_HashBuf(inputhash, globalrng->XKEY, BSIZE); diff --git a/security/nss/lib/freebl/rsa.c b/security/nss/lib/freebl/rsa.c index 91f47e1914e..83f9da5f383 100644 --- a/security/nss/lib/freebl/rsa.c +++ b/security/nss/lib/freebl/rsa.c @@ -37,7 +37,7 @@ /* * RSA key generation, public key op, private key op. * - * $Id: rsa.c,v 1.38 2008/11/18 19:48:24 rrelyea%redhat.com Exp $ + * $Id: rsa.c,v 1.39 2009/02/03 05:34:41 julien.pierre.boogz%sun.com Exp $ */ #ifdef FREEBL_NO_DEPEND #include "stubs.h" @@ -54,6 +54,7 @@ #include "mplogic.h" #include "secmpi.h" #include "secitem.h" +#include "blapii.h" /* ** Number of times to attempt to generate a prime (p or q) from a random 
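Review bot: The comment above the changed call in freeRNGContext still reads `/* destroy context lock */`, but with `SKIP_AFTER_FORK(PZ_DestroyLock(globalrng->lock))` the lock is deliberately left alone when the fork flag is set. The macro is defined in blapii.h, outside this hunk, so a reader here cannot tell that the skip is intentional or what it guards against. I would extend the comment to something like `/* destroy context lock; skipped in a forked child, see SKIP_AFTER_FORK in blapii.h */`. The same applies to the `SKIP_AFTER_FORK(PZ_DestroyLock(blindingParamsList.lock))` call added to RSA_Cleanup in rsa.c.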
@@ -602,10 +603,8 @@ get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen, struct RSABlindingParamsStr *rsabp = NULL; /* Init the list if neccessary (the init function is only called once!) */ if (blindingParamsList.lock == NULL) { - if (PR_CallOnce(&coBPInit, init_blinding_params_list) != PR_SUCCESS) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; - } + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } /* Acquire the list lock */ PZ_Lock(blindingParamsList.lock); @@ -921,6 +920,20 @@ cleanup: return rv; } +static SECStatus RSA_Init(void) +{ + if (PR_CallOnce(&coBPInit, init_blinding_params_list) != PR_SUCCESS) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + return SECSuccess; +} + +SECStatus BL_Init(void) +{ + return RSA_Init(); +} + /* cleanup at shutdown */ void RSA_Cleanup(void) { @@ -940,7 +953,7 @@ void RSA_Cleanup(void) if (blindingParamsList.lock) { - PZ_DestroyLock(blindingParamsList.lock); + SKIP_AFTER_FORK(PZ_DestroyLock(blindingParamsList.lock)); blindingParamsList.lock = NULL; } @@ -958,3 +971,14 @@ void BL_Cleanup(void) { RSA_Cleanup(); } + +PRBool parentForkedAfterC_Initialize; + +/* + * Set fork flag so it can be tested in SKIP_AFTER_FORK on relevant platforms. + */ +void BL_SetForkState(PRBool forked) +{ + parentForkedAfterC_Initialize = forked; +} + diff --git a/security/nss/lib/freebl/win_rand.c b/security/nss/lib/freebl/win_rand.c index 4a3f61b5993..b78598fdf37 100644 --- a/security/nss/lib/freebl/win_rand.c +++ b/security/nss/lib/freebl/win_rand.c @@ -36,8 +36,10 @@ #include "secrng.h" #include "secerr.h" + #ifdef XP_WIN #include +#include /* for CSIDL constants */ #if defined(_WIN32_WCE) #include /* Win CE puts lots of stuff here. */ @@ -49,13 +51,6 @@ #include #endif #include - -#ifndef _WIN32 -#define VTD_Device_ID 5 -#define OP_OVERRIDE _asm _emit 0x66 -#include -#endif - #include "prio.h" #include "prerror.h" 
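Review bot: The comment kept above `if (blindingParamsList.lock == NULL)` in get_blinding_params still says "Init the list if neccessary", but the new body no longer initialises anything: it sets SEC_ERROR_LIBRARY_FAILURE and returns SECFailure. The `PR_CallOnce(&coBPInit, init_blinding_params_list)` call now lives only in RSA_Init/BL_Init (added further down in this file), so any caller that reaches RSA private-key operations without BL_Init() having run will fail where it previously worked. Failing closed is reasonable for a blinding path, but the comment should say so, e.g. `/* The list is set up by BL_Init(); fail if that never ran. */`, and BL_Init deserves a header comment stating that it must be called before any RSA private-key operation. get_blinding_params continues outside the hunk.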
@@ -67,7 +62,6 @@ static DWORD dwNumFiles, dwReadEvery; static BOOL CurrentClockTickTime(LPDWORD lpdwHigh, LPDWORD lpdwLow) { -#ifdef _WIN32 LARGE_INTEGER liCount; if (!QueryPerformanceCounter(&liCount)) @@ -76,57 +70,6 @@ CurrentClockTickTime(LPDWORD lpdwHigh, LPDWORD lpdwLow) *lpdwHigh = liCount.u.HighPart; *lpdwLow = liCount.u.LowPart; return TRUE; - -#else /* is WIN16 */ - BOOL bRetVal; - FARPROC lpAPI; - WORD w1, w2, w3, w4; - - // Get direct access to the VTD and query the current clock tick time - _asm { - xor di, di - mov es, di - mov ax, 1684h - mov bx, VTD_Device_ID - int 2fh - mov ax, es - or ax, di - jz EnumerateFailed - - ; VTD API is available. First store the API address (the address actually - ; contains an instruction that causes a fault, the fault handler then - ; makes the ring transition and calls the API in the VxD) - mov word ptr lpAPI, di - mov word ptr lpAPI+2, es - mov ax, 100h ; API function to VTD_Get_Real_Time -; call dword ptr [lpAPI] - call [lpAPI] - - ; Result is in EDX:EAX which we will get 16-bits at a time - mov w2, dx - OP_OVERRIDE - shr dx,10h ; really "shr edx, 16" - mov w1, dx - - mov w4, ax - OP_OVERRIDE - shr ax,10h ; really "shr eax, 16" - mov w3, ax - - mov bRetVal, 1 ; return TRUE - jmp EnumerateExit - - EnumerateFailed: - mov bRetVal, 0 ; return FALSE - - EnumerateExit: - } - - *lpdwHigh = MAKELONG(w2, w1); - *lpdwLow = MAKELONG(w4, w3); - - return bRetVal; -#endif /* is WIN16 */ } size_t RNG_GetNoise(void *buf, size_t maxbuf) 
@@ -168,125 +111,100 @@ size_t RNG_GetNoise(void *buf, size_t maxbuf) if (maxbuf <= 0) return n; + { #if defined(_WIN32_WCE) - { // get the number of milliseconds elapsed since Windows CE was started. - DWORD tickCount = GetTickCount(); - nBytes = (sizeof tickCount) > maxbuf ? maxbuf : (sizeof tickCount); - memcpy(((char *)buf) + n, &tickCount, nBytes); - n += nBytes; - } + FILETIME sTime; + SYSTEMTIME st; + GetSystemTime(&st); + SystemTimeToFileTime(&st,&sTime); #else - { time_t sTime; // get the time in seconds since midnight Jan 1, 1970 time(&sTime); +#endif nBytes = sizeof(sTime) > maxbuf ? maxbuf : sizeof(sTime); memcpy(((char *)buf) + n, &sTime, nBytes); n += nBytes; } -#endif return n; } -#if defined(_WIN32_WCE) -static BOOL -EnumSystemFilesWithNSPR(const char * dirName, - BOOL recursive, - PRInt32 (*func)(const char *)) +typedef PRInt32 (* Handler)(const char *); +#define MAX_DEPTH 2 + +static void +EnumSystemFilesInFolder(Handler func, PRUnichar* szSysDir, int maxDepth) { - PRDir * pDir; - PRDirEntry * pEntry; - BOOL rv = FALSE; - - pDir = PR_OpenDir(dirName); - if (!pDir) - return rv; - while ((pEntry = PR_ReadDir(pDir, PR_SKIP_BOTH|PR_SKIP_HIDDEN)) != NULL) { - PRStatus status; - PRInt32 count; - PRInt32 stop; - PRFileInfo fileInfo; - char szFileName[_MAX_PATH]; - - count = (PRInt32)PR_snprintf(szFileName, sizeof szFileName, "%s\\%s", - dirName, PR_DirName(pEntry)); - if (count < 1) - continue; - status = PR_GetFileInfo(szFileName, &fileInfo); - if (status != PR_SUCCESS) - continue; - if (fileInfo.type == PR_FILE_FILE) { - stop = (*func)(szFileName); - rv = TRUE; - if (stop) - break; - continue; - } - if (recursive && fileInfo.type == PR_FILE_DIRECTORY) { - rv |= EnumSystemFilesWithNSPR(szFileName, recursive, func); - } - } - PR_CloseDir(pDir); - return rv; -} -#endif - -static BOOL -EnumSystemFiles(PRInt32 (*func)(const char *)) -{ -#if defined(_WIN32_WCE) - BOOL rv = FALSE; - rv |= EnumSystemFilesWithNSPR("\\Windows\\Temporary Internet Files", TRUE, 
func); - rv |= EnumSystemFilesWithNSPR("\\Temp", FALSE, func); - rv |= EnumSystemFilesWithNSPR("\\Windows", FALSE, func); - return rv; -#else - int iStatus; - char szSysDir[_MAX_PATH]; - char szFileName[_MAX_PATH]; -#ifdef _WIN32 - WIN32_FIND_DATA fdData; + int iContinue; HANDLE lFindHandle; -#else - struct _find_t fdData; -#endif - - if (!GetSystemDirectory(szSysDir, sizeof(szSysDir))) - return FALSE; + WIN32_FIND_DATAW fdData; + PRUnichar szFileName[_MAX_PATH]; + char narrowFileName[_MAX_PATH]; + if (maxDepth < 0) + return; // tack *.* on the end so we actually look for files. this will // not overflow - strcpy(szFileName, szSysDir); - strcat(szFileName, "\\*.*"); + wcscpy(szFileName, szSysDir); + wcscat(szFileName, L"\\*.*"); -#ifdef _WIN32 - lFindHandle = FindFirstFile(szFileName, &fdData); + lFindHandle = FindFirstFileW(szFileName, &fdData); if (lFindHandle == INVALID_HANDLE_VALUE) - return FALSE; + return; do { - // pass the full pathname to the callback - sprintf(szFileName, "%s\\%s", szSysDir, fdData.cFileName); - (*func)(szFileName); - iStatus = FindNextFile(lFindHandle, &fdData); - } while (iStatus != 0); + iContinue = 1; + if (wcscmp(fdData.cFileName, L".") == 0 || + wcscmp(fdData.cFileName, L"..") == 0) { + // skip "." and ".." 
+ } else { + // pass the full pathname to the callback + _snwprintf(szFileName, _MAX_PATH, L"%s\\%s", szSysDir, + fdData.cFileName); + if (fdData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { + EnumSystemFilesInFolder(func, szFileName, maxDepth - 1); + } else { + iContinue = WideCharToMultiByte(CP_ACP, 0, szFileName, -1, + narrowFileName, _MAX_PATH, + NULL, NULL); + if (iContinue) + iContinue = !(*func)(narrowFileName); + } + } + if (iContinue) + iContinue = FindNextFileW(lFindHandle, &fdData); + } while (iContinue); FindClose(lFindHandle); -#else - if (_dos_findfirst(szFileName, - _A_NORMAL | _A_RDONLY | _A_ARCH | _A_SUBDIR, &fdData) != 0) - return FALSE; - do { - // pass the full pathname to the callback - sprintf(szFileName, "%s\\%s", szSysDir, fdData.name); - (*func)(szFileName); - iStatus = _dos_findnext(&fdData); - } while (iStatus == 0); - _dos_findclose(&fdData); -#endif +} - return TRUE; +static BOOL +EnumSystemFiles(Handler func) +{ + PRUnichar szSysDir[_MAX_PATH]; + static const int folders[] = { + CSIDL_BITBUCKET, + CSIDL_RECENT, +#ifndef WINCE + CSIDL_INTERNET_CACHE, + CSIDL_COMPUTERSNEARME, + CSIDL_HISTORY, #endif + 0 + }; + int i = 0; + if (_MAX_PATH > (i = GetTempPathW(_MAX_PATH, szSysDir))) { + if (i > 0 && szSysDir[i-1] == L'\\') + szSysDir[i-1] = L'\0'; // we need to lop off the trailing slash + EnumSystemFilesInFolder(func, szSysDir, MAX_DEPTH); + } + for(i = 0; folders[i]; i++) { + DWORD rv = SHGetSpecialFolderPathW(NULL, szSysDir, folders[i], 0); + if (szSysDir[0]) + EnumSystemFilesInFolder(func, szSysDir, MAX_DEPTH); + szSysDir[0] = L'\0'; + } + return PR_TRUE; } static PRInt32 @@ -342,7 +260,6 @@ void RNG_SystemInfoForRNG(void) DWORD dwVal; char buffer[256]; int nBytes; -#ifdef _WIN32 MEMORYSTATUS sMem; HANDLE hVal; #if !defined(_WIN32_WCE) 
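Review bot: In EnumSystemFilesInFolder the `wcscpy`/`wcscat` pair that builds the search pattern is unbounded, and the "this will not overflow" comment no longer holds now that the function recurses: `szSysDir` is the caller's `szFileName`, which `_snwprintf` may have filled to `_MAX_PATH` characters and leaves unterminated when the output is truncated. A long enough path under the temp or special folders can therefore run past the `_MAX_PATH` stack buffer when the four pattern characters are appended. I would check both the `_snwprintf` result and the incoming length before appending, as in the excerpt below. Separately, in EnumSystemFiles a `GetTempPathW` return of 0 still passes the `_MAX_PATH > ...` test, so `szSysDir` is used without having been written, and the `SHGetSpecialFolderPathW` result stored in `rv` is never checked.

```c
static void
EnumSystemFilesInFolder(Handler func, PRUnichar* szSysDir, int maxDepth)
{
    /* ... unchanged: declarations ... */
    int nameLen;

    if (maxDepth < 0)
        return;
    /* need room for "\\*.*" and the terminator */
    if (wcslen(szSysDir) + 5 > _MAX_PATH)
        return;
    /* ... unchanged: wcscpy/wcscat, FindFirstFileW, "." and ".." skip ... */
            nameLen = _snwprintf(szFileName, _MAX_PATH, L"%s\\%s", szSysDir,
                                 fdData.cFileName);
            if (nameLen < 0 || nameLen >= _MAX_PATH) {
                /* truncated or unterminated path: skip this entry */
            } else if (fdData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
    /* ... unchanged: recursion, WideCharToMultiByte, FindNextFileW loop ... */
```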
@@ -352,17 +269,10 @@ void RNG_SystemInfoForRNG(void) char volName[128]; DWORD dwSectors, dwBytes, dwFreeClusters, dwNumClusters; #endif -#else - int iVal; - HTASK hTask; - WORD wDS, wCS; - LPSTR lpszEnv; -#endif nBytes = RNG_GetNoise(buffer, 20); // get up to 20 bytes RNG_RandomUpdate(buffer, nBytes); -#ifdef _WIN32 sMem.dwLength = sizeof(sMem); GlobalMemoryStatus(&sMem); // assorted memory stats RNG_RandomUpdate(&sMem, sizeof(sMem)); @@ -370,47 +280,12 @@ void RNG_SystemInfoForRNG(void) dwVal = GetLogicalDrives(); RNG_RandomUpdate(&dwVal, sizeof(dwVal)); // bitfields in bits 0-25 #endif -#else - dwVal = GetFreeSpace(0); - RNG_RandomUpdate(&dwVal, sizeof(dwVal)); - _asm mov wDS, ds; - _asm mov wCS, cs; - RNG_RandomUpdate(&wDS, sizeof(wDS)); - RNG_RandomUpdate(&wCS, sizeof(wCS)); -#endif - -#ifdef _WIN32 #if !defined(_WIN32_WCE) dwVal = sizeof(buffer); if (GetComputerName(buffer, &dwVal)) RNG_RandomUpdate(buffer, dwVal); #endif -/* XXX This is code that got yanked because of NSPR20. We should put it - * back someday. - */ -#ifdef notdef - { - POINT ptVal; - GetCursorPos(&ptVal); - RNG_RandomUpdate(&ptVal, sizeof(ptVal)); - } - - dwVal = GetQueueStatus(QS_ALLINPUT); // high and low significant - RNG_RandomUpdate(&dwVal, sizeof(dwVal)); - - { - HWND hWnd; - hWnd = GetClipboardOwner(); // 2 or 4 bytes - RNG_RandomUpdate((void *)&hWnd, sizeof(hWnd)); - } - - { - UUID sUuid; - UuidCreate(&sUuid); // this will fail on machines with no ethernet - RNG_RandomUpdate(&sUuid, sizeof(sUuid)); // boards. shove the bits in regardless - } -#endif hVal = GetCurrentProcess(); // 4 or 8 byte pseudo handle (a // constant!) of current process 
@@ -440,27 +315,14 @@ void RNG_SystemInfoForRNG(void) RNG_RandomUpdate(&dwSysFlags, sizeof(dwSysFlags)); RNG_RandomUpdate(buffer, strlen(buffer)); - if (GetDiskFreeSpace(NULL, &dwSectors, &dwBytes, &dwFreeClusters, &dwNumClusters)) { + if (GetDiskFreeSpace(NULL, &dwSectors, &dwBytes, &dwFreeClusters, + &dwNumClusters)) { RNG_RandomUpdate(&dwSectors, sizeof(dwSectors)); RNG_RandomUpdate(&dwBytes, sizeof(dwBytes)); RNG_RandomUpdate(&dwFreeClusters, sizeof(dwFreeClusters)); RNG_RandomUpdate(&dwNumClusters, sizeof(dwNumClusters)); } #endif -#else /* is WIN16 */ - hTask = GetCurrentTask(); - RNG_RandomUpdate((void *)&hTask, sizeof(hTask)); - - iVal = GetNumTasks(); - RNG_RandomUpdate(&iVal, sizeof(iVal)); // number of running tasks - - lpszEnv = GetDOSEnvironment(); - while (*lpszEnv != '\0') { - RNG_RandomUpdate(lpszEnv, strlen(lpszEnv)); - - lpszEnv += strlen(lpszEnv) + 1; - } -#endif /* is WIN16 */ // now let's do some files ReadSystemFiles(); @@ -477,12 +339,7 @@ void RNG_FileForRNG(const char *filename) PRFileInfo infoBuf; unsigned char buffer[1024]; - /* windows doesn't initialize all the bytes in the stat buf, - * so initialize them all here to avoid UMRs. - */ - memset(&infoBuf, 0, sizeof infoBuf); - - if (PR_GetFileInfo(filename, &infoBuf) < 0) + if (PR_GetFileInfo(filename, &infoBuf) != PR_SUCCESS) return; RNG_RandomUpdate((unsigned char*)&infoBuf, sizeof(infoBuf)); 
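Review bot: Removing `memset(&infoBuf, 0, sizeof infoBuf);` from RNG_FileForRNG means the following `RNG_RandomUpdate((unsigned char*)&infoBuf, sizeof(infoBuf))` again reads whatever bytes of the struct `PR_GetFileInfo` does not write, which is the uninitialised-memory read the deleted comment described. Unless PR_GetFileInfo is known to fill every byte, padding included, I would keep the memset and its comment. The change of the failure test from `< 0` to `!= PR_SUCCESS` is fine on its own. The function body continues outside the hunk.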
@@ -508,6 +365,25 @@ void RNG_FileForRNG(const char *filename) RNG_RandomUpdate(buffer, nBytes); } +/* + * The Windows CE and Windows Mobile FIPS Security Policy, page 13, + * (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp825.pdf) + * says CeGenRandom is the right function to call for creating a seed + * for a random number generator. + */ +size_t RNG_SystemRNG(void *dest, size_t maxLen) +{ + size_t bytes = 0; + if (CeGenRandom(maxLen, dest)) { + bytes = maxLen; + } + if (bytes == 0) { + PORT_SetError(SEC_ERROR_NEED_RANDOM); /* system RNG failed */ + } + return bytes; +} + + #else /* not WinCE */ void RNG_FileForRNG(const char *filename) @@ -550,8 +426,6 @@ void RNG_FileForRNG(const char *filename) RNG_RandomUpdate(buffer, nBytes); } -#endif /* not WinCE */ - /* * CryptoAPI requires Windows NT 4.0 or Windows 95 OSR2 and later. * Until we drop support for Windows 95, we need to emulate some @@ -644,5 +518,6 @@ done: FreeLibrary(hModule); return bytes; } +#endif /* not WinCE */ #endif /* is XP_WIN */ diff --git a/security/nss/lib/libpkix/include/pkix_certstore.h b/security/nss/lib/libpkix/include/pkix_certstore.h index 25e07c92013..42e202760b5 100644 --- a/security/nss/lib/libpkix/include/pkix_certstore.h +++ b/security/nss/lib/libpkix/include/pkix_certstore.h @@ -346,6 +346,7 @@ typedef PKIX_Error * PKIX_PL_Cert *cert, PKIX_PL_Cert *issuer, PKIX_PL_Date *date, + PKIX_Boolean delayCrlSigCheck, PKIX_UInt32 *reasonCode, PKIX_RevocationStatus *revStatus, void *plContext); diff --git a/security/nss/lib/libpkix/include/pkix_errorstrings.h b/security/nss/lib/libpkix/include/pkix_errorstrings.h index 9e7a1744fbc..9d0f337df3a 100644 --- a/security/nss/lib/libpkix/include/pkix_errorstrings.h +++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h 
@@ -240,6 +240,7 @@ PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJPKALGIDFAILED,pkix_CertSelector_Match_SubjP PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJPUBKEYFAILED,pkix_CertSelector_Match_SubjPubKey failed,0), PKIX_ERRORENTRY(CERTSELECTORSELECTFAILED,pkix_CertSelector_Select failed,0), PKIX_ERRORENTRY(CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED,PKIX_CertSelector_SetCommonCertSelectorParams failed,0), +PKIX_ERRORENTRY(CERTSETASTRUSTANCHORFAILED, PKIX_PL_Cert_SetAsTrustAnchor failed, 0), PKIX_ERRORENTRY(CERTSETCACHEFLAGFAILED,PKIX_PL_Cert_SetCacheFlag failed,0), PKIX_ERRORENTRY(CERTSETTRUSTCERTSTOREFAILED,PKIX_PL_Cert_SetTrustCertStore failed,0), PKIX_ERRORENTRY(CERTSTORECERTCONTINUEFAILED,PKIX_CertStore_CertContinue failed,0), @@ -435,6 +436,7 @@ PKIX_ERRORENTRY(DERUTCTIMETOASCIIFAILED,DER_UTCTimeToAscii failed,0), PKIX_ERRORENTRY(DESTROYSPKIFAILED,pkix_pl_DestroySPKI failed,0), PKIX_ERRORENTRY(DIRECTORYNAMECREATEFAILED,pkix_pl_DirectoryName_Create failed,0), PKIX_ERRORENTRY(DUPLICATEIMMUTABLEFAILED,pkix_duplicateImmutable failed,0), +PKIX_ERRORENTRY(CANNOTSORTIMMUTABLELIST,pkix_List_BubbleSort can not sort immutable list,0), PKIX_ERRORENTRY(EKUCHECKERGETREQUIREDEKUFAILED,pkix_pl_EkuChecker_GetRequiredEku failed,0), PKIX_ERRORENTRY(EKUCHECKERINITIALIZEFAILED,PKIX_PL_EkuChecker_Initialize failed,0), PKIX_ERRORENTRY(EKUCHECKERSTATECREATEFAILED,pkix_pl_EkuCheckerState_Create failed,0), 
@@ -477,6 +479,7 @@ PKIX_ERRORENTRY(EXTRACTPARAMETERSFAILED,pkix_ExtractParameters failed,0), PKIX_ERRORENTRY(FAILEDINENCODINGSEARCHREQUEST,failed in encoding searchRequest,SEC_ERROR_FAILED_TO_ENCODE_DATA), PKIX_ERRORENTRY(FAILEDTOGETNSSTRUSTANCHORS,Failed to get nss trusted roots,0), PKIX_ERRORENTRY(FAILEDTOGETTRUST, failed to get trust from the cert,0), +PKIX_ERRORENTRY(FAILTOSELECTCERTSFROMANCHORS,failed to select certs from anchors,0), PKIX_ERRORENTRY(FAILUREHASHINGCERT,Failure hashing Cert,0), PKIX_ERRORENTRY(FAILUREHASHINGERROR,Failure hashing Error,0), PKIX_ERRORENTRY(FAILUREHASHINGLISTEXPECTEDPOLICYSET,Failure hashing PKIX_List expectedPolicySet,0), @@ -674,6 +677,7 @@ PKIX_ERRORENTRY(LISTGETLENGTHFAILED,PKIX_List_GetLength failed,0), PKIX_ERRORENTRY(LISTHASHCODEFAILED,pkix_List_Hashcode failed,0), PKIX_ERRORENTRY(LISTINSERTITEMFAILED,PKIX_List_InsertItem failed,0), PKIX_ERRORENTRY(LISTISEMPTYFAILED,PKIX_List_IsEmpty failed,0), +PKIX_ERRORENTRY(LISTMERGEFAILED,pkix_List_MergeList failed,0), PKIX_ERRORENTRY(LISTQUICKSORTFAILED,pkix_List_QuickSort failed,0), PKIX_ERRORENTRY(LISTREMOVEFAILED,pkix_List_Remove failed,0), PKIX_ERRORENTRY(LISTREMOVEITEMSFAILED,pkix_List_RemoveItems failed,0), diff --git a/security/nss/lib/libpkix/include/pkix_pl_pki.h b/security/nss/lib/libpkix/include/pkix_pl_pki.h index fbdef00acd8..794fa1c8c52 100644 --- a/security/nss/lib/libpkix/include/pkix_pl_pki.h +++ b/security/nss/lib/libpkix/include/pkix_pl_pki.h @@ -1511,6 +1511,8 @@ PKIX_PL_Cert_VerifySignature( * "cert" * Address of Cert whose trustworthiness is to be determined. Must be * non-NULL. + * "trustOnlyUserAnchors" + * States that we can only trust explicitly defined user trust anchors. * "pTrusted" * Address where the Boolean value will be stored. Must be non-NULL. * "plContext" 
@@ -1525,9 +1527,15 @@ PKIX_PL_Cert_VerifySignature( PKIX_Error * PKIX_PL_Cert_IsCertTrusted( PKIX_PL_Cert *cert, + PKIX_Boolean trustOnlyUserAnchors, PKIX_Boolean *pTrusted, void *plContext); +/* FUNCTION: PKIX_PL_Cert_SetAsTrustAnchor */ +PKIX_Error* +PKIX_PL_Cert_SetAsTrustAnchor(PKIX_PL_Cert *cert, + void *plContext); + /* * FUNCTION: PKIX_PL_Cert_GetCacheFlag * DESCRIPTION: diff --git a/security/nss/lib/libpkix/include/pkix_revchecker.h b/security/nss/lib/libpkix/include/pkix_revchecker.h index 7158e87cf07..261f7859eb0 100644 --- a/security/nss/lib/libpkix/include/pkix_revchecker.h +++ b/security/nss/lib/libpkix/include/pkix_revchecker.h @@ -126,7 +126,6 @@ extern "C" { */ PKIX_Error * PKIX_RevocationChecker_Create( - PKIX_PL_Date *revDate, PKIX_UInt32 leafMethodListFlags, PKIX_UInt32 chainMethodListFlags, PKIX_RevocationChecker **pChecker, diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.c index 8bb95688b11..362f2df3187 100644 --- a/security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.c +++ b/security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.c @@ -226,7 +226,8 @@ pkix_CrlChecker_CheckLocal( pkix_RevocationMethod *checkerObject, PKIX_ProcessingParams *procParams, PKIX_UInt32 methodFlags, - PKIX_RevocationStatus *revStatus, + PKIX_Boolean chainVerificationState, + PKIX_RevocationStatus *pRevStatus, PKIX_UInt32 *pReasonCode, void *plContext) { @@ -237,6 +238,7 @@ pkix_CrlChecker_CheckLocal( PKIX_UInt32 crlStoreIndex = 0; PKIX_UInt32 numCrlStores = 0; PKIX_Boolean storeIsLocal = PKIX_FALSE; + PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo; PKIX_ENTER(CERTCHAINCHECKER, "pkix_CrlChecker_CheckLocal"); PKIX_NULLCHECK_FOUR(cert, issuer, checkerObject, checkerObject); 
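Review bot: PKIX_PL_Cert_SetAsTrustAnchor is declared with only a one-line `/* FUNCTION: PKIX_PL_Cert_SetAsTrustAnchor */` marker, while the neighbouring declarations in this header carry a full DESCRIPTION / PARAMETERS / RETURNS block. Judging by its name, the function changes how a certificate is treated in trust decisions, so the header should state what it records on `cert`, whether that can be undone, and how it relates to the new `trustOnlyUserAnchors` argument of PKIX_PL_Cert_IsCertTrusted. I would add a block in the same format as the one above PKIX_PL_Cert_IsCertTrusted, including the THREAD SAFETY and RETURNS sections if the rest of the file uses them.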
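Review bot: `PKIX_NULLCHECK_FOUR(cert, issuer, checkerObject, checkerObject)` in pkix_CrlChecker_CheckLocal lists `checkerObject` twice, and with this commit the function writes `*pRevStatus = revStatus;` unconditionally at `cleanup:` (the -280 hunk of this file), so a NULL `pRevStatus` is dereferenced without a check. The duplicate looks like a slip; `PKIX_NULLCHECK_FOUR(cert, issuer, checkerObject, pRevStatus);` would cover the new write. The same unconditional pattern is added for `*pReasonCode` in the cleanup of pkix_OcspChecker_CheckLocal and pkix_OcspChecker_CheckExternal; whether those pointers are null-checked is not visible in the hunks. The function body continues outside this hunk.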
@@ -268,10 +270,14 @@ pkix_CrlChecker_CheckLocal( if (storeCheckRevocationFn) { PKIX_CHECK( storeCheckRevocationFn(certStore, cert, issuer, - date, &reasonCode, - revStatus, plContext), + date, + /* delay sig check if building + * a chain */ + !chainVerificationState, + &reasonCode, + &revStatus, plContext), PKIX_CERTSTORECRLCHECKFAILED); - if (*revStatus == PKIX_RevStatus_Revoked) { + if (revStatus == PKIX_RevStatus_Revoked) { break; } } @@ -280,6 +286,7 @@ pkix_CrlChecker_CheckLocal( } /* while */ cleanup: + *pRevStatus = revStatus; PKIX_DECREF(certStore); PKIX_RETURN(CERTCHAINCHECKER); @@ -426,6 +433,7 @@ pkix_CrlChecker_CheckExternal( PKIX_CHECK( storeCheckRevocationFn(certStore, cert, issuer, date, + PKIX_FALSE /* do not delay sig check */, &reasonCode, &revStatus, plContext), PKIX_CERTSTORECRLCHECKFAILED); if (revStatus != PKIX_RevStatus_NoInfo) { diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.h index b269d0c3362..6255e946e02 100644 --- a/security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.h +++ b/security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.h @@ -62,6 +62,7 @@ pkix_CrlChecker_CheckLocal( pkix_RevocationMethod *checkerObject, PKIX_ProcessingParams *procParams, PKIX_UInt32 methodFlags, + PKIX_Boolean chainVerificationState, PKIX_RevocationStatus *pRevStatus, PKIX_UInt32 *reasonCode, void *plContext); diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c index 2dc591a1823..78e3b329309 100644 --- a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c +++ b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c @@ -165,6 +165,7 @@ pkix_OcspChecker_CheckLocal( pkix_RevocationMethod *checkerObject, PKIX_ProcessingParams *procParams, PKIX_UInt32 methodFlags, + PKIX_Boolean chainVerificationState, PKIX_RevocationStatus *pRevStatus, PKIX_UInt32 *pReasonCode, void *plContext) 
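Review bot: Passing `!chainVerificationState` as the new `delayCrlSigCheck` argument defers the CRL signature check whenever a chain is being built, yet the loop still breaks on `PKIX_RevStatus_Revoked` and the status is handed back through `*pRevStatus` like a verified answer. Nothing in this hunk shows where the deferred signature check is eventually performed. I would add a comment at the call naming that place, e.g. `/* CRL signature is verified later in <function name>; status is provisional until then */`, and document `delayCrlSigCheck` in the callback's header comment in pkix_certstore.h, which gains the parameter without a description. The function body continues outside the hunk.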
@@ -203,6 +204,11 @@ pkix_OcspChecker_CheckLocal( cleanup: *pRevStatus = revStatus; + + /* ocsp carries only tree statuses: good, bad, and unknown. + * revStatus is used to pass them. reasonCode is always set + * to be unknown. */ + *pReasonCode = crlEntryReasonUnspecified; PKIX_DECREF(cid); PKIX_RETURN(OCSPCHECKER); @@ -314,7 +320,6 @@ pkix_OcspChecker_CheckExternal( goto cleanup; } if (passed == PKIX_FALSE) { - resultCode = PORT_GetError(); goto cleanup; } @@ -336,6 +341,11 @@ cleanup: } *pRevStatus = revStatus; + /* ocsp carries only tree statuses: good, bad, and unknown. + * revStatus is used to pass them. reasonCode is always set + * to be unknown. */ + *pReasonCode = crlEntryReasonUnspecified; + if (!passed && cid && cid->certID) { /* We still own the certID object, which means that * it did not get consumed to create a cache entry. diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.h index 16462744fe8..89c1a1cc511 100644 --- a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.h +++ b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.h @@ -61,6 +61,7 @@ pkix_OcspChecker_CheckLocal( pkix_RevocationMethod *checkerObject, PKIX_ProcessingParams *procParams, PKIX_UInt32 methodFlags, + PKIX_Boolean chainVerificationState, PKIX_RevocationStatus *pRevStatus, PKIX_UInt32 *reasonCode, void *plContext); diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c index 75920d9645c..9c076f8a1b7 100644 --- a/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c +++ b/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c @@ -67,7 +67,6 @@ pkix_RevocationChecker_Destroy( checker = (PKIX_RevocationChecker *)object; - PKIX_DECREF(checker->date); PKIX_DECREF(checker->leafMethodList); PKIX_DECREF(checker->chainMethodList); 
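Review bot: The comment added under `cleanup:` says "tree statuses" where "three statuses" is meant, and it calls the reason code "unknown" while the code stores `crlEntryReasonUnspecified`; suggested wording: `/* OCSP reports only three statuses (good, revoked, unknown), carried in revStatus; the reason code is always crlEntryReasonUnspecified. */`. The same comment is repeated in the `pkix_OcspChecker_CheckExternal` hunk further down this file. Both assignments write through `pReasonCode` on every exit path, so it should be covered by the functions' null checks if it is not already; those checks are outside the visible lines.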
@@ -116,8 +115,7 @@ pkix_RevocationChecker_Duplicate( } PKIX_CHECK( - PKIX_RevocationChecker_Create(checker->date, - checker->leafMethodListFlags, + PKIX_RevocationChecker_Create(checker->leafMethodListFlags, checker->chainMethodListFlags, &checkerDuplicate, plContext), @@ -201,7 +199,6 @@ pkix_RevocationChecker_SortComparator( */ PKIX_Error * PKIX_RevocationChecker_Create( - PKIX_PL_Date *revDate, PKIX_UInt32 leafMethodListFlags, PKIX_UInt32 chainMethodListFlags, PKIX_RevocationChecker **pChecker, @@ -219,9 +216,6 @@ PKIX_RevocationChecker_Create( plContext), PKIX_COULDNOTCREATECERTCHAINCHECKEROBJECT); - PKIX_INCREF(revDate); - checker->date = revDate; - checker->leafMethodListFlags = leafMethodListFlags; checker->chainMethodListFlags = chainMethodListFlags; checker->leafMethodList = NULL; @@ -341,12 +335,13 @@ PKIX_RevocationChecker_Check( PKIX_Boolean onlyUseRemoteMethods = PKIX_FALSE; PKIX_UInt32 revFlags = 0; PKIX_List *revList = NULL; + PKIX_PL_Date *date = NULL; pkix_RevocationMethod *method = NULL; void *nbioContext; int tries; PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_Check"); - PKIX_NULLCHECK_ONE(revChecker); + PKIX_NULLCHECK_TWO(revChecker, procParams); nbioContext = *pNbioContext; *pNbioContext = NULL; @@ -366,6 +361,8 @@ PKIX_RevocationChecker_Check( PORT_Memset(methodStatus, PKIX_RevStatus_NoInfo, sizeof(PKIX_RevocationStatus) * PKIX_RevocationMethod_MAX); + date = procParams->date; + /* Need to have two loops if we testing all local info first: * first we are going to test all local(cached) info * second, all remote info(fetching) */ 
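Review bot: `date = procParams->date;` reads the field directly and keeps a borrowed pointer without `PKIX_INCREF`, unlike the removed `checker->date`, which the checker owned and released in its destructor. That is fine only while `procParams` cannot change or release its date during the call, including across a non-blocking I/O resume; a one-line comment such as `/* borrowed from procParams; not owned, do not DECREF */` would record the assumption. Whether a NULL date is acceptable to the `localRevChecker` and `externalRevChecker` callbacks is not visible here and should be stated as well.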
@@ -392,22 +389,24 @@ PKIX_RevocationChecker_Check( PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo; pkixErrorResult = - (*method->localRevChecker)(cert, issuer, - revChecker->date, + (*method->localRevChecker)(cert, issuer, date, method, procParams, - methodFlags, &revStatus, + methodFlags, + chainVerificationState, + &revStatus, pReasonCode, plContext); methodStatus[methodNum] = revStatus; + if (revStatus == PKIX_RevStatus_Revoked) { + /* if error was generated use it as final error. */ + overallStatus = PKIX_RevStatus_Revoked; + goto cleanup; + } if (pkixErrorResult) { /* Disregard errors. Only returned revStatus matters. */ PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult, plContext); pkixErrorResult = NULL; } - if (revStatus == PKIX_RevStatus_Revoked) { - overallStatus = PKIX_RevStatus_Revoked; - goto cleanup; - } } if ((!(revFlags & PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST) || onlyUseRemoteMethods) && @@ -416,23 +415,23 @@ PKIX_RevocationChecker_Check( if (!(methodFlags & PKIX_REV_M_FORBID_NETWORK_FETCHING)) { PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo; pkixErrorResult = - (*method->externalRevChecker)(cert, issuer, - revChecker->date, + (*method->externalRevChecker)(cert, issuer, date, method, procParams, methodFlags, &revStatus, pReasonCode, &nbioContext, plContext); methodStatus[methodNum] = revStatus; + if (revStatus == PKIX_RevStatus_Revoked) { + /* if error was generated use it as final error. */ + overallStatus = PKIX_RevStatus_Revoked; + goto cleanup; + } if (pkixErrorResult) { /* Disregard errors. Only returned revStatus matters. */ PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult, plContext); pkixErrorResult = NULL; } - if (revStatus == PKIX_RevStatus_Revoked) { - overallStatus = PKIX_RevStatus_Revoked; - goto cleanup; - } } else if (methodFlags & PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO) { /* Info is not in the local cache. Network fetching is not 
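Review bot: The comment `/* if error was generated use it as final error. */` sits inside the `PKIX_RevStatus_Revoked` branch, but nothing in that branch touches `pkixErrorResult`; the effect comes only from jumping to `cleanup` before the "Disregard errors" block releases the error. Stating that directly protects it from a later reorder: `/* Revoked: skip the DecRef below so a checker error, if any, is returned as the final error. */`. The same applies to the `externalRevChecker` hunk that follows. Callers can now presumably receive a non-NULL error together with `PKIX_RevStatus_Revoked`, which belongs in the function's header comment (outside this hunk).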
diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.h b/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.h index 1240dc149ca..5a10e125174 100644 --- a/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.h +++ b/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.h @@ -166,7 +166,6 @@ extern "C" { /* Defines check time for the cert, revocation methods lists and * flags for leaf and chain certs revocation tests. */ struct PKIX_RevocationCheckerStruct { - PKIX_PL_Date *date; PKIX_List *leafMethodList; PKIX_List *chainMethodList; PKIX_UInt32 leafMethodListFlags; diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h b/security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h index cc7526a4193..3ce18945956 100644 --- a/security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h +++ b/security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h @@ -62,6 +62,7 @@ pkix_LocalRevocationCheckFn(PKIX_PL_Cert *cert, PKIX_PL_Cert *issuer, pkix_RevocationMethod *checkerObject, PKIX_ProcessingParams *procParams, PKIX_UInt32 methodFlags, + PKIX_Boolean chainVerificationState, PKIX_RevocationStatus *pRevStatus, PKIX_UInt32 *reasonCode, void *plContext); diff --git a/security/nss/lib/libpkix/pkix/params/pkix_procparams.c b/security/nss/lib/libpkix/pkix/params/pkix_procparams.c index 4769af67026..7253495fe41 100644 --- a/security/nss/lib/libpkix/pkix/params/pkix_procparams.c +++ b/security/nss/lib/libpkix/pkix/params/pkix_procparams.c @@ -567,9 +567,12 @@ PKIX_ProcessingParams_Create( PKIX_CHECK(PKIX_List_SetImmutable(params->trustAnchors, plContext), PKIX_LISTSETIMMUTABLEFAILED); + PKIX_CHECK(PKIX_PL_Date_Create_UTCTime + (NULL, ¶ms->date, plContext), + PKIX_DATECREATEUTCTIMEFAILED); + params->hintCerts = NULL; params->constraints = NULL; - params->date = NULL; params->initialPolicies = NULL; params->initialPolicyMappingInhibit = PKIX_FALSE; params->initialAnyPolicyInhibit = PKIX_FALSE; 
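Review bot: The `PKIX_PL_Date_Create_UTCTime` call is placed ahead of the `params->hintCerts = NULL; params->constraints = NULL; ...` initialisers, so if it fails `PKIX_CHECK` leaves the function with those fields never assigned; unless the allocator zeroes the object (not visible here), releasing `params` on the error path would touch uninitialised pointers. Moving the new call below the field initialisers avoids that. Separately, the default date is now fixed when the params object is created rather than left NULL, so a long-lived `PKIX_ProcessingParams` would presumably validate against a stale time unless the caller sets the date; that deserves a line in the function's documentation. The body of `PKIX_ProcessingParams_Create` extends beyond this hunk.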
diff --git a/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c b/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c index 1e69dfeb8bd..b903bb248a1 100644 --- a/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c +++ b/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c @@ -393,6 +393,10 @@ PKIX_TrustAnchor_CreateWithCert( PKIX_COULDNOTCREATETRUSTANCHOROBJECT); /* initialize fields */ + PKIX_CHECK( + PKIX_PL_Cert_SetAsTrustAnchor(cert, plContext), + PKIX_CERTSETASTRUSTANCHORFAILED); + PKIX_INCREF(cert); anchor->trustedCert = cert; diff --git a/security/nss/lib/libpkix/pkix/results/pkix_verifynode.c b/security/nss/lib/libpkix/pkix/results/pkix_verifynode.c index 9c6dccc931b..433030728e3 100644 --- a/security/nss/lib/libpkix/pkix/results/pkix_verifynode.c +++ b/security/nss/lib/libpkix/pkix/results/pkix_verifynode.c @@ -1203,7 +1203,7 @@ pkix_VerifyNode_FindError( } } - if (node->error) { + if (node->error && node->error->plErr) { PKIX_INCREF(node->error); *error = node->error; } diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.c b/security/nss/lib/libpkix/pkix/top/pkix_build.c index 2f1f4dd1752..45bfa5ea534 100644 --- a/security/nss/lib/libpkix/pkix/top/pkix_build.c +++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c @@ -126,14 +126,12 @@ pkix_ForwardBuilderState_Destroy( state->numAias = 0; state->certIndex = 0; state->aiaIndex = 0; - state->anchorIndex = 0; state->certCheckedIndex = 0; state->checkerIndex = 0; state->hintCertIndex = 0; state->numFanout = 0; state->numDepth = 0; state->reasonCode = 0; - state->dsaParamsNeeded = PKIX_FALSE; state->revCheckDelayed = PKIX_FALSE; state->canBeCached = PKIX_FALSE; state->useOnlyLocal = PKIX_FALSE; 
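Review bot: `PKIX_PL_Cert_SetAsTrustAnchor(cert, plContext)` changes the caller's certificate object rather than the new anchor, so the trust mark presumably outlives the `PKIX_TrustAnchor` and follows the cert wherever that object is shared or cached. If the same `PKIX_PL_Cert` can later be seen by a validation run with a different anchor list, `PKIX_PL_Cert_IsCertTrusted` with `trustOnlyUserAnchors` set may report it as trusted there as well; please confirm how the flag is scoped and document it here, e.g. `/* marks cert itself; the mark is not cleared when the anchor is destroyed */`. The call also runs before `PKIX_INCREF(cert)` and relies on a null check of `cert` that is outside this hunk.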
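Review bot: The added `node->error->plErr` test silently changes which failure `pkix_VerifyNode_FindError` reports, and there is no comment saying why errors without a platform error are skipped. A short why-comment would help, for example `/* only report nodes whose error carries a platform error code */`, with the wording to be confirmed by the author. The function starts outside this hunk.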
@@ -195,8 +193,6 @@ cleanup: * Number of Certs that can be considered at this level (0 = no limit) * "numDepth" * Number of additional levels that can be searched (0 = no limit) - * "dsaParamsNeeded" - * Boolean value indicating whether DSA parameters are needed. * "revCheckDelayed" * Boolean value indicating whether rev check is delayed until after * entire chain is built. @@ -230,7 +226,6 @@ pkix_ForwardBuilderState_Create( PKIX_Int32 traversedCACerts, PKIX_UInt32 numFanout, PKIX_UInt32 numDepth, - PKIX_Boolean dsaParamsNeeded, PKIX_Boolean revCheckDelayed, PKIX_Boolean canBeCached, PKIX_PL_Date *validityDate, @@ -260,7 +255,6 @@ pkix_ForwardBuilderState_Create( state->numAias = 0; state->certIndex = 0; state->aiaIndex = 0; - state->anchorIndex = 0; state->certCheckedIndex = 0; state->checkerIndex = 0; state->hintCertIndex = 0; @@ -268,7 +262,6 @@ pkix_ForwardBuilderState_Create( state->numDepth = numDepth; state->reasonCode = 0; state->revChecking = numDepth; - state->dsaParamsNeeded = dsaParamsNeeded; state->revCheckDelayed = revCheckDelayed; state->canBeCached = canBeCached; state->useOnlyLocal = PKIX_TRUE; @@ -443,7 +436,6 @@ pkix_ForwardBuilderState_ToString "\tnumFanout: \t%d\n" "\tnumDepth: \t%d\n" "\treasonCode: \t%d\n" - "\tdsaParamsNeeded: \t%d\n" "\trevCheckDelayed: \t%d\n" "\tcanBeCached: \t%d\n" "\tuseOnlyLocal: \t%d\n" @@ -501,8 +493,6 @@ pkix_ForwardBuilderState_ToString break; case BUILD_ADDTOCHAIN: asciiStatus = "BUILD_ADDTOCHAIN"; break; - case BUILD_CHECKWITHANCHORS:asciiStatus = "BUILD_CHECKWITHANCHORS"; - break; case BUILD_CRL2: asciiStatus = "BUILD_CRL2"; break; case BUILD_VALCHAIN: asciiStatus = "BUILD_VALCHAIN"; @@ -573,7 +563,6 @@ pkix_ForwardBuilderState_ToString (PKIX_UInt32)state->numFanout, (PKIX_UInt32)state->numDepth, (PKIX_UInt32)state->reasonCode, - state->dsaParamsNeeded, state->revCheckDelayed, state->canBeCached, state->useOnlyLocal, 
@@ -747,193 +736,6 @@ pkix_ForwardBuilderState_IsIOPending( /* --Private-BuildChain-Functions------------------------------------------- */ -/* - * FUNCTION: pkix_Build_CheckCertAgainstAnchor - * DESCRIPTION: - * - * Checks whether the Cert pointed to by "candidateCert" successfully chains to - * the TrustAnchor pointed to by "anchor". Successful chaining includes - * successful subject/issuer name chaining, using the List of traversed subject - * names pointed to by "traversedSubjNames" to check for name constraints - * violation, and successful signature verification. If the "candidateCert" - * successfully chains, PKIX_TRUE is stored at the address pointed to by - * "pPassed". Otherwise PKIX_FALSE is stored. - * - * If a non-NULL VerifyNode is supplied, then this function will, in the event - * of a failure, set the Error associated with the failure in the VerifyNode. - * . - * - * PARAMETERS: - * "candidateCert" - * Address of Cert that is being checked. Must be non-NULL. - * "anchor" - * Address of TrustAnchor with which the Cert must successfully chain. - * Must be non-NULL. - * "traversedSubjNames" - * Address of List of subject names in certificates previously traversed. - * Must be non-NULL. - * "pPassed" - * Address at which Boolean result is stored. Must be non-NULL. - * "verifyNode" - * Address of the VerifyNode to receive the Error. May be NULL. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a Build Error if the function fails in a non-fatal way - * Returns a Fatal Error if the function fails in an unrecoverable way. 
- */ -static PKIX_Error * -pkix_Build_CheckCertAgainstAnchor( - PKIX_PL_Cert *candidateCert, - PKIX_TrustAnchor *anchor, - PKIX_List *traversedSubjNames, - PKIX_Boolean *pPassed, - PKIX_VerifyNode *verifyNode, - void *plContext) -{ - PKIX_PL_Cert *trustedCert = NULL; - PKIX_PL_CertNameConstraints *anchorNC = NULL; - PKIX_CertSelector *certSel = NULL; - PKIX_ComCertSelParams *certSelParams = NULL; - PKIX_PL_X500Name *trustedSubject = NULL; - PKIX_PL_X500Name *candidateIssuer = NULL; - PKIX_CertSelector_MatchCallback selectorMatch = NULL; - PKIX_Boolean certMatch = PKIX_TRUE; - PKIX_Boolean anchorMatch = PKIX_FALSE; - PKIX_PL_PublicKey *trustedPubKey = NULL; - PKIX_VerifyNode *anchorVerifyNode = NULL; - PKIX_Error *verifyError = NULL; - - PKIX_ENTER(BUILD, "pkix_Build_CheckCertAgainstAnchor"); - PKIX_NULLCHECK_THREE(anchor, candidateCert, pPassed); - - *pPassed = PKIX_FALSE; - - PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert - (anchor, &trustedCert, plContext), - PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); - - PKIX_CHECK(PKIX_PL_Cert_GetSubject - (trustedCert, &trustedSubject, plContext), - PKIX_CERTGETSUBJECTFAILED); - - PKIX_NULLCHECK_ONE(trustedSubject); - - PKIX_CHECK(PKIX_PL_Cert_GetIssuer - (candidateCert, &candidateIssuer, plContext), - PKIX_CERTGETISSUERFAILED); - - PKIX_CHECK(PKIX_PL_X500Name_Match - (trustedSubject, candidateIssuer, &anchorMatch, plContext), - PKIX_X500NAMEMATCHFAILED); - - if (!anchorMatch) { - goto cleanup; - } - - PKIX_CHECK(PKIX_TrustAnchor_GetNameConstraints - (anchor, &anchorNC, plContext), - PKIX_TRUSTANCHORGETNAMECONSTRAINTSFAILED); - - if (anchorNC == NULL) { - PKIX_CHECK(PKIX_CertSelector_Create - (NULL, NULL, &certSel, plContext), - PKIX_CERTSELECTORCREATEFAILED); - - PKIX_CHECK(PKIX_ComCertSelParams_Create - (&certSelParams, plContext), - PKIX_COMCERTSELPARAMSCREATEFAILED); - - PKIX_NULLCHECK_ONE(traversedSubjNames); - - PKIX_CHECK(PKIX_ComCertSelParams_SetPathToNames - (certSelParams, traversedSubjNames, plContext), - 
PKIX_COMCERTSELPARAMSSETPATHTONAMESFAILED); - - PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams - (certSel, certSelParams, plContext), - PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED); - - PKIX_CHECK(PKIX_CertSelector_GetMatchCallback - (certSel, &selectorMatch, plContext), - PKIX_CERTSELECTORGETMATCHCALLBACKFAILED); - - PKIX_CHECK(selectorMatch - (certSel, candidateCert, &certMatch, plContext), - PKIX_SELECTORMATCHFAILED); - - if (!certMatch) { - goto cleanup; - } - - } - - PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey - (trustedCert, &trustedPubKey, plContext), - PKIX_CERTGETSUBJECTPUBLICKEYFAILED); - - PKIX_CHECK(PKIX_PL_Cert_VerifySignature - (candidateCert, trustedPubKey, plContext), - PKIX_CERTVERIFYSIGNATUREFAILED); - -cleanup: - - if (PKIX_ERROR_RECEIVED || !anchorMatch || !certMatch) { - if (pkixErrorClass == PKIX_FATAL_ERROR) { - goto fatal; - } - if (verifyNode != NULL) { - if (!anchorMatch) { - PKIX_ERROR_CREATE - (BUILD, - PKIX_ANCHORDIDNOTCHAINTOCERT, - verifyError); - } else if (!certMatch) { - PKIX_ERROR_CREATE - (BUILD, - PKIX_ANCHORDIDNOTPASSCERTSELECTORCRITERIA, - verifyError); - } else { - verifyError = pkixErrorResult; - pkixErrorResult = NULL; - } - PKIX_DECREF(pkixErrorResult); - } - } else { - *pPassed = PKIX_TRUE; - } - - if (verifyNode != NULL) { - PKIX_CHECK_FATAL(pkix_VerifyNode_Create - (trustedCert, - 1, - verifyError, - &anchorVerifyNode, - plContext), - PKIX_VERIFYNODECREATEFAILED); - PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree - (verifyNode, anchorVerifyNode, plContext), - PKIX_VERIFYNODEADDTOTREEFAILED); - PKIX_DECREF(verifyError); - } - -fatal: - PKIX_DECREF(verifyError); - PKIX_DECREF(anchorVerifyNode); - PKIX_DECREF(trustedCert); - PKIX_DECREF(anchorNC); - PKIX_DECREF(certSel); - PKIX_DECREF(certSelParams); - PKIX_DECREF(trustedSubject); - PKIX_DECREF(trustedPubKey); - PKIX_DECREF(candidateIssuer); - - PKIX_RETURN(BUILD); -} - /* * FUNCTION: pkix_Build_SortCertComparator * DESCRIPTION: 
@@ -1093,16 +895,15 @@ pkix_Build_VerifyCertificate( PKIX_UInt32 numUserCheckers = 0; PKIX_UInt32 i = 0; PKIX_Boolean loopFound = PKIX_FALSE; - PKIX_Boolean dsaParamsNeeded = PKIX_FALSE; - PKIX_Boolean isSelfIssued = PKIX_FALSE; PKIX_Boolean supportForwardChecking = PKIX_FALSE; PKIX_Boolean trusted = PKIX_FALSE; PKIX_PL_Cert *candidateCert = NULL; PKIX_PL_PublicKey *candidatePubKey = NULL; PKIX_CertChainChecker *userChecker = NULL; PKIX_CertChainChecker_CheckCallback checkerCheck = NULL; + PKIX_Boolean trustOnlyUserAnchors = PKIX_FALSE; void *nbioContext = NULL; - + PKIX_ENTER(BUILD, "pkix_Build_VerifyCertificate"); PKIX_NULLCHECK_THREE(state, pTrusted, pNeedsCRLChecking); PKIX_NULLCHECK_THREE @@ -1115,12 +916,16 @@ pkix_Build_VerifyCertificate( /* If user defined trust anchor list is not empty, do not * trust any certs except to the ones that are in the list */ - if (!state->buildConstants.numAnchors) { - PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted - (candidateCert, &trusted, plContext), - PKIX_CERTISCERTTRUSTEDFAILED); + if (state->buildConstants.numAnchors) { + trustOnlyUserAnchors = PKIX_TRUE; } + PKIX_CHECK( + PKIX_PL_Cert_IsCertTrusted(candidateCert, + trustOnlyUserAnchors, + &trusted, plContext), + PKIX_CERTISCERTTRUSTEDFAILED); + *pTrusted = trusted; /* check for loops */ 
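Review bot: With a user anchor list present, trust in `candidateCert` is now decided solely by `PKIX_PL_Cert_IsCertTrusted(candidateCert, trustOnlyUserAnchors, ...)`, whereas the removed `pkix_Build_CheckCertAgainstAnchor` also matched the anchor subject against the candidate's issuer, ran the path-to-names selector when the anchor had no name constraints, and verified the signature with the anchor key. Nothing visible in this commit shows where the anchor's name constraints (`PKIX_TrustAnchor_GetNameConstraints`) are enforced afterwards, so that should be confirmed and noted next to this call. The flag itself could be set in one line, `trustOnlyUserAnchors = state->buildConstants.numAnchors ? PKIX_TRUE : PKIX_FALSE;`. The function body extends beyond this hunk.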
@@ -1186,60 +991,42 @@ pkix_Build_VerifyCertificate( } } - /* signature check */ - - if ((!(state->dsaParamsNeeded)) || trusted) { - PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey - (candidateCert, &candidatePubKey, plContext), - PKIX_CERTGETSUBJECTPUBLICKEYFAILED); - - PKIX_CHECK(PKIX_PL_PublicKey_NeedsDSAParameters - (candidatePubKey, &dsaParamsNeeded, plContext), - PKIX_PUBLICKEYNEEDSDSAPARAMETERSFAILED); - - if (dsaParamsNeeded) { - if (trusted) { - PKIX_ERROR(PKIX_MISSINGDSAPARAMETERS); - } else { - state->dsaParamsNeeded = PKIX_TRUE; - goto cleanup; - } - } - - pkixErrorResult = PKIX_PL_Cert_VerifyKeyUsage - (candidateCert, PKIX_KEY_CERT_SIGN, plContext); - - ERROR_CHECK(PKIX_CERTVERIFYKEYUSAGEFAILED); - - pkixErrorResult = PKIX_PL_Cert_VerifySignature - (state->prevCert, candidatePubKey, plContext); - - ERROR_CHECK(PKIX_CERTVERIFYSIGNATUREFAILED); - - if (revocationChecking) { - if (!trusted) { - if (state->revCheckDelayed) { - goto cleanup; - } else { - PKIX_CHECK(pkix_IsCertSelfIssued - (candidateCert, - &isSelfIssued, - plContext), - PKIX_ISCERTSELFISSUEDFAILED); - - if (isSelfIssued) { - state->revCheckDelayed = PKIX_TRUE; - goto cleanup; - } - } - } - - *pNeedsCRLChecking = PKIX_TRUE; + /* Check that public key of the trusted dsa cert has + * dsa parameters */ + if (trusted) { + PKIX_Boolean paramsNeeded = PKIX_FALSE; + PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey + (candidateCert, &candidatePubKey, plContext), + PKIX_CERTGETSUBJECTPUBLICKEYFAILED); + PKIX_CHECK(PKIX_PL_PublicKey_NeedsDSAParameters + (candidatePubKey, ¶msNeeded, plContext), + PKIX_PUBLICKEYNEEDSDSAPARAMETERSFAILED); + if (paramsNeeded) { + PKIX_ERROR(PKIX_MISSINGDSAPARAMETERS); + } + } + + + if (revocationChecking) { + if (!trusted) { + if (state->revCheckDelayed) { + goto cleanup; + } else { + PKIX_Boolean isSelfIssued = PKIX_FALSE; + PKIX_CHECK( + pkix_IsCertSelfIssued(candidateCert, &isSelfIssued, + plContext), + PKIX_ISCERTSELFISSUEDFAILED); + if (isSelfIssued) { + 
state->revCheckDelayed = PKIX_TRUE; + goto cleanup; + } } + } + *pNeedsCRLChecking = PKIX_TRUE; } cleanup: - PKIX_DECREF(candidateCert); PKIX_DECREF(candidatePubKey); PKIX_DECREF(userChecker); @@ -1456,30 +1243,27 @@ pkix_Build_ValidationCheckers( } } - if (state->dsaParamsNeeded) { - PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert - (anchor, &trustedCert, plContext), - PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); - - PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey - (trustedCert, &trustedPubKey, plContext), - PKIX_CERTGETSUBJECTPUBLICKEYFAILED); - - PKIX_NULLCHECK_ONE(state->buildConstants.certStores); - - PKIX_CHECK(pkix_SignatureChecker_Initialize - (trustedPubKey, - numChainCerts, - &sigChecker, - plContext), - PKIX_SIGNATURECHECKERINITIALIZEFAILED); - - PKIX_CHECK(PKIX_List_AppendItem - (checkers, - (PKIX_PL_Object *)sigChecker, - plContext), - PKIX_LISTAPPENDITEMFAILED); - } + /* Inabling post chain building signature check on the certs. */ + PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert + (anchor, &trustedCert, plContext), + PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); + + PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey + (trustedCert, &trustedPubKey, plContext), + PKIX_CERTGETSUBJECTPUBLICKEYFAILED); + + PKIX_CHECK(pkix_SignatureChecker_Initialize + (trustedPubKey, + numChainCerts, + &sigChecker, + plContext), + PKIX_SIGNATURECHECKERINITIALIZEFAILED); + + PKIX_CHECK(PKIX_List_AppendItem + (checkers, + (PKIX_PL_Object *)sigChecker, + plContext), + PKIX_LISTAPPENDITEMFAILED); PKIX_INCREF(reversedCertChain); state->reversedCertChain = reversedCertChain; @@ -1595,11 +1379,6 @@ pkix_Build_ValidateEntireChain( PKIX_ERROR(PKIX_CHAINREJECTEDBYREVOCATIONCHECKER); } - if (state->dsaParamsNeeded == PKIX_FALSE) { - PKIX_INCREF(state->buildConstants.targetPubKey); - subjPubKey = state->buildConstants.targetPubKey; - } - PKIX_CHECK(pkix_ValidateResult_Create (subjPubKey, anchor, policyTree, &valResult, plContext), PKIX_VALIDATERESULTCREATEFAILED); 
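Review bot: This hunk drops both `PKIX_PL_Cert_VerifyKeyUsage(candidateCert, PKIX_KEY_CERT_SIGN, plContext)` and the per-candidate `PKIX_PL_Cert_VerifySignature` from `pkix_Build_VerifyCertificate`, and only the signature part is visibly replaced, by the signature checker added in `pkix_Build_ValidationCheckers`. Please confirm that keyCertSign is still enforced on every issuing certificate by one of the chain checkers, and say so in a comment where the old check stood. Until the chain is validated, revocation handling and `*pNeedsCRLChecking` now act on candidates whose signature has not been verified, which is worth documenting as a deliberate ordering. The function starts outside this hunk.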
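Review bot: The new comment reads "Inabling post chain building signature check on the certs."; it should be `/* Enable the post-chain-building signature check on all certs. */`. Since the checker is now appended unconditionally and is the only signature verification left for built chains in the visible code, the comment could say that explicitly. The hunk also removes `PKIX_NULLCHECK_ONE(state->buildConstants.certStores)` together with the `dsaParamsNeeded` condition; if anything later in the function depends on `certStores` being non-NULL, that check should stay.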
@@ -1798,138 +1577,78 @@ cleanup: PKIX_RETURN(BUILD); } -/* - * FUNCTION: pkix_Build_CombineWithTrust - * DESCRIPTION: - * - * Adds each Cert in the List pointed to by "fromList" to the List pointed - * to by "toList", if it is not already a member of that List. If it is a - * member of both Lists, then the two instances are checked to see if either - * is trusted, in which case the trusted one is retained. In other words, - * "toList" becomes the union of the two sets, with trust preserved. - * - * It is assumed that fromList does not contain duplicates. Therefore as - * elements of "fromlist" are added to "tolist", subsequent additions do - * not need to be checked for equality against these new members. - * - * PARAMETERS: - * "fromList" - * Address of a List of Certs to be added, if not already present, to - * "toList". Must be non-NULL, but may be empty. - * "toList" - * Address of a List of Certs to be augmented by "fromList". Must be - * non-NULL, but may be empty. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Not Thread Safe - assumes exclusive access to "toList" - * (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds - * Returns a Build Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way - */ -static PKIX_Error * -pkix_Build_CombineWithTrust( - PKIX_List *toList, - PKIX_List *fromList, - void *plContext) +/* Match trust anchor to select params in order to find next cert. 
*/ +static PKIX_Error* +pkix_Build_SelectCertsFromTrustAnchors( + PKIX_List *trustAnchorsList, + PKIX_ComCertSelParams *certSelParams, + PKIX_List **pMatchList, + void *plContext) { - PKIX_Boolean match = PKIX_FALSE; - PKIX_Boolean trusted = PKIX_FALSE; - PKIX_UInt32 fromlistLen = 0; - PKIX_UInt32 originalTolistLen = 0; - PKIX_UInt32 fromlistIx = 0; - PKIX_UInt32 tolistIx = 0; - PKIX_PL_Object *fObject = NULL; - PKIX_PL_Object *tObject = NULL; + int anchorIndex = 0; + PKIX_TrustAnchor *anchor = NULL; + PKIX_PL_Cert *trustedCert = NULL; + PKIX_List *matchList = NULL; + PKIX_CertSelector *certSel = NULL; + PKIX_CertSelector_MatchCallback selectorMatchCB = NULL; + PKIX_Boolean certMatch = PKIX_TRUE; - PKIX_ENTER(BUILD, "pkix_Build_CombineWithTrust"); - PKIX_NULLCHECK_TWO(fromList, toList); + PKIX_ENTER(BUILD, "pkix_Build_SelectCertsFromTrustAnchors"); + + PKIX_CHECK(PKIX_CertSelector_Create + (NULL, NULL, &certSel, plContext), + PKIX_CERTSELECTORCREATEFAILED); + PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams + (certSel, certSelParams, plContext), + PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED); + PKIX_CHECK(PKIX_CertSelector_GetMatchCallback + (certSel, &selectorMatchCB, plContext), + PKIX_CERTSELECTORGETMATCHCALLBACKFAILED); - PKIX_CHECK(PKIX_List_GetLength(fromList, &fromlistLen, plContext), - PKIX_LISTGETLENGTHFAILED); - - PKIX_CHECK(PKIX_List_GetLength(toList, &originalTolistLen, plContext), - PKIX_LISTGETLENGTHFAILED); - - for (fromlistIx = 0; fromlistIx < fromlistLen; fromlistIx++) { - - PKIX_CHECK(PKIX_List_GetItem - (fromList, fromlistIx, &fObject, plContext), - PKIX_LISTGETITEMFAILED); - - PKIX_NULLCHECK_ONE(fObject); - - match = PKIX_FALSE; - for (tolistIx = 0; tolistIx < originalTolistLen; tolistIx++) { - PKIX_CHECK(PKIX_List_GetItem - (toList, tolistIx, &tObject, plContext), - PKIX_LISTGETITEMFAILED); - - PKIX_NULLCHECK_ONE(tObject); - - PKIX_CHECK(PKIX_PL_Object_Equals - (fObject, tObject, &match, plContext), - PKIX_OBJECTEQUALSFAILED); - 
- if (match) { - PKIX_CHECK(pkix_CheckType - (tObject, PKIX_CERT_TYPE, plContext), - PKIX_OBJECTNOTCERT); - - PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted - ((PKIX_PL_Cert *)tObject, &trusted, - plContext), - PKIX_CERTISCERTTRUSTEDFAILED); - - /* If tObject is a trusted cert, keep it. */ - if (trusted == PKIX_TRUE) { - PKIX_DECREF(tObject); - break; - } - - PKIX_CHECK(pkix_CheckType - (fObject, PKIX_CERT_TYPE, plContext), - PKIX_OBJECTNOTCERT); - - PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted - ((PKIX_PL_Cert *)fObject, &trusted, - plContext), - PKIX_CERTISCERTTRUSTEDFAILED); - - /* If fObject is a trusted cert, replace it. */ - if (trusted == PKIX_TRUE) { - PKIX_CHECK(PKIX_List_SetItem - (toList, - tolistIx, - fObject, - plContext), - PKIX_LISTSETITEMFAILED); - PKIX_DECREF(tObject); - break; - } - } - PKIX_DECREF(tObject); - } - - if (match == PKIX_FALSE) { - PKIX_CHECK(PKIX_List_AppendItem - (toList, fObject, plContext), - PKIX_LISTAPPENDITEMFAILED); - } - - PKIX_DECREF(fObject); + for (anchorIndex = 0;anchorIndex < trustAnchorsList->length; anchorIndex++) { + PKIX_CHECK( + PKIX_List_GetItem(trustAnchorsList, + anchorIndex, + (PKIX_PL_Object **)&anchor, + plContext), + PKIX_LISTGETITEMFAILED); + PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert + (anchor, &trustedCert, plContext), + PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); + pkixErrorResult = + (*selectorMatchCB)(certSel, trustedCert, + &certMatch, plContext); + if (!pkixErrorResult && certMatch) { + if (!matchList) { + PKIX_CHECK(PKIX_List_Create(&matchList, + plContext), + PKIX_LISTCREATEFAILED); + } + PKIX_CHECK( + PKIX_List_AppendItem(matchList, + (PKIX_PL_Object*)trustedCert, + plContext), + PKIX_LISTAPPENDITEMFAILED); + } else { + PKIX_DECREF(pkixErrorResult); } + PKIX_DECREF(trustedCert); + PKIX_DECREF(anchor); + } + + *pMatchList = matchList; + matchList = NULL; cleanup: - - PKIX_DECREF(fObject); - PKIX_DECREF(tObject); - - PKIX_RETURN(BUILD); + PKIX_DECREF(matchList); + PKIX_DECREF(trustedCert); + PKIX_DECREF(anchor); + 
PKIX_DECREF(certSel); + + PKIX_RETURN(BUILD); } + /* * FUNCTION: pkix_Build_GatherCerts * DESCRIPTION: @@ -1977,11 +1696,10 @@ pkix_Build_GatherCerts( PKIX_Boolean certStoreIsCached = PKIX_FALSE; PKIX_Boolean certStoreIsLocal = PKIX_FALSE; PKIX_Boolean foundInCache = PKIX_FALSE; - PKIX_Boolean listIsEmpty = PKIX_FALSE; PKIX_CertStore *certStore = NULL; PKIX_CertStore_CertCallback getCerts = NULL; PKIX_List *certsFound = NULL; - PKIX_List *sorted = NULL; + PKIX_List *trustedCertList = NULL; void *nbioContext = NULL; PKIX_ENTER(BUILD, "pkix_Build_GatherCerts"); @@ -1990,22 +1708,7 @@ pkix_Build_GatherCerts( nbioContext = *pNBIOContext; *pNBIOContext = NULL; - PKIX_CHECK( - PKIX_List_IsEmpty(state->candidateCerts, &listIsEmpty, plContext), - PKIX_LISTISEMPTYFAILED); - - /* The caller is responsible to make sure that the list is empty */ -#ifdef UNDEF - /* I suspect that the list will not be empty. Commenting the assertion - * out for now. More work needs to be done for bug 418544 to clean up - * code related to candidateCerts list */ - PORT_Assert(listIsEmpty); -#endif - if (!listIsEmpty) { - PKIX_DECREF(state->candidateCerts); - PKIX_CHECK(PKIX_List_Create(&state->candidateCerts, plContext), - PKIX_LISTCREATEFAILED); - } + PKIX_DECREF(state->candidateCerts); while (state->certStoreIndex < state->buildConstants.numCertStores) { @@ -2104,11 +1807,6 @@ pkix_Build_GatherCerts( state->status = BUILD_GATHERPENDING; *pNBIOContext = nbioContext; goto cleanup; - } else { - PKIX_CHECK(pkix_Build_CombineWithTrust - (state->candidateCerts, certsFound, plContext), - PKIX_BUILDCOMBINEWITHTRUSTFAILED); - PKIX_DECREF(certsFound); } } 
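Review bot: `pkix_Build_SelectCertsFromTrustAnchors` dereferences `trustAnchorsList->length` and writes `*pMatchList` without any null check, and `pkix_Build_GatherCerts` calls it with `state->buildConstants.anchors` unconditionally; add `PKIX_NULLCHECK_THREE(trustAnchorsList, certSelParams, pMatchList);` after `PKIX_ENTER`, or return an empty result when there is no anchor list. The loop index is a signed `int` compared against the list length; `PKIX_UInt32 anchorIndex = 0;` would match the index type the removed `pkix_Build_CombineWithTrust` used with `PKIX_List_GetItem`. Selector errors are dropped with `PKIX_DECREF(pkixErrorResult)` without looking at the error class, unlike the fatal-error handling added elsewhere in this commit. The one-line comment should be expanded into the FUNCTION/PARAMETERS/RETURNS block the neighbouring functions have, including that `*pMatchList` is NULL when nothing matches.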
@@ -2117,26 +1815,40 @@ pkix_Build_GatherCerts( ++(state->certStoreIndex); } + if (certsFound && certsFound->length > 1) { + PKIX_List *sorted = NULL; + + /* sort Certs to try to optimize search */ + PKIX_CHECK(pkix_Build_SortCandidateCerts + (certsFound, &sorted, plContext), + PKIX_BUILDSORTCANDIDATECERTSFAILED); + PKIX_DECREF(certsFound); + certsFound = sorted; + } + + PKIX_CHECK( + pkix_Build_SelectCertsFromTrustAnchors( + state->buildConstants.anchors, + certSelParams, &trustedCertList, + plContext), + PKIX_FAILTOSELECTCERTSFROMANCHORS); + + PKIX_CHECK( + pkix_List_MergeLists(trustedCertList, + certsFound, + &state->candidateCerts, + plContext), + PKIX_LISTMERGEFAILED); + /* No, return the list we have gathered */ PKIX_CHECK(PKIX_List_GetLength (state->candidateCerts, &state->numCerts, plContext), PKIX_LISTGETLENGTHFAILED); - if (state->numCerts > 1) { - /* sort Certs to try to optimize search */ - PKIX_CHECK(pkix_Build_SortCandidateCerts - (state->candidateCerts, &sorted, plContext), - PKIX_BUILDSORTCANDIDATECERTSFAILED); - - PKIX_DECREF(state->candidateCerts); - state->candidateCerts = sorted; - sorted = NULL; - } - state->certIndex = 0; cleanup: - + PKIX_DECREF(trustedCertList); PKIX_DECREF(certStore); PKIX_DECREF(certsFound); @@ -2310,7 +2022,6 @@ pkix_BuildForwardDepthFirstSearch( PKIX_Boolean trusted = PKIX_FALSE; PKIX_Boolean isSelfIssued = PKIX_FALSE; PKIX_Boolean canBeCached = PKIX_FALSE; - PKIX_Boolean passed = PKIX_FALSE; PKIX_Boolean revocationCheckingExists = PKIX_FALSE; PKIX_Boolean needsCRLChecking = PKIX_FALSE; PKIX_Boolean ioPending = PKIX_FALSE; @@ -2331,8 +2042,6 @@ pkix_BuildForwardDepthFirstSearch( PKIX_ForwardBuilderState *childState = NULL; PKIX_ForwardBuilderState *parentState = NULL; PKIX_PL_Object *revCheckerState = NULL; - PKIX_PL_PublicKey *candidatePubKey = NULL; - PKIX_PL_PublicKey *trustedPubKey = NULL; PKIX_ComCertSelParams *certSelParams = NULL; PKIX_TrustAnchor *trustAnchor = NULL; PKIX_PL_Cert *trustedCert = NULL; 
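Review bot: After this change `certsFound` is consumed only once, after the `while` loop over cert stores, so it appears to hold just the result of the last store queried; the per-store merge into `state->candidateCerts`, and the `PKIX_DECREF(certsFound)` that went with it, were removed in the previous hunk. Most of the loop is outside the visible lines, so please confirm that results from earlier stores are neither lost nor leaked when more than one store returns certs. `trustedCertList` can be NULL when no anchor matches and `certsFound` can be NULL when no store returned anything, so `pkix_List_MergeLists` must accept NULL for either input. The retained comment `/* No, return the list we have gathered */` no longer describes the code it precedes.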
@@ -2696,7 +2405,7 @@ pkix_BuildForwardDepthFirstSearch( PKIX_RevocationStatus revStatus; PKIX_UInt32 reasonCode; - PKIX_CHECK( + verifyError = PKIX_RevocationChecker_Check( state->prevCert, state->candidateCert, state->buildConstants.revChecker, @@ -2705,15 +2414,19 @@ pkix_BuildForwardDepthFirstSearch( (state->parentState == NULL) ? PKIX_TRUE : PKIX_FALSE, &revStatus, &reasonCode, - &nbio, plContext), - PKIX_REVCHECKERCHECKFAILED); + &nbio, plContext); if (nbio != NULL) { *pNBIOContext = nbio; goto cleanup; } - if (revStatus == PKIX_RevStatus_Revoked) { - PKIX_ERROR_CREATE(VALIDATE, PKIX_CERTIFICATEREVOKED, - verifyError); + if (revStatus == PKIX_RevStatus_Revoked || verifyError) { + if (!verifyError) { + /* if verifyError is returned then use it as + * it has a detailed revocation error code. + * Otherwise create a new error */ + PKIX_ERROR_CREATE(VALIDATE, PKIX_CERTIFICATEREVOKED, + verifyError); + } if (state->verifyNode != NULL) { PKIX_CHECK_FATAL(pkix_VerifyNode_SetError (verifyNode, verifyError, plContext), @@ -2780,14 +2493,12 @@ pkix_BuildForwardDepthFirstSearch( } if (state->status == BUILD_CHECKTRUSTED2) { - PKIX_CHECK_ONLY_FATAL(pkix_Build_ValidateEntireChain - (state, - trustAnchor, - &nbio, &valResult, - verifyNode, - plContext), - PKIX_BUILDVALIDATEENTIRECHAINFAILED); - + verifyError = + pkix_Build_ValidateEntireChain(state, + trustAnchor, + &nbio, &valResult, + verifyNode, + plContext); if (nbio != NULL) { /* IO still pending, resume later */ goto cleanup; 
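Review bot: `revStatus` is declared without an initialiser and is now read in `if (revStatus == PKIX_RevStatus_Revoked || verifyError)` even when `PKIX_RevocationChecker_Check` returned an error, where the old `PKIX_CHECK` wrapper jumped to `cleanup` before that read. Unless the checker stores `*pRevStatus` on every failure path, this compares an indeterminate value; initialise it, `PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;`, or test `verifyError` first. The `nbio != NULL` early exit also runs while `verifyError` may be set, so `cleanup` has to release it; that label is outside this hunk.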
@@ -2795,6 +2506,16 @@ pkix_BuildForwardDepthFirstSearch( PKIX_DECREF(state->reversedCertChain); PKIX_DECREF(state->checkedCritExtOIDs); PKIX_DECREF(state->checkerChain); + /* checking the error for fatal status */ + if (verifyError) { + pkixTempErrorReceived = PKIX_TRUE; + pkixErrorClass = verifyError->errClass; + if (pkixErrorClass == PKIX_FATAL_ERROR) { + pkixErrorResult = verifyError; + verifyError = NULL; + goto fatal; + } + } if (state->verifyNode != NULL) { PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree (state->verifyNode, @@ -2803,7 +2524,6 @@ pkix_BuildForwardDepthFirstSearch( PKIX_VERIFYNODEADDTOTREEFAILED); PKIX_DECREF(verifyNode); } - if (!PKIX_ERROR_RECEIVED) { *pValResult = valResult; valResult = NULL; @@ -2811,6 +2531,9 @@ pkix_BuildForwardDepthFirstSearch( state->status = BUILD_CHECKTRUSTED; goto cleanup; } + PKIX_DECREF(finalError); + finalError = verifyError; + verifyError = NULL; /* Reset temp error that was set by * PKIX_CHECK_ONLY_FATAL and continue */ pkixTempErrorReceived = PKIX_FALSE; 
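Review bot: The retained comment `Reset temp error that was set by PKIX_CHECK_ONLY_FATAL and continue` no longer matches the code, because pkix_Build_ValidateEntireChain is now called by plain assignment and the added block sets `pkixTempErrorReceived` and `pkixErrorClass` by hand. Reword it, for example `/* Reset the temp error flag set above for the non-fatal verifyError and continue */`, and extend the new `/* checking the error for fatal status */` comment to say that the block mirrors what PKIX_CHECK_ONLY_FATAL did while keeping the error object for `finalError`. Only `pkixTempErrorReceived` is cleared in the visible lines; if `pkixErrorClass` is also expected to be reset, that is not shown here.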
@@ -2840,157 +2563,9 @@ pkix_BuildForwardDepthFirstSearch( plContext), PKIX_LISTAPPENDITEMFAILED); - state->status = BUILD_CHECKWITHANCHORS; - state->anchorIndex = 0; + state->status = BUILD_EXTENDCHAIN; } - while ((state->status == BUILD_CHECKWITHANCHORS) || - (state->status == BUILD_CRL2) || - (state->status == BUILD_VALCHAIN2)) { - if (state->anchorIndex >= - state->buildConstants.numAnchors) { - state->status = BUILD_EXTENDCHAIN; - break; - } else { - - PKIX_CHECK(PKIX_List_GetItem - (state->buildConstants.anchors, - state->anchorIndex, - (PKIX_PL_Object **)&trustAnchor, - plContext), - PKIX_LISTGETITEMFAILED); - - } - - if (state->status == BUILD_CHECKWITHANCHORS) { - - /* - * Does this Trust Anchor chain to this cert? - * (If state->verifyNode is non-NULL, this function - * chains a verifyNode for each anchor checked.) - */ - PKIX_CHECK(pkix_Build_CheckCertAgainstAnchor - (state->candidateCert, - trustAnchor, - state->traversedSubjNames, - &passed, - verifyNode, - plContext), - PKIX_CHECKCERTAGAINSTANCHORFAILED); - - if (passed == PKIX_TRUE) { - if (state->buildConstants.revChecker) { - state->status = BUILD_CRL2; - } else { - state->status = BUILD_VALCHAIN; - } - } /* else increment anchorIndex and try next */ - } - - if (state->status == BUILD_CRL2) { - PKIX_RevocationStatus revStatus; - PKIX_UInt32 reasonCode; - - PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert - (trustAnchor, &trustedCert, plContext), - PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); - PKIX_CHECK( - PKIX_RevocationChecker_Check( - state->prevCert, trustedCert, - state->buildConstants.revChecker, - state->buildConstants.procParams, - PKIX_FALSE, - (state->certIndex == 0) ? 
PKIX_TRUE : - PKIX_FALSE, - &revStatus, &reasonCode, - &nbio, plContext), - PKIX_REVCHECKERCHECKFAILED); - PKIX_DECREF(trustedCert); - if (nbio != NULL) { - *pNBIOContext = nbio; - goto cleanup; - } - if (revStatus == PKIX_RevStatus_Revoked) { - PKIX_ERROR_CREATE(VALIDATE, PKIX_CERTIFICATEREVOKED, - verifyError); - if (state->verifyNode != NULL) { - PKIX_CHECK_FATAL( - pkix_VerifyNode_SetError(verifyNode, - verifyError, - plContext), - PKIX_VERIFYNODESETERRORFAILED); - } - PKIX_DECREF(finalError); - finalError = verifyError; - verifyError = NULL; - /* try again with the next trust anchor */ - state->status = BUILD_CHECKWITHANCHORS; - } else { - state->status = BUILD_VALCHAIN; - } - } - - if (state->status == BUILD_VALCHAIN) { - /* Does the chain pass all validation tests? */ - PKIX_CHECK(pkix_Build_ValidationCheckers - (state, - state->trustChain, - trustAnchor, - PKIX_FALSE, /* do not add eku checker - * since eku was already - * checked */ - plContext), - PKIX_BUILDVALIDATIONCHECKERSFAILED); - - state->status = BUILD_VALCHAIN2; - } - - if (state->status == BUILD_VALCHAIN2) { - PKIX_CHECK_ONLY_FATAL - (pkix_Build_ValidateEntireChain - (state, - trustAnchor, - &nbio, - &valResult, - verifyNode, - plContext), - PKIX_BUILDVALIDATEENTIRECHAINFAILED); - - if (nbio != NULL) { - /* IO still pending, resume later */ - goto cleanup; - } else { - PKIX_DECREF(state->reversedCertChain); - PKIX_DECREF(state->checkedCritExtOIDs); - PKIX_DECREF(state->checkerChain); - if (!PKIX_ERROR_RECEIVED) { - *pValResult = valResult; - valResult = NULL; - if (state->verifyNode != NULL) { - PKIX_CHECK_FATAL - (pkix_VerifyNode_AddToTree - (state->verifyNode, - verifyNode, - plContext), - PKIX_VERIFYNODEADDTOTREEFAILED); - PKIX_DECREF(verifyNode); - } - /* Make IsIOPending FALSE */ - state->status = BUILD_VALCHAIN; - goto cleanup; - } - /* Reset temp error that was set by - * PKIX_CHECK_ONLY_FATAL and continue */ - pkixTempErrorReceived = PKIX_FALSE; - } - - state->status = 
BUILD_CHECKWITHANCHORS; - } - - PKIX_DECREF(trustAnchor); - state->anchorIndex++; - } /* while (anchorIndex < numAnchors) */ - if (state->status == BUILD_EXTENDCHAIN) { /* Check whether we are allowed to extend the chain */ @@ -3072,7 +2647,6 @@ pkix_BuildForwardDepthFirstSearch( (childTraversedCACerts, state->buildConstants.maxFanout, state->numDepth - 1, - state->dsaParamsNeeded, state->revCheckDelayed, canBeCached, validityDate, @@ -3179,7 +2753,7 @@ pkix_BuildForwardDepthFirstSearch( PKIX_DECREF(state); state = parentState; parentState = NULL; - if (state->verifyNode != NULL) { + if (state->verifyNode != NULL && verifyNode) { PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree (state->verifyNode, verifyNode, @@ -3245,7 +2819,7 @@ cleanup: PKIX_DECREF(state); state = parentState; parentState = NULL; - if (state->verifyNode != NULL) { + if (state->verifyNode != NULL && verifyNode) { PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree (state->verifyNode, verifyNode, @@ -3307,8 +2881,6 @@ fatal: PKIX_DECREF(verifyError); PKIX_DECREF(finalError); PKIX_DECREF(verifyNode); - PKIX_DECREF(candidatePubKey); - PKIX_DECREF(trustedPubKey); PKIX_DECREF(childTraversedSubjNames); PKIX_DECREF(certSelParams); PKIX_DECREF(subjectNames); 
@@ -3324,204 +2896,6 @@ fatal: PKIX_RETURN(BUILD); } -/* - * FUNCTION: pkix_Build_TryShortcut - * DESCRIPTION: - * - * This function checks whether the target cert in "state", subject to the name - * constraints specified by "targetSubjNames", forms a complete trust chain - * with any of the trust anchors. - * - * If a revChecker using non-blocking I/O returns with an indication that I/O - * is in progress, this function stores the NBIOContext (returned by the - * checker) at "pNBIOContext". Otherwise, it stores NULL at "pNBIOContext" and - * indicates in "pAnchor" whether a complete trust chain was found. If no - * successful trust chain is found, NULL is stored at "pAnchor". If a - * successful trust chain is found, the anchor that completed the chain is - * stored at "pAnchor". - * - * PARAMETERS: - * "state" - * Address of ForwardBuilderState to be used. Must be non-NULL. - * "targetSubjNames" - * Address of List of subject names in targetCertificate. Must be non-NULL. - * "pNBIOContext" - * Address at which the NBIOContext is stored indicating whether the - * checking is complete. Must be non-NULL. - * "pAnchor" - * Address at which successful trustAnchor is stored, if trustAnchor and - * Certificate form a complete trust chain. Must be non-NULL. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a Build Error if the function fails in a non-fatal way - * Returns a Fatal Error if the function fails in an unrecoverable way. 
- */ -static PKIX_Error * -pkix_Build_TryShortcut( - PKIX_ForwardBuilderState *state, - PKIX_List *targetSubjNames, - void **pNBIOContext, - PKIX_TrustAnchor **pAnchor, - PKIX_ValidateResult **pValResult, - void *plContext) -{ - PKIX_Boolean passed = PKIX_FALSE; - void *nbioContext = NULL; - PKIX_TrustAnchor *anchor = NULL; - PKIX_PL_Cert *trustedCert = NULL; - PKIX_PL_PublicKey *trustedPubKey = NULL; - PKIX_PL_Object *revCheckerState = NULL; - PKIX_Error *validationError = NULL; - PKIX_VerifyNode *verifyNode = NULL; - PKIX_ValidateResult *valResult = NULL; - - PKIX_ENTER(BUILD, "pkix_Build_TryShortcut"); - PKIX_NULLCHECK_THREE(state, pNBIOContext, pAnchor); - - *pNBIOContext = NULL; /* prepare in case of error exit */ - - /* - * Does the target cert, with any of our trust - * anchors, form a complete trust chain? - */ - while (state->anchorIndex < state->buildConstants.numAnchors) { - PKIX_CHECK(PKIX_List_GetItem - (state->buildConstants.anchors, - state->anchorIndex, - (PKIX_PL_Object **)&anchor, - plContext), - PKIX_LISTGETITEMFAILED); - PKIX_CHECK(pkix_Build_CheckCertAgainstAnchor - (state->prevCert, - anchor, - targetSubjNames, - &passed, - state->verifyNode, - plContext), - PKIX_CHECKCERTAGAINSTANCHORFAILED); - - if (passed != PKIX_TRUE) { - PKIX_DECREF(anchor); - state->anchorIndex++; - continue; - } - - if (state->buildConstants.revChecker != NULL) { - PKIX_RevocationStatus revStatus; - PKIX_UInt32 reasonCode; - - PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert - (anchor, &trustedCert, plContext), - PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); - PKIX_CHECK( - PKIX_RevocationChecker_Check( - state->prevCert, trustedCert, - state->buildConstants.revChecker, - state->buildConstants.procParams, - PKIX_FALSE, - (state->certIndex == 0) ? 
PKIX_TRUE : - PKIX_FALSE, - &revStatus, &reasonCode, - &nbioContext, plContext), - PKIX_REVCHECKERCHECKFAILED); - if (nbioContext != NULL) { - *pNBIOContext = nbioContext; - goto cleanup; - } - PKIX_DECREF(trustedCert); - if (revStatus == PKIX_RevStatus_Revoked) { - PKIX_ERROR_CREATE(VALIDATE, PKIX_CERTIFICATEREVOKED, - validationError); - if (state->verifyNode != NULL) { - PKIX_CHECK_FATAL( - pkix_VerifyNode_Create(state->prevCert, - 0, validationError, - &verifyNode, - plContext), - PKIX_VERIFYNODECREATEFAILED); - PKIX_CHECK_FATAL( - pkix_VerifyNode_AddToTree(state->verifyNode, - verifyNode, - plContext), - PKIX_VERIFYNODEADDTOTREEFAILED); - PKIX_DECREF(verifyNode); - } - PKIX_DECREF(validationError); - /* contunue to the next anchor */ - PKIX_DECREF(anchor); - state->anchorIndex++; - continue; - } - } - - PKIX_CHECK_FATAL( - pkix_VerifyNode_Create(state->prevCert, 0, NULL, - &verifyNode, - plContext), - PKIX_VERIFYNODECREATEFAILED); - - PKIX_CHECK( - pkix_Build_ValidationCheckers(state, state->trustChain, - anchor, PKIX_TRUE, - plContext), - PKIX_BUILDVALIDATIONCHECKERSFAILED); - - PKIX_CHECK_ONLY_FATAL( - pkix_Build_ValidateEntireChain(state, anchor, &nbioContext, - &valResult, verifyNode, - plContext), - PKIX_BUILDVALIDATEENTIRECHAINFAILED); - - if (nbioContext != NULL) { - /* IO still pending, resume later */ - *pNBIOContext = nbioContext; - goto cleanup; - } - /* Cleanup after pkix_Build_ValidateEntireChain. 
*/ - PKIX_DECREF(state->reversedCertChain); - PKIX_DECREF(state->checkedCritExtOIDs); - PKIX_DECREF(state->checkerChain); - if (state->verifyNode != NULL) { - PKIX_CHECK_FATAL( - pkix_VerifyNode_AddToTree(state->verifyNode, - verifyNode, plContext), - PKIX_VERIFYNODEADDTOTREEFAILED); - PKIX_DECREF(verifyNode); - } - - if (!PKIX_ERROR_RECEIVED) { - *pValResult = valResult; - valResult = NULL; - break; - } - /* Reset temp error that was set by - * PKIX_CHECK_ONLY_FATAL and continue */ - pkixTempErrorReceived = PKIX_FALSE; - PKIX_DECREF(anchor); - state->anchorIndex++; - } /* while (state->anchorIndex < state->buildConstants.numAnchors) */ - - *pAnchor = anchor; - anchor = NULL; - -cleanup: -fatal: - - PKIX_DECREF(validationError); - PKIX_DECREF(valResult); - PKIX_DECREF(verifyNode); - PKIX_DECREF(trustedCert); - PKIX_DECREF(trustedPubKey); - PKIX_DECREF(revCheckerState); - PKIX_DECREF(anchor); - - PKIX_RETURN(BUILD); -} - /* * FUNCTION: pkix_Build_CheckInCache * DESCRIPTION: @@ -3609,10 +2983,20 @@ pkix_Build_CheckInCache( (matchingAnchor, &trustedCert, plContext), PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); - PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted - (trustedCert, &trusted, plContext), - PKIX_CERTISCERTTRUSTEDFAILED); - + if (!state->buildConstants.anchors) { + PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted + (trustedCert, PKIX_FALSE, &trusted, plContext), + PKIX_CERTISCERTTRUSTEDFAILED); + } else { + /* Check if it is one of the trust anchors */ + PKIX_CHECK( + pkix_List_Contains(state->buildConstants.anchors, + (PKIX_PL_Object *)matchingAnchor, + &trusted, + plContext), + PKIX_LISTCONTAINSFAILED); + } + if (!trusted) { goto cleanup; } @@ -3744,7 +3128,6 @@ pkix_Build_InitiateBuildChain( PKIX_UInt32 numCertStores = 0; PKIX_UInt32 numHintCerts = 0; PKIX_UInt32 i = 0; - PKIX_Boolean dsaParamsNeeded = PKIX_FALSE; PKIX_Boolean isDuplicate = PKIX_FALSE; PKIX_PL_Cert *trustedCert = NULL; PKIX_CertSelector *targetConstraints = NULL; 
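Review bot: In pkix_Build_CheckInCache the cached chain is now accepted, when an anchor list is supplied, purely on `pkix_List_Contains(state->buildConstants.anchors, matchingAnchor, ...)`, so the trust decision depends on how trust-anchor objects compare for equality, which is not visible in this hunk. A comment stating what equality covers (trusted cert only, or name constraints as well) would make that decision reviewable. The bare `PKIX_FALSE` passed to PKIX_PL_Cert_IsCertTrusted also deserves a label such as `/* trustOnlyUserAnchors */`, plus a line like `/* no caller-supplied anchors: fall back to the cert store's trust settings */` on the first branch. The function continues outside the hunk.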
@@ -3786,12 +3169,6 @@ pkix_Build_InitiateBuildChain( (procParams, &testDate, plContext), PKIX_PROCESSINGPARAMSGETDATEFAILED); - if (!testDate) { - PKIX_CHECK(PKIX_PL_Date_Create_UTCTime - (NULL, &testDate, plContext), - PKIX_DATECREATEUTCTIMEFAILED); - } - PKIX_CHECK(PKIX_ProcessingParams_GetTrustAnchors (procParams, &anchors, plContext), PKIX_PROCESSINGPARAMSGETTRUSTANCHORSFAILED); @@ -3894,10 +3271,6 @@ pkix_Build_InitiateBuildChain( (tentativeChain, (PKIX_PL_Object *)targetCert, plContext), PKIX_LISTAPPENDITEMFAILED); - PKIX_CHECK(PKIX_PL_PublicKey_NeedsDSAParameters - (targetPubKey, &dsaParamsNeeded, plContext), - PKIX_PUBLICKEYNEEDSDSAPARAMETERSFAILED); - /* Failure here is reportable */ pkixErrorResult = PKIX_PL_Cert_CheckValidity (targetCert, testDate, plContext); @@ -4004,7 +3377,6 @@ pkix_Build_InitiateBuildChain( (0, /* PKIX_UInt32 traversedCACerts */ buildConstants.maxFanout, buildConstants.maxDepth, - dsaParamsNeeded, /* PKIX_Boolean dsaParamsNeeded */ PKIX_FALSE, /* PKIX_Boolean revCheckDelayed */ PKIX_TRUE, /* PKIX_Boolean canBeCached */ NULL, /* PKIX_Date *validityDate */ @@ -4095,26 +3467,6 @@ pkix_Build_InitiateBuildChain( PKIX_CERTGETALLSUBJECTNAMESFAILED); } - /* - * We can avoid the search if this cert, with any of our trust - * anchors, forms a complete trust chain. - */ - PKIX_CHECK_ONLY_FATAL(pkix_Build_TryShortcut - (state, - targetSubjNames, - &nbioContext, - &matchingAnchor, - &valResult, - plContext), - PKIX_BUILDTRYSHORTCUTFAILED); - - if (nbioContext != NULL) { - *pNBIOContext = nbioContext; - PKIX_INCREF(state); - *pState = state; - goto cleanup; - } - state->status = BUILD_INITIAL; if (!matchingAnchor) { diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.h b/security/nss/lib/libpkix/pkix/top/pkix_build.h index 80fc9ab2870..2c11fa0c174 100644 --- a/security/nss/lib/libpkix/pkix/top/pkix_build.h +++ b/security/nss/lib/libpkix/pkix/top/pkix_build.h 
@@ -66,7 +66,6 @@ typedef enum { BUILD_CHECKTRUSTED, BUILD_CHECKTRUSTED2, BUILD_ADDTOCHAIN, - BUILD_CHECKWITHANCHORS, BUILD_CRL2PREP, BUILD_CRL2, BUILD_VALCHAIN, @@ -112,14 +111,12 @@ struct PKIX_ForwardBuilderStateStruct{ PKIX_UInt32 numAias; PKIX_UInt32 certIndex; PKIX_UInt32 aiaIndex; - PKIX_UInt32 anchorIndex; PKIX_UInt32 certCheckedIndex; PKIX_UInt32 checkerIndex; PKIX_UInt32 hintCertIndex; PKIX_UInt32 numFanout; PKIX_UInt32 numDepth; PKIX_UInt32 reasonCode; - PKIX_Boolean dsaParamsNeeded; PKIX_Boolean revCheckDelayed; PKIX_Boolean canBeCached; PKIX_Boolean useOnlyLocal; diff --git a/security/nss/lib/libpkix/pkix/top/pkix_validate.c b/security/nss/lib/libpkix/pkix/top/pkix_validate.c index b3a5092dd32..186433cbead 100644 --- a/security/nss/lib/libpkix/pkix/top/pkix_validate.c +++ b/security/nss/lib/libpkix/pkix/top/pkix_validate.c @@ -728,7 +728,6 @@ pkix_CheckChain( void *plContext) { PKIX_UInt32 j = 0; - SECErrorCodes reasonCode = 0; PKIX_Boolean revChecking = PKIX_FALSE; PKIX_Error *checkCertError = NULL; void *nbioContext = NULL; 
@@ -793,23 +792,29 @@ pkix_CheckChain( if (revChecking == PKIX_TRUE) { PKIX_RevocationStatus revStatus; - PKIX_CHECK( + pkixErrorResult = PKIX_RevocationChecker_Check( cert, issuer, revChecker, procParams, PKIX_TRUE, - (j == 0) ? PKIX_TRUE : PKIX_FALSE, - &revStatus, &reasonCode, - &nbioContext, plContext), - PKIX_REVCHECKCERTFAILED); + (j == numCerts - 1) ? PKIX_TRUE : PKIX_FALSE, + &revStatus, pReasonCode, + &nbioContext, plContext); if (nbioContext != NULL) { *pCertCheckedIndex = j; *pRevChecking = revChecking; *pNBIOContext = nbioContext; goto cleanup; } - if (revStatus == PKIX_RevStatus_Revoked) { - PKIX_ERROR_CREATE(VALIDATE, PKIX_CERTIFICATEREVOKED, - pkixErrorResult); + if (revStatus == PKIX_RevStatus_Revoked || + pkixErrorResult) { + if (!pkixErrorResult) { + /* if pkixErrorResult is returned then + * use it as it has a detailed revocation + * error code. Otherwise create a new error */ + PKIX_ERROR_CREATE(VALIDATE, + PKIX_CERTIFICATEREVOKED, + pkixErrorResult); + } goto cleanup; } revChecking = PKIX_FALSE; @@ -825,7 +830,6 @@ pkix_CheckChain( (checkers, pFinalSubjPubKey, pPolicyTree, plContext), PKIX_RETRIEVEOUTPUTSFAILED); - *pReasonCode = (PKIX_UInt32)reasonCode; *pNBIOContext = NULL; cleanup: diff --git a/security/nss/lib/libpkix/pkix/util/pkix_list.c b/security/nss/lib/libpkix/pkix/util/pkix_list.c index 541f0fc1f39..c89fbf05650 100644 --- a/security/nss/lib/libpkix/pkix/util/pkix_list.c +++ b/security/nss/lib/libpkix/pkix/util/pkix_list.c @@ -1225,7 +1225,10 @@ pkix_List_BubbleSort( PKIX_ENTER(BUILD, "pkix_List_BubbleSort"); PKIX_NULLCHECK_THREE(fromList, comparator, pSortedList); - + + if (fromList->immutable) { + PKIX_ERROR(PKIX_CANNOTSORTIMMUTABLELIST); + } PKIX_CHECK(pkix_List_Duplicate ((PKIX_PL_Object *) fromList, (PKIX_PL_Object **) &sortedList, diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c index aa8a89ff59c..e7c13295f9f 100644 
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c @@ -573,11 +573,13 @@ pkix_pl_Pk11CertStore_CheckRevByCrl( PKIX_PL_Cert *pkixCert, PKIX_PL_Cert *pkixIssuer, PKIX_PL_Date *date, + PKIX_Boolean delayCrlSigCheck, PKIX_UInt32 *pReasonCode, PKIX_RevocationStatus *pStatus, void *plContext) { CERTCRLEntryReasonCode revReason = crlEntryReasonUnspecified; + PKIX_RevocationStatus status = PKIX_RevStatus_NoInfo; PRTime time = 0; void *wincx = NULL; PRBool lockedwrite = PR_FALSE; @@ -610,23 +612,29 @@ pkix_pl_Pk11CertStore_CheckRevByCrl( PKIX_ERROR(PKIX_CRLISSUECERTEXPIRED); } - rv = AcquireDPCache(issuer, &issuer->derSubject, NULL, time, + rv = AcquireDPCache(issuer, &issuer->derSubject, NULL, + /* AcquireDPCache will not validate the signature + * on the crl if time is not specified. */ + delayCrlSigCheck ? 0: time, wincx, &dpcache, &lockedwrite); - if (rv == SECFailure) { PKIX_ERROR(PKIX_CERTCHECKCRLFAILED); } - if (!dpcache->ncrls) { - *pStatus = PKIX_RevStatus_NoInfo; + if ((delayCrlSigCheck && dpcache->invalid) || + /* obtained cache is invalid due to delayed signature check */ + !dpcache->ncrls) { goto cleanup; } /* now look up the certificate SN in the DP cache's CRL */ rv = DPCache_Lookup(dpcache, &cert->serialNumber, &entry); - if (SECSuccess == rv && entry) { + if (rv == SECFailure) { + PKIX_ERROR(PKIX_CERTCHECKCRLFAILED); + } + if (entry) { /* check the time if we have one */ if (entry->revocationDate.data && entry->revocationDate.len) { PRTime revocationDate = 0; - + if (SECSuccess == DER_DecodeTimeChoice(&revocationDate, &entry->revocationDate)) { /* we got a good revocation date, only consider the 
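Review bot: With `delayCrlSigCheck` set, pkix_pl_Pk11CertStore_CheckRevByCrl calls AcquireDPCache with time 0, which per the added comment skips CRL signature validation, yet the function can still report PKIX_RevStatus_Success or PKIX_RevStatus_Revoked from that cache (the status assignment is in the following hunk). The function header, which is outside this hunk, should state that the returned status is provisional in that mode and name the caller step that performs the deferred signature check, so that a Success derived from an unverified CRL is never treated as final. The comment `obtained cache is invalid due to delayed signature check` sits between the two operands of the `||`; moving it above the `if` and noting that both cases leave the status at NoInfo would read more clearly.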
@@ -645,20 +653,18 @@ pkix_pl_Pk11CertStore_CheckRevByCrl( rv = SECFailure; } if (SECFailure == rv) { - CERTCRLEntryReasonCode reasonCode = crlEntryReasonUnspecified; - /* Find real revocation reason */ - CERT_FindCRLEntryReasonExten(entry, &reasonCode); - *pReasonCode = (PKIX_UInt32)reasonCode; - *pStatus = PKIX_RevStatus_Revoked; + CERT_FindCRLEntryReasonExten(entry, &revReason); + status = PKIX_RevStatus_Revoked; PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE); } } else { - *pReasonCode = revReason; - *pStatus = PKIX_RevStatus_Success; + status = PKIX_RevStatus_Success; } cleanup: + *pStatus = status; + *pReasonCode = revReason; if (dpcache) { ReleaseDPCache(dpcache, lockedwrite); } @@ -763,9 +769,6 @@ pkix_pl_Pk11CertStore_GetCert( /* Don't throw away the list if one cert was bad! */ pkixTempErrorReceived = PKIX_FALSE; - PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext), - PKIX_LISTSETIMMUTABLEFAILED); - *pCertList = filtered; filtered = NULL; @@ -855,9 +858,6 @@ pkix_pl_Pk11CertStore_GetCRL( /* Don't throw away the list if one CRL was bad! */ pkixTempErrorReceived = PKIX_FALSE; - PKIX_CHECK(PKIX_List_SetImmutable(filtered, plContext), - PKIX_LISTSETIMMUTABLEFAILED); - *pCrlList = filtered; filtered = NULL; diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c index 4089ebb8593..bc2823e2df0 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c @@ -1490,6 +1490,7 @@ pkix_pl_Cert_CreateWithNSSCert( cert->store = NULL; cert->authorityInfoAccess = NULL; cert->subjectInfoAccess = NULL; + cert->isUserTrustAnchor = PKIX_FALSE; *pCert = cert; @@ -3252,6 +3253,7 @@ cleanup: PKIX_Error * PKIX_PL_Cert_IsCertTrusted( PKIX_PL_Cert *cert, + PKIX_Boolean trustOnlyUserAnchors, PKIX_Boolean *pTrusted, void *plContext) { 
@@ -3268,6 +3270,11 @@ PKIX_PL_Cert_IsCertTrusted( PKIX_ENTER(CERT, "pkix_pl_Cert_IsCertTrusted"); PKIX_NULLCHECK_TWO(cert, pTrusted); + if (trustOnlyUserAnchors) { + *pTrusted = cert->isUserTrustAnchor; + goto cleanup; + } + /* no key usage information and store is not trusted */ if (plContext == NULL || cert->store == NULL) { *pTrusted = PKIX_FALSE; @@ -3322,6 +3329,19 @@ cleanup: PKIX_RETURN(CERT); } +/* FUNCTION: PKIX_PL_Cert_SetAsTrustAnchor */ +PKIX_Error* +PKIX_PL_Cert_SetAsTrustAnchor(PKIX_PL_Cert *cert, + void *plContext) +{ + PKIX_ENTER(CERT, "PKIX_PL_Cert_SetAsTrustAnchor"); + PKIX_NULLCHECK_ONE(cert); + + cert->isUserTrustAnchor = PKIX_TRUE; + + PKIX_RETURN(CERT); +} + /* * FUNCTION: PKIX_PL_Cert_GetCacheFlag (see comments in pkix_pl_pki.h) */ diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.h index 067ef03f2c6..3aec675ff21 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.h +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.h @@ -85,6 +85,7 @@ struct PKIX_PL_CertStruct { PKIX_CertStore *store; PKIX_List *authorityInfoAccess; /* list of PKIX_PL_InfoAccess */ PKIX_List *subjectInfoAccess; /* list of PKIX_PL_InfoAccess */ + PKIX_Boolean isUserTrustAnchor; }; /* see source file for function documentation */ diff --git a/security/nss/lib/pki/certificate.c b/security/nss/lib/pki/certificate.c index 4296f0f554f..760d7bb137c 100644 --- a/security/nss/lib/pki/certificate.c +++ b/security/nss/lib/pki/certificate.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: certificate.c,v $ $Revision: 1.65 $ $Date: 2008/06/14 04:38:32 $"; +static const char CVS_ID[] = "@(#) $RCSfile: certificate.c,v $ $Revision: 1.66 $ $Date: 2009/02/09 07:51:27 $"; #endif /* DEBUG */ #ifndef NSSPKI_H 
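Review bot: PKIX_PL_Cert_SetAsTrustAnchor stores trust as a flag on the PKIX_PL_Cert object itself, with no way to clear it and no locking, and PKIX_PL_Cert_IsCertTrusted returns that flag directly when `trustOnlyUserAnchors` is set. If the same cert object can be reached from more than one validation (for example through an object cache, which is not visible here), trust granted through one caller's anchor list would carry over to another. The header comment is only `/* FUNCTION: PKIX_PL_Cert_SetAsTrustAnchor */`; it should document who may call it, that the mark is permanent for the object's lifetime, and that it must only be applied to cert objects owned by the anchor list. The new `trustOnlyUserAnchors` parameter also needs an entry in the IsCertTrusted documentation, which is outside these hunks.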
@@ -317,6 +317,9 @@ nssCertificate_GetDecoding ( ) { nssDecodedCert* deco = NULL; + if (c->type == NSSCertificateType_PKIX) { + (void)STAN_GetCERTCertificate(c); + } nssPKIObject_Lock(&c->object); if (!c->decoding) { deco = nssDecodedCert_Create(NULL, &c->encoding, c->type); diff --git a/security/nss/lib/softoken/fipsaudt.c b/security/nss/lib/softoken/fipsaudt.c index d17496deb21..573a17cf1af 100644 --- a/security/nss/lib/softoken/fipsaudt.c +++ b/security/nss/lib/softoken/fipsaudt.c @@ -105,7 +105,7 @@ void sftk_AuditCreateObject(CK_SESSION_HANDLE hSession, "phObject=%p)=0x%08lX%s", (PRUint32)hSession, pTemplate, (PRUint32)ulCount, phObject, (PRUint32)rv, shObject); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_LOAD_KEY, msg); } void sftk_AuditCopyObject(CK_SESSION_HANDLE hSession, @@ -124,7 +124,7 @@ void sftk_AuditCopyObject(CK_SESSION_HANDLE hSession, "pTemplate=%p, ulCount=%lu, phNewObject=%p)=0x%08lX%s", (PRUint32)hSession, (PRUint32)hObject, pTemplate, (PRUint32)ulCount, phNewObject, (PRUint32)rv, shNewObject); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_COPY_KEY, msg); } /* WARNING: hObject has been destroyed and can only be printed. */ @@ -138,7 +138,7 @@ void sftk_AuditDestroyObject(CK_SESSION_HANDLE hSession, PR_snprintf(msg, sizeof msg, "C_DestroyObject(hSession=0x%08lX, hObject=0x%08lX)=0x%08lX", (PRUint32)hSession, (PRUint32)hObject, (PRUint32)rv); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_DESTROY_KEY, msg); } void sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession, @@ -153,7 +153,7 @@ void sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession, "pulSize=%p)=0x%08lX", (PRUint32)hSession, (PRUint32)hObject, pulSize, (PRUint32)rv); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_ACCESS_KEY, msg); } void sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession, 
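Review bot: The added `(void)STAN_GetCERTCertificate(c);` in nssCertificate_GetDecoding discards its result and has no comment saying which side effect is being relied on or why it must happen before `nssPKIObject_Lock(&c->object)` is taken. A short comment would do, for example `/* populate the decoding via the CERTCertificate path before locking; a NULL return is handled by the fallback below */`, adjusted to what the call actually guarantees, which is not visible here. The function body continues outside the hunk.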
@@ -169,7 +169,7 @@ void sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession, "pTemplate=%p, ulCount=%lu)=0x%08lX", (PRUint32)hSession, (PRUint32)hObject, pTemplate, (PRUint32)ulCount, (PRUint32)rv); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_ACCESS_KEY, msg); } void sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession, @@ -185,7 +185,7 @@ void sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession, "pTemplate=%p, ulCount=%lu)=0x%08lX", (PRUint32)hSession, (PRUint32)hObject, pTemplate, (PRUint32)ulCount, (PRUint32)rv); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_CHANGE_KEY, msg); } void sftk_AuditCryptInit(const char *opName, CK_SESSION_HANDLE hSession, @@ -202,7 +202,7 @@ void sftk_AuditCryptInit(const char *opName, CK_SESSION_HANDLE hSession, "hKey=0x%08lX)=0x%08lX", opName, (PRUint32)hSession, mech, (PRUint32)hKey, (PRUint32)rv); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_CRYPT, msg); } void sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession, @@ -222,7 +222,7 @@ void sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession, "pTemplate=%p, ulCount=%lu, phKey=%p)=0x%08lX%s", (PRUint32)hSession, mech, pTemplate, (PRUint32)ulCount, phKey, (PRUint32)rv, shKey); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_GENERATE_KEY, msg); } void sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession, @@ -252,7 +252,7 @@ void sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession, pPublicKeyTemplate, (PRUint32)ulPublicKeyAttributeCount, pPrivateKeyTemplate, (PRUint32)ulPrivateKeyAttributeCount, phPublicKey, phPrivateKey, (PRUint32)rv, shPublicKey, shPrivateKey); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_GENERATE_KEY, msg); } void sftk_AuditWrapKey(CK_SESSION_HANDLE hSession, 
@@ -271,7 +271,7 @@ void sftk_AuditWrapKey(CK_SESSION_HANDLE hSession, "hKey=0x%08lX, pWrappedKey=%p, pulWrappedKeyLen=%p)=0x%08lX", (PRUint32)hSession, mech, (PRUint32)hWrappingKey, (PRUint32)hKey, pWrappedKey, pulWrappedKeyLen, (PRUint32)rv); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_WRAP_KEY, msg); } void sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession, @@ -295,7 +295,7 @@ void sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession, (PRUint32)hSession, mech, (PRUint32)hUnwrappingKey, pWrappedKey, (PRUint32)ulWrappedKeyLen, pTemplate, (PRUint32)ulAttributeCount, phKey, (PRUint32)rv, shKey); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_UNWRAP_KEY, msg); } void sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession, @@ -334,7 +334,7 @@ void sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession, (PRUint32)hSession, mech, (PRUint32)hBaseKey, pTemplate,(PRUint32)ulAttributeCount, phKey, (PRUint32)rv, shKey, sTlsKeys); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_DERIVE_KEY, msg); } void sftk_AuditDigestKey(CK_SESSION_HANDLE hSession, @@ -347,5 +347,5 @@ void sftk_AuditDigestKey(CK_SESSION_HANDLE hSession, PR_snprintf(msg, sizeof msg, "C_DigestKey(hSession=0x%08lX, hKey=0x%08lX)=0x%08lX", (PRUint32)hSession, (PRUint32)hKey, (PRUint32)rv); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_DIGEST_KEY, msg); } diff --git a/security/nss/lib/softoken/fipstokn.c b/security/nss/lib/softoken/fipstokn.c index ca6aa34f22f..96fc6f2f001 100644 --- a/security/nss/lib/softoken/fipstokn.c +++ b/security/nss/lib/softoken/fipstokn.c 
@@ -74,8 +74,13 @@ #include #include #define LIBAUDIT_NAME "libaudit.so.0" -#ifndef AUDIT_USER -#define AUDIT_USER 1005 /* message type: message from userspace */ +#ifndef AUDIT_CRYPTO_TEST_USER +#define AUDIT_CRYPTO_TEST_USER 2400 /* Crypto test results */ +#define AUDIT_CRYPTO_PARAM_CHANGE_USER 2401 /* Crypto attribute change */ +#define AUDIT_CRYPTO_LOGIN 2402 /* Logged in as crypto officer */ +#define AUDIT_CRYPTO_LOGOUT 2403 /* Logged out from crypto */ +#define AUDIT_CRYPTO_KEY_USER 2404 /* Create,delete,negotiate */ +#define AUDIT_CRYPTO_FAILURE_USER 2405 /* Fail decrypt,encrypt,randomize */ #endif static void *libaudit_handle; static int (*audit_open_func)(void); 
@@ -321,6 +326,47 @@ sftk_get_object_class_and_fipsCheck(CK_SESSION_HANDLE hSession, return rv; } +#ifdef LINUX + +int +sftk_mapLinuxAuditType(NSSAuditSeverity severity, NSSAuditType auditType) +{ + switch (auditType) { + case NSS_AUDIT_ACCESS_KEY: + case NSS_AUDIT_CHANGE_KEY: + case NSS_AUDIT_COPY_KEY: + case NSS_AUDIT_DERIVE_KEY: + case NSS_AUDIT_DESTROY_KEY: + case NSS_AUDIT_DIGEST_KEY: + case NSS_AUDIT_GENERATE_KEY: + case NSS_AUDIT_LOAD_KEY: + case NSS_AUDIT_UNWRAP_KEY: + case NSS_AUDIT_WRAP_KEY: + return AUDIT_CRYPTO_KEY_USER; + case NSS_AUDIT_CRYPT: + return (severity == NSS_AUDIT_ERROR) ? AUDIT_CRYPTO_FAILURE_USER : + AUDIT_CRYPTO_KEY_USER; + case NSS_AUDIT_FIPS_STATE: + case NSS_AUDIT_INIT_PIN: + case NSS_AUDIT_INIT_TOKEN: + case NSS_AUDIT_SET_PIN: + return AUDIT_CRYPTO_PARAM_CHANGE_USER; + case NSS_AUDIT_SELF_TEST: + return AUDIT_CRYPTO_TEST_USER; + case NSS_AUDIT_LOGIN: + return AUDIT_CRYPTO_LOGIN; + case NSS_AUDIT_LOGOUT: + return AUDIT_CRYPTO_LOGOUT; + /* we skip the fault case here so we can get compiler + * warnings if new 'NSSAuditType's are added without + * added them to this list, defaults fall through */ + } + /* default */ + return AUDIT_CRYPTO_PARAM_CHANGE_USER; +} +#endif + + /********************************************************************** * * FIPS 140 auditable event logging @@ -344,7 +390,8 @@ PRBool sftk_audit_enabled = PR_FALSE; * - for assuming a role, the type of role, and the location of the request */ void -sftk_LogAuditMessage(NSSAuditSeverity severity, const char *msg) +sftk_LogAuditMessage(NSSAuditSeverity severity, NSSAuditType auditType, + const char *msg) { #ifdef NSS_AUDIT_WITH_SYSLOG int level; @@ -370,6 +417,7 @@ sftk_LogAuditMessage(NSSAuditSeverity severity, const char *msg) } if (libaudit_handle) { int audit_fd; + int linuxAuditType; int result = (severity != NSS_AUDIT_ERROR); /* 1=success; 0=failed */ char *message = PR_smprintf("NSS " SOFTOKEN_LIB_NAME ": %s", msg); if (!message) { 
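Review bot: sftk_mapLinuxAuditType is defined with external linkage and no prototype is visible; if it is only used by sftk_LogAuditMessage in this file it should be `static int sftk_mapLinuxAuditType(...)`. The comment inside the switch says `we skip the fault case here`, which presumably means the `default` case, and `added them` should read `adding them`. It would also help to document that a successful NSS_AUDIT_CRYPT event is reported as AUDIT_CRYPTO_KEY_USER and that unknown types fall back to AUDIT_CRYPTO_PARAM_CHANGE_USER, since anyone writing audit rules on these record types needs to know that mapping.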
@@ -380,11 +428,12 @@ sftk_LogAuditMessage(NSSAuditSeverity severity, const char *msg) PR_smprintf_free(message); return; } + linuxAuditType = sftk_mapLinuxAuditType(severity, auditType); if (audit_log_user_message_func) { - audit_log_user_message_func(audit_fd, AUDIT_USER, message, + audit_log_user_message_func(audit_fd, linuxAuditType, message, NULL, NULL, NULL, result); } else { - audit_send_user_message_func(audit_fd, AUDIT_USER, message); + audit_send_user_message_func(audit_fd, linuxAuditType, message); } audit_close_func(audit_fd); PR_smprintf_free(message); @@ -446,7 +495,7 @@ CK_RV FC_Initialize(CK_VOID_PTR pReserved) { const char *envp; CK_RV crv; - CHECK_FORK(); + sftk_ForkReset(pReserved, &crv); if (nsf_init) { return CKR_CRYPTOKI_ALREADY_INITIALIZED; @@ -476,7 +525,7 @@ CK_RV FC_Initialize(CK_VOID_PTR pReserved) { "C_Initialize()=0x%08lX " "power-up self-tests failed", (PRUint32)crv); - sftk_LogAuditMessage(NSS_AUDIT_ERROR, msg); + sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg); } return crv; } @@ -489,12 +538,16 @@ CK_RV FC_Initialize(CK_VOID_PTR pReserved) { CK_RV FC_Finalize (CK_VOID_PTR pReserved) { CK_RV crv; - CHECK_FORK(); + if (sftk_ForkReset(pReserved, &crv)) { + return crv; + } if (!nsf_init) { return CKR_OK; } + crv = nsc_CommonFinalize (pReserved, PR_TRUE); + nsf_init = (PRBool) !(crv == CKR_OK); return crv; } @@ -580,7 +633,7 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { PR_snprintf(msg,sizeof msg, "C_InitToken(slotID=%lu, pLabel=\"%.32s\")=0x%08lX", (PRUint32)slotID,pLabel,(PRUint32)crv); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_INIT_TOKEN, msg); } return crv; } @@ -604,7 +657,7 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { PR_snprintf(msg,sizeof msg, "C_InitPIN(hSession=0x%08lX)=0x%08lX", (PRUint32)hSession,(PRUint32)rv); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_INIT_PIN, msg); } return rv; } 
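Review bot: FC_Initialize calls `sftk_ForkReset(pReserved, &crv);` and discards the result, whereas FC_Finalize in the next hunk returns `crv` when the same call is non-zero. sftk_ForkReset is not defined in the visible hunks, so it is unclear whether ignoring it here is deliberate. If it is, write `(void)sftk_ForkReset(pReserved, &crv);` with a comment saying why initialisation proceeds regardless; otherwise mirror the FC_Finalize check. Both function bodies continue outside their hunks.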
@@ -629,7 +682,7 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { PR_snprintf(msg,sizeof msg, "C_SetPIN(hSession=0x%08lX)=0x%08lX", (PRUint32)hSession,(PRUint32)rv); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_SET_PIN, msg); } return rv; } @@ -699,7 +752,7 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { PR_snprintf(msg,sizeof msg, "C_Login(hSession=0x%08lX, userType=%lu)=0x%08lX", (PRUint32)hSession,(PRUint32)userType,(PRUint32)rv); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_LOGIN, msg); } return rv; } @@ -721,7 +774,7 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { PR_snprintf(msg,sizeof msg, "C_Logout(hSession=0x%08lX)=0x%08lX", (PRUint32)hSession,(PRUint32)rv); - sftk_LogAuditMessage(severity, msg); + sftk_LogAuditMessage(severity, NSS_AUDIT_LOGOUT, msg); } return rv; } @@ -1416,7 +1469,7 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { "self-test: continuous RNG test failed", (PRUint32)hSession,pRandomData, (PRUint32)ulRandomLen,(PRUint32)crv); - sftk_LogAuditMessage(NSS_AUDIT_ERROR, msg); + sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg); } } return crv; diff --git a/security/nss/lib/softoken/legacydb/keydb.c b/security/nss/lib/softoken/legacydb/keydb.c index f60419acea6..e6ba01e6a52 100644 --- a/security/nss/lib/softoken/legacydb/keydb.c +++ b/security/nss/lib/softoken/legacydb/keydb.c @@ -34,7 +34,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: keydb.c,v 1.10 2008/06/06 01:16:25 wtc%google.com Exp $ */ +/* $Id: keydb.c,v 1.11 2009/02/03 05:34:44 julien.pierre.boogz%sun.com Exp $ */ #include "lowkeyi.h" #include "secasn1.h" 
@@ -1051,7 +1051,7 @@ nsslowkey_CloseKeyDB(NSSLOWKEYDBHandle *handle) SECITEM_FreeItem(handle->global_salt,PR_TRUE); } if (handle->lock != NULL) { - PZ_DestroyLock(handle->lock); + SKIP_AFTER_FORK(PZ_DestroyLock(handle->lock)); } PORT_Free(handle); @@ -2194,11 +2194,11 @@ keydb_Close(NSSLOWKEYDBHandle *kdb) DB *db = kdb->db; PORT_Assert(kdbLock != NULL); - PZ_Lock(kdbLock); + SKIP_AFTER_FORK(PZ_Lock(kdbLock)); (* db->close)(db); - prstat = PZ_Unlock(kdbLock); + SKIP_AFTER_FORK(prstat = PZ_Unlock(kdbLock)); return; } diff --git a/security/nss/lib/softoken/legacydb/lgdb.h b/security/nss/lib/softoken/legacydb/lgdb.h index 207b7aecfb9..ed6f1298d4c 100644 --- a/security/nss/lib/softoken/legacydb/lgdb.h +++ b/security/nss/lib/softoken/legacydb/lgdb.h @@ -195,4 +195,22 @@ CK_RV lg_PutMetaData(SDB *sdb, const char *id, SEC_END_PROTOS +#ifndef XP_UNIX + +#define NO_CHECK_FORK + +#endif + +#ifndef NO_CHECK_FORK + +extern PRBool parentForkedAfterC_Initialize; +#define SKIP_AFTER_FORK(x) if (!parentForkedAfterC_Initialize) x + +#else + +#define SKIP_AFTER_FORK(x) x + +#endif /* NO_CHECK_FORK */ + #endif /* _LGDB_H_ */ + diff --git a/security/nss/lib/softoken/legacydb/lginit.c b/security/nss/lib/softoken/legacydb/lginit.c index 62732f087b3..fd34d6d8533 100644 --- a/security/nss/lib/softoken/legacydb/lginit.c +++ b/security/nss/lib/softoken/legacydb/lginit.c @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: lginit.c,v 1.12 2008/02/16 04:38:07 julien.pierre.boogz%sun.com Exp $ */ +/* $Id: lginit.c,v 1.14 2009/02/03 23:18:48 julien.pierre.boogz%sun.com Exp $ */ #include "lowkeyi.h" #include "pcert.h" 
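Review bot: `SKIP_AFTER_FORK(x)` in the lgdb.h hunk expands to a bare `if (!parentForkedAfterC_Initialize) x`, so a call used as the unbraced body of an outer `if` that has an `else` would capture that `else`; the same definition is repeated in the softoken.h and secoid.c hunks further down. Wrapping it keeps the expansion a single statement: `#define SKIP_AFTER_FORK(x) do { if (!parentForkedAfterC_Initialize) { x; } } while (0)`. The call sites visible in this patch are all inside braces or plain statement lists, so this is hardening rather than a live bug. The guard here is spelled `NO_CHECK_FORK` while softoken.h uses `NO_FORK_CHECK`; a comment saying whether these are meant to be two independent switches would avoid confusion.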
@@ -429,14 +429,14 @@ void lg_DBLock(SDB *sdb) { LGPrivate *lgdb_p = (LGPrivate *)sdb->private; - PR_Lock(lgdb_p->dbLock); + SKIP_AFTER_FORK(PR_Lock(lgdb_p->dbLock)); } void lg_DBUnlock(SDB *sdb) { LGPrivate *lgdb_p = (LGPrivate *)sdb->private; - PR_Unlock(lgdb_p->dbLock); + SKIP_AFTER_FORK(PR_Unlock(lgdb_p->dbLock)); } PLHashTable * @@ -462,6 +462,13 @@ lg_getKeyDB(SDB *sdb) return lgdb_p->keyDB; } +PRBool parentForkedAfterC_Initialize; + +void lg_SetForkState(PRBool forked) +{ + parentForkedAfterC_Initialize = forked; +} + CK_RV lg_Close(SDB *sdb) { @@ -474,7 +481,7 @@ lg_Close(SDB *sdb) nsslowkey_CloseKeyDB(lgdb_p->keyDB); } if (lgdb_p->dbLock) { - PR_DestroyLock(lgdb_p->dbLock); + SKIP_AFTER_FORK(PR_DestroyLock(lgdb_p->dbLock)); } if (lgdb_p->hashTable) { PL_HashTableDestroy(lgdb_p->hashTable); @@ -499,7 +506,6 @@ lg_CompareValues(const void *v1, const void *v2) return (value1 == value2); } - /* * helper function to wrap a NSSLOWCERTCertDBHandle or a NSSLOWKEYDBHandle * with and sdb structure. @@ -551,7 +557,7 @@ lg_init(SDB **pSdb, int flags, NSSLOWCERTCertDBHandle *certdbPtr, sdb->sdb_Abort = lg_Abort; sdb->sdb_Reset = lg_Reset; sdb->sdb_Close = lg_Close; - + sdb->sdb_SetForkState = lg_SetForkState; *pSdb = sdb; return CKR_OK; @@ -654,10 +660,13 @@ loser: } CK_RV -legacy_Shutdown(void) +legacy_Shutdown(PRBool forked) { + lg_SetForkState(forked); nsslowcert_DestroyFreeLists(); nsslowcert_DestroyGlobalLocks(); SECOID_Shutdown(); + lg_SetForkState(PR_FALSE); return CKR_OK; } + diff --git a/security/nss/lib/softoken/legacydb/pcertdb.c b/security/nss/lib/softoken/legacydb/pcertdb.c index 0f41c942268..641b6796c18 100644 --- a/security/nss/lib/softoken/legacydb/pcertdb.c +++ b/security/nss/lib/softoken/legacydb/pcertdb.c 
@@ -37,7 +37,7 @@ /* * Permanent Certificate database handling code * - * $Id: pcertdb.c,v 1.6 2007/11/16 02:04:57 julien.pierre.boogz%sun.com Exp $ + * $Id: pcertdb.c,v 1.7 2009/02/03 05:34:44 julien.pierre.boogz%sun.com Exp $ */ #include "lowkeyti.h" #include "pcert.h" @@ -223,7 +223,7 @@ nsslowcert_LockFreeList(void) { PORT_Assert(freeListLock != NULL); - PZ_Lock(freeListLock); + SKIP_AFTER_FORK(PZ_Lock(freeListLock)); return; } @@ -233,11 +233,11 @@ nsslowcert_LockFreeList(void) static void nsslowcert_UnlockFreeList(void) { - PRStatus prstat; + PRStatus prstat = PR_SUCCESS; PORT_Assert(freeListLock != NULL); - prstat = PZ_Unlock(freeListLock); + SKIP_AFTER_FORK(prstat = PZ_Unlock(freeListLock)); PORT_Assert(prstat == PR_SUCCESS); @@ -344,14 +344,14 @@ certdb_Seq(DB *db, DBT *key, DBT *data, unsigned int flags) static void certdb_Close(DB *db) { - PRStatus prstat; + PRStatus prstat = PR_SUCCESS; PORT_Assert(dbLock != NULL); - PZ_Lock(dbLock); + SKIP_AFTER_FORK(PZ_Lock(dbLock)); (* db->close)(db); - prstat = PZ_Unlock(dbLock); + SKIP_AFTER_FORK(prstat = PZ_Unlock(dbLock)); return; } @@ -5269,7 +5269,7 @@ nsslowcert_DestroyFreeLists(void) DestroyCertEntryFreeList(); DestroyTrustFreeList(); DestroyCertFreeList(); - PZ_DestroyLock(freeListLock); + SKIP_AFTER_FORK(PZ_DestroyLock(freeListLock)); freeListLock = NULL; } @@ -5277,15 +5277,15 @@ void nsslowcert_DestroyGlobalLocks(void) { if (dbLock) { - PZ_DestroyLock(dbLock); + SKIP_AFTER_FORK(PZ_DestroyLock(dbLock)); dbLock = NULL; } if (certRefCountLock) { - PZ_DestroyLock(certRefCountLock); + SKIP_AFTER_FORK(PZ_DestroyLock(certRefCountLock)); certRefCountLock = NULL; } if (certTrustLock) { - PZ_DestroyLock(certTrustLock); + SKIP_AFTER_FORK(PZ_DestroyLock(certTrustLock)); certTrustLock = NULL; } } diff --git a/security/nss/lib/softoken/lgglue.c b/security/nss/lib/softoken/lgglue.c index d541fb722da..b5112dd36ee 100644 --- a/security/nss/lib/softoken/lgglue.c +++ b/security/nss/lib/softoken/lgglue.c 
@@ -46,6 +46,7 @@ #include "prenv.h" #include "lgglue.h" #include "secerr.h" +#include "softoken.h" static LGOpenFunc legacy_glue_open = NULL; static LGReadSecmodFunc legacy_glue_readSecmod = NULL; @@ -411,7 +412,10 @@ sftkdbCall_Shutdown(void) return CKR_OK; } if (legacy_glue_shutdown) { - crv = (*legacy_glue_shutdown)(); +#ifdef NO_FORK_CHECK + PRBool parentForkedAfterC_Initialize = PR_FALSE; +#endif + crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize); } disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD"); if (!disableUnload) { diff --git a/security/nss/lib/softoken/lgglue.h b/security/nss/lib/softoken/lgglue.h index 8ced909d355..998f30a94c9 100644 --- a/security/nss/lib/softoken/lgglue.h +++ b/security/nss/lib/softoken/lgglue.h @@ -66,10 +66,10 @@ typedef SECStatus (*LGDeleteSecmodFunc)(const char *appName, typedef SECStatus (*LGAddSecmodFunc)(const char *appName, const char *filename, const char *dbname, char *params, PRBool rw); -typedef SECStatus (*LGShutdownFunc)(void); +typedef SECStatus (*LGShutdownFunc)(PRBool forked); +typedef void (*LGSetForkStateFunc)(PRBool); typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc); - /* * Softoken Glue Functions */ diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c index 926176abe48..43775d8339e 100644 --- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c @@ -68,6 +68,8 @@ #include "sftkdb.h" #include "sftkpars.h" +PRBool parentForkedAfterC_Initialize; + #ifndef NO_FORK_CHECK #if defined(CHECK_FORK_PTHREAD) || defined(CHECK_FORK_MIXED) @@ -484,7 +486,8 @@ static const struct mechanismList mechanisms[] = { }; static const CK_ULONG mechanismCount = sizeof(mechanisms)/sizeof(mechanisms[0]); -static PRBool nsc_init = PR_FALSE; +/* sigh global so fipstokn can read it */ +PRBool nsc_init = PR_FALSE; #if defined(CHECK_FORK_PTHREAD) || defined(CHECK_FORK_MIXED) 
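Review bot: The `LGShutdownFunc` typedef edited in the lgglue.h hunk still declares a `SECStatus` return, while `legacy_Shutdown` in the lginit.c hunk returns `CK_RV` and `sftkdbCall_Shutdown` stores the result of the call in `crv`. Assuming `legacy_glue_shutdown` has this typedef's type (its declaration is outside the hunk), the call goes through a pointer whose return type does not match the function, which C leaves undefined. Since the line is being changed for the new parameter anyway, `typedef CK_RV (*LGShutdownFunc)(PRBool forked);` would bring the three into agreement. The new `LGSetForkStateFunc` typedef is not used in any hunk visible here.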
@@ -1190,6 +1193,21 @@ validateSecretKey(SFTKSession *session, SFTKObject *object, attribute->attrib.ulValueLen); sftk_FreeAttribute(attribute); break; + case CKK_AES: + attribute = sftk_FindAttribute(object,CKA_VALUE); + /* shouldn't happen */ + if (attribute == NULL) + return CKR_TEMPLATE_INCOMPLETE; + if (attribute->attrib.ulValueLen != 16 && + attribute->attrib.ulValueLen != 24 && + attribute->attrib.ulValueLen != 32) { + sftk_FreeAttribute(attribute); + return CKR_KEY_SIZE_RANGE; + } + crv = sftk_forceAttribute(object, CKA_VALUE_LEN, + &attribute->attrib.ulValueLen, sizeof(CK_ULONG)); + sftk_FreeAttribute(attribute); + break; default: break; } @@ -2224,12 +2242,12 @@ CK_RV sftk_CloseAllSessions(SFTKSlot *slot) /* first log out the card */ handle = sftk_getKeyDB(slot); - PZ_Lock(slot->slotLock); + SKIP_AFTER_FORK(PZ_Lock(slot->slotLock)); slot->isLoggedIn = PR_FALSE; if (handle) { sftkdb_ClearPassword(handle); } - PZ_Unlock(slot->slotLock); + SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock)); if (handle) { sftk_freeDB(handle); } @@ -2242,7 +2260,7 @@ CK_RV sftk_CloseAllSessions(SFTKSlot *slot) for (i=0; i < slot->sessHashSize; i++) { PZLock *lock = SFTK_SESSION_LOCK(slot,i); do { - PZ_Lock(lock); + SKIP_AFTER_FORK(PZ_Lock(lock)); session = slot->head[i]; /* hand deque */ /* this duplicates function of NSC_close session functions, but @@ -2252,15 +2270,15 @@ CK_RV sftk_CloseAllSessions(SFTKSlot *slot) slot->head[i] = session->next; if (session->next) session->next->prev = NULL; session->next = session->prev = NULL; - PZ_Unlock(lock); - PZ_Lock(slot->slotLock); + SKIP_AFTER_FORK(PZ_Unlock(lock)); + SKIP_AFTER_FORK(PZ_Lock(slot->slotLock)); --slot->sessionCount; - PZ_Unlock(slot->slotLock); + SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock)); if (session->info.flags & CKF_RW_SESSION) { PR_AtomicDecrement(&slot->rwSessionCount); } } else { - PZ_Unlock(lock); + SKIP_AFTER_FORK(PZ_Unlock(lock)); } if (session) sftk_FreeSession(session); } while (session != NULL); 
@@ -2283,12 +2301,12 @@ sftk_DBShutdown(SFTKSlot *slot) { SFTKDBHandle *certHandle; SFTKDBHandle *keyHandle; - PZ_Lock(slot->slotLock); + SKIP_AFTER_FORK(PZ_Lock(slot->slotLock)); certHandle = slot->certDB; slot->certDB = NULL; keyHandle = slot->keyDB; slot->keyDB = NULL; - PZ_Unlock(slot->slotLock); + SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock)); if (certHandle) { sftk_freeDB(certHandle); } @@ -2355,12 +2373,12 @@ SFTK_DestroySlotData(SFTKSlot *slot) /* OK everything has been disassembled, now we can finally get rid * of the locks */ - PZ_DestroyLock(slot->slotLock); + SKIP_AFTER_FORK(PZ_DestroyLock(slot->slotLock)); slot->slotLock = NULL; if (slot->sessionLock) { for (i=0; i < slot->numSessionLocks; i++) { if (slot->sessionLock[i]) { - PZ_DestroyLock(slot->sessionLock[i]); + SKIP_AFTER_FORK(PZ_DestroyLock(slot->sessionLock[i])); slot->sessionLock[i] = NULL; } } @@ -2368,11 +2386,11 @@ SFTK_DestroySlotData(SFTKSlot *slot) slot->sessionLock = NULL; } if (slot->objectLock) { - PZ_DestroyLock(slot->objectLock); + SKIP_AFTER_FORK(PZ_DestroyLock(slot->objectLock)); slot->objectLock = NULL; } if (slot->pwCheckLock) { - PR_DestroyLock(slot->pwCheckLock); + SKIP_AFTER_FORK(PR_DestroyLock(slot->pwCheckLock)); slot->pwCheckLock = NULL; } PORT_Free(slot); @@ -2514,6 +2532,11 @@ CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS) crv = CKR_DEVICE_ERROR; return crv; } + rv = BL_Init(); /* initialize freebl engine */ + if (rv != SECSuccess) { + crv = CKR_DEVICE_ERROR; + return crv; + } RNG_SystemInfoForRNG(); @@ -2523,7 +2546,7 @@ CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS) * off from the rest on NSS. */ - /* initialize the key and cert db's */ + /* initialize the key and cert db's */ if (init_args && (!(init_args->flags & CKF_OS_LOCKING_OK))) { if (init_args->CreateMutex && init_args->DestroyMutex && init_args->LockMutex && init_args->UnlockMutex) { 
@@ -2562,9 +2585,11 @@ CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS) sftk_closePeer(isFIPS); if (sftk_audit_enabled) { if (isFIPS && nsc_init) { - sftk_LogAuditMessage(NSS_AUDIT_INFO, "enabled FIPS mode"); + sftk_LogAuditMessage(NSS_AUDIT_INFO, NSS_AUDIT_FIPS_STATE, + "enabled FIPS mode"); } else { - sftk_LogAuditMessage(NSS_AUDIT_INFO, "disabled FIPS mode"); + sftk_LogAuditMessage(NSS_AUDIT_INFO, NSS_AUDIT_FIPS_STATE, + "disabled FIPS mode"); } } } @@ -2627,7 +2652,7 @@ CK_RV NSC_Initialize(CK_VOID_PTR pReserved) { CK_RV crv; - CHECK_FORK(); + sftk_ForkReset(pReserved, &crv); if (nsc_init) { return CKR_CRYPTOKI_ALREADY_INITIALIZED; @@ -2642,9 +2667,13 @@ CK_RV NSC_Initialize(CK_VOID_PTR pReserved) * Cryptoki library.*/ CK_RV nsc_CommonFinalize (CK_VOID_PTR pReserved, PRBool isFIPS) { + /* propagate the fork status to freebl and util */ + BL_SetForkState(parentForkedAfterC_Initialize); + UTIL_SetForkState(parentForkedAfterC_Initialize); + nscFreeAllSlots(isFIPS ? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE); - /* don't muck with the globals is our peer is still initialized */ + /* don't muck with the globals if our peer is still initialized */ if (isFIPS && nsc_init) { return CKR_OK; } 
@@ -2660,33 +2689,77 @@ CK_RV nsc_CommonFinalize (CK_VOID_PTR pReserved, PRBool isFIPS) /* tell freeBL to clean up after itself */ BL_Cleanup(); - /* unload freeBL shared library from memory */ + + /* reset fork status in freebl. We must do this before BL_Unload so that + * this call doesn't force freebl to be reloaded. */ + BL_SetForkState(PR_FALSE); + + /* unload freeBL shared library from memory. This may only decrement the + * OS refcount if it's been loaded multiple times, eg. by libssl */ BL_Unload(); + /* clean up the default OID table */ SECOID_Shutdown(); + + /* reset fork status in util */ + UTIL_SetForkState(PR_FALSE); + nsc_init = PR_FALSE; -#ifdef SOLARIS +#ifdef CHECK_FORK_MIXED if (!usePthread_atfork) { myPid = 0; /* allow CHECK_FORK in the next softoken initialization to * succeed */ + } else { + forked = PR_FALSE; /* allow reinitialization */ } -#elif defined(XP_UNIX) && !defined(LINUX) +#elif defined(CHECK_FORK_GETPID) myPid = 0; /* allow reinitialization */ +#elif defined (CHECK_FORK_PTHREAD) + forked = PR_FALSE; /* allow reinitialization */ #endif return CKR_OK; } +/* Hard-reset the entire softoken PKCS#11 module if the parent process forked + * while it was initialized. 
*/ +PRBool sftk_ForkReset(CK_VOID_PTR pReserved, CK_RV* crv) +{ +#ifndef NO_FORK_CHECK + if (PARENT_FORKED()) { + parentForkedAfterC_Initialize = PR_TRUE; + if (nsc_init) { + /* finalize non-FIPS token */ + *crv = nsc_CommonFinalize(pReserved, PR_FALSE); + PORT_Assert(CKR_OK == *crv); + nsc_init = (PRBool) !(*crv == CKR_OK); + } + if (nsf_init) { + /* finalize FIPS token */ + *crv = nsc_CommonFinalize(pReserved, PR_TRUE); + PORT_Assert(CKR_OK == *crv); + nsf_init = (PRBool) !(*crv == CKR_OK); + } + parentForkedAfterC_Initialize = PR_FALSE; + return PR_TRUE; + } +#endif + return PR_FALSE; +} + /* NSC_Finalize indicates that an application is done with the * Cryptoki library.*/ CK_RV NSC_Finalize (CK_VOID_PTR pReserved) { CK_RV crv; - CHECK_FORK(); + /* reset entire PKCS#11 module upon fork */ + if (sftk_ForkReset(pReserved, &crv)) { + return crv; + } if (!nsc_init) { - return CKR_OK; + return CKR_OK; } crv = nsc_CommonFinalize (pReserved, PR_FALSE); @@ -3347,7 +3420,12 @@ CK_RV NSC_CloseAllSessions (CK_SLOT_ID slotID) { SFTKSlot *slot; - CHECK_FORK(); +#ifndef NO_CHECK_FORK + /* skip fork check if we are being called from C_Initialize or C_Finalize */ + if (!parentForkedAfterC_Initialize) { + CHECK_FORK(); + } +#endif slot = sftk_SlotFromID(slotID, PR_FALSE); if (slot == NULL) return CKR_SLOT_ID_INVALID; diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c index 4852f5cd682..1320eeeb5c6 100644 --- a/security/nss/lib/softoken/pkcs11c.c +++ b/security/nss/lib/softoken/pkcs11c.c @@ -4126,7 +4126,7 @@ ecgn_done: "self-test: pair-wise consistency test failed", (PRUint32)hSession,(PRUint32)pMechanism->mechanism, (PRUint32)crv); - sftk_LogAuditMessage(NSS_AUDIT_ERROR, msg); + sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg); } return crv; } diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h index 3ab20156247..ea0febc7245 100644 --- a/security/nss/lib/softoken/pkcs11i.h 
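Review bot: `sftk_ForkReset` returns `PR_TRUE` whenever `PARENT_FORKED()` holds but writes `*crv` only inside the `nsc_init` and `nsf_init` branches, so `NSC_Finalize` and `FC_Finalize`, which both `return crv` on a true result, hand back an uninitialized `CK_RV` if neither module is initialized at that point. Whether that state is reachable depends on how `forked` and `myPid` are maintained outside this hunk, but `*crv = CKR_OK;` as the first statement inside the `if (PARENT_FORKED())` block removes the question. When both branches run, the second assignment overwrites a failure code from the first, and `PORT_Assert` is presumably compiled out of optimized builds, so keeping the first non-`CKR_OK` value would preserve the error for the caller.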
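Review bot: The guard added to `NSC_CloseAllSessions` tests `NO_CHECK_FORK`, whereas softoken.h and `sftk_ForkReset` in this same file use `NO_FORK_CHECK`; in the hunks visible here `NO_CHECK_FORK` is defined only in legacydb/lgdb.h. The block compiles either way because `CHECK_FORK()` is empty when fork checking is off, so this looks like a misspelling rather than a second switch: `#ifndef NO_FORK_CHECK`. The comment could also state that `parentForkedAfterC_Initialize` is true in pkcs11.c only while `sftk_ForkReset` is running, which is what makes skipping the check safe. The rest of `NSC_CloseAllSessions` lies outside the hunk.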
+++ b/security/nss/lib/softoken/pkcs11i.h @@ -584,6 +584,7 @@ SEC_BEGIN_PROTOS extern PRBool nsf_init; extern CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS); extern CK_RV nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS); +extern PRBool sftk_ForkReset(CK_VOID_PTR pReserved, CK_RV* crv); extern CK_RV nsc_CommonGetSlotList(CK_BBOOL tokPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount, int moduleIndex); diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c index 5245f4e759c..a416c63f6a8 100644 --- a/security/nss/lib/softoken/pkcs11u.c +++ b/security/nss/lib/softoken/pkcs11u.c @@ -45,6 +45,7 @@ #include "secerr.h" #include "prnetdb.h" /* for PR_ntohl */ #include "sftkdb.h" +#include "softoken.h" /* * ******************** Attribute Utilities ******************************* @@ -843,12 +844,12 @@ sftk_lookupTokenKeyByHandle(SFTKSlot *slot, CK_OBJECT_HANDLE handle) */ static void sftk_tokenKeyLock(SFTKSlot *slot) { - PZ_Lock(slot->objectLock); + SKIP_AFTER_FORK(PZ_Lock(slot->objectLock)); } static void sftk_tokenKeyUnlock(SFTKSlot *slot) { - PZ_Unlock(slot->objectLock); + SKIP_AFTER_FORK(PZ_Unlock(slot->objectLock)); } static PRIntn @@ -966,7 +967,7 @@ sftk_CleanupFreeList(SFTKObjectFreeList *list, PRBool isSessionList) if (!list->lock) { return; } - PZ_Lock(list->lock); + SKIP_AFTER_FORK(PZ_Lock(list->lock)); for (object= list->head; object != NULL; object = sftk_freeObjectData(object)) { PZ_DestroyLock(object->refLock); @@ -976,8 +977,8 @@ sftk_CleanupFreeList(SFTKObjectFreeList *list, PRBool isSessionList) } list->count = 0; list->head = NULL; - PZ_Unlock(list->lock); - PZ_DestroyLock(list->lock); + SKIP_AFTER_FORK(PZ_Unlock(list->lock)); + SKIP_AFTER_FORK(PZ_DestroyLock(list->lock)); list->lock = NULL; } diff --git a/security/nss/lib/softoken/sdb.c b/security/nss/lib/softoken/sdb.c index 6ef8978c833..81c92f396d3 100644 --- a/security/nss/lib/softoken/sdb.c +++ b/security/nss/lib/softoken/sdb.c 
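Review bot: In `sftk_CleanupFreeList` the list lock is now taken, released and destroyed only when the parent has not forked, but `PZ_DestroyLock(object->refLock)` inside the loop stays unconditional, so the forked-child path still operates on per-object locks inherited from the parent. If the reason for skipping is that lock state copied across fork() cannot be trusted, the same wrapper probably belongs there: `SKIP_AFTER_FORK(PZ_DestroyLock(object->refLock));`. The loop body is split across two hunks and partly outside them, so this should be checked against the full function.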
@@ -1653,6 +1653,14 @@ static int tableExists(sqlite3 *sqlDB, const char *tableName) return (sqlerr == SQLITE_OK) ? 1 : 0; } +void sdb_SetForkState(PRBool forked) +{ + /* XXXright now this is a no-op. The global fork state in the softokn3 + * shared library is already taken care of at the PKCS#11 level. + * If and when we add fork state to the sqlite shared library and extern + * interface, we will need to set it and reset it from here */ +} + /* * initialize a single database */ @@ -1900,6 +1908,7 @@ sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate, sdb->sdb_Commit = sdb_Commit; sdb->sdb_Abort = sdb_Abort; sdb->sdb_Close = sdb_Close; + sdb->sdb_SetForkState = sdb_SetForkState; if (inTransaction) { sqlerr = sqlite3_exec(sqlDB, COMMIT_CMD, NULL, 0, NULL); diff --git a/security/nss/lib/softoken/sdb.h b/security/nss/lib/softoken/sdb.h index 9e041f476c4..e4ded727188 100644 --- a/security/nss/lib/softoken/sdb.h +++ b/security/nss/lib/softoken/sdb.h @@ -94,6 +94,7 @@ struct SDBStr { CK_RV (*sdb_Abort)(SDB *sdb); CK_RV (*sdb_Reset)(SDB *sdb); CK_RV (*sdb_Close)(SDB *sdb); + void (*sdb_SetForkState)(PRBool forked); }; CK_RV s_open(const char *directory, const char *certPrefix, diff --git a/security/nss/lib/softoken/sftkdb.c b/security/nss/lib/softoken/sftkdb.c index 74fe569fc80..ab9db9d51d4 100644 --- a/security/nss/lib/softoken/sftkdb.c +++ b/security/nss/lib/softoken/sftkdb.c @@ -60,6 +60,7 @@ #include "lgglue.h" #include "sftkpars.h" #include "secerr.h" +#include "softoken.h" /* * We want all databases to have the same binary representation independent of 
@@ -76,11 +77,18 @@ static PRBool sftkdb_isULONGAttribute(CK_ATTRIBUTE_TYPE type) { switch(type) { - case CKA_CLASS: - case CKA_CERTIFICATE_TYPE: case CKA_CERTIFICATE_CATEGORY: - case CKA_KEY_TYPE: + case CKA_CERTIFICATE_TYPE: + case CKA_CLASS: case CKA_JAVA_MIDP_SECURITY_DOMAIN: + case CKA_KEY_GEN_MECHANISM: + case CKA_KEY_TYPE: + case CKA_MECHANISM_TYPE: + case CKA_MODULUS_BITS: + case CKA_PRIME_BITS: + case CKA_SUBPRIME_BITS: + case CKA_VALUE_BITS: + case CKA_VALUE_LEN: case CKA_TRUST_DIGITAL_SIGNATURE: case CKA_TRUST_NON_REPUDIATION: @@ -873,12 +881,12 @@ sftkdb_checkConflicts(SDB *db, CK_OBJECT_CLASS objectType, /* fetch the subject of the source. For creation and merge, this should * be found in the template */ attr2 = sftkdb_getAttributeFromConstTemplate(CKA_SUBJECT, ptemplate, len); - if ((attr2 == NULL) || (attr2->ulValueLen == 0)) { - if (sourceID == CK_INVALID_HANDLE) { + if (sourceID == CK_INVALID_HANDLE) { + if ((attr2 == NULL) || ((CK_LONG)attr2->ulValueLen < 0)) { crv = CKR_TEMPLATE_INCOMPLETE; goto done; } - + } else if ((attr2 == NULL) || ((CK_LONG)attr2->ulValueLen <= 0)) { /* sourceID is set if we are trying to modify an existing entry instead * of creating a new one. In this case the subject may not be (probably * isn't) in the template, we have to read it from the database */ @@ -889,11 +897,11 @@ sftkdb_checkConflicts(SDB *db, CK_OBJECT_CLASS objectType, if (crv != CKR_OK) { goto done; } - if (subject.ulValueLen <= 0) { + if ((CK_LONG)subject.ulValueLen < 0) { crv = CKR_DEVICE_ERROR; /* closest pkcs11 error to corrupted DB */ goto done; } - temp1 = subject.pValue = PORT_Alloc(subject.ulValueLen); + temp1 = subject.pValue = PORT_Alloc(++subject.ulValueLen); if (temp1 == NULL) { crv = CKR_HOST_MEMORY; goto done; 
@@ -934,7 +942,7 @@ sftkdb_checkConflicts(SDB *db, CK_OBJECT_CLASS objectType, * source subject is too big, and therefore not a match. GetAttributeValue * will return CKR_BUFFER_TOO_SMALL. Otherwise it should be exactly enough * space (or enough space to be able to compare the result. */ - temp2 = findTemplate[0].pValue = PORT_Alloc(attr2->ulValueLen); + temp2 = findTemplate[0].pValue = PORT_Alloc(++findTemplate[0].ulValueLen); if (temp2 == NULL) { crv = CKR_HOST_MEMORY; goto done; @@ -954,7 +962,9 @@ sftkdb_checkConflicts(SDB *db, CK_OBJECT_CLASS objectType, /* Ok, we have both subjects, make sure they are the same. * Compare the subjects */ if ((findTemplate[0].ulValueLen != attr2->ulValueLen) || - (PORT_Memcmp(findTemplate[0].pValue,attr2->pValue,attr2->ulValueLen) != 0)) { + (attr2->ulValueLen > 0 && + PORT_Memcmp(findTemplate[0].pValue, attr2->pValue, attr2->ulValueLen) + != 0)) { crv = CKR_ATTRIBUTE_VALUE_INVALID; goto loser; } @@ -1392,17 +1402,26 @@ loser: CK_RV sftkdb_CloseDB(SFTKDBHandle *handle) { +#ifdef NO_FORK_CHECK + PRBool parentForkedAfterC_Initialize = PR_FALSE; +#endif if (handle == NULL) { return CKR_OK; } if (handle->update) { + if (handle->db->sdb_SetForkState) { + (*handle->db->sdb_SetForkState)(parentForkedAfterC_Initialize); + } (*handle->update->sdb_Close)(handle->update); } if (handle->db) { + if (handle->db->sdb_SetForkState) { + (*handle->db->sdb_SetForkState)(parentForkedAfterC_Initialize); + } (*handle->db->sdb_Close)(handle->db); } if (handle->passwordLock) { - PZ_DestroyLock(handle->passwordLock); + SKIP_AFTER_FORK(PZ_DestroyLock(handle->passwordLock)); } if (handle->updatePasswordKey) { SECITEM_FreeItem(handle->updatePasswordKey, PR_TRUE); 
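Review bot: In the `handle->update` branch of `sftkdb_CloseDB` the new fork-state call goes through `handle->db` instead of `handle->update`, and it does so before the `if (handle->db)` test that follows, so a handle with an update database but no primary one would dereference NULL, and the update database's own `sdb_SetForkState` is never invoked. The branch should read `if (handle->update->sdb_SetForkState) { (*handle->update->sdb_SetForkState)(parentForkedAfterC_Initialize); }`. Nothing in this function sets the state back to `PR_FALSE` after the close, while `legacy_Shutdown` in lginit.c does reset it; a comment naming which caller owns the reset would help.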
@@ -1750,7 +1769,7 @@ typedef enum { } sftkdbUpdateStatus; /* - * helper function to reconsile a single trust entry. + * helper function to reconcile a single trust entry. * Identify which trust entry we want to keep. * If we don't need to do anything (the records are already equal). * return SFTKDB_DO_NOTHING. @@ -1765,7 +1784,7 @@ typedef enum { * any SFTKDB_MODIFY_OBJECT returns. */ sftkdbUpdateStatus -sftkdb_reconsileTrustEntry(PRArenaPool *arena, CK_ATTRIBUTE *target, +sftkdb_reconcileTrustEntry(PRArenaPool *arena, CK_ATTRIBUTE *target, CK_ATTRIBUTE *source) { CK_ULONG targetTrust = sftkdb_getULongFromTemplate(target->type, @@ -1849,12 +1868,12 @@ const CK_ATTRIBUTE_TYPE sftkdb_trustList[] = #define SFTK_TRUST_TEMPLATE_COUNT \ (sizeof(sftkdb_trustList)/sizeof(sftkdb_trustList[0])) /* - * Run through the list of known trust types, and reconsile each trust + * Run through the list of known trust types, and reconcile each trust * entry one by one. Keep track of we really need to write out the source * trust object (overwriting the existing one). */ static sftkdbUpdateStatus -sftkdb_reconsileTrust(PRArenaPool *arena, SDB *db, CK_OBJECT_HANDLE id, +sftkdb_reconcileTrust(PRArenaPool *arena, SDB *db, CK_OBJECT_HANDLE id, CK_ATTRIBUTE *ptemplate, CK_ULONG *plen) { CK_ATTRIBUTE trustTemplate[SFTK_TRUST_TEMPLATE_COUNT]; @@ -1900,7 +1919,7 @@ sftkdb_reconsileTrust(PRArenaPool *arena, SDB *db, CK_OBJECT_HANDLE id, continue; } - status = sftkdb_reconsileTrustEntry(arena, &trustTemplate[i], attr); + status = sftkdb_reconcileTrustEntry(arena, &trustTemplate[i], attr); if (status == SFTKDB_MODIFY_OBJECT) { update = SFTKDB_MODIFY_OBJECT; } else if (status == SFTKDB_DROP_ATTRIBUTE) { 
@@ -2062,9 +2081,9 @@ sftkdb_updateObjectTemplate(PRArenaPool *arena, SDB *db, return sftkdb_handleIDAndName(arena, db, id, ptemplate, plen); case CKO_NSS_TRUST: /* if we have conflicting trust object types, - * we need to reconsile them */ + * we need to reconcile them */ *targetID = id; - return sftkdb_reconsileTrust(arena, db, id, ptemplate, plen); + return sftkdb_reconcileTrust(arena, db, id, ptemplate, plen); case CKO_SECRET_KEY: /* secret keys in the old database are all sdr keys, * unfortunately they all appear to have the same CKA_ID, @@ -2364,12 +2383,12 @@ sftk_getKeyDB(SFTKSlot *slot) { SFTKDBHandle *dbHandle; - PZ_Lock(slot->slotLock); + SKIP_AFTER_FORK(PZ_Lock(slot->slotLock)); dbHandle = slot->keyDB; if (dbHandle) { PR_AtomicIncrement(&dbHandle->ref); } - PZ_Unlock(slot->slotLock); + SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock)); return dbHandle; } diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c index 7198596a60b..a481e718ce9 100644 --- a/security/nss/lib/softoken/sftkpwd.c +++ b/security/nss/lib/softoken/sftkpwd.c @@ -66,7 +66,7 @@ #include "prsystem.h" #include "lgglue.h" #include "secerr.h" - +#include "softoken.h" /****************************************************************** * @@ -540,14 +540,14 @@ sftkdb_switchKeys(SFTKDBHandle *keydb, SECItem *passKey) } /* an atomic pointer set would be nice */ - PZ_Lock(keydb->passwordLock); + SKIP_AFTER_FORK(PZ_Lock(keydb->passwordLock)); data = keydb->passwordKey.data; len = keydb->passwordKey.len; keydb->passwordKey.data = passKey->data; keydb->passwordKey.len = passKey->len; passKey->data = data; passKey->len = len; - PZ_Unlock(keydb->passwordLock); + SKIP_AFTER_FORK(PZ_Unlock(keydb->passwordLock)); } /* diff --git a/security/nss/lib/softoken/softoken.h b/security/nss/lib/softoken/softoken.h index 4114379dace..6cdd43d36bc 100644 --- a/security/nss/lib/softoken/softoken.h +++ b/security/nss/lib/softoken/softoken.h 
@@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: softoken.h,v 1.20 2008/11/19 00:16:56 julien.pierre.boogz%sun.com Exp $ */ +/* $Id: softoken.h,v 1.22 2009/02/03 05:34:43 julien.pierre.boogz%sun.com Exp $ */ #ifndef _SOFTOKEN_H_ #define _SOFTOKEN_H_ @@ -189,7 +189,8 @@ unsigned long sftk_MapKeySize(CK_KEY_TYPE keyType); */ extern PRBool sftk_audit_enabled; -extern void sftk_LogAuditMessage(NSSAuditSeverity severity, const char *msg); +extern void sftk_LogAuditMessage(NSSAuditSeverity severity, + NSSAuditType, const char *msg); extern void sftk_AuditCreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, @@ -325,41 +326,41 @@ extern PRBool usePthread_atfork; extern pid_t myPid; extern PRBool forked; -#define CHECK_FORK() \ - do { \ - if (usePthread_atfork ? forked : (myPid && myPid != getpid()) ) { \ - FORK_ASSERT(); \ - return CKR_DEVICE_ERROR; \ - } \ - } while (0) +#define PARENT_FORKED() usePthread_atfork ? forked : (myPid && myPid != getpid()) #elif defined(CHECK_FORK_PTHREAD) extern PRBool forked; -#define CHECK_FORK() \ - do { if (forked) { FORK_ASSERT(); return CKR_DEVICE_ERROR; } } while (0) +#define PARENT_FORKED() forked -#else +#elif defined(CHECK_FORK_GETPID) #include extern pid_t myPid; +#define PARENT_FORKED() myPid && myPid != getpid() + +#endif + +extern PRBool parentForkedAfterC_Initialize; + #define CHECK_FORK() \ do { \ - if (myPid && myPid != getpid()) { \ + if (PARENT_FORKED()) { \ FORK_ASSERT(); \ return CKR_DEVICE_ERROR; \ } \ } while (0) - -#endif + +#define SKIP_AFTER_FORK(x) if (!parentForkedAfterC_Initialize) x #else /* non-Unix platforms, or fork check disabled */ #define CHECK_FORK() +#define SKIP_AFTER_FORK(x) x #ifndef NO_FORK_CHECK #define NO_FORK_CHECK @@ -367,6 +368,7 @@ extern pid_t myPid; #endif + SEC_END_PROTOS #endif /* _SOFTOKEN_H_ */ 
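Review bot: Two of the `PARENT_FORKED()` definitions in the `@@ -325,41 +326,41 @@` hunk, `usePthread_atfork ? forked : (myPid && myPid != getpid())` and `myPid && myPid != getpid()`, are unparenthesized, so they are correct only in the bare `if (PARENT_FORKED())` form used today; `!PARENT_FORKED()` or `PARENT_FORKED() || x` would bind differently. Wrapping each expansion costs nothing, e.g. `#define PARENT_FORKED() (myPid && myPid != getpid())`. The former `#else` is now `#elif defined(CHECK_FORK_GETPID)`, so a build that enters this section with none of the three CHECK_FORK_* macros defined gets a `CHECK_FORK()` that refers to an undefined `PARENT_FORKED`. Unless the selection logic outside this hunk guarantees one is always set, a final `#else` with `#error` would make that configuration fail with a clear message.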
diff --git a/security/nss/lib/softoken/softoknt.h b/security/nss/lib/softoken/softoknt.h index 7162fafebd2..dde481b164d 100644 --- a/security/nss/lib/softoken/softoknt.h +++ b/security/nss/lib/softoken/softoknt.h @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: softoknt.h,v 1.4 2006/05/05 20:02:47 wtchang%redhat.com Exp $ */ +/* $Id: softoknt.h,v 1.5 2009/01/27 23:13:21 rrelyea%redhat.com Exp $ */ #ifndef _SOFTOKNT_H_ #define _SOFTOKNT_H_ @@ -70,4 +70,25 @@ typedef enum { NSS_AUDIT_INFO = 1 /* informational messages */ } NSSAuditSeverity; +typedef enum { + NSS_AUDIT_ACCESS_KEY = 0, + NSS_AUDIT_CHANGE_KEY, + NSS_AUDIT_COPY_KEY, + NSS_AUDIT_CRYPT, + NSS_AUDIT_DERIVE_KEY, + NSS_AUDIT_DESTROY_KEY, + NSS_AUDIT_DIGEST_KEY, + NSS_AUDIT_FIPS_STATE, + NSS_AUDIT_GENERATE_KEY, + NSS_AUDIT_INIT_PIN, + NSS_AUDIT_INIT_TOKEN, + NSS_AUDIT_LOAD_KEY, + NSS_AUDIT_LOGIN, + NSS_AUDIT_LOGOUT, + NSS_AUDIT_SELF_TEST, + NSS_AUDIT_SET_PIN, + NSS_AUDIT_UNWRAP_KEY, + NSS_AUDIT_WRAP_KEY, +} NSSAuditType; + #endif /* _SOFTOKNT_H_ */ diff --git a/security/nss/lib/util/nssutil.def b/security/nss/lib/util/nssutil.def index fcfad111be2..65d8539af3c 100644 --- a/security/nss/lib/util/nssutil.def +++ b/security/nss/lib/util/nssutil.def @@ -235,6 +235,7 @@ NSS_Get_sgn_DigestInfoTemplate_Util; ;+NSSUTIL_3.12.3 { # NSS Utilities 3.12.3 release ;+ global: SECITEM_ReallocItem; +UTIL_SetForkState; ;+ local: ;+ *; ;+}; diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c index 7ae71f6dd30..dba5c488ee7 100644 --- a/security/nss/lib/util/secoid.c +++ b/security/nss/lib/util/secoid.c @@ -1931,6 +1931,11 @@ SECOID_FindOIDTagDescription(SECOidTag tagnum) return oidData ? oidData->desc : 0; } +/* for now, this is only used in a single place, so it can remain static */ +static PRBool parentForkedAfterC_Initialize; + +#define SKIP_AFTER_FORK(x) if (!parentForkedAfterC_Initialize) x + /* * free up the oid tables. */ 
@@ -1951,7 +1956,7 @@ SECOID_Shutdown(void) ** the destruction of data that probably isn't initialized anyway. */ if (dynOidLock) { - NSSRWLock_LockWrite(dynOidLock); + SKIP_AFTER_FORK(NSSRWLock_LockWrite(dynOidLock)); if (dynOidHash) { PL_HashTableDestroy(dynOidHash); dynOidHash = NULL; @@ -1967,8 +1972,8 @@ SECOID_Shutdown(void) dynOidEntriesAllocated = 0; dynOidEntriesUsed = 0; - NSSRWLock_UnlockWrite(dynOidLock); - NSSRWLock_Destroy(dynOidLock); + SKIP_AFTER_FORK(NSSRWLock_UnlockWrite(dynOidLock)); + SKIP_AFTER_FORK(NSSRWLock_Destroy(dynOidLock)); dynOidLock = NULL; } else { /* Since dynOidLock doesn't exist, then all the data it protects @@ -1985,3 +1990,10 @@ SECOID_Shutdown(void) } return SECSuccess; } + +void UTIL_SetForkState(PRBool forked) +{ + parentForkedAfterC_Initialize = forked; +} + + diff --git a/security/nss/lib/util/secoid.h b/security/nss/lib/util/secoid.h index 31bb61d3ef5..2d86861ea73 100644 --- a/security/nss/lib/util/secoid.h +++ b/security/nss/lib/util/secoid.h @@ -42,7 +42,7 @@ /* * secoid.h - public data structures and prototypes for ASN.1 OID functions * - * $Id: secoid.h,v 1.10 2008/06/14 14:20:38 wtc%google.com Exp $ + * $Id: secoid.h,v 1.11 2009/02/03 05:34:47 julien.pierre.boogz%sun.com Exp $ */ #include "plarena.h" @@ -147,6 +147,8 @@ extern SECStatus SECOID_Shutdown(void); extern SECStatus SEC_StringToOID(PLArenaPool *pool, SECItem *to, const char *from, PRUint32 len); +extern void UTIL_SetForkState(PRBool forked); + SEC_END_PROTOS #endif /* _SECOID_H_ */ diff --git a/security/nss/tests/chains/chains.sh b/security/nss/tests/chains/chains.sh index 60bec6ef44a..f1725b02a83 100644 --- a/security/nss/tests/chains/chains.sh +++ b/security/nss/tests/chains/chains.sh 
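Review bot: The three `SKIP_AFTER_FORK(...)` calls in `SECOID_Shutdown` (this hunk and the `-1967,8` hunk) have no comment explaining why the write lock is neither taken, released nor destroyed once `parentForkedAfterC_Initialize` is set, while the teardown of `dynOidHash` and the entry counters between them still runs unlocked. A comment above the first call would record the intent, e.g. `/* After a fork the inherited lock state cannot be trusted: skip all lock calls and only release our own data. */`. That rationale is my inference from the flag name and should be confirmed. It is also worth stating that the lock object is deliberately not destroyed in that case, since `dynOidLock = NULL` still executes. The function body extends outside both hunks.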
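Review bot: `UTIL_SetForkState` is added in the `-1985,3` hunk as an exported function (the commit also lists it in nssutil.def) with no comment on who may call it or when. Since it writes a plain static `PRBool` that `SECOID_Shutdown` reads without synchronization, the contract should say so, e.g. `/* Records whether the process forked after C_Initialize; read by SECOID_Shutdown. Not synchronized: call before shutdown starts. */`. The caller named in that comment is presumed and should be checked. The definition also puts the return type on the same line as the name, while the hunk context (`SECOID_Shutdown(void)` on its own line) suggests the file's style is `void` on the line above.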
@@ -71,12 +71,15 @@ chains_init() CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios" - CERT_SN=$(date '+%m%d%H%M%S') - PK7_NONCE=$CERT_SN; + CERT_SN_CNT=$(date '+%m%d%H%M%S') + CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000) + + PK7_NONCE=$CERT_SN_CNT; AIA_FILES="${HOSTDIR}/aiafiles" CU_DATA=${HOSTDIR}/cu_data + CRL_DATA=${HOSTDIR}/crl_data html_head "Certificate Chains Tests" } @@ -102,6 +105,22 @@ print_cu_data() echo "===" } +set_cert_sn() +{ + if [ -z "${SERIAL}" ]; then + CERT_SN_CNT=$(expr ${CERT_SN_CNT} + 1) + CERT_SN=${CERT_SN_CNT} + else + echo ${SERIAL} | cut -b 1 | grep '+' > /dev/null + if [ $? -eq 0 ]; then + CERT_SN=$(echo ${SERIAL} | cut -b 2-) + CERT_SN=$(expr ${CERT_SN_FIX} + ${CERT_SN}) + else + CERT_SN=${SERIAL} + fi + fi +} + ############################# create_db ################################ # local shell function to create certificate database ######################################################################## @@ -119,8 +138,6 @@ create_db() echo "certutil -N -d ${DB} -f ${DB}/dbpasswd" ${BINDIR}/certutil -N -d ${DB} -f ${DB}/dbpasswd html_msg $? 0 "${SCENARIO}${TESTNAME}" - - TESTDB=${DB} } ########################### create_root_ca ############################# @@ -131,7 +148,7 @@ create_root_ca() ENTITY=$1 ENTITY_DB=${ENTITY}DB - CERT_SN=$(expr ${CERT_SN} + 1) + set_cert_sn date >> ${NOISE_FILE} 2>&1 CTYPE_OPT= @@ -399,7 +416,7 @@ sign_cert() REQ=${ENTITY}Req.der CERT=${ENTITY}${ISSUER}.der - CERT_SN=$(expr ${CERT_SN} + 1) + set_cert_sn EMAIL_OPT= if [ "${TYPE}" = "Bridge" ]; then 
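Review bot: In `set_cert_sn` (hunk `-102,6`) the prefix test `echo ${SERIAL} | cut -b 1 | grep '+'` expands `${SERIAL}` unquoted and runs three processes to inspect one character, and whatever follows the `+` goes into `expr` without its exit status being checked, so a non-numeric value leaves `CERT_SN` empty for the later certutil/crlutil calls. Testing in the shell itself, `case "${SERIAL}" in +*)`, with the plain-value branch under `*)`, is simpler and avoids word splitting. The function also lacks the banner comment that `create_db` right below it has. One line per mode (no `SERIAL`: running counter; `+N`: offset from `CERT_SN_FIX`; `N`: literal serial) would help scenario authors.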
@@ -478,16 +495,83 @@ import_cert() html_msg $? 0 "${SCENARIO}${TESTNAME}" } +import_crl() +{ + IMPORT=$1 + DB=$2 + + CRL_NICK=`echo ${IMPORT} | cut -d: -f1` + CRL_FILE=${CRL_NICK}.crl + + if [ ! -f "${CRL_FILE}" ]; then + return + fi + + TESTNAME="Importing CRL ${CRL_FILE} to ${DB} database" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE}" + ${BINDIR}/crlutil -I -d ${DB} -f ${DB}/dbpasswd -i ${CRL_FILE} + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +create_crl() +{ + ISSUER=$1 + ISSUER_DB=${ISSUER}DB + + CRL=${ISSUER}.crl + + DATE=$(date -u '+%Y%m%d%H%M%SZ') + UPDATE=$(expr $(date -u '+%Y') + 1)$(date -u '+%m%d%H%M%SZ') + + echo "update=${DATE}" > ${CRL_DATA} + echo "nextupdate=${UPDATE}" >> ${CRL_DATA} + + TESTNAME="Create CRL for ${ISSUER_DB}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}" + echo "=== Crlutil input data ===" + cat ${CRL_DATA} + echo "===" + ${BINDIR}/crlutil -G -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA} + html_msg $? 0 "${SCENARIO}${TESTNAME}" +} + +revoke_cert() +{ + ISSUER=$1 + ISSUER_DB=${ISSUER}DB + + CRL=${ISSUER}.crl + + set_cert_sn + + sleep 1 + DATE=$(date -u '+%Y%m%d%H%M%SZ') + echo "update=${DATE}" > ${CRL_DATA} + echo "addcert ${CERT_SN} ${DATE}" >> ${CRL_DATA} + + TESTNAME="Revoking certificate with SN ${CERT_SN} issued by ${ISSUER}" + echo "${SCRIPTNAME}: ${TESTNAME}" + echo "crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL}" + echo "=== Crlutil input data ===" + cat ${CRL_DATA} + echo "===" + ${BINDIR}/crlutil -M -d ${ISSUER_DB} -n ${ISSUER} -f ${ISSUER_DB}/dbpasswd -o ${CRL} < ${CRL_DATA} + html_msg $? 
0 "${SCENARIO}${TESTNAME}" +} + ######################################################################## # List of global variables related to certificate verification: # # Generated by parse_config: -# TESTDB - DB used for testing +# DB - DB used for testing # FETCH - fetch flag (used with AIA extension) # POLICY - list of policies # TRUST - trust anchor # VERIFY - list of certificates to use as vfychain parameters # EXP_RESULT - expected result +# REV_OPTS - revocation options ######################################################################## ############################# verify_cert ############################## @@ -502,8 +586,8 @@ verify_cert() VFY_CERTS= VFY_LIST= - if [ -n "${TESTDB}" ]; then - DB_OPT="-d ${TESTDB}" + if [ -n "${DB}" ]; then + DB_OPT="-d ${DB}" fi if [ -n "${FETCH}" ]; then @@ -546,15 +630,15 @@ verify_cert() fi done - TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${DB_OPT} ${FETCH_OPT} ${POLICY_OPT} ${TRUST_OPT}" + TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${POLICY_OPT} ${TRUST_OPT}" echo "${SCRIPTNAME}: ${TESTNAME}" - echo "vfychain ${DB_OPT} -pp -vv ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}" + echo "vfychain ${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}" if [ -z "${MEMLEAK_DBG}" ]; then - ${BINDIR}/vfychain ${DB_OPT} -pp -vv ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT} + ${BINDIR}/vfychain ${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT} RESULT=$? else - ${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${DB_OPT} -pp -vv ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT} 2>> ${LOGFILE} + ${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${REV_OPTS} ${DB_OPT} -pp -vv ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT} 2>> ${LOGFILE} RESULT=$? fi 
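Review bot: `create_crl` builds `nextupdate` from two separate `date` calls, `$(expr $(date -u '+%Y') + 1)$(date -u '+%m%d%H%M%SZ')`, so the two halves can straddle a year change, and on 29 February the result names a day that does not exist in the following year. How crlutil treats such a value is not visible here; if it rejects it, the revocation scenario fails for a reason unrelated to the code under test. Deriving both lines from one timestamp removes the first problem, e.g. `NOW=$(date -u '+%Y%m%d%H%M%SZ')` and `UPDATE=$(expr $(echo ${NOW} | cut -b 1-4) + 1)$(echo ${NOW} | cut -b 5-)`. The leap-day case needs an explicit decision. Separately, `revoke_cert` reads only `$1`, although parse_config calls it with a second argument `"${DB}"`.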
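Review bot: In the `-546,15` hunk the `MEMLEAK_DBG` branch passes `${REV_OPTS}` before `${DB_OPT} -pp -vv`, while the normal branch and the echoed command line place it after `-pp -vv`, so the logged command is not the one executed in the leak-check run. Use one order in all three places, e.g. `${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT} 2>> ${LOGFILE}`. Whether vfychain is sensitive to option order is not shown in this hunk, but a revocation check that behaves differently only in the debug run would be hard to diagnose. `verify_cert` starts and ends outside the hunk.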
@@ -661,6 +745,17 @@ parse_config() "import") IMPORT="${VALUE}" import_cert "${IMPORT}" "${DB}" + import_crl "${IMPORT}" "${DB}" + ;; + "crl") + ISSUER="${VALUE}" + create_crl "${ISSUER}" + ;; + "revoke") + REVOKE="${VALUE}" + ;; + "serial") + SERIAL="${VALUE}" ;; "verify") VERIFY="${VALUE}" @@ -668,15 +763,16 @@ parse_config() POLICY= FETCH= EXP_RESULT= + REV_OPTS= ;; "cert") VERIFY="${VERIFY} ${VALUE}" ;; "testdb") if [ -n "${VALUE}" ]; then - TESTDB="${VALUE}DB" + DB="${VALUE}DB" else - TESTDB= + DB= fi ;; "trust") @@ -689,6 +785,18 @@ parse_config() EXP_RESULT="${VALUE}" parse_result ;; + "rev_type") + REV_OPTS="${REV_OPTS} -g ${VALUE}" + ;; + "rev_flags") + REV_OPTS="${REV_OPTS} -h ${VALUE}" + ;; + "rev_mtype") + REV_OPTS="${REV_OPTS} -m ${VALUE}" + ;; + "rev_mflags") + REV_OPTS="${REV_OPTS} -s ${VALUE}" + ;; "scenario") SCENARIO="${VALUE}: " @@ -701,6 +809,9 @@ parse_config() LOGFILE="${LOGDIR}/${LOGNAME}" fi ;; + "break") + break + ;; "") if [ -n "${ENTITY}" ]; then if [ -z "${DB}" ]; then @@ -717,6 +828,11 @@ parse_config() verify_cert VERIFY= fi + + if [ -n "${REVOKE}" ]; then + revoke_cert "${REVOKE}" "${DB}" + REVOKE= + fi ;; *) if [ `echo ${KEY} | cut -b 1` != "#" ]; then diff --git a/security/nss/tests/chains/scenarios/realcerts.cfg b/security/nss/tests/chains/scenarios/realcerts.cfg index a4fe28d20a4..81b910f0f86 100644 --- a/security/nss/tests/chains/scenarios/realcerts.cfg +++ b/security/nss/tests/chains/scenarios/realcerts.cfg @@ -8,6 +8,7 @@ import TestUser51:x: import PayPalRootCA:x:CT,C,C import PayPalICA:x: import PayPalEE:x: +import BrAirWaysBadSig:x: verify TestUser50:x result pass @@ -19,3 +20,6 @@ verify PayPalEE:x policy OID.2.16.840.1.113733.1.7.23.6 result pass +verify BrAirWaysBadSig:x + result fail + diff --git a/security/nss/tests/chains/scenarios/revoc.cfg b/security/nss/tests/chains/scenarios/revoc.cfg new file mode 100644 index 00000000000..38b58dd84b0 --- /dev/null +++ b/security/nss/tests/chains/scenarios/revoc.cfg 
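Review bot: `SERIAL` is assigned in the new `"serial")` arm, but none of the visible hunks clears it, whereas `REVOKE` is reset right after `revoke_cert` in the `-717,6` hunk. Because `set_cert_sn` uses `SERIAL` whenever it is non-empty, a value left over from one `entity` or `revoke` stanza would be reused by the next stanza that has no `serial` line. In a revocation test that can mean the wrong serial is revoked or two certificates share a serial. If it is not already cleared outside these hunks, add `SERIAL=` next to `REVOKE=` and wherever the per-entity variables are reset. parse_config's body extends outside the hunks.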
@@ -0,0 +1,82 @@ +scenario Revocation + +entity Root + type Root + serial 10 + +entity CA0 + type Intermediate + issuer Root + serial 11 + +entity CA1 + type Intermediate + issuer CA0 + serial 12 + +entity EE11 + type EE + issuer CA1 + serial 13 + +entity EE12 + type EE + issuer CA1 + serial 14 + +entity CA2 + type Intermediate + issuer CA0 + serial 15 + +entity EE21 + type EE + issuer CA2 + serial 16 + +crl Root +crl CA0 +crl CA1 +crl CA2 + +revoke CA1 + serial 14 + +revoke CA0 + serial 15 + +db All + +import Root::CTu,CTu,CTu +import CA0:Root: +import CA1:CA0: +import CA2:CA0: + +# EE11 - not revoked +verify EE11:CA1 + trust Root: + rev_type leaf + rev_mtype crl + result pass + +# EE12 - revoked +verify EE12:CA1 + trust Root: + rev_type leaf + rev_mtype crl + result fail + +# EE11 - CA1 not revoked +verify EE11:CA1 + trust Root: + rev_type chain + rev_mtype crl + result pass + +# EE21 - CA2 revoked +verify EE21:CA2 + trust Root: + rev_type chain + rev_mtype crl + result fail + diff --git a/security/nss/tests/chains/scenarios/scenarios b/security/nss/tests/chains/scenarios/scenarios index 26d79889c90..15a429a2854 100644 --- a/security/nss/tests/chains/scenarios/scenarios +++ b/security/nss/tests/chains/scenarios/scenarios @@ -12,3 +12,4 @@ bridgewithhalfaia.cfg bridgewithpolicyextensionandmapping.cfg realcerts.cfg dsa.cfg +revoc.cfg 
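Review bot: The two `revoke` stanzas in revoc.cfg identify their target only by issuer and serial (`revoke CA1` / `serial 14`, `revoke CA0` / `serial 15`), so a reader has to map the numbers back to EE12 and CA2 by hand, and a later renumbering of the entities would silently revoke a different certificate. The `verify` stanzas already carry a comment each; the same would help here, e.g. `# revoke EE12 (serial 14, issued by CA1)` and `# revoke CA2 (serial 15, issued by CA0)`.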
diff --git a/security/nss/tests/libpkix/certs/BrAirWaysBadSig.cert b/security/nss/tests/libpkix/certs/BrAirWaysBadSig.cert new file mode 100644 index 0000000000000000000000000000000000000000..30d2f18c3de8a537b4f48b5637240b9711eb4834 GIT binary patch literal 1647 zcmaJ>X;2eq7|w1s2_bTs7$b75*drV!-vS|kU`uEO${`RyMMqhZg+!Jt?k0a$qklL4t%n2m_# zaJC7X3?}i0tK2<@plv2wp*;jmvYR!SKk(%NnOr#rpjmV&!=h;f>!9c&Y$k{rbqLKO z=wb$?3eZx9KyenevTO+xt<^dl4ow-y%5bb2GgYjmOK?vmH_IMI! z7&Htuma~N2LRioooU~bR)<)S;lPLu?CB&ogalmh~8;AsY3D zRPkmafwNYca-fM68fv$ovq_4gQ6tWcbgs=_h#EK;&9q>?U@9Nss!$kc8*5{%Xq=69 z;O{XZXgX=ef;*JOM35(u4;hk(0xg`E&2=r}v9QBND%JH)u)kJ=9O#$Nx1@s*S3hB8;x zd`(8&-1({oYZ_N4XI3Ba3 z$|tX+`-iH=^C_ROGVk_-#7z6_T@}dsx*79*X8tVOa#a=oEXH#0%j~<$FV=4BT7B!r zszrknGs*{c`4w-|DA@wj5MfMc6;r>Qtc$o&-$i*huK$i*VgIPU_wFUhhPZuCH=n&z zS1CHQ+M4I8v|f0taZ^n8!Q^9ge`QrCompJo1q&eo)aZl;xry|T=*Cx$z(6n}4qtaf zi6}ZvElbw)K3^DgY4L%8d%@4HW*is*GHyq{9ta|YMGfE`-awI9z)MD!SCt4=JuyO( z$zl)$)M6Lzp^8Kj7*hKDpK!n|p2Z*0104u!z#6nwGkAASX2zT(J4? z5TW5PE)y63Ix-FTkEIksufAZhbhIu50&xzU=X68`lq(cz@g2TpeR@;HoX7L1Ed!DF zuAROM%Esa#2w4KGAb89MP?i7qswgv4GOjFc1TQ-V@PAvtZTL9fm#vMqK+wQG779&3 z@>$lu}zUUPx#QZ3Td95J<$LV0R(xjVO|fPN=KJ6HZ>qjI0T4NtUde zCQ^Ynl&`(4lB5c$@hQtV*%nfmhNl|;@8pyL3FbEUKa>4_Ll{WGEoEua+>-gt%aZzB z+fpw-@~rRN+?sZz-8!^A4xb+McuKyixuWQM#HDLDdA)DtV906-o9TY%Npy3Q|C83W z7y7kr%VSYlNca8FEof}`i{pLoFIVS2|Fb%+$)>$12%i;R86CbX=k!`BaVm7T`Tq8U zZV$SQhx(I0_@js1n^}{Do!XRgY>jSxbY(}yEYoKX&R@>I*&ER^X;W>nD$Ul3ew*BG ztX3aMCH6HPbu4RrFxa_)^mnEn4za3W!|=}QOSWeI#-8Z@yvT3{PixR$dv{L6BJXR) io45O#&h_Z6`@MI6+IGj7-r^J2!_?hYku`$Egns~9Y%28t literal 0 HcmV?d00001 
diff --git a/security/nss/tests/libpkix/certs/PayPalEE.cert b/security/nss/tests/libpkix/certs/PayPalEE.cert index 87cba91c048236f51e2c18fea6ddc75fe0800781..1a8a0859330596e5b06b9f2899f7824077af6898 100644 GIT binary patch delta 798 zcmaFGeSurvpo#U2K@-cC1Qy|T4!qWo2P3jIjM&2!kZJM0f%c zD+3a9bS58QRGBQvWLkey@b(d|Lm8?SKNO>ul(yauy}uwe)IoF`chSa2ZCp+cEy^w` zyO!0e`gB%qSj%-Xvf|S3PpVw}*6EW3Zxvc=+h6l+GZrxP5S`qz)Tm*LP`OCKk6D#d z`z$>~bTXTZR8ra{@_Nl(j~@TX6c-yM-xuGL@m7NSL50&C*VxD3?t8kvWMXDyU|ih9 z_yy?k4+fk-XUYn*Fc~ly$by)BEMhDoEk|l!2Q+#faN2spO?#Khb4SsBZ3AwQG(QUq zGZX8A$wAESlZBZbG&Mkisw|2I@@yR1Y>cd|?97aC784t1LYoI;+Ycue#>wZHXG!M4 zq!@Wvk_-|S#x003h%$&U2%FrFej@r|0XHr50rtXQt=rCFkermlcD=4E548(+qgoIJMe5+P?EL0v*A?+{DPpkZ2tk zzSKtbvJz{=%!W4kw=q389$fy(+Tu3nq}2`4iQi1jPtMBS>|tkjqx+@QwA%U=Cd(t* z^j>V5dHQl9`!uf;YSj&fhYIRm`l|_K>Gd=B%(P;26L~*9=I!g={2d2=-}F7`R^DWr zcFX*|{AI7BAKCttP5s|`$GBu2&uy04j$>xLdnNvH%~5`vuCd`e*WDL76KozwCEc3& zN+jc_m-PHQ3LDs-{4Wvr>3mTVEjQ;=VvxtmU(fr`%{V+&(`UcYj-sBZgqe3&6)y5% z&0KI#ZN|QJH|}nZe6=c+=j$o$@c+g>uU<}8?f3Bi@#Mgd7}4F=S?81pe@{fb-Opo#UFK@-cl1e_u4>H{{)x7P>Q{j-66XmZOnj07z8$dvm zIIn@FfuWJ5k+G?zsb!Qw6Qi7=fB_#Hb0`a|FuSpVp^1^1`D9^6!^y>rN<7>KoFEwv zVJ2tC$txLk1VjvkKmuGM+yRM|1&KM6pE0UP0d;`{xka=>Qj2nn74p**N{dq!5=#^& z&X%6c#bjE)W$LxOW9vggYj>%BR5v(3<=tevw%1Z?ce?-Dvh@Sc7MQ?E3#=zNI&o<<FU@(vcx?GlzMT|w{ZGcbQ0$-^~1+zbh1YWu}H|NpG3kKXEX?_+KW+v7J zlRcRoC$liSnVNtERatZmwAnbc*%(<_*_j#PEG9P2gfg^sER31p1~qtuLn}k%f_kI=F#?@ml5a`2IeM4Mh3&h z&;NL?i+gs?Lq>Sb{l^`j{hbVcfAD5Dms@jVBX>>Y^IhldWbz_~xxy_tcw3Bjf1i7+ z>Eik2^Xd%C;?9S!*tFHfOz?zd?4&dPe|Q|9C$LC0MDP4!dSvP5PNDEj&sEHMM_KpO zd<(1B?yuYx%BiBh?bMGh|8HN6m+@Pri0E8&U3=_^wDp~r{D-6}`n$ewujFEhkJCx0 zbt$*Hoz~X=d8T}1?HZX~`aKK0w@lk{FXaZq1h=NJaQ4|A-Pbm+oF)4I?LOzADc8&^ zUM%OY4`n&DT3qk9&kMoBA(wMzmAE>Yy`0A2nd&poS*qgG!w->iz1AEPu5X;?c`UU~ N&S4tk;=2YxodBwtAX)$b