author | Moonchild <moonchild@palemoon.org> | 2020-12-23 19:02:52 +0000 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2020-12-23 19:02:52 +0000 |
commit | 029bcfe189eae5eebbaf58ccff4e1200dd78b228 (patch) | |
tree | 1c226a334ea1a88e2d1c6f949c9320eb0c3bff59 /security/nss/lib/certdb | |
parent | 149d2ffa779826cb48a381099858e76e4624d471 (diff) | |
Issue #1693 - Update NSS to 3.59.1.1
This updates to MoonchildProductions/NSS@bd49b2b88 in the repo created for our
consumption of the library.
Diffstat (limited to 'security/nss/lib/certdb')
-rw-r--r-- | security/nss/lib/certdb/certdb.c | 49 | ||||
-rw-r--r-- | security/nss/lib/certdb/crl.c | 2 | ||||
-rw-r--r-- | security/nss/lib/certdb/stanpcertdb.c | 17 |
3 files changed, 50 insertions, 18 deletions
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 0796fe5d7..4a713b6d7 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -2908,16 +2908,27 @@ CERT_LockCertTrust(const CERTCertificate *cert)
 PZ_Lock(certTrustLock);
 }
-static PZLock *certTempPermLock = NULL;
+static PZLock *certTempPermCertLock = NULL;
 /*
- * Acquire the cert temp/perm lock
+ * Acquire the cert temp/perm/nssCert lock
 */
 void
 CERT_LockCertTempPerm(const CERTCertificate *cert)
 {
- PORT_Assert(certTempPermLock != NULL);
- PZ_Lock(certTempPermLock);
+ PORT_Assert(certTempPermCertLock != NULL);
+ PZ_Lock(certTempPermCertLock);
+}
+
+/* Maybe[Lock, Unlock] variants are only to be used by
+ * CERT_DestroyCertificate, since an application could
+ * call this after NSS_Shutdown destroys cert locks. */
+void
+CERT_MaybeLockCertTempPerm(const CERTCertificate *cert)
+{
+ if (certTempPermCertLock) {
+ PZ_Lock(certTempPermCertLock);
+ }
 }
 SECStatus
@@ -2941,10 +2952,10 @@ cert_InitLocks(void)
 }
 }
- if (certTempPermLock == NULL) {
- certTempPermLock = PZ_NewLock(nssILockCertDB);
- PORT_Assert(certTempPermLock != NULL);
- if (!certTempPermLock) {
+ if (certTempPermCertLock == NULL) {
+ certTempPermCertLock = PZ_NewLock(nssILockCertDB);
+ PORT_Assert(certTempPermCertLock != NULL);
+ if (!certTempPermCertLock) {
 PZ_DestroyLock(certTrustLock);
 PZ_DestroyLock(certRefCountLock);
 certRefCountLock = NULL;
@@ -2977,10 +2988,10 @@ cert_DestroyLocks(void)
 rv = SECFailure;
 }
- PORT_Assert(certTempPermLock != NULL);
- if (certTempPermLock) {
- PZ_DestroyLock(certTempPermLock);
- certTempPermLock = NULL;
+ PORT_Assert(certTempPermCertLock != NULL);
+ if (certTempPermCertLock) {
+ PZ_DestroyLock(certTempPermCertLock);
+ certTempPermCertLock = NULL;
 } else {
 rv = SECFailure;
 }
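Review bot: The NULL test in `CERT_MaybeLockCertTempPerm` (and in `CERT_MaybeUnlockCertTempPerm`, added in the fourth certdb.c hunk) reads `certTempPermCertLock` with no synchronization, while `cert_DestroyLocks` in the same file destroys the lock and then sets the pointer to NULL. That covers a call made entirely after shutdown, but not one that overlaps it: the lock can be destroyed between the test and `PZ_Lock`, and because each helper re-reads the global independently, the unlock can be skipped for a lock that was actually taken. If the intended contract is that callers never race shutdown, the comment should say so, for example `/* Not safe against a concurrent cert_DestroyLocks(); only covers calls made after shutdown has completed. */`.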
@@ -2999,16 +3010,24 @@ CERT_UnlockCertTrust(const CERTCertificate *cert)
 }
 /*
- * Free the temp/perm lock
+ * Free the temp/perm/nssCert lock
 */
 void
 CERT_UnlockCertTempPerm(const CERTCertificate *cert)
 {
- PORT_Assert(certTempPermLock != NULL);
- PRStatus prstat = PZ_Unlock(certTempPermLock);
+ PORT_Assert(certTempPermCertLock != NULL);
+ PRStatus prstat = PZ_Unlock(certTempPermCertLock);
 PORT_AssertArg(prstat == PR_SUCCESS);
 }
+void
+CERT_MaybeUnlockCertTempPerm(const CERTCertificate *cert)
+{
+ if (certTempPermCertLock) {
+ PZ_Unlock(certTempPermCertLock);
+ }
+}
+
 /*
 * Get the StatusConfig data for this handle
 */
diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c
index 63adcad46..cc5c71f20 100644
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@@ -1405,7 +1405,7 @@ TokenCRLStillExists(CERTSignedCrl* crl)
 if (SECITEM_CompareItem(oldSubject, &subject) != SECEqual) {
 xstatus = PR_FALSE;
 }
- if (CKO_NETSCAPE_CRL != crl_class) {
+ if (CKO_NSS_CRL != crl_class) {
 xstatus = PR_FALSE;
 }
 } else {
diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c
index e2a668bb1..8e1cf279a 100644
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -32,6 +32,9 @@
 #include "dev.h"
 #include "secmodi.h"
+extern void CERT_MaybeLockCertTempPerm(const CERTCertificate *cert);
+extern void CERT_MaybeUnlockCertTempPerm(const CERTCertificate *cert);
+
 PRBool
 SEC_CertNicknameConflict(const char *nickname, const SECItem *derSubject,
 CERTCertDBHandle *handle)
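Review bot: `CERT_MaybeUnlockCertTempPerm` discards the `PRStatus` returned by `PZ_Unlock`, whereas `CERT_UnlockCertTempPerm` directly above captures it and checks it with `PORT_AssertArg(prstat == PR_SUCCESS)`. A failed unlock on this path, for instance on a lock the calling thread does not hold, would therefore pass unnoticed. Keeping the check is a two-line change inside the `if`: `PRStatus prstat = PZ_Unlock(certTempPermCertLock);` followed by `PORT_AssertArg(prstat == PR_SUCCESS);`. The function also has no comment of its own, so the restriction written above `CERT_MaybeLockCertTempPerm` is worth repeating or referencing here.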
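Review bot: The two `extern` prototypes at the top of stanpcertdb.c are written out by hand instead of coming from a header that certdb.c also includes, so the compiler never checks them against the definitions. If either signature changes later, the mismatch will still compile and the call becomes undefined behaviour. Moving both declarations into a private header shared by the two files would keep them checked; failing that, a comment such as `/* Defined in certdb.c; keep in sync. Not public API. */` would at least mark the coupling.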
@@ -311,7 +314,9 @@ __CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
 nssPKIObject_AddInstance(&c->object, permInstance);
 nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
 /* reset the CERTCertificate fields */
+ CERT_LockCertTempPerm(cert);
 cert->nssCertificate = NULL;
+ CERT_UnlockCertTempPerm(cert);
 cert = STAN_GetCERTCertificateOrRelease(c); /* should return same pointer */
 if (!cert) {
 CERT_MapStanError();
@@ -808,9 +813,17 @@ CERT_DestroyCertificate(CERTCertificate *cert)
 /* don't use STAN_GetNSSCertificate because we don't want to
 * go to the trouble of translating the CERTCertificate into
 * an NSSCertificate just to destroy it. If it hasn't been done
- * yet, don't do it at all.
- */
+ * yet, don't do it at all
+ *
+ * cert->nssCertificate contains its own locks and refcount, but as it
+ * may be NULL, the pointer itself must be guarded by some other lock.
+ * Rather than creating a new global lock for only this purpose, share
+ * an existing global lock that happens to be taken near the write in
+ * fill_CERTCertificateFields(). The longer-term goal is to refactor
+ * all these global locks to be certificate-scoped. */
+ CERT_MaybeLockCertTempPerm(cert);
 NSSCertificate *tmp = cert->nssCertificate;
+ CERT_MaybeUnlockCertTempPerm(cert);
 if (tmp) {
 /* delete the NSSCertificate */
 NSSCertificate_Destroy(tmp);
 |
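Review bot: In `__CERT_AddTempCertToPerm` the lock covers only the store `cert->nssCertificate = NULL;`, so the field remains observably NULL from `CERT_UnlockCertTempPerm(cert)` until the following `STAN_GetCERTCertificateOrRelease(c)` call repopulates it (presumably; that write is outside the hunk). A concurrent `CERT_DestroyCertificate` on the same `cert` in that window would read NULL and skip `NSSCertificate_Destroy`, and what its NULL path does lies beyond the visible lines. Widening the critical section is probably not an option if the callee takes the same lock, so I would at least document the assumption, for example `/* nssCertificate is briefly NULL below; callers must hold their own reference and not destroy cert concurrently. */`. The function body starts and ends outside the hunk.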
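Review bot: The new comment in `CERT_DestroyCertificate` justifies guarding the load of `cert->nssCertificate` but leaves the locking rule implicit, and "happens to be taken near the write" does not say that the write itself is made with the lock held. Within this diff only the store in `__CERT_AddTempCertToPerm` is visibly bracketed by the lock; the write in `fill_CERTCertificateFields()` is not shown and should be confirmed. I would state the invariant outright in the comment, for example `* Every read or write of cert->nssCertificate must hold certTempPermCertLock.`, so that a later writer is not added without it. The function body continues past the end of the hunk.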