authorwolfbeast <mcwerewolf@gmail.com>2018-04-25 21:33:33 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-04-25 21:33:33 +0200
commitfba28f19754f62b5227650143d5441fc86d4c7d7 (patch)
tree26629d73f83543ff92a060fd7b310bb748b13173 /security/nss/lib/pk11wrap
parentb4154e043bfc0d2f301d88304efc896989d650bf (diff)
Revert "Update NSS to 3.35-RTM"
This reverts commit f1a0f0a56fdd0fc39f255174ce08c06b91c66c94.
Diffstat (limited to 'security/nss/lib/pk11wrap')
-rw-r--r--security/nss/lib/pk11wrap/pk11load.c3
-rw-r--r--security/nss/lib/pk11wrap/pk11merge.c6
-rw-r--r--security/nss/lib/pk11wrap/pk11obj.c39
-rw-r--r--security/nss/lib/pk11wrap/pk11pars.c3
-rw-r--r--security/nss/lib/pk11wrap/pk11pbe.c19
-rw-r--r--security/nss/lib/pk11wrap/pk11pk12.c23
-rw-r--r--security/nss/lib/pk11wrap/pk11pub.h4
-rw-r--r--security/nss/lib/pk11wrap/pk11skey.c4
-rw-r--r--security/nss/lib/pk11wrap/pk11slot.c5
-rw-r--r--security/nss/lib/pk11wrap/pk11util.c9
-rw-r--r--security/nss/lib/pk11wrap/secmodti.h1
11 files changed, 28 insertions, 88 deletions
diff --git a/security/nss/lib/pk11wrap/pk11load.c b/security/nss/lib/pk11wrap/pk11load.c
index d1f6ec442..91339fad8 100644
--- a/security/nss/lib/pk11wrap/pk11load.c
+++ b/security/nss/lib/pk11wrap/pk11load.c
@@ -64,7 +64,8 @@ secmodUnlockMutext(CK_VOID_PTR mutext)
static SECMODModuleID nextModuleID = 1;
static const CK_C_INITIALIZE_ARGS secmodLockFunctions = {
secmodCreateMutext, secmodDestroyMutext, secmodLockMutext,
- secmodUnlockMutext, CKF_LIBRARY_CANT_CREATE_OS_THREADS | CKF_OS_LOCKING_OK,
+ secmodUnlockMutext, CKF_LIBRARY_CANT_CREATE_OS_THREADS |
+ CKF_OS_LOCKING_OK,
NULL
};
static const CK_C_INITIALIZE_ARGS secmodNoLockArgs = {
diff --git a/security/nss/lib/pk11wrap/pk11merge.c b/security/nss/lib/pk11wrap/pk11merge.c
index b2101b819..8c4c5129a 100644
--- a/security/nss/lib/pk11wrap/pk11merge.c
+++ b/security/nss/lib/pk11wrap/pk11merge.c
@@ -68,11 +68,8 @@ pk11_copyAttributes(PLArenaPool *arena,
copyTemplate, copyTemplateCount);
/* if we have missing attributes, just skip them and create the object */
if (crv == CKR_ATTRIBUTE_TYPE_INVALID) {
- CK_ULONG i, j;
+ int i, j;
newTemplate = PORT_NewArray(CK_ATTRIBUTE, copyTemplateCount);
- if (!newTemplate) {
- return SECFailure;
- }
/* remove the unknown attributes. If we don't have enough attributes
* PK11_CreateNewObject() will fail */
for (i = 0, j = 0; i < copyTemplateCount; i++) {
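Review bot: `newTemplate` is used without a NULL check after `PORT_NewArray` in the `CKR_ATTRIBUTE_TYPE_INVALID` branch of pk11_copyAttributes, so an allocation failure makes the loop below write through a null pointer; the guard this revert drops, `if (!newTemplate) { return SECFailure; }`, should stay. The counters also become `int i, j` and are compared with `copyTemplateCount`, which is presumably a `CK_ULONG` (its declaration is outside the hunk), so keeping the unsigned type avoids a signed/unsigned comparison. The same kind of guard is lost in the pk11skey.c hunk, where PK11_FreeSymKey now reads `symKey->refCount` with no `if (!symKey) return;` in front, so a caller that passes NULL on a cleanup path would crash. The loop body continues outside this hunk.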
@@ -1261,7 +1258,6 @@ pk11_newMergeLogNode(PLArenaPool *arena,
/* initialize it */
obj->slot = slot;
obj->objectID = id;
- obj->owner = PR_FALSE;
newLog->object = obj;
newLog->error = error;
diff --git a/security/nss/lib/pk11wrap/pk11obj.c b/security/nss/lib/pk11wrap/pk11obj.c
index b97caddd4..47c56154d 100644
--- a/security/nss/lib/pk11wrap/pk11obj.c
+++ b/security/nss/lib/pk11wrap/pk11obj.c
@@ -201,6 +201,7 @@ PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot,
/* make pedantic happy... note that it's only used arena != NULL */
void *mark = NULL;
CK_RV crv;
+ PORT_Assert(slot->session != CK_INVALID_SESSION);
if (slot->session == CK_INVALID_SESSION)
return CKR_SESSION_HANDLE_INVALID;
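Review bot: The added `PORT_Assert(slot->session != CK_INVALID_SESSION);` sits directly in front of an `if` that handles the same condition by returning `CKR_SESSION_HANDLE_INVALID`, so debug and release builds now differ on an invalid session: the assertion stops a debug build, while a build with assertions compiled out returns the error. If an invalid session is a state callers can legitimately reach, the assert should go. If it is a programming error, a comment such as `/* callers must pass a slot with a valid session; the check below only hardens release builds */` would record that. The body of PK11_GetAttributes continues outside the hunk.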
@@ -1505,7 +1506,6 @@ PK11_FindGenericObjects(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass)
/* initialize it */
obj->slot = PK11_ReferenceSlot(slot);
obj->objectID = objectIDs[i];
- obj->owner = PR_FALSE;
obj->next = NULL;
obj->prev = NULL;
@@ -1586,9 +1586,6 @@ PK11_DestroyGenericObject(PK11GenericObject *object)
PK11_UnlinkGenericObject(object);
if (object->slot) {
- if (object->owner) {
- PK11_DestroyObject(object->slot, object->objectID);
- }
PK11_FreeSlot(object->slot);
}
PORT_Free(object);
@@ -1630,9 +1627,8 @@ PK11_DestroyGenericObjects(PK11GenericObject *objects)
* Hand Create a new object and return the Generic object for our new object.
*/
PK11GenericObject *
-pk11_CreateGenericObjectHelper(PK11SlotInfo *slot,
- const CK_ATTRIBUTE *pTemplate,
- int count, PRBool token, PRBool owner)
+PK11_CreateGenericObject(PK11SlotInfo *slot, const CK_ATTRIBUTE *pTemplate,
+ int count, PRBool token)
{
CK_OBJECT_HANDLE objectID;
PK11GenericObject *obj;
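Review bot: The header comment above `PK11_CreateGenericObject` does not tell callers who destroys the PKCS #11 object. With the `owner` flag gone, PK11_DestroyGenericObject (previous hunk) only unlinks the wrapper, releases the slot reference and frees the memory, which is the resource leak the comment removed in the next hunk describes. I would extend the comment with something like `/* NOTE: PK11_DestroyGenericObject() frees only this wrapper; the PKCS #11 object itself is left in place and must be destroyed separately. */`. The revert also drops the public `PK11_CreateManagedGenericObject` declaration from pk11pub.h, so any caller or export-list entry elsewhere in the tree (not visible here) has to go with it. The function body continues outside this hunk.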
@@ -1656,40 +1652,11 @@ pk11_CreateGenericObjectHelper(PK11SlotInfo *slot,
/* initialize it */
obj->slot = PK11_ReferenceSlot(slot);
obj->objectID = objectID;
- obj->owner = owner;
obj->next = NULL;
obj->prev = NULL;
return obj;
}
-/* This is the classic interface. Applications would call this function to
- * create new object that would not be destroyed later. This lead to resource
- * leaks (and thus memory leaks in the PKCS #11 module). To solve this we have
- * a new interface that automatically marks objects created on the fly to be
- * destroyed later.
- * The old interface is preserved because applications like Mozilla purposefully
- * leak the reference to be found later with PK11_FindGenericObjects. New
- * applications should use the new interface PK11_CreateManagedGenericObject */
-PK11GenericObject *
-PK11_CreateGenericObject(PK11SlotInfo *slot, const CK_ATTRIBUTE *pTemplate,
- int count, PRBool token)
-{
- return pk11_CreateGenericObjectHelper(slot, pTemplate, count, token,
- PR_FALSE);
-}
-
-/* Use this interface. It will automatically destroy any temporary objects
- * (token = PR_FALSE) when the PK11GenericObject is freed. Permanent objects still
- * need to be destroyed by hand with PK11_DestroyTokenObject.
- */
-PK11GenericObject *
-PK11_CreateManagedGenericObject(PK11SlotInfo *slot,
- const CK_ATTRIBUTE *pTemplate, int count, PRBool token)
-{
- return pk11_CreateGenericObjectHelper(slot, pTemplate, count, token,
- !token);
-}
-
/*
* Change an attribute on a raw object
*/
diff --git a/security/nss/lib/pk11wrap/pk11pars.c b/security/nss/lib/pk11wrap/pk11pars.c
index fc30222b3..ee20789cc 100644
--- a/security/nss/lib/pk11wrap/pk11pars.c
+++ b/security/nss/lib/pk11wrap/pk11pars.c
@@ -413,7 +413,8 @@ static const policyFlagDef policyFlagList[] = {
/* add other signatures in the future */
{ CIPHER_NAME("SIGNATURE"), NSS_USE_ALG_IN_CERT_SIGNATURE },
/* enable everything */
- { CIPHER_NAME("ALL"), NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+ { CIPHER_NAME("ALL"), NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX |
+ NSS_USE_ALG_IN_CERT_SIGNATURE },
{ CIPHER_NAME("NONE"), 0 }
};
diff --git a/security/nss/lib/pk11wrap/pk11pbe.c b/security/nss/lib/pk11wrap/pk11pbe.c
index 5f68f399e..bea9333f6 100644
--- a/security/nss/lib/pk11wrap/pk11pbe.c
+++ b/security/nss/lib/pk11wrap/pk11pbe.c
@@ -367,24 +367,7 @@ sec_pkcs5v2_key_length(SECAlgorithmID *algid, SECAlgorithmID *cipherAlgId)
cipherAlg = SECOID_GetAlgorithmTag(cipherAlgId);
if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlg)) {
- /* Previously, the PKCS#12 files created with the old NSS
- * releases encoded the maximum key size of AES (that is 32)
- * in the keyLength field of PBKDF2-params. That resulted in
- * always performing AES-256 even if AES-128-CBC or
- * AES-192-CBC is specified in the encryptionScheme field of
- * PBES2-params. This is wrong, but for compatibility reasons,
- * check the keyLength field and use the value if it is 32.
- */
- if (p5_param.keyLength.data != NULL) {
- length = DER_GetInteger(&p5_param.keyLength);
- }
- /* If the keyLength field is present and contains a value
- * other than 32, that means the file is created outside of
- * NSS, which we don't care about. Note that the following
- * also handles the case when the field is absent. */
- if (length != 32) {
- length = sec_pkcs5v2_aes_key_length(cipherAlg);
- }
+ length = sec_pkcs5v2_aes_key_length(cipherAlg);
} else if (p5_param.keyLength.data != NULL) {
length = DER_GetInteger(&p5_param.keyLength);
} else {
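Review bot: The AES branch of sec_pkcs5v2_key_length now ignores `p5_param.keyLength` altogether: `length = sec_pkcs5v2_aes_key_length(cipherAlg);` is used even when the PBKDF2 parameters carry a different value. The removed comment says PKCS #12 files written by older NSS releases encode 32 there and were in effect encrypted with AES-256 regardless of the declared cipher, so such files will presumably fail to decrypt once this branch derives a 16- or 24-byte key. If that is accepted, a comment on the new line should say that keyLength is deliberately not consulted for AES; otherwise keep the compatibility read, or fail with an explicit error when the field is present and disagrees with the cipher's key size. The function continues outside the hunk.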
diff --git a/security/nss/lib/pk11wrap/pk11pk12.c b/security/nss/lib/pk11wrap/pk11pk12.c
index 035143af8..d753b87e5 100644
--- a/security/nss/lib/pk11wrap/pk11pk12.c
+++ b/security/nss/lib/pk11wrap/pk11pk12.c
@@ -153,6 +153,7 @@ const SEC_ASN1Template SECKEY_DHPrivateKeyExportTemplate[] = {
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.dh.prime) },
};
+#ifndef NSS_DISABLE_ECC
SEC_ASN1_MKSUB(SEC_BitStringTemplate)
SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
@@ -177,6 +178,7 @@ const SEC_ASN1Template SECKEY_ECPrivateKeyExportTemplate[] = {
SEC_ASN1_SUB(SEC_BitStringTemplate) },
{ 0 }
};
+#endif /* NSS_DISABLE_ECC */
const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[] = {
{ SEC_ASN1_SEQUENCE,
@@ -344,13 +346,16 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk,
switch (lpk->keyType) {
case rsaKey:
keyType = CKK_RSA;
- PK11_SETATTRS(attrs, CKA_UNWRAP, (keyUsage & KU_KEY_ENCIPHERMENT) ? &cktrue : &ckfalse,
+ PK11_SETATTRS(attrs, CKA_UNWRAP, (keyUsage & KU_KEY_ENCIPHERMENT) ? &cktrue
+ : &ckfalse,
sizeof(CK_BBOOL));
attrs++;
- PK11_SETATTRS(attrs, CKA_DECRYPT, (keyUsage & KU_DATA_ENCIPHERMENT) ? &cktrue : &ckfalse,
+ PK11_SETATTRS(attrs, CKA_DECRYPT, (keyUsage & KU_DATA_ENCIPHERMENT) ? &cktrue
+ : &ckfalse,
sizeof(CK_BBOOL));
attrs++;
- PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ? &cktrue : &ckfalse,
+ PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ? &cktrue
+ : &ckfalse,
sizeof(CK_BBOOL));
attrs++;
PK11_SETATTRS(attrs, CKA_SIGN_RECOVER,
@@ -477,6 +482,7 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk,
lpk->u.dh.privateValue.len);
attrs++;
break;
+#ifndef NSS_DISABLE_ECC
case ecKey:
keyType = CKK_EC;
if (lpk->u.ec.publicValue.len == 0) {
@@ -488,7 +494,8 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk,
lpk->u.ec.publicValue.len);
attrs++;
}
- PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ? &cktrue : &ckfalse,
+ PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ? &cktrue
+ : &ckfalse,
sizeof(CK_BBOOL));
attrs++;
PK11_SETATTRS(attrs, CKA_SIGN_RECOVER,
@@ -496,7 +503,8 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk,
: &ckfalse,
sizeof(CK_BBOOL));
attrs++;
- PK11_SETATTRS(attrs, CKA_DERIVE, (keyUsage & KU_KEY_AGREEMENT) ? &cktrue : &ckfalse,
+ PK11_SETATTRS(attrs, CKA_DERIVE, (keyUsage & KU_KEY_AGREEMENT) ? &cktrue
+ : &ckfalse,
sizeof(CK_BBOOL));
attrs++;
ck_id = PK11_MakeIDFromPubKey(&lpk->u.ec.publicValue);
@@ -517,6 +525,7 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk,
lpk->u.ec.publicValue.len);
attrs++;
break;
+#endif /* NSS_DISABLE_ECC */
default:
PORT_SetError(SEC_ERROR_BAD_KEY);
goto loser;
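Review bot: With `#endif /* NSS_DISABLE_ECC */` closing right above `default:`, an `ecKey` in a build that defines NSS_DISABLE_ECC falls into the default arm of PK11_ImportAndReturnPrivateKey and is reported as `SEC_ERROR_BAD_KEY`, the same error a malformed key gets. A comment on that arm, e.g. `/* also reached for ecKey when built with NSS_DISABLE_ECC */`, would show that this is intended; the `default:` arm after `case SEC_OID_ANSIX962_EC_PUBLIC_KEY:` in PK11_ImportPrivateKeyInfoAndReturnKey has the same shape. The closing markers would read more accurately as `#endif /* !NSS_DISABLE_ECC */`, since they end an `#ifndef`. The switch starts outside this hunk.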
@@ -597,6 +606,7 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
paramDest = NULL;
lpk->keyType = dhKey;
break;
+#ifndef NSS_DISABLE_ECC
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
prepare_ec_priv_key_export_for_asn1(lpk);
keyTemplate = SECKEY_ECPrivateKeyExportTemplate;
@@ -604,6 +614,7 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
paramDest = NULL;
lpk->keyType = ecKey;
break;
+#endif /* NSS_DISABLE_ECC */
default:
keyTemplate = NULL;
@@ -622,6 +633,7 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
goto loser;
}
+#ifndef NSS_DISABLE_ECC
if (lpk->keyType == ecKey) {
/* Convert length in bits to length in bytes. */
lpk->u.ec.publicValue.len >>= 3;
@@ -633,6 +645,7 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
goto loser;
}
}
+#endif /* NSS_DISABLE_ECC */
if (paramDest && paramTemplate) {
rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate,
diff --git a/security/nss/lib/pk11wrap/pk11pub.h b/security/nss/lib/pk11wrap/pk11pub.h
index dbd8da092..edfe82f5a 100644
--- a/security/nss/lib/pk11wrap/pk11pub.h
+++ b/security/nss/lib/pk11wrap/pk11pub.h
@@ -831,10 +831,6 @@ SECStatus PK11_LinkGenericObject(PK11GenericObject *list,
PK11GenericObject *object);
SECStatus PK11_DestroyGenericObjects(PK11GenericObject *object);
SECStatus PK11_DestroyGenericObject(PK11GenericObject *object);
-PK11GenericObject *PK11_CreateManagedGenericObject(PK11SlotInfo *slot,
- const CK_ATTRIBUTE *pTemplate,
- int count, PRBool token);
-/* deprecated */
PK11GenericObject *PK11_CreateGenericObject(PK11SlotInfo *slot,
const CK_ATTRIBUTE *pTemplate,
int count, PRBool token);
diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c
index cf2a40a2f..1ef53e1d7 100644
--- a/security/nss/lib/pk11wrap/pk11skey.c
+++ b/security/nss/lib/pk11wrap/pk11skey.c
@@ -182,10 +182,6 @@ PK11_FreeSymKey(PK11SymKey *symKey)
PK11SlotInfo *slot;
PRBool freeit = PR_TRUE;
- if (!symKey) {
- return;
- }
-
if (PR_ATOMIC_DECREMENT(&symKey->refCount) == 0) {
PK11SymKey *parent = symKey->parent;
diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c
index c39abe17e..0a6ed6c08 100644
--- a/security/nss/lib/pk11wrap/pk11slot.c
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -1182,7 +1182,7 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts)
/* set the slot flags to the current token values */
slot->series++; /* allow other objects to detect that the
- * slot is different */
+ * slot is different */
slot->flags = slot->tokenInfo.flags;
slot->needLogin = ((slot->tokenInfo.flags & CKF_LOGIN_REQUIRED) ? PR_TRUE : PR_FALSE);
slot->readOnly = ((slot->tokenInfo.flags & CKF_WRITE_PROTECTED) ? PR_TRUE : PR_FALSE);
@@ -1471,9 +1471,6 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot)
slot->hasRootCerts = PR_TRUE;
}
}
- if ((slotInfo.flags & CKF_USER_PIN_INITIALIZED) != 0) {
- slot->flags |= CKF_USER_PIN_INITIALIZED;
- }
}
/*********************************************************************
diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c
index e316f1f1a..a962e9bb3 100644
--- a/security/nss/lib/pk11wrap/pk11util.c
+++ b/security/nss/lib/pk11wrap/pk11util.c
@@ -437,11 +437,6 @@ SECMOD_DeleteInternalModule(const char *name)
return rv;
}
-#ifdef NSS_FIPS_DISABLED
- PORT_SetError(PR_OPERATION_NOT_SUPPORTED_ERROR);
- return rv;
-#endif
-
SECMOD_GetWriteLock(moduleLock);
for (mlpp = &modules, mlp = modules;
mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
@@ -960,11 +955,7 @@ SECMOD_DestroyModuleList(SECMODModuleList *list)
PRBool
SECMOD_CanDeleteInternalModule(void)
{
-#ifdef NSS_FIPS_DISABLED
- return PR_FALSE;
-#else
return (PRBool)(pendingModule == NULL);
-#endif
}
/*
diff --git a/security/nss/lib/pk11wrap/secmodti.h b/security/nss/lib/pk11wrap/secmodti.h
index 260e6387d..63c207929 100644
--- a/security/nss/lib/pk11wrap/secmodti.h
+++ b/security/nss/lib/pk11wrap/secmodti.h
@@ -175,7 +175,6 @@ struct PK11GenericObjectStr {
PK11GenericObject *next;
PK11SlotInfo *slot;
CK_OBJECT_HANDLE objectID;
- PRBool owner;
};
#define MAX_TEMPL_ATTRS 16 /* maximum attributes in template */