From e10349ab8dda8a3f11be6aa19f2b6e29fe814044 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Fri, 23 Feb 2018 11:04:39 +0100 Subject: Update NSS to 3.35-RTM --- security/nss/lib/pk11wrap/pk11load.c | 3 +-- security/nss/lib/pk11wrap/pk11merge.c | 6 +++++- security/nss/lib/pk11wrap/pk11obj.c | 39 ++++++++++++++++++++++++++++++++--- security/nss/lib/pk11wrap/pk11pars.c | 3 +-- security/nss/lib/pk11wrap/pk11pbe.c | 19 ++++++++++++++++- security/nss/lib/pk11wrap/pk11pk12.c | 23 +++++---------------- security/nss/lib/pk11wrap/pk11pub.h | 4 ++++ security/nss/lib/pk11wrap/pk11skey.c | 4 ++++ security/nss/lib/pk11wrap/pk11slot.c | 5 ++++- security/nss/lib/pk11wrap/pk11util.c | 9 ++++++++ security/nss/lib/pk11wrap/secmodti.h | 1 + 11 files changed, 88 insertions(+), 28 deletions(-) (limited to 'security/nss/lib/pk11wrap') diff --git a/security/nss/lib/pk11wrap/pk11load.c b/security/nss/lib/pk11wrap/pk11load.c index 91339fad8..d1f6ec442 100644 --- a/security/nss/lib/pk11wrap/pk11load.c +++ b/security/nss/lib/pk11wrap/pk11load.c @@ -64,8 +64,7 @@ secmodUnlockMutext(CK_VOID_PTR mutext) static SECMODModuleID nextModuleID = 1; static const CK_C_INITIALIZE_ARGS secmodLockFunctions = { secmodCreateMutext, secmodDestroyMutext, secmodLockMutext, - secmodUnlockMutext, CKF_LIBRARY_CANT_CREATE_OS_THREADS | - CKF_OS_LOCKING_OK, + secmodUnlockMutext, CKF_LIBRARY_CANT_CREATE_OS_THREADS | CKF_OS_LOCKING_OK, NULL }; static const CK_C_INITIALIZE_ARGS secmodNoLockArgs = { diff --git a/security/nss/lib/pk11wrap/pk11merge.c b/security/nss/lib/pk11wrap/pk11merge.c index 8c4c5129a..b2101b819 100644 --- a/security/nss/lib/pk11wrap/pk11merge.c +++ b/security/nss/lib/pk11wrap/pk11merge.c @@ -68,8 +68,11 @@ pk11_copyAttributes(PLArenaPool *arena, copyTemplate, copyTemplateCount); /* if we have missing attributes, just skip them and create the object */ if (crv == CKR_ATTRIBUTE_TYPE_INVALID) { - int i, j; + CK_ULONG i, j; newTemplate = PORT_NewArray(CK_ATTRIBUTE, copyTemplateCount); + if (!newTemplate) { + return SECFailure; + } /* remove the unknown attributes. If we don't have enough attributes * PK11_CreateNewObject() will fail */ for (i = 0, j = 0; i < copyTemplateCount; i++) { @@ -1258,6 +1261,7 @@ pk11_newMergeLogNode(PLArenaPool *arena, /* initialize it */ obj->slot = slot; obj->objectID = id; + obj->owner = PR_FALSE; newLog->object = obj; newLog->error = error; diff --git a/security/nss/lib/pk11wrap/pk11obj.c b/security/nss/lib/pk11wrap/pk11obj.c index 47c56154d..b97caddd4 100644 --- a/security/nss/lib/pk11wrap/pk11obj.c +++ b/security/nss/lib/pk11wrap/pk11obj.c @@ -201,7 +201,6 @@ PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot, /* make pedantic happy... note that it's only used arena != NULL */ void *mark = NULL; CK_RV crv; - PORT_Assert(slot->session != CK_INVALID_SESSION); if (slot->session == CK_INVALID_SESSION) return CKR_SESSION_HANDLE_INVALID; @@ -1506,6 +1505,7 @@ PK11_FindGenericObjects(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass) /* initialize it */ obj->slot = PK11_ReferenceSlot(slot); obj->objectID = objectIDs[i]; + obj->owner = PR_FALSE; obj->next = NULL; obj->prev = NULL; @@ -1586,6 +1586,9 @@ PK11_DestroyGenericObject(PK11GenericObject *object) PK11_UnlinkGenericObject(object); if (object->slot) { + if (object->owner) { + PK11_DestroyObject(object->slot, object->objectID); + } PK11_FreeSlot(object->slot); } PORT_Free(object); @@ -1627,8 +1630,9 @@ PK11_DestroyGenericObjects(PK11GenericObject *objects) * Hand Create a new object and return the Generic object for our new object. */ PK11GenericObject * -PK11_CreateGenericObject(PK11SlotInfo *slot, const CK_ATTRIBUTE *pTemplate, - int count, PRBool token) +pk11_CreateGenericObjectHelper(PK11SlotInfo *slot, + const CK_ATTRIBUTE *pTemplate, + int count, PRBool token, PRBool owner) { CK_OBJECT_HANDLE objectID; PK11GenericObject *obj; @@ -1652,11 +1656,40 @@ PK11_CreateGenericObject(PK11SlotInfo *slot, const CK_ATTRIBUTE *pTemplate, /* initialize it */ obj->slot = PK11_ReferenceSlot(slot); obj->objectID = objectID; + obj->owner = owner; obj->next = NULL; obj->prev = NULL; return obj; } +/* This is the classic interface. Applications would call this function to + * create new object that would not be destroyed later. This lead to resource + * leaks (and thus memory leaks in the PKCS #11 module). To solve this we have + * a new interface that automatically marks objects created on the fly to be + * destroyed later. + * The old interface is preserved because applications like Mozilla purposefully + * leak the reference to be found later with PK11_FindGenericObjects. New + * applications should use the new interface PK11_CreateManagedGenericObject */ +PK11GenericObject * +PK11_CreateGenericObject(PK11SlotInfo *slot, const CK_ATTRIBUTE *pTemplate, + int count, PRBool token) +{ + return pk11_CreateGenericObjectHelper(slot, pTemplate, count, token, + PR_FALSE); +} + +/* Use this interface. It will automatically destroy any temporary objects + * (token = PR_FALSE) when the PK11GenericObject is freed. Permanent objects still + * need to be destroyed by hand with PK11_DestroyTokenObject. + */ +PK11GenericObject * +PK11_CreateManagedGenericObject(PK11SlotInfo *slot, + const CK_ATTRIBUTE *pTemplate, int count, PRBool token) +{ + return pk11_CreateGenericObjectHelper(slot, pTemplate, count, token, + !token); +} + /* * Change an attribute on a raw object */ diff --git a/security/nss/lib/pk11wrap/pk11pars.c b/security/nss/lib/pk11wrap/pk11pars.c index ee20789cc..fc30222b3 100644 --- a/security/nss/lib/pk11wrap/pk11pars.c +++ b/security/nss/lib/pk11wrap/pk11pars.c @@ -413,8 +413,7 @@ static const policyFlagDef policyFlagList[] = { /* add other signatures in the future */ { CIPHER_NAME("SIGNATURE"), NSS_USE_ALG_IN_CERT_SIGNATURE }, /* enable everything */ - { CIPHER_NAME("ALL"), NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX | - NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("ALL"), NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, { CIPHER_NAME("NONE"), 0 } }; diff --git a/security/nss/lib/pk11wrap/pk11pbe.c b/security/nss/lib/pk11wrap/pk11pbe.c index bea9333f6..5f68f399e 100644 --- a/security/nss/lib/pk11wrap/pk11pbe.c +++ b/security/nss/lib/pk11wrap/pk11pbe.c @@ -367,7 +367,24 @@ sec_pkcs5v2_key_length(SECAlgorithmID *algid, SECAlgorithmID *cipherAlgId) cipherAlg = SECOID_GetAlgorithmTag(cipherAlgId); if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlg)) { - length = sec_pkcs5v2_aes_key_length(cipherAlg); + /* Previously, the PKCS#12 files created with the old NSS + * releases encoded the maximum key size of AES (that is 32) + * in the keyLength field of PBKDF2-params. That resulted in + * always performing AES-256 even if AES-128-CBC or + * AES-192-CBC is specified in the encryptionScheme field of + * PBES2-params. This is wrong, but for compatibility reasons, + * check the keyLength field and use the value if it is 32. + */ + if (p5_param.keyLength.data != NULL) { + length = DER_GetInteger(&p5_param.keyLength); + } + /* If the keyLength field is present and contains a value + * other than 32, that means the file is created outside of + * NSS, which we don't care about. Note that the following + * also handles the case when the field is absent. */ + if (length != 32) { + length = sec_pkcs5v2_aes_key_length(cipherAlg); + } } else if (p5_param.keyLength.data != NULL) { length = DER_GetInteger(&p5_param.keyLength); } else { diff --git a/security/nss/lib/pk11wrap/pk11pk12.c b/security/nss/lib/pk11wrap/pk11pk12.c index d753b87e5..035143af8 100644 --- a/security/nss/lib/pk11wrap/pk11pk12.c +++ b/security/nss/lib/pk11wrap/pk11pk12.c @@ -153,7 +153,6 @@ const SEC_ASN1Template SECKEY_DHPrivateKeyExportTemplate[] = { { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.dh.prime) }, }; -#ifndef NSS_DISABLE_ECC SEC_ASN1_MKSUB(SEC_BitStringTemplate) SEC_ASN1_MKSUB(SEC_ObjectIDTemplate) @@ -178,7 +177,6 @@ const SEC_ASN1Template SECKEY_ECPrivateKeyExportTemplate[] = { SEC_ASN1_SUB(SEC_BitStringTemplate) }, { 0 } }; -#endif /* NSS_DISABLE_ECC */ const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[] = { { SEC_ASN1_SEQUENCE, @@ -346,16 +344,13 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, switch (lpk->keyType) { case rsaKey: keyType = CKK_RSA; - PK11_SETATTRS(attrs, CKA_UNWRAP, (keyUsage & KU_KEY_ENCIPHERMENT) ? &cktrue - : &ckfalse, + PK11_SETATTRS(attrs, CKA_UNWRAP, (keyUsage & KU_KEY_ENCIPHERMENT) ? &cktrue : &ckfalse, sizeof(CK_BBOOL)); attrs++; - PK11_SETATTRS(attrs, CKA_DECRYPT, (keyUsage & KU_DATA_ENCIPHERMENT) ? &cktrue - : &ckfalse, + PK11_SETATTRS(attrs, CKA_DECRYPT, (keyUsage & KU_DATA_ENCIPHERMENT) ? &cktrue : &ckfalse, sizeof(CK_BBOOL)); attrs++; - PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ? &cktrue - : &ckfalse, + PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ? &cktrue : &ckfalse, sizeof(CK_BBOOL)); attrs++; PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, @@ -482,7 +477,6 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, lpk->u.dh.privateValue.len); attrs++; break; -#ifndef NSS_DISABLE_ECC case ecKey: keyType = CKK_EC; if (lpk->u.ec.publicValue.len == 0) { @@ -494,8 +488,7 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, lpk->u.ec.publicValue.len); attrs++; } - PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ? &cktrue - : &ckfalse, + PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ? &cktrue : &ckfalse, sizeof(CK_BBOOL)); attrs++; PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, @@ -503,8 +496,7 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, : &ckfalse, sizeof(CK_BBOOL)); attrs++; - PK11_SETATTRS(attrs, CKA_DERIVE, (keyUsage & KU_KEY_AGREEMENT) ? &cktrue - : &ckfalse, + PK11_SETATTRS(attrs, CKA_DERIVE, (keyUsage & KU_KEY_AGREEMENT) ? &cktrue : &ckfalse, sizeof(CK_BBOOL)); attrs++; ck_id = PK11_MakeIDFromPubKey(&lpk->u.ec.publicValue); @@ -525,7 +517,6 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, lpk->u.ec.publicValue.len); attrs++; break; -#endif /* NSS_DISABLE_ECC */ default: PORT_SetError(SEC_ERROR_BAD_KEY); goto loser; @@ -606,7 +597,6 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, paramDest = NULL; lpk->keyType = dhKey; break; -#ifndef NSS_DISABLE_ECC case SEC_OID_ANSIX962_EC_PUBLIC_KEY: prepare_ec_priv_key_export_for_asn1(lpk); keyTemplate = SECKEY_ECPrivateKeyExportTemplate; @@ -614,7 +604,6 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, paramDest = NULL; lpk->keyType = ecKey; break; -#endif /* NSS_DISABLE_ECC */ default: keyTemplate = NULL; @@ -633,7 +622,6 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, goto loser; } -#ifndef NSS_DISABLE_ECC if (lpk->keyType == ecKey) { /* Convert length in bits to length in bytes. */ lpk->u.ec.publicValue.len >>= 3; @@ -645,7 +633,6 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, goto loser; } } -#endif /* NSS_DISABLE_ECC */ if (paramDest && paramTemplate) { rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate, diff --git a/security/nss/lib/pk11wrap/pk11pub.h b/security/nss/lib/pk11wrap/pk11pub.h index edfe82f5a..dbd8da092 100644 --- a/security/nss/lib/pk11wrap/pk11pub.h +++ b/security/nss/lib/pk11wrap/pk11pub.h @@ -831,6 +831,10 @@ SECStatus PK11_LinkGenericObject(PK11GenericObject *list, PK11GenericObject *object); SECStatus PK11_DestroyGenericObjects(PK11GenericObject *object); SECStatus PK11_DestroyGenericObject(PK11GenericObject *object); +PK11GenericObject *PK11_CreateManagedGenericObject(PK11SlotInfo *slot, + const CK_ATTRIBUTE *pTemplate, + int count, PRBool token); +/* deprecated */ PK11GenericObject *PK11_CreateGenericObject(PK11SlotInfo *slot, const CK_ATTRIBUTE *pTemplate, int count, PRBool token); diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c index 1ef53e1d7..cf2a40a2f 100644 --- a/security/nss/lib/pk11wrap/pk11skey.c +++ b/security/nss/lib/pk11wrap/pk11skey.c @@ -182,6 +182,10 @@ PK11_FreeSymKey(PK11SymKey *symKey) PK11SlotInfo *slot; PRBool freeit = PR_TRUE; + if (!symKey) { + return; + } + if (PR_ATOMIC_DECREMENT(&symKey->refCount) == 0) { PK11SymKey *parent = symKey->parent; diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c index 0a6ed6c08..c39abe17e 100644 --- a/security/nss/lib/pk11wrap/pk11slot.c +++ b/security/nss/lib/pk11wrap/pk11slot.c @@ -1182,7 +1182,7 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts) /* set the slot flags to the current token values */ slot->series++; /* allow other objects to detect that the - * slot is different */ + * slot is different */ slot->flags = slot->tokenInfo.flags; slot->needLogin = ((slot->tokenInfo.flags & CKF_LOGIN_REQUIRED) ? PR_TRUE : PR_FALSE); slot->readOnly = ((slot->tokenInfo.flags & CKF_WRITE_PROTECTED) ? PR_TRUE : PR_FALSE); @@ -1471,6 +1471,9 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot) slot->hasRootCerts = PR_TRUE; } } + if ((slotInfo.flags & CKF_USER_PIN_INITIALIZED) != 0) { + slot->flags |= CKF_USER_PIN_INITIALIZED; + } } /********************************************************************* diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c index a962e9bb3..e316f1f1a 100644 --- a/security/nss/lib/pk11wrap/pk11util.c +++ b/security/nss/lib/pk11wrap/pk11util.c @@ -437,6 +437,11 @@ SECMOD_DeleteInternalModule(const char *name) return rv; } +#ifdef NSS_FIPS_DISABLED + PORT_SetError(PR_OPERATION_NOT_SUPPORTED_ERROR); + return rv; +#endif + SECMOD_GetWriteLock(moduleLock); for (mlpp = &modules, mlp = modules; mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) { @@ -955,7 +960,11 @@ SECMOD_DestroyModuleList(SECMODModuleList *list) PRBool SECMOD_CanDeleteInternalModule(void) { +#ifdef NSS_FIPS_DISABLED + return PR_FALSE; +#else return (PRBool)(pendingModule == NULL); +#endif } /* diff --git a/security/nss/lib/pk11wrap/secmodti.h b/security/nss/lib/pk11wrap/secmodti.h index 63c207929..260e6387d 100644 --- a/security/nss/lib/pk11wrap/secmodti.h +++ b/security/nss/lib/pk11wrap/secmodti.h @@ -175,6 +175,7 @@ struct PK11GenericObjectStr { PK11GenericObject *next; PK11SlotInfo *slot; CK_OBJECT_HANDLE objectID; + PRBool owner; }; #define MAX_TEMPL_ATTRS 16 /* maximum attributes in template */ -- cgit v1.2.3