From f017b749ea9f1586d2308504553d40bf4cc5439d Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Tue, 6 Feb 2018 11:46:26 +0100 Subject: Update NSS to 3.32.1-RTM --- security/nss/lib/certdb/alg1485.c | 21 +++++++---- security/nss/lib/certdb/cert.h | 21 ++++------- security/nss/lib/certdb/certdb.c | 56 ++++++++++++++++++++++++++--- security/nss/lib/certdb/certi.h | 23 ++++++++++++ security/nss/lib/certdb/certv3.c | 2 +- security/nss/lib/certdb/secname.c | 18 +++------- security/nss/lib/certdb/stanpcertdb.c | 67 +++++++++++++++++++++++++---------- 7 files changed, 150 insertions(+), 58 deletions(-) (limited to 'security/nss/lib/certdb') diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c index b6736c462..38b2fe4b5 100644 --- a/security/nss/lib/certdb/alg1485.c +++ b/security/nss/lib/certdb/alg1485.c @@ -341,13 +341,16 @@ hexToBin(PLArenaPool* pool, SECItem* destItem, const char* src, int len) goto loser; } len >>= 1; - if (!SECITEM_AllocItem(pool, destItem, len)) + if (!SECITEM_AllocItem(pool, destItem, len)) { goto loser; + } dest = destItem->data; for (; len > 0; len--, src += 2) { - PRInt16 bin = (x2b[(PRUint8)src[0]] << 4) | x2b[(PRUint8)src[1]]; - if (bin < 0) + PRUint16 bin = ((PRUint16)x2b[(PRUint8)src[0]] << 4); + bin |= (PRUint16)x2b[(PRUint8)src[1]]; + if (bin >> 15) { /* is negative */ goto loser; + } *dest++ = (PRUint8)bin; } return SECSuccess; @@ -372,6 +375,7 @@ ParseRFC1485AVA(PLArenaPool* arena, const char** pbp, const char* endptr) const char* bp; int vt = -1; int valLen; + PRBool isDottedOid = PR_FALSE; SECOidTag kind = SEC_OID_UNKNOWN; SECStatus rv = SECFailure; SECItem derOid = { 0, NULL, 0 }; @@ -398,8 +402,9 @@ ParseRFC1485AVA(PLArenaPool* arena, const char** pbp, const char* endptr) } /* is this a dotted decimal OID attribute type ? */ - if (!PL_strncasecmp("oid.", tagBuf, 4)) { + if (!PL_strncasecmp("oid.", tagBuf, 4) || isdigit(tagBuf[0])) { rv = SEC_StringToOID(arena, &derOid, tagBuf, strlen(tagBuf)); + isDottedOid = (PRBool)(rv == SECSuccess); } else { for (n2k = name2kinds; n2k->name; n2k++) { SECOidData* oidrec; @@ -425,8 +430,6 @@ ParseRFC1485AVA(PLArenaPool* arena, const char** pbp, const char* endptr) goto loser; a = CERT_CreateAVAFromRaw(arena, &derOid, &derVal); } else { - if (kind == SEC_OID_UNKNOWN) - goto loser; if (kind == SEC_OID_AVA_COUNTRY_NAME && valLen != 2) goto loser; if (vt == SEC_ASN1_PRINTABLE_STRING && @@ -442,7 +445,11 @@ ParseRFC1485AVA(PLArenaPool* arena, const char** pbp, const char* endptr) derVal.data = (unsigned char*)valBuf; derVal.len = valLen; - a = CERT_CreateAVAFromSECItem(arena, kind, vt, &derVal); + if (kind == SEC_OID_UNKNOWN && isDottedOid) { + a = CERT_CreateAVAFromRaw(arena, &derOid, &derVal); + } else { + a = CERT_CreateAVAFromSECItem(arena, kind, vt, &derVal); + } } return a; diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h index e0af65ab0..4224da108 100644 --- a/security/nss/lib/certdb/cert.h +++ b/security/nss/lib/certdb/cert.h @@ -1405,23 +1405,10 @@ void CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *config); void CERT_LockCertRefCount(CERTCertificate *cert); /* - * Free the cert reference count lock + * Release the cert reference count lock */ void CERT_UnlockCertRefCount(CERTCertificate *cert); -/* - * Acquire the cert trust lock - * There is currently one global lock for all certs, but I'm putting a cert - * arg here so that it will be easy to make it per-cert in the future if - * that turns out to be necessary. - */ -void CERT_LockCertTrust(const CERTCertificate *cert); - -/* - * Free the cert trust lock - */ -void CERT_UnlockCertTrust(const CERTCertificate *cert); - /* * Digest the cert's subject public key using the specified algorithm. * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding @@ -1579,6 +1566,12 @@ extern CERTRevocationFlags *CERT_AllocCERTRevocationFlags( */ extern void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags); +/* + * Get istemp and isperm fields from a cert in a thread safe way. + */ +extern SECStatus CERT_GetCertIsTemp(const CERTCertificate *cert, PRBool *istemp); +extern SECStatus CERT_GetCertIsPerm(const CERTCertificate *cert, PRBool *isperm); + SEC_END_PROTOS #endif /* _CERT_H_ */ diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c index d37334d73..7864edc08 100644 --- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -2559,9 +2559,9 @@ CERT_AddCertToListHeadWithData(CERTCertList *certs, CERTCertificate *cert, CERTCertListNode *head; head = CERT_LIST_HEAD(certs); - - if (head == NULL) - return CERT_AddCertToListTail(certs, cert); + if (head == NULL) { + goto loser; + } node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena, sizeof(CERTCertListNode)); @@ -2865,7 +2865,18 @@ CERT_LockCertTrust(const CERTCertificate *cert) { PORT_Assert(certTrustLock != NULL); PZ_Lock(certTrustLock); - return; +} + +static PZLock *certTempPermLock = NULL; + +/* + * Acquire the cert temp/perm lock + */ +void +CERT_LockCertTempPerm(const CERTCertificate *cert) +{ + PORT_Assert(certTempPermLock != NULL); + PZ_Lock(certTempPermLock); } SECStatus @@ -2889,6 +2900,18 @@ cert_InitLocks(void) } } + if (certTempPermLock == NULL) { + certTempPermLock = PZ_NewLock(nssILockCertDB); + PORT_Assert(certTempPermLock != NULL); + if (!certTempPermLock) { + PZ_DestroyLock(certTrustLock); + PZ_DestroyLock(certRefCountLock); + certRefCountLock = NULL; + certTrustLock = NULL; + return SECFailure; + } + } + return SECSuccess; } @@ -2912,6 +2935,14 @@ cert_DestroyLocks(void) } else { rv = SECFailure; } + + PORT_Assert(certTempPermLock != NULL); + if (certTempPermLock) { + PZ_DestroyLock(certTempPermLock); + certTempPermLock = NULL; + } else { + rv = SECFailure; + } return rv; } @@ -2933,6 +2964,23 @@ CERT_UnlockCertTrust(const CERTCertificate *cert) #endif } +/* + * Free the temp/perm lock + */ +void +CERT_UnlockCertTempPerm(const CERTCertificate *cert) +{ + PORT_Assert(certTempPermLock != NULL); +#ifdef DEBUG + { + PRStatus prstat = PZ_Unlock(certTempPermLock); + PORT_Assert(prstat == PR_SUCCESS); + } +#else + (void)PZ_Unlock(certTempPermLock); +#endif +} + /* * Get the StatusConfig data for this handle */ diff --git a/security/nss/lib/certdb/certi.h b/security/nss/lib/certdb/certi.h index 1cdf4b8fa..456f2fc4e 100644 --- a/security/nss/lib/certdb/certi.h +++ b/security/nss/lib/certdb/certi.h @@ -378,4 +378,27 @@ PRUint32 cert_CountDNSPatterns(CERTGeneralName* firstName); SECStatus cert_CheckLeafTrust(CERTCertificate* cert, SECCertUsage usage, unsigned int* failedFlags, PRBool* isTrusted); +/* + * Acquire the cert temp/perm lock + */ +void CERT_LockCertTempPerm(const CERTCertificate* cert); + +/* + * Release the temp/perm lock + */ +void CERT_UnlockCertTempPerm(const CERTCertificate* cert); + +/* + * Acquire the cert trust lock + * There is currently one global lock for all certs, but I'm putting a cert + * arg here so that it will be easy to make it per-cert in the future if + * that turns out to be necessary. + */ +void CERT_LockCertTrust(const CERTCertificate* cert); + +/* + * Release the cert trust lock + */ +void CERT_UnlockCertTrust(const CERTCertificate* cert); + #endif /* _CERTI_H_ */ diff --git a/security/nss/lib/certdb/certv3.c b/security/nss/lib/certdb/certv3.c index bf0bcf96c..d27fc1ba0 100644 --- a/security/nss/lib/certdb/certv3.c +++ b/security/nss/lib/certdb/certv3.c @@ -213,7 +213,7 @@ CERT_CheckCertUsage(CERTCertificate *cert, unsigned char usage) if (rv == SECFailure) { rv = (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) ? SECSuccess : SECFailure; - } else if (!(keyUsage.data[0] & usage)) { + } else if (!keyUsage.data || !(keyUsage.data[0] & usage)) { PORT_SetError(SEC_ERROR_CERT_USAGES_INVALID); rv = SECFailure; } diff --git a/security/nss/lib/certdb/secname.c b/security/nss/lib/certdb/secname.c index 6d3e9d372..654dfdf3f 100644 --- a/security/nss/lib/certdb/secname.c +++ b/security/nss/lib/certdb/secname.c @@ -568,8 +568,8 @@ CERT_CompareRDN(const CERTRDN *a, const CERTRDN *b) SECComparison CERT_CompareName(const CERTName *a, const CERTName *b) { - CERTRDN **ardns, *ardn; - CERTRDN **brdns, *brdn; + CERTRDN **ardns; + CERTRDN **brdns; int ac, bc; SECComparison rv = SECEqual; @@ -587,18 +587,8 @@ CERT_CompareName(const CERTName *a, const CERTName *b) if (ac > bc) return SECGreaterThan; - for (;;) { - if (!ardns++ || !brdns++) { - break; - } - ardn = *ardns; - brdn = *brdns; - if (!ardn) { - break; - } - rv = CERT_CompareRDN(ardn, brdn); - if (rv) - return rv; + while (rv == SECEqual && *ardns) { + rv = CERT_CompareRDN(*ardns++, *brdns++); } return rv; } diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c index 2b1aa97cd..4d42bd50d 100644 --- a/security/nss/lib/certdb/stanpcertdb.c +++ b/security/nss/lib/certdb/stanpcertdb.c @@ -91,7 +91,7 @@ CERT_GetCertTrust(const CERTCertificate *cert, CERTCertTrust *trust) { SECStatus rv; CERT_LockCertTrust(cert); - if (cert->trust == NULL) { + if (!cert || cert->trust == NULL) { rv = SECFailure; } else { *trust = *cert->trust; @@ -304,8 +304,10 @@ __CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname, CERT_MapStanError(); return SECFailure; } + CERT_LockCertTempPerm(cert); cert->istemp = PR_FALSE; cert->isperm = PR_TRUE; + CERT_UnlockCertTempPerm(cert); if (!trust) { return SECSuccess; } @@ -436,8 +438,10 @@ CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert, return NULL; } + CERT_LockCertTempPerm(cc); cc->istemp = PR_TRUE; cc->isperm = PR_FALSE; + CERT_UnlockCertTempPerm(cc); return cc; loser: /* Perhaps this should be nssCertificate_Destroy(c) */ @@ -515,28 +519,25 @@ CERT_FindCertByKeyID(CERTCertDBHandle *handle, SECItem *name, SECItem *keyID) { CERTCertList *list; CERTCertificate *cert = NULL; - CERTCertListNode *node, *head; + CERTCertListNode *node; list = CERT_CreateSubjectCertList(NULL, handle, name, 0, PR_FALSE); if (list == NULL) return NULL; - node = head = CERT_LIST_HEAD(list); - if (head) { - do { - if (node->cert && - SECITEM_ItemsAreEqual(&node->cert->subjectKeyID, keyID)) { - cert = CERT_DupCertificate(node->cert); - goto done; - } - node = CERT_LIST_NEXT(node); - } while (node && head != node); + node = CERT_LIST_HEAD(list); + while (!CERT_LIST_END(node, list)) { + if (node->cert && + SECITEM_ItemsAreEqual(&node->cert->subjectKeyID, keyID)) { + cert = CERT_DupCertificate(node->cert); + goto done; + } + node = CERT_LIST_NEXT(node); } PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); + done: - if (list) { - CERT_DestroyCertList(list); - } + CERT_DestroyCertList(list); return cert; } @@ -635,8 +636,7 @@ common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle, if (certlist) { SECStatus rv = CERT_FilterCertListByUsage(certlist, lookingForUsage, PR_FALSE); - if (SECSuccess == rv && - !CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist)) { + if (SECSuccess == rv && !CERT_LIST_EMPTY(certlist)) { cert = CERT_DupCertificate(CERT_LIST_HEAD(certlist)->cert); } CERT_DestroyCertList(certlist); @@ -915,6 +915,7 @@ CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile, { const char *emailAddr; SECStatus rv; + PRBool isperm = PR_FALSE; if (!cert) { return SECFailure; @@ -936,7 +937,11 @@ CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile, } } - if (cert->slot && cert->isperm && CERT_IsUserCert(cert) && + rv = CERT_GetCertIsPerm(cert, &isperm); + if (rv != SECSuccess) { + return SECFailure; + } + if (cert->slot && isperm && CERT_IsUserCert(cert) && (!emailProfile || !emailProfile->len)) { /* Don't clobber emailProfile for user certs. */ return SECSuccess; @@ -990,6 +995,32 @@ CERT_FindSMimeProfile(CERTCertificate *cert) return rvItem; } +SECStatus +CERT_GetCertIsPerm(const CERTCertificate *cert, PRBool *isperm) +{ + if (cert == NULL) { + return SECFailure; + } + + CERT_LockCertTempPerm(cert); + *isperm = cert->isperm; + CERT_UnlockCertTempPerm(cert); + return SECSuccess; +} + +SECStatus +CERT_GetCertIsTemp(const CERTCertificate *cert, PRBool *istemp) +{ + if (cert == NULL) { + return SECFailure; + } + + CERT_LockCertTempPerm(cert); + *istemp = cert->istemp; + CERT_UnlockCertTempPerm(cert); + return SECSuccess; +} + /* * deprecated functions that are now just stubs. */ -- cgit v1.2.3