[meego-commits] 14411: Changes to devel:base/nss
Passion Zhao
no_reply at build.meego.com
Wed Mar 2 06:00:18 UTC 2011
Hi,
I have made the following changes to nss in project devel:base. Please review and accept ASAP.
Thank You,
Passion Zhao
[This message was auto-generated]
---
Request #14411:
submit: home:qzhao9:branches:devel:base/nss(r2)(cleanup) -> devel:base/nss
Message:
Update to 3.12.9 from fennec requirement #BMC13425
State: new 2011-03-01T16:58:16 qzhao9
Comment: None
changes files:
--------------
--- nss.changes
+++ nss.changes
@@ -0,0 +1,3 @@
+* Wed 02 Mar 2011 Passion Zhao <passion.zhao at intel.com>
+- Update to 3.12.9 from fennec requirement #BMC13425
+
old:
----
nss-3.12.8-stripped.tar.bz2
nss-pem-20090907.tar.bz2
new:
----
nss-3.12.9-stripped.tar.bz2
nss-pem-20101125.tar.bz2
spec files:
-----------
--- nss.spec
+++ nss.spec
@@ -3,7 +3,7 @@
Summary: Network Security Services
Name: nss
-Version: 3.12.8
+Version: 3.12.9
Release: 3
License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/projects/security/pki/nss/
@@ -33,7 +33,7 @@
Source8: system-pkcs11.txt
Source9: setup-nsssysinit.sh
Source11: nss-prelink.conf
-Source12: %{name}-pem-20090907.tar.bz2
+Source12: %{name}-pem-20101125.tar.bz2
Patch1: nss-no-rpath.patch
Patch2: nss-nolocalsql.patch
other changes:
--------------
++++++ nss-3.12.9-stripped.tar.bz2 (new)
++++++ nss-pem-20090907.tar.bz2 -> nss-pem-20101125.tar.bz2
--- security/nss/lib/ckfw/pem/ckpem.h
+++ security/nss/lib/ckfw/pem/ckpem.h
@@ -95,6 +95,7 @@
typedef struct pemTrustObjectStr pemTrustObject;
typedef enum {
+ pemAll = -1, /* matches all types */
pemRaw,
pemCert,
pemBareKey,
--- security/nss/lib/ckfw/pem/constants.c
+++ security/nss/lib/ckfw/pem/constants.c
@@ -49,7 +49,7 @@
#endif /* NSSCKT_H */
#ifndef NSSCKBI_H
-#include "nssckbi.h"
+#include "../builtins/nssckbi.h"
#endif /* NSSCKBI_H */
NSS_IMPLEMENT_DATA const CK_VERSION
--- security/nss/lib/ckfw/pem/nssckbi.h
+++ security/nss/lib/ckfw/pem/nssckbi.h
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef NSSCKBI_H
-#define NSSCKBI_H
-
-/*
- * NSS BUILTINS Version numbers.
- *
- * These are the version numbers for the builtins module packaged with
- * this release on NSS. To determine the version numbers of the builtin
- * module you are using, use the appropriate PKCS #11 calls.
- *
- * These version numbers detail changes to the PKCS #11 interface. They map
- * to the PKCS #11 spec versions.
- */
-#define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
-#define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20
-
-/* These version numbers detail the changes
- * to the list of trusted certificates.
- *
- * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
- * for each NSS minor release AND whenever we change the list of
- * trusted certificates. 10 minor versions are allocated for each
- * NSS 3.x branch as follows, allowing us to change the list of
- * trusted certificates up to 9 times on each branch.
- * - NSS 3.5 branch: 3-9
- * - NSS 3.6 branch: 10-19
- * - NSS 3.7 branch: 20-29
- * - NSS 3.8 branch: 30-39
- * - NSS 3.9 branch: 40-49
- * - NSS 3.10 branch: 50-59
- * - NSS 3.11 branch: 60-69
- * ...
- * - NSS 3.14 branch: 90-99
- * ...
- * - NSS 3.30 branch: 250-255
- *
- * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear
- * whether we may use its full range (0-255) or only 0-99 because
- * of the comment in the CK_VERSION type definition.
- */
-#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 62
-#define NSS_BUILTINS_LIBRARY_VERSION "1.62"
-
-/* These version numbers detail the semantic changes to the ckfw engine. */
-#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
-#define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
-
-/* These version numbers detail the semantic changes to ckbi itself
- * (new PKCS #11 objects), etc. */
-#define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
-#define NSS_BUILTINS_FIRMWARE_VERSION_MINOR 0
-
-#endif /* NSSCKBI_H */
--- security/nss/lib/ckfw/pem/pfind.c
+++ security/nss/lib/ckfw/pem/pfind.c
@@ -313,8 +313,9 @@
plog("CKO_NETSCAPE_BUILTIN_ROOT_LIST\n");
goto done;
case CK_INVALID_HANDLE:
+ type = pemAll; /* look through all objectclasses - ignore the type field */
plog("CK_INVALID_HANDLE\n");
- goto done;
+ break;
default:
plog("no other object types %08x\n", objClass);
goto done; /* no other object types we understand in this module */
@@ -322,15 +323,20 @@
/* find objects */
for (i = 0; i < pem_nobjs; i++) {
+ int match = 1; /* matches type if type not specified */
if (NULL == gobj[i])
continue;
plog(" %d type = %d\n", i, gobj[i]->type);
- if ((type == gobj[i]->type)
- && (slotID == gobj[i]->slotID)
- && (CK_TRUE ==
- pem_match(pTemplate, ulAttributeCount, gobj[i]))) {
-
+ if (type != pemAll) {
+ /* type specified - must match given type */
+ match = (type == gobj[i]->type);
+ }
+ if (match) {
+ match = (slotID == gobj[i]->slotID) &&
+ (CK_TRUE == pem_match(pTemplate, ulAttributeCount, gobj[i]));
+ }
+ if (match) {
pemInternalObject *o = gobj[i];
PUT_Object(o, *pError);
}
--- security/nss/lib/ckfw/pem/pinst.c
+++ security/nss/lib/ckfw/pem/pinst.c
@@ -151,7 +151,7 @@
buf = issuer->data + issuer->len;
/* only wanted issuer/SN */
- if (valid == NULL) {
+ if (subject == NULL || valid == NULL || subjkey == NULL) {
return SECSuccess;
}
/* validity */
@@ -219,53 +219,93 @@
memset(&o->u.trust, 0, sizeof(o->u.trust));
break;
}
+
+ o->nickname = (char *) nss_ZAlloc(NULL, strlen(nickname) + 1);
+ if (o->nickname == NULL)
+ goto fail;
+ strcpy(o->nickname, nickname);
+
+ sprintf(id, "%d", objid);
+ len = strlen(id) + 1; /* zero terminate */
+ o->id.data = (void *) nss_ZAlloc(NULL, len);
+ if (o->id.data == NULL)
+ goto fail;
+ (void) nsslibc_memcpy(o->id.data, id, len);
+ o->id.size = len;
+
o->objClass = objClass;
o->type = type;
o->slotID = slotID;
+
o->derCert = nss_ZNEW(NULL, SECItem);
+ if (o->derCert == NULL)
+ goto fail;
o->derCert->data = (void *) nss_ZAlloc(NULL, certDER->len);
+ if (o->derCert->data == NULL)
+ goto fail;
o->derCert->len = certDER->len;
nsslibc_memcpy(o->derCert->data, certDER->data, certDER->len);
switch (objClass) {
case CKO_CERTIFICATE:
case CKO_NETSCAPE_TRUST:
- GetCertFields(o->derCert->data,
- o->derCert->len, &issuer, &serial,
- &derSN, &subject, &valid, &subjkey);
+ if (SECSuccess != GetCertFields(o->derCert->data, o->derCert->len,
+ &issuer, &serial, &derSN, &subject,
+ &valid, &subjkey))
+ goto fail;
o->u.cert.subject.data = (void *) nss_ZAlloc(NULL, subject.len);
+ if (o->u.cert.subject.data == NULL)
+ goto fail;
o->u.cert.subject.size = subject.len;
nsslibc_memcpy(o->u.cert.subject.data, subject.data, subject.len);
o->u.cert.issuer.data = (void *) nss_ZAlloc(NULL, issuer.len);
+ if (o->u.cert.issuer.data == NULL) {
+ nss_ZFreeIf(o->u.cert.subject.data);
+ goto fail;
+ }
o->u.cert.issuer.size = issuer.len;
nsslibc_memcpy(o->u.cert.issuer.data, issuer.data, issuer.len);
o->u.cert.serial.data = (void *) nss_ZAlloc(NULL, serial.len);
+ if (o->u.cert.serial.data == NULL) {
+ nss_ZFreeIf(o->u.cert.issuer.data);
+ nss_ZFreeIf(o->u.cert.subject.data);
+ goto fail;
+ }
o->u.cert.serial.size = serial.len;
nsslibc_memcpy(o->u.cert.serial.data, serial.data, serial.len);
break;
case CKO_PRIVATE_KEY:
o->u.key.key.privateKey = nss_ZNEW(NULL, SECItem);
+ if (o->u.key.key.privateKey == NULL)
+ goto fail;
o->u.key.key.privateKey->data =
(void *) nss_ZAlloc(NULL, keyDER->len);
+ if (o->u.key.key.privateKey->data == NULL) {
+ nss_ZFreeIf(o->u.key.key.privateKey);
+ goto fail;
+ }
o->u.key.key.privateKey->len = keyDER->len;
nsslibc_memcpy(o->u.key.key.privateKey->data, keyDER->data,
keyDER->len);
}
- o->nickname = (char *) nss_ZAlloc(NULL, strlen(nickname) + 1);
- strcpy(o->nickname, nickname);
-
- sprintf(id, "%d", objid);
-
- len = strlen(id) + 1; /* zero terminate */
- o->id.data = (void *) nss_ZAlloc(NULL, len);
- (void) nsslibc_memcpy(o->id.data, id, len);
- o->id.size = len;
return o;
+
+fail:
+ if (o) {
+ if (o->derCert) {
+ nss_ZFreeIf(o->derCert->data);
+ nss_ZFreeIf(o->derCert);
+ }
+ nss_ZFreeIf(o->id.data);
+ nss_ZFreeIf(o->nickname);
+ nss_ZFreeIf(o);
+ }
+ return NULL;
}
pemInternalObject *
@@ -306,6 +346,8 @@
/* object not found, we need to create it */
pemInternalObject *io = CreateObject(objClass, type, certDER, keyDER,
filename, objid, slotID);
+ if (io == NULL)
+ return NULL;
io->gobjIndex = count;
--- security/nss/lib/ckfw/pem/pobject.c
+++ security/nss/lib/ckfw/pem/pobject.c
@@ -172,6 +172,8 @@
(void *) &ckt_netscape_trusted, (PRUint32) sizeof(CK_TRUST)
};
+/* SEC_SkipTemplate is already defined and exported by libnssutil */
+#ifdef SEC_SKIP_TEMPLATE
/*
* Template for skipping a subitem.
*
@@ -182,6 +184,7 @@
const SEC_ASN1Template SEC_SkipTemplate[] = {
{SEC_ASN1_SKIP}
};
+#endif
/*
* Find the subjectName in a DER encoded certificate
--- security/nss/lib/ckfw/pem/prsa.c
+++ security/nss/lib/ckfw/pem/prsa.c
@@ -63,6 +63,35 @@
{0}
};
+static const SEC_ASN1Template pem_AttributeTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSSLOWKEYAttribute) },
+ { SEC_ASN1_OBJECT_ID, offsetof(NSSLOWKEYAttribute, attrType) },
+ { SEC_ASN1_SET_OF | SEC_ASN1_XTRN, offsetof(NSSLOWKEYAttribute, attrValue),
+ SEC_ASN1_SUB(SEC_AnyTemplate) },
+ { 0 }
+};
+
+static const SEC_ASN1Template pem_SetOfAttributeTemplate[] = {
+ { SEC_ASN1_SET_OF, 0, pem_AttributeTemplate },
+};
+
+const SEC_ASN1Template pem_PrivateKeyInfoTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSSLOWKEYPrivateKeyInfo) },
+ { SEC_ASN1_INTEGER,
+ offsetof(NSSLOWKEYPrivateKeyInfo,version) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(NSSLOWKEYPrivateKeyInfo,algorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { SEC_ASN1_OCTET_STRING,
+ offsetof(NSSLOWKEYPrivateKeyInfo,privateKey) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(NSSLOWKEYPrivateKeyInfo, attributes),
+ pem_SetOfAttributeTemplate },
+ { 0 }
+};
+
/* Declarations */
SECStatus pem_RSA_Sign(pemLOWKEYPrivateKey * key, unsigned char *output,
unsigned int *outputLen, unsigned int maxOutputLen,
@@ -116,6 +145,79 @@
nss_ZFreeIf(privk);
}
+/* decode and parse the rawkey into the lpk structure */
+static pemLOWKEYPrivateKey *
+pem_getPrivateKey(PLArenaPool *arena, SECItem *rawkey, CK_RV * pError, NSSItem *modulus)
+{
+ pemLOWKEYPrivateKey *lpk = NULL;
+ SECStatus rv = SECFailure;
+ NSSLOWKEYPrivateKeyInfo *pki = NULL;
+ SECItem *keysrc = NULL;
+
+ /* make sure SECOID is initialized - not sure why we have to do this outside of nss_Init */
+ if (SECSuccess != (rv = SECOID_Init())) {
+ *pError = CKR_GENERAL_ERROR;
+ return NULL; /* wha???? */
+ }
+
+ pki = (NSSLOWKEYPrivateKeyInfo*)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPrivateKeyInfo));
+ if(!pki) {
+ *pError = CKR_HOST_MEMORY;
+ goto done;
+ }
+
+ /* let's first see if this is a "raw" RSA private key or an RSA private key in PKCS#8 format */
+ rv = SEC_ASN1DecodeItem(arena, pki, pem_PrivateKeyInfoTemplate, rawkey);
+ if (rv != SECSuccess) {
+ /* not PKCS#8 - assume it's a "raw" RSA private key */
+ keysrc = rawkey;
+ } else if (SECOID_GetAlgorithmTag(&pki->algorithm) == SEC_OID_PKCS1_RSA_ENCRYPTION) {
+ keysrc = &pki->privateKey;
+ } else { /* unsupported */
+ *pError = CKR_FUNCTION_NOT_SUPPORTED;
+ goto done;
+ }
+
+ lpk = (pemLOWKEYPrivateKey *) nss_ZAlloc(NULL,
+ sizeof(pemLOWKEYPrivateKey));
+ if (lpk == NULL) {
+ *pError = CKR_HOST_MEMORY;
+ goto done;
+ }
+
+ lpk->arena = arena;
+ lpk->keyType = pemLOWKEYRSAKey;
+ prepare_low_rsa_priv_key_for_asn1(lpk);
+
+ /* I don't know what this is supposed to accomplish. We free the old
+ modulus data and set it again, making a copy of the new data.
+ But we just allocated a new empty key structure above with
+ nss_ZAlloc. So lpk->u.rsa.modulus.data is NULL and
+ lpk->u.rsa.modulus.len. If the intention is to free the old
+ modulus data, why not just set it to NULL after freeing? Why
+ go through this unnecessary and confusing copying code?
+ */
+ if (modulus) {
+ nss_ZFreeIf(modulus->data);
+ modulus->data = (void *) nss_ZAlloc(NULL, lpk->u.rsa.modulus.len);
+ modulus->size = lpk->u.rsa.modulus.len;
+ nsslibc_memcpy(modulus->data, lpk->u.rsa.modulus.data,
+ lpk->u.rsa.modulus.len);
+ }
+
+ /* decode the private key and any algorithm parameters */
+ rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
+ keysrc);
+
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
+done:
+ return lpk;
+}
+
void
pem_PopulateModulusExponent(pemInternalObject * io)
{
@@ -123,7 +225,7 @@
const NSSItem *keyType = pem_FetchAttribute(io, CKA_KEY_TYPE);
pemLOWKEYPrivateKey *lpk = NULL;
PLArenaPool *arena;
- SECStatus rv;
+ CK_RV pError = 0;
/* make sure we have the right objects */
if (((const NSSItem *) NULL == classItem) ||
@@ -140,26 +242,12 @@
return;
}
- lpk = (pemLOWKEYPrivateKey *) nss_ZAlloc(NULL,
- sizeof(pemLOWKEYPrivateKey));
+ lpk = pem_getPrivateKey(arena, io->u.key.key.privateKey, &pError, NULL);
if (lpk == NULL) {
PORT_FreeArena(arena, PR_FALSE);
return;
}
- lpk->arena = arena;
- lpk->keyType = pemLOWKEYRSAKey;
- prepare_low_rsa_priv_key_for_asn1(lpk);
-
- /* decode the private key and any algorithm parameters */
- rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
- io->u.key.key.privateKey);
-
- if (rv != SECSuccess) {
- PORT_FreeArena(arena, PR_FALSE);
- return;
- }
-
nss_ZFreeIf(io->u.key.key.modulus.data);
io->u.key.key.modulus.data =
(void *) nss_ZAlloc(NULL, lpk->u.rsa.modulus.len);
@@ -252,13 +340,6 @@
pemInternalCryptoOperationRSAPriv *iOperation;
pemLOWKEYPrivateKey *lpk = NULL;
PLArenaPool *arena;
- SECStatus rv;
-
- arena = PORT_NewArena(2048);
- if (!arena) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDCryptoOperation *) NULL;
- }
/* make sure we have the right objects */
if (((const NSSItem *) NULL == classItem) ||
@@ -271,30 +352,15 @@
return (NSSCKMDCryptoOperation *) NULL;
}
- lpk = (pemLOWKEYPrivateKey *) nss_ZAlloc(NULL,
- sizeof (pemLOWKEYPrivateKey));
- if (lpk == NULL) {
+ arena = PORT_NewArena(2048);
+ if (!arena) {
*pError = CKR_HOST_MEMORY;
return (NSSCKMDCryptoOperation *) NULL;
}
- lpk->arena = arena;
- lpk->keyType = pemLOWKEYRSAKey;
- prepare_low_rsa_priv_key_for_asn1(lpk);
- nss_ZFreeIf(iKey->u.key.key.modulus.data);
- iKey->u.key.key.modulus.data =
- (void *) nss_ZAlloc(NULL, lpk->u.rsa.modulus.len);
- iKey->u.key.key.modulus.size = lpk->u.rsa.modulus.len;
- nsslibc_memcpy(iKey->u.key.key.modulus.data, lpk->u.rsa.modulus.data,
- lpk->u.rsa.modulus.len);
-
- /* decode the private key and any algorithm parameters */
- rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
- iKey->u.key.key.privateKey);
-
- if (rv != SECSuccess) {
+ lpk = pem_getPrivateKey(arena, iKey->u.key.key.privateKey, pError, &iKey->u.key.key.modulus);
+ if (lpk == NULL) {
PORT_FreeArena(arena, PR_FALSE);
- *pError = CKR_HOST_MEMORY;
return (NSSCKMDCryptoOperation *) NULL;
}
@@ -328,7 +394,10 @@
if (iOperation->buffer) {
nssItem_Destroy(iOperation->buffer);
+ iOperation->buffer = NULL;
}
+ pem_DestroyPrivateKey(iOperation->lpk);
+ iOperation->lpk = NULL;
nss_ZFreeIf(iOperation);
}
--- security/nss/lib/ckfw/pem/psession.c
+++ security/nss/lib/ckfw/pem/psession.c
@@ -178,8 +178,16 @@
CK_RV * pError
)
{
+ NSSCKMDObject *rvmdObject = NULL;
pemInternalObject *io = (pemInternalObject *) mdOldObject->etc;
+ /* make a new mdObject */
+ rvmdObject = nss_ZNEW(arena, NSSCKMDObject);
+ if ((NSSCKMDObject *) NULL == rvmdObject) {
+ *pError = CKR_HOST_MEMORY;
+ return (NSSCKMDObject *) NULL;
+ }
+
if (NULL == io->list) {
io->refCount ++;
} else {
@@ -190,7 +198,10 @@
item = item->next;
}
}
- return mdOldObject;
+ /* struct (shallow) copy the old one */
+ *rvmdObject = *mdOldObject;
+
+ return rvmdObject;
}
CK_RV
--- security/nss/lib/ckfw/pem/util.c
+++ security/nss/lib/ckfw/pem/util.c
@@ -164,7 +164,8 @@
int key = 0;
while ((asc) && ((body = strstr(asc, "-----BEGIN")) != NULL)) {
key = 0;
- if (strncmp(body, "-----BEGIN RSA PRIVATE KEY", 25) == 0) {
+ if ((strncmp(body, "-----BEGIN RSA PRIVATE KEY", 25) == 0) ||
+ (strncmp(body, "-----BEGIN PRIVATE KEY", 21) == 0)) {
key = 1;
c = body;
body = strchr(body, '\n');
++++++ deleted files:
--- nss-3.12.8-stripped.tar.bz2
More information about the MeeGo-commits
mailing list