Bug 1345368 - land NSS 848abc2061a4, r=me
authorFranziskus Kiefer <franziskuskiefer@gmail.com>
Fri, 10 Mar 2017 06:01:18 +0100
changeset 347098 2cc8a6db5ec1ba121b9d389e34e912c054d730e2
parent 346934 c6e386b4db2bfd2ef57923661b1327955964504e
child 347099 560eb8e7d89fcb8d51642dd6b02087c75b119e3e
push id31491
push usercbook@mozilla.com
push dateMon, 13 Mar 2017 14:24:00 +0000
reviewersme
bugs1345368
milestone55.0a1
Bug 1345368 - land NSS 848abc2061a4, r=me
security/nss/TAG-INFO
security/nss/automation/ossfuzz/build.sh
security/nss/automation/taskcluster/scripts/fuzz.sh
security/nss/cmd/smimetools/cmsutil.c
security/nss/cmd/smimetools/smime
security/nss/coreconf/coreconf.dep
security/nss/coreconf/fuzz.sh
security/nss/fuzz/certDN.options
security/nss/fuzz/clone_corpus.sh
security/nss/fuzz/clone_libfuzzer.sh
security/nss/fuzz/config/clone_corpus.sh
security/nss/fuzz/config/clone_libfuzzer.sh
security/nss/fuzz/config/git-copy.sh
security/nss/fuzz/git-copy.sh
security/nss/fuzz/mpi-add.options
security/nss/fuzz/mpi-addmod.options
security/nss/fuzz/mpi-div.options
security/nss/fuzz/mpi-expmod.options
security/nss/fuzz/mpi-invmod.options
security/nss/fuzz/mpi-mod.options
security/nss/fuzz/mpi-mulmod.options
security/nss/fuzz/mpi-sqr.options
security/nss/fuzz/mpi-sqrmod.options
security/nss/fuzz/mpi-sub.options
security/nss/fuzz/mpi-submod.options
security/nss/fuzz/options/certDN.options
security/nss/fuzz/options/mpi-add.options
security/nss/fuzz/options/mpi-addmod.options
security/nss/fuzz/options/mpi-div.options
security/nss/fuzz/options/mpi-expmod.options
security/nss/fuzz/options/mpi-invmod.options
security/nss/fuzz/options/mpi-mod.options
security/nss/fuzz/options/mpi-mulmod.options
security/nss/fuzz/options/mpi-sqr.options
security/nss/fuzz/options/mpi-sqrmod.options
security/nss/fuzz/options/mpi-sub.options
security/nss/fuzz/options/mpi-submod.options
security/nss/fuzz/options/quickder.options
security/nss/fuzz/options/tls-client-no_fuzzer_mode.options
security/nss/fuzz/options/tls-client.options
security/nss/fuzz/quickder.options
security/nss/fuzz/tls-client-no_fuzzer_mode.options
security/nss/fuzz/tls-client.options
security/nss/lib/cryptohi/keythi.h
security/nss/lib/cryptohi/secsign.c
security/nss/lib/pk11wrap/pk11obj.c
security/nss/lib/pk11wrap/pk11priv.h
security/nss/lib/pk11wrap/pk11pub.h
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-6fafb8fd9ff4
+848abc2061a4
--- a/security/nss/automation/ossfuzz/build.sh
+++ b/security/nss/automation/ossfuzz/build.sh
@@ -25,17 +25,17 @@ copy_fuzzer()
     if [ -d "$SRC/nss-corpus/$name" ]; then
         zip $OUT/${name}_seed_corpus.zip $SRC/nss-corpus/$name/*
     else
         zip $OUT/${name}_seed_corpus.zip $SRC/nss-corpus/*/*
     fi
 }
 
 # Copy libFuzzer options
-cp fuzz/*.options $OUT/
+cp fuzz/options/*.options $OUT/
 
 # Build the library (non-TLS fuzzing mode).
 CXX="$CXX -stdlib=libc++" LDFLAGS="$CFLAGS" \
     ./build.sh -c -v --fuzz=oss --fuzz --disable-tests
 
 # Copy fuzzing targets.
 for fuzzer in $(find ../dist/Debug/bin -name "nssfuzz-*" -printf "%f\n"); do
     name=${fuzzer:8}
--- a/security/nss/automation/taskcluster/scripts/fuzz.sh
+++ b/security/nss/automation/taskcluster/scripts/fuzz.sh
@@ -4,17 +4,17 @@ source $(dirname "$0")/tools.sh
 
 type="$1"
 shift
 
 # Fetch artifact if needed.
 fetch_dist
 
 # Clone corpus.
-./nss/fuzz/clone_corpus.sh
+./nss/fuzz/config/clone_corpus.sh
 
 # Ensure we have a corpus.
 if [ ! -d "nss/fuzz/corpus/$type" ]; then
   mkdir -p nss/fuzz/corpus/$type
 
   set +x
 
   # Create a corpus out of what we have.
--- a/security/nss/cmd/smimetools/cmsutil.c
+++ b/security/nss/cmd/smimetools/cmsutil.c
@@ -79,17 +79,17 @@ Usage(char *progName)
             "  -n           suppress output of content\n"
             "  -h num       display num levels of CMS message info as email headers\n"
             "  -k           keep decoded encryption certs in perm cert db\n"
             " -E            create a CMS enveloped data message\n"
             "  -r id,...    create envelope for these recipients,\n"
             "               where id can be a certificate nickname or email address\n"
             " -S            create a CMS signed data message\n"
             "  -G           include a signing time attribute\n"
-            "  -H hash      use hash (default:SHA1)\n"
+            "  -H hash      use hash (default:SHA256)\n"
             "  -N nick      use certificate named \"nick\" for signing\n"
             "  -P           include a SMIMECapabilities attribute\n"
             "  -T           do not include content in CMS message\n"
             "  -Y nick      include a EncryptionKeyPreference attribute with cert\n"
             "                 (use \"NONE\" to omit)\n"
             " -O            create a CMS signed message containing only certificates\n"
             " General Options:\n"
             " -d dbdir      key/cert database directory (default: ~/.netscape)\n"
@@ -1092,17 +1092,17 @@ main(int argc, char **argv)
     options.certUsage = certUsageEmailSigner;
     options.password = NULL;
     options.pwfile = NULL;
     signOptions.nickname = NULL;
     signOptions.detached = PR_FALSE;
     signOptions.signingTime = PR_FALSE;
     signOptions.smimeProfile = PR_FALSE;
     signOptions.encryptionKeyPreferenceNick = NULL;
-    signOptions.hashAlgTag = SEC_OID_SHA1;
+    signOptions.hashAlgTag = SEC_OID_SHA256;
     envelopeOptions.recipients = NULL;
     encryptOptions.recipients = NULL;
     encryptOptions.envmsg = NULL;
     encryptOptions.envFile = NULL;
     encryptOptions.bulkalgtag = SEC_OID_UNKNOWN;
     encryptOptions.bulkkey = NULL;
     encryptOptions.keysize = -1;
 
--- a/security/nss/cmd/smimetools/smime
+++ b/security/nss/cmd/smimetools/smime
@@ -194,18 +194,18 @@ sub signentity($$)
     }
 
     open (SIG, $tmpsigfile) or die "ERROR: cannot find newly generated signature";
 
     #
     # construct a new multipart/signed MIME entity consisting of the original content and
     # the signature
     #
-    # (we assume that cmsutil generates a SHA1 digest)
-    $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha1; boundary=\"${boundary}\"\n";
+    # (we assume that cmsutil generates a SHA256 digest)
+    $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha256; boundary=\"${boundary}\"\n";
     $out .= "\n";		# end of entity header
     $out .= "This is a cryptographically signed message in MIME format.\n"; # explanatory comment
     $out .= "\n--${boundary}\n";
     $out .= $entity;
     $out .= "\n--${boundary}\n";
     $out .= "Content-Type: application/pkcs7-signature; name=smime.p7s\n";
     $out .= "Content-Transfer-Encoding: base64\n";
     $out .= "Content-Disposition: attachment; filename=smime.p7s\n";
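Review bot: The `micalg=sha256` value on the rewritten Content-Type line is still a hard-coded assumption about cmsutil's default digest. The header and the real digest will disagree again the next time that default changes, or if the cmsutil call ever passes a different `-H`. The cmsutil invocation is outside this hunk; passing the hash explicitly there (for example `-H SHA256`) and building the micalg string from the same variable would remove the assumption. The token spelling is also worth confirming: RFC 5751 lists `sha-256` for this parameter, while `sha256` is the older RFC 3851 form, and a strict receiver may recognise only one of them.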
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/coreconf/fuzz.sh
+++ b/security/nss/coreconf/fuzz.sh
@@ -29,10 +29,10 @@ else
 fi
 
 if [ "$fuzz_tls" = 1 ]; then
   gyp_params+=(-Dfuzz_tls=1)
 fi
 
 if [ ! -f "/usr/lib/libFuzzingEngine.a" ]; then
   echo "Cloning libFuzzer files ..."
-  run_verbose "$cwd"/fuzz/clone_libfuzzer.sh
+  run_verbose "$cwd"/fuzz/config/clone_libfuzzer.sh
 fi
deleted file mode 100755
--- a/security/nss/fuzz/clone_corpus.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-d=$(dirname $0)
-$d/git-copy.sh https://github.com/mozilla/nss-fuzzing-corpus master $d/corpus
deleted file mode 100755
--- a/security/nss/fuzz/clone_libfuzzer.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/sh
-
-d=$(dirname $0)
-$d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer b96a41ac6bbc3824fc7c7977662bebacac8f0983 $d/libFuzzer
-
-# [https://llvm.org/bugs/show_bug.cgi?id=31318]
-# This prevents a known buffer overrun that won't be fixed as the affected code
-# will go away in the near future. Until that is we have to patch it as we seem
-# to constantly run into it.
-cat <<EOF | patch -p0 -d $d
-diff --git libFuzzer/FuzzerLoop.cpp libFuzzer/FuzzerLoop.cpp
---- libFuzzer/FuzzerLoop.cpp
-+++ libFuzzer/FuzzerLoop.cpp
-@@ -476,6 +476,9 @@
-   uint8_t dummy;
-   ExecuteCallback(&dummy, 0);
-
-+  // Number of counters might have changed.
-+  PrepareCounters(&MaxCoverage);
-+
-   for (const auto &U : *InitialCorpus) {
-     if (size_t NumFeatures = RunOne(U)) {
-       CheckExitOnSrcPosOrItem();
-EOF
-
-# Latest Libfuzzer uses __sanitizer_dump_coverage(), a symbol to be introduced
-# with LLVM 4.0. To keep our code working with LLVM 3.x to simplify development
-# of fuzzers we'll just provide it ourselves.
-cat <<EOF | patch -p0 -d $d
-diff --git libFuzzer/FuzzerTracePC.cpp libFuzzer/FuzzerTracePC.cpp
---- libFuzzer/FuzzerTracePC.cpp
-+++ libFuzzer/FuzzerTracePC.cpp
-@@ -33,6 +33,12 @@
- ATTRIBUTE_INTERFACE
- uintptr_t __sancov_trace_pc_pcs[fuzzer::TracePC::kNumPCs];
-
-+#if defined(__clang_major__) && (__clang_major__ == 3)
-+void __sanitizer_dump_coverage(const uintptr_t *pcs, uintptr_t len) {
-+  // SanCov in LLVM 4.x will provide this symbol. Make 3.x work.
-+}
-+#endif
-+
- namespace fuzzer {
-
- TracePC TPC;
-EOF
new file mode 100755
--- /dev/null
+++ b/security/nss/fuzz/config/clone_corpus.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+d=$(dirname $0)
+$d/git-copy.sh https://github.com/mozilla/nss-fuzzing-corpus master $d/../corpus
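Review bot: `$0` and `$d` are expanded unquoted in both new scripts, here and in config/clone_libfuzzer.sh (including its two `patch -p0 -d $d/..` lines). A checkout path containing spaces or glob characters is therefore split into several words before it reaches `dirname`, `git-copy.sh` or `patch`. I would write `d=$(dirname "$0")` and `"$d"/git-copy.sh https://github.com/mozilla/nss-fuzzing-corpus master "$d"/../corpus`. The corpus is also taken from the moving `master` ref while libFuzzer is pinned to a commit; if that is deliberate, a one-line comment saying so would help anyone trying to reproduce a fuzzing run.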
new file mode 100755
--- /dev/null
+++ b/security/nss/fuzz/config/clone_libfuzzer.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+d=$(dirname $0)
+$d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer b96a41ac6bbc3824fc7c7977662bebacac8f0983 $d/../libFuzzer
+
+# [https://llvm.org/bugs/show_bug.cgi?id=31318]
+# This prevents a known buffer overrun that won't be fixed as the affected code
+# will go away in the near future. Until that is we have to patch it as we seem
+# to constantly run into it.
+cat <<EOF | patch -p0 -d $d/..
+diff --git libFuzzer/FuzzerLoop.cpp libFuzzer/FuzzerLoop.cpp
+--- libFuzzer/FuzzerLoop.cpp
++++ libFuzzer/FuzzerLoop.cpp
+@@ -476,6 +476,9 @@
+   uint8_t dummy;
+   ExecuteCallback(&dummy, 0);
+
++  // Number of counters might have changed.
++  PrepareCounters(&MaxCoverage);
++
+   for (const auto &U : *InitialCorpus) {
+     if (size_t NumFeatures = RunOne(U)) {
+       CheckExitOnSrcPosOrItem();
+EOF
+
+# Latest Libfuzzer uses __sanitizer_dump_coverage(), a symbol to be introduced
+# with LLVM 4.0. To keep our code working with LLVM 3.x to simplify development
+# of fuzzers we'll just provide it ourselves.
+cat <<EOF | patch -p0 -d $d/..
+diff --git libFuzzer/FuzzerTracePC.cpp libFuzzer/FuzzerTracePC.cpp
+--- libFuzzer/FuzzerTracePC.cpp
++++ libFuzzer/FuzzerTracePC.cpp
+@@ -33,6 +33,12 @@
+ ATTRIBUTE_INTERFACE
+ uintptr_t __sancov_trace_pc_pcs[fuzzer::TracePC::kNumPCs];
+
++#if defined(__clang_major__) && (__clang_major__ == 3)
++void __sanitizer_dump_coverage(const uintptr_t *pcs, uintptr_t len) {
++  // SanCov in LLVM 4.x will provide this symbol. Make 3.x work.
++}
++#endif
++
+ namespace fuzzer {
+
+ TracePC TPC;
+EOF
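Review bot: Neither the `git-copy.sh` call nor the two `patch` invocations have their exit status checked, and the script has no `set -e`. A failed checkout or a diff that no longer applies therefore goes unnoticed unless it happens to be the last command. The first patch is described as preventing a known buffer overrun in libFuzzer, so a silent failure leaves the fuzzers built against the unpatched code. Adding `set -e` directly after the shebang would stop on the first failure. Quoting the here-document delimiter (`<<'EOF'`) would also keep the shell from expanding anything inside the embedded diffs.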
rename from security/nss/fuzz/git-copy.sh
rename to security/nss/fuzz/config/git-copy.sh
deleted file mode 100644
--- a/security/nss/fuzz/mpi-add.options
+++ /dev/null
@@ -1,3 +0,0 @@
-[libfuzzer]
-max_len = 2048
-
deleted file mode 100644
--- a/security/nss/fuzz/mpi-addmod.options
+++ /dev/null
@@ -1,3 +0,0 @@
-[libfuzzer]
-max_len = 2048
-
deleted file mode 100644
--- a/security/nss/fuzz/mpi-div.options
+++ /dev/null
@@ -1,3 +0,0 @@
-[libfuzzer]
-max_len = 2048
-
deleted file mode 100644
--- a/security/nss/fuzz/mpi-mulmod.options
+++ /dev/null
@@ -1,3 +0,0 @@
-[libfuzzer]
-max_len = 2048
-
deleted file mode 100644
--- a/security/nss/fuzz/mpi-sqr.options
+++ /dev/null
@@ -1,3 +0,0 @@
-[libfuzzer]
-max_len = 2048
-
deleted file mode 100644
--- a/security/nss/fuzz/mpi-sqrmod.options
+++ /dev/null
@@ -1,3 +0,0 @@
-[libfuzzer]
-max_len = 2048
-
deleted file mode 100644
--- a/security/nss/fuzz/mpi-sub.options
+++ /dev/null
@@ -1,3 +0,0 @@
-[libfuzzer]
-max_len = 2048
-
deleted file mode 100644
--- a/security/nss/fuzz/mpi-submod.options
+++ /dev/null
@@ -1,3 +0,0 @@
-[libfuzzer]
-max_len = 2048
-
rename from security/nss/fuzz/certDN.options
rename to security/nss/fuzz/options/certDN.options
rename from security/nss/fuzz/mpi-mod.options
rename to security/nss/fuzz/options/mpi-add.options
copy from security/nss/fuzz/mpi-mod.options
copy to security/nss/fuzz/options/mpi-addmod.options
copy from security/nss/fuzz/mpi-mod.options
copy to security/nss/fuzz/options/mpi-div.options
rename from security/nss/fuzz/mpi-expmod.options
rename to security/nss/fuzz/options/mpi-expmod.options
rename from security/nss/fuzz/mpi-invmod.options
rename to security/nss/fuzz/options/mpi-invmod.options
copy from security/nss/fuzz/mpi-mod.options
copy to security/nss/fuzz/options/mpi-mod.options
copy from security/nss/fuzz/mpi-mod.options
copy to security/nss/fuzz/options/mpi-mulmod.options
copy from security/nss/fuzz/mpi-mod.options
copy to security/nss/fuzz/options/mpi-sqr.options
copy from security/nss/fuzz/mpi-mod.options
copy to security/nss/fuzz/options/mpi-sqrmod.options
copy from security/nss/fuzz/mpi-mod.options
copy to security/nss/fuzz/options/mpi-sub.options
copy from security/nss/fuzz/mpi-mod.options
copy to security/nss/fuzz/options/mpi-submod.options
rename from security/nss/fuzz/quickder.options
rename to security/nss/fuzz/options/quickder.options
rename from security/nss/fuzz/tls-client.options
rename to security/nss/fuzz/options/tls-client-no_fuzzer_mode.options
copy from security/nss/fuzz/tls-client.options
copy to security/nss/fuzz/options/tls-client.options
deleted file mode 100644
--- a/security/nss/fuzz/tls-client-no_fuzzer_mode.options
+++ /dev/null
@@ -1,3 +0,0 @@
-[libfuzzer]
-max_len = 20000
-
--- a/security/nss/lib/cryptohi/keythi.h
+++ b/security/nss/lib/cryptohi/keythi.h
@@ -204,17 +204,17 @@ typedef struct SECKEYPublicKeyStr SECKEY
 
 #define SECKEY_ATTRIBUTE_VALUE(key, attribute) \
     (0 != (key->staticflags & SECKEY_##attribute))
 
 #define SECKEY_HAS_ATTRIBUTE_SET(key, attribute) \
     (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE)
 
 #define SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, attribute, haslock) \
-    (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, haslock)
+    (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : pk11_HasAttributeSet_Lock(key->pkcs11Slot, key->pkcs11ID, attribute, haslock)
 
 /*
 ** A generic key structure
 */
 struct SECKEYPrivateKeyStr {
     PLArenaPool *arena;
     KeyType keyType;
     PK11SlotInfo *pkcs11Slot;  /* pkcs11 slot this key lives in */
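Review bot: `SECKEY_HAS_ATTRIBUTE_SET_LOCK` now expands to a call to `pk11_HasAttributeSet_Lock`, whose prototype this commit places in pk11priv.h, while the sibling `SECKEY_HAS_ATTRIBUTE_SET` macro calls the function declared in pk11pub.h. Every translation unit that uses the _LOCK macro therefore needs the private header in scope. If keythi.h is installed for external consumers (not visible here), the macro names a symbol they cannot declare. A comment above the macro such as `/* internal use only: requires pk11priv.h */` would make that explicit. Separately, the expansion is an unparenthesised `?:` expression with a bare `key`; wrapping the whole body in parentheses and writing `(key)` would keep it safe inside larger expressions.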
--- a/security/nss/lib/cryptohi/secsign.c
+++ b/security/nss/lib/cryptohi/secsign.c
@@ -307,34 +307,35 @@ SEC_DerSignData(PLArenaPool *arena, SECI
 
     /* XXX We should probably have some asserts here to make sure the key type
      * and algID match
      */
 
     if (algID == SEC_OID_UNKNOWN) {
         switch (pk->keyType) {
             case rsaKey:
-                algID = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+                algID = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
                 break;
             case dsaKey:
                 /* get Signature length (= q_len*2) and work from there */
                 switch (PK11_SignatureLen(pk)) {
+                    case 320:
+                        algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+                        break;
                     case 448:
                         algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST;
                         break;
                     case 512:
+                    default:
                         algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST;
                         break;
-                    default:
-                        algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
-                        break;
                 }
                 break;
             case ecKey:
-                algID = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST;
+                algID = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
                 break;
             default:
                 PORT_SetError(SEC_ERROR_INVALID_KEY);
                 return SECFailure;
         }
     }
 
     /* Sign input buffer */
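Review bot: The DSA case labels `320`, `448` and `512` read as bit counts (2 x 160/224/256), but the Sign/Verify comment in pk11pub.h, visible at the end of this commit, speaks of a signature length in bytes (the declaration it documents is cut off). If `PK11_SignatureLen(pk)` does return bytes, none of the labels match and every DSA key takes the `default:` arm, which this change moves from SHA-1 to SHA-256. A key with a 160-bit q would then get `SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST` and never reach the new `case 320:`. Please confirm the unit; if it is bytes the labels would be `case 40:`, `case 56:` and `case 64:`. The enclosing function starts and ends outside this hunk.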
@@ -463,39 +464,39 @@ SEC_GetSignatureAlgorithmOidTag(KeyType 
                     sigTag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
                     break;
                 default:
                     break;
             }
             break;
         case dsaKey:
             switch (hashAlgTag) {
-                case SEC_OID_UNKNOWN: /* default for DSA if not specified */
                 case SEC_OID_SHA1:
                     sigTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
                     break;
                 case SEC_OID_SHA224:
                     sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST;
                     break;
+                case SEC_OID_UNKNOWN: /* default for DSA if not specified */
                 case SEC_OID_SHA256:
                     sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST;
                     break;
                 default:
                     break;
             }
             break;
         case ecKey:
             switch (hashAlgTag) {
-                case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */
                 case SEC_OID_SHA1:
                     sigTag = SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE;
                     break;
                 case SEC_OID_SHA224:
                     sigTag = SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE;
                     break;
+                case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */
                 case SEC_OID_SHA256:
                     sigTag = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
                     break;
                 case SEC_OID_SHA384:
                     sigTag = SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE;
                     break;
                 case SEC_OID_SHA512:
                     sigTag = SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE;
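Review bot: With `SEC_OID_UNKNOWN` moved onto the SHA-256 labels, the DSA default here no longer matches `SEC_DerSignData` in the previous hunk, which still selects SHA-1 for its `case 320:` key size. Only the key type is visible in this switch, so a DSA key with a short q gets the SHA-256 OID when the caller leaves the hash unspecified. If that is intended, the label comment should say so, e.g. `case SEC_OID_UNKNOWN: /* default for DSA if not specified: SHA-256, independent of q size */`. The RSA default is not visible in this hunk (the function starts and ends outside it), so it is worth checking that it agrees with the new DSA and ECDSA defaults.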
--- a/security/nss/lib/pk11wrap/pk11obj.c
+++ b/security/nss/lib/pk11wrap/pk11obj.c
@@ -151,18 +151,18 @@ PK11_ReadULongAttribute(PK11SlotInfo *sl
     }
     return value;
 }
 
 /*
  * check to see if a bool has been set.
  */
 CK_BBOOL
-PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
-                     CK_ATTRIBUTE_TYPE type, PRBool haslock)
+pk11_HasAttributeSet_Lock(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+                          CK_ATTRIBUTE_TYPE type, PRBool haslock)
 {
     CK_BBOOL ckvalue = CK_FALSE;
     CK_ATTRIBUTE theTemplate;
     CK_RV crv;
 
     /* Prepare to retrieve the attribute. */
     PK11_SETATTRS(&theTemplate, type, &ckvalue, sizeof(CK_BBOOL));
 
@@ -176,16 +176,24 @@ PK11_HasAttributeSet(PK11SlotInfo *slot,
     if (crv != CKR_OK) {
         PORT_SetError(PK11_MapError(crv));
         return CK_FALSE;
     }
 
     return ckvalue;
 }
 
+CK_BBOOL
+PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+                     CK_ATTRIBUTE_TYPE type, PRBool haslock)
+{
+    PR_ASSERT(haslock == PR_FALSE);
+    return pk11_HasAttributeSet_Lock(slot, id, type, PR_FALSE);
+}
+
 /*
  * returns a full list of attributes. Allocate space for them. If an arena is
  * provided, allocate space out of the arena.
  */
 CK_RV
 PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot,
                    CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count)
 {
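Review bot: The new `PK11_HasAttributeSet` wrapper enforces its `haslock` contract only with `PR_ASSERT`, which is normally compiled out of optimised builds, so there a caller passing `PR_TRUE` is silently handled as `PR_FALSE`. The locking code of `pk11_HasAttributeSet_Lock` lies between the two hunks and is not shown, so the effect on a caller that already holds the slot lock should be checked. The wrapper also has no header comment, and the existing "check to see if a bool has been set" comment now sits on the internal function. I would add a comment above the wrapper, e.g. `/* Public entry point; haslock is retained in the signature and must be PR_FALSE. */`, and consider failing explicitly with `PORT_SetError(SEC_ERROR_INVALID_ARGS)` when it is not.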
--- a/security/nss/lib/pk11wrap/pk11priv.h
+++ b/security/nss/lib/pk11wrap/pk11priv.h
@@ -113,20 +113,20 @@ PK11SymKey *pk11_CopyToSlot(PK11SlotInfo
 SECStatus PK11_TraversePrivateKeysInSlot(PK11SlotInfo *slot,
                                          SECStatus (*callback)(SECKEYPrivateKey *, void *), void *arg);
 SECKEYPrivateKey *PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx);
 CK_OBJECT_HANDLE *PK11_FindObjectsFromNickname(char *nickname,
                                                PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount,
                                                void *wincx);
 CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE peer,
                                 CK_OBJECT_CLASS o_class);
-CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot,
-                              CK_OBJECT_HANDLE id,
-                              CK_ATTRIBUTE_TYPE type,
-                              PRBool haslock);
+CK_BBOOL pk11_HasAttributeSet_Lock(PK11SlotInfo *slot,
+                                   CK_OBJECT_HANDLE id,
+                                   CK_ATTRIBUTE_TYPE type,
+                                   PRBool haslock);
 CK_RV PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot,
                          CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count);
 int PK11_NumberCertsForCertSubject(CERTCertificate *cert);
 SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert,
                                        SECStatus (*callback)(CERTCertificate *, void *), void *arg);
 SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1,
                                   PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2);
 SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
--- a/security/nss/lib/pk11wrap/pk11pub.h
+++ b/security/nss/lib/pk11wrap/pk11pub.h
@@ -681,16 +681,20 @@ CK_OBJECT_HANDLE PK11_FindCertInSlot(PK1
                                      void *wincx);
 SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname,
                                               PK11SlotInfo *slot, SECStatus (*callback)(CERTCertificate *, void *),
                                               void *arg);
 CERTCertList *PK11_ListCerts(PK11CertListType type, void *pwarg);
 CERTCertList *PK11_ListCertsInSlot(PK11SlotInfo *slot);
 CERTSignedCrl *PK11_ImportCRL(PK11SlotInfo *slot, SECItem *derCRL, char *url,
                               int type, void *wincx, PRInt32 importOptions, PLArenaPool *arena, PRInt32 decodeOptions);
+CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot,
+                              CK_OBJECT_HANDLE id,
+                              CK_ATTRIBUTE_TYPE type,
+                              PRBool haslock /* must be set to PR_FALSE */);
 
 /**********************************************************************
  *                   Sign/Verify
  **********************************************************************/
 
 /*
  * Return the length in bytes of a signature generated with the
  * private key.