artificial changeset: close fixup head 258e70009023 for tag ROGC_20030129_FREEZE PHOTON_MOZ_PR1_BRANCH
authorcvs2hg
Thu, 21 Feb 2013 22:12:46 +0100
branchPHOTON_MOZ_PR1_BRANCH
changeset 10674 16f8d7793a05ac10b73070a086980397590bc841
parent 4059 a7bc329c9fce423691225654496b5f31d0b16c10 (diff)
parent 4061 258e70009023da458db86f2634f904f3e738be8b (current diff)
child 13642 58a0ed5e35f71311d3509301106dab84dd361cdf
push idunknown
push userunknown
push dateunknown
artificial changeset: close fixup head 258e70009023 for tag ROGC_20030129_FREEZE
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -388,17 +388,17 @@ find_objects
   NSSToken *tok,
   nssSession *sessionOpt,
   CK_ATTRIBUTE_PTR obj_template,
   CK_ULONG otsize,
   PRUint32 maximumOpt,
   PRStatus *statusOpt
 )
 {
-    CK_RV ckrv;
+    CK_RV ckrv = CKR_OK;
     CK_ULONG count;
     CK_OBJECT_HANDLE *objectHandles;
     CK_OBJECT_HANDLE staticObjects[OBJECT_STACK_SIZE];
     PRUint32 arraySize, numHandles;
     void *epv = nssToken_GetCryptokiEPV(tok);
     nssCryptokiObject **objects;
     nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
 
@@ -410,16 +410,17 @@ find_objects
     }
     numHandles = 0;
     if (arraySize <= OBJECT_STACK_SIZE) {
 	objectHandles = staticObjects;
     } else {
 	objectHandles = nss_ZNEWARRAY(NULL, CK_OBJECT_HANDLE, arraySize);
     }
     if (!objectHandles) {
+	ckrv = CKR_HOST_MEMORY;
 	goto loser;
     }
     nssSession_EnterMonitor(session); /* ==== session lock === */
     /* Initialize the find with the template */
     ckrv = CKAPI(epv)->C_FindObjectsInit(session->handle, 
                                          obj_template, otsize);
     if (ckrv != CKR_OK) {
 	nssSession_ExitMonitor(session);
@@ -454,16 +455,17 @@ find_objects
 	    }
 	} else {
 	    objectHandles = nss_ZREALLOCARRAY(objectHandles, 
 	                                  CK_OBJECT_HANDLE, 
 	                                  arraySize);
 	}
 	if (!objectHandles) {
 	    nssSession_ExitMonitor(session);
+	    ckrv = CKR_HOST_MEMORY;
 	    goto loser;
 	}
     }
     ckrv = CKAPI(epv)->C_FindObjectsFinal(session->handle);
     nssSession_ExitMonitor(session); /* ==== end session lock === */
     if (ckrv != CKR_OK) {
 	goto loser;
     }
@@ -478,17 +480,33 @@ find_objects
 	nss_ZFreeIf(objectHandles);
     }
     if (statusOpt) *statusOpt = PR_SUCCESS;
     return objects;
 loser:
     if (objectHandles && objectHandles != staticObjects) {
 	nss_ZFreeIf(objectHandles);
     }
-    if (statusOpt) *statusOpt = PR_FAILURE;
+    /*
+     * These errors should be treated the same as if the objects just weren't
+     * found..
+     */
+    if ((ckrv == CKR_ATTRIBUTE_TYPE_INVALID) ||
+	(ckrv == CKR_ATTRIBUTE_VALUE_INVALID) ||
+	(ckrv == CKR_DATA_INVALID) ||
+	(ckrv == CKR_DATA_LEN_RANGE) ||
+	(ckrv == CKR_FUNCTION_NOT_SUPPORTED) ||
+	(ckrv == CKR_TEMPLATE_INCOMPLETE) ||
+	(ckrv == CKR_TEMPLATE_INCONSISTENT)) {
+
+	nss_SetError(NSS_ERROR_NOT_FOUND);
+	if (statusOpt) *statusOpt = PR_SUCCESS;
+    } else {
+	if (statusOpt) *statusOpt = PR_FAILURE;
+    }
     return (nssCryptokiObject **)NULL;
 }
 
 static nssCryptokiObject **
 find_objects_by_template
 (
   NSSToken *token,
   nssSession *sessionOpt,
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -44,21 +44,21 @@ SEC_BEGIN_PROTOS
 
 /*
  * NSS's major version, minor version, patch level, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>] [<Beta>]"
  */
-#define NSS_VERSION  "3.7.1 Beta"
+#define NSS_VERSION  "3.7.1"
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   7
 #define NSS_VPATCH   1
-#define NSS_BETA     PR_TRUE
+#define NSS_BETA     PR_FALSE
 
 
 /*
  * Return a boolean that indicates whether the underlying library
  * will perform as the caller expects.
  *
  * The only argument is a string, which should be the verson
  * identifier of the NSS library. That string will be compared
--- a/security/nss/lib/pk11wrap/pk11func.h
+++ b/security/nss/lib/pk11wrap/pk11func.h
@@ -125,16 +125,17 @@ void PK11_ClearSlotList(PK11SlotInfo *sl
  ******************************************************************/
 PRBool PK11_VerifyMechanism(PK11SlotInfo *slot,PK11SlotInfo *intern,
   CK_MECHANISM_TYPE mech, SECItem *data, SECItem *iv);
 PRBool PK11_VerifySlotMechanisms(PK11SlotInfo *slot);
 SECStatus pk11_CheckVerifyTest(PK11SlotInfo *slot);
 SECStatus PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts);
 SECStatus PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
 void PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot);
+SECStatus PK11_TokenRefresh(PK11SlotInfo *slot);
 
 
 /******************************************************************
  *           Slot info functions
  ******************************************************************/
 PK11SlotInfo *PK11_FindSlotByName(char *name);
 PK11SlotInfo *PK11_FindSlotBySerial(char *serial);
 PRBool PK11_IsReadOnly(PK11SlotInfo *slot);
--- a/security/nss/lib/pk11wrap/pk11skey.c
+++ b/security/nss/lib/pk11wrap/pk11skey.c
@@ -944,50 +944,52 @@ PK11_MakePrivKey(PK11SlotInfo *slot, Key
 
     return privKey;
 }
 
 /* return the keylength if possible.  '0' if not */
 unsigned int
 PK11_GetKeyLength(PK11SymKey *key)
 {
-   if (key->size != 0) return key->size ;
+    CK_KEY_TYPE keyType;
+
+    if (key->size != 0) return key->size;
+
+    /* First try to figure out the key length from its type */
+    keyType = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_KEY_TYPE);
+    switch (keyType) {
+      case CKK_DES: key->size = 8; break;
+      case CKK_DES2: key->size = 16; break;
+      case CKK_DES3: key->size = 24; break;
+      case CKK_SKIPJACK: key->size = 10; break;
+      case CKK_BATON: key->size = 20; break;
+      case CKK_JUNIPER: key->size = 20; break;
+      case CKK_GENERIC_SECRET:
+	if (key->type == CKM_SSL3_PRE_MASTER_KEY_GEN)  {
+	    key->size=48;
+	}
+	break;
+      default: break;
+    }
+   if( key->size != 0 ) return key->size;
+
    if (key->data.data == NULL) {
 	PK11_ExtractKeyValue(key);
    }
-   /* key is probably secret. Look up it's type and length */
+   /* key is probably secret. Look up its length */
    /*  this is new PKCS #11 version 2.0 functionality. */
    if (key->size == 0) {
 	CK_ULONG keyLength;
 
 	keyLength = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_VALUE_LEN);
-	/* doesn't have a length field, check the known PKCS #11 key types,
-	 * which don't have this field */
-	if (keyLength == CK_UNAVAILABLE_INFORMATION) {
-	    CK_KEY_TYPE keyType;
-	    keyType = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_KEY_TYPE);
-	    switch (keyType) {
-	    case CKK_DES: key->size = 8; break;
-	    case CKK_DES2: key->size = 16; break;
-	    case CKK_DES3: key->size = 24; break;
-	    case CKK_SKIPJACK: key->size = 10; break;
-	    case CKK_BATON: key->size = 20; break;
-	    case CKK_JUNIPER: key->size = 20; break;
-	    case CKK_GENERIC_SECRET:
-		if (key->type == CKM_SSL3_PRE_MASTER_KEY_GEN)  {
-		    key->size=48;
-		}
-		break;
-	    default: break;
-	    }
-	} else {
+	if (keyLength != CK_UNAVAILABLE_INFORMATION) {
 	    key->size = (unsigned int)keyLength;
 	}
     }
-	
+
    return key->size;
 }
 
 /* return the strength of a key. This is different from length in that
  * 1) it returns the size in bits, and 2) it returns only the secret portions
  * of the key minus any checksums or parity.
  */
 unsigned int
@@ -1370,16 +1372,17 @@ PK11_TokenKeyGen(PK11SlotInfo *slot, CK_
 	mechanism.pParameter = param->data;
 	mechanism.ulParameterLen = param->len;
     }
 
     /* Get session and perform locking */
     if (isToken) {
 	PK11_Authenticate(symKey->slot,PR_TRUE,wincx);
         session = PK11_GetRWSession(symKey->slot);  /* Should always be original slot */
+	symKey->owner = PR_FALSE;
     } else {
         session = symKey->session;
         pk11_EnterKeyMonitor(symKey);
     }
 
     crv = PK11_GETTAB(symKey->slot)->C_GenerateKey(session,
 			 &mechanism, genTemplate, count, &symKey->objectID);
 
@@ -4118,32 +4121,42 @@ finalize:
 	                                              buffer, &count);
 	break;
     default:
 	crv = CKR_OPERATION_NOT_INITIALIZED;
 	break;
     }
 
     if (crv != CKR_OK) {
+	if (buffer != stackBuf) {
+	    PORT_Free(buffer);
+	}
 	if (crv == CKR_OPERATION_NOT_INITIALIZED) {
 	    /* if there's no operation, it is finalized */
 	    return SECSuccess;
 	}
         PORT_SetError( PK11_MapError(crv) );
         return SECFailure;
     }
 
     /* try to finalize the session with a buffer */
-    if (buffer == NULL && count > 0) { 
-	if (count < sizeof stackBuf) {
+    if (buffer == NULL) { 
+	if (count <= sizeof stackBuf) {
 	    buffer = stackBuf;
-	    goto finalize;
 	} else {
-	    return SECFailure;
+	    buffer = PORT_Alloc(count);
+	    if (buffer == NULL) {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		return SECFailure;
+	    }
 	}
+	goto finalize;
+    }
+    if (buffer != stackBuf) {
+	PORT_Free(buffer);
     }
     return SECSuccess;
 }
 
 /*
  *  Return the final digested or signed data...
  *  this routine can either take pre initialized data, or allocate data
  *  either out of an arena or out of the standard heap.
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -2220,39 +2220,44 @@ PK11Slot * pk11_NewSlotFromID(CK_SLOT_ID
     nscSlotList[index][nscSlotCount[index]++] = slotID;
 
     return slot;
 }
 
 static SECStatus
 pk11_set_user(NSSLOWCERTCertificate *cert, SECItem *dummy, void *arg)
 {
-    NSSLOWKEYDBHandle *keydb = (NSSLOWKEYDBHandle *)arg;
-
-    if (nsslowkey_KeyForCertExists(keydb,cert)) {
-	cert->trust->sslFlags |= CERTDB_USER;
-	cert->trust->emailFlags |= CERTDB_USER;
-	cert->trust->objectSigningFlags |= CERTDB_USER;
+    PK11Slot  *slot = (PK11Slot *)arg;
+    NSSLOWCERTCertTrust trust = *cert->trust;
+
+    if (nsslowkey_KeyForCertExists(slot->keyDB,cert)) {
+	trust.sslFlags |= CERTDB_USER;
+	trust.emailFlags |= CERTDB_USER;
+	trust.objectSigningFlags |= CERTDB_USER;
     } else {
-	cert->trust->sslFlags &= ~CERTDB_USER;
-	cert->trust->emailFlags &= ~CERTDB_USER;
-	cert->trust->objectSigningFlags &= ~CERTDB_USER;
+	trust.sslFlags &= ~CERTDB_USER;
+	trust.emailFlags &= ~CERTDB_USER;
+	trust.objectSigningFlags &= ~CERTDB_USER;
+    }
+
+    if (PORT_Memcmp(&trust,cert->trust, sizeof (trust)) != 0) {
+	nsslowcert_ChangeCertTrust(slot->certDB,cert, &trust);
     }
 
     /* should check for email address and make sure we have an s/mime profile */
     return SECSuccess;
 }
 
 static  void
 pk11_DBVerify(PK11Slot *slot)
 {
     /* walk through all the certs and check to see if there are any 
      * user certs, and make sure there are s/mime profiles for all certs with
      * email addresses */
-    nsslowcert_TraversePermCerts(slot->certDB,pk11_set_user,slot->keyDB);
+    nsslowcert_TraversePermCerts(slot->certDB,pk11_set_user,slot);
 
     return;
 }
 
 /*
  * initialize one of the slot structures. figure out which by the ID
  */
 CK_RV