Bug 1088969 - Upgrade Mozilla 36 to use NSS 3.18 - NSS_3_18_BETA3, r=wtc
authorKai Engert <kaie@kuix.de>
Thu, 20 Nov 2014 20:29:15 +0100
changeset 241011 78275e2f0b36093f6f3fffe1bf9cba943ad7eb08
parent 241010 57e7c5f093ea7b2e0263e09a316dfdc35a0428be
child 241012 7f9005cad6e04e1c9c596389b6d47369c0be1f45
push id4311
push userraliiev@mozilla.com
push dateMon, 12 Jan 2015 19:37:41 +0000
reviewerswtc
bugs1088969
milestone36.0a1
Bug 1088969 - Upgrade Mozilla 36 to use NSS 3.18 - NSS_3_18_BETA3, r=wtc
security/nss/TAG-INFO
security/nss/coreconf/coreconf.dep
security/nss/lib/pki/pki3hack.c
security/nss/lib/pki/pki3hack.h
security/nss/lib/pki/pkistore.c
security/nss/lib/pki/tdcache.c
security/nss/lib/pki/trustdomain.c
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_18_BETA2
+NSS_3_18_BETA3
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -242,37 +242,38 @@ STAN_GetCertIdentifierFromDER(NSSArena *
 	return NULL;
     }
     rvKey = nssItem_Create(arenaOpt, NULL, secKey.len, (void *)secKey.data);
     PORT_FreeArena(arena,PR_FALSE);
     return rvKey;
 }
 
 NSS_IMPLEMENT PRStatus
-nssPKIX509_GetIssuerAndSerialFromDER(NSSDER *der, NSSArena *arena, 
+nssPKIX509_GetIssuerAndSerialFromDER(NSSDER *der,
                                      NSSDER *issuer, NSSDER *serial)
 {
-    SECStatus secrv;
-    SECItem derCert;
+    SECItem derCert   = { 0 };
     SECItem derIssuer = { 0 };
     SECItem derSerial = { 0 };
-    SECITEM_FROM_NSSITEM(&derCert, der);
-    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
+    SECStatus secrv;
+    derCert.data = (unsigned char *)der->data;
+    derCert.len = der->size;
+    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
     if (secrv != SECSuccess) {
 	return PR_FAILURE;
     }
-    (void)nssItem_Create(arena, serial, derSerial.len, derSerial.data);
-    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
+    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
     if (secrv != SECSuccess) {
 	PORT_Free(derSerial.data);
 	return PR_FAILURE;
     }
-    (void)nssItem_Create(arena, issuer, derIssuer.len, derIssuer.data);
-    PORT_Free(derSerial.data);
-    PORT_Free(derIssuer.data);
+    issuer->data = derIssuer.data;
+    issuer->size = derIssuer.len;
+    serial->data = derSerial.data;
+    serial->size = derSerial.len;
     return PR_SUCCESS;
 }
 
 static NSSItem *
 nss3certificate_getIdentifier(nssDecodedCert *dc)
 {
     NSSItem *rvID;
     CERTCertificate *c = (CERTCertificate *)dc->data;
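Review bot: The failure branch after `CERT_SerialNumberFromDERCert` still calls `PORT_Free(derSerial.data)`, but with the two extraction calls reordered the buffer that is live at that point is `derIssuer.data`, so it leaks whenever the issuer parses and the serial number does not. The static helper this commit removes from pkistore.c freed the issuer on that same path; here the branch should gain `PORT_Free(derIssuer.data);` before `return PR_FAILURE;`. The callers changed in pkistore.c, tdcache.c and trustdomain.c all return NULL on failure without freeing anything, so they depend on this function to clean up after itself. If `der` can come from an untrusted source (not visible in this hunk), the leak is reachable with malformed certificates and can be repeated.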
--- a/security/nss/lib/pki/pki3hack.h
+++ b/security/nss/lib/pki/pki3hack.h
@@ -72,17 +72,17 @@ nssTrust_GetCERTCertTrustForCert(NSSCert
 
 NSS_EXTERN PRStatus
 STAN_DeleteCertTrustMatchingSlot(NSSCertificate *c);
 
 NSS_EXTERN PRStatus
 STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust);
 
 NSS_EXTERN PRStatus
-nssPKIX509_GetIssuerAndSerialFromDER(NSSDER *der, NSSArena *arena, 
+nssPKIX509_GetIssuerAndSerialFromDER(NSSDER *der,
                                      NSSDER *issuer, NSSDER *serial);
 
 NSS_EXTERN char *
 STAN_GetCERTCertificateName(PLArenaPool *arenaOpt, NSSCertificate *c);
 
 NSS_EXTERN char *
 STAN_GetCERTCertificateNameForInstance(PLArenaPool *arenaOpt,
                                        NSSCertificate *c,
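Review bot: The changed prototype carries no comment stating the new ownership rule: with the `arena` parameter gone, the implementation in pki3hack.c hands `derIssuer.data` and `derSerial.data` straight to the caller. I would add above the declaration `/* On PR_SUCCESS, issuer->data and serial->data are owned by the caller, who must PORT_Free() both; on PR_FAILURE neither output is written. */`. The callers in pkistore.c and trustdomain.c visibly follow this, while the tail of the tdcache.c caller lies outside its hunk and should be checked against the same rule.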
--- a/security/nss/lib/pki/pkistore.c
+++ b/security/nss/lib/pki/pkistore.c
@@ -18,16 +18,17 @@
 #include "base.h"
 #endif /* BASE_H */
 
 #ifndef PKISTORE_H
 #include "pkistore.h"
 #endif /* PKISTORE_H */
 
 #include "cert.h"
+#include "pki3hack.h"
 
 #include "prbit.h"
 
 /* 
  * Certificate Store
  *
  * This differs from the cache in that it is a true storage facility.  Items
  * stay in until they are explicitly removed.  It is only used by crypto
@@ -549,53 +550,26 @@ nssCertificateStore_FindCertificateByIss
 
     PZ_Lock(store->lock);
     rvCert = nssCertStore_FindCertByIssuerAndSerialNumberLocked (
                            store, issuer, serial);
     PZ_Unlock(store->lock);
     return rvCert;
 }
 
-static PRStatus
-issuer_and_serial_from_encoding (
-  NSSBER *encoding, 
-  NSSDER *issuer, 
-  NSSDER *serial
-)
-{
-    SECItem derCert, derIssuer, derSerial;
-    SECStatus secrv;
-    derCert.data = (unsigned char *)encoding->data;
-    derCert.len = encoding->size;
-    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
-    if (secrv != SECSuccess) {
-	return PR_FAILURE;
-    }
-    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
-    if (secrv != SECSuccess) {
-	PORT_Free(derIssuer.data);
-	return PR_FAILURE;
-    }
-    issuer->data = derIssuer.data;
-    issuer->size = derIssuer.len;
-    serial->data = derSerial.data;
-    serial->size = derSerial.len;
-    return PR_SUCCESS;
-}
-
 NSS_IMPLEMENT NSSCertificate *
 nssCertificateStore_FindCertificateByEncodedCertificate (
   nssCertificateStore *store,
   NSSDER *encoding
 )
 {
     PRStatus nssrv = PR_FAILURE;
     NSSDER issuer, serial;
     NSSCertificate *rvCert = NULL;
-    nssrv = issuer_and_serial_from_encoding(encoding, &issuer, &serial);
+    nssrv = nssPKIX509_GetIssuerAndSerialFromDER(encoding, &issuer, &serial);
     if (nssrv != PR_SUCCESS) {
 	return NULL;
     }
     rvCert = nssCertificateStore_FindCertificateByIssuerAndSerialNumber(store, 
                                                                      &issuer, 
                                                                      &serial);
     PORT_Free(issuer.data);
     PORT_Free(serial.data);
--- a/security/nss/lib/pki/tdcache.c
+++ b/security/nss/lib/pki/tdcache.c
@@ -1041,55 +1041,29 @@ nssTrustDomain_GetCertForIssuerAndSNFrom
 #ifdef DEBUG_CACHE
 	PR_LOG(s_log, PR_LOG_DEBUG, ("... found, %d hits", ce->hits));
 #endif
     }
     PZ_Unlock(td->cache->lock);
     return rvCert;
 }
 
-static PRStatus
-issuer_and_serial_from_encoding (
-  NSSBER *encoding, 
-  NSSDER *issuer, 
-  NSSDER *serial
-)
-{
-    SECItem derCert, derIssuer, derSerial;
-    SECStatus secrv;
-    derCert.data = (unsigned char *)encoding->data;
-    derCert.len = encoding->size;
-    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
-    if (secrv != SECSuccess) {
-	return PR_FAILURE;
-    }
-    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
-    if (secrv != SECSuccess) {
-	return PR_FAILURE;
-    }
-    issuer->data = derIssuer.data;
-    issuer->size = derIssuer.len;
-    serial->data = derSerial.data;
-    serial->size = derSerial.len;
-    return PR_SUCCESS;
-}
-
 /*
  * Look for a specific cert in the cache
  */
 NSS_IMPLEMENT NSSCertificate *
 nssTrustDomain_GetCertByDERFromCache (
   NSSTrustDomain *td,
   NSSDER *der
 )
 {
     PRStatus nssrv = PR_FAILURE;
     NSSDER issuer, serial;
     NSSCertificate *rvCert;
-    nssrv = issuer_and_serial_from_encoding(der, &issuer, &serial);
+    nssrv = nssPKIX509_GetIssuerAndSerialFromDER(der, &issuer, &serial);
     if (nssrv != PR_SUCCESS) {
 	return NULL;
     }
 #ifdef DEBUG_CACHE
     log_item_dump("looking for cert by DER", der);
 #endif
     rvCert = nssTrustDomain_GetCertForIssuerAndSNFromCache(td, 
                                                            &issuer, &serial);
--- a/security/nss/lib/pki/trustdomain.c
+++ b/security/nss/lib/pki/trustdomain.c
@@ -826,30 +826,26 @@ nssTrustDomain_FindCertificateByEncodedC
   NSSTrustDomain *td,
   NSSBER *ber
 )
 {
     PRStatus status;
     NSSCertificate *rvCert = NULL;
     NSSDER issuer = { 0 };
     NSSDER serial = { 0 };
-    NSSArena *arena = nssArena_Create();
-    if (!arena) {
-	return (NSSCertificate *)NULL;
-    }
     /* XXX this is not generic...  will any cert crack into issuer/serial? */
-    status = nssPKIX509_GetIssuerAndSerialFromDER(ber, arena, &issuer, &serial);
+    status = nssPKIX509_GetIssuerAndSerialFromDER(ber, &issuer, &serial);
     if (status != PR_SUCCESS) {
-	goto finish;
+	return NULL;
     }
     rvCert = nssTrustDomain_FindCertificateByIssuerAndSerialNumber(td,
                                                                    &issuer,
                                                                    &serial);
-finish:
-    nssArena_Destroy(arena);
+    PORT_Free(issuer.data);
+    PORT_Free(serial.data);
     return rvCert;
 }
 
 NSS_IMPLEMENT NSSCertificate *
 NSSTrustDomain_FindCertificateByEncodedCertificate (
   NSSTrustDomain *td,
   NSSBER *ber
 )