summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMoonchild <moonchild@palemoon.org>2022-07-27 06:07:45 +0000
committerMoonchild <moonchild@palemoon.org>2022-07-27 06:07:45 +0000
commitb110549cbd2a6f9efd11b33180b4a410f271923a (patch)
treec9b4f9d1106ce31ba75e0c51810db0d6da61345e
parent971047835a5ba34252a0adfbbdc7ed63252bb1d3 (diff)
parentcfe63a24341e345f67e3f02a4dc5ecaa8c53f1d5 (diff)
downloaduxp-b110549cbd2a6f9efd11b33180b4a410f271923a.tar.gz
Merge branch 'master' into releaseRC_20220728RB_20220802
-rw-r--r--dom/performance/PerformanceResourceTiming.h4
-rw-r--r--security/nss/coreconf/coreconf.dep1
-rw-r--r--security/nss/lib/certdb/certdb.c6
-rw-r--r--security/nss/lib/certdb/certv3.c2
-rw-r--r--security/nss/lib/certdb/certxutl.c6
-rw-r--r--security/nss/lib/nss/nss.h4
-rw-r--r--security/nss/lib/softoken/pkcs11.c67
-rw-r--r--security/nss/lib/softoken/pkcs11i.h2
-rw-r--r--security/nss/lib/softoken/sftkdb.c14
-rw-r--r--security/nss/lib/softoken/sftkpwd.c6
-rw-r--r--security/nss/lib/softoken/softkver.h4
-rw-r--r--security/nss/lib/util/nssutil.h4
12 files changed, 88 insertions, 32 deletions
diff --git a/dom/performance/PerformanceResourceTiming.h b/dom/performance/PerformanceResourceTiming.h
index b4775d4322..63a8c24149 100644
--- a/dom/performance/PerformanceResourceTiming.h
+++ b/dom/performance/PerformanceResourceTiming.h
@@ -54,7 +54,9 @@ public:
void GetNextHopProtocol(nsAString& aNextHopProtocol) const
{
- aNextHopProtocol = mNextHopProtocol;
+ if (mTiming && mTiming->TimingAllowed()) {
+ aNextHopProtocol = mNextHopProtocol;
+ }
}
void SetNextHopProtocol(const nsAString& aNextHopProtocol)
diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep
index 5182f75552..590d1bfaee 100644
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -10,3 +10,4 @@
*/
#error "Do not include this header file."
+
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 0796fe5d75..80dccee125 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -384,9 +384,9 @@ GetKeyUsage(CERTCertificate *cert)
rv = CERT_FindKeyUsageExtension(cert, &tmpitem);
if (rv == SECSuccess) {
/* remember the actual value of the extension */
- cert->rawKeyUsage = tmpitem.data[0];
+ cert->rawKeyUsage = tmpitem.len ? tmpitem.data[0] : 0;
cert->keyUsagePresent = PR_TRUE;
- cert->keyUsage = tmpitem.data[0];
+ cert->keyUsage = cert->rawKeyUsage;
PORT_Free(tmpitem.data);
tmpitem.data = NULL;
@@ -506,7 +506,7 @@ cert_ComputeCertType(CERTCertificate *cert)
isCA = basicConstraint.isCA;
}
if (tmpitem.data != NULL || extKeyUsage != NULL) {
- if (tmpitem.data == NULL) {
+ if (tmpitem.data == NULL || tmpitem.len == 0) {
nsCertType = 0;
} else {
nsCertType = tmpitem.data[0];
diff --git a/security/nss/lib/certdb/certv3.c b/security/nss/lib/certdb/certv3.c
index d27fc1ba0d..f00b88f1d7 100644
--- a/security/nss/lib/certdb/certv3.c
+++ b/security/nss/lib/certdb/certv3.c
@@ -213,7 +213,7 @@ CERT_CheckCertUsage(CERTCertificate *cert, unsigned char usage)
if (rv == SECFailure) {
rv = (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) ? SECSuccess
: SECFailure;
- } else if (!keyUsage.data || !(keyUsage.data[0] & usage)) {
+ } else if (!keyUsage.data || !keyUsage.len || !(keyUsage.data[0] & usage)) {
PORT_SetError(SEC_ERROR_CERT_USAGES_INVALID);
rv = SECFailure;
}
diff --git a/security/nss/lib/certdb/certxutl.c b/security/nss/lib/certdb/certxutl.c
index c53f15cdff..eb1cb1485f 100644
--- a/security/nss/lib/certdb/certxutl.c
+++ b/security/nss/lib/certdb/certxutl.c
@@ -417,12 +417,14 @@ CERT_FindBitStringExtension(CERTCertExtension **extensions, int tag,
goto loser;
}
- retItem->data = (unsigned char *)PORT_Alloc((tmpItem.len + 7) >> 3);
+ retItem->data = (unsigned char *)PORT_ZAlloc((tmpItem.len + 7) >> 3);
if (retItem->data == NULL) {
goto loser;
}
- PORT_Memcpy(retItem->data, tmpItem.data, (tmpItem.len + 7) >> 3);
+ if (tmpItem.len > 0) {
+ PORT_Memcpy(retItem->data, tmpItem.data, (tmpItem.len + 7) >> 3);
+ }
retItem->len = tmpItem.len;
rv = SECSuccess;
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
index 47e8ddafd8..cd4c48593a 100644
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -22,10 +22,10 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define NSS_VERSION "3.52.7" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.52.8" _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 52
-#define NSS_VPATCH 7
+#define NSS_VPATCH 8
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index 93150cd789..ed723985a6 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -1652,6 +1652,7 @@ sftk_handleObject(SFTKObject *object, SFTKSession *session)
CK_OBJECT_HANDLE handle;
CK_BBOOL ckfalse = CK_FALSE;
CK_BBOOL cktrue = CK_TRUE;
+ PRBool isLoggedIn, needLogin;
CK_RV crv;
/* make sure all the base object types are defined. If not set the
@@ -1669,9 +1670,13 @@ sftk_handleObject(SFTKObject *object, SFTKSession *session)
if (crv != CKR_OK)
return crv;
+ PZ_Lock(slot->slotLock);
+ isLoggedIn = slot->isLoggedIn;
+ needLogin = slot->needLogin;
+ PZ_Unlock(slot->slotLock);
+
/* don't create a private object if we aren't logged in */
- if ((!slot->isLoggedIn) && (slot->needLogin) &&
- (sftk_isTrue(object, CKA_PRIVATE))) {
+ if (!isLoggedIn && needLogin && (sftk_isTrue(object, CKA_PRIVATE))) {
return CKR_USER_NOT_LOGGED_IN;
}
@@ -3617,11 +3622,18 @@ NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
static PRBool
sftk_checkNeedLogin(SFTKSlot *slot, SFTKDBHandle *keyHandle)
{
+ PRBool needLogin;
if (sftkdb_PWCached(keyHandle) == SECSuccess) {
- return slot->needLogin;
+ PZ_Lock(slot->slotLock);
+ needLogin = slot->needLogin;
+ PZ_Unlock(slot->slotLock);
+ } else {
+ needLogin = (PRBool)!sftk_hasNullPassword(slot, keyHandle);
+ PZ_Lock(slot->slotLock);
+ slot->needLogin = needLogin;
+ PZ_Unlock(slot->slotLock);
}
- slot->needLogin = (PRBool)!sftk_hasNullPassword(slot, keyHandle);
- return (slot->needLogin);
+ return needLogin;
}
static PRBool
@@ -4021,8 +4033,11 @@ NSC_InitPIN(CK_SESSION_HANDLE hSession,
/* Now update our local copy of the pin */
if (rv == SECSuccess) {
- if (ulPinLen == 0)
+ if (ulPinLen == 0) {
+ PZ_Lock(slot->slotLock);
slot->needLogin = PR_FALSE;
+ PZ_Unlock(slot->slotLock);
+ }
/* database has been initialized, now force min password in FIPS
* mode. NOTE: if we are in level1, we may not have a password, but
* forcing it now will prevent an insufficient password from being set.
@@ -4057,6 +4072,7 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
char newPinStr[SFTK_MAX_PIN + 1], oldPinStr[SFTK_MAX_PIN + 1];
SECStatus rv;
CK_RV crv = CKR_SESSION_HANDLE_INVALID;
+ PRBool needLogin;
PRBool tokenRemoved = PR_FALSE;
CHECK_FORK();
@@ -4077,7 +4093,10 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
return CKR_PIN_LEN_RANGE; /* XXX FIXME wrong return value */
}
- if (slot->needLogin && sp->info.state != CKS_RW_USER_FUNCTIONS) {
+ PZ_Lock(slot->slotLock);
+ needLogin = slot->needLogin;
+ PZ_Unlock(slot->slotLock);
+ if (needLogin && sp->info.state != CKS_RW_USER_FUNCTIONS) {
crv = CKR_USER_NOT_LOGGED_IN;
goto loser;
}
@@ -4305,6 +4324,8 @@ NSC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
CK_RV crv;
char pinStr[SFTK_MAX_PIN + 1];
PRBool tokenRemoved = PR_FALSE;
+ PRBool isLoggedIn;
+ PRBool needLogin;
CHECK_FORK();
@@ -4328,9 +4349,14 @@ NSC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
return CKR_USER_TYPE_INVALID;
}
- if (slot->isLoggedIn)
+ PZ_Lock(slot->slotLock);
+ isLoggedIn = slot->isLoggedIn;
+ needLogin = slot->needLogin;
+ PZ_Unlock(slot->slotLock);
+
+ if (isLoggedIn)
return CKR_USER_ALREADY_LOGGED_IN;
- if (!slot->needLogin) {
+ if (!needLogin) {
return ulPinLen ? CKR_PIN_INCORRECT : CKR_OK;
}
slot->ssoLoggedIn = PR_FALSE;
@@ -4793,7 +4819,7 @@ NSC_GetAttributeValue(CK_SESSION_HANDLE hSession,
SFTKSession *session;
SFTKObject *object;
SFTKAttribute *attribute;
- PRBool sensitive;
+ PRBool sensitive, isLoggedIn, needLogin;
CK_RV crv;
int i;
@@ -4824,9 +4850,13 @@ NSC_GetAttributeValue(CK_SESSION_HANDLE hSession,
return CKR_OBJECT_HANDLE_INVALID;
}
+ PZ_Lock(slot->slotLock);
+ isLoggedIn = slot->isLoggedIn;
+ needLogin = slot->needLogin;
+ PZ_Unlock(slot->slotLock);
+
/* don't read a private object if we aren't logged in */
- if ((!slot->isLoggedIn) && (slot->needLogin) &&
- (sftk_isTrue(object, CKA_PRIVATE))) {
+ if (!isLoggedIn && needLogin && (sftk_isTrue(object, CKA_PRIVATE))) {
sftk_FreeObject(object);
return CKR_USER_NOT_LOGGED_IN;
}
@@ -4867,7 +4897,7 @@ NSC_SetAttributeValue(CK_SESSION_HANDLE hSession,
SFTKSession *session;
SFTKAttribute *attribute;
SFTKObject *object;
- PRBool isToken;
+ PRBool isToken, isLoggedIn, needLogin;
CK_RV crv = CKR_OK;
CK_BBOOL legal;
int i;
@@ -4891,9 +4921,13 @@ NSC_SetAttributeValue(CK_SESSION_HANDLE hSession,
return CKR_OBJECT_HANDLE_INVALID;
}
+ PZ_Lock(slot->slotLock);
+ isLoggedIn = slot->isLoggedIn;
+ needLogin = slot->needLogin;
+ PZ_Unlock(slot->slotLock);
+
/* don't modify a private object if we aren't logged in */
- if ((!slot->isLoggedIn) && (slot->needLogin) &&
- (sftk_isTrue(object, CKA_PRIVATE))) {
+ if (!isLoggedIn && needLogin && (sftk_isTrue(object, CKA_PRIVATE))) {
sftk_FreeSession(session);
sftk_FreeObject(object);
return CKR_USER_NOT_LOGGED_IN;
@@ -5171,7 +5205,10 @@ NSC_FindObjectsInit(CK_SESSION_HANDLE hSession,
search->index = 0;
search->size = 0;
search->array_size = NSC_SEARCH_BLOCK_SIZE;
+
+ PZ_Lock(slot->slotLock);
isLoggedIn = (PRBool)((!slot->needLogin) || slot->isLoggedIn);
+ PZ_Unlock(slot->slotLock);
crv = sftk_searchTokenList(slot, search, pTemplate, ulCount, isLoggedIn);
if (crv != CKR_OK) {
diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h
index 1630442c9f..0e5153b7b0 100644
--- a/security/nss/lib/softoken/pkcs11i.h
+++ b/security/nss/lib/softoken/pkcs11i.h
@@ -318,7 +318,7 @@ struct SFTKSessionStr {
* object hash tables (sessObjHashTable[] and tokObjHashTable), and
* sessionObjectHandleCount.
* slotLock protects the remaining protected elements:
- * password, isLoggedIn, ssoLoggedIn, and sessionCount,
+ * password, needLogin, isLoggedIn, ssoLoggedIn, and sessionCount,
* and pwCheckLock serializes the key database password checks in
* NSC_SetPIN and NSC_Login.
*
diff --git a/security/nss/lib/softoken/sftkdb.c b/security/nss/lib/softoken/sftkdb.c
index a1a723fe87..60e9621759 100644
--- a/security/nss/lib/softoken/sftkdb.c
+++ b/security/nss/lib/softoken/sftkdb.c
@@ -337,7 +337,7 @@ sftkdb_fixupTemplateOut(CK_ATTRIBUTE *template, CK_OBJECT_HANDLE objectID,
if ((keyHandle == NULL) ||
((SFTK_GET_SDB(keyHandle)->sdb_flags & SDB_HAS_META) == 0) ||
- (keyHandle->passwordKey.data == NULL)) {
+ (sftkdb_PWCached(keyHandle) != SECSuccess)) {
checkSig = PR_FALSE;
}
@@ -1601,10 +1601,14 @@ sftkdb_CloseDB(SFTKDBHandle *handle)
}
(*handle->db->sdb_Close)(handle->db);
}
+ if (handle->passwordLock) {
+ PZ_Lock(handle->passwordLock);
+ }
if (handle->passwordKey.data) {
PORT_ZFree(handle->passwordKey.data, handle->passwordKey.len);
}
if (handle->passwordLock) {
+ PZ_Unlock(handle->passwordLock);
SKIP_AFTER_FORK(PZ_DestroyLock(handle->passwordLock));
}
if (handle->updatePasswordKey) {
@@ -2681,7 +2685,7 @@ sftkdb_ResetKeyDB(SFTKDBHandle *handle)
{
CK_RV crv;
- /* only rest the key db */
+ /* only reset the key db */
if (handle->type != SFTK_KEYDB_TYPE) {
return SECFailure;
}
@@ -2690,6 +2694,12 @@ sftkdb_ResetKeyDB(SFTKDBHandle *handle)
/* set error */
return SECFailure;
}
+ PZ_Lock(handle->passwordLock);
+ if (handle->passwordKey.data) {
+ SECITEM_ZfreeItem(&handle->passwordKey, PR_FALSE);
+ handle->passwordKey.data = NULL;
+ }
+ PZ_Unlock(handle->passwordLock);
return SECSuccess;
}
diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c
index 83e881f1d9..73294d4631 100644
--- a/security/nss/lib/softoken/sftkpwd.c
+++ b/security/nss/lib/softoken/sftkpwd.c
@@ -1085,7 +1085,11 @@ done:
SECStatus
sftkdb_PWCached(SFTKDBHandle *keydb)
{
- return keydb->passwordKey.data ? SECSuccess : SECFailure;
+ SECStatus rv;
+ PZ_Lock(keydb->passwordLock);
+ rv = keydb->passwordKey.data ? SECSuccess : SECFailure;
+ PZ_Unlock(keydb->passwordLock);
+ return rv;
}
static CK_RV
diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h
index 06d4e82bfd..cb1a3f1fe9 100644
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -17,10 +17,10 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define SOFTOKEN_VERSION "3.52.7" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.52.8" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 52
-#define SOFTOKEN_VPATCH 7
+#define SOFTOKEN_VPATCH 8
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE
diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h
index 6267f4234a..a7cbf184c8 100644
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -19,10 +19,10 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
-#define NSSUTIL_VERSION "3.52.7"
+#define NSSUTIL_VERSION "3.52.8"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 52
-#define NSSUTIL_VPATCH 7
+#define NSSUTIL_VPATCH 8
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE