Back out pcertdb patch attached to wrong branch.NSS_3_89_BRANCH

8 files changed, 9 insertions, 69 deletions

diff --git a/lib/dev/ckhelper.c b/lib/dev/ckhelper.c
index 8ebf58fab..4f3972653 100644
--- a/lib/dev/ckhelper.c
+++ b/lib/dev/ckhelper.c
@@ -398,9 +398,6 @@ nssCryptokiTrust_GetAttributes(
     NSSSlot *slot;
     nssSession *session;
     CK_BBOOL isToken = PR_FALSE;
-    /* default values if the trust is record does not exist. In the highly
-     * unlikely case that these change, be sure to update softoken's
-     * 'sftkdb_isNullTrust()' function */
     CK_BBOOL stepUp = PR_FALSE;
     CK_TRUST saTrust = CKT_NSS_TRUST_UNKNOWN;
     CK_TRUST caTrust = CKT_NSS_TRUST_UNKNOWN;
diff --git a/lib/softoken/legacydb/pcertdb.c b/lib/softoken/legacydb/pcertdb.c
index 488d0f06c..47778190d 100644
--- a/lib/softoken/legacydb/pcertdb.c
+++ b/lib/softoken/legacydb/pcertdb.c
@@ -4277,7 +4277,6 @@ CreateTrust(void)
     if (trust) {
         trustListCount--;
         trustListHead = trust->next;
-        trust->next = NULL;
     }
     PORT_Assert(trustListCount >= 0);
     nsslowcert_UnlockFreeList();
@@ -5161,11 +5160,9 @@ nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust)
     if (trust == NULL) {
         return PR_FALSE;
     }
-    /* if we only have CERTDB__USER and CERTDB_TRUSTED_UNKNOWN bits, then
-     * we don't have a trust record. */
-    return !(((trust->sslFlags & ~(CERTDB_USER | CERTDB_TRUSTED_UNKNOWN)) == 0) &&
-             ((trust->emailFlags & ~(CERTDB_USER | CERTDB_TRUSTED_UNKNOWN)) == 0) &&
-             ((trust->objectSigningFlags & ~(CERTDB_USER | CERTDB_TRUSTED_UNKNOWN)) == 0));
+    return !((trust->sslFlags & CERTDB_TRUSTED_UNKNOWN) &&
+             (trust->emailFlags & CERTDB_TRUSTED_UNKNOWN) &&
+             (trust->objectSigningFlags & CERTDB_TRUSTED_UNKNOWN));
 }
 
 /*
diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c
index ff80f573f..fae9e1828 100644
--- a/lib/softoken/lowpbe.c
+++ b/lib/softoken/lowpbe.c
@@ -566,7 +566,7 @@ typedef struct KDFCacheItemStr KDFCacheItem;
 /* Bug 1606992 - Cache the hash result for the common case that we're
  * asked to repeatedly compute the key for the same password item,
  * hash, iterations and salt. */
-#define KDF2_CACHE_COUNT 150
+#define KDF2_CACHE_COUNT 3
 static struct {
     PZLock *lock;
     struct {
diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c
index 59c5db439..bd6e41aa8 100644
--- a/lib/softoken/sftkdb.c
+++ b/lib/softoken/sftkdb.c
@@ -124,6 +124,7 @@ sftkdb_isAuthenticatedAttribute(CK_ATTRIBUTE_TYPE type)
     }
     return PR_FALSE;
 }
+
 /*
  * convert a native ULONG to a database ulong. Database ulong's
  * are all 4 byte big endian values.
@@ -140,7 +141,7 @@ sftk_ULong2SDBULong(unsigned char *data, CK_ULONG value)
 
 /*
  * convert a database ulong back to a native ULONG. (reverse of the above
- * function).
+ * function.
  */
 static CK_ULONG
 sftk_SDBULong2ULong(unsigned char *data)
@@ -154,39 +155,6 @@ sftk_SDBULong2ULong(unsigned char *data)
     return value;
 }
 
-/* certain trust records are default values, which are the values
- * returned if the signature check fails anyway.
- * In those cases, we can skip the signature check. */
-PRBool
-sftkdb_isNullTrust(const CK_ATTRIBUTE *template)
-{
-    switch (template->type) {
-        case CKA_TRUST_SERVER_AUTH:
-        case CKA_TRUST_CLIENT_AUTH:
-        case CKA_TRUST_EMAIL_PROTECTION:
-        case CKA_TRUST_CODE_SIGNING:
-            if (template->ulValueLen != SDB_ULONG_SIZE) {
-                break;
-            }
-            if (sftk_SDBULong2ULong(template->pValue) ==
-                CKT_NSS_TRUST_UNKNOWN) {
-                return PR_TRUE;
-            }
-            break;
-        case CKA_TRUST_STEP_UP_APPROVED:
-            if (template->ulValueLen != 1) {
-                break;
-            }
-            if (*((unsigned char *)(template->pValue)) == 0) {
-                return PR_TRUE;
-            }
-            break;
-        default:
-            break;
-    }
-    return PR_FALSE;
-}
-
 /*
  * fix up the input templates. Our fixed up ints are stored in data and must
  * be freed by the caller. The new template must also be freed. If there are no
@@ -447,7 +415,7 @@ sftkdb_fixupTemplateOut(CK_ATTRIBUTE *template, CK_OBJECT_HANDLE objectID,
             SECITEM_ZfreeItem(plainText, PR_TRUE);
         }
         /* make sure signed attributes are valid */
-        if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type) && !sftkdb_isNullTrust(&ntemplate[i])) {
+        if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type)) {
             SECStatus rv;
             CK_RV local_crv;
             SECItem signText;
@@ -2357,7 +2325,7 @@ sftkdb_updateIntegrity(PLArenaPool *arena, SFTKDBHandle *handle,
             crv = sftkdb_getRawAttributeSignature(handle, source, sourceID, type,
                                                   &signature);
             if (crv != CKR_OK) {
-                /* old databases don't have signature IDs because they are
+                /* old databases don't have signature IDs because they are 
                  * 3DES encrypted. Since we know not to look for integrity
                  * for 3DES records it's OK not to find one here. A new record
                  * will be created when we reencrypt using AES CBC */
@@ -2427,6 +2395,7 @@ sftkdb_mergeObject(SFTKDBHandle *handle, CK_OBJECT_HANDLE id,
 
     objectType = sftkdb_getULongFromTemplate(CKA_CLASS, ptemplate,
                                              max_attributes);
+
     /*
      * Update Object updates the object template if necessary then returns
      * whether or not we need to actually write the object out to our target
diff --git a/tests/dbtests/bigdb/cert9.db b/tests/dbtests/bigdb/cert9.db
deleted file mode 100644
index 461c26c41..000000000
--- a/tests/dbtests/bigdb/cert9.db
+++ /dev/null
diff --git a/tests/dbtests/bigdb/key4.db b/tests/dbtests/bigdb/key4.db
deleted file mode 100644
index b45918d7f..000000000
--- a/tests/dbtests/bigdb/key4.db
+++ /dev/null
diff --git a/tests/dbtests/bigdb/pkcs11.txt b/tests/dbtests/bigdb/pkcs11.txt
deleted file mode 100644
index adbb159ba..000000000
--- a/tests/dbtests/bigdb/pkcs11.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-library=
-name=NSS Internal PKCS #11 Module
-parameters=configdir='sql:/tmp/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
-NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,ECC,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical
-
diff --git a/tests/dbtests/dbtests.sh b/tests/dbtests/dbtests.sh
index b0b195d4d..00740d092 100755
--- a/tests/dbtests/dbtests.sh
+++ b/tests/dbtests/dbtests.sh
@@ -51,7 +51,6 @@ dbtest_init()
   EMPTY_DIR=${HOSTDIR}/emptydir
   CONFLICT_DIR=${HOSTDIR}/conflictdir
   THREAD_DIR=${HOSTDIR}/threadir
-  BIG_DIR=${HOSTDIR}/bigdir
 
   html_head "CERT and Key DB Tests"
 
@@ -352,23 +351,6 @@ dbtest_main()
       *)
          html_failed "sdbthreadtst failed with an unrecognized error code."
       esac
-
-      # now verify that we can quickly dump a database that has explicit
-      # default trust values (generated by updating a dbm database with
-      # to a sql database with and older version of NSS).
-      mkdir -p ${BIG_DIR}
-      cp ${QADIR}/dbtests/bigdb/* ${BIG_DIR}/
-      echo "time certutil -K -d ${BIG_DIR} -f ${R_PWFILE}"
-      dtime=$(time -p (certutil -K -d ${BIG_DIR} -f ${R_PWFILE}) 2>&1 1>/dev/null)
-      echo "------------- time ----------------------"
-      echo $dtime
-      # now parse the real time to make sure it's subsecond
-      RARRAY=($dtime)
-      TIMEARRAY=(${RARRAY[1]//./ })
-      echo "${TIMEARRAY[0]} seconds"
-      test ${TIMEARRAY[0]} -lt 2
-      ret=$?
-      html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
     fi
 }