authorwtchang%redhat.com <devnull@localhost>2006-05-21 20:49:06 +0000
committerwtchang%redhat.com <devnull@localhost>2006-05-21 20:49:06 +0000
commit684796c0e530e754cbace93c29f074e59fde22e1 (patch)
tree0fdf71853706e1b32633144a57d310b9b44b76e9
parenta95a3cf81baa4155af0df1a0e12c62c3633ce1b2 (diff)
Sync the MOZILLA_1_8_BRANCH with the NSS_3_11_20060520_TAG to pick up fixes
for bug 337887 and several Coverity bugs. a=wtc for branch-1.8.1.
(tag: FIREFOX_2_0a3_RELEASE)
-rw-r--r--security/coreconf/WIN32.mk5
-rw-r--r--security/nss/cmd/certutil/certutil.c4
-rw-r--r--security/nss/cmd/lib/SECerrs.h10
-rw-r--r--security/nss/cmd/platlibs.mk4
-rw-r--r--security/nss/lib/certdb/crl.c2
-rw-r--r--security/nss/lib/certdb/stanpcertdb.c10
-rw-r--r--security/nss/lib/nss/nssinit.c12
-rw-r--r--security/nss/lib/pk11wrap/pk11cert.c33
-rw-r--r--security/nss/lib/pk11wrap/pk11cxt.c17
-rw-r--r--security/nss/lib/pk11wrap/pk11err.c2
-rw-r--r--security/nss/lib/pk11wrap/pk11kea.c76
-rw-r--r--security/nss/lib/pkcs12/p12d.c2
-rw-r--r--security/nss/lib/pki/certificate.c3
-rw-r--r--security/nss/lib/pki/pki3hack.c6
-rw-r--r--security/nss/lib/pki/tdcache.c3
-rw-r--r--security/nss/lib/softoken/config.mk1
-rw-r--r--security/nss/lib/softoken/fipstokn.c33
-rw-r--r--security/nss/lib/softoken/keydb.c2
-rw-r--r--security/nss/lib/softoken/pcertdb.c29
-rw-r--r--security/nss/lib/softoken/pkcs11.c6
-rw-r--r--security/nss/lib/softoken/pkcs11c.c5
-rw-r--r--security/nss/lib/ssl/ssl3con.c17
-rw-r--r--security/nss/lib/ssl/ssl3ecc.c2
-rw-r--r--security/nss/lib/ssl/sslsock.c2
-rw-r--r--security/nss/lib/util/derenc.c23
-rw-r--r--security/nss/lib/util/secasn1d.c6
-rw-r--r--security/nss/lib/util/secerr.h2
27 files changed, 162 insertions, 155 deletions
diff --git a/security/coreconf/WIN32.mk b/security/coreconf/WIN32.mk
index 423105414..e2c851201 100644
--- a/security/coreconf/WIN32.mk
+++ b/security/coreconf/WIN32.mk
@@ -89,7 +89,10 @@ endif
DLL_SUFFIX = dll
ifdef NS_USE_GCC
- OS_CFLAGS += -mno-cygwin -mms-bitfields
+ # The -mnop-fun-dllimport flag allows us to avoid a drawback of
+ # the dllimport attribute that a pointer to a function marked as
+ # dllimport cannot be used as as a constant address.
+ OS_CFLAGS += -mno-cygwin -mms-bitfields -mnop-fun-dllimport
_GEN_IMPORT_LIB=-Wl,--out-implib,$(IMPORT_LIBRARY)
DLLFLAGS += -mno-cygwin -o $@ -shared -Wl,--export-all-symbols $(if $(IMPORT_LIBRARY),$(_GEN_IMPORT_LIB))
ifdef BUILD_OPT
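Review bot: The new comment above `OS_CFLAGS` contains a doubled word ("used as as a constant address"); the last line should read `# dllimport cannot be used as a constant address.`. It would also help to say which code needs function addresses as constants, since the flag is applied to every GCC build on Windows.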
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
index 010a100c5..a5855ffe8 100644
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -2372,6 +2372,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
char commandToRun = '\0';
secuPWData pwdata = { PW_NONE, 0 };
PRBool readOnly = PR_FALSE;
+ PRBool initialized = PR_FALSE;
SECKEYPrivateKey *privkey = NULL;
SECKEYPublicKey *pubkey = NULL;
@@ -2801,6 +2802,7 @@ secuCommandFlag certutil_options[] =
rv = SECFailure;
goto shutdown;
}
+ initialized = PR_TRUE;
SECU_RegisterDynamicOids();
}
certHandle = CERT_GetDefaultCertDB();
@@ -3144,7 +3146,7 @@ shutdown:
fclose(batchFile);
}
- if ((initialize == PR_TRUE) && NSS_Shutdown() != SECSuccess) {
+ if ((initialized == PR_TRUE) && NSS_Shutdown() != SECSuccess) {
exit(1);
}
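Review bot: The switch from `initialize` to `initialized` at the `shutdown:` label is easy to misread because the two names differ by one letter; a comment would help, e.g. `/* shut down only if NSS was actually initialized above; 'initialize' only says we were asked to */`. A more distinct name such as `nssInitialized` would remove the ambiguity altogether. The comparison with `PR_TRUE` can also be dropped: `if (initialized && NSS_Shutdown() != SECSuccess)`.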
diff --git a/security/nss/cmd/lib/SECerrs.h b/security/nss/cmd/lib/SECerrs.h
index bd97dd791..8d2908ab1 100644
--- a/security/nss/cmd/lib/SECerrs.h
+++ b/security/nss/cmd/lib/SECerrs.h
@@ -504,3 +504,13 @@ ER3(SEC_ERROR_INCOMPATIBLE_PKCS11, (SEC_ERROR_BASE + 151),
ER3(SEC_ERROR_NO_EVENT, (SEC_ERROR_BASE + 152),
"No new slot event is available at this time.")
+
+ER3(SEC_ERROR_CRL_ALREADY_EXISTS, (SEC_ERROR_BASE + 153),
+"CRL already exists.")
+
+ER3(SEC_ERROR_NOT_INITIALIZED, (SEC_ERROR_BASE + 154),
+"NSS is not initialized.")
+
+ER3(SEC_ERROR_TOKEN_NOT_LOGGED_IN, (SEC_ERROR_BASE + 155),
+"The operation failed because the PKCS#11 token is not logged in.")
+
diff --git a/security/nss/cmd/platlibs.mk b/security/nss/cmd/platlibs.mk
index 734f38d30..8deb8a40d 100644
--- a/security/nss/cmd/platlibs.mk
+++ b/security/nss/cmd/platlibs.mk
@@ -136,6 +136,10 @@ EXTRA_SHARED_LIBS += \
-lnspr4 \
$(NULL)
endif
+
+ifeq ($(OS_TARGET), SunOS)
+OS_LIBS += -lbsm
+endif
endif
else # USE_STATIC_LIBS
diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c
index 0c30f3a26..c37e1d004 100644
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@@ -2127,7 +2127,6 @@ static SECStatus DPCache_Create(CRLDPCache** returned, CERTCertificate* issuer,
}
*returned = NULL;
cache = PORT_ZAlloc(sizeof(CRLDPCache));
- PORT_Assert(cache);
if (!cache)
{
return SECFailure;
@@ -2139,6 +2138,7 @@ static SECStatus DPCache_Create(CRLDPCache** returned, CERTCertificate* issuer,
#endif
if (!cache->lock)
{
+ PORT_Free(cache);
return SECFailure;
}
if (issuer)
diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c
index ea04bb075..1cf14a84b 100644
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -815,18 +815,10 @@ certdb_SaveSingleProfile(CERTCertificate *cert, const char *emailAddr,
emailProfile->data);
} else if (profileTime && emailProfile) {
PRStatus nssrv;
- NSSDER subject;
NSSItem profTime, profData;
- NSSItem *pprofTime, *pprofData;
- NSSITEM_FROM_SECITEM(&subject, &cert->derSubject);
-
NSSITEM_FROM_SECITEM(&profTime, profileTime);
- pprofTime = &profTime;
-
NSSITEM_FROM_SECITEM(&profData, emailProfile);
- pprofData = &profData;
-
- stanProfile = nssSMIMEProfile_Create(c, pprofTime, pprofData);
+ stanProfile = nssSMIMEProfile_Create(c, &profTime, &profData);
if (!stanProfile) goto loser;
nssrv = nssCryptoContext_ImportSMIMEProfile(cc, stanProfile);
rv = (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c
index 2a7a88c09..da58c2e57 100644
--- a/security/nss/lib/nss/nssinit.c
+++ b/security/nss/lib/nss/nssinit.c
@@ -301,14 +301,15 @@ static const char *dllname =
/* Should we have platform ifdefs here??? */
#define FILE_SEP '/'
-static void nss_FindExternalRootPaths(const char *dbpath, const char* secmodprefix,
+static void nss_FindExternalRootPaths(const char *dbpath,
+ const char* secmodprefix,
char** retoldpath, char** retnewpath)
{
char *path, *oldpath = NULL, *lastsep;
int len, path_len, secmod_len, dll_len;
path_len = PORT_Strlen(dbpath);
- secmod_len = PORT_Strlen(secmodprefix);
+ secmod_len = secmodprefix ? PORT_Strlen(secmodprefix) : 0;
dll_len = PORT_Strlen(dllname);
len = path_len + secmod_len + dll_len + 2; /* FILE_SEP + NULL */
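Review bot: `secmodprefix` is now guarded against NULL, but `dbpath` is still passed to `PORT_Strlen` unguarded two lines earlier, so nss_FindExternalRootPaths has an asymmetric contract that is not documented. Either guard it the same way or state the precondition above the function: `/* dbpath must be non-NULL; secmodprefix may be NULL or empty */`. The three lengths are also summed into an `int`, which is fine for real paths but worth a note if these strings can come from configuration. The function body continues outside the hunk.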
@@ -321,7 +322,7 @@ static void nss_FindExternalRootPaths(const char *dbpath, const char* secmodpref
path[path_len++] = FILE_SEP;
}
PORT_Strcpy(&path[path_len],dllname);
- if (secmodprefix) {
+ if (secmod_len > 0) {
lastsep = PORT_Strrchr(secmodprefix, FILE_SEP);
if (lastsep) {
int secmoddir_len = lastsep-secmodprefix+1; /* FILE_SEP */
@@ -776,6 +777,11 @@ NSS_Shutdown(void)
SECStatus rv;
PRStatus status;
+ if (!nss_IsInitted) {
+ PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+ return SECFailure;
+ }
+
rv = nss_ShutdownShutdownList();
if (rv != SECSuccess) {
shutdownRV = SECFailure;
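Review bot: NSS_Shutdown gains a new failure mode here, returning SECFailure with SEC_ERROR_NOT_INITIALIZED, which callers that shut down unconditionally will start to see; the function's header comment should say so, e.g. `/* Returns SECFailure with SEC_ERROR_NOT_INITIALIZED if NSS is not initialized. */`. The test of `nss_IsInitted` is made without any lock visible in the hunk, so two threads shutting down concurrently could both pass it; whether shutdown is expected to be single-threaded is not stated here. The body of NSS_Shutdown continues outside the hunk.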
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
index 9d47fa9ef..0c8e23bca 100644
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -928,6 +928,7 @@ pk11_getcerthandle(PK11SlotInfo *slot, CERTCertificate *cert,
SECKEYPrivateKey *
PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, CERTCertificate *cert,
void *wincx) {
+ int err;
CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
CK_ATTRIBUTE theTemplate[] = {
{ CKA_VALUE, NULL, 0 },
@@ -966,9 +967,9 @@ PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, CERTCertificate *cert,
*/
needLogin = pk11_LoginStillRequired(slot,wincx);
keyh = PK11_MatchItem(slot,certh,CKO_PRIVATE_KEY);
- if ((keyh == CK_INVALID_HANDLE) &&
- (PORT_GetError() == SSL_ERROR_NO_CERTIFICATE) &&
- needLogin) {
+ if ((keyh == CK_INVALID_HANDLE) && needLogin &&
+ (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) ||
+ SEC_ERROR_TOKEN_NOT_LOGGED_IN == err )) {
/* try it again authenticated */
rv = PK11_Authenticate(slot, PR_TRUE, wincx);
if (rv != SECSuccess) {
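Review bot: The retry condition in PK11_FindPrivateKeyFromCert assigns `err` inside the `if` and reads it in the second operand of `||`, which is correct only because of left-to-right short-circuit evaluation and is easy to break when the condition is edited. Reading the code once before the test is clearer: `err = PORT_GetError();` followed by `(err == SSL_ERROR_NO_CERTIFICATE || err == SEC_ERROR_TOKEN_NOT_LOGGED_IN)`. The same expression is repeated in PK11_KeyForCertExists, PK11_FindKeyByAnyCert and pk11_findKeyObjectByDERCert in this file, so a small static helper would keep the four sites consistent. Because this test decides whether the user is asked to authenticate, it is worth confirming that the lookup always sets an error when it fails, so that a stale code from an earlier call cannot select the login path; that is not visible in the hunk.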
@@ -995,6 +996,7 @@ PK11_KeyForCertExists(CERTCertificate *cert, CK_OBJECT_HANDLE *keyPtr,
CK_OBJECT_HANDLE key;
PK11SlotInfo *slot = NULL;
SECStatus rv;
+ int err;
keyID = pk11_mkcertKeyID(cert);
/* get them all! */
@@ -1016,9 +1018,9 @@ PK11_KeyForCertExists(CERTCertificate *cert, CK_OBJECT_HANDLE *keyPtr,
*/
PRBool needLogin = pk11_LoginStillRequired(le->slot,wincx);
key = pk11_FindPrivateKeyFromCertID(le->slot,keyID);
- if ((key == CK_INVALID_HANDLE) &&
- (PORT_GetError() == SSL_ERROR_NO_CERTIFICATE) &&
- needLogin) {
+ if ((key == CK_INVALID_HANDLE) && needLogin &&
+ (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) ||
+ SEC_ERROR_TOKEN_NOT_LOGGED_IN == err )) {
/* authenticate and try again */
rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
if (rv != SECSuccess) continue;
@@ -1104,7 +1106,6 @@ pk11_FindCertObjectByTemplate(PK11SlotInfo **slotPtr,
/* get them all! */
list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
if (list == NULL) {
- if (list) PK11_FreeSlotList(list);
return CK_INVALID_HANDLE;
}
@@ -1268,7 +1269,6 @@ pk11_AllFindCertObjectByRecipientNew(NSSCMSRecipient **recipientlist, void *winc
/* get them all! */
list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
if (list == NULL) {
- if (list) PK11_FreeSlotList(list);
return CK_INVALID_HANDLE;
}
@@ -1574,6 +1574,7 @@ PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx)
SECKEYPrivateKey *privKey = NULL;
PRBool needLogin;
SECStatus rv;
+ int err;
certHandle = PK11_FindObjectForCert(cert, wincx, &slot);
if (certHandle == CK_INVALID_HANDLE) {
@@ -1588,9 +1589,9 @@ PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx)
*/
needLogin = pk11_LoginStillRequired(slot,wincx);
keyHandle = PK11_MatchItem(slot,certHandle,CKO_PRIVATE_KEY);
- if ((keyHandle == CK_INVALID_HANDLE) &&
- (PORT_GetError() == SSL_ERROR_NO_CERTIFICATE) &&
- needLogin) {
+ if ((keyHandle == CK_INVALID_HANDLE) && needLogin &&
+ (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) ||
+ SEC_ERROR_TOKEN_NOT_LOGGED_IN == err ) ) {
/* authenticate and try again */
rv = PK11_Authenticate(slot, PR_TRUE, wincx);
if (rv == SECSuccess) {
@@ -1976,6 +1977,7 @@ pk11_findKeyObjectByDERCert(PK11SlotInfo *slot, CERTCertificate *cert,
CK_OBJECT_HANDLE key;
SECStatus rv;
PRBool needLogin;
+ int err;
if((slot == NULL) || (cert == NULL)) {
return CK_INVALID_HANDLE;
@@ -1995,9 +1997,9 @@ pk11_findKeyObjectByDERCert(PK11SlotInfo *slot, CERTCertificate *cert,
*/
needLogin = pk11_LoginStillRequired(slot,wincx);
key = pk11_FindPrivateKeyFromCertID(slot, keyID);
- if ((key == CK_INVALID_HANDLE) &&
- (PORT_GetError() == SSL_ERROR_NO_CERTIFICATE) &&
- needLogin) {
+ if ((key == CK_INVALID_HANDLE) && needLogin &&
+ (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) ||
+ SEC_ERROR_TOKEN_NOT_LOGGED_IN == err )) {
/* authenticate and try again */
rv = PK11_Authenticate(slot, PR_TRUE, wincx);
if (rv != SECSuccess) goto loser;
@@ -2385,6 +2387,9 @@ listCertsCallback(CERTCertificate* cert, void*arg)
NSSCertificate *c = STAN_GetNSSCertificate(cert);
instances = nssPKIObject_GetInstances(&c->object);
+ if (!instances) {
+ return SECFailure;
+ }
instance = NULL;
for (ci = instances; *ci; ci++) {
if ((*ci)->token->pk11slot == cdata->slot) {
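Review bot: The added check covers a NULL `instances`, but `c`, returned by `STAN_GetNSSCertificate(cert)` on the line above, is used in `&c->object` without a check of its own. If that call can fail (its contract is not visible in this hunk), the guard should come first: `if (!c) return SECFailure;`. The body of listCertsCallback continues outside the hunk.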
diff --git a/security/nss/lib/pk11wrap/pk11cxt.c b/security/nss/lib/pk11wrap/pk11cxt.c
index 1ce648bf7..d4ce2b68d 100644
--- a/security/nss/lib/pk11wrap/pk11cxt.c
+++ b/security/nss/lib/pk11wrap/pk11cxt.c
@@ -325,15 +325,15 @@ __PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key,
SECItem *param, void *wincx)
{
- PK11SymKey *symKey;
- PK11Context *context;
+ PK11SymKey *symKey = NULL;
+ PK11Context *context = NULL;
/* first get a slot */
if (slot == NULL) {
slot = PK11_GetBestSlot(type,wincx);
if (slot == NULL) {
PORT_SetError( SEC_ERROR_NO_MODULE );
- return NULL;
+ goto loser;
}
} else {
PK11_ReferenceSlot(slot);
@@ -341,12 +341,17 @@ __PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
/* now import the key */
symKey = PK11_ImportSymKey(slot, type, origin, operation, key, wincx);
- if (symKey == NULL) return NULL;
+ if (symKey == NULL) goto loser;
context = PK11_CreateContextBySymKey(type, operation, symKey, param);
- PK11_FreeSymKey(symKey);
- PK11_FreeSlot(slot);
+loser:
+ if (symKey) {
+ PK11_FreeSymKey(symKey);
+ }
+ if (slot) {
+ PK11_FreeSlot(slot);
+ }
return context;
}
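Review bot: The shared exit label in __PK11_CreateContextByRawKey is named `loser` although the success path now falls through it as well, which reads as if the function always fails; `done`, the name the pcertdb.c change in this commit uses for the same pattern, would be clearer. A short comment on the label, `/* common exit: release the key and slot references on success and on failure */`, would also explain why `context` is returned unconditionally.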
diff --git a/security/nss/lib/pk11wrap/pk11err.c b/security/nss/lib/pk11wrap/pk11err.c
index a63475636..588d6512c 100644
--- a/security/nss/lib/pk11wrap/pk11err.c
+++ b/security/nss/lib/pk11wrap/pk11err.c
@@ -113,7 +113,7 @@ PK11_MapError(CK_RV rv) {
MAPERROR(CKR_UNWRAPPING_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY)
MAPERROR(CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY)
MAPERROR(CKR_USER_ALREADY_LOGGED_IN, 0)
- MAPERROR(CKR_USER_NOT_LOGGED_IN, SEC_ERROR_LIBRARY_FAILURE) /* XXXX */
+ MAPERROR(CKR_USER_NOT_LOGGED_IN, SEC_ERROR_TOKEN_NOT_LOGGED_IN)
MAPERROR(CKR_USER_PIN_NOT_INITIALIZED, SEC_ERROR_NO_TOKEN)
MAPERROR(CKR_USER_TYPE_INVALID, SEC_ERROR_LIBRARY_FAILURE)
MAPERROR(CKR_WRAPPED_KEY_INVALID, SEC_ERROR_INVALID_KEY)
diff --git a/security/nss/lib/pk11wrap/pk11kea.c b/security/nss/lib/pk11wrap/pk11kea.c
index a0db40729..7664d8071 100644
--- a/security/nss/lib/pk11wrap/pk11kea.c
+++ b/security/nss/lib/pk11wrap/pk11kea.c
@@ -152,82 +152,6 @@ rsa_failed:
return newSymKey;
}
- /* KEA */
- if (PK11_DoesMechanism(symKey->slot, CKM_KEA_KEY_DERIVE) &&
- PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) {
- CERTCertificate *certSource = NULL;
- CERTCertificate *certTarget = NULL;
- SECKEYPublicKey *pubKeySource = NULL;
- SECKEYPublicKey *pubKeyTarget = NULL;
- SECKEYPrivateKey *privKeySource = NULL;
- SECKEYPrivateKey *privKeyTarget = NULL;
- PK11SymKey *tekSource = NULL;
- PK11SymKey *tekTarget = NULL;
- SECItem Ra,wrap;
-
- /* can only exchange skipjack keys */
- if ((type != CKM_SKIPJACK_CBC64) || (isPerm)) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- goto kea_failed;
- }
-
- /* find a pair of certs we can use */
- rv = PK11_GetKEAMatchedCerts(symKey->slot,slot,&certSource,&certTarget);
- if (rv != SECSuccess) goto kea_failed;
-
- /* get all the key pairs */
- pubKeyTarget = CERT_ExtractPublicKey(certSource);
- pubKeySource = CERT_ExtractPublicKey(certTarget);
- privKeySource =
- PK11_FindKeyByDERCert(symKey->slot,certSource,symKey->cx);
- privKeyTarget =
- PK11_FindKeyByDERCert(slot,certTarget,symKey->cx);
-
- if ((pubKeySource == NULL) || (pubKeyTarget == NULL) ||
- (privKeySource == NULL) || (privKeyTarget == NULL)) goto kea_failed;
-
- /* generate the wrapping TEK's */
- Ra.data = (unsigned char*)PORT_Alloc(128 /* FORTEZZA RA MAGIC */);
- Ra.len = 128;
- if (Ra.data == NULL) goto kea_failed;
-
- tekSource = PK11_PubDerive(privKeySource,pubKeyTarget,PR_TRUE,&Ra,NULL,
- CKM_SKIPJACK_WRAP, CKM_KEA_KEY_DERIVE,CKA_WRAP,0,symKey->cx);
- tekTarget = PK11_PubDerive(privKeyTarget,pubKeySource,PR_FALSE,&Ra,NULL,
- CKM_SKIPJACK_WRAP, CKM_KEA_KEY_DERIVE,CKA_WRAP,0,symKey->cx);
- PORT_Free(Ra.data);
-
- if ((tekSource == NULL) || (tekTarget == NULL)) { goto kea_failed; }
-
- /* wrap the key out of Source into target */
- wrap.data = (unsigned char*)PORT_Alloc(12); /* MAGIC SKIPJACK LEN */
- wrap.len = 12;
-
- /* paranoia to prevent infinite recursion on bugs */
- PORT_Assert(tekSource->slot == symKey->slot);
- if (tekSource->slot != symKey->slot) {
- PORT_SetError( SEC_ERROR_NO_MODULE );
- goto kea_failed;
- }
-
- rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP,NULL,tekSource,symKey,&wrap);
- if (rv == SECSuccess) {
- newSymKey = PK11_UnwrapSymKeyWithFlags(tekTarget,
- CKM_SKIPJACK_WRAP, NULL,
- &wrap, type, operation, flags, symKey->size);
- }
- PORT_Free(wrap.data);
-kea_failed:
- if (certSource == NULL) CERT_DestroyCertificate(certSource);
- if (certTarget == NULL) CERT_DestroyCertificate(certTarget);
- if (pubKeySource == NULL) SECKEY_DestroyPublicKey(pubKeySource);
- if (pubKeyTarget == NULL) SECKEY_DestroyPublicKey(pubKeyTarget);
- if (privKeySource == NULL) SECKEY_DestroyPrivateKey(privKeySource);
- if (privKeyTarget == NULL) SECKEY_DestroyPrivateKey(privKeyTarget);
- if (tekSource == NULL) PK11_FreeSymKey(tekSource);
- if (tekTarget == NULL) PK11_FreeSymKey(tekTarget);
- return newSymKey;
- }
PORT_SetError( SEC_ERROR_NO_MODULE );
return NULL;
}
diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c
index 68220e15d..bcbea25a5 100644
--- a/security/nss/lib/pkcs12/p12d.c
+++ b/security/nss/lib/pkcs12/p12d.c
@@ -2561,7 +2561,7 @@ CERTCertList *
SEC_PKCS12DecoderGetCerts(SEC_PKCS12DecoderContext *p12dcx)
{
CERTCertList *certList = NULL;
- sec_PKCS12SafeBag **safeBags = p12dcx->safeBags;
+ sec_PKCS12SafeBag **safeBags;
int i;
if (!p12dcx || !p12dcx->safeBags || !p12dcx->safeBags[0]) {
diff --git a/security/nss/lib/pki/certificate.c b/security/nss/lib/pki/certificate.c
index a669879e7..4229cbed0 100644
--- a/security/nss/lib/pki/certificate.c
+++ b/security/nss/lib/pki/certificate.c
@@ -930,7 +930,8 @@ nssSMIMEProfile_Create (
}
return rvProfile;
loser:
- nssPKIObject_Destroy(object);
+ if (object) nssPKIObject_Destroy(object);
+ else if (arena) nssArena_Destroy(arena);
return (nssSMIMEProfile *)NULL;
}
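Review bot: The two-branch cleanup at `loser:` in nssSMIMEProfile_Create encodes an ownership rule that is not written down: presumably `object`, once created, owns `arena`, so destroying both would free the arena twice. A comment such as `/* object owns arena once created; free the arena directly only if object creation failed */` would keep a later edit from "fixing" the else. Putting the two branches on separate, braced lines would also be safer than the one-line `if` / `else if`. The function body starts outside the hunk, so the ownership assumption should be confirmed there.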
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
index bbbeb5d4b..c274d2e75 100644
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -149,6 +149,12 @@ STAN_LoadDefaultNSS3TrustDomain (
SECMOD_GetReadLock(moduleLock);
NSSRWLock_LockWrite(td->tokensLock);
td->tokenList = nssList_Create(td->arena, PR_TRUE);
+ if (!td->tokenList) {
+ NSSRWLock_UnlockWrite(td->tokensLock);
+ SECMOD_ReleaseReadLock(moduleLock);
+ NSSTrustDomain_Destroy(td);
+ return PR_FAILURE;
+ }
for (mlp = SECMOD_GetDefaultModuleList(); mlp != NULL; mlp=mlp->next) {
for (i=0; i < mlp->module->slotCount; i++) {
STAN_InitTokenForSlotInfo(td, mlp->module->slots[i]);
diff --git a/security/nss/lib/pki/tdcache.c b/security/nss/lib/pki/tdcache.c
index 90727d011..1ae5ba6a9 100644
--- a/security/nss/lib/pki/tdcache.c
+++ b/security/nss/lib/pki/tdcache.c
@@ -1150,6 +1150,9 @@ nssTrustDomain_GetCertsFromCache (
certList = certListOpt;
} else {
certList = nssList_Create(NULL, PR_FALSE);
+ if (!certList) {
+ return NULL;
+ }
}
PZ_Lock(td->cache->lock);
nssHash_Iterate(td->cache->issuerAndSN, cert_iter, (void *)certList);
diff --git a/security/nss/lib/softoken/config.mk b/security/nss/lib/softoken/config.mk
index 2e097c8a5..bc48130aa 100644
--- a/security/nss/lib/softoken/config.mk
+++ b/security/nss/lib/softoken/config.mk
@@ -91,6 +91,7 @@ ifeq ($(OS_TARGET),SunOS)
# The -R '$ORIGIN' linker option instructs this library to search for its
# dependencies in the same directory where it resides.
MKSHLIB += -R '$$ORIGIN'
+OS_LIBS += -lbsm
endif
ifeq ($(OS_TARGET),WINCE)
diff --git a/security/nss/lib/softoken/fipstokn.c b/security/nss/lib/softoken/fipstokn.c
index 472b3cad0..fc114f792 100644
--- a/security/nss/lib/softoken/fipstokn.c
+++ b/security/nss/lib/softoken/fipstokn.c
@@ -66,6 +66,11 @@
#include <unistd.h>
#endif
+#ifdef SOLARIS
+#include <bsm/libbsm.h>
+#define AUE_FIPS_AUDIT 34444
+#endif
+
#ifdef LINUX
#include <pthread.h>
#include <dlfcn.h>
@@ -354,6 +359,34 @@ sftk_LogAuditMessage(NSSAuditSeverity severity, const char *msg)
PR_smprintf_free(message);
}
#endif /* LINUX */
+#ifdef SOLARIS
+ {
+ int rd;
+ char *message = PR_smprintf("NSS " SOFTOKEN_LIB_NAME ": %s", msg);
+
+ if (!message) {
+ return;
+ }
+
+ /* open the record descriptor */
+ if ((rd = au_open()) == -1) {
+ PR_smprintf_free(message);
+ return;
+ }
+
+ /* write the audit tokens to the audit record */
+ if (au_write(rd, au_to_text(message))) {
+ (void)au_close(rd, AU_TO_NO_WRITE, AUE_FIPS_AUDIT);
+ PR_smprintf_free(message);
+ return;
+ }
+
+ /* close the record and send it to the audit trail */
+ (void)au_close(rd, AU_TO_WRITE, AUE_FIPS_AUDIT);
+
+ PR_smprintf_free(message);
+ }
+#endif /* SOLARIS */
#else
/* do nothing */
#endif
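Review bot: In the SOLARIS block of sftk_LogAuditMessage the result of `au_to_text(message)` is passed straight to `au_write()` without a NULL check, and every failure path (`au_open`, `au_write`) returns silently, so a FIPS audit event can be lost with no indication. Checking the token first, `token_t *tok = au_to_text(message);` then `if (!tok || au_write(rd, tok)) {`, keeps the existing AU_TO_NO_WRITE cleanup. The `severity` argument is not used anywhere in this block, so all messages reach the audit trail at the same level; if that is intended, a comment should say so. `AUE_FIPS_AUDIT` (34444, defined in the first hunk of this file) also deserves a comment stating where the event number comes from and how it must be registered in the audit configuration.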
diff --git a/security/nss/lib/softoken/keydb.c b/security/nss/lib/softoken/keydb.c
index cd3d61886..68ba72da0 100644
--- a/security/nss/lib/softoken/keydb.c
+++ b/security/nss/lib/softoken/keydb.c
@@ -933,7 +933,7 @@ openNewDB(const char *appName, const char *prefix, const char *dbname,
* local database we can update from.
*/
if (appName) {
- NSSLOWKEYDBHandle *updateHandle = nsslowkey_NewHandle(updatedb);
+ NSSLOWKEYDBHandle *updateHandle;
updatedb = dbopen( dbname, NO_RDONLY, 0600, DB_HASH, 0 );
if (!updatedb) {
goto noupdate;
diff --git a/security/nss/lib/softoken/pcertdb.c b/security/nss/lib/softoken/pcertdb.c
index 7455602a1..3c9959a30 100644
--- a/security/nss/lib/softoken/pcertdb.c
+++ b/security/nss/lib/softoken/pcertdb.c
@@ -2713,7 +2713,8 @@ nsslowcert_UpdateSubjectEmailAddr(NSSLOWCERTCertDBHandle *dbhandle,
entry = ReadDBSubjectEntry(dbhandle,derSubject);
if (entry == NULL) {
- goto loser;
+ rv = SECFailure;
+ goto done;
}
for (i=0; i < (int)(entry->nemailAddrs); i++) {
@@ -2722,25 +2723,27 @@ nsslowcert_UpdateSubjectEmailAddr(NSSLOWCERTCertDBHandle *dbhandle,
}
}
-
if (updateType == nsslowcert_remove) {
if (index == -1) {
- return SECSuccess;
+ rv = SECSuccess;
+ goto done;
}
-
entry->nemailAddrs--;
for (i=index; i < (int)(entry->nemailAddrs); i++) {
entry->emailAddrs[i] = entry->emailAddrs[i+1];
}
} else {
char **newAddrs = NULL;
+
if (index != -1) {
- return SECSuccess;
+ rv = SECSuccess;
+ goto done;
}
newAddrs = (char **)PORT_ArenaAlloc(entry->common.arena,
(entry->nemailAddrs+1)* sizeof(char *));
if (!newAddrs) {
- goto loser;
+ rv = SECFailure;
+ goto done;
}
for (i=0; i < (int)(entry->nemailAddrs); i++) {
newAddrs[i] = entry->emailAddrs[i];
@@ -2748,7 +2751,8 @@ nsslowcert_UpdateSubjectEmailAddr(NSSLOWCERTCertDBHandle *dbhandle,
newAddrs[entry->nemailAddrs] =
PORT_ArenaStrdup(entry->common.arena,emailAddr);
if (!newAddrs[entry->nemailAddrs]) {
- goto loser;
+ rv = SECFailure;
+ goto done;
}
entry->emailAddrs = newAddrs;
entry->nemailAddrs++;
@@ -2759,18 +2763,11 @@ nsslowcert_UpdateSubjectEmailAddr(NSSLOWCERTCertDBHandle *dbhandle,
/* write the new one */
rv = WriteDBSubjectEntry(dbhandle, entry);
- if ( rv != SECSuccess ) {
- goto loser;
- }
-
- DestroyDBEntry((certDBEntry *)entry);
- if (emailAddr) PORT_Free(emailAddr);
- return(SECSuccess);
-loser:
+ done:
if (entry) DestroyDBEntry((certDBEntry *)entry);
if (emailAddr) PORT_Free(emailAddr);
- return(SECFailure);
+ return rv;
}
/*
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index 39ef7de02..b06cb77f7 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -1649,6 +1649,9 @@ sftk_handleKeyObject(SFTKSession *session, SFTKObject *object)
/* get the key type */
attribute = sftk_FindAttribute(object,CKA_KEY_TYPE);
+ if (!attribute) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
sftk_FreeAttribute(attribute);
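Review bot: The new NULL check in sftk_handleKeyObject guards the missing-attribute case, but the next line still dereferences `attribute->attrib.pValue` as a `CK_KEY_TYPE` without checking `attribute->attrib.ulValueLen`. If the attribute originates from a caller-supplied template (not visible here), a short value would be over-read; testing `attribute->attrib.ulValueLen != sizeof(CK_KEY_TYPE)` and then calling `sftk_FreeAttribute(attribute); return CKR_ATTRIBUTE_VALUE_INVALID;` would close that. For the absent attribute itself, `CKR_TEMPLATE_INCOMPLETE` describes the condition more precisely than `CKR_ATTRIBUTE_VALUE_INVALID`. Both points apply equally to the identical hunk in sftk_handleKeyParameterObject.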
@@ -1755,6 +1758,9 @@ sftk_handleKeyParameterObject(SFTKSession *session, SFTKObject *object)
/* get the key type */
attribute = sftk_FindAttribute(object,CKA_KEY_TYPE);
+ if (!attribute) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
sftk_FreeAttribute(attribute);
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
index 477b2ab2a..d78dbe2a5 100644
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -2309,6 +2309,7 @@ finish_rsa:
}
if (crv != CKR_OK) {
+ if (info) PORT_Free(info);
PORT_Free(context);
sftk_FreeSession(session);
return crv;
@@ -5826,7 +5827,9 @@ CK_RV NSC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey)
/* get the key value */
att = sftk_FindAttribute(key,CKA_VALUE);
sftk_FreeObject(key);
-
+ if (!att) {
+ return CKR_KEY_HANDLE_INVALID;
+ }
crv = NSC_DigestUpdate(hSession,(CK_BYTE_PTR)att->attrib.pValue,
att->attrib.ulValueLen);
sftk_FreeAttribute(att);
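Review bot: In NSC_DigestKey a key object without `CKA_VALUE` is reported as `CKR_KEY_HANDLE_INVALID`, although the handle was valid enough to find the object; PKCS #11 defines `CKR_KEY_INDIGESTIBLE` for a key whose value cannot be digested, which looks like the closer match. If the current code is kept for compatibility with existing callers, a comment next to the check should say so.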
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
index 586086f27..713d6c6ad 100644
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -569,10 +569,15 @@ ssl3_config_match_init(sslSocket *ss)
PRBool isServer;
sslServerCerts *svrAuth;
+ PORT_Assert(ss);
+ if (!ss) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return 0;
+ }
if (!ss->opt.enableSSL3 && !ss->opt.enableTLS) {
return 0;
}
- isServer = (PRBool)( ss && ss->sec.isServer );
+ isServer = (PRBool)(ss->sec.isServer != 0);
for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
suite = &ss->cipherSuites[i];
@@ -1869,12 +1874,6 @@ ssl3_CompressMACEncryptRecord(sslSocket * ss,
}
cipherBytes += cipherBytesPart2;
}
- if (rv != SECSuccess) {
- ssl_MapLowLevelError(SSL_ERROR_ENCRYPTION_FAILURE);
-spec_locked_loser:
- ssl_ReleaseSpecReadLock(ss);
- return SECFailure;
- }
PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
@@ -1889,6 +1888,10 @@ spec_locked_loser:
ssl_ReleaseSpecReadLock(ss); /************************************/
return SECSuccess;
+
+spec_locked_loser:
+ ssl_ReleaseSpecReadLock(ss);
+ return SECFailure;
}
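Review bot: The relocated `spec_locked_loser:` label releases the spec read lock and returns SECFailure, but the `ssl_MapLowLevelError(SSL_ERROR_ENCRYPTION_FAILURE)` call that preceded the label in the removed block is gone, as is the `rv != SECSuccess` test after the encrypt step. Every `goto spec_locked_loser` and every encrypt call earlier in ssl3_CompressMACEncryptRecord therefore has to check `rv` and set the error code itself; those sites are outside the hunks shown, so this should be confirmed before relying on it. A one-line comment on the label, `/* callers must have set the error code */`, would make the contract explicit.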
/* Process the plain text before sending it.
diff --git a/security/nss/lib/ssl/ssl3ecc.c b/security/nss/lib/ssl/ssl3ecc.c
index 1195189cb..e74ef41ea 100644
--- a/security/nss/lib/ssl/ssl3ecc.c
+++ b/security/nss/lib/ssl/ssl3ecc.c
@@ -192,6 +192,7 @@ typedef struct Bits2CurveStr {
} Bits2Curve;
static const Bits2Curve bits2curve [] = {
+ { 192, ec_secp192r1 /* = 19, fast */ },
{ 160, ec_secp160r2 /* = 17, fast */ },
{ 160, ec_secp160k1 /* = 15, */ },
{ 160, ec_secp160r1 /* = 16, */ },
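Review bot: Moving `{ 192, ec_secp192r1 }` ahead of the 160- and 163-bit entries breaks the ascending order of `bits2curve` without a comment saying why. If the lookup (outside this hunk) returns the first entry whose size is large enough, this makes secp192r1 the choice for every request up to 192 bits and leaves the smaller curves after it unreachable; if that is the intent, it should be stated, e.g. `/* listed first so that secp192r1 is chosen instead of the smaller curves below */`. If the lookup instead depends on sorted order, the move needs a second look.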
@@ -199,7 +200,6 @@ static const Bits2Curve bits2curve [] = {
{ 163, ec_sect163r1 /* = 2, */ },
{ 163, ec_sect163r2 /* = 3, */ },
{ 192, ec_secp192k1 /* = 18, */ },
- { 192, ec_secp192r1 /* = 19, */ },
{ 193, ec_sect193r1 /* = 4, */ },
{ 193, ec_sect193r2 /* = 5, */ },
{ 224, ec_secp224r1 /* = 21, fast */ },
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
index 97069b14e..4ee3a3df8 100644
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -1677,7 +1677,7 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors,
} \
/* Only a nonblocking socket can have partial sends */ \
PR_ASSERT(!blocking); \
- return sent; \
+ return sent + rv; \
}
#define SEND(bfr, len) \
do { \
diff --git a/security/nss/lib/util/derenc.c b/security/nss/lib/util/derenc.c
index c894ed729..3470f74f7 100644
--- a/security/nss/lib/util/derenc.c
+++ b/security/nss/lib/util/derenc.c
@@ -124,6 +124,7 @@ header_length(DERTemplate *dtemplate, uint32 contents_len)
under_kind = dtemplate->arg;
}
} else if (encode_kind & DER_INLINE) {
+ PORT_Assert (dtemplate->sub != NULL);
under_kind = dtemplate->sub->kind;
if (universal) {
encode_kind = under_kind;
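Review bot: `PORT_Assert (dtemplate->sub != NULL);` in header_length records the precondition, but assertions of this kind are normally compiled out of optimized builds, so `dtemplate->sub->kind` is still dereferenced there when a template is malformed. Elsewhere in this commit (ssl3_config_match_init, the secasn1d.c hunk) the assert is paired with a runtime check and an error return; the same pairing here would be consistent, although header_length returns a length and has no obvious error value in the visible lines. The same assert-only pattern is added for `tmpt` in contents_length and der_encode. At minimum a comment such as `/* DER_INLINE templates must supply sub; enforced only in debug builds */` would record the limitation.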
@@ -229,9 +230,8 @@ contents_length(DERTemplate *dtemplate, void *src)
if (under_kind & DER_INDEFINITE) {
uint32 sub_len;
- void **indp;
+ void **indp = *(void ***)src;
- indp = *(void ***)src;
if (indp == NULL)
return 0;
@@ -239,13 +239,11 @@ contents_length(DERTemplate *dtemplate, void *src)
under_kind &= ~DER_INDEFINITE;
if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
- DERTemplate *tmpt;
- void *sub_src;
-
- tmpt = dtemplate->sub;
+ DERTemplate *tmpt = dtemplate->sub;
+ PORT_Assert (tmpt != NULL);
for (; *indp != NULL; indp++) {
- sub_src = (void *)((char *)(*indp) + tmpt->offset);
+ void *sub_src = (void *)((char *)(*indp) + tmpt->offset);
sub_len = contents_length (tmpt, sub_src);
len += sub_len + header_length (tmpt, sub_len);
}
@@ -255,8 +253,7 @@ contents_length(DERTemplate *dtemplate, void *src)
* DER_INDEFINITE | DER_OCTET_STRING) is right.
*/
for (; *indp != NULL; indp++) {
- SECItem *item;
- item = (SECItem *)(*indp);
+ SECItem *item = (SECItem *)(*indp);
sub_len = item->len;
if (under_kind == DER_BIT_STRING) {
sub_len = (sub_len + 7) >> 3;
@@ -391,12 +388,10 @@ der_encode(unsigned char *buf, DERTemplate *dtemplate, void *src)
under_kind &= ~DER_INDEFINITE;
if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
- DERTemplate *tmpt;
- void *sub_src;
-
- tmpt = dtemplate->sub;
+ DERTemplate *tmpt = dtemplate->sub;
+ PORT_Assert (tmpt != NULL);
for (; *indp != NULL; indp++) {
- sub_src = (void *)((char *)(*indp) + tmpt->offset);
+ void *sub_src = (void *)((char *)(*indp) + tmpt->offset);
buf = der_encode (buf, tmpt, sub_src);
}
} else {
diff --git a/security/nss/lib/util/secasn1d.c b/security/nss/lib/util/secasn1d.c
index ab0914b5d..91731c843 100644
--- a/security/nss/lib/util/secasn1d.c
+++ b/security/nss/lib/util/secasn1d.c
@@ -1256,6 +1256,12 @@ regular_string_type:
struct subitem *subitem;
int len;
+ PORT_Assert (item);
+ if (!item) {
+ PORT_SetError (SEC_ERROR_BAD_DER);
+ state->top->status = decodeError;
+ return;
+ }
PORT_Assert (item->len == 0 && item->data == NULL);
/*
* Check for and handle an ANY which has stashed aside the
diff --git a/security/nss/lib/util/secerr.h b/security/nss/lib/util/secerr.h
index 2cc1bcef3..d47734fe1 100644
--- a/security/nss/lib/util/secerr.h
+++ b/security/nss/lib/util/secerr.h
@@ -204,6 +204,8 @@ SEC_ERROR_UNKNOWN_OBJECT_TYPE = (SEC_ERROR_BASE + 150),
SEC_ERROR_INCOMPATIBLE_PKCS11 = (SEC_ERROR_BASE + 151),
SEC_ERROR_NO_EVENT = (SEC_ERROR_BASE + 152),
SEC_ERROR_CRL_ALREADY_EXISTS = (SEC_ERROR_BASE + 153),
+SEC_ERROR_NOT_INITIALIZED = (SEC_ERROR_BASE + 154),
+SEC_ERROR_TOKEN_NOT_LOGGED_IN = (SEC_ERROR_BASE + 155),
/* Add new error codes above here. */
SEC_ERROR_END_OF_LIST