Update to NSS_3_13_4_RTM

- Update the nss-pem source archive to the latest version
- Remove no longer needed patches
- Resolves: Bug 806043 - use pem files interchangeably in a single process
- Resolves: Bug 806051 - PEM various flaws detected by Coverity
- Resolves: Bug 806058 - PEM pem_CreateObject leaks memory given a non-existing file name
This commit is contained in:
Elio Maldonado 2012-04-07 10:15:40 -07:00
parent 6b64656264
commit 421ec14b0e
10 changed files with 21 additions and 376 deletions

4
.gitignore vendored
View File

@ -1,8 +1,8 @@
nss-3.13.3-stripped.tar.bz2
nss-pem-20101125.tar.bz2
blank-cert8.db
blank-key3.db
blank-secmod.db
blank-cert9.db
blank-key4.db
PayPalEE.cert
/nss-3.13.4-stripped.tar.bz2
/nss-pem-20120402.tar.bz2

View File

@ -1,107 +0,0 @@
From 5c61cdba435096ee6e65cee4dc9a473430643c07 Mon Sep 17 00:00:00 2001
From: Elio Maldonado <emaldona@redhat.com>
Date: Tue, 12 Apr 2011 09:31:48 -0700
Subject: [PATCH] Bug 695011 PEM logging
Use NSPR logging facilities for PEM logging to fix a segmenation violation
caused when user cannot for write a log file created by root
---
mozilla/security/nss/lib/ckfw/pem/ckpem.h | 7 ++++-
mozilla/security/nss/lib/ckfw/pem/util.c | 30 ++++++++++++++++------------
2 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/mozilla/security/nss/lib/ckfw/pem/ckpem.h b/mozilla/security/nss/lib/ckfw/pem/ckpem.h
index 839d40b..720525e 100644
--- a/mozilla/security/nss/lib/ckfw/pem/ckpem.h
+++ b/mozilla/security/nss/lib/ckfw/pem/ckpem.h
@@ -1,3 +1,6 @@
+#ifndef CKPEM_H
+#define CKPEM_H
+
#include "nssckmdt.h"
#include "nssckfw.h"
#include "ckfwtm.h"
@@ -254,8 +257,8 @@ unsigned int pem_PrivateModulusLen(pemLOWKEYPrivateKey *privk);
/* ptoken.c */
NSSCKMDToken * pem_NewToken(NSSCKFWInstance *fwInstance, CK_RV *pError);
+/* util.c */
void open_log();
-void close_log();
void plog(const char *fmt, ...);
-#define PEM_H 1
+#endif /* CKPEM_H */
diff --git a/mozilla/security/nss/lib/ckfw/pem/util.c b/mozilla/security/nss/lib/ckfw/pem/util.c
index 853f418..fafb924 100644
--- a/mozilla/security/nss/lib/ckfw/pem/util.c
+++ b/mozilla/security/nss/lib/ckfw/pem/util.c
@@ -41,6 +41,7 @@
#include "prtime.h"
#include "prlong.h"
#include "prerror.h"
+#include "prlog.h"
#include "prprf.h"
#include "plgetopt.h"
#include "prenv.h"
@@ -51,6 +52,9 @@
#include "cryptohi.h"
#include "secpkcs7.h"
#include "secerr.h"
+
+#include "ckpem.h"
+
#include <stdarg.h>
#define CHUNK_SIZE 512
@@ -267,34 +271,34 @@ ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
return -1;
}
-FILE *plogfile;
+#ifdef DEBUG
+#define LOGGING_BUFFER_SIZE 400
+#define PEM_DEFAULT_LOG_FILE "/tmp/pkcs11.log"
+static const char *pemLogModuleName = "PEM";
+static PRLogModuleInfo* pemLogModule;
+#endif
void open_log()
{
#ifdef DEBUG
- plogfile = fopen("/tmp/pkcs11.log", "a");
-#endif
+ const char *nsprLogFile = PR_GetEnv("NSPR_LOG_FILE");
- return;
-}
+ pemLogModule = PR_NewLogModule(pemLogModuleName);
-void close_log()
-{
-#ifdef DEBUG
- fclose(plogfile);
+ (void) PR_SetLogFile(nsprLogFile ? nsprLogFile : PEM_DEFAULT_LOG_FILE);
+ /* If false, the log file will remain what it was before */
#endif
- return;
}
void plog(const char *fmt, ...)
{
#ifdef DEBUG
+ char buf[LOGGING_BUFFER_SIZE];
va_list ap;
va_start(ap, fmt);
- vfprintf(plogfile, fmt, ap);
+ PR_vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap);
-
- fflush(plogfile);
+ PR_LOG(pemLogModule, PR_LOG_DEBUG, ("%s", buf));
#endif
}
--
1.7.4.2

View File

@ -1,21 +0,0 @@
diff -up ./mozilla/security/nss/lib/ckfw/pem/pobject.c.734760 ./mozilla/security/nss/lib/ckfw/pem/pobject.c
--- ./mozilla/security/nss/lib/ckfw/pem/pobject.c.734760 2011-09-10 10:21:38.819248564 -0700
+++ ./mozilla/security/nss/lib/ckfw/pem/pobject.c 2011-09-10 10:28:47.970083785 -0700
@@ -1117,7 +1117,7 @@ pem_CreateObject
nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
if (nobjs < 1)
- return (NSSCKMDObject *) NULL;
+ goto loser;
objid = -1;
/* Brute force: find the id of the key, if any, in this slot */
@@ -1176,7 +1176,7 @@ pem_CreateObject
nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_FALSE /* keys only */);
if (nobjs < 1)
- return (NSSCKMDObject *) NULL;
+ goto loser;
certDER.len = 0; /* in case there is no equivalent cert */
certDER.data = NULL;

View File

@ -1,15 +0,0 @@
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11skey.c.800676 ./mozilla/security/nss/lib/pk11wrap/pk11skey.c
--- ./mozilla/security/nss/lib/pk11wrap/pk11skey.c.800676 2012-03-07 18:29:16.679551532 -0800
+++ ./mozilla/security/nss/lib/pk11wrap/pk11skey.c 2012-03-07 18:29:42.338733488 -0800
@@ -1664,7 +1664,10 @@ PK11_PubDerive(SECKEYPrivateKey *privKey
keyType = PK11_GetKeyType(target,keySize);
key_size = keySize;
- symKey->size = keySize;
+ /* There's a bug in FreeBL where this size is treated as a max.
+ * if we are using softoken, Don't set that size value here, but
+ * set it to zero we we will query softoken for the size */
+ symKey->size = slot->isInternal ? 0 : keySize;
if (key_size == 0) templateCount--;
mechanism.mechanism = derive;

View File

@ -1,13 +1,13 @@
%global nspr_version 4.9
%global nss_util_version 3.13.3
%global nss_util_version 3.13.4
%global nss_softokn_fips_version 3.12.9
%global nss_softokn_version 3.13.3
%global nss_softokn_version 3.13.4
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
Summary: Network Security Services
Name: nss
Version: 3.13.3
Release: 2%{?dist}
Version: 3.13.4
Release: 1%{?dist}
License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@ -52,24 +52,18 @@ Source7: blank-key4.db
Source8: system-pkcs11.txt
Source9: setup-nsssysinit.sh
Source10: PayPalEE.cert
Source12: %{name}-pem-20101125.tar.bz2
Source12: %{name}-pem-20120402.tar.bz2
Patch3: renegotiate-transitional.patch
Patch6: nss-enable-pem.patch
Patch7: nsspem-642433.patch
Patch8: 0001-Bug-695011-PEM-logging.patch
Patch16: nss-539183.patch
Patch18: nss-646045.patch
Patch20: nsspem-createobject-initialize-pointer.patch
Patch21: 0001-libnsspem-rhbz-734760.patch
Patch22: nsspem-init-inform-not-thread-safe.patch
# must statically link pem against the 3.12.x system freebl in the buildroot
# must statically link pem against the freebl in the buildroot
# Needed only when freebl on tree has newe APIS
Patch25: nsspem-use-system-freebl.patch
# don't compile the fipstest application
Patch26: nofipstest.patch
# include this patch in the upstream pem review
Patch28: nsspem-bz754771.patch
# This patch is currently meant for current stable branches
# This patch is currently meant for stable branches
Patch29: nss-ssl-cbc-random-iv-off-by-default.patch
# upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=734492
@ -81,9 +75,6 @@ Patch32: Bug-800674-Unable-to-contact-LDAP-Server-during-winsync.patch
# upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=734492
Patch33: Bug-800682-Qpid-AMQP-daemon-fails-to-load-after-nss-update.patch
# upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=734441
Patch34: Bug-800676-nss-workaround-for-freebl-bug-that-causes-openswan-to-drop-connections.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@ -159,14 +150,9 @@ low level services.
%patch3 -p0 -b .transitional
%patch6 -p0 -b .libpem
%patch7 -p0 -b .642433
%patch8 -p1 -b .695011
%patch16 -p0 -b .539183
%patch18 -p0 -b .646045
%patch20 -p1 -b .717338
%patch21 -p1 -b .734760
%patch22 -p0 -b .736410
# link pem against buildroot's 3.12 freebl
# link pem against buildroot's freebl, esential wen mixing and matching
%patch25 -p0 -b .systemfreebl
%patch26 -p0 -b .nofipstest
%patch28 -p0 -b .754771
@ -174,7 +160,6 @@ low level services.
%patch30 -p0 -b .784672
%patch32 -p0 -b .800674
%patch33 -p0 -b .800682
%patch34 -p0 -b .800676
%build
@ -593,6 +578,14 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
%changelog
* Sat Apr 07 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.4-1
- Update to NSS_3_13_4_RTM
- Update the nss-pem source archive to the latest version
- Remove no longer needed patches
- Resolves: Bug 806043 - use pem files interchangeably in a single process
- Resolves: Bug 806051 - PEM various flaws detected by Coverity
- Resolves: Bug 806058 - PEM pem_CreateObject leaks memory given a non-existing file name
* Wed Mar 28 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.3-2
- Resolves: Bug 805723 - Library needs partial RELRO support added

View File

@ -1,52 +0,0 @@
diff -up ./mozilla/security/nss/lib/ckfw/pem/util.c.642433 ./mozilla/security/nss/lib/ckfw/pem/util.c
--- ./mozilla/security/nss/lib/ckfw/pem/util.c.642433 2010-11-25 10:49:27.000000000 -0800
+++ ./mozilla/security/nss/lib/ckfw/pem/util.c 2010-12-08 08:02:02.618304926 -0800
@@ -96,9 +96,6 @@ static SECItem *AllocItem(SECItem * item
return (result);
loser:
- if (result != NULL) {
- SECITEM_FreeItem(result, (item == NULL) ? PR_TRUE : PR_FALSE);
- }
return (NULL);
}
@@ -110,7 +107,7 @@ static SECStatus FileToItem(SECItem * ds
prStatus = PR_GetOpenFileInfo(src, &info);
- if (prStatus != PR_SUCCESS) {
+ if (prStatus != PR_SUCCESS || info.type == PR_FILE_DIRECTORY) {
return SECFailure;
}
@@ -126,8 +123,7 @@ static SECStatus FileToItem(SECItem * ds
return SECSuccess;
loser:
- SECITEM_FreeItem(dst, PR_FALSE);
- nss_ZFreeIf(dst);
+ nss_ZFreeIf(dst->data);
return SECFailure;
}
@@ -153,6 +149,10 @@ ReadDERFromFile(SECItem *** derlist, cha
/* Read in ascii data */
rv = FileToItem(&filedata, inFile);
+ if (rv != SECSuccess) {
+ PR_Close(inFile);
+ return -1;
+ }
asc = (char *) filedata.data;
if (!asc) {
PR_Close(inFile);
@@ -252,7 +252,7 @@ ReadDERFromFile(SECItem *** derlist, cha
} else {
/* Read in binary der */
rv = FileToItem(der, inFile);
- if (rv) {
+ if (rv != SECSuccess) {
PR_Close(inFile);
return -1;
}

View File

@ -1,13 +0,0 @@
diff -up ./mozilla/security/nss/lib/ckfw/pem/pinst.c.754771 ./mozilla/security/nss/lib/ckfw/pem/pinst.c
--- ./mozilla/security/nss/lib/ckfw/pem/pinst.c.754771 2011-12-12 09:38:51.839104295 -0800
+++ ./mozilla/security/nss/lib/ckfw/pem/pinst.c 2011-12-12 09:44:40.437096761 -0800
@@ -350,6 +350,9 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objCla
if (io == NULL)
return NULL;
+ /* initialize pointers to functions */
+ pem_CreateMDObject(NULL, io, NULL);
+
io->gobjIndex = count;
/* add object to global array */

View File

@ -1,11 +0,0 @@
diff -up ./mozilla/security/nss/lib/ckfw/pem/pobject.c.717338 ./mozilla/security/nss/lib/ckfw/pem/pobject.c
--- ./mozilla/security/nss/lib/ckfw/pem/pobject.c.717338 2010-11-25 10:49:27.000000000 -0800
+++ ./mozilla/security/nss/lib/ckfw/pem/pobject.c 2011-09-10 10:16:58.752726964 -0700
@@ -1179,6 +1179,7 @@ pem_CreateObject
return (NSSCKMDObject *) NULL;
certDER.len = 0; /* in case there is no equivalent cert */
+ certDER.data = NULL;
objid = -1;
for (i = 0; i < pem_nobjs; i++) {

View File

@ -1,129 +0,0 @@
--- mozilla/security/nss/lib/ckfw/pem/pinst.c.736410 2010-11-25 11:51:52.000000000 -0800
+++ mozilla/security/nss/lib/ckfw/pem/pinst.c 2011-09-13 16:59:49.325215540 -0700
@@ -364,39 +364,37 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objCla
size += PEM_ITEM_CHUNK;
}
gobj[count] = io;
count++;
pem_nobjs++;
io->refCount ++;
return io;
}
CK_RV
AddCertificate(char *certfile, char *keyfile, PRBool cacert,
CK_SLOT_ID slotID)
{
pemInternalObject *o;
- SECItem certDER;
CK_RV error = 0;
int objid, i;
int nobjs = 0;
SECItem **objs = NULL;
char *ivstring = NULL;
int cipher;
- certDER.data = NULL;
nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
if (nobjs <= 0) {
nss_ZFreeIf(objs);
return CKR_GENERAL_ERROR;
}
/* For now load as many certs as are in the file for CAs only */
if (cacert) {
for (i = 0; i < nobjs; i++) {
char nickname[1024];
objid = pem_nobjs + 1;
snprintf(nickname, 1024, "%s - %d", certfile, i);
o = AddObjectIfNeeded(CKO_CERTIFICATE, pemCert, objs[i], NULL,
@@ -456,72 +454,76 @@ AddCertificate(char *certfile, char *key
loser:
nss_ZFreeIf(objs);
nss_ZFreeIf(o);
return error;
}
CK_RV
pem_Initialize
(
NSSCKMDInstance * mdInstance,
NSSCKFWInstance * fwInstance,
NSSUTF8 * configurationData
)
{
CK_RV rv;
- /* parse the initialization string and initialize CRLInstances */
+ /* parse the initialization string */
char **certstrings = NULL;
+ char *modparms = NULL;
PRInt32 numcerts = 0;
PRBool status, error = PR_FALSE;
int i;
+ CK_C_INITIALIZE_ARGS_PTR modArgs = NULL;
+
+ if (!fwInstance) return CKR_ARGUMENTS_BAD;
+
+ modArgs = NSSCKFWInstance_GetInitArgs(fwInstance);
+ if (modArgs &&
+ ((modArgs->flags & CKF_OS_LOCKING_OK) || (modArgs->CreateMutex != 0))) {
+ return CKR_CANT_LOCK;
+ }
if (pemInitialized) {
return CKR_OK;
}
+
RNG_RNGInit();
open_log();
plog("pem_Initialize\n");
- unsigned char *modparms = NULL;
- if (!fwInstance) {
- return CKR_ARGUMENTS_BAD;
- }
-
- CK_C_INITIALIZE_ARGS_PTR modArgs =
- NSSCKFWInstance_GetInitArgs(fwInstance);
if (!modArgs || !modArgs->LibraryParameters) {
goto done;
}
- modparms = (unsigned char *) modArgs->LibraryParameters;
+ modparms = (char *) modArgs->LibraryParameters;
plog("Initialized with %s\n", modparms);
/*
* The initialization string format is a space-delimited file of
* pairs of paths which are delimited by a semi-colon. The first
* entry of the pair is the path to the certificate file. The
* second is the path to the key file.
*
* CA certificates do not need the semi-colon.
*
* Example:
* /etc/certs/server.pem;/etc/certs/server.key /etc/certs/ca.pem
*
*/
status =
- pem_ParseString((const char *) modparms, ' ', &numcerts,
+ pem_ParseString(modparms, ' ', &numcerts,
&certstrings);
if (status == PR_FALSE) {
return CKR_ARGUMENTS_BAD;
}
for (i = 0; i < numcerts && error != PR_TRUE; i++) {
char *cert = certstrings[i];
PRInt32 attrcount = 0;
char **certattrs = NULL;
status = pem_ParseString(cert, ';', &attrcount, &certattrs);
if (status == PR_FALSE) {
error = PR_TRUE;
break;
}

View File

@ -1,8 +1,8 @@
3d211ab803585d449f94e67cbeca8502 nss-3.13.3-stripped.tar.bz2
e63cddf74c07f0d818d1052ecc6fbb1f nss-pem-20101125.tar.bz2
a5ae49867124ac75f029a9a33af31bad blank-cert8.db
9315689bbd9f28ceebd47894f99fccbd blank-key3.db
73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db
691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db
2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
bf47cecad861efa77d1488ad4a73cb5b PayPalEE.cert
d19159b7f91b94afaf7fa78bba006c13 nss-pem-20120402.tar.bz2
74bbd7b520179c2e226a021fba8ff365 nss-3.13.4-stripped.tar.bz2