Bug 764393: update NSS to NSS_3_13_6_BETA1 to fix the chain-building
looping bug. (Also includes fixes for bugs 489188, 757189, 757197, 762351, 762353.)
parent
aac4e34111
commit
10cb95a2ae
@ -42,4 +42,3 @@
|
||||
*/
|
||||
|
||||
#error "Do not include this header file."
|
||||
|
||||
|
@ -1 +1 @@
|
||||
NSS_3_13_5_RTM
|
||||
NSS_3_13_6_BETA1
|
||||
|
@ -1 +1 @@
|
||||
NSS_3_13_5_RTM
|
||||
NSS_3_13_6_BETA1
|
||||
|
@ -1457,9 +1457,10 @@ PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plCon
|
||||
error = PKIX_List_AppendItem(policyList,
|
||||
(PKIX_PL_Object *)policyOID, plContext);
|
||||
if (error != NULL) {
|
||||
PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext);
|
||||
goto cleanup;
|
||||
}
|
||||
PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext);
|
||||
policyOID = NULL;
|
||||
}
|
||||
|
||||
error = PKIX_List_SetImmutable(policyList, plContext);
|
||||
|
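Review bot: On the failure path of PKIX_List_AppendItem the reference on policyOID is released but the pointer stays set before `goto cleanup`, while the success path clears it with `policyOID = NULL;`. The cleanup label is outside this hunk; if it also releases policyOID, the failure path would drop the reference twice. I would either add `policyOID = NULL;` after the DecRef inside `if (error != NULL)` or remove that DecRef and let cleanup own the release. Both calls also discard the PKIX_Error pointer that PKIX_PL_Object_DecRef returns, which deserves a comment if it is deliberate.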
File diff suppressed because it is too large
File diff suppressed because it is too large
@ -77,8 +77,8 @@
|
||||
* of the comment in the CK_VERSION type definition.
|
||||
*/
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 90
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION "1.90"
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 91
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION "1.91"
|
||||
|
||||
/* These version numbers detail the semantic changes to the ckfw engine. */
|
||||
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
|
||||
|
@ -3024,6 +3024,7 @@ pkix_Build_CheckInCache(
|
||||
PKIX_PL_Date *testDate = NULL;
|
||||
PKIX_BuildResult *buildResult = NULL;
|
||||
PKIX_ValidateResult *valResult = NULL;
|
||||
PKIX_Error *buildError = NULL;
|
||||
PKIX_TrustAnchor *matchingAnchor = NULL;
|
||||
PKIX_PL_Cert *trustedCert = NULL;
|
||||
PKIX_List *certList = NULL;
|
||||
@ -3132,16 +3133,20 @@ cleanup:
|
||||
/* The anchor of this chain is no longer trusted or
|
||||
* chain cert(s) has been revoked.
|
||||
* Invalidate this result in the cache */
|
||||
buildError = pkixErrorResult;
|
||||
PKIX_CHECK_FATAL(pkix_CacheCertChain_Remove
|
||||
(targetCert,
|
||||
anchors,
|
||||
plContext),
|
||||
PKIX_CACHECERTCHAINREMOVEFAILED);
|
||||
pkixErrorResult = buildError;
|
||||
buildError = NULL;
|
||||
}
|
||||
|
||||
fatal:
|
||||
PKIX_DECREF(buildResult);
|
||||
PKIX_DECREF(valResult);
|
||||
PKIX_DECREF(buildError);
|
||||
PKIX_DECREF(certList);
|
||||
PKIX_DECREF(matchingAnchor);
|
||||
PKIX_DECREF(trustedCert);
|
||||
|
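Review bot: The save and restore of pkixErrorResult around pkix_CacheCertChain_Remove in the cleanup block carries no comment, and the intent is easy to lose in a later edit. Presumably PKIX_CHECK_FATAL assigns the call's result to pkixErrorResult, so without the temporary a successful cache removal would clear the validation failure for a chain whose anchor is no longer trusted or whose certificates were revoked. I would state that above `buildError = pkixErrorResult;`, e.g. `/* PKIX_CHECK_FATAL overwrites pkixErrorResult; keep the validation error so the caller still sees the failure */`. It is also worth recording that on the fatal path the original error is released by `PKIX_DECREF(buildError)` and only the cache-removal failure is returned. The function body starts and ends outside these hunks.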
@ -2430,15 +2430,15 @@ PKIX_PL_Cert_GetExtendedKeyUsage(
|
||||
PKIX_DECREF(pkixOID);
|
||||
}
|
||||
|
||||
PKIX_CHECK(PKIX_List_SetImmutable
|
||||
(oidsList, plContext),
|
||||
PKIX_LISTSETIMMUTABLEFAILED);
|
||||
|
||||
/* save a cached copy in case it is asked for again */
|
||||
cert->extKeyUsages = oidsList;
|
||||
oidsList = NULL;
|
||||
}
|
||||
|
||||
PKIX_CHECK(PKIX_List_SetImmutable
|
||||
(cert->extKeyUsages, plContext),
|
||||
PKIX_LISTSETIMMUTABLEFAILED);
|
||||
|
||||
PKIX_OBJECT_UNLOCK(cert);
|
||||
}
|
||||
|
||||
|
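Review bot: The reason PKIX_List_SetImmutable is applied to oidsList inside the block that builds the list, before `cert->extKeyUsages = oidsList;`, is not stated (this assumes the call on oidsList is the new side, since the page has lost the +/- markers). A one-line comment such as `/* freeze the list before it is published in the cert's cache */` would keep the call from drifting back to cert->extKeyUsages, which the visible lines do not show to be non-NULL after the block. PKIX_CHECK also runs while the cert lock is held; the cleanup label is outside the hunk, so confirm it releases the lock on that path.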
@ -328,10 +328,11 @@ PKIX_PL_OID_CreateBySECItem(
|
||||
plContext),
|
||||
PKIX_COULDNOTCREATEOBJECT);
|
||||
rv = SECITEM_CopyItem(NULL, &oid->derOid, derOid);
|
||||
if (rv != SECFailure) {
|
||||
*pOID = oid;
|
||||
oid = NULL;
|
||||
if (rv != SECSuccess) {
|
||||
PKIX_ERROR(PKIX_OUTOFMEMORY);
|
||||
}
|
||||
*pOID = oid;
|
||||
oid = NULL;
|
||||
|
||||
cleanup:
|
||||
PKIX_DECREF(oid);
|
||||
|
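Review bot: The failure contract that the `rv != SECSuccess` check establishes is not documented in the visible lines: when SECITEM_CopyItem fails, the function raises PKIX_OUTOFMEMORY and never writes *pOID. A short comment above the assignment, for example `/* on error *pOID is left untouched; callers must not use it */`, would make that explicit for callers that pass an uninitialised pointer. The start of the function, including any NULL checks on derOid and pOID, is outside the hunk.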
@ -36,7 +36,7 @@
|
||||
* the terms of any one of the MPL, the GPL or the LGPL.
|
||||
*
|
||||
* ***** END LICENSE BLOCK ***** */
|
||||
/* $Id: nss.h,v 1.92.2.4 2012/05/31 18:29:27 kaie%kuix.de Exp $ */
|
||||
/* $Id: nss.h,v 1.92.2.5 2012/06/01 19:40:00 kaie%kuix.de Exp $ */
|
||||
|
||||
#ifndef __nss_h_
|
||||
#define __nss_h_
|
||||
@ -66,12 +66,12 @@
|
||||
* The format of the version string should be
|
||||
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
|
||||
*/
|
||||
#define NSS_VERSION "3.13.5.0" _NSS_ECC_STRING _NSS_CUSTOMIZED
|
||||
#define NSS_VERSION "3.13.6.0" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
|
||||
#define NSS_VMAJOR 3
|
||||
#define NSS_VMINOR 13
|
||||
#define NSS_VPATCH 5
|
||||
#define NSS_VPATCH 6
|
||||
#define NSS_VBUILD 0
|
||||
#define NSS_BETA PR_FALSE
|
||||
#define NSS_BETA PR_TRUE
|
||||
|
||||
#ifndef RC_INVOKED
|
||||
|
||||
|
@ -35,7 +35,7 @@
|
||||
* ***** END LICENSE BLOCK ***** */
|
||||
|
||||
#ifdef DEBUG
|
||||
static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.106.2.1 $ $Date: 2012/05/17 21:40:54 $";
|
||||
static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.106.2.2 $ $Date: 2012/07/27 21:48:13 $";
|
||||
#endif /* DEBUG */
|
||||
|
||||
/*
|
||||
@ -444,6 +444,50 @@ nss3certificate_matchUsage(nssDecodedCert *dc, const NSSUsage *usage)
|
||||
return match;
|
||||
}
|
||||
|
||||
static PRBool
|
||||
nss3certificate_isTrustedForUsage(nssDecodedCert *dc, const NSSUsage *usage)
|
||||
{
|
||||
CERTCertificate *cc;
|
||||
PRBool ca;
|
||||
SECStatus secrv;
|
||||
unsigned int requiredFlags;
|
||||
unsigned int trustFlags;
|
||||
SECTrustType trustType;
|
||||
CERTCertTrust trust;
|
||||
|
||||
/* This is for NSS 3.3 functions that do not specify a usage */
|
||||
if (usage->anyUsage) {
|
||||
return PR_FALSE; /* XXX is this right? */
|
||||
}
|
||||
cc = (CERTCertificate *)dc->data;
|
||||
ca = usage->nss3lookingForCA;
|
||||
if (!ca) {
|
||||
PRBool trusted;
|
||||
unsigned int failedFlags;
|
||||
secrv = cert_CheckLeafTrust(cc, usage->nss3usage,
|
||||
&failedFlags, &trusted);
|
||||
return secrv == SECSuccess && trusted;
|
||||
}
|
||||
secrv = CERT_TrustFlagsForCACertUsage(usage->nss3usage, &requiredFlags,
|
||||
&trustType);
|
||||
if (secrv != SECSuccess) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
secrv = CERT_GetCertTrust(cc, &trust);
|
||||
if (secrv != SECSuccess) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
if (trustType == trustTypeNone) {
|
||||
/* normally trustTypeNone usages accept any of the given trust bits
|
||||
* being on as acceptable. */
|
||||
trustFlags = trust.sslFlags | trust.emailFlags |
|
||||
trust.objectSigningFlags;
|
||||
} else {
|
||||
trustFlags = SEC_GET_TRUST_FLAGS(&trust, trustType);
|
||||
}
|
||||
return (trustFlags & requiredFlags) == requiredFlags;
|
||||
}
|
||||
|
||||
static NSSASCII7 *
|
||||
nss3certificate_getEmailAddress(nssDecodedCert *dc)
|
||||
{
|
||||
@ -494,6 +538,7 @@ nssDecodedPKIXCertificate_Create (
|
||||
rvDC->isValidAtTime = nss3certificate_isValidAtTime;
|
||||
rvDC->isNewerThan = nss3certificate_isNewerThan;
|
||||
rvDC->matchUsage = nss3certificate_matchUsage;
|
||||
rvDC->isTrustedForUsage = nss3certificate_isTrustedForUsage;
|
||||
rvDC->getEmailAddress = nss3certificate_getEmailAddress;
|
||||
rvDC->getDERSerialNumber = nss3certificate_getDERSerialNumber;
|
||||
} else {
|
||||
@ -521,7 +566,9 @@ create_decoded_pkix_cert_from_nss3cert (
|
||||
rvDC->isValidAtTime = nss3certificate_isValidAtTime;
|
||||
rvDC->isNewerThan = nss3certificate_isNewerThan;
|
||||
rvDC->matchUsage = nss3certificate_matchUsage;
|
||||
rvDC->isTrustedForUsage = nss3certificate_isTrustedForUsage;
|
||||
rvDC->getEmailAddress = nss3certificate_getEmailAddress;
|
||||
rvDC->getDERSerialNumber = nss3certificate_getDERSerialNumber;
|
||||
}
|
||||
return rvDC;
|
||||
}
|
||||
|
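Review bot: The `usage->anyUsage` branch of nss3certificate_isTrustedForUsage returns PR_FALSE under an open question, `/* XXX is this right? */`, so for callers that pass no usage every candidate is reported as untrusted and the trust comparison in nssCertificateArray_FindBestCertificate cannot tell them apart. If that is the intended behaviour the comment should say so, for example `/* no usage given: trust cannot be evaluated, caller falls back to validity and age */`. In the leaf branch `failedFlags` is filled in by cert_CheckLeafTrust and never read; presumably it is only a required out-parameter, and a brief comment would confirm that. Neither dc nor usage is checked for NULL here; whether that matches nss3certificate_matchUsage cannot be told from the hunk, which shows only the end of that function.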
@ -35,7 +35,7 @@
|
||||
* ***** END LICENSE BLOCK ***** */
|
||||
|
||||
#ifdef DEBUG
|
||||
static const char CVS_ID[] = "@(#) $RCSfile: pkibase.c,v $ $Revision: 1.33.6.1 $ $Date: 2012/05/17 21:40:54 $";
|
||||
static const char CVS_ID[] = "@(#) $RCSfile: pkibase.c,v $ $Revision: 1.33.6.2 $ $Date: 2012/07/27 21:48:13 $";
|
||||
#endif /* DEBUG */
|
||||
|
||||
#ifndef DEV_H
|
||||
@ -466,9 +466,12 @@ nssCertificateArray_FindBestCertificate (
|
||||
)
|
||||
{
|
||||
NSSCertificate *bestCert = NULL;
|
||||
nssDecodedCert *bestdc = NULL;
|
||||
NSSTime *time, sTime;
|
||||
PRBool haveUsageMatch = PR_FALSE;
|
||||
PRBool bestCertMatches = PR_FALSE;
|
||||
PRBool thisCertMatches;
|
||||
PRBool bestCertIsValidAtTime = PR_FALSE;
|
||||
PRBool bestCertIsTrusted = PR_FALSE;
|
||||
|
||||
if (timeOpt) {
|
||||
time = timeOpt;
|
||||
@ -480,7 +483,7 @@ nssCertificateArray_FindBestCertificate (
|
||||
return (NSSCertificate *)NULL;
|
||||
}
|
||||
for (; *certs; certs++) {
|
||||
nssDecodedCert *dc, *bestdc;
|
||||
nssDecodedCert *dc;
|
||||
NSSCertificate *c = *certs;
|
||||
dc = nssCertificate_GetDecoding(c);
|
||||
if (!dc) continue;
|
||||
@ -490,34 +493,31 @@ nssCertificateArray_FindBestCertificate (
|
||||
* the usage matched
|
||||
*/
|
||||
bestCert = nssCertificate_AddRef(c);
|
||||
haveUsageMatch = thisCertMatches;
|
||||
bestCertMatches = thisCertMatches;
|
||||
bestdc = dc;
|
||||
continue;
|
||||
} else {
|
||||
if (haveUsageMatch && !thisCertMatches) {
|
||||
if (bestCertMatches && !thisCertMatches) {
|
||||
/* if already have a cert for this usage, and if this cert
|
||||
* doesn't have the correct usage, continue
|
||||
*/
|
||||
continue;
|
||||
} else if (!haveUsageMatch && thisCertMatches) {
|
||||
} else if (!bestCertMatches && thisCertMatches) {
|
||||
/* this one does match usage, replace the other */
|
||||
nssCertificate_Destroy(bestCert);
|
||||
bestCert = nssCertificate_AddRef(c);
|
||||
haveUsageMatch = PR_TRUE;
|
||||
bestCertMatches = thisCertMatches;
|
||||
bestdc = dc;
|
||||
continue;
|
||||
}
|
||||
/* this cert match as well as any cert we've found so far,
|
||||
* defer to time/policies
|
||||
* */
|
||||
}
|
||||
bestdc = nssCertificate_GetDecoding(bestCert);
|
||||
if (!bestdc) {
|
||||
nssCertificate_Destroy(bestCert);
|
||||
bestCert = nssCertificate_AddRef(c);
|
||||
continue;
|
||||
}
|
||||
/* time */
|
||||
if (bestdc->isValidAtTime(bestdc, time)) {
|
||||
if (bestCertIsValidAtTime || bestdc->isValidAtTime(bestdc, time)) {
|
||||
/* The current best cert is valid at time */
|
||||
bestCertIsValidAtTime = PR_TRUE;
|
||||
if (!dc->isValidAtTime(dc, time)) {
|
||||
/* If the new cert isn't valid at time, it's not better */
|
||||
continue;
|
||||
@ -528,14 +528,36 @@ nssCertificateArray_FindBestCertificate (
|
||||
/* If the new cert is valid at time, it's better */
|
||||
nssCertificate_Destroy(bestCert);
|
||||
bestCert = nssCertificate_AddRef(c);
|
||||
bestdc = dc;
|
||||
bestCertIsValidAtTime = PR_TRUE;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
/* either they are both valid at time, or neither valid;
|
||||
* take the newer one
|
||||
/* Either they are both valid at time, or neither valid.
|
||||
* If only one is trusted for this usage, take it.
|
||||
*/
|
||||
if (bestCertIsTrusted || bestdc->isTrustedForUsage(bestdc, usage)) {
|
||||
bestCertIsTrusted = PR_TRUE;
|
||||
if (!dc->isTrustedForUsage(dc, usage)) {
|
||||
continue;
|
||||
}
|
||||
} else {
|
||||
/* The current best cert is not trusted */
|
||||
if (dc->isTrustedForUsage(dc, usage)) {
|
||||
/* If the new cert is trusted, it's better */
|
||||
nssCertificate_Destroy(bestCert);
|
||||
bestCert = nssCertificate_AddRef(c);
|
||||
bestdc = dc;
|
||||
bestCertIsTrusted = PR_TRUE;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
/* Otherwise, take the newer one. */
|
||||
if (!bestdc->isNewerThan(bestdc, dc)) {
|
||||
nssCertificate_Destroy(bestCert);
|
||||
bestCert = nssCertificate_AddRef(c);
|
||||
bestdc = dc;
|
||||
continue;
|
||||
}
|
||||
/* policies */
|
||||
/* XXX later -- defer to policies */
|
||||
|
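Review bot: The cached flags bestCertIsValidAtTime and bestCertIsTrusted are not cleared when bestCert is replaced in the `!bestCertMatches && thisCertMatches` branch, so they can keep describing the previous best certificate. If two non-matching certificates were compared first, a later usage-matching replacement inherits a PR_TRUE flag it was never checked for, and the `||` short-circuit then skips `bestdc->isValidAtTime` and `bestdc->isTrustedForUsage` for it; an expired or untrusted certificate could then be kept over a valid, trusted one. I would add `bestCertIsValidAtTime = PR_FALSE;` and `bestCertIsTrusted = PR_FALSE;` in that branch, and `bestCertIsTrusted = PR_FALSE;` where a newly valid certificate replaces a best that was not valid at time. The loop and the end of the function are outside the last hunk.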
@ -38,7 +38,7 @@
|
||||
#define PKITM_H
|
||||
|
||||
#ifdef DEBUG
|
||||
static const char PKITM_CVS_ID[] = "@(#) $RCSfile: pkitm.h,v $ $Revision: 1.15 $ $Date: 2007/11/16 05:29:27 $";
|
||||
static const char PKITM_CVS_ID[] = "@(#) $RCSfile: pkitm.h,v $ $Revision: 1.15.64.1 $ $Date: 2012/07/27 21:48:13 $";
|
||||
#endif /* DEBUG */
|
||||
|
||||
/*
|
||||
@ -90,6 +90,9 @@ struct nssDecodedCertStr {
|
||||
PRBool (*isNewerThan)(nssDecodedCert *dc, nssDecodedCert *cmpdc);
|
||||
/* does the usage for this cert match the requested usage? */
|
||||
PRBool (*matchUsage)(nssDecodedCert *dc, const NSSUsage *usage);
|
||||
/* is this cert trusted for the requested usage? */
|
||||
PRBool (*isTrustedForUsage)(nssDecodedCert *dc,
|
||||
const NSSUsage *usage);
|
||||
/* extract the email address */
|
||||
NSSASCII7 *(*getEmailAddress)(nssDecodedCert *dc);
|
||||
/* extract the DER-encoded serial number */
|
||||
|
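Review bot: The new isTrustedForUsage member is called through both bestdc and dc without a NULL test in nssCertificateArray_FindBestCertificate, so every place that fills in an nssDecodedCert has to set it. The two initialisers visible in pki3hack.c do, but the `else` branch of nssDecodedPKIXCertificate_Create and any other constructor are outside the hunks shown, and an unset member would be a call through a NULL pointer. The member comment could record the requirement, e.g. `/* is this cert trusted for the requested usage? must be set by every decoder */`.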
@ -57,11 +57,11 @@
|
||||
* The format of the version string should be
|
||||
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
|
||||
*/
|
||||
#define SOFTOKEN_VERSION "3.13.5.0" SOFTOKEN_ECC_STRING
|
||||
#define SOFTOKEN_VERSION "3.13.6.0" SOFTOKEN_ECC_STRING " Beta"
|
||||
#define SOFTOKEN_VMAJOR 3
|
||||
#define SOFTOKEN_VMINOR 13
|
||||
#define SOFTOKEN_VPATCH 5
|
||||
#define SOFTOKEN_VPATCH 6
|
||||
#define SOFTOKEN_VBUILD 0
|
||||
#define SOFTOKEN_BETA PR_FALSE
|
||||
#define SOFTOKEN_BETA PR_TRUE
|
||||
|
||||
#endif /* _SOFTKVER_H_ */
|
||||
|
@ -51,12 +51,12 @@
|
||||
* The format of the version string should be
|
||||
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
|
||||
*/
|
||||
#define NSSUTIL_VERSION "3.13.5.0"
|
||||
#define NSSUTIL_VERSION "3.13.6.0 Beta"
|
||||
#define NSSUTIL_VMAJOR 3
|
||||
#define NSSUTIL_VMINOR 13
|
||||
#define NSSUTIL_VPATCH 5
|
||||
#define NSSUTIL_VPATCH 6
|
||||
#define NSSUTIL_VBUILD 0
|
||||
#define NSSUTIL_BETA PR_FALSE
|
||||
#define NSSUTIL_BETA PR_TRUE
|
||||
|
||||
SEC_BEGIN_PROTOS
|
||||
|
||||
|