This is an automated email from the git hooks/post-receive script.
richard pushed a commit to branch tor-browser-91.8.0esr-11.0-1 in repository tor-browser.
commit 6e69482b8f03763e0cb4c97ecdd00cfbf883cf79 Author: John Schanck jschanck@mozilla.com AuthorDate: Mon Mar 28 17:23:11 2022 +0000
Bug 1760872 - land NSS NSS_3_68_3_RTM UPGRADE_NSS_RELEASE, r=djackson a=RyanVM
2022-03-23 John M. Schanck jschanck@mozilla.com
* lib/dev/dev.h, lib/dev/devslot.c, lib/dev/devt.h, lib/dev/devtoken.c, lib/pk11wrap/dev3hack.c: Bug 1756271 - Remove token member from NSSSlot struct. r=rrelyea
[e3da860d9d1c] [NSS_3_68_3_RTM] <NSS_3_68_3_BRANCH>
2022-02-24 John M. Schanck jschanck@mozilla.com
* lib/pki/trustdomain.c: Bug 1755555 - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots. r=rrelyea
[1931b2b09b55] <NSS_3_68_3_BRANCH>
2022-02-23 John M. Schanck jschanck@mozilla.com
* lib/certdb/crl.c, lib/certdb/stanpcertdb.c, lib/dev/devtoken.c, lib/dev/devutil.c, lib/pk11wrap/pk11auth.c, lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11nobj.c, lib/pk11wrap/pk11slot.c, lib/pk11wrap/pk11util.c, lib/pk11wrap/secmodti.h, lib/pki/pki3hack.c, lib/pki/trustdomain.c: Bug 1370866 - Check return value of PK11Slot_GetNSSToken. r=djackson
[ba0086e6737d] <NSS_3_68_3_BRANCH>
2022-03-25 John M. Schanck jschanck@mozilla.com
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.68.3 final [c7b7c2f03ef2] <NSS_3_68_3_BRANCH>
2021-12-15 Benjamin Beurdouche bbeurdouche@mozilla.com
* .hgtags: Added tag NSS_3_68_2_RTM for changeset 78d2f4a3339f [c55cf4a0cb0e] <NSS_3_68_2_BRANCH>
Differential Revision: https://phabricator.services.mozilla.com/D142237 --- security/nss/TAG-INFO | 2 +- security/nss/coreconf/coreconf.dep | 1 - security/nss/lib/certdb/crl.c | 2 + security/nss/lib/certdb/stanpcertdb.c | 6 +++ security/nss/lib/dev/dev.h | 5 --- security/nss/lib/dev/devslot.c | 73 ++++++++++++++++++---------------- security/nss/lib/dev/devt.h | 1 - security/nss/lib/dev/devtoken.c | 20 ++-------- security/nss/lib/dev/devutil.c | 18 +++------ security/nss/lib/nss/nss.h | 4 +- security/nss/lib/pk11wrap/dev3hack.c | 19 --------- security/nss/lib/pk11wrap/pk11auth.c | 9 ++++- security/nss/lib/pk11wrap/pk11cert.c | 74 ++++++++++++++++++++++++----------- security/nss/lib/pk11wrap/pk11nobj.c | 24 +++++++++--- security/nss/lib/pk11wrap/pk11slot.c | 73 ++++++++++++++++++++++++++-------- security/nss/lib/pk11wrap/pk11util.c | 27 ++++++++++--- security/nss/lib/pk11wrap/secmodti.h | 1 + security/nss/lib/pki/pki3hack.c | 23 +++++++++-- security/nss/lib/pki/trustdomain.c | 28 +++++++------ security/nss/lib/softoken/softkver.h | 4 +- security/nss/lib/util/nssutil.h | 4 +- 21 files changed, 256 insertions(+), 162 deletions(-)
diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO index 9e1cc8ce68cc9..3c0affe5d52d1 100644 --- a/security/nss/TAG-INFO +++ b/security/nss/TAG-INFO @@ -1 +1 @@ -NSS_3_68_2_RTM \ No newline at end of file +NSS_3_68_3_RTM \ No newline at end of file diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep index 590d1bfaeee3f..5182f75552c81 100644 --- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -10,4 +10,3 @@ */
#error "Do not include this header file." - diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c index cc5c71f20c843..d110841241630 100644 --- a/security/nss/lib/certdb/crl.c +++ b/security/nss/lib/certdb/crl.c @@ -1391,6 +1391,7 @@ TokenCRLStillExists(CERTSignedCrl* crl) arena = NSSArena_Create(); PORT_Assert(arena); if (!arena) { + (void)nssToken_Destroy(instance.token); return PR_FALSE; }
@@ -1412,6 +1413,7 @@ TokenCRLStillExists(CERTSignedCrl* crl) xstatus = PR_FALSE; } NSSArena_Destroy(arena); + (void)nssToken_Destroy(instance.token); return xstatus; }
diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c index 8e1cf279ab23c..e255df10531e3 100644 --- a/security/nss/lib/certdb/stanpcertdb.c +++ b/security/nss/lib/certdb/stanpcertdb.c @@ -299,9 +299,15 @@ __CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname, /* Import the perm instance onto the internal token */ slot = PK11_GetInternalKeySlot(); internal = PK11Slot_GetNSSToken(slot); + if (!internal) { + PK11_FreeSlot(slot); + PORT_SetError(SEC_ERROR_NO_TOKEN); + return SECFailure; + } permInstance = nssToken_ImportCertificate( internal, NULL, NSSCertificateType_PKIX, &c->id, stanNick, &c->encoding, &c->issuer, &c->subject, &c->serial, cert->emailAddr, PR_TRUE); + (void)nssToken_Destroy(internal); nss_ZFreeIf(stanNick); stanNick = NULL; PK11_FreeSlot(slot); diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h index 26ac8957e9102..6430511442796 100644 --- a/security/nss/lib/dev/dev.h +++ b/security/nss/lib/dev/dev.h @@ -146,7 +146,6 @@ nssModule_GetCertOrder( * nssSlot_Destroy * nssSlot_AddRef * nssSlot_GetName - * nssSlot_GetTokenName * nssSlot_IsTokenPresent * nssSlot_IsPermanent * nssSlot_IsFriendly @@ -176,10 +175,6 @@ NSS_EXTERN NSSUTF8 * nssSlot_GetName( NSSSlot *slot);
-NSS_EXTERN NSSUTF8 * -nssSlot_GetTokenName( - NSSSlot *slot); - NSS_EXTERN NSSModule * nssSlot_GetModule( NSSSlot *slot); diff --git a/security/nss/lib/dev/devslot.c b/security/nss/lib/dev/devslot.c index 5021408bf06f2..ccd90ac9729d6 100644 --- a/security/nss/lib/dev/devslot.c +++ b/security/nss/lib/dev/devslot.c @@ -12,7 +12,9 @@ #include "ckhelper.h" #endif /* CKHELPER_H */
-#include "pk11pub.h" +#include "pkim.h" +#include "dev3hack.h" +#include "pk11func.h"
/* measured in seconds */ #define NSSSLOT_TOKEN_DELAY_TIME 1 @@ -79,13 +81,6 @@ nssSlot_GetName( return slot->base.name; }
-NSS_IMPLEMENT NSSUTF8 * -nssSlot_GetTokenName( - NSSSlot *slot) -{ - return nssToken_GetName(slot->token); -} - NSS_IMPLEMENT void nssSlot_ResetDelay( NSSSlot *slot) @@ -123,11 +118,13 @@ nssSlot_IsTokenPresent( { CK_RV ckrv; PRStatus nssrv; + NSSToken *nssToken = NULL; /* XXX */ nssSession *session; CK_SLOT_INFO slotInfo; void *epv; PRBool isPresent = PR_FALSE; + PRBool doUpdateCachedCerts = PR_FALSE;
/* permanent slots are always present unless they're disabled */ if (nssSlot_IsPermanent(slot)) { @@ -169,23 +166,24 @@ nssSlot_IsTokenPresent(
PZ_Unlock(slot->isPresentLock);
+ nssToken = PK11Slot_GetNSSToken(slot->pk11slot); + if (!nssToken) { + isPresent = PR_FALSE; + goto done; + } + nssSlot_EnterMonitor(slot); ckrv = CKAPI(epv)->C_GetSlotInfo(slot->slotID, &slotInfo); nssSlot_ExitMonitor(slot); if (ckrv != CKR_OK) { - slot->token->base.name[0] = 0; /* XXX */ + nssToken->base.name[0] = 0; /* XXX */ isPresent = PR_FALSE; goto done; } slot->ckFlags = slotInfo.flags; /* check for the presence of the token */ if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) { - if (!slot->token) { - /* token was never present */ - isPresent = PR_FALSE; - goto done; - } - session = nssToken_GetDefaultSession(slot->token); + session = nssToken_GetDefaultSession(nssToken); if (session) { nssSession_EnterMonitor(session); /* token is not present */ @@ -197,21 +195,21 @@ nssSlot_IsTokenPresent( } nssSession_ExitMonitor(session); } - if (slot->token->base.name[0] != 0) { + if (nssToken->base.name[0] != 0) { /* notify the high-level cache that the token is removed */ - slot->token->base.name[0] = 0; /* XXX */ - nssToken_NotifyCertsNotVisible(slot->token); + nssToken->base.name[0] = 0; /* XXX */ + nssToken_NotifyCertsNotVisible(nssToken); } - slot->token->base.name[0] = 0; /* XXX */ + nssToken->base.name[0] = 0; /* XXX */ /* clear the token cache */ - nssToken_Remove(slot->token); + nssToken_Remove(nssToken); isPresent = PR_FALSE; goto done; } /* token is present, use the session info to determine if the card * has been removed and reinserted. */ - session = nssToken_GetDefaultSession(slot->token); + session = nssToken_GetDefaultSession(nssToken); if (session) { PRBool tokenRemoved; nssSession_EnterMonitor(session); @@ -237,17 +235,31 @@ nssSlot_IsTokenPresent( * a token it doesn't recognize. invalidate all the old * information we had on this token, if we can't refresh, clear * the present flag */ - nssToken_NotifyCertsNotVisible(slot->token); - nssToken_Remove(slot->token); - /* token has been removed, need to refresh with new session */ - nssrv = nssSlot_Refresh(slot); - isPresent = PR_TRUE; + nssToken_NotifyCertsNotVisible(nssToken); + nssToken_Remove(nssToken); + if (nssToken->base.name[0] == 0) { + doUpdateCachedCerts = PR_TRUE; + } + if (PK11_InitToken(slot->pk11slot, PR_FALSE) != SECSuccess) { + isPresent = PR_FALSE; + goto done; + } + if (doUpdateCachedCerts) { + nssTrustDomain_UpdateCachedTokenCerts(nssToken->trustDomain, + nssToken); + } + nssrv = nssToken_Refresh(nssToken); if (nssrv != PR_SUCCESS) { - slot->token->base.name[0] = 0; /* XXX */ + nssToken->base.name[0] = 0; /* XXX */ slot->ckFlags &= ~CKF_TOKEN_PRESENT; isPresent = PR_FALSE; + goto done; } + isPresent = PR_TRUE; done: + if (nssToken) { + (void)nssToken_Destroy(nssToken); + } /* Once we've set up the condition variable, * Before returning, it's necessary to: * 1) Set the lastTokenPingTime so that any other threads waiting on this @@ -283,12 +295,7 @@ nssSlot_GetToken( NSSToken *rvToken = NULL;
if (nssSlot_IsTokenPresent(slot)) { - /* Even if a token should be present, check `slot->token` too as it - * might be gone already. This would happen mostly on shutdown. */ - nssSlot_EnterMonitor(slot); - if (slot->token) - rvToken = nssToken_AddRef(slot->token); - nssSlot_ExitMonitor(slot); + rvToken = PK11Slot_GetNSSToken(slot->pk11slot); }
return rvToken; diff --git a/security/nss/lib/dev/devt.h b/security/nss/lib/dev/devt.h index 06a57ad05b19b..19af26f08177e 100644 --- a/security/nss/lib/dev/devt.h +++ b/security/nss/lib/dev/devt.h @@ -81,7 +81,6 @@ typedef enum { struct NSSSlotStr { struct nssDeviceBaseStr base; NSSModule *module; /* Parent */ - NSSToken *token; /* Peer */ CK_SLOT_ID slotID; CK_FLAGS ckFlags; /* from CK_SLOT_INFO.flags */ struct nssSlotAuthInfoStr authInfo; diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c index fedc44b4b51f3..5e65dfdb1b555 100644 --- a/security/nss/lib/dev/devtoken.c +++ b/security/nss/lib/dev/devtoken.c @@ -32,13 +32,6 @@ nssToken_Destroy( PK11_FreeSlot(tok->pk11slot); PZ_DestroyLock(tok->base.lock); nssTokenObjectCache_Destroy(tok->cache); - - /* We're going away, let the nssSlot know in case it's held - * alive by someone else. Usually we should hold the last ref. */ - nssSlot_EnterMonitor(tok->slot); - tok->slot->token = NULL; - nssSlot_ExitMonitor(tok->slot); - (void)nssSlot_Destroy(tok->slot); return nssArena_Destroy(tok->base.arena); } @@ -53,13 +46,6 @@ nssToken_Remove( nssTokenObjectCache_Clear(tok->cache); }
-NSS_IMPLEMENT void -NSSToken_Destroy( - NSSToken *tok) -{ - (void)nssToken_Destroy(tok); -} - NSS_IMPLEMENT NSSToken * nssToken_AddRef( NSSToken *tok) @@ -996,8 +982,9 @@ sha1_hash(NSSItem *input, NSSItem *output) NSSToken *token = PK11Slot_GetNSSToken(internal); ap = NSSAlgorithmAndParameters_CreateSHA1Digest(NULL); (void)nssToken_Digest(token, NULL, ap, input, output, NULL); - PK11_FreeSlot(token->pk11slot); nss_ZFreeIf(ap); + (void)nssToken_Destroy(token); + PK11_FreeSlot(internal); }
static void @@ -1008,8 +995,9 @@ md5_hash(NSSItem *input, NSSItem *output) NSSToken *token = PK11Slot_GetNSSToken(internal); ap = NSSAlgorithmAndParameters_CreateMD5Digest(NULL); (void)nssToken_Digest(token, NULL, ap, input, output, NULL); - PK11_FreeSlot(token->pk11slot); nss_ZFreeIf(ap); + (void)nssToken_Destroy(token); + PK11_FreeSlot(internal); }
static CK_TRUST diff --git a/security/nss/lib/dev/devutil.c b/security/nss/lib/dev/devutil.c index 7c30a0da2cb81..302a6b56270bf 100644 --- a/security/nss/lib/dev/devutil.c +++ b/security/nss/lib/dev/devutil.c @@ -56,7 +56,7 @@ nssCryptokiObject_Destroy( nssCryptokiObject *object) { if (object) { - nssToken_Destroy(object->token); + (void)nssToken_Destroy(object->token); nss_ZFreeIf(object->label); nss_ZFreeIf(object); } @@ -150,19 +150,12 @@ nssTokenArray_Destroy( if (tokens) { NSSToken **tokenp; for (tokenp = tokens; *tokenp; tokenp++) { - nssToken_Destroy(*tokenp); + (void)nssToken_Destroy(*tokenp); } nss_ZFreeIf(tokens); } }
-NSS_IMPLEMENT void -NSSTokenArray_Destroy( - NSSToken **tokens) -{ - nssTokenArray_Destroy(tokens); -} - NSS_IMPLEMENT void nssCryptokiObjectArray_Destroy( nssCryptokiObject **objects) @@ -365,7 +358,7 @@ create_object( /* The cache is tied to the token, and therefore the objects * in it should not hold references to the token. */ - nssToken_Destroy(object->token); + (void)nssToken_Destroy(object->token); rvCachedObject->object = object; rvCachedObject->attributes = nss_ZNEWARRAY(arena, CK_ATTRIBUTE, numTypes); if (!rvCachedObject->attributes) { @@ -568,7 +561,7 @@ get_token_objects_for_cache( &numObjects, &status); if (status != PR_SUCCESS) { - nss_ZFreeIf(objects); + nssCryptokiObjectArray_Destroy(objects); return status; } for (i = 0; i < numObjects; i++) { @@ -584,7 +577,8 @@ get_token_objects_for_cache( } else { PRUint32 j; for (j = 0; j < i; j++) { - /* sigh */ + /* Any token references that were removed in successful loop iterations + * need to be restored before we call nssCryptokiObjectArray_Destroy */ nssToken_AddRef(cache->objects[objectType][j]->object->token); nssArena_Destroy(cache->objects[objectType][j]->arena); } diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index c87fa1ec9725e..d0c1a1f19a28e 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -22,10 +22,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define NSS_VERSION "3.68.2" _NSS_CUSTOMIZED +#define NSS_VERSION "3.68.3" _NSS_CUSTOMIZED #define NSS_VMAJOR 3 #define NSS_VMINOR 68 -#define NSS_VPATCH 2 +#define NSS_VPATCH 3 #define NSS_VBUILD 0 #define NSS_BETA PR_FALSE
diff --git a/security/nss/lib/pk11wrap/dev3hack.c b/security/nss/lib/pk11wrap/dev3hack.c index 4877f945053a0..2d41a34d85282 100644 --- a/security/nss/lib/pk11wrap/dev3hack.c +++ b/security/nss/lib/pk11wrap/dev3hack.c @@ -179,7 +179,6 @@ nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot) if (!rvToken->slot) { goto loser; } - rvToken->slot->token = rvToken; if (rvToken->defaultSession) rvToken->defaultSession->slot = rvToken->slot; return rvToken; @@ -227,24 +226,6 @@ nssToken_Refresh(NSSToken *token) return token->defaultSession ? PR_SUCCESS : PR_FAILURE; }
-NSS_IMPLEMENT PRStatus -nssSlot_Refresh(NSSSlot *slot) -{ - PK11SlotInfo *nss3slot = slot->pk11slot; - PRBool doit = PR_FALSE; - if (slot->token && slot->token->base.name[0] == 0) { - doit = PR_TRUE; - } - if (PK11_InitToken(nss3slot, PR_FALSE) != SECSuccess) { - return PR_FAILURE; - } - if (doit) { - nssTrustDomain_UpdateCachedTokenCerts(slot->token->trustDomain, - slot->token); - } - return nssToken_Refresh(slot->token); -} - NSS_IMPLEMENT PRStatus nssToken_GetTrustOrder(NSSToken *tok) { diff --git a/security/nss/lib/pk11wrap/pk11auth.c b/security/nss/lib/pk11wrap/pk11auth.c index c633e53f7bc8c..42e64e1c9a575 100644 --- a/security/nss/lib/pk11wrap/pk11auth.c +++ b/security/nss/lib/pk11wrap/pk11auth.c @@ -4,6 +4,8 @@ /* * This file deals with PKCS #11 passwords and authentication. */ +#include "dev.h" +#include "dev3hack.h" #include "seccomon.h" #include "secmod.h" #include "secmodi.h" @@ -637,8 +639,11 @@ PK11_DoPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session, } if (rv == SECSuccess) { if (!contextSpecific && !PK11_IsFriendly(slot)) { - nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain, - slot->nssToken); + NSSToken *token = PK11Slot_GetNSSToken(slot); + if (token) { + nssTrustDomain_UpdateCachedTokenCerts(token->trustDomain, token); + (void)nssToken_Destroy(token); + } } } else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD); diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c index 9c745d7b824df..84d8300357a4f 100644 --- a/security/nss/lib/pk11wrap/pk11cert.c +++ b/security/nss/lib/pk11wrap/pk11cert.c @@ -242,16 +242,17 @@ pk11_fastCert(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID, NSSCertificate *c; nssCryptokiObject *co = NULL; nssPKIObject *pkio; - NSSToken *token; NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
/* Get the cryptoki object from the handle */ - token = PK11Slot_GetNSSToken(slot); - if (token && token->defaultSession) { - co = nssCryptokiObject_Create(token, token->defaultSession, certID); - } else { + NSSToken *token = PK11Slot_GetNSSToken(slot); + if (!token || !token->defaultSession) { + (void)nssToken_Destroy(token); /* null token is ok */ PORT_SetError(SEC_ERROR_NO_TOKEN); + return NULL; } + co = nssCryptokiObject_Create(token, token->defaultSession, certID); + (void)nssToken_Destroy(token); if (!co) { return NULL; } @@ -754,7 +755,7 @@ find_certs_from_uri(const char *uriString, void *wincx) nssPKIObjectCollection_AddInstances(collection, instances, 0); nss_ZFreeIf(instances); } - nssToken_Destroy(*tok); + (void)nssToken_Destroy(*tok); } nss_ZFreeIf(tokens); nssList_Destroy(certList); @@ -863,9 +864,7 @@ find_certs_from_nickname(const char *nickname, void *wincx) } else { slot = PK11_GetInternalKeySlot(); token = PK11Slot_GetNSSToken(slot); - if (token) { - nssToken_AddRef(token); - } else { + if (!token) { PORT_SetError(SEC_ERROR_NO_TOKEN); } } @@ -929,7 +928,7 @@ find_certs_from_nickname(const char *nickname, void *wincx) } loser: if (token) { - nssToken_Destroy(token); + (void)nssToken_Destroy(token); } if (slot) { PK11_FreeSlot(slot); @@ -1129,15 +1128,15 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert, PRStatus status; NSSCertificate *c; nssCryptokiObject *keyobj, *certobj; - NSSToken *token = PK11Slot_GetNSSToken(slot); - SECItem *keyID = pk11_mkcertKeyID(cert); + NSSToken *token = NULL; char *emailAddr = NULL; nssCertificateStoreTrace lockTrace = { NULL, NULL, PR_FALSE, PR_FALSE }; nssCertificateStoreTrace unlockTrace = { NULL, NULL, PR_FALSE, PR_FALSE }; - + SECItem *keyID = pk11_mkcertKeyID(cert); if (keyID == NULL) { goto loser; /* error code should be set already */ } + token = PK11Slot_GetNSSToken(slot); if (!token) { PORT_SetError(SEC_ERROR_NO_TOKEN); goto loser; @@ -1230,8 +1229,12 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert, (void)STAN_ForceCERTCertificateUpdate(c); nssCertificate_Destroy(c); SECITEM_FreeItem(keyID, PR_TRUE); + (void)nssToken_Destroy(token); return SECSuccess; loser: + if (token) { + (void)nssToken_Destroy(token); + } CERT_MapStanError(); SECITEM_FreeItem(keyID, PR_TRUE); if (PORT_GetError() != SEC_ERROR_TOKEN_NOT_LOGGED_IN) { @@ -1466,7 +1469,7 @@ PK11_FindCertByIssuerAndSNOnToken(PK11SlotInfo *slot, NSSCertificate *cert = NULL; NSSDER issuer, serial; NSSTrustDomain *td = STAN_GetDefaultTrustDomain(); - NSSToken *token = slot->nssToken; + NSSToken *token = NULL; nssSession *session; nssCryptokiObject *instance = NULL; nssPKIObject *object = NULL; @@ -1481,12 +1484,18 @@ PK11_FindCertByIssuerAndSNOnToken(PK11SlotInfo *slot, return NULL; }
- /* Paranoia */ - if (token == NULL) { + token = PK11Slot_GetNSSToken(slot); + if (!token) { PORT_SetError(SEC_ERROR_NO_TOKEN); return NULL; }
+ session = nssToken_GetDefaultSession(token); /* non-owning */ + if (!session) { + (void)nssToken_Destroy(token); + return NULL; + } + /* PKCS#11 needs to use DER-encoded serial numbers. Create a * CERTIssuerAndSN that actually has the encoded value and pass that * to PKCS#11 (and the crypto context). @@ -1495,20 +1504,17 @@ PK11_FindCertByIssuerAndSNOnToken(PK11SlotInfo *slot, &issuerSN->serialNumber, SEC_ASN1_GET(SEC_IntegerTemplate)); if (!derSerial) { + (void)nssToken_Destroy(token); return NULL; }
NSSITEM_FROM_SECITEM(&issuer, &issuerSN->derIssuer); NSSITEM_FROM_SECITEM(&serial, derSerial);
- session = nssToken_GetDefaultSession(token); - if (!session) { - goto loser; - } - instance = nssToken_FindCertificateByIssuerAndSerialNumber(token, session, &issuer, &serial, nssTokenSearchType_TokenForced, &status);
+ (void)nssToken_Destroy(token); SECITEM_FreeItem(derSerial, PR_TRUE);
if (!instance) { @@ -2177,16 +2183,22 @@ PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, PK11SlotInfo *slot, td = STAN_GetDefaultTrustDomain(); NSSITEM_FROM_SECITEM(&subject, &cert->derSubject); token = PK11Slot_GetNSSToken(slot); + if (!token) { + return SECSuccess; + } if (!nssToken_IsPresent(token)) { + (void)nssToken_Destroy(token); return SECSuccess; } collection = nssCertificateCollection_Create(td, NULL); if (!collection) { + (void)nssToken_Destroy(token); return SECFailure; } subjectList = nssList_Create(NULL, PR_FALSE); if (!subjectList) { nssPKIObjectCollection_Destroy(collection); + (void)nssToken_Destroy(token); return SECFailure; } (void)nssTrustDomain_GetCertsForSubjectFromCache(td, &subject, @@ -2201,6 +2213,7 @@ PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, PK11SlotInfo *slot, certs = nssPKIObjectCollection_GetCertificates(collection, NULL, 0, NULL); nssPKIObjectCollection_Destroy(collection); + (void)nssToken_Destroy(token); if (certs) { CERTCertificate *oldie; NSSCertificate **cp; @@ -2234,7 +2247,8 @@ PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, PK11SlotInfo *slot, nssList *nameList = NULL; nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; token = PK11Slot_GetNSSToken(slot); - if (!nssToken_IsPresent(token)) { + if (!token || !nssToken_IsPresent(token)) { + (void)nssToken_Destroy(token); return SECSuccess; } if (nickname->data[nickname->len - 1] != '\0') { @@ -2264,6 +2278,7 @@ PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, PK11SlotInfo *slot, certs = nssPKIObjectCollection_GetCertificates(collection, NULL, 0, NULL); nssPKIObjectCollection_Destroy(collection); + (void)nssToken_Destroy(token); if (certs) { CERTCertificate *oldie; NSSCertificate **cp; @@ -2283,6 +2298,7 @@ PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, PK11SlotInfo *slot, nss_ZFreeIf(nick); return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure; loser: + (void)nssToken_Destroy(token); if (created) { nss_ZFreeIf(nick); } @@ -2308,16 +2324,22 @@ PK11_TraverseCertsInSlot(PK11SlotInfo *slot, NSSCertificate **certs; nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; tok = PK11Slot_GetNSSToken(slot); + if (!tok) { + return SECSuccess; + } if (!nssToken_IsPresent(tok)) { + (void)nssToken_Destroy(tok); return SECSuccess; } collection = nssCertificateCollection_Create(td, NULL); if (!collection) { + (void)nssToken_Destroy(tok); return SECFailure; } certList = nssList_Create(NULL, PR_FALSE); if (!certList) { nssPKIObjectCollection_Destroy(collection); + (void)nssToken_Destroy(tok); return SECFailure; } (void)nssTrustDomain_GetCertsFromCache(td, certList); @@ -2330,6 +2352,7 @@ PK11_TraverseCertsInSlot(PK11SlotInfo *slot, certs = nssPKIObjectCollection_GetCertificates(collection, NULL, 0, NULL); nssPKIObjectCollection_Destroy(collection); + (void)nssToken_Destroy(tok); if (certs) { CERTCertificate *oldie; NSSCertificate **cp; @@ -2369,7 +2392,6 @@ PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, const SECItem *inDerCert, SECStatus rv; CERTCertificate *cert = NULL;
- tok = PK11Slot_GetNSSToken(slot); NSSITEM_FROM_SECITEM(&derCert, inDerCert); rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); if (rv != SECSuccess) { @@ -2377,8 +2399,14 @@ PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, const SECItem *inDerCert, return NULL; }
+ tok = PK11Slot_GetNSSToken(slot); + if (!tok) { + PK11_FreeSlot(slot); + return NULL; + } co = nssToken_FindCertificateByEncodedCertificate(tok, NULL, &derCert, nssTokenSearchType_TokenOnly, NULL); + (void)nssToken_Destroy(tok);
if (co) { cert = PK11_MakeCertFromHandle(slot, co->handle, NULL); diff --git a/security/nss/lib/pk11wrap/pk11nobj.c b/security/nss/lib/pk11wrap/pk11nobj.c index 80bc009f78907..586ed80e32aa3 100644 --- a/security/nss/lib/pk11wrap/pk11nobj.c +++ b/security/nss/lib/pk11wrap/pk11nobj.c @@ -413,12 +413,17 @@ PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *crlHandle, nssPKIObjectCollection *collection; nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; NSSToken *token = PK11Slot_GetNSSToken(*slot); + if (!token) { + goto loser; + } collection = nssCRLCollection_Create(td, NULL); if (!collection) { + (void)nssToken_Destroy(token); goto loser; } instances = nssToken_FindCRLsBySubject(token, NULL, &subject, tokenOnly, 0, NULL); + (void)nssToken_Destroy(token); nssPKIObjectCollection_AddInstances(collection, instances, 0); nss_ZFreeIf(instances); crls = nssPKIObjectCollection_GetCRLs(collection, NULL, 0, NULL); @@ -482,16 +487,21 @@ PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, SECItem *name, char *url, int type) { NSSItem derCRL, derSubject; - NSSToken *token = PK11Slot_GetNSSToken(slot); + NSSToken *token; nssCryptokiObject *object; PRBool isKRL = (type == SEC_CRL_TYPE) ? PR_FALSE : PR_TRUE; CK_OBJECT_HANDLE rvH;
NSSITEM_FROM_SECITEM(&derSubject, name); NSSITEM_FROM_SECITEM(&derCRL, crl); - + token = PK11Slot_GetNSSToken(slot); + if (!token) { + PORT_SetError(SEC_ERROR_NO_TOKEN); + return CK_INVALID_HANDLE; + } object = nssToken_ImportCRL(token, NULL, &derSubject, &derCRL, isKRL, url, PR_TRUE); + (void)nssToken_Destroy(token);
if (object) { rvH = object->handle; @@ -510,8 +520,8 @@ SECStatus SEC_DeletePermCRL(CERTSignedCrl *crl) { PRStatus status; - NSSToken *token; nssCryptokiObject *object; + NSSToken *token; PK11SlotInfo *slot = crl->slot;
if (slot == NULL) { @@ -520,13 +530,17 @@ SEC_DeletePermCRL(CERTSignedCrl *crl) PORT_SetError(SEC_ERROR_CRL_INVALID); return SECFailure; } - token = PK11Slot_GetNSSToken(slot);
+ token = PK11Slot_GetNSSToken(slot); + if (!token) { + return SECFailure; + } object = nss_ZNEW(NULL, nssCryptokiObject); if (!object) { + (void)nssToken_Destroy(token); return SECFailure; } - object->token = nssToken_AddRef(token); + object->token = token; /* object takes ownership */ object->handle = crl->pkcs11ID; object->isTokenObject = PR_TRUE;
diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c index c320019f9397d..99be9528f0b34 100644 --- a/security/nss/lib/pk11wrap/pk11slot.c +++ b/security/nss/lib/pk11wrap/pk11slot.c @@ -362,19 +362,24 @@ PK11_NewSlotInfo(SECMODModule *mod) PK11SlotInfo *slot;
slot = (PK11SlotInfo *)PORT_Alloc(sizeof(PK11SlotInfo)); - if (slot == NULL) + if (slot == NULL) { return slot; - - slot->sessionLock = mod->isThreadSafe ? PZ_NewLock(nssILockSession) : mod->refLock; - if (slot->sessionLock == NULL) { - PORT_Free(slot); - return NULL; } slot->freeListLock = PZ_NewLock(nssILockFreelist); if (slot->freeListLock == NULL) { - if (mod->isThreadSafe) { - PZ_DestroyLock(slot->sessionLock); - } + PORT_Free(slot); + return NULL; + } + slot->nssTokenLock = PZ_NewLock(nssILockOther); + if (slot->nssTokenLock == NULL) { + PZ_DestroyLock(slot->freeListLock); + PORT_Free(slot); + return NULL; + } + slot->sessionLock = mod->isThreadSafe ? PZ_NewLock(nssILockSession) : mod->refLock; + if (slot->sessionLock == NULL) { + PZ_DestroyLock(slot->nssTokenLock); + PZ_DestroyLock(slot->freeListLock); PORT_Free(slot); return NULL; } @@ -462,6 +467,10 @@ PK11_DestroySlot(PK11SlotInfo *slot) PZ_DestroyLock(slot->freeListLock); slot->freeListLock = NULL; } + if (slot->nssTokenLock) { + PZ_DestroyLock(slot->nssTokenLock); + slot->nssTokenLock = NULL; + }
/* finally Tell our parent module that we've gone away so it can unload */ if (slot->module) { @@ -1260,6 +1269,7 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts) CK_RV crv; SECStatus rv; PRStatus status; + NSSToken *nssToken;
/* set the slot flags to the current token values */ if (!slot->isThreadSafe) @@ -1297,7 +1307,9 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts) slot->maxPassword = slot->tokenInfo.ulMaxPinLen; PORT_Memcpy(slot->serial, slot->tokenInfo.serialNumber, sizeof(slot->serial));
- nssToken_UpdateName(slot->nssToken); + nssToken = PK11Slot_GetNSSToken(slot); + nssToken_UpdateName(nssToken); /* null token is OK */ + (void)nssToken_Destroy(nssToken);
slot->defRWSession = (PRBool)((!slot->readOnly) && (slot->tokenInfo.ulMaxSessionCount == 1)); @@ -1365,7 +1377,9 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts) PK11_ExitSlotMonitor(slot); }
- status = nssToken_Refresh(slot->nssToken); + nssToken = PK11Slot_GetNSSToken(slot); + status = nssToken_Refresh(nssToken); /* null token is OK */ + (void)nssToken_Destroy(nssToken); if (status != PR_SUCCESS) return SECFailure;
@@ -1598,8 +1612,11 @@ pk11_IsPresentCertLoad(PK11SlotInfo *slot, PRBool loadCerts) return PR_TRUE; }
- if (slot->nssToken) { - return nssToken_IsPresent(slot->nssToken); + NSSToken *nssToken = PK11Slot_GetNSSToken(slot); + if (nssToken) { + PRBool present = nssToken_IsPresent(nssToken); + (void)nssToken_Destroy(nssToken); + return present; }
/* removable slots have a flag that says they are present */ @@ -2649,20 +2666,44 @@ PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd) PORT_SetError(PK11_MapError(crv)); return SECFailure; } - nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain, - slot->nssToken); + NSSToken *token = PK11Slot_GetNSSToken(slot); + if (token) { + nssTrustDomain_UpdateCachedTokenCerts(token->trustDomain, token); + (void)nssToken_Destroy(token); + } return SECSuccess; } + void PK11Slot_SetNSSToken(PK11SlotInfo *sl, NSSToken *nsst) { + NSSToken *old; + if (nsst) { + nsst = nssToken_AddRef(nsst); + } + + PZ_Lock(sl->nssTokenLock); + old = sl->nssToken; sl->nssToken = nsst; + PZ_Unlock(sl->nssTokenLock); + + if (old) { + (void)nssToken_Destroy(old); + } }
NSSToken * PK11Slot_GetNSSToken(PK11SlotInfo *sl) { - return sl->nssToken; + NSSToken *rv = NULL; + + PZ_Lock(sl->nssTokenLock); + if (sl->nssToken) { + rv = nssToken_AddRef(sl->nssToken); + } + PZ_Unlock(sl->nssTokenLock); + + return rv; }
PRBool diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c index 08c793bf32fa6..0862ee28918d9 100644 --- a/security/nss/lib/pk11wrap/pk11util.c +++ b/security/nss/lib/pk11wrap/pk11util.c @@ -13,6 +13,7 @@ #include "pki3hack.h" #include "secerr.h" #include "dev.h" +#include "dev3hack.h" #include "utilpars.h" #include "pkcs11uri.h"
@@ -1266,8 +1267,14 @@ SECMOD_WaitForAnyTokenEvent(SECMODModule *mod, unsigned long flags, } /* if we are in the delay period for the "isPresent" call, reset * the delay since we know things have probably changed... */ - if (slot && slot->nssToken && slot->nssToken->slot) { - nssSlot_ResetDelay(slot->nssToken->slot); + if (slot) { + NSSToken *nssToken = PK11Slot_GetNSSToken(slot); + if (nssToken) { + if (nssToken->slot) { + nssSlot_ResetDelay(nssToken->slot); + } + (void)nssToken_Destroy(nssToken); + } } return slot;
@@ -1500,8 +1507,12 @@ SECMOD_OpenNewSlot(SECMODModule *mod, const char *moduleSpec) if (slot) { /* if we are in the delay period for the "isPresent" call, reset * the delay since we know things have probably changed... */ - if (slot->nssToken && slot->nssToken->slot) { - nssSlot_ResetDelay(slot->nssToken->slot); + NSSToken *nssToken = PK11Slot_GetNSSToken(slot); + if (nssToken) { + if (nssToken->slot) { + nssSlot_ResetDelay(nssToken->slot); + } + (void)nssToken_Destroy(nssToken); } /* force the slot info structures to properly reset */ (void)PK11_IsPresent(slot); @@ -1631,8 +1642,12 @@ SECMOD_CloseUserDB(PK11SlotInfo *slot) PR_smprintf_free(sendSpec); /* if we are in the delay period for the "isPresent" call, reset * the delay since we know things have probably changed... */ - if (slot->nssToken && slot->nssToken->slot) { - nssSlot_ResetDelay(slot->nssToken->slot); + NSSToken *nssToken = PK11Slot_GetNSSToken(slot); + if (nssToken) { + if (nssToken->slot) { + nssSlot_ResetDelay(nssToken->slot); + } + (void)nssToken_Destroy(nssToken); /* force the slot info structures to properly reset */ (void)PK11_IsPresent(slot); } diff --git a/security/nss/lib/pk11wrap/secmodti.h b/security/nss/lib/pk11wrap/secmodti.h index 04c63a8690fd6..5dca1e46cda14 100644 --- a/security/nss/lib/pk11wrap/secmodti.h +++ b/security/nss/lib/pk11wrap/secmodti.h @@ -107,6 +107,7 @@ struct PK11SlotInfoStr { unsigned int lastState; /* for Stan */ NSSToken *nssToken; + PZLock *nssTokenLock; /* the tokeninfo struct */ CK_TOKEN_INFO tokenInfo; /* fast mechanism lookup */ diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c index 7fe9113e4a610..5556cd17695f8 100644 --- a/security/nss/lib/pki/pki3hack.c +++ b/security/nss/lib/pki/pki3hack.c @@ -72,12 +72,16 @@ STAN_InitTokenForSlotInfo(NSSTrustDomain *td, PK11SlotInfo *slot) } } token = nssToken_CreateFromPK11SlotInfo(td, slot); - PK11Slot_SetNSSToken(slot, token); - /* Don't add nonexistent token to TD's token list */ if (token) { + /* PK11Slot_SetNSSToken increments the refcount on |token| to 2 */ + PK11Slot_SetNSSToken(slot, token); + + /* we give our reference to |td->tokenList| */ NSSRWLock_LockWrite(td->tokensLock); nssList_Add(td->tokenList, token); NSSRWLock_UnlockWrite(td->tokensLock); + } else { + PK11Slot_SetNSSToken(slot, NULL); } return PR_SUCCESS; } @@ -188,7 +192,8 @@ STAN_RemoveModuleFromDefaultTrustDomain( nssList_Remove(td->tokenList, token); NSSRWLock_UnlockWrite(td->tokensLock); PK11Slot_SetNSSToken(module->slots[i], NULL); - nssToken_Destroy(token); + (void)nssToken_Destroy(token); /* for the |td->tokenList| reference */ + (void)nssToken_Destroy(token); /* for our PK11Slot_GetNSSToken reference */ } } NSSRWLock_LockWrite(td->tokensLock); @@ -1076,7 +1081,11 @@ STAN_GetNSSCertificate(CERTCertificate *cc) nssArena_Destroy(arena); return NULL; } - instance->token = nssToken_AddRef(PK11Slot_GetNSSToken(cc->slot)); + instance->token = PK11Slot_GetNSSToken(cc->slot); + if (!instance->token) { + nssArena_Destroy(arena); + return NULL; + } instance->handle = cc->pkcs11ID; instance->isTokenObject = PR_TRUE; if (cc->nickname) { @@ -1269,6 +1278,10 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust) NSSASCII7 *email = c->email; tok = PK11Slot_GetNSSToken(slot); PK11_FreeSlot(slot); + if (!tok) { + nssrv = PR_FAILURE; + goto done; + }
newInstance = nssToken_ImportCertificate(tok, NULL, NSSCertificateType_PKIX, @@ -1283,6 +1296,7 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust) nss_ZFreeIf(nickname); nickname = NULL; if (!newInstance) { + (void)nssToken_Destroy(tok); nssrv = PR_FAILURE; goto done; } @@ -1294,6 +1308,7 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust) nssTrust->codeSigning, nssTrust->emailProtection, nssTrust->stepUpApproved, PR_TRUE); + (void)nssToken_Destroy(tok); } if (newInstance) { nssCryptokiObject_Destroy(newInstance); diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c index 151b888750d07..c8f9f1d5b988c 100644 --- a/security/nss/lib/pki/trustdomain.c +++ b/security/nss/lib/pki/trustdomain.c @@ -11,6 +11,7 @@ #endif /* PKIM_H */
#include "cert.h" +#include "dev3hack.h" #include "pki3hack.h" #include "pk11pub.h" #include "nssrwlk.h" @@ -61,11 +62,14 @@ static void token_destructor(void *t) { NSSToken *tok = (NSSToken *)t; - /* The token holds the first/last reference to the slot. - * When the token is actually destroyed (ref count == 0), - * the slot will also be destroyed. - */ - nssToken_Destroy(tok); + /* Remove the token list's reference to the token */ + (void)nssToken_Destroy(tok); + + /* Signal that the slot should not give out any more references to the + * token. The token might still have a positive refcount after this call. + * The token has a reference to the slot, so the slot will not be destroyed + * until after the token's refcount drops to 0. */ + PK11Slot_SetNSSToken(tok->pk11slot, NULL); }
NSS_IMPLEMENT PRStatus @@ -127,7 +131,6 @@ nssTrustDomain_GetActiveSlots( return NULL; } nssList_GetArray(td->tokenList, (void **)tokens, count); - NSSRWLock_UnlockRead(td->tokensLock); count = 0; for (tp = tokens; *tp; tp++) { NSSSlot *slot = nssToken_GetSlot(*tp); @@ -137,6 +140,7 @@ nssTrustDomain_GetActiveSlots( nssSlot_Destroy(slot); } } + NSSRWLock_UnlockRead(td->tokensLock); nss_ZFreeIf(tokens); if (!count) { nss_ZFreeIf(slots); @@ -469,7 +473,7 @@ nssTrustDomain_FindCertificatesByNickname( numRemaining, &status); } - nssToken_Destroy(token); + (void)nssToken_Destroy(token); if (status != PR_SUCCESS) { errors++; continue; @@ -618,7 +622,7 @@ nssTrustDomain_FindCertificatesBySubject( numRemaining, &status); } - nssToken_Destroy(token); + (void)nssToken_Destroy(token); if (status != PR_SUCCESS) { errors++; continue; @@ -779,7 +783,7 @@ nssTrustDomain_FindCertificateByIssuerAndSerialNumber( tokenOnly, &status); } - nssToken_Destroy(token); + (void)nssToken_Destroy(token); if (status != PR_SUCCESS) { continue; } @@ -1022,7 +1026,7 @@ NSSTrustDomain_TraverseCertificates( collector, collection); } - nssToken_Destroy(token); + (void)nssToken_Destroy(token); } }
@@ -1076,7 +1080,7 @@ nssTrustDomain_FindTrustForCertificate( nssCryptokiObject_Destroy(to); } } - nssToken_Destroy(token); + (void)nssToken_Destroy(token); } } if (pkio) { @@ -1126,7 +1130,7 @@ nssTrustDomain_FindCRLsBySubject( instances = nssToken_FindCRLsBySubject(token, session, subject, tokenOnly, 0, &status); } - nssToken_Destroy(token); + (void)nssToken_Destroy(token); if (status == PR_SUCCESS) { /* add the found CRL's to the collection */ status = nssPKIObjectCollection_AddInstances(collection, diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h index f3506b6e461fd..929b9809e7b4c 100644 --- a/security/nss/lib/softoken/softkver.h +++ b/security/nss/lib/softoken/softkver.h @@ -17,10 +17,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define SOFTOKEN_VERSION "3.68.2" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.68.3" SOFTOKEN_ECC_STRING #define SOFTOKEN_VMAJOR 3 #define SOFTOKEN_VMINOR 68 -#define SOFTOKEN_VPATCH 2 +#define SOFTOKEN_VPATCH 3 #define SOFTOKEN_VBUILD 0 #define SOFTOKEN_BETA PR_FALSE
diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h index 28e0f1e8b4025..8548404b4755d 100644 --- a/security/nss/lib/util/nssutil.h +++ b/security/nss/lib/util/nssutil.h @@ -19,10 +19,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]" */ -#define NSSUTIL_VERSION "3.68.2" +#define NSSUTIL_VERSION "3.68.3" #define NSSUTIL_VMAJOR 3 #define NSSUTIL_VMINOR 68 -#define NSSUTIL_VPATCH 2 +#define NSSUTIL_VPATCH 3 #define NSSUTIL_VBUILD 0 #define NSSUTIL_BETA PR_FALSE