Update to NSS 3.12.7 and NSPR 4.8.6....

nss/mozilla/security/nss/lib/softoken/sftkdb.c

 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
  *
  * Software distributed under the License is distributed on an "AS IS" basis,
  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
@@ skipping 491 matching lines @@
  * The caller is expected to abort any transaction he was in in the
  * event of a failure of this function.
  */
 static CK_RV
 sftk_signTemplate(PLArenaPool *arena, SFTKDBHandle *handle, 
                   PRBool mayBeUpdateDB,
                   CK_OBJECT_HANDLE objectID, const CK_ATTRIBUTE *template,
                   CK_ULONG count)
 {
     int i;
+    CK_RV crv;
     SFTKDBHandle *keyHandle = handle;
     SDB *keyTarget = NULL;
+    PRBool usingPeerDB = PR_FALSE;
+    PRBool inPeerDBTransaction = PR_FALSE;
 
     PORT_Assert(handle);
 
     if (handle->type != SFTK_KEYDB_TYPE) {
         keyHandle = handle->peerDB;
+        usingPeerDB = PR_TRUE;
     }
 
     /* no key DB defined? then no need to sign anything */
     if (keyHandle == NULL) {
-        return CKR_OK;
+        crv = CKR_OK;
+        goto loser;
     }
 
     /* When we are in a middle of an update, we have an update database set, 
      * but we want to write to the real database. The bool mayBeUpdateDB is
      * set to TRUE if it's possible that we want to write an update database
      * rather than a primary */
     keyTarget = (mayBeUpdateDB && keyHandle->update) ? 
                 keyHandle->update : keyHandle->db;
 
     /* skip the the database does not support meta data */
     if ((keyTarget->sdb_flags & SDB_HAS_META) == 0) {
-        return CKR_OK;
+        crv = CKR_OK;
+        goto loser;
+    }
+
+    /* If we had to switch databases, we need to initialize a transaction. */
+    if (usingPeerDB) {
+        crv = (*keyTarget->sdb_Begin)(keyTarget);
+        if (crv != CKR_OK) {
+            goto loser;
+        }
+        inPeerDBTransaction = PR_TRUE;
     }
 
     for (i=0; i < count; i ++) {
         if (sftkdb_isAuthenticatedAttribute(template[i].type)) {
             SECStatus rv;
             SECItem *signText;
             SECItem plainText;
 
             plainText.data = template[i].pValue;
             plainText.len = template[i].ulValueLen;
             PZ_Lock(keyHandle->passwordLock);
             if (keyHandle->passwordKey.data == NULL) {
                 PZ_Unlock(keyHandle->passwordLock);
-                return CKR_USER_NOT_LOGGED_IN;
+                crv = CKR_USER_NOT_LOGGED_IN;
+                goto loser;
             }
             rv = sftkdb_SignAttribute(arena, &keyHandle->passwordKey, 
                                 objectID, template[i].type,
                                 &plainText, &signText);
             PZ_Unlock(keyHandle->passwordLock);
             if (rv != SECSuccess) {
-                return CKR_GENERAL_ERROR; /* better error code here? */
+                crv = CKR_GENERAL_ERROR; /* better error code here? */
+                goto loser;
             }
             rv = sftkdb_PutAttributeSignature(handle, keyTarget, 
                                 objectID, template[i].type, signText);
             if (rv != SECSuccess) {
-                return CKR_GENERAL_ERROR; /* better error code here? */
+                crv = CKR_GENERAL_ERROR; /* better error code here? */
+                goto loser;
             }
         }
     }
-    return CKR_OK;
+    crv = CKR_OK;
+
+    /* If necessary, commit the transaction */
+    if (inPeerDBTransaction) {
+        crv = (*keyTarget->sdb_Commit)(keyTarget);
+        if (crv != CKR_OK) {
+            goto loser;
+        }
+        inPeerDBTransaction = PR_FALSE;
+    }
+
+loser:
+    if (inPeerDBTransaction) {
+        /* The transaction must have failed. Abort. */
+        (*keyTarget->sdb_Abort)(keyTarget);
+        PORT_Assert(crv != CKR_OK);
+        if (crv == CKR_OK) crv = CKR_GENERAL_ERROR;
+    }
+    return crv;
 }
 
 static CK_RV
 sftkdb_CreateObject(PRArenaPool *arena, SFTKDBHandle *handle, 
         SDB *db, CK_OBJECT_HANDLE *objectID,
         CK_ATTRIBUTE *template, CK_ULONG count)
 {
     PRBool inTransaction = PR_FALSE;
     CK_RV crv;
 
@@ skipping 183 matching lines @@
         count = 3;
         break;
         
     case CKO_PRIVATE_KEY:
     case CKO_PUBLIC_KEY:
     case CKO_SECRET_KEY:
         attr = sftkdb_getAttributeFromTemplate(CKA_ID, ptemplate, len);
         if (attr == NULL) {
             return CKR_TEMPLATE_INCOMPLETE;
         }
+        if (attr->ulValueLen == 0) {
+            /* key is too generic to determine that it's unique, usually
+             * happens in the key gen case */
+            return CKR_OBJECT_HANDLE_INVALID;
+        }
+        
         findTemplate[1] = *attr;
         count = 2;
         break;
 
     case CKO_NSS_CRL:
         attr = sftkdb_getAttributeFromTemplate(CKA_SUBJECT, ptemplate, len);
         if (attr == NULL) {
             return CKR_TEMPLATE_INCOMPLETE;
         }
         findTemplate[1] = *attr;
@@ skipping 21 matching lines @@
         findTemplate[1] = *attr;
         count = 2;
         break;
     }
     *findCount = count;
 
     return CKR_OK;
 }
 
 /*
- * look to see if this object already exists and return it's object ID if
+ * look to see if this object already exists and return its object ID if
  * it does.
  */
 static CK_RV
 sftkdb_lookupObject(SDB *db, CK_OBJECT_CLASS objectType, 
                  CK_OBJECT_HANDLE *id, CK_ATTRIBUTE *ptemplate, CK_ULONG len)
 {
     CK_ATTRIBUTE findTemplate[3];
     CK_ULONG count = 1;
     CK_ULONG objCount = 0;
     SDBFind *find = NULL;
     unsigned char objTypeData[SDB_ULONG_SIZE];
     CK_RV crv;
 
     *id = CK_INVALID_HANDLE;
     if (objectType == CKO_NSS_CRL) {
         return CKR_OK;
     }
     crv = sftkdb_getFindTemplate(objectType, objTypeData,
                         findTemplate, &count, ptemplate, len);
+
+    if (crv == CKR_OBJECT_HANDLE_INVALID) {
+        /* key is too generic to determine that it's unique, usually
+         * happens in the key gen case, tell the caller to go ahead
+         * and just create it */
+        return CKR_OK;
+    }
     if (crv != CKR_OK) {
         return crv;
     }
 
     /* use the raw find, so we get the correct database */
     crv = (*db->sdb_FindObjectsInit)(db, findTemplate, count, &find);
     if (crv != CKR_OK) {
         return crv;
     }
     (*db->sdb_FindObjects)(db, find, id, 1, &objCount);
@@ skipping 1871 matching lines @@
 }
 
 CK_RV 
 sftkdb_Shutdown(void)
 {
   s_shutdown();
   sftkdbCall_Shutdown();
   return CKR_OK;
 }