Update to NSS 3.15.5 and NSPR 4.10.3.

nss/lib/libpkix/pkix/top/pkix_build.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * pkix_build.c
  *
  * Top level buildChain function
  *
  */
 
@@ skipping 47 matching lines @@
         state->numCerts = 0;
         state->numAias = 0;
         state->certIndex = 0;
         state->aiaIndex = 0;
         state->certCheckedIndex = 0;
         state->checkerIndex = 0;
         state->hintCertIndex = 0;
         state->numFanout = 0;
         state->numDepth = 0;
         state->reasonCode = 0;
-        state->revCheckDelayed = PKIX_FALSE;
         state->canBeCached = PKIX_FALSE;
         state->useOnlyLocal = PKIX_FALSE;
         state->revChecking = PKIX_FALSE;
         state->usingHintCerts = PKIX_FALSE;
         state->certLoopingDetected = PKIX_FALSE;
         PKIX_DECREF(state->validityDate);
         PKIX_DECREF(state->prevCert);
         PKIX_DECREF(state->candidateCert);
         PKIX_DECREF(state->traversedSubjNames);
         PKIX_DECREF(state->trustChain);
@@ skipping 40 matching lines @@
  * DESCRIPTION:
  *  Allocate and initialize a ForwardBuilderState.
  *
  * PARAMETERS
  *  "traversedCACerts"
  *      Number of CA certificates traversed.
  *  "numFanout"
  *      Number of Certs that can be considered at this level (0 = no limit)
  *  "numDepth"
  *      Number of additional levels that can be searched (0 = no limit)
- *  "revCheckDelayed"
- *      Boolean value indicating whether rev check is delayed until after
- *      entire chain is built.
  *  "canBeCached"
  *      Boolean value indicating whether all certs on the chain can be cached.
  *  "validityDate"
  *      Address of Date at which build chain Certs' most restricted validity
  *      time is kept. May be NULL.
  *  "prevCert"
  *      Address of Cert just traversed. Must be non-NULL.
  *  "traversedSubjNames"
  *      Address of List of GeneralNames that have been traversed.
  *      Must be non-NULL.
@@ skipping 10 matching lines @@
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a Build Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 static PKIX_Error *
 pkix_ForwardBuilderState_Create(
         PKIX_Int32 traversedCACerts,
         PKIX_UInt32 numFanout,
         PKIX_UInt32 numDepth,
-        PKIX_Boolean revCheckDelayed,
         PKIX_Boolean canBeCached,
         PKIX_PL_Date *validityDate,
         PKIX_PL_Cert *prevCert,
         PKIX_List *traversedSubjNames,
         PKIX_List *trustChain,
         PKIX_ForwardBuilderState *parentState,
         PKIX_ForwardBuilderState **pState,
         void *plContext)
 {
         PKIX_ForwardBuilderState *state = NULL;
@@ skipping 15 matching lines @@
         state->numAias = 0;
         state->certIndex = 0;
         state->aiaIndex = 0;
         state->certCheckedIndex = 0;
         state->checkerIndex = 0;
         state->hintCertIndex = 0;
         state->numFanout = numFanout;
         state->numDepth = numDepth;
         state->reasonCode = 0;
         state->revChecking = numDepth;
-        state->revCheckDelayed = revCheckDelayed;
         state->canBeCached = canBeCached;
         state->useOnlyLocal = PKIX_TRUE;
         state->revChecking = PKIX_FALSE;
         state->usingHintCerts = PKIX_FALSE;
         state->certLoopingDetected = PKIX_FALSE;
 
         PKIX_INCREF(validityDate);
         state->validityDate = validityDate;
 
         PKIX_INCREF(prevCert);
@@ skipping 155 matching lines @@
                 "\t{buildStatus: \t%s\n"
                 "\ttraversedCACerts: \t%d\n"
                 "\tcertStoreIndex: \t%d\n"
                 "\tnumCerts: \t%d\n"
                 "\tnumAias: \t%d\n"
                 "\tcertIndex: \t%d\n"
                 "\taiaIndex: \t%d\n"
                 "\tnumFanout: \t%d\n"
                 "\tnumDepth:  \t%d\n"
                 "\treasonCode:  \t%d\n"
-                "\trevCheckDelayed: \t%d\n"
                 "\tcanBeCached: \t%d\n"
                 "\tuseOnlyLocal: \t%d\n"
                 "\trevChecking: \t%d\n"
                 "\tvalidityDate: \t%s\n"
                 "\tprevCert: \t%s\n"
                 "\tcandidateCert: \t%s\n"
                 "\ttraversedSubjNames: \t%s\n"
                 "\ttrustChain: \t%s\n"
                 "\tcandidateCerts: \t%s\n"
                 "\tcertSel: \t%s\n"
@@ skipping 24 matching lines @@
             case BUILD_AIAPENDING:      asciiStatus = "BUILD_AIAPENDING";
                                         break;
             case BUILD_COLLECTINGCERTS: asciiStatus = "BUILD_COLLECTINGCERTS";
                                         break;
             case BUILD_GATHERPENDING:   asciiStatus = "BUILD_GATHERPENDING";
                                         break;
             case BUILD_CERTVALIDATING:  asciiStatus = "BUILD_CERTVALIDATING";
                                         break;
             case BUILD_ABANDONNODE:     asciiStatus = "BUILD_ABANDONNODE";
                                         break;
-            case BUILD_CRLPREP:         asciiStatus = "BUILD_CRLPREP";
-                                        break;
-            case BUILD_CRL1:            asciiStatus = "BUILD_CRL1";
-                                        break;
             case BUILD_DATEPREP:        asciiStatus = "BUILD_DATEPREP";
                                         break;
             case BUILD_CHECKTRUSTED:    asciiStatus = "BUILD_CHECKTRUSTED";
                                         break;
             case BUILD_CHECKTRUSTED2:   asciiStatus = "BUILD_CHECKTRUSTED2";
                                         break;
             case BUILD_ADDTOCHAIN:      asciiStatus = "BUILD_ADDTOCHAIN";
                                         break;
-            case BUILD_CRL2:            asciiStatus = "BUILD_CRL2";
-                                        break;
             case BUILD_VALCHAIN:        asciiStatus = "BUILD_VALCHAIN";
                                         break;
             case BUILD_VALCHAIN2:       asciiStatus = "BUILD_VALCHAIN2";
                                         break;
             case BUILD_EXTENDCHAIN:     asciiStatus = "BUILD_EXTENDCHAIN";
                                         break;
             case BUILD_GETNEXTCERT:     asciiStatus = "BUILD_GETNEXTCERT";
                                         break;
             default:                    asciiStatus = "INVALID STATUS";
                                         break;
@@ skipping 48 matching lines @@
                 buildStatusString,
                 (PKIX_Int32)state->traversedCACerts,
                 (PKIX_UInt32)state->certStoreIndex,
                 (PKIX_UInt32)state->numCerts,
                 (PKIX_UInt32)state->numAias,
                 (PKIX_UInt32)state->certIndex,
                 (PKIX_UInt32)state->aiaIndex,
                 (PKIX_UInt32)state->numFanout,
                 (PKIX_UInt32)state->numDepth,
                 (PKIX_UInt32)state->reasonCode,
-                state->revCheckDelayed,
                 state->canBeCached,
                 state->useOnlyLocal,
                 state->revChecking,
                 validityDateString,
                 prevCertString,
                 candidateCertString,
                 traversedSubjNamesString,
                 trustChainString,
                 candidateCertsString,
                 certSelString,
@@ skipping 137 matching lines @@
 static PKIX_Error*
 pkix_ForwardBuilderState_IsIOPending(
         PKIX_ForwardBuilderState *state,
         PKIX_Boolean *pPending,
         void *plContext)
 {
         PKIX_ENTER(FORWARDBUILDERSTATE, "pkix_ForwardBuilderState_IsIOPending");
         PKIX_NULLCHECK_TWO(state, pPending);
 
         if ((state->status == BUILD_GATHERPENDING) ||
-            (state->status == BUILD_CRL1) ||
-            (state->status == BUILD_CRL2) ||
             (state->status == BUILD_CHECKTRUSTED2) ||
             (state->status == BUILD_VALCHAIN2) ||
             (state->status == BUILD_AIAPENDING)) {
                 *pPending = PKIX_TRUE;
         } else {
                 *pPending = PKIX_FALSE;
         }
 
         PKIX_RETURN(FORWARDBUILDERSTATE);
 }
@@ skipping 102 matching lines @@
         goto cleanup; \
     }
 
 /*
  * FUNCTION: pkix_Build_VerifyCertificate
  * DESCRIPTION:
  *
  *  Checks whether the previous Cert stored in the ForwardBuilderState pointed
  *  to by "state" successfully chains, including signature verification, to the
  *  candidate Cert also stored in "state", using the Boolean value in "trusted"
- *  to determine whether "candidateCert" is trusted. Using the Boolean value in
- *  "revocationChecking" for the existence of revocation checking, it sets
- *  "pNeedsCRLChecking" to PKIX_TRUE if the candidate Cert needs to be checked
- *  against Certificate Revocation Lists.
+ *  to determine whether "candidateCert" is trusted.
  *
  *  First it checks whether "candidateCert" has already been traversed by
- *  determining whether it is contained in the List of traversed Certs. It
+ *  determining whether it is contained in the List of traversed Certs. It then
  *  checks the candidate Cert with user checkers, if any, in the List pointed to
- *  by "userCheckers". It then runs the signature validation. Finally, it
- *  determines the appropriate value for "pNeedsCRLChecking".
+ *  by "userCheckers". Finally, it runs the signature validation.
  *
  *  If this Certificate fails verification, and state->verifyNode is non-NULL,
  *  this function sets the Error code into the verifyNode.
  *
  * PARAMETERS:
  *  "state"
  *      Address of ForwardBuilderState to be used. Must be non-NULL.
  *  "userCheckers"
  *      Address of a List of CertChainCheckers to be used, if present, to
  *      validate the candidateCert.
- *  "revocationChecking"
- *      Boolean indication of whether revocation checking is available, either
- *      as a CertChainChecker or a List of RevocationCheckers.
  *  "trusted"
  *      Boolean value of trust for the candidate Cert
- *  "pNeedsCRLChecking"
- *      Address where Boolean CRL-checking-needed value is stored.
- *      Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a Build Error if the function fails in a non-fatal way
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 static PKIX_Error *
 pkix_Build_VerifyCertificate(
         PKIX_ForwardBuilderState *state,
         PKIX_List *userCheckers,
-        PKIX_Boolean revocationChecking,
         PKIX_Boolean *pTrusted,
-        PKIX_Boolean *pNeedsCRLChecking,
         PKIX_VerifyNode *verifyNode,
         void *plContext)
 {
         PKIX_UInt32 numUserCheckers = 0;
         PKIX_UInt32 i = 0;
         PKIX_Boolean loopFound = PKIX_FALSE;
         PKIX_Boolean supportForwardChecking = PKIX_FALSE;
         PKIX_Boolean trusted = PKIX_FALSE;
         PKIX_PL_Cert *candidateCert = NULL;
         PKIX_PL_PublicKey *candidatePubKey = NULL;
         PKIX_CertChainChecker *userChecker = NULL;
         PKIX_CertChainChecker_CheckCallback checkerCheck = NULL;
         PKIX_PL_TrustAnchorMode trustAnchorMode =
                 PKIX_PL_TrustAnchorMode_Ignore;
         void *nbioContext = NULL;
         
         PKIX_ENTER(BUILD, "pkix_Build_VerifyCertificate");
-        PKIX_NULLCHECK_THREE(state, pTrusted, pNeedsCRLChecking);
+        PKIX_NULLCHECK_TWO(state, pTrusted);
         PKIX_NULLCHECK_THREE
                 (state->candidateCerts, state->prevCert, state->trustChain);
 
-        *pNeedsCRLChecking = PKIX_FALSE;
-
         PKIX_INCREF(state->candidateCert);
         candidateCert = state->candidateCert;
 
         if (state->buildConstants.numAnchors) {
             if (state->buildConstants.trustOnlyUserAnchors) {
                 trustAnchorMode = PKIX_PL_TrustAnchorMode_Exclusive;
             } else {
                 trustAnchorMode = PKIX_PL_TrustAnchorMode_Additive;
             }
         } else {
@@ skipping 77 matching lines @@
             PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
                        (candidateCert, &candidatePubKey, plContext),
                        PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
             PKIX_CHECK(PKIX_PL_PublicKey_NeedsDSAParameters
                        (candidatePubKey, &paramsNeeded, plContext),
                        PKIX_PUBLICKEYNEEDSDSAPARAMETERSFAILED);
             if (paramsNeeded) {
                 PKIX_ERROR(PKIX_MISSINGDSAPARAMETERS);
             }
         }
-        
-        
-        if (revocationChecking) {
-            if (!trusted) {
-                if (state->revCheckDelayed) {
-                    goto cleanup;
-                } else {
-                    PKIX_Boolean isSelfIssued = PKIX_FALSE;
-                    PKIX_CHECK(
-                        pkix_IsCertSelfIssued(candidateCert, &isSelfIssued,
-                                              plContext),
-                        PKIX_ISCERTSELFISSUEDFAILED);
-                    if (isSelfIssued) {
-                        state->revCheckDelayed = PKIX_TRUE;
-                        goto cleanup;
-                    }
-                }
-            }
-            *pNeedsCRLChecking = PKIX_TRUE;
-        }
 
 cleanup:
         PKIX_DECREF(candidateCert);
         PKIX_DECREF(candidatePubKey);
         PKIX_DECREF(userChecker);
 
         PKIX_RETURN(BUILD);
 }
 
 /*
@@ skipping 1095 matching lines @@
 pkix_BuildForwardDepthFirstSearch(
         void **pNBIOContext,
         PKIX_ForwardBuilderState *state,
         PKIX_ValidateResult **pValResult,
         void *plContext)
 {
         PKIX_Boolean outOfOptions = PKIX_FALSE;
         PKIX_Boolean trusted = PKIX_FALSE;
         PKIX_Boolean isSelfIssued = PKIX_FALSE;
         PKIX_Boolean canBeCached = PKIX_FALSE;
-        PKIX_Boolean revocationCheckingExists = PKIX_FALSE;
-        PKIX_Boolean needsCRLChecking = PKIX_FALSE;
         PKIX_Boolean ioPending = PKIX_FALSE;
         PKIX_PL_Date *validityDate = NULL;
         PKIX_PL_Date *currTime  = NULL;
         PKIX_Int32 childTraversedCACerts = 0;
         PKIX_UInt32 numSubjectNames = 0;
         PKIX_UInt32 numChained = 0;
         PKIX_Int32 cmpTimeResult = 0;
         PKIX_UInt32 i = 0;
         PKIX_UInt32 certsSoFar = 0;
         PKIX_List *childTraversedSubjNames = NULL;
@@ skipping 290 matching lines @@
             }
 
             /* ****Phase 2 - Chain building***** */
 
 #if PKIX_FORWARDBUILDERSTATEDEBUG
             PKIX_CHECK(pkix_ForwardBuilderState_DumpState(state, plContext),
                     PKIX_FORWARDBUILDERSTATEDUMPSTATEFAILED);
 #endif
 
             if (state->status == BUILD_CERTVALIDATING) {
-                    revocationCheckingExists =
-                        (state->buildConstants.revChecker != NULL);
-
                     PKIX_DECREF(state->candidateCert);
                     PKIX_CHECK(PKIX_List_GetItem
                             (state->candidateCerts,
                             state->certIndex,
                             (PKIX_PL_Object **)&(state->candidateCert),
                             plContext),
                             PKIX_LISTGETITEMFAILED);
 
                     if ((state->verifyNode) != NULL) {
                             PKIX_CHECK_FATAL(pkix_VerifyNode_Create
                                     (state->candidateCert,
                                     0,
                                     NULL,
                                     &verifyNode,
                                     plContext),
                                     PKIX_VERIFYNODECREATEFAILED);
                     }
 
                     /* If failure, this function sets Error in verifyNode */
                     verifyError = pkix_Build_VerifyCertificate
                             (state,
                             state->buildConstants.userCheckers,
-                            revocationCheckingExists,
                             &trusted,
-                            &needsCRLChecking,
                             verifyNode,
                             plContext);
 
                     if (verifyError) {
                             pkixTempErrorReceived = PKIX_TRUE;
                             pkixErrorClass = verifyError->errClass;
                             if (pkixErrorClass == PKIX_FATAL_ERROR) {
                                 pkixErrorResult = verifyError;
                                 verifyError = NULL;
                                 goto fatal;
@@ skipping 14 matching lines @@
                             }
                             pkixTempErrorReceived = PKIX_FALSE;
                             PKIX_DECREF(finalError);
                             finalError = verifyError;
                             verifyError = NULL;
                             if (state->certLoopingDetected) {
                                 PKIX_ERROR
                                     (PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED);
                             }
                             state->status = BUILD_GETNEXTCERT;
-                    } else if (needsCRLChecking) {
-                            state->status = BUILD_CRLPREP;
                     } else {
                             state->status = BUILD_DATEPREP;
                     }
             }
 
-            if (state->status == BUILD_CRLPREP) {
-                PKIX_RevocationStatus revStatus;
-                PKIX_UInt32 reasonCode;
-
-                verifyError =
-                    PKIX_RevocationChecker_Check(
-                             state->prevCert, state->candidateCert,
-                             state->buildConstants.revChecker,
-                             state->buildConstants.procParams,
-                             PKIX_FALSE,
-                             (state->parentState == NULL) ?
-                                              PKIX_TRUE : PKIX_FALSE,
-                             &revStatus, &reasonCode,
-                             &nbio, plContext);
-                if (nbio != NULL) {
-                    *pNBIOContext = nbio;
-                    goto cleanup;
-                }
-                if (revStatus == PKIX_RevStatus_Revoked || verifyError) {
-                    if (!verifyError) {
-                        /* if verifyError is returned then use it as
-                         * it has a detailed revocation error code.
-                         * Otherwise create a new error */
-                        PKIX_ERROR_CREATE(VALIDATE, PKIX_CERTIFICATEREVOKED,
-                                          verifyError);
-                    }
-                    if (state->verifyNode != NULL) {
-                            PKIX_CHECK_FATAL(pkix_VerifyNode_SetError
-                                    (verifyNode, verifyError, plContext),
-                                    PKIX_VERIFYNODESETERRORFAILED);
-                            PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree
-                                    (state->verifyNode,
-                                    verifyNode,
-                                    plContext),
-                                    PKIX_VERIFYNODEADDTOTREEFAILED);
-                            PKIX_DECREF(verifyNode);
-                    }
-                    PKIX_DECREF(finalError);
-                    finalError = verifyError;
-                    verifyError = NULL;
-                    if (state->certLoopingDetected) {
-                            PKIX_ERROR
-                                (PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED);
-                    }
-                    state->status = BUILD_GETNEXTCERT;
-                } else {
-                    state->status = BUILD_DATEPREP;
-                }
-            }
-
             if (state->status == BUILD_DATEPREP) {
                     /* Keep track of whether this chain can be cached */
                     PKIX_CHECK(pkix_Build_UpdateDate(state, plContext),
                             PKIX_BUILDUPDATEDATEFAILED);
     
                     canBeCached = state->canBeCached;
                     PKIX_DECREF(validityDate);
                     PKIX_INCREF(state->validityDate);
                     validityDate = state->validityDate;
                     if (trusted == PKIX_TRUE) {
@@ skipping 181 matching lines @@
                                     PKIX_LISTAPPENDITEMFAILED);
                                 PKIX_DECREF(subjectName);
                             }
                             PKIX_DECREF(subjectNames);
                         }
             
                         PKIX_CHECK(pkix_ForwardBuilderState_Create
                             (childTraversedCACerts,
                             state->buildConstants.maxFanout,
                             state->numDepth - 1,
-                            state->revCheckDelayed,
                             canBeCached,
                             validityDate,
                             state->candidateCert,
                             childTraversedSubjNames,
                             state->trustChain,
                             state,
                             &childState,
                             plContext),
                             PKIX_FORWARDBUILDSTATECREATEFAILED);
 
@@ skipping 789 matching lines @@
             buildConstants.trustOnlyUserAnchors =
                     procParams->useOnlyTrustAnchors;
 
             PKIX_CHECK(pkix_Build_GetResourceLimits(&buildConstants, plContext),
                     PKIX_BUILDGETRESOURCELIMITSFAILED);
     
             PKIX_CHECK(pkix_ForwardBuilderState_Create
                     (0,              /* PKIX_UInt32 traversedCACerts */
                     buildConstants.maxFanout,
                     buildConstants.maxDepth,
-                    PKIX_FALSE,      /* PKIX_Boolean revCheckDelayed */
                     PKIX_TRUE,       /* PKIX_Boolean canBeCached */
                     NULL,            /* PKIX_Date *validityDate */
                     targetCert,      /* PKIX_PL_Cert *prevCert */
                     targetSubjNames, /* PKIX_List *traversedSubjNames */
                     tentativeChain,  /* PKIX_List *trustChain */
                     NULL,            /* PKIX_ForwardBuilderState *parent */
                     &state,          /* PKIX_ForwardBuilderState **pState */
                     plContext),
                     PKIX_BUILDSTATECREATEFAILED);
     
@@ skipping 311 matching lines @@
                 *pBuildResult = buildResult;
                 buildResult = NULL;
         }
 
 cleanup:
         PKIX_DECREF(buildResult);
         PKIX_DECREF(state);
 
         PKIX_RETURN(BUILD);
 }