diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO index 91f7b39828d5..a68b3dc8f8a3 100644 --- a/security/nss/TAG-INFO +++ b/security/nss/TAG-INFO @@ -1 +1 @@ -NSS_3_17_1_RTM +NSS_3_17_2_BETA1 diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep index 5182f75552c8..590d1bfaeee3 100644 --- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -10,3 +10,4 @@ */ #error "Do not include this header file." + diff --git a/security/nss/lib/freebl/ec.c b/security/nss/lib/freebl/ec.c index ca53c1ae8874..6af242dc1083 100644 --- a/security/nss/lib/freebl/ec.c +++ b/security/nss/lib/freebl/ec.c @@ -870,6 +870,11 @@ cleanup: /* ** Checks the signature on the given digest using the key provided. +** +** The key argument must represent a valid EC public key (a point on +** the relevant curve). If it is not a valid point, then the behavior +** of this function is undefined. In cases where a public key might +** not be valid, use EC_ValidatePublicKey to check. */ SECStatus ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature, diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index 628cb640fe7d..ed8267206ee6 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -33,12 +33,12 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define NSS_VERSION "3.17.1" _NSS_ECC_STRING _NSS_CUSTOMIZED +#define NSS_VERSION "3.17.2" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta" #define NSS_VMAJOR 3 #define NSS_VMINOR 17 -#define NSS_VPATCH 1 +#define NSS_VPATCH 2 #define NSS_VBUILD 0 -#define NSS_BETA PR_FALSE +#define NSS_BETA PR_TRUE #ifndef RC_INVOKED diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c index 6fa4e4ecce38..f25ca502f25d 100644 --- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c 
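Review bot: The comment added above ECDSA_VerifyDigest in ec.c describes the invalid-key case only as "undefined" behavior, which documents the precondition without enforcing it and does not tell a caller how to treat the result. I would state the obligation directly, for example `** Callers must validate untrusted keys with EC_ValidatePublicKey first; the result is not meaningful otherwise.` This commit adds that validation only in softoken's sftk_handlePublicKeyObject, so any code that calls freebl directly still depends on this comment being read; whether such callers exist is not visible in this diff. The function body lies outside the hunk.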
@@ -969,6 +969,17 @@ sftk_handlePublicKeyObject(SFTKSession *session, SFTKObject *object, } object->infoFree = (SFTKFree) nsslowkey_DestroyPublicKey; + // Check that an imported EC key is valid + if (key_type == CKK_EC) { + NSSLOWKEYPublicKey *pubKey = (NSSLOWKEYPublicKey*) object->objectInfo; + SECStatus rv = EC_ValidatePublicKey(&pubKey->u.ec.ecParams, + &pubKey->u.ec.publicValue); + + if (rv != SECSuccess) { + return CKR_TEMPLATE_INCONSISTENT; + } + } + if (sftk_isTrue(object,CKA_TOKEN)) { SFTKSlot *slot = session->slot; SFTKDBHandle *certHandle = sftk_getCertDB(slot); diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h index 0c3482fc45c4..08d6689e321f 100644 --- a/security/nss/lib/softoken/softkver.h +++ b/security/nss/lib/softoken/softkver.h @@ -25,11 +25,11 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define SOFTOKEN_VERSION "3.17.1" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.17.2" SOFTOKEN_ECC_STRING " Beta" #define SOFTOKEN_VMAJOR 3 #define SOFTOKEN_VMINOR 17 -#define SOFTOKEN_VPATCH 1 +#define SOFTOKEN_VPATCH 2 #define SOFTOKEN_VBUILD 0 -#define SOFTOKEN_BETA PR_FALSE +#define SOFTOKEN_BETA PR_TRUE #endif /* _SOFTKVER_H_ */ diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h index 5e471f7ca10a..f1ae8e3e2c64 100644 --- a/security/nss/lib/util/nssutil.h +++ b/security/nss/lib/util/nssutil.h @@ -19,12 +19,12 @@ * The format of the version string should be * ".[.[.]][ ]" */ -#define NSSUTIL_VERSION "3.17.1" +#define NSSUTIL_VERSION "3.17.2 Beta" #define NSSUTIL_VMAJOR 3 #define NSSUTIL_VMINOR 17 -#define NSSUTIL_VPATCH 1 +#define NSSUTIL_VPATCH 2 #define NSSUTIL_VBUILD 0 -#define NSSUTIL_BETA PR_FALSE +#define NSSUTIL_BETA PR_TRUE SEC_BEGIN_PROTOS diff --git a/security/nss/tests/chains/chains.sh b/security/nss/tests/chains/chains.sh old mode 100644 new mode 100755
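Review bot: The new comment `// Check that an imported EC key is valid` in sftk_handlePublicKeyObject says what is checked but not why, and it uses a C++-style comment where the other sources in this diff use `/* */`. I would write `/* Reject EC public keys whose point is not on the curve; ECDSA_VerifyDigest requires a valid point. */`, which ties the check to the contract documented in ec.c by this same commit. The block casts and dereferences `object->objectInfo` with no NULL test inside the hunk. The `}` context line just above presumably closes one, but the function starts and ends outside the hunk, so that should be confirmed. It is also worth confirming that any other path handing a public key to the EC routines gets the same validation, since this hunk covers only object creation.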