Add SECMOD_LockedModuleHasRemovableSlots and update version.

backport-Bug-1753315-Add-SECMOD_LockedModuleHasRemovableSlots.patch

@@ -0,0 +1,185 @@
+From f371f1384fa063007513bfb8e0a3966736968c84 Mon Sep 17 00:00:00 2001
+From: "John M. Schanck" <jschanck@mozilla.com>
+Date: Mon, 16 May 2022 18:27:29 +0000
+Subject: [PATCH] Bug 1753315 - Add SECMOD_LockedModuleHasRemovableSlots.
+ r=rrelyea
+
+Differential Revision: https://phabricator.services.mozilla.com/D137702
+
+--HG--
+extra : moz-landing-system : lando
+---
+ .../abi-check/expected-report-libnss3.so.txt  |  5 ++++
+ lib/nss/nss.def                               |  6 +++++
+ lib/pk11wrap/pk11list.c                       |  4 +--
+ lib/pk11wrap/pk11util.c                       | 23 +++++++++++-----
+ lib/pk11wrap/secmod.h                         | 27 +++++++++++++++++++
+ lib/util/nssrwlk.h                            |  5 ++--
+ 6 files changed, 60 insertions(+), 10 deletions(-)
+
+diff --git a/automation/abi-check/expected-report-libnss3.so.txt b/automation/abi-check/expected-report-libnss3.so.txt
+index e69de29bb2..57aeb8c7b5 100644
+--- a/automation/abi-check/expected-report-libnss3.so.txt
++++ b/automation/abi-check/expected-report-libnss3.so.txt
+@@ -0,0 +1,5 @@
++
++1 Added function:
++
++  'function PRBool SECMOD_LockedModuleHasRemovableSlots(SECMODModule*)'    {SECMOD_LockedModuleHasRemovableSlots@@NSS_3.79}
++
+diff --git a/lib/nss/nss.def b/lib/nss/nss.def
+index dd352d81a0..35850caeea 100644
+--- a/lib/nss/nss.def
++++ b/lib/nss/nss.def
+@@ -1247,3 +1247,9 @@ PK11_FindObjectForCert;
+ ;+    local:
+ ;+       *;
+ ;+};
++;+NSS_3.79 { 	# NSS 3.79 release
++;+    global:
++SECMOD_LockedModuleHasRemovableSlots;
++;+    local:
++;+       *;
++;+};
+diff --git a/lib/pk11wrap/pk11list.c b/lib/pk11wrap/pk11list.c
+index aaf29f69dd..beca1a71c1 100644
+--- a/lib/pk11wrap/pk11list.c
++++ b/lib/pk11wrap/pk11list.c
+@@ -32,8 +32,8 @@ SECMOD_DestroyListLock(SECMODListLock *lock)
+ }
+ 
+ /*
+- * Lock the List for Read: NOTE: this assumes the reading isn't so common
+- * the writing will be starved.
++ * Lock the list for reading.
++ * Note: this uses a non-reentrant lock. Writers are given preference.
+  */
+ void
+ SECMOD_GetReadLock(SECMODListLock *modLock)
+diff --git a/lib/pk11wrap/pk11util.c b/lib/pk11wrap/pk11util.c
+index 0862ee2891..f6b66c3e33 100644
+--- a/lib/pk11wrap/pk11util.c
++++ b/lib/pk11wrap/pk11util.c
+@@ -1002,6 +1002,8 @@ SECMOD_CanDeleteInternalModule(void)
+  * C_GetSlotList(flag, &data, &count) so that the array doesn't accidently
+  * grow on the caller. It is permissible for the slots to increase between
+  * successive calls with NULL to get the size.
++ *
++ * Caller must not hold a module list read lock.
+  */
+ SECStatus
+ SECMOD_UpdateSlotList(SECMODModule *mod)
+@@ -1344,14 +1346,27 @@ SECMOD_CancelWait(SECMODModule *mod)
+ PRBool
+ SECMOD_HasRemovableSlots(SECMODModule *mod)
+ {
+-    int i;
+     PRBool ret = PR_FALSE;
+-
+     if (!moduleLock) {
+         PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+         return ret;
+     }
+     SECMOD_GetReadLock(moduleLock);
++    ret = SECMOD_LockedModuleHasRemovableSlots(mod);
++    SECMOD_ReleaseReadLock(moduleLock);
++    return ret;
++}
++
++PRBool
++SECMOD_LockedModuleHasRemovableSlots(SECMODModule *mod)
++{
++    int i;
++    PRBool ret;
++    if (mod->slotCount == 0) {
++        return PR_TRUE;
++    }
++
++    ret = PR_FALSE;
+     for (i = 0; i < mod->slotCount; i++) {
+         PK11SlotInfo *slot = mod->slots[i];
+         /* perm modules are not inserted or removed */
+@@ -1361,10 +1376,6 @@ SECMOD_HasRemovableSlots(SECMODModule *mod)
+         ret = PR_TRUE;
+         break;
+     }
+-    if (mod->slotCount == 0) {
+-        ret = PR_TRUE;
+-    }
+-    SECMOD_ReleaseReadLock(moduleLock);
+     return ret;
+ }
+ 
+diff --git a/lib/pk11wrap/secmod.h b/lib/pk11wrap/secmod.h
+index fcc770780c..53181f0118 100644
+--- a/lib/pk11wrap/secmod.h
++++ b/lib/pk11wrap/secmod.h
+@@ -143,7 +143,31 @@ extern unsigned long SECMOD_PubMechFlagstoInternal(unsigned long publicFlags);
+ extern unsigned long SECMOD_InternaltoPubMechFlags(unsigned long internalFlags);
+ extern unsigned long SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags);
+ 
++/*
++ * Check to see if the module has removable slots that we may need to
++ * watch for.
++ *
++ * NB: This function acquires the module list lock in order to access
++ * mod->slotCount and mod->slots. Deadlock can occur if the caller holds the
++ * module list lock. Callers that already hold the module list lock must use
++ * SECMOD_LockedModuleHasRemovableSlots instead.
++ */
+ PRBool SECMOD_HasRemovableSlots(SECMODModule *mod);
++
++/*
++ * Like SECMOD_HasRemovableSlots but this function does not acquire the module
++ * list lock.
++ */
++PRBool SECMOD_LockedModuleHasRemovableSlots(SECMODModule *mod);
++
++/*
++ * this function waits for a token event on any slot of a given module
++ * This function should not be called from more than one thread of the
++ * same process (though other threads can make other library calls
++ * on this module while this call is blocked).
++ *
++ * Caller must not hold a module list read lock.
++ */
+ PK11SlotInfo *SECMOD_WaitForAnyTokenEvent(SECMODModule *mod,
+                                           unsigned long flags, PRIntervalTime latency);
+ /*
+@@ -153,6 +177,7 @@ PK11SlotInfo *SECMOD_WaitForAnyTokenEvent(SECMODModule *mod,
+  * shutting down  the module.
+  */
+ SECStatus SECMOD_CancelWait(SECMODModule *mod);
++
+ /*
+  * check to see if the module has added new slots. PKCS 11 v2.20 allows for
+  * modules to add new slots, but never remove them. Slots not be added between
+@@ -160,6 +185,8 @@ SECStatus SECMOD_CancelWait(SECMODModule *mod);
+  * C_GetSlotList(flag, &data, &count) so that the array doesn't accidently
+  * grow on the caller. It is permissible for the slots to increase between
+  * corresponding calls with NULL to get the size.
++ *
++ * Caller must not hold a module list read lock.
+  */
+ SECStatus SECMOD_UpdateSlotList(SECMODModule *mod);
+ SEC_END_PROTOS
+diff --git a/lib/util/nssrwlk.h b/lib/util/nssrwlk.h
+index 2ae6931225..8e1fa6fbe1 100644
+--- a/lib/util/nssrwlk.h
++++ b/lib/util/nssrwlk.h
+@@ -5,12 +5,13 @@
+ /*
+ ** File:        nsrwlock.h
+ ** Description: API to basic reader-writer lock functions of NSS.
+-**  These are re-entrant reader writer locks; that is,
++**  These locks allow re-entry from writers but not readers. That is,
+ **  If I hold the write lock, I can ask for it and get it again.
+ **  If I hold the write lock, I can also ask for and get a read lock.
+ **      I can then release the locks in any order (read or write).
++**  If I hold a read lock, I must not ask for another read lock or
++**      the write lock.
+ **  I must release each lock type as many times as I acquired it.
+-**  Otherwise, these are normal reader/writer locks.
+ **
+ ** For deadlock detection, locks should be ranked, and no lock may be aquired
+ ** while I hold a lock of higher rank number.

nss-config

@@ -3,7 +3,7 @@
 prefix=/usr
 
 major_version=3
-minor_version=54
+minor_version=72
 patch_version=0
 
 usage()

nss-softokn-config

@@ -3,7 +3,7 @@
 prefix=/usr
 
 major_version=3
-minor_version=54
+minor_version=72
 patch_version=0
 
 usage()

nss-softokn.pc

@@ -6,6 +6,6 @@ includedir=/usr/include/nss3
 Name: NSS-SOFTOKN
 Description: Network Security Services Softoken PKCS #11 Module
 Version: 3.54
-Requires: nspr >= 4.20.0, nss-util >= 3.54
+Requires: nspr >= 4.26.0, nss-util >= 3.72
 Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
 Cflags: -I${includedir}

nss-util-config

@@ -3,7 +3,7 @@
 prefix=/usr
 
 major_version=3
-minor_version=54
+minor_version=72
 patch_version=0
 
 usage()

nss-util.pc

@@ -5,7 +5,7 @@ includedir=/usr/include/nss3
 
 Name: NSS-UTIL
 Description: Network Security Services Utility Library
-Version: 3.54
-Requires: nspr >= 4.20.0
+Version: 3.72
+Requires: nspr >= 4.26.0
 Libs: -L${libdir} -lnssutil3
 Cflags: -I${includedir}

nss.pc

@@ -6,6 +6,6 @@ includedir=/usr/include/nss3
 Name: NSS
 Description: Network Security Services
 Version: 3.54
-Requires: nspr >= 4.20.0, nss-util >= 3.54
+Requires: nspr >= 4.26.0, nss-util >= 3.72
 Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
 Cflags: -I${includedir}

nss.spec

@@ -14,7 +14,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          6
+Release:          7
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Provides:         nss-system-init
@@ -40,6 +40,7 @@ Source14:         blank-key4.db
 Source15:         system-pkcs11.txt
 Source16:         setup-nsssysinit.sh
 Patch0:           nss-539183.patch
+Patch1:           backport-Bug-1753315-Add-SECMOD_LockedModuleHasRemovableSlots.patch
 
 Patch6000:        backport-CVE-2021-43527.patch
 
@@ -132,6 +133,7 @@ Help document for NSS
 
 %patch0 -p0 -b .539183
 pushd nss
+%patch1 -p1
 %patch6000 -p1
 %patch9000 -p1
 %patch9001 -p1
@@ -559,6 +561,9 @@ update-crypto-policies &>/dev/null||:
 %doc %{_mandir}/man*
 
 %changelog
+* Tue Apr 18 2023 jinlun <jinlun@huawei.com> - 3.72.0-7
+- Add SECMOD_LockedModuleHasRemovableSlots and update version.
+
 * Wed Feb 15 2023 zhouchenchen <zhouchenchen@huawei.com> - 3.72.0-6
 - fix spelling mistake