From c951c5c472b274379a71e4449b2c5c0ea44976c4 Mon Sep 17 00:00:00 2001 From: Brian Smith Date: Thu, 16 Feb 2012 19:16:42 -0800 Subject: [PATCH] Bug 713936: Update to NSS_3_13_2_RTM (NSS 3.13.2), r=kai --- security/coreconf/coreconf.dep | 1 + security/nss/TAG-INFO | 2 +- security/nss/cmd/tstclnt/tstclnt.c | 3 ++- security/nss/lib/nss/nss.h | 6 +++--- security/nss/lib/softoken/softkver.h | 4 ++-- security/nss/lib/ssl/ssl.h | 25 +++++++++++++++++-------- security/nss/lib/ssl/ssl3con.c | 8 ++++---- security/nss/lib/ssl/ssl3ext.c | 12 ++++++------ security/nss/lib/ssl/sslimpl.h | 4 ++-- security/nss/lib/ssl/sslsecur.c | 6 +++--- security/nss/lib/ssl/sslsock.c | 17 ++++++++++++++++- security/nss/lib/ssl/sslt.h | 4 ++-- security/nss/lib/util/nssutil.h | 4 ++-- 13 files changed, 61 insertions(+), 35 deletions(-) diff --git a/security/coreconf/coreconf.dep b/security/coreconf/coreconf.dep index b75161110bb5..b536cfc01b91 100644 --- a/security/coreconf/coreconf.dep +++ b/security/coreconf/coreconf.dep @@ -42,3 +42,4 @@ */ #error "Do not include this header file." + diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO index ce7da6e81f8d..afb975faf11d 100644 --- a/security/nss/TAG-INFO +++ b/security/nss/TAG-INFO @@ -1 +1 @@ -NSS_3_13_2_RC0 +NSS_3_13_2_RTM diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c index 8a8071b371be..52ef9a15f726 100644 --- a/security/nss/cmd/tstclnt/tstclnt.c +++ b/security/nss/cmd/tstclnt/tstclnt.c @@ -325,7 +325,8 @@ ownAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, { ServerCertAuth * serverCertAuth = (ServerCertAuth *) arg; - FPRINTF(stderr, "using asynchronous certificate validation\n"); + FPRINTF(stderr, "%s: using asynchronous certificate validation\n", + progName); PORT_Assert(serverCertAuth->shouldPause); PORT_Assert(!serverCertAuth->isPaused); diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index 83393ed8e89f..405c0596df94 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: nss.h,v 1.88 2012/02/13 21:34:08 kaie%kuix.de Exp $ */ +/* $Id: nss.h,v 1.89 2012/02/15 21:56:55 kaie%kuix.de Exp $ */ #ifndef __nss_h_ #define __nss_h_ @@ -66,11 +66,11 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define NSS_VERSION "3.13.2.0" _NSS_ECC_STRING _NSS_CUSTOMIZED +#define NSS_VERSION "3.13.2.1" _NSS_ECC_STRING _NSS_CUSTOMIZED #define NSS_VMAJOR 3 #define NSS_VMINOR 13 #define NSS_VPATCH 2 -#define NSS_VBUILD 0 +#define NSS_VBUILD 1 #define NSS_BETA PR_FALSE #ifndef RC_INVOKED diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h index d2c2763c1ea7..4a3bf4c33477 100644 --- a/security/nss/lib/softoken/softkver.h +++ b/security/nss/lib/softoken/softkver.h @@ -57,11 +57,11 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define SOFTOKEN_VERSION "3.13.2.0" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.13.2.1" SOFTOKEN_ECC_STRING #define SOFTOKEN_VMAJOR 3 #define SOFTOKEN_VMINOR 13 #define SOFTOKEN_VPATCH 2 -#define SOFTOKEN_VBUILD 0 +#define SOFTOKEN_VBUILD 1 #define SOFTOKEN_BETA PR_FALSE #endif /* _SOFTKVER_H_ */ diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h index f93a2e27f2ce..74da9119b7bc 100644 --- a/security/nss/lib/ssl/ssl.h +++ b/security/nss/lib/ssl/ssl.h @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: ssl.h,v 1.48 2012/02/11 12:58:47 kaie%kuix.de Exp $ */ +/* $Id: ssl.h,v 1.49 2012/02/15 21:52:08 kaie%kuix.de Exp $ */ #ifndef __ssl_h_ #define __ssl_h_ @@ -347,11 +347,14 @@ SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd); ** ** If the authenticate certificate hook returns SECFailure, then the bad cert ** hook will be called. The bad cert handler is NEVER called if the -** authenticate certificate hook returns SECWouldBlock. +** authenticate certificate hook returns SECWouldBlock. If the application +** needs to handle and/or override a bad cert, it should do so before it +** calls SSL_AuthCertificateComplete (modifying the error it passes to +** SSL_AuthCertificateComplete as needed). ** ** See the documentation for SSL_AuthCertificateComplete for more information ** about the asynchronous behavior that occurs when the authenticate -** certificate hook returns SECWouldBlock +** certificate hook returns SECWouldBlock. */ typedef SECStatus (PR_CALLBACK *SSLAuthCertificate)(void *arg, PRFileDesc *fd, PRBool checkSig, @@ -772,11 +775,11 @@ extern const char *NSSSSL_GetVersion(void); * a connection; it does not work for the server role. * * The application must call SSL_AuthCertificateComplete with 0 as the value of - * status parameter after it has successfully validated the peer's certificate, - * in order to continue the SSL handshake. + * the error parameter after it has successfully validated the peer's + * certificate, in order to continue the SSL handshake. * * The application may call SSL_AuthCertificateComplete with a non-zero value - * for status (e.g. SEC_ERROR_REVOKED_CERTIFICATE) when certificate validation + * for error (e.g. SEC_ERROR_REVOKED_CERTIFICATE) when certificate validation * fails, before it closes the connection. If the application does so, an * alert corresponding to the error (e.g. certificate_revoked) will be sent to * the peer. See the source code of the internal function @@ -816,10 +819,16 @@ extern const char *NSSSSL_GetVersion(void); * Returns SECFailure on failure, SECSuccess on success. Never returns * SECWouldBlock. Note that SSL_AuthCertificateComplete will (usually) return * SECSuccess; do not interpret the return value of SSL_AuthCertificateComplete - * as an indicator of whether it is OK to continue using the connection. + * as an indicator of whether it is OK to continue using the connection. For + * example, SSL_AuthCertificateComplete(fd, SEC_ERROR_REVOKED_CERTIFICATE) will + * return SECSuccess (normally), but that does not mean that the application + * should continue using the connection. If the application passes a non-zero + * value for second argument (error), or if SSL_AuthCertificateComplete returns + * anything other than SECSuccess, then the application should close the + * connection. */ SSL_IMPORT SECStatus SSL_AuthCertificateComplete(PRFileDesc *fd, - PRErrorCode status); + PRErrorCode error); SEC_END_PROTOS #endif /* __ssl_h_ */ diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index f17d4c1d7242..a9161534c080 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -39,7 +39,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: ssl3con.c,v 1.162 2012/02/11 13:03:08 kaie%kuix.de Exp $ */ +/* $Id: ssl3con.c,v 1.163 2012/02/15 21:52:08 kaie%kuix.de Exp $ */ #include "cert.h" #include "ssl.h" @@ -8146,7 +8146,7 @@ ssl3_AlwaysFail(sslSocket * ss) /* Caller must hold 1stHandshakeLock. */ SECStatus -ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode status) +ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error) { SECStatus rv; @@ -8168,9 +8168,9 @@ ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode status) ss->ssl3.hs.authCertificatePending = PR_FALSE; - if (status != 0) { + if (error != 0) { ss->ssl3.hs.restartTarget = ssl3_AlwaysFail; - ssl3_SendAlertForCertError(ss, status); + ssl3_SendAlertForCertError(ss, error); rv = SECSuccess; } else if (ss->ssl3.hs.restartTarget != NULL) { sslRestartTarget target = ss->ssl3.hs.restartTarget; diff --git a/security/nss/lib/ssl/ssl3ext.c b/security/nss/lib/ssl/ssl3ext.c index f0cd26e3b00f..6aa00c368b90 100644 --- a/security/nss/lib/ssl/ssl3ext.c +++ b/security/nss/lib/ssl/ssl3ext.c @@ -41,7 +41,7 @@ * ***** END LICENSE BLOCK ***** */ /* TLS extension code moved here from ssl3ecc.c */ -/* $Id: ssl3ext.c,v 1.20 2011/11/16 19:12:35 kaie%kuix.de Exp $ */ +/* $Id: ssl3ext.c,v 1.21 2012/02/15 21:52:08 kaie%kuix.de Exp $ */ #include "nssrenam.h" #include "nss.h" @@ -241,7 +241,7 @@ static const ssl3HelloExtensionHandler clientHelloHandlers[] = { #endif { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, - { ssl_next_proto_neg_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, + { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, { -1, NULL } }; @@ -252,7 +252,7 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { /* TODO: add a handler for ssl_ec_point_formats_xtn */ { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, - { ssl_next_proto_neg_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, + { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, { -1, NULL } }; @@ -276,7 +276,7 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, #endif { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, - { ssl_next_proto_neg_xtn, &ssl3_ClientSendNextProtoNegoXtn } + { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn } /* any extra entries will appear as { 0, NULL } */ }; @@ -641,14 +641,14 @@ ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append, if (append && maxBytes >= extension_length) { SECStatus rv; - rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_neg_xtn, 2); + rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2); if (rv != SECSuccess) goto loser; rv = ssl3_AppendHandshakeNumber(ss, 0, 2); if (rv != SECSuccess) goto loser; ss->xtnData.advertised[ss->xtnData.numAdvertised++] = - ssl_next_proto_neg_xtn; + ssl_next_proto_nego_xtn; } else if (maxBytes < extension_length) { return 0; } diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h index f2573536dfcf..123fce810102 100644 --- a/security/nss/lib/ssl/sslimpl.h +++ b/security/nss/lib/ssl/sslimpl.h @@ -39,7 +39,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslimpl.h,v 1.93 2012/02/11 12:58:47 kaie%kuix.de Exp $ */ +/* $Id: sslimpl.h,v 1.94 2012/02/15 21:52:08 kaie%kuix.de Exp $ */ #ifndef __sslimpl_h_ #define __sslimpl_h_ @@ -1359,7 +1359,7 @@ extern void ssl_FreeSocket(struct sslSocketStr *ssl); extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc); -extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode status); +extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error); /* * for dealing with SSL 3.0 clients sending SSL 2.0 format hellos diff --git a/security/nss/lib/ssl/sslsecur.c b/security/nss/lib/ssl/sslsecur.c index 71b87aba52eb..61148d33408d 100644 --- a/security/nss/lib/ssl/sslsecur.c +++ b/security/nss/lib/ssl/sslsecur.c @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslsecur.c,v 1.56 2012/02/11 12:58:47 kaie%kuix.de Exp $ */ +/* $Id: sslsecur.c,v 1.57 2012/02/15 21:52:08 kaie%kuix.de Exp $ */ #include "cert.h" #include "secitem.h" #include "keyhi.h" @@ -1488,7 +1488,7 @@ SSL_RestartHandshakeAfterServerCert(sslSocket * ss) /* See documentation in ssl.h */ SECStatus -SSL_AuthCertificateComplete(PRFileDesc *fd, PRErrorCode status) +SSL_AuthCertificateComplete(PRFileDesc *fd, PRErrorCode error) { SECStatus rv; sslSocket *ss = ssl_FindSocket(fd); @@ -1508,7 +1508,7 @@ SSL_AuthCertificateComplete(PRFileDesc *fd, PRErrorCode status) PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); rv = SECFailure; } else { - rv = ssl3_AuthCertificateComplete(ss, status); + rv = ssl3_AuthCertificateComplete(ss, error); } ssl_Release1stHandshakeLock(ss); diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c index af9dcf506d27..22206f7fa143 100644 --- a/security/nss/lib/ssl/sslsock.c +++ b/security/nss/lib/ssl/sslsock.c @@ -40,7 +40,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslsock.c,v 1.81 2012/02/11 13:20:53 kaie%kuix.de Exp $ */ +/* $Id: sslsock.c,v 1.82 2012/02/15 21:52:08 kaie%kuix.de Exp $ */ #include "seccomon.h" #include "cert.h" #include "keyhi.h" @@ -1964,8 +1964,23 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags) * the caller to poll the socket unless there is pending write data. */ if (ss->lastWriteBlocked && ss->pendingBuf.len != 0) { + /* Ignore any newly-received data on the socket, but do wait for + * the socket to become writable again. Here, it is OK for an error + * to be detected, because our logic for sending pending write data + * will allow us to report the error to the caller without the risk + * of the application spinning. + */ new_flags &= (PR_POLL_WRITE | PR_POLL_EXCEPT); } else { + /* Unfortunately, clearing new_flags will make it impossible for + * the application to detect errors that it would otherwise be + * able to detect with PR_POLL_EXCEPT, until the asynchronous + * callback completes. However, we must clear all the flags to + * prevent the application from spinning (alternating between + * calling PR_Poll that would return PR_POLL_EXCEPT, and send/recv + * which won't actually report the I/O error while we are waiting + * for the asynchronous callback to complete). + */ new_flags = 0; } } diff --git a/security/nss/lib/ssl/sslt.h b/security/nss/lib/ssl/sslt.h index 644668801d42..8991fb4e04d1 100644 --- a/security/nss/lib/ssl/sslt.h +++ b/security/nss/lib/ssl/sslt.h @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslt.h,v 1.17 2011/10/29 00:29:11 bsmith%mozilla.com Exp $ */ +/* $Id: sslt.h,v 1.18 2012/02/15 21:52:08 kaie%kuix.de Exp $ */ #ifndef __sslt_h_ #define __sslt_h_ @@ -203,7 +203,7 @@ typedef enum { ssl_ec_point_formats_xtn = 11, #endif ssl_session_ticket_xtn = 35, - ssl_next_proto_neg_xtn = 13172, + ssl_next_proto_nego_xtn = 13172, ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ } SSLExtensionType; diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h index f32f270bcd6c..d6cedb3b585e 100644 --- a/security/nss/lib/util/nssutil.h +++ b/security/nss/lib/util/nssutil.h @@ -51,11 +51,11 @@ * The format of the version string should be * ".[.[.]][ ]" */ -#define NSSUTIL_VERSION "3.13.2.0" +#define NSSUTIL_VERSION "3.13.2.1" #define NSSUTIL_VMAJOR 3 #define NSSUTIL_VMINOR 13 #define NSSUTIL_VPATCH 2 -#define NSSUTIL_VBUILD 0 +#define NSSUTIL_VBUILD 1 #define NSSUTIL_BETA PR_FALSE SEC_BEGIN_PROTOS