mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 504080: Update NSS to the NSS_3_12_4_RTM CVS tag. r=kaie.

This commit is contained in:
Wan-Teh Chang 2009-08-19 06:59:06 -07:00
Родитель 5c032e5046
Коммит d981c68cc2
41 изменённых файлов: 853 добавлений и 494 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

3
security/coreconf/Darwin.mk
Просмотреть файл

@ -113,6 +113,9 @@ ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
else else
OPTIMIZER = -O2 OPTIMIZER = -O2
endif endif
ifdef MOZ_DEBUG_SYMBOLS
OPTIMIZER += -gdwarf-2 -gfull
endif
endif endif
ARCH = darwin ARCH = darwin

8
security/coreconf/HP-UX.mk
Просмотреть файл

@ -84,8 +84,12 @@ PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \
sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,+e ,' > $@ sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,+e ,' > $@
DSO_LDOPTS = -b +h $(notdir $@) DSO_LDOPTS = -b +h $(notdir $@)
ifeq ($(USE_64), 1) RPATH = +b '$$ORIGIN'
RPATH = +b '$$ORIGIN' ifneq ($(OS_TEST),ia64)
# pa-risc
ifndef USE_64
RPATH =
endif
endif endif
DSO_LDFLAGS = DSO_LDFLAGS =

11
security/coreconf/Linux.mk
Просмотреть файл

@ -124,7 +124,11 @@ ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
else else
OPTIMIZER = -O2 OPTIMIZER = -O2
endif endif
ifdef MOZ_DEBUG_SYMBOLS
OPTIMIZER += -gstabs+
endif endif
endif
ifeq ($(USE_PTHREADS),1) ifeq ($(USE_PTHREADS),1)
OS_PTHREAD = -lpthread OS_PTHREAD = -lpthread
@ -140,7 +144,12 @@ endif
ARCH = linux ARCH = linux
DSO_CFLAGS = -fPIC DSO_CFLAGS = -fPIC
DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,-z,defs DSO_LDOPTS = -shared $(ARCHFLAG)
# The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
# incorrectly reports undefined references in the libraries we link with, so
# we don't use -z defs there.
ZDEFS_FLAG = -Wl,-z,defs
DSO_LDOPTS += $(if $(findstring 2.11.90.0.8,$(shell ld -v)),,$(ZDEFS_FLAG))
DSO_LDFLAGS = DSO_LDFLAGS =
LDFLAGS += $(ARCHFLAG) LDFLAGS += $(ARCHFLAG)

2
security/coreconf/Linux2.4.mk
Просмотреть файл

@ -45,4 +45,6 @@ ifdef MAPFILE
endif endif
PROCESS_MAP_FILE = grep -v ';-' $< | \ PROCESS_MAP_FILE = grep -v ';-' $< | \
sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@ sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
NSS_NO_FORK_CHECK=1

14
security/coreconf/RISCOS.mk
Просмотреть файл

@ -20,6 +20,7 @@
# the Initial Developer. All Rights Reserved. # the Initial Developer. All Rights Reserved.
# #
# Contributor(s): # Contributor(s):
# Peter Naulls
# #
# Alternatively, the contents of this file may be used under the terms of # Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or # either the GNU General Public License Version 2 or later (the "GPL"), or
@ -37,12 +38,19 @@
include $(CORE_DEPTH)/coreconf/UNIX.mk include $(CORE_DEPTH)/coreconf/UNIX.mk
DLL_SUFFIX = a LIB_SUFFIX = a
MKSHLIB = $(GCCSDK_INSTALL_CROSSBIN)/arm-unknown-riscos-ar cr DLL_SUFFIX = so
AR = ar cr $@
LDOPTS += -L$(SOURCE_LIB_DIR)
MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so)
OS_RELEASE = OS_RELEASE =
OS_TARGET = RISCOS OS_TARGET = RISCOS
DSO_CFLAGS = -fPIC
DSO_LDOPTS = -shared
DSO_LDFLAGS =
ifdef BUILD_OPT ifdef BUILD_OPT
OPTIMIZER = -O2 -mpoke-function-name OPTIMIZER = -O3
endif endif

2
security/coreconf/WIN32.mk
Просмотреть файл

@ -63,7 +63,7 @@ else
RC = rc.exe RC = rc.exe
MT = mt.exe MT = mt.exe
# Determine compiler version # Determine compiler version
_MSC_VER_6 = 1200 # MSVC 6 _MSC_VER_6 = 1200
_MSC_VER := $(shell $(CC) 2>&1 | sed -ne \ _MSC_VER := $(shell $(CC) 2>&1 | sed -ne \
's/.*[^0-9.]\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*/\1\2/p' ) 's/.*[^0-9.]\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*/\1\2/p' )
endif endif

5
security/coreconf/config.mk
Просмотреть файл

@ -194,6 +194,11 @@ ifdef NSS_DISABLE_DBM
DEFINES += -DNSS_DISABLE_DBM DEFINES += -DNSS_DISABLE_DBM
endif endif
ifdef NSS_NO_FORK_CHECK
DEFINES += -DNO_FORK_CHECK
DEFINES += -DNO_CHECK_FORK
endif
# Avoid building object leak test code for optimized library # Avoid building object leak test code for optimized library
ifndef BUILD_OPT ifndef BUILD_OPT
ifdef PKIX_OBJECT_LEAK_TEST ifdef PKIX_OBJECT_LEAK_TEST

2
security/coreconf/coreconf.dep
Просмотреть файл

@ -43,5 +43,3 @@
#error "Do not include this header file." #error "Do not include this header file."
/* NSS 3.12.4 Beta */

4
security/coreconf/rules.mk
Просмотреть файл

@ -337,12 +337,8 @@ ifdef MT
fi fi
endif # MSVC with manifest tool endif # MSVC with manifest tool
endif endif
else
ifeq ($(OS_TARGET),RISCOS)
$(MKSHLIB) $@ $(OBJS) $(SUB_SHLOBJS)
else else
$(MKSHLIB) -o $@ $(OBJS) $(SUB_SHLOBJS) $(LD_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(MKSHLIB) -o $@ $(OBJS) $(SUB_SHLOBJS) $(LD_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
endif
chmod +x $@ chmod +x $@
ifeq ($(OS_TARGET),Darwin) ifeq ($(OS_TARGET),Darwin)
ifdef MAPFILE ifdef MAPFILE

4
security/nss/cmd/lib/pk11table.h
Просмотреть файл

@ -74,7 +74,7 @@ typedef enum {
F_Help, F_Help,
F_Quit, F_Quit,
F_QuitIf, F_QuitIf,
F_QuitIfString, F_QuitIfString
} FunctionType; } FunctionType;
/* /*
@ -103,7 +103,7 @@ typedef enum {
ArgFile = 0x800, ArgFile = 0x800,
ArgStatic = 0x1000, ArgStatic = 0x1000,
ArgOpt = 0x2000, ArgOpt = 0x2000,
ArgFull = 0x4000, ArgFull = 0x4000
} ArgType; } ArgType;
typedef enum _constType typedef enum _constType

5
security/nss/cmd/pk11mode/pk11mode.c
Просмотреть файл

@ -5275,13 +5275,14 @@ CK_RV PKM_ForkCheck(int expected, CK_FUNCTION_LIST_PTR fList,
CK_RV crv = CKR_OK; CK_RV crv = CKR_OK;
#ifndef NO_FORK_CHECK #ifndef NO_FORK_CHECK
int rc = -1; int rc = -1;
pid_t child, ret;
NUMTESTS++; /* increment NUMTESTS */ NUMTESTS++; /* increment NUMTESTS */
if (forkAssert) { if (forkAssert) {
putenv("NSS_STRICT_NOFORK=1"); putenv("NSS_STRICT_NOFORK=1");
} else { } else {
putenv("NSS_STRICT_NOFORK=0"); putenv("NSS_STRICT_NOFORK=0");
} }
pid_t child = fork(); child = fork();
switch (child) { switch (child) {
case -1: case -1:
PKM_Error("Fork failed.\n"); PKM_Error("Fork failed.\n");
@ -5316,7 +5317,7 @@ CK_RV PKM_ForkCheck(int expected, CK_FUNCTION_LIST_PTR fList,
exit(expected & 255); exit(expected & 255);
default: default:
PKM_LogIt("Fork succeeded.\n"); PKM_LogIt("Fork succeeded.\n");
pid_t ret = wait(&rc); ret = wait(&rc);
if (ret != child || (!WIFEXITED(rc)) || if (ret != child || (!WIFEXITED(rc)) ||
( (expected & 255) != (WEXITSTATUS(rc) & 255)) ) { ( (expected & 255) != (WEXITSTATUS(rc) & 255)) ) {
int retStatus = -1; int retStatus = -1;

268
security/nss/cmd/pwdecrypt/pwdecrypt.c
Просмотреть файл

@ -37,7 +37,7 @@
/* /*
* Test program for SDR (Secret Decoder Ring) functions. * Test program for SDR (Secret Decoder Ring) functions.
* *
* $Id: pwdecrypt.c,v 1.5 2008/08/08 23:47:58 julien.pierre.boogz%sun.com Exp $ * $Id: pwdecrypt.c,v 1.7 2009/08/03 07:07:13 nelson%bolyard.com Exp $
*/ */
#include "nspr.h" #include "nspr.h"
@ -116,23 +116,22 @@ long_usage (char *program_name)
* base64 table only used to identify the end of a base64 string * base64 table only used to identify the end of a base64 string
*/ */
static unsigned char b64[256] = { static unsigned char b64[256] = {
/* 0: */ 0, 0, 0, 0, 0, 0, 0, 0, /* 00: */ 0, 0, 0, 0, 0, 0, 0, 0,
/* 8: */ 0, 0, 0, 0, 0, 0, 0, 0, /* 08: */ 0, 0, 0, 0, 0, 0, 0, 0,
/* 16: */ 0, 0, 0, 0, 0, 0, 0, 0, /* 10: */ 0, 0, 0, 0, 0, 0, 0, 0,
/* 24: */ 0, 0, 0, 0, 0, 0, 0, 0, /* 18: */ 0, 0, 0, 0, 0, 0, 0, 0,
/* 32: */ 0, 0, 0, 0, 0, 0, 0, 0, /* 20: */ 0, 0, 0, 0, 0, 0, 0, 0,
/* 40: */ 0, 0, 0, 1, 0, 0, 0, 1, /* 28: */ 0, 0, 0, 1, 0, 0, 0, 1,
/* 48: */ 1, 1, 1, 1, 1, 1, 1, 1, /* 30: */ 1, 1, 1, 1, 1, 1, 1, 1,
/* 56: */ 1, 1, 0, 0, 0, 0, 0, 0, /* 38: */ 1, 1, 0, 0, 0, 0, 0, 0,
/* 64: */ 0, 1, 1, 1, 1, 1, 1, 1, /* 40: */ 0, 1, 1, 1, 1, 1, 1, 1,
/* 72: */ 1, 1, 1, 1, 1, 1, 1, 1, /* 48: */ 1, 1, 1, 1, 1, 1, 1, 1,
/* 80: */ 1, 1, 1, 1, 1, 1, 1, 1, /* 50: */ 1, 1, 1, 1, 1, 1, 1, 1,
/* 88: */ 1, 1, 1, 0, 0, 0, 0, 0, /* 58: */ 1, 1, 1, 0, 0, 0, 0, 0,
/* 96: */ 0, 1, 1, 1, 1, 1, 1, 1, /* 60: */ 0, 1, 1, 1, 1, 1, 1, 1,
/* 104: */ 1, 1, 1, 1, 1, 1, 1, 1, /* 68: */ 1, 1, 1, 1, 1, 1, 1, 1,
/* 112: */ 1, 1, 1, 1, 1, 1, 1, 1, /* 70: */ 1, 1, 1, 1, 1, 1, 1, 1,
/* 120: */ 1, 1, 1, 0, 0, 0, 0, 0, /* 78: */ 1, 1, 1, 0, 0, 0, 0, 0,
/* 128: */ 0, 0, 0, 0, 0, 0, 0, 0
}; };
enum { enum {
@ -140,62 +139,92 @@ enum {
true = 1 true = 1
} bool; } bool;
#define isatobchar(c) (b64[c])
#define MAX_STRING 8192
int int
isatobchar(int c) { return b64[c] != 0; } isBase64(char *inString)
{
unsigned int i;
unsigned char c;
for (i = 0; (c = inString[i]) != 0 && isatobchar(c); ++i)
#define MAX_STRING 256 ;
int if (c == '=') {
getData(FILE *inFile,char **inString) { while ((c = inString[++i]) == '=')
int len = 0; ; /* skip trailing '=' characters */
int space = MAX_STRING;
int oneequal = false;
int c;
char *string = (char *) malloc(space);
string[len++]='M';
while ((c = getc(inFile)) != EOF) {
if (len >= space) {
char *newString;
space *= 2;
newString = (char *)realloc(string,space);
if (newString == NULL) {
ungetc(c,inFile);
break;
}
string = newString;
}
string[len++] = c;
if (!isatobchar(c)) {
if (c == '=') {
if (oneequal) {
break;
}
oneequal = true;
continue;
} else {
ungetc(c,inFile);
len--;
break;
}
}
if (oneequal) {
ungetc(c,inFile);
len--;
break;
}
} }
if (len >= space) { if (c && c != '\n' && c != '\r')
space += 2; return false;
string = (char *)realloc(string,space); if (i == 0 || i % 4)
} return false;
string[len++] = 0;
*inString = string;
return true; return true;
} }
void
doDecrypt(char * dataString, FILE *outFile, FILE *logFile, secuPWData *pwdata)
{
int strLen = strlen(dataString);
SECItem *decoded = NSSBase64_DecodeBuffer(NULL, NULL, dataString, strLen);
SECStatus rv;
int err;
unsigned int i;
SECItem result = { siBuffer, NULL, 0 };
if ((decoded == NULL) || (decoded->len == 0)) {
if (logFile) {
err = PORT_GetError();
fprintf(logFile,"Base 64 decode failed on <%s>\n", dataString);
fprintf(logFile," Error %d: %s\n", err, SECU_Strerror(err));
}
fputs(dataString, outFile);
if (decoded)
SECITEM_FreeItem(decoded, PR_TRUE);
return;
}
rv = PK11SDR_Decrypt(decoded, &result, pwdata);
SECITEM_ZfreeItem(decoded, PR_TRUE);
if (rv == SECSuccess) {
/* result buffer has no extra space for a NULL */
fprintf(outFile, "Decrypted: \"%.*s\"\n", result.len, result.data);
SECITEM_ZfreeItem(&result, PR_FALSE);
return;
}
/* Encryption failed. output raw input. */
if (logFile) {
err = PORT_GetError();
fprintf(logFile,"SDR decrypt failed on <%s>\n", dataString);
fprintf(logFile," Error %d: %s\n", err, SECU_Strerror(err));
}
fputs(dataString,outFile);
}
void
doDecode(char * dataString, FILE *outFile, FILE *logFile)
{
int strLen = strlen(dataString + 1);
SECItem *decoded;
decoded = NSSBase64_DecodeBuffer(NULL, NULL, dataString + 1, strLen);
if ((decoded == NULL) || (decoded->len == 0)) {
if (logFile) {
int err = PORT_GetError();
fprintf(logFile,"Base 64 decode failed on <%s>\n", dataString + 1);
fprintf(logFile," Error %d: %s\n", err, SECU_Strerror(err));
}
fputs(dataString, outFile);
if (decoded)
SECITEM_FreeItem(decoded, PR_TRUE);
return;
}
fprintf(outFile, "Decoded: \"%.*s\"\n", decoded->len, decoded->data);
SECITEM_ZfreeItem(decoded, PR_TRUE);
}
char dataString[MAX_STRING + 1];
int int
main (int argc, char **argv) main (int argc, char **argv)
{ {
@ -210,11 +239,8 @@ main (int argc, char **argv)
FILE *outFile = stdout; FILE *outFile = stdout;
FILE *logFile = NULL; FILE *logFile = NULL;
PLOptStatus optstatus; PLOptStatus optstatus;
SECItem result;
int c;
secuPWData pwdata = { PW_NONE, NULL }; secuPWData pwdata = { PW_NONE, NULL };
result.data = 0;
program_name = PL_strrchr(argv[0], '/'); program_name = PL_strrchr(argv[0], '/');
program_name = program_name ? (program_name + 1) : argv[0]; program_name = program_name ? (program_name + 1) : argv[0];
@ -270,28 +296,31 @@ main (int argc, char **argv)
} }
if (input_file) { if (input_file) {
inFile = fopen(input_file,"r"); inFile = fopen(input_file,"r");
if (inFile == NULL) { if (inFile == NULL) {
perror(input_file); perror(input_file);
return 1; return 1;
} }
PR_Free(input_file); PR_Free(input_file);
} }
if (output_file) { if (output_file) {
outFile = fopen(output_file,"w+"); outFile = fopen(output_file,"w+");
if (outFile == NULL) { if (outFile == NULL) {
perror(output_file); perror(output_file);
return 1; return 1;
} }
PR_Free(output_file); PR_Free(output_file);
} }
if (log_file) { if (log_file) {
logFile = fopen(log_file,"w+"); if (log_file[0] == '-')
if (logFile == NULL) { logFile = stderr;
perror(log_file); else
return 1; logFile = fopen(log_file,"w+");
} if (logFile == NULL) {
PR_Free(log_file); perror(log_file);
return 1;
}
PR_Free(log_file);
} }
/* /*
@ -308,64 +337,29 @@ main (int argc, char **argv)
/* Get the encrypted result, either from the input file /* Get the encrypted result, either from the input file
* or from encrypting the plaintext value * or from encrypting the plaintext value
*/ */
while (fgets(dataString, sizeof dataString, inFile)) {
unsigned char c = dataString[0];
while ((c = getc(inFile)) != EOF) { if (c == 'M' && isBase64(dataString)) {
if (c == 'M') { doDecrypt(dataString, outFile, logFile, &pwdata);
char *dataString = NULL; } else if (c == '~' && isBase64(dataString + 1)) {
SECItem *inText; doDecode(dataString, outFile, logFile);
} else {
rv = getData(inFile, &dataString); fputs(dataString, outFile);
if (!rv) { }
fputs(dataString,outFile);
free(dataString);
continue;
}
inText = NSSBase64_DecodeBuffer(NULL, NULL, dataString,
strlen(dataString));
if ((inText == NULL) || (inText->len == 0)) {
if (logFile) {
fprintf(logFile,"Base 64 decode failed on <%s>\n",
dataString);
fprintf(logFile," Error %x: %s\n",PORT_GetError(),
SECU_Strerror(PORT_GetError()));
}
fputs(dataString,outFile);
free(dataString);
continue;
}
result.data = NULL;
result.len = 0;
rv = PK11SDR_Decrypt(inText, &result, &pwdata);
SECITEM_FreeItem(inText, PR_TRUE);
if (rv != SECSuccess) {
if (logFile) {
fprintf(logFile,"SDR decrypt failed on <%s>\n",
dataString);
fprintf(logFile," Error %x: %s\n",PORT_GetError(),
SECU_Strerror(PORT_GetError()));
}
fputs(dataString,outFile);
free(dataString);
SECITEM_ZfreeItem(&result, PR_FALSE);
continue;
}
/* result buffer has no extra space for a NULL */
fprintf(outFile, "%.*s", result.len, result.data);
SECITEM_ZfreeItem(&result, PR_FALSE);
} else {
putc(c,outFile);
}
} }
if (pwdata.data)
PR_Free(pwdata.data);
fclose(outFile); fclose(outFile);
fclose(inFile); fclose(inFile);
if (logFile) { if (logFile && logFile != stderr) {
fclose(logFile); fclose(logFile);
} }
if (NSS_Shutdown() != SECSuccess) { if (NSS_Shutdown() != SECSuccess) {
SECU_PrintError (program_name, "NSS_Shutdown failed"); SECU_PrintError (program_name, "NSS_Shutdown failed");
exit(1); exit(1);
} }
prdone: prdone:

2
security/nss/cmd/shlibsign/Makefile
Просмотреть файл

@ -80,7 +80,9 @@ endif
CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX) CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX)
CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX)) CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX))
ifndef NSS_DISABLE_DBM
CHECKLIBS += $(DIST)/lib/$(DLL_PREFIX)nssdbm3.$(DLL_SUFFIX) CHECKLIBS += $(DIST)/lib/$(DLL_PREFIX)nssdbm3.$(DLL_SUFFIX)
endif
CHECKLOC = $(CHECKLIBS:.$(DLL_SUFFIX)=.chk) CHECKLOC = $(CHECKLIBS:.$(DLL_SUFFIX)=.chk)
MD_LIB_RELEASE_FILES = $(CHECKLOC) MD_LIB_RELEASE_FILES = $(CHECKLOC)

31
security/nss/lib/certdb/alg1485.c
Просмотреть файл

@ -1358,18 +1358,35 @@ appendStringToBuf(char *dest, char *src, PRUint32 *pRemaining)
return dest; return dest;
} }
#undef NEEDS_HEX_ESCAPE
#define NEEDS_HEX_ESCAPE(c) (c < 0x20)
static char * static char *
appendItemToBuf(char *dest, SECItem *src, PRUint32 *pRemaining) appendItemToBuf(char *dest, SECItem *src, PRUint32 *pRemaining)
{ {
if (dest && src && src->data && src->len && src->data[0] && if (dest && src && src->data && src->len && src->data[0]) {
*pRemaining > src->len + 1 ) {
PRUint32 len = src->len; PRUint32 len = src->len;
PRUint32 i; PRUint32 i;
for (i = 0; i < len && src->data[i] ; ++i) PRUint32 reqLen = len + 1;
dest[i] = tolower(src->data[i]); /* are there any embedded control characters ? */
dest[len] = 0; for (i = 0; i < len; i++) {
dest += len + 1; if (NEEDS_HEX_ESCAPE(src->data[i]))
*pRemaining -= len + 1; reqLen += 2;
}
if (*pRemaining > reqLen) {
for (i = 0; i < len; ++i) {
PRUint8 c = src->data[i];
if (NEEDS_HEX_ESCAPE(c)) {
*dest++ = C_BACKSLASH;
*dest++ = hexChars[ (c >> 4) & 0x0f ];
*dest++ = hexChars[ c & 0x0f ];
} else {
*dest++ = tolower(c);
}
}
*dest++ = '\0';
*pRemaining -= reqLen;
}
} }
return dest; return dest;
} }

4
security/nss/lib/certdb/certi.h
Просмотреть файл

@ -36,7 +36,7 @@
/* /*
* certi.h - private data structures for the certificate library * certi.h - private data structures for the certificate library
* *
* $Id: certi.h,v 1.30 2009/04/18 05:15:45 alexei.volkov.bugs%sun.com Exp $ * $Id: certi.h,v 1.31 2009/07/31 18:35:30 christophe.ravel.bugs%sun.com Exp $
*/ */
#ifndef _CERTI_H_ #ifndef _CERTI_H_
#define _CERTI_H_ #define _CERTI_H_
@ -368,7 +368,7 @@ struct NamedCRLCacheEntryStr {
typedef enum { typedef enum {
certRevocationStatusRevoked = 0, certRevocationStatusRevoked = 0,
certRevocationStatusValid = 1, certRevocationStatusValid = 1,
certRevocationStatusUnknown = 2, certRevocationStatusUnknown = 2
} CERTRevocationStatus; } CERTRevocationStatus;
/* Returns detailed status of the cert(revStatus variable). Tells if /* Returns detailed status of the cert(revStatus variable). Tells if

50
security/nss/lib/certdb/crl.c
Просмотреть файл

@ -37,7 +37,7 @@
/* /*
* Moved from secpkcs7.c * Moved from secpkcs7.c
* *
* $Id: crl.c,v 1.67 2009/05/13 22:47:28 julien.pierre.boogz%sun.com Exp $ * $Id: crl.c,v 1.68 2009/08/10 22:25:44 julien.pierre.boogz%sun.com Exp $
*/ */
#include "cert.h" #include "cert.h"
@ -1047,48 +1047,38 @@ void PreAllocator_Destroy(PreAllocator* PreAllocator)
{ {
PORT_FreeArena(PreAllocator->arena, PR_TRUE); PORT_FreeArena(PreAllocator->arena, PR_TRUE);
} }
if (PreAllocator->data)
{
PORT_Free(PreAllocator->data);
}
PORT_Free(PreAllocator);
} }
/* constructor for PreAllocator object */ /* constructor for PreAllocator object */
PreAllocator* PreAllocator_Create(PRSize size) PreAllocator* PreAllocator_Create(PRSize size)
{ {
PreAllocator prebuffer; PRArenaPool* arena = NULL;
PreAllocator* prepointer = NULL; PreAllocator* prebuffer = NULL;
memset(&prebuffer, 0, sizeof(PreAllocator)); arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
prebuffer.len = size; if (!arena)
prebuffer.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
PORT_Assert(prebuffer.arena);
if (!prebuffer.arena)
{ {
PreAllocator_Destroy(&prebuffer);
return NULL; return NULL;
} }
if (prebuffer.len) prebuffer = (PreAllocator*)PORT_ArenaZAlloc(arena,
sizeof(PreAllocator));
if (!prebuffer)
{ {
prebuffer.data = PORT_Alloc(prebuffer.len); PORT_FreeArena(arena, PR_TRUE);
if (!prebuffer.data) return NULL;
}
prebuffer->arena = arena;
if (size)
{
prebuffer->len = size;
prebuffer->data = PORT_ArenaAlloc(arena, size);
if (!prebuffer->data)
{ {
PreAllocator_Destroy(&prebuffer); PORT_FreeArena(arena, PR_TRUE);
return NULL; return NULL;
} }
} }
else return prebuffer;
{
prebuffer.data = NULL;
}
prepointer = (PreAllocator*)PORT_Alloc(sizeof(PreAllocator));
if (!prepointer)
{
PreAllocator_Destroy(&prebuffer);
return NULL;
}
*prepointer = prebuffer;
return prepointer;
} }
/* global Named CRL cache object */ /* global Named CRL cache object */

8
security/nss/lib/ckfw/builtins/certdata.c
Просмотреть файл

@ -35,7 +35,7 @@
* *
* ***** END LICENSE BLOCK ***** */ * ***** END LICENSE BLOCK ***** */
#ifdef DEBUG #ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.54 $ $Date: 2009/05/21 19:50:27 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.54 $ $Date: 2009/05/21 19:50:27 $"; static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.55 $ $Date: 2009/08/13 23:40:29 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.55 $ $Date: 2009/08/13 23:40:29 $";
#endif /* DEBUG */ #endif /* DEBUG */
#ifndef BUILTINS_H #ifndef BUILTINS_H
@ -908,7 +908,7 @@ static const NSSItem nss_builtins_items_0 [] = {
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"CVS ID", (PRUint32)7 }, { (void *)"CVS ID", (PRUint32)7 },
{ (void *)"NSS", (PRUint32)4 }, { (void *)"NSS", (PRUint32)4 },
{ (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.54 $ $Date: 2009/05/21 19:50:27 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.54 $ $Date: 2009/05/21 19:50:27 $", (PRUint32)160 } { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.55 $ $Date: 2009/08/13 23:40:29 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.55 $ $Date: 2009/08/13 23:40:29 $", (PRUint32)160 }
}; };
#endif /* DEBUG */ #endif /* DEBUG */
static const NSSItem nss_builtins_items_1 [] = { static const NSSItem nss_builtins_items_1 [] = {
@ -17981,7 +17981,7 @@ static const NSSItem nss_builtins_items_266 [] = {
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"AC Ra+¡z Certic+ímara S.A.", (PRUint32)27 }, { (void *)"AC Ra\xC3\xADz Certic\xC3\xA1mara S.A.", (PRUint32)39 },
{ (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) }, { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
{ (void *)"\060\173\061\013\060\011\006\003\125\004\006\023\002\103\117\061" { (void *)"\060\173\061\013\060\011\006\003\125\004\006\023\002\103\117\061"
"\107\060\105\006\003\125\004\012\014\076\123\157\143\151\145\144" "\107\060\105\006\003\125\004\012\014\076\123\157\143\151\145\144"
@ -18115,7 +18115,7 @@ static const NSSItem nss_builtins_items_267 [] = {
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"AC Ra+¡z Certic+ímara S.A.", (PRUint32)27 }, { (void *)"AC Ra\xC3\xADz Certic\xC3\xA1mara S.A.", (PRUint32)39 },
{ (void *)"\313\241\305\370\260\343\136\270\271\105\022\323\371\064\242\351" { (void *)"\313\241\305\370\260\343\136\270\271\105\022\323\371\064\242\351"
"\006\020\323\066" "\006\020\323\066"
, (PRUint32)20 }, , (PRUint32)20 },

10
security/nss/lib/ckfw/builtins/certdata.txt
Просмотреть файл

@ -34,7 +34,7 @@
# the terms of any one of the MPL, the GPL or the LGPL. # the terms of any one of the MPL, the GPL or the LGPL.
# #
# ***** END LICENSE BLOCK ***** # ***** END LICENSE BLOCK *****
CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.53 $ $Date: 2009/05/21 19:50:28 $" CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.54 $ $Date: 2009/08/13 23:40:29 $"
# #
# certdata.txt # certdata.txt
@ -18481,13 +18481,13 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
# #
# Certificate "AC Ra+¡z Certic+ímara S.A." # Certificate "AC Ra\xC3\xADz Certic\xC3\xA1mara S.A."
# #
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "AC Ra+¡z Certic+ímara S.A." CKA_LABEL UTF8 "AC Ra\xC3\xADz Certic\xC3\xA1mara S.A."
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL CKA_SUBJECT MULTILINE_OCTAL
\060\173\061\013\060\011\006\003\125\004\006\023\002\103\117\061 \060\173\061\013\060\011\006\003\125\004\006\023\002\103\117\061
@ -18620,12 +18620,12 @@ CKA_VALUE MULTILINE_OCTAL
\005\211\374\170\326\134\054\046\103\251 \005\211\374\170\326\134\054\046\103\251
END END
# Trust for Certificate "AC Ra+¡z Certic+ímara S.A." # Trust for Certificate "AC Ra\xC3\xADz Certic\xC3\xA1mara S.A."
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "AC Ra+¡z Certic+ímara S.A." CKA_LABEL UTF8 "AC Ra\xC3\xADz Certic\xC3\xA1mara S.A."
CKA_CERT_SHA1_HASH MULTILINE_OCTAL CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\313\241\305\370\260\343\136\270\271\105\022\323\371\064\242\351 \313\241\305\370\260\343\136\270\271\105\022\323\371\064\242\351
\006\020\323\066 \006\020\323\066

5
security/nss/lib/ckfw/capi/Makefile
Просмотреть файл

@ -34,7 +34,7 @@
# the terms of any one of the MPL, the GPL or the LGPL. # the terms of any one of the MPL, the GPL or the LGPL.
# #
# ***** END LICENSE BLOCK ***** # ***** END LICENSE BLOCK *****
MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.5 $ $Date: 2007/05/09 00:09:37 $" MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.6 $ $Date: 2009/07/29 20:15:19 $"
include manifest.mn include manifest.mn
include $(CORE_DEPTH)/coreconf/config.mk include $(CORE_DEPTH)/coreconf/config.mk
@ -54,6 +54,9 @@ EXTRA_LIBS += \
-lplc4 \ -lplc4 \
-lplds4 \ -lplds4 \
-lnspr4 \ -lnspr4 \
-lcrypt32 \
-ladvapi32 \
-lrpcrt4 \
$(NULL) $(NULL)
else else
EXTRA_SHARED_LIBS += \ EXTRA_SHARED_LIBS += \

4
security/nss/lib/ckfw/capi/cobject.c
Просмотреть файл

@ -36,7 +36,7 @@
* *
* ***** END LICENSE BLOCK ***** */ * ***** END LICENSE BLOCK ***** */
#ifdef DEBUG #ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: cobject.c,v $ $Revision: 1.5 $ $Date: 2009/02/25 18:37:49 $"; static const char CVS_ID[] = "@(#) $RCSfile: cobject.c,v $ $Revision: 1.6 $ $Date: 2009/07/29 20:15:19 $";
#endif /* DEBUG */ #endif /* DEBUG */
#include "ckcapi.h" #include "ckcapi.h"
@ -172,7 +172,7 @@ nss_ckcapi_DERUnwrap
len = (len << 8) | (unsigned) *src++; len = (len << 8) | (unsigned) *src++;
} }
} }
if (len + (src-start) > (unsigned int)size) { if (len + ((unsigned char *)src-start) > (unsigned int)size) {
return start; return start;
} }
if (next) { if (next) {

4
security/nss/lib/libpkix/include/pkixt.h
Просмотреть файл

@ -500,14 +500,14 @@ PKIX_Error* PKIX_ALLOC_ERROR(void);
typedef enum PKIX_RevocationMethodTypeEnum { typedef enum PKIX_RevocationMethodTypeEnum {
PKIX_RevocationMethod_CRL = 0, PKIX_RevocationMethod_CRL = 0,
PKIX_RevocationMethod_OCSP, PKIX_RevocationMethod_OCSP,
PKIX_RevocationMethod_MAX, PKIX_RevocationMethod_MAX
} PKIX_RevocationMethodType; } PKIX_RevocationMethodType;
/* A set of statuses revocation checker operates on */ /* A set of statuses revocation checker operates on */
typedef enum PKIX_RevocationStatusEnum { typedef enum PKIX_RevocationStatusEnum {
PKIX_RevStatus_NoInfo = 0, PKIX_RevStatus_NoInfo = 0,
PKIX_RevStatus_Revoked, PKIX_RevStatus_Revoked,
PKIX_RevStatus_Success, PKIX_RevStatus_Success
} PKIX_RevocationStatus; } PKIX_RevocationStatus;

4
security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
Просмотреть файл

@ -187,7 +187,7 @@ pkix_OcspChecker_CheckLocal(
} }
PKIX_CHECK( PKIX_CHECK(
PKIX_PL_OcspCertID_GetFreshCacheStatus(cid, NULL, PKIX_PL_OcspCertID_GetFreshCacheStatus(cid, date,
&hasFreshStatus, &hasFreshStatus,
&statusIsGood, &statusIsGood,
&resultCode, &resultCode,
@ -321,7 +321,7 @@ pkix_OcspChecker_CheckExternal(
} }
PKIX_CHECK( PKIX_CHECK(
pkix_pl_OcspResponse_GetStatusForCert(cid, response, pkix_pl_OcspResponse_GetStatusForCert(cid, response, date,
&passed, &resultCode, &passed, &resultCode,
plContext), plContext),
PKIX_OCSPRESPONSEGETSTATUSFORCERTFAILED); PKIX_OCSPRESPONSEGETSTATUSFORCERTFAILED);

12
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
Просмотреть файл

@ -970,10 +970,12 @@ PKIX_Error *
pkix_pl_OcspResponse_GetStatusForCert( pkix_pl_OcspResponse_GetStatusForCert(
PKIX_PL_OcspCertID *cid, PKIX_PL_OcspCertID *cid,
PKIX_PL_OcspResponse *response, PKIX_PL_OcspResponse *response,
PKIX_PL_Date *validity,
PKIX_Boolean *pPassed, PKIX_Boolean *pPassed,
SECErrorCodes *pReturnCode, SECErrorCodes *pReturnCode,
void *plContext) void *plContext)
{ {
PRTime time = 0;
SECStatus rv = SECFailure; SECStatus rv = SECFailure;
SECStatus rvCache; SECStatus rvCache;
PRBool certIDWasConsumed = PR_FALSE; PRBool certIDWasConsumed = PR_FALSE;
@ -989,11 +991,19 @@ pkix_pl_OcspResponse_GetStatusForCert(
PKIX_NULLCHECK_TWO(response->signerCert, response->request); PKIX_NULLCHECK_TWO(response->signerCert, response->request);
PKIX_NULLCHECK_TWO(cid, cid->certID); PKIX_NULLCHECK_TWO(cid, cid->certID);
if (validity != NULL) {
PKIX_Error *er = pkix_pl_Date_GetPRTime(validity, &time, plContext);
PKIX_DECREF(er);
}
if (!time) {
time = PR_Now();
}
rv = cert_ProcessOCSPResponse(response->handle, rv = cert_ProcessOCSPResponse(response->handle,
response->nssOCSPResponse, response->nssOCSPResponse,
cid->certID, cid->certID,
response->signerCert, response->signerCert,
PR_Now(), time,
&certIDWasConsumed, &certIDWasConsumed,
&rvCache); &rvCache);
if (certIDWasConsumed) { if (certIDWasConsumed) {

1
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h
Просмотреть файл

@ -113,6 +113,7 @@ PKIX_Error *
pkix_pl_OcspResponse_GetStatusForCert( pkix_pl_OcspResponse_GetStatusForCert(
PKIX_PL_OcspCertID *cid, PKIX_PL_OcspCertID *cid,
PKIX_PL_OcspResponse *response, PKIX_PL_OcspResponse *response,
PKIX_PL_Date *validity,
PKIX_Boolean *pPassed, PKIX_Boolean *pPassed,
SECErrorCodes *pReturnCode, SECErrorCodes *pReturnCode,
void *plContext); void *plContext);

7
security/nss/lib/nss/nss.def
Просмотреть файл

@ -972,3 +972,10 @@ PK11_GetSymKeyHandle;
;+ local: ;+ local:
;+ *; ;+ *;
;+}; ;+};
;+NSS_3.12.4 { # NSS 3.12.4 release
;+ global:
PK11_IsInternalKeySlot;
SECMOD_OpenNewSlot;
;+ local:
;+ *;
;+};

6
security/nss/lib/nss/nss.h
Просмотреть файл

@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL. * the terms of any one of the MPL, the GPL or the LGPL.
* *
* ***** END LICENSE BLOCK ***** */ * ***** END LICENSE BLOCK ***** */
/* $Id: nss.h,v 1.67 2009/07/20 20:06:57 nelson%bolyard.com Exp $ */ /* $Id: nss.h,v 1.69 2009/08/13 18:11:22 christophe.ravel.bugs%sun.com Exp $ */
#ifndef __nss_h_ #ifndef __nss_h_
#define __nss_h_ #define __nss_h_
@ -66,11 +66,11 @@
* The format of the version string should be * The format of the version string should be
* "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]" * "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]"
*/ */
#define NSS_VERSION "3.12.4.4" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta" #define NSS_VERSION "3.12.4.5" _NSS_ECC_STRING _NSS_CUSTOMIZED
#define NSS_VMAJOR 3 #define NSS_VMAJOR 3
#define NSS_VMINOR 12 #define NSS_VMINOR 12
#define NSS_VPATCH 4 #define NSS_VPATCH 4
#define NSS_BETA PR_TRUE #define NSS_BETA PR_FALSE
#ifndef RC_INVOKED #ifndef RC_INVOKED

3
security/nss/lib/nss/nssinit.c
Просмотреть файл

@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL. * the terms of any one of the MPL, the GPL or the LGPL.
* *
* ***** END LICENSE BLOCK ***** */ * ***** END LICENSE BLOCK ***** */
/* $Id: nssinit.c,v 1.98 2009/05/29 19:23:30 wtc%google.com Exp $ */ /* $Id: nssinit.c,v 1.99 2009/07/23 01:56:40 nelson%bolyard.com Exp $ */
#include <ctype.h> #include <ctype.h>
#include <string.h> #include <string.h>
@ -774,6 +774,7 @@ NSS_RegisterShutdown(NSS_ShutdownFunc sFunc, void *appData)
(nssShutdownList.allocatedFuncs + NSS_SHUTDOWN_STEP) (nssShutdownList.allocatedFuncs + NSS_SHUTDOWN_STEP)
*sizeof(struct NSSShutdownFuncPair)); *sizeof(struct NSSShutdownFuncPair));
if (!funcs) { if (!funcs) {
PZ_Unlock(nssShutdownList.lock);
return SECFailure; return SECFailure;
} }
nssShutdownList.funcs = funcs; nssShutdownList.funcs = funcs;

15
security/nss/lib/pk11wrap/pk11auth.c
Просмотреть файл

@ -483,10 +483,17 @@ PK11_ChangePW(PK11SlotInfo *slot, const char *oldpw, const char *newpw)
int oldLen; int oldLen;
CK_SESSION_HANDLE rwsession; CK_SESSION_HANDLE rwsession;
if (newpw == NULL) newpw = ""; /* use NULL values to trigger the protected authentication path */
if (oldpw == NULL) oldpw = ""; if (slot->protectedAuthPath) {
newLen = PORT_Strlen(newpw); if (newpw == NULL) newLen = 0;
oldLen = PORT_Strlen(oldpw); if (oldpw == NULL) oldLen = 0;
} else {
if (newpw == NULL) newpw = "";
if (oldpw == NULL) oldpw = "";
newLen = PORT_Strlen(newpw);
oldLen = PORT_Strlen(oldpw);
}
/* get a rwsession */ /* get a rwsession */
rwsession = PK11_GetRWSession(slot); rwsession = PK11_GetRWSession(slot);

10
security/nss/lib/pk11wrap/pk11pub.h
Просмотреть файл

@ -109,6 +109,7 @@ PK11SlotList *PK11_FindSlotsByNames(const char *dllName,
const char* slotName, const char* tokenName, PRBool presentOnly); const char* slotName, const char* tokenName, PRBool presentOnly);
PRBool PK11_IsReadOnly(PK11SlotInfo *slot); PRBool PK11_IsReadOnly(PK11SlotInfo *slot);
PRBool PK11_IsInternal(PK11SlotInfo *slot); PRBool PK11_IsInternal(PK11SlotInfo *slot);
PRBool PK11_IsInternalKeySlot(PK11SlotInfo *slot);
char * PK11_GetTokenName(PK11SlotInfo *slot); char * PK11_GetTokenName(PK11SlotInfo *slot);
char * PK11_GetSlotName(PK11SlotInfo *slot); char * PK11_GetSlotName(PK11SlotInfo *slot);
PRBool PK11_NeedLogin(PK11SlotInfo *slot); PRBool PK11_NeedLogin(PK11SlotInfo *slot);
@ -237,6 +238,15 @@ int PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
PK11SlotInfo *SECMOD_OpenUserDB(const char *moduleSpec); PK11SlotInfo *SECMOD_OpenUserDB(const char *moduleSpec);
SECStatus SECMOD_CloseUserDB(PK11SlotInfo *slot); SECStatus SECMOD_CloseUserDB(PK11SlotInfo *slot);
/*
* This is exactly the same as OpenUserDB except it can be called on any
* module that understands softoken style new slot entries. The resulting
* slot can be closed using SECMOD_CloseUserDB above. Value of moduleSpec
* is token specific.
*/
PK11SlotInfo *SECMOD_OpenNewSlot(SECMODModule *mod, const char *moduleSpec);
/* /*
* merge the permanent objects from on token to another * merge the permanent objects from on token to another
*/ */

16
security/nss/lib/pk11wrap/pk11slot.c
Просмотреть файл

@ -1538,6 +1538,22 @@ PK11_IsInternal(PK11SlotInfo *slot)
return slot->isInternal; return slot->isInternal;
} }
PRBool
PK11_IsInternalKeySlot(PK11SlotInfo *slot)
{
PK11SlotInfo *int_slot;
PRBool result;
if (!slot->isInternal) {
return PR_FALSE;
}
int_slot = PK11_GetInternalKeySlot();
result = (int_slot == slot) ? PR_TRUE : PR_FALSE;
PK11_FreeSlot(int_slot);
return result;
}
PRBool PRBool
PK11_NeedLogin(PK11SlotInfo *slot) PK11_NeedLogin(PK11SlotInfo *slot)
{ {

185
security/nss/lib/pk11wrap/pk11util.c
Просмотреть файл

@ -1248,13 +1248,12 @@ SECMOD_HasRemovableSlots(SECMODModule *mod)
* helper function to actually create and destroy user defined slots * helper function to actually create and destroy user defined slots
*/ */
static SECStatus static SECStatus
secmod_UserDBOp(CK_OBJECT_CLASS objClass, const char *sendSpec) secmod_UserDBOp(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass,
const char *sendSpec)
{ {
PK11SlotInfo *slot = PK11_GetInternalSlot();
CK_OBJECT_HANDLE dummy; CK_OBJECT_HANDLE dummy;
CK_ATTRIBUTE template[2] ; CK_ATTRIBUTE template[2] ;
CK_ATTRIBUTE *attrs = template; CK_ATTRIBUTE *attrs = template;
SECStatus rv;
CK_RV crv; CK_RV crv;
PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass)); attrs++; PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass)); attrs++;
@ -1270,13 +1269,10 @@ secmod_UserDBOp(CK_OBJECT_CLASS objClass, const char *sendSpec)
PK11_ExitSlotMonitor(slot); PK11_ExitSlotMonitor(slot);
if (crv != CKR_OK) { if (crv != CKR_OK) {
PK11_FreeSlot(slot);
PORT_SetError(PK11_MapError(crv)); PORT_SetError(PK11_MapError(crv));
return SECFailure; return SECFailure;
} }
rv = SECMOD_UpdateSlotList(slot->module); return SECMOD_UpdateSlotList(slot->module);
PK11_FreeSlot(slot);
return rv;
} }
/* /*
@ -1331,6 +1327,112 @@ done:
return retValue; return retValue;
} }
/*
* return true if the selected slot ID is not present or doesn't exist
*/
static PRBool
secmod_SlotIsEmpty(SECMODModule *mod, CK_SLOT_ID slotID)
{
PK11SlotInfo *slot = SECMOD_LookupSlot(mod->moduleID, slotID);
if (slot) {
PRBool present = PK11_IsPresent(slot);
PK11_FreeSlot(slot);
if (present) {
return PR_FALSE;
}
}
/* it doesn't exist or isn't present, it's available */
return PR_TRUE;
}
/*
* Find an unused slot id in module.
*/
static CK_SLOT_ID
secmod_FindFreeSlot(SECMODModule *mod)
{
CK_SLOT_ID i, minSlotID, maxSlotID;
/* look for a free slot id on the internal module */
if (mod->internal && mod->isFIPS) {
minSlotID = SFTK_MIN_FIPS_USER_SLOT_ID;
maxSlotID = SFTK_MAX_FIPS_USER_SLOT_ID;
} else {
minSlotID = SFTK_MIN_USER_SLOT_ID;
maxSlotID = SFTK_MAX_USER_SLOT_ID;
}
for (i=minSlotID; i < maxSlotID; i++) {
if (secmod_SlotIsEmpty(mod,i)) {
return i;
}
}
PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED);
return (CK_SLOT_ID) -1;
}
/*
* Attempt to open a new slot.
*
* This works the same os OpenUserDB except it can be called against
* any module that understands the softoken protocol for opening new
* slots, not just the softoken itself. If the selected module does not
* understand the protocol, C_CreateObject will fail with
* CKR_INVALID_ATTRIBUTE, and SECMOD_OpenNewSlot will return NULL and set
* SEC_ERROR_BAD_DATA.
*
* NewSlots can be closed with SECMOD_CloseUserDB();
*
* Modulespec is module dependent.
*/
PK11SlotInfo *
SECMOD_OpenNewSlot(SECMODModule *mod, const char *moduleSpec)
{
CK_SLOT_ID slotID = 0;
PK11SlotInfo *slot;
char *escSpec;
char *sendSpec;
SECStatus rv;
slotID = secmod_FindFreeSlot(mod);
if (slotID == (CK_SLOT_ID) -1) {
return NULL;
}
if (mod->slotCount == 0) {
return NULL;
}
/* just grab the first slot in the module, any present slot should work */
slot = PK11_ReferenceSlot(mod->slots[0]);
if (slot == NULL) {
return NULL;
}
/* we've found the slot, now build the moduleSpec */
escSpec = nss_doubleEscape(moduleSpec);
if (escSpec == NULL) {
PK11_FreeSlot(slot);
return NULL;
}
sendSpec = PR_smprintf("tokens=[0x%x=<%s>]", slotID, escSpec);
PORT_Free(escSpec);
if (sendSpec == NULL) {
/* PR_smprintf does not set SEC_ERROR_NO_MEMORY on failure. */
PK11_FreeSlot(slot);
PORT_SetError(SEC_ERROR_NO_MEMORY);
return NULL;
}
rv = secmod_UserDBOp(slot, CKO_NETSCAPE_NEWSLOT, sendSpec);
PR_smprintf_free(sendSpec);
PK11_FreeSlot(slot);
if (rv != SECSuccess) {
return NULL;
}
return SECMOD_FindSlotByID(mod, slotID);
}
/* /*
* Open a new database using the softoken. The caller is responsible for making * Open a new database using the softoken. The caller is responsible for making
* sure the module spec is correct and usable. The caller should ask for one * sure the module spec is correct and usable. The caller should ask for one
@ -1383,13 +1485,7 @@ done:
PK11SlotInfo * PK11SlotInfo *
SECMOD_OpenUserDB(const char *moduleSpec) SECMOD_OpenUserDB(const char *moduleSpec)
{ {
CK_SLOT_ID slotID = 0;
char *escSpec;
char *sendSpec;
SECStatus rv;
SECMODModule *mod; SECMODModule *mod;
CK_SLOT_ID i, minSlotID, maxSlotID;
PRBool found = PR_FALSE;
if (moduleSpec == NULL) { if (moduleSpec == NULL) {
return NULL; return NULL;
@ -1403,76 +1499,21 @@ SECMOD_OpenUserDB(const char *moduleSpec)
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return NULL; return NULL;
} }
return SECMOD_OpenNewSlot(mod, moduleSpec);
/* look for a free slot id on the internal module */
if (mod->isFIPS) {
minSlotID = SFTK_MIN_FIPS_USER_SLOT_ID;
maxSlotID = SFTK_MAX_FIPS_USER_SLOT_ID;
} else {
minSlotID = SFTK_MIN_USER_SLOT_ID;
maxSlotID = SFTK_MAX_USER_SLOT_ID;
}
for (i=minSlotID; i < maxSlotID; i++) {
PK11SlotInfo *slot = SECMOD_LookupSlot(mod->moduleID, i);
if (slot) {
PRBool present = PK11_IsPresent(slot);
PK11_FreeSlot(slot);
if (present) {
continue;
}
/* not present means it's available */
}
/* it doesn't exist or isn't present, it's available */
slotID = i;
found = PR_TRUE;
break;
}
if (!found) {
/* this could happen if we try to open too many slots */
PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED);
return NULL;
}
/* we've found the slot, now build the moduleSpec */
escSpec = nss_doubleEscape(moduleSpec);
if (escSpec == NULL) {
return NULL;
}
sendSpec = PR_smprintf("tokens=[0x%x=<%s>]", slotID, escSpec);
PORT_Free(escSpec);
if (sendSpec == NULL) {
/* PR_smprintf does not set no memory error */
PORT_SetError(SEC_ERROR_NO_MEMORY);
return NULL;
}
rv = secmod_UserDBOp(CKO_NETSCAPE_NEWSLOT, sendSpec);
PR_smprintf_free(sendSpec);
if (rv != SECSuccess) {
return NULL;
}
return SECMOD_FindSlotByID(mod, slotID);
} }
/* /*
* close an already opened user database. NOTE: the database must be * close an already opened user database. NOTE: the database must be
* in the internal token, and must be one created with SECMOD_OpenUserDB(). * in the internal token, and must be one created with SECMOD_OpenUserDB().
* Once the database is closed, the slot will remain as an empty slot * Once the database is closed, the slot will remain as an empty slot
* until it's used again with SECMOD_OpenUserDB(). * until it's used again with SECMOD_OpenUserDB() or SECMOD_OpenNewSlot().
*/ */
SECStatus SECStatus
SECMOD_CloseUserDB(PK11SlotInfo *slot) SECMOD_CloseUserDB(PK11SlotInfo *slot)
{ {
SECStatus rv; SECStatus rv;
char *sendSpec; char *sendSpec;
if (!slot->isInternal) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
sendSpec = PR_smprintf("tokens=[0x%x=<>]", slot->slotID); sendSpec = PR_smprintf("tokens=[0x%x=<>]", slot->slotID);
if (sendSpec == NULL) { if (sendSpec == NULL) {
@ -1480,7 +1521,7 @@ SECMOD_CloseUserDB(PK11SlotInfo *slot)
PORT_SetError(SEC_ERROR_NO_MEMORY); PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure; return SECFailure;
} }
rv = secmod_UserDBOp(CKO_NETSCAPE_DELSLOT, sendSpec); rv = secmod_UserDBOp(slot, CKO_NETSCAPE_DELSLOT, sendSpec);
PR_smprintf_free(sendSpec); PR_smprintf_free(sendSpec);
return rv; return rv;
} }

8
security/nss/lib/pki/pki3hack.c
Просмотреть файл

@ -35,7 +35,7 @@
* ***** END LICENSE BLOCK ***** */ * ***** END LICENSE BLOCK ***** */
#ifdef DEBUG #ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.96 $ $Date: 2008/08/09 01:26:05 $"; static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.97 $ $Date: 2009/07/30 22:43:32 $";
#endif /* DEBUG */ #endif /* DEBUG */
/* /*
@ -668,7 +668,7 @@ STAN_GetCERTCertificateNameForInstance (
} }
if (stanNick) { if (stanNick) {
/* fill other fields needed by NSS3 functions using CERTCertificate */ /* fill other fields needed by NSS3 functions using CERTCertificate */
if (instance && (!PK11_IsInternal(instance->token->pk11slot) || if (instance && (!PK11_IsInternalKeySlot(instance->token->pk11slot) ||
PORT_Strchr(stanNick, ':') != NULL) ) { PORT_Strchr(stanNick, ':') != NULL) ) {
tokenName = nssToken_GetName(instance->token); tokenName = nssToken_GetName(instance->token);
tokenlen = nssUTF8_Size(tokenName, &nssrv); tokenlen = nssUTF8_Size(tokenName, &nssrv);
@ -734,7 +734,7 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced
NSSUTF8 *tokenName = NULL; NSSUTF8 *tokenName = NULL;
char *nick; char *nick;
if (instance && if (instance &&
(!PK11_IsInternal(instance->token->pk11slot) || (!PK11_IsInternalKeySlot(instance->token->pk11slot) ||
(stanNick && PORT_Strchr(stanNick, ':') != NULL))) { (stanNick && PORT_Strchr(stanNick, ':') != NULL))) {
tokenName = nssToken_GetName(instance->token); tokenName = nssToken_GetName(instance->token);
tokenlen = nssUTF8_Size(tokenName, &nssrv); tokenlen = nssUTF8_Size(tokenName, &nssrv);
@ -1161,7 +1161,7 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
nssTrust->stepUpApproved, PR_TRUE); nssTrust->stepUpApproved, PR_TRUE);
/* If the selected token can't handle trust, dump the trust on /* If the selected token can't handle trust, dump the trust on
* the internal token */ * the internal token */
if (!newInstance && !PK11_IsInternal(tok->pk11slot)) { if (!newInstance && !PK11_IsInternalKeySlot(tok->pk11slot)) {
PK11SlotInfo *slot = PK11_GetInternalKeySlot(); PK11SlotInfo *slot = PK11_GetInternalKeySlot();
NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL); NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL);
NSSASCII7 *email = c->email; NSSASCII7 *email = c->email;

2
security/nss/lib/softoken/softkver.h
Просмотреть файл

@ -57,7 +57,7 @@
* The format of the version string should be * The format of the version string should be
* "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]" * "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]"
*/ */
#define SOFTOKEN_VERSION "3.12.4.4" SOFTOKEN_ECC_STRING #define SOFTOKEN_VERSION "3.12.4.5" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3 #define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 12 #define SOFTOKEN_VMINOR 12
#define SOFTOKEN_VPATCH 4 #define SOFTOKEN_VPATCH 4

4
security/nss/lib/softoken/softoknt.h
Просмотреть файл

@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL. * the terms of any one of the MPL, the GPL or the LGPL.
* *
* ***** END LICENSE BLOCK ***** */ * ***** END LICENSE BLOCK ***** */
/* $Id: softoknt.h,v 1.5 2009/01/27 23:13:21 rrelyea%redhat.com Exp $ */ /* $Id: softoknt.h,v 1.6 2009/08/03 16:58:28 christophe.ravel.bugs%sun.com Exp $ */
#ifndef _SOFTOKNT_H_ #ifndef _SOFTOKNT_H_
#define _SOFTOKNT_H_ #define _SOFTOKNT_H_
@ -88,7 +88,7 @@ typedef enum {
NSS_AUDIT_SELF_TEST, NSS_AUDIT_SELF_TEST,
NSS_AUDIT_SET_PIN, NSS_AUDIT_SET_PIN,
NSS_AUDIT_UNWRAP_KEY, NSS_AUDIT_UNWRAP_KEY,
NSS_AUDIT_WRAP_KEY, NSS_AUDIT_WRAP_KEY
} NSSAuditType; } NSSAuditType;
#endif /* _SOFTOKNT_H_ */ #endif /* _SOFTOKNT_H_ */

4
security/nss/lib/util/nssutil.h
Просмотреть файл

@ -51,10 +51,10 @@
* The format of the version string should be * The format of the version string should be
* "<major version>.<minor version>[.<patch level>][ <Beta>]" * "<major version>.<minor version>[.<patch level>][ <Beta>]"
*/ */
#define NSSUTIL_VERSION "3.12.4.4 Beta" #define NSSUTIL_VERSION "3.12.4.5"
#define NSSUTIL_VMAJOR 3 #define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 12 #define NSSUTIL_VMINOR 12
#define NSSUTIL_VPATCH 4 #define NSSUTIL_VPATCH 4
#define NSSUTIL_BETA PR_TRUE #define NSSUTIL_BETA PR_FALSE
#endif /* __nssutil_h_ */ #endif /* __nssutil_h_ */

443
security/nss/lib/util/portreg.c
Просмотреть файл

@ -19,7 +19,9 @@
* the Initial Developer. All Rights Reserved. * the Initial Developer. All Rights Reserved.
* *
* Contributor(s): * Contributor(s):
* Rob McCool (original author)
* Ken Key <key+mozilla@ksquared.net> * Ken Key <key+mozilla@ksquared.net>
* Nelson Bolyard <nelson@bolyard.me>
* *
* Alternatively, the contents of this file may be used under the terms of * Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or * either the GNU General Public License Version 2 or later (the "GPL"), or
@ -38,9 +40,7 @@
/* /*
* shexp.c: shell-like wildcard match routines * shexp.c: shell-like wildcard match routines
* *
*
* See shexp.h for public documentation. * See shexp.h for public documentation.
*
*/ */
#include "seccomon.h" #include "seccomon.h"
@ -50,73 +50,75 @@
static int static int
_valid_subexp(const char *exp, char stop) _valid_subexp(const char *exp, char stop1, char stop2)
{ {
register int x,y,t; register int x;
int nsc,np,tld; int nsc = 0; /* Number of special characters */
int np; /* Number of pipe characters in union */
int tld = 0; /* Number of tilde characters */
x=0;nsc=0;tld=0; for (x = 0; exp[x] && (exp[x] != stop1) && (exp[x] != stop2); ++x) {
while(exp[x] && (exp[x] != stop)) {
switch(exp[x]) { switch(exp[x]) {
case '~': case '~':
if(tld) return INVALID_SXP; if(tld) /* at most one exclusion */
else ++tld; return INVALID_SXP;
case '*': if (stop1) /* no exclusions within unions */
case '?': return INVALID_SXP;
case '^': if (!exp[x+1]) /* exclusion cannot be last character */
case '$': return INVALID_SXP;
if (!x) /* exclusion cannot be first character */
return INVALID_SXP;
++tld;
/* fall through */
case '*':
case '?':
case '$':
++nsc; ++nsc;
break; break;
case '[': case '[':
++nsc; ++nsc;
if((!exp[++x]) || (exp[x] == ']')) if((!exp[++x]) || (exp[x] == ']'))
return INVALID_SXP; return INVALID_SXP;
for(++x;exp[x] && (exp[x] != ']');++x) for(; exp[x] && (exp[x] != ']'); ++x) {
if(exp[x] == '\\') if(exp[x] == '\\' && !exp[++x])
if(!exp[++x]) return INVALID_SXP;
return INVALID_SXP; }
if(!exp[x]) if(!exp[x])
return INVALID_SXP; return INVALID_SXP;
break; break;
case '(': case '(':
++nsc;np = 0; ++nsc;
while(1) { if (stop1) /* no nested unions */
if(exp[++x] == ')') return INVALID_SXP;
return INVALID_SXP; np = -1;
for(y=x;(exp[y]) && (exp[y] != '|') && (exp[y] != ')');++y) do {
if(exp[y] == '\\') int t = _valid_subexp(&exp[++x], ')', '|');
if(!exp[++y]) if(t == 0 || t == INVALID_SXP)
return INVALID_SXP;
if(!exp[y])
return INVALID_SXP;
if(exp[y] == '|')
++np;
t = _valid_subexp(&exp[x],exp[y]);
if(t == INVALID_SXP)
return INVALID_SXP; return INVALID_SXP;
x+=t; x+=t;
if(exp[x] == ')') { if(!exp[x])
if(!np) return INVALID_SXP;
return INVALID_SXP; ++np;
break; } while (exp[x] == '|' );
} if(np < 1) /* must be at least one pipe */
} return INVALID_SXP;
break; break;
case ')': case ')':
case ']': case '|':
case ']':
return INVALID_SXP; return INVALID_SXP;
case '\\': case '\\':
++nsc;
if(!exp[++x]) if(!exp[++x])
return INVALID_SXP; return INVALID_SXP;
default: break;
default:
break; break;
} }
++x;
} }
if((!stop) && (!nsc)) if((!stop1) && (!nsc)) /* must be at least one special character */
return NON_SXP; return NON_SXP;
return ((exp[x] == stop) ? x : INVALID_SXP); return ((exp[x] == stop1 || exp[x] == stop2) ? x : INVALID_SXP);
} }
int int
@ -124,7 +126,7 @@ PORT_RegExpValid(const char *exp)
{ {
int x; int x;
x = _valid_subexp(exp, '\0'); x = _valid_subexp(exp, '\0', '\0');
return (x < 0 ? x : VALID_SXP); return (x < 0 ? x : VALID_SXP);
} }
@ -136,156 +138,245 @@ PORT_RegExpValid(const char *exp)
#define NOMATCH 1 #define NOMATCH 1
#define ABORTED -1 #define ABORTED -1
static int _shexp_match(const char *str, const char *exp, PRBool case_insensitive);
static int static int
_handle_union(const char *str, const char *exp, PRBool case_insensitive) _shexp_match(const char *str, const char *exp, PRBool case_insensitive,
{ unsigned int level);
char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));
register int t,p2,p1 = 1;
int cp;
while(1) { /* Count characters until we reach a NUL character or either of the
for(cp=1;exp[cp] != ')';cp++) * two delimiter characters, stop1 or stop2. If we encounter a bracketed
if(exp[cp] == '\\') * expression, look only for NUL or ']' inside it. Do not look for stop1
++cp; * or stop2 inside it. Return ABORTED if bracketed expression is unterminated.
for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) { * Handle all escaping.
if(exp[p1] == '\\') * Return index in input string of first stop found, or ABORTED if not found.
e2[p2++] = exp[p1++]; * If "dest" is non-NULL, copy counted characters to it and NUL terminate.
e2[p2] = exp[p1]; */
} static int
for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {} _scan_and_copy(const char *exp, char stop1, char stop2, char *dest)
if(_shexp_match(str,e2, case_insensitive) == MATCH) { {
PORT_Free(e2); register int sx; /* source index */
return MATCH; register char cc;
}
if(p1 == cp) { for (sx = 0; (cc = exp[sx]) && cc != stop1 && cc != stop2; sx++) {
PORT_Free(e2); if (cc == '\\') {
return NOMATCH; if (!exp[++sx])
} return ABORTED; /* should be impossible */
else ++p1; } else if (cc == '[') {
while ((cc = exp[++sx]) && cc != ']') {
if(cc == '\\' && !exp[++sx])
return ABORTED;
}
if (!cc)
return ABORTED; /* should be impossible */
}
} }
if (dest && sx) {
/* Copy all but the closing delimiter. */
memcpy(dest, exp, sx);
dest[sx] = 0;
}
return cc ? sx : ABORTED; /* index of closing delimiter */
} }
/* On input, exp[0] is the opening parenthesis of a union.
* See if any of the alternatives in the union matches as a pattern.
* The strategy is to take each of the alternatives, in turn, and append
* the rest of the expression (after the closing ')' that marks the end of
* this union) to that alternative, and then see if the resultant expression
* matches the input string. Repeat this until some alternative matches,
* or we have an abort.
*/
static int
_handle_union(const char *str, const char *exp, PRBool case_insensitive,
unsigned int level)
{
register int sx; /* source index */
int cp; /* source index of closing parenthesis */
int count;
int ret = NOMATCH;
char *e2;
/* Find the closing parenthesis that ends this union in the expression */
cp = _scan_and_copy(exp, ')', '\0', NULL);
if (cp == ABORTED || cp < 4) /* must be at least "(a|b" before ')' */
return ABORTED;
++cp; /* now index of char after closing parenthesis */
e2 = (char *) PORT_Alloc(1 + strlen(exp));
if (!e2)
return ABORTED;
for (sx = 1; ; ++sx) {
/* Here, exp[sx] is one character past the preceeding '(' or '|'. */
/* Copy everything up to the next delimiter to e2 */
count = _scan_and_copy(exp + sx, ')', '|', e2);
if (count == ABORTED || !count) {
ret = ABORTED;
break;
}
sx += count;
/* Append everything after closing parenthesis to e2. This is safe. */
strcpy(e2+count, exp+cp);
ret = _shexp_match(str, e2, case_insensitive, level + 1);
if (ret != NOMATCH || !exp[sx] || exp[sx] == ')')
break;
}
PORT_Free(e2);
if (sx < 2)
ret = ABORTED;
return ret;
}
/* returns 1 if val is in range from start..end, case insensitive. */
static int
_is_char_in_range(int start, int end, int val)
{
char map[256];
memset(map, 0, sizeof map);
while (start <= end)
map[tolower(start++)] = 1;
return map[tolower(val)];
}
static int static int
_shexp_match(const char *str, const char *exp, PRBool case_insensitive) _shexp_match(const char *str, const char *exp, PRBool case_insensitive,
unsigned int level)
{ {
register int x,y; register int x; /* input string index */
register int y; /* expression index */
int ret,neg; int ret,neg;
ret = 0; if (level > 20) /* Don't let the stack get too deep. */
for(x=0,y=0;exp[y];++y,++x) { return ABORTED;
if((!str[x]) && (exp[y] != '(') && (exp[y] != '$') && (exp[y] != '*')) for(x = 0, y = 0; exp[y]; ++y, ++x) {
ret = ABORTED; if((!str[x]) && (exp[y] != '$') && (exp[y] != '*')) {
else { return NOMATCH;
switch(exp[y]) { }
case '$': switch(exp[y]) {
if( (str[x]) ) case '$':
ret = NOMATCH; if(str[x])
else return NOMATCH;
--x; /* we don't want loop to increment x */ --x; /* we don't want loop to increment x */
break; break;
case '*': case '*':
while(exp[++y] == '*'){} while(exp[++y] == '*'){}
if(!exp[y]) if(!exp[y])
return MATCH; return MATCH;
while(str[x]) { while(str[x]) {
switch(_shexp_match(&str[x++],&exp[y], case_insensitive)) { ret = _shexp_match(&str[x++], &exp[y], case_insensitive,
case NOMATCH: level + 1);
continue; switch(ret) {
case ABORTED: case NOMATCH:
ret = ABORTED; continue;
break; case ABORTED:
default: return ABORTED;
return MATCH; default:
} return MATCH;
break; }
} }
if((exp[y] == '$') && (exp[y+1] == '\0') && (!str[x])) if((exp[y] == '$') && (exp[y+1] == '\0') && (!str[x]))
return MATCH; return MATCH;
else else
ret = ABORTED; return NOMATCH;
break; case '[': {
case '[': int start, end = 0, i;
neg = ((exp[++y] == '^') && (exp[y+1] != ']')); neg = ((exp[++y] == '^') && (exp[y+1] != ']'));
if (neg) if (neg)
++y; ++y;
i = y;
if ((isalnum(exp[y])) && (exp[y+1] == '-') && start = (unsigned char)(exp[i++]);
(isalnum(exp[y+2])) && (exp[y+3] == ']')) if (start == '\\')
{ start = (unsigned char)(exp[i++]);
int start = exp[y], end = exp[y+2]; if (isalnum(start) && exp[i++] == '-') {
end = (unsigned char)(exp[i++]);
/* no safeguards here */ if (end == '\\')
if(neg ^ ((str[x] < start) || (str[x] > end))) { end = (unsigned char)(exp[i++]);
ret = NOMATCH; }
break; if (isalnum(end) && exp[i] == ']') {
} /* This is a range form: a-b */
y+=3; int val = (unsigned char)(str[x]);
} if (end < start) { /* swap them */
else { start ^= end;
int matched; end ^= start;
start ^= end;
for (matched=0;exp[y] != ']';y++) }
matched |= (str[x] == exp[y]); if (case_insensitive && isalpha(val)) {
if (neg ^ (!matched)) val = _is_char_in_range(start, end, val);
ret = NOMATCH; if (neg == val)
} return NOMATCH;
break; } else if (neg != ((val < start) || (val > end))) {
case '(': return NOMATCH;
return _handle_union(&str[x],&exp[y], case_insensitive); }
break; y = i;
case '?': } else {
break; /* Not range form */
case '\\': int matched = 0;
++y; for (; exp[y] != ']'; y++) {
default: if (exp[y] == '\\')
if(case_insensitive) ++y;
{ if(case_insensitive) {
if(toupper(str[x]) != toupper(exp[y])) matched |= (toupper(str[x]) == toupper(exp[y]));
ret = NOMATCH; } else {
} matched |= (str[x] == exp[y]);
else }
{ }
if(str[x] != exp[y]) if (neg == matched)
ret = NOMATCH; return NOMATCH;
} }
break; }
} break;
} case '(':
if(ret) if (!exp[y+1])
break; return ABORTED;
return _handle_union(&str[x], &exp[y], case_insensitive, level);
case '?':
break;
case '|':
case ']':
case ')':
return ABORTED;
case '\\':
++y;
/* fall through */
default:
if(case_insensitive) {
if(toupper(str[x]) != toupper(exp[y]))
return NOMATCH;
} else {
if(str[x] != exp[y])
return NOMATCH;
}
break;
}
} }
return (ret ? ret : (str[x] ? NOMATCH : MATCH)); return (str[x] ? NOMATCH : MATCH);
} }
static int static int
port_RegExpMatch(const char *str, const char *xp, PRBool case_insensitive) { port_RegExpMatch(const char *str, const char *xp, PRBool case_insensitive)
register int x; {
char *exp = 0; char *exp = 0;
int x, ret = MATCH;
if (!strchr(xp, '~'))
return _shexp_match(str, xp, case_insensitive, 0);
exp = PORT_Strdup(xp); exp = PORT_Strdup(xp);
if(!exp) if(!exp)
return 1; return NOMATCH;
for(x=strlen(exp)-1;x;--x) { x = _scan_and_copy(exp, '~', '\0', NULL);
if((exp[x] == '~') && (exp[x-1] != '\\')) { if (x != ABORTED && exp[x] == '~') {
exp[x] = '\0'; exp[x++] = '\0';
if(_shexp_match(str,&exp[++x], case_insensitive) == MATCH) ret = _shexp_match(str, &exp[x], case_insensitive, 0);
goto punt; switch (ret) {
break; case NOMATCH: ret = MATCH; break;
case MATCH: ret = NOMATCH; break;
default: break;
} }
} }
if(_shexp_match(str,exp, case_insensitive) == MATCH) { if (ret == MATCH)
PORT_Free(exp); ret = _shexp_match(str, exp, case_insensitive, 0);
return 0;
}
punt:
PORT_Free(exp); PORT_Free(exp);
return 1; return ret;
} }

40
security/nss/lib/util/portreg.h
Просмотреть файл

@ -19,6 +19,8 @@
* the Initial Developer. All Rights Reserved. * the Initial Developer. All Rights Reserved.
* *
* Contributor(s): * Contributor(s):
* Rob McCool (original author)
* Nelson Bolyard <nelson@bolyard.me>
* *
* Alternatively, the contents of this file may be used under the terms of * Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or * either the GNU General Public License Version 2 or later (the "GPL"), or
@ -37,7 +39,6 @@
/* /*
* shexp.h: Defines and prototypes for shell exp. match routines * shexp.h: Defines and prototypes for shell exp. match routines
* *
*
* This routine will match a string with a shell expression. The expressions * This routine will match a string with a shell expression. The expressions
* accepted are based loosely on the expressions accepted by zsh. * accepted are based loosely on the expressions accepted by zsh.
* *
@ -45,15 +46,34 @@
* o ? matches one character * o ? matches one character
* o \ will escape a special character * o \ will escape a special character
* o $ matches the end of the string * o $ matches the end of the string
* o [abc] matches one occurence of a, b, or c. The only character that needs * Bracketed expressions:
* to be escaped in this is ], all others are not special. * o [abc] matches one occurence of a, b, or c.
* o [a-z] matches any character between a and z * o [^abc] matches any character except a, b, or c.
* o [^az] matches any character except a or z * To be matched between [ and ], these characters must be escaped: \ ]
* o ~ followed by another shell expression will remove any pattern * No other characters need be escaped between brackets.
* matching the shell expression from the match list * Unnecessary escaping is permitted.
* o (foo|bar) will match either the substring foo, or the substring bar. * o [a-z] matches any character between a and z, inclusive.
* These can be shell expressions as well. * The two range-definition characters must be alphanumeric ASCII.
* * If one is upper case and the other is lower case, then the ASCII
* non-alphanumeric characters between Z and a will also be in range.
* o [^a-z] matches any character except those between a and z, inclusive.
* These forms cannot be combined, e.g [a-gp-z] does not work.
* o Exclusions:
* As a top level, outter-most expression only, the expression
* foo~bar will match the expression foo, provided it does not also
* match the expression bar. Either expression or both may be a union.
* Except between brackets, any unescaped ~ is an exclusion.
* At most one exclusion is permitted.
* Exclusions cannot be nested (contain other exclusions).
* example: *~abc will match any string except abc
* o Unions:
* (foo|bar) will match either the expression foo, or the expression bar.
* At least one '|' separator is required. More are permitted.
* Expressions inside unions may not include unions or exclusions.
* Inside a union, to be matched and not treated as a special character,
* these characters must be escaped: \ ( | ) [ ~ except when they occur
* inside a bracketed expression, where only \ and ] require escaping.
*
* The public interface to these routines is documented below. * The public interface to these routines is documented below.
* *
*/ */

4
security/nss/lib/util/secport.c
Просмотреть файл

@ -41,7 +41,7 @@
* *
* NOTE - These are not public interfaces * NOTE - These are not public interfaces
* *
* $Id: secport.c,v 1.23 2008/08/22 01:33:05 wtc%google.com Exp $ * $Id: secport.c,v 1.24 2009/07/30 23:28:21 nelson%bolyard.com Exp $
*/ */
#include "seccomon.h" #include "seccomon.h"
@ -287,6 +287,8 @@ PORT_FreeArena(PLArenaPool *arena, PRBool zero)
static const PRVersionDescription * pvd; static const PRVersionDescription * pvd;
static PRBool doFreeArenaPool = PR_FALSE; static PRBool doFreeArenaPool = PR_FALSE;
if (!pool)
return;
if (ARENAPOOL_MAGIC == pool->magic ) { if (ARENAPOOL_MAGIC == pool->magic ) {
len = sizeof *pool; len = sizeof *pool;
lock = pool->lock; lock = pool->lock;

16
security/nss/tests/chains/chains.sh
Просмотреть файл

@ -74,7 +74,8 @@ chains_init()
CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//") CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//")
CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000) CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000)
PK7_NONCE=$CERT_SN_CNT; PK7_NONCE=$CERT_SN_CNT
SCEN_CNT=0
AIA_FILES="${HOSTDIR}/aiafiles" AIA_FILES="${HOSTDIR}/aiafiles"
@ -415,16 +416,16 @@ process_crldp()
" "
for ITEM in ${CRLDP}; do for ITEM in ${CRLDP}; do
CRL_PUBLIC="${HOST}-$$-${ITEM}.crl" CRL_PUBLIC="${HOST}-$$-${ITEM}-${SCEN_CNT}.crl"
EXT_DATA="${EXT_DATA}7 EXT_DATA="${EXT_DATA}7
${NSS_AIA_HTTP}/${CRL_PUBLIC} ${NSS_AIA_HTTP}/${CRL_PUBLIC}
" "
done done
EXT_DATA="${EXT_DATA}0 EXT_DATA="${EXT_DATA}-1
0 -1
0 -1
n n
n n
" "
@ -459,7 +460,7 @@ copy_crl()
fi fi
CRL_LOCAL="${COPYCRL}.crl" CRL_LOCAL="${COPYCRL}.crl"
CRL_PUBLIC="${HOST}-$$-${COPYCRL}.crl" CRL_PUBLIC="${HOST}-$$-${COPYCRL}-${SCEN_CNT}.crl"
cp ${CRL_LOCAL} ${NSS_AIA_PATH}/${CRL_PUBLIC} 2> /dev/null cp ${CRL_LOCAL} ${NSS_AIA_PATH}/${CRL_PUBLIC} 2> /dev/null
chmod a+r ${NSS_AIA_PATH}/${CRL_PUBLIC} chmod a+r ${NSS_AIA_PATH}/${CRL_PUBLIC}
@ -857,6 +858,7 @@ parse_config()
EXT_KU= EXT_KU=
EXT_NS= EXT_NS=
EXT_EKU= EXT_EKU=
SERIAL=
;; ;;
"type") "type")
TYPE="${VALUE}" TYPE="${VALUE}"
@ -978,6 +980,8 @@ parse_config()
LOGNAME="libpkix-${VALUE}" LOGNAME="libpkix-${VALUE}"
LOGFILE="${LOGDIR}/${LOGNAME}" LOGFILE="${LOGDIR}/${LOGNAME}"
fi fi
SCEN_CNT=$(expr ${SCEN_CNT} + 1)
;; ;;
"sleep") "sleep")
sleep ${VALUE} sleep ${VALUE}

97
security/nss/tests/chains/scenarios/crldp.cfg Normal file
Просмотреть файл

@ -0,0 +1,97 @@
scenario CRLDP
entity Root
type Root
entity CA0
type Intermediate
issuer Root
entity CA1
type Intermediate
crldp CA0
issuer CA0
serial 10
aia CA0:Root
entity EE11
type EE
crldp CA0
issuer CA1
entity CA2
type Intermediate
crldp CA0
issuer CA0
serial 20
aia CA0:Root
entity EE21
type EE
issuer CA2
entity EE1
type EE
crldp CA0
issuer CA0
serial 30
aia CA0:Root
entity EE2
type EE
crldp CA0
issuer CA0
serial 40
aia CA0:Root
crl Root
crl CA0
crl CA1
crl CA2
revoke CA0
serial 20
revoke CA0
serial 40
copycrl CA0
db All
import Root::CTu,CTu,CTu
# intermediate CA - OK, EE - OK
verify EE11:CA1
cert CA1:CA0
trust Root:
fetch
rev_type chain
rev_mtype crl
result pass
# intermediate CA - revoked, EE - OK
verify EE21:CA2
cert CA2:CA0
trust Root:
fetch
rev_type chain
rev_mtype crl
result fail
# direct EE - OK
verify EE1:CA0
trust Root:
fetch
rev_type leaf
rev_mtype crl
result pass
# direct EE - revoked
verify EE2:CA0
trust Root:
fetch
rev_type leaf
rev_mtype crl
result fail

24
security/nss/tests/chains/scenarios/ocsp.cfg
Просмотреть файл

@ -23,6 +23,7 @@ verify OCSPEE11:x
cert OCSPCA1:x cert OCSPCA1:x
trust OCSPRoot trust OCSPRoot
rev_type leaf rev_type leaf
rev_flags requireFreshInfo
rev_mtype ocsp rev_mtype ocsp
result pass result pass
@ -31,6 +32,7 @@ verify OCSPEE12:x
cert OCSPCA1:x cert OCSPCA1:x
trust OCSPRoot trust OCSPRoot
rev_type leaf rev_type leaf
rev_flags requireFreshInfo
rev_mtype ocsp rev_mtype ocsp
result fail result fail
@ -51,7 +53,7 @@ verify OCSPEE15:x
rev_mtype ocsp rev_mtype ocsp
result fail result fail
#EE - OK, CA - revoked, leaf #EE - OK, CA - revoked, leaf, no fresh info
verify OCSPEE21:x verify OCSPEE21:x
cert OCSPCA2:x cert OCSPCA2:x
trust OCSPRoot trust OCSPRoot
@ -59,7 +61,16 @@ verify OCSPEE21:x
rev_mtype ocsp rev_mtype ocsp
result pass result pass
#EE - OK, CA - revoked, chain #EE - OK, CA - revoked, leaf, requireFreshInfo
verify OCSPEE21:x
cert OCSPCA2:x
trust OCSPRoot
rev_type leaf
rev_flags requireFreshInfo
rev_mtype ocsp
result fail
#EE - OK, CA - revoked, chain, requireFreshInfo
verify OCSPEE21:x verify OCSPEE21:x
cert OCSPCA2:x cert OCSPCA2:x
trust OCSPRoot trust OCSPRoot
@ -112,6 +123,15 @@ verify OCSPEE15:x
rev_mflags failIfNoInfo rev_mflags failIfNoInfo
result fail result fail
#EE - OK, CA - revoked, leaf, failIfNoInfo
verify OCSPEE21:x
cert OCSPCA2:x
trust OCSPRoot
rev_type leaf
rev_mtype ocsp
rev_mflags failIfNoInfo
result fail
testdb OCSPCA1 testdb OCSPCA1
#EE - OK on OCSP, revoked locally - should fail ?? #EE - OK on OCSP, revoked locally - should fail ??