bug 1470914, NSS 3.39, beta revision 93cbd336eaca UPGRADE_NSS_RELEASE r=me

--HG--
extra : amend_source : 94593e49ce7b37239629e5c9aa5dbf6865c38b7c

security/nss/TAG-INFO

@@ -1 +1 @@
-NSS_3_38_RTM
+93cbd336eaca

security/nss/automation/abi-check/expected-report-libnssutil3.so.txt

@@ -1,4 +0,0 @@
-
-1 Added function:
-
-  'function SECStatus SECITEM_MakeItem(PLArenaPool*, SECItem*, unsigned char*, unsigned int)'    {SECITEM_MakeItem@@NSSUTIL_3.38}

security/nss/automation/abi-check/previous-nss-release

@@ -1 +1 @@
-NSS_3_37_BRANCH
+NSS_3_38_BRANCH

security/nss/coreconf/coreconf.dep

@@ -10,3 +10,4 @@
  */
 
 #error "Do not include this header file."
+

security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc

@@ -88,18 +88,30 @@ class TestAgent {
   }
 
   bool ConnectTcp() {
+    // Try IPv6 first, then IPv4 in case of failure.
+    if (!OpenConnection("::1") && !OpenConnection("127.0.0.1")) {
+      return false;
+    }
+
+    ssl_fd_ = SSL_ImportFD(NULL, pr_fd_);
+    if (!ssl_fd_) {
+      return false;
+    }
+    pr_fd_ = nullptr;
+
+    return true;
+  }
+
+  bool OpenConnection(const char* ip) {
     PRStatus prv;
     PRNetAddr addr;
 
-    // Try IPv6 first.
-    prv = PR_StringToNetAddr("::1", &addr);
+    prv = PR_StringToNetAddr(ip, &addr);
+
     if (prv != PR_SUCCESS) {
-      // If that fails, try IPv4.
-      prv = PR_StringToNetAddr("127.0.0.1", &addr);
-      if (prv != PR_SUCCESS) {
-        return false;
-      }
+      return false;
     }
+
     addr.inet.port = PR_htons(cfg_.get<int>("port"));
 
     pr_fd_ = PR_OpenTCPSocket(addr.raw.family);
@@ -109,11 +121,6 @@ class TestAgent {
     if (prv != PR_SUCCESS) {
       return false;
     }
-
-    ssl_fd_ = SSL_ImportFD(NULL, pr_fd_);
-    if (!ssl_fd_) return false;
-    pr_fd_ = nullptr;
-
     return true;
   }
 

security/nss/lib/nss/nss.h

@@ -22,12 +22,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.38" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.39" _NSS_CUSTOMIZED " Beta"
 #define NSS_VMAJOR 3
-#define NSS_VMINOR 38
+#define NSS_VMINOR 39
 #define NSS_VPATCH 0
 #define NSS_VBUILD 0
-#define NSS_BETA PR_FALSE
+#define NSS_BETA PR_TRUE
 
 #ifndef RC_INVOKED
 

security/nss/lib/nss/nssinit.c

@@ -702,6 +702,30 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
         if (SECOID_Init() != SECSuccess) {
             goto loser;
         }
+#ifdef POLICY_FILE
+        /* Load the system crypto policy file if it exists,
+         * unless the NSS_IGNORE_SYSTEM_POLICY environment
+         * variable has been set to 1. */
+        ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
+        if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
+            if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
+                SECMODModule *module = SECMOD_LoadModule(
+                    "name=\"Policy File\" "
+                    "parameters=\"configdir='sql:" POLICY_PATH "' "
+                    "secmod='" POLICY_FILE "' "
+                    "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
+                    "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
+                    parent, PR_TRUE);
+                if (module) {
+                    PRBool isLoaded = module->loaded;
+                    SECMOD_DestroyModule(module);
+                    if (!isLoaded) {
+                        goto loser;
+                    }
+                }
+            }
+        }
+#endif
         if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) {
             goto loser;
         }
@@ -730,30 +754,6 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
                 }
             }
         }
-#ifdef POLICY_FILE
-        /* Load the system crypto policy file if it exists,
-         * unless the NSS_IGNORE_SYSTEM_POLICY environment
-         * variable has been set to 1. */
-        ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
-        if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
-            if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
-                SECMODModule *module = SECMOD_LoadModule(
-                    "name=\"Policy File\" "
-                    "parameters=\"configdir='sql:" POLICY_PATH "' "
-                    "secmod='" POLICY_FILE "' "
-                    "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
-                    "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
-                    parent, PR_TRUE);
-                if (module) {
-                    PRBool isLoaded = module->loaded;
-                    SECMOD_DestroyModule(module);
-                    if (!isLoaded) {
-                        goto loser;
-                    }
-                }
-            }
-        }
-#endif
         pk11sdr_Init();
         cert_CreateSubjectKeyIDHashTable();
 

security/nss/lib/pk11wrap/pk11pars.c

@@ -109,6 +109,7 @@ secmod_NewModule(void)
                                                  *other flags are set */
 #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
 #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
 
 /* private flags for internal (field in SECMODModule). */
 /* The meaing of these flags is as follows:
@@ -703,6 +704,9 @@ SECMOD_CreateModuleEx(const char *library, const char *moduleName,
         if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
             flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
         }
+        if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
+            flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
+        }
         /* additional moduleDB flags could be added here in the future */
         mod->isModuleDB = (PRBool)flags;
     }
@@ -742,6 +746,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule *mod)
     return (flags & SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE;
 }
 
+PRBool
+secmod_PolicyOnly(SECMODModule *mod)
+{
+    char flags = (char)mod->isModuleDB;
+
+    return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
+}
+
 PRBool
 secmod_IsInternalKeySlot(SECMODModule *mod)
 {
@@ -1660,6 +1672,12 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse)
     if (!module) {
         goto loser;
     }
+
+    /* a policy only stanza doesn't actually get 'loaded'. policy has already
+     * been parsed as a side effect of the CreateModuleEx call */
+    if (secmod_PolicyOnly(module)) {
+        return module;
+    }
     if (parent) {
         module->parent = SECMOD_ReferenceModule(parent);
         if (module->internal && secmod_IsInternalKeySlot(parent)) {

security/nss/lib/softoken/softkver.h

@@ -17,11 +17,11 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION "3.38" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.39" SOFTOKEN_ECC_STRING " Beta"
 #define SOFTOKEN_VMAJOR 3
-#define SOFTOKEN_VMINOR 38
+#define SOFTOKEN_VMINOR 39
 #define SOFTOKEN_VPATCH 0
 #define SOFTOKEN_VBUILD 0
-#define SOFTOKEN_BETA PR_FALSE
+#define SOFTOKEN_BETA PR_TRUE
 
 #endif /* _SOFTKVER_H_ */

security/nss/lib/util/nssutil.h

@@ -19,12 +19,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION "3.38"
+#define NSSUTIL_VERSION "3.39 Beta"
 #define NSSUTIL_VMAJOR 3
-#define NSSUTIL_VMINOR 38
+#define NSSUTIL_VMINOR 39
 #define NSSUTIL_VPATCH 0
 #define NSSUTIL_VBUILD 0
-#define NSSUTIL_BETA PR_FALSE
+#define NSSUTIL_BETA PR_TRUE
 
 SEC_BEGIN_PROTOS