by constant expressions. HP C compiler version B.11.11.08 generates
incorrect code silently if the initializers are non-constant expressions.
r=alexei.volkov,julien.pierre.
Modified files: cmd/crmftest/testcrmf.c lib/ssl/ssl3con.c
instead of SECKEY_PublicKeyStrength to get ECDSA signature lengths.
Removed the 'type' member from the VFYContextStr structure because that
info is in the 'key->keyType' field. Set error codes when functions
fail (return 0). r=nelsonb.
Modified Files:
cryptohi/keyhi.h cryptohi/seckey.c cryptohi/secvfy.c
nss/nss.def ssl/ssl3con.c
SSL now follows NSPR socket semantics and never returns a short write
count on a blocking socket. On a blocking socket, it returns either
the full count or -1 (with an error code set).
For non-blocking sockets, SSL no longer returns a full write count
when some of the data remains buffered in the SSL record layer.
Instead it returns a number is that always at least 1 byte short of a
full write count, so that the caller will keep retrying until it is done.
SSL makes sure that the first byte sent by the caller in the retry
matches the last byte previously buffered. r=rrelyea.
Modified Files: ssl3con.c sslcon.c ssldef.c sslimpl.h sslsecur.c
This patch has a known problem, choosing ephemeral ECDH curves
according to the wrong (suboptimal, non-FIPS) criteria.
Modified Files: ssl3con.c ssl3ecc.c sslimpl.h
ECDSA signatures. Backed out a temporary workaround in
ECDSA_SignDigestWithSeed. Made other changes related to signature lengths.
r=relyea,nelson.bolyard.
Modified Files:
cryptohi/keyhi.h cryptohi/seckey.c cryptohi/secsign.c
freebl/ec.c pk11wrap/pk11obj.c pk11wrap/pk11pub.h
ssl/ssl3con.c
plus upcoming revisions. The patch is contributed by Douglas Stebila
of Sun Labs <douglas@stebila.ca>. r=wtc.
Modified Files:
cmd/selfserv/selfserv.c cmd/strsclnt/strsclnt.c
cmd/tstclnt/tstclnt.c cmd/vfyserv/vfyserv.c lib/ssl/ssl3con.c
lib/ssl/ssl3ecc.c lib/ssl/ssl3prot.h lib/ssl/sslenum.c
lib/ssl/sslimpl.h lib/ssl/sslinfo.c lib/ssl/sslproto.h
lib/ssl/sslsock.c tests/ssl/ecssl.sh tests/ssl/ecsslauth.txt
tests/ssl/ecsslcov.txt tests/ssl/ecsslstress.txt
tests/ssl/ssl.sh
Reorganize the SSL Socket structure contents to obviate ssl3 pointer.
Move much of the ECC code from ssl3con to new file ssl3ecc.c. derive.c
implements derivation of the SSL/TLS master secret and the encryption and
MAC keys and IVs without using PKCS11. Bug 305147. r=rrelyea.
Modified Files: ssl/config.mk ssl/manifest.mn ssl/ssl.h ssl/ssl3con.c
ssl/ssl3gthr.c ssl/sslauth.c ssl/sslcon.c ssl/ssldef.c ssl/sslgathr.c
ssl/sslimpl.h ssl/sslinfo.c ssl/sslnonce.c ssl/sslsecur.c ssl/sslsnce.c
ssl/sslsock.c
Added Files: ssl/derive.c ssl/ssl3ecc.c
client auth and SSL3 client doesn't authenticate. The fix is to coalesce
the SSL3 no_certificate alert record with the following records (e.g.
client_key_exchange handshake, change_cipher_spec and finished handshake).
Fix bugs 207313 and 118668.
a) changes selfserv to test the return value from NSS_Shutdown.
b) changes SECMOD_Shutdown to set the error code SEC_ERROR_BUSY before
returning SECFailure.
c) Adds a new function SSL_ShutdownServerSessionIDCache to ssl.h.
d) Changes selfserv to call SSL_ShutdownServerSessionIDCache before calling
NSS_Shutdown.
Modified Files:
cmd/selfserv/selfserv.c lib/pk11wrap/pk11util.c
lib/ssl/ssl.def lib/ssl/ssl.h lib/ssl/ssl3con.c
lib/ssl/sslimpl.h lib/ssl/sslsnce.c
SSL_REQUIRE_CERTIFICATE option. Value 2 has always been the default.
New Value 3 is appropriate for servers that want to re-request, but
still not require, client-auth from a client with whom an SSL session
is already established.
rather than being pointed to by the sslSocket. This reduces the number
of malloc/free calls, and greatly reduces pointer fetches, and null
pointer checks. sslGather and sslSecurityInfo are separately initialized.
2. SSL_ResetHandshake no longer deallocates and reallocates the sslSecurityInfo and all its subcomponents.
3. Many places that formerly did not check for memory allocation failures
now do check, and do the right thing when allocation failed.
1) Implicit declaration of function.
2) Possibly unitialized variables.
These warnings have indicated some real problems in the code, so many changes
are not just to silence the warnings, but to fix the problems. Others were
inocuous, but the warnings were silenced to reduce the noise.
remember the certs it sent back when it established the SSL session.
Bug 78959. Also, hold on the certs in the received cert chain until
the SSL connection is complete. This makes it easier for applications
to look at the entire cert chain after the handshake is over without
having to write their own custom authCert callbacks. It is backwards
compatible with older NSS SSL applications, but may use more memory.
remove lots of depricated files.
move some files to appropriate directories (pcertdb *_rand
associated headers to soft token, for instance)
rename several stan files which had the same name as other nss files.
remove depricated functions.
requires client auth. Work around bug in NT TCP stack by only shutting
down the socket for SEND (not for BOTH) after sending a bad_certificate
alert. This avoids bogus CONNECTION_RESET_BY_PEER errors at the client.
record of application data into a single write, when possible, to avoid
TCP's "Nagle" delays. Fixes bug 67898. r&a: wtc. Modified Files:
ssl3con.c sslimpl.h sslsecur.c sslsock.c
SECHashObjects[] is no longer exported.
New function HASH_GetHashObject returns pointer to selected const object.
SSL statistics are now in a structure whose address is obtained via a
call to SSL_GetStatistics().
On NT, the new symbol NSS_USE_STATIC_LIBS must be declared in programs
that use the static SSL library.
Also, propagate "const" declaration for SECHashObjects.
rolling back from TLS (SSL 3.1) to SSL 3.0. Provide a new SSL socket
option to disable roll-back detection in servers, since certain TLS
clients are doing it incorrectly.