Bug 527659, Update Mozilla-central to NSS 3.12.6

=== r=rrelyea for upgrading to release candidate 1
=== reapplying bug 519550 on top
=== includes PSM makefile tweak to keep TLS disabled (variables changed in the updated NSS snapshot)
=== change configure.in to require the newer system NSS, r=wtc

configure.in

@@ -4366,7 +4366,7 @@ MOZ_ARG_WITH_BOOL(system-nss,
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.12.0, [MOZ_NATIVE_NSS=1], [MOZ_NATIVE_NSS=])
+    AM_PATH_NSS(3.12.6, [MOZ_NATIVE_NSS=1], [MOZ_NATIVE_NSS=])
 fi
 
 if test -n "$MOZ_NATIVE_NSS"; then

security/coreconf/Darwin.mk

@@ -131,4 +131,5 @@ DLL_SUFFIX	= dylib
 PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \
                 sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,_,' > $@
 
-G++INCLUDES	= -I/usr/include/g++
+USE_SYSTEM_ZLIB = 1
+ZLIB_LIBS	= -lz

security/coreconf/coreconf.dep

@@ -42,3 +42,4 @@
  */
 
 #error "Do not include this header file."
+

security/manager/Makefile.in

@@ -243,9 +243,9 @@ ifeq ($(OS_ARCH),Linux)
 DEFAULT_GMAKE_FLAGS += FREEBL_NO_DEPEND=1
 endif
 
-# Turn off TLS compression support because NSS 3.12.5 Beta can't be built
+# Turn off TLS compression support because NSS 3.12.6 can't be built
 # with Mozilla's zlib.h.  See bug 527659 comment 10.
-DEFAULT_GMAKE_FLAGS += USE_SYSTEM_ZLIB=
+DEFAULT_GMAKE_FLAGS += NSS_ENABLE_ZLIB=
 
 # Disable building of the test programs in security/nss/lib/zlib
 DEFAULT_GMAKE_FLAGS += PROGRAMS=

security/nss/cmd/lib/secutil.h

@@ -320,7 +320,6 @@ extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
 extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
 
 extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
-extern void SEC_Init(void);
 
 extern char *SECU_SECModDBName(void);
 

security/nss/cmd/modutil/Makefile

@@ -57,6 +57,12 @@ include $(CORE_DEPTH)/coreconf/config.mk
 #######################################################################
 include ../platlibs.mk
 
+ifdef USE_SYSTEM_ZLIB
+OS_LIBS += $(ZLIB_LIBS)
+else
+EXTRA_LIBS += $(ZLIB_LIBS)
+endif
+
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################

security/nss/cmd/p7env/p7env.c

@@ -37,7 +37,7 @@
 /*
  * p7env -- A command to create a pkcs7 enveloped data.
  *
- * $Id: p7env.c,v 1.9 2008/08/08 23:47:56 julien.pierre.boogz%sun.com Exp $
+ * $Id: p7env.c,v 1.10 2010/02/11 02:39:47 wtc%google.com Exp $
  */
 
 #include "nspr.h"
@@ -61,8 +61,6 @@ extern int fwrite(char *, size_t, size_t, FILE*);
 extern int fprintf(FILE *, char *, ...);
 #endif
 
-extern void SEC_Init(void);		/* XXX */
-
 
 static void
 Usage(char *progName)

security/nss/cmd/platlibs.mk

@@ -251,6 +251,4 @@ ifndef USE_SYSTEM_ZLIB
 ZLIB_LIBS = $(DIST)/lib/$(LIB_PREFIX)zlib.$(LIB_SUFFIX)
 endif
 
-JAR_LIBS = $(DIST)/lib/$(LIB_PREFIX)jar.$(LIB_SUFFIX) \
-	$(ZLIB_LIBS) \
-	$(NULL)
+JAR_LIBS = $(DIST)/lib/$(LIB_PREFIX)jar.$(LIB_SUFFIX)

security/nss/cmd/signtool/Makefile

@@ -58,6 +58,12 @@ include $(CORE_DEPTH)/coreconf/config.mk
 
 include ../platlibs.mk
 
+ifdef USE_SYSTEM_ZLIB
+OS_LIBS += $(ZLIB_LIBS)
+else
+EXTRA_LIBS += $(ZLIB_LIBS)
+endif
+
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################

security/nss/cmd/ssltap/ssltap.c

@@ -66,7 +66,7 @@
 #include "cert.h"
 #include "sslproto.h"
 
-#define VERSIONSTRING "$Revision: 1.17 $ ($Date: 2010/01/28 06:19:11 $) $Author: nelson%bolyard.com $"
+#define VERSIONSTRING "$Revision: 1.18 $ ($Date: 2010/02/10 02:00:56 $) $Author: wtc%google.com $"
 
 
 struct _DataBufferList;
@@ -76,10 +76,10 @@ typedef struct _DataBufferList {
   struct _DataBuffer *first,*last;
   int size;
   int isEncrypted;
-  char * msgBuf;
-  int    msgBufOffset;
-  int    msgBufSize;
-  int    hMACsize;
+  unsigned char * msgBuf;
+  int             msgBufOffset;
+  int             msgBufSize;
+  int             hMACsize;
 } DataBufferList;
 
 typedef struct _DataBuffer {
@@ -773,8 +773,8 @@ void print_ssl3_handshake(unsigned char *recordBuf,
   if (s->msgBufOffset && s->msgBuf) {
     /* append recordBuf to msgBuf, then use msgBuf */
     if (s->msgBufOffset + recordLen > s->msgBufSize) {
-      int    newSize = s->msgBufOffset + recordLen;
-      char * newBuf = PORT_Realloc(s->msgBuf, newSize);
+      int             newSize = s->msgBufOffset + recordLen;
+      unsigned char * newBuf = PORT_Realloc(s->msgBuf, newSize);
       if (!newBuf) {
 	PR_ASSERT(newBuf);
 	showErr( "Realloc failed");
@@ -1132,7 +1132,7 @@ void print_ssl3_handshake(unsigned char *recordBuf,
       s->msgBufSize = newMsgLen;
       memcpy(s->msgBuf, recordBuf + offset, newMsgLen);
     } else if (newMsgLen > s->msgBufSize) {
-      char * newBuf = PORT_Realloc(s->msgBuf, newMsgLen);
+      unsigned char * newBuf = PORT_Realloc(s->msgBuf, newMsgLen);
       if (!newBuf) {
 	PR_ASSERT(newBuf);
 	showErr( "Realloc failed");

security/nss/cmd/strsclnt/strsclnt.c

@@ -229,8 +229,8 @@ errExit(char * funcString)
 void
 disableAllSSLCiphers(void)
 {
-    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
-    int             i            = SSL_NumImplementedCiphers;
+    const PRUint16 *cipherSuites = SSL_GetImplementedCiphers();
+    int             i            = SSL_GetNumImplementedCiphers();
     SECStatus       rv;
 
     /* disable all the SSL3 cipher suites */

security/nss/cmd/tstclnt/tstclnt.c

@@ -274,8 +274,8 @@ milliPause(PRUint32 milli)
 void
 disableAllSSLCiphers(void)
 {
-    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
-    int             i            = SSL_NumImplementedCiphers;
+    const PRUint16 *cipherSuites = SSL_GetImplementedCiphers();
+    int             i            = SSL_GetNumImplementedCiphers();
     SECStatus       rv;
 
     /* disable all the SSL3 cipher suites */

security/nss/lib/Makefile

@@ -68,6 +68,10 @@ SQLITE_SRCDIR = sqlite  # Add the sqlite directory to DIRS.
 endif
 endif
 
+ifeq ($(OS_ARCH),Linux)
+SYSINIT_SRCDIR = sysinit  # Add the sysinit directory to DIRS.
+endif
+
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################

security/nss/lib/certdb/alg1485.c

@@ -458,7 +458,7 @@ ParseRFC1485AVA(PRArenaPool *arena, char **pbp, char *endptr)
 		vt = SEC_ASN1_UTF8_STRING;
 	}
 
-	derVal.data = valBuf;
+	derVal.data = (unsigned char*) valBuf;
 	derVal.len  = valLen;
 	a = CERT_CreateAVAFromSECItem(arena, kind, vt, &derVal);
     }
@@ -981,7 +981,7 @@ AppendAVA(stringBuf *bufp, CERTAVA *ava, CertStrictnessLevel strict)
 
     nameLen  = strlen(tagName);
     valueLen = (useHex ? avaValue->len : 
-		cert_RFC1485_GetRequiredLen(avaValue->data, avaValue->len, 
+		cert_RFC1485_GetRequiredLen((char *)avaValue->data, avaValue->len, 
 					    &mode));
     len = nameLen + valueLen + 2; /* Add 2 for '=' and trailing NUL */
 
@@ -1194,8 +1194,8 @@ avaToString(PRArenaPool *arena, CERTAVA *ava)
     if(!avaValue) {
 	return buf;
     }
-    valueLen = cert_RFC1485_GetRequiredLen(avaValue->data, avaValue->len, 
-					   NULL) + 1;
+    valueLen = cert_RFC1485_GetRequiredLen((char *)avaValue->data,
+                                           avaValue->len, NULL) + 1;
     if (arena) {
 	buf = (char *)PORT_ArenaZAlloc(arena, valueLen);
     } else {

security/nss/lib/certdb/certdb.c

@@ -39,7 +39,7 @@
 /*
  * Certificate handling code
  *
- * $Id: certdb.c,v 1.101 2009/05/18 21:33:25 nelson%bolyard.com Exp $
+ * $Id: certdb.c,v 1.102 2010/02/10 02:00:57 wtc%google.com Exp $
  */
 
 #include "nssilock.h"
@@ -1553,14 +1553,16 @@ cert_VerifySubjectAltName(CERTCertificate *cert, const char *hn)
 		*/
 		int cnLen = current->name.other.len;
 		rv = CERT_RFC1485_EscapeAndQuote(cn, cnBufLen, 
-					    current->name.other.data, cnLen);
+					    (char *)current->name.other.data,
+					    cnLen);
 		if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_OUTPUT_LEN) {
 		    cnBufLen = cnLen * 3 + 3; /* big enough for worst case */
 		    cn = (char *)PORT_ArenaAlloc(arena, cnBufLen);
 		    if (!cn)
 			goto fail;
 		    rv = CERT_RFC1485_EscapeAndQuote(cn, cnBufLen, 
-					    current->name.other.data, cnLen);
+					    (char *)current->name.other.data,
+					    cnLen);
 		}
 		if (rv == SECSuccess)
 		    rv = cert_TestHostName(cn ,hn);

security/nss/lib/certdb/secname.c

@@ -590,7 +590,7 @@ CERT_CompareRDN(CERTRDN *a, CERTRDN *b)
     if (ac > bc) return SECGreaterThan;
 
     while (NULL != (aava = *aavas++)) {
-	for (bavas = b->avas; bava = *bavas++; ) {
+	for (bavas = b->avas; NULL != (bava = *bavas++); ) {
 	    rv = SECITEM_CompareItem(&aava->type, &bava->type);
 	    if (SECEqual == rv) {
 		rv = CERT_CompareAVA(aava, bava);

security/nss/lib/cryptohi/cryptohi.h

@@ -37,7 +37,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: cryptohi.h,v 1.13 2009/09/23 22:51:56 wtc%google.com Exp $ */
+/* $Id: cryptohi.h,v 1.14 2010/02/10 00:49:43 wtc%google.com Exp $ */
 
 #ifndef _CRYPTOHI_H_
 #define _CRYPTOHI_H_
@@ -137,7 +137,8 @@ extern SECStatus SGN_End(SGNContext *cx, SECItem *result);
 **	"algid" the signature/hash algorithm to sign with 
 **		(must be compatible with the key type).
 */
-extern SECStatus SEC_SignData(SECItem *result, unsigned char *buf, int len,
+extern SECStatus SEC_SignData(SECItem *result,
+			     const unsigned char *buf, int len,
 			     SECKEYPrivateKey *pk, SECOidTag algid);
 
 /*
@@ -348,8 +349,8 @@ extern SECStatus VFY_VerifyDigestWithAlgorithmID(const SECItem *dig,
 **	    the key type.
 **	"wincx" void pointer to the window context
 */
-extern SECStatus VFY_VerifyData(unsigned char *buf, int len,
-				SECKEYPublicKey *key, SECItem *sig,
+extern SECStatus VFY_VerifyData(const unsigned char *buf, int len,
+				const SECKEYPublicKey *key, const SECItem *sig,
 				SECOidTag sigAlg, void *wincx);
 /*
 ** Verify the signature on a block of data. The signature data is an RSA
@@ -391,7 +392,7 @@ extern SECStatus VFY_VerifyDataDirect(const unsigned char *buf, int len,
 */
 extern SECStatus VFY_VerifyDataWithAlgorithmID(const unsigned char *buf, 
 				int len, const SECKEYPublicKey *key,
-				 const SECItem *sig,
+				const SECItem *sig,
 				const SECAlgorithmID *algid, SECOidTag *hash,
 				void *wincx);
 

security/nss/lib/cryptohi/secsign.c

@@ -37,7 +37,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: secsign.c,v 1.21 2009/09/23 22:51:56 wtc%google.com Exp $ */
+/* $Id: secsign.c,v 1.22 2010/02/10 00:49:43 wtc%google.com Exp $ */
 
 #include <stdio.h>
 #include "cryptohi.h"
@@ -277,7 +277,7 @@ SGN_End(SGNContext *cx, SECItem *result)
 ** signature. Returns zero on success, an error code on failure.
 */
 SECStatus
-SEC_SignData(SECItem *res, unsigned char *buf, int len,
+SEC_SignData(SECItem *res, const unsigned char *buf, int len,
 	     SECKEYPrivateKey *pk, SECOidTag algid)
 {
     SECStatus rv;

security/nss/lib/cryptohi/secvfy.c

@@ -37,7 +37,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: secvfy.c,v 1.22 2008/02/28 04:27:36 nelson%bolyard.com Exp $ */
+/* $Id: secvfy.c,v 1.23 2010/02/10 00:49:43 wtc%google.com Exp $ */
 
 #include <stdio.h>
 #include "cryptohi.h"
@@ -721,8 +721,8 @@ VFY_VerifyDataDirect(const unsigned char *buf, int len,
 }
 
 SECStatus
-VFY_VerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
-	       SECItem *sig, SECOidTag algid, void *wincx)
+VFY_VerifyData(const unsigned char *buf, int len, const SECKEYPublicKey *key,
+	       const SECItem *sig, SECOidTag algid, void *wincx)
 {
     SECOidTag encAlg, hashAlg;
     SECStatus rv = sec_DecodeSigAlg(key, algid, NULL, &encAlg, &hashAlg);

security/nss/lib/jar/jarver.c

@@ -535,7 +535,7 @@ jar_parse_any(JAR *jar, int type, JAR_Signer *signer,
 	    }
 	}
 
-	if (!x_name || !*x_name) {
+	if (!*x_name) {
 	    /* Whatever that was, it wasn't an entry, because we didn't get a 
 	       name. We don't really have anything, so don't record this. */
 	    continue;

security/nss/lib/libpkix/pkix/util/pkix_list.c

@@ -120,7 +120,7 @@ pkix_List_Destroy(
 
         /* We have a valid list. DecRef its item and recurse on next */
         PKIX_DECREF(list->item);
-        while (nextItem = list->next) {
+        while ((nextItem = list->next) != NULL) {
             list->next = nextItem->next;
             nextItem->next = NULL;
             PKIX_DECREF(nextItem);

security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c

@@ -43,6 +43,13 @@
 
 #include "pkix_pl_pk11certstore.h"
 
+/*
+ * PKIX_DEFAULT_MAX_RESPONSE_LENGTH (64 * 1024) is too small for downloading
+ * CRLs.  We observed CRLs of sizes 338759 and 439035 in practice.  So we
+ * need to use a higher max response length for CRLs.
+ */
+#define PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH (512 * 1024)
+
 /* --Private-Pk11CertStore-Functions---------------------------------- */
 
 /*
@@ -871,6 +878,8 @@ DownloadCrl(pkix_pl_CrlDp *dp, PKIX_PL_CRL **crl,
 
             myHttpResponseDataLen =
                 ((PKIX_PL_NssContext*)plContext)->maxResponseLength;
+            if (myHttpResponseDataLen < PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH)
+                myHttpResponseDataLen = PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH;
 
             /* We use a non-zero timeout, which means:
                - the client will use blocking I/O

security/nss/lib/manifest.mn

@@ -55,7 +55,7 @@ DIRS =  util freebl $(SQLITE_SRCDIR) softoken \
 	$(ZLIB_SRCDIR) ssl \
 	pkcs12 pkcs7 smime \
 	crmf jar \
-	ckfw      \
+	ckfw $(SYSINIT_SRCDIR) \
 	$(NULL)
 
 #  fortcrypt  is no longer built

security/nss/lib/nss/nss.h

@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: nss.h,v 1.74 2009/11/20 20:15:05 christophe.ravel.bugs%sun.com Exp $ */
+/* $Id: nss.h,v 1.76 2010/02/11 19:12:45 christophe.ravel.bugs%sun.com Exp $ */
 
 #ifndef __nss_h_
 #define __nss_h_
@@ -66,12 +66,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.12.6.0" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION  "3.12.6.0" _NSS_ECC_STRING _NSS_CUSTOMIZED
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   12
 #define NSS_VPATCH   6
 #define NSS_VBUILD   0
-#define NSS_BETA     PR_TRUE
+#define NSS_BETA     PR_FALSE
 
 #ifndef RC_INVOKED
 
@@ -263,11 +263,7 @@ extern SECStatus NSS_InitReadWrite(const char *configdir);
         NSS_INIT_NOPK11FINALIZE | \
         NSS_INIT_RESERVED
 
-#ifdef macintosh
-#define SECMOD_DB "Security Modules"
-#else
 #define SECMOD_DB "secmod.db"
-#endif
 
 typedef struct NSSInitContextStr NSSInitContext;
 

security/nss/lib/pk11wrap/pk11cert.c

@@ -1945,7 +1945,7 @@ PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
 	nssPKIObjectCollection_Destroy(collection);
 	return SECFailure;
     }
-    (void *)nssTrustDomain_GetCertsFromCache(td, certList);
+    (void)nssTrustDomain_GetCertsFromCache(td, certList);
     transfer_token_certs_to_collection(certList, tok, collection);
     instances = nssToken_FindObjects(tok, NULL, CKO_CERTIFICATE,
                                      tokenOnly, 0, &nssrv);

security/nss/lib/pk11wrap/pk11pars.c

@@ -1134,6 +1134,12 @@ SECMOD_LoadModule(char *modulespec,SECMODModule *parent, PRBool recurse)
 
 	    for (; *index; index++) {
 		SECMODModule *child;
+		if (0 == PORT_Strcmp(*index, modulespec)) {
+		    /* avoid trivial infinite recursion */
+		    PORT_SetError(SEC_ERROR_NO_MODULE);
+		    rv = SECFailure;
+		    break;
+		}
 		child = SECMOD_LoadModule(*index,module,PR_TRUE);
 		if (!child) break;
 		if (child->isCritical && !child->loaded) {

security/nss/lib/pkcs7/certread.c

@@ -360,7 +360,7 @@ notder:
 	while ( cl >= NS_CERT_TRAILER_LEN ) {
 	    if ( !PORT_Strncasecmp((char *)cp, NS_CERT_TRAILER,
 				   NS_CERT_TRAILER_LEN) ) {
-		certend = (unsigned char *)cp;
+		certend = cp;
 		break;
 	    }
 
@@ -383,7 +383,7 @@ notder:
 
 	*certend = 0;
 	/* convert to binary */
-	bincert = ATOB_AsciiToData(certbegin, &binLen);
+	bincert = ATOB_AsciiToData((char *)certbegin, &binLen);
 	if (!bincert) {
 	    rv = SECFailure;
 	    goto loser;

security/nss/lib/pki/tdcache.c

@@ -35,7 +35,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: tdcache.c,v $ $Revision: 1.48 $ $Date: 2008/11/19 16:08:05 $";
+static const char CVS_ID[] = "@(#) $RCSfile: tdcache.c,v $ $Revision: 1.49 $ $Date: 2010/02/10 02:04:32 $";
 #endif /* DEBUG */
 
 #ifndef PKIM_H
@@ -499,7 +499,7 @@ nssTrustDomain_UpdateCachedTokenCerts (
     PRUint32 count;
     certList = nssList_Create(NULL, PR_FALSE);
     if (!certList) return PR_FAILURE;
-    (void *)nssTrustDomain_GetCertsFromCache(td, certList);
+    (void)nssTrustDomain_GetCertsFromCache(td, certList);
     count = nssList_Count(certList);
     if (count > 0) {
 	cached = nss_ZNEWARRAY(NULL, NSSCertificate *, count + 1);

security/nss/lib/pki/trustdomain.c

@@ -35,7 +35,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.60 $ $Date: 2008/10/06 02:56:00 $";
+static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.61 $ $Date: 2010/02/10 02:04:32 $";
 #endif /* DEBUG */
 
 #ifndef DEV_H
@@ -1048,7 +1048,7 @@ NSSTrustDomain_TraverseCertificates (
     certList = nssList_Create(NULL, PR_FALSE);
     if (!certList) 
     	return NULL;
-    (void *)nssTrustDomain_GetCertsFromCache(td, certList);
+    (void)nssTrustDomain_GetCertsFromCache(td, certList);
     cached = get_certs_from_list(certList);
     collection = nssCertificateCollection_Create(td, cached);
     nssCertificateArray_Destroy(cached);

security/nss/lib/ssl/Makefile

@@ -71,11 +71,6 @@ CSRCS	+= unix_err.c
 endif
 endif
 
-ifdef USE_SYSTEM_ZLIB
-DEFINES += -DNSS_ENABLE_ZLIB
-EXTRA_LIBS += $(ZLIB_LIBS)
-endif
-
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################

security/nss/lib/ssl/config.mk

@@ -43,7 +43,6 @@ ifdef NSS_SURVIVE_DOUBLE_BYPASS_FAILURE
 DEFINES += -DNSS_SURVIVE_DOUBLE_BYPASS_FAILURE
 endif
 
-# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
 CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 
 EXTRA_LIBS += \
@@ -82,7 +81,6 @@ endif # NS_USE_GCC
 
 else
 
-# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
@@ -100,3 +98,23 @@ EXTRA_SHARED_LIBS += -lbe
 endif
 
 endif
+
+# Mozilla's mozilla/modules/zlib/src/zconf.h adds the MOZ_Z_ prefix to zlib
+# exported symbols, which causes problem when NSS is built as part of Mozilla.
+# So we add a NSS_ENABLE_ZLIB variable to allow Mozilla to turn this off.
+NSS_ENABLE_ZLIB = 1
+ifdef NSS_ENABLE_ZLIB
+
+DEFINES += -DNSS_ENABLE_ZLIB
+
+# If a platform has a system zlib, set USE_SYSTEM_ZLIB to 1 and
+# ZLIB_LIBS to the linker command-line arguments for the system zlib
+# (for example, -lz) in the platform's config file in coreconf.
+ifdef USE_SYSTEM_ZLIB
+OS_LIBS += $(ZLIB_LIBS)
+else
+ZLIB_LIBS = $(DIST)/lib/$(LIB_PREFIX)zlib.$(LIB_SUFFIX)
+EXTRA_LIBS += $(ZLIB_LIBS)
+endif
+
+endif

security/nss/lib/ssl/ssl.def

@@ -142,7 +142,9 @@ SSL_CanBypass;
 ;+NSS_3.12.6 {      # NSS 3.12.6 release
 ;+    global:
 SSL_ConfigServerSessionIDCacheWithOpt;
+SSL_GetImplementedCiphers;
 SSL_GetNegotiatedHostInfo;
+SSL_GetNumImplementedCiphers;
 SSL_HandshakeNegotiatedExtension;
 SSL_ReconfigFD;
 SSL_SetTrustAnchors;

security/nss/lib/ssl/ssl.h

@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: ssl.h,v 1.35 2010/02/04 03:21:11 wtc%google.com Exp $ */
+/* $Id: ssl.h,v 1.36 2010/02/10 18:07:21 wtc%google.com Exp $ */
 
 #ifndef __ssl_h_
 #define __ssl_h_
@@ -61,9 +61,15 @@ SEC_BEGIN_PROTOS
 /* constant table enumerating all implemented SSL 2 and 3 cipher suites. */
 SSL_IMPORT const PRUint16 SSL_ImplementedCiphers[];
 
+/* the same as the above, but is a function */
+SSL_IMPORT const PRUint16 *SSL_GetImplementedCiphers(void);
+
 /* number of entries in the above table. */
 SSL_IMPORT const PRUint16 SSL_NumImplementedCiphers;
 
+/* the same as the above, but is a function */
+SSL_IMPORT PRUint16 SSL_GetNumImplementedCiphers(void);
+
 /* Macro to tell which ciphers in table are SSL2 vs SSL3/TLS. */
 #define SSL_IS_SSL2_CIPHER(which) (((which) & 0xfff0) == 0xff00)
 

security/nss/lib/ssl/sslenum.c

@@ -39,7 +39,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslenum.c,v 1.16 2008/12/17 06:09:19 nelson%bolyard.com Exp $ */
+/* $Id: sslenum.c,v 1.17 2010/02/10 18:07:21 wtc%google.com Exp $ */
 
 #include "ssl.h"
 #include "sslproto.h"
@@ -54,6 +54,9 @@
  * such as AES and RC4 to allow servers that prefer Camellia to negotiate
  * Camellia without having to disable AES and RC4, which are needed for
  * interoperability with clients that don't yet implement Camellia.
+ *
+ * If new ECC cipher suites are added, also update the ssl3CipherSuite arrays
+ * in ssl3ecc.c.
  */
 const PRUint16 SSL_ImplementedCiphers[] = {
     /* 256-bit */
@@ -149,3 +152,14 @@ const PRUint16 SSL_ImplementedCiphers[] = {
 const PRUint16 SSL_NumImplementedCiphers = 
     (sizeof SSL_ImplementedCiphers) / (sizeof SSL_ImplementedCiphers[0]) - 1;
 
+const PRUint16 *
+SSL_GetImplementedCiphers(void)
+{
+    return SSL_ImplementedCiphers;
+}
+
+PRUint16
+SSL_GetNumImplementedCiphers(void)
+{
+    return SSL_NumImplementedCiphers;
+}

security/nss/lib/ssl/sslimpl.h

@@ -39,7 +39,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslimpl.h,v 1.76 2010/02/04 03:08:45 wtc%google.com Exp $ */
+/* $Id: sslimpl.h,v 1.77 2010/02/10 00:33:50 wtc%google.com Exp $ */
 
 #ifndef __sslimpl_h_
 #define __sslimpl_h_
@@ -130,11 +130,7 @@ extern int Debug;
 #define SSL_DBG(b)
 #endif
 
-#ifdef macintosh
-#include "pprthred.h"
-#else
 #include "private/pprthred.h"	/* for PR_InMonitor() */
-#endif
 #define ssl_InMonitor(m) PZ_InMonitor(m)
 
 #define LSB(x) ((unsigned char) ((x) & 0xff))

security/nss/lib/sysinit/nsssysinit.c

@@ -36,8 +36,7 @@
 #include "seccomon.h"
 #include "prio.h"
 #include "prprf.h"
-
-
+#include "plhash.h"
 
 /*
  * The following provides a default example for operating systems to set up
@@ -52,6 +51,7 @@
  */
 
 #ifdef XP_UNIX
+#include <unistd.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 
@@ -110,12 +110,26 @@ getSystemDB(void) {
    return PORT_Strdup(NSS_DEFAULT_SYSTEM);
 }
 
+static PRBool
+userIsRoot()
+{
+   /* this works for linux and all unixes that we know off
+	  though it isn't stated as such in POSIX documentation */
+   return getuid() == 0;
+}
+
+static PRBool
+userCanModifySystemDB()
+{
+   return (access(NSS_DEFAULT_SYSTEM, W_OK) == 0);
+}
+
 #else
 #ifdef XP_WIN
 static char *
 getUserDB(void)
 {
-   /* use the registry to find the user's NSS_DIR. if no entry exists, creaate
+   /* use the registry to find the user's NSS_DIR. if no entry exists, create
     * one in the users Appdir location */
    return NULL;
 }
@@ -123,13 +137,28 @@ getUserDB(void)
 static char *
 getSystemDB(void)
 {
-   /* use the registry to find the system's NSS_DIR. if no entry exists, creaate
+   /* use the registry to find the system's NSS_DIR. if no entry exists, create
     * one based on the windows system data area */
    return NULL;
 }
 
+static PRBool
+userIsRoot()
+{
+   /* use the registry to find if the user is the system administrator. */
+   return PR_FALSE;
+}
+
+static PRBool
+userCanModifySystemDB()
+{
+   /* use the registry to find if the user has administrative privilege 
+    * to modify the system's nss database. */
+   return PR_FALSE;
+}
+
 #else
-#error "Need to write getUserDB and get SystemDB functions"
+#error "Need to write getUserDB, SystemDB, userIsRoot, and userCanModifySystemDB functions"
 #endif
 #endif
 
@@ -184,6 +213,25 @@ getFIPSMode(void)
 
 #define NSS_DEFAULT_FLAGS "flags=readonly"
 
+/* configuration flags according to
+ * https://developer.mozilla.org/en/PKCS11_Module_Specs
+ * As stated there the slotParams start with a slot name which is a slotID
+ * Slots 1 through 3 are reserved for the nss internal modules as follows:
+ * 1 for crypto operations slot non-fips,
+ * 2 for the key slot, and
+ * 3 for the crypto operations slot fips
+ */
+#define ORDER_FLAGS "trustOrder=75 cipherOrder=100"
+#define SLOT_FLAGS \
+	"[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \
+	" askpw=any timeout=30 ]"
+ 
+static const char *nssDefaultFlags =
+	ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " }  ";
+
+static const char *nssDefaultFIPSFlags =
+	ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " }  ";
+
 /*
  * This function builds the list of databases and modules to load, and sets
  * their configuration. For the sample we have a fixed set.
@@ -201,8 +249,10 @@ getFIPSMode(void)
 static char **
 get_list(char *filename, char *stripped_parameters)
 {
-    char **module_list = PORT_ZNewArray(char *, 4);
-    char *userdb;
+    char **module_list = PORT_ZNewArray(char *, 5);
+    char *userdb, *sysdb;
+    int isFIPS = getFIPSMode();
+    const char *nssflags = isFIPS ? nssDefaultFIPSFlags : nssDefaultFlags;
     int next = 0;
 
     /* can't get any space */
@@ -210,15 +260,19 @@ get_list(char *filename, char *stripped_parameters)
 	return NULL;
     }
 
-    userdb  = getUserDB();
-    if (userdb != NULL) {
+    sysdb = getSystemDB();
+    userdb = getUserDB();
+
+    /* Don't open root's user DB */
+    if (userdb != NULL && !userIsRoot()) {
 	/* return a list of databases to open. First the user Database */
 	module_list[next++] = PR_smprintf(
 	    "library= "
 	    "module=\"NSS User database\" "
-	    "parameters=\"configdir='sql:%s' %s\" "
-	    "NSS=\"flags=internal%s\"", 
-		userdb, stripped_parameters, getFIPSMode() ? ",FIPS" : "");
+	    "parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" "
+        "NSS=\"%sflags=internal%s\"",
+        userdb, stripped_parameters, nssflags,
+        isFIPS ? ",FIPS" : "");
 
 	/* now open the user's defined PKCS #11 modules */
 	/* skip the local user DB entry */
@@ -228,19 +282,47 @@ get_list(char *filename, char *stripped_parameters)
 	    "parameters=\"configdir='sql:%s' %s\" "
 	    "NSS=\"flags=internal,moduleDBOnly,defaultModDB,skipFirst\"", 
 		userdb, stripped_parameters);
-   }
+	}
 
-    /* now the system database (always read only) */
-    module_list[next++] = PR_smprintf(
-	"library= "
-	"module=\"NSS system database\" "
-	"parameters=\"configdir='sql:%s' tokenDescription='NSS system database' flags=readonly\" "
-	"NSS=\"flags=internal,critical\"",filename);
+#if 0
+	/* This doesn't actually work. If we register
+		both this and the sysdb (in either order)
+		then only one of them actually shows up */
+
+    /* Using a NULL filename as a Boolean flag to
+     * prevent registering both an application-defined
+     * db and the system db. rhbz #546211.
+     */
+    PORT_Assert(filename);
+    if (sysdb && PL_CompareStrings(filename, sysdb))
+	    filename = NULL;
+    else if (userdb && PL_CompareStrings(filename, userdb))
+	    filename = NULL;
+
+    if (filename && !userIsRoot()) {
+	    module_list[next++] = PR_smprintf(
+	      "library= "
+	      "module=\"NSS database\" "
+	      "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
+	      "NSS=\"%sflags=internal\"",filename, filename, nssflags);
+    }
+#endif
+
+    /* now the system database (always read only unless it's root) */
+    if (sysdb) {
+	    const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
+	    module_list[next++] = PR_smprintf(
+	      "library= "
+	      "module=\"NSS system database\" "
+	      "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
+	      "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
+    }
 
     /* that was the last module */
     module_list[next] = 0;
 
     PORT_Free(userdb);
+    PORT_Free(sysdb);
 
     return module_list;
 }

security/nss/lib/util/manifest.mn

@@ -95,7 +95,6 @@ CSRCS = \
 	secoid.c \
 	sectime.c \
 	secport.c \
-	secinit.c \
 	templates.c \
 	utf8.c \
 	$(NULL)

security/nss/lib/util/nssutil.h

@@ -51,11 +51,11 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.12.6.0 Beta"
+#define NSSUTIL_VERSION  "3.12.6.0"
 #define NSSUTIL_VMAJOR   3
 #define NSSUTIL_VMINOR   12
 #define NSSUTIL_VPATCH   6
 #define NSSUTIL_VBUILD   0
-#define NSSUTIL_BETA     PR_TRUE
+#define NSSUTIL_BETA     PR_FALSE
 
 #endif /* __nssutil_h_ */

security/nss/lib/util/secinit.c

@@ -1,53 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nspr.h"
-#include "secport.h"
-
-static int sec_inited = 0;
-
-void 
-SEC_Init(void)
-{
-    /* PR_Init() must be called before SEC_Init() */
-#if !defined(SERVER_BUILD)
-    PORT_Assert(PR_Initialized() == PR_TRUE);
-#endif
-    if (sec_inited)
-	return;
-
-    sec_inited = 1;
-}

security/nss/lib/util/secoid.c

@@ -42,6 +42,26 @@
 #include "prenv.h"
 #include "plhash.h"
 #include "nssrwlk.h"
+#include "nssutil.h"
+
+/* Library identity and versioning */
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information for the 'ident' and 'what commands
+ *
+ * NOTE: the first component of the concatenated rcsid string
+ * must not end in a '$' to prevent rcs keyword substitution.
+ */
+const char __nss_util_rcsid[] = "$Header: NSS " NSSUTIL_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__ " $";
+const char __nss_util_sccsid[] = "@(#)NSS " NSSUTIL_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__;
 
 /* MISSI Mosaic Object ID space */
 #define USGOV                   0x60, 0x86, 0x48, 0x01, 0x65
@@ -1861,6 +1881,9 @@ SECOID_Init(void)
     const SECOidData *oid;
     int i;
     char * envVal;
+    volatile char c; /* force a reference that won't get optimized away */
+
+    c = __nss_util_rcsid[0] + __nss_util_sccsid[0];
 
     if (oidhash) {
 	return SECSuccess; /* already initialized */

security/nss/tests/memleak/memleak.sh

@@ -426,6 +426,7 @@ run_strsclnt()
 			"Tstclnt produced a returncode of ${ret} - FAILED"
 	fi
 	
+	sleep 20
 	kill $(jobs -p) 2> /dev/null
 }