Bug 527659, Update Mozilla-central to NSS 3.12.6

=== r=rrelyea for upgrading to release candidate 1
=== reapplying bug 519550 on top
=== includes PSM makefile tweak to keep TLS disabled (variables changed in the updated NSS snapshot)
=== change configure.in to require the newer system NSS, r=wtc
Kai Engert 2010-02-12 09:47:51 +01:00
Родитель dd82038f9b
Коммит 5d7a8d0f68
42 изменённых файлов: 257 добавлений и 147 удалений


@ -4366,7 +4366,7 @@ MOZ_ARG_WITH_BOOL(system-nss,
_USE_SYSTEM_NSS=1 )
if test -n "$_USE_SYSTEM_NSS"; then
AM_PATH_NSS(3.12.0, [MOZ_NATIVE_NSS=1], [MOZ_NATIVE_NSS=])
AM_PATH_NSS(3.12.6, [MOZ_NATIVE_NSS=1], [MOZ_NATIVE_NSS=])
fi
if test -n "$MOZ_NATIVE_NSS"; then


@ -131,4 +131,5 @@ DLL_SUFFIX = dylib
PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \
sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,_,' > $@
G++INCLUDES = -I/usr/include/g++
USE_SYSTEM_ZLIB = 1
ZLIB_LIBS = -lz


@ -42,3 +42,4 @@
*/
#error "Do not include this header file."


@ -243,9 +243,9 @@ ifeq ($(OS_ARCH),Linux)
DEFAULT_GMAKE_FLAGS += FREEBL_NO_DEPEND=1
endif
# Turn off TLS compression support because NSS 3.12.5 Beta can't be built
# Turn off TLS compression support because NSS 3.12.6 can't be built
# with Mozilla's zlib.h. See bug 527659 comment 10.
DEFAULT_GMAKE_FLAGS += USE_SYSTEM_ZLIB=
DEFAULT_GMAKE_FLAGS += NSS_ENABLE_ZLIB=
# Disable building of the test programs in security/nss/lib/zlib
DEFAULT_GMAKE_FLAGS += PROGRAMS=


@ -320,7 +320,6 @@ extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
extern void SEC_Init(void);
extern char *SECU_SECModDBName(void);


@ -57,6 +57,12 @@ include $(CORE_DEPTH)/coreconf/config.mk
#######################################################################
include ../platlibs.mk
ifdef USE_SYSTEM_ZLIB
OS_LIBS += $(ZLIB_LIBS)
else
EXTRA_LIBS += $(ZLIB_LIBS)
endif
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #
#######################################################################


@ -37,7 +37,7 @@
/*
* p7env -- A command to create a pkcs7 enveloped data.
*
* $Id: p7env.c,v 1.9 2008/08/08 23:47:56 julien.pierre.boogz%sun.com Exp $
* $Id: p7env.c,v 1.10 2010/02/11 02:39:47 wtc%google.com Exp $
*/
#include "nspr.h"
@ -61,8 +61,6 @@ extern int fwrite(char *, size_t, size_t, FILE*);
extern int fprintf(FILE *, char *, ...);
#endif
extern void SEC_Init(void); /* XXX */
static void
Usage(char *progName)


@ -251,6 +251,4 @@ ifndef USE_SYSTEM_ZLIB
ZLIB_LIBS = $(DIST)/lib/$(LIB_PREFIX)zlib.$(LIB_SUFFIX)
endif
JAR_LIBS = $(DIST)/lib/$(LIB_PREFIX)jar.$(LIB_SUFFIX) \
$(ZLIB_LIBS) \
$(NULL)
JAR_LIBS = $(DIST)/lib/$(LIB_PREFIX)jar.$(LIB_SUFFIX)


@ -58,6 +58,12 @@ include $(CORE_DEPTH)/coreconf/config.mk
include ../platlibs.mk
ifdef USE_SYSTEM_ZLIB
OS_LIBS += $(ZLIB_LIBS)
else
EXTRA_LIBS += $(ZLIB_LIBS)
endif
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #
#######################################################################


@ -66,7 +66,7 @@
#include "cert.h"
#include "sslproto.h"
#define VERSIONSTRING "$Revision: 1.17 $ ($Date: 2010/01/28 06:19:11 $) $Author: nelson%bolyard.com $"
#define VERSIONSTRING "$Revision: 1.18 $ ($Date: 2010/02/10 02:00:56 $) $Author: wtc%google.com $"
struct _DataBufferList;
@ -76,10 +76,10 @@ typedef struct _DataBufferList {
struct _DataBuffer *first,*last;
int size;
int isEncrypted;
char * msgBuf;
int msgBufOffset;
int msgBufSize;
int hMACsize;
unsigned char * msgBuf;
int msgBufOffset;
int msgBufSize;
int hMACsize;
} DataBufferList;
typedef struct _DataBuffer {
@ -773,8 +773,8 @@ void print_ssl3_handshake(unsigned char *recordBuf,
if (s->msgBufOffset && s->msgBuf) {
/* append recordBuf to msgBuf, then use msgBuf */
if (s->msgBufOffset + recordLen > s->msgBufSize) {
int newSize = s->msgBufOffset + recordLen;
char * newBuf = PORT_Realloc(s->msgBuf, newSize);
int newSize = s->msgBufOffset + recordLen;
unsigned char * newBuf = PORT_Realloc(s->msgBuf, newSize);
if (!newBuf) {
PR_ASSERT(newBuf);
showErr( "Realloc failed");
@ -1132,7 +1132,7 @@ void print_ssl3_handshake(unsigned char *recordBuf,
s->msgBufSize = newMsgLen;
memcpy(s->msgBuf, recordBuf + offset, newMsgLen);
} else if (newMsgLen > s->msgBufSize) {
char * newBuf = PORT_Realloc(s->msgBuf, newMsgLen);
unsigned char * newBuf = PORT_Realloc(s->msgBuf, newMsgLen);
if (!newBuf) {
PR_ASSERT(newBuf);
showErr( "Realloc failed");
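Review bot: In both realloc-failure branches of print_ssl3_handshake, `PR_ASSERT(newBuf)` sits inside `if (!newBuf)`, so in a debug build it always fires and `showErr( "Realloc failed")` is not reached, while release builds take the error path. Since this code reassembles handshake messages from captured records, the failure path is worth keeping testable: drop the assert or move it after the error report. Separately, `int newSize = s->msgBufOffset + recordLen;` is a plain sum with no range check; recordLen's declaration is outside the hunk, so whether the sum can exceed an int could not be checked here. The function body starts and ends outside both hunks.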


@ -229,8 +229,8 @@ errExit(char * funcString)
void
disableAllSSLCiphers(void)
{
const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
int i = SSL_NumImplementedCiphers;
const PRUint16 *cipherSuites = SSL_GetImplementedCiphers();
int i = SSL_GetNumImplementedCiphers();
SECStatus rv;
/* disable all the SSL3 cipher suites */


@ -274,8 +274,8 @@ milliPause(PRUint32 milli)
void
disableAllSSLCiphers(void)
{
const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
int i = SSL_NumImplementedCiphers;
const PRUint16 *cipherSuites = SSL_GetImplementedCiphers();
int i = SSL_GetNumImplementedCiphers();
SECStatus rv;
/* disable all the SSL3 cipher suites */


@ -68,6 +68,10 @@ SQLITE_SRCDIR = sqlite # Add the sqlite directory to DIRS.
endif
endif
ifeq ($(OS_ARCH),Linux)
SYSINIT_SRCDIR = sysinit # Add the sysinit directory to DIRS.
endif
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #
#######################################################################


@ -458,7 +458,7 @@ ParseRFC1485AVA(PRArenaPool *arena, char **pbp, char *endptr)
vt = SEC_ASN1_UTF8_STRING;
}
derVal.data = valBuf;
derVal.data = (unsigned char*) valBuf;
derVal.len = valLen;
a = CERT_CreateAVAFromSECItem(arena, kind, vt, &derVal);
}
@ -981,7 +981,7 @@ AppendAVA(stringBuf *bufp, CERTAVA *ava, CertStrictnessLevel strict)
nameLen = strlen(tagName);
valueLen = (useHex ? avaValue->len :
cert_RFC1485_GetRequiredLen(avaValue->data, avaValue->len,
cert_RFC1485_GetRequiredLen((char *)avaValue->data, avaValue->len,
&mode));
len = nameLen + valueLen + 2; /* Add 2 for '=' and trailing NUL */
@ -1194,8 +1194,8 @@ avaToString(PRArenaPool *arena, CERTAVA *ava)
if(!avaValue) {
return buf;
}
valueLen = cert_RFC1485_GetRequiredLen(avaValue->data, avaValue->len,
NULL) + 1;
valueLen = cert_RFC1485_GetRequiredLen((char *)avaValue->data,
avaValue->len, NULL) + 1;
if (arena) {
buf = (char *)PORT_ArenaZAlloc(arena, valueLen);
} else {


@ -39,7 +39,7 @@
/*
* Certificate handling code
*
* $Id: certdb.c,v 1.101 2009/05/18 21:33:25 nelson%bolyard.com Exp $
* $Id: certdb.c,v 1.102 2010/02/10 02:00:57 wtc%google.com Exp $
*/
#include "nssilock.h"
@ -1553,14 +1553,16 @@ cert_VerifySubjectAltName(CERTCertificate *cert, const char *hn)
*/
int cnLen = current->name.other.len;
rv = CERT_RFC1485_EscapeAndQuote(cn, cnBufLen,
current->name.other.data, cnLen);
(char *)current->name.other.data,
cnLen);
if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_OUTPUT_LEN) {
cnBufLen = cnLen * 3 + 3; /* big enough for worst case */
cn = (char *)PORT_ArenaAlloc(arena, cnBufLen);
if (!cn)
goto fail;
rv = CERT_RFC1485_EscapeAndQuote(cn, cnBufLen,
current->name.other.data, cnLen);
(char *)current->name.other.data,
cnLen);
}
if (rv == SECSuccess)
rv = cert_TestHostName(cn ,hn);


@ -590,7 +590,7 @@ CERT_CompareRDN(CERTRDN *a, CERTRDN *b)
if (ac > bc) return SECGreaterThan;
while (NULL != (aava = *aavas++)) {
for (bavas = b->avas; bava = *bavas++; ) {
for (bavas = b->avas; NULL != (bava = *bavas++); ) {
rv = SECITEM_CompareItem(&aava->type, &bava->type);
if (SECEqual == rv) {
rv = CERT_CompareAVA(aava, bava);


@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: cryptohi.h,v 1.13 2009/09/23 22:51:56 wtc%google.com Exp $ */
/* $Id: cryptohi.h,v 1.14 2010/02/10 00:49:43 wtc%google.com Exp $ */
#ifndef _CRYPTOHI_H_
#define _CRYPTOHI_H_
@ -137,7 +137,8 @@ extern SECStatus SGN_End(SGNContext *cx, SECItem *result);
** "algid" the signature/hash algorithm to sign with
** (must be compatible with the key type).
*/
extern SECStatus SEC_SignData(SECItem *result, unsigned char *buf, int len,
extern SECStatus SEC_SignData(SECItem *result,
const unsigned char *buf, int len,
SECKEYPrivateKey *pk, SECOidTag algid);
/*
@ -348,8 +349,8 @@ extern SECStatus VFY_VerifyDigestWithAlgorithmID(const SECItem *dig,
** the key type.
** "wincx" void pointer to the window context
*/
extern SECStatus VFY_VerifyData(unsigned char *buf, int len,
SECKEYPublicKey *key, SECItem *sig,
extern SECStatus VFY_VerifyData(const unsigned char *buf, int len,
const SECKEYPublicKey *key, const SECItem *sig,
SECOidTag sigAlg, void *wincx);
/*
** Verify the signature on a block of data. The signature data is an RSA
@ -391,7 +392,7 @@ extern SECStatus VFY_VerifyDataDirect(const unsigned char *buf, int len,
*/
extern SECStatus VFY_VerifyDataWithAlgorithmID(const unsigned char *buf,
int len, const SECKEYPublicKey *key,
const SECItem *sig,
const SECItem *sig,
const SECAlgorithmID *algid, SECOidTag *hash,
void *wincx);


@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: secsign.c,v 1.21 2009/09/23 22:51:56 wtc%google.com Exp $ */
/* $Id: secsign.c,v 1.22 2010/02/10 00:49:43 wtc%google.com Exp $ */
#include <stdio.h>
#include "cryptohi.h"
@ -277,7 +277,7 @@ SGN_End(SGNContext *cx, SECItem *result)
** signature. Returns zero on success, an error code on failure.
*/
SECStatus
SEC_SignData(SECItem *res, unsigned char *buf, int len,
SEC_SignData(SECItem *res, const unsigned char *buf, int len,
SECKEYPrivateKey *pk, SECOidTag algid)
{
SECStatus rv;


@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: secvfy.c,v 1.22 2008/02/28 04:27:36 nelson%bolyard.com Exp $ */
/* $Id: secvfy.c,v 1.23 2010/02/10 00:49:43 wtc%google.com Exp $ */
#include <stdio.h>
#include "cryptohi.h"
@ -721,8 +721,8 @@ VFY_VerifyDataDirect(const unsigned char *buf, int len,
}
SECStatus
VFY_VerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
SECItem *sig, SECOidTag algid, void *wincx)
VFY_VerifyData(const unsigned char *buf, int len, const SECKEYPublicKey *key,
const SECItem *sig, SECOidTag algid, void *wincx)
{
SECOidTag encAlg, hashAlg;
SECStatus rv = sec_DecodeSigAlg(key, algid, NULL, &encAlg, &hashAlg);


@ -535,7 +535,7 @@ jar_parse_any(JAR *jar, int type, JAR_Signer *signer,
}
}
if (!x_name || !*x_name) {
if (!*x_name) {
/* Whatever that was, it wasn't an entry, because we didn't get a
name. We don't really have anything, so don't record this. */
continue;
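Review bot: The guard before `continue` appears to lose its NULL test (reading the second of the two printed lines, `if (!*x_name) {`, as the new side), so x_name is now dereferenced unconditionally. That is safe only if x_name is a local array or otherwise can never be NULL; its declaration is outside the hunk, so this could not be confirmed from the visible lines. A one-line comment would record the assumption, for example `/* x_name is an array, so only the empty-name case can occur here */`, to be checked against the declaration. jar_parse_any's body starts and ends outside the hunk.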


@ -120,7 +120,7 @@ pkix_List_Destroy(
/* We have a valid list. DecRef its item and recurse on next */
PKIX_DECREF(list->item);
while (nextItem = list->next) {
while ((nextItem = list->next) != NULL) {
list->next = nextItem->next;
nextItem->next = NULL;
PKIX_DECREF(nextItem);


@ -43,6 +43,13 @@
#include "pkix_pl_pk11certstore.h"
/*
* PKIX_DEFAULT_MAX_RESPONSE_LENGTH (64 * 1024) is too small for downloading
* CRLs. We observed CRLs of sizes 338759 and 439035 in practice. So we
* need to use a higher max response length for CRLs.
*/
#define PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH (512 * 1024)
/* --Private-Pk11CertStore-Functions---------------------------------- */
/*
@ -871,6 +878,8 @@ DownloadCrl(pkix_pl_CrlDp *dp, PKIX_PL_CRL **crl,
myHttpResponseDataLen =
((PKIX_PL_NssContext*)plContext)->maxResponseLength;
if (myHttpResponseDataLen < PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH)
myHttpResponseDataLen = PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH;
/* We use a non-zero timeout, which means:
- the client will use blocking I/O
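Review bot: The added clamp in DownloadCrl makes the context's maxResponseLength ineffective below 512 KB, so an application that configured a smaller limit to bound memory per fetch silently gets PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH for CRL downloads. If that override is intended, say so at the clamp, e.g. `/* CRLs deliberately override a smaller caller-configured limit */`, and brace the single-statement `if`. The new header comment cites observed CRLs of 439035 bytes, so larger CRLs will still be rejected at this cap; what the caller does when the download fails is outside the hunk and worth checking. DownloadCrl's body starts and ends outside the hunk.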


@ -55,7 +55,7 @@ DIRS = util freebl $(SQLITE_SRCDIR) softoken \
$(ZLIB_SRCDIR) ssl \
pkcs12 pkcs7 smime \
crmf jar \
ckfw \
ckfw $(SYSINIT_SRCDIR) \
$(NULL)
# fortcrypt is no longer built


@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: nss.h,v 1.74 2009/11/20 20:15:05 christophe.ravel.bugs%sun.com Exp $ */
/* $Id: nss.h,v 1.76 2010/02/11 19:12:45 christophe.ravel.bugs%sun.com Exp $ */
#ifndef __nss_h_
#define __nss_h_
@ -66,12 +66,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.12.6.0" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
#define NSS_VERSION "3.12.6.0" _NSS_ECC_STRING _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 12
#define NSS_VPATCH 6
#define NSS_VBUILD 0
#define NSS_BETA PR_TRUE
#define NSS_BETA PR_FALSE
#ifndef RC_INVOKED
@ -263,11 +263,7 @@ extern SECStatus NSS_InitReadWrite(const char *configdir);
NSS_INIT_NOPK11FINALIZE | \
NSS_INIT_RESERVED
#ifdef macintosh
#define SECMOD_DB "Security Modules"
#else
#define SECMOD_DB "secmod.db"
#endif
typedef struct NSSInitContextStr NSSInitContext;


@ -1945,7 +1945,7 @@ PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
nssPKIObjectCollection_Destroy(collection);
return SECFailure;
}
(void *)nssTrustDomain_GetCertsFromCache(td, certList);
(void)nssTrustDomain_GetCertsFromCache(td, certList);
transfer_token_certs_to_collection(certList, tok, collection);
instances = nssToken_FindObjects(tok, NULL, CKO_CERTIFICATE,
tokenOnly, 0, &nssrv);


@ -1134,6 +1134,12 @@ SECMOD_LoadModule(char *modulespec,SECMODModule *parent, PRBool recurse)
for (; *index; index++) {
SECMODModule *child;
if (0 == PORT_Strcmp(*index, modulespec)) {
/* avoid trivial infinite recursion */
PORT_SetError(SEC_ERROR_NO_MODULE);
rv = SECFailure;
break;
}
child = SECMOD_LoadModule(*index,module,PR_TRUE);
if (!child) break;
if (child->isCritical && !child->loaded) {
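Review bot: The new guard in SECMOD_LoadModule only stops a child spec that is byte-for-byte equal to the parent's modulespec (`0 == PORT_Strcmp(*index, modulespec)`), so a spec that differs only in spacing, or a cycle through two or more modules, still reaches `SECMOD_LoadModule(*index,module,PR_TRUE)` and recurses without bound. Module specs are presumably read from configuration on disk, so a depth limit carried through the recursion would bound it however the loop is formed. At minimum the comment should state the limit of the check, e.g. `/* only catches direct self-reference; longer cycles are not detected */`. The enclosing loop and the handling of rv after the `break` are outside the hunk.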


@ -360,7 +360,7 @@ notder:
while ( cl >= NS_CERT_TRAILER_LEN ) {
if ( !PORT_Strncasecmp((char *)cp, NS_CERT_TRAILER,
NS_CERT_TRAILER_LEN) ) {
certend = (unsigned char *)cp;
certend = cp;
break;
}
@ -383,7 +383,7 @@ notder:
*certend = 0;
/* convert to binary */
bincert = ATOB_AsciiToData(certbegin, &binLen);
bincert = ATOB_AsciiToData((char *)certbegin, &binLen);
if (!bincert) {
rv = SECFailure;
goto loser;


@ -35,7 +35,7 @@
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: tdcache.c,v $ $Revision: 1.48 $ $Date: 2008/11/19 16:08:05 $";
static const char CVS_ID[] = "@(#) $RCSfile: tdcache.c,v $ $Revision: 1.49 $ $Date: 2010/02/10 02:04:32 $";
#endif /* DEBUG */
#ifndef PKIM_H
@ -499,7 +499,7 @@ nssTrustDomain_UpdateCachedTokenCerts (
PRUint32 count;
certList = nssList_Create(NULL, PR_FALSE);
if (!certList) return PR_FAILURE;
(void *)nssTrustDomain_GetCertsFromCache(td, certList);
(void)nssTrustDomain_GetCertsFromCache(td, certList);
count = nssList_Count(certList);
if (count > 0) {
cached = nss_ZNEWARRAY(NULL, NSSCertificate *, count + 1);


@ -35,7 +35,7 @@
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.60 $ $Date: 2008/10/06 02:56:00 $";
static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.61 $ $Date: 2010/02/10 02:04:32 $";
#endif /* DEBUG */
#ifndef DEV_H
@ -1048,7 +1048,7 @@ NSSTrustDomain_TraverseCertificates (
certList = nssList_Create(NULL, PR_FALSE);
if (!certList)
return NULL;
(void *)nssTrustDomain_GetCertsFromCache(td, certList);
(void)nssTrustDomain_GetCertsFromCache(td, certList);
cached = get_certs_from_list(certList);
collection = nssCertificateCollection_Create(td, cached);
nssCertificateArray_Destroy(cached);


@ -71,11 +71,6 @@ CSRCS += unix_err.c
endif
endif
ifdef USE_SYSTEM_ZLIB
DEFINES += -DNSS_ENABLE_ZLIB
EXTRA_LIBS += $(ZLIB_LIBS)
endif
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #
#######################################################################


@ -43,7 +43,6 @@ ifdef NSS_SURVIVE_DOUBLE_BYPASS_FAILURE
DEFINES += -DNSS_SURVIVE_DOUBLE_BYPASS_FAILURE
endif
# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
EXTRA_LIBS += \
@ -82,7 +81,6 @@ endif # NS_USE_GCC
else
# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
@ -100,3 +98,23 @@ EXTRA_SHARED_LIBS += -lbe
endif
endif
# Mozilla's mozilla/modules/zlib/src/zconf.h adds the MOZ_Z_ prefix to zlib
# exported symbols, which causes problem when NSS is built as part of Mozilla.
# So we add a NSS_ENABLE_ZLIB variable to allow Mozilla to turn this off.
NSS_ENABLE_ZLIB = 1
ifdef NSS_ENABLE_ZLIB
DEFINES += -DNSS_ENABLE_ZLIB
# If a platform has a system zlib, set USE_SYSTEM_ZLIB to 1 and
# ZLIB_LIBS to the linker command-line arguments for the system zlib
# (for example, -lz) in the platform's config file in coreconf.
ifdef USE_SYSTEM_ZLIB
OS_LIBS += $(ZLIB_LIBS)
else
ZLIB_LIBS = $(DIST)/lib/$(LIB_PREFIX)zlib.$(LIB_SUFFIX)
EXTRA_LIBS += $(ZLIB_LIBS)
endif
endif


@ -142,7 +142,9 @@ SSL_CanBypass;
;+NSS_3.12.6 { # NSS 3.12.6 release
;+ global:
SSL_ConfigServerSessionIDCacheWithOpt;
SSL_GetImplementedCiphers;
SSL_GetNegotiatedHostInfo;
SSL_GetNumImplementedCiphers;
SSL_HandshakeNegotiatedExtension;
SSL_ReconfigFD;
SSL_SetTrustAnchors;


@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: ssl.h,v 1.35 2010/02/04 03:21:11 wtc%google.com Exp $ */
/* $Id: ssl.h,v 1.36 2010/02/10 18:07:21 wtc%google.com Exp $ */
#ifndef __ssl_h_
#define __ssl_h_
@ -61,9 +61,15 @@ SEC_BEGIN_PROTOS
/* constant table enumerating all implemented SSL 2 and 3 cipher suites. */
SSL_IMPORT const PRUint16 SSL_ImplementedCiphers[];
/* the same as the above, but is a function */
SSL_IMPORT const PRUint16 *SSL_GetImplementedCiphers(void);
/* number of entries in the above table. */
SSL_IMPORT const PRUint16 SSL_NumImplementedCiphers;
/* the same as the above, but is a function */
SSL_IMPORT PRUint16 SSL_GetNumImplementedCiphers(void);
/* Macro to tell which ciphers in table are SSL2 vs SSL3/TLS. */
#define SSL_IS_SSL2_CIPHER(which) (((which) & 0xfff0) == 0xff00)


@ -39,7 +39,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: sslenum.c,v 1.16 2008/12/17 06:09:19 nelson%bolyard.com Exp $ */
/* $Id: sslenum.c,v 1.17 2010/02/10 18:07:21 wtc%google.com Exp $ */
#include "ssl.h"
#include "sslproto.h"
@ -54,6 +54,9 @@
* such as AES and RC4 to allow servers that prefer Camellia to negotiate
* Camellia without having to disable AES and RC4, which are needed for
* interoperability with clients that don't yet implement Camellia.
*
* If new ECC cipher suites are added, also update the ssl3CipherSuite arrays
* in ssl3ecc.c.
*/
const PRUint16 SSL_ImplementedCiphers[] = {
/* 256-bit */
@ -149,3 +152,14 @@ const PRUint16 SSL_ImplementedCiphers[] = {
const PRUint16 SSL_NumImplementedCiphers =
(sizeof SSL_ImplementedCiphers) / (sizeof SSL_ImplementedCiphers[0]) - 1;
const PRUint16 *
SSL_GetImplementedCiphers(void)
{
return SSL_ImplementedCiphers;
}
PRUint16
SSL_GetNumImplementedCiphers(void)
{
return SSL_NumImplementedCiphers;
}
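Review bot: The two new accessors SSL_GetImplementedCiphers and SSL_GetNumImplementedCiphers carry no comment of their own, and the header hunk on this page only says "the same as the above, but is a function". The count they expose is `(sizeof SSL_ImplementedCiphers) / (sizeof SSL_ImplementedCiphers[0]) - 1`, one less than the array length, which a caller iterating the table needs to know. Suggested comments: `/* Returns a pointer to the SSL_ImplementedCiphers table. */` above the first function and `/* Returns the number of cipher suites in SSL_ImplementedCiphers, not counting the final array element. */` above the second.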


@ -39,7 +39,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: sslimpl.h,v 1.76 2010/02/04 03:08:45 wtc%google.com Exp $ */
/* $Id: sslimpl.h,v 1.77 2010/02/10 00:33:50 wtc%google.com Exp $ */
#ifndef __sslimpl_h_
#define __sslimpl_h_
@ -130,11 +130,7 @@ extern int Debug;
#define SSL_DBG(b)
#endif
#ifdef macintosh
#include "pprthred.h"
#else
#include "private/pprthred.h" /* for PR_InMonitor() */
#endif
#define ssl_InMonitor(m) PZ_InMonitor(m)
#define LSB(x) ((unsigned char) ((x) & 0xff))

Двоичные данные
security/nss/lib/sysinit/nsssysinit Normal file

Двоичный файл не отображается.


@ -36,8 +36,7 @@
#include "seccomon.h"
#include "prio.h"
#include "prprf.h"
#include "plhash.h"
/*
* The following provides a default example for operating systems to set up
@ -52,6 +51,7 @@
*/
#ifdef XP_UNIX
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
@ -110,12 +110,26 @@ getSystemDB(void) {
return PORT_Strdup(NSS_DEFAULT_SYSTEM);
}
static PRBool
userIsRoot()
{
/* this works for linux and all unixes that we know off
though it isn't stated as such in POSIX documentation */
return getuid() == 0;
}
static PRBool
userCanModifySystemDB()
{
return (access(NSS_DEFAULT_SYSTEM, W_OK) == 0);
}
#else
#ifdef XP_WIN
static char *
getUserDB(void)
{
/* use the registry to find the user's NSS_DIR. if no entry exists, creaate
/* use the registry to find the user's NSS_DIR. if no entry exists, create
* one in the users Appdir location */
return NULL;
}
@ -123,13 +137,28 @@ getUserDB(void)
static char *
getSystemDB(void)
{
/* use the registry to find the system's NSS_DIR. if no entry exists, creaate
/* use the registry to find the system's NSS_DIR. if no entry exists, create
* one based on the windows system data area */
return NULL;
}
static PRBool
userIsRoot()
{
/* use the registry to find if the user is the system administrator. */
return PR_FALSE;
}
static PRBool
userCanModifySystemDB()
{
/* use the registry to find if the user has administrative privilege
* to modify the system's nss database. */
return PR_FALSE;
}
#else
#error "Need to write getUserDB and get SystemDB functions"
#error "Need to write getUserDB, SystemDB, userIsRoot, and userCanModifySystemDB functions"
#endif
#endif
@ -184,6 +213,25 @@ getFIPSMode(void)
#define NSS_DEFAULT_FLAGS "flags=readonly"
/* configuration flags according to
* https://developer.mozilla.org/en/PKCS11_Module_Specs
* As stated there the slotParams start with a slot name which is a slotID
* Slots 1 through 3 are reserved for the nss internal modules as follows:
* 1 for crypto operations slot non-fips,
* 2 for the key slot, and
* 3 for the crypto operations slot fips
*/
#define ORDER_FLAGS "trustOrder=75 cipherOrder=100"
#define SLOT_FLAGS \
"[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \
" askpw=any timeout=30 ]"
static const char *nssDefaultFlags =
ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " } ";
static const char *nssDefaultFIPSFlags =
ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " } ";
/*
* This function builds the list of databases and modules to load, and sets
* their configuration. For the sample we have a fixed set.
@ -201,8 +249,10 @@ getFIPSMode(void)
static char **
get_list(char *filename, char *stripped_parameters)
{
char **module_list = PORT_ZNewArray(char *, 4);
char *userdb;
char **module_list = PORT_ZNewArray(char *, 5);
char *userdb, *sysdb;
int isFIPS = getFIPSMode();
const char *nssflags = isFIPS ? nssDefaultFIPSFlags : nssDefaultFlags;
int next = 0;
/* can't get any space */
@ -210,15 +260,19 @@ get_list(char *filename, char *stripped_parameters)
return NULL;
}
userdb = getUserDB();
if (userdb != NULL) {
sysdb = getSystemDB();
userdb = getUserDB();
/* Don't open root's user DB */
if (userdb != NULL && !userIsRoot()) {
/* return a list of databases to open. First the user Database */
module_list[next++] = PR_smprintf(
"library= "
"module=\"NSS User database\" "
"parameters=\"configdir='sql:%s' %s\" "
"NSS=\"flags=internal%s\"",
userdb, stripped_parameters, getFIPSMode() ? ",FIPS" : "");
"parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" "
"NSS=\"%sflags=internal%s\"",
userdb, stripped_parameters, nssflags,
isFIPS ? ",FIPS" : "");
/* now open the user's defined PKCS #11 modules */
/* skip the local user DB entry */
@ -228,19 +282,47 @@ get_list(char *filename, char *stripped_parameters)
"parameters=\"configdir='sql:%s' %s\" "
"NSS=\"flags=internal,moduleDBOnly,defaultModDB,skipFirst\"",
userdb, stripped_parameters);
}
}
/* now the system database (always read only) */
module_list[next++] = PR_smprintf(
"library= "
"module=\"NSS system database\" "
"parameters=\"configdir='sql:%s' tokenDescription='NSS system database' flags=readonly\" "
"NSS=\"flags=internal,critical\"",filename);
#if 0
/* This doesn't actually work. If we register
both this and the sysdb (in either order)
then only one of them actually shows up */
/* Using a NULL filename as a Boolean flag to
* prevent registering both an application-defined
* db and the system db. rhbz #546211.
*/
PORT_Assert(filename);
if (sysdb && PL_CompareStrings(filename, sysdb))
filename = NULL;
else if (userdb && PL_CompareStrings(filename, userdb))
filename = NULL;
if (filename && !userIsRoot()) {
module_list[next++] = PR_smprintf(
"library= "
"module=\"NSS database\" "
"parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
"NSS=\"%sflags=internal\"",filename, filename, nssflags);
}
#endif
/* now the system database (always read only unless it's root) */
if (sysdb) {
const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
module_list[next++] = PR_smprintf(
"library= "
"module=\"NSS system database\" "
"parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
"NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
}
/* that was the last module */
module_list[next] = 0;
PORT_Free(userdb);
PORT_Free(sysdb);
return module_list;
}
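Review bot: Both new Unix privilege checks consult the real user ID only: `userIsRoot()` returns `getuid() == 0`, and `access(NSS_DEFAULT_SYSTEM, W_OK)` in `userCanModifySystemDB()` is likewise evaluated against the real IDs. In a process whose effective UID differs from its real UID, get_list would still add the per-user database and could pick the read-only flag differently from what a later open is actually permitted to do. If the intent of "Don't open root's user DB" is to never touch a per-user database while holding root privilege, `return getuid() == 0 || geteuid() == 0;` expresses that; otherwise a comment stating that the real UID is deliberate would help. The access() result is only a hint at the moment of the call, and it tests NSS_DEFAULT_SYSTEM while get_list opens `sysdb`, which agree only as long as getSystemDB keeps returning that same path.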


@ -95,7 +95,6 @@ CSRCS = \
secoid.c \
sectime.c \
secport.c \
secinit.c \
templates.c \
utf8.c \
$(NULL)


@ -51,11 +51,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.12.6.0 Beta"
#define NSSUTIL_VERSION "3.12.6.0"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 12
#define NSSUTIL_VPATCH 6
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_TRUE
#define NSSUTIL_BETA PR_FALSE
#endif /* __nssutil_h_ */


@ -1,53 +0,0 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#include "nspr.h"
#include "secport.h"
static int sec_inited = 0;
void
SEC_Init(void)
{
/* PR_Init() must be called before SEC_Init() */
#if !defined(SERVER_BUILD)
PORT_Assert(PR_Initialized() == PR_TRUE);
#endif
if (sec_inited)
return;
sec_inited = 1;
}


@ -42,6 +42,26 @@
#include "prenv.h"
#include "plhash.h"
#include "nssrwlk.h"
#include "nssutil.h"
/* Library identity and versioning */
#if defined(DEBUG)
#define _DEBUG_STRING " (debug)"
#else
#define _DEBUG_STRING ""
#endif
/*
* Version information for the 'ident' and 'what commands
*
* NOTE: the first component of the concatenated rcsid string
* must not end in a '$' to prevent rcs keyword substitution.
*/
const char __nss_util_rcsid[] = "$Header: NSS " NSSUTIL_VERSION _DEBUG_STRING
" " __DATE__ " " __TIME__ " $";
const char __nss_util_sccsid[] = "@(#)NSS " NSSUTIL_VERSION _DEBUG_STRING
" " __DATE__ " " __TIME__;
/* MISSI Mosaic Object ID space */
#define USGOV 0x60, 0x86, 0x48, 0x01, 0x65
@ -1861,6 +1881,9 @@ SECOID_Init(void)
const SECOidData *oid;
int i;
char * envVal;
volatile char c; /* force a reference that won't get optimized away */
c = __nss_util_rcsid[0] + __nss_util_sccsid[0];
if (oidhash) {
return SECSuccess; /* already initialized */
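Review bot: The new identification strings embed `__DATE__` and `__TIME__`, so two builds of identical source produce different libraries, which gets in the way of reproducible builds and of checking a shipped binary against its source. Consider leaving the timestamp out of `__nss_util_rcsid` and `__nss_util_sccsid`, or taking it from a value the build system passes in explicitly. Identifiers beginning with a double underscore are also reserved for the implementation in C. In SECOID_Init, `volatile char c` is assigned and never read, which some compilers may still report as set-but-unused. SECOID_Init's body continues outside the hunk.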


@ -426,6 +426,7 @@ run_strsclnt()
"Tstclnt produced a returncode of ${ret} - FAILED"
fi
sleep 20
kill $(jobs -p) 2> /dev/null
}