returned by PK11_ListCerts. Instead of allocating them from the heap first
and copying to the arena, allocate them from the arena directly. r=jpierre
Modified Files: certhigh.c pk11cert.c pki3hack.h pki3hack.c
has changed to mean a different thing (the standard GCC meaning, rather
than Apple's earlier hacks). The patch is contributed by Brian Ryner
<bryner@brianryner.com>.
2. Specify the standard AIX libpath, otherwise the directories we pass to
the -L linker flags get added to the libpath. 3. Support building on AIX
5.2. The patch is contributed by Philip K. Warren <pkw@us.ibm.com>. r=wtc.
Modified Files: AIX.mk AIX4.2.mk AIX4.3.mk AIX5.1.mk
Added Files: AIX5.2.mk
during CryptoManager.initialize(), before we add JSS as a provider. The
KeyType class was failing to load properly, because its static initializers
force the class load of KeyWrapAlgorithm, whose signature needed to be
verified, which invoked JSS's signature provider, which accessed KeyType.
Basically, installing JSS as the default signature provider before its
classes have loaded creates a possibility of circular dependencies in class
initialization. The patch is due to Jamie Nicolson. r=wtc.
Modified Files: CryptoManager.java pkcs11/KeyType.java
The fix restores some old code that was removed as part of our
performance work (Bugzilla bug 145322). Thus, there may be a
slight performance hit, but obviously, we need to have correct
code first.
This is a part of the code I really don't like. To summarize,
there was a hack put in a long time ago to make sure that the
PKCS#11 session in which the SSL keys are generated was never
closed until the last key was deleted. This only worked by chance,
and if any part of the code was changed (as was the case here), this
unstable equilibrium would be lost. As with all hacks, it wasn't
really documented, so the problem escaped our notice. As a result of
putting the hack back in, we're going back to the horribly wasteful
operation of opening 4 sessions and immediately closing them. I intend
to have a proper solution in a later release.
counts. The reference count should not be read "naked". Instead, we
should simply use the return value of PR_AtomicDecrement for the result of
the decrement.
Modified Files: dev/devmod.c dev/devslot.c dev/devtoken.c pki/certificate.c
pki/pkibase.c
Merge script principal implementations into one class.
Should reduce footprint, speed up calls to caps a little bit, and fix several memory leaks.
Also fixes bugs 211174 and 211263
r=jst@netscape.com sr=bzbarsky@mit.edu moa=mstoltz@netscape.com (he looked at an earlier patch and said it looked fine, and will do a retroactive review when he returns from vacation as well)
right way. The basename function that we were using only works when
$(OS_RELEASE) has exactly three components. The patch is contributed by
Ed Catmur <ed@catmur.co.uk>. r=wtc.
add an ok button which can be used to dismiss the window, inherit the ok/help buttons from the dialog
overlay.
Add spacing between the tree control and the edit / delete buttons underneath the tree control.
r=kaie
sr=sspitzer
DB causes NSS_Shutdown to fail. Two files were changed. 1. crl.c: we
should not obtain a slot reference because PK11_FindCrlByName already
obtained a slot reference. 2. pk11cert.c: cleaned up code and fixed a slot
reference leak if the SECITEM_AllocItem call fails. r=nelsonb.
the adoption of session is not thread safe. This eliminates most of the
saving of sessions, but we must be correct first, and then optimize.
r=nicolson,nelsonb.
Modified Files: pk11func.h pk11skey.c
Change loops over RDNs and AVAs to detect NULL pointers.
Change list of attribute type "keywords" to match RFCs and internet
drafts.
Quote attribute values strings that contain adjacent embedded blanks.
Don't quote hex string values.
Always use hex string values when type OID is unrecognized.
because it is a private function. Change the interface for this
function so that it returns a SECStatus, unambiguously indicating the
success or failure of the name constraints test. The function no
longer takes a list of cert subject names, instead, it takes a list
of cert pointers, and optionally outputs one of those pointers when
an error occurs. This eliminates a cert reference leak.
time when the list of cert names is being built and builds a GeneralName
out of it, just as if the rfc822 name had come from a subject alt name
extension. This way, no special handling is needed of either directory
names or rfc822 names in the name constraints code. The special "phase 1"
loop in cert_CompareNameWithConstraints disappears completely. And all
the cases in the (former phase 2) loop can now simply assert that the
name's type matches the constraint's type exactly.
This patch also factors out the code that creates new CERTGeneralNames and
that copies a single CERTGeneralName into new separate functions. This
eliminates a lot of duplicated code whose correctness required lengthy
inspection. Now these primitive operations are centralized.
UTF-8 in all XUL files to make them to be genuinely encoded in UTF-8. All the
changes are in comments so that this shouldn't affect anything at run-time.
(r=hwaara)
statements that repeat code for every case. This patch factors out that
common code from the cases, making the switches much smaller and reducing
bloat.
and releases space in the arenas, so the arenas just grow and grow
until the test is completely over. This patch adds comments showing
where mark and release calls could (and probably should) be added.
It also changes CERT_CopyGeneralName to have only two exit paths,
two return statements, in preparation for the eventual use of mark and
release.
b) change all PORT_*Alloc calls that allocate new structs or arrays of
same to use the PORT_*New* macros instead.
c) ifdef out some dead functions that are rife with failure to detect
allocation failures.
to genname.h, and eliminate declarations from cert.h that were also
in genname.h. If we ever decide to make any of these functions public,
we can move their declarations back to cert.h.
Rewrite CERT_CompareAVA to compare the type OIDs first, and then if
the values are not of the same encoding, convert them before comparing.
Also, do comparisons of printableString encoding properly. Bug 208649.
PA-RISC executable calls getcwd() in a network-mounted directory, it fails
with ENOENT. Since nsinstall calls getcwd(), this breaks our 64-bit HP-UX
nightly builds. We worked around this problem by building nsinstall as a
32-bit PA-RISC executable for 64-bit PA-RISC builds. This checkin added a
new make variable INTERNAL_TOOLS which can be set in makefiles whose target
is a tool used only during the build. Such a tool can be built differently
from NSS proper as long as the tool runs on the build machine.
Modified Files: HP-UXB.11.mk nsinstall/Makefile
1. It uses two new symbols SSOCK_FD and STDIN_FD instead of 0 and 1 to
reference members of the poll set array. I just could never remember whether
pollset[0] was the socket or was stdin. Now I don't have to remember.
This changes a lot of lines, but is very simple.
2. It implements a new flag clientSpeaksFirst, set with the -f option.
The only effect of this flag is whether the value of
pollset[SSOCK_FD].in_flags is initially zero (if true) or PR_POLL_READ (if false). Note that pollset[SSOCK_FD].in_flags is set to PR_POLL_READ after
each successful write to the socket.
unix_rand.c, and win_rand.c. 2. Make secrng.h and pqgutil.h private.
3. Public header pk11pqg.h can't include private header pqgutil.h.
4. Many files don't need to include secrng.h. A few don't need to include
pqgutil.h. 5. Remove duplicate declarations of PQG_DestroyParams and
PQG_DestroyVerify from blapi.h.
client auth and SSL3 client doesn't authenticate. The fix is to coalesce
the SSL3 no_certificate alert record with the following records (e.g.
client_key_exchange handshake, change_cipher_spec and finished handshake).
Fix bugs 207313 and 118668.
Both selfserv and strsclnt no longer OptimizeSpace. Moved SECMOD_DB
defines from nssinit.c to nss.h, make it available for public use with
NSS_Initialize().
client does not supply it, so that the client actually will NOT supply
it. Previously, the client was supplying client auth in all these tests,
and the https requests were completing successfully, when they should have
been failing. Bug 207398.
disabling SSL3 and TLS respectively. With this change, the QA stress
tests that say they're testing SSL3 or TLS can finally test what they
claim they are testing.