
Bug 698552: Update to NSS 3.13.2 BETA1 (NSS_3_13_2_BETA1), r=kaie, r=…

…honzab
briansmith committed Dec 1, 2011
1 parent dd40eda commit 050ebaadc01a9df39a2059660cc9a88b4ba71dc2
Showing with 562 additions and 351 deletions.
  1. +1 −0 dbm/src/Makefile.in
  2. +1 −0 security/coreconf/coreconf.dep
  3. +3 −3 security/nss/Makefile
  4. +1 −1 security/nss/TAG-INFO
  5. +1 −1 security/nss/cmd/lib/pppolicy.c
  6. +8 −8 security/nss/cmd/ssltap/ssltap.c
  7. +1 −1 security/nss/lib/certdb/cert.h
  8. +1 −12 security/nss/lib/certdb/certdb.c
  9. +1 −1 security/nss/lib/certdb/certv3.c
  10. +1 −1 security/nss/lib/certdb/polcyxtn.c
  11. +1 −6 security/nss/lib/certhigh/certvfypkix.c
  12. +2 −2 security/nss/lib/ckfw/builtins/certdata.c
  13. +1 −1 security/nss/lib/ckfw/builtins/certdata.txt
  14. +1 −1 security/nss/lib/cryptohi/keyhi.h
  15. +2 −2 security/nss/lib/freebl/blapi.h
  16. +1 −1 security/nss/lib/freebl/jpake.c
  17. +6 −0 security/nss/lib/nss/nss.def
  18. +4 −4 security/nss/lib/nss/nss.h
  19. +28 −1 security/nss/lib/pk11wrap/pk11akey.c
  20. +5 −0 security/nss/lib/pk11wrap/pk11pub.h
  21. +1 −1 security/nss/lib/pkcs7/p7decode.c
  22. +1 −1 security/nss/lib/pkcs7/secpkcs7.h
  23. +1 −5 security/nss/lib/pki/pki3hack.c
  24. +3 −18 security/nss/lib/softoken/jpakesftk.c
  25. +4 −5 security/nss/lib/softoken/legacydb/config.mk
  26. +3 −3 security/nss/lib/softoken/softkver.h
  27. +6 −0 security/nss/lib/ssl/SSLerrs.h
  28. +8 −0 security/nss/lib/ssl/ssl.def
  29. +57 −1 security/nss/lib/ssl/ssl.h
  30. +63 −59 security/nss/lib/ssl/ssl3con.c
  31. +127 −2 security/nss/lib/ssl/ssl3ext.c
  32. +3 −2 security/nss/lib/ssl/ssl3prot.h
  33. +13 −151 security/nss/lib/ssl/sslcon.c
  34. +5 −1 security/nss/lib/ssl/sslerr.h
  35. +17 −10 security/nss/lib/ssl/sslimpl.h
  36. +20 −7 security/nss/lib/ssl/sslsecur.c
  37. +144 −23 security/nss/lib/ssl/sslsock.c
  38. +3 −2 security/nss/lib/ssl/sslt.h
  39. +3 −3 security/nss/lib/util/nssutil.h
  40. +3 −4 security/nss/lib/util/pkcs11n.h
  41. +1 −1 security/nss/lib/util/secder.h
  42. +1 −1 security/nss/lib/util/secoid.h
  43. +5 −5 security/nss/tests/pkits/pkits.sh
@@ -79,6 +79,7 @@ endif # WINNT
LOCAL_INCLUDES = -I$(srcdir)/../include
FORCE_STATIC_LIB = 1
+FORCE_USE_PIC = 1
include $(topsrcdir)/config/rules.mk
@@ -42,3 +42,4 @@
*/
#error "Do not include this header file."
+
@@ -147,10 +147,10 @@ clobber_nspr: $(NSPR_CONFIG_STATUS)
cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; $(MAKE) clobber
build_dbm:
-ifndef NSS_DISABLE_DBM
- cd $(CORE_DEPTH)/dbm ; $(MAKE) export libs
+ifdef NSS_DISABLE_DBM
+ @echo "skipping the build of DBM"
else
- echo "skipping the build of DBM"
+ cd $(CORE_DEPTH)/dbm ; $(MAKE) export libs
endif
clobber_dbm:
@@ -1 +1 @@
-NSS_3_13_1_RTM
+NSS_3_13_2_BETA1
@@ -37,7 +37,7 @@
/*
* Support for various policy related extensions
*
- * $Id: pppolicy.c,v 1.3 2005/02/22 20:02:22 wtchang%redhat.com Exp $
+ * $Id: pppolicy.c,v 1.5 2011/11/16 19:12:30 kaie%kuix.de Exp $
*/
#include "seccomon.h"
@@ -66,7 +66,7 @@
#include "cert.h"
#include "sslproto.h"
-#define VERSIONSTRING "$Revision: 1.19 $ ($Date: 2010/02/16 18:56:47 $) $Author: wtc%google.com $"
+#define VERSIONSTRING "$Revision: 1.20 $ ($Date: 2011/11/05 23:09:28 $) $Author: wtc%google.com $"
struct _DataBufferList;
@@ -1516,11 +1516,11 @@ int main(int argc, char *argv[])
{
char *hostname=NULL;
PRUint16 rendport=DEFPORT,port;
- PRHostEnt hp;
+ PRAddrInfo *ai;
+ void *iter;
PRStatus r;
PRNetAddr na_client,na_server,na_rend;
PRFileDesc *s_server,*s_client,*s_rend; /*rendezvous */
- char netdbbuf[PR_NETDB_BUF_SIZE];
int c_count=0;
PLOptState *optstate;
PLOptStatus status;
@@ -1591,14 +1591,14 @@ int main(int argc, char *argv[])
PR_fprintf(PR_STDOUT,"<BODY><PRE>\n");
}
PR_fprintf(PR_STDERR,"Looking up \"%s\"...\n", hostname);
- r = PR_GetHostByName(hostname,netdbbuf,PR_NETDB_BUF_SIZE,&hp);
- if (r) {
+ ai = PR_GetAddrInfoByName(hostname, PR_AF_UNSPEC, PR_AI_ADDRCONFIG);
+ if (!ai) {
showErr("Host Name lookup failed\n");
exit(5);
}
- PR_EnumerateHostEnt(0,&hp,0,&na_server);
- PR_InitializeNetAddr(PR_IpAddrNull,port,&na_server);
+ iter = NULL;
+ iter = PR_EnumerateAddrInfo(iter, ai, port, &na_server);
/* set up the port which the client will connect to */
r = PR_InitializeNetAddr(PR_IpAddrAny,rendport,&na_rend);
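Review bot: The value returned by `PR_EnumerateAddrInfo` is stored in `iter` but never tested, so if the enumeration yields no usable address, `na_server` is left unset as far as these hunks show. It is still used afterwards, including by `PR_OpenTCPSocket(na_server.raw.family)` in the later hunk. Add a check right after the call, for example `if (!iter) { showErr("Host Name lookup failed\n"); exit(5); }`. No `PR_FreeAddrInfo(ai)` is visible in these hunks either; main() continues outside them, so confirm the lookup result is released once `na_server` has been filled in.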
@@ -1641,7 +1641,7 @@ int main(int argc, char *argv[])
exit(7);
}
- s_server = PR_NewTCPSocket();
+ s_server = PR_OpenTCPSocket(na_server.raw.family);
if (s_server == NULL) {
showErr("couldn't open new socket to connect to server \n");
exit(8);
@@ -37,7 +37,7 @@
/*
* cert.h - public data structures and prototypes for the certificate library
*
- * $Id: cert.h,v 1.86 2011/07/24 13:48:09 wtc%google.com Exp $
+ * $Id: cert.h,v 1.88 2011/11/16 19:12:32 kaie%kuix.de Exp $
*/
#ifndef _CERT_H_
@@ -39,7 +39,7 @@
/*
* Certificate handling code
*
- * $Id: certdb.c,v 1.116 2011/08/05 01:13:14 wtc%google.com Exp $
+ * $Id: certdb.c,v 1.120 2011/11/17 00:20:20 bsmith%mozilla.com Exp $
*/
#include "nssilock.h"
@@ -596,17 +596,6 @@ cert_ComputeCertType(CERTCertificate *cert)
nsCertType |= NS_CERT_TYPE_SSL_SERVER;
}
}
- /* Treat certs with step-up OID as also having SSL server type. */
- if (findOIDinOIDSeqByTagNum(extKeyUsage,
- SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) ==
- SECSuccess){
- if (basicConstraintPresent == PR_TRUE &&
- (basicConstraint.isCA)) {
- nsCertType |= NS_CERT_TYPE_SSL_CA;
- } else {
- nsCertType |= NS_CERT_TYPE_SSL_SERVER;
- }
- }
if (findOIDinOIDSeqByTagNum(extKeyUsage,
SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) ==
SECSuccess){
@@ -37,7 +37,7 @@
/*
* Code for dealing with X509.V3 extensions.
*
- * $Id: certv3.c,v 1.10 2007/10/12 01:44:40 julien.pierre.boogz%sun.com Exp $
+ * $Id: certv3.c,v 1.12 2011/11/16 19:12:32 kaie%kuix.de Exp $
*/
#include "cert.h"
@@ -37,7 +37,7 @@
/*
* Support for various policy related extensions
*
- * $Id: polcyxtn.c,v 1.11 2008/02/13 04:03:19 julien.pierre.boogz%sun.com Exp $
+ * $Id: polcyxtn.c,v 1.13 2011/11/16 19:12:32 kaie%kuix.de Exp $
*/
#include "seccomon.h"
@@ -225,9 +225,6 @@ typedef struct {
const SECCertUsageToEku certUsageEkuStringMap[] = {
{certUsageSSLClient, ekuIndexSSLClient},
{certUsageSSLServer, ekuIndexSSLServer},
- {certUsageSSLServerWithStepUp, ekuIndexSSLServer}, /* need to add oids to
- * the list of eku.
- * see 390381*/
{certUsageSSLCA, ekuIndexSSLServer},
{certUsageEmailSigner, ekuIndexEmail},
{certUsageEmailRecipient, ekuIndexEmail},
@@ -239,8 +236,6 @@ const SECCertUsageToEku certUsageEkuStringMap[] = {
{certUsageAnyCA, ekuIndexUnknown},
};
-#define CERT_USAGE_EKU_STRING_MAPS_TOTAL 12
-
/*
* FUNCTION: cert_NssCertificateUsageToPkixKUAndEKU
* DESCRIPTION:
@@ -292,7 +287,7 @@ cert_NssCertificateUsageToPkixKUAndEKU(
PKIX_List_Create(&ekuOidsList, plContext),
PKIX_LISTCREATEFAILED);
- for (;i < CERT_USAGE_EKU_STRING_MAPS_TOTAL;i++) {
+ for (;i < PR_ARRAY_SIZE(certUsageEkuStringMap);i++) {
const SECCertUsageToEku *usageToEkuElem =
&certUsageEkuStringMap[i];
if (usageToEkuElem->certUsage == requiredCertUsage) {
@@ -35,7 +35,7 @@
*
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.79 $ $Date: 2011/09/02 19:40:56 $""; @(#) $RCSfile: certdata.perl,v $ $Revision: 1.13 $ $Date: 2010/03/26 22:06:47 $";
+static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.83 $ $Date: 2011/11/03 15:11:57 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.83 $ $Date: 2011/11/03 15:11:57 $";
#endif /* DEBUG */
#ifndef BUILTINS_H
@@ -1095,7 +1095,7 @@ static const NSSItem nss_builtins_items_0 [] = {
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"CVS ID", (PRUint32)7 },
{ (void *)"NSS", (PRUint32)4 },
- { (void *)"@(#) $RCSfile: certdata.txt,v $ $Revision: 1.79 $ $Date: 2011/09/02 19:40:56 $""; @(#) $RCSfile: certdata.perl,v $ $Revision: 1.13 $ $Date: 2010/03/26 22:06:47 $", (PRUint32)160 }
+ { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.83 $ $Date: 2011/11/03 15:11:57 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.83 $ $Date: 2011/11/03 15:11:57 $", (PRUint32)160 }
};
#endif /* DEBUG */
static const NSSItem nss_builtins_items_1 [] = {
@@ -34,7 +34,7 @@
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
-CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.79 $ $Date: 2011/09/02 19:40:56 $"
+CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.80 $ $Date: 2011/11/03 15:11:58 $"
#
# certdata.txt
@@ -35,7 +35,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: keyhi.h,v 1.18 2011/07/24 13:48:12 wtc%google.com Exp $ */
+/* $Id: keyhi.h,v 1.20 2011/11/16 19:12:33 kaie%kuix.de Exp $ */
#ifndef _KEYHI_H_
#define _KEYHI_H_
@@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: blapi.h,v 1.42 2011/10/04 22:05:53 wtc%google.com Exp $ */
+/* $Id: blapi.h,v 1.43 2011/10/29 23:28:45 wtc%google.com Exp $ */
#ifndef _BLAPI_H_
#define _BLAPI_H_
@@ -273,7 +273,7 @@ JPAKE_Sign(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
* The arena is *not* optional so do not pass NULL for the arena parameter.
*/
SECStatus
-JPAKE_Verify(PRArenaPool * arena, const PQGParams * pqg,
+JPAKE_Verify(PLArenaPool * arena, const PQGParams * pqg,
HASH_HashType hashType, const SECItem * signerID,
const SECItem * peerID, const SECItem * gx,
const SECItem * gv, const SECItem * r);
@@ -222,7 +222,7 @@ JPAKE_Sign(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
/* Verify a Schnorr signature generated by the peer in round 1 or round 2. */
SECStatus
-JPAKE_Verify(PRArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
+JPAKE_Verify(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
const SECItem * signerID, const SECItem * peerID,
const SECItem * gx, const SECItem * gv, const SECItem * r)
{
@@ -1028,3 +1028,9 @@ NSS_GetVersion;
;+ local:
;+ *;
;+};
+;+NSS_3.13.2 { # NSS 3.13.2 release
+;+ global:
+PK11_ImportEncryptedPrivateKeyInfoAndReturnKey;
+;+ local:
+;+ *;
+;+};
@@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: nss.h,v 1.86 2011/10/27 19:29:44 kaie%kuix.de Exp $ */
+/* $Id: nss.h,v 1.87 2011/10/27 19:39:00 kaie%kuix.de Exp $ */
#ifndef __nss_h_
#define __nss_h_
@@ -66,12 +66,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define NSS_VERSION "3.13.1.0" _NSS_ECC_STRING _NSS_CUSTOMIZED
+#define NSS_VERSION "3.13.2.0" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
#define NSS_VMAJOR 3
#define NSS_VMINOR 13
-#define NSS_VPATCH 1
+#define NSS_VPATCH 2
#define NSS_VBUILD 0
-#define NSS_BETA PR_FALSE
+#define NSS_BETA PR_TRUE
#ifndef RC_INVOKED
@@ -1574,12 +1574,35 @@ PK11_MakeKEAPubKey(unsigned char *keyData,int length)
return pubk;
}
+/*
+ * NOTE: This function doesn't return a SECKEYPrivateKey struct to represent
+ * the new private key object. If it were to create a session object that
+ * could later be looked up by its nickname, it would leak a SECKEYPrivateKey.
+ * So isPerm must be true.
+ */
SECStatus
PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
SECItem *nickname, SECItem *publicValue, PRBool isPerm,
PRBool isPrivate, KeyType keyType,
unsigned int keyUsage, void *wincx)
+{
+ if (!isPerm) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ return PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(slot, epki,
+ pwitem, nickname, publicValue, isPerm, isPrivate, keyType,
+ keyUsage, NULL, wincx);
+}
+
+SECStatus
+PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
+ SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
+ SECItem *nickname, SECItem *publicValue, PRBool isPerm,
+ PRBool isPrivate, KeyType keyType,
+ unsigned int keyUsage, SECKEYPrivateKey **privk,
+ void *wincx)
{
CK_MECHANISM_TYPE pbeMechType;
SECItem *crypto_param = NULL;
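Review bot: The `isPerm` guard sits only in the old wrapper, so the newly exported `PK11_ImportEncryptedPrivateKeyInfoAndReturnKey` still accepts `isPerm == PR_FALSE` together with `privk == NULL`, which is the combination the comment above the wrapper rules out. Consider enforcing it in the new function as well, with `if (!isPerm && !privk) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }`, so direct callers get the same protection. The new function also has no header comment; it should say that `privk` is optional and that a key returned through it is owned by the caller. Existing callers of `PK11_ImportEncryptedPrivateKeyInfo` that passed `isPerm` as false will now fail with `SEC_ERROR_INVALID_ARGS`, which is a behaviour change worth calling out for API consumers. The function body continues outside this hunk.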
@@ -1676,7 +1699,11 @@ PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
nickname, publicValue, isPerm, isPrivate,
key_type, usage, usageCount, wincx);
if(privKey) {
- SECKEY_DestroyPrivateKey(privKey);
+ if (privk) {
+ *privk = privKey;
+ } else {
+ SECKEY_DestroyPrivateKey(privKey);
+ }
privKey = NULL;
rv = SECSuccess;
goto done;
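Review bot: `*privk` is assigned only on this success path, so on a failure return the caller's pointer keeps whatever value it had, as far as the visible lines show. Adding `if (privk) *privk = NULL;` at the top of the function would let callers test the pointer in their cleanup code instead of reading an uninitialised value. A short comment on the declaration should also state that the caller must release the returned key with `SECKEY_DestroyPrivateKey`. The rest of the function, including the `done:` label, is outside this hunk.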
@@ -571,6 +571,11 @@ SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
SECItem *nickname, SECItem *publicValue, PRBool isPerm,
PRBool isPrivate, KeyType type,
unsigned int usage, void *wincx);
+SECStatus PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
+ SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
+ SECItem *nickname, SECItem *publicValue, PRBool isPerm,
+ PRBool isPrivate, KeyType type,
+ unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
SECKEYPrivateKeyInfo *PK11_ExportPrivateKeyInfo(
CERTCertificate *cert, void *wincx);
SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivKeyInfo(
@@ -38,7 +38,7 @@
/*
* PKCS7 decoding, verification.
*
- * $Id: p7decode.c,v 1.26 2011/08/21 01:14:17 wtc%google.com Exp $
+ * $Id: p7decode.c,v 1.28 2011/11/16 19:12:34 kaie%kuix.de Exp $
*/
#include "p7local.h"
@@ -37,7 +37,7 @@
/*
* Interface to the PKCS7 implementation.
*
- * $Id: secpkcs7.h,v 1.6 2008/06/14 14:20:25 wtc%google.com Exp $
+ * $Id: secpkcs7.h,v 1.8 2011/11/16 19:12:34 kaie%kuix.de Exp $
*/
#ifndef _SECPKCS7_H_
@@ -35,7 +35,7 @@
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.102 $ $Date: 2011/04/13 00:10:26 $";
+static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.105 $ $Date: 2011/11/17 00:20:21 $";
#endif /* DEBUG */
/*
@@ -592,10 +592,6 @@ cert_trust_from_stan_trust(NSSTrust *t, PRArenaPool *arena)
rvTrust->sslFlags |= client;
rvTrust->emailFlags = get_nss3trust_from_nss4trust(t->emailProtection);
rvTrust->objectSigningFlags = get_nss3trust_from_nss4trust(t->codeSigning);
- /* The cert is a valid step-up cert (in addition to/lieu of trust above */
- if (t->stepUpApproved) {
- rvTrust->sslFlags |= CERTDB_GOVT_APPROVED_CA;
- }
return rvTrust;
}