Hello community,
here is the log from the commit of package mozilla-nss
checked in at Sun Aug 6 21:56:12 CEST 2006.
--------
--- GNOME/mozilla-nss/mozilla-nss.changes 2006-08-01 09:13:00.000000000 +0200
+++ mozilla-nss/mozilla-nss.changes 2006-08-05 09:51:30.000000000 +0200
@@ -1,0 +2,6 @@
+Sat Aug 5 09:50:47 CEST 2006 - stark@suse.de
+
+- update to NSS_3_11_20060731_TAG to be in sync with
+ Gecko 1.8.1
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mozilla-nss.spec ++++++
--- /var/tmp/diff_new_pack.4Ct9Ya/_old 2006-08-06 21:55:52.000000000 +0200
+++ /var/tmp/diff_new_pack.4Ct9Ya/_new 2006-08-06 21:55:52.000000000 +0200
@@ -14,7 +14,7 @@
BuildRequires: gcc-c++ mozilla-nspr-devel
License: MPL, GPL
Version: 3.11.2
-Release: 3
+Release: 4
Summary: Network (Netscape) Security Services
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System/Libraries
@@ -173,6 +173,9 @@
%exclude %{_bindir}/nss-config
%changelog -n mozilla-nss
+* Sat Aug 05 2006 - stark@suse.de
+- update to NSS_3_11_20060731_TAG to be in sync with
+ Gecko 1.8.1
* Fri Jul 28 2006 - stark@suse.de
- fixed usage of uninitialized pointers (uninit.patch)
- requires NSPR 4.6.2
++++++ nss-3.11.2.tar.bz2 ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/cmd/lib/secutil.c new/nss-3.11.2/mozilla/security/nss/cmd/lib/secutil.c
--- old/nss-3.11.2/mozilla/security/nss/cmd/lib/secutil.c 2006-05-15 15:19:06.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/cmd/lib/secutil.c 2006-08-05 09:13:29.000000000 +0200
@@ -3012,25 +3012,6 @@
}
-
-SECItem *
-SECU_GetPBEPassword(void *arg)
-{
- char *p = NULL;
- SECItem *pwitem = NULL;
-
- p = SECU_GetPasswordString(arg,"Password: ");
-
- /* NOTE: This function is obviously unfinished. */
-
- if ( pwitem == NULL ) {
- fprintf(stderr, "Error hashing password\n");
- return NULL;
- }
-
- return pwitem;
-}
-
SECStatus
SECU_ParseCommandLine(int argc, char **argv, char *progName, secuCommand *cmd)
{
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/cmd/lib/secutil.h new/nss-3.11.2/mozilla/security/nss/cmd/lib/secutil.h
--- old/nss-3.11.2/mozilla/security/nss/cmd/lib/secutil.h 2005-05-09 09:31:44.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/cmd/lib/secutil.h 2006-08-05 09:13:29.000000000 +0200
@@ -289,8 +289,6 @@
extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
#endif
-extern SECItem *SECU_GetPBEPassword(void *arg);
-
extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/cmd/ssltap/ssltap.c new/nss-3.11.2/mozilla/security/nss/cmd/ssltap/ssltap.c
--- old/nss-3.11.2/mozilla/security/nss/cmd/ssltap/ssltap.c 2006-05-15 15:19:06.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/cmd/ssltap/ssltap.c 2006-08-05 09:13:29.000000000 +0200
@@ -62,8 +62,10 @@
#include
#include "plgetopt.h"
+#include "nss.h"
+#include "cert.h"
-#define VERSIONSTRING "$Revision: 1.7.2.1 $ ($Date: 2006/04/24 04:10:57 $) $Author: nelson%bolyard.com $"
+#define VERSIONSTRING "$Revision: 1.7.2.2 $ ($Date: 2006/07/19 01:18:33 $) $Author: nelson%bolyard.com $"
struct _DataBufferList;
@@ -664,7 +666,37 @@
-
+unsigned int print_hello_extension(unsigned char * hsdata,
+ unsigned int length,
+ unsigned int pos)
+{
+ /* pretty print extensions, if any */
+ if (pos < length) {
+ int exListLen = GET_SHORT((hsdata+pos)); pos += 2;
+ PR_fprintf(PR_STDOUT,
+ " extensions[%d] = {\n", exListLen);
+ while (exListLen > 0 && pos < length) {
+ int exLen;
+ int exType = GET_SHORT((hsdata+pos)); pos += 2;
+ exLen = GET_SHORT((hsdata+pos)); pos += 2;
+ /* dump the extension */
+ PR_fprintf(PR_STDOUT,
+ " extension type %s, length [%d]",
+ helloExtensionNameString(exType), exLen);
+ if (exLen > 0) {
+ PR_fprintf(PR_STDOUT, " = {\n");
+ print_hex(exLen, hsdata + pos);
+ PR_fprintf(PR_STDOUT, " }\n");
+ } else {
+ PR_fprintf(PR_STDOUT, "\n");
+ }
+ pos += exLen;
+ exListLen -= 2 + exLen;
+ }
+ PR_fprintf(PR_STDOUT," }\n");
+ }
+ return pos;
+}
void print_ssl3_handshake(unsigned char *tbuf,
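Review bot: In `print_hello_extension`, `exListLen`, `exType` and `exLen` are read from the captured handshake with `GET_SHORT` without checking that the bytes are still inside `length`, and `print_hex(exLen, hsdata + pos)` then dumps `exLen` bytes even when the extension claims to run past the end of the message. Since ssltap parses whatever traffic passes through it, a truncated or malformed hello can make this read beyond the handshake buffer. Stopping when fewer than four bytes remain, `if (length - pos < 4) break;`, and clamping the dump, `if ((unsigned int)exLen > length - pos) exLen = length - pos;`, would bound it; the initial two-byte list-length read needs the same kind of check, because `pos < length` leaves room for only one byte. The CertificateRequest hunk at -895 has the same pattern: `reqLength` and `dnLen` are used unchecked, and `dnLen` is passed on as `it.len` to `CERT_DerNameToAscii`.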
@@ -702,6 +734,8 @@
PR_fprintf(PR_STDOUT," length = %d (0x%06x)\n",sslh.length,sslh.length);
switch (sslh.type) {
+ case 0: /* hello_request */ /* not much to show here. */ break;
+
case 1: /* client hello */
switch (sr->ver_maj) {
case 3: /* ssl version 3 */
@@ -760,26 +794,7 @@
}
/* pretty print extensions, if any */
- if (pos < sslh.length) {
- int exListLen = GET_SHORT((hsdata+pos)); pos += 2;
- PR_fprintf(PR_STDOUT,
- " extensions[%d] = {\n", exListLen);
- while (exListLen > 0 && pos < sslh.length) {
- int exLen;
- int exType = GET_SHORT((hsdata+pos)); pos += 2;
- exLen = GET_SHORT((hsdata+pos)); pos += 2;
- /* dump the extension */
- PR_fprintf(PR_STDOUT,
- " extension type %s, length [%d] = {\n",
- helloExtensionNameString(exType), exLen);
- print_hex(exLen, hsdata + pos);
- PR_fprintf(PR_STDOUT,
- " }\n");
- pos += exLen;
- exListLen -= 2 + exLen;
- }
- PR_fprintf(PR_STDOUT," }\n");
- }
+ pos = print_hello_extension(hsdata, sslh.length, pos);
PR_fprintf(PR_STDOUT," }\n");
} /* end of ssl version 3 */
@@ -822,33 +837,12 @@
hsdata[pos++]);
/* pretty print extensions, if any */
- if (pos < sslh.length) {
- int exListLen = GET_SHORT((hsdata+pos)); pos += 2;
- PR_fprintf(PR_STDOUT,
- " extensions[%d] = {\n", exListLen);
- while (exListLen > 0 && pos < sslh.length) {
- int exLen;
- int exType = GET_SHORT((hsdata+pos)); pos += 2;
- exLen = GET_SHORT((hsdata+pos)); pos += 2;
- /* dump the extension */
- PR_fprintf(PR_STDOUT,
- " extension type %s, length [%d] = {\n",
- helloExtensionNameString(exType), exLen);
- print_hex(exLen, hsdata + pos);
- PR_fprintf(PR_STDOUT,
- " }\n");
- pos += exLen;
- exListLen -= 2 + exLen;
- }
- PR_fprintf(PR_STDOUT," }\n");
- }
+ pos = print_hello_extension(hsdata, sslh.length, pos);
PR_fprintf(PR_STDOUT," }\n");
}
break;
-
-
case 11: /* certificate */
{
PRFileDesc *cfd;
@@ -895,14 +889,73 @@
}
break;
+ case 12: /* server_key_exchange */
+ if (sslhexparse) print_hex(sslh.length, hsdata);
+ break;
+
case 13: /* certificate request */
- if (sslhexparse) {
+ {
+ unsigned int pos = 0;
+ int w, reqLength;
+
PR_fprintf(PR_STDOUT," CertificateRequest {\n");
- print_hex(sslh.length, hsdata);
+
+ /* pretty print requested certificate types */
+ reqLength = hsdata[pos];
+ PR_fprintf(PR_STDOUT," certificate types[%d] = {",
+ reqLength);
+ for (w=0; w < reqLength; w++) {
+ PR_fprintf(PR_STDOUT, " %02x", hsdata[pos+1+w]);
+ }
+ pos += 1 + reqLength;
+ PR_fprintf(PR_STDOUT," }\n");
+
+ /* pretty print CA names, if any */
+ if (pos < sslh.length) {
+ int exListLen = GET_SHORT((hsdata+pos)); pos += 2;
+ PR_fprintf(PR_STDOUT,
+ " certificate_authorities[%d] = {\n",
+ exListLen);
+ while (exListLen > 0 && pos < sslh.length) {
+ char * ca_name;
+ SECItem it;
+ int dnLen = GET_SHORT((hsdata+pos)); pos += 2;
+
+ /* dump the CA name */
+ it.type = siBuffer;
+ it.data = hsdata + pos;
+ it.len = dnLen;
+ ca_name = CERT_DerNameToAscii(&it);
+ if (ca_name) {
+ PR_fprintf(PR_STDOUT," %s\n", ca_name);
+ PORT_Free(ca_name);
+ } else {
+ PR_fprintf(PR_STDOUT,
+ " distinguished name [%d]", dnLen);
+ if (dnLen > 0 && sslhexparse) {
+ PR_fprintf(PR_STDOUT, " = {\n");
+ print_hex(dnLen, hsdata + pos);
+ PR_fprintf(PR_STDOUT, " }\n");
+ } else {
+ PR_fprintf(PR_STDOUT, "\n");
+ }
+ }
+ pos += dnLen;
+ exListLen -= 2 + dnLen;
+ }
+ PR_fprintf(PR_STDOUT," }\n");
+ }
+
PR_fprintf(PR_STDOUT," }\n");
}
break;
+ case 14: /* server_hello_done */ /* not much to show here. */ break;
+
+ case 15: /* certificate_verify */
+ if (sslhexparse) print_hex(sslh.length, hsdata);
+ break;
+
case 16: /* client key exchange */
{
PR_fprintf(PR_STDOUT," ClientKeyExchange {\n");
@@ -911,6 +964,18 @@
}
break;
+ case 20: /* finished */
+ if (sslhexparse) print_hex(sslh.length, hsdata);
+ break;
+
+ default:
+ {
+ PR_fprintf(PR_STDOUT," UNKNOWN MESSAGE TYPE %d [%d] {\n",
+ sslh.type, sslh.length);
+ if (sslhexparse) print_hex(sslh.length, hsdata);
+ PR_fprintf(PR_STDOUT," }\n");
+
+ }
} /* end of switch sslh.type */
offset += sslh.length + 4; /* +4 because of length (3 bytes) and type (1 byte) */
} /* while */
@@ -1267,6 +1332,7 @@
int c_count=0;
PLOptState *optstate;
PLOptStatus status;
+ SECStatus rv;
optstate = PL_CreateOptState(argc,argv,"fvxhslp:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
@@ -1349,6 +1415,12 @@
exit(0);
}
+ rv = NSS_NoDB_Init("");
+ if (rv != SECSuccess) {
+ PR_fprintf(PR_STDERR,
+ "NSS_NoDB_Init() failed with error %d\n",PR_GetError());
+ exit(5);
+ }
s_rend = PR_NewTCPSocket();
if (!s_rend) {
@@ -1533,5 +1605,6 @@
get_time_string() );
} while (looparound); /* accept connection and process it. */
PR_Close(s_rend);
+ NSS_Shutdown();
return 0;
}
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/base/arena.c new/nss-3.11.2/mozilla/security/nss/lib/base/arena.c
--- old/nss-3.11.2/mozilla/security/nss/lib/base/arena.c 2005-03-19 13:35:32.000000000 +0100
+++ new/nss-3.11.2/mozilla/security/nss/lib/base/arena.c 2006-08-05 09:13:29.000000000 +0200
@@ -35,7 +35,7 @@
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: arena.c,v $ $Revision: 1.8 $ $Date: 2005/01/20 02:25:45 $";
+static const char CVS_ID[] = "@(#) $RCSfile: arena.c,v $ $Revision: 1.8.28.1 $ $Date: 2006/07/17 21:50:53 $";
#endif /* DEBUG */
/*
@@ -520,12 +520,12 @@
}
#endif /* NSSDEBUG */
- PR_Lock(arena->lock);
if( (PRLock *)NULL == arena->lock ) {
/* Just got destroyed */
nss_SetError(NSS_ERROR_INVALID_ARENA);
return PR_FAILURE;
}
+ PR_Lock(arena->lock);
#ifdef DEBUG
if( PR_SUCCESS != arena_remove_pointer(arena) ) {
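Review bot: With `PR_Lock(arena->lock)` moved below the NULL test, that test is an unsynchronized read, so a concurrent destroy could still tear the lock down between the test and the `PR_Lock` call; the "Just got destroyed" comment suggests this situation is expected. The reordering stops a NULL pointer being handed to `PR_Lock` but does not close that window. If the contract is that callers must keep the arena alive, a comment above the test would record it, for example `/* best-effort check only; the caller must ensure the arena is not destroyed concurrently */`. The same pattern is in the other three hunks of this file (at -585, -668 and -908), and the enclosing function starts and ends outside the hunk.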
@@ -585,12 +585,12 @@
}
#endif /* NSSDEBUG */
- PR_Lock(arena->lock);
if( (PRLock *)NULL == arena->lock ) {
/* Just got destroyed */
nss_SetError(NSS_ERROR_INVALID_ARENA);
return (nssArenaMark *)NULL;
}
+ PR_Lock(arena->lock);
#ifdef ARENA_THREADMARK
if( (PRThread *)NULL == arena->marking_thread ) {
@@ -668,12 +668,12 @@
return PR_FAILURE;
}
- PR_Lock(arena->lock);
if( (PRLock *)NULL == arena->lock ) {
/* Just got destroyed */
nss_SetError(NSS_ERROR_INVALID_ARENA);
return PR_FAILURE;
}
+ PR_Lock(arena->lock);
#ifdef ARENA_THREADMARK
if( (PRThread *)NULL != arena->marking_thread ) {
@@ -908,12 +908,12 @@
}
#endif /* NSSDEBUG */
- PR_Lock(arenaOpt->lock);
if( (PRLock *)NULL == arenaOpt->lock ) {
/* Just got destroyed */
nss_SetError(NSS_ERROR_INVALID_ARENA);
return (void *)NULL;
}
+ PR_Lock(arenaOpt->lock);
#ifdef ARENA_THREADMARK
if( (PRThread *)NULL != arenaOpt->marking_thread ) {
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/certhigh/ocsp.c new/nss-3.11.2/mozilla/security/nss/lib/certhigh/ocsp.c
--- old/nss-3.11.2/mozilla/security/nss/lib/certhigh/ocsp.c 2006-06-08 07:44:41.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/certhigh/ocsp.c 2006-08-05 09:13:29.000000000 +0200
@@ -38,7 +38,7 @@
* Implementation of OCSP services, for both client and server.
* (XXX, really, mostly just for client right now, but intended to do both.)
*
- * $Id: ocsp.c,v 1.21.2.6 2006/05/15 20:51:58 alexei.volkov.bugs%sun.com Exp $
+ * $Id: ocsp.c,v 1.21.2.7 2006/07/19 00:05:53 nelson%bolyard.com Exp $
*/
#include "prerror.h"
@@ -854,6 +854,7 @@
/* prepare for following loser gotos */
rv = SECFailure;
+ PORT_SetError(0);
extensionHandle = cert_StartExtensions(singleRequest,
singleRequest->arena, SetSingleReqExts);
@@ -2442,6 +2443,7 @@
loser:
retval = PR_FALSE;
+ PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
goto done;
success:
retval = PR_TRUE;
@@ -2627,7 +2629,7 @@
rv = SECFailure;
if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) {
/* Make the error a little more specific. */
- PORT_SetError(SEC_ERROR_UNKNOWN_SIGNER);
+ PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
}
goto finish;
}
@@ -3199,7 +3201,7 @@
* char *
* A copy of the URI for the OCSP method, if found. If either the
* extension is not present or it does not contain an entry for OCSP,
- * SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned.
+ * SEC_ERROR_CERT_BAD_ACCESS_LOCATION will be set and a NULL returned.
* Any other error will also result in a NULL being returned.
*
* This result should be freed (via PORT_Free) when no longer in use.
@@ -3227,8 +3229,10 @@
rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS,
encodedAuthInfoAccess);
- if (rv == SECFailure)
+ if (rv == SECFailure) {
+ PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
goto loser;
+ }
/*
* The rest of the things allocated in the routine will come out of
@@ -3258,7 +3262,7 @@
* not there at all.
*/
if (locname == NULL) {
- PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
+ PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
goto loser;
}
@@ -3275,7 +3279,7 @@
* this should probably be something more like the extension was
* badly formed.
*/
- PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
+ PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
goto loser;
}
@@ -3481,10 +3485,13 @@
*/
location = ocsp_GetResponderLocation(handle, cert, &locationIsDefault);
if (location == NULL) {
- if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND)
+ int err = PORT_GetError();
+ if (err == SEC_ERROR_EXTENSION_NOT_FOUND ||
+ err == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) {
+ PORT_SetError(0);
return SECSuccess;
- else
- return SECFailure;
+ }
+ return SECFailure;
}
/*
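Review bot: Returning `SECSuccess` for `SEC_ERROR_CERT_BAD_ACCESS_LOCATION` makes the status check pass without contacting a responder in more cases than "no AIA extension". Earlier hunks in this file set that code for every `CERT_FindCertExtension` failure and for the branch whose comment says the extension "was badly formed". If this fail-open behaviour is intended, it deserves a comment at the early return, for example `/* no usable OCSP location (missing or malformed AIA): treated as "no OCSP check required" */`. Otherwise a malformed extension should probably keep returning `SECFailure`. The enclosing function starts and ends outside the hunk.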
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/crmf/challcli.c new/nss-3.11.2/mozilla/security/nss/lib/crmf/challcli.c
--- old/nss-3.11.2/mozilla/security/nss/lib/crmf/challcli.c 2005-03-19 13:35:35.000000000 +0100
+++ new/nss-3.11.2/mozilla/security/nss/lib/crmf/challcli.c 2006-08-05 09:13:29.000000000 +0200
@@ -122,54 +122,39 @@
{
CMMFChallenge *challenge;
SECItem *decryptedRand=NULL;
+ PRArenaPool *poolp = NULL;
SECAlgorithmID *owf;
- PK11SlotInfo *slot;
- PK11SymKey *symKey = NULL;
SECStatus rv = SECFailure;
+ SECOidTag tag;
CMMFRand randStr;
SECItem hashItem;
- SECOidTag tag;
unsigned char hash[HASH_LENGTH_MAX];
- PRArenaPool *poolp = NULL;
PORT_Assert(inChalCont != NULL && inPrivKey != NULL);
if (inChalCont == NULL || inIndex <0 || inIndex > inChalCont->numChallenges
|| inPrivKey == NULL){
return SECFailure;
}
- challenge = inChalCont->challenges[inIndex];
- decryptedRand = PORT_ZNew(SECItem);
- if (decryptedRand == NULL) {
+
+ poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+ if (poolp == NULL) {
goto loser;
}
- decryptedRand->data =
- PORT_NewArray(unsigned char, challenge->challenge.len);
- if (decryptedRand->data == NULL) {
+
+ challenge = inChalCont->challenges[inIndex];
+ decryptedRand = SECITEM_AllocItem(poolp, NULL, challenge->challenge.len);
+ if (decryptedRand == NULL) {
goto loser;
}
- slot = inPrivKey->pkcs11Slot;
- symKey = PK11_PubUnwrapSymKey(inPrivKey, &challenge->challenge,
- CKM_RSA_PKCS, CKA_VALUE, 0);
- if (symKey == NULL) {
- rv = SECFailure;
- goto loser;
- }
- rv = PK11_ExtractKeyValue(symKey);
+ rv = PK11_PrivDecryptPKCS1(inPrivKey, decryptedRand->data,
+ &decryptedRand->len, decryptedRand->len,
+ challenge->challenge.data, challenge->challenge.len);
if (rv != SECSuccess) {
- goto loser;
- }
- decryptedRand = PK11_GetKeyData(symKey);
-
- poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
- if (poolp == NULL) {
goto loser;
}
+
rv = SEC_ASN1DecodeItem(poolp, &randStr, CMMFRandTemplate,
decryptedRand);
- /* The decryptedRand returned points to a member within the symKey
- * structure, so we don't want to free it. Let the symKey destruction
- * function deal with freeing that memory.
- */
if (rv != SECSuccess) {
goto loser;
}
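Review bot: The argument check kept at the top of this hunk accepts `inIndex == inChalCont->numChallenges`, and the code then reads `inChalCont->challenges[inIndex]` with that index. Unless the array is kept one entry longer than `numChallenges` (not visible here), that is a read one past the last challenge, and the pointer is dereferenced for `challenge->challenge.len`. The bound should be `inIndex >= inChalCont->numChallenges`. The function's signature and tail are outside the hunk.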
@@ -196,6 +181,7 @@
/* The hash for the data we decrypted doesn't match the hash provided
* in the challenge. Bail out.
*/
+ PORT_SetError(SEC_ERROR_BAD_DATA);
rv = SECFailure;
goto loser;
}
@@ -208,6 +194,7 @@
/* The hash for the data we decrypted doesn't match the hash provided
* in the challenge. Bail out.
*/
+ PORT_SetError(SEC_ERROR_BAD_DATA);
rv = SECFailure;
goto loser;
}
@@ -215,9 +202,6 @@
rv = SECITEM_CopyItem(inChalCont->poolp, &challenge->randomNumber,
&randStr.integer);
loser:
- if (symKey != NULL) {
- PK11_FreeSymKey(symKey);
- }
if (poolp) {
PORT_FreeArena(poolp, PR_FALSE);
}
@@ -275,7 +259,10 @@
if (currItem == NULL) {
goto loser;
}
- SEC_ASN1EncodeInteger(poolp, currItem,inDecodedRand[i]);
+ currItem = SEC_ASN1EncodeInteger(poolp, currItem, inDecodedRand[i]);
+ if (currItem == NULL) {
+ goto loser;
+ }
}
rv = cmmf_user_encode(response, inCallback, inArg,
CMMFPOPODecKeyRespContentTemplate);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/crmf/crmfpop.c new/nss-3.11.2/mozilla/security/nss/lib/crmf/crmfpop.c
--- old/nss-3.11.2/mozilla/security/nss/lib/crmf/crmfpop.c 2006-06-08 07:44:41.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/crmf/crmfpop.c 2006-08-05 09:13:29.000000000 +0200
@@ -185,8 +185,8 @@
SECKEYPrivateKey *inKey,
SECAlgorithmID *inAlgId)
{
- SECItem derCertReq;
- SECItem certReqSig;
+ SECItem derCertReq = { siBuffer, NULL, 0 };
+ SECItem certReqSig = { siBuffer, NULL, 0 };
SECStatus rv = SECSuccess;
rv = crmf_encode_certreq(certReq, &derCertReq);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/nss/nss.h new/nss-3.11.2/mozilla/security/nss/lib/nss/nss.h
--- old/nss-3.11.2/mozilla/security/nss/lib/nss/nss.h 2006-07-01 23:35:58.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/nss/nss.h 2006-08-05 09:13:30.000000000 +0200
@@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: nss.h,v 1.46.2.5 2006/06/23 22:25:12 christophe.ravel.bugs%sun.com Exp $ */
+/* $Id: nss.h,v 1.46.2.6 2006/07/14 21:23:53 wtchang%redhat.com Exp $ */
#ifndef __nss_h_
#define __nss_h_
@@ -53,14 +53,14 @@
* "<major version>.<minor version>[.<patch level>] [<Beta>]"
*/
#ifdef NSS_ENABLE_ECC
-#define NSS_VERSION "3.11.2 ECC"
+#define NSS_VERSION "3.11.3 ECC Beta"
#else
-#define NSS_VERSION "3.11.2"
+#define NSS_VERSION "3.11.3 Beta"
#endif
#define NSS_VMAJOR 3
#define NSS_VMINOR 11
-#define NSS_VPATCH 2
-#define NSS_BETA PR_FALSE
+#define NSS_VPATCH 3
+#define NSS_BETA PR_TRUE
/*
* Return a boolean that indicates whether the underlying library
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/smime/cmsrecinfo.c new/nss-3.11.2/mozilla/security/nss/lib/smime/cmsrecinfo.c
--- old/nss-3.11.2/mozilla/security/nss/lib/smime/cmsrecinfo.c 2006-05-15 15:19:07.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/smime/cmsrecinfo.c 2006-08-05 09:13:30.000000000 +0200
@@ -37,7 +37,7 @@
/*
* CMS recipientInfo methods.
*
- * $Id: cmsrecinfo.c,v 1.16.2.1 2006/03/03 04:03:39 nelson%bolyard.com Exp $
+ * $Id: cmsrecinfo.c,v 1.16.2.2 2006/07/19 00:34:19 nelson%bolyard.com Exp $
*/
#include "cmslocal.h"
@@ -187,24 +187,6 @@
rv = SECFailure;
}
break;
- case SEC_OID_MISSI_KEA_DSS_OLD:
- case SEC_OID_MISSI_KEA_DSS:
- case SEC_OID_MISSI_KEA:
- PORT_Assert(type == NSSCMSRecipientID_IssuerSN);
- if (type != NSSCMSRecipientID_IssuerSN) {
- rv = SECFailure;
- break;
- }
- /* backward compatibility - this is not really a keytrans operation */
- ri->recipientInfoType = NSSCMSRecipientInfoID_KeyTrans;
- /* hardcoded issuerSN choice for now */
- ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType = NSSCMSRecipientID_IssuerSN;
- ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert);
- if (ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN == NULL) {
- rv = SECFailure;
- break;
- }
- break;
case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
PORT_Assert(type == NSSCMSRecipientID_IssuerSN);
if (type != NSSCMSRecipientID_IssuerSN) {
@@ -530,20 +512,6 @@
rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, NULL);
break;
- case SEC_OID_MISSI_KEA_DSS_OLD:
- case SEC_OID_MISSI_KEA_DSS:
- case SEC_OID_MISSI_KEA:
- rv = NSS_CMSUtil_EncryptSymKey_MISSI(poolp, cert, bulkkey,
- bulkalgtag,
- &ri->ri.keyTransRecipientInfo.encKey,
- ¶ms, ri->cmsg->pwfn_arg);
- if (rv != SECSuccess)
- break;
-
- /* here, we DO need to pass the params to the wrap function because, with
- * RSA, there is no funny stuff going on with generation of IV vectors or so */
- rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, params);
- break;
case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[0];
if (rek == NULL) {
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/smime/cmsreclist.c new/nss-3.11.2/mozilla/security/nss/lib/smime/cmsreclist.c
--- old/nss-3.11.2/mozilla/security/nss/lib/smime/cmsreclist.c 2005-11-25 22:41:20.000000000 +0100
+++ new/nss-3.11.2/mozilla/security/nss/lib/smime/cmsreclist.c 2006-08-05 09:13:30.000000000 +0200
@@ -37,7 +37,7 @@
/*
* CMS recipient list functions
*
- * $Id: cmsreclist.c,v 1.4 2005/09/16 17:54:31 wtchang%redhat.com Exp $
+ * $Id: cmsreclist.c,v 1.4.2.1 2006/07/17 21:57:12 alexei.volkov.bugs%sun.com Exp $
*/
#include "cmslocal.h"
@@ -66,25 +66,33 @@
switch (ri->recipientInfoType) {
case NSSCMSRecipientInfoID_KeyTrans:
if (recipient_list) {
+ NSSCMSRecipientIdentifier *recipId =
+ &ri->ri.keyTransRecipientInfo.recipientIdentifier;
+
+ if (recipId->identifierType != NSSCMSRecipientID_IssuerSN &&
+ recipId->identifierType != NSSCMSRecipientID_SubjectKeyID) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return -1;
+ }
/* alloc one & fill it out */
rle = (NSSCMSRecipient *)PORT_ZAlloc(sizeof(NSSCMSRecipient));
- if (rle == NULL)
+ if (!rle)
return -1;
rle->riIndex = i;
rle->subIndex = -1;
- switch (ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType) {
+ switch (recipId->identifierType) {
case NSSCMSRecipientID_IssuerSN:
rle->kind = RLIssuerSN;
- rle->id.issuerAndSN = ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN;
+ rle->id.issuerAndSN = recipId->id.issuerAndSN;
break;
case NSSCMSRecipientID_SubjectKeyID:
rle->kind = RLSubjKeyID;
- rle->id.subjectKeyID = ri->ri.keyTransRecipientInfo.recipientIdentifier.id.subjectKeyID;
+ rle->id.subjectKeyID = recipId->id.subjectKeyID;
+ break;
+ default: /* we never get here because of identifierType check
+ we done before. Leaving it to kill compiler warning */
break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return -1;
}
recipient_list[rlindex++] = rle;
} else {
@@ -99,7 +107,7 @@
rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[j];
/* alloc one & fill it out */
rle = (NSSCMSRecipient *)PORT_ZAlloc(sizeof(NSSCMSRecipient));
- if (rle == NULL)
+ if (!rle)
return -1;
rle->riIndex = i;
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/softoken/fipstest.c new/nss-3.11.2/mozilla/security/nss/lib/softoken/fipstest.c
--- old/nss-3.11.2/mozilla/security/nss/lib/softoken/fipstest.c 2006-06-08 07:44:42.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/softoken/fipstest.c 2006-08-05 09:13:30.000000000 +0200
@@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: fipstest.c,v 1.13.2.2 2006/05/08 18:34:04 wtchang%redhat.com Exp $ */
+/* $Id: fipstest.c,v 1.13.2.4 2006/07/28 20:50:19 wtchang%redhat.com Exp $ */
#include "softoken.h" /* Required for RC2-ECB, RC2-CBC, RC4, DES-ECB, */
/* DES-CBC, DES3-ECB, DES3-CBC, RSA */
@@ -117,6 +117,9 @@
#define FIPS_DSA_PRIME_LENGTH 64 /* 512-bits */
#define FIPS_DSA_BASE_LENGTH 64 /* 512-bits */
+/* FIPS preprocessor directives for RNG. */
+#define FIPS_RNG_XKEY_LENGTH 32 /* 512-bits */
+
static CK_RV
sftk_fips_RC2_PowerUpSelfTest( void )
{
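Review bot: The comment on the new `FIPS_RNG_XKEY_LENGTH` says 512-bits, but 32 bytes is 256 bits. The value itself matches the 32-byte `XKeyValue` array in the self-test added later in this file, so the comment looks copied from the DSA defines above it. Suggest `#define FIPS_RNG_XKEY_LENGTH 32 /* 256-bits */`.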
@@ -1767,6 +1770,66 @@
}
+static CK_RV
+sftk_fips_RNG_PowerUpSelfTest( void )
+{
+ static const PRUint8 XKeyValue[] = {
+ 0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa,
+ 0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb,
+ 0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
+ 0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5};
+ static const PRUint8 XSeed[] = {
+ 0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
+ 0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5,
+ 0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf,
+ 0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac};
+ static const PRUint8 Q[] = {
+ 0x85,0x89,0x9c,0x77,0xa3,0x79,0xff,0x1a,
+ 0x86,0x6f,0x2f,0x3e,0x2e,0xf9,0x8c,0x9c,
+ 0x9d,0xef,0xeb,0xed};
+ static const PRUint8 rng_known_GENX[] = {
+ 0x65,0x48,0xe3,0xca,0xac,0x64,0x2d,0xf7,
+ 0x7b,0xd3,0x4e,0x79,0xc9,0x7d,0xa6,0xa8,
+ 0xa2,0xc2,0x1f,0x8f,0xe9,0xb9,0xd3,0xa1,
+ 0x3f,0xf7,0x0c,0xcd,0xa6,0xca,0xbf,0xce,
+ 0x84,0x0e,0xb6,0xf1,0x0d,0xbe,0xa9,0xa3};
+ static const PRUint8 rng_known_DSAX[] = {
+ 0x7a,0x86,0xf1,0x7f,0xbd,0x4e,0x6e,0xd9,
+ 0x0a,0x26,0x21,0xd0,0x19,0xcb,0x86,0x73,
+ 0x10,0x1f,0x60,0xd7};
+
+ SECStatus rng_status = SECSuccess;
+ PRUint8 GENX[2*SHA1_LENGTH];
+ PRUint8 DSAX[FIPS_DSA_SUBPRIME_LENGTH];
+ PRUint8 XKey[FIPS_RNG_XKEY_LENGTH];
+
+ PORT_Memcpy (XKey, XKeyValue, FIPS_RNG_XKEY_LENGTH);
+
+ /*******************************************/
+ /* Generate X with a known seed. */
+ /*******************************************/
+ rng_status = FIPS186Change_GenerateX(XKey, XSeed, GENX);
+
+ /* Verify GENX to perform the RNG integrity check */
+ if( ( rng_status != SECSuccess ) ||
+ ( PORT_Memcmp( GENX, rng_known_GENX,
+ (2*SHA1_LENGTH) ) != 0 ) )
+ return( CKR_DEVICE_ERROR );
+
+ /*******************************************/
+ /* Generate DSAX fow given Q. */
+ /*******************************************/
+
+ rng_status = FIPS186Change_ReduceModQForDSA(GENX, Q, DSAX);
+
+ /* Verify DSAX to perform the RNG integrity check */
+ if( ( rng_status != SECSuccess ) ||
+ ( PORT_Memcmp( DSAX, rng_known_DSAX,
+ (FIPS_DSA_SUBPRIME_LENGTH) ) != 0 ) )
+ return( CKR_DEVICE_ERROR );
+
+ return( CKR_OK );
+}
CK_RV
sftk_fipsPowerUpSelfTest( void )
@@ -1850,6 +1913,12 @@
if( rv != CKR_OK )
return rv;
+
+ /* RNG Power-Up SelfTest(s). */
+ rv = sftk_fips_RNG_PowerUpSelfTest();
+
+ if( rv != CKR_OK )
+ return rv;
#ifdef NSS_ENABLE_ECC
/* ECDSA Power-Up SelfTest(s). */
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/softoken/fipstokn.c new/nss-3.11.2/mozilla/security/nss/lib/softoken/fipstokn.c
--- old/nss-3.11.2/mozilla/security/nss/lib/softoken/fipstokn.c 2006-07-01 23:35:59.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/softoken/fipstokn.c 2006-08-05 09:13:30.000000000 +0200
@@ -106,7 +106,7 @@
* ******************** Password Utilities *******************************
*/
static PRBool isLoggedIn = PR_FALSE;
-static PRBool fatalError = PR_FALSE;
+PRBool sftk_fatalError = PR_FALSE;
/*
* This function returns
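Review bot: `sftk_fatalError` loses `static` here without a comment saying who may set it and when it is cleared. Later in this diff keydb.c, pkcs11.c and pkcs11c.c set it, and the initialization code at -424 in this file resets it to `PR_FALSE`. A short comment on the definition would help, for example `/* set on any fatal FIPS error inside softoken; cleared only on re-initialization */`. The matching `extern` declaration is not in the part of the diff visible here, so it is worth confirming it lives in a softoken-private header rather than an exported one.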
@@ -204,7 +204,7 @@
/* FIPS required checks before any useful cryptographic services */
static CK_RV sftk_fipsCheck(void) {
- if (fatalError)
+ if (sftk_fatalError)
return CKR_DEVICE_ERROR;
if (!isLoggedIn)
return CKR_USER_NOT_LOGGED_IN;
@@ -217,7 +217,7 @@
if ((rv = sftk_fipsCheck()) != CKR_OK) return rv;
#define SFTK_FIPSFATALCHECK() \
- if (fatalError) return CKR_DEVICE_ERROR;
+ if (sftk_fatalError) return CKR_DEVICE_ERROR;
/* grab an attribute out of a raw template */
@@ -424,16 +424,16 @@
/* not an 'else' rv can be set by either SFTK_LowInit or SFTK_SlotInit*/
if (crv != CKR_OK) {
- fatalError = PR_TRUE;
+ sftk_fatalError = PR_TRUE;
return crv;
}
- fatalError = PR_FALSE; /* any error has been reset */
+ sftk_fatalError = PR_FALSE; /* any error has been reset */
crv = sftk_fipsPowerUpSelfTest();
if (crv != CKR_OK) {
nsc_CommonFinalize(NULL, PR_TRUE);
- fatalError = PR_TRUE;
+ sftk_fatalError = PR_TRUE;
if (sftk_audit_enabled) {
char msg[128];
PR_snprintf(msg,sizeof msg,
@@ -536,7 +536,7 @@
CK_RV FC_InitPIN(CK_SESSION_HANDLE hSession,
CK_CHAR_PTR pPin, CK_ULONG ulPinLen) {
CK_RV rv;
- if (fatalError) return CKR_DEVICE_ERROR;
+ if (sftk_fatalError) return CKR_DEVICE_ERROR;
if ((rv = sftk_newPinCheck(pPin,ulPinLen)) == CKR_OK) {
rv = NSC_InitPIN(hSession,pPin,ulPinLen);
}
@@ -616,7 +616,7 @@
CK_RV FC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
CK_CHAR_PTR pPin, CK_ULONG usPinLen) {
CK_RV rv;
- if (fatalError) return CKR_DEVICE_ERROR;
+ if (sftk_fatalError) return CKR_DEVICE_ERROR;
rv = NSC_Login(hSession,userType,pPin,usPinLen);
if (rv == CKR_OK)
isLoggedIn = PR_TRUE;
@@ -629,12 +629,12 @@
if (rv == CKR_OK)
rv = CKR_USER_ALREADY_LOGGED_IN;
else
- fatalError = PR_TRUE;
+ sftk_fatalError = PR_TRUE;
}
if (sftk_audit_enabled) {
char msg[128];
NSSAuditSeverity severity;
- if (fatalError) {
+ if (sftk_fatalError) {
severity = NSS_AUDIT_ERROR;
PR_snprintf(msg,sizeof msg,
"C_Login(hSession=%lu, userType=%lu)=0x%08lX ",
@@ -1107,7 +1107,7 @@
usPrivateKeyAttributeCount,phPublicKey,phPrivateKey);
if (crv == CKR_GENERAL_ERROR) {
/* pairwise consistency check failed. */
- fatalError = PR_TRUE;
+ sftk_fatalError = PR_TRUE;
}
return crv;
}
@@ -1183,7 +1183,7 @@
SFTK_FIPSFATALCHECK();
crv = NSC_SeedRandom(hSession,pSeed,usSeedLen);
if (crv != CKR_OK) {
- fatalError = PR_TRUE;
+ sftk_fatalError = PR_TRUE;
}
return crv;
}
@@ -1197,7 +1197,7 @@
SFTK_FIPSFATALCHECK();
crv = NSC_GenerateRandom(hSession,pRandomData,ulRandomLen);
if (crv != CKR_OK) {
- fatalError = PR_TRUE;
+ sftk_fatalError = PR_TRUE;
if (sftk_audit_enabled) {
char msg[128];
PR_snprintf(msg,sizeof msg,
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/softoken/keydb.c new/nss-3.11.2/mozilla/security/nss/lib/softoken/keydb.c
--- old/nss-3.11.2/mozilla/security/nss/lib/softoken/keydb.c 2006-06-08 07:44:42.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/softoken/keydb.c 2006-08-05 09:13:35.000000000 +0200
@@ -34,7 +34,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: keydb.c,v 1.40.2.3 2006/05/17 17:56:37 alexei.volkov.bugs%sun.com Exp $ */
+/* $Id: keydb.c,v 1.40.2.4 2006/07/31 18:17:14 wtchang%redhat.com Exp $ */
#include "lowkeyi.h"
#include "seccomon.h"
@@ -580,13 +580,18 @@
DBT saltData;
unsigned char saltbuf[16];
int status;
+ SECStatus rv;
saltKey.data = SALT_STRING;
saltKey.size = sizeof(SALT_STRING) - 1;
saltData.data = (void *)saltbuf;
saltData.size = sizeof(saltbuf);
- RNG_GenerateGlobalRandomBytes(saltbuf, sizeof(saltbuf));
+ rv = RNG_GenerateGlobalRandomBytes(saltbuf, sizeof(saltbuf));
+ if ( rv != SECSuccess ) {
+ sftk_fatalError = PR_TRUE;
+ return(rv);
+ }
/* put global salt into the database now */
status = keydb_Put(handle, &saltKey, &saltData, 0);
@@ -1522,11 +1527,12 @@
if(salt->data != NULL)
{
salt->len = SALT_LENGTH;
- RNG_GenerateGlobalRandomBytes(salt->data, salt->len);
- rv = SECSuccess;
+ rv = RNG_GenerateGlobalRandomBytes(salt->data, salt->len);
+ if(rv != SECSuccess)
+ sftk_fatalError = PR_TRUE;
}
- if(rv == SECFailure)
+ if(rv != SECSuccess)
{
SECITEM_FreeItem(salt, PR_TRUE);
salt = NULL;
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/softoken/pkcs11.c new/nss-3.11.2/mozilla/security/nss/lib/softoken/pkcs11.c
--- old/nss-3.11.2/mozilla/security/nss/lib/softoken/pkcs11.c 2006-06-08 07:44:42.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/softoken/pkcs11.c 2006-08-05 09:13:35.000000000 +0200
@@ -1537,6 +1537,9 @@
(++retries <= SFTK_KEY_MAX_RETRIES));
if ((rv != SECSuccess) || (retries > SFTK_KEY_MAX_RETRIES)) {
+ if (rv != SECSuccess) {
+ sftk_fatalError = PR_TRUE;
+ }
crv = CKR_DEVICE_ERROR; /* random number generator is bad */
PORT_Free(id->data);
id->data = NULL;
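Review bot: Only the `rv != SECSuccess` case sets `sftk_fatalError`, yet the comment on the following line calls the random number generator bad for both conditions. Running past `SFTK_KEY_MAX_RETRIES` returns `CKR_DEVICE_ERROR` but leaves the error state untouched. If that distinction is intended, a comment would make it explicit, for example `/* retry exhaustion is reported but is not treated as a fatal RNG failure */`. The retry loop begins outside the hunk, so what is being retried cannot be confirmed from here.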
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/softoken/pkcs11c.c new/nss-3.11.2/mozilla/security/nss/lib/softoken/pkcs11c.c
--- old/nss-3.11.2/mozilla/security/nss/lib/softoken/pkcs11c.c 2006-07-01 23:35:59.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/softoken/pkcs11c.c 2006-08-05 09:13:36.000000000 +0200
@@ -1666,6 +1666,9 @@
digest.data = (unsigned char *)dataBuf;
digest.len = dataLen;
rv = DSA_SignDigest(&(key->u.dsa), &signature, &digest);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
*sigLen = signature.len;
return rv;
}
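Review bot: The check added after `DSA_SignDigest` decides on the fatal state from `PORT_GetError()`, which presumably returns the last error recorded on the thread rather than one tied to this call. If a failure path in the callee returns without setting an error, a stale `SEC_ERROR_LIBRARY_FAILURE` could trip the state, or a real one could be missed. Clearing it first with `PORT_SetError(0);` before the call would make the test unambiguous. The same three-line test is repeated in the @@ -1699, -2604, -3432, -3548, -3616 and -3665 hunks of this file and in rsawrapr.c. A small static helper that takes `rv` and sets `sftk_fatalError` would keep the rule in one place.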
@@ -1699,6 +1702,9 @@
digest.data = (unsigned char *)dataBuf;
digest.len = dataLen;
rv = ECDSA_SignDigest(&(key->u.ec), &signature, &digest);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
*sigLen = signature.len;
return rv;
}
@@ -2604,6 +2610,9 @@
}
if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
return CKR_DEVICE_ERROR;
}
crv = sftk_AddAttributeType(key,CKA_PRIME,
@@ -3432,6 +3441,9 @@
rsaPriv = RSA_NewKey(public_modulus_bits, &pubExp);
PORT_Free(pubExp.data);
if (rsaPriv == NULL) {
+ if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
crv = CKR_DEVICE_ERROR;
break;
}
@@ -3548,7 +3560,13 @@
PORT_Free(pqgParam.subPrime.data);
PORT_Free(pqgParam.base.data);
- if (rv != SECSuccess) { crv = CKR_DEVICE_ERROR; break; }
+ if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ crv = CKR_DEVICE_ERROR;
+ break;
+ }
/* store the generated key into the attributes */
crv = sftk_AddAttributeType(publicKey,CKA_VALUE,
@@ -3616,6 +3634,9 @@
PORT_Free(dhParam.prime.data);
PORT_Free(dhParam.base.data);
if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
crv = CKR_DEVICE_ERROR;
break;
}
@@ -3665,8 +3686,11 @@
rv = EC_NewKey(ecParams, &ecPriv);
PORT_FreeArena(ecParams->arena, PR_TRUE);
if (rv != SECSuccess) {
- crv = CKR_DEVICE_ERROR;
- break;
+ if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ crv = CKR_DEVICE_ERROR;
+ break;
}
crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/softoken/pkcs11i.h new/nss-3.11.2/mozilla/security/nss/lib/softoken/pkcs11i.h
--- old/nss-3.11.2/mozilla/security/nss/lib/softoken/pkcs11i.h 2006-06-08 07:44:42.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/softoken/pkcs11i.h 2006-08-05 09:13:36.000000000 +0200
@@ -556,7 +556,7 @@
SEC_BEGIN_PROTOS
/* shared functions between pkcs11.c and fipstokn.c */
-extern int nsf_init;
+extern PRBool nsf_init;
extern CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS);
extern CK_RV nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS);
extern CK_RV nsc_CommonGetSlotList(CK_BBOOL tokPresent,
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/softoken/rsawrapr.c new/nss-3.11.2/mozilla/security/nss/lib/softoken/rsawrapr.c
--- old/nss-3.11.2/mozilla/security/nss/lib/softoken/rsawrapr.c 2006-05-15 15:19:07.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/softoken/rsawrapr.c 2006-08-05 09:13:36.000000000 +0200
@@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: rsawrapr.c,v 1.8.30.1 2006/04/13 22:15:46 wtchang%redhat.com Exp $ */
+/* $Id: rsawrapr.c,v 1.8.30.2 2006/07/31 18:17:14 wtchang%redhat.com Exp $ */
#include "blapi.h"
#include "softoken.h"
@@ -193,6 +193,7 @@
unsigned char *bp;
int padLen;
int i;
+ SECStatus rv;
block = (unsigned char *) PORT_Alloc(modulusLen);
if (block == NULL)
@@ -254,8 +255,13 @@
for (i = 0; i < padLen; i++) {
/* Pad with non-zero random data. */
do {
- RNG_GenerateGlobalRandomBytes(bp + i, 1);
- } while (bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
+ rv = RNG_GenerateGlobalRandomBytes(bp + i, 1);
+ } while (rv == SECSuccess && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
+ if (rv != SECSuccess) {
+ sftk_fatalError = PR_TRUE;
+ PORT_Free (block);
+ return NULL;
+ }
}
bp += padLen;
*bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
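Review bot: The failure exit added inside the padding loop (`sftk_fatalError = PR_TRUE; PORT_Free (block); return NULL;`) is duplicated verbatim in the @@ -292 and @@ -310 hunks. A single cleanup label at the end of the function, reached with `goto`, would keep the three RNG failure paths identical and give one place to change how `block` is released. The function body starts and ends outside these hunks, so whether such a label already exists cannot be seen here. A short comment on the loop noting that an RNG failure aborts the whole block rather than retrying would also help.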
@@ -292,7 +298,12 @@
/*
* Salt
*/
- RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
+ rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
+ if (rv != SECSuccess) {
+ sftk_fatalError = PR_TRUE;
+ PORT_Free (block);
+ return NULL;
+ }
bp += OAEP_SALT_LEN;
/*
@@ -310,8 +321,14 @@
/*
* Pad2
*/
- if (bp < (block + modulusLen))
- RNG_GenerateGlobalRandomBytes(bp, block - bp + modulusLen);
+ if (bp < (block + modulusLen)) {
+ rv = RNG_GenerateGlobalRandomBytes(bp, block - bp + modulusLen);
+ if (rv != SECSuccess) {
+ sftk_fatalError = PR_TRUE;
+ PORT_Free (block);
+ return NULL;
+ }
+ }
/*
* Now we have the following:
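Review bot: When the Pad2 call fails, `block` is released with plain `PORT_Free`. By this point in the OAEP branch the buffer presumably already contains the caller's data, since the copy appears to sit between the Salt and Pad2 steps, outside the hunk. Releasing it with `PORT_ZFree(block, modulusLen);` on this path would avoid leaving that data in freed heap memory. The same consideration applies to the other early exits if they can be reached after the data has been copied.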
@@ -463,6 +480,9 @@
goto done;
rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, formatted.data);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
*output_len = modulus_len;
goto done;
@@ -665,8 +685,12 @@
goto failure;
rv = RSA_PrivateKeyOp(&key->u.rsa, buffer, input);
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
goto loser;
+ }
if (buffer[0] != 0 || buffer[1] != 2)
goto loser;
@@ -725,6 +749,9 @@
goto done;
rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, formatted.data);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
*output_len = modulus_len;
done:
@@ -874,8 +901,12 @@
goto failure;
rv = RSA_PrivateKeyOp(&key->u.rsa, output, input);
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
goto failure;
+ }
*output_len = modulus_len;
return SECSuccess;
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/softoken/softoken.h new/nss-3.11.2/mozilla/security/nss/lib/softoken/softoken.h
--- old/nss-3.11.2/mozilla/security/nss/lib/softoken/softoken.h 2006-06-08 07:44:42.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/softoken/softoken.h 2006-08-05 09:13:36.000000000 +0200
@@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: softoken.h,v 1.7.30.3 2006/05/05 20:35:37 wtchang%redhat.com Exp $ */
+/* $Id: softoken.h,v 1.7.30.4 2006/07/31 18:17:14 wtchang%redhat.com Exp $ */
#ifndef _SOFTOKEN_H_
#define _SOFTOKEN_H_
@@ -184,6 +184,11 @@
extern void sftk_LogAuditMessage(NSSAuditSeverity severity, const char *msg);
+/*
+** FIPS 140-2 Error state
+*/
+extern PRBool sftk_fatalError;
+
SEC_END_PROTOS
#endif /* _SOFTOKEN_H_ */
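Review bot: The comment above `sftk_fatalError` names the FIPS 140-2 error state but does not say what sets the flag, who is expected to read it, or whether it is ever cleared. In the visible hunks it is only ever assigned `PR_TRUE`, after an RNG failure or when a crypto routine reports `SEC_ERROR_LIBRARY_FAILURE`. Something like `/* Set to PR_TRUE when an RNG call fails or a crypto routine reports SEC_ERROR_LIBRARY_FAILURE. */` would record that. It is a plain `PRBool` written from signing, key generation and padding code with no synchronisation visible here, so the comment should also state whether concurrent writers are expected.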
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/ssl/ssl3con.c new/nss-3.11.2/mozilla/security/nss/lib/ssl/ssl3con.c
--- old/nss-3.11.2/mozilla/security/nss/lib/ssl/ssl3con.c 2006-06-08 07:44:42.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/ssl/ssl3con.c 2006-08-05 09:13:36.000000000 +0200
@@ -39,7 +39,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: ssl3con.c,v 1.76.2.13 2006/06/08 05:42:36 wtchang%redhat.com Exp $ */
+/* $Id: ssl3con.c,v 1.76.2.16 2006/07/20 00:13:50 nelson%bolyard.com Exp $ */
#include "nssrenam.h"
#include "cert.h"
@@ -3507,6 +3507,11 @@
if (total_exten_len > 0)
total_exten_len += 2;
}
+#if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B)
+ else { /* SSL3 only */
+ ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
+ }
+#endif
/* how many suites are permitted by policy and user preference? */
num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
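Review bot: The result of `ssl3_DisableECCSuites(ss, NULL)` is discarded in the new `else` branch, although the prototype added to sslimpl.h in this patch returns `SECStatus`. If disabling a suite fails, the hello built below could still count and offer ECC suites. Capturing the result, for example `if (ssl3_DisableECCSuites(ss, NULL) != SECSuccess)` followed by this function's usual error exit, would close that gap. The same unchecked call is added in sslcon.c at @@ -3120. The `else` is also attached to a brace outside the `#if`, which is easy to break when editing; a one-line comment naming the `if` it belongs to would help.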
@@ -6781,23 +6786,25 @@
if (rv != SECSuccess) {
return rv; /* err set by AppendHandshake. */
}
- for (i = 0; i < certChain->len; i++) {
+ if (certChain) {
+ for (i = 0; i < certChain->len; i++) {
#ifdef NISCC_TEST
- if (fakeCert.len > 0 && i == ndex) {
- rv = ssl3_AppendHandshakeVariable(ss, fakeCert.data, fakeCert.len,
- 3);
- SECITEM_FreeItem(&fakeCert, PR_FALSE);
- } else {
- rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
- certChain->certs[i].len, 3);
- }
+ if (fakeCert.len > 0 && i == ndex) {
+ rv = ssl3_AppendHandshakeVariable(ss, fakeCert.data,
+ fakeCert.len, 3);
+ SECITEM_FreeItem(&fakeCert, PR_FALSE);
+ } else {
+ rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
+ certChain->certs[i].len, 3);
+ }
#else
- rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
- certChain->certs[i].len, 3);
+ rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
+ certChain->certs[i].len, 3);
#endif
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake. */
- }
+ if (rv != SECSuccess) {
+ return rv; /* err set by AppendHandshake. */
+ }
+ }
}
return SECSuccess;
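Review bot: Wrapping the whole loop in `if (certChain) {` re-indents every line for a single NULL test, and only `return SECSuccess;` follows the loop. A guard ahead of it, `if (!certChain) return SECSuccess;`, would give the same behaviour with a much smaller change. It would also leave room for a comment saying when the chain is NULL, such as `/* no certificate to send: the list stays empty */`, if that is the intent. Since `certChain` is now treated as possibly NULL here, any earlier dereference in this function, for instance when computing the message length, needs the same guard. That code is outside the hunk.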
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/ssl/ssl3ecc.c new/nss-3.11.2/mozilla/security/nss/lib/ssl/ssl3ecc.c
--- old/nss-3.11.2/mozilla/security/nss/lib/ssl/ssl3ecc.c 2006-06-08 07:44:42.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/ssl/ssl3ecc.c 2006-08-05 09:13:36.000000000 +0200
@@ -40,7 +40,7 @@
* ***** END LICENSE BLOCK ***** */
/* ECC code moved here from ssl3con.c */
-/* $Id: ssl3ecc.c,v 1.3.2.7 2006/05/19 04:01:30 nelson%bolyard.com Exp $ */
+/* $Id: ssl3ecc.c,v 1.3.2.8 2006/07/19 01:42:58 nelson%bolyard.com Exp $ */
#include "nssrenam.h"
#include "nss.h"
@@ -955,6 +955,8 @@
SECStatus
ssl3_DisableECCSuites(sslSocket * ss, const ssl3CipherSuite * suite)
{
+ if (!suite)
+ suite = ecSuites;
for (; *suite; ++suite) {
SECStatus rv = ssl3_CipherPrefSet(ss, *suite, PR_FALSE);
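Review bot: `ssl3_DisableECCSuites` now gives NULL a special meaning, but nothing in the hunk documents it, and the function is newly exported through sslimpl.h. A header comment such as `/* suite == NULL disables every suite listed in ecSuites */` would state the contract for the new callers in ssl3con.c and sslcon.c. The added `if (!suite)` would also read better braced. The loop depends on `ecSuites` being zero-terminated; its definition and the rest of the function are outside the hunk.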
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/ssl/sslcon.c new/nss-3.11.2/mozilla/security/nss/lib/ssl/sslcon.c
--- old/nss-3.11.2/mozilla/security/nss/lib/ssl/sslcon.c 2006-06-08 07:44:42.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/ssl/sslcon.c 2006-08-05 09:13:36.000000000 +0200
@@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: sslcon.c,v 1.28.2.3 2006/06/07 17:50:22 nelson%bolyard.com Exp $ */
+/* $Id: sslcon.c,v 1.28.2.5 2006/07/20 00:13:50 nelson%bolyard.com Exp $ */
#include "nssrenam.h"
#include "cert.h"
@@ -3120,7 +3120,11 @@
return rv;
}
-
+#if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B)
+ /* ensure we don't neogtiate ECC cipher suites with SSL2 hello */
+ ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
+#endif
+
if (!ss->cipherSpecs) {
rv = ssl2_ConstructCipherSpecs(ss);
if (rv < 0) {
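Review bot: The added comment misspells "negotiate" as "neogtiate". It also does not mention that the call works by turning off the ECC cipher preferences on `ss` itself, as the `ssl3_CipherPrefSet(ss, *suite, PR_FALSE)` loop in ssl3ecc.c shows. Whether those preferences are restored for a later handshake on the same socket cannot be seen from this hunk. A comment such as `/* ensure we don't negotiate ECC cipher suites with SSL2 hello; this clears the ECC suite preferences on ss */` would make the side effect visible to readers of this function.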
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/ssl/sslimpl.h new/nss-3.11.2/mozilla/security/nss/lib/ssl/sslimpl.h
--- old/nss-3.11.2/mozilla/security/nss/lib/ssl/sslimpl.h 2006-06-08 07:44:42.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/ssl/sslimpl.h 2006-08-05 09:13:36.000000000 +0200
@@ -39,7 +39,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: sslimpl.h,v 1.42.2.7 2006/04/28 03:35:32 rrelyea%redhat.com Exp $ */
+/* $Id: sslimpl.h,v 1.42.2.8 2006/07/19 01:42:58 nelson%bolyard.com Exp $ */
#ifndef __sslimpl_h_
#define __sslimpl_h_
@@ -1274,6 +1274,8 @@
#ifdef NSS_ENABLE_ECC
extern void ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss);
extern PRBool ssl3_IsECCEnabled(sslSocket *ss);
+extern SECStatus ssl3_DisableECCSuites(sslSocket * ss,
+ const ssl3CipherSuite * suite);
#endif /* NSS_ENABLE_ECC */
extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/nss-3.11.2/mozilla/security/nss/lib/ssl/sslsnce.c new/nss-3.11.2/mozilla/security/nss/lib/ssl/sslsnce.c
--- old/nss-3.11.2/mozilla/security/nss/lib/ssl/sslsnce.c 2006-05-15 15:19:07.000000000 +0200
+++ new/nss-3.11.2/mozilla/security/nss/lib/ssl/sslsnce.c 2006-08-05 09:13:36.000000000 +0200
@@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-/* $Id: sslsnce.c,v 1.36.2.1 2006/02/10 19:34:16 julien.pierre.bugs%sun.com Exp $ */
+/* $Id: sslsnce.c,v 1.36.2.2 2006/07/17 22:15:10 alexei.volkov.bugs%sun.com Exp $ */
/* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server
* cache sids!
@@ -892,7 +892,8 @@
** be) in use by multiple processes. We do not wish to destroy
** the mutexes while they are still in use.
*/
- if (PR_FALSE == cache->sharedCache->everInherited) {
+ if (cache->sharedCache &&
+ PR_FALSE == cache->sharedCache->everInherited) {
sidCacheLock *pLock = cache->sidCacheLocks;
for (; locks_initialized > 0; --locks_initialized, ++pLock ) {
sslMutex_Destroy(&pLock->mutex);
@@ -941,6 +942,12 @@
cache->cacheMemMap = cacheMemMap = NULL;
cache->sharedCache = (cacheDesc *)0;
+ cache->numSIDCacheLocksInitialized = 0;
+ cache->nextCertCacheEntry = 0;
+ cache->stopPolling = PR_FALSE;
+ cache->everInherited = PR_FALSE;
+ cache->poller = NULL;
+
cache->numSIDCacheEntries = maxCacheEntries ? maxCacheEntries
: DEF_SID_CACHE_ENTRIES;
cache->numSIDCacheSets =
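Review bot: Five members of `cache` are zeroed one at a time here, so any member added to the structure later would be left uninitialised on this path again. If nothing in `cache` is populated before this point, a single `memset(cache, 0, sizeof *cache);` at the top would cover current and future members. The function starts outside the hunk, so that precondition needs checking. If the explicit assignments are kept, a comment saying they must stay in step with the structure definition would help. The hunk cuts off in the middle of the `numSIDCacheSets` assignment.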
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...