author | Kai Engert <kaie@kuix.de> |
Sat, 25 Oct 2014 00:34:34 +0200 | |
changeset 212318 | f8e9b337e5d7ad0aa6d6269d794d9ec1f4ab2df4 |
parent 212317 | 8add8629f76589f7dd4395cf741987e71252f8f2 |
child 212319 | 44aadcfb5f5788e9a815e8fc2b289c1326c3cdb2 |
push id | 50934 |
push user | kaie@kuix.de |
push date | Fri, 24 Oct 2014 22:34:47 +0000 |
treeherder | mozilla-inbound@f8e9b337e5d7 [default view] [failures only] |
perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
reviewers | wtc |
bugs | 1088969 |
milestone | 36.0a1 |
first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/security/nss/TAG-INFO +++ b/security/nss/TAG-INFO @@ -1,1 +1,1 @@ -NSS_3_17_2_RTM +NSS_3_18_BETA1
--- a/security/nss/cmd/lib/secutil.c +++ b/security/nss/cmd/lib/secutil.c @@ -286,16 +286,19 @@ secu_InitSlotPassword(PK11SlotInfo *slot PR_fprintf(PR_STDERR, "Enter a password which will be used to encrypt your keys.\n" "The password should be at least 8 characters long,\n" "and should contain at least one non-alphabetic character.\n\n"); output = fopen(consoleName, "w"); if (output == NULL) { PR_fprintf(PR_STDERR, "Error opening output terminal for write\n"); +#ifndef _WINDOWS + fclose(input); +#endif return NULL; } for (;;) { if (p0) PORT_Free(p0); p0 = SEC_GetPassword(input, output, "Enter new password: ",
--- a/security/nss/cmd/rsaperf/rsaperf.c +++ b/security/nss/cmd/rsaperf/rsaperf.c @@ -396,18 +396,16 @@ main(int argc, char **argv) if ((doPriv && doPub) || (doIters && doTime) || ((useTokenKey + useSessionKey + useBLKey) != PR_TRUE) || (useTokenKey && keybits) || (useTokenKey && doKeyGen) || (keybits && (keybits<MIN_KEY_BITS || keybits>MAX_KEY_BITS))) { Usage(progName); } - if (!doPriv && !doPub) doPriv = PR_TRUE; - if (doIters && doTime) Usage(progName); if (!doTime) { doIters = PR_TRUE; } PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); @@ -425,19 +423,17 @@ main(int argc, char **argv) if (rv != SECSuccess) { fprintf(stderr, "NSS_NoDB_Init failed.\n"); exit(1); } } if (useTokenKey) { CK_OBJECT_HANDLE kh = CK_INVALID_HANDLE; - CERTCertDBHandle* certdb = NULL; - certdb = CERT_GetDefaultCertDB(); - + cert = PK11_FindCertFromNickname(nickname, &pwData); if (cert == NULL) { fprintf(stderr, "Can't find certificate by name \"%s\"\n", nickname); exit(1); } pubHighKey = CERT_ExtractPublicKey(cert); if (pubHighKey == NULL) { @@ -485,19 +481,17 @@ main(int argc, char **argv) void * params; slot = PK11_FindSlotByName(slotname); /* locate target slot */ if (!slot) { fprintf(stderr, "Can't find slot \"%s\"\n", slotname); exit(1); } - doKeyGen = PR_TRUE; /* Always do a keygen for session keys. - Import of hardcoded key is not supported */ - /* do a temporary keygen in selected slot */ + /* do a temporary keygen in selected slot */ if (!keybits) { keybits = DEFAULT_KEY_BITS; } printf("Using PKCS#11 with %ld bits session key in token %s.\n", keybits, PK11_GetTokenName(slot)); rsaparams.keySizeInBits = keybits;
--- a/security/nss/cmd/ssltap/ssltap.c +++ b/security/nss/cmd/ssltap/ssltap.c @@ -398,16 +398,17 @@ const char * V2CipherString(int cs_int) case 0x000098: cs_str = "TLS/DH-RSA/SEED-CBC/SHA"; break; case 0x000099: cs_str = "TLS/DHE-DSS/SEED-CBC/SHA"; break; case 0x00009A: cs_str = "TLS/DHE-RSA/SEED-CBC/SHA"; break; case 0x00009B: cs_str = "TLS/DH-ANON/SEED-CBC/SHA"; break; case 0x00009C: cs_str = "TLS/RSA/AES128-GCM/SHA256"; break; case 0x00009E: cs_str = "TLS/DHE-RSA/AES128-GCM/SHA256"; break; case 0x0000FF: cs_str = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"; break; + case 0x005600: cs_str = "TLS_FALLBACK_SCSV"; break; case 0x00C001: cs_str = "TLS/ECDH-ECDSA/NULL/SHA"; break; case 0x00C002: cs_str = "TLS/ECDH-ECDSA/RC4-128/SHA"; break; case 0x00C003: cs_str = "TLS/ECDH-ECDSA/3DES-EDE-CBC/SHA"; break; case 0x00C004: cs_str = "TLS/ECDH-ECDSA/AES128-CBC/SHA"; break; case 0x00C005: cs_str = "TLS/ECDH-ECDSA/AES256-CBC/SHA"; break; case 0x00C006: cs_str = "TLS/ECDHE-ECDSA/NULL/SHA"; break; case 0x00C007: cs_str = "TLS/ECDHE-ECDSA/RC4-128/SHA"; break;
--- a/security/nss/cmd/tstclnt/tstclnt.c +++ b/security/nss/cmd/tstclnt/tstclnt.c @@ -175,17 +175,17 @@ handshakeCallback(PRFileDesc *fd, void * } } static void PrintUsageHeader(const char *progName) { fprintf(stderr, "Usage: %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n" "[-d certdir] [-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n" - "[-V [min-version]:[max-version]] [-T]\n" + "[-V [min-version]:[max-version]] [-K] [-T]\n" "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n", progName); } static void PrintParameterUsage(void) { fprintf(stderr, "%-20s Send different SNI name. 1st_hs_name - at first\n" "%-20s handshake, 2nd_hs_name - at second handshake.\n" @@ -201,16 +201,17 @@ static void PrintParameterUsage(void) fprintf(stderr, "%-20s Bypass PKCS11 layer for SSL encryption and MACing.\n", "-B"); fprintf(stderr, "%-20s Restricts the set of enabled SSL/TLS protocols versions.\n" "%-20s All versions are enabled by default.\n" "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n" "%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n", "-V [min]:[max]", "", "", ""); + fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K"); fprintf(stderr, "%-20s Prints only payload data. Skips HTTP header.\n", "-S"); fprintf(stderr, "%-20s Client speaks first. \n", "-f"); fprintf(stderr, "%-20s Use synchronous certificate validation " "(required for SSL2)\n", "-O"); fprintf(stderr, "%-20s Override bad server cert. Make it OK.\n", "-o"); fprintf(stderr, "%-20s Disable SSL socket locking.\n", "-s"); fprintf(stderr, "%-20s Verbose progress reporting.\n", "-v"); fprintf(stderr, "%-20s Use export policy.\n", "-x"); @@ -802,16 +803,17 @@ int main(int argc, char **argv) PRBool enableSSL2 = PR_TRUE; int bypassPKCS11 = 0; int disableLocking = 0; int useExportPolicy = 0; int enableSessionTickets = 0; int enableCompression = 0; int enableFalseStart = 0; int enableCertStatus = 0; + int forceFallbackSCSV = 0; PRSocketOptionData opt; PRNetAddr addr; PRPollDesc pollset[2]; PRBool allowIPv4 = PR_TRUE; PRBool allowIPv6 = PR_TRUE; PRBool pingServerFirst = PR_FALSE; int pingTimeoutSeconds = -1; PRBool clientSpeaksFirst = PR_FALSE; @@ -847,17 +849,17 @@ int main(int argc, char **argv) if (sec > 0) { maxInterval = PR_SecondsToInterval(sec); } } SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions); optstate = PL_CreateOptState(argc, argv, - "46BFM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz"); + "46BFKM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz"); while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch (optstate->option) { case '?': default : Usage(progName); break; case '4': allowIPv6 = PR_FALSE; if (!allowIPv4) Usage(progName); break; case '6': allowIPv4 = PR_FALSE; if (!allowIPv6) Usage(progName); break; @@ -869,16 +871,18 @@ int main(int argc, char **argv) } serverCertAuth.testFreshStatusFromSideChannel = PR_TRUE; break; case 'I': /* reserved for OCSP multi-stapling */ break; case 'O': serverCertAuth.shouldPause = PR_FALSE; break; + case 'K': forceFallbackSCSV = PR_TRUE; break; + case 'M': switch (atoi(optstate->value)) { case 1: serverCertAuth.allowOCSPSideChannelData = PR_TRUE; serverCertAuth.allowCRLSideChannelData = PR_FALSE; break; case 2: serverCertAuth.allowOCSPSideChannelData = PR_FALSE; serverCertAuth.allowCRLSideChannelData = PR_TRUE; @@ -1213,16 +1217,24 @@ int main(int argc, char **argv) /* enable false start. */ rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart); if (rv != SECSuccess) { SECU_PrintError(progName, "error enabling false start"); return 1; } + if (forceFallbackSCSV) { + rv = SSL_OptionSet(s, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE); + if (rv != SECSuccess) { + SECU_PrintError(progName, "error forcing fallback scsv"); + return 1; + } + } + /* enable cert status (OCSP stapling). */ rv = SSL_OptionSet(s, SSL_ENABLE_OCSP_STAPLING, enableCertStatus); if (rv != SECSuccess) { SECU_PrintError(progName, "error enabling cert status (OCSP stapling)"); return 1; } SSL_SetPKCS11PinArg(s, &pwdata);
--- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -5,9 +5,8 @@ /* * A dummy header file that is a dependency for all the object files. * Used to force a full recompilation of NSS in Mozilla's Tinderbox * depend builds. See comments in rules.mk. */ #error "Do not include this header file." -
--- a/security/nss/lib/crmf/respcli.c +++ b/security/nss/lib/crmf/respcli.c @@ -87,21 +87,23 @@ CMMF_CertRepContentGetResponseAtIndex(CM PORT_Assert(inCertRepContent != NULL && cmmf_CertRepContentIsIndexValid(inCertRepContent, inIndex)); if (inCertRepContent == NULL || !cmmf_CertRepContentIsIndexValid(inCertRepContent, inIndex)) { return NULL; } certResponse = PORT_ZNew(CMMFCertResponse); - rv = cmmf_CopyCertResponse(NULL, certResponse, - inCertRepContent->response[inIndex]); - if (rv != SECSuccess) { - CMMF_DestroyCertResponse(certResponse); - certResponse = NULL; + if (certResponse){ + rv = cmmf_CopyCertResponse(NULL, certResponse, + inCertRepContent->response[inIndex]); + if (rv != SECSuccess) { + CMMF_DestroyCertResponse(certResponse); + certResponse = NULL; + } } return certResponse; } CMMFPKIStatus CMMF_CertResponseGetPKIStatusInfoStatus(CMMFCertResponse *inCertResp) { PORT_Assert(inCertResp != NULL);
--- a/security/nss/lib/freebl/cts.c +++ b/security/nss/lib/freebl/cts.c @@ -234,17 +234,16 @@ CTS_DecryptUpdate(CTSContext *cts, unsig } *outlen = fullblocks; /* AES low level doesn't set outlen */ inbuf += fullblocks; inlen -= fullblocks; if (inlen == 0) { return SECSuccess; } outbuf += fullblocks; - maxout -= fullblocks; /* recover the stolen text */ PORT_Memset(lastBlock, 0, blocksize); PORT_Memcpy(lastBlock, inbuf, inlen); PORT_Memcpy(Cn_1, inbuf, inlen); Pn = outbuf-blocksize; /* inbuf points to Cn-1* in the input buffer */ /* NOTE: below there are 2 sections marked "make up for the out of order
--- a/security/nss/lib/nss/nss.def +++ b/security/nss/lib/nss/nss.def @@ -1057,8 +1057,14 @@ SECMOD_InternaltoPubMechFlags; ;+ global: CERT_AddExtensionByOID; CERT_GetGeneralNameTypeFromString; PK11_PubEncrypt; PK11_PrivDecrypt; ;+ local: ;+ *; ;+}; +;+NSS_3.18 { # NSS 3.18 release +;+ global: +PK11_SetCertificateNickname; +;+ local: +;+ *; +;+};
--- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -28,22 +28,22 @@ /* * NSS's major version, minor version, patch level, build number, and whether * this is a beta release. * * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define NSS_VERSION "3.17.2" _NSS_ECC_STRING _NSS_CUSTOMIZED +#define NSS_VERSION "3.18" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta" #define NSS_VMAJOR 3 -#define NSS_VMINOR 17 -#define NSS_VPATCH 2 +#define NSS_VMINOR 18 +#define NSS_VPATCH 0 #define NSS_VBUILD 0 -#define NSS_BETA PR_FALSE +#define NSS_BETA PR_TRUE #ifndef RC_INVOKED #include "seccomon.h" typedef struct NSSInitParametersStr NSSInitParameters; /*
--- a/security/nss/lib/pk11wrap/pk11cert.c +++ b/security/nss/lib/pk11wrap/pk11cert.c @@ -2148,17 +2148,16 @@ PK11_FindCertFromDERCert(PK11SlotInfo *s CERTCertificate * PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, const SECItem *inDerCert, void *wincx) { NSSDER derCert; NSSToken *tok; - NSSTrustDomain *td = STAN_GetDefaultTrustDomain(); nssCryptokiObject *co = NULL; SECStatus rv; tok = PK11Slot_GetNSSToken(slot); NSSITEM_FROM_SECITEM(&derCert, inDerCert); rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); if (rv != SECSuccess) { PK11_FreeSlot(slot); @@ -2682,8 +2681,19 @@ PK11_GetAllSlotsForCert(CERTCertificate PK11_FreeSlotList(slotList); PORT_SetError(SEC_ERROR_NO_TOKEN); slotList = NULL; } nssCryptokiObjectArray_Destroy(instances); return slotList; } + +SECStatus +PK11_SetCertificateNickname(CERTCertificate *cert, const char *nickname) +{ + /* Can't set nickname of temp cert. */ + if (!cert->slot || cert->pkcs11ID == CK_INVALID_HANDLE) { + return SEC_ERROR_INVALID_ARGS; + } + return PK11_SetObjectNickname(cert->slot, cert->pkcs11ID, nickname); +} +
--- a/security/nss/lib/pk11wrap/pk11pub.h +++ b/security/nss/lib/pk11wrap/pk11pub.h @@ -453,16 +453,18 @@ SECKEYPrivateKey * PK11_LoadPrivKey(PK11 char * PK11_GetSymKeyNickname(PK11SymKey *symKey); char * PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey); char * PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey); SECStatus PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname); SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey, const char *nickname); SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, const char *nickname); +SECStatus PK11_SetCertificateNickname(CERTCertificate *cert, + const char *nickname); /* size to hold key in bytes */ unsigned int PK11_GetKeyLength(PK11SymKey *key); /* size of actual secret parts of key in bits */ /* algid is because RC4 strength is determined by the effective bits as well * as the key bits */ unsigned int PK11_GetKeyStrength(PK11SymKey *key,SECAlgorithmID *algid); SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey);
--- a/security/nss/lib/pk11wrap/pk11util.c +++ b/security/nss/lib/pk11wrap/pk11util.c @@ -1180,17 +1180,17 @@ end_wait: * This function "wakes up" WaitForAnyTokenEvent. It's a pretty drastic * function, possibly bringing down the pkcs #11 module in question. This * should be OK because 1) it does reinitialize, and 2) it should only be * called when we are on our way to tear the whole system down anyway. */ SECStatus SECMOD_CancelWait(SECMODModule *mod) { - unsigned long controlMask = mod->evControlMask; + unsigned long controlMask; SECStatus rv = SECSuccess; CK_RV crv; PZ_Lock(mod->refLock); mod->evControlMask |= SECMOD_END_WAIT; controlMask = mod->evControlMask; if (controlMask & SECMOD_WAIT_PKCS11_EVENT) { if (!pk11_getFinalizeModulesOption()) {
--- a/security/nss/lib/softoken/legacydb/pcertdb.c +++ b/security/nss/lib/softoken/legacydb/pcertdb.c @@ -4728,27 +4728,26 @@ nsslowcert_FindTrustByKey(NSSLOWCERTCert */ NSSLOWCERTCertificate * nsslowcert_FindCertByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN) { SECItem certKey; SECItem *sn = &issuerAndSN->serialNumber; SECItem *issuer = &issuerAndSN->derIssuer; NSSLOWCERTCertificate *cert; - int data_left = sn->len-1; int data_len = sn->len; int index = 0; /* automatically detect DER encoded serial numbers and remove the der * encoding since the database expects unencoded data. * if it's DER encoded, there must be at least 3 bytes, tag, len, data */ if ((sn->len >= 3) && (sn->data[0] == 0x2)) { /* remove the der encoding of the serial number before generating the * key.. */ - data_left = sn->len-2; + int data_left = sn->len-2; data_len = sn->data[1]; index = 2; /* extended length ? (not very likely for a serial number) */ if (data_len & 0x80) { int len_count = data_len & 0x7f; data_len = 0; @@ -4813,28 +4812,27 @@ NSSLOWCERTTrust * nsslowcert_FindTrustByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN) { SECItem certKey; SECItem *sn = &issuerAndSN->serialNumber; SECItem *issuer = &issuerAndSN->derIssuer; NSSLOWCERTTrust *trust; unsigned char keyBuf[512]; - int data_left = sn->len-1; int data_len = sn->len; int index = 0; int len; /* automatically detect DER encoded serial numbers and remove the der * encoding since the database expects unencoded data. * if it's DER encoded, there must be at least 3 bytes, tag, len, data */ if ((sn->len >= 3) && (sn->data[0] == 0x2)) { /* remove the der encoding of the serial number before generating the * key.. */ - data_left = sn->len-2; + int data_left = sn->len-2; data_len = sn->data[1]; index = 2; /* extended length ? (not very likely for a serial number) */ if (data_len & 0x80) { int len_count = data_len & 0x7f; data_len = 0;
--- a/security/nss/lib/softoken/softkver.h +++ b/security/nss/lib/softoken/softkver.h @@ -20,16 +20,16 @@ /* * Softoken's major version, minor version, patch level, build number, * and whether this is a beta release. * * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define SOFTOKEN_VERSION "3.17.2" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.18" SOFTOKEN_ECC_STRING " Beta" #define SOFTOKEN_VMAJOR 3 -#define SOFTOKEN_VMINOR 17 -#define SOFTOKEN_VPATCH 2 +#define SOFTOKEN_VMINOR 18 +#define SOFTOKEN_VPATCH 0 #define SOFTOKEN_VBUILD 0 -#define SOFTOKEN_BETA PR_FALSE +#define SOFTOKEN_BETA PR_TRUE #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -5111,17 +5111,16 @@ ssl3_SendClientHello(sslSocket *ss, PRBo PRUint32 maxBytes = 65535; /* 2^16 - 1 */ PRInt32 extLen; extLen = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, NULL); if (extLen < 0) { if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); } return SECFailure; } - maxBytes -= extLen; total_exten_len += extLen; if (total_exten_len > 0) total_exten_len += 2; } #ifndef NSS_DISABLE_ECC if (!total_exten_len || !isTLS) {
--- a/security/nss/lib/util/nssutil.h +++ b/security/nss/lib/util/nssutil.h @@ -14,22 +14,22 @@ /* * NSS utilities's major version, minor version, patch level, build number, * and whether this is a beta release. * * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]" */ -#define NSSUTIL_VERSION "3.17.2" +#define NSSUTIL_VERSION "3.18 Beta" #define NSSUTIL_VMAJOR 3 -#define NSSUTIL_VMINOR 17 -#define NSSUTIL_VPATCH 2 +#define NSSUTIL_VMINOR 18 +#define NSSUTIL_VPATCH 0 #define NSSUTIL_VBUILD 0 -#define NSSUTIL_BETA PR_FALSE +#define NSSUTIL_BETA PR_TRUE SEC_BEGIN_PROTOS /* * Returns a const string of the UTIL library version. */ extern const char *NSSUTIL_GetVersion(void);