| author | Brian Smith <brian@briansmith.org> |
| Sun, 09 Mar 2014 19:40:25 -0700 | |
| changeset 172694 | 1624c45df0d9d0bfe685ce5704f5ae681bec3941 |
| parent 172693 | c25dfac7ab7b1d4c14d20340991ebd5cb80f1a42 |
| child 172695 | 31f11525de8ea325881f632f745f428f9c5c9c51 |
| push id | 26375 |
| push user | cbook@mozilla.com |
| push date | Mon, 10 Mar 2014 11:27:51 +0000 |
| treeherder | mozilla-central@19839a359db1 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | me |
| bugs | 967153 |
| milestone | 30.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/security/nss/Makefile +++ b/security/nss/Makefile @@ -56,16 +56,19 @@ NSPR_CONFIGURE = $(CORE_DEPTH)/../nspr/c # ifeq ($(OS_TARGET),Android) NSPR_CONFIGURE_OPTS += --with-android-ndk=$(ANDROID_NDK) --target=arm-linux-androideabi --with-android-version=$(OS_TARGET_RELEASE) endif ifdef BUILD_OPT NSPR_CONFIGURE_OPTS += --disable-debug --enable-optimize endif +ifdef USE_X32 +NSPR_CONFIGURE_OPTS += --enable-x32 +endif ifdef USE_64 NSPR_CONFIGURE_OPTS += --enable-64bit endif ifeq ($(OS_TARGET),WIN95) NSPR_CONFIGURE_OPTS += --enable-win32-target=WIN95 endif ifdef USE_DEBUG_RTL NSPR_CONFIGURE_OPTS += --enable-debug-rtl
--- a/security/nss/TAG-INFO +++ b/security/nss/TAG-INFO @@ -1,1 +1,1 @@ -NSS_3_16_BETA4 +NSS_3_16_BETA5
--- a/security/nss/cmd/modutil/install.c +++ b/security/nss/cmd/modutil/install.c @@ -772,17 +772,17 @@ loser: PR_Free(dest); } if(modDest) { PR_Free(modDest); } if(tempname) { PRFileInfo info; if(PR_GetFileInfo(tempname, &info) == PR_SUCCESS) { - if((info.type == PR_FILE_DIRECTORY)) { + if(info.type == PR_FILE_DIRECTORY) { /* Recursively remove temporary directory */ if(rm_dash_r(tempname)) { error(PK11_INSTALL_REMOVE_DIR, tempname); ret=PK11_INSTALL_REMOVE_DIR; } }
--- a/security/nss/cmd/selfserv/selfserv.c +++ b/security/nss/cmd/selfserv/selfserv.c @@ -102,40 +102,40 @@ const int ssl2CipherSuites[] = { SSL_EN_DES_64_CBC_WITH_MD5, /* E */ SSL_EN_DES_192_EDE3_CBC_WITH_MD5, /* F */ 0 }; const int ssl3CipherSuites[] = { -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */ -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA * b */ - SSL_RSA_WITH_RC4_128_MD5, /* c */ - SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ - SSL_RSA_WITH_DES_CBC_SHA, /* e */ - SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ - SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ + TLS_RSA_WITH_RC4_128_MD5, /* c */ + TLS_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ + TLS_RSA_WITH_DES_CBC_SHA, /* e */ + TLS_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA, * h */ - SSL_RSA_WITH_NULL_MD5, /* i */ + TLS_RSA_WITH_NULL_MD5, /* i */ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */ - SSL_RSA_WITH_RC4_128_SHA, /* n */ + TLS_RSA_WITH_RC4_128_SHA, /* n */ -1, /* TLS_DHE_DSS_WITH_RC4_128_SHA, * o */ - -1, /* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, * p */ - -1, /* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, * q */ - -1, /* SSL_DHE_RSA_WITH_DES_CBC_SHA, * r */ - -1, /* SSL_DHE_DSS_WITH_DES_CBC_SHA, * s */ + -1, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, * p */ + -1, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, * q */ + -1, /* TLS_DHE_RSA_WITH_DES_CBC_SHA, * r */ + -1, /* TLS_DHE_DSS_WITH_DES_CBC_SHA, * s */ -1, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA, * t */ -1, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA, * u */ TLS_RSA_WITH_AES_128_CBC_SHA, /* v */ -1, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA, * w */ -1, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA, * x */ TLS_RSA_WITH_AES_256_CBC_SHA, /* y */ - SSL_RSA_WITH_NULL_SHA, /* z */ + TLS_RSA_WITH_NULL_SHA, /* z */ 0 }; /* data and structures for shutdown */ static int stopping; static PRBool noDelay; static int requestCert; @@ -1927,19 +1927,19 @@ server_main( errExit("SSL_OptionSet SSL_NO_CACHE"); } } /* This cipher is not on by default. The Acceptance test * would like it to be. Turn this cipher on. */ - secStatus = SSL_CipherPrefSetDefault( SSL_RSA_WITH_NULL_MD5, PR_TRUE); + secStatus = SSL_CipherPrefSetDefault( TLS_RSA_WITH_NULL_MD5, PR_TRUE); if ( secStatus != SECSuccess ) { - errExit("SSL_CipherPrefSetDefault:SSL_RSA_WITH_NULL_MD5"); + errExit("SSL_CipherPrefSetDefault:TLS_RSA_WITH_NULL_MD5"); } if (expectedHostNameVal) { SSL_HandshakeCallback(model_sock, handshakeCallback, (void*)expectedHostNameVal); } if (requestCert) {
--- a/security/nss/cmd/ssltap/ssltap.c +++ b/security/nss/cmd/ssltap/ssltap.c @@ -488,23 +488,23 @@ const char * helloExtensionNameString(in default: sprintf(buf, "%d", ex_num); ex_name = (const char *)buf; break; } return ex_name; } static int isNULLmac(int cs_int) { - return (cs_int == SSL_NULL_WITH_NULL_NULL); + return (cs_int == TLS_NULL_WITH_NULL_NULL); } static int isNULLcipher(int cs_int) { - return ((cs_int == SSL_RSA_WITH_NULL_MD5) || - (cs_int == SSL_RSA_WITH_NULL_SHA) || + return ((cs_int == TLS_RSA_WITH_NULL_MD5) || + (cs_int == TLS_RSA_WITH_NULL_SHA) || (cs_int == SSL_FORTEZZA_DMS_WITH_NULL_SHA) || (cs_int == TLS_ECDH_ECDSA_WITH_NULL_SHA) || (cs_int == TLS_ECDHE_ECDSA_WITH_NULL_SHA) || (cs_int == TLS_ECDH_RSA_WITH_NULL_SHA) || (cs_int == TLS_ECDHE_RSA_WITH_NULL_SHA)); } void partial_packet(int thispacket, int size, int needed)
--- a/security/nss/cmd/strsclnt/strsclnt.c +++ b/security/nss/cmd/strsclnt/strsclnt.c @@ -54,40 +54,40 @@ int ssl2CipherSuites[] = { SSL_EN_DES_64_CBC_WITH_MD5, /* E */ SSL_EN_DES_192_EDE3_CBC_WITH_MD5, /* F */ 0 }; int ssl3CipherSuites[] = { -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */ -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA * b */ - SSL_RSA_WITH_RC4_128_MD5, /* c */ - SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ - SSL_RSA_WITH_DES_CBC_SHA, /* e */ - SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ - SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ + TLS_RSA_WITH_RC4_128_MD5, /* c */ + TLS_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ + TLS_RSA_WITH_DES_CBC_SHA, /* e */ + TLS_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA * h */ - SSL_RSA_WITH_NULL_MD5, /* i */ + TLS_RSA_WITH_NULL_MD5, /* i */ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */ - SSL_RSA_WITH_RC4_128_SHA, /* n */ + TLS_RSA_WITH_RC4_128_SHA, /* n */ TLS_DHE_DSS_WITH_RC4_128_SHA, /* o */ - SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* p */ - SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, /* q */ - SSL_DHE_RSA_WITH_DES_CBC_SHA, /* r */ - SSL_DHE_DSS_WITH_DES_CBC_SHA, /* s */ + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* p */ + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, /* q */ + TLS_DHE_RSA_WITH_DES_CBC_SHA, /* r */ + TLS_DHE_DSS_WITH_DES_CBC_SHA, /* s */ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* t */ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, /* u */ TLS_RSA_WITH_AES_128_CBC_SHA, /* v */ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, /* w */ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, /* x */ TLS_RSA_WITH_AES_256_CBC_SHA, /* y */ - SSL_RSA_WITH_NULL_SHA, /* z */ + TLS_RSA_WITH_NULL_SHA, /* z */ 0 }; #define NO_FULLHS_PERCENTAGE -1 /* This global string is so that client main can see * which ciphers to use. */
--- a/security/nss/cmd/tstclnt/tstclnt.c +++ b/security/nss/cmd/tstclnt/tstclnt.c @@ -63,40 +63,40 @@ int ssl2CipherSuites[] = { SSL_EN_DES_64_CBC_WITH_MD5, /* E */ SSL_EN_DES_192_EDE3_CBC_WITH_MD5, /* F */ 0 }; int ssl3CipherSuites[] = { -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */ -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, * b */ - SSL_RSA_WITH_RC4_128_MD5, /* c */ - SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ - SSL_RSA_WITH_DES_CBC_SHA, /* e */ - SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ - SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ + TLS_RSA_WITH_RC4_128_MD5, /* c */ + TLS_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ + TLS_RSA_WITH_DES_CBC_SHA, /* e */ + TLS_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA, * h */ - SSL_RSA_WITH_NULL_MD5, /* i */ + TLS_RSA_WITH_NULL_MD5, /* i */ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */ - SSL_RSA_WITH_RC4_128_SHA, /* n */ + TLS_RSA_WITH_RC4_128_SHA, /* n */ TLS_DHE_DSS_WITH_RC4_128_SHA, /* o */ - SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* p */ - SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, /* q */ - SSL_DHE_RSA_WITH_DES_CBC_SHA, /* r */ - SSL_DHE_DSS_WITH_DES_CBC_SHA, /* s */ + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* p */ + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, /* q */ + TLS_DHE_RSA_WITH_DES_CBC_SHA, /* r */ + TLS_DHE_DSS_WITH_DES_CBC_SHA, /* s */ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* t */ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, /* u */ TLS_RSA_WITH_AES_128_CBC_SHA, /* v */ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, /* w */ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, /* x */ TLS_RSA_WITH_AES_256_CBC_SHA, /* y */ - SSL_RSA_WITH_NULL_SHA, /* z */ + TLS_RSA_WITH_NULL_SHA, /* z */ 0 }; unsigned long __cmp_umuls; PRBool verbose; int renegotiationsToDo = 0; int renegotiationsDone = 0;
--- a/security/nss/cmd/vfyserv/vfyserv.c +++ b/security/nss/cmd/vfyserv/vfyserv.c @@ -492,17 +492,17 @@ main(int argc, char **argv) goto cleanup; } } } /* All cipher suites except RSA_NULL_MD5 are enabled by * Domestic Policy. */ NSS_SetDomesticPolicy(); - SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE); + SSL_CipherPrefSetDefault(TLS_RSA_WITH_NULL_MD5, PR_TRUE); /* all the SSL2 and SSL3 cipher suites are enabled by default. */ if (cipherString) { int ndx; /* disable all the ciphers, then enable the ones we want. */ disableAllSSLCiphers();
--- a/security/nss/cmd/vfyserv/vfyutil.c +++ b/security/nss/cmd/vfyserv/vfyutil.c @@ -22,40 +22,40 @@ int ssl2CipherSuites[] = { SSL_EN_DES_64_CBC_WITH_MD5, /* E */ SSL_EN_DES_192_EDE3_CBC_WITH_MD5, /* F */ 0 }; int ssl3CipherSuites[] = { -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */ -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, * b */ - SSL_RSA_WITH_RC4_128_MD5, /* c */ - SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ - SSL_RSA_WITH_DES_CBC_SHA, /* e */ - SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ - SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ + TLS_RSA_WITH_RC4_128_MD5, /* c */ + TLS_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ + TLS_RSA_WITH_DES_CBC_SHA, /* e */ + TLS_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA, * h */ - SSL_RSA_WITH_NULL_MD5, /* i */ + TLS_RSA_WITH_NULL_MD5, /* i */ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */ - SSL_RSA_WITH_RC4_128_SHA, /* n */ + TLS_RSA_WITH_RC4_128_SHA, /* n */ TLS_DHE_DSS_WITH_RC4_128_SHA, /* o */ - SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* p */ - SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, /* q */ - SSL_DHE_RSA_WITH_DES_CBC_SHA, /* r */ - SSL_DHE_DSS_WITH_DES_CBC_SHA, /* s */ + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* p */ + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, /* q */ + TLS_DHE_RSA_WITH_DES_CBC_SHA, /* r */ + TLS_DHE_DSS_WITH_DES_CBC_SHA, /* s */ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* t */ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, /* u */ TLS_RSA_WITH_AES_128_CBC_SHA, /* v */ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, /* w */ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, /* x */ TLS_RSA_WITH_AES_256_CBC_SHA, /* y */ - SSL_RSA_WITH_NULL_SHA, /* z */ + TLS_RSA_WITH_NULL_SHA, /* z */ 0 }; /************************************************************************** ** ** SSL callback routines. ** **************************************************************************/
--- a/security/nss/coreconf/Linux.mk +++ b/security/nss/coreconf/Linux.mk @@ -50,21 +50,28 @@ endif else ifeq ($(OS_TEST),alpha) OS_REL_CFLAGS = -D_ALPHA_ CPU_ARCH = alpha else ifeq ($(OS_TEST),x86_64) ifeq ($(USE_64),1) CPU_ARCH = x86_64 + ARCHFLAG = -m64 +else +ifeq ($(USE_X32),1) + CPU_ARCH = x86_64 + ARCHFLAG = -mx32 + 64BIT_TAG = _x32 else OS_REL_CFLAGS = -Di386 CPU_ARCH = x86 ARCHFLAG = -m32 endif +endif else ifeq ($(OS_TEST),sparc64) CPU_ARCH = sparc else ifeq (,$(filter-out arm% sa110,$(OS_TEST))) CPU_ARCH = arm else ifeq (,$(filter-out parisc%,$(OS_TEST))) @@ -118,22 +125,17 @@ ifdef MOZ_DEBUG_SYMBOLS endif endif ifeq ($(USE_PTHREADS),1) OS_PTHREAD = -lpthread endif -# See bug 537829, in particular comment 23. -# Place -ansi and *_SOURCE before $(DSO_CFLAGS) so DSO_CFLAGS can override -# -ansi on platforms like Android where the system headers are C99 and do -# not build with -ansi. -STANDARDS_CFLAGS = -D_POSIX_SOURCE -D_BSD_SOURCE -D_XOPEN_SOURCE -OS_CFLAGS = $(STANDARDS_CFLAGS) $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -DLINUX -Dlinux -DHAVE_STRERROR +OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -DLINUX -Dlinux -DHAVE_STRERROR OS_LIBS = $(OS_PTHREAD) -ldl -lc ifdef USE_PTHREADS DEFINES += -D_REENTRANT endif ARCH = linux
--- a/security/nss/coreconf/config.mk +++ b/security/nss/coreconf/config.mk @@ -180,8 +180,11 @@ endif # This allows all library and tools code to use the util function # implementations directly from libnssutil3, rather than the wrappers # in libnss3 which are present for binary compatibility only DEFINES += -DUSE_UTIL_DIRECTLY USE_UTIL_DIRECTLY = 1 # Build with NO_NSPR_10_SUPPORT to avoid using obsolete NSPR features DEFINES += -DNO_NSPR_10_SUPPORT + +# Hide old, deprecated, TLS cipher suite names when building NSS +DEFINES += -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES
--- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -5,8 +5,9 @@ /* * A dummy header file that is a dependency for all the object files. * Used to force a full recompilation of NSS in Mozilla's Tinderbox * depend builds. See comments in rules.mk. */ #error "Do not include this header file." +
--- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -1389,18 +1389,18 @@ cert_TestHostName(char * cn, const char /* For a cn pattern to be considered valid, the wildcard character... * - may occur only in a DNS name with at least 3 components, and * - may occur only as last character in the first component, and * - may be preceded by additional characters, and * - must not be preceded by an IDNA ACE prefix (xn--) */ if (wildcard && secondcndot && secondcndot[1] && firsthndot - && firstcndot - wildcard == 1 /* no chars between * and . */ - && secondcndot - firstcndot > 1 /* not .. */ + && firstcndot - wildcard == 1 /* wildcard is last char in first component */ + && secondcndot - firstcndot > 1 /* second component is non-empty */ && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */ && !PORT_Strncasecmp(cn, hn, wildcard - cn) && !PORT_Strcasecmp(firstcndot, firsthndot) /* If hn starts with xn--, then cn must start with wildcard */ && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) { /* valid wildcard pattern match */ return SECSuccess; }
--- a/security/nss/lib/ckfw/builtins/certdata.txt +++ b/security/nss/lib/ckfw/builtins/certdata.txt @@ -602,29 +602,29 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\065\336\364\317 END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# Distrust "Distrust a pb.com certificate that does not comply with the baseline requirements."" +# Distrust "Distrust a pb.com certificate that does not comply with the baseline requirements." # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US # Serial Number: 1407252 (0x157914) # Subject: CN=*.pb.com,OU=Meters,O=Pitney Bowes,L=Danbury,ST=Connecticut,C=US # Not Valid Before: Mon Feb 01 14:54:04 2010 # Not Valid After : Tue Sep 30 00:00:00 2014 # Fingerprint (MD5): 8F:46:BE:99:47:6F:93:DC:5C:01:54:50:D0:4A:BD:AC # Fingerprint (SHA1): 30:F1:82:CA:1A:5E:4E:4F:F3:6E:D0:E6:38:18:B8:B9:41:CB:5F:8C CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Distrust a pb.com certificate that does not comply with the baseline requirements."" +CKA_LABEL UTF8 "Distrust a pb.com certificate that does not comply with the baseline requirements." CKA_ISSUER MULTILINE_OCTAL \060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061 \020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141 \170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151 \146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151 \146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171 END CKA_SERIAL_NUMBER MULTILINE_OCTAL
--- a/security/nss/lib/dbm/include/mcom_db.h +++ b/security/nss/lib/dbm/include/mcom_db.h @@ -40,17 +40,21 @@ #endif #include "prtypes.h" #if !defined(XP_BEOS) && !defined(XP_OS2) && !defined(XP_UNIX) || defined(NTO) typedef PRUintn uint; #endif typedef PRUint8 uint8; typedef PRUint16 uint16; +/* On AIX 5.2, sys/inttypes.h (which is included by sys/types.h) + * defines the types int8, int16, int32, and int64. */ +#if !defined(AIX) typedef PRInt32 int32; +#endif typedef PRUint32 uint32; #include <limits.h> #ifdef __DBINTERFACE_PRIVATE #ifdef HAVE_SYS_CDEFS_H #include <sys/cdefs.h>
--- a/security/nss/lib/freebl/Makefile +++ b/security/nss/lib/freebl/Makefile @@ -90,17 +90,17 @@ endif ifdef FREEBL_PRELINK_COMMAND DEFINES +=-DFREEBL_PRELINK_COMMAND=\"$(FREEBL_PRELINK_COMMAND)\" endif # NSS_X86 means the target is a 32-bits x86 CPU architecture # NSS_X64 means the target is a 64-bits 64 CPU architecture # NSS_X86_OR_X64 means the target is either x86 or x64 ifeq (,$(filter-out i386 x386 x86 x86_64,$(CPU_ARCH))) DEFINES += -DNSS_X86_OR_X64 -ifdef USE_64 +ifneq (,$(USE_64)$(USE_X32)) DEFINES += -DNSS_X64 else DEFINES += -DNSS_X86 endif endif ifeq ($(OS_TARGET),OSF1) DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_NO_MP_WORD @@ -175,17 +175,17 @@ ifeq ($(CPU_ARCH),x86) DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE DEFINES += -DMP_ASSEMBLY_DIV_2DX1D endif endif # Darwin ifeq ($(OS_TARGET),Linux) ifeq ($(CPU_ARCH),x86_64) ASFILES = arcfour-amd64-gas.s mpi_amd64_gas.s - ASFLAGS += -m64 -fPIC -Wa,--noexecstack + ASFLAGS += -fPIC -Wa,--noexecstack DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY DEFINES += -DNSS_USE_COMBA DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN # DEFINES += -DMPI_AMD64_ADD # comment the next two lines to turn off intel HW accelleration DEFINES += -DUSE_HW_AES ASFILES += intel-aes.s intel-gcm.s EXTRA_SRCS += intel-gcm-wrap.c
--- a/security/nss/lib/freebl/arcfour.c +++ b/security/nss/lib/freebl/arcfour.c @@ -25,17 +25,17 @@ #if defined(AIX) || defined(OSF1) || defined(NSS_BEVAND_ARCFOUR) /* Treat array variables as words, not bytes, on CPUs that take * much longer to write bytes than to write words, or when using * assembler code that required it. */ #define USE_WORD #endif -#if (defined(IS_64)) +#if defined(IS_64) || defined(NSS_BEVAND_ARCFOUR) typedef PRUint64 WORD; #else typedef PRUint32 WORD; #endif #define WORDSIZE sizeof(WORD) #if defined(USE_WORD) typedef WORD Stype;
--- a/security/nss/lib/freebl/mpi/mpi.h +++ b/security/nss/lib/freebl/mpi/mpi.h @@ -51,21 +51,21 @@ typedef int mp_err; #if !defined(ULONG_MAX) #error "ULONG_MAX not defined" #elif !defined(UINT_MAX) #error "UINT_MAX not defined" #elif !defined(USHRT_MAX) #error "USHRT_MAX not defined" #endif -#if defined(ULONG_LONG_MAX) /* GCC, HPUX */ -#define MP_ULONG_LONG_MAX ULONG_LONG_MAX -#elif defined(ULLONG_MAX) /* Solaris */ +#if defined(ULLONG_MAX) /* C99, Solaris */ #define MP_ULONG_LONG_MAX ULLONG_MAX /* MP_ULONG_LONG_MAX was defined to be ULLONG_MAX */ +#elif defined(ULONG_LONG_MAX) /* HPUX */ +#define MP_ULONG_LONG_MAX ULONG_LONG_MAX #elif defined(ULONGLONG_MAX) /* IRIX, AIX */ #define MP_ULONG_LONG_MAX ULONGLONG_MAX #endif /* We only use unsigned long for mp_digit iff long is more than 32 bits. */ #if !defined(MP_USE_UINT_DIGIT) && ULONG_MAX > MP_32BIT_MAX typedef unsigned long mp_digit; #define MP_DIGIT_MAX ULONG_MAX
--- a/security/nss/lib/libpkix/include/pkix_pl_pki.h +++ b/security/nss/lib/libpkix/include/pkix_pl_pki.h @@ -1510,17 +1510,17 @@ typedef enum PKIX_PL_TrustAnchorModeEnum PKIX_PL_TrustAnchorMode_Additive, /* Indicates that ONLY trust anchors should be considered as * trustworthy. * Note: If the underlying platform supports marking a certificate as * explicitly untrustworthy, explicitly configured trust anchors * MAY be ignored/rejected. */ - PKIX_PL_TrustAnchorMode_Exclusive, + PKIX_PL_TrustAnchorMode_Exclusive } PKIX_PL_TrustAnchorMode; /* * FUNCTION: PKIX_PL_Cert_IsCertTrusted * DESCRIPTION: * * Checks the Cert specified by "cert" to determine, in a manner that depends * on the underlying platform, whether it is trusted, and stores the result in
--- a/security/nss/lib/pk11wrap/pk11pub.h +++ b/security/nss/lib/pk11wrap/pk11pub.h @@ -767,17 +767,18 @@ CK_MECHANISM_TYPE PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **param, SECItem *pwd); /********************************************************************** * Functions to manage secmod flags **********************************************************************/ PK11DefaultArrayEntry *PK11_GetDefaultArray(int *size); SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot, - PK11DefaultArrayEntry *entry, PRBool add); + const PK11DefaultArrayEntry *entry, + PRBool add); /********************************************************************** * Functions to look at PKCS #11 dependent data **********************************************************************/ PK11GenericObject *PK11_FindGenericObjects(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass); PK11GenericObject *PK11_GetNextGenericObject(PK11GenericObject *object); PK11GenericObject *PK11_GetPrevGenericObject(PK11GenericObject *object);
--- a/security/nss/lib/pk11wrap/pk11slot.c +++ b/security/nss/lib/pk11wrap/pk11slot.c @@ -943,19 +943,20 @@ PK11_LoadSlotList(PK11SlotInfo *slot, PK } /* * update a slot to its new attribute according to the slot list * returns: SECSuccess if nothing to do or add/delete is successful */ SECStatus -PK11_UpdateSlotAttribute(PK11SlotInfo *slot, PK11DefaultArrayEntry *entry, - PRBool add) - /* add: PR_TRUE if want to turn on */ +PK11_UpdateSlotAttribute(PK11SlotInfo *slot, + const PK11DefaultArrayEntry *entry, + PRBool add) + /* add: PR_TRUE if want to turn on */ { SECStatus result = SECSuccess; PK11SlotList *slotList = PK11_GetSlotList(entry->mechanism); if (add) { /* trying to turn on a mechanism */ /* turn on the default flag in the slot */ slot->defaultFlags |= entry->flag;
--- a/security/nss/lib/ssl/derive.c +++ b/security/nss/lib/ssl/derive.c @@ -629,31 +629,31 @@ SSL_CanBypass(CERTCertificate *cert, SEC srvPubkey = CERT_ExtractPublicKey(cert); if (!srvPubkey) return SECFailure; *pcanbypass = PR_TRUE; rv = SECFailure; /* determine which KEAs to test */ - /* 0 (SSL_NULL_WITH_NULL_NULL) is used as a list terminator because + /* 0 (TLS_NULL_WITH_NULL_NULL) is used as a list terminator because * SSL3 and TLS specs forbid negotiating that cipher suite number. */ for (i=0; i < nsuites && (suite = *ciphersuites++) != 0; i++) { /* skip SSL2 cipher suites and ones NSS doesn't support */ if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess || SSL_IS_SSL2_CIPHER(suite) ) continue; switch (csdef.keaType) { case ssl_kea_rsa: switch (csdef.cipherSuite) { case TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: case TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: - case SSL_RSA_EXPORT_WITH_RC4_40_MD5: - case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5: + case TLS_RSA_EXPORT_WITH_RC4_40_MD5: + case TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: testrsa_export = PR_TRUE; } if (!testrsa_export) testrsa = PR_TRUE; break; case ssl_kea_ecdh: if (strcmp(csdef.keaTypeName, "ECDHE") == 0) /* ephemeral? */ testecdhe = PR_TRUE;
--- a/security/nss/lib/ssl/dtlscon.c +++ b/security/nss/lib/ssl/dtlscon.c @@ -34,20 +34,20 @@ static const ssl3CipherSuite nonDTLSSuit TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, #endif /* NSS_DISABLE_ECC */ TLS_DHE_DSS_WITH_RC4_128_SHA, #ifndef NSS_DISABLE_ECC TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, #endif /* NSS_DISABLE_ECC */ - SSL_RSA_WITH_RC4_128_MD5, - SSL_RSA_WITH_RC4_128_SHA, + TLS_RSA_WITH_RC4_128_MD5, + TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, - SSL_RSA_EXPORT_WITH_RC4_40_MD5, + TLS_RSA_EXPORT_WITH_RC4_40_MD5, 0 /* End of list marker */ }; /* Map back and forth between TLS and DTLS versions in wire format. * Mapping table is: * * TLS DTLS * 1.1 (0302) 1.0 (feff)
--- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -113,18 +113,18 @@ static ssl3CipherSuiteCfg cipherSuites[s { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, #ifndef NSS_DISABLE_ECC { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, @@ -138,44 +138,44 @@ static ssl3CipherSuiteCfg cipherSuites[s { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { SSL_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { SSL_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE}, /* 56-bit DES "domestic" cipher suites */ - { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { SSL_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, /* export ciphersuites with 1024-bit public key exchange keys */ { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, /* export ciphersuites with 512-bit public key exchange keys */ - { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, /* ciphersuites with no encryption */ #ifndef NSS_DISABLE_ECC { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, #endif /* NSS_DISABLE_ECC */ - { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, }; /* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order. */ #ifdef DEBUG void ssl3_CheckCipherSuiteOrderConsistency() { unsigned int i; @@ -308,59 +308,59 @@ static const ssl3KEADef kea_defs[] = #endif /* NSS_DISABLE_ECC */ }; /* must use ssl_LookupCipherSuiteDef to access */ static const ssl3CipherSuiteDef cipher_suite_defs[] = { /* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg */ - {SSL_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null}, - {SSL_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa}, - {SSL_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa}, + {TLS_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null}, + {TLS_RSA_WITH_NULL_MD5, cipher_null, mac_md5, kea_rsa}, + {TLS_RSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_rsa}, {TLS_RSA_WITH_NULL_SHA256, cipher_null, hmac_sha256, kea_rsa}, - {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export}, - {SSL_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa}, - {SSL_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa}, - {SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, + {TLS_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export}, + {TLS_RSA_WITH_RC4_128_MD5, cipher_rc4, mac_md5, kea_rsa}, + {TLS_RSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_rsa}, + {TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, cipher_rc2_40, mac_md5, kea_rsa_export}, #if 0 /* not implemented */ - {SSL_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa}, - {SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, + {TLS_RSA_WITH_IDEA_CBC_SHA, cipher_idea, mac_sha, kea_rsa}, + {TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, cipher_des40, mac_sha, kea_rsa_export}, #endif - {SSL_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa}, - {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa}, - {SSL_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss}, - {SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, + {TLS_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa}, + {TLS_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa}, + {TLS_DHE_DSS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_dss}, + {TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_dhe_dss}, {TLS_DHE_DSS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_dhe_dss}, #if 0 /* not implemented */ - {SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, + {TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, cipher_des40, mac_sha, kea_dh_dss_export}, - {SSL_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss}, - {SSL_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss}, - {SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, + {TLS_DH_DSS_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_dss}, + {TLS_DH_DSS_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_dss}, + {TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, cipher_des40, mac_sha, kea_dh_rsa_export}, - {SSL_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa}, - {SSL_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa}, - {SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, + {TLS_DH_RSA_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_rsa}, + {TLS_DH_RSA_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_rsa}, + {TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, cipher_des40, mac_sha, kea_dh_dss_export}, - {SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, + {TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, cipher_des40, mac_sha, kea_dh_rsa_export}, #endif - {SSL_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa}, - {SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, + {TLS_DHE_RSA_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dhe_rsa}, + {TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_dhe_rsa}, #if 0 {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export}, - {SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, + {TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA, cipher_des40, mac_sha, kea_dh_anon_export}, - {SSL_DH_ANON_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon}, - {SSL_DH_ANON_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon}, + {TLS_DH_anon_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_dh_anon}, + {TLS_DH_anon_WITH_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon}, #endif /* New TLS cipher suites */ {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa}, {TLS_RSA_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_rsa}, {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss}, {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa}, @@ -368,20 +368,20 @@ static const ssl3CipherSuiteDef cipher_s {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa}, {TLS_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_rsa}, {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss}, {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa}, {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa}, #if 0 {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss}, {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa}, - {TLS_DH_ANON_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon}, + {TLS_DH_anon_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon}, {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss}, {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa}, - {TLS_DH_ANON_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon}, + {TLS_DH_anon_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon}, #endif {TLS_RSA_WITH_SEED_CBC_SHA, cipher_seed, mac_sha, kea_rsa}, {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa}, {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_dhe_dss}, {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, @@ -617,25 +617,25 @@ ssl3_CipherSuiteAllowedForVersionRange( ssl3CipherSuite cipherSuite, const SSLVersionRange *vrange) { switch (cipherSuite) { /* See RFC 4346 A.5. Export cipher suites must not be used in TLS 1.1 or * later. This set of cipher suites is similar to, but different from, the * set of cipher suites considered exportable by SSL_IsExportCipherSuite. */ - case SSL_RSA_EXPORT_WITH_RC4_40_MD5: - case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5: - /* SSL_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented - * SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented - * SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented - * SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented - * SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented - * SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5: never implemented - * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented + case TLS_RSA_EXPORT_WITH_RC4_40_MD5: + case TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: + /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented + * TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented + * TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented + * TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: never implemented + * TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: never implemented + * TLS_DH_anon_EXPORT_WITH_RC4_40_MD5: never implemented + * TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA: never implemented */ return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0; case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: case TLS_RSA_WITH_AES_256_CBC_SHA256: case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: @@ -9404,27 +9404,31 @@ ssl3_HandleNewSessionTicket(sslSocket *s (void)SSL3_SendAlert(ss, alert_fatal, decode_error); PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); return SECFailure; } ss->ssl3.hs.newSessionTicket.ticket_lifetime_hint = (PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length); rv = ssl3_ConsumeHandshakeVariable(ss, &ticketData, 2, &b, &length); - if (length != 0 || rv != SECSuccess) { + if (rv != SECSuccess || length != 0) { (void)SSL3_SendAlert(ss, alert_fatal, decode_error); PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); return SECFailure; /* malformed */ } - rv = SECITEM_CopyItem(NULL, &ss->ssl3.hs.newSessionTicket.ticket, - &ticketData); - if (rv != SECSuccess) { - return rv; - } - ss->ssl3.hs.receivedNewSessionTicket = PR_TRUE; + /* If the server sent a zero-length ticket, ignore it and keep the + * existing ticket. */ + if (ticketData.len != 0) { + rv = SECITEM_CopyItem(NULL, &ss->ssl3.hs.newSessionTicket.ticket, + &ticketData); + if (rv != SECSuccess) { + return rv; + } + ss->ssl3.hs.receivedNewSessionTicket = PR_TRUE; + } ss->ssl3.hs.ws = wait_change_cipher; return SECSuccess; } #ifdef NISCC_TEST static PRInt32 connNum = 0;
--- a/security/nss/lib/ssl/sslenum.c +++ b/security/nss/lib/ssl/sslenum.c @@ -71,18 +71,18 @@ const PRUint16 SSL_ImplementedCiphers[] TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, - SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, - SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_RC4_128_SHA, #ifndef NSS_DISABLE_ECC TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, @@ -95,44 +95,44 @@ const PRUint16 SSL_ImplementedCiphers[] TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_RSA_WITH_SEED_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, - SSL_RSA_WITH_3DES_EDE_CBC_SHA, - SSL_RSA_WITH_RC4_128_SHA, - SSL_RSA_WITH_RC4_128_MD5, + TLS_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_RSA_WITH_RC4_128_SHA, + TLS_RSA_WITH_RC4_128_MD5, /* 56-bit DES "domestic" cipher suites */ - SSL_DHE_RSA_WITH_DES_CBC_SHA, - SSL_DHE_DSS_WITH_DES_CBC_SHA, + TLS_DHE_RSA_WITH_DES_CBC_SHA, + TLS_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, - SSL_RSA_WITH_DES_CBC_SHA, + TLS_RSA_WITH_DES_CBC_SHA, /* export ciphersuites with 1024-bit public key exchange keys */ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* export ciphersuites with 512-bit public key exchange keys */ - SSL_RSA_EXPORT_WITH_RC4_40_MD5, - SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, + TLS_RSA_EXPORT_WITH_RC4_40_MD5, + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* ciphersuites with no encryption */ #ifndef NSS_DISABLE_ECC TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, #endif /* NSS_DISABLE_ECC */ - SSL_RSA_WITH_NULL_SHA, + TLS_RSA_WITH_NULL_SHA, TLS_RSA_WITH_NULL_SHA256, - SSL_RSA_WITH_NULL_MD5, + TLS_RSA_WITH_NULL_MD5, /* SSL2 cipher suites. */ SSL_EN_RC4_128_WITH_MD5, SSL_EN_RC2_128_CBC_WITH_MD5, SSL_EN_DES_192_EDE3_CBC_WITH_MD5, /* actually 112, not 192 */ SSL_EN_DES_64_CBC_WITH_MD5, SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,
--- a/security/nss/lib/ssl/sslinfo.c +++ b/security/nss/lib/ssl/sslinfo.c @@ -143,38 +143,38 @@ static const SSLCipherSuiteInfo suiteInf {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, }, {0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, }, {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, }, {0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA, 1, 0, 0, }, {0,CS(TLS_RSA_WITH_CAMELLIA_128_CBC_SHA), S_RSA, K_RSA, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, }, -{0,CS(SSL_RSA_WITH_RC4_128_SHA), S_RSA, K_RSA, C_RC4, B_128, M_SHA, 0, 0, 0, }, -{0,CS(SSL_RSA_WITH_RC4_128_MD5), S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, }, +{0,CS(TLS_RSA_WITH_RC4_128_SHA), S_RSA, K_RSA, C_RC4, B_128, M_SHA, 0, 0, 0, }, +{0,CS(TLS_RSA_WITH_RC4_128_MD5), S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, }, {0,CS(TLS_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_RSA, C_AES, B_128, M_SHA256, 1, 0, 0, }, {0,CS(TLS_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_RSA, C_AES, B_128, M_SHA, 1, 0, 0, }, -{0,CS(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_DHE, C_3DES,B_3DES,M_SHA, 1, 0, 0, }, -{0,CS(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA), S_DSA, K_DHE, C_3DES,B_3DES,M_SHA, 1, 0, 0, }, +{0,CS(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_DHE, C_3DES,B_3DES,M_SHA, 1, 0, 0, }, +{0,CS(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA), S_DSA, K_DHE, C_3DES,B_3DES,M_SHA, 1, 0, 0, }, {0,CS(SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA), S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, 0, 1, }, -{0,CS(SSL_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, 0, 0, }, +{0,CS(TLS_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, 0, 0, }, -{0,CS(SSL_DHE_RSA_WITH_DES_CBC_SHA), S_RSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, }, -{0,CS(SSL_DHE_DSS_WITH_DES_CBC_SHA), S_DSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, }, +{0,CS(TLS_DHE_RSA_WITH_DES_CBC_SHA), S_RSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, }, +{0,CS(TLS_DHE_DSS_WITH_DES_CBC_SHA), S_DSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, }, {0,CS(SSL_RSA_FIPS_WITH_DES_CBC_SHA), S_RSA, K_RSA, C_DES, B_DES, M_SHA, 0, 0, 1, }, -{0,CS(SSL_RSA_WITH_DES_CBC_SHA), S_RSA, K_RSA, C_DES, B_DES, M_SHA, 0, 0, 0, }, +{0,CS(TLS_RSA_WITH_DES_CBC_SHA), S_RSA, K_RSA, C_DES, B_DES, M_SHA, 0, 0, 0, }, {0,CS(TLS_RSA_EXPORT1024_WITH_RC4_56_SHA), S_RSA, K_RSA, C_RC4, B_56, M_SHA, 0, 1, 0, }, {0,CS(TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA), S_RSA, K_RSA, C_DES, B_DES, M_SHA, 0, 1, 0, }, -{0,CS(SSL_RSA_EXPORT_WITH_RC4_40_MD5), S_RSA, K_RSA, C_RC4, B_40, M_MD5, 0, 1, 0, }, -{0,CS(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5), S_RSA, K_RSA, C_RC2, B_40, M_MD5, 0, 1, 0, }, +{0,CS(TLS_RSA_EXPORT_WITH_RC4_40_MD5), S_RSA, K_RSA, C_RC4, B_40, M_MD5, 0, 1, 0, }, +{0,CS(TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5), S_RSA, K_RSA, C_RC2, B_40, M_MD5, 0, 1, 0, }, {0,CS(TLS_RSA_WITH_NULL_SHA256), S_RSA, K_RSA, C_NULL,B_0, M_SHA256, 0, 1, 0, }, -{0,CS(SSL_RSA_WITH_NULL_SHA), S_RSA, K_RSA, C_NULL,B_0, M_SHA, 0, 1, 0, }, -{0,CS(SSL_RSA_WITH_NULL_MD5), S_RSA, K_RSA, C_NULL,B_0, M_MD5, 0, 1, 0, }, +{0,CS(TLS_RSA_WITH_NULL_SHA), S_RSA, K_RSA, C_NULL,B_0, M_SHA, 0, 1, 0, }, +{0,CS(TLS_RSA_WITH_NULL_MD5), S_RSA, K_RSA, C_NULL,B_0, M_MD5, 0, 1, 0, }, #ifndef NSS_DISABLE_ECC /* ECC cipher suites */ {0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, {0,CS(TLS_ECDH_ECDSA_WITH_NULL_SHA), S_ECDSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, }, {0,CS(TLS_ECDH_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, },
--- a/security/nss/lib/ssl/sslnonce.c +++ b/security/nss/lib/ssl/sslnonce.c @@ -478,28 +478,26 @@ ssl_Time(void) } void ssl3_SetSIDSessionTicket(sslSessionID *sid, /*in/out*/ NewSessionTicket *newSessionTicket) { PORT_Assert(sid); PORT_Assert(newSessionTicket); + PORT_Assert(newSessionTicket->ticket.data); + PORT_Assert(newSessionTicket->ticket.len != 0); /* if sid->u.ssl3.lock, we are updating an existing entry that is already * cached or was once cached, so we need to acquire and release the write * lock. Otherwise, this is a new session that isn't shared with anything * yet, so no locking is needed. */ if (sid->u.ssl3.lock) { PR_RWLock_Wlock(sid->u.ssl3.lock); - - /* A server might have sent us an empty ticket, which has the - * effect of clearing the previously known ticket. - */ if (sid->u.ssl3.locked.sessionTicket.ticket.data) { SECITEM_FreeItem(&sid->u.ssl3.locked.sessionTicket.ticket, PR_FALSE); } } PORT_Assert(!sid->u.ssl3.locked.sessionTicket.ticket.data);
--- a/security/nss/lib/ssl/sslproto.h +++ b/security/nss/lib/ssl/sslproto.h @@ -76,94 +76,128 @@ #define SSL_EN_RC4_128_WITH_MD5 0xFF01 #define SSL_EN_RC4_128_EXPORT40_WITH_MD5 0xFF02 #define SSL_EN_RC2_128_CBC_WITH_MD5 0xFF03 #define SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 0xFF04 #define SSL_EN_IDEA_128_CBC_WITH_MD5 0xFF05 #define SSL_EN_DES_64_CBC_WITH_MD5 0xFF06 #define SSL_EN_DES_192_EDE3_CBC_WITH_MD5 0xFF07 -/* SSL v3 Cipher Suites */ -#define SSL_NULL_WITH_NULL_NULL 0x0000 +/* Deprecated SSL 3.0 & libssl names replaced by IANA-registered TLS names. */ +#ifndef SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES +#define SSL_NULL_WITH_NULL_NULL TLS_NULL_WITH_NULL_NULL +#define SSL_RSA_WITH_NULL_MD5 TLS_RSA_WITH_NULL_MD5 +#define SSL_RSA_WITH_NULL_SHA TLS_RSA_WITH_NULL_SHA +#define SSL_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5 +#define SSL_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_MD5 +#define SSL_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_SHA +#define SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 +#define SSL_RSA_WITH_IDEA_CBC_SHA TLS_RSA_WITH_IDEA_CBC_SHA +#define SSL_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA +#define SSL_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA +#define SSL_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA +#define SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA +#define SSL_DH_DSS_WITH_DES_CBC_SHA TLS_DH_DSS_WITH_DES_CBC_SHA +#define SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA +#define SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA +#define SSL_DH_RSA_WITH_DES_CBC_SHA TLS_DH_RSA_WITH_DES_CBC_SHA +#define SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA +#define SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA +#define SSL_DHE_DSS_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA +#define SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA +#define SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA +#define SSL_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_RSA_WITH_DES_CBC_SHA +#define SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA +#define SSL_DH_ANON_WITH_RC4_128_MD5 TLS_DH_anon_WITH_RC4_128_MD5 +#define SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA +#define SSL_DH_ANON_WITH_DES_CBC_SHA TLS_DH_anon_WITH_DES_CBC_SHA +#define SSL_DH_ANON_WITH_3DES_EDE_CBC_SHA TLS_DH_anon_WITH_3DES_EDE_CBC_SHA +#define SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 +#define TLS_DH_ANON_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA +#define TLS_DH_ANON_WITH_AES_256_CBC_SHA TLS_DH_anon_WITH_AES_256_CBC_SHA +#define TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA +#define TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA +#endif -#define SSL_RSA_WITH_NULL_MD5 0x0001 -#define SSL_RSA_WITH_NULL_SHA 0x0002 -#define SSL_RSA_EXPORT_WITH_RC4_40_MD5 0x0003 -#define SSL_RSA_WITH_RC4_128_MD5 0x0004 -#define SSL_RSA_WITH_RC4_128_SHA 0x0005 -#define SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0x0006 -#define SSL_RSA_WITH_IDEA_CBC_SHA 0x0007 -#define SSL_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0008 -#define SSL_RSA_WITH_DES_CBC_SHA 0x0009 -#define SSL_RSA_WITH_3DES_EDE_CBC_SHA 0x000a - -#define SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA 0x000b -#define SSL_DH_DSS_WITH_DES_CBC_SHA 0x000c -#define SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000d -#define SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA 0x000e -#define SSL_DH_RSA_WITH_DES_CBC_SHA 0x000f -#define SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010 - -#define SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 0x0011 -#define SSL_DHE_DSS_WITH_DES_CBC_SHA 0x0012 -#define SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013 -#define SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0014 -#define SSL_DHE_RSA_WITH_DES_CBC_SHA 0x0015 -#define SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016 - -#define SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5 0x0017 -#define SSL_DH_ANON_WITH_RC4_128_MD5 0x0018 -#define SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA 0x0019 -#define SSL_DH_ANON_WITH_DES_CBC_SHA 0x001a -#define SSL_DH_ANON_WITH_3DES_EDE_CBC_SHA 0x001b +#define TLS_NULL_WITH_NULL_NULL 0x0000 + +#define TLS_RSA_WITH_NULL_MD5 0x0001 +#define TLS_RSA_WITH_NULL_SHA 0x0002 +#define TLS_RSA_EXPORT_WITH_RC4_40_MD5 0x0003 +#define TLS_RSA_WITH_RC4_128_MD5 0x0004 +#define TLS_RSA_WITH_RC4_128_SHA 0x0005 +#define TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0x0006 +#define TLS_RSA_WITH_IDEA_CBC_SHA 0x0007 +#define TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0008 +#define TLS_RSA_WITH_DES_CBC_SHA 0x0009 +#define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000a + +#define TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA 0x000b +#define TLS_DH_DSS_WITH_DES_CBC_SHA 0x000c +#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000d +#define TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA 0x000e +#define TLS_DH_RSA_WITH_DES_CBC_SHA 0x000f +#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010 + +#define TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 0x0011 +#define TLS_DHE_DSS_WITH_DES_CBC_SHA 0x0012 +#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013 +#define TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0014 +#define TLS_DHE_RSA_WITH_DES_CBC_SHA 0x0015 +#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016 + +#define TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 0x0017 +#define TLS_DH_anon_WITH_RC4_128_MD5 0x0018 +#define TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA 0x0019 +#define TLS_DH_anon_WITH_DES_CBC_SHA 0x001a +#define TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001b #define SSL_FORTEZZA_DMS_WITH_NULL_SHA 0x001c /* deprecated */ #define SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA 0x001d /* deprecated */ #define SSL_FORTEZZA_DMS_WITH_RC4_128_SHA 0x001e /* deprecated */ -/* New TLS cipher suites */ #define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F #define TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030 #define TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031 #define TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032 #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033 -#define TLS_DH_ANON_WITH_AES_128_CBC_SHA 0x0034 +#define TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034 #define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 #define TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036 #define TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037 #define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 -#define TLS_DH_ANON_WITH_AES_256_CBC_SHA 0x003A +#define TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A #define TLS_RSA_WITH_NULL_SHA256 0x003B #define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C #define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D #define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0041 #define TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0042 #define TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0043 #define TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0044 #define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0045 -#define TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA 0x0046 +#define TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA 0x0046 #define TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x0062 #define TLS_RSA_EXPORT1024_WITH_RC4_56_SHA 0x0064 #define TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x0063 #define TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x0065 #define TLS_DHE_DSS_WITH_RC4_128_SHA 0x0066 #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B #define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0084 #define TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0085 #define TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0086 #define TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0087 #define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0088 -#define TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA 0x0089 +#define TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA 0x0089 #define TLS_RSA_WITH_SEED_CBC_SHA 0x0096 #define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C #define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E #define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2 /* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client.
--- a/security/nss/lib/zlib/config.mk +++ b/security/nss/lib/zlib/config.mk @@ -9,8 +9,12 @@ # TARGETS = $(LIBRARY) $(PROGRAMS) SHARED_LIBRARY = IMPORT_LIBRARY = PROGRAM = EXTRA_LIBS = $(LIBRARY) + +ifeq ($(OS_TARGET),Linux) +DEFINES += -DHAVE_UNISTD_H +endif
--- a/security/nss/tests/cert/cert.sh +++ b/security/nss/tests/cert/cert.sh @@ -935,18 +935,18 @@ cert_ssl() if [ "$CERTFAILED" != 0 ] ; then cert_log "ERROR: SSL failed $RET" else cert_log "SUCCESS: SSL passed" fi echo "$SCRIPTNAME: Creating database for OCSP stapling tests ===============" - echo "cp -rv ${SERVERDIR} ${STAPLINGDIR}" - cp -rv ${R_SERVERDIR} ${R_STAPLINGDIR} + echo "cp -r ${SERVERDIR} ${STAPLINGDIR}" + cp -r ${R_SERVERDIR} ${R_STAPLINGDIR} pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR} pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR} } ############################## cert_stresscerts ################################ # local shell function to create client certs for SSL stresstest ######################################################################## cert_stresscerts() {
--- a/security/nss/tests/common/cleanup.sh +++ b/security/nss/tests/common/cleanup.sh @@ -9,16 +9,19 @@ if [ -z "${CLEANUP}" -o "${CLEANUP}" = " echo echo "SUMMARY:" echo "========" echo "NSS variables:" echo "--------------" echo "HOST=${HOST}" echo "DOMSUF=${DOMSUF}" echo "BUILD_OPT=${BUILD_OPT}" + if [ "${OS_ARCH}" = "Linux" ]; then + echo "USE_X32=${USE_X32}" + fi echo "USE_64=${USE_64}" echo "NSS_CYCLES=\"${NSS_CYCLES}\"" echo "NSS_TESTS=\"${NSS_TESTS}\"" echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\"" echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\"" echo "NSS_AIA_PATH=${NSS_AIA_PATH}" echo "NSS_AIA_HTTP=${NSS_AIA_HTTP}" echo "NSS_AIA_OCSP=${NSS_AIA_OCSP}"