Address feedback from ekr, sync. up with the default branch, and prepare for more downstream testing
BUG1168917_BRANCH
Address feedback from ekr, sync. up with the default branch, and prepare for more downstream testing
- cmd/platlibs.mk: use ifdef instead of ifeq for consistency, and leave the WINNT part unchanged
- cmd/platlibs.mk expanded for the case of static libraries
- remove potentially confusing comments from top Makefile
- ready to make experimental source tar ball for more downstream testing
--- a/Makefile
+++ b/Makefile
@@ -21,21 +21,16 @@ include $(CORE_DEPTH)/coreconf/config.mk
#######################################################################
#######################################################################
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
#######################################################################
-# Note for downstream package maintainers: if building with
-# NSS_BUILD_UTIL_ONLY or NSS_BUILD_SOFTOKEN_ONLY set up
-# export NSS_DISABLE_GTESTS=1 via the spec files or other
-# mechanism controling the build
-
ifdef NSS_DISABLE_GTESTS
DIRS := $(filter-out external_tests,$(DIRS))
endif
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #
#######################################################################
--- a/cmd/lib/derprint.c
+++ b/cmd/lib/derprint.c
@@ -25,16 +25,23 @@ getInteger256(const unsigned char *data,
break;
case 2:
val = (data[0] << 8) | data[1];
break;
case 3:
val = (data[0] << 16) | (data[1] << 8) | data[2];
break;
case 4:
+ /* If the most significant bit of data[0] is 1, val would be negative.
+ * Treat it as an error.
+ */
+ if (data[0] & 0x80) {
+ PORT_SetError(SEC_ERROR_BAD_DER);
+ return -1;
+ }
val = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
break;
default:
PORT_SetError(SEC_ERROR_BAD_DER);
return -1;
}
return val;
@@ -227,16 +234,20 @@ prettyPrintObjectID(FILE *out, const uns
/*
* First print the Object Id in numeric format
*/
rv = prettyIndent(out, level);
if (rv < 0)
return rv;
+ if (len == 0) {
+ PORT_SetError(SEC_ERROR_BAD_DER);
+ return -1;
+ }
val = data[0];
i = val % 40;
val = val / 40;
rv = fprintf(out, "%lu %u ", val, i);
if (rv < 0) {
PORT_SetError(SEC_ERROR_IO);
return rv;
}
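Review bot: The new `if (len == 0)` guard sits after `prettyIndent(out, level)`, so a zero-length OID leaves the indentation already written to `out`, with no newline, before the function returns -1. Moving the guard above `rv = prettyIndent(out, level);` rejects the malformed input before any output is produced. The function starts before this hunk and continues past it.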
@@ -277,34 +288,27 @@ prettyPrintObjectID(FILE *out, const uns
rv = fprintf(out, "(%s)", oiddata->desc);
if (rv < 0) {
PORT_SetError(SEC_ERROR_IO);
return rv;
}
}
- /*
- * Finally, on a new line, print the raw bytes (if requested).
- */
+ rv = prettyNewline(out);
+ if (rv < 0)
+ return rv;
+
if (raw) {
- rv = prettyNewline(out);
- if (rv < 0) {
- PORT_SetError(SEC_ERROR_IO);
+ rv = prettyPrintLeaf(out, data, len, level);
+ if (rv < 0)
return rv;
- }
-
- for (i = 0; i < len; i++) {
- rv = prettyPrintByte(out, *data++, level);
- if (rv < 0)
- return rv;
- }
}
- return prettyNewline(out);
+ return 0;
}
static char *prettyTagType [32] = {
"End of Contents",
"Boolean",
"Integer",
"Bit String",
"Octet String",
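Review bot: The raw dump `prettyPrintLeaf(out, data, len, level)` is only correct if nothing in the part of prettyPrintObjectID outside this hunk advances `data` or shrinks `len`. The removed loop had the same dependency, but it is worth confirming because the input is untrusted DER. The comment that explained the tail of the function was removed with the old loop; something like `/* End the OID line; if raw, dump the encoded bytes below it. */` above `rv = prettyNewline(out);` would replace it. The removed branch also called `PORT_SetError(SEC_ERROR_IO)` when `prettyNewline` failed and the new code does not, which is fine only if `prettyNewline` sets the error itself.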
@@ -418,16 +422,17 @@ prettyPrintLength(FILE *out, const unsig
if (rv < 0) {
PORT_SetError(SEC_ERROR_IO);
return rv;
}
*indefinitep = PR_FALSE;
lbyte = *data++;
+ lenLen = 1;
if (lbyte >= 0x80) {
/* Multibyte length */
unsigned nb = (unsigned) (lbyte & 0x7f);
if (nb > 4) {
PORT_SetError(SEC_ERROR_BAD_DER);
return -1;
}
if (nb > 0) {
@@ -439,32 +444,31 @@ prettyPrintLength(FILE *out, const unsig
}
il = getInteger256(data, nb);
if (il < 0) return -1;
*lenp = (unsigned) il;
} else {
*lenp = 0;
*indefinitep = PR_TRUE;
}
- lenLen = nb + 1;
+ lenLen += nb;
if (raw) {
unsigned int i;
rv = prettyPrintByte(out, lbyte, lv);
if (rv < 0)
return rv;
for (i = 0; i < nb; i++) {
rv = prettyPrintByte(out, data[i], lv);
if (rv < 0)
return rv;
}
}
} else {
*lenp = lbyte;
- lenLen = 1;
if (raw) {
rv = prettyPrintByte(out, lbyte, lv);
if (rv < 0)
return rv;
}
}
if (*indefinitep)
rv = fprintf(out, "(indefinite)\n");
--- a/cmd/platlibs.mk
+++ b/cmd/platlibs.mk
@@ -46,19 +46,17 @@ else
CRYPTOLIB=$(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
SOFTOKENLIB=
EXTRA_SHARED_LIBS += \
-L$(SOFTOKEN_LIB_DIR) \
-lsoftokn3 \
$(NULL)
endif
-ifeq ($(NSS_BUILD_SOFTOKEN_ONLY), 1)
-PKIXLIB =
-else
+ifndef NSS_BUILD_SOFTOKEN_ONLY)
PKIXLIB = \
$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixutil.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixsystem.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixcrlsel.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixmodule.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixstore.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixparams.$(LIB_SUFFIX) \
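Review bot: The added line `ifndef NSS_BUILD_SOFTOKEN_ONLY)` carries a stray closing parenthesis, apparently left over from the `ifeq (...)` form. make will most likely test a variable literally named `NSS_BUILD_SOFTOKEN_ONLY)`, which is never defined, so PKIXLIB would be populated even in a softoken-only build and the tools would be linked against pkix archives that build does not produce. The line should read `ifndef NSS_BUILD_SOFTOKEN_ONLY`. The PKIXLIB assignment continues past the end of this hunk.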
@@ -67,28 +65,16 @@ PKIXLIB = \
$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixresults.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX)
endif
# can't do this in manifest.mn because OS_ARCH isn't defined there.
ifeq ($(OS_ARCH), WINNT)
-ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
-EXTRA_LIBS += \
- $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
- $(SOFTOKENLIB) \
- $(CRYPTOLIB) \
- $(SQLITE_LIB_DIR)/$(LIB_PREFIX)$(SQLITE_LIB_NAME).$(LIB_SUFFIX) \
- $(NSSUTIL_LIB_DIR)/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
- $(NULL)
-else
EXTRA_LIBS += \
$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
@@ -104,25 +90,24 @@ EXTRA_LIBS += \
$(PKIXLIB) \
$(DBMLIB) \
$(SQLITE_LIB_DIR)/$(LIB_PREFIX)$(SQLITE_LIB_NAME).$(LIB_SUFFIX) \
$(NSSUTIL_LIB_DIR)/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
$(NULL)
-endif
# $(PROGRAM) has NO explicit dependencies on $(OS_LIBS)
#OS_LIBS += \
wsock32.lib \
winmm.lib \
$(NULL)
else
-ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
+ifdef NSS_BUILD_SOFTOKEN_ONLY
EXTRA_LIBS += \
$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
$(SOFTOKENLIB) \
$(CRYPTOLIB) \
$(NULL)
else
EXTRA_LIBS += \
$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
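Review bot: `ifdef NSS_BUILD_SOFTOKEN_ONLY` is true for any non-empty value, whereas the `ifeq (...,1)` it replaces matched only `1`, so a packager who exports `NSS_BUILD_SOFTOKEN_ONLY=0` to switch the mode off now gets the reduced link list. Because this decides which NSS libraries the shipped tools are linked against, a comment above the conditional would help: `# NSS_BUILD_SOFTOKEN_ONLY: any non-empty value (including 0) selects the softoken-only link set`. The same applies to the `ifndef` at the PKIXLIB assignment and to the `ifdef` added before the last `EXTRA_SHARED_LIBS` assignment. The else branch of this conditional continues past the end of the hunk.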
@@ -170,36 +155,26 @@ EXTRA_SHARED_LIBS += \
$(NULL)
endif
else # USE_STATIC_LIBS
# can't do this in manifest.mn because OS_ARCH isn't defined there.
ifeq ($(OS_ARCH), WINNT)
# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
-ifeq ($(NSS_BUILD_SOFTOKEN_ONLY), 1)
-EXTRA_LIBS += \
- $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
- $(NSSUTIL_LIB_DIR)/$(IMPORT_LIB_PREFIX)nssutil3$(IMPORT_LIB_SUFFIX) \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4$(IMPORT_LIB_SUFFIX) \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4$(IMPORT_LIB_SUFFIX) \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4$(IMPORT_LIB_SUFFIX) \
- $(NULL)
-else
EXTRA_LIBS += \
$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
$(NSSUTIL_LIB_DIR)/$(IMPORT_LIB_PREFIX)nssutil3$(IMPORT_LIB_SUFFIX) \
$(DIST)/lib/$(IMPORT_LIB_PREFIX)smime3$(IMPORT_LIB_SUFFIX) \
$(DIST)/lib/$(IMPORT_LIB_PREFIX)ssl3$(IMPORT_LIB_SUFFIX) \
$(DIST)/lib/$(IMPORT_LIB_PREFIX)nss3$(IMPORT_LIB_SUFFIX) \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4$(IMPORT_LIB_SUFFIX) \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4$(IMPORT_LIB_SUFFIX) \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4$(IMPORT_LIB_SUFFIX) \
$(NULL)
-endif
# $(PROGRAM) has NO explicit dependencies on $(OS_LIBS)
#OS_LIBS += \
wsock32.lib \
winmm.lib \
$(NULL)
else
@@ -209,29 +184,41 @@ EXTRA_LIBS += \
$(NULL)
ifeq ($(OS_ARCH), AIX)
EXTRA_SHARED_LIBS += -brtl
endif
# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+ifdef NSS_BUILD_SOFTOKEN_ONLY
+EXTRA_SHARED_LIBS += \
+ -L$(DIST)/lib \
+ -L$(NSSUTIL_LIB_DIR) \
+ -lnssutil3 \
+ -L$(NSPR_LIB_DIR) \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
+ $(NULL)
+else
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
-lssl3 \
-lsmime3 \
-lnss3 \
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
-lplc4 \
-lplds4 \
-lnspr4 \
$(NULL)
endif
+endif
ifdef SOFTOKEN_LIB_DIR
ifdef NSS_USE_SYSTEM_FREEBL
EXTRA_SHARED_LIBS += -L$(SOFTOKEN_LIB_DIR) -lsoftokn3
endif
endif
endif # USE_STATIC_LIBS
--- a/coreconf/WIN32.mk
+++ b/coreconf/WIN32.mk
@@ -99,17 +99,17 @@ XP_DEFINE += -DXP_PC
ifdef NS_USE_GCC
LIB_SUFFIX = a
else
LIB_SUFFIX = lib
endif
DLL_SUFFIX = dll
ifdef NS_USE_GCC
- OS_CFLAGS += -mwindows -mms-bitfields -Werror
+ OS_CFLAGS += -mwindows -mms-bitfields
_GEN_IMPORT_LIB=-Wl,--out-implib,$(IMPORT_LIBRARY)
DLLFLAGS += -mwindows -o $@ -shared -Wl,--export-all-symbols $(if $(IMPORT_LIBRARY),$(_GEN_IMPORT_LIB))
ifdef BUILD_OPT
ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
OPTIMIZER += -Os
else
OPTIMIZER += -O2
endif
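Review bot: Dropping `-Werror` from the GCC `OS_CFLAGS` line is not explained in the hunk or in the commit description, and it means new compiler warnings in Windows GCC builds of this crypto library no longer stop the build. If the removal is only meant to unblock the downstream test tarball, say so next to the flags, e.g. `# -Werror omitted: <reason / bug number>`, so it can be restored later. If it is meant to be permanent, a make variable that lets CI turn the flag back on would keep the warning gate for at least one configuration.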
--- a/lib/ssl/dtlscon.c
+++ b/lib/ssl/dtlscon.c
@@ -1018,17 +1018,17 @@ dtls_HandleHelloVerifyRequest(sslSocket
if (rv == SECSuccess)
return rv;
alert_loser:
(void)SSL3_SendAlert(ss, alert_fatal, desc);
loser:
- errCode = ssl_MapLowLevelError(errCode);
+ ssl_MapLowLevelError(errCode);
return SECFailure;
}
/* Initialize the DTLS anti-replay window
*
* Called from:
* ssl3_SetupPendingCipherSpec()
* ssl3_InitCipherSpec()
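Review bot: `ssl_MapLowLevelError(errCode);` at the `loser:` label now discards the function's return value without saying so, while the call two lines above is written `(void)SSL3_SendAlert(...)`. Writing `(void)ssl_MapLowLevelError(errCode);` keeps the two consistent and makes it clear the call is kept for its side effect, presumably setting the error code the caller reads after `SECFailure`. The same line appears at the `loser:` label of ssl3_HandleServerHello in lib/ssl/ssl3con.c. The function body starts outside this hunk.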
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -6538,17 +6538,18 @@ ssl3_HandleServerHello(sslSocket *ss, SS
errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
goto alert_loser;
}
ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp;
ss->ssl3.hs.suite_def = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp);
ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite;
PORT_Assert(ss->ssl3.hs.suite_def);
if (!ss->ssl3.hs.suite_def) {
- PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE);
+ errCode = SEC_ERROR_LIBRARY_FAILURE;
+ PORT_SetError(errCode);
goto loser; /* we don't send alerts for our screw-ups. */
}
/* find selected compression method in our list. */
temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
if (temp < 0) {
goto loser; /* alert has been sent */
}
@@ -6799,17 +6800,17 @@ ssl3_HandleServerHello(sslSocket *ss, SS
ss->ssl3.hs.ws = wait_server_key;
}
return SECSuccess;
alert_loser:
(void)SSL3_SendAlert(ss, alert_fatal, desc);
loser:
- errCode = ssl_MapLowLevelError(errCode);
+ ssl_MapLowLevelError(errCode);
return SECFailure;
}
/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
* ssl3 ServerKeyExchange message.
* Caller must hold Handshake and RecvBuf locks.
*/
@@ -8995,17 +8996,17 @@ ssl3_SendServerHello(sslSocket *ss)
return rv; /* err set by AppendHandshake. */
}
if (extensions_len) {
PRInt32 sent_len;
extensions_len -= 2;
rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2);
if (rv != SECSuccess)
- return rv; /* err set by ssl3_SetupPendingCipherSpec */
+ return rv; /* err set by ssl3_AppendHandshakeNumber */
sent_len = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, extensions_len,
&ss->xtnData.serverSenders[0]);
PORT_Assert(sent_len == extensions_len);
if (sent_len != extensions_len) {
if (sent_len >= 0)
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
@@ -10388,18 +10389,16 @@ ssl3_CleanupPeerCerts(sslSocket *ss)
if (arena) PORT_FreeArena(arena, PR_FALSE);
ss->ssl3.peerCertArena = NULL;
ss->ssl3.peerCertChain = NULL;
}
/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
* ssl3 CertificateStatus message.
* Caller must hold Handshake and RecvBuf locks.
- * This is always called before ssl3_HandleCertificate, even if the Certificate
- * message is sent first.
*/
static SECStatus
ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
{
PRInt32 status, len;
if (ss->ssl3.hs.ws != wait_certificate_status) {
(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);