Address feedback from ekr, sync. up with the default branch, and prepare for more downstream testing BUG1168917_BRANCH
authorElio Maldonado <emaldona@redhat.com>
Fri, 04 Dec 2015 07:55:24 -0800
branchBUG1168917_BRANCH
changeset 11749 e7bcbbb366842d63fb007b601b90a3de9af64899
parent 11745 c01d0b1309c104d1f91eff4b640480c38ec6302a (current diff)
parent 11748 1a2e8b6e713c728220ad340c871e49e8290a0e0b (diff)
child 11750 a168b53d4d14a43e51ab1fcde62370cb6197d4d8
push id879
push useremaldona@redhat.com
push dateFri, 04 Dec 2015 15:55:41 +0000
Address feedback from ekr, sync. up with the default branch, and prepare for more downstream testing - cmd/platlibs.mk by using ifdef instead of ifeq for consistency and doesn't change WINNT part - cmd/platlibs.mk expanded for the case of static libraries - remove potentially confusing comments from top Makefile - ready to make experimental source tar ball for more downstream testing
Makefile
cmd/platlibs.mk
--- a/Makefile
+++ b/Makefile
@@ -21,21 +21,16 @@ include $(CORE_DEPTH)/coreconf/config.mk
 #######################################################################
 
 
 
 #######################################################################
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 
-# Note for downstream package maintainers: if building with
-# NSS_BUILD_UTIL_ONLY or NSS_BUILD_SOFTOKEN_ONLY set up
-# export NSS_DISABLE_GTESTS=1 via the spec files or other
-# mechanism controling the build
-
 ifdef NSS_DISABLE_GTESTS
 DIRS := $(filter-out external_tests,$(DIRS))
 endif
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
--- a/cmd/lib/derprint.c
+++ b/cmd/lib/derprint.c
@@ -25,16 +25,23 @@ getInteger256(const unsigned char *data,
 	break;
       case 2:
 	val = (data[0] << 8) | data[1];
 	break;
       case 3:
 	val = (data[0] << 16) | (data[1] << 8) | data[2];
 	break;
       case 4:
+	/* If the most significant bit of data[0] is 1, val would be negative.
+	 * Treat it as an error.
+	 */
+	if (data[0] & 0x80) {
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    return -1;
+	}
 	val = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
 	break;
       default:
 	PORT_SetError(SEC_ERROR_BAD_DER);
 	return -1;
     }
 
     return val;
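Review bot: The new comment in `case 4` explains the guard only as avoiding a negative `val`, but it leaves out two things a maintainer needs. With bit 7 of `data[0]` set, `data[0] << 24` shifts a promoted `int` into the sign bit, which is undefined behaviour in C, and a negative result would also be indistinguishable from the function's `-1` error return. I would extend the comment to say so, for example `/* Reject a set top bit: data[0] << 24 would overflow a signed int (UB), and a negative result is reserved for the error return. */`. The start of getInteger256, including the declaration of `val`, is outside this hunk, so the exact type is assumed here.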
@@ -227,16 +234,20 @@ prettyPrintObjectID(FILE *out, const uns
     /*
      * First print the Object Id in numeric format
      */
 
     rv = prettyIndent(out, level);
     if (rv < 0)
 	return rv;
 
+    if (len == 0) {
+	PORT_SetError(SEC_ERROR_BAD_DER);
+	return -1;
+    }
     val = data[0];
     i   = val % 40;
     val = val / 40;
     rv = fprintf(out, "%lu %u ", val, i);
     if (rv < 0) {
 	PORT_SetError(SEC_ERROR_IO);
 	return rv;
     }
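Review bot: The added `len == 0` guard sits after the `prettyIndent(out, level)` call, so a zero-length object identifier still writes indentation to `out` before the function fails with `SEC_ERROR_BAD_DER`. Moving the three-line check above `rv = prettyIndent(out, level);` would reject the malformed encoding before any output is produced and keep the validation next to the first read of `data[0]`. The beginning of prettyPrintObjectID and the loop that consumes the remaining bytes are outside this hunk, so whether later reads are bounded by `len` cannot be confirmed from here.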
@@ -277,34 +288,27 @@ prettyPrintObjectID(FILE *out, const uns
 
 	rv = fprintf(out, "(%s)", oiddata->desc);
 	if (rv < 0) {
 	    PORT_SetError(SEC_ERROR_IO);
 	    return rv;
 	}
     }
 
-    /*
-     * Finally, on a new line, print the raw bytes (if requested).
-     */
+    rv = prettyNewline(out);
+    if (rv < 0)
+	return rv;
+
     if (raw) {
-	rv = prettyNewline(out);
-	if (rv < 0) {
-	    PORT_SetError(SEC_ERROR_IO);
+	rv = prettyPrintLeaf(out, data, len, level);
+	if (rv < 0)
 	    return rv;
-	}
-
-	for (i = 0; i < len; i++) {
-	    rv = prettyPrintByte(out, *data++, level);
-	    if (rv < 0)
-		return rv;
-	}
     }
 
-    return prettyNewline(out);
+    return 0;
 }
 
 static char *prettyTagType [32] = {
   "End of Contents",
   "Boolean",
   "Integer",
   "Bit String",
   "Octet String",
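Review bot: The rewritten tail of prettyPrintObjectID drops the only comment describing the raw dump, and it changes how the output ends in a way the code no longer explains. The newline is now written before the `if (raw)` block and the function returns 0, so the final line ending in raw mode depends entirely on `prettyPrintLeaf`, whose body is not visible here. A short replacement comment such as `/* On a new line, dump the raw bytes (if requested); prettyPrintLeaf ends the line itself. */` would record that, once confirmed against the helper. The old raw branch also set `SEC_ERROR_IO` when `prettyNewline` failed; the new `if (rv < 0) return rv;` relies on `prettyNewline` setting the error code itself, which should be verified.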
@@ -418,16 +422,17 @@ prettyPrintLength(FILE *out, const unsig
     if (rv < 0) {
         PORT_SetError(SEC_ERROR_IO);
 	return rv;
     }
 
     *indefinitep = PR_FALSE;
 
     lbyte = *data++;
+    lenLen = 1;
     if (lbyte >= 0x80) {
 	/* Multibyte length */
 	unsigned nb = (unsigned) (lbyte & 0x7f);
 	if (nb > 4) {
 	    PORT_SetError(SEC_ERROR_BAD_DER);
 	    return -1;
 	}
 	if (nb > 0) {
@@ -439,32 +444,31 @@ prettyPrintLength(FILE *out, const unsig
 	    }
 	    il = getInteger256(data, nb);
 	    if (il < 0) return -1;
 	    *lenp = (unsigned) il;
 	} else {
 	    *lenp = 0;
 	    *indefinitep = PR_TRUE;
 	}
-	lenLen = nb + 1;
+	lenLen += nb;
 	if (raw) {
 	    unsigned int i;
 
 	    rv = prettyPrintByte(out, lbyte, lv);
 	    if (rv < 0)
 		return rv;
 	    for (i = 0; i < nb; i++) {
 		rv = prettyPrintByte(out, data[i], lv);
 		if (rv < 0)
 		    return rv;
 	    }
 	}
     } else {
 	*lenp = lbyte;
-	lenLen = 1;
 	if (raw) {
 	    rv = prettyPrintByte(out, lbyte, lv);
 	    if (rv < 0)
 		return rv;
 	}
     }
     if (*indefinitep)
 	rv = fprintf(out, "(indefinite)\n");
--- a/cmd/platlibs.mk
+++ b/cmd/platlibs.mk
@@ -46,19 +46,17 @@ else
 CRYPTOLIB=$(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 SOFTOKENLIB=
 EXTRA_SHARED_LIBS += \
 	-L$(SOFTOKEN_LIB_DIR) \
 	-lsoftokn3 \
 	$(NULL)
 endif
 
-ifeq ($(NSS_BUILD_SOFTOKEN_ONLY), 1)
-PKIXLIB =
-else
+ifndef NSS_BUILD_SOFTOKEN_ONLY)
 PKIXLIB = \
 	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixutil.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixsystem.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixcrlsel.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixmodule.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixstore.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixparams.$(LIB_SUFFIX) \
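Review bot: The new conditional `ifndef NSS_BUILD_SOFTOKEN_ONLY)` carries a stray closing parenthesis left over from the old `ifeq (...)` form. GNU make will most likely treat the parenthesis as part of the variable name, so the test is always true and `PKIXLIB` is populated even in a softoken-only build; the line should read `ifndef NSS_BUILD_SOFTOKEN_ONLY`. Separately, the switch from `ifeq ($(NSS_BUILD_SOFTOKEN_ONLY), 1)` to `ifdef`/`ifndef` here and in the later `ifdef NSS_BUILD_SOFTOKEN_ONLY` hunks means any non-empty value, including `0`, now selects the softoken-only path. That is worth stating in a comment next to the first use, for example `# NSS_BUILD_SOFTOKEN_ONLY: any non-empty value enables the softoken-only link line`.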
@@ -67,28 +65,16 @@ PKIXLIB = \
 	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixresults.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX)
 endif
 
 # can't do this in manifest.mn because OS_ARCH isn't defined there.
 ifeq ($(OS_ARCH), WINNT)
 
-ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
-EXTRA_LIBS += \
-	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
-	$(SOFTOKENLIB) \
-	$(CRYPTOLIB) \
-	$(SQLITE_LIB_DIR)/$(LIB_PREFIX)$(SQLITE_LIB_NAME).$(LIB_SUFFIX) \
-	$(NSSUTIL_LIB_DIR)/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
-	$(NULL)
-else
 EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
@@ -104,25 +90,24 @@ EXTRA_LIBS += \
 	$(PKIXLIB) \
 	$(DBMLIB) \
 	$(SQLITE_LIB_DIR)/$(LIB_PREFIX)$(SQLITE_LIB_NAME).$(LIB_SUFFIX) \
 	$(NSSUTIL_LIB_DIR)/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
 	$(NULL)
-endif
 
 # $(PROGRAM) has NO explicit dependencies on $(OS_LIBS)
 #OS_LIBS += \
 	wsock32.lib \
 	winmm.lib \
 	$(NULL)
 else
-ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
+ifdef NSS_BUILD_SOFTOKEN_ONLY
 EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
 	$(SOFTOKENLIB) \
 	$(CRYPTOLIB) \
 	$(NULL)
 else
 EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
@@ -170,36 +155,26 @@ EXTRA_SHARED_LIBS += \
 	$(NULL)
 endif
 
 else # USE_STATIC_LIBS
 # can't do this in manifest.mn because OS_ARCH isn't defined there.
 ifeq ($(OS_ARCH), WINNT)
 
 # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
-ifeq ($(NSS_BUILD_SOFTOKEN_ONLY), 1)
-EXTRA_LIBS += \
-	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
-	$(NSSUTIL_LIB_DIR)/$(IMPORT_LIB_PREFIX)nssutil3$(IMPORT_LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4$(IMPORT_LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4$(IMPORT_LIB_SUFFIX) \
-	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4$(IMPORT_LIB_SUFFIX) \
-	$(NULL)
-else
 EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
 	$(NSSUTIL_LIB_DIR)/$(IMPORT_LIB_PREFIX)nssutil3$(IMPORT_LIB_SUFFIX) \
 	$(DIST)/lib/$(IMPORT_LIB_PREFIX)smime3$(IMPORT_LIB_SUFFIX) \
 	$(DIST)/lib/$(IMPORT_LIB_PREFIX)ssl3$(IMPORT_LIB_SUFFIX) \
 	$(DIST)/lib/$(IMPORT_LIB_PREFIX)nss3$(IMPORT_LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4$(IMPORT_LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4$(IMPORT_LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4$(IMPORT_LIB_SUFFIX) \
 	$(NULL)
-endif
 
 # $(PROGRAM) has NO explicit dependencies on $(OS_LIBS)
 #OS_LIBS += \
 	wsock32.lib \
 	winmm.lib \
 	$(NULL)
 else
 
@@ -209,29 +184,41 @@ EXTRA_LIBS += \
 	$(NULL)
 
 ifeq ($(OS_ARCH), AIX) 
 EXTRA_SHARED_LIBS += -brtl 
 endif
 
 # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+ifdef NSS_BUILD_SOFTOKEN_ONLY
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib \
+	-L$(NSSUTIL_LIB_DIR) \
+	-lnssutil3 \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+else
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	-lssl3 \
 	-lsmime3 \
 	-lnss3 \
 	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
 endif
+endif
 
 ifdef SOFTOKEN_LIB_DIR
 ifdef NSS_USE_SYSTEM_FREEBL
 EXTRA_SHARED_LIBS += -L$(SOFTOKEN_LIB_DIR) -lsoftokn3
 endif
 endif
 
 endif # USE_STATIC_LIBS
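Review bot: The two consecutive bare `endif` lines added after the `EXTRA_SHARED_LIBS` lists are hard to match to their openers now that a new `ifdef NSS_BUILD_SOFTOKEN_ONLY` level is nested inside the platform conditional. The file already labels the outer one as `endif # USE_STATIC_LIBS`, so I would label these the same way: `endif # NSS_BUILD_SOFTOKEN_ONLY` for the first and, presumably, `endif # WINNT` for the second. The opening `ifeq ($(OS_ARCH), WINNT)` and its `else` sit in the previous hunk, so the second label should be checked against the full file.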
--- a/coreconf/WIN32.mk
+++ b/coreconf/WIN32.mk
@@ -99,17 +99,17 @@ XP_DEFINE   += -DXP_PC
 ifdef NS_USE_GCC
 LIB_SUFFIX   = a
 else
 LIB_SUFFIX   = lib
 endif
 DLL_SUFFIX   = dll
 
 ifdef NS_USE_GCC
-    OS_CFLAGS += -mwindows -mms-bitfields -Werror
+    OS_CFLAGS += -mwindows -mms-bitfields
     _GEN_IMPORT_LIB=-Wl,--out-implib,$(IMPORT_LIBRARY)
     DLLFLAGS  += -mwindows -o $@ -shared -Wl,--export-all-symbols $(if $(IMPORT_LIBRARY),$(_GEN_IMPORT_LIB))
     ifdef BUILD_OPT
 	ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
 		OPTIMIZER += -Os
 	else
 		OPTIMIZER += -O2
 	endif
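Review bot: Dropping `-Werror` from the `NS_USE_GCC` `OS_CFLAGS` line means compiler diagnostics no longer fail GCC builds on Windows, and neither this hunk nor the commit description says why. Other hunks in this same changeset appear to be warning clean-ups (the `lenLen` initialisation and the unused `errCode` assignments), which suggests the warnings are still being worked through. A comment on the line would keep the removal from becoming permanent by accident, for example `# -Werror temporarily omitted for GCC on Windows: <reason / tracking bug>`.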
--- a/lib/ssl/dtlscon.c
+++ b/lib/ssl/dtlscon.c
@@ -1018,17 +1018,17 @@ dtls_HandleHelloVerifyRequest(sslSocket 
 
     if (rv == SECSuccess)
         return rv;
 
 alert_loser:
     (void)SSL3_SendAlert(ss, alert_fatal, desc);
 
 loser:
-    errCode = ssl_MapLowLevelError(errCode);
+    ssl_MapLowLevelError(errCode);
     return SECFailure;
 }
 
 /* Initialize the DTLS anti-replay window
  *
  * Called from:
  *              ssl3_SetupPendingCipherSpec()
  *              ssl3_InitCipherSpec()
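Review bot: At the `loser:` label the return value of `ssl_MapLowLevelError(errCode)` is now silently discarded, while the `SSL3_SendAlert` call two lines above marks the same situation with an explicit `(void)` cast. Writing `(void)ssl_MapLowLevelError(errCode);` would keep the file's convention and make it clear the call is kept for its side effect (presumably setting the mapped error code; the helper is not visible here). The identical change at the `loser:` label of ssl3_HandleServerHello in lib/ssl/ssl3con.c should get the same cast. The body of dtls_HandleHelloVerifyRequest begins outside this hunk.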
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -6538,17 +6538,18 @@ ssl3_HandleServerHello(sslSocket *ss, SS
 	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
 	goto alert_loser;
     }
     ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp;
     ss->ssl3.hs.suite_def    = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp);
     ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite;
     PORT_Assert(ss->ssl3.hs.suite_def);
     if (!ss->ssl3.hs.suite_def) {
-    	PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE);
+	errCode = SEC_ERROR_LIBRARY_FAILURE;
+	PORT_SetError(errCode);
 	goto loser;	/* we don't send alerts for our screw-ups. */
     }
 
     /* find selected compression method in our list. */
     temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
     if (temp < 0) {
     	goto loser; 	/* alert has been sent */
     }
@@ -6799,17 +6800,17 @@ ssl3_HandleServerHello(sslSocket *ss, SS
         ss->ssl3.hs.ws = wait_server_key;
     }
     return SECSuccess;
 
 alert_loser:
     (void)SSL3_SendAlert(ss, alert_fatal, desc);
 
 loser:
-    errCode = ssl_MapLowLevelError(errCode);
+    ssl_MapLowLevelError(errCode);
     return SECFailure;
 }
 
 
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 ServerKeyExchange message.
  * Caller must hold Handshake and RecvBuf locks.
  */
@@ -8995,17 +8996,17 @@ ssl3_SendServerHello(sslSocket *ss)
 	return rv;	/* err set by AppendHandshake. */
     }
     if (extensions_len) {
 	PRInt32 sent_len;
 
     	extensions_len -= 2;
 	rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2);
 	if (rv != SECSuccess) 
-	    return rv;	/* err set by ssl3_SetupPendingCipherSpec */
+	    return rv;	/* err set by ssl3_AppendHandshakeNumber */
 	sent_len = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, extensions_len,
 					   &ss->xtnData.serverSenders[0]);
         PORT_Assert(sent_len == extensions_len);
 	if (sent_len != extensions_len) {
 	    if (sent_len >= 0)
 	    	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 	    return SECFailure;
 	}
@@ -10388,18 +10389,16 @@ ssl3_CleanupPeerCerts(sslSocket *ss)
     if (arena) PORT_FreeArena(arena, PR_FALSE);
     ss->ssl3.peerCertArena = NULL;
     ss->ssl3.peerCertChain = NULL;
 }
 
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 CertificateStatus message.
  * Caller must hold Handshake and RecvBuf locks.
- * This is always called before ssl3_HandleCertificate, even if the Certificate
- * message is sent first.
  */
 static SECStatus
 ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     PRInt32 status, len;
 
     if (ss->ssl3.hs.ws != wait_certificate_status) {
         (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);