--- a/dbm/include/mcom_db.h
+++ b/dbm/include/mcom_db.h
@@ -151,17 +151,17 @@
#ifdef SNI
/* #include <sys/hetero.h> */
#define BYTE_ORDER BIG_ENDIAN
#define BIG_ENDIAN 4321
#define LITTLE_ENDIAN 1234
#endif
-#ifdef _WINDOWS
+#if defined(_WINDOWS) || defined(XP_OS2_VACPP)
#ifdef BYTE_ORDER
#undef BYTE_ORDER
#endif
#define BYTE_ORDER LITTLE_ENDIAN
#define LITTLE_ENDIAN 1234 /* LSB first: i386, vax, all NT risc */
#define BIG_ENDIAN 4321
#endif
@@ -183,16 +183,24 @@
#if defined(_WINDOWS) || defined(XP_OS2)
#include <stdio.h>
#include <io.h>
#ifndef XP_OS2
#define MAXPATHLEN 1024
#endif
+#ifdef XP_OS2_VACPP
+#include <os2.h>
+#define MAXPATHLEN CCHMAXPATH
+#define EPERM EINVAL
+#define ENOTDIR EBADPOS
+#define S_ISDIR(s) ((s) & S_IFDIR)
+#endif
+
#define EFTYPE EINVAL /* POSIX 1003.1 format errno. */
#ifndef STDERR_FILENO
#define STDIN_FILENO 0 /* ANSI C #defines */
#define STDOUT_FILENO 1
#define STDERR_FILENO 2
#endif
--- a/dbm/src/h_bigkey.c
+++ b/dbm/src/h_bigkey.c
@@ -51,17 +51,17 @@ static char sccsid[] = "@(#)hash_bigkey.
* __big_return
* __big_delete
* __find_last_page
* Internal
* collect_key
* collect_data
*/
-#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh)
+#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2_VACPP)
#include <sys/param.h>
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
--- a/dbm/src/h_page.c
+++ b/dbm/src/h_page.c
@@ -73,17 +73,17 @@ static char sccsid[] = "@(#)hash_page.c
#if defined(_WIN32) || defined(_WINDOWS)
#include <io.h>
#endif
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh)
+#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2_VACPP)
#include <unistd.h>
#endif
#include <assert.h>
#include "mcom_db.h"
#include "hash.h"
#include "page.h"
--- a/dbm/src/hash.c
+++ b/dbm/src/hash.c
@@ -33,39 +33,39 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)hash.c 8.9 (Berkeley) 6/16/94";
#endif /* LIBC_SCCS and not lint */
#include "watcomfx.h"
-#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh)
+#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2_VACPP)
#include <sys/param.h>
#endif
#if !defined(macintosh)
-#ifdef XP_OS2
+#ifdef XP_OS2_EMX
#include <sys/types.h>
#endif
#include <sys/stat.h>
#endif
#if defined(macintosh)
#include <unix.h>
#include <unistd.h>
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh)
+#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2_VACPP)
#include <unistd.h>
#endif
#if defined(_WIN32) || defined(_WINDOWS)
#include <windows.h>
#endif
#include <assert.h>
--- a/dbm/src/hash_buf.c
+++ b/dbm/src/hash_buf.c
@@ -48,17 +48,17 @@ static char sccsid[] = "@(#)hash_buf.c 8
* External
* __buf_init
* __get_buf
* __buf_free
* __reclaim_buf
* Internal
* newbuf
*/
-#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh)
+#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2_VACPP)
#include <sys/param.h>
#endif
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
--- a/dbm/src/mktemp.c
+++ b/dbm/src/mktemp.c
@@ -42,20 +42,24 @@ static char sccsid[] = "@(#)mktemp.c 8.1
#include <sys/stat.h>
#endif
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <ctype.h>
#include "mcom_db.h"
-#ifndef _WINDOWS
+#if !defined(_WINDOWS) && !defined(XP_OS2_VACPP)
#include <unistd.h>
#endif
+#ifdef XP_OS2_VACPP
+#include <process.h>
+#endif
+
#ifdef _WINDOWS
#include <process.h>
#include "winfile.h"
#endif
static int _gettemp(char *path, register int *doopen, int extraFlags);
int
--- a/dbm/src/snprintf.c
+++ b/dbm/src/snprintf.c
@@ -11,40 +11,40 @@
#include "cdefs.h"
#endif
#include "prtypes.h"
#include <ncompat.h>
/* The OS/2 VAC compiler doesn't appear to define __STDC__ and won't let us define it either */
-#ifdef __STDC__
+#if defined(__STDC__) || defined(XP_OS2_VACPP)
#include <stdarg.h>
#else
#include <varargs.h>
#endif
int
-#ifdef __STDC__
+#if defined(__STDC__) || defined(XP_OS2_VACPP)
snprintf(char *str, size_t n, const char *fmt, ...)
#else
snprintf(str, n, fmt, va_alist)
char *str;
size_t n;
const char *fmt;
va_dcl
#endif
{
va_list ap;
#ifdef VSPRINTF_CHARSTAR
char *rp;
#else
int rval;
#endif
-#ifdef __STDC__
+#if defined(__STDC__) || defined(XP_OS2_VACPP)
va_start(ap, fmt);
#else
va_start(ap);
#endif
#ifdef VSPRINTF_CHARSTAR
rp = vsprintf(str, fmt, ap);
va_end(ap);
return (strlen(rp));
--- a/nsprpub/pkg/linux/Makefile.in
+++ b/nsprpub/pkg/linux/Makefile.in
@@ -33,17 +33,17 @@
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
#
-#ident "$Id: Makefile.in,v 1.10 2005/11/18 21:50:20 christophe.ravel.bugs%sun.com Exp $"
+#ident "$Id: Makefile.in,v 1.11 2008/10/20 22:38:45 christophe.ravel.bugs%sun.com Exp $"
#
MOD_DEPTH = ../..
topsrcdir = @top_srcdir@
srcdir = @srcdir@
VPATH = @srcdir@
NAME = sun-nspr
@@ -69,17 +69,17 @@ endif
publish:
$(MAKE) clean
mkdir -p SOURCES SRPMS RPMS BUILD
(cd $(dist_libdir) && tar cphf - libnspr4.so libplds4.so libplc4.so) \
| (mkdir -p opt/sun/private/$(RPMLIBDIR) && cd opt/sun/private/$(RPMLIBDIR) && tar xvfBp -)
(cd $(dist_includedir) && tar cphf - .) \
| (mkdir -p opt/sun/private/include/nspr && cd opt/sun/private/include/nspr && tar xvfBp -)
(cd opt/sun/private/include/nspr && \
- rm -rf md private obsolete/pralarm.h obsolete/probslet.h obsolete/prsem.h)
+ rm -rf md)
tar czvf SOURCES/$(NAME)-$(VERSION).tar.gz opt
echo "%define name $(NAME)" >$(SPECFILE)
echo "%define version $(VERSION)" >>$(SPECFILE)
echo "%define release $(RPM_RELEASE)" >>$(SPECFILE)
echo "%define buildroot `pwd`/$(NAME)-root" >>$(SPECFILE)
echo "%define _topdir `pwd`" >>$(SPECFILE)
echo "%define _unpackaged_files_terminate_build 0" >>$(SPECFILE)
cat $(srcdir)/$(NAME).spec >>$(SPECFILE)
@@ -95,16 +95,17 @@ publish:
echo "%files devel" >>$(SPECFILE)
echo "%defattr(-,root,root)" >>$(SPECFILE)
echo "%dir /opt" >>$(SPECFILE)
echo "%dir /opt/sun" >>$(SPECFILE)
echo "%dir /opt/sun/private" >>$(SPECFILE)
echo "%dir /opt/sun/private/include" >>$(SPECFILE)
echo "%dir /opt/sun/private/include/nspr" >>$(SPECFILE)
echo "%dir /opt/sun/private/include/nspr/obsolete" >>$(SPECFILE)
+ echo "%dir /opt/sun/private/include/nspr/private" >>$(SPECFILE)
find opt -type f \( -name "*.h" \) \
| sed -e "s-^-/-" >>$(SPECFILE)
rpmbuild $(RPMTARGET) -bb $(SPECFILE)
clean:
rm -rf $(TOPDIR)/BUILD/$(NAME)
rm -rf SOURCES SRPMS RPMS BUILD
rm -rf RPMS SRPMS opt
--- a/nsprpub/pkg/solaris/SUNWprd/prototype
+++ b/nsprpub/pkg/solaris/SUNWprd/prototype
@@ -33,17 +33,17 @@
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
#
-#ident "$Id: prototype,v 1.4 2006/04/05 20:57:09 wtchang%redhat.com Exp $"
+#ident "$Id: prototype,v 1.5 2008/10/20 22:38:46 christophe.ravel.bugs%sun.com Exp $"
#
# This required package information file contains a list of package contents.
# The 'pkgmk' command uses this file to identify the contents of a package
# and their location on the development machine when building the package.
# Can be created via a text editor or through use of the 'pkgproto' command.
#!search <pathname pathname ...> # where to find pkg objects
#!include <filename> # include another 'prototype' file
@@ -58,17 +58,21 @@ i depend
# source locations relative to .h 0644 root bine prototype file
#
# SUNWprd
#
d none usr 0755 root sys
d none usr/include 0755 root bin
d none usr/include/mps 0755 root bin
d none usr/include/mps/obsolete 0755 root bin
+d none usr/include/mps/private 0755 root bin
+f none usr/include/mps/obsolete/pralarm.h 0644 root bin
+f none usr/include/mps/obsolete/probslet.h 0644 root bin
f none usr/include/mps/obsolete/protypes.h 0644 root bin
+f none usr/include/mps/obsolete/prsem.h 0644 root bin
f none usr/include/mps/prcpucfg.h 0644 root bin
f none usr/include/mps/nspr.h 0644 root bin
f none usr/include/mps/pratom.h 0644 root bin
f none usr/include/mps/prbit.h 0644 root bin
f none usr/include/mps/prclist.h 0644 root bin
f none usr/include/mps/prcmon.h 0644 root bin
f none usr/include/mps/prcountr.h 0644 root bin
f none usr/include/mps/prcvar.h 0644 root bin
@@ -76,16 +80,19 @@ f none usr/include/mps/prdtoa.h 0644 roo
f none usr/include/mps/prenv.h 0644 root bin
f none usr/include/mps/prerr.h 0644 root bin
f none usr/include/mps/prerror.h 0644 root bin
f none usr/include/mps/prinet.h 0644 root bin
f none usr/include/mps/prinit.h 0644 root bin
f none usr/include/mps/prinrval.h 0644 root bin
f none usr/include/mps/prio.h 0644 root bin
f none usr/include/mps/pripcsem.h 0644 root bin
+f none usr/include/mps/private/pprio.h 0644 root bin
+f none usr/include/mps/private/pprthred.h 0644 root bin
+f none usr/include/mps/private/prpriv.h 0644 root bin
f none usr/include/mps/prlink.h 0644 root bin
f none usr/include/mps/prlock.h 0644 root bin
f none usr/include/mps/prlog.h 0644 root bin
f none usr/include/mps/prlong.h 0644 root bin
f none usr/include/mps/prmem.h 0644 root bin
f none usr/include/mps/prmon.h 0644 root bin
f none usr/include/mps/prmwait.h 0644 root bin
f none usr/include/mps/prnetdb.h 0644 root bin
--- a/nsprpub/pr/include/prinit.h
+++ b/nsprpub/pr/include/prinit.h
@@ -58,21 +58,21 @@ PR_BEGIN_EXTERN_C
/*
** NSPR's version is used to determine the likelihood that the version you
** used to build your component is anywhere close to being compatible with
** what is in the underlying library.
**
** The format of the version string is
** "<major version>.<minor version>[.<patch level>] [<Beta>]"
*/
-#define PR_VERSION "4.7.2 Beta 4"
+#define PR_VERSION "4.7.2"
#define PR_VMAJOR 4
#define PR_VMINOR 7
#define PR_VPATCH 2
-#define PR_BETA PR_TRUE
+#define PR_BETA PR_FALSE
/*
** PRVersionCheck
**
** The basic signature of the function that is called to provide version
** checking. The result will be a boolean that indicates the likelihood
** that the underling library will perform as the caller expects.
**
--- a/nsprpub/pr/src/misc/prtime.c
+++ b/nsprpub/pr/src/misc/prtime.c
@@ -1693,39 +1693,47 @@ PR_ParseTimeString(
*-----------------------------------------------------------------------
*/
PR_IMPLEMENT(PRUint32)
PR_FormatTime(char *buf, int buflen, const char *fmt, const PRExplodedTime *tm)
{
size_t rv;
struct tm a;
- a.tm_sec = tm->tm_sec;
- a.tm_min = tm->tm_min;
- a.tm_hour = tm->tm_hour;
- a.tm_mday = tm->tm_mday;
- a.tm_mon = tm->tm_month;
- a.tm_wday = tm->tm_wday;
- a.tm_year = tm->tm_year - 1900;
- a.tm_yday = tm->tm_yday;
- a.tm_isdst = tm->tm_params.tp_dst_offset ? 1 : 0;
+ struct tm *ap;
-/*
- * On some platforms, for example SunOS 4, struct tm has two additional
- * fields: tm_zone and tm_gmtoff.
- */
+ if (tm) {
+ ap = &a;
+ a.tm_sec = tm->tm_sec;
+ a.tm_min = tm->tm_min;
+ a.tm_hour = tm->tm_hour;
+ a.tm_mday = tm->tm_mday;
+ a.tm_mon = tm->tm_month;
+ a.tm_wday = tm->tm_wday;
+ a.tm_year = tm->tm_year - 1900;
+ a.tm_yday = tm->tm_yday;
+ a.tm_isdst = tm->tm_params.tp_dst_offset ? 1 : 0;
+
+ /*
+ * On some platforms, for example SunOS 4, struct tm has two
+ * additional fields: tm_zone and tm_gmtoff.
+ */
#if defined(SUNOS4) || (__GLIBC__ >= 2) || defined(XP_BEOS) \
|| defined(NETBSD) || defined(OPENBSD) || defined(FREEBSD) \
|| defined(DARWIN) || defined(SYMBIAN)
- a.tm_zone = NULL;
- a.tm_gmtoff = tm->tm_params.tp_gmt_offset + tm->tm_params.tp_dst_offset;
+ a.tm_zone = NULL;
+ a.tm_gmtoff = tm->tm_params.tp_gmt_offset +
+ tm->tm_params.tp_dst_offset;
#endif
+ } else {
+ ap = NULL;
+ }
- rv = strftime(buf, buflen, fmt, &a);
+ rv = strftime(buf, buflen, fmt, ap);
if (!rv && buf && buflen > 0) {
/*
* When strftime fails, the contents of buf are indeterminate.
* Some callers don't check the return value from this function,
* so store an empty string in buf in case they try to print it.
*/
buf[0] = '\0';
}
--- a/nsprpub/pr/tests/formattm.c
+++ b/nsprpub/pr/tests/formattm.c
@@ -39,21 +39,44 @@
#include "prtime.h"
#include <stdio.h>
int main()
{
char buffer[256];
+ char small_buffer[8];
PRTime now;
PRExplodedTime tod;
now = PR_Now();
PR_ExplodeTime(now, PR_LocalTimeParameters, &tod);
- (void)PR_FormatTime(buffer, sizeof(buffer),
- "%a %b %d %H:%M:%S %Z %Y", &tod);
- printf("%s\n", buffer);
+
+ if (PR_FormatTime(buffer, sizeof(buffer),
+ "%a %b %d %H:%M:%S %Z %Y", &tod) != 0) {
+ printf("%s\n", buffer);
+ } else {
+ fprintf(stderr, "PR_FormatTime(buffer) failed\n");
+ return 1;
+ }
+
+ small_buffer[0] = '?';
+ if (PR_FormatTime(small_buffer, sizeof(small_buffer),
+ "%a %b %d %H:%M:%S %Z %Y", &tod) == 0) {
+ if (small_buffer[0] != '\0') {
+ fprintf(stderr, "PR_FormatTime(small_buffer) did not output "
+ "an empty string on failure\n");
+ return 1;
+ }
+ printf("%s\n", small_buffer);
+ } else {
+ fprintf(stderr, "PR_FormatTime(small_buffer) succeeded "
+ "unexpectedly\n");
+ return 1;
+ }
+
(void)PR_FormatTimeUSEnglish(buffer, sizeof(buffer),
"%a %b %d %H:%M:%S %Z %Y", &tod);
printf("%s\n", buffer);
+
return 0;
}
old mode 100644
new mode 100755
--- a/security/coreconf/Linux.mk
+++ b/security/coreconf/Linux.mk
@@ -180,8 +180,11 @@ LDFLAGS += $(ARCHFLAG)
# INCLUDES += -I/usr/include -Y/usr/include/linux
G++INCLUDES = -I/usr/include/g++
#
# Always set CPU_TAG on Linux, OpenVMS, WINCE.
#
CPU_TAG = _$(CPU_ARCH)
+
+USE_SYSTEM_ZLIB = 1
+ZLIB_LIBS = -lz
--- a/security/coreconf/UNIX.mk
+++ b/security/coreconf/UNIX.mk
@@ -41,17 +41,19 @@ DLL_SUFFIX = so
AR = ar cr $@
LDOPTS += -L$(SOURCE_LIB_DIR)
ifdef BUILD_OPT
OPTIMIZER += -O
DEFINES += -UDEBUG -DNDEBUG
else
OPTIMIZER += -g
- DEFINES += -DDEBUG -UNDEBUG -DDEBUG_$(shell whoami)
+ USERNAME := $(shell whoami)
+ USERNAME := $(subst -,_,$(USERNAME))
+ DEFINES += -DDEBUG -UNDEBUG -DDEBUG_$(USERNAME)
endif
ifdef BUILD_TREE
NSINSTALL_DIR = $(BUILD_TREE)/nss
NSINSTALL = $(BUILD_TREE)/nss/nsinstall
else
NSINSTALL_DIR = $(CORE_DEPTH)/coreconf/nsinstall
NSINSTALL = $(NSINSTALL_DIR)/$(OBJDIR_NAME)/nsinstall
--- a/security/coreconf/WINNT6.0.mk
+++ b/security/coreconf/WINNT6.0.mk
@@ -71,82 +71,8 @@ endif
#
# Win NT needs -GT so that fibers can work
#
OS_CFLAGS += -GT
DEFINES += -DWINNT
NSPR31_LIB_PREFIX = lib
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-# Robert Longson <longsonr@gmail.com>
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#
-# Config stuff for WINNT 6.0 (Windows Vista)
-#
-# This makefile defines the following variables:
-# OS_CFLAGS and OS_DLLFLAGS.
-
-include $(CORE_DEPTH)/coreconf/WIN32.mk
-
-ifeq ($(CPU_ARCH), x386)
- OS_CFLAGS += -W3 -nologo
- DEFINES += -D_X86_
-else
- ifeq ($(CPU_ARCH), MIPS)
- #OS_CFLAGS += -W3 -nologo
- #DEFINES += -D_MIPS_
- OS_CFLAGS += -W3 -nologo
- else
- ifeq ($(CPU_ARCH), ALPHA)
- OS_CFLAGS += -W3 -nologo
- DEFINES += -D_ALPHA_=1
- endif
- endif
-endif
-
-OS_DLLFLAGS += -nologo -DLL -SUBSYSTEM:WINDOWS
-ifndef MOZ_DEBUG_SYMBOLS
- OS_DLLFLAGS += -PDB:NONE
-endif
-
-#
-# Win NT needs -GT so that fibers can work
-#
-OS_CFLAGS += -GT
-DEFINES += -DWINNT
-
-NSPR31_LIB_PREFIX = lib
--- a/security/coreconf/nsinstall/nsinstall.c
+++ b/security/coreconf/nsinstall/nsinstall.c
@@ -354,16 +354,18 @@ retry:
if (rmrv < 0) {
fail("destination exists, cannot remove %s", toname);
}
exists = 0;
}
if (!exists && symlink(name, toname) < 0) {
if (errno == EEXIST) {
fprintf(stderr, "symlink creation race: %s\n", toname);
+ fail("symlink was attempted in working directory %s "
+ "from %s to %s.\n", cwd, name, toname);
goto retry;
}
diagnosePath(toname);
fail("cannot make symbolic link %s", toname);
}
#ifdef HAVE_LCHOWN
if ((owner || group) && lchown(toname, uid, gid) < 0)
fail("cannot change owner of %s", toname);
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/Makefile
+++ /dev/null
@@ -1,48 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# do these once for each target program
-all default export libs program install release_export::
- $(MAKE) -f make.client $@
- $(MAKE) -f make.server $@
-
-# only do these things once for the whole directory
-depend dependclean clean clobber realclean clobber_all release_classes release_clean release_cpdistdir release_export release_jars release_md release_policy show::
- $(MAKE) -f make.client $@
-
-
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/README
+++ /dev/null
@@ -1,35 +0,0 @@
-These sample programs can be built in either of two ways:
-1) is the NSS source tree, using the coreconf build system, and
-2) stand alone (as part of the NSS distribution).
-
-The following makefiles are used only when building in the NSS source tree
-using coreconf. These are NOT part of the distribution.
-
-Makefile
-client.mn
-server.mn
-config.mk
-make.client
-make.server
-
-The following source files are common to both build environments and are
-part of the distribution.
-
-NSPRerrs.h
-SECerrs.h
-SSLerrs.h
-client.c
-getopt.c
-server.c
-sslerror.h
-
-In the NSS 2.0 distribution, the sample code and makefiles are in a
-directory named "samples". The directories relevant to building
-in the distributed tree are:
-
-./samples
-./include/dbm
-./include/nspr
-./include/security
-./lib
-
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/client.c
+++ /dev/null
@@ -1,456 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/****************************************************************************
- * SSL client program that sets up a connection to SSL server, transmits *
- * some data and then reads the reply *
- ****************************************************************************/
-
-#include <stdio.h>
-#include <string.h>
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-
-#include "prerror.h"
-
-#include "pk11func.h"
-#include "secitem.h"
-
-
-#include <stdlib.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <stdarg.h>
-
-#include "nspr.h"
-#include "plgetopt.h"
-#include "prio.h"
-#include "prnetdb.h"
-#include "nss.h"
-
-#include "sslsample.h"
-
-#define RD_BUF_SIZE (60 * 1024)
-
-extern int ssl2CipherSuites[];
-extern int ssl3CipherSuites[];
-
-GlobalThreadMgr threadMGR;
-char *certNickname = NULL;
-char *hostName = NULL;
-char *password = NULL;
-unsigned short port = 0;
-
-static void
-Usage(const char *progName)
-{
- fprintf(stderr,
- "Usage: %s [-n rsa_nickname] [-p port] [-d dbdir] [-c connections]\n"
- " [-w dbpasswd] [-C cipher(s)] hostname\n",
- progName);
- exit(1);
-}
-
-PRFileDesc *
-setupSSLSocket(PRNetAddr *addr)
-{
- PRFileDesc *tcpSocket;
- PRFileDesc *sslSocket;
- PRSocketOptionData socketOption;
- PRStatus prStatus;
- SECStatus secStatus;
-
-#if 0
-retry:
-#endif
-
- tcpSocket = PR_NewTCPSocket();
- if (tcpSocket == NULL) {
- errWarn("PR_NewTCPSocket");
- }
-
- /* Make the socket blocking. */
- socketOption.option = PR_SockOpt_Nonblocking;
- socketOption.value.non_blocking = PR_FALSE;
-
- prStatus = PR_SetSocketOption(tcpSocket, &socketOption);
- if (prStatus != PR_SUCCESS) {
- errWarn("PR_SetSocketOption");
- goto loser;
- }
-
-#if 0
- /* Verify that a connection can be made to the socket. */
- prStatus = PR_Connect(tcpSocket, addr, PR_INTERVAL_NO_TIMEOUT);
- if (prStatus != PR_SUCCESS) {
- PRErrorCode err = PR_GetError();
- if (err == PR_CONNECT_REFUSED_ERROR) {
- PR_Close(tcpSocket);
- PR_Sleep(PR_MillisecondsToInterval(10));
- fprintf(stderr, "Connection to port refused, retrying.\n");
- goto retry;
- }
- errWarn("PR_Connect");
- goto loser;
- }
-#endif
-
- /* Import the socket into the SSL layer. */
- sslSocket = SSL_ImportFD(NULL, tcpSocket);
- if (!sslSocket) {
- errWarn("SSL_ImportFD");
- goto loser;
- }
-
- /* Set configuration options. */
- secStatus = SSL_OptionSet(sslSocket, SSL_SECURITY, PR_TRUE);
- if (secStatus != SECSuccess) {
- errWarn("SSL_OptionSet:SSL_SECURITY");
- goto loser;
- }
-
- secStatus = SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
- if (secStatus != SECSuccess) {
- errWarn("SSL_OptionSet:SSL_HANDSHAKE_AS_CLIENT");
- goto loser;
- }
-
- /* Set SSL callback routines. */
- secStatus = SSL_GetClientAuthDataHook(sslSocket,
- (SSLGetClientAuthData)myGetClientAuthData,
- (void *)certNickname);
- if (secStatus != SECSuccess) {
- errWarn("SSL_GetClientAuthDataHook");
- goto loser;
- }
-
- secStatus = SSL_AuthCertificateHook(sslSocket,
- (SSLAuthCertificate)myAuthCertificate,
- (void *)CERT_GetDefaultCertDB());
- if (secStatus != SECSuccess) {
- errWarn("SSL_AuthCertificateHook");
- goto loser;
- }
-
- secStatus = SSL_BadCertHook(sslSocket,
- (SSLBadCertHandler)myBadCertHandler, NULL);
- if (secStatus != SECSuccess) {
- errWarn("SSL_BadCertHook");
- goto loser;
- }
-
- secStatus = SSL_HandshakeCallback(sslSocket,
- myHandshakeCallback,
- NULL);
- if (secStatus != SECSuccess) {
- errWarn("SSL_HandshakeCallback");
- goto loser;
- }
-
- return sslSocket;
-
-loser:
-
- PR_Close(tcpSocket);
- return NULL;
-}
-
-
-const char requestString[] = {"GET /testfile HTTP/1.0\r\n\r\n" };
-
-SECStatus
-handle_connection(PRFileDesc *sslSocket, int connection)
-{
- int countRead = 0;
- PRInt32 numBytes;
- char *readBuffer;
-
- readBuffer = PORT_Alloc(RD_BUF_SIZE);
- if (!readBuffer) {
- exitErr("PORT_Alloc");
- }
-
- /* compose the http request here. */
-
- numBytes = PR_Write(sslSocket, requestString, strlen(requestString));
- if (numBytes <= 0) {
- errWarn("PR_Write");
- PR_Free(readBuffer);
- readBuffer = NULL;
- return SECFailure;
- }
-
- /* read until EOF */
- while (PR_TRUE) {
- numBytes = PR_Read(sslSocket, readBuffer, RD_BUF_SIZE);
- if (numBytes == 0) {
- break; /* EOF */
- }
- if (numBytes < 0) {
- errWarn("PR_Read");
- break;
- }
- countRead += numBytes;
- fprintf(stderr, "***** Connection %d read %d bytes (%d total).\n",
- connection, numBytes, countRead );
- readBuffer[numBytes] = '\0';
- fprintf(stderr, "************\n%s\n************\n", readBuffer);
- }
-
- printSecurityInfo(sslSocket);
-
- PR_Free(readBuffer);
- readBuffer = NULL;
-
- /* Caller closes the socket. */
-
- fprintf(stderr,
- "***** Connection %d read %d bytes total.\n",
- connection, countRead);
-
- return SECSuccess; /* success */
-}
-
-/* one copy of this function is launched in a separate thread for each
-** connection to be made.
-*/
-SECStatus
-do_connects(void *a, int connection)
-{
- PRNetAddr *addr = (PRNetAddr *)a;
- PRFileDesc *sslSocket;
- PRHostEnt hostEntry;
- char buffer[PR_NETDB_BUF_SIZE];
- PRStatus prStatus;
- PRIntn hostenum;
- SECStatus secStatus;
-
- /* Set up SSL secure socket. */
- sslSocket = setupSSLSocket(addr);
- if (sslSocket == NULL) {
- errWarn("setupSSLSocket");
- return SECFailure;
- }
-
- secStatus = SSL_SetPKCS11PinArg(sslSocket, password);
- if (secStatus != SECSuccess) {
- errWarn("SSL_SetPKCS11PinArg");
- return secStatus;
- }
-
- secStatus = SSL_SetURL(sslSocket, hostName);
- if (secStatus != SECSuccess) {
- errWarn("SSL_SetURL");
- return secStatus;
- }
-
- /* Prepare and setup network connection. */
- prStatus = PR_GetHostByName(hostName, buffer, sizeof(buffer), &hostEntry);
- if (prStatus != PR_SUCCESS) {
- errWarn("PR_GetHostByName");
- return SECFailure;
- }
-
- hostenum = PR_EnumerateHostEnt(0, &hostEntry, port, addr);
- if (hostenum == -1) {
- errWarn("PR_EnumerateHostEnt");
- return SECFailure;
- }
-
- prStatus = PR_Connect(sslSocket, addr, PR_INTERVAL_NO_TIMEOUT);
- if (prStatus != PR_SUCCESS) {
- errWarn("PR_Connect");
- return SECFailure;
- }
-
- /* Established SSL connection, ready to send data. */
-#if 0
- secStatus = SSL_ForceHandshake(sslSocket);
- if (secStatus != SECSuccess) {
- errWarn("SSL_ForceHandshake");
- return secStatus;
- }
-#endif
-
- secStatus = SSL_ResetHandshake(sslSocket, /* asServer */ PR_FALSE);
- if (secStatus != SECSuccess) {
- errWarn("SSL_ResetHandshake");
- prStatus = PR_Close(sslSocket);
- if (prStatus != PR_SUCCESS) {
- errWarn("PR_Close");
- }
- return secStatus;
- }
-
- secStatus = handle_connection(sslSocket, connection);
- if (secStatus != SECSuccess) {
- errWarn("handle_connection");
- return secStatus;
- }
-
- PR_Close(sslSocket);
- return SECSuccess;
-}
-
-void
-client_main(unsigned short port,
- int connections,
- const char * hostName)
-{
- int i;
- SECStatus secStatus;
- PRStatus prStatus;
- PRInt32 rv;
- PRNetAddr addr;
- PRHostEnt hostEntry;
- char buffer[256];
-
- /* Setup network connection. */
- prStatus = PR_GetHostByName(hostName, buffer, 256, &hostEntry);
- if (prStatus != PR_SUCCESS) {
- exitErr("PR_GetHostByName");
- }
-
- rv = PR_EnumerateHostEnt(0, &hostEntry, port, &addr);
- if (rv < 0) {
- exitErr("PR_EnumerateHostEnt");
- }
-
- secStatus = launch_thread(&threadMGR, do_connects, &addr, 1);
- if (secStatus != SECSuccess) {
- exitErr("launch_thread");
- }
-
- if (connections > 1) {
- /* wait for the first connection to terminate, then launch the rest. */
- reap_threads(&threadMGR);
- /* Start up the connections */
- for (i = 2; i <= connections; ++i) {
- secStatus = launch_thread(&threadMGR, do_connects, &addr, i);
- if (secStatus != SECSuccess) {
- errWarn("launch_thread");
- }
- }
- }
-
- reap_threads(&threadMGR);
- destroy_thread_data(&threadMGR);
-}
-
-int
-main(int argc, char **argv)
-{
- char * certDir = ".";
- char * progName = NULL;
- int connections = 1;
- char * cipherString = NULL;
- SECStatus secStatus;
- PLOptState * optstate;
- PLOptStatus status;
-
- /* Call the NSPR initialization routines */
- PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-
- progName = PL_strdup(argv[0]);
-
- hostName = NULL;
- optstate = PL_CreateOptState(argc, argv, "C:c:d:n:p:w:");
- while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
- switch(optstate->option) {
- case 'C' : cipherString = PL_strdup(optstate->value); break;
- case 'c' : connections = PORT_Atoi(optstate->value); break;
- case 'd' : certDir = PL_strdup(optstate->value); break;
- case 'n' : certNickname = PL_strdup(optstate->value); break;
- case 'p' : port = PORT_Atoi(optstate->value); break;
- case 'w' : password = PL_strdup(optstate->value); break;
- case '\0': hostName = PL_strdup(optstate->value); break;
- default : Usage(progName);
- }
- }
-
- if (port == 0 || hostName == NULL)
- Usage(progName);
-
- if (certDir == NULL) {
- certDir = PR_smprintf("%s/.netscape", getenv("HOME"));
- }
-
- /* Set our password function callback. */
- PK11_SetPasswordFunc(myPasswd);
-
- /* Initialize the NSS libraries. */
- secStatus = NSS_Init(certDir);
- if (secStatus != SECSuccess) {
- exitErr("NSS_Init");
- }
-
- /* All cipher suites except RSA_NULL_MD5 are enabled by Domestic Policy. */
- NSS_SetDomesticPolicy();
- SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE);
-
- /* all the SSL2 and SSL3 cipher suites are enabled by default. */
- if (cipherString) {
- int ndx;
-
- /* disable all the ciphers, then enable the ones we want. */
- disableAllSSLCiphers();
-
- while (0 != (ndx = *cipherString++)) {
- int *cptr;
- int cipher;
-
- if (! isalpha(ndx))
- Usage(progName);
- cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
- for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
- /* do nothing */;
- if (cipher) {
- SSL_CipherPrefSetDefault(cipher, PR_TRUE);
- }
- }
- }
-
- client_main(port, connections, hostName);
-
- if (NSS_Shutdown() != SECSuccess) {
- exit(1);
- }
- PR_Cleanup();
- return 0;
-}
-
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/client.mn
+++ /dev/null
@@ -1,50 +0,0 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-EXPORTS =
-
-CSRCS = client.c \
- sslsample.c \
- $(NULL)
-
-PROGRAM = client
-
-IMPORTS = nss/lib/nss
-
deleted file mode 100755
--- a/security/nss/cmd/SSLsample/gencerts
+++ /dev/null
@@ -1,81 +0,0 @@
-#!/bin/sh
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-# Directory for db's, use in all subsequent -d flags.
-rm -rf SampleCertDBs
-mkdir SampleCertDBs
-
-# Password to use.
-echo sample > passfile
-
-# Generate the db files, using the above password.
-certutil -N -d SampleCertDBs -f passfile
-
-# Generate the CA cert. This cert is self-signed and only useful for
-# test purposes. Set the trust bits to allow it to sign SSL client/server
-# certs.
-certutil -S -n SampleRootCA -x -t "CTu,CTu,CTu" \
- -s "CN=My Sample Root CA, O=My Organization" \
- -m 25000 -o ./SampleCertDBs/SampleRootCA.crt \
- -d SampleCertDBs -f passfile
-
-# Generate the server cert. This cert is signed by the CA cert generated
-# above. The CN must be hostname.domain.[com|org|net|...].
-certutil -S -n SampleSSLServerCert -c SampleRootCA -t "u,u,u" \
- -s "CN=$HOSTNAME.$MYDOMAIN, O=$HOSTNAME Corp." \
- -m 25001 -o ./SampleCertDBs/SampleSSLServer.crt \
- -d SampleCertDBs -f passfile
-
-# Generate the client cert. This cert is signed by the CA cert generated
-# above.
-certutil -S -n SampleSSLClientCert -c SampleRootCA -t "u,u,u" \
- -s "CN=My Client Cert, O=Client Organization" \
- -m 25002 -o ./SampleCertDBs/SampleSSLClient.crt \
- -d SampleCertDBs -f passfile
-
-# Verify the certificates.
-certutil -V -u V -n SampleSSLServerCert -d SampleCertDBs
-certutil -V -u C -n SampleSSLClientCert -d SampleCertDBs
-
-# Remove unneccessary files.
-rm -f passfile
-rm -f tempcert*
-
-# You are now ready to run your client/server! Example command lines:
-# server -n SampleSSLServerCert -p 8080 -d SampleCertDBs -w sample -c e -R
-# client -n SampleSSLClientCert -p 8080 -d SampleCertDBs -w sample -c 2 trane.mcom.com
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/make.client
+++ /dev/null
@@ -1,81 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include client.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-#include $(CORE_DEPTH)/$(MODULE)/config/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-#CC = cc
-
-
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/make.server
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-#
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include server.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-#include $(CORE_DEPTH)/$(MODULE)/config/config.mk
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-
-
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/server.c
+++ /dev/null
@@ -1,821 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/****************************************************************************
- * SSL server program listens on a port, accepts client connection, reads *
- * request and responds to it *
- ****************************************************************************/
-
-/* Generic header files */
-
-#include <stdio.h>
-#include <string.h>
-
-/* NSPR header files */
-
-#include "nspr.h"
-#include "plgetopt.h"
-#include "prerror.h"
-#include "prnetdb.h"
-
-/* NSS header files */
-
-#include "pk11func.h"
-#include "secitem.h"
-#include "ssl.h"
-#include "certt.h"
-#include "nss.h"
-#include "secder.h"
-#include "key.h"
-#include "sslproto.h"
-
-/* Custom header files */
-
-#include "sslsample.h"
-
-#ifndef PORT_Sprintf
-#define PORT_Sprintf sprintf
-#endif
-
-#define REQUEST_CERT_ONCE 1
-#define REQUIRE_CERT_ONCE 2
-#define REQUEST_CERT_ALL 3
-#define REQUIRE_CERT_ALL 4
-
-/* Global variables */
-GlobalThreadMgr threadMGR;
-char *password = NULL;
-CERTCertificate *cert = NULL;
-SECKEYPrivateKey *privKey = NULL;
-int stopping;
-
-static void
-Usage(const char *progName)
-{
- fprintf(stderr,
-
-"Usage: %s -n rsa_nickname -p port [-3RFrf] [-w password]\n"
-" [-c ciphers] [-d dbdir] \n"
-"-3 means disable SSL v3\n"
-"-r means request certificate on first handshake.\n"
-"-f means require certificate on first handshake.\n"
-"-R means request certificate on all handshakes.\n"
-"-F means require certificate on all handshakes.\n"
-"-c ciphers Letter(s) chosen from the following list\n"
-"A SSL2 RC4 128 WITH MD5\n"
-"B SSL2 RC4 128 EXPORT40 WITH MD5\n"
-"C SSL2 RC2 128 CBC WITH MD5\n"
-"D SSL2 RC2 128 CBC EXPORT40 WITH MD5\n"
-"E SSL2 DES 64 CBC WITH MD5\n"
-"F SSL2 DES 192 EDE3 CBC WITH MD5\n"
-"\n"
-"c SSL3 RSA WITH RC4 128 MD5\n"
-"d SSL3 RSA WITH 3DES EDE CBC SHA\n"
-"e SSL3 RSA WITH DES CBC SHA\n"
-"f SSL3 RSA EXPORT WITH RC4 40 MD5\n"
-"g SSL3 RSA EXPORT WITH RC2 CBC 40 MD5\n"
-"i SSL3 RSA WITH NULL MD5\n"
-"j SSL3 RSA FIPS WITH 3DES EDE CBC SHA\n"
-"k SSL3 RSA FIPS WITH DES CBC SHA\n"
-"l SSL3 RSA EXPORT WITH DES CBC SHA\t(new)\n"
-"m SSL3 RSA EXPORT WITH RC4 56 SHA\t(new)\n",
- progName);
- exit(1);
-}
-
-/* Function: readDataFromSocket()
- *
- * Purpose: Parse an HTTP request by reading data from a GET or POST.
- *
- */
-SECStatus
-readDataFromSocket(PRFileDesc *sslSocket, DataBuffer *buffer, char **fileName)
-{
- char *post;
- int numBytes = 0;
- int newln = 0; /* # of consecutive newlns */
-
- /* Read data while it comes in from the socket. */
- while (PR_TRUE) {
- buffer->index = 0;
- newln = 0;
-
- /* Read the buffer. */
- numBytes = PR_Read(sslSocket, &buffer->data[buffer->index],
- buffer->remaining);
- if (numBytes <= 0) {
- errWarn("PR_Read");
- return SECFailure;
- }
- buffer->dataEnd = buffer->dataStart + numBytes;
-
- /* Parse the input, starting at the beginning of the buffer.
- * Stop when we detect two consecutive \n's (or \r\n's)
- * as this signifies the end of the GET or POST portion.
- * The posted data follows.
- */
- while (buffer->index < buffer->dataEnd && newln < 2) {
- int octet = buffer->data[buffer->index++];
- if (octet == '\n') {
- newln++;
- } else if (octet != '\r') {
- newln = 0;
- }
- }
-
- /* Came to the end of the buffer, or second newline.
- * If we didn't get an empty line ("\r\n\r\n"), then keep on reading.
- */
- if (newln < 2)
- continue;
-
- /* we're at the end of the HTTP request.
- * If the request is a POST, then there will be one more
- * line of data.
- * This parsing is a hack, but ok for SSL test purposes.
- */
- post = PORT_Strstr(buffer->data, "POST ");
- if (!post || *post != 'P')
- break;
-
- /* It's a post, so look for the next and final CR/LF. */
- /* We should parse content length here, but ... */
- while (buffer->index < buffer->dataEnd && newln < 3) {
- int octet = buffer->data[buffer->index++];
- if (octet == '\n') {
- newln++;
- }
- }
-
- if (newln == 3)
- break;
- }
-
- /* Have either (a) a complete get, (b) a complete post, (c) EOF */
-
- /* Execute a "GET " operation. */
- if (buffer->index > 0 && PORT_Strncmp(buffer->data, "GET ", 4) == 0) {
- int fnLength;
-
- /* File name is the part after "GET ". */
- fnLength = strcspn(buffer->data + 5, " \r\n");
- *fileName = (char *)PORT_Alloc(fnLength + 1);
- PORT_Strncpy(*fileName, buffer->data + 5, fnLength);
- (*fileName)[fnLength] = '\0';
- }
-
- return SECSuccess;
-}
-
-/* Function: authenticateSocket()
- *
- * Purpose: Configure a socket for SSL.
- *
- *
- */
-PRFileDesc *
-setupSSLSocket(PRFileDesc *tcpSocket, int requestCert)
-{
- PRFileDesc *sslSocket;
- SSLKEAType certKEA;
- int certErr = 0;
- SECStatus secStatus;
-
- /* Set the appropriate flags. */
-
- sslSocket = SSL_ImportFD(NULL, tcpSocket);
- if (sslSocket == NULL) {
- errWarn("SSL_ImportFD");
- goto loser;
- }
-
- secStatus = SSL_OptionSet(sslSocket, SSL_SECURITY, PR_TRUE);
- if (secStatus != SECSuccess) {
- errWarn("SSL_OptionSet SSL_SECURITY");
- goto loser;
- }
-
- secStatus = SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_SERVER, PR_TRUE);
- if (secStatus != SECSuccess) {
- errWarn("SSL_OptionSet:SSL_HANDSHAKE_AS_SERVER");
- goto loser;
- }
-
- secStatus = SSL_OptionSet(sslSocket, SSL_REQUEST_CERTIFICATE,
- (requestCert >= REQUEST_CERT_ONCE));
- if (secStatus != SECSuccess) {
- errWarn("SSL_OptionSet:SSL_REQUEST_CERTIFICATE");
- goto loser;
- }
-
- secStatus = SSL_OptionSet(sslSocket, SSL_REQUIRE_CERTIFICATE,
- (requestCert == REQUIRE_CERT_ONCE));
- if (secStatus != SECSuccess) {
- errWarn("SSL_OptionSet:SSL_REQUIRE_CERTIFICATE");
- goto loser;
- }
-
- /* Set the appropriate callback routines. */
-
- secStatus = SSL_AuthCertificateHook(sslSocket, myAuthCertificate,
- CERT_GetDefaultCertDB());
- if (secStatus != SECSuccess) {
- errWarn("SSL_AuthCertificateHook");
- goto loser;
- }
-
- secStatus = SSL_BadCertHook(sslSocket,
- (SSLBadCertHandler)myBadCertHandler, &certErr);
- if (secStatus != SECSuccess) {
- errWarn("SSL_BadCertHook");
- goto loser;
- }
-
- secStatus = SSL_HandshakeCallback(sslSocket,
- myHandshakeCallback,
- NULL);
- if (secStatus != SECSuccess) {
- errWarn("SSL_HandshakeCallback");
- goto loser;
- }
-
- secStatus = SSL_SetPKCS11PinArg(sslSocket, password);
- if (secStatus != SECSuccess) {
- errWarn("SSL_HandshakeCallback");
- goto loser;
- }
-
- certKEA = NSS_FindCertKEAType(cert);
-
- secStatus = SSL_ConfigSecureServer(sslSocket, cert, privKey, certKEA);
- if (secStatus != SECSuccess) {
- errWarn("SSL_ConfigSecureServer");
- goto loser;
- }
-
- return sslSocket;
-
-loser:
-
- PR_Close(tcpSocket);
- return NULL;
-}
-
-/* Function: authenticateSocket()
- *
- * Purpose: Perform client authentication on the socket.
- *
- */
-SECStatus
-authenticateSocket(PRFileDesc *sslSocket, PRBool requireCert)
-{
- CERTCertificate *cert;
- SECStatus secStatus;
-
- /* Returns NULL if client authentication is not enabled or if the
- * client had no certificate. */
- cert = SSL_PeerCertificate(sslSocket);
- if (cert) {
- /* Client had a certificate, so authentication is through. */
- CERT_DestroyCertificate(cert);
- return SECSuccess;
- }
-
- /* Request client to authenticate itself. */
- secStatus = SSL_OptionSet(sslSocket, SSL_REQUEST_CERTIFICATE, PR_TRUE);
- if (secStatus != SECSuccess) {
- errWarn("SSL_OptionSet:SSL_REQUEST_CERTIFICATE");
- return SECFailure;
- }
-
- /* If desired, require client to authenticate itself. Note
- * SSL_REQUEST_CERTIFICATE must also be on, as above. */
- secStatus = SSL_OptionSet(sslSocket, SSL_REQUIRE_CERTIFICATE, requireCert);
- if (secStatus != SECSuccess) {
- errWarn("SSL_OptionSet:SSL_REQUIRE_CERTIFICATE");
- return SECFailure;
- }
-
- /* Having changed socket configuration parameters, redo handshake. */
- secStatus = SSL_ReHandshake(sslSocket, PR_TRUE);
- if (secStatus != SECSuccess) {
- errWarn("SSL_ReHandshake");
- return SECFailure;
- }
-
- /* Force the handshake to complete before moving on. */
- secStatus = SSL_ForceHandshake(sslSocket);
- if (secStatus != SECSuccess) {
- errWarn("SSL_ForceHandshake");
- return SECFailure;
- }
-
- return SECSuccess;
-}
-
-/* Function: writeDataToSocket
- *
- * Purpose: Write the client's request back to the socket. If the client
- * requested a file, dump it to the socket.
- *
- */
-SECStatus
-writeDataToSocket(PRFileDesc *sslSocket, DataBuffer *buffer, char *fileName)
-{
- int headerLength;
- int numBytes;
- char messageBuffer[120];
- PRFileDesc *local_file_fd = NULL;
- char header[] = "<html><body><h1>Sample SSL server</h1><br><br>";
- char filehd[] = "<h2>The file you requested:</h2><br>";
- char reqhd[] = "<h2>This is your request:</h2><br>";
- char link[] = "Try getting a <a HREF=\"../testfile\">file</a><br>";
- char footer[] = "<br><h2>End of request.</h2><br></body></html>";
-
- headerLength = PORT_Strlen(defaultHeader);
-
- /* Write a header to the socket. */
- numBytes = PR_Write(sslSocket, header, PORT_Strlen(header));
- if (numBytes < 0) {
- errWarn("PR_Write");
- goto loser;
- }
-
- if (fileName) {
- PRFileInfo info;
- PRStatus prStatus;
-
- /* Try to open the local file named.
- * If successful, then write it to the client.
- */
- prStatus = PR_GetFileInfo(fileName, &info);
- if (prStatus != PR_SUCCESS ||
- info.type != PR_FILE_FILE ||
- info.size < 0) {
- PORT_Free(fileName);
- /* Maybe a GET not sent from client.c? */
- goto writerequest;
- }
-
- local_file_fd = PR_Open(fileName, PR_RDONLY, 0);
- if (local_file_fd == NULL) {
- PORT_Free(fileName);
- goto writerequest;
- }
-
- /* Write a header to the socket. */
- numBytes = PR_Write(sslSocket, filehd, PORT_Strlen(filehd));
- if (numBytes < 0) {
- errWarn("PR_Write");
- goto loser;
- }
-
- /* Transmit the local file prepended by the default header
- * across the socket.
- */
- numBytes = PR_TransmitFile(sslSocket, local_file_fd,
- defaultHeader, headerLength,
- PR_TRANSMITFILE_KEEP_OPEN,
- PR_INTERVAL_NO_TIMEOUT);
-
- /* Error in transmission. */
- if (numBytes < 0) {
- errWarn("PR_TransmitFile");
- /*
- i = PORT_Strlen(errString);
- PORT_Memcpy(buf, errString, i);
- */
- /* Transmitted bytes successfully. */
- } else {
- numBytes -= headerLength;
- fprintf(stderr, "PR_TransmitFile wrote %d bytes from %s\n",
- numBytes, fileName);
- }
-
- PORT_Free(fileName);
- PR_Close(local_file_fd);
- }
-
-writerequest:
-
- /* Write a header to the socket. */
- numBytes = PR_Write(sslSocket, reqhd, PORT_Strlen(reqhd));
- if (numBytes < 0) {
- errWarn("PR_Write");
- goto loser;
- }
-
- /* Write the buffer data to the socket. */
- if (buffer->index <= 0) {
- /* Reached the EOF. Report incomplete transaction to socket. */
- PORT_Sprintf(messageBuffer,
- "GET or POST incomplete after %d bytes.\r\n",
- buffer->dataEnd);
- numBytes = PR_Write(sslSocket, messageBuffer,
- PORT_Strlen(messageBuffer));
- if (numBytes < 0) {
- errWarn("PR_Write");
- goto loser;
- }
- } else {
- /* Display the buffer data. */
- fwrite(buffer->data, 1, buffer->index, stdout);
- /* Write the buffer data to the socket. */
- numBytes = PR_Write(sslSocket, buffer->data, buffer->index);
- if (numBytes < 0) {
- errWarn("PR_Write");
- goto loser;
- }
- /* Display security information for the socket. */
- printSecurityInfo(sslSocket);
- /* Write any discarded data out to the socket. */
- if (buffer->index < buffer->dataEnd) {
- PORT_Sprintf(buffer->data, "Discarded %d characters.\r\n",
- buffer->dataEnd - buffer->index);
- numBytes = PR_Write(sslSocket, buffer->data,
- PORT_Strlen(buffer->data));
- if (numBytes < 0) {
- errWarn("PR_Write");
- goto loser;
- }
- }
- }
-
- /* Write a footer to the socket. */
- numBytes = PR_Write(sslSocket, footer, PORT_Strlen(footer));
- if (numBytes < 0) {
- errWarn("PR_Write");
- goto loser;
- }
-
- /* Write a link to the socket. */
- numBytes = PR_Write(sslSocket, link, PORT_Strlen(link));
- if (numBytes < 0) {
- errWarn("PR_Write");
- goto loser;
- }
-
- /* Complete the HTTP transaction. */
- numBytes = PR_Write(sslSocket, "EOF\r\n\r\n\r\n", 9);
- if (numBytes < 0) {
- errWarn("PR_Write");
- goto loser;
- }
-
- /* Do a nice shutdown if asked. */
- if (!strncmp(buffer->data, stopCmd, strlen(stopCmd))) {
- stopping = 1;
- }
- return SECSuccess;
-
-loser:
-
- /* Do a nice shutdown if asked. */
- if (!strncmp(buffer->data, stopCmd, strlen(stopCmd))) {
- stopping = 1;
- }
- return SECFailure;
-}
-
-/* Function: int handle_connection()
- *
- * Purpose: Thread to handle a connection to a socket.
- *
- */
-SECStatus
-handle_connection(void *tcp_sock, int requestCert)
-{
- PRFileDesc * tcpSocket = (PRFileDesc *)tcp_sock;
- PRFileDesc * sslSocket = NULL;
- SECStatus secStatus = SECFailure;
- PRStatus prStatus;
- PRSocketOptionData socketOption;
- DataBuffer buffer;
- char * fileName = NULL;
-
- /* Initialize the data buffer. */
- memset(buffer.data, 0, BUFFER_SIZE);
- buffer.remaining = BUFFER_SIZE;
- buffer.index = 0;
- buffer.dataStart = 0;
- buffer.dataEnd = 0;
-
- /* Make sure the socket is blocking. */
- socketOption.option = PR_SockOpt_Nonblocking;
- socketOption.value.non_blocking = PR_FALSE;
- PR_SetSocketOption(tcpSocket, &socketOption);
-
- sslSocket = setupSSLSocket(tcpSocket, requestCert);
- if (sslSocket == NULL) {
- errWarn("setupSSLSocket");
- goto cleanup;
- }
-
- secStatus = SSL_ResetHandshake(sslSocket, /* asServer */ PR_TRUE);
- if (secStatus != SECSuccess) {
- errWarn("SSL_ResetHandshake");
- goto cleanup;
- }
-
- /* Read data from the socket, parse it for HTTP content.
- * If the user is requesting/requiring authentication, authenticate
- * the socket. Then write the result back to the socket. */
- fprintf(stdout, "\nReading data from socket...\n\n");
- secStatus = readDataFromSocket(sslSocket, &buffer, &fileName);
- if (secStatus != SECSuccess) {
- goto cleanup;
- }
- if (requestCert >= REQUEST_CERT_ALL) {
- fprintf(stdout, "\nAuthentication requested.\n\n");
- secStatus = authenticateSocket(sslSocket,
- (requestCert == REQUIRE_CERT_ALL));
- if (secStatus != SECSuccess) {
- goto cleanup;
- }
- }
-
- fprintf(stdout, "\nWriting data to socket...\n\n");
- secStatus = writeDataToSocket(sslSocket, &buffer, fileName);
-
-cleanup:
-
- /* Close down the socket. */
- prStatus = PR_Close(tcpSocket);
- if (prStatus != PR_SUCCESS) {
- errWarn("PR_Close");
- }
-
- return secStatus;
-}
-
-/* Function: int accept_connection()
- *
- * Purpose: Thread to accept a connection to the socket.
- *
- */
-SECStatus
-accept_connection(void *listener, int requestCert)
-{
- PRFileDesc *listenSocket = (PRFileDesc*)listener;
- PRNetAddr addr;
- PRStatus prStatus;
-
- /* XXX need an SSL socket here? */
- while (!stopping) {
- PRFileDesc *tcpSocket;
- SECStatus result;
-
- fprintf(stderr, "\n\n\nAbout to call accept.\n");
-
- /* Accept a connection to the socket. */
- tcpSocket = PR_Accept(listenSocket, &addr, PR_INTERVAL_NO_TIMEOUT);
- if (tcpSocket == NULL) {
- errWarn("PR_Accept");
- break;
- }
-
- /* Accepted the connection, now handle it. */
- result = launch_thread(&threadMGR, handle_connection,
- tcpSocket, requestCert);
-
- if (result != SECSuccess) {
- prStatus = PR_Close(tcpSocket);
- if (prStatus != PR_SUCCESS) {
- exitErr("PR_Close");
- }
- break;
- }
- }
-
- fprintf(stderr, "Closing listen socket.\n");
-
- prStatus = PR_Close(listenSocket);
- if (prStatus != PR_SUCCESS) {
- exitErr("PR_Close");
- }
- return SECSuccess;
-}
-
-/* Function: void server_main()
- *
- * Purpose: This is the server's main function. It configures a socket
- * and listens to it.
- *
- */
-void
-server_main(
- unsigned short port,
- int requestCert,
- SECKEYPrivateKey * privKey,
- CERTCertificate * cert,
- PRBool disableSSL3)
-{
- SECStatus secStatus;
- PRStatus prStatus;
- PRFileDesc * listenSocket;
- PRNetAddr addr;
- PRSocketOptionData socketOption;
-
- /* Create a new socket. */
- listenSocket = PR_NewTCPSocket();
- if (listenSocket == NULL) {
- exitErr("PR_NewTCPSocket");
- }
-
- /* Set socket to be blocking -
- * on some platforms the default is nonblocking.
- */
- socketOption.option = PR_SockOpt_Nonblocking;
- socketOption.value.non_blocking = PR_FALSE;
-
- prStatus = PR_SetSocketOption(listenSocket, &socketOption);
- if (prStatus != PR_SUCCESS) {
- exitErr("PR_SetSocketOption");
- }
-
- /* This cipher is not on by default. The Acceptance test
- * would like it to be. Turn this cipher on.
- */
- secStatus = SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE);
- if (secStatus != SECSuccess) {
- exitErr("SSL_CipherPrefSetDefault:SSL_RSA_WITH_NULL_MD5");
- }
-
- /* Configure the network connection. */
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
- addr.inet.port = PR_htons(port);
-
- /* Bind the address to the listener socket. */
- prStatus = PR_Bind(listenSocket, &addr);
- if (prStatus != PR_SUCCESS) {
- exitErr("PR_Bind");
- }
-
- /* Listen for connection on the socket. The second argument is
- * the maximum size of the queue for pending connections.
- */
- prStatus = PR_Listen(listenSocket, 5);
- if (prStatus != PR_SUCCESS) {
- exitErr("PR_Listen");
- }
-
- /* Launch thread to handle connections to the socket. */
- secStatus = launch_thread(&threadMGR, accept_connection,
- listenSocket, requestCert);
- if (secStatus != SECSuccess) {
- PR_Close(listenSocket);
- } else {
- reap_threads(&threadMGR);
- destroy_thread_data(&threadMGR);
- }
-}
-
-/* Function: int main()
- *
- * Purpose: Parses command arguments and configures SSL server.
- *
- */
-int
-main(int argc, char **argv)
-{
- char * progName = NULL;
- char * nickName = NULL;
- char * cipherString = NULL;
- char * dir = ".";
- int requestCert = 0;
- unsigned short port = 0;
- SECStatus secStatus;
- PRBool disableSSL3 = PR_FALSE;
- PLOptState * optstate;
- PLOptStatus status;
-
- /* Zero out the thread manager. */
- PORT_Memset(&threadMGR, 0, sizeof(threadMGR));
-
- progName = PL_strdup(argv[0]);
-
- optstate = PL_CreateOptState(argc, argv, "3FRc:d:fp:n:rw:");
- while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
- switch(optstate->option) {
- case '3': disableSSL3 = PR_TRUE; break;
- case 'F': requestCert = REQUIRE_CERT_ALL; break;
- case 'R': requestCert = REQUEST_CERT_ALL; break;
- case 'c': cipherString = PL_strdup(optstate->value); break;
- case 'd': dir = PL_strdup(optstate->value); break;
- case 'f': requestCert = REQUIRE_CERT_ONCE; break;
- case 'n': nickName = PL_strdup(optstate->value); break;
- case 'p': port = PORT_Atoi(optstate->value); break;
- case 'r': requestCert = REQUEST_CERT_ONCE; break;
- case 'w': password = PL_strdup(optstate->value); break;
- default:
- case '?': Usage(progName);
- }
- }
-
- if (nickName == NULL || port == 0)
- Usage(progName);
-
- /* Call the NSPR initialization routines. */
- PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
-
- /* Set the cert database password callback. */
- PK11_SetPasswordFunc(myPasswd);
-
- /* Initialize NSS. */
- secStatus = NSS_Init(dir);
- if (secStatus != SECSuccess) {
- exitErr("NSS_Init");
- }
-
- /* Set the policy for this server (REQUIRED - no default). */
- secStatus = NSS_SetDomesticPolicy();
- if (secStatus != SECSuccess) {
- exitErr("NSS_SetDomesticPolicy");
- }
-
- /* XXX keep this? */
- /* all the SSL2 and SSL3 cipher suites are enabled by default. */
- if (cipherString) {
- int ndx;
-
- /* disable all the ciphers, then enable the ones we want. */
- disableAllSSLCiphers();
-
- while (0 != (ndx = *cipherString++)) {
- int *cptr;
- int cipher;
-
- if (! isalpha(ndx))
- Usage(progName);
- cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
- for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
- /* do nothing */;
- if (cipher) {
- SECStatus status;
- status = SSL_CipherPrefSetDefault(cipher, PR_TRUE);
- if (status != SECSuccess)
- errWarn("SSL_CipherPrefSetDefault()");
- }
- }
- }
-
- /* Get own certificate and private key. */
- cert = PK11_FindCertFromNickname(nickName, password);
- if (cert == NULL) {
- exitErr("PK11_FindCertFromNickname");
- }
-
- privKey = PK11_FindKeyByAnyCert(cert, password);
- if (privKey == NULL) {
- exitErr("PK11_FindKeyByAnyCert");
- }
-
- /* Configure the server's cache for a multi-process application
- * using default timeout values (24 hrs) and directory location (/tmp).
- */
- SSL_ConfigMPServerSIDCache(256, 0, 0, NULL);
-
- /* Launch server. */
- server_main(port, requestCert, privKey, cert, disableSSL3);
-
- /* Shutdown NSS and exit NSPR gracefully. */
- if (NSS_Shutdown() != SECSuccess) {
- exit(1);
- }
- PR_Cleanup();
- return 0;
-}
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/server.mn
+++ /dev/null
@@ -1,48 +0,0 @@
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1994-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-CORE_DEPTH = ../../..
-
-MODULE = nss
-
-EXPORTS =
-
-CSRCS = server.c \
- sslsample.c \
- $(NULL)
-
-PROGRAM = server
-
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/sslerror.h
+++ /dev/null
@@ -1,113 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include <stdio.h>
-#include <string.h>
-#include "nspr.h"
-
-struct tuple_str {
- PRErrorCode errNum;
- const char * errString;
-};
-
-typedef struct tuple_str tuple_str;
-
-#define ER2(a,b) {a, b},
-#define ER3(a,b,c) {a, c},
-
-#include "secerr.h"
-#include "sslerr.h"
-
-const tuple_str errStrings[] = {
-
-/* keep this list in asceding order of error numbers */
-#include "SSLerrs.h"
-#include "SECerrs.h"
-#include "NSPRerrs.h"
-
-};
-
-const PRInt32 numStrings = sizeof(errStrings) / sizeof(tuple_str);
-
-/* Returns a UTF-8 encoded constant error string for "errNum".
- * Returns NULL of errNum is unknown.
- */
-const char *
-SSL_Strerror(PRErrorCode errNum) {
- PRInt32 low = 0;
- PRInt32 high = numStrings - 1;
- PRInt32 i;
- PRErrorCode num;
- static int initDone;
-
- /* make sure table is in ascending order.
- * binary search depends on it.
- */
- if (!initDone) {
- PRErrorCode lastNum = (PRInt32)0x80000000;
- for (i = low; i <= high; ++i) {
- num = errStrings[i].errNum;
- if (num <= lastNum) {
- fprintf(stderr,
-"sequence error in error strings at item %d\n"
-"error %d (%s)\n"
-"should come after \n"
-"error %d (%s)\n",
- i, lastNum, errStrings[i-1].errString,
- num, errStrings[i].errString);
- }
- lastNum = num;
- }
- initDone = 1;
- }
-
- /* Do binary search of table. */
- while (low + 1 < high) {
- i = (low + high) / 2;
- num = errStrings[i].errNum;
- if (errNum == num)
- return errStrings[i].errString;
- if (errNum < num)
- high = i;
- else
- low = i;
- }
- if (errNum == errStrings[low].errNum)
- return errStrings[low].errString;
- if (errNum == errStrings[high].errNum)
- return errStrings[high].errString;
- return NULL;
-}
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/sslsample.c
+++ /dev/null
@@ -1,593 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "sslsample.h"
-#include "sslerror.h"
-
-/* Declare SSL cipher suites. */
-
-int ssl2CipherSuites[] = {
- SSL_EN_RC4_128_WITH_MD5, /* A */
- SSL_EN_RC4_128_EXPORT40_WITH_MD5, /* B */
- SSL_EN_RC2_128_CBC_WITH_MD5, /* C */
- SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, /* D */
- SSL_EN_DES_64_CBC_WITH_MD5, /* E */
- SSL_EN_DES_192_EDE3_CBC_WITH_MD5, /* F */
- 0
-};
-
-int ssl3CipherSuites[] = {
- -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA a */
- -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA * b */
- SSL_RSA_WITH_RC4_128_MD5, /* c */
- SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */
- SSL_RSA_WITH_DES_CBC_SHA, /* e */
- SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */
- SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */
- -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA, * h */
- SSL_RSA_WITH_NULL_MD5, /* i */
- SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */
- SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */
- TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */
- TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */
- 0
-};
-
-/**************************************************************************
-**
-** SSL callback routines.
-**
-**************************************************************************/
-
-/* Function: char * myPasswd()
- *
- * Purpose: This function is our custom password handler that is called by
- * SSL when retreiving private certs and keys from the database. Returns a
- * pointer to a string that with a password for the database. Password pointer
- * should point to dynamically allocated memory that will be freed later.
- */
-char *
-myPasswd(PK11SlotInfo *info, PRBool retry, void *arg)
-{
- char * passwd = NULL;
-
- if ( (!retry) && arg ) {
- passwd = PORT_Strdup((char *)arg);
- }
-
- return passwd;
-}
-
-/* Function: SECStatus myAuthCertificate()
- *
- * Purpose: This function is our custom certificate authentication handler.
- *
- * Note: This implementation is essentially the same as the default
- * SSL_AuthCertificate().
- */
-SECStatus
-myAuthCertificate(void *arg, PRFileDesc *socket,
- PRBool checksig, PRBool isServer)
-{
-
- SECCertUsage certUsage;
- CERTCertificate * cert;
- void * pinArg;
- char * hostName;
- SECStatus secStatus;
-
- if (!arg || !socket) {
- errWarn("myAuthCertificate");
- return SECFailure;
- }
-
- /* Define how the cert is being used based upon the isServer flag. */
-
- certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
-
- cert = SSL_PeerCertificate(socket);
-
- pinArg = SSL_RevealPinArg(socket);
-
- secStatus = CERT_VerifyCertNow((CERTCertDBHandle *)arg,
- cert,
- checksig,
- certUsage,
- pinArg);
-
- /* If this is a server, we're finished. */
- if (isServer || secStatus != SECSuccess) {
- CERT_DestroyCertificate(cert);
- return secStatus;
- }
-
- /* Certificate is OK. Since this is the client side of an SSL
- * connection, we need to verify that the name field in the cert
- * matches the desired hostname. This is our defense against
- * man-in-the-middle attacks.
- */
-
- /* SSL_RevealURL returns a hostName, not an URL. */
- hostName = SSL_RevealURL(socket);
-
- if (hostName && hostName[0]) {
- secStatus = CERT_VerifyCertName(cert, hostName);
- } else {
- PR_SetError(SSL_ERROR_BAD_CERT_DOMAIN, 0);
- secStatus = SECFailure;
- }
-
- if (hostName)
- PR_Free(hostName);
-
- CERT_DestroyCertificate(cert);
- return secStatus;
-}
-
-/* Function: SECStatus myBadCertHandler()
- *
- * Purpose: This callback is called when the incoming certificate is not
- * valid. We define a certain set of parameters that still cause the
- * certificate to be "valid" for this session, and return SECSuccess to cause
- * the server to continue processing the request when any of these conditions
- * are met. Otherwise, SECFailure is return and the server rejects the
- * request.
- */
-SECStatus
-myBadCertHandler(void *arg, PRFileDesc *socket)
-{
-
- SECStatus secStatus = SECFailure;
- PRErrorCode err;
-
- /* log invalid cert here */
-
- if (!arg) {
- return secStatus;
- }
-
- *(PRErrorCode *)arg = err = PORT_GetError();
-
- /* If any of the cases in the switch are met, then we will proceed */
- /* with the processing of the request anyway. Otherwise, the default */
- /* case will be reached and we will reject the request. */
-
- switch (err) {
- case SEC_ERROR_INVALID_AVA:
- case SEC_ERROR_INVALID_TIME:
- case SEC_ERROR_BAD_SIGNATURE:
- case SEC_ERROR_EXPIRED_CERTIFICATE:
- case SEC_ERROR_UNKNOWN_ISSUER:
- case SEC_ERROR_UNTRUSTED_CERT:
- case SEC_ERROR_CERT_VALID:
- case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
- case SEC_ERROR_CRL_EXPIRED:
- case SEC_ERROR_CRL_BAD_SIGNATURE:
- case SEC_ERROR_EXTENSION_VALUE_INVALID:
- case SEC_ERROR_CA_CERT_INVALID:
- case SEC_ERROR_CERT_USAGES_INVALID:
- case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
- secStatus = SECSuccess;
- break;
- default:
- secStatus = SECFailure;
- break;
- }
-
- printf("Bad certificate: %d, %s\n", err, SSL_Strerror(err));
-
- return secStatus;
-}
-
-/* Function: SECStatus ownGetClientAuthData()
- *
- * Purpose: This callback is used by SSL to pull client certificate
- * information upon server request.
- */
-SECStatus
-myGetClientAuthData(void *arg,
- PRFileDesc *socket,
- struct CERTDistNamesStr *caNames,
- struct CERTCertificateStr **pRetCert,
- struct SECKEYPrivateKeyStr **pRetKey)
-{
-
- CERTCertificate * cert;
- SECKEYPrivateKey * privKey;
- char * chosenNickName = (char *)arg;
- void * proto_win = NULL;
- SECStatus secStatus = SECFailure;
-
- proto_win = SSL_RevealPinArg(socket);
-
- if (chosenNickName) {
- cert = PK11_FindCertFromNickname(chosenNickName, proto_win);
- if (cert) {
- privKey = PK11_FindKeyByAnyCert(cert, proto_win);
- if (privKey) {
- secStatus = SECSuccess;
- } else {
- CERT_DestroyCertificate(cert);
- }
- }
- } else { /* no nickname given, automatically find the right cert */
- CERTCertNicknames *names;
- int i;
-
- names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
- SEC_CERT_NICKNAMES_USER, proto_win);
-
- if (names != NULL) {
- for(i = 0; i < names->numnicknames; i++ ) {
-
- cert = PK11_FindCertFromNickname(names->nicknames[i],
- proto_win);
- if (!cert) {
- continue;
- }
-
- /* Only check unexpired certs */
- if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE)
- != secCertTimeValid ) {
- CERT_DestroyCertificate(cert);
- continue;
- }
-
- secStatus = NSS_CmpCertChainWCANames(cert, caNames);
- if (secStatus == SECSuccess) {
- privKey = PK11_FindKeyByAnyCert(cert, proto_win);
- if (privKey) {
- break;
- }
- secStatus = SECFailure;
- break;
- }
- } /* for loop */
- CERT_FreeNicknames(names);
- }
- }
-
- if (secStatus == SECSuccess) {
- *pRetCert = cert;
- *pRetKey = privKey;
- }
-
- return secStatus;
-}
-
-/* Function: SECStatus myHandshakeCallback()
- *
- * Purpose: Called by SSL to inform application that the handshake is
- * complete. This function is mostly used on the server side of an SSL
- * connection, although it is provided for a client as well.
- * Useful when a non-blocking SSL_ReHandshake or SSL_ResetHandshake
- * is used to initiate a handshake.
- *
- * A typical scenario would be:
- *
- * 1. Server accepts an SSL connection from the client without client auth.
- * 2. Client sends a request.
- * 3. Server determines that to service request it needs to authenticate the
- * client and initiates another handshake requesting client auth.
- * 4. While handshake is in progress, server can do other work or spin waiting
- * for the handshake to complete.
- * 5. Server is notified that handshake has been successfully completed by
- * the custom handshake callback function and it can service the client's
- * request.
- *
- * Note: This function is not implemented in this sample, as we are using
- * blocking sockets.
- */
-void
-myHandshakeCallback(PRFileDesc *socket, void *arg)
-{
- printf("Handshake has completed, ready to send data securely.\n");
-}
-
-
-/**************************************************************************
-**
-** Routines for disabling SSL ciphers.
-**
-**************************************************************************/
-
-void
-disableAllSSLCiphers(void)
-{
- const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
- int i = SSL_NumImplementedCiphers;
- SECStatus rv;
-
- /* disable all the SSL3 cipher suites */
- while (--i >= 0) {
- PRUint16 suite = cipherSuites[i];
- rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
- if (rv != SECSuccess) {
- printf("SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d)\n",
- suite, i);
- errWarn("SSL_CipherPrefSetDefault");
- exit(2);
- }
- }
-}
-
-/**************************************************************************
-**
-** Error and information routines.
-**
-**************************************************************************/
-
-void
-errWarn(char *function)
-{
- PRErrorCode errorNumber = PR_GetError();
- const char * errorString = SSL_Strerror(errorNumber);
-
- printf("Error in function %s: %d\n - %s\n",
- function, errorNumber, errorString);
-}
-
-void
-exitErr(char *function)
-{
- errWarn(function);
- /* Exit gracefully. */
- /* ignoring return value of NSS_Shutdown as code exits with 1*/
- (void) NSS_Shutdown();
- PR_Cleanup();
- exit(1);
-}
-
-void
-printSecurityInfo(PRFileDesc *fd)
-{
- char * cp; /* bulk cipher name */
- char * ip; /* cert issuer DN */
- char * sp; /* cert subject DN */
- int op; /* High, Low, Off */
- int kp0; /* total key bits */
- int kp1; /* secret key bits */
- int result;
- SSL3Statistics * ssl3stats = SSL_GetStatistics();
-
- result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp);
- if (result != SECSuccess)
- return;
- printf("bulk cipher %s, %d secret key bits, %d key bits, status: %d\n"
- "subject DN: %s\n"
- "issuer DN: %s\n", cp, kp1, kp0, op, sp, ip);
- PR_Free(cp);
- PR_Free(ip);
- PR_Free(sp);
-
- printf("%ld cache hits; %ld cache misses, %ld cache not reusable\n",
- ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses,
- ssl3stats->hch_sid_cache_not_ok);
-
-}
-
-
-/**************************************************************************
-** Begin thread management routines and data.
-**************************************************************************/
-
-void
-thread_wrapper(void * arg)
-{
- GlobalThreadMgr *threadMGR = (GlobalThreadMgr *)arg;
- perThread *slot = &threadMGR->threads[threadMGR->index];
-
- /* wait for parent to finish launching us before proceeding. */
- PR_Lock(threadMGR->threadLock);
- PR_Unlock(threadMGR->threadLock);
-
- slot->rv = (* slot->startFunc)(slot->a, slot->b);
-
- PR_Lock(threadMGR->threadLock);
- slot->running = rs_zombie;
-
- /* notify the thread exit handler. */
- PR_NotifyCondVar(threadMGR->threadEndQ);
-
- PR_Unlock(threadMGR->threadLock);
-}
-
-SECStatus
-launch_thread(GlobalThreadMgr *threadMGR,
- startFn *startFunc,
- void *a,
- int b)
-{
- perThread *slot;
- int i;
-
- if (!threadMGR->threadStartQ) {
- threadMGR->threadLock = PR_NewLock();
- threadMGR->threadStartQ = PR_NewCondVar(threadMGR->threadLock);
- threadMGR->threadEndQ = PR_NewCondVar(threadMGR->threadLock);
- }
- PR_Lock(threadMGR->threadLock);
- while (threadMGR->numRunning >= MAX_THREADS) {
- PR_WaitCondVar(threadMGR->threadStartQ, PR_INTERVAL_NO_TIMEOUT);
- }
- for (i = 0; i < threadMGR->numUsed; ++i) {
- slot = &threadMGR->threads[i];
- if (slot->running == rs_idle)
- break;
- }
- if (i >= threadMGR->numUsed) {
- if (i >= MAX_THREADS) {
- /* something's really wrong here. */
- PORT_Assert(i < MAX_THREADS);
- PR_Unlock(threadMGR->threadLock);
- return SECFailure;
- }
- ++(threadMGR->numUsed);
- PORT_Assert(threadMGR->numUsed == i + 1);
- slot = &threadMGR->threads[i];
- }
-
- slot->a = a;
- slot->b = b;
- slot->startFunc = startFunc;
-
- threadMGR->index = i;
-
- slot->prThread = PR_CreateThread(PR_USER_THREAD,
- thread_wrapper, threadMGR,
- PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
- PR_JOINABLE_THREAD, 0);
-
- if (slot->prThread == NULL) {
- PR_Unlock(threadMGR->threadLock);
- printf("Failed to launch thread!\n");
- return SECFailure;
- }
-
- slot->inUse = 1;
- slot->running = 1;
- ++(threadMGR->numRunning);
- PR_Unlock(threadMGR->threadLock);
- printf("Launched thread in slot %d \n", threadMGR->index);
-
- return SECSuccess;
-}
-
-SECStatus
-reap_threads(GlobalThreadMgr *threadMGR)
-{
- perThread * slot;
- int i;
-
- if (!threadMGR->threadLock)
- return 0;
- PR_Lock(threadMGR->threadLock);
- while (threadMGR->numRunning > 0) {
- PR_WaitCondVar(threadMGR->threadEndQ, PR_INTERVAL_NO_TIMEOUT);
- for (i = 0; i < threadMGR->numUsed; ++i) {
- slot = &threadMGR->threads[i];
- if (slot->running == rs_zombie) {
- /* Handle cleanup of thread here. */
- printf("Thread in slot %d returned %d\n", i, slot->rv);
-
- /* Now make sure the thread has ended OK. */
- PR_JoinThread(slot->prThread);
- slot->running = rs_idle;
- --threadMGR->numRunning;
-
- /* notify the thread launcher. */
- PR_NotifyCondVar(threadMGR->threadStartQ);
- }
- }
- }
-
- /* Safety Sam sez: make sure count is right. */
- for (i = 0; i < threadMGR->numUsed; ++i) {
- slot = &threadMGR->threads[i];
- if (slot->running != rs_idle) {
- fprintf(stderr, "Thread in slot %d is in state %d!\n",
- i, slot->running);
- }
- }
- PR_Unlock(threadMGR->threadLock);
- return 0;
-}
-
-void
-destroy_thread_data(GlobalThreadMgr *threadMGR)
-{
- PORT_Memset(threadMGR->threads, 0, sizeof(threadMGR->threads));
-
- if (threadMGR->threadEndQ) {
- PR_DestroyCondVar(threadMGR->threadEndQ);
- threadMGR->threadEndQ = NULL;
- }
- if (threadMGR->threadStartQ) {
- PR_DestroyCondVar(threadMGR->threadStartQ);
- threadMGR->threadStartQ = NULL;
- }
- if (threadMGR->threadLock) {
- PR_DestroyLock(threadMGR->threadLock);
- threadMGR->threadLock = NULL;
- }
-}
-
-/**************************************************************************
-** End thread management routines.
-**************************************************************************/
-
-void
-lockedVars_Init( lockedVars * lv)
-{
- lv->count = 0;
- lv->waiters = 0;
- lv->lock = PR_NewLock();
- lv->condVar = PR_NewCondVar(lv->lock);
-}
-
-void
-lockedVars_Destroy( lockedVars * lv)
-{
- PR_DestroyCondVar(lv->condVar);
- lv->condVar = NULL;
-
- PR_DestroyLock(lv->lock);
- lv->lock = NULL;
-}
-
-void
-lockedVars_WaitForDone(lockedVars * lv)
-{
- PR_Lock(lv->lock);
- while (lv->count > 0) {
- PR_WaitCondVar(lv->condVar, PR_INTERVAL_NO_TIMEOUT);
- }
- PR_Unlock(lv->lock);
-}
-
-int /* returns count */
-lockedVars_AddToCount(lockedVars * lv, int addend)
-{
- int rv;
-
- PR_Lock(lv->lock);
- rv = lv->count += addend;
- if (rv <= 0) {
- PR_NotifyCondVar(lv->condVar);
- }
- PR_Unlock(lv->lock);
- return rv;
-}
deleted file mode 100644
--- a/security/nss/cmd/SSLsample/sslsample.h
+++ /dev/null
@@ -1,180 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef SSLSAMPLE_H
-#define SSLSAMPLE_H
-
-/* Generic header files */
-
-#include <stdio.h>
-#include <string.h>
-
-/* NSPR header files */
-
-#include "nspr.h"
-#include "prerror.h"
-#include "prnetdb.h"
-
-/* NSS header files */
-
-#include "pk11func.h"
-#include "secitem.h"
-#include "ssl.h"
-#include "certt.h"
-#include "nss.h"
-#include "secder.h"
-#include "key.h"
-#include "sslproto.h"
-
-/* Custom header files */
-
-/*
-#include "sslerror.h"
-*/
-
-#define BUFFER_SIZE 10240
-
-/* Declare SSL cipher suites. */
-
-extern int cipherSuites[];
-extern int ssl2CipherSuites[];
-extern int ssl3CipherSuites[];
-
-/* Data buffer read from a socket. */
-typedef struct DataBufferStr {
- char data[BUFFER_SIZE];
- int index;
- int remaining;
- int dataStart;
- int dataEnd;
-} DataBuffer;
-
-/* SSL callback routines. */
-
-char * myPasswd(PK11SlotInfo *info, PRBool retry, void *arg);
-
-SECStatus myAuthCertificate(void *arg, PRFileDesc *socket,
- PRBool checksig, PRBool isServer);
-
-SECStatus myBadCertHandler(void *arg, PRFileDesc *socket);
-
-void myHandshakeCallback(PRFileDesc *socket, void *arg);
-
-SECStatus myGetClientAuthData(void *arg, PRFileDesc *socket,
- struct CERTDistNamesStr *caNames,
- struct CERTCertificateStr **pRetCert,
- struct SECKEYPrivateKeyStr **pRetKey);
-
-/* Disable all v2/v3 SSL ciphers. */
-
-void disableAllSSLCiphers(void);
-
-
-/* Error and information utilities. */
-
-void errWarn(char *function);
-
-void exitErr(char *function);
-
-void printSecurityInfo(PRFileDesc *fd);
-
-/* Some simple thread management routines. */
-
-#define MAX_THREADS 32
-
-typedef SECStatus startFn(void *a, int b);
-
-typedef enum { rs_idle = 0, rs_running = 1, rs_zombie = 2 } runState;
-
-typedef struct perThreadStr {
- PRFileDesc *a;
- int b;
- int rv;
- startFn *startFunc;
- PRThread *prThread;
- PRBool inUse;
- runState running;
-} perThread;
-
-typedef struct GlobalThreadMgrStr {
- PRLock *threadLock;
- PRCondVar *threadStartQ;
- PRCondVar *threadEndQ;
- perThread threads[MAX_THREADS];
- int index;
- int numUsed;
- int numRunning;
-} GlobalThreadMgr;
-
-void thread_wrapper(void * arg);
-
-SECStatus launch_thread(GlobalThreadMgr *threadMGR,
- startFn *startFunc, void *a, int b);
-
-SECStatus reap_threads(GlobalThreadMgr *threadMGR);
-
-void destroy_thread_data(GlobalThreadMgr *threadMGR);
-
-/* Management of locked variables. */
-
-struct lockedVarsStr {
- PRLock * lock;
- int count;
- int waiters;
- PRCondVar * condVar;
-};
-
-typedef struct lockedVarsStr lockedVars;
-
-void lockedVars_Init(lockedVars *lv);
-
-void lockedVars_Destroy(lockedVars *lv);
-
-void lockedVars_WaitForDone(lockedVars *lv);
-
-int lockedVars_AddToCount(lockedVars *lv, int addend);
-
-/* Buffer stuff. */
-
-static const char stopCmd[] = { "GET /stop " };
-static const char defaultHeader[] = {
- "HTTP/1.0 200 OK\r\n"
- "Server: SSL sample server\r\n"
- "Content-type: text/plain\r\n"
- "\r\n"
-};
-
-#endif
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -532,17 +532,17 @@ listCerts(CERTCertDBHandle *handle, char
}
static SECStatus
ListCerts(CERTCertDBHandle *handle, char *nickname, PK11SlotInfo *slot,
PRBool raw, PRBool ascii, PRFileDesc *outfile, secuPWData *pwdata)
{
SECStatus rv;
- if (!ascii && !raw) {
+ if (!ascii && !raw && !nickname) {
PR_fprintf(outfile, "\n%-60s %-5s\n%-60s %-5s\n\n",
"Certificate Nickname", "Trust Attributes", "",
"SSL,S/MIME,JAR/XPI");
}
if (slot == NULL) {
CERTCertList *list;
CERTCertListNode *node;
@@ -2202,17 +2202,17 @@ certutil_main(int argc, char **argv, PRB
"%s: cannot specify both -r and -a when dumping cert.\n",
progName);
return 255;
}
/* If making a cert request, need a subject. */
if ((certutil.commands[cmd_CertReq].activated ||
certutil.commands[cmd_CreateAndAddCert].activated) &&
- !certutil.options[opt_Subject].activated) {
+ !(certutil.options[opt_Subject].activated || keysource)) {
PR_fprintf(PR_STDERR,
"%s -%c: subject is required to create a cert request.\n",
progName, commandToRun);
return 255;
}
/* If making a cert, need a serial number. */
if ((certutil.commands[cmd_CreateNewCert].activated ||
@@ -2621,24 +2621,38 @@ merge_fail:
SECU_PrintError(progName,
"%s is neither a key-type nor a nickname", keysource);
return SECFailure;
}
}
privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
if (privkey)
pubkey = CERT_ExtractPublicKey(keycert);
- CERT_DestroyCertificate(keycert);
if (!pubkey) {
SECU_PrintError(progName,
"Could not get keys from cert %s", keysource);
rv = SECFailure;
+ CERT_DestroyCertificate(keycert);
goto shutdown;
}
keytype = privkey->keyType;
+ /* On CertReq for renewal if no subject has been
+ * specified obtain it from the certificate.
+ */
+ if (certutil.commands[cmd_CertReq].activated && !subject) {
+ subject = CERT_AsciiToName(keycert->subjectName);
+ if (!subject) {
+ SECU_PrintError(progName,
+ "Could not get subject from certificate %s", keysource);
+ CERT_DestroyCertificate(keycert);
+ rv = SECFailure;
+ goto shutdown;
+ }
+ }
+ CERT_DestroyCertificate(keycert);
} else {
privkey =
CERTUTIL_GeneratePrivateKey(keytype, slot, keysize,
publicExponent,
certutil.options[opt_NoiseFile].arg,
&pubkey,
certutil.options[opt_PQGFile].arg,
&pwdata);
--- a/security/nss/cmd/crlutil/crlutil.c
+++ b/security/nss/cmd/crlutil/crlutil.c
@@ -249,17 +249,17 @@ static SECStatus DeleteCRL (CERTCertDBHa
SECStatus ImportCRL (CERTCertDBHandle *certHandle, char *url, int type,
PRFileDesc *inFile, PRInt32 importOptions, PRInt32 decodeOptions)
{
CERTSignedCrl *crl = NULL;
SECItem crlDER;
PK11SlotInfo* slot = NULL;
int rv;
-#if defined(DEBUG_jpierre)
+#if defined(DEBUG_jp96085)
PRIntervalTime starttime, endtime, elapsed;
PRUint32 mins, secs, msecs;
#endif
crlDER.data = NULL;
/* Read in the entire file specified with the -f argument */
@@ -268,22 +268,22 @@ SECStatus ImportCRL (CERTCertDBHandle *c
SECU_PrintError(progName, "unable to read input file");
return (SECFailure);
}
decodeOptions |= CRL_DECODE_DONT_COPY_DER;
slot = PK11_GetInternalKeySlot();
-#if defined(DEBUG_jpierre)
+#if defined(DEBUG_jp96085)
starttime = PR_IntervalNow();
#endif
crl = PK11_ImportCRL(slot, &crlDER, url, type,
NULL, importOptions, NULL, decodeOptions);
-#if defined(DEBUG_jpierre)
+#if defined(DEBUG_jp96085)
endtime = PR_IntervalNow();
elapsed = endtime - starttime;
mins = PR_IntervalToSeconds(elapsed) / 60;
secs = PR_IntervalToSeconds(elapsed) % 60;
msecs = PR_IntervalToMilliseconds(elapsed) % 1000;
printf("Elapsed : %2d:%2d.%3d\n", mins, secs, msecs);
#endif
if (!crl) {
--- a/security/nss/cmd/lib/SECerrs.h
+++ b/security/nss/cmd/lib/SECerrs.h
@@ -541,8 +541,17 @@ ER3(SEC_ERROR_BAD_LDAP_RESPONSE, (S
ER3(SEC_ERROR_FAILED_TO_ENCODE_DATA, (SEC_ERROR_BASE + 164),
"Failed to encode data with ASN1 encoder")
ER3(SEC_ERROR_BAD_INFO_ACCESS_LOCATION, (SEC_ERROR_BASE + 165),
"Bad information access location in cert extension")
ER3(SEC_ERROR_LIBPKIX_INTERNAL, (SEC_ERROR_BASE + 166),
"Libpkix internal error occured during cert validation.")
+
+ER3(SEC_ERROR_PKCS11_GENERAL_ERROR, (SEC_ERROR_BASE + 167),
+"A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.")
+
+ER3(SEC_ERROR_PKCS11_FUNCTION_FAILED, (SEC_ERROR_BASE + 168),
+"A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed. Trying the same operation again might succeed.")
+
+ER3(SEC_ERROR_PKCS11_DEVICE_ERROR, (SEC_ERROR_BASE + 169),
+"A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.")
--- a/security/nss/cmd/lib/ffs.c
+++ b/security/nss/cmd/lib/ffs.c
@@ -28,17 +28,17 @@
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-#ifdef XP_PC
+#if !defined(XP_UNIX) && !defined(XP_OS2)
int ffs( unsigned int i)
{
int rv = 1;
if (!i) return 0;
while (!(i & 1)) {
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -1052,27 +1052,28 @@ static void
secu_PrintTime(FILE *out, int64 time, char *m, int level)
{
PRExplodedTime printableTime;
char *timeString;
/* Convert to local time */
PR_ExplodeTime(time, PR_GMTParameters, &printableTime);
- timeString = PORT_Alloc(100);
+ timeString = PORT_Alloc(256);
if (timeString == NULL)
return;
if (m != NULL) {
SECU_Indent(out, level);
fprintf(out, "%s: ", m);
}
- PR_FormatTime(timeString, 100, "%a %b %d %H:%M:%S %Y", &printableTime);
- fprintf(out, timeString);
+ if (PR_FormatTime(timeString, 256, "%a %b %d %H:%M:%S %Y", &printableTime)) {
+ fprintf(out, timeString);
+ }
if (m != NULL)
fprintf(out, "\n");
PORT_Free(timeString);
}
/*
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -445,16 +445,16 @@ SECU_GetOptionArg(const secuCommand *cmd
/* Return informative error string */
char *SECU_ErrorString(int16 err);
/* Return informative error string. Does not call XP_GetString */
char *SECU_ErrorStringRaw(int16 err);
void printflags(char *trusts, unsigned int flags);
-#ifndef XP_UNIX
+#if !defined(XP_UNIX) && !defined(XP_OS2)
extern int ffs(unsigned int i);
#endif
#include "secerr.h"
#include "sslerr.h"
#endif /* _SEC_UTIL_H_ */
--- a/security/nss/cmd/manifest.mn
+++ b/security/nss/cmd/manifest.mn
@@ -67,17 +67,16 @@ DIRS = lib \
pp \
rsaperf \
sdrtest \
selfserv \
signtool \
signver \
shlibsign \
smimetools \
- SSLsample \
ssltap \
strsclnt \
symkeyutil \
tests \
tstclnt \
vfychain \
vfyserv \
modutil \
--- a/security/nss/cmd/modutil/error.h
+++ b/security/nss/cmd/modutil/error.h
@@ -32,16 +32,20 @@
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifndef MODUTIL_ERROR_H
#define MODUTIL_ERROR_H
+/*
+ * The values of these enumerated constants are immutable and must not be
+ * changed.
+ */
typedef enum {
NO_ERR=0,
INVALID_USAGE_ERR,
UNEXPECTED_ARG_ERR,
UNKNOWN_OPTION_ERR,
MULTIPLE_COMMAND_ERR,
OPTION_NEEDS_ARG_ERR,
DUPLICATE_OPTION_ERR,
@@ -56,17 +60,17 @@ typedef enum {
FILE_DOESNT_EXIST_ERR,
FILE_NOT_READABLE_ERR,
FILE_NOT_WRITEABLE_ERR,
DIR_DOESNT_EXIST_ERR,
DIR_NOT_READABLE_ERR,
DIR_NOT_WRITEABLE_ERR,
INVALID_CONSTANT_ERR,
ADD_MODULE_FAILED_ERR,
- ADD_MODULE_FAILED_STATUS_ERR,
+ UNUSED_ERR, /* reserved for future use */
OUT_OF_MEM_ERR,
DELETE_INTERNAL_ERR,
DELETE_FAILED_ERR,
NO_LIST_LOCK_ERR,
NO_MODULE_LIST_ERR,
NO_SUCH_MODULE_ERR,
MOD_INFO_ERR,
SLOT_INFO_ERR,
@@ -109,18 +113,18 @@ static char *errStrings[] = {
"ERROR: File \"%s\" already exists.\n",
"ERROR: File \"%s\" does not exist.\n",
"ERROR: File \"%s\" is not readable.\n",
"ERROR: File \"%s\" is not writeable.\n",
"ERROR: Directory \"%s\" does not exist.\n",
"ERROR: Directory \"%s\" is not readable.\n",
"ERROR: Directory \"%s\" is not writeable.\n",
"\"%s\" is not a recognized value.\n",
- "ERROR: Failed to add module \"%s\".\n",
"ERROR: Failed to add module \"%s\". Probable cause : \"%s\".\n",
+ "Unused error string",
"ERROR: Out of memory.\n",
"ERROR: Cannot delete internal module.\n",
"ERROR: Failed to delete module \"%s\".\n",
"ERROR: Unable to obtain lock on module list.\n",
"ERROR: Unable to obtain module list.\n",
"ERROR: Module \"%s\" not found in database.\n",
"ERROR: Unable to get information about module \"%s\".\n",
"ERROR: Unable to get information about slot \"%s\".\n",
--- a/security/nss/cmd/modutil/pk11.c
+++ b/security/nss/cmd/modutil/pk11.c
@@ -292,22 +292,22 @@ AddModule(char *moduleName, char *libFil
if(status != SECSuccess) {
char* errtxt=NULL;
PRInt32 copied = 0;
if (PR_GetErrorTextLength()) {
errtxt = PR_Malloc(PR_GetErrorTextLength());
copied = PR_GetErrorText(errtxt);
}
if (copied && errtxt) {
- PR_fprintf(PR_STDERR, errStrings[ADD_MODULE_FAILED_STATUS_ERR],
+ PR_fprintf(PR_STDERR, errStrings[ADD_MODULE_FAILED_ERR],
moduleName, errtxt);
PR_Free(errtxt);
} else {
PR_fprintf(PR_STDERR, errStrings[ADD_MODULE_FAILED_ERR],
- moduleName);
+ moduleName, SECU_Strerror(PORT_GetError()));
}
return ADD_MODULE_FAILED_ERR;
} else {
PR_fprintf(PR_STDOUT, msgStrings[ADD_MODULE_SUCCESS_MSG], moduleName);
return SUCCESS;
}
}
--- a/security/nss/cmd/pk12util/pk12util.c
+++ b/security/nss/cmd/pk12util/pk12util.c
@@ -62,18 +62,18 @@ Usage(char *progName)
FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
FPS "Usage: %s -l listfile [-d certdir] [-P dbprefix] [-h tokenname] [-r]\n",
progName);
FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
FPS "Usage: %s -o exportfile -n certname [-d certdir] [-P dbprefix] [-v]\n",
progName);
- FPS "\t\t [-c key_cipher] [-C cert_cipher] [-k key_leng]\n");
- FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
+ FPS "\t\t [-c key_cipher] [-C cert_cipher] [-m | --key_len keyLen] [-n | --cert_key_len certKeyLen]\n");
+ FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filefilepw]\n");
exit(PK12UERR_USAGE);
}
static PRBool
p12u_OpenFile(p12uContext *p12cxt, PRBool fileRead)
{
if(!p12cxt || !p12cxt->filename) {
@@ -948,18 +948,18 @@ static secuCommandFlag pk12util_options[
{ /* opt_Export */ 'o', PR_TRUE, 0, PR_FALSE },
{ /* opt_Raw */ 'r', PR_FALSE, 0, PR_FALSE },
{ /* opt_P12FilePWFile */ 'w', PR_TRUE, 0, PR_FALSE },
{ /* opt_P12FilePW */ 'W', PR_TRUE, 0, PR_FALSE },
{ /* opt_DBPrefix */ 'P', PR_TRUE, 0, PR_FALSE },
{ /* opt_Debug */ 'v', PR_FALSE, 0, PR_FALSE },
{ /* opt_Cipher */ 'c', PR_TRUE, 0, PR_FALSE },
{ /* opt_CertCipher */ 'C', PR_TRUE, 0, PR_FALSE },
- { /* opt_KeyLength */ 'k', PR_TRUE, 0, PR_FALSE },
- { /* opt_CertKeyLength */ 'K', PR_TRUE, 0, PR_FALSE }
+ { /* opt_KeyLength */ 'm', PR_TRUE, 0, PR_FALSE, "key_len" },
+ { /* opt_CertKeyLength */ 'n', PR_TRUE, 0, PR_FALSE, "cert_key_len" }
};
int
main(int argc, char **argv)
{
secuPWData slotPw = { PW_NONE, NULL };
secuPWData p12FilePw = { PW_NONE, NULL };
PK11SlotInfo *slot;
--- a/security/nss/cmd/platlibs.mk
+++ b/security/nss/cmd/platlibs.mk
@@ -235,36 +235,16 @@ else
EXTRA_LIBS += \
$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
$(NULL)
ifeq ($(OS_ARCH), AIX)
EXTRA_SHARED_LIBS += -brtl
endif
-# If GNU ld is used, we must use the -rpath-link option to tell
-# the linker where to find libsoftokn3.so, an implicit dependency
-# of libnss3.so.
-ifeq (,$(filter-out BSD_OS FreeBSD Linux NetBSD, $(OS_ARCH)))
-EXTRA_SHARED_LIBS += -Wl,-rpath-link,$(DIST)/lib
-endif
-
-ifeq ($(OS_ARCH), SunOS)
-ifdef NS_USE_GCC
-ifdef GCC_USE_GNU_LD
-EXTRA_SHARED_LIBS += -Wl,-rpath-link,$(DIST)/lib
-endif
-endif
-endif
-
-ifeq ($(OS_ARCH), Darwin)
-EXTRA_SHARED_LIBS += -dylib_file @executable_path/libsoftokn3.dylib:$(DIST)/lib/libsoftokn3.dylib
-endif
-
-
# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
-lssl3 \
-lsmime3 \
-lnss3 \
-lnssutil3 \
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -1761,45 +1761,16 @@ beAGoodParent(int argc, char **argv, int
PR_WaitProcess(newProcess, &exitCode);
fprintf(stderr, "Child %d exited with exit code %x\n",
numChildren, exitCode);
numChildren--;
}
exit(0);
}
-#ifdef DEBUG_nelsonb
-
-#if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS)
-#define SSL_GETPID getpid
-#elif defined(_WIN32_WCE)
-#define SSL_GETPID GetCurrentProcessId
-#elif defined(WIN32)
-extern int __cdecl _getpid(void);
-#define SSL_GETPID _getpid
-#else
-#define SSL_GETPID() 0
-#endif
-
-void
-WaitForDebugger(void)
-{
-
- int waiting = 12;
- int myPid = SSL_GETPID();
- PRIntervalTime nrval = PR_SecondsToInterval(5);
-
- while (waiting) {
- printf("child %d is waiting to be debugged!\n", myPid);
- PR_Sleep(nrval);
- --waiting;
- }
-}
-#endif
-
#define HEXCHAR_TO_INT(c, i) \
if (((c) >= '0') && ((c) <= '9')) { \
i = (c) - '0'; \
} else if (((c) >= 'a') && ((c) <= 'f')) { \
i = (c) - 'a' + 10; \
} else if (((c) >= 'A') && ((c) <= 'F')) { \
i = (c) - 'A' + 10; \
} else if ((c) == '\0') { \
@@ -2056,19 +2027,16 @@ main(int argc, char **argv)
but it is OK for a test server such as selfserv.
NSPR should fix it eventually . see bugzilla 101617
and 102077
*/
prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE);
if (prStatus != PR_SUCCESS)
errExit("PR_SetFDInheritable");
#endif
-#ifdef DEBUG_nelsonb
- WaitForDebugger();
-#endif
rv = SSL_InheritMPServerSIDCache(envString);
if (rv != SECSuccess)
errExit("SSL_InheritMPServerSIDCache");
hasSidCache = PR_TRUE;
} else if (maxProcs > 1) {
/* we're going to be the parent in a multi-process server. */
listen_sock = getBoundListenSocket(port);
rv = SSL_ConfigMPServerSIDCache(NumSidCacheEntries, 0, 0, tmp);
--- a/security/nss/cmd/shlibsign/shlibsign.c
+++ b/security/nss/cmd/shlibsign/shlibsign.c
@@ -32,17 +32,17 @@
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/*
* Test program for SDR (Secret Decoder Ring) functions.
*
- * $Id: shlibsign.c,v 1.16 2008/08/08 23:48:04 julien.pierre.boogz%sun.com Exp $
+ * $Id: shlibsign.c,v 1.17 2008/09/30 04:32:43 nelson%bolyard.com Exp $
*/
#ifdef XP_UNIX
#define USES_LINKS 1
#endif
#include "nspr.h"
#include <stdio.h>
@@ -125,16 +125,110 @@ writeItem(PRFileDesc *fd, SECItem *item,
bytesWritten = PR_Write(fd, item->data, item->len);
if (bytesWritten != item->len) {
lperror(file);
return SECFailure;
}
return SECSuccess;
}
+static const unsigned char prime[] = { 0x00,
+ 0x97, 0x44, 0x1d, 0xcc, 0x0d, 0x39, 0x0d, 0x8d,
+ 0xcb, 0x75, 0xdc, 0x24, 0x25, 0x6f, 0x01, 0x92,
+ 0xa1, 0x11, 0x07, 0x6b, 0x70, 0xac, 0x73, 0xd7,
+ 0x82, 0x28, 0xdf, 0xab, 0x82, 0x0c, 0x41, 0x0c,
+ 0x95, 0xb3, 0x3c, 0x3d, 0xea, 0x8a, 0xe6, 0x44,
+ 0x0a, 0xb8, 0xab, 0x90, 0x15, 0x41, 0x11, 0xe8,
+ 0x48, 0x7b, 0x8d, 0xb0, 0x9c, 0xd3, 0xf2, 0x69,
+ 0x66, 0xff, 0x66, 0x4b, 0x70, 0x2b, 0xbf, 0xfb,
+ 0xd6, 0x68, 0x85, 0x76, 0x1e, 0x34, 0xaa, 0xc5,
+ 0x57, 0x6e, 0x23, 0x02, 0x08, 0x60, 0x6e, 0xfd,
+ 0x67, 0x76, 0xe1, 0x7c, 0xc8, 0xcb, 0x51, 0x77,
+ 0xcf, 0xb1, 0x3b, 0x00, 0x2e, 0xfa, 0x21, 0xcd,
+ 0x34, 0x76, 0x75, 0x01, 0x19, 0xfe, 0xf8, 0x5d,
+ 0x43, 0xc5, 0x34, 0xf3, 0x7a, 0x95, 0xdc, 0xc2,
+ 0x58, 0x07, 0x19, 0x2f, 0x1d, 0x6f, 0x9a, 0x77,
+ 0x7e, 0x55, 0xaa, 0xe7, 0x5a, 0x50, 0x43, 0xd3 };
+
+static const unsigned char subprime[] = { 0x0,
+ 0xd8, 0x16, 0x23, 0x34, 0x8a, 0x9e, 0x3a, 0xf5,
+ 0xd9, 0x10, 0x13, 0x35, 0xaa, 0xf3, 0xf3, 0x54,
+ 0x0b, 0x31, 0x24, 0xf1 };
+
+static const unsigned char base[] = {
+ 0x03, 0x3a, 0xad, 0xfa, 0x3a, 0x0c, 0xea, 0x0a,
+ 0x4e, 0x43, 0x32, 0x92, 0xbb, 0x87, 0xf1, 0x11,
+ 0xc0, 0xad, 0x39, 0x38, 0x56, 0x1a, 0xdb, 0x23,
+ 0x66, 0xb1, 0x08, 0xda, 0xb6, 0x19, 0x51, 0x42,
+ 0x93, 0x4f, 0xc3, 0x44, 0x43, 0xa8, 0x05, 0xc1,
+ 0xf8, 0x71, 0x62, 0x6f, 0x3d, 0xe2, 0xab, 0x6f,
+ 0xd7, 0x80, 0x22, 0x6f, 0xca, 0x0d, 0xf6, 0x9f,
+ 0x45, 0x27, 0x83, 0xec, 0x86, 0x0c, 0xda, 0xaa,
+ 0xd6, 0xe0, 0xd0, 0x84, 0xfd, 0xb1, 0x4f, 0xdc,
+ 0x08, 0xcd, 0x68, 0x3a, 0x77, 0xc2, 0xc5, 0xf1,
+ 0x99, 0x0f, 0x15, 0x1b, 0x6a, 0x8c, 0x3d, 0x18,
+ 0x2b, 0x6f, 0xdc, 0x2b, 0xd8, 0xb5, 0x9b, 0xb8,
+ 0x2d, 0x57, 0x92, 0x1c, 0x46, 0x27, 0xaf, 0x6d,
+ 0xe1, 0x45, 0xcf, 0x0b, 0x3f, 0xfa, 0x07, 0xcc,
+ 0x14, 0x8e, 0xe7, 0xb8, 0xaa, 0xd5, 0xd1, 0x36,
+ 0x1d, 0x7e, 0x5e, 0x7d, 0xfa, 0x5b, 0x77, 0x1f };
+
+static const unsigned char h[] = {
+ 0x41, 0x87, 0x47, 0x79, 0xd8, 0xba, 0x4e, 0xac,
+ 0x44, 0x4f, 0x6b, 0xd2, 0x16, 0x5e, 0x04, 0xc6,
+ 0xc2, 0x29, 0x93, 0x5e, 0xbd, 0xc7, 0xa9, 0x8f,
+ 0x23, 0xa1, 0xc8, 0xee, 0x80, 0x64, 0xd5, 0x67,
+ 0x3c, 0xba, 0x59, 0x9a, 0x06, 0x0c, 0xcc, 0x29,
+ 0x56, 0xc0, 0xb2, 0x21, 0xe0, 0x5b, 0x52, 0xcd,
+ 0x84, 0x73, 0x57, 0xfd, 0xd8, 0xc3, 0x5b, 0x13,
+ 0x54, 0xd7, 0x4a, 0x06, 0x86, 0x63, 0x09, 0xa5,
+ 0xb0, 0x59, 0xe2, 0x32, 0x9e, 0x09, 0xa3, 0x9f,
+ 0x49, 0x62, 0xcc, 0xa6, 0xf9, 0x54, 0xd5, 0xb2,
+ 0xc3, 0x08, 0x71, 0x7e, 0xe3, 0x37, 0x50, 0xd6,
+ 0x7b, 0xa7, 0xc2, 0x60, 0xc1, 0xeb, 0x51, 0x32,
+ 0xfa, 0xad, 0x35, 0x25, 0x17, 0xf0, 0x7f, 0x23,
+ 0xe5, 0xa8, 0x01, 0x52, 0xcf, 0x2f, 0xd9, 0xa9,
+ 0xf6, 0x00, 0x21, 0x15, 0xf1, 0xf7, 0x70, 0xb7,
+ 0x57, 0x8a, 0xd0, 0x59, 0x6a, 0x82, 0xdc, 0x9c };
+
+static const unsigned char seed[] = { 0x00,
+ 0xcc, 0x4c, 0x69, 0x74, 0xf6, 0x72, 0x24, 0x68,
+ 0x24, 0x4f, 0xd7, 0x50, 0x11, 0x40, 0x81, 0xed,
+ 0x19, 0x3c, 0x8a, 0x25, 0xbc, 0x78, 0x0a, 0x85,
+ 0x82, 0x53, 0x70, 0x20, 0xf6, 0x54, 0xa5, 0x1b,
+ 0xf4, 0x15, 0xcd, 0xff, 0xc4, 0x88, 0xa7, 0x9d,
+ 0xf3, 0x47, 0x1c, 0x0a, 0xbe, 0x10, 0x29, 0x83,
+ 0xb9, 0x0f, 0x4c, 0xdf, 0x90, 0x16, 0x83, 0xa2,
+ 0xb3, 0xe3, 0x2e, 0xc1, 0xc2, 0x24, 0x6a, 0xc4,
+ 0x9d, 0x57, 0xba, 0xcb, 0x0f, 0x18, 0x75, 0x00,
+ 0x33, 0x46, 0x82, 0xec, 0xd6, 0x94, 0x77, 0xc3,
+ 0x4f, 0x4c, 0x58, 0x1c, 0x7f, 0x61, 0x3c, 0x36,
+ 0xd5, 0x2f, 0xa5, 0x66, 0xd8, 0x2f, 0xce, 0x6e,
+ 0x8e, 0x20, 0x48, 0x4a, 0xbb, 0xe3, 0xe0, 0xb2,
+ 0x50, 0x33, 0x63, 0x8a, 0x5b, 0x2d, 0x6a, 0xbe,
+ 0x4c, 0x28, 0x81, 0x53, 0x5b, 0xe4, 0xf6, 0xfc,
+ 0x64, 0x06, 0x13, 0x51, 0xeb, 0x4a, 0x91, 0x9c };
+
+#define MK_SECITEM(bb) { siBuffer, (unsigned char *)(bb), sizeof(bb) }
+
+static PQGParams pqgParams = {
+ NULL, /* arena */
+ MK_SECITEM(prime), /* P */
+ MK_SECITEM(subprime), /* Q */
+ MK_SECITEM(base) /* G */
+};
+
+static PQGVerify pqgVerify = {
+ NULL, /* arena */
+ 1496, /* counter */
+ MK_SECITEM(seed), /* seed */
+ MK_SECITEM(h) /* h */
+};
+
+
int
main (int argc, char **argv)
{
int retval = 1; /* 0 - test succeeded. 1 - test failed */
SECStatus rv;
PLOptState *optstate;
char *program_name;
@@ -147,20 +241,18 @@ main (int argc, char **argv)
PRFileDesc *fd;
int bytesRead;
int bytesWritten;
unsigned char file_buf[512];
unsigned char hash_buf[SHA1_LENGTH];
unsigned char sign_buf[40]; /* DSA_LENGTH */
SECItem hash,sign;
PK11Context *hashcx = NULL;
- int ks, count=0;
+ int count=0;
int keySize = 1024;
- PQGParams *pqgParams = NULL;
- PQGVerify *pqgVerify = NULL;
const char *nssDir = NULL;
secuPWData pwdata = { PW_NONE, 0 };
#ifdef USES_LINKS
int ret;
struct stat stat_buf;
char link_buf[MAXPATHLEN+1];
char *link_file = NULL;
#endif
@@ -244,23 +336,17 @@ main (int argc, char **argv)
/* Generate a DSA Key pair */
slot = PK11_GetBestSlot(CKM_DSA,&pwdata);
if (slot == NULL) {
lperror("CKM_DSA");
goto loser;
}
printf("Generating DSA Key Pair...."); fflush(stdout);
- ks = PQG_PBITS_TO_INDEX(keySize);
- rv = PK11_PQG_ParamGen(ks,&pqgParams, &pqgVerify);
- if (rv != SECSuccess) {
- lperror("Generating PQG Params");
- goto loser;
- }
- privk = PK11_GenerateKeyPair(slot, CKM_DSA_KEY_PAIR_GEN, pqgParams, &pubk,
+ privk = PK11_GenerateKeyPair(slot, CKM_DSA_KEY_PAIR_GEN, &pqgParams, &pubk,
PR_FALSE, PR_TRUE, &pwdata);
if (privk == NULL) {
lperror("Generating DSA Key");
goto loser;
}
printf("done\n");
--- a/security/nss/cmd/signtool/signtool.c
+++ b/security/nss/cmd/signtool/signtool.c
@@ -180,17 +180,17 @@ ProcessCommandFile()
fd = PR_Open(cmdFile, PR_RDONLY, 0777);
if (!fd) {
PR_fprintf(errorFD, "ERROR: Unable to open command file %s.\n");
errorCount++;
return - 1;
}
- while (pr_fgets(buf, CMD_FILE_BUFSIZE, fd), buf && *buf != '\0') {
+ while (pr_fgets(buf, CMD_FILE_BUFSIZE, fd)) {
char *eol;
linenum++;
/* Chop off final newline */
eol = PL_strchr(buf, '\r');
if (!eol) {
eol = PL_strchr(buf, '\n');
}
--- a/security/nss/cmd/signtool/util.c
+++ b/security/nss/cmd/signtool/util.c
@@ -1104,20 +1104,23 @@ char*
pr_fgets(char *buf, int size, PRFileDesc *file)
{
int i;
int status;
char c;
i = 0;
while (i < size - 1) {
- status = PR_Read(file, (void * ) &c, 1);
+ status = PR_Read(file, &c, 1);
if (status == -1) {
return NULL;
} else if (status == 0) {
+ if (i == 0) {
+ return NULL;
+ }
break;
}
buf[i++] = c;
if (c == '\n') {
break;
}
}
buf[i] = '\0';
--- a/security/nss/cmd/signver/manifest.mn
+++ b/security/nss/cmd/signver/manifest.mn
@@ -49,10 +49,8 @@ PROGRAM = signver
PACKAGE_FILES = README.txt signedForm.html signedForm.pl form.pl
ifeq ($(subst /,_,$(shell uname -s)),WINNT)
PACKAGE_FILES += signedForm.nt.pl signver.exe
else
PACKAGE_FILES += signver
endif
ARCHIVE_NAME = signver
-
-USE_STATIC_LIBS = 1
--- a/security/nss/cmd/signver/pk7print.c
+++ b/security/nss/cmd/signver/pk7print.c
@@ -114,21 +114,22 @@ sv_PrintTime(FILE *out, SECItem *t, char
int rv;
rv = DER_DecodeTimeChoice(&time, t);
if (rv) return rv;
/* Convert to local time */
PR_ExplodeTime(time, PR_LocalTimeParameters, &printableTime);
- timeString = (char *)PORT_Alloc(100);
+ timeString = (char *)PORT_Alloc(256);
if ( timeString ) {
- PR_FormatTime( timeString, 100, "%a %b %d %H:%M:%S %Y", &printableTime );
- fprintf(out, "%s%s\n", m, timeString);
+ if (PR_FormatTime( timeString, 256, "%a %b %d %H:%M:%S %Y", &printableTime )) {
+ fprintf(out, "%s%s\n", m, timeString);
+ }
PORT_Free(timeString);
return 0;
}
return SECFailure;
}
int
sv_PrintValidity(FILE *out, CERTValidity *v, char *m)
@@ -356,24 +357,26 @@ sv_PrintSubjectPublicKeyInfo(FILE *out,
sv_PrintAlgorithmID(out, &i->algorithm, mm);
pk = (SECKEYPublicKey*) PORT_ZAlloc(sizeof(SECKEYPublicKey));
if (!pk) return PORT_GetError();
DER_ConvertBitString(&i->subjectPublicKey);
switch(SECOID_FindOIDTag(&i->algorithm.algorithm)) {
case SEC_OID_PKCS1_RSA_ENCRYPTION:
- rv = SEC_ASN1DecodeItem(arena, pk, SECKEY_RSAPublicKeyTemplate,
+ rv = SEC_ASN1DecodeItem(arena, pk,
+ SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate),
&i->subjectPublicKey);
if (rv) return rv;
sprintf(mm, "%s.rsaPublicKey.", msg);
sv_PrintRSAPublicKey(out, pk, mm);
break;
case SEC_OID_ANSIX9_DSA_SIGNATURE:
- rv = SEC_ASN1DecodeItem(arena, pk, SECKEY_DSAPublicKeyTemplate,
+ rv = SEC_ASN1DecodeItem(arena, pk,
+ SEC_ASN1_GET(SECKEY_DSAPublicKeyTemplate),
&i->subjectPublicKey);
if (rv) return rv;
sprintf(mm, "%s.dsaPublicKey.", msg);
sv_PrintDSAPublicKey(out, pk, mm);
break;
default:
fprintf(out, "%s=bad SPKI algorithm type\n", msg);
return 0;
@@ -386,17 +389,18 @@ SECStatus
sv_PrintInvalidDateExten (FILE *out, SECItem *value, char *msg)
{
SECItem decodedValue;
SECStatus rv;
int64 invalidTime;
char *formattedTime = NULL;
decodedValue.data = NULL;
- rv = SEC_ASN1DecodeItem (NULL, &decodedValue, SEC_GeneralizedTimeTemplate,
+ rv = SEC_ASN1DecodeItem (NULL, &decodedValue,
+ SEC_ASN1_GET(SEC_GeneralizedTimeTemplate),
value);
if (rv == SECSuccess) {
rv = DER_GeneralizedTimeToTime(&invalidTime, &decodedValue);
if (rv == SECSuccess) {
formattedTime = CERT_GenTime2FormattedAscii(invalidTime, "%a %b %d %H:%M:%S %Y");
fprintf (out, "%s: %s\n", msg, formattedTime);
PORT_Free (formattedTime);
}
@@ -490,17 +494,18 @@ sv_PrintCertificate(FILE *out, SECItem *
/* Decode certificate */
c = (CERTCertificate*) PORT_ZAlloc(sizeof(CERTCertificate));
if (!c) return PORT_GetError();
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) return SEC_ERROR_NO_MEMORY;
- rv = SEC_ASN1DecodeItem(arena, c, CERT_CertificateTemplate, der);
+ rv = SEC_ASN1DecodeItem(arena, c, SEC_ASN1_GET(CERT_CertificateTemplate),
+ der);
if (rv) {
PORT_FreeArena(arena, PR_FALSE);
return rv;
}
/* Pretty print it out */
iv = DER_GetInteger(&c->version);
fprintf(out, "%sversion=%d (0x%x)\n", m, iv + 1, iv);
@@ -536,17 +541,18 @@ sv_PrintSignedData(FILE *out, SECItem *d
/* Strip off the signature */
sd = (CERTSignedData*) PORT_ZAlloc(sizeof(CERTSignedData));
if (!sd) return PORT_GetError();
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) return SEC_ERROR_NO_MEMORY;
- rv = SEC_ASN1DecodeItem(arena, sd, CERT_SignedDataTemplate, der);
+ rv = SEC_ASN1DecodeItem(arena, sd, SEC_ASN1_GET(CERT_SignedDataTemplate),
+ der);
if (rv) {
PORT_FreeArena(arena, PR_FALSE);
return rv;
}
/* fprintf(out, "%s:\n", m); */
PORT_Strcat(m, "data.");
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/tests/conflict.c
@@ -0,0 +1,58 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2008
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/*
+ * This test verifies that NSS public headers don't conflict with common
+ * identifier names.
+ */
+
+#include "nssilckt.h"
+
+/*
+ * Bug 455424: nssilckt.h used to define the enumeration constant 'Lock',
+ * which conflicts with C++ code that defines a Lock class. This is a
+ * reduced test case in C for that name conflict.
+ */
+typedef struct {
+ int dummy;
+} Lock;
+
+Lock lock;
+
+int main()
+{
+ return 0;
+}
--- a/security/nss/cmd/tests/manifest.mn
+++ b/security/nss/cmd/tests/manifest.mn
@@ -36,16 +36,17 @@
# ***** END LICENSE BLOCK *****
CORE_DEPTH = ../../..
# MODULE public and private header directories are implicitly REQUIRED.
MODULE = nss
CSRCS = \
+ conflict.c \
nonspr10.c \
remtest.c \
$(NULL)
# The MODULE is always implicitly required.
# Listing it here in REQUIRES makes it appear twice in the cc command line.
REQUIRES = seccmd dbm
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -33,17 +33,17 @@
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/*
**
-** Sample client side test program that uses SSL and libsec
+** Sample client side test program that uses SSL and NSS
**
*/
#include "secutil.h"
#if defined(XP_UNIX)
#include <unistd.h>
#else
@@ -121,30 +121,17 @@ int ssl3CipherSuites[] = {
};
unsigned long __cmp_umuls;
PRBool verbose;
int renegotiate = 0;
static char *progName;
-/* This exists only for the automated test suite. It allows us to
- * pass in a password on the command line.
- */
-
-char *password = NULL;
-
-char * ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg)
-{
- char *passwd = NULL;
- if ( (!retry) && arg ) {
- passwd = PL_strdup((char *)arg);
- }
- return passwd;
-}
+secuPWData pwdata = { PW_NONE, 0 };
void printSecurityInfo(PRFileDesc *fd)
{
CERTCertificate * cert;
SSL3Statistics * ssl3stats = SSL_GetStatistics();
SECStatus result;
SSLChannelInfo channel;
SSLCipherSuiteInfo suite;
@@ -198,17 +185,17 @@ handshakeCallback(PRFileDesc *fd, void *
SSL_ReHandshake(fd, PR_FALSE);
}
}
static void Usage(const char *progName)
{
fprintf(stderr,
"Usage: %s -h host [-p port] [-d certdir] [-n nickname] [-23BTfosvxr] \n"
-" [-c ciphers] [-w passwd] [-q]\n", progName);
+" [-c ciphers] [-w passwd] [-W pwfile] [-q]\n", progName);
fprintf(stderr, "%-20s Hostname to connect with\n", "-h host");
fprintf(stderr, "%-20s Port number for SSL server\n", "-p port");
fprintf(stderr,
"%-20s Directory with cert database (default is ~/.netscape)\n",
"-d certdir");
fprintf(stderr, "%-20s Nickname of key and cert for client auth\n",
"-n nickname");
fprintf(stderr,
@@ -518,17 +505,16 @@ int main(int argc, char **argv)
int disableTLS = 0;
int bypassPKCS11 = 0;
int disableLocking = 0;
int useExportPolicy = 0;
int enableSessionTickets = 0;
PRSocketOptionData opt;
PRNetAddr addr;
PRPollDesc pollset[2];
- PRBool useCommandLinePassword = PR_FALSE;
PRBool pingServerFirst = PR_FALSE;
PRBool clientSpeaksFirst = PR_FALSE;
PRBool wrStarted = PR_FALSE;
PRBool skipProtoHeader = PR_FALSE;
int headerSeparatorPtrnId = 0;
int error = 0;
PRUint16 portno = 443;
PLOptState *optstate;
@@ -543,17 +529,17 @@ int main(int argc, char **argv)
tmp = PR_GetEnv("NSS_DEBUG_TIMEOUT");
if (tmp && tmp[0]) {
int sec = PORT_Atoi(tmp);
if (sec > 0) {
maxInterval = PR_SecondsToInterval(sec);
}
}
- optstate = PL_CreateOptState(argc, argv, "23BTSfc:h:p:d:m:n:oqr:suvw:x");
+ optstate = PL_CreateOptState(argc, argv, "23BTSfc:h:p:d:m:n:oqr:suvw:xW:");
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
default : Usage(progName); break;
case '2': disableSSL2 = 1; break;
case '3': disableSSL3 = 1; break;
@@ -589,41 +575,41 @@ int main(int argc, char **argv)
case 's': disableLocking = 1; break;
case 'u': enableSessionTickets = PR_TRUE; break;
case 'v': verbose++; break;
case 'r': renegotiate = atoi(optstate->value); break;
- case 'w':
- password = PORT_Strdup(optstate->value);
- useCommandLinePassword = PR_TRUE;
+ case 'w':
+ pwdata.source = PW_PLAINTEXT;
+ pwdata.data = PORT_Strdup(optstate->value);
break;
+ case 'W':
+ pwdata.source = PW_FROMFILE;
+ pwdata.data = PORT_Strdup(optstate->value);
+ break;
+
case 'x': useExportPolicy = 1; break;
}
}
PL_DestroyOptState(optstate);
if (optstatus == PL_OPT_BAD)
Usage(progName);
if (!host || !portno)
Usage(progName);
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
- /* set our password function */
- if ( useCommandLinePassword ) {
- PK11_SetPasswordFunc(ownPasswd);
- } else {
- PK11_SetPasswordFunc(SECU_GetModulePassword);
- }
+ PK11_SetPasswordFunc(SECU_GetModulePassword);
/* open the cert DB, the key DB, and the secmod DB. */
if (!certDir) {
certDir = SECU_DefaultSSLDir(); /* Look in $SSL_DIR */
certDir = SECU_ConfigDirectory(certDir);
} else {
char *certDirTmp = certDir;
certDir = SECU_ConfigDirectory(certDirTmp);
@@ -838,19 +824,17 @@ int main(int argc, char **argv)
/* enable Session Ticket extension. */
rv = SSL_OptionSet(s, SSL_ENABLE_SESSION_TICKETS, enableSessionTickets);
if (rv != SECSuccess) {
SECU_PrintError(progName, "error enabling Session Ticket extension");
return 1;
}
- if (useCommandLinePassword) {
- SSL_SetPKCS11PinArg(s, password);
- }
+ SSL_SetPKCS11PinArg(s, &pwdata);
SSL_AuthCertificateHook(s, SSL_AuthCertificate, (void *)handle);
if (override) {
SSL_BadCertHook(s, ownBadCertHandler, NULL);
}
SSL_GetClientAuthDataHook(s, own_GetClientAuthData, (void *)nickname);
SSL_HandshakeCallback(s, handshakeCallback, NULL);
SSL_SetURL(s, host);
@@ -1059,22 +1043,23 @@ int main(int argc, char **argv)
}
milliPause(50 * multiplier);
}
done:
if (nickname) {
PORT_Free(nickname);
}
- if (password) {
- PORT_Free(password);
+ if (pwdata.data) {
+ PORT_Free(pwdata.data);
}
PORT_Free(host);
PR_Close(s);
SSL_ClearSessionCache();
if (NSS_Shutdown() != SECSuccess) {
exit(1);
}
+ FPRINTF(stderr, "tstclnt: exiting with return code %d\n", error);
PR_Cleanup();
return error;
}
--- a/security/nss/lib/base/nssbaset.h
+++ b/security/nss/lib/base/nssbaset.h
@@ -33,17 +33,17 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifndef NSSBASET_H
#define NSSBASET_H
#ifdef DEBUG
-static const char NSSBASET_CVS_ID[] = "@(#) $RCSfile: nssbaset.h,v $ $Revision: 1.6 $ $Date: 2005/01/20 02:25:45 $";
+static const char NSSBASET_CVS_ID[] = "@(#) $RCSfile: nssbaset.h,v $ $Revision: 1.7 $ $Date: 2008/10/05 20:59:16 $";
#endif /* DEBUG */
/*
* nssbaset.h
*
* This file contains the most low-level, fundamental public types.
*/
@@ -56,20 +56,20 @@ static const char NSSBASET_CVS_ID[] = "@
* NSS has its own versions of these NSPR macros, in a form which
* does not confuse ctags and other related utilities. NSPR
* defines these macros to take the type as an argument, because
* of a requirement to support win16 dlls. We do not have that
* requirement, so we can drop that restriction.
*/
#define DUMMY /* dummy */
-#define NSS_EXTERN PR_EXTERN(DUMMY)
-#define NSS_IMPLEMENT PR_IMPLEMENT(DUMMY)
-#define NSS_EXTERN_DATA PR_EXTERN_DATA(DUMMY)
-#define NSS_IMPLEMENT_DATA PR_IMPLEMENT_DATA(DUMMY)
+#define NSS_EXTERN extern
+#define NSS_EXTERN_DATA extern
+#define NSS_IMPLEMENT
+#define NSS_IMPLEMENT_DATA
PR_BEGIN_EXTERN_C
/*
* NSSError
*
* Calls to NSS routines may result in one or more errors being placed
* on the calling thread's "error stack." Every possible error that
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -991,38 +991,42 @@ void
return;
}
SECStatus
CERT_OpenCertDBFilename(CERTCertDBHandle *handle, char *certdbname,
PRBool readOnly)
{
PORT_Assert("CERT_OpenCertDBFilename is Deprecated" == NULL);
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
return SECFailure;
}
SECItem *
SECKEY_HashPassword(char *pw, SECItem *salt)
{
PORT_Assert("SECKEY_HashPassword is Deprecated" == NULL);
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
return NULL;
}
SECStatus
__CERT_TraversePermCertsForSubject(CERTCertDBHandle *handle,
SECItem *derSubject,
void *cb, void *cbarg)
{
PORT_Assert("CERT_TraversePermCertsForSubject is Deprecated" == NULL);
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
return SECFailure;
}
SECStatus
__CERT_TraversePermCertsForNickname(CERTCertDBHandle *handle, char *nickname,
void *cb, void *cbarg)
{
PORT_Assert("CERT_TraversePermCertsForNickname is Deprecated" == NULL);
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
return SECFailure;
}
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -34,17 +34,17 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/*
* Implementation of OCSP services, for both client and server.
* (XXX, really, mostly just for client right now, but intended to do both.)
*
- * $Id: ocsp.c,v 1.54 2008/07/08 21:34:32 alexei.volkov.bugs%sun.com Exp $
+ * $Id: ocsp.c,v 1.55 2008/10/06 23:37:55 julien.pierre.boogz%sun.com Exp $
*/
#include "prerror.h"
#include "prprf.h"
#include "plarena.h"
#include "prnetdb.h"
#include "seccomon.h"
@@ -200,24 +200,24 @@ ocsp_Trace(const char *format, ...)
va_end(args);
PR_LogPrint("%s", buf);
}
static void
ocsp_dumpStringWithTime(const char *str, int64 time)
{
PRExplodedTime timePrintable;
- char timestr[100];
+ char timestr[256];
if (!wantOcspTrace())
return;
PR_ExplodeTime(time, PR_GMTParameters, &timePrintable);
- PR_FormatTime(timestr, 100, "%a %b %d %H:%M:%S %Y",
- &timePrintable);
- ocsp_Trace("OCSP %s %s\n", str, timestr);
+ if (PR_FormatTime(timestr, 256, "%a %b %d %H:%M:%S %Y", &timePrintable)) {
+ ocsp_Trace("OCSP %s %s\n", str, timestr);
+ }
}
static void
printHexString(const char *prefix, SECItem *hexval)
{
unsigned int i;
char *hexbuf = NULL;
@@ -240,26 +240,28 @@ dumpCertificate(CERTCertificate *cert)
if (!wantOcspTrace())
return;
ocsp_Trace("OCSP ----------------\n");
ocsp_Trace("OCSP ## SUBJECT: %s\n", cert->subjectName);
{
int64 timeBefore, timeAfter;
PRExplodedTime beforePrintable, afterPrintable;
- char beforestr[100], afterstr[100];
+ char beforestr[256], afterstr[256];
+ PRStatus rv1, rv2;
DER_DecodeTimeChoice(&timeBefore, &cert->validity.notBefore);
DER_DecodeTimeChoice(&timeAfter, &cert->validity.notAfter);
PR_ExplodeTime(timeBefore, PR_GMTParameters, &beforePrintable);
PR_ExplodeTime(timeAfter, PR_GMTParameters, &afterPrintable);
- PR_FormatTime(beforestr, 100, "%a %b %d %H:%M:%S %Y",
+ rv1 = PR_FormatTime(beforestr, 256, "%a %b %d %H:%M:%S %Y",
&beforePrintable);
- PR_FormatTime(afterstr, 100, "%a %b %d %H:%M:%S %Y",
+ rv2 = PR_FormatTime(afterstr, 256, "%a %b %d %H:%M:%S %Y",
&afterPrintable);
- ocsp_Trace("OCSP ## VALIDITY: %s to %s\n", beforestr, afterstr);
+ ocsp_Trace("OCSP ## VALIDITY: %s to %s\n", rv1 ? beforestr : "",
+ rv2 ? afterstr : "");
}
ocsp_Trace("OCSP ## ISSUER: %s\n", cert->issuerName);
printHexString("OCSP ## SERIAL NUMBER:", &cert->serialNumber);
}
static void
dumpCertID(CERTOCSPCertID *certID)
{
--- a/security/nss/lib/ckfw/builtins/certdata.c
+++ b/security/nss/lib/ckfw/builtins/certdata.c
@@ -30,17 +30,17 @@
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.50 $ $Date: 2008/08/14 18:15:56 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.50 $ $Date: 2008/08/14 18:15:56 $";
+static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.51 $ $Date: 2008/10/17 23:06:45 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.51 $ $Date: 2008/10/17 23:06:45 $";
#endif /* DEBUG */
#ifndef BUILTINS_H
#include "builtins.h"
#endif /* BUILTINS_H */
static const CK_BBOOL ck_false = CK_FALSE;
static const CK_BBOOL ck_true = CK_TRUE;
@@ -798,25 +798,31 @@ static const CK_ATTRIBUTE_TYPE nss_built
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED
};
static const CK_ATTRIBUTE_TYPE nss_builtins_types_248 [] = {
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERTIFICATE_TYPE, CKA_SUBJECT, CKA_ID, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_VALUE
};
static const CK_ATTRIBUTE_TYPE nss_builtins_types_249 [] = {
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED
};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_250 [] = {
+ CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERTIFICATE_TYPE, CKA_SUBJECT, CKA_ID, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_251 [] = {
+ CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED
+};
#ifdef DEBUG
static const NSSItem nss_builtins_items_0 [] = {
{ (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"CVS ID", (PRUint32)7 },
{ (void *)"NSS", (PRUint32)4 },
- { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.50 $ $Date: 2008/08/14 18:15:56 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.50 $ $Date: 2008/08/14 18:15:56 $", (PRUint32)160 }
+ { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.51 $ $Date: 2008/10/17 23:06:45 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.51 $ $Date: 2008/10/17 23:06:45 $", (PRUint32)160 }
};
#endif /* DEBUG */
static const NSSItem nss_builtins_items_1 [] = {
{ (void *)&cko_netscape_builtin_root_list, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"Mozilla Builtin Roots", (PRUint32)22 }
@@ -16863,16 +16869,119 @@ static const NSSItem nss_builtins_items_
, (PRUint32)136 },
{ (void *)"\002\001\001"
, (PRUint32)3 },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
};
+static const NSSItem nss_builtins_items_250 [] = {
+ { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+ { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)"COMODO ECC Certification Authority", (PRUint32)35 },
+ { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+ { (void *)"\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102"
+"\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164"
+"\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060"
+"\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061"
+"\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117"
+"\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006"
+"\003\125\004\003\023\042\103\117\115\117\104\117\040\105\103\103"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171"
+, (PRUint32)136 },
+ { (void *)"0", (PRUint32)2 },
+ { (void *)"\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102"
+"\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164"
+"\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060"
+"\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061"
+"\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117"
+"\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006"
+"\003\125\004\003\023\042\103\117\115\117\104\117\040\105\103\103"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171"
+, (PRUint32)136 },
+ { (void *)"\002\020\037\107\257\252\142\000\160\120\124\114\001\236\233\143"
+"\231\052"
+, (PRUint32)18 },
+ { (void *)"\060\202\002\211\060\202\002\017\240\003\002\001\002\002\020\037"
+"\107\257\252\142\000\160\120\124\114\001\236\233\143\231\052\060"
+"\012\006\010\052\206\110\316\075\004\003\003\060\201\205\061\013"
+"\060\011\006\003\125\004\006\023\002\107\102\061\033\060\031\006"
+"\003\125\004\010\023\022\107\162\145\141\164\145\162\040\115\141"
+"\156\143\150\145\163\164\145\162\061\020\060\016\006\003\125\004"
+"\007\023\007\123\141\154\146\157\162\144\061\032\060\030\006\003"
+"\125\004\012\023\021\103\117\115\117\104\117\040\103\101\040\114"
+"\151\155\151\164\145\144\061\053\060\051\006\003\125\004\003\023"
+"\042\103\117\115\117\104\117\040\105\103\103\040\103\145\162\164"
+"\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162"
+"\151\164\171\060\036\027\015\060\070\060\063\060\066\060\060\060"
+"\060\060\060\132\027\015\063\070\060\061\061\070\062\063\065\071"
+"\065\071\132\060\201\205\061\013\060\011\006\003\125\004\006\023"
+"\002\107\102\061\033\060\031\006\003\125\004\010\023\022\107\162"
+"\145\141\164\145\162\040\115\141\156\143\150\145\163\164\145\162"
+"\061\020\060\016\006\003\125\004\007\023\007\123\141\154\146\157"
+"\162\144\061\032\060\030\006\003\125\004\012\023\021\103\117\115"
+"\117\104\117\040\103\101\040\114\151\155\151\164\145\144\061\053"
+"\060\051\006\003\125\004\003\023\042\103\117\115\117\104\117\040"
+"\105\103\103\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\060\166\060\020\006"
+"\007\052\206\110\316\075\002\001\006\005\053\201\004\000\042\003"
+"\142\000\004\003\107\173\057\165\311\202\025\205\373\165\344\221"
+"\026\324\253\142\231\365\076\122\013\006\316\101\000\177\227\341"
+"\012\044\074\035\001\004\356\075\322\215\011\227\014\340\165\344"
+"\372\373\167\212\052\365\003\140\113\066\213\026\043\026\255\011"
+"\161\364\112\364\050\120\264\376\210\034\156\077\154\057\057\011"
+"\131\133\245\133\013\063\231\342\303\075\211\371\152\054\357\262"
+"\323\006\351\243\102\060\100\060\035\006\003\125\035\016\004\026"
+"\004\024\165\161\247\031\110\031\274\235\235\352\101\107\337\224"
+"\304\110\167\231\323\171\060\016\006\003\125\035\017\001\001\377"
+"\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377"
+"\004\005\060\003\001\001\377\060\012\006\010\052\206\110\316\075"
+"\004\003\003\003\150\000\060\145\002\061\000\357\003\133\172\254"
+"\267\170\012\162\267\210\337\377\265\106\024\011\012\372\240\346"
+"\175\010\306\032\207\275\030\250\163\275\046\312\140\014\235\316"
+"\231\237\317\134\017\060\341\276\024\061\352\002\060\024\364\223"
+"\074\111\247\063\172\220\106\107\263\143\175\023\233\116\267\157"
+"\030\067\200\123\376\335\040\340\065\232\066\321\307\001\271\346"
+"\334\335\363\377\035\054\072\026\127\331\222\071\326"
+, (PRUint32)653 }
+};
+static const NSSItem nss_builtins_items_251 [] = {
+ { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+ { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)"COMODO ECC Certification Authority", (PRUint32)35 },
+ { (void *)"\237\164\116\237\053\115\272\354\017\061\054\120\266\126\073\216"
+"\055\223\303\021"
+, (PRUint32)20 },
+ { (void *)"\174\142\377\164\235\061\123\136\150\112\325\170\252\036\277\043"
+, (PRUint32)16 },
+ { (void *)"\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102"
+"\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164"
+"\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060"
+"\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061"
+"\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117"
+"\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006"
+"\003\125\004\003\023\042\103\117\115\117\104\117\040\105\103\103"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171"
+, (PRUint32)136 },
+ { (void *)"\002\020\037\107\257\252\142\000\160\120\124\114\001\236\233\143"
+"\231\052"
+, (PRUint32)18 },
+ { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+ { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+ { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+ { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
+};
builtinsInternalObject
nss_builtins_data[] = {
#ifdef DEBUG
{ 7, nss_builtins_types_0, nss_builtins_items_0, {NULL} },
#endif /* DEBUG */
{ 5, nss_builtins_types_1, nss_builtins_items_1, {NULL} },
{ 11, nss_builtins_types_2, nss_builtins_items_2, {NULL} },
@@ -17117,16 +17226,18 @@ nss_builtins_data[] = {
{ 13, nss_builtins_types_241, nss_builtins_items_241, {NULL} },
{ 11, nss_builtins_types_242, nss_builtins_items_242, {NULL} },
{ 13, nss_builtins_types_243, nss_builtins_items_243, {NULL} },
{ 11, nss_builtins_types_244, nss_builtins_items_244, {NULL} },
{ 13, nss_builtins_types_245, nss_builtins_items_245, {NULL} },
{ 11, nss_builtins_types_246, nss_builtins_items_246, {NULL} },
{ 13, nss_builtins_types_247, nss_builtins_items_247, {NULL} },
{ 11, nss_builtins_types_248, nss_builtins_items_248, {NULL} },
- { 13, nss_builtins_types_249, nss_builtins_items_249, {NULL} }
+ { 13, nss_builtins_types_249, nss_builtins_items_249, {NULL} },
+ { 11, nss_builtins_types_250, nss_builtins_items_250, {NULL} },
+ { 13, nss_builtins_types_251, nss_builtins_items_251, {NULL} }
};
const PRUint32
#ifdef DEBUG
- nss_builtins_nObjects = 249+1;
+ nss_builtins_nObjects = 251+1;
#else
- nss_builtins_nObjects = 249;
+ nss_builtins_nObjects = 251;
#endif /* DEBUG */
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -29,17 +29,17 @@
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
-CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.49 $ $Date: 2008/08/14 18:15:56 $"
+CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.50 $ $Date: 2008/10/17 23:06:48 $"
#
# certdata.txt
#
# This file contains the object definitions for the certs and other
# information "built into" NSS.
#
# Object definitions:
@@ -17383,8 +17383,121 @@ CKA_ISSUER MULTILINE_OCTAL
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "COMODO ECC Certification Authority"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "COMODO ECC Certification Authority"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102
+\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164
+\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060
+\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061
+\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117
+\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006
+\003\125\004\003\023\042\103\117\115\117\104\117\040\105\103\103
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102
+\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164
+\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060
+\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061
+\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117
+\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006
+\003\125\004\003\023\042\103\117\115\117\104\117\040\105\103\103
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\037\107\257\252\142\000\160\120\124\114\001\236\233\143
+\231\052
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\211\060\202\002\017\240\003\002\001\002\002\020\037
+\107\257\252\142\000\160\120\124\114\001\236\233\143\231\052\060
+\012\006\010\052\206\110\316\075\004\003\003\060\201\205\061\013
+\060\011\006\003\125\004\006\023\002\107\102\061\033\060\031\006
+\003\125\004\010\023\022\107\162\145\141\164\145\162\040\115\141
+\156\143\150\145\163\164\145\162\061\020\060\016\006\003\125\004
+\007\023\007\123\141\154\146\157\162\144\061\032\060\030\006\003
+\125\004\012\023\021\103\117\115\117\104\117\040\103\101\040\114
+\151\155\151\164\145\144\061\053\060\051\006\003\125\004\003\023
+\042\103\117\115\117\104\117\040\105\103\103\040\103\145\162\164
+\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
+\151\164\171\060\036\027\015\060\070\060\063\060\066\060\060\060
+\060\060\060\132\027\015\063\070\060\061\061\070\062\063\065\071
+\065\071\132\060\201\205\061\013\060\011\006\003\125\004\006\023
+\002\107\102\061\033\060\031\006\003\125\004\010\023\022\107\162
+\145\141\164\145\162\040\115\141\156\143\150\145\163\164\145\162
+\061\020\060\016\006\003\125\004\007\023\007\123\141\154\146\157
+\162\144\061\032\060\030\006\003\125\004\012\023\021\103\117\115
+\117\104\117\040\103\101\040\114\151\155\151\164\145\144\061\053
+\060\051\006\003\125\004\003\023\042\103\117\115\117\104\117\040
+\105\103\103\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\060\166\060\020\006
+\007\052\206\110\316\075\002\001\006\005\053\201\004\000\042\003
+\142\000\004\003\107\173\057\165\311\202\025\205\373\165\344\221
+\026\324\253\142\231\365\076\122\013\006\316\101\000\177\227\341
+\012\044\074\035\001\004\356\075\322\215\011\227\014\340\165\344
+\372\373\167\212\052\365\003\140\113\066\213\026\043\026\255\011
+\161\364\112\364\050\120\264\376\210\034\156\077\154\057\057\011
+\131\133\245\133\013\063\231\342\303\075\211\371\152\054\357\262
+\323\006\351\243\102\060\100\060\035\006\003\125\035\016\004\026
+\004\024\165\161\247\031\110\031\274\235\235\352\101\107\337\224
+\304\110\167\231\323\171\060\016\006\003\125\035\017\001\001\377
+\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
+\004\005\060\003\001\001\377\060\012\006\010\052\206\110\316\075
+\004\003\003\003\150\000\060\145\002\061\000\357\003\133\172\254
+\267\170\012\162\267\210\337\377\265\106\024\011\012\372\240\346
+\175\010\306\032\207\275\030\250\163\275\046\312\140\014\235\316
+\231\237\317\134\017\060\341\276\024\061\352\002\060\024\364\223
+\074\111\247\063\172\220\106\107\263\143\175\023\233\116\267\157
+\030\067\200\123\376\335\040\340\065\232\066\321\307\001\271\346
+\334\335\363\377\035\054\072\026\127\331\222\071\326
+END
+
+# Trust for Certificate "COMODO ECC Certification Authority"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "COMODO ECC Certification Authority"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\237\164\116\237\053\115\272\354\017\061\054\120\266\126\073\216
+\055\223\303\021
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\174\142\377\164\235\061\123\136\150\112\325\170\252\036\277\043
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102
+\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164
+\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060
+\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061
+\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117
+\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006
+\003\125\004\003\023\042\103\117\115\117\104\117\040\105\103\103
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\037\107\257\252\142\000\160\120\124\114\001\236\233\143
+\231\052
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -70,18 +70,18 @@
* ...
* - NSS 3.30 branch: 250-255
*
* NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear
* whether we may use its full range (0-255) or only 0-99 because
* of the comment in the CK_VERSION type definition.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 71
-#define NSS_BUILTINS_LIBRARY_VERSION "1.71"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 72
+#define NSS_BUILTINS_LIBRARY_VERSION "1.72"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
#define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
/* These version numbers detail the semantic changes to ckbi itself
* (new PKCS #11 objects), etc. */
#define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/security/nss/lib/ckfw/capi/staticobj.c
+++ b/security/nss/lib/ckfw/capi/staticobj.c
@@ -32,17 +32,17 @@
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: staticobj.c,v $ $Revision: 1.1 $ $Date: 2005/11/04 02:05:04 $""; @(#) $RCSfile: staticobj.c,v $ $Revision: 1.1 $ $Date: 2005/11/04 02:05:04 $";
+static const char CVS_ID[] = "@(#) $RCSfile: staticobj.c,v $ $Revision: 1.2 $ $Date: 2008/10/05 20:59:19 $""; @(#) $RCSfile: staticobj.c,v $ $Revision: 1.2 $ $Date: 2008/10/05 20:59:19 $";
#endif /* DEBUG */
#ifndef CKCAPI_H
#include "ckcapi.h"
#endif /* CKCAPI_H */
static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
@@ -62,13 +62,13 @@ static const CK_ATTRIBUTE_TYPE nss_ckcap
static const NSSItem nss_ckcapi_items_1 [] = {
{ (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"Mozilla CAPI Access", (PRUint32)20 }
};
-PR_IMPLEMENT_DATA(ckcapiInternalObject) nss_ckcapi_data[] = {
+ckcapiInternalObject nss_ckcapi_data[] = {
{ ckcapiRaw, { 5, nss_ckcapi_types_1, nss_ckcapi_items_1} , {NULL} },
};
-PR_IMPLEMENT_DATA(const PRUint32) nss_ckcapi_nObjects = 1;
+const PRUint32 nss_ckcapi_nObjects = 1;
--- a/security/nss/lib/ckfw/nssmkey/staticobj.c
+++ b/security/nss/lib/ckfw/nssmkey/staticobj.c
@@ -32,17 +32,17 @@
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: staticobj.c,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $""; @(#) $RCSfile: staticobj.c,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $";
+static const char CVS_ID[] = "@(#) $RCSfile: staticobj.c,v $ $Revision: 1.2 $ $Date: 2008/10/05 20:59:22 $""; @(#) $RCSfile: staticobj.c,v $ $Revision: 1.2 $ $Date: 2008/10/05 20:59:22 $";
#endif /* DEBUG */
#ifndef CKMK_H
#include "ckmk.h"
#endif /* CKMK_H */
static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
@@ -62,13 +62,13 @@ static const CK_ATTRIBUTE_TYPE nss_ckmk_
static const NSSItem nss_ckmk_items_1 [] = {
{ (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"Mozilla Mac Key Ring Access", (PRUint32)28 }
};
-PR_IMPLEMENT_DATA(ckmkInternalObject) nss_ckmk_data[] = {
+ckmkInternalObject nss_ckmk_data[] = {
{ ckmkRaw, {{ 5, nss_ckmk_types_1, nss_ckmk_items_1}} , CKO_DATA, {NULL} },
};
-PR_IMPLEMENT_DATA(const PRUint32) nss_ckmk_nObjects = 1;
+const PRUint32 nss_ckmk_nObjects = 1;
--- a/security/nss/lib/ckfw/wrap.c
+++ b/security/nss/lib/ckfw/wrap.c
@@ -30,17 +30,17 @@
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: wrap.c,v $ $Revision: 1.16 $ $Date: 2008/02/25 20:35:23 $";
+static const char CVS_ID[] = "@(#) $RCSfile: wrap.c,v $ $Revision: 1.17 $ $Date: 2008/08/25 22:47:32 $";
#endif /* DEBUG */
/*
* wrap.c
*
* This file contains the routines that actually implement the cryptoki
* API, using the internal APIs of the NSS Cryptoki Framework. There is
* one routine here for every cryptoki routine. For linking reasons
@@ -269,16 +269,27 @@ NSSCKFWC_Finalize
case CKR_GENERAL_ERROR:
case CKR_HOST_MEMORY:
break;
default:
error = CKR_GENERAL_ERROR;
break;
}
+ /*
+ * A thread's error stack is automatically destroyed when the thread
+ * terminates or, for the primordial thread, by PR_Cleanup. On
+ * Windows with MinGW, the thread private data destructor PR_Free
+ * registered by this module is actually a thunk for PR_Free defined
+ * in this module. When the thread that unloads this module terminates
+ * or calls PR_Cleanup, the thunk for PR_Free is already gone with the
+ * module. Therefore we need to destroy the error stack before the
+ * module is unloaded.
+ */
+ nss_DestroyErrorStack();
return error;
}
/*
* NSSCKFWC_GetInfo
*
*/
NSS_IMPLEMENT CK_RV
--- a/security/nss/lib/dev/ckhelper.c
+++ b/security/nss/lib/dev/ckhelper.c
@@ -30,17 +30,17 @@
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: ckhelper.c,v $ $Revision: 1.37 $ $Date: 2008/05/29 17:24:15 $";
+static const char CVS_ID[] = "@(#) $RCSfile: ckhelper.c,v $ $Revision: 1.38 $ $Date: 2008/09/30 04:09:02 $";
#endif /* DEBUG */
#ifndef NSSCKEPV_H
#include "nssckepv.h"
#endif /* NSSCKEPV_H */
#ifndef DEVM_H
#include "devm.h"
@@ -354,16 +354,20 @@ nssCryptokiCertificate_GetAttributes (
status = nssToken_GetCachedObjectAttributes(certObject->token, arenaOpt,
certObject, CKO_CERTIFICATE,
cert_template, template_size);
if (status != PR_SUCCESS) {
session = sessionOpt ?
sessionOpt :
nssToken_GetDefaultSession(certObject->token);
+ if (!session) {
+ nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+ return PR_FAILURE;
+ }
slot = nssToken_GetSlot(certObject->token);
status = nssCKObject_GetAttributes(certObject->handle,
cert_template, template_size,
arenaOpt, session, slot);
nssSlot_Destroy(slot);
if (status != PR_SUCCESS) {
return status;
@@ -452,16 +456,20 @@ nssCryptokiTrust_GetAttributes (
status = nssToken_GetCachedObjectAttributes(trustObject->token, NULL,
trustObject,
CKO_NETSCAPE_TRUST,
trust_template, trust_size);
if (status != PR_SUCCESS) {
session = sessionOpt ?
sessionOpt :
nssToken_GetDefaultSession(trustObject->token);
+ if (!session) {
+ nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+ return PR_FAILURE;
+ }
slot = nssToken_GetSlot(trustObject->token);
status = nssCKObject_GetAttributes(trustObject->handle,
trust_template, trust_size,
NULL, session, slot);
nssSlot_Destroy(slot);
if (status != PR_SUCCESS) {
return status;
@@ -517,16 +525,20 @@ nssCryptokiCRL_GetAttributes (
status = nssToken_GetCachedObjectAttributes(crlObject->token, NULL,
crlObject,
CKO_NETSCAPE_CRL,
crl_template, crl_size);
if (status != PR_SUCCESS) {
session = sessionOpt ?
sessionOpt :
nssToken_GetDefaultSession(crlObject->token);
+ if (session == NULL) {
+ nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+ return PR_FAILURE;
+ }
slot = nssToken_GetSlot(crlObject->token);
status = nssCKObject_GetAttributes(crlObject->handle,
crl_template, crl_size,
arenaOpt, session, slot);
nssSlot_Destroy(slot);
if (status != PR_SUCCESS) {
return status;
@@ -575,20 +587,19 @@ nssCryptokiPrivateKey_SetCertificate (
NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, nickname);
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, id);
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
NSS_CK_TEMPLATE_FINISH(key_template, attr, key_size);
if (sessionOpt) {
if (!nssSession_IsReadWrite(sessionOpt)) {
return PR_FAILURE;
- } else {
- session = sessionOpt;
- }
- } else if (nssSession_IsReadWrite(defaultSession)) {
+ }
+ session = sessionOpt;
+ } else if (defaultSession && nssSession_IsReadWrite(defaultSession)) {
session = defaultSession;
} else {
NSSSlot *slot = nssToken_GetSlot(token);
session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);
nssSlot_Destroy(slot);
if (!session) {
return PR_FAILURE;
}
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -30,17 +30,17 @@
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.50 $ $Date: 2008/08/09 01:25:58 $";
+static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.51 $ $Date: 2008/09/30 04:09:02 $";
#endif /* DEBUG */
#ifndef NSSCKEPV_H
#include "nssckepv.h"
#endif /* NSSCKEPV_H */
#ifndef DEVM_H
#include "devm.h"
@@ -177,17 +177,18 @@ nssToken_DeleteStoredObject (
PRBool createdSession = PR_FALSE;
NSSToken *token = instance->token;
nssSession *session = NULL;
void *epv = nssToken_GetCryptokiEPV(instance->token);
if (token->cache) {
nssTokenObjectCache_RemoveObject(token->cache, instance);
}
if (instance->isTokenObject) {
- if (nssSession_IsReadWrite(token->defaultSession)) {
+ if (token->defaultSession &&
+ nssSession_IsReadWrite(token->defaultSession)) {
session = token->defaultSession;
} else {
session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);
createdSession = PR_TRUE;
}
}
if (session == NULL) {
return PR_FAILURE;
@@ -222,20 +223,20 @@ import_object (
CK_OBJECT_HANDLE handle;
CK_RV ckrv;
void *epv = nssToken_GetCryptokiEPV(tok);
if (nssCKObject_IsTokenObjectTemplate(objectTemplate, otsize)) {
if (sessionOpt) {
if (!nssSession_IsReadWrite(sessionOpt)) {
nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
return NULL;
- } else {
- session = sessionOpt;
}
- } else if (nssSession_IsReadWrite(tok->defaultSession)) {
+ session = sessionOpt;
+ } else if (tok->defaultSession &&
+ nssSession_IsReadWrite(tok->defaultSession)) {
session = tok->defaultSession;
} else {
session = nssSlot_CreateSession(tok->slot, NULL, PR_TRUE);
createdSession = PR_TRUE;
}
} else {
session = (sessionOpt) ? sessionOpt : tok->defaultSession;
}
@@ -302,18 +303,17 @@ find_objects (
CK_OBJECT_HANDLE *objectHandles = NULL;
CK_OBJECT_HANDLE staticObjects[OBJECT_STACK_SIZE];
PRUint32 arraySize, numHandles;
void *epv = nssToken_GetCryptokiEPV(tok);
nssCryptokiObject **objects;
nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
/* Don't ask the module to use an invalid session handle. */
- PORT_Assert(session->handle != CK_INVALID_SESSION);
- if (session->handle == CK_INVALID_SESSION) {
+ if (!session || session->handle == CK_INVALID_SESSION) {
ckrv = CKR_SESSION_HANDLE_INVALID;
goto loser;
}
/* the arena is only for the array of object handles */
if (maximumOpt > 0) {
arraySize = maximumOpt;
} else {
@@ -1142,29 +1142,34 @@ nssToken_FindTrustForCertificate (
nssTokenSearchType searchType
)
{
CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
CK_ATTRIBUTE_PTR attr;
CK_ATTRIBUTE tobj_template[5];
CK_ULONG tobj_size;
nssSession *session = sessionOpt ? sessionOpt : token->defaultSession;
- nssCryptokiObject *object, **objects;
+ nssCryptokiObject *object = NULL, **objects;
+
+ /* Don't ask the module to use an invalid session handle. */
+ if (!session || session->handle == CK_INVALID_SESSION) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ return object;
+ }
NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
if (searchType == nssTokenSearchType_SessionOnly) {
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
} else if (searchType == nssTokenSearchType_TokenOnly) {
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
}
NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, tobjc);
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER, certIssuer);
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER , certSerial);
NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
- object = NULL;
objects = find_objects_by_template(token, session,
tobj_template, tobj_size,
1, NULL);
if (objects) {
object = objects[0];
nss_ZFreeIf(objects);
}
return object;
@@ -1222,19 +1227,25 @@ nssToken_FindCRLsBySubject (
PRUint32 maximumOpt,
PRStatus *statusOpt
)
{
CK_OBJECT_CLASS crlobjc = CKO_NETSCAPE_CRL;
CK_ATTRIBUTE_PTR attr;
CK_ATTRIBUTE crlobj_template[3];
CK_ULONG crlobj_size;
- nssCryptokiObject **objects;
+ nssCryptokiObject **objects = NULL;
nssSession *session = sessionOpt ? sessionOpt : token->defaultSession;
+ /* Don't ask the module to use an invalid session handle. */
+ if (!session || session->handle == CK_INVALID_SESSION) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ return objects;
+ }
+
NSS_CK_TEMPLATE_START(crlobj_template, attr, crlobj_size);
if (searchType == nssTokenSearchType_SessionOnly) {
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
} else if (searchType == nssTokenSearchType_TokenOnly ||
searchType == nssTokenSearchType_TokenForced) {
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
}
NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, crlobjc);
@@ -1275,18 +1286,24 @@ nssToken_Digest (
NSSArena *arenaOpt
)
{
CK_RV ckrv;
CK_ULONG digestLen;
CK_BYTE_PTR digest;
NSSItem *rvItem = NULL;
void *epv = nssToken_GetCryptokiEPV(tok);
- nssSession *session;
- session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+ nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+ /* Don't ask the module to use an invalid session handle. */
+ if (!session || session->handle == CK_INVALID_SESSION) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ return rvItem;
+ }
+
nssSession_EnterMonitor(session);
ckrv = CKAPI(epv)->C_DigestInit(session->handle, &ap->mechanism);
if (ckrv != CKR_OK) {
nssSession_ExitMonitor(session);
return NULL;
}
#if 0
/* XXX the standard says this should work, but it doesn't */
@@ -1335,36 +1352,48 @@ nssToken_Digest (
NSS_IMPLEMENT PRStatus
nssToken_BeginDigest (
NSSToken *tok,
nssSession *sessionOpt,
NSSAlgorithmAndParameters *ap
)
{
CK_RV ckrv;
- nssSession *session;
void *epv = nssToken_GetCryptokiEPV(tok);
- session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+ nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+ /* Don't ask the module to use an invalid session handle. */
+ if (!session || session->handle == CK_INVALID_SESSION) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ return PR_FAILURE;
+ }
+
nssSession_EnterMonitor(session);
ckrv = CKAPI(epv)->C_DigestInit(session->handle, &ap->mechanism);
nssSession_ExitMonitor(session);
return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
}
NSS_IMPLEMENT PRStatus
nssToken_ContinueDigest (
NSSToken *tok,
nssSession *sessionOpt,
NSSItem *item
)
{
CK_RV ckrv;
- nssSession *session;
void *epv = nssToken_GetCryptokiEPV(tok);
- session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+ nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+ /* Don't ask the module to use an invalid session handle. */
+ if (!session || session->handle == CK_INVALID_SESSION) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ return PR_FAILURE;
+ }
+
nssSession_EnterMonitor(session);
ckrv = CKAPI(epv)->C_DigestUpdate(session->handle,
(CK_BYTE_PTR)item->data,
(CK_ULONG)item->size);
nssSession_ExitMonitor(session);
return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
}
@@ -1376,18 +1405,24 @@ nssToken_FinishDigest (
NSSArena *arenaOpt
)
{
CK_RV ckrv;
CK_ULONG digestLen;
CK_BYTE_PTR digest;
NSSItem *rvItem = NULL;
void *epv = nssToken_GetCryptokiEPV(tok);
- nssSession *session;
- session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+ nssSession *session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+
+ /* Don't ask the module to use an invalid session handle. */
+ if (!session || session->handle == CK_INVALID_SESSION) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ return NULL;
+ }
+
nssSession_EnterMonitor(session);
ckrv = CKAPI(epv)->C_DigestFinal(session->handle, NULL, &digestLen);
if (ckrv != CKR_OK || digestLen == 0) {
nssSession_ExitMonitor(session);
return NULL;
}
digest = NULL;
if (rvOpt) {
@@ -1454,16 +1489,22 @@ nssToken_TraverseCertificates (
CK_ULONG ctsize;
NSSArena *arena;
PRStatus status;
PRUint32 arraySize, numHandles;
nssCryptokiObject **objects;
void *epv = nssToken_GetCryptokiEPV(token);
nssSession *session = (sessionOpt) ? sessionOpt : token->defaultSession;
+ /* Don't ask the module to use an invalid session handle. */
+ if (!session || session->handle == CK_INVALID_SESSION) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ return PR_FAILURE;
+ }
+
/* template for all certs */
NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
if (searchType == nssTokenSearchType_SessionOnly) {
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
} else if (searchType == nssTokenSearchType_TokenOnly ||
searchType == nssTokenSearchType_TokenForced) {
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
}
--- a/security/nss/lib/dev/devutil.c
+++ b/security/nss/lib/dev/devutil.c
@@ -30,17 +30,17 @@
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: devutil.c,v $ $Revision: 1.31 $ $Date: 2008/05/18 01:51:45 $";
+static const char CVS_ID[] = "@(#) $RCSfile: devutil.c,v $ $Revision: 1.32 $ $Date: 2008/09/30 04:09:02 $";
#endif /* DEBUG */
#ifndef DEVM_H
#include "devm.h"
#endif /* DEVM_H */
#ifndef CKHELPER_H
#include "ckhelper.h"
@@ -382,17 +382,20 @@ create_object (
nssCryptokiObjectAndAttributes *rvCachedObject = NULL;
slot = nssToken_GetSlot(object->token);
if (!slot) {
nss_SetError(NSS_ERROR_INVALID_POINTER);
goto loser;
}
session = nssToken_GetDefaultSession(object->token);
-
+ if (!session) {
+ nss_SetError(NSS_ERROR_INVALID_POINTER);
+ goto loser;
+ }
arena = nssArena_Create();
if (!arena) {
goto loser;
}
rvCachedObject = nss_ZNEW(arena, nssCryptokiObjectAndAttributes);
if (!rvCachedObject) {
goto loser;
}
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -450,17 +450,17 @@ ECL_USERS = ec.c
ECL_OBJS = $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(ECL_SRCS:.c=$(OBJ_SUFFIX)) $(ECL_ASM_SRCS:$(ASM_SUFFIX)=$(OBJ_SUFFIX)))
ECL_OBJS += $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(ECL_USERS:.c=$(OBJ_SUFFIX)))
$(ECL_OBJS): $(ECL_HDRS)
-$(OBJDIR)/sysrand$(OBJ_SUFFIX): sysrand.c unix_rand.c win_rand.c mac_rand.c os2_rand.c
+$(OBJDIR)/sysrand$(OBJ_SUFFIX): sysrand.c unix_rand.c win_rand.c os2_rand.c
$(OBJDIR)/$(PROG_PREFIX)mpprime$(OBJ_SUFFIX): primes.c
$(OBJDIR)/ldvector$(OBJ_SUFFIX) $(OBJDIR)/loader$(OBJ_SUFFIX) : loader.h
ifeq ($(SYSV_SPARC),1)
$(OBJDIR)/mpv_sparcv8.o $(OBJDIR)/mpv_sparcv8x.o $(OBJDIR)/montmulfv8.o : $(OBJDIR)/%.o : %.s
--- a/security/nss/lib/freebl/config.mk
+++ b/security/nss/lib/freebl/config.mk
@@ -85,35 +85,33 @@ SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)
RES = $(OBJDIR)/$(LIBRARY_NAME).res
RESNAME = freebl.rc
ifdef NS_USE_GCC
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
- -lplc4 \
- -lplds4 \
-lnspr4 \
$(NULL)
else # ! NS_USE_GCC
EXTRA_SHARED_LIBS += \
$(DIST)/lib/nssutil3.lib \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
$(NULL)
endif # NS_USE_GCC
else
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
- -lplc4 \
- -lplds4 \
-lnspr4 \
$(NULL)
endif
+ifeq ($(OS_ARCH), Darwin)
+EXTRA_SHARED_LIBS += -dylib_file @executable_path/libplc4.dylib:$(DIST)/lib/libplc4.dylib -dylib_file @executable_path/libplds4.dylib:$(DIST)/lib/libplds4.dylib
endif
+
+endif
deleted file mode 100644
--- a/security/nss/lib/freebl/mac_rand.c
+++ /dev/null
@@ -1,318 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifdef notdef
-#include "xp_core.h"
-#include "xp_file.h"
-#endif
-#include "secrng.h"
-#include "mcom_db.h"
-#ifdef XP_MAC
-#include <Events.h>
-#include <OSUtils.h>
-#include <QDOffscreen.h>
-#include <PPCToolbox.h>
-#include <Processes.h>
-#include <LowMem.h>
-#include <Scrap.h>
-
-/* Static prototypes */
-static size_t CopyLowBits(void *dst, size_t dstlen, void *src, size_t srclen);
-void FE_ReadScreen();
-
-static size_t CopyLowBits(void *dst, size_t dstlen, void *src, size_t srclen)
-{
- union endianness {
- int32 i;
- char c[4];
- } u;
-
- if (srclen <= dstlen) {
- memcpy(dst, src, srclen);
- return srclen;
- }
- u.i = 0x01020304;
- if (u.c[0] == 0x01) {
- /* big-endian case */
- memcpy(dst, (char*)src + (srclen - dstlen), dstlen);
- } else {
- /* little-endian case */
- memcpy(dst, src, dstlen);
- }
- return dstlen;
-}
-
-size_t RNG_GetNoise(void *buf, size_t maxbytes)
-{
- UnsignedWide microTickCount;
- Microseconds(µTickCount);
- return CopyLowBits(buf, maxbytes, µTickCount, sizeof(microTickCount));
-}
-
-void RNG_FileForRNG(const char *filename)
-{
- unsigned char buffer[BUFSIZ];
- size_t bytes;
-#ifdef notdef /*sigh*/
- XP_File file;
- unsigned long totalFileBytes = 0;
-
- if (filename == NULL) /* For now, read in global history if filename is null */
- file = XP_FileOpen(NULL, xpGlobalHistory,XP_FILE_READ_BIN);
- else
- file = XP_FileOpen(NULL, xpURL,XP_FILE_READ_BIN);
- if (file != NULL) {
- for (;;) {
- bytes = XP_FileRead(buffer, sizeof(buffer), file);
- if (bytes == 0) break;
- RNG_RandomUpdate( buffer, bytes);
- totalFileBytes += bytes;
- if (totalFileBytes > 100*1024) break; /* No more than 100 K */
- }
- XP_FileClose(file);
- }
-#endif
- /*
- * Pass yet another snapshot of our highest resolution clock into
- * the hash function.
- */
- bytes = RNG_GetNoise(buffer, sizeof(buffer));
- RNG_RandomUpdate(buffer, sizeof(buffer));
-}
-
-void RNG_SystemInfoForRNG()
-{
-/* Time */
- {
- unsigned long sec;
- size_t bytes;
- GetDateTime(&sec); /* Current time since 1970 */
- RNG_RandomUpdate( &sec, sizeof(sec));
- bytes = RNG_GetNoise(&sec, sizeof(sec));
- RNG_RandomUpdate(&sec, bytes);
- }
-/* User specific variables */
- {
- MachineLocation loc;
- ReadLocation(&loc);
- RNG_RandomUpdate( &loc, sizeof(loc));
- }
-#if !TARGET_CARBON
-/* User name */
- {
- unsigned long userRef;
- Str32 userName;
- GetDefaultUser(&userRef, userName);
- RNG_RandomUpdate( &userRef, sizeof(userRef));
- RNG_RandomUpdate( userName, sizeof(userName));
- }
-#endif
-/* Mouse location */
- {
- Point mouseLoc;
- GetMouse(&mouseLoc);
- RNG_RandomUpdate( &mouseLoc, sizeof(mouseLoc));
- }
-/* Keyboard time threshold */
- {
- SInt16 keyTresh = LMGetKeyThresh();
- RNG_RandomUpdate( &keyTresh, sizeof(keyTresh));
- }
-/* Last key pressed */
- {
- SInt8 keyLast;
- keyLast = LMGetKbdLast();
- RNG_RandomUpdate( &keyLast, sizeof(keyLast));
- }
-/* Volume */
- {
- UInt8 volume = LMGetSdVolume();
- RNG_RandomUpdate( &volume, sizeof(volume));
- }
-#if !TARGET_CARBON
-/* Current directory */
- {
- SInt32 dir = LMGetCurDirStore();
- RNG_RandomUpdate( &dir, sizeof(dir));
- }
-#endif
-/* Process information about all the processes in the machine */
- {
- ProcessSerialNumber process;
- ProcessInfoRec pi;
-
- process.highLongOfPSN = process.lowLongOfPSN = kNoProcess;
-
- while (GetNextProcess(&process) == noErr)
- {
- FSSpec fileSpec;
- pi.processInfoLength = sizeof(ProcessInfoRec);
- pi.processName = NULL;
- pi.processAppSpec = &fileSpec;
- GetProcessInformation(&process, &pi);
- RNG_RandomUpdate( &pi, sizeof(pi));
- RNG_RandomUpdate( &fileSpec, sizeof(fileSpec));
- }
- }
-
-#if !TARGET_CARBON
-/* Heap */
- {
- THz zone = LMGetTheZone();
- RNG_RandomUpdate( &zone, sizeof(zone));
- }
-#endif
-
-/* Screen */
- {
- GDHandle h = GetMainDevice(); /* GDHandle is **GDevice */
- RNG_RandomUpdate( *h, sizeof(GDevice));
- }
-
-#if !TARGET_CARBON
-/* Scrap size */
- {
- SInt32 scrapSize = LMGetScrapSize();
- RNG_RandomUpdate( &scrapSize, sizeof(scrapSize));
- }
-/* Scrap count */
- {
- SInt16 scrapCount = LMGetScrapCount();
- RNG_RandomUpdate( &scrapCount, sizeof(scrapCount));
- }
-#else
- {
- ScrapRef scrap;
- if (GetCurrentScrap(&scrap) == noErr) {
- UInt32 flavorCount;
- if (GetScrapFlavorCount(scrap, &flavorCount) == noErr) {
- ScrapFlavorInfo* flavorInfo = (ScrapFlavorInfo*) malloc(flavorCount * sizeof(ScrapFlavorInfo));
- if (flavorInfo != NULL) {
- if (GetScrapFlavorInfoList(scrap, &flavorCount, flavorInfo) == noErr) {
- UInt32 i;
- RNG_RandomUpdate(&flavorCount, sizeof(flavorCount));
- for (i = 0; i < flavorCount; ++i) {
- Size flavorSize;
- if (GetScrapFlavorSize(scrap, flavorInfo[i].flavorType, &flavorSize) == noErr)
- RNG_RandomUpdate(&flavorSize, sizeof(flavorSize));
- }
- }
- free(flavorInfo);
- }
- }
- }
- }
-#endif
-/* File stuff, last modified, etc. */
- {
- HParamBlockRec pb;
- GetVolParmsInfoBuffer volInfo;
- pb.ioParam.ioVRefNum = 0;
- pb.ioParam.ioNamePtr = nil;
- pb.ioParam.ioBuffer = (Ptr) &volInfo;
- pb.ioParam.ioReqCount = sizeof(volInfo);
- PBHGetVolParmsSync(&pb);
- RNG_RandomUpdate( &volInfo, sizeof(volInfo));
- }
-#if !TARGET_CARBON
-/* Event queue */
- {
- EvQElPtr eventQ;
- for (eventQ = (EvQElPtr) LMGetEventQueue()->qHead;
- eventQ;
- eventQ = (EvQElPtr)eventQ->qLink)
- RNG_RandomUpdate( &eventQ->evtQWhat, sizeof(EventRecord));
- }
-#endif
- FE_ReadScreen();
- RNG_FileForRNG(NULL);
-}
-
-void FE_ReadScreen()
-{
- UInt16 coords[4];
- PixMapHandle pmap;
- GDHandle gh;
- UInt16 screenHeight;
- UInt16 screenWidth; /* just what they say */
- UInt32 bytesToRead; /* number of bytes we're giving */
- UInt32 offset; /* offset into the graphics buffer */
- UInt16 rowBytes;
- UInt32 rowsToRead;
- float bytesPerPixel; /* dependent on buffer depth */
- Ptr p; /* temporary */
- UInt16 x, y, w, h;
-
- gh = LMGetMainDevice();
- if ( !gh )
- return;
- pmap = (**gh).gdPMap;
- if ( !pmap )
- return;
-
- RNG_GenerateGlobalRandomBytes( coords, sizeof( coords ) );
-
- /* make x and y inside the screen rect */
- screenHeight = (**pmap).bounds.bottom - (**pmap).bounds.top;
- screenWidth = (**pmap).bounds.right - (**pmap).bounds.left;
- x = coords[0] % screenWidth;
- y = coords[1] % screenHeight;
- w = ( coords[2] & 0x7F ) | 0x40; /* Make sure that w is in the range 64..128 */
- h = ( coords[3] & 0x7F ) | 0x40; /* same for h */
-
- bytesPerPixel = (**pmap).pixelSize / 8;
- rowBytes = (**pmap).rowBytes & 0x7FFF;
-
- /* starting address */
- offset = ( rowBytes * y ) + (UInt32)( (float)x * bytesPerPixel );
-
- /* don't read past the end of the pixmap's rowbytes */
- bytesToRead = PR_MIN( (UInt32)( w * bytesPerPixel ),
- (UInt32)( rowBytes - ( x * bytesPerPixel ) ) );
-
- /* don't read past the end of the graphics device pixmap */
- rowsToRead = PR_MIN( h,
- ( screenHeight - y ) );
-
- p = GetPixBaseAddr( pmap ) + offset;
-
- while ( rowsToRead-- )
- {
- RNG_RandomUpdate( p, bytesToRead );
- p += rowBytes;
- }
-}
-#endif
--- a/security/nss/lib/freebl/md2.c
+++ b/security/nss/lib/freebl/md2.c
@@ -95,17 +95,17 @@ MD2_Hash(unsigned char *dest, const char
{
unsigned int len;
MD2Context *cx = MD2_NewContext();
if (!cx) {
PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
return SECFailure;
}
MD2_Begin(cx);
- MD2_Update(cx, (unsigned char *)src, PL_strlen(src));
+ MD2_Update(cx, (const unsigned char *)src, PORT_Strlen(src));
MD2_End(cx, dest, &len, MD2_DIGEST_LEN);
MD2_DestroyContext(cx, PR_TRUE);
return SECSuccess;
}
MD2Context *
MD2_NewContext(void)
{
--- a/security/nss/lib/freebl/md5.c
+++ b/security/nss/lib/freebl/md5.c
@@ -217,17 +217,17 @@ struct MD5ContextStr {
} u;
};
#define inBuf u.b
SECStatus
MD5_Hash(unsigned char *dest, const char *src)
{
- return MD5_HashBuf(dest, (unsigned char *)src, PL_strlen(src));
+ return MD5_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src));
}
SECStatus
MD5_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
{
unsigned int len;
MD5Context cx;
--- a/security/nss/lib/freebl/sysrand.c
+++ b/security/nss/lib/freebl/sysrand.c
@@ -36,14 +36,11 @@
#include "seccomon.h"
#if defined(XP_UNIX) || defined(XP_BEOS)
#include "unix_rand.c"
#endif
#ifdef XP_WIN
#include "win_rand.c"
#endif
-#ifdef XP_MAC
-#include "mac_rand.c"
-#endif
#ifdef XP_OS2
#include "os2_rand.c"
#endif
--- a/security/nss/lib/jar/jarfile.c
+++ b/security/nss/lib/jar/jarfile.c
@@ -355,17 +355,18 @@ static int jar_physical_inflate
long at, chunk;
char *inbuf, *outbuf;
int status = 0;
unsigned long prev_total, ochunk, tin;
- if ((inbuf = (char *) PORT_ZAlloc (ICHUNK)) == NULL)
+ /* Raw inflate in zlib 1.1.4 needs an extra dummy byte at the end */
+ if ((inbuf = (char *) PORT_ZAlloc (ICHUNK + 1)) == NULL)
return JAR_ERR_MEMORY;
if ((outbuf = (char *) PORT_ZAlloc (OCHUNK)) == NULL)
{
PORT_Free (inbuf);
return JAR_ERR_MEMORY;
}
@@ -395,16 +396,22 @@ static int jar_physical_inflate
JAR_FCLOSE (out);
PORT_Free (inbuf);
PORT_Free (outbuf);
return JAR_ERR_CORRUPT;
}
at += chunk;
+ if (at == length)
+ {
+ /* add an extra dummy byte at the end */
+ inbuf[chunk++] = 0xDD;
+ }
+
zs.next_in = (Bytef *) inbuf;
zs.avail_in = chunk;
zs.avail_out = OCHUNK;
tin = zs.total_in;
while ((zs.total_in - tin < chunk) || (zs.avail_out == 0))
{
@@ -626,17 +633,17 @@ static int jar_extract_mf (JAR *jar, jar
JAR_Item *it;
JAR_Physical *phy;
ZZLink *link;
ZZList *list;
char *fn, *e;
- char ZHUGEP *manifest = NULL;
+ char ZHUGEP *manifest;
long length;
int status, ret = 0, num;
list = jar->phy;
if (ZZ_ListEmpty (list))
return JAR_ERR_PNF;
@@ -671,42 +678,43 @@ static int jar_extract_mf (JAR *jar, jar
if (*e == '.') e++;
if (PORT_Strcasecmp (ext, e))
{
/* not the right extension */
continue;
}
- if (phy->length == 0)
+ if (phy->length == 0 || phy->length > 0xFFFF)
{
- /* manifest files cannot be zero length! */
+ /* manifest files cannot be zero length or too big! */
+ /* the 0xFFFF limit is per J2SE SDK */
return JAR_ERR_CORRUPT;
}
/* Read in the manifest and parse it */
- /* limit is per J2SE SDK */
- if (phy->length <= 0xFFFF) {
- manifest = (char ZHUGEP *) PORT_ZAlloc (phy->length + 1);
- }
+ /* Raw inflate in zlib 1.1.4 needs an extra dummy byte at the end */
+ manifest = (char ZHUGEP *) PORT_ZAlloc (phy->length + 1);
if (manifest)
{
JAR_FSEEK (fp, phy->offset, (PRSeekWhence)0);
num = JAR_FREAD (fp, manifest, phy->length);
if (num != phy->length)
{
/* corrupt archive file */
PORT_Free (manifest);
return JAR_ERR_CORRUPT;
}
if (phy->compression == 8)
{
length = phy->length;
+ /* add an extra dummy byte at the end */
+ manifest[length++] = 0xDD;
status = jar_inflate_memory ((unsigned int) phy->compression, &length, phy->uncompressed_length, &manifest);
if (status < 0)
{
PORT_Free (manifest);
return status;
}
--- a/security/nss/lib/libpkix/pkix/checker/manifest.mn
+++ b/security/nss/lib/libpkix/pkix/checker/manifest.mn
@@ -36,27 +36,43 @@
#
# ***** END LICENSE BLOCK *****
CORE_DEPTH = ../../../../..
EXPORTS = \
$(NULL)
PRIVATE_EXPORTS = \
+ pkix_basicconstraintschecker.h \
pkix_certchainchecker.h \
+ pkix_defaultcrlchecker.h \
pkix_defaultrevchecker.h \
+ pkix_expirationchecker.h \
+ pkix_namechainingchecker.h \
+ pkix_nameconstraintschecker.h \
pkix_ocspchecker.h \
+ pkix_policychecker.h \
pkix_revocationchecker.h \
+ pkix_signaturechecker.h \
+ pkix_targetcertchecker.h \
$(NULL)
MODULE = nss
CSRCS = \
+ pkix_basicconstraintschecker.c \
pkix_certchainchecker.c \
+ pkix_defaultcrlchecker.c \
pkix_defaultrevchecker.c \
+ pkix_expirationchecker.c \
+ pkix_namechainingchecker.c \
+ pkix_nameconstraintschecker.c \
pkix_ocspchecker.c \
pkix_revocationchecker.c \
+ pkix_policychecker.c \
+ pkix_signaturechecker.c \
+ pkix_targetcertchecker.c \
$(NULL)
REQUIRES = dbm
LIBRARY_NAME = pkixchecker
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.c
@@ -0,0 +1,339 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
+ *
+ * Contributor(s):
+ * Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_basicconstraintschecker.c
+ *
+ * Functions for basic constraints validation
+ *
+ */
+
+#include "pkix_basicconstraintschecker.h"
+
+/* --Private-BasicConstraintsCheckerState-Functions------------------------- */
+
+/*
+ * FUNCTION: pkix_BasicConstraintsCheckerState_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_BasicConstraintsCheckerState_Destroy(
+ PKIX_PL_Object *object,
+ void *plContext)
+{
+ pkix_BasicConstraintsCheckerState *state = NULL;
+
+ PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
+ "pkix_BasicConstraintsCheckerState_Destroy");
+
+ PKIX_NULLCHECK_ONE(object);
+
+ /* Check that this object is a basic constraints checker state */
+ PKIX_CHECK(pkix_CheckType
+ (object, PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE, plContext),
+ PKIX_OBJECTNOTBASICCONSTRAINTSCHECKERSTATE);
+
+ state = (pkix_BasicConstraintsCheckerState *)object;
+
+ PKIX_DECREF(state->basicConstraintsOID);
+
+cleanup:
+
+ PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_BasicConstraintsCheckerState_RegisterSelf
+ * DESCRIPTION:
+ * Registers PKIX_CERT_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ * Not Thread Safe - for performance and complexity reasons
+ *
+ * Since this function is only called by PKIX_PL_Initialize, which should
+ * only be called once, it is acceptable that this function is not
+ * thread-safe.
+ */
+PKIX_Error *
+pkix_BasicConstraintsCheckerState_RegisterSelf(void *plContext)
+{
+ extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+ pkix_ClassTable_Entry entry;
+
+ PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
+ "pkix_BasicConstraintsCheckerState_RegisterSelf");
+
+ entry.description = "BasicConstraintsCheckerState";
+ entry.objCounter = 0;
+ entry.typeObjectSize = sizeof(pkix_BasicConstraintsCheckerState);
+ entry.destructor = pkix_BasicConstraintsCheckerState_Destroy;
+ entry.equalsFunction = NULL;
+ entry.hashcodeFunction = NULL;
+ entry.toStringFunction = NULL;
+ entry.comparator = NULL;
+ entry.duplicateFunction = NULL;
+
+ systemClasses[PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE] = entry;
+
+ PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_BasicConstraintsCheckerState_Create
+ * DESCRIPTION:
+ *
+ * Creates a new BasicConstraintsCheckerState using the number of certs in
+ * the chain represented by "certsRemaining" and stores it at "pState".
+ *
+ * PARAMETERS:
+ * "certsRemaining"
+ * Number of certificates in the chain.
+ * "pState"
+ * Address where object pointer will be stored. Must be non-NULL.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a BasicConstraintsCheckerState Error if the function fails in a
+ * non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+static PKIX_Error *
+pkix_BasicConstraintsCheckerState_Create(
+ PKIX_UInt32 certsRemaining,
+ pkix_BasicConstraintsCheckerState **pState,
+ void *plContext)
+{
+ pkix_BasicConstraintsCheckerState *state = NULL;
+
+ PKIX_ENTER(BASICCONSTRAINTSCHECKERSTATE,
+ "pkix_BasicConstraintsCheckerState_Create");
+
+ PKIX_NULLCHECK_ONE(pState);
+
+ PKIX_CHECK(PKIX_PL_Object_Alloc
+ (PKIX_BASICCONSTRAINTSCHECKERSTATE_TYPE,
+ sizeof (pkix_BasicConstraintsCheckerState),
+ (PKIX_PL_Object **)&state,
+ plContext),
+ PKIX_COULDNOTCREATEBASICCONSTRAINTSSTATEOBJECT);
+
+ /* initialize fields */
+ state->certsRemaining = certsRemaining;
+ state->maxPathLength = PKIX_UNLIMITED_PATH_CONSTRAINT;
+
+ PKIX_CHECK(PKIX_PL_OID_Create
+ (PKIX_BASICCONSTRAINTS_OID,
+ &state->basicConstraintsOID,
+ plContext),
+ PKIX_OIDCREATEFAILED);
+
+ *pState = state;
+ state = NULL;
+
+cleanup:
+
+ PKIX_DECREF(state);
+
+ PKIX_RETURN(BASICCONSTRAINTSCHECKERSTATE);
+}
+
+/* --Private-BasicConstraintsChecker-Functions------------------------------ */
+
+/*
+ * FUNCTION: pkix_BasicConstraintsChecker_Check
+ * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
+ */
+PKIX_Error *
+pkix_BasicConstraintsChecker_Check(
+ PKIX_CertChainChecker *checker,
+ PKIX_PL_Cert *cert,
+ PKIX_List *unresolvedCriticalExtensions, /* list of PKIX_PL_OID */
+ void **pNBIOContext,
+ void *plContext)
+{
+ PKIX_PL_CertBasicConstraints *basicConstraints = NULL;
+ pkix_BasicConstraintsCheckerState *state = NULL;
+ PKIX_Boolean caFlag = PKIX_FALSE;
+ PKIX_Int32 pathLength = 0;
+ PKIX_Int32 maxPathLength_now;
+ PKIX_Boolean isSelfIssued = PKIX_FALSE;
+
+ PKIX_ENTER(CERTCHAINCHECKER, "pkix_BasicConstraintsChecker_Check");
+ PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+ *pNBIOContext = NULL; /* we never block on pending I/O */
+
+ PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+ (checker, (PKIX_PL_Object **)&state, plContext),
+ PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+ state->certsRemaining--;
+
+ if (state->certsRemaining != 0) {
+
+ PKIX_CHECK(PKIX_PL_Cert_GetBasicConstraints
+ (cert, &basicConstraints, plContext),
+ PKIX_CERTGETBASICCONSTRAINTSFAILED);
+
+ /* get CA Flag and path length */
+ if (basicConstraints != NULL) {
+ PKIX_CHECK(PKIX_PL_BasicConstraints_GetCAFlag
+ (basicConstraints,
+ &caFlag,
+ plContext),
+ PKIX_BASICCONSTRAINTSGETCAFLAGFAILED);
+
+ if (caFlag == PKIX_TRUE) {
+ PKIX_CHECK
+ (PKIX_PL_BasicConstraints_GetPathLenConstraint
+ (basicConstraints,
+ &pathLength,
+ plContext),
+ PKIX_BASICCONSTRAINTSGETPATHLENCONSTRAINTFAILED);
+ }
+
+ }else{
+ caFlag = PKIX_FALSE;
+ pathLength = PKIX_UNLIMITED_PATH_CONSTRAINT;
+ }
+
+ PKIX_CHECK(pkix_IsCertSelfIssued
+ (cert,
+ &isSelfIssued,
+ plContext),
+ PKIX_ISCERTSELFISSUEDFAILED);
+
+ maxPathLength_now = state->maxPathLength;
+
+ if (isSelfIssued != PKIX_TRUE) {
+
+ /* Not last CA Cert, but maxPathLength is down to zero */
+ if (maxPathLength_now == 0) {
+ PKIX_ERROR(PKIX_BASICCONSTRAINTSVALIDATIONFAILEDLN);
+ }
+
+ if (caFlag == PKIX_FALSE) {
+ PKIX_ERROR(PKIX_BASICCONSTRAINTSVALIDATIONFAILEDCA);
+ }
+
+ if (maxPathLength_now > 0) { /* can be unlimited (-1) */
+ maxPathLength_now--;
+ }
+
+ }
+
+ if (caFlag == PKIX_TRUE) {
+ if (maxPathLength_now == PKIX_UNLIMITED_PATH_CONSTRAINT){
+ maxPathLength_now = pathLength;
+ } else {
+ /* If pathLength is not specified, don't set */
+ if (pathLength != PKIX_UNLIMITED_PATH_CONSTRAINT) {
+ maxPathLength_now =
+ (maxPathLength_now > pathLength)?
+ pathLength:maxPathLength_now;
+ }
+ }
+ }
+
+ state->maxPathLength = maxPathLength_now;
+ }
+
+ /* Remove Basic Constraints Extension OID from list */
+ if (unresolvedCriticalExtensions != NULL) {
+
+ PKIX_CHECK(pkix_List_Remove
+ (unresolvedCriticalExtensions,
+ (PKIX_PL_Object *) state->basicConstraintsOID,
+ plContext),
+ PKIX_LISTREMOVEFAILED);
+ }
+
+
+ PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
+ (checker, (PKIX_PL_Object *)state, plContext),
+ PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+
+
+cleanup:
+ PKIX_DECREF(state);
+ PKIX_DECREF(basicConstraints);
+ PKIX_RETURN(CERTCHAINCHECKER);
+
+}
+
+/*
+ * FUNCTION: pkix_BasicConstraintsChecker_Initialize
+ * DESCRIPTION:
+ * Registers PKIX_CERT_TYPE and its related functions with systemClasses[]
+ * THREAD SAFETY:
+ * Not Thread Safe - for performance and complexity reasons
+ *
+ * Since this function is only called by PKIX_PL_Initialize, which should
+ * only be called once, it is acceptable that this function is not
+ * thread-safe.
+ */
+PKIX_Error *
+pkix_BasicConstraintsChecker_Initialize(
+ PKIX_UInt32 certsRemaining,
+ PKIX_CertChainChecker **pChecker,
+ void *plContext)
+{
+ pkix_BasicConstraintsCheckerState *state = NULL;
+
+ PKIX_ENTER(CERTCHAINCHECKER, "pkix_BasicConstraintsChecker_Initialize");
+ PKIX_NULLCHECK_ONE(pChecker);
+
+ PKIX_CHECK(pkix_BasicConstraintsCheckerState_Create
+ (certsRemaining, &state, plContext),
+ PKIX_BASICCONSTRAINTSCHECKERSTATECREATEFAILED);
+
+ PKIX_CHECK(PKIX_CertChainChecker_Create
+ (pkix_BasicConstraintsChecker_Check,
+ PKIX_FALSE,
+ PKIX_FALSE,
+ NULL,
+ (PKIX_PL_Object *)state,
+ pChecker,
+ plContext),
+ PKIX_CERTCHAINCHECKERCHECKFAILED);
+
+cleanup:
+ PKIX_DECREF(state);
+
+ PKIX_RETURN(CERTCHAINCHECKER);
+}
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_basicconstraintschecker.h
@@ -0,0 +1,75 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
+ *
+ * Contributor(s):
+ * Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_basicconstraintschecker.h
+ *
+ * Header file for basic constraints checker.
+ *
+ */
+
+#ifndef _PKIX_BASICCONSTRAINTSCHECKER_H
+#define _PKIX_BASICCONSTRAINTSCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct pkix_BasicConstraintsCheckerStateStruct \
+ pkix_BasicConstraintsCheckerState;
+
+struct pkix_BasicConstraintsCheckerStateStruct{
+ PKIX_PL_OID *basicConstraintsOID;
+ PKIX_Int32 certsRemaining;
+ PKIX_Int32 maxPathLength;
+};
+
+PKIX_Error *
+pkix_BasicConstraintsChecker_Initialize(
+ PKIX_UInt32 numCerts,
+ PKIX_CertChainChecker **pChecker,
+ void *plContext);
+
+PKIX_Error *
+pkix_BasicConstraintsCheckerState_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_BASICCONSTRAINTSCHECKER_H */
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_defaultcrlchecker.c
@@ -0,0 +1,1205 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
+ *
+ * Contributor(s):
+ * Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_defaultcrlchecker.c
+ *
+ * Functions for default CRL Checkers
+ *
+ */
+#define CERTCHAINCHECKERDEBUG 1
+
+#include "pkix_defaultcrlchecker.h"
+
+static char *reasonCodeMsgString[] = {
+ "Certificate is revoked by CRL for unspecified reason"
+ "Certificate is revoked by CRL for key compromise",
+ "Certificate is revoked by CRL for CA compromise",
+ "Certificate is revoked by CRL for affiliation changed",
+ "Certificate is revoked by CRL for being superseded",
+ "Certificate is revoked by CRL for cessation of operation",
+ "Certificate is revoked by CRL for certificate hold",
+ "Certificate is revoked by CRL for undefined reason",
+ "Certificate is revoked by CRL for being removed from CRL",
+ "Certificate is revoked by CRL for privilege withdrawn",
+ "Certificate is revoked by CRL for aACompromise",
+};
+
+static const int numReasonCodes =
+ sizeof(reasonCodeMsgString) / sizeof(reasonCodeMsgString[0]);
+
+/* --Private-DefaultCRLCheckerState-Functions------------------------------- */
+
+/*
+ * FUNCTION: pkix_DefaultCRLCheckerstate_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_DefaultCRLCheckerState_Destroy(
+ PKIX_PL_Object *object,
+ void *plContext)
+{
+ pkix_DefaultCRLCheckerState *state = NULL;
+
+ PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
+ "pkix_DefaultCRLCheckerState_Destroy");
+ PKIX_NULLCHECK_ONE(object);
+
+ /* Check that this object is a default CRL checker state */
+ PKIX_CHECK(pkix_CheckType
+ (object, PKIX_DEFAULTCRLCHECKERSTATE_TYPE, plContext),
+ PKIX_OBJECTNOTDEFAULTCRLCHECKERSTATE);
+
+ state = (pkix_DefaultCRLCheckerState *)object;
+
+ state->certHasValidCrl = PKIX_FALSE;
+ state->prevCertCrlSign = PKIX_FALSE;
+ state->reasonCodeMask = 0;
+
+ PKIX_DECREF(state->certStores);
+ PKIX_DECREF(state->testDate);
+ PKIX_DECREF(state->prevPublicKey);
+ PKIX_DECREF(state->prevPublicKeyList);
+ PKIX_DECREF(state->crlReasonCodeOID);
+ PKIX_DECREF(state->certIssuer);
+ PKIX_DECREF(state->certSerialNumber);
+ PKIX_DECREF(state->crlSelector);
+ state->crlStoreIndex = 0;
+ state->numCrlStores = 0;
+
+cleanup:
+
+ PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLCheckerState_RegisterSelf
+ *
+ * DESCRIPTION:
+ * Registers PKIX_DEFAULTCRLCHECKERSTATE_TYPE and its related functions
+ * with systemClasses[]
+ *
+ * THREAD SAFETY:
+ * Not Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * Since this function is only called by PKIX_PL_Initialize, which should
+ * only be called once, it is acceptable that this function is not
+ * thread-safe.
+ */
+PKIX_Error *
+pkix_DefaultCRLCheckerState_RegisterSelf(void *plContext)
+{
+ extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+ pkix_ClassTable_Entry entry;
+
+ PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
+ "pkix_DefaultCRLCheckerState_RegisterSelf");
+
+ entry.description = "DefaultCRLCheckerState";
+ entry.objCounter = 0;
+ entry.typeObjectSize = sizeof(pkix_DefaultCRLCheckerState);
+ entry.destructor = pkix_DefaultCRLCheckerState_Destroy;
+ entry.equalsFunction = NULL;
+ entry.hashcodeFunction = NULL;
+ entry.toStringFunction = NULL;
+ entry.comparator = NULL;
+ entry.duplicateFunction = NULL;
+
+ systemClasses[PKIX_DEFAULTCRLCHECKERSTATE_TYPE] = entry;
+
+ PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLCheckerState_Create
+ *
+ * DESCRIPTION:
+ * Allocate and initialize DefaultCRLChecker state data.
+ *
+ * PARAMETERS
+ * "certStores"
+ * Address of CertStore List to be stored in state. Must be non-NULL.
+ * "testDate"
+ * Address of PKIX_PL_Date to be checked. May be NULL.
+ * "trustedPubKey"
+ * Trusted Anchor Public Key for verifying first Cert in the chain.
+ * Must be non-NULL.
+ * "certsRemaining"
+ * Number of certificates remaining in the chain.
+ * "nistCRLPolicyEnabled"
+ * If enabled, enforce nist crl policy.
+ * "pCheckerState"
+ * Address of DefaultCRLCheckerState that is returned. Must be non-NULL.
+ * "plContext"
+ * Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a DefaultCrlCheckerState Error if the function fails in a
+ * non-fatal way.
+ * Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_DefaultCRLCheckerState_Create(
+ PKIX_List *certStores,
+ PKIX_PL_Date *testDate,
+ PKIX_PL_PublicKey *trustedPubKey,
+ PKIX_UInt32 certsRemaining,
+ PKIX_Boolean nistCRLPolicyEnabled,
+ pkix_DefaultCRLCheckerState **pCheckerState,
+ void *plContext)
+{
+ pkix_DefaultCRLCheckerState *state = NULL;
+
+ PKIX_ENTER(DEFAULTCRLCHECKERSTATE,
+ "pkix_DefaultCRLCheckerState_Create");
+ PKIX_NULLCHECK_TWO(certStores, pCheckerState);
+
+ PKIX_CHECK(PKIX_PL_Object_Alloc
+ (PKIX_DEFAULTCRLCHECKERSTATE_TYPE,
+ sizeof (pkix_DefaultCRLCheckerState),
+ (PKIX_PL_Object **)&state,
+ plContext),
+ PKIX_COULDNOTCREATEDEFAULTCRLCHECKERSTATEOBJECT);
+
+ /* Initialize fields */
+
+ PKIX_INCREF(certStores);
+ state->certStores = certStores;
+
+ PKIX_INCREF(testDate);
+ state->testDate = testDate;
+
+ PKIX_INCREF(trustedPubKey);
+ state->prevPublicKey = trustedPubKey;
+
+ state->certHasValidCrl = PKIX_FALSE;
+ state->nistCRLPolicyEnabled = nistCRLPolicyEnabled;
+ state->prevCertCrlSign = PKIX_TRUE;
+ state->prevPublicKeyList = NULL;
+ state->reasonCodeMask = 0;
+ state->certsRemaining = certsRemaining;
+
+ PKIX_CHECK(PKIX_PL_OID_Create
+ (PKIX_CRLREASONCODE_OID,
+ &state->crlReasonCodeOID,
+ plContext),
+ PKIX_OIDCREATEFAILED);
+
+ state->certIssuer = NULL;
+ state->certSerialNumber = NULL;
+ state->crlSelector = NULL;
+ state->crlStoreIndex = 0;
+ state->numCrlStores = 0;
+
+ *pCheckerState = state;
+ state = NULL;
+
+cleanup:
+
+ PKIX_DECREF(state);
+
+ PKIX_RETURN(DEFAULTCRLCHECKERSTATE);
+}
+
+/* --Private-DefaultCRLChecker-Functions------------------------------------ */
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_CheckCRLs
+ *
+ * DESCRIPTION:
+ * Check validity of "cert" based on CRLs at "crlList" that has correct
+ * signature verification with "publicKey".
+ *
+ * PARAMETERS
+ * "cert"
+ * Address of Cert which has the certificate data. Must be non-NULL.
+ * "certIssuer"
+ * Address of Issuer that associates with the Cert. Must be non-NULL.
+ * "certSerialNumber"
+ * Address of Serial Number that associates with the Cert. Must be
+ * non-NULL.
+ * "publicKey"
+ * Address of Public Key that associates with the Cert Issuer.
+ * Must be non-NULL.
+ * "crlList"
+ * A List CRLs that the certificate is verified upon. Must be non-NULL.
+ * "state"
+ * Address of DefaultCRLCheckerState which keeps dynamic state data.
+ * Must be non-NULL.
+ * "pCrlEntryList"
+ * Address of PKIX_PL_CrlEntry List that contains valid CrlEntries for
+ * this Cert. May be NULL.
+ * "plContext"
+ * Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ * Conditionally Thread Safe
+ * (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_DefaultCRLChecker_CheckCRLs(
+ PKIX_PL_Cert *cert,
+ PKIX_PL_X500Name *certIssuer,
+ PKIX_PL_BigInt *certSerialNumber,
+ PKIX_PL_PublicKey *publicKey,
+ PKIX_List *crlList,
+ pkix_DefaultCRLCheckerState *state,
+ PKIX_List **pCrlEntryList,
+ void *plContext)
+{
+ PKIX_PL_CRL *crl = NULL;
+ PKIX_PL_CRLEntry *crlEntry = NULL;
+ PKIX_PL_PublicKey *pKey = NULL;
+ PKIX_List *unresCrlCritExtOIDs = NULL;
+ PKIX_List *unresCrlEntryCritExtOIDs = NULL;
+ PKIX_List *crlEntryList = NULL;
+ PKIX_Error *verifyFail = NULL;
+ PKIX_UInt32 numCrls = 0;
+ PKIX_UInt32 numKeys = 0;
+ PKIX_UInt32 numCritExtOIDs = 0;
+ PKIX_Boolean crlVerified = PKIX_FALSE;
+ PKIX_Boolean crlRevoking = PKIX_FALSE;
+ PKIX_Int32 reasonCode = 0;
+ PKIX_UInt32 i;
+ PKIX_Int32 j;
+
+ PKIX_ENTER(CERTCHAINCHECKER,
+ "pkix_DefaultCRLChecker_CheckCRLs");
+ PKIX_NULLCHECK_FOUR(cert, publicKey, crlList, state);
+
+ PKIX_CHECK(PKIX_List_GetLength(crlList, &numCrls, plContext),
+ PKIX_LISTGETLENGTHFAILED);
+
+ if (state->prevPublicKeyList != NULL) {
+
+ PKIX_CHECK(PKIX_List_GetLength
+ (state->prevPublicKeyList, &numKeys, plContext),
+ PKIX_LISTGETLENGTHFAILED);
+ }
+
+ /* Check if Cert is not revoked by any the the CRLs */
+
+ for (i = 0; i < numCrls; i++){
+
+ PKIX_CHECK(PKIX_List_GetItem
+ (crlList, i, (PKIX_PL_Object **)&crl, plContext),
+ PKIX_LISTGETITEMFAILED);
+
+ /*
+ * Checking serial number (issuer done in selector) then
+ * verify signature. If matches, get the CRL reason(s).
+ */
+
+ if (state->prevCertCrlSign == PKIX_TRUE) {
+ verifyFail = PKIX_PL_CRL_VerifySignature
+ (crl, publicKey, plContext);
+ if (verifyFail == NULL) {
+ crlVerified = PKIX_TRUE;
+ } else {
+ crlVerified = PKIX_FALSE;
+ PKIX_DECREF(verifyFail);
+ }
+ }
+
+ if (crlVerified == PKIX_FALSE) {
+
+ /* Verify from old key(s) on the list */
+ for (j = numKeys - 1; j >= 0; j--) {
+
+ PKIX_CHECK(PKIX_List_GetItem
+ (state->prevPublicKeyList,
+ j,
+ (PKIX_PL_Object **) &pKey,
+ plContext),
+ PKIX_LISTGETITEMFAILED);
+
+ verifyFail = PKIX_PL_CRL_VerifySignature
+ (crl, pKey, plContext);
+
+ if (verifyFail == NULL) {
+ crlVerified = PKIX_TRUE;
+ break;
+ } else {
+ crlVerified = PKIX_FALSE;
+ PKIX_DECREF(verifyFail);
+ }
+
+ PKIX_DECREF(pKey);
+ }
+ }
+
+ if (crlVerified == PKIX_FALSE) {
+ /* try next one ... */
+ goto cleanup_loop;
+ }
+
+ state->certHasValidCrl = PKIX_TRUE;
+
+ PKIX_CHECK(PKIX_PL_CRL_GetCriticalExtensionOIDs
+ (crl, &unresCrlCritExtOIDs, plContext),
+ PKIX_CRLGETCRITICALEXTENSIONOIDSFAILED);
+
+ /*
+ * XXX Advanced CRL work - should put a
+ * Loop here to process and remove critical
+ * extension oids.
+ */
+
+ if (unresCrlCritExtOIDs) {
+
+ PKIX_CHECK(PKIX_List_GetLength(unresCrlCritExtOIDs,
+ &numCritExtOIDs,
+ plContext),
+ PKIX_LISTGETLENGTHFAILED);
+
+ if (numCritExtOIDs != 0) {
+ PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
+ (PKIX_CRLCRITICALEXTENSIONOIDSNOTPROCESSED);
+ /*
+ * Uncomment this after we have implemented
+ * checkers for all the critical extensions.
+ *
+ * PKIX_ERROR
+ * ("Unrecognized CRL Critical Extension");
+ */
+ }
+ }
+
+ PKIX_CHECK(PKIX_PL_CRL_GetCRLEntryForSerialNumber
+ (crl, certSerialNumber, &crlEntry, plContext),
+ PKIX_CRLGETCRLENTRYFORSERIALNUMBERFAILED);
+
+ if (crlEntry == NULL) {
+ goto cleanup_loop;
+ }
+
+ crlRevoking = PKIX_TRUE;
+
+ PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
+ (crlEntry,
+ &reasonCode,
+ plContext),
+ PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
+
+ /* This is a valid CRLEntry, return it for caching */
+ if (crlEntryList == NULL) {
+ PKIX_CHECK(PKIX_List_Create(&crlEntryList, plContext),
+ PKIX_LISTCREATEFAILED);
+
+ }
+
+ PKIX_CHECK(PKIX_List_AppendItem
+ (crlEntryList, (PKIX_PL_Object *) crlEntry, plContext),
+ PKIX_LISTAPPENDITEMFAILED);
+
+ /* Set reason code in state for advance CRL reviewing */
+
+ if (reasonCode >= 0) {
+ if (reasonCode >= numReasonCodes)
+ reasonCode = 0;
+
+ state->reasonCodeMask |= 1 << reasonCode;
+ PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG
+ ("CRL revocation Reason: %s\n ",
+ reasonCodeMsgString[reasonCode]);
+
+ } else {
+ PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
+ ("Revoked by Unknown CRL ReasonCode");
+ }
+
+ PKIX_CHECK(PKIX_PL_CRLEntry_GetCriticalExtensionOIDs
+ (crlEntry, &unresCrlEntryCritExtOIDs, plContext),
+ PKIX_CRLENTRYGETCRITICALEXTENSIONOIDSFAILED);
+ if (unresCrlEntryCritExtOIDs) {
+
+ PKIX_CHECK(pkix_List_Remove
+ (unresCrlEntryCritExtOIDs,
+ (PKIX_PL_Object *) state->crlReasonCodeOID,
+ plContext),
+ PKIX_LISTREMOVEFAILED);
+
+ PKIX_CHECK(PKIX_List_GetLength(unresCrlEntryCritExtOIDs,
+ &numCritExtOIDs,
+ plContext),
+ PKIX_LISTGETLENGTHFAILED);
+
+ if (numCritExtOIDs != 0) {
+
+ PKIX_DEFAULTCRLCHECKERSTATE_DEBUG
+ (PKIX_CRLENTRYCRITICALEXTENSIONWASNOTPROCESSED);
+ PKIX_ERROR(PKIX_UNRECOGNIZEDCRLENTRYCRITICALEXTENSION);
+ }
+ }
+
+ cleanup_loop:
+
+ PKIX_DECREF(pKey);
+ PKIX_DECREF(verifyFail);
+ PKIX_DECREF(pKey);
+ PKIX_DECREF(crlEntry);
+ PKIX_DECREF(crl);
+ PKIX_DECREF(unresCrlCritExtOIDs);
+ PKIX_DECREF(unresCrlEntryCritExtOIDs);
+ }
+
+ *pCrlEntryList = crlEntryList;
+
+ if (crlRevoking == PKIX_TRUE) {
+
+ PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
+ }
+
+cleanup:
+
+ PKIX_DECREF(pKey);
+ PKIX_DECREF(verifyFail);
+ PKIX_DECREF(crlEntry);
+ PKIX_DECREF(crl);
+ PKIX_DECREF(unresCrlCritExtOIDs);
+ PKIX_DECREF(unresCrlEntryCritExtOIDs);
+
+ PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_Check_SetSelector
+ *
+ * DESCRIPTION:
+ * This function creates a CRLSelector suitable for finding a CRL for
+ * the Cert pointed to by "cert", setting the result in the
+ * defaultCRLCheckerState pointed to by "state".
+ *
+ * PARAMETERS
+ * "cert"
+ * Address of Cert for which a CRLSelector is to be constructed. Must be
+ * non-NULL.
+ * "state"
+ * Address of defaultCRLCheckerState whose CRLSelector is to be set. Must
+ * be non-NULL.
+ * "plContext"
+ * Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a DefaultCrlCheckerState Error if the function fails in a
+ * non-fatal way.
+ * Returns a Fatal Error
+ */
+PKIX_Error *
+pkix_DefaultCRLChecker_Check_SetSelector(
+ PKIX_PL_Cert *cert,
+ pkix_DefaultCRLCheckerState *state,
+ void *plContext)
+{
+ PKIX_PL_X500Name *certIssuer = NULL;
+ PKIX_PL_BigInt *certSerialNumber = NULL;
+ PKIX_PL_Date *nowDate = NULL;
+ PKIX_ComCRLSelParams *comCrlSelParams = NULL;
+ PKIX_CRLSelector *crlSelector = NULL;
+
+ PKIX_ENTER
+ (CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_SetSelector");
+ PKIX_NULLCHECK_TWO(cert, state);
+
+ PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &certIssuer, plContext),
+ PKIX_CERTGETISSUERFAILED);
+
+ PKIX_CHECK(PKIX_PL_Cert_GetSerialNumber
+ (cert, &certSerialNumber, plContext),
+ PKIX_CERTGETSERIALNUMBERFAILED);
+
+ if (state->testDate != NULL) {
+
+ PKIX_INCREF(state->testDate);
+ nowDate = state->testDate;
+
+ } else {
+
+ PKIX_CHECK(PKIX_PL_Date_Create_UTCTime
+ (NULL, &nowDate, plContext),
+ PKIX_DATECREATEUTCTIMEFAILED);
+ }
+
+ PKIX_CHECK(PKIX_ComCRLSelParams_Create
+ (&comCrlSelParams, plContext),
+ PKIX_COMCRLSELPARAMSCREATEFAILED);
+
+ PKIX_CHECK(PKIX_ComCRLSelParams_AddIssuerName
+ (comCrlSelParams, certIssuer, plContext),
+ PKIX_COMCRLSELPARAMSADDISSUERNAMEFAILED);
+
+ PKIX_CHECK(PKIX_ComCRLSelParams_SetDateAndTime
+ (comCrlSelParams, nowDate, plContext),
+ PKIX_COMCRLSELPARAMSSETDATEANDTIMEFAILED);
+
+ PKIX_CHECK(PKIX_ComCRLSelParams_SetNISTPolicyEnabled
+ (comCrlSelParams, state->nistCRLPolicyEnabled, plContext),
+ PKIX_COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED);
+
+ PKIX_CHECK(PKIX_CRLSelector_Create
+ (NULL,
+ NULL, /* never used? (PKIX_PL_Object *)checker, */
+ &crlSelector,
+ plContext),
+ PKIX_CRLSELECTORCREATEFAILED);
+
+ PKIX_CHECK(PKIX_CRLSelector_SetCommonCRLSelectorParams
+ (crlSelector, comCrlSelParams, plContext),
+ PKIX_CRLSELECTORSETCOMMONCRLSELECTORPARAMSFAILED);
+
+ PKIX_DECREF(state->certIssuer);
+ PKIX_INCREF(certIssuer);
+ state->certIssuer = certIssuer;
+ PKIX_DECREF(state->certSerialNumber);
+ PKIX_INCREF(certSerialNumber);
+ state->certSerialNumber = certSerialNumber;
+ PKIX_DECREF(state->crlSelector);
+ PKIX_INCREF(crlSelector);
+ state->crlSelector = crlSelector;
+
+ state->crlStoreIndex = 0;
+
+ PKIX_CHECK(PKIX_List_GetLength
+ (state->certStores, &(state->numCrlStores), plContext),
+ PKIX_LISTGETLENGTHFAILED);
+
+ state->certHasValidCrl = PKIX_FALSE;
+
+cleanup:
+
+ PKIX_DECREF(certIssuer);
+ PKIX_DECREF(certSerialNumber);
+ PKIX_DECREF(nowDate);
+ PKIX_DECREF(comCrlSelParams);
+ PKIX_DECREF(crlSelector);
+
+ PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_Check_Store
+ *
+ * DESCRIPTION:
+ * Checks the certStore pointed to by "certStore" for a CRL that may determine
+ * whether the Cert pointed to by "cert" has been revoked.
+ *
+ * PARAMETERS
+ * "checker"
+ * Address of CertChainChecker which has the state data.
+ * Must be non-NULL.
+ * "cert"
+ * Address of Certificate that is to be validated. Must be non-NULL.
+ * "prevPublicKey"
+ * Address of previous public key in the backward chain. May be NULL.
+ * "state"
+ * Address of DefaultCrlCheckerState. Must be non-NULL.
+ * "unresolvedCriticalExtensions"
+ * A List OIDs. Not **yet** used in this checker function.
+ * "certStore"
+ * Address of the CertStore to be queried for a relevant CRL. Must be
+ * non-NULL.
+ * "pNBIOContext"
+ * Address at which platform-dependent information is stored if processing
+ * is suspended for non-blocking I/O. Must be non-NULL.
+ * "plContext"
+ * Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a DefaultCrlCheckerState Error if the function fails in a
+ * non-fatal way.
+ * Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_DefaultCRLChecker_Check_Store(
+ PKIX_CertChainChecker *checker,
+ PKIX_PL_Cert *cert,
+ PKIX_PL_PublicKey *prevPublicKey,
+ pkix_DefaultCRLCheckerState *state,
+ PKIX_List *unresolvedCriticalExtensions,
+ PKIX_CertStore *certStore,
+ void **pNBIOContext,
+ void *plContext)
+{
+
+ PKIX_Boolean cacheFlag = PKIX_FALSE;
+ PKIX_Boolean cacheHit = PKIX_FALSE;
+ PKIX_UInt32 numEntries = 0;
+ PKIX_UInt32 i = 0;
+ PKIX_Int32 reasonCode = 0;
+ PKIX_UInt32 allReasonCodes = 0;
+ PKIX_List *crlList = NULL;
+ PKIX_List *crlEntryList = NULL;
+ PKIX_PL_CRLEntry *crlEntry = NULL;
+ PKIX_Error *checkCrlFail = NULL;
+ PKIX_CertStore_CRLCallback getCrls = NULL;
+ void *nbioContext = NULL;
+
+ PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Store");
+ PKIX_NULLCHECK_TWO(checker, cert);
+ PKIX_NULLCHECK_THREE(state, certStore, pNBIOContext);
+
+ nbioContext = *pNBIOContext;
+ *pNBIOContext = NULL;
+
+ /* Are this CertStore's entries in cache? */
+ PKIX_CHECK(PKIX_CertStore_GetCertStoreCacheFlag
+ (certStore, &cacheFlag, plContext),
+ PKIX_CERTSTOREGETCERTSTORECACHEFLAGFAILED);
+
+ if (cacheFlag) {
+
+ PKIX_CHECK(pkix_CacheCrlEntry_Lookup
+ (certStore,
+ state->certIssuer,
+ state->certSerialNumber,
+ &cacheHit,
+ &crlEntryList,
+ plContext),
+ PKIX_CACHECRLENTRYLOOKUPFAILED);
+
+ }
+
+ if (cacheHit) {
+
+ /* Use cached data */
+
+ PKIX_CHECK(PKIX_List_GetLength
+ (crlEntryList, &numEntries, plContext),
+ PKIX_LISTGETLENGTHFAILED);
+
+ for (i = 0; i < numEntries; i++) {
+
+ PKIX_CHECK(PKIX_List_GetItem
+ (crlEntryList,
+ i,
+ (PKIX_PL_Object **)&crlEntry,
+ plContext),
+ PKIX_LISTGETITEMFAILED);
+
+ PKIX_CHECK(PKIX_PL_CRLEntry_GetCRLEntryReasonCode
+ (crlEntry, &reasonCode, plContext),
+ PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED);
+
+ if (reasonCode >= 0) {
+ if (reasonCode >= numReasonCodes)
+ reasonCode = 0;
+
+ allReasonCodes |= (1 << reasonCode);
+
+ PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG
+ ("CRL revocation Reason: %s\n ",
+ reasonCodeMsgString[reasonCode]);
+
+ }
+
+ PKIX_DECREF(crlEntry);
+ }
+
+ state->reasonCodeMask |= allReasonCodes;
+
+ if (allReasonCodes != 0) {
+
+ PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
+ }
+
+ PKIX_DECREF(crlEntryList);
+
+ } else {
+
+ if (nbioContext == NULL) {
+ PKIX_CHECK(PKIX_CertStore_GetCRLCallback
+ (certStore, &getCrls, plContext),
+ PKIX_CERTSTOREGETCRLCALLBACKFAILED);
+
+ PKIX_CHECK(getCrls
+ (certStore,
+ state->crlSelector,
+ &nbioContext,
+ &crlList,
+ plContext),
+ PKIX_GETCRLSFAILED);
+ } else {
+ PKIX_CHECK(PKIX_CertStore_CrlContinue
+ (certStore,
+ state->crlSelector,
+ &nbioContext,
+ &crlList,
+ plContext),
+ PKIX_CERTSTORECRLCONTINUEFAILED);
+ }
+
+ /*
+ * Verify Certificate validity: if one CertStore provides
+ * reason code, we stop here. Instead of exhausting all
+ * CertStores to get all possible reason codes associated
+ * with the Cert. May be expanded if desire otherwise.
+ */
+
+ if (crlList == NULL) {
+
+ *pNBIOContext = nbioContext;
+ } else {
+
+ *pNBIOContext = NULL;
+
+ checkCrlFail = pkix_DefaultCRLChecker_CheckCRLs
+ (cert,
+ state->certIssuer,
+ state->certSerialNumber,
+ prevPublicKey,
+ crlList,
+ state,
+ &crlEntryList,
+ plContext);
+
+ if (checkCrlFail) {
+ if (crlEntryList != NULL) {
+ /* Add to cache */
+ PKIX_CHECK(pkix_CacheCrlEntry_Add
+ (certStore,
+ state->certIssuer,
+ state->certSerialNumber,
+ crlEntryList,
+ plContext),
+ PKIX_CACHECRLENTRYADDFAILED);
+ }
+ PKIX_ERROR(PKIX_CERTIFICATEREVOKEDBYCRL);
+ }
+ }
+
+ PKIX_DECREF(crlList);
+
+ }
+
+cleanup:
+ PKIX_DECREF(crlEntryList);
+ PKIX_DECREF(crlEntry);
+ PKIX_DECREF(crlList);
+ PKIX_DECREF(checkCrlFail);
+
+ PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_Check_Helper
+ *
+ * DESCRIPTION:
+ * Check if the Cert has been revoked based on the CRL's data. It exhausts all
+ * CertStores and match CRLs at those stores for the certificate. It set the
+ * current date and issuer in CRLSelector to fetching CRL data from cache.
+ *
+ * PARAMETERS
+ * "checker"
+ * Address of CertChainChecker which has the state data.
+ * Must be non-NULL.
+ * "cert"
+ * Address of Certificate that is to be validated. Must be non-NULL.
+ * "prevPublicKey"
+ * Address of previous public key in the backward chain. May be NULL.
+ * "state"
+ * Address of DefaultCrlCheckerState. Must be non-NULL.
+ * "unresolvedCriticalExtensions"
+ * A List OIDs. Not **yet** used in this checker function.
+ * "useOnlyLocal"
+ * Boolean value indicating whether to use or bypass remote CertStores
+ * "pNBIOContext"
+ * Address at which platform-dependent information is stored if processing
+ * is suspended for non-blocking I/O. Must be non-NULL.
+ * "plContext"
+ * Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ * Not Thread Safe
+ * (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error
+ */
+PKIX_Error *
+pkix_DefaultCRLChecker_Check_Helper(
+ PKIX_CertChainChecker *checker,
+ PKIX_PL_Cert *cert,
+ PKIX_PL_PublicKey *prevPublicKey,
+ pkix_DefaultCRLCheckerState *state,
+ PKIX_List *unresolvedCriticalExtensions,
+ PKIX_Boolean useOnlyLocal,
+ void **pNBIOContext,
+ void *plContext)
+{
+
+ void *nbioContext = NULL;
+ PKIX_Boolean certStoreCanBeUsed = PKIX_FALSE;
+ PKIX_CertStore *certStore = NULL;
+ PKIX_Error *storeError = NULL;
+
+ PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check_Helper");
+ PKIX_NULLCHECK_THREE(checker, cert, state);
+
+ nbioContext = *pNBIOContext;
+ *pNBIOContext = NULL; /* prepare for Error exit */
+
+ while ((state->crlStoreIndex) < (state->numCrlStores)) {
+
+ /*
+ * For Basic CRL work, exit the loop when there is a valid
+ * CRL. For advance CRL, need to exhaust CRL until all
+ * reason masks are checked or a revocation is found.
+ */
+
+ if (state->certHasValidCrl == PKIX_TRUE) {
+ break;
+ }
+
+ PKIX_CHECK(PKIX_List_GetItem
+ (state->certStores,
+ state->crlStoreIndex,
+ (PKIX_PL_Object **)&certStore,
+ plContext),
+ PKIX_LISTGETITEMFAILED);
+
+ if (useOnlyLocal == PKIX_FALSE) {
+ certStoreCanBeUsed = PKIX_TRUE;
+ } else {
+ PKIX_CHECK(PKIX_CertStore_GetLocalFlag
+ (certStore, &certStoreCanBeUsed, plContext),
+ PKIX_CERTSTOREGETLOCALFLAGFAILED);
+ }
+
+ if (certStoreCanBeUsed == PKIX_TRUE)
+ {
+ /* Catch and re-throw error to preserve information */
+ storeError = pkix_DefaultCRLChecker_Check_Store
+ (checker,
+ cert,
+ prevPublicKey,
+ state,
+ unresolvedCriticalExtensions,
+ certStore,
+ &nbioContext,
+ plContext);
+ PKIX_CHECK
+ (storeError,
+ PKIX_DEFAULTCRLCHECKERCHECKSTOREFAILED);
+
+ if (nbioContext != NULL) {
+ /* I/O still pending. Exit and resume later. */
+ *pNBIOContext = nbioContext;
+ goto cleanup;
+ }
+ }
+
+ PKIX_DECREF(certStore);
+ state->crlStoreIndex++;
+ } /* while ((state->crlStoreIndex) < (state->numCrlStores)) */
+
+ if (state->nistCRLPolicyEnabled != PKIX_FALSE &&
+ state->certHasValidCrl == PKIX_FALSE) {
+ PKIX_ERROR(PKIX_CERTIFICATEDOESNTHAVEVALIDCRL);
+ }
+
+cleanup:
+
+ PKIX_DECREF(certStore);
+
+ PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_Check
+ *
+ * DESCRIPTION:
+ * Check if the Cert has been revoked based the CRLs data. This function
+ * maintains the checker state to be current.
+ *
+ * PARAMETERS
+ * "checker"
+ * Address of CertChainChecker which has the state data.
+ * Must be non-NULL.
+ * "cert"
+ * Address of Certificate that is to be validated. Must be non-NULL.
+ * "unresolvedCriticalExtensions"
+ * A List OIDs. Not **yet** used in this checker function.
+ * "plContext"
+ * Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ * Not Thread Safe
+ * (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_DefaultCRLChecker_Check(
+ PKIX_CertChainChecker *checker,
+ PKIX_PL_Cert *cert,
+ PKIX_List *unresolvedCriticalExtensions,
+ void **pNBIOContext,
+ void *plContext)
+{
+ pkix_DefaultCRLCheckerState *state = NULL;
+ PKIX_PL_PublicKey *publicKey = NULL;
+ PKIX_PL_PublicKey *newPublicKey = NULL;
+ PKIX_Error *checkKeyUsageFail = NULL;
+ PKIX_Boolean selfIssued = PKIX_FALSE;
+ void *nbioContext = NULL;
+
+ PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check");
+ PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+ nbioContext = *pNBIOContext;
+ *pNBIOContext = NULL; /* prepare for Error exit */
+
+ PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+ (checker, (PKIX_PL_Object **)&state, plContext),
+ PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+ PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+ (cert, &publicKey, plContext),
+ PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+
+ /*
+ * If we already have a selector, we were in the middle of checking
+ * when a certStore returned with non-blocking I/O pendning.
+ */
+ if ((state->crlSelector) == NULL) {
+ state->certsRemaining--;
+
+ PKIX_NULLCHECK_ONE(state->prevPublicKey);
+
+ if (state->prevCertCrlSign == PKIX_FALSE) {
+ PKIX_ERROR
+ (PKIX_KEYUSAGEKEYCRLSIGNBITNOTON);
+ }
+
+ /* Set up CRLSelector */
+ PKIX_CHECK(pkix_DefaultCRLChecker_Check_SetSelector
+ (cert, state, plContext),
+ PKIX_DEFAULTCRLCHECKERCHECKSETSELECTORFAILED);
+
+ }
+
+ PKIX_CHECK(pkix_DefaultCRLChecker_Check_Helper
+ (checker,
+ cert,
+ state->prevPublicKey,
+ state,
+ unresolvedCriticalExtensions,
+ PKIX_FALSE,
+ &nbioContext,
+ plContext),
+ PKIX_DEFAULTCRLCHECKERCHECKHELPERFAILED);
+
+ if (nbioContext != NULL) {
+ *pNBIOContext = nbioContext;
+ goto cleanup;
+ }
+
+ PKIX_DECREF(state->crlSelector);
+
+ /*
+ * Some NIST test case in 4.5.* use different publicKeys for
+ * Cert and its CRL on the chain. Self-issued Certs are used
+ * to speciy multiple keys for those cases. That is why we apply
+ * the following algorithm:
+ *
+ * Check if Cert is self-issued. If so, the public key of the Cert
+ * that issues this Cert (old key) can be used together with this
+ * current key (new key) for key verification. If there are multiple
+ * self-issued certs, keys of those Certs (old keys) can also be used
+ * for key verification. Old key(s) is saved in a list (PrevPublickKey-
+ * List) and cleared when a Cert is no longer self-issued.
+ * PrevPublicKey keep key of the previous Cert.
+ * PrevPublicKeyList keep key(s) of Cert before the previous one.
+ */
+ PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
+ PKIX_ISCERTSELFISSUEFAILED);
+
+ if (selfIssued == PKIX_TRUE) {
+
+ if (state->prevPublicKeyList == NULL) {
+
+ PKIX_CHECK(PKIX_List_Create
+ (&state->prevPublicKeyList, plContext),
+ PKIX_LISTCREATEFAILED);
+
+ }
+
+ PKIX_CHECK(PKIX_List_AppendItem
+ (state->prevPublicKeyList,
+ (PKIX_PL_Object *) state->prevPublicKey,
+ plContext),
+ PKIX_LISTAPPENDITEMFAILED);
+
+ } else {
+ /* Not self-issued Cert any more, clear old key(s) saved */
+ PKIX_DECREF(state->prevPublicKeyList);
+ }
+
+ /* Make inheritance and save current Public Key */
+ PKIX_CHECK(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey
+ (publicKey, state->prevPublicKey, &newPublicKey, plContext),
+ PKIX_PUBLICKEYMAKEINHERITEDDSAPUBLICKEYFAILED);
+
+ if (newPublicKey == NULL){
+ PKIX_INCREF(publicKey);
+ newPublicKey = publicKey;
+ }
+
+ PKIX_DECREF(state->prevPublicKey);
+ PKIX_INCREF(newPublicKey);
+ state->prevPublicKey = newPublicKey;
+
+ /* Save current Cert's crlSign bit for CRL checking later */
+ if (state->certsRemaining != 0) {
+ checkKeyUsageFail = PKIX_PL_Cert_VerifyKeyUsage
+ (cert, PKIX_CRL_SIGN, plContext);
+
+ state->prevCertCrlSign = (checkKeyUsageFail == NULL)?
+ PKIX_TRUE : PKIX_FALSE;
+
+ PKIX_DECREF(checkKeyUsageFail);
+ }
+
+/*
+ PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
+ (checker, (PKIX_PL_Object *)state, plContext),
+ PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+ */
+
+cleanup:
+
+ PKIX_DECREF(state);
+ PKIX_DECREF(publicKey);
+ PKIX_DECREF(newPublicKey);
+ PKIX_DECREF(checkKeyUsageFail);
+
+ PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_DefaultCRLChecker_Initialize
+ *
+ * DESCRIPTION:
+ * Create a CertChainChecker with DefaultCRLCheckerState.
+ *
+ * PARAMETERS
+ * "certStores"
+ * Address of CertStore List to be stored in state. Must be non-NULL.
+ * "testDate"
+ * Address of PKIX_PL_Date to be checked. May be NULL.
+ * "trustedPubKey"
+ * Address of Public Key of Trust Anchor. Must be non-NULL.
+ * "certsRemaining"
+ * Number of certificates remaining in the chain.
+ * "nistPolicyEnabled"
+ * Enable NIST crl policy.
+ * "pChecker"
+ * Address where object pointer will be stored. Must be non-NULL.
+ * Must be non-NULL.
+ * "plContext"
+ * Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error
+ */
+PKIX_Error *
+pkix_DefaultCRLChecker_Initialize(
+ PKIX_List *certStores,
+ PKIX_PL_Date *testDate,
+ PKIX_PL_PublicKey *trustedPubKey,
+ PKIX_UInt32 certsRemaining,
+ PKIX_Boolean nistPolicyEnabled,
+ PKIX_CertChainChecker **pChecker,
+ void *plContext)
+{
+ pkix_DefaultCRLCheckerState *state = NULL;
+
+ PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Initialize");
+ PKIX_NULLCHECK_TWO(certStores, pChecker);
+
+ PKIX_CHECK(pkix_DefaultCRLCheckerState_Create
+ (certStores,
+ testDate,
+ trustedPubKey,
+ certsRemaining,
+ nistPolicyEnabled,
+ &state,
+ plContext),
+ PKIX_DEFAULTCRLCHECKERSTATECREATEFAILED);
+
+ PKIX_CHECK(PKIX_CertChainChecker_Create
+ (pkix_DefaultCRLChecker_Check,
+ PKIX_FALSE,
+ PKIX_FALSE,
+ NULL,
+ (PKIX_PL_Object *) state,
+ pChecker,
+ plContext),
+ PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+cleanup:
+
+ PKIX_DECREF(state);
+
+ PKIX_RETURN(CERTCHAINCHECKER);
+}
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_defaultcrlchecker.h
@@ -0,0 +1,108 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
+ *
+ * Contributor(s):
+ * Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_defaultcrlchecker.h
+ *
+ * Header file for default CRL function
+ *
+ */
+
+#ifndef _PKIX_DEFAULTCRLCHECKER_H
+#define _PKIX_DEFAULTCRLCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct pkix_DefaultCRLCheckerState pkix_DefaultCRLCheckerState;
+
+struct pkix_DefaultCRLCheckerState {
+ PKIX_List *certStores; /* list of CertStore */
+ PKIX_PL_Date *testDate;
+ PKIX_Boolean certHasValidCrl;
+ PKIX_Boolean nistCRLPolicyEnabled;
+ PKIX_Boolean prevCertCrlSign;
+ PKIX_PL_PublicKey *prevPublicKey; /* Subject PubKey of last cert */
+ PKIX_List *prevPublicKeyList; /* of PKIX_PL_PublicKey */
+ PKIX_UInt32 reasonCodeMask;
+ PKIX_UInt32 certsRemaining;
+ PKIX_PL_OID *crlReasonCodeOID;
+
+ PKIX_PL_X500Name *certIssuer;
+ PKIX_PL_BigInt *certSerialNumber;
+ PKIX_CRLSelector *crlSelector;
+ PKIX_UInt32 crlStoreIndex;
+ PKIX_UInt32 numCrlStores;
+};
+
+PKIX_Error *
+pkix_DefaultCRLChecker_Initialize(
+ PKIX_List *certStores,
+ PKIX_PL_Date *testDate,
+ PKIX_PL_PublicKey *trustedPubKey,
+ PKIX_UInt32 certsRemaining,
+ PKIX_Boolean nistCRLPolicyEnabled,
+ PKIX_CertChainChecker **pChecker,
+ void *plContext);
+
+PKIX_Error *
+pkix_DefaultCRLChecker_Check_Helper(
+ PKIX_CertChainChecker *checker,
+ PKIX_PL_Cert *cert,
+ PKIX_PL_PublicKey *prevPublicKey,
+ pkix_DefaultCRLCheckerState *state,
+ PKIX_List *unresolvedCriticalExtensions,
+ PKIX_Boolean useOnlyLocal,
+ void **pNBIOContext,
+ void *plContext);
+
+PKIX_Error *
+pkix_DefaultCRLChecker_Check_SetSelector(
+ PKIX_PL_Cert *cert,
+ pkix_DefaultCRLCheckerState *state,
+ void *plContext);
+
+PKIX_Error *
+pkix_DefaultCRLCheckerState_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_DEFAULTCRLCHECKER_H */
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_expirationchecker.c
@@ -0,0 +1,146 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
+ *
+ * Contributor(s):
+ * Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_expirationchecker.c
+ *
+ * Functions for expiration validation
+ *
+ */
+
+
+#include "pkix_expirationchecker.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_ExpirationChecker_Check
+ * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
+ */
+PKIX_Error *
+pkix_ExpirationChecker_Check(
+ PKIX_CertChainChecker *checker,
+ PKIX_PL_Cert *cert,
+ PKIX_List *unresolvedCriticalExtensions,
+ void **pNBIOContext,
+ void *plContext)
+{
+ PKIX_PL_Date *testDate = NULL;
+
+ PKIX_ENTER(CERTCHAINCHECKER, "pkix_ExpirationChecker_Check");
+ PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+ *pNBIOContext = NULL; /* we never block on pending I/O */
+
+ PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+ (checker, (PKIX_PL_Object **)&testDate, plContext),
+ PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+ PKIX_CHECK(PKIX_PL_Cert_CheckValidity(cert, testDate, plContext),
+ PKIX_CERTCHECKVALIDITYFAILED);
+
+cleanup:
+
+ PKIX_DECREF(testDate);
+
+ PKIX_RETURN(CERTCHAINCHECKER);
+
+}
+
+/*
+ * FUNCTION: pkix_ExpirationChecker_Initialize
+ * DESCRIPTION:
+ *
+ * Creates a new CertChainChecker and stores it at "pChecker", where it will
+ * used by pkix_ExpirationChecker_Check to check that the certificate has not
+ * expired with respect to the Date pointed to by "testDate." If "testDate"
+ * is NULL, then the CertChainChecker will check that a certificate has not
+ * expired with respect to the current date and time.
+ *
+ * PARAMETERS:
+ * "testDate"
+ * Address of Date representing the point in time at which the cert is to
+ * be validated. If "testDate" is NULL, the current date and time is used.
+ * "pChecker"
+ * Address where object pointer will be stored. Must be non-NULL.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_ExpirationChecker_Initialize(
+ PKIX_PL_Date *testDate,
+ PKIX_CertChainChecker **pChecker,
+ void *plContext)
+{
+ PKIX_PL_Date *myDate = NULL;
+ PKIX_PL_Date *nowDate = NULL;
+
+ PKIX_ENTER(CERTCHAINCHECKER, "pkix_ExpirationChecker_Initialize");
+ PKIX_NULLCHECK_ONE(pChecker);
+
+ /* if testDate is NULL, we use the current time */
+ if (!testDate){
+ PKIX_CHECK(PKIX_PL_Date_Create_UTCTime
+ (NULL, &nowDate, plContext),
+ PKIX_DATECREATEUTCTIMEFAILED);
+ myDate = nowDate;
+ } else {
+ myDate = testDate;
+ }
+
+ PKIX_CHECK(PKIX_CertChainChecker_Create
+ (pkix_ExpirationChecker_Check,
+ PKIX_TRUE,
+ PKIX_FALSE,
+ NULL,
+ (PKIX_PL_Object *)myDate,
+ pChecker,
+ plContext),
+ PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+cleanup:
+
+ PKIX_DECREF(nowDate);
+
+ PKIX_RETURN(CERTCHAINCHECKER);
+
+}
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_expirationchecker.h
@@ -0,0 +1,63 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
+ *
+ * Contributor(s):
+ * Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_expirationchecker.h
+ *
+ * Header file for validate expiration function
+ *
+ */
+
+#ifndef _PKIX_EXPIRATIONCHECKER_H
+#define _PKIX_EXPIRATIONCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+PKIX_Error *
+pkix_ExpirationChecker_Initialize(
+ PKIX_PL_Date *testDate,
+ PKIX_CertChainChecker **pChecker,
+ void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_EXPIRATIONCHECKER_H */
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_namechainingchecker.c
@@ -0,0 +1,154 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
+ *
+ * Contributor(s):
+ * Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_namechainingchecker.c
+ *
+ * Functions for name chaining validation
+ *
+ */
+
+
+#include "pkix_namechainingchecker.h"
+
+/* --Private-Functions-------------------------------------------- */
+
+/*
+ * FUNCTION: pkix_NameChainingChecker_Check
+ * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
+ */
+PKIX_Error *
+pkix_NameChainingChecker_Check(
+ PKIX_CertChainChecker *checker,
+ PKIX_PL_Cert *cert,
+ PKIX_List *unresolvedCriticalExtensions,
+ void **pNBIOContext,
+ void *plContext)
+{
+ PKIX_PL_X500Name *prevSubject = NULL;
+ PKIX_PL_X500Name *currIssuer = NULL;
+ PKIX_PL_X500Name *currSubject = NULL;
+ PKIX_Boolean result;
+
+ PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameChainingChecker_Check");
+ PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+ *pNBIOContext = NULL; /* we never block on pending I/O */
+
+ PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+ (checker, (PKIX_PL_Object **)&prevSubject, plContext),
+ PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+ PKIX_CHECK(PKIX_PL_Cert_GetIssuer(cert, &currIssuer, plContext),
+ PKIX_CERTGETISSUERFAILED);
+
+ if (prevSubject){
+ PKIX_CHECK(PKIX_PL_X500Name_Match
+ (prevSubject, currIssuer, &result, plContext),
+ PKIX_X500NAMEMATCHFAILED);
+ if (!result){
+ PKIX_ERROR(PKIX_NAMECHAININGCHECKFAILED);
+ }
+ } else {
+ PKIX_ERROR(PKIX_NAMECHAININGCHECKFAILED);
+ }
+
+ PKIX_CHECK(PKIX_PL_Cert_GetSubject(cert, &currSubject, plContext),
+ PKIX_CERTGETSUBJECTFAILED);
+
+ PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
+ (checker, (PKIX_PL_Object *)currSubject, plContext),
+ PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+
+cleanup:
+
+ PKIX_DECREF(prevSubject);
+ PKIX_DECREF(currIssuer);
+ PKIX_DECREF(currSubject);
+
+ PKIX_RETURN(CERTCHAINCHECKER);
+
+}
+
+/*
+ * FUNCTION: pkix_NameChainingChecker_Initialize
+ * DESCRIPTION:
+ *
+ * Creates a new CertChainChecker and stores it at "pChecker", where it will
+ * be used by pkix_NameChainingChecker_Check to check that the issuer name
+ * of the certificate matches the subject name in the checker's state. The
+ * X500Name pointed to by "trustedCAName" is used to initialize the checker's
+ * state.
+ *
+ * PARAMETERS:
+ * "trustedCAName"
+ * Address of X500Name representing the trusted CA Name used to
+ * initialize the state of this checker. Must be non-NULL.
+ * "pChecker"
+ * Address where object pointer will be stored. Must be non-NULL.
+ * "plContext"
+ * Platform-specific context pointer.
+ * THREAD SAFETY:
+ * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CertChainChecker Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error if the function fails in an unrecoverable way.
+ */
+PKIX_Error *
+pkix_NameChainingChecker_Initialize(
+ PKIX_PL_X500Name *trustedCAName,
+ PKIX_CertChainChecker **pChecker,
+ void *plContext)
+{
+ PKIX_ENTER(CERTCHAINCHECKER, "PKIX_NameChainingChecker_Initialize");
+ PKIX_NULLCHECK_TWO(pChecker, trustedCAName);
+
+ PKIX_CHECK(PKIX_CertChainChecker_Create
+ (pkix_NameChainingChecker_Check,
+ PKIX_FALSE,
+ PKIX_FALSE,
+ NULL,
+ (PKIX_PL_Object *)trustedCAName,
+ pChecker,
+ plContext),
+ PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+cleanup:
+
+ PKIX_RETURN(CERTCHAINCHECKER);
+
+}
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_namechainingchecker.h
@@ -0,0 +1,63 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
+ *
+ * Contributor(s):
+ * Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_namechainingchecker.h
+ *
+ * Header file for name chaining checker.
+ *
+ */
+
+#ifndef _PKIX_NAMECHAININGCHECKER_H
+#define _PKIX_NAMECHAININGCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+PKIX_Error *
+pkix_NameChainingChecker_Initialize(
+ PKIX_PL_X500Name *trustedCAName,
+ PKIX_CertChainChecker **pChecker,
+ void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_NAMECHAININGCHECKER_H */
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
@@ -0,0 +1,338 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
+ *
+ * Contributor(s):
+ * Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_nameconstraintschecker.c
+ *
+ * Functions for Name Constraints Checkers
+ *
+ */
+
+#include "pkix_nameconstraintschecker.h"
+
+/* --Private-NameConstraintsCheckerState-Functions---------------------- */
+
+/*
+ * FUNCTION: pkix_NameConstraintsCheckerstate_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_NameConstraintsCheckerState_Destroy(
+ PKIX_PL_Object *object,
+ void *plContext)
+{
+ pkix_NameConstraintsCheckerState *state = NULL;
+
+ PKIX_ENTER(CERTNAMECONSTRAINTSCHECKERSTATE,
+ "pkix_NameConstraintsCheckerState_Destroy");
+ PKIX_NULLCHECK_ONE(object);
+
+ /* Check that object type */
+ PKIX_CHECK(pkix_CheckType
+ (object, PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE, plContext),
+ PKIX_OBJECTNOTNAMECONSTRAINTSCHECKERSTATE);
+
+ state = (pkix_NameConstraintsCheckerState *)object;
+
+ PKIX_DECREF(state->nameConstraints);
+ PKIX_DECREF(state->nameConstraintsOID);
+
+cleanup:
+
+ PKIX_RETURN(CERTNAMECONSTRAINTSCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_NameConstraintsCheckerState_RegisterSelf
+ *
+ * DESCRIPTION:
+ * Registers PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE and its related
+ * functions with systemClasses[]
+ *
+ * THREAD SAFETY:
+ * Not Thread Safe - for performance and complexity reasons
+ *
+ * Since this function is only called by PKIX_PL_Initialize, which should
+ * only be called once, it is acceptable that this function is not
+ * thread-safe.
+ */
+PKIX_Error *
+pkix_NameConstraintsCheckerState_RegisterSelf(void *plContext)
+{
+ extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
+ pkix_ClassTable_Entry entry;
+
+ PKIX_ENTER(CERTNAMECONSTRAINTSCHECKERSTATE,
+ "pkix_NameConstraintsCheckerState_RegisterSelf");
+
+ entry.description = "NameConstraintsCheckerState";
+ entry.objCounter = 0;
+ entry.typeObjectSize = sizeof(pkix_NameConstraintsCheckerState);
+ entry.destructor = pkix_NameConstraintsCheckerState_Destroy;
+ entry.equalsFunction = NULL;
+ entry.hashcodeFunction = NULL;
+ entry.toStringFunction = NULL;
+ entry.comparator = NULL;
+ entry.duplicateFunction = NULL;
+
+ systemClasses[PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE] = entry;
+
+ PKIX_RETURN(CERTNAMECONSTRAINTSCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_NameConstraintsCheckerState_Create
+ *
+ * DESCRIPTION:
+ * Allocate and initialize NameConstraintsChecker state data.
+ *
+ * PARAMETERS
+ * "nameConstraints"
+ * Address of NameConstraints to be stored in state. May be NULL.
+ * "numCerts"
+ * Number of certificates in the validation chain. This data is used
+ * to identify end-entity.
+ * "pCheckerState"
+ * Address of NameConstraintsCheckerState that is returned. Must be
+ * non-NULL.
+ * "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CERTNAMECONSTRAINTSCHECKERSTATE Error if the function fails in
+ * a non-fatal way.
+ * Returns a Fatal Error
+ */
+static PKIX_Error *
+pkix_NameConstraintsCheckerState_Create(
+ PKIX_PL_CertNameConstraints *nameConstraints,
+ PKIX_UInt32 numCerts,
+ pkix_NameConstraintsCheckerState **pCheckerState,
+ void *plContext)
+{
+ pkix_NameConstraintsCheckerState *state = NULL;
+
+ PKIX_ENTER(CERTNAMECONSTRAINTSCHECKERSTATE,
+ "pkix_NameConstraintsCheckerState_Create");
+ PKIX_NULLCHECK_ONE(pCheckerState);
+
+ PKIX_CHECK(PKIX_PL_Object_Alloc
+ (PKIX_CERTNAMECONSTRAINTSCHECKERSTATE_TYPE,
+ sizeof (pkix_NameConstraintsCheckerState),
+ (PKIX_PL_Object **)&state,
+ plContext),
+ PKIX_COULDNOTCREATENAMECONSTRAINTSCHECKERSTATEOBJECT);
+
+ /* Initialize fields */
+
+ PKIX_CHECK(PKIX_PL_OID_Create
+ (PKIX_NAMECONSTRAINTS_OID,
+ &state->nameConstraintsOID,
+ plContext),
+ PKIX_OIDCREATEFAILED);
+
+ PKIX_INCREF(nameConstraints);
+
+ state->nameConstraints = nameConstraints;
+ state->certsRemaining = numCerts;
+
+ *pCheckerState = state;
+ state = NULL;
+
+cleanup:
+
+ PKIX_DECREF(state);
+
+ PKIX_RETURN(CERTNAMECONSTRAINTSCHECKERSTATE);
+}
+
+/* --Private-NameConstraintsChecker-Functions------------------------- */
+
+/*
+ * FUNCTION: pkix_NameConstraintsChecker_Check
+ * (see comments for PKIX_CertChainChecker_CheckCallback in pkix_checker.h)
+ */
+static PKIX_Error *
+pkix_NameConstraintsChecker_Check(
+ PKIX_CertChainChecker *checker,
+ PKIX_PL_Cert *cert,
+ PKIX_List *unresolvedCriticalExtensions,
+ void **pNBIOContext,
+ void *plContext)
+{
+ pkix_NameConstraintsCheckerState *state = NULL;
+ PKIX_PL_CertNameConstraints *nameConstraints = NULL;
+ PKIX_PL_CertNameConstraints *mergedNameConstraints = NULL;
+ PKIX_Boolean selfIssued = PKIX_FALSE;
+
+ PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameConstraintsChecker_Check");
+ PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
+
+ *pNBIOContext = NULL; /* we never block on pending I/O */
+
+ PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
+ (checker, (PKIX_PL_Object **)&state, plContext),
+ PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
+
+ state->certsRemaining--;
+
+ /* Get status of self issued */
+ PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
+ PKIX_ISCERTSELFISSUEDFAILED);
+
+ /* Check on non self-issued and if so only for last cert */
+ if (selfIssued == PKIX_FALSE ||
+ (selfIssued == PKIX_TRUE && state->certsRemaining == 0)) {
+ PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
+ (cert, state->nameConstraints, plContext),
+ PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
+ }
+
+ if (state->certsRemaining != 0) {
+
+ PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
+ (cert, &nameConstraints, plContext),
+ PKIX_CERTGETNAMECONSTRAINTSFAILED);
+
+ /* Merge with previous name constraints kept in state */
+
+ if (nameConstraints != NULL) {
+
+ if (state->nameConstraints == NULL) {
+
+ state->nameConstraints = nameConstraints;
+
+ } else {
+
+ PKIX_CHECK(PKIX_PL_Cert_MergeNameConstraints
+ (nameConstraints,
+ state->nameConstraints,
+ &mergedNameConstraints,
+ plContext),
+ PKIX_CERTMERGENAMECONSTRAINTSFAILED);
+
+ PKIX_DECREF(nameConstraints);
+ PKIX_DECREF(state->nameConstraints);
+
+ state->nameConstraints = mergedNameConstraints;
+ }
+
+ /* Remove Name Constraints Extension OID from list */
+ if (unresolvedCriticalExtensions != NULL) {
+ PKIX_CHECK(pkix_List_Remove
+ (unresolvedCriticalExtensions,
+ (PKIX_PL_Object *)state->nameConstraintsOID,
+ plContext),
+ PKIX_LISTREMOVEFAILED);
+ }
+ }
+ }
+
+ PKIX_CHECK(PKIX_CertChainChecker_SetCertChainCheckerState
+ (checker, (PKIX_PL_Object *)state, plContext),
+ PKIX_CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED);
+
+cleanup:
+
+ PKIX_DECREF(state);
+
+ PKIX_RETURN(CERTCHAINCHECKER);
+}
+
+/*
+ * FUNCTION: pkix_NameConstraintsChecker_Initialize
+ *
+ * DESCRIPTION:
+ * Create a CertChainChecker with a NameConstraintsCheckerState. The
+ * NameConstraintsCheckerState is created with "trustedNC" and "numCerts"
+ * as its initial state. The CertChainChecker for the NameConstraints is
+ * returned at address of "pChecker".
+ *
+ * PARAMETERS
+ * "trustedNC"
+ * The NameConstraints from trusted anchor Cert is stored at "trustedNC"
+ * for initialization. May be NULL.
+ * "numCerts"
+ * Number of certificates in the validation chain. This data is used
+ * to identify end-entity.
+ * "pChecker"
+ * Address of CertChainChecker to bo created and returned.
+ * Must be non-NULL.
+ * "plContext" - Platform-specific context pointer.
+ *
+ * THREAD SAFETY:
+ * Thread Safe (see Thread Safety Definitions in Programmer's Guide)
+ *
+ * RETURNS:
+ * Returns NULL if the function succeeds.
+ * Returns a CERTCHAINCHECKER Error if the function fails in a non-fatal way.
+ * Returns a Fatal Error
+ */
+PKIX_Error *
+pkix_NameConstraintsChecker_Initialize(
+ PKIX_PL_CertNameConstraints *trustedNC,
+ PKIX_UInt32 numCerts,
+ PKIX_CertChainChecker **pChecker,
+ void *plContext)
+{
+ pkix_NameConstraintsCheckerState *state = NULL;
+
+ PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameConstraintsChecker_Initialize");
+ PKIX_NULLCHECK_ONE(pChecker);
+
+ PKIX_CHECK(pkix_NameConstraintsCheckerState_Create
+ (trustedNC, numCerts, &state, plContext),
+ PKIX_NAMECONSTRAINTSCHECKERSTATECREATEFAILED);
+
+ PKIX_CHECK(PKIX_CertChainChecker_Create
+ (pkix_NameConstraintsChecker_Check,
+ PKIX_FALSE,
+ PKIX_FALSE,
+ NULL,
+ (PKIX_PL_Object *) state,
+ pChecker,
+ plContext),
+ PKIX_CERTCHAINCHECKERCREATEFAILED);
+
+cleanup:
+
+ PKIX_DECREF(state);
+
+ PKIX_RETURN(CERTCHAINCHECKER);
+}
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.h
@@ -0,0 +1,76 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
+ *
+ * Contributor(s):
+ * Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_nameconstraintschecker.h
+ *
+ * Header file for validate Name Constraints Checker function
+ *
+ */
+
+#ifndef _PKIX_NAMECONSTRAINTSCHECKER_H
+#define _PKIX_NAMECONSTRAINTSCHECKER_H
+
+#include "pkix_tools.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct pkix_NameConstraintsCheckerState \
+ pkix_NameConstraintsCheckerState;
+
+struct pkix_NameConstraintsCheckerState {
+ PKIX_PL_CertNameConstraints *nameConstraints;
+ PKIX_PL_OID *nameConstraintsOID;
+ PKIX_UInt32 certsRemaining;
+};
+
+PKIX_Error *
+pkix_NameConstraintsChecker_Initialize(
+ PKIX_PL_CertNameConstraints *trustedNC,
+ PKIX_UInt32 numCerts,
+ PKIX_CertChainChecker **pChecker,
+ void *plContext);
+
+PKIX_Error *
+pkix_NameConstraintsCheckerState_RegisterSelf(void *plContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKIX_NAMECONSTRAINTSCHECKER_H */
new file mode 100755
--- /dev/null
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_policychecker.c
@@ -0,0 +1,2795 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the PKIX-C library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are
+ * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved.
+ *
+ * Contributor(s):
+ * Sun Microsystems, Inc.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/*
+ * pkix_policychecker.c
+ *
+ * Functions for Policy Checker
+ *
+ */
+#include "pkix_policychecker.h"
+
+/* --Forward declarations----------------------------------------------- */
+
+static PKIX_Error *
+pkix_PolicyChecker_MakeSingleton(
+ PKIX_PL_Object *listItem,
+ PKIX_Boolean immutability,
+ PKIX_List **pList,
+ void *plContext);
+
+/* --Private-PolicyCheckerState-Functions---------------------------------- */
+
+/*
+ * FUNCTION:pkix_PolicyCheckerState_Destroy
+ * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_PolicyCheckerState_Destroy(
+ PKIX_PL_Object *object,
+ void *plContext)
+{
+ PKIX_PolicyCheckerState *checkerState = NULL;
+
+ PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_Destroy");
+ PKIX_NULLCHECK_ONE(object);
+
+ PKIX_CHECK(pkix_CheckType
+ (object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext),
+ PKIX_OBJECTNOTPOLICYCHECKERSTATE);
+
+ checkerState = (PKIX_PolicyCheckerState *)object;
+
+ PKIX_DECREF(checkerState->certPoliciesExtension);
+ PKIX_DECREF(checkerState->policyMappingsExtension);
+ PKIX_DECREF(checkerState->policyConstraintsExtension);
+ PKIX_DECREF(checkerState->inhibitAnyPolicyExtension);
+ PKIX_DECREF(checkerState->anyPolicyOID);
+ PKIX_DECREF(checkerState->validPolicyTree);
+ PKIX_DECREF(checkerState->userInitialPolicySet);
+ PKIX_DECREF(checkerState->mappedUserInitialPolicySet);
+
+ checkerState->policyQualifiersRejected = PKIX_FALSE;
+ checkerState->explicitPolicy = 0;
+ checkerState->inhibitAnyPolicy = 0;
+ checkerState->policyMapping = 0;
+ checkerState->numCerts = 0;
+ checkerState->certsProcessed = 0;
+ checkerState->certPoliciesCritical = PKIX_FALSE;
+
+ PKIX_DECREF(checkerState->anyPolicyNodeAtBottom);
+ PKIX_DECREF(checkerState->newAnyPolicyNode);
+ PKIX_DECREF(checkerState->mappedPolicyOIDs);
+
+cleanup:
+
+ PKIX_RETURN(CERTPOLICYCHECKERSTATE);
+}
+
+/*
+ * FUNCTION: pkix_PolicyCheckerState_ToString
+ * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
+ */
+static PKIX_Error *
+pkix_PolicyCheckerState_ToString(
+ PKIX_PL_Object *object,
+ PKIX_PL_String **pCheckerStateString,
+ void *plContext)
+{
+ PKIX_PolicyCheckerState *state = NULL;
+ PKIX_PL_String *resultString = NULL;
+ PKIX_PL_String *policiesExtOIDString = NULL;
+ PKIX_PL_String *policyMapOIDString = NULL;
+ PKIX_PL_String *policyConstrOIDString = NULL;
+ PKIX_PL_String *inhAnyPolOIDString = NULL;
+ PKIX_PL_String *anyPolicyOIDString = NULL;
+ PKIX_PL_String *validPolicyTreeString = NULL;
+ PKIX_PL_String *userInitialPolicySetString = NULL;
+ PKIX_PL_String *mappedUserPolicySetString = NULL;
+ PKIX_PL_String *mappedPolicyOIDsString = NULL;
+ PKIX_PL_String *anyAtBottomString = NULL;
+ PKIX_PL_String *newAnyPolicyString = NULL;
+ PKIX_PL_String *formatString = NULL;
+ PKIX_PL_String *trueString = NULL;
+ PKIX_PL_String *falseString = NULL;
+ PKIX_PL_String *nullString = NULL;
+ PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE;
+ PKIX_Boolean initialExplicitPolicy = PKIX_FALSE;
+ PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE;
+ PKIX_Boolean initialIsAnyPolicy = PKIX_FALSE;
+ PKIX_Boolean policyQualifiersRejected = PKIX_FALSE;
+ PKIX_Boolean certPoliciesCritical = PKIX_FALSE;
+ char *asciiFormat =
+ "{\n"
+ "\tcertPoliciesExtension: \t%s\n"
+ "\tpolicyMappingsExtension: \t%s\n"
+ "\tpolicyConstraintsExtension:\t%s\n"
+ "\tinhibitAnyPolicyExtension:\t%s\n"
+ "\tanyPolicyOID: \t%s\n"
+ "\tinitialIsAnyPolicy: \t%s\n"
+ "\tvalidPolicyTree: \t%s\n"
+ "\tuserInitialPolicySet: \t%s\n"
+ "\tmappedUserPolicySet: \t%s\n"
+ "\tpolicyQualifiersRejected: \t%s\n"
+ "\tinitialPolMappingInhibit: \t%s\n"
+ "\tinitialExplicitPolicy: \t%s\n"
+ "\tinitialAnyPolicyInhibit: \t%s\n"
+ "\texplicitPolicy: \t%d\n"
+ "\tinhibitAnyPolicy: \t%d\n"
+ "\tpolicyMapping: \t%d\n"
+ "\tnumCerts: \t%d\n"
+ "\tcertsProcessed: \t%d\n"
+ "\tanyPolicyNodeAtBottom: \t%s\n"
+ "\tnewAnyPolicyNode: \t%s\n"
+ "\tcertPoliciesCritical: \t%s\n"
+ "\tmappedPolicyOIDs: \t%s\n"
+ "}";
+
+ PKIX_ENTER(CERTPOLICYCHECKERSTATE, "pkix_PolicyCheckerState_ToString");
+
+ PKIX_NULLCHECK_TWO(object, pCheckerStateString);
+
+ PKIX_CHECK(pkix_CheckType
+ (object, PKIX_CERTPOLICYCHECKERSTATE_TYPE, plContext),
+ PKIX_OBJECTNOTPOLICYCHECKERSTATE);
+
+ state = (PKIX_PolicyCheckerState *)object;
+ PKIX_NULLCHECK_THREE
+ (state->certPoliciesExtension,
+ state->policyMappingsExtension,
+ state->policyConstraintsExtension);
+ PKIX_NULLCHECK_THREE
+ (state->inhibitAnyPolicyExtension,
+ state->anyPolicyOID,
+ state->userInitialPolicySet);
+
+ PKIX_CHECK(PKIX_PL_String_Create
+ (PKIX_ESCASCII, asciiFormat, 0, &formatString, plContext),
+ PKIX_STRINGCREATEFAILED);
+ /*
+ * Create TRUE, FALSE, and "NULL" PKIX_PL_Strings. But creating a
+ * PKIX_PL_String is complicated enough, it's worth checking, for
+ * each, to make sure the string is needed.
+ */
+ initialPolicyMappingInhibit = state->initialPolicyMappingInhibit;
+ initialExplicitPolicy = state->initialExplicitPolicy;
+ initialAnyPolicyInhibit = state->initialAnyPolicyInhibit;
+ initialIsAnyPolicy = state->initialIsAnyPolicy;
+ policyQualifiersRejected = state->policyQualifiersRejected;
+ certPoliciesCritical = state->certPoliciesCritical;
+
+ if (initialPolicyMappingInhibit || initialExplicitPolicy ||
+ initialAnyPolicyInhibit || initialIsAnyPolicy ||
+ policyQualifiersRejected || certPoliciesCritical) {
+ PKIX_CHECK(PKIX_PL_String_Create
+ (PKIX_ESCASCII, "TRUE", 0, &trueString, plContext),
+ PKIX_STRINGCREATEFAILED);
+ }
+ if (!initialPolicyMappingInhibit || !initialExplicitPolicy ||
+ !initialAnyPolicyInhibit || !initialIsAnyPolicy ||
+ !policyQualifiersRejected || !certPoliciesCritical) {
+ PKIX_CHECK(PKIX_PL_String_Create
+ (PKIX_ESCASCII, "FALSE", 0, &falseString, plContext),
+ PKIX_STRINGCREATEFAILED);
+ }
+ if (!(state->anyPolicyNodeAtBottom) || !(state->newAnyPolicyNode)) {
+ PKIX_CHECK(PKIX_PL_String_Create
+ (PKIX_ESCASCII, "(null)", 0, &nullString, plContext),
+ PKIX_STRINGCREATEFAILED);
+ }
+
+ PKIX_TOSTRING
+ (state->certPoliciesExtension, &policiesExtOIDString, plContext,
+ PKIX_OBJECTTOSTRINGFAILED);
+
+ PKIX_TOSTRING
+ (state->policyMappingsExtension,
+ &policyMapOIDString,
+ plContext,
+ PKIX_OBJECTTOSTRINGFAILED);
+
+ PKIX_TOSTRING
+ (state->policyConstraintsExtension,
+ &policyConstrOIDString,
+ plContext,
+ PKIX_OBJECTTOSTRINGFAILED);
+
+ PKIX_TOSTRING
+ (state->inhibitAnyPolicyExtension,
+ &inhAnyPolOIDString,
+ plContext,
+ PKIX_OBJECTTOSTRINGFAILED);
+
+ PKIX_TOSTRING(state->anyPolicyOID, &anyPolicyOIDString, plContext,
+ PKIX_OBJECTTOSTRINGFAILED);
+
+ PKIX_TOSTRING(state->validPolicyTree, &validPolicyTreeString, plContext,
+ PKIX_OBJECTTOSTRINGFAILED);
+
+ PKIX_TOSTRING
+ (state->userInitialPolicySet,
+ &userInitialPolicySetString,
+ plContext,
+ PKIX_OBJECTTOSTRINGFAILED);
+
+ PKIX_TOSTRING
+ (state->mappedUserInitialPolicySet,
+ &mappedUserPolicySetString,
+ plContext,
+ PKIX_OBJECTTOSTRINGFAILED);
+
+ if (state->anyPolicyNodeAtBottom) {
+ PKIX_CHECK(pkix_SinglePolicyNode_ToString
+ (state->anyPolicyNodeAtBottom,
+ &anyAtBottomString,
+ plContext),
+ PKIX_SINGLEPOLICYNODETOSTRINGFAILED);
+ } else {
+ PKIX_INCREF(nullString);
+ anyAtBottomString = nullString;
+ }
+
+ if (state->newAnyPolicyNode) {
+ PKIX_CHECK(pkix_SinglePolicyNode_ToString
+ (state->newAnyPolicyNode,
+ &newAnyPolicyString,
+ plContext),
+ PKIX_SINGLEPOLICYNODETOSTRINGFAILED);
+ } else {
+ PKIX_INCREF(nullString);
+ newAnyPolicyString = nullString;
+ }
+
+ PKIX_TOSTRING
+ (state->mappedPolicyOIDs,
+ &mappedPolicyOIDsString,
+ plContext,
+ PKIX_OBJECTTOSTRINGFAILED);
+
+ PKIX_CHECK(PKIX_PL_Sprintf
+ (&resultString,
+ plContext,
+ formatString,
+ policiesExtOIDString,
+ policyMapOIDString,
+ policyConstrOIDString,
+ inhAnyPolOIDString,
+ anyPolicyOIDString,
+ initialIsAnyPolicy?trueString:falseString,
+ validPolicyTreeString,
+ userInitialPolicySetString,
+ mappedUserPolicySetString,
+ policyQualifiersRejected?trueString:falseString,
+ initialPolicyMappingInhibit?trueString:falseString,
+ initialExplicitPolicy?trueString:falseString,
+ initialAnyPolicyInhibit?trueString:falseString,
+ state->explicitPolicy,
+ state->inhibitAnyPolicy,
+ state->policyMapping,
+ state->numCerts,
+ state->certsProcessed,
+ anyAtBottomString,
+ newAnyPolicyString,
+ certPoliciesCritical?trueString:falseString,
+ mappedPolicyOIDsString),
+ PKIX_SPRINTFFAILED);
+
+ *pCheckerStateString = resultString;
+
+cleanup:
+ PKIX_DECREF(policiesExtOIDString);
+ PKIX_DECREF(policyMapOIDString);
+ PKIX_DECREF(policyConstrOIDString);
+ PKIX_DECREF(inhAnyPolOIDString);
