authorcvs2hg <devnull@localhost>2001-08-30 21:14:30 +0000
committercvs2hg <devnull@localhost>2001-08-30 21:14:30 +0000
commit6a923669b9f5e85a0831ca73ff975b009eabb7a9 (patch)
tree03a7b89069c3695ea7ce25a77aa002019fd536e9
parentf158b67a35737c6dddd00c56918597721d1a5128 (diff)
downloadnss-hg-MOZILLA_0_9_4_BASE.tar.gz
fixup commit for branch 'MOZILLA_0_9_4_BRANCH'MOZILLA_0_9_4_BASE
-rw-r--r--dbm/tests/Makefile.in4
-rwxr-xr-xsecurity/coreconf/OpenVMS.mk2
-rw-r--r--security/coreconf/tree.mk12
-rw-r--r--security/dbm/Makefile80
-rw-r--r--security/dbm/include/Makefile86
-rw-r--r--security/dbm/include/manifest.mn57
-rw-r--r--security/dbm/manifest.mn46
-rw-r--r--security/dbm/src/Makefile85
-rw-r--r--security/dbm/src/config.mk66
-rw-r--r--security/dbm/src/manifest.mn57
-rw-r--r--security/dbm/tests/Makefile125
-rw-r--r--security/nss/cmd/signtool/list.c19
-rw-r--r--security/nss/cmd/signtool/sign.c2
-rw-r--r--security/nss/cmd/signtool/verify.c13
-rw-r--r--security/nss/cmd/tstclnt/tstclnt.c2
-rw-r--r--security/nss/lib/certdb/pcertdb.c7
-rw-r--r--security/nss/lib/certhigh/ocsp.c10
-rw-r--r--security/nss/lib/ckfw/builtins/certdata.c558
-rw-r--r--security/nss/lib/ckfw/builtins/certdata.txt358
-rw-r--r--security/nss/lib/crmf/asn1cmn.c3
-rw-r--r--security/nss/lib/crmf/crmftmpl.c19
-rw-r--r--security/nss/lib/freebl/mpi/mpprime.c6
-rw-r--r--security/nss/lib/nss/nss.def28
-rw-r--r--security/nss/lib/nss/nss.h4
-rw-r--r--security/nss/lib/pk11wrap/pk11func.h11
-rw-r--r--security/nss/lib/pk11wrap/pk11skey.c52
-rw-r--r--security/nss/lib/pk11wrap/pk11slot.c3
-rw-r--r--security/nss/lib/pk11wrap/pk11util.c8
-rw-r--r--security/nss/lib/pkcs12/p12d.c50
-rw-r--r--security/nss/lib/pkcs12/p12e.c36
-rw-r--r--security/nss/lib/smime/cmsrecinfo.c3
-rw-r--r--security/nss/lib/softoken/pkcs11.c15
-rw-r--r--security/nss/lib/softoken/pkcs11c.c96
-rw-r--r--security/nss/lib/softoken/pkcs11t.h3
-rw-r--r--security/nss/lib/softoken/pkcs11u.c11
-rw-r--r--security/nss/lib/ssl/manifest.mn1
-rw-r--r--security/nss/lib/ssl/ssl.def10
-rw-r--r--security/nss/lib/ssl/ssl.h16
-rw-r--r--security/nss/lib/ssl/ssl3con.c3
-rw-r--r--security/nss/lib/ssl/sslcon.c4
-rw-r--r--security/nss/lib/ssl/sslimpl.h11
-rw-r--r--security/nss/lib/ssl/sslnonce.c15
-rw-r--r--security/nss/lib/ssl/sslsecur.c8
-rw-r--r--security/nss/lib/ssl/sslsnce.c2113
-rw-r--r--security/nss/lib/util/mac_rand.c41
-rw-r--r--security/nss/lib/util/secasn1e.c52
-rw-r--r--security/nss/lib/util/secasn1t.h7
-rw-r--r--security/nss/macbuild/LoadableRoots.mcpbin59099 -> 49971 bytes
-rw-r--r--security/nss/macbuild/NSSckfw.mcpbin44740 -> 41514 bytes
-rw-r--r--security/nss/manifest.mn2
-rw-r--r--security/nss/tests/ssl/sslauth.txt4
51 files changed, 2180 insertions, 2044 deletions
diff --git a/dbm/tests/Makefile.in b/dbm/tests/Makefile.in
index 97d20213e..7ec5caabf 100644
--- a/dbm/tests/Makefile.in
+++ b/dbm/tests/Makefile.in
@@ -33,11 +33,7 @@ CSRCS = lots.c
EXTRA_DSO_LIBS = mozdbm_s
-ifeq ($(MOZ_OS2_TOOLS),VACPP)
-LIBS = $(DIST)/lib/libmozdbm_s.$(LIB_SUFFIX)
-else
LIBS = $(EXTRA_DSO_LIBS)
-endif
include $(topsrcdir)/config/rules.mk
diff --git a/security/coreconf/OpenVMS.mk b/security/coreconf/OpenVMS.mk
index f387eeaa9..6fbf93226 100755
--- a/security/coreconf/OpenVMS.mk
+++ b/security/coreconf/OpenVMS.mk
@@ -53,4 +53,4 @@ endif
XCFLAGS += $(OPTIMIZER)
# The command to build a shared library in POSIX on OpenVMS.
-MKSHLIB = vmsld_psm $(OPTIMIZER)
+MKSHLIB = vmsld_psm OBJDIR=$(OBJDIR) $(OPTIMIZER)
diff --git a/security/coreconf/tree.mk b/security/coreconf/tree.mk
index ae391b7ef..fdcb8ee0e 100644
--- a/security/coreconf/tree.mk
+++ b/security/coreconf/tree.mk
@@ -53,10 +53,10 @@ ifndef RELEASE_TREE
ifdef USE_SHIPS
RELEASE_TREE = $(NTBUILD_SHIP)
else
- RELEASE_TREE = //blds-sca15a/components
+ RELEASE_TREE = //redbuild/components
endif
else
- RELEASE_TREE = //blds-sca15a/components
+ RELEASE_TREE = //redbuild/components
endif
endif
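Review bot: The default `RELEASE_TREE` is a host-specific share path written out six times (twice in this hunk and twice in each of the @@ -65 and @@ -76 hunks), so the next build-host move needs the same six edits again. I would define it once, `DEFAULT_RELEASE_TREE = //redbuild/components`, and use `RELEASE_TREE = $(DEFAULT_RELEASE_TREE)` in each branch. Since this path presumably is where prebuilt components are imported from, a comment such as `# components under RELEASE_TREE are taken on trust; point it only at a share the release team controls` would record that assumption. The enclosing `ifndef RELEASE_TREE` conditionals start outside the hunks, so whether the three copies can be merged cannot be judged from here.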
@@ -65,10 +65,10 @@ ifndef RELEASE_TREE
ifdef USE_SHIPS
RELEASE_TREE = $(NTBUILD_SHIP)
else
- RELEASE_TREE = //blds-sca15a/components
+ RELEASE_TREE = //redbuild/components
endif
else
- RELEASE_TREE = //blds-sca15a/components
+ RELEASE_TREE = //redbuild/components
endif
endif
ifeq ($(OS_TARGET), WIN16)
@@ -76,10 +76,10 @@ ifndef RELEASE_TREE
ifdef USE_SHIPS
RELEASE_TREE = $(NTBUILD_SHIP)
else
- RELEASE_TREE = //blds-sca15a/components
+ RELEASE_TREE = //redbuild/components
endif
else
- RELEASE_TREE = //blds-sca15a/components
+ RELEASE_TREE = //redbuild/components
endif
endif
endif
diff --git a/security/dbm/Makefile b/security/dbm/Makefile
deleted file mode 100644
index 34cd6d899..000000000
--- a/security/dbm/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-coreconf_hack:
- cd ../coreconf; gmake
- gmake import
-
-RelEng_bld: coreconf_hack
- gmake
diff --git a/security/dbm/include/Makefile b/security/dbm/include/Makefile
deleted file mode 100644
index 4d34d8832..000000000
--- a/security/dbm/include/Makefile
+++ /dev/null
@@ -1,86 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
-
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-DBM_SRCS = $(EXPORTS) $(PRIVATE_EXPORTS) watcomfx.h
-
-export:: $(DBM_SRCS)
-
-libs:: $(DBM_SRCS)
-
-program:: $(DBM_SRCS)
-
-private_export:: $(DBM_SRCS)
-
-echo::
- echo "$(DBM_SRCS)"
diff --git a/security/dbm/include/manifest.mn b/security/dbm/include/manifest.mn
deleted file mode 100644
index 886fedd98..000000000
--- a/security/dbm/include/manifest.mn
+++ /dev/null
@@ -1,57 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../..
-
-VPATH = $(CORE_DEPTH)/../dbm/include
-
-MODULE = dbm
-
-EXPORTS = nsres.h \
- cdefs.h \
- mcom_db.h \
- ncompat.h \
- winfile.h \
- $(NULL)
-
-PRIVATE_EXPORTS = hsearch.h \
- page.h \
- extern.h \
- ndbm.h \
- queue.h \
- hash.h \
- mpool.h \
- search.h \
- $(NULL)
-
diff --git a/security/dbm/manifest.mn b/security/dbm/manifest.mn
deleted file mode 100644
index 4cfffae43..000000000
--- a/security/dbm/manifest.mn
+++ /dev/null
@@ -1,46 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ..
-
-MODULE = dbm
-
-#IMPORTS = nspr20/v3.5
-IMPORTS = nspr20/v4.0
-
-RELEASE = dbm
-
-DIRS = include \
- src \
- $(NULL)
diff --git a/security/dbm/src/Makefile b/security/dbm/src/Makefile
deleted file mode 100644
index b41b41671..000000000
--- a/security/dbm/src/Makefile
+++ /dev/null
@@ -1,85 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
-include config.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-
-DBM_SRCS = $(CSRCS)
-
-export:: $(DBM_SRCS)
-
-libs:: $(DBM_SRCS)
-
-program:: $(DBM_SRCS)
-
-private_export:: $(DBM_SRCS)
-
-echo::
- echo "$(DBM_SRCS)"
diff --git a/security/dbm/src/config.mk b/security/dbm/src/config.mk
deleted file mode 100644
index f6863d966..000000000
--- a/security/dbm/src/config.mk
+++ /dev/null
@@ -1,66 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-DEFINES += -DMEMMOVE -D__DBINTERFACE_PRIVATE $(SECURITY_FLAG) -DNSPR20=1
-
-INCLUDES += -I../include
-INCLUDES += -I$(CORE_DEPTH)/../dbm/include
-
-#
-# Currently, override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PURE_LIBRARY =
-PROGRAM =
-
-ifdef SHARED_LIBRARY
- ifeq ($(OS_ARCH),WINNT)
- ifneq ($(OS_TARGET),WIN16)
- DLLBASE=/BASE:0x30000000
- RES=$(OBJDIR)/dbm.res
- RESNAME=../include/dbm.rc
- endif
- endif
- ifeq ($(DLL_SUFFIX),dll)
- DEFINES += -D_DLL
- endif
-endif
-
-ifeq ($(OS_ARCH),AIX)
- OS_LIBS += -lc_r
-endif
diff --git a/security/dbm/src/manifest.mn b/security/dbm/src/manifest.mn
deleted file mode 100644
index 4b64ffb4b..000000000
--- a/security/dbm/src/manifest.mn
+++ /dev/null
@@ -1,57 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-
-CORE_DEPTH = ../..
-
-VPATH = $(CORE_DEPTH)/../dbm/src
-
-MODULE = dbm
-
-CSRCS = db.c \
- h_bigkey.c \
- h_func.c \
- h_log2.c \
- h_page.c \
- hash.c \
- hash_buf.c \
- hsearch.c \
- memmove.c \
- mktemp.c \
- ndbm.c \
-# snprintf.c \
- strerror.c \
- nsres.c \
- $(NULL)
-
-LIBRARY_NAME = dbm
diff --git a/security/dbm/tests/Makefile b/security/dbm/tests/Makefile
deleted file mode 100644
index c095d87c7..000000000
--- a/security/dbm/tests/Makefile
+++ /dev/null
@@ -1,125 +0,0 @@
-#! gmake
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Netscape security libraries.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation. Portions created by Netscape are
-# Copyright (C) 1994-2000 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the
-# terms of the GNU General Public License Version 2 or later (the
-# "GPL"), in which case the provisions of the GPL are applicable
-# instead of those above. If you wish to allow use of your
-# version of this file only under the terms of the GPL and not to
-# allow others to use your version of this file under the MPL,
-# indicate your decision by deleting the provisions above and
-# replace them with the notice and other provisions required by
-# the GPL. If you do not delete the provisions above, a recipient
-# may use your version of this file under either the MPL or the
-# GPL.
-#
-DEPTH = ../..
-CORE_DEPTH = ../..
-
-VPATH = $(CORE_DEPTH)/../dbm/tests
-
-MODULE = dbm
-
-CSRCS = lots.c
-
-PROGRAM = lots
-
-include $(DEPTH)/coreconf/config.mk
-
-ifeq ($(OS_ARCH),WINNT)
-DEFINES += -DSTDARG -DSTDC_HEADERS
-LIBDBM = ../src/$(PLATFORM)/dbm$(STATIC_LIB_SUFFIX)
-else
-LIBDBM = ../src/$(PLATFORM)/libdbm$(STATIC_LIB_SUFFIX)
-endif
-
-ifeq ($(OS_ARCH),AIX)
-CFLAGS += -DSTDARG
-endif
-
-ifeq ($(OS_ARCH),BSD_386)
-CFLAGS += -g -I../../../include -DXP_UNIX -g -DBSDI -DHAVE_STRERROR -D__386BSD__ -DDEBUG -DMEMMOVE -D__DBINTERFACE_PRIVATE
-endif
-
-ifeq ($(OS_ARCH),FreeBSD)
-CFLAGS += -DSTDARG
-endif
-
-ifeq ($(OS_ARCH),HP-UX)
-CFLAGS += -DSTDARG
-endif
-
-ifeq ($(OS_ARCH),IRIX)
-CFLAGS += -g -I../../../include -DDEBUG -DSTDARG
-endif
-
-ifeq ($(OS_ARCH),OSF1)
-CFLAGS += -DSTDARG
-endif
-
-ifeq ($(OS_ARCH),Linux)
-CFLAGS += -DSTDARG
-endif
-
-ifeq ($(OS_ARCH),NCR)
-CFLAGS += -DSTDARG
-endif
-
-ifeq ($(OS_ARCH),SCO_SV)
-CFLAGS += -DSTDARG
-endif
-
-ifeq ($(OS_ARCH),SunOS)
-CFLAGS += -g -I../../../include -D_sun_
-endif
-
-ifeq ($(OS_ARCH),UNIXWARE)
-CFLAGS += -DSTDARG
-endif
-
-INCLUDES += -I../include
-INCLUDES += -I$(CORE_DEPTH)/../dbm/include
-
-LDFLAGS = $(LDOPTS) $(LIBDBM)
-
-include $(DEPTH)/coreconf/rules.mk
-
-lots.pure: lots
- purify $(CC) -o lots.pure $(CFLAGS) $(OBJS) $(MYLIBS)
-
-crash: crash.o $(MYLIBS)
- $(CC) -o crash $(CFLAGS) $^
-
-crash.pure: crash.o $(MYLIBS)
- purify $(CC) -o crash.pure $(CFLAGS) $^
-
-
-
-DBM_SRCS = $(CSRCS)
-
-export:: $(DBM_SRCS)
-
-libs:: $(DBM_SRCS)
-
-program:: $(DBM_SRCS)
-
-private_export:: $(DBM_SRCS)
-
diff --git a/security/nss/cmd/signtool/list.c b/security/nss/cmd/signtool/list.c
index b21090c2e..83ae4d6a3 100644
--- a/security/nss/cmd/signtool/list.c
+++ b/security/nss/cmd/signtool/list.c
@@ -46,6 +46,7 @@ static SECStatus cert_trav_callback(CERTCertificate *cert, SECItem *k,
int
ListCerts(char *key, int list_certs)
{
+ int failed = 0;
SECStatus rv;
char *ugly_list;
CERTCertDBHandle *db;
@@ -85,9 +86,19 @@ ListCerts(char *key, int list_certs)
rv = PK11_TraverseSlotCerts(cert_trav_callback, (void*)&list_certs,
NULL /*wincx*/);
+ if (rv) {
+ PR_fprintf(outputFD, "**Traverse of non-internal DBs failed**\n");
+ return -1;
+ }
+
/* Traverse Internal DB */
rv = SEC_TraversePermCerts(db, cert_trav_callback, (void*)&list_certs);
+ if (rv) {
+ PR_fprintf(outputFD, "**Traverse of internal DB failed**\n");
+ return -1;
+ }
+
if (num_trav_certs == 0) {
PR_fprintf(outputFD,
"You don't appear to have any object signing certificates.\n");
@@ -99,10 +110,6 @@ ListCerts(char *key, int list_certs)
PR_fprintf(outputFD, "---------------------------------------\n");
}
- if (rv) {
- return -1;
- }
-
if (list_certs == 1) {
PR_fprintf(outputFD,
"For a list including CA's, use \"%s -L\"\n", PROGRAM_NAME);
@@ -141,6 +148,7 @@ ListCerts(char *key, int list_certs)
certUsageObjectSigner, PR_Now(), NULL, &errlog);
if (rv != SECSuccess) {
+ failed = 1;
if(errlog.count > 0) {
PR_fprintf(outputFD,
"**Certificate validation failed for the "
@@ -155,6 +163,7 @@ ListCerts(char *key, int list_certs)
} else {
+ failed = 1;
PR_fprintf(outputFD,
"The certificate with nickname \"%s\" was NOT FOUND\n",
key);
@@ -165,7 +174,7 @@ ListCerts(char *key, int list_certs)
PORT_FreeArena(errlog.arena, PR_FALSE);
}
- if (rv != SECSuccess) {
+ if (failed) {
return -1;
}
return 0;
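Review bot: ListCerts now signals failure in two styles: this hunk tests the `failed` flag, while the traversal checks added in the @@ -85,9 hunk test the status with a bare `if (rv)` and return at once. Elsewhere in the function the status is compared explicitly (`rv != SECSuccess`), so the two new checks would read better as `if (rv != SECSuccess) {`. Those two messages also go to `outputFD`, whereas the sign.c change in this commit reports its failure on `errorFD` and bumps `errorCount`. Whether list.c should do the same depends on code outside the hunks.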
diff --git a/security/nss/cmd/signtool/sign.c b/security/nss/cmd/signtool/sign.c
index 7a974d2db..b46c2f16a 100644
--- a/security/nss/cmd/signtool/sign.c
+++ b/security/nss/cmd/signtool/sign.c
@@ -168,6 +168,8 @@ sign_all_arc_fn(char *relpath, char *basedir, char *reldir, char *filename,
(PL_strcasestr(relpath, ".arc") == relpath + strlen(relpath) - 4) ) {
if(!infop) {
+ PR_fprintf(errorFD, "%s: Internal failure\n", PROGRAM_NAME);
+ errorCount++;
retval = -1;
goto finish;
}
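Review bot: The new message `"%s: Internal failure\n"` gives the user nothing to act on: it names neither the archive being processed nor the missing `infop` argument. Including the path, e.g. `PR_fprintf(errorFD, "%s: Internal failure: no signing context for %s\n", PROGRAM_NAME, relpath);`, would make the log usable. sign_all_arc_fn starts and ends outside the hunk.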
diff --git a/security/nss/cmd/signtool/verify.c b/security/nss/cmd/signtool/verify.c
index 6b2da2c90..fd80ef737 100644
--- a/security/nss/cmd/signtool/verify.c
+++ b/security/nss/cmd/signtool/verify.c
@@ -74,6 +74,7 @@ VerifyJar(char *filename)
if (status < 0 || jar->valid < 0)
{
+ failed = 1;
PR_fprintf(outputFD, "\nNOTE -- \"%s\" archive DID NOT PASS crypto verification.\n", filename);
if (status < 0)
{
@@ -93,7 +94,7 @@ VerifyJar(char *filename)
/* corrupt files should not have their contents listed */
if (status == JAR_ERR_CORRUPT)
- return status;
+ return -1;
}
PR_fprintf(outputFD,
"entries shown below will have their digests checked only.\n");
@@ -140,6 +141,7 @@ VerifyJar(char *filename)
if (status < 0 || jar->valid < 0)
{
+ failed = 1;
PR_fprintf(outputFD,
"\nNOTE -- \"%s\" archive DID NOT PASS crypto verification.\n", filename);
give_help (status);
@@ -147,10 +149,8 @@ VerifyJar(char *filename)
JAR_destroy (jar);
- if (status < 0)
- return status;
- if (jar->valid < 0 || failed)
- return ERRX;
+ if (failed)
+ return -1;
return 0;
}
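Review bot: The `JAR_destroy (jar);` in this hunk is not reached by the `return -1;` that the @@ -93,7 hunk puts on the JAR_ERR_CORRUPT path, so a corrupt archive appears to leave VerifyJar with the jar object still allocated. If no cleanup sits between the two hunks, that branch should become `{ JAR_destroy (jar); return -1; }`. Separately, every failure now collapses to -1, so a comment on VerifyJar should state that callers can no longer tell a JAR status code from a generic failure. VerifyJar begins outside these hunks.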
@@ -355,7 +355,10 @@ JarWho(char *filename)
PR_fprintf(outputFD, "issuer name: %s\n", cert->issuerName);
}
else
+ {
PR_fprintf(outputFD, "no certificate could be found\n");
+ retval = -1;
+ }
prev = cert;
}
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
index 1f2096a1b..5817c39ef 100644
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -633,7 +633,7 @@ int main(int argc, char **argv)
if (err != PR_WOULD_BLOCK_ERROR) {
SECU_PrintError(progName,
"write to SSL socket failed");
- error=2;
+ error=254;
goto done;
}
cc = 0;
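Review bot: `error=254;` replaces one unexplained literal with another; nothing on this line or around it says why a failed write to the SSL socket maps to exit status 254. A short comment, e.g. `/* 254: write to SSL socket failed; presumably matched by the expected return codes in the ssl test tables */`, or a named constant would keep the value from drifting. That the test tables depend on it is an inference from security/nss/tests/ssl/sslauth.txt being changed in the same commit. main() extends well beyond this hunk.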
diff --git a/security/nss/lib/certdb/pcertdb.c b/security/nss/lib/certdb/pcertdb.c
index 20ce6f02a..f6601d4cb 100644
--- a/security/nss/lib/certdb/pcertdb.c
+++ b/security/nss/lib/certdb/pcertdb.c
@@ -7198,6 +7198,13 @@ CERT_SaveImportedCert(CERTCertificate *cert, SECCertUsage usage,
}
}
break;
+ case certUsageAnyCA:
+ trust.sslFlags = CERTDB_VALID_CA;
+ break;
+ case certUsageSSLCA:
+ trust.sslFlags = CERTDB_VALID_CA |
+ CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
+ break;
default: /* XXX added to quiet warnings; no other cases needed? */
break;
}
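Review bot: The new `certUsageSSLCA` case makes an imported certificate a trusted root for both SSL server and SSL client authentication (`CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA`) with no comment on what the caller must have checked first, while `certUsageAnyCA` only marks it `CERTDB_VALID_CA`. A comment above the case should state the precondition, for example `/* caller must already have authenticated this CA (user consent or out-of-band check); it becomes a trust anchor for SSL */`, and say whether setting only `sslFlags` is intended. The `default:` comment still asks "no other cases needed?", which these two cases partly answer, so it could be updated. The switch and CERT_SaveImportedCert start outside the hunk.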
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
index 5eb340b28..758141075 100644
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -3704,6 +3704,12 @@ CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
* used const to convey that it does not modify the name. Maybe someday.
*/
cert = CERT_FindCertByNickname(handle, (char *) name);
+ if (cert == NULL) {
+ /*
+ * look for the cert on an external token.
+ */
+ cert = PK11_FindCertFromNickname(name, NULL);
+ }
if (cert == NULL)
return SECFailure;
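Review bot: The fallback `PK11_FindCertFromNickname(name, NULL)` passes `name` without the `(char *)` cast that the call just above needs, and passes a NULL window context. If PK11_FindCertFromNickname also takes a non-const `char *`, write `PK11_FindCertFromNickname((char *) name, NULL)`. The comment should also say that the default responder certificate can now come from any token holding a certificate under this nickname, so the nickname alone no longer identifies one database entry. With a NULL context a token that needs login may not be searchable, which should be confirmed against the PK11 code. The same fallback is added to CERT_EnableOCSPDefaultResponder in the next hunk.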
@@ -3831,6 +3837,10 @@ CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle)
*/
cert = CERT_FindCertByNickname(handle,
statusContext->defaultResponderNickname);
+ if (cert == NULL) {
+ cert = PK11_FindCertFromNickname(statusContext->defaultResponderNickname,
+ NULL);
+ }
/*
* We should never have trouble finding the cert, because its
* existence should have been proven by SetOCSPDefaultResponder.
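Review bot: The comment that follows the new fallback still says the lookup should never fail because SetOCSPDefaultResponder proved the certificate exists, which no longer holds once the certificate may live on a removable token. The comment should be updated, e.g. `/* the cert may be on an external token that has since been removed, so a NULL result is an ordinary failure here */`. The NULL handling after it lies outside this hunk and should be checked to fail cleanly. The function body continues beyond the hunk.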
diff --git a/security/nss/lib/ckfw/builtins/certdata.c b/security/nss/lib/ckfw/builtins/certdata.c
index 435350fa8..5e3c848ab 100644
--- a/security/nss/lib/ckfw/builtins/certdata.c
+++ b/security/nss/lib/ckfw/builtins/certdata.c
@@ -598,7 +598,7 @@ static const NSSItem nss_builtins_items_0 [] = {
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"CVS ID", (PRUint32)7 },
{ (void *)"NSS", (PRUint32)4 },
- { (void *)"@(#) $RCSfile$ $Revision$ $Date$ $Name$""; @(#) $RCSfile$ $Revision$ $Date$ $Name$", (PRUint32)178 }
+ { (void *)"@(#) $RCSfile$ $Revision$ $Date$ $Name$""; @(#) $RCSfile$ $Revision$ $Date$ $Name$", (PRUint32)179 }
};
#endif /* DEBUG */
static const NSSItem nss_builtins_items_1 [] = {
@@ -3513,150 +3513,6 @@ static const NSSItem nss_builtins_items_60 [] = {
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
- { (void *)"E-Certify Internet ID", (PRUint32)22 },
- { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
- { (void *)"\060\143\061\013\060\011\006\003\125\004\006\023\002\103\101\061"
-"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
-"\151\146\171\061\030\060\026\006\003\125\004\013\023\017\122\123"
-"\101\040\107\157\154\144\040\103\154\151\145\156\164\061\046\060"
-"\044\006\003\125\004\003\023\035\105\055\103\145\162\164\151\146"
-"\171\040\122\123\101\040\065\061\062\040\107\157\154\144\040\103"
-"\154\151\145\156\164"
-, (PRUint32)101 },
- { (void *)"0", (PRUint32)2 },
- { (void *)"\060\143\061\013\060\011\006\003\125\004\006\023\002\103\101\061"
-"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
-"\151\146\171\061\030\060\026\006\003\125\004\013\023\017\122\123"
-"\101\040\107\157\154\144\040\103\154\151\145\156\164\061\046\060"
-"\044\006\003\125\004\003\023\035\105\055\103\145\162\164\151\146"
-"\171\040\122\123\101\040\065\061\062\040\107\157\154\144\040\103"
-"\154\151\145\156\164"
-, (PRUint32)101 },
- { (void *)"\002"
-, (PRUint32)1 },
- { (void *)"\060\202\001\312\060\202\001\164\240\003\002\001\002\002\001\002"
-"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
-"\143\061\013\060\011\006\003\125\004\006\023\002\103\101\061\022"
-"\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164\151"
-"\146\171\061\030\060\026\006\003\125\004\013\023\017\122\123\101"
-"\040\107\157\154\144\040\103\154\151\145\156\164\061\046\060\044"
-"\006\003\125\004\003\023\035\105\055\103\145\162\164\151\146\171"
-"\040\122\123\101\040\065\061\062\040\107\157\154\144\040\103\154"
-"\151\145\156\164\060\036\027\015\071\070\061\060\061\066\061\063"
-"\063\064\060\070\132\027\015\060\063\061\060\061\066\061\063\063"
-"\064\060\070\132\060\143\061\013\060\011\006\003\125\004\006\023"
-"\002\103\101\061\022\060\020\006\003\125\004\012\023\011\105\055"
-"\103\145\162\164\151\146\171\061\030\060\026\006\003\125\004\013"
-"\023\017\122\123\101\040\107\157\154\144\040\103\154\151\145\156"
-"\164\061\046\060\044\006\003\125\004\003\023\035\105\055\103\145"
-"\162\164\151\146\171\040\122\123\101\040\065\061\062\040\107\157"
-"\154\144\040\103\154\151\145\156\164\060\134\060\015\006\011\052"
-"\206\110\206\367\015\001\001\001\005\000\003\113\000\060\110\002"
-"\101\000\160\011\304\365\211\211\115\310\243\362\300\037\344\175"
-"\360\374\172\310\202\314\146\011\305\051\323\135\010\324\351\350"
-"\377\137\031\300\373\334\252\217\060\014\076\332\205\167\117\170"
-"\300\317\075\126\311\263\365\203\226\110\356\220\237\254\016\002"
-"\316\071\002\003\001\000\001\243\023\060\021\060\017\006\003\125"
-"\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011"
-"\052\206\110\206\367\015\001\001\004\005\000\003\101\000\035\222"
-"\327\114\344\014\326\373\112\075\351\341\302\037\000\367\121\374"
-"\361\076\370\312\304\361\043\210\217\320\116\177\247\214\173\177"
-"\004\102\133\367\046\132\264\343\121\162\110\045\125\317\157\360"
-"\377\003\313\301\331\031\000\364\370\371\364\273\030\126"
-, (PRUint32)462 }
-};
-static const NSSItem nss_builtins_items_61 [] = {
- { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
- { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
- { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
- { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
- { (void *)"E-Certify Internet ID", (PRUint32)22 },
- { (void *)"\077\065\017\377\111\047\260\141\105\312\101\073\101\244\215\235"
-"\044\315\125\035"
-, (PRUint32)20 },
- { (void *)"\374\012\336\152\227\076\143\333\122\302\131\003\010\060\141\042"
-, (PRUint32)16 },
- { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
- { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
- { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
-};
-static const NSSItem nss_builtins_items_62 [] = {
- { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
- { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
- { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
- { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
- { (void *)"E-Certify Commerce ID", (PRUint32)22 },
- { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
- { (void *)"\060\143\061\013\060\011\006\003\125\004\006\023\002\103\101\061"
-"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
-"\151\146\171\061\030\060\026\006\003\125\004\013\023\017\122\123"
-"\101\040\107\157\154\144\040\123\145\162\166\145\162\061\046\060"
-"\044\006\003\125\004\003\023\035\105\055\103\145\162\164\151\146"
-"\171\040\122\123\101\040\065\061\062\040\107\157\154\144\040\123"
-"\145\162\166\145\162"
-, (PRUint32)101 },
- { (void *)"0", (PRUint32)2 },
- { (void *)"\060\143\061\013\060\011\006\003\125\004\006\023\002\103\101\061"
-"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
-"\151\146\171\061\030\060\026\006\003\125\004\013\023\017\122\123"
-"\101\040\107\157\154\144\040\123\145\162\166\145\162\061\046\060"
-"\044\006\003\125\004\003\023\035\105\055\103\145\162\164\151\146"
-"\171\040\122\123\101\040\065\061\062\040\107\157\154\144\040\123"
-"\145\162\166\145\162"
-, (PRUint32)101 },
- { (void *)"\001"
-, (PRUint32)1 },
- { (void *)"\060\202\001\312\060\202\001\164\240\003\002\001\002\002\001\001"
-"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
-"\143\061\013\060\011\006\003\125\004\006\023\002\103\101\061\022"
-"\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164\151"
-"\146\171\061\030\060\026\006\003\125\004\013\023\017\122\123\101"
-"\040\107\157\154\144\040\123\145\162\166\145\162\061\046\060\044"
-"\006\003\125\004\003\023\035\105\055\103\145\162\164\151\146\171"
-"\040\122\123\101\040\065\061\062\040\107\157\154\144\040\123\145"
-"\162\166\145\162\060\036\027\015\071\070\061\060\061\066\061\063"
-"\063\067\065\063\132\027\015\060\063\061\060\061\066\061\063\063"
-"\067\065\063\132\060\143\061\013\060\011\006\003\125\004\006\023"
-"\002\103\101\061\022\060\020\006\003\125\004\012\023\011\105\055"
-"\103\145\162\164\151\146\171\061\030\060\026\006\003\125\004\013"
-"\023\017\122\123\101\040\107\157\154\144\040\123\145\162\166\145"
-"\162\061\046\060\044\006\003\125\004\003\023\035\105\055\103\145"
-"\162\164\151\146\171\040\122\123\101\040\065\061\062\040\107\157"
-"\154\144\040\123\145\162\166\145\162\060\134\060\015\006\011\052"
-"\206\110\206\367\015\001\001\001\005\000\003\113\000\060\110\002"
-"\101\000\315\125\017\167\022\376\363\200\326\211\001\035\131\356"
-"\000\262\165\116\246\223\055\136\374\036\004\155\215\115\261\333"
-"\137\262\053\124\365\301\013\252\016\156\104\220\317\003\215\047"
-"\010\063\336\073\050\245\326\122\171\067\310\136\221\312\211\002"
-"\111\027\002\003\001\000\001\243\023\060\021\060\017\006\003\125"
-"\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011"
-"\052\206\110\206\367\015\001\001\004\005\000\003\101\000\164\365"
-"\045\172\071\347\203\020\377\011\173\160\316\054\326\166\341\117"
-"\174\064\172\210\005\060\362\007\213\021\244\071\215\164\173\246"
-"\373\172\346\340\006\055\316\160\161\033\230\104\112\023\274\365"
-"\267\026\213\174\211\264\022\023\032\344\321\016\163\052"
-, (PRUint32)462 }
-};
-static const NSSItem nss_builtins_items_63 [] = {
- { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
- { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
- { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
- { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
- { (void *)"E-Certify Commerce ID", (PRUint32)22 },
- { (void *)"\077\025\014\145\325\170\211\025\237\031\377\341\041\331\311\115"
-"\150\032\031\205"
-, (PRUint32)20 },
- { (void *)"\265\302\221\035\163\344\353\371\326\123\300\004\343\077\243\215"
-, (PRUint32)16 },
- { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
- { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
- { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
-};
-static const NSSItem nss_builtins_items_64 [] = {
- { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
- { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
- { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
- { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"Verisign Class 1 Public Primary Certification Authority", (PRUint32)56 },
{ (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
{ (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
@@ -3718,7 +3574,7 @@ static const NSSItem nss_builtins_items_64 [] = {
"\224"
, (PRUint32)577 }
};
-static const NSSItem nss_builtins_items_65 [] = {
+static const NSSItem nss_builtins_items_61 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -3733,7 +3589,7 @@ static const NSSItem nss_builtins_items_65 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_66 [] = {
+static const NSSItem nss_builtins_items_62 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -3797,7 +3653,7 @@ static const NSSItem nss_builtins_items_66 [] = {
"\360\210\321\345\170\215\245\052\117\366\227\015\027\167\312\330"
, (PRUint32)576 }
};
-static const NSSItem nss_builtins_items_67 [] = {
+static const NSSItem nss_builtins_items_63 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -3812,7 +3668,7 @@ static const NSSItem nss_builtins_items_67 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_68 [] = {
+static const NSSItem nss_builtins_items_64 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -3876,7 +3732,7 @@ static const NSSItem nss_builtins_items_68 [] = {
"\300\175\267\162\234\311\066\072\153\237\116\250\377\144\015\144"
, (PRUint32)576 }
};
-static const NSSItem nss_builtins_items_69 [] = {
+static const NSSItem nss_builtins_items_65 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -3891,7 +3747,7 @@ static const NSSItem nss_builtins_items_69 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_70 [] = {
+static const NSSItem nss_builtins_items_66 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -3980,7 +3836,7 @@ static const NSSItem nss_builtins_items_70 [] = {
"\017\061\134\350\362\331"
, (PRUint32)774 }
};
-static const NSSItem nss_builtins_items_71 [] = {
+static const NSSItem nss_builtins_items_67 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -3995,7 +3851,7 @@ static const NSSItem nss_builtins_items_71 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_72 [] = {
+static const NSSItem nss_builtins_items_68 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4085,7 +3941,7 @@ static const NSSItem nss_builtins_items_72 [] = {
"\214\022\173\305\104\264\256"
, (PRUint32)775 }
};
-static const NSSItem nss_builtins_items_73 [] = {
+static const NSSItem nss_builtins_items_69 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4100,7 +3956,7 @@ static const NSSItem nss_builtins_items_73 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_74 [] = {
+static const NSSItem nss_builtins_items_70 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4189,7 +4045,7 @@ static const NSSItem nss_builtins_items_74 [] = {
"\240\235\235\151\221\375"
, (PRUint32)774 }
};
-static const NSSItem nss_builtins_items_75 [] = {
+static const NSSItem nss_builtins_items_71 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4204,7 +4060,7 @@ static const NSSItem nss_builtins_items_75 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_76 [] = {
+static const NSSItem nss_builtins_items_72 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4293,7 +4149,7 @@ static const NSSItem nss_builtins_items_76 [] = {
"\117\312\200\221\266\051"
, (PRUint32)774 }
};
-static const NSSItem nss_builtins_items_77 [] = {
+static const NSSItem nss_builtins_items_73 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4308,7 +4164,7 @@ static const NSSItem nss_builtins_items_77 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_78 [] = {
+static const NSSItem nss_builtins_items_74 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4390,7 +4246,7 @@ static const NSSItem nss_builtins_items_78 [] = {
"\054\166\021\204\106\212\170\243\343"
, (PRUint32)889 }
};
-static const NSSItem nss_builtins_items_79 [] = {
+static const NSSItem nss_builtins_items_75 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4405,7 +4261,7 @@ static const NSSItem nss_builtins_items_79 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_80 [] = {
+static const NSSItem nss_builtins_items_76 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4491,7 +4347,7 @@ static const NSSItem nss_builtins_items_80 [] = {
"\362\255"
, (PRUint32)930 }
};
-static const NSSItem nss_builtins_items_81 [] = {
+static const NSSItem nss_builtins_items_77 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4506,7 +4362,7 @@ static const NSSItem nss_builtins_items_81 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_82 [] = {
+static const NSSItem nss_builtins_items_78 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4592,7 +4448,7 @@ static const NSSItem nss_builtins_items_82 [] = {
"\352\143\336\137\124\261\372\363\321\105\313\305\144\264\163\041"
, (PRUint32)944 }
};
-static const NSSItem nss_builtins_items_83 [] = {
+static const NSSItem nss_builtins_items_79 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4607,7 +4463,7 @@ static const NSSItem nss_builtins_items_83 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_84 [] = {
+static const NSSItem nss_builtins_items_80 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4693,7 +4549,7 @@ static const NSSItem nss_builtins_items_84 [] = {
"\205\014\033\205\276\046\256\253\246\231\274\042\361\163\337\102"
, (PRUint32)944 }
};
-static const NSSItem nss_builtins_items_85 [] = {
+static const NSSItem nss_builtins_items_81 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4708,7 +4564,7 @@ static const NSSItem nss_builtins_items_85 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_86 [] = {
+static const NSSItem nss_builtins_items_82 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4794,7 +4650,7 @@ static const NSSItem nss_builtins_items_86 [] = {
"\230\166\371\024\114\167\207\202\311\334\176\135\064\325\066\165"
, (PRUint32)944 }
};
-static const NSSItem nss_builtins_items_87 [] = {
+static const NSSItem nss_builtins_items_83 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4809,7 +4665,7 @@ static const NSSItem nss_builtins_items_87 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_88 [] = {
+static const NSSItem nss_builtins_items_84 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4894,7 +4750,7 @@ static const NSSItem nss_builtins_items_88 [] = {
"\161\202\053\231\317\072\267\365\055\162\310"
, (PRUint32)747 }
};
-static const NSSItem nss_builtins_items_89 [] = {
+static const NSSItem nss_builtins_items_85 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4909,7 +4765,7 @@ static const NSSItem nss_builtins_items_89 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_90 [] = {
+static const NSSItem nss_builtins_items_86 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4994,7 +4850,7 @@ static const NSSItem nss_builtins_items_90 [] = {
"\276\355\164\114\274\133\325\142\037\103\335"
, (PRUint32)747 }
};
-static const NSSItem nss_builtins_items_91 [] = {
+static const NSSItem nss_builtins_items_87 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5009,7 +4865,7 @@ static const NSSItem nss_builtins_items_91 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_92 [] = {
+static const NSSItem nss_builtins_items_88 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5094,7 +4950,7 @@ static const NSSItem nss_builtins_items_92 [] = {
"\040\017\105\176\153\242\177\243\214\025\356"
, (PRUint32)747 }
};
-static const NSSItem nss_builtins_items_93 [] = {
+static const NSSItem nss_builtins_items_89 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5109,7 +4965,7 @@ static const NSSItem nss_builtins_items_93 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_94 [] = {
+static const NSSItem nss_builtins_items_90 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5410,7 +5266,7 @@ static const NSSItem nss_builtins_items_94 [] = {
"\136\311\046\001\231\247"
, (PRUint32)4390 }
};
-static const NSSItem nss_builtins_items_95 [] = {
+static const NSSItem nss_builtins_items_91 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5425,7 +5281,7 @@ static const NSSItem nss_builtins_items_95 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_96 [] = {
+static const NSSItem nss_builtins_items_92 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5532,7 +5388,7 @@ static const NSSItem nss_builtins_items_96 [] = {
"\113\336\006\226\161\054\362\333\266\037\244\357\077\356"
, (PRUint32)1054 }
};
-static const NSSItem nss_builtins_items_97 [] = {
+static const NSSItem nss_builtins_items_93 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5547,7 +5403,7 @@ static const NSSItem nss_builtins_items_97 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_98 [] = {
+static const NSSItem nss_builtins_items_94 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5653,7 +5509,7 @@ static const NSSItem nss_builtins_items_98 [] = {
"\311\130\020\371\252\357\132\266\317\113\113\337\052"
, (PRUint32)1053 }
};
-static const NSSItem nss_builtins_items_99 [] = {
+static const NSSItem nss_builtins_items_95 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5668,7 +5524,7 @@ static const NSSItem nss_builtins_items_99 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_100 [] = {
+static const NSSItem nss_builtins_items_96 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5775,7 +5631,7 @@ static const NSSItem nss_builtins_items_100 [] = {
"\153\271\012\172\116\117\113\204\356\113\361\175\335\021"
, (PRUint32)1054 }
};
-static const NSSItem nss_builtins_items_101 [] = {
+static const NSSItem nss_builtins_items_97 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5790,7 +5646,7 @@ static const NSSItem nss_builtins_items_101 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_102 [] = {
+static const NSSItem nss_builtins_items_98 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5897,7 +5753,7 @@ static const NSSItem nss_builtins_items_102 [] = {
"\367\146\103\363\236\203\076\040\252\303\065\140\221\316"
, (PRUint32)1054 }
};
-static const NSSItem nss_builtins_items_103 [] = {
+static const NSSItem nss_builtins_items_99 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5912,7 +5768,7 @@ static const NSSItem nss_builtins_items_103 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_104 [] = {
+static const NSSItem nss_builtins_items_100 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6030,7 +5886,7 @@ static const NSSItem nss_builtins_items_104 [] = {
"\155\055\105\013\367\012\223\352\355\006\371\262"
, (PRUint32)1244 }
};
-static const NSSItem nss_builtins_items_105 [] = {
+static const NSSItem nss_builtins_items_101 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6045,7 +5901,7 @@ static const NSSItem nss_builtins_items_105 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_106 [] = {
+static const NSSItem nss_builtins_items_102 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6165,7 +6021,7 @@ static const NSSItem nss_builtins_items_106 [] = {
"\354"
, (PRUint32)1265 }
};
-static const NSSItem nss_builtins_items_107 [] = {
+static const NSSItem nss_builtins_items_103 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6180,7 +6036,7 @@ static const NSSItem nss_builtins_items_107 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_108 [] = {
+static const NSSItem nss_builtins_items_104 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6288,7 +6144,7 @@ static const NSSItem nss_builtins_items_108 [] = {
"\275\114\105\236\141\272\277\204\201\222\003\321\322\151\174\305"
, (PRUint32)1120 }
};
-static const NSSItem nss_builtins_items_109 [] = {
+static const NSSItem nss_builtins_items_105 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6303,7 +6159,7 @@ static const NSSItem nss_builtins_items_109 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_110 [] = {
+static const NSSItem nss_builtins_items_106 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6394,7 +6250,7 @@ static const NSSItem nss_builtins_items_110 [] = {
"\246\167\067\270\125\074\255\376\145\260\142\351"
, (PRUint32)844 }
};
-static const NSSItem nss_builtins_items_111 [] = {
+static const NSSItem nss_builtins_items_107 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6409,7 +6265,7 @@ static const NSSItem nss_builtins_items_111 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_112 [] = {
+static const NSSItem nss_builtins_items_108 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6496,7 +6352,7 @@ static const NSSItem nss_builtins_items_112 [] = {
"\306\003\256\254\343\277\267\300\252\052"
, (PRUint32)938 }
};
-static const NSSItem nss_builtins_items_113 [] = {
+static const NSSItem nss_builtins_items_109 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6511,7 +6367,7 @@ static const NSSItem nss_builtins_items_113 [] = {
{ (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_114 [] = {
+static const NSSItem nss_builtins_items_110 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6593,7 +6449,7 @@ static const NSSItem nss_builtins_items_114 [] = {
"\347\201\035\031\303\044\102\352\143\071\251"
, (PRUint32)891 }
};
-static const NSSItem nss_builtins_items_115 [] = {
+static const NSSItem nss_builtins_items_111 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6608,7 +6464,7 @@ static const NSSItem nss_builtins_items_115 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_116 [] = {
+static const NSSItem nss_builtins_items_112 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6677,7 +6533,7 @@ static const NSSItem nss_builtins_items_116 [] = {
"\365"
, (PRUint32)641 }
};
-static const NSSItem nss_builtins_items_117 [] = {
+static const NSSItem nss_builtins_items_113 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6692,7 +6548,7 @@ static const NSSItem nss_builtins_items_117 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_118 [] = {
+static const NSSItem nss_builtins_items_114 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6760,7 +6616,7 @@ static const NSSItem nss_builtins_items_118 [] = {
"\126\224\251\125"
, (PRUint32)660 }
};
-static const NSSItem nss_builtins_items_119 [] = {
+static const NSSItem nss_builtins_items_115 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6775,7 +6631,7 @@ static const NSSItem nss_builtins_items_119 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_120 [] = {
+static const NSSItem nss_builtins_items_116 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6842,7 +6698,7 @@ static const NSSItem nss_builtins_items_120 [] = {
"\132\052\202\262\067\171"
, (PRUint32)646 }
};
-static const NSSItem nss_builtins_items_121 [] = {
+static const NSSItem nss_builtins_items_117 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6857,7 +6713,7 @@ static const NSSItem nss_builtins_items_121 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_122 [] = {
+static const NSSItem nss_builtins_items_118 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6932,7 +6788,7 @@ static const NSSItem nss_builtins_items_122 [] = {
"\221\060\352\315"
, (PRUint32)804 }
};
-static const NSSItem nss_builtins_items_123 [] = {
+static const NSSItem nss_builtins_items_119 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6947,7 +6803,7 @@ static const NSSItem nss_builtins_items_123 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_124 [] = {
+static const NSSItem nss_builtins_items_120 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7025,7 +6881,7 @@ static const NSSItem nss_builtins_items_124 [] = {
"\177\056\101\307\142\110\327\161\105\073\170\222"
, (PRUint32)860 }
};
-static const NSSItem nss_builtins_items_125 [] = {
+static const NSSItem nss_builtins_items_121 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7040,7 +6896,7 @@ static const NSSItem nss_builtins_items_125 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_126 [] = {
+static const NSSItem nss_builtins_items_122 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7125,7 +6981,7 @@ static const NSSItem nss_builtins_items_126 [] = {
"\265\314\255\006"
, (PRUint32)900 }
};
-static const NSSItem nss_builtins_items_127 [] = {
+static const NSSItem nss_builtins_items_123 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7140,7 +6996,7 @@ static const NSSItem nss_builtins_items_127 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_128 [] = {
+static const NSSItem nss_builtins_items_124 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7225,7 +7081,7 @@ static const NSSItem nss_builtins_items_128 [] = {
"\113\211\106\166"
, (PRUint32)900 }
};
-static const NSSItem nss_builtins_items_129 [] = {
+static const NSSItem nss_builtins_items_125 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7240,7 +7096,7 @@ static const NSSItem nss_builtins_items_129 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_130 [] = {
+static const NSSItem nss_builtins_items_126 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7308,7 +7164,7 @@ static const NSSItem nss_builtins_items_130 [] = {
"\375\345\026\014\364\253\027\110\176\255\353\200\300\125\201"
, (PRUint32)639 }
};
-static const NSSItem nss_builtins_items_131 [] = {
+static const NSSItem nss_builtins_items_127 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7323,7 +7179,7 @@ static const NSSItem nss_builtins_items_131 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_132 [] = {
+static const NSSItem nss_builtins_items_128 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7391,7 +7247,7 @@ static const NSSItem nss_builtins_items_132 [] = {
"\153\301\221\235\013\364\077\232\021\174\224\026\147\266\230"
, (PRUint32)639 }
};
-static const NSSItem nss_builtins_items_133 [] = {
+static const NSSItem nss_builtins_items_129 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7406,7 +7262,7 @@ static const NSSItem nss_builtins_items_133 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_134 [] = {
+static const NSSItem nss_builtins_items_130 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7515,7 +7371,7 @@ static const NSSItem nss_builtins_items_134 [] = {
"\043\020\077\041\020\131\267\344\100\335\046\014\043\366\252\256"
, (PRUint32)1328 }
};
-static const NSSItem nss_builtins_items_135 [] = {
+static const NSSItem nss_builtins_items_131 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7530,7 +7386,7 @@ static const NSSItem nss_builtins_items_135 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_136 [] = {
+static const NSSItem nss_builtins_items_132 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7607,7 +7463,7 @@ static const NSSItem nss_builtins_items_136 [] = {
"\074\351\033\046\033\234\144"
, (PRUint32)871 }
};
-static const NSSItem nss_builtins_items_137 [] = {
+static const NSSItem nss_builtins_items_133 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7622,7 +7478,7 @@ static const NSSItem nss_builtins_items_137 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_138 [] = {
+static const NSSItem nss_builtins_items_134 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7685,7 +7541,7 @@ static const NSSItem nss_builtins_items_138 [] = {
"\165\112\364\010\054\365\334\146\317\303\070\176"
, (PRUint32)620 }
};
-static const NSSItem nss_builtins_items_139 [] = {
+static const NSSItem nss_builtins_items_135 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7700,7 +7556,7 @@ static const NSSItem nss_builtins_items_139 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_140 [] = {
+static const NSSItem nss_builtins_items_136 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7771,7 +7627,7 @@ static const NSSItem nss_builtins_items_140 [] = {
"\055\335\051"
, (PRUint32)771 }
};
-static const NSSItem nss_builtins_items_141 [] = {
+static const NSSItem nss_builtins_items_137 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7786,7 +7642,7 @@ static const NSSItem nss_builtins_items_141 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_142 [] = {
+static const NSSItem nss_builtins_items_138 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7843,7 +7699,7 @@ static const NSSItem nss_builtins_items_142 [] = {
"\041\040\224\150\052\332\214\276"
, (PRUint32)520 }
};
-static const NSSItem nss_builtins_items_143 [] = {
+static const NSSItem nss_builtins_items_139 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7858,7 +7714,7 @@ static const NSSItem nss_builtins_items_143 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_144 [] = {
+static const NSSItem nss_builtins_items_140 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7955,7 +7811,7 @@ static const NSSItem nss_builtins_items_144 [] = {
"\302\215\302\155\354\334\023\323\106\305\171\174"
, (PRUint32)1020 }
};
-static const NSSItem nss_builtins_items_145 [] = {
+static const NSSItem nss_builtins_items_141 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7970,7 +7826,7 @@ static const NSSItem nss_builtins_items_145 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_146 [] = {
+static const NSSItem nss_builtins_items_142 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8069,7 +7925,7 @@ static const NSSItem nss_builtins_items_146 [] = {
"\345"
, (PRUint32)993 }
};
-static const NSSItem nss_builtins_items_147 [] = {
+static const NSSItem nss_builtins_items_143 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8084,7 +7940,7 @@ static const NSSItem nss_builtins_items_147 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_148 [] = {
+static const NSSItem nss_builtins_items_144 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8183,7 +8039,7 @@ static const NSSItem nss_builtins_items_148 [] = {
"\300"
, (PRUint32)993 }
};
-static const NSSItem nss_builtins_items_149 [] = {
+static const NSSItem nss_builtins_items_145 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8198,7 +8054,7 @@ static const NSSItem nss_builtins_items_149 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_150 [] = {
+static const NSSItem nss_builtins_items_146 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8329,7 +8185,7 @@ static const NSSItem nss_builtins_items_150 [] = {
"\347"
, (PRUint32)1505 }
};
-static const NSSItem nss_builtins_items_151 [] = {
+static const NSSItem nss_builtins_items_147 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8344,7 +8200,7 @@ static const NSSItem nss_builtins_items_151 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_152 [] = {
+static const NSSItem nss_builtins_items_148 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8443,7 +8299,7 @@ static const NSSItem nss_builtins_items_152 [] = {
"\203"
, (PRUint32)993 }
};
-static const NSSItem nss_builtins_items_153 [] = {
+static const NSSItem nss_builtins_items_149 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8458,7 +8314,7 @@ static const NSSItem nss_builtins_items_153 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_154 [] = {
+static const NSSItem nss_builtins_items_150 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8559,7 +8415,7 @@ static const NSSItem nss_builtins_items_154 [] = {
"\226\126\160\040\066\300\357\331\152\326\260\147\343"
, (PRUint32)1005 }
};
-static const NSSItem nss_builtins_items_155 [] = {
+static const NSSItem nss_builtins_items_151 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8574,7 +8430,7 @@ static const NSSItem nss_builtins_items_155 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_156 [] = {
+static const NSSItem nss_builtins_items_152 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8656,7 +8512,7 @@ static const NSSItem nss_builtins_items_156 [] = {
"\273\373\017\154\134\072\310\335\255\216\012\227\035\217"
, (PRUint32)862 }
};
-static const NSSItem nss_builtins_items_157 [] = {
+static const NSSItem nss_builtins_items_153 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8671,7 +8527,7 @@ static const NSSItem nss_builtins_items_157 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_158 [] = {
+static const NSSItem nss_builtins_items_154 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8835,7 +8691,7 @@ static const NSSItem nss_builtins_items_158 [] = {
"\145\315\351"
, (PRUint32)2163 }
};
-static const NSSItem nss_builtins_items_159 [] = {
+static const NSSItem nss_builtins_items_155 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8850,7 +8706,7 @@ static const NSSItem nss_builtins_items_159 [] = {
{ (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_160 [] = {
+static const NSSItem nss_builtins_items_156 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8944,7 +8800,7 @@ static const NSSItem nss_builtins_items_160 [] = {
"\065\341\035\026\034\320\274\053\216\326\161\331"
, (PRUint32)1052 }
};
-static const NSSItem nss_builtins_items_161 [] = {
+static const NSSItem nss_builtins_items_157 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8959,7 +8815,7 @@ static const NSSItem nss_builtins_items_161 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_162 [] = {
+static const NSSItem nss_builtins_items_158 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9057,7 +8913,7 @@ static const NSSItem nss_builtins_items_162 [] = {
"\027\132\173\320\274\307\217\116\206\004"
, (PRUint32)1082 }
};
-static const NSSItem nss_builtins_items_163 [] = {
+static const NSSItem nss_builtins_items_159 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9072,7 +8928,7 @@ static const NSSItem nss_builtins_items_163 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_164 [] = {
+static const NSSItem nss_builtins_items_160 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9166,7 +9022,7 @@ static const NSSItem nss_builtins_items_164 [] = {
"\116\072\063\014\053\263\055\220\006"
, (PRUint32)1049 }
};
-static const NSSItem nss_builtins_items_165 [] = {
+static const NSSItem nss_builtins_items_161 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9181,7 +9037,7 @@ static const NSSItem nss_builtins_items_165 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_166 [] = {
+static const NSSItem nss_builtins_items_162 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9276,7 +9132,7 @@ static const NSSItem nss_builtins_items_166 [] = {
"\306\241"
, (PRUint32)1058 }
};
-static const NSSItem nss_builtins_items_167 [] = {
+static const NSSItem nss_builtins_items_163 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9291,7 +9147,7 @@ static const NSSItem nss_builtins_items_167 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_168 [] = {
+static const NSSItem nss_builtins_items_164 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9382,7 +9238,7 @@ static const NSSItem nss_builtins_items_168 [] = {
"\051\303"
, (PRUint32)930 }
};
-static const NSSItem nss_builtins_items_169 [] = {
+static const NSSItem nss_builtins_items_165 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9397,7 +9253,7 @@ static const NSSItem nss_builtins_items_169 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_170 [] = {
+static const NSSItem nss_builtins_items_166 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9488,7 +9344,7 @@ static const NSSItem nss_builtins_items_170 [] = {
"\064\215"
, (PRUint32)930 }
};
-static const NSSItem nss_builtins_items_171 [] = {
+static const NSSItem nss_builtins_items_167 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9503,7 +9359,7 @@ static const NSSItem nss_builtins_items_171 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_172 [] = {
+static const NSSItem nss_builtins_items_168 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9594,7 +9450,7 @@ static const NSSItem nss_builtins_items_172 [] = {
"\116\101\325\226\343\116"
, (PRUint32)934 }
};
-static const NSSItem nss_builtins_items_173 [] = {
+static const NSSItem nss_builtins_items_169 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9609,7 +9465,7 @@ static const NSSItem nss_builtins_items_173 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_174 [] = {
+static const NSSItem nss_builtins_items_170 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9701,7 +9557,7 @@ static const NSSItem nss_builtins_items_174 [] = {
"\316\324\357"
, (PRUint32)931 }
};
-static const NSSItem nss_builtins_items_175 [] = {
+static const NSSItem nss_builtins_items_171 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9716,7 +9572,7 @@ static const NSSItem nss_builtins_items_175 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_176 [] = {
+static const NSSItem nss_builtins_items_172 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9816,7 +9672,7 @@ static const NSSItem nss_builtins_items_176 [] = {
"\024"
, (PRUint32)977 }
};
-static const NSSItem nss_builtins_items_177 [] = {
+static const NSSItem nss_builtins_items_173 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9831,7 +9687,7 @@ static const NSSItem nss_builtins_items_177 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
-static const NSSItem nss_builtins_items_178 [] = {
+static const NSSItem nss_builtins_items_174 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9906,7 +9762,7 @@ static const NSSItem nss_builtins_items_178 [] = {
"\011\254\211\111\323"
, (PRUint32)677 }
};
-static const NSSItem nss_builtins_items_179 [] = {
+static const NSSItem nss_builtins_items_175 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9921,6 +9777,188 @@ static const NSSItem nss_builtins_items_179 [] = {
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
};
+static const NSSItem nss_builtins_items_176 [] = {
+ { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+ { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)"E-Certify CA", (PRUint32)13 },
+ { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+ { (void *)"\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061"
+"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
+"\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104"
+"\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003"
+"\023\014\105\055\103\145\162\164\151\146\171\040\103\101"
+, (PRUint32)78 },
+ { (void *)"0", (PRUint32)2 },
+ { (void *)"\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061"
+"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
+"\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104"
+"\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003"
+"\023\014\105\055\103\145\162\164\151\146\171\040\103\101"
+, (PRUint32)78 },
+ { (void *)"\001\115\105\234"
+, (PRUint32)4 },
+ { (void *)"\060\202\003\071\060\202\002\041\240\003\002\001\002\002\004\001"
+"\115\105\234\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\114\061\013\060\011\006\003\125\004\006\023\002\143"
+"\141\061\022\060\020\006\003\125\004\012\023\011\105\055\103\145"
+"\162\164\151\146\171\061\022\060\020\006\003\125\004\013\023\011"
+"\111\104\040\103\145\156\164\145\162\061\025\060\023\006\003\125"
+"\004\003\023\014\105\055\103\145\162\164\151\146\171\040\103\101"
+"\060\036\027\015\071\071\060\071\062\070\061\066\064\070\062\071"
+"\132\027\015\060\064\060\071\062\070\061\066\064\070\062\071\132"
+"\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061"
+"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
+"\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104"
+"\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003"
+"\023\014\105\055\103\145\162\164\151\146\171\040\103\101\060\202"
+"\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005"
+"\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\272"
+"\233\246\161\200\125\164\111\051\125\166\033\307\066\225\060\054"
+"\062\011\121\356\060\244\153\150\207\107\330\050\012\027\177\157"
+"\250\232\040\266\253\001\322\256\240\105\106\065\002\002\374\332"
+"\340\040\162\012\063\015\223\160\270\004\220\111\371\150\070\273"
+"\015\021\156\071\135\130\172\306\043\146\351\273\027\062\046\350"
+"\354\022\150\207\051\314\271\345\117\314\210\033\355\225\161\241"
+"\123\042\056\355\203\134\376\062\127\114\122\123\070\341\025\155"
+"\000\125\111\207\044\313\344\026\110\270\231\345\332\172\337\243"
+"\205\230\164\302\371\253\153\111\315\377\102\315\270\055\264\200"
+"\313\114\172\065\374\220\277\115\323\000\355\317\214\377\117\071"
+"\373\172\170\360\016\015\111\177\123\076\024\233\046\250\252\311"
+"\273\341\321\033\335\034\060\257\001\346\233\046\006\144\274\357"
+"\130\114\132\105\225\120\304\054\076\164\130\351\074\257\373\303"
+"\253\122\004\332\044\362\261\304\366\133\323\110\340\301\204\060"
+"\174\321\165\077\344\123\163\135\211\330\356\100\117\011\227\227"
+"\205\143\215\325\240\256\206\203\153\333\124\150\136\350\113\002"
+"\003\001\000\001\243\043\060\041\060\014\006\003\125\035\023\004"
+"\005\060\003\001\001\377\060\021\006\011\140\206\110\001\206\370"
+"\102\001\001\004\004\003\002\000\007\060\015\006\011\052\206\110"
+"\206\367\015\001\001\005\005\000\003\202\001\001\000\163\076\031"
+"\174\330\126\321\305\377\012\235\347\266\315\227\363\247\341\101"
+"\310\176\202\065\377\233\226\322\013\357\161\362\020\345\104\313"
+"\222\350\016\132\346\076\304\364\225\151\002\274\013\126\200\271"
+"\161\027\143\036\101\111\052\065\352\034\325\144\253\111\355\013"
+"\076\213\124\241\115\050\150\352\275\267\201\077\065\171\202\367"
+"\064\274\171\210\045\236\200\347\317\250\025\257\362\341\025\053"
+"\007\121\340\324\215\112\112\003\300\042\053\271\150\112\200\303"
+"\250\205\010\325\247\052\275\313\247\143\175\243\260\312\126\140"
+"\154\105\341\312\277\024\122\012\302\305\145\354\241\075\037\100"
+"\371\120\132\344\064\012\157\302\164\254\174\314\047\352\343\207"
+"\245\123\310\336\174\076\135\102\122\132\353\005\150\246\030\062"
+"\140\040\170\153\160\024\140\041\202\011\075\036\126\300\025\141"
+"\000\121\145\262\061\022\371\306\112\006\274\137\364\071\037\166"
+"\232\211\170\351\066\202\332\265\157\213\177\211\265\114\367\145"
+"\030\134\201\363\356\120\326\335\354\151\110\237\053\265\336\076"
+"\275\372\274\154\153\147\123\233\261\223\271\221\106"
+, (PRUint32)829 }
+};
+static const NSSItem nss_builtins_items_177 [] = {
+ { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+ { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)"E-Certify CA", (PRUint32)13 },
+ { (void *)"\133\330\153\206\375\275\330\206\371\233\310\120\106\350\052\112"
+"\211\152\317\357"
+, (PRUint32)20 },
+ { (void *)"\256\065\177\222\227\106\174\217\023\051\341\333\236\102\145\152"
+, (PRUint32)16 },
+ { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+ { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+ { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_178 [] = {
+ { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+ { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)"E-Certify RA", (PRUint32)13 },
+ { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+ { (void *)"\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061"
+"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
+"\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104"
+"\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003"
+"\023\014\105\055\103\145\162\164\151\146\171\040\122\101"
+, (PRUint32)78 },
+ { (void *)"0", (PRUint32)2 },
+ { (void *)"\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061"
+"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
+"\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104"
+"\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003"
+"\023\014\105\055\103\145\162\164\151\146\171\040\103\101"
+, (PRUint32)78 },
+ { (void *)"\001\117\353\020"
+, (PRUint32)4 },
+ { (void *)"\060\202\003\071\060\202\002\041\240\003\002\001\002\002\004\001"
+"\117\353\020\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\114\061\013\060\011\006\003\125\004\006\023\002\143"
+"\141\061\022\060\020\006\003\125\004\012\023\011\105\055\103\145"
+"\162\164\151\146\171\061\022\060\020\006\003\125\004\013\023\011"
+"\111\104\040\103\145\156\164\145\162\061\025\060\023\006\003\125"
+"\004\003\023\014\105\055\103\145\162\164\151\146\171\040\103\101"
+"\060\036\027\015\071\071\060\071\063\060\061\066\065\070\065\067"
+"\132\027\015\060\064\060\071\062\067\061\066\065\070\065\067\132"
+"\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061"
+"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
+"\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104"
+"\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003"
+"\023\014\105\055\103\145\162\164\151\146\171\040\122\101\060\202"
+"\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005"
+"\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\334"
+"\260\267\045\373\356\014\272\330\243\162\104\017\052\243\343\110"
+"\004\321\364\060\164\006\010\016\137\067\307\066\267\202\232\045"
+"\113\254\153\111\231\000\033\027\362\360\337\027\027\351\355\040"
+"\152\024\153\375\311\314\017\346\014\153\206\345\365\244\372\333"
+"\005\052\000\310\015\352\252\145\100\066\312\363\345\165\071\216"
+"\334\146\333\104\034\236\303\213\103\070\313\274\360\232\311\331"
+"\312\067\023\312\122\301\055\351\107\040\345\314\044\170\340\346"
+"\033\114\270\322\124\202\155\016\271\041\140\357\174\264\000\373"
+"\122\304\057\012\367\004\116\204\057\337\030\254\143\006\040\335"
+"\332\261\201\301\341\255\177\030\210\167\363\353\370\255\317\172"
+"\020\120\126\171\236\124\317\336\034\233\327\102\224\341\317\325"
+"\154\365\136\075\315\345\147\023\073\232\315\072\142\204\371\141"
+"\036\155\325\130\216\331\371\255\052\076\226\361\355\252\177\020"
+"\356\366\000\205\074\261\005\013\064\321\134\142\340\215\022\256"
+"\275\114\124\300\342\274\144\161\140\145\206\306\331\204\253\130"
+"\140\152\061\156\175\117\261\210\242\376\024\114\072\214\373\002"
+"\003\001\000\001\243\043\060\041\060\014\006\003\125\035\023\004"
+"\005\060\003\001\001\377\060\021\006\011\140\206\110\001\206\370"
+"\102\001\001\004\004\003\002\000\007\060\015\006\011\052\206\110"
+"\206\367\015\001\001\005\005\000\003\202\001\001\000\255\030\200"
+"\317\060\274\073\350\362\002\025\127\075\350\114\143\346\356\062"
+"\243\177\345\001\360\047\271\052\331\301\250\236\043\036\107\231"
+"\327\056\104\113\024\313\320\275\046\144\003\362\006\217\237\327"
+"\110\250\161\153\026\064\305\076\265\171\230\263\346\340\320\070"
+"\021\231\244\021\173\343\071\245\015\077\235\325\322\305\172\057"
+"\352\104\024\315\020\116\240\064\263\153\211\137\360\256\237\315"
+"\123\325\176\172\120\045\000\041\244\155\351\310\161\000\373\255"
+"\064\027\110\042\356\247\050\154\206\162\333\371\233\206\104\170"
+"\136\005\351\150\064\060\241\025\145\301\251\332\236\135\236\043"
+"\106\116\052\346\116\263\114\237\314\106\010\230\034\074\103\237"
+"\264\316\240\140\357\044\316\116\037\350\302\251\162\273\057\332"
+"\102\006\041\360\232\345\170\107\054\010\164\120\150\140\375\205"
+"\302\373\257\112\222\361\204\235\000\152\310\126\041\216\157\301"
+"\061\313\121\354\166\165\172\337\001\016\162\150\241\362\046\216"
+"\331\270\306\243\144\122\372\155\373\112\075\132\135\270\124\224"
+"\355\125\150\145\235\077\122\114\106\222\026\013\276"
+, (PRUint32)829 }
+};
+static const NSSItem nss_builtins_items_179 [] = {
+ { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+ { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+ { (void *)"E-Certify RA", (PRUint32)13 },
+ { (void *)"\217\051\011\013\006\302\070\314\160\305\251\355\227\147\210\315"
+"\066\332\335\131"
+, (PRUint32)20 },
+ { (void *)"\245\273\012\243\320\307\124\025\130\336\153\122\020\121\272\050"
+, (PRUint32)16 },
+ { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+ { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+ { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
PR_IMPLEMENT_DATA(const builtinsInternalObject)
nss_builtins_data[] = {
diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt
index ee7273197..b4f78d59d 100644
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -3230,166 +3230,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
#
-# Certificate "E-Certify Internet ID"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "E-Certify Internet ID"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\103\101\061
-\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
-\151\146\171\061\030\060\026\006\003\125\004\013\023\017\122\123
-\101\040\107\157\154\144\040\103\154\151\145\156\164\061\046\060
-\044\006\003\125\004\003\023\035\105\055\103\145\162\164\151\146
-\171\040\122\123\101\040\065\061\062\040\107\157\154\144\040\103
-\154\151\145\156\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\103\101\061
-\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
-\151\146\171\061\030\060\026\006\003\125\004\013\023\017\122\123
-\101\040\107\157\154\144\040\103\154\151\145\156\164\061\046\060
-\044\006\003\125\004\003\023\035\105\055\103\145\162\164\151\146
-\171\040\122\123\101\040\065\061\062\040\107\157\154\144\040\103
-\154\151\145\156\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\001\312\060\202\001\164\240\003\002\001\002\002\001\002
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\143\061\013\060\011\006\003\125\004\006\023\002\103\101\061\022
-\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164\151
-\146\171\061\030\060\026\006\003\125\004\013\023\017\122\123\101
-\040\107\157\154\144\040\103\154\151\145\156\164\061\046\060\044
-\006\003\125\004\003\023\035\105\055\103\145\162\164\151\146\171
-\040\122\123\101\040\065\061\062\040\107\157\154\144\040\103\154
-\151\145\156\164\060\036\027\015\071\070\061\060\061\066\061\063
-\063\064\060\070\132\027\015\060\063\061\060\061\066\061\063\063
-\064\060\070\132\060\143\061\013\060\011\006\003\125\004\006\023
-\002\103\101\061\022\060\020\006\003\125\004\012\023\011\105\055
-\103\145\162\164\151\146\171\061\030\060\026\006\003\125\004\013
-\023\017\122\123\101\040\107\157\154\144\040\103\154\151\145\156
-\164\061\046\060\044\006\003\125\004\003\023\035\105\055\103\145
-\162\164\151\146\171\040\122\123\101\040\065\061\062\040\107\157
-\154\144\040\103\154\151\145\156\164\060\134\060\015\006\011\052
-\206\110\206\367\015\001\001\001\005\000\003\113\000\060\110\002
-\101\000\160\011\304\365\211\211\115\310\243\362\300\037\344\175
-\360\374\172\310\202\314\146\011\305\051\323\135\010\324\351\350
-\377\137\031\300\373\334\252\217\060\014\076\332\205\167\117\170
-\300\317\075\126\311\263\365\203\226\110\356\220\237\254\016\002
-\316\071\002\003\001\000\001\243\023\060\021\060\017\006\003\125
-\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011
-\052\206\110\206\367\015\001\001\004\005\000\003\101\000\035\222
-\327\114\344\014\326\373\112\075\351\341\302\037\000\367\121\374
-\361\076\370\312\304\361\043\210\217\320\116\177\247\214\173\177
-\004\102\133\367\046\132\264\343\121\162\110\045\125\317\157\360
-\377\003\313\301\331\031\000\364\370\371\364\273\030\126
-END
-
-# Trust for Certificate "E-Certify Internet ID"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "E-Certify Internet ID"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\077\065\017\377\111\047\260\141\105\312\101\073\101\244\215\235
-\044\315\125\035
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\374\012\336\152\227\076\143\333\122\302\131\003\010\060\141\042
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
-
-#
-# Certificate "E-Certify Commerce ID"
-#
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "E-Certify Commerce ID"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\103\101\061
-\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
-\151\146\171\061\030\060\026\006\003\125\004\013\023\017\122\123
-\101\040\107\157\154\144\040\123\145\162\166\145\162\061\046\060
-\044\006\003\125\004\003\023\035\105\055\103\145\162\164\151\146
-\171\040\122\123\101\040\065\061\062\040\107\157\154\144\040\123
-\145\162\166\145\162
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\103\101\061
-\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
-\151\146\171\061\030\060\026\006\003\125\004\013\023\017\122\123
-\101\040\107\157\154\144\040\123\145\162\166\145\162\061\046\060
-\044\006\003\125\004\003\023\035\105\055\103\145\162\164\151\146
-\171\040\122\123\101\040\065\061\062\040\107\157\154\144\040\123
-\145\162\166\145\162
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\001\312\060\202\001\164\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\143\061\013\060\011\006\003\125\004\006\023\002\103\101\061\022
-\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164\151
-\146\171\061\030\060\026\006\003\125\004\013\023\017\122\123\101
-\040\107\157\154\144\040\123\145\162\166\145\162\061\046\060\044
-\006\003\125\004\003\023\035\105\055\103\145\162\164\151\146\171
-\040\122\123\101\040\065\061\062\040\107\157\154\144\040\123\145
-\162\166\145\162\060\036\027\015\071\070\061\060\061\066\061\063
-\063\067\065\063\132\027\015\060\063\061\060\061\066\061\063\063
-\067\065\063\132\060\143\061\013\060\011\006\003\125\004\006\023
-\002\103\101\061\022\060\020\006\003\125\004\012\023\011\105\055
-\103\145\162\164\151\146\171\061\030\060\026\006\003\125\004\013
-\023\017\122\123\101\040\107\157\154\144\040\123\145\162\166\145
-\162\061\046\060\044\006\003\125\004\003\023\035\105\055\103\145
-\162\164\151\146\171\040\122\123\101\040\065\061\062\040\107\157
-\154\144\040\123\145\162\166\145\162\060\134\060\015\006\011\052
-\206\110\206\367\015\001\001\001\005\000\003\113\000\060\110\002
-\101\000\315\125\017\167\022\376\363\200\326\211\001\035\131\356
-\000\262\165\116\246\223\055\136\374\036\004\155\215\115\261\333
-\137\262\053\124\365\301\013\252\016\156\104\220\317\003\215\047
-\010\063\336\073\050\245\326\122\171\067\310\136\221\312\211\002
-\111\027\002\003\001\000\001\243\023\060\021\060\017\006\003\125
-\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011
-\052\206\110\206\367\015\001\001\004\005\000\003\101\000\164\365
-\045\172\071\347\203\020\377\011\173\160\316\054\326\166\341\117
-\174\064\172\210\005\060\362\007\213\021\244\071\215\164\173\246
-\373\172\346\340\006\055\316\160\161\033\230\104\112\023\274\365
-\267\026\213\174\211\264\022\023\032\344\321\016\163\052
-END
-
-# Trust for Certificate "E-Certify Commerce ID"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "E-Certify Commerce ID"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\077\025\014\145\325\170\211\025\237\031\377\341\041\331\311\115
-\150\032\031\205
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\265\302\221\035\163\344\353\371\326\123\300\004\343\077\243\215
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
-
-#
# Certificate "Verisign Class 1 Public Primary Certification Authority"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
@@ -10121,3 +9961,201 @@ END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "E-Certify CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "E-Certify CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061
+\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
+\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104
+\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003
+\023\014\105\055\103\145\162\164\151\146\171\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061
+\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
+\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104
+\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003
+\023\014\105\055\103\145\162\164\151\146\171\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001\115\105\234
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\071\060\202\002\041\240\003\002\001\002\002\004\001
+\115\105\234\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\114\061\013\060\011\006\003\125\004\006\023\002\143
+\141\061\022\060\020\006\003\125\004\012\023\011\105\055\103\145
+\162\164\151\146\171\061\022\060\020\006\003\125\004\013\023\011
+\111\104\040\103\145\156\164\145\162\061\025\060\023\006\003\125
+\004\003\023\014\105\055\103\145\162\164\151\146\171\040\103\101
+\060\036\027\015\071\071\060\071\062\070\061\066\064\070\062\071
+\132\027\015\060\064\060\071\062\070\061\066\064\070\062\071\132
+\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061
+\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
+\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104
+\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003
+\023\014\105\055\103\145\162\164\151\146\171\040\103\101\060\202
+\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
+\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\272
+\233\246\161\200\125\164\111\051\125\166\033\307\066\225\060\054
+\062\011\121\356\060\244\153\150\207\107\330\050\012\027\177\157
+\250\232\040\266\253\001\322\256\240\105\106\065\002\002\374\332
+\340\040\162\012\063\015\223\160\270\004\220\111\371\150\070\273
+\015\021\156\071\135\130\172\306\043\146\351\273\027\062\046\350
+\354\022\150\207\051\314\271\345\117\314\210\033\355\225\161\241
+\123\042\056\355\203\134\376\062\127\114\122\123\070\341\025\155
+\000\125\111\207\044\313\344\026\110\270\231\345\332\172\337\243
+\205\230\164\302\371\253\153\111\315\377\102\315\270\055\264\200
+\313\114\172\065\374\220\277\115\323\000\355\317\214\377\117\071
+\373\172\170\360\016\015\111\177\123\076\024\233\046\250\252\311
+\273\341\321\033\335\034\060\257\001\346\233\046\006\144\274\357
+\130\114\132\105\225\120\304\054\076\164\130\351\074\257\373\303
+\253\122\004\332\044\362\261\304\366\133\323\110\340\301\204\060
+\174\321\165\077\344\123\163\135\211\330\356\100\117\011\227\227
+\205\143\215\325\240\256\206\203\153\333\124\150\136\350\113\002
+\003\001\000\001\243\043\060\041\060\014\006\003\125\035\023\004
+\005\060\003\001\001\377\060\021\006\011\140\206\110\001\206\370
+\102\001\001\004\004\003\002\000\007\060\015\006\011\052\206\110
+\206\367\015\001\001\005\005\000\003\202\001\001\000\163\076\031
+\174\330\126\321\305\377\012\235\347\266\315\227\363\247\341\101
+\310\176\202\065\377\233\226\322\013\357\161\362\020\345\104\313
+\222\350\016\132\346\076\304\364\225\151\002\274\013\126\200\271
+\161\027\143\036\101\111\052\065\352\034\325\144\253\111\355\013
+\076\213\124\241\115\050\150\352\275\267\201\077\065\171\202\367
+\064\274\171\210\045\236\200\347\317\250\025\257\362\341\025\053
+\007\121\340\324\215\112\112\003\300\042\053\271\150\112\200\303
+\250\205\010\325\247\052\275\313\247\143\175\243\260\312\126\140
+\154\105\341\312\277\024\122\012\302\305\145\354\241\075\037\100
+\371\120\132\344\064\012\157\302\164\254\174\314\047\352\343\207
+\245\123\310\336\174\076\135\102\122\132\353\005\150\246\030\062
+\140\040\170\153\160\024\140\041\202\011\075\036\126\300\025\141
+\000\121\145\262\061\022\371\306\112\006\274\137\364\071\037\166
+\232\211\170\351\066\202\332\265\157\213\177\211\265\114\367\145
+\030\134\201\363\356\120\326\335\354\151\110\237\053\265\336\076
+\275\372\274\154\153\147\123\233\261\223\271\221\106
+END
+
+# Trust for Certificate "E-Certify CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "E-Certify CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\133\330\153\206\375\275\330\206\371\233\310\120\106\350\052\112
+\211\152\317\357
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\256\065\177\222\227\106\174\217\023\051\341\333\236\102\145\152
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "E-Certify RA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "E-Certify RA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061
+\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
+\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104
+\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003
+\023\014\105\055\103\145\162\164\151\146\171\040\122\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061
+\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
+\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104
+\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003
+\023\014\105\055\103\145\162\164\151\146\171\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001\117\353\020
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\071\060\202\002\041\240\003\002\001\002\002\004\001
+\117\353\020\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\114\061\013\060\011\006\003\125\004\006\023\002\143
+\141\061\022\060\020\006\003\125\004\012\023\011\105\055\103\145
+\162\164\151\146\171\061\022\060\020\006\003\125\004\013\023\011
+\111\104\040\103\145\156\164\145\162\061\025\060\023\006\003\125
+\004\003\023\014\105\055\103\145\162\164\151\146\171\040\103\101
+\060\036\027\015\071\071\060\071\063\060\061\066\065\070\065\067
+\132\027\015\060\064\060\071\062\067\061\066\065\070\065\067\132
+\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061
+\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
+\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104
+\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003
+\023\014\105\055\103\145\162\164\151\146\171\040\122\101\060\202
+\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
+\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\334
+\260\267\045\373\356\014\272\330\243\162\104\017\052\243\343\110
+\004\321\364\060\164\006\010\016\137\067\307\066\267\202\232\045
+\113\254\153\111\231\000\033\027\362\360\337\027\027\351\355\040
+\152\024\153\375\311\314\017\346\014\153\206\345\365\244\372\333
+\005\052\000\310\015\352\252\145\100\066\312\363\345\165\071\216
+\334\146\333\104\034\236\303\213\103\070\313\274\360\232\311\331
+\312\067\023\312\122\301\055\351\107\040\345\314\044\170\340\346
+\033\114\270\322\124\202\155\016\271\041\140\357\174\264\000\373
+\122\304\057\012\367\004\116\204\057\337\030\254\143\006\040\335
+\332\261\201\301\341\255\177\030\210\167\363\353\370\255\317\172
+\020\120\126\171\236\124\317\336\034\233\327\102\224\341\317\325
+\154\365\136\075\315\345\147\023\073\232\315\072\142\204\371\141
+\036\155\325\130\216\331\371\255\052\076\226\361\355\252\177\020
+\356\366\000\205\074\261\005\013\064\321\134\142\340\215\022\256
+\275\114\124\300\342\274\144\161\140\145\206\306\331\204\253\130
+\140\152\061\156\175\117\261\210\242\376\024\114\072\214\373\002
+\003\001\000\001\243\043\060\041\060\014\006\003\125\035\023\004
+\005\060\003\001\001\377\060\021\006\011\140\206\110\001\206\370
+\102\001\001\004\004\003\002\000\007\060\015\006\011\052\206\110
+\206\367\015\001\001\005\005\000\003\202\001\001\000\255\030\200
+\317\060\274\073\350\362\002\025\127\075\350\114\143\346\356\062
+\243\177\345\001\360\047\271\052\331\301\250\236\043\036\107\231
+\327\056\104\113\024\313\320\275\046\144\003\362\006\217\237\327
+\110\250\161\153\026\064\305\076\265\171\230\263\346\340\320\070
+\021\231\244\021\173\343\071\245\015\077\235\325\322\305\172\057
+\352\104\024\315\020\116\240\064\263\153\211\137\360\256\237\315
+\123\325\176\172\120\045\000\041\244\155\351\310\161\000\373\255
+\064\027\110\042\356\247\050\154\206\162\333\371\233\206\104\170
+\136\005\351\150\064\060\241\025\145\301\251\332\236\135\236\043
+\106\116\052\346\116\263\114\237\314\106\010\230\034\074\103\237
+\264\316\240\140\357\044\316\116\037\350\302\251\162\273\057\332
+\102\006\041\360\232\345\170\107\054\010\164\120\150\140\375\205
+\302\373\257\112\222\361\204\235\000\152\310\126\041\216\157\301
+\061\313\121\354\166\165\172\337\001\016\162\150\241\362\046\216
+\331\270\306\243\144\122\372\155\373\112\075\132\135\270\124\224
+\355\125\150\145\235\077\122\114\106\222\026\013\276
+END
+
+# Trust for Certificate "E-Certify RA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "E-Certify RA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\217\051\011\013\006\302\070\314\160\305\251\355\227\147\210\315
+\066\332\335\131
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\245\273\012\243\320\307\124\025\130\336\153\122\020\121\272\050
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
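Review bot: Both new trust records set all three purposes to `CKT_NETSCAPE_TRUSTED_DELEGATOR`, whereas the two E-Certify entries this commit removes were each a delegator for one purpose only and `CKT_NETSCAPE_VALID` for the other two; nothing in the file says why the scope was widened. "E-Certify RA" is also not self-signed: its CKA_ISSUER is the "E-Certify CA" subject added just above it, so it presumably already chains to that root, and as a separate anchor it would stay trusted if the CA entry were later removed or distrusted. If the RA entry has to stay, I would narrow it to the purposes actually needed, e.g. `CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID`. I would also add a `#` comment above each trust block recording the request that approved the inclusion and the intended usages. The same trust values are carried into the generated certdata.c arrays.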
diff --git a/security/nss/lib/crmf/asn1cmn.c b/security/nss/lib/crmf/asn1cmn.c
index 7299bbdc6..0cb0c3c41 100644
--- a/security/nss/lib/crmf/asn1cmn.c
+++ b/security/nss/lib/crmf/asn1cmn.c
@@ -62,7 +62,8 @@ const SEC_ASN1Template CMMFCertifiedKeyPairTemplate[] = {
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 0,
offsetof(CMMFCertifiedKeyPair, privateKey),
CRMFEncryptedValueTemplate},
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+ { SEC_ASN1_NO_STREAM | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
+ SEC_ASN1_XTRN | 1,
offsetof (CMMFCertifiedKeyPair, derPublicationInfo),
SEC_ASN1_SUB(SEC_AnyTemplate) },
{ 0 }
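Review bot: `SEC_ASN1_NO_STREAM` is added to the `derPublicationInfo` entry with no comment saying why, and the same bare addition repeats in the crmftmpl.c hunks (notBefore/notAfter, issuerUID/subjectUID, derInput, encSymmKey, valueHint). Every touched entry appears to be an optional context-tagged `SEC_ASN1_XTRN` field without `SEC_ASN1_POINTER`, while the `SEC_ASN1_POINTER` entries beside them (privateKey here, keyAlg in crmftmpl.c) are left alone. If that is the rule, it should be written down so the next template author applies it consistently. A short comment above the first such entry would do, along the lines of `/* SEC_ASN1_NO_STREAM: <reason this optional tagged field must not be streamed> */`. The template array starts above this hunk, so entries outside it may need the same check.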
diff --git a/security/nss/lib/crmf/crmftmpl.c b/security/nss/lib/crmf/crmftmpl.c
index 8cbc9895e..7dffb6e80 100644
--- a/security/nss/lib/crmf/crmftmpl.c
+++ b/security/nss/lib/crmf/crmftmpl.c
@@ -73,11 +73,11 @@ static const SEC_ASN1Template CRMFSequenceOfCertExtensionTemplate[] = {
static const SEC_ASN1Template CRMFOptionalValidityTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFOptionalValidity) },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
+ { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_NO_STREAM |
SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 0,
offsetof (CRMFOptionalValidity, notBefore),
SEC_ASN1_SUB(SEC_UTCTimeTemplate) },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
+ { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_NO_STREAM |
SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 1,
offsetof (CRMFOptionalValidity, notAfter),
SEC_ASN1_SUB(SEC_UTCTimeTemplate) },
@@ -113,10 +113,12 @@ static const SEC_ASN1Template CRMFCertTemplateTemplate[] = {
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 6,
offsetof (CRMFCertTemplate, publicKey),
CERT_SubjectPublicKeyInfoTemplate },
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 7,
+ { SEC_ASN1_NO_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL |
+ SEC_ASN1_XTRN | 7,
offsetof (CRMFCertTemplate, issuerUID),
SEC_ASN1_SUB(SEC_BitStringTemplate) },
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 8,
+ { SEC_ASN1_NO_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL |
+ SEC_ASN1_XTRN | 8,
offsetof (CRMFCertTemplate, subjectUID),
SEC_ASN1_SUB(SEC_BitStringTemplate) },
{ SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL |
@@ -184,7 +186,8 @@ const SEC_ASN1Template CRMFRAVerifiedTemplate[] = {
/* This template will need to add POPOSigningKeyInput eventually, maybe*/
static const SEC_ASN1Template crmfPOPOSigningKeyTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFPOPOSigningKey) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+ { SEC_ASN1_NO_STREAM | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
+ SEC_ASN1_XTRN | 0,
offsetof(CRMFPOPOSigningKey, derInput),
SEC_ASN1_SUB(SEC_AnyTemplate) },
{ SEC_ASN1_POINTER | SEC_ASN1_XTRN,
@@ -250,14 +253,16 @@ const SEC_ASN1Template CRMFEncryptedValueTemplate[] = {
SEC_ASN1_XTRN | 1,
offsetof (CRMFEncryptedValue, symmAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 2,
+ { SEC_ASN1_NO_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL |
+ SEC_ASN1_XTRN | 2,
offsetof(CRMFEncryptedValue, encSymmKey),
SEC_ASN1_SUB(SEC_BitStringTemplate) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER |
SEC_ASN1_XTRN | 3,
offsetof(CRMFEncryptedValue, keyAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 4,
+ { SEC_ASN1_NO_STREAM | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
+ SEC_ASN1_XTRN | 4,
offsetof(CRMFEncryptedValue, valueHint),
SEC_ASN1_SUB(SEC_OctetStringTemplate) },
{ SEC_ASN1_BIT_STRING, offsetof(CRMFEncryptedValue, encValue) },
diff --git a/security/nss/lib/freebl/mpi/mpprime.c b/security/nss/lib/freebl/mpi/mpprime.c
index 3cdf88aa6..76a64a083 100644
--- a/security/nss/lib/freebl/mpi/mpprime.c
+++ b/security/nss/lib/freebl/mpi/mpprime.c
@@ -480,11 +480,11 @@ mp_err mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong,
}
/* start sieveing with prime value of 3. */
MP_CHECKOK(mpp_sieve(start, prime_tab + 1, prime_tab_size - 1,
- sieve, sizeof sieve) );
+ sieve, SIEVE_SIZE) );
#ifdef DEBUG_SIEVE
res = 0;
- for (i = 0; i < sizeof sieve; ++i) {
+ for (i = 0; i < SIEVE_SIZE; ++i) {
if (!sieve[i])
++res;
}
@@ -495,7 +495,7 @@ mp_err mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong,
#endif
res = MP_NO;
- for(i = 0; i < sizeof sieve; ++i) {
+ for(i = 0; i < SIEVE_SIZE; ++i) {
if (sieve[i]) /* this number is composite */
continue;
MP_CHECKOK( mp_add_d(start, 2 * i, &trial) );
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index 53f87d641..cc0c1095e 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -309,6 +309,8 @@ PK11_ImportEncryptedPrivateKeyInfo;
PK11_ImportPrivateKeyInfo;
PK11_MapPBEMechanismToCryptoMechanism;
PK11_PBEKeyGen;
+PK11_CreatePBEParams;
+PK11_DestroyPBEParams;
PK11_ParamFromAlgid;
PK11_ParamToAlgid;
PK11_TraverseCertsForNicknameInSlot;
@@ -459,8 +461,12 @@ CERT_CreateName;
;+};
;+NSS_3.3 { # NSS 3.3. release
;+ global:
-SECKEY_CreateDHPrivateKey;
CERT_CheckCertUsage;
+CERT_FindCertIssuer;
+PK11_GetModule;
+SECKEY_CreateDHPrivateKey;
+SECKEY_GetPublicKeyType;
+SECMOD_AddNewModule;
;+#
;+# The following symbols are exported only to make JSS work.
;+# These are still private!!!
@@ -481,6 +487,7 @@ PK11_CheckSSOPassword;
PK11_CopySymKeyForSigning;
PK11_DeleteTokenCertAndKey;
PK11_DEREncodePublicKey;
+PK11_ExtractKeyValue;
PK11_FindCertsFromNickname;
PK11_FindKeyByKeyID;
PK11_GetIVLength;
@@ -488,12 +495,16 @@ PK11_GetKeyData;
PK11_GetKeyType;
PK11_GetLowLevelKeyIDForCert;
PK11_GetLowLevelKeyIDForPrivateKey;
+PK11_GetSlotPWValues;
PK11_ImportCertForKey;
PK11_ImportDERCertForKey;
PK11_ImportDERPrivateKeyInfo;
+PK11_ImportSymKey;
PK11_IsLoggedIn;
PK11_KeyForDERCertExists;
PK11_KeyForCertExists;
+PK11_ListPrivateKeysInSlot;
+PK11_ListCertsInSlot;
PK11_Logout;
PK11_NeedPWInit;
PK11_MakeIDFromPubKey;
@@ -510,15 +521,13 @@ PK11_PQG_NewVerify;
PK11_PQG_ParamGen;
PK11_PQG_ParamGenSeedLen;
PK11_PQG_VerifyParams;
+PK11_ReferenceSlot;
PK11_SeedRandom;
PK11_UnwrapPrivKey;
PK11_VerifyRecover;
PK11_WrapPrivKey;
-PK11_ReferenceSlot;
-PK11_GetSlotPWValues;
-PK11_ImportSymKey;
-PK11_ExtractKeyValue;
SEC_CertNicknameConflict;
+SEC_PKCS5GetIV;
SECMOD_DeleteInternalModule;
SECMOD_DestroyModule;
SECMOD_GetDefaultModuleList;
@@ -527,18 +536,15 @@ SECMOD_GetInternalModule;
SECMOD_GetReadLock;
SECMOD_ReferenceModule;
SECMOD_ReleaseReadLock;
-SECKEY_GetPrivateKeyType;
+SECKEY_AddPrivateKeyToListTail;
SECKEY_EncodeDERSubjectPublicKeyInfo;
SECKEY_ExtractPublicKey;
+SECKEY_DestroyPrivateKeyList;
+SECKEY_GetPrivateKeyType;
SECKEY_HashPassword;
SECKEY_ImportDERPublicKey;
SECKEY_NewPrivateKeyList;
-SECKEY_DestroyPrivateKeyList;
SECKEY_RemovePrivateKeyListNode;
-SECKEY_AddPrivateKeyToListTail;
-SEC_PKCS5GetIV;
-PK11_ListPrivateKeysInSlot;
-PK11_ListCertsInSlot;
VFY_EndWithSignature;
;+ local:
;+ *;
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
index 51d4ae895..a5d5a5199 100644
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -49,11 +49,11 @@ SEC_BEGIN_PROTOS
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>] [<Beta>]"
*/
-#define NSS_VERSION "3.3 Beta"
+#define NSS_VERSION "3.3"
#define NSS_VMAJOR 3
#define NSS_VMINOR 3
#define NSS_VPATCH 0
-#define NSS_BETA PR_TRUE
+#define NSS_BETA PR_FALSE
/*
diff --git a/security/nss/lib/pk11wrap/pk11func.h b/security/nss/lib/pk11wrap/pk11func.h
index f3411681c..67fb9edc2 100644
--- a/security/nss/lib/pk11wrap/pk11func.h
+++ b/security/nss/lib/pk11wrap/pk11func.h
@@ -455,6 +455,17 @@ void PK11_SetFortezzaHack(PK11SymKey *symKey) ;
/**********************************************************************
* PBE functions
**********************************************************************/
+
+/* This function creates PBE parameters from the given inputs. The result
+ * can be used to create a password integrity key for PKCS#12, by sending
+ * the return value to PK11_KeyGen along with the appropriate mechanism.
+ */
+SECItem *
+PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations);
+
+/* free params created above (can be called after keygen is done */
+void PK11_DestroyPBEParams(SECItem *params);
+
SECAlgorithmID *
PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt);
PK11SymKey *
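Review bot: The comment on PK11_CreatePBEParams does not state the ownership and failure contract, which matters because the returned item carries a copy of the password. It should say that salt and pwd are copied (the caller keeps ownership of both), that NULL is returned on allocation failure, and that the result must be released with PK11_DestroyPBEParams rather than SECITEM_FreeItem. The second comment is also missing its closing parenthesis: `/* free params created above (can be called after keygen is done) */`.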
diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c
index 618dce8dd..607deeba8 100644
--- a/security/nss/lib/pk11wrap/pk11skey.c
+++ b/security/nss/lib/pk11wrap/pk11skey.c
@@ -1207,7 +1207,7 @@ PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
int keySize, SECItem *keyid, PRBool isToken, void *wincx)
{
PK11SymKey *symKey;
- CK_ATTRIBUTE genTemplate[4];
+ CK_ATTRIBUTE genTemplate[5];
CK_ATTRIBUTE *attrs = genTemplate;
int count = sizeof(genTemplate)/sizeof(genTemplate[0]);
CK_SESSION_HANDLE session;
@@ -1216,6 +1216,7 @@ PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
PRBool weird = PR_FALSE; /* hack for fortezza */
CK_BBOOL ckfalse = CK_FALSE;
CK_BBOOL cktrue = CK_TRUE;
+ CK_ULONG ck_key_size; /* only used for variable-length keys */
if ((keySize == -1) && (type == CKM_SKIPJACK_CBC64)) {
weird = PR_TRUE;
@@ -1227,9 +1228,9 @@ PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
? CKA_ENCRYPT : CKA_DECRYPT, &cktrue, sizeof(CK_BBOOL)); attrs++;
if (keySize != 0) {
- CK_ULONG key_size = keySize; /* Convert to PK11 type */
+ ck_key_size = keySize; /* Convert to PK11 type */
- PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size));
+ PK11_SETATTRS(attrs, CKA_VALUE_LEN, &ck_key_size, sizeof(ck_key_size));
attrs++;
}
@@ -1242,6 +1243,8 @@ PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue)); attrs++;
}
+ PK11_SETATTRS(attrs, CKA_SIGN, &cktrue, sizeof(cktrue)); attrs++;
+
count = attrs - genTemplate;
PR_ASSERT(count <= sizeof(genTemplate)/sizeof(CK_ATTRIBUTE));
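Review bot: CKA_SIGN is now set to true on every key this function generates, next to the CKA_ENCRYPT or CKA_DECRYPT attribute set a few lines earlier, so bulk encryption keys become usable for MAC operations as well. If the attribute is only needed for the new PBE HMAC key-generation mechanisms, it would be tighter to add it conditionally, e.g. `if (type == CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN || type == CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN || type == CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN)` around the PK11_SETATTRS line. The bound on genTemplate is checked only by PR_ASSERT, which presumably compiles out of release builds, so the array size and the number of PK11_SETATTRS calls have to be kept in step by hand. The function body starts and ends outside this hunk.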
@@ -4052,6 +4055,49 @@ PK11_DigestFinal(PK11Context *context,unsigned char *data,
*
****************************************************************************/
+static void
+pk11_destroy_ck_pbe_params(CK_PBE_PARAMS *pbe_params)
+{
+ if (pbe_params) {
+ if (pbe_params->pPassword)
+ PORT_ZFree(pbe_params->pPassword, PR_FALSE);
+ if (pbe_params->pSalt)
+ PORT_ZFree(pbe_params->pSalt, PR_FALSE);
+ PORT_ZFree(pbe_params, PR_TRUE);
+ }
+}
+
+SECItem *
+PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations)
+{
+ CK_PBE_PARAMS *pbe_params = NULL;
+ SECItem *paramRV = NULL;
+ pbe_params = (CK_PBE_PARAMS *)PORT_ZAlloc(sizeof(CK_PBE_PARAMS));
+ pbe_params->pPassword = (CK_CHAR_PTR)PORT_ZAlloc(pwd->len);
+ if (pbe_params->pPassword != NULL) {
+ PORT_Memcpy(pbe_params->pPassword, pwd->data, pwd->len);
+ pbe_params->ulPasswordLen = pwd->len;
+ } else goto loser;
+ pbe_params->pSalt = (CK_CHAR_PTR)PORT_ZAlloc(salt->len);
+ if (pbe_params->pSalt != NULL) {
+ PORT_Memcpy(pbe_params->pSalt, salt->data, salt->len);
+ pbe_params->ulSaltLen = salt->len;
+ } else goto loser;
+ pbe_params->ulIteration = (CK_ULONG)iterations;
+ paramRV = SECITEM_AllocItem(NULL, NULL, sizeof(CK_PBE_PARAMS));
+ paramRV->data = (unsigned char *)pbe_params;
+ return paramRV;
+loser:
+ pk11_destroy_ck_pbe_params(pbe_params);
+ return NULL;
+}
+
+void
+PK11_DestroyPBEParams(SECItem *params)
+{
+ pk11_destroy_ck_pbe_params((CK_PBE_PARAMS *)params->data);
+}
+
SECAlgorithmID *
PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt)
{
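Review bot: pk11_destroy_ck_pbe_params passes PR_FALSE and PR_TRUE as the second argument of PORT_ZFree, but that argument is the number of bytes to clear, so the password copy is freed without being zeroed and only one byte of the CK_PBE_PARAMS struct is wiped. The calls should pass the stored lengths and the struct size instead. PK11_CreatePBEParams also dereferences the first PORT_ZAlloc result and the SECITEM_AllocItem result without a NULL check, and the data buffer that SECITEM_AllocItem allocates is leaked when `data` is overwritten. PK11_DestroyPBEParams dereferences params unchecked and never frees the SECItem itself. The body of PK11_CreatePBEAlgorithmID continues outside the hunk.

```c
static void
pk11_destroy_ck_pbe_params(CK_PBE_PARAMS *pbe_params)
{
    if (pbe_params) {
        /* PORT_ZFree's second argument is a byte count, not a boolean */
        if (pbe_params->pPassword)
            PORT_ZFree(pbe_params->pPassword, pbe_params->ulPasswordLen);
        if (pbe_params->pSalt)
            PORT_ZFree(pbe_params->pSalt, pbe_params->ulSaltLen);
        PORT_ZFree(pbe_params, sizeof(CK_PBE_PARAMS));
    }
}

/* in PK11_CreatePBEParams */
    pbe_params = (CK_PBE_PARAMS *)PORT_ZAlloc(sizeof(CK_PBE_PARAMS));
    if (pbe_params == NULL) goto loser;
    /* … unchanged: password and salt copies, iteration count … */
    paramRV = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
    if (paramRV == NULL) goto loser;
    paramRV->data = (unsigned char *)pbe_params;
    paramRV->len = sizeof(CK_PBE_PARAMS);
    return paramRV;

void
PK11_DestroyPBEParams(SECItem *params)
{
    if (params == NULL) return;
    pk11_destroy_ck_pbe_params((CK_PBE_PARAMS *)params->data);
    PORT_Free(params);
}
```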
diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c
index 315c86585..bccb38ac0 100644
--- a/security/nss/lib/pk11wrap/pk11slot.c
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -2829,6 +2829,9 @@ PK11_GetKeyGen(CK_MECHANISM_TYPE type)
return CKM_GENERIC_SECRET_KEY_GEN;
case CKM_PBE_MD2_DES_CBC:
case CKM_PBE_MD5_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
+ case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
+ case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c
index 121aaa2a7..a8ee8eeba 100644
--- a/security/nss/lib/pk11wrap/pk11util.c
+++ b/security/nss/lib/pk11wrap/pk11util.c
@@ -76,7 +76,7 @@ static PRBool secmod_ModuleHasRoots(SECMODModule *module)
*/
static char *dllnames[]= {
-#if defined(XP_WIN32)
+#if defined(XP_WIN32) || defined(XP_OS2)
"nssckbi.dll",
"roots.dll",
"netckbi.dll",
@@ -232,6 +232,12 @@ SECMOD_GetInternalModule(void) {
void
SECMOD_SetInternalModule( SECMODModule *mod) {
internalModule = SECMOD_ReferenceModule(mod);
+ modules = SECMOD_NewModuleListElement();
+ modules->module = SECMOD_ReferenceModule(mod);
+ modules->next = NULL;
+ if (!moduleLock) {
+ moduleLock = SECMOD_NewListLock();
+ }
}
/*
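Review bot: The result of SECMOD_NewModuleListElement is dereferenced on the next line without a NULL check, so an allocation failure here crashes instead of being reported. The assignment also replaces whatever `modules` pointed to before, without freeing it and without holding moduleLock, which is only created afterwards. If this function can run after the list has been populated, the old elements and their module references are lost. At minimum guard the two field stores with `if (modules != NULL)`, and consider creating the lock before touching the list. Whether `modules` can be non-NULL at this point is not visible in the hunk.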
diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c
index 9abae13c8..076e722ec 100644
--- a/security/nss/lib/pkcs12/p12d.c
+++ b/security/nss/lib/pkcs12/p12d.c
@@ -1152,14 +1152,16 @@ static SECStatus
sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx)
{
SECStatus rv = SECFailure;
- PBEBitGenContext *pbeCtxt = NULL;
- SECItem *hmacKey = NULL, hmacRes;
+ SECItem hmacRes;
unsigned char buf[IN_BUF_LEN];
unsigned int bufLen;
int iteration;
PK11Context *pk11cx;
- SECOidTag algtag;
SECItem ignore = {0};
+ PK11SymKey *symKey;
+ SECItem *params;
+ SECOidTag algtag;
+ CK_MECHANISM_TYPE integrityMech;
if(!p12dcx || p12dcx->error) {
return SECFailure;
@@ -1171,28 +1173,28 @@ sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx)
} else {
iteration = 1;
}
- pbeCtxt = PBE_CreateContext(SECOID_GetAlgorithmTag(
- &p12dcx->macData.safeMac.digestAlgorithm),
- pbeBitGenIntegrityKey, p12dcx->pwitem,
- &p12dcx->macData.macSalt, 160, iteration);
- if(!pbeCtxt) {
- return SECFailure;
- }
- hmacKey = PBE_GenerateBits(pbeCtxt);
- PBE_DestroyContext(pbeCtxt);
- pbeCtxt = NULL;
- if(!hmacKey) {
- return SECFailure;
+
+ params = PK11_CreatePBEParams(&p12dcx->macData.macSalt, p12dcx->pwitem,
+ iteration);
+
+ algtag = SECOID_GetAlgorithmTag(&p12dcx->macData.safeMac.digestAlgorithm);
+ switch (algtag) {
+ case SEC_OID_SHA1:
+ integrityMech = CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN; break;
+ case SEC_OID_MD5:
+ integrityMech = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN; break;
+ case SEC_OID_MD2:
+ integrityMech = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN; break;
+ default:
+ goto loser;
}
+ symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL);
+ PK11_DestroyPBEParams(params);
+ if (!symKey) goto loser;
/* init hmac */
- algtag = SECOID_GetAlgorithmTag(&p12dcx->macData.safeMac.digestAlgorithm);
- pk11cx = PK11_CreateContextByRawKey(NULL,
- sec_pkcs12_algtag_to_mech(algtag),
- PK11_OriginDerive, CKA_SIGN,
- hmacKey, &ignore, NULL);
- SECITEM_ZfreeItem(hmacKey, PR_TRUE);
- hmacKey = NULL;
+ pk11cx = PK11_CreateContextBySymKey(sec_pkcs12_algtag_to_mech(algtag),
+ CKA_SIGN, symKey, &ignore);
if(!pk11cx) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure;
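Review bot: The two new `goto loser` exits (the `default:` case and the `!symKey` check) are taken before pk11cx has been assigned, and pk11cx is declared without an initialiser in the previous hunk. The cleanup at `loser:` that calls PK11_DestroyContext(pk11cx, PR_TRUE) would then act on an indeterminate pointer, so declare it as `PK11Context *pk11cx = NULL;`. The return value of PK11_CreatePBEParams is not checked before PK11_DestroyPBEParams dereferences it, the `default:` path leaks params, and nothing in the visible lines releases symKey, whereas the removed code zeroised and freed hmacKey. Adding `if (!params) goto loser;`, a PK11_DestroyPBEParams call in the `default:` case and a PK11_FreeSymKey(symKey) once the context no longer needs it would cover these. The same three gaps are present in the sec_pkcs12_encoder_start_context hunk in p12e.c, and because this function continues outside the hunk, a later release of symKey cannot be ruled out.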
@@ -1247,10 +1249,6 @@ loser:
PK11_DestroyContext(pk11cx, PR_TRUE);
}
- if(hmacKey) {
- SECITEM_ZfreeItem(hmacKey, PR_TRUE);
- }
-
return rv;
}
diff --git a/security/nss/lib/pkcs12/p12e.c b/security/nss/lib/pkcs12/p12e.c
index 4e6d76ebf..22ff31104 100644
--- a/security/nss/lib/pkcs12/p12e.c
+++ b/security/nss/lib/pkcs12/p12e.c
@@ -1660,9 +1660,11 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
/* init password pased integrity mode */
if(p12exp->integrityEnabled) {
- SECItem pwd = {siBuffer,NULL, 0}, *key;
+ SECItem pwd = {siBuffer,NULL, 0};
SECItem *salt = sec_pkcs12_generate_salt();
- PBEBitGenContext *pbeCtxt = NULL;
+ PK11SymKey *symKey;
+ SECItem *params;
+ CK_MECHANISM_TYPE integrityMech;
/* zero out macData and set values */
PORT_Memset(&p12enc->mac, 0, sizeof(sec_PKCS12MacData));
@@ -1676,7 +1678,6 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
}
- SECITEM_ZfreeItem(salt, PR_TRUE);
/* generate HMAC key */
if(!sec_pkcs12_convert_item_to_unicode(NULL, &pwd,
@@ -1684,25 +1685,32 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
PR_TRUE, PR_TRUE)) {
goto loser;
}
- pbeCtxt = PBE_CreateContext(p12exp->integrityInfo.pwdInfo.algorithm,
- pbeBitGenIntegrityKey, &pwd,
- &(p12enc->mac.macSalt), 160, 1);
+
+ params = PK11_CreatePBEParams(salt, &pwd, 1);
+ SECITEM_ZfreeItem(salt, PR_TRUE);
SECITEM_ZfreeItem(&pwd, PR_FALSE);
- if(!pbeCtxt) {
+
+ switch (p12exp->integrityInfo.pwdInfo.algorithm) {
+ case SEC_OID_SHA1:
+ integrityMech = CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN; break;
+ case SEC_OID_MD5:
+ integrityMech = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN; break;
+ case SEC_OID_MD2:
+ integrityMech = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN; break;
+ default:
goto loser;
}
- key = PBE_GenerateBits(pbeCtxt);
- PBE_DestroyContext(pbeCtxt);
- if(!key) {
+
+ symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL);
+ PK11_DestroyPBEParams(params);
+ if(!symKey) {
goto loser;
}
/* initialize hmac */
- p12enc->hmacCx = PK11_CreateContextByRawKey(NULL,
+ p12enc->hmacCx = PK11_CreateContextBySymKey(
sec_pkcs12_algtag_to_mech(p12exp->integrityInfo.pwdInfo.algorithm),
- PK11_OriginDerive, CKA_SIGN,
- key, &ignore, NULL);
- SECITEM_ZfreeItem(key, PR_TRUE);
+ CKA_SIGN, symKey, &ignore);
if(!p12enc->hmacCx) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
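Review bot: Moving SECITEM_ZfreeItem(salt, PR_TRUE) below the unicode conversion means the `goto loser` taken when sec_pkcs12_convert_item_to_unicode fails now skips it. Since salt is declared inside this `if` block, the `loser:` code presumably cannot free it either. Adding `SECITEM_ZfreeItem(salt, PR_TRUE);` immediately before that `goto loser;` closes the leak. The enclosing function starts and ends outside this hunk, so the cleanup code itself is not visible.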
diff --git a/security/nss/lib/smime/cmsrecinfo.c b/security/nss/lib/smime/cmsrecinfo.c
index 3edbab415..8fe5d9887 100644
--- a/security/nss/lib/smime/cmsrecinfo.c
+++ b/security/nss/lib/smime/cmsrecinfo.c
@@ -361,7 +361,8 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex,
SECItem *enckey;
int error;
- ri->cert = cert; /* mark the recipientInfo so we can find it later */
+ ri->cert = CERT_DupCertificate(cert);
+ /* mark the recipientInfo so we can find it later */
switch (ri->recipientInfoType) {
case NSSCMSRecipientInfoID_KeyTrans:
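Review bot: ri->cert now holds its own reference from CERT_DupCertificate, but the hunk shows nothing that releases it. A value already stored in ri->cert is overwritten, and the matching CERT_DestroyCertificate in the recipientInfo teardown is not part of the visible changes. If ri->cert can already be set when this function runs, release it first, e.g. `if (ri->cert) CERT_DestroyCertificate(ri->cert);` before the assignment. The relocated comment now sits after the statement it describes; keeping it on or above the assignment reads better. The function body extends beyond this hunk.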
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index e0a73fa2b..f336ff38d 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -406,6 +406,9 @@ static struct mechanismList mechanisms[] = {
{CKM_PBE_SHA1_RC2_128_CBC, {128,128, CKF_GENERATE}, PR_TRUE},
{CKM_PBE_SHA1_RC4_40, {40,40, CKF_GENERATE}, PR_TRUE},
{CKM_PBE_SHA1_RC4_128, {128,128, CKF_GENERATE}, PR_TRUE},
+ {CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN, {1,32, CKF_GENERATE}, PR_TRUE},
+ {CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN, {1,32, CKF_GENERATE}, PR_TRUE},
+ {CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN, {1,32, CKF_GENERATE}, PR_TRUE},
};
static CK_ULONG mechanismCount = sizeof(mechanisms)/sizeof(mechanisms[0]);
/* load up our token database */
@@ -2108,6 +2111,18 @@ pk11_GetPrivKey(PK11Object *object,CK_KEY_TYPE key_type)
priv=SECKEY_FindKeyByPublicKey(SECKEY_GetDefaultKeyDB(),&pubKey,
(SECKEYGetPasswordKey) pk11_givePass,
object->slot);
+ if (!priv && pubKey.data[0] == 0) {
+ /* Because of legacy code issues, sometimes the public key has
+ * a '0' prepended to it, forcing it to be unsigned. The database
+ * may not store that '0', so remove it and try again.
+ */
+ SECItem tmpPubKey;
+ tmpPubKey.data = pubKey.data + 1;
+ tmpPubKey.len = pubKey.len - 1;
+ priv=SECKEY_FindKeyByPublicKey(SECKEY_GetDefaultKeyDB(),&tmpPubKey,
+ (SECKEYGetPasswordKey) pk11_givePass,
+ object->slot);
+ }
if (pubKey.data) PORT_Free(pubKey.data);
/* don't 'cache' DB private keys */
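Review bot: The new retry reads `pubKey.data[0]` without checking that pubKey.data is non-NULL or that pubKey.len is at least 1, although the very next context line (`if (pubKey.data) PORT_Free(pubKey.data);`) treats a NULL data pointer as possible. With an empty item, `pubKey.len - 1` also wraps to a huge unsigned length that is then handed to the key database lookup. Guard the condition as `if (!priv && pubKey.data && pubKey.len > 1 && pubKey.data[0] == 0) {`. The same unguarded test appears in the pk11_DestroyObject hunk in pkcs11u.c (`rv != SECSuccess && pubKey.data[0] == 0`) and needs the same guard. pk11_GetPrivKey starts and ends outside this hunk.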
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
index 8979b6dac..46c554617 100644
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -1999,32 +1999,34 @@ pk11_HashSign(PK11HashSignInfo *info,unsigned char *sig,unsigned int *sigLen,
}
static SECStatus
-nsc_DSA_Verify_Stub(void *ctx, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen,
- CK_BYTE_PTR pData, CK_ULONG ulDataLen)
+nsc_DSA_Verify_Stub(void *ctx, void *sigBuf, unsigned int sigLen,
+ void *dataBuf, unsigned int dataLen)
{
SECItem signature, digest;
+ SECKEYLowPublicKey *key = (SECKEYLowPublicKey *)ctx;
- signature.data = pSignature;
- signature.len = ulSignatureLen;
- digest.data = pData;
- digest.len = ulDataLen;
- return DSA_VerifyDigest((DSAPublicKey *)ctx, &signature, &digest);
+ signature.data = (unsigned char *)sigBuf;
+ signature.len = sigLen;
+ digest.data = (unsigned char *)dataBuf;
+ digest.len = dataLen;
+ return DSA_VerifyDigest(&(key->u.dsa), &signature, &digest);
}
static SECStatus
-nsc_DSA_Sign_Stub(void *ctx, CK_BYTE_PTR pSignature,
- CK_ULONG_PTR ulSignatureLen, CK_ULONG maxulSignatureLen,
- CK_BYTE_PTR pData, CK_ULONG ulDataLen)
+nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
+ unsigned int *sigLen, unsigned int maxSigLen,
+ void *dataBuf, unsigned int dataLen)
{
SECItem signature = { 0 }, digest;
SECStatus rv;
-
- (void)SECITEM_AllocItem(NULL, &signature, maxulSignatureLen);
- digest.data = pData;
- digest.len = ulDataLen;
- rv = DSA_SignDigest((DSAPrivateKey *)ctx, &signature, &digest);
- *ulSignatureLen = signature.len;
- PORT_Memcpy(pSignature, signature.data, signature.len);
+ SECKEYLowPrivateKey *key = (SECKEYLowPrivateKey *)ctx;
+
+ (void)SECITEM_AllocItem(NULL, &signature, maxSigLen);
+ digest.data = (unsigned char *)dataBuf;
+ digest.len = dataLen;
+ rv = DSA_SignDigest(&(key->u.dsa), &signature, &digest);
+ *sigLen = signature.len;
+ PORT_Memcpy(sigBuf, signature.data, signature.len);
SECITEM_FreeItem(&signature, PR_FALSE);
return rv;
}
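Review bot: In nsc_DSA_Sign_Stub the result of SECITEM_AllocItem is discarded with a `(void)` cast, and the PORT_Memcpy into sigBuf runs whether or not DSA_SignDigest succeeded. An allocation failure or signing error therefore still reaches the copy with whatever signature.data and signature.len hold. The temporary buffer is not needed: point the item at the caller's buffer with `signature.data = (unsigned char *)sigBuf; signature.len = maxSigLen;` and set `*sigLen = signature.len;` only when rv is SECSuccess, which removes the allocation, the copy and the free. This assumes DSA_SignDigest writes at most signature.len bytes, which is not shown here.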
@@ -2171,11 +2173,11 @@ finish_rsa:
crv = CKR_HOST_MEMORY;
break;
}
- context->cipherInfo = &(privKey->u.dsa);
+ context->cipherInfo = privKey;
context->update = (PK11Cipher) nsc_DSA_Sign_Stub;
- context->destroy = pk11_Null;
+ context->destroy = (privKey == key->objectInfo) ?
+ (PK11Destroy) pk11_Null:(PK11Destroy)pk11_FreePrivKey;
- if (key->objectInfo != privKey) SECKEY_LowDestroyPrivateKey(privKey);
break;
case CKM_MD2_HMAC_GENERAL:
crv = pk11_doHMACInit(context,SEC_OID_MD2,key,
@@ -2577,7 +2579,7 @@ finish_rsa:
crv = CKR_HOST_MEMORY;
break;
}
- context->cipherInfo = &(pubKey->u.dsa);
+ context->cipherInfo = pubKey;
context->verify = (PK11Verify) nsc_DSA_Verify_Stub;
context->destroy = pk11_Null;
break;
@@ -2830,6 +2832,40 @@ CK_RV NSC_GenerateRandom(CK_SESSION_HANDLE hSession,
**************************** Key Functions: ************************
*/
+CK_RV
+pk11_pbe_hmac_key_gen(CK_MECHANISM_PTR pMechanism, char *buf,
+ unsigned long *len, PRBool faultyPBE3DES)
+{
+ PBEBitGenContext *pbeCx;
+ SECItem pwd, salt, *key;
+ SECOidTag hashAlg;
+ unsigned long keylenbits;
+ CK_PBE_PARAMS *pbe_params = NULL;
+ pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
+ pwd.data = (unsigned char *)pbe_params->pPassword;
+ pwd.len = (unsigned int)pbe_params->ulPasswordLen;
+ salt.data = (unsigned char *)pbe_params->pSalt;
+ salt.len = (unsigned int)pbe_params->ulSaltLen;
+ switch (pMechanism->mechanism) {
+ case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
+ hashAlg = SEC_OID_SHA1; keylenbits = 160; break;
+ case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
+ hashAlg = SEC_OID_MD5; keylenbits = 128; break;
+ case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
+ hashAlg = SEC_OID_MD2; keylenbits = 128; break;
+ default:
+ return CKR_MECHANISM_INVALID;
+ }
+ pbeCx = PBE_CreateContext(hashAlg, pbeBitGenIntegrityKey, &pwd,
+ &salt, keylenbits, pbe_params->ulIteration);
+ key = PBE_GenerateBits(pbeCx);
+ PORT_Memcpy(buf, key->data, key->len);
+ *len = key->len;
+ PBE_DestroyContext(pbeCx);
+ SECITEM_ZfreeItem(key, PR_TRUE);
+ return CKR_OK;
+}
+
/*
* generate a password based encryption key. This code uses
* PKCS5 to do the work. Note that it calls PBE_PK11ParamToAlgid, which is
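Review bot: pk11_pbe_hmac_key_gen dereferences pMechanism->pParameter as a CK_PBE_PARAMS without checking that it is non-NULL or that ulParameterLen covers the struct, and this value comes from the caller of NSC_GenerateKey. The results of PBE_CreateContext and PBE_GenerateBits are likewise used unchecked, so an allocation failure ends in a NULL dereference at `key->data`. The faultyPBE3DES parameter is never read, and the function is neither static nor declared in a header in the visible changes. The comment that closes the hunk belongs to the next function, outside the hunk.

```c
    CK_PBE_PARAMS *pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
    if (pbe_params == NULL ||
        pMechanism->ulParameterLen < sizeof(CK_PBE_PARAMS)) {
        return CKR_MECHANISM_PARAM_INVALID;
    }
    /* … unchanged: pwd/salt setup and mechanism switch … */
    pbeCx = PBE_CreateContext(hashAlg, pbeBitGenIntegrityKey, &pwd,
                              &salt, keylenbits, pbe_params->ulIteration);
    if (pbeCx == NULL) return CKR_HOST_MEMORY;
    key = PBE_GenerateBits(pbeCx);
    PBE_DestroyContext(pbeCx);
    if (key == NULL) return CKR_HOST_MEMORY;
    PORT_Memcpy(buf, key->data, key->len);
    *len = key->len;
    SECITEM_ZfreeItem(key, PR_TRUE);
    return CKR_OK;
```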
@@ -3032,14 +3068,14 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
PK11Session *session;
PRBool checkWeak = PR_FALSE;
CK_ULONG key_length = 0;
- CK_KEY_TYPE key_type;
+ CK_KEY_TYPE key_type = -1;
CK_OBJECT_CLASS objclass = CKO_SECRET_KEY;
CK_RV crv = CKR_OK;
CK_BBOOL cktrue = CK_TRUE;
int i;
PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
char buf[MAX_KEY_LEN];
- enum {pk11_pbe, pk11_ssl, pk11_bulk} key_gen_type;
+ enum {pk11_pbe, pk11_pbe_hmac, pk11_ssl, pk11_bulk} key_gen_type;
SECOidTag algtag = SEC_OID_UNKNOWN;
SSL3RSAPreMasterSecret *rsa_pms;
CK_VERSION *version;
@@ -3104,6 +3140,12 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
break;
case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
faultyPBE3DES = PR_TRUE;
+ case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
+ case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
+ case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
+ key_gen_type = pk11_pbe_hmac;
+ key_type = CKK_GENERIC_SECRET;
+ break;
case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
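Review bot: The three new HMAC cases are inserted between `case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:`, which sets faultyPBE3DES and falls through, and the PBE cipher cases it used to fall into. The faulty-3DES mechanism therefore now lands on `key_gen_type = pk11_pbe_hmac;` and the `break;`. pk11_pbe_hmac_key_gen has no case for that mechanism and returns CKR_MECHANISM_INVALID, so key generation for it would fail. Move the three `case CKM_NETSCAPE_PBE_*_HMAC_KEY_GEN:` labels with their two assignments and `break;` above the FAULTY_3DES label, and add `/* fall through */` after `faultyPBE3DES = PR_TRUE;`. The switch starts and ends outside this hunk.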
@@ -3136,10 +3178,18 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
+ /* if there was no error,
+ * key_type *MUST* be set in the switch statement above */
+ PORT_Assert( key_type != -1 );
+
/*
* now to the actual key gen.
*/
switch (key_gen_type) {
+ case pk11_pbe_hmac:
+ crv = pk11_pbe_hmac_key_gen(pMechanism, buf, &key_length,
+ faultyPBE3DES);
+ break;
case pk11_pbe:
crv = pk11_pbe_key_gen(algtag, pMechanism, buf, &key_length,
faultyPBE3DES);
diff --git a/security/nss/lib/softoken/pkcs11t.h b/security/nss/lib/softoken/pkcs11t.h
index c626036c8..6cb3e74c4 100644
--- a/security/nss/lib/softoken/pkcs11t.h
+++ b/security/nss/lib/softoken/pkcs11t.h
@@ -1112,6 +1112,9 @@ typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4 0x80000006L
#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4 0x80000007L
#define CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC 0x80000008L
+#define CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN 0x80000009L
+#define CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN 0x8000000aL
+#define CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN 0x8000000bL
#define CKM_TLS_MASTER_KEY_DERIVE 0x80000371L
#define CKM_TLS_KEY_AND_MAC_DERIVE 0x80000372L
#define CKM_TLS_PRF_GENERAL 0x80000373L
diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c
index d6da65fed..e9dd6f7b3 100644
--- a/security/nss/lib/softoken/pkcs11u.c
+++ b/security/nss/lib/softoken/pkcs11u.c
@@ -749,6 +749,17 @@ pk11_DestroyObject(PK11Object *object)
crv=pk11_Attribute2SecItem(NULL,&pubKey,object,CKA_NETSCAPE_DB);
if (crv != CKR_OK) break;
rv = SECKEY_DeleteKey(SECKEY_GetDefaultKeyDB(), &pubKey);
+ if (rv != SECSuccess && pubKey.data[0] == 0) {
+ /* Because of legacy code issues, sometimes the public key
+ * has a '0' prepended to it, forcing it to be unsigned.
+ * The database may not store that '0', so remove it and
+ * try again.
+ */
+ SECItem tmpPubKey;
+ tmpPubKey.data = pubKey.data + 1;
+ tmpPubKey.len = pubKey.len - 1;
+ rv = SECKEY_DeleteKey(SECKEY_GetDefaultKeyDB(), &tmpPubKey);
+ }
if (rv != SECSuccess) crv= CKR_DEVICE_ERROR;
break;
case PK11_TOKEN_TYPE_CERT:
diff --git a/security/nss/lib/ssl/manifest.mn b/security/nss/lib/ssl/manifest.mn
index 038cff4d5..e76c516f1 100644
--- a/security/nss/lib/ssl/manifest.mn
+++ b/security/nss/lib/ssl/manifest.mn
@@ -60,7 +60,6 @@ CSRCS = \
sslenum.c \
sslerr.c \
sslgathr.c \
- sslmutex.c \
sslnonce.c \
sslreveal.c \
sslsecur.c \
diff --git a/security/nss/lib/ssl/ssl.def b/security/nss/lib/ssl/ssl.def
index 5c8712f69..0fee478ba 100644
--- a/security/nss/lib/ssl/ssl.def
+++ b/security/nss/lib/ssl/ssl.def
@@ -105,13 +105,3 @@ NSSSSL_VersionCheck;
;+ local:
;+*;
;+};
-;+NSS_3.3 { # NSS 3.3 release
-;+ global:
-;+# We have not yet decided whether these functions will be exported
-;-# in the final 3.3 release, so please treat them as exported private
-;-# functions for now.
-SSL_GetMaxServerCacheLocks;
-SSL_SetMaxServerCacheLocks;
-;+ local:
-;+*;
-;+};
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
index 34a73c4e7..f1cab73eb 100644
--- a/security/nss/lib/ssl/ssl.h
+++ b/security/nss/lib/ssl/ssl.h
@@ -51,6 +51,8 @@
#define SSL_IMPORT extern
#endif
+SEC_BEGIN_PROTOS
+
/* constant table enumerating all implemented SSL 2 and 3 cipher suites. */
SSL_IMPORT const PRUint16 SSL_ImplementedCiphers[];
@@ -77,9 +79,6 @@ typedef struct SSL3StatisticsStr {
long hch_sid_cache_not_ok;
} SSL3Statistics;
-SEC_BEGIN_PROTOS
-
-
/*
** Imports fd into SSL, returning a new socket. Copies SSL configuration
** from model.
@@ -299,17 +298,6 @@ SSL_IMPORT SECStatus SSL_ConfigMPServerSIDCache(int maxCacheEntries,
PRUint32 ssl3_timeout,
const char * directory);
-/* Get and set the configured maximum number of mutexes used for the
-** server's store of SSL sessions. This value is used by the server
-** session ID cache initialization functions shown above. Note that on
-** some platforms, these mutexes are actually implemented with POSIX
-** semaphores, or with unnamed pipes. The default value varies by platform.
-** An attempt to set a too-low maximum will return an error and the
-** configured value will not be changed.
-*/
-SSL_IMPORT PRUint32 SSL_GetMaxServerCacheLocks(void);
-SSL_IMPORT SECStatus SSL_SetMaxServerCacheLocks(PRUint32 maxLocks);
-
/* environment variable set by SSL_ConfigMPServerSIDCache, and queried by
* SSL_InheritMPServerSIDCache when envString is NULL.
*/
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
index be252d7d6..9aca09ac2 100644
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -2605,7 +2605,8 @@ ssl3_SendClientHello(sslSocket *ss)
!PK11_IsPresent(slot) ||
sid->u.ssl3.clAuthSeries != PK11_GetSlotSeries(slot) ||
sid->u.ssl3.clAuthSlotID != PK11_GetSlotID(slot) ||
- sid->u.ssl3.clAuthModuleID != PK11_GetModuleID(slot) ) {
+ sid->u.ssl3.clAuthModuleID != PK11_GetModuleID(slot) ||
+ !PK11_IsLoggedIn(slot, NULL)) {
sidOK = PR_FALSE;
}
if (slot) {
diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c
index 181b03e59..1f0cd8efd 100644
--- a/security/nss/lib/ssl/sslcon.c
+++ b/security/nss/lib/ssl/sslcon.c
@@ -2531,7 +2531,7 @@ ssl2_HandleMessage(sslSocket *ss)
goto bad_peer;
}
- if (gs->recordLen - 1 != SSL2_SESSIONID_BYTES) {
+ if (gs->recordLen - 1 != SSL_SESSIONID_BYTES) {
SSL_DBG(("%d: SSL[%d]: bad server-finished message, len=%d",
SSL_GETPID(), ss->fd, gs->recordLen));
goto bad_peer;
@@ -3549,7 +3549,7 @@ ssl2_HandleClientHelloMessage(sslSocket *ss)
/* Invent a session-id */
ci->sid = sid;
- PK11_GenerateRandom(sid->u.ssl2.sessionID+2, SSL2_SESSIONID_BYTES-2);
+ PK11_GenerateRandom(sid->u.ssl2.sessionID+2, SSL_SESSIONID_BYTES-2);
pid = SSL_GETPID();
sid->u.ssl2.sessionID[0] = MSB(pid);
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h
index c4e68a4c9..98beb5097 100644
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -113,7 +113,7 @@ typedef enum { SSLAppOpRead = 0,
#define SSL_MIN_MASTER_KEY_BYTES 5
#define SSL_MAX_MASTER_KEY_BYTES 64
-#define SSL2_SESSIONID_BYTES 16
+#define SSL_SESSIONID_BYTES 16
#define SSL3_SESSIONID_BYTES 32
#define SSL_MIN_CHALLENGE_BYTES 16
@@ -208,7 +208,7 @@ struct sslBufferStr {
** SSL3 cipher suite policy and preference struct.
*/
typedef struct {
-#if !defined(_WIN32)
+#ifdef AIX
unsigned int cipher_suite : 16;
unsigned int policy : 8;
unsigned int enabled : 1;
@@ -711,7 +711,7 @@ struct sslSessionIDStr {
union {
struct {
/* the V2 code depends upon the size of sessionID. */
- unsigned char sessionID[SSL2_SESSIONID_BYTES];
+ unsigned char sessionID[SSL_SESSIONID_BYTES];
/* Stuff used to recreate key and read/write cipher objects */
SECItem masterKey;
@@ -1247,11 +1247,8 @@ void ssl_Trace(const char *format, ...);
SEC_END_PROTOS
-#if defined(XP_UNIX)
+#ifdef XP_UNIX
#define SSL_GETPID() getpid()
-#elif defined(WIN32)
-/* #define SSL_GETPID() GetCurrentProcessId() */
-#define SSL_GETPID() _getpid()
#else
#define SSL_GETPID() 0
#endif
diff --git a/security/nss/lib/ssl/sslnonce.c b/security/nss/lib/ssl/sslnonce.c
index 4a32012e1..79e6c24c8 100644
--- a/security/nss/lib/ssl/sslnonce.c
+++ b/security/nss/lib/ssl/sslnonce.c
@@ -44,9 +44,7 @@
#include "sslproto.h"
#include "nssilock.h"
#include "nsslocks.h"
-#if defined(XP_UNIX) || defined(XP_WIN) || defined(_WINDOWS)
-#include <time.h>
-#endif
+
PRUint32 ssl_sid_timeout = 100;
PRUint32 ssl3_sid_timeout = 86400L; /* 24 hours */
@@ -339,19 +337,14 @@ SSL_ClearSessionCache(void)
PRUint32
ssl_Time(void)
{
- PRUint32 myTime;
-#if defined(XP_UNIX) || defined(XP_WIN) || defined(_WINDOWS)
- myTime = time(NULL); /* accurate until the year 2038. */
-#else
- /* portable, but possibly slower */
PRTime now;
PRInt64 ll;
+ PRUint32 time;
now = PR_Now();
LL_I2L(ll, 1000000L);
LL_DIV(now, now, ll);
- LL_L2UI(myTime, now);
-#endif
- return myTime;
+ LL_L2UI(time, now);
+ return time;
}
diff --git a/security/nss/lib/ssl/sslsecur.c b/security/nss/lib/ssl/sslsecur.c
index 306838a41..676f7ebf4 100644
--- a/security/nss/lib/ssl/sslsecur.c
+++ b/security/nss/lib/ssl/sslsecur.c
@@ -935,12 +935,6 @@ ssl_SecureClose(sslSocket *ss)
!ss->recvdCloseNotify &&
(ss->ssl3 != NULL)) {
- /* We don't want the final alert to be Nagle delayed. */
- if (!ss->delayDisabled) {
- ssl_EnableNagleDelay(ss, PR_FALSE);
- ss->delayDisabled = 1;
- }
-
(void) SSL3_SendAlert(ss, alert_warning, close_notify);
}
rv = ssl_DefClose(ss);
@@ -1239,7 +1233,7 @@ SSL_GetSessionID(PRFileDesc *fd)
sid = ss->sec->ci.sid;
item = (SECItem *)PORT_Alloc(sizeof(SECItem));
if (sid->version < SSL_LIBRARY_VERSION_3_0) {
- item->len = SSL2_SESSIONID_BYTES;
+ item->len = SSL_SESSIONID_BYTES;
item->data = (unsigned char*)PORT_Alloc(item->len);
PORT_Memcpy(item->data, sid->u.ssl2.sessionID, item->len);
} else {
diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c
index 9100d740b..28a2f3812 100644
--- a/security/nss/lib/ssl/sslsnce.c
+++ b/security/nss/lib/ssl/sslsnce.c
@@ -43,33 +43,42 @@
* All processes that are part of the same conceptual server (serving on
* the same address and port) MUST share a common SSL session cache.
* This code makes the content of the shared cache accessible to all
- * processes on the same "server". This code works on Unix and Win32 only.
+ * processes on the same "server". This code works on Unix and Win32 only,
+ * and is platform specific.
*
- * We use NSPR anonymous shared memory and move data to & from shared memory.
- * We must do explicit locking of the records for all reads and writes.
- * The set of Cache entries are divided up into "sets" of 128 entries.
- * Each set is protected by a lock. There may be one or more sets protected
- * by each lock. That is, locks to sets are 1:N.
- * There is one lock for the entire cert cache.
- * There is one lock for the set of wrapped sym wrap keys.
+ * Unix: Multiple processes share a single (inherited) FD for a disk
+ * file all share one single file position. If one lseeks, the position for
+ * all processes is changed. Since the set of platforms we support do not
+ * all share portable lseek-and-read or lseek-and-write functions, a global
+ * lock must be used to make the lseek call and the subsequent read or write
+ * call be one atomic operation. It is no longer necessary for cache element
+ * sizes to be a power of 2, or a multiple of a sector size.
*
- * The anonymous shared memory is laid out as if it were declared like this:
+ * For Win32, where (a) disk I/O is not atomic, and (b) we use memory-mapped
+ * files and move data to & from memory instead of calling read or write,
+ * we must do explicit locking of the records for all reads and writes.
+ * We have just one lock, for the entire file, using an NT semaphore.
+ * We avoid blocking on "local threads" since it's bad to block on a local
+ * thread - If NSPR offered portable semaphores, it would handle this itself.
*
- * struct {
- * cacheDescriptor desc;
- * sidCacheLock sidCacheLocks[ numSIDCacheLocks];
- * sidCacheLock keyCacheLock;
- * sidCacheLock certCacheLock;
- * sidCacheSet sidCacheSets[ numSIDCacheSets ];
- * sidCacheEntry sidCacheData[ numSIDCacheEntries];
- * certCacheEntry certCacheData[numCertCacheEntries];
- * SSLWrappedSymWrappingKey keyCacheData[kt_kea_size][SSL_NUM_WRAP_MECHS];
- * } sharedMemCacheData;
+ * Since this file has to do lots of platform specific I/O, the system
+ * dependent error codes need to be mapped back into NSPR error codes.
+ * Since NSPR's error mapping functions are private, the code is necessarily
+ * duplicated in libSSL.
+ *
+ * Note, now that NSPR provides portable anonymous shared memory, for all
+ * platforms except Mac, the implementation below should be replaced with
+ * one that uses anonymous shared memory ASAP. This will eliminate most
+ * platform dependent code in this file, and improve performance big time.
+ *
+ * Now that NSPR offers portable cross-process locking (semaphores) on Unix
+ * and Win32, semaphores should be used here for all platforms.
*/
#include "nssrenam.h"
#include "seccomon.h"
#if defined(XP_UNIX) || defined(XP_WIN32)
+#ifndef NADA_VERISON
#include "cert.h"
#include "ssl.h"
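Review bot: The added guard `#ifndef NADA_VERISON` looks like a transposition of `NADA_VERSION`. If the build defines the correctly spelled macro, this test is always true and whatever alternative the guard is presumably meant to select is never compiled. Either match the spelling the build files use or mark it as deliberate, e.g. `#ifndef NADA_VERISON /* sic: spelled this way in the build files */`. The matching `#endif` lies outside this hunk, so it should be checked for the same spelling.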
@@ -86,10 +95,12 @@
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
-#include <signal.h>
#include "unix_err.h"
#else /* XP_WIN32 */
+#ifdef MC_HTTPD
+#include <ereport.h>
+#endif /* MC_HTTPD */
#include <wtypes.h>
#include "win32err.h"
#endif /* XP_WIN32 */
@@ -99,297 +110,615 @@
#include "nspr.h"
#include "nsslocks.h"
-#include "sslmutex.h"
+
+static PZLock *cacheLock;
+
+/*
+** The server session-id cache uses a simple flat cache. The cache is
+** sized during initialization. We hash the ip-address + session-id value
+** into an index into the cache and do the lookup. No buckets, nothing
+** fancy.
+*/
+
+static PRBool isMultiProcess = PR_FALSE;
+
+static PRUint32 numSIDCacheEntries = 10000;
+static PRUint32 sidCacheFileSize;
+static PRUint32 sidCacheWrapOffset;
+
+static PRUint32 numCertCacheEntries = 250;
+static PRUint32 certCacheFileSize;
+
+#define MIN_CERT_CACHE_ENTRIES 125 /* the effective size in old releases. */
+
/*
-** Format of a cache entry in the shared memory.
+** Format of a cache entry.
*/
-struct sidCacheEntryStr {
-/* 16 */ PRIPv6Addr addr; /* client's IP address */
-/* 4 */ PRUint32 time; /* expiration time of this entry */
-/* 2 */ PRUint16 version;
-/* 1 */ PRUint8 valid;
-/* 1 */ PRUint8 sessionIDLength;
-/* 32 */ PRUint8 sessionID[SSL3_SESSIONID_BYTES];
-/* 56 - common header total */
+typedef struct SIDCacheEntryStr SIDCacheEntry;
+struct SIDCacheEntryStr {
+ PRIPv6Addr addr;
+ PRUint32 time;
union {
struct {
-/* 64 */ PRUint8 masterKey[SSL_MAX_MASTER_KEY_BYTES];
-/* 32 */ PRUint8 cipherArg[SSL_MAX_CYPHER_ARG_BYTES];
+ /* This is gross. We have to have version and valid in both arms
+ * of the union for alignment reasons. This probably won't work
+ * on a 64-bit machine. XXXX
+ */
+/* 2 */ uint16 version;
+/* 1 */ unsigned char valid;
+/* 1 */ unsigned char cipherType;
+
+/* 16 */ unsigned char sessionID[SSL_SESSIONID_BYTES];
+/* 64 */ unsigned char masterKey[SSL_MAX_MASTER_KEY_BYTES];
+/* 32 */ unsigned char cipherArg[SSL_MAX_CYPHER_ARG_BYTES];
-/* 1 */ PRUint8 cipherType;
-/* 1 */ PRUint8 masterKeyLen;
-/* 1 */ PRUint8 keyBits;
-/* 1 */ PRUint8 secretKeyBits;
-/* 1 */ PRUint8 cipherArgLen;
-/*101 */} ssl2;
+/* 1 */ unsigned char masterKeyLen;
+/* 1 */ unsigned char keyBits;
+
+/* 1 */ unsigned char secretKeyBits;
+/* 1 */ unsigned char cipherArgLen;
+/*120 */} ssl2;
struct {
-/* 2 */ ssl3CipherSuite cipherSuite;
-/* 2 */ PRUint16 compression; /* SSL3CompressionMethod */
+/* 2 */ uint16 version;
+/* 1 */ unsigned char valid;
+/* 1 */ uint8 sessionIDLength;
-/*122 */ ssl3SidKeys keys; /* keys and ivs, wrapped as needed. */
-/* 1 */ PRUint8 hasFortezza;
-/* 1 */ PRUint8 resumable;
+/* 32 */ unsigned char sessionID[SSL3_SESSIONID_BYTES];
-/* 4 */ PRUint32 masterWrapMech;
-/* 4 */ SSL3KEAType exchKeyType;
-/* 4 */ PRInt32 certIndex;
-/*140 */} ssl3;
-#if defined(LINUX)
+/* 2 */ ssl3CipherSuite cipherSuite;
+/* 2 */ uint16 compression; /* SSL3CompressionMethod */
+
+/*122 */ ssl3SidKeys keys; /* keys and ivs, wrapped as needed. */
+/* 4 */ PRUint32 masterWrapMech;
+/* 4 */ SSL3KEAType exchKeyType;
+
+/* 2 */ int16 certIndex;
+/* 1 */ uint8 hasFortezza;
+/* 1 */ uint8 resumable;
+ } ssl3;
+ /* We can't make this struct fit in 128 bytes
+ * so, force the struct size up to the next power of two.
+ */
struct {
- PRUint8 filler[144];
- } forceSize;
-#endif
+ unsigned char filler[256 - sizeof(PRIPv6Addr) - sizeof(PRUint32)];
+ } force256;
} u;
};
-typedef struct sidCacheEntryStr sidCacheEntry;
+typedef struct CertCacheEntryStr CertCacheEntry;
+
/* The length of this struct is supposed to be a power of 2, e.g. 4KB */
-struct certCacheEntryStr {
- PRUint16 certLength; /* 2 */
- PRUint16 sessionIDLength; /* 2 */
- PRUint8 sessionID[SSL3_SESSIONID_BYTES]; /* 32 */
- PRUint8 cert[SSL_MAX_CACHED_CERT_LEN]; /* 4060 */
+struct CertCacheEntryStr {
+ uint16 certLength; /* 2 */
+ uint16 sessionIDLength; /* 2 */
+ unsigned char sessionID[SSL3_SESSIONID_BYTES]; /* 32 */
+ unsigned char cert[SSL_MAX_CACHED_CERT_LEN]; /* 4060 */
}; /* total 4096 */
-typedef struct certCacheEntryStr certCacheEntry;
-struct sidCacheLockStr {
- PRUint32 timeStamp;
- sslMutex mutex;
- sslPID pid;
-};
-typedef struct sidCacheLockStr sidCacheLock;
-
-struct sidCacheSetStr {
- PRIntn next;
-};
-typedef struct sidCacheSetStr sidCacheSet;
-struct cacheDescStr {
+static void IOError(int rv, char *type);
+static PRUint32 Offset(const PRIPv6Addr *addr, unsigned char *s, unsigned nl);
+static void Invalidate(SIDCacheEntry *sce);
+/************************************************************************/
- PRUint32 sharedMemSize;
+static const char envVarName[] = { SSL_ENV_VAR_NAME };
- PRUint32 numSIDCacheLocks;
- PRUint32 numSIDCacheSets;
- PRUint32 numSIDCacheSetsPerLock;
+#ifdef _WIN32
- PRUint32 numSIDCacheEntries;
- PRUint32 sidCacheSize;
+struct winInheritanceStr {
+ PRUint32 numSIDCacheEntries;
+ PRUint32 sidCacheFileSize;
+ PRUint32 sidCacheWrapOffset;
+ PRUint32 numCertCacheEntries;
+ PRUint32 certCacheFileSize;
+
+ DWORD parentProcessID;
+ HANDLE parentProcessHandle;
+ HANDLE SIDCacheFDMAP;
+ HANDLE certCacheFDMAP;
+ HANDLE svrCacheSem;
+};
+typedef struct winInheritanceStr winInheritance;
- PRUint32 numCertCacheEntries;
- PRUint32 certCacheSize;
+static HANDLE svrCacheSem = INVALID_HANDLE_VALUE;
- PRUint32 numKeyCacheEntries;
- PRUint32 keyCacheSize;
+static char * SIDCacheData = NULL;
+static HANDLE SIDCacheFD = INVALID_HANDLE_VALUE;
+static HANDLE SIDCacheFDMAP = INVALID_HANDLE_VALUE;
- PRUint32 ssl2Timeout;
- PRUint32 ssl3Timeout;
+static char * certCacheData = NULL;
+static HANDLE certCacheFD = INVALID_HANDLE_VALUE;
+static HANDLE certCacheFDMAP = INVALID_HANDLE_VALUE;
- /* These values are volatile, and are accessed through sharedCache-> */
- PRUint32 nextCertCacheEntry; /* certCacheLock protects */
- PRBool stopPolling;
+static PRUint32 myPid;
- /* The private copies of these values are pointers into shared mem */
- /* The copies of these values in shared memory are merely offsets */
- sidCacheLock * sidCacheLocks;
- sidCacheLock * keyCacheLock;
- sidCacheLock * certCacheLock;
- sidCacheSet * sidCacheSets;
- sidCacheEntry * sidCacheData;
- certCacheEntry * certCacheData;
- SSLWrappedSymWrappingKey * keyCacheData;
+/* The presence of the TRUE element in this struct makes the semaphore
+ * inheritable. The NULL means use process's default security descriptor.
+ */
+static SECURITY_ATTRIBUTES semaphoreAttributes =
+ { sizeof(SECURITY_ATTRIBUTES), NULL, TRUE };
- /* Only the private copies of these pointers are valid */
- char * sharedMem;
- struct cacheDescStr * sharedCache; /* shared copy of this struct */
- PRFileMap * cacheMemMap;
- PRThread * poller;
-};
-typedef struct cacheDescStr cacheDesc;
+static SECURITY_ATTRIBUTES sidCacheFDMapAttributes =
+ { sizeof(SECURITY_ATTRIBUTES), NULL, TRUE };
-static cacheDesc globalCache;
+static SECURITY_ATTRIBUTES certCacheFDMapAttributes =
+ { sizeof(SECURITY_ATTRIBUTES), NULL, TRUE };
-static const char envVarName[] = { SSL_ENV_VAR_NAME };
+#define DEFAULT_CACHE_DIRECTORY "\\temp"
-static PRBool isMultiProcess = PR_FALSE;
+static SECStatus
+createServerCacheSemaphore(void)
+{
+ PR_ASSERT(svrCacheSem == INVALID_HANDLE_VALUE);
+
+ /* inheritable, starts signalled, 1 signal max, no file name. */
+ svrCacheSem = CreateSemaphore(&semaphoreAttributes, 1, 1, NULL);
+ if (svrCacheSem == NULL) {
+ svrCacheSem = INVALID_HANDLE_VALUE;
+ /* We could get the error code, but what could be do with it ? */
+ nss_MD_win32_map_default_error(GetLastError());
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+static SECStatus
+_getServerCacheSemaphore(void)
+{
+ DWORD event;
+ DWORD lastError;
+ SECStatus rv;
-#define DEF_SID_CACHE_ENTRIES 10000
-#define DEF_CERT_CACHE_ENTRIES 250
-#define MIN_CERT_CACHE_ENTRIES 125 /* the effective size in old releases. */
-#define DEF_KEY_CACHE_ENTRIES 250
+ PR_ASSERT(svrCacheSem != INVALID_HANDLE_VALUE);
+ if (svrCacheSem == INVALID_HANDLE_VALUE &&
+ SECSuccess != createServerCacheSemaphore()) {
+ return SECFailure; /* what else ? */
+ }
+ event = WaitForSingleObject(svrCacheSem, INFINITE);
+ switch (event) {
+ case WAIT_OBJECT_0:
+ case WAIT_ABANDONED:
+ rv = SECSuccess;
+ break;
+
+ case WAIT_TIMEOUT:
+ case WAIT_IO_COMPLETION:
+ default: /* should never happen. nothing we can do. */
+ PR_ASSERT(("WaitForSingleObject returned invalid value.", 0));
+ /* fall thru */
+
+ case WAIT_FAILED: /* failure returns this */
+ rv = SECFailure;
+ lastError = GetLastError(); /* for debugging */
+ nss_MD_win32_map_default_error(lastError);
+ break;
+ }
+ return rv;
+}
-#define SID_CACHE_ENTRIES_PER_SET 128
-#define SID_ALIGNMENT 16
+static void
+_doGetServerCacheSemaphore(void * arg)
+{
+ SECStatus * rv = (SECStatus *)arg;
+ *rv = _getServerCacheSemaphore();
+}
-#define DEF_SSL2_TIMEOUT 100 /* seconds */
-#define MAX_SSL2_TIMEOUT 100 /* seconds */
-#define MIN_SSL2_TIMEOUT 5 /* seconds */
+static SECStatus
+getServerCacheSemaphore(void)
+{
+ PRThread * selectThread;
+ PRThread * me = PR_GetCurrentThread();
+ PRThreadScope scope = PR_GetThreadScope(me);
+ SECStatus rv = SECFailure;
-#define DEF_SSL3_TIMEOUT 86400L /* 24 hours */
-#define MAX_SSL3_TIMEOUT 86400L /* 24 hours */
-#define MIN_SSL3_TIMEOUT 5 /* seconds */
+ if (scope == PR_GLOBAL_THREAD) {
+ rv = _getServerCacheSemaphore();
+ } else {
+ selectThread = PR_CreateThread(PR_USER_THREAD,
+ _doGetServerCacheSemaphore, &rv,
+ PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
+ PR_JOINABLE_THREAD, 0);
+ if (selectThread != NULL) {
+ /* rv will be set by _doGetServerCacheSemaphore() */
+ PR_JoinThread(selectThread);
+ }
+ }
+ return rv;
+}
-#if defined(AIX) || defined(LINUX)
-#define MAX_SID_CACHE_LOCKS 8 /* two FDs per lock */
-#elif defined(OSF1)
-#define MAX_SID_CACHE_LOCKS 16 /* one FD per lock */
-#else
-#define MAX_SID_CACHE_LOCKS 256
-#endif
+static SECStatus
+releaseServerCacheSemaphore(void)
+{
+ BOOL success = FALSE;
-#define SID_HOWMANY(val, size) (((val) + ((size) - 1)) / (size))
-#define SID_ROUNDUP(val, size) ((size) * SID_HOWMANY((val), (size)))
+ PR_ASSERT(svrCacheSem != INVALID_HANDLE_VALUE);
+ if (svrCacheSem != INVALID_HANDLE_VALUE) {
+ /* Add 1, don't want previous value. */
+ success = ReleaseSemaphore(svrCacheSem, 1, NULL);
+ }
+ if (!success) {
+ nss_MD_win32_map_default_error(GetLastError());
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+static void
+destroyServerCacheSemaphore(void)
+{
+ PR_ASSERT(svrCacheSem != INVALID_HANDLE_VALUE);
+ if (svrCacheSem != INVALID_HANDLE_VALUE) {
+ CloseHandle(svrCacheSem);
+ /* ignore error */
+ svrCacheSem = INVALID_HANDLE_VALUE;
+ }
+}
-static sslPID myPid;
-static PRUint32 ssl_max_sid_cache_locks = MAX_SID_CACHE_LOCKS;
+#define GET_SERVER_CACHE_READ_LOCK(fd, offset, size) \
+ if (isMultiProcess) getServerCacheSemaphore();
-/* forward static function declarations */
-static void IOError(int rv, char *type);
-static PRUint32 SIDindex(cacheDesc *cache, const PRIPv6Addr *addr, PRUint8 *s, unsigned nl);
-static SECStatus LaunchLockPoller(cacheDesc *cache);
+#define GET_SERVER_CACHE_WRITE_LOCK(fd, offset, size) \
+ if (isMultiProcess) getServerCacheSemaphore();
+#define RELEASE_SERVER_CACHE_LOCK(fd, offset, size) \
+ if (isMultiProcess) releaseServerCacheSemaphore();
+#endif /* _win32 */
+/************************************************************************/
-struct inheritanceStr {
- PRUint32 sharedMemSize;
- PRUint16 fmStrLen;
-};
+#ifdef XP_UNIX
+static int SIDCacheFD = -1;
+static int certCacheFD = -1;
-typedef struct inheritanceStr inheritance;
+static pid_t myPid;
-#ifdef _WIN32
+struct unixInheritanceStr {
+ PRUint32 numSIDCacheEntries;
+ PRUint32 sidCacheFileSize;
+ PRUint32 sidCacheWrapOffset;
+ PRUint32 numCertCacheEntries;
+ PRUint32 certCacheFileSize;
-#define DEFAULT_CACHE_DIRECTORY "\\temp"
+ PRInt32 SIDCacheFD;
+ PRInt32 certCacheFD;
+};
-#endif /* _win32 */
+typedef struct unixInheritanceStr unixInheritance;
-#ifdef XP_UNIX
#define DEFAULT_CACHE_DIRECTORY "/tmp"
-#endif /* XP_UNIX */
-
-
-/************************************************************************/
-
+#ifdef TRACE
static void
-IOError(int rv, char *type)
+fcntlFailed(struct flock *lock)
{
-#ifdef XP_UNIX
- syslog(LOG_ALERT,
- "SSL: %s error with session-id cache, pid=%d, rv=%d, error='%m'",
- type, myPid, rv);
-#else /* XP_WIN32 */
- /* wish win32 had something like syslog() */
-#endif /* XP_UNIX */
+ fprintf(stderr,
+ "fcntl failed, errno = %d, PR_GetError = %d, lock.l_type = %d\n",
+ errno, PR_GetError(), lock->l_type);
+ fflush(stderr);
+}
+#define FCNTL_FAILED(lock) fcntlFailed(lock)
+#else
+#define FCNTL_FAILED(lock)
+#endif
+
+/* NOTES: Because there are no atomic seek-and-read and seek-and-write
+** functions that are supported on all our UNIX platforms, we need
+** to prevent all simultaeous seek-and-read operations. For that reason,
+** we use mutually exclusive (write) locks for read and write operations,
+** and use them all at the same offset (zero).
+*/
+static SECStatus
+_getServerCacheLock(int fd, short type, PRUint32 offset, PRUint32 size)
+{
+ int result;
+ struct flock lock;
+
+ memset(&lock, 0, sizeof lock);
+ lock.l_type = /* type */ F_WRLCK;
+ lock.l_whence = SEEK_SET; /* absolute file offsets. */
+ lock.l_start = 0;
+ lock.l_len = 128;
+
+#ifdef TRACE
+ if (ssl_trace) {
+ fprintf(stderr, "%d: %s lock, offset %8x, size %4d\n", myPid,
+ (type == F_RDLCK) ? "read " : "write", offset, size);
+ fflush(stderr);
+ }
+#endif
+ result = fcntl(fd, F_SETLKW, &lock);
+ if (result == -1) {
+ nss_MD_unix_map_default_error(errno);
+ FCNTL_FAILED(&lock);
+ return SECFailure;
+ }
+#ifdef TRACE
+ if (ssl_trace) {
+ fprintf(stderr, "%d: got lock, offset %8x, size %4d\n",
+ myPid, offset, size);
+ fflush(stderr);
+ }
+#endif
+ return SECSuccess;
}
-static PRUint32
-LockSidCacheLock(sidCacheLock *lock, PRUint32 now)
+typedef struct sslLockArgsStr {
+ PRUint32 offset;
+ PRUint32 size;
+ PRErrorCode err;
+ SECStatus rv;
+ int fd;
+ short type;
+} sslLockArgs;
+
+static void
+_doGetServerCacheLock(void * arg)
{
- SECStatus rv = sslMutex_Lock(&lock->mutex);
- if (rv != SECSuccess)
- return 0;
- if (!now)
- now = ssl_Time();
- lock->timeStamp = now;
- lock->pid = myPid;
- return now;
+ sslLockArgs * args = (sslLockArgs *)arg;
+ args->rv = _getServerCacheLock(args->fd, args->type, args->offset,
+ args->size );
+ if (args->rv != SECSuccess) {
+ args->err = PR_GetError();
+ }
}
static SECStatus
-UnlockSidCacheLock(sidCacheLock *lock)
+getServerCacheLock(int fd, short type, PRUint32 offset, PRUint32 size)
{
- SECStatus rv;
+ PRThread * selectThread;
+ PRThread * me = PR_GetCurrentThread();
+ PRThreadScope scope = PR_GetThreadScope(me);
+ SECStatus rv = SECFailure;
- lock->pid = 0;
- rv = sslMutex_Unlock(&lock->mutex);
+ if (scope == PR_GLOBAL_THREAD) {
+ rv = _getServerCacheLock(fd, type, offset, size);
+ } else {
+ /* Ib some platforms, one thread cannot read local/automatic
+ ** variables from another thread's stack. So, get this space
+ ** from the heap, not the stack.
+ */
+ sslLockArgs * args = PORT_New(sslLockArgs);
+
+ if (!args)
+ return rv;
+
+ args->offset = offset;
+ args->size = size;
+ args->rv = SECFailure;
+ args->fd = fd;
+ args->type = type;
+ selectThread = PR_CreateThread(PR_USER_THREAD,
+ _doGetServerCacheLock, args,
+ PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
+ PR_JOINABLE_THREAD, 0);
+ if (selectThread != NULL) {
+ /* rv will be set by _doGetServerCacheLock() */
+ PR_JoinThread(selectThread);
+ rv = args->rv;
+ if (rv != SECSuccess) {
+ PORT_SetError(args->err);
+ }
+ }
+ PORT_Free(args);
+ }
return rv;
}
-/* returns the value of ssl_Time on success, zero on failure. */
-static PRUint32
-LockSet(cacheDesc *cache, PRUint32 set, PRUint32 now)
+static SECStatus
+releaseServerCacheLock(int fd, PRUint32 offset, PRUint32 size)
{
- PRUint32 lockNum = set % cache->numSIDCacheLocks;
- sidCacheLock * lock = cache->sidCacheLocks + lockNum;
-
- return LockSidCacheLock(lock, now);
+ int result;
+ struct flock lock;
+
+ memset(&lock, 0, sizeof lock);
+ lock.l_type = F_UNLCK;
+ lock.l_whence = SEEK_SET; /* absolute file offsets. */
+ lock.l_start = 0;
+ lock.l_len = 128;
+
+#ifdef TRACE
+ if (ssl_trace) {
+ fprintf(stderr, "%d: unlock, offset %8x, size %4d\n",
+ myPid, offset, size);
+ fflush(stderr);
+ }
+#endif
+ result = fcntl(fd, F_SETLK, &lock);
+ if (result == -1) {
+ nss_MD_unix_map_default_error(errno);
+ FCNTL_FAILED(&lock);
+ return SECFailure;
+ }
+ return SECSuccess;
}
-static SECStatus
-UnlockSet(cacheDesc *cache, PRUint32 set)
+
+/* these defines take the arguments needed to do record locking,
+ * however the present implementation does only file locking.
+ */
+
+#define GET_SERVER_CACHE_READ_LOCK( fd, offset, size) \
+ if (isMultiProcess) getServerCacheLock(fd, F_RDLCK, offset, size);
+
+#define GET_SERVER_CACHE_WRITE_LOCK(fd, offset, size) \
+ if (isMultiProcess) getServerCacheLock(fd, F_WRLCK, offset, size);
+
+#define RELEASE_SERVER_CACHE_LOCK( fd, offset, size) \
+ if (isMultiProcess) releaseServerCacheLock(fd, offset, size);
+
+/*
+** Zero a file out to nb bytes
+*/
+static SECStatus
+ZeroFile(int fd, int nb)
{
- PRUint32 lockNum = set % cache->numSIDCacheLocks;
- sidCacheLock * lock = cache->sidCacheLocks + lockNum;
+ off_t off;
+ int amount, rv;
+ char buf[16384];
+
+ PORT_Memset(buf, 0, sizeof(buf));
+ off = lseek(fd, 0, SEEK_SET);
+ if (off != 0) {
+ if (off == -1)
+ nss_MD_unix_map_lseek_error(errno);
+ else
+ PORT_SetError(PR_FILE_SEEK_ERROR);
+ return SECFailure;
+ }
- return UnlockSidCacheLock(lock);
+ while (nb > 0) {
+ amount = (nb > sizeof buf) ? sizeof buf : nb;
+ rv = write(fd, buf, amount);
+ if (rv <= 0) {
+ if (!rv)
+ PORT_SetError(PR_IO_ERROR);
+ else
+ nss_MD_unix_map_write_error(errno);
+ IOError(rv, "zero-write");
+ return SECFailure;
+ }
+ nb -= rv;
+ }
+ return SECSuccess;
}
-/************************************************************************/
+#endif /* XP_UNIX */
+
+/************************************************************************/
-/* Put a certificate in the cache. Update the cert index in the sce.
+/*
+** Reconstitute a cert from the cache
+** This is only called from ConvertToSID().
+** Caller must hold the cache lock before calling this.
*/
-static PRUint32
-CacheCert(cacheDesc * cache, CERTCertificate *cert, sidCacheEntry *sce)
+static CERTCertificate *
+GetCertFromCache(SIDCacheEntry *sce, CERTCertDBHandle *dbHandle)
{
- PRUint32 now;
- certCacheEntry cce;
+ CERTCertificate *cert;
+ PRUint32 offset;
+ int rv;
+#ifdef XP_UNIX
+ off_t off;
+#endif
+ SECItem derCert;
+ CertCacheEntry cce;
- if ((cert->derCert.len > SSL_MAX_CACHED_CERT_LEN) ||
- (cert->derCert.len <= 0) ||
- (cert->derCert.data == NULL)) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return 0;
+ offset = (PRUint32)sce->u.ssl3.certIndex * sizeof(CertCacheEntry);
+ GET_SERVER_CACHE_READ_LOCK(certCacheFD, offset, sizeof(CertCacheEntry));
+#ifdef XP_UNIX
+ off = lseek(certCacheFD, offset, SEEK_SET);
+ rv = -1;
+ if (off != offset) {
+ if (off == -1)
+ nss_MD_unix_map_lseek_error(errno);
+ else
+ PORT_SetError(PR_FILE_SEEK_ERROR);
+ } else {
+ rv = read(certCacheFD, &cce, sizeof(CertCacheEntry));
+ if (rv != sizeof(CertCacheEntry)) {
+ if (rv == -1)
+ nss_MD_unix_map_read_error(errno);
+ else
+ PORT_SetError(PR_IO_ERROR);
+ }
}
+#else /* XP_WIN32 */
+ /* Use memory mapped I/O and just memcpy() the data */
+ CopyMemory(&cce, &certCacheData[offset], sizeof(CertCacheEntry));
+ rv = sizeof cce;
+#endif /* XP_WIN32 */
+ RELEASE_SERVER_CACHE_LOCK(certCacheFD, offset, sizeof(CertCacheEntry))
- cce.sessionIDLength = sce->sessionIDLength;
- PORT_Memcpy(cce.sessionID, sce->sessionID, cce.sessionIDLength);
+ if (rv != sizeof(CertCacheEntry)) {
+ IOError(rv, "read"); /* error set above */
+ return NULL;
+ }
- cce.certLength = cert->derCert.len;
- PORT_Memcpy(cce.cert, cert->derCert.data, cce.certLength);
+ /* See if the session ID matches with that in the sce cache. */
+ if((cce.sessionIDLength != sce->u.ssl3.sessionIDLength) ||
+ PORT_Memcmp(cce.sessionID, sce->u.ssl3.sessionID, cce.sessionIDLength)) {
+ /* this is a cache miss, not an error */
+ PORT_SetError(SSL_ERROR_SESSION_NOT_FOUND);
+ return NULL;
+ }
+
+ derCert.len = cce.certLength;
+ derCert.data = cce.cert;
- /* get lock on cert cache */
- now = LockSidCacheLock(cache->certCacheLock, 0);
- if (now) {
+ cert = CERT_NewTempCertificate(dbHandle, &derCert, NULL,
+ PR_FALSE, PR_TRUE);
- /* Find where to place the next cert cache entry. */
- cacheDesc * sharedCache = cache->sharedCache;
- PRUint32 ndx = sharedCache->nextCertCacheEntry;
+ return cert;
+}
- /* write the entry */
- cache->certCacheData[ndx] = cce;
+/* Put a certificate in the cache. We assume that the certIndex in
+** sid is valid.
+*/
+static void
+CacheCert(CERTCertificate *cert, SIDCacheEntry *sce)
+{
+ PRUint32 offset;
+ CertCacheEntry cce;
+#ifdef XP_UNIX
+ off_t off;
+ int rv;
+#endif
- /* remember where we put it. */
- sce->u.ssl3.certIndex = ndx;
+ offset = (PRUint32)sce->u.ssl3.certIndex * sizeof(CertCacheEntry);
+ if (cert->derCert.len > SSL_MAX_CACHED_CERT_LEN)
+ return;
+
+ cce.sessionIDLength = sce->u.ssl3.sessionIDLength;
+ PORT_Memcpy(cce.sessionID, sce->u.ssl3.sessionID, cce.sessionIDLength);
- /* update the "next" cache entry index */
- sharedCache->nextCertCacheEntry =
- (ndx + 1) % cache->numCertCacheEntries;
+ cce.certLength = cert->derCert.len;
+ PORT_Memcpy(cce.cert, cert->derCert.data, cce.certLength);
- UnlockSidCacheLock(cache->certCacheLock);
+ GET_SERVER_CACHE_WRITE_LOCK(certCacheFD, offset, sizeof cce);
+#ifdef XP_UNIX
+ off = lseek(certCacheFD, offset, SEEK_SET);
+ if (off != offset) {
+ if (off == -1)
+ nss_MD_unix_map_lseek_error(errno);
+ else
+ PORT_SetError(PR_FILE_SEEK_ERROR);
+ } else {
+ rv = write(certCacheFD, &cce, sizeof cce);
+ if (rv != sizeof(CertCacheEntry)) {
+ if (rv == -1)
+ nss_MD_unix_map_write_error(errno);
+ else
+ PORT_SetError(PR_IO_ERROR);
+ IOError(rv, "cert-write");
+ Invalidate(sce);
+ }
}
- return now;
+#else /* WIN32 */
+ /* Use memory mapped I/O and just memcpy() the data */
+ CopyMemory(&certCacheData[offset], &cce, sizeof cce);
+#endif /* XP_UNIX */
+ RELEASE_SERVER_CACHE_LOCK(certCacheFD, offset, sizeof cce);
+ return;
}
/*
** Convert memory based SID to file based one
*/
static void
-ConvertFromSID(sidCacheEntry *to, sslSessionID *from)
+ConvertFromSID(SIDCacheEntry *to, sslSessionID *from)
{
- to->valid = 1;
- to->version = from->version;
- to->addr = from->addr;
- to->time = from->time;
+ to->u.ssl2.valid = 1;
+ to->u.ssl2.version = from->version;
+ to->addr = from->addr;
+ to->time = from->time;
if (from->version < SSL_LIBRARY_VERSION_3_0) {
if ((from->u.ssl2.masterKey.len > SSL_MAX_MASTER_KEY_BYTES) ||
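Review bot: GetCertFromCache uses the length fields of the record it has just read from the cert cache file without bounding them. `derCert.len = cce.certLength` is never compared with `SSL_MAX_CACHED_CERT_LEN`, and `cce.sessionIDLength` goes into `PORT_Memcmp` without a check against `SSL3_SESSIONID_BYTES`, so a corrupt or stale record lets the certificate decoder and the compare read past the `cce` stack buffer. The record should be treated as a cache miss first, e.g. `if (cce.certLength == 0 || cce.certLength > SSL_MAX_CACHED_CERT_LEN || cce.sessionIDLength > SSL3_SESSIONID_BYTES)` ahead of the session-ID comparison. CacheCert has the write-side counterpart, copying `sce->u.ssl3.sessionIDLength` bytes into the 32-byte `cce.sessionID`, and the ConvertToSID hunk at -511,7 copies `from->u.ssl3.sessionIDLength` bytes out of a cache entry in the same way. This hunk ends inside ConvertFromSID, whose body continues in the following hunks.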
@@ -397,7 +726,7 @@ ConvertFromSID(sidCacheEntry *to, sslSessionID *from)
SSL_DBG(("%d: SSL: masterKeyLen=%d cipherArgLen=%d",
myPid, from->u.ssl2.masterKey.len,
from->u.ssl2.cipherArg.len));
- to->valid = 0;
+ to->u.ssl2.valid = 0;
return;
}
@@ -406,8 +735,8 @@ ConvertFromSID(sidCacheEntry *to, sslSessionID *from)
to->u.ssl2.cipherArgLen = from->u.ssl2.cipherArg.len;
to->u.ssl2.keyBits = from->u.ssl2.keyBits;
to->u.ssl2.secretKeyBits = from->u.ssl2.secretKeyBits;
- to->sessionIDLength = SSL2_SESSIONID_BYTES;
- PORT_Memcpy(to->sessionID, from->u.ssl2.sessionID, SSL2_SESSIONID_BYTES);
+ PORT_Memcpy(to->u.ssl2.sessionID, from->u.ssl2.sessionID,
+ sizeof(to->u.ssl2.sessionID));
PORT_Memcpy(to->u.ssl2.masterKey, from->u.ssl2.masterKey.data,
from->u.ssl2.masterKey.len);
PORT_Memcpy(to->u.ssl2.cipherArg, from->u.ssl2.cipherArg.data,
@@ -421,12 +750,13 @@ ConvertFromSID(sidCacheEntry *to, sslSessionID *from)
SSL_TRC(8, ("%d: SSL: ConvertSID: masterKeyLen=%d cipherArgLen=%d "
"time=%d addr=0x%08x%08x%08x%08x cipherType=%d", myPid,
to->u.ssl2.masterKeyLen, to->u.ssl2.cipherArgLen,
- to->time, to->addr.pr_s6_addr32[0],
+ to->time, to->addr.pr_s6_addr32[0],
to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2],
to->addr.pr_s6_addr32[3], to->u.ssl2.cipherType));
} else {
/* This is an SSL v3 session */
+ to->u.ssl3.sessionIDLength = from->u.ssl3.sessionIDLength;
to->u.ssl3.cipherSuite = from->u.ssl3.cipherSuite;
to->u.ssl3.compression = (uint16)from->u.ssl3.compression;
to->u.ssl3.resumable = from->u.ssl3.resumable;
@@ -434,14 +764,12 @@ ConvertFromSID(sidCacheEntry *to, sslSessionID *from)
to->u.ssl3.keys = from->u.ssl3.keys;
to->u.ssl3.masterWrapMech = from->u.ssl3.masterWrapMech;
to->u.ssl3.exchKeyType = from->u.ssl3.exchKeyType;
- to->sessionIDLength = from->u.ssl3.sessionIDLength;
- to->u.ssl3.certIndex = -1;
- PORT_Memcpy(to->sessionID, from->u.ssl3.sessionID,
- to->sessionIDLength);
+ PORT_Memcpy(to->u.ssl3.sessionID,
+ from->u.ssl3.sessionID,
+ from->u.ssl3.sessionIDLength);
- SSL_TRC(8, ("%d: SSL3: ConvertSID: time=%d addr=0x%08x%08x%08x%08x "
- "cipherSuite=%d",
+ SSL_TRC(8, ("%d: SSL3: ConvertSID: time=%d addr=0x%08x%08x%08x%08x cipherSuite=%d",
myPid, to->time, to->addr.pr_s6_addr32[0],
to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2],
to->addr.pr_s6_addr32[3], to->u.ssl3.cipherSuite));
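Review bot: With `to->u.ssl3.certIndex = -1;` removed, nothing in the SSL3 branch of ConvertFromSID shown here gives `certIndex` a value. ConvertToSID still tests it against -1, and GetCertFromCache and CacheCert multiply it into an offset in the cert cache. If the caller does not assign it before the entry is written (not visible in this hunk), the cache stores whatever the caller's buffer held. Keeping the initialisation next to the other ssl3 fields, `to->u.ssl3.certIndex = -1;`, makes a freshly converted entry mean "no cached cert" by default. ConvertFromSID starts and ends outside this hunk.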
@@ -454,11 +782,10 @@ ConvertFromSID(sidCacheEntry *to, sslSessionID *from)
** Caller must hold cache lock when calling this.
*/
static sslSessionID *
-ConvertToSID(sidCacheEntry *from, certCacheEntry *pcce,
- CERTCertDBHandle * dbHandle)
+ConvertToSID(SIDCacheEntry *from, CERTCertDBHandle * dbHandle)
{
sslSessionID *to;
- uint16 version = from->version;
+ uint16 version = from->u.ssl2.version;
to = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
if (!to) {
@@ -473,13 +800,13 @@ ConvertToSID(sidCacheEntry *from, certCacheEntry *pcce,
goto loser;
}
if (from->u.ssl2.cipherArgLen) {
- to->u.ssl2.cipherArg.data =
- (unsigned char*)PORT_Alloc(from->u.ssl2.cipherArgLen);
+ to->u.ssl2.cipherArg.data = (unsigned char*)
+ PORT_Alloc(from->u.ssl2.cipherArgLen);
if (!to->u.ssl2.cipherArg.data) {
goto loser;
}
PORT_Memcpy(to->u.ssl2.cipherArg.data, from->u.ssl2.cipherArg,
- from->u.ssl2.cipherArgLen);
+ from->u.ssl2.cipherArgLen);
}
to->u.ssl2.cipherType = from->u.ssl2.cipherType;
@@ -487,22 +814,22 @@ ConvertToSID(sidCacheEntry *from, certCacheEntry *pcce,
to->u.ssl2.cipherArg.len = from->u.ssl2.cipherArgLen;
to->u.ssl2.keyBits = from->u.ssl2.keyBits;
to->u.ssl2.secretKeyBits = from->u.ssl2.secretKeyBits;
-/* to->sessionIDLength = SSL2_SESSIONID_BYTES; */
- PORT_Memcpy(to->u.ssl2.sessionID, from->sessionID, SSL2_SESSIONID_BYTES);
+ PORT_Memcpy(to->u.ssl2.sessionID, from->u.ssl2.sessionID,
+ sizeof from->u.ssl2.sessionID);
PORT_Memcpy(to->u.ssl2.masterKey.data, from->u.ssl2.masterKey,
- from->u.ssl2.masterKeyLen);
+ from->u.ssl2.masterKeyLen);
SSL_TRC(8, ("%d: SSL: ConvertToSID: masterKeyLen=%d cipherArgLen=%d "
"time=%d addr=0x%08x%08x%08x%08x cipherType=%d",
myPid, to->u.ssl2.masterKey.len,
- to->u.ssl2.cipherArg.len, to->time,
+ to->u.ssl2.cipherArg.len, to->time,
to->addr.pr_s6_addr32[0], to->addr.pr_s6_addr32[1],
- to->addr.pr_s6_addr32[2], to->addr.pr_s6_addr32[3],
+ to->addr.pr_s6_addr32[2], to->addr.pr_s6_addr32[3],
to->u.ssl2.cipherType));
} else {
/* This is an SSL v3 session */
- to->u.ssl3.sessionIDLength = from->sessionIDLength;
+ to->u.ssl3.sessionIDLength = from->u.ssl3.sessionIDLength;
to->u.ssl3.cipherSuite = from->u.ssl3.cipherSuite;
to->u.ssl3.compression = (SSL3CompressionMethod)from->u.ssl3.compression;
to->u.ssl3.resumable = from->u.ssl3.resumable;
@@ -511,7 +838,9 @@ ConvertToSID(sidCacheEntry *from, certCacheEntry *pcce,
to->u.ssl3.masterWrapMech = from->u.ssl3.masterWrapMech;
to->u.ssl3.exchKeyType = from->u.ssl3.exchKeyType;
- PORT_Memcpy(to->u.ssl3.sessionID, from->sessionID, from->sessionIDLength);
+ PORT_Memcpy(to->u.ssl3.sessionID,
+ from->u.ssl3.sessionID,
+ from->u.ssl3.sessionIDLength);
/* the portions of the SID that are only restored on the client
* are set to invalid values on the server.
@@ -534,21 +863,15 @@ ConvertToSID(sidCacheEntry *from, certCacheEntry *pcce,
to->u.ssl3.clientWriteSaveLen = 0;
- if (from->u.ssl3.certIndex != -1 && pcce) {
- SECItem derCert;
-
- derCert.len = pcce->certLength;
- derCert.data = pcce->cert;
-
- to->peerCert = CERT_NewTempCertificate(dbHandle, &derCert, NULL,
- PR_FALSE, PR_TRUE);
+ if (from->u.ssl3.certIndex != -1) {
+ to->peerCert = GetCertFromCache(from, dbHandle);
if (to->peerCert == NULL)
goto loser;
}
}
- to->version = from->version;
- to->time = from->time; /* XXX ??? is expiration time */
+ to->version = from->u.ssl2.version;
+ to->time = from->time;
to->cached = in_server_cache;
to->addr = from->addr;
to->references = 1;
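Review bot: The guard `from->u.ssl3.certIndex != -1` is the only check before GetCertFromCache turns `certIndex` into `certIndex * sizeof(CertCacheEntry)`, and `from` is a cache entry rather than locally built state. Any other negative value, or one at or above `numCertCacheEntries`, yields an offset outside the cert cache, and on Win32 that offset indexes the mapped `certCacheData` directly. A range check inside the branch would close this: `if ((PRUint32)from->u.ssl3.certIndex >= numCertCacheEntries) goto loser;` before the call. ConvertToSID starts and ends outside this hunk.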
@@ -556,6 +879,7 @@ ConvertToSID(sidCacheEntry *from, certCacheEntry *pcce,
return to;
loser:
+ Invalidate(from);
if (to) {
if (version < SSL_LIBRARY_VERSION_3_0) {
if (to->u.ssl2.masterKey.data)
@@ -569,82 +893,210 @@ ConvertToSID(sidCacheEntry *from, certCacheEntry *pcce,
}
+/* Invalidate a SID cache entry.
+ * Called from CacheCert, ConvertToSid, and ServerSessionIDUncache.
+ */
+static void
+Invalidate(SIDCacheEntry *sce)
+{
+ PRUint32 offset;
+#ifdef XP_UNIX
+ off_t off;
+ int rv;
+#endif
+
+ if (sce == NULL) return;
+
+ if (sce->u.ssl2.version < SSL_LIBRARY_VERSION_3_0) {
+ offset = Offset(&sce->addr, sce->u.ssl2.sessionID,
+ sizeof sce->u.ssl2.sessionID);
+ } else {
+ offset = Offset(&sce->addr, sce->u.ssl3.sessionID,
+ sce->u.ssl3.sessionIDLength);
+ }
+
+ sce->u.ssl2.valid = 0;
+ SSL_TRC(7, ("%d: SSL: uncaching session-id at offset %ld",
+ myPid, offset));
+
+ GET_SERVER_CACHE_WRITE_LOCK(SIDCacheFD, offset, sizeof *sce);
+
+#ifdef XP_UNIX
+ off = lseek(SIDCacheFD, offset, SEEK_SET);
+ if (off != offset) {
+ if (off == -1)
+ nss_MD_unix_map_lseek_error(errno);
+ else
+ PORT_SetError(PR_FILE_SEEK_ERROR);
+ } else {
+ rv = write(SIDCacheFD, sce, sizeof *sce);
+ if (rv != sizeof *sce) {
+ if (rv == -1)
+ nss_MD_unix_map_write_error(errno);
+ else
+ PORT_SetError(PR_IO_ERROR);
+ IOError(rv, "invalidate-write");
+ }
+ }
+#else /* WIN32 */
+ /* Use memory mapped I/O and just memcpy() the data */
+ CopyMemory(&SIDCacheData[offset], sce, sizeof *sce);
+#endif /* XP_UNIX */
+
+ RELEASE_SERVER_CACHE_LOCK(SIDCacheFD, offset, sizeof *sce);
+}
+
+
+static void
+IOError(int rv, char *type)
+{
+#ifdef XP_UNIX
+ syslog(LOG_ALERT,
+ "SSL: %s error with session-id cache, pid=%d, rv=%d, error='%m'",
+ type, myPid, rv);
+#else /* XP_WIN32 */
+#ifdef MC_HTTPD
+ ereport(LOG_FAILURE, "%s error with session-id cache rv=%d\n",type, rv);
+#endif /* MC_HTTPD */
+#endif /* XP_UNIX */
+}
+
+static void
+lock_cache(void)
+{
+ PZ_Lock(cacheLock);
+}
+
+static void
+unlock_cache(void)
+{
+ PZ_Unlock(cacheLock);
+}
/*
** Perform some mumbo jumbo on the ip-address and the session-id value to
** compute a hash value.
*/
static PRUint32
-SIDindex(cacheDesc *cache, const PRIPv6Addr *addr, PRUint8 *s, unsigned nl)
+Offset(const PRIPv6Addr *addr, unsigned char *s, unsigned nl)
{
PRUint32 rv;
- PRUint32 x[8];
-
- memset(x, 0, sizeof x);
- if (nl > sizeof x)
- nl = sizeof x;
- memcpy(x, s, nl);
- rv = (addr->pr_s6_addr32[0] ^ addr->pr_s6_addr32[1] ^
- addr->pr_s6_addr32[2] ^ addr->pr_s6_addr32[3] ^
- x[0] ^ x[1] ^ x[2] ^ x[3] ^ x[4] ^ x[5] ^ x[6] ^ x[7])
- % cache->numSIDCacheSets;
- return rv;
+ rv = addr->pr_s6_addr32[3] ^ (((PRUint32)s[0] << 24) | ((PRUint32)s[1] << 16)
+ | (s[2] << 8) | s[nl-1]);
+ return (rv % numSIDCacheEntries) * sizeof(SIDCacheEntry);
}
/*
** Look something up in the cache. This will invalidate old entries
-** in the process. Caller has locked the cache set!
+** in the process. Caller has locked the cache!
** Returns PR_TRUE if found a valid match. PR_FALSE otherwise.
*/
-static sidCacheEntry *
-FindSID(cacheDesc *cache, PRUint32 setNum, PRUint32 now,
- const PRIPv6Addr *addr, unsigned char *sessionID,
- unsigned sessionIDLength)
+static PRBool
+FindSID(const PRIPv6Addr *addr, unsigned char *sessionID,
+ unsigned sessionIDLength, SIDCacheEntry *sce)
{
- PRUint32 ndx = cache->sidCacheSets[setNum].next;
- int i;
-
- sidCacheEntry * set = cache->sidCacheData +
- (setNum * SID_CACHE_ENTRIES_PER_SET);
-
- for (i = SID_CACHE_ENTRIES_PER_SET; i > 0; --i) {
- sidCacheEntry * sce;
-
- ndx = (ndx - 1) % SID_CACHE_ENTRIES_PER_SET;
- sce = set + ndx;
-
- if (!sce->valid)
- continue;
-
- if (now > sce->time) {
- /* SessionID has timed out. Invalidate the entry. */
- SSL_TRC(7, ("%d: timed out sid entry addr=%08x%08x%08x%08x now=%x "
- "time+=%x",
- myPid, sce->addr.pr_s6_addr32[0],
- sce->addr.pr_s6_addr32[1], sce->addr.pr_s6_addr32[2],
- sce->addr.pr_s6_addr32[3], now,
- sce->time + ssl_sid_timeout));
- sce->valid = 0;
- continue;
- }
+ PRUint32 offset;
+ PRUint32 now;
+ int rv;
+#ifdef XP_UNIX
+ off_t off;
+#endif
- /*
- ** Next, examine specific session-id/addr data to see if the cache
- ** entry matches our addr+session-id value
- */
- if (sessionIDLength == sce->sessionIDLength &&
- !memcmp(&sce->addr, addr, sizeof(PRIPv6Addr)) &&
- !memcmp(sce->sessionID, sessionID, sessionIDLength)) {
- /* Found it */
- return sce;
+ /* Read in cache entry after hashing ip address and session-id value */
+ offset = Offset(addr, sessionID, sessionIDLength);
+ now = ssl_Time();
+ GET_SERVER_CACHE_READ_LOCK(SIDCacheFD, offset, sizeof *sce);
+#ifdef XP_UNIX
+ off = lseek(SIDCacheFD, offset, SEEK_SET);
+ rv = -1;
+ if (off != offset) {
+ if (off == -1)
+ nss_MD_unix_map_lseek_error(errno);
+ else
+ PORT_SetError(PR_FILE_SEEK_ERROR);
+ } else {
+ rv = read(SIDCacheFD, sce, sizeof *sce);
+ if (rv != sizeof *sce) {
+ if (rv == -1)
+ nss_MD_unix_map_read_error(errno);
+ else
+ PORT_SetError(PR_IO_ERROR);
+ }
+ }
+#else /* XP_WIN32 */
+ /* Use memory mapped I/O and just memcpy() the data */
+ CopyMemory(sce, &SIDCacheData[offset], sizeof *sce);
+ rv = sizeof *sce;
+#endif /* XP_WIN32 */
+ RELEASE_SERVER_CACHE_LOCK(SIDCacheFD, offset, sizeof *sce);
+
+ if (rv != sizeof *sce) {
+ IOError(rv, "server sid cache read");
+ return PR_FALSE;
+ }
+
+ if (!sce->u.ssl2.valid) {
+ /* Entry is not valid */
+ PORT_SetError(SSL_ERROR_SESSION_NOT_FOUND);
+ return PR_FALSE;
+ }
+
+ if (((sce->u.ssl2.version < SSL_LIBRARY_VERSION_3_0) &&
+ (now > sce->time + ssl_sid_timeout)) ||
+ ((sce->u.ssl2.version >= SSL_LIBRARY_VERSION_3_0) &&
+ (now > sce->time + ssl3_sid_timeout))) {
+ /* SessionID has timed out. Invalidate the entry. */
+ SSL_TRC(7, ("%d: timed out sid entry addr=%08x%08x%08x%08x now=%x time+=%x",
+ myPid, sce->addr.pr_s6_addr32[0],
+ sce->addr.pr_s6_addr32[1], sce->addr.pr_s6_addr32[2],
+ sce->addr.pr_s6_addr32[3], now,
+ sce->time + ssl_sid_timeout));
+ sce->u.ssl2.valid = 0;
+
+ GET_SERVER_CACHE_WRITE_LOCK(SIDCacheFD, offset, sizeof *sce);
+#ifdef XP_UNIX
+ off = lseek(SIDCacheFD, offset, SEEK_SET);
+ rv = -1;
+ if (off != offset) {
+ if (off == -1)
+ nss_MD_unix_map_lseek_error(errno);
+ else
+ PORT_SetError(PR_IO_ERROR);
+ } else {
+ rv = write(SIDCacheFD, sce, sizeof *sce);
+ if (rv != sizeof *sce) {
+ if (rv == -1)
+ nss_MD_unix_map_write_error(errno);
+ else
+ PORT_SetError(PR_IO_ERROR);
+ IOError(rv, "timeout-write");
+ }
}
+#else /* WIN32 */
+ /* Use memory mapped I/O and just memcpy() the data */
+ CopyMemory(&SIDCacheData[offset], sce, sizeof *sce);
+ rv = sizeof *sce;
+#endif /* XP_UNIX */
+ RELEASE_SERVER_CACHE_LOCK(SIDCacheFD, offset, sizeof *sce);
+ if (rv == sizeof *sce)
+ PORT_SetError(SSL_ERROR_SESSION_NOT_FOUND);
+ return PR_FALSE;
}
+ /*
+ ** Finally, examine specific session-id/addr data to see if the cache
+ ** entry matches our addr+session-id value
+ */
+ if (!memcmp(&sce->addr, addr, sizeof(PRIPv6Addr)) &&
+ (PORT_Memcmp(sce->u.ssl2.sessionID, sessionID, sessionIDLength) == 0)) {
+ /* Found it */
+ return PR_TRUE;
+ }
PORT_SetError(SSL_ERROR_SESSION_NOT_FOUND);
- return NULL;
+ return PR_FALSE;
}
/************************************************************************/
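Review bot: The final match test in the new FindSID no longer compares the caller's `sessionIDLength` with the length stored in the entry, which the removed code did with `sessionIDLength == sce->sessionIDLength`. A shorter ID that lands in the same slot and is a prefix of the stored one is therefore reported as found, and the compare always goes through `sce->u.ssl2.sessionID` with a length that is never bounded against that field. Selecting the stored ID and its length by version, as Invalidate does in this hunk, and requiring equal lengths restores the old strictness. Separately, the trace in the timeout branch prints `sce->time + ssl_sid_timeout` for SSL3 entries too, and its seek failure sets `PR_IO_ERROR` where the other copies set `PR_FILE_SEEK_ERROR`.
```c
    /* … unchanged: locked read of the entry, valid-flag and timeout checks … */
    {
        unsigned char *storedID;
        unsigned       storedLen;

        if (sce->u.ssl2.version < SSL_LIBRARY_VERSION_3_0) {
            storedID  = sce->u.ssl2.sessionID;
            storedLen = sizeof sce->u.ssl2.sessionID;
        } else {
            storedID  = sce->u.ssl3.sessionID;
            storedLen = sce->u.ssl3.sessionIDLength;
        }
        if (sessionIDLength == storedLen &&
            !memcmp(&sce->addr, addr, sizeof(PRIPv6Addr)) &&
            PORT_Memcmp(storedID, sessionID, sessionIDLength) == 0) {
            /* Found it */
            return PR_TRUE;
        }
    }
    /* … unchanged: set SSL_ERROR_SESSION_NOT_FOUND and return PR_FALSE … */
```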
@@ -654,82 +1106,40 @@ FindSID(cacheDesc *cache, PRUint32 setNum, PRUint32 now,
* pointer ssl_sid_lookup.
*/
static sslSessionID *
-ServerSessionIDLookup(const PRIPv6Addr *addr,
+ServerSessionIDLookup( const PRIPv6Addr *addr,
unsigned char *sessionID,
unsigned int sessionIDLength,
CERTCertDBHandle * dbHandle)
{
- sslSessionID * sid = 0;
- sidCacheEntry * psce;
- certCacheEntry *pcce = 0;
- cacheDesc * cache = &globalCache;
- PRUint32 now;
- PRUint32 set;
- PRInt32 cndx;
- sidCacheEntry sce;
- certCacheEntry cce;
-
- set = SIDindex(cache, addr, sessionID, sessionIDLength);
- now = LockSet(cache, set, 0);
- if (!now)
- return NULL;
-
- psce = FindSID(cache, set, now, addr, sessionID, sessionIDLength);
- if (psce) {
- if (psce->version >= SSL_LIBRARY_VERSION_3_0 &&
- (cndx = psce->u.ssl3.certIndex) != -1) {
-
- PRUint32 gotLock = LockSidCacheLock(cache->certCacheLock, now);
- if (gotLock) {
- pcce = &cache->certCacheData[cndx];
-
- /* See if the cert's session ID matches the sce cache. */
- if ((pcce->sessionIDLength == psce->sessionIDLength) &&
- !PORT_Memcmp(pcce->sessionID, psce->sessionID,
- pcce->sessionIDLength)) {
- cce = *pcce;
- } else {
- /* The cert doesen't match the SID cache entry,
- ** so invalidate the SID cache entry.
- */
- psce->valid = 0;
- psce = 0;
- pcce = 0;
- }
- UnlockSidCacheLock(cache->certCacheLock);
- } else {
- /* what the ??. Didn't get the cert cache lock.
- ** Don't invalidate the SID cache entry, but don't find it.
- */
- PORT_Assert(!("Didn't get cert Cache Lock!"));
- psce = 0;
- pcce = 0;
- }
- }
- if (psce) {
- sce = *psce; /* grab a copy while holding the lock */
- }
- }
- UnlockSet(cache, set);
- if (psce) {
- /* sce conains a copy of the cache entry.
- ** Convert file format to internal format
- */
- sid = ConvertToSID(&sce, pcce ? &cce : 0, dbHandle);
+ SIDCacheEntry sce;
+ sslSessionID *sid;
+
+ sid = 0;
+ lock_cache();
+ if (FindSID(addr, sessionID, sessionIDLength, &sce)) {
+ /* Found it. Convert file format to internal format */
+ sid = ConvertToSID(&sce, dbHandle);
}
+ unlock_cache();
return sid;
}
/*
-** Place a sid into the cache, if it isn't already there.
+** Place an sid into the cache, if it isn't already there. Note that if
+** some other server process has replaced a session-id cache entry that has
+** the same cache index as this sid, then all is ok. Somebody has to lose
+** when this condition occurs, so it might as well be this sid.
*/
static void
ServerSessionIDCache(sslSessionID *sid)
{
- sidCacheEntry sce;
- PRUint32 now = 0;
- uint16 version = sid->version;
- cacheDesc * cache = &globalCache;
+ SIDCacheEntry sce;
+ PRUint32 offset;
+#ifdef XP_UNIX
+ off_t off;
+ int rv;
+#endif
+ uint16 version = sid->version;
if ((version >= SSL_LIBRARY_VERSION_3_0) &&
(sid->u.ssl3.sessionIDLength == 0)) {
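Review bot: ServerSessionIDLookup passes `sessionIDLength` straight to FindSID, which hands it to the new `Offset()`, and that helper indexes `s[0]`, `s[1]`, `s[2]` and `s[nl-1]` unconditionally. With a length of zero, `s[nl-1]` reads the byte before the buffer, and with fewer than three bytes the hash mixes in data beyond the supplied ID. The store path below tests `sid->u.ssl3.sessionIDLength == 0` first, but the lookup path has no such test, and whether every caller of the `ssl_sid_lookup` pointer guarantees a minimum length is not visible here. An early return before `lock_cache()` keeps the hash input in bounds: `if (sessionIDLength < 3) return NULL;`.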
@@ -737,346 +1147,384 @@ ServerSessionIDCache(sslSessionID *sid)
}
if (sid->cached == never_cached || sid->cached == invalid_cache) {
- PRUint32 set;
+ lock_cache();
+ sid->time = ssl_Time();
if (version < SSL_LIBRARY_VERSION_3_0) {
- sid->time = ssl_Time() + ssl_sid_timeout;
SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x time=%x "
- "cipher=%d", myPid, sid->cached,
+ "cipher=%d", myPid, sid->cached,
sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
sid->time, sid->u.ssl2.cipherType));
PRINT_BUF(8, (0, "sessionID:", sid->u.ssl2.sessionID,
- SSL2_SESSIONID_BYTES));
+ sizeof(sid->u.ssl2.sessionID)));
PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data,
sid->u.ssl2.masterKey.len));
PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data,
sid->u.ssl2.cipherArg.len));
+ /* Write out new cache entry */
+ offset = Offset(&sid->addr, sid->u.ssl2.sessionID,
+ sizeof(sid->u.ssl2.sessionID));
} else {
- sid->time = ssl_Time() + ssl3_sid_timeout;
SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x time=%x "
- "cipherSuite=%d", myPid, sid->cached,
+ "cipherSuite=%d", myPid, sid->cached,
sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
- sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
+ sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
sid->time, sid->u.ssl3.cipherSuite));
PRINT_BUF(8, (0, "sessionID:", sid->u.ssl3.sessionID,
sid->u.ssl3.sessionIDLength));
+
+ offset = Offset(&sid->addr, sid->u.ssl3.sessionID,
+ sid->u.ssl3.sessionIDLength);
+
}
ConvertFromSID(&sce, sid);
+ if (version >= SSL_LIBRARY_VERSION_3_0) {
+ if (sid->peerCert == NULL) {
+ sce.u.ssl3.certIndex = -1;
+ } else {
+ sce.u.ssl3.certIndex = (int16)
+ ((offset / sizeof(SIDCacheEntry)) % numCertCacheEntries);
+ }
+ }
+
+ GET_SERVER_CACHE_WRITE_LOCK(SIDCacheFD, offset, sizeof sce);
+#ifdef XP_UNIX
+ off = lseek(SIDCacheFD, offset, SEEK_SET);
+ if (off != offset) {
+ if (off == -1)
+ nss_MD_unix_map_lseek_error(errno);
+ else
+ PORT_SetError(PR_IO_ERROR);
+ } else {
+ rv = write(SIDCacheFD, &sce, sizeof sce);
+ if (rv != sizeof(sce)) {
+ if (rv == -1)
+ nss_MD_unix_map_write_error(errno);
+ else
+ PORT_SetError(PR_IO_ERROR);
+ IOError(rv, "update-write");
+ }
+ }
+#else /* WIN32 */
+ CopyMemory(&SIDCacheData[offset], &sce, sizeof sce);
+#endif /* XP_UNIX */
+ RELEASE_SERVER_CACHE_LOCK(SIDCacheFD, offset, sizeof sce);
if ((version >= SSL_LIBRARY_VERSION_3_0) &&
(sid->peerCert != NULL)) {
- now = CacheCert(cache, sid->peerCert, &sce);
+ CacheCert(sid->peerCert, &sce);
}
- set = SIDindex(cache, &sce.addr, sce.sessionID, sce.sessionIDLength);
- now = LockSet(cache, set, now);
- if (now) {
- PRUint32 next = cache->sidCacheSets[set].next;
- PRUint32 ndx = set * SID_CACHE_ENTRIES_PER_SET + next;
-
- /* Write out new cache entry */
- cache->sidCacheData[ndx] = sce;
-
- cache->sidCacheSets[set].next =
- (next + 1) % SID_CACHE_ENTRIES_PER_SET;
-
- UnlockSet(cache, set);
- sid->cached = in_server_cache;
- }
+ sid->cached = in_server_cache;
+ unlock_cache();
}
}
-/*
-** Although this is static, it is called from ssl via global function pointer
-** ssl_sid_uncache. This invalidates the referenced cache entry.
-*/
static void
ServerSessionIDUncache(sslSessionID *sid)
{
- cacheDesc * cache = &globalCache;
- PRUint8 * sessionID;
- unsigned int sessionIDLength;
- PRErrorCode err;
- PRUint32 set;
- PRUint32 now;
- sidCacheEntry *psce;
-
- if (sid == NULL)
- return;
+ SIDCacheEntry sce;
+ PRErrorCode err;
+ int rv;
+
+ if (sid == NULL) return;
/* Uncaching a SID should never change the error code.
** So save it here and restore it before exiting.
*/
err = PR_GetError();
-
+ lock_cache();
if (sid->version < SSL_LIBRARY_VERSION_3_0) {
- sessionID = sid->u.ssl2.sessionID;
- sessionIDLength = SSL2_SESSIONID_BYTES;
SSL_TRC(8, ("%d: SSL: UncacheMT: valid=%d addr=0x%08x%08x%08x%08x time=%x "
- "cipher=%d", myPid, sid->cached,
+ "cipher=%d", myPid, sid->cached,
sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
- sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
+ sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
sid->time, sid->u.ssl2.cipherType));
- PRINT_BUF(8, (0, "sessionID:", sessionID, sessionIDLength));
+ PRINT_BUF(8, (0, "sessionID:", sid->u.ssl2.sessionID,
+ sizeof(sid->u.ssl2.sessionID)));
PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data,
sid->u.ssl2.masterKey.len));
PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data,
sid->u.ssl2.cipherArg.len));
+ rv = FindSID(&sid->addr, sid->u.ssl2.sessionID,
+ sizeof(sid->u.ssl2.sessionID), &sce);
} else {
- sessionID = sid->u.ssl3.sessionID;
- sessionIDLength = sid->u.ssl3.sessionIDLength;
SSL_TRC(8, ("%d: SSL3: UncacheMT: valid=%d addr=0x%08x%08x%08x%08x time=%x "
- "cipherSuite=%d", myPid, sid->cached,
+ "cipherSuite=%d", myPid, sid->cached,
sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
- sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
+ sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
sid->time, sid->u.ssl3.cipherSuite));
- PRINT_BUF(8, (0, "sessionID:", sessionID, sessionIDLength));
- }
- set = SIDindex(cache, &sid->addr, sessionID, sessionIDLength);
- now = LockSet(cache, set, 0);
- if (now) {
- psce = FindSID(cache, set, now, &sid->addr, sessionID, sessionIDLength);
- if (psce) {
- psce->valid = 0;
- }
- UnlockSet(cache, set);
+ PRINT_BUF(8, (0, "sessionID:", sid->u.ssl3.sessionID,
+ sid->u.ssl3.sessionIDLength));
+ rv = FindSID(&sid->addr, sid->u.ssl3.sessionID,
+ sid->u.ssl3.sessionIDLength, &sce);
+ }
+
+ if (rv) {
+ Invalidate(&sce);
}
sid->cached = invalid_cache;
+ unlock_cache();
PORT_SetError(err);
}
static SECStatus
-InitCache(cacheDesc *cache, int maxCacheEntries, PRUint32 ssl2_timeout,
- PRUint32 ssl3_timeout, const char *directory)
+InitSessionIDCache(int maxCacheEntries, PRUint32 timeout,
+ PRUint32 ssl3_timeout, const char *directory)
{
- ptrdiff_t ptr;
- sidCacheLock *pLock;
- char * sharedMem;
- PRFileMap * cacheMemMap;
- char * cfn = NULL; /* cache file name */
- int locks_initialized = 0;
- int locks_to_initialize = 0;
- PRUint32 init_time;
-
- if (cache->sharedMem) {
+ char *cfn;
+#ifdef XP_UNIX
+ int rv;
+ if (SIDCacheFD >= 0) {
/* Already done */
return SECSuccess;
}
-
- cache->numSIDCacheEntries = maxCacheEntries ? maxCacheEntries
- : DEF_SID_CACHE_ENTRIES;
- cache->numSIDCacheSets =
- SID_HOWMANY(cache->numSIDCacheEntries, SID_CACHE_ENTRIES_PER_SET);
-
- cache->numSIDCacheEntries =
- cache->numSIDCacheSets * SID_CACHE_ENTRIES_PER_SET;
-
- cache->numSIDCacheLocks =
- PR_MIN(cache->numSIDCacheSets, ssl_max_sid_cache_locks);
-
- cache->numSIDCacheSetsPerLock =
- SID_HOWMANY(cache->numSIDCacheSets, cache->numSIDCacheLocks);
-
- /* compute size of shared memory, and offsets of all pointers */
- ptr = 0;
- cache->sharedMem = (char *)ptr;
- ptr += SID_ROUNDUP(sizeof(cacheDesc), SID_ALIGNMENT);
-
- cache->sidCacheLocks = (sidCacheLock *)ptr;
- cache->keyCacheLock = cache->sidCacheLocks + cache->numSIDCacheLocks;
- cache->certCacheLock = cache->keyCacheLock + 1;
- ptr = (ptrdiff_t)(cache->certCacheLock + 1);
- ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
-
- cache->sidCacheSets = (sidCacheSet *)ptr;
- ptr = (ptrdiff_t)(cache->sidCacheSets + cache->numSIDCacheSets);
- ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
-
- cache->sidCacheData = (sidCacheEntry *)ptr;
- ptr = (ptrdiff_t)(cache->sidCacheData + cache->numSIDCacheEntries);
- ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
-
- cache->certCacheData = (certCacheEntry *)ptr;
- cache->sidCacheSize =
- (char *)cache->certCacheData - (char *)cache->sidCacheData;
-
- /* This is really a poor way to computer this! */
- cache->numCertCacheEntries = cache->sidCacheSize / sizeof(certCacheEntry);
- if (cache->numCertCacheEntries < MIN_CERT_CACHE_ENTRIES)
- cache->numCertCacheEntries = MIN_CERT_CACHE_ENTRIES;
- ptr = (ptrdiff_t)(cache->certCacheData + cache->numCertCacheEntries);
- ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
-
- cache->keyCacheData = (SSLWrappedSymWrappingKey *)ptr;
- cache->certCacheSize =
- (char *)cache->keyCacheData - (char *)cache->certCacheData;
-
- cache->numKeyCacheEntries = kt_kea_size * SSL_NUM_WRAP_MECHS;
- ptr = (ptrdiff_t)(cache->keyCacheData + cache->numKeyCacheEntries);
- ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
-
- cache->sharedMemSize = ptr;
-
- cache->keyCacheSize = (char *)ptr - (char *)cache->keyCacheData;
-
- if (ssl2_timeout) {
- if (ssl2_timeout > MAX_SSL2_TIMEOUT) {
- ssl2_timeout = MAX_SSL2_TIMEOUT;
- }
- if (ssl2_timeout < MIN_SSL2_TIMEOUT) {
- ssl2_timeout = MIN_SSL2_TIMEOUT;
+#else /* WIN32 */
+ if(SIDCacheFDMAP != INVALID_HANDLE_VALUE) {
+ /* Already done */
+ return SECSuccess;
}
- cache->ssl2Timeout = ssl2_timeout;
- } else {
- cache->ssl2Timeout = DEF_SSL2_TIMEOUT;
- }
+#endif /* XP_UNIX */
- if (ssl3_timeout) {
- if (ssl3_timeout > MAX_SSL3_TIMEOUT) {
- ssl3_timeout = MAX_SSL3_TIMEOUT;
- }
- if (ssl3_timeout < MIN_SSL3_TIMEOUT) {
- ssl3_timeout = MIN_SSL3_TIMEOUT;
- }
- cache->ssl3Timeout = ssl3_timeout;
- } else {
- cache->ssl3Timeout = DEF_SSL3_TIMEOUT;
+
+ if (maxCacheEntries) {
+ numSIDCacheEntries = maxCacheEntries;
}
+ sidCacheWrapOffset = numSIDCacheEntries * sizeof(SIDCacheEntry);
+ sidCacheFileSize = sidCacheWrapOffset +
+ (kt_kea_size * SSL_NUM_WRAP_MECHS * sizeof(SSLWrappedSymWrappingKey));
/* Create file names */
+ cfn = (char*) PORT_Alloc(PORT_Strlen(directory) + 100);
+ if (!cfn) {
+ return SECFailure;
+ }
#ifdef XP_UNIX
- /* there's some confusion here about whether PR_OpenAnonFileMap wants
- ** a directory name or a file name for its first argument.
- cfn = PR_smprintf("%s/.sslsvrcache.%d", directory, myPid);
- */
- cfn = PR_smprintf("%s", directory);
+ sprintf(cfn, "%s/.sslsidc.%d", directory, getpid());
#else /* XP_WIN32 */
- cfn = PR_smprintf("%s/svrcache_%d_%x.ssl", directory, myPid,
- GetCurrentThreadId());
+ sprintf(cfn, "%s\\ssl.sidc.%d.%d", directory,
+ GetCurrentProcessId(), GetCurrentThreadId());
#endif /* XP_WIN32 */
- if (!cfn) {
+
+ /* Create session-id cache file */
+#ifdef XP_UNIX
+ do {
+ (void) unlink(cfn);
+ SIDCacheFD = open(cfn, O_EXCL|O_CREAT|O_RDWR, 0600);
+ } while (SIDCacheFD < 0 && errno == EEXIST);
+ if (SIDCacheFD < 0) {
+ nss_MD_unix_map_open_error(errno);
+ IOError(SIDCacheFD, "create");
goto loser;
}
-
- /* Create cache */
- cacheMemMap = PR_OpenAnonFileMap(cfn, cache->sharedMemSize,
- PR_PROT_READWRITE);
- PR_smprintf_free(cfn);
- if(! cacheMemMap) {
+ rv = unlink(cfn);
+ if (rv < 0) {
+ nss_MD_unix_map_unlink_error(errno);
+ IOError(rv, "unlink");
goto loser;
}
- sharedMem = PR_MemMap(cacheMemMap, 0, cache->sharedMemSize);
- if (! sharedMem) {
+#else /* WIN32 */
+ SIDCacheFDMAP =
+ CreateFileMapping(INVALID_HANDLE_VALUE, /* allocate in swap file */
+ &sidCacheFDMapAttributes, /* inheritable. */
+ PAGE_READWRITE,
+ 0, /* size, high word. */
+ sidCacheFileSize, /* size, low word. */
+ NULL); /* no map name in FS */
+ if(! SIDCacheFDMAP) {
+ nss_MD_win32_map_default_error(GetLastError());
goto loser;
}
+ SIDCacheData = (char *)MapViewOfFile(SIDCacheFDMAP,
+ FILE_MAP_ALL_ACCESS, /* R/W */
+ 0, 0, /* offset */
+ sidCacheFileSize); /* size */
+ if (! SIDCacheData) {
+ nss_MD_win32_map_default_error(GetLastError());
+ goto loser;
+ }
+#endif /* XP_UNIX */
- /* Initialize shared memory. This may not be necessary on all platforms */
- memset(sharedMem, 0, cache->sharedMemSize);
-
- /* Copy cache descriptor header into shared memory */
- memcpy(sharedMem, cache, sizeof *cache);
+ if (!cacheLock)
+ nss_InitLock(&cacheLock, nssILockCache);
+ if (!cacheLock) {
+ SET_ERROR_CODE
+ goto loser;
+ }
+#ifdef _WIN32
+ if (isMultiProcess && (SECSuccess != createServerCacheSemaphore())) {
+ SET_ERROR_CODE
+ goto loser;
+ }
+#endif
- /* save private copies of these values */
- cache->cacheMemMap = cacheMemMap;
- cache->sharedMem = sharedMem;
- cache->sharedCache = (cacheDesc *)sharedMem;
+ if (timeout) {
+ if (timeout > 100) {
+ timeout = 100;
+ }
+ if (timeout < 5) {
+ timeout = 5;
+ }
+ ssl_sid_timeout = timeout;
+ }
- /* Fix pointers in our private copy of cache descriptor to point to
- ** spaces in shared memory
- */
- ptr = (ptrdiff_t)cache->sharedMem;
- *(ptrdiff_t *)(&cache->sidCacheLocks) += ptr;
- *(ptrdiff_t *)(&cache->keyCacheLock ) += ptr;
- *(ptrdiff_t *)(&cache->certCacheLock) += ptr;
- *(ptrdiff_t *)(&cache->sidCacheSets ) += ptr;
- *(ptrdiff_t *)(&cache->sidCacheData ) += ptr;
- *(ptrdiff_t *)(&cache->certCacheData) += ptr;
- *(ptrdiff_t *)(&cache->keyCacheData ) += ptr;
-
- /* initialize the locks */
- init_time = ssl_Time();
- pLock = cache->sidCacheLocks;
- for (locks_to_initialize = cache->numSIDCacheLocks + 2;
- locks_initialized < locks_to_initialize;
- ++locks_initialized, ++pLock ) {
-
- SECStatus err = sslMutex_Init(&pLock->mutex, isMultiProcess);
- if (err)
- goto loser;
- pLock->timeStamp = init_time;
- pLock->pid = 0;
+ if (ssl3_timeout) {
+ if (ssl3_timeout > 86400L) {
+ ssl3_timeout = 86400L;
+ }
+ if (ssl3_timeout < 5) {
+ ssl3_timeout = 5;
+ }
+ ssl3_sid_timeout = ssl3_timeout;
}
+ GET_SERVER_CACHE_WRITE_LOCK(SIDCacheFD, 0, sidCacheFileSize);
+#ifdef XP_UNIX
+ /* Initialize the files */
+ if (ZeroFile(SIDCacheFD, sidCacheFileSize)) {
+ /* Bummer */
+ close(SIDCacheFD);
+ SIDCacheFD = -1;
+ goto loser;
+ }
+#else /* XP_WIN32 */
+ ZeroMemory(SIDCacheData, sidCacheFileSize);
+#endif /* XP_UNIX */
+ RELEASE_SERVER_CACHE_LOCK(SIDCacheFD, 0, sidCacheFileSize);
+ PORT_Free(cfn);
return SECSuccess;
-loser:
- if (cache->cacheMemMap) {
- if (cache->sharedMem) {
- if (locks_initialized > 0) {
- pLock = cache->sidCacheLocks;
- for (; locks_initialized > 0; --locks_initialized, ++pLock ) {
- sslMutex_Destroy(&pLock->mutex);
- }
- }
- PR_MemUnmap(cache->sharedMem, cache->sharedMemSize);
- cache->sharedMem = NULL;
- }
- PR_CloseFileMap(cache->cacheMemMap);
- cache->cacheMemMap = NULL;
+ loser:
+#ifdef _WIN32
+ if (svrCacheSem)
+ destroyServerCacheSemaphore();
+#endif
+ if (cacheLock) {
+ PZ_DestroyLock(cacheLock);
+ cacheLock = NULL;
}
+ PORT_Free(cfn);
return SECFailure;
}
-PRUint32
-SSL_GetMaxServerCacheLocks(void)
+static SECStatus
+InitCertCache(const char *directory)
{
- return ssl_max_sid_cache_locks + 2;
- /* The extra two are the cert cache lock and the key cache lock. */
-}
+ char *cfn;
+#ifdef XP_UNIX
+ int rv;
+ if (certCacheFD >= 0) {
+ /* Already done */
+ return SECSuccess;
+ }
+#else /* WIN32 */
+ if(certCacheFDMAP != INVALID_HANDLE_VALUE) {
+ /* Already done */
+ return SECSuccess;
+ }
+#endif /* XP_UNIX */
-SECStatus
-SSL_SetMaxServerCacheLocks(PRUint32 maxLocks)
-{
- /* Minimum is 1 sid cache lock, 1 cert cache lock and 1 key cache lock.
- ** We'd like to test for a maximum value, but not all platforms' header
- ** files provide a symbol or function or other means of determining
- ** the maximum, other than trial and error.
- */
- if (maxLocks < 3) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ numCertCacheEntries = sidCacheFileSize / sizeof(CertCacheEntry);
+ if (numCertCacheEntries < MIN_CERT_CACHE_ENTRIES)
+ numCertCacheEntries = MIN_CERT_CACHE_ENTRIES;
+ certCacheFileSize = numCertCacheEntries * sizeof(CertCacheEntry);
+
+ /* Create file names */
+ cfn = (char*) PORT_Alloc(PORT_Strlen(directory) + 100);
+ if (!cfn) {
return SECFailure;
}
- ssl_max_sid_cache_locks = maxLocks - 2;
- /* The extra two are the cert cache lock and the key cache lock. */
+#ifdef XP_UNIX
+ sprintf(cfn, "%s/.sslcertc.%d", directory, getpid());
+#else /* XP_WIN32 */
+ sprintf(cfn, "%s\\ssl.certc.%d.%d", directory,
+ GetCurrentProcessId(), GetCurrentThreadId());
+#endif /* XP_WIN32 */
+
+ /* Create certificate cache file */
+#ifdef XP_UNIX
+ do {
+ (void) unlink(cfn);
+ certCacheFD = open(cfn, O_EXCL|O_CREAT|O_RDWR, 0600);
+ } while (certCacheFD < 0 && errno == EEXIST);
+ if (certCacheFD < 0) {
+ nss_MD_unix_map_open_error(errno);
+ IOError(certCacheFD, "create");
+ goto loser;
+ }
+ rv = unlink(cfn);
+ if (rv < 0) {
+ nss_MD_unix_map_unlink_error(errno);
+ IOError(rv, "unlink");
+ goto loser;
+ }
+#else /* WIN32 */
+ certCacheFDMAP =
+ CreateFileMapping(INVALID_HANDLE_VALUE, /* allocate in swap file */
+ &certCacheFDMapAttributes, /* inheritable. */
+ PAGE_READWRITE,
+ 0, /* size, high word. */
+ certCacheFileSize, /* size, low word. */
+ NULL); /* no map name in FS */
+ if (! certCacheFDMAP) {
+ nss_MD_win32_map_default_error(GetLastError());
+ goto loser;
+ }
+ certCacheData = (char *) MapViewOfFile(certCacheFDMAP,
+ FILE_MAP_ALL_ACCESS, /* R/W */
+ 0, 0, /* offset */
+ certCacheFileSize); /* size */
+ if (! certCacheData) {
+ nss_MD_win32_map_default_error(GetLastError());
+ goto loser;
+ }
+#endif /* XP_UNIX */
+
+/* GET_SERVER_CACHE_WRITE_LOCK(certCacheFD, 0, certCacheFileSize); */
+#ifdef XP_UNIX
+ /* Initialize the files */
+ if (ZeroFile(certCacheFD, certCacheFileSize)) {
+ /* Bummer */
+ close(certCacheFD);
+ certCacheFD = -1;
+ goto loser;
+ }
+#else /* XP_WIN32 */
+ ZeroMemory(certCacheData, certCacheFileSize);
+#endif /* XP_UNIX */
+/* RELEASE_SERVER_CACHE_LOCK(certCacheFD, 0, certCacheFileSize); */
+ PORT_Free(cfn);
return SECSuccess;
+
+ loser:
+ PORT_Free(cfn);
+ return SECFailure;
}
SECStatus
-SSL_ConfigServerSessionIDCacheInstance( cacheDesc *cache,
- int maxCacheEntries,
- PRUint32 ssl2_timeout,
+SSL_ConfigServerSessionIDCache( int maxCacheEntries,
+ PRUint32 timeout,
PRUint32 ssl3_timeout,
const char * directory)
{
SECStatus rv;
-#if defined(DEBUG_nelsonb)
- printf("sizeof(sidCacheEntry) == %u\n", sizeof(sidCacheEntry));
-#endif
-#if !(defined(SOLARIS) && defined(i386))
- PORT_Assert(sizeof(sidCacheEntry) % 8 == 0);
-#endif
- PORT_Assert(sizeof(certCacheEntry) == 4096);
+ PORT_Assert(sizeof(SIDCacheEntry) == 256);
+ PORT_Assert(sizeof(CertCacheEntry) == 4096);
myPid = SSL_GETPID();
if (!directory) {
directory = DEFAULT_CACHE_DIRECTORY;
}
- rv = InitCache(cache, maxCacheEntries, ssl2_timeout, ssl3_timeout,
- directory);
+ rv = InitSessionIDCache(maxCacheEntries, timeout, ssl3_timeout, directory);
+ if (rv) {
+ SET_ERROR_CODE
+ return SECFailure;
+ }
+ rv = InitCertCache(directory);
if (rv) {
SET_ERROR_CODE
return SECFailure;
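Review bot: On Unix, several failure paths in InitSessionIDCache reach `loser:` with `SIDCacheFD` still open and non-negative: a failed `unlink(cfn)` after the create, a failed `nss_InitLock`, and any later `goto loser` except the ZeroFile one. The next call then takes the `SIDCacheFD >= 0` branch and returns SECSuccess for a cache that was never zeroed and whose `cacheLock` was destroyed. InitCertCache repeats the pattern with `certCacheFD`. Closing and resetting the descriptor under `loser:` fixes both, for example `if (SIDCacheFD >= 0) { close(SIDCacheFD); SIDCacheFD = -1; }`. The ZeroFile branch also jumps out between `GET_SERVER_CACHE_WRITE_LOCK` and `RELEASE_SERVER_CACHE_LOCK`, and `maxCacheEntries` is a signed int accepted without a range check before it sizes the file and becomes the modulus in `Offset()`.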
@@ -1088,93 +1536,87 @@ SSL_ConfigServerSessionIDCacheInstance( cacheDesc *cache,
return SECSuccess;
}
-SECStatus
-SSL_ConfigServerSessionIDCache( int maxCacheEntries,
- PRUint32 ssl2_timeout,
- PRUint32 ssl3_timeout,
- const char * directory)
-{
- return SSL_ConfigServerSessionIDCacheInstance(&globalCache,
- maxCacheEntries, ssl2_timeout, ssl3_timeout, directory);
-}
-
/* Use this function, instead of SSL_ConfigServerSessionIDCache,
* if the cache will be shared by multiple processes.
*/
SECStatus
SSL_ConfigMPServerSIDCache( int maxCacheEntries,
- PRUint32 ssl2_timeout,
+ PRUint32 timeout,
PRUint32 ssl3_timeout,
const char * directory)
{
char * envValue;
- char * inhValue;
- cacheDesc * cache = &globalCache;
- PRUint32 fmStrLen;
SECStatus result;
- PRStatus prStatus;
SECStatus putEnvFailed;
- inheritance inherit;
- char fmString[PR_FILEMAP_STRING_BUFSIZE];
isMultiProcess = PR_TRUE;
- result = SSL_ConfigServerSessionIDCacheInstance(cache, maxCacheEntries,
- ssl2_timeout, ssl3_timeout, directory);
- if (result != SECSuccess)
- return result;
-
- prStatus = PR_ExportFileMapAsString(cache->cacheMemMap,
- sizeof fmString, fmString);
- if ((prStatus != PR_SUCCESS) || !(fmStrLen = strlen(fmString))) {
- SET_ERROR_CODE
- return SECFailure;
- }
-
- inherit.sharedMemSize = cache->sharedMemSize;
- inherit.fmStrLen = fmStrLen;
-
- inhValue = BTOA_DataToAscii((unsigned char *)&inherit, sizeof inherit);
- if (!inhValue || !strlen(inhValue)) {
- SET_ERROR_CODE
- return SECFailure;
- }
- envValue = PR_smprintf("%s,%s", inhValue, fmString);
- if (!envValue || !strlen(envValue)) {
- SET_ERROR_CODE
- return SECFailure;
+ result = SSL_ConfigServerSessionIDCache(maxCacheEntries, timeout,
+ ssl3_timeout, directory);
+ if (result == SECSuccess) {
+#ifdef _WIN32
+ winInheritance winherit;
+
+ winherit.numSIDCacheEntries = numSIDCacheEntries;
+ winherit.sidCacheFileSize = sidCacheFileSize;
+ winherit.sidCacheWrapOffset = sidCacheWrapOffset;
+ winherit.numCertCacheEntries = numCertCacheEntries;
+ winherit.certCacheFileSize = certCacheFileSize;
+ winherit.SIDCacheFDMAP = SIDCacheFDMAP;
+ winherit.certCacheFDMAP = certCacheFDMAP;
+ winherit.svrCacheSem = svrCacheSem;
+ winherit.parentProcessID = GetCurrentProcessId();
+ winherit.parentProcessHandle =
+ OpenProcess(PROCESS_DUP_HANDLE, TRUE, winherit.parentProcessID);
+ if (winherit.parentProcessHandle == NULL) {
+ SET_ERROR_CODE
+ return SECFailure;
+ }
+ envValue = BTOA_DataToAscii((unsigned char *)&winherit,
+ sizeof winherit);
+ if (!envValue) {
+ SET_ERROR_CODE
+ return SECFailure;
+ }
+#else
+ unixInheritance uinherit;
+
+ uinherit.numSIDCacheEntries = numSIDCacheEntries;
+ uinherit.sidCacheFileSize = sidCacheFileSize;
+ uinherit.sidCacheWrapOffset = sidCacheWrapOffset;
+ uinherit.numCertCacheEntries = numCertCacheEntries;
+ uinherit.certCacheFileSize = certCacheFileSize;
+ uinherit.SIDCacheFD = SIDCacheFD;
+ uinherit.certCacheFD = certCacheFD;
+
+ envValue = BTOA_DataToAscii((unsigned char *)&uinherit,
+ sizeof uinherit);
+ if (!envValue) {
+ SET_ERROR_CODE
+ return SECFailure;
+ }
+#endif
}
- PORT_Free(inhValue);
-
putEnvFailed = (SECStatus)NSS_PutEnv(envVarName, envValue);
- PR_smprintf_free(envValue);
+ PORT_Free(envValue);
if (putEnvFailed) {
SET_ERROR_CODE
result = SECFailure;
}
-
-#if !defined(WIN32)
- /* Launch thread to poll cache for expired locks */
- LaunchLockPoller(cache);
-#endif
return result;
}
SECStatus
-SSL_InheritMPServerSIDCacheInstance(cacheDesc *cache, const char * envString)
+SSL_InheritMPServerSIDCache(const char * envString)
{
unsigned char * decoString = NULL;
- char * fmString = NULL;
unsigned int decoLen;
- ptrdiff_t ptr;
- inheritance inherit;
- cacheDesc my;
+#ifdef _WIN32
+ winInheritance inherit;
+#else
+ unixInheritance inherit;
+#endif
myPid = SSL_GETPID();
-
- /* If this child was created by fork(), and not by exec() on unix,
- ** then isMultiProcess will already be set.
- ** If not, we'll set it below.
- */
if (isMultiProcess)
return SECSuccess; /* already done. */
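Review bot: In SSL_ConfigMPServerSIDCache, `envValue` is assigned only inside `if (result == SECSuccess) { ... }`, yet `NSS_PutEnv(envVarName, envValue)` and `PORT_Free(envValue)` run unconditionally after it. When SSL_ConfigServerSessionIDCache fails, an uninitialised pointer is exported and then freed. The removed code returned early in that case, and restoring that keeps the rest valid: `if (result != SECSuccess) return result;` directly after the call, with `envValue` declared as `NULL`. On the `_WIN32` branch the handle from `OpenProcess` is also left open when `BTOA_DataToAscii` fails.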
@@ -1189,18 +1631,11 @@ SSL_InheritMPServerSIDCacheInstance(cacheDesc *cache, const char * envString)
return SECFailure;
}
}
- envString = PORT_Strdup(envString);
- if (!envString)
- return SECFailure;
- fmString = strchr(envString, ',');
- if (!fmString)
- goto loser;
- *fmString++ = 0;
decoString = ATOB_AsciiToData(envString, &decoLen);
if (!decoString) {
SET_ERROR_CODE
- goto loser;
+ return SECFailure;
}
if (decoLen != sizeof inherit) {
SET_ERROR_CODE
@@ -1208,178 +1643,152 @@ SSL_InheritMPServerSIDCacheInstance(cacheDesc *cache, const char * envString)
}
PORT_Memcpy(&inherit, decoString, sizeof inherit);
+ PORT_Free(decoString);
- if (strlen(fmString) != inherit.fmStrLen ) {
- goto loser;
- }
+ numSIDCacheEntries = inherit.numSIDCacheEntries;
+ sidCacheFileSize = inherit.sidCacheFileSize;
+ sidCacheWrapOffset = inherit.sidCacheWrapOffset;
+ numCertCacheEntries = inherit.numCertCacheEntries;
+ certCacheFileSize = inherit.certCacheFileSize;
- memset(&my, 0, sizeof my);
- my.sharedMemSize = inherit.sharedMemSize;
+#ifdef _WIN32
+ SIDCacheFDMAP = inherit.SIDCacheFDMAP;
+ certCacheFDMAP = inherit.certCacheFDMAP;
+ svrCacheSem = inherit.svrCacheSem;
+
+#if 0
+ /* call DuplicateHandle ?? */
+ inherit.parentProcessID;
+ inherit.parentProcessHandle;
+#endif
- /* Create cache */
- my.cacheMemMap = PR_ImportFileMapFromString(fmString);
- if(! my.cacheMemMap) {
- goto loser;
+ if(!SIDCacheFDMAP) {
+ SET_ERROR_CODE
+ goto loser;
}
- my.sharedMem = PR_MemMap(my.cacheMemMap, 0, my.sharedMemSize);
- if (! my.sharedMem) {
- goto loser;
+ SIDCacheData = (char *)MapViewOfFile(SIDCacheFDMAP,
+ FILE_MAP_ALL_ACCESS, /* R/W */
+ 0, 0, /* offset */
+ sidCacheFileSize); /* size */
+ if(!SIDCacheData) {
+ nss_MD_win32_map_default_error(GetLastError());
+ goto loser;
}
- my.sharedCache = (cacheDesc *)my.sharedMem;
- if (my.sharedCache->sharedMemSize != my.sharedMemSize) {
- SET_ERROR_CODE
+ if(!certCacheFDMAP) {
+ SET_ERROR_CODE
+ goto loser;
+ }
+ certCacheData = (char *) MapViewOfFile(certCacheFDMAP,
+ FILE_MAP_ALL_ACCESS, /* R/W */
+ 0, 0, /* offset */
+ certCacheFileSize); /* size */
+ if(!certCacheData) {
+ nss_MD_win32_map_default_error(GetLastError());
goto loser;
}
- memcpy(cache, my.sharedCache, sizeof *cache);
- cache->cacheMemMap = my.cacheMemMap;
- cache->sharedMem = my.sharedMem;
- cache->sharedCache = my.sharedCache;
-
- /* Fix pointers in our private copy of cache descriptor to point to
- ** spaces in shared memory
- */
- ptr = (ptrdiff_t)cache->sharedMem;
- *(ptrdiff_t *)(&cache->sidCacheLocks) += ptr;
- *(ptrdiff_t *)(&cache->keyCacheLock ) += ptr;
- *(ptrdiff_t *)(&cache->certCacheLock) += ptr;
- *(ptrdiff_t *)(&cache->sidCacheSets ) += ptr;
- *(ptrdiff_t *)(&cache->sidCacheData ) += ptr;
- *(ptrdiff_t *)(&cache->certCacheData) += ptr;
- *(ptrdiff_t *)(&cache->keyCacheData ) += ptr;
+#else /* must be unix */
+ SIDCacheFD = inherit.SIDCacheFD;
+ certCacheFD = inherit.certCacheFD;
+ if (SIDCacheFD < 0 || certCacheFD < 0) {
+ SET_ERROR_CODE
+ goto loser;
+ }
+#endif
- PORT_Free(decoString);
+ if (!cacheLock) {
+ nss_InitLock(&cacheLock, nssILockCache);
+ if (!cacheLock)
+ goto loser;
+ }
isMultiProcess = PR_TRUE;
return SECSuccess;
loser:
if (decoString)
PORT_Free(decoString);
+#if _WIN32
+ if (SIDCacheFDMAP) {
+ CloseHandle(SIDCacheFDMAP);
+ SIDCacheFDMAP = NULL;
+ }
+ if (certCacheFDMAP) {
+ CloseHandle(certCacheFDMAP);
+ certCacheFDMAP = NULL;
+ }
+#else
+ if (SIDCacheFD >= 0) {
+ close(SIDCacheFD);
+ SIDCacheFD = -1;
+ }
+ if (certCacheFD >= 0) {
+ close(certCacheFD);
+ certCacheFD = -1;
+ }
+#endif
return SECFailure;
}
-SECStatus
-SSL_InheritMPServerSIDCache(const char * envString)
-{
- return SSL_InheritMPServerSIDCacheInstance(&globalCache, envString);
-}
-
-#if !defined(WIN32)
-
-#define SID_LOCK_EXPIRATION_TIMEOUT 30 /* seconds */
-
-static void
-LockPoller(void * arg)
-{
- cacheDesc * cache = (cacheDesc *)arg;
- cacheDesc * sharedCache = cache->sharedCache;
- sidCacheLock * pLock;
- const char * timeoutString;
- PRIntervalTime timeout;
- PRUint32 now;
- PRUint32 then;
- int locks_polled = 0;
- int locks_to_poll = cache->numSIDCacheLocks + 2;
- PRUint32 expiration = SID_LOCK_EXPIRATION_TIMEOUT;
-
- timeoutString = getenv("NSS_SSL_SERVER_CACHE_MUTEX_TIMEOUT");
- if (timeoutString) {
- long newTime = strtol(timeoutString, 0, 0);
- if (newTime == 0)
- return; /* application doesn't want this function */
- if (newTime > 0)
- expiration = (PRUint32)newTime;
- /* if error (newTime < 0) ignore it and use default */
- }
-
- timeout = PR_SecondsToInterval(expiration);
- while(!sharedCache->stopPolling) {
- PR_Sleep(timeout);
- if (sharedCache->stopPolling)
- break;
-
- now = ssl_Time();
- then = now - expiration;
- for (pLock = cache->sidCacheLocks, locks_polled = 0;
- locks_to_poll > locks_polled && !sharedCache->stopPolling;
- ++locks_polled, ++pLock ) {
- pid_t pid;
-
- if (pLock->timeStamp < then &&
- pLock->timeStamp != 0 &&
- (pid = pLock->pid) != 0) {
-
- /* maybe we should try the lock? */
- int result = kill(pid, 0);
- if (result < 0 && errno == ESRCH) {
- SECStatus rv;
- /* No process exists by that pid any more.
- ** Treat this mutex as abandoned.
- */
- pLock->timeStamp = now;
- pLock->pid = 0;
- rv = sslMutex_Unlock(&pLock->mutex);
- if (rv != SECSuccess) {
- /* Now what? */
- }
- }
- }
- } /* end of loop over locks */
- } /* end of entire polling loop */
-}
-
-/* Launch thread to poll cache for expired locks */
-static SECStatus
-LaunchLockPoller(cacheDesc *cache)
-{
- PRThread * pollerThread;
-
- pollerThread =
- PR_CreateThread(PR_USER_THREAD, LockPoller, cache, PR_PRIORITY_NORMAL,
- PR_GLOBAL_THREAD, PR_UNJOINABLE_THREAD, 0);
- if (!pollerThread) {
- return SECFailure;
- }
- cache->poller = pollerThread;
- return SECSuccess;
-}
-#endif
-
/************************************************************************
* Code dealing with shared wrapped symmetric wrapping keys below *
************************************************************************/
-/* If now is zero, it implies that the lock is not held, and must be
-** aquired here.
-*/
+
static PRBool
-getSvrWrappingKey(PRInt32 symWrapMechIndex,
+getWrappingKey(PRInt32 symWrapMechIndex,
SSL3KEAType exchKeyType,
SSLWrappedSymWrappingKey *wswk,
- cacheDesc * cache,
- PRUint32 lockTime)
+ PRBool grabSharedLock)
{
- PRUint32 ndx = (exchKeyType * SSL_NUM_WRAP_MECHS) + symWrapMechIndex;
- SSLWrappedSymWrappingKey * pwswk = cache->keyCacheData + ndx;
- PRUint32 now = 0;
- PRBool rv = PR_FALSE;
-
- if (!lockTime) {
- lockTime = now = LockSidCacheLock(cache->keyCacheLock, now);
- if (!lockTime) {
- return rv;
+ PRUint32 offset = sidCacheWrapOffset +
+ ((exchKeyType * SSL_NUM_WRAP_MECHS + symWrapMechIndex) *
+ sizeof(SSLWrappedSymWrappingKey));
+ PRBool rv = PR_TRUE;
+#ifdef XP_UNIX
+ off_t lrv;
+ ssize_t rrv;
+#endif
+
+ if (grabSharedLock) {
+ GET_SERVER_CACHE_READ_LOCK(SIDCacheFD, offset, sizeof *wswk);
+ }
+
+#ifdef XP_UNIX
+ lrv = lseek(SIDCacheFD, offset, SEEK_SET);
+ if (lrv != offset) {
+ if (lrv == -1)
+ nss_MD_unix_map_lseek_error(errno);
+ else
+ PORT_SetError(PR_IO_ERROR);
+ IOError(rv, "wrapping-read");
+ rv = PR_FALSE;
+ } else {
+ rrv = read(SIDCacheFD, wswk, sizeof *wswk);
+ if (rrv != sizeof *wswk) {
+ if (rrv == -1)
+ nss_MD_unix_map_read_error(errno);
+ else
+ PORT_SetError(PR_IO_ERROR);
+ IOError(rv, "wrapping-read");
+ rv = PR_FALSE;
}
}
- if (pwswk->exchKeyType == exchKeyType &&
- pwswk->symWrapMechIndex == symWrapMechIndex &&
- pwswk->wrappedSymKeyLen != 0) {
- *wswk = *pwswk;
- rv = PR_TRUE;
+#else /* XP_WIN32 */
+ /* Use memory mapped I/O and just memcpy() the data */
+ CopyMemory(wswk, &SIDCacheData[offset], sizeof *wswk);
+#endif /* XP_WIN32 */
+ if (grabSharedLock) {
+ RELEASE_SERVER_CACHE_LOCK(SIDCacheFD, offset, sizeof *wswk);
}
- if (now) {
- UnlockSidCacheLock(cache->keyCacheLock);
+ if (rv) {
+ if (wswk->exchKeyType != exchKeyType ||
+ wswk->symWrapMechIndex != symWrapMechIndex ||
+ wswk->wrappedSymKeyLen == 0) {
+ memset(wswk, 0, sizeof *wswk);
+ rv = PR_FALSE;
+ }
}
return rv;
}
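Review bot: After the added `PORT_Free(decoString);` that follows `PORT_Memcpy(&inherit, decoString, sizeof inherit)`, the pointer is left non-NULL, so every later `goto loser` (the `!SIDCacheFDMAP`, `MapViewOfFile`, `SIDCacheFD < 0` and `cacheLock` failures) reaches `if (decoString) PORT_Free(decoString);` and frees the buffer a second time. Adding `decoString = NULL;` directly after the new free removes the double free. The sizes and `sidCacheWrapOffset` copied out of `inherit` come from the decoded environment string and are used as the mapping size and offset base with only the `decoLen` length check in front of them, so a range check before mapping would be worth adding as well. SSL_InheritMPServerSIDCache starts above this hunk.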
@@ -1391,16 +1800,17 @@ ssl_GetWrappingKey( PRInt32 symWrapMechIndex,
{
PRBool rv;
+ lock_cache();
+
PORT_Assert( (unsigned)exchKeyType < kt_kea_size);
PORT_Assert( (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS);
if ((unsigned)exchKeyType < kt_kea_size &&
(unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS) {
- rv = getSvrWrappingKey(symWrapMechIndex, exchKeyType, wswk,
- &globalCache, 0);
+ rv = getWrappingKey(symWrapMechIndex, exchKeyType, wswk, PR_TRUE);
} else {
rv = PR_FALSE;
}
-
+ unlock_cache();
return rv;
}
@@ -1410,19 +1820,17 @@ ssl_GetWrappingKey( PRInt32 symWrapMechIndex,
* the disk entry, and returns false.
* Otherwise, it overwrites the caller's wswk with the value obtained from
* the disk, and returns PR_TRUE.
- * This is all done while holding the locks/mutexes necessary to make
+ * This is all done while holding the locks/semaphores necessary to make
* the operation atomic.
*/
PRBool
ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
{
- cacheDesc * cache = &globalCache;
- PRBool rv = PR_FALSE;
+ PRBool rv;
SSL3KEAType exchKeyType = wswk->exchKeyType;
/* type of keys used to wrap SymWrapKey*/
PRInt32 symWrapMechIndex = wswk->symWrapMechIndex;
- PRUint32 ndx;
- PRUint32 now = 0;
+ PRUint32 offset;
SSLWrappedSymWrappingKey myWswk;
PORT_Assert( (unsigned)exchKeyType < kt_kea_size);
@@ -1433,26 +1841,57 @@ ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
if ((unsigned)symWrapMechIndex >= SSL_NUM_WRAP_MECHS)
return 0;
- ndx = (exchKeyType * SSL_NUM_WRAP_MECHS) + symWrapMechIndex;
+ offset = sidCacheWrapOffset +
+ ((exchKeyType * SSL_NUM_WRAP_MECHS + symWrapMechIndex) *
+ sizeof(SSLWrappedSymWrappingKey));
PORT_Memset(&myWswk, 0, sizeof myWswk); /* eliminate UMRs. */
+ lock_cache();
+ GET_SERVER_CACHE_WRITE_LOCK(SIDCacheFD, offset, sizeof *wswk);
- now = LockSidCacheLock(cache->keyCacheLock, now);
- if (now) {
- rv = getSvrWrappingKey(wswk->symWrapMechIndex, wswk->exchKeyType,
- &myWswk, cache, now);
- if (rv) {
- /* we found it on disk, copy it out to the caller. */
- PORT_Memcpy(wswk, &myWswk, sizeof *wswk);
+ rv = getWrappingKey(wswk->symWrapMechIndex, wswk->exchKeyType, &myWswk,
+ PR_FALSE);
+ if (rv) {
+ /* we found it on disk, copy it out to the caller. */
+ PORT_Memcpy(wswk, &myWswk, sizeof *wswk);
+ } else {
+ /* Wasn't on disk, and we're still holding the lock, so write it. */
+
+#ifdef XP_UNIX
+ off_t lrv;
+ ssize_t rrv;
+
+ lrv = lseek(SIDCacheFD, offset, SEEK_SET);
+ if (lrv != offset) {
+ if (lrv == -1)
+ nss_MD_unix_map_lseek_error(errno);
+ else
+ PORT_SetError(PR_IO_ERROR);
+ IOError(rv, "wrapping-read");
+ rv = PR_FALSE;
} else {
- /* Wasn't on disk, and we're still holding the lock, so write it. */
- cache->keyCacheData[ndx] = *wswk;
+ rrv = write(SIDCacheFD, wswk, sizeof *wswk);
+ if (rrv != sizeof *wswk) {
+ if (rrv == -1)
+ nss_MD_unix_map_read_error(errno);
+ else
+ PORT_SetError(PR_IO_ERROR);
+ IOError(rv, "wrapping-read");
+ rv = PR_FALSE;
+ }
}
- UnlockSidCacheLock(cache->keyCacheLock);
+#else /* XP_WIN32 */
+ /* Use memory mapped I/O and just memcpy() the data */
+ CopyMemory(&SIDCacheData[offset], wswk, sizeof *wswk);
+#endif /* XP_WIN32 */
}
+ RELEASE_SERVER_CACHE_LOCK(SIDCacheFD, offset, sizeof *wswk);
+ unlock_cache();
return rv;
}
-#else /* MAC version or other platform */
+
+#endif /* NADA_VERISON */
+#else
#include "seccomon.h"
#include "cert.h"
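Review bot: The failure handling after `rrv = write(SIDCacheFD, wswk, sizeof *wswk);` is copied from the read path: it calls `nss_MD_unix_map_read_error(errno)` and `IOError(rv, "wrapping-read")`, so a failed write of the wrapped key is mapped and reported as a read error. I would switch to the write-side mapper and label, `nss_MD_unix_map_write_error(errno);` (assuming this tree provides it next to the read one) and `IOError(rv, "wrapping-write");`. Separately, getWrappingKey returns PR_FALSE for an lseek/read failure as well as for an empty slot, so this else branch also overwrites the shared entry after an I/O error; if that is intended, a comment saying so would help. ssl_SetWrappingKey begins in the previous hunk.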
@@ -1461,28 +1900,28 @@ ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
SECStatus
SSL_ConfigServerSessionIDCache( int maxCacheEntries,
- PRUint32 ssl2_timeout,
+ PRUint32 timeout,
PRUint32 ssl3_timeout,
const char * directory)
{
- PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_ConfigServerSessionIDCache)");
+ PR_ASSERT(!"SSL servers are not supported on the platform. (SSL_ConfigServerSessionIDCache)");
return SECFailure;
}
SECStatus
SSL_ConfigMPServerSIDCache( int maxCacheEntries,
- PRUint32 ssl2_timeout,
+ PRUint32 timeout,
PRUint32 ssl3_timeout,
const char * directory)
{
- PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_ConfigMPServerSIDCache)");
+ PR_ASSERT(!"SSL servers are not supported on the platform. (SSL_ConfigMPServerSIDCache)");
return SECFailure;
}
SECStatus
SSL_InheritMPServerSIDCache(const char * envString)
{
- PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_InheritMPServerSIDCache)");
+ PR_ASSERT(!"SSL servers are not supported on the platform. (SSL_InheritMPServerSIDCache)");
return SECFailure;
}
@@ -1492,7 +1931,7 @@ ssl_GetWrappingKey( PRInt32 symWrapMechIndex,
SSLWrappedSymWrappingKey *wswk)
{
PRBool rv = PR_FALSE;
- PR_ASSERT(!"SSL servers are not supported on this platform. (ssl_GetWrappingKey)");
+ PR_ASSERT(!"SSL servers are not supported on the platform. (ssl_GetWrappingKey)");
return rv;
}
@@ -1502,14 +1941,14 @@ ssl_GetWrappingKey( PRInt32 symWrapMechIndex,
* the disk entry, and returns false.
* Otherwise, it overwrites the caller's wswk with the value obtained from
* the disk, and returns PR_TRUE.
- * This is all done while holding the locks/mutexes necessary to make
+ * This is all done while holding the locks/semaphores necessary to make
* the operation atomic.
*/
PRBool
ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
{
PRBool rv = PR_FALSE;
- PR_ASSERT(!"SSL servers are not supported on this platform. (ssl_SetWrappingKey)");
+ PR_ASSERT(!"SSL servers are not supported on the platform. (ssl_SetWrappingKey)");
return rv;
}
diff --git a/security/nss/lib/util/mac_rand.c b/security/nss/lib/util/mac_rand.c
index c8596a9f0..6198f3407 100644
--- a/security/nss/lib/util/mac_rand.c
+++ b/security/nss/lib/util/mac_rand.c
@@ -44,6 +44,7 @@
#include <PPCToolbox.h>
#include <Processes.h>
#include <LowMem.h>
+#include <Scrap.h>
/* Static prototypes */
static size_t CopyLowBits(void *dst, size_t dstlen, void *src, size_t srclen);
@@ -73,8 +74,9 @@ static size_t CopyLowBits(void *dst, size_t dstlen, void *src, size_t srclen)
size_t RNG_GetNoise(void *buf, size_t maxbytes)
{
- uint32 c = TickCount();
- return CopyLowBits(buf, maxbytes, &c, sizeof(c));
+ UnsignedWide microTickCount;
+ Microseconds(&microTickCount);
+ return CopyLowBits(buf, maxbytes, &microTickCount, sizeof(microTickCount));
}
void RNG_FileForRNG(char *filename)
@@ -125,6 +127,7 @@ void RNG_SystemInfoForRNG()
ReadLocation(&loc);
RNG_RandomUpdate( &loc, sizeof(loc));
}
+#if !TARGET_CARBON
/* User name */
{
unsigned long userRef;
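Review bot: The `#if !TARGET_CARBON` guards added here and in the later hunks around the current-directory, heap-zone and event-queue blocks drop those inputs from RNG_SystemInfoForRNG on Carbon builds, and only the scrap block gets a Carbon replacement. Nothing in the file records that the set of seeding inputs now differs per target. I would add a comment at this first guard, for example `/* Not mixed in on Carbon builds; no replacement input is added. */`, so that anyone auditing the seeding on that target sees the gap. RNG_SystemInfoForRNG starts and ends outside this hunk.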
@@ -133,6 +136,7 @@ void RNG_SystemInfoForRNG()
RNG_RandomUpdate( &userRef, sizeof(userRef));
RNG_RandomUpdate( userName, sizeof(userName));
}
+#endif
/* Mouse location */
{
Point mouseLoc;
@@ -155,11 +159,13 @@ void RNG_SystemInfoForRNG()
UInt8 volume = LMGetSdVolume();
RNG_RandomUpdate( &volume, sizeof(volume));
}
+#if !TARGET_CARBON
/* Current directory */
{
SInt32 dir = LMGetCurDirStore();
RNG_RandomUpdate( &dir, sizeof(dir));
}
+#endif
/* Process information about all the processes in the machine */
{
ProcessSerialNumber process;
@@ -179,17 +185,21 @@ void RNG_SystemInfoForRNG()
}
}
+#if !TARGET_CARBON
/* Heap */
{
THz zone = LMGetTheZone();
RNG_RandomUpdate( &zone, sizeof(zone));
}
+#endif
/* Screen */
{
- GDHandle h = LMGetMainDevice(); /* GDHandle is **GDevice */
+ GDHandle h = GetMainDevice(); /* GDHandle is **GDevice */
RNG_RandomUpdate( *h, sizeof(GDevice));
}
+
+#if !TARGET_CARBON
/* Scrap size */
{
SInt32 scrapSize = LMGetScrapSize();
@@ -200,6 +210,29 @@ void RNG_SystemInfoForRNG()
SInt16 scrapCount = LMGetScrapCount();
RNG_RandomUpdate( &scrapCount, sizeof(scrapCount));
}
+#else
+ {
+ ScrapRef scrap;
+ if (GetCurrentScrap(&scrap) == noErr) {
+ UInt32 flavorCount;
+ if (GetScrapFlavorCount(scrap, &flavorCount) == noErr) {
+ ScrapFlavorInfo* flavorInfo = (ScrapFlavorInfo*) malloc(flavorCount * sizeof(ScrapFlavorInfo));
+ if (flavorInfo != NULL) {
+ if (GetScrapFlavorInfoList(scrap, &flavorCount, flavorInfo) == noErr) {
+ UInt32 i;
+ RNG_RandomUpdate(&flavorCount, sizeof(flavorCount));
+ for (i = 0; i < flavorCount; ++i) {
+ Size flavorSize;
+ if (GetScrapFlavorSize(scrap, flavorInfo[i].flavorType, &flavorSize) == noErr)
+ RNG_RandomUpdate(&flavorSize, sizeof(flavorSize));
+ }
+ }
+ free(flavorInfo);
+ }
+ }
+ }
+ }
+#endif
/* File stuff, last modified, etc. */
{
HParamBlockRec pb;
@@ -211,6 +244,7 @@ void RNG_SystemInfoForRNG()
PBHGetVolParmsSync(&pb);
RNG_RandomUpdate( &volInfo, sizeof(volInfo));
}
+#if !TARGET_CARBON
/* Event queue */
{
EvQElPtr eventQ;
@@ -219,6 +253,7 @@ void RNG_SystemInfoForRNG()
eventQ = (EvQElPtr)eventQ->qLink)
RNG_RandomUpdate( &eventQ->evtQWhat, sizeof(EventRecord));
}
+#endif
FE_ReadScreen();
RNG_FileForRNG(NULL);
}
diff --git a/security/nss/lib/util/secasn1e.c b/security/nss/lib/util/secasn1e.c
index bc1be4e47..8520a2afe 100644
--- a/security/nss/lib/util/secasn1e.c
+++ b/security/nss/lib/util/secasn1e.c
@@ -83,7 +83,8 @@ typedef struct sec_asn1e_state_struct {
indefinite, /* need end-of-contents */
is_string, /* encoding a simple string or an ANY */
may_stream, /* when streaming, do indefinite encoding */
- optional; /* omit field if it has no contents */
+ optional, /* omit field if it has no contents */
+ ignore_stream; /* ignore streaming value of sub-template */
} sec_asn1e_state;
/*
@@ -184,7 +185,7 @@ sec_asn1e_notify_after (SEC_ASN1EncoderContext *cx, void *src, int depth)
static sec_asn1e_state *
sec_asn1e_init_state_based_on_template (sec_asn1e_state *state)
{
- PRBool explicit, is_string, may_stream, optional, universal;
+ PRBool explicit, is_string, may_stream, optional, universal, ignore_stream;
unsigned char tag_modifiers;
unsigned long encode_kind, under_kind;
unsigned long tag_number;
@@ -206,6 +207,9 @@ sec_asn1e_init_state_based_on_template (sec_asn1e_state *state)
may_stream = (encode_kind & SEC_ASN1_MAY_STREAM) ? PR_TRUE : PR_FALSE;
encode_kind &= ~SEC_ASN1_MAY_STREAM;
+ ignore_stream = (encode_kind & SEC_ASN1_NO_STREAM) ? PR_TRUE : PR_FALSE;
+ encode_kind &= ~SEC_ASN1_NO_STREAM;
+
/* Just clear this to get it out of the way; we do not need it here */
encode_kind &= ~SEC_ASN1_DYNAMIC;
@@ -290,7 +294,8 @@ sec_asn1e_init_state_based_on_template (sec_asn1e_state *state)
under_kind = state->theTemplate->kind;
if (under_kind & SEC_ASN1_MAY_STREAM) {
- may_stream = PR_TRUE;
+ if (!ignore_stream)
+ may_stream = PR_TRUE;
under_kind &= ~SEC_ASN1_MAY_STREAM;
}
} else {
@@ -363,6 +368,7 @@ sec_asn1e_init_state_based_on_template (sec_asn1e_state *state)
state->may_stream = may_stream;
state->is_string = is_string;
state->optional = optional;
+ state->ignore_stream = ignore_stream;
sec_asn1e_scrub_state (state);
@@ -473,12 +479,27 @@ sec_asn1e_which_choice
static unsigned long
sec_asn1e_contents_length (const SEC_ASN1Template *theTemplate, void *src,
- PRBool *noheaderp)
+ PRBool ignoresubstream, PRBool *noheaderp)
{
unsigned long encode_kind, underlying_kind;
PRBool explicit, optional, universal, may_stream;
unsigned long len;
+ /*
+ * This function currently calculates the length in all cases
+ * except the following: when writing out the contents of a
+ * template that belongs to a state where it was a sub-template
+ * with the SEC_ASN1_MAY_STREAM bit set and it's parent had the
+ * optional bit set. The information that the parent is optional
+ * and that we should return the length of 0 when that length is
+ * present since that means the optional field is no longer present.
+ * So we add the ignoresubstream flag which is passed in when
+ * writing the contents, but for all recursive calls to
+ * sec_asn1e_contents_length, we pass PR_FALSE, because this
+ * function correctly calculates the length for children templates
+ * from that point on. Confused yet? At least you didn't have
+ * to figure it out. ;) -javi
+ */
encode_kind = theTemplate->kind;
universal = ((encode_kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL)
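Review bot: The block comment added at the top of sec_asn1e_contents_length does not parse: the sentence beginning "The information that the parent is optional" has no verb, and "it's parent" should be "its parent", so the one case the new `ignoresubstream` parameter exists for is the hardest part to read. I would rewrite it to say plainly that the header writer passes the state's ignore_stream value, that with it set a zero-length item under a MAY_STREAM sub-template is reported as length 0 rather than the placeholder 1 (which appears to be what lets an optional parent be omitted), and that recursive calls always pass PR_FALSE. The function body continues outside this hunk.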
@@ -497,6 +518,7 @@ sec_asn1e_contents_length (const SEC_ASN1Template *theTemplate, void *src,
/* Just clear this to get it out of the way; we do not need it here */
encode_kind &= ~SEC_ASN1_DYNAMIC;
+ encode_kind &= ~SEC_ASN1_NO_STREAM;
if( encode_kind & SEC_ASN1_CHOICE ) {
void *src2;
@@ -509,7 +531,8 @@ sec_asn1e_contents_length (const SEC_ASN1Template *theTemplate, void *src,
src2 = (void *)((char *)src + theTemplate[indx].offset);
- return sec_asn1e_contents_length(&theTemplate[indx], src2, noheaderp);
+ return sec_asn1e_contents_length(&theTemplate[indx], src2,
+ PR_FALSE, noheaderp);
}
if ((encode_kind & (SEC_ASN1_POINTER | SEC_ASN1_INLINE)) || !universal) {
@@ -544,7 +567,8 @@ sec_asn1e_contents_length (const SEC_ASN1Template *theTemplate, void *src,
src = (char *)src + theTemplate->offset;
if (explicit) {
- len = sec_asn1e_contents_length (theTemplate, src, noheaderp);
+ len = sec_asn1e_contents_length (theTemplate, src, PR_FALSE,
+ noheaderp);
if (len == 0 && optional) {
*noheaderp = PR_TRUE;
} else if (*noheaderp) {
@@ -593,7 +617,8 @@ sec_asn1e_contents_length (const SEC_ASN1Template *theTemplate, void *src,
}
src2 = (void *)((char *)src - theTemplate->offset + theTemplate[indx].offset);
- len = sec_asn1e_contents_length(&theTemplate[indx], src2, noheaderp);
+ len = sec_asn1e_contents_length(&theTemplate[indx], src2, PR_FALSE,
+ noheaderp);
} else
switch (underlying_kind) {
@@ -615,7 +640,8 @@ sec_asn1e_contents_length (const SEC_ASN1Template *theTemplate, void *src,
for (; *group != NULL; group++) {
sub_src = (char *)(*group) + tmpt->offset;
- sub_len = sec_asn1e_contents_length (tmpt, sub_src, noheaderp);
+ sub_len = sec_asn1e_contents_length (tmpt, sub_src, PR_FALSE,
+ noheaderp);
len += sub_len;
/*
* XXX The 1 below is the presumed length of the identifier;
@@ -637,7 +663,8 @@ sec_asn1e_contents_length (const SEC_ASN1Template *theTemplate, void *src,
len = 0;
for (tmpt = theTemplate + 1; tmpt->kind; tmpt++) {
sub_src = (char *)src + tmpt->offset;
- sub_len = sec_asn1e_contents_length (tmpt, sub_src, noheaderp);
+ sub_len = sec_asn1e_contents_length (tmpt, sub_src, PR_FALSE,
+ noheaderp);
len += sub_len;
/*
* XXX The 1 below is the presumed length of the identifier;
@@ -659,7 +686,7 @@ sec_asn1e_contents_length (const SEC_ASN1Template *theTemplate, void *src,
default:
len = ((SECItem *)src)->len;
- if (may_stream && len == 0)
+ if (may_stream && len == 0 && !ignoresubstream)
len = 1; /* if we're streaming, we may have a secitem w/len 0 as placeholder */
break;
}
@@ -691,7 +718,6 @@ sec_asn1e_write_header (sec_asn1e_state *state)
}
if( state->underlying_kind & SEC_ASN1_CHOICE ) {
- void *src2;
int indx = sec_asn1e_which_choice(state->src, state->theTemplate);
if( 0 == indx ) {
/* XXX set an error? "choice not found" */
@@ -719,7 +745,9 @@ sec_asn1e_write_header (sec_asn1e_state *state)
* walk the data structure to calculate the entire contents length.
*/
contents_length = sec_asn1e_contents_length (state->theTemplate,
- state->src, &noheader);
+ state->src,
+ state->ignore_stream,
+ &noheader);
/*
* We might be told explicitly not to put out a header.
* But it can also be the case, via a pushed subtemplate, that
diff --git a/security/nss/lib/util/secasn1t.h b/security/nss/lib/util/secasn1t.h
index 45f0eba60..cb56a0bd7 100644
--- a/security/nss/lib/util/secasn1t.h
+++ b/security/nss/lib/util/secasn1t.h
@@ -178,6 +178,13 @@ typedef struct sec_ASN1Template_struct {
#define SEC_ASN1_SKIP_REST 0x80000 /* skip all following fields;
only for decoding */
#define SEC_ASN1_CHOICE 0x100000 /* pick one from a template */
+#define SEC_ASN1_NO_STREAM 0X200000 /* This entry will not stream
+ even if the sub-template says
+ streaming is possible. Helps
+ to solve ambiguities with potential
+ streaming entries that are
+ optional */
+
/* Shorthand/Aliases */
#define SEC_ASN1_SEQUENCE_OF (SEC_ASN1_GROUP | SEC_ASN1_SEQUENCE)
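Review bot: `SEC_ASN1_NO_STREAM` adds a new modifier bit to the shared `kind` word, and the encoder clears it in both sec_asn1e_init_state_based_on_template and sec_asn1e_contents_length before dispatching on the kind. The decoder is not visible in this part of the diff, so it is worth confirming that it masks the bit too; otherwise a template carrying this flag may reach a default case there. The literal is also written `0X200000` while the neighbouring defines use a lowercase prefix; `0x200000` would match.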
diff --git a/security/nss/macbuild/LoadableRoots.mcp b/security/nss/macbuild/LoadableRoots.mcp
index 962d99198..f9f6852d3 100644
--- a/security/nss/macbuild/LoadableRoots.mcp
+++ b/security/nss/macbuild/LoadableRoots.mcp
Binary files differ
diff --git a/security/nss/macbuild/NSSckfw.mcp b/security/nss/macbuild/NSSckfw.mcp
index cbcaefa23..6624f2319 100644
--- a/security/nss/macbuild/NSSckfw.mcp
+++ b/security/nss/macbuild/NSSckfw.mcp
Binary files differ
diff --git a/security/nss/manifest.mn b/security/nss/manifest.mn
index 0b3a2a329..fd91496cf 100644
--- a/security/nss/manifest.mn
+++ b/security/nss/manifest.mn
@@ -33,7 +33,7 @@
CORE_DEPTH = ..
DEPTH = ..
-IMPORTS = nspr20/v4.1.1 \
+IMPORTS = nspr20/v4.1.2 \
dbm/DBM_1_55_RTM \
$(NULL)
diff --git a/security/nss/tests/ssl/sslauth.txt b/security/nss/tests/ssl/sslauth.txt
index f4e088391..8e4a9c585 100644
--- a/security/nss/tests/ssl/sslauth.txt
+++ b/security/nss/tests/ssl/sslauth.txt
@@ -10,12 +10,12 @@
0 -r -w_nss_-n_TestUser TLS Request don't require client auth (client auth)
0 -r_-r -w_nss TLS Require client auth (client does not provide auth)
# this one should fail
- 2 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password)
+ 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password)
0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth)
0 -r -T_-w_nss SSL3 Request don't require client auth (client does not provide auth)
0 -r -T_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
0 -r -T_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
0 -r_-r -T_-w_nss SSL3 Require client auth (client does not provide auth)
# this one should fail
- 2 -r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
+ 254 -r_-r -T_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
0 -r_-r -T_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
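Review bot: The expected status for the two "Require client auth (bad password)" rows changes from 2 to 254, and the only explanation in the file is still `# this one should fail`. An exact value like 254 looks like a negative return truncated to a byte, which is presumably platform- and tool-dependent, so I would extend the comment on both rows to record which program produces that status and why it is 254.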