diff options
author | christophe.ravel.bugs%sun.com <devnull@localhost> | 2005-08-08 17:40:55 +0000 |
---|---|---|
committer | christophe.ravel.bugs%sun.com <devnull@localhost> | 2005-08-08 17:40:55 +0000 |
commit | d340cac39ed31a626516273f2bd451dbacdd73ab (patch) | |
tree | ed3dd0bd0eb675cfb6cbf084357b0a7130079f7a | |
parent | f10125bac7587d7f106149f29a514337fb7fa788 (diff) | |
download | nss-hg-d340cac39ed31a626516273f2bd451dbacdd73ab.tar.gz |
Backport from NSS 3.4 to NSS 3.3.4.x.
Checkins to directory mozilla/security/nss/lib/ssl by relyea* between 2001-12-05 00:00 and 2001-12-07 00:00
-rw-r--r-- | security/nss/lib/certhigh/certvfy.c | 2 | ||||
-rw-r--r-- | security/nss/lib/nss/nss.h | 2 | ||||
-rw-r--r-- | security/nss/lib/ssl/authcert.c | 4 | ||||
-rw-r--r-- | security/nss/lib/ssl/emulate.c | 10 | ||||
-rw-r--r-- | security/nss/lib/ssl/ssl3con.c | 14 | ||||
-rw-r--r-- | security/nss/lib/ssl/sslcon.c | 25 | ||||
-rw-r--r-- | security/nss/lib/ssl/ssldef.c | 6 | ||||
-rw-r--r-- | security/nss/lib/ssl/sslsock.c | 2 |
8 files changed, 43 insertions, 22 deletions
diff --git a/security/nss/lib/certhigh/certvfy.c b/security/nss/lib/certhigh/certvfy.c index ef5d49270..bd13eea1d 100644 --- a/security/nss/lib/certhigh/certvfy.c +++ b/security/nss/lib/certhigh/certvfy.c @@ -653,7 +653,7 @@ CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert, subjectNameList = CERT_GetCertificateNames(subjectCert, arena); subjectNameListLen = CERT_GetNamesLength(subjectNameList); for (i = 0; i < subjectNameListLen; i++) { - if (namesIndexLen < namesCount + i) { + if (namesIndexLen <= namesCount + i) { namesIndexLen = namesIndexLen * 2; namesIndex = (SECItem *) PORT_Realloc(namesIndex, namesIndexLen * sizeof(SECItem)); diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index e48060a5f..2c0741802 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -49,7 +49,7 @@ SEC_BEGIN_PROTOS * The format of the version string should be * "<major version>.<minor version>[.<patch level>] [<Beta>]" */ -#define NSS_VERSION "3.3.4.6" +#define NSS_VERSION "3.3.4.7" #define NSS_VMAJOR 3 #define NSS_VMINOR 3 #define NSS_VPATCH 4 diff --git a/security/nss/lib/ssl/authcert.c b/security/nss/lib/ssl/authcert.c index 5a9c45e5a..bd473f11f 100644 --- a/security/nss/lib/ssl/authcert.c +++ b/security/nss/lib/ssl/authcert.c @@ -59,8 +59,8 @@ NSS_GetClientAuthData(void * arg, struct CERTCertificateStr ** pRetCert, struct SECKEYPrivateKeyStr **pRetKey) { - CERTCertificate * cert; - SECKEYPrivateKey * privkey; + CERTCertificate * cert = NULL; + SECKEYPrivateKey * privkey = NULL; char * chosenNickName = (char *)arg; /* CONST */ void * proto_win = NULL; SECStatus rv = SECFailure; diff --git a/security/nss/lib/ssl/emulate.c b/security/nss/lib/ssl/emulate.c index bb6efc140..77c99639f 100644 --- a/security/nss/lib/ssl/emulate.c +++ b/security/nss/lib/ssl/emulate.c @@ -202,7 +202,7 @@ ssl_EmulateTransmitFile( PRFileDesc * sd, PRTransmitFileFlags flags, PRIntervalTime timeout) { - void * addr; + void * addr = NULL; PRFileMap * mapHandle = NULL; PRInt32 count = 0; PRInt32 index = 0; @@ -461,7 +461,7 @@ PRInt32 ssl_EmulateSendFile(PRFileDesc *sd, PRSendFileData *sfd, PRTransmitFileFlags flags, PRIntervalTime timeout) { - void * addr; + void * addr = NULL; PRFileMap * mapHandle = NULL; PRInt32 count = 0; PRInt32 file_bytes; @@ -529,6 +529,12 @@ ssl_EmulateSendFile(PRFileDesc *sd, PRSendFileData *sfd, len = mmap_len - addr_offset; } /* + * filebytes is negative or SENDFILE_MMAP_CHUNK is less than pagesize. + * assert so we catch problems in debug builds. + */ + PR_ASSERT(len >= 0); + + /* * Map in (part of) file. Take care of zero-length files. */ if (len > 0) { diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index 8ed3e0e8d..df6ef439b 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -444,9 +444,9 @@ ssl3_config_match_init(sslSocket *ss) /* Mark the suites that are backed by real tokens, certs and keys */ suite->isPresent = (PRBool) (((exchKeyType == kt_null) || - (!isServer || (ss->serverKey[exchKeyType] && + ((!isServer || (ss->serverKey[exchKeyType] && ss->serverCertChain[exchKeyType])) && - PK11_TokenExists(kea_alg_defs[exchKeyType])) && + PK11_TokenExists(kea_alg_defs[exchKeyType]))) && ((cipher_alg == calg_null) || PK11_TokenExists(cipher_alg))); if (suite->isPresent) ++numPresent; @@ -2922,6 +2922,10 @@ ssl_UnwrapSymWrappingKey( PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey, masterWrapMech, CKA_UNWRAP, 0); break; + default: + /* Assert? */ + SET_ERROR_CODE + goto loser; } loser: return unwrappedWrappingKey; @@ -2954,7 +2958,7 @@ getWrappingKey( sslSocket * ss, SECKEYPublicKey * svrPubKey = NULL; PK11SymKey * unwrappedWrappingKey = NULL; PK11SymKey ** pSymWrapKey; - CK_MECHANISM_TYPE asymWrapMechanism; + CK_MECHANISM_TYPE asymWrapMechanism = CKM_INVALID_MECHANISM; int length; int symWrapMechIndex; SECStatus rv; @@ -3090,6 +3094,8 @@ no_wrapped_key: goto loser; } + PORT_Assert(asymWrapMechanism != CKM_INVALID_MECHANISM); + wswk.symWrapMechanism = masterWrapMech; wswk.symWrapMechIndex = symWrapMechIndex; wswk.asymWrapMechanism = asymWrapMechanism; @@ -3486,7 +3492,7 @@ loser: static SECStatus sendFortezzaClientKeyExchange(sslSocket * ss, SECKEYPublicKey * serverKey) { - ssl3CipherSpec * pwSpec; + ssl3CipherSpec * pwSpec = NULL; sslSessionID * sid = ss->sec->ci.sid; PK11SlotInfo * slot = NULL; PK11SymKey * pms = NULL; diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c index 53575bf68..d0005d269 100644 --- a/security/nss/lib/ssl/sslcon.c +++ b/security/nss/lib/ssl/sslcon.c @@ -1457,10 +1457,10 @@ loser: static SECStatus ssl2_CreateSessionCypher(sslSocket *ss, sslSessionID *sid, PRBool isClient) { - sslSecurityInfo * sec; + sslSecurityInfo * sec = NULL; sslConnectInfo * ci; - SECItem * rk; - SECItem * wk; + SECItem * rk = NULL; + SECItem * wk = NULL; SECItem * param; SECStatus rv; int cipherType = sid->u.ssl2.cipherType; @@ -1495,7 +1495,7 @@ ssl2_CreateSessionCypher(sslSocket *ss, sslSessionID *sid, PRBool isClient) SSL_DBG(("%d: SSL[%d]: ssl2_CreateSessionCypher: unknown cipher=%d", SSL_GETPID(), ss->fd, cipherType)); PORT_SetError(isClient ? SSL_ERROR_BAD_SERVER : SSL_ERROR_BAD_CLIENT); - goto loser; + goto sec_loser; } sec = ss->sec; @@ -1580,8 +1580,12 @@ ssl2_CreateSessionCypher(sslSocket *ss, sslSessionID *sid, PRBool isClient) rv = SECFailure; done: - SECITEM_ZfreeItem(rk, PR_FALSE); - SECITEM_ZfreeItem(wk, PR_FALSE); + if (rk) { + SECITEM_ZfreeItem(rk, PR_FALSE); + } + if (wk) { + SECITEM_ZfreeItem(wk, PR_FALSE); + } return rv; } @@ -1613,7 +1617,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits, PRUint8 *ek, unsigned int ekLen, PRUint8 *ca, unsigned int caLen) { - PRUint8 *kk; + PRUint8 *kk = NULL; sslSecurityInfo * sec; sslSessionID * sid; PRUint8 * kbuf = 0; /* buffer for RSA decrypted data. */ @@ -1729,6 +1733,9 @@ hide_loser: * Instead, Generate a completely bogus master key . */ PK11_GenerateRandom(kbuf, ekLen); + if (!kk) { + kk = kbuf + ekLen - (keySize - ckLen); + } } /* @@ -2967,7 +2974,7 @@ ssl2_BeginClientHandshake(sslSocket *ss) PRUint8 *localCipherSpecs = NULL; unsigned int localCipherSize; unsigned int i; - int sendLen, sidLen; + int sendLen, sidLen = 0; SECStatus rv; PORT_Assert( ssl_Have1stHandshakeLock(ss) ); @@ -3747,8 +3754,6 @@ NSSSSL_VersionCheck(const char *importedVersion) * not compatible with future major, minor, or * patch releases. */ - int vmajor = 0, vminor = 0, vpatch = 0; - const char *ptr = importedVersion; volatile char c; /* force a reference that won't get optimized away */ c = __nss_ssl_rcsid[0] + __nss_ssl_sccsid[0]; diff --git a/security/nss/lib/ssl/ssldef.c b/security/nss/lib/ssl/ssldef.c index 81d6db8c8..1d98cac88 100644 --- a/security/nss/lib/ssl/ssldef.c +++ b/security/nss/lib/ssl/ssldef.c @@ -41,8 +41,10 @@ #if defined(WIN32) #define MAP_ERROR(from,to) if (err == from) { PORT_SetError(to); } +#define DEFINE_ERROR PRErrorCode err = PR_GetError(); #else #define MAP_ERROR(from,to) +#define DEFINE_ERROR #endif int ssl_DefConnect(sslSocket *ss, const PRNetAddr *sa) @@ -88,7 +90,7 @@ int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags) rv = lower->methods->recv(lower, (void *)buf, len, flags, ss->rTimeout); if (rv < 0) { - PRErrorCode err = PR_GetError(); + DEFINE_ERROR MAP_ERROR(PR_SOCKET_SHUTDOWN_ERROR, PR_CONNECT_RESET_ERROR) } else if (rv > len) { PORT_Assert(rv <= len); @@ -152,7 +154,7 @@ int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len) rv = lower->methods->read(lower, (void *)buf, len); if (rv < 0) { - PRErrorCode err = PR_GetError(); + DEFINE_ERROR MAP_ERROR(PR_SOCKET_SHUTDOWN_ERROR, PR_CONNECT_RESET_ERROR) } return rv; diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c index d294a1421..81ec18d99 100644 --- a/security/nss/lib/ssl/sslsock.c +++ b/security/nss/lib/ssl/sslsock.c @@ -306,7 +306,9 @@ ssl_FreeSocket(sslSocket *ss) int i; sslSocket *fs; +#ifdef DEBUG sslSocket lSock; +#endif /* Get every lock you can imagine! ** Caller already holds these: |