summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorrelyea%netscape.com <devnull@localhost>2001-12-07 01:36:25 +0000
committerrelyea%netscape.com <devnull@localhost>2001-12-07 01:36:25 +0000
commita29c06105eb45d5519fadb2ce261d3498450ae81 (patch)
tree3b4864f1ced4a534816a724f66be6608bcba54bc /security
parent19724b6760c3175a98f2d1807562d708848a59d5 (diff)
downloadnss-hg-a29c06105eb45d5519fadb2ce261d3498450ae81.tar.gz
Clean up compilier warnings on Solaris and Linux, most particularly:
1) Implicit declaration of function. 2) Possibly unitialized variables. These warnings have indicated some real problems in the code, so many changes are not just to silence the warnings, but to fix the problems. Others were inocuous, but the warnings were silenced to reduce the noise.
Diffstat (limited to 'security')
-rw-r--r--security/nss/lib/certdb/cert.h4
-rw-r--r--security/nss/lib/certdb/certdb.h12
-rw-r--r--security/nss/lib/certdb/crl.c2
-rw-r--r--security/nss/lib/certdb/stanpcertdb.c7
-rw-r--r--security/nss/lib/certhigh/ocsp.c8
-rw-r--r--security/nss/lib/ckfw/ckfwm.h6
-rw-r--r--security/nss/lib/ckfw/sessobj.c4
-rw-r--r--security/nss/lib/dev/ckhelper.c4
-rw-r--r--security/nss/lib/dev/devobject.c3
-rw-r--r--security/nss/lib/dev/devslot.c16
-rw-r--r--security/nss/lib/dev/devtoken.c12
-rw-r--r--security/nss/lib/jar/jarevil.c1
-rw-r--r--security/nss/lib/jar/jarjart.c1
-rw-r--r--security/nss/lib/jar/jarver.c1
-rw-r--r--security/nss/lib/nss/nssinit.c5
-rw-r--r--security/nss/lib/pk11wrap/dev3hack.c20
-rw-r--r--security/nss/lib/pk11wrap/manifest.mn1
-rw-r--r--security/nss/lib/pk11wrap/pk11cert.c10
-rw-r--r--security/nss/lib/pk11wrap/pk11func.h3
-rw-r--r--security/nss/lib/pk11wrap/pk11util.c1
-rw-r--r--security/nss/lib/pk11wrap/secmod.h2
-rw-r--r--security/nss/lib/pk11wrap/secmodi.h7
-rw-r--r--security/nss/lib/pk11wrap/secpkcs5.h4
-rw-r--r--security/nss/lib/pkcs12/p12dec.c2
-rw-r--r--security/nss/lib/pkcs12/p12plcy.c2
-rw-r--r--security/nss/lib/pkcs7/p7decode.c2
-rw-r--r--security/nss/lib/pkcs7/p7local.c2
-rw-r--r--security/nss/lib/pki/certdecode.c1
-rw-r--r--security/nss/lib/pki/certificate.c2
-rw-r--r--security/nss/lib/pki/pki3hack.c8
-rw-r--r--security/nss/lib/pki/pkim.h6
-rw-r--r--security/nss/lib/pki/tdcache.c8
-rw-r--r--security/nss/lib/pki1/atav.c3
-rw-r--r--security/nss/lib/pki1/oid.c2
-rw-r--r--security/nss/lib/smime/cmscipher.c2
-rw-r--r--security/nss/lib/smime/cmsencdata.c1
-rw-r--r--security/nss/lib/smime/cmsenvdata.c2
-rw-r--r--security/nss/lib/smime/cmspubkey.c21
-rw-r--r--security/nss/lib/smime/cmsrecinfo.c11
-rw-r--r--security/nss/lib/smime/cmst.h1
-rw-r--r--security/nss/lib/softoken/dbinit.c4
-rw-r--r--security/nss/lib/softoken/keydb.c105
-rw-r--r--security/nss/lib/softoken/keydbi.h2
-rw-r--r--security/nss/lib/softoken/lowcert.c12
-rw-r--r--security/nss/lib/softoken/lowkeyi.h7
-rw-r--r--security/nss/lib/softoken/lowpbe.c2
-rw-r--r--security/nss/lib/softoken/pcert.h51
-rw-r--r--security/nss/lib/softoken/pcertdb.c35
-rw-r--r--security/nss/lib/softoken/pkcs11.c70
-rw-r--r--security/nss/lib/softoken/pkcs11i.h7
-rw-r--r--security/nss/lib/softoken/pkcs11u.c10
-rw-r--r--security/nss/lib/ssl/authcert.c4
-rw-r--r--security/nss/lib/ssl/emulate.c11
-rw-r--r--security/nss/lib/ssl/ssl3con.c14
-rw-r--r--security/nss/lib/ssl/sslcon.c26
-rw-r--r--security/nss/lib/ssl/ssldef.c4
-rw-r--r--security/nss/lib/ssl/sslsock.c2
-rw-r--r--security/nss/lib/util/secitem.c2
58 files changed, 339 insertions, 239 deletions
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
index 394d518f9..0ef35a581 100644
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -327,6 +327,10 @@ extern SECStatus CERT_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECIt
extern SECStatus CERT_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer,
SECItem *sn, SECItem *key);
+extern SECStatus CERT_SerialNumberFromDERCert(SECItem *derCert,
+ SECItem *derName);
+
+
/*
** Generate a database search key for a crl, based on the
** issuer.
diff --git a/security/nss/lib/certdb/certdb.h b/security/nss/lib/certdb/certdb.h
index 4222a615d..7340961c2 100644
--- a/security/nss/lib/certdb/certdb.h
+++ b/security/nss/lib/certdb/certdb.h
@@ -81,6 +81,12 @@ CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
SECStatus SEC_DeletePermCertificate(CERTCertificate *cert);
+PRBool
+SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old);
+
+SECCertTimeValidity
+SEC_CheckCrlTimes(CERTCrl *crl, PRTime t);
+
#ifdef notdef
/*
** Add a DER encoded certificate to the permanent database.
@@ -129,12 +135,6 @@ SEC_CertDBKeyConflict(SECItem *derCert, PCERTCertDBHandle *handle);
SECStatus
SEC_GetCrlTimes(PCERTCrl *dates, PRTime *notBefore, PRTime *notAfter);
-SECCertTimeValidity
-SEC_CheckCrlTimes(PCERTCrl *crl, PRTime t);
-
-PRBool
-SEC_CrlIsNewer(PCERTCrl *inNew, PCERTCrl *old);
-
PCERTSignedCrl *
SEC_AddPermCrlToTemp(PCERTCertDBHandle *handle, certDBEntryRevocation *entry);
diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c
index d6c232ec7..d3c1ce883 100644
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@@ -595,7 +595,7 @@ SEC_LookupCrls(CERTCertDBHandle *handle, CERTCrlHeadNode **nodes, int type)
/* Look up the proper crl types */
*nodes = head;
- rv = PK11_LookupCrls(nodes, type, NULL);
+ rv = PK11_LookupCrls(head, type, NULL);
if (rv != SECSuccess) {
if ( arena ) {
diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c
index 27adf61b7..ae92d57ef 100644
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -93,6 +93,7 @@ CERT_GetCertTrust(CERTCertificate *cert, CERTCertTrust *trust)
return(rv);
}
+#ifdef notdef
static char *
cert_parseNickname(char *nickname)
{
@@ -101,6 +102,7 @@ cert_parseNickname(char *nickname)
if (*cp == ':') return cp+1;
return nickname;
}
+#endif
/* XXX needs work */
SECStatus
@@ -137,6 +139,9 @@ __CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
PORT_Free(cert->nickname);
cert->nickname = PORT_Strdup(nickname);
}
+ return (STAN_ChangeCertTrust(cert, trust ) == PR_SUCCESS) ?
+ SECSuccess: SECFailure;
+#ifdef notdef
/*
nssTrustDomain_AddTempCertToPerm(c);
if (memcmp(cert->trust, trust, sizeof (*trust)) != 0) {
@@ -146,6 +151,7 @@ __CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
}
*/
return SECFailure;
+#endif
}
SECStatus
@@ -161,7 +167,6 @@ __CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
{
NSSCertificate *c;
NSSCryptoContext *context;
- nssDecodedCert *dc;
NSSArena *arena;
CERTCertificate *cc;
arena = NSSArena_Create();
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
index 2dc75e474..4d4c549ac 100644
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -2726,8 +2726,8 @@ ocsp_CertIDsMatch(CERTCertDBHandle *handle,
PRBool match = PR_FALSE;
SECItem *foundHash = NULL;
SECOidTag hashAlg;
- SECItem *keyHash;
- SECItem *nameHash;
+ SECItem *keyHash = NULL;
+ SECItem *nameHash = NULL;
/*
* In order to match, they must have the same issuer and the same
@@ -2770,12 +2770,14 @@ ocsp_CertIDsMatch(CERTCertDBHandle *handle,
nameHash = &certID1->issuerMD2NameHash;
break;
default:
- foundHash == NULL;
+ foundHash = NULL;
+ break;
}
if (foundHash == NULL) {
goto done;
}
+ PORT_Assert(keyHash && nameHash);
if ((SECITEM_CompareItem(nameHash, &certID2->issuerNameHash) == SECEqual)
&& (SECITEM_CompareItem(keyHash, &certID2->issuerKeyHash) == SECEqual)) {
diff --git a/security/nss/lib/ckfw/ckfwm.h b/security/nss/lib/ckfw/ckfwm.h
index 82fd74830..615efe2b6 100644
--- a/security/nss/lib/ckfw/ckfwm.h
+++ b/security/nss/lib/ckfw/ckfwm.h
@@ -158,4 +158,10 @@ nssCKFWHash_Iterate
void *closure
);
+NSS_EXTERN void
+nssSetLockArgs(
+ CK_C_INITIALIZE_ARGS_PTR pInitArgs
+);
+
+
#endif /* CKFWM_H */
diff --git a/security/nss/lib/ckfw/sessobj.c b/security/nss/lib/ckfw/sessobj.c
index 7e683fd96..6851c1b6e 100644
--- a/security/nss/lib/ckfw/sessobj.c
+++ b/security/nss/lib/ckfw/sessobj.c
@@ -103,6 +103,7 @@ nss_ckmdSessionObject_remove_pointer
return CKR_OK;
}
+#ifdef NSS_DEBUG
static CK_RV
nss_ckmdSessionObject_verifyPointer
(
@@ -111,6 +112,7 @@ nss_ckmdSessionObject_verifyPointer
{
return CKR_OK;
}
+#endif
#endif /* DEBUG */
@@ -819,6 +821,7 @@ nss_ckmdFindSessionObjects_remove_pointer
return CKR_OK;
}
+#ifdef NSS_DEBUG
static CK_RV
nss_ckmdFindSessionObjects_verifyPointer
(
@@ -827,6 +830,7 @@ nss_ckmdFindSessionObjects_verifyPointer
{
return CKR_OK;
}
+#endif
#endif /* DEBUG */
diff --git a/security/nss/lib/dev/ckhelper.c b/security/nss/lib/dev/ckhelper.c
index 8f1d200fb..473b442ae 100644
--- a/security/nss/lib/dev/ckhelper.c
+++ b/security/nss/lib/dev/ckhelper.c
@@ -86,9 +86,9 @@ nssCKObject_GetAttributes
NSSSlot *slot
)
{
- nssArenaMark *mark;
+ nssArenaMark *mark = NULL;
CK_SESSION_HANDLE hSession;
- CK_ULONG i;
+ CK_ULONG i = 0;
CK_RV ckrv;
PRStatus nssrv;
PRBool alloced = PR_FALSE;
diff --git a/security/nss/lib/dev/devobject.c b/security/nss/lib/dev/devobject.c
index 33451a267..2620906a6 100644
--- a/security/nss/lib/dev/devobject.c
+++ b/security/nss/lib/dev/devobject.c
@@ -62,6 +62,7 @@ static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
#ifdef NSS_3_4_CODE
#include "pkim.h" /* for cert decoding */
+#include "pk11func.h" /* for PK11_HasRootCerts */
#endif
/* The number of object handles to grab during each call to C_FindObjects */
@@ -75,7 +76,7 @@ nssToken_DeleteStoredObject
{
CK_RV ckrv;
PRStatus nssrv;
- PRBool createdSession;
+ PRBool createdSession = PR_FALSE;
NSSToken *token = instance->token;
nssSession *session = NULL;
if (nssCKObject_IsAttributeTrue(instance->handle, CKA_TOKEN,
diff --git a/security/nss/lib/dev/devslot.c b/security/nss/lib/dev/devslot.c
index 25e16d2c4..a113b46f5 100644
--- a/security/nss/lib/dev/devslot.c
+++ b/security/nss/lib/dev/devslot.c
@@ -62,6 +62,7 @@ static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
/* The flags needed to open a read-only session. */
static const CK_FLAGS s_ck_readonly_flags = CKF_SERIAL_SESSION;
+#ifdef PURE_STAN
/* In pk11slot.c, this was a no-op. So it is here also. */
static CK_RV PR_CALLBACK
nss_ck_slot_notify
@@ -73,6 +74,7 @@ nss_ck_slot_notify
{
return CKR_OK;
}
+#endif
/* maybe this should really inherit completely from the module... I dunno,
* any uses of slots where independence is needed?
@@ -85,10 +87,10 @@ nssSlot_Create
NSSModule *parent
)
{
- NSSArena *arena;
- nssArenaMark *mark;
+ NSSArena *arena = NULL;
+ nssArenaMark *mark = NULL;
NSSSlot *rvSlot;
- NSSToken *token;
+ NSSToken *token = NULL;
NSSUTF8 *slotName = NULL;
PRUint32 length;
PRBool newArena;
@@ -150,9 +152,11 @@ nssSlot_Create
}
}
rvSlot->token = token;
- nssrv = nssArena_Unmark(arena, mark);
- if (nssrv != PR_SUCCESS) {
- goto loser;
+ if (mark) {
+ nssrv = nssArena_Unmark(arena, mark);
+ if (nssrv != PR_SUCCESS) {
+ goto loser;
+ }
}
return rvSlot;
loser:
diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c
index b90dd4c6c..5b5c4b320 100644
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -67,9 +67,9 @@ nssToken_Create
)
{
NSSArena *arena;
- nssArenaMark *mark;
+ nssArenaMark *mark = NULL;
NSSToken *rvToken;
- nssSession *session;
+ nssSession *session = NULL;
NSSUTF8 *tokenName = NULL;
PRUint32 length;
PRBool newArena;
@@ -134,9 +134,11 @@ nssToken_Create
rvToken->name = tokenName;
rvToken->ckFlags = tokenInfo.flags;
rvToken->defaultSession = session;
- nssrv = nssArena_Unmark(arena, mark);
- if (nssrv != PR_SUCCESS) {
- goto loser;
+ if (mark) {
+ nssrv = nssArena_Unmark(arena, mark);
+ if (nssrv != PR_SUCCESS) {
+ goto loser;
+ }
}
return rvToken;
loser:
diff --git a/security/nss/lib/jar/jarevil.c b/security/nss/lib/jar/jarevil.c
index 56dc5dbc3..cced82b7d 100644
--- a/security/nss/lib/jar/jarevil.c
+++ b/security/nss/lib/jar/jarevil.c
@@ -46,6 +46,7 @@
#include "jarint.h"
#include "jarevil.h"
+#include "certdb.h"
/* from libevent.h */
#ifdef MOZILLA_CLIENT_OLD
diff --git a/security/nss/lib/jar/jarjart.c b/security/nss/lib/jar/jarjart.c
index 4b344c0f2..daed4d661 100644
--- a/security/nss/lib/jar/jarjart.c
+++ b/security/nss/lib/jar/jarjart.c
@@ -45,6 +45,7 @@
#include "jarjart.h"
#include "blapi.h" /* JAR is supposed to be above the line!! */
#include "pk11func.h" /* PK11 wrapper funcs are all above the line. */
+#include "certdb.h"
/* from certdb.h */
#define CERTDB_USER (1<<6)
diff --git a/security/nss/lib/jar/jarver.c b/security/nss/lib/jar/jarver.c
index af1a28328..be974a1dd 100644
--- a/security/nss/lib/jar/jarver.c
+++ b/security/nss/lib/jar/jarver.c
@@ -1822,7 +1822,6 @@ static int jar_gather_signers
CERTCertDBHandle *JAR_open_database (void)
{
- int keepcerts = 0;
CERTCertDBHandle *certdb;
certdb = CERT_GetDefaultCertDB();
diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c
index 12b52755f..048bbc26c 100644
--- a/security/nss/lib/nss/nssinit.c
+++ b/security/nss/lib/nss/nssinit.c
@@ -270,7 +270,10 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
char *moduleSpec = NULL;
char *flags = NULL;
SECStatus rv = SECFailure;
- char *lconfigdir,*lcertPrefix,*lkeyPrefix,*lsecmodName;
+ char *lconfigdir = NULL;
+ char *lcertPrefix = NULL;
+ char *lkeyPrefix = NULL;
+ char *lsecmodName = NULL;
flags = nss_makeFlags(readOnly,noCertDB,noModDB,forceOpen,
pk11_password_required);
diff --git a/security/nss/lib/pk11wrap/dev3hack.c b/security/nss/lib/pk11wrap/dev3hack.c
index 5c40608f3..23dd7b21f 100644
--- a/security/nss/lib/pk11wrap/dev3hack.c
+++ b/security/nss/lib/pk11wrap/dev3hack.c
@@ -47,6 +47,19 @@ static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
#include "devt.h"
#endif /* DEVT_H */
+/* copied from devutil.c in dev */
+static PRUint32
+nssdevPKCS11StringLength(CK_CHAR *pkcs11Str, PRUint32 bufLen)
+{
+ PRInt32 i;
+ for (i = bufLen - 1; i>=0; ) {
+ if (pkcs11Str[i] != ' ') break;
+ --i;
+ }
+ return (PRUint32)(i + 1);
+}
+
+
#include "dev3hack.h"
#ifndef BASE_H
@@ -123,7 +136,7 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot)
rvSlot->slotID = nss3slot->slotID;
rvSlot->trustDomain = td;
/* Grab the slot name from the PKCS#11 fixed-length buffer */
- length = nssPKCS11StringLength(nss3slot->slot_name,
+ length = nssdevPKCS11StringLength((CK_CHAR *)nss3slot->slot_name,
sizeof(nss3slot->slot_name));
if (length > 0) {
rvSlot->name = nssUTF8_Create(td->arena, nssStringType_UTF8String,
@@ -150,7 +163,7 @@ nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot)
nss3slot->defRWSession);
rvToken->trustDomain = td;
/* Grab the token name from the PKCS#11 fixed-length buffer */
- length = nssPKCS11StringLength(nss3slot->token_name,
+ length = nssdevPKCS11StringLength((CK_CHAR *)nss3slot->token_name,
sizeof(nss3slot->token_name));
if (length > 0) {
rvToken->name = nssUTF8_Create(td->arena, nssStringType_UTF8String,
@@ -180,11 +193,14 @@ nssToken_Nofify
NSSToken *tok,
nssPK11Event event
)
+
{
+#ifdef notdef
switch (event) {
default:
return PR_FAILURE;
}
+#endif
return PR_FAILURE;
}
diff --git a/security/nss/lib/pk11wrap/manifest.mn b/security/nss/lib/pk11wrap/manifest.mn
index 1c525506d..9d39d9b75 100644
--- a/security/nss/lib/pk11wrap/manifest.mn
+++ b/security/nss/lib/pk11wrap/manifest.mn
@@ -35,6 +35,7 @@ CORE_DEPTH = ../../..
EXPORTS = \
secmod.h \
secmodt.h \
+ secpkcs5.h \
pk11func.h \
pk11sdr.h \
pk11pqg.h \
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
index 45aa0a9ec..a40493a07 100644
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -1270,7 +1270,7 @@ PK11_FindCertsFromNickname(char *nickname, void *wincx) {
char *tokenName;
int i;
CERTCertList *certList = NULL;
- NSSCertificate **foundCerts;
+ NSSCertificate **foundCerts = NULL;
NSSCertificate *c;
NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
if ((delimit = PORT_Strchr(nickname,':')) != NULL) {
@@ -3137,7 +3137,6 @@ PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *crlHandle,
CK_OBJECT_HANDLE crlh = CK_INVALID_HANDLE;
CK_ATTRIBUTE *attrs = theTemplate;
CK_RV crv;
- SECStatus rv;
SECItem *derCrl = NULL;
PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); attrs++;
@@ -3283,12 +3282,9 @@ PK11_FindSMimeProfile(PK11SlotInfo **slot, char *emailAddr,
};
/* if you change the array, change the variable below as well */
int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
- CK_BBOOL ck_true = CK_TRUE;
- CK_BBOOL ck_false = CK_FALSE;
CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE;
CK_ATTRIBUTE *attrs = theTemplate;
CK_RV crv;
- SECStatus rv;
SECItem *emailProfile = NULL;
PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); attrs++;
@@ -3385,12 +3381,14 @@ PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj,
{ CKA_VALUE, NULL, 0 }
};
/* if you change the array, change the variable below as well */
- int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
int realSize = 0;
CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE;
CK_ATTRIBUTE *attrs = theTemplate;
CK_SESSION_HANDLE rwsession;
CK_RV crv;
+#ifdef DEBUG
+ int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+#endif
PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); attrs++;
PK11_SETATTRS(attrs, CKA_TOKEN, &ck_true, sizeof(ck_true)); attrs++;
diff --git a/security/nss/lib/pk11wrap/pk11func.h b/security/nss/lib/pk11wrap/pk11func.h
index bc100af26..48dbed459 100644
--- a/security/nss/lib/pk11wrap/pk11func.h
+++ b/security/nss/lib/pk11wrap/pk11func.h
@@ -360,6 +360,8 @@ SECStatus PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot,
CERTCertificate * PK11_FindCertFromNickname(char *nickname, void *wincx);
CERTCertList * PK11_FindCertsFromNickname(char *nickname, void *wincx);
SECKEYPrivateKey * PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx);
+SECStatus PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
+ CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust);
PK11SlotInfo *PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,
void *wincx);
PK11SlotInfo *PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,
@@ -415,6 +417,7 @@ CERTCertList *
PK11_ListCerts(PK11CertListType type, void *pwarg);
CERTCertList *
PK11_ListCertsInSlot(PK11SlotInfo *slot);
+SECStatus PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx);
/**********************************************************************
diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c
index 5509cbdd3..8c9e40d4b 100644
--- a/security/nss/lib/pk11wrap/pk11util.c
+++ b/security/nss/lib/pk11wrap/pk11util.c
@@ -38,6 +38,7 @@
#include "nssilock.h"
#include "secmodi.h"
#include "pk11func.h"
+#include "pki3hack.h"
/* these are for displaying error messages */
diff --git a/security/nss/lib/pk11wrap/secmod.h b/security/nss/lib/pk11wrap/secmod.h
index d0ac74da2..ad3b7e024 100644
--- a/security/nss/lib/pk11wrap/secmod.h
+++ b/security/nss/lib/pk11wrap/secmod.h
@@ -85,6 +85,8 @@ extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent,
PRBool recurse);
SECMODModule * SECMOD_CreateModule(char *lib, char *name, char *param,
char *nss);
+extern void SECMOD_Shutdown(void);
+
/* Module Management */
char **SECMOD_GetModuleSpecList(SECMODModule *module);
diff --git a/security/nss/lib/pk11wrap/secmodi.h b/security/nss/lib/pk11wrap/secmodi.h
index 40415d22f..087d072f2 100644
--- a/security/nss/lib/pk11wrap/secmodi.h
+++ b/security/nss/lib/pk11wrap/secmodi.h
@@ -58,7 +58,6 @@ extern SECStatus SECMOD_DeletePermDB(SECMODModule *module);
extern SECStatus SECMOD_AddPermDB(SECMODModule *module);
extern void SECMOD_Init(void);
-extern void SECMOD_Shutdown(void);
/* list managment */
extern SECStatus SECMOD_AddModuleToList(SECMODModule *newModule);
@@ -92,7 +91,6 @@ CK_OBJECT_HANDLE pk11_FindObjectByTemplate(PK11SlotInfo *slot,
CK_ATTRIBUTE *inTemplate,int tsize);
SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot,
PK11DefaultArrayEntry *entry, PRBool add);
-SEC_END_PROTOS
#define PK11_GETTAB(x) ((CK_FUNCTION_LIST_PTR)((x)->functionList))
#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
@@ -101,5 +99,10 @@ SECStatus PK11_CreateNewObject(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
CK_ATTRIBUTE *theTemplate, int count,
PRBool token, CK_OBJECT_HANDLE *objectID);
+SECStatus pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech);
+SECStatus PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param,
+ PRArenaPool *arena, SECAlgorithmID *algId);
+SEC_END_PROTOS
+
#endif
diff --git a/security/nss/lib/pk11wrap/secpkcs5.h b/security/nss/lib/pk11wrap/secpkcs5.h
index 870d472cc..2b5539be4 100644
--- a/security/nss/lib/pk11wrap/secpkcs5.h
+++ b/security/nss/lib/pk11wrap/secpkcs5.h
@@ -49,5 +49,9 @@ typedef struct PBEBitGenContextStr PBEBitGenContext;
SECAlgorithmID *
SEC_PKCS5CreateAlgorithmID(SECOidTag algorithm, SECItem *salt, int iteration);
+SECOidTag SEC_PKCS5GetCryptoAlgorithm(SECAlgorithmID *algid);
+PRBool SEC_PKCS5IsAlgorithmPBEAlg(SECAlgorithmID *algid);
+SECOidTag SEC_PKCS5GetPBEAlgorithm(SECOidTag algTag, int keyLen);
+int SEC_PKCS5GetKeyLength(SECAlgorithmID *algid);
#endif /* _SECPKS5_H_ */
diff --git a/security/nss/lib/pkcs12/p12dec.c b/security/nss/lib/pkcs12/p12dec.c
index f1f9fe464..abce05885 100644
--- a/security/nss/lib/pkcs12/p12dec.c
+++ b/security/nss/lib/pkcs12/p12dec.c
@@ -45,7 +45,7 @@
#include "certdb.h"
#include "p12plcy.h"
#include "p12.h"
-/*#include "secpkcs5.h" */
+#include "secpkcs5.h"
/* PFX extraction and validation routines */
diff --git a/security/nss/lib/pkcs12/p12plcy.c b/security/nss/lib/pkcs12/p12plcy.c
index 26edd16ba..a62be5fe7 100644
--- a/security/nss/lib/pkcs12/p12plcy.c
+++ b/security/nss/lib/pkcs12/p12plcy.c
@@ -35,7 +35,7 @@
#include "p12plcy.h"
#include "secoid.h"
#include "secport.h"
-/*#include "secpkcs5.h" LOTS of PKCS5 calls below. XXX EVIL. */
+#include "secpkcs5.h"
#define PKCS12_NULL 0x0000
diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c
index 0df147a3f..a3a41bb79 100644
--- a/security/nss/lib/pkcs7/p7decode.c
+++ b/security/nss/lib/pkcs7/p7decode.c
@@ -58,7 +58,7 @@
#include "secerr.h"
#include "sechash.h" /* for HASH_GetHashObject() */
#include "secder.h"
-/*#include "secpkcs5.h" */
+#include "secpkcs5.h"
struct sec_pkcs7_decoder_worker {
int depth;
diff --git a/security/nss/lib/pkcs7/p7local.c b/security/nss/lib/pkcs7/p7local.c
index 114bf73eb..68376cec0 100644
--- a/security/nss/lib/pkcs7/p7local.c
+++ b/security/nss/lib/pkcs7/p7local.c
@@ -47,7 +47,7 @@
#include "secoid.h"
#include "secitem.h"
#include "pk11func.h"
-/*#include "secpkcs5.h" */
+#include "secpkcs5.h"
#include "secerr.h"
/*
diff --git a/security/nss/lib/pki/certdecode.c b/security/nss/lib/pki/certdecode.c
index 0182216ee..4087d5113 100644
--- a/security/nss/lib/pki/certdecode.c
+++ b/security/nss/lib/pki/certdecode.c
@@ -54,6 +54,7 @@ nssPKIObject_Destroy
{
nssList_Destroy(object->instanceList);
nssArena_Destroy(object->arena);
+ return PR_SUCCESS;
}
#ifdef NSS_3_4_CODE
diff --git a/security/nss/lib/pki/certificate.c b/security/nss/lib/pki/certificate.c
index b1fe10885..b252e9f8f 100644
--- a/security/nss/lib/pki/certificate.c
+++ b/security/nss/lib/pki/certificate.c
@@ -90,8 +90,8 @@ NSSCertificate_Destroy
if (--c->refCount == 0) {
return nssPKIObject_Destroy(&c->object);
}
-#endif
return PR_SUCCESS;
+#endif
}
NSS_IMPLEMENT PRStatus
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
index 927627bb3..5155c83d9 100644
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -232,7 +232,7 @@ nss3certificate_matchIdentifier(nssDecodedCert *dc, NSSItem *id)
static NSSUsage *
nss3certificate_getUsage(nssDecodedCert *dc)
{
- CERTCertificate *c = (CERTCertificate *)dc->data;
+ /* CERTCertificate *c = (CERTCertificate *)dc->data; */
return NULL;
}
@@ -659,7 +659,7 @@ nssTrustDomain_TraverseCertificatesBySubject
void *arg
)
{
- PRStatus nssrv;
+ PRStatus nssrv = PR_SUCCESS;
NSSArena *tmpArena;
NSSCertificate **subjectCerts;
NSSCertificate *c;
@@ -687,7 +687,7 @@ nssTrustDomain_TraverseCertificatesByNickname
void *arg
)
{
- PRStatus nssrv;
+ PRStatus nssrv = PR_SUCCESS;
NSSArena *tmpArena;
NSSCertificate **nickCerts;
NSSCertificate *c;
@@ -714,7 +714,7 @@ nssTrustDomain_TraverseCertificates
void *arg
)
{
- PRStatus nssrv;
+ PRStatus nssrv = PR_SUCCESS;
NSSToken *token;
nssList *certList;
nssTokenCertSearch search;
diff --git a/security/nss/lib/pki/pkim.h b/security/nss/lib/pki/pkim.h
index 09d0a75a1..9690385ca 100644
--- a/security/nss/lib/pki/pkim.h
+++ b/security/nss/lib/pki/pkim.h
@@ -149,6 +149,12 @@ nssTrustDomain_FlushCache
PRFloat64 threshold
);
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_DestroyCache
+(
+ NSSTrustDomain *td
+);
+
/*
* Remove all certs for the given token from the cache. This is
* needed if the token is removed.
diff --git a/security/nss/lib/pki/tdcache.c b/security/nss/lib/pki/tdcache.c
index cc4612f41..43814af5b 100644
--- a/security/nss/lib/pki/tdcache.c
+++ b/security/nss/lib/pki/tdcache.c
@@ -51,6 +51,10 @@ static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
#include "base.h"
#endif /* BASE_H */
+#ifdef NSS_3_4_CODE
+#include "cert.h"
+#endif
+
#ifdef DEBUG_CACHE
static PRLogModuleInfo *s_log = NULL;
#endif
@@ -823,7 +827,7 @@ nssTrustDomain_GetCertsForEmailAddressFromCache
{
NSSCertificate **rvArray = NULL;
cache_entry *ce;
- nssList *collectList;
+ nssList *collectList = NULL;
#ifdef DEBUG_CACHE
PR_LOG(s_log, PR_LOG_DEBUG, ("looking for cert by email %s", email));
#endif
@@ -854,7 +858,7 @@ nssTrustDomain_GetCertsForEmailAddressFromCache
nssListIterator_Finish(iter);
nssListIterator_Destroy(iter);
}
- if (!certListOpt) {
+ if (!certListOpt && collectList) {
PRUint32 count = nssList_Count(collectList);
rvArray = nss_ZNEWARRAY(NULL, NSSCertificate *, count);
if (rvArray) {
diff --git a/security/nss/lib/pki1/atav.c b/security/nss/lib/pki1/atav.c
index 5d87efaf6..cd89bc7d6 100644
--- a/security/nss/lib/pki1/atav.c
+++ b/security/nss/lib/pki1/atav.c
@@ -1745,7 +1745,8 @@ nssATAV_Compare
return PR_SUCCESS;
}
- return nsslibc_compare(atav1->value, atav2->value, len1, equalp);
+ *equalp = nsslibc_memequal(atav1->value, atav2->value, len1, &status);
+ return status;
}
diff --git a/security/nss/lib/pki1/oid.c b/security/nss/lib/pki1/oid.c
index 2631682d4..9bddf33ee 100644
--- a/security/nss/lib/pki1/oid.c
+++ b/security/nss/lib/pki1/oid.c
@@ -324,7 +324,7 @@ oid_hash_compare
PRUint32 size = (i1->size < i2->size) ? i1->size : i2->size;
- rv = (PRIntn)nsslibc_memcmp(i1->data, i2->data, size, (PRStatus *)NULL);
+ rv = (PRIntn)nsslibc_memequal(i1->data, i2->data, size, (PRStatus *)NULL);
if( 0 == rv ) {
rv = i1->size - i2->size;
}
diff --git a/security/nss/lib/smime/cmscipher.c b/security/nss/lib/smime/cmscipher.c
index 8ad4efcc5..27e5668aa 100644
--- a/security/nss/lib/smime/cmscipher.c
+++ b/security/nss/lib/smime/cmscipher.c
@@ -43,7 +43,7 @@
#include "secitem.h"
#include "pk11func.h"
#include "secerr.h"
-/*#include "secpkcs5.h" */
+#include "secpkcs5.h"
/*
* -------------------------------------------------------------------
diff --git a/security/nss/lib/smime/cmsencdata.c b/security/nss/lib/smime/cmsencdata.c
index 0dc23a317..ac41f6052 100644
--- a/security/nss/lib/smime/cmsencdata.c
+++ b/security/nss/lib/smime/cmsencdata.c
@@ -46,6 +46,7 @@
#include "pk11func.h"
#include "prtime.h"
#include "secerr.h"
+#include "secpkcs5.h"
/*
* NSS_CMSEncryptedData_Create - create an empty encryptedData object.
diff --git a/security/nss/lib/smime/cmsenvdata.c b/security/nss/lib/smime/cmsenvdata.c
index fdd3d821a..e64c829a6 100644
--- a/security/nss/lib/smime/cmsenvdata.c
+++ b/security/nss/lib/smime/cmsenvdata.c
@@ -46,7 +46,7 @@
#include "secoid.h"
#include "pk11func.h"
#include "secerr.h"
-/*#include "secpkcs5.h" */
+#include "secpkcs5.h"
/*
* NSS_CMSEnvelopedData_Create - create an enveloped data message
diff --git a/security/nss/lib/smime/cmspubkey.c b/security/nss/lib/smime/cmspubkey.c
index 043b6cfc1..3e06da556 100644
--- a/security/nss/lib/smime/cmspubkey.c
+++ b/security/nss/lib/smime/cmspubkey.c
@@ -64,7 +64,7 @@ NSS_CMSUtil_EncryptSymKey_RSA(PLArenaPool *poolp, CERTCertificate *cert, PK11Sym
SECStatus rv;
SECKEYPublicKey *publickey;
int data_len;
- void *mark;
+ void *mark = NULL;
/* sanity check */
certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
@@ -76,6 +76,8 @@ NSS_CMSUtil_EncryptSymKey_RSA(PLArenaPool *poolp, CERTCertificate *cert, PK11Sym
goto loser;
mark = PORT_ArenaMark(poolp);
+ if (!mark)
+ goto loser;
/* allocate memory for the encrypted key */
data_len = SECKEY_PublicKeyStrength(publickey); /* block size (assumed to be > keylen) */
@@ -96,7 +98,9 @@ NSS_CMSUtil_EncryptSymKey_RSA(PLArenaPool *poolp, CERTCertificate *cert, PK11Sym
return SECSuccess;
loser:
- PORT_ArenaRelease(poolp, mark);
+ if (mark) {
+ PORT_ArenaRelease(poolp, mark);
+ }
return SECFailure;
}
@@ -131,9 +135,9 @@ NSS_CMSUtil_EncryptSymKey_MISSI(PLArenaPool *poolp, CERTCertificate *cert, PK11S
CERTCertificate *ourCert;
SECKEYPublicKey *ourPubKey, *publickey = NULL;
SECKEYPrivateKey *ourPrivKey = NULL;
- NSSCMSKEATemplateSelector whichKEA;
+ NSSCMSKEATemplateSelector whichKEA = NSSCMSKEAInvalid;
NSSCMSSMIMEKEAParameters keaParams;
- PLArenaPool *arena;
+ PLArenaPool *arena = NULL;
extern const SEC_ASN1Template *nss_cms_get_kea_template(NSSCMSKEATemplateSelector whichTemplate);
/* Clear keaParams, since cleanup code checks the lengths */
@@ -252,9 +256,12 @@ NSS_CMSUtil_EncryptSymKey_MISSI(PLArenaPool *poolp, CERTCertificate *cert, PK11S
}
PK11_FreeSymKey(tek);
+
if (err != SECSuccess)
goto loser;
+ PORT_Assert(whichKEA != NSSCMSKEAInvalid);
+
/* Encode the KEA parameters into the recipient info. */
params = SEC_ASN1EncodeItem(poolp, NULL, &keaParams, nss_cms_get_kea_template(whichKEA));
if (params == NULL)
@@ -374,7 +381,7 @@ NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11Sy
PK11SymKey *tek;
CERTCertificate *ourCert;
SECKEYPublicKey *ourPubKey;
- NSSCMSKEATemplateSelector whichKEA;
+ NSSCMSKEATemplateSelector whichKEA = NSSCMSKEAInvalid;
certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
PORT_Assert(certalgtag == SEC_OID_X942_DIFFIE_HELMAN_KEY);
@@ -455,6 +462,8 @@ NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11Sy
break;
default:
/* XXXX what do we do here? Neither RC2 nor 3DES... */
+ err = SECFailure;
+ /* set error */
break;
}
@@ -462,6 +471,8 @@ NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11Sy
if (err != SECSuccess)
goto loser;
+ PORT_Assert(whichKEA != NSSCMSKEAInvalid);
+
/* see RFC2630 12.3.1.1 "keyEncryptionAlgorithm must be ..." */
/* params is the DER encoded key wrap algorithm (with parameters!) (XXX) */
params = SEC_ASN1EncodeItem(arena, NULL, &keaParams, sec_pkcs7_get_kea_template(whichKEA));
diff --git a/security/nss/lib/smime/cmsrecinfo.c b/security/nss/lib/smime/cmsrecinfo.c
index 8fe5d9887..dfe05a07a 100644
--- a/security/nss/lib/smime/cmsrecinfo.c
+++ b/security/nss/lib/smime/cmsrecinfo.c
@@ -206,7 +206,7 @@ int
NSS_CMSRecipientInfo_GetVersion(NSSCMSRecipientInfo *ri)
{
unsigned long version;
- SECItem *versionitem;
+ SECItem *versionitem = NULL;
switch (ri->recipientInfoType) {
case NSSCMSRecipientInfoID_KeyTrans:
@@ -221,6 +221,11 @@ NSS_CMSRecipientInfo_GetVersion(NSSCMSRecipientInfo *ri)
versionitem = &(ri->ri.keyAgreeRecipientInfo.version);
break;
}
+
+ PORT_Assert(versionitem);
+ if (versionitem == NULL)
+ return 0;
+
/* always take apart the SECItem */
if (SEC_ASN1DecodeInteger(versionitem, &version) != SECSuccess)
return 0;
@@ -231,7 +236,7 @@ NSS_CMSRecipientInfo_GetVersion(NSSCMSRecipientInfo *ri)
SECItem *
NSS_CMSRecipientInfo_GetEncryptedKey(NSSCMSRecipientInfo *ri, int subIndex)
{
- SECItem *enckey;
+ SECItem *enckey = NULL;
switch (ri->recipientInfoType) {
case NSSCMSRecipientInfoID_KeyTrans:
@@ -253,7 +258,7 @@ NSS_CMSRecipientInfo_GetEncryptedKey(NSSCMSRecipientInfo *ri, int subIndex)
SECOidTag
NSS_CMSRecipientInfo_GetKeyEncryptionAlgorithmTag(NSSCMSRecipientInfo *ri)
{
- SECOidTag encalgtag;
+ SECOidTag encalgtag = SEC_OID_SHA1; /* set to not a valid encryption alg */
switch (ri->recipientInfoType) {
case NSSCMSRecipientInfoID_KeyTrans:
diff --git a/security/nss/lib/smime/cmst.h b/security/nss/lib/smime/cmst.h
index 3872489b7..f963109c9 100644
--- a/security/nss/lib/smime/cmst.h
+++ b/security/nss/lib/smime/cmst.h
@@ -444,6 +444,7 @@ struct NSSCMSEncryptedDataStr {
/* An enumerated type used to select templates based on the encryption
scenario and data specifics. */
typedef enum {
+ NSSCMSKEAInvalid = -1,
NSSCMSKEAUsesSkipjack = 0,
NSSCMSKEAUsesNonSkipjack = 1,
NSSCMSKEAUsesNonSkipjackWithPaddedEncKey = 2
diff --git a/security/nss/lib/softoken/dbinit.c b/security/nss/lib/softoken/dbinit.c
index 87dc9676c..8fa73fef2 100644
--- a/security/nss/lib/softoken/dbinit.c
+++ b/security/nss/lib/softoken/dbinit.c
@@ -43,10 +43,8 @@
#include "pcertt.h"
#include "lowkeyi.h"
#include "pcert.h"
-/*#include "secmodi.h" */
#include "secrng.h"
#include "cdbhdl.h"
-/*#include "pk11func.h" */
#include "pkcs11i.h"
static char *
@@ -108,7 +106,7 @@ static CK_RV
pk11_OpenCertDB(const char * configdir, const char *prefix, PRBool readOnly,
NSSLOWCERTCertDBHandle **certdbPtr)
{
- NSSLOWCERTCertDBHandle *certdb;
+ NSSLOWCERTCertDBHandle *certdb = NULL;
CK_RV crv = CKR_CERTDB_FAILED;
SECStatus rv;
char * name = NULL;
diff --git a/security/nss/lib/softoken/keydb.c b/security/nss/lib/softoken/keydb.c
index 059115741..ada5a58c8 100644
--- a/security/nss/lib/softoken/keydb.c
+++ b/security/nss/lib/softoken/keydb.c
@@ -719,6 +719,55 @@ done:
}
#endif
+static PRBool
+seckey_HasAServerKey(DB *db)
+{
+ DBT key;
+ DBT data;
+ int ret;
+ PRBool found = PR_FALSE;
+
+ ret = (* db->seq)(db, &key, &data, R_FIRST);
+ if ( ret ) {
+ return PR_FALSE;
+ }
+
+ do {
+ /* skip version record */
+ if ( data.size > 1 ) {
+ /* skip salt */
+ if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) {
+ if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) {
+ continue;
+ }
+ }
+ /* skip pw check entry */
+ if ( key.size == KEYDB_PW_CHECK_LEN ) {
+ if ( PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING,
+ KEYDB_PW_CHECK_LEN) == 0 ) {
+ continue;
+ }
+ }
+
+ /* keys stored by nickname will have 0 as the last byte of the
+ * db key. Other keys must be stored by modulus. We will not
+ * update those because they are left over from a keygen that
+ * never resulted in a cert.
+ */
+ if ( ((unsigned char *)key.data)[key.size-1] != 0 ) {
+ continue;
+ }
+
+ if (PORT_Strcmp(key.data,"Server-Key") == 0) {
+ found = PR_TRUE;
+ break;
+ }
+
+ }
+ } while ( (* db->seq)(db, &key, &data, R_NEXT) == 0 );
+
+ return found;
+}
/*
* currently updates key database from v2 to v3
*/
@@ -1048,7 +1097,9 @@ newdb:
}
+#ifdef NSS_USE_KEY4_DB
skip_v2_db:
+#endif
/* we are using the old salt if we updated from an old db */
if ( ! updated ) {
rv = makeGlobalSalt(handle);
@@ -1064,7 +1115,9 @@ skip_v2_db:
}
}
+#ifdef NSS_USE_KEY4_DB
done:
+#endif
handle->global_salt = GetKeyDBGlobalSalt(handle);
if ( dbname )
PORT_Free( dbname );
@@ -1493,7 +1546,7 @@ seckey_encrypt_private_key(
SECStatus rv = SECFailure;
PLArenaPool *temparena = NULL, *permarena = NULL;
SECItem *der_item = NULL;
- NSSPKCS5PBEParameter *param;
+ NSSPKCS5PBEParameter *param = NULL;
SECItem *dummy = NULL, *dest = NULL;
SECAlgorithmID *algid;
@@ -2146,56 +2199,6 @@ loser:
return(rv);
}
-static PRBool
-seckey_HasAServerKey(DB *db)
-{
- DBT key;
- DBT data;
- int ret;
- PRBool found = PR_FALSE;
-
- ret = (* db->seq)(db, &key, &data, R_FIRST);
- if ( ret ) {
- return PR_FALSE;
- }
-
- do {
- /* skip version record */
- if ( data.size > 1 ) {
- /* skip salt */
- if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) {
- if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) {
- continue;
- }
- }
- /* skip pw check entry */
- if ( key.size == KEYDB_PW_CHECK_LEN ) {
- if ( PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING,
- KEYDB_PW_CHECK_LEN) == 0 ) {
- continue;
- }
- }
-
- /* keys stored by nickname will have 0 as the last byte of the
- * db key. Other keys must be stored by modulus. We will not
- * update those because they are left over from a keygen that
- * never resulted in a cert.
- */
- if ( ((unsigned char *)key.data)[key.size-1] != 0 ) {
- continue;
- }
-
- if (PORT_Strcmp(key.data,"Server-Key") == 0) {
- found = PR_TRUE;
- break;
- }
-
- }
- } while ( (* db->seq)(db, &key, &data, R_NEXT) == 0 );
-
- return found;
-}
-
static SECStatus
seckey_CheckKeyDB1Password(NSSLOWKEYDBHandle *handle, SECItem *pwitem)
{
diff --git a/security/nss/lib/softoken/keydbi.h b/security/nss/lib/softoken/keydbi.h
index 28eb962ad..5e8c70fe6 100644
--- a/security/nss/lib/softoken/keydbi.h
+++ b/security/nss/lib/softoken/keydbi.h
@@ -71,7 +71,7 @@ SEC_BEGIN_PROTOS
** "f" is the user function to call for each key
** "udata" is the user's data, which is passed through to "f"
*/
-extern SECStatus NSSLOWKEY_TraverseKeys(NSSLOWKEYDBHandle *handle,
+extern SECStatus nsslowkey_TraverseKeys(NSSLOWKEYDBHandle *handle,
NSSLOWKEYTraverseKeysFunc f,
void *udata);
diff --git a/security/nss/lib/softoken/lowcert.c b/security/nss/lib/softoken/lowcert.c
index 917eb4e5d..91b7d0dc0 100644
--- a/security/nss/lib/softoken/lowcert.c
+++ b/security/nss/lib/softoken/lowcert.c
@@ -117,18 +117,6 @@ const SEC_ASN1Template nsslowcert_DHPublicKeyTemplate[] = {
{ 0, }
};
-
-NSSLOWCERTCertificate *
-nsslowcert_DupCertificate(NSSLOWCERTCertificate *c)
-{
- if (c) {
- nsslowcert_LockCertRefCount(c);
- ++c->referenceCount;
- nsslowcert_UnlockCertRefCount(c);
- }
- return c;
-}
-
/*
* Allow use of default cert database, so that apps(such as mozilla) don't
* have to pass the handle all over the place.
diff --git a/security/nss/lib/softoken/lowkeyi.h b/security/nss/lib/softoken/lowkeyi.h
index dd3fda6cc..877c19fe5 100644
--- a/security/nss/lib/softoken/lowkeyi.h
+++ b/security/nss/lib/softoken/lowkeyi.h
@@ -59,13 +59,6 @@ extern NSSLOWKEYDBHandle *nsslowkey_OpenKeyDBFilename(char *filename,
PRBool readOnly);
/*
-** Update the database
-*/
-extern SECStatus nsslowkey_UpdateKeyDBPass1(NSSLOWKEYDBHandle *handle);
-extern SECStatus nsslowkey_UpdateKeyDBPass2(NSSLOWKEYDBHandle *handle,
- SECItem *pwitem);
-
-/*
* Clear out all the keys in the existing database
*/
extern SECStatus nsslowkey_ResetKeyDB(NSSLOWKEYDBHandle *handle);
diff --git a/security/nss/lib/softoken/lowpbe.c b/security/nss/lib/softoken/lowpbe.c
index 6c9824ea6..91d936076 100644
--- a/security/nss/lib/softoken/lowpbe.c
+++ b/security/nss/lib/softoken/lowpbe.c
@@ -1124,7 +1124,7 @@ SECAlgorithmID *
nsspkcs5_CreateAlgorithmID(PRArenaPool *arena, SECOidTag algorithm,
NSSPKCS5PBEParameter *pbe_param)
{
- SECAlgorithmID *algid, *ret_algid;
+ SECAlgorithmID *algid, *ret_algid = NULL;
SECItem der_param;
SECStatus rv = SECFailure;
void *dummy = NULL;
diff --git a/security/nss/lib/softoken/pcert.h b/security/nss/lib/softoken/pcert.h
index 51a969f1a..d7e48004e 100644
--- a/security/nss/lib/softoken/pcert.h
+++ b/security/nss/lib/softoken/pcert.h
@@ -141,6 +141,57 @@ SECStatus
nsslowcert_OpenCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
NSSLOWCERTDBNameFunc namecb, void *cbarg, PRBool openVolatile);
+void
+nsslowcert_ClosePermCertDB(NSSLOWCERTCertDBHandle *handle);
+
+/*
+ * is certa newer than certb? If one is expired, pick the other one.
+ */
+PRBool
+nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb);
+
+
+SECStatus
+nsslowcert_TraverseDBEntries(NSSLOWCERTCertDBHandle *handle,
+ certDBEntryType type,
+ SECStatus (* callback)(SECItem *data, SECItem *key,
+ certDBEntryType type, void *pdata),
+ void *udata );
+SECStatus
+nsslowcert_TraversePermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+ SECItem *derSubject,
+ NSSLOWCERTCertCallback cb, void *cbarg);
+int
+nsslowcert_NumPermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+ SECItem *derSubject);
+SECStatus
+nsslowcert_TraversePermCertsForNickname(NSSLOWCERTCertDBHandle *handle,
+ char *nickname, NSSLOWCERTCertCallback cb, void *cbarg);
+
+int
+nsslowcert_NumPermCertsForNickname(NSSLOWCERTCertDBHandle *handle,
+ char *nickname);
+SECStatus
+nsslowcert_GetCertTrust(NSSLOWCERTCertificate *cert,
+ NSSLOWCERTCertTrust *trust);
+
+SECStatus
+nsslowcert_SaveSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, char *emailAddr,
+ SECItem *derSubject, SECItem *emailProfile, SECItem *profileTime);
+
+/*
+ * Change the trust attributes of a certificate and make them permanent
+ * in the database.
+ */
+SECStatus
+nsslowcert_ChangeCertTrust(NSSLOWCERTCertDBHandle *handle,
+ NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust);
+
+PRBool
+nsslowcert_hasTrust(NSSLOWCERTCertificate *cert);
+
+void
+nsslowcert_DestroyGlobalLocks(void);
SEC_END_PROTOS
diff --git a/security/nss/lib/softoken/pcertdb.c b/security/nss/lib/softoken/pcertdb.c
index 8b28e16bb..5663f61e9 100644
--- a/security/nss/lib/softoken/pcertdb.c
+++ b/security/nss/lib/softoken/pcertdb.c
@@ -84,7 +84,7 @@ certdb_InitDBLock(NSSLOWCERTCertDBHandle *handle)
* This lock is currently used for the following operations:
* adding or deleting a cert to either the temp or perm databases
* converting a temp to perm or perm to temp
- * changing(maybe just adding????) the trust of a cert
+ * changing (maybe just adding!?) the trust of a cert
* chaning the DB status checking Configuration
*/
static void
@@ -117,7 +117,7 @@ static PZLock *certRefCountLock = NULL;
* arg here so that it will be easy to make it per-cert in the future if
* that turns out to be necessary.
*/
-void
+static void
nsslowcert_LockCertRefCount(NSSLOWCERTCertificate *cert)
{
if ( certRefCountLock == NULL ) {
@@ -132,7 +132,7 @@ nsslowcert_LockCertRefCount(NSSLOWCERTCertificate *cert)
/*
* Free the cert reference count lock
*/
-void
+static void
nsslowcert_UnlockCertRefCount(NSSLOWCERTCertificate *cert)
{
PRStatus prstat;
@@ -183,6 +183,16 @@ nsslowcert_UnlockCertTrust(NSSLOWCERTCertificate *cert)
return;
}
+NSSLOWCERTCertificate *
+nsslowcert_DupCertificate(NSSLOWCERTCertificate *c)
+{
+ if (c) {
+ nsslowcert_LockCertRefCount(c);
+ ++c->referenceCount;
+ nsslowcert_UnlockCertRefCount(c);
+ }
+ return c;
+}
static int
certdb_Get(DB *db, DBT *key, DBT *data, unsigned int flags)
@@ -2869,7 +2879,8 @@ nsslowcert_TraversePermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
}
int
-nsslowcert_NumPermCertsForSubject(NSSLOWCERTCertDBHandle *handle, SECItem *derSubject)
+nsslowcert_NumPermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+ SECItem *derSubject)
{
certDBEntrySubject *entry;
int ret;
@@ -2888,8 +2899,8 @@ nsslowcert_NumPermCertsForSubject(NSSLOWCERTCertDBHandle *handle, SECItem *derSu
}
SECStatus
-nsslowcert_TraversePermCertsForNickname(NSSLOWCERTCertDBHandle *handle, char *nickname,
- NSSLOWCERTCertCallback cb, void *cbarg)
+nsslowcert_TraversePermCertsForNickname(NSSLOWCERTCertDBHandle *handle,
+ char *nickname, NSSLOWCERTCertCallback cb, void *cbarg)
{
certDBEntryNickname *nnentry = NULL;
certDBEntrySMime *smentry = NULL;
@@ -2923,9 +2934,9 @@ nsslowcert_TraversePermCertsForNickname(NSSLOWCERTCertDBHandle *handle, char *ni
return(rv);
}
-
int
-nsslowcert_NumPermCertsForNickname(NSSLOWCERTCertDBHandle *handle, char *nickname)
+nsslowcert_NumPermCertsForNickname(NSSLOWCERTCertDBHandle *handle,
+ char *nickname)
{
certDBEntryNickname *entry;
int ret;
@@ -3940,8 +3951,8 @@ nsslowcert_GetCertTrust(NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust)
* in the database.
*/
SECStatus
-nsslowcert_ChangeCertTrust(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTCertificate *cert,
- NSSLOWCERTCertTrust *trust)
+nsslowcert_ChangeCertTrust(NSSLOWCERTCertDBHandle *handle,
+ NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust)
{
certDBEntryCert *entry;
int rv;
@@ -4297,7 +4308,7 @@ nsslowcert_FindCrlByKey(NSSLOWCERTCertDBHandle *handle, SECItem *crlKey,
SECStatus rv;
SECItem *crl = NULL;
PRArenaPool *arena = NULL;
- certDBEntryRevocation *entry;
+ certDBEntryRevocation *entry = NULL;
certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation
: certDBEntryTypeRevocation;
@@ -4401,7 +4412,7 @@ nsslowcert_hasTrust(NSSLOWCERTCertificate *cert)
*/
SECStatus
nsslowcert_SaveSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, char *emailAddr,
- SECItem *derSubject, SECItem *emailProfile, SECItem *profileTime)
+ SECItem *derSubject, SECItem *emailProfile, SECItem *profileTime)
{
certDBEntrySMime *entry = NULL;
SECStatus rv = SECFailure;;
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index fb31e9801..1913d43e6 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -57,6 +57,7 @@
#include "secder.h"
#include "secport.h"
#include "pcert.h"
+#include "secrng.h"
#include "keydbi.h"
@@ -506,9 +507,6 @@ pk11_handleCertObject(PK11Session *session,PK11Object *object)
CK_CERTIFICATE_TYPE type;
PK11Attribute *attribute;
CK_RV crv;
- PK11SessionObject *sessObject = pk11_narrowToSessionObject(object);
-
- PORT_Assert(sessObject);
/* certificates must have a type */
if ( !pk11_hasAttribute(object,CKA_CERTIFICATE_TYPE) ) {
@@ -621,6 +619,7 @@ pk11_handleCertObject(PK11Session *session,PK11Object *object)
return CKR_OK;
}
+
unsigned int
pk11_MapTrust(CK_TRUST trust, PRBool clientAuth)
{
@@ -2201,7 +2200,6 @@ CK_RV NSC_Finalize (CK_VOID_PTR pReserved)
/* free all the slots */
if (nscSlotList) {
CK_ULONG tmpSlotCount = nscSlotCount;
- CK_ULONG tmpSlotListSize = nscSlotListSize;
CK_SLOT_ID_PTR tmpSlotList = nscSlotList;
PLHashTable *tmpSlotHashTable = nscSlotHashTable;
@@ -3634,64 +3632,6 @@ pk11_searchSMime(PK11Slot *slot, SECItem *email, PK11SearchResults *handles,
return;
}
-static void
-pk11_searchSMimeForCert(PK11Slot *slot, SECItem *email,
- unsigned long classFlags,
- PK11SearchResults *handles,
- CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
-{
- NSSLOWCERTCertDBHandle *certHandle = NULL;
- certDBEntrySMime *entry;
- int i;
-
- certHandle = slot->certDB;
- if (certHandle == NULL) return;
-
- if (email->data != NULL) {
- char *tmp_name = (char*)PORT_Alloc(email->len+1);
-
- if (tmp_name == NULL) {
- return;
- }
- PORT_Memcpy(tmp_name,email->data,email->len);
- tmp_name[email->len] = 0;
-
- entry = nsslowcert_ReadDBSMimeEntry(certHandle,tmp_name);
- if (entry) {
- int count;
- pk11CertData certData;
- certData.slot = slot;
- certData.max_cert_count = 0;
- certData.certs = NULL;
- certData.cert_count = 0;
- certData.template = pTemplate;
- certData.templ_count = ulCount;
- certData.classFlags = classFlags;
- certData.strict = NSC_STRICT;
- count = nsslowcert_NumPermCertsForSubject(certHandle,&entry->subjectName);
- pk11_CertSetupData(&certData,count);
- nsslowcert_TraversePermCertsForSubject(certHandle,&entry->subjectName,
- pk11_cert_collect, &certData);
-
- /*
- * build the handles
- */
- for (i=0 ; i < certData.cert_count ; i++) {
- NSSLOWCERTCertificate *cert = certData.certs[i];
- pk11_addHandle(handles,
- pk11_mkHandle(slot,&cert->certKey,PK11_TOKEN_TYPE_CERT));
- nsslowcert_DestroyCertificate(cert);
- }
-
- nsslowcert_DestroyDBEntry((certDBEntry *)entry);
- if (certData.certs) PORT_Free(certData.certs);
- }
- PORT_Free(tmp_name);
- }
- return;
-}
-
-
static CK_RV
pk11_searchTokenList(PK11Slot *slot, PK11SearchResults *search,
CK_ATTRIBUTE *pTemplate, CK_LONG ulCount,
@@ -3913,7 +3853,7 @@ pk11_searchTokenList(PK11Slot *slot, PK11SearchResults *search,
CK_RV NSC_FindObjectsInit(CK_SESSION_HANDLE hSession,
CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount)
{
- PK11SearchResults *search,*freeSearch;
+ PK11SearchResults *search = NULL, *freeSearch = NULL;
PK11Session *session = NULL;
PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
PRBool tokenOnly = PR_FALSE;
@@ -3966,8 +3906,8 @@ CK_RV NSC_FindObjectsInit(CK_SESSION_HANDLE hSession,
return CKR_OK;
loser:
- if (freeSearch) {
- pk11_FreeSearch(freeSearch);
+ if (search) {
+ pk11_FreeSearch(search);
}
if (session) {
pk11_FreeSession(session);
diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h
index 665f12613..0efc99068 100644
--- a/security/nss/lib/softoken/pkcs11i.h
+++ b/security/nss/lib/softoken/pkcs11i.h
@@ -508,6 +508,7 @@ extern CK_RV pk11_forceAttribute(PK11Object *object, CK_ATTRIBUTE_TYPE type,
void *value, unsigned int len);
extern CK_RV pk11_defaultAttribute(PK11Object *object, CK_ATTRIBUTE_TYPE type,
void *value, unsigned int len);
+extern unsigned int pk11_MapTrust(CK_TRUST trust, PRBool clientAuth);
extern PK11Object *pk11_NewObject(PK11Slot *slot);
extern CK_RV pk11_CopyObject(PK11Object *destObject, PK11Object *srcObject);
@@ -538,6 +539,7 @@ extern PK11Session *pk11_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
extern void pk11_update_state(PK11Slot *slot,PK11Session *session);
extern void pk11_update_all_states(PK11Slot *slot);
extern void pk11_FreeContext(PK11SessionContext *context);
+extern void pk11_CleanupFreeLists(void);
extern NSSLOWKEYPublicKey *pk11_GetPubKey(PK11Object *object,
CK_KEY_TYPE key_type);
@@ -576,6 +578,9 @@ CK_RV pk11_DBInit(const char *configdir, const char *certPrefix,
PRBool noKeyDB, PRBool forceOpen,
NSSLOWCERTCertDBHandle **certDB, NSSLOWKEYDBHandle **keyDB);
+void pk11_DBShutdown(NSSLOWCERTCertDBHandle *certHandle,
+ NSSLOWKEYDBHandle *keyHandle);
+
/*
* narrow objects
*/
@@ -592,6 +597,8 @@ CK_OBJECT_HANDLE pk11_mkHandle(PK11Slot *slot,
SECItem *dbKey, CK_OBJECT_HANDLE class);
PK11Object * pk11_NewTokenObject(PK11Slot *slot, SECItem *dbKey,
CK_OBJECT_HANDLE handle);
+PK11TokenObject *pk11_convertSessionToToken(PK11Object *so);
+
SEC_END_PROTOS
#endif /* _PKCS11I_H_ */
diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c
index 1ad205a2c..26be73d32 100644
--- a/security/nss/lib/softoken/pkcs11u.c
+++ b/security/nss/lib/softoken/pkcs11u.c
@@ -39,6 +39,7 @@
#include "lowkeyi.h"
#include "pcert.h"
#include "secasn1.h"
+#include "blapi.h"
/*
* ******************** Attribute Utilities *******************************
@@ -1337,11 +1338,11 @@ pk11_SetTrustAttribute(PK11TokenObject *to, CK_ATTRIBUTE_TYPE type,
break;
case CKA_TRUST_CLIENT_AUTH:
dbTrust.sslFlags = flags | (cert->trust->sslFlags &
- CERTDB_PRESERVE_TRUST_BITS|CERTDB_TRUSTED_CA);
+ (CERTDB_PRESERVE_TRUST_BITS|CERTDB_TRUSTED_CA));
break;
case CKA_TRUST_SERVER_AUTH:
dbTrust.sslFlags = flags | (cert->trust->sslFlags &
- CERTDB_PRESERVE_TRUST_BITS|CERTDB_TRUSTED_CLIENT_CA);
+ (CERTDB_PRESERVE_TRUST_BITS|CERTDB_TRUSTED_CLIENT_CA));
break;
default:
return CKR_ATTRIBUTE_READ_ONLY;
@@ -2612,10 +2613,11 @@ pk11_tokenMatch(PK11Slot *slot, SECItem *dbKey, CK_OBJECT_HANDLE class,
}
PK11TokenObject *
-pk11_convertSessionToToken(PK11SessionObject *so)
+pk11_convertSessionToToken(PK11Object *obj)
{
SECItem *key;
- PK11TokenObject *to = pk11_narrowToTokenObject(&so->obj);
+ PK11SessionObject *so = (PK11SessionObject *)obj;
+ PK11TokenObject *to = pk11_narrowToTokenObject(obj);
SECStatus rv;
pk11_DestroySessionObjectData(so);
diff --git a/security/nss/lib/ssl/authcert.c b/security/nss/lib/ssl/authcert.c
index 5a9c45e5a..bd473f11f 100644
--- a/security/nss/lib/ssl/authcert.c
+++ b/security/nss/lib/ssl/authcert.c
@@ -59,8 +59,8 @@ NSS_GetClientAuthData(void * arg,
struct CERTCertificateStr ** pRetCert,
struct SECKEYPrivateKeyStr **pRetKey)
{
- CERTCertificate * cert;
- SECKEYPrivateKey * privkey;
+ CERTCertificate * cert = NULL;
+ SECKEYPrivateKey * privkey = NULL;
char * chosenNickName = (char *)arg; /* CONST */
void * proto_win = NULL;
SECStatus rv = SECFailure;
diff --git a/security/nss/lib/ssl/emulate.c b/security/nss/lib/ssl/emulate.c
index bb6efc140..031de3ada 100644
--- a/security/nss/lib/ssl/emulate.c
+++ b/security/nss/lib/ssl/emulate.c
@@ -202,7 +202,7 @@ ssl_EmulateTransmitFile( PRFileDesc * sd,
PRTransmitFileFlags flags,
PRIntervalTime timeout)
{
- void * addr;
+ void * addr = NULL;
PRFileMap * mapHandle = NULL;
PRInt32 count = 0;
PRInt32 index = 0;
@@ -461,7 +461,7 @@ PRInt32
ssl_EmulateSendFile(PRFileDesc *sd, PRSendFileData *sfd,
PRTransmitFileFlags flags, PRIntervalTime timeout)
{
- void * addr;
+ void * addr = NULL;
PRFileMap * mapHandle = NULL;
PRInt32 count = 0;
PRInt32 file_bytes;
@@ -529,6 +529,13 @@ ssl_EmulateSendFile(PRFileDesc *sd, PRSendFileData *sfd,
len = mmap_len - addr_offset;
}
/*
+ * OK I've convinced myself that length has to be possitive (file_bytes is
+ * negative or SENDFILE_MMAP_CHUNK is less than pagesize). Just assert
+ * that this is the case so we catch problems in debug builds.
+ */
+ PORT_Assert(len >= 0);
+
+ /*
* Map in (part of) file. Take care of zero-length files.
*/
if (len > 0) {
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
index 191218c0a..b7e3ec024 100644
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -474,9 +474,9 @@ ssl3_config_match_init(sslSocket *ss)
/* Mark the suites that are backed by real tokens, certs and keys */
suite->isPresent = (PRBool)
(((exchKeyType == kt_null) ||
- (!isServer || (svrAuth->serverKey &&
+ ((!isServer || (svrAuth->serverKey &&
svrAuth->serverCertChain)) &&
- PK11_TokenExists(kea_alg_defs[exchKeyType])) &&
+ PK11_TokenExists(kea_alg_defs[exchKeyType]))) &&
((cipher_alg == calg_null) || PK11_TokenExists(cipher_mech)));
if (suite->isPresent)
++numPresent;
@@ -2955,6 +2955,10 @@ ssl_UnwrapSymWrappingKey(
PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
masterWrapMech, CKA_UNWRAP, 0);
break;
+ default:
+ /* Assert? */
+ SET_ERROR_CODE
+ goto loser;
}
loser:
return unwrappedWrappingKey;
@@ -2987,7 +2991,7 @@ getWrappingKey( sslSocket * ss,
SECKEYPublicKey * svrPubKey = NULL;
PK11SymKey * unwrappedWrappingKey = NULL;
PK11SymKey ** pSymWrapKey;
- CK_MECHANISM_TYPE asymWrapMechanism;
+ CK_MECHANISM_TYPE asymWrapMechanism = CKM_INVALID_MECHANISM;
int length;
int symWrapMechIndex;
SECStatus rv;
@@ -3121,6 +3125,8 @@ getWrappingKey( sslSocket * ss,
goto loser;
}
+ PORT_Assert(asymWrapMechanism != CKM_INVALID_MECHANISM);
+
wswk.symWrapMechanism = masterWrapMech;
wswk.symWrapMechIndex = symWrapMechIndex;
wswk.asymWrapMechanism = asymWrapMechanism;
@@ -3517,7 +3523,7 @@ loser:
static SECStatus
sendFortezzaClientKeyExchange(sslSocket * ss, SECKEYPublicKey * serverKey)
{
- ssl3CipherSpec * pwSpec;
+ ssl3CipherSpec * pwSpec = NULL;
sslSessionID * sid = ss->sec->ci.sid;
PK11SlotInfo * slot = NULL;
PK11SymKey * pms = NULL;
diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c
index 1cf901efa..0c5e76130 100644
--- a/security/nss/lib/ssl/sslcon.c
+++ b/security/nss/lib/ssl/sslcon.c
@@ -1467,10 +1467,10 @@ loser:
static SECStatus
ssl2_CreateSessionCypher(sslSocket *ss, sslSessionID *sid, PRBool isClient)
{
- sslSecurityInfo * sec;
+ sslSecurityInfo * sec = NULL;
sslConnectInfo * ci;
- SECItem * rk;
- SECItem * wk;
+ SECItem * rk = NULL;
+ SECItem * wk = NULL;
SECItem * param;
SECStatus rv;
int cipherType = sid->u.ssl2.cipherType;
@@ -1505,10 +1505,9 @@ ssl2_CreateSessionCypher(sslSocket *ss, sslSessionID *sid, PRBool isClient)
SSL_DBG(("%d: SSL[%d]: ssl2_CreateSessionCypher: unknown cipher=%d",
SSL_GETPID(), ss->fd, cipherType));
PORT_SetError(isClient ? SSL_ERROR_BAD_SERVER : SSL_ERROR_BAD_CLIENT);
- goto loser;
+ goto sec_loser;
}
- sec = ss->sec;
ci = &sec->ci;
rk = isClient ? &readKey : &writeKey;
wk = isClient ? &writeKey : &readKey;
@@ -1590,8 +1589,12 @@ ssl2_CreateSessionCypher(sslSocket *ss, sslSessionID *sid, PRBool isClient)
rv = SECFailure;
done:
- SECITEM_ZfreeItem(rk, PR_FALSE);
- SECITEM_ZfreeItem(wk, PR_FALSE);
+ if (rk) {
+ SECITEM_ZfreeItem(rk, PR_FALSE);
+ }
+ if (wk) {
+ SECITEM_ZfreeItem(wk, PR_FALSE);
+ }
return rv;
}
@@ -1623,7 +1626,7 @@ ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits,
PRUint8 *ek, unsigned int ekLen,
PRUint8 *ca, unsigned int caLen)
{
- PRUint8 *kk;
+ PRUint8 *kk = NULL;
sslSecurityInfo * sec;
sslSessionID * sid;
PRUint8 * kbuf = 0; /* buffer for RSA decrypted data. */
@@ -1740,6 +1743,9 @@ hide_loser:
* Instead, Generate a completely bogus master key .
*/
PK11_GenerateRandom(kbuf, ekLen);
+ if (!kk) {
+ kk = kbuf + ekLen - (keySize-ckLen);
+ }
}
/*
@@ -3042,7 +3048,7 @@ ssl2_BeginClientHandshake(sslSocket *ss)
PRUint8 *localCipherSpecs = NULL;
unsigned int localCipherSize;
unsigned int i;
- int sendLen, sidLen;
+ int sendLen, sidLen = 0;
SECStatus rv;
PORT_Assert( ssl_Have1stHandshakeLock(ss) );
@@ -3871,8 +3877,6 @@ NSSSSL_VersionCheck(const char *importedVersion)
* not compatible with future major, minor, or
* patch releases.
*/
- int vmajor = 0, vminor = 0, vpatch = 0;
- const char *ptr = importedVersion;
volatile char c; /* force a reference that won't get optimized away */
c = __nss_ssl_rcsid[0] + __nss_ssl_sccsid[0];
diff --git a/security/nss/lib/ssl/ssldef.c b/security/nss/lib/ssl/ssldef.c
index 81d6db8c8..e5c38b132 100644
--- a/security/nss/lib/ssl/ssldef.c
+++ b/security/nss/lib/ssl/ssldef.c
@@ -88,7 +88,7 @@ int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
rv = lower->methods->recv(lower, (void *)buf, len, flags, ss->rTimeout);
if (rv < 0) {
- PRErrorCode err = PR_GetError();
+ /* PRErrorCode err = PR_GetError(); */
MAP_ERROR(PR_SOCKET_SHUTDOWN_ERROR, PR_CONNECT_RESET_ERROR)
} else if (rv > len) {
PORT_Assert(rv <= len);
@@ -152,7 +152,7 @@ int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len)
rv = lower->methods->read(lower, (void *)buf, len);
if (rv < 0) {
- PRErrorCode err = PR_GetError();
+ /* PRErrorCode err = PR_GetError(); */
MAP_ERROR(PR_SOCKET_SHUTDOWN_ERROR, PR_CONNECT_RESET_ERROR)
}
return rv;
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
index 4e0d5b1e0..6a0160f17 100644
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -317,7 +317,9 @@ ssl_FreeSocket(sslSocket *ss)
int i;
sslSocket *fs;
+#ifdef DEBUG
sslSocket lSock;
+#endif
/* Get every lock you can imagine!
** Caller already holds these:
diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c
index ded548a00..f9fd88da8 100644
--- a/security/nss/lib/util/secitem.c
+++ b/security/nss/lib/util/secitem.c
@@ -275,8 +275,6 @@ SECITEM_Hash ( const void *key)
PRIntn PR_CALLBACK
SECITEM_HashCompare ( const void *k1, const void *k2)
{
- PRIntn rv;
-
const SECItem *i1 = (const SECItem *)k1;
const SECItem *i2 = (const SECItem *)k2;