-rw-r--r-- | dbm/include/mcom_db.h | 12 | ||||
-rw-r--r-- | security/coreconf/Darwin.mk | 2 | ||||
-rw-r--r-- | security/coreconf/OS2.mk | 14 | ||||
-rw-r--r-- | security/coreconf/OpenBSD.mk | 7 | ||||
-rw-r--r-- | security/coreconf/WIN32.mk | 2 | ||||
-rw-r--r-- | security/nss/lib/certdb/alg1485.c | 10 | ||||
-rw-r--r-- | security/nss/lib/certdb/genname.c | 27 | ||||
-rw-r--r-- | security/nss/lib/certhigh/certhigh.c | 2 | ||||
-rw-r--r-- | security/nss/lib/freebl/Makefile | 8 | ||||
-rw-r--r-- | security/nss/lib/nss/nss.h | 4 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/Makefile | 11 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/pk11cert.c | 58 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/pk11func.h | 4 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/pk11skey.c | 29 | ||||
-rw-r--r-- | security/nss/lib/pkcs7/p7decode.c | 5 | ||||
-rw-r--r-- | security/nss/lib/pki/pki3hack.c | 19 | ||||
-rw-r--r-- | security/nss/lib/pki/pki3hack.h | 11 | ||||
-rw-r--r-- | security/nss/lib/pki/tdcache.c | 8 | ||||
-rw-r--r-- | security/nss/lib/ssl/sslmutex.c | 19 | ||||
-rw-r--r-- | security/nss/lib/util/secitem.c | 18 | ||||
-rw-r--r-- | security/nss/tests/ssl/sslreq.txt | 4 |
21 files changed, 175 insertions, 99 deletions
diff --git a/dbm/include/mcom_db.h b/dbm/include/mcom_db.h index 43d21ad9c..97e74260e 100644 --- a/dbm/include/mcom_db.h +++ b/dbm/include/mcom_db.h @@ -190,7 +190,7 @@ #define LITTLE_ENDIAN 1234 #endif -#if defined(_WINDOWS) || defined(XP_OS2) +#if defined(_WINDOWS) #ifdef BYTE_ORDER #undef BYTE_ORDER #endif @@ -222,14 +222,6 @@ #define MAXPATHLEN 1024 #endif -#ifdef XP_OS2_VACPP -#include <os2.h> -#define MAXPATHLEN CCHMAXPATH -#define EPERM EINVAL -#define ENOTDIR EBADPOS -#define S_ISDIR(s) ((s) & S_IFDIR) -#endif - #define EFTYPE EINVAL /* POSIX 1003.1 format errno. */ #ifndef STDERR_FILENO @@ -253,7 +245,7 @@ int mkstemp(const char *path); PR_END_EXTERN_C #endif /* MACINTOSH */ -#if !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2) +#if !defined(_WINDOWS) && !defined(macintosh) #include <sys/stat.h> #include <errno.h> #endif diff --git a/security/coreconf/Darwin.mk b/security/coreconf/Darwin.mk index d58e5c760..edda3effb 100644 --- a/security/coreconf/Darwin.mk +++ b/security/coreconf/Darwin.mk @@ -59,7 +59,7 @@ endif # definitions so that the linker can catch multiply-defined symbols. # Also, common symbols are not allowed with Darwin dynamic libraries. -OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) -Wmost -fpascal-strings -traditional-cpp -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK +OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) -Wmost -fpascal-strings -no-cpp-precomp -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK ifdef BUILD_OPT OPTIMIZER = -O2 diff --git a/security/coreconf/OS2.mk b/security/coreconf/OS2.mk index 562a81de5..a8eed088f 100644 --- a/security/coreconf/OS2.mk +++ b/security/coreconf/OS2.mk @@ -62,7 +62,7 @@ ifdef XP_OS2_EMX CCC = gcc LINK = gcc -AR = emxomfar -p256 r $@ +AR = emxomfar r $@ # Keep AR_FLAGS blank so that we do not have to change rules.mk AR_FLAGS = RANLIB = @echo OS2 RANLIB 
@@ -73,6 +73,8 @@ FILTER = emxexp -o # GCC for OS/2 currently predefines these, but we don't want them DEFINES += -Uunix -U__unix -U__unix__ +DEFINES += -DTCPV40HDRS + ifndef NO_SHARED_LIB WRAP_MALLOC_LIB = WRAP_MALLOC_CFLAGS = @@ -82,10 +84,7 @@ MKSHLIB = $(CXX) $(CXXFLAGS) $(DSO_LDOPTS) -o $@ MKCSHLIB = $(CC) $(CFLAGS) $(DSO_LDOPTS) -o $@ MKSHLIB_FORCE_ALL = MKSHLIB_UNFORCE_ALL = -DSO_LDOPTS = -Zomf -Zdll -Zmt -Zcrtdll -ifeq (,$(EMXOMFLD_LINKER)) # using LINK386.EXE - DSO_LDOPTS += -Zlinker /NOO -endif +DSO_LDOPTS = -Zomf -Zdll SHLIB_LDSTARTFILE = SHLIB_LDENDFILE = ifdef MAPFILE @@ -98,11 +97,12 @@ PROCESS_MAP_FILE = \ echo DATA PRELOAD MOVEABLE MULTIPLE NONSHARED >> $@; \ echo EXPORTS >> $@; \ grep -v ';+' $(LIBRARY_NAME).def | grep -v ';-' | \ - sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' >> $@ + sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,\([\t ]*\),\1_,' | \ + awk 'BEGIN {ord=1;} { print($$0 " @" ord " RESIDENTNAME"); ord++;}' >> $@ endif #NO_SHARED_LIB -OS_CFLAGS = -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Zmtd -Zomf -Zmt -DDEBUG -DDEBUG_wintrinh -DTRACING -g +OS_CFLAGS = -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Zomf -DDEBUG -DTRACING -g # Where the libraries are MOZ_COMPONENT_NSPR_LIBS=-L$(DIST)/lib $(NSPR_LIBS) diff --git a/security/coreconf/OpenBSD.mk b/security/coreconf/OpenBSD.mk index 14fa73489..9c6fb3efc 100644 --- a/security/coreconf/OpenBSD.mk +++ b/security/coreconf/OpenBSD.mk @@ -46,6 +46,13 @@ OS_REL_CFLAGS = -Di386 CPU_ARCH = x86 endif +ifndef CLASSIC_NSPR +USE_PTHREADS = 1 +DEFINES += -D_THREAD_SAFE -pthread +OS_LIBS += -pthread +DSO_LDOPTS += -pthread +endif + DLL_SUFFIX = so.1.0 OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) -ansi -Wall -pipe -DOPENBSD diff --git a/security/coreconf/WIN32.mk b/security/coreconf/WIN32.mk index 9487e12f5..42347d850 100644 --- a/security/coreconf/WIN32.mk +++ b/security/coreconf/WIN32.mk 
@@ -46,7 +46,7 @@ ifdef NS_USE_GCC AR += cr $@ RANLIB = ranlib BSDECHO = echo - RC = windres.exe -O coff + RC = windres.exe -O coff --use-temp-file LINK_DLL = $(CC) $(OS_DLLFLAGS) $(DLLFLAGS) else CC = cl diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c index e414f4eb4..b84915f11 100644 --- a/security/nss/lib/certdb/alg1485.c +++ b/security/nss/lib/certdb/alg1485.c @@ -1130,11 +1130,13 @@ cert_GetCertificateEmailAddresses(CERTCertificate *cert) } /* now copy superstring to cert's arena */ finalLen = (pBuf - addrBuf) + 1; - pBuf = PORT_ArenaAlloc(cert->arena, finalLen); - if (pBuf) { - PORT_Memcpy(pBuf, addrBuf, finalLen); + pBuf = NULL; + if (finalLen > 1) { + pBuf = PORT_ArenaAlloc(cert->arena, finalLen); + if (pBuf) { + PORT_Memcpy(pBuf, addrBuf, finalLen); + } } - loser: if (tmpArena) PORT_FreeArena(tmpArena, PR_FALSE); diff --git a/security/nss/lib/certdb/genname.c b/security/nss/lib/certdb/genname.c index 94cde971a..e8ddcee71 100644 --- a/security/nss/lib/certdb/genname.c +++ b/security/nss/lib/certdb/genname.c @@ -193,17 +193,30 @@ CERT_CreateGeneralNameList(CERTGeneralName *name) { } list = (CERTGeneralNameList *) PORT_ArenaZAlloc(arena, sizeof(CERTGeneralNameList)); + if (!list) + goto loser; if (name != NULL) { + SECStatus rv; list->name = (CERTGeneralName *) PORT_ArenaZAlloc(arena, sizeof(CERTGeneralName)); + if (!list->name) + goto loser; list->name->l.next = list->name->l.prev = &list->name->l; - CERT_CopyGeneralName(arena, list->name, name); + rv = CERT_CopyGeneralName(arena, list->name, name); + if (rv != SECSuccess) + goto loser; } list->lock = PZ_NewLock(nssILockList); + if (!list->lock) + goto loser; list->arena = arena; list->refCount = 1; done: return list; + +loser: + PORT_FreeArena(arena, PR_FALSE); + return NULL; } CERTGeneralName * @@ -244,7 +257,6 @@ SECItem * CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest, PRArenaPool *arena) { - PORT_Assert(arena); if (arena == NULL) { goto loser; 
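Review bot: With the new `finalLen > 1` guard in cert_GetCertificateEmailAddresses, `pBuf` ends up NULL both when the certificate carries no e-mail address and when `PORT_ArenaAlloc` fails, and nothing in the hunk records which case occurred. The return statement is outside the hunk, so whether callers need to tell the two apart is inferred rather than shown. A comment above `pBuf = NULL;` such as `/* NULL means "no addresses"; an allocation failure looks the same to the caller */` would document the contract. The function body starts and ends outside the hunk.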
@@ -290,9 +302,12 @@ CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest, PRArenaPool *are case certDirectoryName: if (genName->derDirectoryName.data == NULL) { /* The field hasn't been encoded yet. */ + SECItem * pre_dest = SEC_ASN1EncodeItem (arena, &(genName->derDirectoryName), &(genName->name.directoryName), CERT_NameTemplate); + if (!pre_dest) + goto loser; } if (genName->derDirectoryName.data == NULL) { goto loser; @@ -570,10 +585,10 @@ cert_DecodeNameConstraint(PRArenaPool *arena, SECStatus rv = SECSuccess; CERTGeneralName *temp; - - PORT_Assert(arena); constraint = (CERTNameConstraint *) PORT_ArenaZAlloc(arena, sizeof(CERTNameConstraint)); + if (!constraint) + goto loser; rv = SEC_ASN1DecodeItem(arena, constraint, CERTNameConstraintTemplate, encodedConstraint); if (rv != SECSuccess) { goto loser; @@ -700,6 +715,8 @@ CERT_CopyGeneralName(PRArenaPool *arena, rv = SECITEM_CopyItem(arena, &dest->name.other, &src->name.other); } } + if (rv != SECSuccess) + return rv; src = cert_get_next_general_name(src); /* if there is only one general name, we shouldn't do this */ if (src != srcHead) { @@ -711,6 +728,8 @@ CERT_CopyGeneralName(PRArenaPool *arena, temp = (CERTGeneralName *) PORT_ZAlloc(sizeof(CERTGeneralName)); } + if (!temp) + return SECFailure; temp->l.next = &destHead->l; temp->l.prev = &dest->l; destHead->l.prev = &temp->l; diff --git a/security/nss/lib/certhigh/certhigh.c b/security/nss/lib/certhigh/certhigh.c index 3b818d370..f9911b81c 100644 --- a/security/nss/lib/certhigh/certhigh.c +++ b/security/nss/lib/certhigh/certhigh.c @@ -418,7 +418,7 @@ CollectNicknames( NSSCertificate *c, void *data) * a duplicate */ if ( saveit ) { - nickname = STAN_GetCERTCertificateName(c); + nickname = STAN_GetCERTCertificateName(NULL, c); /* nickname can only be NULL here if we are having memory * alloc problems */ if (nickname == NULL) { diff --git a/security/nss/lib/freebl/Makefile b/security/nss/lib/freebl/Makefile index 712b55cf1..7aba1e81e 100644 
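Review bot: In cert_DecodeNameConstraint the `PORT_Assert(arena)` is dropped without a runtime replacement, so a NULL `arena` is passed straight to `PORT_ArenaZAlloc(arena, sizeof(CERTNameConstraint))`. CERT_EncodeGeneralName in the same file keeps an explicit `if (arena == NULL) { goto loser; }` after losing its assert, and the two should agree. Whether `PORT_ArenaZAlloc` tolerates a NULL arena is not visible here, so I would add `if (!arena) goto loser;` before the allocation, provided the `loser` path (outside the hunk) does not itself touch `arena`.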
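Review bot: The two new early returns in CERT_CopyGeneralName (`if (rv != SECSuccess) return rv;` and `if (!temp) return SECFailure;`) leave every node already linked into `destHead` in place, and in the non-arena branch those nodes come from `PORT_ZAlloc`. A caller that simply discards `dest` on failure would leak them. Either unwind the partial list before returning, or state the contract in the function comment, for example `/* On failure dest may hold a partially copied list; the caller must release it. */`. The loop and the arena branch lie outside both hunks, so the existing cleanup path, if any, is not shown.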
--- a/security/nss/lib/freebl/Makefile +++ b/security/nss/lib/freebl/Makefile @@ -338,3 +338,11 @@ release_md:: cd $(PURE32DIR) && $(MAKE) FREEBL_RECURSIVE_BUILD=1 USE_PURE_32=1 FREEBL_PARENT=$(CDDIR) CORE_DEPTH=$(CDDIR)/$(CORE_DEPTH) $@ endif + +# Bugzilla Bug 209827: disable optimization to work around what appears +# to be a VACPP optimizer bug. +ifdef XP_OS2_VACPP +$(OBJDIR)/alg2268.obj: alg2268.c + @$(MAKE_OBJDIR) + $(CC) -Fo$@ -c $(filter-out /O+, $(CFLAGS)) $(call abspath,$<) +endif diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index e6baca71c..f2c73b7c8 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -49,10 +49,10 @@ SEC_BEGIN_PROTOS * The format of the version string should be * "<major version>.<minor version>[.<patch level>] [<Beta>]" */ -#define NSS_VERSION "3.8.1 Beta" +#define NSS_VERSION "3.8.2 Beta 2" #define NSS_VMAJOR 3 #define NSS_VMINOR 8 -#define NSS_VPATCH 1 +#define NSS_VPATCH 2 #define NSS_BETA PR_TRUE diff --git a/security/nss/lib/pk11wrap/Makefile b/security/nss/lib/pk11wrap/Makefile index a84456e7d..333b07d37 100644 --- a/security/nss/lib/pk11wrap/Makefile +++ b/security/nss/lib/pk11wrap/Makefile @@ -86,3 +86,14 @@ $(OBJDIR)/pk11slot.o: pk11slot.c endif endif endif + +# Bugzilla Bug 209827: disable optimization to work around what appears +# to be a VACPP optimizer bug. +ifdef XP_OS2_VACPP +$(OBJDIR)/pk11skey.obj: pk11skey.c + @$(MAKE_OBJDIR) + $(CC) -Fo$@ -c $(filter-out /O+, $(CFLAGS)) $(call abspath,$<) +$(OBJDIR)/pk11slot.obj: pk11slot.c + @$(MAKE_OBJDIR) + $(CC) -Fo$@ -c $(filter-out /O+, $(CFLAGS)) $(call abspath,$<) +endif diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c index 33d896ec5..ebe346f99 100644 --- a/security/nss/lib/pk11wrap/pk11cert.c +++ b/security/nss/lib/pk11wrap/pk11cert.c 
@@ -3308,19 +3308,6 @@ struct listCertsStr { CERTCertList *certList; }; -static PRBool -isOnList(CERTCertList *certList,NSSCertificate *c) -{ - CERTCertListNode *cln; - - for (cln = CERT_LIST_HEAD(certList); !CERT_LIST_END(cln,certList); - cln = CERT_LIST_NEXT(cln)) { - if (cln->cert->nssCertificate == c) { - return PR_TRUE; - } - } - return PR_FALSE; -} static PRStatus pk11ListCertCallback(NSSCertificate *c, void *arg) { @@ -3353,12 +3340,6 @@ pk11ListCertCallback(NSSCertificate *c, void *arg) return PR_SUCCESS; } - /* if we want Unique certs and we already have it on our list, skip it */ - if ( isUnique && isOnList(certList,c) ) { - return PR_SUCCESS; - } - - newCert = STAN_GetCERTCertificate(c); if (!newCert) { return PR_SUCCESS; 
@@ -3367,15 +3348,42 @@ pk11ListCertCallback(NSSCertificate *c, void *arg) if( isCA && (!CERT_IsCACert(newCert, &certType)) ) { return PR_SUCCESS; } - CERT_DupCertificate(newCert); + if (isUnique) { + CERT_DupCertificate(newCert); - nickname = STAN_GetCERTCertificateName(c); + nickname = STAN_GetCERTCertificateName(certList->arena, c); - /* put slot certs at the end */ - if (newCert->slot && !PK11_IsInternal(newCert->slot)) { - CERT_AddCertToListTailWithData(certList,newCert,nickname); + /* put slot certs at the end */ + if (newCert->slot && !PK11_IsInternal(newCert->slot)) { + CERT_AddCertToListTailWithData(certList,newCert,nickname); + } else { + CERT_AddCertToListHeadWithData(certList,newCert,nickname); + } } else { - CERT_AddCertToListHeadWithData(certList,newCert,nickname); + /* add multiple instances to the cert list */ + nssCryptokiObject **ip; + nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object); + if (!instances) { + return PR_SUCCESS; + } + for (ip = instances; *ip; ip++) { + nssCryptokiObject *instance = *ip; + PK11SlotInfo *slot = instance->token->pk11slot; + + /* put the same CERTCertificate in the list for all instances */ + CERT_DupCertificate(newCert); + + nickname = STAN_GetCERTCertificateNameForInstance( + certList->arena, c, instance); + + /* put slot certs at the end */ + if (slot && !PK11_IsInternal(slot)) { + CERT_AddCertToListTailWithData(certList,newCert,nickname); + } else { + CERT_AddCertToListHeadWithData(certList,newCert,nickname); + } + } + nssCryptokiObjectArray_Destroy(instances); } return PR_SUCCESS; } diff --git a/security/nss/lib/pk11wrap/pk11func.h b/security/nss/lib/pk11wrap/pk11func.h index 115a42bb3..801d26eb7 100644 --- a/security/nss/lib/pk11wrap/pk11func.h +++ b/security/nss/lib/pk11wrap/pk11func.h 
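Review bot: In pk11ListCertCallback the reference taken by `CERT_DupCertificate(newCert)` is never released if `CERT_AddCertToListTailWithData` or `CERT_AddCertToListHeadWithData` fails, because their return values are ignored in both the `isUnique` branch and the per-instance loop. Checking the result keeps the reference count balanced, e.g. `if (CERT_AddCertToListTailWithData(certList, newCert, nickname) != SECSuccess) CERT_DestroyCertificate(newCert);`. The loop also reads `instance->token->pk11slot` without testing `instance->token`. If a token-less instance is possible (not determinable from this hunk), `if (!instance->token) continue;` is a cheap guard. The callback begins outside the hunk.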
@@ -264,6 +264,10 @@ PK11SymKey *PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent, PRBool owner, void *wincx); PK11SymKey *PK11_GetWrapKey(PK11SlotInfo *slot, int wrap, CK_MECHANISM_TYPE type,int series, void *wincx); +/* + * This function is not thread-safe. It can only be called when only + * one thread has a reference to wrapKey. + */ void PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey); CK_MECHANISM_TYPE PK11_GetMechanism(PK11SymKey *symKey); CK_OBJECT_HANDLE PK11_ImportPublicKey(PK11SlotInfo *slot, diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c index 430b40f3e..6d582f874 100644 --- a/security/nss/lib/pk11wrap/pk11skey.c +++ b/security/nss/lib/pk11wrap/pk11skey.c @@ -324,6 +324,11 @@ PK11_GetWrapKey(PK11SlotInfo *slot, int wrap, CK_MECHANISM_TYPE type, return symKey; } +/* + * This function is not thread-safe because it sets wrapKey->sessionOwner + * without using a lock or atomic routine. It can only be called when + * only one thread has a reference to wrapKey. + */ void PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey) { 
@@ -3423,20 +3428,7 @@ PK11_ExitContextMonitor(PK11Context *cx) { void PK11_DestroyContext(PK11Context *context, PRBool freeit) { - SECStatus rv = SECFailure; - if (context->ownSession && context->key && /* context owns session & key */ - context->key->session == context->session && /* sharing session */ - !context->key->sessionOwner) /* sanity check */ - { - /* session still valid, let the key free it as necessary */ - rv = PK11_Finalize(context); /* end any ongoing activity */ - if (rv == SECSuccess) { - context->key->sessionOwner = PR_TRUE; - } /* else couldn't finalize the session, close it */ - } - if (rv == SECFailure) { - pk11_CloseSession(context->slot,context->session,context->ownSession); - } + pk11_CloseSession(context->slot,context->session,context->ownSession); /* initialize the critical fields of the context */ if (context->savedData != NULL ) PORT_Free(context->savedData); if (context->key) PK11_FreeSymKey(context->key); @@ -3620,14 +3612,7 @@ static PK11Context *pk11_CreateNewContextInSlot(CK_MECHANISM_TYPE type, context->operation = operation; context->key = symKey ? PK11_ReferenceSymKey(symKey) : NULL; context->slot = PK11_ReferenceSlot(slot); - if (symKey && symKey->sessionOwner) { - /* The symkey owns a session. Adopt that session. */ - context->session = symKey->session; - context->ownSession = symKey->sessionOwner; - symKey->sessionOwner = PR_FALSE; - } else { - context->session = pk11_GetNewSession(slot, &context->ownSession); - } + context->session = pk11_GetNewSession(slot,&context->ownSession); context->cx = symKey ? symKey->cx : NULL; /* get our session */ context->savedData = NULL; diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c index 54c279ca4..be0c56ac4 100644 --- a/security/nss/lib/pkcs7/p7decode.c +++ b/security/nss/lib/pkcs7/p7decode.c 
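Review bot: The result of `context->session = pk11_GetNewSession(slot,&context->ownSession);` in pk11_CreateNewContextInSlot is not checked in the visible lines. With session adoption removed, every context now goes through that call, so a token that runs out of sessions is hit more often than before. If the lines after the hunk do not already test the result, a failure check right after the call that releases `context->key` and `context->slot` and returns NULL would keep later operations from running on an invalid handle. The trailing `/* get our session */` comment on the `context->cx` line now describes the line above it and could move there.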
@@ -277,11 +277,8 @@ sec_pkcs7_decoder_start_digests (SEC_PKCS7DecoderContext *p7dcx, int depth, /* * No algorithms means no work to do. - * This is not expected, so cause an assert. - * But if it does happen, just act as if there were - * no algorithms specified. + * Just act as if there were no algorithms specified. */ - PORT_Assert (digcnt != 0); if (digcnt == 0) return SECSuccess; diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c index ef378970a..7c91d5c41 100644 --- a/security/nss/lib/pki/pki3hack.c +++ b/security/nss/lib/pki/pki3hack.c @@ -586,9 +586,12 @@ get_cert_instance(NSSCertificate *c) } char * -STAN_GetCERTCertificateName(NSSCertificate *c) +STAN_GetCERTCertificateNameForInstance ( + PLArenaPool *arenaOpt, + NSSCertificate *c, + nssCryptokiInstance *instance +) { - nssCryptokiInstance *instance = get_cert_instance(c); NSSCryptoContext *context = c->object.cryptoContext; PRStatus nssrv; int nicklen, tokenlen, len; @@ -613,7 +616,11 @@ STAN_GetCERTCertificateName(NSSCertificate *c) } nicklen = nssUTF8_Size(stanNick, &nssrv); len = tokenlen + nicklen; - nickname = PORT_Alloc(len); + if (arenaOpt) { + nickname = PORT_ArenaAlloc(arenaOpt, len); + } else { + nickname = PORT_Alloc(len); + } nick = nickname; if (tokenName) { memcpy(nick, tokenName, tokenlen-1); @@ -626,6 +633,12 @@ STAN_GetCERTCertificateName(NSSCertificate *c) return nickname; } +char * +STAN_GetCERTCertificateName(PLArenaPool *arenaOpt, NSSCertificate *c) +{ + nssCryptokiInstance *instance = get_cert_instance(c); + return STAN_GetCERTCertificateNameForInstance(arenaOpt, c, instance); +} static void fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced) diff --git a/security/nss/lib/pki/pki3hack.h b/security/nss/lib/pki/pki3hack.h index da68269c3..6e50725d3 100644 --- a/security/nss/lib/pki/pki3hack.h +++ b/security/nss/lib/pki/pki3hack.h 
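Review bot: Neither `PORT_ArenaAlloc(arenaOpt, len)` nor `PORT_Alloc(len)` is checked before `memcpy(nick, tokenName, tokenlen-1)` in STAN_GetCERTCertificateNameForInstance, so an allocation failure becomes a write through a NULL pointer. Adding `if (!nickname) return NULL;` directly after the if/else matches what CollectNicknames in certhigh.c already expects, since its comment says the nickname is NULL only on allocation problems. The function starts before the hunk, so any earlier state that needs releasing on that path should be checked against the full body.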
@@ -42,6 +42,10 @@ static const char PKINSS3HACK_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name #include "nssdevt.h" #endif /* NSSDEVT_H */ +#ifndef DEVT_H +#include "devt.h" +#endif /* DEVT_H */ + #ifndef NSSPKIT_H #include "nsspkit.h" #endif /* NSSPKIT_H */ @@ -107,7 +111,12 @@ nssPKIX509_GetIssuerAndSerialFromDER(NSSDER *der, NSSArena *arena, NSSDER *issuer, NSSDER *serial); NSS_EXTERN char * -STAN_GetCERTCertificateName(NSSCertificate *c); +STAN_GetCERTCertificateName(PLArenaPool *arenaOpt, NSSCertificate *c); + +NSS_EXTERN char * +STAN_GetCERTCertificateNameForInstance(PLArenaPool *arenaOpt, + NSSCertificate *c, + nssCryptokiInstance *instance); /* exposing this */ NSS_EXTERN NSSCertificate * diff --git a/security/nss/lib/pki/tdcache.c b/security/nss/lib/pki/tdcache.c index 1f1d3fa97..c9fd8012f 100644 --- a/security/nss/lib/pki/tdcache.c +++ b/security/nss/lib/pki/tdcache.c @@ -488,11 +488,15 @@ nssTrustDomain_RemoveTokenCertsFromCache ( for (i=0; i<dtor.numCerts; i++) { if (dtor.certs[i]->object.numInstances == 0) { nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]); - } else { - STAN_ForceCERTCertificateUpdate(dtor.certs[i]); + dtor.certs[i] = NULL; /* skip this cert in the second for loop */ } } PZ_Unlock(td->cache->lock); + for (i=0; i<dtor.numCerts; i++) { + if (dtor.certs[i]) { + STAN_ForceCERTCertificateUpdate(dtor.certs[i]); + } + } nss_ZFreeIf(dtor.certs); return PR_SUCCESS; } diff --git a/security/nss/lib/ssl/sslmutex.c b/security/nss/lib/ssl/sslmutex.c index d877b074f..6dad7b33b 100644 --- a/security/nss/lib/ssl/sslmutex.c +++ b/security/nss/lib/ssl/sslmutex.c 
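Review bot: The two prototypes do not say who owns the returned string, and ownership now depends on `arenaOpt`. Per the pki3hack.c change in this commit, the buffer comes from `PORT_ArenaAlloc` when `arenaOpt` is non-NULL and from `PORT_Alloc` otherwise. A caller that frees an arena-backed nickname, or never frees a heap-backed one, gets it wrong with no compiler help. A comment above both declarations would fix the contract, e.g. `/* Returns NULL on failure. If arenaOpt is NULL the caller frees the result with PORT_Free; otherwise the string lives in arenaOpt. */`.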
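Review bot: The second loop calls `STAN_ForceCERTCertificateUpdate(dtor.certs[i])` after `PZ_Unlock(td->cache->lock)`, so the certificates are touched while another thread may already be operating on the cache. Whether `dtor.certs` holds its own reference on each entry is not visible in this hunk. If it does not, a concurrent removal could free a certificate between the unlock and the update. Either take a reference on each retained entry while the lock is still held, or state the guarantee in a comment such as `/* entries in dtor.certs[] stay referenced until nss_ZFreeIf below */`. The function starts outside the hunk.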
@@ -199,10 +199,17 @@ sslMutex_Destroy(sslMutex *pMutex) #if defined(LINUX) && defined(i386) /* No memory barrier needed for this platform */ +/* nWaiters includes the holder of the lock (if any) and the number +** threads waiting for it. After incrementing nWaiters, if the count +** is exactly 1, then you have the lock and may proceed. If the +** count is greater than 1, then you must wait on the pipe. +*/ + + SECStatus sslMutex_Unlock(sslMutex *pMutex) { - PRInt32 oldValue; + PRInt32 newValue; if (PR_FALSE == pMutex->isMultiProcess) { return single_process_sslMutex_Unlock(pMutex); } @@ -212,8 +219,8 @@ sslMutex_Unlock(sslMutex *pMutex) return SECFailure; } /* Do Memory Barrier here. */ - oldValue = PR_AtomicDecrement(&pMutex->u.pipeStr.nWaiters); - if (oldValue > 1) { + newValue = PR_AtomicDecrement(&pMutex->u.pipeStr.nWaiters); + if (newValue > 0) { int cc; char c = 1; do { @@ -233,7 +240,7 @@ sslMutex_Unlock(sslMutex *pMutex) SECStatus sslMutex_Lock(sslMutex *pMutex) { - PRInt32 oldValue; + PRInt32 newValue; if (PR_FALSE == pMutex->isMultiProcess) { return single_process_sslMutex_Lock(pMutex); } @@ -242,9 +249,9 @@ sslMutex_Lock(sslMutex *pMutex) PORT_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; } - oldValue = PR_AtomicDecrement(&pMutex->u.pipeStr.nWaiters); + newValue = PR_AtomicIncrement(&pMutex->u.pipeStr.nWaiters); /* Do Memory Barrier here. */ - if (oldValue > 0) { + if (newValue > 1) { int cc; char c; do { diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c index 012a403af..eb4683ca4 100644 --- a/security/nss/lib/util/secitem.c +++ b/security/nss/lib/util/secitem.c 
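Review bot: sslMutex_Unlock decrements `nWaiters` unconditionally, so an unlock without a matching lock leaves the count negative, and the next two callers of sslMutex_Lock both see `newValue <= 1` and proceed as holders. A check after the decrement would turn that silent loss of mutual exclusion into an error: `if (newValue < 0) { PR_AtomicIncrement(&pMutex->u.pipeStr.nWaiters); PORT_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; }`. Whether any caller can actually unbalance the calls is not visible here. The new comment block should also read "the number of threads waiting", and since the mutex is used across processes it could say "threads or processes". Both function bodies continue outside the hunks.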
@@ -143,6 +143,11 @@ SECITEM_CompareItem(const SECItem *a, const SECItem *b) unsigned m; SECComparison rv; + if (!a || !a->len || !a->data) + return (!b || !b->len || !b->data) ? SECEqual : SECLessThan; + if (!b || !b->len || !b->data) + return SECGreaterThan; + m = ( ( a->len < b->len ) ? a->len : b->len ); rv = (SECComparison) PORT_Memcmp(a->data, b->data, m); @@ -161,10 +166,15 @@ SECITEM_CompareItem(const SECItem *a, const SECItem *b) PRBool SECITEM_ItemsAreEqual(const SECItem *a, const SECItem *b) { - if (SECITEM_CompareItem(a, b) == SECEqual) - return PR_TRUE; - - return PR_FALSE; + if (a->len != b->len) + return PR_FALSE; + if (!a->len) + return PR_TRUE; + if (!a->data || !b->data) { + /* avoid null pointer crash. */ + return (PRBool)(a->data == b->data); + } + return (PRBool)!PORT_Memcmp(a->data, b->data, a->len); } SECItem * diff --git a/security/nss/tests/ssl/sslreq.txt b/security/nss/tests/ssl/sslreq.txt index 2f7ad7736..c1da607c0 100644 --- a/security/nss/tests/ssl/sslreq.txt +++ b/security/nss/tests/ssl/sslreq.txt @@ -1,2 +1,2 @@ -GET / HTTP/1.0
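Review bot: SECITEM_ItemsAreEqual now reads `a->len` and `b->len` directly, so a NULL `a` or `b` crashes here even though this same commit makes SECITEM_CompareItem accept NULL items and the old body delegated to that function. Opening with `if (!a || !b) return (PRBool)(SECITEM_CompareItem(a, b) == SECEqual);` restores that tolerance and keeps NULL equal to an empty item. The two functions also disagree on one input: a zero-length item compared with an item that has non-zero `len` but NULL `data` gives SECEqual from CompareItem and PR_FALSE from ItemsAreEqual. If that difference is intended it deserves a comment on ItemsAreEqual; otherwise one of the two should change.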
-
+GET / HTTP/1.0 + |