From a37ca8f2ef5e33ba9ea039e5192c5be3124660ad Mon Sep 17 00:00:00 2001 
From: Kai Engert Date: Fri, 19 Aug 2011 17:27:10 +0200 Subject: [PATCH] Bug 669061, Upgrade to NSS 3.13, starting with NSS_3_13_BETA1, r=wtc --HG-- rename : security/nss/cmd/lib/SSLerrs.h => security/nss/lib/ssl/SSLerrs.h rename : security/nss/cmd/lib/SECerrs.h => security/nss/lib/util/SECerrs.h --- security/coreconf/Darwin.mk | 10 +- security/coreconf/Linux.mk | 5 +- security/coreconf/WIN32.mk | 3 +- security/coreconf/coreconf.dep | 1 + security/nss/TAG-INFO | 2 +- security/nss/cmd/addbuiltin/addbuiltin.c | 40 +- security/nss/cmd/bltest/blapitest.c | 56 +- .../nss/cmd/bltest/tests/sha224/ciphertext0 | 2 + .../nss/cmd/bltest/tests/sha224/ciphertext1 | 2 + security/nss/cmd/bltest/tests/sha224/numtests | 1 + .../nss/cmd/bltest/tests/sha224/plaintext0 | 1 + .../nss/cmd/bltest/tests/sha224/plaintext1 | 1 + security/nss/cmd/certutil/certutil.c | 4 +- security/nss/cmd/chktest/Makefile | 79 + security/nss/cmd/chktest/chktest.c | 76 + security/nss/cmd/chktest/manifest.mn | 59 + security/nss/cmd/lib/Makefile | 1 - security/nss/cmd/lib/NSPRerrs.h | 153 -- security/nss/cmd/lib/manifest.mn | 5 - security/nss/cmd/lib/pk11table.c | 53 +- security/nss/cmd/lib/secerror.c | 73 +- security/nss/cmd/lib/secutil.c | 227 ++- security/nss/cmd/lib/secutil.h | 10 +- security/nss/cmd/manifest.mn | 1 + security/nss/cmd/modutil/install.c | 9 +- security/nss/cmd/modutil/instsec.c | 3 +- security/nss/cmd/pk11mode/pk11mode.c | 5 +- security/nss/cmd/pk12util/pk12util.c | 6 +- security/nss/cmd/pp/pp.c | 7 +- security/nss/cmd/ppcertdata/Makefile | 80 + security/nss/cmd/ppcertdata/manifest.mn | 55 + security/nss/cmd/ppcertdata/ppcertdata.c | 132 ++ security/nss/cmd/selfserv/selfserv.c | 8 +- security/nss/cmd/shlibsign/manifest.mn | 3 - security/nss/cmd/shlibsign/shlibsign.c | 2 +- security/nss/cmd/signtool/sign.c | 2 +- security/nss/cmd/signtool/util.c | 2 +- security/nss/cmd/signtool/verify.c | 4 +- security/nss/cmd/signver/signver.c | 2 +- security/nss/cmd/strsclnt/strsclnt.c | 40 +- 
security/nss/cmd/symkeyutil/symkey.man | 2 +- security/nss/cmd/tests/encodeinttest.c | 93 ++ security/nss/cmd/tests/manifest.mn | 1 + security/nss/cmd/tstclnt/tstclnt.c | 11 +- security/nss/cmd/vfychain/vfychain.c | 18 +- security/nss/lib/certdb/alg1485.c | 15 +- security/nss/lib/certdb/cert.h | 26 +- security/nss/lib/certdb/certdb.c | 353 +++-- security/nss/lib/certdb/certdb.h | 20 +- security/nss/lib/certdb/certi.h | 11 +- security/nss/lib/certdb/certt.h | 2 +- security/nss/lib/certdb/crl.c | 85 +- security/nss/lib/certdb/genname.c | 105 -- security/nss/lib/certdb/manifest.mn | 2 - security/nss/lib/certhigh/certhtml.c | 2 +- security/nss/lib/certhigh/certvfy.c | 362 +++-- security/nss/lib/certhigh/manifest.mn | 2 - security/nss/lib/certhigh/ocsp.c | 12 +- security/nss/lib/certhigh/ocsp.h | 4 +- security/nss/lib/ckfw/builtins/certdata.c | 1330 ++++++++--------- security/nss/lib/ckfw/builtins/certdata.txt | 1318 ++++++++-------- security/nss/lib/ckfw/capi/cfind.c | 4 +- security/nss/lib/ckfw/capi/ckcapi.h | 12 +- security/nss/lib/ckfw/capi/cobject.c | 63 +- security/nss/lib/ckfw/capi/crsa.c | 10 +- security/nss/lib/ckfw/hash.c | 3 +- security/nss/lib/ckfw/session.c | 12 +- security/nss/lib/crmf/cmmf.h | 2 +- security/nss/lib/crmf/crmf.h | 18 +- security/nss/lib/crmf/crmffut.h | 2 +- security/nss/lib/crmf/crmfi.h | 2 +- security/nss/lib/cryptohi/cryptohi.h | 4 +- security/nss/lib/cryptohi/keyhi.h | 10 +- security/nss/lib/cryptohi/keythi.h | 22 +- security/nss/lib/cryptohi/manifest.mn | 6 +- security/nss/lib/cryptohi/sechash.c | 19 + security/nss/lib/cryptohi/seckey.c | 271 +--- security/nss/lib/cryptohi/secsign.c | 10 +- security/nss/lib/dev/ckhelper.c | 33 +- security/nss/lib/dev/devt.h | 4 +- security/nss/lib/dev/devtoken.c | 38 +- security/nss/lib/freebl/Makefile | 48 +- security/nss/lib/freebl/blapi.h | 37 +- security/nss/lib/freebl/blapii.h | 6 +- security/nss/lib/freebl/blapit.h | 5 +- security/nss/lib/freebl/camellia.c | 36 +- security/nss/lib/freebl/des.c | 
13 + security/nss/lib/freebl/dh.c | 9 +- security/nss/lib/freebl/dsa.c | 2 +- security/nss/lib/freebl/ec.c | 17 +- security/nss/lib/freebl/ecl/ecp_mont.c | 6 +- security/nss/lib/freebl/hasht.h | 4 +- security/nss/lib/freebl/ldvector.c | 23 +- security/nss/lib/freebl/loader.c | 136 +- security/nss/lib/freebl/loader.h | 39 +- security/nss/lib/freebl/manifest.mn | 1 + security/nss/lib/freebl/mgf1.c | 91 ++ security/nss/lib/freebl/mpi/Makefile | 4 +- security/nss/lib/freebl/mpi/README | 14 +- security/nss/lib/freebl/mpi/hpma512.s | 6 +- security/nss/lib/freebl/mpi/hppa20.s | 44 +- security/nss/lib/freebl/mpi/make-logtab | 4 +- security/nss/lib/freebl/mpi/make-test-arrays | 4 +- security/nss/lib/freebl/mpi/mpi-config.h | 2 +- security/nss/lib/freebl/mpi/mpi-priv.h | 3 +- security/nss/lib/freebl/mpi/mpi.c | 19 +- security/nss/lib/freebl/mpi/mpi.h | 6 +- security/nss/lib/freebl/mpi/mpi_arm.c | 203 +++ security/nss/lib/freebl/mpi/mpmontg.c | 32 +- security/nss/lib/freebl/mpi/target.mk | 6 + security/nss/lib/freebl/mpi/utils/primegen.c | 12 +- security/nss/lib/freebl/mpi/utils/ptab.pl | 4 +- security/nss/lib/freebl/nsslowhash.c | 21 +- security/nss/lib/freebl/rawhash.c | 11 + security/nss/lib/freebl/ret_cr16.s | 6 +- security/nss/lib/freebl/rijndael.c | 2 +- security/nss/lib/freebl/rsa.c | 10 +- security/nss/lib/freebl/secmpi.h | 7 +- security/nss/lib/freebl/sha512.c | 156 +- security/nss/lib/freebl/sha_fast.h | 21 +- security/nss/lib/freebl/shvfy.c | 243 ++- security/nss/lib/freebl/stubs.c | 18 + security/nss/lib/freebl/stubs.h | 4 +- security/nss/lib/freebl/tlsprfalg.c | 12 +- security/nss/lib/jar/config.mk | 2 +- security/nss/lib/jar/jarver.c | 2 +- security/nss/lib/jar/manifest.mn | 2 - .../nss/lib/libpkix/pkix/certsel/manifest.mn | 2 - .../nss/lib/libpkix/pkix/checker/manifest.mn | 2 - .../nss/lib/libpkix/pkix/crlsel/manifest.mn | 2 - .../nss/lib/libpkix/pkix/params/manifest.mn | 2 - .../nss/lib/libpkix/pkix/results/manifest.mn | 2 - 
.../nss/lib/libpkix/pkix/store/manifest.mn | 2 - security/nss/lib/libpkix/pkix/top/manifest.mn | 2 - .../nss/lib/libpkix/pkix/util/manifest.mn | 2 - .../libpkix/pkix_pl_nss/module/manifest.mn | 2 - .../module/pkix_pl_httpdefaultclient.c | 15 +- .../lib/libpkix/pkix_pl_nss/pki/manifest.mn | 2 - .../libpkix/pkix_pl_nss/system/manifest.mn | 2 - security/nss/lib/nss/manifest.mn | 2 - security/nss/lib/nss/nss.def | 8 + security/nss/lib/nss/nss.h | 17 +- security/nss/lib/nss/nssinit.c | 19 +- security/nss/lib/pk11wrap/debug_module.c | 49 +- security/nss/lib/pk11wrap/dev3hack.c | 56 +- security/nss/lib/pk11wrap/manifest.mn | 2 - security/nss/lib/pk11wrap/pk11akey.c | 7 +- security/nss/lib/pk11wrap/pk11cert.c | 222 ++- security/nss/lib/pk11wrap/pk11err.c | 8 +- security/nss/lib/pk11wrap/pk11load.c | 6 +- security/nss/lib/pk11wrap/pk11mech.c | 5 +- security/nss/lib/pk11wrap/pk11merge.c | 6 +- security/nss/lib/pk11wrap/pk11nobj.c | 20 +- security/nss/lib/pk11wrap/pk11obj.c | 20 +- security/nss/lib/pk11wrap/pk11pbe.c | 20 +- security/nss/lib/pk11wrap/pk11pk12.c | 13 +- security/nss/lib/pk11wrap/pk11pub.h | 2 +- security/nss/lib/pk11wrap/pk11skey.c | 6 +- security/nss/lib/pkcs12/manifest.mn | 2 - security/nss/lib/pkcs12/p12.h | 5 + security/nss/lib/pkcs12/p12d.c | 33 +- security/nss/lib/pkcs7/manifest.mn | 2 - security/nss/lib/pki/certificate.c | 54 +- security/nss/lib/pki/pki3hack.c | 20 +- security/nss/lib/pki/pki3hack.h | 2 +- security/nss/lib/pki/pkistore.c | 2 +- security/nss/lib/smime/cms.h | 2 +- security/nss/lib/smime/cmsasn1.c | 2 +- security/nss/lib/smime/cmscinfo.c | 2 +- security/nss/lib/smime/cmsdecode.c | 2 +- security/nss/lib/smime/cmsdigdata.c | 2 +- security/nss/lib/smime/cmsencdata.c | 2 +- security/nss/lib/smime/cmsencode.c | 2 +- security/nss/lib/smime/cmsenvdata.c | 2 +- security/nss/lib/smime/cmslocal.h | 2 +- security/nss/lib/smime/cmsmessage.c | 2 +- security/nss/lib/smime/cmssigdata.c | 2 +- security/nss/lib/smime/cmssiginfo.c | 9 +- 
security/nss/lib/smime/cmst.h | 2 +- security/nss/lib/smime/cmsudf.c | 2 +- security/nss/lib/smime/cmsutil.c | 2 +- security/nss/lib/smime/manifest.mn | 2 - security/nss/lib/smime/smime.def | 6 + security/nss/lib/smime/smime.h | 19 +- security/nss/lib/smime/smimeutil.c | 7 +- security/nss/lib/softoken/fipstest.c | 44 +- security/nss/lib/softoken/legacydb/keydb.c | 54 +- security/nss/lib/softoken/legacydb/lgattr.c | 71 +- security/nss/lib/softoken/legacydb/lgcreate.c | 48 +- security/nss/lib/softoken/legacydb/lgdb.h | 19 +- security/nss/lib/softoken/legacydb/lgfind.c | 6 +- security/nss/lib/softoken/legacydb/lginit.c | 29 +- security/nss/lib/softoken/legacydb/lowcert.c | 36 +- security/nss/lib/softoken/legacydb/lowkey.c | 81 +- security/nss/lib/softoken/legacydb/lowkeyi.h | 34 +- security/nss/lib/softoken/legacydb/lowkeyti.h | 17 +- .../nss/lib/softoken/legacydb/manifest.mn | 2 +- security/nss/lib/softoken/legacydb/pcertdb.c | 7 +- security/nss/lib/softoken/legacydb/pcertt.h | 8 +- security/nss/lib/softoken/legacydb/pk11db.c | 2 +- security/nss/lib/softoken/lowpbe.c | 2 +- security/nss/lib/softoken/manifest.mn | 2 - security/nss/lib/softoken/pk11pars.h | 1 + security/nss/lib/softoken/pkcs11.c | 17 +- security/nss/lib/softoken/pkcs11c.c | 482 +++--- security/nss/lib/softoken/pkcs11i.h | 25 +- security/nss/lib/softoken/rsawrapr.c | 297 +++- security/nss/lib/softoken/sftkdb.c | 18 +- security/nss/lib/softoken/sftkmod.c | 5 +- security/nss/lib/softoken/sftkpwd.c | 2 +- security/nss/lib/softoken/softkver.h | 8 +- security/nss/lib/softoken/softoken.h | 15 +- security/nss/{cmd/lib => lib/ssl}/SSLerrs.h | 0 security/nss/lib/ssl/derive.c | 5 +- security/nss/lib/ssl/manifest.mn | 7 + security/nss/lib/ssl/notes.txt | 4 +- security/nss/lib/ssl/ssl.def | 6 + security/nss/lib/ssl/ssl.h | 19 +- security/nss/lib/ssl/ssl3con.c | 46 +- security/nss/lib/ssl/ssl3ext.c | 2 +- security/nss/lib/ssl/ssl3gthr.c | 2 +- security/nss/lib/ssl/sslauth.c | 2 +- security/nss/lib/ssl/sslcon.c | 8 
+- security/nss/lib/ssl/sslerr.h | 2 +- security/nss/lib/ssl/sslerrstrs.c | 66 + security/nss/lib/ssl/sslerrstrs.h | 53 + security/nss/lib/ssl/sslimpl.h | 25 +- security/nss/lib/ssl/sslinfo.c | 2 +- security/nss/lib/ssl/sslinit.c | 60 + security/nss/lib/ssl/sslnonce.c | 2 +- security/nss/lib/ssl/sslreveal.c | 2 +- security/nss/lib/ssl/sslsecur.c | 25 +- security/nss/lib/ssl/sslsnce.c | 13 +- security/nss/lib/ssl/sslsock.c | 30 +- security/nss/lib/ssl/sslutil.h | 53 + security/nss/{cmd/lib => lib/util}/SECerrs.h | 0 security/nss/lib/util/errstrs.c | 183 +++ security/nss/lib/util/errstrs.h | 56 + security/nss/lib/util/manifest.mn | 2 + security/nss/lib/util/nssb64d.c | 2 +- security/nss/lib/util/nssutil.def | 10 + security/nss/lib/util/nssutil.h | 69 +- security/nss/lib/util/pkcs11n.h | 64 +- security/nss/lib/util/quickder.c | 6 +- security/nss/lib/util/secasn1e.c | 2 +- security/nss/lib/util/secdig.c | 3 +- security/nss/lib/util/secitem.c | 6 +- security/nss/lib/util/secoid.c | 29 +- security/nss/lib/util/secoidt.h | 12 +- security/nss/lib/zlib/Makefile | 7 +- security/nss/lib/zlib/README | 86 +- security/nss/lib/zlib/README.nss | 18 + security/nss/lib/zlib/adler32.c | 40 +- security/nss/lib/zlib/compress.c | 7 +- security/nss/lib/zlib/crc32.c | 37 +- security/nss/lib/zlib/deflate.c | 270 ++-- security/nss/lib/zlib/deflate.h | 39 +- security/nss/lib/zlib/example.c | 8 +- security/nss/lib/zlib/gzclose.c | 25 + security/nss/lib/zlib/gzguts.h | 132 ++ security/nss/lib/zlib/gzio.c | 1026 ------------- security/nss/lib/zlib/gzlib.c | 537 +++++++ security/nss/lib/zlib/gzread.c | 653 ++++++++ security/nss/lib/zlib/gzwrite.c | 531 +++++++ security/nss/lib/zlib/infback.c | 93 +- security/nss/lib/zlib/inffast.c | 80 +- security/nss/lib/zlib/inffast.h | 4 +- security/nss/lib/zlib/inflate.c | 282 ++-- security/nss/lib/zlib/inflate.h | 31 +- security/nss/lib/zlib/inftrees.c | 63 +- security/nss/lib/zlib/inftrees.h | 27 +- security/nss/lib/zlib/manifest.mn | 15 +- 
security/nss/lib/zlib/minigzip.c | 140 +- .../nss/lib/zlib/patches/msvc-vsnprintf.patch | 22 + security/nss/lib/zlib/patches/prune-zlib.sh | 30 + security/nss/lib/zlib/trees.c | 95 +- security/nss/lib/zlib/trees.h | 4 +- security/nss/lib/zlib/uncompr.c | 6 +- security/nss/lib/zlib/zconf.h | 202 ++- security/nss/lib/zlib/zlib.h | 1152 ++++++++------ security/nss/lib/zlib/zutil.c | 34 +- security/nss/lib/zlib/zutil.h | 70 +- security/nss/tests/cert/cert.sh | 20 +- security/nss/tests/cipher/cipher.txt | 1 + .../netscape/suites/security/ssl/sslc.c | 3 +- .../netscape/suites/security/ssl/sslt.c | 4 +- 286 files changed, 9947 insertions(+), 5670 deletions(-) create mode 100644 security/nss/cmd/bltest/tests/sha224/ciphertext0 create mode 100644 security/nss/cmd/bltest/tests/sha224/ciphertext1 create mode 100644 security/nss/cmd/bltest/tests/sha224/numtests create mode 100644 security/nss/cmd/bltest/tests/sha224/plaintext0 create mode 100644 security/nss/cmd/bltest/tests/sha224/plaintext1 create mode 100644 security/nss/cmd/chktest/Makefile create mode 100644 security/nss/cmd/chktest/chktest.c create mode 100644 security/nss/cmd/chktest/manifest.mn delete mode 100644 security/nss/cmd/lib/NSPRerrs.h create mode 100644 security/nss/cmd/ppcertdata/Makefile create mode 100644 security/nss/cmd/ppcertdata/manifest.mn create mode 100644 security/nss/cmd/ppcertdata/ppcertdata.c create mode 100644 security/nss/cmd/tests/encodeinttest.c create mode 100644 security/nss/lib/freebl/mgf1.c create mode 100644 security/nss/lib/freebl/mpi/mpi_arm.c rename security/nss/{cmd/lib => lib/ssl}/SSLerrs.h (100%) create mode 100644 security/nss/lib/ssl/sslerrstrs.c create mode 100644 security/nss/lib/ssl/sslerrstrs.h create mode 100644 security/nss/lib/ssl/sslinit.c create mode 100644 security/nss/lib/ssl/sslutil.h rename security/nss/{cmd/lib => lib/util}/SECerrs.h (100%) create mode 100644 security/nss/lib/util/errstrs.c create mode 100644 security/nss/lib/util/errstrs.h create mode 100644 
security/nss/lib/zlib/README.nss create mode 100644 security/nss/lib/zlib/gzclose.c create mode 100644 security/nss/lib/zlib/gzguts.h delete mode 100644 security/nss/lib/zlib/gzio.c create mode 100644 security/nss/lib/zlib/gzlib.c create mode 100644 security/nss/lib/zlib/gzread.c create mode 100644 security/nss/lib/zlib/gzwrite.c create mode 100644 security/nss/lib/zlib/patches/msvc-vsnprintf.patch create mode 100644 security/nss/lib/zlib/patches/prune-zlib.sh diff --git a/security/coreconf/Darwin.mk b/security/coreconf/Darwin.mk index 110d89f2ae1..5524100f916 100644 --- a/security/coreconf/Darwin.mk +++ b/security/coreconf/Darwin.mk @@ -37,10 +37,10 @@ include $(CORE_DEPTH)/coreconf/UNIX.mk -DEFAULT_COMPILER = cc +DEFAULT_COMPILER = gcc -CC = cc -CCC = c++ +CC = gcc +CCC = g++ RANLIB = ranlib ifndef CPU_ARCH @@ -52,9 +52,11 @@ endif ifeq (,$(filter-out i%86,$(CPU_ARCH))) ifdef USE_64 CC += -arch x86_64 +override CPU_ARCH = x86_64 else OS_REL_CFLAGS = -Di386 CC += -arch i386 +override CPU_ARCH = x86 endif else OS_REL_CFLAGS = -Dppc @@ -107,7 +109,7 @@ endif # definitions so that the linker can catch multiply-defined symbols. # Also, common symbols are not allowed with Darwin dynamic libraries. -OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) -Wmost -fpascal-strings -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK $(DARWIN_SDK_CFLAGS) +OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) -Wall -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK $(DARWIN_SDK_CFLAGS) ifdef BUILD_OPT ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE)) diff --git a/security/coreconf/Linux.mk b/security/coreconf/Linux.mk index 3d48f998716..edea4d83531 100644 --- a/security/coreconf/Linux.mk +++ b/security/coreconf/Linux.mk 
@@ -202,8 +202,5 @@ PROCESS_MAP_FILE = grep -v ';-' $< | \ sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@ ifeq ($(OS_RELEASE),2.4) -# Softoken 3.13 uses NO_FORK_CHECK only. -# Softoken 3.12 uses NO_FORK_CHECK and NO_CHECK_FORK. -# Don't use NO_CHECK_FORK in new code. -DEFINES += -DNO_FORK_CHECK -DNO_CHECK_FORK +DEFINES += -DNO_FORK_CHECK endif diff --git a/security/coreconf/WIN32.mk b/security/coreconf/WIN32.mk index 6f880169840..da9689ea83e 100644 --- a/security/coreconf/WIN32.mk +++ b/security/coreconf/WIN32.mk @@ -143,7 +143,8 @@ ifdef NS_USE_GCC DEFINES += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME) endif else # !NS_USE_GCC - OS_CFLAGS += -W3 -nologo -D_CRT_SECURE_NO_WARNINGS + OS_CFLAGS += -W3 -nologo -D_CRT_SECURE_NO_WARNINGS \ + -D_CRT_NONSTDC_NO_WARNINGS OS_DLLFLAGS += -nologo -DLL -SUBSYSTEM:WINDOWS ifeq ($(_MSC_VER),$(_MSC_VER_6)) ifndef MOZ_DEBUG_SYMBOLS diff --git a/security/coreconf/coreconf.dep b/security/coreconf/coreconf.dep index b536cfc01b9..4c796e94d27 100644 --- a/security/coreconf/coreconf.dep +++ b/security/coreconf/coreconf.dep @@ -43,3 +43,4 @@ #error "Do not include this header file." + diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO index 5af72525122..1ccb78abc1a 100644 --- a/security/nss/TAG-INFO +++ b/security/nss/TAG-INFO @@ -1 +1 @@ -NSS_3_12_11_RTM +NSS_3_13_BETA1 diff --git a/security/nss/cmd/addbuiltin/addbuiltin.c b/security/nss/cmd/addbuiltin/addbuiltin.c index 63422f893dc..a331a0a1e0c 100644 --- a/security/nss/cmd/addbuiltin/addbuiltin.c +++ b/security/nss/cmd/addbuiltin/addbuiltin.c @@ -37,7 +37,7 @@ /* * Tool for converting builtin CA certs. * - * $Id: addbuiltin.c,v 1.14.68.1 2011/03/23 20:07:57 kaie%kuix.de Exp $ + * $Id: addbuiltin.c,v 1.16 2011/04/13 00:10:21 rrelyea%redhat.com Exp $ */ #include "nssrenam.h" 
@@ -68,22 +68,22 @@ char *getTrustString(unsigned int trust) { if (trust & CERTDB_TRUSTED) { if (trust & CERTDB_TRUSTED_CA) { - return "CKT_NETSCAPE_TRUSTED_DELEGATOR|CKT_NETSCAPE_TRUSTED"; + return "CKT_NSS_TRUSTED_DELEGATOR"; } else { - return "CKT_NETSCAPE_TRUSTED"; + return "CKT_NSS_TRUSTED"; } } else { if (trust & CERTDB_TRUSTED_CA) { - return "CKT_NETSCAPE_TRUSTED_DELEGATOR"; + return "CKT_NSS_TRUSTED_DELEGATOR"; } else if (trust & CERTDB_VALID_CA) { - return "CKT_NETSCAPE_VALID_DELEGATOR"; - } else if (trust & CERTDB_VALID_PEER) { - return "CKT_NETSCAPE_VALID"; + return "CKT_NSS_VALID_DELEGATOR"; + } else if (trust & CERTDB_TERMINAL_RECORD) { + return "CKT_NSS_NOT_TRUSTED"; } else { - return "CKT_NETSCAPE_TRUST_UNKNOWN"; + return "CKT_NSS_MUST_VERIFY_TRUST"; } } - return "CKT_NETSCAPE_TRUST_UNKNOWN"; /* not reached */ + return "CKT_NSS_TRUST_UNKNOWN"; /* not reached */ } static const SEC_ASN1Template serialTemplate[] = { @@ -133,7 +133,7 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust) PK11_HashBuf(SEC_OID_SHA1, sha1_hash, sdder->data, sdder->len); PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len); printf("\n# Trust for Certificate \"%s\"\n",nickname); - printf("CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST\n"); + printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n"); printf("CKA_TOKEN CK_BBOOL CK_TRUE\n"); printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n"); printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"); 
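Review bot: In getTrustString the `CERTDB_TERMINAL_RECORD` test sits after the `CERTDB_TRUSTED_CA` and `CERTDB_VALID_CA` tests in the else branch, so a flag word carrying both a CA bit and `CERTDB_TERMINAL_RECORD` is emitted as a delegator rather than `CKT_NSS_NOT_TRUSTED`, and nothing in the function says whether that precedence is intended. The returned string becomes the trust value in the generated certdata records, so I would add a comment above the else branch such as `/* no CERTDB_TRUSTED: CA bits win; TERMINAL_RECORD alone means explicit distrust; anything else must be verified */`. The first branch now returns `CKT_NSS_TRUSTED_DELEGATOR` for a trusted CA, the same string as the untrusted-CA case, which is worth a word in that comment as well. The trailing `return "CKT_NSS_TRUST_UNKNOWN"; /* not reached */` names a value no live path produces, so a short note that it exists only to satisfy the compiler would avoid confusion.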
@@ -159,13 +159,13 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust) printf("CKA_TRUST_CODE_SIGNING CK_TRUST %s\n", getTrustString(trust->objectSigningFlags)); #ifdef notdef - printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED\n");*/ - printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n"); - printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n"); - printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n"); - printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n"); - printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n"); - printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n"); + printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NSS_TRUSTED\n"); + printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); + printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); + printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); + printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); + printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); + printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"); #endif printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL %s\n", trust->sslFlags & CERTDB_GOVT_APPROVED_CA ? @@ -215,7 +215,7 @@ void printheader() { "#\n" "# ***** END LICENSE BLOCK *****\n" "#\n" - "CVS_ID \"@(#) $RCSfile: addbuiltin.c,v $ $Revision: 1.14.68.1 $ $Date: 2011/03/23 20:07:57 $\"\n" + "CVS_ID \"@(#) $RCSfile: addbuiltin.c,v $ $Revision: 1.16 $ $Date: 2011/04/13 00:10:21 $\"\n" "\n" "#\n" "# certdata.txt\n" @@ -239,7 +239,7 @@ void printheader() { "# CKA_ISSUER DER+base64 (varies)\n" "# CKA_SERIAL_NUMBER DER+base64 (varies)\n" "# CKA_VALUE DER+base64 (varies)\n" - "# CKA_NETSCAPE_EMAIL ASCII7 (unused here)\n" + "# CKA_NSS_EMAIL ASCII7 (unused here)\n" "#\n" "# Trust\n" "#\n" 
@@ -276,7 +276,7 @@ void printheader() { "# have to go looking for others.\n" "#\n" "BEGINDATA\n" - "CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST\n" + "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST\n" "CKA_TOKEN CK_BBOOL CK_TRUE\n" "CKA_PRIVATE CK_BBOOL CK_FALSE\n" "CKA_MODIFIABLE CK_BBOOL CK_FALSE\n" diff --git a/security/nss/cmd/bltest/blapitest.c b/security/nss/cmd/bltest/blapitest.c index a7a48867c24..6bcfef05bba 100644 --- a/security/nss/cmd/bltest/blapitest.c +++ b/security/nss/cmd/bltest/blapitest.c @@ -50,7 +50,7 @@ #include "plgetopt.h" #include "softoken.h" #include "nspr.h" -#include "nss.h" +#include "nssutil.h" #include "secoid.h" #ifdef NSS_ENABLE_ECC @@ -78,7 +78,7 @@ char *testdir = NULL; if (rv) { \ PRErrorCode prerror = PR_GetError(); \ PR_fprintf(PR_STDERR, "%s: ERR %d (%s) at line %d.\n", progName, \ - prerror, SECU_Strerror(prerror), ln); \ + prerror, NSS_Strerror(prerror,formatSimple), ln); \ exit(-1); \ } @@ -692,6 +692,7 @@ typedef enum { bltestMD2, /* Hash algorithms */ bltestMD5, /* . */ bltestSHA1, /* . */ + bltestSHA224, /* . */ bltestSHA256, /* . */ bltestSHA384, /* . */ bltestSHA512, /* . */ @@ -726,6 +727,7 @@ static char *mode_strings[] = "md2", "md5", "sha1", + "sha224", "sha256", "sha384", "sha512", 
@@ -1765,6 +1767,46 @@ finish: return rv; } +SECStatus +SHA224_restart(unsigned char *dest, const unsigned char *src, uint32 src_length) +{ + SECStatus rv = SECSuccess; + SHA224Context *cx, *cx_cpy; + unsigned char *cxbytes; + unsigned int len; + unsigned int i, quarter; + cx = SHA224_NewContext(); + SHA224_Begin(cx); + /* divide message by 4, restarting 3 times */ + quarter = (src_length + 3) / 4; + for (i=0; i < 4 && src_length > 0; i++) { + SHA224_Update(cx, src + i*quarter, PR_MIN(quarter, src_length)); + len = SHA224_FlattenSize(cx); + cxbytes = PORT_Alloc(len); + SHA224_Flatten(cx, cxbytes); + cx_cpy = SHA224_Resurrect(cxbytes, NULL); + if (!cx_cpy) { + PR_fprintf(PR_STDERR, "%s: SHA224_Resurrect failed!\n", progName); + rv = SECFailure; + goto finish; + } + rv = PORT_Memcmp(cx, cx_cpy, len); + if (rv) { + SHA224_DestroyContext(cx_cpy, PR_TRUE); + PR_fprintf(PR_STDERR, "%s: SHA224_restart failed!\n", progName); + goto finish; + } + + SHA224_DestroyContext(cx_cpy, PR_TRUE); + PORT_Free(cxbytes); + src_length -= quarter; + } + SHA224_End(cx, dest, &len, MD5_LENGTH); +finish: + SHA224_DestroyContext(cx, PR_TRUE); + return rv; +} + SECStatus SHA256_restart(unsigned char *dest, const unsigned char *src, uint32 src_length) { @@ -2057,6 +2099,14 @@ cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt) cipherInfo->cipher.hashCipher = (restart) ? sha1_restart : SHA1_HashBuf; return SECSuccess; break; + case bltestSHA224: + restart = cipherInfo->params.hash.restart; + SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf, + SHA224_LENGTH); + cipherInfo->cipher.hashCipher = (restart) ? SHA224_restart + : SHA224_HashBuf; + return SECSuccess; + break; case bltestSHA256: restart = cipherInfo->params.hash.restart; SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf, 
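Review bot: SHA224_restart finishes with `SHA224_End(cx, dest, &len, MD5_LENGTH);`, which passes the MD5 digest size as the output limit although cipherInit in this same commit sizes the output buffer with `SHA224_LENGTH`. This looks copied from an older restart helper and should read `SHA224_End(cx, dest, &len, SHA224_LENGTH);`, otherwise the digest is probably truncated. The loop also does `src_length -= quarter;` on an unsigned value after a chunk that may be shorter than `quarter`, so for a length such as 5 the counter wraps and the fourth pass reads past the end of `src`; subtracting the amount actually hashed (`PR_MIN(quarter, src_length)`) avoids that. Both `goto finish` paths skip `PORT_Free(cxbytes)`, and `cx` and `cxbytes` are used without a NULL check.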
@@ -2498,6 +2548,7 @@ cipherFinish(bltestCipherInfo *cipherInfo) case bltestMD2: /* hash contexts are ephemeral */ case bltestMD5: case bltestSHA1: + case bltestSHA224: case bltestSHA256: case bltestSHA384: case bltestSHA512: @@ -2851,6 +2902,7 @@ get_params(PRArenaPool *arena, bltestParams *params, case bltestMD2: case bltestMD5: case bltestSHA1: + case bltestSHA224: case bltestSHA256: case bltestSHA384: case bltestSHA512: diff --git a/security/nss/cmd/bltest/tests/sha224/ciphertext0 b/security/nss/cmd/bltest/tests/sha224/ciphertext0 new file mode 100644 index 00000000000..dfc3d279c57 --- /dev/null +++ b/security/nss/cmd/bltest/tests/sha224/ciphertext0 @@ -0,0 +1,2 @@ +Iwl9IjQF2CKGQqR3vaJVsyqtvOS9oLP342ydpw== + diff --git a/security/nss/cmd/bltest/tests/sha224/ciphertext1 b/security/nss/cmd/bltest/tests/sha224/ciphertext1 new file mode 100644 index 00000000000..bef4714bbea --- /dev/null +++ b/security/nss/cmd/bltest/tests/sha224/ciphertext1 @@ -0,0 +1,2 @@ +dTiLFlEndsxdul2h/YkBULDGRVy09YsZUlIlJQ== + diff --git a/security/nss/cmd/bltest/tests/sha224/numtests b/security/nss/cmd/bltest/tests/sha224/numtests new file mode 100644 index 00000000000..0cfbf08886f --- /dev/null +++ b/security/nss/cmd/bltest/tests/sha224/numtests @@ -0,0 +1 @@ +2 diff --git a/security/nss/cmd/bltest/tests/sha224/plaintext0 b/security/nss/cmd/bltest/tests/sha224/plaintext0 new file mode 100644 index 00000000000..8baef1b4abc --- /dev/null +++ b/security/nss/cmd/bltest/tests/sha224/plaintext0 @@ -0,0 +1 @@ +abc diff --git a/security/nss/cmd/bltest/tests/sha224/plaintext1 b/security/nss/cmd/bltest/tests/sha224/plaintext1 new file mode 100644 index 00000000000..afb5dce5d46 --- /dev/null +++ b/security/nss/cmd/bltest/tests/sha224/plaintext1 @@ -0,0 +1 @@ +abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c index 4b890446fde..4a3e9063ec3 100644 --- a/security/nss/cmd/certutil/certutil.c 
+++ b/security/nss/cmd/certutil/certutil.c @@ -1106,8 +1106,8 @@ static void luCommonDetailsAE() " -t trustargs"); FPS "%-25s trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,\n", ""); FPS "%-25s and z is for code signing. Use ,, for no explicit trust.\n", ""); - FPS "%-25s p \t valid peer\n", ""); - FPS "%-25s P \t trusted peer (implies p)\n", ""); + FPS "%-25s p \t prohibited\n", ""); + FPS "%-25s P \t trusted peer\n", ""); FPS "%-25s c \t valid CA\n", ""); FPS "%-25s T \t trusted CA to issue client certs (implies c)\n", ""); FPS "%-25s C \t trusted CA to issue server certs (implies c)\n", ""); diff --git a/security/nss/cmd/chktest/Makefile b/security/nss/cmd/chktest/Makefile new file mode 100644 index 00000000000..3e49e05b65a --- /dev/null +++ b/security/nss/cmd/chktest/Makefile 
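Review bot: The help line for `p` flips from "valid peer" to "prohibited" and `P` no longer says "implies p", but the usage text gives no hint that an existing `-t p,,` invocation now means the opposite of what it used to. Assuming the flag handling changed to match (the parsing code is outside this hunk), I would make the line explicit, for example `p \t prohibited (explicitly distrusted)`, and mention the changed meaning in the release notes so scripted trust settings get re-checked. luCommonDetailsAE continues outside the hunk.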
@@ -0,0 +1,79 @@ +#! gmake +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). 
# +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include ../platlibs.mk + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + +include ../platrules.mk diff --git a/security/nss/cmd/chktest/chktest.c b/security/nss/cmd/chktest/chktest.c new file mode 100644 index 00000000000..6fbc3d9f941 --- /dev/null +++ b/security/nss/cmd/chktest/chktest.c 
@@ -0,0 +1,76 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Kai Engert + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. 
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include
+#include
+
+#include "blapi.h"
+#include "secutil.h"
+
+static int Usage()
+{
+ fprintf(stderr, "Usage: chktest \n");
+ fprintf(stderr, " Will test for valid chk file.\n");
+ fprintf(stderr, " Will print SUCCESS or FAILURE.\n");
+ exit(1);
+}
+
+int main(int argc, char **argv)
+{
+ SECStatus rv = SECFailure;
+ PRBool good_result = PR_FALSE;
+
+ if (argc != 2)
+ return Usage();
+
+ rv = RNG_RNGInit();
+ if (rv != SECSuccess) {
+ SECU_PrintPRandOSError("");
+ return -1;
+ }
+ rv = BL_Init();
+ if (rv != SECSuccess) {
+ SECU_PrintPRandOSError("");
+ return -1;
+ }
+ RNG_SystemInfoForRNG();
+
+ good_result = BLAPI_SHVerifyFile(argv[1]);
+ printf("%s\n",
+ (good_result ? "SUCCESS" : "FAILURE"));
+ return (good_result) ? SECSuccess : SECFailure;
+}
diff --git a/security/nss/cmd/chktest/manifest.mn b/security/nss/cmd/chktest/manifest.mn
new file mode 100644
index 00000000000..6a0fe45f44a
--- /dev/null
+++ b/security/nss/cmd/chktest/manifest.mn
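Review bot: `main` in chktest.c uses SECStatus values as the process exit status: `return (good_result) ? SECSuccess : SECFailure;` and the two `return -1;` paths both yield a negative value, which a POSIX shell reports as 255, so a script cannot tell a library initialisation failure from a failed chk verification. Distinct small codes would make the verdict safer to consume, for example `return good_result ? 0 : 1;` at the end and `return 2;` after a failed `RNG_RNGInit()` or `BL_Init()`. `Usage()` is declared `static int` but has no return statement because it calls `exit(1)`; `static void Usage(void)` called on its own line would say what it does. A short header comment stating that the single argument is handed to `BLAPI_SHVerifyFile` and that SUCCESS/FAILURE is that call's result would document the tool.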
@@ -0,0 +1,59 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** +CORE_DEPTH = ../../.. 
+ +MODULE = nss + +#REQUIRES = seccmd dbm softoken +REQUIRES = seccmd dbm + +#INCLUDES += -I$(CORE_DEPTH)/nss/lib/softoken + +PROGRAM = chktest + + USE_STATIC_LIBS = 1 + +EXPORTS = \ + $(NULL) + +PRIVATE_EXPORTS = \ + $(NULL) + +CSRCS = \ + chktest.c \ + $(NULL) + diff --git a/security/nss/cmd/lib/Makefile b/security/nss/cmd/lib/Makefile index 54ef29fdf75..5786fbcf05e 100644 --- a/security/nss/cmd/lib/Makefile +++ b/security/nss/cmd/lib/Makefile @@ -78,5 +78,4 @@ include $(CORE_DEPTH)/coreconf/rules.mk export:: private_export -$(OBJDIR)/secerror$(OBJ_SUFFIX): NSPRerrs.h SECerrs.h SSLerrs.h diff --git a/security/nss/cmd/lib/NSPRerrs.h b/security/nss/cmd/lib/NSPRerrs.h deleted file mode 100644 index b11169847c1..00000000000 --- a/security/nss/cmd/lib/NSPRerrs.h +++ /dev/null 
@@ -1,153 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 1994-2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. - * - * ***** END LICENSE BLOCK ***** */ -/* General NSPR 2.0 errors */ -/* Caller must #include "prerror.h" */ - -ER2( PR_OUT_OF_MEMORY_ERROR, "Memory allocation attempt failed." ) -ER2( PR_BAD_DESCRIPTOR_ERROR, "Invalid file descriptor." 
) -ER2( PR_WOULD_BLOCK_ERROR, "The operation would have blocked." ) -ER2( PR_ACCESS_FAULT_ERROR, "Invalid memory address argument." ) -ER2( PR_INVALID_METHOD_ERROR, "Invalid function for file type." ) -ER2( PR_ILLEGAL_ACCESS_ERROR, "Invalid memory address argument." ) -ER2( PR_UNKNOWN_ERROR, "Some unknown error has occurred." ) -ER2( PR_PENDING_INTERRUPT_ERROR,"Operation interrupted by another thread." ) -ER2( PR_NOT_IMPLEMENTED_ERROR, "function not implemented." ) -ER2( PR_IO_ERROR, "I/O function error." ) -ER2( PR_IO_TIMEOUT_ERROR, "I/O operation timed out." ) -ER2( PR_IO_PENDING_ERROR, "I/O operation on busy file descriptor." ) -ER2( PR_DIRECTORY_OPEN_ERROR, "The directory could not be opened." ) -ER2( PR_INVALID_ARGUMENT_ERROR, "Invalid function argument." ) -ER2( PR_ADDRESS_NOT_AVAILABLE_ERROR, "Network address not available (in use?)." ) -ER2( PR_ADDRESS_NOT_SUPPORTED_ERROR, "Network address type not supported." ) -ER2( PR_IS_CONNECTED_ERROR, "Already connected." ) -ER2( PR_BAD_ADDRESS_ERROR, "Network address is invalid." ) -ER2( PR_ADDRESS_IN_USE_ERROR, "Local Network address is in use." ) -ER2( PR_CONNECT_REFUSED_ERROR, "Connection refused by peer." ) -ER2( PR_NETWORK_UNREACHABLE_ERROR, "Network address is presently unreachable." ) -ER2( PR_CONNECT_TIMEOUT_ERROR, "Connection attempt timed out." ) -ER2( PR_NOT_CONNECTED_ERROR, "Network file descriptor is not connected." ) -ER2( PR_LOAD_LIBRARY_ERROR, "Failure to load dynamic library." ) -ER2( PR_UNLOAD_LIBRARY_ERROR, "Failure to unload dynamic library." ) -ER2( PR_FIND_SYMBOL_ERROR, -"Symbol not found in any of the loaded dynamic libraries." ) -ER2( PR_INSUFFICIENT_RESOURCES_ERROR, "Insufficient system resources." ) -ER2( PR_DIRECTORY_LOOKUP_ERROR, -"A directory lookup on a network address has failed." ) -ER2( PR_TPD_RANGE_ERROR, -"Attempt to access a TPD key that is out of range." ) -ER2( PR_PROC_DESC_TABLE_FULL_ERROR, "Process open FD table is full." 
) -ER2( PR_SYS_DESC_TABLE_FULL_ERROR, "System open FD table is full." ) -ER2( PR_NOT_SOCKET_ERROR, -"Network operation attempted on non-network file descriptor." ) -ER2( PR_NOT_TCP_SOCKET_ERROR, -"TCP-specific function attempted on a non-TCP file descriptor." ) -ER2( PR_SOCKET_ADDRESS_IS_BOUND_ERROR, "TCP file descriptor is already bound." ) -ER2( PR_NO_ACCESS_RIGHTS_ERROR, "Access Denied." ) -ER2( PR_OPERATION_NOT_SUPPORTED_ERROR, -"The requested operation is not supported by the platform." ) -ER2( PR_PROTOCOL_NOT_SUPPORTED_ERROR, -"The host operating system does not support the protocol requested." ) -ER2( PR_REMOTE_FILE_ERROR, "Access to the remote file has been severed." ) -ER2( PR_BUFFER_OVERFLOW_ERROR, -"The value requested is too large to be stored in the data buffer provided." ) -ER2( PR_CONNECT_RESET_ERROR, "TCP connection reset by peer." ) -ER2( PR_RANGE_ERROR, "Unused." ) -ER2( PR_DEADLOCK_ERROR, "The operation would have deadlocked." ) -ER2( PR_FILE_IS_LOCKED_ERROR, "The file is already locked." ) -ER2( PR_FILE_TOO_BIG_ERROR, -"Write would result in file larger than the system allows." ) -ER2( PR_NO_DEVICE_SPACE_ERROR, "The device for storing the file is full." ) -ER2( PR_PIPE_ERROR, "Unused." ) -ER2( PR_NO_SEEK_DEVICE_ERROR, "Unused." ) -ER2( PR_IS_DIRECTORY_ERROR, -"Cannot perform a normal file operation on a directory." ) -ER2( PR_LOOP_ERROR, "Symbolic link loop." ) -ER2( PR_NAME_TOO_LONG_ERROR, "File name is too long." ) -ER2( PR_FILE_NOT_FOUND_ERROR, "File not found." ) -ER2( PR_NOT_DIRECTORY_ERROR, -"Cannot perform directory operation on a normal file." ) -ER2( PR_READ_ONLY_FILESYSTEM_ERROR, -"Cannot write to a read-only file system." ) -ER2( PR_DIRECTORY_NOT_EMPTY_ERROR, -"Cannot delete a directory that is not empty." ) -ER2( PR_FILESYSTEM_MOUNTED_ERROR, -"Cannot delete or rename a file object while the file system is busy." ) -ER2( PR_NOT_SAME_DEVICE_ERROR, -"Cannot rename a file to a file system on another device." 
) -ER2( PR_DIRECTORY_CORRUPTED_ERROR, -"The directory object in the file system is corrupted." ) -ER2( PR_FILE_EXISTS_ERROR, -"Cannot create or rename a filename that already exists." ) -ER2( PR_MAX_DIRECTORY_ENTRIES_ERROR, -"Directory is full. No additional filenames may be added." ) -ER2( PR_INVALID_DEVICE_STATE_ERROR, -"The required device was in an invalid state." ) -ER2( PR_DEVICE_IS_LOCKED_ERROR, "The device is locked." ) -ER2( PR_NO_MORE_FILES_ERROR, "No more entries in the directory." ) -ER2( PR_END_OF_FILE_ERROR, "Encountered end of file." ) -ER2( PR_FILE_SEEK_ERROR, "Seek error." ) -ER2( PR_FILE_IS_BUSY_ERROR, "The file is busy." ) -ER2( PR_IN_PROGRESS_ERROR, -"Operation is still in progress (probably a non-blocking connect)." ) -ER2( PR_ALREADY_INITIATED_ERROR, -"Operation has already been initiated (probably a non-blocking connect)." ) - -#ifdef PR_GROUP_EMPTY_ERROR -ER2( PR_GROUP_EMPTY_ERROR, "The wait group is empty." ) -#endif - -#ifdef PR_INVALID_STATE_ERROR -ER2( PR_INVALID_STATE_ERROR, "Object state improper for request." ) -#endif - -#ifdef PR_NETWORK_DOWN_ERROR -ER2( PR_NETWORK_DOWN_ERROR, "Network is down." ) -#endif - -#ifdef PR_SOCKET_SHUTDOWN_ERROR -ER2( PR_SOCKET_SHUTDOWN_ERROR, "The socket was previously shut down." ) -#endif - -#ifdef PR_CONNECT_ABORTED_ERROR -ER2( PR_CONNECT_ABORTED_ERROR, "TCP Connection aborted." ) -#endif - -#ifdef PR_HOST_UNREACHABLE_ERROR -ER2( PR_HOST_UNREACHABLE_ERROR, "Host is unreachable." ) -#endif - -/* always last */ -ER2( PR_MAX_ERROR, "Placeholder for the end of the list" ) diff --git a/security/nss/cmd/lib/manifest.mn b/security/nss/cmd/lib/manifest.mn index 767b58a1033..8ea950495de 100644 --- a/security/nss/cmd/lib/manifest.mn +++ b/security/nss/cmd/lib/manifest.mn @@ -44,9 +44,6 @@ MODULE = nss DEFINES = -DNSPR20 PRIVATE_EXPORTS = secutil.h \ - NSPRerrs.h \ - SECerrs.h \ - SSLerrs.h \ pk11table.h \ $(NULL) @@ -60,6 +57,4 @@ CSRCS = secutil.c \ pk11table.c \ $(NULL) -REQUIRES = dbm - NO_MD_RELEASE = 1 
diff --git a/security/nss/cmd/lib/pk11table.c b/security/nss/cmd/lib/pk11table.c index 5ec551fb2b9..1016fe593a8 100644 --- a/security/nss/cmd/lib/pk11table.c +++ b/security/nss/cmd/lib/pk11table.c @@ -155,10 +155,10 @@ const Constant _consts[] = { mkEntry(CKO_HW_FEATURE, Object), mkEntry(CKO_DOMAIN_PARAMETERS, Object), mkEntry(CKO_KG_PARAMETERS, Object), - mkEntry(CKO_NETSCAPE_CRL, Object), - mkEntry(CKO_NETSCAPE_SMIME, Object), - mkEntry(CKO_NETSCAPE_TRUST, Object), - mkEntry(CKO_NETSCAPE_BUILTIN_ROOT_LIST, Object), + mkEntry(CKO_NSS_CRL, Object), + mkEntry(CKO_NSS_SMIME, Object), + mkEntry(CKO_NSS_TRUST, Object), + mkEntry(CKO_NSS_BUILTIN_ROOT_LIST, Object), mkEntry(CKH_MONOTONIC_COUNTER, Hardware), mkEntry(CKH_CLOCK, Hardware), @@ -188,7 +188,7 @@ const Constant _consts[] = { mkEntry(CKK_CDMF, KeyType), mkEntry(CKK_AES, KeyType), mkEntry(CKK_CAMELLIA, KeyType), - mkEntry(CKK_NETSCAPE_PKCS8, KeyType), + mkEntry(CKK_NSS_PKCS8, KeyType), mkEntry(CKC_X_509, CertType), mkEntry(CKC_X_509_ATTR_CERT, CertType), 
@@ -252,18 +252,18 @@ const Constant _consts[] = { mkEntry2(CKA_HW_FEATURE_TYPE, Attribute, Hardware), mkEntry2(CKA_RESET_ON_INIT, Attribute, Bool), mkEntry2(CKA_HAS_RESET, Attribute, Bool), - mkEntry2(CKA_NETSCAPE_URL, Attribute, None), - mkEntry2(CKA_NETSCAPE_EMAIL, Attribute, None), - mkEntry2(CKA_NETSCAPE_SMIME_INFO, Attribute, None), - mkEntry2(CKA_NETSCAPE_SMIME_TIMESTAMP, Attribute, None), - mkEntry2(CKA_NETSCAPE_PKCS8_SALT, Attribute, None), - mkEntry2(CKA_NETSCAPE_PASSWORD_CHECK, Attribute, None), - mkEntry2(CKA_NETSCAPE_EXPIRES, Attribute, None), - mkEntry2(CKA_NETSCAPE_KRL, Attribute, None), - mkEntry2(CKA_NETSCAPE_PQG_COUNTER, Attribute, None), - mkEntry2(CKA_NETSCAPE_PQG_SEED, Attribute, None), - mkEntry2(CKA_NETSCAPE_PQG_H, Attribute, None), - mkEntry2(CKA_NETSCAPE_PQG_SEED_BITS, Attribute, None), + mkEntry2(CKA_NSS_URL, Attribute, None), + mkEntry2(CKA_NSS_EMAIL, Attribute, None), + mkEntry2(CKA_NSS_SMIME_INFO, Attribute, None), + mkEntry2(CKA_NSS_SMIME_TIMESTAMP, Attribute, None), + mkEntry2(CKA_NSS_PKCS8_SALT, Attribute, None), + mkEntry2(CKA_NSS_PASSWORD_CHECK, Attribute, None), + mkEntry2(CKA_NSS_EXPIRES, Attribute, None), + mkEntry2(CKA_NSS_KRL, Attribute, None), + mkEntry2(CKA_NSS_PQG_COUNTER, Attribute, None), + mkEntry2(CKA_NSS_PQG_SEED, Attribute, None), + mkEntry2(CKA_NSS_PQG_H, Attribute, None), + mkEntry2(CKA_NSS_PQG_SEED_BITS, Attribute, None), mkEntry2(CKA_TRUST_DIGITAL_SIGNATURE, Attribute, Trust), mkEntry2(CKA_TRUST_NON_REPUDIATION, Attribute, Trust), mkEntry2(CKA_TRUST_KEY_ENCIPHERMENT, Attribute, Trust), 
@@ -492,8 +492,8 @@ const Constant _consts[] = { mkEntry(CKM_SEED_CBC_ENCRYPT_DATA, Mechanism), mkEntry(CKM_DSA_PARAMETER_GEN, Mechanism), mkEntry(CKM_DH_PKCS_PARAMETER_GEN, Mechanism), - mkEntry(CKM_NETSCAPE_AES_KEY_WRAP, Mechanism), - mkEntry(CKM_NETSCAPE_AES_KEY_WRAP_PAD, Mechanism), + mkEntry(CKM_NSS_AES_KEY_WRAP, Mechanism), + mkEntry(CKM_NSS_AES_KEY_WRAP_PAD, Mechanism), mkEntry(CKM_NETSCAPE_PBE_SHA1_DES_CBC, Mechanism), mkEntry(CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, Mechanism), mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, Mechanism), @@ -593,13 +593,12 @@ const Constant _consts[] = { mkEntry(CKR_MUTEX_NOT_LOCKED, Result), mkEntry(CKR_VENDOR_DEFINED, Result), - mkEntry(CKT_NETSCAPE_TRUSTED, Trust), - mkEntry(CKT_NETSCAPE_TRUSTED_DELEGATOR, Trust), - mkEntry(CKT_NETSCAPE_UNTRUSTED, Trust), - mkEntry(CKT_NETSCAPE_MUST_VERIFY, Trust), - mkEntry(CKT_NETSCAPE_TRUST_UNKNOWN, Trust), - mkEntry(CKT_NETSCAPE_VALID, Trust), - mkEntry(CKT_NETSCAPE_VALID_DELEGATOR, Trust), + mkEntry(CKT_NSS_TRUSTED, Trust), + mkEntry(CKT_NSS_TRUSTED_DELEGATOR, Trust), + mkEntry(CKT_NSS_NOT_TRUSTED, Trust), + mkEntry(CKT_NSS_MUST_VERIFY_TRUST, Trust), + mkEntry(CKT_NSS_TRUST_UNKNOWN, Trust), + mkEntry(CKT_NSS_VALID_DELEGATOR, Trust), mkEntry(CK_EFFECTIVELY_INFINITE, AvailableSizes), mkEntry(CK_UNAVAILABLE_INFORMATION, CurrentSize), @@ -1252,7 +1251,7 @@ const Commands _commands[] = { ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }}, {"NewMechanism", F_NewMechanism, "NewMechanism varName mechanismType\n\n" -"Create a new CK_MECHANISM object with type NULL paramters and specified type\n" +"Create a new CK_MECHANISM object with type NULL parameters and specified type\n" " varName variable name of the new mechansim\n" " mechanismType CKM_ mechanism type value to set int the type field\n", {ArgVar|ArgNew, ArgULong, ArgNone, ArgNone, ArgNone, diff --git a/security/nss/cmd/lib/secerror.c b/security/nss/cmd/lib/secerror.c index 651cf552019..f1182961d37 100644 --- a/security/nss/cmd/lib/secerror.c 
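Review bot: The `CKT_` block in the `@@ -593,13 +593,12 @@` hunk is not a one-for-one rename like the rest of this file: seven entries become six, `CKT_NETSCAPE_VALID` has no replacement, and two names change meaning-bearing words (`CKT_NETSCAPE_UNTRUSTED` becomes `CKT_NSS_NOT_TRUSTED`, `CKT_NETSCAPE_MUST_VERIFY` becomes `CKT_NSS_MUST_VERIFY_TRUST`). Because this table is what turns trust values into names for the person reading the tool's output, a dropped value would presumably show up as an unnamed number. A comment above the block such as `/* CKT_NETSCAPE_VALID has no CKT_NSS_ counterpart and is intentionally not listed */` would record that the omission is deliberate. The `CKM_NETSCAPE_PBE_*` context lines in the preceding hunk keep the old prefix, which is worth a word in the same comment if that is intended.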
+++ b/security/nss/cmd/lib/secerror.c @@ -33,78 +33,13 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -#include "nspr.h" - -struct tuple_str { - PRErrorCode errNum; - const char * errString; -}; - -typedef struct tuple_str tuple_str; - -#define ER2(a,b) {a, b}, -#define ER3(a,b,c) {a, c}, - -#include "secerr.h" -#include "sslerr.h" - -const tuple_str errStrings[] = { - -/* keep this list in asceding order of error numbers */ -#include "SSLerrs.h" -#include "SECerrs.h" -#include "NSPRerrs.h" - -}; - -const PRInt32 numStrings = sizeof(errStrings) / sizeof(tuple_str); +#include "prtypes.h" +#include "nssutil.h" /* Returns a UTF-8 encoded constant error string for "errNum". - * Returns NULL of errNum is unknown. + * Returns NULL if errNum is unknown. */ const char * SECU_Strerror(PRErrorCode errNum) { - PRInt32 low = 0; - PRInt32 high = numStrings - 1; - PRInt32 i; - PRErrorCode num; - static int initDone; - - /* make sure table is in ascending order. - * binary search depends on it. - */ - if (!initDone) { - PRErrorCode lastNum = ((PRInt32)0x80000000); - for (i = low; i <= high; ++i) { - num = errStrings[i].errNum; - if (num <= lastNum) { - fprintf(stderr, -"sequence error in error strings at item %d\n" -"error %d (%s)\n" -"should come after \n" -"error %d (%s)\n", - i, lastNum, errStrings[i-1].errString, - num, errStrings[i].errString); - } - lastNum = num; - } - initDone = 1; - } - - /* Do binary search of table. */ - while (low + 1 < high) { - i = (low + high) / 2; - num = errStrings[i].errNum; - if (errNum == num) - return errStrings[i].errString; - if (errNum < num) - high = i; - else - low = i; - } - if (errNum == errStrings[low].errNum) - return errStrings[low].errString; - if (errNum == errStrings[high].errNum) - return errStrings[high].errString; - return NULL; + return NSS_Strerror(errNum, formatSimple); } 
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c index 2a7d1052af4..6a0c533dcde 100644 --- a/security/nss/cmd/lib/secutil.c +++ b/security/nss/cmd/lib/secutil.c @@ -83,15 +83,9 @@ static char consoleName[] = { #endif }; +#include "nssutil.h" +#include "ssl.h" -char * -SECU_GetString(int16 error_number) -{ - - static char errString[80]; - sprintf(errString, "Unknown error string (%d)", error_number); - return errString; -} void SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...) 
@@ -1515,6 +1509,70 @@ const SEC_ASN1Template secuPBEV2Params[] = { 0 } }; +void +secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level) +{ + PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + SECStatus rv; + SECKEYRSAPSSParams param; + SECAlgorithmID maskHashAlg; + + if (m) { + SECU_Indent(out, level); + fprintf (out, "%s:\n", m); + } + + if (!pool) { + SECU_Indent(out, level); + fprintf(out, "Out of memory\n"); + return; + } + + PORT_Memset(¶m, 0, sizeof param); + + rv = SEC_QuickDERDecodeItem(pool, ¶m, + SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate), + value); + if (rv == SECSuccess) { + if (!param.hashAlg) { + SECU_Indent(out, level+1); + fprintf(out, "Hash algorithm: default, SHA-1\n"); + } else { + SECU_PrintObjectID(out, ¶m.hashAlg->algorithm, + "Hash algorithm", level+1); + } + if (!param.maskAlg) { + SECU_Indent(out, level+1); + fprintf(out, "Mask algorithm: default, MGF1\n"); + SECU_Indent(out, level+1); + fprintf(out, "Mask hash algorithm: default, SHA-1\n"); + } else { + SECU_PrintObjectID(out, ¶m.maskAlg->algorithm, + "Mask algorithm", level+1); + rv = SEC_QuickDERDecodeItem(pool, &maskHashAlg, + SEC_ASN1_GET(SECOID_AlgorithmIDTemplate), + ¶m.maskAlg->parameters); + if (rv == SECSuccess) { + SECU_PrintObjectID(out, &maskHashAlg.algorithm, + "Mask hash algorithm", level+1); + } else { + SECU_Indent(out, level+1); + fprintf(out, "Invalid mask generation algorithm parameters\n"); + } + } + if (!param.saltLength.data) { + SECU_Indent(out, level+1); + fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20); + } else { + SECU_PrintInteger(out, ¶m.saltLength, "Salt Length", level+1); + } + } else { + SECU_Indent(out, level+1); + fprintf(out, "Invalid RSA-PSS parameters\n"); + } + PORT_FreeArena(pool, PR_FALSE); +} + void secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level) { 
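Review bot: In `secu_PrintRSAPSSParams`, `param` is zeroed with `PORT_Memset` before the first `SEC_QuickDERDecodeItem`, but `maskHashAlg` is handed to the second decode uninitialised. Only `maskHashAlg.algorithm` is read afterwards and only when the decode succeeds, so this is probably harmless, but the bytes being decoded come from the object being printed, and `PORT_Memset(&maskHashAlg, 0, sizeof maskHashAlg);` before the call removes the question. The mask parameters are also decoded as an AlgorithmID without checking that the mask algorithm OID is MGF1, so for any other mask algorithm the "Mask hash algorithm" line may be misleading; a comment noting that assumption would help. The literal `20` in the default salt length line deserves a name or a comment tying it to the SHA-1 default printed above.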
@@ -1625,7 +1683,11 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level) } return; } - + + if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { + secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level+1); + return; + } if (a->parameters.len == 0 || (a->parameters.len == 2 @@ -2384,7 +2446,7 @@ printflags(char *trusts, unsigned int flags) if (!(flags & CERTDB_TRUSTED_CA) && !(flags & CERTDB_TRUSTED_CLIENT_CA)) PORT_Strcat(trusts, "c"); - if (flags & CERTDB_VALID_PEER) + if (flags & CERTDB_TERMINAL_RECORD) if (!(flags & CERTDB_TRUSTED)) PORT_Strcat(trusts, "p"); if (flags & CERTDB_TRUSTED_CA) @@ -3209,8 +3271,8 @@ SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, int level) void printFlags(FILE *out, unsigned int flags, int level) { - if ( flags & CERTDB_VALID_PEER ) { - SECU_Indent(out, level); fprintf(out, "Valid Peer\n"); + if ( flags & CERTDB_TERMINAL_RECORD ) { + SECU_Indent(out, level); fprintf(out, "Terminal Record\n"); } if ( flags & CERTDB_TRUSTED ) { SECU_Indent(out, level); fprintf(out, "Trusted\n"); @@ -3250,6 +3312,29 @@ SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level) printFlags(out, trust->objectSigningFlags, level+2); } +int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level) +{ + PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + CERTName *name; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + + name = PORT_ArenaZNew(arena, CERTName); + if (!name) + goto loser; + + rv = SEC_ASN1DecodeItem(arena, name, SEC_ASN1_GET(CERT_NameTemplate), der); + if (rv) + goto loser; + + SECU_PrintName(out, name, m, level); +loser: + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m, int level, SECU_PPFunc inner) { @@ -3281,7 +3366,6 @@ int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m, loser: PORT_FreeArena(arena, PR_FALSE); return rv; - } SECStatus 
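Review bot: `SECU_PrintDERName` returns two kinds of value through one `int`: the error code `SEC_ERROR_NO_MEMORY` when `PORT_NewArena` or `PORT_ArenaZNew` fails, and the status from `SEC_ASN1DecodeItem` otherwise. A caller that only tests for non-zero works either way, but one that compares against `SECSuccess`/`SECFailure` or prints the value as an error code gets inconsistent results; how the `pp.c` caller uses `rv` is not fully visible here. The contract should be stated above the definition, for example `/* Returns 0 on success; non-zero (an error code or SECFailure) on failure. */`. The declaration comment added in secutil.h could carry the same sentence.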
@@ -3511,123 +3595,6 @@ SECU_GetOptionArg(const secuCommand *cmd, int optionNum) return NULL; } -static char SECUErrorBuf[64]; - -char * -SECU_ErrorStringRaw(int16 err) -{ - if (err == 0) - SECUErrorBuf[0] = '\0'; - else if (err == SEC_ERROR_BAD_DATA) - sprintf(SECUErrorBuf, "Bad data"); - else if (err == SEC_ERROR_BAD_DATABASE) - sprintf(SECUErrorBuf, "Problem with database"); - else if (err == SEC_ERROR_BAD_DER) - sprintf(SECUErrorBuf, "Problem with DER"); - else if (err == SEC_ERROR_BAD_KEY) - sprintf(SECUErrorBuf, "Problem with key"); - else if (err == SEC_ERROR_BAD_PASSWORD) - sprintf(SECUErrorBuf, "Incorrect password"); - else if (err == SEC_ERROR_BAD_SIGNATURE) - sprintf(SECUErrorBuf, "Bad signature"); - else if (err == SEC_ERROR_EXPIRED_CERTIFICATE) - sprintf(SECUErrorBuf, "Expired certificate"); - else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID) - sprintf(SECUErrorBuf, "Invalid extension value"); - else if (err == SEC_ERROR_INPUT_LEN) - sprintf(SECUErrorBuf, "Problem with input length"); - else if (err == SEC_ERROR_INVALID_ALGORITHM) - sprintf(SECUErrorBuf, "Invalid algorithm"); - else if (err == SEC_ERROR_INVALID_ARGS) - sprintf(SECUErrorBuf, "Invalid arguments"); - else if (err == SEC_ERROR_INVALID_AVA) - sprintf(SECUErrorBuf, "Invalid AVA"); - else if (err == SEC_ERROR_INVALID_TIME) - sprintf(SECUErrorBuf, "Invalid time"); - else if (err == SEC_ERROR_IO) - sprintf(SECUErrorBuf, "Security I/O error"); - else if (err == SEC_ERROR_LIBRARY_FAILURE) - sprintf(SECUErrorBuf, "Library failure"); - else if (err == SEC_ERROR_NO_MEMORY) - sprintf(SECUErrorBuf, "Out of memory"); - else if (err == SEC_ERROR_OLD_CRL) - sprintf(SECUErrorBuf, "CRL is older than the current one"); - else if (err == SEC_ERROR_OUTPUT_LEN) - sprintf(SECUErrorBuf, "Problem with output length"); - else if (err == SEC_ERROR_UNKNOWN_ISSUER) - sprintf(SECUErrorBuf, "Unknown issuer"); - else if (err == SEC_ERROR_UNTRUSTED_CERT) - sprintf(SECUErrorBuf, "Untrusted certificate"); - else if (err 
== SEC_ERROR_UNTRUSTED_ISSUER) - sprintf(SECUErrorBuf, "Untrusted issuer"); - else if (err == SSL_ERROR_BAD_CERTIFICATE) - sprintf(SECUErrorBuf, "Bad certificate"); - else if (err == SSL_ERROR_BAD_CLIENT) - sprintf(SECUErrorBuf, "Bad client"); - else if (err == SSL_ERROR_BAD_SERVER) - sprintf(SECUErrorBuf, "Bad server"); - else if (err == SSL_ERROR_EXPORT_ONLY_SERVER) - sprintf(SECUErrorBuf, "Export only server"); - else if (err == SSL_ERROR_NO_CERTIFICATE) - sprintf(SECUErrorBuf, "No certificate"); - else if (err == SSL_ERROR_NO_CYPHER_OVERLAP) - sprintf(SECUErrorBuf, "No cypher overlap"); - else if (err == SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE) - sprintf(SECUErrorBuf, "Unsupported certificate type"); - else if (err == SSL_ERROR_UNSUPPORTED_VERSION) - sprintf(SECUErrorBuf, "Unsupported version"); - else if (err == SSL_ERROR_US_ONLY_SERVER) - sprintf(SECUErrorBuf, "U.S. only server"); - else if (err == PR_IO_ERROR) - sprintf(SECUErrorBuf, "I/O error"); - - else if (err == SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) - sprintf (SECUErrorBuf, "Expired Issuer Certificate"); - else if (err == SEC_ERROR_REVOKED_CERTIFICATE) - sprintf (SECUErrorBuf, "Revoked certificate"); - else if (err == SEC_ERROR_NO_KEY) - sprintf (SECUErrorBuf, "No private key in database for this cert"); - else if (err == SEC_ERROR_CERT_NOT_VALID) - sprintf (SECUErrorBuf, "Certificate is not valid"); - else if (err == SEC_ERROR_EXTENSION_NOT_FOUND) - sprintf (SECUErrorBuf, "Certificate extension was not found"); - else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID) - sprintf (SECUErrorBuf, "Certificate extension value invalid"); - else if (err == SEC_ERROR_CA_CERT_INVALID) - sprintf (SECUErrorBuf, "Issuer certificate is invalid"); - else if (err == SEC_ERROR_CERT_USAGES_INVALID) - sprintf (SECUErrorBuf, "Certificate usages is invalid"); - else if (err == SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION) - sprintf (SECUErrorBuf, "Certificate has unknown critical extension"); - else if (err == 
SEC_ERROR_PKCS7_BAD_SIGNATURE) - sprintf (SECUErrorBuf, "Bad PKCS7 signature"); - else if (err == SEC_ERROR_INADEQUATE_KEY_USAGE) - sprintf (SECUErrorBuf, "Certificate not approved for this operation"); - else if (err == SEC_ERROR_INADEQUATE_CERT_TYPE) - sprintf (SECUErrorBuf, "Certificate not approved for this operation"); - - return SECUErrorBuf; -} - -char * -SECU_ErrorString(int16 err) -{ - char *error_string; - - *SECUErrorBuf = 0; - SECU_ErrorStringRaw (err); - - if (*SECUErrorBuf == 0) { - error_string = SECU_GetString(err); - if (error_string == NULL || *error_string == '\0') - sprintf(SECUErrorBuf, "No error string found for %d.", err); - else - return error_string; - } - - return SECUErrorBuf; -} - void SECU_PrintPRandOSError(char *progName) diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h index 8a6ab3cd6ba..c482431b705 100644 --- a/security/nss/cmd/lib/secutil.h +++ b/security/nss/cmd/lib/secutil.h @@ -52,6 +52,7 @@ #define SEC_CT_CERTIFICATE_REQUEST "certificate-request" #define SEC_CT_PKCS7 "pkcs7" #define SEC_CT_CRL "crl" +#define SEC_CT_NAME "name" #define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----" #define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----" @@ -259,6 +260,9 @@ extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, /* Dump contents of certificate */ extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level); +/* Dump contents of a DER certificate name (issuer or subject) */ +extern int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level); + /* print trust flags on a cert */ extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level); 
@@ -442,12 +446,6 @@ SECU_GetOptionArg(const secuCommand *cmd, int optionNum); * */ -/* Return informative error string */ -char *SECU_ErrorString(int16 err); - -/* Return informative error string. Does not call XP_GetString */ -char *SECU_ErrorStringRaw(int16 err); - void printflags(char *trusts, unsigned int flags); #if !defined(XP_UNIX) && !defined(XP_OS2) diff --git a/security/nss/cmd/manifest.mn b/security/nss/cmd/manifest.mn index 4032e813150..f71680fe9eb 100644 --- a/security/nss/cmd/manifest.mn +++ b/security/nss/cmd/manifest.mn @@ -48,6 +48,7 @@ DIRS = lib \ certcgi \ certutil \ checkcert \ + chktest \ crlutil \ crmftest \ dbtest \ diff --git a/security/nss/cmd/modutil/install.c b/security/nss/cmd/modutil/install.c index 10819190c4d..9f170e2b3bc 100644 --- a/security/nss/cmd/modutil/install.c +++ b/security/nss/cmd/modutil/install.c @@ -36,6 +36,7 @@ #include "install.h" #include "install-ds.h" +#include #include #include #include @@ -61,7 +62,7 @@ extern /*"C"*/ short Pk11Install_UserVerifyJar(JAR *jar, PRFileDesc *out, PRBool query); extern /*"C"*/ -const char* mySECU_ErrorString(int16); +const char* mySECU_ErrorString(PRErrorCode errnum); extern int Pk11Install_yyparse(); @@ -418,7 +419,7 @@ Pk11Install_DoInstall(char *jarFile, const char *installDir, error(PK11_INSTALL_JAR_ERROR, jarFile, JAR_get_error(status)); } else { error(PK11_INSTALL_JAR_ERROR, jarFile, - mySECU_ErrorString((int16) PORT_GetError()) ); + mySECU_ErrorString(PORT_GetError())); } ret=PK11_INSTALL_JAR_ERROR; goto loser; @@ -470,7 +471,7 @@ Pk11Install_DoInstall(char *jarFile, const char *installDir, error(PK11_INSTALL_JAR_EXTRACT, installer, JAR_get_error(status)); } else { error(PK11_INSTALL_JAR_EXTRACT, installer, - mySECU_ErrorString((int16) PORT_GetError()) ); + mySECU_ErrorString(PORT_GetError())); } ret = PK11_INSTALL_JAR_EXTRACT; goto loser; 
@@ -692,7 +693,7 @@ DoInstall(JAR *jar, const char *installDir, const char *tempDir, JAR_get_error(status)); } else { error(PK11_INSTALL_JAR_EXTRACT, file->jarPath, - mySECU_ErrorString((int16) PORT_GetError()) ); + mySECU_ErrorString(PORT_GetError())); } ret=PK11_INSTALL_JAR_EXTRACT; goto loser; diff --git a/security/nss/cmd/modutil/instsec.c b/security/nss/cmd/modutil/instsec.c index cfc0082342d..9914b2f323e 100644 --- a/security/nss/cmd/modutil/instsec.c +++ b/security/nss/cmd/modutil/instsec.c @@ -35,6 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #include +#include #include #include #include @@ -175,7 +176,7 @@ PR_fgets(char *buf, int size, PRFileDesc *file) * m y S E C U _ E r r o r S t r i n g * */ -const char* mySECU_ErrorString(int16 errnum) +const char* mySECU_ErrorString(PRErrorCode errnum) { return SECU_Strerror(errnum); } diff --git a/security/nss/cmd/pk11mode/pk11mode.c b/security/nss/cmd/pk11mode/pk11mode.c index 279809f6cee..761eb540225 100644 --- a/security/nss/cmd/pk11mode/pk11mode.c +++ b/security/nss/cmd/pk11mode/pk11mode.c @@ -883,18 +883,21 @@ CK_RV PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunctionList, mech_str digestMechs[] = { {CKM_SHA_1, "CKM_SHA_1 "}, + {CKM_SHA224, "CKM_SHA224"}, {CKM_SHA256, "CKM_SHA256"}, {CKM_SHA384, "CKM_SHA384"}, {CKM_SHA512, "CKM_SHA512"} }; mech_str hmacMechs[] = { {CKM_SHA_1_HMAC, "CKM_SHA_1_HMAC"}, + {CKM_SHA224_HMAC, "CKM_SHA224_HMAC"}, {CKM_SHA256_HMAC, "CKM_SHA256_HMAC"}, {CKM_SHA384_HMAC, "CKM_SHA384_HMAC"}, {CKM_SHA512_HMAC, "CKM_SHA512_HMAC"} }; mech_str sigRSAMechs[] = { {CKM_SHA1_RSA_PKCS, "CKM_SHA1_RSA_PKCS"}, + {CKM_SHA224_RSA_PKCS, "CKM_SHA224_RSA_PKCS"}, {CKM_SHA256_RSA_PKCS, "CKM_SHA256_RSA_PKCS"}, {CKM_SHA384_RSA_PKCS, "CKM_SHA384_RSA_PKCS"}, {CKM_SHA512_RSA_PKCS, "CKM_SHA512_RSA_PKCS"} 
@@ -5123,7 +5126,7 @@ CK_RV PKM_Digest(CK_FUNCTION_LIST_PTR pFunctionList, CK_BYTE digest2[MAX_DIGEST_SZ]; CK_ULONG digest2Len = 0; - /* Tested with CKM_SHA_1, CKM_SHA256, CKM_SHA384, CKM_SHA512 */ + /* Tested with CKM_SHA_1, CKM_SHA224, CKM_SHA256, CKM_SHA384, CKM_SHA512 */ memset(digest1, 0, sizeof(digest1)); memset(digest2, 0, sizeof(digest2)); diff --git a/security/nss/cmd/pk12util/pk12util.c b/security/nss/cmd/pk12util/pk12util.c index 686d9036c46..bdca3c8f490 100644 --- a/security/nss/cmd/pk12util/pk12util.c +++ b/security/nss/cmd/pk12util/pk12util.c @@ -560,17 +560,17 @@ loser: static void p12u_DoPKCS12ExportErrors() { - int error_value; + PRErrorCode error_value; error_value = PORT_GetError(); if ((error_value == SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY) || (error_value == SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME) || (error_value == SEC_ERROR_PKCS12_UNABLE_TO_WRITE)) { - fputs(SECU_ErrorStringRaw((int16)error_value), stderr); + fputs(SECU_Strerror(error_value), stderr); } else if(error_value == SEC_ERROR_USER_CANCELLED) { ; } else { - fputs(SECU_ErrorStringRaw(SEC_ERROR_EXPORTING_CERTIFICATES), stderr); + fputs(SECU_Strerror(SEC_ERROR_EXPORTING_CERTIFICATES), stderr); } } diff --git a/security/nss/cmd/pp/pp.c b/security/nss/cmd/pp/pp.c index 1d3b2c0819c..dc777b207e3 100644 --- a/security/nss/cmd/pp/pp.c +++ b/security/nss/cmd/pp/pp.c @@ -38,7 +38,7 @@ * Pretty-print some well-known BER or DER encoded data (e.g. certificates, * keys, pkcs7) * - * $Id: pp.c,v 1.9 2007/09/25 03:46:23 nelson%bolyard.com Exp $ + * $Id: pp.c,v 1.10 2010/09/03 19:25:02 nelson%bolyard.com Exp $ */ #include "secutil.h" 
@@ -62,7 +62,8 @@ static void Usage(char *progName) "-t type", SEC_CT_PRIVATE_KEY); fprintf(stderr, "%-20s %s, %s, %s,\n", "", SEC_CT_PUBLIC_KEY, SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST); - fprintf(stderr, "%-20s %s or %s)\n", "", SEC_CT_PKCS7, SEC_CT_CRL); + fprintf(stderr, "%-20s %s, %s or %s)\n", "", SEC_CT_PKCS7, SEC_CT_CRL, + SEC_CT_NAME); fprintf(stderr, "%-20s Input is in ascii encoded form (RFC1113)\n", "-a"); fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n", @@ -166,6 +167,8 @@ int main(int argc, char **argv) } else if (PORT_Strcmp(typeTag, SEC_CT_PKCS7) == 0) { rv = SECU_PrintPKCS7ContentInfo(outFile, &data, "PKCS #7 Content Info", 0); + } else if (PORT_Strcmp(typeTag, SEC_CT_NAME) == 0) { + rv = SECU_PrintDERName(outFile, &data, "Name", 0); } else { fprintf(stderr, "%s: don't know how to print out '%s' files\n", progName, typeTag); diff --git a/security/nss/cmd/ppcertdata/Makefile b/security/nss/cmd/ppcertdata/Makefile new file mode 100644 index 00000000000..8abac8cdbc5 --- /dev/null +++ b/security/nss/cmd/ppcertdata/Makefile 
@@ -0,0 +1,80 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2010
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY). #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL) #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL). #
+#######################################################################
+
+include ../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL) #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL). #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/ppcertdata/manifest.mn b/security/nss/cmd/ppcertdata/manifest.mn
new file mode 100644
index 00000000000..1912208bb2a
--- /dev/null
+++ b/security/nss/cmd/ppcertdata/manifest.mn
@@ -0,0 +1,55 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2010
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+# Nelson Bolyard
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+CORE_DEPTH = ../../..
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd
+
+#DEFINES = -DNSPR20
+
+CSRCS = ppcertdata.c
+
+PROGRAM = ppcertdata
+
diff --git a/security/nss/cmd/ppcertdata/ppcertdata.c b/security/nss/cmd/ppcertdata/ppcertdata.c
new file mode 100644
index 00000000000..0e74c046aa8
--- /dev/null
+++ b/security/nss/cmd/ppcertdata/ppcertdata.c
@@ -0,0 +1,132 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the CertData.txt review helper program.
+ *
+ * The Initial Developer of the Original Code is
+ * Nelson Bolyard
+ * Portions created by the Initial Developer are Copyright (C) 2009-2010
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include
+#include
+#include
+#include
+#include "secutil.h"
+#include "nss.h"
+
+unsigned char binary_line[64 * 1024];
+
+int
+main(int argc, const char ** argv)
+{
+ int skip_count = 0;
+ int bytes_read;
+ char line[133];
+
+ if (argc > 1) {
+ skip_count = atoi(argv[1]);
+ }
+ if (argc > 2 || skip_count < 0) {
+ printf("Usage: %s [ skip_columns ] \n", argv[0]);
+ return 1;
+ }
+
+ NSS_NoDB_Init(NULL);
+
+ while (fgets(line, 132, stdin) && (bytes_read = strlen(line)) > 0 ) {
+ int bytes_written;
+ char * found;
+ char * in = line + skip_count;
+ int left = bytes_read - skip_count;
+ int is_cert;
+ int is_serial;
+ int is_name;
+ int is_hash;
+ int use_pp = 0;
+ int out = 0;
+ SECItem der = {siBuffer, NULL, 0 };
+
+ line[bytes_read] = 0;
+ if (bytes_read <= skip_count)
+ continue;
+ fwrite(in, 1, left, stdout);
+ found = strstr(in, "MULTILINE_OCTAL");
+ if (!found)
+ continue;
+ fflush(stdout);
+
+ is_cert = (NULL != strstr(in, "CKA_VALUE"));
+ is_serial = (NULL != strstr(in, "CKA_SERIAL_NUMBER"));
+ is_name = (NULL != strstr(in, "CKA_ISSUER")) ||
+ (NULL != strstr(in, "CKA_SUBJECT"));
+ is_hash = (NULL != strstr(in, "_HASH"));
+ while (fgets(line, 132, stdin) &&
+ (bytes_read = strlen(line)) > 0 ) {
+ in = line + skip_count;
+ left = bytes_read - skip_count;
+
+ if ((left >= 3) && !strncmp(in, "END", 3))
+ break;
+ while (left >= 4) {
+ if (in[0] == '\\' && isdigit(in[1]) &&
+ isdigit(in[2]) && isdigit(in[3])) {
+ left -= 4;
+ binary_line[out++] = ((in[1] - '0') << 6) |
+ ((in[2] - '0') << 3) |
+ (in[3] - '0');
+ in += 4;
+ } else
+ break;
+ }
+ }
+ der.data = binary_line;
+ der.len = out;
+ if (is_cert)
+ SECU_PrintSignedData(stdout, &der, "Certificate", 0,
+ SECU_PrintCertificate);
+ else if (is_name)
+ SECU_PrintDERName(stdout, &der, "Name", 0);
+ else if (is_serial) {
+ if (out > 2 && binary_line[0] == 2 &&
+ out == 2 + binary_line[1]) {
+ der.data += 2;
+ der.len -= 2;
+ SECU_PrintInteger(stdout, &der, "DER Serial 
Number", 0); + } else + SECU_PrintInteger(stdout, &der, "Raw Serial Number", 0); + } else if (is_hash) + SECU_PrintAsHex(stdout, &der, "Hash", 0); + else + SECU_PrintBuf(stdout, "Other", binary_line, out); + } + NSS_Shutdown(); + return 0; +} + diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c index bd1d47b4ced..d78881de254 100644 --- a/security/nss/cmd/selfserv/selfserv.c +++ b/security/nss/cmd/selfserv/selfserv.c @@ -1491,18 +1491,14 @@ getBoundListenSocket(unsigned short port) PRStatus prStatus; PRNetAddr addr; PRSocketOptionData opt; - PRUint16 socketDomain = PR_AF_INET; addr.inet.family = PR_AF_INET; addr.inet.ip = PR_INADDR_ANY; addr.inet.port = PR_htons(port); - if (PR_GetEnv("NSS_USE_SDP")) { - socketDomain = PR_AF_INET_SDP; - } - listen_sock = PR_OpenTCPSocket(socketDomain); + listen_sock = PR_NewTCPSocket(); if (listen_sock == NULL) { - errExit("PR_OpenTCPSocket error"); + errExit("PR_NewTCPSocket"); } opt.option = PR_SockOpt_Nonblocking; diff --git a/security/nss/cmd/shlibsign/manifest.mn b/security/nss/cmd/shlibsign/manifest.mn index ca460771fd6..27c88e65e29 100644 --- a/security/nss/cmd/shlibsign/manifest.mn +++ b/security/nss/cmd/shlibsign/manifest.mn @@ -46,9 +46,6 @@ CSRCS = \ shlibsign.c \ $(NULL) -# headers for the MODULE (defined above) are implicitly required. -REQUIRES = dbm seccmd - # WINNT uses EXTRA_LIBS as the list of libs to link in. # Unix uses OS_LIBS for that purpose. # We can solve this via conditional makefile code, but diff --git a/security/nss/cmd/shlibsign/shlibsign.c b/security/nss/cmd/shlibsign/shlibsign.c index 722cb15a5b3..e4bf4c79bf8 100644 --- a/security/nss/cmd/shlibsign/shlibsign.c +++ b/security/nss/cmd/shlibsign/shlibsign.c 
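Review bot: The store `binary_line[out++]` in the inner decode loop of main() in ppcertdata.c has no upper bound, so a single MULTILINE_OCTAL value longer than the 64 KiB `binary_line` array writes past the end of that global buffer; `out` should be checked against `sizeof binary_line` before each store. The same loop accepts any decimal digit, so an escape containing 8 or 9, or a first digit above 3, is silently folded into a wrong byte instead of being rejected, and `isdigit()` is called on a plain `char`. Because this helper exists to review certdata.txt, stopping with an error on malformed or oversized input is safer than printing a decoded object that does not match the file. The locals `bytes_written` and `use_pp` and the store `line[bytes_read] = 0` have no effect and could be removed.

```c
while (left >= 4 && in[0] == '\\') {
    /* \ooo must be three octal digits whose value fits in one byte */
    if (in[1] < '0' || in[1] > '3' || in[2] < '0' || in[2] > '7' ||
        in[3] < '0' || in[3] > '7') {
        fprintf(stderr, "invalid octal escape in MULTILINE_OCTAL data\n");
        return 1;
    }
    if (out >= (int)sizeof binary_line) {
        fprintf(stderr, "MULTILINE_OCTAL value exceeds %d bytes\n",
                (int)sizeof binary_line);
        return 1;
    }
    /* … unchanged: binary_line[out++] = the three-digit octal value … */
    in += 4;
    left -= 4;
}
```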
@@ -46,7 +46,7 @@ * compute the checksum for the NSS cryptographic boundary libraries * and compare the checksum with the value in .chk file. * - * $Id: shlibsign.c,v 1.18.20.1 2011/04/08 04:04:27 wtc%google.com Exp $ + * $Id: shlibsign.c,v 1.19 2011/04/08 04:02:53 wtc%google.com Exp $ */ #ifdef XP_UNIX diff --git a/security/nss/cmd/signtool/sign.c b/security/nss/cmd/signtool/sign.c index 93b2d552ac2..a987846d8d4 100644 --- a/security/nss/cmd/signtool/sign.c +++ b/security/nss/cmd/signtool/sign.c @@ -306,7 +306,7 @@ create_pk7 (char *dir, char *keyName, int *keyType) if (status) { PR_fprintf(errorFD, "%s: PROBLEM signing data (%s)\n", - PROGRAM_NAME, SECU_ErrorString ((int16) PORT_GetError())); + PROGRAM_NAME, SECU_Strerror(PORT_GetError())); errorCount++; return - 1; } diff --git a/security/nss/cmd/signtool/util.c b/security/nss/cmd/signtool/util.c index be780d29b29..395ce29e086 100644 --- a/security/nss/cmd/signtool/util.c +++ b/security/nss/cmd/signtool/util.c @@ -50,7 +50,7 @@ long *mozilla_event_queue = 0; #ifndef XP_WIN char *XP_GetString (int i) { - return SECU_ErrorStringRaw ((int16) i); + return SECU_Strerror (i); } #endif diff --git a/security/nss/cmd/signtool/verify.c b/security/nss/cmd/signtool/verify.c index 302e9d4971a..a3f698bb6c0 100644 --- a/security/nss/cmd/signtool/verify.c +++ b/security/nss/cmd/signtool/verify.c @@ -84,7 +84,7 @@ VerifyJar(char *filename) if (status >= JAR_BASE && status <= JAR_BASE_END) { errtext = JAR_get_error (status); } else { - errtext = SECU_ErrorString ((int16) PORT_GetError()); + errtext = SECU_Strerror(PORT_GetError()); } PR_fprintf(outputFD, " (reported reason: %s)\n\n", @@ -315,7 +315,7 @@ JarWho(char *filename) if (status >= JAR_BASE && status <= JAR_BASE_END) { errtext = JAR_get_error (status); } else { - errtext = SECU_ErrorString ((int16) PORT_GetError()); + errtext = SECU_Strerror(PORT_GetError()); } PR_fprintf(outputFD, " (reported reason: %s)\n\n", errtext); 
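Review bot: In the signtool/util.c hunk, `XP_GetString` is declared to return `char *` but now returns the result of `SECU_Strerror`, which appears to be `const char *` (instsec.c returns it from `const char* mySECU_ErrorString`), so the `return` silently drops the qualifier. A caller that writes through the pointer would be modifying shared message text. If the `XP_GetString` prototype cannot change, make the conversion explicit and say why: `return (char *)SECU_Strerror(i); /* shared message text: callers must not modify or free */`.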
diff --git a/security/nss/cmd/signver/signver.c b/security/nss/cmd/signver/signver.c index cff5272f0dc..cf1fc485d57 100644 --- a/security/nss/cmd/signver/signver.c +++ b/security/nss/cmd/signver/signver.c @@ -320,7 +320,7 @@ int main(int argc, char **argv) fprintf(outFile, "no"); if (verbose) { fprintf(outFile, ":%s", - SECU_ErrorString((int16)PORT_GetError())); + SECU_Strerror(PORT_GetError())); } } fprintf(outFile, "\n"); diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c index 2e768ec4b77..b54d2e25547 100644 --- a/security/nss/cmd/strsclnt/strsclnt.c +++ b/security/nss/cmd/strsclnt/strsclnt.c @@ -280,7 +280,7 @@ mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, static SECStatus myBadCertHandler( void *arg, PRFileDesc *fd) { - int err = PR_GetError(); + PRErrorCode err = PR_GetError(); if (!MakeCertOK) fprintf(stderr, "strsclnt: -- SSL: Server Certificate Invalid, err %d.\n%s\n", @@ -360,7 +360,7 @@ printSecurityInfo(PRFileDesc *fd) #define MAX_THREADS 128 -typedef int startFn(void *a, void *b, int c, int d); +typedef int startFn(void *a, void *b, int c); static PRInt32 numConnected; @@ -374,7 +374,6 @@ typedef struct perThreadStr { startFn * startFunc; PRThread * prThread; PRBool inUse; - PRInt32 socketDomain; } perThread; perThread threads[MAX_THREADS]; @@ -430,8 +429,7 @@ thread_wrapper(void * arg) } PR_Unlock(threadLock); if (doop) { - slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->tid, - slot->socketDomain); + slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->tid); PRINTF("strsclnt: Thread in slot %d returned %d\n", slot->tid, slot->rv); } @@ -446,8 +444,7 @@ launch_thread( startFn * startFunc, void * a, void * b, - int tid, - int sockDom) + int tid) { PRUint32 i; perThread * slot; @@ -465,8 +462,7 @@ launch_thread( slot->a = a; slot->b = b; slot->tid = tid; - slot->socketDomain = sockDom; - + slot->startFunc = startFunc; slot->prThread = PR_CreateThread(PR_USER_THREAD, 
@@ -589,8 +585,7 @@ int do_writes( void * a, void * b, - int c, - int d) + int c) { PRFileDesc * ssl_sock = (PRFileDesc *)a; lockedVars * lv = (lockedVars *)b; @@ -632,7 +627,7 @@ handle_fdx_connection( PRFileDesc * ssl_sock, int connection) lockedVars_AddToCount(&lv, 1); /* Attempt to launch the writer thread. */ - result = launch_thread(do_writes, ssl_sock, &lv, connection, -1 /*not used*/); + result = launch_thread(do_writes, ssl_sock, &lv, connection); if (result != SECSuccess) goto cleanup; @@ -751,8 +746,7 @@ int do_connects( void * a, void * b, - int tid, - PRInt32 socketDomain) + int tid) { PRNetAddr * addr = (PRNetAddr *) a; PRFileDesc * model_sock = (PRFileDesc *) b; @@ -766,7 +760,7 @@ do_connects( retry: - tcp_sock = PR_OpenTCPSocket(socketDomain); + tcp_sock = PR_OpenTCPSocket(addr->raw.family); if (tcp_sock == NULL) { errExit("PR_OpenTCPSocket"); } @@ -1094,7 +1088,6 @@ client_main( int rv; PRStatus status; PRNetAddr addr; - PRInt32 socketDomain; status = PR_StringToNetAddr(hostName, &addr); if (status == PR_SUCCESS) { @@ -1122,13 +1115,6 @@ client_main( } } - /* check if SDP is going to be used */ - if (!PR_GetEnv("NSS_USE_SDP")) { - socketDomain = addr.raw.family; - } else { - socketDomain = PR_AF_INET_SDP; - } - /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */ NSS_SetDomesticPolicy(); @@ -1185,8 +1171,8 @@ client_main( } /* configure model SSL socket. */ - - model_sock = PR_OpenTCPSocket(socketDomain); + + model_sock = PR_OpenTCPSocket(addr.raw.family); if (model_sock == NULL) { errExit("PR_OpenTCPSocket for model socket"); } @@ -1290,7 +1276,7 @@ client_main( if (!NoReuse) { remaining_connections = 1; - rv = launch_thread(do_connects, &addr, model_sock, 0, socketDomain); + rv = launch_thread(do_connects, &addr, model_sock, 0); /* wait for the first connection to terminate, then launch the rest. */ reap_threads(); remaining_connections = total_connections - 1 ; 
@@ -1299,7 +1285,7 @@ client_main( active_threads = PR_MIN(active_threads, remaining_connections); /* Start up the threads */ for (i=0;i + +#include "secasn1.h" + +struct TestCase { + long value; + unsigned char data[5]; + unsigned int len; +}; + +static struct TestCase testCase[] = { + /* XXX NSS doesn't generate the shortest encoding for negative values. */ +#if 0 + { -128, { 0x80 }, 1 }, + { -129, { 0xFF, 0x7F }, 2 }, +#endif + + { 0, { 0x00 }, 1 }, + { 127, { 0x7F }, 1 }, + { 128, { 0x00, 0x80 }, 2 }, + { 256, { 0x01, 0x00 }, 2 }, + { 32768, { 0x00, 0x80, 0x00 }, 3 } +}; + +int main() +{ + PRBool failed = PR_FALSE; + unsigned int i; + unsigned int j; + + for (i = 0; i < sizeof(testCase)/sizeof(testCase[0]); i++) { + SECItem encoded; + if (SEC_ASN1EncodeInteger(NULL, &encoded, testCase[i].value) == NULL) { + fprintf(stderr, "SEC_ASN1EncodeInteger failed\n"); + failed = PR_TRUE; + continue; + } + if (encoded.len != testCase[i].len || + memcmp(encoded.data, testCase[i].data, encoded.len) != 0) { + fprintf(stderr, "Encoding of %ld is incorrect:", + testCase[i].value); + for (j = 0; j < encoded.len; j++) { + fprintf(stderr, " 0x%02X", (unsigned int)encoded.data[j]); + } + fputs("\n", stderr); + failed = PR_TRUE; + } + PORT_Free(encoded.data); + } + + if (failed) { + fprintf(stderr, "FAIL\n"); + return 1; + } + printf("PASS\n"); + return 0; +} diff --git a/security/nss/cmd/tests/manifest.mn b/security/nss/cmd/tests/manifest.mn index efe5bf21fbe..cce740b8ecd 100644 --- a/security/nss/cmd/tests/manifest.mn +++ b/security/nss/cmd/tests/manifest.mn @@ -44,6 +44,7 @@ CSRCS = \ baddbdir.c \ conflict.c \ dertimetest.c \ + encodeinttest.c \ nonspr10.c \ remtest.c \ $(NULL) diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c index 1e0453145f2..55684e685fa 100644 --- a/security/nss/cmd/tstclnt/tstclnt.c +++ b/security/nss/cmd/tstclnt/tstclnt.c 
@@ -538,7 +538,6 @@ int main(int argc, char **argv) PLOptState *optstate; PLOptStatus optstatus; PRStatus prStatus; - PRUint16 socketDomain; progName = strrchr(argv[0], '/'); if (!progName) @@ -700,17 +699,11 @@ int main(int argc, char **argv) printHostNameAndAddr(host, &addr); - /* check if SDP is going to be used */ - if (!PR_GetEnv("NSS_USE_SDP")) { - socketDomain = addr.raw.family; - } else { - socketDomain = PR_AF_INET_SDP; - } if (pingServerFirst) { int iter = 0; PRErrorCode err; do { - s = PR_OpenTCPSocket(socketDomain); + s = PR_OpenTCPSocket(addr.raw.family); if (s == NULL) { SECU_PrintError(progName, "Failed to create a TCP socket"); } @@ -748,7 +741,7 @@ int main(int argc, char **argv) } /* Create socket */ - s = PR_OpenTCPSocket(socketDomain); + s = PR_OpenTCPSocket(addr.raw.family); if (s == NULL) { SECU_PrintError(progName, "error creating socket"); return 1; diff --git a/security/nss/cmd/vfychain/vfychain.c b/security/nss/cmd/vfychain/vfychain.c index 32612e3efe4..9bf6ca64322 100644 --- a/security/nss/cmd/vfychain/vfychain.c +++ b/security/nss/cmd/vfychain/vfychain.c @@ -129,11 +129,8 @@ Usage(const char *progName) void errWarn(char *function) { - PRErrorCode errorNumber = PR_GetError(); - const char * errorString = SECU_Strerror(errorNumber); - - fprintf(stderr, "Error in function %s: %d\n - %s\n", - function, errorNumber, errorString); + fprintf(stderr, "Error in function %s: %s\n", + function, SECU_Strerror(PR_GetError())); } void @@ -210,7 +207,7 @@ getCert(const char *name, PRBool isAscii, const char * progName) * open a file with such name and get the cert from there.*/ fd = PR_Open(name, PR_RDONLY, 0777); if (!fd) { - PRIntn err = PR_GetError(); + PRErrorCode err = PR_GetError(); fprintf(stderr, "open of %s failed, %d = %s\n", name, err, SECU_Strerror(err)); return cert; 
@@ -233,7 +230,7 @@ getCert(const char *name, PRBool isAscii, const char * progName) PR_FALSE /* isPerm */, PR_TRUE /* copyDER */); if (!cert) { - PRIntn err = PR_GetError(); + PRErrorCode err = PR_GetError(); fprintf(stderr, "couldn't import %s, %d = %s\n", name, err, SECU_Strerror(err)); } @@ -538,12 +535,12 @@ breakout: if (usePkix < 2) { if (oidStr) { fprintf(stderr, "Policy oid(-o) can be used only with" - " CERT_PKIXVerifyChain(-pp) function.\n"); + " CERT_PKIXVerifyCert(-pp) function.\n"); Usage(progName); } if (trusted) { fprintf(stderr, "Cert trust flag can be used only with" - " CERT_PKIXVerifyChain(-pp) function.\n"); + " CERT_PKIXVerifyCert(-pp) function.\n"); Usage(progName); } } @@ -586,7 +583,7 @@ breakout: case 0 : /* positional parameter */ if (usePkix < 2 && trusted) { fprintf(stderr, "Cert trust flag can be used only with" - " CERT_PKIXVerifyChain(-pp) function.\n"); + " CERT_PKIXVerifyCert(-pp) function.\n"); Usage(progName); } cert = getCert(optstate->value, isAscii, progName); @@ -788,6 +785,7 @@ punt: if (pwdata.data) { PORT_Free(pwdata.data); } + PL_ArenaFinish(); PR_Cleanup(); return rv; } diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c index 74f6868d8f7..80f343273a8 100644 --- a/security/nss/lib/certdb/alg1485.c +++ b/security/nss/lib/certdb/alg1485.c 
@@ -103,12 +103,19 @@ static const NameToKind name2kinds[] = { /* legacy keywords */ { "E", 128, SEC_OID_PKCS9_EMAIL_ADDRESS,SEC_ASN1_IA5_STRING}, - -#if 0 /* removed. Not yet in any IETF draft or RFC. */ + { "STREET", 128, SEC_OID_AVA_STREET_ADDRESS, SEC_ASN1_DS}, { "pseudonym", 64, SEC_OID_AVA_PSEUDONYM, SEC_ASN1_DS}, -#endif - { 0, 256, SEC_OID_UNKNOWN , 0}, +/* values defined by the CAB Forum for EV */ + { "incorporationLocality", 128, SEC_OID_EV_INCORPORATION_LOCALITY, + SEC_ASN1_DS}, + { "incorporationState", 128, SEC_OID_EV_INCORPORATION_STATE, + SEC_ASN1_DS}, + { "incorporationCountry", 2, SEC_OID_EV_INCORPORATION_COUNTRY, + SEC_ASN1_PRINTABLE_STRING}, + { "businessCategory", 64, SEC_OID_BUSINESS_CATEGORY, SEC_ASN1_DS}, + + { 0, 256, SEC_OID_UNKNOWN, 0}, }; /* Table facilitates conversion of ASCII hex to binary. */ diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h index 790abfb0213..4b02f08ea82 100644 --- a/security/nss/lib/certdb/cert.h +++ b/security/nss/lib/certdb/cert.h @@ -37,7 +37,7 @@ /* * cert.h - public data structures and prototypes for the certificate library * - * $Id: cert.h,v 1.80.2.3 2011/04/08 22:54:34 kaie%kuix.de Exp $ + * $Id: cert.h,v 1.86 2011/07/24 13:48:09 wtc%google.com Exp $ */ #ifndef _CERT_H_ @@ -297,13 +297,6 @@ CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req, */ extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert); -/* - * used to get a public key with Key Material ID. Only used for fortezza V1 - * certificates. - */ -extern SECKEYPublicKey *CERT_KMIDPublicKey(CERTCertificate *cert); - - /* ** Retrieve the Key Type associated with the cert we're dealing with */ 
@@ -450,12 +443,12 @@ extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert, const char *hostnam extern CERTCertificate * CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname); /* -** Decode a DER encoded CRL/KRL into an CERTSignedCrl structure -** "derSignedCrl" is the DER encoded signed crl/krl. -** "type" is this a CRL or KRL. +** Decode a DER encoded CRL into a CERTSignedCrl structure +** "derSignedCrl" is the DER encoded signed CRL. +** "type" must be SEC_CRL_TYPE. */ #define SEC_CRL_TYPE 1 -#define SEC_KRL_TYPE 0 +#define SEC_KRL_TYPE 0 /* deprecated */ extern CERTSignedCrl * CERT_DecodeDERCrl (PLArenaPool *arena, SECItem *derSignedCrl,int type); @@ -521,12 +514,6 @@ SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newcrl); */ SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* oldcrl); -/* -** Decode a certificate and put it into the temporary certificate database -*/ -extern CERTCertificate * -CERT_DecodeCertificate (SECItem *derCert, char *nickname,PRBool copyDER); - /* ** Find a certificate in the database ** "key" is the database key to look for @@ -1306,9 +1293,6 @@ CERTGeneralName * CERT_GetConstrainedCertificateNames(CERTCertificate *cert, PLArenaPool *arena, PRBool includeSubjectCommonName); -char * -CERT_GetNickName(CERTCertificate *cert, CERTCertDBHandle *handle, PLArenaPool *nicknameArena); - /* * Creates or adds to a list of all certs with a give subject name, sorted by * validity time, newest first. Invalid certs are considered older than diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c index a4b6dd64cb1..ad821150e21 100644 --- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -39,7 +39,7 @@ /* * Certificate handling code * - * $Id: certdb.c,v 1.104.2.5 2011/08/05 01:16:27 wtc%google.com Exp $ + * $Id: certdb.c,v 1.116 2011/08/05 01:13:14 wtc%google.com Exp $ */ #include "nssilock.h" 
@@ -481,57 +481,6 @@ GetKeyUsage(CERTCertificate *cert) } -/* - * determine if a fortezza V1 Cert is a CA or not. - */ -static PRBool -fortezzaIsCA( CERTCertificate *cert) { - PRBool isCA = PR_FALSE; - CERTSubjectPublicKeyInfo *spki = &cert->subjectPublicKeyInfo; - int tag; - - tag = SECOID_GetAlgorithmTag(&spki->algorithm); - if ((tag == SEC_OID_MISSI_KEA_DSS_OLD) || - (tag == SEC_OID_MISSI_KEA_DSS) || - (tag == SEC_OID_MISSI_DSS_OLD) || - (tag == SEC_OID_MISSI_DSS) ) { - SECItem rawkey; - unsigned char *rawptr; - unsigned char *end; - int len; - - rawkey = spki->subjectPublicKey; - DER_ConvertBitString(&rawkey); - rawptr = rawkey.data; - end = rawkey.data + rawkey.len; - - /* version */ - rawptr += sizeof(((SECKEYPublicKey*)0)->u.fortezza.KMID)+2; - - /* clearance (the string up to the first byte with the hi-bit on */ - while ((rawptr < end) && (*rawptr++ & 0x80)); - if (rawptr >= end) { return PR_FALSE; } - - /* KEAPrivilege (the string up to the first byte with the hi-bit on */ - while ((rawptr < end) && (*rawptr++ & 0x80)); - if (rawptr >= end) { return PR_FALSE; } - - /* skip the key */ - len = (*rawptr << 8) | rawptr[1]; - rawptr += 2 + len; - - /* shared key */ - if (rawptr >= end) { return PR_FALSE; } - /* DSS Version is next */ - rawptr += 2; - - /* DSSPrivilege (the string up to the first byte with the hi-bit on */ - if (*rawptr & 0x30) isCA = PR_TRUE; - - } - return isCA; -} - static SECStatus findOIDinOIDSeqByTagNum(CERTOidSequence *seq, SECOidTag tagnum) { @@ -703,12 +652,6 @@ cert_ComputeCertType(CERTCertificate *cert) /* allow any ssl or email (no ca or object signing. */ nsCertType |= NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL; - - /* if the cert is a fortezza CA cert, then allow SSL CA and EMAIL CA */ - if (fortezzaIsCA(cert)) { - nsCertType |= NS_CERT_TYPE_SSL_CA; - nsCertType |= NS_CERT_TYPE_EMAIL_CA; - } } if (encodedExtKeyUsage.data != NULL) { 
@@ -728,7 +671,6 @@ cert_GetKeyID(CERTCertificate *cert) { SECItem tmpitem; SECStatus rv; - SECKEYPublicKey *key; cert->subjectKeyID.len = 0; @@ -745,26 +687,6 @@ cert_GetKeyID(CERTCertificate *cert) PORT_Free(tmpitem.data); } - /* if the cert doesn't have a key identifier extension and the cert is - * a V1 fortezza certificate, use the cert's 8 byte KMID as the - * key identifier. */ - key = CERT_KMIDPublicKey(cert); - - if (key != NULL) { - - if (key->keyType == fortezzaKey) { - - cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, 8); - if ( cert->subjectKeyID.data != NULL ) { - PORT_Memcpy(cert->subjectKeyID.data, key->u.fortezza.KMID, 8); - cert->subjectKeyID.len = 8; - cert->keyIDGenerated = PR_FALSE; - } - } - - SECKEY_DestroyPublicKey(key); - } - /* if the cert doesn't have a key identifier extension, then generate one*/ if ( cert->subjectKeyID.len == 0 ) { /* @@ -1346,8 +1268,6 @@ CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage) case dsaKey: requiredUsage |= KU_DIGITAL_SIGNATURE; break; - case fortezzaKey: - case keaKey: case dhKey: requiredUsage |= KU_KEY_AGREEMENT; break; @@ -1664,8 +1584,7 @@ finish: * - return value is NULL */ CERTGeneralName * -cert_GetSubjectAltNameList(CERTCertificate *cert, - PRArenaPool *arena) +cert_GetSubjectAltNameList(CERTCertificate *cert, PRArenaPool *arena) { CERTGeneralName * nameList = NULL; SECStatus rv = SECFailure; 
@@ -2067,80 +1986,68 @@ CERT_MakeCANickname(CERTCertificate *cert) char *nickname = NULL; int count; CERTCertificate *dummycert; - CERTCertDBHandle *handle; - handle = cert->dbhandle; - - nickname = CERT_GetNickName(cert, handle, cert->arena); - if (nickname == NULL) { - firstname = CERT_GetCommonName(&cert->subject); - if ( firstname == NULL ) { - firstname = CERT_GetOrgUnitName(&cert->subject); - } + firstname = CERT_GetCommonName(&cert->subject); + if ( firstname == NULL ) { + firstname = CERT_GetOrgUnitName(&cert->subject); + } - org = CERT_GetOrgName(&cert->issuer); + org = CERT_GetOrgName(&cert->issuer); + if (org == NULL) { + org = CERT_GetDomainComponentName(&cert->issuer); if (org == NULL) { - org = CERT_GetDomainComponentName(&cert->issuer); - if (org == NULL) { - if (firstname) { - org = firstname; - firstname = NULL; - } else { - org = PORT_Strdup("Unknown CA"); - } - } - } - - /* can only fail if PORT_Strdup fails, in which case - * we're having memory problems. */ - if (org == NULL) { - goto loser; - } - - - count = 1; - while ( 1 ) { - - if ( firstname ) { - if ( count == 1 ) { - nickname = PR_smprintf("%s - %s", firstname, org); - } else { - nickname = PR_smprintf("%s - %s #%d", firstname, org, count); - } + if (firstname) { + org = firstname; + firstname = NULL; } else { - if ( count == 1 ) { - nickname = PR_smprintf("%s", org); - } else { - nickname = PR_smprintf("%s #%d", org, count); - } + org = PORT_Strdup("Unknown CA"); } - if ( nickname == NULL ) { - goto loser; - } - - /* look up the nickname to make sure it isn't in use already */ - dummycert = CERT_FindCertByNickname(handle, nickname); - - if ( dummycert == NULL ) { - goto done; - } - - /* found a cert, destroy it and loop */ - CERT_DestroyCertificate(dummycert); - - /* free the nickname */ - PORT_Free(nickname); - - count++; } } -loser: - if ( nickname ) { - PORT_Free(nickname); + + /* can only fail if PORT_Strdup fails, in which case + * we're having memory problems. 
*/ + if (org == NULL) { + goto done; } - nickname = NULL; + count = 1; + while ( 1 ) { + + if ( firstname ) { + if ( count == 1 ) { + nickname = PR_smprintf("%s - %s", firstname, org); + } else { + nickname = PR_smprintf("%s - %s #%d", firstname, org, count); + } + } else { + if ( count == 1 ) { + nickname = PR_smprintf("%s", org); + } else { + nickname = PR_smprintf("%s #%d", org, count); + } + } + if ( nickname == NULL ) { + goto done; + } + + /* look up the nickname to make sure it isn't in use already */ + dummycert = CERT_FindCertByNickname(cert->dbhandle, nickname); + + if ( dummycert == NULL ) { + goto done; + } + + /* found a cert, destroy it and loop */ + CERT_DestroyCertificate(dummycert); + + /* free the nickname */ + PORT_Free(nickname); + + count++; + } + done: if ( firstname ) { PORT_Free(firstname); @@ -2181,7 +2088,7 @@ cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType) trust->emailFlags | trust->objectSigningFlags)) { - if (trust->sslFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED)) + if (trust->sslFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) cType |= NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT; if (trust->sslFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) cType |= NS_CERT_TYPE_SSL_CA; @@ -2190,7 +2097,7 @@ cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType) cType &= ~(NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT| NS_CERT_TYPE_SSL_CA); #endif - if (trust->emailFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED)) + if (trust->emailFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) cType |= NS_CERT_TYPE_EMAIL; if (trust->emailFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) cType |= NS_CERT_TYPE_EMAIL_CA; 
@@ -2198,7 +2105,7 @@ cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType) if (trust->emailFlags & CERTDB_NOT_TRUSTED) cType &= ~(NS_CERT_TYPE_EMAIL|NS_CERT_TYPE_EMAIL_CA); #endif - if (trust->objectSigningFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED)) + if (trust->objectSigningFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) cType |= NS_CERT_TYPE_OBJECT_SIGNING; if (trust->objectSigningFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) cType |= NS_CERT_TYPE_OBJECT_SIGNING_CA; @@ -2235,10 +2142,9 @@ CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype) } } - /* finally check if it's an X.509 v1 root or FORTEZZA V1 CA */ + /* finally check if it's an X.509 v1 root CA */ if (!ret && - ((cert->isRoot && cert_Version(cert) < SEC_CERTIFICATE_VERSION_3) || - fortezzaIsCA(cert) )) { + (cert->isRoot && cert_Version(cert) < SEC_CERTIFICATE_VERSION_3)) { ret = PR_TRUE; cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA); } @@ -2449,11 +2355,11 @@ CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts) for (i=0; i < PORT_Strlen(trusts); i++) { switch (trusts[i]) { case 'p': - *pflags = *pflags | CERTDB_VALID_PEER; + *pflags = *pflags | CERTDB_TERMINAL_RECORD; break; case 'P': - *pflags = *pflags | CERTDB_TRUSTED | CERTDB_VALID_PEER; + *pflags = *pflags | CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD; break; case 'w': @@ -2505,7 +2411,7 @@ EncodeFlags(char *trusts, unsigned int flags) if (!(flags & CERTDB_TRUSTED_CA) && !(flags & CERTDB_TRUSTED_CLIENT_CA)) PORT_Strcat(trusts, "c"); - if (flags & CERTDB_VALID_PEER) + if (flags & CERTDB_TERMINAL_RECORD) if (!(flags & CERTDB_TRUSTED)) PORT_Strcat(trusts, "p"); if (flags & CERTDB_TRUSTED_CA) 
@@ -2589,18 +2495,16 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage, if ( keepCerts ) { for ( i = 0; i < fcerts; i++ ) { char* canickname = NULL; - PRBool freeNickname = PR_FALSE; + PRBool isCA; SECKEY_UpdateCertPQG(certs[i]); - if ( CERT_IsCACert(certs[i], NULL) ) { + isCA = CERT_IsCACert(certs[i], NULL); + if ( isCA ) { canickname = CERT_MakeCANickname(certs[i]); - if ( canickname != NULL ) { - freeNickname = PR_TRUE; - } } - if(CERT_IsCACert(certs[i], NULL) && (fcerts > 1)) { + if(isCA && (fcerts > 1)) { /* if we are importing only a single cert and specifying * a nickname, we want to use that nickname if it a CA, * otherwise if there are more than one cert, we don't @@ -2613,9 +2517,7 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage, nickname?nickname:canickname, NULL); } - if (PR_TRUE == freeNickname) { - PORT_Free(canickname); - } + PORT_Free(canickname); /* don't care if it fails - keep going */ } } @@ -3124,6 +3026,8 @@ CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *statusConfig) static PLHashTable *gSubjKeyIDHash = NULL; static PRLock *gSubjKeyIDLock = NULL; +static PLHashTable *gSubjKeyIDSlotCheckHash = NULL; +static PRLock *gSubjKeyIDSlotCheckLock = NULL; static void *cert_AllocTable(void *pool, PRSize size) { 
@@ -3153,6 +3057,31 @@ static PLHashAllocOps cert_AllocOps = { cert_AllocTable, cert_FreeTable, cert_AllocEntry, cert_FreeEntry }; +SECStatus +cert_CreateSubjectKeyIDSlotCheckHash(void) +{ + /* + * This hash is used to remember the series of a slot + * when we last checked for user certs + */ + gSubjKeyIDSlotCheckHash = PL_NewHashTable(0, SECITEM_Hash, + SECITEM_HashCompare, + SECITEM_HashCompare, + &cert_AllocOps, NULL); + if (!gSubjKeyIDSlotCheckHash) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + gSubjKeyIDSlotCheckLock = PR_NewLock(); + if (!gSubjKeyIDSlotCheckLock) { + PL_HashTableDestroy(gSubjKeyIDSlotCheckHash); + gSubjKeyIDSlotCheckHash = NULL; + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + return SECSuccess; +} + SECStatus cert_CreateSubjectKeyIDHashTable(void) { @@ -3170,8 +3099,12 @@ cert_CreateSubjectKeyIDHashTable(void) PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } + /* initialize the companion hash (for remembering slot series) */ + if (cert_CreateSubjectKeyIDSlotCheckHash() != SECSuccess) { + cert_DestroySubjectKeyIDHashTable(); + return SECFailure; + } return SECSuccess; - } SECStatus 
@@ -3229,6 +3162,93 @@ cert_RemoveSubjectKeyIDMapping(SECItem *subjKeyID) return rv; } +SECStatus +cert_UpdateSubjectKeyIDSlotCheck(SECItem *slotid, int series) +{ + SECItem *oldSeries, *newSlotid, *newSeries; + SECStatus rv = SECFailure; + + if (!gSubjKeyIDSlotCheckLock) { + return rv; + } + + newSlotid = SECITEM_DupItem(slotid); + newSeries = SECITEM_AllocItem(NULL, NULL, sizeof(int)); + if (!newSlotid || !newSeries ) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + PORT_Memcpy(newSeries->data, &series, sizeof(int)); + + PR_Lock(gSubjKeyIDSlotCheckLock); + oldSeries = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid); + if (oldSeries) { + /* + * make sure we don't leak the key of an existing entry + * (similar to cert_AddSubjectKeyIDMapping, see comment there) + */ + PL_HashTableRemove(gSubjKeyIDSlotCheckHash, slotid); + } + rv = (PL_HashTableAdd(gSubjKeyIDSlotCheckHash, newSlotid, newSeries)) ? + SECSuccess : SECFailure; + PR_Unlock(gSubjKeyIDSlotCheckLock); + if (rv == SECSuccess) { + return rv; + } + +loser: + if (newSlotid) { + SECITEM_FreeItem(newSlotid, PR_TRUE); + } + if (newSeries) { + SECITEM_FreeItem(newSeries, PR_TRUE); + } + return rv; +} + +int +cert_SubjectKeyIDSlotCheckSeries(SECItem *slotid) +{ + SECItem *seriesItem = NULL; + int series; + + if (!gSubjKeyIDSlotCheckLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return -1; + } + + PR_Lock(gSubjKeyIDSlotCheckLock); + seriesItem = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid); + PR_Unlock(gSubjKeyIDSlotCheckLock); + /* getting a null series just means we haven't registered one yet, + * just return 0 */ + if (seriesItem == NULL) { + return 0; + } + /* if we got a series back, assert if it's not the proper length. 
*/ + PORT_Assert(seriesItem->len == sizeof(int)); + if (seriesItem->len != sizeof(int)) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return -1; + } + PORT_Memcpy(&series, seriesItem->data, sizeof(int)); + return series; +} + +SECStatus +cert_DestroySubjectKeyIDSlotCheckHash(void) +{ + if (gSubjKeyIDSlotCheckHash) { + PR_Lock(gSubjKeyIDSlotCheckLock); + PL_HashTableDestroy(gSubjKeyIDSlotCheckHash); + gSubjKeyIDSlotCheckHash = NULL; + PR_Unlock(gSubjKeyIDSlotCheckLock); + PR_DestroyLock(gSubjKeyIDSlotCheckLock); + gSubjKeyIDSlotCheckLock = NULL; + } + return SECSuccess; +} + SECStatus cert_DestroySubjectKeyIDHashTable(void) { @@ -3240,6 +3260,7 @@ cert_DestroySubjectKeyIDHashTable(void) PR_DestroyLock(gSubjKeyIDLock); gSubjKeyIDLock = NULL; } + cert_DestroySubjectKeyIDSlotCheckHash(); return SECSuccess; } diff --git a/security/nss/lib/certdb/certdb.h b/security/nss/lib/certdb/certdb.h index c489b0f89ee..be00bb2d271 100644 --- a/security/nss/lib/certdb/certdb.h +++ b/security/nss/lib/certdb/certdb.h @@ -39,7 +39,7 @@ /* common flags for all types of certificates */ -#define CERTDB_VALID_PEER (1<<0) +#define CERTDB_TERMINAL_RECORD (1<<0) #define CERTDB_TRUSTED (1<<1) #define CERTDB_SEND_WARN (1<<2) #define CERTDB_VALID_CA (1<<3) 
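Review bot: In `cert_SubjectKeyIDSlotCheckSeries` the item returned by `PL_HashTableLookup` is read (`seriesItem->len`, `seriesItem->data`) after `PR_Unlock(gSubjKeyIDSlotCheckLock)`. `cert_UpdateSubjectKeyIDSlotCheck` removes and replaces the entry for the same slot under that lock. If `cert_FreeEntry` releases the stored value (it is outside this hunk, but the "don't leak the key of an existing entry" comment suggests it does), a concurrent update can free the item before the length check and copy run. Doing the length check and `PORT_Memcpy` while the lock is still held closes that window, as sketched below. Separately, `cert_UpdateSubjectKeyIDSlotCheck` returns `SECFailure` without setting an error when the lock is missing, while this function sets `SEC_ERROR_NOT_INITIALIZED`; the two should agree.

```c
    int series = 0; /* no entry registered yet means series 0 */
    PRBool badLength = PR_FALSE;

    /* … unchanged: gSubjKeyIDSlotCheckLock NULL check … */

    PR_Lock(gSubjKeyIDSlotCheckLock);
    seriesItem = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid);
    if (seriesItem != NULL) {
        /* copy out while the entry cannot be replaced or freed */
        if (seriesItem->len == sizeof(int)) {
            PORT_Memcpy(&series, seriesItem->data, sizeof(int));
        } else {
            badLength = PR_TRUE;
        }
    }
    PR_Unlock(gSubjKeyIDSlotCheckLock);

    PORT_Assert(!badLength);
    if (badLength) {
        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
        return -1;
    }
    return series;
```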
@@ -50,6 +50,24 @@ #define CERTDB_INVISIBLE_CA (1<<8) /* don't show in UI */ #define CERTDB_GOVT_APPROVED_CA (1<<9) /* can do strong crypto in export ver */ +/* old usage, to keep old programs compiling */ +/* On Windows, Mac, and Linux (and other gcc platforms), we can give compile + * time deprecation warnings when applications use the old CERTDB_VALID_PEER + * define */ +#if __GNUC__ > 3 +#if (__GNUC__ == 4) && (__GNUC_MINOR__ < 5) +typedef unsigned int __CERTDB_VALID_PEER __attribute__((deprecated)); +#else +typedef unsigned int __CERTDB_VALID_PEER __attribute__((deprecated + ("CERTDB_VALID_PEER is now CERTDB_TERMINAL_RECORD"))); +#endif +#define CERTDB_VALID_PEER ((__CERTDB_VALID_PEER) CERTDB_TERMINAL_RECORD) +#else +#ifdef _WIN32 +#pragma deprecated(CERTDB_VALID_PEER) +#endif +#define CERTDB_VALID_PEER CERTDB_TERMINAL_RECORD +#endif SEC_BEGIN_PROTOS diff --git a/security/nss/lib/certdb/certi.h b/security/nss/lib/certdb/certi.h index 2b8e5585735..08229ec0365 100644 --- a/security/nss/lib/certdb/certi.h +++ b/security/nss/lib/certdb/certi.h @@ -36,7 +36,7 @@ /* * certi.h - private data structures for the certificate library * - * $Id: certi.h,v 1.34 2010/05/21 00:43:51 wtc%google.com Exp $ + * $Id: certi.h,v 1.35 2011/01/29 22:17:20 nelson%bolyard.com Exp $ */ #ifndef _CERTI_H_ #define _CERTI_H_ @@ -235,7 +235,8 @@ SECStatus ShutdownCRLCache(void); extern char * cert_GetCertificateEmailAddresses(CERTCertificate *cert); /* - * These functions are used to map subjectKeyID extension values to certs. + * These functions are used to map subjectKeyID extension values to certs + * and to keep track of the checks for user certificates in each slot */ SECStatus cert_CreateSubjectKeyIDHashTable(void); 
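Review bot: The compatibility shim in certdb.h declares `typedef unsigned int __CERTDB_VALID_PEER`, and identifiers beginning with two underscores are reserved for the implementation, so a public header should not define one. A project-prefixed name such as `typedef unsigned int CERTDBValidPeerDeprecated __attribute__((deprecated));` avoids a clash with compiler or libc internals. On the GCC path `CERTDB_VALID_PEER` also becomes a cast expression, so it can no longer be used in an `#if` and its type changes from `int` to `unsigned int`. A short comment next to the define saying so would help applications that still use the old name.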
@@ -243,6 +244,12 @@ cert_CreateSubjectKeyIDHashTable(void); SECStatus cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert); +SECStatus +cert_UpdateSubjectKeyIDSlotCheck(SECItem *slotid, int series); + +int +cert_SubjectKeyIDSlotCheckSeries(SECItem *slotid); + /* * Call this function to remove an entry from the mapping table. */ diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h index ecf3d629fdc..f510e5ebcdf 100644 --- a/security/nss/lib/certdb/certt.h +++ b/security/nss/lib/certdb/certt.h @@ -36,7 +36,7 @@ /* * certt.h - public data structures for the certificate library * - * $Id: certt.h,v 1.54.2.1 2011/07/28 22:19:57 wtc%google.com Exp $ + * $Id: certt.h,v 1.55 2011/07/28 21:38:14 wtc%google.com Exp $ */ #ifndef _CERTT_H_ #define _CERTT_H_ diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c index 313ac189137..38075465a66 100644 --- a/security/nss/lib/certdb/crl.c +++ b/security/nss/lib/certdb/crl.c @@ -37,7 +37,7 @@ /* * Moved from secpkcs7.c * - * $Id: crl.c,v 1.71 2010/05/21 00:43:51 wtc%google.com Exp $ + * $Id: crl.c,v 1.72 2011/07/24 13:48:10 wtc%google.com Exp $ */ #include "cert.h" @@ -75,9 +75,8 @@ static const SEC_ASN1Template SEC_CERTExtensionsTemplate[] = { }; /* - * XXX Also, these templates, especially the Krl/FORTEZZA ones, need to - * be tested; Lisa did the obvious translation but they still should be - * verified. + * XXX Also, these templates need to be tested; Lisa did the obvious + * translation but they still should be verified. */ const SEC_ASN1Template CERT_IssuerAndSNTemplate[] = { 
@@ -93,56 +92,9 @@ const SEC_ASN1Template CERT_IssuerAndSNTemplate[] = { { 0 } }; -static const SEC_ASN1Template cert_KrlEntryTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTCrlEntry) }, - { SEC_ASN1_OCTET_STRING, - offsetof(CERTCrlEntry,serialNumber) }, - { SEC_ASN1_UTC_TIME, - offsetof(CERTCrlEntry,revocationDate) }, - { 0 } -}; - SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) SEC_ASN1_MKSUB(CERT_TimeChoiceTemplate) -static const SEC_ASN1Template cert_KrlTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTCrl) }, - { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(CERTCrl,signatureAlg), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, - { SEC_ASN1_SAVE, - offsetof(CERTCrl,derName) }, - { SEC_ASN1_INLINE, - offsetof(CERTCrl,name), - CERT_NameTemplate }, - { SEC_ASN1_UTC_TIME, - offsetof(CERTCrl,lastUpdate) }, - { SEC_ASN1_UTC_TIME, - offsetof(CERTCrl,nextUpdate) }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF, - offsetof(CERTCrl,entries), - cert_KrlEntryTemplate }, - { 0 } -}; - -static const SEC_ASN1Template cert_SignedKrlTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTSignedCrl) }, - { SEC_ASN1_SAVE, - offsetof(CERTSignedCrl,signatureWrap.data) }, - { SEC_ASN1_INLINE, - offsetof(CERTSignedCrl,crl), - cert_KrlTemplate }, - { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, - { SEC_ASN1_BIT_STRING, - offsetof(CERTSignedCrl,signatureWrap.signature) }, - { 0 } -}; - static const SEC_ASN1Template cert_CrlKeyTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTCrlKey) }, @@ -470,7 +422,7 @@ SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl* crl) } /* - * take a DER CRL or KRL and decode it into a CRL structure + * take a DER CRL and decode it into a CRL structure * allow reusing the input DER without making a copy */ CERTSignedCrl * 
@@ -578,11 +530,8 @@ CERT_DecodeDERCrlWithFlags(PRArenaPool *narena, SECItem *derSignedCrl, break; - case SEC_KRL_TYPE: - rv = SEC_QuickDERDecodeItem - (arena, crl, cert_SignedKrlTemplate, derSignedCrl); - break; default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; break; } @@ -614,7 +563,7 @@ loser: } /* - * take a DER CRL or KRL and decode it into a CRL structure + * take a DER CRL and decode it into a CRL structure */ CERTSignedCrl * CERT_DecodeDERCrl(PRArenaPool *narena, SECItem *derSignedCrl, int type) @@ -716,6 +665,12 @@ crl_storeCRL (PK11SlotInfo *slot,char *url, PORT_Assert(newCrl); PORT_Assert(derCrl); + PORT_Assert(type == SEC_CRL_TYPE); + + if (type != SEC_CRL_TYPE) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } /* we can't use the cache here because we must look in the same token */ @@ -739,21 +694,7 @@ crl_storeCRL (PK11SlotInfo *slot,char *url, goto done; } if (!SEC_CrlIsNewer(&newCrl->crl,&oldCrl->crl)) { - - if (type == SEC_CRL_TYPE) { - PORT_SetError(SEC_ERROR_OLD_CRL); - } else { - PORT_SetError(SEC_ERROR_OLD_KRL); - } - - goto done; - } - - if ((SECITEM_CompareItem(&newCrl->crl.derName, - &oldCrl->crl.derName) != SECEqual) && - (type == SEC_KRL_TYPE) ) { - - PORT_SetError(SEC_ERROR_CKL_CONFLICT); + PORT_SetError(SEC_ERROR_OLD_CRL); goto done; } diff --git a/security/nss/lib/certdb/genname.c b/security/nss/lib/certdb/genname.c index a7cebd125eb..0c2e1c6da39 100644 --- a/security/nss/lib/certdb/genname.c +++ b/security/nss/lib/certdb/genname.c 
@@ -1685,111 +1685,6 @@ done: return rv; } -/* Search the cert for an X509_SUBJECT_ALT_NAME extension. -** ASN1 Decode it into a list of alternate names. -** Search the list of alternate names for one with the NETSCAPE_NICKNAME OID. -** ASN1 Decode that name. Turn the result into a zString. -** Look for duplicate nickname already in the certdb. -** If one is found, create a nickname string that is not a duplicate. -*/ -char * -CERT_GetNickName(CERTCertificate *cert, - CERTCertDBHandle *handle, - PRArenaPool *nicknameArena) -{ - CERTGeneralName *current; - CERTGeneralName *names; - char *nickname = NULL; - char *returnName = NULL; - char *basename = NULL; - PRArenaPool *arena = NULL; - CERTCertificate *tmpcert; - SECStatus rv; - int count; - int found = 0; - SECItem altNameExtension; - SECItem nick; - - if (handle == NULL) { - handle = CERT_GetDefaultCertDB(); - } - altNameExtension.data = NULL; - rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, - &altNameExtension); - if (rv != SECSuccess) { - goto loser; - } - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) { - goto loser; - } - names = CERT_DecodeAltNameExtension(arena, &altNameExtension); - if (names == NULL) { - goto loser; - } - current = names; - do { - if (current->type == certOtherName && - SECOID_FindOIDTag(¤t->name.OthName.oid) == - SEC_OID_NETSCAPE_NICKNAME) { - found = 1; - break; - } - current = CERT_GetNextGeneralName(current); - } while (current != names); - if (!found) - goto loser; - - rv = SEC_QuickDERDecodeItem(arena, &nick, - SEC_ASN1_GET(SEC_IA5StringTemplate), - ¤t->name.OthName.name); - if (rv != SECSuccess) { - goto loser; - } - - /* make a null terminated string out of nick, with room enough at - ** the end to add on a number of up to 21 digits in length, (a signed - ** 64-bit number in decimal) plus a space and a "#". 
- */ - nickname = (char*)PORT_ZAlloc(nick.len + 24); - if (!nickname) - goto loser; - PORT_Strncpy(nickname, (char *)nick.data, nick.len); - - /* Don't let this cert's nickname duplicate one already in the DB. - ** If it does, create a variant of the nickname that doesn't. - */ - count = 0; - while ((tmpcert = CERT_FindCertByNickname(handle, nickname)) != NULL) { - CERT_DestroyCertificate(tmpcert); - if (!basename) { - basename = PORT_Strdup(nickname); - if (!basename) - goto loser; - } - count++; - sprintf(nickname, "%s #%d", basename, count); - } - - /* success */ - if (nicknameArena) { - returnName = PORT_ArenaStrdup(nicknameArena, nickname); - } else { - returnName = nickname; - nickname = NULL; - } -loser: - if (arena != NULL) - PORT_FreeArena(arena, PR_FALSE); - if (nickname) - PORT_Free(nickname); - if (basename) - PORT_Free(basename); - if (altNameExtension.data) - PORT_Free(altNameExtension.data); - return returnName; -} - #if 0 /* not exported from shared libs, not used. Turn on if we ever need it. */ SECStatus diff --git a/security/nss/lib/certdb/manifest.mn b/security/nss/lib/certdb/manifest.mn index 258af04b6f8..a2b92eb7375 100644 --- a/security/nss/lib/certdb/manifest.mn +++ b/security/nss/lib/certdb/manifest.mn @@ -66,8 +66,6 @@ CSRCS = \ xconst.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = certdb # This part of the code, including all sub-dirs, can be optimized for size diff --git a/security/nss/lib/certhigh/certhtml.c b/security/nss/lib/certhigh/certhtml.c index 50ced4f65e3..13a4177f81a 100644 --- a/security/nss/lib/certhigh/certhtml.c +++ b/security/nss/lib/certhigh/certhtml.c @@ -37,7 +37,7 @@ /* * certhtml.c --- convert a cert to html * - * $Id: certhtml.c,v 1.8.66.1 2010/08/28 19:49:28 nelson%bolyard.com Exp $ + * $Id: certhtml.c,v 1.10 2010/08/28 18:00:28 nelson%bolyard.com Exp $ */ #include "seccomon.h" diff --git a/security/nss/lib/certhigh/certvfy.c b/security/nss/lib/certhigh/certvfy.c index da83899cde7..02d0a38f145 100644 
--- a/security/nss/lib/certhigh/certvfy.c +++ b/security/nss/lib/certhigh/certvfy.c @@ -579,6 +579,14 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert, if (flags & CERTDB_VALID_CA) { validCAOverride = PR_TRUE; } + /* is it explicitly distrusted? */ + if ((flags & CERTDB_TERMINAL_RECORD) && + ((flags & (CERTDB_VALID_CA|CERTDB_TRUSTED)) == 0)) { + /* untrusted -- the cert is explicitly untrusted, not + * just that it doesn't chain to a trusted cert */ + PORT_SetError(SEC_ERROR_UNTRUSTED_CERT); + LOG_ERROR_OR_EXIT(log,issuerCert,count+1,flags); + } } else { /* Check if we have any valid trust when cheching for * certUsageAnyCA or certUsageStatusResponder. */ @@ -592,6 +600,22 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert, if (flags & CERTDB_VALID_CA) validCAOverride = PR_TRUE; } + /* We have 2 separate loops because we want any single trust + * bit to allow this usage to return trusted. Only if none of + * the trust bits are on do we check to see if the cert is + * untrusted */ + for (trustType = trustSSL; trustType < trustTypeNone; + trustType++) { + flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType); + /* is it explicitly distrusted? */ + if ((flags & CERTDB_TERMINAL_RECORD) && + ((flags & (CERTDB_VALID_CA|CERTDB_TRUSTED)) == 0)) { + /* untrusted -- the cert is explicitly untrusted, not + * just that it doesn't chain to a trusted cert */ + PORT_SetError(SEC_ERROR_UNTRUSTED_CERT); + LOG_ERROR_OR_EXIT(log,issuerCert,count+1,flags); + } + } } } 
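Review bot: The explicit-distrust test added to `cert_VerifyCertChainOld` treats an issuer as distrusted only when `CERTDB_TERMINAL_RECORD` is set and neither `CERTDB_VALID_CA` nor `CERTDB_TRUSTED` is. `cert_CheckLeafTrust`, added by the same commit, instead fails its CA usages (`certUsageSSLCA`, `certUsageAnyCA`) whenever `CERTDB_TRUSTED_CA` is absent. The two places therefore define "explicitly distrusted" differently for a CA certificate. The code that handles `CERTDB_TRUSTED_CA` before these lines is outside the hunk, so this may be intentional. The predicate is also written out by hand in both hunks here and again in the `CERT_VerifyCACertForUsage` hunk. A small static helper would keep the three copies in agreement, with a comment such as `/* TERMINAL_RECORD with neither VALID_CA nor TRUSTED set: the record is authoritative and grants nothing */`.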
@@ -826,6 +850,14 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert, if (flags & CERTDB_VALID_CA) { validCAOverride = PR_TRUE; } + /* is it explicitly distrusted? */ + if ((flags & CERTDB_TERMINAL_RECORD) && + ((flags & (CERTDB_VALID_CA|CERTDB_TRUSTED)) == 0)) { + /* untrusted -- the cert is explicitly untrusted, not + * just that it doesn't chain to a trusted cert */ + PORT_SetError(SEC_ERROR_UNTRUSTED_CERT); + LOG_ERROR_OR_EXIT(log,cert,0,flags); + } } if (!validCAOverride) { /* 
@@ -889,6 +921,154 @@ done: NEXT_USAGE(); \ } +/* + * check the leaf cert against trust and usage. + * returns success if the cert is not distrusted. If the cert is + * trusted, then the trusted bool will be true. + * returns failure if the cert is distrusted. If failure, flags + * will return the flag bits that indicated distrust. + */ +SECStatus +cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage, + unsigned int *failedFlags, PRBool *trusted) +{ + unsigned int flags; + + *failedFlags = 0; + *trusted = PR_FALSE; + + /* check trust flags to see if this cert is directly trusted */ + if ( cert->trust ) { + switch ( certUsage ) { + case certUsageSSLClient: + case certUsageSSLServer: + flags = cert->trust->sslFlags; + + /* is the cert directly trusted or not trusted ? */ + if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is + * authoritative */ + if ( flags & CERTDB_TRUSTED ) { /* trust this cert */ + *trusted = PR_TRUE; + return SECSuccess; + } else { /* don't trust this cert */ + *failedFlags = flags; + return SECFailure; + } + } + break; + case certUsageSSLServerWithStepUp: + /* XXX - step up certs can't be directly trusted, only distrust */ + flags = cert->trust->sslFlags; + if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is + * authoritative */ + if (( flags & CERTDB_TRUSTED ) == 0) { + /* don't trust this cert */ + *failedFlags = flags; + return SECFailure; + } + } + break; + case certUsageSSLCA: + flags = cert->trust->sslFlags; + /* we probably should also not explicitly fail the cert + * if only the trusted DELEGATOR flag is set */ + if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is + * authoritative */ + if (( flags & CERTDB_TRUSTED_CA ) == 0) { + /* don't trust this cert */ + *failedFlags = flags; + return SECFailure; + } + } + break; + case certUsageEmailSigner: + case certUsageEmailRecipient: + flags = cert->trust->emailFlags; + if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is + * authoritative */ 
+ if ( flags & CERTDB_TRUSTED ) { /* trust this cert */ + *trusted = PR_TRUE; + return SECSuccess; + } + else { /* don't trust this cert */ + *failedFlags = flags; + return SECFailure; + } + } + + break; + case certUsageObjectSigner: + flags = cert->trust->objectSigningFlags; + + if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is + * authoritative */ + if ( flags & CERTDB_TRUSTED ) { /* trust this cert */ + *trusted = PR_TRUE; + return SECSuccess; + } else { /* don't trust this cert */ + *failedFlags = flags; + return SECFailure; + } + } + break; + case certUsageVerifyCA: + case certUsageStatusResponder: + flags = cert->trust->sslFlags; + /* is the cert directly trusted or not trusted ? */ + if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) == + ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) { + *trusted = PR_TRUE; + return SECSuccess; + } + flags = cert->trust->emailFlags; + /* is the cert directly trusted or not trusted ? */ + if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) == + ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) { + *trusted = PR_TRUE; + return SECSuccess; + } + flags = cert->trust->objectSigningFlags; + /* is the cert directly trusted or not trusted ? 
*/ + if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) == + ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) { + *trusted = PR_TRUE; + return SECSuccess; + } + /* fall through to test distrust */ + case certUsageAnyCA: + case certUsageUserCertImport: + /* do we distrust these certs explicitly */ + flags = cert->trust->sslFlags; + if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is + * authoritative */ + if ((flags & CERTDB_TRUSTED_CA) == 0) { + *failedFlags = flags; + return SECFailure; + } + } + flags = cert->trust->emailFlags; + if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is + * authoritative */ + if ((flags & CERTDB_TRUSTED_CA) == 0) { + *failedFlags = flags; + return SECFailure; + } + } + case certUsageProtectedObjectSigner: + flags = cert->trust->objectSigningFlags; + if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is + * authoritative */ + if ((flags & CERTDB_TRUSTED_CA) == 0) { + *failedFlags = flags; + return SECFailure; + } + } + break; + } + } + return SECSuccess; +} + /* * verify a certificate by checking if it's valid and that we * trust the issuer. @@ -921,6 +1101,7 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool checkAllUsages = PR_FALSE; PRBool revoked = PR_FALSE; PRBool sigerror = PR_FALSE; + PRBool trusted = PR_FALSE; if (!requiredUsages) { /* there are no required usages, so the user probably wants to 
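Review bot: In `cert_CheckLeafTrust` the `certUsageAnyCA` / `certUsageUserCertImport` case runs into `case certUsageProtectedObjectSigner:` with no `break` and no annotation, while the earlier fall-through out of `certUsageVerifyCA` is marked with a comment. If checking `objectSigningFlags` for those usages is intended, say so with `/* fall through: also test objectSigningFlags for distrust */`. If it is not, a `break;` is missing after the `emailFlags` test. The switch also has no `default:`, so a `SECCertUsage` value not listed here returns `SECSuccess` with `*trusted` left `PR_FALSE`. A `default: break;` with a one-line comment would make that choice explicit for a trust-decision function.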
@@ -1008,91 +1189,21 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert, INVALID_USAGE(); } - /* check trust flags to see if this cert is directly trusted */ - if ( cert->trust ) { /* the cert is in the DB */ - switch ( certUsage ) { - case certUsageSSLClient: - case certUsageSSLServer: - flags = cert->trust->sslFlags; + rv = cert_CheckLeafTrust(cert, certUsage, &flags, &trusted); + if (rv == SECFailure) { + if (PR_TRUE == requiredUsage) { + PORT_SetError(SEC_ERROR_UNTRUSTED_CERT); + } + LOG_ERROR(log, cert, 0, flags); + INVALID_USAGE(); + } + if (trusted) { + VALID_USAGE(); + } - /* is the cert directly trusted or not trusted ? */ - if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/ - if ( flags & CERTDB_TRUSTED ) { /* trust this cert */ - VALID_USAGE(); - } else { /* don't trust this cert */ - if (PR_TRUE == requiredUsage) { - PORT_SetError(SEC_ERROR_UNTRUSTED_CERT); - } - LOG_ERROR(log,cert,0,flags); - INVALID_USAGE(); - } - } - break; - case certUsageSSLServerWithStepUp: - /* XXX - step up certs can't be directly trusted */ - break; - case certUsageSSLCA: - break; - case certUsageEmailSigner: - case certUsageEmailRecipient: - flags = cert->trust->emailFlags; - - /* is the cert directly trusted or not trusted ? */ - if ( ( flags & ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) == - ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) { - VALID_USAGE(); - } - break; - case certUsageObjectSigner: - flags = cert->trust->objectSigningFlags; - - /* is the cert directly trusted or not trusted ? 
*/ - if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/ - if ( flags & CERTDB_TRUSTED ) { /* trust this cert */ - VALID_USAGE(); - } else { /* don't trust this cert */ - if (PR_TRUE == requiredUsage) { - PORT_SetError(SEC_ERROR_UNTRUSTED_CERT); - } - LOG_ERROR(log,cert,0,flags); - INVALID_USAGE(); - } - } - break; - case certUsageVerifyCA: - case certUsageStatusResponder: - flags = cert->trust->sslFlags; - /* is the cert directly trusted or not trusted ? */ - if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) == - ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) { - VALID_USAGE(); - } - flags = cert->trust->emailFlags; - /* is the cert directly trusted or not trusted ? */ - if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) == - ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) { - VALID_USAGE(); - } - flags = cert->trust->objectSigningFlags; - /* is the cert directly trusted or not trusted ? */ - if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) == - ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) { - VALID_USAGE(); - } - break; - case certUsageAnyCA: - case certUsageProtectedObjectSigner: - case certUsageUserCertImport: - /* XXX to make the compiler happy. Should these be - * explicitly handled? - */ - break; - } - } - - if (PR_TRUE == revoked || PR_TRUE == sigerror) { - INVALID_USAGE(); - } + if (PR_TRUE == revoked || PR_TRUE == sigerror) { + INVALID_USAGE(); + } rv = cert_VerifyCertChain(handle, cert, checkSig, &sigerror, @@ -1146,6 +1257,7 @@ CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert, unsigned int requiredCertType; unsigned int flags; unsigned int certType; + PRBool trusted; PRBool allowOverride; SECCertTimeValidity validity; CERTStatusConfig *statusConfig; 
@@ -1212,81 +1324,15 @@ CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert, LOG_ERROR_OR_EXIT(log,cert,0,requiredCertType); } - /* check trust flags to see if this cert is directly trusted */ - if ( cert->trust ) { /* the cert is in the DB */ - switch ( certUsage ) { - case certUsageSSLClient: - case certUsageSSLServer: - flags = cert->trust->sslFlags; - - /* is the cert directly trusted or not trusted ? */ - if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/ - if ( flags & CERTDB_TRUSTED ) { /* trust this cert */ - goto winner; - } else { /* don't trust this cert */ - PORT_SetError(SEC_ERROR_UNTRUSTED_CERT); - LOG_ERROR_OR_EXIT(log,cert,0,flags); - } - } - break; - case certUsageSSLServerWithStepUp: - /* XXX - step up certs can't be directly trusted */ - break; - case certUsageSSLCA: - break; - case certUsageEmailSigner: - case certUsageEmailRecipient: - flags = cert->trust->emailFlags; - - /* is the cert directly trusted or not trusted ? */ - if ( ( flags & ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) == - ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) { - goto winner; - } - break; - case certUsageObjectSigner: - flags = cert->trust->objectSigningFlags; - - /* is the cert directly trusted or not trusted ? */ - if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/ - if ( flags & CERTDB_TRUSTED ) { /* trust this cert */ - goto winner; - } else { /* don't trust this cert */ - PORT_SetError(SEC_ERROR_UNTRUSTED_CERT); - LOG_ERROR_OR_EXIT(log,cert,0,flags); - } - } - break; - case certUsageVerifyCA: - case certUsageStatusResponder: - flags = cert->trust->sslFlags; - /* is the cert directly trusted or not trusted ? */ - if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) == - ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) { - goto winner; - } - flags = cert->trust->emailFlags; - /* is the cert directly trusted or not trusted ? 
*/ - if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) == - ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) { - goto winner; - } - flags = cert->trust->objectSigningFlags; - /* is the cert directly trusted or not trusted ? */ - if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) == - ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) { - goto winner; - } - break; - case certUsageAnyCA: - case certUsageProtectedObjectSigner: - case certUsageUserCertImport: - /* XXX to make the compiler happy. Should these be - * explicitly handled? - */ - break; - } + rv = cert_CheckLeafTrust(cert,certUsage, &flags, &trusted); + if (rv == SECFailure) { + PORT_SetError(SEC_ERROR_UNTRUSTED_CERT); + LOG_ERROR_OR_EXIT(log,cert,0,flags); } + if (trusted) { + goto winner; + } + rv = CERT_VerifyCertChain(handle, cert, checkSig, certUsage, t, wincx, log); diff --git a/security/nss/lib/certhigh/manifest.mn b/security/nss/lib/certhigh/manifest.mn index 9c4b42679b4..ed88a887588 100644 --- a/security/nss/lib/certhigh/manifest.mn +++ b/security/nss/lib/certhigh/manifest.mn @@ -60,8 +60,6 @@ CSRCS = \ xcrldist.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = certhi # This part of the code, including all sub-dirs, can be optimized for size diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c index e0b352ff54c..eec9748f707 100644 --- a/security/nss/lib/certhigh/ocsp.c +++ b/security/nss/lib/certhigh/ocsp.c @@ -39,7 +39,7 @@ * Implementation of OCSP services, for both client and server. * (XXX, really, mostly just for client right now, but intended to do both.) * - * $Id: ocsp.c,v 1.65.2.1 2011/07/13 11:13:55 kaie%kuix.de Exp $ + * $Id: ocsp.c,v 1.67 2011/08/10 12:31:52 kaie%kuix.de Exp $ */ #include "prerror.h" @@ -2950,6 +2950,7 @@ ocsp_SendEncodedRequest(char *location, SECItem *encodedRequest) PRFileDesc *sock = NULL; PRFileDesc *returnSock = NULL; char *header = NULL; + char portstr[16]; /* * Take apart the location, getting the hostname, port, and path. 
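Review bot: The three outcomes of `cert_CheckLeafTrust` in CERT_VerifyCert are not documented at the call site. SECFailure is reported as SEC_ERROR_UNTRUSTED_CERT, `trusted` jumps to `winner` without running the `CERT_VerifyCertChain` call on the next line, and anything else falls through to chain building. A comment above the call would state that contract as this caller uses it, for example `/* SECFailure: leaf is rejected for this usage; trusted: leaf is directly trusted, so chain building is skipped */`. The caller sets the error code unconditionally, so any other failure reason the helper might record would be lost; the helper is outside this hunk, so that is worth confirming. The call also reads `cert,certUsage` without a space, unlike the same call in CERT_VerifyCertificate.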
@@ -2965,11 +2966,16 @@ ocsp_SendEncodedRequest(char *location, SECItem *encodedRequest) if (sock == NULL) goto loser; + portstr[0] = '\0'; + if (port != 80) { + PR_snprintf(portstr, sizeof(portstr), ":%d", port); + } + header = PR_smprintf("POST %s HTTP/1.0\r\n" - "Host: %s:%d\r\n" + "Host: %s%s\r\n" "Content-Type: application/ocsp-request\r\n" "Content-Length: %u\r\n\r\n", - path, hostname, port, encodedRequest->len); + path, hostname, portstr, encodedRequest->len); if (header == NULL) goto loser; diff --git a/security/nss/lib/certhigh/ocsp.h b/security/nss/lib/certhigh/ocsp.h index b47243fad2e..a442ab3e95e 100644 --- a/security/nss/lib/certhigh/ocsp.h +++ b/security/nss/lib/certhigh/ocsp.h @@ -37,7 +37,7 @@ /* * Interface to the OCSP implementation. * - * $Id: ocsp.h,v 1.17.2.1 2010/09/27 21:22:20 wtc%google.com Exp $ + * $Id: ocsp.h,v 1.19 2011/01/15 19:47:11 nelson%bolyard.com Exp $ */ #ifndef _OCSP_H_ @@ -588,7 +588,7 @@ CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle, /* * FUNCTION: CERT_GetOCSPStatusForCertID - * Returns the OCSP status contained in the passed in paramter response + * Returns the OCSP status contained in the passed in parameter response * that corresponds to the certID passed in. * INPUTS: * CERTCertDBHandle *handle diff --git a/security/nss/lib/ckfw/builtins/certdata.c b/security/nss/lib/ckfw/builtins/certdata.c index 56301218898..5603a2d50f5 100644 --- a/security/nss/lib/ckfw/builtins/certdata.c +++ b/security/nss/lib/ckfw/builtins/certdata.c 
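Review bot: The rewritten `Host: %s%s` line still formats `hostname` and `path` into the request header unchecked, and both are derived from the caller-supplied `location` string, which for OCSP usually originates in certificate data (not visible here). The parsing happens above this hunk and may already reject control characters; if it does not, a CR or LF in either value would let the URL add header lines to the request. A guard before `PR_smprintf` closes that off, for example `if (strpbrk(hostname, "\r\n") != NULL || strpbrk(path, "\r\n") != NULL) goto loser;`. Separately, the `port != 80` special case deserves a one-line comment saying why the default port is left out of the Host header. ocsp_SendEncodedRequest starts and ends outside the hunk.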
@@ -35,7 +35,7 @@ * * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.67.2.10 $ $Date: 2011/08/01 06:40:03 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.67.2.10 $ $Date: 2011/08/01 06:40:03 $"; +static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.78 $ $Date: 2011/08/01 06:33:46 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.78 $ $Date: 2011/08/01 06:33:46 $"; #endif /* DEBUG */ #ifndef BUILTINS_H @@ -47,12 +47,12 @@ static const CK_BBOOL ck_true = CK_TRUE; static const CK_CERTIFICATE_TYPE ckc_x_509 = CKC_X_509; static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE; static const CK_OBJECT_CLASS cko_data = CKO_DATA; -static const CK_OBJECT_CLASS cko_netscape_builtin_root_list = CKO_NETSCAPE_BUILTIN_ROOT_LIST; -static const CK_OBJECT_CLASS cko_netscape_trust = CKO_NETSCAPE_TRUST; -static const CK_TRUST ckt_netscape_trust_unknown = CKT_NETSCAPE_TRUST_UNKNOWN; -static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR; -static const CK_TRUST ckt_netscape_untrusted = CKT_NETSCAPE_UNTRUSTED; -static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID; +static const CK_OBJECT_CLASS cko_nss_builtin_root_list = CKO_NSS_BUILTIN_ROOT_LIST; +static const CK_OBJECT_CLASS cko_nss_trust = CKO_NSS_TRUST; +static const CK_TRUST ckt_nss_must_verify_trust = CKT_NSS_MUST_VERIFY_TRUST; +static const CK_TRUST ckt_nss_not_trusted = CKT_NSS_NOT_TRUSTED; +static const CK_TRUST ckt_nss_trust_unknown = CKT_NSS_TRUST_UNKNOWN; +static const CK_TRUST ckt_nss_trusted_delegator = CKT_NSS_TRUSTED_DELEGATOR; #ifdef DEBUG static const CK_ATTRIBUTE_TYPE nss_builtins_types_0 [] = { CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_APPLICATION, CKA_VALUE 
@@ -1053,11 +1053,11 @@ static const NSSItem nss_builtins_items_0 [] = { { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)"CVS ID", (PRUint32)7 }, { (void *)"NSS", (PRUint32)4 }, - { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.67.2.10 $ $Date: 2011/08/01 06:40:03 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.67.2.10 $ $Date: 2011/08/01 06:40:03 $", (PRUint32)164 } + { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.78 $ $Date: 2011/08/01 06:33:46 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.78 $ $Date: 2011/08/01 06:33:46 $", (PRUint32)160 } }; #endif /* DEBUG */ static const NSSItem nss_builtins_items_1 [] = { - { (void *)&cko_netscape_builtin_root_list, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_builtin_root_list, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -1132,7 +1132,7 @@ static const NSSItem nss_builtins_items_2 [] = { , (PRUint32)606 } }; static const NSSItem nss_builtins_items_3 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -1153,9 +1153,9 @@ static const NSSItem nss_builtins_items_3 [] = { , (PRUint32)119 }, { (void *)"\002\002\001\245" , (PRUint32)4 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_4 [] = { @@ -1249,7 +1249,7 @@ static const NSSItem nss_builtins_items_4 [] = { , (PRUint32)791 } }; static const NSSItem nss_builtins_items_5 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -1275,9 +1275,9 @@ static const NSSItem nss_builtins_items_5 [] = { , (PRUint32)199 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_6 [] = { 
@@ -1374,7 +1374,7 @@ static const NSSItem nss_builtins_items_6 [] = { , (PRUint32)811 } }; static const NSSItem nss_builtins_items_7 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -1401,9 +1401,9 @@ static const NSSItem nss_builtins_items_7 [] = { , (PRUint32)209 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_8 [] = { @@ -1482,7 +1482,7 @@ static const NSSItem nss_builtins_items_8 [] = { , (PRUint32)804 } }; static const NSSItem nss_builtins_items_9 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -1500,9 +1500,9 @@ static const NSSItem nss_builtins_items_9 [] = { , (PRUint32)80 }, { (void *)"\002\004\065\336\364\317" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_10 [] = { @@ -1581,7 +1581,7 @@ static const NSSItem nss_builtins_items_10 [] = { , (PRUint32)813 } }; static const NSSItem nss_builtins_items_11 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -1599,9 +1599,9 @@ static const NSSItem nss_builtins_items_11 [] = { , (PRUint32)72 }, { (void *)"\002\004\066\160\025\226" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_12 [] = { 
@@ -1680,7 +1680,7 @@ static const NSSItem nss_builtins_items_12 [] = { , (PRUint32)813 } }; static const NSSItem nss_builtins_items_13 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -1698,9 +1698,9 @@ static const NSSItem nss_builtins_items_13 [] = { , (PRUint32)72 }, { (void *)"\002\004\066\156\323\316" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_14 [] = { @@ -1770,7 +1770,7 @@ static const NSSItem nss_builtins_items_14 [] = { , (PRUint32)577 } }; static const NSSItem nss_builtins_items_15 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -1791,9 +1791,9 @@ static const NSSItem nss_builtins_items_15 [] = { { (void *)"\002\021\000\315\272\177\126\360\337\344\274\124\376\042\254\263" "\162\252\125" , (PRUint32)19 }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_16 [] = { @@ -1862,7 +1862,7 @@ static const NSSItem nss_builtins_items_16 [] = { , (PRUint32)576 } }; static const NSSItem nss_builtins_items_17 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -1883,9 +1883,9 @@ static const NSSItem nss_builtins_items_17 [] = { { (void *)"\002\020\055\033\374\112\027\215\243\221\353\347\377\365\213\105" "\276\013" , (PRUint32)18 }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_18 [] = { 
@@ -1954,7 +1954,7 @@ static const NSSItem nss_builtins_items_18 [] = { , (PRUint32)576 } }; static const NSSItem nss_builtins_items_19 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -1975,9 +1975,9 @@ static const NSSItem nss_builtins_items_19 [] = { { (void *)"\002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314" "\272\277" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_20 [] = { @@ -2071,7 +2071,7 @@ static const NSSItem nss_builtins_items_20 [] = { , (PRUint32)774 } }; static const NSSItem nss_builtins_items_21 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -2098,9 +2098,9 @@ static const NSSItem nss_builtins_items_21 [] = { { (void *)"\002\020\114\307\352\252\230\076\161\323\223\020\370\075\072\211" "\221\222" , (PRUint32)18 }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_22 [] = { @@ -2194,7 +2194,7 @@ static const NSSItem nss_builtins_items_22 [] = { , (PRUint32)775 } }; static const NSSItem nss_builtins_items_23 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -2221,9 +2221,9 @@ static const NSSItem nss_builtins_items_23 [] = { { (void *)"\002\021\000\271\057\140\314\210\237\241\172\106\011\270\133\160" "\154\212\257" , (PRUint32)19 }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_24 [] = { 
@@ -2317,7 +2317,7 @@ static const NSSItem nss_builtins_items_24 [] = { , (PRUint32)774 } }; static const NSSItem nss_builtins_items_25 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -2344,9 +2344,9 @@ static const NSSItem nss_builtins_items_25 [] = { { (void *)"\002\020\175\331\376\007\317\250\036\267\020\171\147\373\247\211" "\064\306" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_26 [] = { @@ -2440,7 +2440,7 @@ static const NSSItem nss_builtins_items_26 [] = { , (PRUint32)774 } }; static const NSSItem nss_builtins_items_27 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -2467,9 +2467,9 @@ static const NSSItem nss_builtins_items_27 [] = { { (void *)"\002\020\062\210\216\232\322\365\353\023\107\370\177\304\040\067" "\045\370" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_28 [] = { @@ -2555,7 +2555,7 @@ static const NSSItem nss_builtins_items_28 [] = { , (PRUint32)889 } }; static const NSSItem nss_builtins_items_29 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -2574,9 +2574,9 @@ static const NSSItem nss_builtins_items_29 [] = { , (PRUint32)89 }, { (void *)"\002\013\004\000\000\000\000\001\025\113\132\303\224" , (PRUint32)13 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_30 [] = { 
@@ -2664,7 +2664,7 @@ static const NSSItem nss_builtins_items_30 [] = { , (PRUint32)958 } }; static const NSSItem nss_builtins_items_31 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -2682,9 +2682,9 @@ static const NSSItem nss_builtins_items_31 [] = { , (PRUint32)78 }, { (void *)"\002\013\004\000\000\000\000\001\017\206\046\346\015" , (PRUint32)13 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_32 [] = { @@ -2773,7 +2773,7 @@ static const NSSItem nss_builtins_items_32 [] = { , (PRUint32)747 } }; static const NSSItem nss_builtins_items_33 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -2798,9 +2798,9 @@ static const NSSItem nss_builtins_items_33 [] = { , (PRUint32)190 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_34 [] = { @@ -2889,7 +2889,7 @@ static const NSSItem nss_builtins_items_34 [] = { , (PRUint32)747 } }; static const NSSItem nss_builtins_items_35 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -2914,9 +2914,9 @@ static const NSSItem nss_builtins_items_35 [] = { , (PRUint32)190 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_36 [] = { 
@@ -3005,7 +3005,7 @@ static const NSSItem nss_builtins_items_36 [] = { , (PRUint32)747 } }; static const NSSItem nss_builtins_items_37 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -3030,9 +3030,9 @@ static const NSSItem nss_builtins_items_37 [] = { , (PRUint32)190 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_38 [] = { @@ -3143,7 +3143,7 @@ static const NSSItem nss_builtins_items_38 [] = { , (PRUint32)1054 } }; static const NSSItem nss_builtins_items_39 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -3170,9 +3170,9 @@ static const NSSItem nss_builtins_items_39 [] = { { (void *)"\002\021\000\213\133\165\126\204\124\205\013\000\317\257\070\110" "\316\261\244" , (PRUint32)19 }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_40 [] = { @@ -3283,7 +3283,7 @@ static const NSSItem nss_builtins_items_40 [] = { , (PRUint32)1053 } }; static const NSSItem nss_builtins_items_41 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -3310,9 +3310,9 @@ static const NSSItem nss_builtins_items_41 [] = { { (void *)"\002\020\141\160\313\111\214\137\230\105\051\347\260\246\331\120" "\133\172" , (PRUint32)18 }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_42 [] = { 
@@ -3423,7 +3423,7 @@ static const NSSItem nss_builtins_items_42 [] = { , (PRUint32)1054 } }; static const NSSItem nss_builtins_items_43 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -3450,9 +3450,9 @@ static const NSSItem nss_builtins_items_43 [] = { { (void *)"\002\021\000\233\176\006\111\243\076\142\271\325\356\220\110\161" "\051\357\127" , (PRUint32)19 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_44 [] = { @@ -3563,7 +3563,7 @@ static const NSSItem nss_builtins_items_44 [] = { , (PRUint32)1054 } }; static const NSSItem nss_builtins_items_45 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -3590,9 +3590,9 @@ static const NSSItem nss_builtins_items_45 [] = { { (void *)"\002\021\000\354\240\247\213\156\165\152\001\317\304\174\314\057" "\224\136\327" , (PRUint32)19 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_46 [] = { @@ -3714,7 +3714,7 @@ static const NSSItem nss_builtins_items_46 [] = { , (PRUint32)1244 } }; static const NSSItem nss_builtins_items_47 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -3740,9 +3740,9 @@ static const NSSItem nss_builtins_items_47 [] = { , (PRUint32)198 }, { (void *)"\002\004\067\112\322\103" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_48 [] = { 
@@ -3854,7 +3854,7 @@ static const NSSItem nss_builtins_items_48 [] = { , (PRUint32)1120 } }; static const NSSItem nss_builtins_items_49 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -3879,9 +3879,9 @@ static const NSSItem nss_builtins_items_49 [] = { , (PRUint32)183 }, { (void *)"\002\004\070\143\271\146" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_50 [] = { @@ -3967,7 +3967,7 @@ static const NSSItem nss_builtins_items_50 [] = { , (PRUint32)891 } }; static const NSSItem nss_builtins_items_51 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -3986,9 +3986,9 @@ static const NSSItem nss_builtins_items_51 [] = { , (PRUint32)92 }, { (void *)"\002\004\002\000\000\271" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_52 [] = { @@ -4060,7 +4060,7 @@ static const NSSItem nss_builtins_items_52 [] = { , (PRUint32)660 } }; static const NSSItem nss_builtins_items_53 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -4079,9 +4079,9 @@ static const NSSItem nss_builtins_items_53 [] = { , (PRUint32)92 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_54 [] = { 
@@ -4152,7 +4152,7 @@ static const NSSItem nss_builtins_items_54 [] = { , (PRUint32)646 } }; static const NSSItem nss_builtins_items_55 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -4171,9 +4171,9 @@ static const NSSItem nss_builtins_items_55 [] = { , (PRUint32)85 }, { (void *)"\002\001\004" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_56 [] = { @@ -4252,7 +4252,7 @@ static const NSSItem nss_builtins_items_56 [] = { , (PRUint32)804 } }; static const NSSItem nss_builtins_items_57 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -4270,9 +4270,9 @@ static const NSSItem nss_builtins_items_57 [] = { , (PRUint32)80 }, { (void *)"\002\004\067\160\317\265" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_58 [] = { @@ -4370,7 +4370,7 @@ static const NSSItem nss_builtins_items_58 [] = { , (PRUint32)1052 } }; static const NSSItem nss_builtins_items_59 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -4390,9 +4390,9 @@ static const NSSItem nss_builtins_items_59 [] = { , (PRUint32)103 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_60 [] = { 
@@ -4494,7 +4494,7 @@ static const NSSItem nss_builtins_items_60 [] = { , (PRUint32)1082 } }; static const NSSItem nss_builtins_items_61 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -4515,9 +4515,9 @@ static const NSSItem nss_builtins_items_61 [] = { , (PRUint32)113 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_62 [] = { @@ -4615,7 +4615,7 @@ static const NSSItem nss_builtins_items_62 [] = { , (PRUint32)1049 } }; static const NSSItem nss_builtins_items_63 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -4635,9 +4635,9 @@ static const NSSItem nss_builtins_items_63 [] = { , (PRUint32)102 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_64 [] = { @@ -4736,7 +4736,7 @@ static const NSSItem nss_builtins_items_64 [] = { , (PRUint32)1058 } }; static const NSSItem nss_builtins_items_65 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -4756,9 +4756,9 @@ static const NSSItem nss_builtins_items_65 [] = { , (PRUint32)105 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_66 [] = { 
@@ -4874,7 +4874,7 @@ static const NSSItem nss_builtins_items_66 [] = { , (PRUint32)1173 } }; static const NSSItem nss_builtins_items_67 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -4899,9 +4899,9 @@ static const NSSItem nss_builtins_items_67 [] = { , (PRUint32)179 }, { (void *)"\002\004\105\153\120\124" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_68 [] = { @@ -4983,7 +4983,7 @@ static const NSSItem nss_builtins_items_68 [] = { , (PRUint32)869 } }; static const NSSItem nss_builtins_items_69 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -5001,9 +5001,9 @@ static const NSSItem nss_builtins_items_69 [] = { { (void *)"\002\020\012\001\001\001\000\000\002\174\000\000\000\012\000\000" "\000\002" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_70 [] = { @@ -5085,7 +5085,7 @@ static const NSSItem nss_builtins_items_70 [] = { , (PRUint32)856 } }; static const NSSItem nss_builtins_items_71 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -5103,9 +5103,9 @@ static const NSSItem nss_builtins_items_71 [] = { , (PRUint32)68 }, { (void *)"\002\003\002\064\126" , (PRUint32)5 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_72 [] = { 
@@ -5188,7 +5188,7 @@ static const NSSItem nss_builtins_items_72 [] = { , (PRUint32)874 } }; static const NSSItem nss_builtins_items_73 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -5206,9 +5206,9 @@ static const NSSItem nss_builtins_items_73 [] = { , (PRUint32)70 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_74 [] = { @@ -5323,7 +5323,7 @@ static const NSSItem nss_builtins_items_74 [] = { , (PRUint32)1388 } }; static const NSSItem nss_builtins_items_75 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -5341,9 +5341,9 @@ static const NSSItem nss_builtins_items_75 [] = { , (PRUint32)71 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_76 [] = { @@ -5458,7 +5458,7 @@ static const NSSItem nss_builtins_items_76 [] = { , (PRUint32)1392 } }; static const NSSItem nss_builtins_items_77 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -5476,9 +5476,9 @@ static const NSSItem nss_builtins_items_77 [] = { , (PRUint32)73 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_78 [] = { 
@@ -5590,7 +5590,7 @@ static const NSSItem nss_builtins_items_78 [] = { , (PRUint32)1128 } }; static const NSSItem nss_builtins_items_79 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -5615,9 +5615,9 @@ static const NSSItem nss_builtins_items_79 [] = { { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\060\113\300" "\063\167" , (PRUint32)18 }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_80 [] = { @@ -5708,7 +5708,7 @@ static const NSSItem nss_builtins_items_80 [] = { , (PRUint32)936 } }; static const NSSItem nss_builtins_items_81 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -5728,9 +5728,9 @@ static const NSSItem nss_builtins_items_81 [] = { , (PRUint32)101 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_82 [] = { @@ -5853,7 +5853,7 @@ static const NSSItem nss_builtins_items_82 [] = { , (PRUint32)1448 } }; static const NSSItem nss_builtins_items_83 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -5873,9 +5873,9 @@ static const NSSItem nss_builtins_items_83 [] = { , (PRUint32)101 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_84 [] = { 
@@ -5967,7 +5967,7 @@ static const NSSItem nss_builtins_items_84 [] = { , (PRUint32)934 } }; static const NSSItem nss_builtins_items_85 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -5988,9 +5988,9 @@ static const NSSItem nss_builtins_items_85 [] = { { (void *)"\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220" "\034\142" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_86 [] = { @@ -6086,7 +6086,7 @@ static const NSSItem nss_builtins_items_86 [] = { , (PRUint32)864 } }; static const NSSItem nss_builtins_items_87 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -6111,9 +6111,9 @@ static const NSSItem nss_builtins_items_87 [] = { , (PRUint32)191 }, { (void *)"\002\002\003\352" , (PRUint32)4 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_88 [] = { @@ -6209,7 +6209,7 @@ static const NSSItem nss_builtins_items_88 [] = { , (PRUint32)864 } }; static const NSSItem nss_builtins_items_89 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -6234,9 +6234,9 @@ static const NSSItem nss_builtins_items_89 [] = { , (PRUint32)191 }, { (void *)"\002\002\003\353" , (PRUint32)4 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_90 [] = { 
@@ -6311,7 +6311,7 @@ static const NSSItem nss_builtins_items_90 [] = { , (PRUint32)784 } }; static const NSSItem nss_builtins_items_91 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -6328,9 +6328,9 @@ static const NSSItem nss_builtins_items_91 [] = { , (PRUint32)64 }, { (void *)"\002\003\001\000\040" , (PRUint32)5 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_92 [] = { @@ -6432,7 +6432,7 @@ static const NSSItem nss_builtins_items_92 [] = { , (PRUint32)1078 } }; static const NSSItem nss_builtins_items_93 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -6453,9 +6453,9 @@ static const NSSItem nss_builtins_items_93 [] = { , (PRUint32)125 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_94 [] = { @@ -6558,7 +6558,7 @@ static const NSSItem nss_builtins_items_94 [] = { , (PRUint32)1091 } }; static const NSSItem nss_builtins_items_95 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -6579,9 +6579,9 @@ static const NSSItem nss_builtins_items_95 [] = { , (PRUint32)128 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_96 [] = { 
@@ -6686,7 +6686,7 @@ static const NSSItem nss_builtins_items_96 [] = { , (PRUint32)1095 } }; static const NSSItem nss_builtins_items_97 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -6708,9 +6708,9 @@ static const NSSItem nss_builtins_items_97 [] = { , (PRUint32)129 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_98 [] = { @@ -6840,7 +6840,7 @@ static const NSSItem nss_builtins_items_98 [] = { , (PRUint32)1492 } }; static const NSSItem nss_builtins_items_99 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -6862,9 +6862,9 @@ static const NSSItem nss_builtins_items_99 [] = { , (PRUint32)129 }, { (void *)"\002\004\072\266\120\213" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_100 [] = { @@ -6984,7 +6984,7 @@ static const NSSItem nss_builtins_items_100 [] = { , (PRUint32)1467 } }; static const NSSItem nss_builtins_items_101 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -7002,9 +7002,9 @@ static const NSSItem nss_builtins_items_101 [] = { , (PRUint32)71 }, { (void *)"\002\002\005\011" , (PRUint32)4 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_102 [] = { 
@@ -7139,7 +7139,7 @@ static const NSSItem nss_builtins_items_102 [] = { , (PRUint32)1697 } }; static const NSSItem nss_builtins_items_103 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -7157,9 +7157,9 @@ static const NSSItem nss_builtins_items_103 [] = { , (PRUint32)71 }, { (void *)"\002\002\005\306" , (PRUint32)4 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_104 [] = { @@ -7243,7 +7243,7 @@ static const NSSItem nss_builtins_items_104 [] = { , (PRUint32)862 } }; static const NSSItem nss_builtins_items_105 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -7262,9 +7262,9 @@ static const NSSItem nss_builtins_items_105 [] = { , (PRUint32)82 }, { (void *)"\002\001\000" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_106 [] = { @@ -7341,7 +7341,7 @@ static const NSSItem nss_builtins_items_106 [] = { , (PRUint32)804 } }; static const NSSItem nss_builtins_items_107 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -7358,9 +7358,9 @@ static const NSSItem nss_builtins_items_107 [] = { , (PRUint32)59 }, { (void *)"\002\001\044" , (PRUint32)3 }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_108 [] = { 
@@ -7437,7 +7437,7 @@ static const NSSItem nss_builtins_items_108 [] = { , (PRUint32)804 } }; static const NSSItem nss_builtins_items_109 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -7454,9 +7454,9 @@ static const NSSItem nss_builtins_items_109 [] = { , (PRUint32)59 }, { (void *)"\002\001\035" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_110 [] = { @@ -7546,7 +7546,7 @@ static const NSSItem nss_builtins_items_110 [] = { , (PRUint32)958 } }; static const NSSItem nss_builtins_items_111 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -7565,9 +7565,9 @@ static const NSSItem nss_builtins_items_111 [] = { , (PRUint32)87 }, { (void *)"\002\004\000\230\226\212" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_112 [] = { @@ -7662,7 +7662,7 @@ static const NSSItem nss_builtins_items_112 [] = { , (PRUint32)1071 } }; static const NSSItem nss_builtins_items_113 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -7680,9 +7680,9 @@ static const NSSItem nss_builtins_items_113 [] = { , (PRUint32)69 }, { (void *)"\002\004\072\314\245\114" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_114 [] = { 
@@ -7790,7 +7790,7 @@ static const NSSItem nss_builtins_items_114 [] = { , (PRUint32)1309 } }; static const NSSItem nss_builtins_items_115 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -7807,9 +7807,9 @@ static const NSSItem nss_builtins_items_115 [] = { , (PRUint32)51 }, { (void *)"\002\004\076\110\275\304" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_116 [] = { @@ -7919,7 +7919,7 @@ static const NSSItem nss_builtins_items_116 [] = { , (PRUint32)1122 } }; static const NSSItem nss_builtins_items_117 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -7943,9 +7943,9 @@ static const NSSItem nss_builtins_items_117 [] = { { (void *)"\002\020\104\276\014\213\120\000\041\264\021\323\052\150\006\251" "\255\151" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_118 [] = { @@ -8063,7 +8063,7 @@ static const NSSItem nss_builtins_items_118 [] = { , (PRUint32)1190 } }; static const NSSItem nss_builtins_items_119 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -8089,9 +8089,9 @@ static const NSSItem nss_builtins_items_119 [] = { { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\045\045\147" "\311\211" , (PRUint32)18 }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_120 [] = { 
@@ -8202,7 +8202,7 @@ static const NSSItem nss_builtins_items_120 [] = { , (PRUint32)1144 } }; static const NSSItem nss_builtins_items_121 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -8226,9 +8226,9 @@ static const NSSItem nss_builtins_items_121 [] = { { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\052\376\145" "\012\375" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_122 [] = { @@ -8338,7 +8338,7 @@ static const NSSItem nss_builtins_items_122 [] = { , (PRUint32)1130 } }; static const NSSItem nss_builtins_items_123 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -8362,9 +8362,9 @@ static const NSSItem nss_builtins_items_123 [] = { { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\055\340\263" "\137\033" , (PRUint32)18 }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_124 [] = { @@ -8477,7 +8477,7 @@ static const NSSItem nss_builtins_items_124 [] = { , (PRUint32)1217 } }; static const NSSItem nss_builtins_items_125 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -8499,9 +8499,9 @@ static const NSSItem nss_builtins_items_125 [] = { , (PRUint32)129 }, { (void *)"\002\001\000" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_126 [] = { 
@@ -8612,7 +8612,7 @@ static const NSSItem nss_builtins_items_126 [] = { , (PRUint32)1225 } }; static const NSSItem nss_builtins_items_127 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -8633,9 +8633,9 @@ static const NSSItem nss_builtins_items_127 [] = { , (PRUint32)127 }, { (void *)"\002\001\000" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_128 [] = { @@ -8789,7 +8789,7 @@ static const NSSItem nss_builtins_items_128 [] = { , (PRUint32)1749 } }; static const NSSItem nss_builtins_items_129 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -8815,9 +8815,9 @@ static const NSSItem nss_builtins_items_129 [] = { , (PRUint32)204 }, { (void *)"\002\001\173" , (PRUint32)3 }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_130 [] = { @@ -8964,7 +8964,7 @@ static const NSSItem nss_builtins_items_130 [] = { , (PRUint32)1665 } }; static const NSSItem nss_builtins_items_131 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -8989,9 +8989,9 @@ static const NSSItem nss_builtins_items_131 [] = { , (PRUint32)178 }, { (void *)"\002\002\001\003" , (PRUint32)4 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_132 [] = { 
@@ -9114,7 +9114,7 @@ static const NSSItem nss_builtins_items_132 [] = { , (PRUint32)1359 } }; static const NSSItem nss_builtins_items_133 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -9137,9 +9137,9 @@ static const NSSItem nss_builtins_items_133 [] = { , (PRUint32)156 }, { (void *)"\002\001\151" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_134 [] = { @@ -9263,7 +9263,7 @@ static const NSSItem nss_builtins_items_134 [] = { , (PRUint32)1363 } }; static const NSSItem nss_builtins_items_135 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -9286,9 +9286,9 @@ static const NSSItem nss_builtins_items_135 [] = { , (PRUint32)158 }, { (void *)"\002\001\150" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_136 [] = { @@ -9393,7 +9393,7 @@ static const NSSItem nss_builtins_items_136 [] = { , (PRUint32)1076 } }; static const NSSItem nss_builtins_items_137 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -9416,9 +9416,9 @@ static const NSSItem nss_builtins_items_137 [] = { { (void *)"\002\020\120\224\154\354\030\352\325\234\115\325\227\357\165\217" "\240\255" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_138 [] = { 
@@ -9515,7 +9515,7 @@ static const NSSItem nss_builtins_items_138 [] = { , (PRUint32)1028 } }; static const NSSItem nss_builtins_items_139 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -9535,9 +9535,9 @@ static const NSSItem nss_builtins_items_139 [] = { , (PRUint32)101 }, { (void *)"\002\001\000" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_140 [] = { @@ -9635,7 +9635,7 @@ static const NSSItem nss_builtins_items_140 [] = { , (PRUint32)1043 } }; static const NSSItem nss_builtins_items_141 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -9655,9 +9655,9 @@ static const NSSItem nss_builtins_items_141 [] = { , (PRUint32)106 }, { (void *)"\002\001\000" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_142 [] = { @@ -9816,7 +9816,7 @@ static const NSSItem nss_builtins_items_142 [] = { , (PRUint32)1997 } }; static const NSSItem nss_builtins_items_143 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -9837,9 +9837,9 @@ static const NSSItem nss_builtins_items_143 [] = { , (PRUint32)127 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_144 [] = { 
@@ -9956,7 +9956,7 @@ static const NSSItem nss_builtins_items_144 [] = { , (PRUint32)1398 } }; static const NSSItem nss_builtins_items_145 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -9975,9 +9975,9 @@ static const NSSItem nss_builtins_items_145 [] = { { (void *)"\002\020\037\235\131\132\327\057\302\006\104\245\200\010\151\343" "\136\366" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_146 [] = { @@ -10085,7 +10085,7 @@ static const NSSItem nss_builtins_items_146 [] = { , (PRUint32)1115 } }; static const NSSItem nss_builtins_items_147 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -10108,9 +10108,9 @@ static const NSSItem nss_builtins_items_147 [] = { , (PRUint32)160 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_148 [] = { @@ -10209,7 +10209,7 @@ static const NSSItem nss_builtins_items_148 [] = { , (PRUint32)1001 } }; static const NSSItem nss_builtins_items_149 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -10231,9 +10231,9 @@ static const NSSItem nss_builtins_items_149 [] = { , (PRUint32)133 }, { (void *)"\002\004\071\344\227\236" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_150 [] = { 
@@ -10360,7 +10360,7 @@ static const NSSItem nss_builtins_items_150 [] = { , (PRUint32)1501 } }; static const NSSItem nss_builtins_items_151 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -10381,9 +10381,9 @@ static const NSSItem nss_builtins_items_151 [] = { { (void *)"\002\020\134\013\205\134\013\347\131\101\337\127\314\077\177\235" "\250\066" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_152 [] = { @@ -10476,7 +10476,7 @@ static const NSSItem nss_builtins_items_152 [] = { , (PRUint32)955 } }; static const NSSItem nss_builtins_items_153 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -10497,9 +10497,9 @@ static const NSSItem nss_builtins_items_153 [] = { { (void *)"\002\020\014\347\340\345\027\330\106\376\217\345\140\374\033\360" "\060\071" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_154 [] = { @@ -10592,7 +10592,7 @@ static const NSSItem nss_builtins_items_154 [] = { , (PRUint32)947 } }; static const NSSItem nss_builtins_items_155 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -10613,9 +10613,9 @@ static const NSSItem nss_builtins_items_155 [] = { { (void *)"\002\020\010\073\340\126\220\102\106\261\241\165\152\311\131\221" "\307\112" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_156 [] = { 
@@ -10709,7 +10709,7 @@ static const NSSItem nss_builtins_items_156 [] = { , (PRUint32)969 } }; static const NSSItem nss_builtins_items_157 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -10730,9 +10730,9 @@ static const NSSItem nss_builtins_items_157 [] = { { (void *)"\002\020\002\254\134\046\152\013\100\233\217\013\171\362\256\106" "\045\167" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_158 [] = { @@ -10817,7 +10817,7 @@ static const NSSItem nss_builtins_items_158 [] = { , (PRUint32)918 } }; static const NSSItem nss_builtins_items_159 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -10835,9 +10835,9 @@ static const NSSItem nss_builtins_items_159 [] = { { (void *)"\002\021\000\205\275\113\363\330\332\343\151\366\224\327\137\303" "\245\104\043" , (PRUint32)19 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_160 [] = { @@ -10919,7 +10919,7 @@ static const NSSItem nss_builtins_items_160 [] = { , (PRUint32)846 } }; static const NSSItem nss_builtins_items_161 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -10938,9 +10938,9 @@ static const NSSItem nss_builtins_items_161 [] = { { (void *)"\002\020\104\257\260\200\326\243\047\272\211\060\071\206\056\370" "\100\153" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_162 [] = { 
@@ -11036,7 +11036,7 @@ static const NSSItem nss_builtins_items_162 [] = { , (PRUint32)1037 } }; static const NSSItem nss_builtins_items_163 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -11056,9 +11056,9 @@ static const NSSItem nss_builtins_items_163 [] = { { (void *)"\002\020\015\136\231\012\326\235\267\170\354\330\007\126\073\206" "\025\331" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_164 [] = { @@ -11164,7 +11164,7 @@ static const NSSItem nss_builtins_items_164 [] = { , (PRUint32)1023 } }; static const NSSItem nss_builtins_items_165 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -11189,9 +11189,9 @@ static const NSSItem nss_builtins_items_165 [] = { , (PRUint32)186 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_166 [] = { @@ -11303,7 +11303,7 @@ static const NSSItem nss_builtins_items_166 [] = { , (PRUint32)1088 } }; static const NSSItem nss_builtins_items_167 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -11329,9 +11329,9 @@ static const NSSItem nss_builtins_items_167 [] = { , (PRUint32)193 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_168 [] = { 
@@ -11452,7 +11452,7 @@ static const NSSItem nss_builtins_items_168 [] = { , (PRUint32)1477 } }; static const NSSItem nss_builtins_items_169 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -11470,9 +11470,9 @@ static const NSSItem nss_builtins_items_169 [] = { , (PRUint32)75 }, { (void *)"\002\010\116\262\000\147\014\003\135\117" , (PRUint32)10 }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_170 [] = { @@ -11592,7 +11592,7 @@ static const NSSItem nss_builtins_items_170 [] = { , (PRUint32)1470 } }; static const NSSItem nss_builtins_items_171 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -11610,9 +11610,9 @@ static const NSSItem nss_builtins_items_171 [] = { , (PRUint32)71 }, { (void *)"\002\011\000\273\100\034\103\365\136\117\260" , (PRUint32)11 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_172 [] = { @@ -11733,7 +11733,7 @@ static const NSSItem nss_builtins_items_172 [] = { , (PRUint32)1473 } }; static const NSSItem nss_builtins_items_173 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -11751,9 +11751,9 @@ static const NSSItem nss_builtins_items_173 [] = { , (PRUint32)73 }, { (void *)"\002\010\117\033\324\057\124\273\057\113" , (PRUint32)10 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_174 [] = { 
@@ -11840,7 +11840,7 @@ static const NSSItem nss_builtins_items_174 [] = { , (PRUint32)896 } }; static const NSSItem nss_builtins_items_175 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -11860,9 +11860,9 @@ static const NSSItem nss_builtins_items_175 [] = { { (void *)"\002\020\030\254\265\152\375\151\266\025\072\143\154\257\332\372" "\304\241" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_176 [] = { @@ -11970,7 +11970,7 @@ static const NSSItem nss_builtins_items_176 [] = { , (PRUint32)1060 } }; static const NSSItem nss_builtins_items_177 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -11995,9 +11995,9 @@ static const NSSItem nss_builtins_items_177 [] = { { (void *)"\002\020\064\116\325\127\040\325\355\354\111\364\057\316\067\333" "\053\155" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_178 [] = { @@ -12120,7 +12120,7 @@ static const NSSItem nss_builtins_items_178 [] = { , (PRUint32)1239 } }; static const NSSItem nss_builtins_items_179 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -12147,9 +12147,9 @@ static const NSSItem nss_builtins_items_179 [] = { { (void *)"\002\020\030\332\321\236\046\175\350\273\112\041\130\315\314\153" "\073\112" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_180 [] = { 
@@ -12238,7 +12238,7 @@ static const NSSItem nss_builtins_items_180 [] = { , (PRUint32)956 } }; static const NSSItem nss_builtins_items_181 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -12257,9 +12257,9 @@ static const NSSItem nss_builtins_items_181 [] = { { (void *)"\002\020\014\360\216\134\010\026\245\255\102\177\360\353\047\030" "\131\320" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_182 [] = { @@ -12348,7 +12348,7 @@ static const NSSItem nss_builtins_items_182 [] = { , (PRUint32)960 } }; static const NSSItem nss_builtins_items_183 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -12367,9 +12367,9 @@ static const NSSItem nss_builtins_items_183 [] = { { (void *)"\002\020\007\126\042\244\350\324\212\211\115\364\023\310\360\370" "\352\245" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_184 [] = { @@ -12473,7 +12473,7 @@ static const NSSItem nss_builtins_items_184 [] = { , (PRUint32)1057 } }; static const NSSItem nss_builtins_items_185 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -12496,9 +12496,9 @@ static const NSSItem nss_builtins_items_185 [] = { { (void *)"\002\020\116\201\055\212\202\145\340\013\002\356\076\065\002\106" "\345\075" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_186 [] = { 
@@ -12620,7 +12620,7 @@ static const NSSItem nss_builtins_items_186 [] = { , (PRUint32)1422 } }; static const NSSItem nss_builtins_items_187 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -12641,9 +12641,9 @@ static const NSSItem nss_builtins_items_187 [] = { { (void *)"\002\020\014\166\332\234\221\014\116\054\236\376\025\320\130\223" "\074\114" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_188 [] = { @@ -12739,7 +12739,7 @@ static const NSSItem nss_builtins_items_188 [] = { , (PRUint32)1002 } }; static const NSSItem nss_builtins_items_189 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -12760,9 +12760,9 @@ static const NSSItem nss_builtins_items_189 [] = { { (void *)"\002\020\127\313\063\157\302\134\026\346\107\026\027\343\220\061" "\150\340" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_190 [] = { @@ -12875,7 +12875,7 @@ static const NSSItem nss_builtins_items_190 [] = { , (PRUint32)1217 } }; static const NSSItem nss_builtins_items_191 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -12897,9 +12897,9 @@ static const NSSItem nss_builtins_items_191 [] = { , (PRUint32)136 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_192 [] = { 
@@ -12977,7 +12977,7 @@ static const NSSItem nss_builtins_items_192 [] = { , (PRUint32)653 } }; static const NSSItem nss_builtins_items_193 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -13000,9 +13000,9 @@ static const NSSItem nss_builtins_items_193 [] = { { (void *)"\002\020\037\107\257\252\142\000\160\120\124\114\001\236\233\143" "\231\052" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_194 [] = { @@ -13098,7 +13098,7 @@ static const NSSItem nss_builtins_items_194 [] = { , (PRUint32)1078 } }; static const NSSItem nss_builtins_items_195 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -13117,9 +13117,9 @@ static const NSSItem nss_builtins_items_195 [] = { , (PRUint32)92 }, { (void *)"\002\001\102" , (PRUint32)3 }, - { (void *)&ckt_netscape_untrusted, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_untrusted, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_untrusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_196 [] = { @@ -13220,7 +13220,7 @@ static const NSSItem nss_builtins_items_196 [] = { , (PRUint32)1030 } }; static const NSSItem nss_builtins_items_197 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -13242,9 +13242,9 @@ static const NSSItem nss_builtins_items_197 [] = { , (PRUint32)136 }, { (void *)"\002\005\071\021\105\020\224" , (PRUint32)7 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_198 [] = { 
@@ -13333,7 +13333,7 @@ static const NSSItem nss_builtins_items_198 [] = { , (PRUint32)897 } }; static const NSSItem nss_builtins_items_199 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -13353,9 +13353,9 @@ static const NSSItem nss_builtins_items_199 [] = { , (PRUint32)98 }, { (void *)"\002\001\000" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_200 [] = { @@ -13456,7 +13456,7 @@ static const NSSItem nss_builtins_items_200 [] = { , (PRUint32)1013 } }; static const NSSItem nss_builtins_items_201 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -13479,9 +13479,9 @@ static const NSSItem nss_builtins_items_201 [] = { { (void *)"\002\020\101\075\162\307\364\153\037\201\103\175\361\322\050\124" "\337\232" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_202 [] = { @@ -13596,7 +13596,7 @@ static const NSSItem nss_builtins_items_202 [] = { , (PRUint32)1151 } }; static const NSSItem nss_builtins_items_203 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -13622,9 +13622,9 @@ static const NSSItem nss_builtins_items_203 [] = { { (void *)"\002\020\067\031\030\346\123\124\174\032\265\270\313\131\132\333" "\065\267" , (PRUint32)18 }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_204 [] = { 
@@ -13782,7 +13782,7 @@ static const NSSItem nss_builtins_items_204 [] = { , (PRUint32)1964 } }; static const NSSItem nss_builtins_items_205 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -13804,9 +13804,9 @@ static const NSSItem nss_builtins_items_205 [] = { { (void *)"\002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034" "\054\017\021" , (PRUint32)19 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_206 [] = { @@ -13891,7 +13891,7 @@ static const NSSItem nss_builtins_items_206 [] = { , (PRUint32)940 } }; static const NSSItem nss_builtins_items_207 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -13908,9 +13908,9 @@ static const NSSItem nss_builtins_items_207 [] = { , (PRUint32)54 }, { (void *)"\002\011\000\376\334\343\001\017\311\110\377" , (PRUint32)11 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_208 [] = { @@ -14048,7 +14048,7 @@ static const NSSItem nss_builtins_items_208 [] = { , (PRUint32)1642 } }; static const NSSItem nss_builtins_items_209 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -14070,9 +14070,9 @@ static const NSSItem nss_builtins_items_209 [] = { { (void *)"\002\017\007\176\122\223\173\340\025\343\127\360\151\214\313\354" "\014" , (PRUint32)17 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_210 [] = { 
@@ -14181,7 +14181,7 @@ static const NSSItem nss_builtins_items_210 [] = { , (PRUint32)1198 } }; static const NSSItem nss_builtins_items_211 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -14202,9 +14202,9 @@ static const NSSItem nss_builtins_items_211 [] = { , (PRUint32)120 }, { (void *)"\002\016\056\152\000\001\000\002\037\327\122\041\054\021\134\073" , (PRUint32)16 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_212 [] = { @@ -14313,7 +14313,7 @@ static const NSSItem nss_builtins_items_212 [] = { , (PRUint32)1198 } }; static const NSSItem nss_builtins_items_213 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -14334,9 +14334,9 @@ static const NSSItem nss_builtins_items_213 [] = { , (PRUint32)120 }, { (void *)"\002\016\112\107\000\001\000\002\345\240\135\326\077\000\121\277" , (PRUint32)16 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_214 [] = { @@ -14433,7 +14433,7 @@ static const NSSItem nss_builtins_items_214 [] = { , (PRUint32)993 } }; static const NSSItem nss_builtins_items_215 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -14454,9 +14454,9 @@ static const NSSItem nss_builtins_items_215 [] = { , (PRUint32)123 }, { (void *)"\002\016\035\242\000\001\000\002\354\267\140\200\170\215\266\006" , (PRUint32)16 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_216 [] = { 
@@ -14549,7 +14549,7 @@ static const NSSItem nss_builtins_items_216 [] = { , (PRUint32)931 } }; static const NSSItem nss_builtins_items_217 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -14570,9 +14570,9 @@ static const NSSItem nss_builtins_items_217 [] = { , (PRUint32)115 }, { (void *)"\002\001\046" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_218 [] = { @@ -14657,7 +14657,7 @@ static const NSSItem nss_builtins_items_218 [] = { , (PRUint32)919 } }; static const NSSItem nss_builtins_items_219 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -14675,9 +14675,9 @@ static const NSSItem nss_builtins_items_219 [] = { { (void *)"\002\020\024\023\226\203\024\125\214\352\173\143\345\374\064\207" "\167\104" , (PRUint32)18 }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_220 [] = { @@ -14763,7 +14763,7 @@ static const NSSItem nss_builtins_items_220 [] = { , (PRUint32)943 } }; static const NSSItem nss_builtins_items_221 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -14781,9 +14781,9 @@ static const NSSItem nss_builtins_items_221 [] = { { (void *)"\002\021\000\307\050\107\011\263\270\154\105\214\035\372\044\365" "\066\116\351" , (PRUint32)19 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_222 [] = { 
@@ -14868,7 +14868,7 @@ static const NSSItem nss_builtins_items_222 [] = { , (PRUint32)933 } }; static const NSSItem nss_builtins_items_223 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -14885,9 +14885,9 @@ static const NSSItem nss_builtins_items_223 [] = { , (PRUint32)61 }, { (void *)"\002\013\004\000\000\000\000\001\017\205\252\055\110" , (PRUint32)13 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_224 [] = { @@ -15010,7 +15010,7 @@ static const NSSItem nss_builtins_items_224 [] = { , (PRUint32)1460 } }; static const NSSItem nss_builtins_items_225 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -15030,9 +15030,9 @@ static const NSSItem nss_builtins_items_225 [] = { { (void *)"\002\020\025\310\275\145\107\134\257\270\227\000\136\344\006\322" "\274\235" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_226 [] = { @@ -15170,7 +15170,7 @@ static const NSSItem nss_builtins_items_226 [] = { , (PRUint32)1307 } }; static const NSSItem nss_builtins_items_227 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -15202,9 +15202,9 @@ static const NSSItem nss_builtins_items_227 [] = { , (PRUint32)303 }, { (void *)"\002\001\021" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_228 [] = { 
@@ -15286,7 +15286,7 @@ static const NSSItem nss_builtins_items_228 [] = { , (PRUint32)855 } }; static const NSSItem nss_builtins_items_229 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -15304,9 +15304,9 @@ static const NSSItem nss_builtins_items_229 [] = { , (PRUint32)77 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_230 [] = { @@ -15388,7 +15388,7 @@ static const NSSItem nss_builtins_items_230 [] = { , (PRUint32)855 } }; static const NSSItem nss_builtins_items_231 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -15406,9 +15406,9 @@ static const NSSItem nss_builtins_items_231 [] = { , (PRUint32)77 }, { (void *)"\002\001\002" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_232 [] = { @@ -15539,7 +15539,7 @@ static const NSSItem nss_builtins_items_232 [] = { , (PRUint32)1515 } }; static const NSSItem nss_builtins_items_233 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -15561,9 +15561,9 @@ static const NSSItem nss_builtins_items_233 [] = { , (PRUint32)131 }, { (void *)"\002\010\114\257\163\102\034\216\164\002" , (PRUint32)10 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_234 [] = { 
@@ -15641,7 +15641,7 @@ static const NSSItem nss_builtins_items_234 [] = { , (PRUint32)828 } }; static const NSSItem nss_builtins_items_235 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -15658,9 +15658,9 @@ static const NSSItem nss_builtins_items_235 [] = { , (PRUint32)61 }, { (void *)"\002\006\040\006\005\026\160\002" , (PRUint32)8 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_236 [] = { @@ -15740,7 +15740,7 @@ static const NSSItem nss_builtins_items_236 [] = { , (PRUint32)857 } }; static const NSSItem nss_builtins_items_237 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -15757,9 +15757,9 @@ static const NSSItem nss_builtins_items_237 [] = { , (PRUint32)52 }, { (void *)"\002\004\111\063\000\001" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_238 [] = { @@ -15846,7 +15846,7 @@ static const NSSItem nss_builtins_items_238 [] = { , (PRUint32)932 } }; static const NSSItem nss_builtins_items_239 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -15864,9 +15864,9 @@ static const NSSItem nss_builtins_items_239 [] = { , (PRUint32)69 }, { (void *)"\002\001\061" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_240 [] = { 
@@ -15970,7 +15970,7 @@ static const NSSItem nss_builtins_items_240 [] = { , (PRUint32)1026 } }; static const NSSItem nss_builtins_items_241 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -15994,9 +15994,9 @@ static const NSSItem nss_builtins_items_241 [] = { { (void *)"\002\020\025\254\156\224\031\262\171\113\101\366\047\251\303\030" "\017\037" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_242 [] = { @@ -16074,7 +16074,7 @@ static const NSSItem nss_builtins_items_242 [] = { , (PRUint32)652 } }; static const NSSItem nss_builtins_items_243 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -16097,9 +16097,9 @@ static const NSSItem nss_builtins_items_243 [] = { { (void *)"\002\020\065\374\046\134\331\204\117\311\075\046\075\127\233\256" "\327\126" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_244 [] = { @@ -16209,7 +16209,7 @@ static const NSSItem nss_builtins_items_244 [] = { , (PRUint32)1070 } }; static const NSSItem nss_builtins_items_245 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -16235,9 +16235,9 @@ static const NSSItem nss_builtins_items_245 [] = { { (void *)"\002\020\140\001\227\267\106\247\352\264\264\232\326\113\057\367" "\220\373" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_246 [] = { 
@@ -16320,7 +16320,7 @@ static const NSSItem nss_builtins_items_246 [] = { , (PRUint32)690 } }; static const NSSItem nss_builtins_items_247 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -16344,9 +16344,9 @@ static const NSSItem nss_builtins_items_247 [] = { { (void *)"\002\020\074\262\364\110\012\000\342\376\353\044\073\136\140\076" "\303\153" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_248 [] = { @@ -16465,7 +16465,7 @@ static const NSSItem nss_builtins_items_248 [] = { , (PRUint32)1213 } }; static const NSSItem nss_builtins_items_249 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -16491,9 +16491,9 @@ static const NSSItem nss_builtins_items_249 [] = { { (void *)"\002\020\100\032\304\144\041\263\023\041\003\016\273\344\022\032" "\305\035" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_250 [] = { @@ -16595,7 +16595,7 @@ static const NSSItem nss_builtins_items_250 [] = { , (PRUint32)904 } }; static const NSSItem nss_builtins_items_251 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -16622,9 +16622,9 @@ static const NSSItem nss_builtins_items_251 [] = { { (void *)"\002\020\057\200\376\043\214\016\042\017\110\147\022\050\221\207" "\254\263" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_252 [] = { 
@@ -16730,7 +16730,7 @@ static const NSSItem nss_builtins_items_252 [] = { , (PRUint32)1049 } }; static const NSSItem nss_builtins_items_253 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -16754,9 +16754,9 @@ static const NSSItem nss_builtins_items_253 [] = { , (PRUint32)170 }, { (void *)"\002\006\111\101\054\344\000\020" , (PRUint32)8 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_254 [] = { @@ -16879,7 +16879,7 @@ static const NSSItem nss_builtins_items_254 [] = { , (PRUint32)1486 } }; static const NSSItem nss_builtins_items_255 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -16898,9 +16898,9 @@ static const NSSItem nss_builtins_items_255 [] = { , (PRUint32)92 }, { (void *)"\002\004\000\230\226\214" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_256 [] = { @@ -16994,7 +16994,7 @@ static const NSSItem nss_builtins_items_256 [] = { , (PRUint32)1043 } }; static const NSSItem nss_builtins_items_257 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -17012,9 +17012,9 @@ static const NSSItem nss_builtins_items_257 [] = { , (PRUint32)76 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_258 [] = { 
@@ -17123,7 +17123,7 @@ static const NSSItem nss_builtins_items_258 [] = { , (PRUint32)1258 } }; static const NSSItem nss_builtins_items_259 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -17142,9 +17142,9 @@ static const NSSItem nss_builtins_items_259 [] = { , (PRUint32)95 }, { (void *)"\002\004\073\216\113\374" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_260 [] = { @@ -17224,7 +17224,7 @@ static const NSSItem nss_builtins_items_260 [] = { , (PRUint32)820 } }; static const NSSItem nss_builtins_items_261 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -17242,9 +17242,9 @@ static const NSSItem nss_builtins_items_261 [] = { , (PRUint32)73 }, { (void *)"\002\002\003\350" , (PRUint32)4 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_262 [] = { @@ -17330,7 +17330,7 @@ static const NSSItem nss_builtins_items_262 [] = { , (PRUint32)881 } }; static const NSSItem nss_builtins_items_263 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -17349,9 +17349,9 @@ static const NSSItem nss_builtins_items_263 [] = { , (PRUint32)90 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_264 [] = { 
@@ -17471,7 +17471,7 @@ static const NSSItem nss_builtins_items_264 [] = { , (PRUint32)1465 } }; static const NSSItem nss_builtins_items_265 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -17489,9 +17489,9 @@ static const NSSItem nss_builtins_items_265 [] = { , (PRUint32)70 }, { (void *)"\002\010\141\215\307\206\073\001\202\005" , (PRUint32)10 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_266 [] = { @@ -17560,7 +17560,7 @@ static const NSSItem nss_builtins_items_266 [] = { , (PRUint32)576 } }; static const NSSItem nss_builtins_items_267 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -17581,9 +17581,9 @@ static const NSSItem nss_builtins_items_267 [] = { { (void *)"\002\020\077\151\036\201\234\360\232\112\363\163\377\271\110\242" "\344\335" , (PRUint32)18 }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_268 [] = { @@ -17652,7 +17652,7 @@ static const NSSItem nss_builtins_items_268 [] = { , (PRUint32)576 } }; static const NSSItem nss_builtins_items_269 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -17673,9 +17673,9 @@ static const NSSItem nss_builtins_items_269 [] = { { (void *)"\002\020\074\221\061\313\037\366\320\033\016\232\270\320\104\277" "\022\276" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_270 [] = { 
@@ -17776,7 +17776,7 @@ static const NSSItem nss_builtins_items_270 [] = { , (PRUint32)1038 } }; static const NSSItem nss_builtins_items_271 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -17798,9 +17798,9 @@ static const NSSItem nss_builtins_items_271 [] = { , (PRUint32)133 }, { (void *)"\002\011\000\302\176\103\004\116\107\077\031" , (PRUint32)11 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_272 [] = { @@ -17895,7 +17895,7 @@ static const NSSItem nss_builtins_items_272 [] = { , (PRUint32)954 } }; static const NSSItem nss_builtins_items_273 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -17917,9 +17917,9 @@ static const NSSItem nss_builtins_items_273 [] = { { (void *)"\002\020\104\231\215\074\300\003\047\275\234\166\225\271\352\333" "\254\265" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_274 [] = { @@ -18002,7 +18002,7 @@ static const NSSItem nss_builtins_items_274 [] = { , (PRUint32)867 } }; static const NSSItem nss_builtins_items_275 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -18020,9 +18020,9 @@ static const NSSItem nss_builtins_items_275 [] = { , (PRUint32)78 }, { (void *)"\002\013\004\000\000\000\000\001\041\130\123\010\242" , (PRUint32)13 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_276 [] = { 
@@ -18119,7 +18119,7 @@ static const NSSItem nss_builtins_items_276 [] = { , (PRUint32)997 } }; static const NSSItem nss_builtins_items_277 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -18140,9 +18140,9 @@ static const NSSItem nss_builtins_items_277 [] = { , (PRUint32)125 }, { (void *)"\002\016\143\045\000\001\000\002\024\215\063\025\002\344\154\364" , (PRUint32)16 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_278 [] = { @@ -18270,7 +18270,7 @@ static const NSSItem nss_builtins_items_278 [] = { , (PRUint32)1560 } }; static const NSSItem nss_builtins_items_279 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -18289,9 +18289,9 @@ static const NSSItem nss_builtins_items_279 [] = { , (PRUint32)83 }, { (void *)"\002\010\123\354\073\356\373\262\110\137" , (PRUint32)10 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_280 [] = { @@ -18414,7 +18414,7 @@ static const NSSItem nss_builtins_items_280 [] = { , (PRUint32)1525 } }; static const NSSItem nss_builtins_items_281 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -18432,9 +18432,9 @@ static const NSSItem nss_builtins_items_281 [] = { { (void *)"\002\020\000\260\267\132\026\110\137\277\341\313\365\213\327\031" "\346\175" , (PRUint32)18 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_282 [] = { 
@@ -18594,7 +18594,7 @@ static const NSSItem nss_builtins_items_282 [] = { , (PRUint32)1875 } }; static const NSSItem nss_builtins_items_283 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -18619,9 +18619,9 @@ static const NSSItem nss_builtins_items_283 [] = { , (PRUint32)177 }, { (void *)"\002\011\000\243\332\102\176\244\261\256\332" , (PRUint32)11 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_284 [] = { @@ -18778,7 +18778,7 @@ static const NSSItem nss_builtins_items_284 [] = { , (PRUint32)1869 } }; static const NSSItem nss_builtins_items_285 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -18802,9 +18802,9 @@ static const NSSItem nss_builtins_items_285 [] = { , (PRUint32)175 }, { (void *)"\002\011\000\311\315\323\351\325\175\043\316" , (PRUint32)11 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_286 [] = { @@ -18944,7 +18944,7 @@ static const NSSItem nss_builtins_items_286 [] = { , (PRUint32)1532 } }; static const NSSItem nss_builtins_items_287 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -18968,9 +18968,9 @@ static const NSSItem nss_builtins_items_287 [] = { { (void *)"\002\021\000\222\071\325\064\217\100\321\151\132\164\124\160\341" "\362\077\103" , (PRUint32)19 }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_288 [] = { 
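Review bot: The last hunk on this line (`nss_builtins_items_287`) is not the one-for-one `netscape` to `nss` rename seen in the earlier hunks: all three `CK_TRUST` slots go from `ckt_netscape_valid` to `ckt_nss_not_trusted`, and nothing here says whether the stored value changes or only its label. The same substitution repeats in the odd-numbered items 289 through 305. These slots decide how a built-in certificate is treated, so I would record the intent beside the data, for example `/* explicitly distrusted for all three usages; labelled "valid" before this upgrade */`, or in the file this table is produced from if it is generated. The array begins in the preceding hunk and the certificate's name is not visible there, so the entry should be checked against its certdata.txt record before merging.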
@@ -19125,7 +19125,7 @@ static const NSSItem nss_builtins_items_288 [] = { , (PRUint32)1761 } }; static const NSSItem nss_builtins_items_289 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -19149,9 +19149,9 @@ static const NSSItem nss_builtins_items_289 [] = { { (void *)"\002\021\000\330\363\137\116\267\207\053\055\253\006\222\343\025" "\070\057\260" , (PRUint32)19 }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_290 [] = { @@ -19291,7 +19291,7 @@ static const NSSItem nss_builtins_items_290 [] = { , (PRUint32)1522 } }; static const NSSItem nss_builtins_items_291 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -19315,9 +19315,9 @@ static const NSSItem nss_builtins_items_291 [] = { { (void *)"\002\020\004\176\313\351\374\245\137\173\320\236\256\066\341\014" "\256\036" , (PRUint32)18 }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_292 [] = { @@ -19456,7 +19456,7 @@ static const NSSItem nss_builtins_items_292 [] = { , (PRUint32)1512 } }; static const NSSItem nss_builtins_items_293 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -19480,9 +19480,9 @@ static const NSSItem nss_builtins_items_293 [] = { { (void *)"\002\021\000\365\310\152\363\141\142\361\072\144\365\117\155\311" "\130\174\006" , (PRUint32)19 }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_294 [] = { 
@@ -19622,7 +19622,7 @@ static const NSSItem nss_builtins_items_294 [] = { , (PRUint32)1523 } }; static const NSSItem nss_builtins_items_295 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -19646,9 +19646,9 @@ static const NSSItem nss_builtins_items_295 [] = { { (void *)"\002\021\000\351\002\213\225\170\344\025\334\032\161\012\053\210" "\025\104\107" , (PRUint32)19 }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_296 [] = { @@ -19788,7 +19788,7 @@ static const NSSItem nss_builtins_items_296 [] = { , (PRUint32)1523 } }; static const NSSItem nss_builtins_items_297 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -19812,9 +19812,9 @@ static const NSSItem nss_builtins_items_297 [] = { { (void *)"\002\021\000\327\125\217\332\365\361\020\133\262\023\050\053\160" "\167\051\243" , (PRUint32)19 }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_298 [] = { @@ -19952,7 +19952,7 @@ static const NSSItem nss_builtins_items_298 [] = { , (PRUint32)1501 } }; static const NSSItem nss_builtins_items_299 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -19976,9 +19976,9 @@ static const NSSItem nss_builtins_items_299 [] = { { (void *)"\002\020\071\052\103\117\016\007\337\037\212\243\005\336\064\340" "\302\051" , (PRUint32)18 }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_300 [] = { 
@@ -20116,7 +20116,7 @@ static const NSSItem nss_builtins_items_300 [] = { , (PRUint32)1501 } }; static const NSSItem nss_builtins_items_301 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -20140,9 +20140,9 @@ static const NSSItem nss_builtins_items_301 [] = { { (void *)"\002\020\076\165\316\324\153\151\060\041\041\210\060\256\206\250" "\052\161" , (PRUint32)18 }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_302 [] = { @@ -20281,7 +20281,7 @@ static const NSSItem nss_builtins_items_302 [] = { , (PRUint32)1520 } }; static const NSSItem nss_builtins_items_303 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -20305,9 +20305,9 @@ static const NSSItem nss_builtins_items_303 [] = { { (void *)"\002\021\000\260\267\023\076\320\226\371\265\157\256\221\310\164" "\275\072\300" , (PRUint32)19 }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_304 [] = { @@ -20439,7 +20439,7 @@ static const NSSItem nss_builtins_items_304 [] = { , (PRUint32)1392 } }; static const NSSItem nss_builtins_items_305 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -20463,9 +20463,9 @@ static const NSSItem nss_builtins_items_305 [] = { { (void *)"\002\020\162\003\041\005\305\014\010\127\075\216\245\060\116\376" "\350\260" , (PRUint32)18 }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_306 [] = { 
@@ -20562,7 +20562,7 @@ static const NSSItem nss_builtins_items_306 [] = { , (PRUint32)969 } }; static const NSSItem nss_builtins_items_307 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -20584,9 +20584,9 @@ static const NSSItem nss_builtins_items_307 [] = { , (PRUint32)134 }, { (void *)"\002\001\000" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_308 [] = { @@ -20687,7 +20687,7 @@ static const NSSItem nss_builtins_items_308 [] = { , (PRUint32)993 } }; static const NSSItem nss_builtins_items_309 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -20710,9 +20710,9 @@ static const NSSItem nss_builtins_items_309 [] = { , (PRUint32)146 }, { (void *)"\002\001\000" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_310 [] = { @@ -20814,7 +20814,7 @@ static const NSSItem nss_builtins_items_310 [] = { , (PRUint32)1011 } }; static const NSSItem nss_builtins_items_311 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -20837,9 +20837,9 @@ static const NSSItem nss_builtins_items_311 [] = { , (PRUint32)155 }, { (void *)"\002\001\000" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_312 [] = { 
@@ -20920,7 +20920,7 @@ static const NSSItem nss_builtins_items_312 [] = { , (PRUint32)848 } }; static const NSSItem nss_builtins_items_313 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -20938,9 +20938,9 @@ static const NSSItem nss_builtins_items_313 [] = { , (PRUint32)70 }, { (void *)"\002\010\167\167\006\047\046\251\261\174" , (PRUint32)10 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_314 [] = { @@ -21021,7 +21021,7 @@ static const NSSItem nss_builtins_items_314 [] = { , (PRUint32)848 } }; static const NSSItem nss_builtins_items_315 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -21039,9 +21039,9 @@ static const NSSItem nss_builtins_items_315 [] = { , (PRUint32)70 }, { (void *)"\002\010\174\117\004\071\034\324\231\055" , (PRUint32)10 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_316 [] = { @@ -21154,7 +21154,7 @@ static const NSSItem nss_builtins_items_316 [] = { , (PRUint32)1354 } }; static const NSSItem nss_builtins_items_317 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -21172,9 +21172,9 @@ static const NSSItem nss_builtins_items_317 [] = { , (PRUint32)67 }, { (void *)"\002\010\155\214\024\106\261\246\012\356" , (PRUint32)10 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_318 [] = { 
@@ -21235,7 +21235,7 @@ static const NSSItem nss_builtins_items_318 [] = { , (PRUint32)514 } }; static const NSSItem nss_builtins_items_319 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -21253,9 +21253,9 @@ static const NSSItem nss_builtins_items_319 [] = { , (PRUint32)71 }, { (void *)"\002\010\164\227\045\212\307\077\172\124" , (PRUint32)10 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_320 [] = { @@ -21349,7 +21349,7 @@ static const NSSItem nss_builtins_items_320 [] = { , (PRUint32)959 } }; static const NSSItem nss_builtins_items_321 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -21370,9 +21370,9 @@ static const NSSItem nss_builtins_items_321 [] = { , (PRUint32)128 }, { (void *)"\002\003\004\104\300" , (PRUint32)5 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_322 [] = { @@ -21494,7 +21494,7 @@ static const NSSItem nss_builtins_items_322 [] = { , (PRUint32)1440 } }; static const NSSItem nss_builtins_items_323 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -21514,9 +21514,9 @@ static const NSSItem nss_builtins_items_323 [] = { , (PRUint32)101 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_must_verify_trust, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_must_verify_trust, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_324 [] = { 
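Review bot: In the last hunk on this line (`nss_builtins_items_323`) the second and third `CK_TRUST` slots change from `ckt_netscape_trust_unknown` to `ckt_nss_must_verify_trust`, whereas the same old name becomes `ckt_nss_trust_unknown` in items 313 through 319, so this is a per-certificate trust change carried alongside the rename rather than part of it. Items 327 (second and third slot) and 329 (third slot) do the same. Going by the attribute order shown in the certdata.txt hunks, these are presumably the e-mail and code-signing usages, but that mapping is not stated in this file. I would mark the deliberate change where it is made, for example `/* trust for this usage set to must-verify on purpose, not by the rename */`, so that a later regeneration or diff review does not take it for a rename artefact. The array begins in the preceding hunk.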
@@ -21653,7 +21653,7 @@ static const NSSItem nss_builtins_items_324 [] = { , (PRUint32)1679 } }; static const NSSItem nss_builtins_items_325 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -21673,9 +21673,9 @@ static const NSSItem nss_builtins_items_325 [] = { , (PRUint32)106 }, { (void *)"\002\004\073\105\345\150" , (PRUint32)6 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_326 [] = { @@ -21773,7 +21773,7 @@ static const NSSItem nss_builtins_items_326 [] = { , (PRUint32)979 } }; static const NSSItem nss_builtins_items_327 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -21795,9 +21795,9 @@ static const NSSItem nss_builtins_items_327 [] = { , (PRUint32)144 }, { (void *)"\002\003\001\154\036" , (PRUint32)5 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_must_verify_trust, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_must_verify_trust, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; static const NSSItem nss_builtins_items_328 [] = { @@ -21885,7 +21885,7 @@ static const NSSItem nss_builtins_items_328 [] = { , (PRUint32)895 } }; static const NSSItem nss_builtins_items_329 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -21905,9 +21905,9 @@ static const NSSItem nss_builtins_items_329 [] = { , (PRUint32)97 }, { (void *)"\002\001\001" , (PRUint32)3 }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_nss_must_verify_trust, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt index 2d9fef59c70..4cd6b243f0e 100644 --- a/security/nss/lib/ckfw/builtins/certdata.txt +++ b/security/nss/lib/ckfw/builtins/certdata.txt 
@@ -34,7 +34,7 @@ # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** -CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.64.2.10 $ $Date: 2011/08/01 06:40:04 $" +CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.75 $ $Date: 2011/08/01 06:33:47 $" # # certdata.txt @@ -58,7 +58,7 @@ CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.64.2.10 $ $Date: 2011/08/01 # CKA_ISSUER DER+base64 (varies) # CKA_SERIAL_NUMBER DER+base64 (varies) # CKA_VALUE DER+base64 (varies) -# CKA_NETSCAPE_EMAIL ASCII7 (unused here) +# CKA_NSS_EMAIL ASCII7 (unused here) # # Trust # @@ -96,7 +96,7 @@ CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.64.2.10 $ $Date: 2011/08/01 # have to go looking for others. # BEGINDATA -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -177,7 +177,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "GTE CyberTrust Global Root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -202,9 +202,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\002\001\245 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # 
@@ -304,7 +304,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Thawte Server CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -334,9 +334,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -439,7 +439,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Thawte Premium Server CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -470,9 +470,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -557,7 +557,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Equifax Secure CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -579,9 +579,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\065\336\364\317 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -666,7 +666,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Digital Signature Trust Co. Global CA 1" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -688,9 +688,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\066\160\025\226 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -775,7 +775,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Digital Signature Trust Co. Global CA 3" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -797,9 +797,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\066\156\323\316 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -875,7 +875,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -900,9 +900,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\021\000\315\272\177\126\360\337\344\274\124\376\042\254\263 \162\252\125 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -977,7 +977,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -1002,9 +1002,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\055\033\374\112\027\215\243\221\353\347\377\365\213\105 \276\013 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -1079,7 +1079,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -1104,9 +1104,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314 \272\277 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -1206,7 +1206,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -1237,9 +1237,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\114\307\352\252\230\076\161\323\223\020\370\075\072\211 \221\222 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -1339,7 +1339,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -1370,9 +1370,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\021\000\271\057\140\314\210\237\241\172\106\011\270\133\160 \154\212\257 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -1472,7 +1472,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -1503,9 +1503,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\175\331\376\007\317\250\036\267\020\171\147\373\247\211 \064\306 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -1605,7 +1605,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Verisign Class 4 Public Primary Certification Authority - G2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -1636,9 +1636,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\062\210\216\232\322\365\353\023\107\370\177\304\040\067 \045\370 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -1730,7 +1730,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "GlobalSign Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -1753,9 +1753,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\013\004\000\000\000\000\001\025\113\132\303\224 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -1849,7 +1849,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "GlobalSign Root CA - R2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -1871,9 +1871,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\013\004\000\000\000\000\001\017\206\046\346\015 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -1968,7 +1968,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "ValiCert Class 1 VA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -1997,9 +1997,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -2094,7 +2094,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "ValiCert Class 2 VA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -2123,9 +2123,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -2220,7 +2220,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "RSA Root Certificate 1" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -2249,9 +2249,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -2368,7 +2368,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G3" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -2399,9 +2399,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\021\000\213\133\165\126\204\124\205\013\000\317\257\070\110 \316\261\244 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -2518,7 +2518,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G3" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -2549,9 +2549,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\141\160\313\111\214\137\230\105\051\347\260\246\331\120 \133\172 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -2668,7 +2668,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G3" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -2699,9 +2699,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\021\000\233\176\006\111\243\076\142\271\325\356\220\110\161 \051\357\127 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -2818,7 +2818,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Verisign Class 4 Public Primary Certification Authority - G3" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -2849,9 +2849,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\021\000\354\240\247\213\156\165\152\001\317\304\174\314\057 \224\136\327 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -2979,7 +2979,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Entrust.net Secure Server CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -3009,9 +3009,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\067\112\322\103 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -3129,7 +3129,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Entrust.net Premium 2048 Secure Server CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -3158,9 +3158,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\070\143\271\146 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -3252,7 +3252,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Baltimore CyberTrust Root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -3275,9 +3275,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\002\000\000\271 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -3355,7 +3355,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Equifax Secure Global eBusiness CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -3378,9 +3378,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -3457,7 +3457,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Equifax Secure eBusiness CA 1" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -3480,9 +3480,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\004 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -3567,7 +3567,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Equifax Secure eBusiness CA 2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -3589,9 +3589,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\067\160\317\265 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -3695,7 +3695,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "AddTrust Low-Value Services Root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -3719,9 +3719,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -3829,7 +3829,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "AddTrust External Root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -3854,9 +3854,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -3960,7 +3960,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "AddTrust Public Services Root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -3984,9 +3984,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -4091,7 +4091,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "AddTrust Qualified Certificates Root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -4115,9 +4115,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -4239,7 +4239,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Entrust Root Certification Authority" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -4268,9 +4268,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\105\153\120\124 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -4358,7 +4358,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "RSA Security 2048 v3" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -4380,9 +4380,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\012\001\001\001\000\000\002\174\000\000\000\012\000\000 \000\002 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -4470,7 +4470,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "GeoTrust Global CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -4492,9 +4492,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\003\002\064\126 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -4583,7 +4583,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "GeoTrust Global CA 2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -4605,9 +4605,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -4728,7 +4728,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "GeoTrust Universal CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -4750,9 +4750,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -4873,7 +4873,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "GeoTrust Universal CA 2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -4895,9 +4895,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -5015,7 +5015,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "UTN-USER First-Network Applications" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -5044,9 +5044,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\104\276\014\213\120\000\044\264\021\323\066\060\113\300 \063\167 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -5143,7 +5143,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "America Online Root Certification Authority 1" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -5167,9 +5167,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -5298,7 +5298,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "America Online Root Certification Authority 2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -5322,9 +5322,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -5422,7 +5422,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Visa eCommerce Root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -5447,9 +5447,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220 \034\142 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -5551,7 +5551,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "TC TrustCenter, Germany, Class 2 CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -5580,9 +5580,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\002\003\352 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -5684,7 +5684,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "TC TrustCenter, Germany, Class 3 CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -5713,9 +5713,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\002\003\353 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -5796,7 +5796,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Certum Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -5817,9 +5817,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\003\001\000\040 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -5927,7 +5927,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Comodo AAA Services root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -5952,9 +5952,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -6063,7 +6063,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Comodo Secure Services root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -6088,9 +6088,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -6201,7 +6201,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Comodo Trusted Services root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -6227,9 +6227,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -6365,7 +6365,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "QuoVadis Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -6391,9 +6391,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\072\266\120\213 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -6519,7 +6519,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "QuoVadis Root CA 2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -6541,9 +6541,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\002\005\011 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -6684,7 +6684,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "QuoVadis Root CA 3" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -6706,9 +6706,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\002\005\306 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -6798,7 +6798,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Security Communication Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -6821,9 +6821,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\000 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -6906,7 +6906,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Sonera Class 1 Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -6927,9 +6927,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\044 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -7012,7 +7012,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Sonera Class 2 Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -7033,9 +7033,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\035 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -7131,7 +7131,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Staat der Nederlanden Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -7154,9 +7154,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\000\230\226\212 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -7257,7 +7257,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "TDC Internet Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -7279,9 +7279,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\072\314\245\114 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -7395,7 +7395,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "TDC OCES Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -7416,9 +7416,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\076\110\275\304 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -7534,7 +7534,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "UTN DATACorp SGC Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -7562,9 +7562,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\104\276\014\213\120\000\041\264\021\323\052\150\006\251 \255\151 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -7688,7 +7688,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "UTN USERFirst Email Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -7718,9 +7718,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\104\276\014\213\120\000\044\264\021\323\066\045\045\147 \311\211 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -7837,7 +7837,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "UTN USERFirst Hardware Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -7865,9 +7865,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\104\276\014\213\120\000\044\264\021\323\066\052\376\145 \012\375 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -7983,7 +7983,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "UTN USERFirst Object Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -8011,9 +8011,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\104\276\014\213\120\000\044\264\021\323\066\055\340\263 \137\033 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -8132,7 +8132,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Camerfirma Chambers of Commerce Root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -8158,9 +8158,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\000 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -8277,7 +8277,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Camerfirma Global Chambersign Root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -8302,9 +8302,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\000 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -8464,7 +8464,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "NetLock Qualified (Class QA) Root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -8494,9 +8494,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\173 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -8649,7 +8649,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "NetLock Notary (Class A) Root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -8678,9 +8678,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\002\001\003 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -8809,7 +8809,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "NetLock Business (Class B) Root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -8836,9 +8836,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\151 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -8968,7 +8968,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "NetLock Express (Class C) Root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -8995,9 +8995,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\150 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -9108,7 +9108,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "XRamp Global CA Root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -9135,9 +9135,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\120\224\154\354\030\352\325\234\115\325\227\357\165\217 \240\255 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -9240,7 +9240,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Go Daddy Class 2 CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -9264,9 +9264,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\000 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -9370,7 +9370,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Starfield Class 2 CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -9394,9 +9394,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\000 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -9561,7 +9561,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "StartCom Certification Authority" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -9586,9 +9586,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -9711,7 +9711,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Taiwan GRCA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -9734,9 +9734,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\037\235\131\132\327\057\302\006\104\245\200\010\151\343 \136\366 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -9850,7 +9850,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Firmaprofesional Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -9877,9 +9877,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -9984,7 +9984,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Wells Fargo Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -10010,9 +10010,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\071\344\227\236 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -10145,7 +10145,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Swisscom Root CA 1" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -10170,9 +10170,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\134\013\205\134\013\347\131\101\337\127\314\077\177\235 \250\066 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -10271,7 +10271,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "DigiCert Assured ID Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -10296,9 +10296,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\014\347\340\345\027\330\106\376\217\345\140\374\033\360 \060\071 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -10397,7 +10397,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "DigiCert Global Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -10422,9 +10422,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\010\073\340\126\220\102\106\261\241\165\152\311\131\221 \307\112 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -10524,7 +10524,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "DigiCert High Assurance EV Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -10549,9 +10549,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\002\254\134\046\152\013\100\233\217\013\171\362\256\106 \045\167 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -10642,7 +10642,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Certplus Class 2 Primary CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -10664,9 +10664,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\021\000\205\275\113\363\330\332\343\151\366\224\327\137\303 \245\104\043 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -10754,7 +10754,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "DST Root CA X3" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -10777,9 +10777,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\104\257\260\200\326\243\047\272\211\060\071\206\056\370 \100\153 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -10881,7 +10881,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "DST ACES CA X6" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -10905,9 +10905,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\015\136\231\012\326\235\267\170\354\330\007\126\073\206 \025\331 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -11019,7 +11019,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "TURKTRUST Certificate Services Provider Root 1" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -11048,9 +11048,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -11168,7 +11168,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "TURKTRUST Certificate Services Provider Root 2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -11198,9 +11198,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -11327,7 +11327,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "SwissSign Platinum CA - G2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -11349,9 +11349,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\010\116\262\000\147\014\003\135\117 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -11477,7 +11477,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "SwissSign Gold CA - G2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -11499,9 +11499,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\011\000\273\100\034\103\365\136\117\260 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -11628,7 +11628,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "SwissSign Silver CA - G2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -11650,9 +11650,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\010\117\033\324\057\124\273\057\113 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -11745,7 +11745,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "GeoTrust Primary Certification Authority" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -11769,9 +11769,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\030\254\265\152\375\151\266\025\072\143\154\257\332\372 \304\241 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -11885,7 +11885,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "thawte Primary Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -11914,9 +11914,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\064\116\325\127\040\325\355\354\111\364\057\316\067\333 \053\155 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -12045,7 +12045,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G5" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -12076,9 +12076,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\030\332\321\236\046\175\350\273\112\041\130\315\314\153 \073\112 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -12173,7 +12173,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "SecureTrust CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -12196,9 +12196,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\014\360\216\134\010\026\245\255\102\177\360\353\047\030 \131\320 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -12293,7 +12293,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Secure Global CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -12316,9 +12316,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\007\126\042\244\350\324\212\211\115\364\023\310\360\370 \352\245 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -12428,7 +12428,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "COMODO Certification Authority" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -12455,9 +12455,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\116\201\055\212\202\145\340\013\002\356\076\065\002\106 \345\075 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -12585,7 +12585,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "DigiNotar Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -12610,9 +12610,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\014\166\332\234\221\014\116\054\236\376\025\320\130\223 \074\114 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -12714,7 +12714,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Network Solutions Certificate Authority" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -12739,9 +12739,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\127\313\063\157\302\134\026\346\107\026\027\343\220\061 \150\340 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -12860,7 +12860,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "WellsSecure Public Root Certificate Authority" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -12886,9 +12886,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -12972,7 +12972,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "COMODO ECC Certification Authority" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -12999,9 +12999,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\037\107\257\252\142\000\160\120\124\114\001\236\233\143 \231\052 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -13103,7 +13103,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "MD5 Collisions Forged Rogue CA 25c3" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -13126,9 +13126,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\102 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_UNTRUSTED -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_UNTRUSTED -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_UNTRUSTED +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -13235,7 +13235,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "IGC/A" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
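Review bot: In the hunk at -13126, the trust record for "MD5 Collisions Forged Rogue CA 25c3" changes its three usages from `CKT_NETSCAPE_UNTRUSTED` to `CKT_NSS_NOT_TRUSTED`, the only replacement on this stretch that is not a like-for-like `NETSCAPE` to `NSS` prefix swap, and nothing in the file explains it. This is the one entry here that exists to block a certificate rather than to anchor trust, so I would add a comment directly above the three lines, e.g. `# Explicit distrust: forged demonstration CA, must be rejected for all usages`, so that a later bulk rename or regeneration does not quietly weaken it. The definitions of both constants are outside this diff excerpt; confirm in the header that defines the `CKT_NSS_*` values that `CKT_NSS_NOT_TRUSTED` is the explicit-distrust value and not merely a new spelling of the old one. The record's remaining attributes lie outside this hunk.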
@@ -13261,9 +13261,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\005\071\021\105\020\224 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -13358,7 +13358,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Security Communication EV RootCA1" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -13382,9 +13382,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\000 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -13491,7 +13491,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "OISTE WISeKey Global Root GA CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -13518,9 +13518,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\101\075\162\307\364\153\037\201\103\175\361\322\050\124 \337\232 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -13641,7 +13641,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "S-TRUST Authentication and Encryption Root CA 2005 PN" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -13671,9 +13671,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\067\031\030\346\123\124\174\032\265\270\313\131\132\333 \065\267 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -13837,7 +13837,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Microsec e-Szigno Root CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -13863,9 +13863,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034 \054\017\021 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -13956,7 +13956,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Certigna" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -13977,9 +13977,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\011\000\376\334\343\001\017\311\110\377 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -14123,7 +14123,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "AC Raiz Certicamara S.A." -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -14149,9 +14149,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\017\007\176\122\223\173\340\025\343\127\360\151\214\313\354 \014 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -14266,7 +14266,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "TC TrustCenter Class 2 CA II" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -14291,9 +14291,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\016\056\152\000\001\000\002\037\327\122\041\054\021\134\073 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -14408,7 +14408,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "TC TrustCenter Class 3 CA II" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -14433,9 +14433,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\016\112\107\000\001\000\002\345\240\135\326\077\000\121\277 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -14538,7 +14538,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "TC TrustCenter Universal CA I" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -14563,9 +14563,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\016\035\242\000\001\000\002\354\267\140\200\170\215\266\006 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -14664,7 +14664,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Deutsche Telekom Root CA 2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -14689,9 +14689,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\046 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -14782,7 +14782,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "ComSign CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -14804,9 +14804,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\024\023\226\203\024\125\214\352\173\143\345\374\064\207 \167\104 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -14898,7 +14898,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "ComSign Secured CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -14920,9 +14920,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\021\000\307\050\107\011\263\270\154\105\214\035\372\044\365 \066\116\351 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -15013,7 +15013,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Cybertrust Global Root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -15034,9 +15034,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\013\004\000\000\000\000\001\017\205\252\055\110 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -15165,7 +15165,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "ePKI Root Certification Authority" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -15189,9 +15189,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\025\310\275\145\107\134\257\270\227\000\136\344\006\322 \274\235 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -15335,7 +15335,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -15371,9 +15371,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\021 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -15461,7 +15461,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Buypass Class 2 CA 1" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -15483,9 +15483,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -15573,7 +15573,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Buypass Class 3 CA 1" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -15595,9 +15595,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\002 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -15734,7 +15734,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "EBG Elektronik Sertifika Hizmet Saglayicisi" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -15760,9 +15760,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\010\114\257\163\102\034\216\164\002 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -15846,7 +15846,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "certSIGN ROOT CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -15867,9 +15867,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\006\040\006\005\026\160\002 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -15955,7 +15955,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "CNNIC ROOT" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -15976,9 +15976,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\111\063\000\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -16071,7 +16071,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "ApplicationCA - Japanese Government" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -16093,9 +16093,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\061 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -16205,7 +16205,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "GeoTrust Primary Certification Authority - G3" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -16233,9 +16233,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\025\254\156\224\031\262\171\113\101\366\047\251\303\030 \017\037 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -16319,7 +16319,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "thawte Primary Root CA - G2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -16346,9 +16346,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\065\374\046\134\331\204\117\311\075\046\075\127\233\256 \327\126 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -16464,7 +16464,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "thawte Primary Root CA - G3" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -16494,9 +16494,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\140\001\227\267\106\247\352\264\264\232\326\113\057\367 \220\373 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -16585,7 +16585,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "GeoTrust Primary Certification Authority - G2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -16613,9 +16613,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\074\262\364\110\012\000\342\376\353\044\073\136\140\076 \303\153 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -16740,7 +16740,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "VeriSign Universal Root Certification Authority" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -16770,9 +16770,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\100\032\304\144\041\263\023\041\003\016\273\344\022\032 \305\035 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -16880,7 +16880,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -16911,9 +16911,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\057\200\376\043\214\016\042\017\110\147\022\050\221\207 \254\263 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -17025,7 +17025,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "NetLock Arany (Class Gold) FÅ‘tanúsítvány" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -17053,9 +17053,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\006\111\101\054\344\000\020 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -17184,7 +17184,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Staat der Nederlanden Root CA - G2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -17207,9 +17207,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\000\230\226\214 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -17309,7 +17309,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "CA Disig" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -17331,9 +17331,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -17448,7 +17448,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Juur-SK" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -17471,9 +17471,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\073\216\113\374 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -17559,7 +17559,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Hongkong Post Root CA 1" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -17581,9 +17581,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\002\003\350 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -17675,7 +17675,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "SecureSign RootCA11" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -17698,9 +17698,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -17826,7 +17826,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "ACEDICOM Root" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -17848,9 +17848,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\010\141\215\307\206\073\001\202\005 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -17926,7 +17926,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -17951,9 +17951,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\077\151\036\201\234\360\232\112\363\163\377\271\110\242 \344\335 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -18028,7 +18028,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -18053,9 +18053,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\074\221\061\313\037\366\320\033\016\232\270\320\104\277 \022\276 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -18162,7 +18162,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Microsec e-Szigno Root CA 2009" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -18188,9 +18188,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\011\000\302\176\103\004\116\107\077\031 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -18291,7 +18291,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -18317,9 +18317,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\104\231\215\074\300\003\047\275\234\166\225\271\352\333 \254\265 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -18408,7 +18408,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "GlobalSign Root CA - R3" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -18430,9 +18430,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\013\004\000\000\000\000\001\041\130\123\010\242 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -18535,7 +18535,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "TC TrustCenter Universal CA III" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -18560,9 +18560,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\016\143\045\000\001\000\002\024\215\063\025\002\344\154\364 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -18696,7 +18696,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -18719,9 +18719,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\010\123\354\073\356\373\262\110\137 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -18850,7 +18850,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Izenpe.com" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -18872,9 +18872,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\000\260\267\132\026\110\137\277\341\313\365\213\327\031 \346\175 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -19040,7 +19040,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Chambers of Commerce Root - 2008" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -19069,9 +19069,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\011\000\243\332\102\176\244\261\256\332 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -19234,7 +19234,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Global Chambersign Root - 2008" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -19262,9 +19262,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\011\000\311\315\323\351\325\175\043\316 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -19410,7 +19410,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Bogus Mozilla Addons" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -19438,9 +19438,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\021\000\222\071\325\064\217\100\321\151\132\164\124\160\341 \362\077\103 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -19601,7 +19601,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Bogus Global Trustee" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
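Review bot: The trust block for "Bogus Mozilla Addons" (hunk at -19438) changes all three usages from `CKT_NETSCAPE_VALID` to `CKT_NSS_NOT_TRUSTED`, which is a change of trust value rather than the prefix rename applied to the surrounding entries, and nothing in the entry records that. I would add a comment above the three lines, for example `# Explicitly distrusted for server auth, e-mail and code signing; not a rename of the old VALID value`, so that a later regeneration of this file does not treat it as mechanical. A test asserting that verification of each such entry fails for all three usages would pin the intended behaviour; whether one exists is not visible from this diff. The same point applies to the other "Bogus ..." entries in the following hunks (Global Trustee, GMail, Google, Skype, Yahoo 1 to 3, live.com, kuix.de).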
@@ -19629,9 +19629,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\021\000\330\363\137\116\267\207\053\055\253\006\222\343\025 \070\057\260 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -19777,7 +19777,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Bogus GMail" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -19805,9 +19805,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\004\176\313\351\374\245\137\173\320\236\256\066\341\014 \256\036 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -19952,7 +19952,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Bogus Google" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -19980,9 +19980,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\021\000\365\310\152\363\141\142\361\072\144\365\117\155\311 \130\174\006 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -20128,7 +20128,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Bogus Skype" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -20156,9 +20156,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\021\000\351\002\213\225\170\344\025\334\032\161\012\053\210 \025\104\107 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -20304,7 +20304,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Bogus Yahoo 1" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -20332,9 +20332,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\021\000\327\125\217\332\365\361\020\133\262\023\050\053\160 \167\051\243 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -20478,7 +20478,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Bogus Yahoo 2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -20506,9 +20506,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\071\052\103\117\016\007\337\037\212\243\005\336\064\340 \302\051 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -20652,7 +20652,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Bogus Yahoo 3" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -20680,9 +20680,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\076\165\316\324\153\151\060\041\041\210\060\256\206\250 \052\161 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -20827,7 +20827,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Bogus live.com" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -20855,9 +20855,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\021\000\260\267\023\076\320\226\371\265\157\256\221\310\164 \275\072\300 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -20995,7 +20995,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Bogus kuix.de" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -21023,9 +21023,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\162\003\041\005\305\014\010\127\075\216\245\060\116\376 \350\260 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -21128,7 +21128,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Go Daddy Root Certificate Authority - G2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -21154,9 +21154,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\000 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -21263,7 +21263,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Starfield Root Certificate Authority - G2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -21290,9 +21290,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\000 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -21400,7 +21400,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Starfield Services Root Certificate Authority - G2" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -21427,9 +21427,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\000 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -21516,7 +21516,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "AffirmTrust Commercial" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -21538,9 +21538,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\010\167\167\006\047\046\251\261\174 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -21627,7 +21627,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "AffirmTrust Networking" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -21649,9 +21649,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\010\174\117\004\071\034\324\231\055 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -21770,7 +21770,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "AffirmTrust Premium" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -21792,9 +21792,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\010\155\214\024\106\261\246\012\356 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -21861,7 +21861,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "AffirmTrust Premium ECC" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -21883,9 +21883,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\010\164\227\045\212\307\077\172\124 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -21985,7 +21985,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Certum Trusted Network CA" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -22010,9 +22010,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\003\004\104\300 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -22140,7 +22140,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Certinomis - Autorité Racine" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -22164,9 +22164,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -22309,7 +22309,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "Root CA Generalitat Valenciana" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
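Review bot: The "Certinomis - Autorité Racine" hunk at -22164 maps `CKT_NETSCAPE_TRUST_UNKNOWN` to `CKT_NSS_MUST_VERIFY_TRUST` for e-mail and code signing, while every earlier entry in this file maps the same old value to `CKT_NSS_TRUST_UNKNOWN` (the AffirmTrust and Go Daddy entries, for instance). If the two constants are evaluated differently by the chain builder, these roots now behave differently from the others for the usages they are not trusted for, and the diff gives no reason for the split. Either use one mapping throughout or document the exception next to the entry, e.g. `# MUST_VERIFY_TRUST: not an anchor for this usage, chain must verify to another root`. The same inconsistency appears in the "A-Trust-nQual-03" hunk at -22465 and in the code-signing line of the hunk at -22585.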
@@ -22333,9 +22333,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\073\105\345\150 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -22439,7 +22439,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "A-Trust-nQual-03" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE @@ -22465,9 +22465,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\003\001\154\036 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -22561,7 +22561,7 @@ CKA_VALUE MULTILINE_OCTAL END # Trust for Certificate "TWCA Root Certification Authority" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE CKA_MODIFIABLE CK_BBOOL CK_FALSE 
@@ -22585,7 +22585,7 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE diff --git a/security/nss/lib/ckfw/capi/cfind.c b/security/nss/lib/ckfw/capi/cfind.c index fd055e65b16..95310c93a1a 100644 --- a/security/nss/lib/ckfw/capi/cfind.c +++ b/security/nss/lib/ckfw/capi/cfind.c @@ -36,7 +36,7 @@ * * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: cfind.c,v $ $Revision: 1.3 $ $Date: 2005/12/16 00:48:02 $"; +static const char CVS_ID[] = "@(#) $RCSfile: cfind.c,v $ $Revision: 1.4 $ $Date: 2011/02/02 17:13:40 $"; #endif /* DEBUG */ #ifndef CKCAPI_H @@ -136,7 +136,7 @@ ckcapi_attrmatch if( a->ulValueLen != b->size ) { /* match a decoded serial number */ if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) { - int len; + unsigned int len; unsigned char *data; data = nss_ckcapi_DERUnwrap(b->data, b->size, &len, NULL); diff --git a/security/nss/lib/ckfw/capi/ckcapi.h b/security/nss/lib/ckfw/capi/ckcapi.h index 4ddd49153bb..41dd4739933 100644 --- a/security/nss/lib/ckfw/capi/ckcapi.h +++ b/security/nss/lib/ckfw/capi/ckcapi.h @@ -40,7 +40,7 @@ #define CKCAPI_H 1 #ifdef DEBUG -static const char CKCAPI_CVS_ID[] = "@(#) $RCSfile: ckcapi.h,v $ $Revision: 1.3 $ $Date: 2008/08/11 08:14:10 $"; +static const char CKCAPI_CVS_ID[] = "@(#) $RCSfile: ckcapi.h,v $ $Revision: 1.4 $ $Date: 2011/02/02 17:13:40 $"; #endif /* DEBUG */ #include "nssckmdt.h" 
@@ -248,13 +248,13 @@ ckcapi_ReverseData /* * unwrap a single DER value */ -char * +unsigned char * nss_ckcapi_DERUnwrap ( - char *src, - int size, - int *outSize, - char **next + unsigned char *src, + unsigned int size, + unsigned int *outSize, + unsigned char **next ); /* diff --git a/security/nss/lib/ckfw/capi/cobject.c b/security/nss/lib/ckfw/capi/cobject.c index 5e8eb6ee265..2a95d2350d8 100644 --- a/security/nss/lib/ckfw/capi/cobject.c +++ b/security/nss/lib/ckfw/capi/cobject.c @@ -20,7 +20,8 @@ * Portions created by Red Hat, Inc, are Copyright (C) 2005 * * Contributor(s): - * Bob Relyea (rrelyea@redhat.com) + * Bob Relyea + * Muzaffar Mahkamov * * Alternatively, the contents of this file may be used under the terms of * either the GNU General Public License Version 2 or later (the "GPL"), or @@ -36,7 +37,7 @@ * * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: cobject.c,v $ $Revision: 1.6 $ $Date: 2009/07/29 20:15:19 $"; +static const char CVS_ID[] = "@(#) $RCSfile: cobject.c,v $ $Revision: 1.9 $ $Date: 2011/02/02 17:13:40 $"; #endif /* DEBUG */ #include "ckcapi.h" @@ -137,13 +138,13 @@ static const NSSItem ckcapi_emptyItem = { /* * unwrap a single DER value */ -char * +unsigned char * nss_ckcapi_DERUnwrap ( - char *src, - int size, - int *outSize, - char **next + unsigned char *src, + unsigned int size, + unsigned int *outSize, + unsigned char **next ) { unsigned char *start = src; @@ -159,11 +160,11 @@ nss_ckcapi_DERUnwrap if (size < 2) { return start; } - src ++ ; /* skip the tag -- should check it against an expected value! */ + src++; /* skip the tag -- should check it against an expected value! */ len = (unsigned) *src++; if (len & 0x80) { - int count = len & 0x7f; - len =0; + unsigned int count = len & 0x7f; + len = 0; if (count+2 > size) { return start; 
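Review bot: In the hunk at -159 of cobject.c, `count` comes straight from the DER length octet and can be as large as 127, but the only bound applied is `count+2 > size`. The length is then accumulated with `len = (len << 8) | ...` (visible in the next hunk), so any `count` larger than the width of `len` silently discards the high-order bytes and yields a truncated length. `len` is declared outside the hunk but appears to be an unsigned int. Rejecting over-long length encodings up front closes this: `if (count > sizeof(len) || count+2 > size) {`.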
@@ -172,7 +173,7 @@ nss_ckcapi_DERUnwrap len = (len << 8) | (unsigned) *src++; } } - if (len + ((unsigned char *)src-start) > (unsigned int)size) { + if (len + (src-start) > size) { return start; } if (next) { @@ -360,7 +361,8 @@ nss_ckcapi_GetStringAttribute } /* - * Return the size in bytes of a wide string + * Return the size in bytes of a wide string, including the terminating null + * character */ int nss_ckcapi_WideSize @@ -374,7 +376,7 @@ nss_ckcapi_WideSize return 0; } size = wcslen(wide)+1; - return size*2; + return size*sizeof(WCHAR); } /* @@ -386,7 +388,6 @@ nss_ckcapi_WideToUTF8 LPCWSTR wide ) { - DWORD len; DWORD size; char *buf; @@ -394,14 +395,12 @@ nss_ckcapi_WideToUTF8 return (char *)NULL; } - len = nss_ckcapi_WideSize(wide); - - size = WideCharToMultiByte(CP_UTF8, 0, wide, len, NULL, 0, NULL, 0); + size = WideCharToMultiByte(CP_UTF8, 0, wide, -1, NULL, 0, NULL, 0); if (size == 0) { return (char *)NULL; } buf = nss_ZNEWARRAY(NULL, char, size); - size = WideCharToMultiByte(CP_UTF8, 0, wide, len, buf, size, NULL, 0); + size = WideCharToMultiByte(CP_UTF8, 0, wide, -1, buf, size, NULL, 0); if (size == 0) { nss_ZFreeIf(buf); return (char *)NULL; @@ -418,20 +417,20 @@ nss_ckcapi_WideDup LPCWSTR wide ) { - DWORD len = nss_ckcapi_WideSize(wide); + DWORD len; LPWSTR buf; if ((LPWSTR)NULL == wide) { return (LPWSTR)NULL; } - len = nss_ckcapi_WideSize(wide); + len = wcslen(wide)+1; - buf = (LPWSTR) nss_ZNEWARRAY(NULL, char, len); + buf = nss_ZNEWARRAY(NULL, WCHAR, len); if ((LPWSTR) NULL == buf) { return buf; } - nsslibc_memcpy(buf, wide, len); + nsslibc_memcpy(buf, wide, len*sizeof(WCHAR)); return buf; } 
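Review bot: The rewritten bound check in the hunk at -172, `if (len + (src-start) > size)`, still adds before comparing, so a very large decoded `len` can wrap the sum on builds where `ptrdiff_t` is no wider than `unsigned int`. The check then passes and a length larger than the buffer is presumably what gets reported through `*outSize`. Comparing against the remaining space avoids the addition: `if (len > size - (unsigned int)(src-start)) {`. The subtraction cannot underflow, because the earlier `size < 2` and `count+2 > size` checks keep `src` within `size` bytes of `start`. The rest of nss_ckcapi_DERUnwrap is outside the hunk.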
@@ -445,21 +444,18 @@ nss_ckcapi_UTF8ToWide ) { DWORD size; - DWORD len = strlen(buf)+1; LPWSTR wide; if ((char *)NULL == buf) { return (LPWSTR) NULL; } - len = strlen(buf)+1; - - size = MultiByteToWideChar(CP_UTF8, 0, buf, len, NULL, 0); + size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, NULL, 0); if (size == 0) { return (LPWSTR) NULL; } wide = nss_ZNEWARRAY(NULL, WCHAR, size); - size = MultiByteToWideChar(CP_UTF8, 0, buf, len, wide, size); + size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, wide, size); if (size == 0) { nss_ZFreeIf(wide); return (LPWSTR) NULL; @@ -572,10 +568,12 @@ ckcapi_CertPopulateModulusExponent { ckcapiKeyParams *kp = &io->u.cert.key; PCCERT_CONTEXT certContext = io->u.cert.certContext; - char *pkData = certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData; - CK_ULONG size= certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData; - CK_ULONG newSize; - char *ptr, *newptr; + unsigned char *pkData = + certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData; + unsigned int size= + certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData; + unsigned int newSize; + unsigned char *ptr, *newptr; /* find the start of the modulus -- this will not give good results if * the key isn't an rsa key! */ @@ -1420,7 +1418,6 @@ ckcapi_mdObject_Destroy goto loser; } rc = CertDeleteCertificateFromStore(certContext); - CertFreeCertificateContext(certContext); } else { char *provName = NULL; char *containerName = NULL; @@ -2299,7 +2296,7 @@ nss_ckcapi_CreateObject ) { CK_OBJECT_CLASS objClass; - ckcapiInternalObject *io; + ckcapiInternalObject *io = NULL; CK_BBOOL isToken; /* diff --git a/security/nss/lib/ckfw/capi/crsa.c b/security/nss/lib/ckfw/capi/crsa.c index 7f3bacbf5ac..bbca590193e 100644 --- a/security/nss/lib/ckfw/capi/crsa.c +++ b/security/nss/lib/ckfw/capi/crsa.c 
@@ -36,7 +36,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: crsa.c,v $ $Revision: 1.4 $ $Date: 2010/04/25 23:37:40 $"; +static const char CVS_ID[] = "@(#) $RCSfile: crsa.c,v $ $Revision: 1.5 $ $Date: 2011/02/02 17:13:40 $"; #endif /* DEBUG */ #include "ckcapi.h" @@ -88,7 +88,7 @@ static char * nss_ckcapi_GetOidString ( unsigned char *oidTag, - int oidTagSize, + unsigned int oidTagSize, CK_RV *pError ) { @@ -96,7 +96,7 @@ nss_ckcapi_GetOidString char *oidStr; char *cstr; unsigned long value; - int oidSize; + unsigned int oidSize; if (DER_OBJECT_ID != *oidTag) { /* wasn't an oid */ @@ -164,8 +164,8 @@ ckcapi_GetRawHash unsigned char *hashData; char *oidStr; CK_RV error; - int oidSize; - int size; + unsigned int oidSize; + unsigned int size; /* * there are 2 types of hashes NSS typically tries to sign, regular * RSA signature format (with encoded DER_OIDS), and SSL3 Signed hashes. diff --git a/security/nss/lib/ckfw/hash.c b/security/nss/lib/ckfw/hash.c index 6fd25c3d075..81a1f583592 100644 --- a/security/nss/lib/ckfw/hash.c +++ b/security/nss/lib/ckfw/hash.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: hash.c,v $ $Revision: 1.4 $ $Date: 2009/02/09 07:55:52 $"; +static const char CVS_ID[] = "@(#) $RCSfile: hash.c,v $ $Revision: 1.5 $ $Date: 2010/09/09 21:14:24 $"; #endif /* DEBUG */ /* @@ -123,6 +123,7 @@ nssCKFWHash_Create rv->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError); if (!rv->mutex) { if( CKR_OK == *pError ) { + (void)nss_ZFreeIf(rv); *pError = CKR_GENERAL_ERROR; } return (nssCKFWHash *)NULL; diff --git a/security/nss/lib/ckfw/session.c b/security/nss/lib/ckfw/session.c index 0dd32b4f65b..1da6e42eaf6 100644 --- a/security/nss/lib/ckfw/session.c +++ b/security/nss/lib/ckfw/session.c 
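Review bot: In the hash.c hunk at -123 the added `(void)nss_ZFreeIf(rv);` sits inside `if( CKR_OK == *pError )`, so `rv` is released only when mutex creation fails without reporting an error. When nssCKFWInstance_CreateMutex fails and sets `*pError`, which is presumably the usual failure mode, the function still returns NULL without freeing `rv`. Moving the call out of the inner condition, directly after `if (!rv->mutex) {`, covers both paths. The allocation of `rv` is outside the hunk.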
@@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: session.c,v $ $Revision: 1.13 $ $Date: 2009/02/09 07:55:53 $"; +static const char CVS_ID[] = "@(#) $RCSfile: session.c,v $ $Revision: 1.14 $ $Date: 2010/09/09 21:14:24 $"; #endif /* DEBUG */ /* @@ -1515,14 +1515,14 @@ nssCKFWSession_CopyObject CK_ATTRIBUTE_TYPE_PTR oldTypes; NSSCKFWObject *rv; - tmpArena = NSSArena_Create(); - if (!tmpArena) { - *pError = CKR_HOST_MEMORY; + n = nssCKFWObject_GetAttributeCount(fwObject, pError); + if( (0 == n) && (CKR_OK != *pError) ) { return (NSSCKFWObject *)NULL; } - n = nssCKFWObject_GetAttributeCount(fwObject, pError); - if( (0 == n) && (CKR_OK != *pError) ) { + tmpArena = NSSArena_Create(); + if (!tmpArena) { + *pError = CKR_HOST_MEMORY; return (NSSCKFWObject *)NULL; } diff --git a/security/nss/lib/crmf/cmmf.h b/security/nss/lib/crmf/cmmf.h index fdaa850fc08..0d39af79c61 100644 --- a/security/nss/lib/crmf/cmmf.h +++ b/security/nss/lib/crmf/cmmf.h @@ -637,7 +637,7 @@ extern int * inIndex * The index of the CMMFCertResponse the user wants a copy of. * NOTES: - * This funciton creates a copy of the CMMFCertResponse at the index + * This function creates a copy of the CMMFCertResponse at the index * corresponding to the parameter 'inIndex'. Indexing is done like a * traditional C array, ie the valid indexes are (0...numResponses-1). * The user must call CMMF_DestroyCertResponse after the return value is diff --git a/security/nss/lib/crmf/crmf.h b/security/nss/lib/crmf/crmf.h index 78f8ecb13a7..6b92bdd7e09 100644 --- a/security/nss/lib/crmf/crmf.h +++ b/security/nss/lib/crmf/crmf.h 
@@ -84,7 +84,7 @@ extern SECStatus * The function fn will be called, probably multiple times whenever * the ASN1 encoder wants to write out DER-encoded bytes. Look at the * comments in crmft.h where the CRMFEncoderOutputCallback type is - * defined for information on proper behavior of the funciton fn. + * defined for information on proper behavior of the function fn. * RETURN: * SECSuccess if encoding was successful. Any other return value * indicates an error occurred during encoding. @@ -116,7 +116,7 @@ extern SECStatus CRMF_EncodeCertRequest (CRMFCertRequest *inCertReq, * OUTPUT: * The function fn will be called, probably multiple times. Look at the * comments in crmft.h where the CRMFEncoderOutputCallback type is - * defined for information on proper behavior of the funciton fn. + * defined for information on proper behavior of the function fn. * * RETURN: * SECSuccess if encoding the Certificate Request Messages was successful. @@ -616,7 +616,7 @@ extern SECStatus CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg); * * The last 3 arguments are for future compatibility in case we ever want to * support generating POPOSigningKeyInput. Pass in NULL for all 3 if you - * definitely don't want the funciton to even try to generate + * definitely don't want the function to even try to generate * POPOSigningKeyInput. If you try to use POPOSigningKeyInput, the function * will fail. * @@ -655,10 +655,10 @@ extern SECStatus * Adds Proof Of Possession using the keyEncipherment field of * ProofOfPossession. * - * The funciton looks at the the inKeyChoice parameter and interprets it in + * The function looks at the the inKeyChoice parameter and interprets it in * in the following manner. * - * If a parameter is not mentioned under interpretation, the funciton will not + * If a parameter is not mentioned under interpretation, the function will not * look at its value when implementing that case. * * inKeyChoice Interpretation 
@@ -709,10 +709,10 @@ extern SECStatus * Adds Proof Of Possession using the keyAgreement field of * ProofOfPossession. * - * The funciton looks at the the inKeyChoice parameter and interprets it in + * The function looks at the the inKeyChoice parameter and interprets it in * in the following manner. * - * If a parameter is not mentioned under interpretation, the funciton will not + * If a parameter is not mentioned under interpretation, the function will not * look at its value when implementing that case. * * inKeyChoice Interpretation @@ -954,7 +954,7 @@ extern SECStatus * RETURN: * If the issuer is present in the cert request cert template, the function * returns SECSuccess and places a copy of the issuer in *destIssuer. - * If there is no issuer present, the funciton returns SECFailure and the + * If there is no issuer present, the function returns SECFailure and the * value at *destIssuer is unchanged. */ extern SECStatus @@ -1766,7 +1766,7 @@ extern SECStatus /* Helper functions that can be used by other libraries. */ /* - * A quick helper funciton to get the best wrap mechanism. + * A quick helper function to get the best wrap mechanism. */ extern CK_MECHANISM_TYPE CRMF_GetBestWrapPadMechanism(PK11SlotInfo *slot); diff --git a/security/nss/lib/crmf/crmffut.h b/security/nss/lib/crmf/crmffut.h index 561681a939d..4aeea94d505 100644 --- a/security/nss/lib/crmf/crmffut.h +++ b/security/nss/lib/crmf/crmffut.h @@ -41,7 +41,7 @@ /* * Use this function to create the CRMFSinglePubInfo* variables that will - * populate the inPubInfoArray paramter for the funciton + * populate the inPubInfoArray parameter for the function * CRMF_CreatePKIPublicationInfo. * * "inPubMethod" specifies which publication method will be used diff --git a/security/nss/lib/crmf/crmfi.h b/security/nss/lib/crmf/crmfi.h index 5a4fbe4693a..84fa7e1afe3 100644 --- a/security/nss/lib/crmf/crmfi.h +++ b/security/nss/lib/crmf/crmfi.h 
@@ -93,7 +93,7 @@ struct crmfEncoderOutput { }; /* - * This funciton is used by the API for encoding functions that are + * This function is used by the API for encoding functions that are * exposed through the API, ie all of the CMMF_Encode* and CRMF_Encode* * functions. */ diff --git a/security/nss/lib/cryptohi/cryptohi.h b/security/nss/lib/cryptohi/cryptohi.h index 52d8f6df54d..0ef11ce3c83 100644 --- a/security/nss/lib/cryptohi/cryptohi.h +++ b/security/nss/lib/cryptohi/cryptohi.h @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: cryptohi.h,v 1.14 2010/02/10 00:49:43 wtc%google.com Exp $ */ +/* $Id: cryptohi.h,v 1.15 2010/08/12 01:15:37 wtc%google.com Exp $ */ #ifndef _CRYPTOHI_H_ #define _CRYPTOHI_H_ @@ -164,7 +164,7 @@ extern SECStatus SGN_Digest(SECKEYPrivateKey *privKey, ** "pk" the private key to encrypt with */ extern SECStatus SEC_DerSignData(PLArenaPool *arena, SECItem *result, - unsigned char *buf, int len, + const unsigned char *buf, int len, SECKEYPrivateKey *pk, SECOidTag algid); /* diff --git a/security/nss/lib/cryptohi/keyhi.h b/security/nss/lib/cryptohi/keyhi.h index b358e073b10..c3b2ab238a0 100644 --- a/security/nss/lib/cryptohi/keyhi.h +++ b/security/nss/lib/cryptohi/keyhi.h @@ -35,7 +35,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: keyhi.h,v 1.17 2008/06/14 14:20:00 wtc%google.com Exp $ */ +/* $Id: keyhi.h,v 1.18 2011/07/24 13:48:12 wtc%google.com Exp $ */ #ifndef _KEYHI_H_ #define _KEYHI_H_ 
@@ -67,18 +67,12 @@ extern SECStatus SECKEY_CopySubjectPublicKeyInfo(PLArenaPool *arena, /* ** Update the PQG parameters for a cert's public key. -** Only done for DSA and Fortezza certs +** Only done for DSA certs */ extern SECStatus SECKEY_UpdateCertPQG(CERTCertificate * subjectCert); -/* Compare the KEA parameters of two public keys. - * Only used by fortezza. */ - -extern SECStatus -SECKEY_KEAParamCompare(CERTCertificate *cert1,CERTCertificate *cert2); - /* ** Return the strength of the public key in bytes */ diff --git a/security/nss/lib/cryptohi/keythi.h b/security/nss/lib/cryptohi/keythi.h index 545d5ee615b..751cef2738e 100644 --- a/security/nss/lib/cryptohi/keythi.h +++ b/security/nss/lib/cryptohi/keythi.h @@ -43,7 +43,7 @@ #include "prclist.h" /* -** RFC 4055 specifies three different RSA key types. +** RFC 4055 Section 1.2 specifies three different RSA key types. ** ** rsaKey maps to keys with SEC_OID_PKCS1_RSA_ENCRYPTION and can be used for ** both encryption and signatures with old (PKCS #1 v1.5) and new (PKCS #1 @@ -60,9 +60,9 @@ typedef enum { nullKey = 0, rsaKey = 1, dsaKey = 2, - fortezzaKey = 3, + fortezzaKey = 3, /* deprecated */ dhKey = 4, - keaKey = 5, + keaKey = 5, /* deprecated */ ecKey = 6, rsaPssKey = 7, rsaOaepKey = 8 @@ -74,6 +74,7 @@ typedef enum { SEC_BEGIN_PROTOS extern const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[]; +extern const SEC_ASN1Template SECKEY_RSAPSSParamsTemplate[]; extern const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[]; extern const SEC_ASN1Template SECKEY_DHPublicKeyTemplate[]; extern const SEC_ASN1Template SECKEY_DHParamKeyTemplate[]; 
@@ -81,8 +82,9 @@ extern const SEC_ASN1Template SECKEY_PQGParamsTemplate[]; extern const SEC_ASN1Template SECKEY_DSAPrivateKeyExportTemplate[]; /* Windows DLL accessor functions */ -extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_DSAPublicKeyTemplate; -extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_RSAPublicKeyTemplate; +SEC_ASN1_CHOOSER_DECLARE(SECKEY_DSAPublicKeyTemplate) +SEC_ASN1_CHOOSER_DECLARE(SECKEY_RSAPublicKeyTemplate) +SEC_ASN1_CHOOSER_DECLARE(SECKEY_RSAPSSParamsTemplate) SEC_END_PROTOS @@ -98,6 +100,16 @@ struct SECKEYRSAPublicKeyStr { }; typedef struct SECKEYRSAPublicKeyStr SECKEYRSAPublicKey; +/* +** RSA-PSS parameters +*/ +struct SECKEYRSAPSSParamsStr { + SECAlgorithmID *hashAlg; + SECAlgorithmID *maskAlg; + SECItem saltLength; + SECItem trailerField; +}; +typedef struct SECKEYRSAPSSParamsStr SECKEYRSAPSSParams; /* ** DSA Public Key and related structures diff --git a/security/nss/lib/cryptohi/manifest.mn b/security/nss/lib/cryptohi/manifest.mn index a6c0303873f..e3bcdb83601 100644 --- a/security/nss/lib/cryptohi/manifest.mn +++ b/security/nss/lib/cryptohi/manifest.mn @@ -38,8 +38,6 @@ CORE_DEPTH = ../../.. MODULE = nss -REQUIRES = dbm - LIBRARY_NAME = cryptohi EXPORTS = \ @@ -54,7 +52,7 @@ EXPORTS = \ PRIVATE_EXPORTS = \ $(NULL) -LIBSRCS = \ +CSRCS = \ sechash.c \ seckey.c \ secsign.c \ @@ -62,7 +60,5 @@ LIBSRCS = \ dsautil.c \ $(NULL) -CSRCS = $(LIBSRCS) - # This part of the code, including all sub-dirs, can be optimized for size export ALLOW_OPT_CODE_SIZE = 1 diff --git a/security/nss/lib/cryptohi/sechash.c b/security/nss/lib/cryptohi/sechash.c index af6ea820306..f5974f3d073 100644 --- a/security/nss/lib/cryptohi/sechash.c +++ b/security/nss/lib/cryptohi/sechash.c 
@@ -91,6 +91,11 @@ sha1_NewContext(void) { return (void *) PK11_CreateDigestContext(SEC_OID_SHA1); } +static void * +sha224_NewContext(void) { + return (void *) PK11_CreateDigestContext(SEC_OID_SHA224); +} + static void * sha256_NewContext(void) { return (void *) PK11_CreateDigestContext(SEC_OID_SHA256); @@ -184,6 +189,17 @@ const SECHashObject SECHashObjects[] = { SHA512_BLOCK_LENGTH, HASH_AlgSHA512 }, + { SHA224_LENGTH, + (void * (*)(void)) sha224_NewContext, + (void * (*)(void *)) PK11_CloneContext, + (void (*)(void *, PRBool)) PK11_DestroyContext, + (void (*)(void *)) PK11_DigestBegin, + (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp, + (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) + PK11_DigestFinal, + SHA224_BLOCK_LENGTH, + HASH_AlgSHA224 + }, }; const SECHashObject * @@ -201,6 +217,7 @@ HASH_GetHashTypeByOidTag(SECOidTag hashOid) case SEC_OID_MD2: ht = HASH_AlgMD2; break; case SEC_OID_MD5: ht = HASH_AlgMD5; break; case SEC_OID_SHA1: ht = HASH_AlgSHA1; break; + case SEC_OID_SHA224: ht = HASH_AlgSHA224; break; case SEC_OID_SHA256: ht = HASH_AlgSHA256; break; case SEC_OID_SHA384: ht = HASH_AlgSHA384; break; case SEC_OID_SHA512: ht = HASH_AlgSHA512; break; @@ -220,6 +237,7 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid) /* no oid exists for HMAC_MD2 */ /* NSS does not define a oid for HMAC_MD4 */ case SEC_OID_HMAC_SHA1: hashOid = SEC_OID_SHA1; break; + case SEC_OID_HMAC_SHA224: hashOid = SEC_OID_SHA224; break; case SEC_OID_HMAC_SHA256: hashOid = SEC_OID_SHA256; break; case SEC_OID_HMAC_SHA384: hashOid = SEC_OID_SHA384; break; case SEC_OID_HMAC_SHA512: hashOid = SEC_OID_SHA512; break; 
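Review bot: The hunk at -184 appends the SHA-224 entry after the SHA-512 entry instead of placing it in digest-size order, and nothing in the table explains why. If SECHashObjects is indexed by the hash type value (the lookup is outside the hunk), the position is correct only while HASH_AlgSHA224 is numbered directly after HASH_AlgSHA512. A later reordering "for tidiness" would return the wrong digest implementation. I would add a comment above the new entry, for example `/* entries are in HASH_HashType order, not size order; do not reorder */`.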
@@ -239,6 +257,7 @@ HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid) /* no oid exists for HMAC_MD2 */ /* NSS does not define a oid for HMAC_MD4 */ case SEC_OID_SHA1: hmacOid = SEC_OID_HMAC_SHA1; break; + case SEC_OID_SHA224: hmacOid = SEC_OID_HMAC_SHA224; break; case SEC_OID_SHA256: hmacOid = SEC_OID_HMAC_SHA256; break; case SEC_OID_SHA384: hmacOid = SEC_OID_HMAC_SHA384; break; case SEC_OID_SHA512: hmacOid = SEC_OID_HMAC_SHA512; break; diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c index 42a4cd3f579..5b8fd228cfa 100644 --- a/security/nss/lib/cryptohi/seckey.c +++ b/security/nss/lib/cryptohi/seckey.c @@ -51,6 +51,7 @@ #include "keyi.h" SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) +SEC_ASN1_MKSUB(SEC_IntegerTemplate) const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[] = { { SEC_ASN1_SEQUENCE, 
@@ -78,6 +79,34 @@ const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[] = { { 0, } }; +static const SEC_ASN1Template seckey_PointerToAlgorithmIDTemplate[] = { + { SEC_ASN1_POINTER | SEC_ASN1_XTRN, 0, + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) } +}; + +/* Parameters for SEC_OID_PKCS1_RSA_PSS_SIGNATURE */ +const SEC_ASN1Template SECKEY_RSAPSSParamsTemplate[] = +{ + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYRSAPSSParams) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | + SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(SECKEYRSAPSSParams, hashAlg), + seckey_PointerToAlgorithmIDTemplate }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | + SEC_ASN1_CONTEXT_SPECIFIC | 1, + offsetof(SECKEYRSAPSSParams, maskAlg), + seckey_PointerToAlgorithmIDTemplate }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | + SEC_ASN1_XTRN | SEC_ASN1_CONTEXT_SPECIFIC | 2, + offsetof(SECKEYRSAPSSParams, saltLength), + SEC_ASN1_SUB(SEC_IntegerTemplate) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | + SEC_ASN1_XTRN | SEC_ASN1_CONTEXT_SPECIFIC | 3, + offsetof(SECKEYRSAPSSParams, trailerField), + SEC_ASN1_SUB(SEC_IntegerTemplate) }, + { 0 } +}; + const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[] = { { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dsa.publicValue), }, { 0, } @@ -107,6 +136,7 @@ const SEC_ASN1Template SECKEY_DHParamKeyTemplate[] = { SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_DSAPublicKeyTemplate) SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_RSAPublicKeyTemplate) +SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_RSAPSSParamsTemplate) SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SubjectPublicKeyInfoTemplate) /* 
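Review bot: SECKEY_RSAPSSParamsTemplate in the hunk at -78 marks all four fields `SEC_ASN1_OPTIONAL`, but its only comment is the one-line "Parameters for SEC_OID_PKCS1_RSA_PSS_SIGNATURE". A caller is not told what the decoded SECKEYRSAPSSParams holds when a field is omitted. Presumably `hashAlg` and `maskAlg` stay NULL and `saltLength` and `trailerField` stay empty, in which case callers must apply the RFC 4055 defaults themselves. A caller that dereferences `hashAlg` unconditionally would fault on a certificate that relies on those defaults. I would extend the comment, for example `/* All fields are OPTIONAL; an absent field is left NULL/empty and the RFC 4055 default applies. */`, after confirming that decoder behaviour.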
@@ -296,128 +326,14 @@ SECKEY_CopySubjectPublicKeyInfo(PRArenaPool *arena, return rv; } -SECStatus -SECKEY_KEASetParams(SECKEYKEAParams * params, SECKEYPublicKey * pubKey) { - - if (pubKey->keyType == fortezzaKey) { - /* the key is a fortezza V1 public key */ - - /* obtain hash of pubkey->u.fortezza.params.prime.data + - pubkey->u.fortezza.params.subPrime.data + - pubkey->u.fortezza.params.base.data */ - - /* store hash in params->hash */ - - } else if (pubKey->keyType == keaKey) { - - /* the key is a new fortezza KEA public key. */ - SECITEM_CopyItem(pubKey->arena, ¶ms->hash, - &pubKey->u.kea.params.hash ); - - } else { - - /* the key has no KEA parameters */ - return SECFailure; - } - return SECSuccess; -} - - -SECStatus -SECKEY_KEAParamCompare(CERTCertificate *cert1,CERTCertificate *cert2) -{ - - SECStatus rv; - - SECKEYPublicKey *pubKey1 = 0; - SECKEYPublicKey *pubKey2 = 0; - - SECKEYKEAParams params1; - SECKEYKEAParams params2; - - - rv = SECFailure; - - /* get cert1's public key */ - pubKey1 = CERT_ExtractPublicKey(cert1); - if ( !pubKey1 ) { - return(SECFailure); - } - - - /* get cert2's public key */ - pubKey2 = CERT_ExtractPublicKey(cert2); - if ( !pubKey2 ) { - return(SECFailure); - } - - /* handle the case when both public keys are new - * fortezza KEA public keys. */ - - if ((pubKey1->keyType == keaKey) && - (pubKey2->keyType == keaKey) ) { - - rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.kea.params.hash, - &pubKey2->u.kea.params.hash); - goto done; - } - - /* handle the case when both public keys are old fortezza - * public keys. 
*/ - - if ((pubKey1->keyType == fortezzaKey) && - (pubKey2->keyType == fortezzaKey) ) { - - rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.prime, - &pubKey2->u.fortezza.keaParams.prime); - - if (rv == SECEqual) { - rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.subPrime, - &pubKey2->u.fortezza.keaParams.subPrime); - } - - if (rv == SECEqual) { - rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.base, - &pubKey2->u.fortezza.keaParams.base); - } - - goto done; - } - - - /* handle the case when the public keys are a mixture of - * old and new. */ - - rv = SECKEY_KEASetParams(¶ms1, pubKey1); - if (rv != SECSuccess) return rv; - - rv = SECKEY_KEASetParams(¶ms2, pubKey2); - if (rv != SECSuccess) return rv; - - rv = (SECStatus)SECITEM_CompareItem(¶ms1.hash, ¶ms2.hash); - -done: - SECKEY_DestroyPublicKey(pubKey1); - SECKEY_DestroyPublicKey(pubKey2); - - return rv; /* returns SECEqual if parameters are equal */ - -} - - /* Procedure to update the pqg parameters for a cert's public key. - * pqg parameters only need to be updated for DSA and fortezza certificates. + * pqg parameters only need to be updated for DSA certificates. * The procedure uses calls to itself recursively to update a certificate * issuer's pqg parameters. Some important rules are: * - Do nothing if the cert already has PQG parameters. * - If the cert does not have PQG parameters, obtain them from the issuer. - * - A valid cert chain cannot have a DSA or Fortezza cert without - * pqg parameters that has a parent that is not a DSA or Fortezza cert. - * - pqg parameters are stored in two different formats: the standard - * DER encoded format and the fortezza-only wrapped format. The params - * should be copied from issuer to subject cert without modifying the - * formats. The public key extraction code will deal with the different - * formats at the time of extraction. 
*/ + * - A valid cert chain cannot have a DSA cert without + * pqg parameters that has a parent that is not a DSA cert. */ static SECStatus seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count) @@ -443,14 +359,10 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count) if (oid != NULL) { tag = oid->offset; - /* Check if cert has a DSA or Fortezza public key. If not, return + /* Check if cert has a DSA public key. If not, return * success since no PQG params need to be updated. */ - if ( (tag != SEC_OID_MISSI_KEA_DSS_OLD) && - (tag != SEC_OID_MISSI_DSS_OLD) && - (tag != SEC_OID_MISSI_KEA_DSS) && - (tag != SEC_OID_MISSI_DSS) && - (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) && + if ( (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) && (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) && (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) && (tag != SEC_OID_SDN702_DSA_SIGNATURE) && @@ -482,21 +394,17 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count) return SECFailure; } - /* if parent is not DSA or fortezza, return failure since + /* if parent is not DSA, return failure since we don't allow this case. */ oid = SECOID_FindOID(&issuerCert->subjectPublicKeyInfo.algorithm.algorithm); if (oid != NULL) { tag = oid->offset; - /* Check if issuer cert has a DSA or Fortezza public key. If not, + /* Check if issuer cert has a DSA public key. If not, * return failure. */ - if ( (tag != SEC_OID_MISSI_KEA_DSS_OLD) && - (tag != SEC_OID_MISSI_DSS_OLD) && - (tag != SEC_OID_MISSI_KEA_DSS) && - (tag != SEC_OID_MISSI_DSS) && - (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) && + if ( (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) && (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) && (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) && (tag != SEC_OID_SDN702_DSA_SIGNATURE) && 
@@ -511,7 +419,7 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count) /* at this point the subject cert has no pqg parameters and the - * issuer cert has a DSA or fortezza public key. Update the issuer's + * issuer cert has a DSA public key. Update the issuer's * pqg parameters with a recursive call to this same function. */ rv = seckey_UpdateCertPQGChain(issuerCert, count); @@ -780,18 +688,6 @@ CERT_ExtractPublicKey(CERTCertificate *cert) return seckey_ExtractPublicKey(&cert->subjectPublicKeyInfo); } -/* - * Get the public key for the fortezza KMID. NOTE this requires the - * PQG parameters to be set. We probably should have a fortezza call that - * just extracts the kmid for us directly so this function can work - * without having the whole cert chain - */ -SECKEYPublicKey * -CERT_KMIDPublicKey(CERTCertificate *cert) -{ - return seckey_ExtractPublicKey(&cert->subjectPublicKeyInfo); -} - int SECKEY_ECParamsToKeySize(const SECItem *encodedParams) { @@ -1075,8 +971,7 @@ SECKEY_PublicKeyStrength(const SECKEYPublicKey *pubk) unsigned char b0; unsigned size; - /* interpret modulus length as key strength... in - * fortezza that's the public key length */ + /* interpret modulus length as key strength */ if (!pubk) goto loser; switch (pubk->keyType) { @@ -1094,8 +989,6 @@ SECKEY_PublicKeyStrength(const SECKEYPublicKey *pubk) b0 = pubk->u.dh.publicValue.data[0]; return b0 ? pubk->u.dh.publicValue.len : pubk->u.dh.publicValue.len - 1; - case fortezzaKey: - return PR_MAX(pubk->u.fortezza.KEAKey.len, pubk->u.fortezza.DSSKey.len); case ecKey: /* Get the key size in bits and adjust */ size = SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams); @@ -1117,7 +1010,6 @@ SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk) case rsaKey: case dsaKey: case dhKey: - case fortezzaKey: return SECKEY_PublicKeyStrength(pubk) * 8; /* 1 byte = 8 bits */ case ecKey: size = SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams); 
@@ -1140,7 +1032,6 @@ SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
 case rsaKey:
 b0 = pubk->u.rsa.modulus.data[0];
 return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
- case fortezzaKey:
 case dsaKey:
 return DSA_SIGNATURE_LEN;
 case ecKey:
@@ -1255,51 +1146,6 @@ SECKEY_CopyPublicKey(const SECKEYPublicKey *pubk) rv = SECITEM_CopyItem(arena, ©k->u.dsa.params.base, &pubk->u.dsa.params.base); break; - case keaKey: - rv = SECITEM_CopyItem(arena, ©k->u.kea.publicValue, - &pubk->u.kea.publicValue); - if (rv != SECSuccess) break; - rv = SECITEM_CopyItem(arena, ©k->u.kea.params.hash, - &pubk->u.kea.params.hash); - break; - case fortezzaKey: - copyk->u.fortezza.KEAversion = pubk->u.fortezza.KEAversion; - copyk->u.fortezza.DSSversion = pubk->u.fortezza.DSSversion; - PORT_Memcpy(copyk->u.fortezza.KMID, pubk->u.fortezza.KMID, - sizeof(pubk->u.fortezza.KMID)); - rv = SECITEM_CopyItem(arena, ©k->u.fortezza.clearance, - &pubk->u.fortezza.clearance); - if (rv != SECSuccess) break; - rv = SECITEM_CopyItem(arena, ©k->u.fortezza.KEAprivilege, - &pubk->u.fortezza.KEAprivilege); - if (rv != SECSuccess) break; - rv = SECITEM_CopyItem(arena, ©k->u.fortezza.DSSprivilege, - &pubk->u.fortezza.DSSprivilege); - if (rv != SECSuccess) break; - rv = SECITEM_CopyItem(arena, ©k->u.fortezza.KEAKey, - &pubk->u.fortezza.KEAKey); - if (rv != SECSuccess) break; - rv = SECITEM_CopyItem(arena, ©k->u.fortezza.DSSKey, - &pubk->u.fortezza.DSSKey); - if (rv != SECSuccess) break; - rv = SECITEM_CopyItem(arena, ©k->u.fortezza.params.prime, - &pubk->u.fortezza.params.prime); - if (rv != SECSuccess) break; - rv = SECITEM_CopyItem(arena, ©k->u.fortezza.params.subPrime, - &pubk->u.fortezza.params.subPrime); - if (rv != SECSuccess) break; - rv = SECITEM_CopyItem(arena, ©k->u.fortezza.params.base, - &pubk->u.fortezza.params.base); - if (rv != SECSuccess) break; - rv = SECITEM_CopyItem(arena, ©k->u.fortezza.keaParams.prime, - &pubk->u.fortezza.keaParams.prime); - if (rv != SECSuccess) break; - rv = SECITEM_CopyItem(arena, ©k->u.fortezza.keaParams.subPrime, - &pubk->u.fortezza.keaParams.subPrime); - if (rv != SECSuccess) break; - rv = SECITEM_CopyItem(arena, ©k->u.fortezza.keaParams.base, - &pubk->u.fortezza.keaParams.base); - break; case dhKey: rv = 
SECITEM_CopyItem(arena,©k->u.dh.prime,&pubk->u.dh.prime); if (rv != SECSuccess) break; @@ -1366,12 +1212,7 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk) pubk->pkcs11ID = CK_INVALID_HANDLE; pubk->arena = arena; - /* - * fortezza is at the head of this switch, since we don't want to - * allocate an arena... CERT_ExtractPublicKey will to that for us. - */ switch(privk->keyType) { - case fortezzaKey: case nullKey: case dhKey: case dsaKey: @@ -1500,40 +1341,8 @@ SECKEY_CreateSubjectPublicKeyInfo(SECKEYPublicKey *pubk) return spki; } break; - case keaKey: case dhKey: /* later... */ - break; - case fortezzaKey: -#ifdef notdef - /* encode the DSS parameters (PQG) */ - rv = FortezzaBuildParams(¶ms,pubk); - if (rv != SECSuccess) break; - - /* set the algorithm */ - rv = SECOID_SetAlgorithmID(arena, &spki->algorithm, - SEC_OID_MISSI_KEA_DSS, ¶ms); - PORT_Free(params.data); - if (rv == SECSuccess) { - /* - * Encode the public key into the subjectPublicKeyInfo. - * Fortezza key material is not standard DER - */ - rv = FortezzaEncodeCertKey(arena,&spki->subjectPublicKey,pubk); - if (rv == SECSuccess) { - /* - * The stored value is supposed to be a BIT_STRING, - * so convert the length. - */ - spki->subjectPublicKey.len <<= 3; - - /* - * We got a good one; return it. - */ - return spki; - } - } -#endif break; default: break; diff --git a/security/nss/lib/cryptohi/secsign.c b/security/nss/lib/cryptohi/secsign.c index 38220ffbf31..37609b19385 100644 --- a/security/nss/lib/cryptohi/secsign.c +++ b/security/nss/lib/cryptohi/secsign.c @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: secsign.c,v 1.22 2010/02/10 00:49:43 wtc%google.com Exp $ */ +/* $Id: secsign.c,v 1.26 2011/07/24 13:48:12 wtc%google.com Exp $ */ #include #include "cryptohi.h" 
@@ -83,8 +83,7 @@ SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key) /* verify our key type */ if (key->keyType != keyType && - !((key->keyType == dsaKey) && (keyType == fortezzaKey)) && - !((key->keyType == fortezzaKey) && (keyType == dsaKey)) ) { + !((key->keyType == dsaKey) && (keyType == fortezzaKey)) ) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return 0; } @@ -341,7 +340,8 @@ SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SignedDataTemplate) SECStatus SEC_DerSignData(PRArenaPool *arena, SECItem *result, - unsigned char *buf, int len, SECKEYPrivateKey *pk, SECOidTag algID) + const unsigned char *buf, int len, SECKEYPrivateKey *pk, + SECOidTag algID) { SECItem it; CERTSignedData sd; @@ -376,7 +376,7 @@ SEC_DerSignData(PRArenaPool *arena, SECItem *result, /* Fill out SignedData object */ PORT_Memset(&sd, 0, sizeof(sd)); - sd.data.data = buf; + sd.data.data = (unsigned char*) buf; sd.data.len = len; sd.signature.data = it.data; sd.signature.len = it.len << 3; /* convert to bit string */ diff --git a/security/nss/lib/dev/ckhelper.c b/security/nss/lib/dev/ckhelper.c index 24d10bcc2ce..13988e259a1 100644 --- a/security/nss/lib/dev/ckhelper.c +++ b/security/nss/lib/dev/ckhelper.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: ckhelper.c,v $ $Revision: 1.40 $ $Date: 2010/01/08 02:00:58 $"; +static const char CVS_ID[] = "@(#) $RCSfile: ckhelper.c,v $ $Revision: 1.41 $ $Date: 2011/04/13 00:10:25 $"; #endif /* DEBUG */ #include "pkcs11.h" @@ -78,7 +78,7 @@ is_string_attribute ( PRBool isString; switch (aType) { case CKA_LABEL: - case CKA_NETSCAPE_EMAIL: + case CKA_NSS_EMAIL: isString = PR_TRUE; break; default: 
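Review bot: The key-type check in SGN_NewContext keeps the clause `!((key->keyType == dsaKey) && (keyType == fortezzaKey))`, so a DSA key is still accepted when the algorithm tag resolves to `fortezzaKey`, even though this commit removes the Fortezza cases from seckey.c. If some signature OIDs are still meant to resolve that way, a comment such as `/* legacy DSS OIDs still map to fortezzaKey; a DSA key is valid for them */` would say so. If none are, the clause is dead and the test can shrink to `if (key->keyType != keyType) {`. How `keyType` is derived from `alg` is outside the hunk, so which of the two applies needs checking against the lines above.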
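Review bot: In SEC_DerSignData the assignment `sd.data.data = (unsigned char*) buf;` casts away the `const` that the new signature has just added to `buf`. That is safe only while nothing writes through `sd.data`; the call that consumes `sd` is outside the hunk, so this is presumably the case but not shown. A one-line comment above the assignment, for example `/* sd is only read when encoded; buf is never written through this alias */`, would keep a later change from relying on the non-const pointer.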
@@ -401,14 +401,13 @@ get_nss_trust ( { nssTrustLevel t; switch (ckt) { - case CKT_NETSCAPE_UNTRUSTED: t = nssTrustLevel_NotTrusted; break; - case CKT_NETSCAPE_TRUSTED_DELEGATOR: t = nssTrustLevel_TrustedDelegator; + case CKT_NSS_NOT_TRUSTED: t = nssTrustLevel_NotTrusted; break; + case CKT_NSS_TRUSTED_DELEGATOR: t = nssTrustLevel_TrustedDelegator; break; - case CKT_NETSCAPE_VALID_DELEGATOR: t = nssTrustLevel_ValidDelegator; break; - case CKT_NETSCAPE_TRUSTED: t = nssTrustLevel_Trusted; break; - case CKT_NETSCAPE_VALID: t = nssTrustLevel_Valid; break; - case CKT_NETSCAPE_MUST_VERIFY: - case CKT_NETSCAPE_TRUST_UNKNOWN: + case CKT_NSS_VALID_DELEGATOR: t = nssTrustLevel_ValidDelegator; break; + case CKT_NSS_TRUSTED: t = nssTrustLevel_Trusted; break; + case CKT_NSS_MUST_VERIFY_TRUST: t = nssTrustLevel_MustVerify; break; + case CKT_NSS_TRUST_UNKNOWN: default: t = nssTrustLevel_Unknown; break; } @@ -432,10 +431,10 @@ nssCryptokiTrust_GetAttributes ( nssSession *session; CK_BBOOL isToken = PR_FALSE; CK_BBOOL stepUp = PR_FALSE; - CK_TRUST saTrust = CKT_NETSCAPE_TRUST_UNKNOWN; - CK_TRUST caTrust = CKT_NETSCAPE_TRUST_UNKNOWN; - CK_TRUST epTrust = CKT_NETSCAPE_TRUST_UNKNOWN; - CK_TRUST csTrust = CKT_NETSCAPE_TRUST_UNKNOWN; + CK_TRUST saTrust = CKT_NSS_TRUST_UNKNOWN; + CK_TRUST caTrust = CKT_NSS_TRUST_UNKNOWN; + CK_TRUST epTrust = CKT_NSS_TRUST_UNKNOWN; + CK_TRUST csTrust = CKT_NSS_TRUST_UNKNOWN; CK_ATTRIBUTE_PTR attr; CK_ATTRIBUTE trust_template[7]; CK_ULONG trust_size; @@ -453,7 +452,7 @@ nssCryptokiTrust_GetAttributes ( status = nssToken_GetCachedObjectAttributes(trustObject->token, NULL, trustObject, - CKO_NETSCAPE_TRUST, + CKO_NSS_TRUST, trust_template, trust_size); if (status != PR_SUCCESS) { session = sessionOpt ? 
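Review bot: The trust mapping in get_nss_trust changes meaning without a comment: `CKT_NSS_MUST_VERIFY_TRUST` used to fall through to `nssTrustLevel_Unknown` and now yields `nssTrustLevel_MustVerify`, and the arm for the former `CKT_NETSCAPE_VALID` is gone. The devt.h hunk gives `nssTrustLevel_MustVerify` the value 4 that `nssTrustLevel_Valid` had, and get_ck_trust in devtoken.c mirrors the change, so any code that stored or compared the numeric level would silently read the old "valid" as "must verify"; whether such code exists is not visible here. I would document this at the enum, e.g. `/* 4 was nssTrustLevel_Valid before NSS 3.13 */`, and add `/* unrecognised CK_TRUST values are treated as unknown */` on the `default:` arm so the fail-closed behaviour is explicit.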
@@ -510,10 +509,10 @@ nssCryptokiCRL_GetAttributes ( NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_VALUE); } if (urlOpt) { - NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NETSCAPE_URL); + NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NSS_URL); } if (isKRLOpt) { - NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NETSCAPE_KRL); + NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NSS_KRL); } if (subjectOpt) { NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_SUBJECT); @@ -522,7 +521,7 @@ nssCryptokiCRL_GetAttributes ( status = nssToken_GetCachedObjectAttributes(crlObject->token, NULL, crlObject, - CKO_NETSCAPE_CRL, + CKO_NSS_CRL, crl_template, crl_size); if (status != PR_SUCCESS) { session = sessionOpt ? diff --git a/security/nss/lib/dev/devt.h b/security/nss/lib/dev/devt.h index 317069e610b..5cb7e467bcb 100644 --- a/security/nss/lib/dev/devt.h +++ b/security/nss/lib/dev/devt.h @@ -38,7 +38,7 @@ #define DEVT_H #ifdef DEBUG -static const char DEVT_CVS_ID[] = "@(#) $RCSfile: devt.h,v $ $Revision: 1.24 $ $Date: 2010/01/08 02:00:58 $"; +static const char DEVT_CVS_ID[] = "@(#) $RCSfile: devt.h,v $ $Revision: 1.25 $ $Date: 2011/04/13 00:10:25 $"; #endif /* DEBUG */ /* @@ -143,7 +143,7 @@ typedef enum { nssTrustLevel_NotTrusted = 1, nssTrustLevel_Trusted = 2, nssTrustLevel_TrustedDelegator = 3, - nssTrustLevel_Valid = 4, + nssTrustLevel_MustVerify = 4, nssTrustLevel_ValidDelegator = 5 } nssTrustLevel; diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c index 08ba19849c5..f5edb3b6d34 100644 --- a/security/nss/lib/dev/devtoken.c +++ b/security/nss/lib/dev/devtoken.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.54 $ $Date: 2010/04/03 18:27:30 $"; +static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.56 $ $Date: 2011/07/12 21:29:20 $"; #endif /* DEBUG */ #include "pkcs11.h" 
@@ -522,7 +522,7 @@ nssToken_ImportCertificate ( NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject); NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER, serial); if (email) { - NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_EMAIL, email); + NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NSS_EMAIL, email); } NSS_CK_TEMPLATE_FINISH(cert_tmpl, attr, ctsize); /* see if the cert is already there */ @@ -714,7 +714,7 @@ nssToken_FindCertificatesByNickname ( /* XXX * This function *does not* use the token object cache, because not even - * the softoken will return a value for CKA_NETSCAPE_EMAIL from a call + * the softoken will return a value for CKA_NSS_EMAIL from a call * to GetAttributes. The softoken does allow searches with that attribute, * it just won't return a value for it. */ @@ -733,7 +733,7 @@ nssToken_FindCertificatesByEmail ( CK_ULONG etsize; nssCryptokiObject **objects; NSS_CK_TEMPLATE_START(email_template, attr, etsize); - NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_EMAIL, email); + NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NSS_EMAIL, email); /* Set the search to token/session only if provided */ if (searchType == nssTokenSearchType_SessionOnly) { NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false); 
@@ -1071,14 +1071,14 @@ get_ck_trust ( { CK_TRUST t; switch (nssTrust) { - case nssTrustLevel_NotTrusted: t = CKT_NETSCAPE_UNTRUSTED; break; - case nssTrustLevel_TrustedDelegator: t = CKT_NETSCAPE_TRUSTED_DELEGATOR; + case nssTrustLevel_NotTrusted: t = CKT_NSS_NOT_TRUSTED; break; + case nssTrustLevel_TrustedDelegator: t = CKT_NSS_TRUSTED_DELEGATOR; break; - case nssTrustLevel_ValidDelegator: t = CKT_NETSCAPE_VALID_DELEGATOR; break; - case nssTrustLevel_Trusted: t = CKT_NETSCAPE_TRUSTED; break; - case nssTrustLevel_Valid: t = CKT_NETSCAPE_VALID; break; + case nssTrustLevel_ValidDelegator: t = CKT_NSS_VALID_DELEGATOR; break; + case nssTrustLevel_Trusted: t = CKT_NSS_TRUSTED; break; + case nssTrustLevel_MustVerify: t = CKT_NSS_MUST_VERIFY_TRUST; break; case nssTrustLevel_Unknown: - default: t = CKT_NETSCAPE_TRUST_UNKNOWN; break; + default: t = CKT_NSS_TRUST_UNKNOWN; break; } return t; } @@ -1099,7 +1099,7 @@ nssToken_ImportTrust ( ) { nssCryptokiObject *object; - CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST; + CK_OBJECT_CLASS tobjc = CKO_NSS_TRUST; CK_TRUST ckSA, ckCA, ckCS, ckEP; CK_ATTRIBUTE_PTR attr; CK_ATTRIBUTE trust_tmpl[11]; @@ -1158,7 +1158,7 @@ nssToken_FindTrustForCertificate ( nssTokenSearchType searchType ) { - CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST; + CK_OBJECT_CLASS tobjc = CKO_NSS_TRUST; CK_ATTRIBUTE_PTR attr; CK_ATTRIBUTE tobj_template[5]; CK_ULONG tobj_size; @@ -1172,9 +1172,7 @@ nssToken_FindTrustForCertificate ( } NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size); - if (searchType == nssTokenSearchType_SessionOnly) { - NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false); - } else if (searchType == nssTokenSearchType_TokenOnly) { + if (searchType == nssTokenSearchType_TokenOnly) { NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true); } NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, tobjc); 
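Review bot: In nssToken_FindTrustForCertificate the `nssTokenSearchType_SessionOnly` branch that set `CKA_TOKEN` to `g_ck_false` is removed, so a session-only request now builds the same unrestricted template as a search with no type and can match token objects too. nssToken_FindCertificatesByEmail, visible as context earlier in this file's diff, still filters session-only searches, so the two lookups now disagree. If that is intended for trust objects, say so where the branch was, e.g. `/* SessionOnly is deliberately not filtered on CKA_TOKEN for trust objects */`, together with the reason. The function's body starts and ends outside the hunk.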
@@ -1203,7 +1201,7 @@ nssToken_ImportCRL ( ) { nssCryptokiObject *object; - CK_OBJECT_CLASS crlobjc = CKO_NETSCAPE_CRL; + CK_OBJECT_CLASS crlobjc = CKO_NSS_CRL; CK_ATTRIBUTE_PTR attr; CK_ATTRIBUTE crl_tmpl[6]; CK_ULONG crlsize; @@ -1217,11 +1215,11 @@ nssToken_ImportCRL ( NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, crlobjc); NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject); NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE, encoding); - NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_URL, url); + NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NSS_URL, url); if (isKRL) { - NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NETSCAPE_KRL, &g_ck_true); + NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NSS_KRL, &g_ck_true); } else { - NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NETSCAPE_KRL, &g_ck_false); + NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NSS_KRL, &g_ck_false); } NSS_CK_TEMPLATE_FINISH(crl_tmpl, attr, crlsize); @@ -1244,7 +1242,7 @@ nssToken_FindCRLsBySubject ( PRStatus *statusOpt ) { - CK_OBJECT_CLASS crlobjc = CKO_NETSCAPE_CRL; + CK_OBJECT_CLASS crlobjc = CKO_NSS_CRL; CK_ATTRIBUTE_PTR attr; CK_ATTRIBUTE crlobj_template[3]; CK_ULONG crlobj_size; diff --git a/security/nss/lib/freebl/Makefile b/security/nss/lib/freebl/Makefile index 6e52bb9b11a..c807ec2ea5d 100644 --- a/security/nss/lib/freebl/Makefile +++ b/security/nss/lib/freebl/Makefile 
@@ -82,10 +82,48 @@ ifeq ($(FREEBL_NO_DEPEND),1) else MAPFILE_SOURCE = freebl.def endif + +# FREEBL_USE_PRELINK +# +# Most modern version of Linux support a speed optimization scheme where an +# application called prelink modifies programs and shared libraries to quickly +# load if they fit into an already designed address space. In short, prelink +# scans the list of programs and libraries on your system, assigns them a +# predefined space in the the address space, then provides the fixups to the +# library. +# +# The modification of the shared library is correctly detected by the freebl +# FIPS checksum scheme where we check a signed hash of the library against the +# library itself. +# +# The prelink command itself can reverse the process of modification and output +# the prestine shared library as it was before prelink made it's changes. +# This option tells Freebl could use prelink to output the original copy of +# the shared library before prelink modified it. +# +# FREEBL_PRELINK_COMMAND +# +# This is an optional environment variable which can override the default +# prelink command. It could be used on systems that did something similiar to +# prelink but used a different command and syntax. The only requirement is the +# program must take the library as the last argument, the program must output +# the original library to standard out, and the program does not need to take +# any quoted or imbedded spaces in its arguments (except the path to the +# library itself, which can have imbedded spaces or special characters). 
+# +ifdef FREEBL_USE_PRELINK + DEFINES += -DFREEBL_USE_PRELINK +ifdef LINUX + DEFINES += -D__GNU_SOURCE=1 +endif +endif +ifdef FREEBL_PRELINK_COMMAND + DEFINES +=-DFREEBL_PRELINK_COMMAND=\"$(FREEBL_PRELINK_COMMAND)\" +endif # NSS_X86 means the target is a 32-bits x86 CPU architecture # NSS_X64 means the target is a 64-bits x64 CPU architecture # NSS_X86_OR_X64 means the target is either x86 or x64 -ifeq (,$(filter-out x386 x86 x86_64,$(CPU_ARCH))) +ifeq (,$(filter-out i386 x386 x86 x86_64,$(CPU_ARCH))) DEFINES += -DNSS_X86_OR_X64 ifdef USE_64 DEFINES += -DNSS_X64 @@ -180,6 +218,12 @@ ifeq ($(CPU_ARCH),x86) # The floating point ECC code doesn't work on Linux x86 (bug 311432). #ECL_USE_FP = 1 endif +ifeq ($(CPU_ARCH),arm) + DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE + DEFINES += -DMP_USE_UINT_DIGIT + DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512 + MPI_SRCS += mpi_arm.c +endif endif # Linux ifeq ($(OS_TARGET),AIX) @@ -215,12 +259,14 @@ else MPI_SRCS += mpi_hp.c ASFILES += hpma512.s hppa20.s DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE +ifndef NS_USE_GCC ARCHFLAG = -Aa +e +DA2.0 +DS2.0 endif endif endif endif endif +endif # The blapi functions are defined not only in the freebl shared # libraries but also in the shared libraries linked with loader.c diff --git a/security/nss/lib/freebl/blapi.h b/security/nss/lib/freebl/blapi.h index bfe23f8353b..3a7cf3d9f9e 100644 --- a/security/nss/lib/freebl/blapi.h +++ b/security/nss/lib/freebl/blapi.h @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: blapi.h,v 1.33.22.2 2010/12/04 18:59:01 rrelyea%redhat.com Exp $ */ +/* $Id: blapi.h,v 1.41 2010/12/06 17:22:49 kaie%kuix.de Exp $ */ #ifndef _BLAPI_H_ #define _BLAPI_H_ 
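Review bot: The new FREEBL_PRELINK_COMMAND comment does not say that the value must be an absolute path to a trusted program, although `DEFINES +=-DFREEBL_PRELINK_COMMAND=\"$(FREEBL_PRELINK_COMMAND)\"` compiles it verbatim into a C string literal and, per the same comment block, that program's output is what the FIPS library check hashes. I would add a line such as `# Must be an absolute path without quotes or backslashes; its output is what the integrity check verifies.` Separately, `-D__GNU_SOURCE=1` is probably meant to be `-D_GNU_SOURCE=1`, which is the feature-test macro glibc recognises; the double-underscore spelling enables nothing there. The comment block also has typos worth fixing while here (`the the`, `prestine`, `similiar`, `imbedded`).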
@@ -1089,6 +1089,24 @@ extern void SHA1_Clone(SHA1Context *dest, SHA1Context *src); /******************************************/ +extern SHA224Context *SHA224_NewContext(void); +extern void SHA224_DestroyContext(SHA224Context *cx, PRBool freeit); +extern void SHA224_Begin(SHA224Context *cx); +extern void SHA224_Update(SHA224Context *cx, const unsigned char *input, + unsigned int inputLen); +extern void SHA224_End(SHA224Context *cx, unsigned char *digest, + unsigned int *digestLen, unsigned int maxDigestLen); +extern SECStatus SHA224_HashBuf(unsigned char *dest, const unsigned char *src, + uint32 src_length); +extern SECStatus SHA224_Hash(unsigned char *dest, const char *src); +extern void SHA224_TraceState(SHA224Context *cx); +extern unsigned int SHA224_FlattenSize(SHA224Context *cx); +extern SECStatus SHA224_Flatten(SHA224Context *cx,unsigned char *space); +extern SHA224Context * SHA224_Resurrect(unsigned char *space, void *arg); +extern void SHA224_Clone(SHA224Context *dest, SHA224Context *src); + +/******************************************/ + extern SHA256Context *SHA256_NewContext(void); extern void SHA256_DestroyContext(SHA256Context *cx, PRBool freeit); extern void SHA256_Begin(SHA256Context *cx); @@ -1142,13 +1160,17 @@ extern SHA384Context * SHA384_Resurrect(unsigned char *space, void *arg); extern void SHA384_Clone(SHA384Context *dest, SHA384Context *src); /**************************************** - * implement TLS Pseudo Random Function (PRF) + * implement TLS 1.0 Pseudo Random Function (PRF) and TLS P_hash function */ extern SECStatus TLS_PRF(const SECItem *secret, const char *label, SECItem *seed, SECItem *result, PRBool isFIPS); +extern SECStatus +TLS_P_hash(HASH_HashType hashAlg, const SECItem *secret, const char *label, + SECItem *seed, SECItem *result, PRBool isFIPS); + /******************************************/ /* ** Pseudo Random Number Generation. FIPS compliance desirable. 
@@ -1235,6 +1257,12 @@ PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len, extern SECStatus PRNGTEST_Uninstantiate(void); +/* + * Mask generation function MGF1 + */ +extern SECStatus +MGF1(HASH_HashType hashAlg, unsigned char *mask, unsigned int maskLen, + const unsigned char *mgfSeed, unsigned int mgfSeedLen); /* Generate PQGParams and PQGVerify structs. * Length of seed and length of h both equal length of P. @@ -1307,6 +1335,11 @@ extern void BL_Unload(void); **************************************************************************/ PRBool BLAPI_SHVerify(const char *name, PRFuncPtr addr); +/************************************************************************** + * Verify a given filename's signature * + **************************************************************************/ +PRBool BLAPI_SHVerifyFile(const char *shName); + /************************************************************************** * Verify Are Own Shared library signature * **************************************************************************/ diff --git a/security/nss/lib/freebl/blapii.h b/security/nss/lib/freebl/blapii.h index a92420f4733..8d636e87ff3 100644 --- a/security/nss/lib/freebl/blapii.h +++ b/security/nss/lib/freebl/blapii.h @@ -42,11 +42,11 @@ SEC_BEGIN_PROTOS -#if defined(XP_UNIX) && !defined(NO_CHECK_FORK) +#if defined(XP_UNIX) && !defined(NO_FORK_CHECK) -extern PRBool parentForkedAfterC_Initialize; +extern PRBool bl_parentForkedAfterC_Initialize; -#define SKIP_AFTER_FORK(x) if (!parentForkedAfterC_Initialize) x +#define SKIP_AFTER_FORK(x) if (!bl_parentForkedAfterC_Initialize) x #else diff --git a/security/nss/lib/freebl/blapit.h b/security/nss/lib/freebl/blapit.h index af4ed12b603..83a60edc35d 100644 --- a/security/nss/lib/freebl/blapit.h +++ b/security/nss/lib/freebl/blapit.h 
@@ -38,7 +38,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: blapit.h,v 1.22.22.1 2011/03/16 18:49:45 alexei.volkov.bugs%sun.com Exp $ */ +/* $Id: blapit.h,v 1.24 2011/03/16 18:37:41 alexei.volkov.bugs%sun.com Exp $ */ #ifndef _BLAPIT_H_ #define _BLAPIT_H_ @@ -106,6 +106,7 @@ #define MD2_BLOCK_LENGTH 64 /* bytes */ #define MD5_BLOCK_LENGTH 64 /* bytes */ #define SHA1_BLOCK_LENGTH 64 /* bytes */ +#define SHA224_BLOCK_LENGTH 64 /* bytes */ #define SHA256_BLOCK_LENGTH 64 /* bytes */ #define SHA384_BLOCK_LENGTH 128 /* bytes */ #define SHA512_BLOCK_LENGTH 128 /* bytes */ @@ -206,6 +207,8 @@ typedef struct MD2ContextStr MD2Context; typedef struct MD5ContextStr MD5Context; typedef struct SHA1ContextStr SHA1Context; typedef struct SHA256ContextStr SHA256Context; +/* SHA224Context is really a SHA256ContextStr. This is not a mistake. */ +typedef struct SHA256ContextStr SHA224Context; typedef struct SHA512ContextStr SHA512Context; /* SHA384Context is really a SHA512ContextStr. This is not a mistake. */ typedef struct SHA512ContextStr SHA384Context; diff --git a/security/nss/lib/freebl/camellia.c b/security/nss/lib/freebl/camellia.c index 1379ec24d86..570d225aaf3 100644 --- a/security/nss/lib/freebl/camellia.c +++ b/security/nss/lib/freebl/camellia.c @@ -36,7 +36,7 @@ * ***** END LICENSE BLOCK ***** */ /* - * $Id: camellia.c,v 1.3 2010/04/30 00:10:53 wtc%google.com Exp $ + * $Id: camellia.c,v 1.4 2010/07/20 01:26:02 wtc%google.com Exp $ */ #ifdef FREEBL_NO_DEPEND @@ -50,6 +50,7 @@ #include "prtypes.h" #include "blapi.h" #include "camellia.h" +#include "sha_fast.h" /* for SHA_HTONL and related configuration macros */ /* key constants */ 
@@ -72,15 +73,18 @@ */ -#if defined(_MSC_VER) && defined(NSS_X86_OR_X64) +#if defined(SHA_ALLOW_UNALIGNED_ACCESS) -/* require a little-endian CPU that allows unaligned access */ +/* require a CPU that allows unaligned access */ -# define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00) -# define GETU32(p) SWAP(*((PRUint32 *)(p))) -# define PUTU32(ct, st) {*((PRUint32 *)(ct)) = SWAP((st));} +#if defined(SHA_NEED_TMP_VARIABLE) +#define CAMELLIA_NEED_TMP_VARIABLE 1 +#endif -#else /* not MSVC or not x86/x64 */ +# define GETU32(p) SHA_HTONL(*((PRUint32 *)(p))) +# define PUTU32(ct, st) {*((PRUint32 *)(ct)) = SHA_HTONL(st);} + +#else /* no unaligned access */ # define GETU32(pt) \ (((PRUint32)(pt)[0] << 24) \ @@ -473,6 +477,9 @@ void camellia_setup128(const unsigned char *key, PRUint32 *subkey) PRUint32 kw4l, kw4r, dw, tl, tr; PRUint32 subL[26]; PRUint32 subR[26]; +#if defined(CAMELLIA_NEED_TMP_VARIABLE) + PRUint32 tmp; +#endif /** * k == kll || klr || krl || krr (|| is concatination) @@ -685,6 +692,9 @@ void camellia_setup256(const unsigned char *key, PRUint32 *subkey) PRUint32 kw4l, kw4r, dw, tl, tr; PRUint32 subL[34]; PRUint32 subR[34]; +#if defined(CAMELLIA_NEED_TMP_VARIABLE) + PRUint32 tmp; +#endif /** * key = (kll || klr || krl || krr || krll || krlr || krrl || krrr) @@ -991,6 +1001,9 @@ camellia_encrypt128(const PRUint32 *subkey, { PRUint32 il, ir, t0, t1; PRUint32 io[4]; +#if defined(CAMELLIA_NEED_TMP_VARIABLE) + PRUint32 tmp; +#endif io[0] = GETU32(input); io[1] = GETU32(input+4); @@ -1095,6 +1108,9 @@ camellia_decrypt128(const PRUint32 *subkey, { PRUint32 il,ir,t0,t1; /* temporary valiables */ PRUint32 io[4]; +#if defined(CAMELLIA_NEED_TMP_VARIABLE) + PRUint32 tmp; +#endif io[0] = GETU32(input); io[1] = GETU32(input+4); 
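Review bot: The new `GETU32`/`PUTU32` definitions under `SHA_ALLOW_UNALIGNED_ACCESS` read and write the byte buffers through a `PRUint32 *` cast, which is a strict-aliasing violation in C even on CPUs that tolerate the unaligned load. The old code did this only for MSVC; keyed on a macro from sha_fast.h, it presumably now applies to GCC builds as well, where the optimizer may assume the accesses do not alias. Either document the build requirement next to the macros, e.g. `/* relies on -fno-strict-aliasing */`, or copy through `memcpy` into a local `PRUint32` before applying `SHA_HTONL`.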
@@ -1202,6 +1218,9 @@ camellia_encrypt256(const PRUint32 *subkey, { PRUint32 il,ir,t0,t1; /* temporary valiables */ PRUint32 io[4]; +#if defined(CAMELLIA_NEED_TMP_VARIABLE) + PRUint32 tmp; +#endif io[0] = GETU32(input); io[1] = GETU32(input+4); @@ -1330,6 +1349,9 @@ camellia_decrypt256(const PRUint32 *subkey, { PRUint32 il,ir,t0,t1; /* temporary valiables */ PRUint32 io[4]; +#if defined(CAMELLIA_NEED_TMP_VARIABLE) + PRUint32 tmp; +#endif io[0] = GETU32(input); io[1] = GETU32(input+4); diff --git a/security/nss/lib/freebl/des.c b/security/nss/lib/freebl/des.c index a3541ba7a7a..7ed2203041f 100644 --- a/security/nss/lib/freebl/des.c +++ b/security/nss/lib/freebl/des.c @@ -408,6 +408,19 @@ static const HALF PC2[8][64] = { #pragma intrinsic(_byteswap_ulong) #define BYTESWAP(word, temp) \ word = _byteswap_ulong(word); +#elif defined(__GNUC__) && (defined(__thumb2__) || \ + (!defined(__thumb__) && \ + (defined(__ARM_ARCH_6__) || \ + defined(__ARM_ARCH_6J__) || \ + defined(__ARM_ARCH_6K__) || \ + defined(__ARM_ARCH_6Z__) || \ + defined(__ARM_ARCH_6ZK__) || \ + defined(__ARM_ARCH_6T2__) || \ + defined(__ARM_ARCH_7__) || \ + defined(__ARM_ARCH_7A__) || \ + defined(__ARM_ARCH_7R__)))) +#define BYTESWAP(word, temp) \ + __asm("rev %0, %0" : "+r" (word)); #else #define BYTESWAP(word, temp) \ word = (word >> 16) | (word << 16); \ diff --git a/security/nss/lib/freebl/dh.c b/security/nss/lib/freebl/dh.c index 25d3482a331..2569de05dd6 100644 --- a/security/nss/lib/freebl/dh.c +++ b/security/nss/lib/freebl/dh.c @@ -38,7 +38,7 @@ * Diffie-Hellman parameter generation, key generation, and secret derivation. * KEA secret generation and verification. * - * $Id: dh.c,v 1.8 2008/11/18 19:48:22 rrelyea%redhat.com Exp $ + * $Id: dh.c,v 1.9 2010/07/20 01:26:02 wtc%google.com Exp $ */ #ifdef FREEBL_NO_DEPEND #include "stubs.h" 
@@ -219,7 +219,8 @@ DH_Derive(SECItem *publicValue, { mp_int p, Xa, Yb, ZZ; mp_err err = MP_OKAY; - unsigned int len = 0, nb; + int len = 0; + unsigned int nb; unsigned char *secret = NULL; if (!publicValue || !prime || !privateValue || !derivedSecret) { PORT_SetError(SEC_ERROR_INVALID_ARGS); @@ -241,6 +242,10 @@ DH_Derive(SECItem *publicValue, CHECK_MPI_OK( mp_exptmod(&Yb, &Xa, &p, &ZZ) ); /* number of bytes in the derived secret */ len = mp_unsigned_octet_size(&ZZ); + if (len <= 0) { + err = MP_BADARG; + goto cleanup; + } /* allocate a buffer which can hold the entire derived secret. */ secret = PORT_Alloc(len); /* grab the derived secret */ diff --git a/security/nss/lib/freebl/dsa.c b/security/nss/lib/freebl/dsa.c index ac5606e1f73..de5896ba740 100644 --- a/security/nss/lib/freebl/dsa.c +++ b/security/nss/lib/freebl/dsa.c @@ -35,7 +35,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: dsa.c,v 1.20.22.1 2010/12/04 18:59:01 rrelyea%redhat.com Exp $ */ +/* $Id: dsa.c,v 1.21 2010/12/04 18:57:16 rrelyea%redhat.com Exp $ */ #ifdef FREEBL_NO_DEPEND #include "stubs.h" diff --git a/security/nss/lib/freebl/ec.c b/security/nss/lib/freebl/ec.c index afd06252fe4..9c74375b478 100644 --- a/security/nss/lib/freebl/ec.c +++ b/security/nss/lib/freebl/ec.c @@ -248,6 +248,7 @@ ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey, #if EC_DEBUG printf("ec_NewKey called\n"); #endif + MP_DIGITS(&k) = 0; if (!ecParams || !privKey || !privKeyBytes || (privKeyLen < 0)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); @@ -316,7 +317,6 @@ ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey, } /* Compute corresponding public key */ - MP_DIGITS(&k) = 0; CHECK_MPI_OK( mp_init(&k) ); CHECK_MPI_OK( mp_read_unsigned_octets(&k, key->privateValue.data, (mp_size) len) ); 
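Review bot: DH_Derive now rejects `len <= 0`, but the allocation that follows, `secret = PORT_Alloc(len);`, has no visible NULL check. The hunk ends at the `/* grab the derived secret */` comment, so the check may exist just below. If it does not, add `if (secret == NULL) { err = MP_MEM; goto cleanup; }` right after the allocation so an allocation failure cannot reach the octet conversion. The function's body continues outside the hunk.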
@@ -578,12 +578,12 @@ ECDH_Derive(SECItem *publicValue, return SECFailure; } + MP_DIGITS(&k) = 0; memset(derivedSecret, 0, sizeof *derivedSecret); len = (ecParams->fieldID.size + 7) >> 3; pointQ.len = 2*len + 1; if ((pointQ.data = PORT_Alloc(2*len + 1)) == NULL) goto cleanup; - MP_DIGITS(&k) = 0; CHECK_MPI_OK( mp_init(&k) ); CHECK_MPI_OK( mp_read_unsigned_octets(&k, privateValue->data, (mp_size) privateValue->len) ); @@ -655,6 +655,7 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, SECItem kGpoint = { siBuffer, NULL, 0}; int flen = 0; /* length in bytes of the field size */ unsigned olen; /* length in bytes of the base point order */ + unsigned obits; /* length in bits of the base point order */ #if EC_DEBUG char mpstr[256]; @@ -697,6 +698,7 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, SECITEM_TO_MPINT( ecParams->order, &n ); SECITEM_TO_MPINT( key->privateValue, &d ); + CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, kblen) ); /* Make sure k is in the interval [1, n-1] */ if ((mp_cmp_z(&k) <= 0) || (mp_cmp(&k, &n) >= 0)) { @@ -758,8 +760,9 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, /* In the definition of EC signing, digests are truncated * to the length of n in bits. * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/ - if (digest->len*8 > ecParams->fieldID.size) { - mpl_rsh(&s,&s,digest->len*8 - ecParams->fieldID.size); + CHECK_MPI_OK( (obits = mpl_significant_bits(&n)) ); + if (digest->len*8 > obits) { + mpl_rsh(&s,&s,digest->len*8 - obits); } #if EC_DEBUG @@ -898,6 +901,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature, int slen; /* length in bytes of a half signature (r or s) */ int flen; /* length in bytes of the field size */ unsigned olen; /* length in bytes of the base point order */ + unsigned obits; /* length in bits of the base point order */ #if EC_DEBUG char mpstr[256]; 
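Review bot: `CHECK_MPI_OK( (obits = mpl_significant_bits(&n)) );` in ECDSA_SignDigestWithSeed wraps a call that returns a bit count, not a status; assuming the macro stores its argument in `err`, as its other uses here suggest, `err` holds a positive length until the next MPI call overwrites it. That works only by accident of ordering, and any cleanup path that tests `err` for non-zero would treat it as a failure. Assign separately instead: `err = mpl_significant_bits(&n); if (err < 0) goto cleanup;` followed by `obits = (unsigned)err; err = MP_OKAY;`. The same line is added in the ECDSA_VerifyDigest hunk further down. Both function bodies extend beyond their hunks.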
@@ -979,8 +983,9 @@ ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature, /* In the definition of EC signing, digests are truncated * to the length of n in bits. * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/ - if (digest->len*8 > ecParams->fieldID.size) { /* u1 = HASH(M') */ - mpl_rsh(&u1,&u1,digest->len*8- ecParams->fieldID.size); + CHECK_MPI_OK( (obits = mpl_significant_bits(&n)) ); + if (digest->len*8 > obits) { /* u1 = HASH(M') */ + mpl_rsh(&u1,&u1,digest->len*8 - obits); } #if EC_DEBUG diff --git a/security/nss/lib/freebl/ecl/ecp_mont.c b/security/nss/lib/freebl/ecl/ecp_mont.c index c8829b6d157..c64bc18a771 100644 --- a/security/nss/lib/freebl/ecl/ecp_mont.c +++ b/security/nss/lib/freebl/ecl/ecp_mont.c @@ -77,9 +77,6 @@ GFMethod_consGFp_mont(const mp_int *irr) meth->extra_free = &ec_GFp_extra_free_mont; mmm->N = meth->irr; - i = mpl_significant_bits(&meth->irr); - i += MP_DIGIT_BIT - 1; - mmm->b = i - i % MP_DIGIT_BIT; mmm->n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(&meth->irr, 0)); CLEANUP: @@ -160,7 +157,8 @@ ec_GFp_enc_mont(const mp_int *a, mp_int *r, const GFMethod *meth) mp_err res = MP_OKAY; mmm = (mp_mont_modulus *) meth->extra1; - MP_CHECKOK(mpl_lsh(a, r, mmm->b)); + MP_CHECKOK(mp_copy(a, r)); + MP_CHECKOK(s_mp_lshd(r, MP_USED(&mmm->N))); MP_CHECKOK(mp_mod(r, &mmm->N, r)); CLEANUP: return res; diff --git a/security/nss/lib/freebl/hasht.h b/security/nss/lib/freebl/hasht.h index fd2332a9606..30f9ad5012e 100644 --- a/security/nss/lib/freebl/hasht.h +++ b/security/nss/lib/freebl/hasht.h @@ -33,7 +33,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: hasht.h,v 1.7 2008/12/10 22:48:03 wtchang%redhat.com Exp $ */ +/* $Id: hasht.h,v 1.8 2010/08/18 05:54:57 emaldona%redhat.com Exp $ */ #ifndef _HASHT_H_ #define _HASHT_H_ @@ -54,6 +54,7 @@ typedef enum { HASH_AlgSHA256 = 4, HASH_AlgSHA384 = 5, HASH_AlgSHA512 = 6, + HASH_AlgSHA224 = 7, HASH_AlgTOTAL } HASH_HashType; 
@@ -63,6 +64,7 @@ typedef enum { #define MD2_LENGTH 16 #define MD5_LENGTH 16 #define SHA1_LENGTH 20 +#define SHA224_LENGTH 28 #define SHA256_LENGTH 32 #define SHA384_LENGTH 48 #define SHA512_LENGTH 64 diff --git a/security/nss/lib/freebl/ldvector.c b/security/nss/lib/freebl/ldvector.c index a4e683c81e8..b8548d86a8d 100644 --- a/security/nss/lib/freebl/ldvector.c +++ b/security/nss/lib/freebl/ldvector.c @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: ldvector.c,v 1.21.22.3 2010/12/04 18:59:01 rrelyea%redhat.com Exp $ */ +/* $Id: ldvector.c,v 1.28 2010/12/06 17:22:49 kaie%kuix.de Exp $ */ #ifdef FREEBL_NO_DEPEND extern int FREEBL_InitStubs(void); @@ -257,6 +257,7 @@ static const struct FREEBLVectorStr vector = PRNGTEST_Instantiate, PRNGTEST_Reseed, PRNGTEST_Generate, + PRNGTEST_Uninstantiate, /* End of Version 3.011. */ @@ -270,7 +271,25 @@ static const struct FREEBLVectorStr vector = JPAKE_Round2, JPAKE_Final, - /* End of Version 3.012. */ + /* End of Version 3.012 */ + + MGF1, + TLS_P_hash, + SHA224_NewContext, + SHA224_DestroyContext, + SHA224_Begin, + SHA224_Update, + SHA224_End, + SHA224_HashBuf, + SHA224_Hash, + SHA224_TraceState, + SHA224_FlattenSize, + SHA224_Flatten, + SHA224_Resurrect, + SHA224_Clone, + BLAPI_SHVerifyFile + + /* End of Version 3.013 */ }; const FREEBLVector * diff --git a/security/nss/lib/freebl/loader.c b/security/nss/lib/freebl/loader.c index 2bcf1352e9f..5e9d8aa8109 100644 --- a/security/nss/lib/freebl/loader.c +++ b/security/nss/lib/freebl/loader.c @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: loader.c,v 1.44.22.2 2010/12/04 18:59:01 rrelyea%redhat.com Exp $ */ +/* $Id: loader.c,v 1.53 2011/01/15 19:54:49 nelson%bolyard.com Exp $ */ #include "loader.h" #include "prmem.h" 
@@ -122,7 +122,7 @@ getLibName(void) long cpu = sysconf(_SC_CPU_VERSION); return (cpu == CPU_PA_RISC2_0) ? "libfreebl_32fpu_3.sl" - : "libfreebl_32int32_3.sl" ; + : "libfreebl_32int_3.sl" ; } #else /* default case, for platforms/ABIs that have only one freebl shared lib. */ @@ -1261,13 +1261,14 @@ BLAPI_SHVerify(const char *name, PRFuncPtr addr) /* * The Caller is expected to pass NULL as the name, which will - * trigger the p_BLAPI_VerifySelf() to return 'TRUE'. If we really loaded - * from a shared library, BLAPI_VerifySelf will get pick up the real name - * from the static set in freebl_LoadDSO( void ) + * trigger the p_BLAPI_VerifySelf() to return 'TRUE'. Pass the real + * name of the shared library we loaded (the static libraryName set + * in freebl_LoadDSO) to p_BLAPI_VerifySelf. */ PRBool BLAPI_VerifySelf(const char *name) { + PORT_Assert(!name); if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) return PR_FALSE; return vector->p_BLAPI_VerifySelf(libraryName); @@ -1712,6 +1713,7 @@ RSA_PopulatePrivateKey(RSAPrivateKey *key) return (vector->p_RSA_PopulatePrivateKey)(key); } + SECStatus JPAKE_Sign(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType, const SECItem * signerID, const SECItem * x, 
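Review bot: `PORT_Assert(!name)` in BLAPI_VerifySelf is the only thing enforcing the NULL-name contract, and assertions are normally compiled out of optimized builds, so there a non-NULL `name` would be silently ignored and `libraryName` verified instead. Because this is the library's self-integrity check, the comment should say so explicitly, e.g. `* The name argument is ignored; the library recorded by freebl_LoadDSO is always the one verified.` The rewritten comment also reads as contradictory: it still opens by saying a NULL name makes p_BLAPI_VerifySelf() return 'TRUE', then says the real library name is passed through.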
@@ -1755,3 +1757,127 @@ JPAKE_Final(PLArenaPool * arena, const SECItem * p, const SECItem *q, return SECFailure; return (vector->p_JPAKE_Final)(arena, p, q, x2, gx4, x2s, B, K); } + +SECStatus +MGF1(HASH_HashType hashAlg, unsigned char *mask, unsigned int maskLen, + const unsigned char *mgfSeed, unsigned int mgfSeedLen) +{ + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return SECFailure; + return (vector->p_MGF1)(hashAlg, mask, maskLen, mgfSeed, mgfSeedLen); +} + +SECStatus +TLS_P_hash(HASH_HashType hashAlg, const SECItem *secret, const char *label, + SECItem *seed, SECItem *result, PRBool isFIPS) +{ + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return SECFailure; + return (vector->p_TLS_P_hash)(hashAlg, secret, label, seed, result, isFIPS); +} + +SECStatus +SHA224_Hash(unsigned char *dest, const char *src) +{ + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return SECFailure; + return (vector->p_SHA224_Hash)(dest, src); +} + +SECStatus +SHA224_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length) +{ + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return SECFailure; + return (vector->p_SHA224_HashBuf)(dest, src, src_length); +} + +SHA224Context * +SHA224_NewContext(void) +{ + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return NULL; + return (vector->p_SHA224_NewContext)(); +} + +void +SHA224_DestroyContext(SHA224Context *cx, PRBool freeit) +{ + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return; + (vector->p_SHA224_DestroyContext)(cx, freeit); +} + +void +SHA224_Begin(SHA256Context *cx) +{ + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return; + (vector->p_SHA224_Begin)(cx); +} + +void +SHA224_Update(SHA224Context *cx, const unsigned char *input, + unsigned int inputLen) +{ + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return; + (vector->p_SHA224_Update)(cx, input, inputLen); +} + +void +SHA224_End(SHA224Context *cx, unsigned char *digest, + unsigned int *digestLen, 
unsigned int maxDigestLen) +{ + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return; + (vector->p_SHA224_End)(cx, digest, digestLen, maxDigestLen); +} + +void +SHA224_TraceState(SHA224Context *cx) +{ + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return; + (vector->p_SHA224_TraceState)(cx); +} + +unsigned int +SHA224_FlattenSize(SHA224Context *cx) +{ + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return 0; + return (vector->p_SHA224_FlattenSize)(cx); +} + +SECStatus +SHA224_Flatten(SHA224Context *cx,unsigned char *space) +{ + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return SECFailure; + return (vector->p_SHA224_Flatten)(cx, space); +} + +SHA224Context * +SHA224_Resurrect(unsigned char *space, void *arg) +{ + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return NULL; + return (vector->p_SHA224_Resurrect)(space, arg); +} + +void +SHA224_Clone(SHA224Context *dest, SHA224Context *src) +{ + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return; + (vector->p_SHA224_Clone)(dest, src); +} + +PRBool +BLAPI_SHVerifyFile(const char *name) +{ + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return PR_FALSE; + return vector->p_BLAPI_SHVerifyFile(name); +} diff --git a/security/nss/lib/freebl/loader.h b/security/nss/lib/freebl/loader.h index d846be6877b..ed63bf3a748 100644 --- a/security/nss/lib/freebl/loader.h +++ b/security/nss/lib/freebl/loader.h @@ -37,14 +37,14 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: loader.h,v 1.26.22.2 2010/12/04 18:59:01 rrelyea%redhat.com Exp $ */ +/* $Id: loader.h,v 1.34 2011/03/29 15:12:44 wtc%google.com Exp $ */ #ifndef _LOADER_H_ #define _LOADER_H_ 1 #include "blapi.h" -#define FREEBL_VERSION 0x030C +#define FREEBL_VERSION 0x030D struct FREEBLVectorStr { 
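Review bot: The wrapper `SHA224_Begin` is declared with `SHA256Context *cx`, while every other SHA224 wrapper in this hunk and the `p_SHA224_Begin` slot in loader.h take `SHA224Context *`. It presumably compiles only because the two context types are aliases; the signature should read `SHA224_Begin(SHA224Context *cx)`. Separately, the void wrappers return silently when freebl_RunLoaderOnce() fails, so after a failed load `SHA224_End` leaves `digest` and `*digestLen` unwritten and the caller cannot tell. If that follows the file's existing convention it at least deserves a comment on the wrapper, e.g. `/* on loader failure the outputs are left untouched */`.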
@@ -541,7 +541,6 @@ struct FREEBLVectorStr { SECStatus (* p_PRNGTEST_Uninstantiate)(void); /* Version 3.011 came to here */ - SECStatus (*p_RSA_PopulatePrivateKey)(RSAPrivateKey *key); SECStatus (*p_DSA_NewRandom)(PLArenaPool * arena, const SECItem * q, @@ -568,8 +567,38 @@ struct FREEBLVectorStr { const SECItem *q, const SECItem * x2, const SECItem * gx4, const SECItem * x2s, const SECItem * B, SECItem * K); - - /* Version 3.012 came to here */ + + /* Version 3.012 came to here */ + + SECStatus (* p_MGF1)(HASH_HashType hashAlg, + unsigned char *mask, unsigned int maskLen, + const unsigned char *mgfSeed, unsigned int mgfSeedLen); + + SECStatus (* p_TLS_P_hash)(HASH_HashType hashAlg, + const SECItem *secret, + const char *label, + SECItem *seed, + SECItem *result, + PRBool isFIPS); + + SHA224Context *(*p_SHA224_NewContext)(void); + void (* p_SHA224_DestroyContext)(SHA224Context *cx, PRBool freeit); + void (* p_SHA224_Begin)(SHA224Context *cx); + void (* p_SHA224_Update)(SHA224Context *cx, const unsigned char *input, + unsigned int inputLen); + void (* p_SHA224_End)(SHA224Context *cx, unsigned char *digest, + unsigned int *digestLen, unsigned int maxDigestLen); + SECStatus (*p_SHA224_HashBuf)(unsigned char *dest, const unsigned char *src, + uint32 src_length); + SECStatus (*p_SHA224_Hash)(unsigned char *dest, const char *src); + void (*p_SHA224_TraceState)(SHA224Context *cx); + unsigned int (* p_SHA224_FlattenSize)(SHA224Context *cx); + SECStatus (* p_SHA224_Flatten)(SHA224Context *cx,unsigned char *space); + SHA224Context * (* p_SHA224_Resurrect)(unsigned char *space, void *arg); + void (* p_SHA224_Clone)(SHA224Context *dest, SHA224Context *src); + PRBool (*p_BLAPI_SHVerifyFile)(const char *name); + + /* Version 3.013 came to here */ }; diff --git a/security/nss/lib/freebl/manifest.mn b/security/nss/lib/freebl/manifest.mn index 80ba1ae3974..d98867d6de9 100644 --- a/security/nss/lib/freebl/manifest.mn +++ b/security/nss/lib/freebl/manifest.mn 
@@ -128,6 +128,7 @@ CSRCS = \ md5.c \ sha512.c \ alghmac.c \ + mgf1.c \ rawhash.c \ alg2268.c \ arcfour.c \ diff --git a/security/nss/lib/freebl/mgf1.c b/security/nss/lib/freebl/mgf1.c new file mode 100644 index 00000000000..8e6a4a2689f --- /dev/null +++ b/security/nss/lib/freebl/mgf1.c 
@@ -0,0 +1,91 @@ +/* + * mgf1.c - implementation of MGF1 as defined in PKCS #1 v2.1 / RFC 3447 + * + * ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Hanno Boeck + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. 
+ * + * ***** END LICENSE BLOCK ***** */ +/* $Id: mgf1.c,v 1.2 2010/07/22 23:09:46 wtc%google.com Exp $ */ + +#ifdef FREEBL_NO_DEPEND +#include "stubs.h" +#endif + +#include "blapi.h" +#include "hasht.h" + +SECStatus +MGF1(HASH_HashType hashAlg, unsigned char *mask, unsigned int maskLen, + const unsigned char *mgfSeed, unsigned int mgfSeedLen) +{ + unsigned int digestLen; + PRUint32 counter, rounds; + unsigned char *tempHash, *temp; + const SECHashObject *hash; + void *hashContext; + unsigned char C[4]; + + hash = HASH_GetRawHashObject(hashAlg); + if (hash == NULL) + return SECFailure; + + hashContext = (*hash->create)(); + rounds = (maskLen + hash->length - 1) / hash->length; + for (counter = 0; counter < rounds; counter++) { + C[0] = (unsigned char)((counter >> 24) & 0xff); + C[1] = (unsigned char)((counter >> 16) & 0xff); + C[2] = (unsigned char)((counter >> 8) & 0xff); + C[3] = (unsigned char)(counter & 0xff); + + /* This could be optimized when the clone functions in + * rawhash.c are implemented. */ + (*hash->begin)(hashContext); + (*hash->update)(hashContext, mgfSeed, mgfSeedLen); + (*hash->update)(hashContext, C, sizeof C); + + tempHash = mask + counter * hash->length; + if (counter != (rounds-1)) { + (*hash->end)(hashContext, tempHash, &digestLen, hash->length); + } else { /* we're in the last round and need to cut the hash */ + temp = PORT_Alloc(hash->length); + (*hash->end)(hashContext, temp, &digestLen, hash->length); + PORT_Memcpy(tempHash, temp, maskLen - counter * hash->length); + PORT_Free(temp); + } + } + (*hash->destroy)(hashContext, PR_TRUE); + + return SECSuccess; +} diff --git a/security/nss/lib/freebl/mpi/Makefile b/security/nss/lib/freebl/mpi/Makefile index dd868b3f169..d4ff76f871a 100644 --- a/security/nss/lib/freebl/mpi/Makefile +++ b/security/nss/lib/freebl/mpi/Makefile 
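Review bot: MGF1 never checks the results of `(*hash->create)()` or `PORT_Alloc(hash->length)`. On an allocation failure the hash callbacks run on a NULL context, or `(*hash->end)` writes the digest through a NULL `temp`. Both paths should return SECFailure, and the second must destroy the context first. The function also lacks a header comment stating that `mask` must have room for `maskLen` bytes and that the four-byte counter is appended to the seed most significant byte first.

```c
    hashContext = (*hash->create)();
    if (hashContext == NULL)
        return SECFailure;
    /* ... unchanged: rounds computation, counter encoding, begin/update calls ... */
        } else { /* we're in the last round and need to cut the hash */
            temp = PORT_Alloc(hash->length);
            if (temp == NULL) {
                /* release the context before reporting the failure */
                (*hash->destroy)(hashContext, PR_TRUE);
                return SECFailure;
            }
            (*hash->end)(hashContext, temp, &digestLen, hash->length);
            PORT_Memcpy(tempHash, temp, maskLen - counter * hash->length);
            PORT_Free(temp);
        }
```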
@@ -41,7 +41,7 @@ # ***** END LICENSE BLOCK ***** # -# $Id: Makefile,v 1.26 2007/05/09 00:09:37 neil.williams%sun.com Exp $ +# $Id: Makefile,v 1.27 2011/02/06 08:42:27 nelson%bolyard.com Exp $ # ## Define CC to be the C compiler you wish to use. The GNU cc @@ -170,6 +170,8 @@ mpv_sparcv8.s: vis_64.il mpv_sparc.c montmulfv8.o montmulfv9.o mpv_sparcv8.o mpv_sparcv9.o : %.o : %.s $(CC) -o $@ $(SOLARIS_ASM_FLAGS) -c $< +mpi_arm.o: mpi_arm.c $(LIBHDRS) + # This rule is used to build the .s sources, which are then hand optimized. #montmulfv8.s montmulfv9.s : montmulf%.s : montmulf%.il montmulf.c montmulf.h # $(CC) -o $@ $(SOLARIS_ASM_FLAGS) -S montmulf$*.il montmulf.c diff --git a/security/nss/lib/freebl/mpi/README b/security/nss/lib/freebl/mpi/README index 50ec394e414..1de002a9bee 100644 --- a/security/nss/lib/freebl/mpi/README +++ b/security/nss/lib/freebl/mpi/README @@ -676,10 +676,7 @@ exptmod.c Computes arbitrary precision modular exponentiation from the command line (exptmod a b m -> a^b (mod m)) Most of these can be built from the Makefile that comes with the -library. Try 'make tools', if your environment supports it. (If you -are compiling on a Macintosh, I'm afraid you'll have to build them by -hand -- fortunately, this is not difficult -- the library itself -should compile just fine under Metrowerks CodeWarrior). +library. Try 'make tools', if your environment supports it. Testing the Library 
@@ -704,9 +701,9 @@ what platform and compiler you were using, as well as which test failed. If a reason for failure was given, please send me that text as well. -If you're on a system such as the Macintosh, where the standard Unix -build tools don't work, you can build the 'mpi-test' program manually, -and run it by hand. This is tedious and obnoxious, sorry. +If you're on a system where the standard Unix build tools don't work, +you can build the 'mpi-test' program manually, and run it by hand. +This is tedious and obnoxious, sorry. Further manual testing can be performed by building the manual testing programs, whose source is found in the 'tests' subdirectory. Each @@ -736,8 +733,7 @@ cannot use make, here is what needs to be done: (1) Use 'make-test-arrays' to generate the file 'test-info.c' from the 'test-arrays.txt' file. Since Perl can be found everywhere, - even on the Macintosh, this should be no trouble. Under Unix, - this looks like: + this should be no trouble. Under Unix, this looks like: make-test-arrays test-arrays.txt > test-info.c diff --git a/security/nss/lib/freebl/mpi/hpma512.s b/security/nss/lib/freebl/mpi/hpma512.s index 0d88608c17e..b224c77d062 100644 --- a/security/nss/lib/freebl/mpi/hpma512.s +++ b/security/nss/lib/freebl/mpi/hpma512.s @@ -331,7 +331,7 @@ multacc512 .PROC .CALLINFO - .ENTER + .ENTRY fldd 0(pM),M ; multiplier double word ldo ST_SZ(sp),sp ; push stack @@ -636,8 +636,10 @@ $L0 /* end of module */ /* ====================================================================== */ - .LEAVE + bve (rp) + .EXIT + nop .PROCEND .SPACE $TEXT$ .SUBSPA $CODE$ diff --git a/security/nss/lib/freebl/mpi/hppa20.s b/security/nss/lib/freebl/mpi/hppa20.s index 4cabd249b54..1f4d0100e62 100644 --- a/security/nss/lib/freebl/mpi/hppa20.s +++ b/security/nss/lib/freebl/mpi/hppa20.s @@ -40,7 +40,7 @@ #else ; .LEVEL 1.1 ; .ALLOW 2.0N - .LEVEL 2.0N + .LEVEL 2.0 #endif .SPACE $TEXT$,SORT=8 .SUBSPA $CODE$,QUAD=0,ALIGN=4,ACCESS=0x2c,CODE_ONLY,SORT=24 
@@ -108,17 +108,10 @@ maxpy_little maxpy_big #endif .PROC - .CALLINFO FRAME=120,ENTRY_GR=%r4 - .ENTER - -; Of course, real men don't use the sissy "enter" and "leave" commands. -; They write their own stack manipulation stuff. Unfortunately, -; that doesn't generate complete unwind info, whereas "enter" and -; "leave" (if the documentation is to be believed) do so. Therefore, -; we use the sissy commands. We have verified (by real-man methods) -; that the above command generates what we want: -; STW,MA %r3,128(%sp) -; STW %r4,-124(%sp) + .CALLINFO FRAME=120,ENTRY_GR=4 + .ENTRY + STW,MA %r3,128(%sp) + STW %r4,-124(%sp) ADDIB,< -1,%r26,$L0 ; If N = 0, exit immediately. FLDD 0(%r25),%fr9 ; fr9 = scalar @@ -502,12 +495,10 @@ $JOIN5 ; exit $L0 - .LEAVE - -; We have verified that the above command generates what we want: -; LDW -124(%sp),%r4 -; BVE (%r2) -; LDW,MB -128(%sp),%r3 + LDW -124(%sp),%r4 + BVE (%r2) + .EXIT + LDW,MB -128(%sp),%r3 .PROCEND @@ -529,8 +520,10 @@ add_diag_little add_diag_big #endif .PROC - .CALLINFO FRAME=120,ENTRY_GR=%r4 - .ENTER + .CALLINFO FRAME=120,ENTRY_GR=4 + .ENTRY + STW,MA %r3,128(%sp) + STW %r4,-124(%sp) ADDIB,< -1,%r26,$Z0 ; If N=0, exit immediately. NOP @@ -747,15 +740,24 @@ $FDIAG1 STD %r26,EIGHT(%r24) $Z0 - .LEAVE + LDW -124(%sp),%r4 + BVE (%r2) + .EXIT + LDW,MB -128(%sp),%r3 .PROCEND ; .ALLOW .SPACE $TEXT$ .SUBSPA $CODE$ #ifdef LITTLE_WORDIAN +#ifdef __GNUC__ +; GNU-as (as of 2.19) does not support LONG_RETURN + .EXPORT maxpy_little,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR + .EXPORT add_diag_little,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR +#else .EXPORT maxpy_little,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,LONG_RETURN .EXPORT add_diag_little,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,LONG_RETURN +#endif #else .EXPORT maxpy_big,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,LONG_RETURN .EXPORT add_diag_big,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,LONG_RETURN 
diff --git a/security/nss/lib/freebl/mpi/make-logtab b/security/nss/lib/freebl/mpi/make-logtab index fa2702f2d9a..5eb84489f2d 100755 --- a/security/nss/lib/freebl/mpi/make-logtab +++ b/security/nss/lib/freebl/mpi/make-logtab @@ -1,4 +1,4 @@ -#!/usr/linguist/bin/perl +#!/usr/bin/perl # # make-logtab @@ -43,7 +43,7 @@ # # ***** END LICENSE BLOCK ***** -# $Id: make-logtab,v 1.4 2005/02/02 22:28:22 gerv%gerv.net Exp $ +# $Id: make-logtab,v 1.5 2011/05/23 23:45:11 wtc%google.com Exp $ $ARRAYNAME = $ENV{'ARRAYNAME'} || "s_logv_2"; $ARRAYTYPE = $ENV{'ARRAYTYPE'} || "float"; diff --git a/security/nss/lib/freebl/mpi/make-test-arrays b/security/nss/lib/freebl/mpi/make-test-arrays index ced5c541201..da9a8c6ef50 100755 --- a/security/nss/lib/freebl/mpi/make-test-arrays +++ b/security/nss/lib/freebl/mpi/make-test-arrays @@ -1,4 +1,4 @@ -#!/usr/linguist/bin/perl +#!/usr/bin/perl # # make-test-arrays @@ -49,7 +49,7 @@ # # ***** END LICENSE BLOCK ***** -# $Id: make-test-arrays,v 1.2 2005/02/02 22:28:22 gerv%gerv.net Exp $ +# $Id: make-test-arrays,v 1.3 2011/05/23 23:45:11 wtc%google.com Exp $ # # Read parameters from the environment, if available diff --git a/security/nss/lib/freebl/mpi/mpi-config.h b/security/nss/lib/freebl/mpi/mpi-config.h index 08e5c5cc2d0..b39a0eb1ff1 100644 --- a/security/nss/lib/freebl/mpi/mpi-config.h +++ b/security/nss/lib/freebl/mpi/mpi-config.h @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: mpi-config.h,v 1.5.198.1 2011/04/07 22:31:40 wtc%google.com Exp $ */ +/* $Id: mpi-config.h,v 1.6 2010/07/20 01:26:02 wtc%google.com Exp $ */ #ifndef MPI_CONFIG_H_ #define MPI_CONFIG_H_ diff --git a/security/nss/lib/freebl/mpi/mpi-priv.h b/security/nss/lib/freebl/mpi/mpi-priv.h index cc8c06ef37a..41f253df9c0 100644 --- a/security/nss/lib/freebl/mpi/mpi-priv.h +++ b/security/nss/lib/freebl/mpi/mpi-priv.h 
@@ -42,7 +42,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: mpi-priv.h,v 1.23 2010/05/02 22:36:41 nelson%bolyard.com Exp $ */ +/* $Id: mpi-priv.h,v 1.24 2010/07/20 01:26:02 wtc%google.com Exp $ */ #ifndef _MPI_PRIV_H_ #define _MPI_PRIV_H_ 1 @@ -294,7 +294,6 @@ mp_err MPI_ASM_DECL s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, typedef struct { mp_int N; /* modulus N */ mp_digit n0prime; /* n0' = - (n0 ** -1) mod MP_RADIX */ - mp_size b; /* R == 2 ** b, also b = # significant bits in N */ } mp_mont_modulus; mp_err s_mp_mul_mont(const mp_int *a, const mp_int *b, mp_int *c, diff --git a/security/nss/lib/freebl/mpi/mpi.c b/security/nss/lib/freebl/mpi/mpi.c index 25c96564040..168831a1135 100644 --- a/security/nss/lib/freebl/mpi/mpi.c +++ b/security/nss/lib/freebl/mpi/mpi.c @@ -40,13 +40,20 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: mpi.c,v 1.47.2.1 2011/04/07 22:31:40 wtc%google.com Exp $ */ +/* $Id: mpi.c,v 1.50 2011/04/07 22:35:18 wtc%google.com Exp $ */ #include "mpi-priv.h" #if defined(OSF1) #include #endif +#if defined(__arm__) && \ + ((defined(__thumb__) && !defined(__thumb2__)) || defined(__ARM_ARCH_3__)) +/* 16-bit thumb or ARM v3 doesn't work inlined assember version */ +#undef MP_ASSEMBLY_MULTIPLY +#undef MP_ASSEMBLY_SQUARE +#endif + #if MP_LOGTAB /* A table of the logs of 2 for various bases (the 0 and 1 entries of @@ -2939,8 +2946,6 @@ void s_mp_exch(mp_int *a, mp_int *b) Shift mp leftward by p digits, growing if needed, and zero-filling the in-shifted digits at the right end. This is a convenient alternative to multiplication by powers of the radix - The value of USED(mp) must already have been set to the value for - the shifted result. */ mp_err s_mp_lshd(mp_int *mp, mp_size p) 
@@ -4210,6 +4215,7 @@ mp_err s_mp_div(mp_int *rem, /* i: dividend, o: remainder */ if(mp_cmp_z(div) == 0) return MP_RANGE; + DIGITS(&t) = 0; /* Shortcut if divisor is power of two */ if((ix = s_mp_ispow2(div)) >= 0) { MP_CHECKOK( mp_copy(rem, quot) ); @@ -4219,7 +4225,6 @@ mp_err s_mp_div(mp_int *rem, /* i: dividend, o: remainder */ return MP_OKAY; } - DIGITS(&t) = 0; MP_SIGN(rem) = ZPOS; MP_SIGN(div) = ZPOS; @@ -4747,7 +4752,7 @@ mp_to_unsigned_octets(const mp_int *mp, unsigned char *str, mp_size maxlen) ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG); bytes = mp_unsigned_octet_size(mp); - ARGCHK(bytes <= maxlen, MP_BADARG); + ARGCHK(bytes >= 0 && bytes <= maxlen, MP_BADARG); /* Iterate over each digit... */ for(ix = USED(mp) - 1; ix >= 0; ix--) { @@ -4779,7 +4784,7 @@ mp_to_signed_octets(const mp_int *mp, unsigned char *str, mp_size maxlen) ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG); bytes = mp_unsigned_octet_size(mp); - ARGCHK(bytes <= maxlen, MP_BADARG); + ARGCHK(bytes >= 0 && bytes <= maxlen, MP_BADARG); /* Iterate over each digit... */ for(ix = USED(mp) - 1; ix >= 0; ix--) { @@ -4819,7 +4824,7 @@ mp_to_fixlen_octets(const mp_int *mp, unsigned char *str, mp_size length) ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG); bytes = mp_unsigned_octet_size(mp); - ARGCHK(bytes <= length, MP_BADARG); + ARGCHK(bytes >= 0 && bytes <= length, MP_BADARG); /* place any needed leading zeros */ for (;length > bytes; --length) { diff --git a/security/nss/lib/freebl/mpi/mpi.h b/security/nss/lib/freebl/mpi/mpi.h index 79503f32562..c872018a87a 100644 --- a/security/nss/lib/freebl/mpi/mpi.h +++ b/security/nss/lib/freebl/mpi/mpi.h @@ -39,7 +39,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: mpi.h,v 1.23 2008/12/04 18:16:34 rrelyea%redhat.com Exp $ */ +/* $Id: mpi.h,v 1.24 2010/07/20 01:26:02 wtc%google.com Exp $ */ #ifndef _H_MPI_ #define _H_MPI_ 
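Review bot: The size test `bytes <= maxlen` in mp_to_unsigned_octets is the only guard on the caller's output buffer, yet it sits inside ARGCHK; the same line appears in mp_to_signed_octets and mp_to_fixlen_octets (against `length`) in the next two hunks. ARGCHK's definition is not in this diff; if any build configuration expands it to nothing or to an assert, the digit-writing loop that follows has no bound at all. An unconditional test keeps the check in every build, e.g. `if (bytes < 0 || (mp_size)bytes > maxlen) return MP_BADARG;`, assuming `bytes` is signed as the new `>= 0` test implies. The function bodies continue outside these hunks.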
@@ -62,9 +62,7 @@ #undef ULLONG_MAX #endif -#if defined( macintosh ) -#include -#elif defined( _WIN32_WCE) +#if defined( _WIN32_WCE) /* #include What do we need here ?? */ #else #include diff --git a/security/nss/lib/freebl/mpi/mpi_arm.c b/security/nss/lib/freebl/mpi/mpi_arm.c new file mode 100644 index 00000000000..67aaa209f14 --- /dev/null +++ b/security/nss/lib/freebl/mpi/mpi_arm.c 
@@ -0,0 +1,203 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Mozilla Japan. + * Portions created by the Initial Developer are Copyright (C) 2010 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Makoto Kato (Original Author) + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. 
+ * + * ***** END LICENSE BLOCK ***** */ + +/* This inlined version is for 32-bit ARM platform only */ + +#if !defined(__arm__) +#error "This is for ARM only" +#endif + +/* 16-bit thumb doesn't work inlined assember version */ +#if (!defined(__thumb__) || defined(__thumb2__)) && !defined(__ARM_ARCH_3__) + +#include "mpi-priv.h" + +#ifdef MP_ASSEMBLY_MULTIPLY +void s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c) +{ + __asm__ __volatile__( + "mov r5, #0\n" +#ifdef __thumb2__ + "cbz %1, 2f\n" +#else + "cmp %1, r5\n" /* r5 is 0 now */ + "beq 2f\n" +#endif + + "1:\n" + "mov r4, #0\n" + "ldr r6, [%0], #4\n" + "umlal r5, r4, r6, %2\n" + "str r5, [%3], #4\n" + "mov r5, r4\n" + + "subs %1, #1\n" + "bne 1b\n" + + "2:\n" + "str r5, [%3]\n" + : + : "r"(a), "r"(a_len), "r"(b), "r"(c) + : "memory", "cc", "%r4", "%r5", "%r6"); +} + +void s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c) +{ + __asm__ __volatile__( + "mov r5, #0\n" +#ifdef __thumb2__ + "cbz %1, 2f\n" +#else + "cmp %1, r5\n" /* r5 is 0 now */ + "beq 2f\n" +#endif + + "1:\n" + "mov r4, #0\n" + "ldr r6, [%3]\n" + "adds r5, r6\n" + "adc r4, #0\n" + + "ldr r6, [%0], #4\n" + "umlal r5, r4, r6, %2\n" + "str r5, [%3], #4\n" + "mov r5, r4\n" + + "subs %1, #1\n" + "bne 1b\n" + + "2:\n" + "str r5, [%3]\n" + : + : "r"(a), "r"(a_len), "r"(b), "r"(c) + : "memory", "cc", "%r4", "%r5", "%r6"); +} + +void s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c) +{ + if (!a_len) + return; + + __asm__ __volatile__( + "mov r5, #0\n" + + "1:\n" + "mov r4, #0\n" + "ldr r6, [%3]\n" + "adds r5, r6\n" + "adc r4, #0\n" + "ldr r6, [%0], #4\n" + "umlal r5, r4, r6, %2\n" + "str r5, [%3], #4\n" + "mov r5, r4\n" + + "subs %1, #1\n" + "bne 1b\n" + +#ifdef __thumb2__ + "cbz r4, 3f\n" +#else + "cmp r4, #0\n" + "beq 3f\n" +#endif + + "2:\n" + "mov r4, #0\n" + "ldr r6, [%3]\n" + "adds r5, r6\n" + "adc r4, #0\n" + "str r5, [%3], #4\n" + "movs r5, r4\n" + "bne 2b\n" + + "3:\n" + : + 
: "r"(a), "r"(a_len), "r"(b), "r"(c) + : "memory", "cc", "%r4", "%r5", "%r6"); +} +#endif + +#ifdef MP_ASSEMBLY_SQUARE +void s_mpv_sqr_add_prop(const mp_digit *pa, mp_size a_len, mp_digit *ps) +{ + if (!a_len) + return; + + __asm__ __volatile__( + "mov r3, #0\n" + + "1:\n" + "mov r4, #0\n" + "ldr r6, [%0], #4\n" + "ldr r5, [%2]\n" + "adds r3, r5\n" + "adc r4, #0\n" + "umlal r3, r4, r6, r6\n" /* w = r3:r4 */ + "str r3, [%2], #4\n" + + "ldr r5, [%2]\n" + "adds r3, r4, r5\n" + "mov r4, #0\n" + "adc r4, #0\n" + "str r3, [%2], #4\n" + "mov r3, r4\n" + + "subs %1, #1\n" + "bne 1b\n" + +#ifdef __thumb2__ + "cbz r3, 3f\n" +#else + "cmp r3, #0\n" + "beq 3f\n" +#endif + + "2:\n" + "mov r4, #0\n" + "ldr r5, [%2]\n" + "adds r3, r5\n" + "adc r4, #0\n" + "str r3, [%2], #4\n" + "movs r3, r4\n" + "bne 2b\n" + + "3:" + : + : "r"(pa), "r"(a_len), "r"(ps) + : "memory", "cc", "%r3", "%r4", "%r5", "%r6"); +} +#endif +#endif diff --git a/security/nss/lib/freebl/mpi/mpmontg.c b/security/nss/lib/freebl/mpi/mpmontg.c index 528b94d9983..5ed0e2d83b9 100644 --- a/security/nss/lib/freebl/mpi/mpmontg.c +++ b/security/nss/lib/freebl/mpi/mpmontg.c @@ -36,11 +36,11 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: mpmontg.c,v 1.22 2010/05/02 22:36:41 nelson%bolyard.com Exp $ */ +/* $Id: mpmontg.c,v 1.23 2010/07/20 01:26:02 wtc%google.com Exp $ */ /* This file implements moduluar exponentiation using Montgomery's * method for modular reduction. This file implements the method - * described as "Improvement 1" in the paper "A Cryptogrpahic Library for + * described as "Improvement 2" in the paper "A Cryptogrpahic Library for * the Motorola DSP56000" by Stephen R. Dusse' and Burton S. Kaliski Jr. * published in "Advances in Cryptology: Proceedings of EUROCRYPT '90" * "Lecture Notes in Computer Science" volume 473, 1991, pg 230-244, 
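Review bot: Every asm block in mpi_arm.c modifies registers that are declared as input-only operands. `ldr r6, [%0], #4` and `str r5, [%3], #4` post-increment the pointer operands and `subs %1, #1` counts `a_len` down, yet the output section is empty and all operands use plain `"r"`. The compiler may assume an input register still holds its original value after the asm, so code around an inlined call can end up using stale pointers or lengths. The modified operands should be read-write, e.g. `: "+r"(a), "+r"(a_len), "+r"(c) : "r"(b)` with the `%2`/`%3` references in the template swapped to match; s_mpv_sqr_add_prop needs the same for `pa`, `a_len` and `ps`. s_mpv_mul_d and s_mpv_mul_d_add should also carry a comment that `c` must hold `a_len + 1` digits, since the final `str r5, [%3]` stores the carry one digit past the input length.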
@@ -76,13 +76,15 @@ #define ABORT abort() #endif -/* computes T = REDC(T), 2^b == R */ +/*! computes T = REDC(T), 2^b == R + \param T < RN +*/ mp_err s_mp_redc(mp_int *T, mp_mont_modulus *mmm) { mp_err res; mp_size i; - i = MP_USED(T) + MP_USED(&mmm->N) + 2; + i = (MP_USED(&mmm->N) << 1) + 1; MP_CHECKOK( s_mp_pad(T, i) ); for (i = 0; i < MP_USED(&mmm->N); ++i ) { mp_digit m_i = MP_DIGIT(T, i) * mmm->n0prime; @@ -92,7 +94,7 @@ mp_err s_mp_redc(mp_int *T, mp_mont_modulus *mmm) s_mp_clamp(T); /* T /= R */ - s_mp_div_2d(T, mmm->b); + s_mp_rshd( T, MP_USED(&mmm->N) ); if ((res = s_mp_cmp(T, &mmm->N)) >= 0) { /* T = T - N */ @@ -109,14 +111,20 @@ CLEANUP: return res; } -#if !defined(MP_ASSEMBLY_MUL_MONT) && !defined(MP_MONT_USE_MP_MUL) +#if !defined(MP_MONT_USE_MP_MUL) + +/*! c <- REDC( a * b ) mod N + \param a < N i.e. "reduced" + \param b < N i.e. "reduced" + \param mmm modulus N and n0' of N +*/ mp_err s_mp_mul_mont(const mp_int *a, const mp_int *b, mp_int *c, mp_mont_modulus *mmm) { mp_digit *pb; mp_digit m_i; mp_err res; - mp_size ib; + mp_size ib; /* "index b": index of current digit of B */ mp_size useda, usedb; ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG); @@ -128,7 +136,7 @@ mp_err s_mp_mul_mont(const mp_int *a, const mp_int *b, mp_int *c, } MP_USED(c) = 1; MP_DIGIT(c, 0) = 0; - ib = MP_USED(a) + MP_MAX(MP_USED(b), MP_USED(&mmm->N)) + 2; + ib = (MP_USED(&mmm->N) << 1) + 1; if((res = s_mp_pad(c, ib)) != MP_OKAY) goto CLEANUP; @@ -157,7 +165,7 @@ mp_err s_mp_mul_mont(const mp_int *a, const mp_int *b, mp_int *c, } } s_mp_clamp(c); - s_mp_div_2d(c, mmm->b); + s_mp_rshd( c, MP_USED(&mmm->N) ); /* c /= R */ if (s_mp_cmp(c, &mmm->N) >= 0) { MP_CHECKOK( s_mp_sub(c, &mmm->N) ); } 
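Review bot: s_mp_redc and s_mp_mul_mont now size their working buffer from the modulus alone, `(MP_USED(&mmm->N) << 1) + 1` digits, where the removed lines also counted MP_USED(T), or MP_USED(a) and MP_USED(b). That is only sufficient when the new `\param` preconditions (T < RN, a < N, b < N) hold, and nothing in these hunks enforces them. In s_mp_mul_mont an operand with more digits than N would let the multiply-accumulate loop write past the padded length of `c`. I would make the precondition checkable at entry, e.g. `if (MP_USED(a) > MP_USED(&mmm->N) || MP_USED(b) > MP_USED(&mmm->N)) return MP_BADARG;`, or confirm that every caller (outside this diff) reduces its operands first. The s_mp_redc header still says `2^b == R`, and the s_mp_to_mont hunk further down keeps `/* xMont = x << b */`, although this commit removes the `b` field; both should describe R as the radix raised to MP_USED(N).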
@@ -174,7 +182,8 @@ mp_err s_mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int *xMont) mp_err res; /* xMont = x * R mod N where N is modulus */ - MP_CHECKOK( mpl_lsh(x, xMont, mmm->b) ); /* xMont = x << b */ + MP_CHECKOK( mp_copy( x, xMont ) ); + MP_CHECKOK( s_mp_lshd( xMont, MP_USED(&mmm->N) ) ); /* xMont = x << b */ MP_CHECKOK( mp_div(xMont, &mmm->N, 0, xMont) ); /* mod N */ CLEANUP: return res; @@ -1109,9 +1118,6 @@ mp_err mp_exptmod(const mp_int *inBase, const mp_int *exponent, MP_CHECKOK( mp_init_size(&montBase, 2 * nLen + 2) ); mmm.N = *modulus; /* a copy of the mp_int struct */ - i = mpl_significant_bits(modulus); - i += MP_DIGIT_BIT - 1; - mmm.b = i - i % MP_DIGIT_BIT; /* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX ** where n0 = least significant mp_digit of N, the modulus. diff --git a/security/nss/lib/freebl/mpi/target.mk b/security/nss/lib/freebl/mpi/target.mk index dcc09f0d196..0ad6172e27f 100644 --- a/security/nss/lib/freebl/mpi/target.mk +++ b/security/nss/lib/freebl/mpi/target.mk @@ -218,6 +218,12 @@ CFLAGS= -O2 -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi -Wall \ -DXP_UNIX -UDEBUG -DNDEBUG -D_REENTRANT $(MPICMN) endif +ifeq ($(TARGET),armLINUX) +MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE +MPICMN += -DMP_USE_UINT_DIGIT +AS_OBJS += mpi_arm.o +endif + ifeq ($(TARGET),AMD64SOLARIS) ASFLAGS += -xarch=generic64 AS_OBJS = mpi_amd64.o mpi_amd64_sun.o diff --git a/security/nss/lib/freebl/mpi/utils/primegen.c b/security/nss/lib/freebl/mpi/utils/primegen.c index 9e4b90e006b..0bea4f4183b 100644 --- a/security/nss/lib/freebl/mpi/utils/primegen.c +++ b/security/nss/lib/freebl/mpi/utils/primegen.c @@ -46,7 +46,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: primegen.c,v 1.7 2004/04/27 23:04:37 gerv%gerv.net Exp $ */ +/* $Id: primegen.c,v 1.8 2010/07/20 01:26:03 wtc%google.com Exp $ */ #include #include 
@@ -58,12 +58,6 @@ #include "mplogic.h" #include "mpprime.h" -#undef MACOS /* define if running on a Macintosh */ - -#ifdef MACOS -#include -#endif - #define NUM_TESTS 5 /* Number of Rabin-Miller iterations to test with */ #ifdef DEBUG @@ -83,10 +77,6 @@ int main(int argc, char *argv[]) mp_err res; clock_t start, end; -#ifdef MACOS - argc = ccommand(&argv); -#endif - /* We'll just use the C library's rand() for now, although this won't be good enough for cryptographic purposes */ if((out = getenv("SEED")) == NULL) { diff --git a/security/nss/lib/freebl/mpi/utils/ptab.pl b/security/nss/lib/freebl/mpi/utils/ptab.pl index 451b2e86270..84d7da26562 100755 --- a/security/nss/lib/freebl/mpi/utils/ptab.pl +++ b/security/nss/lib/freebl/mpi/utils/ptab.pl @@ -1,4 +1,4 @@ -#!/usr/linguist/bin/perl +#!/usr/bin/perl # ***** BEGIN LICENSE BLOCK ***** # Version: MPL 1.1/GPL 2.0/LGPL 2.1 @@ -36,7 +36,7 @@ # # ***** END LICENSE BLOCK ***** -# $Id: ptab.pl,v 1.2 2005/02/02 22:28:23 gerv%gerv.net Exp $ +# $Id: ptab.pl,v 1.3 2011/05/23 23:45:11 wtc%google.com Exp $ # while(<>) { diff --git a/security/nss/lib/freebl/nsslowhash.c b/security/nss/lib/freebl/nsslowhash.c index db5d99b75b2..bb92c7099c0 100644 --- a/security/nss/lib/freebl/nsslowhash.c +++ b/security/nss/lib/freebl/nsslowhash.c @@ -33,7 +33,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: nsslowhash.c,v 1.4.8.1 2011/01/20 18:41:51 emaldona%redhat.com Exp $ */ +/* $Id: nsslowhash.c,v 1.6 2010/09/10 00:42:36 emaldona%redhat.com Exp $ */ #include "stubs.h" #include "prtypes.h" 
@@ -129,6 +129,13 @@ freebl_fips_SHA_PowerUpSelfTest( void ) 0x72,0xf6,0xc7,0x22,0xf1,0x27,0x9f,0xf0, 0xe0,0x68,0x47,0x7a}; + /* SHA-224 Known Digest Message (224-bits). */ + static const PRUint8 sha224_known_digest[] = { + 0x1c,0xc3,0x06,0x8e,0xce,0x37,0x68,0xfb, + 0x1a,0x82,0x4a,0xbe,0x2b,0x00,0x51,0xf8, + 0x9d,0xb6,0xe0,0x90,0x0d,0x00,0xc9,0x64, + 0x9a,0xb8,0x98,0x4e}; + /* SHA-256 Known Digest Message (256-bits). */ static const PRUint8 sha256_known_digest[] = { 0x38,0xa9,0xc1,0xf0,0x35,0xf6,0x5d,0x61, @@ -172,6 +179,18 @@ freebl_fips_SHA_PowerUpSelfTest( void ) SHA1_LENGTH ) != 0 ) ) return( CKR_DEVICE_ERROR ); + /***************************************************/ + /* SHA-224 Single-Round Known Answer Hashing Test. */ + /***************************************************/ + + sha_status = SHA224_HashBuf( sha_computed_digest, known_hash_message, + FIPS_KNOWN_HASH_MESSAGE_LENGTH ); + + if( ( sha_status != SECSuccess ) || + ( PORT_Memcmp( sha_computed_digest, sha224_known_digest, + SHA224_LENGTH ) != 0 ) ) + return( CKR_DEVICE_ERROR ); + /***************************************************/ /* SHA-256 Single-Round Known Answer Hashing Test. */ /***************************************************/ diff --git a/security/nss/lib/freebl/rawhash.c b/security/nss/lib/freebl/rawhash.c index 811be1a2403..de16aafe94c 100644 --- a/security/nss/lib/freebl/rawhash.c +++ b/security/nss/lib/freebl/rawhash.c @@ -155,6 +155,17 @@ const SECHashObject SECRawHashObjects[] = { SHA512_BLOCK_LENGTH, HASH_AlgSHA512 }, + { SHA224_LENGTH, + (void * (*)(void)) SHA224_NewContext, + (void * (*)(void *)) null_hash_clone_context, + (void (*)(void *, PRBool)) SHA224_DestroyContext, + (void (*)(void *)) SHA224_Begin, + (void (*)(void *, const unsigned char *, unsigned int)) SHA224_Update, + (void (*)(void *, unsigned char *, unsigned int *, + unsigned int)) SHA224_End, + SHA224_BLOCK_LENGTH, + HASH_AlgSHA224 + }, }; const SECHashObject * 
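Review bot: The SHA-224 entry in rawhash.c is appended after the SHA-512 entry, which is only correct if `HASH_AlgSHA224` is numerically the next `HASH_HashType` value after `HASH_AlgSHA512`. Assuming callers index `SECRawHashObjects` by hash type (the lookup is outside the hunk), a mismatch would silently return another algorithm's function table. A comment above the array, for example `/* indexed by HASH_HashType; keep entries in enum order */`, would make the constraint explicit for the next algorithm added.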
diff --git a/security/nss/lib/freebl/ret_cr16.s b/security/nss/lib/freebl/ret_cr16.s index 7fb37e72502..da738f0dbd7 100644 --- a/security/nss/lib/freebl/ret_cr16.s +++ b/security/nss/lib/freebl/ret_cr16.s @@ -48,10 +48,12 @@ ret_cr16 .PROC .CALLINFO FRAME=0, NO_CALLS .EXPORT ret_cr16,ENTRY - .ENTER + .ENTRY ; BV %r0(%rp) BV 0(%rp) MFCTL %cr16,%ret0 - .LEAVE + BV %r0(%rp) + .EXIT + NOP .PROCEND .END diff --git a/security/nss/lib/freebl/rijndael.c b/security/nss/lib/freebl/rijndael.c index dea7de31e1d..8d3b5d8f967 100644 --- a/security/nss/lib/freebl/rijndael.c +++ b/security/nss/lib/freebl/rijndael.c @@ -33,7 +33,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: rijndael.c,v 1.25.6.1 2010/11/18 01:33:42 rrelyea%redhat.com Exp $ */ +/* $Id: rijndael.c,v 1.26 2010/11/18 01:33:24 rrelyea%redhat.com Exp $ */ #ifdef FREEBL_NO_DEPEND #include "stubs.h" diff --git a/security/nss/lib/freebl/rsa.c b/security/nss/lib/freebl/rsa.c index a8599771202..1f6f3c14ade 100644 --- a/security/nss/lib/freebl/rsa.c +++ b/security/nss/lib/freebl/rsa.c @@ -37,7 +37,7 @@ /* * RSA key generation, public key op, private key op. * - * $Id: rsa.c,v 1.39.22.2 2011/03/30 18:39:44 rrelyea%redhat.com Exp $ + * $Id: rsa.c,v 1.42 2011/03/30 01:20:12 rrelyea%redhat.com Exp $ */ #ifdef FREEBL_NO_DEPEND #include "stubs.h" @@ -1420,6 +1420,8 @@ RSA_PrivateKeyCheck(RSAPrivateKey *key) mp_int p, q, n, psub1, qsub1, e, d, d_p, d_q, qInv, res; mp_err err = MP_OKAY; SECStatus rv = SECSuccess; + MP_DIGITS(&p) = 0; + MP_DIGITS(&q) = 0; MP_DIGITS(&n) = 0; MP_DIGITS(&psub1)= 0; MP_DIGITS(&qsub1)= 0; @@ -1429,9 +1431,9 @@ RSA_PrivateKeyCheck(RSAPrivateKey *key) MP_DIGITS(&d_q) = 0; MP_DIGITS(&qInv) = 0; MP_DIGITS(&res) = 0; - CHECK_MPI_OK( mp_init(&n) ); CHECK_MPI_OK( mp_init(&p) ); CHECK_MPI_OK( mp_init(&q) ); + CHECK_MPI_OK( mp_init(&n) ); CHECK_MPI_OK( mp_init(&psub1)); CHECK_MPI_OK( mp_init(&qsub1)); CHECK_MPI_OK( mp_init(&e) ); 
@@ -1593,13 +1595,13 @@ void BL_Cleanup(void) RSA_Cleanup(); } -PRBool parentForkedAfterC_Initialize; +PRBool bl_parentForkedAfterC_Initialize; /* * Set fork flag so it can be tested in SKIP_AFTER_FORK on relevant platforms. */ void BL_SetForkState(PRBool forked) { - parentForkedAfterC_Initialize = forked; + bl_parentForkedAfterC_Initialize = forked; } diff --git a/security/nss/lib/freebl/secmpi.h b/security/nss/lib/freebl/secmpi.h index e343fb8943a..fded41e602d 100644 --- a/security/nss/lib/freebl/secmpi.h +++ b/security/nss/lib/freebl/secmpi.h @@ -47,10 +47,13 @@ CHECK_MPI_OK(mp_read_unsigned_octets((mp), (it).data, (it).len)) #define MPINT_TO_SECITEM(mp, it, arena) \ - SECITEM_AllocItem(arena, (it), mp_unsigned_octet_size(mp)); \ + do { int mpintLen = mp_unsigned_octet_size(mp); \ + if (mpintLen <= 0) {err = MP_RANGE; goto cleanup;} \ + SECITEM_AllocItem(arena, (it), mpintLen); \ if ((it)->data == NULL) {err = MP_MEM; goto cleanup;} \ err = mp_to_unsigned_octets(mp, (it)->data, (it)->len); \ - if (err < 0) goto cleanup; else err = MP_OKAY; + if (err < 0) goto cleanup; else err = MP_OKAY; \ + } while (0) #define MP_TO_SEC_ERROR(err) \ switch (err) { \ diff --git a/security/nss/lib/freebl/sha512.c b/security/nss/lib/freebl/sha512.c index 567586712bc..871245d8596 100644 --- a/security/nss/lib/freebl/sha512.c +++ b/security/nss/lib/freebl/sha512.c @@ -1,5 +1,5 @@ /* - * sha512.c - implementation of SHA256, SHA384 and SHA512 + * sha512.c - implementation of SHA224, SHA256, SHA384 and SHA512 * * ***** BEGIN LICENSE BLOCK ***** * Version: MPL 1.1/GPL 2.0/LGPL 2.1 @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sha512.c,v 1.14.6.2 2011/03/30 22:45:05 wtc%google.com Exp $ */ +/* $Id: sha512.c,v 1.18 2011/03/30 22:35:43 wtc%google.com Exp $ */ #ifdef FREEBL_NO_DEPEND #include "stubs.h" 
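Review bot: MPINT_TO_SECITEM in secmpi.h assigns `err` and jumps to `cleanup` from inside its new `do { } while (0)` body, but nothing at the definition says that the expanding function must declare an `mp_err err` and a `cleanup:` label. It also does not say that a non-positive octet size now produces `MP_RANGE`. A short comment above the macro stating that contract would help, for example `/* requires mp_err err and a cleanup: label in scope; on failure sets err (MP_RANGE, MP_MEM or the conversion error) and jumps to cleanup */`. The macro is now a single statement and the local `mpintLen` lives in its own block, so each call site must end with `;`; whether all existing uses do is outside the hunk.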
@@ -63,6 +63,7 @@ #define SHL(x,n) (x << n) #define Ch(x,y,z) ((x & y) ^ (~x & z)) #define Maj(x,y,z) ((x & y) ^ (x & z) ^ (y & z)) +#define SHA_MIN(a,b) (a < b ? a : b) /* Padding used with all flavors of SHA */ static const PRUint8 pad[240] = { @@ -71,7 +72,7 @@ static const PRUint8 pad[240] = { /* compiler will fill the rest in with zeros */ }; -/* ============= SHA256 implemenmtation ================================== */ +/* ============= SHA256 implementation ================================== */ /* SHA-256 constants, K256. */ static const PRUint32 K256[64] = { @@ -135,6 +136,26 @@ static __inline__ PRUint32 swap4b(PRUint32 value) #define SHA_HTONL(x) swap4b(x) #define BYTESWAP4(x) x = SHA_HTONL(x) +#elif defined(__GNUC__) && (defined(__thumb2__) || \ + (!defined(__thumb__) && \ + (defined(__ARM_ARCH_6__) || \ + defined(__ARM_ARCH_6J__) || \ + defined(__ARM_ARCH_6K__) || \ + defined(__ARM_ARCH_6Z__) || \ + defined(__ARM_ARCH_6ZK__) || \ + defined(__ARM_ARCH_6T2__) || \ + defined(__ARM_ARCH_7__) || \ + defined(__ARM_ARCH_7A__) || \ + defined(__ARM_ARCH_7R__)))) +static __inline__ PRUint32 swap4b(PRUint32 value) +{ + PRUint32 ret; + __asm__("rev %0, %1" : "=r" (ret) : "r"(value)); + return ret; +} +#define SHA_HTONL(x) swap4b(x) +#define BYTESWAP4(x) x = SHA_HTONL(x) + #else #define SWAP4MASK 0x00FF00FF #define SHA_HTONL(x) (t1 = (x), t1 = (t1 << 16) | (t1 >> 16), \ 
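Review bot: `SHA_MIN(a,b)` is now a file-wide macro but expands its arguments unparenthesized, so an argument containing an operator that binds more loosely than `<` would be grouped differently from how it was written. Define it as `#define SHA_MIN(a,b) ((a) < (b) ? (a) : (b))`. The arguments are also evaluated twice and must stay free of side effects; the uses visible on this page (SHA224_End and SHA384_End) pass a plain variable and a length constant, so they are unaffected today.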
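Review bot: The ARMv6/ARMv7 preprocessor predicate and the `rev`-based `swap4b` added to sha512.c are repeated token for token in the sha_fast.h hunk later in this patch, so the two architecture lists can drift apart when a new `__ARM_ARCH_*` macro has to be added. Computing the predicate once in a shared header, under a single feature macro that both files test, would keep them in step. If that refactor is out of scope for this upgrade, a comment in each place such as `/* keep in sync with the ARM test in sha_fast.h */` would do.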
@@ -523,6 +544,99 @@ void SHA256_Clone(SHA256Context *dest, SHA256Context *src) memcpy(dest, src, sizeof *dest); } +/* ============= SHA224 implementation ================================== */ + +/* SHA-224 initial hash values */ +static const PRUint32 H224[8] = { + 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, + 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4 +}; + +SHA224Context * +SHA224_NewContext(void) +{ + return SHA256_NewContext(); +} + +void +SHA224_DestroyContext(SHA224Context *ctx, PRBool freeit) +{ + SHA256_DestroyContext(ctx, freeit); +} + +void +SHA224_Begin(SHA224Context *ctx) +{ + memset(ctx, 0, sizeof *ctx); + memcpy(H, H224, sizeof H224); +} + +static void +SHA224_Compress(SHA224Context *ctx) +{ + SHA256_Compress(ctx); +} + +void +SHA224_Update(SHA224Context *ctx, const unsigned char *input, + unsigned int inputLen) +{ + SHA256_Update(ctx, input, inputLen); +} + +void +SHA224_End(SHA256Context *ctx, unsigned char *digest, + unsigned int *digestLen, unsigned int maxDigestLen) +{ + unsigned int maxLen = SHA_MIN(maxDigestLen, SHA224_LENGTH); + SHA256_End(ctx, digest, digestLen, maxLen); +} + +SECStatus +SHA224_HashBuf(unsigned char *dest, const unsigned char *src, + uint32 src_length) +{ + SHA256Context ctx; + unsigned int outLen; + + SHA224_Begin(&ctx); + SHA256_Update(&ctx, src, src_length); + SHA256_End(&ctx, dest, &outLen, SHA224_LENGTH); + + return SECSuccess; +} + +SECStatus +SHA224_Hash(unsigned char *dest, const char *src) +{ + return SHA224_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src)); +} + +void SHA224_TraceState(SHA224Context *ctx) { } + +unsigned int +SHA224_FlattenSize(SHA224Context *ctx) +{ + return SHA256_FlattenSize(ctx); +} + +SECStatus +SHA224_Flatten(SHA224Context *ctx, unsigned char *space) +{ + return SHA256_Flatten(ctx, space); +} + +SHA224Context * +SHA224_Resurrect(unsigned char *space, void *arg) +{ + return SHA256_Resurrect(space, arg); +} + +void SHA224_Clone(SHA224Context *dest, SHA224Context *src) +{ + 
SHA256_Clone(dest, src); +} + /* ======= SHA512 and SHA384 common constants and defines ================= */ @@ -1251,7 +1365,6 @@ void SHA384_End(SHA384Context *ctx, unsigned char *digest, unsigned int *digestLen, unsigned int maxDigestLen) { -#define SHA_MIN(a,b) (a < b ? a : b) unsigned int maxLen = SHA_MIN(maxDigestLen, SHA384_LENGTH); SHA512_End(ctx, digest, digestLen, maxLen); } @@ -1337,6 +1450,38 @@ void test256(void) dumpHash32(outBuf, sizeof outBuf); } +void test224(void) +{ + SHA224Context ctx; + unsigned char a1000times[1000]; + unsigned int outLen; + unsigned char outBuf[SHA224_LENGTH]; + int i; + + /* Test Vector 1 */ + printf("SHA224, input = %s\n", abc); + SHA224_Hash(outBuf, abc); + dumpHash32(outBuf, sizeof outBuf); + + /* Test Vector 2 */ + printf("SHA224, input = %s\n", abcdbc); + SHA224_Hash(outBuf, abcdbc); + dumpHash32(outBuf, sizeof outBuf); + + /* Test Vector 3 */ + + /* to hash one million 'a's perform 1000 + * sha224 updates on a buffer with 1000 'a's + */ + memset(a1000times, 'a', 1000); + printf("SHA224, input = %s\n", "a one million times"); + SHA224_Begin(&ctx); + for (i = 0; i < 1000; i++) + SHA224_Update(&ctx, a1000times, 1000); + SHA224_End(&ctx, outBuf, &outLen, SHA224_LENGTH); + dumpHash32(outBuf, sizeof outBuf); +} + void dumpHash64(const unsigned char *buf, unsigned int bufLen) { @@ -1392,9 +1537,10 @@ int main (int argc, char *argv[], char *envp[]) i = atoi(argv[1]); } if (i < 2) { + test224(); test256(); - test512(); test384(); + test512(); } else { while (i-- > 0) { time512(); diff --git a/security/nss/lib/freebl/sha_fast.h b/security/nss/lib/freebl/sha_fast.h index 952d2cf93fa..ade10a09184 100644 --- a/security/nss/lib/freebl/sha_fast.h +++ b/security/nss/lib/freebl/sha_fast.h @@ -93,7 +93,6 @@ swap4b(PRUint32 dwd) #if defined(__GNUC__) /* __x86_64__ and __x86_64 are defined by GCC on x86_64 CPUs */ - #if defined( SHA1_USING_64_BIT ) static __inline__ PRUint64 SHA_ROTL(PRUint64 x, PRUint32 n) { 
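Review bot: SHA224_End is declared with `SHA256Context *ctx` while every other SHA224_* entry point in this hunk takes `SHA224Context *`, and SHA224_HashBuf declares its local as `SHA256Context ctx`. This only works if the two names are the same type, and it makes the API read inconsistently; use `SHA224_End(SHA224Context *ctx, unsigned char *digest,` and `SHA224Context ctx;`. The `static void SHA224_Compress` wrapper has no caller inside the hunk and looks like dead code that will draw an unused-function warning. SHA224_HashBuf also returns without clearing `ctx`, leaving message-derived state on the stack; whether SHA256_HashBuf does the same is outside the hunk.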
@@ -115,6 +114,26 @@ static __inline__ PRUint32 swap4b(PRUint32 value) return (value); } #define SHA_HTONL(x) swap4b(x) + +#elif defined(__thumb2__) || \ + (!defined(__thumb__) && \ + (defined(__ARM_ARCH_6__) || \ + defined(__ARM_ARCH_6J__) || \ + defined(__ARM_ARCH_6K__) || \ + defined(__ARM_ARCH_6Z__) || \ + defined(__ARM_ARCH_6ZK__) || \ + defined(__ARM_ARCH_6T2__) || \ + defined(__ARM_ARCH_7__) || \ + defined(__ARM_ARCH_7A__) || \ + defined(__ARM_ARCH_7R__))) +static __inline__ PRUint32 swap4b(PRUint32 value) +{ + PRUint32 ret; + __asm__("rev %0, %1" : "=r" (ret) : "r"(value)); + return ret; +} +#define SHA_HTONL(x) swap4b(x) + #endif /* x86 family */ #endif /* __GNUC__ */ diff --git a/security/nss/lib/freebl/shvfy.c b/security/nss/lib/freebl/shvfy.c index 8a62720effa..783b4c5ac39 100644 --- a/security/nss/lib/freebl/shvfy.c +++ b/security/nss/lib/freebl/shvfy.c @@ -34,7 +34,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: shvfy.c,v 1.13 2010/04/29 00:17:52 rrelyea%redhat.com Exp $ */ +/* $Id: shvfy.c,v 1.15 2010/12/06 17:22:49 kaie%kuix.de Exp $ */ #ifdef FREEBL_NO_DEPEND #include "stubs.h" 
@@ -48,6 +48,208 @@ #include "stdio.h" #include "prmem.h" +/* + * Most modern version of Linux support a speed optimization scheme where an + * application called prelink modifies programs and shared libraries to quickly + * load if they fit into an already designed address space. In short, prelink + * scans the list of programs and libraries on your system, assigns them a + * predefined space in the the address space, then provides the fixups to the + * library. + + * The modification of the shared library is correctly detected by the freebl + * FIPS checksum scheme where we check a signed hash of the library against the + * library itself. + * + * The prelink command itself can reverse the process of modification and + * output the prestine shared library as it was before prelink made it's + * changes. If FREEBL_USE_PRELINK is set Freebl uses prelink to output the + * original copy of the shared library before prelink modified it. + */ +#ifdef FREEBL_USE_PRELINK +#ifndef FREELB_PRELINK_COMMAND +#define FREEBL_PRELINK_COMMAND "/usr/sbin/prelink -u -o -" +#endif +#include "private/pprio.h" + +#include +#include +#include +#include +#include + +/* + * This function returns an NSPR PRFileDesc * which the caller can read to + * obtain the prestine value of the shared library, before any OS related + * changes to it (usually address fixups). + * + * If prelink is installed, this + * file descriptor is a pipe connecting the output of + * /usr/sbin/prelink -u -o - {Library} + * and *pid returns the process id of the prelink child. + * + * If prelink is not installed, it returns a normal readonly handle to the + * library itself and *pid is set to '0'. 
+ */ +PRFileDesc * +bl_OpenUnPrelink(const char *shName, int *pid) +{ + char *command= strdup(FREEBL_PRELINK_COMMAND); + char *argString = NULL; + char **argv = NULL; + char *shNameArg = NULL; + char *cp; + pid_t child; + int argc = 0, argNext = 0; + struct stat statBuf; + int pipefd[2] = {-1,-1}; + int ret; + + *pid = 0; + + /* make sure the prelink command exists first. If not, fall back to + * just reading the file */ + for (cp = command; *cp ; cp++) { + if (*cp == ' ') { + *cp++ = 0; + argString = cp; + break; + } + } + memset (&statBuf, 0, sizeof(statBuf)); + /* stat the file, follow the link */ + ret = stat(command, &statBuf); + if (ret < 0) { + free(command); + return PR_Open(shName, PR_RDONLY, 0); + } + /* file exits, make sure it's an executable */ + if (!S_ISREG(statBuf.st_mode) || + ((statBuf.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) == 0)) { + free(command); + return PR_Open(shName, PR_RDONLY, 0); + } + + /* OK, the prelink command exists and looks correct, use it */ + /* build the arglist while we can still malloc */ + /* count the args if any */ + if (argString && *argString) { + /* argString may have leading spaces, strip them off*/ + for (cp = argString; *cp && *cp == ' '; cp++); + argString = cp; + if (*cp) { + /* there is at least one arg.. 
*/ + argc = 1; + } + + /* count the rest: Note there is no provision for escaped + * spaces here */ + for (cp = argString; *cp ; cp++) { + if (*cp == ' ') { + while (*cp && *cp == ' ') cp++; + if (*cp) argc++; + } + } + } + + /* add the additional args: argv[0] (command), shName, NULL*/ + argc += 3; + argv = PORT_NewArray(char *, argc); + if (argv == NULL) { + goto loser; + } + + /* fill in the arglist */ + argv[argNext++] = command; + if (argString && *argString) { + argv[argNext++] = argString; + for (cp = argString; *cp; cp++) { + if (*cp == ' ') { + *cp++ = 0; + while (*cp && *cp == ' ') cp++; + if (*cp) argv[argNext++] = cp; + } + } + } + /* exec doesn't advertise taking const char **argv, do the paranoid + * copy */ + shNameArg = strdup(shName); + if (shNameArg == NULL) { + goto loser; + } + argv[argNext++] = shNameArg; + argv[argNext++] = 0; + + ret = pipe(pipefd); + if (ret < 0) { + goto loser; + } + + /* use vfork() so we don't trigger the pthread_at_fork() handlers */ + child = vfork(); + if (child < 0) goto loser; + if (child == 0) { + /* set up the file descriptors */ + /* if we need to support BSD, this will need to be an open of + * /dev/null and dup2(nullFD, 0)*/ + close(0); + /* associate pipefd[1] with stdout */ + if (pipefd[1] != 1) dup2(pipefd[1], 1); + close(2); + close(pipefd[0]); + /* should probably close the other file descriptors? 
*/ + + + execv(command, argv); + /* avoid at_exit() handlers */ + _exit(1); /* shouldn't reach here except on an error */ + } + close(pipefd[1]); + pipefd[1] = -1; + + /* this is safe because either vfork() as full fork() semantics, and thus + * already has it's own address space, or because vfork() has paused + * the parent util the exec or exit */ + free(command); + free(shNameArg); + PORT_Free(argv); + + *pid = child; + + return PR_ImportPipe(pipefd[0]); + +loser: + if (pipefd[0] != -1) { + close(pipefd[0]); + } + if (pipefd[1] != -1) { + close(pipefd[1]); + } + free(command); + free(shNameArg); + PORT_Free(argv); + + return NULL; +} + +/* + * bl_CloseUnPrelink - + * + * This closes the file descripter and reaps and children openned and crated by + * b;_OpenUnprelink. It's primary difference between it and just close is + * that it calls wait on the pid if one is supplied, preventing zombie children + * from hanging around. + */ +void +bl_CloseUnPrelink( PRFileDesc *file, int pid) +{ + /* close the file descriptor */ + PR_Close(file); + /* reap the child */ + if (pid) { + waitpid(pid, NULL, 0); + } +} +#endif /* #define DEBUG_SHVERIFY 1 */ @@ -105,8 +307,26 @@ readItem(PRFileDesc *fd, SECItem *item) PRBool BLAPI_SHVerify(const char *name, PRFuncPtr addr) { + PRBool result = PR_FALSE; /* if anything goes wrong, + * the signature does not verify */ /* find our shared library name */ char *shName = PR_GetLibraryFilePathname(name, addr); + if (!shName) { + goto loser; + } + result = BLAPI_SHVerifyFile(shName); + +loser: + if (shName != NULL) { + PR_Free(shName); + } + + return result; +} + +PRBool +BLAPI_SHVerifyFile(const char *shName) +{ char *checkName = NULL; PRFileDesc *checkFD = NULL; PRFileDesc *shFD = NULL; 
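Review bot: bl_OpenUnPrelink dereferences the result of `strdup(FREEBL_PRELINK_COMMAND)` in its first loop (`for (cp = command; *cp ; cp++)`) without a NULL check, so an allocation failure crashes the library integrity check instead of failing it; add `if (command == NULL) return NULL;` right after `*pid = 0;`. The override guard is misspelled as `#ifndef FREELB_PRELINK_COMMAND`, so a build that predefines FREEBL_PRELINK_COMMAND has its value replaced by the default (with a redefinition diagnostic); it should read `#ifndef FREEBL_PRELINK_COMMAND`. In both argument loops the `for` increment `cp++` still runs after the inner `while (*cp && *cp == ' ') cp++;` has stopped on the terminating NUL, so a command string ending in a space is scanned past its end; add `if (*cp == 0) break;` after the inner loop. When `PR_ImportPipe(pipefd[0])` returns NULL the read end stays open and, since the caller receives no descriptor to pass to bl_CloseUnPrelink, the child is presumably never reaped.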
@@ -117,10 +337,13 @@ BLAPI_SHVerify(const char *name, PRFuncPtr addr) SECStatus rv; DSAPublicKey key; int count; +#ifdef FREEBL_USE_PRELINK + int pid = 0; +#endif PRBool result = PR_FALSE; /* if anything goes wrong, * the signature does not verify */ - unsigned char buf[512]; + unsigned char buf[4096]; unsigned char hashBuf[SHA1_LENGTH]; PORT_Memset(&key,0,sizeof(key)); @@ -197,7 +420,11 @@ BLAPI_SHVerify(const char *name, PRFuncPtr addr) checkFD = NULL; /* open our library file */ +#ifdef FREEBL_USE_PRELINK + shFD = bl_OpenUnPrelink(shName,&pid); +#else shFD = PR_Open(shName, PR_RDONLY, 0); +#endif if (shFD == NULL) { #ifdef DEBUG_SHVERIFY fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n", @@ -218,7 +445,11 @@ BLAPI_SHVerify(const char *name, PRFuncPtr addr) SHA1_Update(hashcx, buf, bytesRead); count += bytesRead; } +#ifdef FREEBL_USE_PRELINK + bl_CloseUnPrelink(shFD, pid); +#else PR_Close(shFD); +#endif shFD = NULL; SHA1_End(hashcx, hash.data, &hash.len, hash.len); @@ -255,9 +486,6 @@ BLAPI_SHVerify(const char *name, PRFuncPtr addr) loser: - if (shName != NULL) { - PR_Free(shName); - } if (checkName != NULL) { PORT_Free(checkName); } @@ -292,8 +520,11 @@ loser: PRBool BLAPI_VerifySelf(const char *name) { - /* to separate shlib to verify if name is NULL */ if (name == NULL) { + /* + * If name is NULL, freebl is statically linked into softoken. + * softoken will call BLAPI_SHVerify next to verify itself. + */ return PR_TRUE; } return BLAPI_SHVerify(name, (PRFuncPtr) decodeInt); diff --git a/security/nss/lib/freebl/stubs.c b/security/nss/lib/freebl/stubs.c index 02d3f04518c..9fd67b887fb 100644 --- a/security/nss/lib/freebl/stubs.c +++ b/security/nss/lib/freebl/stubs.c @@ -70,6 +70,7 @@ #include #include #include +#include #define FREEBL_NO_WEAK 1 
@@ -155,6 +156,7 @@ STUB_DECLARE(void,PR_DestroyCondVar,(PRCondVar *cvar)); STUB_DECLARE(void,PR_Free,(void *ptr)); STUB_DECLARE(char * ,PR_GetLibraryFilePathname,(const char *name, PRFuncPtr addr)); +STUB_DECLARE(PRFileDesc *,PR_ImportPipe,(PROsfd osfd)); STUB_DECLARE(void,PR_Lock,(PRLock *lock)); STUB_DECLARE(PRCondVar *,PR_NewCondVar,(PRLock *lock)); STUB_DECLARE(PRLock *,PR_NewLock,(void)); @@ -170,6 +172,7 @@ STUB_DECLARE(PRStatus,PR_Unlock,(PRLock *lock)); STUB_DECLARE(PRStatus,PR_WaitCondVar,(PRCondVar *cvar, PRIntervalTime timeout)); + STUB_DECLARE(SECItem *,SECITEM_AllocItem_Util,(PRArenaPool *arena, SECItem *item,unsigned int len)); STUB_DECLARE(SECComparison,SECITEM_CompareItem_Util,(const SECItem *a, @@ -303,6 +306,20 @@ PR_Open_stub(const char *name, PRIntn flags, PRIntn mode) return (PRFileDesc *)lfd; } +extern PRFileDesc * +PR_ImportPipe_stub(PROsfd fd) +{ + int *lfd = NULL; + + STUB_SAFE_CALL1(PR_ImportPipe, fd); + + lfd = PORT_New_stub(int); + if (lfd != NULL) { + *lfd = fd; + } + return (PRFileDesc *)lfd; +} + extern PRStatus PR_Close_stub(PRFileDesc *fd) { @@ -549,6 +566,7 @@ freebl_InitNSPR(void *lib) { STUB_FETCH_FUNCTION(PR_Free); STUB_FETCH_FUNCTION(PR_Open); + STUB_FETCH_FUNCTION(PR_ImportPipe); STUB_FETCH_FUNCTION(PR_Close); STUB_FETCH_FUNCTION(PR_Read); STUB_FETCH_FUNCTION(PR_Seek); diff --git a/security/nss/lib/freebl/stubs.h b/security/nss/lib/freebl/stubs.h index d435634ff16..dafa4701771 100644 --- a/security/nss/lib/freebl/stubs.h +++ b/security/nss/lib/freebl/stubs.h 
@@ -68,16 +68,16 @@ #define SECITEM_CopyItem SECITEM_CopyItem_stub #define SECITEM_FreeItem SECITEM_FreeItem_stub #define SECITEM_ZfreeItem SECITEM_ZfreeItem_stub - #define NSS_SecureMemcmp NSS_SecureMemcmp_stub -#define PR_DestroyCondVar PR_DestroyCondVar_stub #define PR_Assert PR_Assert_stub #define PR_CallOnce PR_CallOnce_stub #define PR_Close PR_Close_stub +#define PR_DestroyCondVar PR_DestroyCondVar_stub #define PR_DestroyLock PR_DestroyLock_stub #define PR_Free PR_Free_stub #define PR_GetLibraryFilePathname PR_GetLibraryFilePathname_stub +#define PR_ImportPipe PR_ImportPipe_stub #define PR_Lock PR_Lock_stub #define PR_NewCondVar PR_NewCondVar_stub #define PR_NewLock PR_NewLock_stub diff --git a/security/nss/lib/freebl/tlsprfalg.c b/security/nss/lib/freebl/tlsprfalg.c index 4208ebc98c0..4eabf459bf6 100644 --- a/security/nss/lib/freebl/tlsprfalg.c +++ b/security/nss/lib/freebl/tlsprfalg.c @@ -35,7 +35,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: tlsprfalg.c,v 1.6 2008/11/18 19:48:24 rrelyea%redhat.com Exp $ */ +/* $Id: tlsprfalg.c,v 1.7 2010/08/10 22:03:36 rrelyea%redhat.com Exp $ */ #ifdef FREEBL_NO_DEPEND #include "stubs.h" @@ -46,11 +46,11 @@ #include "blapi.h" -#define PHASH_STATE_MAX_LEN SHA1_LENGTH +#define PHASH_STATE_MAX_LEN HASH_LENGTH_MAX /* TLS P_hash function */ -static SECStatus -sftk_P_hash(HASH_HashType hashType, const SECItem *secret, const char *label, +SECStatus +TLS_P_hash(HASH_HashType hashType, const SECItem *secret, const char *label, SECItem *seed, SECItem *result, PRBool isFIPS) { unsigned char state[PHASH_STATE_MAX_LEN]; 
@@ -148,11 +148,11 @@ TLS_PRF(const SECItem *secret, const char *label, SECItem *seed, goto loser; tmp.len = result->len; - status = sftk_P_hash(HASH_AlgMD5, &S1, label, seed, result, isFIPS); + status = TLS_P_hash(HASH_AlgMD5, &S1, label, seed, result, isFIPS); if (status != SECSuccess) goto loser; - status = sftk_P_hash(HASH_AlgSHA1, &S2, label, seed, &tmp, isFIPS); + status = TLS_P_hash(HASH_AlgSHA1, &S2, label, seed, &tmp, isFIPS); if (status != SECSuccess) goto loser; diff --git a/security/nss/lib/jar/config.mk b/security/nss/lib/jar/config.mk index 331dd190468..1c6538ff479 100644 --- a/security/nss/lib/jar/config.mk +++ b/security/nss/lib/jar/config.mk @@ -48,7 +48,7 @@ PROGRAM = # NSS_X86 means the target is a 32-bits x86 CPU architecture # NSS_X64 means the target is a 64-bits x64 CPU architecture # NSS_X86_OR_X64 means the target is either x86 or x64 -ifeq (,$(filter-out x386 x86 x86_64,$(CPU_ARCH))) +ifeq (,$(filter-out i386 x386 x86 x86_64,$(CPU_ARCH))) DEFINES += -DNSS_X86_OR_X64 ifdef USE_64 DEFINES += -DNSS_X64 diff --git a/security/nss/lib/jar/jarver.c b/security/nss/lib/jar/jarver.c index 6aee23a777f..37fe8a7bd83 100644 --- a/security/nss/lib/jar/jarver.c +++ b/security/nss/lib/jar/jarver.c @@ -124,7 +124,7 @@ JAR_parse_manifest(JAR *jar, char *raw_manifest, long length, { int filename_free = 0; - /* fill in the path, if supplied. This is a the location + /* fill in the path, if supplied. This is the location of the jar file on disk, if known */ if (jar->filename == NULL && path) { diff --git a/security/nss/lib/jar/manifest.mn b/security/nss/lib/jar/manifest.mn index 9de67cc115a..2255860c7a8 100644 --- a/security/nss/lib/jar/manifest.mn +++ b/security/nss/lib/jar/manifest.mn @@ -49,8 +49,6 @@ CSRCS = \ jarint.c \ $(NULL) -REQUIRES = dbm - EXPORTS = jar.h jar-ds.h jarfile.h DEFINES = -DMOZILLA_CLIENT=1 
diff --git a/security/nss/lib/libpkix/pkix/certsel/manifest.mn b/security/nss/lib/libpkix/pkix/certsel/manifest.mn index c5d1b4e01a4..62f11cb4f5e 100755 --- a/security/nss/lib/libpkix/pkix/certsel/manifest.mn +++ b/security/nss/lib/libpkix/pkix/certsel/manifest.mn @@ -52,7 +52,5 @@ CSRCS = \ pkix_comcertselparams.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = pkixcertsel diff --git a/security/nss/lib/libpkix/pkix/checker/manifest.mn b/security/nss/lib/libpkix/pkix/checker/manifest.mn index 6a270287120..8f3b9b32615 100755 --- a/security/nss/lib/libpkix/pkix/checker/manifest.mn +++ b/security/nss/lib/libpkix/pkix/checker/manifest.mn @@ -74,7 +74,5 @@ CSRCS = \ pkix_targetcertchecker.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = pkixchecker diff --git a/security/nss/lib/libpkix/pkix/crlsel/manifest.mn b/security/nss/lib/libpkix/pkix/crlsel/manifest.mn index 0679f260dbb..a483e04ed18 100755 --- a/security/nss/lib/libpkix/pkix/crlsel/manifest.mn +++ b/security/nss/lib/libpkix/pkix/crlsel/manifest.mn @@ -52,7 +52,5 @@ CSRCS = \ pkix_comcrlselparams.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = pkixcrlsel diff --git a/security/nss/lib/libpkix/pkix/params/manifest.mn b/security/nss/lib/libpkix/pkix/params/manifest.mn index deadc6a1ce9..e3f9c14505b 100755 --- a/security/nss/lib/libpkix/pkix/params/manifest.mn +++ b/security/nss/lib/libpkix/pkix/params/manifest.mn @@ -56,7 +56,5 @@ CSRCS = \ pkix_resourcelimits.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = pkixparams diff --git a/security/nss/lib/libpkix/pkix/results/manifest.mn b/security/nss/lib/libpkix/pkix/results/manifest.mn index bcc97580045..6d16fec9b82 100755 --- a/security/nss/lib/libpkix/pkix/results/manifest.mn +++ b/security/nss/lib/libpkix/pkix/results/manifest.mn @@ -56,7 +56,5 @@ CSRCS = \ pkix_verifynode.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = pkixresults diff --git a/security/nss/lib/libpkix/pkix/store/manifest.mn b/security/nss/lib/libpkix/pkix/store/manifest.mn index 95101f26ca5..025a1b5b966 100755 
--- a/security/nss/lib/libpkix/pkix/store/manifest.mn +++ b/security/nss/lib/libpkix/pkix/store/manifest.mn @@ -50,7 +50,5 @@ CSRCS = \ pkix_store.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = pkixstore diff --git a/security/nss/lib/libpkix/pkix/top/manifest.mn b/security/nss/lib/libpkix/pkix/top/manifest.mn index 67efa32fa4b..a9c2729723e 100755 --- a/security/nss/lib/libpkix/pkix/top/manifest.mn +++ b/security/nss/lib/libpkix/pkix/top/manifest.mn @@ -54,7 +54,5 @@ CSRCS = \ pkix_build.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = pkixtop diff --git a/security/nss/lib/libpkix/pkix/util/manifest.mn b/security/nss/lib/libpkix/pkix/util/manifest.mn index 8776310b443..938788b578f 100755 --- a/security/nss/lib/libpkix/pkix/util/manifest.mn +++ b/security/nss/lib/libpkix/pkix/util/manifest.mn @@ -57,7 +57,5 @@ CSRCS = \ pkix_errpaths.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = pkixutil diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn b/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn index c757dfe9401..478bc4d680b 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn @@ -75,7 +75,5 @@ CSRCS = \ pkix_pl_socket.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = pkixmodule diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c index 1bd0a5a3808..649d97649a1 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c @@ -1350,6 +1350,7 @@ pkix_pl_HttpDefaultClient_TrySendAndReceive( PKIX_UInt32 postLen = 0; PRPollDesc *pollDesc = NULL; char *sendbuf = NULL; + char portstr[16]; PKIX_ENTER (HTTPDEFAULTCLIENT, 
@@ -1393,13 +1394,19 @@ pkix_pl_HttpDefaultClient_TrySendAndReceive( client->rcv_http_data = http_response_data; /* prepare the message */ + portstr[0] = '\0'; + if (client->portnum != 80) { + PR_snprintf(portstr, sizeof(portstr), ":%d", + client->portnum); + } + if (client->send_http_method == HTTP_POST_METHOD) { sendbuf = PR_smprintf - ("POST %s HTTP/1.0\r\nHost: %s:%d\r\n" + ("POST %s HTTP/1.0\r\nHost: %s%s\r\n" "Content-Type: %s\r\nContent-Length: %u\r\n\r\n", client->path, client->host, - client->portnum, + portstr, client->send_http_content_type, client->send_http_data_len); postLen = PORT_Strlen(sendbuf); @@ -1427,10 +1434,10 @@ pkix_pl_HttpDefaultClient_TrySendAndReceive( } else if (client->send_http_method == HTTP_GET_METHOD) { client->GETBuf = PR_smprintf - ("GET %s HTTP/1.1\r\nHost: %s:%d\r\n\r\n", + ("GET %s HTTP/1.0\r\nHost: %s%s\r\n\r\n", client->path, client->host, - client->portnum); + portstr); client->GETLen = PORT_Strlen(client->GETBuf); } diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn b/security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn index 322ea85eb9c..338532360cc 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn @@ -83,7 +83,5 @@ CSRCS = \ pkix_pl_ocspcertid.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = pkixpki diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/manifest.mn b/security/nss/lib/libpkix/pkix_pl_nss/system/manifest.mn index bcf03ee37b6..a5c0e1808c8 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/system/manifest.mn +++ b/security/nss/lib/libpkix/pkix_pl_nss/system/manifest.mn @@ -75,7 +75,5 @@ CSRCS = \ pkix_pl_string.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = pkixsystem diff --git a/security/nss/lib/nss/manifest.mn b/security/nss/lib/nss/manifest.mn index b3bbd97a29a..a497cd10f24 100644 --- a/security/nss/lib/nss/manifest.mn +++ b/security/nss/lib/nss/manifest.mn 
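Review bot: Both request builders pass the `PR_smprintf` result straight to `PORT_Strlen`, in `postLen = PORT_Strlen(sendbuf);` here and in `client->GETLen = PORT_Strlen(client->GETBuf);` in the GET hunk that follows, so a NULL return on allocation failure is dereferenced. Test the pointer and take the function's existing error path before measuring the string. `client->host` and `client->path` are also formatted into the request line and the Host header unchanged; if they can originate from a URL carried in a certificate, they should be rejected when they contain CR or LF before the request is assembled (where they are validated is outside the hunk). The function body starts and ends outside both hunks.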
@@ -52,8 +52,6 @@ CSRCS = \ utilwrap.c \ $(NULL) -REQUIRES = dbm - MAPFILE = $(OBJDIR)/nss.def LIBRARY_NAME = nss diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def index 0373d80d560..c7674de5443 100644 --- a/security/nss/lib/nss/nss.def +++ b/security/nss/lib/nss/nss.def @@ -1020,3 +1020,11 @@ CERT_DestroyCERTRevocationFlags; ;+ local: ;+ *; ;+}; +;+NSS_3.13 { # NSS 3.13 release +;+ global: +;;SECKEY_RSAPSSParamsTemplate DATA ; +NSS_Get_SECKEY_RSAPSSParamsTemplate; +NSS_GetVersion; +;+ local: +;+ *; +;+}; diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index 6d9aa870078..c3e119ebea2 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: nss.h,v 1.81.2.8 2011/08/09 15:56:30 kaie%kuix.de Exp $ */ +/* $Id: nss.h,v 1.83 2011/08/01 07:08:08 kaie%kuix.de Exp $ */ #ifndef __nss_h_ #define __nss_h_ @@ -66,12 +66,12 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define NSS_VERSION "3.12.11.0" _NSS_ECC_STRING _NSS_CUSTOMIZED +#define NSS_VERSION "3.13.0.0" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta" #define NSS_VMAJOR 3 -#define NSS_VMINOR 12 -#define NSS_VPATCH 11 +#define NSS_VMINOR 13 +#define NSS_VPATCH 0 #define NSS_VBUILD 0 -#define NSS_BETA PR_FALSE +#define NSS_BETA PR_TRUE #ifndef RC_INVOKED @@ -157,7 +157,7 @@ SEC_BEGIN_PROTOS * Return a boolean that indicates whether the underlying library * will perform as the caller expects. * - * The only argument is a string, which should be the verson + * The only argument is a string, which should be the version * identifier of the NSS library. That string will be compared * against a string that represents the actual build version of * the NSS library. It also invokes the version checking functions 
@@ -165,6 +165,11 @@ SEC_BEGIN_PROTOS */ extern PRBool NSS_VersionCheck(const char *importedVersion); +/* + * Returns a const string of the NSS library version. + */ +extern const char *NSS_GetVersion(void); + /* * Open the Cert, Key, and Security Module databases, read only. * Initialize the Random Number Generator. diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c index cafa012093e..da05206bfd1 100644 --- a/security/nss/lib/nss/nssinit.c +++ b/security/nss/lib/nss/nssinit.c @@ -36,14 +36,16 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: nssinit.c,v 1.106 2010/04/03 20:06:00 nelson%bolyard.com Exp $ */ +/* $Id: nssinit.c,v 1.108 2011/08/17 14:40:49 emaldona%redhat.com Exp $ */ #include #include #include "seccomon.h" +#include "prerror.h" #include "prinit.h" #include "prprf.h" #include "prmem.h" +#include "prtypes.h" #include "cert.h" #include "key.h" #include "secmod.h" @@ -51,7 +53,9 @@ #include "nss.h" #include "pk11func.h" #include "secerr.h" +#include "errstrs.h" #include "nssbase.h" +#include "nssutil.h" #include "pkixt.h" #include "pkix.h" #include "pkix_tools.h" @@ -377,6 +381,7 @@ nss_InitModules(const char *configdir, const char *certPrefix, PRBool isContextInit) { SECStatus rv = SECFailure; + PRStatus status = PR_SUCCESS; char *moduleSpec = NULL; char *flags = NULL; char *lconfigdir = NULL; @@ -389,6 +394,12 @@ nss_InitModules(const char *configdir, const char *certPrefix, char *lupdateID = NULL; char *lupdateName = NULL; + status = NSS_InitializePRErrorTable(); + if (status != PR_SUCCESS) { + PORT_SetError(status); + return SECFailure; + } + flags = nss_makeFlags(readOnly,noCertDB,noModDB,forceOpen, pwRequired, optimizeSpace); if (flags == NULL) return rv; @@ -1204,3 +1215,9 @@ NSS_VersionCheck(const char *importedVersion) } return PR_TRUE; } + +const char * +NSS_GetVersion(void) +{ + return NSS_VERSION; +} 
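Review bot: In the nss_InitModules hunk, `PORT_SetError(status)` stores a `PRStatus` value as the error code, so when `NSS_InitializePRErrorTable()` fails the caller reads `PR_FAILURE` (-1) from the error slot rather than a SEC_ERROR_* value. Set a real code instead, for example `PORT_SetError(SEC_ERROR_NO_MEMORY);` if allocation is the only way the table setup can fail (its body is not visible here). The function body continues outside the hunk.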
diff --git a/security/nss/lib/pk11wrap/debug_module.c b/security/nss/lib/pk11wrap/debug_module.c index 0b29647a6df..cbe8a891d33 100644 --- a/security/nss/lib/pk11wrap/debug_module.c +++ b/security/nss/lib/pk11wrap/debug_module.c @@ -163,18 +163,18 @@ static void get_attr_type_str(CK_ATTRIBUTE_TYPE atype, char *str, int len) CASE(CKA_RESET_ON_INIT); CASE(CKA_HAS_RESET); CASE(CKA_VENDOR_DEFINED); - CASE(CKA_NETSCAPE_URL); - CASE(CKA_NETSCAPE_EMAIL); - CASE(CKA_NETSCAPE_SMIME_INFO); - CASE(CKA_NETSCAPE_SMIME_TIMESTAMP); - CASE(CKA_NETSCAPE_PKCS8_SALT); - CASE(CKA_NETSCAPE_PASSWORD_CHECK); - CASE(CKA_NETSCAPE_EXPIRES); - CASE(CKA_NETSCAPE_KRL); - CASE(CKA_NETSCAPE_PQG_COUNTER); - CASE(CKA_NETSCAPE_PQG_SEED); - CASE(CKA_NETSCAPE_PQG_H); - CASE(CKA_NETSCAPE_PQG_SEED_BITS); + CASE(CKA_NSS_URL); + CASE(CKA_NSS_EMAIL); + CASE(CKA_NSS_SMIME_INFO); + CASE(CKA_NSS_SMIME_TIMESTAMP); + CASE(CKA_NSS_PKCS8_SALT); + CASE(CKA_NSS_PASSWORD_CHECK); + CASE(CKA_NSS_EXPIRES); + CASE(CKA_NSS_KRL); + CASE(CKA_NSS_PQG_COUNTER); + CASE(CKA_NSS_PQG_SEED); + CASE(CKA_NSS_PQG_H); + CASE(CKA_NSS_PQG_SEED_BITS); CASE(CKA_TRUST); CASE(CKA_TRUST_DIGITAL_SIGNATURE); CASE(CKA_TRUST_NON_REPUDIATION); @@ -216,10 +216,10 @@ static void get_obj_class(CK_OBJECT_CLASS objClass, char *str, int len) CASE(CKO_SECRET_KEY); CASE(CKO_HW_FEATURE); CASE(CKO_DOMAIN_PARAMETERS); - CASE(CKO_NETSCAPE_CRL); - CASE(CKO_NETSCAPE_SMIME); - CASE(CKO_NETSCAPE_TRUST); - CASE(CKO_NETSCAPE_BUILTIN_ROOT_LIST); + CASE(CKO_NSS_CRL); + CASE(CKO_NSS_SMIME); + CASE(CKO_NSS_TRUST); + CASE(CKO_NSS_BUILTIN_ROOT_LIST); default: break; } if (a) 
@@ -233,13 +233,12 @@ static void get_trust_val(CK_TRUST trust, char *str, int len) const char * a = NULL; switch (trust) { - CASE(CKT_NETSCAPE_TRUSTED); - CASE(CKT_NETSCAPE_TRUSTED_DELEGATOR); - CASE(CKT_NETSCAPE_UNTRUSTED); - CASE(CKT_NETSCAPE_MUST_VERIFY); - CASE(CKT_NETSCAPE_TRUST_UNKNOWN); - CASE(CKT_NETSCAPE_VALID); - CASE(CKT_NETSCAPE_VALID_DELEGATOR); + CASE(CKT_NSS_TRUSTED); + CASE(CKT_NSS_TRUSTED_DELEGATOR); + CASE(CKT_NSS_NOT_TRUSTED); + CASE(CKT_NSS_MUST_VERIFY_TRUST); + CASE(CKT_NSS_TRUST_UNKNOWN); + CASE(CKT_NSS_VALID_DELEGATOR); default: break; } if (a) @@ -688,8 +687,8 @@ static void print_attr_value(CK_ATTRIBUTE_PTR attr) break; } case CKA_LABEL: - case CKA_NETSCAPE_EMAIL: - case CKA_NETSCAPE_URL: + case CKA_NSS_EMAIL: + case CKA_NSS_URL: if (attr->ulValueLen > 0 && attr->pValue) { len = PR_MIN(attr->ulValueLen + 1, sizeof valstr); PR_snprintf(valstr, len, "%s", attr->pValue); diff --git a/security/nss/lib/pk11wrap/dev3hack.c b/security/nss/lib/pk11wrap/dev3hack.c index af50b1748e5..8691f651ea2 100644 --- a/security/nss/lib/pk11wrap/dev3hack.c +++ b/security/nss/lib/pk11wrap/dev3hack.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: dev3hack.c,v $ $Revision: 1.25 $ $Date: 2008/09/30 04:09:04 $"; +static const char CVS_ID[] = "@(#) $RCSfile: dev3hack.c,v $ $Revision: 1.26 $ $Date: 2010/09/09 21:14:24 $"; #endif /* DEBUG */ #ifndef PKIT_H 
@@ -85,39 +85,41 @@ nssSlot_CreateSession ) { nssSession *rvSession; + + if (!readWrite) { + /* nss3hack version only returns rw swssions */ + return NULL; + } rvSession = nss_ZNEW(arenaOpt, nssSession); if (!rvSession) { return (nssSession *)NULL; } - if (readWrite) { - rvSession->handle = PK11_GetRWSession(slot->pk11slot); - if (rvSession->handle == CK_INVALID_HANDLE) { + + rvSession->handle = PK11_GetRWSession(slot->pk11slot); + if (rvSession->handle == CK_INVALID_HANDLE) { nss_ZFreeIf(rvSession); return NULL; - } - rvSession->isRW = PR_TRUE; - rvSession->slot = slot; - /* - * The session doesn't need its own lock. Here's why. - * 1. If we are reusing the default RW session of the slot, - * the slot lock is already locked to protect the session. - * 2. If the module is not thread safe, the slot (or rather - * module) lock is already locked. - * 3. If the module is thread safe and we are using a new - * session, no higher-level lock has been locked and we - * would need a lock for the new session. However, the - * current usage of the session is that it is always - * used and destroyed within the same function and never - * shared with another thread. - * So the session is either already protected by another - * lock or only used by one thread. - */ - rvSession->lock = NULL; - rvSession->ownLock = PR_FALSE; - return rvSession; - } else { - return NULL; } + rvSession->isRW = PR_TRUE; + rvSession->slot = slot; + /* + * The session doesn't need its own lock. Here's why. + * 1. If we are reusing the default RW session of the slot, + * the slot lock is already locked to protect the session. + * 2. If the module is not thread safe, the slot (or rather + * module) lock is already locked. + * 3. If the module is thread safe and we are using a new + * session, no higher-level lock has been locked and we + * would need a lock for the new session. 
However, the + * current usage of the session is that it is always + * used and destroyed within the same function and never + * shared with another thread. + * So the session is either already protected by another + * lock or only used by one thread. + */ + rvSession->lock = NULL; + rvSession->ownLock = PR_FALSE; + return rvSession; } NSS_IMPLEMENT PRStatus diff --git a/security/nss/lib/pk11wrap/manifest.mn b/security/nss/lib/pk11wrap/manifest.mn index 0fb04d3e476..8f6924c373e 100644 --- a/security/nss/lib/pk11wrap/manifest.mn +++ b/security/nss/lib/pk11wrap/manifest.mn @@ -77,8 +77,6 @@ CSRCS = \ pk11util.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = pk11wrap LIBRARY_VERSION = 3 diff --git a/security/nss/lib/pk11wrap/pk11akey.c b/security/nss/lib/pk11wrap/pk11akey.c index d268146f3c2..6e1dc1712cb 100644 --- a/security/nss/lib/pk11wrap/pk11akey.c +++ b/security/nss/lib/pk11wrap/pk11akey.c @@ -223,6 +223,9 @@ PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey, } break; default: + if (ckaId) { + SECITEM_FreeItem(ckaId,PR_TRUE); + } PORT_SetError( SEC_ERROR_BAD_KEY ); return CK_INVALID_HANDLE; } @@ -272,7 +275,7 @@ pk11_Attr2SecItem(PRArenaPool *arena, const CK_ATTRIBUTE *attr, SECItem *item) /* * get a curve length from a set of ecParams. * - * We need this so we can reliably determine if a the ecPoint passed to us + * We need this so we can reliably determine if the ecPoint passed to us * was encoded or not. With out this, for many curves, we would incorrectly * identify an unencoded curve as an encoded curve 1 in 65536 times, and for * a few we would make that same mistake 1 in 32768 times. These are bad 
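Review bot: The new early return in nssSlot_CreateSession gives back NULL for a read-only request without recording any error, so a caller cannot tell an unsupported request from an allocation failure or an invalid RW session handle. Consider setting an error before `return NULL;` in the `if (!readWrite)` branch, in whatever form the rest of this file uses (not visible here). The added comment also contains a typo and should read `/* nss3hack version only returns rw sessions */`. The function signature starts above the hunk.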
@@ -465,7 +468,7 @@ pk11_get_Decoded_ECPoint(PRArenaPool *arena, const SECItem *ecParams, * form that's correct, with a preference for the encoded form if we * can't determine for sure. We do this by checking the key we got * back from SEC_QuickDERDecodeItem for defects. If no defects are - * found, we assume the encoded paramter was was passed to us. + * found, we assume the encoded parameter was was passed to us. * our defect tests include: * 1) it didn't decode. * 2) The decode key had an invalid length (must be odd). diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c index 78acd302c43..43047e78a9b 100644 --- a/security/nss/lib/pk11wrap/pk11cert.c +++ b/security/nss/lib/pk11wrap/pk11cert.c 
@@ -1367,6 +1367,69 @@ loser: return NULL; } +static PRCallOnceType keyIDHashCallOnce; + +static PRStatus PR_CALLBACK +pk11_keyIDHash_populate(void *wincx) +{ + CERTCertList *certList; + CERTCertListNode *node = NULL; + SECItem subjKeyID = {siBuffer, NULL, 0}; + SECItem *slotid = NULL; + SECMODModuleList *modules, *mlp; + SECMODListLock *moduleLock; + int i; + + certList = PK11_ListCerts(PK11CertListUser, wincx); + if (!certList) { + return PR_FAILURE; + } + + for (node = CERT_LIST_HEAD(certList); + !CERT_LIST_END(node, certList); + node = CERT_LIST_NEXT(node)) { + if (CERT_FindSubjectKeyIDExtension(node->cert, + &subjKeyID) == SECSuccess && + subjKeyID.data != NULL) { + cert_AddSubjectKeyIDMapping(&subjKeyID, node->cert); + SECITEM_FreeItem(&subjKeyID, PR_FALSE); + } + } + CERT_DestroyCertList(certList); + + /* + * Record the state of each slot in a hash. The concatenation of slotID + * and moduleID is used as its key, with the slot series as its value. + */ + slotid = SECITEM_AllocItem(NULL, NULL, + sizeof(CK_SLOT_ID) + sizeof(SECMODModuleID)); + if (!slotid) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return PR_FAILURE; + } + moduleLock = SECMOD_GetDefaultModuleListLock(); + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return PR_FAILURE; + } + SECMOD_GetReadLock(moduleLock); + modules = SECMOD_GetDefaultModuleList(); + for (mlp = modules; mlp; mlp = mlp->next) { + for (i = 0; i < mlp->module->slotCount; i++) { + memcpy(slotid->data, &mlp->module->slots[i]->slotID, + sizeof(CK_SLOT_ID)); + memcpy(&slotid->data[sizeof(CK_SLOT_ID)], &mlp->module->moduleID, + sizeof(SECMODModuleID)); + cert_UpdateSubjectKeyIDSlotCheck(slotid, + mlp->module->slots[i]->series); + } + } + SECMOD_ReleaseReadLock(moduleLock); + SECITEM_FreeItem(slotid, PR_TRUE); + + return PR_SUCCESS; +} + /* * We're looking for a cert which we have the private key for that's on the * list of recipients. This searches one slot. 
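Review bot: pk11_keyIDHash_populate leaks `slotid` when `SECMOD_GetDefaultModuleListLock()` returns NULL, because that branch returns `PR_FAILURE` after `SECITEM_AllocItem` has already succeeded. Add `SECITEM_FreeItem(slotid, PR_TRUE);` before that `return PR_FAILURE;`, or obtain the lock before allocating the item. A short header comment stating that the function fills both the subject-key-ID map and the per-slot series table would also help, since the name only suggests the first.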
@@ -1379,11 +1442,77 @@ pk11_FindCertObjectByRecipientNew(PK11SlotInfo *slot, NSSCMSRecipient **recipien { NSSCMSRecipient *ri = NULL; int i; + PRBool tokenRescanDone = PR_FALSE; for (i=0; (ri = recipientlist[i]) != NULL; i++) { CERTCertificate *cert = NULL; if (ri->kind == RLSubjKeyID) { SECItem *derCert = cert_FindDERCertBySubjectKeyID(ri->id.subjectKeyID); + if (!derCert && !tokenRescanDone) { + /* + * We didn't find the cert by its key ID. If we have slots + * with removable tokens, a failure from + * cert_FindDERCertBySubjectKeyID doesn't necessarily imply + * that the cert is unavailable - the token might simply + * have been inserted after the initial run of + * pk11_keyIDHash_populate (wrapped by PR_CallOnceWithArg), + * or a different token might have been present in that + * slot, initially. Let's check for new tokens... + */ + PK11SlotList *sl = PK11_GetAllTokens(CKM_INVALID_MECHANISM, + PR_FALSE, PR_FALSE, pwarg); + if (sl) { + PK11SlotListElement *le; + SECItem *slotid = SECITEM_AllocItem(NULL, NULL, + sizeof(CK_SLOT_ID) + sizeof(SECMODModuleID)); + if (!slotid) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; + } + for (le = sl->head; le; le = le->next) { + memcpy(slotid->data, &le->slot->slotID, + sizeof(CK_SLOT_ID)); + memcpy(&slotid->data[sizeof(CK_SLOT_ID)], + &le->slot->module->moduleID, + sizeof(SECMODModuleID)); + /* + * Any changes with the slot since our last check? + * If so, re-read the certs in that specific slot. 
+ */ + if (cert_SubjectKeyIDSlotCheckSeries(slotid) + != PK11_GetSlotSeries(le->slot)) { + CERTCertListNode *node = NULL; + SECItem subjKeyID = {siBuffer, NULL, 0}; + CERTCertList *cl = PK11_ListCertsInSlot(le->slot); + if (!cl) { + continue; + } + for (node = CERT_LIST_HEAD(cl); + !CERT_LIST_END(node, cl); + node = CERT_LIST_NEXT(node)) { + if (CERT_IsUserCert(node->cert) && + CERT_FindSubjectKeyIDExtension(node->cert, + &subjKeyID) == SECSuccess) { + if (subjKeyID.data) { + cert_AddSubjectKeyIDMapping(&subjKeyID, + node->cert); + cert_UpdateSubjectKeyIDSlotCheck(slotid, + PK11_GetSlotSeries(le->slot)); + } + SECITEM_FreeItem(&subjKeyID, PR_FALSE); + } + } + CERT_DestroyCertList(cl); + } + } + PK11_FreeSlotList(sl); + SECITEM_FreeItem(slotid, PR_TRUE); + } + /* only check once per message/recipientlist */ + tokenRescanDone = PR_TRUE; + /* do another lookup (hopefully we found that cert...) */ + derCert = cert_FindDERCertBySubjectKeyID(ri->id.subjectKeyID); + } if (derCert) { cert = PK11_FindCertFromDERCertItem(slot, derCert, pwarg); SECITEM_FreeItem(derCert, PR_TRUE); @@ -1558,34 +1687,6 @@ loser: return NULL; } -static PRCallOnceType keyIDHashCallOnce; - -static PRStatus PR_CALLBACK -pk11_keyIDHash_populate(void *wincx) -{ - CERTCertList *certList; - CERTCertListNode *node = NULL; - SECItem subjKeyID = {siBuffer, NULL, 0}; - - certList = PK11_ListCerts(PK11CertListUser, wincx); - if (!certList) { - return PR_FAILURE; - } - - for (node = CERT_LIST_HEAD(certList); - !CERT_LIST_END(node, certList); - node = CERT_LIST_NEXT(node)) { - if (CERT_FindSubjectKeyIDExtension(node->cert, - &subjKeyID) == SECSuccess && - subjKeyID.data != NULL) { - cert_AddSubjectKeyIDMapping(&subjKeyID, node->cert); - SECITEM_FreeItem(&subjKeyID, PR_FALSE); - } - } - CERT_DestroyCertList(certList); - return PR_SUCCESS; -} - /* * This is the new version of the above function for NSS SMIME code * this stuff should REALLY be in the SMIME code, but some things in here are not public 
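Review bot: In the rescan block added to pk11_FindCertObjectByRecipientNew, the `if (!slotid)` branch returns NULL without releasing `sl`, so the slot list obtained from `PK11_GetAllTokens` leaks on allocation failure; call `PK11_FreeSlotList(sl);` before `return NULL;`. Separately, `cert_UpdateSubjectKeyIDSlotCheck` is reached only for a user cert that has a subject key ID, and not at all when `PK11_ListCertsInSlot` returns NULL, so a changed slot without such a cert keeps its old series and is listed again on every later lookup. Recording the series once per slot after the cert loop would avoid the repeated token scan. The function continues outside the hunk.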
@@ -2060,14 +2161,14 @@ PK11_FindCertFromDERCert(PK11SlotInfo *slot, CERTCertificate *cert, } CERTCertificate * -PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, SECItem *inDerCert, +PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, const SECItem *inDerCert, void *wincx) { - NSSCertificate *c; NSSDER derCert; NSSToken *tok; NSSTrustDomain *td = STAN_GetDefaultTrustDomain(); + nssCryptokiObject *co = NULL; SECStatus rv; tok = PK11Slot_GetNSSToken(slot); @@ -2077,26 +2178,12 @@ PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, SECItem *inDerCert, PK11_FreeSlot(slot); return NULL; } - c = NSSTrustDomain_FindCertificateByEncodedCertificate(td, &derCert); - if (c) { - PRBool isToken = PR_FALSE; - NSSToken **tp; - NSSToken **tokens = nssPKIObject_GetTokens(&c->object, NULL); - if (tokens) { - for (tp = tokens; *tp; tp++) { - if (*tp == tok) { - isToken = PR_TRUE; - break; - } - } - if (!isToken) { - NSSCertificate_Destroy(c); - c = NULL; - } - nssTokenArray_Destroy(tokens); - } - } - return c ? STAN_GetCERTCertificateOrRelease(c) : NULL; + + co = nssToken_FindCertificateByEncodedCertificate(tok, NULL, &derCert, + nssTokenSearchType_TokenOnly, NULL); + + return co ? PK11_MakeCertFromHandle(slot, co->handle, NULL) : NULL; + } /* @@ -2188,11 +2275,8 @@ PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert, PRBool KEAPQGCompare(CERTCertificate *server,CERTCertificate *cert) { - if ( SECKEY_KEAParamCompare(server,cert) == SECEqual ) { - return PR_TRUE; - } else { - return PR_FALSE; - } + /* not implemented */ + return PR_FALSE; } PRBool @@ -2349,6 +2433,7 @@ pk11ListCertCallback(NSSCertificate *c, void *arg) PRBool isCA = PR_FALSE; char *nickname = NULL; unsigned int certType; + SECStatus rv; if ((type == PK11CertListUnique) || (type == PK11CertListRootUnique) || (type == PK11CertListCAUnique) || (type == PK11CertListUserUnique) ) { 
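Review bot: In PK11_FindCertFromDERCertItem the `nssCryptokiObject` returned by `nssToken_FindCertificateByEncodedCertificate` is never released, since the new return statement only reads `co->handle`. Assuming the finder returns an owned object, as the instance arrays freed with `nssCryptokiObjectArray_Destroy` elsewhere in this file suggest, every successful lookup leaks one object. The result should be built into a local, the object destroyed, and the local returned. The `td` local initialised from `STAN_GetDefaultTrustDomain()` in the preceding hunk also appears to be unused after this change.

```c
    CERTCertificate *cert = NULL;
    /* … unchanged: token lookup and DER item setup … */
    co = nssToken_FindCertificateByEncodedCertificate(tok, NULL, &derCert,
                                          nssTokenSearchType_TokenOnly, NULL);
    if (co) {
        cert = PK11_MakeCertFromHandle(slot, co->handle, NULL);
        nssCryptokiObject_Destroy(co);
    }
    return cert;
```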
@@ -2391,9 +2476,13 @@ pk11ListCertCallback(NSSCertificate *c, void *arg) /* put slot certs at the end */ if (newCert->slot && !PK11_IsInternal(newCert->slot)) { - CERT_AddCertToListTailWithData(certList,newCert,nickname); + rv = CERT_AddCertToListTailWithData(certList,newCert,nickname); } else { - CERT_AddCertToListHeadWithData(certList,newCert,nickname); + rv = CERT_AddCertToListHeadWithData(certList,newCert,nickname); + } + /* if we didn't add the cert to the list, don't leak it */ + if (rv != SECSuccess) { + CERT_DestroyCertificate(newCert); } } else { /* add multiple instances to the cert list */ @@ -2414,9 +2503,13 @@ pk11ListCertCallback(NSSCertificate *c, void *arg) /* put slot certs at the end */ if (slot && !PK11_IsInternal(slot)) { - CERT_AddCertToListTailWithData(certList,newCert,nickname); + rv = CERT_AddCertToListTailWithData(certList,newCert,nickname); } else { - CERT_AddCertToListHeadWithData(certList,newCert,nickname); + rv = CERT_AddCertToListHeadWithData(certList,newCert,nickname); + } + /* if we didn't add the cert to the list, don't leak it */ + if (rv != SECSuccess) { + CERT_DestroyCertificate(newCert); } } nssCryptokiObjectArray_Destroy(instances); @@ -2498,6 +2591,7 @@ listCertsCallback(CERTCertificate* cert, void*arg) nssCryptokiObject *instance, **ci; nssCryptokiObject **instances; NSSCertificate *c = STAN_GetNSSCertificate(cert); + SECStatus rv; if (c == NULL) { return SECFailure; @@ -2520,11 +2614,15 @@ listCertsCallback(CERTCertificate* cert, void*arg) return SECFailure; } nickname = STAN_GetCERTCertificateNameForInstance(cdata->list->arena, - c, instance); + c, instance); nssCryptokiObjectArray_Destroy(instances); - return CERT_AddCertToListTailWithData(cdata->list, - CERT_DupCertificate(cert),nickname); + CERT_DupCertificate(cert); + rv = CERT_AddCertToListTailWithData(cdata->list, cert, nickname); + if (rv != SECSuccess) { + CERT_DestroyCertificate(cert); + } + return rv; } CERTCertList * 
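Review bot: In the last listCertsCallback hunk the return value of `CERT_DupCertificate(cert)` is discarded, and the original `cert` pointer is then added to the list and destroyed on failure. That is only correct while the dup call returns the same pointer with an extra reference. Keeping the result, `CERTCertificate *dup = CERT_DupCertificate(cert);`, and passing `dup` to `CERT_AddCertToListTailWithData` and `CERT_DestroyCertificate` makes the ownership explicit. The function starts above the hunk.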
diff --git a/security/nss/lib/pk11wrap/pk11err.c b/security/nss/lib/pk11wrap/pk11err.c index c87d8a236a5..5299ed3df38 100644 --- a/security/nss/lib/pk11wrap/pk11err.c +++ b/security/nss/lib/pk11wrap/pk11err.c @@ -40,6 +40,10 @@ * operations). If any of these errors need more detail in the upper layers * which call PK11 library functions, we can add more SEC_ERROR_XXX functions * and change there mappings here. + * + * Some PKCS11 errors are mapped to SEC_ERROR_LIBRARY_FAILURE intentionally + * because they indicate that there is a bug in the library (either NSS or + * the token). */ #include "pkcs11t.h" #include "pk11func.h" @@ -147,7 +151,7 @@ PK11_MapError(CK_RV rv) { return pk11_error_map[i].sec_error; } } - return SEC_ERROR_IO; + return SEC_ERROR_UNKNOWN_PKCS11_ERROR; } @@ -156,7 +160,7 @@ PK11_MapError(CK_RV rv) { default: break; } - return SEC_ERROR_IO; + return SEC_ERROR_UNKNOWN_PKCS11_ERROR; } diff --git a/security/nss/lib/pk11wrap/pk11load.c b/security/nss/lib/pk11wrap/pk11load.c index 80850c11c6d..a0d899d5bd8 100644 --- a/security/nss/lib/pk11wrap/pk11load.c +++ b/security/nss/lib/pk11wrap/pk11load.c @@ -387,7 +387,6 @@ SECStatus secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) { PRLibrary *library = NULL; CK_C_GetFunctionList entry = NULL; - char * full_name; CK_INFO info; CK_ULONG slotCount = 0; SECStatus rv; @@ -434,14 +433,11 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) { return SECFailure; } - full_name = PORT_Strdup(mod->dllName); - /* load the library. If this succeeds, then we have to remember to * unload the library if anything goes wrong from here on out... */ - library = PR_LoadLibrary(full_name); + library = PR_LoadLibrary(mod->dllName); mod->library = (void *)library; - PORT_Free(full_name); if (library == NULL) { return SECFailure; diff --git a/security/nss/lib/pk11wrap/pk11mech.c b/security/nss/lib/pk11wrap/pk11mech.c index f69c7feff70..f12102720de 100644 
--- a/security/nss/lib/pk11wrap/pk11mech.c +++ b/security/nss/lib/pk11wrap/pk11mech.c @@ -373,6 +373,7 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len) case CKM_MD2_RSA_PKCS: case CKM_MD5_RSA_PKCS: case CKM_SHA1_RSA_PKCS: + case CKM_SHA224_RSA_PKCS: case CKM_SHA256_RSA_PKCS: case CKM_SHA384_RSA_PKCS: case CKM_SHA512_RSA_PKCS: @@ -407,6 +408,8 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len) case CKM_TLS_KEY_AND_MAC_DERIVE: case CKM_SHA_1_HMAC: case CKM_SHA_1_HMAC_GENERAL: + case CKM_SHA224_HMAC: + case CKM_SHA224_HMAC_GENERAL: case CKM_SHA256_HMAC: case CKM_SHA256_HMAC_GENERAL: case CKM_SHA384_HMAC: @@ -1380,7 +1383,7 @@ pk11_GenIV(CK_MECHANISM_TYPE type, SECItem *iv) { /* - * create a new paramter block from the passed in MECHANISM and the + * create a new parameter block from the passed in MECHANISM and the * key. Use Netscape's S/MIME Rules for the New param block. */ SECItem * diff --git a/security/nss/lib/pk11wrap/pk11merge.c b/security/nss/lib/pk11wrap/pk11merge.c index 5a27725571d..3069460b29d 100644 --- a/security/nss/lib/pk11wrap/pk11merge.c +++ b/security/nss/lib/pk11wrap/pk11merge.c @@ -1037,13 +1037,11 @@ pk11_mergeTrustEntry(CK_ATTRIBUTE *target, CK_ATTRIBUTE *source) * actual trust of the cert (CKT_MUST_VERIFY, CKT_NSS_VALID, * CKT_NSS_VALID_DELEGATOR). */ - if ((sourceTrust == CKT_NSS_MUST_VERIFY) - || (sourceTrust == CKT_NSS_VALID) + if ((sourceTrust == CKT_NSS_MUST_VERIFY_TRUST) || (sourceTrust == CKT_NSS_VALID_DELEGATOR)) { return USE_TARGET; } - if ((targetTrust == CKT_NSS_MUST_VERIFY) - || (targetTrust == CKT_NSS_VALID) + if ((targetTrust == CKT_NSS_MUST_VERIFY_TRUST) || (targetTrust == CKT_NSS_VALID_DELEGATOR)) { /* source overrites the target */ return USE_SOURCE; diff --git a/security/nss/lib/pk11wrap/pk11nobj.c b/security/nss/lib/pk11wrap/pk11nobj.c index ce34de544c3..7cfbecec595 100644 --- a/security/nss/lib/pk11wrap/pk11nobj.c +++ b/security/nss/lib/pk11wrap/pk11nobj.c 
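Review bot: The comment above the changed condition in pk11_mergeTrustEntry still lists `CKT_MUST_VERIFY` and `CKT_NSS_VALID`, while the code now tests only `CKT_NSS_MUST_VERIFY_TRUST` and `CKT_NSS_VALID_DELEGATOR` for both source and target. Update the comment to name the two values actually checked, and add a sentence on why `CKT_NSS_VALID` is no longer treated as a value that yields to the other side, since that changes which trust record wins a merge. The function starts and ends outside the hunk.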
@@ -138,31 +138,31 @@ pk11_HandleTrustObject(PK11SlotInfo *slot, CERTCertificate *cert, CERTCertTrust /* First implementation: keep it simple for testing. We can study what other * mappings would be appropriate and add them later.. fgmr 20000724 */ - if ( serverAuth == CKT_NETSCAPE_TRUSTED ) { - trust->sslFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED; + if ( serverAuth == CKT_NSS_TRUSTED ) { + trust->sslFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; } - if ( serverAuth == CKT_NETSCAPE_TRUSTED_DELEGATOR ) { + if ( serverAuth == CKT_NSS_TRUSTED_DELEGATOR ) { trust->sslFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA; } - if ( clientAuth == CKT_NETSCAPE_TRUSTED_DELEGATOR ) { + if ( clientAuth == CKT_NSS_TRUSTED_DELEGATOR ) { trust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA ; } - if ( emailProtection == CKT_NETSCAPE_TRUSTED ) { - trust->emailFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED; + if ( emailProtection == CKT_NSS_TRUSTED ) { + trust->emailFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; } - if ( emailProtection == CKT_NETSCAPE_TRUSTED_DELEGATOR ) { + if ( emailProtection == CKT_NSS_TRUSTED_DELEGATOR ) { trust->emailFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA; } - if( codeSigning == CKT_NETSCAPE_TRUSTED ) { - trust->objectSigningFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED; + if( codeSigning == CKT_NSS_TRUSTED ) { + trust->objectSigningFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; } - if( codeSigning == CKT_NETSCAPE_TRUSTED_DELEGATOR ) { + if( codeSigning == CKT_NSS_TRUSTED_DELEGATOR ) { trust->objectSigningFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA; } diff --git a/security/nss/lib/pk11wrap/pk11obj.c b/security/nss/lib/pk11wrap/pk11obj.c index 4323ebcb3ab..8ee58b8362f 100644 --- a/security/nss/lib/pk11wrap/pk11obj.c +++ b/security/nss/lib/pk11wrap/pk11obj.c 
@@ -930,7 +930,7 @@ PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, CK_OBJECT_HANDLE privKeyID; CK_MECHANISM mechanism; CK_ATTRIBUTE *attrs = keyTemplate; - SECItem *param_free = NULL, *ck_id; + SECItem *param_free = NULL, *ck_id = NULL; CK_RV crv; CK_SESSION_HANDLE rwsession; PK11SymKey *newKey = NULL; @@ -996,10 +996,12 @@ PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, if (rwsession != CK_INVALID_SESSION) PK11_EnterSlotMonitor(slot); } + /* This is a lot a work to deal with fussy PKCS #11 modules + * that can't bother to return BAD_DATA when presented with an + * invalid session! */ if (rwsession == CK_INVALID_SESSION) { - PK11_FreeSymKey(newKey); PORT_SetError(SEC_ERROR_BAD_DATA); - return NULL; + goto loser; } crv = PK11_GETTAB(slot)->C_UnwrapKey(rwsession, &mechanism, newKey->objectID, @@ -1013,11 +1015,12 @@ PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, PK11_ExitSlotMonitor(slot); } PK11_FreeSymKey(newKey); + newKey = NULL; } else { crv = CKR_FUNCTION_NOT_SUPPORTED; } - if(ck_id) { + if (ck_id) { SECITEM_FreeItem(ck_id, PR_TRUE); ck_id = NULL; } @@ -1045,6 +1048,15 @@ PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, return NULL; } return PK11_MakePrivKey(slot, nullKey, PR_FALSE, privKeyID, wincx); + +loser: + if (newKey) { + PK11_FreeSymKey(newKey); + } + if (ck_id) { + SECITEM_FreeItem(ck_id, PR_TRUE); + } + return NULL; } /* diff --git a/security/nss/lib/pk11wrap/pk11pbe.c b/security/nss/lib/pk11wrap/pk11pbe.c index 98742865499..973528335ab 100644 --- a/security/nss/lib/pk11wrap/pk11pbe.c +++ b/security/nss/lib/pk11wrap/pk11pbe.c @@ -1348,7 +1348,7 @@ PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem, { CK_MECHANISM_TYPE type; SECItem *param = NULL; - PK11SymKey *symKey; + PK11SymKey *symKey = NULL; SECOidTag pbeAlg; CK_KEY_TYPE keyType = -1; int keyLen = 0; 
@@ -1377,14 +1377,15 @@ PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem, } else { param = PK11_ParamFromAlgid(algid); } + if(param == NULL) { - return NULL; + goto loser; } type = PK11_AlgtagToMechanism(pbeAlg); if (type == CKM_INVALID_MECHANISM) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return NULL; + goto loser; } if(faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) { type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC; @@ -1392,7 +1393,10 @@ PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem, symKey = pk11_RawPBEKeyGenWithKeyType(slot, type, param, keyType, keyLen, pwitem, wincx); - SECITEM_ZfreeItem(param, PR_TRUE); +loser: + if (param) { + SECITEM_ZfreeItem(param, PR_TRUE); + } return symKey; } @@ -1442,14 +1446,14 @@ loser: } /* - * public, supports pkcs5 v2 + * Public, supports pkcs5 v2 * - * get a the crypto mechanism directly from the pbe algorithmid. + * Get the crypto mechanism directly from the pbe algorithmid. * - * it's important to go directly from the algorithm id so that we can + * It's important to go directly from the algorithm id so that we can * handle both the PKCS #5 v1, PKCS #12, and PKCS #5 v2 cases. * - * This function returns both the mechanism an the paramter for the mechanism. + * This function returns both the mechanism and the parameter for the mechanism. * The caller is responsible for freeing the parameter. */ CK_MECHANISM_TYPE diff --git a/security/nss/lib/pk11wrap/pk11pk12.c b/security/nss/lib/pk11wrap/pk11pk12.c index c135b7c13e8..3d0feb0e184 100644 --- a/security/nss/lib/pk11wrap/pk11pk12.c +++ b/security/nss/lib/pk11wrap/pk11pk12.c 
@@ -447,15 +447,6 @@ loser: return rv; } -SECStatus -PK11_ImportPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, - SECItem *nickname, SECItem *publicValue, PRBool isPerm, - PRBool isPrivate, unsigned int keyUsage, void *wincx) -{ - return PK11_ImportAndReturnPrivateKey(slot, lpk, nickname, publicValue, - isPerm, isPrivate, keyUsage, NULL, wincx); -} - SECStatus PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, SECKEYPrivateKeyInfo *pki, SECItem *nickname, SECItem *publicValue, @@ -467,7 +458,7 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk = NULL; const SEC_ASN1Template *keyTemplate, *paramTemplate; void *paramDest = NULL; - PRArenaPool *arena; + PRArenaPool *arena = NULL; arena = PORT_NewArena(2048); if(!arena) { @@ -540,7 +531,7 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, loser: - if (lpk!= NULL) { + if (arena != NULL) { PORT_FreeArena(arena, PR_TRUE); } diff --git a/security/nss/lib/pk11wrap/pk11pub.h b/security/nss/lib/pk11wrap/pk11pub.h index 2813e370b55..769a76ad5db 100644 --- a/security/nss/lib/pk11wrap/pk11pub.h +++ b/security/nss/lib/pk11wrap/pk11pub.h @@ -652,7 +652,7 @@ SECStatus PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, CERTCertificate *PK11_FindCertFromDERCert(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx); CERTCertificate *PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, - SECItem *derCert, void *wincx); + const SECItem *derCert, void *wincx); SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert, char *nickname, PRBool addUsage, void *wincx); diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c index 0cc7cea6039..c67c635507f 100644 --- a/security/nss/lib/pk11wrap/pk11skey.c +++ b/security/nss/lib/pk11wrap/pk11skey.c 
@@ -892,11 +892,11 @@ PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, * for the key. Most PKCS #11 modules fail if you specify the CKA_VALUE_LEN * attribute for keys with fixed length. The exception is DES2. If you * select a CKM_DES3_CBC mechanism, this code will not add the CKA_VALUE_LEN - * paramter and use the key size to determine which underlying DES keygen + * parameter and use the key size to determine which underlying DES keygen * function to use (CKM_DES2_KEY_GEN or CKM_DES3_KEY_GEN). * * keyType must be -1 for most algorithms. Some PBE algorthims cannot - * determine the correct key type from the mechanism or the paramters, + * determine the correct key type from the mechanism or the parameters, * so key type must be specified. Other PKCS #11 mechanisms may do so in * the future. Currently there is no need to export this publically. * Keep it private until there is a need in case we need to expand the @@ -972,7 +972,7 @@ pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, * for the key. Most PKCS #11 modules fail if you specify the CKA_VALUE_LEN * attribute for keys with fixed length. The exception is DES2. If you * select a CKM_DES3_CBC mechanism, this code will not add the CKA_VALUE_LEN - * paramter and use the key size to determine which underlying DES keygen + * parameter and use the key size to determine which underlying DES keygen * function to use (CKM_DES2_KEY_GEN or CKM_DES3_KEY_GEN). * * CK_FLAGS flags: key operation flags diff --git a/security/nss/lib/pkcs12/manifest.mn b/security/nss/lib/pkcs12/manifest.mn index fd4bdb1dc80..14f39e8d23d 100644 --- a/security/nss/lib/pkcs12/manifest.mn +++ b/security/nss/lib/pkcs12/manifest.mn @@ -57,8 +57,6 @@ CSRCS = \ p12d.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = pkcs12 # This part of the code, including all sub-dirs, can be optimized for size diff --git a/security/nss/lib/pkcs12/p12.h b/security/nss/lib/pkcs12/p12.h index 852047c1f2f..04a67647da3 100644 
--- a/security/nss/lib/pkcs12/p12.h +++ b/security/nss/lib/pkcs12/p12.h @@ -64,6 +64,11 @@ typedef void (PR_CALLBACK * SEC_PKCS12EncoderOutputCallback)( typedef void (PR_CALLBACK * SEC_PKCS12DecoderOutputCallback)( void *arg, const char *buf, unsigned long len); +/* + * In NSS 3.12 or later, 'arg' actually points to a CERTCertificate, + * the 'leafCert' variable in sec_pkcs12_validate_cert in p12d.c. + * See r1.35 of p12d.c ("Patch 2" in bug 321584). + */ typedef SECItem * (PR_CALLBACK * SEC_PKCS12NicknameCollisionCallback)( SECItem *old_nickname, PRBool *cancel, diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c index cc859068910..98dfbe12bf8 100644 --- a/security/nss/lib/pkcs12/p12d.c +++ b/security/nss/lib/pkcs12/p12d.c @@ -1907,8 +1907,7 @@ sec_pkcs12_get_key_info(sec_PKCS12SafeBag *key) */ static SECItem * sec_pkcs12_get_nickname_for_cert(sec_PKCS12SafeBag *cert, - sec_PKCS12SafeBag *key, - void *wincx) + sec_PKCS12SafeBag *key) { SECItem *nickname; @@ -1939,8 +1938,7 @@ sec_pkcs12_get_nickname_for_cert(sec_PKCS12SafeBag *cert, static SECStatus sec_pkcs12_set_nickname_for_cert(sec_PKCS12SafeBag *cert, sec_PKCS12SafeBag *key, - SECItem *nickname, - void *wincx) + SECItem *nickname) { if(!nickname || !cert) { PORT_SetError(SEC_ERROR_INVALID_ARGS); @@ -2072,7 +2070,7 @@ gatherNicknames(CERTCertificate *cert, void *arg) * If so, return it. */ static SECItem * -sec_pkcs12_get_existing_nick_for_dn(sec_PKCS12SafeBag *cert, void *wincx) +sec_pkcs12_get_existing_nick_for_dn(sec_PKCS12SafeBag *cert) { struct certNickInfo *nickArg = NULL; SECItem *derCert, *returnDn = NULL; @@ -2191,7 +2189,7 @@ static void sec_pkcs12_validate_cert_nickname(sec_PKCS12SafeBag *cert, sec_PKCS12SafeBag *key, SEC_PKCS12NicknameCollisionCallback nicknameCb, - void *wincx) + CERTCertificate *leafCert) { SECItem *certNickname, *existingDNNick; PRBool setNickname = PR_FALSE, cancel = PR_FALSE; 
@@ -2216,8 +2214,8 @@ sec_pkcs12_validate_cert_nickname(sec_PKCS12SafeBag *cert, return; } - certNickname = sec_pkcs12_get_nickname_for_cert(cert, key, wincx); - existingDNNick = sec_pkcs12_get_existing_nick_for_dn(cert, wincx); + certNickname = sec_pkcs12_get_nickname_for_cert(cert, key); + existingDNNick = sec_pkcs12_get_existing_nick_for_dn(cert); /* nickname is already used w/ this dn, so it is safe to return */ if(certNickname && existingDNNick && @@ -2229,7 +2227,7 @@ sec_pkcs12_validate_cert_nickname(sec_PKCS12SafeBag *cert, * this dn. set the nicks in the p12 bags and finish. */ if(existingDNNick) { - sec_pkcs12_set_nickname_for_cert(cert, key, existingDNNick, wincx); + sec_pkcs12_set_nickname_for_cert(cert, key, existingDNNick); goto loser; } @@ -2257,14 +2255,13 @@ sec_pkcs12_validate_cert_nickname(sec_PKCS12SafeBag *cert, if (certNickname && certNickname->data && !sec_pkcs12_certs_for_nickname_exist(certNickname, cert->slot)) { if (setNickname) { - sec_pkcs12_set_nickname_for_cert(cert, key, certNickname, - wincx); + sec_pkcs12_set_nickname_for_cert(cert, key, certNickname); } break; } setNickname = PR_FALSE; - newNickname = (*nicknameCb)(certNickname, &cancel, wincx); + newNickname = (*nicknameCb)(certNickname, &cancel, leafCert); if(cancel) { cert->problem = PR_TRUE; cert->error = SEC_ERROR_USER_CANCELLED; @@ -2304,8 +2301,7 @@ loser: static void sec_pkcs12_validate_cert(sec_PKCS12SafeBag *cert, sec_PKCS12SafeBag *key, - SEC_PKCS12NicknameCollisionCallback nicknameCb, - void *wincx) + SEC_PKCS12NicknameCollisionCallback nicknameCb) { CERTCertificate *leafCert; @@ -2345,7 +2341,7 @@ sec_pkcs12_validate_cert(sec_PKCS12SafeBag *cert, return; } - sec_pkcs12_validate_cert_nickname(cert, key, nicknameCb, (void *)leafCert); + sec_pkcs12_validate_cert_nickname(cert, key, nicknameCb, leafCert); CERT_DestroyCertificate(leafCert); } 
@@ -2748,7 +2744,7 @@ sec_pkcs12_validate_bags(sec_PKCS12SafeBag **safeBags, cert->error = key->error; continue; } - sec_pkcs12_validate_cert(cert, key, nicknameCb, wincx); + sec_pkcs12_validate_cert(cert, key, nicknameCb); if(cert->problem) { key->problem = cert->problem; key->error = cert->error; @@ -2769,7 +2765,7 @@ sec_pkcs12_validate_bags(sec_PKCS12SafeBag **safeBags, switch(bagType) { case SEC_OID_PKCS12_V1_CERT_BAG_ID: - sec_pkcs12_validate_cert(bag, NULL, nicknameCb, wincx); + sec_pkcs12_validate_cert(bag, NULL, nicknameCb); break; case SEC_OID_PKCS12_V1_KEY_BAG_ID: case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: @@ -2936,8 +2932,7 @@ sec_pkcs12_install_bags(sec_PKCS12SafeBag **safeBags, void *wincx) /* use the cert's nickname, if it has one, else use the * key's nickname, else fail. */ - nickName = sec_pkcs12_get_nickname_for_cert(certList[0], - key, wincx); + nickName = sec_pkcs12_get_nickname_for_cert(certList[0], key); } else { nickName = sec_pkcs12_get_nickname(key); } diff --git a/security/nss/lib/pkcs7/manifest.mn b/security/nss/lib/pkcs7/manifest.mn index 7b7ae43a057..1be9018fb37 100644 --- a/security/nss/lib/pkcs7/manifest.mn +++ b/security/nss/lib/pkcs7/manifest.mn @@ -59,8 +59,6 @@ CSRCS = \ secmime.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = pkcs7 # This part of the code, including all sub-dirs, can be optimized for size diff --git a/security/nss/lib/pki/certificate.c b/security/nss/lib/pki/certificate.c index 38e17acefe5..07ee6e6c76d 100644 --- a/security/nss/lib/pki/certificate.c +++ b/security/nss/lib/pki/certificate.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: certificate.c,v $ $Revision: 1.67 $ $Date: 2010/04/03 18:27:32 $"; +static const char CVS_ID[] = "@(#) $RCSfile: certificate.c,v $ $Revision: 1.68 $ $Date: 2011/07/12 21:29:17 $"; #endif /* DEBUG */ #ifndef NSSPKI_H 
@@ -960,6 +960,44 @@ nssCertificateList_AddReferences ( (void)nssCertificateList_DoCallback(certList, add_ref_callback, NULL); } + +/* + * Is this trust record safe to apply to all certs of the same issuer/SN + * independent of the cert matching the hash. This is only true is the trust + * is unknown or distrusted. In general this feature is only useful to + * explicitly distrusting certs. It is not safe to use to trust certs, so + * only allow unknown and untrusted trust types. + */ +PRBool +nssTrust_IsSafeToIgnoreCertHash(nssTrustLevel serverAuth, + nssTrustLevel clientAuth, nssTrustLevel codeSigning, + nssTrustLevel email, PRBool stepup) +{ + /* step up is a trust type, if it's on, we must have a hash for the cert */ + if (stepup) { + return PR_FALSE; + } + if ((serverAuth != nssTrustLevel_Unknown) && + (serverAuth != nssTrustLevel_NotTrusted)) { + return PR_FALSE; + } + if ((clientAuth != nssTrustLevel_Unknown) && + (clientAuth != nssTrustLevel_NotTrusted)) { + return PR_FALSE; + } + if ((codeSigning != nssTrustLevel_Unknown) && + (codeSigning != nssTrustLevel_NotTrusted)) { + return PR_FALSE; + } + if ((email != nssTrustLevel_Unknown) && + (email != nssTrustLevel_NotTrusted)) { + return PR_FALSE; + } + /* record only has Unknown and Untrusted entries, ok to accept without a + * hash */ + return PR_TRUE; +} + NSS_IMPLEMENT NSSTrust * nssTrust_Create ( nssPKIObject *object, 
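Review bot: `nssTrust_IsSafeToIgnoreCertHash` is defined with external linkage and without the `NSS_IMPLEMENT` marker that `nssTrust_Create` carries directly below it. No prototype is visible in this part of the patch, so if nothing outside certificate.c calls it, it should be `static PRBool`. The header comment has a typo, `This is only true is the trust`, which should read `This is only true if the trust`, and it says "untrusted" where the code tests `nssTrustLevel_NotTrusted`. Because this predicate decides when a trust record applies without a certificate hash, I would state the rule in one line: `/* Returns PR_TRUE only when every usage is Unknown or NotTrusted and step-up is off. */`.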
@@ -1009,7 +1047,19 @@ nssTrust_Create ( nssPKIObject_Unlock(object); return (NSSTrust *)NULL; } - if (PORT_Memcmp(sha1_hashin,sha1_hashcmp,SHA1_LENGTH) != 0) { + /* if no hash is specified, then trust applies to all certs with + * this issuer/SN. NOTE: This is only true for entries that + * have distrust and unknown record */ + if (!( + /* we continue if there is no hash, and the trust type is + * safe to accept without a hash ... or ... */ + ((sha1_hash.size == 0) && + nssTrust_IsSafeToIgnoreCertHash(serverAuth,clientAuth, + codeSigning, emailProtection,stepUp)) + || + /* we have a hash of the correct size, and it matches */ + ((sha1_hash.size == SHA1_LENGTH) && (PORT_Memcmp(sha1_hashin, + sha1_hashcmp,SHA1_LENGTH) == 0)) )) { nssPKIObject_Unlock(object); return (NSSTrust *)NULL; } diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c index b13a05ee1b1..7e7693b9228 100644 --- a/security/nss/lib/pki/pki3hack.c +++ b/security/nss/lib/pki/pki3hack.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.100.2.1 $ $Date: 2011/03/26 16:55:01 $"; +static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.102 $ $Date: 2011/04/13 00:10:26 $"; #endif /* DEBUG */ /* 
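Review bot: The new acceptance test in `nssTrust_Create` is a single negated disjunction with comments interleaved inside the expression, which makes a security-critical condition hard to audit. Two named conditions would read more directly: `hashOptional = (sha1_hash.size == 0) && nssTrust_IsSafeToIgnoreCertHash(serverAuth, clientAuth, codeSigning, emailProtection, stepUp);`, then `hashMatches = (sha1_hash.size == SHA1_LENGTH) && (PORT_Memcmp(sha1_hashin, sha1_hashcmp, SHA1_LENGTH) == 0);`, then `if (!hashOptional && !hashMatches) {`. The two `PRBool` locals would be declared at the top of the enclosing block, which starts outside this hunk. A hash of any length other than 0 or `SHA1_LENGTH` is rejected, but only implicitly, so that case deserves a short comment.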
@@ -555,17 +555,17 @@ nssDecodedPKIXCertificate_Destroy ( /* see pk11cert.c:pk11_HandleTrustObject */ static unsigned int -get_nss3trust_from_nss4trust(CK_TRUST t) +get_nss3trust_from_nss4trust(nssTrustLevel t) { unsigned int rt = 0; if (t == nssTrustLevel_Trusted) { - rt |= CERTDB_VALID_PEER | CERTDB_TRUSTED; + rt |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; } if (t == nssTrustLevel_TrustedDelegator) { - rt |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA /*| CERTDB_NS_TRUSTED_CA*/; + rt |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA; } - if (t == nssTrustLevel_Valid) { - rt |= CERTDB_VALID_PEER; + if (t == nssTrustLevel_NotTrusted) { + rt |= CERTDB_TERMINAL_RECORD; } if (t == nssTrustLevel_ValidDelegator) { rt |= CERTDB_VALID_CA; @@ -922,13 +922,13 @@ get_stan_trust(unsigned int t, PRBool isClientAuth) if (t & CERTDB_TRUSTED) { return nssTrustLevel_Trusted; } + if (t & CERTDB_TERMINAL_RECORD) { + return nssTrustLevel_NotTrusted; + } if (t & CERTDB_VALID_CA) { return nssTrustLevel_ValidDelegator; } - if (t & CERTDB_VALID_PEER) { - return nssTrustLevel_Valid; - } - return nssTrustLevel_NotTrusted; + return nssTrustLevel_MustVerify; } NSS_EXTERN NSSCertificate * diff --git a/security/nss/lib/pki/pki3hack.h b/security/nss/lib/pki/pki3hack.h index b9ce7f7c6ff..45bf97c20e5 100644 --- a/security/nss/lib/pki/pki3hack.h +++ b/security/nss/lib/pki/pki3hack.h @@ -38,7 +38,7 @@ #define PKINSS3HACK_H #ifdef DEBUG -static const char PKINSS3HACK_CVS_ID[] = "@(#) $RCSfile: pki3hack.h,v $ $Revision: 1.19.192.1 $ $Date: 2011/03/26 16:55:01 $"; +static const char PKINSS3HACK_CVS_ID[] = "@(#) $RCSfile: pki3hack.h,v $ $Revision: 1.20 $ $Date: 2011/03/26 17:34:22 $"; #endif /* DEBUG */ #ifndef NSSDEVT_H diff --git a/security/nss/lib/pki/pkistore.c b/security/nss/lib/pki/pkistore.c index 3371fdd3615..3909fdc55cd 100644 --- a/security/nss/lib/pki/pkistore.c +++ b/security/nss/lib/pki/pkistore.c 
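Review bot: With the `nssTrustLevel_Valid` branch removed, the visible part of `get_nss3trust_from_nss4trust` sets no bit for `nssTrustLevel_Valid` or `nssTrustLevel_MustVerify`, and nothing says this is intended. A comment above the tests would record the new mapping, for example `/* Trusted -> TERMINAL_RECORD|TRUSTED, NotTrusted -> TERMINAL_RECORD alone; Valid and MustVerify set no bits */`. The rest of the function is outside the hunk, so a later branch may still handle those levels.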
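Review bot: In `get_stan_trust` the order of the flag tests now carries meaning that is not written down. `CERTDB_TERMINAL_RECORD` is tested after `CERTDB_TRUSTED` and before `CERTDB_VALID_CA`, so a terminal record without the trusted bit maps to `nssTrustLevel_NotTrusted` even when `CERTDB_VALID_CA` is also set. A later reordering would silently turn explicit distrust into `nssTrustLevel_ValidDelegator`. I would add `/* terminal record without TRUSTED is explicit distrust; must be tested before VALID_CA */` above the new `if`. The start of the function is outside the hunk.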
@@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: pkistore.c,v $ $Revision: 1.33.40.1 $ $Date: 2010/12/17 20:14:38 $"; +static const char CVS_ID[] = "@(#) $RCSfile: pkistore.c,v $ $Revision: 1.34 $ $Date: 2010/12/17 02:34:07 $"; #endif /* DEBUG */ #ifndef PKIM_H diff --git a/security/nss/lib/smime/cms.h b/security/nss/lib/smime/cms.h index 896408f72b5..ca662f33727 100644 --- a/security/nss/lib/smime/cms.h +++ b/security/nss/lib/smime/cms.h @@ -37,7 +37,7 @@ /* * Interfaces of the CMS implementation. * - * $Id: cms.h,v 1.23.2.3 2011/02/11 16:44:02 emaldona%redhat.com Exp $ + * $Id: cms.h,v 1.26 2011/02/24 22:06:14 emaldona%redhat.com Exp $ */ #ifndef _CMS_H_ diff --git a/security/nss/lib/smime/cmsasn1.c b/security/nss/lib/smime/cmsasn1.c index d924528a594..b9232674668 100644 --- a/security/nss/lib/smime/cmsasn1.c +++ b/security/nss/lib/smime/cmsasn1.c @@ -37,7 +37,7 @@ /* * CMS ASN.1 templates * - * $Id: cmsasn1.c,v 1.7.2.2 2011/02/01 00:33:23 rrelyea%redhat.com Exp $ + * $Id: cmsasn1.c,v 1.9 2011/01/31 23:56:30 rrelyea%redhat.com Exp $ */ #include "cmslocal.h" diff --git a/security/nss/lib/smime/cmscinfo.c b/security/nss/lib/smime/cmscinfo.c index bd1cc85b6da..4a8008e93e8 100644 --- a/security/nss/lib/smime/cmscinfo.c +++ b/security/nss/lib/smime/cmscinfo.c @@ -37,7 +37,7 @@ /* * CMS contentInfo methods. * - * $Id: cmscinfo.c,v 1.7.192.3 2011/02/11 03:57:50 emaldona%redhat.com Exp $ + * $Id: cmscinfo.c,v 1.10 2011/02/11 01:53:17 emaldona%redhat.com Exp $ */ #include "cmslocal.h" diff --git a/security/nss/lib/smime/cmsdecode.c b/security/nss/lib/smime/cmsdecode.c index 79299dd793e..341516e1b2f 100644 --- a/security/nss/lib/smime/cmsdecode.c +++ b/security/nss/lib/smime/cmsdecode.c @@ -37,7 +37,7 @@ /* * CMS decoding. * - * $Id: cmsdecode.c,v 1.9.66.4 2011/03/15 17:51:01 emaldona%redhat.com Exp $ + * $Id: cmsdecode.c,v 1.13 2011/03/15 17:45:21 emaldona%redhat.com Exp $ */ #include "cmslocal.h" 
diff --git a/security/nss/lib/smime/cmsdigdata.c b/security/nss/lib/smime/cmsdigdata.c index 47f5a4ceb4f..1a96973aabe 100644 --- a/security/nss/lib/smime/cmsdigdata.c +++ b/security/nss/lib/smime/cmsdigdata.c @@ -37,7 +37,7 @@ /* * CMS digestedData methods. * - * $Id: cmsdigdata.c,v 1.5.192.2 2011/02/11 03:57:50 emaldona%redhat.com Exp $ + * $Id: cmsdigdata.c,v 1.7 2011/02/11 01:53:17 emaldona%redhat.com Exp $ */ #include "cmslocal.h" diff --git a/security/nss/lib/smime/cmsencdata.c b/security/nss/lib/smime/cmsencdata.c index 29d8e39dec9..d131f4b77ad 100644 --- a/security/nss/lib/smime/cmsencdata.c +++ b/security/nss/lib/smime/cmsencdata.c @@ -37,7 +37,7 @@ /* * CMS encryptedData methods. * - * $Id: cmsencdata.c,v 1.11.56.2 2011/02/11 03:57:50 emaldona%redhat.com Exp $ + * $Id: cmsencdata.c,v 1.13 2011/02/11 01:53:17 emaldona%redhat.com Exp $ */ #include "cmslocal.h" diff --git a/security/nss/lib/smime/cmsencode.c b/security/nss/lib/smime/cmsencode.c index 7e6f036397d..d3471a991a9 100644 --- a/security/nss/lib/smime/cmsencode.c +++ b/security/nss/lib/smime/cmsencode.c @@ -37,7 +37,7 @@ /* * CMS encoding. * - * $Id: cmsencode.c,v 1.6.66.5 2011/02/11 03:57:50 emaldona%redhat.com Exp $ + * $Id: cmsencode.c,v 1.11 2011/02/11 01:53:17 emaldona%redhat.com Exp $ */ #include "cmslocal.h" diff --git a/security/nss/lib/smime/cmsenvdata.c b/security/nss/lib/smime/cmsenvdata.c index 1c0c20aade7..dc0b86428d5 100644 --- a/security/nss/lib/smime/cmsenvdata.c +++ b/security/nss/lib/smime/cmsenvdata.c @@ -37,7 +37,7 @@ /* * CMS envelopedData methods. * - * $Id: cmsenvdata.c,v 1.11.142.2 2011/02/11 03:57:50 emaldona%redhat.com Exp $ + * $Id: cmsenvdata.c,v 1.13 2011/02/11 01:53:17 emaldona%redhat.com Exp $ */ #include "cmslocal.h" diff --git a/security/nss/lib/smime/cmslocal.h b/security/nss/lib/smime/cmslocal.h index 222f90a15d5..5762d143e26 100644 --- a/security/nss/lib/smime/cmslocal.h +++ b/security/nss/lib/smime/cmslocal.h 
@@ -42,7 +42,7 @@ * you. If that has a problem, then just move out what you need, changing * its name as appropriate! * - * $Id: cmslocal.h,v 1.5.142.1 2011/01/28 23:08:27 rrelyea%redhat.com Exp $ + * $Id: cmslocal.h,v 1.6 2011/01/28 23:03:59 rrelyea%redhat.com Exp $ */ #ifndef _CMSLOCAL_H_ diff --git a/security/nss/lib/smime/cmsmessage.c b/security/nss/lib/smime/cmsmessage.c index cb45eba0bba..53a6d36093f 100644 --- a/security/nss/lib/smime/cmsmessage.c +++ b/security/nss/lib/smime/cmsmessage.c @@ -37,7 +37,7 @@ /* * CMS message methods. * - * $Id: cmsmessage.c,v 1.6.192.1 2011/01/28 23:08:27 rrelyea%redhat.com Exp $ + * $Id: cmsmessage.c,v 1.7 2011/01/28 23:03:59 rrelyea%redhat.com Exp $ */ #include "cmslocal.h" diff --git a/security/nss/lib/smime/cmssigdata.c b/security/nss/lib/smime/cmssigdata.c index 5a1bb4cea8f..e701c8836b3 100644 --- a/security/nss/lib/smime/cmssigdata.c +++ b/security/nss/lib/smime/cmssigdata.c @@ -37,7 +37,7 @@ /* * CMS signedData methods. * - * $Id: cmssigdata.c,v 1.29.142.2 2011/02/11 03:57:50 emaldona%redhat.com Exp $ + * $Id: cmssigdata.c,v 1.31 2011/02/11 01:53:17 emaldona%redhat.com Exp $ */ #include "cmslocal.h" diff --git a/security/nss/lib/smime/cmssiginfo.c b/security/nss/lib/smime/cmssiginfo.c index 3bc7cd91a04..9c11d833f90 100644 --- a/security/nss/lib/smime/cmssiginfo.c +++ b/security/nss/lib/smime/cmssiginfo.c @@ -38,7 +38,7 @@ /* * CMS signerInfo methods. * - * $Id: cmssiginfo.c,v 1.32.2.1 2010/08/28 19:51:44 nelson%bolyard.com Exp $ + * $Id: cmssiginfo.c,v 1.34 2011/02/07 18:32:19 nelson%bolyard.com Exp $ */ #include "cmslocal.h" @@ -166,7 +166,8 @@ NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si) * */ SECStatus -NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType) +NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, + SECItem *contentType) { CERTCertificate *cert; SECKEYPrivateKey *privkey = NULL; 
@@ -186,7 +187,8 @@ NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *c case NSSCMSSignerID_IssuerSN: cert = signerinfo->cert; - if ((privkey = PK11_FindKeyByAnyCert(cert, signerinfo->cmsg->pwfn_arg)) == NULL) + privkey = PK11_FindKeyByAnyCert(cert, signerinfo->cmsg->pwfn_arg); + if (privkey == NULL) goto loser; algID = &cert->subjectPublicKeyInfo.algorithm; break; @@ -272,6 +274,7 @@ NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *c rv = SEC_SignData(&signature, encoded_attrs.data, encoded_attrs.len, privkey, signAlgTag); PORT_FreeArena(tmppoolp, PR_FALSE); /* awkward memory management :-( */ + tmppoolp = 0; } else { rv = SGN_Digest(privkey, digestalgtag, &signature, digest); } diff --git a/security/nss/lib/smime/cmst.h b/security/nss/lib/smime/cmst.h index 11b772a3093..7bd415061cf 100644 --- a/security/nss/lib/smime/cmst.h +++ b/security/nss/lib/smime/cmst.h @@ -37,7 +37,7 @@ /* * Header for CMS types. * - * $Id: cmst.h,v 1.10.142.3 2011/02/11 03:57:50 emaldona%redhat.com Exp $ + * $Id: cmst.h,v 1.13 2011/02/11 01:53:17 emaldona%redhat.com Exp $ */ #ifndef _CMST_H_ diff --git a/security/nss/lib/smime/cmsudf.c b/security/nss/lib/smime/cmsudf.c index 025c0e36b0d..82bfdf0bc77 100644 --- a/security/nss/lib/smime/cmsudf.c +++ b/security/nss/lib/smime/cmsudf.c @@ -37,7 +37,7 @@ /* * CMS User Define Types * - * $Id: cmsudf.c,v 1.1.2.4 2011/02/11 03:57:50 emaldona%redhat.com Exp $ + * $Id: cmsudf.c,v 1.3 2011/02/11 01:53:17 emaldona%redhat.com Exp $ */ #include "cmslocal.h" diff --git a/security/nss/lib/smime/cmsutil.c b/security/nss/lib/smime/cmsutil.c index a60255be9da..6d97b38e882 100644 --- a/security/nss/lib/smime/cmsutil.c +++ b/security/nss/lib/smime/cmsutil.c @@ -38,7 +38,7 @@ /* * CMS miscellaneous utility functions. * - * $Id: cmsutil.c,v 1.15.54.1 2011/01/28 23:08:27 rrelyea%redhat.com Exp $ + * $Id: cmsutil.c,v 1.16 2011/01/28 23:03:59 rrelyea%redhat.com Exp $ */ #include "cmslocal.h" 
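Review bot: The added `tmppoolp = 0;` after `PORT_FreeArena(tmppoolp, PR_FALSE)` assigns an integer literal to a pointer. `tmppoolp = NULL;` matches the `privkey == NULL` style used earlier in `NSS_CMSSignerInfo_Sign`. The reset presumably keeps the function's cleanup path from freeing the arena a second time, but that path is outside the hunk. A one-line comment would make the reason explicit: `/* already freed; keep the cleanup code from freeing it again */`.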
diff --git a/security/nss/lib/smime/manifest.mn b/security/nss/lib/smime/manifest.mn index 1f5421f35e4..e6c2cd98a48 100644 --- a/security/nss/lib/smime/manifest.mn +++ b/security/nss/lib/smime/manifest.mn @@ -76,8 +76,6 @@ CSRCS = \ smimever.c \ $(NULL) -REQUIRES = dbm - LIBRARY_NAME = smime LIBRARY_VERSION = 3 diff --git a/security/nss/lib/smime/smime.def b/security/nss/lib/smime/smime.def index 993d108a28b..6bbf812fad7 100644 --- a/security/nss/lib/smime/smime.def +++ b/security/nss/lib/smime/smime.def @@ -293,3 +293,9 @@ NSS_Get_NSS_PointerToCMSGenericWrapperDataTemplate; ;+ local: ;+ *; ;+}; +;+NSS_3.13 { # NSS 3.13 release +;+ global: +NSSSMIME_GetVersion; +;+ local: +;+ *; +;+}; diff --git a/security/nss/lib/smime/smime.h b/security/nss/lib/smime/smime.h index 0c112c9a10d..8a72b480982 100644 --- a/security/nss/lib/smime/smime.h +++ b/security/nss/lib/smime/smime.h @@ -38,7 +38,7 @@ * Header file for routines specific to S/MIME. Keep things that are pure * pkcs7 out of here; this is for S/MIME policy, S/MIME interoperability, etc. * - * $Id: smime.h,v 1.8.192.1 2011/02/11 03:57:50 emaldona%redhat.com Exp $ + * $Id: smime.h,v 1.10 2011/08/01 07:08:09 kaie%kuix.de Exp $ */ #ifndef _SECMIME_H_ 
@@ -150,6 +150,23 @@ extern CERTCertificate *NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(CERTCer extern SECStatus NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts, SECOidTag *bulkalgtag, int *keysize); +/* + * Return a boolean that indicates whether the underlying library + * will perform as the caller expects. + * + * The only argument is a string, which should be the version + * identifier of the NSS library. That string will be compared + * against a string that represents the actual build version of + * the S/MIME library. It also invokes the version checking functions + * of the dependent libraries such as NSPR. + */ +extern PRBool NSSSMIME_VersionCheck(const char *importedVersion); + +/* + * Returns a const string of the S/MIME library version. + */ +extern const char *NSSSMIME_GetVersion(void); + /************************************************************************/ SEC_END_PROTOS diff --git a/security/nss/lib/smime/smimeutil.c b/security/nss/lib/smime/smimeutil.c index 4200842a6ce..2fe02e81f6d 100644 --- a/security/nss/lib/smime/smimeutil.c +++ b/security/nss/lib/smime/smimeutil.c @@ -37,7 +37,7 @@ /* * Stuff specific to S/MIME policy and interoperability. * - * $Id: smimeutil.c,v 1.20 2007/05/10 01:12:21 nelson%bolyard.com Exp $ + * $Id: smimeutil.c,v 1.21 2011/08/01 07:08:09 kaie%kuix.de Exp $ */ #include "secmime.h" @@ -793,3 +793,8 @@ NSSSMIME_VersionCheck(const char *importedVersion) return NSS_VersionCheck(importedVersion); } +const char * +NSSSMIME_GetVersion(void) +{ + return NSS_VERSION; +} diff --git a/security/nss/lib/softoken/fipstest.c b/security/nss/lib/softoken/fipstest.c index a9ca120a21c..b4354e2f7eb 100644 --- a/security/nss/lib/softoken/fipstest.c +++ b/security/nss/lib/softoken/fipstest.c 
@@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: fipstest.c,v 1.27 2009/06/19 23:05:48 rrelyea%redhat.com Exp $ */ +/* $Id: fipstest.c,v 1.29 2011/03/29 15:12:43 wtc%google.com Exp $ */ #include "softoken.h" /* Required for RC2-ECB, RC2-CBC, RC4, DES-ECB, */ /* DES-CBC, DES3-ECB, DES3-CBC, RSA */ @@ -865,6 +865,13 @@ sftk_fips_HMAC_PowerUpSelfTest( void ) 0x3b, 0x57, 0x1d, 0x61, 0xe7, 0xb8, 0x84, 0x1e, 0x5d, 0x0e, 0x1e, 0x11}; + /* known SHA224 hmac (28 bytes) */ + static const PRUint8 known_SHA224_hmac[] = { + 0x1c, 0xc3, 0x06, 0x8e, 0xce, 0x37, 0x68, 0xfb, + 0x1a, 0x82, 0x4a, 0xbe, 0x2b, 0x00, 0x51, 0xf8, + 0x9d, 0xb6, 0xe0, 0x90, 0x0d, 0x00, 0xc9, 0x64, + 0x9a, 0xb8, 0x98, 0x4e}; + /* known SHA256 hmac (32 bytes) */ static const PRUint8 known_SHA256_hmac[] = { 0x05, 0x75, 0x9a, 0x9e, 0x70, 0x5e, 0xe7, 0x44, @@ -911,6 +918,22 @@ sftk_fips_HMAC_PowerUpSelfTest( void ) SHA1_LENGTH ) != 0 ) ) return( CKR_DEVICE_ERROR ); + /***************************************************/ + /* HMAC SHA-224 Single-Round Known Answer Test. */ + /***************************************************/ + + hmac_status = sftk_fips_HMAC(hmac_computed, + HMAC_known_secret_key, + HMAC_known_secret_key_length, + known_hash_message, + FIPS_KNOWN_HASH_MESSAGE_LENGTH, + HASH_AlgSHA224); + + if( ( hmac_status != SECSuccess ) || + ( PORT_Memcmp( hmac_computed, known_SHA224_hmac, + SHA224_LENGTH ) != 0 ) ) + return( CKR_DEVICE_ERROR ); + /***************************************************/ /* HMAC SHA-256 Single-Round Known Answer Test. */ /***************************************************/ 
@@ -971,6 +994,13 @@ sftk_fips_SHA_PowerUpSelfTest( void ) 0x72,0xf6,0xc7,0x22,0xf1,0x27,0x9f,0xf0, 0xe0,0x68,0x47,0x7a}; + /* SHA-224 Known Digest Message (224-bits). */ + static const PRUint8 sha224_known_digest[] = { + 0x89,0x5e,0x7f,0xfd,0x0e,0xd8,0x35,0x6f, + 0x64,0x6d,0xf2,0xde,0x5e,0xed,0xa6,0x7f, + 0x29,0xd1,0x12,0x73,0x42,0x84,0x95,0x4f, + 0x8e,0x08,0xe5,0xcb}; + /* SHA-256 Known Digest Message (256-bits). */ static const PRUint8 sha256_known_digest[] = { 0x38,0xa9,0xc1,0xf0,0x35,0xf6,0x5d,0x61, @@ -1014,6 +1044,18 @@ sftk_fips_SHA_PowerUpSelfTest( void ) SHA1_LENGTH ) != 0 ) ) return( CKR_DEVICE_ERROR ); + /***************************************************/ + /* SHA-224 Single-Round Known Answer Hashing Test. */ + /***************************************************/ + + sha_status = SHA224_HashBuf( sha_computed_digest, known_hash_message, + FIPS_KNOWN_HASH_MESSAGE_LENGTH ); + + if( ( sha_status != SECSuccess ) || + ( PORT_Memcmp( sha_computed_digest, sha224_known_digest, + SHA224_LENGTH ) != 0 ) ) + return( CKR_DEVICE_ERROR ); + /***************************************************/ /* SHA-256 Single-Round Known Answer Hashing Test. */ /***************************************************/ diff --git a/security/nss/lib/softoken/legacydb/keydb.c b/security/nss/lib/softoken/legacydb/keydb.c index 8fe9fb5431a..f94f65064e6 100644 --- a/security/nss/lib/softoken/legacydb/keydb.c +++ b/security/nss/lib/softoken/legacydb/keydb.c @@ -34,7 +34,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: keydb.c,v 1.11.22.1 2010/08/07 05:49:16 wtc%google.com Exp $ */ +/* $Id: keydb.c,v 1.12 2010/07/20 01:26:04 wtc%google.com Exp $ */ #include "lowkeyi.h" #include "secasn1.h" @@ -1209,7 +1209,7 @@ nsslowkey_KeyForCertExists(NSSLOWKEYDBHandle *handle, NSSLOWCERTCertificate *cer PORT_Free(buf); } } - nsslowkey_DestroyPublicKey(pubkey); + lg_nsslowkey_DestroyPublicKey(pubkey); if ( status ) { return PR_FALSE; } 
@@ -1396,7 +1396,7 @@ loser: if (dbkey) { sec_destroy_dbkey(dbkey); } - if (global_salt && global_salt != &none) { + if (global_salt != &none) { SECITEM_FreeItem(global_salt,PR_TRUE); } return rv; @@ -1535,9 +1535,9 @@ seckey_encrypt_private_key( PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk, /* Encode the key, and set the algorithm (with params) */ switch (pk->keyType) { case NSSLOWKEYRSAKey: - prepare_low_rsa_priv_key_for_asn1(pk); + lg_prepare_low_rsa_priv_key_for_asn1(pk); dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, - nsslowkey_RSAPrivateKeyTemplate); + lg_nsslowkey_RSAPrivateKeyTemplate); if (dummy == NULL) { rv = SECFailure; goto loser; @@ -1551,17 +1551,17 @@ seckey_encrypt_private_key( PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk, break; case NSSLOWKEYDSAKey: - prepare_low_dsa_priv_key_for_asn1(pk); + lg_prepare_low_dsa_priv_key_for_asn1(pk); dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, - nsslowkey_DSAPrivateKeyTemplate); + lg_nsslowkey_DSAPrivateKeyTemplate); if (dummy == NULL) { rv = SECFailure; goto loser; } - prepare_low_pqg_params_for_asn1(&pk->u.dsa.params); + lg_prepare_low_pqg_params_for_asn1(&pk->u.dsa.params); dummy = SEC_ASN1EncodeItem(temparena, NULL, &pk->u.dsa.params, - nsslowkey_PQGParamsTemplate); + lg_nsslowkey_PQGParamsTemplate); if (dummy == NULL) { rv = SECFailure; goto loser; @@ -1575,9 +1575,9 @@ seckey_encrypt_private_key( PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk, break; case NSSLOWKEYDHKey: - prepare_low_dh_priv_key_for_asn1(pk); + lg_prepare_low_dh_priv_key_for_asn1(pk); dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, - nsslowkey_DHPrivateKeyTemplate); + lg_nsslowkey_DHPrivateKeyTemplate); if (dummy == NULL) { rv = SECFailure; goto loser; 
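Review bot: Dropping the `global_salt &&` test in the `loser:` cleanup is safe only because `SECITEM_FreeItem` ignores a NULL item. The remaining condition `global_salt != &none` no longer shows that a NULL pointer can reach the call. I would add `/* global_salt may be NULL here; SECITEM_FreeItem ignores NULL */` above the `if`, so the guard is not put back or the call swapped for one that does not accept NULL. The function body starts outside this hunk, so whether `global_salt` can be NULL at this label is not visible here.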
@@ -1591,7 +1591,7 @@ seckey_encrypt_private_key( PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk, break; #ifdef NSS_ENABLE_ECC case NSSLOWKEYECKey: - prepare_low_ec_priv_key_for_asn1(pk); + lg_prepare_low_ec_priv_key_for_asn1(pk); /* Public value is encoded as a bit string so adjust length * to be in bits before ASN encoding and readjust * immediately after. @@ -1604,7 +1604,7 @@ seckey_encrypt_private_key( PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk, savelen = pk->u.ec.ecParams.curveOID.len; pk->u.ec.ecParams.curveOID.len = 0; dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, - nsslowkey_ECPrivateKeyTemplate); + lg_nsslowkey_ECPrivateKeyTemplate); pk->u.ec.ecParams.curveOID.len = savelen; pk->u.ec.publicValue.len >>= 3; @@ -1637,7 +1637,7 @@ seckey_encrypt_private_key( PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk, /* setup encrypted private key info */ dummy = SEC_ASN1EncodeItem(temparena, der_item, pki, - nsslowkey_PrivateKeyInfoTemplate); + lg_nsslowkey_PrivateKeyInfoTemplate); SEC_PRINT("seckey_encrypt_private_key()", "PrivateKeyInfo", pk->keyType, der_item); 
@@ -1777,50 +1777,50 @@ seckey_decrypt_private_key(SECItem*epki, dest); rv = SEC_QuickDERDecodeItem(temparena, pki, - nsslowkey_PrivateKeyInfoTemplate, dest); + lg_nsslowkey_PrivateKeyInfoTemplate, dest); if(rv == SECSuccess) { switch(SECOID_GetAlgorithmTag(&pki->algorithm)) { case SEC_OID_X500_RSA_ENCRYPTION: case SEC_OID_PKCS1_RSA_ENCRYPTION: pk->keyType = NSSLOWKEYRSAKey; - prepare_low_rsa_priv_key_for_asn1(pk); + lg_prepare_low_rsa_priv_key_for_asn1(pk); if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, &pki->privateKey) ) break; rv = SEC_QuickDERDecodeItem(permarena, pk, - nsslowkey_RSAPrivateKeyTemplate, + lg_nsslowkey_RSAPrivateKeyTemplate, &newPrivateKey); break; case SEC_OID_ANSIX9_DSA_SIGNATURE: pk->keyType = NSSLOWKEYDSAKey; - prepare_low_dsa_priv_key_for_asn1(pk); + lg_prepare_low_dsa_priv_key_for_asn1(pk); if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, &pki->privateKey) ) break; rv = SEC_QuickDERDecodeItem(permarena, pk, - nsslowkey_DSAPrivateKeyTemplate, + lg_nsslowkey_DSAPrivateKeyTemplate, &newPrivateKey); if (rv != SECSuccess) goto loser; - prepare_low_pqg_params_for_asn1(&pk->u.dsa.params); + lg_prepare_low_pqg_params_for_asn1(&pk->u.dsa.params); if (SECSuccess != SECITEM_CopyItem(permarena, &newAlgParms, &pki->algorithm.parameters) ) break; rv = SEC_QuickDERDecodeItem(permarena, &pk->u.dsa.params, - nsslowkey_PQGParamsTemplate, + lg_nsslowkey_PQGParamsTemplate, &newAlgParms); break; case SEC_OID_X942_DIFFIE_HELMAN_KEY: pk->keyType = NSSLOWKEYDHKey; - prepare_low_dh_priv_key_for_asn1(pk); + lg_prepare_low_dh_priv_key_for_asn1(pk); if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, &pki->privateKey) ) break; rv = SEC_QuickDERDecodeItem(permarena, pk, - nsslowkey_DHPrivateKeyTemplate, + lg_nsslowkey_DHPrivateKeyTemplate, &newPrivateKey); break; #ifdef NSS_ENABLE_ECC case SEC_OID_ANSIX962_EC_PUBLIC_KEY: pk->keyType = NSSLOWKEYECKey; - prepare_low_ec_priv_key_for_asn1(pk); + 
lg_prepare_low_ec_priv_key_for_asn1(pk); fordebug = &pki->privateKey; SEC_PRINT("seckey_decrypt_private_key()", "PrivateKey", @@ -1828,12 +1828,12 @@ seckey_decrypt_private_key(SECItem*epki, if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, &pki->privateKey) ) break; rv = SEC_QuickDERDecodeItem(permarena, pk, - nsslowkey_ECPrivateKeyTemplate, + lg_nsslowkey_ECPrivateKeyTemplate, &newPrivateKey); if (rv != SECSuccess) goto loser; - prepare_low_ecparams_for_asn1(&pk->u.ec.ecParams); + lg_prepare_low_ecparams_for_asn1(&pk->u.ec.ecParams); rv = SECITEM_CopyItem(permarena, &pk->u.ec.ecParams.DEREncoding, @@ -1980,7 +1980,7 @@ nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle, pk = seckey_get_private_key(handle, &namekey, &nickname, sdbpw); if (pk) { - nsslowkey_DestroyPrivateKey(pk); + lg_nsslowkey_DestroyPrivateKey(pk); } /* no need to free dbkey, since its on the stack, and the data it diff --git a/security/nss/lib/softoken/legacydb/lgattr.c b/security/nss/lib/softoken/legacydb/lgattr.c index 344644888fd..0d26bf4e8f4 100644 --- a/security/nss/lib/softoken/legacydb/lgattr.c +++ b/security/nss/lib/softoken/legacydb/lgattr.c @@ -61,7 +61,7 @@ typedef struct LGObjectCacheStr { static const CK_OBJECT_HANDLE lg_classArray[] = { 0, CKO_PRIVATE_KEY, CKO_PUBLIC_KEY, CKO_SECRET_KEY, - CKO_NETSCAPE_TRUST, CKO_NETSCAPE_CRL, CKO_NETSCAPE_SMIME, + CKO_NSS_TRUST, CKO_NSS_CRL, CKO_NSS_SMIME, CKO_CERTIFICATE }; #define handleToClass(handle) \ @@ -290,7 +290,7 @@ lg_getSMime(LGObjectCache *obj) certDBEntrySMime *entry; NSSLOWCERTCertDBHandle *certHandle; - if (obj->objclass != CKO_NETSCAPE_SMIME) { + if (obj->objclass != CKO_NSS_SMIME) { return NULL; } if (obj->objectInfo) { @@ -314,7 +314,7 @@ lg_getCrl(LGObjectCache *obj) PRBool isKrl; NSSLOWCERTCertDBHandle *certHandle; - if (obj->objclass != CKO_NETSCAPE_CRL) { + if (obj->objclass != CKO_NSS_CRL) { return NULL; } if (obj->objectInfo) { 
@@ -339,7 +339,7 @@ lg_getCert(LGObjectCache *obj, NSSLOWCERTCertDBHandle *certHandle) NSSLOWCERTCertificate *cert; CK_OBJECT_CLASS objClass = obj->objclass; - if ((objClass != CKO_CERTIFICATE) && (objClass != CKO_NETSCAPE_TRUST)) { + if ((objClass != CKO_CERTIFICATE) && (objClass != CKO_NSS_TRUST)) { return NULL; } if (objClass == CKO_CERTIFICATE && obj->objectInfo) { @@ -358,7 +358,7 @@ lg_getTrust(LGObjectCache *obj, NSSLOWCERTCertDBHandle *certHandle) { NSSLOWCERTTrust *trust; - if (obj->objclass != CKO_NETSCAPE_TRUST) { + if (obj->objclass != CKO_NSS_TRUST) { return NULL; } if (obj->objectInfo) { @@ -386,10 +386,10 @@ lg_GetPublicKey(LGObjectCache *obj) if (privKey == NULL) { return NULL; } - pubKey = nsslowkey_ConvertToPublicKey(privKey); - nsslowkey_DestroyPrivateKey(privKey); + pubKey = lg_nsslowkey_ConvertToPublicKey(privKey); + lg_nsslowkey_DestroyPrivateKey(privKey); obj->objectInfo = (void *) pubKey; - obj->infoFree = (LGFreeFunc) nsslowkey_DestroyPublicKey ; + obj->infoFree = (LGFreeFunc) lg_nsslowkey_DestroyPublicKey ; return pubKey; } @@ -418,7 +418,7 @@ lg_GetPrivateKeyWithDB(LGObjectCache *obj, NSSLOWKEYDBHandle *keyHandle) return NULL; } obj->objectInfo = (void *) privKey; - obj->infoFree = (LGFreeFunc) nsslowkey_DestroyPrivateKey ; + obj->infoFree = (LGFreeFunc) lg_nsslowkey_DestroyPrivateKey ; return privKey; } @@ -1083,10 +1083,10 @@ lg_FindSMIMEAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, case CKA_PRIVATE: case CKA_MODIFIABLE: return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr); - case CKA_NETSCAPE_EMAIL: + case CKA_NSS_EMAIL: return lg_CopyAttribute(attribute,type,obj->dbKey.data, obj->dbKey.len-1); - case CKA_NETSCAPE_SMIME_TIMESTAMP: + case CKA_NSS_SMIME_TIMESTAMP: case CKA_SUBJECT: case CKA_VALUE: break; 
@@ -1098,7 +1098,7 @@ lg_FindSMIMEAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, return CKR_OBJECT_HANDLE_INVALID; } switch (type) { - case CKA_NETSCAPE_SMIME_TIMESTAMP: + case CKA_NSS_SMIME_TIMESTAMP: return lg_CopyAttribute(attribute,type,entry->optionsDate.data, entry->optionsDate.len); case CKA_SUBJECT: @@ -1172,26 +1172,25 @@ lg_FindTrustAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, trust: if (trustFlags & CERTDB_TRUSTED_CA ) { return lg_ULongAttribute(attribute, type, - CKT_NETSCAPE_TRUSTED_DELEGATOR); + CKT_NSS_TRUSTED_DELEGATOR); } if (trustFlags & CERTDB_TRUSTED) { - return lg_ULongAttribute(attribute, type, CKT_NETSCAPE_TRUSTED); + return lg_ULongAttribute(attribute, type, CKT_NSS_TRUSTED); } - if (trustFlags & CERTDB_NOT_TRUSTED) { - return lg_ULongAttribute(attribute, type, CKT_NETSCAPE_UNTRUSTED); + if (trustFlags & CERTDB_MUST_VERIFY) { + return lg_ULongAttribute(attribute, type, + CKT_NSS_MUST_VERIFY_TRUST); } if (trustFlags & CERTDB_TRUSTED_UNKNOWN) { - return lg_ULongAttribute(attribute, type, - CKT_NETSCAPE_TRUST_UNKNOWN); + return lg_ULongAttribute(attribute, type, CKT_NSS_TRUST_UNKNOWN); } if (trustFlags & CERTDB_VALID_CA) { - return lg_ULongAttribute(attribute, type, - CKT_NETSCAPE_VALID_DELEGATOR); + return lg_ULongAttribute(attribute, type, CKT_NSS_VALID_DELEGATOR); } - if (trustFlags & CERTDB_VALID_PEER) { - return lg_ULongAttribute(attribute, type, CKT_NETSCAPE_VALID); + if (trustFlags & CERTDB_TERMINAL_RECORD) { + return lg_ULongAttribute(attribute, type, CKT_NSS_NOT_TRUSTED); } - return lg_ULongAttribute(attribute, type, CKT_NETSCAPE_MUST_VERIFY); + return lg_ULongAttribute(attribute, type, CKT_NSS_TRUST_UNKNOWN); case CKA_TRUST_STEP_UP_APPROVED: if (trust->trust->sslFlags & CERTDB_GOVT_APPROVED_CA) { return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr); 
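Review bot: In the `trust:` mapping of `lg_FindTrustAttribute`, `CERTDB_TERMINAL_RECORD` is tested last, after `CERTDB_TRUSTED_UNKNOWN` and `CERTDB_VALID_CA`. `get_stan_trust` in pki3hack.c, changed in this same patch, tests it before `CERTDB_VALID_CA`. If a stored record can carry both `CERTDB_VALID_CA` and `CERTDB_TERMINAL_RECORD`, which this hunk does not show, the legacy database would report `CKT_NSS_VALID_DELEGATOR` where the other path reports distrust. Please confirm the order is deliberate, or move the terminal-record test directly after the `CERTDB_TRUSTED` test so the two mappings agree. The `CERTDB_TRUSTED_UNKNOWN` branch now returns the same `CKT_NSS_TRUST_UNKNOWN` as the final fallthrough, so it could be dropped or marked with `/* explicit for clarity */`.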
@@ -1237,14 +1236,14 @@ lg_FindCrlAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, case CKA_PRIVATE: case CKA_MODIFIABLE: return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr); - case CKA_NETSCAPE_KRL: + case CKA_NSS_KRL: return ((obj->handle == LG_TOKEN_KRL_HANDLE) ? LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr) : LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr)); case CKA_SUBJECT: return lg_CopyAttribute(attribute,type,obj->dbKey.data, obj->dbKey.len); - case CKA_NETSCAPE_URL: + case CKA_NSS_URL: case CKA_VALUE: break; default: @@ -1255,7 +1254,7 @@ lg_FindCrlAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, return CKR_OBJECT_HANDLE_INVALID; } switch (type) { - case CKA_NETSCAPE_URL: + case CKA_NSS_URL: if (crl->url == NULL) { return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr); } @@ -1294,7 +1293,7 @@ lg_FindCertAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, case CKA_SUBJECT: case CKA_ISSUER: case CKA_SERIAL_NUMBER: - case CKA_NETSCAPE_EMAIL: + case CKA_NSS_EMAIL: break; default: return lg_invalidAttribute(attribute); @@ -1323,12 +1322,12 @@ lg_FindCertAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, if (pubKey == NULL) break; item = lg_GetPubItem(pubKey); if (item == NULL) { - nsslowkey_DestroyPublicKey(pubKey); + lg_nsslowkey_DestroyPublicKey(pubKey); break; } SHA1_HashBuf(hash,item->data,item->len); /* item is imbedded in pubKey, just free the key */ - nsslowkey_DestroyPublicKey(pubKey); + lg_nsslowkey_DestroyPublicKey(pubKey); return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH); case CKA_LABEL: return cert->nickname @@ -1344,7 +1343,7 @@ lg_FindCertAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, case CKA_SERIAL_NUMBER: return lg_CopyAttribute(attribute,type,cert->derSN.data, cert->derSN.len); - case CKA_NETSCAPE_EMAIL: + case CKA_NSS_EMAIL: return (cert->emailAddr && cert->emailAddr[0]) ? lg_CopyAttribute(attribute, type, cert->emailAddr, PORT_Strlen(cert->emailAddr)) 
@@ -1379,11 +1378,11 @@ lg_GetSingleAttribute(LGObjectCache *obj, CK_ATTRIBUTE *attribute) switch (obj->objclass) { case CKO_CERTIFICATE: return lg_FindCertAttribute(obj,type,attribute); - case CKO_NETSCAPE_CRL: + case CKO_NSS_CRL: return lg_FindCrlAttribute(obj,type,attribute); - case CKO_NETSCAPE_TRUST: + case CKO_NSS_TRUST: return lg_FindTrustAttribute(obj,type,attribute); - case CKO_NETSCAPE_SMIME: + case CKO_NSS_SMIME: return lg_FindSMIMEAttribute(obj,type,attribute); case CKO_PUBLIC_KEY: return lg_FindPublicKeyAttribute(obj,type,attribute); @@ -1501,7 +1500,7 @@ lg_SetCertAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, /* we can't change the EMAIL values, but let the * upper layers feel better about the fact we tried to set these */ - if (type == CKA_NETSCAPE_EMAIL) { + if (type == CKA_NSS_EMAIL) { return CKR_OK; } @@ -1763,10 +1762,10 @@ lg_SetSingleAttribute(LGObjectCache *obj, const CK_ATTRIBUTE *attr, crv = lg_SetCertAttribute(obj,attr->type, attr->pValue,attr->ulValueLen); break; - case CKO_NETSCAPE_CRL: + case CKO_NSS_CRL: /* change URL */ break; - case CKO_NETSCAPE_TRUST: + case CKO_NSS_TRUST: crv = lg_SetTrustAttribute(obj,attr); break; case CKO_PRIVATE_KEY: diff --git a/security/nss/lib/softoken/legacydb/lgcreate.c b/security/nss/lib/softoken/legacydb/lgcreate.c index ab6c652f7f0..fa76297c176 100644 --- a/security/nss/lib/softoken/legacydb/lgcreate.c +++ b/security/nss/lib/softoken/legacydb/lgcreate.c @@ -143,7 +143,7 @@ lg_createCertObject(SDB *sdb, CK_OBJECT_HANDLE *handle, /* * Add a NULL S/MIME profile if necessary. */ - email = lg_getString(CKA_NETSCAPE_EMAIL, templ, count); + email = lg_getString(CKA_NSS_EMAIL, templ, count); if (email) { certDBEntrySMime *entry; 
@@ -168,17 +168,15 @@ lg_MapTrust(CK_TRUST trust, PRBool clientAuth) unsigned int trustCA = clientAuth ? CERTDB_TRUSTED_CLIENT_CA : CERTDB_TRUSTED_CA; switch (trust) { - case CKT_NETSCAPE_TRUSTED: - return CERTDB_VALID_PEER|CERTDB_TRUSTED; - case CKT_NETSCAPE_TRUSTED_DELEGATOR: + case CKT_NSS_TRUSTED: + return CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED; + case CKT_NSS_TRUSTED_DELEGATOR: return CERTDB_VALID_CA|trustCA; - case CKT_NETSCAPE_UNTRUSTED: - return CERTDB_NOT_TRUSTED; - case CKT_NETSCAPE_MUST_VERIFY: - return 0; - case CKT_NETSCAPE_VALID: /* implies must verify */ - return CERTDB_VALID_PEER; - case CKT_NETSCAPE_VALID_DELEGATOR: /* implies must verify */ + case CKT_NSS_MUST_VERIFY_TRUST: + return CERTDB_MUST_VERIFY; + case CKT_NSS_NOT_TRUSTED: + return CERTDB_TERMINAL_RECORD; + case CKT_NSS_VALID_DELEGATOR: /* implies must verify */ return CERTDB_VALID_CA; default: break; @@ -198,10 +196,10 @@ lg_createTrustObject(SDB *sdb, CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *serial = NULL; NSSLOWCERTCertificate *cert = NULL; const CK_ATTRIBUTE *trust; - CK_TRUST sslTrust = CKT_NETSCAPE_TRUST_UNKNOWN; - CK_TRUST clientTrust = CKT_NETSCAPE_TRUST_UNKNOWN; - CK_TRUST emailTrust = CKT_NETSCAPE_TRUST_UNKNOWN; - CK_TRUST signTrust = CKT_NETSCAPE_TRUST_UNKNOWN; + CK_TRUST sslTrust = CKT_NSS_TRUST_UNKNOWN; + CK_TRUST clientTrust = CKT_NSS_TRUST_UNKNOWN; + CK_TRUST emailTrust = CKT_NSS_TRUST_UNKNOWN; + CK_TRUST signTrust = CKT_NSS_TRUST_UNKNOWN; CK_BBOOL stepUp; NSSLOWCERTCertTrust dbTrust = { 0 }; SECStatus rv; @@ -323,7 +321,7 @@ lg_createSMimeObject(SDB *sdb, CK_OBJECT_HANDLE *handle, } /* lookup Time */ - time = lg_FindAttribute(CKA_NETSCAPE_SMIME_TIMESTAMP,templ,count); + time = lg_FindAttribute(CKA_NSS_SMIME_TIMESTAMP,templ,count); if (time) { rawTime.data = (unsigned char *)time->pValue; rawTime.len = time->ulValueLen ; 
@@ -332,7 +330,7 @@ lg_createSMimeObject(SDB *sdb, CK_OBJECT_HANDLE *handle, } - email = lg_getString(CKA_NETSCAPE_EMAIL,templ,count); + email = lg_getString(CKA_NSS_EMAIL,templ,count); if (!email) { ck_rv = CKR_ATTRIBUTE_VALUE_INVALID; goto loser; @@ -399,8 +397,8 @@ lg_createCrlObject(SDB *sdb, CK_OBJECT_HANDLE *handle, derCrl.data = (unsigned char *)crl->pValue; derCrl.len = crl->ulValueLen ; - url = lg_getString(CKA_NETSCAPE_URL,templ,count); - isKRL = lg_isTrue(CKA_NETSCAPE_KRL,templ,count); + url = lg_getString(CKA_NSS_URL,templ,count); + isKRL = lg_isTrue(CKA_NSS_KRL,templ,count); /* Store CRL by SUBJECT */ rv = nsslowcert_AddCrl(certHandle, &derCrl, &derSubj, url, isKRL); @@ -520,7 +518,7 @@ lg_createPublicKeyObject(SDB *sdb, CK_KEY_TYPE key_type, crv = CKR_ATTRIBUTE_VALUE_INVALID; goto done; } - nsslowkey_DestroyPrivateKey(priv); + lg_nsslowkey_DestroyPrivateKey(priv); crv = CKR_OK; *handle = lg_mkHandle(sdb, pubKey, LG_TOKEN_TYPE_PUB); @@ -727,7 +725,7 @@ fail: if (label) PORT_Free(label); *handle = lg_mkHandle(sdb,&pubKey,LG_TOKEN_TYPE_PRIV); if (pubKey.data) PORT_Free(pubKey.data); - nsslowkey_DestroyPrivateKey(privKey); + lg_nsslowkey_DestroyPrivateKey(privKey); if (rv != SECSuccess) return crv; return CKR_OK; @@ -929,7 +927,7 @@ lg_createSecretKeyObject(SDB *sdb, CK_KEY_TYPE key_type, loser: if (label) PORT_Free(label); - if (privKey) nsslowkey_DestroyPrivateKey(privKey); + if (privKey) lg_nsslowkey_DestroyPrivateKey(privKey); if (pubKey.data) PORT_Free(pubKey.data); return crv; 
@@ -987,13 +985,13 @@ lg_CreateObject(SDB *sdb, CK_OBJECT_HANDLE *handle, case CKO_CERTIFICATE: crv = lg_createCertObject(sdb,handle,templ,count); break; - case CKO_NETSCAPE_TRUST: + case CKO_NSS_TRUST: crv = lg_createTrustObject(sdb,handle,templ,count); break; - case CKO_NETSCAPE_CRL: + case CKO_NSS_CRL: crv = lg_createCrlObject(sdb,handle,templ,count); break; - case CKO_NETSCAPE_SMIME: + case CKO_NSS_SMIME: crv = lg_createSMimeObject(sdb,handle,templ,count); break; case CKO_PRIVATE_KEY: diff --git a/security/nss/lib/softoken/legacydb/lgdb.h b/security/nss/lib/softoken/legacydb/lgdb.h index ed6f1298d4c..26617806675 100644 --- a/security/nss/lib/softoken/legacydb/lgdb.h +++ b/security/nss/lib/softoken/legacydb/lgdb.h @@ -51,18 +51,11 @@ #define MULTIACCESS "multiaccess:" -/* machine dependent path stuff used by dbinit.c and pk11db.c */ -#ifdef macintosh -#define PATH_SEPARATOR ":" -#define SECMOD_DB "Security Modules" -#define CERT_DB_FMT "%sCertificates%s" -#define KEY_DB_FMT "%sKey Database%s" -#else +/* path stuff (was machine dependent) used by dbinit.c and pk11db.c */ #define PATH_SEPARATOR "/" #define SECMOD_DB "secmod.db" #define CERT_DB_FMT "%scert%s.db" #define KEY_DB_FMT "%skey%s.db" -#endif SEC_BEGIN_PROTOS @@ -197,20 +190,20 @@ SEC_END_PROTOS #ifndef XP_UNIX -#define NO_CHECK_FORK +#define NO_FORK_CHECK #endif -#ifndef NO_CHECK_FORK +#ifndef NO_FORK_CHECK -extern PRBool parentForkedAfterC_Initialize; -#define SKIP_AFTER_FORK(x) if (!parentForkedAfterC_Initialize) x +extern PRBool lg_parentForkedAfterC_Initialize; +#define SKIP_AFTER_FORK(x) if (!lg_parentForkedAfterC_Initialize) x #else #define SKIP_AFTER_FORK(x) x -#endif /* NO_CHECK_FORK */ +#endif /* NO_FORK_CHECK */ #endif /* _LGDB_H_ */ diff --git a/security/nss/lib/softoken/legacydb/lgfind.c b/security/nss/lib/softoken/legacydb/lgfind.c index 29aab3dd314..3cd8bbe8e44 100644 --- a/security/nss/lib/softoken/legacydb/lgfind.c +++ b/security/nss/lib/softoken/legacydb/lgfind.c 
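Review bot: In lgdb.h, `SKIP_AFTER_FORK(x)` still expands to a bare `if (...) x`, so a use placed directly before an `else` would bind that `else` to the hidden `if`. Since the macro line is already being edited for the `lg_` rename, it could be wrapped as `#define SKIP_AFTER_FORK(x) do { if (!lg_parentForkedAfterC_Initialize) { x; } } while (0)`, assuming every use is a statement call; the call sites are not in this hunk. Separately, the guard is renamed from `NO_CHECK_FORK` to `NO_FORK_CHECK`, so a build that still defines the old name would no longer compile the check out. A one-line comment next to the `#ifndef XP_UNIX` block naming the retired macro would make that visible.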
@@ -223,7 +223,7 @@ lg_key_collect(DBT *key, DBT *data, void *arg) ~LG_KEY; haveMatch = (PRBool) ((classFlags & (LG_KEY|LG_PRIVATE|LG_PUBLIC)) != 0); - nsslowkey_DestroyPrivateKey(privKey); + lg_nsslowkey_DestroyPrivateKey(privKey); } } else { SHA1_HashBuf( hashKey, key->data, key->size ); /* match id */ @@ -289,7 +289,7 @@ lg_key_collect(DBT *key, DBT *data, void *arg) loser: if ( privKey ) { - nsslowkey_DestroyPrivateKey(privKey); + lg_nsslowkey_DestroyPrivateKey(privKey); } return(SECSuccess); } @@ -327,7 +327,7 @@ lg_searchKeys(SDB *sdb, SECItem *key_id, lg_mkHandle(sdb,key_id,LG_TOKEN_TYPE_PUB)); found = PR_TRUE; } - nsslowkey_DestroyPrivateKey(privKey); + lg_nsslowkey_DestroyPrivateKey(privKey); } /* don't do the traversal if we have an up to date db */ if (keyHandle->version != 3) { diff --git a/security/nss/lib/softoken/legacydb/lginit.c b/security/nss/lib/softoken/legacydb/lginit.c index 6236b7851d6..c1b1578318c 100644 --- a/security/nss/lib/softoken/legacydb/lginit.c +++ b/security/nss/lib/softoken/legacydb/lginit.c @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: lginit.c,v 1.14.22.1 2011/01/06 19:55:02 wtc%google.com Exp $ */ +/* $Id: lginit.c,v 1.16 2011/01/06 19:33:14 wtc%google.com Exp $ */ #include "lowkeyi.h" #include "pcert.h" 
@@ -44,6 +44,26 @@ #include "lgdb.h" #include "secoid.h" #include "prenv.h" +#include "softkver.h" + +/* Library identity and versioning */ + +#if defined(DEBUG) +#define _DEBUG_STRING " (debug)" +#else +#define _DEBUG_STRING "" +#endif + +/* + * Version information for the 'ident' and 'what commands + * + * NOTE: the first component of the concatenated rcsid string + * must not end in a '$' to prevent rcs keyword substitution. + */ +const char __nss_dbm_rcsid[] = "$Header: NSS " SOFTOKEN_VERSION _DEBUG_STRING + " " __DATE__ " " __TIME__ " $"; +const char __nss_dbm_sccsid[] = "@(#)NSS " SOFTOKEN_VERSION _DEBUG_STRING + " " __DATE__ " " __TIME__; typedef struct LGPrivateStr { NSSLOWCERTCertDBHandle *certDB; @@ -462,11 +482,11 @@ lg_getKeyDB(SDB *sdb) return lgdb_p->keyDB; } -PRBool parentForkedAfterC_Initialize; +PRBool lg_parentForkedAfterC_Initialize; void lg_SetForkState(PRBool forked) { - parentForkedAfterC_Initialize = forked; + lg_parentForkedAfterC_Initialize = forked; } CK_RV @@ -606,6 +626,9 @@ legacy_Open(const char *configdir, const char *certPrefix, CK_RV crv = CKR_OK; SECStatus rv; PRBool readOnly = (flags == SDB_RDONLY)? PR_TRUE: PR_FALSE; + volatile char c; /* force a reference that won't get optimized away */ + + c = __nss_dbm_rcsid[0] + __nss_dbm_sccsid[0]; rv = SECOID_Init(); if (SECSuccess != rv) { diff --git a/security/nss/lib/softoken/legacydb/lowcert.c b/security/nss/lib/softoken/legacydb/lowcert.c index 703faeb2f7b..aa1d61a955e 100644 --- a/security/nss/lib/softoken/legacydb/lowcert.c +++ b/security/nss/lib/softoken/legacydb/lowcert.c @@ -38,7 +38,7 @@ /* * Certificate handling code * - * $Id: lowcert.c,v 1.5 2009/04/12 01:31:45 nelson%bolyard.com Exp $ + * $Id: lowcert.c,v 1.6 2010/07/20 01:26:04 wtc%google.com Exp $ */ #include "seccomon.h" 
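Review bot: The new `__nss_dbm_rcsid` and `__nss_dbm_sccsid` strings in lginit.c embed `__DATE__` and `__TIME__`, so two builds of the same source produce different library binaries, which prevents byte-for-byte comparison of a shipped library against a rebuild. If the timestamp is wanted for `ident`/`what`, it could come from a build-system define that can be pinned. The names `__nss_dbm_rcsid`, `__nss_dbm_sccsid` and `_DEBUG_STRING` also fall in the identifier space C reserves for the implementation; the `lg_` prefix used elsewhere in this commit would fit. In the later legacy_Open hunk, `volatile char c` is assigned and never read, so a `(void)c;` after the assignment would avoid set-but-unused warnings. The comment's `'what commands` is missing its closing quote.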
@@ -120,6 +120,11 @@ nsslowcert_dataStart(unsigned char *buf, unsigned int length, unsigned char tag; unsigned int used_length= 0; + /* need at least a tag and a 1 byte length */ + if (length < 2) { + return NULL; + } + tag = buf[used_length++]; if (rettag) { @@ -136,6 +141,10 @@ nsslowcert_dataStart(unsigned char *buf, unsigned int length, if (*data_length&0x80) { int len_count = *data_length & 0x7f; + if (len_count+used_length > length) { + return NULL; + } + *data_length = 0; while (len_count-- > 0) { @@ -213,6 +222,9 @@ nsslowcert_GetCertFields(unsigned char *cert,int cert_length, /* serial number */ if (derSN) { derSN->data=nsslowcert_dataStart(buf,buf_length,&derSN->len,PR_TRUE, NULL); + /* derSN->data doesn't need to be checked because if it fails so will + * serial->data below. The only difference between the two calls is + * whether or not the tags are included in the returned buffer */ } serial->data = nsslowcert_dataStart(buf,buf_length,&serial->len,PR_FALSE, NULL); if (serial->data == NULL) return SECFailure; @@ -256,7 +268,21 @@ nsslowcert_GetCertFields(unsigned char *cert,int cert_length, if (buf[0] == 0xa3) { extensions->data = nsslowcert_dataStart(buf,buf_length, &extensions->len, PR_FALSE, NULL); - break; + /* if the DER is bad, we should fail. Previously we accepted + * bad DER here and treated the extension as missin */ + if (extensions->data == NULL || + (extensions->data - buf) + extensions->len != buf_length) + return SECFailure; + buf = extensions->data; + buf_length = extensions->len; + /* now parse the SEQUENCE holding the extensions. */ + dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE,NULL); + if (dummy == NULL || + (dummy - buf) + dummylen != buf_length) + return SECFailure; + buf_length -= (dummy - buf); + buf = dummy; + /* Now parse the extensions inside this sequence */ } dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE,NULL); if (dummy == NULL) return SECFailure; 
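Review bot: The added `len_count+used_length > length` test in nsslowcert_dataStart bounds the number of length octets against the buffer, but not against the width of `*data_length`. `len_count` can be as large as 0x7f, and if the loop below folds each octet into `*data_length` by shifting (its body is outside the hunk), a length with more octets than the integer holds would lose its high bytes and a non-canonical encoding could be accepted instead of rejected. A stricter guard would be `if (len_count > (int)sizeof(*data_length) || len_count+used_length > length) return NULL;`. It may also be worth deciding explicitly what `len_count == 0` (the indefinite-length form, which DER forbids) should return. The function body continues outside the hunk.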
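Review bot: In the `buf[0] == 0xa3` branch of nsslowcert_GetCertFields, the inner call that is commented as parsing the SEQUENCE holding the extensions passes `NULL` for the tag, so the tag of that element is never compared with the SEQUENCE tag. Passing a local and testing it, e.g. `dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE,&tag);` followed by `if (dummy == NULL || tag != 0x30 || (dummy - buf) + dummylen != buf_length) return SECFailure;`, would reject a wrapper of the wrong type; this assumes nsslowcert_dataStart returns the raw tag byte through that argument, which the earlier hunk suggests but does not fully show. `extensions->data` and `extensions->len` are also written before the new checks run, so on `SECFailure` they still describe the rejected bytes and callers must not use them. The new comment ends in `missin`, which should read `missing`. The loop this branch sits in starts outside the hunk.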
@@ -628,6 +654,10 @@ nsslowcert_DecodeDERCertificate(SECItem *derSignedCert, char *nickname) &cert->derIssuer, &cert->serialNumber, &cert->derSN, &cert->derSubject, &cert->validity, &cert->derSubjKeyInfo, &cert->extensions); + if (rv != SECSuccess) { + goto loser; + } + /* cert->subjectKeyID; x509v3 subject key identifier */ cert->subjectKeyID.data = NULL; cert->subjectKeyID.len = 0; @@ -825,7 +855,7 @@ nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *cert) break; } - nsslowkey_DestroyPublicKey (pubk); + lg_nsslowkey_DestroyPublicKey (pubk); return NULL; } diff --git a/security/nss/lib/softoken/legacydb/lowkey.c b/security/nss/lib/softoken/legacydb/lowkey.c index 5ee64d1f247..28a7ac94cc6 100644 --- a/security/nss/lib/softoken/legacydb/lowkey.c +++ b/security/nss/lib/softoken/legacydb/lowkey.c @@ -59,7 +59,7 @@ static const SEC_ASN1Template nsslowkey_SetOfAttributeTemplate[] = { { SEC_ASN1_SET_OF, 0, nsslowkey_AttributeTemplate }, }; /* ASN1 Templates for new decoder/encoder */ -const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[] = { +const SEC_ASN1Template lg_nsslowkey_PrivateKeyInfoTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKeyInfo) }, { SEC_ASN1_INTEGER, @@ -75,7 +75,7 @@ const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[] = { { 0 } }; -const SEC_ASN1Template nsslowkey_PQGParamsTemplate[] = { +const SEC_ASN1Template lg_nsslowkey_PQGParamsTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PQGParams) }, { SEC_ASN1_INTEGER, offsetof(PQGParams,prime) }, { SEC_ASN1_INTEGER, offsetof(PQGParams,subPrime) }, @@ -83,7 +83,7 @@ const SEC_ASN1Template nsslowkey_PQGParamsTemplate[] = { { 0, } }; -const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[] = { +const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) }, { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.version) }, { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.modulus) }, 
@@ -98,18 +98,14 @@ const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[] = { }; -const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[] = { +const SEC_ASN1Template lg_nsslowkey_DSAPrivateKeyTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) }, { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.publicValue) }, { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.privateValue) }, { 0, } }; -const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[] = { - { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.privateValue) }, -}; - -const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[] = { +const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) }, { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.publicValue) }, { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.privateValue) }, @@ -124,9 +120,9 @@ const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[] = { * generic curves and need full-blown support for parsing EC * parameters. For now, we only support named curves in which * EC params are simply encoded as an object ID and we don't - * use nsslowkey_ECParamsTemplate. + * use lg_nsslowkey_ECParamsTemplate. */ -const SEC_ASN1Template nsslowkey_ECParamsTemplate[] = { +const SEC_ASN1Template lg_nsslowkey_ECParamsTemplate[] = { { SEC_ASN1_CHOICE, offsetof(ECParams,type), NULL, sizeof(ECParams) }, { SEC_ASN1_OBJECT_ID, offsetof(ECParams,curveOID), NULL, ec_params_named }, { 0, } @@ -138,7 +134,7 @@ const SEC_ASN1Template nsslowkey_ECParamsTemplate[] = { * in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo * instead. */ -const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[] = { +const SEC_ASN1Template lg_nsslowkey_ECPrivateKeyTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) }, { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.ec.version) }, { SEC_ASN1_OCTET_STRING, 
@@ -146,7 +142,7 @@ const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[] = { /* XXX The following template works for now since we only * support named curves for which the parameters are * encoded as an object ID. When we support generic curves, - * we'll need to define nsslowkey_ECParamsTemplate + * we'll need to define lg_nsslowkey_ECParamsTemplate */ #if 1 { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | @@ -157,7 +153,7 @@ const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[] = { { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | 0, offsetof(NSSLOWKEYPrivateKey,u.ec.ecParams), - nsslowkey_ECParamsTemplate }, + lg_nsslowkey_ECParamsTemplate }, #endif { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | @@ -246,7 +242,7 @@ loser: */ void -prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key) +lg_prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key) { key->u.rsa.modulus.type = siUnsignedInteger; key->u.rsa.publicExponent.type = siUnsignedInteger; @@ -259,7 +255,7 @@ prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key) } void -prepare_low_pqg_params_for_asn1(PQGParams *params) +lg_prepare_low_pqg_params_for_asn1(PQGParams *params) { params->prime.type = siUnsignedInteger; params->subPrime.type = siUnsignedInteger; @@ -267,7 +263,7 @@ prepare_low_pqg_params_for_asn1(PQGParams *params) } void -prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key) +lg_prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key) { key->u.dsa.publicValue.type = siUnsignedInteger; key->u.dsa.privateValue.type = siUnsignedInteger; 
@@ -277,13 +273,7 @@ prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key) } void -prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key) -{ - key->u.dsa.privateValue.type = siUnsignedInteger; -} - -void -prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key) +lg_prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key) { key->u.dh.prime.type = siUnsignedInteger; key->u.dh.base.type = siUnsignedInteger; @@ -293,14 +283,14 @@ prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key) #ifdef NSS_ENABLE_ECC void -prepare_low_ecparams_for_asn1(ECParams *params) +lg_prepare_low_ecparams_for_asn1(ECParams *params) { params->DEREncoding.type = siUnsignedInteger; params->curveOID.type = siUnsignedInteger; } void -prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key) +lg_prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key) { key->u.ec.version.type = siUnsignedInteger; key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger; @@ -311,7 +301,7 @@ prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key) #endif /* NSS_ENABLE_ECC */ void -nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk) +lg_nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk) { if (privk && privk->arena) { PORT_FreeArena(privk->arena, PR_TRUE); 
@@ -319,48 +309,15 @@ nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk) } void -nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *pubk) +lg_nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *pubk) { if (pubk && pubk->arena) { PORT_FreeArena(pubk->arena, PR_FALSE); } } -unsigned -nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubk) -{ - unsigned char b0; - - /* interpret modulus length as key strength... in - * fortezza that's the public key length */ - - switch (pubk->keyType) { - case NSSLOWKEYRSAKey: - b0 = pubk->u.rsa.modulus.data[0]; - return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1; - default: - break; - } - return 0; -} - -unsigned -nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privk) -{ - - unsigned char b0; - - switch (privk->keyType) { - case NSSLOWKEYRSAKey: - b0 = privk->u.rsa.modulus.data[0]; - return b0 ? privk->u.rsa.modulus.len : privk->u.rsa.modulus.len - 1; - default: - break; - } - return 0; -} NSSLOWKEYPublicKey * -nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk) +lg_nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk) { NSSLOWKEYPublicKey *pubk; PLArenaPool *arena; diff --git a/security/nss/lib/softoken/legacydb/lowkeyi.h b/security/nss/lib/softoken/legacydb/lowkeyi.h index a40ff95153f..3c162714c20 100644 --- a/security/nss/lib/softoken/legacydb/lowkeyi.h +++ b/security/nss/lib/softoken/legacydb/lowkeyi.h @@ -34,7 +34,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: lowkeyi.h,v 1.2 2007/06/13 00:24:57 rrelyea%redhat.com Exp $ */ +/* $Id: lowkeyi.h,v 1.4 2010/10/11 19:30:10 wtc%google.com Exp $ */ #ifndef _LOWKEYI_H_ #define _LOWKEYI_H_ 
@@ -56,14 +56,13 @@ SEC_BEGIN_PROTOS * source or destination (encoding or decoding, respectively) type as * siUnsignedInteger. */ -extern void prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key); -extern void prepare_low_pqg_params_for_asn1(PQGParams *params); -extern void prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key); -extern void prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key); -extern void prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key); +extern void lg_prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key); +extern void lg_prepare_low_pqg_params_for_asn1(PQGParams *params); +extern void lg_prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key); +extern void lg_prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key); #ifdef NSS_ENABLE_ECC -extern void prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key); -extern void prepare_low_ecparams_for_asn1(ECParams *params); +extern void lg_prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key); +extern void lg_prepare_low_ecparams_for_asn1(ECParams *params); #endif /* NSS_ENABLE_ECC */ typedef char * (* NSSLOWKEYDBNameFunc)(void *arg, int dbVersion); @@ -96,7 +95,7 @@ extern SECStatus nsslowkey_DeleteKey(NSSLOWKEYDBHandle *handle, /* ** Store a key in the database, indexed by its public key modulus. ** "pk" is the private key to store -** "f" is a the callback function for getting the password +** "f" is the callback function for getting the password ** "arg" is the argument for the callback */ extern SECStatus nsslowkey_StoreKeyByPublicKey(NSSLOWKEYDBHandle *handle, 
@@ -116,32 +115,21 @@ extern PRBool nsslowkey_KeyForIDExists(NSSLOWKEYDBHandle *handle, SECItem *id); ** "key" the object ** "freeit" if PR_TRUE then free the object as well as its sub-objects */ -extern void nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key); +extern void lg_nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key); /* ** Destroy a public key object. ** "key" the object ** "freeit" if PR_TRUE then free the object as well as its sub-objects */ -extern void nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *key); - -/* -** Return the modulus length of "pubKey". -*/ -extern unsigned int nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubKey); - - -/* -** Return the modulus length of "privKey". -*/ -extern unsigned int nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privKey); +extern void lg_nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *key); /* ** Convert a low private key "privateKey" into a public low key */ extern NSSLOWKEYPublicKey - *nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privateKey); + *lg_nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privateKey); SECStatus diff --git a/security/nss/lib/softoken/legacydb/lowkeyti.h b/security/nss/lib/softoken/legacydb/lowkeyti.h index 7fa74da725c..2e2cdf0c967 100644 --- a/security/nss/lib/softoken/legacydb/lowkeyti.h +++ b/security/nss/lib/softoken/legacydb/lowkeyti.h 
@@ -70,19 +70,18 @@ typedef struct NSSLOWKEYDBHandleStr NSSLOWKEYDBHandle; /* ** Typedef for callback to get a password "key". */ -extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[]; -extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[]; -extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[]; -extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[]; -extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[]; -extern const SEC_ASN1Template nsslowkey_DHPrivateKeyExportTemplate[]; +extern const SEC_ASN1Template lg_nsslowkey_PQGParamsTemplate[]; +extern const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate[]; +extern const SEC_ASN1Template lg_nsslowkey_DSAPrivateKeyTemplate[]; +extern const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyTemplate[]; +extern const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyExportTemplate[]; #ifdef NSS_ENABLE_ECC #define NSSLOWKEY_EC_PRIVATE_KEY_VERSION 1 /* as per SECG 1 C.4 */ -extern const SEC_ASN1Template nsslowkey_ECParamsTemplate[]; -extern const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[]; +extern const SEC_ASN1Template lg_nsslowkey_ECParamsTemplate[]; +extern const SEC_ASN1Template lg_nsslowkey_ECPrivateKeyTemplate[]; #endif /* NSS_ENABLE_ECC */ -extern const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[]; +extern const SEC_ASN1Template lg_nsslowkey_PrivateKeyInfoTemplate[]; extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[]; /* diff --git a/security/nss/lib/softoken/legacydb/manifest.mn b/security/nss/lib/softoken/legacydb/manifest.mn index a761c922460..b751c3719c9 100644 --- a/security/nss/lib/softoken/legacydb/manifest.mn +++ b/security/nss/lib/softoken/legacydb/manifest.mn 
@@ -44,7 +44,7 @@ LIBRARY_NAME = nssdbm LIBRARY_VERSION = 3 MAPFILE = $(OBJDIR)/nssdbm.def -DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" +DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" CSRCS = \ dbmshim.c \ diff --git a/security/nss/lib/softoken/legacydb/pcertdb.c b/security/nss/lib/softoken/legacydb/pcertdb.c index 74c8f9d7177..4898819d7e1 100644 --- a/security/nss/lib/softoken/legacydb/pcertdb.c +++ b/security/nss/lib/softoken/legacydb/pcertdb.c @@ -37,7 +37,7 @@ /* * Permanent Certificate database handling code * - * $Id: pcertdb.c,v 1.11 2009/04/13 17:23:15 nelson%bolyard.com Exp $ + * $Id: pcertdb.c,v 1.12 2010/07/20 01:26:04 wtc%google.com Exp $ */ #include "lowkeyti.h" #include "pcert.h" @@ -1032,9 +1032,8 @@ DeleteDBCertEntry(NSSLOWCERTCertDBHandle *handle, SECItem *certKey) goto loser; } - if (dbkey.data) { - PORT_Free(dbkey.data); - } + PORT_Free(dbkey.data); + return(SECSuccess); loser: diff --git a/security/nss/lib/softoken/legacydb/pcertt.h b/security/nss/lib/softoken/legacydb/pcertt.h index 6862d36d6e4..37314750b7c 100644 --- a/security/nss/lib/softoken/legacydb/pcertt.h +++ b/security/nss/lib/softoken/legacydb/pcertt.h @@ -36,7 +36,7 @@ /* * certt.h - public data structures for the certificate library * - * $Id: pcertt.h,v 1.3 2009/04/12 01:31:46 nelson%bolyard.com Exp $ + * $Id: pcertt.h,v 1.4 2011/04/13 00:10:27 rrelyea%redhat.com Exp $ */ #ifndef _PCERTT_H_ #define _PCERTT_H_ @@ -431,7 +431,7 @@ typedef union { #define DB_CERT_ENTRY_HEADER_LEN 10 /* common flags for all types of certificates */ -#define CERTDB_VALID_PEER (1<<0) +#define CERTDB_TERMINAL_RECORD (1<<0) #define CERTDB_TRUSTED (1<<1) #define CERTDB_SEND_WARN (1<<2) #define CERTDB_VALID_CA (1<<3) 
@@ -441,11 +441,11 @@ typedef union { #define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */ #define CERTDB_INVISIBLE_CA (1<<8) /* don't show in UI */ #define CERTDB_GOVT_APPROVED_CA (1<<9) /* can do strong crypto in export ver */ -#define CERTDB_NOT_TRUSTED (1<<10) /* explicitly don't trust this cert */ +#define CERTDB_MUST_VERIFY (1<<10) /* explicitly don't trust this cert */ #define CERTDB_TRUSTED_UNKNOWN (1<<11) /* accept trust from another source */ /* bits not affected by the CKO_NETSCAPE_TRUST object */ -#define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | CERTDB_VALID_PEER | \ +#define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | \ CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | \ CERTDB_GOVT_APPROVED_CA) diff --git a/security/nss/lib/softoken/legacydb/pk11db.c b/security/nss/lib/softoken/legacydb/pk11db.c index f85a0a6c34a..45e599495d3 100644 --- a/security/nss/lib/softoken/legacydb/pk11db.c +++ b/security/nss/lib/softoken/legacydb/pk11db.c @@ -211,7 +211,7 @@ secmod_EncodeData(DBT *data, char * module) SECMOD_PUTLONG(&encoded->ssl[4],ssl[1]); if (ciphers) PORT_Free(ciphers); - offset = (unsigned short) &(((secmodData *)0)->names[0]); + offset = (unsigned short) offsetof(secmodData, names); SECMOD_PUTSHORT(encoded->nameStart,offset); offset = offset + len + len2 + len3 + 3*sizeof(unsigned short); SECMOD_PUTSHORT(encoded->slotOffset,offset); diff --git a/security/nss/lib/softoken/lowpbe.c b/security/nss/lib/softoken/lowpbe.c index f918398363b..d499820837f 100644 --- a/security/nss/lib/softoken/lowpbe.c +++ b/security/nss/lib/softoken/lowpbe.c 
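Review bot: In pcertt.h, bit 10 keeps the comment `/* explicitly don't trust this cert */` although it is now named `CERTDB_MUST_VERIFY`, and the comment above `CERTDB_PRESERVE_TRUST_BITS` still says `CKO_NETSCAPE_TRUST`, which this commit renames to `CKO_NSS_TRUST` elsewhere. Bits 0 and 10 are reused rather than retired, so a record stored by an earlier version with the old `CERTDB_NOT_TRUSTED` bit would be read back by lg_FindTrustAttribute as `CKT_NSS_MUST_VERIFY_TRUST`. Whether such records exist or are migrated cannot be seen from this diff. I would change the comments to `/* formerly CERTDB_NOT_TRUSTED; stored bit value unchanged */` and `/* bits not affected by the CKO_NSS_TRUST object */`. The header should also say why bit 0 (`CERTDB_TERMINAL_RECORD`, formerly `CERTDB_VALID_PEER`) was dropped from `CERTDB_PRESERVE_TRUST_BITS`.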
@@ -81,7 +81,7 @@ static const SEC_ASN1Template NSSPKCS5PKCS12V2PBEParameterTemplate[] = struct nsspkcs5V2PBEParameterStr { SECAlgorithmID keyParams; /* parameters of the key generation */ - SECAlgorithmID algParams; /* paramters for the encryption or mac op */ + SECAlgorithmID algParams; /* parameters for the encryption or mac op */ }; typedef struct nsspkcs5V2PBEParameterStr nsspkcs5V2PBEParameter; diff --git a/security/nss/lib/softoken/manifest.mn b/security/nss/lib/softoken/manifest.mn index d70470d8702..8f5c3f6d82c 100644 --- a/security/nss/lib/softoken/manifest.mn +++ b/security/nss/lib/softoken/manifest.mn @@ -39,8 +39,6 @@ CORE_DEPTH = ../../.. MODULE = nss DIRS = legacydb -REQUIRES = dbm - LIBRARY_NAME = softokn LIBRARY_VERSION = 3 MAPFILE = $(OBJDIR)/softokn.def diff --git a/security/nss/lib/softoken/pk11pars.h b/security/nss/lib/softoken/pk11pars.h index dea16e75317..2d311b74e9d 100644 --- a/security/nss/lib/softoken/pk11pars.h +++ b/security/nss/lib/softoken/pk11pars.h @@ -89,6 +89,7 @@ static struct secmodargSlotFlagTable secmod_argSlotFlagTable[] = { SECMOD_ARG_ENTRY(SEED,SECMOD_SEED_FLAG), SECMOD_ARG_ENTRY(PublicCerts,SECMOD_FRIENDLY_FLAG), SECMOD_ARG_ENTRY(RANDOM,SECMOD_RANDOM_FLAG), + SECMOD_ARG_ENTRY(Disable, PK11_DISABLE_FLAG), }; #define SECMOD_HANDLE_STRING_ARG(param,target,value,command) \ diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c index 7a2425c9a9d..361d536ee4f 100644 --- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c @@ -296,6 +296,8 @@ static const struct mechanismList mechanisms[] = { CKF_GENERATE_KEY_PAIR},PR_TRUE}, {CKM_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, CKF_DUZ_IT_ALL}, PR_TRUE}, + {CKM_RSA_PKCS_PSS, {RSA_MIN_MODULUS_BITS,CK_MAX, + CKF_SN_VR}, PR_TRUE}, #ifdef SFTK_RSA9796_SUPPORTED {CKM_RSA_9796, {RSA_MIN_MODULUS_BITS,CK_MAX, CKF_DUZ_IT_ALL}, PR_TRUE}, 
@@ -309,6 +311,8 @@ static const struct mechanismList mechanisms[] = { CKF_SN_VR}, PR_TRUE}, {CKM_SHA1_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, CKF_SN_VR}, PR_TRUE}, + {CKM_SHA224_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, + CKF_SN_VR}, PR_TRUE}, {CKM_SHA256_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, CKF_SN_VR}, PR_TRUE}, {CKM_SHA384_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, @@ -397,6 +401,9 @@ static const struct mechanismList mechanisms[] = { {CKM_SHA_1, {0, 0, CKF_DIGEST}, PR_FALSE}, {CKM_SHA_1_HMAC, {1, 128, CKF_SN_VR}, PR_TRUE}, {CKM_SHA_1_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_TRUE}, + {CKM_SHA224, {0, 0, CKF_DIGEST}, PR_FALSE}, + {CKM_SHA224_HMAC, {1, 128, CKF_SN_VR}, PR_TRUE}, + {CKM_SHA224_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_TRUE}, {CKM_SHA256, {0, 0, CKF_DIGEST}, PR_FALSE}, {CKM_SHA256_HMAC, {1, 128, CKF_SN_VR}, PR_TRUE}, {CKM_SHA256_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_TRUE}, @@ -2495,7 +2502,7 @@ CK_RV sftk_CloseAllSessions(SFTKSlot *slot, PRBool logout) --slot->sessionCount; SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock)); if (session->info.flags & CKF_RW_SESSION) { - PR_AtomicDecrement(&slot->rwSessionCount); + PR_ATOMIC_DECREMENT(&slot->rwSessionCount); } } else { SKIP_AFTER_FORK(PZ_Unlock(lock)); @@ -3571,13 +3578,13 @@ CK_RV NSC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, ++slot->sessionCount; PZ_Unlock(slot->slotLock); if (session->info.flags & CKF_RW_SESSION) { - PR_AtomicIncrement(&slot->rwSessionCount); + PR_ATOMIC_INCREMENT(&slot->rwSessionCount); } do { PZLock *lock; do { - sessionID = (PR_AtomicIncrement(&slot->sessionIDCount) & 0xffffff) + sessionID = (PR_ATOMIC_INCREMENT(&slot->sessionIDCount) & 0xffffff) | (slot->index << 24); } while (sessionID == CK_INVALID_HANDLE); lock = SFTK_SESSION_LOCK(slot,sessionID); @@ -3639,7 +3646,7 @@ CK_RV NSC_CloseSession(CK_SESSION_HANDLE hSession) sftk_freeDB(handle); } if (session->info.flags & CKF_RW_SESSION) { - PR_AtomicDecrement(&slot->rwSessionCount); + PR_ATOMIC_DECREMENT(&slot->rwSessionCount); } } 
@@ -3653,7 +3660,7 @@ CK_RV NSC_CloseAllSessions (CK_SLOT_ID slotID) { SFTKSlot *slot; -#ifndef NO_CHECK_FORK +#ifndef NO_FORK_CHECK /* skip fork check if we are being called from C_Initialize or C_Finalize */ if (!parentForkedAfterC_Initialize) { CHECK_FORK(); diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c index 8847c2f797f..ba947c28696 100644 --- a/security/nss/lib/softoken/pkcs11c.c +++ b/security/nss/lib/softoken/pkcs11c.c @@ -388,6 +388,17 @@ sftk_GetContext(CK_SESSION_HANDLE handle,SFTKSessionContext **contextPtr, return CKR_OK; } +/** Terminate operation (in the PKCS#11 spec sense). + * Intuitive name for FreeContext/SetNullContext pair. + */ +static void +sftk_TerminateOp( SFTKSession *session, SFTKContextType ctype, + SFTKSessionContext *context ) +{ + sftk_FreeContext( context ); + sftk_SetContextByType( session, ctype, NULL ); +} + /* ************** Crypto Functions: Encrypt ************************ */ @@ -460,15 +471,16 @@ sftk_InitGeneric(SFTKSession *session,SFTKSessionContext **contextPtr, return CKR_OK; } -/* NSC_CryptInit initializes an encryption/Decryption operation. */ -/* This function is used by NSC_EncryptInit, NSC_DecryptInit, - * NSC_WrapKey, NSC_UnwrapKey, - * NSC_SignInit, NSC_VerifyInit (via sftk_InitCBCMac), - * The only difference in their uses is the value of etype. +/** NSC_CryptInit initializes an encryption/Decryption operation. + * + * Always called by NSC_EncryptInit, NSC_DecryptInit, NSC_WrapKey,NSC_UnwrapKey. + * Called by NSC_SignInit, NSC_VerifyInit (via sftk_InitCBCMac) only for block + * ciphers MAC'ing. */ static CK_RV sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_TYPE etype, + CK_OBJECT_HANDLE hKey, + CK_ATTRIBUTE_TYPE mechUsage, CK_ATTRIBUTE_TYPE keyUsage, SFTKContextType contextType, PRBool isEncrypt) { SFTKSession *session; 
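Review bot: `sftk_TerminateOp` frees the context before it clears the session's slot, so between the two calls the session still points at freed memory. Swapping the calls, `sftk_SetContextByType( session, ctype, NULL );` followed by `sftk_FreeContext( context );`, removes that window and matches the order NSC_EncryptFinal used before this commit. Whether another thread can reach the session in between depends on locking that is not visible in this hunk, but the unlink-then-free order costs nothing.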
@@ -487,7 +499,7 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, PRBool useNewKey=PR_FALSE; int t; - crv = sftk_MechAllowsOperation(pMechanism->mechanism, etype); + crv = sftk_MechAllowsOperation(pMechanism->mechanism, mechUsage ); if (crv != CKR_OK) return crv; @@ -495,7 +507,7 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, if (session == NULL) return CKR_SESSION_HANDLE_INVALID; crv = sftk_InitGeneric(session,&context,contextType,&key,hKey,&key_type, - isEncrypt ?CKO_PUBLIC_KEY:CKO_PRIVATE_KEY, etype); + isEncrypt ?CKO_PUBLIC_KEY:CKO_PRIVATE_KEY, keyUsage); if (crv != CKR_OK) { sftk_FreeSession(session); @@ -845,7 +857,7 @@ CK_RV NSC_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) { CHECK_FORK(); - return sftk_CryptInit(hSession, pMechanism, hKey, CKA_ENCRYPT, + return sftk_CryptInit(hSession, pMechanism, hKey, CKA_ENCRYPT, CKA_ENCRYPT, SFTK_ENCRYPT, PR_TRUE); } @@ -972,10 +984,8 @@ CK_RV NSC_EncryptFinal(CK_SESSION_HANDLE hSession, } finish: - if (contextFinished) { - sftk_SetContextByType(session, SFTK_ENCRYPT, NULL); - sftk_FreeContext(context); - } + if (contextFinished) + sftk_TerminateOp( session, SFTK_ENCRYPT, context ); sftk_FreeSession(session); return (rv == SECSuccess) ? CKR_OK : sftk_MapCryptError(PORT_GetError()); } @@ -1055,8 +1065,7 @@ CK_RV NSC_Encrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, if (pText.data != pData) PORT_ZFree(pText.data, pText.len); fail: - sftk_SetContextByType(session, SFTK_ENCRYPT, NULL); - sftk_FreeContext(context); + sftk_TerminateOp( session, SFTK_ENCRYPT, context ); finish: sftk_FreeSession(session); @@ -1073,8 +1082,7 @@ CK_RV NSC_DecryptInit( CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) { CHECK_FORK(); - - return sftk_CryptInit(hSession, pMechanism, hKey, CKA_DECRYPT, + return sftk_CryptInit(hSession, pMechanism, hKey, CKA_DECRYPT, CKA_DECRYPT, SFTK_DECRYPT, PR_FALSE); } 
@@ -1195,8 +1203,7 @@ CK_RV NSC_DecryptFinal(CK_SESSION_HANDLE hSession, } } - sftk_SetContextByType(session, SFTK_DECRYPT, NULL); - sftk_FreeContext(context); + sftk_TerminateOp( session, SFTK_DECRYPT, context ); finish: sftk_FreeSession(session); return (rv == SECSuccess) ? CKR_OK : sftk_MapDecryptError(PORT_GetError()); @@ -1256,8 +1263,7 @@ CK_RV NSC_Decrypt(CK_SESSION_HANDLE hSession, outlen -= padding; } *pulDataLen = (CK_ULONG) outlen; - sftk_SetContextByType(session, SFTK_DECRYPT, NULL); - sftk_FreeContext(context); + sftk_TerminateOp( session, SFTK_DECRYPT, context ); finish: sftk_FreeSession(session); return crv; @@ -1310,6 +1316,7 @@ CK_RV NSC_DigestInit(CK_SESSION_HANDLE hSession, INIT_MECH(CKM_MD2, MD2) INIT_MECH(CKM_MD5, MD5) INIT_MECH(CKM_SHA_1, SHA1) + INIT_MECH(CKM_SHA224, SHA224) INIT_MECH(CKM_SHA256, SHA256) INIT_MECH(CKM_SHA384, SHA384) INIT_MECH(CKM_SHA512, SHA512) @@ -1358,8 +1365,7 @@ CK_RV NSC_Digest(CK_SESSION_HANDLE hSession, (*context->end)(context->cipherInfo, pDigest, &digestLen,maxout); *pulDigestLen = digestLen; - sftk_SetContextByType(session, SFTK_HASH, NULL); - sftk_FreeContext(context); + sftk_TerminateOp( session, SFTK_HASH, context ); finish: sftk_FreeSession(session); return CKR_OK; @@ -1403,8 +1409,7 @@ CK_RV NSC_DigestFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pDigest, if (pDigest != NULL) { (*context->end)(context->cipherInfo, pDigest, &digestLen, maxout); *pulDigestLen = digestLen; - sftk_SetContextByType(session, SFTK_HASH, NULL); - sftk_FreeContext(context); + sftk_TerminateOp( session, SFTK_HASH, context ); } else { *pulDigestLen = context->maxLen; } @@ -1435,6 +1440,7 @@ sftk_doSub ## mmm(SFTKSessionContext *context) { \ DOSUB(MD2) DOSUB(MD5) DOSUB(SHA1) +DOSUB(SHA224) DOSUB(SHA256) DOSUB(SHA384) DOSUB(SHA512) 
@@ -1636,8 +1642,10 @@ sftk_doSSLMACInit(SFTKSessionContext *context,SECOidTag oid, ************** Crypto Functions: Sign ************************ */ -/* +/** * Check if We're using CBCMacing and initialize the session context if we are. + * @param contextType SFTK_SIGN or SFTK_VERIFY + * @param keyUsage check whether key allows this usage */ static CK_RV sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, @@ -1655,7 +1663,7 @@ sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, unsigned char ivBlock[SFTK_MAX_BLOCK_SIZE]; SFTKSessionContext *context; CK_RV crv; - int blockSize; + unsigned int blockSize; switch (pMechanism->mechanism) { case CKM_RC2_MAC_GENERAL: @@ -1685,7 +1693,8 @@ sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, rc5_params.ulWordsize = rc5_mac->ulWordsize; rc5_params.ulRounds = rc5_mac->ulRounds; rc5_params.pIv = ivBlock; - blockSize = rc5_mac->ulWordsize*2; + if( (blockSize = rc5_mac->ulWordsize*2) > SFTK_MAX_BLOCK_SIZE ) + return CKR_MECHANISM_PARAM_INVALID; rc5_params.ulIvLen = blockSize; PORT_Memset(ivBlock,0,blockSize); cbc_mechanism.mechanism = CKM_RC5_CBC; @@ -1758,8 +1767,18 @@ sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, return CKR_FUNCTION_NOT_SUPPORTED; } - crv = sftk_CryptInit(hSession, &cbc_mechanism, hKey, keyUsage, - contextType, PR_TRUE); + /* if MAC size is externally supplied, it should be checked. + */ + if (mac_bytes == SFTK_INVALID_MAC_SIZE) + mac_bytes = blockSize >> 1; + else { + if( mac_bytes > blockSize ) + return CKR_MECHANISM_PARAM_INVALID; + } + + crv = sftk_CryptInit(hSession, &cbc_mechanism, hKey, + CKA_ENCRYPT, /* CBC mech is able to ENCRYPT, not SIGN/VERIFY */ + keyUsage, contextType, PR_TRUE ); if (crv != CKR_OK) return crv; crv = sftk_GetContext(hSession,&context,contextType,PR_TRUE,NULL); 
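Review bot: The new RC5 bound is tested only after `rc5_mac->ulWordsize*2` has been computed and narrowed into the `unsigned int blockSize`, so a word size large enough to wrap passes the `> SFTK_MAX_BLOCK_SIZE` test, and a word size of 0 yields a block size of 0. Validate the caller's value before the arithmetic, `if (rc5_mac->ulWordsize == 0 || rc5_mac->ulWordsize > SFTK_MAX_BLOCK_SIZE/2) return CKR_MECHANISM_PARAM_INVALID;`, and then assign `blockSize = rc5_mac->ulWordsize*2;`. A zero block size matters because the loop this commit adds to sftk_MACUpdate (`while( ulPartLen >= blkSize )`) would not advance, unless sftk_CryptInit rejects such parameters first. The enclosing function starts and ends outside this hunk.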
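Review bot: The new range check accepts a caller-supplied `mac_bytes` of 0, which makes the MAC empty; NSC_VerifyFinal as rewritten in this commit would then compare zero bytes and report success for a zero-length signature. Reject it together with the upper bound: `if( mac_bytes == 0 || mac_bytes > blockSize ) return CKR_MECHANISM_PARAM_INVALID;`. Where `mac_bytes` is read from the mechanism parameter is outside this hunk, so confirm that the parameter length is checked there as well.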
@@ -1767,7 +1786,6 @@ sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, PORT_Assert(crv == CKR_OK); if (crv != CKR_OK) return crv; context->blockSize = blockSize; - if (mac_bytes == SFTK_INVALID_MAC_SIZE) mac_bytes = blockSize/2; context->macSize = mac_bytes; return CKR_OK; } @@ -1849,6 +1867,14 @@ RSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key, return rv; } +static SECStatus +sftk_SignPSS(SFTKHashSignInfo *info,unsigned char *sig,unsigned int *sigLen, + unsigned int maxLen,unsigned char *hash, unsigned int hashLen) +{ + return RSA_SignPSS(info->params,info->key,sig,sigLen,maxLen, + hash,hashLen); +} + static SECStatus nsc_DSA_Verify_Stub(void *ctx, void *sigBuf, unsigned int sigLen, void *dataBuf, unsigned int dataLen) @@ -1987,6 +2013,7 @@ CK_RV NSC_SignInit(CK_SESSION_HANDLE hSession, INIT_RSA_SIGN_MECH(MD5) INIT_RSA_SIGN_MECH(MD2) INIT_RSA_SIGN_MECH(SHA1) + INIT_RSA_SIGN_MECH(SHA224) INIT_RSA_SIGN_MECH(SHA256) INIT_RSA_SIGN_MECH(SHA384) INIT_RSA_SIGN_MECH(SHA512) @@ -1998,13 +2025,12 @@ CK_RV NSC_SignInit(CK_SESSION_HANDLE hSession, context->update = (SFTKCipher) RSA_SignRaw; finish_rsa: if (key_type != CKK_RSA) { - if (info) PORT_Free(info); crv = CKR_KEY_TYPE_INCONSISTENT; break; } privKey = sftk_GetPrivKey(key,CKK_RSA,&crv); if (privKey == NULL) { - if (info) PORT_Free(info); + crv = CKR_KEY_TYPE_INCONSISTENT; break; } /* OK, info is allocated only if we're doing hash and sign mechanism. 
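Review bot: `sftk_SignPSS` uses `info->params` at signing time, but the `CKM_RSA_PKCS_PSS` case this commit adds to NSC_SignInit stores the caller's `pMechanism->pParameter` pointer rather than a copy. A PKCS#11 caller may release or reuse the mechanism structure once C_SignInit returns, so the later use would read memory the token does not own. Copy the parameters at init time instead, for example a `CK_RSA_PKCS_PSS_PARAMS params;` member filled with `info->params = *(CK_RSA_PKCS_PSS_PARAMS *)pMechanism->pParameter;` after a NULL check on `pParameter`. `sftk_CheckSignPSS` and the matching case in NSC_VerifyInit follow the same pattern.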
@@ -2021,6 +2047,31 @@ finish_rsa: } context->maxLen = nsslowkey_PrivateModulusLen(privKey); break; + case CKM_RSA_PKCS_PSS: + if (key_type != CKK_RSA) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS)) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + info = PORT_New(SFTKHashSignInfo); + if (info == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + info->params = pMechanism->pParameter; + info->key = sftk_GetPrivKey(key,CKK_RSA,&crv); + if (info->key == NULL) { + PORT_Free(info); + break; + } + context->cipherInfo = info; + context->destroy = (SFTKDestroy) sftk_Space; + context->update = (SFTKCipher) sftk_SignPSS; + context->maxLen = nsslowkey_PrivateModulusLen(info->key); + break; case CKM_DSA_SHA1: context->multi = PR_TRUE; @@ -2080,6 +2131,7 @@ finish_rsa: INIT_HMAC_MECH(MD2) INIT_HMAC_MECH(MD5) + INIT_HMAC_MECH(SHA224) INIT_HMAC_MECH(SHA256) INIT_HMAC_MECH(SHA384) INIT_HMAC_MECH(SHA512) 
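Review bot: In the new `CKM_RSA_PKCS_PSS` case the `info->key == NULL` branch calls `PORT_Free(info)` and breaks with `info` still non-NULL, while the error exit this commit adds to NSC_SignInit runs `if (info) PORT_Free(info);`, which is a double free whenever sftk_GetPrivKey reports the failure through `crv`. Either drop the local free or add `info = NULL;` right after it. The verify side has the same problem: the `if (info) PORT_Free(info);` lines added under `finish_rsa:` in NSC_VerifyInit, and the free in its PSS case, both precede an error exit that already frees `info`. The switch and the exit path are only partly visible in these hunks, so this assumes `break` reaches that exit.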
@@ -2109,92 +2161,118 @@ finish_rsa: } if (crv != CKR_OK) { + if (info) PORT_Free(info); sftk_FreeContext(context); - sftk_FreeSession(session); - return crv; + sftk_FreeSession(session); + return crv; } sftk_SetContextByType(session, SFTK_SIGN, context); sftk_FreeSession(session); return CKR_OK; } +/** MAC one block of data by block cipher + */ +static CK_RV +sftk_MACBlock( SFTKSessionContext *ctx, void *blk ) +{ + unsigned int outlen; + return ( SECSuccess == (ctx->update)( ctx->cipherInfo, ctx->macBuf, &outlen, + SFTK_MAX_BLOCK_SIZE, blk, ctx->blockSize )) + ? CKR_OK : sftk_MapCryptError(PORT_GetError()); +} -/* MACUpdate is the common implementation for SignUpdate and VerifyUpdate. - * (sign and verify only very in their setup and final operations) */ -static CK_RV +/** MAC last (incomplete) block of data by block cipher + * + * Call once, then terminate MACing operation. + */ +static CK_RV +sftk_MACFinal( SFTKSessionContext *ctx ) +{ + unsigned int padLen = ctx->padDataLength; + /* pad and proceed the residual */ + if( padLen ) { + /* shd clr ctx->padLen to make sftk_MACFinal idempotent */ + PORT_Memset( ctx->padBuf + padLen, 0, ctx->blockSize - padLen ); + return sftk_MACBlock( ctx, ctx->padBuf ); + } else + return CKR_OK; +} + +/** The common implementation for {Sign,Verify}Update. (S/V only vary in their + * setup and final operations). 
+ * + * A call which results in an error terminates the operation [PKCS#11,v2.11] + */ +static CK_RV sftk_MACUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart, CK_ULONG ulPartLen,SFTKContextType type) { - unsigned int outlen; + SFTKSession *session; SFTKSessionContext *context; CK_RV crv; - SECStatus rv; /* make sure we're legal */ - crv = sftk_GetContext(hSession,&context,type,PR_TRUE,NULL); + crv = sftk_GetContext(hSession,&context,type, PR_TRUE, &session ); if (crv != CKR_OK) return crv; if (context->hashInfo) { (*context->hashUpdate)(context->hashInfo, pPart, ulPartLen); - return CKR_OK; - } + } else { + /* must be block cipher MACing */ - /* must be block cipher macing */ + unsigned int blkSize = context->blockSize; + unsigned char *residual = /* free room in context->padBuf */ + context->padBuf + context->padDataLength; + unsigned int minInput = /* min input for MACing at least one block */ + blkSize - context->padDataLength; - /* deal with previous buffered data */ - if (context->padDataLength != 0) { - int i; - /* fill in the padded to a full block size */ - for (i=context->padDataLength; (ulPartLen != 0) && - i < (int)context->blockSize; i++) { - context->padBuf[i] = *pPart++; - ulPartLen--; - context->padDataLength++; - } + /* not enough data even for one block */ + if( ulPartLen < minInput ) { + PORT_Memcpy( residual, pPart, ulPartLen ); + context->padDataLength += ulPartLen; + goto cleanup; + } + /* MACing residual */ + if( context->padDataLength ) { + PORT_Memcpy( residual, pPart, minInput ); + ulPartLen -= minInput; + pPart += minInput; + if( CKR_OK != (crv = sftk_MACBlock( context, context->padBuf )) ) + goto terminate; + } + /* MACing full blocks */ + while( ulPartLen >= blkSize ) + { + if( CKR_OK != (crv = sftk_MACBlock( context, pPart )) ) + goto terminate; + ulPartLen -= blkSize; + pPart += blkSize; + } + /* save the residual */ + if( (context->padDataLength = ulPartLen) ) + PORT_Memcpy( context->padBuf, pPart, ulPartLen ); + } /* blk cipher 
MACing */ - /* not enough data to encrypt yet? then return */ - if (context->padDataLength != context->blockSize) return CKR_OK; - /* encrypt the current padded data */ - rv = (*context->update)(context->cipherInfo,context->macBuf,&outlen, - SFTK_MAX_BLOCK_SIZE,context->padBuf,context->blockSize); - if (rv != SECSuccess) return sftk_MapCryptError(PORT_GetError()); - } + goto cleanup; - /* save the residual */ - context->padDataLength = ulPartLen % context->blockSize; - if (context->padDataLength) { - PORT_Memcpy(context->padBuf, - &pPart[ulPartLen-context->padDataLength], - context->padDataLength); - ulPartLen -= context->padDataLength; - } - - /* if we've exhausted our new buffer, we're done */ - if (ulPartLen == 0) { return CKR_OK; } - - /* run the data through out encrypter */ - while (ulPartLen) { - rv = (*context->update)(context->cipherInfo, context->padBuf, &outlen, - SFTK_MAX_BLOCK_SIZE, pPart, context->blockSize); - if (rv != SECSuccess) return sftk_MapCryptError(PORT_GetError()); - /* paranoia.. make sure we exit the loop */ - PORT_Assert(ulPartLen >= context->blockSize); - if (ulPartLen < context->blockSize) break; - ulPartLen -= context->blockSize; - } - - return CKR_OK; - +terminate: + sftk_TerminateOp( session, type, context ); +cleanup: + sftk_FreeSession(session); + return crv; } /* NSC_SignUpdate continues a multiple-part signature operation, * where the signature is (will be) an appendix to the data, - * and plaintext cannot be recovered from the signature */ + * and plaintext cannot be recovered from the signature + * + * A call which results in an error terminates the operation [PKCS#11,v2.11] + */ CK_RV NSC_SignUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart, CK_ULONG ulPartLen) { CHECK_FORK(); - return sftk_MACUpdate(hSession, pPart, ulPartLen, SFTK_SIGN); } 
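Review bot: `sftk_MACFinal` leaves `ctx->padDataLength` set after padding and MACing the residual; the inline comment already says it should be cleared, but names a field, `padLen`, that does not appear in the context struct. Adding `ctx->padDataLength = 0;` before the `sftk_MACBlock` call makes a repeated call a no-op instead of MACing the padded block a second time, and the comment can then read `/* clear so that a second call is a no-op */`. The callers visible in this commit terminate the operation right after, so this is hardening rather than a live fault.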
@@ -2207,51 +2285,47 @@ CK_RV NSC_SignFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature, SFTKSession *session; SFTKSessionContext *context; unsigned int outlen; - unsigned int digestLen; unsigned int maxoutlen = *pulSignatureLen; - unsigned char tmpbuf[SFTK_MAX_MAC_LENGTH]; CK_RV crv; - SECStatus rv = SECSuccess; CHECK_FORK(); /* make sure we're legal */ - *pulSignatureLen = 0; crv = sftk_GetContext(hSession,&context,SFTK_SIGN,PR_TRUE,&session); if (crv != CKR_OK) return crv; - if (!pSignature) { - *pulSignatureLen = context->maxLen; - goto finish; - } else if (context->hashInfo) { + if (context->hashInfo) { + unsigned int digestLen; + unsigned char tmpbuf[SFTK_MAX_MAC_LENGTH]; + + if( !pSignature ) { + outlen = context->maxLen; goto finish; + } (*context->end)(context->hashInfo, tmpbuf, &digestLen, sizeof(tmpbuf)); - rv = (*context->update)(context->cipherInfo, pSignature, - &outlen, maxoutlen, tmpbuf, digestLen); - *pulSignatureLen = (CK_ULONG) outlen; + if( SECSuccess != (context->update)(context->cipherInfo, pSignature, + &outlen, maxoutlen, tmpbuf, digestLen)) + crv = sftk_MapCryptError(PORT_GetError()); + /* CKR_BUFFER_TOO_SMALL here isn't continuable, let operation terminate. 
+ * Keeping "too small" CK_RV intact is a standard violation, but allows + * application read EXACT signature length */ } else { - /* deal with the last block if any residual */ - if (context->padDataLength) { - /* fill out rest of pad buffer with pad magic*/ - int i; - for (i=context->padDataLength; i < (int)context->blockSize; i++) { - context->padBuf[i] = 0; - } - rv = (*context->update)(context->cipherInfo,context->macBuf, - &outlen,SFTK_MAX_BLOCK_SIZE,context->padBuf,context->blockSize); - } - if (rv == SECSuccess) { - PORT_Memcpy(pSignature,context->macBuf,context->macSize); - *pulSignatureLen = context->macSize; - } + /* must be block cipher MACing */ + outlen = context->macSize; + /* null or "too small" buf doesn't terminate operation [PKCS#11,v2.11]*/ + if( !pSignature || maxoutlen < outlen ) { + if( pSignature ) crv = CKR_BUFFER_TOO_SMALL; + goto finish; + } + if( CKR_OK == (crv = sftk_MACFinal( context )) ) + PORT_Memcpy(pSignature, context->macBuf, outlen ); } - sftk_FreeContext(context); - sftk_SetContextByType(session, SFTK_SIGN, NULL); - +terminate: + sftk_TerminateOp( session, SFTK_SIGN, context ); finish: + *pulSignatureLen = outlen; sftk_FreeSession(session); - - return (rv == SECSuccess) ? CKR_OK : sftk_MapCryptError(PORT_GetError()); + return crv; } /* NSC_Sign signs (encrypts with private key) data in a single part, @@ -2263,10 +2337,7 @@ CK_RV NSC_Sign(CK_SESSION_HANDLE hSession, { SFTKSession *session; SFTKSessionContext *context; - unsigned int outlen; - unsigned int maxoutlen = *pulSignatureLen; - CK_RV crv,crv2; - SECStatus rv = SECSuccess; + CK_RV crv; CHECK_FORK(); 
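Review bot: `outlen` is written to `*pulSignatureLen` at `finish:` on every path, but in the hash-and-sign branch it is only assigned by `(context->update)(...)`, so if that call fails without storing a length the caller receives an indeterminate value. Initialise it at the declaration, `unsigned int outlen = 0;`. The single-part branch of NSC_Sign in the next hunk copies its own uninitialised `outlen` out the same way. The `terminate:` label added here has no `goto` in the visible lines (NSC_VerifyFinal gains one too) and will draw an unused-label warning.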
@@ -2275,30 +2346,35 @@ CK_RV NSC_Sign(CK_SESSION_HANDLE hSession, if (crv != CKR_OK) return crv; if (!pSignature) { - *pulSignatureLen = context->maxLen; + /* see also how C_SignUpdate implements this */ + *pulSignatureLen = (!context->multi || context->hashInfo) + ? context->maxLen + : context->macSize; /* must be block cipher MACing */ goto finish; } /* multi part Signing are completely implemented by SignUpdate and * sign Final */ if (context->multi) { - sftk_FreeSession(session); - crv = NSC_SignUpdate(hSession,pData,ulDataLen); - if (crv != CKR_OK) *pulSignatureLen = 0; - crv2 = NSC_SignFinal(hSession, pSignature, pulSignatureLen); - return crv == CKR_OK ? crv2 :crv; - } - - rv = (*context->update)(context->cipherInfo, pSignature, - &outlen, maxoutlen, pData, ulDataLen); - *pulSignatureLen = (CK_ULONG) outlen; - sftk_FreeContext(context); - sftk_SetContextByType(session, SFTK_SIGN, NULL); + /* SignFinal can't follow failed SignUpdate */ + if( CKR_OK == (crv = NSC_SignUpdate(hSession,pData,ulDataLen) )) + crv = NSC_SignFinal(hSession, pSignature, pulSignatureLen); + } else { + /* single-part PKC signature (e.g. CKM_ECDSA) */ + unsigned int outlen; + unsigned int maxoutlen = *pulSignatureLen; + if( SECSuccess != (*context->update)(context->cipherInfo, pSignature, + &outlen, maxoutlen, pData, ulDataLen)) + crv = sftk_MapCryptError(PORT_GetError()); + *pulSignatureLen = (CK_ULONG) outlen; + /* "too small" here is certainly continuable */ + if( crv != CKR_BUFFER_TOO_SMALL ) + sftk_TerminateOp(session, SFTK_SIGN, context); + } /* single-part */ finish: sftk_FreeSession(session); - - return (rv == SECSuccess) ? CKR_OK : sftk_MapCryptError(PORT_GetError()); + return crv; } 
@@ -2400,6 +2476,14 @@ RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key, return rv; } +static SECStatus +sftk_CheckSignPSS(SFTKHashVerifyInfo *info, unsigned char *sig, + unsigned int sigLen, unsigned char *digest, unsigned int digestLen) +{ + return RSA_CheckSignPSS(info->params, info->key, sig, sigLen, + digest, digestLen); +} + /* NSC_VerifyInit initializes a verification operation, * where the signature is an appendix to the data, * and plaintext cannot be recovered from the signature (e.g. DSA) */ @@ -2446,6 +2530,7 @@ CK_RV NSC_VerifyInit(CK_SESSION_HANDLE hSession, INIT_RSA_VFY_MECH(MD5) INIT_RSA_VFY_MECH(MD2) INIT_RSA_VFY_MECH(SHA1) + INIT_RSA_VFY_MECH(SHA224) INIT_RSA_VFY_MECH(SHA256) INIT_RSA_VFY_MECH(SHA384) INIT_RSA_VFY_MECH(SHA512) @@ -2457,11 +2542,14 @@ CK_RV NSC_VerifyInit(CK_SESSION_HANDLE hSession, context->verify = (SFTKVerify) RSA_CheckSignRaw; finish_rsa: if (key_type != CKK_RSA) { + if (info) PORT_Free(info); crv = CKR_KEY_TYPE_INCONSISTENT; break; } pubKey = sftk_GetPubKey(key,CKK_RSA,&crv); if (pubKey == NULL) { + if (info) PORT_Free(info); + crv = CKR_KEY_TYPE_INCONSISTENT; break; } if (info) { @@ -2473,6 +2561,30 @@ finish_rsa: context->destroy = sftk_Null; } break; + case CKM_RSA_PKCS_PSS: + if (key_type != CKK_RSA) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS)) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + info = PORT_New(SFTKHashVerifyInfo); + if (info == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + info->params = pMechanism->pParameter; + info->key = sftk_GetPubKey(key,CKK_RSA,&crv); + if (info->key == NULL) { + PORT_Free(info); + break; + } + context->cipherInfo = info; + context->destroy = (SFTKDestroy) sftk_Space; + context->verify = (SFTKVerify) sftk_CheckSignPSS; + break; case CKM_DSA_SHA1: context->multi = PR_TRUE; crv = sftk_doSubSHA1(context); 
@@ -2515,6 +2627,7 @@ finish_rsa: INIT_HMAC_MECH(MD2) INIT_HMAC_MECH(MD5) + INIT_HMAC_MECH(SHA224) INIT_HMAC_MECH(SHA256) INIT_HMAC_MECH(SHA384) INIT_HMAC_MECH(SHA512) @@ -2546,7 +2659,7 @@ finish_rsa: if (crv != CKR_OK) { if (info) PORT_Free(info); - PORT_Free(context); + sftk_FreeContext(context); sftk_FreeSession(session); return crv; } @@ -2563,8 +2676,7 @@ CK_RV NSC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, { SFTKSession *session; SFTKSessionContext *context; - CK_RV crv, crv2; - SECStatus rv; + CK_RV crv; CHECK_FORK(); 
@@ -2575,31 +2687,31 @@ CK_RV NSC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, /* multi part Verifying are completely implemented by VerifyUpdate and * VerifyFinal */ if (context->multi) { - sftk_FreeSession(session); - crv = NSC_VerifyUpdate(hSession, pData, ulDataLen); - crv2 = NSC_VerifyFinal(hSession, pSignature, ulSignatureLen); - return crv == CKR_OK ? crv2 :crv; + /* VerifyFinal can't follow failed VerifyUpdate */ + if( CKR_OK == (crv = NSC_VerifyUpdate(hSession, pData, ulDataLen))) + crv = NSC_VerifyFinal(hSession, pSignature, ulSignatureLen); + } else { + if (SECSuccess != (*context->verify)(context->cipherInfo,pSignature, + ulSignatureLen, pData, ulDataLen)) + crv = sftk_MapCryptError(PORT_GetError()); + + sftk_TerminateOp( session, SFTK_VERIFY, context ); } - - rv = (*context->verify)(context->cipherInfo,pSignature, ulSignatureLen, - pData, ulDataLen); - sftk_FreeContext(context); - sftk_SetContextByType(session, SFTK_VERIFY, NULL); sftk_FreeSession(session); - - return (rv == SECSuccess) ? CKR_OK : sftk_MapVerifyError(PORT_GetError()); - + return crv; } /* NSC_VerifyUpdate continues a multiple-part verification operation, * where the signature is an appendix to the data, - * and plaintext cannot be recovered from the signature */ + * and plaintext cannot be recovered from the signature + * + * A call which results in an error terminates the operation [PKCS#11,v2.11] + */ CK_RV NSC_VerifyUpdate( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen) { CHECK_FORK(); - return sftk_MACUpdate(hSession, pPart, ulPartLen, SFTK_VERIFY); } 
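Review bot: The single-part branch now maps a failed `(*context->verify)(...)` with `sftk_MapCryptError`, where the removed code used `sftk_MapVerifyError`; NSC_VerifyFinal's hash branch makes the same switch, while NSC_VerifyRecover still uses `sftk_MapVerifyError`. If the two mappers translate a bad signature differently, callers testing for a specific verification result will see a different CK_RV after this commit. Keep `crv = sftk_MapVerifyError(PORT_GetError());` in both verify paths unless the change is intended, and say so in a comment if it is.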
@@ -2611,42 +2723,38 @@ CK_RV NSC_VerifyFinal(CK_SESSION_HANDLE hSession, { SFTKSession *session; SFTKSessionContext *context; - unsigned int outlen; - unsigned int digestLen; - unsigned char tmpbuf[SFTK_MAX_MAC_LENGTH]; CK_RV crv; - SECStatus rv = SECSuccess; CHECK_FORK(); + if (!pSignature) + return CKR_ARGUMENTS_BAD; + /* make sure we're legal */ crv = sftk_GetContext(hSession,&context,SFTK_VERIFY,PR_TRUE,&session); - if (crv != CKR_OK) return crv; - + if (crv != CKR_OK) + return crv; + if (context->hashInfo) { + unsigned int digestLen; + unsigned char tmpbuf[SFTK_MAX_MAC_LENGTH]; + (*context->end)(context->hashInfo, tmpbuf, &digestLen, sizeof(tmpbuf)); - rv = (*context->verify)(context->cipherInfo, pSignature, - ulSignatureLen, tmpbuf, digestLen); - } else { - if (context->padDataLength) { - /* fill out rest of pad buffer with pad magic*/ - int i; - for (i=context->padDataLength; i < (int)context->blockSize; i++) { - context->padBuf[i] = 0; - } - rv = (*context->update)(context->cipherInfo,context->macBuf, - &outlen,SFTK_MAX_BLOCK_SIZE,context->padBuf,context->blockSize); - } - if (rv == SECSuccess) { - rv =(PORT_Memcmp(pSignature,context->macBuf,context->macSize) == 0) - ? SECSuccess : SECFailure; - } + if( SECSuccess != (context->verify)(context->cipherInfo, pSignature, + ulSignatureLen, tmpbuf, digestLen)) + crv = sftk_MapCryptError(PORT_GetError()); + } else if (ulSignatureLen != context->macSize) { + /* must be block cipher MACing */ + crv = CKR_SIGNATURE_LEN_RANGE; + } else if (CKR_OK == (crv = sftk_MACFinal(context))) { + if (PORT_Memcmp(pSignature, context->macBuf, ulSignatureLen)) + crv = CKR_SIGNATURE_INVALID; } - sftk_FreeContext(context); - sftk_SetContextByType(session, SFTK_VERIFY, NULL); +terminate: + sftk_TerminateOp( session, SFTK_VERIFY, context ); sftk_FreeSession(session); - return (rv == SECSuccess) ? CKR_OK : sftk_MapVerifyError(PORT_GetError()); + return crv; } 
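Review bot: The block-cipher MAC check compares the caller's value with `PORT_Memcmp`, which (assuming it behaves like memcmp) may stop at the first differing byte and so take time that depends on how much of the MAC matched. A comparison that always touches every byte avoids that: accumulate `diff |= pSignature[i] ^ context->macBuf[i];` over `ulSignatureLen` bytes and set `crv = CKR_SIGNATURE_INVALID;` when `diff` is non-zero. The removed code had the same comparison, so this is a hardening request on the rewritten line rather than a regression.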
@@ -2745,8 +2853,7 @@ CK_RV NSC_VerifyRecover(CK_SESSION_HANDLE hSession, pSignature, ulSignatureLen); *pulDataLen = (CK_ULONG) outlen; - sftk_FreeContext(context); - sftk_SetContextByType(session, SFTK_VERIFY_RECOVER, NULL); + sftk_TerminateOp(session, SFTK_VERIFY_RECOVER, context); finish: sftk_FreeSession(session); return (rv == SECSuccess) ? CKR_OK : sftk_MapVerifyError(PORT_GetError()); @@ -2899,9 +3006,8 @@ nsc_parameter_gen(CK_KEY_TYPE key_type, SFTKObject *key) if (crv != CKR_OK) goto loser; loser: - if (params) { - PQG_DestroyParams(params); - } + PQG_DestroyParams(params); + if (vfy) { PQG_DestroyVerify(vfy); } @@ -3835,7 +3941,7 @@ kpg_done: sftk_DeleteAttributeType(privateKey,CKA_BASE); key_type = CKK_DSA; - /* extract the necessary paramters and copy them to the private key */ + /* extract the necessary parameters and copy them to the private key */ crv=sftk_Attribute2SSecItem(NULL,&pqgParam.prime,publicKey,CKA_PRIME); if (crv != CKR_OK) break; crv=sftk_Attribute2SSecItem(NULL,&pqgParam.subPrime,publicKey, @@ -4376,7 +4482,7 @@ CK_RV NSC_WrapKey(CK_SESSION_HANDLE hSession, break; } crv = sftk_CryptInit(hSession, pMechanism, hWrappingKey, - CKA_WRAP, SFTK_ENCRYPT, PR_TRUE); + CKA_WRAP, CKA_WRAP, SFTK_ENCRYPT, PR_TRUE); if (crv != CKR_OK) { sftk_FreeAttribute(attribute); break; @@ -4439,7 +4545,7 @@ CK_RV NSC_WrapKey(CK_SESSION_HANDLE hSession, } crv = sftk_CryptInit(hSession, pMechanism, hWrappingKey, - CKA_WRAP, SFTK_ENCRYPT, PR_TRUE); + CKA_WRAP, CKA_WRAP, SFTK_ENCRYPT, PR_TRUE); if(crv != CKR_OK) { SECITEM_ZfreeItem(bpki, PR_TRUE); crv = CKR_KEY_TYPE_INCONSISTENT; @@ -4755,7 +4861,7 @@ CK_RV NSC_UnwrapKey(CK_SESSION_HANDLE hSession, } crv = sftk_CryptInit(hSession,pMechanism,hUnwrappingKey,CKA_UNWRAP, - SFTK_DECRYPT, PR_FALSE); + CKA_UNWRAP, SFTK_DECRYPT, PR_FALSE); if (crv != CKR_OK) { sftk_FreeObject(key); return sftk_mapWrap(crv); 
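Review bot: `PQG_DestroyParams(params)` is now called unconditionally at `loser:` while the very next statement still guards `PQG_DestroyVerify(vfy)` with `if (vfy)`. If `params` can be NULL on this path, the call relies on PQG_DestroyParams accepting NULL, which is not visible in this diff. Either keep the guard or drop both guards and record the assumption in a comment such as `/* both destroy functions accept NULL */`.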
diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h index aead2456f6f..e19c7d1531f 100644 --- a/security/nss/lib/softoken/pkcs11i.h +++ b/security/nss/lib/softoken/pkcs11i.h @@ -266,19 +266,29 @@ typedef enum { SFTK_VERIFY_RECOVER } SFTKContextType; - +/** max block size of supported block ciphers */ #define SFTK_MAX_BLOCK_SIZE 16 -/* currently SHA512 is the biggest hash length */ +/** currently SHA512 is the biggest hash length */ #define SFTK_MAX_MAC_LENGTH 64 #define SFTK_INVALID_MAC_SIZE 0xffffffff +/** Particular ongoing operation in session (sign/verify/digest/encrypt/...) + * + * Understanding sign/verify context: + * multi=1 hashInfo=0 block (symmetric) cipher MACing + * multi=1 hashInfo=X PKC S/V with prior hashing + * multi=0 hashInfo=0 PKC S/V one shot (w/o hashing) + * multi=0 hashInfo=X *** shouldn't happen *** + */ struct SFTKSessionContextStr { SFTKContextType type; PRBool multi; /* is multipart */ PRBool doPad; /* use PKCS padding for block ciphers */ unsigned int blockSize; /* blocksize for padding */ unsigned int padDataLength; /* length of the valid data in padbuf */ + /** latest incomplete block of data for block cipher */ unsigned char padBuf[SFTK_MAX_BLOCK_SIZE]; + /** result of MAC'ing of latest full block of data with block cipher */ unsigned char macBuf[SFTK_MAX_BLOCK_SIZE]; CK_ULONG macSize; /* size of a general block cipher mac*/ void *cipherInfo; @@ -385,11 +395,13 @@ struct SFTKSlotStr { */ struct SFTKHashVerifyInfoStr { SECOidTag hashOid; + void *params; NSSLOWKEYPublicKey *key; }; struct SFTKHashSignInfoStr { SECOidTag hashOid; + void *params; NSSLOWKEYPrivateKey *key; }; 
@@ -565,18 +577,11 @@ typedef struct sftk_parametersStr { } sftk_parameters; -/* machine dependent path stuff used by dbinit.c and pk11db.c */ -#ifdef macintosh -#define PATH_SEPARATOR ":" -#define SECMOD_DB "Security Modules" -#define CERT_DB_FMT "%sCertificates%s" -#define KEY_DB_FMT "%sKey Database%s" -#else +/* path stuff (was machine dependent) used by dbinit.c and pk11db.c */ #define PATH_SEPARATOR "/" #define SECMOD_DB "secmod.db" #define CERT_DB_FMT "%scert%s.db" #define KEY_DB_FMT "%skey%s.db" -#endif SEC_BEGIN_PROTOS diff --git a/security/nss/lib/softoken/rsawrapr.c b/security/nss/lib/softoken/rsawrapr.c index a40c265dcbf..dcfb2b2a294 100644 --- a/security/nss/lib/softoken/rsawrapr.c +++ b/security/nss/lib/softoken/rsawrapr.c @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: rsawrapr.c,v 1.11.70.1 2011/04/07 22:54:48 wtc%google.com Exp $ */ +/* $Id: rsawrapr.c,v 1.17 2010/08/07 18:10:35 wtc%google.com Exp $ */ #include "blapi.h" #include "softoken.h" @@ -58,6 +58,9 @@ #define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */ +/* Needed for RSA-PSS functions */ +static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; + static SHA1Context * SHA1_CloneContext(SHA1Context *original) { 
@@ -940,3 +943,295 @@ RSA_DecryptRaw(NSSLOWKEYPrivateKey *key, failure: return SECFailure; } + +/* + * Encode a RSA-PSS signature. + * Described in RFC 3447, section 9.1.1. + * We use mHash instead of M as input. + * emBits from the RFC is just modBits - 1, see section 8.1.1. + * We only support MGF1 as the MGF. + * + * NOTE: this code assumes modBits is a multiple of 8. + */ +static SECStatus +emsa_pss_encode(unsigned char *em, unsigned int emLen, + const unsigned char *mHash, HASH_HashType hashAlg, + HASH_HashType maskHashAlg, unsigned int sLen) +{ + const SECHashObject *hash; + void *hash_context; + unsigned char *dbMask; + unsigned int dbMaskLen, i; + SECStatus rv; + + hash = HASH_GetRawHashObject(hashAlg); + dbMaskLen = emLen - hash->length - 1; + + /* Step 3 */ + if (emLen < hash->length + sLen + 2) { + PORT_SetError(SEC_ERROR_OUTPUT_LEN); + return SECFailure; + } + + /* Step 4 */ + rv = RNG_GenerateGlobalRandomBytes(&em[dbMaskLen - sLen], sLen); + if (rv != SECSuccess) { + return rv; + } + + /* Step 5 + 6 */ + /* Compute H and store it at its final location &em[dbMaskLen]. 
*/ + hash_context = (*hash->create)(); + if (hash_context == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + (*hash->begin)(hash_context); + (*hash->update)(hash_context, eightZeros, 8); + (*hash->update)(hash_context, mHash, hash->length); + (*hash->update)(hash_context, &em[dbMaskLen - sLen], sLen); + (*hash->end)(hash_context, &em[dbMaskLen], &i, hash->length); + (*hash->destroy)(hash_context, PR_TRUE); + + /* Step 7 + 8 */ + memset(em, 0, dbMaskLen - sLen - 1); + em[dbMaskLen - sLen - 1] = 0x01; + + /* Step 9 */ + dbMask = (unsigned char *)PORT_Alloc(dbMaskLen); + if (dbMask == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + MGF1(maskHashAlg, dbMask, dbMaskLen, &em[dbMaskLen], hash->length); + + /* Step 10 */ + for (i = 0; i < dbMaskLen; i++) + em[i] ^= dbMask[i]; + PORT_Free(dbMask); + + /* Step 11 */ + em[0] &= 0x7f; + + /* Step 12 */ + em[emLen - 1] = 0xbc; + + return SECSuccess; +} + +/* + * Verify a RSA-PSS signature. + * Described in RFC 3447, section 9.1.2. + * We use mHash instead of M as input. + * emBits from the RFC is just modBits - 1, see section 8.1.2. + * We only support MGF1 as the MGF. + * + * NOTE: this code assumes modBits is a multiple of 8. 
+ */ +static SECStatus +emsa_pss_verify(const unsigned char *mHash, + const unsigned char *em, unsigned int emLen, + HASH_HashType hashAlg, HASH_HashType maskHashAlg, + unsigned int sLen) +{ + const SECHashObject *hash; + void *hash_context; + unsigned char *db; + unsigned char *H_; /* H' from the RFC */ + unsigned int i, dbMaskLen; + SECStatus rv; + + hash = HASH_GetRawHashObject(hashAlg); + dbMaskLen = emLen - hash->length - 1; + + /* Step 3 + 4 + 6 */ + if ((emLen < (hash->length + sLen + 2)) || + (em[emLen - 1] != 0xbc) || + ((em[0] & 0x80) != 0)) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + + /* Step 7 */ + db = (unsigned char *)PORT_Alloc(dbMaskLen); + if (db == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + /* &em[dbMaskLen] points to H, used as mgfSeed */ + MGF1(maskHashAlg, db, dbMaskLen, &em[dbMaskLen], hash->length); + + /* Step 8 */ + for (i = 0; i < dbMaskLen; i++) { + db[i] ^= em[i]; + } + + /* Step 9 */ + db[0] &= 0x7f; + + /* Step 10 */ + for (i = 0; i < (dbMaskLen - sLen - 1); i++) { + if (db[i] != 0) { + PORT_Free(db); + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + } + if (db[dbMaskLen - sLen - 1] != 0x01) { + PORT_Free(db); + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + + /* Step 12 + 13 */ + H_ = (unsigned char *)PORT_Alloc(hash->length); + if (H_ == NULL) { + PORT_Free(db); + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + hash_context = (*hash->create)(); + if (hash_context == NULL) { + PORT_Free(db); + PORT_Free(H_); + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + (*hash->begin)(hash_context); + (*hash->update)(hash_context, eightZeros, 8); + (*hash->update)(hash_context, mHash, hash->length); + (*hash->update)(hash_context, &db[dbMaskLen - sLen], sLen); + (*hash->end)(hash_context, H_, &i, hash->length); + (*hash->destroy)(hash_context, PR_TRUE); + + PORT_Free(db); + + /* Step 14 */ + if (PORT_Memcmp(H_, 
&em[dbMaskLen], hash->length) != 0) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + rv = SECFailure; + } else { + rv = SECSuccess; + } + + PORT_Free(H_); + return rv; +} + +static HASH_HashType +GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech) +{ + /* TODO(wtc): add SHA-224. */ + switch (mech) { + case CKM_SHA_1: + case CKG_MGF1_SHA1: + return HASH_AlgSHA1; + case CKM_SHA256: + case CKG_MGF1_SHA256: + return HASH_AlgSHA256; + case CKM_SHA384: + case CKG_MGF1_SHA384: + return HASH_AlgSHA384; + case CKM_SHA512: + case CKG_MGF1_SHA512: + return HASH_AlgSHA512; + default: + return HASH_AlgNULL; + } +} + +/* MGF1 is the only supported MGF. */ +SECStatus +RSA_CheckSignPSS(CK_RSA_PKCS_PSS_PARAMS *pss_params, + NSSLOWKEYPublicKey *key, + const unsigned char *sign, unsigned int sign_len, + const unsigned char *hash, unsigned int hash_len) +{ + HASH_HashType hashAlg; + HASH_HashType maskHashAlg; + SECStatus rv; + unsigned int modulus_len = nsslowkey_PublicModulusLen(key); + unsigned char *buffer; + + if (sign_len != modulus_len) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + + hashAlg = GetHashTypeFromMechanism(pss_params->hashAlg); + maskHashAlg = GetHashTypeFromMechanism(pss_params->mgf); + if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return SECFailure; + } + + buffer = (unsigned char *)PORT_Alloc(modulus_len); + if (!buffer) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + + rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign); + if (rv != SECSuccess) { + PORT_Free(buffer); + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + + rv = emsa_pss_verify(hash, buffer, modulus_len, hashAlg, + maskHashAlg, pss_params->sLen); + PORT_Free(buffer); + + return rv; +} + +/* MGF1 is the only supported MGF. 
*/ +SECStatus +RSA_SignPSS(CK_RSA_PKCS_PSS_PARAMS *pss_params, NSSLOWKEYPrivateKey *key, + unsigned char *output, unsigned int *output_len, + unsigned int max_output_len, + const unsigned char *input, unsigned int input_len) +{ + SECStatus rv = SECSuccess; + unsigned int modulus_len = nsslowkey_PrivateModulusLen(key); + unsigned char *pss_encoded = NULL; + HASH_HashType hashAlg; + HASH_HashType maskHashAlg; + + if (max_output_len < modulus_len) { + PORT_SetError(SEC_ERROR_OUTPUT_LEN); + return SECFailure; + } + PORT_Assert(key->keyType == NSSLOWKEYRSAKey); + if (key->keyType != NSSLOWKEYRSAKey) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + + hashAlg = GetHashTypeFromMechanism(pss_params->hashAlg); + maskHashAlg = GetHashTypeFromMechanism(pss_params->mgf); + if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return SECFailure; + } + + pss_encoded = (unsigned char *)PORT_Alloc(modulus_len); + if (pss_encoded == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + rv = emsa_pss_encode(pss_encoded, modulus_len, input, hashAlg, + maskHashAlg, pss_params->sLen); + if (rv != SECSuccess) + goto done; + + rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, pss_encoded); + if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { + sftk_fatalError = PR_TRUE; + } + *output_len = modulus_len; + +done: + PORT_Free(pss_encoded); + return rv; +} diff --git a/security/nss/lib/softoken/sftkdb.c b/security/nss/lib/softoken/sftkdb.c index c68ec4ce5ac..c650d06f14b 100644 --- a/security/nss/lib/softoken/sftkdb.c +++ b/security/nss/lib/softoken/sftkdb.c 
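Review bot: The step 3 length check in `emsa_pss_encode` and `emsa_pss_verify` computes `hash->length + sLen + 2` in `unsigned int`, and `sLen` arrives unbounded from `pss_params->sLen`. A very large salt length wraps the sum and passes the check, after which `dbMaskLen - sLen` indexes outside `em` (a write in encode) or `db` (a read in verify). Testing without the addition avoids the wrap: `if (emLen < hash->length + 2 || sLen > emLen - hash->length - 2)`. Separately, `RSA_SignPSS` and `RSA_CheckSignPSS` accept `input_len` / `hash_len` but never compare them with the digest length, while the helpers read `hash->length` bytes from that buffer. Unless every caller outside this hunk validates the length, a mismatch should be rejected (for example with `SEC_ERROR_INPUT_LEN`) before the helper is called.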
@@ -1914,17 +1914,15 @@ sftkdb_reconcileTrustEntry(PRArenaPool *arena, CK_ATTRIBUTE *target, * trust attribute should be, and neither agree exactly. * At this point, we prefer 'hard' attributes over 'soft' ones. * 'hard' ones are CKT_NSS_TRUSTED, CKT_NSS_TRUSTED_DELEGATOR, and - * CKT_NSS_UNTRUTED. Soft ones are ones which don't change the - * actual trust of the cert (CKT_MUST_VERIFY, CKT_NSS_VALID, + * CKT_NSS_NOT_TRUTED. Soft ones are ones which don't change the + * actual trust of the cert (CKT_MUST_VERIFY_TRUST, * CKT_NSS_VALID_DELEGATOR). */ - if ((sourceTrust == CKT_NSS_MUST_VERIFY) - || (sourceTrust == CKT_NSS_VALID) + if ((sourceTrust == CKT_NSS_MUST_VERIFY_TRUST) || (sourceTrust == CKT_NSS_VALID_DELEGATOR)) { return SFTKDB_DROP_ATTRIBUTE; } - if ((targetTrust == CKT_NSS_MUST_VERIFY) - || (targetTrust == CKT_NSS_VALID) + if ((targetTrust == CKT_NSS_MUST_VERIFY_TRUST) || (targetTrust == CKT_NSS_VALID_DELEGATOR)) { /* again, overwriting the target in this case is OK */ return SFTKDB_MODIFY_OBJECT; @@ -2424,7 +2422,7 @@ sftk_freeDB(SFTKDBHandle *handle) PRInt32 ref; if (!handle) return; - ref = PR_AtomicDecrement(&handle->ref); + ref = PR_ATOMIC_DECREMENT(&handle->ref); if (ref == 0) { sftkdb_CloseDB(handle); } @@ -2444,7 +2442,7 @@ sftk_getCertDB(SFTKSlot *slot) PZ_Lock(slot->slotLock); dbHandle = slot->certDB; if (dbHandle) { - PR_AtomicIncrement(&dbHandle->ref); + PR_ATOMIC_INCREMENT(&dbHandle->ref); } PZ_Unlock(slot->slotLock); return dbHandle; @@ -2462,7 +2460,7 @@ sftk_getKeyDB(SFTKSlot *slot) SKIP_AFTER_FORK(PZ_Lock(slot->slotLock)); dbHandle = slot->keyDB; if (dbHandle) { - PR_AtomicIncrement(&dbHandle->ref); + PR_ATOMIC_INCREMENT(&dbHandle->ref); } SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock)); return dbHandle; 
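Review bot: The rewritten comment in `sftkdb_reconcileTrustEntry` names constants that do not match the code beneath it: it says `CKT_NSS_NOT_TRUTED` and `CKT_MUST_VERIFY_TRUST`, while the conditions test `CKT_NSS_MUST_VERIFY_TRUST`. This comment is the only statement of which trust values count as 'hard' and which as 'soft', so I would spell them `CKT_NSS_NOT_TRUSTED` and `CKT_NSS_MUST_VERIFY_TRUST`. The hunk also drops `CKT_NSS_VALID` from the soft set without saying why; one sentence on that in the comment would help the next reader. The function body starts and ends outside the hunk.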
@@ -2480,7 +2478,7 @@ sftk_getDBForTokenObject(SFTKSlot *slot, CK_OBJECT_HANDLE objectID) PZ_Lock(slot->slotLock); dbHandle = objectID & SFTK_KEYDB_TYPE ? slot->keyDB : slot->certDB; if (dbHandle) { - PR_AtomicIncrement(&dbHandle->ref); + PR_ATOMIC_INCREMENT(&dbHandle->ref); } PZ_Unlock(slot->slotLock); return dbHandle; diff --git a/security/nss/lib/softoken/sftkmod.c b/security/nss/lib/softoken/sftkmod.c index c89b7daaed7..e5427d9d739 100644 --- a/security/nss/lib/softoken/sftkmod.c +++ b/security/nss/lib/softoken/sftkmod.c @@ -254,7 +254,7 @@ sftkdb_ReadSecmodDB(SDBType dbType, const char *appName, if (fd == NULL) goto done; /* - * the following loop takes line separated config lines and colapses + * the following loop takes line separated config lines and collapses * the lines to a single string, escaping and quoting as necessary. */ /* loop state variables */ @@ -579,7 +579,7 @@ sftkdb_DeleteSecmodDB(SDBType dbType, const char *appName, /* - * the following loop takes line separated config files and colapses + * the following loop takes line separated config files and collapses * the lines to a single string, escaping and quoting as necessary. */ /* loop state variables */ @@ -638,6 +638,7 @@ sftkdb_DeleteSecmodDB(SDBType dbType, const char *appName, PORT_Free(dbname2); PORT_Free(lib); PORT_Free(name); + PORT_Free(block); return SECSuccess; loser: diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c index 9d56f1b1192..4da2d1df5e6 100644 --- a/security/nss/lib/softoken/sftkpwd.c +++ b/security/nss/lib/softoken/sftkpwd.c @@ -482,7 +482,7 @@ sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey, signValue.value.len = hmacLength; RNG_GenerateGlobalRandomBytes(saltData,prfLength); - /* initialize our pkcs5 paramter */ + /* initialize our pkcs5 parameter */ param = nsspkcs5_NewParam(signValue.alg, &signValue.salt, 1); if (param == NULL) { rv = SECFailure; 
diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h index 071bdabd7fa..4082b86d4fe 100644 --- a/security/nss/lib/softoken/softkver.h +++ b/security/nss/lib/softoken/softkver.h @@ -57,11 +57,11 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define SOFTOKEN_VERSION "3.12.11.0" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.13.0.0" SOFTOKEN_ECC_STRING " Beta" #define SOFTOKEN_VMAJOR 3 -#define SOFTOKEN_VMINOR 12 -#define SOFTOKEN_VPATCH 11 +#define SOFTOKEN_VMINOR 13 +#define SOFTOKEN_VPATCH 0 #define SOFTOKEN_VBUILD 0 -#define SOFTOKEN_BETA PR_FALSE +#define SOFTOKEN_BETA PR_TRUE #endif /* _SOFTKVER_H_ */ diff --git a/security/nss/lib/softoken/softoken.h b/security/nss/lib/softoken/softoken.h index 6375f9a3060..7968cf29543 100644 --- a/security/nss/lib/softoken/softoken.h +++ b/security/nss/lib/softoken/softoken.h @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: softoken.h,v 1.23 2009/02/26 06:57:15 nelson%bolyard.com Exp $ */ +/* $Id: softoken.h,v 1.27 2010/08/05 00:19:26 wtc%google.com Exp $ */ #ifndef _SOFTOKEN_H_ #define _SOFTOKEN_H_ @@ -94,6 +94,12 @@ SECStatus RSA_HashSign(SECOidTag hashOid, unsigned int *sigLen, unsigned int maxLen, unsigned char *hash, unsigned int hashLen); extern +SECStatus RSA_SignPSS(CK_RSA_PKCS_PSS_PARAMS *pss_params, + NSSLOWKEYPrivateKey *key, + unsigned char *output, unsigned int *output_len, + unsigned int max_output_len, const unsigned char *input, + unsigned int input_len); +extern SECStatus RSA_CheckSign(NSSLOWKEYPublicKey *key, unsigned char *sign, unsigned int signLength, unsigned char *hash, unsigned int hashLength); 
@@ -103,6 +109,11 @@ SECStatus RSA_HashCheckSign(SECOidTag hashOid, unsigned int sigLen, unsigned char *digest, unsigned int digestLen); extern +SECStatus RSA_CheckSignPSS(CK_RSA_PKCS_PSS_PARAMS *pss_params, + NSSLOWKEYPublicKey *key, + const unsigned char *sign, unsigned int sign_len, + const unsigned char *hash, unsigned int hash_len); +extern SECStatus RSA_CheckSignRecover(NSSLOWKEYPublicKey *key, unsigned char *data, unsigned int *data_len,unsigned int max_output_len, unsigned char *sign, unsigned int sign_len); @@ -265,7 +276,7 @@ extern PRBool sftk_fatalError; /* ** macros to check for forked child process after C_Initialize */ -#if defined(XP_UNIX) && !defined(NO_CHECK_FORK) +#if defined(XP_UNIX) && !defined(NO_FORK_CHECK) #ifdef DEBUG diff --git a/security/nss/cmd/lib/SSLerrs.h b/security/nss/lib/ssl/SSLerrs.h similarity index 100% rename from security/nss/cmd/lib/SSLerrs.h rename to security/nss/lib/ssl/SSLerrs.h diff --git a/security/nss/lib/ssl/derive.c b/security/nss/lib/ssl/derive.c index 8088296a611..d4a1d14d999 100644 --- a/security/nss/lib/ssl/derive.c +++ b/security/nss/lib/ssl/derive.c @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: derive.c,v 1.12.40.1 2011/03/24 01:39:01 alexei.volkov.bugs%sun.com Exp $ */ +/* $Id: derive.c,v 1.13 2011/03/22 22:15:22 alexei.volkov.bugs%sun.com Exp $ */ #include "ssl.h" /* prereq to sslimpl.h */ #include "certt.h" /* prereq to sslimpl.h */ @@ -742,9 +742,6 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey, if (enc_pms.data != NULL) { SECITEM_FreeItem(&enc_pms, PR_FALSE); } - if (pms) { - PK11_FreeSymKey(pms); - } #ifdef NSS_ENABLE_ECC for (; (privKeytype == ecKey && ( testecdh || testecdhe)) || (privKeytype == rsaKey && testecdhe); ) { diff --git a/security/nss/lib/ssl/manifest.mn b/security/nss/lib/ssl/manifest.mn index 84512296dbf..2a2e543fd5f 100644 --- a/security/nss/lib/ssl/manifest.mn 
+++ b/security/nss/lib/ssl/manifest.mn @@ -46,6 +46,11 @@ EXPORTS = \ preenc.h \ $(NULL) +PRIVATE_EXPORTS = \ + sslerrstrs.h \ + SSLerrs.h \ + $(NULL) + MODULE = nss MAPFILE = $(OBJDIR)/ssl.def @@ -59,6 +64,8 @@ CSRCS = \ ssldef.c \ sslenum.c \ sslerr.c \ + sslerrstrs.c \ + sslinit.c \ ssl3ext.c \ sslgathr.c \ sslmutex.c \ diff --git a/security/nss/lib/ssl/notes.txt b/security/nss/lib/ssl/notes.txt index 772da4d589c..44731bc514b 100644 --- a/security/nss/lib/ssl/notes.txt +++ b/security/nss/lib/ssl/notes.txt @@ -91,8 +91,8 @@ user dialog to finish). It is not the same as EWOULDBLOCK. Rank (order) of locks -[ReadLock ->]\ [firstHandshake ->] [ssl3Handshake ->] recvbuf \ -> "spec" -[WriteLock->]/ xmitbuf / +recvLock ->\ firstHandshake -> recvbuf -> ssl3Handshake -> xmitbuf -> "spec" +sendLock ->/ crypto and hash Data that must be protected while turning plaintext into ciphertext: diff --git a/security/nss/lib/ssl/ssl.def b/security/nss/lib/ssl/ssl.def index e2b9005d965..70638eadc9c 100644 --- a/security/nss/lib/ssl/ssl.def +++ b/security/nss/lib/ssl/ssl.def @@ -158,3 +158,9 @@ SSL_ConfigSecureServerWithCertChain; ;+ local: ;+*; ;+}; +;+NSS_3.13 { # NSS 3.13 release +;+ global: +NSSSSL_GetVersion; +;+ local: +;+ *; +;+}; diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h index 1dcb4a0c9c8..edb8e6fd131 100644 --- a/security/nss/lib/ssl/ssl.h +++ b/security/nss/lib/ssl/ssl.h @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: ssl.h,v 1.38.2.4 2011/04/08 05:44:32 wtc%google.com Exp $ */ +/* $Id: ssl.h,v 1.42 2011/08/01 07:08:09 kaie%kuix.de Exp $ */ #ifndef __ssl_h_ #define __ssl_h_ 
@@ -639,6 +639,23 @@ SSL_IMPORT SECStatus SSL_HandshakeNegotiatedExtension(PRFileDesc * socket, SSLExtensionType extId, PRBool *yes); +/* + * Return a boolean that indicates whether the underlying library + * will perform as the caller expects. + * + * The only argument is a string, which should be the version + * identifier of the NSS library. That string will be compared + * against a string that represents the actual build version of + * the SSL library. It also invokes the version checking functions + * of the dependent libraries such as NSPR. + */ +extern PRBool NSSSSL_VersionCheck(const char *importedVersion); + +/* + * Returns a const string of the SSL library version. + */ +extern const char *NSSSSL_GetVersion(void); + SEC_END_PROTOS #endif /* __ssl_h_ */ diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index 850a54ceeba..e044cf4a2d9 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -39,7 +39,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: ssl3con.c,v 1.142.2.5 2011/01/25 01:49:22 wtc%google.com Exp $ */ +/* $Id: ssl3con.c,v 1.151 2011/07/26 02:13:37 wtc%google.com Exp $ */ #include "cert.h" #include "ssl.h" @@ -86,7 +86,8 @@ static SECStatus ssl3_SendServerHello( sslSocket *ss); static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); static SECStatus ssl3_NewHandshakeHashes( sslSocket *ss); -static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, unsigned char *b, +static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, + const unsigned char *b, unsigned int l); static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, 
@@ -928,8 +929,7 @@ ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert, key = CERT_ExtractPublicKey(cert); if (key == NULL) { - /* CERT_ExtractPublicKey doesn't set error code */ - PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); + ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); return SECFailure; } @@ -3178,7 +3178,8 @@ loser: ** Caller must hold the ssl3Handshake lock. */ static SECStatus -ssl3_UpdateHandshakeHashes(sslSocket *ss, unsigned char *b, unsigned int l) +ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, + unsigned int l) { SECStatus rv = SECSuccess; @@ -4741,7 +4742,7 @@ ssl3_SendClientKeyExchange(sslSocket *ss) if (ss->sec.peerKey == NULL) { serverKey = CERT_ExtractPublicKey(ss->sec.peerCert); if (serverKey == NULL) { - PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); + ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); return SECFailure; } } else { @@ -5671,14 +5672,21 @@ ssl3_RestartHandshakeAfterCertReq(sslSocket * ss, PRBool ssl3_CanFalseStart(sslSocket *ss) { - return ss->opt.enableFalseStart && - !ss->sec.isServer && - !ss->ssl3.hs.isResuming && - ss->ssl3.cwSpec && - ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 && - (ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_rsa || - ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_dh || - ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_ecdh); + PRBool rv; + + PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); + + ssl_GetSpecReadLock(ss); + rv = ss->opt.enableFalseStart && + !ss->sec.isServer && + !ss->ssl3.hs.isResuming && + ss->ssl3.cwSpec && + ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 && + (ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_rsa || + ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_dh || + ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_ecdh); + ssl_ReleaseSpecReadLock(ss); + return rv; } /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 
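Review bot: In `ssl3_VerifySignedHashes` the failure path after `CERT_ExtractPublicKey` now calls `ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE)`, and the comment this hunk deletes said that `CERT_ExtractPublicKey` does not set an error code. If that is still true, the mapping helper presumably works from whatever error an earlier call left behind, so the reported code can be unrelated to this failure. Either keep `PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);` or clear the stale value first with `PORT_SetError(0);` before calling `CERT_ExtractPublicKey`. The same applies to the `ssl3_SendClientKeyExchange` hunk at -4741. Both function bodies continue outside their hunks.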
@@ -7760,6 +7768,7 @@ static SECStatus ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) { ssl3CertNode * c; + ssl3CertNode * lastCert = NULL; ssl3CertNode * certs = NULL; PRArenaPool * arena = NULL; CERTCertificate *cert; @@ -7887,8 +7896,13 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) if (c->cert->trust) trusted = PR_TRUE; - c->next = certs; - certs = c; + c->next = NULL; + if (lastCert) { + lastCert->next = c; + } else { + certs = c; + } + lastCert = c; } if (remaining != 0) diff --git a/security/nss/lib/ssl/ssl3ext.c b/security/nss/lib/ssl/ssl3ext.c index 3a92fa0281a..9c3dca6256d 100644 --- a/security/nss/lib/ssl/ssl3ext.c +++ b/security/nss/lib/ssl/ssl3ext.c @@ -41,7 +41,7 @@ * ***** END LICENSE BLOCK ***** */ /* TLS extension code moved here from ssl3ecc.c */ -/* $Id: ssl3ext.c,v 1.14.2.2 2011/03/24 16:30:57 alexei.volkov.bugs%sun.com Exp $ */ +/* $Id: ssl3ext.c,v 1.16 2011/03/24 01:40:14 alexei.volkov.bugs%sun.com Exp $ */ #include "nssrenam.h" #include "nss.h" diff --git a/security/nss/lib/ssl/ssl3gthr.c b/security/nss/lib/ssl/ssl3gthr.c index 65d96f8a700..172b3459276 100644 --- a/security/nss/lib/ssl/ssl3gthr.c +++ b/security/nss/lib/ssl/ssl3gthr.c @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: ssl3gthr.c,v 1.9.20.1 2010/07/31 04:33:52 wtc%google.com Exp $ */ +/* $Id: ssl3gthr.c,v 1.10 2010/07/30 03:00:17 wtc%google.com Exp $ */ #include "cert.h" #include "ssl.h" diff --git a/security/nss/lib/ssl/sslauth.c b/security/nss/lib/ssl/sslauth.c index 6d1eab0f53b..93c11cdfa7c 100644 --- a/security/nss/lib/ssl/sslauth.c +++ b/security/nss/lib/ssl/sslauth.c 
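Review bot: The loop in `ssl3_HandleCertificate` now appends each node through `lastCert` instead of prepending, which reverses the order of the `certs` list, but nothing at the site records why the order matters. A short comment above the new lines, e.g. `/* append, so the list keeps the order in which the peer sent the certificates */`, would keep a later cleanup from restoring the simpler prepend. The function body begins and ends outside this hunk, so how `certs` is consumed is not visible here.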
@@ -33,7 +33,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslauth.c,v 1.16.66.1 2010/08/03 18:52:13 wtc%google.com Exp $ */ +/* $Id: sslauth.c,v 1.17 2010/08/03 18:48:45 wtc%google.com Exp $ */ #include "cert.h" #include "secitem.h" #include "ssl.h" diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c index 8f3bc06a834..4191c89e30e 100644 --- a/security/nss/lib/ssl/sslcon.c +++ b/security/nss/lib/ssl/sslcon.c @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslcon.c,v 1.40.2.1 2011/03/30 17:38:42 wtc%google.com Exp $ */ +/* $Id: sslcon.c,v 1.42 2011/08/01 07:08:09 kaie%kuix.de Exp $ */ #include "nssrenam.h" #include "cert.h" @@ -3852,3 +3852,9 @@ NSSSSL_VersionCheck(const char *importedVersion) c = __nss_ssl_rcsid[0] + __nss_ssl_sccsid[0]; return NSS_VersionCheck(importedVersion); } + +const char * +NSSSSL_GetVersion(void) +{ + return NSS_VERSION; +} diff --git a/security/nss/lib/ssl/sslerr.h b/security/nss/lib/ssl/sslerr.h index a2f6524bf7f..1422e2de7b7 100644 --- a/security/nss/lib/ssl/sslerr.h +++ b/security/nss/lib/ssl/sslerr.h @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslerr.h,v 1.11.2.2 2010/09/01 19:47:11 wtc%google.com Exp $ */ +/* $Id: sslerr.h,v 1.13 2010/09/01 19:43:48 wtc%google.com Exp $ */ #ifndef __SSL_ERR_H_ #define __SSL_ERR_H_ diff --git a/security/nss/lib/ssl/sslerrstrs.c b/security/nss/lib/ssl/sslerrstrs.c new file mode 100644 index 00000000000..182a2bfd6f5 --- /dev/null +++ b/security/nss/lib/ssl/sslerrstrs.c 
@@ -0,0 +1,66 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Red Hat, Inc + * Portions created by the Initial Developer are Copyright (C) 2009 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. 
+ * + * ***** END LICENSE BLOCK ***** */ +#include "prerror.h" +#include "sslerr.h" +#include "prinit.h" +#include "nssutil.h" +#include "ssl.h" +#include "sslerrstrs.h" + +#define ER3(name, value, str) {#name, str}, + +static const struct PRErrorMessage ssltext[] = { +#include "SSLerrs.h" + {0,0} +}; + +static const struct PRErrorTable ssl_et = { + ssltext, "sslerr", SSL_ERROR_BASE, + (sizeof ssltext)/(sizeof ssltext[0]) +}; + +static PRStatus +ssl_InitializePRErrorTableOnce(void) { + return PR_ErrorInstallTable(&ssl_et); +} + +static PRCallOnceType once; + +PRStatus +ssl_InitializePRErrorTable(void) +{ + return PR_CallOnce(&once, ssl_InitializePRErrorTableOnce); +} diff --git a/security/nss/lib/ssl/sslerrstrs.h b/security/nss/lib/ssl/sslerrstrs.h new file mode 100644 index 00000000000..69dbd8230e3 --- /dev/null +++ b/security/nss/lib/ssl/sslerrstrs.h 
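Review bot: The message count stored in `ssl_et`, `(sizeof ssltext)/(sizeof ssltext[0])`, includes the terminating `{0,0}` entry of `ssltext`, so the table claims one more error code than `SSLerrs.h` defines. Assuming NSPR uses this count as the table's code range, a lookup for the code just past the last real SSL error would land on the sentinel and return a null name and text instead of falling through to "unknown code". Using `(sizeof ssltext)/(sizeof ssltext[0]) - 1` keeps the sentinel out of the range.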
@@ -0,0 +1,53 @@ +/* + * This file contains prototypes for the public SSL functions. + * + * ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. 
+ * + * ***** END LICENSE BLOCK ***** */ +/* $Id: sslerrstrs.h,v 1.1 2011/08/17 14:41:02 emaldona%redhat.com Exp $ */ + +#ifndef __sslerrstrs_h_ +#define __sslerrstrs_h_ + +#include "prtypes.h" + +SEC_BEGIN_PROTOS + +extern PRStatus +ssl_InitializePRErrorTable(void); + +SEC_END_PROTOS + +#endif /* __sslerrstrs_h_ */ diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h index 91070d35c07..782afadfe6f 100644 --- a/security/nss/lib/ssl/sslimpl.h +++ b/security/nss/lib/ssl/sslimpl.h @@ -39,7 +39,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslimpl.h,v 1.77.2.2 2011/03/16 18:55:38 alexei.volkov.bugs%sun.com Exp $ */ +/* $Id: sslimpl.h,v 1.82 2011/03/10 04:29:04 alexei.volkov.bugs%sun.com Exp $ */ #ifndef __sslimpl_h_ #define __sslimpl_h_ @@ -1258,15 +1258,24 @@ extern PRBool ssl3_CanFalseStart(sslSocket *ss); #define SSL_LOCK_WRITER(ss) if (ss->sendLock) PZ_Lock(ss->sendLock) #define SSL_UNLOCK_WRITER(ss) if (ss->sendLock) PZ_Unlock(ss->sendLock) +/* firstHandshakeLock -> recvBufLock */ #define ssl_Get1stHandshakeLock(ss) \ - { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->firstHandshakeLock); } + { if (!ss->opt.noLocks) { \ + PORT_Assert(PZ_InMonitor((ss)->firstHandshakeLock) || \ + !ssl_HaveRecvBufLock(ss)); \ + PZ_EnterMonitor((ss)->firstHandshakeLock); \ + } } #define ssl_Release1stHandshakeLock(ss) \ { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->firstHandshakeLock); } #define ssl_Have1stHandshakeLock(ss) \ (PZ_InMonitor((ss)->firstHandshakeLock)) +/* ssl3HandshakeLock -> xmitBufLock */ #define ssl_GetSSL3HandshakeLock(ss) \ - { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->ssl3HandshakeLock); } + { if (!ss->opt.noLocks) { \ + PORT_Assert(!ssl_HaveXmitBufLock(ss)); \ + PZ_EnterMonitor((ss)->ssl3HandshakeLock); \ + } } #define ssl_ReleaseSSL3HandshakeLock(ss) \ { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->ssl3HandshakeLock); } #define ssl_HaveSSL3HandshakeLock(ss) \ 
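Review bot: `sslerrstrs.h` uses `SEC_BEGIN_PROTOS` / `SEC_END_PROTOS` but includes only `prtypes.h`, so it compiles only when the including file has already pulled in the header that defines those macros. The two new `.c` files in this patch include other NSS headers first, which hides the problem. Adding `#include "seccomon.h"` before the prototypes makes the header self-contained. The opening comment, `This file contains prototypes for the public SSL functions.`, also does not describe this file; something like `Private prototype for installing the SSL error-string table.` would.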
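Review bot: The new lock-ordering assertions are inconsistent about re-entry. `ssl_Get1stHandshakeLock` allows the case where the thread is already inside the monitor (`PZ_InMonitor((ss)->firstHandshakeLock) || ...`), but `ssl_GetSSL3HandshakeLock` asserts `!ssl_HaveXmitBufLock(ss)` unconditionally, and `ssl_GetRecvBufLock` in the -1284 hunk does the same with its two assertions. A thread that already holds `ssl3HandshakeLock` and `xmitBufLock` and re-enters the handshake monitor violates no ordering, yet would trip the assertion in debug builds. `PORT_Assert(PZ_InMonitor((ss)->ssl3HandshakeLock) || !ssl_HaveXmitBufLock(ss));` would match the first macro. Whether such re-entry actually occurs is not visible from this hunk.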
@@ -1276,6 +1285,8 @@ extern PRBool ssl3_CanFalseStart(sslSocket *ss); { if (!ss->opt.noLocks) NSSRWLock_LockRead((ss)->specLock); } #define ssl_ReleaseSpecReadLock(ss) \ { if (!ss->opt.noLocks) NSSRWLock_UnlockRead((ss)->specLock); } +/* NSSRWLock_HaveReadLock is not exported so there's no + * ssl_HaveSpecReadLock macro. */ #define ssl_GetSpecWriteLock(ss) \ { if (!ss->opt.noLocks) NSSRWLock_LockWrite((ss)->specLock); } @@ -1284,13 +1295,19 @@ extern PRBool ssl3_CanFalseStart(sslSocket *ss); #define ssl_HaveSpecWriteLock(ss) \ (NSSRWLock_HaveWriteLock((ss)->specLock)) +/* recvBufLock -> ssl3HandshakeLock -> xmitBufLock */ #define ssl_GetRecvBufLock(ss) \ - { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->recvBufLock); } + { if (!ss->opt.noLocks) { \ + PORT_Assert(!ssl_HaveSSL3HandshakeLock(ss)); \ + PORT_Assert(!ssl_HaveXmitBufLock(ss)); \ + PZ_EnterMonitor((ss)->recvBufLock); \ + } } #define ssl_ReleaseRecvBufLock(ss) \ { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->recvBufLock); } #define ssl_HaveRecvBufLock(ss) \ (PZ_InMonitor((ss)->recvBufLock)) +/* xmitBufLock -> specLock */ #define ssl_GetXmitBufLock(ss) \ { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->xmitBufLock); } #define ssl_ReleaseXmitBufLock(ss) \ diff --git a/security/nss/lib/ssl/sslinfo.c b/security/nss/lib/ssl/sslinfo.c index 96377b0d1e8..4253962dfc8 100644 --- a/security/nss/lib/ssl/sslinfo.c +++ b/security/nss/lib/ssl/sslinfo.c @@ -34,7 +34,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslinfo.c,v 1.23.2.1 2010/09/02 01:13:46 wtc%google.com Exp $ */ +/* $Id: sslinfo.c,v 1.24 2010/09/02 01:12:57 wtc%google.com Exp $ */ #include "ssl.h" #include "sslimpl.h" #include "sslproto.h" diff --git a/security/nss/lib/ssl/sslinit.c b/security/nss/lib/ssl/sslinit.c new file mode 100644 index 00000000000..4ba8e84dc10 --- /dev/null +++ b/security/nss/lib/ssl/sslinit.c 
@@ -0,0 +1,60 @@ +/* + * NSS utility functions + * + * ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Red Hat Inc. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. 
+ * + * ***** END LICENSE BLOCK ***** */ +/* $Id: sslinit.c,v 1.1 2011/08/17 14:41:05 emaldona%redhat.com Exp $ */ + +#include "prtypes.h" +#include "prinit.h" +#include "seccomon.h" +#include "secerr.h" +#include "ssl.h" +#include "sslerrstrs.h" + +static int ssl_inited = 0; + +SECStatus +ssl_Init(void) +{ + if (!ssl_inited) { + if (ssl_InitializePRErrorTable() == PR_FAILURE) { + return (SEC_ERROR_NO_MEMORY); + } + ssl_inited = 1; + } + return SECSuccess; +} diff --git a/security/nss/lib/ssl/sslnonce.c b/security/nss/lib/ssl/sslnonce.c index 024651073fc..ca089aaf8f6 100644 --- a/security/nss/lib/ssl/sslnonce.c +++ b/security/nss/lib/ssl/sslnonce.c @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslnonce.c,v 1.25.54.1 2011/03/24 16:30:57 alexei.volkov.bugs%sun.com Exp $ */ +/* $Id: sslnonce.c,v 1.26 2011/03/24 01:40:14 alexei.volkov.bugs%sun.com Exp $ */ #include "cert.h" #include "pk11pub.h" diff --git a/security/nss/lib/ssl/sslreveal.c b/security/nss/lib/ssl/sslreveal.c index 94b2c2fd1d3..b66be3db268 100644 --- a/security/nss/lib/ssl/sslreveal.c +++ b/security/nss/lib/ssl/sslreveal.c @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslreveal.c,v 1.7.2.1 2010/08/03 18:52:13 wtc%google.com Exp $ */ +/* $Id: sslreveal.c,v 1.8 2010/08/03 18:48:45 wtc%google.com Exp $ */ #include "cert.h" #include "ssl.h" diff --git a/security/nss/lib/ssl/sslsecur.c b/security/nss/lib/ssl/sslsecur.c index a40dd4fc319..70b665b3a24 100644 --- a/security/nss/lib/ssl/sslsecur.c +++ b/security/nss/lib/ssl/sslsecur.c @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslsecur.c,v 1.43.2.4 2011/04/08 05:25:21 wtc%google.com Exp $ */ +/* $Id: sslsecur.c,v 1.49 2011/04/08 05:37:44 wtc%google.com Exp $ */ #include "cert.h" #include "secitem.h" #include "keyhi.h" 
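Review bot: `ssl_Init` in the new sslinit.c returns `SEC_ERROR_NO_MEMORY`, an error code, from a function typed `SECStatus`, and never records the error with `PORT_SetError`. The callers added elsewhere in this commit compare against `SECSuccess` and hand the value back, so API users that test for `SECFailure` receive an unexpected value, and `SSL_ImportFD` returns NULL with no error code set. The failure path should read `PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure;`. Separately, `ssl_inited` is a plain `static int` read and written without synchronization; whether two threads racing through the first call is harmless depends on `ssl_InitializePRErrorTable`, which is not shown in this hunk, so a comment stating that assumption would help.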
@@ -84,7 +84,8 @@ * * 3. SECWouldBlock was returned by one of the callback functions, via * one of these paths: - * - ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() -> ss->getClientAuthData() + * - ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() -> + * ss->getClientAuthData() * * - ssl2_HandleServerHelloMessage() -> ss->handleBadCert() * @@ -117,6 +118,7 @@ ssl_Do1stHandshake(sslSocket *ss) PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss)); PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss)); + PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss)); if (ss->handshake == 0) { /* Previous handshake finished. Switch to next one */ @@ -157,6 +159,7 @@ ssl_Do1stHandshake(sslSocket *ss) PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss)); PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss)); + PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss)); if (rv == SECWouldBlock) { PORT_SetError(PR_WOULD_BLOCK_ERROR); @@ -235,7 +238,6 @@ SSL_ResetHandshake(PRFileDesc *s, PRBool asServer) /* Reset handshake state */ ssl_Get1stHandshakeLock(ss); - ssl_GetSSL3HandshakeLock(ss); ss->firstHsDone = PR_FALSE; if ( asServer ) { @@ -252,6 +254,8 @@ SSL_ResetHandshake(PRFileDesc *s, PRBool asServer) status = ssl_InitGather(&ss->gs); ssl_ReleaseRecvBufLock(ss); + ssl_GetSSL3HandshakeLock(ss); + /* ** Blow away old security state and get a fresh setup. */ 
@@ -1210,12 +1214,15 @@ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags) if (!ss->firstHsDone) { PRBool canFalseStart = PR_FALSE; ssl_Get1stHandshakeLock(ss); - if (ss->version >= SSL_LIBRARY_VERSION_3_0 && - (ss->ssl3.hs.ws == wait_change_cipher || - ss->ssl3.hs.ws == wait_finished || - ss->ssl3.hs.ws == wait_new_session_ticket) && - ssl3_CanFalseStart(ss)) { - canFalseStart = PR_TRUE; + if (ss->version >= SSL_LIBRARY_VERSION_3_0) { + ssl_GetSSL3HandshakeLock(ss); + if ((ss->ssl3.hs.ws == wait_change_cipher || + ss->ssl3.hs.ws == wait_finished || + ss->ssl3.hs.ws == wait_new_session_ticket) && + ssl3_CanFalseStart(ss)) { + canFalseStart = PR_TRUE; + } + ssl_ReleaseSSL3HandshakeLock(ss); } if (!canFalseStart && (ss->handshake || ss->nextHandshake || ss->securityHandshake)) { diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c index cd318df29da..ee736b282e4 100644 --- a/security/nss/lib/ssl/sslsnce.c +++ b/security/nss/lib/ssl/sslsnce.c @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslsnce.c,v 1.54.2.1 2011/03/16 18:49:45 alexei.volkov.bugs%sun.com Exp $ */ +/* $Id: sslsnce.c,v 1.56 2011/08/17 14:41:10 emaldona%redhat.com Exp $ */ /* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server * cache sids! @@ -83,6 +83,7 @@ #include "ssl.h" #include "sslimpl.h" #include "sslproto.h" +#include "sslutil.h" #include "pk11func.h" #include "base64.h" #include "keyhi.h" @@ -1331,6 +1332,11 @@ ssl_ConfigServerSessionIDCacheInstanceWithOpt(cacheDesc *cache, PORT_Assert(sizeof(certCacheEntry) == 4096); PORT_Assert(sizeof(srvNameCacheEntry) == 1072); + rv = ssl_Init(); + if (rv != SECSuccess) { + return rv; + } + myPid = SSL_GETPID(); if (!directory) { directory = DEFAULT_CACHE_DIRECTORY; 
@@ -1511,6 +1517,11 @@ SSL_InheritMPServerSIDCacheInstance(cacheDesc *cache, const char * envString) int locks_initialized = 0; int locks_to_initialize = 0; #endif + SECStatus status = ssl_Init(); + + if (status != SECSuccess) { + return status; + } myPid = SSL_GETPID(); diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c index 568b500c8ca..b598688b110 100644 --- a/security/nss/lib/ssl/sslsock.c +++ b/security/nss/lib/ssl/sslsock.c @@ -40,13 +40,14 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslsock.c,v 1.67.2.3 2011/07/26 14:42:57 wtc%google.com Exp $ */ +/* $Id: sslsock.c,v 1.72 2011/08/17 14:41:16 emaldona%redhat.com Exp $ */ #include "seccomon.h" #include "cert.h" #include "keyhi.h" #include "ssl.h" #include "sslimpl.h" #include "sslproto.h" +#include "sslutil.h" #include "nspr.h" #include "private/pprio.h" #include "blapi.h" @@ -871,6 +872,12 @@ SSL_EnableDefault(int which, PRBool on) SECStatus SSL_OptionSetDefault(PRInt32 which, PRBool on) { + SECStatus status = ssl_Init(); + + if (status != SECSuccess) { + return status; + } + ssl_SetDefaultsFromEnvironment(); switch (which) { @@ -1043,7 +1050,11 @@ SSL_SetPolicy(long which, int policy) SECStatus SSL_CipherPolicySet(PRInt32 which, PRInt32 policy) { - SECStatus rv; + SECStatus rv = ssl_Init(); + + if (rv != SECSuccess) { + return rv; + } if (ssl_IsRemovedCipherSuite(which)) { rv = SECSuccess; @@ -1098,7 +1109,11 @@ SSL_EnableCipher(long which, PRBool enabled) SECStatus SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled) { - SECStatus rv; + SECStatus rv = ssl_Init(); + + if (rv != SECSuccess) { + return rv; + } if (ssl_IsRemovedCipherSuite(which)) return SECSuccess; 
@@ -1239,6 +1254,11 @@ SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) sslSocket * ns = NULL; PRStatus rv; PRNetAddr addr; + SECStatus status = ssl_Init(); + + if (status != SECSuccess) { + return NULL; + } if (model == NULL) { /* Just create a default socket if we're given NULL for the model */ @@ -2179,7 +2199,9 @@ ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id) PRStatus status; if (!ssl_inited) { - PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer); + status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer); + if (status != PR_SUCCESS) + goto loser; } if (ns == NULL) diff --git a/security/nss/lib/ssl/sslutil.h b/security/nss/lib/ssl/sslutil.h new file mode 100644 index 00000000000..26603280881 --- /dev/null +++ b/security/nss/lib/ssl/sslutil.h 
@@ -0,0 +1,53 @@ +/* + * This file contains prototypes for the public SSL functions. + * + * ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. 
+ * + * ***** END LICENSE BLOCK ***** */ +/* $Id: sslutil.h,v 1.1 2011/08/17 14:41:20 emaldona%redhat.com Exp $ */ + +#ifndef __sslutil_h_ +#define __sslutil_h_ + +#include "prtypes.h" + +SEC_BEGIN_PROTOS + +extern PRStatus SSL_InitializePRErrorTable(void); +extern SECStatus ssl_Init(void); + +SEC_END_PROTOS + +#endif /* __sslutil_h_ */ diff --git a/security/nss/cmd/lib/SECerrs.h b/security/nss/lib/util/SECerrs.h similarity index 100% rename from security/nss/cmd/lib/SECerrs.h rename to security/nss/lib/util/SECerrs.h diff --git a/security/nss/lib/util/errstrs.c b/security/nss/lib/util/errstrs.c new file mode 100644 index 00000000000..689aadb3627 --- /dev/null +++ b/security/nss/lib/util/errstrs.c 
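Review bot: sslutil.h declares `SSL_InitializePRErrorTable`, but `ssl_Init` in sslinit.c calls `ssl_InitializePRErrorTable`, which is the name sslerrstrs.h declares; unless a definition with the upper-case name exists in a part of the patch not shown here, this prototype is dead or misspelled. errstrs.h has the mirror-image problem: it declares `nss_InitializePRErrorTable` while errstrs.c defines `NSS_InitializePRErrorTable`. The header also uses `SECStatus` and `SEC_BEGIN_PROTOS` while including only prtypes.h, so it compiles only when the includer has already pulled in seccomon.h; adding `#include "seccomon.h"` makes it self-contained. Its banner says "prototypes for the public SSL functions" although `ssl_Init` is an internal entry point, so the banner should be reworded.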
@@ -0,0 +1,183 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc
+ * Portions created by the Initial Developer are Copyright (C) 2009
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "prerror.h"
+#include "secerr.h"
+#include "secport.h"
+#include "prinit.h"
+#include "prprf.h"
+#include "prtypes.h"
+#include "prlog.h"
+#include "plstr.h"
+#include "nssutil.h"
+#include
+
+#define ER3(name, value, str) {#name, str},
+
+static const struct PRErrorMessage sectext[] = {
+#include "SECerrs.h"
+ {0,0}
+};
+
+static const struct PRErrorTable sec_et = {
+ sectext, "secerrstrings", SEC_ERROR_BASE,
+ (sizeof sectext)/(sizeof sectext[0])
+};
+
+static PRStatus
+nss_InitializePRErrorTableOnce(void) {
+ return PR_ErrorInstallTable(&sec_et);
+}
+
+static PRCallOnceType once;
+
+PRStatus
+NSS_InitializePRErrorTable(void)
+{
+ return PR_CallOnce(&once, nss_InitializePRErrorTableOnce);
+}
+
+/* Returns a UTF-8 encoded constant error string for "errNum".
+ * Returns NULL if either initialization of the error tables
+ * or formatting fails due to insufficient memory.
+ *
+ * This is the simpler common function that the others call.
+ * It is thread safe and does not preappend anything to the
+ * mapped error string.
+ */
+static char *
+nss_Strerror(PRErrorCode errNum)
+{
+ static int initDone;
+
+ if (!initDone) {
+ /* nspr_InitializePRErrorTable(); done by PR_Init */
+ PRStatus rv = NSS_InitializePRErrorTable();
+ /* If this calls fails for insufficient memory, just return NULL */
+ if (rv != PR_SUCCESS) return NULL;
+ initDone = 1;
+ }
+
+ return (char *) PR_ErrorToString(errNum, PR_LANGUAGE_I_DEFAULT);
+}
+
+/* Hope this size is sufficient even with localization */
+#define EBUFF_SIZE 512
+static char ebuf[EBUFF_SIZE];
+
+/* Returns a UTF-8 encoded constant error string for "errNum".
+ * Returns NULL if either initialization of the error tables
+ * or formatting fails due to insufficient memory.
+ *
+ * The format argument indicates whether extra error information
+ * is desired. This is useful when localizations are not yet
+ * available and the mapping would return nothing for a locale.
+ *
+ * Specify formatSimple to get just the error string as mapped.
+ * Specify formatIncludeErrorCode to format the error code
+ * numeric value plus a bracketed stringized error name
+ * preappended to the mapped error string.
+ *
+ * Additional formatting options may be added in teh future
+ *
+ * This string must not be modified by the application, but may be modified by
+ * a subsequent call to NSS_Perror() or NSS_Strerror().
+ */
+char *
+NSS_Strerror(PRErrorCode errNum, ReportFormatType format)
+{
+ PRUint32 count;
+ char *errname = (char *) PR_ErrorToName(errNum);
+ char *errstr = nss_Strerror(errNum);
+
+ if (!errstr) return NULL;
+
+ if (format == formatSimple) return errstr;
+
+ count = PR_snprintf(ebuf, EBUFF_SIZE, "[%d %s] %s",
+ errNum, errname, errstr);
+
+ PR_ASSERT(count != -1);
+
+ return ebuf;
+}
+
+/* NSS_StrerrorTS is a thread safe version of NSS_Strerror.
+ * It formats output into a buffer allocated at run time.
+ * The buffer is allocated with PR_smprintf thus the string
+ * returned should be freed with PR_smprintf_free.
+ */
+char *
+NSS_StrerrorTS(PRErrorCode errNum, ReportFormatType format)
+{
+ char *errstr = NSS_Strerror(errNum, format);
+
+ return PR_smprintf("[%d %s] %s",
+ errNum, PR_ErrorToName(errNum), errstr ? errstr : "");
+}
+
+/* Prints an error message on the standard error output, describing the last
+ * error encountered during a call to an NSS library function.
+ *
+ * A language-dependent error message is written and formatted to
+ * the standard error stream as follows:
+ *
+ * If s is not a NULL or empty, prints the string pointed to by s followed
+ * by a colon and a space and then the error message string followed by a
+ * newline.
+ *
+ * NSS_Perror is partially modeled after the posix function perror.
+ */
+void
+NSS_Perror(const char *s, ReportFormatType format)
+{
+ PRErrorCode err;
+ char *errString;
+
+ if (!s || PORT_Strlen(s) == 0) {
+ return;
+ }
+
+ err = PORT_GetError();
+ errString = NSS_Strerror(err, format);
+
+ fprintf(stderr, "%s: ", s);
+
+ if (errString != NULL && PORT_Strlen(errString) > 0) {
+ fprintf(stderr, "%s\n", errString);
+ } else {
+ fprintf(stderr, "Unknown error: %d\n", (int)err);
+ }
+}
diff --git a/security/nss/lib/util/errstrs.h b/security/nss/lib/util/errstrs.h
new file mode 100644
index 00000000000..2e71eed7d36
--- /dev/null
+++ b/security/nss/lib/util/errstrs.h
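Review bot: `NSS_StrerrorTS` in errstrs.c is documented as thread safe, yet it takes its text from `NSS_Strerror(errNum, format)`, which for `formatIncludeErrorCode` writes into the shared static `ebuf`. It then prepends `[%d %s]` a second time, so that format yields a doubled prefix and `formatSimple` gets a prefix it did not ask for. Building the result from `nss_Strerror(errNum)` and adding the prefix only for `formatIncludeErrorCode` fixes both, as sketched below. In `NSS_Strerror`, `count` is a `PRUint32` checked only by `PR_ASSERT(count != -1)`, so a formatting failure or a message cut off at `EBUFF_SIZE` passes silently in non-debug builds. `NSS_Perror` returns without printing anything when `s` is NULL or empty, which its comment does not describe.

```c
char *
NSS_StrerrorTS(PRErrorCode errNum, ReportFormatType format)
{
    /* nss_Strerror() returns the table string and never touches ebuf. */
    const char *errstr = nss_Strerror(errNum);
    const char *errname;

    if (!errstr) errstr = "";
    if (format == formatSimple)
        return PR_smprintf("%s", errstr);

    errname = PR_ErrorToName(errNum);
    return PR_smprintf("[%d %s] %s", errNum, errname ? errname : "", errstr);
}
```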
@@ -0,0 +1,56 @@ +/* + * NSS utility functions + * + * ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is Network Security Services. + * + * The Initial Developer of the Original Code is + * Red Hat Inc. + * Portions created by the Initial Developer are Copyright (C) 2009 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. 
+ * + * ***** END LICENSE BLOCK ***** */ + +#ifndef __errstrs_h_ +#define __errstrs_h_ + +#include "prerror.h" + +#ifndef RC_INVOKED +#include "seccomon.h" +#endif + +SEC_BEGIN_PROTOS + +extern PRStatus +nss_InitializePRErrorTable(void); + +SEC_END_PROTOS + +#endif /* __errstrs_h_ */ diff --git a/security/nss/lib/util/manifest.mn b/security/nss/lib/util/manifest.mn index 74ddd9244e5..aeafda9fc8a 100644 --- a/security/nss/lib/util/manifest.mn +++ b/security/nss/lib/util/manifest.mn @@ -70,6 +70,7 @@ EXPORTS = \ $(NULL) PRIVATE_EXPORTS = \ + errstrs.h \ templates.c \ $(NULL) @@ -80,6 +81,7 @@ CSRCS = \ derenc.c \ dersubr.c \ dertime.c \ + errstrs.c \ nssb64d.c \ nssb64e.c \ nssrwlk.c \ diff --git a/security/nss/lib/util/nssb64d.c b/security/nss/lib/util/nssb64d.c index 6358fbe51f0..c97a55f9609 100644 --- a/security/nss/lib/util/nssb64d.c +++ b/security/nss/lib/util/nssb64d.c @@ -37,7 +37,7 @@ /* * Base64 decoding (ascii to binary). * - * $Id: nssb64d.c,v 1.7.32.1 2011/05/07 18:20:53 kaie%kuix.de Exp $ + * $Id: nssb64d.c,v 1.8 2011/05/07 18:20:45 kaie%kuix.de Exp $ */ #include "nssb64.h" diff --git a/security/nss/lib/util/nssutil.def b/security/nss/lib/util/nssutil.def index aa965053f69..bc255f35978 100644 --- a/security/nss/lib/util/nssutil.def +++ b/security/nss/lib/util/nssutil.def @@ -254,3 +254,13 @@ PORT_RegExpSearch; ;+ local: ;+ *; ;+}; +;+NSS_3.13 { # NSS 3.13 release +;+ global: +NSSUTIL_GetVersion; +NSS_InitializePRErrorTable; +NSS_Strerror; +NSS_StrerrorTS; +NSS_Perror; +;+ local: +;+ *; +;+}; diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h index 26b474be5ea..afae7e895b8 100644 --- a/security/nss/lib/util/nssutil.h +++ b/security/nss/lib/util/nssutil.h @@ -41,6 +41,7 @@ #define __nssutil_h_ #ifndef RC_INVOKED +#include "prerror.h" #include "seccomon.h" #endif 
@@ -51,11 +52,71 @@ * The format of the version string should be * ".[.[.]][ ]" */ -#define NSSUTIL_VERSION "3.12.11.0" +#define NSSUTIL_VERSION "3.13.0.0 Beta" #define NSSUTIL_VMAJOR 3 -#define NSSUTIL_VMINOR 12 -#define NSSUTIL_VPATCH 11 +#define NSSUTIL_VMINOR 13 +#define NSSUTIL_VPATCH 0 #define NSSUTIL_VBUILD 0 -#define NSSUTIL_BETA PR_FALSE +#define NSSUTIL_BETA PR_TRUE + +typedef enum { + formatSimple = 0, + formatIncludeErrorCode +} ReportFormatType; + + +SEC_BEGIN_PROTOS + +/* + * Returns a const string of the UTIL library version. + */ +extern const char *NSSUTIL_GetVersion(void); + +extern PRStatus +NSS_InitializePRErrorTable(void); + +/* Returns a UTF-8 encoded constant error string for "errNum". + * Returns NULL if either initialization of the error tables + * or formatting fails due to insufficient memory. + * + * The format argument indicates whether extra error information + * is desired. This is useful when localizations are not yet + * available and the mapping would return nothing for a locale. + * + * Specify formatSimple to get just the error string as mapped. + * Specify formatIncludeErrorCode to format the error code + * numeric value plus a bracketed stringized error name + * preappended to the mapped error string. + * + * Additional formatting options may be added in teh future + * + * This string must not be modified by the application, but may be modified by + * a subsequent call to NSS_Perror() or NSS_Strerror(). + */ +extern char * +NSS_Strerror(PRErrorCode errNum, ReportFormatType format); + +/* NSS_StrerrorTS is a thread safe version of NSS_Strerror. + * It formats output into a buffer allocated at run time. + * The buffer is allocated with PR_smprintf thus the string + * returned should be freed with PR_smprintf_free. 
+ */ +extern char * +NSS_StrerrorTS(PRErrorCode errNum, ReportFormatType format); + +/* Prints an error message on the standard error output, describing the last + * error encountered during a call to an NSS library function. + * + * A language-dependent error message is written and formatted to the standard + * error stream as follows: + * + * If s is not a null pointer or empty, it prints the string pointed to + * by s followed by a colon and a space and then the error message string + * followed by a newline. + */ +extern void +NSS_Perror(const char *s, ReportFormatType format); + +SEC_END_PROTOS #endif /* __nssutil_h_ */ diff --git a/security/nss/lib/util/pkcs11n.h b/security/nss/lib/util/pkcs11n.h index 833e7008b44..0db95a004e6 100644 --- a/security/nss/lib/util/pkcs11n.h +++ b/security/nss/lib/util/pkcs11n.h @@ -39,7 +39,7 @@ #define _PKCS11N_H_ #ifdef DEBUG -static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.19.22.2 $ $Date: 2010/12/04 19:10:46 $"; +static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.22 $ $Date: 2011/04/13 00:10:27 $"; #endif /* DEBUG */ /* 
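Review bot: `NSS_Strerror` is declared in nssutil.h as returning `char *` although its comment says the string is constant and must not be modified by the application. The function is new exported API in this hunk, so `extern const char *NSS_Strerror(PRErrorCode errNum, ReportFormatType format);` would let the compiler enforce that rule at no compatibility cost. The comment should also say outright that the `formatIncludeErrorCode` result lives in one static buffer shared by all threads, and point callers that need thread safety to `NSS_StrerrorTS`. The `NSS_Perror` comment should state what happens when `s` is NULL or empty.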
@@ -330,17 +330,72 @@ typedef CK_ULONG CK_TRUST; /* If trust goes standard, these'll probably drop out of vendor space. */ #define CKT_NSS_TRUSTED (CKT_NSS + 1) #define CKT_NSS_TRUSTED_DELEGATOR (CKT_NSS + 2) -#define CKT_NSS_UNTRUSTED (CKT_NSS + 3) -#define CKT_NSS_MUST_VERIFY (CKT_NSS + 4) +#define CKT_NSS_MUST_VERIFY_TRUST (CKT_NSS + 3) +#define CKT_NSS_NOT_TRUSTED (CKT_NSS + 10) #define CKT_NSS_TRUST_UNKNOWN (CKT_NSS + 5) /* default */ /* * These may well remain NSS-specific; I'm only using them * to cache resolution data. */ -#define CKT_NSS_VALID (CKT_NSS + 10) #define CKT_NSS_VALID_DELEGATOR (CKT_NSS + 11) + +/* + * old definitions. They still exist, but the plain meaning of the + * labels have never been accurate to was was really implemented. + * The new labels correctly reflect what the values effectively mean. + */ +#if __GNUC__ > 3 +/* make GCC warn when we use these #defines */ +/* + * This is really painful because GCC doesn't allow us to mark random + * #defines as deprecated. We can only mark the following: + * functions, variables, and types. + * const variables will create extra storage for everyone including this + * header file, so it's undesirable. + * functions could be inlined to prevent storage creation, but will fail + * when constant values are expected (like switch statements). + * enum types do not seem to pay attention to the deprecated attribute. + * + * That leaves typedefs. We declare new types that we then deprecate, then + * cast the resulting value to the deprecated type in the #define, thus + * producting the warning when the #define is used. + */ +#if (__GNUC__ == 4) && (__GNUC_MINOR < 5) +/* The mac doesn't like the friendlier deprecate messages. 
I'm assuming this + * is a gcc version issue rather than mac or ppc specific */ +typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated)); +typedef CK_TRUST __CKT_NSS_VALID __attribute__ ((deprecated)); +typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated)); +#else +/* when possible, get a full deprecation warning. This works on gcc 4.5 + * it may work on earlier versions of gcc */ +typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated + ("CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST"))); +typedef CK_TRUST __CKT_NSS_VALID __attribute__ ((deprecated + ("CKT_NSS_VALID really means CKT_NSS_NOT_TRUSTED"))); +typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated + ("CKT_NSS_MUST_VERIFY really functions as CKT_NSS_TRUST_UNKNOWN"))); +#endif +#define CKT_NSS_UNTRUSTED ((__CKT_NSS_UNTRUSTED)CKT_NSS_MUST_VERIFY_TRUST) +#define CKT_NSS_VALID ((__CKT_NSS_VALID) CKT_NSS_NOT_TRUSTED) +/* keep the old value for compatibility reasons*/ +#define CKT_NSS_MUST_VERIFY ((__CKT_NSS_MUST_VERIFY)(CKT_NSS +4)) +#else +#ifdef _WIN32 +/* This magic gets the windows compiler to give us a deprecation + * warning */ +#pragma deprecated(CKT_NSS_UNTRUSTED, CKT_NSS_MUST_VERIFY, CKT_NSS_VALID) +#endif +/* CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST */ +#define CKT_NSS_UNTRUSTED CKT_NSS_MUST_VERIFY_TRUST +/* CKT_NSS_VALID really means CKT_NSS_NOT_TRUSTED */ +#define CKT_NSS_VALID CKT_NSS_NOT_TRUSTED +/* CKT_NSS_MUST_VERIFY was always treated as CKT_NSS_TRUST_UNKNOWN */ +#define CKT_NSS_MUST_VERIFY (CKT_NSS + 4) /*really means trust unknown*/ +#endif + /* don't leave old programs in a lurch just yet, give them the old NETSCAPE * synonym */ #define CKO_NETSCAPE_CRL CKO_NSS_CRL 
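Review bot: The version test `#if (__GNUC__ == 4) && (__GNUC_MINOR < 5)` names `__GNUC_MINOR`, which is not the predefined macro; it should be `#if (__GNUC__ == 4) && (__GNUC_MINOR__ < 5)`. An undefined identifier evaluates to 0 in `#if`, so as written every GCC 4.x takes the plain `deprecated` branch and the message-carrying typedefs are reached only by GCC 5 and later, the opposite of what the "works on gcc 4.5" comment intends. The helper typedef names `__CKT_NSS_UNTRUSTED`, `__CKT_NSS_VALID` and `__CKT_NSS_MUST_VERIFY` begin with a double underscore, which is reserved for the implementation. The numeric values are unchanged (`CKT_NSS + 3`, `+ 10`, `+ 4`) and only the labels move, so the comment should say explicitly that code which used `CKT_NSS_UNTRUSTED` to express distrust must switch to `CKT_NSS_NOT_TRUSTED`, since the old name keeps its must-verify value.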
@@ -367,6 +422,7 @@ typedef CK_ULONG CK_TRUST; #define CKM_NETSCAPE_AES_KEY_WRAP_PAD CKM_NSS_AES_KEY_WRAP_PAD #define CKR_NETSCAPE_CERTDB_FAILED CKR_NSS_CERTDB_FAILED #define CKR_NETSCAPE_KEYDB_FAILED CKR_NSS_KEYDB_FAILED + #define CKT_NETSCAPE_TRUSTED CKT_NSS_TRUSTED #define CKT_NETSCAPE_TRUSTED_DELEGATOR CKT_NSS_TRUSTED_DELEGATOR #define CKT_NETSCAPE_UNTRUSTED CKT_NSS_UNTRUSTED diff --git a/security/nss/lib/util/quickder.c b/security/nss/lib/util/quickder.c index 29a5821476f..3f4f20ccf84 100644 --- a/security/nss/lib/util/quickder.c +++ b/security/nss/lib/util/quickder.c @@ -102,7 +102,7 @@ static unsigned char* definite_length_decoder(const unsigned char *buf, static SECStatus GetItem(SECItem* src, SECItem* dest, PRBool includeTag) { - if ( (!src) || (!dest) || (!src->data) ) + if ( (!src) || (!dest) || (!src->data && src->len) ) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; @@ -136,13 +136,13 @@ static SECStatus MatchComponentType(const SEC_ASN1Template* templateEntry, unsigned long kind = 0; unsigned char tag = 0; - if ( (!item) || (!templateEntry) || (!match) ) + if ( (!item) || (!item->data && item->len) || (!templateEntry) || (!match) ) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - if (!item->len || !item->data) + if (!item->len) { *match = PR_FALSE; return SECSuccess; diff --git a/security/nss/lib/util/secasn1e.c b/security/nss/lib/util/secasn1e.c index 4f058e2b4ed..d0331e31df9 100644 --- a/security/nss/lib/util/secasn1e.c +++ b/security/nss/lib/util/secasn1e.c @@ -38,7 +38,7 @@ * Support for ENcoding ASN.1 data based on BER/DER (Basic/Distinguished * Encoding Rules). * - * $Id: secasn1e.c,v 1.21.66.1 2011/01/13 00:26:57 wtc%google.com Exp $ + * $Id: secasn1e.c,v 1.22 2011/01/13 00:23:33 wtc%google.com Exp $ */ #include "secasn1.h" diff --git a/security/nss/lib/util/secdig.c b/security/nss/lib/util/secdig.c index 85f5dacb732..aca029a656f 100644 --- a/security/nss/lib/util/secdig.c +++ b/security/nss/lib/util/secdig.c 
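Review bot: After this change `GetItem` accepts a `src` whose `data` is NULL as long as `len` is 0, but the rest of its body lies outside the hunk, so it cannot be confirmed here that the code that follows tolerates a NULL `src->data`. `MatchComponentType` handles the same shape explicitly with `if (!item->len)` and returns no match before touching the buffer. An equivalent early exit for the empty item in `GetItem` would make the relaxed check auditable; failing that, add a comment such as `/* data may be NULL when len is 0; nothing below dereferences it in that case */`, once that has been verified.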
@@ -33,7 +33,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: secdig.c,v 1.9 2007/11/07 02:37:22 julien.pierre.boogz%sun.com Exp $ */ +/* $Id: secdig.c,v 1.10 2010/08/18 05:56:55 emaldona%redhat.com Exp $ */ #include "secdig.h" #include "secoid.h" @@ -74,6 +74,7 @@ SGN_CreateDigestInfo(SECOidTag algorithm, unsigned char *sig, unsigned len) case SEC_OID_MD2: case SEC_OID_MD5: case SEC_OID_SHA1: + case SEC_OID_SHA224: case SEC_OID_SHA256: case SEC_OID_SHA384: case SEC_OID_SHA512: diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c index 382f3c377f8..cbb6f868d6a 100644 --- a/security/nss/lib/util/secitem.c +++ b/security/nss/lib/util/secitem.c @@ -37,7 +37,7 @@ /* * Support routines for SECItem data structure. * - * $Id: secitem.c,v 1.15 2008/11/19 16:04:38 nelson%bolyard.com Exp $ + * $Id: secitem.c,v 1.16 2011/07/22 21:22:40 wtc%google.com Exp $ */ #include "seccomon.h" @@ -251,6 +251,10 @@ SECITEM_CopyItem(PRArenaPool *arena, SECItem *to, const SECItem *from) PORT_Memcpy(to->data, from->data, from->len); to->len = from->len; } else { + /* + * If from->data is NULL but from->len is nonzero, this function + * will succeed. Is this right? + */ to->data = 0; to->len = 0; } diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c index aabfc8eb378..c72289723cc 100644 --- a/security/nss/lib/util/secoid.c +++ b/security/nss/lib/util/secoid.c @@ -178,6 +178,7 @@ const char __nss_util_sccsid[] = "@(#)NSS " NSSUTIL_VERSION _DEBUG_STRING /* Microsoft Object ID space */ /* { 1.3.6.1.4.1.311 } */ #define MICROSOFT_OID 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37 +#define EV_NAME_ATTRIBUTE MICROSOFT_OID, 60, 2, 1 #define CERTICOM_OID 0x2b, 0x81, 0x04 #define SECG_OID CERTICOM_OID, 0x00 
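Review bot: The comment added to `SECITEM_CopyItem` in secitem.c records an open question rather than a decision: in this branch an item with NULL `data` but nonzero `len` is copied as an empty item and, per the comment, the call succeeds. The quickder.c change in this same commit rejects exactly that shape (`!src->data && src->len`) with `SEC_ERROR_INVALID_ARGS`, so the two helpers now disagree on whether it is malformed input. Either reject it here as well or replace the question with the intended contract, for example `/* A NULL data pointer is treated as an empty item; from->len is ignored. */`. The `if` condition that selects this branch is outside the hunk.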
@@ -295,6 +296,7 @@ CONST_OID x520StreetAddress[] = { X520_ATTRIBUTE_TYPE, 9 }; CONST_OID x520OrgName[] = { X520_ATTRIBUTE_TYPE, 10 }; CONST_OID x520OrgUnitName[] = { X520_ATTRIBUTE_TYPE, 11 }; CONST_OID x520Title[] = { X520_ATTRIBUTE_TYPE, 12 }; +CONST_OID x520BusinessCategory[] = { X520_ATTRIBUTE_TYPE, 15 }; CONST_OID x520PostalAddress[] = { X520_ATTRIBUTE_TYPE, 16 }; CONST_OID x520PostalCode[] = { X520_ATTRIBUTE_TYPE, 17 }; CONST_OID x520PostOfficeBox[] = { X520_ATTRIBUTE_TYPE, 18 }; @@ -521,6 +523,7 @@ CONST_OID camellia256_KEY_WRAP[] = { CAMELLIA_WRAP_OID, 4}; CONST_OID sha256[] = { SHAXXX, 1 }; CONST_OID sha384[] = { SHAXXX, 2 }; CONST_OID sha512[] = { SHAXXX, 3 }; +CONST_OID sha224[] = { SHAXXX, 4 }; CONST_OID ansix962ECPublicKey[] = { ANSI_X962_OID, 0x02, 0x01 }; CONST_OID ansix962SignaturewithSHA1Digest[] = { ANSI_X962_SIGNATURE_OID, 0x01 }; @@ -602,6 +605,10 @@ CONST_OID secgECsect571r1[] = {SECG_OID, 0x27 }; CONST_OID seed_CBC[] = { SEED_OID, 4 }; +CONST_OID evIncorporationLocality[] = { EV_NAME_ATTRIBUTE, 1 }; +CONST_OID evIncorporationState[] = { EV_NAME_ATTRIBUTE, 2 }; +CONST_OID evIncorporationCountry[] = { EV_NAME_ATTRIBUTE, 3 }; + #define OI(x) { siDEROID, (unsigned char *)x, sizeof x } #ifndef SECOID_NO_STRINGS #define OD(oid,tag,desc,mech,ext) { OI(oid), tag, desc, mech, ext } 
@@ -1636,6 +1643,22 @@ const static SECOidData oids[SEC_OID_TOTAL] = { OD( pkcs1SHA224WithRSAEncryption, SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION, "PKCS #1 SHA-224 With RSA Encryption", CKM_SHA224_RSA_PKCS, INVALID_CERT_EXTENSION ), + + OD( sha224, SEC_OID_SHA224, "SHA-224", CKM_SHA224, INVALID_CERT_EXTENSION), + + OD( evIncorporationLocality, SEC_OID_EV_INCORPORATION_LOCALITY, + "Jurisdiction of Incorporation Locality Name", + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), + OD( evIncorporationState, SEC_OID_EV_INCORPORATION_STATE, + "Jurisdiction of Incorporation State Name", + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), + OD( evIncorporationCountry, SEC_OID_EV_INCORPORATION_COUNTRY, + "Jurisdiction of Incorporation Country Name", + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), + OD( x520BusinessCategory, SEC_OID_BUSINESS_CATEGORY, + "Business Category", + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), + }; /* PRIVATE EXTENDED SECOID Table @@ -2174,4 +2197,8 @@ void UTIL_SetForkState(PRBool forked) parentForkedAfterC_Initialize = forked; } - +const char * +NSSUTIL_GetVersion(void) +{ + return NSSUTIL_VERSION; +} diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h index ad31803061e..24c854728b8 100644 --- a/security/nss/lib/util/secoidt.h +++ b/security/nss/lib/util/secoidt.h @@ -43,7 +43,7 @@ /* * secoidt.h - public data structures for ASN.1 OID functions * - * $Id: secoidt.h,v 1.31 2010/05/28 01:26:07 wtc%google.com Exp $ + * $Id: secoidt.h,v 1.34 2010/09/18 21:17:53 nelson%bolyard.com Exp $ */ #include "secitem.h" @@ -274,6 +274,9 @@ typedef enum { SEC_OID_X942_DIFFIE_HELMAN_KEY = 174, /* Netscape other name types */ + /* SEC_OID_NETSCAPE_NICKNAME is an otherName field of type IA5String + * in the subjectAltName certificate extension. NSS dropped support + * for SEC_OID_NETSCAPE_NICKNAME in NSS 3.13. */ SEC_OID_NETSCAPE_NICKNAME = 175, /* Cert Server OIDS */ 
@@ -456,6 +459,13 @@ typedef enum { SEC_OID_PKCS1_RSA_PSS_SIGNATURE = 307, SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION = 308, + SEC_OID_SHA224 = 309, + + SEC_OID_EV_INCORPORATION_LOCALITY = 310, + SEC_OID_EV_INCORPORATION_STATE = 311, + SEC_OID_EV_INCORPORATION_COUNTRY = 312, + SEC_OID_BUSINESS_CATEGORY = 313, + SEC_OID_TOTAL } SECOidTag; diff --git a/security/nss/lib/zlib/Makefile b/security/nss/lib/zlib/Makefile index 52596b760fd..2627d9d8cf6 100644 --- a/security/nss/lib/zlib/Makefile +++ b/security/nss/lib/zlib/Makefile @@ -79,10 +79,9 @@ export:: private_export test: $(PROGRAMS) @cd $(OBJDIR); \ - echo hello world | ./minigzip | ./minigzip -d || \ - echo ' *** minigzip test FAILED ***' ; \ - if ./example; then \ + if echo hello world | ./minigzip | ./minigzip -d && ./example; then \ echo ' *** zlib test OK ***'; \ else \ - echo ' *** zlib test FAILED ***'; \ + echo ' *** zlib test FAILED ***'; false; \ fi + -@rm -f foo.gz diff --git a/security/nss/lib/zlib/README b/security/nss/lib/zlib/README index 92639fcea00..d4219bf889f 100644 --- a/security/nss/lib/zlib/README +++ b/security/nss/lib/zlib/README 
@@ -1,56 +1,52 @@ ZLIB DATA COMPRESSION LIBRARY -zlib 1.2.3 is a general purpose data compression library. All the code is +zlib 1.2.5 is a general purpose data compression library. All the code is thread safe. The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files http://www.ietf.org/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format) -and rfc1952.txt (gzip format). These documents are also available in other -formats from ftp://ftp.uu.net/graphics/png/documents/zlib/zdoc-index.html +and rfc1952.txt (gzip format). All functions of the compression library are documented in the file zlib.h -(volunteer to write man pages welcome, contact zlib@gzip.org). A usage example +(volunteer to write man pages welcome, contact zlib@gzip.org). A usage example of the library is given in the file example.c which also tests that the library -is working correctly. Another example is given in the file minigzip.c. The +is working correctly. Another example is given in the file minigzip.c. The compression library itself is composed of all source files except example.c and minigzip.c. To compile all files and run the test program, follow the instructions given at -the top of Makefile. In short "make test; make install" should work for most -machines. For Unix: "./configure; make test; make install". For MSDOS, use one -of the special makefiles such as Makefile.msc. +the top of Makefile.in. In short "./configure; make test", and if that goes +well, "make install" should work for most flavors of Unix. For Windows, use one +of the special makefiles in win32/ or contrib/vstudio/ . For VMS, use +make_vms.com. Questions about zlib should be sent to , or to Gilles Vollant - for the Windows DLL version. 
The zlib home page is -http://www.zlib.org or http://www.gzip.org/zlib/ Before reporting a problem, -please check this site to verify that you have the latest version of zlib; -otherwise get the latest version and check whether the problem still exists or -not. + for the Windows DLL version. The zlib home page is +http://zlib.net/ . Before reporting a problem, please check this site to +verify that you have the latest version of zlib; otherwise get the latest +version and check whether the problem still exists or not. -PLEASE read the zlib FAQ http://www.gzip.org/zlib/zlib_faq.html before asking -for help. +PLEASE read the zlib FAQ http://zlib.net/zlib_faq.html before asking for help. -Mark Nelson wrote an article about zlib for the Jan. 1997 -issue of Dr. Dobb's Journal; a copy of the article is available in -http://dogma.net/markn/articles/zlibtool/zlibtool.htm +Mark Nelson wrote an article about zlib for the Jan. 1997 +issue of Dr. Dobb's Journal; a copy of the article is available at +http://marknelson.us/1997/01/01/zlib-engine/ . -The changes made in version 1.2.3 are documented in the file ChangeLog. +The changes made in version 1.2.5 are documented in the file ChangeLog. -Unsupported third party contributions are provided in directory "contrib". +Unsupported third party contributions are provided in directory contrib/ . -A Java implementation of zlib is available in the Java Development Kit -http://java.sun.com/j2se/1.4.2/docs/api/java/util/zip/package-summary.html -See the zlib home page http://www.zlib.org for details. +zlib is available in Java using the java.util.zip package, documented at +http://java.sun.com/developer/technicalArticles/Programming/compression/ . 
-A Perl interface to zlib written by Paul Marquess is in the -CPAN (Comprehensive Perl Archive Network) sites -http://www.cpan.org/modules/by-module/Compress/ +A Perl interface to zlib written by Paul Marquess is available +at CPAN (Comprehensive Perl Archive Network) sites, including +http://search.cpan.org/~pmqs/IO-Compress-Zlib/ . A Python interface to zlib written by A.M. Kuchling is available in Python 1.5 and later versions, see -http://www.python.org/doc/lib/module-zlib.html +http://www.python.org/doc/lib/module-zlib.html . -A zlib binding for TCL written by Andreas Kupries is -availlable at http://www.oche.de/~akupries/soft/trf/trf_zip.html +zlib is built into tcl: http://wiki.tcl.tk/4610 . An experimental package to read and write files in .zip format, written on top of zlib by Gilles Vollant , is available in the 
@@ -74,25 +70,21 @@ Notes for some targets: - zlib doesn't work on HP-UX 9.05 with some versions of /bin/cc. It works with other compilers. Use "make test" to check your compiler. -- gzdopen is not supported on RISCOS, BEOS and by some Mac compilers. +- gzdopen is not supported on RISCOS or BEOS. - For PalmOs, see http://palmzlib.sourceforge.net/ -- When building a shared, i.e. dynamic library on Mac OS X, the library must be - installed before testing (do "make install" before "make test"), since the - library location is specified in the library. - Acknowledgments: - The deflate format used by zlib was defined by Phil Katz. The deflate - and zlib specifications were written by L. Peter Deutsch. Thanks to all the - people who reported problems and suggested various improvements in zlib; - they are too numerous to cite here. + The deflate format used by zlib was defined by Phil Katz. The deflate and + zlib specifications were written by L. Peter Deutsch. Thanks to all the + people who reported problems and suggested various improvements in zlib; they + are too numerous to cite here. Copyright notice: - (C) 1995-2004 Jean-loup Gailly and Mark Adler + (C) 1995-2010 Jean-loup Gailly and Mark Adler This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages 
@@ -113,13 +105,11 @@ Copyright notice: Jean-loup Gailly Mark Adler jloup@gzip.org madler@alumni.caltech.edu -If you use the zlib library in a product, we would appreciate *not* -receiving lengthy legal documents to sign. The sources are provided -for free but without warranty of any kind. The library has been -entirely written by Jean-loup Gailly and Mark Adler; it does not -include third-party code. +If you use the zlib library in a product, we would appreciate *not* receiving +lengthy legal documents to sign. The sources are provided for free but without +warranty of any kind. The library has been entirely written by Jean-loup +Gailly and Mark Adler; it does not include third-party code. -If you redistribute modified sources, we would appreciate that you include -in the file ChangeLog history information documenting your changes. Please -read the FAQ for more information on the distribution of modified source -versions. +If you redistribute modified sources, we would appreciate that you include in +the file ChangeLog history information documenting your changes. Please read +the FAQ for more information on the distribution of modified source versions. diff --git a/security/nss/lib/zlib/README.nss b/security/nss/lib/zlib/README.nss new file mode 100644 index 00000000000..58ad213a0ab --- /dev/null +++ b/security/nss/lib/zlib/README.nss @@ -0,0 +1,18 @@ +zlib data compression library + +URL: http://zlib.net/ +Version: 1.2.5 +License: zlib License +License File: http://zlib.net/zlib_license.html + +Description: + +NSS uses zlib in libSSL (for the DEFLATE compression method), modutil, and +signtool. + +Local Modifications: + +- patches/prune-zlib.sh: run this shell script to remove unneeded files + from the zlib distribution. +- patches/msvc-vsnprintf.patch: define HAVE_VSNPRINTF for Visual C++ 2008 + (9.0) and later. diff --git a/security/nss/lib/zlib/adler32.c b/security/nss/lib/zlib/adler32.c index b5c0433a4d6..2d78e988c1e 100644 
--- a/security/nss/lib/zlib/adler32.c +++ b/security/nss/lib/zlib/adler32.c @@ -1,12 +1,15 @@ /* adler32.c -- compute the Adler-32 checksum of a data stream - * Copyright (C) 1995-2004 Mark Adler + * Copyright (C) 1995-2007 Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ -/* @(#) $Id: adler32.c,v 1.5 2009/11/07 01:13:10 wtchang%redhat.com Exp $ */ +/* @(#) $Id: adler32.c,v 1.6 2010/08/22 01:07:02 wtc%google.com Exp $ */ -#define ZLIB_INTERNAL -#include "zlib.h" +#include "zutil.h" + +#define local static + +local uLong adler32_combine_(uLong adler1, uLong adler2, z_off64_t len2); #define BASE 65521UL /* largest prime smaller than 65536 */ #define NMAX 5552 @@ -125,10 +128,10 @@ uLong ZEXPORT adler32(adler, buf, len) } /* ========================================================================= */ -uLong ZEXPORT adler32_combine(adler1, adler2, len2) +local uLong adler32_combine_(adler1, adler2, len2) uLong adler1; uLong adler2; - z_off_t len2; + z_off64_t len2; { unsigned long sum1; unsigned long sum2; @@ -141,9 +144,26 @@ uLong ZEXPORT adler32_combine(adler1, adler2, len2) MOD(sum2); sum1 += (adler2 & 0xffff) + BASE - 1; sum2 += ((adler1 >> 16) & 0xffff) + ((adler2 >> 16) & 0xffff) + BASE - rem; - if (sum1 > BASE) sum1 -= BASE; - if (sum1 > BASE) sum1 -= BASE; - if (sum2 > (BASE << 1)) sum2 -= (BASE << 1); - if (sum2 > BASE) sum2 -= BASE; + if (sum1 >= BASE) sum1 -= BASE; + if (sum1 >= BASE) sum1 -= BASE; + if (sum2 >= (BASE << 1)) sum2 -= (BASE << 1); + if (sum2 >= BASE) sum2 -= BASE; return sum1 | (sum2 << 16); } + +/* ========================================================================= */ +uLong ZEXPORT adler32_combine(adler1, adler2, len2) + uLong adler1; + uLong adler2; + z_off_t len2; +{ + return adler32_combine_(adler1, adler2, len2); +} + +uLong ZEXPORT adler32_combine64(adler1, adler2, len2) + uLong adler1; + uLong adler2; + z_off64_t len2; +{ + return adler32_combine_(adler1, adler2, len2); +} 
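Review bot: adler32_combine_ now takes a signed `z_off64_t len2`, but the hunks show no guard for a negative length, whereas crc32_combine_ in this same patch gains `if (len2 <= 0) return crc1;`. `rem` is computed outside the visible lines, presumably from `len2`, so a negative value would feed `BASE - rem` with an unintended remainder and return a meaningless checksum rather than an error. Later upstream zlib releases add an early return for `len2 < 0`. Since this directory is vendored, taking that fix from upstream, or recording a local patch under Local Modifications in README.nss, is preferable to diverging silently. The body of adler32_combine_ between the two hunks is not visible here.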
diff --git a/security/nss/lib/zlib/compress.c b/security/nss/lib/zlib/compress.c index 61827842809..9c336819487 100644 --- a/security/nss/lib/zlib/compress.c +++ b/security/nss/lib/zlib/compress.c @@ -1,9 +1,9 @@ /* compress.c -- compress a memory buffer - * Copyright (C) 1995-2003 Jean-loup Gailly. + * Copyright (C) 1995-2005 Jean-loup Gailly. * For conditions of distribution and use, see copyright notice in zlib.h */ -/* @(#) $Id: compress.c,v 1.5 2009/11/07 01:13:10 wtchang%redhat.com Exp $ */ +/* @(#) $Id: compress.c,v 1.6 2010/08/22 01:07:02 wtc%google.com Exp $ */ #define ZLIB_INTERNAL #include "zlib.h" @@ -75,5 +75,6 @@ int ZEXPORT compress (dest, destLen, source, sourceLen) uLong ZEXPORT compressBound (sourceLen) uLong sourceLen; { - return sourceLen + (sourceLen >> 12) + (sourceLen >> 14) + 11; + return sourceLen + (sourceLen >> 12) + (sourceLen >> 14) + + (sourceLen >> 25) + 13; } diff --git a/security/nss/lib/zlib/crc32.c b/security/nss/lib/zlib/crc32.c index 3126c689ed0..70663a13707 100644 --- a/security/nss/lib/zlib/crc32.c +++ b/security/nss/lib/zlib/crc32.c @@ -1,5 +1,5 @@ /* crc32.c -- compute the CRC-32 of a data stream - * Copyright (C) 1995-2005 Mark Adler + * Copyright (C) 1995-2006, 2010 Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h * * Thanks to Rodney Brown for his contribution of faster @@ -9,7 +9,7 @@ * factor of two increase in speed on a Power PC G4 (PPC7455) using gcc -O3. */ -/* @(#) $Id: crc32.c,v 1.5 2009/11/07 01:13:10 wtchang%redhat.com Exp $ */ +/* @(#) $Id: crc32.c,v 1.6 2010/08/22 01:07:03 wtc%google.com Exp $ */ /* Note on the use of DYNAMIC_CRC_TABLE: there is no mutex or semaphore 
@@ -53,7 +53,7 @@ /* Definitions for doing the crc four data bytes at a time. */ #ifdef BYFOUR -# define REV(w) (((w)>>24)+(((w)>>8)&0xff00)+ \ +# define REV(w) ((((w)>>24)&0xff)+(((w)>>8)&0xff00)+ \ (((w)&0xff00)<<8)+(((w)&0xff)<<24)) local unsigned long crc32_little OF((unsigned long, const unsigned char FAR *, unsigned)); @@ -68,6 +68,8 @@ local unsigned long gf2_matrix_times OF((unsigned long *mat, unsigned long vec)); local void gf2_matrix_square OF((unsigned long *square, unsigned long *mat)); +local uLong crc32_combine_(uLong crc1, uLong crc2, z_off64_t len2); + #ifdef DYNAMIC_CRC_TABLE @@ -219,7 +221,7 @@ const unsigned long FAR * ZEXPORT get_crc_table() unsigned long ZEXPORT crc32(crc, buf, len) unsigned long crc; const unsigned char FAR *buf; - unsigned len; + uInt len; { if (buf == Z_NULL) return 0UL; @@ -367,22 +369,22 @@ local void gf2_matrix_square(square, mat) } /* ========================================================================= */ -uLong ZEXPORT crc32_combine(crc1, crc2, len2) +local uLong crc32_combine_(crc1, crc2, len2) uLong crc1; uLong crc2; - z_off_t len2; + z_off64_t len2; { int n; unsigned long row; unsigned long even[GF2_DIM]; /* even-power-of-two zeros operator */ unsigned long odd[GF2_DIM]; /* odd-power-of-two zeros operator */ - /* degenerate case */ - if (len2 == 0) + /* degenerate case (also disallow negative lengths) */ + if (len2 <= 0) return crc1; /* put operator for one zero bit in odd */ - odd[0] = 0xedb88320L; /* CRC-32 polynomial */ + odd[0] = 0xedb88320UL; /* CRC-32 polynomial */ row = 1; for (n = 1; n < GF2_DIM; n++) { odd[n] = row; 
@@ -421,3 +423,20 @@ uLong ZEXPORT crc32_combine(crc1, crc2, len2) crc1 ^= crc2; return crc1; } + +/* ========================================================================= */ +uLong ZEXPORT crc32_combine(crc1, crc2, len2) + uLong crc1; + uLong crc2; + z_off_t len2; +{ + return crc32_combine_(crc1, crc2, len2); +} + +uLong ZEXPORT crc32_combine64(crc1, crc2, len2) + uLong crc1; + uLong crc2; + z_off64_t len2; +{ + return crc32_combine_(crc1, crc2, len2); +} diff --git a/security/nss/lib/zlib/deflate.c b/security/nss/lib/zlib/deflate.c index 663eb0d4383..6b41b51db15 100644 --- a/security/nss/lib/zlib/deflate.c +++ b/security/nss/lib/zlib/deflate.c @@ -1,5 +1,5 @@ /* deflate.c -- compress data using the deflation algorithm - * Copyright (C) 1995-2005 Jean-loup Gailly. + * Copyright (C) 1995-2010 Jean-loup Gailly and Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ @@ -47,12 +47,12 @@ * */ -/* @(#) $Id: deflate.c,v 1.5 2009/11/07 01:13:10 wtchang%redhat.com Exp $ */ +/* @(#) $Id: deflate.c,v 1.6 2010/08/22 01:07:03 wtc%google.com Exp $ */ #include "deflate.h" const char deflate_copyright[] = - " deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly "; + " deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler "; /* If you use the zlib library in a product, an acknowledgment is welcome in the documentation of your product. If for some reason you cannot 
@@ -79,19 +79,18 @@ local block_state deflate_fast OF((deflate_state *s, int flush)); #ifndef FASTEST local block_state deflate_slow OF((deflate_state *s, int flush)); #endif +local block_state deflate_rle OF((deflate_state *s, int flush)); +local block_state deflate_huff OF((deflate_state *s, int flush)); local void lm_init OF((deflate_state *s)); local void putShortMSB OF((deflate_state *s, uInt b)); local void flush_pending OF((z_streamp strm)); local int read_buf OF((z_streamp strm, Bytef *buf, unsigned size)); -#ifndef FASTEST #ifdef ASMV void match_init OF((void)); /* asm code initialization */ uInt longest_match OF((deflate_state *s, IPos cur_match)); #else local uInt longest_match OF((deflate_state *s, IPos cur_match)); #endif -#endif -local uInt longest_match_fast OF((deflate_state *s, IPos cur_match)); #ifdef DEBUG local void check_match OF((deflate_state *s, IPos start, IPos match, @@ -110,11 +109,6 @@ local void check_match OF((deflate_state *s, IPos start, IPos match, #endif /* Matches of length 3 are discarded if their distance exceeds TOO_FAR */ -#define MIN_LOOKAHEAD (MAX_MATCH+MIN_MATCH+1) -/* Minimum amount of lookahead, except at the end of the input file. - * See deflate.c for comments about the MIN_MATCH+1. - */ - /* Values for max_lazy_match, good_match and max_chain_length, depending on * the desired pack level (0..9). The values given below have been tuned to * exclude worst case performance for pathological files. Better values may be @@ -288,6 +282,8 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy, s->prev = (Posf *) ZALLOC(strm, s->w_size, sizeof(Pos)); s->head = (Posf *) ZALLOC(strm, s->hash_size, sizeof(Pos)); + s->high_water = 0; /* nothing written to s->window yet */ + s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */ overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2); 
@@ -332,8 +328,8 @@ int ZEXPORT deflateSetDictionary (strm, dictionary, dictLength) strm->adler = adler32(strm->adler, dictionary, dictLength); if (length < MIN_MATCH) return Z_OK; - if (length > MAX_DIST(s)) { - length = MAX_DIST(s); + if (length > s->w_size) { + length = s->w_size; dictionary += dictLength - length; /* use the tail of the dictionary */ } zmemcpy(s->window, dictionary, length); @@ -435,9 +431,10 @@ int ZEXPORT deflateParams(strm, level, strategy) } func = configuration_table[s->level].func; - if (func != configuration_table[level].func && strm->total_in != 0) { + if ((strategy != s->strategy || func != configuration_table[level].func) && + strm->total_in != 0) { /* Flush the last buffer: */ - err = deflate(strm, Z_PARTIAL_FLUSH); + err = deflate(strm, Z_BLOCK); } if (s->level != level) { s->level = level; 
@@ -481,33 +478,66 @@ int ZEXPORT deflateTune(strm, good_length, max_lazy, nice_length, max_chain) * resulting from using fixed blocks instead of stored blocks, which deflate * can emit on compressed data for some combinations of the parameters. * - * This function could be more sophisticated to provide closer upper bounds - * for every combination of windowBits and memLevel, as well as wrap. - * But even the conservative upper bound of about 14% expansion does not - * seem onerous for output buffer allocation. + * This function could be more sophisticated to provide closer upper bounds for + * every combination of windowBits and memLevel. But even the conservative + * upper bound of about 14% expansion does not seem onerous for output buffer + * allocation. */ uLong ZEXPORT deflateBound(strm, sourceLen) z_streamp strm; uLong sourceLen; { deflate_state *s; - uLong destLen; + uLong complen, wraplen; + Bytef *str; - /* conservative upper bound */ - destLen = sourceLen + - ((sourceLen + 7) >> 3) + ((sourceLen + 63) >> 6) + 11; + /* conservative upper bound for compressed data */ + complen = sourceLen + + ((sourceLen + 7) >> 3) + ((sourceLen + 63) >> 6) + 5; - /* if can't get parameters, return conservative bound */ + /* if can't get parameters, return conservative bound plus zlib wrapper */ if (strm == Z_NULL || strm->state == Z_NULL) - return destLen; + return complen + 6; + + /* compute wrapper length */ + s = strm->state; + switch (s->wrap) { + case 0: /* raw deflate */ + wraplen = 0; + break; + case 1: /* zlib wrapper */ + wraplen = 6 + (s->strstart ? 
4 : 0); + break; + case 2: /* gzip wrapper */ + wraplen = 18; + if (s->gzhead != Z_NULL) { /* user-supplied gzip header */ + if (s->gzhead->extra != Z_NULL) + wraplen += 2 + s->gzhead->extra_len; + str = s->gzhead->name; + if (str != Z_NULL) + do { + wraplen++; + } while (*str++); + str = s->gzhead->comment; + if (str != Z_NULL) + do { + wraplen++; + } while (*str++); + if (s->gzhead->hcrc) + wraplen += 2; + } + break; + default: /* for compiler happiness */ + wraplen = 6; + } /* if not default parameters, return conservative bound */ - s = strm->state; if (s->w_bits != 15 || s->hash_bits != 8 + 7) - return destLen; + return complen + wraplen; /* default settings: return tight bound for that case */ - return compressBound(sourceLen); + return sourceLen + (sourceLen >> 12) + (sourceLen >> 14) + + (sourceLen >> 25) + 13 - 6 + wraplen; } /* ========================================================================= @@ -557,7 +587,7 @@ int ZEXPORT deflate (strm, flush) deflate_state *s; if (strm == Z_NULL || strm->state == Z_NULL || - flush > Z_FINISH || flush < 0) { + flush > Z_BLOCK || flush < 0) { return Z_STREAM_ERROR; } s = strm->state; @@ -581,7 +611,7 @@ int ZEXPORT deflate (strm, flush) put_byte(s, 31); put_byte(s, 139); put_byte(s, 8); - if (s->gzhead == NULL) { + if (s->gzhead == Z_NULL) { put_byte(s, 0); put_byte(s, 0); put_byte(s, 0); @@ -608,7 +638,7 @@ int ZEXPORT deflate (strm, flush) (s->strategy >= Z_HUFFMAN_ONLY || s->level < 2 ? 4 : 0)); put_byte(s, s->gzhead->os & 0xff); - if (s->gzhead->extra != NULL) { + if (s->gzhead->extra != Z_NULL) { put_byte(s, s->gzhead->extra_len & 0xff); put_byte(s, (s->gzhead->extra_len >> 8) & 0xff); } @@ -650,7 +680,7 @@ int ZEXPORT deflate (strm, flush) } #ifdef GZIP if (s->status == EXTRA_STATE) { - if (s->gzhead->extra != NULL) { + if (s->gzhead->extra != Z_NULL) { uInt beg = s->pending; /* start of bytes to update crc */ while (s->gzindex < (s->gzhead->extra_len & 0xffff)) { 
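Review bot: The rewritten bound in deflateBound is computed entirely in `uLong` with no overflow check. Both `complen = sourceLen + ((sourceLen + 7) >> 3) + ((sourceLen + 63) >> 6) + 5` and the later `+ wraplen` can wrap when `sourceLen` is close to the type's maximum, most plausibly where `uLong` is 32 bits. A wrapped result is smaller than the input, so a caller that sizes its output buffer from it would under-allocate. This is worth stating in the function comment, e.g. `/* The result wraps if sourceLen is near the uLong maximum; callers must check bound >= sourceLen before allocating. */`. The gzip branch also measures `gzhead->name` and `gzhead->comment` by scanning to a NUL byte, so it relies on the caller supplying terminated strings.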
@@ -678,7 +708,7 @@ int ZEXPORT deflate (strm, flush) s->status = NAME_STATE; } if (s->status == NAME_STATE) { - if (s->gzhead->name != NULL) { + if (s->gzhead->name != Z_NULL) { uInt beg = s->pending; /* start of bytes to update crc */ int val; @@ -709,7 +739,7 @@ int ZEXPORT deflate (strm, flush) s->status = COMMENT_STATE; } if (s->status == COMMENT_STATE) { - if (s->gzhead->comment != NULL) { + if (s->gzhead->comment != Z_NULL) { uInt beg = s->pending; /* start of bytes to update crc */ int val; @@ -787,7 +817,9 @@ int ZEXPORT deflate (strm, flush) (flush != Z_NO_FLUSH && s->status != FINISH_STATE)) { block_state bstate; - bstate = (*(configuration_table[s->level].func))(s, flush); + bstate = s->strategy == Z_HUFFMAN_ONLY ? deflate_huff(s, flush) : + (s->strategy == Z_RLE ? deflate_rle(s, flush) : + (*(configuration_table[s->level].func))(s, flush)); if (bstate == finish_started || bstate == finish_done) { s->status = FINISH_STATE; @@ -808,13 +840,17 @@ int ZEXPORT deflate (strm, flush) if (bstate == block_done) { if (flush == Z_PARTIAL_FLUSH) { _tr_align(s); - } else { /* FULL_FLUSH or SYNC_FLUSH */ + } else if (flush != Z_BLOCK) { /* FULL_FLUSH or SYNC_FLUSH */ _tr_stored_block(s, (char*)0, 0L, 0); /* For a full flush, this empty block will be recognized * as a special marker by inflate_sync(). */ if (flush == Z_FULL_FLUSH) { CLEAR_HASH(s); /* forget history */ + if (s->lookahead == 0) { + s->strstart = 0; + s->block_start = 0L; + } } } flush_pending(strm); @@ -1167,12 +1203,13 @@ local uInt longest_match(s, cur_match) return s->lookahead; } #endif /* ASMV */ -#endif /* FASTEST */ + +#else /* FASTEST */ /* --------------------------------------------------------------------------- - * Optimized version for level == 1 or strategy == Z_RLE only + * Optimized version for FASTEST only */ -local uInt longest_match_fast(s, cur_match) +local uInt longest_match(s, cur_match) deflate_state *s; IPos cur_match; /* current match */ { 
@@ -1225,6 +1262,8 @@ local uInt longest_match_fast(s, cur_match) return (uInt)len <= s->lookahead ? (uInt)len : s->lookahead; } +#endif /* FASTEST */ + #ifdef DEBUG /* =========================================================================== * Check that the match at match_start is indeed a match. @@ -1303,7 +1342,6 @@ local void fill_window(s) later. (Using level 0 permanently is not an optimal usage of zlib, so we don't care about this pathological case.) */ - /* %%% avoid this when Z_RLE */ n = s->hash_size; p = &s->head[n]; do { 
@@ -1355,27 +1393,61 @@ local void fill_window(s) */ } while (s->lookahead < MIN_LOOKAHEAD && s->strm->avail_in != 0); + + /* If the WIN_INIT bytes after the end of the current data have never been + * written, then zero those bytes in order to avoid memory check reports of + * the use of uninitialized (or uninitialised as Julian writes) bytes by + * the longest match routines. Update the high water mark for the next + * time through here. WIN_INIT is set to MAX_MATCH since the longest match + * routines allow scanning to strstart + MAX_MATCH, ignoring lookahead. + */ + if (s->high_water < s->window_size) { + ulg curr = s->strstart + (ulg)(s->lookahead); + ulg init; + + if (s->high_water < curr) { + /* Previous high water mark below current data -- zero WIN_INIT + * bytes or up to end of window, whichever is less. + */ + init = s->window_size - curr; + if (init > WIN_INIT) + init = WIN_INIT; + zmemzero(s->window + curr, (unsigned)init); + s->high_water = curr + init; + } + else if (s->high_water < (ulg)curr + WIN_INIT) { + /* High water mark at or above current data, but below current data + * plus WIN_INIT -- zero out to current data plus WIN_INIT, or up + * to end of window, whichever is less. + */ + init = (ulg)curr + WIN_INIT - s->high_water; + if (init > s->window_size - s->high_water) + init = s->window_size - s->high_water; + zmemzero(s->window + s->high_water, (unsigned)init); + s->high_water += init; + } + } } /* =========================================================================== * Flush the current block, with given end-of-file flag. * IN assertion: strstart is set to the end of the current match. */ -#define FLUSH_BLOCK_ONLY(s, eof) { \ +#define FLUSH_BLOCK_ONLY(s, last) { \ _tr_flush_block(s, (s->block_start >= 0L ? 
\ (charf *)&s->window[(unsigned)s->block_start] : \ (charf *)Z_NULL), \ (ulg)((long)s->strstart - s->block_start), \ - (eof)); \ + (last)); \ s->block_start = s->strstart; \ flush_pending(s->strm); \ Tracev((stderr,"[FLUSH]")); \ } /* Same but force premature exit if necessary. */ -#define FLUSH_BLOCK(s, eof) { \ - FLUSH_BLOCK_ONLY(s, eof); \ - if (s->strm->avail_out == 0) return (eof) ? finish_started : need_more; \ +#define FLUSH_BLOCK(s, last) { \ + FLUSH_BLOCK_ONLY(s, last); \ + if (s->strm->avail_out == 0) return (last) ? finish_started : need_more; \ } /* =========================================================================== @@ -1449,7 +1521,7 @@ local block_state deflate_fast(s, flush) deflate_state *s; int flush; { - IPos hash_head = NIL; /* head of the hash chain */ + IPos hash_head; /* head of the hash chain */ int bflush; /* set if current block must be flushed */ for (;;) { @@ -1469,6 +1541,7 @@ local block_state deflate_fast(s, flush) /* Insert the string window[strstart .. strstart+2] in the * dictionary, and set hash_head to the head of the hash chain: */ + hash_head = NIL; if (s->lookahead >= MIN_MATCH) { INSERT_STRING(s, s->strstart, hash_head); } 
@@ -1481,19 +1554,8 @@ local block_state deflate_fast(s, flush) * of window index 0 (in particular we have to avoid a match * of the string with itself at the start of the input file). */ -#ifdef FASTEST - if ((s->strategy != Z_HUFFMAN_ONLY && s->strategy != Z_RLE) || - (s->strategy == Z_RLE && s->strstart - hash_head == 1)) { - s->match_length = longest_match_fast (s, hash_head); - } -#else - if (s->strategy != Z_HUFFMAN_ONLY && s->strategy != Z_RLE) { - s->match_length = longest_match (s, hash_head); - } else if (s->strategy == Z_RLE && s->strstart - hash_head == 1) { - s->match_length = longest_match_fast (s, hash_head); - } -#endif - /* longest_match() or longest_match_fast() sets match_start */ + s->match_length = longest_match (s, hash_head); + /* longest_match() sets match_start */ } if (s->match_length >= MIN_MATCH) { check_match(s, s->strstart, s->match_start, s->match_length); @@ -1555,7 +1617,7 @@ local block_state deflate_slow(s, flush) deflate_state *s; int flush; { - IPos hash_head = NIL; /* head of hash chain */ + IPos hash_head; /* head of hash chain */ int bflush; /* set if current block must be flushed */ /* Process the input block. */ @@ -1576,6 +1638,7 @@ local block_state deflate_slow(s, flush) /* Insert the string window[strstart .. strstart+2] in the * dictionary, and set hash_head to the head of the hash chain: */ + hash_head = NIL; if (s->lookahead >= MIN_MATCH) { INSERT_STRING(s, s->strstart, hash_head); } 
@@ -1591,12 +1654,8 @@ local block_state deflate_slow(s, flush) * of window index 0 (in particular we have to avoid a match * of the string with itself at the start of the input file). */ - if (s->strategy != Z_HUFFMAN_ONLY && s->strategy != Z_RLE) { - s->match_length = longest_match (s, hash_head); - } else if (s->strategy == Z_RLE && s->strstart - hash_head == 1) { - s->match_length = longest_match_fast (s, hash_head); - } - /* longest_match() or longest_match_fast() sets match_start */ + s->match_length = longest_match (s, hash_head); + /* longest_match() sets match_start */ if (s->match_length <= 5 && (s->strategy == Z_FILTERED #if TOO_FAR <= 32767 @@ -1674,7 +1733,6 @@ local block_state deflate_slow(s, flush) } #endif /* FASTEST */ -#if 0 /* =========================================================================== * For Z_RLE, simply look for runs of bytes, generate matches only of distance * one. Do not maintain a hash table. (It will be regenerated if this run of @@ -1684,11 +1742,9 @@ local block_state deflate_rle(s, flush) deflate_state *s; int flush; { - int bflush; /* set if current block must be flushed */ - uInt run; /* length of run */ - uInt max; /* maximum length of run */ - uInt prev; /* byte at distance one to match */ - Bytef *scan; /* scan for end of run */ + int bflush; /* set if current block must be flushed */ + uInt prev; /* byte at distance one to match */ + Bytef *scan, *strend; /* scan goes up to strend for length of run */ for (;;) { /* Make sure that we always have enough lookahead, except 
@@ -1704,23 +1760,33 @@ local block_state deflate_rle(s, flush) } /* See how many times the previous byte repeats */ - run = 0; - if (s->strstart > 0) { /* if there is a previous byte, that is */ - max = s->lookahead < MAX_MATCH ? s->lookahead : MAX_MATCH; + s->match_length = 0; + if (s->lookahead >= MIN_MATCH && s->strstart > 0) { scan = s->window + s->strstart - 1; - prev = *scan++; - do { - if (*scan++ != prev) - break; - } while (++run < max); + prev = *scan; + if (prev == *++scan && prev == *++scan && prev == *++scan) { + strend = s->window + s->strstart + MAX_MATCH; + do { + } while (prev == *++scan && prev == *++scan && + prev == *++scan && prev == *++scan && + prev == *++scan && prev == *++scan && + prev == *++scan && prev == *++scan && + scan < strend); + s->match_length = MAX_MATCH - (int)(strend - scan); + if (s->match_length > s->lookahead) + s->match_length = s->lookahead; + } } /* Emit match if have run of MIN_MATCH or longer, else emit literal */ - if (run >= MIN_MATCH) { - check_match(s, s->strstart, s->strstart - 1, run); - _tr_tally_dist(s, 1, run - MIN_MATCH, bflush); - s->lookahead -= run; - s->strstart += run; + if (s->match_length >= MIN_MATCH) { + check_match(s, s->strstart, s->strstart - 1, s->match_length); + + _tr_tally_dist(s, 1, s->match_length - MIN_MATCH, bflush); + + s->lookahead -= s->match_length; + s->strstart += s->match_length; + s->match_length = 0; } else { /* No match, output a literal byte */ Tracevv((stderr,"%c", s->window[s->strstart])); 
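Review bot: The unrolled run scan in deflate_rle compares bytes up to `strend = s->window + s->strstart + MAX_MATCH` regardless of `s->lookahead` and only afterwards clamps `s->match_length`, so near the end of the input it reads window bytes past the valid data. That is safe only if the window always has at least MAX_MATCH bytes of allocated slack after `strstart` (the `high_water` field this patch adds to deflate.h is described as zeroing such bytes), and nothing in this hunk checks it. zlib's longest_match guards its own scan with a debug assertion, and the same would fit after the inner `if` block: `Assert(scan <= s->window+(uInt)(s->window_size-1), "wild scan");`. The loop also lands exactly on `strend` only because MAX_MATCH - 2 is a multiple of 8, which deserves a one-line comment. The function body starts and ends outside the hunk.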
@@ -1733,4 +1799,36 @@ local block_state deflate_rle(s, flush) FLUSH_BLOCK(s, flush == Z_FINISH); return flush == Z_FINISH ? finish_done : block_done; } -#endif + +/* =========================================================================== + * For Z_HUFFMAN_ONLY, do not look for matches. Do not maintain a hash table. + * (It will be regenerated if this run of deflate switches away from Huffman.) + */ +local block_state deflate_huff(s, flush) + deflate_state *s; + int flush; +{ + int bflush; /* set if current block must be flushed */ + + for (;;) { + /* Make sure that we have a literal to write. */ + if (s->lookahead == 0) { + fill_window(s); + if (s->lookahead == 0) { + if (flush == Z_NO_FLUSH) + return need_more; + break; /* flush the current block */ + } + } + + /* Output a literal byte */ + s->match_length = 0; + Tracevv((stderr,"%c", s->window[s->strstart])); + _tr_tally_lit (s, s->window[s->strstart], bflush); + s->lookahead--; + s->strstart++; + if (bflush) FLUSH_BLOCK(s, 0); + } + FLUSH_BLOCK(s, flush == Z_FINISH); + return flush == Z_FINISH ? finish_done : block_done; +} diff --git a/security/nss/lib/zlib/deflate.h b/security/nss/lib/zlib/deflate.h index 349bbbac538..969bbb91135 100644 --- a/security/nss/lib/zlib/deflate.h +++ b/security/nss/lib/zlib/deflate.h @@ -1,5 +1,5 @@ /* deflate.h -- internal compression state - * Copyright (C) 1995-2004 Jean-loup Gailly + * Copyright (C) 1995-2010 Jean-loup Gailly * For conditions of distribution and use, see copyright notice in zlib.h */ @@ -8,7 +8,7 @@ subject to change. Applications should only use zlib.h. */ -/* @(#) $Id: deflate.h,v 1.6 2010/04/25 23:37:31 nelson%bolyard.com Exp $ */ +/* @(#) $Id: deflate.h,v 1.7 2010/08/22 01:07:03 wtc%google.com Exp $ */ #ifndef DEFLATE_H #define DEFLATE_H 
@@ -188,7 +188,7 @@ typedef struct internal_state { int nice_match; /* Stop searching when current match exceeds this */ /* used by trees.c: */ - /* Didn't use ct_data typedef below to suppress compiler warning */ + /* Didn't use ct_data typedef below to supress compiler warning */ struct ct_data_s dyn_ltree[HEAP_SIZE]; /* literal and length tree */ struct ct_data_s dyn_dtree[2*D_CODES+1]; /* distance tree */ struct ct_data_s bl_tree[2*BL_CODES+1]; /* Huffman tree for bit lengths */ @@ -260,6 +260,13 @@ typedef struct internal_state { * are always zero. */ + ulg high_water; + /* High water mark offset in window for initialized bytes -- bytes above + * this are set to zero in order to avoid memory check warnings when + * longest match routines access bytes past the input. This is then + * updated to the new high water mark. + */ + } FAR deflate_state; /* Output a byte on the stream. @@ -278,14 +285,18 @@ typedef struct internal_state { * distances are limited to MAX_DIST instead of WSIZE. */ +#define WIN_INIT MAX_MATCH +/* Number of bytes after end of data in window to initialize in order to avoid + memory checker errors from longest match routines */ + /* in trees.c */ -void _tr_init OF((deflate_state *s)); -int _tr_tally OF((deflate_state *s, unsigned dist, unsigned lc)); -void _tr_flush_block OF((deflate_state *s, charf *buf, ulg stored_len, - int eof)); -void _tr_align OF((deflate_state *s)); -void _tr_stored_block OF((deflate_state *s, charf *buf, ulg stored_len, - int eof)); +void ZLIB_INTERNAL _tr_init OF((deflate_state *s)); +int ZLIB_INTERNAL _tr_tally OF((deflate_state *s, unsigned dist, unsigned lc)); +void ZLIB_INTERNAL _tr_flush_block OF((deflate_state *s, charf *buf, + ulg stored_len, int last)); +void ZLIB_INTERNAL _tr_align OF((deflate_state *s)); +void ZLIB_INTERNAL _tr_stored_block OF((deflate_state *s, charf *buf, + ulg stored_len, int last)); #define d_code(dist) \ ((dist) < 256 ? _dist_code[dist] : _dist_code[256+((dist)>>7)]) 
@@ -298,11 +309,11 @@ void _tr_stored_block OF((deflate_state *s, charf *buf, ulg stored_len, /* Inline versions of _tr_tally for speed: */ #if defined(GEN_TREES_H) || !defined(STDC) - extern uch _length_code[]; - extern uch _dist_code[]; + extern uch ZLIB_INTERNAL _length_code[]; + extern uch ZLIB_INTERNAL _dist_code[]; #else - extern const uch _length_code[]; - extern const uch _dist_code[]; + extern const uch ZLIB_INTERNAL _length_code[]; + extern const uch ZLIB_INTERNAL _dist_code[]; #endif # define _tr_tally_lit(s, c, flush) \ diff --git a/security/nss/lib/zlib/example.c b/security/nss/lib/zlib/example.c index c126d6ebd21..b6857cc972c 100644 --- a/security/nss/lib/zlib/example.c +++ b/security/nss/lib/zlib/example.c @@ -1,19 +1,19 @@ /* example.c -- usage example of the zlib compression library - * Copyright (C) 1995-2004 Jean-loup Gailly. + * Copyright (C) 1995-2006 Jean-loup Gailly. * For conditions of distribution and use, see copyright notice in zlib.h */ -/* @(#) $Id: example.c,v 1.6 2009/11/07 01:13:10 nelson%bolyard.com Exp $ */ +/* @(#) $Id: example.c,v 1.7 2010/08/22 01:07:03 wtc%google.com Exp $ */ -#include #include "zlib.h" +#include #ifdef STDC # include # include #endif -#if defined(RISCOS) +#if defined(VMS) || defined(RISCOS) # define TESTFILE "foo-gz" #else # define TESTFILE "foo.gz" diff --git a/security/nss/lib/zlib/gzclose.c b/security/nss/lib/zlib/gzclose.c new file mode 100644 index 00000000000..caeb99a3177 --- /dev/null +++ b/security/nss/lib/zlib/gzclose.c 
@@ -0,0 +1,25 @@
+/* gzclose.c -- zlib gzclose() function
+ * Copyright (C) 2004, 2010 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+#include "gzguts.h"
+
+/* gzclose() is in a separate file so that it is linked in only if it is used.
+ That way the other gzclose functions can be used instead to avoid linking in
+ unneeded compression or decompression routines. */
+int ZEXPORT gzclose(file)
+ gzFile file;
+{
+#ifndef NO_GZCOMPRESS
+ gz_statep state;
+
+ if (file == NULL)
+ return Z_STREAM_ERROR;
+ state = (gz_statep)file;
+
+ return state->mode == GZ_READ ? gzclose_r(file) : gzclose_w(file);
+#else
+ return gzclose_r(file);
+#endif
+}
diff --git a/security/nss/lib/zlib/gzguts.h b/security/nss/lib/zlib/gzguts.h
new file mode 100644
index 00000000000..0f8fb79f87d
--- /dev/null
+++ b/security/nss/lib/zlib/gzguts.h
@@ -0,0 +1,132 @@ +/* gzguts.h -- zlib internal header definitions for gz* operations + * Copyright (C) 2004, 2005, 2010 Mark Adler + * For conditions of distribution and use, see copyright notice in zlib.h + */ + +#ifdef _LARGEFILE64_SOURCE +# ifndef _LARGEFILE_SOURCE +# define _LARGEFILE_SOURCE 1 +# endif +# ifdef _FILE_OFFSET_BITS +# undef _FILE_OFFSET_BITS +# endif +#endif + +#if ((__GNUC__-0) * 10 + __GNUC_MINOR__-0 >= 33) && !defined(NO_VIZ) +# define ZLIB_INTERNAL __attribute__((visibility ("hidden"))) +#else +# define ZLIB_INTERNAL +#endif + +#include +#include "zlib.h" +#ifdef STDC +# include +# include +# include +#endif +#include + +#ifdef NO_DEFLATE /* for compatibility with old definition */ +# define NO_GZCOMPRESS +#endif + +#ifdef _MSC_VER +# include +# define vsnprintf _vsnprintf +#endif + +#ifndef local +# define local static +#endif +/* compile with -Dlocal if your debugger can't find static symbols */ + +/* gz* functions always use library allocation functions */ +#ifndef STDC + extern voidp malloc OF((uInt size)); + extern void free OF((voidpf ptr)); +#endif + +/* get errno and strerror definition */ +#if defined UNDER_CE +# include +# define zstrerror() gz_strwinerror((DWORD)GetLastError()) +#else +# ifdef STDC +# include +# define zstrerror() strerror(errno) +# else +# define zstrerror() "stdio error (consult errno)" +# endif +#endif + +/* provide prototypes for these when building zlib without LFS */ +#if !defined(_LARGEFILE64_SOURCE) || _LFS64_LARGEFILE-0 == 0 + ZEXTERN gzFile ZEXPORT gzopen64 OF((const char *, const char *)); + ZEXTERN z_off64_t ZEXPORT gzseek64 OF((gzFile, z_off64_t, int)); + ZEXTERN z_off64_t ZEXPORT gztell64 OF((gzFile)); + ZEXTERN z_off64_t ZEXPORT gzoffset64 OF((gzFile)); +#endif + +/* default i/o buffer size -- double this for output when reading */ +#define GZBUFSIZE 8192 + +/* gzip modes, also provide a little integrity check on the passed structure */ +#define GZ_NONE 0 +#define GZ_READ 7247 +#define GZ_WRITE 31153 
+#define GZ_APPEND 1 /* mode set to GZ_WRITE after the file is opened */ + +/* values for gz_state how */ +#define LOOK 0 /* look for a gzip header */ +#define COPY 1 /* copy input directly */ +#define GZIP 2 /* decompress a gzip stream */ + +/* internal gzip file state data structure */ +typedef struct { + /* used for both reading and writing */ + int mode; /* see gzip modes above */ + int fd; /* file descriptor */ + char *path; /* path or fd for error messages */ + z_off64_t pos; /* current position in uncompressed data */ + unsigned size; /* buffer size, zero if not allocated yet */ + unsigned want; /* requested buffer size, default is GZBUFSIZE */ + unsigned char *in; /* input buffer */ + unsigned char *out; /* output buffer (double-sized when reading) */ + unsigned char *next; /* next output data to deliver or write */ + /* just for reading */ + unsigned have; /* amount of output data unused at next */ + int eof; /* true if end of input file reached */ + z_off64_t start; /* where the gzip data started, for rewinding */ + z_off64_t raw; /* where the raw data started, for seeking */ + int how; /* 0: get header, 1: copy, 2: decompress */ + int direct; /* true if last read direct, false if gzip */ + /* just for writing */ + int level; /* compression level */ + int strategy; /* compression strategy */ + /* seek request */ + z_off64_t skip; /* amount to skip (already rewound if backwards) */ + int seek; /* true if seek request pending */ + /* error information */ + int err; /* error code */ + char *msg; /* error message */ + /* zlib inflate or deflate stream */ + z_stream strm; /* stream structure in-place (not a pointer) */ +} gz_state; +typedef gz_state FAR *gz_statep; + +/* shared functions */ +void ZLIB_INTERNAL gz_error OF((gz_statep, int, const char *)); +#if defined UNDER_CE +char ZLIB_INTERNAL *gz_strwinerror OF((DWORD error)); +#endif + +/* GT_OFF(x), where x is an unsigned value, is true if x > maximum z_off64_t + value -- needed when comparing unsigned to 
z_off64_t, which is signed + (possible z_off64_t types off_t, off64_t, and long are all signed) */ +#ifdef INT_MAX +# define GT_OFF(x) (sizeof(int) == sizeof(z_off64_t) && (x) > INT_MAX) +#else +unsigned ZLIB_INTERNAL gz_intmax OF((void)); +# define GT_OFF(x) (sizeof(int) == sizeof(z_off64_t) && (x) > gz_intmax()) +#endif diff --git a/security/nss/lib/zlib/gzio.c b/security/nss/lib/zlib/gzio.c deleted file mode 100644 index 846f957d298..00000000000 --- a/security/nss/lib/zlib/gzio.c +++ /dev/null 
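Review bot: The `# define vsnprintf _vsnprintf` mapping under `_MSC_VER` hands callers a function that does not NUL-terminate the buffer when the formatted output fills or exceeds it, and that returns a negative value rather than the required length, so code written against C99 `vsnprintf` semantics can end up using an unterminated buffer. The gzprintf in the removed gzio.c defended against this by setting `buf[sizeof(buf) - 1] = 0` before formatting and returning 0 if that byte was overwritten. The replacement gzprintf is not in this part of the patch, so it is worth confirming it keeps that check. A comment at the define would make the contract explicit: `/* _vsnprintf does not NUL-terminate on truncation; callers must check the last buffer byte */`.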
@@ -1,1026 +0,0 @@ -/* gzio.c -- IO on .gz files - * Copyright (C) 1995-2005 Jean-loup Gailly. - * For conditions of distribution and use, see copyright notice in zlib.h - * - * Compile this file with -DNO_GZCOMPRESS to avoid the compression code. - */ - -/* @(#) $Id: gzio.c,v 1.5 2009/11/07 01:13:10 wtchang%redhat.com Exp $ */ - -#include - -#include "zutil.h" - -#ifdef NO_DEFLATE /* for compatibility with old definition */ -# define NO_GZCOMPRESS -#endif - -#ifndef NO_DUMMY_DECL -struct internal_state {int dummy;}; /* for buggy compilers */ -#endif - -#ifndef Z_BUFSIZE -# ifdef MAXSEG_64K -# define Z_BUFSIZE 4096 /* minimize memory usage for 16-bit DOS */ -# else -# define Z_BUFSIZE 16384 -# endif -#endif -#ifndef Z_PRINTF_BUFSIZE -# define Z_PRINTF_BUFSIZE 4096 -#endif - -#ifdef __MVS__ -# pragma map (fdopen , "\174\174FDOPEN") - FILE *fdopen(int, const char *); -#endif - -#ifndef STDC -extern voidp malloc OF((uInt size)); -extern void free OF((voidpf ptr)); -#endif - -#define ALLOC(size) malloc(size) -#define TRYFREE(p) {if (p) free(p);} - -static int const gz_magic[2] = {0x1f, 0x8b}; /* gzip magic header */ - -/* gzip flag byte */ -#define ASCII_FLAG 0x01 /* bit 0 set: file probably ascii text */ -#define HEAD_CRC 0x02 /* bit 1 set: header CRC present */ -#define EXTRA_FIELD 0x04 /* bit 2 set: extra field present */ -#define ORIG_NAME 0x08 /* bit 3 set: original file name present */ -#define COMMENT 0x10 /* bit 4 set: file comment present */ -#define RESERVED 0xE0 /* bits 5..7: reserved */ - -typedef struct gz_stream { - z_stream stream; - int z_err; /* error code for last stream operation */ - int z_eof; /* set if end of input file */ - FILE *file; /* .gz file */ - Byte *inbuf; /* input buffer */ - Byte *outbuf; /* output buffer */ - uLong crc; /* crc32 of uncompressed data */ - char *msg; /* error message */ - char *path; /* path name for debugging only */ - int transparent; /* 1 if input file is not a .gz file */ - char mode; /* 'w' or 'r' */ - z_off_t 
start; /* start of compressed data in file (header skipped) */ - z_off_t in; /* bytes into deflate or inflate */ - z_off_t out; /* bytes out of deflate or inflate */ - int back; /* one character push-back */ - int last; /* true if push-back is last character */ -} gz_stream; - - -local gzFile gz_open OF((const char *path, const char *mode, int fd)); -local int do_flush OF((gzFile file, int flush)); -local int get_byte OF((gz_stream *s)); -local void check_header OF((gz_stream *s)); -local int destroy OF((gz_stream *s)); -local void putLong OF((FILE *file, uLong x)); -local uLong getLong OF((gz_stream *s)); - -/* =========================================================================== - Opens a gzip (.gz) file for reading or writing. The mode parameter - is as in fopen ("rb" or "wb"). The file is given either by file descriptor - or path name (if fd == -1). - gz_open returns NULL if the file could not be opened or if there was - insufficient memory to allocate the (de)compression state; errno - can be checked to distinguish the two cases (if errno is zero, the - zlib error is Z_MEM_ERROR). 
-*/ -local gzFile gz_open (path, mode, fd) - const char *path; - const char *mode; - int fd; -{ - int err; - int level = Z_DEFAULT_COMPRESSION; /* compression level */ - int strategy = Z_DEFAULT_STRATEGY; /* compression strategy */ - char *p = (char*)mode; - gz_stream *s; - char fmode[80]; /* copy of mode, without the compression level */ - char *m = fmode; - - if (!path || !mode) return Z_NULL; - - s = (gz_stream *)ALLOC(sizeof(gz_stream)); - if (!s) return Z_NULL; - - s->stream.zalloc = (alloc_func)0; - s->stream.zfree = (free_func)0; - s->stream.opaque = (voidpf)0; - s->stream.next_in = s->inbuf = Z_NULL; - s->stream.next_out = s->outbuf = Z_NULL; - s->stream.avail_in = s->stream.avail_out = 0; - s->file = NULL; - s->z_err = Z_OK; - s->z_eof = 0; - s->in = 0; - s->out = 0; - s->back = EOF; - s->crc = crc32(0L, Z_NULL, 0); - s->msg = NULL; - s->transparent = 0; - - s->path = (char*)ALLOC(strlen(path)+1); - if (s->path == NULL) { - return destroy(s), (gzFile)Z_NULL; - } - strcpy(s->path, path); /* do this early for debugging */ - - s->mode = '\0'; - do { - if (*p == 'r') s->mode = 'r'; - if (*p == 'w' || *p == 'a') s->mode = 'w'; - if (*p >= '0' && *p <= '9') { - level = *p - '0'; - } else if (*p == 'f') { - strategy = Z_FILTERED; - } else if (*p == 'h') { - strategy = Z_HUFFMAN_ONLY; - } else if (*p == 'R') { - strategy = Z_RLE; - } else { - *m++ = *p; /* copy the mode */ - } - } while (*p++ && m != fmode + sizeof(fmode)); - if (s->mode == '\0') return destroy(s), (gzFile)Z_NULL; - - if (s->mode == 'w') { -#ifdef NO_GZCOMPRESS - err = Z_STREAM_ERROR; -#else - err = deflateInit2(&(s->stream), level, - Z_DEFLATED, -MAX_WBITS, DEF_MEM_LEVEL, strategy); - /* windowBits is passed < 0 to suppress zlib header */ - - s->stream.next_out = s->outbuf = (Byte*)ALLOC(Z_BUFSIZE); -#endif - if (err != Z_OK || s->outbuf == Z_NULL) { - return destroy(s), (gzFile)Z_NULL; - } - } else { - s->stream.next_in = s->inbuf = (Byte*)ALLOC(Z_BUFSIZE); - - err = inflateInit2(&(s->stream), 
-MAX_WBITS); - /* windowBits is passed < 0 to tell that there is no zlib header. - * Note that in this case inflate *requires* an extra "dummy" byte - * after the compressed stream in order to complete decompression and - * return Z_STREAM_END. Here the gzip CRC32 ensures that 4 bytes are - * present after the compressed stream. - */ - if (err != Z_OK || s->inbuf == Z_NULL) { - return destroy(s), (gzFile)Z_NULL; - } - } - s->stream.avail_out = Z_BUFSIZE; - - errno = 0; - s->file = fd < 0 ? F_OPEN(path, fmode) : (FILE*)fdopen(fd, fmode); - - if (s->file == NULL) { - return destroy(s), (gzFile)Z_NULL; - } - if (s->mode == 'w') { - /* Write a very simple .gz header: - */ - fprintf(s->file, "%c%c%c%c%c%c%c%c%c%c", gz_magic[0], gz_magic[1], - Z_DEFLATED, 0 /*flags*/, 0,0,0,0 /*time*/, 0 /*xflags*/, OS_CODE); - s->start = 10L; - /* We use 10L instead of ftell(s->file) to because ftell causes an - * fflush on some systems. This version of the library doesn't use - * start anyway in write mode, so this initialization is not - * necessary. - */ - } else { - check_header(s); /* skip the .gz header */ - s->start = ftell(s->file) - s->stream.avail_in; - } - - return (gzFile)s; -} - -/* =========================================================================== - Opens a gzip (.gz) file for reading or writing. -*/ -gzFile ZEXPORT gzopen (path, mode) - const char *path; - const char *mode; -{ - return gz_open (path, mode, -1); -} - -/* =========================================================================== - Associate a gzFile with the file descriptor fd. fd is not dup'ed here - to mimic the behavio(u)r of fdopen. 
-*/ -gzFile ZEXPORT gzdopen (fd, mode) - int fd; - const char *mode; -{ - char name[46]; /* allow for up to 128-bit integers */ - - if (fd < 0) return (gzFile)Z_NULL; - sprintf(name, "", fd); /* for debugging */ - - return gz_open (name, mode, fd); -} - -/* =========================================================================== - * Update the compression level and strategy - */ -int ZEXPORT gzsetparams (file, level, strategy) - gzFile file; - int level; - int strategy; -{ - gz_stream *s = (gz_stream*)file; - - if (s == NULL || s->mode != 'w') return Z_STREAM_ERROR; - - /* Make room to allow flushing */ - if (s->stream.avail_out == 0) { - - s->stream.next_out = s->outbuf; - if (fwrite(s->outbuf, 1, Z_BUFSIZE, s->file) != Z_BUFSIZE) { - s->z_err = Z_ERRNO; - } - s->stream.avail_out = Z_BUFSIZE; - } - - return deflateParams (&(s->stream), level, strategy); -} - -/* =========================================================================== - Read a byte from a gz_stream; update next_in and avail_in. Return EOF - for end of file. - IN assertion: the stream s has been sucessfully opened for reading. -*/ -local int get_byte(s) - gz_stream *s; -{ - if (s->z_eof) return EOF; - if (s->stream.avail_in == 0) { - errno = 0; - s->stream.avail_in = (uInt)fread(s->inbuf, 1, Z_BUFSIZE, s->file); - if (s->stream.avail_in == 0) { - s->z_eof = 1; - if (ferror(s->file)) s->z_err = Z_ERRNO; - return EOF; - } - s->stream.next_in = s->inbuf; - } - s->stream.avail_in--; - return *(s->stream.next_in)++; -} - -/* =========================================================================== - Check the gzip header of a gz_stream opened for reading. Set the stream - mode to transparent if the gzip magic header is not present; set s->err - to Z_DATA_ERROR if the magic header is present but the rest of the header - is incorrect. - IN assertion: the stream s has already been created sucessfully; - s->stream.avail_in is zero for the first time, but may be non-zero - for concatenated .gz files. 
-*/ -local void check_header(s) - gz_stream *s; -{ - int method; /* method byte */ - int flags; /* flags byte */ - uInt len; - int c; - - /* Assure two bytes in the buffer so we can peek ahead -- handle case - where first byte of header is at the end of the buffer after the last - gzip segment */ - len = s->stream.avail_in; - if (len < 2) { - if (len) s->inbuf[0] = s->stream.next_in[0]; - errno = 0; - len = (uInt)fread(s->inbuf + len, 1, Z_BUFSIZE >> len, s->file); - if (len == 0 && ferror(s->file)) s->z_err = Z_ERRNO; - s->stream.avail_in += len; - s->stream.next_in = s->inbuf; - if (s->stream.avail_in < 2) { - s->transparent = s->stream.avail_in; - return; - } - } - - /* Peek ahead to check the gzip magic header */ - if (s->stream.next_in[0] != gz_magic[0] || - s->stream.next_in[1] != gz_magic[1]) { - s->transparent = 1; - return; - } - s->stream.avail_in -= 2; - s->stream.next_in += 2; - - /* Check the rest of the gzip header */ - method = get_byte(s); - flags = get_byte(s); - if (method != Z_DEFLATED || (flags & RESERVED) != 0) { - s->z_err = Z_DATA_ERROR; - return; - } - - /* Discard time, xflags and OS code: */ - for (len = 0; len < 6; len++) (void)get_byte(s); - - if ((flags & EXTRA_FIELD) != 0) { /* skip the extra field */ - len = (uInt)get_byte(s); - len += ((uInt)get_byte(s))<<8; - /* len is garbage if EOF but the loop below will quit anyway */ - while (len-- != 0 && get_byte(s) != EOF) ; - } - if ((flags & ORIG_NAME) != 0) { /* skip the original file name */ - while ((c = get_byte(s)) != 0 && c != EOF) ; - } - if ((flags & COMMENT) != 0) { /* skip the .gz file comment */ - while ((c = get_byte(s)) != 0 && c != EOF) ; - } - if ((flags & HEAD_CRC) != 0) { /* skip the header crc */ - for (len = 0; len < 2; len++) (void)get_byte(s); - } - s->z_err = s->z_eof ? Z_DATA_ERROR : Z_OK; -} - - /* =========================================================================== - * Cleanup then free the given gz_stream. Return a zlib error code. 
- Try freeing in the reverse order of allocations. - */ -local int destroy (s) - gz_stream *s; -{ - int err = Z_OK; - - if (!s) return Z_STREAM_ERROR; - - TRYFREE(s->msg); - - if (s->stream.state != NULL) { - if (s->mode == 'w') { -#ifdef NO_GZCOMPRESS - err = Z_STREAM_ERROR; -#else - err = deflateEnd(&(s->stream)); -#endif - } else if (s->mode == 'r') { - err = inflateEnd(&(s->stream)); - } - } - if (s->file != NULL && fclose(s->file)) { -#ifdef ESPIPE - if (errno != ESPIPE) /* fclose is broken for pipes in HP/UX */ -#endif - err = Z_ERRNO; - } - if (s->z_err < 0) err = s->z_err; - - TRYFREE(s->inbuf); - TRYFREE(s->outbuf); - TRYFREE(s->path); - TRYFREE(s); - return err; -} - -/* =========================================================================== - Reads the given number of uncompressed bytes from the compressed file. - gzread returns the number of bytes actually read (0 for end of file). -*/ -int ZEXPORT gzread (file, buf, len) - gzFile file; - voidp buf; - unsigned len; -{ - gz_stream *s = (gz_stream*)file; - Bytef *start = (Bytef*)buf; /* starting point for crc computation */ - Byte *next_out; /* == stream.next_out but not forced far (for MSDOS) */ - - if (s == NULL || s->mode != 'r') return Z_STREAM_ERROR; - - if (s->z_err == Z_DATA_ERROR || s->z_err == Z_ERRNO) return -1; - if (s->z_err == Z_STREAM_END) return 0; /* EOF */ - - next_out = (Byte*)buf; - s->stream.next_out = (Bytef*)buf; - s->stream.avail_out = len; - - if (s->stream.avail_out && s->back != EOF) { - *next_out++ = s->back; - s->stream.next_out++; - s->stream.avail_out--; - s->back = EOF; - s->out++; - start++; - if (s->last) { - s->z_err = Z_STREAM_END; - return 1; - } - } - - while (s->stream.avail_out != 0) { - - if (s->transparent) { - /* Copy first the lookahead bytes: */ - uInt n = s->stream.avail_in; - if (n > s->stream.avail_out) n = s->stream.avail_out; - if (n > 0) { - zmemcpy(s->stream.next_out, s->stream.next_in, n); - next_out += n; - s->stream.next_out = next_out; - 
s->stream.next_in += n; - s->stream.avail_out -= n; - s->stream.avail_in -= n; - } - if (s->stream.avail_out > 0) { - s->stream.avail_out -= - (uInt)fread(next_out, 1, s->stream.avail_out, s->file); - } - len -= s->stream.avail_out; - s->in += len; - s->out += len; - if (len == 0) s->z_eof = 1; - return (int)len; - } - if (s->stream.avail_in == 0 && !s->z_eof) { - - errno = 0; - s->stream.avail_in = (uInt)fread(s->inbuf, 1, Z_BUFSIZE, s->file); - if (s->stream.avail_in == 0) { - s->z_eof = 1; - if (ferror(s->file)) { - s->z_err = Z_ERRNO; - break; - } - } - s->stream.next_in = s->inbuf; - } - s->in += s->stream.avail_in; - s->out += s->stream.avail_out; - s->z_err = inflate(&(s->stream), Z_NO_FLUSH); - s->in -= s->stream.avail_in; - s->out -= s->stream.avail_out; - - if (s->z_err == Z_STREAM_END) { - /* Check CRC and original size */ - s->crc = crc32(s->crc, start, (uInt)(s->stream.next_out - start)); - start = s->stream.next_out; - - if (getLong(s) != s->crc) { - s->z_err = Z_DATA_ERROR; - } else { - (void)getLong(s); - /* The uncompressed length returned by above getlong() may be - * different from s->out in case of concatenated .gz files. - * Check for such files: - */ - check_header(s); - if (s->z_err == Z_OK) { - inflateReset(&(s->stream)); - s->crc = crc32(0L, Z_NULL, 0); - } - } - } - if (s->z_err != Z_OK || s->z_eof) break; - } - s->crc = crc32(s->crc, start, (uInt)(s->stream.next_out - start)); - - if (len == s->stream.avail_out && - (s->z_err == Z_DATA_ERROR || s->z_err == Z_ERRNO)) - return -1; - return (int)(len - s->stream.avail_out); -} - - -/* =========================================================================== - Reads one byte from the compressed file. gzgetc returns this byte - or -1 in case of end of file or error. -*/ -int ZEXPORT gzgetc(file) - gzFile file; -{ - unsigned char c; - - return gzread(file, &c, 1) == 1 ? 
c : -1; -} - - -/* =========================================================================== - Push one byte back onto the stream. -*/ -int ZEXPORT gzungetc(c, file) - int c; - gzFile file; -{ - gz_stream *s = (gz_stream*)file; - - if (s == NULL || s->mode != 'r' || c == EOF || s->back != EOF) return EOF; - s->back = c; - s->out--; - s->last = (s->z_err == Z_STREAM_END); - if (s->last) s->z_err = Z_OK; - s->z_eof = 0; - return c; -} - - -/* =========================================================================== - Reads bytes from the compressed file until len-1 characters are - read, or a newline character is read and transferred to buf, or an - end-of-file condition is encountered. The string is then terminated - with a null character. - gzgets returns buf, or Z_NULL in case of error. - - The current implementation is not optimized at all. -*/ -char * ZEXPORT gzgets(file, buf, len) - gzFile file; - char *buf; - int len; -{ - char *b = buf; - if (buf == Z_NULL || len <= 0) return Z_NULL; - - while (--len > 0 && gzread(file, buf, 1) == 1 && *buf++ != '\n') ; - *buf = '\0'; - return b == buf && len > 0 ? Z_NULL : b; -} - - -#ifndef NO_GZCOMPRESS -/* =========================================================================== - Writes the given number of uncompressed bytes into the compressed file. - gzwrite returns the number of bytes actually written (0 in case of error). 
-*/ -int ZEXPORT gzwrite (file, buf, len) - gzFile file; - voidpc buf; - unsigned len; -{ - gz_stream *s = (gz_stream*)file; - - if (s == NULL || s->mode != 'w') return Z_STREAM_ERROR; - - s->stream.next_in = (Bytef*)buf; - s->stream.avail_in = len; - - while (s->stream.avail_in != 0) { - - if (s->stream.avail_out == 0) { - - s->stream.next_out = s->outbuf; - if (fwrite(s->outbuf, 1, Z_BUFSIZE, s->file) != Z_BUFSIZE) { - s->z_err = Z_ERRNO; - break; - } - s->stream.avail_out = Z_BUFSIZE; - } - s->in += s->stream.avail_in; - s->out += s->stream.avail_out; - s->z_err = deflate(&(s->stream), Z_NO_FLUSH); - s->in -= s->stream.avail_in; - s->out -= s->stream.avail_out; - if (s->z_err != Z_OK) break; - } - s->crc = crc32(s->crc, (const Bytef *)buf, len); - - return (int)(len - s->stream.avail_in); -} - - -/* =========================================================================== - Converts, formats, and writes the args to the compressed file under - control of the format string, as in fprintf. gzprintf returns the number of - uncompressed bytes actually written (0 in case of error). -*/ -#ifdef STDC -#include - -int ZEXPORTVA gzprintf (gzFile file, const char *format, /* args */ ...) 
-{ - char buf[Z_PRINTF_BUFSIZE]; - va_list va; - int len; - - buf[sizeof(buf) - 1] = 0; - va_start(va, format); -#ifdef NO_vsnprintf -# ifdef HAS_vsprintf_void - (void)vsprintf(buf, format, va); - va_end(va); - for (len = 0; len < sizeof(buf); len++) - if (buf[len] == 0) break; -# else - len = vsprintf(buf, format, va); - va_end(va); -# endif -#else -# ifdef HAS_vsnprintf_void - (void)vsnprintf(buf, sizeof(buf), format, va); - va_end(va); - len = strlen(buf); -# else - len = vsnprintf(buf, sizeof(buf), format, va); - va_end(va); -# endif -#endif - if (len <= 0 || len >= (int)sizeof(buf) || buf[sizeof(buf) - 1] != 0) - return 0; - return gzwrite(file, buf, (unsigned)len); -} -#else /* not ANSI C */ - -int ZEXPORTVA gzprintf (file, format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, - a11, a12, a13, a14, a15, a16, a17, a18, a19, a20) - gzFile file; - const char *format; - int a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, - a11, a12, a13, a14, a15, a16, a17, a18, a19, a20; -{ - char buf[Z_PRINTF_BUFSIZE]; - int len; - - buf[sizeof(buf) - 1] = 0; -#ifdef NO_snprintf -# ifdef HAS_sprintf_void - sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8, - a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20); - for (len = 0; len < sizeof(buf); len++) - if (buf[len] == 0) break; -# else - len = sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8, - a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20); -# endif -#else -# ifdef HAS_snprintf_void - snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8, - a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20); - len = strlen(buf); -# else - len = snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8, - a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20); -# endif -#endif - if (len <= 0 || len >= sizeof(buf) || buf[sizeof(buf) - 1] != 0) - return 0; - return gzwrite(file, buf, len); -} -#endif - -/* =========================================================================== - Writes c, converted 
to an unsigned char, into the compressed file. - gzputc returns the value that was written, or -1 in case of error. -*/ -int ZEXPORT gzputc(file, c) - gzFile file; - int c; -{ - unsigned char cc = (unsigned char) c; /* required for big endian systems */ - - return gzwrite(file, &cc, 1) == 1 ? (int)cc : -1; -} - - -/* =========================================================================== - Writes the given null-terminated string to the compressed file, excluding - the terminating null character. - gzputs returns the number of characters written, or -1 in case of error. -*/ -int ZEXPORT gzputs(file, s) - gzFile file; - const char *s; -{ - return gzwrite(file, (char*)s, (unsigned)strlen(s)); -} - - -/* =========================================================================== - Flushes all pending output into the compressed file. The parameter - flush is as in the deflate() function. -*/ -local int do_flush (file, flush) - gzFile file; - int flush; -{ - uInt len; - int done = 0; - gz_stream *s = (gz_stream*)file; - - if (s == NULL || s->mode != 'w') return Z_STREAM_ERROR; - - s->stream.avail_in = 0; /* should be zero already anyway */ - - for (;;) { - len = Z_BUFSIZE - s->stream.avail_out; - - if (len != 0) { - if ((uInt)fwrite(s->outbuf, 1, len, s->file) != len) { - s->z_err = Z_ERRNO; - return Z_ERRNO; - } - s->stream.next_out = s->outbuf; - s->stream.avail_out = Z_BUFSIZE; - } - if (done) break; - s->out += s->stream.avail_out; - s->z_err = deflate(&(s->stream), flush); - s->out -= s->stream.avail_out; - - /* Ignore the second of two consecutive flushes: */ - if (len == 0 && s->z_err == Z_BUF_ERROR) s->z_err = Z_OK; - - /* deflate has finished flushing only when it hasn't used up - * all the available space in the output buffer: - */ - done = (s->stream.avail_out != 0 || s->z_err == Z_STREAM_END); - - if (s->z_err != Z_OK && s->z_err != Z_STREAM_END) break; - } - return s->z_err == Z_STREAM_END ? 
Z_OK : s->z_err; -} - -int ZEXPORT gzflush (file, flush) - gzFile file; - int flush; -{ - gz_stream *s = (gz_stream*)file; - int err = do_flush (file, flush); - - if (err) return err; - fflush(s->file); - return s->z_err == Z_STREAM_END ? Z_OK : s->z_err; -} -#endif /* NO_GZCOMPRESS */ - -/* =========================================================================== - Sets the starting position for the next gzread or gzwrite on the given - compressed file. The offset represents a number of bytes in the - gzseek returns the resulting offset location as measured in bytes from - the beginning of the uncompressed stream, or -1 in case of error. - SEEK_END is not implemented, returns error. - In this version of the library, gzseek can be extremely slow. -*/ -z_off_t ZEXPORT gzseek (file, offset, whence) - gzFile file; - z_off_t offset; - int whence; -{ - gz_stream *s = (gz_stream*)file; - - if (s == NULL || whence == SEEK_END || - s->z_err == Z_ERRNO || s->z_err == Z_DATA_ERROR) { - return -1L; - } - - if (s->mode == 'w') { -#ifdef NO_GZCOMPRESS - return -1L; -#else - if (whence == SEEK_SET) { - offset -= s->in; - } - if (offset < 0) return -1L; - - /* At this point, offset is the number of zero bytes to write. 
*/ - if (s->inbuf == Z_NULL) { - s->inbuf = (Byte*)ALLOC(Z_BUFSIZE); /* for seeking */ - if (s->inbuf == Z_NULL) return -1L; - zmemzero(s->inbuf, Z_BUFSIZE); - } - while (offset > 0) { - uInt size = Z_BUFSIZE; - if (offset < Z_BUFSIZE) size = (uInt)offset; - - size = gzwrite(file, s->inbuf, size); - if (size == 0) return -1L; - - offset -= size; - } - return s->in; -#endif - } - /* Rest of function is for reading only */ - - /* compute absolute position */ - if (whence == SEEK_CUR) { - offset += s->out; - } - if (offset < 0) return -1L; - - if (s->transparent) { - /* map to fseek */ - s->back = EOF; - s->stream.avail_in = 0; - s->stream.next_in = s->inbuf; - if (fseek(s->file, offset, SEEK_SET) < 0) return -1L; - - s->in = s->out = offset; - return offset; - } - - /* For a negative seek, rewind and use positive seek */ - if (offset >= s->out) { - offset -= s->out; - } else if (gzrewind(file) < 0) { - return -1L; - } - /* offset is now the number of bytes to skip. */ - - if (offset != 0 && s->outbuf == Z_NULL) { - s->outbuf = (Byte*)ALLOC(Z_BUFSIZE); - if (s->outbuf == Z_NULL) return -1L; - } - if (offset && s->back != EOF) { - s->back = EOF; - s->out++; - offset--; - if (s->last) s->z_err = Z_STREAM_END; - } - while (offset > 0) { - int size = Z_BUFSIZE; - if (offset < Z_BUFSIZE) size = (int)offset; - - size = gzread(file, s->outbuf, (uInt)size); - if (size <= 0) return -1L; - offset -= size; - } - return s->out; -} - -/* =========================================================================== - Rewinds input file. 
-*/ -int ZEXPORT gzrewind (file) - gzFile file; -{ - gz_stream *s = (gz_stream*)file; - - if (s == NULL || s->mode != 'r') return -1; - - s->z_err = Z_OK; - s->z_eof = 0; - s->back = EOF; - s->stream.avail_in = 0; - s->stream.next_in = s->inbuf; - s->crc = crc32(0L, Z_NULL, 0); - if (!s->transparent) (void)inflateReset(&s->stream); - s->in = 0; - s->out = 0; - return fseek(s->file, s->start, SEEK_SET); -} - -/* =========================================================================== - Returns the starting position for the next gzread or gzwrite on the - given compressed file. This position represents a number of bytes in the - uncompressed data stream. -*/ -z_off_t ZEXPORT gztell (file) - gzFile file; -{ - return gzseek(file, 0L, SEEK_CUR); -} - -/* =========================================================================== - Returns 1 when EOF has previously been detected reading the given - input stream, otherwise zero. -*/ -int ZEXPORT gzeof (file) - gzFile file; -{ - gz_stream *s = (gz_stream*)file; - - /* With concatenated compressed files that can have embedded - * crc trailers, z_eof is no longer the only/best indicator of EOF - * on a gz_stream. Handle end-of-stream error explicitly here. - */ - if (s == NULL || s->mode != 'r') return 0; - if (s->z_eof) return 1; - return s->z_err == Z_STREAM_END; -} - -/* =========================================================================== - Returns 1 if reading and doing so transparently, otherwise zero. 
-*/ -int ZEXPORT gzdirect (file) - gzFile file; -{ - gz_stream *s = (gz_stream*)file; - - if (s == NULL || s->mode != 'r') return 0; - return s->transparent; -} - -/* =========================================================================== - Outputs a long in LSB order to the given file -*/ -local void putLong (file, x) - FILE *file; - uLong x; -{ - int n; - for (n = 0; n < 4; n++) { - fputc((int)(x & 0xff), file); - x >>= 8; - } -} - -/* =========================================================================== - Reads a long in LSB order from the given gz_stream. Sets z_err in case - of error. -*/ -local uLong getLong (s) - gz_stream *s; -{ - uLong x = (uLong)get_byte(s); - int c; - - x += ((uLong)get_byte(s))<<8; - x += ((uLong)get_byte(s))<<16; - c = get_byte(s); - if (c == EOF) s->z_err = Z_DATA_ERROR; - x += ((uLong)c)<<24; - return x; -} - -/* =========================================================================== - Flushes all pending output if necessary, closes the compressed file - and deallocates all the (de)compression state. -*/ -int ZEXPORT gzclose (file) - gzFile file; -{ - gz_stream *s = (gz_stream*)file; - - if (s == NULL) return Z_STREAM_ERROR; - - if (s->mode == 'w') { -#ifdef NO_GZCOMPRESS - return Z_STREAM_ERROR; -#else - if (do_flush (file, Z_FINISH) != Z_OK) - return destroy((gz_stream*)file); - - putLong (s->file, s->crc); - putLong (s->file, (uLong)(s->in & 0xffffffff)); -#endif - } - return destroy((gz_stream*)file); -} - -#ifdef STDC -# define zstrerror(errnum) strerror(errnum) -#else -# define zstrerror(errnum) "" -#endif - -/* =========================================================================== - Returns the error message for the last error which occurred on the - given compressed file. errnum is set to zlib error number. If an - error occurred in the file system and not in the compression library, - errnum is set to Z_ERRNO and the application may consult errno - to get the exact error code. 
-*/
-const char * ZEXPORT gzerror (file, errnum)
- gzFile file;
- int *errnum;
-{
- char *m;
- gz_stream *s = (gz_stream*)file;
-
- if (s == NULL) {
- *errnum = Z_STREAM_ERROR;
- return (const char*)ERR_MSG(Z_STREAM_ERROR);
- }
- *errnum = s->z_err;
- if (*errnum == Z_OK) return (const char*)"";
-
- m = (char*)(*errnum == Z_ERRNO ? zstrerror(errno) : s->stream.msg);
-
- if (m == NULL || *m == '\0') m = (char*)ERR_MSG(s->z_err);
-
- TRYFREE(s->msg);
- s->msg = (char*)ALLOC(strlen(s->path) + strlen(m) + 3);
- if (s->msg == Z_NULL) return (const char*)ERR_MSG(Z_MEM_ERROR);
- strcpy(s->msg, s->path);
- strcat(s->msg, ": ");
- strcat(s->msg, m);
- return (const char*)s->msg;
-}
-
-/* ===========================================================================
- Clear the error and end-of-file flags, and do the same for the real file.
-*/
-void ZEXPORT gzclearerr (file)
- gzFile file;
-{
- gz_stream *s = (gz_stream*)file;
-
- if (s == NULL) return;
- if (s->z_err != Z_STREAM_END) s->z_err = Z_OK;
- s->z_eof = 0;
- clearerr(s->file);
-}
diff --git a/security/nss/lib/zlib/gzlib.c b/security/nss/lib/zlib/gzlib.c
new file mode 100644
index 00000000000..603e60ed544
--- /dev/null
+++ b/security/nss/lib/zlib/gzlib.c
@@ -0,0 +1,537 @@
+/* gzlib.c -- zlib functions common to reading and writing gzip files
+ * Copyright (C) 2004, 2010 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+#include "gzguts.h"
+
+#if defined(_LARGEFILE64_SOURCE) && _LFS64_LARGEFILE-0
+# define LSEEK lseek64
+#else
+# define LSEEK lseek
+#endif
+
+/* Local functions */
+local void gz_reset OF((gz_statep));
+local gzFile gz_open OF((const char *, int, const char *));
+
+#if defined UNDER_CE
+
+/* Map the Windows error number in ERROR to a locale-dependent error message
+ string and return a pointer to it. Typically, the values for ERROR come
+ from GetLastError.
+
+ The string pointed to shall not be modified by the application, but may be
+ overwritten by a subsequent call to gz_strwinerror
+
+ The gz_strwinerror function does not change the current setting of
+ GetLastError. */
+char ZLIB_INTERNAL *gz_strwinerror (error)
+ DWORD error;
+{
+ static char buf[1024];
+
+ wchar_t *msgbuf;
+ DWORD lasterr = GetLastError();
+ DWORD chars = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM
+ | FORMAT_MESSAGE_ALLOCATE_BUFFER,
+ NULL,
+ error,
+ 0, /* Default language */
+ (LPVOID)&msgbuf,
+ 0,
+ NULL);
+ if (chars != 0) {
+ /* If there is an \r\n appended, zap it. */
+ if (chars >= 2
+ && msgbuf[chars - 2] == '\r' && msgbuf[chars - 1] == '\n') {
+ chars -= 2;
+ msgbuf[chars] = 0;
+ }
+
+ if (chars > sizeof (buf) - 1) {
+ chars = sizeof (buf) - 1;
+ msgbuf[chars] = 0;
+ }
+
+ wcstombs(buf, msgbuf, chars + 1);
+ LocalFree(msgbuf);
+ }
+ else {
+ sprintf(buf, "unknown win32 error (%ld)", error);
+ }
+
+ SetLastError(lasterr);
+ return buf;
+}
+
+#endif /* UNDER_CE */
+
+/* Reset gzip file state */
+local void gz_reset(state)
+ gz_statep state;
+{
+ if (state->mode == GZ_READ) { /* for reading ...
*/
+ state->have = 0; /* no output data available */
+ state->eof = 0; /* not at end of file */
+ state->how = LOOK; /* look for gzip header */
+ state->direct = 1; /* default for empty file */
+ }
+ state->seek = 0; /* no seek request pending */
+ gz_error(state, Z_OK, NULL); /* clear error */
+ state->pos = 0; /* no uncompressed data yet */
+ state->strm.avail_in = 0; /* no input data yet */
+}
+
+/* Open a gzip file either by name or file descriptor. */
+local gzFile gz_open(path, fd, mode)
+ const char *path;
+ int fd;
+ const char *mode;
+{
+ gz_statep state;
+
+ /* allocate gzFile structure to return */
+ state = malloc(sizeof(gz_state));
+ if (state == NULL)
+ return NULL;
+ state->size = 0; /* no buffers allocated yet */
+ state->want = GZBUFSIZE; /* requested buffer size */
+ state->msg = NULL; /* no error message yet */
+
+ /* interpret mode */
+ state->mode = GZ_NONE;
+ state->level = Z_DEFAULT_COMPRESSION;
+ state->strategy = Z_DEFAULT_STRATEGY;
+ while (*mode) {
+ if (*mode >= '0' && *mode <= '9')
+ state->level = *mode - '0';
+ else
+ switch (*mode) {
+ case 'r':
+ state->mode = GZ_READ;
+ break;
+#ifndef NO_GZCOMPRESS
+ case 'w':
+ state->mode = GZ_WRITE;
+ break;
+ case 'a':
+ state->mode = GZ_APPEND;
+ break;
+#endif
+ case '+': /* can't read and write at the same time */
+ free(state);
+ return NULL;
+ case 'b': /* ignore -- will request binary anyway */
+ break;
+ case 'f':
+ state->strategy = Z_FILTERED;
+ break;
+ case 'h':
+ state->strategy = Z_HUFFMAN_ONLY;
+ break;
+ case 'R':
+ state->strategy = Z_RLE;
+ break;
+ case 'F':
+ state->strategy = Z_FIXED;
+ default: /* could consider as an error, but just ignore */
+ ;
+ }
+ mode++;
+ }
+
+ /* must provide an "r", "w", or "a" */
+ if (state->mode == GZ_NONE) {
+ free(state);
+ return NULL;
+ }
+
+ /* save the path name for error messages */
+ state->path = malloc(strlen(path) + 1);
+ if (state->path == NULL) {
+ free(state);
+ return NULL;
+ }
+ strcpy(state->path, path);
+
+ /* open the file
with the appropriate mode (or just use fd) */
+ state->fd = fd != -1 ? fd :
+ open(path,
+#ifdef O_LARGEFILE
+ O_LARGEFILE |
+#endif
+#ifdef O_BINARY
+ O_BINARY |
+#endif
+ (state->mode == GZ_READ ?
+ O_RDONLY :
+ (O_WRONLY | O_CREAT | (
+ state->mode == GZ_WRITE ?
+ O_TRUNC :
+ O_APPEND))),
+ 0666);
+ if (state->fd == -1) {
+ free(state->path);
+ free(state);
+ return NULL;
+ }
+ if (state->mode == GZ_APPEND)
+ state->mode = GZ_WRITE; /* simplify later checks */
+
+ /* save the current position for rewinding (only if reading) */
+ if (state->mode == GZ_READ) {
+ state->start = LSEEK(state->fd, 0, SEEK_CUR);
+ if (state->start == -1) state->start = 0;
+ }
+
+ /* initialize stream */
+ gz_reset(state);
+
+ /* return stream */
+ return (gzFile)state;
+}
+
+/* -- see zlib.h -- */
+gzFile ZEXPORT gzopen(path, mode)
+ const char *path;
+ const char *mode;
+{
+ return gz_open(path, -1, mode);
+}
+
+/* -- see zlib.h -- */
+gzFile ZEXPORT gzopen64(path, mode)
+ const char *path;
+ const char *mode;
+{
+ return gz_open(path, -1, mode);
+}
+
+/* -- see zlib.h -- */
+gzFile ZEXPORT gzdopen(fd, mode)
+ int fd;
+ const char *mode;
+{
+ char *path; /* identifier for error messages */
+ gzFile gz;
+
+ if (fd == -1 || (path = malloc(7 + 3 * sizeof(int))) == NULL)
+ return NULL;
+ sprintf(path, "", fd); /* for debugging */
+ gz = gz_open(path, fd, mode);
+ free(path);
+ return gz;
+}
+
+/* -- see zlib.h -- */
+int ZEXPORT gzbuffer(file, size)
+ gzFile file;
+ unsigned size;
+{
+ gz_statep state;
+
+ /* get internal structure and check integrity */
+ if (file == NULL)
+ return -1;
+ state = (gz_statep)file;
+ if (state->mode != GZ_READ && state->mode != GZ_WRITE)
+ return -1;
+
+ /* make sure we haven't already allocated memory */
+ if (state->size != 0)
+ return -1;
+
+ /* check and set requested size */
+ if (size == 0)
+ return -1;
+ state->want = size;
+ return 0;
+}
+
+/* -- see zlib.h -- */
+int ZEXPORT gzrewind(file)
+ gzFile file;
+{
+ gz_statep state;
+
+ /* get internal
structure */
+ if (file == NULL)
+ return -1;
+ state = (gz_statep)file;
+
+ /* check that we're reading and that there's no error */
+ if (state->mode != GZ_READ || state->err != Z_OK)
+ return -1;
+
+ /* back up and start over */
+ if (LSEEK(state->fd, state->start, SEEK_SET) == -1)
+ return -1;
+ gz_reset(state);
+ return 0;
+}
+
+/* -- see zlib.h -- */
+z_off64_t ZEXPORT gzseek64(file, offset, whence)
+ gzFile file;
+ z_off64_t offset;
+ int whence;
+{
+ unsigned n;
+ z_off64_t ret;
+ gz_statep state;
+
+ /* get internal structure and check integrity */
+ if (file == NULL)
+ return -1;
+ state = (gz_statep)file;
+ if (state->mode != GZ_READ && state->mode != GZ_WRITE)
+ return -1;
+
+ /* check that there's no error */
+ if (state->err != Z_OK)
+ return -1;
+
+ /* can only seek from start or relative to current position */
+ if (whence != SEEK_SET && whence != SEEK_CUR)
+ return -1;
+
+ /* normalize offset to a SEEK_CUR specification */
+ if (whence == SEEK_SET)
+ offset -= state->pos;
+ else if (state->seek)
+ offset += state->skip;
+ state->seek = 0;
+
+ /* if within raw area while reading, just go there */
+ if (state->mode == GZ_READ && state->how == COPY &&
+ state->pos + offset >= state->raw) {
+ ret = LSEEK(state->fd, offset - state->have, SEEK_CUR);
+ if (ret == -1)
+ return -1;
+ state->have = 0;
+ state->eof = 0;
+ state->seek = 0;
+ gz_error(state, Z_OK, NULL);
+ state->strm.avail_in = 0;
+ state->pos += offset;
+ return state->pos;
+ }
+
+ /* calculate skip amount, rewinding if needed for back seek when reading */
+ if (offset < 0) {
+ if (state->mode != GZ_READ) /* writing -- can't go backwards */
+ return -1;
+ offset += state->pos;
+ if (offset < 0) /* before start of file! */
+ return -1;
+ if (gzrewind(file) == -1) /* rewind, then skip to offset */
+ return -1;
+ }
+
+ /* if reading, skip what's in output buffer (one less gzgetc() check) */
+ if (state->mode == GZ_READ) {
+ n = GT_OFF(state->have) || (z_off64_t)state->have > offset ?
+ (unsigned)offset : state->have;
+ state->have -= n;
+ state->next += n;
+ state->pos += n;
+ offset -= n;
+ }
+
+ /* request skip (if not zero) */
+ if (offset) {
+ state->seek = 1;
+ state->skip = offset;
+ }
+ return state->pos + offset;
+}
+
+/* -- see zlib.h -- */
+z_off_t ZEXPORT gzseek(file, offset, whence)
+ gzFile file;
+ z_off_t offset;
+ int whence;
+{
+ z_off64_t ret;
+
+ ret = gzseek64(file, (z_off64_t)offset, whence);
+ return ret == (z_off_t)ret ? (z_off_t)ret : -1;
+}
+
+/* -- see zlib.h -- */
+z_off64_t ZEXPORT gztell64(file)
+ gzFile file;
+{
+ gz_statep state;
+
+ /* get internal structure and check integrity */
+ if (file == NULL)
+ return -1;
+ state = (gz_statep)file;
+ if (state->mode != GZ_READ && state->mode != GZ_WRITE)
+ return -1;
+
+ /* return position */
+ return state->pos + (state->seek ? state->skip : 0);
+}
+
+/* -- see zlib.h -- */
+z_off_t ZEXPORT gztell(file)
+ gzFile file;
+{
+ z_off64_t ret;
+
+ ret = gztell64(file);
+ return ret == (z_off_t)ret ? (z_off_t)ret : -1;
+}
+
+/* -- see zlib.h -- */
+z_off64_t ZEXPORT gzoffset64(file)
+ gzFile file;
+{
+ z_off64_t offset;
+ gz_statep state;
+
+ /* get internal structure and check integrity */
+ if (file == NULL)
+ return -1;
+ state = (gz_statep)file;
+ if (state->mode != GZ_READ && state->mode != GZ_WRITE)
+ return -1;
+
+ /* compute and return effective offset in file */
+ offset = LSEEK(state->fd, 0, SEEK_CUR);
+ if (offset == -1)
+ return -1;
+ if (state->mode == GZ_READ) /* reading */
+ offset -= state->strm.avail_in; /* don't count buffered input */
+ return offset;
+}
+
+/* -- see zlib.h -- */
+z_off_t ZEXPORT gzoffset(file)
+ gzFile file;
+{
+ z_off64_t ret;
+
+ ret = gzoffset64(file);
+ return ret == (z_off_t)ret ?
(z_off_t)ret : -1;
+}
+
+/* -- see zlib.h -- */
+int ZEXPORT gzeof(file)
+ gzFile file;
+{
+ gz_statep state;
+
+ /* get internal structure and check integrity */
+ if (file == NULL)
+ return 0;
+ state = (gz_statep)file;
+ if (state->mode != GZ_READ && state->mode != GZ_WRITE)
+ return 0;
+
+ /* return end-of-file state */
+ return state->mode == GZ_READ ?
+ (state->eof && state->strm.avail_in == 0 && state->have == 0) : 0;
+}
+
+/* -- see zlib.h -- */
+const char * ZEXPORT gzerror(file, errnum)
+ gzFile file;
+ int *errnum;
+{
+ gz_statep state;
+
+ /* get internal structure and check integrity */
+ if (file == NULL)
+ return NULL;
+ state = (gz_statep)file;
+ if (state->mode != GZ_READ && state->mode != GZ_WRITE)
+ return NULL;
+
+ /* return error information */
+ if (errnum != NULL)
+ *errnum = state->err;
+ return state->msg == NULL ? "" : state->msg;
+}
+
+/* -- see zlib.h -- */
+void ZEXPORT gzclearerr(file)
+ gzFile file;
+{
+ gz_statep state;
+
+ /* get internal structure and check integrity */
+ if (file == NULL)
+ return;
+ state = (gz_statep)file;
+ if (state->mode != GZ_READ && state->mode != GZ_WRITE)
+ return;
+
+ /* clear error and end-of-file */
+ if (state->mode == GZ_READ)
+ state->eof = 0;
+ gz_error(state, Z_OK, NULL);
+}
+
+/* Create an error message in allocated memory and set state->err and
+ state->msg accordingly. Free any previous error message already there. Do
+ not try to free or allocate space if the error is Z_MEM_ERROR (out of
+ memory). Simply save the error message as a static string. If there is an
+ allocation failure constructing the error message, then convert the error to
+ out of memory.
*/
+void ZLIB_INTERNAL gz_error(state, err, msg)
+ gz_statep state;
+ int err;
+ const char *msg;
+{
+ /* free previously allocated message and clear */
+ if (state->msg != NULL) {
+ if (state->err != Z_MEM_ERROR)
+ free(state->msg);
+ state->msg = NULL;
+ }
+
+ /* set error code, and if no message, then done */
+ state->err = err;
+ if (msg == NULL)
+ return;
+
+ /* for an out of memory error, save as static string */
+ if (err == Z_MEM_ERROR) {
+ state->msg = (char *)msg;
+ return;
+ }
+
+ /* construct error message with path */
+ if ((state->msg = malloc(strlen(state->path) + strlen(msg) + 3)) == NULL) {
+ state->err = Z_MEM_ERROR;
+ state->msg = (char *)"out of memory";
+ return;
+ }
+ strcpy(state->msg, state->path);
+ strcat(state->msg, ": ");
+ strcat(state->msg, msg);
+ return;
+}
+
+#ifndef INT_MAX
+/* portably return maximum value for an int (when limits.h presumed not
+ available) -- we need to do this to cover cases where 2's complement not
+ used, since C standard permits 1's complement and sign-bit representations,
+ otherwise we could just use ((unsigned)-1) >> 1 */
+unsigned ZLIB_INTERNAL gz_intmax()
+{
+ unsigned p, q;
+
+ p = 1;
+ do {
+ q = p;
+ p <<= 1;
+ p++;
+ } while (p > q);
+ return q >> 1;
+}
+#endif
diff --git a/security/nss/lib/zlib/gzread.c b/security/nss/lib/zlib/gzread.c
new file mode 100644
index 00000000000..548201ab009
--- /dev/null
+++ b/security/nss/lib/zlib/gzread.c
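Review bot: In gz_open, the write and append paths call `open()` with `O_WRONLY | O_CREAT | O_TRUNC` (or `O_APPEND`) and mode `0666`, with no `O_EXCL`, `O_NOFOLLOW` or `O_CLOEXEC`, so the new file's permissions depend entirely on the caller's umask, an existing symlink at `path` is followed (and truncated in "w" mode), and the descriptor stays open across exec. This reads like an imported upstream zlib source (Mark Adler copyright header), so I would not patch the flags locally; document the behaviour at the entry point instead, e.g. above gzopen: `/* creates with 0666 & ~umask and follows symlinks; for sensitive output open the file yourself and pass the fd to gzdopen() */`. gzdopen() in this same file already hands a caller-supplied fd straight to gz_open, which skips the `open()` call, so callers that need exclusive creation or restrictive modes have a path that does not touch this code. Separately, `case 'F':` in the mode switch has no `break;` and falls into `default:`; that is harmless today because `default` is an empty statement, but a `break;` after `state->strategy = Z_FIXED;` would make the intent explicit.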
@@ -0,0 +1,653 @@ +/* gzread.c -- zlib functions for reading gzip files + * Copyright (C) 2004, 2005, 2010 Mark Adler + * For conditions of distribution and use, see copyright notice in zlib.h + */ + +#include "gzguts.h" + +/* Local functions */ +local int gz_load OF((gz_statep, unsigned char *, unsigned, unsigned *)); +local int gz_avail OF((gz_statep)); +local int gz_next4 OF((gz_statep, unsigned long *)); +local int gz_head OF((gz_statep)); +local int gz_decomp OF((gz_statep)); +local int gz_make OF((gz_statep)); +local int gz_skip OF((gz_statep, z_off64_t)); + +/* Use read() to load a buffer -- return -1 on error, otherwise 0. Read from + state->fd, and update state->eof, state->err, and state->msg as appropriate. + This function needs to loop on read(), since read() is not guaranteed to + read the number of bytes requested, depending on the type of descriptor. */ +local int gz_load(state, buf, len, have) + gz_statep state; + unsigned char *buf; + unsigned len; + unsigned *have; +{ + int ret; + + *have = 0; + do { + ret = read(state->fd, buf + *have, len - *have); + if (ret <= 0) + break; + *have += ret; + } while (*have < len); + if (ret < 0) { + gz_error(state, Z_ERRNO, zstrerror()); + return -1; + } + if (ret == 0) + state->eof = 1; + return 0; +} + +/* Load up input buffer and set eof flag if last data loaded -- return -1 on + error, 0 otherwise. Note that the eof flag is set when the end of the input + file is reached, even though there may be unused data in the buffer. Once + that data has been used, no more attempts will be made to read the file. + gz_avail() assumes that strm->avail_in == 0. */ +local int gz_avail(state) + gz_statep state; +{ + z_streamp strm = &(state->strm); + + if (state->err != Z_OK) + return -1; + if (state->eof == 0) { + if (gz_load(state, state->in, state->size, + (unsigned *)&(strm->avail_in)) == -1) + return -1; + strm->next_in = state->in; + } + return 0; +} + +/* Get next byte from input, or -1 if end or error. 
*/ +#define NEXT() ((strm->avail_in == 0 && gz_avail(state) == -1) ? -1 : \ + (strm->avail_in == 0 ? -1 : \ + (strm->avail_in--, *(strm->next_in)++))) + +/* Get a four-byte little-endian integer and return 0 on success and the value + in *ret. Otherwise -1 is returned and *ret is not modified. */ +local int gz_next4(state, ret) + gz_statep state; + unsigned long *ret; +{ + int ch; + unsigned long val; + z_streamp strm = &(state->strm); + + val = NEXT(); + val += (unsigned)NEXT() << 8; + val += (unsigned long)NEXT() << 16; + ch = NEXT(); + if (ch == -1) + return -1; + val += (unsigned long)ch << 24; + *ret = val; + return 0; +} + +/* Look for gzip header, set up for inflate or copy. state->have must be zero. + If this is the first time in, allocate required memory. state->how will be + left unchanged if there is no more input data available, will be set to COPY + if there is no gzip header and direct copying will be performed, or it will + be set to GZIP for decompression, and the gzip header will be skipped so + that the next available input data is the raw deflate stream. If direct + copying, then leftover input data from the input buffer will be copied to + the output buffer. In that case, all further file reads will be directly to + either the output buffer or a user buffer. If decompressing, the inflate + state and the check value will be initialized. gz_head() will return 0 on + success or -1 on failure. Failures may include read errors or gzip header + errors. 
*/ +local int gz_head(state) + gz_statep state; +{ + z_streamp strm = &(state->strm); + int flags; + unsigned len; + + /* allocate read buffers and inflate memory */ + if (state->size == 0) { + /* allocate buffers */ + state->in = malloc(state->want); + state->out = malloc(state->want << 1); + if (state->in == NULL || state->out == NULL) { + if (state->out != NULL) + free(state->out); + if (state->in != NULL) + free(state->in); + gz_error(state, Z_MEM_ERROR, "out of memory"); + return -1; + } + state->size = state->want; + + /* allocate inflate memory */ + state->strm.zalloc = Z_NULL; + state->strm.zfree = Z_NULL; + state->strm.opaque = Z_NULL; + state->strm.avail_in = 0; + state->strm.next_in = Z_NULL; + if (inflateInit2(&(state->strm), -15) != Z_OK) { /* raw inflate */ + free(state->out); + free(state->in); + state->size = 0; + gz_error(state, Z_MEM_ERROR, "out of memory"); + return -1; + } + } + + /* get some data in the input buffer */ + if (strm->avail_in == 0) { + if (gz_avail(state) == -1) + return -1; + if (strm->avail_in == 0) + return 0; + } + + /* look for the gzip magic header bytes 31 and 139 */ + if (strm->next_in[0] == 31) { + strm->avail_in--; + strm->next_in++; + if (strm->avail_in == 0 && gz_avail(state) == -1) + return -1; + if (strm->avail_in && strm->next_in[0] == 139) { + /* we have a gzip header, woo hoo! 
*/ + strm->avail_in--; + strm->next_in++; + + /* skip rest of header */ + if (NEXT() != 8) { /* compression method */ + gz_error(state, Z_DATA_ERROR, "unknown compression method"); + return -1; + } + flags = NEXT(); + if (flags & 0xe0) { /* reserved flag bits */ + gz_error(state, Z_DATA_ERROR, "unknown header flags set"); + return -1; + } + NEXT(); /* modification time */ + NEXT(); + NEXT(); + NEXT(); + NEXT(); /* extra flags */ + NEXT(); /* operating system */ + if (flags & 4) { /* extra field */ + len = (unsigned)NEXT(); + len += (unsigned)NEXT() << 8; + while (len--) + if (NEXT() < 0) + break; + } + if (flags & 8) /* file name */ + while (NEXT() > 0) + ; + if (flags & 16) /* comment */ + while (NEXT() > 0) + ; + if (flags & 2) { /* header crc */ + NEXT(); + NEXT(); + } + /* an unexpected end of file is not checked for here -- it will be + noticed on the first request for uncompressed data */ + + /* set up for decompression */ + inflateReset(strm); + strm->adler = crc32(0L, Z_NULL, 0); + state->how = GZIP; + state->direct = 0; + return 0; + } + else { + /* not a gzip file -- save first byte (31) and fall to raw i/o */ + state->out[0] = 31; + state->have = 1; + } + } + + /* doing raw i/o, save start of raw data for seeking, copy any leftover + input to output -- this assumes that the output buffer is larger than + the input buffer, which also assures space for gzungetc() */ + state->raw = state->pos; + state->next = state->out; + if (strm->avail_in) { + memcpy(state->next + state->have, strm->next_in, strm->avail_in); + state->have += strm->avail_in; + strm->avail_in = 0; + } + state->how = COPY; + state->direct = 1; + return 0; +} + +/* Decompress from input to the provided next_out and avail_out in the state. + If the end of the compressed data is reached, then verify the gzip trailer + check value and length (modulo 2^32). state->have and state->next are set + to point to the just decompressed data, and the crc is updated. 
If the + trailer is verified, state->how is reset to LOOK to look for the next gzip + stream or raw data, once state->have is depleted. Returns 0 on success, -1 + on failure. Failures may include invalid compressed data or a failed gzip + trailer verification. */ +local int gz_decomp(state) + gz_statep state; +{ + int ret; + unsigned had; + unsigned long crc, len; + z_streamp strm = &(state->strm); + + /* fill output buffer up to end of deflate stream */ + had = strm->avail_out; + do { + /* get more input for inflate() */ + if (strm->avail_in == 0 && gz_avail(state) == -1) + return -1; + if (strm->avail_in == 0) { + gz_error(state, Z_DATA_ERROR, "unexpected end of file"); + return -1; + } + + /* decompress and handle errors */ + ret = inflate(strm, Z_NO_FLUSH); + if (ret == Z_STREAM_ERROR || ret == Z_NEED_DICT) { + gz_error(state, Z_STREAM_ERROR, + "internal error: inflate stream corrupt"); + return -1; + } + if (ret == Z_MEM_ERROR) { + gz_error(state, Z_MEM_ERROR, "out of memory"); + return -1; + } + if (ret == Z_DATA_ERROR) { /* deflate stream invalid */ + gz_error(state, Z_DATA_ERROR, + strm->msg == NULL ? 
"compressed data error" : strm->msg); + return -1; + } + } while (strm->avail_out && ret != Z_STREAM_END); + + /* update available output and crc check value */ + state->have = had - strm->avail_out; + state->next = strm->next_out - state->have; + strm->adler = crc32(strm->adler, state->next, state->have); + + /* check gzip trailer if at end of deflate stream */ + if (ret == Z_STREAM_END) { + if (gz_next4(state, &crc) == -1 || gz_next4(state, &len) == -1) { + gz_error(state, Z_DATA_ERROR, "unexpected end of file"); + return -1; + } + if (crc != strm->adler) { + gz_error(state, Z_DATA_ERROR, "incorrect data check"); + return -1; + } + if (len != (strm->total_out & 0xffffffffL)) { + gz_error(state, Z_DATA_ERROR, "incorrect length check"); + return -1; + } + state->how = LOOK; /* ready for next stream, once have is 0 (leave + state->direct unchanged to remember how) */ + } + + /* good decompression */ + return 0; +} + +/* Make data and put in the output buffer. Assumes that state->have == 0. + Data is either copied from the input file or decompressed from the input + file depending on state->how. If state->how is LOOK, then a gzip header is + looked for (and skipped if found) to determine wither to copy or decompress. + Returns -1 on error, otherwise 0. gz_make() will leave state->have as COPY + or GZIP unless the end of the input file has been reached and all data has + been processed. 
*/ +local int gz_make(state) + gz_statep state; +{ + z_streamp strm = &(state->strm); + + if (state->how == LOOK) { /* look for gzip header */ + if (gz_head(state) == -1) + return -1; + if (state->have) /* got some data from gz_head() */ + return 0; + } + if (state->how == COPY) { /* straight copy */ + if (gz_load(state, state->out, state->size << 1, &(state->have)) == -1) + return -1; + state->next = state->out; + } + else if (state->how == GZIP) { /* decompress */ + strm->avail_out = state->size << 1; + strm->next_out = state->out; + if (gz_decomp(state) == -1) + return -1; + } + return 0; +} + +/* Skip len uncompressed bytes of output. Return -1 on error, 0 on success. */ +local int gz_skip(state, len) + gz_statep state; + z_off64_t len; +{ + unsigned n; + + /* skip over len bytes or reach end-of-file, whichever comes first */ + while (len) + /* skip over whatever is in output buffer */ + if (state->have) { + n = GT_OFF(state->have) || (z_off64_t)state->have > len ? + (unsigned)len : state->have; + state->have -= n; + state->next += n; + state->pos += n; + len -= n; + } + + /* output buffer empty -- return if we're at the end of the input */ + else if (state->eof && state->strm.avail_in == 0) + break; + + /* need more data to skip -- load up output buffer */ + else { + /* get more output, looking for header if required */ + if (gz_make(state) == -1) + return -1; + } + return 0; +} + +/* -- see zlib.h -- */ +int ZEXPORT gzread(file, buf, len) + gzFile file; + voidp buf; + unsigned len; +{ + unsigned got, n; + gz_statep state; + z_streamp strm; + + /* get internal structure */ + if (file == NULL) + return -1; + state = (gz_statep)file; + strm = &(state->strm); + + /* check that we're reading and that there's no error */ + if (state->mode != GZ_READ || state->err != Z_OK) + return -1; + + /* since an int is returned, make sure len fits in one, otherwise return + with an error (this avoids the flaw in the interface) */ + if ((int)len < 0) { + gz_error(state, 
Z_BUF_ERROR, "requested length does not fit in int"); + return -1; + } + + /* if len is zero, avoid unnecessary operations */ + if (len == 0) + return 0; + + /* process a skip request */ + if (state->seek) { + state->seek = 0; + if (gz_skip(state, state->skip) == -1) + return -1; + } + + /* get len bytes to buf, or less than len if at the end */ + got = 0; + do { + /* first just try copying data from the output buffer */ + if (state->have) { + n = state->have > len ? len : state->have; + memcpy(buf, state->next, n); + state->next += n; + state->have -= n; + } + + /* output buffer empty -- return if we're at the end of the input */ + else if (state->eof && strm->avail_in == 0) + break; + + /* need output data -- for small len or new stream load up our output + buffer */ + else if (state->how == LOOK || len < (state->size << 1)) { + /* get more output, looking for header if required */ + if (gz_make(state) == -1) + return -1; + continue; /* no progress yet -- go back to memcpy() above */ + /* the copy above assures that we will leave with space in the + output buffer, allowing at least one gzungetc() to succeed */ + } + + /* large len -- read directly into user buffer */ + else if (state->how == COPY) { /* read directly */ + if (gz_load(state, buf, len, &n) == -1) + return -1; + } + + /* large len -- decompress directly into user buffer */ + else { /* state->how == GZIP */ + strm->avail_out = len; + strm->next_out = buf; + if (gz_decomp(state) == -1) + return -1; + n = state->have; + state->have = 0; + } + + /* update progress */ + len -= n; + buf = (char *)buf + n; + got += n; + state->pos += n; + } while (len); + + /* return number of bytes read into user buffer (will fit in int) */ + return (int)got; +} + +/* -- see zlib.h -- */ +int ZEXPORT gzgetc(file) + gzFile file; +{ + int ret; + unsigned char buf[1]; + gz_statep state; + + /* get internal structure */ + if (file == NULL) + return -1; + state = (gz_statep)file; + + /* check that we're reading and that there's 
no error */ + if (state->mode != GZ_READ || state->err != Z_OK) + return -1; + + /* try output buffer (no need to check for skip request) */ + if (state->have) { + state->have--; + state->pos++; + return *(state->next)++; + } + + /* nothing there -- try gzread() */ + ret = gzread(file, buf, 1); + return ret < 1 ? -1 : buf[0]; +} + +/* -- see zlib.h -- */ +int ZEXPORT gzungetc(c, file) + int c; + gzFile file; +{ + gz_statep state; + + /* get internal structure */ + if (file == NULL) + return -1; + state = (gz_statep)file; + + /* check that we're reading and that there's no error */ + if (state->mode != GZ_READ || state->err != Z_OK) + return -1; + + /* process a skip request */ + if (state->seek) { + state->seek = 0; + if (gz_skip(state, state->skip) == -1) + return -1; + } + + /* can't push EOF */ + if (c < 0) + return -1; + + /* if output buffer empty, put byte at end (allows more pushing) */ + if (state->have == 0) { + state->have = 1; + state->next = state->out + (state->size << 1) - 1; + state->next[0] = c; + state->pos--; + return c; + } + + /* if no room, give up (must have already done a gzungetc()) */ + if (state->have == (state->size << 1)) { + gz_error(state, Z_BUF_ERROR, "out of room to push characters"); + return -1; + } + + /* slide output data if needed and insert byte before existing data */ + if (state->next == state->out) { + unsigned char *src = state->out + state->have; + unsigned char *dest = state->out + (state->size << 1); + while (src > state->out) + *--dest = *--src; + state->next = dest; + } + state->have++; + state->next--; + state->next[0] = c; + state->pos--; + return c; +} + +/* -- see zlib.h -- */ +char * ZEXPORT gzgets(file, buf, len) + gzFile file; + char *buf; + int len; +{ + unsigned left, n; + char *str; + unsigned char *eol; + gz_statep state; + + /* check parameters and get internal structure */ + if (file == NULL || buf == NULL || len < 1) + return NULL; + state = (gz_statep)file; + + /* check that we're reading and that 
there's no error */ + if (state->mode != GZ_READ || state->err != Z_OK) + return NULL; + + /* process a skip request */ + if (state->seek) { + state->seek = 0; + if (gz_skip(state, state->skip) == -1) + return NULL; + } + + /* copy output bytes up to new line or len - 1, whichever comes first -- + append a terminating zero to the string (we don't check for a zero in + the contents, let the user worry about that) */ + str = buf; + left = (unsigned)len - 1; + if (left) do { + /* assure that something is in the output buffer */ + if (state->have == 0) { + if (gz_make(state) == -1) + return NULL; /* error */ + if (state->have == 0) { /* end of file */ + if (buf == str) /* got bupkus */ + return NULL; + break; /* got something -- return it */ + } + } + + /* look for end-of-line in current output buffer */ + n = state->have > left ? left : state->have; + eol = memchr(state->next, '\n', n); + if (eol != NULL) + n = (unsigned)(eol - state->next) + 1; + + /* copy through end-of-line, or remainder if not found */ + memcpy(buf, state->next, n); + state->have -= n; + state->next += n; + state->pos += n; + left -= n; + buf += n; + } while (left && eol == NULL); + + /* found end-of-line or out of space -- terminate string and return it */ + buf[0] = 0; + return str; +} + +/* -- see zlib.h -- */ +int ZEXPORT gzdirect(file) + gzFile file; +{ + gz_statep state; + + /* get internal structure */ + if (file == NULL) + return 0; + state = (gz_statep)file; + + /* check that we're reading */ + if (state->mode != GZ_READ) + return 0; + + /* if the state is not known, but we can find out, then do so (this is + mainly for right after a gzopen() or gzdopen()) */ + if (state->how == LOOK && state->have == 0) + (void)gz_head(state); + + /* return 1 if reading direct, 0 if decompressing a gzip stream */ + return state->direct; +} + +/* -- see zlib.h -- */ +int ZEXPORT gzclose_r(file) + gzFile file; +{ + int ret; + gz_statep state; + + /* get internal structure */ + if (file == NULL) + return 
Z_STREAM_ERROR; + state = (gz_statep)file; + + /* check that we're reading */ + if (state->mode != GZ_READ) + return Z_STREAM_ERROR; + + /* free memory and close file */ + if (state->size) { + inflateEnd(&(state->strm)); + free(state->out); + free(state->in); + } + gz_error(state, Z_OK, NULL); + free(state->path); + ret = close(state->fd); + free(state); + return ret ? Z_ERRNO : Z_OK; +} diff --git a/security/nss/lib/zlib/gzwrite.c b/security/nss/lib/zlib/gzwrite.c new file mode 100644 index 00000000000..e8defc6887a --- /dev/null +++ b/security/nss/lib/zlib/gzwrite.c 
@@ -0,0 +1,531 @@ +/* gzwrite.c -- zlib functions for writing gzip files + * Copyright (C) 2004, 2005, 2010 Mark Adler + * For conditions of distribution and use, see copyright notice in zlib.h + */ + +#include "gzguts.h" + +/* Local functions */ +local int gz_init OF((gz_statep)); +local int gz_comp OF((gz_statep, int)); +local int gz_zero OF((gz_statep, z_off64_t)); + +/* Initialize state for writing a gzip file. Mark initialization by setting + state->size to non-zero. Return -1 on failure or 0 on success. */ +local int gz_init(state) + gz_statep state; +{ + int ret; + z_streamp strm = &(state->strm); + + /* allocate input and output buffers */ + state->in = malloc(state->want); + state->out = malloc(state->want); + if (state->in == NULL || state->out == NULL) { + if (state->out != NULL) + free(state->out); + if (state->in != NULL) + free(state->in); + gz_error(state, Z_MEM_ERROR, "out of memory"); + return -1; + } + + /* allocate deflate memory, set up for gzip compression */ + strm->zalloc = Z_NULL; + strm->zfree = Z_NULL; + strm->opaque = Z_NULL; + ret = deflateInit2(strm, state->level, Z_DEFLATED, + 15 + 16, 8, state->strategy); + if (ret != Z_OK) { + free(state->in); + gz_error(state, Z_MEM_ERROR, "out of memory"); + return -1; + } + + /* mark state as initialized */ + state->size = state->want; + + /* initialize write buffer */ + strm->avail_out = state->size; + strm->next_out = state->out; + state->next = strm->next_out; + return 0; +} + +/* Compress whatever is at avail_in and next_in and write to the output file. + Return -1 if there is an error writing to the output file, otherwise 0. + flush is assumed to be a valid deflate() flush value. If flush is Z_FINISH, + then the deflate() state is reset to start a new gzip stream. 
*/ +local int gz_comp(state, flush) + gz_statep state; + int flush; +{ + int ret, got; + unsigned have; + z_streamp strm = &(state->strm); + + /* allocate memory if this is the first time through */ + if (state->size == 0 && gz_init(state) == -1) + return -1; + + /* run deflate() on provided input until it produces no more output */ + ret = Z_OK; + do { + /* write out current buffer contents if full, or if flushing, but if + doing Z_FINISH then don't write until we get to Z_STREAM_END */ + if (strm->avail_out == 0 || (flush != Z_NO_FLUSH && + (flush != Z_FINISH || ret == Z_STREAM_END))) { + have = (unsigned)(strm->next_out - state->next); + if (have && ((got = write(state->fd, state->next, have)) < 0 || + (unsigned)got != have)) { + gz_error(state, Z_ERRNO, zstrerror()); + return -1; + } + if (strm->avail_out == 0) { + strm->avail_out = state->size; + strm->next_out = state->out; + } + state->next = strm->next_out; + } + + /* compress */ + have = strm->avail_out; + ret = deflate(strm, flush); + if (ret == Z_STREAM_ERROR) { + gz_error(state, Z_STREAM_ERROR, + "internal error: deflate stream corrupt"); + return -1; + } + have -= strm->avail_out; + } while (have); + + /* if that completed a deflate stream, allow another to start */ + if (flush == Z_FINISH) + deflateReset(strm); + + /* all done, no errors */ + return 0; +} + +/* Compress len zeros to output. Return -1 on error, 0 on success. */ +local int gz_zero(state, len) + gz_statep state; + z_off64_t len; +{ + int first; + unsigned n; + z_streamp strm = &(state->strm); + + /* consume whatever's left in the input buffer */ + if (strm->avail_in && gz_comp(state, Z_NO_FLUSH) == -1) + return -1; + + /* compress len zeros (len guaranteed > 0) */ + first = 1; + while (len) { + n = GT_OFF(state->size) || (z_off64_t)state->size > len ? 
+ (unsigned)len : state->size; + if (first) { + memset(state->in, 0, n); + first = 0; + } + strm->avail_in = n; + strm->next_in = state->in; + state->pos += n; + if (gz_comp(state, Z_NO_FLUSH) == -1) + return -1; + len -= n; + } + return 0; +} + +/* -- see zlib.h -- */ +int ZEXPORT gzwrite(file, buf, len) + gzFile file; + voidpc buf; + unsigned len; +{ + unsigned put = len; + unsigned n; + gz_statep state; + z_streamp strm; + + /* get internal structure */ + if (file == NULL) + return 0; + state = (gz_statep)file; + strm = &(state->strm); + + /* check that we're writing and that there's no error */ + if (state->mode != GZ_WRITE || state->err != Z_OK) + return 0; + + /* since an int is returned, make sure len fits in one, otherwise return + with an error (this avoids the flaw in the interface) */ + if ((int)len < 0) { + gz_error(state, Z_BUF_ERROR, "requested length does not fit in int"); + return 0; + } + + /* if len is zero, avoid unnecessary operations */ + if (len == 0) + return 0; + + /* allocate memory if this is the first time through */ + if (state->size == 0 && gz_init(state) == -1) + return 0; + + /* check for seek request */ + if (state->seek) { + state->seek = 0; + if (gz_zero(state, state->skip) == -1) + return 0; + } + + /* for small len, copy to input buffer, otherwise compress directly */ + if (len < state->size) { + /* copy to input buffer, compress when full */ + do { + if (strm->avail_in == 0) + strm->next_in = state->in; + n = state->size - strm->avail_in; + if (n > len) + n = len; + memcpy(strm->next_in + strm->avail_in, buf, n); + strm->avail_in += n; + state->pos += n; + buf = (char *)buf + n; + len -= n; + if (len && gz_comp(state, Z_NO_FLUSH) == -1) + return 0; + } while (len); + } + else { + /* consume whatever's left in the input buffer */ + if (strm->avail_in && gz_comp(state, Z_NO_FLUSH) == -1) + return 0; + + /* directly compress user buffer to file */ + strm->avail_in = len; + strm->next_in = (voidp)buf; + state->pos += len; + if 
(gz_comp(state, Z_NO_FLUSH) == -1) + return 0; + } + + /* input was all buffered or compressed (put will fit in int) */ + return (int)put; +} + +/* -- see zlib.h -- */ +int ZEXPORT gzputc(file, c) + gzFile file; + int c; +{ + unsigned char buf[1]; + gz_statep state; + z_streamp strm; + + /* get internal structure */ + if (file == NULL) + return -1; + state = (gz_statep)file; + strm = &(state->strm); + + /* check that we're writing and that there's no error */ + if (state->mode != GZ_WRITE || state->err != Z_OK) + return -1; + + /* check for seek request */ + if (state->seek) { + state->seek = 0; + if (gz_zero(state, state->skip) == -1) + return -1; + } + + /* try writing to input buffer for speed (state->size == 0 if buffer not + initialized) */ + if (strm->avail_in < state->size) { + if (strm->avail_in == 0) + strm->next_in = state->in; + strm->next_in[strm->avail_in++] = c; + state->pos++; + return c; + } + + /* no room in buffer or not initialized, use gz_write() */ + buf[0] = c; + if (gzwrite(file, buf, 1) != 1) + return -1; + return c; +} + +/* -- see zlib.h -- */ +int ZEXPORT gzputs(file, str) + gzFile file; + const char *str; +{ + int ret; + unsigned len; + + /* write string */ + len = (unsigned)strlen(str); + ret = gzwrite(file, str, len); + return ret == 0 && len != 0 ? -1 : ret; +} + +#ifdef STDC +#include + +/* -- see zlib.h -- */ +int ZEXPORTVA gzprintf (gzFile file, const char *format, ...) 
+{ + int size, len; + gz_statep state; + z_streamp strm; + va_list va; + + /* get internal structure */ + if (file == NULL) + return -1; + state = (gz_statep)file; + strm = &(state->strm); + + /* check that we're writing and that there's no error */ + if (state->mode != GZ_WRITE || state->err != Z_OK) + return 0; + + /* make sure we have some buffer space */ + if (state->size == 0 && gz_init(state) == -1) + return 0; + + /* check for seek request */ + if (state->seek) { + state->seek = 0; + if (gz_zero(state, state->skip) == -1) + return 0; + } + + /* consume whatever's left in the input buffer */ + if (strm->avail_in && gz_comp(state, Z_NO_FLUSH) == -1) + return 0; + + /* do the printf() into the input buffer, put length in len */ + size = (int)(state->size); + state->in[size - 1] = 0; + va_start(va, format); +#ifdef NO_vsnprintf +# ifdef HAS_vsprintf_void + (void)vsprintf(state->in, format, va); + va_end(va); + for (len = 0; len < size; len++) + if (state->in[len] == 0) break; +# else + len = vsprintf(state->in, format, va); + va_end(va); +# endif +#else +# ifdef HAS_vsnprintf_void + (void)vsnprintf(state->in, size, format, va); + va_end(va); + len = strlen(state->in); +# else + len = vsnprintf((char *)(state->in), size, format, va); + va_end(va); +# endif +#endif + + /* check that printf() results fit in buffer */ + if (len <= 0 || len >= (int)size || state->in[size - 1] != 0) + return 0; + + /* update buffer and position, defer compression until needed */ + strm->avail_in = (unsigned)len; + strm->next_in = state->in; + state->pos += len; + return len; +} + +#else /* !STDC */ + +/* -- see zlib.h -- */ +int ZEXPORTVA gzprintf (file, format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, + a11, a12, a13, a14, a15, a16, a17, a18, a19, a20) + gzFile file; + const char *format; + int a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, + a11, a12, a13, a14, a15, a16, a17, a18, a19, a20; +{ + int size, len; + gz_statep state; + z_streamp strm; + + /* get internal structure */ + if 
(file == NULL) + return -1; + state = (gz_statep)file; + strm = &(state->strm); + + /* check that we're writing and that there's no error */ + if (state->mode != GZ_WRITE || state->err != Z_OK) + return 0; + + /* make sure we have some buffer space */ + if (state->size == 0 && gz_init(state) == -1) + return 0; + + /* check for seek request */ + if (state->seek) { + state->seek = 0; + if (gz_zero(state, state->skip) == -1) + return 0; + } + + /* consume whatever's left in the input buffer */ + if (strm->avail_in && gz_comp(state, Z_NO_FLUSH) == -1) + return 0; + + /* do the printf() into the input buffer, put length in len */ + size = (int)(state->size); + state->in[size - 1] = 0; +#ifdef NO_snprintf +# ifdef HAS_sprintf_void + sprintf(state->in, format, a1, a2, a3, a4, a5, a6, a7, a8, + a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20); + for (len = 0; len < size; len++) + if (state->in[len] == 0) break; +# else + len = sprintf(state->in, format, a1, a2, a3, a4, a5, a6, a7, a8, + a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20); +# endif +#else +# ifdef HAS_snprintf_void + snprintf(state->in, size, format, a1, a2, a3, a4, a5, a6, a7, a8, + a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20); + len = strlen(state->in); +# else + len = snprintf(state->in, size, format, a1, a2, a3, a4, a5, a6, a7, a8, + a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20); +# endif +#endif + + /* check that printf() results fit in buffer */ + if (len <= 0 || len >= (int)size || state->in[size - 1] != 0) + return 0; + + /* update buffer and position, defer compression until needed */ + strm->avail_in = (unsigned)len; + strm->next_in = state->in; + state->pos += len; + return len; +} + +#endif + +/* -- see zlib.h -- */ +int ZEXPORT gzflush(file, flush) + gzFile file; + int flush; +{ + gz_statep state; + + /* get internal structure */ + if (file == NULL) + return -1; + state = (gz_statep)file; + + /* check that we're writing and that there's no error */ + 
if (state->mode != GZ_WRITE || state->err != Z_OK) + return Z_STREAM_ERROR; + + /* check flush parameter */ + if (flush < 0 || flush > Z_FINISH) + return Z_STREAM_ERROR; + + /* check for seek request */ + if (state->seek) { + state->seek = 0; + if (gz_zero(state, state->skip) == -1) + return -1; + } + + /* compress remaining data with requested flush */ + gz_comp(state, flush); + return state->err; +} + +/* -- see zlib.h -- */ +int ZEXPORT gzsetparams(file, level, strategy) + gzFile file; + int level; + int strategy; +{ + gz_statep state; + z_streamp strm; + + /* get internal structure */ + if (file == NULL) + return Z_STREAM_ERROR; + state = (gz_statep)file; + strm = &(state->strm); + + /* check that we're writing and that there's no error */ + if (state->mode != GZ_WRITE || state->err != Z_OK) + return Z_STREAM_ERROR; + + /* if no change is requested, then do nothing */ + if (level == state->level && strategy == state->strategy) + return Z_OK; + + /* check for seek request */ + if (state->seek) { + state->seek = 0; + if (gz_zero(state, state->skip) == -1) + return -1; + } + + /* change compression parameters for subsequent input */ + if (state->size) { + /* flush previous input with previous parameters before changing */ + if (strm->avail_in && gz_comp(state, Z_PARTIAL_FLUSH) == -1) + return state->err; + deflateParams(strm, level, strategy); + } + state->level = level; + state->strategy = strategy; + return Z_OK; +} + +/* -- see zlib.h -- */ +int ZEXPORT gzclose_w(file) + gzFile file; +{ + int ret = 0; + gz_statep state; + + /* get internal structure */ + if (file == NULL) + return Z_STREAM_ERROR; + state = (gz_statep)file; + + /* check that we're writing */ + if (state->mode != GZ_WRITE) + return Z_STREAM_ERROR; + + /* check for seek request */ + if (state->seek) { + state->seek = 0; + ret += gz_zero(state, state->skip); + } + + /* flush, free memory, and close file */ + ret += gz_comp(state, Z_FINISH); + (void)deflateEnd(&(state->strm)); + free(state->out); + 
free(state->in); + gz_error(state, Z_OK, NULL); + free(state->path); + ret += close(state->fd); + free(state); + return ret ? Z_ERRNO : Z_OK; +} diff --git a/security/nss/lib/zlib/infback.c b/security/nss/lib/zlib/infback.c index 455dbc9ee84..af3a8c965d5 100644 --- a/security/nss/lib/zlib/infback.c +++ b/security/nss/lib/zlib/infback.c @@ -1,5 +1,5 @@ /* infback.c -- inflate using a call-back interface - * Copyright (C) 1995-2005 Mark Adler + * Copyright (C) 1995-2009 Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ @@ -55,7 +55,7 @@ int stream_size; state->wbits = windowBits; state->wsize = 1U << windowBits; state->window = window; - state->write = 0; + state->wnext = 0; state->whave = 0; return Z_OK; } @@ -253,7 +253,7 @@ void FAR *out_desc; unsigned bits; /* bits in bit buffer */ unsigned copy; /* number of stored or match bytes to copy */ unsigned char FAR *from; /* where to copy match bytes from */ - code this; /* current decoding table entry */ + code here; /* current decoding table entry */ code last; /* parent table entry */ unsigned len; /* length to copy for repeats, bits to drop */ int ret; /* return code */ @@ -389,19 +389,19 @@ void FAR *out_desc; state->have = 0; while (state->have < state->nlen + state->ndist) { for (;;) { - this = state->lencode[BITS(state->lenbits)]; - if ((unsigned)(this.bits) <= bits) break; + here = state->lencode[BITS(state->lenbits)]; + if ((unsigned)(here.bits) <= bits) break; PULLBYTE(); } - if (this.val < 16) { - NEEDBITS(this.bits); - DROPBITS(this.bits); - state->lens[state->have++] = this.val; + if (here.val < 16) { + NEEDBITS(here.bits); + DROPBITS(here.bits); + state->lens[state->have++] = here.val; } else { - if (this.val == 16) { - NEEDBITS(this.bits + 2); - DROPBITS(this.bits); + if (here.val == 16) { + NEEDBITS(here.bits + 2); + DROPBITS(here.bits); if (state->have == 0) { strm->msg = (char *)"invalid bit length repeat"; state->mode = BAD; 
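Review bot: In the new gzwrite.c, both failure paths of `gz_init` free `state->in`/`state->out` without clearing them, and the `deflateInit2` failure branch frees only `state->in`, so `state->out` leaks. `gzclose_w` then runs `free(state->out); free(state->in);` unconditionally, so after a failed init (with `state->size` still 0) a later close can free the same pointer twice. I would add `free(state->out);` to the `deflateInit2` failure branch and wrap the `deflateEnd`/`free` teardown in `gzclose_w` in `if (state->size) { ... }`, as `gzclose_r` in gzread.c of this same patch already does. `deflateEnd` is also reached on a stream that may never have been initialised; whether that is harmless depends on code outside this hunk.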
@@ -411,16 +411,16 @@ void FAR *out_desc; copy = 3 + BITS(2); DROPBITS(2); } - else if (this.val == 17) { - NEEDBITS(this.bits + 3); - DROPBITS(this.bits); + else if (here.val == 17) { + NEEDBITS(here.bits + 3); + DROPBITS(here.bits); len = 0; copy = 3 + BITS(3); DROPBITS(3); } else { - NEEDBITS(this.bits + 7); - DROPBITS(this.bits); + NEEDBITS(here.bits + 7); + DROPBITS(here.bits); len = 0; copy = 11 + BITS(7); DROPBITS(7); @@ -438,7 +438,16 @@ void FAR *out_desc; /* handle error breaks in while */ if (state->mode == BAD) break; - /* build code tables */ + /* check for end-of-block code (better have one) */ + if (state->lens[256] == 0) { + strm->msg = (char *)"invalid code -- missing end-of-block"; + state->mode = BAD; + break; + } + + /* build code tables -- note: do not change the lenbits or distbits + values here (9 and 6) without reading the comments in inftrees.h + concerning the ENOUGH constants, which depend on those values */ state->next = state->codes; state->lencode = (code const FAR *)(state->next); state->lenbits = 9; 
@@ -474,28 +483,28 @@ void FAR *out_desc; /* get a literal, length, or end-of-block code */ for (;;) { - this = state->lencode[BITS(state->lenbits)]; - if ((unsigned)(this.bits) <= bits) break; + here = state->lencode[BITS(state->lenbits)]; + if ((unsigned)(here.bits) <= bits) break; PULLBYTE(); } - if (this.op && (this.op & 0xf0) == 0) { - last = this; + if (here.op && (here.op & 0xf0) == 0) { + last = here; for (;;) { - this = state->lencode[last.val + + here = state->lencode[last.val + (BITS(last.bits + last.op) >> last.bits)]; - if ((unsigned)(last.bits + this.bits) <= bits) break; + if ((unsigned)(last.bits + here.bits) <= bits) break; PULLBYTE(); } DROPBITS(last.bits); } - DROPBITS(this.bits); - state->length = (unsigned)this.val; + DROPBITS(here.bits); + state->length = (unsigned)here.val; /* process literal */ - if (this.op == 0) { - Tracevv((stderr, this.val >= 0x20 && this.val < 0x7f ? + if (here.op == 0) { + Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ? "inflate: literal '%c'\n" : - "inflate: literal 0x%02x\n", this.val)); + "inflate: literal 0x%02x\n", here.val)); ROOM(); *put++ = (unsigned char)(state->length); left--; @@ -504,21 +513,21 @@ void FAR *out_desc; } /* process end of block */ - if (this.op & 32) { + if (here.op & 32) { Tracevv((stderr, "inflate: end of block\n")); state->mode = TYPE; break; } /* invalid code */ - if (this.op & 64) { + if (here.op & 64) { strm->msg = (char *)"invalid literal/length code"; state->mode = BAD; break; } /* length code -- get extra bits, if any */ - state->extra = (unsigned)(this.op) & 15; + state->extra = (unsigned)(here.op) & 15; if (state->extra != 0) { NEEDBITS(state->extra); state->length += BITS(state->extra); 
@@ -528,30 +537,30 @@ void FAR *out_desc; /* get distance code */ for (;;) { - this = state->distcode[BITS(state->distbits)]; - if ((unsigned)(this.bits) <= bits) break; + here = state->distcode[BITS(state->distbits)]; + if ((unsigned)(here.bits) <= bits) break; PULLBYTE(); } - if ((this.op & 0xf0) == 0) { - last = this; + if ((here.op & 0xf0) == 0) { + last = here; for (;;) { - this = state->distcode[last.val + + here = state->distcode[last.val + (BITS(last.bits + last.op) >> last.bits)]; - if ((unsigned)(last.bits + this.bits) <= bits) break; + if ((unsigned)(last.bits + here.bits) <= bits) break; PULLBYTE(); } DROPBITS(last.bits); } - DROPBITS(this.bits); - if (this.op & 64) { + DROPBITS(here.bits); + if (here.op & 64) { strm->msg = (char *)"invalid distance code"; state->mode = BAD; break; } - state->offset = (unsigned)this.val; + state->offset = (unsigned)here.val; /* get distance extra bits, if any */ - state->extra = (unsigned)(this.op) & 15; + state->extra = (unsigned)(here.op) & 15; if (state->extra != 0) { NEEDBITS(state->extra); state->offset += BITS(state->extra); diff --git a/security/nss/lib/zlib/inffast.c b/security/nss/lib/zlib/inffast.c index bbee92ed1e6..2f1d60b43b8 100644 --- a/security/nss/lib/zlib/inffast.c +++ b/security/nss/lib/zlib/inffast.c @@ -1,5 +1,5 @@ /* inffast.c -- fast decoding - * Copyright (C) 1995-2004 Mark Adler + * Copyright (C) 1995-2008, 2010 Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ @@ -64,7 +64,7 @@ requires strm->avail_out >= 258 for each loop to avoid checking for output space. */ -void inflate_fast(strm, start) +void ZLIB_INTERNAL inflate_fast(strm, start) z_streamp strm; unsigned start; /* inflate()'s starting value for strm->avail_out */ { 
@@ -79,7 +79,7 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ #endif unsigned wsize; /* window size or zero if not using window */ unsigned whave; /* valid bytes in the window */ - unsigned write; /* window write index */ + unsigned wnext; /* window write index */ unsigned char FAR *window; /* allocated sliding window, if wsize != 0 */ unsigned long hold; /* local strm->hold */ unsigned bits; /* local strm->bits */ @@ -87,7 +87,7 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ code const FAR *dcode; /* local strm->distcode */ unsigned lmask; /* mask for first level of length codes */ unsigned dmask; /* mask for first level of distance codes */ - code this; /* retrieved table entry */ + code here; /* retrieved table entry */ unsigned op; /* code bits, operation, extra bits, or */ /* window position, window bytes to copy */ unsigned len; /* match length, unused bytes */ @@ -106,7 +106,7 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ #endif wsize = state->wsize; whave = state->whave; - write = state->write; + wnext = state->wnext; window = state->window; hold = state->hold; bits = state->bits; 
@@ -124,20 +124,20 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ hold += (unsigned long)(PUP(in)) << bits; bits += 8; } - this = lcode[hold & lmask]; + here = lcode[hold & lmask]; dolen: - op = (unsigned)(this.bits); + op = (unsigned)(here.bits); hold >>= op; bits -= op; - op = (unsigned)(this.op); + op = (unsigned)(here.op); if (op == 0) { /* literal */ - Tracevv((stderr, this.val >= 0x20 && this.val < 0x7f ? + Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ? "inflate: literal '%c'\n" : - "inflate: literal 0x%02x\n", this.val)); - PUP(out) = (unsigned char)(this.val); + "inflate: literal 0x%02x\n", here.val)); + PUP(out) = (unsigned char)(here.val); } else if (op & 16) { /* length base */ - len = (unsigned)(this.val); + len = (unsigned)(here.val); op &= 15; /* number of extra bits */ if (op) { if (bits < op) { @@ -155,14 +155,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ hold += (unsigned long)(PUP(in)) << bits; bits += 8; } - this = dcode[hold & dmask]; + here = dcode[hold & dmask]; dodist: - op = (unsigned)(this.bits); + op = (unsigned)(here.bits); hold >>= op; bits -= op; - op = (unsigned)(this.op); + op = (unsigned)(here.op); if (op & 16) { /* distance base */ - dist = (unsigned)(this.val); + dist = (unsigned)(here.val); op &= 15; /* number of extra bits */ if (bits < op) { hold += (unsigned long)(PUP(in)) << bits; 
@@ -187,12 +187,34 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ if (dist > op) { /* see if copy from window */ op = dist - op; /* distance back in window */ if (op > whave) { - strm->msg = (char *)"invalid distance too far back"; - state->mode = BAD; - break; + if (state->sane) { + strm->msg = + (char *)"invalid distance too far back"; + state->mode = BAD; + break; + } +#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR + if (len <= op - whave) { + do { + PUP(out) = 0; + } while (--len); + continue; + } + len -= op - whave; + do { + PUP(out) = 0; + } while (--op > whave); + if (op == 0) { + from = out - dist; + do { + PUP(out) = PUP(from); + } while (--len); + continue; + } +#endif } from = window - OFF; - if (write == 0) { /* very common case */ + if (wnext == 0) { /* very common case */ from += wsize - op; if (op < len) { /* some from window */ len -= op; @@ -202,17 +224,17 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ from = out - dist; /* rest from output */ } } - else if (write < op) { /* wrap around window */ - from += wsize + write - op; - op -= write; + else if (wnext < op) { /* wrap around window */ + from += wsize + wnext - op; + op -= wnext; if (op < len) { /* some from end of window */ len -= op; do { PUP(out) = PUP(from); } while (--op); from = window - OFF; - if (write < len) { /* some from start of window */ - op = write; + if (wnext < len) { /* some from start of window */ + op = wnext; len -= op; do { PUP(out) = PUP(from); @@ -222,7 +244,7 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ } } else { /* contiguous in window */ - from += write - op; + from += wnext - op; if (op < len) { /* some from window */ len -= op; do { 
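Review bot: In the `op > whave` branch of `inflate_fast`, when `state->sane` is zero and `INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR` is not defined, nothing is rejected or zero-filled. Control falls through to the window copy with a distance beyond `whave`, so window bytes this stream never wrote would be copied to the output. That is safe only if `sane` can never be cleared in a build without the macro, which this hunk does not show. I would state the invariant at the test, e.g. `/* sane may only be 0 when INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR is defined */`, or keep the rejection unconditional outside the `#ifdef`. `inflate_fast` begins and ends outside this hunk.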
@@ -259,7 +281,7 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ } } else if ((op & 64) == 0) { /* 2nd level distance code */ - this = dcode[this.val + (hold & ((1U << op) - 1))]; + here = dcode[here.val + (hold & ((1U << op) - 1))]; goto dodist; } else { @@ -269,7 +291,7 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ } } else if ((op & 64) == 0) { /* 2nd level length code */ - this = lcode[this.val + (hold & ((1U << op) - 1))]; + here = lcode[here.val + (hold & ((1U << op) - 1))]; goto dolen; } else if (op & 32) { /* end-of-block */ @@ -305,7 +327,7 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ inflate_fast() speedups that turned out slower (on a PowerPC G3 750CXe): - Using bit fields for code structure - Different op definition to avoid & for extra bits (do & for table bits) - - Three separate decoding do-loops for direct, window, and write == 0 + - Three separate decoding do-loops for direct, window, and wnext == 0 - Special case for distance > 1 copies to do overlapped load and store copy - Explicit branch predictions (based on measured branch probabilities) - Deferring match copy and interspersed it with decoding subsequent codes diff --git a/security/nss/lib/zlib/inffast.h b/security/nss/lib/zlib/inffast.h index 1e88d2d97b5..e5c1aa4ca8c 100644 --- a/security/nss/lib/zlib/inffast.h +++ b/security/nss/lib/zlib/inffast.h @@ -1,5 +1,5 @@ /* inffast.h -- header to use inffast.c - * Copyright (C) 1995-2003 Mark Adler + * Copyright (C) 1995-2003, 2010 Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ @@ -8,4 +8,4 @@ subject to change. Applications should only use zlib.h. */ -void inflate_fast OF((z_streamp strm, unsigned start)); +void ZLIB_INTERNAL inflate_fast OF((z_streamp strm, unsigned start)); diff --git a/security/nss/lib/zlib/inflate.c b/security/nss/lib/zlib/inflate.c index 792fdee8e9c..a8431abeacf 100644 --- a/security/nss/lib/zlib/inflate.c 
+++ b/security/nss/lib/zlib/inflate.c @@ -1,5 +1,5 @@ /* inflate.c -- zlib decompression - * Copyright (C) 1995-2005 Mark Adler + * Copyright (C) 1995-2010 Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ @@ -45,7 +45,7 @@ * - Rearrange window copies in inflate_fast() for speed and simplification * - Unroll last copy for window match in inflate_fast() * - Use local copies of window variables in inflate_fast() for speed - * - Pull out common write == 0 case for speed in inflate_fast() + * - Pull out common wnext == 0 case for speed in inflate_fast() * - Make op and len in inflate_fast() unsigned for consistency * - Add FAR to lcode and dcode declarations in inflate_fast() * - Simplified bad distance check in inflate_fast() 
@@ -117,28 +117,52 @@ z_streamp strm; state->head = Z_NULL; state->wsize = 0; state->whave = 0; - state->write = 0; + state->wnext = 0; state->hold = 0; state->bits = 0; state->lencode = state->distcode = state->next = state->codes; + state->sane = 1; + state->back = -1; Tracev((stderr, "inflate: reset\n")); return Z_OK; } -int ZEXPORT inflatePrime(strm, bits, value) +int ZEXPORT inflateReset2(strm, windowBits) z_streamp strm; -int bits; -int value; +int windowBits; { + int wrap; struct inflate_state FAR *state; + /* get the state */ if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR; state = (struct inflate_state FAR *)strm->state; - if (bits > 16 || state->bits + bits > 32) return Z_STREAM_ERROR; - value &= (1L << bits) - 1; - state->hold += value << state->bits; - state->bits += bits; - return Z_OK; + + /* extract wrap request from windowBits parameter */ + if (windowBits < 0) { + wrap = 0; + windowBits = -windowBits; + } + else { + wrap = (windowBits >> 4) + 1; +#ifdef GUNZIP + if (windowBits < 48) + windowBits &= 15; +#endif + } + + /* set number of window bits, free window if different */ + if (windowBits && (windowBits < 8 || windowBits > 15)) + return Z_STREAM_ERROR; + if (state->window != Z_NULL && state->wbits != (unsigned)windowBits) { + ZFREE(strm, state->window); + state->window = Z_NULL; + } + + /* update state and reset the rest of it */ + state->wrap = wrap; + state->wbits = (unsigned)windowBits; + return inflateReset(strm); } int ZEXPORT inflateInit2_(strm, windowBits, version, stream_size) @@ -147,6 +171,7 @@ int windowBits; const char *version; int stream_size; { + int ret; struct inflate_state FAR *state; if (version == Z_NULL || version[0] != ZLIB_VERSION[0] || 
@@ -164,24 +189,13 @@ int stream_size; if (state == Z_NULL) return Z_MEM_ERROR; Tracev((stderr, "inflate: allocated\n")); strm->state = (struct internal_state FAR *)state; - if (windowBits < 0) { - state->wrap = 0; - windowBits = -windowBits; - } - else { - state->wrap = (windowBits >> 4) + 1; -#ifdef GUNZIP - if (windowBits < 48) windowBits &= 15; -#endif - } - if (windowBits < 8 || windowBits > 15) { + state->window = Z_NULL; + ret = inflateReset2(strm, windowBits); + if (ret != Z_OK) { ZFREE(strm, state); strm->state = Z_NULL; - return Z_STREAM_ERROR; } - state->wbits = (unsigned)windowBits; - state->window = Z_NULL; - return inflateReset(strm); + return ret; } int ZEXPORT inflateInit_(strm, version, stream_size) @@ -192,6 +206,27 @@ int stream_size; return inflateInit2_(strm, DEF_WBITS, version, stream_size); } +int ZEXPORT inflatePrime(strm, bits, value) +z_streamp strm; +int bits; +int value; +{ + struct inflate_state FAR *state; + + if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR; + state = (struct inflate_state FAR *)strm->state; + if (bits < 0) { + state->hold = 0; + state->bits = 0; + return Z_OK; + } + if (bits > 16 || state->bits + bits > 32) return Z_STREAM_ERROR; + value &= (1L << bits) - 1; + state->hold += value << state->bits; + state->bits += bits; + return Z_OK; +} + /* Return state with length and distance decoding tables and index sizes set to fixed code decoding. Normally this returns fixed tables from inffixed.h. @@ -340,7 +375,7 @@ unsigned out; /* if window not in use yet, initialize */ if (state->wsize == 0) { state->wsize = 1U << state->wbits; - state->write = 0; + state->wnext = 0; state->whave = 0; } 
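Review bot: In the relocated `inflatePrime()`, `state->hold += value << state->bits;` shifts a signed `int`. The preceding check allows `bits` up to 16 with `state->bits` up to 16, so a masked 16-bit `value` can be shifted into the sign bit, which is undefined behaviour for a signed operand. Doing the shift in the accumulator's own unsigned type avoids that: `state->hold += (unsigned long)value << state->bits;`. The new `bits < 0` branch that clears `hold` and `bits` is unaffected.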
@@ -348,22 +383,22 @@ unsigned out; copy = out - strm->avail_out; if (copy >= state->wsize) { zmemcpy(state->window, strm->next_out - state->wsize, state->wsize); - state->write = 0; + state->wnext = 0; state->whave = state->wsize; } else { - dist = state->wsize - state->write; + dist = state->wsize - state->wnext; if (dist > copy) dist = copy; - zmemcpy(state->window + state->write, strm->next_out - copy, dist); + zmemcpy(state->window + state->wnext, strm->next_out - copy, dist); copy -= dist; if (copy) { zmemcpy(state->window, strm->next_out - copy, copy); - state->write = copy; + state->wnext = copy; state->whave = state->wsize; } else { - state->write += dist; - if (state->write == state->wsize) state->write = 0; + state->wnext += dist; + if (state->wnext == state->wsize) state->wnext = 0; if (state->whave < state->wsize) state->whave += dist; } } @@ -564,7 +599,7 @@ int flush; unsigned in, out; /* save starting available input and output */ unsigned copy; /* number of stored or match bytes to copy */ unsigned char FAR *from; /* where to copy match bytes from */ - code this; /* current decoding table entry */ + code here; /* current decoding table entry */ code last; /* parent table entry */ unsigned len; /* length to copy for repeats, bits to drop */ int ret; /* return code */ @@ -619,7 +654,9 @@ int flush; } DROPBITS(4); len = BITS(4) + 8; - if (len > state->wbits) { + if (state->wbits == 0) + state->wbits = len; + else if (len > state->wbits) { strm->msg = (char *)"invalid window size"; state->mode = BAD; break; @@ -771,7 +808,7 @@ int flush; strm->adler = state->check = adler32(0L, Z_NULL, 0); state->mode = TYPE; case TYPE: - if (flush == Z_BLOCK) goto inf_leave; + if (flush == Z_BLOCK || flush == Z_TREES) goto inf_leave; case TYPEDO: if (state->last) { BYTEBITS(); 
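Review bot: In the zlib-header branch (the -619 hunk), the new `if (state->wbits == 0) state->wbits = len;` takes the window size straight from the stream, and `len = BITS(4) + 8` can be as large as 23. Because the range test is now an `else if`, it is skipped on that path, so a stream opened with windowBits 0 can push `wbits` past the maximum of 15 that `inflateReset2()` enforces on callers. `wbits` later sizes the window (`state->wsize = 1U << state->wbits` in the -340 hunk), so the header would control that allocation. Keeping the assignment but making the test unconditional and bounded closes this: `if (len > 15 || len > state->wbits) {`. The body of `inflate()` extends beyond this hunk.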
@@ -791,7 +828,11 @@ int flush; fixedtables(state); Tracev((stderr, "inflate: fixed codes block%s\n", state->last ? " (last)" : "")); - state->mode = LEN; /* decode codes */ + state->mode = LEN_; /* decode codes */ + if (flush == Z_TREES) { + DROPBITS(2); + goto inf_leave; + } break; case 2: /* dynamic block */ Tracev((stderr, "inflate: dynamic codes block%s\n", @@ -816,6 +857,9 @@ int flush; Tracev((stderr, "inflate: stored length %u\n", state->length)); INITBITS(); + state->mode = COPY_; + if (flush == Z_TREES) goto inf_leave; + case COPY_: state->mode = COPY; case COPY: copy = state->length; @@ -876,19 +920,19 @@ int flush; case CODELENS: while (state->have < state->nlen + state->ndist) { for (;;) { - this = state->lencode[BITS(state->lenbits)]; - if ((unsigned)(this.bits) <= bits) break; + here = state->lencode[BITS(state->lenbits)]; + if ((unsigned)(here.bits) <= bits) break; PULLBYTE(); } - if (this.val < 16) { - NEEDBITS(this.bits); - DROPBITS(this.bits); - state->lens[state->have++] = this.val; + if (here.val < 16) { + NEEDBITS(here.bits); + DROPBITS(here.bits); + state->lens[state->have++] = here.val; } else { - if (this.val == 16) { - NEEDBITS(this.bits + 2); - DROPBITS(this.bits); + if (here.val == 16) { + NEEDBITS(here.bits + 2); + DROPBITS(here.bits); if (state->have == 0) { strm->msg = (char *)"invalid bit length repeat"; state->mode = BAD; @@ -898,16 +942,16 @@ int flush; copy = 3 + BITS(2); DROPBITS(2); } - else if (this.val == 17) { - NEEDBITS(this.bits + 3); - DROPBITS(this.bits); + else if (here.val == 17) { + NEEDBITS(here.bits + 3); + DROPBITS(here.bits); len = 0; copy = 3 + BITS(3); DROPBITS(3); } else { - NEEDBITS(this.bits + 7); - DROPBITS(this.bits); + NEEDBITS(here.bits + 7); + DROPBITS(here.bits); len = 0; copy = 11 + BITS(7); DROPBITS(7); 
@@ -925,7 +969,16 @@ int flush; /* handle error breaks in while */ if (state->mode == BAD) break; - /* build code tables */ + /* check for end-of-block code (better have one) */ + if (state->lens[256] == 0) { + strm->msg = (char *)"invalid code -- missing end-of-block"; + state->mode = BAD; + break; + } + + /* build code tables -- note: do not change the lenbits or distbits + values here (9 and 6) without reading the comments in inftrees.h + concerning the ENOUGH constants, which depend on those values */ state->next = state->codes; state->lencode = (code const FAR *)(state->next); state->lenbits = 9; 
@@ -946,88 +999,102 @@ int flush; break; } Tracev((stderr, "inflate: codes ok\n")); + state->mode = LEN_; + if (flush == Z_TREES) goto inf_leave; + case LEN_: state->mode = LEN; case LEN: if (have >= 6 && left >= 258) { RESTORE(); inflate_fast(strm, out); LOAD(); + if (state->mode == TYPE) + state->back = -1; break; } + state->back = 0; for (;;) { - this = state->lencode[BITS(state->lenbits)]; - if ((unsigned)(this.bits) <= bits) break; + here = state->lencode[BITS(state->lenbits)]; + if ((unsigned)(here.bits) <= bits) break; PULLBYTE(); } - if (this.op && (this.op & 0xf0) == 0) { - last = this; + if (here.op && (here.op & 0xf0) == 0) { + last = here; for (;;) { - this = state->lencode[last.val + + here = state->lencode[last.val + (BITS(last.bits + last.op) >> last.bits)]; - if ((unsigned)(last.bits + this.bits) <= bits) break; + if ((unsigned)(last.bits + here.bits) <= bits) break; PULLBYTE(); } DROPBITS(last.bits); + state->back += last.bits; } - DROPBITS(this.bits); - state->length = (unsigned)this.val; - if ((int)(this.op) == 0) { - Tracevv((stderr, this.val >= 0x20 && this.val < 0x7f ? + DROPBITS(here.bits); + state->back += here.bits; + state->length = (unsigned)here.val; + if ((int)(here.op) == 0) { + Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ? 
"inflate: literal '%c'\n" : - "inflate: literal 0x%02x\n", this.val)); + "inflate: literal 0x%02x\n", here.val)); state->mode = LIT; break; } - if (this.op & 32) { + if (here.op & 32) { Tracevv((stderr, "inflate: end of block\n")); + state->back = -1; state->mode = TYPE; break; } - if (this.op & 64) { + if (here.op & 64) { strm->msg = (char *)"invalid literal/length code"; state->mode = BAD; break; } - state->extra = (unsigned)(this.op) & 15; + state->extra = (unsigned)(here.op) & 15; state->mode = LENEXT; case LENEXT: if (state->extra) { NEEDBITS(state->extra); state->length += BITS(state->extra); DROPBITS(state->extra); + state->back += state->extra; } Tracevv((stderr, "inflate: length %u\n", state->length)); + state->was = state->length; state->mode = DIST; case DIST: for (;;) { - this = state->distcode[BITS(state->distbits)]; - if ((unsigned)(this.bits) <= bits) break; + here = state->distcode[BITS(state->distbits)]; + if ((unsigned)(here.bits) <= bits) break; PULLBYTE(); } - if ((this.op & 0xf0) == 0) { - last = this; + if ((here.op & 0xf0) == 0) { + last = here; for (;;) { - this = state->distcode[last.val + + here = state->distcode[last.val + (BITS(last.bits + last.op) >> last.bits)]; - if ((unsigned)(last.bits + this.bits) <= bits) break; + if ((unsigned)(last.bits + here.bits) <= bits) break; PULLBYTE(); } DROPBITS(last.bits); + state->back += last.bits; } - DROPBITS(this.bits); - if (this.op & 64) { + DROPBITS(here.bits); + state->back += here.bits; + if (here.op & 64) { strm->msg = (char *)"invalid distance code"; state->mode = BAD; break; } - state->offset = (unsigned)this.val; - state->extra = (unsigned)(this.op) & 15; + state->offset = (unsigned)here.val; + state->extra = (unsigned)(here.op) & 15; state->mode = DISTEXT; case DISTEXT: if (state->extra) { NEEDBITS(state->extra); state->offset += BITS(state->extra); DROPBITS(state->extra); + state->back += state->extra; } #ifdef INFLATE_STRICT if (state->offset > state->dmax) { 
@@ -1036,11 +1103,6 @@ int flush; break; } #endif - if (state->offset > state->whave + out - left) { - strm->msg = (char *)"invalid distance too far back"; - state->mode = BAD; - break; - } Tracevv((stderr, "inflate: distance %u\n", state->offset)); state->mode = MATCH; case MATCH: @@ -1048,12 +1110,32 @@ int flush; copy = out - left; if (state->offset > copy) { /* copy from window */ copy = state->offset - copy; - if (copy > state->write) { - copy -= state->write; + if (copy > state->whave) { + if (state->sane) { + strm->msg = (char *)"invalid distance too far back"; + state->mode = BAD; + break; + } +#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR + Trace((stderr, "inflate.c too far\n")); + copy -= state->whave; + if (copy > state->length) copy = state->length; + if (copy > left) copy = left; + left -= copy; + state->length -= copy; + do { + *put++ = 0; + } while (--copy); + if (state->length == 0) state->mode = LEN; + break; +#endif + } + if (copy > state->wnext) { + copy -= state->wnext; from = state->window + (state->wsize - copy); } else - from = state->window + (state->write - copy); + from = state->window + (state->wnext - copy); if (copy > state->length) copy = state->length; } else { /* copy from output */ @@ -1146,7 +1228,8 @@ int flush; strm->adler = state->check = UPDATE(state->check, strm->next_out - out, out); strm->data_type = state->bits + (state->last ? 64 : 0) + - (state->mode == TYPE ? 128 : 0); + (state->mode == TYPE ? 128 : 0) + + (state->mode == LEN_ || state->mode == COPY_ ? 256 : 0); if (((in == 0 && out == 0) || flush == Z_FINISH) && ret == Z_OK) ret = Z_BUF_ERROR; return ret; 
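Review bot: The "invalid distance too far back" rejection, now in `case MATCH` (the -1048 hunk), only fires when `state->sane` is non-zero. If that flag were 0 in a build without `INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR`, control would fall through to the window copy with `copy > state->whave` and read outside the valid part of the window. Nothing in this hunk prevents that; it depends on the reset code setting `sane = 1` and on the `#else` branch of `inflateUndermine()` forcing it back to 1. A comment at the check should state the invariant, e.g. `/* sane is 0 only when INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR is defined; see inflateUndermine() */`, and the library build should never define that macro. `inflate()` starts and ends outside this hunk.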
@@ -1366,3 +1449,32 @@ z_streamp source; dest->state = (struct internal_state FAR *)copy; return Z_OK; } + +int ZEXPORT inflateUndermine(strm, subvert) +z_streamp strm; +int subvert; +{ + struct inflate_state FAR *state; + + if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR; + state = (struct inflate_state FAR *)strm->state; + state->sane = !subvert; +#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR + return Z_OK; +#else + state->sane = 1; + return Z_DATA_ERROR; +#endif +} + +long ZEXPORT inflateMark(strm) +z_streamp strm; +{ + struct inflate_state FAR *state; + + if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16; + state = (struct inflate_state FAR *)strm->state; + return ((long)(state->back) << 16) + + (state->mode == COPY ? state->length : + (state->mode == MATCH ? state->was - state->length : 0)); +} diff --git a/security/nss/lib/zlib/inflate.h b/security/nss/lib/zlib/inflate.h index 07bd3e78a7c..95f4986d400 100644 --- a/security/nss/lib/zlib/inflate.h +++ b/security/nss/lib/zlib/inflate.h @@ -1,5 +1,5 @@ /* inflate.h -- internal inflate state definition - * Copyright (C) 1995-2004 Mark Adler + * Copyright (C) 1995-2009 Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ 
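Review bot: `inflateMark()` left-shifts negative values, which is undefined behaviour in C. This applies to the error return `-1L << 16` and to `(long)(state->back) << 16` whenever `back` is -1, the value the reset and end-of-block paths in this commit store. The same results can be produced without shifting a negative operand: `return -(1L << 16);` and `return (long)state->back * 65536L + ...`. Both new functions are fully contained in this hunk.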
@@ -32,11 +32,13 @@ typedef enum { TYPE, /* i: waiting for type bits, including last-flag bit */ TYPEDO, /* i: same, but skip check to exit inflate on new block */ STORED, /* i: waiting for stored size (length and complement) */ + COPY_, /* i/o: same as COPY below, but only first time in */ COPY, /* i/o: waiting for input or output to copy stored block */ TABLE, /* i: waiting for dynamic block table lengths */ LENLENS, /* i: waiting for code length code lengths */ CODELENS, /* i: waiting for length/lit and distance code lengths */ - LEN, /* i: waiting for length/lit code */ + LEN_, /* i: same as LEN below, but only first time in */ + LEN, /* i: waiting for length/lit/eob code */ LENEXT, /* i: waiting for length extra bits */ DIST, /* i: waiting for distance code */ DISTEXT, /* i: waiting for distance extra bits */ @@ -53,19 +55,21 @@ typedef enum { /* State transitions between above modes - - (most modes can go to the BAD or MEM mode -- not shown for clarity) + (most modes can go to BAD or MEM on error -- not shown for clarity) Process header: - HEAD -> (gzip) or (zlib) - (gzip) -> FLAGS -> TIME -> OS -> EXLEN -> EXTRA -> NAME - NAME -> COMMENT -> HCRC -> TYPE + HEAD -> (gzip) or (zlib) or (raw) + (gzip) -> FLAGS -> TIME -> OS -> EXLEN -> EXTRA -> NAME -> COMMENT -> + HCRC -> TYPE (zlib) -> DICTID or TYPE DICTID -> DICT -> TYPE + (raw) -> TYPEDO Read deflate blocks: - TYPE -> STORED or TABLE or LEN or CHECK - STORED -> COPY -> TYPE - TABLE -> LENLENS -> CODELENS -> LEN - Read deflate codes: + TYPE -> TYPEDO -> STORED or TABLE or LEN_ or CHECK + STORED -> COPY_ -> COPY -> TYPE + TABLE -> LENLENS -> CODELENS -> LEN_ + LEN_ -> LEN + Read deflate codes in fixed or dynamic block: LEN -> LENEXT or LIT or TYPE LENEXT -> DIST -> DISTEXT -> MATCH -> LEN LIT -> LEN 
@@ -73,7 +77,7 @@ typedef enum { CHECK -> LENGTH -> DONE */ -/* state maintained between inflate() calls. Approximately 7K bytes. */ +/* state maintained between inflate() calls. Approximately 10K bytes. */ struct inflate_state { inflate_mode mode; /* current inflate mode */ int last; /* true if processing last block */ @@ -88,7 +92,7 @@ struct inflate_state { unsigned wbits; /* log base 2 of requested window size */ unsigned wsize; /* window size or zero if not using window */ unsigned whave; /* valid bytes in the window */ - unsigned write; /* window write index */ + unsigned wnext; /* window write index */ unsigned char FAR *window; /* allocated sliding window, if needed */ /* bit accumulator */ unsigned long hold; /* input bit accumulator */ @@ -112,4 +116,7 @@ struct inflate_state { unsigned short lens[320]; /* temporary storage for code lengths */ unsigned short work[288]; /* work area for code table building */ code codes[ENOUGH]; /* space for code tables */ + int sane; /* if false, allow invalid distance too far */ + int back; /* bits back of last unprocessed length/lit */ + unsigned was; /* initial length of match */ }; diff --git a/security/nss/lib/zlib/inftrees.c b/security/nss/lib/zlib/inftrees.c index 8a9c13ff03d..11e9c52accb 100644 --- a/security/nss/lib/zlib/inftrees.c +++ b/security/nss/lib/zlib/inftrees.c @@ -1,5 +1,5 @@ /* inftrees.c -- generate Huffman trees for efficient decoding - * Copyright (C) 1995-2005 Mark Adler + * Copyright (C) 1995-2010 Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ @@ -9,7 +9,7 @@ #define MAXBITS 15 const char inflate_copyright[] = - " inflate 1.2.3 Copyright 1995-2005 Mark Adler "; + " inflate 1.2.5 Copyright 1995-2010 Mark Adler "; /* If you use the zlib library in a product, an acknowledgment is welcome in the documentation of your product. If for some reason you cannot 
@@ -29,7 +29,7 @@ const char inflate_copyright[] = table index bits. It will differ if the request is greater than the longest code or if it is less than the shortest code. */ -int inflate_table(type, lens, codes, table, bits, work) +int ZLIB_INTERNAL inflate_table(type, lens, codes, table, bits, work) codetype type; unsigned short FAR *lens; unsigned codes; @@ -50,7 +50,7 @@ unsigned short FAR *work; unsigned fill; /* index for replicating entries */ unsigned low; /* low bits for current root entry */ unsigned mask; /* mask for low root bits */ - code this; /* table entry for duplication */ + code here; /* table entry for duplication */ code FAR *next; /* next available space in table */ const unsigned short FAR *base; /* base value table to use */ const unsigned short FAR *extra; /* extra bits table to use */ @@ -62,7 +62,7 @@ unsigned short FAR *work; 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258, 0, 0}; static const unsigned short lext[31] = { /* Length codes 257..285 extra */ 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 18, 18, 18, 18, - 19, 19, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 16, 201, 196}; + 19, 19, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 16, 73, 195}; static const unsigned short dbase[32] = { /* Distance codes 0..29 base */ 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 
@@ -115,15 +115,15 @@ unsigned short FAR *work; if (count[max] != 0) break; if (root > max) root = max; if (max == 0) { /* no symbols to code at all */ - this.op = (unsigned char)64; /* invalid code marker */ - this.bits = (unsigned char)1; - this.val = (unsigned short)0; - *(*table)++ = this; /* make a table to force an error */ - *(*table)++ = this; + here.op = (unsigned char)64; /* invalid code marker */ + here.bits = (unsigned char)1; + here.val = (unsigned short)0; + *(*table)++ = here; /* make a table to force an error */ + *(*table)++ = here; *bits = 1; return 0; /* no symbols, but wait for decoding to report error */ } - for (min = 1; min <= MAXBITS; min++) + for (min = 1; min < max; min++) if (count[min] != 0) break; if (root < min) root = min; @@ -166,11 +166,10 @@ unsigned short FAR *work; entered in the tables. used keeps track of how many table entries have been allocated from the - provided *table space. It is checked when a LENS table is being made - against the space in *table, ENOUGH, minus the maximum space needed by - the worst case distance code, MAXD. This should never happen, but the - sufficiency of ENOUGH has not been proven exhaustively, hence the check. - This assumes that when type == LENS, bits == 9. + provided *table space. It is checked for LENS and DIST tables against + the constants ENOUGH_LENS and ENOUGH_DISTS to guard against changes in + the initial root table size constants. See the comments in inftrees.h + for more information. sym increments through all symbols, and the loop terminates when all codes of length max, i.e. all codes, have been processed. This 
@@ -209,24 +208,25 @@ unsigned short FAR *work; mask = used - 1; /* mask for comparing low */ /* check available table space */ - if (type == LENS && used >= ENOUGH - MAXD) + if ((type == LENS && used >= ENOUGH_LENS) || + (type == DISTS && used >= ENOUGH_DISTS)) return 1; /* process all codes and make table entries */ for (;;) { /* create table entry */ - this.bits = (unsigned char)(len - drop); + here.bits = (unsigned char)(len - drop); if ((int)(work[sym]) < end) { - this.op = (unsigned char)0; - this.val = work[sym]; + here.op = (unsigned char)0; + here.val = work[sym]; } else if ((int)(work[sym]) > end) { - this.op = (unsigned char)(extra[work[sym]]); - this.val = base[work[sym]]; + here.op = (unsigned char)(extra[work[sym]]); + here.val = base[work[sym]]; } else { - this.op = (unsigned char)(32 + 64); /* end of block */ - this.val = 0; + here.op = (unsigned char)(32 + 64); /* end of block */ + here.val = 0; } /* replicate for those indices with low len bits equal to huff */ @@ -235,7 +235,7 @@ unsigned short FAR *work; min = fill; /* save offset to next table */ do { fill -= incr; - next[(huff >> drop) + fill] = this; + next[(huff >> drop) + fill] = here; } while (fill != 0); /* backwards increment the len-bit code huff */ @@ -277,7 +277,8 @@ unsigned short FAR *work; /* check for enough space */ used += 1U << curr; - if (type == LENS && used >= ENOUGH - MAXD) + if ((type == LENS && used >= ENOUGH_LENS) || + (type == DISTS && used >= ENOUGH_DISTS)) return 1; /* point entry in root table to sub-table */ 
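Review bot: Both table-space checks in `inflate_table()` (this hunk and the -277 hunk) use `used >= ENOUGH_LENS` / `used >= ENOUGH_DISTS`, which also rejects a table that needs exactly that many entries. The inftrees.h comment added in this commit gives 852 and 592 as the maximum number of code structures a code can require, so, if those maxima are reachable, a valid stream at the limit would be reported as an invalid code set. The failure is in the safe direction (no overrun of `codes[ENOUGH]`), but `>` would match the stated bound: `(type == LENS && used > ENOUGH_LENS) || (type == DISTS && used > ENOUGH_DISTS)`. The function body extends beyond both hunks.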
@@ -295,20 +296,20 @@ unsigned short FAR *work; through high index bits. When the current sub-table is filled, the loop drops back to the root table to fill in any remaining entries there. */ - this.op = (unsigned char)64; /* invalid code marker */ - this.bits = (unsigned char)(len - drop); - this.val = (unsigned short)0; + here.op = (unsigned char)64; /* invalid code marker */ + here.bits = (unsigned char)(len - drop); + here.val = (unsigned short)0; while (huff != 0) { /* when done with sub-table, drop back to root table */ if (drop != 0 && (huff & mask) != low) { drop = 0; len = root; next = *table; - this.bits = (unsigned char)len; + here.bits = (unsigned char)len; } /* put invalid code marker in table */ - next[huff >> drop] = this; + next[huff >> drop] = here; /* backwards increment the len-bit code huff */ incr = 1U << (len - 1); diff --git a/security/nss/lib/zlib/inftrees.h b/security/nss/lib/zlib/inftrees.h index b1104c87e76..baa53a0b1a1 100644 --- a/security/nss/lib/zlib/inftrees.h +++ b/security/nss/lib/zlib/inftrees.h @@ -1,5 +1,5 @@ /* inftrees.h -- header to use inftrees.c - * Copyright (C) 1995-2005 Mark Adler + * Copyright (C) 1995-2005, 2010 Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ 
@@ -35,21 +35,28 @@ typedef struct { 01000000 - invalid code */ -/* Maximum size of dynamic tree. The maximum found in a long but non- - exhaustive search was 1444 code structures (852 for length/literals - and 592 for distances, the latter actually the result of an - exhaustive search). The true maximum is not known, but the value - below is more than safe. */ -#define ENOUGH 2048 -#define MAXD 592 +/* Maximum size of the dynamic table. The maximum number of code structures is + 1444, which is the sum of 852 for literal/length codes and 592 for distance + codes. These values were found by exhaustive searches using the program + examples/enough.c found in the zlib distribtution. The arguments to that + program are the number of symbols, the initial root table size, and the + maximum bit length of a code. "enough 286 9 15" for literal/length codes + returns returns 852, and "enough 30 6 15" for distance codes returns 592. + The initial root table size (9 or 6) is found in the fifth argument of the + inflate_table() calls in inflate.c and infback.c. If the root table size is + changed, then these maximum sizes would be need to be recalculated and + updated. */ +#define ENOUGH_LENS 852 +#define ENOUGH_DISTS 592 +#define ENOUGH (ENOUGH_LENS+ENOUGH_DISTS) -/* Type of code to build for inftable() */ +/* Type of code to build for inflate_table() */ typedef enum { CODES, LENS, DISTS } codetype; -extern int inflate_table OF((codetype type, unsigned short FAR *lens, +int ZLIB_INTERNAL inflate_table OF((codetype type, unsigned short FAR *lens, unsigned codes, code FAR * FAR *table, unsigned FAR *bits, unsigned short FAR *work)); diff --git a/security/nss/lib/zlib/manifest.mn b/security/nss/lib/zlib/manifest.mn index ae4348295b4..1f4c9e4b9d4 100644 --- a/security/nss/lib/zlib/manifest.mn +++ b/security/nss/lib/zlib/manifest.mn 
@@ -44,15 +44,18 @@ PRIVATE_EXPORTS = zlib.h zconf.h CSRCS = adler32.c \ compress.c \ crc32.c \ - gzio.c \ - uncompr.c \ deflate.c \ - trees.c \ - zutil.c \ - inflate.c \ + gzclose.c \ + gzlib.c \ + gzread.c \ + gzwrite.c \ infback.c \ + inffast.c \ + inflate.c \ inftrees.c \ - inffast.c \ + trees.c \ + uncompr.c \ + zutil.c \ $(NULL) LIBRARY_NAME = zlib diff --git a/security/nss/lib/zlib/minigzip.c b/security/nss/lib/zlib/minigzip.c index 19ec0c99cf7..a158d52a88e 100644 --- a/security/nss/lib/zlib/minigzip.c +++ b/security/nss/lib/zlib/minigzip.c @@ -1,5 +1,5 @@ /* minigzip.c -- simulate gzip using the zlib compression library - * Copyright (C) 1995-2005 Jean-loup Gailly. + * Copyright (C) 1995-2006, 2010 Jean-loup Gailly. * For conditions of distribution and use, see copyright notice in zlib.h */ @@ -13,10 +13,10 @@ * or in pipe mode. */ -/* @(#) $Id: minigzip.c,v 1.6 2009/11/07 01:13:12 nelson%bolyard.com Exp $ */ +/* @(#) $Id: minigzip.c,v 1.7 2010/08/22 01:07:03 wtc%google.com Exp $ */ -#include #include "zlib.h" +#include #ifdef STDC # include @@ -32,11 +32,18 @@ #if defined(MSDOS) || defined(OS2) || defined(WIN32) || defined(__CYGWIN__) # include # include +# ifdef UNDER_CE +# include +# endif # define SET_BINARY_MODE(file) setmode(fileno(file), O_BINARY) #else # define SET_BINARY_MODE(file) #endif +#ifdef VMS +# define unlink delete +# define GZ_SUFFIX "-gz" +#endif #ifdef RISCOS # define unlink remove # define GZ_SUFFIX "-gz" 
@@ -46,9 +53,75 @@ # include /* for fileno */ #endif +#if !defined(Z_HAVE_UNISTD_H) && !defined(_LARGEFILE64_SOURCE) #ifndef WIN32 /* unlink already in stdio.h for WIN32 */ extern int unlink OF((const char *)); #endif +#endif + +#if defined(UNDER_CE) +# include +# define perror(s) pwinerror(s) + +/* Map the Windows error number in ERROR to a locale-dependent error + message string and return a pointer to it. Typically, the values + for ERROR come from GetLastError. + + The string pointed to shall not be modified by the application, + but may be overwritten by a subsequent call to strwinerror + + The strwinerror function does not change the current setting + of GetLastError. */ + +static char *strwinerror (error) + DWORD error; +{ + static char buf[1024]; + + wchar_t *msgbuf; + DWORD lasterr = GetLastError(); + DWORD chars = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM + | FORMAT_MESSAGE_ALLOCATE_BUFFER, + NULL, + error, + 0, /* Default language */ + (LPVOID)&msgbuf, + 0, + NULL); + if (chars != 0) { + /* If there is an \r\n appended, zap it. */ + if (chars >= 2 + && msgbuf[chars - 2] == '\r' && msgbuf[chars - 1] == '\n') { + chars -= 2; + msgbuf[chars] = 0; + } + + if (chars > sizeof (buf) - 1) { + chars = sizeof (buf) - 1; + msgbuf[chars] = 0; + } + + wcstombs(buf, msgbuf, chars + 1); + LocalFree(msgbuf); + } + else { + sprintf(buf, "unknown win32 error (%ld)", error); + } + + SetLastError(lasterr); + return buf; +} + +static void pwinerror (s) + const char *s; +{ + if (s && *s) + fprintf(stderr, "%s: %s\n", s, strwinerror(GetLastError ())); + else + fprintf(stderr, "%s\n", strwinerror(GetLastError ())); +} + +#endif /* UNDER_CE */ #ifndef GZ_SUFFIX # define GZ_SUFFIX ".gz" @@ -194,6 +267,11 @@ void file_compress(file, mode) FILE *in; gzFile out; + if (strlen(file) + strlen(GZ_SUFFIX) >= sizeof(outfile)) { + fprintf(stderr, "%s: filename too long\n", prog); + exit(1); + } + strcpy(outfile, file); strcat(outfile, GZ_SUFFIX); 
@@ -223,7 +301,12 @@ void file_uncompress(file) char *infile, *outfile; FILE *out; gzFile in; - uInt len = (uInt)strlen(file); + size_t len = strlen(file); + + if (len + strlen(GZ_SUFFIX) >= sizeof(buf)) { + fprintf(stderr, "%s: filename too long\n", prog); + exit(1); + } strcpy(buf, file); @@ -254,7 +337,8 @@ void file_uncompress(file) /* =========================================================================== - * Usage: minigzip [-d] [-f] [-h] [-r] [-1 to -9] [files...] + * Usage: minigzip [-c] [-d] [-f] [-h] [-r] [-1 to -9] [files...] + * -c : write to standard output * -d : decompress * -f : compress with Z_FILTERED * -h : compress with Z_HUFFMAN_ONLY @@ -266,17 +350,30 @@ int main(argc, argv) int argc; char *argv[]; { + int copyout = 0; int uncompr = 0; gzFile file; - char outmode[20]; + char *bname, outmode[20]; strcpy(outmode, "wb6 "); prog = argv[0]; + bname = strrchr(argv[0], '/'); + if (bname) + bname++; + else + bname = argv[0]; argc--, argv++; + if (!strcmp(bname, "gunzip")) + uncompr = 1; + else if (!strcmp(bname, "zcat")) + copyout = uncompr = 1; + while (argc > 0) { - if (strcmp(*argv, "-d") == 0) + if (strcmp(*argv, "-c") == 0) + copyout = 1; + else if (strcmp(*argv, "-d") == 0) uncompr = 1; else if (strcmp(*argv, "-f") == 0) outmode[3] = 'f'; 
@@ -306,11 +403,36 @@ int main(argc, argv) gz_compress(stdin, file); } } else { + if (copyout) { + SET_BINARY_MODE(stdout); + } do { if (uncompr) { - file_uncompress(*argv); + if (copyout) { + file = gzopen(*argv, "rb"); + if (file == NULL) + fprintf(stderr, "%s: can't gzopen %s\n", prog, *argv); + else + gz_uncompress(file, stdout); + } else { + file_uncompress(*argv); + } } else { - file_compress(*argv, outmode); + if (copyout) { + FILE * in = fopen(*argv, "rb"); + + if (in == NULL) { + perror(*argv); + } else { + file = gzdopen(fileno(stdout), outmode); + if (file == NULL) error("can't gzdopen stdout"); + + gz_compress(in, file); + } + + } else { + file_compress(*argv, outmode); + } } } while (argv++, --argc); } diff --git a/security/nss/lib/zlib/patches/msvc-vsnprintf.patch b/security/nss/lib/zlib/patches/msvc-vsnprintf.patch new file mode 100644 index 00000000000..2b8d2a646c0 --- /dev/null +++ b/security/nss/lib/zlib/patches/msvc-vsnprintf.patch @@ -0,0 +1,22 @@ +--- zlib-1.2.5/zutil.h 2010-04-18 12:29:24 -0700 ++++ zlib/zutil.h 2010-08-21 18:07:03 -0700 +@@ -172,17 +172,18 @@ + #endif + + #ifndef F_OPEN + # define F_OPEN(name, mode) fopen((name), (mode)) + #endif + + /* functions */ + +-#if defined(STDC99) || (defined(__TURBOC__) && __TURBOC__ >= 0x550) ++#if defined(STDC99) || (defined(__TURBOC__) && __TURBOC__ >= 0x550) || \ ++ (defined(_MSC_VER) && _MSC_VER >= 1500) + # ifndef HAVE_VSNPRINTF + # define HAVE_VSNPRINTF + # endif + #endif + #if defined(__CYGWIN__) + # ifndef HAVE_VSNPRINTF + # define HAVE_VSNPRINTF + # endif diff --git a/security/nss/lib/zlib/patches/prune-zlib.sh b/security/nss/lib/zlib/patches/prune-zlib.sh new file mode 100644 index 00000000000..c4d3799d685 --- /dev/null +++ b/security/nss/lib/zlib/patches/prune-zlib.sh 
@@ -0,0 +1,30 @@ +files_to_remove=" +CMakeLists.txt +ChangeLog +FAQ +INDEX +Makefile +Makefile.in +amiga +configure +contrib +doc +examples +make_vms.com +msdos +nintendods +old +qnx +treebuild.xml +watcom +win32 +zconf.h.cmakein +zconf.h.in +zlib.3 +zlib.3.pdf +zlib.map +zlib.pc.in +zlib2ansi +" + +rm -rf $files_to_remove diff --git a/security/nss/lib/zlib/trees.c b/security/nss/lib/zlib/trees.c index cb289e78f6b..2813741c8c3 100644 --- a/security/nss/lib/zlib/trees.c +++ b/security/nss/lib/zlib/trees.c @@ -1,5 +1,6 @@ /* trees.c -- output deflated data using Huffman coding - * Copyright (C) 1995-2005 Jean-loup Gailly + * Copyright (C) 1995-2010 Jean-loup Gailly + * detect_data_type() function provided freely by Cosmin Truta, 2006 * For conditions of distribution and use, see copyright notice in zlib.h */ @@ -29,7 +30,7 @@ * Addison-Wesley, 1983. ISBN 0-201-06672-6. */ -/* @(#) $Id: trees.c,v 1.5 2009/11/07 01:13:12 wtchang%redhat.com Exp $ */ +/* @(#) $Id: trees.c,v 1.6 2010/08/22 01:07:03 wtc%google.com Exp $ */ /* #define GEN_TREES_H */ @@ -152,7 +153,7 @@ local void send_all_trees OF((deflate_state *s, int lcodes, int dcodes, int blcodes)); local void compress_block OF((deflate_state *s, ct_data *ltree, ct_data *dtree)); -local void set_data_type OF((deflate_state *s)); +local int detect_data_type OF((deflate_state *s)); local unsigned bi_reverse OF((unsigned value, int length)); local void bi_windup OF((deflate_state *s)); local void bi_flush OF((deflate_state *s)); @@ -203,12 +204,12 @@ local void send_bits(s, value, length) * unused bits in value. */ if (s->bi_valid > (int)Buf_size - length) { - s->bi_buf |= (value << s->bi_valid); + s->bi_buf |= (ush)value << s->bi_valid; put_short(s, s->bi_buf); s->bi_buf = (ush)value >> (Buf_size - s->bi_valid); s->bi_valid += length - Buf_size; } else { - s->bi_buf |= value << s->bi_valid; + s->bi_buf |= (ush)value << s->bi_valid; s->bi_valid += length; } } 
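Review bot: In prune-zlib.sh, `rm -rf $files_to_remove` acts on relative names in whatever directory the script is started from, and the list contains generic names such as `Makefile`, `configure`, `doc`, `examples` and `win32`. The script has no interpreter line and does not check that it is running inside an unpacked zlib tree, so a run from the wrong directory silently deletes unrelated files. A guard before the `rm` would make that case fail instead: `[ -f zlib.h ] && [ -f inflate.c ] || { echo "run from the zlib source directory" >&2; exit 1; }`.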
@@ -218,12 +219,12 @@ local void send_bits(s, value, length) { int len = length;\ if (s->bi_valid > (int)Buf_size - len) {\ int val = value;\ - s->bi_buf |= (val << s->bi_valid);\ + s->bi_buf |= (ush)val << s->bi_valid;\ put_short(s, s->bi_buf);\ s->bi_buf = (ush)val >> (Buf_size - s->bi_valid);\ s->bi_valid += len - Buf_size;\ } else {\ - s->bi_buf |= (value) << s->bi_valid;\ + s->bi_buf |= (ush)(value) << s->bi_valid;\ s->bi_valid += len;\ }\ } @@ -250,11 +251,13 @@ local void tr_static_init() if (static_init_done) return; /* For some embedded targets, global variables are not initialized: */ +#ifdef NO_INIT_GLOBAL_POINTERS static_l_desc.static_tree = static_ltree; static_l_desc.extra_bits = extra_lbits; static_d_desc.static_tree = static_dtree; static_d_desc.extra_bits = extra_dbits; static_bl_desc.extra_bits = extra_blbits; +#endif /* Initialize the mapping length (0..255) -> length code (0..28) */ length = 0; @@ -348,13 +351,14 @@ void gen_trees_header() static_dtree[i].Len, SEPARATOR(i, D_CODES-1, 5)); } - fprintf(header, "const uch _dist_code[DIST_CODE_LEN] = {\n"); + fprintf(header, "const uch ZLIB_INTERNAL _dist_code[DIST_CODE_LEN] = {\n"); for (i = 0; i < DIST_CODE_LEN; i++) { fprintf(header, "%2u%s", _dist_code[i], SEPARATOR(i, DIST_CODE_LEN-1, 20)); } - fprintf(header, "const uch _length_code[MAX_MATCH-MIN_MATCH+1]= {\n"); + fprintf(header, + "const uch ZLIB_INTERNAL _length_code[MAX_MATCH-MIN_MATCH+1]= {\n"); for (i = 0; i < MAX_MATCH-MIN_MATCH+1; i++) { fprintf(header, "%2u%s", _length_code[i], SEPARATOR(i, MAX_MATCH-MIN_MATCH, 20)); @@ -379,7 +383,7 @@ void gen_trees_header() /* =========================================================================== * Initialize the tree data structures for a new zlib stream. */ -void _tr_init(s) +void ZLIB_INTERNAL _tr_init(s) deflate_state *s; { tr_static_init(); 
@@ -864,13 +868,13 @@ local void send_all_trees(s, lcodes, dcodes, blcodes) /* =========================================================================== * Send a stored block */ -void _tr_stored_block(s, buf, stored_len, eof) +void ZLIB_INTERNAL _tr_stored_block(s, buf, stored_len, last) deflate_state *s; charf *buf; /* input block */ ulg stored_len; /* length of input block */ - int eof; /* true if this is the last block for a file */ + int last; /* one if this is the last block for a file */ { - send_bits(s, (STORED_BLOCK<<1)+eof, 3); /* send block type */ + send_bits(s, (STORED_BLOCK<<1)+last, 3); /* send block type */ #ifdef DEBUG s->compressed_len = (s->compressed_len + 3 + 7) & (ulg)~7L; s->compressed_len += (stored_len + 4) << 3; @@ -889,7 +893,7 @@ void _tr_stored_block(s, buf, stored_len, eof) * To simplify the code, we assume the worst case of last real code encoded * on one bit only. */ -void _tr_align(s) +void ZLIB_INTERNAL _tr_align(s) deflate_state *s; { send_bits(s, STATIC_TREES<<1, 3); @@ -918,11 +922,11 @@ void _tr_align(s) * Determine the best encoding for the current block: dynamic trees, static * trees or store, and output the encoded block to the zip file. */ -void _tr_flush_block(s, buf, stored_len, eof) +void ZLIB_INTERNAL _tr_flush_block(s, buf, stored_len, last) deflate_state *s; charf *buf; /* input block, or NULL if too old */ ulg stored_len; /* length of input block */ - int eof; /* true if this is the last block for a file */ + int last; /* one if this is the last block for a file */ { ulg opt_lenb, static_lenb; /* opt_len and static_len in bytes */ int max_blindex = 0; /* index of last bit length code of non zero freq */ 
@@ -931,8 +935,8 @@ void _tr_flush_block(s, buf, stored_len, eof) if (s->level > 0) { /* Check if the file is binary or text */ - if (stored_len > 0 && s->strm->data_type == Z_UNKNOWN) - set_data_type(s); + if (s->strm->data_type == Z_UNKNOWN) + s->strm->data_type = detect_data_type(s); /* Construct the literal and distance trees */ build_tree(s, (tree_desc *)(&(s->l_desc))); @@ -978,20 +982,20 @@ void _tr_flush_block(s, buf, stored_len, eof) * successful. If LIT_BUFSIZE <= WSIZE, it is never too late to * transform a block into a stored block. */ - _tr_stored_block(s, buf, stored_len, eof); + _tr_stored_block(s, buf, stored_len, last); #ifdef FORCE_STATIC } else if (static_lenb >= 0) { /* force static trees */ #else } else if (s->strategy == Z_FIXED || static_lenb == opt_lenb) { #endif - send_bits(s, (STATIC_TREES<<1)+eof, 3); + send_bits(s, (STATIC_TREES<<1)+last, 3); compress_block(s, (ct_data *)static_ltree, (ct_data *)static_dtree); #ifdef DEBUG s->compressed_len += 3 + s->static_len; #endif } else { - send_bits(s, (DYN_TREES<<1)+eof, 3); + send_bits(s, (DYN_TREES<<1)+last, 3); send_all_trees(s, s->l_desc.max_code+1, s->d_desc.max_code+1, max_blindex+1); compress_block(s, (ct_data *)s->dyn_ltree, (ct_data *)s->dyn_dtree); @@ -1005,21 +1009,21 @@ void _tr_flush_block(s, buf, stored_len, eof) */ init_block(s); - if (eof) { + if (last) { bi_windup(s); #ifdef DEBUG s->compressed_len += 7; /* align on byte boundary */ #endif } Tracev((stderr,"\ncomprlen %lu(%lu) ", s->compressed_len>>3, - s->compressed_len-7*eof)); + s->compressed_len-7*last)); } /* =========================================================================== * Save the match info and tally the frequency counts. Return true if * the current block must be flushed. */ -int _tr_tally (s, dist, lc) +int ZLIB_INTERNAL _tr_tally (s, dist, lc) deflate_state *s; unsigned dist; /* distance of matched string */ unsigned lc; /* match length-MIN_MATCH or unmatched char (if dist==0) */ 
@@ -1118,24 +1122,45 @@ local void compress_block(s, ltree, dtree) } /* =========================================================================== - * Set the data type to BINARY or TEXT, using a crude approximation: - * set it to Z_TEXT if all symbols are either printable characters (33 to 255) - * or white spaces (9 to 13, or 32); or set it to Z_BINARY otherwise. + * Check if the data type is TEXT or BINARY, using the following algorithm: + * - TEXT if the two conditions below are satisfied: + * a) There are no non-portable control characters belonging to the + * "black list" (0..6, 14..25, 28..31). + * b) There is at least one printable character belonging to the + * "white list" (9 {TAB}, 10 {LF}, 13 {CR}, 32..255). + * - BINARY otherwise. + * - The following partially-portable control characters form a + * "gray list" that is ignored in this detection algorithm: + * (7 {BEL}, 8 {BS}, 11 {VT}, 12 {FF}, 26 {SUB}, 27 {ESC}). * IN assertion: the fields Freq of dyn_ltree are set. */ -local void set_data_type(s) +local int detect_data_type(s) deflate_state *s; { + /* black_mask is the bit mask of black-listed bytes + * set bits 0..6, 14..25, and 28..31 + * 0xf3ffc07f = binary 11110011111111111100000001111111 + */ + unsigned long black_mask = 0xf3ffc07fUL; int n; - for (n = 0; n < 9; n++) + /* Check for non-textual ("black-listed") bytes. */ + for (n = 0; n <= 31; n++, black_mask >>= 1) + if ((black_mask & 1) && (s->dyn_ltree[n].Freq != 0)) + return Z_BINARY; + + /* Check for textual ("white-listed") bytes. */ + if (s->dyn_ltree[9].Freq != 0 || s->dyn_ltree[10].Freq != 0 + || s->dyn_ltree[13].Freq != 0) + return Z_TEXT; + for (n = 32; n < LITERALS; n++) if (s->dyn_ltree[n].Freq != 0) - break; - if (n == 9) - for (n = 14; n < 32; n++) - if (s->dyn_ltree[n].Freq != 0) - break; - s->strm->data_type = (n == 32) ? 
Z_TEXT : Z_BINARY; + return Z_TEXT; + + /* There are no "black-listed" or "white-listed" bytes: + * this stream either is empty or has tolerated ("gray-listed") bytes only. + */ + return Z_BINARY; } /* =========================================================================== diff --git a/security/nss/lib/zlib/trees.h b/security/nss/lib/zlib/trees.h index 72facf900f7..d35639d82a2 100644 --- a/security/nss/lib/zlib/trees.h +++ b/security/nss/lib/zlib/trees.h @@ -70,7 +70,7 @@ local const ct_data static_dtree[D_CODES] = { {{19},{ 5}}, {{11},{ 5}}, {{27},{ 5}}, {{ 7},{ 5}}, {{23},{ 5}} }; -const uch _dist_code[DIST_CODE_LEN] = { +const uch ZLIB_INTERNAL _dist_code[DIST_CODE_LEN] = { 0, 1, 2, 3, 4, 4, 5, 5, 6, 6, 6, 6, 7, 7, 7, 7, 8, 8, 8, 8, 8, 8, 8, 8, 9, 9, 9, 9, 9, 9, 9, 9, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, @@ -99,7 +99,7 @@ const uch _dist_code[DIST_CODE_LEN] = { 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29 }; -const uch _length_code[MAX_MATCH-MIN_MATCH+1]= { +const uch ZLIB_INTERNAL _length_code[MAX_MATCH-MIN_MATCH+1]= { 0, 1, 2, 3, 4, 5, 6, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 12, 12, 13, 13, 13, 13, 14, 14, 14, 14, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 17, 18, 18, 18, 18, 18, 18, 18, 18, 19, 19, 19, 19, diff --git a/security/nss/lib/zlib/uncompr.c b/security/nss/lib/zlib/uncompr.c index 398f3e0b9a0..81219d7d578 100644 --- a/security/nss/lib/zlib/uncompr.c +++ b/security/nss/lib/zlib/uncompr.c @@ -1,9 +1,9 @@ /* uncompr.c -- decompress a memory buffer - * Copyright (C) 1995-2003 Jean-loup Gailly. + * Copyright (C) 1995-2003, 2010 Jean-loup Gailly. * For conditions of distribution and use, see copyright notice in zlib.h */ -/* @(#) $Id: uncompr.c,v 1.5 2009/11/07 01:13:12 wtchang%redhat.com Exp $ */ +/* @(#) $Id: uncompr.c,v 1.6 2010/08/22 01:07:03 wtc%google.com Exp $ */ #define ZLIB_INTERNAL #include "zlib.h" 
@@ -16,8 +16,6 @@ been saved previously by the compressor and transmitted to the decompressor by some mechanism outside the scope of this compression library.) Upon exit, destLen is the actual size of the compressed buffer. - This function can be used to decompress a whole file at once if the - input file is mmap'ed. uncompress returns Z_OK if success, Z_MEM_ERROR if there was not enough memory, Z_BUF_ERROR if there was not enough room in the output diff --git a/security/nss/lib/zlib/zconf.h b/security/nss/lib/zlib/zconf.h index 224aaaa2ba6..17a245edc2c 100644 --- a/security/nss/lib/zlib/zconf.h +++ b/security/nss/lib/zlib/zconf.h @@ -1,9 +1,9 @@ /* zconf.h -- configuration of the zlib compression library - * Copyright (C) 1995-2005 Jean-loup Gailly. + * Copyright (C) 1995-2010 Jean-loup Gailly. * For conditions of distribution and use, see copyright notice in zlib.h */ -/* @(#) $Id: zconf.h,v 1.7 2009/11/07 01:13:12 nelson%bolyard.com Exp $ */ +/* @(#) $Id: zconf.h,v 1.8 2010/08/22 01:07:03 wtc%google.com Exp $ */ #ifndef ZCONF_H #define ZCONF_H 
@@ -11,52 +11,124 @@ /* * If you *really* need a unique prefix for all types and library functions, * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it. + * Even better than compiling with -DZ_PREFIX would be to use configure to set + * this permanently in zconf.h using "./configure --zprefix". */ -#ifdef Z_PREFIX -# define deflateInit_ z_deflateInit_ -# define deflate z_deflate -# define deflateEnd z_deflateEnd -# define inflateInit_ z_inflateInit_ -# define inflate z_inflate -# define inflateEnd z_inflateEnd -# define deflateInit2_ z_deflateInit2_ -# define deflateSetDictionary z_deflateSetDictionary -# define deflateCopy z_deflateCopy -# define deflateReset z_deflateReset -# define deflateParams z_deflateParams -# define deflateBound z_deflateBound -# define deflatePrime z_deflatePrime -# define inflateInit2_ z_inflateInit2_ -# define inflateSetDictionary z_inflateSetDictionary -# define inflateSync z_inflateSync -# define inflateSyncPoint z_inflateSyncPoint -# define inflateCopy z_inflateCopy -# define inflateReset z_inflateReset -# define inflateBack z_inflateBack -# define inflateBackEnd z_inflateBackEnd +#ifdef Z_PREFIX /* may be set to #if 1 by ./configure */ + +/* all linked symbols */ +# define _dist_code z__dist_code +# define _length_code z__length_code +# define _tr_align z__tr_align +# define _tr_flush_block z__tr_flush_block +# define _tr_init z__tr_init +# define _tr_stored_block z__tr_stored_block +# define _tr_tally z__tr_tally +# define adler32 z_adler32 +# define adler32_combine z_adler32_combine +# define adler32_combine64 z_adler32_combine64 # define compress z_compress # define compress2 z_compress2 # define compressBound z_compressBound -# define uncompress z_uncompress -# define adler32 z_adler32 # define crc32 z_crc32 +# define crc32_combine z_crc32_combine +# define crc32_combine64 z_crc32_combine64 +# define deflate z_deflate +# define deflateBound z_deflateBound +# define deflateCopy z_deflateCopy +# define 
deflateEnd z_deflateEnd +# define deflateInit2_ z_deflateInit2_ +# define deflateInit_ z_deflateInit_ +# define deflateParams z_deflateParams +# define deflatePrime z_deflatePrime +# define deflateReset z_deflateReset +# define deflateSetDictionary z_deflateSetDictionary +# define deflateSetHeader z_deflateSetHeader +# define deflateTune z_deflateTune +# define deflate_copyright z_deflate_copyright # define get_crc_table z_get_crc_table +# define gz_error z_gz_error +# define gz_intmax z_gz_intmax +# define gz_strwinerror z_gz_strwinerror +# define gzbuffer z_gzbuffer +# define gzclearerr z_gzclearerr +# define gzclose z_gzclose +# define gzclose_r z_gzclose_r +# define gzclose_w z_gzclose_w +# define gzdirect z_gzdirect +# define gzdopen z_gzdopen +# define gzeof z_gzeof +# define gzerror z_gzerror +# define gzflush z_gzflush +# define gzgetc z_gzgetc +# define gzgets z_gzgets +# define gzoffset z_gzoffset +# define gzoffset64 z_gzoffset64 +# define gzopen z_gzopen +# define gzopen64 z_gzopen64 +# define gzprintf z_gzprintf +# define gzputc z_gzputc +# define gzputs z_gzputs +# define gzread z_gzread +# define gzrewind z_gzrewind +# define gzseek z_gzseek +# define gzseek64 z_gzseek64 +# define gzsetparams z_gzsetparams +# define gztell z_gztell +# define gztell64 z_gztell64 +# define gzungetc z_gzungetc +# define gzwrite z_gzwrite +# define inflate z_inflate +# define inflateBack z_inflateBack +# define inflateBackEnd z_inflateBackEnd +# define inflateBackInit_ z_inflateBackInit_ +# define inflateCopy z_inflateCopy +# define inflateEnd z_inflateEnd +# define inflateGetHeader z_inflateGetHeader +# define inflateInit2_ z_inflateInit2_ +# define inflateInit_ z_inflateInit_ +# define inflateMark z_inflateMark +# define inflatePrime z_inflatePrime +# define inflateReset z_inflateReset +# define inflateReset2 z_inflateReset2 +# define inflateSetDictionary z_inflateSetDictionary +# define inflateSync z_inflateSync +# define inflateSyncPoint z_inflateSyncPoint +# define 
inflateUndermine z_inflateUndermine +# define inflate_copyright z_inflate_copyright +# define inflate_fast z_inflate_fast +# define inflate_table z_inflate_table +# define uncompress z_uncompress # define zError z_zError +# define zcalloc z_zcalloc +# define zcfree z_zcfree +# define zlibCompileFlags z_zlibCompileFlags +# define zlibVersion z_zlibVersion -# define alloc_func z_alloc_func -# define free_func z_free_func -# define in_func z_in_func -# define out_func z_out_func +/* all zlib typedefs in zlib.h and zconf.h */ # define Byte z_Byte -# define uInt z_uInt -# define uLong z_uLong # define Bytef z_Bytef +# define alloc_func z_alloc_func # define charf z_charf +# define free_func z_free_func +# define gzFile z_gzFile +# define gz_header z_gz_header +# define gz_headerp z_gz_headerp +# define in_func z_in_func # define intf z_intf +# define out_func z_out_func +# define uInt z_uInt # define uIntf z_uIntf +# define uLong z_uLong # define uLongf z_uLongf -# define voidpf z_voidpf # define voidp z_voidp +# define voidpc z_voidpc +# define voidpf z_voidpf + +/* all zlib structs in zlib.h and zconf.h */ +# define gz_header_s z_gz_header_s +# define internal_state z_internal_state + #endif #if defined(__MSDOS__) && !defined(MSDOS) 
@@ -284,41 +356,73 @@ typedef uLong FAR uLongf; typedef Byte *voidp; #endif +#ifdef HAVE_UNISTD_H /* may be set to #if 1 by ./configure */ +# define Z_HAVE_UNISTD_H +#endif + +#ifdef STDC +# include /* for off_t */ +#endif + +/* a little trick to accommodate both "#define _LARGEFILE64_SOURCE" and + * "#define _LARGEFILE64_SOURCE 1" as requesting 64-bit operations, (even + * though the former does not conform to the LFS document), but considering + * both "#undef _LARGEFILE64_SOURCE" and "#define _LARGEFILE64_SOURCE 0" as + * equivalently requesting no 64-bit operations + */ +#if -_LARGEFILE64_SOURCE - -1 == 1 +# undef _LARGEFILE64_SOURCE +#endif + +#if defined(Z_HAVE_UNISTD_H) || defined(_LARGEFILE64_SOURCE) +# include /* for SEEK_* and off_t */ +# ifdef VMS +# include /* for off_t */ +# endif +# ifndef z_off_t +# define z_off_t off_t +# endif +#endif + #ifndef SEEK_SET # define SEEK_SET 0 /* Seek from beginning of file. */ # define SEEK_CUR 1 /* Seek from current position. */ # define SEEK_END 2 /* Set file pointer to EOF plus "offset" */ #endif + #ifndef z_off_t # define z_off_t long #endif +#if defined(_LARGEFILE64_SOURCE) && _LFS64_LARGEFILE-0 +# define z_off64_t off64_t +#else +# define z_off64_t z_off_t +#endif + #if defined(__OS400__) # define NO_vsnprintf #endif #if defined(__MVS__) # define NO_vsnprintf -# ifdef FAR -# undef FAR -# endif #endif /* MVS linker does not support external names larger than 8 bytes */ #if defined(__MVS__) -# pragma map(deflateInit_,"DEIN") -# pragma map(deflateInit2_,"DEIN2") -# pragma map(deflateEnd,"DEEND") -# pragma map(deflateBound,"DEBND") -# pragma map(inflateInit_,"ININ") -# pragma map(inflateInit2_,"ININ2") -# pragma map(inflateEnd,"INEND") -# pragma map(inflateSync,"INSY") -# pragma map(inflateSetDictionary,"INSEDI") -# pragma map(compressBound,"CMBND") -# pragma map(inflate_table,"INTABL") -# pragma map(inflate_fast,"INFA") -# pragma map(inflate_copyright,"INCOPY") + #pragma map(deflateInit_,"DEIN") + #pragma 
map(deflateInit2_,"DEIN2") + #pragma map(deflateEnd,"DEEND") + #pragma map(deflateBound,"DEBND") + #pragma map(inflateInit_,"ININ") + #pragma map(inflateInit2_,"ININ2") + #pragma map(inflateEnd,"INEND") + #pragma map(inflateSync,"INSY") + #pragma map(inflateSetDictionary,"INSEDI") + #pragma map(compressBound,"CMBND") + #pragma map(inflate_table,"INTABL") + #pragma map(inflate_fast,"INFA") + #pragma map(inflate_copyright,"INCOPY") #endif #endif /* ZCONF_H */ diff --git a/security/nss/lib/zlib/zlib.h b/security/nss/lib/zlib/zlib.h index 022817927ce..bfbba83e8ee 100644 --- a/security/nss/lib/zlib/zlib.h +++ b/security/nss/lib/zlib/zlib.h @@ -1,7 +1,7 @@ /* zlib.h -- interface of the 'zlib' general purpose compression library - version 1.2.3, July 18th, 2005 + version 1.2.5, April 19th, 2010 - Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler + Copyright (C) 1995-2010 Jean-loup Gailly and Mark Adler This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages 
@@ -37,41 +37,44 @@ extern "C" { #endif -#define ZLIB_VERSION "1.2.3" -#define ZLIB_VERNUM 0x1230 +#define ZLIB_VERSION "1.2.5" +#define ZLIB_VERNUM 0x1250 +#define ZLIB_VER_MAJOR 1 +#define ZLIB_VER_MINOR 2 +#define ZLIB_VER_REVISION 5 +#define ZLIB_VER_SUBREVISION 0 /* - The 'zlib' compression library provides in-memory compression and - decompression functions, including integrity checks of the uncompressed - data. This version of the library supports only one compression method - (deflation) but other algorithms will be added later and will have the same - stream interface. + The 'zlib' compression library provides in-memory compression and + decompression functions, including integrity checks of the uncompressed data. + This version of the library supports only one compression method (deflation) + but other algorithms will be added later and will have the same stream + interface. - Compression can be done in a single step if the buffers are large - enough (for example if an input file is mmap'ed), or can be done by - repeated calls of the compression function. In the latter case, the - application must provide more input and/or consume the output + Compression can be done in a single step if the buffers are large enough, + or can be done by repeated calls of the compression function. In the latter + case, the application must provide more input and/or consume the output (providing more output space) before each call. - The compressed data format used by default by the in-memory functions is + The compressed data format used by default by the in-memory functions is the zlib format, which is a zlib wrapper documented in RFC 1950, wrapped around a deflate stream, which is itself documented in RFC 1951. - The library also supports reading and writing files in gzip (.gz) format + The library also supports reading and writing files in gzip (.gz) format with an interface similar to that of stdio using the functions that start with "gz". 
The gzip format is different from the zlib format. gzip is a gzip wrapper, documented in RFC 1952, wrapped around a deflate stream. - This library can optionally read and write gzip streams in memory as well. + This library can optionally read and write gzip streams in memory as well. - The zlib format was designed to be compact and fast for use in memory + The zlib format was designed to be compact and fast for use in memory and on communications channels. The gzip format was designed for single- file compression on file systems, has a larger header than zlib to maintain directory information, and uses a different, slower check method than zlib. - The library does not install any signal handler. The decoder checks - the consistency of the compressed data, so the library should never - crash even in case of corrupted input. + The library does not install any signal handler. The decoder checks + the consistency of the compressed data, so the library should never crash + even in case of corrupted input. */ typedef voidpf (*alloc_func) OF((voidpf opaque, uInt items, uInt size)); 
@@ -126,45 +129,45 @@ typedef struct gz_header_s { typedef gz_header FAR *gz_headerp; /* - The application must update next_in and avail_in when avail_in has - dropped to zero. It must update next_out and avail_out when avail_out - has dropped to zero. The application must initialize zalloc, zfree and - opaque before calling the init function. All other fields are set by the - compression library and must not be updated by the application. + The application must update next_in and avail_in when avail_in has dropped + to zero. It must update next_out and avail_out when avail_out has dropped + to zero. The application must initialize zalloc, zfree and opaque before + calling the init function. All other fields are set by the compression + library and must not be updated by the application. - The opaque value provided by the application will be passed as the first - parameter for calls of zalloc and zfree. This can be useful for custom - memory management. The compression library attaches no meaning to the + The opaque value provided by the application will be passed as the first + parameter for calls of zalloc and zfree. This can be useful for custom + memory management. The compression library attaches no meaning to the opaque value. - zalloc must return Z_NULL if there is not enough memory for the object. + zalloc must return Z_NULL if there is not enough memory for the object. If zlib is used in a multi-threaded application, zalloc and zfree must be thread safe. - On 16-bit systems, the functions zalloc and zfree must be able to allocate - exactly 65536 bytes, but will not be required to allocate more than this - if the symbol MAXSEG_64K is defined (see zconf.h). WARNING: On MSDOS, - pointers returned by zalloc for objects of exactly 65536 bytes *must* - have their offset normalized to zero. The default allocation function - provided by this library ensures this (see zutil.c). 
To reduce memory - requirements and avoid any allocation of 64K objects, at the expense of - compression ratio, compile the library with -DMAX_WBITS=14 (see zconf.h). + On 16-bit systems, the functions zalloc and zfree must be able to allocate + exactly 65536 bytes, but will not be required to allocate more than this if + the symbol MAXSEG_64K is defined (see zconf.h). WARNING: On MSDOS, pointers + returned by zalloc for objects of exactly 65536 bytes *must* have their + offset normalized to zero. The default allocation function provided by this + library ensures this (see zutil.c). To reduce memory requirements and avoid + any allocation of 64K objects, at the expense of compression ratio, compile + the library with -DMAX_WBITS=14 (see zconf.h). - The fields total_in and total_out can be used for statistics or - progress reports. After compression, total_in holds the total size of - the uncompressed data and may be saved for use in the decompressor - (particularly if the decompressor wants to decompress everything in - a single step). + The fields total_in and total_out can be used for statistics or progress + reports. After compression, total_in holds the total size of the + uncompressed data and may be saved for use in the decompressor (particularly + if the decompressor wants to decompress everything in a single step). */ /* constants */ #define Z_NO_FLUSH 0 -#define Z_PARTIAL_FLUSH 1 /* will be removed, use Z_SYNC_FLUSH instead */ +#define Z_PARTIAL_FLUSH 1 #define Z_SYNC_FLUSH 2 #define Z_FULL_FLUSH 3 #define Z_FINISH 4 #define Z_BLOCK 5 +#define Z_TREES 6 /* Allowed flush values; see deflate() and inflate() below for details */ #define Z_OK 0 
@@ -176,8 +179,8 @@ typedef gz_header FAR *gz_headerp; #define Z_MEM_ERROR (-4) #define Z_BUF_ERROR (-5) #define Z_VERSION_ERROR (-6) -/* Return codes for the compression/decompression functions. Negative - * values are errors, positive values are used for special but normal events. +/* Return codes for the compression/decompression functions. Negative values + * are errors, positive values are used for special but normal events. */ #define Z_NO_COMPRESSION 0 
@@ -207,119 +210,140 @@ typedef gz_header FAR *gz_headerp; #define zlib_version zlibVersion() /* for compatibility with versions < 1.0.2 */ + /* basic functions */ ZEXTERN const char * ZEXPORT zlibVersion OF((void)); /* The application can compare zlibVersion and ZLIB_VERSION for consistency. - If the first character differs, the library code actually used is - not compatible with the zlib.h header file used by the application. - This check is automatically made by deflateInit and inflateInit. + If the first character differs, the library code actually used is not + compatible with the zlib.h header file used by the application. This check + is automatically made by deflateInit and inflateInit. */ /* ZEXTERN int ZEXPORT deflateInit OF((z_streamp strm, int level)); - Initializes the internal stream state for compression. The fields - zalloc, zfree and opaque must be initialized before by the caller. - If zalloc and zfree are set to Z_NULL, deflateInit updates them to - use default allocation functions. + Initializes the internal stream state for compression. The fields + zalloc, zfree and opaque must be initialized before by the caller. If + zalloc and zfree are set to Z_NULL, deflateInit updates them to use default + allocation functions. The compression level must be Z_DEFAULT_COMPRESSION, or between 0 and 9: - 1 gives best speed, 9 gives best compression, 0 gives no compression at - all (the input data is simply copied a block at a time). - Z_DEFAULT_COMPRESSION requests a default compromise between speed and - compression (currently equivalent to level 6). + 1 gives best speed, 9 gives best compression, 0 gives no compression at all + (the input data is simply copied a block at a time). Z_DEFAULT_COMPRESSION + requests a default compromise between speed and compression (currently + equivalent to level 6). 
- deflateInit returns Z_OK if success, Z_MEM_ERROR if there was not - enough memory, Z_STREAM_ERROR if level is not a valid compression level, + deflateInit returns Z_OK if success, Z_MEM_ERROR if there was not enough + memory, Z_STREAM_ERROR if level is not a valid compression level, or Z_VERSION_ERROR if the zlib library version (zlib_version) is incompatible - with the version assumed by the caller (ZLIB_VERSION). - msg is set to null if there is no error message. deflateInit does not - perform any compression: this will be done by deflate(). + with the version assumed by the caller (ZLIB_VERSION). msg is set to null + if there is no error message. deflateInit does not perform any compression: + this will be done by deflate(). */ ZEXTERN int ZEXPORT deflate OF((z_streamp strm, int flush)); /* deflate compresses as much data as possible, and stops when the input - buffer becomes empty or the output buffer becomes full. It may introduce some - output latency (reading input without producing any output) except when + buffer becomes empty or the output buffer becomes full. It may introduce + some output latency (reading input without producing any output) except when forced to flush. - The detailed semantics are as follows. deflate performs one or both of the + The detailed semantics are as follows. deflate performs one or both of the following actions: - Compress more input starting at next_in and update next_in and avail_in - accordingly. If not all input can be processed (because there is not + accordingly. If not all input can be processed (because there is not enough room in the output buffer), next_in and avail_in are updated and processing will resume at this point for the next call of deflate(). - Provide more output starting at next_out and update next_out and avail_out - accordingly. This action is forced if the parameter flush is non zero. + accordingly. This action is forced if the parameter flush is non zero. 
Forcing flush frequently degrades the compression ratio, so this parameter - should be set only when necessary (in interactive applications). - Some output may be provided even if flush is not set. + should be set only when necessary (in interactive applications). Some + output may be provided even if flush is not set. - Before the call of deflate(), the application should ensure that at least - one of the actions is possible, by providing more input and/or consuming - more output, and updating avail_in or avail_out accordingly; avail_out - should never be zero before the call. The application can consume the - compressed output when it wants, for example when the output buffer is full - (avail_out == 0), or after each call of deflate(). If deflate returns Z_OK - and with zero avail_out, it must be called again after making room in the - output buffer because there might be more output pending. + Before the call of deflate(), the application should ensure that at least + one of the actions is possible, by providing more input and/or consuming more + output, and updating avail_in or avail_out accordingly; avail_out should + never be zero before the call. The application can consume the compressed + output when it wants, for example when the output buffer is full (avail_out + == 0), or after each call of deflate(). If deflate returns Z_OK and with + zero avail_out, it must be called again after making room in the output + buffer because there might be more output pending. Normally the parameter flush is set to Z_NO_FLUSH, which allows deflate to - decide how much data to accumualte before producing output, in order to + decide how much data to accumulate before producing output, in order to maximize compression. If the parameter flush is set to Z_SYNC_FLUSH, all pending output is flushed to the output buffer and the output is aligned on a byte boundary, so - that the decompressor can get all input data available so far. 
(In particular - avail_in is zero after the call if enough output space has been provided - before the call.) Flushing may degrade compression for some compression - algorithms and so it should be used only when necessary. + that the decompressor can get all input data available so far. (In + particular avail_in is zero after the call if enough output space has been + provided before the call.) Flushing may degrade compression for some + compression algorithms and so it should be used only when necessary. This + completes the current deflate block and follows it with an empty stored block + that is three bits plus filler bits to the next byte, followed by four bytes + (00 00 ff ff). + + If flush is set to Z_PARTIAL_FLUSH, all pending output is flushed to the + output buffer, but the output is not aligned to a byte boundary. All of the + input data so far will be available to the decompressor, as for Z_SYNC_FLUSH. + This completes the current deflate block and follows it with an empty fixed + codes block that is 10 bits long. This assures that enough bytes are output + in order for the decompressor to finish the block before the empty fixed code + block. + + If flush is set to Z_BLOCK, a deflate block is completed and emitted, as + for Z_SYNC_FLUSH, but the output is not aligned on a byte boundary, and up to + seven bits of the current block are held to be written as the next byte after + the next deflate block is completed. In this case, the decompressor may not + be provided enough bits at this point in order to complete decompression of + the data provided so far to the compressor. It may need to wait for the next + block to be emitted. This is for advanced applications that need to control + the emission of deflate blocks. If flush is set to Z_FULL_FLUSH, all output is flushed as with Z_SYNC_FLUSH, and the compression state is reset so that decompression can restart from this point if previous compressed data has been damaged or if - random access is desired. 
Using Z_FULL_FLUSH too often can seriously degrade + random access is desired. Using Z_FULL_FLUSH too often can seriously degrade compression. If deflate returns with avail_out == 0, this function must be called again with the same value of the flush parameter and more output space (updated avail_out), until the flush is complete (deflate returns with non-zero - avail_out). In the case of a Z_FULL_FLUSH or Z_SYNC_FLUSH, make sure that + avail_out). In the case of a Z_FULL_FLUSH or Z_SYNC_FLUSH, make sure that avail_out is greater than six to avoid repeated flush markers due to avail_out == 0 on return. If the parameter flush is set to Z_FINISH, pending input is processed, - pending output is flushed and deflate returns with Z_STREAM_END if there - was enough output space; if deflate returns with Z_OK, this function must be + pending output is flushed and deflate returns with Z_STREAM_END if there was + enough output space; if deflate returns with Z_OK, this function must be called again with Z_FINISH and more output space (updated avail_out) but no - more input data, until it returns with Z_STREAM_END or an error. After - deflate has returned Z_STREAM_END, the only possible operations on the - stream are deflateReset or deflateEnd. + more input data, until it returns with Z_STREAM_END or an error. After + deflate has returned Z_STREAM_END, the only possible operations on the stream + are deflateReset or deflateEnd. Z_FINISH can be used immediately after deflateInit if all the compression - is to be done in a single step. In this case, avail_out must be at least - the value returned by deflateBound (see below). If deflate does not return + is to be done in a single step. In this case, avail_out must be at least the + value returned by deflateBound (see below). If deflate does not return Z_STREAM_END, then it must be called again as described above. deflate() sets strm->adler to the adler32 checksum of all input read so far (that is, total_in bytes). 
deflate() may update strm->data_type if it can make a good guess about - the input data type (Z_BINARY or Z_TEXT). In doubt, the data is considered - binary. This field is only for information purposes and does not affect - the compression algorithm in any manner. + the input data type (Z_BINARY or Z_TEXT). In doubt, the data is considered + binary. This field is only for information purposes and does not affect the + compression algorithm in any manner. deflate() returns Z_OK if some progress has been made (more input processed or more output produced), Z_STREAM_END if all input has been consumed and all output has been produced (only when flush is set to Z_FINISH), Z_STREAM_ERROR if the stream state was inconsistent (for example - if next_in or next_out was NULL), Z_BUF_ERROR if no progress is possible - (for example avail_in or avail_out was zero). Note that Z_BUF_ERROR is not + if next_in or next_out was Z_NULL), Z_BUF_ERROR if no progress is possible + (for example avail_in or avail_out was zero). Note that Z_BUF_ERROR is not fatal, and deflate() can be called again with more input and more output space to continue compressing. */ @@ -328,13 +352,13 @@ ZEXTERN int ZEXPORT deflate OF((z_streamp strm, int flush)); ZEXTERN int ZEXPORT deflateEnd OF((z_streamp strm)); /* All dynamically allocated data structures for this stream are freed. - This function discards any unprocessed input and does not flush any - pending output. + This function discards any unprocessed input and does not flush any pending + output. deflateEnd returns Z_OK if success, Z_STREAM_ERROR if the stream state was inconsistent, Z_DATA_ERROR if the stream was freed - prematurely (some input or output was discarded). In the error case, - msg may be set but then points to a static string (which must not be + prematurely (some input or output was discarded). In the error case, msg + may be set but then points to a static string (which must not be deallocated). */ 
@@ -342,10 +366,10 @@ ZEXTERN int ZEXPORT deflateEnd OF((z_streamp strm)); /* ZEXTERN int ZEXPORT inflateInit OF((z_streamp strm)); - Initializes the internal stream state for decompression. The fields + Initializes the internal stream state for decompression. The fields next_in, avail_in, zalloc, zfree and opaque must be initialized before by - the caller. If next_in is not Z_NULL and avail_in is large enough (the exact - value depends on the compression method), inflateInit determines the + the caller. If next_in is not Z_NULL and avail_in is large enough (the + exact value depends on the compression method), inflateInit determines the compression method from the zlib header and allocates all data structures accordingly; otherwise the allocation will be deferred to the first call of inflate. If zalloc and zfree are set to Z_NULL, inflateInit updates them to 
@@ -353,95 +377,108 @@ ZEXTERN int ZEXPORT inflateInit OF((z_streamp strm)); inflateInit returns Z_OK if success, Z_MEM_ERROR if there was not enough memory, Z_VERSION_ERROR if the zlib library version is incompatible with the - version assumed by the caller. msg is set to null if there is no error - message. inflateInit does not perform any decompression apart from reading - the zlib header if present: this will be done by inflate(). (So next_in and - avail_in may be modified, but next_out and avail_out are unchanged.) + version assumed by the caller, or Z_STREAM_ERROR if the parameters are + invalid, such as a null pointer to the structure. msg is set to null if + there is no error message. inflateInit does not perform any decompression + apart from possibly reading the zlib header if present: actual decompression + will be done by inflate(). (So next_in and avail_in may be modified, but + next_out and avail_out are unused and unchanged.) The current implementation + of inflateInit() does not process any header information -- that is deferred + until inflate() is called. */ ZEXTERN int ZEXPORT inflate OF((z_streamp strm, int flush)); /* inflate decompresses as much data as possible, and stops when the input - buffer becomes empty or the output buffer becomes full. It may introduce + buffer becomes empty or the output buffer becomes full. It may introduce some output latency (reading input without producing any output) except when forced to flush. - The detailed semantics are as follows. inflate performs one or both of the + The detailed semantics are as follows. inflate performs one or both of the following actions: - Decompress more input starting at next_in and update next_in and avail_in - accordingly. If not all input can be processed (because there is not - enough room in the output buffer), next_in is updated and processing - will resume at this point for the next call of inflate(). + accordingly. 
If not all input can be processed (because there is not + enough room in the output buffer), next_in is updated and processing will + resume at this point for the next call of inflate(). - Provide more output starting at next_out and update next_out and avail_out - accordingly. inflate() provides as much output as possible, until there - is no more input data or no more space in the output buffer (see below - about the flush parameter). + accordingly. inflate() provides as much output as possible, until there is + no more input data or no more space in the output buffer (see below about + the flush parameter). - Before the call of inflate(), the application should ensure that at least - one of the actions is possible, by providing more input and/or consuming - more output, and updating the next_* and avail_* values accordingly. - The application can consume the uncompressed output when it wants, for - example when the output buffer is full (avail_out == 0), or after each - call of inflate(). If inflate returns Z_OK and with zero avail_out, it - must be called again after making room in the output buffer because there - might be more output pending. + Before the call of inflate(), the application should ensure that at least + one of the actions is possible, by providing more input and/or consuming more + output, and updating the next_* and avail_* values accordingly. The + application can consume the uncompressed output when it wants, for example + when the output buffer is full (avail_out == 0), or after each call of + inflate(). If inflate returns Z_OK and with zero avail_out, it must be + called again after making room in the output buffer because there might be + more output pending. - The flush parameter of inflate() can be Z_NO_FLUSH, Z_SYNC_FLUSH, - Z_FINISH, or Z_BLOCK. Z_SYNC_FLUSH requests that inflate() flush as much - output as possible to the output buffer. Z_BLOCK requests that inflate() stop - if and when it gets to the next deflate block boundary. 
When decoding the - zlib or gzip format, this will cause inflate() to return immediately after - the header and before the first block. When doing a raw inflate, inflate() - will go ahead and process the first block, and will return when it gets to - the end of that block, or when it runs out of data. + The flush parameter of inflate() can be Z_NO_FLUSH, Z_SYNC_FLUSH, Z_FINISH, + Z_BLOCK, or Z_TREES. Z_SYNC_FLUSH requests that inflate() flush as much + output as possible to the output buffer. Z_BLOCK requests that inflate() + stop if and when it gets to the next deflate block boundary. When decoding + the zlib or gzip format, this will cause inflate() to return immediately + after the header and before the first block. When doing a raw inflate, + inflate() will go ahead and process the first block, and will return when it + gets to the end of that block, or when it runs out of data. The Z_BLOCK option assists in appending to or combining deflate streams. Also to assist in this, on return inflate() will set strm->data_type to the - number of unused bits in the last byte taken from strm->next_in, plus 64 - if inflate() is currently decoding the last block in the deflate stream, - plus 128 if inflate() returned immediately after decoding an end-of-block - code or decoding the complete header up to just before the first byte of the - deflate stream. The end-of-block will not be indicated until all of the - uncompressed data from that block has been written to strm->next_out. The - number of unused bits may in general be greater than seven, except when - bit 7 of data_type is set, in which case the number of unused bits will be - less than eight. + number of unused bits in the last byte taken from strm->next_in, plus 64 if + inflate() is currently decoding the last block in the deflate stream, plus + 128 if inflate() returned immediately after decoding an end-of-block code or + decoding the complete header up to just before the first byte of the deflate + stream. 
The end-of-block will not be indicated until all of the uncompressed + data from that block has been written to strm->next_out. The number of + unused bits may in general be greater than seven, except when bit 7 of + data_type is set, in which case the number of unused bits will be less than + eight. data_type is set as noted here every time inflate() returns for all + flush options, and so can be used to determine the amount of currently + consumed input in bits. + + The Z_TREES option behaves as Z_BLOCK does, but it also returns when the + end of each deflate block header is reached, before any actual data in that + block is decoded. This allows the caller to determine the length of the + deflate block header for later use in random access within a deflate block. + 256 is added to the value of strm->data_type when inflate() returns + immediately after reaching the end of the deflate block header. inflate() should normally be called until it returns Z_STREAM_END or an - error. However if all decompression is to be performed in a single step - (a single call of inflate), the parameter flush should be set to - Z_FINISH. In this case all pending input is processed and all pending - output is flushed; avail_out must be large enough to hold all the - uncompressed data. (The size of the uncompressed data may have been saved - by the compressor for this purpose.) The next operation on this stream must - be inflateEnd to deallocate the decompression state. The use of Z_FINISH - is never required, but can be used to inform inflate that a faster approach - may be used for the single inflate() call. + error. However if all decompression is to be performed in a single step (a + single call of inflate), the parameter flush should be set to Z_FINISH. In + this case all pending input is processed and all pending output is flushed; + avail_out must be large enough to hold all the uncompressed data. 
(The size + of the uncompressed data may have been saved by the compressor for this + purpose.) The next operation on this stream must be inflateEnd to deallocate + the decompression state. The use of Z_FINISH is never required, but can be + used to inform inflate that a faster approach may be used for the single + inflate() call. In this implementation, inflate() always flushes as much output as possible to the output buffer, and always uses the faster approach on the - first call. So the only effect of the flush parameter in this implementation + first call. So the only effect of the flush parameter in this implementation is on the return value of inflate(), as noted below, or when it returns early - because Z_BLOCK is used. + because Z_BLOCK or Z_TREES is used. If a preset dictionary is needed after this call (see inflateSetDictionary below), inflate sets strm->adler to the adler32 checksum of the dictionary chosen by the compressor and returns Z_NEED_DICT; otherwise it sets strm->adler to the adler32 checksum of all output produced so far (that is, total_out bytes) and returns Z_OK, Z_STREAM_END or an error code as described - below. At the end of the stream, inflate() checks that its computed adler32 + below. At the end of the stream, inflate() checks that its computed adler32 checksum is equal to that saved by the compressor and returns Z_STREAM_END only if the checksum is correct. - inflate() will decompress and check either zlib-wrapped or gzip-wrapped - deflate data. The header type is detected automatically. Any information - contained in the gzip header is not retained, so applications that need that - information should instead use raw inflate, see inflateInit2() below, or - inflateBack() and perform their own processing of the gzip header and - trailer. + inflate() can decompress and check either zlib-wrapped or gzip-wrapped + deflate data. The header type is detected automatically, if requested when + initializing with inflateInit2(). 
Any information contained in the gzip + header is not retained, so applications that need that information should + instead use raw inflate, see inflateInit2() below, or inflateBack() and + perform their own processing of the gzip header and trailer. inflate() returns Z_OK if some progress has been made (more input processed or more output produced), Z_STREAM_END if the end of the compressed data has 
@@ -449,27 +486,28 @@ ZEXTERN int ZEXPORT inflate OF((z_streamp strm, int flush)); preset dictionary is needed at this point, Z_DATA_ERROR if the input data was corrupted (input stream not conforming to the zlib format or incorrect check value), Z_STREAM_ERROR if the stream structure was inconsistent (for example - if next_in or next_out was NULL), Z_MEM_ERROR if there was not enough memory, + next_in or next_out was Z_NULL), Z_MEM_ERROR if there was not enough memory, Z_BUF_ERROR if no progress is possible or if there was not enough room in the - output buffer when Z_FINISH is used. Note that Z_BUF_ERROR is not fatal, and + output buffer when Z_FINISH is used. Note that Z_BUF_ERROR is not fatal, and inflate() can be called again with more input and more output space to - continue decompressing. If Z_DATA_ERROR is returned, the application may then - call inflateSync() to look for a good compression block if a partial recovery - of the data is desired. + continue decompressing. If Z_DATA_ERROR is returned, the application may + then call inflateSync() to look for a good compression block if a partial + recovery of the data is desired. */ ZEXTERN int ZEXPORT inflateEnd OF((z_streamp strm)); /* All dynamically allocated data structures for this stream are freed. - This function discards any unprocessed input and does not flush any - pending output. + This function discards any unprocessed input and does not flush any pending + output. inflateEnd returns Z_OK if success, Z_STREAM_ERROR if the stream state - was inconsistent. In the error case, msg may be set but then points to a + was inconsistent. In the error case, msg may be set but then points to a static string (which must not be deallocated). */ + /* Advanced functions */ /* 
@@ -484,55 +522,57 @@ ZEXTERN int ZEXPORT deflateInit2 OF((z_streamp strm, int memLevel, int strategy)); - This is another version of deflateInit with more compression options. The - fields next_in, zalloc, zfree and opaque must be initialized before by - the caller. + This is another version of deflateInit with more compression options. The + fields next_in, zalloc, zfree and opaque must be initialized before by the + caller. - The method parameter is the compression method. It must be Z_DEFLATED in + The method parameter is the compression method. It must be Z_DEFLATED in this version of the library. The windowBits parameter is the base two logarithm of the window size - (the size of the history buffer). It should be in the range 8..15 for this - version of the library. Larger values of this parameter result in better - compression at the expense of memory usage. The default value is 15 if + (the size of the history buffer). It should be in the range 8..15 for this + version of the library. Larger values of this parameter result in better + compression at the expense of memory usage. The default value is 15 if deflateInit is used instead. - windowBits can also be -8..-15 for raw deflate. In this case, -windowBits - determines the window size. deflate() will then generate raw deflate data + windowBits can also be -8..-15 for raw deflate. In this case, -windowBits + determines the window size. deflate() will then generate raw deflate data with no zlib header or trailer, and will not compute an adler32 check value. - windowBits can also be greater than 15 for optional gzip encoding. Add + windowBits can also be greater than 15 for optional gzip encoding. Add 16 to windowBits to write a simple gzip header and trailer around the - compressed data instead of a zlib wrapper. The gzip header will have no - file name, no extra data, no comment, no modification time (set to zero), - no header crc, and the operating system will be set to 255 (unknown). 
If a + compressed data instead of a zlib wrapper. The gzip header will have no + file name, no extra data, no comment, no modification time (set to zero), no + header crc, and the operating system will be set to 255 (unknown). If a gzip stream is being written, strm->adler is a crc32 instead of an adler32. The memLevel parameter specifies how much memory should be allocated - for the internal compression state. memLevel=1 uses minimum memory but - is slow and reduces compression ratio; memLevel=9 uses maximum memory - for optimal speed. The default value is 8. See zconf.h for total memory - usage as a function of windowBits and memLevel. + for the internal compression state. memLevel=1 uses minimum memory but is + slow and reduces compression ratio; memLevel=9 uses maximum memory for + optimal speed. The default value is 8. See zconf.h for total memory usage + as a function of windowBits and memLevel. - The strategy parameter is used to tune the compression algorithm. Use the + The strategy parameter is used to tune the compression algorithm. Use the value Z_DEFAULT_STRATEGY for normal data, Z_FILTERED for data produced by a filter (or predictor), Z_HUFFMAN_ONLY to force Huffman encoding only (no string match), or Z_RLE to limit match distances to one (run-length - encoding). Filtered data consists mostly of small values with a somewhat - random distribution. In this case, the compression algorithm is tuned to - compress them better. The effect of Z_FILTERED is to force more Huffman + encoding). Filtered data consists mostly of small values with a somewhat + random distribution. In this case, the compression algorithm is tuned to + compress them better. The effect of Z_FILTERED is to force more Huffman coding and less string matching; it is somewhat intermediate between - Z_DEFAULT and Z_HUFFMAN_ONLY. Z_RLE is designed to be almost as fast as - Z_HUFFMAN_ONLY, but give better compression for PNG image data. 
The strategy - parameter only affects the compression ratio but not the correctness of the - compressed output even if it is not set appropriately. Z_FIXED prevents the - use of dynamic Huffman codes, allowing for a simpler decoder for special - applications. + Z_DEFAULT_STRATEGY and Z_HUFFMAN_ONLY. Z_RLE is designed to be almost as + fast as Z_HUFFMAN_ONLY, but give better compression for PNG image data. The + strategy parameter only affects the compression ratio but not the + correctness of the compressed output even if it is not set appropriately. + Z_FIXED prevents the use of dynamic Huffman codes, allowing for a simpler + decoder for special applications. - deflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough - memory, Z_STREAM_ERROR if a parameter is invalid (such as an invalid - method). msg is set to null if there is no error message. deflateInit2 does - not perform any compression: this will be done by deflate(). + deflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough + memory, Z_STREAM_ERROR if any parameter is invalid (such as an invalid + method), or Z_VERSION_ERROR if the zlib library version (zlib_version) is + incompatible with the version assumed by the caller (ZLIB_VERSION). msg is + set to null if there is no error message. deflateInit2 does not perform any + compression: this will be done by deflate(). */ ZEXTERN int ZEXPORT deflateSetDictionary OF((z_streamp strm, 
@@ -540,37 +580,37 @@ ZEXTERN int ZEXPORT deflateSetDictionary OF((z_streamp strm, uInt dictLength)); /* Initializes the compression dictionary from the given byte sequence - without producing any compressed output. This function must be called - immediately after deflateInit, deflateInit2 or deflateReset, before any - call of deflate. The compressor and decompressor must use exactly the same + without producing any compressed output. This function must be called + immediately after deflateInit, deflateInit2 or deflateReset, before any call + of deflate. The compressor and decompressor must use exactly the same dictionary (see inflateSetDictionary). The dictionary should consist of strings (byte sequences) that are likely to be encountered later in the data to be compressed, with the most commonly - used strings preferably put towards the end of the dictionary. Using a + used strings preferably put towards the end of the dictionary. Using a dictionary is most useful when the data to be compressed is short and can be predicted with good accuracy; the data can then be compressed better than with the default empty dictionary. Depending on the size of the compression data structures selected by deflateInit or deflateInit2, a part of the dictionary may in effect be - discarded, for example if the dictionary is larger than the window size in - deflate or deflate2. Thus the strings most likely to be useful should be - put at the end of the dictionary, not at the front. In addition, the - current implementation of deflate will use at most the window size minus - 262 bytes of the provided dictionary. + discarded, for example if the dictionary is larger than the window size + provided in deflateInit or deflateInit2. Thus the strings most likely to be + useful should be put at the end of the dictionary, not at the front. In + addition, the current implementation of deflate will use at most the window + size minus 262 bytes of the provided dictionary. 
Upon return of this function, strm->adler is set to the adler32 value of the dictionary; the decompressor may later use this value to determine - which dictionary has been used by the compressor. (The adler32 value + which dictionary has been used by the compressor. (The adler32 value applies to the whole dictionary even if only a subset of the dictionary is actually used by the compressor.) If a raw deflate was requested, then the adler32 value is not computed and strm->adler is not set. deflateSetDictionary returns Z_OK if success, or Z_STREAM_ERROR if a - parameter is invalid (such as NULL dictionary) or the stream state is + parameter is invalid (e.g. dictionary being Z_NULL) or the stream state is inconsistent (for example if deflate has already been called for this stream - or if the compression method is bsort). deflateSetDictionary does not + or if the compression method is bsort). deflateSetDictionary does not perform any compression: this will be done by deflate(). */ 
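Review bot: The return-value paragraph of the deflateSetDictionary comment keeps the example "or if the compression method is bsort", which contradicts the deflateInit2 comment in this same header: the method "must be Z_DEFLATED in this version of the library". The example therefore describes a state no caller can reach. Since the line is rewritten here anyway, the stale clause could be dropped: `inconsistent (for example if deflate has already been called for this stream).`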
@@ -581,26 +621,26 @@ ZEXTERN int ZEXPORT deflateCopy OF((z_streamp dest, This function can be useful when several compression strategies will be tried, for example when there are several ways of pre-processing the input - data with a filter. The streams that will be discarded should then be freed + data with a filter. The streams that will be discarded should then be freed by calling deflateEnd. Note that deflateCopy duplicates the internal - compression state which can be quite large, so this strategy is slow and - can consume lots of memory. + compression state which can be quite large, so this strategy is slow and can + consume lots of memory. deflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not enough memory, Z_STREAM_ERROR if the source stream state was inconsistent - (such as zalloc being NULL). msg is left unchanged in both source and + (such as zalloc being Z_NULL). msg is left unchanged in both source and destination. */ ZEXTERN int ZEXPORT deflateReset OF((z_streamp strm)); /* This function is equivalent to deflateEnd followed by deflateInit, - but does not free and reallocate all the internal compression state. - The stream will keep the same compression level and any other attributes - that may have been set by deflateInit2. + but does not free and reallocate all the internal compression state. The + stream will keep the same compression level and any other attributes that + may have been set by deflateInit2. - deflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source - stream state was inconsistent (such as zalloc or state being NULL). + deflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source + stream state was inconsistent (such as zalloc or state being Z_NULL). */ ZEXTERN int ZEXPORT deflateParams OF((z_streamp strm, 
@@ -610,18 +650,18 @@ ZEXTERN int ZEXPORT deflateParams OF((z_streamp strm, Dynamically update the compression level and compression strategy. The interpretation of level and strategy is as in deflateInit2. This can be used to switch between compression and straight copy of the input data, or - to switch to a different kind of input data requiring a different - strategy. If the compression level is changed, the input available so far - is compressed with the old level (and may be flushed); the new level will - take effect only at the next call of deflate(). + to switch to a different kind of input data requiring a different strategy. + If the compression level is changed, the input available so far is + compressed with the old level (and may be flushed); the new level will take + effect only at the next call of deflate(). Before the call of deflateParams, the stream state must be set as for - a call of deflate(), since the currently available input may have to - be compressed and flushed. In particular, strm->avail_out must be non-zero. + a call of deflate(), since the currently available input may have to be + compressed and flushed. In particular, strm->avail_out must be non-zero. deflateParams returns Z_OK if success, Z_STREAM_ERROR if the source - stream state was inconsistent or if a parameter was invalid, Z_BUF_ERROR - if strm->avail_out was zero. + stream state was inconsistent or if a parameter was invalid, Z_BUF_ERROR if + strm->avail_out was zero. */ ZEXTERN int ZEXPORT deflateTune OF((z_streamp strm, 
@@ -645,9 +685,10 @@ ZEXTERN uLong ZEXPORT deflateBound OF((z_streamp strm, uLong sourceLen)); /* deflateBound() returns an upper bound on the compressed size after - deflation of sourceLen bytes. It must be called after deflateInit() - or deflateInit2(). This would be used to allocate an output buffer - for deflation in a single pass, and so would be called before deflate(). + deflation of sourceLen bytes. It must be called after deflateInit() or + deflateInit2(), and after deflateSetHeader(), if used. This would be used + to allocate an output buffer for deflation in a single pass, and so would be + called before deflate(). */ ZEXTERN int ZEXPORT deflatePrime OF((z_streamp strm, 
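Review bot: The deflateBound comment now requires the call to come after deflateSetHeader() but does not say what happens when the order is reversed. Presumably the bound then omits the gzip header fields, so a single-pass deflate() with Z_FINISH can return Z_OK instead of Z_STREAM_END; a caller that does not check for Z_STREAM_END would emit a truncated stream. I would state that in the comment, for example `A bound obtained before deflateSetHeader() may be too small; in that case deflate() with Z_FINISH returns Z_OK rather than Z_STREAM_END.`, adjusted to what deflate.c actually does.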
@@ -655,21 +696,21 @@ ZEXTERN int ZEXPORT deflatePrime OF((z_streamp strm, int value)); /* deflatePrime() inserts bits in the deflate output stream. The intent - is that this function is used to start off the deflate output with the - bits leftover from a previous deflate stream when appending to it. As such, - this function can only be used for raw deflate, and must be used before the - first deflate() call after a deflateInit2() or deflateReset(). bits must be - less than or equal to 16, and that many of the least significant bits of - value will be inserted in the output. + is that this function is used to start off the deflate output with the bits + leftover from a previous deflate stream when appending to it. As such, this + function can only be used for raw deflate, and must be used before the first + deflate() call after a deflateInit2() or deflateReset(). bits must be less + than or equal to 16, and that many of the least significant bits of value + will be inserted in the output. - deflatePrime returns Z_OK if success, or Z_STREAM_ERROR if the source + deflatePrime returns Z_OK if success, or Z_STREAM_ERROR if the source stream state was inconsistent. */ ZEXTERN int ZEXPORT deflateSetHeader OF((z_streamp strm, gz_headerp head)); /* - deflateSetHeader() provides gzip header information for when a gzip + deflateSetHeader() provides gzip header information for when a gzip stream is requested by deflateInit2(). deflateSetHeader() may be called after deflateInit2() or deflateReset() and before the first call of deflate(). The text, time, os, extra field, name, and comment information 
@@ -682,11 +723,11 @@ ZEXTERN int ZEXPORT deflateSetHeader OF((z_streamp strm, 1.3.x) do not support header crc's, and will report that it is a "multi-part gzip file" and give up. - If deflateSetHeader is not used, the default gzip header has text false, + If deflateSetHeader is not used, the default gzip header has text false, the time set to zero, and os set to 255, with no extra, name, or comment fields. The gzip header is returned to the default state by deflateReset(). - deflateSetHeader returns Z_OK if success, or Z_STREAM_ERROR if the source + deflateSetHeader returns Z_OK if success, or Z_STREAM_ERROR if the source stream state was inconsistent. */ 
@@ -694,43 +735,50 @@ ZEXTERN int ZEXPORT deflateSetHeader OF((z_streamp strm, ZEXTERN int ZEXPORT inflateInit2 OF((z_streamp strm, int windowBits)); - This is another version of inflateInit with an extra parameter. The + This is another version of inflateInit with an extra parameter. The fields next_in, avail_in, zalloc, zfree and opaque must be initialized before by the caller. The windowBits parameter is the base two logarithm of the maximum window size (the size of the history buffer). It should be in the range 8..15 for - this version of the library. The default value is 15 if inflateInit is used - instead. windowBits must be greater than or equal to the windowBits value + this version of the library. The default value is 15 if inflateInit is used + instead. windowBits must be greater than or equal to the windowBits value provided to deflateInit2() while compressing, or it must be equal to 15 if - deflateInit2() was not used. If a compressed stream with a larger window + deflateInit2() was not used. If a compressed stream with a larger window size is given as input, inflate() will return with the error code Z_DATA_ERROR instead of trying to allocate a larger window. - windowBits can also be -8..-15 for raw inflate. In this case, -windowBits - determines the window size. inflate() will then process raw deflate data, + windowBits can also be zero to request that inflate use the window size in + the zlib header of the compressed stream. + + windowBits can also be -8..-15 for raw inflate. In this case, -windowBits + determines the window size. inflate() will then process raw deflate data, not looking for a zlib or gzip header, not generating a check value, and not - looking for any check values for comparison at the end of the stream. This + looking for any check values for comparison at the end of the stream. This is for use with other formats that use the deflate compressed data format - such as zip. Those formats provide their own check values. 
If a custom + such as zip. Those formats provide their own check values. If a custom format is developed using the raw deflate format for compressed data, it is recommended that a check value such as an adler32 or a crc32 be applied to the uncompressed data as is done in the zlib, gzip, and zip formats. For - most applications, the zlib format should be used as is. Note that comments + most applications, the zlib format should be used as is. Note that comments above on the use in deflateInit2() applies to the magnitude of windowBits. - windowBits can also be greater than 15 for optional gzip decoding. Add + windowBits can also be greater than 15 for optional gzip decoding. Add 32 to windowBits to enable zlib and gzip decoding with automatic header detection, or add 16 to decode only the gzip format (the zlib format will - return a Z_DATA_ERROR). If a gzip stream is being decoded, strm->adler is - a crc32 instead of an adler32. + return a Z_DATA_ERROR). If a gzip stream is being decoded, strm->adler is a + crc32 instead of an adler32. inflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough - memory, Z_STREAM_ERROR if a parameter is invalid (such as a null strm). msg - is set to null if there is no error message. inflateInit2 does not perform - any decompression apart from reading the zlib header if present: this will - be done by inflate(). (So next_in and avail_in may be modified, but next_out - and avail_out are unchanged.) + memory, Z_VERSION_ERROR if the zlib library version is incompatible with the + version assumed by the caller, or Z_STREAM_ERROR if the parameters are + invalid, such as a null pointer to the structure. msg is set to null if + there is no error message. inflateInit2 does not perform any decompression + apart from possibly reading the zlib header if present: actual decompression + will be done by inflate(). (So next_in and avail_in may be modified, but + next_out and avail_out are unused and unchanged.) 
The current implementation + of inflateInit2() does not process any header information -- that is + deferred until inflate() is called. */ ZEXTERN int ZEXPORT inflateSetDictionary OF((z_streamp strm, @@ -738,8 +786,8 @@ ZEXTERN int ZEXPORT inflateSetDictionary OF((z_streamp strm, uInt dictLength)); /* Initializes the decompression dictionary from the given uncompressed byte - sequence. This function must be called immediately after a call of inflate, - if that call returned Z_NEED_DICT. The dictionary chosen by the compressor + sequence. This function must be called immediately after a call of inflate, + if that call returned Z_NEED_DICT. The dictionary chosen by the compressor can be determined from the adler32 value returned by that call of inflate. The compressor and decompressor must use exactly the same dictionary (see deflateSetDictionary). For raw inflate, this function can be called 
@@ -748,26 +796,26 @@ ZEXTERN int ZEXPORT inflateSetDictionary OF((z_streamp strm, dictionary that was used for compression is provided. inflateSetDictionary returns Z_OK if success, Z_STREAM_ERROR if a - parameter is invalid (such as NULL dictionary) or the stream state is + parameter is invalid (e.g. dictionary being Z_NULL) or the stream state is inconsistent, Z_DATA_ERROR if the given dictionary doesn't match the - expected one (incorrect adler32 value). inflateSetDictionary does not + expected one (incorrect adler32 value). inflateSetDictionary does not perform any decompression: this will be done by subsequent calls of inflate(). */ ZEXTERN int ZEXPORT inflateSync OF((z_streamp strm)); /* - Skips invalid compressed data until a full flush point (see above the - description of deflate with Z_FULL_FLUSH) can be found, or until all - available input is skipped. No output is provided. + Skips invalid compressed data until a full flush point (see above the + description of deflate with Z_FULL_FLUSH) can be found, or until all + available input is skipped. No output is provided. - inflateSync returns Z_OK if a full flush point has been found, Z_BUF_ERROR - if no more input was provided, Z_DATA_ERROR if no flush point has been found, - or Z_STREAM_ERROR if the stream structure was inconsistent. In the success - case, the application may save the current current value of total_in which - indicates where valid compressed data was found. In the error case, the - application may repeatedly call inflateSync, providing more input each time, - until success or end of the input data. + inflateSync returns Z_OK if a full flush point has been found, Z_BUF_ERROR + if no more input was provided, Z_DATA_ERROR if no flush point has been + found, or Z_STREAM_ERROR if the stream structure was inconsistent. In the + success case, the application may save the current current value of total_in + which indicates where valid compressed data was found. 
In the error case, + the application may repeatedly call inflateSync, providing more input each + time, until success or end of the input data. */ ZEXTERN int ZEXPORT inflateCopy OF((z_streamp dest, @@ -782,18 +830,30 @@ ZEXTERN int ZEXPORT inflateCopy OF((z_streamp dest, inflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not enough memory, Z_STREAM_ERROR if the source stream state was inconsistent - (such as zalloc being NULL). msg is left unchanged in both source and + (such as zalloc being Z_NULL). msg is left unchanged in both source and destination. */ ZEXTERN int ZEXPORT inflateReset OF((z_streamp strm)); /* This function is equivalent to inflateEnd followed by inflateInit, - but does not free and reallocate all the internal decompression state. - The stream will keep attributes that may have been set by inflateInit2. + but does not free and reallocate all the internal decompression state. The + stream will keep attributes that may have been set by inflateInit2. - inflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source - stream state was inconsistent (such as zalloc or state being NULL). + inflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source + stream state was inconsistent (such as zalloc or state being Z_NULL). +*/ + +ZEXTERN int ZEXPORT inflateReset2 OF((z_streamp strm, + int windowBits)); +/* + This function is the same as inflateReset, but it also permits changing + the wrap and window size requests. The windowBits parameter is interpreted + the same as it is for inflateInit2. + + inflateReset2 returns Z_OK if success, or Z_STREAM_ERROR if the source + stream state was inconsistent (such as zalloc or state being Z_NULL), or if + the windowBits parameter is invalid. */ ZEXTERN int ZEXPORT inflatePrime OF((z_streamp strm, 
@@ -801,54 +861,87 @@ ZEXTERN int ZEXPORT inflatePrime OF((z_streamp strm, int value)); /* This function inserts bits in the inflate input stream. The intent is - that this function is used to start inflating at a bit position in the - middle of a byte. The provided bits will be used before any bytes are used - from next_in. This function should only be used with raw inflate, and - should be used before the first inflate() call after inflateInit2() or - inflateReset(). bits must be less than or equal to 16, and that many of the - least significant bits of value will be inserted in the input. + that this function is used to start inflating at a bit position in the + middle of a byte. The provided bits will be used before any bytes are used + from next_in. This function should only be used with raw inflate, and + should be used before the first inflate() call after inflateInit2() or + inflateReset(). bits must be less than or equal to 16, and that many of the + least significant bits of value will be inserted in the input. - inflatePrime returns Z_OK if success, or Z_STREAM_ERROR if the source + If bits is negative, then the input stream bit buffer is emptied. Then + inflatePrime() can be called again to put bits in the buffer. This is used + to clear out bits leftover after feeding inflate a block description prior + to feeding inflate codes. + + inflatePrime returns Z_OK if success, or Z_STREAM_ERROR if the source stream state was inconsistent. */ +ZEXTERN long ZEXPORT inflateMark OF((z_streamp strm)); +/* + This function returns two values, one in the lower 16 bits of the return + value, and the other in the remaining upper bits, obtained by shifting the + return value down 16 bits. If the upper value is -1 and the lower value is + zero, then inflate() is currently decoding information outside of a block. 
+ If the upper value is -1 and the lower value is non-zero, then inflate is in + the middle of a stored block, with the lower value equaling the number of + bytes from the input remaining to copy. If the upper value is not -1, then + it is the number of bits back from the current bit position in the input of + the code (literal or length/distance pair) currently being processed. In + that case the lower value is the number of bytes already emitted for that + code. + + A code is being processed if inflate is waiting for more input to complete + decoding of the code, or if it has completed decoding but is waiting for + more output space to write the literal or match data. + + inflateMark() is used to mark locations in the input data for random + access, which may be at bit positions, and to note those cases where the + output of a code may span boundaries of random access blocks. The current + location in the input stream can be determined from avail_in and data_type + as noted in the description for the Z_BLOCK flush parameter for inflate. + + inflateMark returns the value noted above or -1 << 16 if the provided + source stream state was inconsistent. +*/ + ZEXTERN int ZEXPORT inflateGetHeader OF((z_streamp strm, gz_headerp head)); /* - inflateGetHeader() requests that gzip header information be stored in the + inflateGetHeader() requests that gzip header information be stored in the provided gz_header structure. inflateGetHeader() may be called after inflateInit2() or inflateReset(), and before the first call of inflate(). As inflate() processes the gzip stream, head->done is zero until the header is completed, at which time head->done is set to one. If a zlib stream is being decoded, then head->done is set to -1 to indicate that there will be - no gzip header information forthcoming. Note that Z_BLOCK can be used to - force inflate() to return immediately after header processing is complete - and before any actual data is decompressed. 
+ no gzip header information forthcoming. Note that Z_BLOCK or Z_TREES can be + used to force inflate() to return immediately after header processing is + complete and before any actual data is decompressed. - The text, time, xflags, and os fields are filled in with the gzip header + The text, time, xflags, and os fields are filled in with the gzip header contents. hcrc is set to true if there is a header CRC. (The header CRC - was valid if done is set to one.) If extra is not Z_NULL, then extra_max + was valid if done is set to one.) If extra is not Z_NULL, then extra_max contains the maximum number of bytes to write to extra. Once done is true, extra_len contains the actual extra field length, and extra contains the extra field, or that field truncated if extra_max is less than extra_len. If name is not Z_NULL, then up to name_max characters are written there, terminated with a zero unless the length is greater than name_max. If comment is not Z_NULL, then up to comm_max characters are written there, - terminated with a zero unless the length is greater than comm_max. When - any of extra, name, or comment are not Z_NULL and the respective field is - not present in the header, then that field is set to Z_NULL to signal its + terminated with a zero unless the length is greater than comm_max. When any + of extra, name, or comment are not Z_NULL and the respective field is not + present in the header, then that field is set to Z_NULL to signal its absence. This allows the use of deflateSetHeader() with the returned structure to duplicate the header. However if those fields are set to allocated memory, then the application will need to save those pointers elsewhere so that they can be eventually freed. - If inflateGetHeader is not used, then the header information is simply + If inflateGetHeader is not used, then the header information is simply discarded. The header is always checked for validity, including the header CRC if present. 
inflateReset() will reset the process to discard the header information. The application would need to call inflateGetHeader() again to retrieve the header from the next gzip stream. - inflateGetHeader returns Z_OK if success, or Z_STREAM_ERROR if the source + inflateGetHeader returns Z_OK if success, or Z_STREAM_ERROR if the source stream state was inconsistent. */ @@ -869,9 +962,9 @@ ZEXTERN int ZEXPORT inflateBackInit OF((z_streamp strm, int windowBits, See inflateBack() for the usage of these routines. inflateBackInit will return Z_OK on success, Z_STREAM_ERROR if any of - the paramaters are invalid, Z_MEM_ERROR if the internal state could not - be allocated, or Z_VERSION_ERROR if the version of the library does not - match the version of the header file. + the paramaters are invalid, Z_MEM_ERROR if the internal state could not be + allocated, or Z_VERSION_ERROR if the version of the library does not match + the version of the header file. */ typedef unsigned (*in_func) OF((void FAR *, unsigned char FAR * FAR *)); 
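Review bot: The new inflateMark comment gives the error return as `-1 << 16`, which, read as a C expression, left-shifts a negative value and is undefined behaviour, so a caller who copies it into a comparison inherits the problem. State the value itself: `inflateMark returns the value noted above or -65536 if the provided source stream state was inconsistent.` The same comment tells callers to obtain the upper value "by shifting the return value down 16 bits", and right-shifting a negative long is implementation-defined. It would help to note that the upper part is signed and to recommend comparing the whole return value against -65536 before splitting it.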
@@ -891,15 +984,15 @@ ZEXTERN int ZEXPORT inflateBack OF((z_streamp strm, inflateBackInit() must be called first to allocate the internal state and to initialize the state with the user-provided window buffer. inflateBack() may then be used multiple times to inflate a complete, raw - deflate stream with each call. inflateBackEnd() is then called to free - the allocated state. + deflate stream with each call. inflateBackEnd() is then called to free the + allocated state. A raw deflate stream is one with no zlib or gzip header or trailer. This routine would normally be used in a utility that reads zip or gzip files and writes out uncompressed files. The utility would decode the - header and process the trailer on its own, hence this routine expects - only the raw deflate stream to decompress. This is different from the - normal behavior of inflate(), which expects either a zlib or gzip header and + header and process the trailer on its own, hence this routine expects only + the raw deflate stream to decompress. This is different from the normal + behavior of inflate(), which expects either a zlib or gzip header and trailer around the deflate stream. inflateBack() uses two subroutines supplied by the caller that are then @@ -925,7 +1018,7 @@ ZEXTERN int ZEXPORT inflateBack OF((z_streamp strm, calling inflateBack(). If strm->next_in is Z_NULL, then in() will be called immediately for input. If strm->next_in is not Z_NULL, then strm->avail_in must also be initialized, and then if strm->avail_in is not zero, input will - initially be taken from strm->next_in[0 .. strm->avail_in - 1]. + initially be taken from strm->next_in[0 .. strm->avail_in - 1]. The in_desc and out_desc parameters of inflateBack() is passed as the first parameter of in() and out() respectively when they are called. These 
@@ -935,15 +1028,15 @@ ZEXTERN int ZEXPORT inflateBack OF((z_streamp strm, On return, inflateBack() will set strm->next_in and strm->avail_in to pass back any unused input that was provided by the last in() call. The return values of inflateBack() can be Z_STREAM_END on success, Z_BUF_ERROR - if in() or out() returned an error, Z_DATA_ERROR if there was a format - error in the deflate stream (in which case strm->msg is set to indicate the - nature of the error), or Z_STREAM_ERROR if the stream was not properly - initialized. In the case of Z_BUF_ERROR, an input or output error can be - distinguished using strm->next_in which will be Z_NULL only if in() returned - an error. If strm->next is not Z_NULL, then the Z_BUF_ERROR was due to - out() returning non-zero. (in() will always be called before out(), so - strm->next_in is assured to be defined if out() returns non-zero.) Note - that inflateBack() cannot return Z_OK. + if in() or out() returned an error, Z_DATA_ERROR if there was a format error + in the deflate stream (in which case strm->msg is set to indicate the nature + of the error), or Z_STREAM_ERROR if the stream was not properly initialized. + In the case of Z_BUF_ERROR, an input or output error can be distinguished + using strm->next_in which will be Z_NULL only if in() returned an error. If + strm->next_in is not Z_NULL, then the Z_BUF_ERROR was due to out() returning + non-zero. (in() will always be called before out(), so strm->next_in is + assured to be defined if out() returns non-zero.) Note that inflateBack() + cannot return Z_OK. */ ZEXTERN int ZEXPORT inflateBackEnd OF((z_streamp strm)); 
@@ -999,23 +1092,22 @@ ZEXTERN uLong ZEXPORT zlibCompileFlags OF((void)); /* utility functions */ /* - The following utility functions are implemented on top of the - basic stream-oriented functions. To simplify the interface, some - default options are assumed (compression level and memory usage, - standard memory allocation functions). The source code of these - utility functions can easily be modified if you need special options. + The following utility functions are implemented on top of the basic + stream-oriented functions. To simplify the interface, some default options + are assumed (compression level and memory usage, standard memory allocation + functions). The source code of these utility functions can be modified if + you need special options. */ ZEXTERN int ZEXPORT compress OF((Bytef *dest, uLongf *destLen, const Bytef *source, uLong sourceLen)); /* Compresses the source buffer into the destination buffer. sourceLen is - the byte length of the source buffer. Upon entry, destLen is the total - size of the destination buffer, which must be at least the value returned - by compressBound(sourceLen). Upon exit, destLen is the actual size of the + the byte length of the source buffer. Upon entry, destLen is the total size + of the destination buffer, which must be at least the value returned by + compressBound(sourceLen). Upon exit, destLen is the actual size of the compressed buffer. - This function can be used to compress a whole file at once if the - input file is mmap'ed. + compress returns Z_OK if success, Z_MEM_ERROR if there was not enough memory, Z_BUF_ERROR if there was not enough room in the output buffer. 
@@ -1025,11 +1117,11 @@ ZEXTERN int ZEXPORT compress2 OF((Bytef *dest, uLongf *destLen, const Bytef *source, uLong sourceLen, int level)); /* - Compresses the source buffer into the destination buffer. The level + Compresses the source buffer into the destination buffer. The level parameter has the same meaning as in deflateInit. sourceLen is the byte - length of the source buffer. Upon entry, destLen is the total size of the + length of the source buffer. Upon entry, destLen is the total size of the destination buffer, which must be at least the value returned by - compressBound(sourceLen). Upon exit, destLen is the actual size of the + compressBound(sourceLen). Upon exit, destLen is the actual size of the compressed buffer. compress2 returns Z_OK if success, Z_MEM_ERROR if there was not enough 
@@ -1040,22 +1132,20 @@ ZEXTERN int ZEXPORT compress2 OF((Bytef *dest, uLongf *destLen, ZEXTERN uLong ZEXPORT compressBound OF((uLong sourceLen)); /* compressBound() returns an upper bound on the compressed size after - compress() or compress2() on sourceLen bytes. It would be used before - a compress() or compress2() call to allocate the destination buffer. + compress() or compress2() on sourceLen bytes. It would be used before a + compress() or compress2() call to allocate the destination buffer. */ ZEXTERN int ZEXPORT uncompress OF((Bytef *dest, uLongf *destLen, const Bytef *source, uLong sourceLen)); /* Decompresses the source buffer into the destination buffer. sourceLen is - the byte length of the source buffer. Upon entry, destLen is the total - size of the destination buffer, which must be large enough to hold the - entire uncompressed data. (The size of the uncompressed data must have - been saved previously by the compressor and transmitted to the decompressor - by some mechanism outside the scope of this compression library.) - Upon exit, destLen is the actual size of the compressed buffer. - This function can be used to decompress a whole file at once if the - input file is mmap'ed. + the byte length of the source buffer. Upon entry, destLen is the total size + of the destination buffer, which must be large enough to hold the entire + uncompressed data. (The size of the uncompressed data must have been saved + previously by the compressor and transmitted to the decompressor by some + mechanism outside the scope of this compression library.) Upon exit, destLen + is the actual size of the uncompressed buffer. uncompress returns Z_OK if success, Z_MEM_ERROR if there was not enough memory, Z_BUF_ERROR if there was not enough room in the output 
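Review bot: The uncompress comment says the uncompressed size reaches the decompressor by a mechanism outside the library, but it does not say that this number is as untrusted as the compressed bytes when both come from a peer or a file. A caller that sizes dest from it without a ceiling can be pushed into a very large allocation. I would add a sentence such as `A size received together with untrusted input should be checked against an application limit before it is used to allocate dest; Z_BUF_ERROR reports a buffer that turned out too small.` The comment's closing lines lie outside this hunk.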
@@ -1063,136 +1153,199 @@ ZEXTERN int ZEXPORT uncompress OF((Bytef *dest, uLongf *destLen, */ -typedef voidp gzFile; + /* gzip file access functions */ -ZEXTERN gzFile ZEXPORT gzopen OF((const char *path, const char *mode)); /* - Opens a gzip (.gz) file for reading or writing. The mode parameter - is as in fopen ("rb" or "wb") but can also include a compression level - ("wb9") or a strategy: 'f' for filtered data as in "wb6f", 'h' for - Huffman only compression as in "wb1h", or 'R' for run-length encoding - as in "wb1R". (See the description of deflateInit2 for more information - about the strategy parameter.) + This library supports reading and writing files in gzip (.gz) format with + an interface similar to that of stdio, using the functions that start with + "gz". The gzip format is different from the zlib format. gzip is a gzip + wrapper, documented in RFC 1952, wrapped around a deflate stream. +*/ + +typedef voidp gzFile; /* opaque gzip file descriptor */ + +/* +ZEXTERN gzFile ZEXPORT gzopen OF((const char *path, const char *mode)); + + Opens a gzip (.gz) file for reading or writing. The mode parameter is as + in fopen ("rb" or "wb") but can also include a compression level ("wb9") or + a strategy: 'f' for filtered data as in "wb6f", 'h' for Huffman-only + compression as in "wb1h", 'R' for run-length encoding as in "wb1R", or 'F' + for fixed code compression as in "wb9F". (See the description of + deflateInit2 for more information about the strategy parameter.) Also "a" + can be used instead of "w" to request that the gzip stream that will be + written be appended to the file. "+" will result in an error, since reading + and writing to the same gzip file is not supported. gzopen can be used to read a file which is not in gzip format; in this case gzread will directly read from the file without decompression. 
- gzopen returns NULL if the file could not be opened or if there was - insufficient memory to allocate the (de)compression state; errno - can be checked to distinguish the two cases (if errno is zero, the - zlib error is Z_MEM_ERROR). */ + gzopen returns NULL if the file could not be opened, if there was + insufficient memory to allocate the gzFile state, or if an invalid mode was + specified (an 'r', 'w', or 'a' was not provided, or '+' was provided). + errno can be checked to determine if the reason gzopen failed was that the + file could not be opened. +*/ -ZEXTERN gzFile ZEXPORT gzdopen OF((int fd, const char *mode)); +ZEXTERN gzFile ZEXPORT gzdopen OF((int fd, const char *mode)); /* - gzdopen() associates a gzFile with the file descriptor fd. File - descriptors are obtained from calls like open, dup, creat, pipe or - fileno (in the file has been previously opened with fopen). - The mode parameter is as in gzopen. - The next call of gzclose on the returned gzFile will also close the - file descriptor fd, just like fclose(fdopen(fd), mode) closes the file - descriptor fd. If you want to keep fd open, use gzdopen(dup(fd), mode). - gzdopen returns NULL if there was insufficient memory to allocate - the (de)compression state. + gzdopen associates a gzFile with the file descriptor fd. File descriptors + are obtained from calls like open, dup, creat, pipe or fileno (if the file + has been previously opened with fopen). The mode parameter is as in gzopen. + + The next call of gzclose on the returned gzFile will also close the file + descriptor fd, just like fclose(fdopen(fd, mode)) closes the file descriptor + fd. If you want to keep fd open, use fd = dup(fd_keep); gz = gzdopen(fd, + mode);. The duplicated descriptor should be saved to avoid a leak, since + gzdopen does not close fd if it fails. 
+ + gzdopen returns NULL if there was insufficient memory to allocate the + gzFile state, if an invalid mode was specified (an 'r', 'w', or 'a' was not + provided, or '+' was provided), or if fd is -1. The file descriptor is not + used until the next gz* read, write, seek, or close operation, so gzdopen + will not detect if fd is invalid (unless fd is -1). +*/ + +ZEXTERN int ZEXPORT gzbuffer OF((gzFile file, unsigned size)); +/* + Set the internal buffer size used by this library's functions. The + default buffer size is 8192 bytes. This function must be called after + gzopen() or gzdopen(), and before any other calls that read or write the + file. The buffer memory allocation is always deferred to the first read or + write. Two buffers are allocated, either both of the specified size when + writing, or one of the specified size and the other twice that size when + reading. A larger buffer size of, for example, 64K or 128K bytes will + noticeably increase the speed of decompression (reading). + + The new buffer size also affects the maximum length for gzprintf(). + + gzbuffer() returns 0 on success, or -1 on failure, such as being called + too late. */ ZEXTERN int ZEXPORT gzsetparams OF((gzFile file, int level, int strategy)); /* - Dynamically update the compression level or strategy. See the description + Dynamically update the compression level or strategy. See the description of deflateInit2 for the meaning of these parameters. + gzsetparams returns Z_OK if success, or Z_STREAM_ERROR if the file was not opened for writing. */ -ZEXTERN int ZEXPORT gzread OF((gzFile file, voidp buf, unsigned len)); +ZEXTERN int ZEXPORT gzread OF((gzFile file, voidp buf, unsigned len)); /* - Reads the given number of uncompressed bytes from the compressed file. - If the input file was not in gzip format, gzread copies the given number - of bytes into the buffer. - gzread returns the number of uncompressed bytes actually read (0 for - end of file, -1 for error). 
*/ + Reads the given number of uncompressed bytes from the compressed file. If + the input file was not in gzip format, gzread copies the given number of + bytes into the buffer. -ZEXTERN int ZEXPORT gzwrite OF((gzFile file, - voidpc buf, unsigned len)); -/* - Writes the given number of uncompressed bytes into the compressed file. - gzwrite returns the number of uncompressed bytes actually written - (0 in case of error). + After reaching the end of a gzip stream in the input, gzread will continue + to read, looking for another gzip stream, or failing that, reading the rest + of the input file directly without decompression. The entire input file + will be read if gzread is called until it returns less than the requested + len. + + gzread returns the number of uncompressed bytes actually read, less than + len for end of file, or -1 for error. */ -ZEXTERN int ZEXPORTVA gzprintf OF((gzFile file, const char *format, ...)); +ZEXTERN int ZEXPORT gzwrite OF((gzFile file, + voidpc buf, unsigned len)); /* - Converts, formats, and writes the args to the compressed file under - control of the format string, as in fprintf. gzprintf returns the number of - uncompressed bytes actually written (0 in case of error). The number of - uncompressed bytes written is limited to 4095. The caller should assure that - this limit is not exceeded. If it is exceeded, then gzprintf() will return - return an error (0) with nothing written. In this case, there may also be a - buffer overflow with unpredictable consequences, which is possible only if - zlib was compiled with the insecure functions sprintf() or vsprintf() - because the secure snprintf() or vsnprintf() functions were not available. + Writes the given number of uncompressed bytes into the compressed file. + gzwrite returns the number of uncompressed bytes written or 0 in case of + error. 
+*/ + +ZEXTERN int ZEXPORTVA gzprintf OF((gzFile file, const char *format, ...)); +/* + Converts, formats, and writes the arguments to the compressed file under + control of the format string, as in fprintf. gzprintf returns the number of + uncompressed bytes actually written, or 0 in case of error. The number of + uncompressed bytes written is limited to 8191, or one less than the buffer + size given to gzbuffer(). The caller should assure that this limit is not + exceeded. If it is exceeded, then gzprintf() will return an error (0) with + nothing written. In this case, there may also be a buffer overflow with + unpredictable consequences, which is possible only if zlib was compiled with + the insecure functions sprintf() or vsprintf() because the secure snprintf() + or vsnprintf() functions were not available. This can be determined using + zlibCompileFlags(). */ ZEXTERN int ZEXPORT gzputs OF((gzFile file, const char *s)); /* - Writes the given null-terminated string to the compressed file, excluding + Writes the given null-terminated string to the compressed file, excluding the terminating null character. - gzputs returns the number of characters written, or -1 in case of error. + + gzputs returns the number of characters written, or -1 in case of error. */ ZEXTERN char * ZEXPORT gzgets OF((gzFile file, char *buf, int len)); /* - Reads bytes from the compressed file until len-1 characters are read, or - a newline character is read and transferred to buf, or an end-of-file - condition is encountered. The string is then terminated with a null - character. - gzgets returns buf, or Z_NULL in case of error. + Reads bytes from the compressed file until len-1 characters are read, or a + newline character is read and transferred to buf, or an end-of-file + condition is encountered. If any characters are read or if len == 1, the + string is terminated with a null character. If no characters are read due + to an end-of-file or len < 1, then the buffer is left untouched. 
+ + gzgets returns buf which is a null-terminated string, or it returns NULL + for end-of-file or in case of error. If there was an error, the contents at + buf are indeterminate. */ -ZEXTERN int ZEXPORT gzputc OF((gzFile file, int c)); +ZEXTERN int ZEXPORT gzputc OF((gzFile file, int c)); /* - Writes c, converted to an unsigned char, into the compressed file. - gzputc returns the value that was written, or -1 in case of error. + Writes c, converted to an unsigned char, into the compressed file. gzputc + returns the value that was written, or -1 in case of error. */ -ZEXTERN int ZEXPORT gzgetc OF((gzFile file)); +ZEXTERN int ZEXPORT gzgetc OF((gzFile file)); /* - Reads one byte from the compressed file. gzgetc returns this byte - or -1 in case of end of file or error. + Reads one byte from the compressed file. gzgetc returns this byte or -1 + in case of end of file or error. */ -ZEXTERN int ZEXPORT gzungetc OF((int c, gzFile file)); +ZEXTERN int ZEXPORT gzungetc OF((int c, gzFile file)); /* - Push one character back onto the stream to be read again later. - Only one character of push-back is allowed. gzungetc() returns the - character pushed, or -1 on failure. gzungetc() will fail if a - character has been pushed but not read yet, or if c is -1. The pushed - character will be discarded if the stream is repositioned with gzseek() - or gzrewind(). + Push one character back onto the stream to be read as the first character + on the next read. At least one character of push-back is allowed. + gzungetc() returns the character pushed, or -1 on failure. gzungetc() will + fail if c is -1, and may fail if a character has been pushed but not read + yet. If gzungetc is used immediately after gzopen or gzdopen, at least the + output buffer size of pushed characters is allowed. (See gzbuffer above.) + The pushed character will be discarded if the stream is repositioned with + gzseek() or gzrewind(). 
*/ -ZEXTERN int ZEXPORT gzflush OF((gzFile file, int flush)); +ZEXTERN int ZEXPORT gzflush OF((gzFile file, int flush)); /* - Flushes all pending output into the compressed file. The parameter - flush is as in the deflate() function. The return value is the zlib - error number (see function gzerror below). gzflush returns Z_OK if - the flush parameter is Z_FINISH and all output could be flushed. - gzflush should be called only when strictly necessary because it can - degrade compression. + Flushes all pending output into the compressed file. The parameter flush + is as in the deflate() function. The return value is the zlib error number + (see function gzerror below). gzflush is only permitted when writing. + + If the flush parameter is Z_FINISH, the remaining data is written and the + gzip stream is completed in the output. If gzwrite() is called again, a new + gzip stream will be started in the output. gzread() is able to read such + concatented gzip streams. + + gzflush should be called only when strictly necessary because it will + degrade compression if called too often. */ -ZEXTERN z_off_t ZEXPORT gzseek OF((gzFile file, - z_off_t offset, int whence)); /* - Sets the starting position for the next gzread or gzwrite on the - given compressed file. The offset represents a number of bytes in the - uncompressed data stream. The whence parameter is defined as in lseek(2); +ZEXTERN z_off_t ZEXPORT gzseek OF((gzFile file, + z_off_t offset, int whence)); + + Sets the starting position for the next gzread or gzwrite on the given + compressed file. The offset represents a number of bytes in the + uncompressed data stream. The whence parameter is defined as in lseek(2); the value SEEK_END is not supported. + If the file is opened for reading, this function is emulated but can be - extremely slow. If the file is opened for writing, only forward seeks are + extremely slow. 
If the file is opened for writing, only forward seeks are supported; gzseek then compresses a sequence of zeroes up to the new starting position. - gzseek returns the resulting offset location as measured in bytes from + gzseek returns the resulting offset location as measured in bytes from the beginning of the uncompressed stream, or -1 in case of error, in particular if the file is opened for writing and the new starting position would be before the current position. 
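Review bot: The rewritten gzprintf comment points to zlibCompileFlags() for finding out whether the unbounded sprintf()/vsprintf() path was compiled in, but it does not name the bit, so a caller cannot act on the advice from this comment alone. In the zlibCompileFlags description, bit 25 is the one that marks gzprintf as not secure; I would append `(bit 25 of the value returned by zlibCompileFlags() is set in that case)` to the new last sentence. Separately, `concatented` in the gzflush comment is a typo, and `gzip is a gzip wrapper` in the new introduction reads as circular.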
@@ -1202,68 +1355,127 @@ ZEXTERN int ZEXPORT gzrewind OF((gzFile file)); /* Rewinds the given file. This function is supported only for reading. - gzrewind(file) is equivalent to (int)gzseek(file, 0L, SEEK_SET) + gzrewind(file) is equivalent to (int)gzseek(file, 0L, SEEK_SET) */ -ZEXTERN z_off_t ZEXPORT gztell OF((gzFile file)); /* - Returns the starting position for the next gzread or gzwrite on the - given compressed file. This position represents a number of bytes in the - uncompressed data stream. +ZEXTERN z_off_t ZEXPORT gztell OF((gzFile file)); - gztell(file) is equivalent to gzseek(file, 0L, SEEK_CUR) + Returns the starting position for the next gzread or gzwrite on the given + compressed file. This position represents a number of bytes in the + uncompressed data stream, and is zero when starting, even if appending or + reading a gzip stream from the middle of a file using gzdopen(). + + gztell(file) is equivalent to gzseek(file, 0L, SEEK_CUR) +*/ + +/* +ZEXTERN z_off_t ZEXPORT gzoffset OF((gzFile file)); + + Returns the current offset in the file being read or written. This offset + includes the count of bytes that precede the gzip stream, for example when + appending or when using gzdopen() for reading. When reading, the offset + does not include as yet unused buffered input. This information can be used + for a progress indicator. On error, gzoffset() returns -1. */ ZEXTERN int ZEXPORT gzeof OF((gzFile file)); /* - Returns 1 when EOF has previously been detected reading the given - input stream, otherwise zero. + Returns true (1) if the end-of-file indicator has been set while reading, + false (0) otherwise. Note that the end-of-file indicator is set only if the + read tried to go past the end of the input, but came up short. Therefore, + just like feof(), gzeof() may return false even if there is no more data to + read, in the event that the last read request was for the exact number of + bytes remaining in the input file. 
This will happen if the input file size + is an exact multiple of the buffer size. + + If gzeof() returns true, then the read functions will return no more data, + unless the end-of-file indicator is reset by gzclearerr() and the input file + has grown since the previous end of file was detected. */ ZEXTERN int ZEXPORT gzdirect OF((gzFile file)); /* - Returns 1 if file is being read directly without decompression, otherwise - zero. + Returns true (1) if file is being copied directly while reading, or false + (0) if file is a gzip stream being decompressed. This state can change from + false to true while reading the input file if the end of a gzip stream is + reached, but is followed by data that is not another gzip stream. + + If the input file is empty, gzdirect() will return true, since the input + does not contain a gzip stream. + + If gzdirect() is used immediately after gzopen() or gzdopen() it will + cause buffers to be allocated to allow reading the file to determine if it + is a gzip file. Therefore if gzbuffer() is used, it should be called before + gzdirect(). */ ZEXTERN int ZEXPORT gzclose OF((gzFile file)); /* - Flushes all pending output if necessary, closes the compressed file - and deallocates all the (de)compression state. The return value is the zlib - error number (see function gzerror below). + Flushes all pending output if necessary, closes the compressed file and + deallocates the (de)compression state. Note that once file is closed, you + cannot call gzerror with file, since its structures have been deallocated. + gzclose must not be called more than once on the same file, just as free + must not be called more than once on the same allocation. + + gzclose will return Z_STREAM_ERROR if file is not valid, Z_ERRNO on a + file operation error, or Z_OK on success. 
+*/ + +ZEXTERN int ZEXPORT gzclose_r OF((gzFile file)); +ZEXTERN int ZEXPORT gzclose_w OF((gzFile file)); +/* + Same as gzclose(), but gzclose_r() is only for use when reading, and + gzclose_w() is only for use when writing or appending. The advantage to + using these instead of gzclose() is that they avoid linking in zlib + compression or decompression code that is not used when only reading or only + writing respectively. If gzclose() is used, then both compression and + decompression code will be included the application when linking to a static + zlib library. */ ZEXTERN const char * ZEXPORT gzerror OF((gzFile file, int *errnum)); /* - Returns the error message for the last error which occurred on the - given compressed file. errnum is set to zlib error number. If an - error occurred in the file system and not in the compression library, - errnum is set to Z_ERRNO and the application may consult errno - to get the exact error code. + Returns the error message for the last error which occurred on the given + compressed file. errnum is set to zlib error number. If an error occurred + in the file system and not in the compression library, errnum is set to + Z_ERRNO and the application may consult errno to get the exact error code. + + The application must not modify the returned string. Future calls to + this function may invalidate the previously returned string. If file is + closed, then the string previously returned by gzerror will no longer be + available. + + gzerror() should be used to distinguish errors from end-of-file for those + functions above that do not distinguish those cases in their return values. */ ZEXTERN void ZEXPORT gzclearerr OF((gzFile file)); /* - Clears the error and end-of-file flags for file. This is analogous to the - clearerr() function in stdio. This is useful for continuing to read a gzip + Clears the error and end-of-file flags for file. This is analogous to the + clearerr() function in stdio. 
This is useful for continuing to read a gzip file that is being written concurrently. */ + /* checksum functions */ /* These functions are not related to compression but are exported - anyway because they might be useful in applications using the - compression library. + anyway because they might be useful in applications using the compression + library. */ ZEXTERN uLong ZEXPORT adler32 OF((uLong adler, const Bytef *buf, uInt len)); /* Update a running Adler-32 checksum with the bytes buf[0..len-1] and - return the updated checksum. If buf is NULL, this function returns - the required initial value for the checksum. - An Adler-32 checksum is almost as reliable as a CRC32 but can be computed - much faster. Usage example: + return the updated checksum. If buf is Z_NULL, this function returns the + required initial value for the checksum. + + An Adler-32 checksum is almost as reliable as a CRC32 but can be computed + much faster. + + Usage example: uLong adler = adler32(0L, Z_NULL, 0); @@ -1273,9 +1485,10 @@ ZEXTERN uLong ZEXPORT adler32 OF((uLong adler, const Bytef *buf, uInt len)); if (adler != original_adler) error(); */ +/* ZEXTERN uLong ZEXPORT adler32_combine OF((uLong adler1, uLong adler2, z_off_t len2)); -/* + Combine two Adler-32 checksums into one. For two sequences of bytes, seq1 and seq2 with lengths len1 and len2, Adler-32 checksums were calculated for each, adler1 and adler2. adler32_combine() returns the Adler-32 checksum of 
@@ -1285,9 +1498,11 @@ ZEXTERN uLong ZEXPORT adler32_combine OF((uLong adler1, uLong adler2, ZEXTERN uLong ZEXPORT crc32 OF((uLong crc, const Bytef *buf, uInt len)); /* Update a running CRC-32 with the bytes buf[0..len-1] and return the - updated CRC-32. If buf is NULL, this function returns the required initial - value for the for the crc. Pre- and post-conditioning (one's complement) is - performed within this function so it shouldn't be done by the application. + updated CRC-32. If buf is Z_NULL, this function returns the required + initial value for the for the crc. Pre- and post-conditioning (one's + complement) is performed within this function so it shouldn't be done by the + application. + Usage example: uLong crc = crc32(0L, Z_NULL, 0); @@ -1298,9 +1513,9 @@ ZEXTERN uLong ZEXPORT crc32 OF((uLong crc, const Bytef *buf, uInt len)); if (crc != original_crc) error(); */ +/* ZEXTERN uLong ZEXPORT crc32_combine OF((uLong crc1, uLong crc2, z_off_t len2)); -/* Combine two CRC-32 check values into one. For two sequences of bytes, seq1 and seq2 with lengths len1 and len2, CRC-32 check values were calculated for each, crc1 and crc2. crc32_combine() returns the CRC-32 
@@ -1339,16 +1554,57 @@ ZEXTERN int ZEXPORT inflateBackInit_ OF((z_streamp strm, int windowBits, inflateInit2_((strm), (windowBits), ZLIB_VERSION, sizeof(z_stream)) #define inflateBackInit(strm, windowBits, window) \ inflateBackInit_((strm), (windowBits), (window), \ - ZLIB_VERSION, sizeof(z_stream)) + ZLIB_VERSION, sizeof(z_stream)) - -#if !defined(ZUTIL_H) && !defined(NO_DUMMY_DECL) - struct internal_state {int dummy;}; /* hack for buggy compilers */ +/* provide 64-bit offset functions if _LARGEFILE64_SOURCE defined, and/or + * change the regular functions to 64 bits if _FILE_OFFSET_BITS is 64 (if + * both are true, the application gets the *64 functions, and the regular + * functions are changed to 64 bits) -- in case these are set on systems + * without large file support, _LFS64_LARGEFILE must also be true + */ +#if defined(_LARGEFILE64_SOURCE) && _LFS64_LARGEFILE-0 + ZEXTERN gzFile ZEXPORT gzopen64 OF((const char *, const char *)); + ZEXTERN z_off64_t ZEXPORT gzseek64 OF((gzFile, z_off64_t, int)); + ZEXTERN z_off64_t ZEXPORT gztell64 OF((gzFile)); + ZEXTERN z_off64_t ZEXPORT gzoffset64 OF((gzFile)); + ZEXTERN uLong ZEXPORT adler32_combine64 OF((uLong, uLong, z_off64_t)); + ZEXTERN uLong ZEXPORT crc32_combine64 OF((uLong, uLong, z_off64_t)); #endif +#if !defined(ZLIB_INTERNAL) && _FILE_OFFSET_BITS-0 == 64 && _LFS64_LARGEFILE-0 +# define gzopen gzopen64 +# define gzseek gzseek64 +# define gztell gztell64 +# define gzoffset gzoffset64 +# define adler32_combine adler32_combine64 +# define crc32_combine crc32_combine64 +# ifdef _LARGEFILE64_SOURCE + ZEXTERN gzFile ZEXPORT gzopen64 OF((const char *, const char *)); + ZEXTERN z_off_t ZEXPORT gzseek64 OF((gzFile, z_off_t, int)); + ZEXTERN z_off_t ZEXPORT gztell64 OF((gzFile)); + ZEXTERN z_off_t ZEXPORT gzoffset64 OF((gzFile)); + ZEXTERN uLong ZEXPORT adler32_combine64 OF((uLong, uLong, z_off_t)); + ZEXTERN uLong ZEXPORT crc32_combine64 OF((uLong, uLong, z_off_t)); +# endif +#else + ZEXTERN gzFile ZEXPORT gzopen 
OF((const char *, const char *)); + ZEXTERN z_off_t ZEXPORT gzseek OF((gzFile, z_off_t, int)); + ZEXTERN z_off_t ZEXPORT gztell OF((gzFile)); + ZEXTERN z_off_t ZEXPORT gzoffset OF((gzFile)); + ZEXTERN uLong ZEXPORT adler32_combine OF((uLong, uLong, z_off_t)); + ZEXTERN uLong ZEXPORT crc32_combine OF((uLong, uLong, z_off_t)); +#endif + +/* hack for buggy compilers */ +#if !defined(ZUTIL_H) && !defined(NO_DUMMY_DECL) + struct internal_state {int dummy;}; +#endif + +/* undocumented functions */ ZEXTERN const char * ZEXPORT zError OF((int)); -ZEXTERN int ZEXPORT inflateSyncPoint OF((z_streamp z)); +ZEXTERN int ZEXPORT inflateSyncPoint OF((z_streamp)); ZEXTERN const uLongf * ZEXPORT get_crc_table OF((void)); +ZEXTERN int ZEXPORT inflateUndermine OF((z_streamp, int)); #ifdef __cplusplus } diff --git a/security/nss/lib/zlib/zutil.c b/security/nss/lib/zlib/zutil.c index 4ae72283379..697efa60da3 100644 --- a/security/nss/lib/zlib/zutil.c +++ b/security/nss/lib/zlib/zutil.c @@ -1,9 +1,9 @@ /* zutil.c -- target dependent utility functions for the compression library - * Copyright (C) 1995-2005 Jean-loup Gailly. + * Copyright (C) 1995-2005, 2010 Jean-loup Gailly. * For conditions of distribution and use, see copyright notice in zlib.h */ -/* @(#) $Id: zutil.c,v 1.6 2009/11/07 01:13:12 wtchang%redhat.com Exp $ */ +/* @(#) $Id: zutil.c,v 1.7 2010/08/22 01:07:03 wtc%google.com Exp $ */ #include "zutil.h" 
@@ -34,25 +34,25 @@ uLong ZEXPORT zlibCompileFlags() uLong flags; flags = 0; - switch (sizeof(uInt)) { + switch ((int)(sizeof(uInt))) { case 2: break; case 4: flags += 1; break; case 8: flags += 2; break; default: flags += 3; } - switch (sizeof(uLong)) { + switch ((int)(sizeof(uLong))) { case 2: break; case 4: flags += 1 << 2; break; case 8: flags += 2 << 2; break; default: flags += 3 << 2; } - switch (sizeof(voidpf)) { + switch ((int)(sizeof(voidpf))) { case 2: break; case 4: flags += 1 << 4; break; case 8: flags += 2 << 4; break; default: flags += 3 << 4; } - switch (sizeof(z_off_t)) { + switch ((int)(sizeof(z_off_t))) { case 2: break; case 4: flags += 1 << 6; break; case 8: flags += 2 << 6; break; @@ -117,9 +117,9 @@ uLong ZEXPORT zlibCompileFlags() # ifndef verbose # define verbose 0 # endif -int z_verbose = verbose; +int ZLIB_INTERNAL z_verbose = verbose; -void z_error (m) +void ZLIB_INTERNAL z_error (m) char *m; { fprintf(stderr, "%s\n", m); @@ -146,7 +146,7 @@ const char * ZEXPORT zError(err) #ifndef HAVE_MEMCPY -void zmemcpy(dest, source, len) +void ZLIB_INTERNAL zmemcpy(dest, source, len) Bytef* dest; const Bytef* source; uInt len; @@ -157,7 +157,7 @@ void zmemcpy(dest, source, len) } while (--len != 0); } -int zmemcmp(s1, s2, len) +int ZLIB_INTERNAL zmemcmp(s1, s2, len) const Bytef* s1; const Bytef* s2; uInt len; @@ -170,7 +170,7 @@ int zmemcmp(s1, s2, len) return 0; } -void zmemzero(dest, len) +void ZLIB_INTERNAL zmemzero(dest, len) Bytef* dest; uInt len; { @@ -213,7 +213,7 @@ local ptr_table table[MAX_PTR]; * a protected system like OS/2. Use Microsoft C instead. */ -voidpf zcalloc (voidpf opaque, unsigned items, unsigned size) +voidpf ZLIB_INTERNAL zcalloc (voidpf opaque, unsigned items, unsigned size) { voidpf buf = opaque; /* just to make some compilers happy */ ulg bsize = (ulg)items*size; 
@@ -237,7 +237,7 @@ voidpf zcalloc (voidpf opaque, unsigned items, unsigned size) return buf; } -void zcfree (voidpf opaque, voidpf ptr) +void ZLIB_INTERNAL zcfree (voidpf opaque, voidpf ptr) { int n; if (*(ush*)&ptr != 0) { /* object < 64K */ @@ -272,13 +272,13 @@ void zcfree (voidpf opaque, voidpf ptr) # define _hfree hfree #endif -voidpf zcalloc (voidpf opaque, unsigned items, unsigned size) +voidpf ZLIB_INTERNAL zcalloc (voidpf opaque, uInt items, uInt size) { if (opaque) opaque = 0; /* to make compiler happy */ return _halloc((long)items, size); } -void zcfree (voidpf opaque, voidpf ptr) +void ZLIB_INTERNAL zcfree (voidpf opaque, voidpf ptr) { if (opaque) opaque = 0; /* to make compiler happy */ _hfree(ptr); @@ -297,7 +297,7 @@ extern voidp calloc OF((uInt items, uInt size)); extern void free OF((voidpf ptr)); #endif -voidpf zcalloc (opaque, items, size) +voidpf ZLIB_INTERNAL zcalloc (opaque, items, size) voidpf opaque; unsigned items; unsigned size; @@ -307,7 +307,7 @@ voidpf zcalloc (opaque, items, size) (voidpf)calloc(items, size); } -void zcfree (opaque, ptr) +void ZLIB_INTERNAL zcfree (opaque, ptr) voidpf opaque; voidpf ptr; { diff --git a/security/nss/lib/zlib/zutil.h b/security/nss/lib/zlib/zutil.h index c132c12d11c..e6668bba9ce 100644 --- a/security/nss/lib/zlib/zutil.h +++ b/security/nss/lib/zlib/zutil.h @@ -1,5 +1,5 @@ /* zutil.h -- internal interface and configuration of the compression library - * Copyright (C) 1995-2005 Jean-loup Gailly. + * Copyright (C) 1995-2010 Jean-loup Gailly. * For conditions of distribution and use, see copyright notice in zlib.h */ 
@@ -8,36 +8,26 @@ subject to change. Applications should only use zlib.h. */ -/* @(#) $Id: zutil.h,v 1.8 2009/11/07 01:13:12 nelson%bolyard.com Exp $ */ +/* @(#) $Id: zutil.h,v 1.9 2010/08/22 01:07:03 wtc%google.com Exp $ */ #ifndef ZUTIL_H #define ZUTIL_H -#define ZLIB_INTERNAL +#if ((__GNUC__-0) * 10 + __GNUC_MINOR__-0 >= 33) && !defined(NO_VIZ) +# define ZLIB_INTERNAL __attribute__((visibility ("hidden"))) +#else +# define ZLIB_INTERNAL +#endif + #include "zlib.h" #ifdef STDC -# ifndef _WIN32_WCE +# if !(defined(_WIN32_WCE) && defined(_MSC_VER)) # include # endif # include # include #endif -#ifdef NO_ERRNO_H -# ifdef _WIN32_WCE - /* The Microsoft C Run-Time Library for Windows CE doesn't have - * errno. We define it as a global variable to simplify porting. - * Its value is always 0 and should not be used. We rename it to - * avoid conflict with other libraries that use the same workaround. - */ -# define errno z_errno -# endif - extern int errno; -#else -# ifndef _WIN32_WCE -# include -# endif -#endif #ifndef local # define local static @@ -89,7 +79,7 @@ extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */ #if defined(MSDOS) || (defined(WINDOWS) && !defined(WIN32)) # define OS_CODE 0x00 # if defined(__TURBOC__) || defined(__BORLANDC__) -# if(__STDC__ == 1) && (defined(__LARGE__) || defined(__COMPACT__)) +# if (__STDC__ == 1) && (defined(__LARGE__) || defined(__COMPACT__)) /* Allow compilation with ANSI keywords only enabled */ void _Cdecl farfree( void *block ); void *_Cdecl farmalloc( unsigned long nbytes ); @@ -105,7 +95,7 @@ extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */ # define OS_CODE 0x01 #endif -#if defined(VAXC) +#if defined(VAXC) || defined(VMS) # define OS_CODE 0x02 # define F_OPEN(name, mode) \ fopen((name), (mode), "mbc=60", "ctx=stm", "rfm=fix", "mrs=512") 
@@ -118,7 +108,7 @@ extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */ #ifdef OS2 # define OS_CODE 0x06 # ifdef M_I86 - #include +# include # endif #endif @@ -151,7 +141,7 @@ extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */ # define fdopen(fd,mode) NULL /* No fdopen() */ #endif -#if (defined(_MSC_VER) && (_MSC_VER > 600)) +#if (defined(_MSC_VER) && (_MSC_VER > 600)) && !defined __INTERIX # if defined(_WIN32_WCE) # define fdopen(fd,mode) NULL /* No fdopen() */ # ifndef _PTRDIFF_T_DEFINED @@ -163,6 +153,18 @@ extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */ # endif #endif +#if defined(__BORLANDC__) + #pragma warn -8004 + #pragma warn -8008 + #pragma warn -8066 +#endif + +/* provide prototypes for these when building zlib without LFS */ +#if !defined(_LARGEFILE64_SOURCE) || _LFS64_LARGEFILE-0 == 0 + ZEXTERN uLong ZEXPORT adler32_combine64 OF((uLong, uLong, z_off_t)); + ZEXTERN uLong ZEXPORT crc32_combine64 OF((uLong, uLong, z_off_t)); +#endif + /* common defaults */ #ifndef OS_CODE @@ -198,13 +200,18 @@ extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */ # ifdef WIN32 /* In Win32, vsnprintf is available as the "non-ANSI" _vsnprintf. */ # if !defined(vsnprintf) && !defined(NO_vsnprintf) -# define vsnprintf _vsnprintf +# if !defined(_MSC_VER) || ( defined(_MSC_VER) && _MSC_VER < 1500 ) +# define vsnprintf _vsnprintf +# endif # endif # endif # ifdef __SASC # define NO_vsnprintf # endif #endif +#ifdef VMS +# define NO_vsnprintf +#endif #if defined(pyr) # define NO_MEMCPY 
@@ -230,16 +237,16 @@ extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */ # define zmemzero(dest, len) memset(dest, 0, len) # endif #else - extern void zmemcpy OF((Bytef* dest, const Bytef* source, uInt len)); - extern int zmemcmp OF((const Bytef* s1, const Bytef* s2, uInt len)); - extern void zmemzero OF((Bytef* dest, uInt len)); + void ZLIB_INTERNAL zmemcpy OF((Bytef* dest, const Bytef* source, uInt len)); + int ZLIB_INTERNAL zmemcmp OF((const Bytef* s1, const Bytef* s2, uInt len)); + void ZLIB_INTERNAL zmemzero OF((Bytef* dest, uInt len)); #endif /* Diagnostic functions */ #ifdef DEBUG # include - extern int z_verbose; - extern void z_error OF((char *m)); + extern int ZLIB_INTERNAL z_verbose; + extern void ZLIB_INTERNAL z_error OF((char *m)); # define Assert(cond,msg) {if(!(cond)) z_error(msg);} # define Trace(x) {if (z_verbose>=0) fprintf x ;} # define Tracev(x) {if (z_verbose>0) fprintf x ;} @@ -256,8 +263,9 @@ extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */ #endif -voidpf zcalloc OF((voidpf opaque, unsigned items, unsigned size)); -void zcfree OF((voidpf opaque, voidpf ptr)); +voidpf ZLIB_INTERNAL zcalloc OF((voidpf opaque, unsigned items, + unsigned size)); +void ZLIB_INTERNAL zcfree OF((voidpf opaque, voidpf ptr)); #define ZALLOC(strm, items, size) \ (*((strm)->zalloc))((strm)->opaque, (items), (size)) diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh index e835999475a..65473588fb3 100755 --- a/security/nss/tests/cert/cert.sh +++ b/security/nss/tests/cert/cert.sh 
@@ -645,48 +645,48 @@ cert_smime_client() # echo "$SCRIPTNAME: Importing Certificates ==============================" CU_ACTION="Import Bob's cert into Alice's db" - certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ -i ${R_BOBDIR}/Bob.cert 2>&1 CU_ACTION="Import Dave's cert into Alice's DB" - certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ -i ${R_DAVEDIR}/Dave.cert 2>&1 CU_ACTION="Import Dave's cert into Bob's DB" - certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \ + certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ -i ${R_DAVEDIR}/Dave.cert 2>&1 CU_ACTION="Import Eve's cert into Alice's DB" - certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ -i ${R_EVEDIR}/Eve.cert 2>&1 CU_ACTION="Import Eve's cert into Bob's DB" - certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \ + certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ -i ${R_EVEDIR}/Eve.cert 2>&1 if [ -n "$NSS_ENABLE_ECC" ] ; then echo "$SCRIPTNAME: Importing EC Certificates ==============================" CU_ACTION="Import Bob's EC cert into Alice's db" - certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ -i ${R_BOBDIR}/Bob-ec.cert 2>&1 CU_ACTION="Import Dave's EC cert into Alice's DB" - certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ + certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ -i ${R_DAVEDIR}/Dave-ec.cert 2>&1 CU_ACTION="Import Dave's EC cert into Bob's DB" - certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \ + certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ -i ${R_DAVEDIR}/Dave-ec.cert 2>&1 ## XXXX Do not import Eve's EC cert until we can make sure that ## the email addresses listed in the Subject Alt Name Extension ## inside Eve's ECC and non-ECC certs are different. 
# CU_ACTION="Import Eve's EC cert into Alice's DB" -# certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ +# certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \ # -i ${R_EVEDIR}/Eve-ec.cert 2>&1 # CU_ACTION="Import Eve's EC cert into Bob's DB" -# certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \ +# certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \ # -i ${R_EVEDIR}/Eve-ec.cert 2>&1 fi diff --git a/security/nss/tests/cipher/cipher.txt b/security/nss/tests/cipher/cipher.txt index 44fdfd0c85e..5085fe07875 100644 --- a/security/nss/tests/cipher/cipher.txt +++ b/security/nss/tests/cipher/cipher.txt @@ -73,6 +73,7 @@ 0 md2_-H MD2_Hash 0 md5_-H MD5_Hash 0 sha1_-H SHA1_Hash + 0 sha224_-H SHA224_Hash 0 sha256_-H SHA256_Hash 0 sha384_-H SHA384_Hash 0 sha512_-H SHA512_Hash diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslc.c b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslc.c index 2fcb02e7cd7..2abaed2df16 100644 --- a/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslc.c +++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslc.c @@ -259,8 +259,7 @@ int SetServerSecParms(struct ThreadData *td) { if ( (NULL == td->cert) && ( NO_CERT != REP_ServerCert )) { PR_fprintf(PR_STDERR, "Can't find certificate %s\n", nicknames[REP_ServerCert]); - PR_fprintf(PR_STDERR, "Server: Seclib error: %s\n", - SECU_ErrorString ((int16) PR_GetError())); + PR_fprintf(PR_STDERR, "Server: Seclib error: %s\n", SECU_Strerror(PR_GetError())); return Error(12); } diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.c b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.c index a3150ac6e4f..19e9cd395f8 100755 --- a/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.c +++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.c 
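Review bot: Every `certu -E` import in this cert_smime_client hunk now passes `-t ",,"` instead of `-t "p,p,p"`, but nothing in the script says why the explicit peer-trust flags were dropped. With empty trust arguments the imported peer certificates carry no trust of their own. The S/MIME steps that follow therefore presumably depend on the issuing CA already being trusted in Alice's and Bob's databases, which is not visible in this hunk. One comment above the first import would record that, for example `# Peer certs are imported without explicit trust; they must verify through the CA chain in the db.` The commented-out Eve EC imports were changed the same way, so the comment covers them too.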
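Review bot: In SetServerSecParms, `PR_GetError()` is evaluated only after the first `PR_fprintf` has already run. If that write to PR_STDERR fails, the text printed as "Seclib error" may describe the write failure and not the failed certificate lookup. Reading the code first avoids that: put `PRErrorCode err = PR_GetError();` before the "Can't find certificate" line and pass `SECU_Strerror(err)` in the second call. The lookup that sets td->cert is outside the hunk, so whether other calls sit between it and this check cannot be seen from here.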
@@ -1006,7 +1006,7 @@ int Client() { r = PR_Connect(cl.s, &cl.na, PR_SecondsToInterval(50)); if (PR_FAILURE == r) { - dbmsg((PR_STDERR, "Client: Seclib error: %s\n",SECU_ErrorString ((int16) PR_GetError()))); + dbmsg((PR_STDERR, "Client: Seclib error: %s\n",SECU_Strerror(PR_GetError()))); return Error(104); } @@ -1015,7 +1015,7 @@ int Client() { r = SSL_ForceHandshake(cl.s); if (PR_FAILURE == r) { dbmsg((PR_STDERR, "Client: Seclib error: %s\n", - SECU_ErrorString ((int16) PR_GetError()))); + SECU_Strerror(PR_GetError()))); return Error(105); } }
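Review bot: Both failure paths in Client(), after `PR_Connect` in this hunk and after `SSL_ForceHandshake` in the next one, log only the text from `SECU_Strerror(PR_GetError())`. A code without a usable string then leaves nothing to search for in the test log. Logging the number beside the text keeps the failure diagnosable: `PRErrorCode err = PR_GetError();` followed by `dbmsg((PR_STDERR, "Client: Seclib error: %s (%d)\n", SECU_Strerror(err), err));`. The body of Client() extends beyond both hunks, so the declaration may need to move to the top of the enclosing block if the file is built as C89.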