Bug 834741, NSPR_4_9_5_BETA2 and NSS_3_14_2_BETA2, r=wtc

Kai Engert 2013-01-25 17:26:46 +01:00
parent fd861268ea
commit d4ddc18806
64 changed files with 2654 additions and 328 deletions


@ -84,9 +84,6 @@ mkstempflags(char *path, int extraFlags)
static int
_gettemp(char *path, register int *doopen, int extraFlags)
{
#if !defined(_WINDOWS) || defined(_WIN32)
extern int errno;
#endif
register char *start, *trv;
struct stat sbuf;
unsigned int pid;


@ -1 +1 @@
NSPR_4_9_5_BETA1
NSPR_4_9_5_BETA2


@ -10,4 +10,3 @@
*/
#error "Do not include this header file."

228
nsprpub/configure vendored

@ -878,7 +878,7 @@ arm-linux*-android*|*-linuxandroid*)
android_tool_prefix="arm-linux-androideabi"
;;
i?86-*android*)
android_tool_prefix="i686-android-linux"
android_tool_prefix="i686-linux-android"
;;
mipsel-*android*)
android_tool_prefix="mipsel-linux-android"
@ -973,6 +973,14 @@ echo "configure:954: checking for android platform directory" >&5
fi
fi
case "$target_cpu" in
i?86)
if ! test -e "$android_toolchain"/bin/"$android_tool_prefix"-gcc; then
android_tool_prefix="i686-android-linux"
fi
;;
esac
AS="$android_toolchain"/bin/"$android_tool_prefix"-as
CC="$android_toolchain"/bin/"$android_tool_prefix"-gcc
CXX="$android_toolchain"/bin/"$android_tool_prefix"-g++
@ -1304,7 +1312,7 @@ if test -z "$SKIP_PATH_CHECKS"; then
# Extract the first word of "$WHOAMI whoami", so it can be a program name with args.
set dummy $WHOAMI whoami; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:1308: checking for $ac_word" >&5
echo "configure:1316: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_path_WHOAMI'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -1376,13 +1384,13 @@ if test "$target" != "$host" -o -n "$CROSS_COMPILE"; then
_SAVE_LDFLAGS="$LDFLAGS"
echo $ac_n "checking for $host compiler""... $ac_c" 1>&6
echo "configure:1380: checking for $host compiler" >&5
echo "configure:1388: checking for $host compiler" >&5
for ac_prog in $HOST_CC gcc cc /usr/ucb/cc
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:1386: checking for $ac_word" >&5
echo "configure:1394: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_HOST_CC'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -1428,16 +1436,16 @@ test -n "$HOST_CC" || HOST_CC=""""
LDFLAGS="$HOST_LDFLAGS"
echo $ac_n "checking whether the $host compiler ($HOST_CC $HOST_CFLAGS $HOST_LDFLAGS) works""... $ac_c" 1>&6
echo "configure:1432: checking whether the $host compiler ($HOST_CC $HOST_CFLAGS $HOST_LDFLAGS) works" >&5
echo "configure:1440: checking whether the $host compiler ($HOST_CC $HOST_CFLAGS $HOST_LDFLAGS) works" >&5
cat > conftest.$ac_ext <<EOF
#line 1434 "configure"
#line 1442 "configure"
#include "confdefs.h"
int main() {
return(0);
; return 0; }
EOF
if { (eval echo configure:1441: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
if { (eval echo configure:1449: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
ac_cv_prog_host_cc_works=1 echo "$ac_t""yes" 1>&6
else
@ -1472,7 +1480,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:1476: checking for $ac_word" >&5
echo "configure:1484: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -1506,7 +1514,7 @@ test -n "$CC" || CC="echo"
# Extract the first word of "gcc", so it can be a program name with args.
set dummy gcc; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:1510: checking for $ac_word" >&5
echo "configure:1518: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -1536,7 +1544,7 @@ if test -z "$CC"; then
# Extract the first word of "cc", so it can be a program name with args.
set dummy cc; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:1540: checking for $ac_word" >&5
echo "configure:1548: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -1587,7 +1595,7 @@ fi
# Extract the first word of "cl", so it can be a program name with args.
set dummy cl; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:1591: checking for $ac_word" >&5
echo "configure:1599: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -1619,7 +1627,7 @@ fi
fi
echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6
echo "configure:1623: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
echo "configure:1631: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
ac_ext=c
# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
@ -1630,12 +1638,12 @@ cross_compiling=$ac_cv_prog_cc_cross
cat > conftest.$ac_ext << EOF
#line 1634 "configure"
#line 1642 "configure"
#include "confdefs.h"
main(){return(0);}
EOF
if { (eval echo configure:1639: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
if { (eval echo configure:1647: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
ac_cv_prog_cc_works=yes
# If we can't run a trivial program, we are probably using a cross compiler.
if (./conftest; exit) 2>/dev/null; then
@ -1661,12 +1669,12 @@ if test $ac_cv_prog_cc_works = no; then
{ echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; }
fi
echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
echo "configure:1665: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
echo "configure:1673: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6
cross_compiling=$ac_cv_prog_cc_cross
echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6
echo "configure:1670: checking whether we are using GNU C" >&5
echo "configure:1678: checking whether we are using GNU C" >&5
if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -1675,7 +1683,7 @@ else
yes;
#endif
EOF
if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:1679: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:1687: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
ac_cv_prog_gcc=yes
else
ac_cv_prog_gcc=no
@ -1694,7 +1702,7 @@ ac_test_CFLAGS="${CFLAGS+set}"
ac_save_CFLAGS="$CFLAGS"
CFLAGS=
echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6
echo "configure:1698: checking whether ${CC-cc} accepts -g" >&5
echo "configure:1706: checking whether ${CC-cc} accepts -g" >&5
if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -1731,7 +1739,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:1735: checking for $ac_word" >&5
echo "configure:1743: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_CXX'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -1767,7 +1775,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:1771: checking for $ac_word" >&5
echo "configure:1779: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_CXX'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -1799,7 +1807,7 @@ test -n "$CXX" || CXX="gcc"
echo $ac_n "checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works""... $ac_c" 1>&6
echo "configure:1803: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works" >&5
echo "configure:1811: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works" >&5
ac_ext=C
# CXXFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
@ -1810,12 +1818,12 @@ cross_compiling=$ac_cv_prog_cxx_cross
cat > conftest.$ac_ext << EOF
#line 1814 "configure"
#line 1822 "configure"
#include "confdefs.h"
int main(){return(0);}
EOF
if { (eval echo configure:1819: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
if { (eval echo configure:1827: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
ac_cv_prog_cxx_works=yes
# If we can't run a trivial program, we are probably using a cross compiler.
if (./conftest; exit) 2>/dev/null; then
@ -1841,12 +1849,12 @@ if test $ac_cv_prog_cxx_works = no; then
{ echo "configure: error: installation or configuration problem: C++ compiler cannot create executables." 1>&2; exit 1; }
fi
echo $ac_n "checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
echo "configure:1845: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler" >&5
echo "configure:1853: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler" >&5
echo "$ac_t""$ac_cv_prog_cxx_cross" 1>&6
cross_compiling=$ac_cv_prog_cxx_cross
echo $ac_n "checking whether we are using GNU C++""... $ac_c" 1>&6
echo "configure:1850: checking whether we are using GNU C++" >&5
echo "configure:1858: checking whether we are using GNU C++" >&5
if eval "test \"`echo '$''{'ac_cv_prog_gxx'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -1855,7 +1863,7 @@ else
yes;
#endif
EOF
if { ac_try='${CXX-g++} -E conftest.C'; { (eval echo configure:1859: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
if { ac_try='${CXX-g++} -E conftest.C'; { (eval echo configure:1867: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
ac_cv_prog_gxx=yes
else
ac_cv_prog_gxx=no
@ -1874,7 +1882,7 @@ ac_test_CXXFLAGS="${CXXFLAGS+set}"
ac_save_CXXFLAGS="$CXXFLAGS"
CXXFLAGS=
echo $ac_n "checking whether ${CXX-g++} accepts -g""... $ac_c" 1>&6
echo "configure:1878: checking whether ${CXX-g++} accepts -g" >&5
echo "configure:1886: checking whether ${CXX-g++} accepts -g" >&5
if eval "test \"`echo '$''{'ac_cv_prog_cxx_g'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -1919,7 +1927,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:1923: checking for $ac_word" >&5
echo "configure:1931: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -1954,7 +1962,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:1958: checking for $ac_word" >&5
echo "configure:1966: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_AR'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -1989,7 +1997,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:1993: checking for $ac_word" >&5
echo "configure:2001: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_AS'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2024,7 +2032,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:2028: checking for $ac_word" >&5
echo "configure:2036: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_LD'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2059,7 +2067,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:2063: checking for $ac_word" >&5
echo "configure:2071: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_STRIP'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2094,7 +2102,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:2098: checking for $ac_word" >&5
echo "configure:2106: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_WINDRES'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2129,7 +2137,7 @@ else
# Extract the first word of "gcc", so it can be a program name with args.
set dummy gcc; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:2133: checking for $ac_word" >&5
echo "configure:2141: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2159,7 +2167,7 @@ if test -z "$CC"; then
# Extract the first word of "cc", so it can be a program name with args.
set dummy cc; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:2163: checking for $ac_word" >&5
echo "configure:2171: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2210,7 +2218,7 @@ fi
# Extract the first word of "cl", so it can be a program name with args.
set dummy cl; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:2214: checking for $ac_word" >&5
echo "configure:2222: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2242,7 +2250,7 @@ fi
fi
echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6
echo "configure:2246: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
echo "configure:2254: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
ac_ext=c
# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
@ -2253,12 +2261,12 @@ cross_compiling=$ac_cv_prog_cc_cross
cat > conftest.$ac_ext << EOF
#line 2257 "configure"
#line 2265 "configure"
#include "confdefs.h"
main(){return(0);}
EOF
if { (eval echo configure:2262: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
if { (eval echo configure:2270: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
ac_cv_prog_cc_works=yes
# If we can't run a trivial program, we are probably using a cross compiler.
if (./conftest; exit) 2>/dev/null; then
@ -2284,12 +2292,12 @@ if test $ac_cv_prog_cc_works = no; then
{ echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; }
fi
echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
echo "configure:2288: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
echo "configure:2296: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6
cross_compiling=$ac_cv_prog_cc_cross
echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6
echo "configure:2293: checking whether we are using GNU C" >&5
echo "configure:2301: checking whether we are using GNU C" >&5
if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2298,7 +2306,7 @@ else
yes;
#endif
EOF
if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:2302: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:2310: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
ac_cv_prog_gcc=yes
else
ac_cv_prog_gcc=no
@ -2317,7 +2325,7 @@ ac_test_CFLAGS="${CFLAGS+set}"
ac_save_CFLAGS="$CFLAGS"
CFLAGS=
echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6
echo "configure:2321: checking whether ${CC-cc} accepts -g" >&5
echo "configure:2329: checking whether ${CC-cc} accepts -g" >&5
if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2357,7 +2365,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:2361: checking for $ac_word" >&5
echo "configure:2369: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_CXX'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2389,7 +2397,7 @@ test -n "$CXX" || CXX="gcc"
echo $ac_n "checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works""... $ac_c" 1>&6
echo "configure:2393: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works" >&5
echo "configure:2401: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works" >&5
ac_ext=C
# CXXFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
@ -2400,12 +2408,12 @@ cross_compiling=$ac_cv_prog_cxx_cross
cat > conftest.$ac_ext << EOF
#line 2404 "configure"
#line 2412 "configure"
#include "confdefs.h"
int main(){return(0);}
EOF
if { (eval echo configure:2409: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
if { (eval echo configure:2417: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
ac_cv_prog_cxx_works=yes
# If we can't run a trivial program, we are probably using a cross compiler.
if (./conftest; exit) 2>/dev/null; then
@ -2431,12 +2439,12 @@ if test $ac_cv_prog_cxx_works = no; then
{ echo "configure: error: installation or configuration problem: C++ compiler cannot create executables." 1>&2; exit 1; }
fi
echo $ac_n "checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
echo "configure:2435: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler" >&5
echo "configure:2443: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler" >&5
echo "$ac_t""$ac_cv_prog_cxx_cross" 1>&6
cross_compiling=$ac_cv_prog_cxx_cross
echo $ac_n "checking whether we are using GNU C++""... $ac_c" 1>&6
echo "configure:2440: checking whether we are using GNU C++" >&5
echo "configure:2448: checking whether we are using GNU C++" >&5
if eval "test \"`echo '$''{'ac_cv_prog_gxx'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2445,7 +2453,7 @@ else
yes;
#endif
EOF
if { ac_try='${CXX-g++} -E conftest.C'; { (eval echo configure:2449: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
if { ac_try='${CXX-g++} -E conftest.C'; { (eval echo configure:2457: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
ac_cv_prog_gxx=yes
else
ac_cv_prog_gxx=no
@ -2464,7 +2472,7 @@ ac_test_CXXFLAGS="${CXXFLAGS+set}"
ac_save_CXXFLAGS="$CXXFLAGS"
CXXFLAGS=
echo $ac_n "checking whether ${CXX-g++} accepts -g""... $ac_c" 1>&6
echo "configure:2468: checking whether ${CXX-g++} accepts -g" >&5
echo "configure:2476: checking whether ${CXX-g++} accepts -g" >&5
if eval "test \"`echo '$''{'ac_cv_prog_cxx_g'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2498,7 +2506,7 @@ fi
fi
fi
echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6
echo "configure:2502: checking how to run the C preprocessor" >&5
echo "configure:2510: checking how to run the C preprocessor" >&5
# On Suns, sometimes $CPP names a directory.
if test -n "$CPP" && test -d "$CPP"; then
CPP=
@ -2513,13 +2521,13 @@ else
# On the NeXT, cc -E runs the code through the compiler's parser,
# not just through cpp.
cat > conftest.$ac_ext <<EOF
#line 2517 "configure"
#line 2525 "configure"
#include "confdefs.h"
#include <assert.h>
Syntax Error
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
{ (eval echo configure:2523: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
{ (eval echo configure:2531: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
:
@ -2530,13 +2538,13 @@ else
rm -rf conftest*
CPP="${CC-cc} -E -traditional-cpp"
cat > conftest.$ac_ext <<EOF
#line 2534 "configure"
#line 2542 "configure"
#include "confdefs.h"
#include <assert.h>
Syntax Error
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
{ (eval echo configure:2540: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
{ (eval echo configure:2548: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
:
@ -2547,13 +2555,13 @@ else
rm -rf conftest*
CPP="${CC-cc} -nologo -E"
cat > conftest.$ac_ext <<EOF
#line 2551 "configure"
#line 2559 "configure"
#include "confdefs.h"
#include <assert.h>
Syntax Error
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
{ (eval echo configure:2557: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
{ (eval echo configure:2565: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
:
@ -2580,7 +2588,7 @@ echo "$ac_t""$CPP" 1>&6
# Extract the first word of "ranlib", so it can be a program name with args.
set dummy ranlib; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:2584: checking for $ac_word" >&5
echo "configure:2592: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2612,7 +2620,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:2616: checking for $ac_word" >&5
echo "configure:2624: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_path_AS'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2653,7 +2661,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:2657: checking for $ac_word" >&5
echo "configure:2665: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_path_AR'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2694,7 +2702,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:2698: checking for $ac_word" >&5
echo "configure:2706: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_path_LD'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2735,7 +2743,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:2739: checking for $ac_word" >&5
echo "configure:2747: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_path_STRIP'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2776,7 +2784,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:2780: checking for $ac_word" >&5
echo "configure:2788: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_path_WINDRES'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2844,7 +2852,7 @@ else
fi
echo $ac_n "checking for gcc -pipe support""... $ac_c" 1>&6
echo "configure:2848: checking for gcc -pipe support" >&5
echo "configure:2856: checking for gcc -pipe support" >&5
if test -n "$GNU_CC" && test -n "$GNU_CXX" && test -n "$GNU_AS"; then
echo '#include <stdio.h>' > dummy-hello.c
echo 'int main() { printf("Hello World\n"); return 0; }' >> dummy-hello.c
@ -2859,14 +2867,14 @@ if test -n "$GNU_CC" && test -n "$GNU_CXX" && test -n "$GNU_AS"; then
_SAVE_CFLAGS=$CFLAGS
CFLAGS="$CFLAGS -pipe"
cat > conftest.$ac_ext <<EOF
#line 2863 "configure"
#line 2871 "configure"
#include "confdefs.h"
#include <stdio.h>
int main() {
printf("Hello World\n");
; return 0; }
EOF
if { (eval echo configure:2870: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
if { (eval echo configure:2878: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
_res_gcc_pipe="yes"
else
@ -2896,16 +2904,16 @@ _SAVE_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -fprofile-generate -fprofile-correction"
echo $ac_n "checking whether C compiler supports -fprofile-generate""... $ac_c" 1>&6
echo "configure:2900: checking whether C compiler supports -fprofile-generate" >&5
echo "configure:2908: checking whether C compiler supports -fprofile-generate" >&5
cat > conftest.$ac_ext <<EOF
#line 2902 "configure"
#line 2910 "configure"
#include "confdefs.h"
int main() {
return 0;
; return 0; }
EOF
if { (eval echo configure:2909: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
if { (eval echo configure:2917: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
PROFILE_GEN_CFLAGS="-fprofile-generate"
result="yes"
@ -2928,7 +2936,7 @@ CFLAGS="$_SAVE_CFLAGS"
if test "$GNU_CC"; then
echo $ac_n "checking for visibility(hidden) attribute""... $ac_c" 1>&6
echo "configure:2932: checking for visibility(hidden) attribute" >&5
echo "configure:2940: checking for visibility(hidden) attribute" >&5
if eval "test \"`echo '$''{'ac_cv_visibility_hidden'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -2952,7 +2960,7 @@ echo "$ac_t""$ac_cv_visibility_hidden" 1>&6
EOF
echo $ac_n "checking for visibility pragma support""... $ac_c" 1>&6
echo "configure:2956: checking for visibility pragma support" >&5
echo "configure:2964: checking for visibility pragma support" >&5
if eval "test \"`echo '$''{'ac_cv_visibility_pragma'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -3005,7 +3013,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:3009: checking for $ac_word" >&5
echo "configure:3017: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_path_PERL'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -3327,14 +3335,14 @@ no)
_SAVE_CFLAGS="$CFLAGS"
CFLAGS="$arch_flag"
cat > conftest.$ac_ext <<EOF
#line 3331 "configure"
#line 3339 "configure"
#include "confdefs.h"
int main() {
return sizeof(__thumb2__);
; return 0; }
EOF
if { (eval echo configure:3338: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
if { (eval echo configure:3346: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
MOZ_THUMB2=1
else
@ -3396,16 +3404,16 @@ if test -n "$all_flags"; then
_SAVE_CFLAGS="$CFLAGS"
CFLAGS="$all_flags"
echo $ac_n "checking whether the chosen combination of compiler flags ($all_flags) works""... $ac_c" 1>&6
echo "configure:3400: checking whether the chosen combination of compiler flags ($all_flags) works" >&5
echo "configure:3408: checking whether the chosen combination of compiler flags ($all_flags) works" >&5
cat > conftest.$ac_ext <<EOF
#line 3402 "configure"
#line 3410 "configure"
#include "confdefs.h"
int main() {
return 0;
; return 0; }
EOF
if { (eval echo configure:3409: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
if { (eval echo configure:3417: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
rm -rf conftest*
echo "$ac_t""yes" 1>&6
else
@ -3462,17 +3470,17 @@ EOF
DSO_LDOPTS='-brtl -bnortllib -bM:SRE -bnoentry -bexpall -blibpath:/usr/lib:/lib'
ac_safe=`echo "sys/atomic_op.h" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for sys/atomic_op.h""... $ac_c" 1>&6
echo "configure:3466: checking for sys/atomic_op.h" >&5
echo "configure:3474: checking for sys/atomic_op.h" >&5
if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
#line 3471 "configure"
#line 3479 "configure"
#include "confdefs.h"
#include <sys/atomic_op.h>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
{ (eval echo configure:3476: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
{ (eval echo configure:3484: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
@ -3629,7 +3637,7 @@ EOF
_DEBUG_FLAGS='-gdwarf-2 -O0'
MKSHLIB='$(CCC) $(DSO_LDOPTS) -o $@'
echo $ac_n "checking for gethostbyaddr in -lbind""... $ac_c" 1>&6
echo "configure:3633: checking for gethostbyaddr in -lbind" >&5
echo "configure:3641: checking for gethostbyaddr in -lbind" >&5
ac_lib_var=`echo bind'_'gethostbyaddr | sed 'y%./+-%__p_%'`
if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
@ -3637,7 +3645,7 @@ else
ac_save_LIBS="$LIBS"
LIBS="-lbind $LIBS"
cat > conftest.$ac_ext <<EOF
#line 3641 "configure"
#line 3649 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
@ -3648,7 +3656,7 @@ int main() {
gethostbyaddr()
; return 0; }
EOF
if { (eval echo configure:3652: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
if { (eval echo configure:3660: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
@ -3857,17 +3865,17 @@ EOF
fi
ac_safe=`echo "crt_externs.h" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for crt_externs.h""... $ac_c" 1>&6
echo "configure:3861: checking for crt_externs.h" >&5
echo "configure:3869: checking for crt_externs.h" >&5
if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
#line 3866 "configure"
#line 3874 "configure"
#include "confdefs.h"
#include <crt_externs.h>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
{ (eval echo configure:3871: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
{ (eval echo configure:3879: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
@ -4911,17 +4919,17 @@ EOF
_OPTIMIZE_FLAGS="$_OPTIMIZE_FLAGS -Olimit 4000"
ac_safe=`echo "machine/builtins.h" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for machine/builtins.h""... $ac_c" 1>&6
echo "configure:4915: checking for machine/builtins.h" >&5
echo "configure:4923: checking for machine/builtins.h" >&5
if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
#line 4920 "configure"
#line 4928 "configure"
#include "confdefs.h"
#include <machine/builtins.h>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
{ (eval echo configure:4925: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
{ (eval echo configure:4933: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
@ -5480,7 +5488,7 @@ case $target in
;;
*)
echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6
echo "configure:5484: checking for dlopen in -ldl" >&5
echo "configure:5492: checking for dlopen in -ldl" >&5
ac_lib_var=`echo dl'_'dlopen | sed 'y%./+-%__p_%'`
if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
@ -5488,7 +5496,7 @@ else
ac_save_LIBS="$LIBS"
LIBS="-ldl $LIBS"
cat > conftest.$ac_ext <<EOF
#line 5492 "configure"
#line 5500 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
@ -5499,7 +5507,7 @@ int main() {
dlopen()
; return 0; }
EOF
if { (eval echo configure:5503: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
if { (eval echo configure:5511: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
@ -5516,17 +5524,17 @@ if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
echo "$ac_t""yes" 1>&6
ac_safe=`echo "dlfcn.h" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for dlfcn.h""... $ac_c" 1>&6
echo "configure:5520: checking for dlfcn.h" >&5
echo "configure:5528: checking for dlfcn.h" >&5
if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
#line 5525 "configure"
#line 5533 "configure"
#include "confdefs.h"
#include <dlfcn.h>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
{ (eval echo configure:5530: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
{ (eval echo configure:5538: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
@ -5559,13 +5567,13 @@ esac
if test $ac_cv_prog_gcc = yes; then
echo $ac_n "checking whether ${CC-cc} needs -traditional""... $ac_c" 1>&6
echo "configure:5563: checking whether ${CC-cc} needs -traditional" >&5
echo "configure:5571: checking whether ${CC-cc} needs -traditional" >&5
if eval "test \"`echo '$''{'ac_cv_prog_gcc_traditional'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
ac_pattern="Autoconf.*'x'"
cat > conftest.$ac_ext <<EOF
#line 5569 "configure"
#line 5577 "configure"
#include "confdefs.h"
#include <sgtty.h>
Autoconf TIOCGETP
@ -5583,7 +5591,7 @@ rm -f conftest*
if test $ac_cv_prog_gcc_traditional = no; then
cat > conftest.$ac_ext <<EOF
#line 5587 "configure"
#line 5595 "configure"
#include "confdefs.h"
#include <termio.h>
Autoconf TCGETA
@ -5609,12 +5617,12 @@ LIBS="$LIBS $OS_LIBS"
for ac_func in lchown strerror dladdr
do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
echo "configure:5613: checking for $ac_func" >&5
echo "configure:5621: checking for $ac_func" >&5
if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
#line 5618 "configure"
#line 5626 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
@ -5637,7 +5645,7 @@ $ac_func();
; return 0; }
EOF
if { (eval echo configure:5641: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
if { (eval echo configure:5649: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_$ac_func=yes"
else
@ -5689,7 +5697,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:5693: checking for $ac_word" >&5
echo "configure:5701: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_path_CCACHE'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -5748,7 +5756,7 @@ hpux*)
if test -z "$GNU_CC"; then
echo $ac_n "checking for +Olit support""... $ac_c" 1>&6
echo "configure:5752: checking for +Olit support" >&5
echo "configure:5760: checking for +Olit support" >&5
if eval "test \"`echo '$''{'ac_cv_hpux_usable_olit_option'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -5790,7 +5798,7 @@ wince*)
*)
echo $ac_n "checking for pthread_create in -lpthreads""... $ac_c" 1>&6
echo "configure:5794: checking for pthread_create in -lpthreads" >&5
echo "configure:5802: checking for pthread_create in -lpthreads" >&5
echo "
#include <pthread.h>
void *foo(void *v) { return v; }
@ -5812,7 +5820,7 @@ echo "
echo "$ac_t""no" 1>&6
echo $ac_n "checking for pthread_create in -lpthread""... $ac_c" 1>&6
echo "configure:5816: checking for pthread_create in -lpthread" >&5
echo "configure:5824: checking for pthread_create in -lpthread" >&5
echo "
#include <pthread.h>
void *foo(void *v) { return v; }
@ -5834,7 +5842,7 @@ echo "
echo "$ac_t""no" 1>&6
echo $ac_n "checking for pthread_create in -lc_r""... $ac_c" 1>&6
echo "configure:5838: checking for pthread_create in -lc_r" >&5
echo "configure:5846: checking for pthread_create in -lc_r" >&5
echo "
#include <pthread.h>
void *foo(void *v) { return v; }
@ -5856,7 +5864,7 @@ echo "
echo "$ac_t""no" 1>&6
echo $ac_n "checking for pthread_create in -lc""... $ac_c" 1>&6
echo "configure:5860: checking for pthread_create in -lc" >&5
echo "configure:5868: checking for pthread_create in -lc" >&5
echo "
#include <pthread.h>
void *foo(void *v) { return v; }
@ -5974,7 +5982,7 @@ if test -n "$USE_PTHREADS"; then
rm -f conftest*
ac_cv_have_dash_pthread=no
echo $ac_n "checking whether ${CC-cc} accepts -pthread""... $ac_c" 1>&6
echo "configure:5978: checking whether ${CC-cc} accepts -pthread" >&5
echo "configure:5986: checking whether ${CC-cc} accepts -pthread" >&5
echo 'int main() { return 0; }' | cat > conftest.c
${CC-cc} -pthread -o conftest conftest.c > conftest.out 2>&1
if test $? -eq 0; then
@ -5997,7 +6005,7 @@ echo "configure:5978: checking whether ${CC-cc} accepts -pthread" >&5
ac_cv_have_dash_pthreads=no
if test "$ac_cv_have_dash_pthread" = "no"; then
echo $ac_n "checking whether ${CC-cc} accepts -pthreads""... $ac_c" 1>&6
echo "configure:6001: checking whether ${CC-cc} accepts -pthreads" >&5
echo "configure:6009: checking whether ${CC-cc} accepts -pthreads" >&5
echo 'int main() { return 0; }' | cat > conftest.c
${CC-cc} -pthreads -o conftest conftest.c > conftest.out 2>&1
if test $? -eq 0; then


@ -127,7 +127,7 @@ arm-linux*-android*|*-linuxandroid*)
android_tool_prefix="arm-linux-androideabi"
;;
i?86-*android*)
android_tool_prefix="i686-android-linux"
android_tool_prefix="i686-linux-android"
;;
mipsel-*android*)
android_tool_prefix="mipsel-linux-android"
@ -221,6 +221,17 @@ case "$target" in
fi
fi
dnl Old NDK support. If minimum requirement is changed to NDK r8b,
dnl please remove this.
case "$target_cpu" in
i?86)
if ! test -e "$android_toolchain"/bin/"$android_tool_prefix"-gcc; then
dnl Old NDK toolchain name
android_tool_prefix="i686-android-linux"
fi
;;
esac
dnl set up compilers
AS="$android_toolchain"/bin/"$android_tool_prefix"-as
CC="$android_toolchain"/bin/"$android_tool_prefix"-gcc


@ -118,7 +118,8 @@ OS_LIBS += -lc_r
endif
endif
ifeq ($(OS_ARCH),Linux)
# Linux, GNU/Hurd, and GNU/kFreeBSD systems
ifneq (,$(filter Linux GNU%,$(OS_ARCH)))
ifeq ($(USE_PTHREADS), 1)
ifeq ($(OS_TARGET),Android)
# Android has no libpthread.so in NDK
@ -129,8 +130,11 @@ endif
else
OS_LIBS = -ldl
endif
ifneq ($(OS_TARGET),Android)
# Android has no librt - realtime functions are in libc
OS_LIBS += -lrt
endif
endif
ifeq ($(OS_ARCH),HP-UX)
ifeq ($(USE_PTHREADS), 1)


@ -1150,7 +1150,7 @@ void _PR_InitIO(void)
osfd = socket(AF_INET6, SOCK_STREAM, 0);
if (osfd != -1) {
int on;
int optlen = sizeof(on);
socklen_t optlen = sizeof(on);
if (getsockopt(osfd, IPPROTO_IPV6, IPV6_V6ONLY,
&on, &optlen) == 0) {
_pr_ipv6_v6only_on_by_default = on;


@ -0,0 +1,6 @@
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
include $(CORE_DEPTH)/coreconf/Linux.mk


@ -8,7 +8,9 @@ include $(CORE_DEPTH)/coreconf/UNIX.mk
#
# The default implementation strategy for Linux is now pthreads
#
USE_PTHREADS = 1
ifneq ($(OS_TARGET),Android)
USE_PTHREADS = 1
endif
ifeq ($(USE_PTHREADS),1)
IMPL_STRATEGY = _PTH
@ -20,6 +22,26 @@ RANLIB = ranlib
DEFAULT_COMPILER = gcc
ifeq ($(OS_TARGET),Android)
ifndef ANDROID_NDK
$(error Must set ANDROID_NDK to the path to the android NDK first)
endif
ANDROID_PREFIX=$(OS_TEST)-linux-androideabi
ANDROID_TARGET=$(ANDROID_PREFIX)-4.4.3
# should autodetect which linux we are on, currently android only
# supports linux-x86 prebuilts
ANDROID_TOOLCHAIN=$(ANDROID_NDK)/toolchains/$(ANDROID_TARGET)/prebuilt/linux-x86
ANDROID_SYSROOT=$(ANDROID_NDK)/platforms/android-$(OS_TARGET_RELEASE)/arch-$(OS_TEST)
ANDROID_CC=$(ANDROID_TOOLCHAIN)/bin/$(ANDROID_PREFIX)-gcc
# internal tools need to be built with the native compiler
ifndef INTERNAL_TOOLS
CC = $(ANDROID_CC) --sysroot=$(ANDROID_SYSROOT)
DEFAULT_COMPILER=$(ANDROID_PREFIX)-gcc
ARCHFLAG = --sysroot=$(ANDROID_SYSROOT)
DEFINES += -DNO_SYSINFO -DNO_FORK_CHECK -DANDROID
CROSS_COMPILE = 1
endif
endif
ifeq ($(OS_TEST),ppc64)
CPU_ARCH = ppc
ifeq ($(USE_64),1)
@ -67,7 +89,9 @@ endif
endif
ifneq ($(OS_TARGET),Android)
LIBC_TAG = _glibc
endif
ifeq ($(OS_RELEASE),2.0)
OS_REL_CFLAGS += -DLINUX2_0
@ -103,7 +127,7 @@ endif
# Place -ansi and *_SOURCE before $(DSO_CFLAGS) so DSO_CFLAGS can override
# -ansi on platforms like Android where the system headers are C99 and do
# not build with -ansi.
STANDARDS_CFLAGS = -ansi -D_POSIX_SOURCE -D_BSD_SOURCE -D_XOPEN_SOURCE
STANDARDS_CFLAGS = -D_POSIX_SOURCE -D_BSD_SOURCE -D_XOPEN_SOURCE
OS_CFLAGS = $(STANDARDS_CFLAGS) $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -DLINUX -Dlinux -DHAVE_STRERROR
OS_LIBS = $(OS_PTHREAD) -ldl -lc
@ -141,12 +165,14 @@ CPU_TAG = _$(CPU_ARCH)
# dependencies by default. Set FREEBL_NO_DEPEND to 0 in the environment to
# override this.
#
ifneq ($(OS_TARGET),Android)
ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
ifndef FREEBL_NO_DEPEND
FREEBL_NO_DEPEND = 1
FREEBL_LOWHASH = 1
endif
endif
endif
USE_SYSTEM_ZLIB = 1
ZLIB_LIBS = -lz
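Review bot: The Android block adds `-DNO_SYSINFO -DNO_FORK_CHECK -DANDROID` to DEFINES without a comment, and going by its name NO_FORK_CHECK switches off a fork-detection check somewhere in the library (its use is not visible in this diff), which is a security-relevant default to change silently. A comment above that line would record the decision, for example `# NO_FORK_CHECK: <why the fork check is disabled on Android>`. Separately, the later hunk drops `-ansi` from STANDARDS_CFLAGS for every Linux target, yet the comment directly above it still says -ansi is placed before $(DSO_CFLAGS) so that it can be overridden; either keep `-ansi` for non-Android builds or update that comment to match.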


@ -63,8 +63,6 @@ else
endif
endif
INCLUDES += -I/usr/dt/include -I/usr/openwin/include
RANLIB = echo
CPU_ARCH = sparc
OS_DEFINES += -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT


@ -249,6 +249,17 @@ ifeq (MINGW32_NT,$(findstring MINGW32_NT,$(OS_ARCH)))
endif
endif
ifeq ($(OS_TARGET),Android)
#
# this should be configurable from the user
#
OS_TEST := arm
OS_ARCH = Android
ifndef OS_TARGET_RELEASE
OS_TARGET_RELEASE := 8
endif
endif
ifndef OS_TARGET
OS_TARGET = $(OS_ARCH)
endif


@ -31,7 +31,7 @@ endif
#######################################################################
TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD \
AIX RISCOS WINNT WIN95 Linux
AIX RISCOS WINNT WIN95 Linux Android
ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk


@ -10,5 +10,3 @@
*/
#error "Do not include this header file."


@ -61,6 +61,9 @@ NSPR_CONFIGURE = $(CORE_DEPTH)/../nsprpub/configure
# Translate coreconf build options to NSPR configure options.
#
ifeq ($(OS_TARGET),Android)
NSPR_CONFIGURE_OPTS += --with-android-ndk=$(ANDROID_NDK) --target=arm-linux-androideabi --with-android-version=$(OS_TARGET_RELEASE)
endif
ifdef BUILD_OPT
NSPR_CONFIGURE_OPTS += --disable-debug --enable-optimize
endif
@ -150,31 +153,3 @@ nss_RelEng_bld: build_coreconf import build_dbm all
package:
$(MAKE) -C pkg publish
TESTPACKAGE="nss-$(OS_TARGET)$(CPU_TAG).tgz"
package_for_testing:
echo "export OBJDIR=$(OBJDIR_NAME)" > $(DIST)/platform.cfg
echo "export OS_ARCH=$(ANDROID)" >> $(DIST)/platform.cfg
echo "export DLL_PREFIX=$(DLL_PREFIX)" >> $(DIST)/platform.cfg
echo "export DLL_SUFFIX=$(DLL_SUFFIX)" >> $(DIST)/platform.cfg
ifeq ($(OS_TARGET),Android)
# Android doesn't support FIPS tests, so don't run them
echo "export NSS_TEST_DISABLE_FIPS=1" >> $(DIST)/platform.cfg
endif
echo 'echo "set HOST and DOMSUF if your system is not registered in DNS"; sleep 5' > $(DIST)/../../runtests.sh
echo 'export NSS_TESTS=$(NSS_TESTS)' >> $(DIST)/../../runtests.sh
echo 'export NSS_SSL_TESTS=$(NSS_SSL_TESTS)' >> $(DIST)/../../runtests.sh
echo 'export NSS_SSL_RUN=$(NSS_SSL_RUN)' >> $(DIST)/../../runtests.sh
echo 'export NSS_CYCLES=$(NSS_CYCLES)' >> $(DIST)/../../runtests.sh
echo 'export OBJDIR=$(OBJDIR_NAME)' >> $(DIST)/../../runtests.sh
echo 'export USE_64=$(USE_64)' >> $(DIST)/../../runtests.sh
echo 'export BUILD_OPT=$(BUILD_OPT)' >> $(DIST)/../../runtests.sh
echo 'rm -rf test_results' >> $(DIST)/../../runtests.sh
echo 'echo "running tests"' >> $(DIST)/../../runtests.sh
echo 'cd security/nss/tests; ./all.sh > ../../../logfile 2>&1 ; cd ../../../' >> $(DIST)/../../runtests.sh
echo 'tar czf tests_results.tgz tests_results' >> $(DIST)/../../runtests.sh
echo 'echo "created tests_results.tgz"' >> $(DIST)/../../runtests.sh
echo 'echo "results are in directory: "`ls -1d tests_results/security/*.1`' >> $(DIST)/../../runtests.sh
echo 'echo -n "number of PASSED tests: "; grep -cw PASSED logfile;' >> $(DIST)/../../runtests.sh
echo 'echo -n "number of FAILED tests: "; grep -cw FAILED logfile;' >> $(DIST)/../../runtests.sh
rm -f $(TESTPACKAGE)
(cd $(DIST)/../.. ; tar czhf dist/$(TESTPACKAGE) runtests.sh dist/$(OBJDIR_NAME) dist/public security/nss/tests security/nss/cmd/bltest/tests; echo "created "`pwd`"/dist/$(TESTPACKAGE)")


@ -1 +1 @@
NSS_3_14_2_BETA1
NSS_3_14_2_BETA2


@ -1 +1 @@
NSS_3_14_CKBI_1_93_RTM
NSS_3_14_2_BETA2


@ -477,8 +477,7 @@ listCerts(CERTCertDBHandle *handle, char *name, char *email, PK11SlotInfo *slot,
}
rv = SECSuccess;
} else {
rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate",
the_cert->trust);
rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate", NULL);
if (rv != SECSuccess) {
SECU_PrintError(progName, "problem printing certificate");
}
@ -516,8 +515,7 @@ listCerts(CERTCertDBHandle *handle, char *name, char *email, PK11SlotInfo *slot,
rv = SECFailure;
}
} else {
rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate",
the_cert->trust);
rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate", NULL);
if (rv != SECSuccess) {
SECU_PrintError(progName, "problem printing certificate");
}


@ -2143,7 +2143,7 @@ printflags(char *trusts, unsigned int flags)
SECStatus
SECU_PrintCertNickname(CERTCertListNode *node, void *data)
{
CERTCertTrust *trust;
CERTCertTrust trust;
CERTCertificate* cert;
FILE *out;
char trusts[30];
@ -2165,13 +2165,12 @@ SECU_PrintCertNickname(CERTCertListNode *node, void *data)
name = "(NULL)";
}
trust = cert->trust;
if (trust) {
printflags(trusts, trust->sslFlags);
if (CERT_GetCertTrust(cert, &trust) == SECSuccess) {
printflags(trusts, trust.sslFlags);
PORT_Strcat(trusts, ",");
printflags(trusts, trust->emailFlags);
printflags(trusts, trust.emailFlags);
PORT_Strcat(trusts, ",");
printflags(trusts, trust->objectSigningFlags);
printflags(trusts, trust.objectSigningFlags);
} else {
PORT_Memcpy(trusts,",,",3);
}
@ -3068,6 +3067,7 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
{
SECStatus rv;
SECItem data;
CERTCertTrust certTrust;
data.data = cert->derCert.data;
data.len = cert->derCert.len;
@ -3080,8 +3080,8 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
if (trust) {
SECU_PrintTrustFlags(stdout, trust,
"Certificate Trust Flags", 1);
} else if (cert->trust) {
SECU_PrintTrustFlags(stdout, cert->trust,
} else if (CERT_GetCertTrust(cert, &certTrust) == SECSuccess) {
SECU_PrintTrustFlags(stdout, &certTrust,
"Certificate Trust Flags", 1);
}
@ -3463,6 +3463,7 @@ SECU_FindCrlIssuer(CERTCertDBHandle *dbhandle, SECItem* subject,
{
CERTCertificate *issuerCert = NULL;
CERTCertList *certList = NULL;
CERTCertTrust trust;
if (!subject) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@ -3481,7 +3482,7 @@ SECU_FindCrlIssuer(CERTCertDBHandle *dbhandle, SECItem* subject,
/* check cert CERTCertTrust data is allocated, check cert
usage extension, check that cert has pkey in db. Select
the first (newest) user cert */
if (cert->trust &&
if (CERT_GetCertTrust(cert, &trust) == SECSuccess &&
CERT_CheckCertUsage(cert, KU_CRL_SIGN) == SECSuccess &&
CERT_IsUserCert(cert)) {
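Review bot: In SECU_FindCrlIssuer the new local `trust` is only ever written: `CERT_GetCertTrust(cert, &trust) == SECSuccess` serves purely as a "does this cert have a trust record" test, while the comment above the condition still says the CERTCertTrust data is "allocated". I would reword the first line of that comment to `/* check that the cert has a trust record, check cert` so the next reader does not go looking for a use of the copied flags. The function starts and ends outside the hunks shown here.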


@ -492,6 +492,7 @@ do_list_certs(const char *progName, int log)
CERTCertList *list;
CERTCertList *sorted;
CERTCertListNode *node;
CERTCertTrust trust;
int i;
list = PK11_ListCerts(PK11CertListUnique, NULL);
@ -543,10 +544,10 @@ do_list_certs(const char *progName, int log)
commonName = CERT_GetCommonName(&cert->subject);
appendString(commonName?commonName:"*NoName*");
PORT_Free(commonName);
if (cert->trust) {
appendFlags(cert->trust->sslFlags);
appendFlags(cert->trust->emailFlags);
appendFlags(cert->trust->objectSigningFlags);
if (CERT_GetCertTrust(cert, &trust) == SECSuccess) {
appendFlags(trust.sslFlags);
appendFlags(trust.emailFlags);
appendFlags(trust.objectSigningFlags);
}
}
CERT_DestroyCertList(list);


@ -5,7 +5,7 @@
/*
* Test program for client-side OCSP.
*
* $Id: ocspclnt.c,v 1.13 2012/03/20 14:47:10 gerv%gerv.net Exp $
* $Id: ocspclnt.c,v 1.14 2013/01/23 23:05:50 kaie%kuix.de Exp $
*/
#include "secutil.h"
@ -828,8 +828,7 @@ static char *responseStatusNames[] = {
"tryLater (Try again later)",
"unused ((4) is not used)",
"sigRequired (Must sign the request)",
"unauthorized (Request unauthorized)",
"other (Status value out of defined range)"
"unauthorized (Request unauthorized)"
};
/*
@ -853,9 +852,15 @@ print_response (FILE *out_file, SECItem *data, CERTCertDBHandle *handle)
if (response == NULL)
return SECFailure;
PORT_Assert (response->statusValue <= ocspResponse_other);
fprintf (out_file, "Response Status: %s\n",
responseStatusNames[response->statusValue]);
if (response->statusValue >= ocspResponse_min &&
response->statusValue <= ocspResponse_max) {
fprintf (out_file, "Response Status: %s\n",
responseStatusNames[response->statusValue]);
} else {
fprintf (out_file,
"Response Status: other (Status value %d out of defined range)\n",
(int)response->statusValue);
}
if (response->statusValue == ocspResponse_successful) {
ocspResponseBytes *responseBytes = response->responseBytes;
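Review bot: The new range check in print_response guards the `responseStatusNames[...]` lookup with `ocspResponse_min` and `ocspResponse_max`, which are defined outside this diff, rather than with the size of the table being indexed; the status value comes from a decoded response, so the guard and the table should not be able to drift apart. Tying the check to the array keeps the lookup in bounds when either side changes, e.g. `if ((unsigned)response->statusValue < PR_ARRAY_SIZE(responseStatusNames)) {`. If the enum constants are kept, a comment on the array saying it must hold exactly `ocspResponse_max + 1` entries would at least record the dependency. print_response continues outside the hunk.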


@ -83,9 +83,13 @@ ifeq ($(OS_TARGET), OS2)
$(call core_abspath,$(OBJDIR)) $(OS_TARGET) \
$(call core_abspath,$(NSPR_LIB_DIR)) $(call core_abspath,$<)
else
ifeq ($(CROSS_COMPILE),1)
# do nothing
else
cd $(OBJDIR) ; sh $(SRCDIR)/sign.sh $(call core_abspath,$(DIST)) \
$(call core_abspath,$(OBJDIR)) $(OS_TARGET) \
$(call core_abspath,$(NSPR_LIB_DIR)) $(call core_abspath,$<)
endif
endif
libs install :: $(CHECKLOC)
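Review bot: With `CROSS_COMPILE` equal to 1 the rule now skips `sign.sh` entirely and the only trace is `# do nothing`, so a cross build completes without whatever signature output this rule otherwise produces for `$<`, and nothing tells the packager. If a library integrity self-check depends on that output (not visible in this diff), the cross-built package would fail or lose that check on the device. I would at least print a notice in that branch, `@echo "shlibsign skipped (cross build): sign $< on the target"`, and have the comment say why signing cannot run on the build host. The rule header is outside the hunk.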


@ -3,6 +3,13 @@
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# arguments:
# 1: full path to DIST/OBJDIR (parent dir of "lib")
# 2: full path to shlibsign executable (DIST/OBJDIR/bin)
# 3: OS_TARGET
# 4: full path to DIST/OBJDIR/lib
# 5: full path to library that is to be signed
case "${3}" in
WIN*)
if echo "${PATH}" | grep -c \; >/dev/null; then


@ -34,7 +34,7 @@
#include "cert.h"
#include "sslproto.h"
#define VERSIONSTRING "$Revision: 1.22 $ ($Date: 2012/06/14 18:16:05 $) $Author: wtc%google.com $"
#define VERSIONSTRING "$Revision: 1.23 $ ($Date: 2013/01/23 20:53:58 $) $Author: wtc%google.com $"
struct _DataBufferList;
@ -333,8 +333,11 @@ const char * V2CipherString(int cs_int)
case 0x000039: cs_str = "TLS/DHE-RSA/AES256-CBC/SHA"; break;
case 0x00003A: cs_str = "TLS/DH-ANON/AES256-CBC/SHA"; break;
case 0x00003B: cs_str = "TLS/RSA/NULL/SHA256"; break;
case 0x00003C: cs_str = "TLS/RSA/AES128-CBC/SHA256"; break;
case 0x00003D: cs_str = "TLS/RSA/AES256-CBC/SHA256"; break;
case 0x00003E: cs_str = "TLS/DH-DSS/AES128-CBC/SHA256"; break;
case 0x00003F: cs_str = "TLS/DH-RSA/AES128-CBC/SHA256"; break;
case 0x000040: cs_str = "TLS/DHE-DSS/AES128-CBC/SHA256"; break;
case 0x000041: cs_str = "TLS/RSA/CAMELLIA128-CBC/SHA"; break;


@ -66,6 +66,9 @@ Usage(const char *progName)
"\t-u usage \t 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,\n"
"\t\t\t 4=Email signer, 5=Email recipient, 6=Object signer,\n"
"\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA\n"
"\t-T\t\t Trust both explicit trust anchors (-t) and the database.\n"
"\t\t\t (Default is to only trust certificates marked -t, if there are any,\n"
"\t\t\t or to trust the database if there are certificates marked -t.)\n"
"\t-v\t\t Verbose mode. Prints root cert subject(double the\n"
"\t\t\t argument for whole root cert info)\n"
"\t-w password\t Database password.\n"
@ -423,13 +426,14 @@ main(int argc, char *argv[], char *envp[])
int revDataIndex = 0;
PRBool ocsp_fetchingFailureIsAFailure = PR_TRUE;
PRBool useDefaultRevFlags = PR_TRUE;
PRBool onlyTrustAnchors = PR_TRUE;
int vfyCounts = 1;
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
progName = PL_strdup(argv[0]);
optstate = PL_CreateOptState(argc, argv, "ab:c:d:efg:h:i:m:o:prs:tu:vw:W:");
optstate = PL_CreateOptState(argc, argv, "ab:c:d:efg:h:i:m:o:prs:tTu:vw:W:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch(optstate->option) {
case 0 : /* positional parameter */ goto breakout;
@ -478,6 +482,7 @@ main(int argc, char *argv[], char *envp[])
revMethodsData[revDataIndex].
methodFlagsStr = PL_strdup(optstate->value); break;
case 't' : trusted = PR_TRUE; break;
case 'T' : onlyTrustAnchors = PR_FALSE; break;
case 'u' : usage = PORT_Atoi(optstate->value);
if (usage < 0 || usage > 62) Usage(progName);
certUsage = ((SECCertificateUsage)1) << usage;
@ -511,6 +516,11 @@ breakout:
" CERT_PKIXVerifyCert(-pp) function.\n");
Usage(progName);
}
if (!onlyTrustAnchors) {
fprintf(stderr, "Cert trust anchor exclusiveness can be"
" used only with CERT_PKIXVerifyCert(-pp)"
" function.\n");
}
}
if (!useDefaultRevFlags && parseRevMethodsAndFlags()) {
@ -593,7 +603,7 @@ breakout:
NULL);/* returned usages */
} else do {
static CERTValOutParam cvout[4];
static CERTValInParam cvin[6];
static CERTValInParam cvin[7];
SECOidTag oidTag;
int inParamIndex = 0;
static PRUint64 revFlagsLeaf[2];
@ -667,6 +677,12 @@ breakout:
cvin[inParamIndex].value.scalar.time = time;
inParamIndex++;
}
if (!onlyTrustAnchors) {
cvin[inParamIndex].type = cert_pi_useOnlyTrustAnchors;
cvin[inParamIndex].value.scalar.b = onlyTrustAnchors;
inParamIndex++;
}
cvin[inParamIndex].type = cert_pi_end;
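Review bot: The new `-T` help text in Usage contradicts itself: its last line says the database is trusted "if there are certificates marked -t", where it should say there are none, i.e. `"\t\t\t or to trust the database if there are no certificates marked -t.)\n"`. This text describes which roots a verification will trust, so a wrong description of the default can mislead anyone using the tool to test trust-anchor behaviour. Also, the added `if (!onlyTrustAnchors)` block after `breakout:` only prints to stderr, whereas the check just above it ends with `Usage(progName);`; if `-T` without `-pp` is meant to be rejected, add the same call there. main extends beyond the hunks shown.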


@ -5,7 +5,7 @@
/*
* Certificate handling code
*
* $Id: certdb.c,v 1.123 2012/04/25 14:49:26 gerv%gerv.net Exp $
* $Id: certdb.c,v 1.124 2013/01/07 04:11:50 ryan.sleevi%gmail.com Exp $
*/
#include "nssilock.h"
@ -2051,35 +2051,38 @@ cert_Version(CERTCertificate *cert)
static unsigned int
cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType)
{
CERTCertTrust *trust = cert->trust;
CERTCertTrust trust;
SECStatus rv = SECFailure;
if (trust && (trust->sslFlags |
trust->emailFlags |
trust->objectSigningFlags)) {
rv = CERT_GetCertTrust(cert, &trust);
if (trust->sslFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED))
if (rv == SECSuccess && (trust.sslFlags |
trust.emailFlags |
trust.objectSigningFlags)) {
if (trust.sslFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED))
cType |= NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT;
if (trust->sslFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA))
if (trust.sslFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA))
cType |= NS_CERT_TYPE_SSL_CA;
#if defined(CERTDB_NOT_TRUSTED)
if (trust->sslFlags & CERTDB_NOT_TRUSTED)
if (trust.sslFlags & CERTDB_NOT_TRUSTED)
cType &= ~(NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT|
NS_CERT_TYPE_SSL_CA);
#endif
if (trust->emailFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED))
if (trust.emailFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED))
cType |= NS_CERT_TYPE_EMAIL;
if (trust->emailFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA))
if (trust.emailFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA))
cType |= NS_CERT_TYPE_EMAIL_CA;
#if defined(CERTDB_NOT_TRUSTED)
if (trust->emailFlags & CERTDB_NOT_TRUSTED)
if (trust.emailFlags & CERTDB_NOT_TRUSTED)
cType &= ~(NS_CERT_TYPE_EMAIL|NS_CERT_TYPE_EMAIL_CA);
#endif
if (trust->objectSigningFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED))
if (trust.objectSigningFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED))
cType |= NS_CERT_TYPE_OBJECT_SIGNING;
if (trust->objectSigningFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA))
if (trust.objectSigningFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA))
cType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
#if defined(CERTDB_NOT_TRUSTED)
if (trust->objectSigningFlags & CERTDB_NOT_TRUSTED)
if (trust.objectSigningFlags & CERTDB_NOT_TRUSTED)
cType &= ~(NS_CERT_TYPE_OBJECT_SIGNING|
NS_CERT_TYPE_OBJECT_SIGNING_CA);
#endif
@ -2818,10 +2821,14 @@ loser:
PRBool CERT_IsUserCert(CERTCertificate* cert)
{
if ( cert->trust &&
((cert->trust->sslFlags & CERTDB_USER ) ||
(cert->trust->emailFlags & CERTDB_USER ) ||
(cert->trust->objectSigningFlags & CERTDB_USER )) ) {
CERTCertTrust trust;
SECStatus rv = SECFailure;
rv = CERT_GetCertTrust(cert, &trust);
if (rv == SECSuccess &&
((trust.sslFlags & CERTDB_USER ) ||
(trust.emailFlags & CERTDB_USER ) ||
(trust.objectSigningFlags & CERTDB_USER )) ) {
return PR_TRUE;
} else {
return PR_FALSE;


@ -4,7 +4,7 @@
/*
* certt.h - public data structures for the certificate library
*
* $Id: certt.h,v 1.57 2012/09/28 23:40:14 rrelyea%redhat.com Exp $
* $Id: certt.h,v 1.58 2013/01/07 03:56:12 ryan.sleevi%gmail.com Exp $
*/
#ifndef _CERTT_H_
#define _CERTT_H_
@ -955,6 +955,8 @@ typedef enum {
* the following cases:
* * when the parameter is not set.
* * when the list of trust anchors is empty.
* Note that this handling can be further altered by altering the
* cert_pi_useOnlyTrustAnchors flag
* Specified in value.pointer.chain */
cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
* In NSS 3.12.1 or later. Default is off.
@ -963,6 +965,16 @@ typedef enum {
/* The callback container for doing extra
* validation on the currently calculated chain.
* Value is in value.pointer.chainVerifyCallback */
cert_pi_useOnlyTrustAnchors = 14,/* If true, disables trusting any
* certificates other than the ones passed in via cert_pi_trustAnchors.
* If false, then the certificates specified via cert_pi_trustAnchors
* will be combined with the pre-existing trusted roots, but only for
* the certificate validation being performed.
* If no value has been supplied via cert_pi_trustAnchors, this has no
* effect.
* The default value is true, meaning if this is not supplied, only
* trust anchors supplied via cert_pi_trustAnchors are trusted.
* Specified in value.scalar.b */
cert_pi_max /* SPECIAL: signifies maximum allowed value,
* can increase in future releases */
} CERTValParamInType;
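Review bot: The comment on `cert_pi_useOnlyTrustAnchors = 14` does not say which NSS release introduced the parameter, unlike the neighbouring `cert_pi_useAIACertFetch` entry ("In NSS 3.12.1 or later"). Callers that compile against this header but may run with an older library need that information, because the documented default (only the supplied anchors are trusted) differs from the behaviour they are asking for when they pass false. I would add a line such as `* In NSS <release> or later.` just before "Specified in value.scalar.b". The enum begins outside the hunk.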


@ -240,9 +240,7 @@ CERT_ChangeCertTrust(CERTCertDBHandle *handle, CERTCertificate *cert,
SECStatus rv = SECSuccess;
PRStatus ret;
CERT_LockCertTrust(cert);
ret = STAN_ChangeCertTrust(cert, trust);
CERT_UnlockCertTrust(cert);
if (ret != PR_SUCCESS) {
rv = SECFailure;
CERT_MapStanError();


@ -542,17 +542,15 @@ CollectDistNames( CERTCertificate *cert, SECItem *k, void *data)
{
CERTDistNames *names;
PRBool saveit = PR_FALSE;
CERTCertTrust *trust;
CERTCertTrust trust;
dnameNode *node;
int len;
names = (CERTDistNames *)data;
if ( cert->trust ) {
trust = cert->trust;
if ( CERT_GetCertTrust(cert, &trust) == SECSuccess ) {
/* only collect names of CAs trusted for issuing SSL clients */
if ( trust->sslFlags & CERTDB_TRUSTED_CLIENT_CA ) {
if ( trust.sslFlags & CERTDB_TRUSTED_CLIENT_CA ) {
saveit = PR_TRUE;
}
}


@ -328,6 +328,7 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
int certsListLen = 16;
int namesCount = 0;
PRBool subjectCertIsSelfIssued;
CERTCertTrust issuerTrust;
if (revoked) {
*revoked = PR_FALSE;
@ -528,7 +529,7 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
LOG_ERROR(log,subjectCert,count,0);
}
if ( issuerCert->trust ) {
if ( CERT_GetCertTrust(issuerCert, &issuerTrust) == SECSuccess) {
/* we have some trust info, but this does NOT imply that this
* cert is actually trusted for any purpose. The cert may be
* explicitly UNtrusted. We won't know until we examine the
@ -552,7 +553,7 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
}
}
flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
if (( flags & requiredFlags ) == requiredFlags) {
/* we found a trusted one, so return */
rv = rvFinal;
@ -574,7 +575,7 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
* certUsageAnyCA or certUsageStatusResponder. */
for (trustType = trustSSL; trustType < trustTypeNone;
trustType++) {
flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
if ((flags & requiredFlags) == requiredFlags) {
rv = rvFinal;
goto done;
@ -588,7 +589,7 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
* untrusted */
for (trustType = trustSSL; trustType < trustTypeNone;
trustType++) {
flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
/* is it explicitly distrusted? */
if ((flags & CERTDB_TERMINAL_RECORD) &&
((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0)) {
@ -729,6 +730,7 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
unsigned int requiredCAKeyUsage;
unsigned int requiredFlags;
CERTCertificate *issuerCert;
CERTCertTrust certTrust;
if (CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE,
@ -794,7 +796,7 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
isca = PR_TRUE;
}
if ( cert->trust ) {
if ( CERT_GetCertTrust(cert, &certTrust) == SECSuccess ) {
/* we have some trust info, but this does NOT imply that this
* cert is actually trusted for any purpose. The cert may be
* explicitly UNtrusted. We won't know until we examine the
@ -823,7 +825,7 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
/*
* check the trust params of the issuer
*/
flags = SEC_GET_TRUST_FLAGS(cert->trust, trustType);
flags = SEC_GET_TRUST_FLAGS(&certTrust, trustType);
if ( ( flags & requiredFlags ) == requiredFlags) {
/* we found a trusted one, so return */
rv = rvFinal;
@ -915,16 +917,17 @@ cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
unsigned int *failedFlags, PRBool *trusted)
{
unsigned int flags;
CERTCertTrust trust;
*failedFlags = 0;
*trusted = PR_FALSE;
/* check trust flags to see if this cert is directly trusted */
if ( cert->trust ) {
if ( CERT_GetCertTrust(cert, &trust) == SECSuccess ) {
switch ( certUsage ) {
case certUsageSSLClient:
case certUsageSSLServer:
flags = cert->trust->sslFlags;
flags = trust.sslFlags;
/* is the cert directly trusted or not trusted ? */
if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
@ -940,7 +943,7 @@ cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
break;
case certUsageSSLServerWithStepUp:
/* XXX - step up certs can't be directly trusted, only distrust */
flags = cert->trust->sslFlags;
flags = trust.sslFlags;
if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
if (( flags & CERTDB_TRUSTED ) == 0) {
@ -951,7 +954,7 @@ cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
}
break;
case certUsageSSLCA:
flags = cert->trust->sslFlags;
flags = trust.sslFlags;
if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
if (( flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA) ) == 0) {
@ -963,7 +966,7 @@ cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
break;
case certUsageEmailSigner:
case certUsageEmailRecipient:
flags = cert->trust->emailFlags;
flags = trust.emailFlags;
if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
if ( flags & CERTDB_TRUSTED ) { /* trust this cert */
@ -978,7 +981,7 @@ cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
break;
case certUsageObjectSigner:
flags = cert->trust->objectSigningFlags;
flags = trust.objectSigningFlags;
if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
@ -993,21 +996,21 @@ cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
break;
case certUsageVerifyCA:
case certUsageStatusResponder:
flags = cert->trust->sslFlags;
flags = trust.sslFlags;
/* is the cert directly trusted or not trusted ? */
if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
*trusted = PR_TRUE;
return SECSuccess;
}
flags = cert->trust->emailFlags;
flags = trust.emailFlags;
/* is the cert directly trusted or not trusted ? */
if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
*trusted = PR_TRUE;
return SECSuccess;
}
flags = cert->trust->objectSigningFlags;
flags = trust.objectSigningFlags;
/* is the cert directly trusted or not trusted ? */
if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
@ -1018,7 +1021,7 @@ cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
case certUsageAnyCA:
case certUsageUserCertImport:
/* do we distrust these certs explicitly */
flags = cert->trust->sslFlags;
flags = trust.sslFlags;
if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
if ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0) {
@ -1026,7 +1029,7 @@ cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
return SECFailure;
}
}
flags = cert->trust->emailFlags;
flags = trust.emailFlags;
if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
if ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0) {
@ -1036,7 +1039,7 @@ cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
}
/* fall through */
case certUsageProtectedObjectSigner:
flags = cert->trust->objectSigningFlags;
flags = trust.objectSigningFlags;
if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
if ((flags & (CERTDB_TRUSTED|CERTDB_TRUSTED_CA)) == 0) {
@ -1387,6 +1390,7 @@ CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
{
CERTCertList *certList = NULL;
CERTCertificate *cert = NULL;
CERTCertTrust certTrust;
unsigned int requiredTrustFlags;
SECTrustType requiredTrustType;
unsigned int flags;
@ -1428,10 +1432,10 @@ CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
if ( ( owner == certOwnerCA ) && preferTrusted &&
( requiredTrustType != trustTypeNone ) ) {
if ( cert->trust == NULL ) {
if ( CERT_GetCertTrust(cert, &certTrust) != SECSuccess ) {
flags = 0;
} else {
flags = SEC_GET_TRUST_FLAGS(cert->trust, requiredTrustType);
flags = SEC_GET_TRUST_FLAGS(&certTrust, requiredTrustType);
}
if ( ( flags & requiredTrustFlags ) != requiredTrustFlags ) {


@ -1711,6 +1711,13 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
}
break;
case cert_pi_useOnlyTrustAnchors:
error =
PKIX_ProcessingParams_SetUseOnlyTrustAnchors(procParams,
(PRBool)(param->value.scalar.b != 0),
plContext);
break;
default:
PORT_SetError(errCode);
r = SECFailure;


@ -6,7 +6,7 @@
* Implementation of OCSP services, for both client and server.
* (XXX, really, mostly just for client right now, but intended to do both.)
*
* $Id: ocsp.c,v 1.76 2012/12/12 19:29:40 wtc%google.com Exp $
* $Id: ocsp.c,v 1.77 2013/01/23 23:05:50 kaie%kuix.de Exp $
*/
#include "prerror.h"
@ -5691,7 +5691,6 @@ CERT_GetOCSPResponseStatus(CERTOCSPResponse *response)
case ocspResponse_unauthorized:
PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST);
break;
case ocspResponse_other:
case ocspResponse_unused:
default:
PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS);


@ -5,7 +5,7 @@
/*
* Private header defining OCSP types.
*
* $Id: ocspti.h,v 1.9 2012/12/12 16:03:44 wtc%google.com Exp $
* $Id: ocspti.h,v 1.11 2013/01/23 23:05:51 kaie%kuix.de Exp $
*/
#ifndef _OCSPTI_H_
@ -189,14 +189,18 @@ struct CERTOCSPCertIDStr {
* }
*/
typedef enum {
ocspResponse_other = -1, /* unknown/unrecognized value */
ocspResponse_min = 0,
ocspResponse_successful = 0,
ocspResponse_malformedRequest = 1,
ocspResponse_internalError = 2,
ocspResponse_tryLater = 3,
ocspResponse_unused = 4,
ocspResponse_sigRequired = 5,
ocspResponse_unauthorized = 6
ocspResponse_unauthorized = 6,
ocspResponse_max = 6 /* Please update max when adding values.
* Remember to also update arrays, e.g.
* "responseStatusNames" in ocspclnt.c
* and potentially other places. */
} ocspResponseStatus;
/*


@ -91,7 +91,7 @@ ifdef FREEBL_PRELINK_COMMAND
DEFINES +=-DFREEBL_PRELINK_COMMAND=\"$(FREEBL_PRELINK_COMMAND)\"
endif
# NSS_X86 means the target is a 32-bits x86 CPU architecture
# NSS_X64 means the target is a 64-bits x64 CPU architecture
# NSS_X64 means the target is a 64-bits 64 CPU architecture
# NSS_X86_OR_X64 means the target is either x86 or x64
ifeq (,$(filter-out i386 x386 x86 x86_64,$(CPU_ARCH)))
DEFINES += -DNSS_X86_OR_X64
@ -187,7 +187,9 @@ ifeq ($(CPU_ARCH),x86_64)
# DEFINES += -DMPI_AMD64_ADD
# comment the next two lines to turn off intel HW accelleration
DEFINES += -DUSE_HW_AES
ASFILES += intel-aes.s
ASFILES += intel-aes.s intel-gcm.s
EXTRA_SRCS += intel-gcm-wrap.c
INTEL_GCM=1
MPI_SRCS += mpi_amd64.c mp_comba.c
endif
ifeq ($(CPU_ARCH),x86)
@ -442,7 +444,9 @@ else
DEFINES += -DNSS_USE_COMBA -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
# comment the next two lines to turn off intel HW accelleration
DEFINES += -DUSE_HW_AES
ASFILES += intel-aes.s
ASFILES += intel-aes.s intel-gcm.s
EXTRA_SRCS += intel-gcm-wrap.c
INTEL_GCM=1
MPI_SRCS += mpi_amd64.c
else
# Solaris x86
@ -643,3 +647,16 @@ else
endif
endif
endif
ifdef INTEL_GCM
#
# GCM binary needs -msse4
#
$(OBJDIR)/$(PROG_PREFIX)intel-gcm-wrap$(OBJ_SUFFIX): intel-gcm-wrap.c
@$(MAKE_OBJDIR)
ifdef NEED_ABSOLUTE_PATH
$(CC) -o $@ -c -mssse3 $(CFLAGS) $(call core_abspath,$<)
else
$(CC) -o $@ -c -mssse3 $(CFLAGS) $<
endif
endif
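Review bot: The comment above the intel-gcm-wrap rule says the GCM object needs `-msse4`, but both recipe lines pass `-mssse3`; the comment should name the flag actually used, e.g. `# intel-gcm-wrap.c uses SSSE3 intrinsics, so it is built with -mssse3`. In the two `USE_HW_AES` hunks the remark "comment the next two lines" is now followed by four lines (`USE_HW_AES`, `ASFILES`, `EXTRA_SRCS`, `INTEL_GCM`), so it no longer tells a builder what to disable. Because `-mssse3` lets the compiler emit SSSE3 instructions anywhere in that object, a line stating that its functions may only be reached after the runtime CPU-feature check would document the constraint. The flag spelling is compiler-specific, which may matter if the branch in the second hunk is ever built with a non-GCC compiler.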


@ -126,7 +126,7 @@ RC4_InitContext(RC4Context *cx, const unsigned char *key, unsigned int len,
/* verify the key length. */
PORT_Assert(len > 0 && len < ARCFOUR_STATE_SIZE);
if (len < 0 || len >= ARCFOUR_STATE_SIZE) {
if (len == 0 || len >= ARCFOUR_STATE_SIZE) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}


@ -243,7 +243,7 @@ DES_Encrypt(DESContext *cx, BYTE *out, unsigned int *outLen,
unsigned int maxOutLen, const BYTE *in, unsigned int inLen)
{
if (inLen < 0 || (inLen % 8) != 0 || maxOutLen < inLen || !cx ||
if ((inLen % 8) != 0 || maxOutLen < inLen || !cx ||
cx->direction != DES_ENCRYPT) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
@ -260,7 +260,7 @@ DES_Decrypt(DESContext *cx, BYTE *out, unsigned int *outLen,
unsigned int maxOutLen, const BYTE *in, unsigned int inLen)
{
if (inLen < 0 || (inLen % 8) != 0 || maxOutLen < inLen || !cx ||
if ((inLen % 8) != 0 || maxOutLen < inLen || !cx ||
cx->direction != DES_DECRYPT) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;


@ -0,0 +1,235 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* Wrapper funcions for Intel optimized implementation of AES-GCM */
#ifdef USE_HW_AES
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
#endif
#include "blapii.h"
#include "blapit.h"
#include "gcm.h"
#include "ctr.h"
#include "secerr.h"
#include "prtypes.h"
#include "pkcs11t.h"
#include <limits.h>
#include "intel-gcm.h"
#include "rijndael.h"
#if defined(__INTEL_COMPILER)
#include <ia32intrin.h>
#elif defined(__GNUC__)
#include <emmintrin.h>
#include <tmmintrin.h>
#endif
struct intel_AES_GCMContextStr{
unsigned char Htbl[16*AES_BLOCK_SIZE];
unsigned char X0[AES_BLOCK_SIZE];
unsigned char T[AES_BLOCK_SIZE];
unsigned char CTR[AES_BLOCK_SIZE];
AESContext *aes_context;
unsigned long tagBits;
unsigned long Alen;
unsigned long Mlen;
};
intel_AES_GCMContext *intel_AES_GCM_CreateContext(void *context,
freeblCipherFunc cipher,
const unsigned char *params,
unsigned int blocksize)
{
intel_AES_GCMContext *gcm = NULL;
AESContext *aes = (AESContext*)context;
const CK_GCM_PARAMS *gcmParams = (const CK_GCM_PARAMS *)params;
unsigned char buff[AES_BLOCK_SIZE]; /* aux buffer */
int IV_whole_len = gcmParams->ulIvLen&(~0xf);
int IV_remainder_len = gcmParams->ulIvLen&0xf;
int AAD_whole_len = gcmParams->ulAADLen&(~0xf);
int AAD_remainder_len = gcmParams->ulAADLen&0xf;
__m128i BSWAP_MASK = _mm_setr_epi8(15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0);
__m128i ONE = _mm_set_epi32(0,0,0,1);
unsigned int j;
SECStatus rv;
if (blocksize != AES_BLOCK_SIZE) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return NULL;
}
gcm = PORT_ZNew(intel_AES_GCMContext);
if (gcm == NULL) {
return NULL;
}
/* initialize context fields */
gcm->aes_context = aes;
gcm->tagBits = gcmParams->ulTagBits;
gcm->Alen = 0;
gcm->Mlen = 0;
/* first prepare H and its derivatives for ghash */
intel_aes_gcmINIT(gcm->Htbl, (unsigned char*)aes->expandedKey, aes->Nr);
/* Initial TAG value is zero*/
_mm_storeu_si128((__m128i*)gcm->T, _mm_setzero_si128());
_mm_storeu_si128((__m128i*)gcm->X0, _mm_setzero_si128());
/* Init the counter */
if(gcmParams->ulIvLen == 12) {
_mm_storeu_si128((__m128i*)gcm->CTR, _mm_setr_epi32(((unsigned int*)gcmParams->pIv)[0], ((unsigned int*)gcmParams->pIv)[1], ((unsigned int*)gcmParams->pIv)[2], 0x01000000));
} else {
/* If IV size is not 96 bits, then the initial counter value is GHASH of the IV */
intel_aes_gcmAAD(gcm->Htbl, gcmParams->pIv, IV_whole_len, gcm->T);
/* Partial block */
if(IV_remainder_len) {
PORT_Memset(buff, 0, AES_BLOCK_SIZE);
PORT_Memcpy(buff, gcmParams->pIv + IV_whole_len, IV_remainder_len);
intel_aes_gcmAAD(gcm->Htbl, buff, AES_BLOCK_SIZE, gcm->T);
}
intel_aes_gcmTAG
(
gcm->Htbl,
gcm->T,
gcmParams->ulIvLen,
0,
gcm->X0,
gcm->CTR
);
/* TAG should be zero again */
_mm_storeu_si128((__m128i*)gcm->T, _mm_setzero_si128());
}
/* Encrypt the initial counter, will be used to encrypt the GHASH value, in the end */
rv = (*cipher)(context, gcm->X0, &j, AES_BLOCK_SIZE, gcm->CTR, AES_BLOCK_SIZE, AES_BLOCK_SIZE);
if (rv != SECSuccess) {
goto loser;
}
/* Promote the counter by 1 */
_mm_storeu_si128((__m128i*)gcm->CTR, _mm_shuffle_epi8(_mm_add_epi32(ONE, _mm_shuffle_epi8(_mm_loadu_si128((__m128i*)gcm->CTR), BSWAP_MASK)), BSWAP_MASK));
/* Now hash AAD - it would actually make sense to seperate the context creation from the AAD,
* because that would allow to reuse the H, which only changes when the AES key changes,
* and not every package, like the IV and AAD */
intel_aes_gcmAAD(gcm->Htbl, gcmParams->pAAD, AAD_whole_len, gcm->T);
if(AAD_remainder_len) {
PORT_Memset(buff, 0, AES_BLOCK_SIZE);
PORT_Memcpy(buff, gcmParams->pAAD + AAD_whole_len, AAD_remainder_len);
intel_aes_gcmAAD(gcm->Htbl, buff, AES_BLOCK_SIZE, gcm->T);
}
gcm->Alen += gcmParams->ulAADLen;
return gcm;
loser:
if (gcm) {
PORT_Free(gcm);
}
return NULL;
}
void intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit)
{
if (freeit) {
PORT_Free(gcm);
}
}
SECStatus intel_AES_GCM_EncryptUpdate(intel_AES_GCMContext *gcm,
unsigned char *outbuf,
unsigned int *outlen, unsigned int maxout,
const unsigned char *inbuf, unsigned int inlen,
unsigned int blocksize)
{
unsigned int tagBytes;
unsigned char T[AES_BLOCK_SIZE];
int j;
tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE-1)) / PR_BITS_PER_BYTE;
if (UINT_MAX - inlen < tagBytes) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
return SECFailure;
}
if (maxout < inlen + tagBytes) {
*outlen = inlen + tagBytes;
PORT_SetError(SEC_ERROR_OUTPUT_LEN);
return SECFailure;
}
intel_aes_gcmENC(
inbuf,
outbuf,
gcm,
inlen);
gcm->Mlen += inlen;
intel_aes_gcmTAG(
gcm->Htbl,
gcm->T,
gcm->Mlen,
gcm->Alen,
gcm->X0,
T);
*outlen = inlen + tagBytes;
for(j=0; j<tagBytes; j++)
{
outbuf[inlen+j] = T[j];
}
return SECSuccess;
}
SECStatus intel_AES_GCM_DecryptUpdate(intel_AES_GCMContext *gcm,
unsigned char *outbuf,
unsigned int *outlen, unsigned int maxout,
const unsigned char *inbuf, unsigned int inlen,
unsigned int blocksize)
{
unsigned int tagBytes;
unsigned char T[AES_BLOCK_SIZE];
const unsigned char *intag;
tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE-1)) / PR_BITS_PER_BYTE;
/* get the authentication block */
if (inlen < tagBytes) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
inlen -= tagBytes;
intag = inbuf + inlen;
intel_aes_gcmDEC(
inbuf,
outbuf,
gcm,
inlen);
gcm->Mlen += inlen;
intel_aes_gcmTAG(
gcm->Htbl,
gcm->T,
gcm->Mlen,
gcm->Alen,
gcm->X0,
T);
if (NSS_SecureMemcmp(T, intag, tagBytes) != 0) {
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
PORT_SetError(SEC_ERROR_BAD_DATA);
return SECFailure;
}
*outlen = inlen;
return SECSuccess;
}
#endif
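Review bot: `intel_AES_GCM_DecryptUpdate` never compares `maxout` with the plaintext length before `intel_aes_gcmDEC` writes `inlen` bytes to `outbuf`, unlike `intel_AES_GCM_EncryptUpdate`, which rejects a short buffer with `SEC_ERROR_OUTPUT_LEN`. `intel_AES_GCM_CreateContext` also stores `ulTagBits` unchecked, so a value above 128 makes `tagBytes` larger than the 16-byte `T` that the tag copy loop and `NSS_SecureMemcmp` read. On a tag mismatch the decrypted bytes are left in `outbuf`; clearing them keeps unauthenticated plaintext away from the caller. A tag length of 0 makes the comparison cover no bytes and should probably be rejected too, once it is confirmed that the software GCM path does not rely on accepting it.

```c
/* in intel_AES_GCM_CreateContext, before PORT_ZNew */
if (gcmParams->ulTagBits > AES_BLOCK_SIZE * PR_BITS_PER_BYTE) {
    /* tagBytes must never exceed the 16-byte tag buffer T */
    PORT_SetError(SEC_ERROR_INVALID_ARGS);
    return NULL;
}
/* … unchanged: context allocation, H table, counter and AAD setup … */

/* in intel_AES_GCM_DecryptUpdate */
inlen -= tagBytes;
intag = inbuf + inlen;
if (maxout < inlen) {
    *outlen = inlen;
    PORT_SetError(SEC_ERROR_OUTPUT_LEN);
    return SECFailure;
}
/* … unchanged: intel_aes_gcmDEC and intel_aes_gcmTAG calls … */
if (NSS_SecureMemcmp(T, intag, tagBytes) != 0) {
    /* do not hand back plaintext that failed authentication */
    PORT_Memset(outbuf, 0, inlen);
    *outlen = 0;
    PORT_SetError(SEC_ERROR_BAD_DATA);
    return SECFailure;
}
```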


@ -0,0 +1,62 @@
#ifndef INTEL_GCM_H
#define INTEL_GCM_H 1
#include "blapii.h"
typedef struct intel_AES_GCMContextStr intel_AES_GCMContext;
intel_AES_GCMContext *intel_AES_GCM_CreateContext(void *context, freeblCipherFunc cipher,
const unsigned char *params, unsigned int blocksize);
void intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit);
SECStatus intel_AES_GCM_EncryptUpdate(intel_AES_GCMContext *gcm, unsigned char *outbuf,
unsigned int *outlen, unsigned int maxout,
const unsigned char *inbuf, unsigned int inlen,
unsigned int blocksize);
SECStatus intel_AES_GCM_DecryptUpdate(intel_AES_GCMContext *gcm, unsigned char *outbuf,
unsigned int *outlen, unsigned int maxout,
const unsigned char *inbuf, unsigned int inlen,
unsigned int blocksize);
/* Prorotypes of functions in the assembler file for fast AES-GCM, using
Intel AES-NI and CLMUL-NI, as described in [1]
[1] Shay Gueron, Michael E. Kounavis: Intel® Carry-Less Multiplication
Instruction and its Usage for Computing the GCM Mode */
/* Prepares the constants used in the aggregated reduction method */
void intel_aes_gcmINIT(unsigned char Htbl[16*16],
unsigned char *KS,
int NR);
/* Produces the final GHASH value */
void intel_aes_gcmTAG(unsigned char Htbl[16*16],
unsigned char *Tp,
unsigned long Mlen,
unsigned long Alen,
unsigned char* X0,
unsigned char* TAG);
/* Hashes the Additional Authenticated Data, should be used before enc/dec.
Operates on whole blocks only. Partial blocks should be padded externally. */
void intel_aes_gcmAAD(unsigned char Htbl[16*16],
unsigned char *AAD,
unsigned long Alen,
unsigned char *Tp);
/* Encrypts and hashes the Plaintext.
Operates on any length of data, however partial block should only be encrypted
at the last call, otherwise the result will be incorrect. */
void intel_aes_gcmENC(const unsigned char* PT,
unsigned char* CT,
void *Gctx,
unsigned long len);
/* Similar to ENC, but decrypts the Ciphertext. */
void intel_aes_gcmDEC(const unsigned char* CT,
unsigned char* PT,
void *Gctx,
unsigned long len);
#endif
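Review bot: `intel_aes_gcmENC` and `intel_aes_gcmDEC` take the context as `void *Gctx`, so the compiler cannot catch a caller passing the wrong object, even though `intel_AES_GCMContext` is already declared at the top of this header; `intel_AES_GCMContext *Gctx` would type the parameter. The assembler source is not shown on this page, but it presumably reads the context by fixed field offsets, in which case the header should state that the layout of `struct intel_AES_GCMContextStr` must not change without updating the assembler. The `AAD` input of `intel_aes_gcmAAD` could be `const unsigned char *`, provided the assembler does not write through it. The comment typo `Prorotypes` should read `Prototypes`.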



@ -119,6 +119,7 @@ CSRCS = \
$(ECL_SRCS) \
$(STUBS_SRCS) \
$(LOWHASH_SRCS) \
$(EXTRA_SRCS) \
$(NULL)
ALL_CSRCS := $(CSRCS)


@ -1,7 +1,7 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* $Id: rijndael.c,v 1.28 2012/09/28 22:46:32 rrelyea%redhat.com Exp $ */
/* $Id: rijndael.c,v 1.29 2013/01/15 02:36:11 rrelyea%redhat.com Exp $ */
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
@ -20,8 +20,16 @@
#include "gcm.h"
#if USE_HW_AES
#include "intel-gcm.h"
#include "intel-aes.h"
#include "mpi.h"
static int has_intel_aes = 0;
static int has_intel_avx = 0;
static int has_intel_clmul = 0;
static PRBool use_hw_aes = PR_FALSE;
static PRBool use_hw_avx = PR_FALSE;
static PRBool use_hw_gcm = PR_FALSE;
#endif
/*
@ -970,10 +978,6 @@ aes_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize,
const unsigned char *iv, int mode, unsigned int encrypt,
unsigned int blocksize)
{
#if USE_HW_AES
static int has_intel_aes;
PRBool use_hw_aes = PR_FALSE;
#endif
unsigned int Nk;
/* According to Rijndael AES Proposal, section 12.1, block and key
* lengths between 128 and 256 bits are supported, as long as the
@ -1009,12 +1013,18 @@ aes_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize,
if (disable_hw_aes == NULL) {
freebl_cpuid(1, &eax, &ebx, &ecx, &edx);
has_intel_aes = (ecx & (1 << 25)) != 0 ? 1 : -1;
has_intel_clmul = (ecx & (1 << 1)) != 0 ? 1 : -1;
has_intel_avx = (ecx & (1 << 28)) != 0 ? 1 : -1;
} else {
has_intel_aes = -1;
has_intel_avx = -1;
has_intel_clmul = -1;
}
}
use_hw_aes = (PRBool)
(has_intel_aes > 0 && (keysize % 8) == 0 && blocksize == 16);
use_hw_gcm = (PRBool)
(use_hw_aes && has_intel_avx>0 && has_intel_clmul>0);
#endif
/* Nb = (block size in bits) / 32 */
cx->Nb = blocksize / 4;
@ -1117,11 +1127,22 @@ AES_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize,
cx->isBlock = PR_FALSE;
break;
case NSS_AES_GCM:
#if USE_HW_AES
if(use_hw_gcm) {
cx->worker_cx = intel_AES_GCM_CreateContext(cx, cx->worker, iv, blocksize);
cx->worker = (freeblCipherFunc)
(encrypt ? intel_AES_GCM_EncryptUpdate : intel_AES_GCM_DecryptUpdate);
cx->destroy = (freeblDestroyFunc) intel_AES_GCM_DestroyContext;
cx->isBlock = PR_FALSE;
} else
#endif
{
cx->worker_cx = GCM_CreateContext(cx, cx->worker, iv, blocksize);
cx->worker = (freeblCipherFunc)
(encrypt ? GCM_EncryptUpdate : GCM_DecryptUpdate);
cx->destroy = (freeblDestroyFunc) GCM_DestroyContext;
cx->isBlock = PR_FALSE;
}
break;
case NSS_AES_CTR:
cx->worker_cx = CTR_CreateContext(cx, cx->worker, iv, blocksize);
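Review bot: `use_hw_aes` and `use_hw_gcm` are now file-scope statics, yet `aes_InitContext` recomputes them on every call from that call's `keysize` and `blocksize`, and the `NSS_AES_GCM` case in `AES_InitContext` reads `use_hw_gcm` afterwards; two threads initialising contexts with different parameters can therefore select a GCM implementation that does not match the context just built. Keeping the per-call decision in the context (or returning it from `aes_InitContext`) and leaving only the cached CPUID results static would avoid that. Separately, CPUID bit 28 only says the CPU has AVX; using it also requires the OS to have enabled YMM state (OSXSAVE, bit 27, plus an XGETBV check of XCR0), otherwise the AVX-gated path may fault. `use_hw_avx` is declared but not assigned in the visible hunks. Both functions continue outside the hunks.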


@ -358,10 +358,12 @@ GetHighResClock(void *buf, size_t maxbytes)
static void
GiveSystemInfo(void)
{
#ifndef NO_SYSINFO
struct sysinfo si;
if (sysinfo(&si) == 0) {
RNG_RandomUpdate(&si, sizeof(si));
}
#endif
}
#endif /* LINUX */


@ -636,9 +636,11 @@ PKIX_ProcessingParams_GetTrustAnchors(
* FUNCTION: PKIX_ProcessingParams_SetTrustAnchors
* DESCRIPTION:
*
* Sets user defined set of trust anchors. A certificate will be considered
* invalid if it does not chain to a trusted anchor from this list.
*
* Sets user defined set of trust anchors. The handling of the trust anchors
* may be furthered alter via PKIX_ProcessingParams_SetUseOnlyTrustAnchors.
* By default, a certificate will be considered invalid if it does not chain
* to a trusted anchor from this list.
*
* PARAMETERS:
* "params"
* Address of ProcessingParams whose List of TrustAnchors are to
@ -661,6 +663,71 @@ PKIX_ProcessingParams_SetTrustAnchors(
PKIX_List *pAnchors, /* list of TrustAnchor */
void *plContext);
/*
* FUNCTION: PKIX_ProcessingParams_GetUseOnlyTrustAnchors
* DESCRIPTION:
*
* Retrieves a pointer to the Boolean. The boolean value represents
* the switch value that is used to identify whether trust anchors, if
* specified, should be the exclusive source of trust information.
* If the function succeeds, the pointer to the Boolean is guaranteed to be
* non-NULL.
*
* PARAMETERS:
* "params"
* Address of ProcessingParams. Must be non-NULL.
* "pUseOnlyTrustAnchors"
* Address where object pointer will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Conditionally Thread Safe
* (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Params Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ProcessingParams_GetUseOnlyTrustAnchors(
PKIX_ProcessingParams *params,
PKIX_Boolean *pUseOnlyTrustAnchors,
void *plContext);
/*
* FUNCTION: PKIX_ProcessingParams_SetUseOnlyTrustAnchors
* DESCRIPTION:
*
* Configures whether trust anchors are used as the exclusive source of trust.
*
* PARAMETERS:
* "params"
* Address of ProcessingParams. Must be non-NULL.
* "useOnlyTrustAnchors"
* If true, indicates that trust anchors should be used exclusively when
* they have been specified via PKIX_ProcessingParams_SetTrustAnchors. A
* certificate will be considered invalid if it does not chain to a
* trusted anchor from that list.
* If false, indicates that the trust anchors are additive to whatever
* existing trust stores are configured. A certificate is considered
* valid if it chains to EITHER a trusted anchor from that list OR a
* certificate marked trusted in a trust store.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Conditionally Thread Safe
* (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Params Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ProcessingParams_SetUseOnlyTrustAnchors(
PKIX_ProcessingParams *params,
PKIX_Boolean useOnlyTrustAnchors,
void *plContext);
/*
* FUNCTION: PKIX_ProcessingParams_GetUseAIAForCertFetching
* DESCRIPTION:
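Review bot: The description of `PKIX_ProcessingParams_GetUseOnlyTrustAnchors` speaks of retrieving "a pointer to the Boolean" and documents `pUseOnlyTrustAnchors` as the "Address where object pointer will be stored", but the parameter is a `PKIX_Boolean *` that receives the value itself; it should read `Address where the Boolean value will be stored. Must be non-NULL.` Neither new comment states the default, which matters because a false value makes configured trust stores an additional source of trust; a sentence such as `Defaults to PKIX_TRUE (anchors are exclusive).` would help, assuming the initialisation in `PKIX_ProcessingParams_Create` shown elsewhere on this page is the only one. In the `PKIX_ProcessingParams_SetTrustAnchors` text, "may be furthered alter via" should be "may be further altered via".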


@ -556,6 +556,7 @@ PKIX_ProcessingParams_Create(
params->useAIAForCertFetching = PKIX_FALSE;
params->qualifyTargetCert = PKIX_TRUE;
params->useOnlyTrustAnchors = PKIX_TRUE;
*pParams = params;
params = NULL;
@ -687,6 +688,44 @@ cleanup:
PKIX_RETURN(PROCESSINGPARAMS);
}
/**
* FUNCTION: PKIX_ProcessingParams_SetUseOnlyTrustAnchors
* (see comments in pkix_params.h)
*/
PKIX_Error *
PKIX_ProcessingParams_GetUseOnlyTrustAnchors(
PKIX_ProcessingParams *params,
PKIX_Boolean *pUseOnlyTrustAnchors,
void *plContext)
{
PKIX_ENTER(PROCESSINGPARAMS,
"PKIX_ProcessingParams_SetUseTrustAnchorsOnly");
PKIX_NULLCHECK_TWO(params, pUseOnlyTrustAnchors);
*pUseOnlyTrustAnchors = params->useOnlyTrustAnchors;
PKIX_RETURN(PROCESSINGPARAMS);
}
/**
* FUNCTION: PKIX_ProcessingParams_SetUseOnlyTrustAnchors
* (see comments in pkix_params.h)
*/
PKIX_Error *
PKIX_ProcessingParams_SetUseOnlyTrustAnchors(
PKIX_ProcessingParams *params,
PKIX_Boolean useOnlyTrustAnchors,
void *plContext)
{
PKIX_ENTER(PROCESSINGPARAMS,
"PKIX_ProcessingParams_SetUseTrustAnchorsOnly");
PKIX_NULLCHECK_ONE(params);
params->useOnlyTrustAnchors = useOnlyTrustAnchors;
PKIX_RETURN(PROCESSINGPARAMS);
}
/*
* FUNCTION: PKIX_ProcessingParams_GetDate (see comments in pkix_params.h)
*/
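Review bot: The new getter is labelled with the setter's name: its header comment says `FUNCTION: PKIX_ProcessingParams_SetUseOnlyTrustAnchors` and its `PKIX_ENTER` string is `"PKIX_ProcessingParams_SetUseTrustAnchorsOnly"`, and the setter's `PKIX_ENTER` string carries the same transposed name. Trace output would then attribute both calls to a name that matches neither function; use `"PKIX_ProcessingParams_GetUseOnlyTrustAnchors"` and `"PKIX_ProcessingParams_SetUseOnlyTrustAnchors"` respectively, and fix the getter's header comment to match. The other per-object routines of ProcessingParams (equality, hashing, duplication, string form) are outside these hunks, so it is worth confirming that they also account for `useOnlyTrustAnchors`.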


@ -36,6 +36,7 @@ struct PKIX_ProcessingParamsStruct {
PKIX_ResourceLimits *resourceLimits;
PKIX_Boolean useAIAForCertFetching;
PKIX_Boolean qualifyTargetCert;
PKIX_Boolean useOnlyTrustAnchors;
};
/* see source file for function documentation */


@ -263,6 +263,8 @@ pkix_ForwardBuilderState_Create(
parentState->buildConstants.revChecker;
state->buildConstants.aiaMgr =
parentState->buildConstants.aiaMgr;
state->buildConstants.trustOnlyUserAnchors =
parentState->buildConstants.trustOnlyUserAnchors;
}
*pState = state;
@ -847,10 +849,8 @@ pkix_Build_VerifyCertificate(
PKIX_INCREF(state->candidateCert);
candidateCert = state->candidateCert;
/* If user defined trust anchor list is not empty, do not
* trust any certs except to the ones that are in the list */
if (state->buildConstants.numAnchors) {
trustOnlyUserAnchors = PKIX_TRUE;
trustOnlyUserAnchors = state->buildConstants.trustOnlyUserAnchors;
}
PKIX_CHECK(
@ -3477,7 +3477,9 @@ pkix_Build_InitiateBuildChain(
buildConstants.hintCerts = hintCerts;
buildConstants.revChecker = revChecker;
buildConstants.aiaMgr = aiaMgr;
buildConstants.trustOnlyUserAnchors =
procParams->useOnlyTrustAnchors;
PKIX_CHECK(pkix_Build_GetResourceLimits(&buildConstants, plContext),
PKIX_BUILDGETRESOURCELIMITSFAILED);
@ -3524,6 +3526,8 @@ pkix_Build_InitiateBuildChain(
state->buildConstants.revChecker = buildConstants.revChecker;
state->buildConstants.aiaMgr = buildConstants.aiaMgr;
aiaMgr = NULL;
state->buildConstants.trustOnlyUserAnchors =
buildConstants.trustOnlyUserAnchors;
if (buildConstants.maxTime != 0) {
PKIX_CHECK(PKIX_PL_Date_Create_CurrentOffBySeconds
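Review bot: In `pkix_Build_VerifyCertificate` the hunk appears to drop the two-line comment that explained the anchor rule while making the rule more subtle: `trustOnlyUserAnchors` is now taken from `buildConstants` only when `numAnchors` is non-zero and otherwise keeps whatever value it was initialised with outside the hunk. A replacement comment would keep the trust decision readable, e.g. `/* With user anchors present, honour useOnlyTrustAnchors; without them, trust stores are always consulted */`. That wording assumes the local starts as PKIX_FALSE, which should be checked against its declaration.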


@ -68,6 +68,7 @@ struct BuildConstantsStruct {
PKIX_RevocationChecker *revChecker;
PKIX_PL_AIAMgr *aiaMgr;
PKIX_Boolean useAIAForCertFetching;
PKIX_Boolean trustOnlyUserAnchors;
};
struct PKIX_ForwardBuilderStateStruct{


@ -3315,7 +3315,7 @@ PKIX_PL_Cert_IsCertTrusted(
PKIX_ERROR(PKIX_CERTISCERTTRUSTEDFAILED);
}
if (trustOnlyUserAnchors) {
if (trustOnlyUserAnchors || cert->isUserTrustAnchor) {
/* discard our |trusted| value since we are using the anchors */
*pTrusted = cert->isUserTrustAnchor;
goto cleanup;
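Review bot: With `|| cert->isUserTrustAnchor` added, a certificate flagged as a user anchor leaves `PKIX_PL_Cert_IsCertTrusted` as trusted through this early exit even when `trustOnlyUserAnchors` is false, regardless of what the trust stores record for it. If explicit distrust recorded in a store is meant to win over a caller-supplied anchor in the additive mode, the store has to be consulted before this branch; the rest of the function is outside the hunk, so the ordering cannot be confirmed here. The comment `discard our |trusted| value since we are using the anchors` no longer describes the second case and could read `/* user anchors are trusted outright; in anchors-only mode nothing else is */`.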


@ -823,7 +823,7 @@ pkix_pl_InfoAccess_ParseLocation(
nameComponent->attrType = (unsigned char *)avaPtr;
while ((*avaPtr != '=') && (*avaPtr != '\0')) {
avaPtr++;
if (avaPtr == '\0') {
if (*avaPtr == '\0') {
PKIX_ERROR(PKIX_NAMECOMPONENTWITHNOEQ);
}
}
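Review bot: The corrected test `*avaPtr == '\0'` sits inside the loop body, so it only runs after at least one increment; if `*avaPtr` is already `'\0'` when the `while` is reached, the loop is skipped and `PKIX_NAMECOMPONENTWITHNOEQ` is never raised for a component with no `=`. Moving the test after the loop covers both cases: `if (*avaPtr == '\0') { PKIX_ERROR(PKIX_NAMECOMPONENTWITHNOEQ); }`. The code that consumes `avaPtr` afterwards is outside the hunk, so whether the empty case can reach it should be checked in the full function.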


@ -324,7 +324,6 @@ PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID,
if (trust == NULL)
goto loser;
PORT_Memset(trust,0, sizeof(CERTCertTrust));
cert->trust = trust;
if(! pk11_HandleTrustObject(slot, cert, trust) ) {
unsigned int type;
@ -365,6 +364,10 @@ PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID,
trust->emailFlags |= CERTDB_USER;
/* trust->objectSigningFlags |= CERTDB_USER; */
}
CERT_LockCertTrust(cert);
cert->trust = trust;
CERT_UnlockCertTrust(cert);
return cert;
loser:
@ -1410,6 +1413,7 @@ pk11_FindCertObjectByRecipientNew(PK11SlotInfo *slot, NSSCMSRecipient **recipien
NSSCMSRecipient *ri = NULL;
int i;
PRBool tokenRescanDone = PR_FALSE;
CERTCertTrust trust;
for (i=0; (ri = recipientlist[i]) != NULL; i++) {
CERTCertificate *cert = NULL;
@ -1490,8 +1494,8 @@ pk11_FindCertObjectByRecipientNew(PK11SlotInfo *slot, NSSCMSRecipient **recipien
}
if (cert) {
/* this isn't our cert */
if ((cert->trust == NULL) ||
((cert->trust->emailFlags & CERTDB_USER) != CERTDB_USER)) {
if (CERT_GetCertTrust(cert, &trust) != SECSuccess ||
((trust.emailFlags & CERTDB_USER) != CERTDB_USER)) {
CERT_DestroyCertificate(cert);
continue;
}
@ -1550,6 +1554,7 @@ pk11_FindCertObjectByRecipient(PK11SlotInfo *slot,
SEC_PKCS7RecipientInfo **rip, void *pwarg)
{
SEC_PKCS7RecipientInfo *ri = NULL;
CERTCertTrust trust;
int i;
for (i=0; (ri = recipientArray[i]) != NULL; i++) {
@ -1559,8 +1564,8 @@ pk11_FindCertObjectByRecipient(PK11SlotInfo *slot,
pwarg);
if (cert) {
/* this isn't our cert */
if ((cert->trust == NULL) ||
((cert->trust->emailFlags & CERTDB_USER) != CERTDB_USER)) {
if (CERT_GetCertTrust(cert, &trust) != SECSuccess ||
((trust.emailFlags & CERTDB_USER) != CERTDB_USER)) {
CERT_DestroyCertificate(cert);
continue;
}
@ -2260,9 +2265,10 @@ PK11_FortezzaHasKEA(CERTCertificate *cert)
{
/* look at the subject and see if it is a KEA for MISSI key */
SECOidData *oid;
CERTCertTrust trust;
if ((cert->trust == NULL) ||
((cert->trust->sslFlags & CERTDB_USER) != CERTDB_USER)) {
if (CERT_GetCertTrust(cert, &trust) != SECSuccess ||
((trust.sslFlags & CERTDB_USER) != CERTDB_USER)) {
return PR_FALSE;
}


@ -429,6 +429,7 @@ pk11_mergeSecretKey(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
SECItem *sourceOutput = NULL;
SECItem *targetOutput = NULL;
SECItem *param = NULL;
int blockSize;
SECItem input;
CK_OBJECT_HANDLE targetKeyID;
CK_FLAGS flags;
@ -491,11 +492,12 @@ pk11_mergeSecretKey(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
/* set up the input test */
input.data = (unsigned char *)testString;
input.len = PK11_GetBlockSize(cryptoMechType, NULL);
if (input.len < 0) {
blockSize = PK11_GetBlockSize(cryptoMechType, NULL);
if (blockSize < 0) {
rv = SECFailure;
goto done;
}
input.len = blockSize;
if (input.len == 0) {
input.len = sizeof (testString);
}


@ -145,9 +145,6 @@ static const char NS_CERT_TRAILER[] = "-----END CERTIFICATE-----";
#define NS_CERT_HEADER_LEN ((sizeof NS_CERT_HEADER) - 1)
#define NS_CERT_TRAILER_LEN ((sizeof NS_CERT_TRAILER) - 1)
static const char CERTIFICATE_TYPE_STRING[] = "certificate";
#define CERTIFICATE_TYPE_LEN (sizeof(CERTIFICATE_TYPE_STRING)-1)
/*
* read an old style ascii or binary certificate chain
*/
@ -163,6 +160,22 @@ CERT_DecodeCertPackage(char *certbuf,
SECStatus rv;
if ( certbuf == NULL ) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return(SECFailure);
}
/*
* Make sure certlen is long enough to handle the longest possible
* reference in the code below:
* 0x30 0x84 l1 l2 l3 l4 +
* tag 9 o1 o2 o3 o4 o5 o6 o7 o8 o9
* 6 + 11 = 17. 17 bytes is clearly too small to code any kind of
* certificate (a 128 bit ECC certificate contains at least an 8 byte
* key and a 16 byte signature, plus coding overhead). Typically a cert
* is much larger. So it's safe to require certlen to be at least 17
* bytes.
*/
if (certlen < 17) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
return(SECFailure);
}
@ -194,9 +207,12 @@ CERT_DecodeCertPackage(char *certbuf,
case 1:
seqLen = cp[1];
break;
default:
case 0:
/* indefinite length */
seqLen = 0;
break;
default:
goto notder;
}
cp += ( seqLenLen + 1 );
@ -217,26 +233,20 @@ CERT_DecodeCertPackage(char *certbuf,
}
}
/* check the type string */
/* netscape wrapped DER cert */
if ( ( cp[0] == SEC_ASN1_OCTET_STRING ) &&
( cp[1] == CERTIFICATE_TYPE_LEN ) &&
( PORT_Strcmp((char *)&cp[2], CERTIFICATE_TYPE_STRING) ) ) {
cp += ( CERTIFICATE_TYPE_LEN + 2 );
/* it had better be a certificate by now!! */
certitem.data = cp;
certitem.len = certlen - ( cp - (unsigned char *)certbuf );
rv = (* f)(arg, &pcertitem, 1);
return(rv);
} else if ( cp[0] == SEC_ASN1_OBJECT_ID ) {
/* check the type oid */
if ( cp[0] == SEC_ASN1_OBJECT_ID ) {
SECOidData *oiddata;
SECItem oiditem;
/* XXX - assume DER encoding of OID len!! */
oiditem.len = cp[1];
/* if we add an oid below that is longer than 9 bytes, then we
* need to change the certlen check at the top of the function
* to prevent a buffer overflow
*/
if ( oiditem.len > 9 ) {
PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
return(SECFailure);
}
oiditem.data = (unsigned char *)&cp[2];
oiddata = SECOID_FindOID(&oiditem);
if ( oiddata == NULL ) {
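Review bot: The new `certlen < 17` guard and the later `oiditem.len > 9` limit in `CERT_DecodeCertPackage` are two literals that must move together, and only comments tie them; deriving both from one named constant for the longest accepted OID (minimum length = 6 header bytes + 2 + that constant) would keep a future OID addition from silently reopening the over-read. The guard covers the fixed header only: in the `case 0:` indefinite-length branch `seqLen` is set to 0, and any comparison of `seqLen` with the remaining input lies outside the hunks, so it is worth confirming that this path cannot skip a length check. `oiditem.len = cp[1]` still carries the `XXX - assume DER encoding of OID len!!` caveat; a long-form length byte is rejected by the `> 9` test only because such values exceed 9 when read as unsigned, which deserves a comment.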


@ -3,7 +3,7 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.110 $ $Date: 2012/12/12 19:22:40 $";
static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.111 $ $Date: 2013/01/07 04:11:51 $";
#endif /* DEBUG */
/*
@ -805,7 +805,9 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced
/* we should destroy cc->trust before replacing it, but it's
allocated in cc->arena, so memory growth will occur on each
refresh */
CERT_LockCertTrust(cc);
cc->trust = trust;
CERT_UnlockCertTrust(cc);
}
nssTrust_Destroy(nssTrust);
}
@ -826,7 +828,9 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced
/* we should destroy cc->trust before replacing it, but it's
allocated in cc->arena, so memory growth will occur on each
refresh */
CERT_LockCertTrust(cc);
cc->trust = trust;
CERT_UnlockCertTrust(cc);
}
nssCryptokiObject_Destroy(instance);
}
@ -853,6 +857,7 @@ stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
{
nssDecodedCert *dc = NULL;
CERTCertificate *cc = NULL;
CERTCertTrust certTrust;
nssPKIObject_Lock(&c->object);
@ -887,14 +892,18 @@ stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
}
if (!cc->nssCertificate || forceUpdate) {
fill_CERTCertificateFields(c, cc, forceUpdate);
} else if (!cc->trust && !c->object.cryptoContext) {
} else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess &&
!c->object.cryptoContext) {
/* if it's a perm cert, it might have been stored before the
* trust, so look for the trust again. But a temp cert can be
* ignored.
*/
CERTCertTrust* trust = NULL;
trust = nssTrust_GetCERTCertTrustForCert(c, cc);
CERT_LockCertTrust(cc);
cc->trust = trust;
CERT_UnlockCertTrust(cc);
}
loser:
@ -1086,6 +1095,7 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
NSSTrust *nssTrust;
NSSArena *arena;
CERTCertTrust *oldTrust;
CERTCertTrust *newTrust;
nssListIterator *tokens;
PRBool moving_object;
nssCryptokiObject *newInstance;
@ -1101,12 +1111,15 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
return PR_SUCCESS;
} else {
/* take over memory already allocated in cc's arena */
cc->trust = oldTrust;
newTrust = oldTrust;
}
} else {
cc->trust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
newTrust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
}
memcpy(cc->trust, trust, sizeof(CERTCertTrust));
memcpy(newTrust, trust, sizeof(CERTCertTrust));
CERT_LockCertTrust(cc);
cc->trust = newTrust;
CERT_UnlockCertTrust(cc);
/* Set the NSSCerticate's trust */
arena = nssArena_Create();
if (!arena) return PR_FAILURE;
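Review bot: In `STAN_ChangeCertTrust` the `memcpy(newTrust, trust, sizeof(CERTCertTrust))` runs before `CERT_LockCertTrust(cc)`, and on the "take over memory" path `newTrust` is `oldTrust`, which looks like the structure `cc->trust` may already point at; a reader copying the trust under the lock could then observe a half-written record. Moving the copy inside the locked region closes that window: `CERT_LockCertTrust(cc); memcpy(newTrust, trust, sizeof(CERTCertTrust)); cc->trust = newTrust;`. The `PORT_ArenaAlloc` result is also passed to `memcpy` without a NULL test; `if (!newTrust) return PR_FAILURE;` before the copy would handle allocation failure. Where `oldTrust` comes from is outside the hunk, so the aliasing should be confirmed.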


@ -24,12 +24,13 @@
#include <sqlite3.h>
#include "prthread.h"
#include "prio.h"
#include "stdio.h"
#include <stdio.h>
#include "secport.h"
#include "prmon.h"
#include "prenv.h"
#include "prprf.h"
#include "prsystem.h" /* for PR_GetDirectorySeparator() */
#include "sys/stat.h"
#include <sys/stat.h>
#if defined(_WIN32)
#include <io.h>
#include <windows.h>
@ -195,7 +196,7 @@ sdb_done(int err, int *count)
*/
#if defined(_WIN32)
static char *
sdb_getTempDir(void)
sdb_getFallbackTempDir(void)
{
/* sqlite uses sqlite3_temp_directory if it is not NULL. We don't have
* access to sqlite3_temp_directory because it is not exported from
@ -219,7 +220,7 @@ sdb_getTempDir(void)
}
#elif defined(XP_UNIX)
static char *
sdb_getTempDir(void)
sdb_getFallbackTempDir(void)
{
const char *azDirs[] = {
NULL,
@ -250,9 +251,52 @@ sdb_getTempDir(void)
return PORT_Strdup(zDir);
}
#else
#error "sdb_getTempDir not implemented"
#error "sdb_getFallbackTempDir not implemented"
#endif
static char *
sdb_getTempDir(sqlite3 *sqlDB)
{
int sqlrv;
char *result = NULL;
char *tempName = NULL;
char *foundSeparator = NULL;
/* Obtain temporary filename in sqlite's directory for temporary tables */
sqlrv = sqlite3_file_control(sqlDB, 0, SQLITE_FCNTL_TEMPFILENAME,
(void*)&tempName);
if (sqlrv == SQLITE_NOTFOUND) {
/* SQLITE_FCNTL_TEMPFILENAME not implemented because we are using
* an older SQLite. */
return sdb_getFallbackTempDir();
}
if (sqlrv != SQLITE_OK) {
return NULL;
}
/* We'll extract the temporary directory from tempName */
foundSeparator = PORT_Strrchr(tempName, PR_GetDirectorySeparator());
if (foundSeparator) {
/* We shorten the temp filename string to contain only
* the directory name (including the trailing separator).
* We know the byte after the foundSeparator position is
* safe to use, in the shortest scenario it contains the
* end-of-string byte.
* By keeping the separator at the found position, it will
* even work if tempDir consists of the separator, only.
* (In this case the toplevel directory will be used for
* access speed testing). */
++foundSeparator;
*foundSeparator = 0;
/* Now we copy the directory name for our caller */
result = PORT_Strdup(tempName);
}
sqlite3_free(tempName);
return result;
}
/*
* Map SQL_LITE errors to PKCS #11 errors as best we can.
*/
@ -291,11 +335,13 @@ sdb_mapSQLError(sdbDataType type, int sqlerr)
*/
static char *sdb_BuildFileName(const char * directory,
const char *prefix, const char *type,
int version, int flags)
int version)
{
char *dbname = NULL;
/* build the full dbname */
dbname = sqlite3_mprintf("%s/%s%s%d.db",directory, prefix, type, version);
dbname = sqlite3_mprintf("%s%c%s%s%d.db", directory,
(int)(unsigned char)PR_GetDirectorySeparator(),
prefix, type, version);
return dbname;
}
@ -311,29 +357,64 @@ sdb_measureAccess(const char *directory)
PRIntervalTime time;
PRIntervalTime delta;
PRIntervalTime duration = PR_MillisecondsToInterval(33);
const char *doesntExistName = "_dOeSnotExist_.db";
char *temp, *tempStartOfFilename;
size_t maxTempLen, maxFileNameLen, directoryLength;
/* no directory, just return one */
if (directory == NULL) {
return 1;
}
/* our calculation assumes time is a 4 bytes == 32 bit integer */
PORT_Assert(sizeof(time) == 4);
directoryLength = strlen(directory);
maxTempLen = directoryLength + strlen(doesntExistName)
+ 1 /* potential additional separator char */
+ 11 /* max chars for 32 bit int plus potential sign */
+ 1; /* zero terminator */
temp = PORT_Alloc(maxTempLen);
if (!temp) {
return 1;
}
/* We'll copy directory into temp just once, then ensure it ends
* with the directory separator, then remember the position after
* the separator, and calculate the number of remaining bytes. */
strcpy(temp, directory);
if (directory[directoryLength - 1] != PR_GetDirectorySeparator()) {
temp[directoryLength++] = PR_GetDirectorySeparator();
}
tempStartOfFilename = temp + directoryLength;
maxFileNameLen = maxTempLen - directoryLength;
/* measure number of Access operations that can be done in 33 milliseconds
* (1/30'th of a second), or 10000 operations, which ever comes first.
*/
time = PR_IntervalNow();
for (i=0; i < 10000u; i++) {
char *temp;
PRIntervalTime next;
temp = sdb_BuildFileName(directory,"","._dOeSnotExist_", time+i, 0);
/* We'll use the variable part first in the filename string, just in
* case it's longer than assumed, so if anything gets cut off, it
* will be cut off from the constant part.
* This code assumes the directory name at the beginning of
* temp remains unchanged during our loop. */
PR_snprintf(tempStartOfFilename, maxFileNameLen,
".%lu%s", (PRUint32)(time+i), doesntExistName);
PR_Access(temp,PR_ACCESS_EXISTS);
sqlite3_free(temp);
next = PR_IntervalNow();
delta = next - time;
if (delta >= duration)
break;
}
PORT_Free(temp);
/* always return 1 or greater */
return i ? i : 1u;
}
@ -1792,7 +1873,7 @@ sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate,
* is to check for the existance of a local file compared to the same
* check in the temp directory. If the temp directory is faster, cache
* the database there. */
tempDir = sdb_getTempDir();
tempDir = sdb_getTempDir(sqlDB);
if (tempDir) {
tempOps = sdb_measureAccess(tempDir);
PORT_Free(tempDir);
@ -1901,9 +1982,9 @@ s_open(const char *directory, const char *certPrefix, const char *keyPrefix,
SDB **certdb, SDB **keydb, int *newInit)
{
char *cert = sdb_BuildFileName(directory, certPrefix,
"cert", cert_version, flags);
"cert", cert_version);
char *key = sdb_BuildFileName(directory, keyPrefix,
"key", key_version, flags);
"key", key_version);
CK_RV error = CKR_OK;
int inUpdate;
PRUint32 accessOps;
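Review bot: In `sdb_measureAccess`, `directory[directoryLength - 1]` reads before the start of the buffer when `directory` is an empty string, because `directoryLength` is a `size_t` and the only guard above it is the `NULL` check. The path returned by the new `sdb_getTempDir` always ends in a separator, but whether the function's other callers can pass `""` is not visible in this hunk. I would extend the early return to `if (directory == NULL || directory[0] == '\0') {` so the empty case takes the same "return 1" path. The function's signature is outside the hunk.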


@ -5,7 +5,7 @@
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* $Id: ssl3con.c,v 1.195 2012/11/15 18:49:01 wtc%google.com Exp $ */
/* $Id: ssl3con.c,v 1.197 2013/01/18 19:31:42 bsmith%mozilla.com Exp $ */
/* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
@ -8342,7 +8342,6 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
PRInt32 size;
SECStatus rv;
PRBool isServer = (PRBool)(!!ss->sec.isServer);
PRBool trusted = PR_FALSE;
PRBool isTLS;
SSL3AlertDescription desc;
int errCode = SSL_ERROR_RX_MALFORMED_CERTIFICATE;
@ -8385,8 +8384,10 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
}
if (!remaining) {
if (!(isTLS && isServer))
if (!(isTLS && isServer)) {
desc = bad_certificate;
goto alert_loser;
}
/* This is TLS's version of a no_certificate alert. */
/* I'm a server. I've requested a client cert. He hasn't got one. */
rv = ssl3_HandleNoCertificate(ss);
@ -8459,9 +8460,6 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
goto ambiguous_err;
}
if (c->cert->trust)
trusted = PR_TRUE;
c->next = NULL;
if (lastCert) {
lastCert->next = c;
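Review bot: The new `desc = bad_certificate;` branch under `if (!(isTLS && isServer))` carries no comment saying why an empty certificate list is fatal there, while the accepted case right below it is commented. A one-line comment above the `if` would make the rule readable without tracing both flags, for example `/* An empty certificate list is only acceptable when we are a TLS server; otherwise reject it. */`. ssl3_HandleCertificate starts and ends outside these hunks, so whether `errCode` still holds the intended value at `alert_loser` on this path should be confirmed against the full function.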


@ -6,7 +6,7 @@
* Types for encoding/decoding of ASN.1 using BER/DER (Basic/Distinguished
* Encoding Rules).
*
* $Id: secasn1t.h,v 1.11 2012/04/25 14:50:16 gerv%gerv.net Exp $
* $Id: secasn1t.h,v 1.12 2013/01/08 16:19:09 kaie%kuix.de Exp $
*/
#ifndef _SECASN1T_H_
@ -183,7 +183,7 @@ typedef struct sec_ASN1Template_struct {
typedef const SEC_ASN1Template * SEC_ASN1TemplateChooser(void *arg, PRBool enc);
typedef SEC_ASN1TemplateChooser * SEC_ASN1TemplateChooserPtr;
#if defined(_WIN32)
#if defined(_WIN32) || defined(ANDROID)
#define SEC_ASN1_GET(x) NSS_Get_##x(NULL, PR_FALSE)
#define SEC_ASN1_SUB(x) &p_NSS_Get_##x
#define SEC_ASN1_XTRN SEC_ASN1_DYNAMIC


@ -3,7 +3,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "secoid.h"
#include "secoidt.h"
#include "pkcs11t.h"
#include "secitem.h"
#include "secerr.h"


@ -1079,12 +1079,12 @@ cert_extensions_test()
echo
echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
-t "u,u,u" -o /tmp/cert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
-t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
-z "${R_NOISE_FILE}" -${OPT} \< ${TARG_FILE}
echo "certutil options:"
cat ${TARG_FILE}
${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
-t "u,u,u" -o /tmp/cert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
-t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
-z "${R_NOISE_FILE}" -${OPT} < ${TARG_FILE}
RET=$?
if [ "${RET}" -ne 0 ]; then
@ -1485,7 +1485,9 @@ cert_all_CA
cert_extended_ssl
cert_ssl
cert_smime_client
cert_fips
if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then
cert_fips
fi
cert_eccurves
cert_extensions
cert_test_password


@ -186,9 +186,13 @@ chains_init()
if [ -n "${NSS_AIA_PATH}" ]; then
HTTPPID=${NSS_AIA_PATH}/http_pid.$$
mkdir -p "${NSS_AIA_PATH}"
pushd "${NSS_AIA_PATH}"
SAVEPWD=`pwd`
cd "${NSS_AIA_PATH}"
# Start_httpserv sets environment variables, which are required for
# correct cleanup. (Running it in a subshell doesn't work, the
# value of $SHELL_HTTPPID wouldn't arrive in this scope.)
start_httpserv
popd
cd "${SAVEPWD}"
fi
html_head "Certificate Chains Tests"
@ -790,6 +794,7 @@ revoke_cert()
# FETCH - fetch flag (used with AIA extension)
# POLICY - list of policies
# TRUST - trust anchor
# TRUST_AND_DB - Examine both trust anchors and the cert db for trust
# VERIFY - list of certificates to use as vfychain parameters
# EXP_RESULT - expected result
# REV_OPTS - revocation options
@ -806,6 +811,7 @@ verify_cert()
TRUST_OPT=
VFY_CERTS=
VFY_LIST=
TRUST_AND_DB_OPT=
if [ -n "${DB}" ]; then
DB_OPT="-d ${DB}"
@ -819,6 +825,10 @@ verify_cert()
fi
fi
if [ -n "${TRUST_AND_DB}" ]; then
TRUST_AND_DB_OPT="-T"
fi
for ITEM in ${POLICY}; do
POLICY_OPT="${POLICY_OPT} -o ${ITEM}"
done
@ -851,8 +861,8 @@ verify_cert()
fi
done
VFY_OPTS_TNAME="${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
VFY_OPTS_ALL="${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
VFY_OPTS_TNAME="${TRUST_AND_DB_OPT} ${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
VFY_OPTS_ALL="${DB_OPT} -pp -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}"
echo "${SCRIPTNAME}: ${TESTNAME}"
@ -1045,6 +1055,7 @@ parse_config()
"verify")
VERIFY="${VALUE}"
TRUST=
TRUST_AND_DB=
POLICY=
FETCH=
EXP_RESULT=
@ -1064,6 +1075,9 @@ parse_config()
"trust")
TRUST="${TRUST} ${VALUE}"
;;
"trust_and_db")
TRUST_AND_DB=1
;;
"fetch")
FETCH=1
;;
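Review bot: In `chains_init`, the result of `cd "${NSS_AIA_PATH}"` is not checked, so if the change of directory fails `start_httpserv` runs from whatever directory the script was in and would presumably serve files from there instead of the AIA directory. Since the server has to run in the current shell (as the new comment explains), the guard belongs on the `cd` itself, for example `cd "${NSS_AIA_PATH}" || { echo "${SCRIPTNAME}: cannot cd to ${NSS_AIA_PATH}"; return 1; }`. How `chains_init` is expected to report failure is not visible in the hunk, so the `return 1` may need to be the script's own exit helper.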


@ -19,6 +19,7 @@
#
# Contributor(s):
# Slavomir Katuscak <slavomir.katuscak@sun.com>, Sun Microsystems
# Ryan Sleevi <ryan.sleevi@gmail.com>, Google
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
@ -51,3 +52,4 @@ dsa.cfg
revoc.cfg
ocsp.cfg
crldp.cfg
trustanchors.cfg


@ -0,0 +1,114 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
scenario TrustAnchors
entity RootCA
type Root
entity CA1
type Intermediate
issuer RootCA
entity CA2
type Intermediate
issuer CA1
entity EE1
type EE
issuer CA2
entity OtherRoot
type Root
entity OtherIntermediate
type Intermediate
issuer OtherRoot
entity EE2
type EE
issuer OtherIntermediate
# Scenarios where trust only comes from the DB
db DBOnly
import RootCA::CT,C,C
import CA1:RootCA:
# Simple chaining - no trust anchors
verify EE1:CA2
cert CA2:CA1
result pass
# Simple trust anchors - ignore the Cert DB
verify EE1:CA2
trust CA2:CA1
result pass
# Redundant trust - trust anchor and DB
verify EE1:CA2
cert CA2:CA1
trust RootCA
result pass
# Scenarios where trust only comes from trust anchors
db TrustOnly
# Simple checking - direct trust anchor
verify EE1:CA2
cert CA2:CA1
cert CA1:RootCA:
trust RootCA:
result pass
# Partial chain (not self-signed), with a trust anchor
verify EE1:CA2
trust CA2:CA1
result pass
# Scenarios where trust comes from both trust anchors and the DB
db TrustAndDB
import RootCA::CT,C,C
import CA1:RootCA:
# Check that trust in the DB works
verify EE1:CA2
cert CA2:CA1
result pass
# Check that trust anchors work
verify EE2:OtherIntermediate
cert OtherIntermediate:OtherRoot
trust OtherRoot:
result pass
# Check that specifying a trust anchor still allows searching the cert DB
verify EE1:CA2
trust_and_db
cert CA2:CA1
trust OtherIntermediate:OtherRoot
trust OtherRoot:
result pass
# Scenarios where the trust DB has explicitly distrusted one or more certs,
# even when the trust anchors indicate trust
db ExplicitDistrust
import RootCA::CT,C,C
import CA1:RootCA:p,p,p
import OtherRoot::p,p,p
# Verify that a distrusted intermediate, but trusted root, is rejected.
verify EE1:CA2
cert CA2:CA1
trust CA1:RootCA
result fail
# Verify that a trusted intermediate, but distrusted root, is accepted.
verify EE2:OtherIntermediate
trust OtherIntermediate:OtherRoot
result pass
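Review bot: The scenario has no negative counterpart to the `trust_and_db` case, so nothing here shows that supplying trust anchors without that flag really stops the cert DB from being consulted. The "Simple trust anchors - ignore the Cert DB" case under `db DBOnly` passes either way, because its anchor `CA2:CA1` is on the path being verified. If anchors-only is the intended default, I would add to `db TrustAndDB` a copy of the last case there with the `trust_and_db` line removed and `result fail` as the expectation. The only `result fail` in the file is the distrusted-intermediate case.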


@ -250,18 +250,35 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
COMMON=${TEST_COMMON-$common}
export COMMON
MAKE=gmake
$MAKE -v >/dev/null 2>&1 || MAKE=make
$MAKE -v >/dev/null 2>&1 || { echo "You are missing make."; exit 5; }
MAKE="$MAKE --no-print-directory"
DIST=${DIST-${MOZILLA_ROOT}/dist}
SECURITY_ROOT=${SECURITY_ROOT-${MOZILLA_ROOT}/security/nss}
TESTDIR=${TESTDIR-${MOZILLA_ROOT}/tests_results/security}
OBJDIR=`(cd $COMMON; $MAKE objdir_name)`
OS_ARCH=`(cd $COMMON; $MAKE os_arch)`
DLL_PREFIX=`(cd $COMMON; $MAKE dll_prefix)`
DLL_SUFFIX=`(cd $COMMON; $MAKE dll_suffix)`
# Allow for override options from a config file
if [ -n "${OBJDIR}" -a -f ${DIST}/${OBJDIR}/platform.cfg ]; then
. ${DIST}/${OBJDIR}/platform.cfg
fi
# only need make if we don't already have certain variables set
if [ -z "${OBJDIR}" -o -z "${OS_ARCH}" -o -z "${DLL_PREFIX}" -o -z "${DLL_SUFFIX}" ]; then
MAKE=gmake
$MAKE -v >/dev/null 2>&1 || MAKE=make
$MAKE -v >/dev/null 2>&1 || { echo "You are missing make."; exit 5; }
MAKE="$MAKE --no-print-directory"
fi
if [ "${OBJDIR}" = "" ]; then
OBJDIR=`(cd $COMMON; $MAKE objdir_name)`
fi
if [ "${OS_ARCH}" = "" ]; then
OS_ARCH=`(cd $COMMON; $MAKE os_arch)`
fi
if [ "${DLL_PREFIX}" = "" ]; then
DLL_PREFIX=`(cd $COMMON; $MAKE dll_prefix)`
fi
if [ "${DLL_SUFFIX}" = "" ]; then
DLL_SUFFIX=`(cd $COMMON; $MAKE dll_suffix)`
fi
OS_NAME=`uname -s | sed -e "s/-[0-9]*\.[0-9]*//" | sed -e "s/-WOW64//"`
BINDIR="${DIST}/${OBJDIR}/bin"
@ -296,7 +313,10 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" != "CYGWIN_NT" -a "$OS_NAME" != "MINGW32_NT" ]; then
PATH=.\;${DIST}/${OBJDIR}/bin\;${DIST}/${OBJDIR}/lib\;$PATH
PATH=`perl ../path_uniq -d ';' "$PATH"`
else
elif [ "${OS_ARCH}" = "Android" ]; then
# android doesn't have perl, skip the uniq step
PATH=.:${DIST}/${OBJDIR}/bin:${DIST}/${OBJDIR}/lib:$PATH
else
PATH=.:${DIST}/${OBJDIR}/bin:${DIST}/${OBJDIR}/lib:/bin:/usr/bin:$PATH
# added /bin and /usr/bin in the beginning so a local perl will
# be used
@ -349,7 +369,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
;;
esac
if [ -z "${DOMSUF}" ]; then
if [ -z "${DOMSUF}" -a "${OS_ARCH}" != "Android" ]; then
echo "$SCRIPTNAME: Fatal DOMSUF env. variable is not defined."
exit 1 #does not need to be Exit, very early in script
fi
@ -358,7 +378,11 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
#not needed anymore (purpose: be able to use IP address for the server
#cert instead of PC name which was not in the DNS because of dyn IP address
if [ -z "$USE_IP" -o "$USE_IP" != "TRUE" ] ; then
HOSTADDR=${HOST}.${DOMSUF}
if [ -z "${DOMSUF}" ]; then
HOSTADDR=${HOST}
else
HOSTADDR=${HOST}.${DOMSUF}
fi
else
HOSTADDR=${IP_ADDRESS}
fi
@ -618,7 +642,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
fi
#################################################
if [ "${OS_ARCH}" != "WINNT" ]; then
if [ "${OS_ARCH}" != "WINNT" -a "${OS_ARCH}" != "Android" ]; then
ulimit -c unlimited
fi
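Review bot: The new override block sources `${DIST}/${OBJDIR}/platform.cfg` unquoted, both in the `-f` test and in the `.` command, so a `DIST` or `OBJDIR` containing whitespace breaks the test or sources a different path. Everything in that file is then executed as shell in the test harness's own context. I would quote both uses, `if [ -n "${OBJDIR}" -a -f "${DIST}/${OBJDIR}/platform.cfg" ]; then` and `. "${DIST}/${OBJDIR}/platform.cfg"`, and extend the comment above to say `# platform.cfg is executed as shell; it must come from the same build as the binaries under test`. The enclosing `if [ -z "${INIT_SOURCED}" ...` block starts and ends outside these hunks.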


@ -0,0 +1,19 @@
#! /bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
########################################################################
#
# mozilla/security/nss/tests/dummy/dummy.sh
#
# Minimal test that doesn't do anything
#
# NSS_TESTS="dummy" can be used for quick testing of the
# test script infrastructure, without running any of the tests
#
########################################################################
# html_failed "dummy test fail"
html_passed "dummy test ok"


@ -0,0 +1,154 @@
#! gmake
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#######################################################################
# (1) Include initial platform-independent assignments (MANDATORY). #
#######################################################################
include manifest.mn
#######################################################################
# (2) Include "global" configuration information. (OPTIONAL) #
#######################################################################
include $(CORE_DEPTH)/coreconf/config.mk
#######################################################################
# (3) Include "component" configuration information. (OPTIONAL) #
#######################################################################
#######################################################################
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
#######################################################################
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #
#######################################################################
include $(CORE_DEPTH)/coreconf/rules.mk
#######################################################################
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
#######################################################################
TESTPACKAGE="nss-$(OS_TARGET)$(CPU_TAG).tgz"
RTSH=$(DIST)/../../runtests.sh
PCFG=$(DIST)/platform.cfg
#Hint: In order to test the Makefiles without running the tests, use:
# make NSS_CYCLES="standard" NSS_TESTS="dummy"
ifeq ($(OS_TARGET),Android)
TEST_SHELL?=$$HOME/bin/sh
ANDROID_PORT?="2222"
#Define the subset of tests that is known to work on Android
NSS_CYCLES?="standard pkix upgradedb sharedb"
NSS_TESTS?="cipher lowhash libpkix cert dbtests tools sdr crmf smime ssl ocsp merge pkits chains"
NSS_SSL_TESTS?="crl normal_normal iopr"
NSS_SSL_RUN?="cov auth stress"
else
TEST_SHELL?="/bin/sh"
endif
# Create a package for test execution on a separate system.
package_for_testing:
echo "export OBJDIR=$(OBJDIR_NAME)" > $(PCFG)
echo "export OS_ARCH=$(OS_ARCH)" >> $(PCFG)
echo "export OS_TARGET=$(OS_TARGET)" >> $(PCFG)
echo "export DLL_PREFIX=$(DLL_PREFIX)" >> $(PCFG)
echo "export DLL_SUFFIX=$(DLL_SUFFIX)" >> $(PCFG)
echo 'echo "set HOST and DOMSUF if your system is not registered in DNS"' > $(RTSH)
cat $(PCFG) >> $(RTSH)
echo 'export NSS_TESTS=$(NSS_TESTS)' >> $(RTSH)
echo 'export NSS_SSL_TESTS=$(NSS_SSL_TESTS)' >> $(RTSH)
echo 'export NSS_SSL_RUN=$(NSS_SSL_RUN)' >> $(RTSH)
echo 'export NSS_CYCLES=$(NSS_CYCLES)' >> $(RTSH)
echo 'export USE_64=$(USE_64)' >> $(RTSH)
echo 'export BUILD_OPT=$(BUILD_OPT)' >> $(RTSH)
echo 'export PKITS_DATA=$(PKITS_DATA)' >> $(RTSH)
echo 'export NSS_ENABLE_ECC=$(NSS_ENABLE_ECC)' >> $(RTSH)
echo 'export NSS_ECC_MORE_THAN_SUITE_B=$(NSS_ECC_MORE_THAN_SUITE_B)' >> $(RTSH)
echo 'export NSPR_LOG_MODULES=$(NSPR_LOG_MODULES)' >> $(RTSH)
ifeq ($(OS_TARGET),Android)
# Android doesn't support FIPS tests, because
# dladdr does not return a full path for implicitly loaded libraries
echo "export NSS_TEST_DISABLE_FIPS=1" >> $(DIST)/platform.cfg
endif
ifeq ($(CROSS_COMPILE),1)
# execute signing on test system
echo 'export DIST=$${HOME}/nsstest/dist/' >> $(RTSH)
echo 'export NSPR_LIB_DIR=$${DIST}/$${OBJDIR}/lib/' >> $(RTSH)
echo 'echo "signing"' >> $(RTSH)
# work around a bug in Android ash that has a corrupted work directory after login
echo 'cd $${HOME}/nsstest' >> $(RTSH)
echo 'cd security/nss/cmd/shlibsign' >> $(RTSH)
echo '$(TEST_SHELL) ./sign.sh $${DIST}/$${OBJDIR}/ $${DIST}/$${OBJDIR}/bin $${OS_TARGET} $${NSPR_LIB_DIR} $${NSPR_LIB_DIR}$${DLL_PREFIX}freebl3.$${DLL_SUFFIX}' >> $(RTSH)
echo '$(TEST_SHELL) ./sign.sh $${DIST}/$${OBJDIR}/ $${DIST}/$${OBJDIR}/bin $${OS_TARGET} $${NSPR_LIB_DIR} $${NSPR_LIB_DIR}$${DLL_PREFIX}softokn3.$${DLL_SUFFIX}' >> $(RTSH)
echo '$(TEST_SHELL) ./sign.sh $${DIST}/$${OBJDIR}/ $${DIST}/$${OBJDIR}/bin $${OS_TARGET} $${NSPR_LIB_DIR} $${NSPR_LIB_DIR}$${DLL_PREFIX}nssdbm3.$${DLL_SUFFIX}' >> $(RTSH)
ifneq ($(OS_TARGET),Android)
# Android's ash doesn't support "export -n" yet
echo 'export -n DIST' >> $(RTSH)
echo 'export -n NSPR_LIB_DIR' >> $(RTSH)
endif
echo 'cd ../../../../' >> $(RTSH)
endif
echo 'rm -rf tests_results' >> $(RTSH)
echo 'echo "running tests"' >> $(RTSH)
echo 'cd security/nss/tests' >> $(RTSH)
# We require progress indication on stdout while running the tests (to avoid timeouts).
set -o pipefail
echo '$(TEST_SHELL) ./all.sh | tee ../../../logfile 2>&1 |grep ": #"' >> $(RTSH)
RETVAL=$?
echo 'cd ../../../' >> $(RTSH)
# dump test summary from end of logfile
echo 'echo "=========="; tail -100 logfile' >> $(RTSH)
echo 'tar czf tests_results.tgz tests_results' >> $(RTSH)
echo 'echo "created tests_results.tgz"' >> $(RTSH)
echo 'echo "results are in directory: "`ls -1d tests_results/security/*.1`' >> $(RTSH)
echo 'echo exit status: $${RETVAL}' >> $(RTSH)
echo 'exit $${RETVAL}' >> $(RTSH)
rm -f $(TESTPACKAGE)
(cd $(DIST)/../.. ; tar czhf dist/$(TESTPACKAGE) runtests.sh dist/$(OBJDIR_NAME) dist/public security/nss/tests security/nss/cmd/bltest/tests security/nss/cmd/shlibsign; echo "created "`pwd`"/dist/$(TESTPACKAGE)" )
android_run_tests:
ssh -p $(ANDROID_PORT) -o CheckHostIP=no $(ANDROID_ADDR) 'pwd; cd; pwd; cd nsstest; export PATH=$$HOME/bin:$$PATH ; $(TEST_SHELL) runtests.sh'
android_install:
rm -f $(DIST)/android.sftp
echo '-mkdir nsstest' > $(DIST)/android.sftp
echo '-rm nsstest/$(TESTPACKAGE)' >> $(DIST)/android.sftp
echo 'progress' >> $(DIST)/android.sftp
echo 'put $(DIST)/../$(TESTPACKAGE) nsstest' >> $(DIST)/android.sftp
sftp -o Port=$(ANDROID_PORT) -o CheckHostIP=no -b $(DIST)/android.sftp $(ANDROID_ADDR)
ssh -p $(ANDROID_PORT) -o CheckHostIP=no $(ANDROID_ADDR) 'cd nsstest ; $$HOME/bin/rm -rf logfile runtests.sh dist security tests_results tests_results.tgz; $$HOME/bin/tar xzf $(TESTPACKAGE)'
WORKDIR="$(DIST)/../../"
RESULTSPACKAGE=tests_results.tgz
android_get_result:
rm -f $(WORKDIR)/result.sftp $(WORKDIR)/$(RESULTSPACKAGE)
echo "progress" > $(WORKDIR)/result.sftp
echo 'get nsstest/$(RESULTSPACKAGE) $(WORKDIR)' >> $(WORKDIR)/result.sftp
sftp -o Port=$(ANDROID_PORT) -o CheckHostIP=no -b $(WORKDIR)/result.sftp $(ANDROID_ADDR)
(cd $(WORKDIR); tar xzf $(RESULTSPACKAGE); rm -f result.sftp $(RESULTSPACKAGE) )
# Android testing assumes having built with: OS_TARGET=Android CROSS_COMPILE=1
# Connectivity tested with Android app: SSHDroid
# Provide appropriate ANDROID_ADDR variable, e.g.:
# make test_android ANDROID_ADDR=root@192.168.4.5
# See also: https://wiki.mozilla.org/NSS:Android
test_android: package_for_testing android_install android_run_tests android_get_result
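Review bot: In `package_for_testing`, `set -o pipefail` and `RETVAL=$?` are plain recipe lines, so make runs each in its own shell at packaging time and neither is written to `$(RTSH)`. The generated runtests.sh therefore reaches `exit $${RETVAL}` with `RETVAL` unset, and a failing `all.sh` most likely ends with status 0. The capture should be emitted into the script directly after the `all.sh` line, `echo 'RETVAL=$$?' >> $(RTSH)`. Because that line is a pipeline ending in `grep`, the value is grep's status unless `echo 'set -o pipefail' >> $(RTSH)` is emitted as well, and only if the target shell supports it. Separately, none of the command targets are declared `.PHONY`.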


@ -0,0 +1,6 @@
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
CORE_DEPTH = ../../..
DEPTH = ../../..