mirror of
https://github.com/rn10950/RetroZilla.git
synced 2024-11-14 03:30:17 +01:00
cherry-picked mozilla NSS upstream changes (to rev a245a4cc):
bug1201704, bug1171631, bug572412, bug1119618, bug1177770, bug1148374, bug1208243(part-of), bug1117022, bug1205688, bug1209443, bug1208508, bug1208503, bug1209435, bug1209451, bug1209456, bug1209541, bug1208503, bug1209546
This commit is contained in:
parent
430790c1b1
commit
5c0160b5fb
File diff suppressed because it is too large
Load Diff
@ -503,9 +503,10 @@ prettyPrintItem(FILE *out, const unsigned char *data, const unsigned char *end,
|
||||
data += lenLen;
|
||||
|
||||
/*
|
||||
* Just quit now if slen more bytes puts us off the end.
|
||||
* Just quit now if slen more bytes puts us off the end,
|
||||
* or if there's no more data to process.
|
||||
*/
|
||||
if ((data + slen) > end) {
|
||||
if ((data + slen) >= end) {
|
||||
PORT_SetError(SEC_ERROR_BAD_DER);
|
||||
return -1;
|
||||
}
|
||||
|
@ -2090,8 +2090,8 @@ CK_RV PKM_Mechanism(CK_FUNCTION_LIST_PTR pFunctionList,
|
||||
}
|
||||
PKM_LogIt("C_GetMechanismList returned the mechanism types:\n");
|
||||
if (verbose) {
|
||||
for (i = 1; i <= mechanismCount; i++) {
|
||||
mechName = getName(pMechanismList[(i-1)], ConstMechanism);
|
||||
for (i = 0; i < mechanismCount; i++) {
|
||||
mechName = getName(pMechanismList[(i)], ConstMechanism);
|
||||
|
||||
/* output two mechanism name on each line */
|
||||
/* currently the longest known mechansim name length is 37 */
|
||||
@ -2100,7 +2100,7 @@ CK_RV PKM_Mechanism(CK_FUNCTION_LIST_PTR pFunctionList,
|
||||
} else {
|
||||
printf("Unknown mechanism: 0x%08lX ", pMechanismList[i]);
|
||||
}
|
||||
if ((i != 0) && ((i % 2) == 0 )) printf("\n");
|
||||
if ((i % 2) == 1 ) printf("\n");
|
||||
}
|
||||
printf("\n\n");
|
||||
}
|
||||
|
@ -1454,7 +1454,6 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
|
||||
CERTCertListNode *node;
|
||||
PKIX_PL_Cert *certPkix = NULL;
|
||||
PKIX_TrustAnchor *trustAnchor = NULL;
|
||||
PKIX_PL_Date *revDate = NULL;
|
||||
PKIX_RevocationChecker *revChecker = NULL;
|
||||
PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext *)plContext;
|
||||
|
||||
@ -1664,9 +1663,6 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
|
||||
if (date != NULL)
|
||||
PKIX_PL_Object_DecRef((PKIX_PL_Object *)date, plContext);
|
||||
|
||||
if (revDate != NULL)
|
||||
PKIX_PL_Object_DecRef((PKIX_PL_Object *)revDate, plContext);
|
||||
|
||||
if (revChecker != NULL)
|
||||
PKIX_PL_Object_DecRef((PKIX_PL_Object *)revChecker, plContext);
|
||||
|
||||
|
@ -559,7 +559,7 @@ SINGLE_SHLIB_DIR = $(OBJDIR)/$(OS_TARGET)_SINGLE_SHLIB
|
||||
ALL_TRASH += $(SINGLE_SHLIB_DIR)
|
||||
|
||||
$(SINGLE_SHLIB_DIR):
|
||||
-mkdir $(SINGLE_SHLIB_DIR)
|
||||
-mkdir -p $(SINGLE_SHLIB_DIR)
|
||||
|
||||
release_md libs:: $(SINGLE_SHLIB_DIR)
|
||||
$(MAKE) FREEBL_CHILD_BUILD=1 \
|
||||
|
@ -8,6 +8,9 @@
|
||||
* Also NOTE: this only works with Hashing. Only the FIPS interface is enabled.
|
||||
*/
|
||||
|
||||
#ifndef _NSSLOWHASH_H_
|
||||
#define _NSSLOWHASH_H_
|
||||
|
||||
typedef struct NSSLOWInitContextStr NSSLOWInitContext;
|
||||
typedef struct NSSLOWHASHContextStr NSSLOWHASHContext;
|
||||
|
||||
@ -26,3 +29,5 @@ void NSSLOWHASH_End(NSSLOWHASHContext *context,
|
||||
unsigned int *ret, unsigned int len);
|
||||
void NSSLOWHASH_Destroy(NSSLOWHASHContext *context);
|
||||
unsigned int NSSLOWHASH_Length(NSSLOWHASHContext *context);
|
||||
|
||||
#endif
|
||||
|
@ -65,12 +65,10 @@ extern "C" {
|
||||
* FUNCTION: PKIX_RevocationChecker_Create
|
||||
* DESCRIPTION:
|
||||
*
|
||||
* Creates revocation checker object with a given flags.
|
||||
* Creates a revocation checker object with the given flags. Revocation will
|
||||
* be checked at the current date.
|
||||
*
|
||||
* PARAMETERS:
|
||||
* "revDate"
|
||||
* Revocation will be checked at this date. Current date is taken if the
|
||||
* parameter is not specified.
|
||||
* "leafMethodListFlags"
|
||||
* Defines a set of method independent flags that will be used to check
|
||||
* revocation of the leaf cert in the chain.
|
||||
|
@ -1381,6 +1381,7 @@ pk11_keyIDHash_populate(void *wincx)
|
||||
}
|
||||
moduleLock = SECMOD_GetDefaultModuleListLock();
|
||||
if (!moduleLock) {
|
||||
SECITEM_FreeItem(slotid, PR_TRUE);
|
||||
PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
|
||||
return PR_FAILURE;
|
||||
}
|
||||
|
@ -400,6 +400,7 @@ PK11_NewSlotInfo(SECMODModule *mod)
|
||||
slot->minPassword = 0;
|
||||
slot->maxPassword = 0;
|
||||
slot->hasRootCerts = PR_FALSE;
|
||||
slot->hasRootTrust = PR_FALSE;
|
||||
slot->nssToken = NULL;
|
||||
return slot;
|
||||
}
|
||||
|
@ -566,7 +566,7 @@ SEC_PKCS7DecryptContents(PLArenaPool *poolp,
|
||||
{
|
||||
SECAlgorithmID *algid = NULL;
|
||||
SECStatus rv = SECFailure;
|
||||
SECItem *result = NULL, *dest, *src;
|
||||
SECItem *dest, *src;
|
||||
void *mark;
|
||||
|
||||
PK11SymKey *eKey = NULL;
|
||||
@ -645,9 +645,6 @@ SEC_PKCS7DecryptContents(PLArenaPool *poolp,
|
||||
|
||||
loser:
|
||||
/* let success fall through */
|
||||
if(result != NULL)
|
||||
SECITEM_ZfreeItem(result, PR_TRUE);
|
||||
|
||||
if(rv == SECFailure)
|
||||
PORT_ArenaRelease(poolp, mark);
|
||||
else
|
||||
|
@ -227,7 +227,7 @@ NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentIn
|
||||
void *
|
||||
NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo)
|
||||
{
|
||||
SECOidTag tag = (cinfo && cinfo->contentTypeTag)
|
||||
SECOidTag tag = cinfo->contentTypeTag
|
||||
? cinfo->contentTypeTag->offset
|
||||
: SEC_OID_UNKNOWN;
|
||||
switch (tag) {
|
||||
|
@ -404,6 +404,7 @@ NSS_CMSSignerInfo_Verify(NSSCMSSignerInfo *signerinfo,
|
||||
if (NSS_CMSAttributeArray_Encode(poolp, &(signerinfo->authAttr),
|
||||
&encoded_attrs) == NULL ||
|
||||
encoded_attrs.data == NULL || encoded_attrs.len == 0) {
|
||||
PORT_FreeArena(poolp, PR_FALSE);
|
||||
vs = NSSCMSVS_ProcessingError;
|
||||
goto loser;
|
||||
}
|
||||
|
@ -20,7 +20,19 @@ include $(CORE_DEPTH)/coreconf/config.mk
|
||||
# (3) Include "component" configuration information. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
|
||||
ifdef NSS_NO_INIT_SUPPORT
|
||||
DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||
endif
|
||||
ifeq ($(OS_TARGET),Linux)
|
||||
ifeq ($(CPU_ARCH),ppc)
|
||||
ifdef USE_64
|
||||
DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||
endif # USE_64
|
||||
endif # ppc
|
||||
else # !Linux
|
||||
# turn off no init support everywhere for now
|
||||
DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||
endif # Linux
|
||||
|
||||
#######################################################################
|
||||
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
|
||||
|
@ -479,14 +479,6 @@ lg_HashNumber(const void *key)
|
||||
return (PLHashNumber)((char *)key - (char *)NULL);
|
||||
}
|
||||
|
||||
PRIntn
|
||||
lg_CompareValues(const void *v1, const void *v2)
|
||||
{
|
||||
PLHashNumber value1 = lg_HashNumber(v1);
|
||||
PLHashNumber value2 = lg_HashNumber(v2);
|
||||
return (value1 == value2);
|
||||
}
|
||||
|
||||
/*
|
||||
* helper function to wrap a NSSLOWCERTCertDBHandle or a NSSLOWKEYDBHandle
|
||||
* with and sdb structure.
|
||||
@ -515,7 +507,7 @@ lg_init(SDB **pSdb, int flags, NSSLOWCERTCertDBHandle *certdbPtr,
|
||||
if (lgdb_p->dbLock == NULL) {
|
||||
goto loser;
|
||||
}
|
||||
lgdb_p->hashTable = PL_NewHashTable(64, lg_HashNumber, lg_CompareValues,
|
||||
lgdb_p->hashTable = PL_NewHashTable(64, lg_HashNumber, PL_CompareValues,
|
||||
SECITEM_HashCompare, NULL, 0);
|
||||
if (lgdb_p->hashTable == NULL) {
|
||||
goto loser;
|
||||
|
@ -303,8 +303,10 @@ lg_mkHandle(SDB *sdb, SECItem *dbKey, CK_OBJECT_HANDLE class)
|
||||
/* there is only one KRL, use a fixed handle for it */
|
||||
if (handle != LG_TOKEN_KRL_HANDLE) {
|
||||
lg_XORHash(hashBuf,dbKey->data,dbKey->len);
|
||||
handle = (hashBuf[0] << 24) | (hashBuf[1] << 16) |
|
||||
(hashBuf[2] << 8) | hashBuf[3];
|
||||
handle = ((CK_OBJECT_HANDLE)hashBuf[0] << 24) |
|
||||
((CK_OBJECT_HANDLE)hashBuf[1] << 16) |
|
||||
((CK_OBJECT_HANDLE)hashBuf[2] << 8) |
|
||||
(CK_OBJECT_HANDLE)hashBuf[3];
|
||||
handle = class | (handle & ~(LG_TOKEN_TYPE_MASK|LG_TOKEN_MASK));
|
||||
/* we have a CRL who's handle has randomly matched the reserved KRL
|
||||
* handle, increment it */
|
||||
|
@ -3381,13 +3381,10 @@ AddCertToPermDB(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTCertificate *cert,
|
||||
loser:
|
||||
/* don't leave partial entry in the database */
|
||||
if ( state > 0 ) {
|
||||
rv = DeleteDBCertEntry(handle, &cert->certKey);
|
||||
DeleteDBCertEntry(handle, &cert->certKey);
|
||||
}
|
||||
if ( ( state > 1 ) && donnentry ) {
|
||||
rv = DeleteDBNicknameEntry(handle, nickname);
|
||||
}
|
||||
if ( state > 2 ) {
|
||||
rv = DeleteDBSubjectEntry(handle, &cert->derSubject);
|
||||
DeleteDBNicknameEntry(handle, nickname);
|
||||
}
|
||||
if ( certEntry ) {
|
||||
DestroyDBEntry((certDBEntry *)certEntry);
|
||||
|
@ -2577,6 +2577,7 @@ finish_rsa:
|
||||
}
|
||||
intpointer = PORT_New(CK_ULONG);
|
||||
if (intpointer == NULL) {
|
||||
PORT_Free(ctx);
|
||||
crv = CKR_HOST_MEMORY;
|
||||
break;
|
||||
}
|
||||
@ -2606,6 +2607,7 @@ finish_rsa:
|
||||
}
|
||||
intpointer = PORT_New(CK_ULONG);
|
||||
if (intpointer == NULL) {
|
||||
PORT_Free(ctx);
|
||||
crv = CKR_HOST_MEMORY;
|
||||
break;
|
||||
}
|
||||
|
@ -94,19 +94,19 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
|
||||
/* cipher_suite policy enabled isPresent */
|
||||
|
||||
#ifndef NSS_DISABLE_ECC
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
/* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
|
||||
* bug 946147.
|
||||
*/
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
@ -4731,6 +4731,11 @@ ssl3_ComputeHandshakeHashes(sslSocket * ss,
|
||||
SSL3Opaque sha_inner[MAX_MAC_LENGTH];
|
||||
|
||||
PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
|
||||
if (ss->ssl3.hs.hashType == handshake_hash_unknown) {
|
||||
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
hashes->hashAlg = ssl_hash_none;
|
||||
|
||||
#ifndef NO_PKCS11_BYPASS
|
||||
@ -4769,7 +4774,6 @@ ssl3_ComputeHandshakeHashes(sslSocket * ss,
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
|
||||
s[0] = (unsigned char)(sender >> 24);
|
||||
s[1] = (unsigned char)(sender >> 16);
|
||||
s[2] = (unsigned char)(sender >> 8);
|
||||
@ -4906,7 +4910,6 @@ tls12_loser:
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
|
||||
s[0] = (unsigned char)(sender >> 24);
|
||||
s[1] = (unsigned char)(sender >> 16);
|
||||
s[2] = (unsigned char)(sender >> 8);
|
||||
@ -6958,7 +6961,6 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
||||
|
||||
peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
|
||||
if (peerKey == NULL) {
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
goto no_memory;
|
||||
}
|
||||
|
||||
@ -6969,7 +6971,6 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
||||
if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus, &modulus) ||
|
||||
SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent))
|
||||
{
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
goto no_memory;
|
||||
}
|
||||
ss->sec.peerKey = peerKey;
|
||||
@ -7069,7 +7070,7 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
||||
goto no_memory;
|
||||
}
|
||||
|
||||
ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
|
||||
peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
|
||||
if (peerKey == NULL) {
|
||||
goto no_memory;
|
||||
}
|
||||
@ -7083,7 +7084,6 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
||||
SECITEM_CopyItem(arena, &peerKey->u.dh.base, &dh_g) ||
|
||||
SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue, &dh_Ys))
|
||||
{
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
goto no_memory;
|
||||
}
|
||||
ss->sec.peerKey = peerKey;
|
||||
@ -7106,10 +7106,16 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
||||
alert_loser:
|
||||
(void)SSL3_SendAlert(ss, alert_fatal, desc);
|
||||
loser:
|
||||
if (arena) {
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
}
|
||||
PORT_SetError( errCode );
|
||||
return SECFailure;
|
||||
|
||||
no_memory: /* no-memory error has already been set. */
|
||||
if (arena) {
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
}
|
||||
ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
|
||||
return SECFailure;
|
||||
}
|
||||
@ -9555,6 +9561,13 @@ ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
|
||||
goto alert_loser;
|
||||
}
|
||||
|
||||
if (!hashes) {
|
||||
PORT_Assert(0);
|
||||
desc = internal_error;
|
||||
errCode = SEC_ERROR_LIBRARY_FAILURE;
|
||||
goto alert_loser;
|
||||
}
|
||||
|
||||
if (isTLS12) {
|
||||
rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
|
||||
&sigAndHash);
|
||||
@ -11215,6 +11228,13 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
if (!hashes) {
|
||||
PORT_Assert(0);
|
||||
SSL3_SendAlert(ss, alert_fatal, internal_error);
|
||||
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
isTLS = (PRBool)(ss->ssl3.crSpec->version > SSL_LIBRARY_VERSION_3_0);
|
||||
if (isTLS) {
|
||||
TLSFinished tlsFinished;
|
||||
@ -11440,6 +11460,7 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
||||
SECStatus rv = SECSuccess;
|
||||
SSL3HandshakeType type = ss->ssl3.hs.msg_type;
|
||||
SSL3Hashes hashes; /* computed hashes are put here. */
|
||||
SSL3Hashes *hashesPtr = NULL; /* Set when hashes are computed */
|
||||
PRUint8 hdr[4];
|
||||
PRUint8 dtlsData[8];
|
||||
|
||||
@ -11450,7 +11471,8 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
||||
* current message.
|
||||
*/
|
||||
ssl_GetSpecReadLock(ss); /************************************/
|
||||
if((type == finished) || (type == certificate_verify)) {
|
||||
if(((type == finished) && (ss->ssl3.hs.ws == wait_finished)) ||
|
||||
((type == certificate_verify) && (ss->ssl3.hs.ws == wait_cert_verify))) {
|
||||
SSL3Sender sender = (SSL3Sender)0;
|
||||
ssl3CipherSpec *rSpec = ss->ssl3.prSpec;
|
||||
|
||||
@ -11459,6 +11481,9 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
||||
rSpec = ss->ssl3.crSpec;
|
||||
}
|
||||
rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
|
||||
if (rv == SECSuccess) {
|
||||
hashesPtr = &hashes;
|
||||
}
|
||||
}
|
||||
ssl_ReleaseSpecReadLock(ss); /************************************/
|
||||
if (rv != SECSuccess) {
|
||||
@ -11609,7 +11634,7 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
||||
PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
|
||||
return SECFailure;
|
||||
}
|
||||
rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes);
|
||||
rv = ssl3_HandleCertificateVerify(ss, b, length, hashesPtr);
|
||||
break;
|
||||
case client_key_exchange:
|
||||
if (!ss->sec.isServer) {
|
||||
@ -11628,7 +11653,7 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
||||
rv = ssl3_HandleNewSessionTicket(ss, b, length);
|
||||
break;
|
||||
case finished:
|
||||
rv = ssl3_HandleFinished(ss, b, length, &hashes);
|
||||
rv = ssl3_HandleFinished(ss, b, length, hashesPtr);
|
||||
break;
|
||||
default:
|
||||
(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
|
||||
|
@ -704,7 +704,7 @@ ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
||||
goto no_memory;
|
||||
}
|
||||
|
||||
ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
|
||||
peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
|
||||
if (peerKey == NULL) {
|
||||
goto no_memory;
|
||||
}
|
||||
@ -725,7 +725,6 @@ ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
||||
/* copy publicValue in peerKey */
|
||||
if (SECITEM_CopyItem(arena, &peerKey->u.ec.publicValue, &ec_point))
|
||||
{
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
goto no_memory;
|
||||
}
|
||||
peerKey->pkcs11Slot = NULL;
|
||||
@ -739,10 +738,16 @@ ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
||||
alert_loser:
|
||||
(void)SSL3_SendAlert(ss, alert_fatal, desc);
|
||||
loser:
|
||||
if (arena) {
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
}
|
||||
PORT_SetError( errCode );
|
||||
return SECFailure;
|
||||
|
||||
no_memory: /* no-memory error has already been set. */
|
||||
if (arena) {
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
}
|
||||
ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
|
||||
return SECFailure;
|
||||
}
|
||||
|
@ -201,7 +201,7 @@ run_cycle_upgrade_db()
|
||||
|
||||
# run the subset of tests with the upgraded database
|
||||
TESTS="${ALL_TESTS}"
|
||||
TESTS_SKIP="cipher libpkix cert dbtests sdr ocsp pkits chains"
|
||||
TESTS_SKIP="cipher libpkix cert dbtests sdr ocsp pkits chains ssl_gtests"
|
||||
|
||||
echo "${NSS_SSL_TESTS}" | grep "_" > /dev/null
|
||||
RET=$?
|
||||
@ -232,7 +232,7 @@ run_cycle_shared_db()
|
||||
|
||||
# run the tests for native sharedb support
|
||||
TESTS="${ALL_TESTS}"
|
||||
TESTS_SKIP="cipher libpkix dbupgrade sdr ocsp pkits"
|
||||
TESTS_SKIP="cipher libpkix dbupgrade sdr ocsp pkits ssl_gtests"
|
||||
|
||||
echo "${NSS_SSL_TESTS}" | grep "_" > /dev/null
|
||||
RET=$?
|
||||
@ -273,7 +273,7 @@ run_cycles()
|
||||
cycles="standard pkix upgradedb sharedb"
|
||||
CYCLES=${NSS_CYCLES:-$cycles}
|
||||
|
||||
tests="cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
|
||||
tests="cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ssl_gtests"
|
||||
TESTS=${NSS_TESTS:-$tests}
|
||||
|
||||
ALL_TESTS=${TESTS}
|
||||
|
@ -234,7 +234,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
|
||||
HTML_FAILED='</TD><TD bgcolor=red>Failed</TD><TR>'
|
||||
HTML_FAILED_CORE='</TD><TD bgcolor=red>Failed Core</TD><TR>'
|
||||
HTML_PASSED='</TD><TD bgcolor=lightGreen>Passed</TD><TR>'
|
||||
HTML_UNKNOWN='</TD><TD>Unknown/TD><TR>'
|
||||
HTML_UNKNOWN='</TD><TD>Unknown</TD><TR>'
|
||||
TABLE_ARGS=
|
||||
|
||||
|
||||
|
@ -437,10 +437,10 @@ ssl_stapling_sub()
|
||||
start_selfserv
|
||||
|
||||
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
|
||||
echo " -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
|
||||
echo " -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
|
||||
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
|
||||
${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
|
||||
-d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
|
||||
-d ${P_R_CLIENTDIR} -v -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
|
||||
>${TMP}/$HOST.tmp.$$ 2>&1
|
||||
ret=$?
|
||||
cat ${TMP}/$HOST.tmp.$$
|
||||
|
@ -65,12 +65,12 @@
|
||||
# SNI Tests
|
||||
#
|
||||
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
|
||||
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
|
||||
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
|
||||
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
|
||||
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
|
||||
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
|
||||
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
|
||||
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
|
||||
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
|
||||
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
|
||||
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
|
||||
SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
|
||||
SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
|
||||
SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
|
||||
SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
|
||||
SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
|
||||
|
Loading…
Reference in New Issue
Block a user