Red Hat Bugzilla – Attachment 584429 Details for
Bug 689918
Build NSS without any softoken or util sources present in the tree
[patch]
Disable ssl pkcs11 bypass at build time and preserve ABI
Bug-806588-disable-sslbypass.patch (text/plain), 18.24 KB, created by
Elio Maldonado Batiz
on 2012-05-14 18:13:55 UTC
Description:
Disable ssl pkcs11 bypass at build time and preserve ABI
Creator:
Elio Maldonado Batiz
Created:
2012-05-14 18:13:55 UTC
Size:
18.24 KB
>Index: ./mozilla/security/nss/cmd/selfserv/selfserv.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/selfserv/selfserv.c,v
>retrieving revision 1.99
>diff -u -p -r1.99 selfserv.c
>--- ./mozilla/security/nss/cmd/selfserv/selfserv.c 1 Mar 2012 18:38:24 -0000 1.99
>+++ ./mozilla/security/nss/cmd/selfserv/selfserv.c 13 May 2012 07:06:17 -0000
>@@ -1684,7 +1684,7 @@ server_main(
> }
> if (bypassPKCS11) {
> rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, PR_TRUE);
>- if (rv != SECSuccess) {
>+ if (rv != SECSuccess && (PR_NOT_IMPLEMENTED_ERROR != PORT_GetError())) {
> errExit("error enabling PKCS11 bypass ");
> }
> }
>Index: ./mozilla/security/nss/cmd/strsclnt/strsclnt.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/strsclnt/strsclnt.c,v
>retrieving revision 1.70
>diff -u -p -r1.70 strsclnt.c
>--- ./mozilla/security/nss/cmd/strsclnt/strsclnt.c 6 Oct 2011 22:42:32 -0000 1.70
>+++ ./mozilla/security/nss/cmd/strsclnt/strsclnt.c 13 May 2012 07:06:17 -0000
>@@ -1226,7 +1226,7 @@ client_main(
>
> if (bypassPKCS11) {
> rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, 1);
>- if (rv < 0) {
>+ if (rv < 0 && (PR_NOT_IMPLEMENTED_ERROR != PORT_GetError())) {
> errExit("SSL_OptionSet SSL_BYPASS_PKCS11");
> }
> }
>Index: ./mozilla/security/nss/cmd/tstclnt/tstclnt.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/cmd/tstclnt/tstclnt.c,v
>retrieving revision 1.69
>diff -u -p -r1.69 tstclnt.c
>--- ./mozilla/security/nss/cmd/tstclnt/tstclnt.c 15 Feb 2012 21:52:08 -0000 1.69
>+++ ./mozilla/security/nss/cmd/tstclnt/tstclnt.c 13 May 2012 07:06:17 -0000
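Review bot: In the selfserv.c hunk the new condition `rv != SECSuccess && (PR_NOT_IMPLEMENTED_ERROR != PORT_GetError())` turns a failed request for bypass into a silent no-op when the library reports not-implemented, so the run continues through PKCS #11 although the operator asked for bypass and nothing tells them so. A one-line diagnostic in that case would keep test results honest, for example `fprintf(stderr, "selfserv: PKCS11 bypass not available in this build, continuing without it\n");`. The same condition is added in the strsclnt.c hunk (`rv < 0 && ...`) and in the tstclnt.c hunk, and the same remark applies there. The enclosing functions start and end outside these hunks.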
>@@ -905,7 +905,7 @@ int main(int argc, char **argv)
>
> /* enable PKCS11 bypass */
> rv = SSL_OptionSet(s, SSL_BYPASS_PKCS11, bypassPKCS11);
>- if (rv != SECSuccess) {
>+ if (rv != SECSuccess && (PR_NOT_IMPLEMENTED_ERROR != PORT_GetError())) {
> SECU_PrintError(progName, "error enabling PKCS11 bypass");
> return 1;
> }
>Index: ./mozilla/security/nss/lib/ssl/config.mk
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/lib/ssl/config.mk,v
>retrieving revision 1.31
>diff -u -p -r1.31 config.mk
>--- ./mozilla/security/nss/lib/ssl/config.mk 4 Feb 2010 19:09:08 -0000 1.31
>+++ ./mozilla/security/nss/lib/ssl/config.mk 13 May 2012 07:06:17 -0000
>@@ -39,6 +39,13 @@ ifdef NISCC_TEST
> DEFINES += -DNISCC_TEST
> endif
>
>+ifdef NSS_NO_PKCS11_BYPASS
>+DEFINES += -DNO_PKCS11_BYPASS
>+ifdef NSS_PRESERVE_ABI
>+DEFINES += -DPRESERVE_ABI
>+endif
>+endif
>+
> ifdef NSS_SURVIVE_DOUBLE_BYPASS_FAILURE
> DEFINES += -DNSS_SURVIVE_DOUBLE_BYPASS_FAILURE
> endif
>Index: ./mozilla/security/nss/lib/ssl/derive.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/lib/ssl/derive.c,v
>retrieving revision 1.13
>diff -u -p -r1.13 derive.c
>--- ./mozilla/security/nss/lib/ssl/derive.c 22 Mar 2011 22:15:22 -0000 1.13
>+++ ./mozilla/security/nss/lib/ssl/derive.c 13 May 2012 07:06:17 -0000
>@@ -587,7 +587,21 @@ SECStatus
> SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
> PRUint32 protocolmask, PRUint16 *ciphersuites, int nsuites,
> PRBool *pcanbypass, void *pwArg)
>-{ SECStatus rv;
>+{
>+#ifdef NO_PKCS11_BYPASS
>+ if (!pcanbypass) {
>+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
>+ return SECFailure;
>+ }
>+#ifdef PRESERVE_ABI
>+ return PR_SUCCESS;
>+#else
>+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
>+ *pcanbypass = PR_FALSE;
>+ return PR_FAILURE;
>+#endif /* PRESERVE_ABI */
>+#else
>+ SECStatus rv;
> int i;
> PRUint16 suite;
> PK11SymKey * pms = NULL;
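Review bot: The two macros this config.mk hunk hands to the compiler, `-DNO_PKCS11_BYPASS` and `-DPRESERVE_ABI`, drop the `NSS_` prefix that the make variables and the neighbouring `-DNSS_SURVIVE_DOUBLE_BYPASS_FAILURE` carry, and `PRESERVE_ABI` is generic enough to collide with a define from another component. Prefixed names such as `-DNSS_NO_PKCS11_BYPASS` would avoid that. Because the inner `ifdef` is nested, `NSS_PRESERVE_ABI` has no effect on its own; a comment such as `# NSS_PRESERVE_ABI is honoured only together with NSS_NO_PKCS11_BYPASS` would spare a builder from finding that out by experiment.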
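Review bot: In the `PRESERVE_ABI` branch of the derive.c hunk, SSL_CanBypass returns success without writing `*pcanbypass`, so a caller that trusts the return code reads whatever the variable held before the call and may conclude that bypass is available; add `*pcanbypass = PR_FALSE;` before that return. The function is declared to return SECStatus, yet the new returns use `PR_SUCCESS` and `PR_FAILURE`, which are PRStatus values; `return SECSuccess;` and `return SECFailure;` would match the `SECFailure` used a few lines above in the same block. The body continues outside the hunk, and the matching `#endif` is in the next hunk.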
>@@ -877,5 +890,6 @@ SSL_CanBypass(CERTCertificate *cert, SEC
>
>
> return rv;
>+#endif /* ndef NO_PKCS11_BYPASS */
> }
>
>Index: ./mozilla/security/nss/lib/ssl/ssl3con.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v
>retrieving revision 1.167
>diff -u -p -r1.167 ssl3con.c
>--- ./mozilla/security/nss/lib/ssl/ssl3con.c 6 Mar 2012 02:23:25 -0000 1.167
>+++ ./mozilla/security/nss/lib/ssl/ssl3con.c 13 May 2012 07:06:18 -0000
>@@ -1007,10 +1007,12 @@ ssl3_ComputeCommonKeyHash(PRUint8 * hash
> {
> SECStatus rv = SECSuccess;
>
>+#ifndef NO_PKCS11_BYPASS
> if (bypassPKCS11) {
> MD5_HashBuf (hashes->md5, hashBuf, bufLen);
> SHA1_HashBuf(hashes->sha, hashBuf, bufLen);
> } else {
>+#endif
> rv = PK11_HashBuf(SEC_OID_MD5, hashes->md5, hashBuf, bufLen);
> if (rv != SECSuccess) {
> ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
>@@ -1023,7 +1025,9 @@ ssl3_ComputeCommonKeyHash(PRUint8 * hash
> ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
> rv = SECFailure;
> }
>+#ifndef NO_PKCS11_BYPASS
> }
>+#endif
> done:
> return rv;
> }
>@@ -1788,6 +1792,7 @@ ssl3_InitPendingCipherSpec(sslSocket *ss
> goto done; /* err code set by ssl3_DeriveMasterSecret */
> }
> }
>+#ifndef NO_PKCS11_BYPASS
> if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) {
> /* Double Bypass succeeded in extracting the master_secret */
> const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
>@@ -1803,6 +1808,9 @@ ssl3_InitPendingCipherSpec(sslSocket *ss
> rv = ssl3_InitPendingContextsBypass(ss);
> }
> } else if (pwSpec->master_secret) {
>+#else
>+ if (pwSpec->master_secret) {
>+#endif
> rv = ssl3_DeriveConnectionKeysPKCS11(ss);
> if (rv == SECSuccess) {
> rv = ssl3_InitPendingContextsPKCS11(ss);
>@@ -1915,6 +1923,21 @@ ssl3_ComputeRecordMAC(
> rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
> } else {
> /* bypass version */
>+/* NOTE: An assertion here would cause a memory leak detected by the
>+ * SSL2 RC4 128 with MD5 stress test. The stress passe but when trying
>+ * to shutdown the server a numLeaks=0 assertion would fail causing a
>+ * coredump.
>+ */
>+#ifdef NO_PKCS11_BYPASS
>+#ifdef PRESERVE_ABI
>+ rv = SECFailure;
>+#else
>+ /* Should this code path have been prevented? */
>+ /*PORT_Assert(!ss->opt.bypassPKCS11); */
>+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
>+ return SECFailure;
>+#endif
>+#else
> const SECHashObject *hashObj = NULL;
> unsigned int pad_bytes = 0;
> PRUint64 write_mac_context[MAX_MAC_CONTEXT_LLONGS];
>@@ -1996,6 +2019,7 @@ ssl3_ComputeRecordMAC(
> }
> #undef cx
> }
>+#endif
> }
>
> PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size);
>@@ -2995,6 +3019,7 @@ ssl3_DeriveMasterSecret(sslSocket *ss, P
> ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
> return rv;
> }
>+#ifndef NO_PKCS11_BYPASS
> if (ss->opt.bypassPKCS11) {
> SECItem * keydata;
> /* In hope of doing a "double bypass",
>@@ -3030,6 +3055,7 @@ ssl3_DeriveMasterSecret(sslSocket *ss, P
> return SECFailure;
> }
> }
>+#endif
> return SECSuccess;
> }
>
>@@ -3177,11 +3203,13 @@ ssl3_RestartHandshakeHashes(sslSocket *s
> {
> SECStatus rv = SECSuccess;
>
>+#ifndef NO_PKCS11_BYPASS
> if (ss->opt.bypassPKCS11) {
> ss->ssl3.hs.messages.len = 0;
> MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
> SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
> } else {
>+#endif
> rv = PK11_DigestBegin(ss->ssl3.hs.md5);
> if (rv != SECSuccess) {
> ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
>@@ -3192,7 +3220,9 @@ ssl3_RestartHandshakeHashes(sslSocket *s
> ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
> return rv;
> }
>+#ifndef NO_PKCS11_BYPASS
> }
>+#endif
> return rv;
> }
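Review bot: In the ssl3_ComputeRecordMAC hunk (-1915) the `PRESERVE_ABI` branch sets `rv = SECFailure;` without calling PORT_SetError, while the other branch sets `SEC_ERROR_LIBRARY_FAILURE` and returns at once, so the same path fails in two different ways and one of them leaves a stale error code for the caller. Using `PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);` followed by `rv = SECFailure;` in both branches would give one behaviour; the early `return` may also skip cleanup that follows the block, which is outside the hunk. The commented-out `PORT_Assert` and the question "Should this code path have been prevented?" suggest the bypass branch can still be entered in a no-bypass build, and that is better settled in the code than left as a comment, since a record MAC that cannot be computed is a hard failure for the connection. The condition that selects this `else` is not visible in the hunk.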
>
>@@ -3208,11 +3238,13 @@ ssl3_NewHandshakeHashes(sslSocket *ss)
> * that the master secret will wind up in ...
> */
> SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
>+#ifndef NO_PKCS11_BYPASS
> if (ss->opt.bypassPKCS11) {
> PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
> ss->ssl3.hs.messages.buf = NULL;
> ss->ssl3.hs.messages.space = 0;
> } else {
>+#endif
> ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5);
> ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1);
> if (md5 == NULL) {
>@@ -3223,7 +3255,9 @@ ssl3_NewHandshakeHashes(sslSocket *ss)
> ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
> goto loser;
> }
>+#ifndef NO_PKCS11_BYPASS
> }
>+#endif
> if (SECSuccess == ssl3_RestartHandshakeHashes(ss)) {
> return SECSuccess;
> }
>@@ -3260,6 +3294,7 @@ ssl3_UpdateHandshakeHashes(sslSocket *ss
>
> PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l));
>
>+#ifndef NO_PKCS11_BYPASS
> if (ss->opt.bypassPKCS11) {
> MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
> SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
>@@ -3268,6 +3303,7 @@ ssl3_UpdateHandshakeHashes(sslSocket *ss
> #endif
> return rv;
> }
>+#endif
> rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
> if (rv != SECSuccess) {
> ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
>@@ -3524,6 +3560,7 @@ ssl3_ComputeHandshakeHashes(sslSocket *
>
> PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
>
>+#ifndef NO_PKCS11_BYPASS
> if (ss->opt.bypassPKCS11) {
> /* compute them without PKCS11 */
> PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
>@@ -3607,6 +3644,9 @@ ssl3_ComputeHandshakeHashes(sslSocket *
> #undef md5cx
> #undef shacx
> } else {
>+#else
>+ {
>+#endif /* notdef NO_PKCS11_BYPASS */
> /* compute hases with PKCS11 */
> PK11Context * md5;
> PK11Context * sha = NULL;
>@@ -5139,12 +5179,14 @@ ssl3_HandleServerHello(sslSocket *ss, SS
> PK11SymKey * wrapKey; /* wrapping key */
> CK_FLAGS keyFlags = 0;
>
>+#ifndef NO_PKCS11_BYPASS
> if (ss->opt.bypassPKCS11) {
> /* we cannot restart a non-bypass session in a
> ** bypass socket.
> */
> break;
> }
>+#endif
> /* unwrap master secret with PKCS11 */
> slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
> sid->u.ssl3.masterSlotID);
>@@ -5179,6 +5221,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS
> if (pwSpec->master_secret == NULL) {
> break; /* errorCode set just after call to UnwrapSymKey. */
> }
>+#ifndef NO_PKCS11_BYPASS
> } else if (ss->opt.bypassPKCS11) {
> /* MS is not wrapped */
> wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
>@@ -5186,6 +5229,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS
> memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
> pwSpec->msItem.data = pwSpec->raw_master_secret;
> pwSpec->msItem.len = wrappedMS.len;
>+#endif
> } else {
> /* We CAN restart a bypass session in a non-bypass socket. */
> /* need to import the raw master secret to session object */
>@@ -6453,12 +6497,14 @@ compression_found:
> if (pwSpec->master_secret == NULL) {
> break; /* not an error */
> }
>+#ifndef NO_PKCS11_BYPASS
> } else if (ss->opt.bypassPKCS11) {
> wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
> wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
> memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
> pwSpec->msItem.data = pwSpec->raw_master_secret;
> pwSpec->msItem.len = wrappedMS.len;
>+#endif
> } else {
> /* We CAN restart a bypass session in a non-bypass socket. */
> /* need to import the raw master secret to session object */
>@@ -7410,6 +7456,7 @@ ssl3_HandleRSAClientKeyExchange(sslSocke
> isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0);
> }
>
>+#ifndef NO_PKCS11_BYPASS
> if (ss->opt.bypassPKCS11) {
> /* TRIPLE BYPASS, get PMS directly from RSA decryption.
> * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer,
>@@ -7443,6 +7490,7 @@ ssl3_HandleRSAClientKeyExchange(sslSocke
> rv = ssl3_InitPendingCipherSpec(ss, NULL);
> } else {
> double_bypass:
>+#endif
> /*
> * unwrap pms out of the incoming buffer
> * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do
>@@ -7474,7 +7522,9 @@ double_bypass:
> /* This step will derive the MS from the PMS, among other things. */
> rv = ssl3_InitPendingCipherSpec(ss, pms);
> PK11_FreeSymKey(pms);
>+#ifndef NO_PKCS11_BYPASS
> }
>+#endif
>
> if (rv != SECSuccess) {
> SEND_ALERT
>@@ -9587,10 +9637,12 @@ ssl3_DestroySSL3Info(sslSocket *ss)
> }
>
> /* clean up handshake */
>+#ifndef NO_PKCS11_BYPASS
> if (ss->opt.bypassPKCS11) {
> SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
> MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
> }
>+#endif
> if (ss->ssl3.hs.md5) {
> PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
> }
>Index: ./mozilla/security/nss/lib/ssl/ssl3ext.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3ext.c,v
>retrieving revision 1.22
>diff -u -p -r1.22 ssl3ext.c
>--- ./mozilla/security/nss/lib/ssl/ssl3ext.c 12 Mar 2012 19:14:12 -0000 1.22
>+++ ./mozilla/security/nss/lib/ssl/ssl3ext.c 13 May 2012 07:06:18 -0000
>@@ -721,6 +721,7 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
> rv = PK11_GenerateRandom(iv, sizeof(iv));
> if (rv != SECSuccess) goto loser;
>
>+#ifndef NO_PKCS11_BYPASS
> if (ss->opt.bypassPKCS11) {
> rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
> &mac_key, &mac_key_length);
>@@ -728,6 +729,9 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
> rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
> &mac_key_pkcs11);
> }
>+#else
>+ rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11, &mac_key_pkcs11);
>+#endif
> if (rv != SECSuccess) goto loser;
>
> if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) {
>@@ -891,6 +895,7 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
> }
>
> /* Generate encrypted portion of ticket. */
>+#ifndef NO_PKCS11_BYPASS
> if (ss->opt.bypassPKCS11) {
> aes_ctx = (AESContext *)aes_ctx_buf;
> rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv,
>@@ -902,6 +907,7 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
> plaintext_item.len);
> if (rv != SECSuccess) goto loser;
> } else {
>+#endif
> aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
> CKA_ENCRYPT, aes_key_pkcs11, &ivItem);
> if (!aes_ctx_pkcs11)
>@@ -913,13 +919,16 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
> PK11_Finalize(aes_ctx_pkcs11);
> PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
> if (rv != SECSuccess) goto loser;
>+#ifndef NO_PKCS11_BYPASS
> }
>+#endif
>
> /* Convert ciphertext length to network order. */
> length_buf[0] = (ciphertext.len >> 8) & 0xff;
> length_buf[1] = (ciphertext.len ) & 0xff;
>
> /* Compute MAC. */
>+#ifndef NO_PKCS11_BYPASS
> if (ss->opt.bypassPKCS11) {
> hmac_ctx = (HMACContext *)hmac_ctx_buf;
> hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
>@@ -935,6 +944,9 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
> HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
> sizeof(computed_mac));
> } else {
>+#else
>+ {
>+#endif
> SECItem macParam;
> macParam.data = NULL;
> macParam.len = 0;
>@@ -1074,6 +1086,7 @@ ssl3_ServerHandleSessionTicketXtn(sslSoc
> return SECFailure;
>
> /* Get session ticket keys. */
>+#ifndef NO_PKCS11_BYPASS
> if (ss->opt.bypassPKCS11) {
> rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
> &mac_key, &mac_key_length);
>@@ -1081,6 +1094,10 @@ ssl3_ServerHandleSessionTicketXtn(sslSoc
> rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
> &mac_key_pkcs11);
> }
>+#else
>+ rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
>+ &mac_key_pkcs11);
>+#endif
> if (rv != SECSuccess) {
> SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.",
> SSL_GETPID(), ss->fd));
>@@ -1100,6 +1117,7 @@ ssl3_ServerHandleSessionTicketXtn(sslSoc
> /* Verify the MAC on the ticket. MAC verification may also
> * fail if the MAC key has been recently refreshed.
> */
>+#ifndef NO_PKCS11_BYPASS
> if (ss->opt.bypassPKCS11) {
> hmac_ctx = (HMACContext *)hmac_ctx_buf;
> hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
>@@ -1113,6 +1131,9 @@ ssl3_ServerHandleSessionTicketXtn(sslSoc
> sizeof(computed_mac)) != SECSuccess)
> goto no_ticket;
> } else {
>+#else
>+ {
>+#endif
> SECItem macParam;
> macParam.data = NULL;
> macParam.len = 0;
>@@ -1156,6 +1177,7 @@ ssl3_ServerHandleSessionTicketXtn(sslSoc
> decrypted_state = SECITEM_AllocItem(NULL, NULL,
> enc_session_ticket.encrypted_state.len);
>
>+#ifndef NO_PKCS11_BYPASS
> if (ss->opt.bypassPKCS11) {
> aes_ctx = (AESContext *)aes_ctx_buf;
> rv = AES_InitContext(aes_ctx, aes_key,
>@@ -1174,6 +1196,9 @@ ssl3_ServerHandleSessionTicketXtn(sslSoc
> if (rv != SECSuccess)
> goto no_ticket;
> } else {
>+#else
>+ {
>+#endif
> SECItem ivItem;
> ivItem.data = enc_session_ticket.iv;
> ivItem.len = AES_BLOCK_SIZE;
>@@ -1347,9 +1372,11 @@ ssl3_ServerHandleSessionTicketXtn(sslSoc
> sid->keaKeyBits = parsed_session_ticket->keaKeyBits;
>
> /* Copy master secret. */
>+#ifndef NO_PKCS11_BYPASS
> if (ss->opt.bypassPKCS11 &&
> parsed_session_ticket->ms_is_wrapped)
> goto no_ticket;
>+#endif
> if (parsed_session_ticket->ms_length >
> sizeof(sid->u.ssl3.keys.wrapped_master_secret))
> goto no_ticket;
>Index: ./mozilla/security/nss/lib/ssl/sslsock.c
>===================================================================
>RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v
>retrieving revision 1.82.2.1
>diff -u -p -r1.82.2.1 sslsock.c
>--- ./mozilla/security/nss/lib/ssl/sslsock.c 31 Mar 2012 23:16:38 -0000 1.82.2.1
>+++ ./mozilla/security/nss/lib/ssl/sslsock.c 13 May 2012 07:06:18 -0000
>@@ -559,7 +559,16 @@ static PRStatus SSL_BypassRegisterShutdo
>
> static PRStatus SSL_BypassSetup(void)
> {
>+#ifdef NO_PKCS11_BYPASS
>+#ifdef PRESERVE_ABI
>+ return PR_SUCCESS;
>+#else
>+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
>+ return PR_FAILURE;
>+#endif
>+#else
> return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
>+#endif
> }
>
> SECStatus
>@@ -688,7 +697,11 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
> } else {
> if (PR_FALSE != on) {
> if (PR_SUCCESS == SSL_BypassSetup() ) {
>+#ifdef NO_PKCS11_BYPASS
>+ ss->opt.bypassPKCS11 = PR_FALSE;
>+#else
> ss->opt.bypassPKCS11 = on;
>+#endif
> } else {
> rv = SECFailure;
> }
>@@ -972,7 +984,11 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
> case SSL_BYPASS_PKCS11:
> if (PR_FALSE != on) {
> if (PR_SUCCESS == SSL_BypassSetup()) {
>+#ifdef NO_PKCS11_BYPASS
>+ ssl_defaults.bypassPKCS11 = PR_FALSE;
>+#else
> ssl_defaults.bypassPKCS11 = on;
>+#endif
> } else {
> return SECFailure;
> }
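Review bot: In the SSL_OptionSet hunk (-688), a build with both `NO_PKCS11_BYPASS` and `PRESERVE_ABI` reports success for a request to turn bypass on but stores `PR_FALSE`, and nothing at the assignment says this is deliberate. A comment there would make the intent explicit, for example `/* bypass is compiled out: accept the request for ABI compatibility, keep using PKCS #11 */`. Without `PRESERVE_ABI`, SSL_BypassSetup fails first, so the `#ifdef NO_PKCS11_BYPASS` assignment is never reached in that configuration, which the comment could also state. The same applies to the SSL_OptionSetDefault hunk (-972); both functions start and end outside their hunks.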