diff --git a/.cvsignore b/.cvsignore index e5a1fc4..3aad1a8 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,4 +1,4 @@ -nss-3.12.5-stripped.tar.bz2 +nss-3.12.6-stripped.tar.bz2 nss-pem-20091210.tar.bz2 blank-cert8.db blank-key3.db diff --git a/533125-ammend.patch b/533125-ammend.patch deleted file mode 100644 index 73846ab..0000000 --- a/533125-ammend.patch +++ /dev/null @@ -1,23 +0,0 @@ -Index: mozilla/security/nss/lib/ssl/ssl3con.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v -retrieving revision 1.121 -diff -u -p -r1.121 ssl3con.c ---- mozilla/security/nss/lib/ssl/ssl3con.c 12 Nov 2009 05:08:27 -0000 1.121 -+++ mozilla/security/nss/lib/ssl/ssl3con.c 20 Nov 2009 19:36:30 -0000 -@@ -4004,6 +4004,7 @@ ssl3_HandleHelloRequest(sslSocket *ss) - PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST); - return SECFailure; - } -+ /* - if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) { - ssl_GetXmitBufLock(ss); - rv = SSL3_SendAlert(ss, alert_warning, no_renegotiation); -@@ -4011,6 +4012,7 @@ ssl3_HandleHelloRequest(sslSocket *ss) - PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED); - return SECFailure; - } -+ */ - - if (sid) { - ss->sec.uncache(sid); diff --git a/540387.patch b/540387.patch deleted file mode 100644 index 6133526..0000000 --- a/540387.patch +++ /dev/null @@ -1,17 +0,0 @@ -diff --git a/mozilla/security/nss/lib/pk11wrap/pk11pars.c b/mozilla/security/nss/lib/pk11wrap/pk11pars.c -index c36cd25..5855084 100644 ---- a/mozilla/security/nss/lib/pk11wrap/pk11pars.c -+++ b/mozilla/security/nss/lib/pk11wrap/pk11pars.c -@@ -1134,6 +1134,12 @@ SECMOD_LoadModule(char *modulespec,SECMODModule *parent, PRBool recurse) - - for (; *index; index++) { - SECMODModule *child; -+ if (0 == PORT_Strcmp(*index, modulespec)) { -+ /* avoid trivial infinite recursion */ -+ PORT_SetError(SEC_ERROR_NO_MODULE); -+ rv = SECFailure; -+ break; -+ } - child = SECMOD_LoadModule(*index,module,PR_TRUE); - if (!child) break; - if (child->isCritical && !child->loaded) { diff --git a/545779.patch b/545779.patch deleted file mode 100644 index 53477b6..0000000 --- a/545779.patch +++ /dev/null @@ -1,49 +0,0 @@ -Index: mozilla/security/nss/lib/sysinit/nsssysinit.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/sysinit/nsssysinit.c,v -retrieving revision 1.1 -diff -u -p -r1.1 nsssysinit.c ---- mozilla/security/nss/lib/sysinit/nsssysinit.c 8 Oct 2009 17:08:36 -0000 1.1 -+++ mozilla/security/nss/lib/sysinit/nsssysinit.c 12 Dec 2009 03:34:17 -0000 -@@ -198,11 +198,20 @@ getFIPSMode(void) - * the decision making process. - * - */ -+static const char *nssDefaultFlags = "trustOrder=75 cipherOrder=100 \ -+slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM \ -+askpw=any timeout=30 ] } "; -+static const char *nssDefaultFIPSFlags = "trustOrder=75 cipherOrder=100 \ -+slotParams={0x00000003=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM \ -+askpw=any timeout=30 ] } "; -+ - static char ** - get_list(char *filename, char *stripped_parameters) - { - char **module_list = PORT_ZNewArray(char *, 4); - char *userdb; -+ int isFIPS = getFIPSMode(); -+ const char *nssflags = isFIPS ? nssDefaultFIPSFlags : nssDefaultFlags; - int next = 0; - - /* can't get any space */ -@@ -217,8 +226,9 @@ get_list(char *filename, char *stripped_ - "library= " - "module=\"NSS User database\" " - "parameters=\"configdir='sql:%s' %s\" " -- "NSS=\"flags=internal%s\"", -- userdb, stripped_parameters, getFIPSMode() ? ",FIPS" : ""); -+ "NSS=\"%sflags=internal%s\"", -+ userdb, stripped_parameters, nssflags, -+ isFIPS ? ",FIPS" : ""); - - /* now open the user's defined PKCS #11 modules */ - /* skip the local user DB entry */ -@@ -235,7 +245,7 @@ get_list(char *filename, char *stripped_ - "library= " - "module=\"NSS system database\" " - "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' flags=readonly\" " -- "NSS=\"flags=internal,critical\"",filename); -+ "NSS=\"%sflags=internal,critical\"",filename, nssDefaultFlags); - - /* that was the last module */ - module_list[next] = 0; diff --git a/546221.patch b/546221.patch deleted file mode 100644 index 21be24a..0000000 --- a/546221.patch +++ /dev/null @@ -1,85 +0,0 @@ -diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.546221 nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c ---- nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.546221 2009-12-19 21:11:06.590930221 -0800 -+++ nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c 2009-12-19 21:17:29.019931181 -0800 -@@ -37,8 +37,6 @@ - #include "prio.h" - #include "prprf.h" - -- -- - /* - * The following provides a default example for operating systems to set up - * and manage applications loading NSS on their OS globally. -@@ -208,8 +206,8 @@ askpw=any timeout=30 ] } "; - static char ** - get_list(char *filename, char *stripped_parameters) - { -- char **module_list = PORT_ZNewArray(char *, 4); -- char *userdb; -+ char **module_list = PORT_ZNewArray(char *, 5); -+ char *userdb, *sysdb; - int isFIPS = getFIPSMode(); - const char *nssflags = isFIPS ? nssDefaultFIPSFlags : nssDefaultFlags; - int next = 0; -@@ -219,13 +217,20 @@ get_list(char *filename, char *stripped_ - return NULL; - } - -- userdb = getUserDB(); -+ sysdb = getSystemDB(); -+ userdb = getUserDB(); -+ -+ if (sysdb && !strcmp(filename, sysdb)) -+ filename = NULL; -+ if (userdb && !strcmp(filename, userdb)) -+ filename = NULL; -+ - if (userdb != NULL) { - /* return a list of databases to open. First the user Database */ - module_list[next++] = PR_smprintf( - "library= " - "module=\"NSS User database\" " -- "parameters=\"configdir='sql:%s' %s\" " -+ "parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" " - "NSS=\"%sflags=internal%s\"", - userdb, stripped_parameters, nssflags, - isFIPS ? ",FIPS" : ""); -@@ -238,19 +243,32 @@ get_list(char *filename, char *stripped_ - "parameters=\"configdir='sql:%s' %s\" " - "NSS=\"flags=internal,moduleDBOnly,defaultModDB,skipFirst\"", - userdb, stripped_parameters); -- } -+ } -+ -+ if (filename && 0 /* This doesn't actually work. If we register -+ both this and the sysdb (in either order) -+ then only one of them actually shows up */) { -+ module_list[next++] = PR_smprintf( -+ "library= " -+ "module=\"NSS database\" " -+ "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" " -+ "NSS=\"%sflags=internal\"",filename, filename, nssflags); -+ } - - /* now the system database (always read only) */ -- module_list[next++] = PR_smprintf( -- "library= " -- "module=\"NSS system database\" " -- "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' flags=readonly\" " -- "NSS=\"%sflags=internal,critical\"",filename, nssDefaultFlags); -+ if (sysdb) { -+ module_list[next++] = PR_smprintf( -+ "library= " -+ "module=\"NSS system database\" " -+ "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' flags=readonly\" " -+ "NSS=\"%sflags=internal,critical\"",sysdb, nssflags); -+ } - - /* that was the last module */ - module_list[next] = 0; - - PORT_Free(userdb); -+ PORT_Free(sysdb); - - return module_list; - } diff --git a/547860.patch b/547860.patch deleted file mode 100644 index 4954880..0000000 --- a/547860.patch +++ /dev/null @@ -1,109 +0,0 @@ -diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c ---- nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 2010-01-06 17:57:30.722388282 -0800 -+++ nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c 2010-01-06 18:20:59.713397530 -0800 -@@ -50,6 +50,7 @@ - */ - - #ifdef XP_UNIX -+#include - #include - #include - -@@ -108,12 +109,26 @@ getSystemDB(void) { - return PORT_Strdup(NSS_DEFAULT_SYSTEM); - } - -+static PRBool -+userIsRoot() -+{ -+ /* this works for linux and all unixes that we know off -+ though it isn't stated as such in POSIX documentation */ -+ return getuid() == 0; -+} -+ -+static PRBool -+userCanModifySystemDB() -+{ -+ return (access(NSS_DEFAULT_SYSTEM, W_OK) == 0); -+} -+ - #else - #ifdef XP_WIN - static char * - getUserDB(void) - { -- /* use the registry to find the user's NSS_DIR. if no entry exists, creaate -+ /* use the registry to find the user's NSS_DIR. if no entry exists, create - * one in the users Appdir location */ - return NULL; - } -@@ -121,13 +136,28 @@ getUserDB(void) - static char * - getSystemDB(void) - { -- /* use the registry to find the system's NSS_DIR. if no entry exists, creaate -+ /* use the registry to find the system's NSS_DIR. if no entry exists, create - * one based on the windows system data area */ - return NULL; - } - -+static PRBool -+userIsRoot() -+{ -+ /* use the registry to find if the user is the system administrator. */ -+ return PR_FALSE; -+} -+ -+static PRBool -+userCanModifySystemDB() -+{ -+ /* use the registry to find if the user has administrative privilege -+ * to modify the system's nss database. */ -+ return PR_FALSE; -+} -+ - #else --#error "Need to write getUserDB and get SystemDB functions" -+#error "Need to write getUserDB, SystemDB, userIsRoot, and userCanModifySystemDB functions" - #endif - #endif - -@@ -225,7 +255,8 @@ get_list(char *filename, char *stripped_ - if (userdb && !strcmp(filename, userdb)) - filename = NULL; - -- if (userdb != NULL) { -+ /* Don't open root's user DB */ -+ if (userdb != NULL && !userIsRoot()) { - /* return a list of databases to open. First the user Database */ - module_list[next++] = PR_smprintf( - "library= " -@@ -245,7 +276,8 @@ get_list(char *filename, char *stripped_ - userdb, stripped_parameters); - } - -- if (filename && 0 /* This doesn't actually work. If we register -+ if (filename && !userIsRoot() && 0 -+ /* This doesn't actually work. If we register - both this and the sysdb (in either order) - then only one of them actually shows up */) { - module_list[next++] = PR_smprintf( -@@ -255,13 +287,14 @@ get_list(char *filename, char *stripped_ - "NSS=\"%sflags=internal\"",filename, filename, nssflags); - } - -- /* now the system database (always read only) */ -+ /* now the system database (always read only unless it's root) */ - if (sysdb) { -- module_list[next++] = PR_smprintf( -+ const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly"; -+ module_list[next++] = PR_smprintf( - "library= " - "module=\"NSS system database\" " -- "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' flags=readonly\" " -- "NSS=\"%sflags=internal,critical\"",sysdb, nssflags); -+ "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" " -+ "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags); - } - - /* that was the last module */ diff --git a/553638.patch b/553638.patch deleted file mode 100644 index 2eb09db..0000000 --- a/553638.patch +++ /dev/null @@ -1,97 +0,0 @@ -diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.553638 nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c ---- nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.553638 2010-01-25 08:58:42.358325102 -0800 -+++ nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c 2010-01-25 09:07:20.028324059 -0800 -@@ -36,6 +36,7 @@ - #include "seccomon.h" - #include "prio.h" - #include "prprf.h" -+#include "plhash.h" - - /* - * The following provides a default example for operating systems to set up -@@ -212,6 +213,25 @@ getFIPSMode(void) - - #define NSS_DEFAULT_FLAGS "flags=readonly" - -+/* configuration flags according to -+ * https://developer.mozilla.org/en/PKCS11_Module_Specs -+ * As stated there the slotParams start with a slot name which is a slotID -+ * Slots 1 through 3 are reserved for the nss internal modules as follows: -+ * 1 for crypto operations slot non-fips, -+ * 2 for the key slot, and -+ * 3 for the crypto operations slot fips -+ */ -+#define ORDER_FLAGS "trustOrder=75 cipherOrder=100" -+#define SLOT_FLAGS \ -+ "[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \ -+ " askpw=any timeout=30 ]" -+ -+static const char *nssDefaultFlags = -+ ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " } "; -+ -+static const char *nssDefaultFIPSFlags = -+ ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " } "; -+ - /* - * This function builds the list of databases and modules to load, and sets - * their configuration. For the sample we have a fixed set. -@@ -226,13 +246,6 @@ getFIPSMode(void) - * the decision making process. - * - */ --static const char *nssDefaultFlags = "trustOrder=75 cipherOrder=100 \ --slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM \ --askpw=any timeout=30 ] } "; --static const char *nssDefaultFIPSFlags = "trustOrder=75 cipherOrder=100 \ --slotParams={0x00000003=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM \ --askpw=any timeout=30 ] } "; -- - static char ** - get_list(char *filename, char *stripped_parameters) - { -@@ -250,11 +263,6 @@ get_list(char *filename, char *stripped_ - sysdb = getSystemDB(); - userdb = getUserDB(); - -- if (sysdb && !strcmp(filename, sysdb)) -- filename = NULL; -- if (userdb && !strcmp(filename, userdb)) -- filename = NULL; -- - /* Don't open root's user DB */ - if (userdb != NULL && !userIsRoot()) { - /* return a list of databases to open. First the user Database */ -@@ -276,16 +284,29 @@ get_list(char *filename, char *stripped_ - userdb, stripped_parameters); - } - -- if (filename && !userIsRoot() && 0 -- /* This doesn't actually work. If we register -- both this and the sysdb (in either order) -- then only one of them actually shows up */) { -+#if 0 -+ /* This doesn't actually work. If we register -+ both this and the sysdb (in either order) -+ then only one of them actually shows up */ -+ -+ /* Using a NULL filename as a Boolean flag to -+ * prevent registering both an application-defined -+ * db and the system db. rhbz #546211. -+ */ -+ PORT_Assert(filename); -+ if (sysdb && PL_CompareStrings(filename, sysdb)) -+ filename = NULL; -+ else if (userdb && PL_CompareStrings(filename, userdb)) -+ filename = NULL; -+ -+ if (filename && !userIsRoot()) { - module_list[next++] = PR_smprintf( - "library= " - "module=\"NSS database\" " - "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" " - "NSS=\"%sflags=internal\"",filename, filename, nssflags); - } -+#endif - - /* now the system database (always read only unless it's root) */ - if (sysdb) { diff --git a/nss-no-rpath.patch b/nss-no-rpath.patch deleted file mode 100644 index 35ea573..0000000 --- a/nss-no-rpath.patch +++ /dev/null @@ -1,14 +0,0 @@ ---- ./mozilla/security/nss/cmd/platlibs.mk.withrpath 2007-02-19 07:17:06.000000000 +0100 -+++ ./mozilla/security/nss/cmd/platlibs.mk 2007-02-19 07:18:07.000000000 +0100 -@@ -52,9 +52,9 @@ - - ifeq ($(OS_ARCH), Linux) - ifeq ($(USE_64), 1) --EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib' -+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib' - else --EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib' -+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib' - endif - endif - diff --git a/nss-nolocalsql.patch b/nss-nolocalsql.patch index 21101fa..dc75a22 100644 --- a/nss-nolocalsql.patch +++ b/nss-nolocalsql.patch @@ -1,26 +1,26 @@ diff -up ./mozilla/security/nss/lib/Makefile.nolocalsql ./mozilla/security/nss/lib/Makefile ---- ./mozilla/security/nss/lib/Makefile.nolocalsql 2007-07-19 23:36:49.000000000 +0200 -+++ ./mozilla/security/nss/lib/Makefile 2009-04-14 17:07:40.000000000 +0200 -@@ -62,11 +62,11 @@ ifeq ($(OS_TARGET), WINCE) - DIRS := $(filter-out fortcrypt,$(DIRS)) +--- ./mozilla/security/nss/lib/Makefile.nolocalsql 2010-02-27 16:40:25.891777537 -0800 ++++ ./mozilla/security/nss/lib/Makefile 2010-02-27 16:41:59.175902327 -0800 +@@ -62,11 +62,11 @@ ifndef USE_SYSTEM_ZLIB + ZLIB_SRCDIR = zlib # Add the zlib directory to DIRS. endif -ifndef MOZILLA_CLIENT -ifndef NSS_USE_SYSTEM_SQLITE --DIRS := sqlite $(DIRS) +-SQLITE_SRCDIR = sqlite # Add the sqlite directory to DIRS. -endif -endif +#ifndef MOZILLA_CLIENT +#ifndef NSS_USE_SYSTEM_SQLITE -+#DIRS := sqlite $(DIRS) ++#SQLITE_SRCDIR = sqlite # Add the sqlite directory to DIRS. +#endif +#endif - ####################################################################### - # (5) Execute "global" rules. (OPTIONAL) # + ifndef MOZILLA_CLIENT + ifeq ($(OS_ARCH),Linux) diff -up ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn.nolocalsql ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn ---- ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn.nolocalsql 2007-07-19 23:36:50.000000000 +0200 -+++ ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn 2009-04-14 17:07:40.000000000 +0200 +--- ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn.nolocalsql 2010-02-27 16:44:24.998777709 -0800 ++++ ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn 2010-02-27 16:45:08.533803472 -0800 @@ -46,9 +46,9 @@ MAPFILE = $(OBJDIR)/nssdbm.def DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" @@ -35,8 +35,8 @@ diff -up ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn.nolocalsql ./m CSRCS = \ dbmshim.c \ diff -up ./mozilla/security/nss/lib/softoken/manifest.mn.nolocalsql ./mozilla/security/nss/lib/softoken/manifest.mn ---- ./mozilla/security/nss/lib/softoken/manifest.mn.nolocalsql 2009-03-25 17:21:37.000000000 +0100 -+++ ./mozilla/security/nss/lib/softoken/manifest.mn 2009-04-14 17:07:40.000000000 +0200 +--- ./mozilla/security/nss/lib/softoken/manifest.mn.nolocalsql 2010-02-27 16:42:52.213902231 -0800 ++++ ./mozilla/security/nss/lib/softoken/manifest.mn 2010-02-27 16:43:34.040776788 -0800 @@ -47,9 +47,9 @@ MAPFILE = $(OBJDIR)/softokn.def DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\" diff --git a/nss-sysinit.patch b/nss-sysinit.patch deleted file mode 100644 index 6e4eed3..0000000 --- a/nss-sysinit.patch +++ /dev/null @@ -1,15 +0,0 @@ -Index: mozilla/security/nss/lib/manifest.mn -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/manifest.mn,v -retrieving revision 1.20 -diff -u -p -r1.20 manifest.mn ---- mozilla/security/nss/lib/manifest.mn 7 Nov 2009 05:57:41 -0000 1.20 -+++ mozilla/security/nss/lib/manifest.mn 4 Dec 2009 02:27:20 -0000 -@@ -56,6 +56,7 @@ DIRS = util freebl softoken \ - pkcs12 pkcs7 smime \ - crmf jar \ - ckfw \ -+ sysinit \ - $(NULL) - - # fortcrypt is no longer built diff --git a/nss.spec b/nss.spec index 5f26c50..6ca873c 100644 --- a/nss.spec +++ b/nss.spec @@ -1,24 +1,24 @@ -%global nspr_version 4.8 -%global nss_util_version 3.12.5 +%global nspr_version 4.8.4 +%global nss_util_version 3.12.6 %global nss_softokn_version 3.12.4 %global nss_softokn_fips_version 3.12.4 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools Summary: Network Security Services Name: nss -Version: 3.12.5 -Release: 9%{?dist} +Version: 3.12.6 +Release: 1.1%{?dist} License: MPLv1.1 or GPLv2+ or LGPLv2+ URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries Requires: nspr >= %{nspr_version} -Requires: nss-util >= %{nss_util_version} +Requires: nss-util = %{nss_util_version} Requires: nss-softokn%{_isa} = %{nss_softokn_fips_version} Requires: nss-system-init BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: nspr-devel >= %{nspr_version} BuildRequires: nss-softokn-devel = %{nss_softokn_version} -BuildRequires: nss-util-devel >= %{nss_util_version} +BuildRequires: nss-util-devel = %{nss_util_version} BuildRequires: sqlite-devel BuildRequires: zlib-devel BuildRequires: pkgconfig @@ -40,14 +40,9 @@ Source9: setup-nsssysinit.sh Source12: %{name}-pem-20091210.tar.bz2 Patch2: nss-nolocalsql.patch +Patch3: renegotiate-transitional.patch +Patch4: validate-arguments.patch Patch6: nss-enable-pem.patch -Patch7: 533125-ammend.patch -Patch8: nss-sysinit.patch -Patch9: 540387.patch -Patch10: 545779.patch -Patch11: 546221.patch -Patch12: 547860.patch -Patch13: 553638.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -112,15 +107,11 @@ low level services. %setup -q %setup -q -T -D -n %{name}-%{version} -a 12 -%patch2 -p0 +%patch2 -p0 -b .nolocalsql +%patch3 -p0 -b .transitional +%patch4 -p0 -b .validate %patch6 -p0 -b .libpem -%patch7 -p0 -b .533125 -%patch8 -p0 -b .sysinit -%patch9 -p1 -b .540387 -%patch10 -p0 -b .545779 -%patch11 -p1 -b .546221 -%patch12 -p1 -b .547860 -%patch13 -p1 -b .553638 + %build @@ -242,6 +233,12 @@ rm -rf ./mozilla/tests_results cd ./mozilla/security/nss/tests/ # all.sh is the test suite script +# don't need to run all the tests when testing packaging +# nss_cycles: standard pkix upgradedb sharedb +# nss_tests: cipher libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains +# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr +# nss_ssl_run: cov auth stress + # Temporarily disabling the ssl test suites # until bug 539183 gets resolved %global nss_ssl_tests " " @@ -487,6 +484,11 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h %changelog +* Sat Mar 06 2010 Elio Maldonado - 3.12.6-1.1 +- Update to 3.12.6 +- Using SSL_RENEGOTIATE_TRANSITIONAL as default while on transition period +- Patch tools to validate command line options arguments + * Mon Jan 25 2010 Elio Maldonado - 3.12.5-8 - Fix curl related regression and general patch code clean up diff --git a/renegotiate-transitional.patch b/renegotiate-transitional.patch new file mode 100644 index 0000000..e0c5189 --- /dev/null +++ b/renegotiate-transitional.patch @@ -0,0 +1,16 @@ +Index: ./mozilla/security/nss/lib/ssl/sslsock.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v +retrieving revision 1.66 +diff -u -p -r1.66 sslsock.c +--- ./mozilla/security/nss/lib/ssl/sslsock.c 26 Feb 2010 20:44:54 -0000 1.66 ++++ ./mozilla/security/nss/lib/ssl/sslsock.c 1 Mar 2010 18:05:10 -0000 +@@ -181,7 +181,7 @@ static sslOptions ssl_defaults = { + PR_FALSE, /* noLocks */ + PR_FALSE, /* enableSessionTickets */ + PR_FALSE, /* enableDeflate */ +- 2, /* enableRenegotiation (default: requires extension) */ ++ 3, /* enableRenegotiation (default: transitional) + PR_FALSE, /* requireSafeNegotiation */ + }; + diff --git a/sources b/sources index e499ab7..64ba459 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ -51c5958153b6c01fada2e74cedc66835 nss-3.12.5-stripped.tar.bz2 +3902499c8e02b02d4944f21d3c6a839f nss-3.12.6-stripped.tar.bz2 82c2c72c961f2783c8e975a42fa939cf nss-pem-20091210.tar.bz2 a5ae49867124ac75f029a9a33af31bad blank-cert8.db 9315689bbd9f28ceebd47894f99fccbd blank-key3.db diff --git a/validate-arguments.patch b/validate-arguments.patch new file mode 100644 index 0000000..25c2bd8 --- /dev/null +++ b/validate-arguments.patch @@ -0,0 +1,720 @@ +Index: ./mozilla/security/nss/cmd/p7content/p7content.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/cmd/p7content/p7content.c,v +retrieving revision 1.12 +diff -u -p -r1.12 p7content.c +--- ./mozilla/security/nss/cmd/p7content/p7content.c 4 Aug 2008 22:58:31 -0000 1.12 ++++ ./mozilla/security/nss/cmd/p7content/p7content.c 2 Mar 2010 18:29:48 -0000 +@@ -64,7 +64,7 @@ extern int fprintf(FILE *, char *, ...); + + + static void +-Usage(char *progName) ++Usage(const char *progName) + { + fprintf(stderr, + "Usage: %s [-d dbdir] [-i input] [-o output]\n", +@@ -195,6 +195,15 @@ DecodeAndPrintFile(FILE *out, PRFileDesc + return 0; + } + ++static void ++PrintMsgAndExit(const char *progName, char opt) ++{ ++ fprintf(stderr, "%s: option -%c requires argument\n", progName, opt); ++ Usage(progName); ++} ++ ++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt) ++ + /* + * Print the contents of a PKCS7 message, indicating signatures, etc. + */ +@@ -222,10 +231,12 @@ main(int argc, char **argv) + while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { + switch (optstate->option) { + case 'd': ++ REQUIRE_ARG(optstate->option, optstate->value); + SECU_ConfigDirectory(optstate->value); + break; + + case 'i': ++ REQUIRE_ARG(optstate->option, optstate->value); + inFile = PR_Open(optstate->value, PR_RDONLY, 0); + if (!inFile) { + fprintf(stderr, "%s: unable to open \"%s\" for reading\n", +@@ -235,6 +246,7 @@ main(int argc, char **argv) + break; + + case 'o': ++ REQUIRE_ARG(optstate->option, optstate->value); + outFile = fopen(optstate->value, "w"); + if (!outFile) { + fprintf(stderr, "%s: unable to open \"%s\" for writing\n", +@@ -244,11 +256,13 @@ main(int argc, char **argv) + break; + + case 'p': ++ REQUIRE_ARG(optstate->option, optstate->value); + pwdata.source = PW_PLAINTEXT; + pwdata.data = PORT_Strdup (optstate->value); + break; + + case 'f': ++ REQUIRE_ARG(optstate->option, optstate->value); + pwdata.source = PW_FROMFILE; + pwdata.data = PORT_Strdup (optstate->value); + break; +Index: ./mozilla/security/nss/cmd/p7env/p7env.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/cmd/p7env/p7env.c,v +retrieving revision 1.10 +diff -u -p -r1.10 p7env.c +--- ./mozilla/security/nss/cmd/p7env/p7env.c 11 Feb 2010 02:39:47 -0000 1.10 ++++ ./mozilla/security/nss/cmd/p7env/p7env.c 2 Mar 2010 18:29:48 -0000 +@@ -63,7 +63,7 @@ extern int fprintf(FILE *, char *, ...); + + + static void +-Usage(char *progName) ++Usage(const char *progName) + { + fprintf(stderr, + "Usage: %s -r recipient [-d dbdir] [-i input] [-o output]\n", +@@ -159,6 +159,15 @@ EncryptFile(FILE *outFile, FILE *inFile, + return 0; + } + ++static void ++PrintMsgAndExit(const char *progName, char opt) ++{ ++ fprintf(stderr, "%s: option -%c requires argument\n", progName, opt); ++ Usage(progName); ++} ++ ++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt) ++ + int + main(int argc, char **argv) + { +@@ -194,10 +203,12 @@ main(int argc, char **argv) + break; + + case 'd': ++ REQUIRE_ARG(optstate->option, optstate->value); + SECU_ConfigDirectory(optstate->value); + break; + + case 'i': ++ REQUIRE_ARG(optstate->option, optstate->value); + inFile = fopen(optstate->value, "r"); + if (!inFile) { + fprintf(stderr, "%s: unable to open \"%s\" for reading\n", +@@ -207,6 +218,7 @@ main(int argc, char **argv) + break; + + case 'o': ++ REQUIRE_ARG(optstate->option, optstate->value); + outFile = fopen(optstate->value, "wb"); + if (!outFile) { + fprintf(stderr, "%s: unable to open \"%s\" for writing\n", +@@ -216,6 +228,7 @@ main(int argc, char **argv) + break; + + case 'r': ++ REQUIRE_ARG(optstate->option, optstate->value); + if (rcpt == NULL) { + recipients = rcpt = PORT_Alloc (sizeof(struct recipient)); + } else { +Index: ./mozilla/security/nss/cmd/p7sign/p7sign.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/cmd/p7sign/p7sign.c,v +retrieving revision 1.14 +diff -u -p -r1.14 p7sign.c +--- ./mozilla/security/nss/cmd/p7sign/p7sign.c 4 Aug 2008 22:58:28 -0000 1.14 ++++ ./mozilla/security/nss/cmd/p7sign/p7sign.c 2 Mar 2010 18:29:48 -0000 +@@ -67,7 +67,7 @@ extern int fprintf(FILE *, char *, ...); + static secuPWData pwdata = { PW_NONE, 0 }; + + static void +-Usage(char *progName) ++Usage(const char *progName) + { + fprintf(stderr, + "Usage: %s -k keyname [-d keydir] [-i input] [-o output]\n", +@@ -173,6 +173,15 @@ SignFile(FILE *outFile, PRFileDesc *inFi + return 0; + } + ++static void ++PrintMsgAndExit(const char *progName, char opt) ++{ ++ fprintf(stderr, "%s: option -%c requires argument\n", progName, opt); ++ Usage(progName); ++} ++ ++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt) ++ + int + main(int argc, char **argv) + { +@@ -210,10 +219,12 @@ main(int argc, char **argv) + break; + + case 'd': ++ REQUIRE_ARG(optstate->option, optstate->value); + SECU_ConfigDirectory(optstate->value); + break; + + case 'i': ++ REQUIRE_ARG(optstate->option, optstate->value); + inFile = PR_Open(optstate->value, PR_RDONLY, 0); + if (!inFile) { + fprintf(stderr, "%s: unable to open \"%s\" for reading\n", +@@ -223,10 +234,12 @@ main(int argc, char **argv) + break; + + case 'k': ++ REQUIRE_ARG(optstate->option, optstate->value); + keyName = strdup(optstate->value); + break; + + case 'o': ++ REQUIRE_ARG(optstate->option, optstate->value); + outFile = fopen(optstate->value, "wb"); + if (!outFile) { + fprintf(stderr, "%s: unable to open \"%s\" for writing\n", +@@ -235,11 +248,13 @@ main(int argc, char **argv) + } + break; + case 'p': ++ REQUIRE_ARG(optstate->option, optstate->value); + pwdata.source = PW_PLAINTEXT; + pwdata.data = strdup (optstate->value); + break; + + case 'f': ++ REQUIRE_ARG(optstate->option, optstate->value); + pwdata.source = PW_FROMFILE; + pwdata.data = PORT_Strdup (optstate->value); + break; +Index: ./mozilla/security/nss/cmd/p7verify/p7verify.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/cmd/p7verify/p7verify.c,v +retrieving revision 1.10 +diff -u -p -r1.10 p7verify.c +--- ./mozilla/security/nss/cmd/p7verify/p7verify.c 8 Aug 2008 23:47:57 -0000 1.10 ++++ ./mozilla/security/nss/cmd/p7verify/p7verify.c 2 Mar 2010 18:29:48 -0000 +@@ -126,7 +126,7 @@ DigestFile(unsigned char *digest, unsign + + + static void +-Usage(char *progName) ++Usage(const char *progName) + { + fprintf(stderr, + "Usage: %s -c content -s signature [-d dbdir] [-u certusage]\n", +@@ -209,6 +209,14 @@ HashDecodeAndVerify(FILE *out, FILE *con + return 0; + } + ++static void ++PrintMsgAndExit(const char *progName, char opt) ++{ ++ fprintf(stderr, "%s: option -%c requires argument\n", progName, opt); ++ Usage(progName); ++} ++ ++#define REQUIRE_ARG(opt,arg) if (!(arg)) PrintMsgAndExit(progName, opt) + + int + main(int argc, char **argv) +@@ -239,6 +247,7 @@ main(int argc, char **argv) + break; + + case 'c': ++ REQUIRE_ARG(optstate->option, optstate->value); + contentFile = fopen(optstate->value, "r"); + if (!contentFile) { + fprintf(stderr, "%s: unable to open \"%s\" for reading\n", +@@ -248,10 +257,12 @@ main(int argc, char **argv) + break; + + case 'd': ++ REQUIRE_ARG(optstate->option, optstate->value); + SECU_ConfigDirectory(optstate->value); + break; + + case 'o': ++ REQUIRE_ARG(optstate->option, optstate->value); + outFile = fopen(optstate->value, "w"); + if (!outFile) { + fprintf(stderr, "%s: unable to open \"%s\" for writing\n", +@@ -261,6 +272,7 @@ main(int argc, char **argv) + break; + + case 's': ++ REQUIRE_ARG(optstate->option, optstate->value); + signatureFile = PR_Open(optstate->value, PR_RDONLY, 0); + if (!signatureFile) { + fprintf(stderr, "%s: unable to open \"%s\" for reading\n", +@@ -271,7 +283,7 @@ main(int argc, char **argv) + + case 'u': { + int usageType; +- ++ REQUIRE_ARG(optstate->option, optstate->value); + usageType = atoi (strdup(optstate->value)); + if (usageType < certUsageSSLClient || usageType > certUsageAnyCA) + return -1; +Index: ./mozilla/security/nss/cmd/strsclnt/strsclnt.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/cmd/strsclnt/strsclnt.c,v +retrieving revision 1.66 +diff -u -p -r1.66 strsclnt.c +--- ./mozilla/security/nss/cmd/strsclnt/strsclnt.c 10 Feb 2010 18:07:20 -0000 1.66 ++++ ./mozilla/security/nss/cmd/strsclnt/strsclnt.c 2 Mar 2010 18:29:51 -0000 +@@ -1325,6 +1325,15 @@ done: + return rv; + } + ++static void ++PrintMsgAndExit(const char *progName, char opt) ++{ ++ fprintf(stderr, "%s: option -%c requires argument\n", progName, opt); ++ Usage(progName); ++} ++ ++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt) ++ + int + main(int argc, char **argv) + { +@@ -1364,33 +1373,57 @@ main(int argc, char **argv) + + case 'B': bypassPKCS11 = PR_TRUE; break; + +- case 'C': cipherString = optstate->value; break; ++ case 'C': ++ REQUIRE_ARG(optstate->option, optstate->value); ++ cipherString = optstate->value; ++ break; + + case 'D': NoDelay = PR_TRUE; break; + + case 'N': NoReuse = 1; break; + +- case 'P': fullhs = PORT_Atoi(optstate->value); break; ++ case 'P': ++ REQUIRE_ARG(optstate->option, optstate->value); ++ fullhs = PORT_Atoi(optstate->value); ++ break; + + case 'T': disableTLS = PR_TRUE; break; + + case 'U': ThrottleUp = PR_TRUE; break; + +- case 'a': sniHostName = PL_strdup(optstate->value); break; ++ case 'a': ++ REQUIRE_ARG(optstate->option, optstate->value); ++ sniHostName = PL_strdup(optstate->value); ++ break; + +- case 'c': connections = PORT_Atoi(optstate->value); break; ++ case 'c': ++ REQUIRE_ARG(optstate->option, optstate->value); ++ connections = PORT_Atoi(optstate->value); ++ break; + +- case 'd': dir = optstate->value; break; ++ case 'd': ++ REQUIRE_ARG(optstate->option, optstate->value); ++ dir = optstate->value; ++ break; + +- case 'f': fileName = optstate->value; break; ++ case 'f': ++ REQUIRE_ARG(optstate->option, optstate->value); ++ fileName = optstate->value; ++ break; + + case 'i': ignoreErrors = PR_TRUE; break; + +- case 'n': nickName = PL_strdup(optstate->value); break; ++ case 'n': ++ REQUIRE_ARG(optstate->option, optstate->value); ++ nickName = PL_strdup(optstate->value); ++ break; + + case 'o': MakeCertOK++; break; + +- case 'p': port = PORT_Atoi(optstate->value); break; ++ case 'p': ++ REQUIRE_ARG(optstate->option, optstate->value); ++ port = PORT_Atoi(optstate->value); ++ break; + + case 'q': QuitOnTimeout = PR_TRUE; break; + +@@ -1407,11 +1440,13 @@ main(int argc, char **argv) + case 'v': verbose++; break; + + case 'w': ++ REQUIRE_ARG(optstate->option, optstate->value); + pwdata.source = PW_PLAINTEXT; + pwdata.data = PL_strdup(optstate->value); + break; + + case 'W': ++ REQUIRE_ARG(optstate->option, optstate->value); + pwdata.source = PW_FROMFILE; + pwdata.data = PL_strdup(optstate->value); + break; +@@ -1419,6 +1454,7 @@ main(int argc, char **argv) + case 'z': enableCompression = PR_TRUE; break; + + case 0: /* positional parameter */ ++ REQUIRE_ARG(optstate->option, optstate->value); + if (hostName) { + Usage(progName); + } +Index: ./mozilla/security/nss/cmd/tests/remtest.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/cmd/tests/remtest.c,v +retrieving revision 1.5 +diff -u -p -r1.5 remtest.c +--- ./mozilla/security/nss/cmd/tests/remtest.c 8 Aug 2008 23:48:09 -0000 1.5 ++++ ./mozilla/security/nss/cmd/tests/remtest.c 2 Mar 2010 18:29:51 -0000 +@@ -69,6 +69,15 @@ Usage(char *progName) + exit(1); + } + ++static void ++PrintMsgAndExit(const char *progName, char opt) ++{ ++ fprintf(stderr, "%s: option -%c requires argument\n", progName, opt); ++ Usage(progName); ++} ++ ++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt) ++ + int main(int argc, char **argv) + { + char * certDir = NULL; +@@ -92,10 +101,12 @@ int main(int argc, char **argv) + switch (optstate->option) { + + case 'd': ++ REQUIRE_ARG(optstate->option, optstate->value); + certDir = strdup(optstate->value); + certDir = SECU_ConfigDirectory(certDir); + break; + case 't': ++ REQUIRE_ARG(optstate->option, optstate->value); + tokenName = strdup(optstate->value); + break; + case 'r': +Index: ./mozilla/security/nss/cmd/tstclnt/tstclnt.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/cmd/tstclnt/tstclnt.c,v +retrieving revision 1.62 +diff -u -p -r1.62 tstclnt.c +--- ./mozilla/security/nss/cmd/tstclnt/tstclnt.c 10 Feb 2010 18:07:21 -0000 1.62 ++++ ./mozilla/security/nss/cmd/tstclnt/tstclnt.c 2 Mar 2010 18:29:51 -0000 +@@ -497,6 +497,15 @@ separateReqHeader(const PRFileDesc* outF + Usage(progName); \ + } + ++static void ++PrintMsgAndExit(const char *progName, char opt) ++{ ++ fprintf(stderr, "%s: option -%c requires argument\n", progName, opt); ++ Usage(progName); ++} ++ ++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt) ++ + int main(int argc, char **argv) + { + PRFileDesc * s; +@@ -563,38 +572,56 @@ int main(int argc, char **argv) + + case 'B': bypassPKCS11 = 1; break; + +- case 'S': skipProtoHeader = PR_TRUE; break; ++ case 'S': skipProtoHeader = PR_TRUE; break; + + case 'T': disableTLS = 1; break; + +- case 'a': if (!hs1SniHostName) { +- hs1SniHostName = PORT_Strdup(optstate->value); +- } else if (!hs2SniHostName) { +- hs2SniHostName = PORT_Strdup(optstate->value); +- } else { +- Usage(progName); +- } +- break; +- +- case 'c': cipherString = PORT_Strdup(optstate->value); break; +- +- case 'd': certDir = PORT_Strdup(optstate->value); break; ++ case 'a': ++ REQUIRE_ARG(optstate->option, optstate->value); ++ if (!hs1SniHostName) { ++ hs1SniHostName = PORT_Strdup(optstate->value); ++ } else if (!hs2SniHostName) { ++ hs2SniHostName = PORT_Strdup(optstate->value); ++ } else { ++ Usage(progName); ++ } ++ break; ++ ++ case 'c': ++ REQUIRE_ARG(optstate->option,optstate->value); ++ cipherString = PORT_Strdup(optstate->value); ++ break; ++ ++ case 'd': ++ REQUIRE_ARG(optstate->option,optstate->value); ++ certDir = PORT_Strdup(optstate->value); ++ break; + + case 'f': clientSpeaksFirst = PR_TRUE; break; + +- case 'h': host = PORT_Strdup(optstate->value); break; ++ case 'h': ++ REQUIRE_ARG(optstate->option,optstate->value); ++ host = PORT_Strdup(optstate->value); ++ break; + + case 'm': ++ REQUIRE_ARG(optstate->option,optstate->value); + multiplier = atoi(optstate->value); + if (multiplier < 0) + multiplier = 0; + break; + +- case 'n': nickname = PORT_Strdup(optstate->value); break; ++ case 'n': ++ REQUIRE_ARG(optstate->option,optstate->value); ++ nickname = PORT_Strdup(optstate->value); ++ break; + + case 'o': override = 1; break; + +- case 'p': portno = (PRUint16)atoi(optstate->value); break; ++ case 'p': ++ REQUIRE_ARG(optstate->option,optstate->value); ++ portno = (PRUint16)atoi(optstate->value); ++ break; + + case 'q': pingServerFirst = PR_TRUE; break; + +@@ -604,17 +631,22 @@ int main(int argc, char **argv) + + case 'v': verbose++; break; + +- case 'r': renegotiationsToDo = atoi(optstate->value); break; +- +- case 'w': +- pwdata.source = PW_PLAINTEXT; +- pwdata.data = PORT_Strdup(optstate->value); +- break; +- +- case 'W': +- pwdata.source = PW_FROMFILE; +- pwdata.data = PORT_Strdup(optstate->value); +- break; ++ case 'r': ++ REQUIRE_ARG(optstate->option,optstate->value); ++ renegotiationsToDo = atoi(optstate->value); ++ break; ++ ++ case 'w': ++ REQUIRE_ARG(optstate->option,optstate->value); ++ pwdata.source = PW_PLAINTEXT; ++ pwdata.data = PORT_Strdup(optstate->value); ++ break; ++ ++ case 'W': ++ REQUIRE_ARG(optstate->option,optstate->value); ++ pwdata.source = PW_FROMFILE; ++ pwdata.data = PORT_Strdup(optstate->value); ++ break; + + case 'x': useExportPolicy = 1; break; + +Index: ./mozilla/security/nss/cmd/vfychain/vfychain.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/cmd/vfychain/vfychain.c,v +retrieving revision 1.30 +diff -u -p -r1.30 vfychain.c +--- ./mozilla/security/nss/cmd/vfychain/vfychain.c 1 Apr 2009 20:41:29 -0000 1.30 ++++ ./mozilla/security/nss/cmd/vfychain/vfychain.c 2 Mar 2010 18:29:52 -0000 +@@ -432,6 +432,15 @@ isOCSPEnabled() + return PR_FALSE; + } + ++static void ++PrintMsgAndExit(const char *progName, char opt) ++{ ++ fprintf(stderr, "%s: option -%c requires argument\n", progName, opt); ++ Usage(progName); ++} ++ ++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt) ++ + int + main(int argc, char *argv[], char *envp[]) + { +@@ -469,12 +478,19 @@ main(int argc, char *argv[], char *envp[ + switch(optstate->option) { + case 0 : /* positional parameter */ goto breakout; + case 'a' : isAscii = PR_TRUE; break; +- case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value); +- if (secStatus != SECSuccess) Usage(progName); break; +- case 'd' : certDir = PL_strdup(optstate->value); break; ++ case 'b' : ++ REQUIRE_ARG(optstate->option, optstate->value); ++ secStatus = DER_AsciiToTime(&time, optstate->value); ++ if (secStatus != SECSuccess) Usage(progName); ++ break; ++ case 'd' : ++ REQUIRE_ARG(optstate->option, optstate->value); ++ certDir = PL_strdup(optstate->value); ++ break; + case 'e' : ocsp_fetchingFailureIsAFailure = PR_FALSE; break; + case 'f' : certFetching = PR_TRUE; break; + case 'g' : ++ REQUIRE_ARG(optstate->option, optstate->value); + if (revMethodsData[revDataIndex].testTypeStr || + revMethodsData[revDataIndex].methodTypeStr) { + revDataIndex += 1; +@@ -489,11 +505,13 @@ main(int argc, char *argv[], char *envp[ + revMethodsData[revDataIndex]. + testTypeStr = PL_strdup(optstate->value); break; + case 'h' : ++ REQUIRE_ARG(optstate->option, optstate->value); + revMethodsData[revDataIndex]. + testFlagsStr = PL_strdup(optstate->value);break; + case 'i' : vfyCounts = PORT_Atoi(optstate->value); break; + break; + case 'm' : ++ REQUIRE_ARG(optstate->option, optstate->value); + if (revMethodsData[revDataIndex].methodTypeStr) { + revDataIndex += 1; + if (revDataIndex == REV_METHOD_INDEX_MAX) { +@@ -506,24 +524,33 @@ main(int argc, char *argv[], char *envp[ + useDefaultRevFlags = PR_FALSE; + revMethodsData[revDataIndex]. + methodTypeStr = PL_strdup(optstate->value); break; +- case 'o' : oidStr = PL_strdup(optstate->value); break; ++ case 'o' : ++ REQUIRE_ARG(optstate->option, optstate->value); ++ oidStr = PL_strdup(optstate->value); ++ break; + case 'p' : usePkix += 1; break; + case 'r' : isAscii = PR_FALSE; break; + case 's' : ++ REQUIRE_ARG(optstate->option, optstate->value); + revMethodsData[revDataIndex]. +- methodFlagsStr = PL_strdup(optstate->value); break; ++ methodFlagsStr = PL_strdup(optstate->value); ++ break; + case 't' : trusted = PR_TRUE; break; +- case 'u' : usage = PORT_Atoi(optstate->value); ++ case 'u' : ++ REQUIRE_ARG(optstate->option,optstate->value); ++ usage = PORT_Atoi(optstate->value); + if (usage < 0 || usage > 62) Usage(progName); + certUsage = ((SECCertificateUsage)1) << usage; + if (certUsage > certificateUsageHighest) Usage(progName); + break; + case 'w': ++ REQUIRE_ARG(optstate->option,optstate->value); + pwdata.source = PW_PLAINTEXT; + pwdata.data = PORT_Strdup(optstate->value); + break; + + case 'W': ++ REQUIRE_ARG(optstate->option, optstate->value); + pwdata.source = PW_FROMFILE; + pwdata.data = PORT_Strdup(optstate->value); + break; +Index: ./mozilla/security/nss/cmd/vfyserv/vfyserv.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/cmd/vfyserv/vfyserv.c,v +retrieving revision 1.17 +diff -u -p -r1.17 vfyserv.c +--- ./mozilla/security/nss/cmd/vfyserv/vfyserv.c 8 Aug 2008 23:48:12 -0000 1.17 ++++ ./mozilla/security/nss/cmd/vfyserv/vfyserv.c 2 Mar 2010 18:29:52 -0000 +@@ -419,6 +419,15 @@ client_main(unsigned short port, + Usage(progName); \ + } + ++static void ++PrintMsgAndExit(const char *progName, char opt) ++{ ++ fprintf(stderr, "%s: option -%c requires argument\n", progName, opt); ++ Usage(progName); ++} ++ ++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt) ++ + int + main(int argc, char **argv) + { +@@ -442,23 +451,43 @@ main(int argc, char **argv) + optstate = PL_CreateOptState(argc, argv, "C:cd:f:l:n:p:ot:w:"); + while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { + switch(optstate->option) { +- case 'C' : cipherString = PL_strdup(optstate->value); break; +- case 'c' : dumpChain = PR_TRUE; break; +- case 'd' : certDir = PL_strdup(optstate->value); break; +- case 'l' : respUrl = PL_strdup(optstate->value); break; +- case 'p' : port = PORT_Atoi(optstate->value); break; +- case 'o' : doOcspCheck = PR_TRUE; break; +- case 't' : respCertName = PL_strdup(optstate->value); break; +- case 'w': ++ case 'C' : ++ REQUIRE_ARG(optstate->option, optstate->value); ++ cipherString = PL_strdup(optstate->value); ++ break; ++ case 'c' : dumpChain = PR_TRUE; ++ break; ++ case 'd' : ++ REQUIRE_ARG(optstate->option, optstate->value); ++ certDir = PL_strdup(optstate->value); ++ break; ++ case 'l' : ++ REQUIRE_ARG(optstate->option, optstate->value); ++ respUrl = PL_strdup(optstate->value); ++ break; ++ case 'p' : ++ REQUIRE_ARG(optstate->option,optstate->value); ++ port = PORT_Atoi(optstate->value); ++ break; ++ case 'o' : doOcspCheck = PR_TRUE; ++ break; ++ case 't' : ++ REQUIRE_ARG(optstate->option, optstate->value); ++ respCertName = PL_strdup(optstate->value); ++ break; ++ case 'w' : ++ REQUIRE_ARG(optstate->option, optstate->value); + pwdata.source = PW_PLAINTEXT; + pwdata.data = PORT_Strdup(optstate->value); + break; +- + case 'f': ++ REQUIRE_ARG(optstate->option, optstate->value); + pwdata.source = PW_FROMFILE; + pwdata.data = PORT_Strdup(optstate->value); + break; +- case '\0': hostName = PL_strdup(optstate->value); break; ++ case '\0': ++ REQUIRE_ARG(optstate->option,optstate->value); ++ hostName = PL_strdup(optstate->value); break; + default : Usage(progName); + } + }