Require nss-softoken-version 3.12.6 and fix pem seg violation within

CreateObject (#596674)

.cvsignore

@@ -1,2 +1,8 @@
-nss-3.12.4-stripped.tar.bz2
-nss-pem-20090907.tar.bz2
+nss-3.12.6-stripped.tar.bz2
+nss-pem-20100412.tar.bz2
+blank-cert8.db
+blank-key3.db
+blank-secmod.db
+blank-cert9.db
+blank-key4.db
+PayPalEE.cert

Makefile

@@ -1,10 +1,10 @@
 # Makefile for source rpm: nss
-# $Id: Makefile,v 1.1 2005/12/15 19:34:51 caillon Exp $
+# $Id: Makefile,v 1.2 2007/10/15 19:11:25 notting Exp $
 NAME := nss
 SPECFILE = $(firstword $(wildcard *.spec))
 
 define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
+for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
 endef
 
 MAKEFILE_COMMON := $(shell $(find-makefile-common))

branch

@@ -0,0 +1 @@
+F-12

newargs.patch

@@ -1,159 +0,0 @@
-Index: mozilla/security/nss/lib/pk11wrap/pk11pars.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11pars.c,v
-retrieving revision 1.21
-diff -u -p -r1.21 pk11pars.c
---- ./mozilla/security/nss/lib/pk11wrap/pk11pars.c	12 Nov 2005 00:14:25 -0000	1.21
-+++ ./mozilla/security/nss/lib/pk11wrap/pk11pars.c	1 Sep 2009 21:55:18 -0000
-@@ -107,6 +107,41 @@ secmod_NewModule(void)
-     
- }
- 
-+/* private flags. */
-+/* The meaing of these flags is as follows:
-+ *
-+ * SECMOD_FLAG_IS_MODULE_DB - This is a module that accesses the database of
-+ *   other modules to load. Module DBs are loadable modules that tells
-+ *   NSS which PKCS #11 modules to load and when. These module DBs are 
-+ *   chainable. That is, one module DB can load another one. NSS system init 
-+ *   design takes advantage of this feature. In system NSS, a fixed system 
-+ *   module DB loads the system defined libraries, then chains out to the 
-+ *   traditional module DBs to load any system or user configured modules 
-+ *   (like smart cards). This bit is the same as the already existing meaning 
-+ *   of  isModuleDB = PR_TRUE. None of the other flags should be set if this
-+ *   flag isn't on.
-+ *
-+ * SECMOD_FLAG_SKIP_FIRST - This flag tells NSS to skip the first 
-+ *   PKCS #11 module presented by a module DB. This allows the OS to load a 
-+ *   softoken from the system module, then ask the existing module DB code to 
-+ *   load the other PKCS #11 modules in that module DB (skipping it's request 
-+ *   to load softoken). This gives the system init finer control over the 
-+ *   configuration of that softoken module.
-+ *
-+ * SECMOD_FLAG_DEFAULT_MODDB - This flag allows system init to mark a 
-+ *   different module DB as the 'default' module DB (the one in which 
-+ *   'Add module' changes will go). Without this flag NSS takes the first 
-+ *   module as the default Module DB, but in system NSS, that first module 
-+ *   is the system module, which is likely read only (at least to the user).
-+ *   This  allows system NSS to delegate those changes to the user's module DB, 
-+ *   preserving the user's ability to load new PKCS #11 modules (which only 
-+ *   affect him), from existing applications like Firefox.
-+ */
-+#define SECMOD_FLAG_IS_MODULE_DB  0x01 /* must be set if any of the other flags
-+                                        * are set */
-+#define SECMOD_FLAG_SKIP_FIRST    0x02
-+#define SECMOD_FLAG_DEFAULT_MODDB 0x04
-+
- /*
-  * for 3.4 we continue to use the old SECMODModule structure
-  */
-@@ -137,15 +172,33 @@ SECMOD_CreateModule(const char *library,
-     if (slotParams) PORT_Free(slotParams);
-     /* new field */
-     mod->trustOrder  = secmod_argReadLong("trustOrder",nssc,
--						SECMOD_DEFAULT_TRUST_ORDER,NULL);
-+					SECMOD_DEFAULT_TRUST_ORDER,NULL);
-     /* new field */
-     mod->cipherOrder = secmod_argReadLong("cipherOrder",nssc,
--						SECMOD_DEFAULT_CIPHER_ORDER,NULL);
-+					SECMOD_DEFAULT_CIPHER_ORDER,NULL);
-     /* new field */
-     mod->isModuleDB   = secmod_argHasFlag("flags","moduleDB",nssc);
-     mod->moduleDBOnly = secmod_argHasFlag("flags","moduleDBOnly",nssc);
-     if (mod->moduleDBOnly) mod->isModuleDB = PR_TRUE;
- 
-+    /* we need more bits, but we also want to preserve binary compatibility 
-+     * so we overload the isModuleDB PRBool with additional flags. 
-+     * These flags are only valid if mod->isModuleDB is already set.
-+     * NOTE: this depends on the fact that PRBool is at least a char on 
-+     * all platforms. These flags are only valid if moduleDB is set, so 
-+     * code checking if (mod->isModuleDB) will continue to work correctly. */
-+    if (mod->isModuleDB) {
-+	char flags = SECMOD_FLAG_IS_MODULE_DB;
-+	if (secmod_argHasFlag("flags","skipFirst",nssc)) {
-+	    flags |= SECMOD_FLAG_SKIP_FIRST;
-+	}
-+	if (secmod_argHasFlag("flags","defaultModDB",nssc)) {
-+	    flags |= SECMOD_FLAG_DEFAULT_MODDB;
-+	}
-+	/* additional moduleDB flags could be added here in the future */
-+	mod->isModuleDB = (PRBool) flags;
-+    }
-+
-     ciphers = secmod_argGetParamValue("ciphers",nssc);
-     secmod_argSetNewCipherFlags(&mod->ssl[0],ciphers);
-     if (ciphers) PORT_Free(ciphers);
-@@ -155,6 +208,22 @@ SECMOD_CreateModule(const char *library,
-     return mod;
- }
- 
-+PRBool
-+SECMOD_GetSkipFirstFlag(SECMODModule *mod)
-+{
-+   char flags = (char) mod->isModuleDB;
-+
-+   return (flags & SECMOD_FLAG_SKIP_FIRST) ? PR_TRUE : PR_FALSE;
-+}
-+
-+PRBool
-+SECMOD_GetDefaultModDBFlag(SECMODModule *mod)
-+{
-+   char flags = (char) mod->isModuleDB;
-+
-+   return (flags & SECMOD_FLAG_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE;
-+}
-+
- static char *
- secmod_mkModuleSpec(SECMODModule * module)
- {
-@@ -333,7 +402,12 @@ SECMOD_LoadModule(char *modulespec,SECMO
- 	if (moduleSpecList) {
- 	    char **index;
- 
--	    for (index = moduleSpecList; *index; index++) {
-+	    index = moduleSpecList;
-+	    if (*index && SECMOD_GetSkipFirstFlag(module)) {
-+		index++;
-+	    }
-+
-+	    for (; *index; index++) {
- 		SECMODModule *child;
- 		child = SECMOD_LoadModule(*index,module,PR_TRUE);
- 		if (!child) break;
-Index: mozilla/security/nss/lib/pk11wrap/pk11util.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11util.c,v
-retrieving revision 1.55
-diff -u -p -r1.55 pk11util.c
---- ./mozilla/security/nss/lib/pk11wrap/pk11util.c	30 Jul 2009 00:29:35 -0000	1.55
-+++ ./mozilla/security/nss/lib/pk11wrap/pk11util.c	1 Sep 2009 21:55:18 -0000
-@@ -179,7 +179,10 @@ SECMOD_AddModuleToList(SECMODModule *new
- SECStatus
- SECMOD_AddModuleToDBOnlyList(SECMODModule *newModule)
- {
--    if (defaultDBModule == NULL) {
-+    if (defaultDBModule && SECMOD_GetDefaultModDBFlag(newModule)) {
-+	SECMOD_DestroyModule(defaultDBModule);
-+	defaultDBModule = SECMOD_ReferenceModule(newModule);
-+    } else if (defaultDBModule == NULL) {
- 	defaultDBModule = SECMOD_ReferenceModule(newModule);
-     }
-     return secmod_AddModuleToList(&modulesDB,newModule);
-Index: mozilla/security/nss/lib/pk11wrap/secmod.h
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/secmod.h,v
-retrieving revision 1.26
-diff -u -p -r1.26 secmod.h
---- ./mozilla/security/nss/lib/pk11wrap/secmod.h	17 Dec 2008 06:09:16 -0000	1.26
-+++ ./mozilla/security/nss/lib/pk11wrap/secmod.h	1 Sep 2009 21:55:18 -0000
-@@ -151,6 +151,10 @@ extern PK11SlotInfo *SECMOD_FindSlot(SEC
- /* of modType has been installed */
- PRBool SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags );
- 
-+/* accessors */
-+PRBool SECMOD_GetSkipFirstFlag(SECMODModule *mod);
-+PRBool SECMOD_GetDefaultModDBFlag(SECMODModule *mod);
-+
- /* Functions used to convert between internal & public representation
-  * of Mechanism Flags and Cipher Enable Flags */
- extern unsigned long SECMOD_PubMechFlagstoInternal(unsigned long publicFlags);

nss-no-rpath.patch

@@ -1,14 +0,0 @@
---- ./mozilla/security/nss/cmd/platlibs.mk.withrpath	2007-02-19 07:17:06.000000000 +0100
-+++ ./mozilla/security/nss/cmd/platlibs.mk	2007-02-19 07:18:07.000000000 +0100
-@@ -52,9 +52,9 @@
- 
- ifeq ($(OS_ARCH), Linux)
- ifeq ($(USE_64), 1)
--EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib'
-+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib'
- else
--EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib'
-+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib'
- endif
- endif
- 

nss-nolocalsql.patch

@@ -1,26 +1,26 @@
 diff -up ./mozilla/security/nss/lib/Makefile.nolocalsql ./mozilla/security/nss/lib/Makefile
---- ./mozilla/security/nss/lib/Makefile.nolocalsql	2007-07-19 23:36:49.000000000 +0200
-+++ ./mozilla/security/nss/lib/Makefile	2009-04-14 17:07:40.000000000 +0200
-@@ -62,11 +62,11 @@ ifeq ($(OS_TARGET), WINCE)
- DIRS := $(filter-out fortcrypt,$(DIRS))
+--- ./mozilla/security/nss/lib/Makefile.nolocalsql	2010-02-27 16:40:25.891777537 -0800
++++ ./mozilla/security/nss/lib/Makefile	2010-02-27 16:41:59.175902327 -0800
+@@ -62,11 +62,11 @@ ifndef USE_SYSTEM_ZLIB
+ ZLIB_SRCDIR = zlib  # Add the zlib directory to DIRS.
  endif
  
 -ifndef MOZILLA_CLIENT
 -ifndef NSS_USE_SYSTEM_SQLITE
--DIRS := sqlite $(DIRS)
+-SQLITE_SRCDIR = sqlite  # Add the sqlite directory to DIRS.
 -endif
 -endif
 +#ifndef MOZILLA_CLIENT
 +#ifndef NSS_USE_SYSTEM_SQLITE
-+#DIRS := sqlite $(DIRS)
++#SQLITE_SRCDIR = sqlite  # Add the sqlite directory to DIRS.
 +#endif
 +#endif
  
- #######################################################################
- # (5) Execute "global" rules. (OPTIONAL)                              #
+ ifndef MOZILLA_CLIENT
+ ifeq ($(OS_ARCH),Linux)
 diff -up ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn.nolocalsql ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn
---- ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn.nolocalsql	2007-07-19 23:36:50.000000000 +0200
-+++ ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn	2009-04-14 17:07:40.000000000 +0200
+--- ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn.nolocalsql	2010-02-27 16:44:24.998777709 -0800
++++ ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn	2010-02-27 16:45:08.533803472 -0800
 @@ -46,9 +46,9 @@ MAPFILE = $(OBJDIR)/nssdbm.def
  
  DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\"
@@ -35,8 +35,8 @@ diff -up ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn.nolocalsql ./m
  CSRCS = \
  	dbmshim.c \
 diff -up ./mozilla/security/nss/lib/softoken/manifest.mn.nolocalsql ./mozilla/security/nss/lib/softoken/manifest.mn
---- ./mozilla/security/nss/lib/softoken/manifest.mn.nolocalsql	2009-03-25 17:21:37.000000000 +0100
-+++ ./mozilla/security/nss/lib/softoken/manifest.mn	2009-04-14 17:07:40.000000000 +0200
+--- ./mozilla/security/nss/lib/softoken/manifest.mn.nolocalsql	2010-02-27 16:42:52.213902231 -0800
++++ ./mozilla/security/nss/lib/softoken/manifest.mn	2010-02-27 16:43:34.040776788 -0800
 @@ -47,9 +47,9 @@ MAPFILE = $(OBJDIR)/softokn.def
  
  DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\"

nss.pc.in

@@ -6,6 +6,6 @@ includedir=%includedir%
 Name: NSS
 Description: Network Security Services
 Version: %NSS_VERSION%
-Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%, nss-softokn >= %SOFTOKEN_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
 Libs: -lssl3 -lsmime3 -lnss3
 Cflags: -I${includedir}

nss.spec

@@ -1,22 +1,23 @@
-%global nspr_version 4.8
-%global nss_util_version 3.12.4
-%global nss_softokn_version 3.12.4
+%global nspr_version 4.8.4
+%global nss_util_version 3.12.6
+%global nss_softokn_version 3.12.6
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.12.4
-Release:          12%{?dist}
+Version:          3.12.6
+Release:          7%{?dist}
 License:          MPLv1.1 or GPLv2+ or LGPLv2+
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
 Requires:         nspr >= %{nspr_version}
-Requires:         nss-util >= %{nss_util_version}
-Requires:         nss-softokn >= %{nss_softokn_version}
+Requires:         nss-util = %{nss_util_version}
+Requires:         nss-softokn%{_isa} = %{nss_softokn_version}
+Requires:         nss-system-init
 BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:    nspr-devel >= %{nspr_version}
-BuildRequires:    nss-softokn-devel >= %{version}                                                  
-BuildRequires:    nss-util-devel >= %{nss_util_version}
+BuildRequires:    nss-softokn-devel = 3.12.4
+BuildRequires:    nss-util-devel = %{nss_util_version}
 BuildRequires:    sqlite-devel
 BuildRequires:    zlib-devel
 BuildRequires:    pkgconfig
@@ -35,12 +36,14 @@ Source6:          blank-cert9.db
 Source7:          blank-key4.db
 Source8:          system-pkcs11.txt
 Source9:          setup-nsssysinit.sh
-Source12:         %{name}-pem-20090907.tar.bz2
+Source10:         PayPalEE.cert
+Source12:         %{name}-pem-20100412.tar.bz2
 
 Patch2:           nss-nolocalsql.patch
+Patch3:           renegotiate-transitional.patch
+Patch4:           validate-arguments.patch
 Patch6:           nss-enable-pem.patch
-Patch7:           newargs.patch
-Patch8:           sysinit.patch
+Patch7:           nsspem-596674.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -68,8 +71,9 @@ manipulate the NSS certificate and key database.
 %package sysinit
 Summary:          System NSS Initilization
 Group:            System Environment/Base
-Provides:         nss-sysinit = %{version}-%{release}
+Provides:         nss-system-init
 Requires:         nss = %{version}-%{release}
+Requires(post):   coreutils, sed
 
 %description sysinit
 Default Operating System module that manages applications loading
@@ -102,12 +106,15 @@ low level services.
 
 %prep
 %setup -q
+%{__cp} %{SOURCE10} -f ./mozilla/security/nss/tests/libpkix/certs
 %setup -q -T -D -n %{name}-%{version} -a 12
 
-%patch2 -p0
+%patch2 -p0 -b .nolocalsql
+%patch3 -p0 -b .transitional
+%patch4 -p0 -b .validate
 %patch6 -p0 -b .libpem
-%patch7 -p0 -b .newargs
-%patch8 -p0 -b .sysinit
+%patch7 -p0 -b .596674
+
 
 %build
 
@@ -137,8 +144,8 @@ export NSPR_LIB_DIR
 NSS_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'`
 NSS_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nss-util | sed 's/-L//'`
 
-export NSS_INCLUDE_DIR
-export NSS_LIB_DIR
+#export NSS_INCLUDE_DIR
+#export NSS_LIB_DIR
 
 %ifarch x86_64 ppc64 ia64 s390x sparc64
 USE_64=1
@@ -229,6 +236,17 @@ rm -rf ./mozilla/tests_results
 cd ./mozilla/security/nss/tests/
 # all.sh is the test suite script
 
+#  don't need to run all the tests when testing packaging
+#  nss_cycles: standard pkix upgradedb sharedb
+#  nss_tests: cipher libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains
+#  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
+#  nss_ssl_run: cov auth stress
+
+# Temporarily disabling the ssl test suites
+# until bug 539183 gets resolved
+#%global nss_ssl_tests " "
+#%global nss_ssl_run " "
+
 HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
 
 cd ../../../../
@@ -469,6 +487,82 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
 
 
 %changelog
+* Tue Jun 08 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-7
+- Require nss-softoken-version 3.12.6
+- Fix SIGSEGV within CreateObject (#596674)
+
+* Sat Apr 12 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-5
+- Update pem source tar to pick up the following bug fixes:
+- PEM - Allow collect objects to search through all objects
+- PEM - Make CopyObject return a new shallow copy
+- PEM - Fix memory leak in pem_mdCryptoOperationRSAPriv
+
+* Wed Apr 07 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-4
+- Update the test cert in the setup phase
+
+* Wed Apr 07 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-3
+- Add sed to sysinit requires as setup-nsssysinit.sh requires it (#576071)
+- Update PayPalEE test cert with unexpired one (#580207)
+
+* Fri Mar 19 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-2
+- Fix nss.pc to not require nss-softokn (#575001)
+
+* Sat Mar 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-1.2
+- Rebuilt with all tests enabled
+
+* Sat Mar 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-1.1
+- Update to 3.12.6
+- Using SSL_RENEGOTIATE_TRANSITIONAL as default while on transition period
+- Patch tools to validate command line options arguments
+
+* Mon Jan 25 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-8
+- Fix curl related regression and general patch code clean up
+
+* Wed Jan 13 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-7
+- Retagged
+
+* Wed Jan 13 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-6
+- retagging
+
+* Tue Jan 12 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-2.1
+- Fix SIGSEGV on call of NSS_Initialize (#553638)
+
+* Wed Jan 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-2
+- bump release number and rebuild
+
+* Wed Jan 06 2010 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.14
+- Fix nsssysinit to allow root to modify the nss system database (#547860)
+
+* Wed Jan 06 2010 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.12.1
+- Temporarily disabling the ssl tests until Bug 539183 is resolved
+
+* Sat Dec 25 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.11
+- Fix an error introduced when adapting the patch for 546211
+
+* Sat Dec 19 2009 Elio maldonado<emaldona@redhat.com> - 3.12.5-1.10
+- Remove some left over trace statements from nsssysinit patching
+
+* Thu Dec 17 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.8
+- Fix nsssysinit to set the default flags on the crypto module (#545779)
+- Fix nsssysinit to enable apps to use the system cert store, patch contributed by David Woodhouse (#546221)
+- Fix segmentation fault when listing keys or certs in the database, patch contributed by Kamil Dudka (#540387)
+- Sysinit requires coreutils for post install scriplet (#547067)
+- Remove redundant header from the pem module
+
+* Wed Dec 09 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-2.1
+- Remove unneeded patch
+
+* Thu Dec 04 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.2
+- Update to 3.12.5
+- CVE-2009-3555 TLS: MITM attacks via session renegotiation
+
+* Mon Oct 26 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-15
+- Require nss-softoken of same arch as nss (#527867)
+
+* Mon Oct 06 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-14
+- Fix bug where user was prompted for a password when listing keys on an empty system database (#527048)
+- Fix setup-nsssysinit to handle more general flags formats (#527051)
+
 * Sun Sep 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-12
 - Fix syntax error in setup-nsssysinit.sh
 

nsspem-596674.patch

@@ -0,0 +1,127 @@
+diff -up ./mozilla/security/nss/lib/ckfw/pem/pinst.c.596783 ./mozilla/security/nss/lib/ckfw/pem/pinst.c
+--- ./mozilla/security/nss/lib/ckfw/pem/pinst.c.596783	2010-06-06 18:27:27.256318318 -0700
++++ ./mozilla/security/nss/lib/ckfw/pem/pinst.c	2010-06-06 20:45:28.158442982 -0700
+@@ -151,7 +151,7 @@ GetCertFields(unsigned char *cert, int c
+     buf = issuer->data + issuer->len;
+ 
+     /* only wanted issuer/SN */
+-    if (valid == NULL) {
++    if (subject == NULL || valid == NULL || subjkey == NULL) {
+         return SECSuccess;
+     }
+     /* validity */
+@@ -219,53 +219,93 @@ CreateObject(CK_OBJECT_CLASS objClass,
+         memset(&o->u.trust, 0, sizeof(o->u.trust));
+         break;
+     }
++
++    o->nickname = (char *) nss_ZAlloc(NULL, strlen(nickname) + 1);
++    if (o->nickname == NULL)
++        goto fail;
++    strcpy(o->nickname, nickname);
++
++    sprintf(id, "%d", objid);
++    len = strlen(id) + 1;       /* zero terminate */
++    o->id.data = (void *) nss_ZAlloc(NULL, len);
++    if (o->id.data == NULL)
++        goto fail;
++    (void) nsslibc_memcpy(o->id.data, id, len);
++    o->id.size = len;
++
+     o->objClass = objClass;
+     o->type = type;
+     o->slotID = slotID;
++
+     o->derCert = nss_ZNEW(NULL, SECItem);
++    if (o->derCert == NULL)
++        goto fail;
+     o->derCert->data = (void *) nss_ZAlloc(NULL, certDER->len);
++    if (o->derCert->data == NULL)
++        goto fail;
+     o->derCert->len = certDER->len;
+     nsslibc_memcpy(o->derCert->data, certDER->data, certDER->len);
+ 
+     switch (objClass) {
+     case CKO_CERTIFICATE:
+     case CKO_NETSCAPE_TRUST:
+-        GetCertFields(o->derCert->data,
+-                      o->derCert->len, &issuer, &serial,
+-                      &derSN, &subject, &valid, &subjkey);
++        if (SECSuccess != GetCertFields(o->derCert->data, o->derCert->len,
++                                        &issuer, &serial, &derSN, &subject,
++                                        &valid, &subjkey))
++            goto fail;
+ 
+         o->u.cert.subject.data = (void *) nss_ZAlloc(NULL, subject.len);
++        if (o->u.cert.subject.data == NULL)
++            goto fail;
+         o->u.cert.subject.size = subject.len;
+         nsslibc_memcpy(o->u.cert.subject.data, subject.data, subject.len);
+ 
+         o->u.cert.issuer.data = (void *) nss_ZAlloc(NULL, issuer.len);
++        if (o->u.cert.issuer.data == NULL) {
++            nss_ZFreeIf(o->u.cert.subject.data);
++            goto fail;
++        }
+         o->u.cert.issuer.size = issuer.len;
+         nsslibc_memcpy(o->u.cert.issuer.data, issuer.data, issuer.len);
+ 
+         o->u.cert.serial.data = (void *) nss_ZAlloc(NULL, serial.len);
++        if (o->u.cert.serial.data == NULL) {
++            nss_ZFreeIf(o->u.cert.issuer.data);
++            nss_ZFreeIf(o->u.cert.subject.data);
++            goto fail;
++        }
+         o->u.cert.serial.size = serial.len;
+         nsslibc_memcpy(o->u.cert.serial.data, serial.data, serial.len);
+         break;
+     case CKO_PRIVATE_KEY:
+         o->u.key.key.privateKey = nss_ZNEW(NULL, SECItem);
++        if (o->u.key.key.privateKey == NULL)
++            goto fail;
+         o->u.key.key.privateKey->data =
+             (void *) nss_ZAlloc(NULL, keyDER->len);
++        if (o->u.key.key.privateKey->data == NULL) {
++            nss_ZFreeIf(o->u.key.key.privateKey);
++            goto fail;
++        }
+         o->u.key.key.privateKey->len = keyDER->len;
+         nsslibc_memcpy(o->u.key.key.privateKey->data, keyDER->data,
+                        keyDER->len);
+     }
+ 
+-    o->nickname = (char *) nss_ZAlloc(NULL, strlen(nickname) + 1);
+-    strcpy(o->nickname, nickname);
+-
+-    sprintf(id, "%d", objid);
+-
+-    len = strlen(id) + 1;       /* zero terminate */
+-    o->id.data = (void *) nss_ZAlloc(NULL, len);
+-    (void) nsslibc_memcpy(o->id.data, id, len);
+-    o->id.size = len;
+ 
+     return o;
++
++fail:
++    if (o) {
++        if (o->derCert) {
++            nss_ZFreeIf(o->derCert->data);
++            nss_ZFreeIf(o->derCert);
++        }
++        nss_ZFreeIf(o->id.data);
++        nss_ZFreeIf(o->nickname);
++        nss_ZFreeIf(o);
++    }
++    return NULL;
+ }
+ 
+ pemInternalObject *
+@@ -306,6 +346,8 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objCla
+     /* object not found, we need to create it */
+     pemInternalObject *io = CreateObject(objClass, type, certDER, keyDER,
+                                          filename, objid, slotID);
++    if (io == NULL)
++        return NULL;
+ 
+     io->gobjIndex = count;
+ 

renegotiate-transitional.patch

@@ -0,0 +1,16 @@
+Index: ./mozilla/security/nss/lib/ssl/sslsock.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v
+retrieving revision 1.66
+diff -u -p -r1.66 sslsock.c
+--- ./mozilla/security/nss/lib/ssl/sslsock.c	26 Feb 2010 20:44:54 -0000	1.66
++++ ./mozilla/security/nss/lib/ssl/sslsock.c	1 Mar 2010 18:05:10 -0000
+@@ -181,7 +181,7 @@ static sslOptions ssl_defaults = {
+     PR_FALSE,   /* noLocks            */
+     PR_FALSE,   /* enableSessionTickets */
+     PR_FALSE,   /* enableDeflate      */
+-    2,          /* enableRenegotiation (default: requires extension) */
++    3,          /* enableRenegotiation (default: transitional)
+     PR_FALSE,   /* requireSafeNegotiation */
+ };
+ 

setup-nsssysinit.sh

@@ -22,13 +22,6 @@ if test $# -eq 0; then
   usage 1 1>&2
 fi
 
-on="1"
-case "$1" in
-  on  | ON )  on="1";;
-  off | OFF ) on="";;
-  * )         usage 1 1>&2;;
-esac
-
 # the system-wide configuration file
 p11conf="/etc/pki/nssdb/pkcs11.txt"
 # must exist, otherwise report it and exit with failure
@@ -37,19 +30,26 @@ if [ ! -f $p11conf ]; then
   exit 1
 fi
 
-# turn on or off
-if [ on = "1" ]; then 
-  cat ${p11conf} | sed -e 's/^library=$/library=libnsssysinit.so/' \
-                       -e 'g/^NSS/ s; Flags=internal,critical; Flags=internal,moduleDBOnly,critical;' > \
-                       ${p11conf}.on
-  mv ${p11conf}.on ${p11conf}
-else
-  if [ `grep "^library=libnsssysinit" ${p11conf}` == ""]; then
-    exit 0
-  fi
-  cat ${p11conf} | sed -e 's/^library=libnsssysinit.so/library=/' \
-                       -e 'g/^NSS/ s; Flags=internal,moduleDBOnly,critical; Flags=internal,critical;' > \
-                       ${p11conf}.off
-  mv ${p11conf}.off ${p11conf}
-fi
-
+on="1"
+case "$1" in
+  on | ON )
+    cat ${p11conf} | \
+     sed -e 's/^library=$/library=libnsssysinit.so/' \
+         -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
+    ${p11conf}.on
+    mv ${p11conf}.on ${p11conf}
+    ;;
+  off | OFF )
+    if [ ! `grep "^library=libnsssysinit" ${p11conf}` ]; then
+      exit 0
+    fi
+    cat ${p11conf} | \
+    sed -e 's/^library=libnsssysinit.so/library=/' \
+        -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \
+        ${p11conf}.off
+    mv ${p11conf}.off ${p11conf}
+    ;;
+  * )
+    usage 1 1>&2
+    ;;
+esac

sources

@@ -1,2 +1,8 @@
-954834f7b173bdab366a19880c671c39  nss-3.12.4-stripped.tar.bz2
-895ef804e11c14868e86df80c2dd9b66  nss-pem-20090907.tar.bz2
+3902499c8e02b02d4944f21d3c6a839f  nss-3.12.6-stripped.tar.bz2
+f32d884d178082ce8201f01e21f0d050  nss-pem-20100412.tar.bz2
+a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
+9315689bbd9f28ceebd47894f99fccbd  blank-key3.db
+73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
+691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
+2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
+9bbc62615e6b2b22547375b5d39ddfe7  PayPalEE.cert

validate-arguments.patch

@@ -0,0 +1,720 @@
+Index: ./mozilla/security/nss/cmd/p7content/p7content.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/p7content/p7content.c,v
+retrieving revision 1.12
+diff -u -p -r1.12 p7content.c
+--- ./mozilla/security/nss/cmd/p7content/p7content.c	4 Aug 2008 22:58:31 -0000	1.12
++++ ./mozilla/security/nss/cmd/p7content/p7content.c	2 Mar 2010 18:29:48 -0000
+@@ -64,7 +64,7 @@ extern int fprintf(FILE *, char *, ...);
+ 
+ 
+ static void
+-Usage(char *progName)
++Usage(const char *progName)
+ {
+     fprintf(stderr,
+ 	    "Usage:  %s [-d dbdir] [-i input] [-o output]\n",
+@@ -195,6 +195,15 @@ DecodeAndPrintFile(FILE *out, PRFileDesc
+     return 0;
+ }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt)
++
+ /*
+  * Print the contents of a PKCS7 message, indicating signatures, etc.
+  */
+@@ -222,10 +231,12 @@ main(int argc, char **argv)
+     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+ 	switch (optstate->option) {
+ 	  case 'd':
++           REQUIRE_ARG(optstate->option, optstate->value);
+ 	    SECU_ConfigDirectory(optstate->value);
+ 	    break;
+ 
+ 	  case 'i':
++           REQUIRE_ARG(optstate->option, optstate->value);
+ 	    inFile = PR_Open(optstate->value, PR_RDONLY, 0);
+ 	    if (!inFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+@@ -235,6 +246,7 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'o':
++           REQUIRE_ARG(optstate->option, optstate->value);
+ 	    outFile = fopen(optstate->value, "w");
+ 	    if (!outFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+@@ -244,11 +256,13 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'p':
++            REQUIRE_ARG(optstate->option, optstate->value);
+             pwdata.source = PW_PLAINTEXT;
+             pwdata.data = PORT_Strdup (optstate->value);
+             break;
+ 
+           case 'f':
++            REQUIRE_ARG(optstate->option, optstate->value);
+             pwdata.source = PW_FROMFILE;
+             pwdata.data = PORT_Strdup (optstate->value);
+             break;
+Index: ./mozilla/security/nss/cmd/p7env/p7env.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/p7env/p7env.c,v
+retrieving revision 1.10
+diff -u -p -r1.10 p7env.c
+--- ./mozilla/security/nss/cmd/p7env/p7env.c	11 Feb 2010 02:39:47 -0000	1.10
++++ ./mozilla/security/nss/cmd/p7env/p7env.c	2 Mar 2010 18:29:48 -0000
+@@ -63,7 +63,7 @@ extern int fprintf(FILE *, char *, ...);
+ 
+ 
+ static void
+-Usage(char *progName)
++Usage(const char *progName)
+ {
+     fprintf(stderr,
+ 	    "Usage:  %s -r recipient [-d dbdir] [-i input] [-o output]\n",
+@@ -159,6 +159,15 @@ EncryptFile(FILE *outFile, FILE *inFile,
+     return 0;
+ }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt)
++
+ int
+ main(int argc, char **argv)
+ {
+@@ -194,10 +203,12 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'd':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    SECU_ConfigDirectory(optstate->value);
+ 	    break;
+ 
+ 	  case 'i':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    inFile = fopen(optstate->value, "r");
+ 	    if (!inFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+@@ -207,6 +218,7 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'o':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    outFile = fopen(optstate->value, "wb");
+ 	    if (!outFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+@@ -216,6 +228,7 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'r':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    if (rcpt == NULL) {
+ 		recipients = rcpt = PORT_Alloc (sizeof(struct recipient));
+ 	    } else {
+Index: ./mozilla/security/nss/cmd/p7sign/p7sign.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/p7sign/p7sign.c,v
+retrieving revision 1.14
+diff -u -p -r1.14 p7sign.c
+--- ./mozilla/security/nss/cmd/p7sign/p7sign.c	4 Aug 2008 22:58:28 -0000	1.14
++++ ./mozilla/security/nss/cmd/p7sign/p7sign.c	2 Mar 2010 18:29:48 -0000
+@@ -67,7 +67,7 @@ extern int fprintf(FILE *, char *, ...);
+ static secuPWData  pwdata          = { PW_NONE, 0 };
+ 
+ static void
+-Usage(char *progName)
++Usage(const char *progName)
+ {
+     fprintf(stderr,
+ 	    "Usage:  %s -k keyname [-d keydir] [-i input] [-o output]\n",
+@@ -173,6 +173,15 @@ SignFile(FILE *outFile, PRFileDesc *inFi
+     return 0;
+ }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt)
++
+ int
+ main(int argc, char **argv)
+ {
+@@ -210,10 +219,12 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'd':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    SECU_ConfigDirectory(optstate->value);
+ 	    break;
+ 
+ 	  case 'i':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    inFile = PR_Open(optstate->value, PR_RDONLY, 0);
+ 	    if (!inFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+@@ -223,10 +234,12 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'k':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    keyName = strdup(optstate->value);
+ 	    break;
+ 
+ 	  case 'o':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    outFile = fopen(optstate->value, "wb");
+ 	    if (!outFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+@@ -235,11 +248,13 @@ main(int argc, char **argv)
+ 	    }
+ 	    break;
+ 	  case 'p':
++            REQUIRE_ARG(optstate->option, optstate->value);
+             pwdata.source = PW_PLAINTEXT;
+             pwdata.data = strdup (optstate->value);
+             break;
+ 
+ 	  case 'f':
++              REQUIRE_ARG(optstate->option, optstate->value);
+               pwdata.source = PW_FROMFILE;
+               pwdata.data = PORT_Strdup (optstate->value);
+               break;
+Index: ./mozilla/security/nss/cmd/p7verify/p7verify.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/p7verify/p7verify.c,v
+retrieving revision 1.10
+diff -u -p -r1.10 p7verify.c
+--- ./mozilla/security/nss/cmd/p7verify/p7verify.c	8 Aug 2008 23:47:57 -0000	1.10
++++ ./mozilla/security/nss/cmd/p7verify/p7verify.c	2 Mar 2010 18:29:48 -0000
+@@ -126,7 +126,7 @@ DigestFile(unsigned char *digest, unsign
+ 
+ 
+ static void
+-Usage(char *progName)
++Usage(const char *progName)
+ {
+     fprintf(stderr,
+ 	    "Usage:  %s -c content -s signature [-d dbdir] [-u certusage]\n",
+@@ -209,6 +209,14 @@ HashDecodeAndVerify(FILE *out, FILE *con
+     return 0;
+ }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,arg) if (!(arg)) PrintMsgAndExit(progName, opt)
+ 
+ int
+ main(int argc, char **argv)
+@@ -239,6 +247,7 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'c':
++        REQUIRE_ARG(optstate->option, optstate->value);
+ 	    contentFile = fopen(optstate->value, "r");
+ 	    if (!contentFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+@@ -248,10 +257,12 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'd':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    SECU_ConfigDirectory(optstate->value);
+ 	    break;
+ 
+ 	  case 'o':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    outFile = fopen(optstate->value, "w");
+ 	    if (!outFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+@@ -261,6 +272,7 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 's':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    signatureFile = PR_Open(optstate->value, PR_RDONLY, 0);
+ 	    if (!signatureFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+@@ -271,7 +283,7 @@ main(int argc, char **argv)
+ 
+ 	  case 'u': {
+ 	    int usageType;
+-
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    usageType = atoi (strdup(optstate->value));
+ 	    if (usageType < certUsageSSLClient || usageType > certUsageAnyCA)
+ 		return -1;
+Index: ./mozilla/security/nss/cmd/strsclnt/strsclnt.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/strsclnt/strsclnt.c,v
+retrieving revision 1.66
+diff -u -p -r1.66 strsclnt.c
+--- ./mozilla/security/nss/cmd/strsclnt/strsclnt.c	10 Feb 2010 18:07:20 -0000	1.66
++++ ./mozilla/security/nss/cmd/strsclnt/strsclnt.c	2 Mar 2010 18:29:51 -0000
+@@ -1325,6 +1325,15 @@ done:
+     return rv;
+ }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt)
++
+ int
+ main(int argc, char **argv)
+ {
+@@ -1364,33 +1373,57 @@ main(int argc, char **argv)
+ 
+ 	case 'B': bypassPKCS11 = PR_TRUE; break;
+ 
+-	case 'C': cipherString = optstate->value; break;
++	case 'C': 
++	    REQUIRE_ARG(optstate->option, optstate->value);
++	    cipherString = optstate->value;
++	    break;
+ 
+ 	case 'D': NoDelay = PR_TRUE; break;
+ 
+ 	case 'N': NoReuse = 1; break;
+         
+-	case 'P': fullhs = PORT_Atoi(optstate->value); break;
++	case 'P': 
++	    REQUIRE_ARG(optstate->option, optstate->value);
++	    fullhs = PORT_Atoi(optstate->value);
++	    break;
+ 
+ 	case 'T': disableTLS = PR_TRUE; break;
+             
+ 	case 'U': ThrottleUp = PR_TRUE; break;
+ 
+-	case 'a': sniHostName = PL_strdup(optstate->value); break;
++	case 'a': 
++	    REQUIRE_ARG(optstate->option, optstate->value);
++	    sniHostName = PL_strdup(optstate->value);
++	    break;
+ 
+-	case 'c': connections = PORT_Atoi(optstate->value); break;
++	case 'c': 
++	    REQUIRE_ARG(optstate->option, optstate->value);
++	    connections = PORT_Atoi(optstate->value); 
++	    break;
+ 
+-	case 'd': dir = optstate->value; break;
++	case 'd': 
++	    REQUIRE_ARG(optstate->option, optstate->value);
++	    dir = optstate->value;
++	    break;
+ 
+-	case 'f': fileName = optstate->value; break;
++	case 'f': 
++	    REQUIRE_ARG(optstate->option, optstate->value);
++	    fileName = optstate->value;
++	    break;
+ 
+ 	case 'i': ignoreErrors = PR_TRUE; break;
+ 
+-        case 'n': nickName = PL_strdup(optstate->value); break;
++        case 'n': 
++	    REQUIRE_ARG(optstate->option, optstate->value);
++	    nickName = PL_strdup(optstate->value);
++	    break;
+ 
+ 	case 'o': MakeCertOK++; break;
+ 
+-	case 'p': port = PORT_Atoi(optstate->value); break;
++	case 'p': 
++	    REQUIRE_ARG(optstate->option, optstate->value);
++	    port = PORT_Atoi(optstate->value);
++	    break;
+ 
+ 	case 'q': QuitOnTimeout = PR_TRUE; break;
+ 
+@@ -1407,11 +1440,13 @@ main(int argc, char **argv)
+ 	case 'v': verbose++; break;
+ 
+         case 'w':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+             pwdata.source = PW_PLAINTEXT;
+             pwdata.data = PL_strdup(optstate->value);
+             break;
+ 
+         case 'W':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+             pwdata.source = PW_FROMFILE;
+             pwdata.data = PL_strdup(optstate->value);
+             break;
+@@ -1419,6 +1454,7 @@ main(int argc, char **argv)
+ 	case 'z': enableCompression = PR_TRUE; break;
+ 
+ 	case 0:   /* positional parameter */
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    if (hostName) {
+ 		Usage(progName);
+ 	    }
+Index: ./mozilla/security/nss/cmd/tests/remtest.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/tests/remtest.c,v
+retrieving revision 1.5
+diff -u -p -r1.5 remtest.c
+--- ./mozilla/security/nss/cmd/tests/remtest.c	8 Aug 2008 23:48:09 -0000	1.5
++++ ./mozilla/security/nss/cmd/tests/remtest.c	2 Mar 2010 18:29:51 -0000
+@@ -69,6 +69,15 @@ Usage(char *progName) 
+     exit(1);
+ }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt)
++
+ int main(int argc, char **argv)
+ {
+     char *             certDir  =  NULL;
+@@ -92,10 +101,12 @@ int main(int argc, char **argv)
+ 	switch (optstate->option) {
+ 
+ 	  case 'd':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    certDir = strdup(optstate->value);
+ 	    certDir = SECU_ConfigDirectory(certDir);
+ 	    break;
+ 	  case 't':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    tokenName = strdup(optstate->value);
+ 	    break;
+ 	  case 'r':
+Index: ./mozilla/security/nss/cmd/tstclnt/tstclnt.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/tstclnt/tstclnt.c,v
+retrieving revision 1.62
+diff -u -p -r1.62 tstclnt.c
+--- ./mozilla/security/nss/cmd/tstclnt/tstclnt.c	10 Feb 2010 18:07:21 -0000	1.62
++++ ./mozilla/security/nss/cmd/tstclnt/tstclnt.c	2 Mar 2010 18:29:51 -0000
+@@ -497,6 +497,15 @@ separateReqHeader(const PRFileDesc* outF
+ 	Usage(progName); \
+     }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt)
++
+ int main(int argc, char **argv)
+ {
+     PRFileDesc *       s;
+@@ -563,38 +572,56 @@ int main(int argc, char **argv)
+ 
+           case 'B': bypassPKCS11 = 1; 			break;
+ 
+-          case 'S': skipProtoHeader = PR_TRUE;                 break;
++          case 'S': skipProtoHeader = PR_TRUE;  break;
+ 
+           case 'T': disableTLS  = 1; 			break;
+ 
+-          case 'a': if (!hs1SniHostName) {
+-                        hs1SniHostName = PORT_Strdup(optstate->value);
+-                    } else if (!hs2SniHostName) {
+-                        hs2SniHostName =  PORT_Strdup(optstate->value);
+-                    } else {
+-                        Usage(progName);
+-                    }
+-                    break;
+-
+-          case 'c': cipherString = PORT_Strdup(optstate->value); break;
+-
+-          case 'd': certDir = PORT_Strdup(optstate->value);   break;
++          case 'a':
++              REQUIRE_ARG(optstate->option, optstate->value);
++              if (!hs1SniHostName) {
++                  hs1SniHostName = PORT_Strdup(optstate->value);
++              } else if (!hs2SniHostName) {
++                  hs2SniHostName =  PORT_Strdup(optstate->value);
++              } else {
++                  Usage(progName);
++              }
++              break;
++
++          case 'c':
++              REQUIRE_ARG(optstate->option,optstate->value);
++              cipherString = PORT_Strdup(optstate->value);
++              break;
++
++          case 'd':
++              REQUIRE_ARG(optstate->option,optstate->value);
++              certDir = PORT_Strdup(optstate->value);
++              break;
+ 
+           case 'f': clientSpeaksFirst = PR_TRUE;        break;
+ 
+-          case 'h': host = PORT_Strdup(optstate->value);	break;
++          case 'h':
++              REQUIRE_ARG(optstate->option,optstate->value);
++              host = PORT_Strdup(optstate->value);
++              break;
+ 
+ 	  case 'm':
++	    REQUIRE_ARG(optstate->option,optstate->value);
+ 	    multiplier = atoi(optstate->value);
+ 	    if (multiplier < 0)
+ 	    	multiplier = 0;
+ 	    break;
+ 
+-	  case 'n': nickname = PORT_Strdup(optstate->value);	break;
++	  case 'n':
++	      REQUIRE_ARG(optstate->option,optstate->value);
++          nickname = PORT_Strdup(optstate->value);
++          break;
+ 
+ 	  case 'o': override = 1; 			break;
+ 
+-	  case 'p': portno = (PRUint16)atoi(optstate->value);	break;
++	  case 'p':
++	      REQUIRE_ARG(optstate->option,optstate->value);
++          portno = (PRUint16)atoi(optstate->value);
++          break;
+ 
+ 	  case 'q': pingServerFirst = PR_TRUE;          break;
+ 
+@@ -604,17 +631,22 @@ int main(int argc, char **argv)
+ 
+ 	  case 'v': verbose++;	 			break;
+ 
+-	  case 'r': renegotiationsToDo = atoi(optstate->value);	break;
+-
+-          case 'w':
+-                pwdata.source = PW_PLAINTEXT;
+-		pwdata.data = PORT_Strdup(optstate->value);
+-		break;
+-
+-          case 'W':
+-                pwdata.source = PW_FROMFILE;
+-                pwdata.data = PORT_Strdup(optstate->value);
+-                break;
++	  case 'r':
++	      REQUIRE_ARG(optstate->option,optstate->value);
++          renegotiationsToDo = atoi(optstate->value);
++          break;
++
++      case 'w':
++          REQUIRE_ARG(optstate->option,optstate->value);
++          pwdata.source = PW_PLAINTEXT;
++          pwdata.data = PORT_Strdup(optstate->value);
++          break;
++
++      case 'W':
++          REQUIRE_ARG(optstate->option,optstate->value);
++          pwdata.source = PW_FROMFILE;
++          pwdata.data = PORT_Strdup(optstate->value);
++          break;
+ 
+ 	  case 'x': useExportPolicy = 1; 		break;
+ 
+Index: ./mozilla/security/nss/cmd/vfychain/vfychain.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/vfychain/vfychain.c,v
+retrieving revision 1.30
+diff -u -p -r1.30 vfychain.c
+--- ./mozilla/security/nss/cmd/vfychain/vfychain.c	1 Apr 2009 20:41:29 -0000	1.30
++++ ./mozilla/security/nss/cmd/vfychain/vfychain.c	2 Mar 2010 18:29:52 -0000
+@@ -432,6 +432,15 @@ isOCSPEnabled()
+     return PR_FALSE;
+ }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt)
++
+ int
+ main(int argc, char *argv[], char *envp[])
+ {
+@@ -469,12 +478,19 @@ main(int argc, char *argv[], char *envp[
+ 	switch(optstate->option) {
+ 	case  0  : /* positional parameter */  goto breakout;
+ 	case 'a' : isAscii  = PR_TRUE;                        break;
+-	case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value);
+-	           if (secStatus != SECSuccess) Usage(progName); break;
+-	case 'd' : certDir  = PL_strdup(optstate->value);     break;
++	case 'b' : 
++	           REQUIRE_ARG(optstate->option, optstate->value);
++	           secStatus = DER_AsciiToTime(&time, optstate->value);
++	           if (secStatus != SECSuccess) Usage(progName);
++	           break;
++	case 'd' : 
++	           REQUIRE_ARG(optstate->option, optstate->value);
++	           certDir  = PL_strdup(optstate->value);
++	           break;
+ 	case 'e' : ocsp_fetchingFailureIsAFailure = PR_FALSE;  break;
+ 	case 'f' : certFetching = PR_TRUE;                    break;
+ 	case 'g' : 
++	           REQUIRE_ARG(optstate->option, optstate->value);
+                    if (revMethodsData[revDataIndex].testTypeStr ||
+                        revMethodsData[revDataIndex].methodTypeStr) {
+                        revDataIndex += 1;
+@@ -489,11 +505,13 @@ main(int argc, char *argv[], char *envp[
+                    revMethodsData[revDataIndex].
+                        testTypeStr = PL_strdup(optstate->value); break;
+ 	case 'h' : 
++	           REQUIRE_ARG(optstate->option, optstate->value);
+                    revMethodsData[revDataIndex].
+                        testFlagsStr = PL_strdup(optstate->value);break;
+         case 'i' : vfyCounts = PORT_Atoi(optstate->value);       break;
+                    break;
+ 	case 'm' : 
++	           REQUIRE_ARG(optstate->option, optstate->value);
+                    if (revMethodsData[revDataIndex].methodTypeStr) {
+                        revDataIndex += 1;
+                        if (revDataIndex == REV_METHOD_INDEX_MAX) {
+@@ -506,24 +524,33 @@ main(int argc, char *argv[], char *envp[
+                    useDefaultRevFlags = PR_FALSE;
+                    revMethodsData[revDataIndex].
+                        methodTypeStr = PL_strdup(optstate->value); break;
+-	case 'o' : oidStr = PL_strdup(optstate->value);       break;
++	case 'o' : 
++	           REQUIRE_ARG(optstate->option, optstate->value);
++	           oidStr = PL_strdup(optstate->value);
++	           break;
+ 	case 'p' : usePkix += 1;                              break;
+ 	case 'r' : isAscii  = PR_FALSE;                       break;
+ 	case 's' : 
++	           REQUIRE_ARG(optstate->option, optstate->value);
+                    revMethodsData[revDataIndex].
+-                       methodFlagsStr = PL_strdup(optstate->value); break;
++                       methodFlagsStr = PL_strdup(optstate->value);
++	           break;
+ 	case 't' : trusted  = PR_TRUE;                        break;
+-	case 'u' : usage    = PORT_Atoi(optstate->value);
++	case 'u' : 
++	           REQUIRE_ARG(optstate->option,optstate->value);
++	           usage    = PORT_Atoi(optstate->value);
+ 	           if (usage < 0 || usage > 62) Usage(progName);
+ 		   certUsage = ((SECCertificateUsage)1) << usage; 
+ 		   if (certUsage > certificateUsageHighest) Usage(progName);
+ 		   break;
+         case 'w':
++	          REQUIRE_ARG(optstate->option,optstate->value);
+                   pwdata.source = PW_PLAINTEXT;
+                   pwdata.data = PORT_Strdup(optstate->value);
+                   break;
+ 
+         case 'W':
++	          REQUIRE_ARG(optstate->option, optstate->value);
+                   pwdata.source = PW_FROMFILE;
+                   pwdata.data = PORT_Strdup(optstate->value);
+                   break;
+Index: ./mozilla/security/nss/cmd/vfyserv/vfyserv.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/vfyserv/vfyserv.c,v
+retrieving revision 1.17
+diff -u -p -r1.17 vfyserv.c
+--- ./mozilla/security/nss/cmd/vfyserv/vfyserv.c	8 Aug 2008 23:48:12 -0000	1.17
++++ ./mozilla/security/nss/cmd/vfyserv/vfyserv.c	2 Mar 2010 18:29:52 -0000
+@@ -419,6 +419,15 @@ client_main(unsigned short      port, 
+ 	Usage(progName); \
+     }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt)
++
+ int
+ main(int argc, char **argv)
+ {
+@@ -442,23 +451,43 @@ main(int argc, char **argv)
+ 	optstate = PL_CreateOptState(argc, argv, "C:cd:f:l:n:p:ot:w:");
+ 	while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+ 		switch(optstate->option) {
+-		case 'C' : cipherString = PL_strdup(optstate->value); break;
+- 		case 'c' : dumpChain = PR_TRUE;                       break;
+-		case 'd' : certDir = PL_strdup(optstate->value);      break;
+-		case 'l' : respUrl = PL_strdup(optstate->value);      break;
+-		case 'p' : port = PORT_Atoi(optstate->value);         break;
+-		case 'o' : doOcspCheck = PR_TRUE;                     break;
+-		case 't' : respCertName = PL_strdup(optstate->value); break;
+-                case 'w':
++		case 'C' : 
++                           REQUIRE_ARG(optstate->option, optstate->value);
++                           cipherString = PL_strdup(optstate->value);
++                           break;
++ 		case 'c' : dumpChain = PR_TRUE;
++                           break;
++		case 'd' : 
++                           REQUIRE_ARG(optstate->option, optstate->value);
++                           certDir = PL_strdup(optstate->value);
++                           break;
++		case 'l' : 
++                           REQUIRE_ARG(optstate->option, optstate->value);
++                           respUrl = PL_strdup(optstate->value);
++                           break;
++		case 'p' : 
++                           REQUIRE_ARG(optstate->option,optstate->value);
++                           port = PORT_Atoi(optstate->value);
++                           break;
++		case 'o' : doOcspCheck = PR_TRUE;
++                           break;
++		case 't' : 
++                           REQUIRE_ARG(optstate->option, optstate->value);
++                           respCertName = PL_strdup(optstate->value);
++                           break;
++                case 'w' :
++                           REQUIRE_ARG(optstate->option, optstate->value);
+                            pwdata.source = PW_PLAINTEXT;
+                            pwdata.data = PORT_Strdup(optstate->value);
+                            break;
+-
+                 case 'f':
++                           REQUIRE_ARG(optstate->option, optstate->value);
+                            pwdata.source = PW_FROMFILE;
+                            pwdata.data = PORT_Strdup(optstate->value);
+                            break;
+-		case '\0': hostName = PL_strdup(optstate->value);     break;
++		case '\0': 
++                           REQUIRE_ARG(optstate->option,optstate->value);
++                           hostName = PL_strdup(optstate->value);     break;
+ 		default  : Usage(progName);
+ 		}
+ 	}