--- mozilla.firefox.1.5.0.6.rpmdist/embedding/browser/photon/src/Makefile.in 2005-04-26 10:37:02.000000000 -0700
+++ mozilla/embedding/browser/photon/src/Makefile.in 2006-08-23 19:01:13.000000000 -0700
@@ -100,6 +100,7 @@
XP_LIBS += \
$(PNG_LIBS) \
$(JPEG_LIBS) \
+ $(VAL_LIBS) \
$(ZLIB_LIBS) \
$(NULL)
--- mozilla.firefox.1.5.0.6.rpmdist/modules/libpr0n/build/Makefile.in 2004-12-09 11:28:21.000000000 -0800
+++ mozilla/modules/libpr0n/build/Makefile.in 2006-08-23 19:01:13.000000000 -0700
@@ -89,6 +89,7 @@
EXTRA_DSO_LDOPTS = \
$(LIBS_DIR) \
$(JPEG_LIBS) \
+ $(VAL_LIBS) \
$(PNG_LIBS) $(ZLIB_LIBS) \
$(EXTRA_DSO_LIBS) \
$(MOZ_COMPONENT_LIBS) \
--- mozilla.firefox.1.5.0.6.rpmdist/nsprpub/config/autoconf.mk.in 2006-02-22 15:03:11.000000000 -0800
+++ mozilla/nsprpub/config/autoconf.mk.in 2006-08-23 19:01:13.000000000 -0700
@@ -34,6 +34,7 @@
LIBNSPR = @LIBNSPR@
LIBPLC = @LIBPLC@
+VAL_LIBS = @VAL_LIBS@
CROSS_COMPILE = @CROSS_COMPILE@
BUILD_OPT = @MOZ_OPTIMIZE@
--- mozilla.firefox.1.5.0.6.rpmdist/nsprpub/config/nspr-config.in 2005-05-10 18:03:44.000000000 -0700
+++ mozilla/nsprpub/config/nspr-config.in 2006-08-23 19:01:13.000000000 -0700
@@ -138,6 +138,6 @@
libdirs="$libdirs $i"
fi
done
- echo $libdirs @OS_LIBS@
+ echo $libdirs @VAL_LIBS@ @OS_LIBS@
fi
--- mozilla.firefox.1.5.0.6.rpmdist/nsprpub/configure.in 2006-02-22 15:03:11.000000000 -0800
+++ mozilla/nsprpub/configure.in 2006-08-23 19:01:13.000000000 -0700
@@ -2138,6 +2138,52 @@
dnl AC_CHECK_LIB(thread, main)
dnl AC_CHECK_LIB(vms_jackets, main)
+dnl Check for libval, the DNSSEC validation library
+dnl ========================================================
+AC_ARG_WITH(system-val,
+[ --with-system-val[=PFX]
+ Use system libval [installed at prefix PFX]],
+ VAL_DIR=$withval)
+
+AC_ARG_WITH(system-sres,
+[ --with-system-sres[=PFX]
+ Use system libsres [installed at prefix PFX]],
+ SRES_DIR=$withval)
+
+AC_ARG_WITH(system-openssl,
+[ --with-system-openssl[=PFX]
+ Use system openssl libraries [installed at prefix PFX]],
+ OPENSSL_DIR=$withval)
+
+_SAVE_CFLAGS=$CFLAGS
+_SAVE_LDFLAGS=$LDFLAGS
+_SAVE_LIBS=$LIBS
+
+if test -n "${OPENSSL_DIR}"; then
+ CFLAGS="-I${OPENSSL_DIR}/include $CFLAGS"
+ LDFLAGS="-L${OPENSSL_DIR}/lib $LDFLAGS"
+fi
+if test -n "${VAL_DIR}"; then
+ CFLAGS="-I${VAL_DIR}/include $CFLAGS"
+ LDFLAGS="-L${VAL_DIR}/lib $LDFLAGS"
+fi
+if test -n "${SRES_DIR}"; then
+ CFLAGS="-I${SRES_DIR}/include $CFLAGS"
+ LDFLAGS="-L${SRES_DIR}/lib $LDFLAGS"
+fi
+AC_CHECK_LIB(crypto, EVP_md5, OPENSSL_LIBS="-lcrypto", OPENSSL_LIBS="")
+AC_CHECK_LIB(sres, __res_init, SRES_LIBS=" -lpthread -lsres", SRES_LIBS="",
+ $OPENSSL_LIBS -lpthread)
+AC_CHECK_LIB(val-threads, val_gethostbyname,
+ [SYSTEM_VAL=1
+ VAL_LIBS="-lval-threads $VAL_LIBS $SRES_LIBS $OPENSSL_LIBS"
+ NSPR_LIBS="$NSPR_LIBS $VAL_LIBS $SRES_LIBS $OPENSSL_LIBS"
+ AC_DEFINE(MOZ_DNSSEC)], SYSTEM_VAL=,
+ $SRES_LIBS $OPENSSL_LIBS)
+
+CFLAGS=$_SAVE_CFLAGS
+LDFLAGS=$_SAVE_LDFLAGS
+LIBS=$_SAVE_LIBS
dnl We don't want anything to link with libdl even if it's present on OS X,
dnl since it's not used and not part of the default installation.
@@ -2677,6 +2723,7 @@
AC_SUBST(OBJECT_MODE)
AC_SUBST(GC_LEAK_DETECTOR)
AC_SUBST(ENABLE_STRIP)
+AC_SUBST(VAL_LIBS)
AC_SUBST(USE_PTHREADS)
AC_SUBST(USE_BTHREADS)
--- mozilla.firefox.1.5.0.6.rpmdist/security/nss/cmd/platlibs.mk 2005-04-06 14:35:41.000000000 -0700
+++ mozilla/security/nss/cmd/platlibs.mk 2006-08-23 19:01:13.000000000 -0700
@@ -246,6 +246,8 @@
endif # USE_STATIC_LIBS
+OS_LIBS += -lval-threads -lsres -lcrypto
+
# If a platform has a system zlib, set USE_SYSTEM_ZLIB to 1 and
# ZLIB_LIBS to the linker command-line arguments for the system zlib
# (for example, -lz) in the platform's config file in coreconf.
--- old-mozilla/nsprpub/pr/include/prnetdb.h.orig 2008-05-08 14:04:48.000000000 -0700
+++ mozilla/nsprpub/pr/include/prnetdb.h 2008-01-09 09:25:07.000000000 -0800
@@ -85,6 +85,13 @@
#define PR_NETDB_BUF_SIZE 1024
#endif
+enum
+{
+ PR_DNSSEC_NO_FLAGS = 0,
+ PR_DNSSEC_IS_TRUSTED = 1 << 0,
+ PR_DNSSEC_IS_VALIDATED = 1 << 1
+};
+
/***********************************************************************
** FUNCTION:
** DESCRIPTION: PR_GetHostByName()
@@ -111,6 +118,33 @@
/***********************************************************************
** FUNCTION:
+** DESCRIPTION: PR_GetHostByNameExtended()
+** Lookup a host by name and provide extended error information
+**
+** INPUTS:
+** char *hostname Character string defining the host name of interest
+** char *buf A scratch buffer for the runtime to return result.
+** This buffer is allocated by the caller.
+** PRIntn bufsize Number of bytes in 'buf'. A recommnded value to
+** use is PR_NETDB_BUF_SIZE.
+** OUTPUTS:
+** PRHostEnt *hostentry
+** This structure is filled in by the runtime if
+** the function returns PR_SUCCESS. This structure
+** is allocated by the caller.
+** RETURN:
+** PRStatus PR_SUCCESS if the lookup succeeds. If it fails
+** the result will be PR_FAILURE and the reason
+** for the failure can be retrieved by PR_GetError().
+** This function is identical to the PR_GetHostByName
+** function but returns additional error codes via
+** PR_GetError() and may return even more in the future.
+***********************************************************************/
+NSPR_API(PRStatus) PR_GetHostByNameExtended(
+ const char *hostname, char *buf, PRIntn bufsize, PRHostEnt *hostentry);
+
+/***********************************************************************
+** FUNCTION:
** DESCRIPTION: PR_GetIPNodeByName()
** Lookup a host by name. Equivalent to getipnodebyname(AI_DEFAULT)
** of RFC 2553.
@@ -153,6 +187,44 @@
/***********************************************************************
** FUNCTION:
+** DESCRIPTION: PR_GetIPNodeByNameExtended()
+** Lookup a host by name. Equivalent to getipnodebyname(AI_DEFAULT)
+** of RFC 2553.
+**
+** INPUTS:
+** char *hostname Character string defining the host name of interest
+** PRUint16 af Address family (either PR_AF_INET or PR_AF_INET6)
+** PRIntn flags Specifies the types of addresses that are searched
+** for and the types of addresses that are returned.
+** The only supported flag is PR_AI_DEFAULT.
+** char *buf A scratch buffer for the runtime to return result.
+** This buffer is allocated by the caller.
+** PRIntn bufsize Number of bytes in 'buf'. A recommnded value to
+** use is PR_NETDB_BUF_SIZE.
+** OUTPUTS:
+** PRHostEnt *hostentry
+** This structure is filled in by the runtime if
+** the function returns PR_SUCCESS. This structure
+** is allocated by the caller.
+** RETURN:
+** PRStatus PR_SUCCESS if the lookup succeeds. If it fails
+** the result will be PR_FAILURE and the reason
+** for the failure can be retrieved by PR_GetError().
+** This function is identical to the PR_GetIPNodeByName
+** function but returns additional error codes via
+** PR_GetError() and may return even more in the future.
+***********************************************************************/
+NSPR_API(PRStatus) PR_GetIPNodeByNameExtended(
+ const char *hostname,
+ PRUint16 af,
+ PRIntn flags,
+ char *buf,
+ PRIntn bufsize,
+ PRHostEnt *hostentry);
+
+
+/***********************************************************************
+** FUNCTION:
** DESCRIPTION: PR_GetHostByAddr()
** Lookup a host entry by its network address.
**
@@ -417,6 +489,33 @@
/***********************************************************************
** FUNCTION:
+** DESCRIPTION: PR_GetAddrInfoByNameExtended()
+** Lookup a host by name. Equivalent to getaddrinfo(host, NULL, ...) of
+** RFC 3493.
+**
+** INPUTS:
+** char *hostname Character string defining the host name of interest
+** PRUint16 af May be PR_AF_UNSPEC or PR_AF_INET.
+** PRIntn flags May be either PR_AI_ADDRCONFIG or
+** PR_AI_ADDRCONFIG | PR_AI_NOCANONNAME. Include
+** PR_AI_NOCANONNAME to suppress the determination of
+** the canonical name corresponding to hostname.
+** RETURN:
+** PRAddrInfo* Handle to a data structure containing the results
+** of the host lookup. Use PR_EnumerateAddrInfo to
+** inspect the PRNetAddr values stored in this object.
+** When no longer needed, this handle must be destroyed
+** with a call to PR_FreeAddrInfo. If a lookup error
+** occurs, then NULL will be returned.
+** This function is identical to the PR_GetAddrInfoByNameFB
+** function but returns additional error codes via
+** PR_GetError() and may return even more in the future.
+***********************************************************************/
+NSPR_API(PRAddrInfo*) PR_GetAddrInfoByNameExtended(
+ const char *hostname, PRUint16 af, PRIntn flags, PRUint16 *security_flags);
+
+/***********************************************************************
+** FUNCTION:
** DESCRIPTION: PR_FreeAddrInfo()
** Destroy the PRAddrInfo handle allocated by PR_GetAddrInfoByName().
**
@@ -494,6 +593,15 @@
NSPR_API(PRUint32) PR_htonl(PRUint32);
NSPR_API(PRUint64) PR_htonll(PRUint64);
+/***********************************************************************
+** FUNCTIONS: PR_set_dnssec_validate_policy
+**
+** DESCRIPTION: set the DNS resolution policy
+**
+** XXX
+***********************************************************************/
+NSPR_API(void) PR_set_dnssec_validate_policy(PRInt32);
+
PR_END_EXTERN_C
#endif /* prnetdb_h___ */
--- old-mozilla/netwerk/dns/src/nsHostResolver.cpp.orig 2008-05-08 14:04:48.000000000 -0700
+++ mozilla/netwerk/dns/src/nsHostResolver.cpp 2008-01-09 09:25:07.000000000 -0800
@@ -58,6 +58,7 @@
#include "pratom.h"
#include "prthread.h"
#include "prerror.h"
+#include "prerr.h"
#include "prcvar.h"
#include "prtime.h"
#include "prlong.h"
@@ -154,7 +155,7 @@
// this macro filters out any flags that are not used when constructing the
// host key. the significant flags are those that would affect the resulting
// host record (i.e., the flags that are passed down to PR_GetAddrInfoByName).
-#define RES_KEY_FLAGS(_f) ((_f) & nsHostResolver::RES_CANON_NAME)
+#define RES_KEY_FLAGS(_f) ((_f) & (nsHostResolver::RES_CANON_NAME|nsHostResolver::RES_EXTENDED_ERRS))
nsresult
nsHostRecord::Create(const nsHostKey *key, nsHostRecord **result)
@@ -642,17 +643,49 @@
LOG(("resolving %s ...\n", rec->host));
PRIntn flags = PR_AI_ADDRCONFIG;
+ PRUint16 security_status_flags;
if (!(rec->flags & RES_CANON_NAME))
flags |= PR_AI_NOCANONNAME;
-
- ai = PR_GetAddrInfoByName(rec->host, rec->af, flags);
+
+ if (rec->flags & RES_EXTENDED_ERRS) {
+ ai = PR_GetAddrInfoByNameExtended(rec->host, rec->af, flags,
+ &rec->security_status_flags);
#if defined(RES_RETRY_ON_FAILURE)
- if (!ai && rs.Reset())
+ if (!ai && rs.Reset())
+ ai = PR_GetAddrInfoByNameExtended(rec->host, rec->af, flags,
+ &rec->security_status_flags);
+#endif
+ } else {
ai = PR_GetAddrInfoByName(rec->host, rec->af, flags);
+#if defined(RES_RETRY_ON_FAILURE)
+ if (!ai && rs.Reset())
+ ai = PR_GetAddrInfoByName(rec->host, rec->af, flags);
#endif
+ }
// convert error code to nsresult.
- nsresult status = ai ? NS_OK : NS_ERROR_UNKNOWN_HOST;
+ nsresult status;
+
+ if (!ai) {
+ // handle errors
+ PRErrorCode err = PR_GetError();
+ switch(err) {
+ case PR_DNSSEC_VALIDATION_ERROR:
+ status = NS_ERROR_DNSSEC_VALIDATION_ERROR;
+ break;
+
+ case PR_DNSSEC_DNE_ERROR:
+ status = NS_ERROR_DNSSEC_DNE_ERROR;
+ break;
+
+ default:
+ status = NS_ERROR_UNKNOWN_HOST;
+ break;
+ }
+ } else {
+ status = NS_OK;
+ }
+
resolver->OnLookupComplete(rec, status, ai);
}
NS_RELEASE(resolver);
--- old-mozilla/netwerk/dns/src/nsHostResolver.h.orig 2008-05-20 13:22:26.000000000 -0700
+++ mozilla/netwerk/dns/src/nsHostResolver.h 2008-05-20 14:59:36.000000000 -0700
@@ -108,9 +108,21 @@
int addr_info_gencnt; /* generation count of |addr_info| */
PRNetAddr *addr;
PRUint32 expiration; /* measured in minutes since epoch */
+ PRUint16 security_status_flags; /* DNSSEC information (bitmask) */
PRBool HasResult() const { return addr_info || addr; }
+ /* These MUST match the similar PR_ values in prnetdb.h */
+ enum {
+ /* Set in security_status if the answer was trusted due to
+ policy, regardless of whether validation was done or succeeded */
+ DNSSEC_IS_TRUSTED = 1 << 0,
+ /* Set in security_status if the answer was validated
+ cryptographically to a trust anchor */
+ DNSSEC_IS_VALIDATED = 1 << 1
+ };
+
+
private:
friend class nsHostResolver;
--- old-mozilla/netwerk/dns/public/nsIDNSService.idl.orig 2008-05-08 14:04:48.000000000 -0700
+++ mozilla/netwerk/dns/public/nsIDNSService.idl 2008-01-09 09:25:07.000000000 -0800
@@ -107,4 +107,9 @@
* if set, the canonical name of the specified host will be queried.
*/
const unsigned long RESOLVE_CANONICAL_NAME = (1 << 1);
+
+ /**
+ * if set, the canonical name of the specified host will be queried.
+ */
+ const unsigned long RESOLVE_EXTENDED_ERRS = (1 << 2);
};
--- old-mozilla/netwerk/dns/public/nsIDNSRecord.idl.orig 2008-05-08 14:04:48.000000000 -0700
+++ mozilla/netwerk/dns/public/nsIDNSRecord.idl 2008-01-09 09:25:07.000000000 -0800
@@ -88,4 +88,14 @@
* address in the record.
*/
void rewind();
+
+ /**
+ * True if policy said this result could be trusted.
+ */
+ boolean isTrusted();
+
+ /**
+ * True if the result was cryptographically validated
+ */
+ boolean isValidated();
};
--- old-mozilla/netwerk/base/src/nsSocketTransport2.cpp.orig 2008-05-20 13:22:26.000000000 -0700
+++ mozilla/netwerk/base/src/nsSocketTransport2.cpp 2008-05-20 15:07:12.000000000 -0700
@@ -70,6 +70,8 @@
#include "nsIPipe.h"
#include "nsIProgrammingLanguage.h"
#include "nsIClassInfoImpl.h"
+#include "nsIDNSService.h"
+#include "nsISupportsPrimitives.h"
#if defined(XP_WIN)
#include "nsNativeConnectionHelper.h"
@@ -1418,7 +1420,9 @@
// For SOCKS proxies (mProxyTransparent == true), the socket
// transport resolves the real host here, so there's no fixup
// (see bug 226943).
- if ((status == NS_ERROR_UNKNOWN_HOST) && !mProxyTransparent &&
+ if ((status == NS_ERROR_UNKNOWN_HOST ||
+ status == NS_ERROR_DNSSEC_VALIDATION_ERROR ||
+ status == NS_ERROR_DNSSEC_DNE_ERROR) && !mProxyTransparent &&
!mProxyHost.IsEmpty())
mCondition = NS_ERROR_UNKNOWN_PROXY_HOST;
else
@@ -1426,6 +1430,38 @@
}
else if (mState == STATE_RESOLVING)
mCondition = InitiateSocket();
+
+
+ if (!mObserverService)
+ mObserverService = do_GetService("@mozilla.org/observer-service;1");
+ if (mObserverService) {
+ char *topic = "";
+ if (!NS_FAILED(status)) {
+ PRBool valflag;
+ PRBool trustflag;
+
+ mDNSRecord->IsValidated(&valflag);
+ mDNSRecord->IsTrusted(&trustflag);
+ if (valflag && trustflag) {
+ topic = MSG_DNSSEC_BOTH_TOPIC;
+ } else if (valflag) {
+ topic = MSG_DNSSEC_VALIDATED_TOPIC;
+ } else if (trustflag) {
+ topic = MSG_DNSSEC_TRUSTED_TOPIC;
+ } else {
+ topic = MSG_DNSSEC_NEITHER_TOPIC;
+ }
+ } else {
+ topic = MSG_DNSSEC_NEITHER_TOPIC;
+ }
+ LOG((" DNS Validator sending: %s\n", topic));
+ mObserverService->NotifyObservers(nsnull,
+ topic,
+ ToNewUnicode(SocketHost()));
+ // ObserverService.NotifyObservers(null, topic, "");
+ } else {
+ LOG((" failure to obtain observer service\n"));
+ }
break;
case MSG_RETRY_INIT_SOCKET:
--- old-mozilla/netwerk/base/src/nsSocketTransport2.h.orig 2008-05-20 13:22:26.000000000 -0700
+++ mozilla/netwerk/base/src/nsSocketTransport2.h 2008-05-20 15:08:06.000000000 -0700
@@ -55,6 +55,7 @@
#include "nsIDNSRecord.h"
#include "nsICancelable.h"
#include "nsIClassInfo.h"
+#include "nsIObserverService.h"
class nsSocketTransport;
--- old-mozilla/netwerk/dns/src/nsDNSService2.cpp.orig 2008-05-20 13:22:26.000000000 -0700
+++ mozilla/netwerk/dns/src/nsDNSService2.cpp 2008-05-20 13:43:06.000000000 -0700
@@ -127,6 +127,23 @@
}
NS_IMETHODIMP
+nsDNSRecord::IsTrusted(PRBool *result)
+{
+ *result = (mHostRecord->security_status_flags &
+ nsHostRecord::DNSSEC_IS_TRUSTED) ? PR_TRUE : PR_FALSE;
+ return NS_OK;
+
+}
+
+NS_IMETHODIMP
+nsDNSRecord::IsValidated(PRBool *result)
+{
+ *result = (mHostRecord->security_status_flags &
+ nsHostRecord::DNSSEC_IS_VALIDATED) ? PR_TRUE : PR_FALSE;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
nsDNSRecord::GetNextAddr(PRUint16 port, PRNetAddr *addr)
{
// not a programming error to poke the DNS record when it has no more
@@ -158,6 +175,7 @@
// Both mHostRecord->addr_info and mHostRecord->addr are null.
// This can happen if mHostRecord->addr_info expired and the
// attempt to reresolve it failed.
+ mDone = !mIter;
return NS_ERROR_NOT_AVAILABLE;
}
memcpy(addr, mHostRecord->addr, sizeof(PRNetAddr));
--- old-mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp.orig 2008-05-20 13:22:26.000000000 -0700
+++ mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp 2008-05-20 15:08:28.000000000 -0700
@@ -76,6 +76,7 @@
#include "nsIOService.h"
#include "nsAuthInformationHolder.h"
#include "nsICacheService.h"
+#include "nsIDNSService.h"
// True if the local cache should be bypassed when processing a request.
#define BYPASS_LOCAL_CACHE(loadFlags) \
--- old-mozilla/docshell/base/nsWebShell.cpp.orig 2008-05-08 14:04:48.000000000 -0700
+++ mozilla/docshell/base/nsWebShell.cpp 2008-01-09 09:25:07.000000000 -0800
@@ -837,6 +837,8 @@
// Errors to be shown only on top-level frames
if ((aStatus == NS_ERROR_UNKNOWN_HOST ||
+ aStatus == NS_ERROR_DNSSEC_VALIDATION_ERROR ||
+ aStatus == NS_ERROR_DNSSEC_DNE_ERROR ||
aStatus == NS_ERROR_CONNECTION_REFUSED ||
aStatus == NS_ERROR_UNKNOWN_PROXY_HOST ||
aStatus == NS_ERROR_PROXY_CONNECTION_REFUSED) &&
--- old-mozilla/netwerk/base/src/nsPACMan.cpp.orig 2008-05-20 13:22:26.000000000 -0700
+++ mozilla/netwerk/base/src/nsPACMan.cpp 2008-05-20 15:09:28.000000000 -0700
@@ -119,7 +119,8 @@
if (NS_FAILED(rv))
return rv;
- rv = dns->AsyncResolve(host, 0, this, NS_GetCurrentThread(),
+ rv = dns->AsyncResolve(host, nsIDNSService::RESOLVE_EXTENDED_ERRS,
+ this, NS_GetCurrentThread(),
getter_AddRefs(mDNSRequest));
if (NS_FAILED(rv))
NS_WARNING("DNS AsyncResolve failed");
--- old-mozilla/docshell/resources/content/netError.xhtml.orig 2008-05-08 14:04:48.000000000 -0700
+++ mozilla/docshell/resources/content/netError.xhtml 2008-01-09 09:25:07.000000000 -0800
@@ -150,6 +150,8 @@
<div id="errorContainer">
<div id="errorTitlesContainer">
<h1 id="et_generic">&generic.title;</h1>
+ <h1 id="et_dnsDNSSECValidationError">&dnsDNSSECValidationError.title;</h1>
+ <h1 id="et_dnsDNSSECDNEError">&dnsDNSSECDNEError.title;</h1>
<h1 id="et_dnsNotFound">&dnsNotFound.title;</h1>
<h1 id="et_fileNotFound">&fileNotFound.title;</h1>
<h1 id="et_malformedURI">&malformedURI.title;</h1>
@@ -168,6 +170,8 @@
<div id="errorDescriptionsContainer">
<div id="ed_generic">&generic.longDesc;</div>
<div id="ed_dnsNotFound">&dnsNotFound.longDesc;</div>
+ <div id="ed_dnsDNSSECValidationError">&dnsDNSSECValidationError.longDesc;</div>
+ <div id="ed_dnsDNSSECDNEError">&dnsDNSSECDNEError.longDesc;</div>
<div id="ed_fileNotFound">&fileNotFound.longDesc;</div>
<div id="ed_malformedURI">&malformedURI.longDesc;</div>
<div id="ed_protocolNotFound">&protocolNotFound.longDesc;</div>
--- old-mozilla/dom/locales/en-US/chrome/appstrings.properties.orig 2008-05-08 14:04:48.000000000 -0700
+++ mozilla/dom/locales/en-US/chrome/appstrings.properties 2008-01-09 09:25:07.000000000 -0800
@@ -37,6 +37,8 @@
malformedURI=The URL is not valid and cannot be loaded.
fileNotFound=The file %S cannot be found. Please check the location and try again.
dnsNotFound=%S could not be found. Please check the name and try again.
+dnsDNSSECValidationError=%S failed its DNSSEC security check validation. Please contact a security or system administrator for help.
+dnsDNSSECDNEError=%S does not exist within the DNS. Please check the name and try again.
protocolNotFound=%S is not a registered protocol.
connectionFailure=The connection was refused when attempting to contact %S.
netInterrupt=The connection to %S has terminated unexpectedly. Some data may have been transferred.
--- old-mozilla/nsprpub/pr/src/misc/prerr.c.orig 2008-05-20 13:22:26.000000000 -0700
+++ mozilla/nsprpub/pr/src/misc/prerr.c 2008-05-20 15:17:01.000000000 -0700
@@ -118,11 +118,13 @@
{"PR_HOST_UNREACHABLE_ERROR", "Host is unreachable"},
{"PR_LIBRARY_NOT_LOADED_ERROR", "The library is not loaded"},
{"PR_CALL_ONCE_ERROR", "The one-time function was previously called and failed. Its error code is no longer available"},
+ {"PR_DNSSEC_VALIDATION_ERROR", "The DNS record failed DNSSEC validation"},
+ {"PR_DNSSEC_DNE_ERROR", "The DNS record does not exist"},
{"PR_MAX_ERROR", "Placeholder for the end of the list"},
{0, 0}
};
-static const struct PRErrorTable et = { text, "prerr", -6000L, 77 };
+static const struct PRErrorTable et = { text, "prerr", -6000L, 79 };
void nspr_InitializePRErrorTable(void) {
PR_ErrorInstallTable(&et);
--- old-mozilla/nsprpub/pr/include/prerr.h.orig 2008-05-20 13:22:26.000000000 -0700
+++ mozilla/nsprpub/pr/include/prerr.h 2008-05-20 15:17:31.000000000 -0700
@@ -272,6 +272,12 @@
/* The one-time function was previously called and failed. Its error code is no longer available */
#define PR_CALL_ONCE_ERROR (-5925L)
+/* The DNS record failed DNSSEC validation */
+#define PR_DNSSEC_VALIDATION_ERROR (-5925L)
+
+/* The DNS record failed DNSSEC validation */
+#define PR_DNSSEC_DNE_ERROR (-5924L)
+
/* Placeholder for the end of the list */
#define PR_MAX_ERROR (-5924L)
--- old-mozilla/nsprpub/pr/src/misc/prerr.et.orig 2008-05-20 13:22:26.000000000 -0700
+++ mozilla/nsprpub/pr/src/misc/prerr.et 2008-05-20 15:17:55.000000000 -0700
@@ -134,6 +134,8 @@
ec PR_HOST_UNREACHABLE_ERROR, "Host is unreachable"
ec PR_LIBRARY_NOT_LOADED_ERROR, "The library is not loaded"
ec PR_CALL_ONCE_ERROR, "The one-time function was previously called and failed. Its error code is no longer available"
+ec PR_DNSSEC_VALIDATION_ERROR, "The DNS record failed DNSSEC validation"
+ec PR_DNSSEC_DNE_ERROR, "The DNS record does not exist"
ec PR_MAX_ERROR, "Placeholder for the end of the list"
--- old-mozilla/nsprpub/pr/src/misc/prerr.properties.orig 2008-05-20 13:22:26.000000000 -0700
+++ mozilla/nsprpub/pr/src/misc/prerr.properties 2008-05-20 15:18:17.000000000 -0700
@@ -114,4 +114,6 @@
PR_HOST_UNREACHABLE_ERROR=Host is unreachable
PR_LIBRARY_NOT_LOADED_ERROR=The library is not loaded
PR_CALL_ONCE_ERROR=The one-time function was previously called and failed. Its error code is no longer available
+PR_DNSSEC_VALIDATION_ERROR=The DNS record failed DNSSEC validation
+PR_DNSSEC_DNE_ERROR=The DNS record does not exist
PR_MAX_ERROR=Placeholder for the end of the list
--- old-mozilla/docshell/base/nsDocShell.cpp.orig 2008-05-20 16:25:56.000000000 -0700
+++ mozilla/docshell/base/nsDocShell.cpp 2008-05-20 16:28:50.000000000 -0700
@@ -2986,6 +2986,24 @@
formatStrCount = 1;
error.AssignLiteral("dnsNotFound");
}
+ else if (NS_ERROR_DNSSEC_VALIDATION_ERROR == aError) {
+ NS_ENSURE_ARG_POINTER(aURI);
+ // Get the host
+ nsCAutoString host;
+ aURI->GetHost(host);
+ CopyUTF8toUTF16(host, formatStrs[0]);
+ formatStrCount = 1;
+ error.Assign(NS_LITERAL_STRING("dnsDNSSECValidationError"));
+ }
+ else if (NS_ERROR_DNSSEC_DNE_ERROR == aError) {
+ NS_ENSURE_ARG_POINTER(aURI);
+ // Get the host
+ nsCAutoString host;
+ aURI->GetHost(host);
+ CopyUTF8toUTF16(host, formatStrs[0]);
+ formatStrCount = 1;
+ error.Assign(NS_LITERAL_STRING("dnsDNSSECDNEError"));
+ }
else if(NS_ERROR_CONNECTION_REFUSED == aError) {
NS_ENSURE_ARG_POINTER(aURI);
addHostPort = PR_TRUE;
--- old-mozilla/netwerk/base/public/nsNetError.h.orig 2008-05-08 14:04:49.000000000 -0700
+++ mozilla/netwerk/base/public/nsNetError.h 2008-01-09 09:25:07.000000000 -0800
@@ -259,6 +259,12 @@
#define NS_ERROR_UNKNOWN_HOST \
NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_NETWORK, 30)
+#define NS_ERROR_DNSSEC_VALIDATION_ERROR \
+ NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_NETWORK, 31)
+
+#define NS_ERROR_DNSSEC_DNE_ERROR \
+ NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_NETWORK, 32)
+
/**
* The lookup of a proxy hostname failed.
*
--- old-mozilla/dom/locales/en-US/chrome/netError.dtd.orig 2008-05-08 14:04:49.000000000 -0700
+++ mozilla/dom/locales/en-US/chrome/netError.dtd 2008-01-09 09:25:07.000000000 -0800
@@ -12,6 +12,12 @@
<!ENTITY dnsNotFound.title "Address Not Found">
<!ENTITY dnsNotFound.longDesc "<p>The browser could not find the host server for the provided address.</p><ul><li>Did you make a mistake when typing the domain? (e.g. <q><strong>ww</strong>.mozilla.org</q> instead of <q><strong>www</strong>.mozilla.org</q>)</li><li>Are you certain this domain address exists? Its registration may have expired.</li><li>Are you unable to browse other sites? Check your network connection and DNS server settings.</li><li>Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.</li></ul>">
+<!ENTITY dnsDNSSECValidationError.title "DNSSEC Validation Error">
+<!ENTITY dnsDNSSECValidationError.longDesc "The address (URL) failed its DNSSEC security check validation. Please contact a system administrator for help.">
+
+<!ENTITY dnsDNSSECDNEError.title "Server Does Not Exist">
+<!ENTITY dnsDNSSECDNEError.longDesc "<p>The browser verified that there is no server for the provided address.</p><ul><li>Did you make a mistake when typing the domain? (e.g. <q><strong>ww</strong>.mozilla.org</q> instead of <q><strong>www</strong>.mozilla.org</q>)</li><li>This domain address does not exist. Are you sure it is supposed to? Maybe it used to but it no longer does?</li></ul>">
+
<!ENTITY fileNotFound.title "File Not Found">
<!ENTITY fileNotFound.longDesc "<ul><li>Could the item have been renamed, removed, or relocated?</li><li>Is there a spelling, capitalization, or other typographical error in the address?</li><li>Do you have sufficient access permissions to the requested item?</li></ul>">
--- old-mozilla/config/autoconf.mk.in.orig 2008-05-20 13:22:26.000000000 -0700
+++ mozilla/config/autoconf.mk.in 2008-05-20 13:18:15.000000000 -0700
@@ -277,7 +277,7 @@
OS_COMPILE_CXXFLAGS = $(OS_CPPFLAGS) @COMPILE_CXXFLAGS@
OS_INCLUDES = $(NSPR_CFLAGS) $(JPEG_CFLAGS) $(PNG_CFLAGS) $(ZLIB_CFLAGS) $(LCMS_CFLAGS)
-OS_LIBS = @LIBS@
+OS_LIBS = @VAL_LIBS@ @LIBS@
ACDEFINES = @MOZ_DEFINES@
WARNINGS_AS_ERRORS = @WARNINGS_AS_ERRORS@
@@ -522,6 +522,9 @@
MOZ_PANGO_CFLAGS = @MOZ_PANGO_CFLAGS@
MOZ_PANGO_LIBS = @MOZ_PANGO_LIBS@
+VALIDAT_LIBS = @VALIDAT_LIBS@
+SYSTEM_VALIDAT = @SYSTEM
+
MOZ_XIE_LIBS = @MOZ_XIE_LIBS@
XT_LIBS = @XT_LIBS@
--- old-mozilla/configure.in.orig 2008-05-20 13:22:26.000000000 -0700
+++ mozilla/configure.in 2008-05-20 14:57:23.000000000 -0700
@@ -2966,6 +2966,53 @@
;;
esac
+dnl Check for libval, the DNSSEC validation library
+dnl ========================================================
+AC_ARG_WITH(system-val,
+[ --with-system-val[=PFX]
+ Use system libval [installed at prefix PFX]],
+ VAL_DIR=$withval)
+
+AC_ARG_WITH(system-sres,
+[ --with-system-sres[=PFX]
+ Use system libsres [installed at prefix PFX]],
+ SRES_DIR=$withval)
+
+AC_ARG_WITH(system-openssl,
+[ --with-system-openssl[=PFX]
+ Use system openssl libraries [installed at prefix PFX]],
+ OPENSSL_DIR=$withval)
+
+_SAVE_CFLAGS=$CFLAGS
+_SAVE_LDFLAGS=$LDFLAGS
+_SAVE_LIBS=$LIBS
+
+if test -n "${OPENSSL_DIR}"; then
+ CFLAGS="-I${OPENSSL_DIR}/include $CFLAGS"
+ LDFLAGS="-L${OPENSSL_DIR}/lib $LDFLAGS"
+fi
+if test -n "${VAL_DIR}"; then
+ CFLAGS="-I${VAL_DIR}/include $CFLAGS"
+ LDFLAGS="-L${VAL_DIR}/lib $LDFLAGS"
+fi
+if test -n "${SRES_DIR}"; then
+ CFLAGS="-I${SRES_DIR}/include $CFLAGS"
+ LDFLAGS="-L${SRES_DIR}/lib $LDFLAGS"
+fi
+AC_CHECK_LIB(crypto, EVP_md5, OPENSSL_LIBS="-lcrypto", OPENSSL_LIBS="")
+AC_CHECK_LIB(sres, __res_init, SRES_LIBS=" -lpthread -lsres", SRES_LIBS="",
+ $OPENSSL_LIBS -lpthread)
+AC_CHECK_LIB(val-threads, val_gethostbyname,
+ [SYSTEM_VAL=1
+ VAL_LIBS="-lval-threads $VAL_LIBS $SRES_LIBS $OPENSSL_LIBS"
+ NSPR_LIBS="$NSPR_LIBS $VAL_LIBS $SRES_LIBS $OPENSSL_LIBS"
+ AC_DEFINE(MOZ_DNSSEC)], SYSTEM_VAL=,
+ $SRES_LIBS $OPENSSL_LIBS)
+
+CFLAGS=$_SAVE_CFLAGS
+LDFLAGS=$_SAVE_LDFLAGS
+LIBS=$_SAVE_LIBS
+
dnl We don't want to link with libdl even if it's present on OS X, since
dnl it's not used and not part of the default installation.
dnl The same goes for BeOS.
@@ -7885,6 +7932,7 @@
AC_SUBST(MOZ_CRASHREPORTER)
AC_SUBST(MOZ_MOCHITEST)
+AC_SUBST(VAL_LIBS)
AC_SUBST(ENABLE_STRIP)
AC_SUBST(PKG_SKIP_STRIP)
AC_SUBST(USE_ELF_DYNSTR_GC)
--- old-mozilla/nsprpub/pr/src/misc/prnetdb.c.orig 2008-05-20 16:29:00.000000000 -0700
+++ mozilla/nsprpub/pr/src/misc/prnetdb.c 2008-05-20 16:29:00.000000000 -0700
@@ -2133,11 +2133,18 @@
* provide getaddrinfo in all versions that NSPR cares to support.
*/
-#if defined(_PR_HAVE_GETADDRINFO)
+#ifdef MOZ_DNSSEC
+#define GETADDRINFO(a,b,c,d) val_getaddrinfo(NULL, a, b, c, d, &val_status)
+#define FREEADDRINFO val_freeaddrinfo
+typedef struct addrinfo PRADDRINFO;
+typedef struct val_addrinfo DNSSECPRADDRINFO;
+
+#elif defined(_PR_HAVE_GETADDRINFO)
#if defined(_PR_INET6)
typedef struct addrinfo PRADDRINFO;
+typedef struct addrinfo DNSSECPRADDRINFO;
#define GETADDRINFO getaddrinfo
#define FREEADDRINFO freeaddrinfo
#define GETNAMEINFO getnameinfo
@@ -2145,6 +2152,7 @@
#elif defined(_PR_INET6_PROBE)
typedef struct addrinfo PRADDRINFO;
+typedef struct addrinfo DNSSECPRADDRINFO;
/* getaddrinfo/freeaddrinfo/getnameinfo prototypes */
#if defined(WIN32)
@@ -2238,8 +2246,6 @@
#endif
}
-#define GETADDRINFO (*_pr_getaddrinfo)
-#define FREEADDRINFO (*_pr_freeaddrinfo)
#define GETNAMEINFO (*_pr_getnameinfo)
#endif /* _PR_INET6 */
@@ -2265,46 +2271,60 @@
{
PRStatus rv;
PRAddrInfoFB *ai;
+ DNSSECFUNDEBUG((stderr, "input=%s", hostname));
/* fallback on PR_GetHostByName */
ai = PR_NEW(PRAddrInfoFB);
if (!ai) {
PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
return NULL;
}
+ DNSSECDEBUG((stderr, "DNSSECgethostbyname: %d %s\n", __LINE__, hostname));
rv = PR_GetHostByName(hostname, ai->buf, sizeof ai->buf, &ai->hostent);
if (rv == PR_FAILURE) {
PR_Free(ai);
+ DNSSECFUNRETURN(NULL);
return NULL;
}
ai->has_cname = !(flags & PR_AI_NOCANONNAME);
- return (PRAddrInfo *) ai;
+ DNSSECFUNRETURN((PRAddrInfo *) ai);
}
#endif /* !_PR_HAVE_GETADDRINFO || _PR_INET6_PROBE */
PR_IMPLEMENT(PRAddrInfo *) PR_GetAddrInfoByName(const char *hostname,
PRUint16 af,
- PRIntn flags)
+ PRIntn flags,
+ PRUint16 *security_flags)
{
+#ifdef MOZ_DNSSEC
+ val_status_t val_status;
+#endif
+ DNSSECFUNDEBUG((stderr, "input=%s\n", hostname));
+
+ /* wipe the security flags */
+ if (security_flags)
+ *security_flags = PR_DNSSEC_NO_FLAGS;
+
/* restrict input to supported values */
if ((af != PR_AF_INET && af != PR_AF_UNSPEC) ||
(flags & ~ PR_AI_NOCANONNAME) != PR_AI_ADDRCONFIG) {
PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
- return NULL;
+ DNSSECFUNRETURN(NULL);
}
if (!_pr_initialized) _PR_ImplicitInitialization();
#if !defined(_PR_HAVE_GETADDRINFO)
- return pr_GetAddrInfoByNameFB(hostname, af, flags);
+ DNSSECFUNRETURN(pr_GetAddrInfoByNameFB(hostname, af, flags));
#else
#if defined(_PR_INET6_PROBE)
if (!_pr_ipv6_is_present()) {
- return pr_GetAddrInfoByNameFB(hostname, af, flags);
+ DNSSECFUNRETURN(pr_GetAddrInfoByNameFB(hostname, af, flags));
}
#endif
{
- PRADDRINFO *res, hints;
+ PRADDRINFO hints;
+ PRADDRINFO *res;
PRStatus rv;
/*
@@ -2327,18 +2347,73 @@
hints.ai_socktype = SOCK_STREAM;
rv = GETADDRINFO(hostname, NULL, &hints, &res);
- if (rv == 0)
- return (PRAddrInfo *) res;
+ if (rv == EAI_AGAIN) {
+ /* temporary failure... odd... try again? */
+ PR_Sleep(1000);
+ DNSSECDEBUG((stderr, "DNSSECgetaddrinfo reted/trying again: %d %d\n", rv, (unsigned int) res));
+ rv = GETADDRINFO(hostname, NULL, &hints, &res);
+ }
+ DNSSECDEBUG((stderr, "DNSSECgetaddrinfo returned: %d\n", (unsigned int) res));
+
+#ifdef MOZ_DNSSEC
+ if (dnssec_check_policy(val_status, global_policy) != DNSSEC_SUCCESS){
+ /* DNSsec validation failed */
+ PR_SetErrorText(0, "Host DNSsec validation failed");
+ PR_SetError(PR_DNSSEC_VALIDATION_ERROR, 0);
+ DNSSECDEBUG((stderr, "DNSSECgetaddrinfo: returning failure line:%d %s => val_status:%d\n", __LINE__, hostname, val_status));
+ if(res)
+ val_freeaddrinfo(res);
+ DNSSECFUNRETURN(NULL);
+ }
+
+ if (!res && val_status == VAL_VALIDATED_ANSWER) {
+ /* DNSSEC has proven that the record does not exist; we
+ return a different error message to show that the lookup
+ succeeded and there is officially no results */
+ PR_SetErrorText(0, "Address does not exist");
+ PR_SetError(PR_DNSSEC_DNE_ERROR, 0);
+ DNSSECDEBUG((stderr, "DNSSECgetaddrinfo: returning DNE failure:%d %s => val_status:%d\n", __LINE__, hostname, val_status));
+ DNSSECFUNRETURN(NULL);
+ }
+
+ /* set the security flags to how the results were achieved */
+ if (security_flags) {
+ if (val_isvalidated(val_status))
+ *security_flags |= PR_DNSSEC_IS_VALIDATED;
+
+ if (val_istrusted(val_status))
+ *security_flags |= PR_DNSSEC_IS_TRUSTED;
+ }
+#endif
+
+ if (rv == 0) {
+ DNSSECFUNRETURN((PRAddrInfo *) res);
+ }
+
+ DNSSECDEBUG((stderr, "DNSSECgetaddrinfo failed: %d\n", rv));
PR_SetError(PR_DIRECTORY_LOOKUP_ERROR, rv);
}
- return NULL;
+ DNSSECFUNRETURN(NULL);
#endif
}
+PR_IMPLEMENT(PRAddrInfo *) PR_GetAddrInfoByName(const char *hostname,
+ PRUint16 af,
+ PRIntn flags)
+{
+ struct PRAddrInfo *result;
+ DNSSECFUNDEBUG((stderr, "input=%s\n", hostname));
+ result = PR_GetAddrInfoByNameExtended(hostname, af, flags, NULL);
+ simplify_return_value();
+ DNSSECFUNRETURN(result);
+}
+
PR_IMPLEMENT(void) PR_FreeAddrInfo(PRAddrInfo *ai)
{
-#if defined(_PR_HAVE_GETADDRINFO)
+#if defined(MOZ_DNSSEC)
+ FREEADDRINFO((DNSSECPRADDRINFO *) ai);
+#elif defined(_PR_HAVE_GETADDRINFO)
#if defined(_PR_INET6_PROBE)
if (!_pr_ipv6_is_present())
PR_Free((PRAddrInfoFB *) ai);
@@ -2355,9 +2430,9 @@
PRUint16 port,
PRNetAddr *result)
{
-#if defined(_PR_HAVE_GETADDRINFO)
- PRADDRINFO *ai;
-#if defined(_PR_INET6_PROBE)
+#if defined(_PR_HAVE_GETADDRINFO) || defined(MOZ_DNSSEC)
+ DNSSECPRADDRINFO *ai;
+#if defined(_PR_INET6_PROBE) && !defined(MOZ_DNSSEC)
if (!_pr_ipv6_is_present()) {
/* using PRAddrInfoFB */
PRIntn iter = (PRIntn)(PRPtrdiff) iterPtr;
@@ -2369,9 +2444,9 @@
#endif
if (iterPtr)
- ai = ((PRADDRINFO *) iterPtr)->ai_next;
+ ai = ((DNSSECPRADDRINFO *) iterPtr)->ai_next;
else
- ai = (PRADDRINFO *) base;
+ ai = (DNSSECPRADDRINFO *) base;
while (ai && ai->ai_addrlen > sizeof(PRNetAddr))
ai = ai->ai_next;
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
ccd6d20295ff28f0d90115b0394355f1
>
files
>
32
