diff --git a/accessible/src/windows/ia2/ia2AccessibleHyperlink.cpp b/accessible/src/windows/ia2/ia2AccessibleHyperlink.cpp index 173857261c2..fe2af824333 100644 --- a/accessible/src/windows/ia2/ia2AccessibleHyperlink.cpp +++ b/accessible/src/windows/ia2/ia2AccessibleHyperlink.cpp @@ -11,6 +11,7 @@ #include "AccessibleWrap.h" #include "IUnknownImpl.h" +#include "nsIURI.h" using namespace mozilla::a11y; diff --git a/b2g/installer/package-manifest.in b/b2g/installer/package-manifest.in index 08a44acdff0..8b03419aef1 100644 --- a/b2g/installer/package-manifest.in +++ b/b2g/installer/package-manifest.in @@ -196,7 +196,6 @@ @BINPATH@/components/dom_offline.xpt @BINPATH@/components/dom_payment.xpt @BINPATH@/components/dom_json.xpt -@BINPATH@/components/dom_browserelement.xpt @BINPATH@/components/dom_messages.xpt @BINPATH@/components/dom_power.xpt @BINPATH@/components/dom_quota.xpt diff --git a/browser/components/nsBrowserGlue.js b/browser/components/nsBrowserGlue.js index 0cd1aa3ecd2..731b0c72f7f 100644 --- a/browser/components/nsBrowserGlue.js +++ b/browser/components/nsBrowserGlue.js @@ -1733,16 +1733,21 @@ ContentPermissionPrompt.prototype = { QueryInterface: XPCOMUtils.generateQI([Ci.nsIContentPermissionPrompt]), - _getChromeWindow: function CPP_getChromeWindow(aWindow) { - var chromeWin = aWindow - .QueryInterface(Ci.nsIInterfaceRequestor) - .getInterface(Ci.nsIWebNavigation) - .QueryInterface(Ci.nsIDocShellTreeItem) - .rootTreeItem - .QueryInterface(Ci.nsIInterfaceRequestor) - .getInterface(Ci.nsIDOMWindow) - .QueryInterface(Ci.nsIDOMChromeWindow); - return chromeWin; + _getBrowserForRequest: function (aRequest) { + var browser; + try { + // "element" is only defined in e10s mode, otherwise it throws. + browser = aRequest.element; + } catch (e) {} + if (!browser) { + var requestingWindow = aRequest.window.top; + // find the requesting browser or iframe + browser = requestingWindow.QueryInterface(Ci.nsIInterfaceRequestor) + .getInterface(Ci.nsIWebNavigation) + .QueryInterface(Ci.nsIDocShell) + .chromeEventHandler; + } + return browser; }, /** @@ -1767,19 +1772,7 @@ ContentPermissionPrompt.prototype = { var browserBundle = Services.strings.createBundle("chrome://browser/locale/browser.properties"); - var browser; - try { - // "element" is only defined in e10s mode, otherwise it throws. - browser = aRequest.element; - } catch (e) {} - if (!browser) { - var requestingWindow = aRequest.window.top; - // find the requesting browser or iframe - browser = requestingWindow.QueryInterface(Ci.nsIInterfaceRequestor) - .getInterface(Ci.nsIWebNavigation) - .QueryInterface(Ci.nsIDocShell) - .chromeEventHandler; - } + var browser = this._getBrowserForRequest(aRequest); var chromeWin = browser.ownerDocument.defaultView; var requestPrincipal = aRequest.principal; @@ -1896,8 +1889,7 @@ ContentPermissionPrompt.prototype = { }); } - var requestingWindow = aRequest.window.top; - var chromeWin = this._getChromeWindow(requestingWindow).wrappedJSObject; + var chromeWin = this._getBrowserForRequest(aRequest).ownerDocument.defaultView; var link = chromeWin.document.getElementById("geolocation-learnmore-link"); link.value = browserBundle.GetStringFromName("geolocation.learnMore"); link.href = Services.urlFormatter.formatURLPref("browser.geolocation.warning.infoURL"); diff --git a/browser/config/mozconfigs/win64/beta b/browser/config/mozconfigs/win64/beta new file mode 100644 index 00000000000..d3b072d6420 --- /dev/null +++ b/browser/config/mozconfigs/win64/beta @@ -0,0 +1,7 @@ +. "$topsrcdir/browser/config/mozconfigs/win64/common-opt" + +mk_add_options MOZ_PGO=1 + +ac_add_options --enable-official-branding + +. "$topsrcdir/build/mozconfig.common.override" diff --git a/browser/config/mozconfigs/win64/common-opt b/browser/config/mozconfigs/win64/common-opt new file mode 100644 index 00000000000..743bc703b2b --- /dev/null +++ b/browser/config/mozconfigs/win64/common-opt @@ -0,0 +1,20 @@ +# This file is sourced by the nightly, beta, and release mozconfigs. + +. "$topsrcdir/browser/config/mozconfigs/common" + +ac_add_options --enable-update-channel=${MOZ_UPDATE_CHANNEL} +ac_add_options --enable-update-packaging +ac_add_options --enable-jemalloc +ac_add_options --with-google-api-keyfile=/e/builds/gapi.data + +# Needed to enable breakpad in application.ini +export MOZILLA_OFFICIAL=1 + +export MOZ_TELEMETRY_REPORTING=1 + +if test -z "${_PYMAKE}"; then + mk_add_options MOZ_MAKE_FLAGS=-j1 +fi + +# Package js shell. +export MOZ_PACKAGE_JSSHELL=1 diff --git a/browser/config/mozconfigs/win64/common-win64 b/browser/config/mozconfigs/win64/common-win64 new file mode 100644 index 00000000000..8f167cad1c5 --- /dev/null +++ b/browser/config/mozconfigs/win64/common-win64 @@ -0,0 +1,5 @@ +# This file is used by all Win64 builds + +ac_add_options --target=x86_64-pc-mingw32 +ac_add_options --host=x86_64-pc-mingw32 + diff --git a/browser/config/mozconfigs/win64/nightly b/browser/config/mozconfigs/win64/nightly index cefa49b037b..1fd63d92f2d 100644 --- a/browser/config/mozconfigs/win64/nightly +++ b/browser/config/mozconfigs/win64/nightly @@ -1,11 +1,6 @@ -. "$topsrcdir/browser/config/mozconfigs/common" +. "$topsrcdir/browser/config/mozconfigs/win64/common-win64" +. "$topsrcdir/browser/config/mozconfigs/win64/common-opt" -ac_add_options --target=x86_64-pc-mingw32 -ac_add_options --host=x86_64-pc-mingw32 - -ac_add_options --enable-update-channel=${MOZ_UPDATE_CHANNEL} -ac_add_options --enable-update-packaging -ac_add_options --enable-jemalloc ac_add_options --enable-signmar ac_add_options --enable-profiling ac_add_options --enable-metro @@ -13,18 +8,6 @@ ac_add_options --enable-metro # Nightlies only since this has a cost in performance ac_add_options --enable-js-diagnostics -# Needed to enable breakpad in application.ini -export MOZILLA_OFFICIAL=1 - -export MOZ_TELEMETRY_REPORTING=1 - -if test -z "${_PYMAKE}"; then - mk_add_options MOZ_MAKE_FLAGS=-j1 -fi - -# Package js shell. -export MOZ_PACKAGE_JSSHELL=1 - . $topsrcdir/build/win64/mozconfig.vs2010 . "$topsrcdir/build/mozconfig.common.override" diff --git a/browser/config/mozconfigs/win64/release b/browser/config/mozconfigs/win64/release new file mode 100644 index 00000000000..c977b83f1c8 --- /dev/null +++ b/browser/config/mozconfigs/win64/release @@ -0,0 +1,13 @@ +# This make file should be identical to the beta mozconfig, apart from the +# safeguard below +. "$topsrcdir/browser/config/mozconfigs/win64/common-opt" + +mk_add_options MOZ_PGO=1 + +ac_add_options --enable-official-branding + +# safeguard against someone forgetting to re-set EARLY_BETA_OR_EARLIER in +# defines.sh during the beta cycle +export BUILDING_RELEASE=1 + +. "$topsrcdir/build/mozconfig.common.override" diff --git a/browser/devtools/debugger/test/Makefile.in b/browser/devtools/debugger/test/Makefile.in index 1420aed37d6..bf122e9b223 100644 --- a/browser/devtools/debugger/test/Makefile.in +++ b/browser/devtools/debugger/test/Makefile.in @@ -24,6 +24,7 @@ MOCHITEST_BROWSER_TESTS = \ browser_dbg_cmd_blackbox.js \ browser_dbg_cmd_break.js \ browser_dbg_debuggerstatement.js \ + browser_dbg_listaddons.js \ browser_dbg_listtabs-01.js \ browser_dbg_listtabs-02.js \ browser_dbg_tabactor-01.js \ @@ -130,6 +131,8 @@ MOCHITEST_BROWSER_PAGES = \ testactors.js \ browser_dbg_tab1.html \ browser_dbg_tab2.html \ + browser_dbg_addon1.xpi \ + browser_dbg_addon2.xpi \ browser_dbg_debuggerstatement.html \ browser_dbg_stack.html \ browser_dbg_script-switching.html \ diff --git a/browser/devtools/debugger/test/browser_dbg_addon1.xpi b/browser/devtools/debugger/test/browser_dbg_addon1.xpi new file mode 100644 index 00000000000..b77ec953125 Binary files /dev/null and b/browser/devtools/debugger/test/browser_dbg_addon1.xpi differ diff --git a/browser/devtools/debugger/test/browser_dbg_addon2.xpi b/browser/devtools/debugger/test/browser_dbg_addon2.xpi new file mode 100644 index 00000000000..460eaca8a28 Binary files /dev/null and b/browser/devtools/debugger/test/browser_dbg_addon2.xpi differ diff --git a/browser/devtools/debugger/test/browser_dbg_listaddons.js b/browser/devtools/debugger/test/browser_dbg_listaddons.js new file mode 100644 index 00000000000..a6909b0dc10 --- /dev/null +++ b/browser/devtools/debugger/test/browser_dbg_listaddons.js @@ -0,0 +1,100 @@ +/* Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ */ + +// Make sure the listAddons request works as specified. + +var gAddon1 = null; +var gAddon1Actor = null; + +var gAddon2 = null; +var gAddon2Actor = null; + +var gClient = null; + +function test() +{ + let transport = DebuggerServer.connectPipe(); + gClient = new DebuggerClient(transport); + gClient.connect(function (aType, aTraits) { + is(aType, "browser", "Root actor should identify itself as a browser."); + test_first_addon(); + }) +} + +function test_first_addon() +{ + let addonListChanged = false; + gClient.addOneTimeListener("addonListChanged", function () { + addonListChanged = true; + }); + addAddon(ADDON1_URL, function(aAddon) { + gAddon1 = aAddon; + gClient.listAddons(function(aResponse) { + for each (let addon in aResponse.addons) { + if (addon.url == ADDON1_URL) { + gAddon1Actor = addon.actor; + } + } + ok(!addonListChanged, "Should not yet be notified that list of addons changed."); + ok(gAddon1Actor, "Should find an addon actor for addon1."); + test_second_addon(); + }); + }); +} + +function test_second_addon() +{ + let addonListChanged = false; + gClient.addOneTimeListener("addonListChanged", function () { + addonListChanged = true; + }); + addAddon(ADDON2_URL, function(aAddon) { + gAddon2 = aAddon; + gClient.listAddons(function(aResponse) { + let foundAddon1 = false; + for each (let addon in aResponse.addons) { + if (addon.url == ADDON1_URL) { + is(addon.actor, gAddon1Actor, "Addon1's actor shouldn't have changed."); + foundAddon1 = true; + } + if (addon.url == ADDON2_URL) { + gAddon2Actor = addon.actor; + } + } + ok(addonListChanged, "Should be notified that list of addons changed."); + ok(foundAddon1, "Should find an addon actor for addon1."); + ok(gAddon2Actor, "Should find an actor for addon2."); + test_remove_addon(); + }); + }); +} + +function test_remove_addon() +{ + let addonListChanged = false; + gClient.addOneTimeListener("addonListChanged", function () { + addonListChanged = true; + }); + removeAddon(gAddon1, function() { + gClient.listAddons(function(aResponse) { + let foundAddon1 = false; + for each (let addon in aResponse.addons) { + if (addon.url == ADDON1_URL) { + foundAddon1 = true; + } + } + ok(addonListChanged, "Should be notified that list of addons changed."); + ok(!foundAddon1, "Addon1 should be gone"); + finish_test(); + }); + }); +} + +function finish_test() +{ + removeAddon(gAddon2, function() { + gClient.close(function() { + finish(); + }); + }); +} diff --git a/browser/devtools/debugger/test/head.js b/browser/devtools/debugger/test/head.js index 0ad25164961..fc1046b1144 100644 --- a/browser/devtools/debugger/test/head.js +++ b/browser/devtools/debugger/test/head.js @@ -19,10 +19,12 @@ Cu.import("resource://gre/modules/devtools/dbg-client.jsm", tempScope); Cu.import("resource:///modules/source-editor.jsm", tempScope); Cu.import("resource:///modules/devtools/gDevTools.jsm", tempScope); Cu.import("resource://gre/modules/devtools/Loader.jsm", tempScope); +Cu.import("resource://gre/modules/AddonManager.jsm", tempScope); let SourceEditor = tempScope.SourceEditor; let DebuggerServer = tempScope.DebuggerServer; let DebuggerTransport = tempScope.DebuggerTransport; let DebuggerClient = tempScope.DebuggerClient; +let AddonManager = tempScope.AddonManager; let gDevTools = tempScope.gDevTools; let devtools = tempScope.devtools; let TargetFactory = devtools.TargetFactory; @@ -34,6 +36,8 @@ Services.scriptloader.loadSubScript(testDir + "../../../commandline/test/helpers const EXAMPLE_URL = "http://example.com/browser/browser/devtools/debugger/test/"; const TAB1_URL = EXAMPLE_URL + "browser_dbg_tab1.html"; const TAB2_URL = EXAMPLE_URL + "browser_dbg_tab2.html"; +const ADDON1_URL = EXAMPLE_URL + "browser_dbg_addon1.xpi"; +const ADDON2_URL = EXAMPLE_URL + "browser_dbg_addon2.xpi"; const STACK_URL = EXAMPLE_URL + "browser_dbg_stack.html"; // Enable remote debugging for the relevant tests. @@ -106,6 +110,32 @@ function removeTab(aTab, aWindow) { targetBrowser.removeTab(aTab); } +function addAddon(aURL, aOnInstallEnded) { + AddonManager.getInstallForURL(aURL, function(aInstall) { + aInstall.install(); + var listener = { + onInstallEnded: function(aAddon, aAddonInstall) { + aInstall.removeListener(listener); + aOnInstallEnded(aAddonInstall); + } + }; + aInstall.addListener(listener); + }, "application/x-xpinstall"); +} + +function removeAddon(aAddon, aOnUninstalled) { + var listener = { + onUninstalled: function(aUninstalledAddon) { + if (aUninstalledAddon != aAddon) + return; + AddonManager.removeAddonListener(listener); + aOnUninstalled(); + } + }; + AddonManager.addAddonListener(listener); + aAddon.uninstall(); +} + function closeDebuggerAndFinish(aRemoteFlag, aCallback, aWindow) { let debuggerClosed = false; let debuggerDisconnected = false; diff --git a/browser/installer/package-manifest.in b/browser/installer/package-manifest.in index 28b51cf46ad..e8945c32dce 100644 --- a/browser/installer/package-manifest.in +++ b/browser/installer/package-manifest.in @@ -203,7 +203,6 @@ @BINPATH@/components/dom_indexeddb.xpt @BINPATH@/components/dom_offline.xpt @BINPATH@/components/dom_json.xpt -@BINPATH@/components/dom_browserelement.xpt @BINPATH@/components/dom_power.xpt @BINPATH@/components/dom_quota.xpt @BINPATH@/components/dom_range.xpt diff --git a/content/base/public/nsContentPolicyUtils.h b/content/base/public/nsContentPolicyUtils.h index 3c9e785d068..dabb8d1ae75 100644 --- a/content/base/public/nsContentPolicyUtils.h +++ b/content/base/public/nsContentPolicyUtils.h @@ -19,6 +19,7 @@ #include "nsIContent.h" #include "nsIScriptSecurityManager.h" #include "nsIPrincipal.h" +#include "nsIURI.h" //XXXtw sadly, this makes consumers of nsContentPolicyUtils depend on widget #include "nsIDocument.h" diff --git a/content/base/public/nsContentUtils.h b/content/base/public/nsContentUtils.h index 93eb1cb9a4b..b9b171b5e8b 100644 --- a/content/base/public/nsContentUtils.h +++ b/content/base/public/nsContentUtils.h @@ -96,7 +96,6 @@ struct JSContext; struct JSPropertyDescriptor; struct JSRuntime; struct nsIntMargin; -struct nsNativeKeyEvent; // Don't include nsINativeKeyBindings.h here: it will force strange compilation error! template class nsCOMArray; template class nsTArray; @@ -1386,14 +1385,11 @@ public: static const nsDependentString GetLocalizedEllipsis(); /** - * The routine GetNativeEvent is used to fill nsNativeKeyEvent. - * It's also used in DOMEventToNativeKeyEvent. - * See bug 406407 for details. + * The routine GetNativeEvent returns the result of + * aDOMEvent->GetInternalNSEvent(). + * XXX Is this necessary? */ static nsEvent* GetNativeEvent(nsIDOMEvent* aDOMEvent); - static bool DOMEventToNativeKeyEvent(nsIDOMKeyEvent* aKeyEvent, - nsNativeKeyEvent* aNativeEvent, - bool aGetCharCode); /** * Get the candidates for accelkeys for aDOMKeyEvent. diff --git a/content/base/public/nsIDocument.h b/content/base/public/nsIDocument.h index 623fa3026be..be1bc4339fc 100644 --- a/content/base/public/nsIDocument.h +++ b/content/base/public/nsIDocument.h @@ -269,12 +269,7 @@ public: } return mDocumentBaseURI ? mDocumentBaseURI : mDocumentURI; } - virtual already_AddRefed GetBaseURI() const MOZ_OVERRIDE - { - nsCOMPtr uri = GetDocBaseURI(); - - return uri.forget(); - } + virtual already_AddRefed GetBaseURI() const MOZ_OVERRIDE; virtual nsresult SetBaseURI(nsIURI* aURI) = 0; diff --git a/content/base/src/Link.cpp b/content/base/src/Link.cpp index 6d9848ccd2a..288182d0057 100644 --- a/content/base/src/Link.cpp +++ b/content/base/src/Link.cpp @@ -111,27 +111,20 @@ Link::LinkState() const return nsEventStates(); } -already_AddRefed +nsIURI* Link::GetURI() const { - nsCOMPtr uri(mCachedURI); - // If we have this URI cached, use it. - if (uri) { - return uri.forget(); + if (mCachedURI) { + return mCachedURI; } // Otherwise obtain it. Link *self = const_cast(this); Element *element = self->mElement; - uri = element->GetHrefURI(); + mCachedURI = element->GetHrefURI(); - // We want to cache the URI if we have it - if (uri) { - mCachedURI = uri; - } - - return uri.forget(); + return mCachedURI; } void diff --git a/content/base/src/Link.h b/content/base/src/Link.h index 4edceb0cada..aa41d6bac27 100644 --- a/content/base/src/Link.h +++ b/content/base/src/Link.h @@ -20,9 +20,9 @@ namespace dom { class Element; -#define MOZILLA_DOM_LINK_IMPLEMENTATION_IID \ - { 0x7EA57721, 0xE373, 0x458E, \ - {0x8F, 0x44, 0xF8, 0x96, 0x56, 0xB4, 0x14, 0xF5 } } +#define MOZILLA_DOM_LINK_IMPLEMENTATION_IID \ +{ 0xb25edee6, 0xdd35, 0x4f8b, \ + { 0xab, 0x90, 0x66, 0xd0, 0xbd, 0x3c, 0x22, 0xd5 } } class Link : public nsISupports { @@ -45,8 +45,8 @@ public: /** * @return the URI this link is for, if available. */ - already_AddRefed GetURI() const; - virtual already_AddRefed GetURIExternal() const { + nsIURI* GetURI() const; + virtual nsIURI* GetURIExternal() const { return GetURI(); } @@ -111,11 +111,11 @@ protected: */ bool HasURI() const { - if (mCachedURI) + if (HasCachedURI()) { return true; + } - nsCOMPtr uri(GetURI()); - return !!uri; + return !!GetURI(); } nsIURI* GetCachedURI() const { return mCachedURI; } diff --git a/content/base/src/nsContentUtils.cpp b/content/base/src/nsContentUtils.cpp index af25f46661f..41346fd9e31 100644 --- a/content/base/src/nsContentUtils.cpp +++ b/content/base/src/nsContentUtils.cpp @@ -116,7 +116,6 @@ #include "nsILoadGroup.h" #include "nsIMEStateManager.h" #include "nsIMIMEService.h" -#include "nsINativeKeyBindings.h" #include "nsINode.h" #include "nsINodeInfo.h" #include "nsIObjectLoadingContent.h" @@ -4551,39 +4550,6 @@ nsContentUtils::GetNativeEvent(nsIDOMEvent* aDOMEvent) return aDOMEvent ? aDOMEvent->GetInternalNSEvent() : nullptr; } -//static -bool -nsContentUtils::DOMEventToNativeKeyEvent(nsIDOMKeyEvent* aKeyEvent, - nsNativeKeyEvent* aNativeEvent, - bool aGetCharCode) -{ - bool defaultPrevented; - aKeyEvent->GetDefaultPrevented(&defaultPrevented); - if (defaultPrevented) - return false; - - bool trusted = false; - aKeyEvent->GetIsTrusted(&trusted); - if (!trusted) - return false; - - if (aGetCharCode) { - aKeyEvent->GetCharCode(&aNativeEvent->charCode); - } else { - aNativeEvent->charCode = 0; - } - aKeyEvent->GetKeyCode(&aNativeEvent->keyCode); - aKeyEvent->GetAltKey(&aNativeEvent->altKey); - aKeyEvent->GetCtrlKey(&aNativeEvent->ctrlKey); - aKeyEvent->GetShiftKey(&aNativeEvent->shiftKey); - aKeyEvent->GetMetaKey(&aNativeEvent->metaKey); - - aNativeEvent->mGeckoEvent = - static_cast(GetNativeEvent(aKeyEvent)); - - return true; -} - static bool HasASCIIDigit(const nsTArray& aCandidates) { diff --git a/content/base/src/nsDocument.cpp b/content/base/src/nsDocument.cpp index ebcd7e91a51..f97fc65f507 100644 --- a/content/base/src/nsDocument.cpp +++ b/content/base/src/nsDocument.cpp @@ -3259,6 +3259,13 @@ nsIDocument::ReleaseCapture() const } } +already_AddRefed +nsIDocument::GetBaseURI() const +{ + nsCOMPtr uri = GetDocBaseURI(); + return uri.forget(); +} + nsresult nsDocument::SetBaseURI(nsIURI* aURI) { diff --git a/content/base/src/nsGenConImageContent.cpp b/content/base/src/nsGenConImageContent.cpp index 11939443804..8d6645136b2 100644 --- a/content/base/src/nsGenConImageContent.cpp +++ b/content/base/src/nsGenConImageContent.cpp @@ -16,6 +16,7 @@ #include "imgIRequest.h" #include "nsEventStates.h" #include "nsEventDispatcher.h" +#include "nsGUIEvent.h" class nsGenConImageContent MOZ_FINAL : public nsXMLElement, public nsImageLoadingContent diff --git a/content/base/test/chrome/cpows_child.js b/content/base/test/chrome/cpows_child.js index a53c7c1940d..d8a27bbfb6a 100644 --- a/content/base/test/chrome/cpows_child.js +++ b/content/base/test/chrome/cpows_child.js @@ -5,7 +5,10 @@ content.document.title = "Hello, Kitty"; (function start() { sync_test(); async_test(); - sendAsyncMessage("cpows:done", {}); + // The sync-ness of this call is important, because otherwise + // we tear down the child's document while we are + // still in the async test in the parent. + sendSyncMessage("cpows:done", {}); } )(); diff --git a/content/base/test/chrome/cpows_parent.xul b/content/base/test/chrome/cpows_parent.xul index 7d9592a8f96..e98b08b29e0 100644 --- a/content/base/test/chrome/cpows_parent.xul +++ b/content/base/test/chrome/cpows_parent.xul @@ -17,6 +17,11 @@ return opener.wrappedJSObject.ok(condition, message); } + // Make sure that an error in this file actually causes the test to fail. + window.onerror = function (msg, url, line) { + ok(false, "Error while executing: \n" + msg + "\n" + url + ":" + line); + }; + function testCpowMessage(message) { ok(message.json.check == "ok", "correct json"); diff --git a/content/base/test/chrome/test_cpows.xul b/content/base/test/chrome/test_cpows.xul index 0f10f509439..f47f0c57534 100644 --- a/content/base/test/chrome/test_cpows.xul +++ b/content/base/test/chrome/test_cpows.xul @@ -21,7 +21,10 @@ } addLoadEvent(function() { - window.open("cpows_parent.xul", "", "chrome"); + // We don't want to set browser.tabs.remote to true, but still have CPOWs enabled. + SpecialPowers.pushPrefEnv({"set": [["dom.ipc.cpows.force-enabled", true]]}, function() { + window.open("cpows_parent.xul", "", "chrome"); + }); }); ]]> diff --git a/content/canvas/src/CanvasUtils.h b/content/canvas/src/CanvasUtils.h index 11364277ee6..68487aeae9e 100644 --- a/content/canvas/src/CanvasUtils.h +++ b/content/canvas/src/CanvasUtils.h @@ -7,6 +7,7 @@ #define _CANVASUTILS_H_ #include "mozilla/CheckedInt.h" +#include "jsapi.h" class nsIPrincipal; diff --git a/content/events/src/nsEventStateManager.cpp b/content/events/src/nsEventStateManager.cpp index c6954ffb13f..e21487c376f 100644 --- a/content/events/src/nsEventStateManager.cpp +++ b/content/events/src/nsEventStateManager.cpp @@ -2596,7 +2596,7 @@ nsEventStateManager::ComputeScrollTarget(nsIFrame* aTargetFrame, return frameToScroll; } - nsPresContext::ScrollbarStyles ss = frameToScroll->GetScrollbarStyles(); + ScrollbarStyles ss = frameToScroll->GetScrollbarStyles(); bool hiddenForV = (NS_STYLE_OVERFLOW_HIDDEN == ss.mVertical); bool hiddenForH = (NS_STYLE_OVERFLOW_HIDDEN == ss.mHorizontal); if ((hiddenForV && hiddenForH) || @@ -2705,8 +2705,7 @@ nsEventStateManager::DoScrollText(nsIScrollableFrame* aScrollableFrame, ComputeScrollAmountForDefaultAction(aEvent, scrollAmountInDevPixels); // Don't scroll around the axis whose overflow style is hidden. - nsPresContext::ScrollbarStyles overflowStyle = - aScrollableFrame->GetScrollbarStyles(); + ScrollbarStyles overflowStyle = aScrollableFrame->GetScrollbarStyles(); if (overflowStyle.mHorizontal == NS_STYLE_OVERFLOW_HIDDEN) { actualDevPixelScrollAmount.x = 0; } diff --git a/content/html/content/src/HTMLAnchorElement.cpp b/content/html/content/src/HTMLAnchorElement.cpp index 488018c3461..b70ad2905f4 100644 --- a/content/html/content/src/HTMLAnchorElement.cpp +++ b/content/html/content/src/HTMLAnchorElement.cpp @@ -15,6 +15,7 @@ #include "nsIDocument.h" #include "nsIPresShell.h" #include "nsPresContext.h" +#include "nsIURI.h" NS_IMPL_NS_NEW_HTML_ELEMENT(Anchor) diff --git a/content/html/content/src/HTMLFieldSetElement.cpp b/content/html/content/src/HTMLFieldSetElement.cpp index 0e8c2df469f..a8951f93202 100644 --- a/content/html/content/src/HTMLFieldSetElement.cpp +++ b/content/html/content/src/HTMLFieldSetElement.cpp @@ -7,6 +7,7 @@ #include "mozilla/dom/HTMLFieldSetElementBinding.h" #include "nsContentList.h" #include "nsEventDispatcher.h" +#include "nsGUIEvent.h" NS_IMPL_NS_NEW_HTML_ELEMENT(FieldSet) diff --git a/content/html/content/src/HTMLFormElement.h b/content/html/content/src/HTMLFormElement.h index e5512b7bfbe..eae6fe95f76 100644 --- a/content/html/content/src/HTMLFormElement.h +++ b/content/html/content/src/HTMLFormElement.h @@ -21,6 +21,7 @@ #include "nsRefPtrHashtable.h" #include "nsDataHashtable.h" #include "nsAsyncDOMEvent.h" +#include "jsfriendapi.h" // For js::ExpandoAndGeneration class nsIMutableArray; class nsIURI; diff --git a/content/html/content/src/HTMLInputElement.cpp b/content/html/content/src/HTMLInputElement.cpp index cd14f42f851..db90c55e8d6 100644 --- a/content/html/content/src/HTMLInputElement.cpp +++ b/content/html/content/src/HTMLInputElement.cpp @@ -1162,6 +1162,9 @@ HTMLInputElement::TabIndexDefault() uint32_t HTMLInputElement::Height() { + if (mType != NS_FORM_INPUT_IMAGE) { + return 0; + } return GetWidthHeightForImage(mCurrentRequest).height; } @@ -1213,6 +1216,9 @@ HTMLInputElement::SetIndeterminate(bool aValue) uint32_t HTMLInputElement::Width() { + if (mType != NS_FORM_INPUT_IMAGE) { + return 0; + } return GetWidthHeightForImage(mCurrentRequest).width; } diff --git a/content/html/content/src/HTMLLabelElement.cpp b/content/html/content/src/HTMLLabelElement.cpp index be2ea171820..eb6c72f1887 100644 --- a/content/html/content/src/HTMLLabelElement.cpp +++ b/content/html/content/src/HTMLLabelElement.cpp @@ -10,6 +10,8 @@ #include "mozilla/dom/HTMLLabelElementBinding.h" #include "nsEventDispatcher.h" #include "nsFocusManager.h" +#include "nsGUIEvent.h" +#include "nsIDOMMouseEvent.h" // construction, destruction diff --git a/content/html/content/src/HTMLLinkElement.cpp b/content/html/content/src/HTMLLinkElement.cpp index 81c3ca2f3ff..4ab9b1c85d4 100644 --- a/content/html/content/src/HTMLLinkElement.cpp +++ b/content/html/content/src/HTMLLinkElement.cpp @@ -329,7 +329,8 @@ HTMLLinkElement::GetStyleSheetURL(bool* aIsInline) if (href.IsEmpty()) { return nullptr; } - return Link::GetURI(); + nsCOMPtr uri = Link::GetURI(); + return uri.forget(); } void diff --git a/content/html/content/src/HTMLMenuElement.cpp b/content/html/content/src/HTMLMenuElement.cpp index 625b2022458..5f3ebcf6f70 100644 --- a/content/html/content/src/HTMLMenuElement.cpp +++ b/content/html/content/src/HTMLMenuElement.cpp @@ -10,7 +10,9 @@ #include "nsAttrValueInlines.h" #include "nsContentUtils.h" #include "nsEventDispatcher.h" +#include "nsGUIEvent.h" #include "nsXULContextMenuBuilder.h" +#include "nsIURI.h" NS_IMPL_NS_NEW_HTML_ELEMENT(Menu) diff --git a/content/html/content/src/HTMLMenuItemElement.cpp b/content/html/content/src/HTMLMenuItemElement.cpp index a941c0b2cef..73543f76b1a 100644 --- a/content/html/content/src/HTMLMenuItemElement.cpp +++ b/content/html/content/src/HTMLMenuItemElement.cpp @@ -9,6 +9,7 @@ #include "nsAttrValueInlines.h" #include "nsContentUtils.h" #include "nsEventDispatcher.h" +#include "nsGUIEvent.h" NS_IMPL_NS_NEW_HTML_ELEMENT_CHECK_PARSER(MenuItem) diff --git a/content/html/content/src/nsDOMStringMap.h b/content/html/content/src/nsDOMStringMap.h index 0ce50430d60..7542656f9c1 100644 --- a/content/html/content/src/nsDOMStringMap.h +++ b/content/html/content/src/nsDOMStringMap.h @@ -13,6 +13,7 @@ #include "nsString.h" #include "nsWrapperCache.h" #include "nsGenericHTMLElement.h" +#include "jsfriendapi.h" // For js::ExpandoAndGeneration namespace mozilla { class ErrorResult; diff --git a/content/html/content/src/nsTextEditorState.cpp b/content/html/content/src/nsTextEditorState.cpp index 2c7e5587df2..4daa3918545 100644 --- a/content/html/content/src/nsTextEditorState.cpp +++ b/content/html/content/src/nsTextEditorState.cpp @@ -809,29 +809,41 @@ DoCommandCallback(const char *aCommand, void *aData) NS_IMETHODIMP nsTextInputListener::HandleEvent(nsIDOMEvent* aEvent) { - nsCOMPtr keyEvent(do_QueryInterface(aEvent)); - NS_ENSURE_TRUE(keyEvent, NS_ERROR_INVALID_ARG); + bool defaultPrevented = false; + nsresult rv = aEvent->GetDefaultPrevented(&defaultPrevented); + NS_ENSURE_SUCCESS(rv, rv); + if (defaultPrevented) { + return NS_OK; + } - nsAutoString eventType; - aEvent->GetType(eventType); + bool isTrusted = false; + rv = aEvent->GetIsTrusted(&isTrusted); + NS_ENSURE_SUCCESS(rv, rv); + if (!isTrusted) { + return NS_OK; + } + + nsKeyEvent* keyEvent = + static_cast(aEvent->GetInternalNSEvent()); + if (keyEvent->eventStructType != NS_KEY_EVENT) { + return NS_ERROR_UNEXPECTED; + } - nsNativeKeyEvent nativeEvent; nsINativeKeyBindings *bindings = GetKeyBindings(); - if (bindings && - nsContentUtils::DOMEventToNativeKeyEvent(keyEvent, &nativeEvent, false)) { - + if (bindings) { bool handled = false; - if (eventType.EqualsLiteral("keydown")) { - handled = bindings->KeyDown(nativeEvent, DoCommandCallback, mFrame); - } - else if (eventType.EqualsLiteral("keyup")) { - handled = bindings->KeyUp(nativeEvent, DoCommandCallback, mFrame); - } - else if (eventType.EqualsLiteral("keypress")) { - handled = bindings->KeyPress(nativeEvent, DoCommandCallback, mFrame); - } - else { - NS_ABORT(); + switch (keyEvent->message) { + case NS_KEY_DOWN: + handled = bindings->KeyDown(*keyEvent, DoCommandCallback, mFrame); + break; + case NS_KEY_UP: + handled = bindings->KeyUp(*keyEvent, DoCommandCallback, mFrame); + break; + case NS_KEY_PRESS: + handled = bindings->KeyPress(*keyEvent, DoCommandCallback, mFrame); + break; + default: + MOZ_CRASH("Unknown key message"); } if (handled) { aEvent->PreventDefault(); diff --git a/content/html/content/test/forms/test_input_attributes_reflection.html b/content/html/content/test/forms/test_input_attributes_reflection.html index bda9ff20557..89a0c342b8a 100644 --- a/content/html/content/test/forms/test_input_attributes_reflection.html +++ b/content/html/content/test/forms/test_input_attributes_reflection.html @@ -8,7 +8,7 @@

-

Usage and Examples

Most of the command options in the examples listed here have more arguments available. The arguments included in these examples are the most common ones or are used to illustrate a specific scenario. Use the -H option to show the complete list of arguments for each command option.

Creating New Security Databases

Certificates, keys, and security modules related to managing certificates are stored in three related databases: @@ -144,44 +142,25 @@ of the attribute codes: The new certificate request can be output in ASCII format (-a) or can be written to a specified file (-o).

For example: - 

$ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:/home/my/sharednssdb -p 650-555-0123 -a -o cert.cer
+	
$ certutil -R -k rsa -g 1024 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:$HOME/nssdb -p 650-555-0123 -a -o cert.cer
 
 Generating key.  This may take a few moments...
 
-
-Certificate request generated by Netscape 
-Phone: 650-555-0123
-Common Name: John Smith
-Email: (not ed)
-Organization: Example Corp
-State: California
-Country: US
-
------BEGIN NEW CERTIFICATE REQUEST-----
-MIIBIDCBywIBADBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW
-MBQGA1UEBxMNTW91bnRhaW4gVmlldzEVMBMGA1UEChMMRXhhbXBsZSBDb3JwMRMw
-EQYDVQQDEwpKb2huIFNtaXRoMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ
-KmHnOx7reP8Cc0Lk+fFWEuYIDX9W5K/BioQOKvEjXyQZhit9aThzBVMoSf1Y1S8J
-CzdUbCg1+IbnXaECAwEAAaAAMA0GCSqGSIb3DQEBBQUAA0EAryqZvpYrUtQ486Ny
-qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB
-1hP9Gg==
------END NEW CERTIFICATE REQUEST-----
Creating a Certificate

+

Creating a Certificate

A valid certificate must be issued by a trusted CA. This can be done by specifying a CA certificate (-c) that is stored in the certificate database. If a CA key pair is not available, you can create a self-signed certificate using the -x argument with the -S command option. 

$ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID]

- The series of numbers and --ext* options set certificate extensions that can be added to the certificate when it is generated by the CA. + The series of numbers and --ext* options set certificate extensions that can be added to the certificate when it is generated by the CA. Interactive prompts will result.

For example, this creates a self-signed certificate: 

$ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650

+The interative prompts for key usage and whether any extensions are critical and responses have been ommitted for brevity. +

From there, new certificates can reference the self-signed certificate: 

$ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t "u,u,u" -1 -5 -6 -8 -m 730

Generating a Certificate from a Certificate Request

When a certificate request is created, a certificate can be generated by using the request and then referencing a certificate authority signing certificate (the issuer specified in the -c argument). The issuing certificate must be in the certificate database in the specified directory. 

certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] -d [sql:]directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names]

For example: - 

$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d sql:/home/my/sharednssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com

Generating Key Pairs

- Key pairs are generated automatically with a certificate request or certificate, but they can also be generated independently using the -G command option. - 

certutil -G -d [sql:]directory | -h tokenname -k key-type -g key-size [-y exponent-value] -q pqgfile|curve-name

- For example: - 

$ certutil -G -h lunasa -k ec -g 256 -q sect193r2

Listing Certificates

+ 

$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d sql:$HOME/nssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com

Listing Certificates

The -L command option lists all of the certificates listed in the certificate database. The path to the directory (-d) is required. 

$ certutil -L -d sql:/home/my/sharednssdb
 
@@ -193,34 +172,89 @@ TPS Administrator's Example Domain ID                        u,u,u
 Google Internet Authority                                    ,,   
 Certificate Authority - Example Domain                       CT,C,C

Using additional arguments with -L can return and print the information for a single, specific certificate. For example, the -n argument passes the certificate name, while the -a argument prints the certificate in ASCII format: - 

$ certutil -L -d sql:/home/my/sharednssdb -a -n "Certificate Authority - Example Domain"
-
+	
+$ certutil -L -d sql:$HOME/nssdb -a -n my-ca-cert
 -----BEGIN CERTIFICATE-----
-MIIDmTCCAoGgAwIBAgIBATANBgkqhkiG9w0BAQUFADA5MRcwFQYDVQQKEw5FeGFt
-cGxlIERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEw
-MDQyOTIxNTY1OFoXDTEyMDQxODIxNTY1OFowOTEXMBUGA1UEChMORXhhbXBsZSBE
-b21haW4xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAO/bqUli2KwqXFKmMMG93KN1SANzNTXA/Vlf
-Tmrih3hQgjvR1ktIY9aG6cB7DSKWmtHp/+p4PUCMqL4ZrSGt901qxkePyZ2dYmM2
-RnelK+SEUIPiUtoZaDhNdiYsE/yuDE8vQWj0vHCVL0w72qFUcSQ/WZT7FCrnUIUI
-udeWnoPSUn70gLhcj/lvxl7K9BHyD4Sq5CzktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2
-bP4iRMfloGqsxGuB1evWVDF1haGpFDSPgMnEPSLg3/3dXn+HDJbZ29EU8/xKzQEb
-3V0AHKbu80zGllLEt2Zx/WDIrgJEN9yMfgKFpcmL+BvIRsmh0VsCAwEAAaOBqzCB
-qDAfBgNVHSMEGDAWgBQATgxHQyRUfKIZtdp55bZlFr+tFzAPBgNVHRMBAf8EBTAD
-AQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/
-rRcwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUFBzABhilodHRwOi8vbG9jYWxob3N0
-LmxvY2FsZG9tYWluOjkxODAvY2Evb2NzcDANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk
-L3XO43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3KROLWeKVZZZa2E2Hnsvf2uXbk5amKe
-lRxdSeRH9g85pv4KY7Z8xZ71NrI3+K3uwmnqkc6t0hhYb1mw/gx8OAAoluQx3biX
-JBDxjI73Cf7XUopplHBjjiwyGIJUO8BEZJ5L+TF4P38MJz1snLtzZpEAX5bl0U76
-bfu/tZFWBbE8YAWYtkCtMcalBPj6jn2WD3M01kGozW4mmbvsj1cRB9HnsGsqyHCu
-U0ujlL1H/RWcjn607+CTeKH9jLMUqCIqPJNOa+kq/6F7NhNRRiuzASIbZc30BZ5a
-nI7q5n1USM3eWQlVXw==
------END CERTIFICATE-----
Listing Keys

+MIIB1DCCAT2gAwIBAgICDkIwDQYJKoZIhvcNAQEFBQAwFTETMBEGA1UEAxMKRXhh
+bXBsZSBDQTAeFw0xMzAzMTMxOTEwMjlaFw0xMzA2MTMxOTEwMjlaMBUxEzARBgNV
+BAMTCkV4YW1wbGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ4Kzqvz
+JyBVgFqDXRYSyTBNw1DrxUU/3GvWA/ngjAwHEv0Cul/6sO/gsCvnABHiH6unns6x
+XRzPORlC2WY3gkk7vmlsLvYpyecNazAi/NAwVnU/66HOsaoVFWE+gBQo99UrN2yk
+0BiK/GMFlLm5dXQROgA9ZKKyFdI0LIXtf6SbAgMBAAGjMzAxMBEGCWCGSAGG+EIB
+AQQEAwIHADAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B
+AQUFAAOBgQA6chkzkACN281d1jKMrc+RHG2UMaQyxiteaLVZO+Ro1nnRUvseDf09
+XKYFwPMJjWCihVku6bw/ihZfuMHhxK22Nue6inNQ6eDu7WmrqL8z3iUrQwxs+WiF
+ob2rb8XRVVJkzXdXxlk4uo3UtNvw8sAz7sWD71qxKaIHU5q49zijfg==
+-----END CERTIFICATE-----
+

For a human-readable display

$ certutil -L -d sql:$HOME/nssdb -n my-ca-cert
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3650 (0xe42)
+        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
+        Issuer: "CN=Example CA"
+        Validity:
+            Not Before: Wed Mar 13 19:10:29 2013
+            Not After : Thu Jun 13 19:10:29 2013
+        Subject: "CN=Example CA"
+        Subject Public Key Info:
+            Public Key Algorithm: PKCS #1 RSA Encryption
+            RSA Public Key:
+                Modulus:
+                    9e:0a:ce:ab:f3:27:20:55:80:5a:83:5d:16:12:c9:30:
+                    4d:c3:50:eb:c5:45:3f:dc:6b:d6:03:f9:e0:8c:0c:07:
+                    12:fd:02:ba:5f:fa:b0:ef:e0:b0:2b:e7:00:11:e2:1f:
+                    ab:a7:9e:ce:b1:5d:1c:cf:39:19:42:d9:66:37:82:49:
+                    3b:be:69:6c:2e:f6:29:c9:e7:0d:6b:30:22:fc:d0:30:
+                    56:75:3f:eb:a1:ce:b1:aa:15:15:61:3e:80:14:28:f7:
+                    d5:2b:37:6c:a4:d0:18:8a:fc:63:05:94:b9:b9:75:74:
+                    11:3a:00:3d:64:a2:b2:15:d2:34:2c:85:ed:7f:a4:9b
+                Exponent: 65537 (0x10001)
+        Signed Extensions:
+            Name: Certificate Type
+            Data: none
+
+            Name: Certificate Basic Constraints
+            Data: Is a CA with no maximum path length.
+
+            Name: Certificate Key Usage
+            Critical: True
+            Usages: Certificate Signing
+
+    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
+    Signature:
+        3a:72:19:33:90:00:8d:db:cd:5d:d6:32:8c:ad:cf:91:
+        1c:6d:94:31:a4:32:c6:2b:5e:68:b5:59:3b:e4:68:d6:
+        79:d1:52:fb:1e:0d:fd:3d:5c:a6:05:c0:f3:09:8d:60:
+        a2:85:59:2e:e9:bc:3f:8a:16:5f:b8:c1:e1:c4:ad:b6:
+        36:e7:ba:8a:73:50:e9:e0:ee:ed:69:ab:a8:bf:33:de:
+        25:2b:43:0c:6c:f9:68:85:a1:bd:ab:6f:c5:d1:55:52:
+        64:cd:77:57:c6:59:38:ba:8d:d4:b4:db:f0:f2:c0:33:
+        ee:c5:83:ef:5a:b1:29:a2:07:53:9a:b8:f7:38:a3:7e
+    Fingerprint (MD5):
+        86:D8:A5:8B:8A:26:BE:9E:17:A8:7B:66:10:6B:27:80
+    Fingerprint (SHA1):
+        48:78:09:EF:C5:D4:0C:BD:D2:64:45:59:EB:03:13:15:F7:A9:D6:F7
+
+    Certificate Trust Flags:
+        SSL Flags:
+            Valid CA
+            Trusted CA
+            User
+        Email Flags:
+            Valid CA
+            Trusted CA
+            User
+        Object Signing Flags:
+            Valid CA
+            Trusted CA
+            User
+
+

Listing Keys

Keys are the original material used to encrypt certificate data. The keys generated for certificates are stored separately, in the key database.

To list all keys in the database, use the -K command option and the (required) -d argument to give the path to the directory. - 

$ certutil -K -d sql:/home/my/sharednssdb
+	
$ certutil -K -d sql:$HOME/nssdb
 certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services                  "
 < 0> rsa      455a6673bde9375c2887ec8bf8016b3f9f35861d   Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
 < 1> rsa      40defeeb522ade11090eacebaaf1196a172127df   Example Domain Administrator Cert
@@ -291,12 +325,12 @@ The last versions of these legacy databas

BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS requires more flexibility to provide a truly shared security database.

In 2009, NSS introduced a new set of databases that are SQLite databases rather than -BerkleyDB. These new databases provide more accessibility and performance:

  • +BerkeleyDB. These new databases provide more accessibility and performance:

    • cert9.db for certificates

    • key4.db for keys

    • - pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory + pkcs11.txt, a listing of all of the PKCS #11 modules, contained in a new subdirectory in the security databases directory

    Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.

    By default, the tools (certutil, pk12util, modutil) assume that the given security databases follow the more common legacy type. Using the SQLite databases must be manually specified by using the sql: prefix with the given security directory. For example:

    $ certutil -L -d sql:/home/my/sharednssdb

    To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql:

    export NSS_DEFAULT_DB_TYPE="sql"

    This line can be set added to the ~/.bashrc file to make the change permanent.

    Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:

    • https://wiki.mozilla.org/NSS_Shared_DB_Howto

    For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:

    • @@ -310,9 +344,7 @@ Using the SQLite databases must be manually specified by using the

      • https://wiki.mozilla.org/NSS_Shared_DB_Howto

      • https://wiki.mozilla.org/NSS_Shared_DB -

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.

+

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. -

LICENSE

Licensed under the Mozilla Public License, version 1.1, - and/or the GNU General Public License, version 2 or later, - and/or the GNU Lesser General Public License, version 2.1 or later. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

diff --git a/security/nss/doc/html/cmsutil.html b/security/nss/doc/html/cmsutil.html index ac5ea6b9488..2b5249cadcd 100644 --- a/security/nss/doc/html/cmsutil.html +++ b/security/nss/doc/html/cmsutil.html @@ -1,4 +1,4 @@ -CMSUTIL
CMSUTIL

Name

cmsutil — Performs basic cryptograpic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages.

Synopsis

cmsutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +CMSUTIL

CMSUTIL

Name

cmsutil — Performs basic cryptograpic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages.

Synopsis

cmsutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477

Description

The cmsutil command-line uses the S/MIME Toolkit to perform basic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages.

To run cmsutil, type the command cmsutil option [arguments] where option and arguments are combinations of the options and arguments listed in the following section. @@ -8,10 +8,10 @@ To see a usage string, issue the command without options.

Options

Options specify an action. Option arguments modify an action. The options and arguments for the cmsutil command are defined as follows: -

-D

Decode a message.

-C

Encrypt a message.

-E

Envelope a message.

-O

Create a certificates-only message.

-S

Sign a message.

Arguments

Option arguments modify an action and are lowercase.

-c content

Use this detached content (decode only).

-d dbdir

Specify the key/certificate database directory (default is ".")

-e envfile

Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only).

-G

Include a signing time attribute (sign only).

-h num

Generate email headers with info about CMS message (decode only).

-i infile

Use infile as a source of data (default is stdin).

-N nickname

Specify nickname of certificate to sign with (sign only).

-n

Suppress output of contents (decode only).

-o outfile

Use outfile as a destination of data (default is stdout).

-P

Include an S/MIME capabilities attribute.

-p password

Use password as key database password.

-r recipient1,recipient2, ...

+

-D

Decode a message.

-C

Encrypt a message.

-E

Envelope a message.

-O

Create a certificates-only message.

-S

Sign a message.

Arguments

Option arguments modify an action.

-b

Decode a batch of files named in infile.

-c content

Use this detached content (decode only).

-d dbdir

Specify the key/certificate database directory (default is ".")

-e envfile

Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only).

-f pwfile

Use password file to set password on all PKCS#11 tokens.

-G

Include a signing time attribute (sign only).

-H hash

Use specified hash algorithm (default:SHA1).

-h num

Generate email headers with info about CMS message (decode only).

-i infile

Use infile as a source of data (default is stdin).

-k

Keep decoded encryption certs in permanent cert db.

-N nickname

Specify nickname of certificate to sign with (sign only).

-n

Suppress output of contents (decode only).

-o outfile

Use outfile as a destination of data (default is stdout).

-P

Include an S/MIME capabilities attribute.

-p password

Use password as key database password.

-r recipient1,recipient2, ...

Specify list of recipients (email addresses) for an encrypted or enveloped message. For certificates-only message, list of certificates to send. -

-T

Suppress content in CMS message (sign only).

-u certusage

Set type of cert usage (default is certUsageEmailSigner).

-Y ekprefnick

Specify an encryption key preference by nickname.

Usage

Encrypt Example

+          
-T
Suppress content in CMS message (sign only).
-u certusage
Set type of cert usage (default is certUsageEmailSigner).
-v
Print debugging information.
-Y ekprefnick
Specify an encryption key preference by nickname.

Usage

Encrypt Example

 cmsutil -C [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, . . ." -e envfile

Decode Example

 cmsutil -D [-i infile] [-o outfile] [-d dbdir] [-p password] [-c content] [-n] [-h num]
@@ -21,12 +21,10 @@ cmsutil -E [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,reci
 cmsutil -O [-i infile] [-o outfile] [-d dbdir] [-p password] -r "cert1,cert2, . . ."

Sign Message Example

 cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [-Y ekprefnick]
-

See also

certutil(1)

See Also

+

See also

certutil(1)

See Also

-

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.

+

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. -

LICENSE

Licensed under the Mozilla Public License, version 1.1, - and/or the GNU General Public License, version 2 or later, - and/or the GNU Lesser General Public License, version 2.1 or later. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

diff --git a/security/nss/doc/html/crlutil.html b/security/nss/doc/html/crlutil.html index 0b36ffc9fbc..3f39545e6b8 100644 --- a/security/nss/doc/html/crlutil.html +++ b/security/nss/doc/html/crlutil.html @@ -1,6 +1,6 @@ -CRLUTIL
CRLUTIL

Name

crlutil — +CRLUTIL

CRLUTIL

Name

crlutil — List, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL. -

Synopsis

crlutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Synopsis

crlutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477

Description

The Certificate Revocation List (CRL) Management Tool, crlutil, is a command-line utility that can list, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL.

The key and certificate management process generally begins with creating keys in the key database, then generating and managing certificates in the certificate database(see certutil tool) and continues with certificates expiration or revocation. @@ -58,7 +58,7 @@ Specify the output file name for new CRL. Bracket the output-file string with qu Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 - SEC_CRL_TYPE. This option is obsolete

-u url

Specify the url. -

CRL Generation script syntax

CRL generation script file has the following syntax:

+

-w pwd-string

Provide db password in command line.

-Z algorithm

Specify the hash algorithm to use for signing the CRL.

CRL Generation script syntax

CRL generation script file has the following syntax:

* Line with comments should have # as a first symbol of a line

* Set "this update" or "next update" CRL fields:

@@ -200,12 +200,10 @@ crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbpr * Import CRL from file: 

           crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B] 
-

See also

certutil(1)

See Also

+

See also

certutil(1)

See Also

-

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.

+

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. -

LICENSE

Licensed under the Mozilla Public License, version 1.1, - and/or the GNU General Public License, version 2 or later, - and/or the GNU Lesser General Public License, version 2.1 or later. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

diff --git a/security/nss/doc/html/modutil.html b/security/nss/doc/html/modutil.html index 37a6e42cdae..2d16199c4b1 100644 --- a/security/nss/doc/html/modutil.html +++ b/security/nss/doc/html/modutil.html @@ -1,4 +1,4 @@ -MODUTIL
MODUTIL

Name

modutil — Manage PKCS #11 module information within the security module database.

Synopsis

modutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +MODUTIL

MODUTIL

Name

modutil — Manage PKCS #11 module information within the security module database.

Synopsis

modutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477

Description

The Security Module Database Tool, modutil, is a command-line utility for managing PKCS #11 module information both within secmod.db files and within hardware tokens. modutil can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.

The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.

Options

Running modutil always requires one (and only one) option to specify the type of module operation. Each option may take arguments, anywhere from none to multiple arguments.

Options

-add modulename

Add the named PKCS #11 module to the database. Use this option with the -libfile, -ciphers, and -mechanisms arguments.

-changepw tokenname

Change the password on the named token. If the token has not been initialized, this option initializes the password. Use this option with the -pwfile and -newpwfile arguments. A password is equivalent to a personal identification number (PIN).

-chkfips

Verify whether the module is in the given FIPS mode. true means to verify that the module is in FIPS mode, while false means to verify that the module is not in FIPS mode.

-create

Create new certificate, key, and module databases. Use the -dbdir directory argument to specify a directory. If any of these databases already exist in a specified directory, modutil returns an error message.

-default modulename

Specify the security mechanisms for which the named module will be a default provider. The security mechanisms are specified with the -mechanisms argument.

-delete modulename

Delete the named module. The default NSS PKCS #11 module cannot be deleted.

-disable modulename

Disable all slots on the named module. Use the -slot argument to disable a specific slot.

-enable modulename

Enable all slots on the named module. Use the -slot argument to enable a specific slot.

-fips [true | false]

Enable (true) or disable (false) FIPS 140-2 compliance for the default NSS module.

-force

Disable modutil's interactive prompts so it can be run from a script. Use this option only after manually testing each planned operation to check for warnings and to ensure that bypassing the prompts will cause no security lapses or loss of database integrity.

-jar JAR-file

Add a new PKCS #11 module to the database using the named JAR file. Use this command with the -installdir and -tempdir arguments. The JAR file uses the NSS PKCS #11 JAR format to identify all the files to be installed, the module's name, the mechanism flags, and the cipher flags, as well as any files to be installed on the target machine, including the PKCS #11 module library file and other files such as documentation. This is covered in the JAR installation file section in the man page, which details the special script needed to perform an installation through a server or with modutil.

-list [modulename]

Display basic information about the contents of the secmod.db file. Specifying a modulename displays detailed information about a particular module and its slots and tokens.

-rawadd

Add the module spec string to the secmod.db database.

-rawlist

Display the module specs for a specified module or for all loadable modules.

-undefault modulename

Specify the security mechanisms for which the named module will not be a default provider. The security mechanisms are specified with the -mechanisms argument.

Arguments

MODULE

Give the security module to access.

MODULESPEC

Give the security module spec to load into the security database.

-ciphers cipher-enable-list

Enable specific ciphers in a module that is being added to the database. The cipher-enable-list is a colon-delimited list of cipher names. Enclose this list in quotation marks if it contains spaces.

-dbdir [sql:]directory

Specify the database directory in which to access or create security module database files.

modutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format.

--dbprefix prefix

Specify the prefix used on the database files, such as my_ for my_cert8.db. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.

-installdir root-installation-directory

Specify the root installation directory relative to which files will be installed by the -jar option. This directory should be one below which it is appropriate to store dynamic library files, such as a server's root directory.

-libfile library-file

Specify a path to a library file containing the implementation of the PKCS #11 interface module that is being added to the database.

-mechanisms mechanism-list

Specify the security mechanisms for which a particular module will be flagged as a default provider. The mechanism-list is a colon-delimited list of mechanism names. Enclose this list in quotation marks if it contains spaces.

The module becomes a default provider for the listed mechanisms when those mechanisms are enabled. If more than one module claims to be a particular mechanism's default provider, that mechanism's default provider is undefined.

modutil supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES, DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for random number generation), and FRIENDLY (meaning certificates are publicly readable).

-newpwfile new-password-file

Specify a text file containing a token's new or replacement password so that a password can be entered automatically with the -changepw option.

-nocertdb

Do not open the certificate or key databases. This has several effects:

  • With the -create command, only a module security file is created; certificate and key databases are not created.

  • With the -jar command, signatures on the JAR file are not checked.

  • With the -changepw command, the password on the NSS internal module cannot be set or changed, since this password is stored in the key database.

-pwfile old-password-file

Specify a text file containing a token's existing password so that a password can be entered automatically when the -changepw option is used to change passwords.

-secmod secmodname

Give the name of the security module database (like secmod.db) to load.

-slot slotname

Specify a particular slot to be enabled or disabled with the -enable or -disable options.

-string CONFIG_STRING

Pass a configuration string for the module being added to the database.

-tempdir temporary-directory

Give a directory location where temporary files are created during the installation by the -jar option. If no temporary directory is specified, the current directory is used.

Usage and Examples

Creating Database Files

Before any operations can be performed, there must be a set of security databases available. modutil can be used to create these files. The only required argument is the database that where the databases will be located.

modutil -create -dbdir [sql:]directory

Adding a Cryptographic Module

Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms. This can be done by supplying all of the information through modutil directly or by running a JAR file and install script. For the most basic case, simply upload the library:

modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list]

For example: @@ -242,9 +242,7 @@ Using the SQLite databases must be manually specified by using the

See Also

certutil (1)

pk12util (1)

signtool (1)

The NSS wiki has information on the new database design and how to configure applications to use it.

  • https://wiki.mozilla.org/NSS_Shared_DB_Howto

  • https://wiki.mozilla.org/NSS_Shared_DB -

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.

+

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. -

LICENSE

Licensed under the Mozilla Public License, version 1.1, - and/or the GNU General Public License, version 2 or later, - and/or the GNU Lesser General Public License, version 2.1 or later. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

diff --git a/security/nss/doc/html/pk12util.html b/security/nss/doc/html/pk12util.html index e13a31d9aa4..e943bad368d 100644 --- a/security/nss/doc/html/pk12util.html +++ b/security/nss/doc/html/pk12util.html @@ -1,10 +1,10 @@ -PK12UTIL
PK12UTIL

Name

pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database

Synopsis

pk12util [-i p12File [-h tokenname] [-v] [common-options] ] [ +PK12UTIL

PK12UTIL

Name

pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database

Synopsis

pk12util [-i p12File [-h tokenname] [-v] [common-options] ] [ -l p12File [-h tokenname] [-r] [common-options] ] [ -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [common-options] ] [ common-options are: [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] - ]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 + ]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477

Description

The PKCS #12 utility, pk12util, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys.

Options and Arguments

Options

-i p12file

Import keys and certificates from a PKCS#12 file into a security database.

-l p12file

List the keys and certificates in PKCS#12 file.

-o p12file

Export keys and certificates from the security database to a PKCS#12 file.

Arguments

-n certname

Specify the nickname of the cert and private key to export.

-d [sql:]directory

Specify the database directory into which to import to or export from certificates and keys.

pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format.

-P prefix

Specify the prefix used on the certificate and key databases. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.

-h tokenname

Specify the name of the token to import into or export from.

-v

Enable debug logging when importing.

-k slotPasswordFile

Specify the text file containing the slot's password.

-K slotPassword

Specify the slot's password.

-w p12filePasswordFile

Specify the text file containing the pkcs #12 file password.

-W p12filePassword

Specify the pkcs #12 file password.

-c keyCipher

Specify the key encryption algorithm.

-C certCipher

Specify the key cert (overall package) encryption algorithm.

-m | --key-len keyLength

Specify the desired length of the symmetric key to be used to encrypt the private key.

-n | --cert-key-len certKeyLength

Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.

-r

Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.

Return Codes

  • 0 - No error

  • 1 - User Cancelled

  • 2 - Usage error

  • 6 - NLS init error

  • 8 - Certificate DB open error

  • 9 - Key DB open error

  • 10 - File initialization error

  • 11 - Unicode conversion error

  • 12 - Temporary file creation error

  • 13 - PKCS11 get slot error

  • 14 - PKCS12 decoder start error

  • 15 - error read from import file

  • 16 - pkcs12 decode error

  • 17 - pkcs12 decoder verify error

  • 18 - pkcs12 decoder validate bags error

  • 19 - pkcs12 decoder import bags error

  • 20 - key db conversion version 3 to version 2 error

  • 21 - cert db conversion version 7 to version 5 error

  • 22 - cert and key dbs patch error

  • 23 - get default cert db error

  • 24 - find cert by nickname error

  • 25 - create export context error

  • 26 - PKCS12 add password itegrity error

  • 27 - cert and key Safes creation error

  • 28 - PKCS12 add cert and key error

  • 29 - PKCS12 encode error

Examples

Importing Keys and Certificates

The most basic usage of pk12util for importing a certificate or key is the PKCS#12 input file (-i) and some way to specify the security database being accessed (either -d for a directory or -h for a token). 

pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]

For example:

# pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
@@ -74,9 +74,7 @@ Using the SQLite databases must be manually specified by using the 
See Also
certutil (1)
modutil (1)
The NSS wiki has information on the new database design and how to configure applications to use it.
  • 
 			https://wiki.mozilla.org/NSS_Shared_DB_Howto
  • 
 			https://wiki.mozilla.org/NSS_Shared_DB
-

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.

+

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. -

LICENSE

Licensed under the Mozilla Public License, version 1.1, - and/or the GNU General Public License, version 2 or later, - and/or the GNU Lesser General Public License, version 2.1 or later. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

diff --git a/security/nss/doc/html/pp.html b/security/nss/doc/html/pp.html index b613520ad42..e03902f310a 100644 --- a/security/nss/doc/html/pp.html +++ b/security/nss/doc/html/pp.html @@ -1,9 +1,7 @@ -PP
PP

Name

pp — Prints certificates, keys, crls, and pkcs7 files

Synopsis

pp -t type [-a] [-i input] [-o output]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -

Description

pp pretty-prints private and public key, certificate, certificate-request, +PP

PP

Name

pp — Prints certificates, keys, crls, and pkcs7 files

Synopsis

pp -t type [-a] [-i input] [-o output]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

pp pretty-prints private and public key, certificate, certificate-request, pkcs7 or crl files -

Options

-t type

specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}

-a
Input is in ascii encoded form (RFC1113)
-i inputfile
Define an input file to use (default is stdin)
-u outputfile
Define an output file to use (default is stdout)

Additional Resources

NSS is maintained in conjunction with PKI and security-related projects through Mozilla dn Fedora. The most closely-related project is Dogtag PKI, with a project wiki at PKI Wiki.

For information specifically about NSS, the NSS project wiki is located at Mozilla NSS site. The NSS site relates directly to NSS code changes and releases.

Mailing lists: pki-devel@redhat.com and pki-users@redhat.com

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.

+

Options

-t type

specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}

-a
Input is in ascii encoded form (RFC1113)
-i inputfile
Define an input file to use (default is stdin)
-u outputfile
Define an output file to use (default is stdout)

Additional Resources

NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at PKI Wiki.

For information specifically about NSS, the NSS project wiki is located at Mozilla NSS site. The NSS site relates directly to NSS code changes and releases.

Mailing lists: pki-devel@redhat.com and pki-users@redhat.com

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. -

LICENSE

Licensed under the Mozilla Public License, version 1.1, - and/or the GNU General Public License, version 2 or later, - and/or the GNU Lesser General Public License, version 2.1 or later. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

diff --git a/security/nss/doc/html/signtool.html b/security/nss/doc/html/signtool.html index 8d762139a1c..9fb932c38b1 100644 --- a/security/nss/doc/html/signtool.html +++ b/security/nss/doc/html/signtool.html @@ -1,4 +1,4 @@ -signtool
signtool

Name

signtool — Digitally sign objects and files.

Synopsis

signtool [-k keyName] [[-h]] [[-H]] [[-l]] [[-L]] [[-M]] [[-v]] [[-w]] [[-G nickname]] [[--keysize | -s size]] [[-b basename]] [[-c Compression Level] ] [[-d cert-dir] ] [[-i installer script] ] [[-m metafile] ] [[-x name] ] [[-f filename] ] [[-t|--token tokenname] ] [[-e extension] ] [[-o] ] [[-z] ] [[-X] ] [[--outfile] ] [[--verbose value] ] [[--norecurse] ] [[--leavearc] ] [[-j directory] ] [[-Z jarfile] ] [[-O] ] [[-p password] ] [directory-tree] [archive]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +signtool

signtool

Name

signtool — Digitally sign objects and files.

Synopsis

signtool [-k keyName] [[-h]] [[-H]] [[-l]] [[-L]] [[-M]] [[-v]] [[-w]] [[-G nickname]] [[--keysize | -s size]] [[-b basename]] [[-c Compression Level] ] [[-d cert-dir] ] [[-i installer script] ] [[-m metafile] ] [[-x name] ] [[-f filename] ] [[-t|--token tokenname] ] [[-e extension] ] [[-o] ] [[-z] ] [[-X] ] [[--outfile] ] [[--verbose value] ] [[--norecurse] ] [[--leavearc] ] [[-j directory] ] [[-Z jarfile] ] [[-O] ] [[-p password] ] [directory-tree] [archive]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477

Description

The Signing Tool, signtool, creates digital signatures and uses a Java Archive (JAR) file to associate the signatures with files in a directory. Electronic software distribution over any network involves potential security problems. To help address some of these problems, you can associate digital signatures with the files in a JAR archive. Digital signatures allow SSL-enabled clients to perform two important operations:

* Confirm the identity of the individual, company, or other entity whose digital signature is associated with the files

* Check whether the files have been tampered with since being signed

If you have a signing certificate, you can use Netscape Signing Tool to digitally sign files and package them as a JAR file. An object-signing certificate is a special kind of certificate that allows you to associate your digital signature with one or more files.

An individual file can potentially be signed with multiple digital signatures. For example, a commercial software developer might sign the files that constitute a software product to prove that the files are indeed from a particular company. A network administrator manager might sign the same files with an additional digital signature based on a company-generated certificate to indicate that the product is approved for use within the company.

The significance of a digital signature is comparable to the significance of a handwritten signature. Once you have signed a file, it is difficult to claim later that you didn't sign it. In some situations, a digital signature may be considered as legally binding as a handwritten signature. Therefore, you should take great care to ensure that you can stand behind any file you sign and distribute.

For example, if you are a software developer, you should test your code to make sure it is virus-free before signing it. Similarly, if you are a network administrator, you should make sure, before signing any code, that it comes from a reliable source and will run correctly with the software installed on the machines to which you are distributing it.

Before you can use Netscape Signing Tool to sign files, you must have an object-signing certificate, which is a special certificate whose associated private key is used to create digital signatures. For testing purposes only, you can create an object-signing certificate with Netscape Signing Tool 1.3. When testing is finished and you are ready to disitribute your software, you should obtain an object-signing certificate from one of two kinds of sources:

* An independent certificate authority (CA) that authenticates your identity and charges you a fee. You typically get a certificate from an independent CA if you want to sign software that will be distributed over the Internet.

* CA server software running on your corporate intranet or extranet. Netscape Certificate Management System provides a complete management solution for creating, deploying, and managing certificates, including CAs that issue object-signing certificates.

You must also have a certificate for the CA that issues your signing certificate before you can sign files. If the certificate authority's certificate isn't already installed in your copy of Communicator, you typically install it by clicking the appropriate link on the certificate authority's web site, for example on the page from which you initiated enrollment for your signing certificate. This is the case for some test certificates, as well as certificates issued by Netscape Certificate Management System: you must download the the CA certificate in addition to obtaining your own signing certificate. CA certificates for several certificate authorities are preinstalled in the Communicator certificate database.

When you receive an object-signing certificate for your own use, it is automatically installed in your copy of the Communicator client software. Communicator supports the public-key cryptography standard known as PKCS #12, which governs key portability. You can, for example, move an object-signing certificate and its associated private key from one computer to another on a credit-card-sized device called a smart card.

Options

-b basename

Specifies the base filename for the .rsa and .sf files in the META-INF directory to conform with the JAR format. For example, -b signatures causes the files to be named signatures.rsa and signatures.sf. The default is signtool.

-c#

Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes. @@ -278,9 +278,7 @@ token: Communicator Certificate DB -----------------------------------------------

See Also

signver (1)

The NSS wiki has information on the new database design and how to configure applications to use it.

  • https://wiki.mozilla.org/NSS_Shared_DB_Howto

  • https://wiki.mozilla.org/NSS_Shared_DB -

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.

+

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. -

LICENSE

Licensed under the Mozilla Public License, version 1.1, - and/or the GNU General Public License, version 2 or later, - and/or the GNU Lesser General Public License, version 2.1 or later. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

diff --git a/security/nss/doc/html/signver.html b/security/nss/doc/html/signver.html index 7af22ce2e6f..4f0a9c3c6f5 100644 --- a/security/nss/doc/html/signver.html +++ b/security/nss/doc/html/signver.html @@ -1,7 +1,7 @@ -SIGNVER
SIGNVER

Name

signver — Verify a detached PKCS#7 signature for a file.

Synopsis

signtool -A | -V -d directory [-a] [-i input_file] [-o output_file] [-s signature_file] [-v]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -

Description

The Signature Verification Tool, signver, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.

Options

-A

Displays all of the information in the PKCS#7 signature.

-V

Verifies the digital signature.

-d [sql:]directory

Specify the database directory which contains the certificates and keys.

signver supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format.

-a

Sets that the given signature file is in ASCII format.

-i input_file

Gives the input file for the object with signed data.

-o output_file

Gives the output file to which to write the results.

-s signature_file

Gives the input file for the digital signature.

-v

Enables verbose output.

Extended Examples

Verifying a Signature

The -V option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).

signver -V -s signature_file -i signed_file -d sql:/home/my/sharednssdb
+SIGNVER
SIGNVER
Name
signver — Verify a detached PKCS#7 signature for a file.
Synopsis
signtool    -A  |   -V    -d directory  [-a] [-i input_file] [-o output_file] [-s signature_file] [-v]
STATUS
This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477
+    
Description
The Signature Verification Tool, signver, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.
Options
-A
Displays all of the information in the PKCS#7 signature.
-V
Verifies the digital signature.
-d [sql:]directory
Specify the database directory which contains the certificates and keys.
signver supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format.
-a
Sets that the given signature file is in ASCII format.
-i input_file
Gives the input file for the object with signed data.
-o output_file
Gives the output file to which to write the results.
-s signature_file
Gives the input file for the digital signature.
-v
Enables verbose output.
Extended Examples
Verifying a Signature
The -V option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).
signver -V -s signature_file -i signed_file -d sql:/home/my/sharednssdb
 
-signatureValid=yes
Printing Signature Data

+signatureValid=yes

Printing Signature Data

The -A option prints all of the information contained in a signature file. Using the -o option prints the signature file information to the given output file rather than stdout. 

signver -A -s signature_file -o output_file

NSS Database Types

NSS originally used BerkeleyDB databases to store security information. The last versions of these legacy databases are:

  • @@ -27,9 +27,7 @@ Using the SQLite databases must be manually specified by using the

    Additional Resources

    For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

    Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

    IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.

+

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. -

LICENSE

Licensed under the Mozilla Public License, version 1.1, - and/or the GNU General Public License, version 2 or later, - and/or the GNU Lesser General Public License, version 2.1 or later. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

diff --git a/security/nss/doc/html/ssltap.html b/security/nss/doc/html/ssltap.html index 48b77920b4c..a3e9b911308 100644 --- a/security/nss/doc/html/ssltap.html +++ b/security/nss/doc/html/ssltap.html @@ -1,4 +1,4 @@ -SSLTAP
SSLTAP

Name

ssltap — Tap into SSL connections and display the data going by

Synopsis

libssltap [-vhfsxl] [-p port] [hostname:port]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +SSLTAP

SSLTAP

Name

ssltap — Tap into SSL connections and display the data going by

Synopsis

libssltap [-vhfsxl] [-p port] [hostname:port]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477

Description

The SSL Debugging Tool ssltap is an SSL-aware command-line proxy. It watches TCP connections and displays the data going by. If a connection is SSL, the data display includes interpreted SSL records and handshaking

Options

-v

Print a version string for the tool.

-h

Turn on hex/ASCII printing. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters. The two parts are separated by a vertical bar. Nonprinting characters are replaced by dots.

-f

@@ -414,9 +414,7 @@ If you run the tool on a machine other than the SSL server to which you are tryi the browser will complain that the host name you are trying to connect to is different from the certificate. If you are using the default BadCert callback, you can still connect through a dialog. If you are not using the default BadCert callback, the one you supply must allow for this possibility. -

See Also

The NSS Security Tools are also documented at http://www.mozilla.org/projects/security/pki/nss/.

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.

+

See Also

The NSS Security Tools are also documented at http://www.mozilla.org/projects/security/pki/nss/.

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. -

LICENSE

Licensed under the Mozilla Public License, version 1.1, - and/or the GNU General Public License, version 2 or later, - and/or the GNU Lesser General Public License, version 2.1 or later. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

diff --git a/security/nss/doc/html/vfychain.html b/security/nss/doc/html/vfychain.html index d33003fbacb..6d62b9ad3b8 100644 --- a/security/nss/doc/html/vfychain.html +++ b/security/nss/doc/html/vfychain.html @@ -1,4 +1,4 @@ -VFYCHAIN
VFYCHAIN

Name

vfychain — vfychain [options] [revocation options] certfile [[options] certfile] ...

Synopsis

vfychain

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +VFYCHAIN

VFYCHAIN

Name

vfychain — vfychain [options] [revocation options] certfile [[options] certfile] ...

Synopsis

vfychain

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477

Description

The verification Tool, vfychain, verifies certificate chains. modutil can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.

The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.

Options

-a
the following certfile is base64 encoded
-b YYMMDDHHMMZ
Validate date (default: now)
-d directory
database directory
-f
Enable cert fetching from AIA URL
-o oid
Set policy OID for cert validation(Format OID.1.2.3)
-p

Use PKIX Library to validate certificate by calling:

* CERT_VerifyCertificate if specified once,

* CERT_PKIXVerifyCert if specified twice and more.

-r
Following certfile is raw binary DER (default)
-t
Following cert is explicitly trusted (overrides db trust)
-u usage

0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, 4=Email signer, 5=Email recipient, 6=Object signer, @@ -20,9 +20,7 @@

-s method flags
Sets revocation flags for the method it follows. Possible types are "doNotUse", "forbidFetching", "ignoreDefaultSrc", "requireInfo" and "failIfNoInfo". -

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.

+

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. -

LICENSE

Licensed under the Mozilla Public License, version 1.1, - and/or the GNU General Public License, version 2 or later, - and/or the GNU Lesser General Public License, version 2.1 or later. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

diff --git a/security/nss/doc/html/vfyserv.html b/security/nss/doc/html/vfyserv.html index 331cf81ead4..e7cef7a6676 100644 --- a/security/nss/doc/html/vfyserv.html +++ b/security/nss/doc/html/vfyserv.html @@ -1,7 +1,5 @@ -VFYSERV
VFYSERV

Name

vfyserv — TBD

Synopsis

vfyserv

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -

Description

The vfyserv tool verifies a certificate chain

Options

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.

+VFYSERV

VFYSERV

Name

vfyserv — TBD

Synopsis

vfyserv

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

The vfyserv tool verifies a certificate chain

Options

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. -

LICENSE

Licensed under the Mozilla Public License, version 1.1, - and/or the GNU General Public License, version 2 or later, - and/or the GNU Lesser General Public License, version 2.1 or later. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

diff --git a/security/nss/doc/nroff/certutil.1 b/security/nss/doc/nroff/certutil.1 index 1e1331d1086..3ee702b8ecc 100644 --- a/security/nss/doc/nroff/certutil.1 +++ b/security/nss/doc/nroff/certutil.1 @@ -1,13 +1,13 @@ '\" t .\" Title: CERTUTIL .\" Author: [see the "Authors" section] -.\" Generator: DocBook XSL Stylesheets v1.77.1 -.\" Date: 15 February 2013 +.\" Generator: DocBook XSL Stylesheets v1.78.1 +.\" Date: 19 July 2013 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "CERTUTIL" "1" "15 February 2013" "nss-tools" "NSS Security Tools" +.TH "CERTUTIL" "1" "19 July 2013" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -28,7 +28,7 @@ .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" -certutil \- Manage keys and certificate in the the NSS database\&. +certutil \- Manage keys and certificate in both NSS databases and other NSS tokens .SH "SYNOPSIS" .HP \w'\fBcertutil\fR\ 'u \fBcertutil\fR [\fIoptions\fR] [[\fIarguments\fR]] @@ -39,23 +39,21 @@ This documentation is still work in progress\&. Please contribute to the initial .SH "DESCRIPTION" .PP The Certificate Database Tool, -\fBcertutil\fR, is a command\-line utility that manages certs and keys in both NSS databases and other NSS tokens (such as smart cards)\&. It can specifically list, generate, modify, or delete certificates within the database, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database\&. +\fBcertutil\fR, is a command\-line utility that can create and modify certificate and key databases\&. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database\&. .PP -The key and certificate management process generally includes certificate issuance once keys and certificates have been created in the key database\&. This document discusses certificate and key database management\&. For information security module database management, see the +Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database\&. This document discusses certificate and key database management\&. For information on the security module database management, see the \fBmodutil\fR manpage\&. -.SH "OPTIONS AND ARGUMENTS" +.SH "COMMAND OPTIONS AND ARGUMENTS" .PP Running \fBcertutil\fR -always requires one and only one option to specify the type of certificate operation\&. Each option may take arguments, anywhere from none to multiple arguments\&. Run the command option and +always requires one and only one command option to specify the type of certificate operation\&. Each command option may take zero or more arguments\&. The command option \fB\-H\fR -to see the arguments available for each command option\&. +will list all the command options and their relevant arguments\&. .PP \fBCommand Options\fR .PP -Command options are typically upper case\&. -.PP \-A .RS 4 Add an existing certificate to a certificate database\&. The certificate database should already exist; if one is not present, this command option will initialize one by default\&. @@ -102,12 +100,12 @@ When you delete keys, be sure to also remove any certificates associated with th .PP \-G .RS 4 -Generate a new public and private key pair within a key database\&. The key database should already exist; if one is not present, this option will initialize one by default\&. Some smart cards can store only one key pair\&. If you create a new key pair for such a card, the previous pair is overwritten\&. +Generate a new public and private key pair within a key database\&. The key database should already exist; if one is not present, this command option will initialize one by default\&. Some smart cards can store only one key pair\&. If you create a new key pair for such a card, the previous pair is overwritten\&. .RE .PP \-H .RS 4 -Display a list of the command options and arguments used by the Certificate Database Tool\&. +Display a list of the command options and arguments\&. .RE .PP \-K @@ -167,11 +165,7 @@ Change the password to a key database\&. .PP \-\-merge .RS 4 -Merge a source database into the target database\&. This is used to merge legacy NSS databases (cert8\&.db -and -key3\&.db) into the newer SQLite databases (cert9\&.db -and -key4\&.db)\&. +Merge two databases into one\&. .RE .PP \-\-upgrade\-merge @@ -223,9 +217,7 @@ supports two types of databases: the legacy security databases (cert8\&.db, key3\&.db, and secmod\&.db) and new SQLite databases (cert9\&.db, key4\&.db, and -pkcs11\&.txt)\&. If the prefix -\fBsql:\fR -is not used, then the tool assumes that the given databases are in the old format\&. +pkcs11\&.txt)\&. .sp NSS recognizes the following prefixes: .sp @@ -237,7 +229,7 @@ NSS recognizes the following prefixes: .sp -1 .IP \(bu 2.3 .\} -\fBsql: explicitly requests the newer database\fR +\fBsql: requests the newer database\fR .RE .sp .RS 4 @@ -248,19 +240,10 @@ NSS recognizes the following prefixes: .sp -1 .IP \(bu 2.3 .\} -\fBdbm: explicitly requests the older database\fR +\fBdbm: requests the legacy database\fR .RE .sp -.RS 4 -.ie n \{\ -\h'-04'\(bu\h'+03'\c -.\} -.el \{\ -.sp -1 -.IP \(bu 2.3 -.\} -\fBextern: explicitly reserved for future use\fR -.RE +If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE\&. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default\&. .RE .PP \-e @@ -280,7 +263,7 @@ Set a key size to use when generating new public and private key pairs\&. The mi .PP \-h tokenname .RS 4 -Specify the name of a token to use or act on\&. Unless specified otherwise the default token is an internal slot\&. +Specify the name of a token to use or act on\&. If not specified the default token is the internal database slot\&. .RE .PP \-i input_file @@ -288,18 +271,11 @@ Specify the name of a token to use or act on\&. Unless specified otherwise the d Pass an input file to the command\&. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands\&. .RE .PP -\-k rsa|dsa|ec|all -.RS 4 -Specify the type of a key\&. The valid options are RSA, DSA, ECC, or all\&. The default value is rsa\&. Specifying the type of key can avoid mistakes caused by duplicate nicknames\&. -.RE -.PP \-k key\-type\-or\-id .RS 4 Specify the type or specific ID of a key\&. .sp -The valid key type options are RSA, DSA, ECC, or all\&. The default value is rsa\&. Specifying the type of key can avoid mistakes caused by duplicate nicknames\&. Giving a key type generates a new key pair; giving the ID of an existing key reuses that key pair (which is required to renew certificates)\&. -.sp -The valid key type options are RSA, DSA, ECC, or all\&. The default value is rsa\&. Specifying the type of key can avoid mistakes caused by duplicate nicknames\&. Giving a key type generates a new key pair; giving the ID of an existing key reuses that key pair (which is required to renew certificates)\&. +The valid key type options are rsa, dsa, ec, or all\&. The default value is rsa\&. Specifying the type of key can avoid mistakes caused by duplicate nicknames\&. Giving a key type generates a new key pair; giving the ID of an existing key reuses that key pair (which is required to renew certificates)\&. .RE .PP \-l @@ -367,7 +343,6 @@ for each trust setting\&. In each category position, use none, any, or all of th .sp -1 .IP \(bu 2.3 .\} - \fBp\fR \- Valid peer .RE @@ -380,7 +355,6 @@ for each trust setting\&. In each category position, use none, any, or all of th .sp -1 .IP \(bu 2.3 .\} - \fBP\fR \- Trusted peer (implies p) .RE @@ -393,7 +367,6 @@ for each trust setting\&. In each category position, use none, any, or all of th .sp -1 .IP \(bu 2.3 .\} - \fBc\fR \- Valid CA .RE @@ -406,7 +379,6 @@ for each trust setting\&. In each category position, use none, any, or all of th .sp -1 .IP \(bu 2.3 .\} - \fBT\fR \- Trusted CA (implies c) .RE @@ -419,9 +391,8 @@ for each trust setting\&. In each category position, use none, any, or all of th .sp -1 .IP \(bu 2.3 .\} - \fBC\fR -\- rusted CA for client authentication (ssl server only) +\- trusted CA for client authentication (ssl server only) .RE .sp .RS 4 @@ -432,7 +403,6 @@ for each trust setting\&. In each category position, use none, any, or all of th .sp -1 .IP \(bu 2.3 .\} - \fBu\fR \- user .RE @@ -930,6 +900,21 @@ Add the Inhibit Any Policy Access extension to the certificate\&. X\&.509 certif Add the Subject Key ID extension to the certificate\&. X\&.509 certificate extensions are described in RFC 5280\&. .RE .PP +\-\-extNC +.RS 4 +Add a Name Constraint extension to the certificate\&. X\&.509 certificate extensions are described in RFC 5280\&. +.RE +.PP +\-\-keyAttrFlags attrflags +.RS 4 +PKCS #11 key Attributes\&. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable} +.RE +.PP +\-\-keyFlagsOn opflags, \-\-keyFlagsOff opflags +.RS 4 +PKCS #11 key Operation Flags\&. Comma separated list of one or more of the following: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable} +.RE +.PP \-\-source\-dir certdir .RS 4 Identify the certificate database directory to upgrade\&. @@ -1035,7 +1020,6 @@ command options requires four arguments: .sp -1 .IP \(bu 2.3 .\} - \fB\-k\fR to specify either the key type to generate or, when renewing a certificate, the existing key pair to use .RE @@ -1048,7 +1032,6 @@ to specify either the key type to generate or, when renewing a certificate, the .sp -1 .IP \(bu 2.3 .\} - \fB\-g\fR to set the keysize of the key to generate .RE @@ -1061,7 +1044,6 @@ to set the keysize of the key to generate .sp -1 .IP \(bu 2.3 .\} - \fB\-s\fR to set the subject name of the certificate .RE @@ -1074,7 +1056,6 @@ to set the subject name of the certificate .sp -1 .IP \(bu 2.3 .\} - \fB\-d\fR to give the security database directory .RE @@ -1087,28 +1068,10 @@ For example: .RS 4 .\} .nf -$ certutil \-R \-k ec \-q nistb409 \-g 512 \-s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" \-d sql:/home/my/sharednssdb \-p 650\-555\-0123 \-a \-o cert\&.cer +$ certutil \-R \-k rsa \-g 1024 \-s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" \-d sql:$HOME/nssdb \-p 650\-555\-0123 \-a \-o cert\&.cer Generating key\&. This may take a few moments\&.\&.\&. - -Certificate request generated by Netscape -Phone: 650\-555\-0123 -Common Name: John Smith -Email: (not ed) -Organization: Example Corp -State: California -Country: US - -\-\-\-\-\-BEGIN NEW CERTIFICATE REQUEST\-\-\-\-\- -MIIBIDCBywIBADBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW -MBQGA1UEBxMNTW91bnRhaW4gVmlldzEVMBMGA1UEChMMRXhhbXBsZSBDb3JwMRMw -EQYDVQQDEwpKb2huIFNtaXRoMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ -KmHnOx7reP8Cc0Lk+fFWEuYIDX9W5K/BioQOKvEjXyQZhit9aThzBVMoSf1Y1S8J -CzdUbCg1+IbnXaECAwEAAaAAMA0GCSqGSIb3DQEBBQUAA0EAryqZvpYrUtQ486Ny -qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB -1hP9Gg== -\-\-\-\-\-END NEW CERTIFICATE REQUEST\-\-\-\-\- .fi .if n \{\ .RE @@ -1134,7 +1097,7 @@ $ certutil \-S \-k rsa|dsa|ec \-n certname \-s subject [\-c issuer |\-x] \-t tru .PP The series of numbers and \fB\-\-ext*\fR -options set certificate extensions that can be added to the certificate when it is generated by the CA\&. +options set certificate extensions that can be added to the certificate when it is generated by the CA\&. Interactive prompts will result\&. .PP For example, this creates a self\-signed certificate: .sp @@ -1148,6 +1111,8 @@ $ certutil \-S \-s "CN=Example CA" \-n my\-ca\-cert \-x \-t "C,C,C" \-1 \-2 \-5 .RE .\} .PP +The interative prompts for key usage and whether any extensions are critical and responses have been ommitted for brevity\&. +.PP From there, new certificates can reference the self\-signed certificate: .sp .if n \{\ @@ -1184,35 +1149,7 @@ For example: .RS 4 .\} .nf -$ certutil \-C \-c "my\-ca\-cert" \-i /home/certs/cert\&.req \-o cert\&.cer \-m 010 \-v 12 \-w 1 \-d sql:/home/my/sharednssdb \-1 nonRepudiation,dataEncipherment \-5 sslClient \-6 clientAuth \-7 jsmith@example\&.com -.fi -.if n \{\ -.RE -.\} -.PP -\fBGenerating Key Pairs\fR -.PP -Key pairs are generated automatically with a certificate request or certificate, but they can also be generated independently using the -\fB\-G\fR -command option\&. -.sp -.if n \{\ -.RS 4 -.\} -.nf -certutil \-G \-d [sql:]directory | \-h tokenname \-k key\-type \-g key\-size [\-y exponent\-value] \-q pqgfile|curve\-name -.fi -.if n \{\ -.RE -.\} -.PP -For example: -.sp -.if n \{\ -.RS 4 -.\} -.nf -$ certutil \-G \-h lunasa \-k ec \-g 256 \-q sect193r2 +$ certutil \-C \-c "my\-ca\-cert" \-i /home/certs/cert\&.req \-o cert\&.cer \-m 010 \-v 12 \-w 1 \-d sql:$HOME/nssdb \-1 nonRepudiation,dataEncipherment \-5 sslClient \-6 clientAuth \-7 jsmith@example\&.com .fi .if n \{\ .RE @@ -1254,30 +1191,94 @@ argument prints the certificate in ASCII format: .RS 4 .\} .nf -$ certutil \-L \-d sql:/home/my/sharednssdb \-a \-n "Certificate Authority \- Example Domain" - +$ certutil \-L \-d sql:$HOME/nssdb \-a \-n my\-ca\-cert \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- -MIIDmTCCAoGgAwIBAgIBATANBgkqhkiG9w0BAQUFADA5MRcwFQYDVQQKEw5FeGFt -cGxlIERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEw -MDQyOTIxNTY1OFoXDTEyMDQxODIxNTY1OFowOTEXMBUGA1UEChMORXhhbXBsZSBE -b21haW4xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZI -hvcNAQEBBQADggEPADCCAQoCggEBAO/bqUli2KwqXFKmMMG93KN1SANzNTXA/Vlf -Tmrih3hQgjvR1ktIY9aG6cB7DSKWmtHp/+p4PUCMqL4ZrSGt901qxkePyZ2dYmM2 -RnelK+SEUIPiUtoZaDhNdiYsE/yuDE8vQWj0vHCVL0w72qFUcSQ/WZT7FCrnUIUI -udeWnoPSUn70gLhcj/lvxl7K9BHyD4Sq5CzktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2 -bP4iRMfloGqsxGuB1evWVDF1haGpFDSPgMnEPSLg3/3dXn+HDJbZ29EU8/xKzQEb -3V0AHKbu80zGllLEt2Zx/WDIrgJEN9yMfgKFpcmL+BvIRsmh0VsCAwEAAaOBqzCB -qDAfBgNVHSMEGDAWgBQATgxHQyRUfKIZtdp55bZlFr+tFzAPBgNVHRMBAf8EBTAD -AQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/ -rRcwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUFBzABhilodHRwOi8vbG9jYWxob3N0 -LmxvY2FsZG9tYWluOjkxODAvY2Evb2NzcDANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk -L3XO43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3KROLWeKVZZZa2E2Hnsvf2uXbk5amKe -lRxdSeRH9g85pv4KY7Z8xZ71NrI3+K3uwmnqkc6t0hhYb1mw/gx8OAAoluQx3biX -JBDxjI73Cf7XUopplHBjjiwyGIJUO8BEZJ5L+TF4P38MJz1snLtzZpEAX5bl0U76 -bfu/tZFWBbE8YAWYtkCtMcalBPj6jn2WD3M01kGozW4mmbvsj1cRB9HnsGsqyHCu -U0ujlL1H/RWcjn607+CTeKH9jLMUqCIqPJNOa+kq/6F7NhNRRiuzASIbZc30BZ5a -nI7q5n1USM3eWQlVXw== +MIIB1DCCAT2gAwIBAgICDkIwDQYJKoZIhvcNAQEFBQAwFTETMBEGA1UEAxMKRXhh +bXBsZSBDQTAeFw0xMzAzMTMxOTEwMjlaFw0xMzA2MTMxOTEwMjlaMBUxEzARBgNV +BAMTCkV4YW1wbGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ4Kzqvz +JyBVgFqDXRYSyTBNw1DrxUU/3GvWA/ngjAwHEv0Cul/6sO/gsCvnABHiH6unns6x +XRzPORlC2WY3gkk7vmlsLvYpyecNazAi/NAwVnU/66HOsaoVFWE+gBQo99UrN2yk +0BiK/GMFlLm5dXQROgA9ZKKyFdI0LIXtf6SbAgMBAAGjMzAxMBEGCWCGSAGG+EIB +AQQEAwIHADAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B +AQUFAAOBgQA6chkzkACN281d1jKMrc+RHG2UMaQyxiteaLVZO+Ro1nnRUvseDf09 +XKYFwPMJjWCihVku6bw/ihZfuMHhxK22Nue6inNQ6eDu7WmrqL8z3iUrQwxs+WiF +ob2rb8XRVVJkzXdXxlk4uo3UtNvw8sAz7sWD71qxKaIHU5q49zijfg== \-\-\-\-\-END CERTIFICATE\-\-\-\-\- +.fi +.if n \{\ +.RE +.\} +.PP +For a human\-readable display +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-L \-d sql:$HOME/nssdb \-n my\-ca\-cert +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3650 (0xe42) + Signature Algorithm: PKCS #1 SHA\-1 With RSA Encryption + Issuer: "CN=Example CA" + Validity: + Not Before: Wed Mar 13 19:10:29 2013 + Not After : Thu Jun 13 19:10:29 2013 + Subject: "CN=Example CA" + Subject Public Key Info: + Public Key Algorithm: PKCS #1 RSA Encryption + RSA Public Key: + Modulus: + 9e:0a:ce:ab:f3:27:20:55:80:5a:83:5d:16:12:c9:30: + 4d:c3:50:eb:c5:45:3f:dc:6b:d6:03:f9:e0:8c:0c:07: + 12:fd:02:ba:5f:fa:b0:ef:e0:b0:2b:e7:00:11:e2:1f: + ab:a7:9e:ce:b1:5d:1c:cf:39:19:42:d9:66:37:82:49: + 3b:be:69:6c:2e:f6:29:c9:e7:0d:6b:30:22:fc:d0:30: + 56:75:3f:eb:a1:ce:b1:aa:15:15:61:3e:80:14:28:f7: + d5:2b:37:6c:a4:d0:18:8a:fc:63:05:94:b9:b9:75:74: + 11:3a:00:3d:64:a2:b2:15:d2:34:2c:85:ed:7f:a4:9b + Exponent: 65537 (0x10001) + Signed Extensions: + Name: Certificate Type + Data: none + + Name: Certificate Basic Constraints + Data: Is a CA with no maximum path length\&. + + Name: Certificate Key Usage + Critical: True + Usages: Certificate Signing + + Signature Algorithm: PKCS #1 SHA\-1 With RSA Encryption + Signature: + 3a:72:19:33:90:00:8d:db:cd:5d:d6:32:8c:ad:cf:91: + 1c:6d:94:31:a4:32:c6:2b:5e:68:b5:59:3b:e4:68:d6: + 79:d1:52:fb:1e:0d:fd:3d:5c:a6:05:c0:f3:09:8d:60: + a2:85:59:2e:e9:bc:3f:8a:16:5f:b8:c1:e1:c4:ad:b6: + 36:e7:ba:8a:73:50:e9:e0:ee:ed:69:ab:a8:bf:33:de: + 25:2b:43:0c:6c:f9:68:85:a1:bd:ab:6f:c5:d1:55:52: + 64:cd:77:57:c6:59:38:ba:8d:d4:b4:db:f0:f2:c0:33: + ee:c5:83:ef:5a:b1:29:a2:07:53:9a:b8:f7:38:a3:7e + Fingerprint (MD5): + 86:D8:A5:8B:8A:26:BE:9E:17:A8:7B:66:10:6B:27:80 + Fingerprint (SHA1): + 48:78:09:EF:C5:D4:0C:BD:D2:64:45:59:EB:03:13:15:F7:A9:D6:F7 + + Certificate Trust Flags: + SSL Flags: + Valid CA + Trusted CA + User + Email Flags: + Valid CA + Trusted CA + User + Object Signing Flags: + Valid CA + Trusted CA + User + .fi .if n \{\ .RE @@ -1297,7 +1298,7 @@ argument to give the path to the directory\&. .RS 4 .\} .nf -$ certutil \-K \-d sql:/home/my/sharednssdb +$ certutil \-K \-d sql:$HOME/nssdb certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services " < 0> rsa 455a6673bde9375c2887ec8bf8016b3f9f35861d Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID < 1> rsa 40defeeb522ade11090eacebaaf1196a172127df Example Domain Administrator Cert @@ -1318,8 +1319,7 @@ There are ways to narrow the keys listed in the search results: .IP \(bu 2.3 .\} To return a specific key, use the -\fB\-n\fR -\fIname\fR +\fB\-n\fR\fIname\fR argument with the name of the key\&. .RE .sp @@ -1332,8 +1332,7 @@ argument with the name of the key\&. .IP \(bu 2.3 .\} If there are multiple security devices loaded, then the -\fB\-h\fR -\fItokenname\fR +\fB\-h\fR\fItokenname\fR argument can search a specific token or all tokens\&. .RE .sp @@ -1346,8 +1345,7 @@ argument can search a specific token or all tokens\&. .IP \(bu 2.3 .\} If there are multiple key types available, then the -\fB\-k\fR -\fIkey\-type\fR +\fB\-k\fR\fIkey\-type\fR argument can search a specific type of key, like RSA, DSA, or ECC\&. .RE .PP @@ -1671,7 +1669,7 @@ secmod\&.db for PKCS #11 module information .PP BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously\&. NSS has some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues\&. Still, NSS requires more flexibility to provide a truly shared security database\&. .PP -In 2009, NSS introduced a new set of databases that are SQLite databases rather than BerkleyDB\&. These new databases provide more accessibility and performance: +In 2009, NSS introduced a new set of databases that are SQLite databases rather than BerkeleyDB\&. These new databases provide more accessibility and performance: .sp .RS 4 .ie n \{\ @@ -1703,7 +1701,7 @@ key4\&.db for keys .sp -1 .IP \(bu 2.3 .\} -pkcs11\&.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory +pkcs11\&.txt, a listing of all of the PKCS #11 modules, contained in a new subdirectory in the security databases directory .RE .PP Because the SQLite databases are designed to be shared, these are the @@ -1845,12 +1843,12 @@ Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto IRC: Freenode at #dogtag\-pki .SH "AUTHORS" .PP -The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&. +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. .PP Authors: Elio Maldonado , Deon Lackey \&. .SH "LICENSE" .PP -Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&. +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. .SH "NOTES" .IP " 1." 4 Mozilla NSS bug 836477 diff --git a/security/nss/doc/nroff/cmsutil.1 b/security/nss/doc/nroff/cmsutil.1 index 216f4df796c..2093d6796c5 100644 --- a/security/nss/doc/nroff/cmsutil.1 +++ b/security/nss/doc/nroff/cmsutil.1 @@ -1,13 +1,13 @@ '\" t .\" Title: CMSUTIL .\" Author: [see the "Authors" section] -.\" Generator: DocBook XSL Stylesheets v1.77.1 -.\" Date: 15 February 2013 +.\" Generator: DocBook XSL Stylesheets v1.78.1 +.\" Date: 19 July 2013 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "CMSUTIL" "1" "15 February 2013" "nss-tools" "NSS Security Tools" +.TH "CMSUTIL" "1" "19 July 2013" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -77,7 +77,12 @@ Sign a message\&. .PP \fBArguments\fR .PP -Option arguments modify an action and are lowercase\&. +Option arguments modify an action\&. +.PP +\-b +.RS 4 +Decode a batch of files named in infile\&. +.RE .PP \-c content .RS 4 @@ -94,11 +99,21 @@ Specify the key/certificate database directory (default is "\&.") Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message\&. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only)\&. .RE .PP +\-f pwfile +.RS 4 +Use password file to set password on all PKCS#11 tokens\&. +.RE +.PP \-G .RS 4 Include a signing time attribute (sign only)\&. .RE .PP +\-H hash +.RS 4 +Use specified hash algorithm (default:SHA1)\&. +.RE +.PP \-h num .RS 4 Generate email headers with info about CMS message (decode only)\&. @@ -109,6 +124,11 @@ Generate email headers with info about CMS message (decode only)\&. Use infile as a source of data (default is stdin)\&. .RE .PP +\-k +.RS 4 +Keep decoded encryption certs in permanent cert db\&. +.RE +.PP \-N nickname .RS 4 Specify nickname of certificate to sign with (sign only)\&. @@ -149,6 +169,11 @@ Suppress content in CMS message (sign only)\&. Set type of cert usage (default is certUsageEmailSigner)\&. .RE .PP +\-v +.RS 4 +Print debugging information\&. +.RE +.PP \-Y ekprefnick .RS 4 Specify an encryption key preference by nickname\&. @@ -237,12 +262,12 @@ Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto IRC: Freenode at #dogtag\-pki .SH "AUTHORS" .PP -The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&. +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. .PP Authors: Elio Maldonado , Deon Lackey \&. .SH "LICENSE" .PP -Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&. +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. .SH "NOTES" .IP " 1." 4 Mozilla NSS bug 836477 diff --git a/security/nss/doc/nroff/crlutil.1 b/security/nss/doc/nroff/crlutil.1 index 73041741d06..3e2c3ee32a2 100644 --- a/security/nss/doc/nroff/crlutil.1 +++ b/security/nss/doc/nroff/crlutil.1 @@ -1,13 +1,13 @@ '\" t .\" Title: CRLUTIL .\" Author: [see the "Authors" section] -.\" Generator: DocBook XSL Stylesheets v1.77.1 -.\" Date: 15 February 2013 +.\" Generator: DocBook XSL Stylesheets v1.78.1 +.\" Date: 19 July 2013 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "CRLUTIL" "1" "15 February 2013" "nss-tools" "NSS Security Tools" +.TH "CRLUTIL" "1" "19 July 2013" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -161,6 +161,16 @@ Specify type of CRL\&. possible types are: 0 \- SEC_KRL_TYPE, 1 \- SEC_CRL_TYPE\ .RS 4 Specify the url\&. .RE +.PP +\-w pwd\-string +.RS 4 +Provide db password in command line\&. +.RE +.PP +\-Z algorithm +.RS 4 +Specify the hash algorithm to use for signing the CRL\&. +.RE .SH "CRL GENERATION SCRIPT SYNTAX" .PP CRL generation script file has the following syntax: @@ -374,12 +384,12 @@ Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto IRC: Freenode at #dogtag\-pki .SH "AUTHORS" .PP -The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&. +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. .PP Authors: Elio Maldonado , Deon Lackey \&. .SH "LICENSE" .PP -Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&. +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. .SH "NOTES" .IP " 1." 4 Mozilla NSS bug 836477 diff --git a/security/nss/doc/nroff/pk12util.1 b/security/nss/doc/nroff/pk12util.1 index 28d347be701..132bdd08eed 100644 --- a/security/nss/doc/nroff/pk12util.1 +++ b/security/nss/doc/nroff/pk12util.1 @@ -1,13 +1,13 @@ '\" t .\" Title: PK12UTIL .\" Author: [see the "Authors" section] -.\" Generator: DocBook XSL Stylesheets v1.77.1 -.\" Date: 15 February 2013 +.\" Generator: DocBook XSL Stylesheets v1.78.1 +.\" Date: 19 July 2013 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "PK12UTIL" "1" "15 February 2013" "nss-tools" "NSS Security Tools" +.TH "PK12UTIL" "1" "19 July 2013" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -1017,12 +1017,12 @@ Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto IRC: Freenode at #dogtag\-pki .SH "AUTHORS" .PP -The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&. +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. .PP Authors: Elio Maldonado , Deon Lackey \&. .SH "LICENSE" .PP -Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&. +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. .SH "NOTES" .IP " 1." 4 Mozilla NSS bug 836477 diff --git a/security/nss/doc/nroff/pp.1 b/security/nss/doc/nroff/pp.1 index b074f1c390e..b6fd6a5ef48 100644 --- a/security/nss/doc/nroff/pp.1 +++ b/security/nss/doc/nroff/pp.1 @@ -1,13 +1,13 @@ '\" t .\" Title: PP .\" Author: [see the "Authors" section] -.\" Generator: DocBook XSL Stylesheets v1.77.1 -.\" Date: 15 February 2013 +.\" Generator: DocBook XSL Stylesheets v1.78.1 +.\" Date: 19 July 2013 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "PP" "1" "15 February 2013" "nss-tools" "NSS Security Tools" +.TH "PP" "1" "19 July 2013" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -63,7 +63,7 @@ Define an output file to use (default is stdout) .RE .SH "ADDITIONAL RESOURCES" .PP -NSS is maintained in conjunction with PKI and security\-related projects through Mozilla dn Fedora\&. The most closely\-related project is Dogtag PKI, with a project wiki at +NSS is maintained in conjunction with PKI and security\-related projects through Mozilla and Fedora\&. The most closely\-related project is Dogtag PKI, with a project wiki at \m[blue]\fBPKI Wiki\fR\m[]\&\s-2\u[2]\d\s+2\&. .PP For information specifically about NSS, the NSS project wiki is located at @@ -74,12 +74,12 @@ Mailing lists: pki\-devel@redhat\&.com and pki\-users@redhat\&.com IRC: Freenode at #dogtag\-pki .SH "AUTHORS" .PP -The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&. +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. .PP Authors: Elio Maldonado , Deon Lackey \&. .SH "LICENSE" .PP -Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&. +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. .SH "NOTES" .IP " 1." 4 Mozilla NSS bug 836477 diff --git a/security/nss/doc/nroff/signtool.1 b/security/nss/doc/nroff/signtool.1 index 3a51b91da95..26e2eabe0cf 100644 --- a/security/nss/doc/nroff/signtool.1 +++ b/security/nss/doc/nroff/signtool.1 @@ -1,13 +1,13 @@ '\" t .\" Title: signtool .\" Author: [see the "Authors" section] -.\" Generator: DocBook XSL Stylesheets v1.77.1 -.\" Date: 15 February 2013 +.\" Generator: DocBook XSL Stylesheets v1.78.1 +.\" Date: 19 July 2013 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "SIGNTOOL" "1" "15 February 2013" "nss-tools" "NSS Security Tools" +.TH "SIGNTOOL" "1" "19 July 2013" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -667,12 +667,12 @@ Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto IRC: Freenode at #dogtag\-pki .SH "AUTHORS" .PP -The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&. +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. .PP Authors: Elio Maldonado , Deon Lackey \&. .SH "LICENSE" .PP -Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&. +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. .SH "NOTES" .IP " 1." 4 Mozilla NSS bug 836477 diff --git a/security/nss/doc/nroff/signver.1 b/security/nss/doc/nroff/signver.1 index e98fe4abb9f..53c75a4d0ae 100644 --- a/security/nss/doc/nroff/signver.1 +++ b/security/nss/doc/nroff/signver.1 @@ -1,13 +1,13 @@ '\" t .\" Title: SIGNVER .\" Author: [see the "Authors" section] -.\" Generator: DocBook XSL Stylesheets v1.77.1 -.\" Date: 15 February 2013 +.\" Generator: DocBook XSL Stylesheets v1.78.1 +.\" Date: 19 July 2013 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "SIGNVER" "1" "15 February 2013" "nss-tools" "NSS Security Tools" +.TH "SIGNVER" "1" "19 July 2013" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -306,12 +306,12 @@ Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto IRC: Freenode at #dogtag\-pki .SH "AUTHORS" .PP -The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&. +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. .PP Authors: Elio Maldonado , Deon Lackey \&. .SH "LICENSE" .PP -Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&. +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. .SH "NOTES" .IP " 1." 4 Mozilla NSS bug 836477 diff --git a/security/nss/doc/nroff/ssltap.1 b/security/nss/doc/nroff/ssltap.1 index cbe94642278..89c1c50faab 100644 --- a/security/nss/doc/nroff/ssltap.1 +++ b/security/nss/doc/nroff/ssltap.1 @@ -1,13 +1,13 @@ '\" t .\" Title: SSLTAP .\" Author: [see the "Authors" section] -.\" Generator: DocBook XSL Stylesheets v1.77.1 -.\" Date: 15 February 2013 +.\" Generator: DocBook XSL Stylesheets v1.78.1 +.\" Date: 19 July 2013 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "SSLTAP" "1" "15 February 2013" "nss-tools" "NSS Security Tools" +.TH "SSLTAP" "1" "19 July 2013" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -590,12 +590,12 @@ Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto IRC: Freenode at #dogtag\-pki .SH "AUTHORS" .PP -The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&. +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. .PP Authors: Elio Maldonado , Deon Lackey \&. .SH "LICENSE" .PP -Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&. +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. .SH "NOTES" .IP " 1." 4 Mozilla NSS bug 836477 diff --git a/security/nss/doc/nroff/vfychain.1 b/security/nss/doc/nroff/vfychain.1 index c38293a69be..977669b0a9e 100644 --- a/security/nss/doc/nroff/vfychain.1 +++ b/security/nss/doc/nroff/vfychain.1 @@ -1,13 +1,13 @@ '\" t .\" Title: VFYCHAIN .\" Author: [see the "Authors" section] -.\" Generator: DocBook XSL Stylesheets v1.77.1 -.\" Date: 15 February 2013 +.\" Generator: DocBook XSL Stylesheets v1.78.1 +.\" Date: 19 July 2013 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "VFYCHAIN" "1" "15 February 2013" "nss-tools" "NSS Security Tools" +.TH "VFYCHAIN" "1" "19 July 2013" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -155,12 +155,12 @@ Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto IRC: Freenode at #dogtag\-pki .SH "AUTHORS" .PP -The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&. +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. .PP Authors: Elio Maldonado , Deon Lackey \&. .SH "LICENSE" .PP -Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&. +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. .SH "NOTES" .IP " 1." 4 Mozilla NSS bug 836477 diff --git a/security/nss/doc/nroff/vfyserv.1 b/security/nss/doc/nroff/vfyserv.1 index faa38023749..2dc0c0e7838 100644 --- a/security/nss/doc/nroff/vfyserv.1 +++ b/security/nss/doc/nroff/vfyserv.1 @@ -1,13 +1,13 @@ '\" t .\" Title: VFYSERV .\" Author: [see the "Authors" section] -.\" Generator: DocBook XSL Stylesheets v1.77.1 -.\" Date: 15 February 2013 +.\" Generator: DocBook XSL Stylesheets v1.78.1 +.\" Date: 19 July 2013 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "VFYSERV" "1" "15 February 2013" "nss-tools" "NSS Security Tools" +.TH "VFYSERV" "1" "19 July 2013" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -56,12 +56,12 @@ Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto IRC: Freenode at #dogtag\-pki .SH "AUTHORS" .PP -The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&. +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. .PP Authors: Elio Maldonado , Deon Lackey \&. .SH "LICENSE" .PP -Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&. +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. .SH "NOTES" .IP " 1." 4 Mozilla NSS bug 836477 diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c index 1814d728554..c78f8ca28b4 100644 --- a/security/nss/lib/certhigh/ocsp.c +++ b/security/nss/lib/certhigh/ocsp.c @@ -3805,38 +3805,35 @@ ocsp_VerifyResponseSignature(CERTCertificate *signerCert, SECItem *tbsResponseDataDER, void *pwArg) { - SECItem rawSignature; SECKEYPublicKey *signerKey = NULL; SECStatus rv = SECFailure; + CERTSignedData signedData; /* * Now get the public key from the signer's certificate; we need * it to perform the verification. */ signerKey = CERT_ExtractPublicKey(signerCert); - if (signerKey == NULL) - return SECFailure; + if (signerKey == NULL) { + return SECFailure; + } + /* * We copy the signature data *pointer* and length, so that we can * modify the length without damaging the original copy. This is a * simple copy, not a dup, so no destroy/free is necessary. */ - rawSignature = signature->signature; - /* - * The raw signature is a bit string, but we need to represent its - * length in bytes, because that is what the verify function expects. - */ - DER_ConvertBitString(&rawSignature); + signedData.signature = signature->signature; + signedData.signatureAlgorithm = signature->signatureAlgorithm; + signedData.data = *tbsResponseDataDER; - rv = VFY_VerifyDataWithAlgorithmID(tbsResponseDataDER->data, - tbsResponseDataDER->len, - signerKey, &rawSignature, - &signature->signatureAlgorithm, - NULL, pwArg); - if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_BAD_SIGNATURE) { + rv = CERT_VerifySignedDataWithPublicKey(&signedData, signerKey, pwArg); + if (rv != SECSuccess && + (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE || + PORT_GetError() == SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)) { PORT_SetError(SEC_ERROR_OCSP_BAD_SIGNATURE); } - + if (signerKey != NULL) { SECKEY_DestroyPublicKey(signerKey); } diff --git a/security/nss/lib/cryptohi/cryptohi.h b/security/nss/lib/cryptohi/cryptohi.h index 8379848e942..09297ea6a27 100644 --- a/security/nss/lib/cryptohi/cryptohi.h +++ b/security/nss/lib/cryptohi/cryptohi.h @@ -63,7 +63,7 @@ extern SGNContext *SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *privKey); /* ** Destroy a signature-context object -** "key" the object +** "cx" the object ** "freeit" if PR_TRUE then free the object as well as its sub-objects */ extern void SGN_DestroyContext(SGNContext *cx, PRBool freeit); @@ -112,7 +112,7 @@ extern SECStatus SEC_SignData(SECItem *result, ** The given signature/hash algorithm. ** "result" the final signature data (memory is allocated) ** "digest" the digest to sign -** "pk" the private key to encrypt with +** "privKey" the private key to encrypt with ** "algtag" The algorithm tag to encode (need for RSA only) */ extern SECStatus SGN_Digest(SECKEYPrivateKey *privKey, diff --git a/security/nss/lib/freebl/mpi/README b/security/nss/lib/freebl/mpi/README index 1de002a9bee..156356bcc2d 100644 --- a/security/nss/lib/freebl/mpi/README +++ b/security/nss/lib/freebl/mpi/README @@ -156,10 +156,6 @@ output parameter, without confusing anything. The basic numeric type defined by the library is an mp_int. Virtually all the functions in the library take a pointer to an mp_int as one of their parameters. An explanation of how to create and use these -
- -

Problem 23:

- structures follows. And so, without further ado... diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index 03f9fbb6483..27b6370b66c 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -33,12 +33,12 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define NSS_VERSION "3.15.1" _NSS_ECC_STRING _NSS_CUSTOMIZED +#define NSS_VERSION "3.15.2" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta" #define NSS_VMAJOR 3 #define NSS_VMINOR 15 -#define NSS_VPATCH 1 +#define NSS_VPATCH 2 #define NSS_VBUILD 0 -#define NSS_BETA PR_FALSE +#define NSS_BETA PR_TRUE #ifndef RC_INVOKED diff --git a/security/nss/lib/pk11wrap/pk11pub.h b/security/nss/lib/pk11wrap/pk11pub.h index 53b501c2466..41bdd556235 100644 --- a/security/nss/lib/pk11wrap/pk11pub.h +++ b/security/nss/lib/pk11wrap/pk11pub.h @@ -702,6 +702,7 @@ SECStatus PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, SECStatus PK11_Finalize(PK11Context *context); SECStatus PK11_DigestFinal(PK11Context *context, unsigned char *data, unsigned int *outLen, unsigned int length); +#define PK11_CipherFinal PK11_DigestFinal SECStatus PK11_SaveContext(PK11Context *cx,unsigned char *save, int *len, int saveLength); diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c index b540f47d4ba..744c95aa662 100644 --- a/security/nss/lib/pkcs12/p12d.c +++ b/security/nss/lib/pkcs12/p12d.c @@ -3116,6 +3116,7 @@ SEC_PKCS12DecoderIterateNext(SEC_PKCS12DecoderContext *p12dcx, SECOID_CopyAlgorithmID(NULL, p12dcx->decitem.shroudAlg, &bag->safeBagContent.pkcs8ShroudedKeyBag->algorithm); } + /* fall through */ case SEC_OID_PKCS12_V1_KEY_BAG_ID: p12dcx->decitem.friendlyName = sec_pkcs12_get_friendlyName(bag); break; diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c index 89b5bd85e89..0591ca5db13 100644 --- a/security/nss/lib/softoken/pkcs11c.c +++ b/security/nss/lib/softoken/pkcs11c.c @@ -3510,6 +3510,7 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession, case CKM_DES2_KEY_GEN: case CKM_DES3_KEY_GEN: checkWeak = PR_TRUE; + /* fall through */ case CKM_RC2_KEY_GEN: case CKM_RC4_KEY_GEN: case CKM_GENERIC_SECRET_KEY_GEN: @@ -3536,6 +3537,7 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession, break; case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: faultyPBE3DES = PR_TRUE; + /* fall through */ case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: case CKM_NETSCAPE_PBE_SHA1_DES_CBC: diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h index 4cb6d994f7f..3902324c6df 100644 --- a/security/nss/lib/softoken/softkver.h +++ b/security/nss/lib/softoken/softkver.h @@ -25,11 +25,11 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define SOFTOKEN_VERSION "3.15.1" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.15.2" SOFTOKEN_ECC_STRING " Beta" #define SOFTOKEN_VMAJOR 3 #define SOFTOKEN_VMINOR 15 -#define SOFTOKEN_VPATCH 1 +#define SOFTOKEN_VPATCH 2 #define SOFTOKEN_VBUILD 0 -#define SOFTOKEN_BETA PR_FALSE +#define SOFTOKEN_BETA PR_TRUE #endif /* _SOFTKVER_H_ */ diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h index 6f7664ac9c8..b1df773a38b 100644 --- a/security/nss/lib/ssl/ssl.h +++ b/security/nss/lib/ssl/ssl.h @@ -328,7 +328,7 @@ SSL_IMPORT SECStatus SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange); -/* Values for "policy" argument to SSL_PolicySet */ +/* Values for "policy" argument to SSL_CipherPolicySet */ /* Values returned by SSL_CipherPolicyGet. */ #define SSL_NOT_ALLOWED 0 /* or invalid or unimplemented */ #define SSL_ALLOWED 1 @@ -845,24 +845,20 @@ SSL_IMPORT SECStatus NSS_CmpCertChainWCANames(CERTCertificate *cert, SSL_IMPORT SSLKEAType NSS_FindCertKEAType(CERTCertificate * cert); /* Set cipher policies to a predefined Domestic (U.S.A.) policy. - * This essentially enables all supported ciphers. + * This essentially allows all supported ciphers. */ SSL_IMPORT SECStatus NSS_SetDomesticPolicy(void); /* Set cipher policies to a predefined Policy that is exportable from the USA * according to present U.S. policies as we understand them. - * See documentation for the list. - * Note that your particular application program may be able to obtain - * an export license with more or fewer capabilities than those allowed - * by this function. In that case, you should use SSL_SetPolicy() - * to explicitly allow those ciphers you may legally export. + * It is the same as NSS_SetDomesticPolicy now. */ SSL_IMPORT SECStatus NSS_SetExportPolicy(void); /* Set cipher policies to a predefined Policy that is exportable from the USA * according to present U.S. policies as we understand them, and that the * nation of France will permit to be imported into their country. - * See documentation for the list. + * It is the same as NSS_SetDomesticPolicy now. */ SSL_IMPORT SECStatus NSS_SetFrancePolicy(void); diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index 53b6f237aec..cac55d87f09 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -67,6 +67,13 @@ static int ssl3_OIDToTLSHashAlgorithm(SECOidTag oid); static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen, const unsigned char *input, int inputLen); +#ifndef NO_PKCS11_BYPASS +static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, + unsigned char *out, int *outlen, int maxout, + const unsigned char *in, int inlen, + const unsigned char *additionalData, + int additionalDataLen); +#endif #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ #define MIN_SEND_BUF_LENGTH 4000 @@ -77,85 +84,91 @@ static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c) */ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { - /* cipher_suite policy enabled is_present*/ + /* cipher_suite policy enabled isPresent */ #ifdef NSS_ENABLE_ECC - { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, #endif /* NSS_ENABLE_ECC */ - { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, - { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, -#ifdef NSS_ENABLE_ECC - { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, -#endif /* NSS_ENABLE_ECC */ - { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, - { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, #ifdef NSS_ENABLE_ECC - { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, #endif /* NSS_ENABLE_ECC */ - { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, - { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, + { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, #ifdef NSS_ENABLE_ECC - { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, + { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, #endif /* NSS_ENABLE_ECC */ - { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, - { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, - { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, + { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, #ifdef NSS_ENABLE_ECC - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, #endif /* NSS_ENABLE_ECC */ - { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, - { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, + { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, #ifdef NSS_ENABLE_ECC - { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, + { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, #endif /* NSS_ENABLE_ECC */ - { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, - { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, - - - { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, - { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, - - { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, - { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { SSL_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { SSL_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, #ifdef NSS_ENABLE_ECC - { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, #endif /* NSS_ENABLE_ECC */ - { SSL_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { TLS_RSA_WITH_NULL_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { SSL_RSA_WITH_NULL_MD5, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, + { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +#ifdef NSS_ENABLE_ECC + { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +#endif /* NSS_ENABLE_ECC */ + { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + + { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { SSL_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + + { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + +#ifdef NSS_ENABLE_ECC + { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +#endif /* NSS_ENABLE_ECC */ + { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, }; /* This list of SSL3 compression methods is sorted in descending order of @@ -222,23 +235,30 @@ static SSL3Statistics ssl3stats; /* indexed by SSL3BulkCipher */ static const ssl3BulkCipherDef bulk_cipher_defs[] = { - /* cipher calg keySz secretSz type ivSz BlkSz keygen */ - {cipher_null, calg_null, 0, 0, type_stream, 0, 0, kg_null}, - {cipher_rc4, calg_rc4, 16, 16, type_stream, 0, 0, kg_strong}, - {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, kg_export}, - {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, kg_export}, - {cipher_rc2, calg_rc2, 16, 16, type_block, 8, 8, kg_strong}, - {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, kg_export}, - {cipher_des, calg_des, 8, 8, type_block, 8, 8, kg_strong}, - {cipher_3des, calg_3des, 24, 24, type_block, 8, 8, kg_strong}, - {cipher_des40, calg_des, 8, 5, type_block, 8, 8, kg_export}, - {cipher_idea, calg_idea, 16, 16, type_block, 8, 8, kg_strong}, - {cipher_aes_128, calg_aes, 16, 16, type_block, 16,16, kg_strong}, - {cipher_aes_256, calg_aes, 32, 32, type_block, 16,16, kg_strong}, - {cipher_camellia_128, calg_camellia,16, 16, type_block, 16,16, kg_strong}, - {cipher_camellia_256, calg_camellia,32, 32, type_block, 16,16, kg_strong}, - {cipher_seed, calg_seed, 16, 16, type_block, 16,16, kg_strong}, - {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, kg_null}, + /* |--------- Lengths --------| */ + /* cipher calg k s type i b t n */ + /* e e v l a o */ + /* y c | o g n */ + /* | r | c | c */ + /* | e | k | e */ + /* | t | | | | */ + {cipher_null, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, + {cipher_rc4, calg_rc4, 16,16, type_stream, 0, 0, 0, 0}, + {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, 0, 0}, + {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, 0, 0}, + {cipher_rc2, calg_rc2, 16,16, type_block, 8, 8, 0, 0}, + {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, 0, 0}, + {cipher_des, calg_des, 8, 8, type_block, 8, 8, 0, 0}, + {cipher_3des, calg_3des, 24,24, type_block, 8, 8, 0, 0}, + {cipher_des40, calg_des, 8, 5, type_block, 8, 8, 0, 0}, + {cipher_idea, calg_idea, 16,16, type_block, 8, 8, 0, 0}, + {cipher_aes_128, calg_aes, 16,16, type_block, 16,16, 0, 0}, + {cipher_aes_256, calg_aes, 32,32, type_block, 16,16, 0, 0}, + {cipher_camellia_128, calg_camellia, 16,16, type_block, 16,16, 0, 0}, + {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0}, + {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0}, + {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8}, + {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, }; static const ssl3KEADef kea_defs[] = @@ -360,6 +380,11 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] = {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, + {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa}, + {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, + {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa}, + {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa}, + #ifdef NSS_ENABLE_ECC {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, @@ -423,10 +448,11 @@ static const SSLCipher2Mech alg2Mech[] = { { calg_aes , CKM_AES_CBC }, { calg_camellia , CKM_CAMELLIA_CBC }, { calg_seed , CKM_SEED_CBC }, + { calg_aes_gcm , CKM_AES_GCM }, /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ }; -#define mmech_null (CK_MECHANISM_TYPE)0x80000000L +#define mmech_invalid (CK_MECHANISM_TYPE)0x80000000L #define mmech_md5 CKM_SSL3_MD5_MAC #define mmech_sha CKM_SSL3_SHA1_MAC #define mmech_md5_hmac CKM_MD5_HMAC @@ -436,12 +462,13 @@ static const SSLCipher2Mech alg2Mech[] = { static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */ /* mac mmech pad_size mac_size */ - { mac_null, mmech_null, 0, 0 }, + { mac_null, mmech_invalid, 0, 0 }, { mac_md5, mmech_md5, 48, MD5_LENGTH }, { mac_sha, mmech_sha, 40, SHA1_LENGTH}, {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH }, {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH}, {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH}, + { mac_aead, mmech_invalid, 0, 0 }, }; /* indexed by SSL3BulkCipher */ @@ -461,6 +488,7 @@ const char * const ssl3_cipherName[] = { "Camellia-128", "Camellia-256", "SEED-CBC", + "AES-128-GCM", "missing" }; @@ -587,9 +615,13 @@ ssl3_CipherSuiteAllowedForVersion(ssl3CipherSuite cipherSuite, case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: case TLS_RSA_WITH_AES_256_CBC_SHA256: case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: + case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: + case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: case TLS_RSA_WITH_AES_128_CBC_SHA256: + case TLS_RSA_WITH_AES_128_GCM_SHA256: case TLS_RSA_WITH_NULL_SHA256: return version >= SSL_LIBRARY_VERSION_TLS_1_2; default: @@ -761,7 +793,7 @@ count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) int i, count = 0; if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) { - return 0; + return 0; } for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { if (config_match(&ss->cipherSuites[i], policy, enabled)) @@ -1349,7 +1381,7 @@ ssl3_SetupPendingCipherSpec(sslSocket *ss) cipher = suite_def->bulk_cipher_alg; kea = suite_def->key_exchange_alg; mac = suite_def->mac_alg; - if (mac <= ssl_mac_sha && isTLS) + if (mac <= ssl_mac_sha && mac != ssl_mac_null && isTLS) mac += 2; ss->ssl3.hs.suite_def = suite_def; @@ -1543,7 +1575,6 @@ ssl3_InitPendingContextsBypass(sslSocket *ss) unsigned int optArg2 = 0; PRBool server_encrypts = ss->sec.isServer; SSLCipherAlgorithm calg; - SSLCompressionMethod compression_method; SECStatus rv; PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); @@ -1554,7 +1585,17 @@ ssl3_InitPendingContextsBypass(sslSocket *ss) cipher_def = pwSpec->cipher_def; calg = cipher_def->calg; - compression_method = pwSpec->compression_method; + + if (calg == calg_aes_gcm) { + pwSpec->encode = NULL; + pwSpec->decode = NULL; + pwSpec->destroy = NULL; + pwSpec->encodeContext = NULL; + pwSpec->decodeContext = NULL; + pwSpec->aead = ssl3_AESGCMBypass; + ssl3_InitCompressionContext(pwSpec); + return SECSuccess; + } serverContext = pwSpec->server.cipher_context; clientContext = pwSpec->client.cipher_context; @@ -1710,6 +1751,195 @@ ssl3_ParamFromIV(CK_MECHANISM_TYPE mtype, SECItem *iv, CK_ULONG ulEffectiveBits) return param; } +/* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data + * which is included in the MAC or AEAD additional data) to |out| and returns + * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the + * definition of the AEAD additional data. + * + * TLS pseudo-header includes the record's version field, SSL's doesn't. Which + * pseudo-header defintiion to use should be decided based on the version of + * the protocol that was negotiated when the cipher spec became current, NOT + * based on the version value in the record itself, and the decision is passed + * to this function as the |includesVersion| argument. But, the |version| + * argument should be the record's version value. + */ +static unsigned int +ssl3_BuildRecordPseudoHeader(unsigned char *out, + SSL3SequenceNumber seq_num, + SSL3ContentType type, + PRBool includesVersion, + SSL3ProtocolVersion version, + PRBool isDTLS, + int length) +{ + out[0] = (unsigned char)(seq_num.high >> 24); + out[1] = (unsigned char)(seq_num.high >> 16); + out[2] = (unsigned char)(seq_num.high >> 8); + out[3] = (unsigned char)(seq_num.high >> 0); + out[4] = (unsigned char)(seq_num.low >> 24); + out[5] = (unsigned char)(seq_num.low >> 16); + out[6] = (unsigned char)(seq_num.low >> 8); + out[7] = (unsigned char)(seq_num.low >> 0); + out[8] = type; + + /* SSL3 MAC doesn't include the record's version field. */ + if (!includesVersion) { + out[9] = MSB(length); + out[10] = LSB(length); + return 11; + } + + /* TLS MAC and AEAD additional data include version. */ + if (isDTLS) { + SSL3ProtocolVersion dtls_version; + + dtls_version = dtls_TLSVersionToDTLSVersion(version); + out[9] = MSB(dtls_version); + out[10] = LSB(dtls_version); + } else { + out[9] = MSB(version); + out[10] = LSB(version); + } + out[11] = MSB(length); + out[12] = LSB(length); + return 13; +} + +static SECStatus +ssl3_AESGCM(ssl3KeyMaterial *keys, + PRBool doDecrypt, + unsigned char *out, + int *outlen, + int maxout, + const unsigned char *in, + int inlen, + const unsigned char *additionalData, + int additionalDataLen) +{ + SECItem param; + SECStatus rv = SECFailure; + unsigned char nonce[12]; + unsigned int uOutLen; + CK_GCM_PARAMS gcmParams; + + static const int tagSize = 16; + static const int explicitNonceLen = 8; + + /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the + * nonce is formed. */ + memcpy(nonce, keys->write_iv, 4); + if (doDecrypt) { + memcpy(nonce + 4, in, explicitNonceLen); + in += explicitNonceLen; + inlen -= explicitNonceLen; + *outlen = 0; + } else { + if (maxout < explicitNonceLen) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + return SECFailure; + } + /* Use the 64-bit sequence number as the explicit nonce. */ + memcpy(nonce + 4, additionalData, explicitNonceLen); + memcpy(out, additionalData, explicitNonceLen); + out += explicitNonceLen; + maxout -= explicitNonceLen; + *outlen = explicitNonceLen; + } + + param.type = siBuffer; + param.data = (unsigned char *) &gcmParams; + param.len = sizeof(gcmParams); + gcmParams.pIv = nonce; + gcmParams.ulIvLen = sizeof(nonce); + gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ + gcmParams.ulAADLen = additionalDataLen; + gcmParams.ulTagBits = tagSize * 8; + + if (doDecrypt) { + rv = PK11_Decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, + maxout, in, inlen); + } else { + rv = PK11_Encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, + maxout, in, inlen); + } + *outlen += (int) uOutLen; + + return rv; +} + +#ifndef NO_PKCS11_BYPASS +static SECStatus +ssl3_AESGCMBypass(ssl3KeyMaterial *keys, + PRBool doDecrypt, + unsigned char *out, + int *outlen, + int maxout, + const unsigned char *in, + int inlen, + const unsigned char *additionalData, + int additionalDataLen) +{ + SECStatus rv = SECFailure; + unsigned char nonce[12]; + unsigned int uOutLen; + AESContext *cx; + CK_GCM_PARAMS gcmParams; + + static const int tagSize = 16; + static const int explicitNonceLen = 8; + + /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the + * nonce is formed. */ + PORT_Assert(keys->write_iv_item.len == 4); + if (keys->write_iv_item.len != 4) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + memcpy(nonce, keys->write_iv_item.data, 4); + if (doDecrypt) { + memcpy(nonce + 4, in, explicitNonceLen); + in += explicitNonceLen; + inlen -= explicitNonceLen; + *outlen = 0; + } else { + if (maxout < explicitNonceLen) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + return SECFailure; + } + /* Use the 64-bit sequence number as the explicit nonce. */ + memcpy(nonce + 4, additionalData, explicitNonceLen); + memcpy(out, additionalData, explicitNonceLen); + out += explicitNonceLen; + maxout -= explicitNonceLen; + *outlen = explicitNonceLen; + } + + gcmParams.pIv = nonce; + gcmParams.ulIvLen = sizeof(nonce); + gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ + gcmParams.ulAADLen = additionalDataLen; + gcmParams.ulTagBits = tagSize * 8; + + cx = (AESContext *)keys->cipher_context; + rv = AES_InitContext(cx, keys->write_key_item.data, + keys->write_key_item.len, + (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt, + AES_BLOCK_SIZE); + if (rv != SECSuccess) { + return rv; + } + if (doDecrypt) { + rv = AES_Decrypt(cx, out, &uOutLen, maxout, in, inlen); + } else { + rv = AES_Encrypt(cx, out, &uOutLen, maxout, in, inlen); + } + AES_DestroyContext(cx, PR_FALSE); + *outlen += (int) uOutLen; + + return rv; +} +#endif + /* Initialize encryption and MAC contexts for pending spec. * Master Secret already is derived. * Caller holds Spec write lock. @@ -1737,14 +1967,27 @@ ssl3_InitPendingContextsPKCS11(sslSocket *ss) pwSpec = ss->ssl3.pwSpec; cipher_def = pwSpec->cipher_def; macLength = pwSpec->mac_size; + calg = cipher_def->calg; + PORT_Assert(alg2Mech[calg].calg == calg); + + pwSpec->client.write_mac_context = NULL; + pwSpec->server.write_mac_context = NULL; + + if (calg == calg_aes_gcm) { + pwSpec->encode = NULL; + pwSpec->decode = NULL; + pwSpec->destroy = NULL; + pwSpec->encodeContext = NULL; + pwSpec->decodeContext = NULL; + pwSpec->aead = ssl3_AESGCM; + return SECSuccess; + } /* ** Now setup the MAC contexts, ** crypto contexts are setup below. */ - pwSpec->client.write_mac_context = NULL; - pwSpec->server.write_mac_context = NULL; mac_mech = pwSpec->mac_def->mmech; mac_param.data = (unsigned char *)&macLength; mac_param.len = sizeof(macLength); @@ -1767,9 +2010,6 @@ ssl3_InitPendingContextsPKCS11(sslSocket *ss) ** Now setup the crypto contexts. */ - calg = cipher_def->calg; - PORT_Assert(alg2Mech[calg].calg == calg); - if (calg == calg_null) { pwSpec->encode = Null_Cipher; pwSpec->decode = Null_Cipher; @@ -1977,10 +2217,8 @@ static SECStatus ssl3_ComputeRecordMAC( ssl3CipherSpec * spec, PRBool useServerMacKey, - PRBool isDTLS, - SSL3ContentType type, - SSL3ProtocolVersion version, - SSL3SequenceNumber seq_num, + const unsigned char *header, + unsigned int headerLen, const SSL3Opaque * input, int inputLength, unsigned char * outbuf, @@ -1988,56 +2226,8 @@ ssl3_ComputeRecordMAC( { const ssl3MACDef * mac_def; SECStatus rv; -#ifndef NO_PKCS11_BYPASS - PRBool isTLS; -#endif - unsigned int tempLen; - unsigned char temp[MAX_MAC_LENGTH]; - temp[0] = (unsigned char)(seq_num.high >> 24); - temp[1] = (unsigned char)(seq_num.high >> 16); - temp[2] = (unsigned char)(seq_num.high >> 8); - temp[3] = (unsigned char)(seq_num.high >> 0); - temp[4] = (unsigned char)(seq_num.low >> 24); - temp[5] = (unsigned char)(seq_num.low >> 16); - temp[6] = (unsigned char)(seq_num.low >> 8); - temp[7] = (unsigned char)(seq_num.low >> 0); - temp[8] = type; - - /* TLS MAC includes the record's version field, SSL's doesn't. - ** We decide which MAC defintiion to use based on the version of - ** the protocol that was negotiated when the spec became current, - ** NOT based on the version value in the record itself. - ** But, we use the record'v version value in the computation. - */ - if (spec->version <= SSL_LIBRARY_VERSION_3_0) { - temp[9] = MSB(inputLength); - temp[10] = LSB(inputLength); - tempLen = 11; -#ifndef NO_PKCS11_BYPASS - isTLS = PR_FALSE; -#endif - } else { - /* New TLS hash includes version. */ - if (isDTLS) { - SSL3ProtocolVersion dtls_version; - - dtls_version = dtls_TLSVersionToDTLSVersion(version); - temp[9] = MSB(dtls_version); - temp[10] = LSB(dtls_version); - } else { - temp[9] = MSB(version); - temp[10] = LSB(version); - } - temp[11] = MSB(inputLength); - temp[12] = LSB(inputLength); - tempLen = 13; -#ifndef NO_PKCS11_BYPASS - isTLS = PR_TRUE; -#endif - } - - PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); + PRINT_BUF(95, (NULL, "frag hash1: header", header, headerLen)); PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); mac_def = spec->mac_def; @@ -2082,7 +2272,10 @@ ssl3_ComputeRecordMAC( return SECFailure; } - if (!isTLS) { + if (spec->version <= SSL_LIBRARY_VERSION_3_0) { + unsigned int tempLen; + unsigned char temp[MAX_MAC_LENGTH]; + /* compute "inner" part of SSL3 MAC */ hashObj->begin(write_mac_context); if (useServerMacKey) @@ -2094,7 +2287,7 @@ ssl3_ComputeRecordMAC( spec->client.write_mac_key_item.data, spec->client.write_mac_key_item.len); hashObj->update(write_mac_context, mac_pad_1, pad_bytes); - hashObj->update(write_mac_context, temp, tempLen); + hashObj->update(write_mac_context, header, headerLen); hashObj->update(write_mac_context, input, inputLength); hashObj->end(write_mac_context, temp, &tempLen, sizeof temp); @@ -2125,7 +2318,7 @@ ssl3_ComputeRecordMAC( } if (rv == SECSuccess) { HMAC_Begin(cx); - HMAC_Update(cx, temp, tempLen); + HMAC_Update(cx, header, headerLen); HMAC_Update(cx, input, inputLength); rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size); HMAC_Destroy(cx, PR_FALSE); @@ -2139,7 +2332,7 @@ ssl3_ComputeRecordMAC( (useServerMacKey ? spec->server.write_mac_context : spec->client.write_mac_context); rv = PK11_DigestBegin(mac_context); - rv |= PK11_DigestOp(mac_context, temp, tempLen); + rv |= PK11_DigestOp(mac_context, header, headerLen); rv |= PK11_DigestOp(mac_context, input, inputLength); rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size); } @@ -2165,10 +2358,8 @@ static SECStatus ssl3_ComputeRecordMACConstantTime( ssl3CipherSpec * spec, PRBool useServerMacKey, - PRBool isDTLS, - SSL3ContentType type, - SSL3ProtocolVersion version, - SSL3SequenceNumber seq_num, + const unsigned char *header, + unsigned int headerLen, const SSL3Opaque * input, int inputLen, int originalLen, @@ -2179,9 +2370,7 @@ ssl3_ComputeRecordMACConstantTime( CK_NSS_MAC_CONSTANT_TIME_PARAMS params; SECItem param, inputItem, outputItem; SECStatus rv; - unsigned char header[13]; PK11SymKey * key; - int recordLength; PORT_Assert(inputLen >= spec->mac_size); PORT_Assert(originalLen >= inputLen); @@ -2197,42 +2386,15 @@ ssl3_ComputeRecordMACConstantTime( return SECSuccess; } - header[0] = (unsigned char)(seq_num.high >> 24); - header[1] = (unsigned char)(seq_num.high >> 16); - header[2] = (unsigned char)(seq_num.high >> 8); - header[3] = (unsigned char)(seq_num.high >> 0); - header[4] = (unsigned char)(seq_num.low >> 24); - header[5] = (unsigned char)(seq_num.low >> 16); - header[6] = (unsigned char)(seq_num.low >> 8); - header[7] = (unsigned char)(seq_num.low >> 0); - header[8] = type; - macType = CKM_NSS_HMAC_CONSTANT_TIME; - recordLength = inputLen - spec->mac_size; if (spec->version <= SSL_LIBRARY_VERSION_3_0) { macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME; - header[9] = recordLength >> 8; - header[10] = recordLength; - params.ulHeaderLen = 11; - } else { - if (isDTLS) { - SSL3ProtocolVersion dtls_version; - - dtls_version = dtls_TLSVersionToDTLSVersion(version); - header[9] = dtls_version >> 8; - header[10] = dtls_version; - } else { - header[9] = version >> 8; - header[10] = version; - } - header[11] = recordLength >> 8; - header[12] = recordLength; - params.ulHeaderLen = 13; } params.macAlg = spec->mac_def->mmech; params.ulBodyTotalLen = originalLen; - params.pHeader = header; + params.pHeader = (unsigned char *) header; /* const cast */ + params.ulHeaderLen = headerLen; param.data = (unsigned char*) ¶ms; param.len = sizeof(params); @@ -2272,9 +2434,8 @@ fallback: /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the * length already. */ inputLen -= spec->mac_size; - return ssl3_ComputeRecordMAC(spec, useServerMacKey, isDTLS, type, - version, seq_num, input, inputLen, - outbuf, outLen); + return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen, + input, inputLen, outbuf, outLen); } static PRBool @@ -2323,6 +2484,8 @@ ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, PRUint16 headerLen; int ivLen = 0; int cipherBytes = 0; + unsigned char pseudoHeader[13]; + unsigned int pseudoHeaderLen; cipher_def = cwSpec->cipher_def; headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; @@ -2368,86 +2531,117 @@ ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, contentLen = outlen; } - /* - * Add the MAC - */ - rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, - type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, - wrBuf->buf + headerLen + ivLen + contentLen, &macLen); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); - return SECFailure; - } - p1Len = contentLen; - p2Len = macLen; - fragLen = contentLen + macLen; /* needs to be encrypted */ - PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); + pseudoHeaderLen = ssl3_BuildRecordPseudoHeader( + pseudoHeader, cwSpec->write_seq_num, type, + cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version, + isDTLS, contentLen); + PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader)); + if (cipher_def->type == type_aead) { + const int nonceLen = cipher_def->explicit_nonce_size; + const int tagLen = cipher_def->tag_size; - /* - * Pad the text (if we're doing a block cipher) - * then Encrypt it - */ - if (cipher_def->type == type_block) { - unsigned char * pBuf; - int padding_length; - int i; - - oddLen = contentLen % cipher_def->block_size; - /* Assume blockSize is a power of two */ - padding_length = cipher_def->block_size - 1 - - ((fragLen) & (cipher_def->block_size - 1)); - fragLen += padding_length + 1; - PORT_Assert((fragLen % cipher_def->block_size) == 0); - - /* Pad according to TLS rules (also acceptable to SSL3). */ - pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1]; - for (i = padding_length + 1; i > 0; --i) { - *pBuf-- = padding_length; + if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + + cipherBytes = contentLen; + rv = cwSpec->aead( + isServer ? &cwSpec->server : &cwSpec->client, + PR_FALSE, /* do encrypt */ + wrBuf->buf + headerLen, /* output */ + &cipherBytes, /* out len */ + wrBuf->space - headerLen, /* max out */ + pIn, contentLen, /* input */ + pseudoHeader, pseudoHeaderLen); + if (rv != SECSuccess) { + PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); + return SECFailure; } - /* now, if contentLen is not a multiple of block size, fix it */ - p2Len = fragLen - p1Len; - } - if (p1Len < 256) { - oddLen = p1Len; - p1Len = 0; } else { - p1Len -= oddLen; - } - if (oddLen) { - p2Len += oddLen; - PORT_Assert( (cipher_def->block_size < 2) || \ - (p2Len % cipher_def->block_size) == 0); - memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen); - } - if (p1Len > 0) { - int cipherBytesPart1 = -1; - rv = cwSpec->encode( cwSpec->encodeContext, - wrBuf->buf + headerLen + ivLen, /* output */ - &cipherBytesPart1, /* actual outlen */ - p1Len, /* max outlen */ - pIn, p1Len); /* input, and inputlen */ - PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); - if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { - PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); + /* + * Add the MAC + */ + rv = ssl3_ComputeRecordMAC(cwSpec, isServer, + pseudoHeader, pseudoHeaderLen, pIn, contentLen, + wrBuf->buf + headerLen + ivLen + contentLen, &macLen); + if (rv != SECSuccess) { + ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); return SECFailure; } - cipherBytes += cipherBytesPart1; - } - if (p2Len > 0) { - int cipherBytesPart2 = -1; - rv = cwSpec->encode( cwSpec->encodeContext, - wrBuf->buf + headerLen + ivLen + p1Len, - &cipherBytesPart2, /* output and actual outLen */ - p2Len, /* max outlen */ - wrBuf->buf + headerLen + ivLen + p1Len, - p2Len); /* input and inputLen*/ - PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); - if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { - PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); - return SECFailure; + p1Len = contentLen; + p2Len = macLen; + fragLen = contentLen + macLen; /* needs to be encrypted */ + PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); + + /* + * Pad the text (if we're doing a block cipher) + * then Encrypt it + */ + if (cipher_def->type == type_block) { + unsigned char * pBuf; + int padding_length; + int i; + + oddLen = contentLen % cipher_def->block_size; + /* Assume blockSize is a power of two */ + padding_length = cipher_def->block_size - 1 - + ((fragLen) & (cipher_def->block_size - 1)); + fragLen += padding_length + 1; + PORT_Assert((fragLen % cipher_def->block_size) == 0); + + /* Pad according to TLS rules (also acceptable to SSL3). */ + pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1]; + for (i = padding_length + 1; i > 0; --i) { + *pBuf-- = padding_length; + } + /* now, if contentLen is not a multiple of block size, fix it */ + p2Len = fragLen - p1Len; } - cipherBytes += cipherBytesPart2; - } + if (p1Len < 256) { + oddLen = p1Len; + p1Len = 0; + } else { + p1Len -= oddLen; + } + if (oddLen) { + p2Len += oddLen; + PORT_Assert( (cipher_def->block_size < 2) || \ + (p2Len % cipher_def->block_size) == 0); + memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, + oddLen); + } + if (p1Len > 0) { + int cipherBytesPart1 = -1; + rv = cwSpec->encode( cwSpec->encodeContext, + wrBuf->buf + headerLen + ivLen, /* output */ + &cipherBytesPart1, /* actual outlen */ + p1Len, /* max outlen */ + pIn, p1Len); /* input, and inputlen */ + PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); + if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { + PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); + return SECFailure; + } + cipherBytes += cipherBytesPart1; + } + if (p2Len > 0) { + int cipherBytesPart2 = -1; + rv = cwSpec->encode( cwSpec->encodeContext, + wrBuf->buf + headerLen + ivLen + p1Len, + &cipherBytesPart2, /* output and actual outLen */ + p2Len, /* max outlen */ + wrBuf->buf + headerLen + ivLen + p1Len, + p2Len); /* input and inputLen*/ + PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); + if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { + PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); + return SECFailure; + } + cipherBytes += cipherBytesPart2; + } + } + PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); wrBuf->len = cipherBytes + headerLen; @@ -2990,9 +3184,6 @@ SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc) static SECStatus ssl3_IllegalParameter(sslSocket *ss) { - PRBool isTLS; - - isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT : SSL_ERROR_BAD_SERVER ); @@ -3516,7 +3707,6 @@ ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss) } key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited); - /* was: (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */ key_material_params.RandomInfo.pClientRandom = cr; key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; @@ -7455,7 +7645,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) goto alert_loser; suite_found: - /* Look for a matching compression algorithm. */ + /* Select a compression algorithm. */ for (i = 0; i < comps.len; i++) { if (!compressionEnabled(ss, comps.data[i])) continue; @@ -9707,7 +9897,6 @@ ssl3_SendNextProto(sslSocket *ss) static void ssl3_RecordKeyLog(sslSocket *ss) { - sslSessionID *sid; SECStatus rv; SECItem *keyData; char buf[14 /* "CLIENT_RANDOM " */ + @@ -9719,8 +9908,6 @@ ssl3_RecordKeyLog(sslSocket *ss) PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); - sid = ss->sec.ci.sid; - if (!ssl_keylog_iob) return; @@ -10539,7 +10726,7 @@ ssl_RemoveSSLv3CBCPadding(sslBuffer *plaintext, /* SSLv3 padding bytes are random and cannot be checked. */ t = plaintext->len; t -= paddingLength+overhead; - /* If len >= padding_length+overhead then the MSB of t is zero. */ + /* If len >= paddingLength+overhead then the MSB of t is zero. */ good = DUPLICATE_MSB_TO_ALL(~t); /* SSLv3 requires that the padding is minimal. */ t = blockSize - (paddingLength+1); @@ -10705,6 +10892,8 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) unsigned int originalLen = 0; unsigned int good; unsigned int minLength; + unsigned char header[13]; + unsigned int headerLen; PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); @@ -10772,7 +10961,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) } } - good = (unsigned)-1; + good = ~0U; minLength = crSpec->mac_size; if (cipher_def->type == type_block) { /* CBC records have a padding length byte at the end. */ @@ -10781,19 +10970,14 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) /* With >= TLS 1.1, CBC records have an explicit IV. */ minLength += cipher_def->iv_size; } + } else if (cipher_def->type == type_aead) { + minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size; } /* We can perform this test in variable time because the record's total * length and the ciphersuite are both public knowledge. */ if (cText->buf->len < minLength) { - SSL_DBG(("%d: SSL3[%d]: HandleRecord, record too small.", - SSL_GETPID(), ss->fd)); - /* must not hold spec lock when calling SSL3_SendAlert. */ - ssl_ReleaseSpecReadLock(ss); - SSL3_SendAlert(ss, alert_fatal, bad_record_mac); - /* always log mac error, in case attacker can read server logs. */ - PORT_SetError(SSL_ERROR_BAD_MAC_READ); - return SECFailure; + goto decrypt_loser; } if (cipher_def->type == type_block && @@ -10861,78 +11045,112 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) return SECFailure; } - /* decrypt from cText buf to plaintext. */ - rv = crSpec->decode( - crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, - plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); - good &= SECStatusToMask(rv); + rType = cText->type; + if (cipher_def->type == type_aead) { + /* XXX For many AEAD ciphers, the plaintext is shorter than the + * ciphertext by a fixed byte count, but it is not true in general. + * Each AEAD cipher should provide a function that returns the + * plaintext length for a given ciphertext. */ + unsigned int decryptedLen = + cText->buf->len - cipher_def->explicit_nonce_size - + cipher_def->tag_size; + headerLen = ssl3_BuildRecordPseudoHeader( + header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, + rType, isTLS, cText->version, IS_DTLS(ss), decryptedLen); + PORT_Assert(headerLen <= sizeof(header)); + rv = crSpec->aead( + ss->sec.isServer ? &crSpec->client : &crSpec->server, + PR_TRUE, /* do decrypt */ + plaintext->buf, /* out */ + (int*) &plaintext->len, /* outlen */ + plaintext->space, /* maxout */ + cText->buf->buf, /* in */ + cText->buf->len, /* inlen */ + header, headerLen); + if (rv != SECSuccess) { + good = 0; + } + } else { + if (cipher_def->type == type_block && + ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { + goto decrypt_loser; + } - PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); + /* decrypt from cText buf to plaintext. */ + rv = crSpec->decode( + crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, + plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); + if (rv != SECSuccess) { + goto decrypt_loser; + } - originalLen = plaintext->len; + PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); - /* If it's a block cipher, check and strip the padding. */ - if (cipher_def->type == type_block) { - const unsigned int blockSize = cipher_def->iv_size; - const unsigned int macSize = crSpec->mac_size; + originalLen = plaintext->len; - if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { - good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( - plaintext, blockSize, macSize)); + /* If it's a block cipher, check and strip the padding. */ + if (cipher_def->type == type_block) { + const unsigned int blockSize = cipher_def->block_size; + const unsigned int macSize = crSpec->mac_size; + + if (!isTLS) { + good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( + plaintext, blockSize, macSize)); + } else { + good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( + plaintext, macSize)); + } + } + + /* compute the MAC */ + headerLen = ssl3_BuildRecordPseudoHeader( + header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, + rType, isTLS, cText->version, IS_DTLS(ss), + plaintext->len - crSpec->mac_size); + PORT_Assert(headerLen <= sizeof(header)); + if (cipher_def->type == type_block) { + rv = ssl3_ComputeRecordMACConstantTime( + crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, + plaintext->buf, plaintext->len, originalLen, + hash, &hashBytes); + + ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, + crSpec->mac_size); + givenHash = givenHashBuf; + + /* plaintext->len will always have enough space to remove the MAC + * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust + * plaintext->len if the result has enough space for the MAC and we + * tested the unadjusted size against minLength, above. */ + plaintext->len -= crSpec->mac_size; } else { - good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( - plaintext, macSize)); + /* This is safe because we checked the minLength above. */ + plaintext->len -= crSpec->mac_size; + + rv = ssl3_ComputeRecordMAC( + crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, + plaintext->buf, plaintext->len, hash, &hashBytes); + + /* We can read the MAC directly from the record because its location + * is public when a stream cipher is used. */ + givenHash = plaintext->buf + plaintext->len; + } + + good &= SECStatusToMask(rv); + + if (hashBytes != (unsigned)crSpec->mac_size || + NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { + /* We're allowed to leak whether or not the MAC check was correct */ + good = 0; } } - /* compute the MAC */ - rType = cText->type; - if (cipher_def->type == type_block) { - rv = ssl3_ComputeRecordMACConstantTime( - crSpec, (PRBool)(!ss->sec.isServer), - IS_DTLS(ss), rType, cText->version, - IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, - plaintext->buf, plaintext->len, originalLen, - hash, &hashBytes); - - ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, - crSpec->mac_size); - givenHash = givenHashBuf; - - /* plaintext->len will always have enough space to remove the MAC - * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust - * plaintext->len if the result has enough space for the MAC and we - * tested the unadjusted size against minLength, above. */ - plaintext->len -= crSpec->mac_size; - } else { - /* This is safe because we checked the minLength above. */ - plaintext->len -= crSpec->mac_size; - - rv = ssl3_ComputeRecordMAC( - crSpec, (PRBool)(!ss->sec.isServer), - IS_DTLS(ss), rType, cText->version, - IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, - plaintext->buf, plaintext->len, - hash, &hashBytes); - - /* We can read the MAC directly from the record because its location is - * public when a stream cipher is used. */ - givenHash = plaintext->buf + plaintext->len; - } - - good &= SECStatusToMask(rv); - - if (hashBytes != (unsigned)crSpec->mac_size || - NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { - /* We're allowed to leak whether or not the MAC check was correct */ - good = 0; - } - if (good == 0) { +decrypt_loser: /* must not hold spec lock when calling SSL3_SendAlert. */ ssl_ReleaseSpecReadLock(ss); - SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd)); + SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd)); if (!IS_DTLS(ss)) { SSL3_SendAlert(ss, alert_fatal, bad_record_mac); diff --git a/security/nss/lib/ssl/ssl3ecc.c b/security/nss/lib/ssl/ssl3ecc.c index 65a428f9fe2..6380cfe3c85 100644 --- a/security/nss/lib/ssl/ssl3ecc.c +++ b/security/nss/lib/ssl/ssl3ecc.c @@ -896,6 +896,7 @@ static const ssl3CipherSuite ecdhe_ecdsa_suites[] = { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, @@ -906,6 +907,7 @@ static const ssl3CipherSuite ecdhe_rsa_suites[] = { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, @@ -917,12 +919,14 @@ static const ssl3CipherSuite ecSuites[] = { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, diff --git a/security/nss/lib/ssl/ssl3ext.c b/security/nss/lib/ssl/ssl3ext.c index f6e9e2b787c..616ca4c6fd1 100644 --- a/security/nss/lib/ssl/ssl3ext.c +++ b/security/nss/lib/ssl/ssl3ext.c @@ -1411,7 +1411,7 @@ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, goto no_ticket; /* Allow for the wrapped master secret to be longer. */ - if (buffer_len < sizeof(SSL3_MASTER_SECRET_LENGTH)) + if (buffer_len < parsed_session_ticket->ms_length) goto no_ticket; PORT_Memcpy(parsed_session_ticket->master_secret, buffer, parsed_session_ticket->ms_length); diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c index 2fc6602a2b6..bd0ffb8c87c 100644 --- a/security/nss/lib/ssl/sslcon.c +++ b/security/nss/lib/ssl/sslcon.c @@ -20,7 +20,6 @@ #include "prinit.h" #include "prtime.h" /* for PR_Now() */ -#define XXX static PRBool policyWasSet; /* This ordered list is indexed by (SSL_CK_xx * 3) */ diff --git a/security/nss/lib/ssl/sslenum.c b/security/nss/lib/ssl/sslenum.c index b460f2631dc..597ec072399 100644 --- a/security/nss/lib/ssl/sslenum.c +++ b/security/nss/lib/ssl/sslenum.c @@ -29,6 +29,14 @@ * Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h. */ const PRUint16 SSL_ImplementedCiphers[] = { + /* AES-GCM */ +#ifdef NSS_ENABLE_ECC + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, +#endif /* NSS_ENABLE_ECC */ + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_128_GCM_SHA256, + /* 256-bit */ #ifdef NSS_ENABLE_ECC TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h index b3e36e67e7d..32616750d4a 100644 --- a/security/nss/lib/ssl/sslimpl.h +++ b/security/nss/lib/ssl/sslimpl.h @@ -54,6 +54,7 @@ typedef SSLSignType SSL3SignType; #define calg_aes ssl_calg_aes #define calg_camellia ssl_calg_camellia #define calg_seed ssl_calg_seed +#define calg_aes_gcm ssl_calg_aes_gcm #define mac_null ssl_mac_null #define mac_md5 ssl_mac_md5 @@ -61,6 +62,7 @@ typedef SSLSignType SSL3SignType; #define hmac_md5 ssl_hmac_md5 #define hmac_sha ssl_hmac_sha #define hmac_sha256 ssl_hmac_sha256 +#define mac_aead ssl_mac_aead #define SET_ERROR_CODE /* reminder */ #define SEND_ALERT /* reminder */ @@ -280,9 +282,9 @@ typedef struct { } ssl3CipherSuiteCfg; #ifdef NSS_ENABLE_ECC -#define ssl_V3_SUITES_IMPLEMENTED 57 +#define ssl_V3_SUITES_IMPLEMENTED 61 #else -#define ssl_V3_SUITES_IMPLEMENTED 35 +#define ssl_V3_SUITES_IMPLEMENTED 37 #endif /* NSS_ENABLE_ECC */ #define MAX_DTLS_SRTP_CIPHER_SUITES 4 @@ -430,20 +432,6 @@ struct sslGatherStr { #define GS_DATA 3 #define GS_PAD 4 -typedef SECStatus (*SSLCipher)(void * context, - unsigned char * out, - int * outlen, - int maxout, - const unsigned char *in, - int inlen); -typedef SECStatus (*SSLCompressor)(void * context, - unsigned char * out, - int * outlen, - int maxout, - const unsigned char *in, - int inlen); -typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); - /* @@ -467,11 +455,12 @@ typedef enum { cipher_camellia_128, cipher_camellia_256, cipher_seed, + cipher_aes_128_gcm, cipher_missing /* reserved for no such supported cipher */ /* This enum must match ssl3_cipherName[] in ssl3con.c. */ } SSL3BulkCipher; -typedef enum { type_stream, type_block } CipherType; +typedef enum { type_stream, type_block, type_aead } CipherType; #define MAX_IV_LENGTH 24 @@ -513,6 +502,30 @@ typedef struct { PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS]; } ssl3KeyMaterial; +typedef SECStatus (*SSLCipher)(void * context, + unsigned char * out, + int * outlen, + int maxout, + const unsigned char *in, + int inlen); +typedef SECStatus (*SSLAEADCipher)( + ssl3KeyMaterial * keys, + PRBool doDecrypt, + unsigned char * out, + int * outlen, + int maxout, + const unsigned char *in, + int inlen, + const unsigned char *additionalData, + int additionalDataLen); +typedef SECStatus (*SSLCompressor)(void * context, + unsigned char * out, + int * outlen, + int maxout, + const unsigned char *in, + int inlen); +typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); + /* The DTLS anti-replay window. Defined here because we need it in * the cipher spec. Note that this is a ring buffer but left and * right represent the true window, with modular arithmetic used to @@ -539,6 +552,7 @@ typedef struct { int mac_size; SSLCipher encode; SSLCipher decode; + SSLAEADCipher aead; SSLDestroy destroy; void * encodeContext; void * decodeContext; @@ -685,8 +699,6 @@ typedef struct { PRBool tls_keygen; } ssl3KEADef; -typedef enum { kg_null, kg_strong, kg_export } SSL3KeyGenMode; - /* ** There are tables of these, all const. */ @@ -698,7 +710,8 @@ struct ssl3BulkCipherDefStr { CipherType type; int iv_size; int block_size; - SSL3KeyGenMode keygen_mode; + int tag_size; /* authentication tag size for AEAD ciphers. */ + int explicit_nonce_size; /* for AEAD ciphers. */ }; /* @@ -1737,7 +1750,7 @@ extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data, extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd); extern void ssl_FreePRSocket(PRFileDesc *fd); -/* Internal config function so SSL2 can initialize the present state of +/* Internal config function so SSL3 can initialize the present state of * various ciphers */ extern int ssl3_config_match_init(sslSocket *); diff --git a/security/nss/lib/ssl/sslinfo.c b/security/nss/lib/ssl/sslinfo.c index d0c23b73382..89545e0c8c1 100644 --- a/security/nss/lib/ssl/sslinfo.c +++ b/security/nss/lib/ssl/sslinfo.c @@ -101,7 +101,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len) #define K_ECDHE "ECDHE", kt_ecdh #define C_SEED "SEED", calg_seed -#define C_CAMELLIA "CAMELLIA", calg_camellia +#define C_CAMELLIA "CAMELLIA", calg_camellia #define C_AES "AES", calg_aes #define C_RC4 "RC4", calg_rc4 #define C_RC2 "RC2", calg_rc2 @@ -109,6 +109,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len) #define C_3DES "3DES", calg_3des #define C_NULL "NULL", calg_null #define C_SJ "SKIPJACK", calg_sj +#define C_AESGCM "AES-GCM", calg_aes_gcm #define B_256 256, 256, 256 #define B_128 128, 128, 128 @@ -119,12 +120,16 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len) #define B_40 128, 40, 40 #define B_0 0, 0, 0 +#define M_AEAD_128 "AEAD", ssl_mac_aead, 128 #define M_SHA256 "SHA256", ssl_hmac_sha256, 256 #define M_SHA "SHA1", ssl_mac_sha, 160 #define M_MD5 "MD5", ssl_mac_md5, 128 +#define M_NULL "NULL", ssl_mac_null, 0 static const SSLCipherSuiteInfo suiteInfo[] = { /* <------ Cipher suite --------------------> */ +{0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, + {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, }, @@ -138,6 +143,7 @@ static const SSLCipherSuiteInfo suiteInfo[] = { {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, }, +{0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, }, {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, }, {0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA, 1, 0, 0, }, @@ -167,6 +173,9 @@ static const SSLCipherSuiteInfo suiteInfo[] = { #ifdef NSS_ENABLE_ECC /* ECC cipher suites */ +{0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, +{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, + {0,CS(TLS_ECDH_ECDSA_WITH_NULL_SHA), S_ECDSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, }, {0,CS(TLS_ECDH_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, }, {0,CS(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA), S_ECDSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, }, diff --git a/security/nss/lib/ssl/sslproto.h b/security/nss/lib/ssl/sslproto.h index b037887acf9..53bba011bb9 100644 --- a/security/nss/lib/ssl/sslproto.h +++ b/security/nss/lib/ssl/sslproto.h @@ -162,6 +162,10 @@ #define TLS_RSA_WITH_SEED_CBC_SHA 0x0096 +#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C +#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E +#define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2 + /* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client. * Must NEVER be chosen by server. SSL 3.0 server acknowledges by sending * back an empty Renegotiation Info (RI) server hello extension. @@ -204,6 +208,11 @@ #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 +#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B +#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D +#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F +#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 + /* Netscape "experimental" cipher suites. */ #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1 diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c index 488b7f2a0a9..4424221f852 100644 --- a/security/nss/lib/ssl/sslsock.c +++ b/security/nss/lib/ssl/sslsock.c @@ -21,88 +21,6 @@ #define SET_ERROR_CODE /* reminder */ -struct cipherPolicyStr { - int cipher; - unsigned char export; /* policy value for export policy */ - unsigned char france; /* policy value for france policy */ -}; - -typedef struct cipherPolicyStr cipherPolicy; - -/* This table contains two preconfigured policies: Export and France. -** It is used only by the functions NSS_SetDomesticPolicy, -** NSS_SetExportPolicy, and NSS_SetFrancePolicy. -** Order of entries is not important. -*/ -static cipherPolicy ssl_ciphers[] = { /* Export France */ - { SSL_EN_RC4_128_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED }, - { SSL_EN_RC2_128_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED }, - { SSL_EN_DES_64_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { SSL_RSA_WITH_RC4_128_MD5, SSL_RESTRICTED, SSL_NOT_ALLOWED }, - { SSL_RSA_WITH_RC4_128_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED }, - { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED }, - { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, SSL_ALLOWED }, - { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, SSL_ALLOWED }, - { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED }, - { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, - { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, SSL_ALLOWED }, - { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED }, -#ifdef NSS_ENABLE_ECC - { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, - { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, - { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, - { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, - { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, -#endif /* NSS_ENABLE_ECC */ - { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED } -}; - static const sslSocketOps ssl_default_ops = { /* No SSL. */ ssl_DefConnect, NULL, @@ -1338,10 +1256,10 @@ SECStatus NSS_SetDomesticPolicy(void) { SECStatus status = SECSuccess; - cipherPolicy * policy; + const PRUint16 *cipher; - for (policy = ssl_ciphers; policy->cipher != 0; ++policy) { - status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED); + for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) { + status = SSL_SetPolicy(*cipher, SSL_ALLOWED); if (status != SECSuccess) break; } @@ -2951,6 +2869,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) ss->opt.useSocks = PR_FALSE; ss->opt.noLocks = !makeLocks; ss->vrange = *VERSIONS_DEFAULTS(protocolVariant); + ss->protocolVariant = protocolVariant; ss->peerID = NULL; ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; @@ -3004,7 +2923,6 @@ loser: PORT_Free(ss); ss = NULL; } - ss->protocolVariant = protocolVariant; } return ss; } diff --git a/security/nss/lib/ssl/sslt.h b/security/nss/lib/ssl/sslt.h index 613983f31d5..6b93629340e 100644 --- a/security/nss/lib/ssl/sslt.h +++ b/security/nss/lib/ssl/sslt.h @@ -78,9 +78,10 @@ typedef enum { ssl_calg_3des = 4, ssl_calg_idea = 5, ssl_calg_fortezza = 6, /* deprecated, now unused */ - ssl_calg_aes = 7, /* coming soon */ + ssl_calg_aes = 7, ssl_calg_camellia = 8, - ssl_calg_seed = 9 + ssl_calg_seed = 9, + ssl_calg_aes_gcm = 10 } SSLCipherAlgorithm; typedef enum { @@ -89,7 +90,8 @@ typedef enum { ssl_mac_sha = 2, ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */ ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */ - ssl_hmac_sha256 = 5 + ssl_hmac_sha256 = 5, + ssl_mac_aead = 6 } SSLMACAlgorithm; typedef enum { @@ -145,6 +147,9 @@ typedef struct SSLCipherSuiteInfoStr { PRUint16 effectiveKeyBits; /* MAC info */ + /* AEAD ciphers don't have a MAC. For an AEAD cipher, macAlgorithmName + * is "AEAD", macAlgorithm is ssl_mac_aead, and macBits is the length in + * bits of the authentication tag. */ const char * macAlgorithmName; SSLMACAlgorithm macAlgorithm; PRUint16 macBits; diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h index cb150bfa526..8e9bd2a79c7 100644 --- a/security/nss/lib/util/nssutil.h +++ b/security/nss/lib/util/nssutil.h @@ -19,12 +19,12 @@ * The format of the version string should be * ".[.[.]][ ]" */ -#define NSSUTIL_VERSION "3.15.1" +#define NSSUTIL_VERSION "3.15.2 Beta" #define NSSUTIL_VMAJOR 3 #define NSSUTIL_VMINOR 15 -#define NSSUTIL_VPATCH 1 +#define NSSUTIL_VPATCH 2 #define NSSUTIL_VBUILD 0 -#define NSSUTIL_BETA PR_FALSE +#define NSSUTIL_BETA PR_TRUE SEC_BEGIN_PROTOS diff --git a/security/nss/lib/util/utilpars.c b/security/nss/lib/util/utilpars.c index cbf777ff1a5..d2cd3e04ae7 100644 --- a/security/nss/lib/util/utilpars.c +++ b/security/nss/lib/util/utilpars.c @@ -677,7 +677,7 @@ nssutil_mkSlotFlags(unsigned long defaultFlags) int i,j; for (i=0; i < sizeof(defaultFlags)*8; i++) { - if (defaultFlags & (1< -Link::GetURI() const +nsIURI* +Link::GetURI() const { NS_NOTREACHED("Unexpected call to Link::GetURI"); return nullptr; // suppress compiler warning diff --git a/toolkit/components/telemetry/Histograms.json b/toolkit/components/telemetry/Histograms.json index df3d7162a64..ba8f68342a9 100644 --- a/toolkit/components/telemetry/Histograms.json +++ b/toolkit/components/telemetry/Histograms.json @@ -3450,6 +3450,18 @@ "n_buckets": "1000", "description": "The time (in milliseconds) that it took a 'listTabs' request to go round trip." }, + "DEVTOOLS_DEBUGGER_RDP_LOCAL_LISTADDONS_MS": { + "kind": "exponential", + "high": "10000", + "n_buckets": "1000", + "description": "The time (in milliseconds) that it took a 'listAddons' request to go round trip." + }, + "DEVTOOLS_DEBUGGER_RDP_REMOTE_LISTADDONS_MS": { + "kind": "exponential", + "high": "10000", + "n_buckets": "1000", + "description": "The time (in milliseconds) that it took a 'listAddons' request to go round trip." + }, "DEVTOOLS_DEBUGGER_RDP_LOCAL_DELETE_MS": { "kind": "exponential", "high": "10000", diff --git a/toolkit/content/license.html b/toolkit/content/license.html index 7dabc2256e1..9d195be7535 100644 --- a/toolkit/content/license.html +++ b/toolkit/content/license.html @@ -71,7 +71,6 @@
  • Chromium License
  • dtoa License
  • Dutch Spellchecking Dictionary License
    • -
  • EasyEXIF License
  • Eclipse Distribution License
  • Estonian Spellchecking Dictionary License
  • Expat License
    • @@ -1737,42 +1736,6 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -
    - -

    EasyEXIF License

    - -

    This license applies to certain files in the directory - media/easyexif/.

    - -
    -Copyright (c) 2010 Mayank Lahiri
-mlahiri@gmail.com
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
--- Redistributions of source code must retain the above copyright notice,
-this list of conditions and the following disclaimer.
--- Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS ``AS IS'' AND ANY EXPRESS
-OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
-NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
-OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
-EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
    - - -

    Eclipse Distribution License

    diff --git a/toolkit/devtools/client/dbg-client.jsm b/toolkit/devtools/client/dbg-client.jsm index 109e9c7126d..2ea2ae920ef 100644 --- a/toolkit/devtools/client/dbg-client.jsm +++ b/toolkit/devtools/client/dbg-client.jsm @@ -194,6 +194,7 @@ const UnsolicitedNotifications = { "newSource": "newSource", "tabDetached": "tabDetached", "tabListChanged": "tabListChanged", + "addonListChanged": "addonListChanged", "tabNavigated": "tabNavigated", "pageError": "pageError", "webappsEvent": "webappsEvent", @@ -426,6 +427,12 @@ DebuggerClient.prototype = { */ listTabs: function(aOnResponse) { return this.mainRoot.listTabs(aOnResponse); }, + /* + * This function exists only to preserve DebuggerClient's interface; + * new code should say 'client.mainRoot.listAddons()'. + */ + listAddons: function(aOnResponse) { return this.mainRoot.listAddons(aOnResponse); }, + /** * Attach to a tab actor. * @@ -1029,6 +1036,15 @@ RootClient.prototype = { listTabs: DebuggerClient.requester({ type: "listTabs" }, { telemetry: "LISTTABS" }), + /** + * List the installed addons. + * + * @param function aOnResponse + * Called with the response packet. + */ + listAddons: DebuggerClient.requester({ type: "listAddons" }, + { telemetry: "LISTADDONS" }), + /* * Methods constructed by DebuggerClient.requester require these forwards * on their 'this'. @@ -1037,7 +1053,6 @@ RootClient.prototype = { get request() { return this._client.request; } }; - /** * Creates a thread client for the remote debugging protocol server. This client * is a front to the thread actor created in the server side, hiding the diff --git a/toolkit/devtools/server/actors/root.js b/toolkit/devtools/server/actors/root.js index 72e884e9a1c..f2114bafaef 100644 --- a/toolkit/devtools/server/actors/root.js +++ b/toolkit/devtools/server/actors/root.js @@ -97,6 +97,11 @@ function CommonAppendExtraActors(aObject) { * notifications when the live list's contents change. One actor in * this list must have a true '.selected' property. * + * - addonList: a live list (see below) of addon actors. If present, the + * new root actor supports the 'listAddons' request, providing the live + * list's elements as its addon actors, and sending 'addonListchanged' + * notifications when the live list's contents change. + * * - globalActorFactories: an object |A| describing further actors to * attach to the 'listTabs' reply. This is the type accumulated by * DebuggerServer.addGlobalActor. For each own property |P| of |A|, @@ -150,6 +155,7 @@ function RootActor(aConnection, aParameters) { this.conn = aConnection; this._parameters = aParameters; this._onTabListChanged = this.onTabListChanged.bind(this); + this._onAddonListChanged = this.onAddonListChanged.bind(this); this._extraActors = {}; } @@ -190,6 +196,9 @@ RootActor.prototype = { if (this._parameters.tabList) { this._parameters.tabList.onListChanged = null; } + if (this._parameters.addonList) { + this._parameters.addonList.onListChanged = null; + } if (typeof this._parameters.onShutdown === 'function') { this._parameters.onShutdown(); } @@ -245,7 +254,7 @@ RootActor.prototype = { let reply = { "from": this.actorID, "selected": selected || 0, - "tabs": [actor.grip() for (actor of tabActorList)], + "tabs": [actor.form() for (actor of tabActorList)], }; /* DebuggerServer.addGlobalActor support: name actors in 'listTabs' reply. */ @@ -268,6 +277,39 @@ RootActor.prototype = { this._parameters.tabList.onListChanged = null; }, + onListAddons: function () { + let addonList = this._parameters.addonList; + if (!addonList) { + return { from: this.actorID, error: "noAddons", + message: "This root actor has no browser addons." }; + } + + return addonList.getList().then((addonActors) => { + let addonActorPool = new ActorPool(this.conn); + for (let addonActor of addonActors) { + addonActorPool.addActor(addonActor); + } + + if (this._addonActorPool) { + this.conn.removeActorPool(this._addonActorPool); + } + this._addonActorPool = addonActorPool; + this.conn.addActorPool(this._addonActorPool); + + addonList.onListChanged = this._onAddonListChanged; + + return { + "from": this.actorID, + "addons": [addonActor.form() for (addonActor of addonActors)] + }; + }); + }, + + onAddonListChanged: function () { + this.conn.send({ from: this.actorID, type: "addonListChanged" }); + this._parameters.addonList.onListChanged = null; + }, + /* This is not in the spec, but it's used by tests. */ onEcho: function (aRequest) { /* @@ -340,5 +382,6 @@ RootActor.prototype = { RootActor.prototype.requestTypes = { "listTabs": RootActor.prototype.onListTabs, + "listAddons": RootActor.prototype.onListAddons, "echo": RootActor.prototype.onEcho }; diff --git a/toolkit/devtools/server/actors/webbrowser.js b/toolkit/devtools/server/actors/webbrowser.js index 49837c5e2ac..a86ead8d5aa 100644 --- a/toolkit/devtools/server/actors/webbrowser.js +++ b/toolkit/devtools/server/actors/webbrowser.js @@ -60,6 +60,7 @@ function createRootActor(aConnection) return new RootActor(aConnection, { tabList: new BrowserTabList(aConnection), + addonList: new BrowserAddonList(aConnection), globalActorFactories: DebuggerServer.globalActorFactories, onShutdown: sendShutdownEvent }); @@ -545,7 +546,7 @@ BrowserTabActor.prototype = { } }, - grip: function BTA_grip() { + form: function BTA_form() { dbg_assert(!this.exited, "grip() shouldn't be called on exited browser actor."); dbg_assert(this.actorID, @@ -820,6 +821,94 @@ BrowserTabActor.prototype.requestTypes = { "navigateTo": BrowserTabActor.prototype.onNavigateTo }; +Components.utils.import("resource://gre/modules/AddonManager.jsm"); + +function BrowserAddonList(aConnection) +{ + this._connection = aConnection; + this._actorByAddonId = new Map(); + this._onListChanged = null; +} + +BrowserAddonList.prototype.getList = function() { + var deferred = promise.defer(); + AddonManager.getAllAddons((addons) => { + for (let addon of addons) { + let actor = this._actorByAddonId.get(addon.id); + if (!actor) { + actor = new BrowserAddonActor(this._connection, addon); + this._actorByAddonId.set(addon.id, actor); + } + } + deferred.resolve([actor for ([_, actor] of this._actorByAddonId)]); + }); + return deferred.promise; +} + +Object.defineProperty(BrowserAddonList.prototype, "onListChanged", { + enumerable: true, configurable: true, + get: function() { return this._onListChanged; }, + set: function(v) { + if (v !== null && typeof v != "function") { + throw Error("onListChanged property may only be set to 'null' or a function"); + } + this._onListChanged = v; + if (this._onListChanged) { + AddonManager.addAddonListener(this); + } else { + AddonManager.removeAddonListener(this); + } + } +}); + +BrowserAddonList.prototype.onInstalled = function (aAddon) { + this._onListChanged(); +}; + +BrowserAddonList.prototype.onUninstalled = function (aAddon) { + this._actorByAddonId.delete(aAddon.id); + this._onListChanged(); +}; + +function BrowserAddonActor(aConnection, aAddon) { + this.conn = aConnection; + this._addon = aAddon; + AddonManager.addAddonListener(this); +} + +BrowserAddonActor.prototype = { + actorPrefix: "addon", + + get id() { + return this._addon.id; + }, + + get url() { + return this._addon.sourceURI ? this._addon.sourceURI.spec : undefined; + }, + + form: function BAA_form() { + dbg_assert(this.actorID, "addon should have an actorID."); + + return { + actor: this.actorID, + id: this.id, + url: this.url + }; + }, + + disconnect: function BAA_disconnect() { + AddonManager.removeAddonListener(this); + }, + + onUninstalled: function BAA_onUninstalled(aAddon) { + if (aAddon != this._addon) + return; + this._addon = null; + AddonManager.removeAddonListener(this); + }, +}; + /** * The DebuggerProgressListener object is an nsIWebProgressListener which * handles onStateChange events for the inspected browser. If the user tries to diff --git a/toolkit/devtools/server/tests/unit/testactors.js b/toolkit/devtools/server/tests/unit/testactors.js index e95e8c0f41d..5421ca06ddf 100644 --- a/toolkit/devtools/server/tests/unit/testactors.js +++ b/toolkit/devtools/server/tests/unit/testactors.js @@ -71,7 +71,7 @@ TestTabActor.prototype = { return { wrappedJSObject: this._global }; }, - grip: function() { + form: function() { let response = { actor: this.actorID, title: this._global.__name }; // Walk over tab actors added by extensions and add them to a new ActorPool. diff --git a/toolkit/modules/Http.jsm b/toolkit/modules/Http.jsm index 12eb44477a7..807250cd459 100644 --- a/toolkit/modules/Http.jsm +++ b/toolkit/modules/Http.jsm @@ -34,14 +34,12 @@ function httpRequest(aUrl, aOptions) { let xhr = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"] .createInstance(Ci.nsIXMLHttpRequest); xhr.mozBackgroundRequest = true; // no error dialogs - let hasPostData = "postData" in aOptions && aOptions.postData; - xhr.open("method" in aOptions ? aOptions.method : - (hasPostData ? "POST" : "GET"), aUrl); + xhr.open(aOptions.method || (aOptions.postData ? "POST" : "GET"), aUrl); xhr.channel.loadFlags = Ci.nsIChannel.LOAD_ANONYMOUS | // don't send cookies Ci.nsIChannel.LOAD_BYPASS_CACHE | Ci.nsIChannel.INHIBIT_CACHING; xhr.onerror = function(aProgressEvent) { - if ("onError" in aOptions) { + if (aOptions.onError) { // adapted from toolkit/mozapps/extensions/nsBlocklistService.js let request = aProgressEvent.target; let status; @@ -58,10 +56,10 @@ function httpRequest(aUrl, aOptions) { aOptions.onError(statusText, null, this); } }; - xhr.onload = function (aRequest) { + xhr.onload = function(aRequest) { try { let target = aRequest.target; - if ("logger" in aOptions) + if (aOptions.logger) aOptions.logger.debug("Received response: " + target.responseText); if (target.status < 200 || target.status >= 300) { let errorText = target.responseText; @@ -69,23 +67,23 @@ function httpRequest(aUrl, aOptions) { errorText = target.statusText; throw target.status + " - " + errorText; } - if ("onLoad" in aOptions) + if (aOptions.onLoad) aOptions.onLoad(target.responseText, this); } catch (e) { Cu.reportError(e); - if ("onError" in aOptions) + if (aOptions.onError) aOptions.onError(e, aRequest.target.responseText, this); } }; - if ("headers" in aOptions) { + if (aOptions.headers) { aOptions.headers.forEach(function(header) { xhr.setRequestHeader(header[0], header[1]); }); } // Handle adding postData as defined above. - let POSTData = hasPostData ? aOptions.postData : ""; + let POSTData = aOptions.postData || ""; if (Array.isArray(POSTData)) { xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=utf-8"); @@ -93,7 +91,7 @@ function httpRequest(aUrl, aOptions) { .join("&"); } - if ("logger" in aOptions) { + if (aOptions.logger) { aOptions.logger.log("sending request to " + aUrl + " (POSTData = " + POSTData + ")"); } diff --git a/toolkit/modules/tests/xpcshell/test_Http.js b/toolkit/modules/tests/xpcshell/test_Http.js index 6b51a784332..3cf8f00769d 100644 --- a/toolkit/modules/tests/xpcshell/test_Http.js +++ b/toolkit/modules/tests/xpcshell/test_Http.js @@ -142,6 +142,18 @@ add_test(function test_GetData() { httpRequest(kGetUrl, options); }); +add_test(function test_OptionalParameters() { + let options = { + onLoad: null, + onError: null, + logger: null + }; + // Just make sure that nothing throws when doing this (i.e. httpRequest + // doesn't try to access null options). + httpRequest(kGetUrl, options); + run_next_test(); +}); + function run_test() { // Set up a mock HTTP server to serve a success page. server = new HttpServer(); diff --git a/tools/profiler/GeckoProfiler.h b/tools/profiler/GeckoProfiler.h index 8fe665d8cd2..485a7c35e65 100644 --- a/tools/profiler/GeckoProfiler.h +++ b/tools/profiler/GeckoProfiler.h @@ -50,7 +50,10 @@ #define SAMPLER_H #include "mozilla/NullPtr.h" -#include "mozilla/TimeStamp.h" + +namespace mozilla { +class TimeStamp; +} #ifndef MOZ_ENABLE_PROFILER_SPS diff --git a/tools/profiler/GeckoProfilerFunc.h b/tools/profiler/GeckoProfilerFunc.h index 3e6130867af..56e1410cfeb 100644 --- a/tools/profiler/GeckoProfilerFunc.h +++ b/tools/profiler/GeckoProfilerFunc.h @@ -8,7 +8,11 @@ #include "mozilla/NullPtr.h" #include -#include "mozilla/TimeStamp.h" + +namespace mozilla { +class TimeDuration; +class TimeStamp; +} using mozilla::TimeStamp; using mozilla::TimeDuration; diff --git a/tools/profiler/GeckoProfilerImpl.h b/tools/profiler/GeckoProfilerImpl.h index 25dd8400db1..93d49de9ef2 100644 --- a/tools/profiler/GeckoProfilerImpl.h +++ b/tools/profiler/GeckoProfilerImpl.h @@ -13,7 +13,6 @@ #include #include "mozilla/ThreadLocal.h" #include "mozilla/Assertions.h" -#include "mozilla/TimeStamp.h" #include "mozilla/Util.h" #include "nsAlgorithm.h" #include "nscore.h" @@ -37,6 +36,10 @@ struct PseudoStack; class TableTicker; class JSCustomObject; +namespace mozilla { +class TimeStamp; +} + extern mozilla::ThreadLocal tlsPseudoStack; extern mozilla::ThreadLocal tlsTicker; extern bool stack_key_initialized; diff --git a/uriloader/exthandler/nsExternalHelperAppService.cpp b/uriloader/exthandler/nsExternalHelperAppService.cpp index f4c900534a9..6fa46f69b0f 100644 --- a/uriloader/exthandler/nsExternalHelperAppService.cpp +++ b/uriloader/exthandler/nsExternalHelperAppService.cpp @@ -397,6 +397,7 @@ static nsDefaultMimeTypeEntry defaultMimeEntries [] = { TEXT_CSS, "css" }, { IMAGE_JPEG, "jpeg" }, { IMAGE_JPEG, "jpg" }, + { IMAGE_SVG_XML, "svg" }, { TEXT_HTML, "html" }, { TEXT_HTML, "htm" }, { APPLICATION_XPINSTALL, "xpi" }, @@ -480,7 +481,7 @@ static nsExtraMimeTypeEntry extraMimeEntries [] = { IMAGE_PNG, "png", "PNG Image" }, { IMAGE_TIFF, "tiff,tif", "TIFF Image" }, { IMAGE_XBM, "xbm", "XBM Image" }, - { "image/svg+xml", "svg", "Scalable Vector Graphics" }, + { IMAGE_SVG_XML, "svg", "Scalable Vector Graphics" }, { MESSAGE_RFC822, "eml", "RFC-822 data" }, { TEXT_PLAIN, "txt,text", "Text File" }, { TEXT_HTML, "html,htm,shtml,ehtml", "HyperText Markup Language" }, diff --git a/widget/cocoa/NativeKeyBindings.h b/widget/cocoa/NativeKeyBindings.h index a914fb4e585..1ae12ba726f 100644 --- a/widget/cocoa/NativeKeyBindings.h +++ b/widget/cocoa/NativeKeyBindings.h @@ -50,15 +50,15 @@ public: NS_IMETHOD Init(NativeKeyBindingsType aType); // nsINativeKeyBindings - NS_IMETHOD_(bool) KeyDown(const nsNativeKeyEvent& aEvent, + NS_IMETHOD_(bool) KeyDown(const nsKeyEvent& aEvent, DoCommandCallback aCallback, void* aCallbackData); - NS_IMETHOD_(bool) KeyPress(const nsNativeKeyEvent& aEvent, + NS_IMETHOD_(bool) KeyPress(const nsKeyEvent& aEvent, DoCommandCallback aCallback, void* aCallbackData); - NS_IMETHOD_(bool) KeyUp(const nsNativeKeyEvent& aEvent, + NS_IMETHOD_(bool) KeyUp(const nsKeyEvent& aEvent, DoCommandCallback aCallback, void* aCallbackData); diff --git a/widget/cocoa/NativeKeyBindings.mm b/widget/cocoa/NativeKeyBindings.mm index 70cb150e2a9..1861318b3fc 100644 --- a/widget/cocoa/NativeKeyBindings.mm +++ b/widget/cocoa/NativeKeyBindings.mm @@ -169,14 +169,14 @@ NativeKeyBindings::Init(NativeKeyBindingsType aType) NS_IMPL_ISUPPORTS1(NativeKeyBindings, nsINativeKeyBindings) NS_IMETHODIMP_(bool) -NativeKeyBindings::KeyDown(const nsNativeKeyEvent& aEvent, +NativeKeyBindings::KeyDown(const nsKeyEvent& aEvent, DoCommandCallback aCallback, void* aCallbackData) { return false; } NS_IMETHODIMP_(bool) -NativeKeyBindings::KeyPress(const nsNativeKeyEvent& aEvent, +NativeKeyBindings::KeyPress(const nsKeyEvent& aEvent, DoCommandCallback aCallback, void* aCallbackData) { PR_LOG(gNativeKeyBindingsLog, PR_LOG_ALWAYS, @@ -184,11 +184,8 @@ NativeKeyBindings::KeyPress(const nsNativeKeyEvent& aEvent, // Recover the current event, which should always be the key down we are // responding to. - nsKeyEvent* geckoEvent = aEvent.mGeckoEvent; - MOZ_ASSERT(geckoEvent); - - NSEvent* cocoaEvent = reinterpret_cast(geckoEvent->mNativeKeyEvent); + NSEvent* cocoaEvent = reinterpret_cast(aEvent.mNativeKeyEvent); if (!cocoaEvent || [cocoaEvent type] != NSKeyDown) { PR_LOG(gNativeKeyBindingsLog, PR_LOG_ALWAYS, @@ -270,7 +267,7 @@ NativeKeyBindings::KeyPress(const nsNativeKeyEvent& aEvent, } NS_IMETHODIMP_(bool) -NativeKeyBindings::KeyUp(const nsNativeKeyEvent& aEvent, +NativeKeyBindings::KeyUp(const nsKeyEvent& aEvent, DoCommandCallback aCallback, void* aCallbackData) { return false; diff --git a/widget/cocoa/TextInputHandler.mm b/widget/cocoa/TextInputHandler.mm index 4201c3c2048..c6841ed2a32 100644 --- a/widget/cocoa/TextInputHandler.mm +++ b/widget/cocoa/TextInputHandler.mm @@ -914,6 +914,7 @@ TISInputSourceWrapper::InitKeyEvent(NSEvent *aNativeKeyEvent, case kVK_ANSI_KeypadDivide: case kVK_ANSI_KeypadEquals: case kVK_ANSI_KeypadEnter: + case kVK_JIS_KeypadComma: case kVK_Powerbook_KeypadEnter: aKeyEvent.location = nsIDOMKeyEvent::DOM_KEY_LOCATION_NUMPAD; break; @@ -1223,6 +1224,8 @@ TISInputSourceWrapper::ComputeGeckoKeyCode(UInt32 aNativeKeyCode, case kVK_ANSI_KeypadDecimal: return NS_VK_DECIMAL; case kVK_ANSI_KeypadDivide: return NS_VK_DIVIDE; + case kVK_JIS_KeypadComma: return NS_VK_SEPARATOR; + // IME keys case kVK_JIS_Eisu: return NS_VK_EISU; case kVK_JIS_Kana: return NS_VK_KANA; diff --git a/widget/gtk2/nsGtkKeyUtils.cpp b/widget/gtk2/nsGtkKeyUtils.cpp index 90bd89b78a6..facd4c637e0 100644 --- a/widget/gtk2/nsGtkKeyUtils.cpp +++ b/widget/gtk2/nsGtkKeyUtils.cpp @@ -33,152 +33,9 @@ PRLogModuleInfo* gKeymapWrapperLog = nullptr; namespace mozilla { namespace widget { -struct KeyPair { - uint32_t DOMKeyCode; - guint GDKKeyval; -}; - #define IS_ASCII_ALPHABETICAL(key) \ ((('a' <= key) && (key <= 'z')) || (('A' <= key) && (key <= 'Z'))) -// -// Netscape keycodes are defined in widget/public/nsGUIEvent.h -// GTK keycodes are defined in -// -static const KeyPair kKeyPairs[] = { - { NS_VK_CANCEL, GDK_Cancel }, - { NS_VK_BACK, GDK_BackSpace }, - { NS_VK_TAB, GDK_Tab }, - { NS_VK_TAB, GDK_ISO_Left_Tab }, - { NS_VK_CLEAR, GDK_Clear }, - { NS_VK_RETURN, GDK_Return }, - { NS_VK_SHIFT, GDK_Shift_L }, - { NS_VK_SHIFT, GDK_Shift_R }, - { NS_VK_SHIFT, GDK_Shift_Lock }, - { NS_VK_CONTROL, GDK_Control_L }, - { NS_VK_CONTROL, GDK_Control_R }, - { NS_VK_ALT, GDK_Alt_L }, - { NS_VK_ALT, GDK_Alt_R }, - { NS_VK_META, GDK_Meta_L }, - { NS_VK_META, GDK_Meta_R }, - - // Assume that Super or Hyper is always mapped to physical Win key. - { NS_VK_WIN, GDK_Super_L }, - { NS_VK_WIN, GDK_Super_R }, - { NS_VK_WIN, GDK_Hyper_L }, - { NS_VK_WIN, GDK_Hyper_R }, - - // GTK's AltGraph key is similar to Mac's Option (Alt) key. However, - // unfortunately, browsers on Mac are using NS_VK_ALT for it even though - // it's really different from Alt key on Windows. - // On the other hand, GTK's AltGrapsh keys are really different from - // Alt key. However, there is no AltGrapsh key on Windows. On Windows, - // both Ctrl and Alt keys are pressed internally when AltGr key is pressed. - // For some languages' users, AltGraph key is important, so, web - // applications on such locale may want to know AltGraph key press. - // Therefore, we should map AltGr keycode for them only on GTK. - { NS_VK_ALTGR, GDK_ISO_Level3_Shift }, - { NS_VK_ALTGR, GDK_ISO_Level5_Shift }, - // We assume that Mode_switch is always used for level3 shift. - { NS_VK_ALTGR, GDK_Mode_switch }, - - { NS_VK_PAUSE, GDK_Pause }, - { NS_VK_CAPS_LOCK, GDK_Caps_Lock }, - { NS_VK_KANA, GDK_Kana_Lock }, - { NS_VK_KANA, GDK_Kana_Shift }, - { NS_VK_HANGUL, GDK_Hangul }, - // { NS_VK_JUNJA, GDK_XXX }, - // { NS_VK_FINAL, GDK_XXX }, - { NS_VK_HANJA, GDK_Hangul_Hanja }, - { NS_VK_KANJI, GDK_Kanji }, - { NS_VK_ESCAPE, GDK_Escape }, - { NS_VK_CONVERT, GDK_Henkan }, - { NS_VK_NONCONVERT, GDK_Muhenkan }, - // { NS_VK_ACCEPT, GDK_XXX }, - // { NS_VK_MODECHANGE, GDK_XXX }, - { NS_VK_SPACE, GDK_space }, - { NS_VK_PAGE_UP, GDK_Page_Up }, - { NS_VK_PAGE_DOWN, GDK_Page_Down }, - { NS_VK_END, GDK_End }, - { NS_VK_HOME, GDK_Home }, - { NS_VK_LEFT, GDK_Left }, - { NS_VK_UP, GDK_Up }, - { NS_VK_RIGHT, GDK_Right }, - { NS_VK_DOWN, GDK_Down }, - { NS_VK_SELECT, GDK_Select }, - { NS_VK_PRINT, GDK_Print }, - { NS_VK_EXECUTE, GDK_Execute }, - { NS_VK_PRINTSCREEN, GDK_Print }, - { NS_VK_INSERT, GDK_Insert }, - { NS_VK_DELETE, GDK_Delete }, - { NS_VK_HELP, GDK_Help }, - - // keypad keys - { NS_VK_LEFT, GDK_KP_Left }, - { NS_VK_RIGHT, GDK_KP_Right }, - { NS_VK_UP, GDK_KP_Up }, - { NS_VK_DOWN, GDK_KP_Down }, - { NS_VK_PAGE_UP, GDK_KP_Page_Up }, - // Not sure what these are - //{ NS_VK_, GDK_KP_Prior }, - //{ NS_VK_, GDK_KP_Next }, - { NS_VK_CLEAR, GDK_KP_Begin }, // Num-unlocked 5 - { NS_VK_PAGE_DOWN, GDK_KP_Page_Down }, - { NS_VK_HOME, GDK_KP_Home }, - { NS_VK_END, GDK_KP_End }, - { NS_VK_INSERT, GDK_KP_Insert }, - { NS_VK_DELETE, GDK_KP_Delete }, - { NS_VK_RETURN, GDK_KP_Enter }, - - { NS_VK_NUM_LOCK, GDK_Num_Lock }, - { NS_VK_SCROLL_LOCK,GDK_Scroll_Lock }, - - // Function keys - { NS_VK_F1, GDK_F1 }, - { NS_VK_F2, GDK_F2 }, - { NS_VK_F3, GDK_F3 }, - { NS_VK_F4, GDK_F4 }, - { NS_VK_F5, GDK_F5 }, - { NS_VK_F6, GDK_F6 }, - { NS_VK_F7, GDK_F7 }, - { NS_VK_F8, GDK_F8 }, - { NS_VK_F9, GDK_F9 }, - { NS_VK_F10, GDK_F10 }, - { NS_VK_F11, GDK_F11 }, - { NS_VK_F12, GDK_F12 }, - { NS_VK_F13, GDK_F13 }, - { NS_VK_F14, GDK_F14 }, - { NS_VK_F15, GDK_F15 }, - { NS_VK_F16, GDK_F16 }, - { NS_VK_F17, GDK_F17 }, - { NS_VK_F18, GDK_F18 }, - { NS_VK_F19, GDK_F19 }, - { NS_VK_F20, GDK_F20 }, - { NS_VK_F21, GDK_F21 }, - { NS_VK_F22, GDK_F22 }, - { NS_VK_F23, GDK_F23 }, - { NS_VK_F24, GDK_F24 }, - - // context menu key, keysym 0xff67, typically keycode 117 on 105-key (Microsoft) - // x86 keyboards, located between right 'Windows' key and right Ctrl key - { NS_VK_CONTEXT_MENU, GDK_Menu }, - { NS_VK_SLEEP, GDK_Sleep }, - - { NS_VK_ATTN, GDK_3270_Attn }, - { NS_VK_CRSEL, GDK_3270_CursorSelect }, - { NS_VK_EXSEL, GDK_3270_ExSelect }, - { NS_VK_EREOF, GDK_3270_EraseEOF }, - { NS_VK_PLAY, GDK_3270_Play }, - //{ NS_VK_ZOOM, GDK_XXX }, - { NS_VK_PA1, GDK_3270_PA1 }, -}; - -// map Sun Keyboard special keysyms on to NS_VK keys -static const KeyPair kSunKeyPairs[] = { - {NS_VK_F11, 0x1005ff10 }, //Sun F11 key generates SunF36(0x1005ff10) keysym - {NS_VK_F12, 0x1005ff11 } //Sun F12 key generates SunF37(0x1005ff11) keysym -}; - #define MOZ_MODIFIER_KEYS "MozKeymapWrapper" KeymapWrapper* KeymapWrapper::sInstance = nullptr; @@ -848,88 +705,6 @@ KeymapWrapper::ComputeDOMKeyNameIndex(const GdkEventKey* aGdkKeyEvent) return ch ? KEY_NAME_INDEX_PrintableKey : KEY_NAME_INDEX_Unidentified; } -/* static */ guint -KeymapWrapper::GuessGDKKeyval(uint32_t aDOMKeyCode) -{ - // First, try to handle alphanumeric input, not listed in nsKeycodes: - // most likely, more letters will be getting typed in than things in - // the key list, so we will look through these first. - - if (aDOMKeyCode >= NS_VK_A && aDOMKeyCode <= NS_VK_Z) { - // gdk and DOM both use the ASCII codes for these keys. - return aDOMKeyCode; - } - - // numbers - if (aDOMKeyCode >= NS_VK_0 && aDOMKeyCode <= NS_VK_9) { - // gdk and DOM both use the ASCII codes for these keys. - return aDOMKeyCode - NS_VK_0 + GDK_0; - } - - switch (aDOMKeyCode) { - // keys in numpad - case NS_VK_MULTIPLY: return GDK_KP_Multiply; - case NS_VK_ADD: return GDK_KP_Add; - case NS_VK_SEPARATOR: return GDK_KP_Separator; - case NS_VK_SUBTRACT: return GDK_KP_Subtract; - case NS_VK_DECIMAL: return GDK_KP_Decimal; - case NS_VK_DIVIDE: return GDK_KP_Divide; - case NS_VK_NUMPAD0: return GDK_KP_0; - case NS_VK_NUMPAD1: return GDK_KP_1; - case NS_VK_NUMPAD2: return GDK_KP_2; - case NS_VK_NUMPAD3: return GDK_KP_3; - case NS_VK_NUMPAD4: return GDK_KP_4; - case NS_VK_NUMPAD5: return GDK_KP_5; - case NS_VK_NUMPAD6: return GDK_KP_6; - case NS_VK_NUMPAD7: return GDK_KP_7; - case NS_VK_NUMPAD8: return GDK_KP_8; - case NS_VK_NUMPAD9: return GDK_KP_9; - // other prinable keys - case NS_VK_SPACE: return GDK_space; - case NS_VK_COLON: return GDK_colon; - case NS_VK_SEMICOLON: return GDK_semicolon; - case NS_VK_LESS_THAN: return GDK_less; - case NS_VK_EQUALS: return GDK_equal; - case NS_VK_GREATER_THAN: return GDK_greater; - case NS_VK_QUESTION_MARK: return GDK_question; - case NS_VK_AT: return GDK_at; - case NS_VK_CIRCUMFLEX: return GDK_asciicircum; - case NS_VK_EXCLAMATION: return GDK_exclam; - case NS_VK_DOUBLE_QUOTE: return GDK_quotedbl; - case NS_VK_HASH: return GDK_numbersign; - case NS_VK_DOLLAR: return GDK_dollar; - case NS_VK_PERCENT: return GDK_percent; - case NS_VK_AMPERSAND: return GDK_ampersand; - case NS_VK_UNDERSCORE: return GDK_underscore; - case NS_VK_OPEN_PAREN: return GDK_parenleft; - case NS_VK_CLOSE_PAREN: return GDK_parenright; - case NS_VK_ASTERISK: return GDK_asterisk; - case NS_VK_PLUS: return GDK_plus; - case NS_VK_PIPE: return GDK_bar; - case NS_VK_HYPHEN_MINUS: return GDK_minus; - case NS_VK_OPEN_CURLY_BRACKET: return GDK_braceleft; - case NS_VK_CLOSE_CURLY_BRACKET: return GDK_braceright; - case NS_VK_TILDE: return GDK_asciitilde; - case NS_VK_COMMA: return GDK_comma; - case NS_VK_PERIOD: return GDK_period; - case NS_VK_SLASH: return GDK_slash; - case NS_VK_BACK_QUOTE: return GDK_grave; - case NS_VK_OPEN_BRACKET: return GDK_bracketleft; - case NS_VK_BACK_SLASH: return GDK_backslash; - case NS_VK_CLOSE_BRACKET: return GDK_bracketright; - case NS_VK_QUOTE: return GDK_apostrophe; - } - - // misc other things - for (uint32_t i = 0; i < ArrayLength(kKeyPairs); ++i) { - if (kKeyPairs[i].DOMKeyCode == aDOMKeyCode) { - return kKeyPairs[i].GDKKeyval; - } - } - - return 0; -} - /* static */ void KeymapWrapper::InitKeyEvent(nsKeyEvent& aKeyEvent, GdkEventKey* aGdkKeyEvent) @@ -1057,6 +832,7 @@ KeymapWrapper::InitKeyEvent(nsKeyEvent& aKeyEvent, // (An XEvent would be nice but the GdkEvent is good enough.) aKeyEvent.pluginEvent = (void *)aGdkKeyEvent; aKeyEvent.time = aGdkKeyEvent->time; + aKeyEvent.mNativeKeyEvent = static_cast(aGdkKeyEvent); } /* static */ uint32_t @@ -1205,21 +981,141 @@ KeymapWrapper::GetGDKKeyvalWithoutModifier(const GdkEventKey *aGdkKeyEvent) /* static */ uint32_t KeymapWrapper::GetDOMKeyCodeFromKeyPairs(guint aGdkKeyval) { - // map Sun Keyboard special keysyms first. - for (uint32_t i = 0; i < ArrayLength(kSunKeyPairs); i++) { - if (kSunKeyPairs[i].GDKKeyval == aGdkKeyval) { - return kSunKeyPairs[i].DOMKeyCode; - } - } + switch (aGdkKeyval) { + case GDK_Cancel: return NS_VK_CANCEL; + case GDK_BackSpace: return NS_VK_BACK; + case GDK_Tab: + case GDK_ISO_Left_Tab: return NS_VK_TAB; + case GDK_Clear: return NS_VK_CLEAR; + case GDK_Return: return NS_VK_RETURN; + case GDK_Shift_L: + case GDK_Shift_R: + case GDK_Shift_Lock: return NS_VK_SHIFT; + case GDK_Control_L: + case GDK_Control_R: return NS_VK_CONTROL; + case GDK_Alt_L: + case GDK_Alt_R: return NS_VK_ALT; + case GDK_Meta_L: + case GDK_Meta_R: return NS_VK_META; - // misc other things - for (uint32_t i = 0; i < ArrayLength(kKeyPairs); i++) { - if (kKeyPairs[i].GDKKeyval == aGdkKeyval) { - return kKeyPairs[i].DOMKeyCode; - } - } + // Assume that Super or Hyper is always mapped to physical Win key. + case GDK_Super_L: + case GDK_Super_R: + case GDK_Hyper_L: + case GDK_Hyper_R: return NS_VK_WIN; - return 0; + // GTK's AltGraph key is similar to Mac's Option (Alt) key. However, + // unfortunately, browsers on Mac are using NS_VK_ALT for it even though + // it's really different from Alt key on Windows. + // On the other hand, GTK's AltGrapsh keys are really different from + // Alt key. However, there is no AltGrapsh key on Windows. On Windows, + // both Ctrl and Alt keys are pressed internally when AltGr key is + // pressed. For some languages' users, AltGraph key is important, so, + // web applications on such locale may want to know AltGraph key press. + // Therefore, we should map AltGr keycode for them only on GTK. + case GDK_ISO_Level3_Shift: + case GDK_ISO_Level5_Shift: + // We assume that Mode_switch is always used for level3 shift. + case GDK_Mode_switch: return NS_VK_ALTGR; + + case GDK_Pause: return NS_VK_PAUSE; + case GDK_Caps_Lock: return NS_VK_CAPS_LOCK; + case GDK_Kana_Lock: + case GDK_Kana_Shift: return NS_VK_KANA; + case GDK_Hangul: return NS_VK_HANGUL; + // case GDK_XXX: return NS_VK_JUNJA; + // case GDK_XXX: return NS_VK_FINAL; + case GDK_Hangul_Hanja: return NS_VK_HANJA; + case GDK_Kanji: return NS_VK_KANJI; + case GDK_Escape: return NS_VK_ESCAPE; + case GDK_Henkan: return NS_VK_CONVERT; + case GDK_Muhenkan: return NS_VK_NONCONVERT; + // case GDK_XXX: return NS_VK_ACCEPT; + // case GDK_XXX: return NS_VK_MODECHANGE; + case GDK_space: return NS_VK_SPACE; + case GDK_Page_Up: return NS_VK_PAGE_UP; + case GDK_Page_Down: return NS_VK_PAGE_DOWN; + case GDK_End: return NS_VK_END; + case GDK_Home: return NS_VK_HOME; + case GDK_Left: return NS_VK_LEFT; + case GDK_Up: return NS_VK_UP; + case GDK_Right: return NS_VK_RIGHT; + case GDK_Down: return NS_VK_DOWN; + case GDK_Select: return NS_VK_SELECT; + case GDK_Print: return NS_VK_PRINT; + case GDK_Execute: return NS_VK_EXECUTE; + case GDK_Insert: return NS_VK_INSERT; + case GDK_Delete: return NS_VK_DELETE; + case GDK_Help: return NS_VK_HELP; + + // keypad keys + case GDK_KP_Left: return NS_VK_LEFT; + case GDK_KP_Right: return NS_VK_RIGHT; + case GDK_KP_Up: return NS_VK_UP; + case GDK_KP_Down: return NS_VK_DOWN; + case GDK_KP_Page_Up: return NS_VK_PAGE_UP; + // Not sure what these are + // case GDK_KP_Prior: return NS_VK_; + // case GDK_KP_Next: return NS_VK_; + case GDK_KP_Begin: return NS_VK_CLEAR; // Num-unlocked 5 + case GDK_KP_Page_Down: return NS_VK_PAGE_DOWN; + case GDK_KP_Home: return NS_VK_HOME; + case GDK_KP_End: return NS_VK_END; + case GDK_KP_Insert: return NS_VK_INSERT; + case GDK_KP_Delete: return NS_VK_DELETE; + case GDK_KP_Enter: return NS_VK_RETURN; + + case GDK_Num_Lock: return NS_VK_NUM_LOCK; + case GDK_Scroll_Lock: return NS_VK_SCROLL_LOCK; + + // Function keys + case GDK_F1: return NS_VK_F1; + case GDK_F2: return NS_VK_F2; + case GDK_F3: return NS_VK_F3; + case GDK_F4: return NS_VK_F4; + case GDK_F5: return NS_VK_F5; + case GDK_F6: return NS_VK_F6; + case GDK_F7: return NS_VK_F7; + case GDK_F8: return NS_VK_F8; + case GDK_F9: return NS_VK_F9; + case GDK_F10: return NS_VK_F10; + case GDK_F11: return NS_VK_F11; + case GDK_F12: return NS_VK_F12; + case GDK_F13: return NS_VK_F13; + case GDK_F14: return NS_VK_F14; + case GDK_F15: return NS_VK_F15; + case GDK_F16: return NS_VK_F16; + case GDK_F17: return NS_VK_F17; + case GDK_F18: return NS_VK_F18; + case GDK_F19: return NS_VK_F19; + case GDK_F20: return NS_VK_F20; + case GDK_F21: return NS_VK_F21; + case GDK_F22: return NS_VK_F22; + case GDK_F23: return NS_VK_F23; + case GDK_F24: return NS_VK_F24; + + // context menu key, keysym 0xff67, typically keycode 117 on 105-key + // (Microsoft) x86 keyboards, located between right 'Windows' key and + // right Ctrl key + case GDK_Menu: return NS_VK_CONTEXT_MENU; + case GDK_Sleep: return NS_VK_SLEEP; + + case GDK_3270_Attn: return NS_VK_ATTN; + case GDK_3270_CursorSelect: return NS_VK_CRSEL; + case GDK_3270_ExSelect: return NS_VK_EXSEL; + case GDK_3270_EraseEOF: return NS_VK_EREOF; + case GDK_3270_Play: return NS_VK_PLAY; + // case GDK_XXX: return NS_VK_ZOOM; + case GDK_3270_PA1: return NS_VK_PA1; + + // map Sun Keyboard special keysyms on to NS_VK keys + + // Sun F11 key generates SunF36(0x1005ff10) keysym + case 0x1005ff10: return NS_VK_F11; + // Sun F12 key generates SunF37(0x1005ff11) keysym + case 0x1005ff11: return NS_VK_F12; + default: return 0; + } } void diff --git a/widget/gtk2/nsGtkKeyUtils.h b/widget/gtk2/nsGtkKeyUtils.h index 6a8cf9e294e..3660283801a 100644 --- a/widget/gtk2/nsGtkKeyUtils.h +++ b/widget/gtk2/nsGtkKeyUtils.h @@ -40,13 +40,6 @@ public: */ KeyNameIndex ComputeDOMKeyNameIndex(const GdkEventKey* aGdkKeyEvent); - /** - * Returns a GDK keyval which is related to the aDOMKeyCode. However, - * it may not be same as original value since there are some lost - * information. - */ - static guint GuessGDKKeyval(uint32_t aDOMKeyCode); - /** * Modifier is list of modifiers which we support in widget level. */ diff --git a/widget/gtk2/nsNativeKeyBindings.cpp b/widget/gtk2/nsNativeKeyBindings.cpp index 08f4e890067..0cb4603c111 100644 --- a/widget/gtk2/nsNativeKeyBindings.cpp +++ b/widget/gtk2/nsNativeKeyBindings.cpp @@ -236,74 +236,74 @@ nsNativeKeyBindings::~nsNativeKeyBindings() NS_IMPL_ISUPPORTS1(nsNativeKeyBindings, nsINativeKeyBindings) bool -nsNativeKeyBindings::KeyDown(const nsNativeKeyEvent& aEvent, +nsNativeKeyBindings::KeyDown(const nsKeyEvent& aEvent, DoCommandCallback aCallback, void *aCallbackData) { return false; } bool -nsNativeKeyBindings::KeyPress(const nsNativeKeyEvent& aEvent, +nsNativeKeyBindings::KeyPress(const nsKeyEvent& aEvent, DoCommandCallback aCallback, void *aCallbackData) { - uint32_t keyCode; - - if (aEvent.charCode != 0) - keyCode = gdk_unicode_to_keyval(aEvent.charCode); - else - keyCode = KeymapWrapper::GuessGDKKeyval(aEvent.keyCode); - - if (KeyPressInternal(aEvent, aCallback, aCallbackData, keyCode)) - return true; - - nsKeyEvent *nativeKeyEvent = aEvent.mGeckoEvent; - if (!nativeKeyEvent || - (nativeKeyEvent->eventStructType != NS_KEY_EVENT && - nativeKeyEvent->message != NS_KEY_PRESS)) { + // If the native key event is set, it must be synthesized for tests. + // We just ignore such events because this behavior depends on system + // settings. + if (!aEvent.mNativeKeyEvent) { + // It must be synthesized event or dispatched DOM event from chrome. return false; } - for (uint32_t i = 0; i < nativeKeyEvent->alternativeCharCodes.Length(); ++i) { - uint32_t ch = nativeKeyEvent->IsShift() ? - nativeKeyEvent->alternativeCharCodes[i].mShiftedCharCode : - nativeKeyEvent->alternativeCharCodes[i].mUnshiftedCharCode; + guint keyval; + + if (aEvent.charCode) { + keyval = gdk_unicode_to_keyval(aEvent.charCode); + } else { + keyval = + static_cast(aEvent.mNativeKeyEvent)->keyval; + } + + if (KeyPressInternal(aEvent, aCallback, aCallbackData, keyval)) { + return true; + } + + for (uint32_t i = 0; i < aEvent.alternativeCharCodes.Length(); ++i) { + uint32_t ch = aEvent.IsShift() ? + aEvent.alternativeCharCodes[i].mShiftedCharCode : + aEvent.alternativeCharCodes[i].mUnshiftedCharCode; if (ch && ch != aEvent.charCode) { - keyCode = gdk_unicode_to_keyval(ch); - if (KeyPressInternal(aEvent, aCallback, aCallbackData, keyCode)) + keyval = gdk_unicode_to_keyval(ch); + if (KeyPressInternal(aEvent, aCallback, aCallbackData, keyval)) { return true; + } } } -/* gtk_bindings_activate_event is preferable, but it has unresolved bug: http://bugzilla.gnome.org/show_bug.cgi?id=162726 -Also gtk_bindings_activate may work with some non-shortcuts operations (todo: check it) -See bugs 411005 406407 +/* +gtk_bindings_activate_event is preferable, but it has unresolved bug: +http://bugzilla.gnome.org/show_bug.cgi?id=162726 +The bug was already marked as FIXED. However, somebody reports that the +bug still exists. +Also gtk_bindings_activate may work with some non-shortcuts operations +(todo: check it). See bug 411005 and bug 406407. - Code, which should be used after fixing http://bugzilla.gnome.org/show_bug.cgi?id=162726: - const nsGUIEvent *guiEvent = aEvent.mGeckoEvent; - if (guiEvent && - (guiEvent->message == NS_KEY_PRESS || guiEvent->message == NS_KEY_UP || guiEvent->message == NS_KEY_DOWN) && - guiEvent->pluginEvent) - gtk_bindings_activate_event(GTK_OBJECT(mNativeTarget), - static_cast(guiEvent->pluginEvent)); +Code, which should be used after fixing GNOME bug 162726: + + gtk_bindings_activate_event(GTK_OBJECT(mNativeTarget), + static_cast(aEvent.mNativeKeyEvent)); */ return false; } bool -nsNativeKeyBindings::KeyPressInternal(const nsNativeKeyEvent& aEvent, +nsNativeKeyBindings::KeyPressInternal(const nsKeyEvent& aEvent, DoCommandCallback aCallback, void *aCallbackData, - uint32_t aKeyCode) + guint aKeyval) { - int modifiers = 0; - if (aEvent.altKey) - modifiers |= GDK_MOD1_MASK; - if (aEvent.ctrlKey) - modifiers |= GDK_CONTROL_MASK; - if (aEvent.shiftKey) - modifiers |= GDK_SHIFT_MASK; - // we don't support meta + guint modifiers = + static_cast(aEvent.mNativeKeyEvent)->state; gCurrentCallback = aCallback; gCurrentCallbackData = aCallbackData; @@ -311,10 +311,10 @@ nsNativeKeyBindings::KeyPressInternal(const nsNativeKeyEvent& aEvent, gHandled = false; #if (MOZ_WIDGET_GTK == 2) gtk_bindings_activate(GTK_OBJECT(mNativeTarget), - aKeyCode, GdkModifierType(modifiers)); + aKeyval, GdkModifierType(modifiers)); #else gtk_bindings_activate(G_OBJECT(mNativeTarget), - aKeyCode, GdkModifierType(modifiers)); + aKeyval, GdkModifierType(modifiers)); #endif gCurrentCallback = nullptr; @@ -324,7 +324,7 @@ nsNativeKeyBindings::KeyPressInternal(const nsNativeKeyEvent& aEvent, } bool -nsNativeKeyBindings::KeyUp(const nsNativeKeyEvent& aEvent, +nsNativeKeyBindings::KeyUp(const nsKeyEvent& aEvent, DoCommandCallback aCallback, void *aCallbackData) { return false; diff --git a/widget/gtk2/nsNativeKeyBindings.h b/widget/gtk2/nsNativeKeyBindings.h index 2500d7bc760..343c026ff41 100644 --- a/widget/gtk2/nsNativeKeyBindings.h +++ b/widget/gtk2/nsNativeKeyBindings.h @@ -37,25 +37,25 @@ public: NS_DECL_ISUPPORTS // nsINativeKeyBindings - virtual NS_HIDDEN_(bool) KeyDown(const nsNativeKeyEvent& aEvent, - DoCommandCallback aCallback, - void *aCallbackData); - - virtual NS_HIDDEN_(bool) KeyPress(const nsNativeKeyEvent& aEvent, - DoCommandCallback aCallback, - void *aCallbackData); - - virtual NS_HIDDEN_(bool) KeyUp(const nsNativeKeyEvent& aEvent, + virtual NS_HIDDEN_(bool) KeyDown(const nsKeyEvent& aEvent, DoCommandCallback aCallback, void *aCallbackData); + virtual NS_HIDDEN_(bool) KeyPress(const nsKeyEvent& aEvent, + DoCommandCallback aCallback, + void *aCallbackData); + + virtual NS_HIDDEN_(bool) KeyUp(const nsKeyEvent& aEvent, + DoCommandCallback aCallback, + void *aCallbackData); + private: ~nsNativeKeyBindings() NS_HIDDEN; - bool KeyPressInternal(const nsNativeKeyEvent& aEvent, - DoCommandCallback aCallback, - void *aCallbackData, - uint32_t aKeyCode); + bool KeyPressInternal(const nsKeyEvent& aEvent, + DoCommandCallback aCallback, + void *aCallbackData, + guint aKeyval); GtkWidget *mNativeTarget; }; diff --git a/widget/nsINativeKeyBindings.h b/widget/nsINativeKeyBindings.h index d29b9c01331..3d6914bb20a 100644 --- a/widget/nsINativeKeyBindings.h +++ b/widget/nsINativeKeyBindings.h @@ -10,7 +10,7 @@ #include "nsEvent.h" #define NS_INATIVEKEYBINDINGS_IID \ -{0x606c54e7, 0x0593, 0x4750, {0x99, 0xd9, 0x4e, 0x1b, 0xcc, 0xec, 0x98, 0xd9}} +{0xc2baecc3, 0x1758, 0x4211, {0x96, 0xbe, 0xee, 0x1b, 0x1b, 0x7c, 0xd7, 0x6d}} #define NS_NATIVEKEYBINDINGS_CONTRACTID_PREFIX \ "@mozilla.org/widget/native-key-bindings;1?type=" @@ -24,17 +24,6 @@ NS_NATIVEKEYBINDINGS_CONTRACTID_PREFIX "textarea" #define NS_NATIVEKEYBINDINGSEDITOR_CONTRACTID \ NS_NATIVEKEYBINDINGS_CONTRACTID_PREFIX "editor" -struct nsNativeKeyEvent -{ - nsKeyEvent* mGeckoEvent; // see bug 406407 to see how this is used - uint32_t keyCode; - uint32_t charCode; - bool altKey; - bool ctrlKey; - bool shiftKey; - bool metaKey; -}; - class nsINativeKeyBindings : public nsISupports { public: @@ -42,17 +31,17 @@ class nsINativeKeyBindings : public nsISupports NS_DECLARE_STATIC_IID_ACCESSOR(NS_INATIVEKEYBINDINGS_IID) - virtual NS_HIDDEN_(bool) KeyDown(const nsNativeKeyEvent& aEvent, - DoCommandCallback aCallback, - void *aCallbackData) = 0; - - virtual NS_HIDDEN_(bool) KeyPress(const nsNativeKeyEvent& aEvent, - DoCommandCallback aCallback, - void *aCallbackData) = 0; - - virtual NS_HIDDEN_(bool) KeyUp(const nsNativeKeyEvent& aEvent, + virtual NS_HIDDEN_(bool) KeyDown(const nsKeyEvent& aEvent, DoCommandCallback aCallback, void *aCallbackData) = 0; + + virtual NS_HIDDEN_(bool) KeyPress(const nsKeyEvent& aEvent, + DoCommandCallback aCallback, + void *aCallbackData) = 0; + + virtual NS_HIDDEN_(bool) KeyUp(const nsKeyEvent& aEvent, + DoCommandCallback aCallback, + void *aCallbackData) = 0; }; NS_DEFINE_STATIC_IID_ACCESSOR(nsINativeKeyBindings, NS_INATIVEKEYBINDINGS_IID) diff --git a/widget/tests/test_keycodes.xul b/widget/tests/test_keycodes.xul index 3c1e2ac0ce6..8acefe28225 100644 --- a/widget/tests/test_keycodes.xul +++ b/widget/tests/test_keycodes.xul @@ -1195,6 +1195,14 @@ function runKeyEventTests() nsIDOMKeyEvent.DOM_VK_RETURN, "", SHOULD_DELIVER_ALL, KeyboardEvent.DOM_KEY_LOCATION_NUMPAD); testKey({layout:"US", keyCode:MAC_VK_ANSI_KeypadEnter, numLock:1, command:1, chars:"\u0003", unmodifiedChars:"\u0003"}, nsIDOMKeyEvent.DOM_VK_RETURN, "", SHOULD_DELIVER_KEYDOWN_KEYPRESS, KeyboardEvent.DOM_KEY_LOCATION_NUMPAD); + testKey({layout:"US", keyCode:MAC_VK_JIS_KeypadComma, numLock:1, shift:1, chars:",", unmodifiedChars:","}, + nsIDOMKeyEvent.DOM_VK_SEPARATOR, ",", SHOULD_DELIVER_ALL, KeyboardEvent.DOM_KEY_LOCATION_NUMPAD); + testKey({layout:"US", keyCode:MAC_VK_JIS_KeypadComma, numLock:1, ctrl:1, chars:",", unmodifiedChars:","}, + nsIDOMKeyEvent.DOM_VK_SEPARATOR, ",", SHOULD_DELIVER_ALL, KeyboardEvent.DOM_KEY_LOCATION_NUMPAD); + testKey({layout:"US", keyCode:MAC_VK_JIS_KeypadComma, numLock:1, alt:1, chars:",", unmodifiedChars:","}, + nsIDOMKeyEvent.DOM_VK_SEPARATOR, ",", SHOULD_DELIVER_ALL, KeyboardEvent.DOM_KEY_LOCATION_NUMPAD); + testKey({layout:"US", keyCode:MAC_VK_JIS_KeypadComma, numLock:1, command:1, chars:",", unmodifiedChars:","}, + nsIDOMKeyEvent.DOM_VK_SEPARATOR, ",", SHOULD_DELIVER_KEYDOWN_KEYPRESS, KeyboardEvent.DOM_KEY_LOCATION_NUMPAD); // French, numeric testKey({layout:"French", keyCode:MAC_VK_ANSI_1, chars:"\u0026", unmodifiedChars:"\u0026"}, diff --git a/widget/windows/winrt/FrameworkView.h b/widget/windows/winrt/FrameworkView.h index b03eca507f6..36e3dfbb33e 100644 --- a/widget/windows/winrt/FrameworkView.h +++ b/widget/windows/winrt/FrameworkView.h @@ -6,7 +6,6 @@ #pragma once #include "nsGUIEvent.h" -#include "mozilla/TimeStamp.h" #include "MetroWidget.h" #include "gfxWindowsPlatform.h" #include "gfxD2DSurface.h" diff --git a/widget/windows/winrt/MetroAppShell.h b/widget/windows/winrt/MetroAppShell.h index f714f1d8700..79b0b5239c6 100644 --- a/widget/windows/winrt/MetroAppShell.h +++ b/widget/windows/winrt/MetroAppShell.h @@ -7,7 +7,6 @@ #include "nsBaseAppShell.h" #include -#include "mozilla/TimeStamp.h" #include "nsWindowsHelpers.h" #include "nsIObserver.h" diff --git a/xpcom/build/XPCOM.h b/xpcom/build/XPCOM.h index 5477fb9e364..5afca04ff20 100644 --- a/xpcom/build/XPCOM.h +++ b/xpcom/build/XPCOM.h @@ -54,7 +54,6 @@ #include "nsInterfaceHashtable.h" #include "nsClassHashtable.h" #include "nsRefPtrHashtable.h" -#include "mozilla/TimeStamp.h" // interfaces that inherit directly from nsISupports diff --git a/xpcom/ds/nsCharSeparatedTokenizer.h b/xpcom/ds/nsCharSeparatedTokenizer.h index 80cb154d50f..67dae241c91 100644 --- a/xpcom/ds/nsCharSeparatedTokenizer.h +++ b/xpcom/ds/nsCharSeparatedTokenizer.h @@ -6,6 +6,8 @@ #ifndef __nsCharSeparatedTokenizer_h #define __nsCharSeparatedTokenizer_h +#include "mozilla/RangedPtr.h" + #include "nsDependentSubstring.h" #include "nsCRT.h" @@ -40,17 +42,17 @@ public: nsCharSeparatedTokenizerTemplate(const nsSubstring& aSource, PRUnichar aSeparatorChar, uint32_t aFlags = 0) - : mFirstTokenBeganWithWhitespace(false), + : mIter(aSource.Data(), aSource.Length()), + mEnd(aSource.Data() + aSource.Length(), aSource.Data(), + aSource.Length()), + mFirstTokenBeganWithWhitespace(false), mLastTokenEndedWithWhitespace(false), mLastTokenEndedWithSeparator(false), mSeparatorChar(aSeparatorChar), mFlags(aFlags) { - aSource.BeginReading(mIter); - aSource.EndReading(mEnd); - // Skip initial whitespace - while (mIter != mEnd && IsWhitespace(*mIter)) { + while (mIter < mEnd && IsWhitespace(*mIter)) { mFirstTokenBeganWithWhitespace = true; ++mIter; } @@ -64,7 +66,7 @@ public: NS_ASSERTION(mIter == mEnd || !IsWhitespace(*mIter), "Should be at beginning of token if there is one"); - return mIter != mEnd; + return mIter < mEnd; } bool firstTokenBeganWithWhitespace() const @@ -87,24 +89,24 @@ public: */ const nsDependentSubstring nextToken() { - nsSubstring::const_char_iterator end = mIter, begin = mIter; + mozilla::RangedPtr tokenStart = mIter, tokenEnd = mIter; NS_ASSERTION(mIter == mEnd || !IsWhitespace(*mIter), "Should be at beginning of token if there is one"); // Search until we hit separator or end (or whitespace, if separator // isn't required -- see clause with 'break' below). - while (mIter != mEnd && *mIter != mSeparatorChar) { + while (mIter < mEnd && *mIter != mSeparatorChar) { // Skip to end of current word. - while (mIter != mEnd && + while (mIter < mEnd && !IsWhitespace(*mIter) && *mIter != mSeparatorChar) { ++mIter; } - end = mIter; + tokenEnd = mIter; // Skip whitespace after current word. mLastTokenEndedWithWhitespace = false; - while (mIter != mEnd && IsWhitespace(*mIter)) { + while (mIter < mEnd && IsWhitespace(*mIter)) { mLastTokenEndedWithWhitespace = true; ++mIter; } @@ -118,7 +120,7 @@ public: mLastTokenEndedWithSeparator = (mIter != mEnd && *mIter == mSeparatorChar); NS_ASSERTION((mFlags & SEPARATOR_OPTIONAL) || - (mLastTokenEndedWithSeparator == (mIter != mEnd)), + (mLastTokenEndedWithSeparator == (mIter < mEnd)), "If we require a separator and haven't hit the end of " "our string, then we shouldn't have left the loop " "unless we hit a separator"); @@ -127,16 +129,17 @@ public: if (mLastTokenEndedWithSeparator) { ++mIter; - while (mIter != mEnd && IsWhitespace(*mIter)) { + while (mIter < mEnd && IsWhitespace(*mIter)) { ++mIter; } } - return Substring(begin, end); + return Substring(tokenStart.get(), tokenEnd.get()); } private: - nsSubstring::const_char_iterator mIter, mEnd; + mozilla::RangedPtr mIter; + const mozilla::RangedPtr mEnd; bool mFirstTokenBeganWithWhitespace; bool mLastTokenEndedWithWhitespace; bool mLastTokenEndedWithSeparator; @@ -160,12 +163,13 @@ class nsCCharSeparatedTokenizer public: nsCCharSeparatedTokenizer(const nsCSubstring& aSource, char aSeparatorChar) - : mSeparatorChar(aSeparatorChar) + : mIter(aSource.Data(), aSource.Length()), + mEnd(aSource.Data() + aSource.Length(), aSource.Data(), + aSource.Length()), + mSeparatorChar(aSeparatorChar) { - aSource.BeginReading(mIter); - aSource.EndReading(mEnd); - while (mIter != mEnd && isWhitespace(*mIter)) { + while (mIter < mEnd && isWhitespace(*mIter)) { ++mIter; } } @@ -175,7 +179,7 @@ public: */ bool hasMoreTokens() { - return mIter != mEnd; + return mIter < mEnd; } /** @@ -183,36 +187,37 @@ public: */ const nsDependentCSubstring nextToken() { - nsCSubstring::const_char_iterator end = mIter, begin = mIter; + mozilla::RangedPtr tokenStart = mIter, tokenEnd = mIter; // Search until we hit separator or end. - while (mIter != mEnd && *mIter != mSeparatorChar) { - while (mIter != mEnd && + while (mIter < mEnd && *mIter != mSeparatorChar) { + while (mIter < mEnd && !isWhitespace(*mIter) && *mIter != mSeparatorChar) { ++mIter; } - end = mIter; + tokenEnd = mIter; - while (mIter != mEnd && isWhitespace(*mIter)) { + while (mIter < mEnd && isWhitespace(*mIter)) { ++mIter; } } // Skip separator (and any whitespace after it). - if (mIter != mEnd) { + if (mIter < mEnd) { NS_ASSERTION(*mIter == mSeparatorChar, "Ended loop too soon"); ++mIter; - while (mIter != mEnd && isWhitespace(*mIter)) { + while (mIter < mEnd && isWhitespace(*mIter)) { ++mIter; } } - return Substring(begin, end); + return Substring(tokenStart.get(), tokenEnd.get()); } private: - nsCSubstring::const_char_iterator mIter, mEnd; + mozilla::RangedPtr mIter; + const mozilla::RangedPtr mEnd; char mSeparatorChar; bool isWhitespace(unsigned char aChar) diff --git a/xpcom/ds/nsWhitespaceTokenizer.h b/xpcom/ds/nsWhitespaceTokenizer.h index 5f2e8aba592..085827890bf 100644 --- a/xpcom/ds/nsWhitespaceTokenizer.h +++ b/xpcom/ds/nsWhitespaceTokenizer.h @@ -6,17 +6,18 @@ #ifndef __nsWhitespaceTokenizer_h #define __nsWhitespaceTokenizer_h +#include "mozilla/RangedPtr.h" #include "nsDependentSubstring.h" class nsWhitespaceTokenizer { public: nsWhitespaceTokenizer(const nsSubstring& aSource) + : mIter(aSource.Data(), aSource.Length()), + mEnd(aSource.Data() + aSource.Length(), aSource.Data(), + aSource.Length()) { - aSource.BeginReading(mIter); - aSource.EndReading(mEnd); - - while (mIter != mEnd && isWhitespace(*mIter)) { + while (mIter < mEnd && isWhitespace(*mIter)) { ++mIter; } } @@ -26,7 +27,7 @@ public: */ bool hasMoreTokens() { - return mIter != mEnd; + return mIter < mEnd; } /** @@ -34,19 +35,20 @@ public: */ const nsDependentSubstring nextToken() { - nsSubstring::const_char_iterator begin = mIter; - while (mIter != mEnd && !isWhitespace(*mIter)) { + const mozilla::RangedPtr tokenStart = mIter; + while (mIter < mEnd && !isWhitespace(*mIter)) { ++mIter; } - nsSubstring::const_char_iterator end = mIter; - while (mIter != mEnd && isWhitespace(*mIter)) { + const mozilla::RangedPtr tokenEnd = mIter; + while (mIter < mEnd && isWhitespace(*mIter)) { ++mIter; } - return Substring(begin, end); + return Substring(tokenStart.get(), tokenEnd.get()); } private: - nsSubstring::const_char_iterator mIter, mEnd; + mozilla::RangedPtr mIter; + const mozilla::RangedPtr mEnd; bool isWhitespace(PRUnichar aChar) { @@ -60,11 +62,11 @@ class nsCWhitespaceTokenizer { public: nsCWhitespaceTokenizer(const nsCSubstring& aSource) + : mIter(aSource.Data(), aSource.Length()), + mEnd(aSource.Data() + aSource.Length(), aSource.Data(), + aSource.Length()) { - aSource.BeginReading(mIter); - aSource.EndReading(mEnd); - - while (mIter != mEnd && isWhitespace(*mIter)) { + while (mIter < mEnd && isWhitespace(*mIter)) { ++mIter; } } @@ -74,7 +76,7 @@ public: */ bool hasMoreTokens() { - return mIter != mEnd; + return mIter < mEnd; } /** @@ -82,19 +84,20 @@ public: */ const nsDependentCSubstring nextToken() { - nsCSubstring::const_char_iterator begin = mIter; - while (mIter != mEnd && !isWhitespace(*mIter)) { + const mozilla::RangedPtr tokenStart = mIter; + while (mIter < mEnd && !isWhitespace(*mIter)) { ++mIter; } - nsCSubstring::const_char_iterator end = mIter; - while (mIter != mEnd && isWhitespace(*mIter)) { + const mozilla::RangedPtr tokenEnd = mIter; + while (mIter < mEnd && isWhitespace(*mIter)) { ++mIter; } - return Substring(begin, end); + return Substring(tokenStart.get(), tokenEnd.get()); } private: - nsCSubstring::const_char_iterator mIter, mEnd; + mozilla::RangedPtr mIter; + const mozilla::RangedPtr mEnd; bool isWhitespace(char aChar) { diff --git a/xpcom/threads/TimerThread.h b/xpcom/threads/TimerThread.h index aba1e4ba8ed..81d4f6cd9ca 100644 --- a/xpcom/threads/TimerThread.h +++ b/xpcom/threads/TimerThread.h @@ -18,7 +18,10 @@ #include "mozilla/Atomics.h" #include "mozilla/Attributes.h" #include "mozilla/Monitor.h" -#include "mozilla/TimeStamp.h" + +namespace mozilla { +class TimeStamp; +} class TimerThread MOZ_FINAL : public nsIRunnable, public nsIObserver