Backed out changeset c288fb0952fb (bug 1211568) for build bustage CLOSED TREE

Wes Kocher 2015-10-05 15:56:08 -07:00
parent 9b92f778ac
commit 07dede6792
267 changed files with 4104 additions and 7767 deletions


@ -1,5 +0,0 @@
*~
*.swp
*OPT.OBJ/
*DBG.OBJ/
*DBG.OBJD/


@ -1 +1 @@
NSS_3_21_Beta2
NSS_3_20_RTM


@ -1,18 +0,0 @@
checkout:
post:
- cd ..; hg clone https://hg.mozilla.org/projects/nspr
test:
override:
- make nss_build_all
- cd tests; NSS_TESTS=ssl_gtests NSS_CYCLES=standard ./all.sh
machine:
environment:
{ USE_64: 1,
NSS_ENABLE_TLS_1_3: 1,
NSS_BUILD_GTESTS: 1,
}
hosts:


@ -56,7 +56,8 @@ char *testdir = NULL;
#define TIMEMARK(seconds) \
time1 = PR_SecondsToInterval(seconds); \
{ \
PRInt64 tmp; \
PRInt64 tmp, L100; \
LL_I2L(L100, 100); \
if (time2 == 0) { \
time2 = 1; \
} \
@ -312,6 +313,7 @@ serialize_key(SECItem *it, int ni, PRFileDesc *file)
{
unsigned char len[4];
int i;
SECStatus status;
NSSBase64Encoder *cx;
cx = NSSBase64Encoder_Create(output_ascii, file);
for (i=0; i<ni; i++, it++) {
@ -319,11 +321,11 @@ serialize_key(SECItem *it, int ni, PRFileDesc *file)
len[1] = (it->len >> 16) & 0xff;
len[2] = (it->len >> 8) & 0xff;
len[3] = (it->len & 0xff);
NSSBase64Encoder_Update(cx, len, 4);
NSSBase64Encoder_Update(cx, it->data, it->len);
status = NSSBase64Encoder_Update(cx, len, 4);
status = NSSBase64Encoder_Update(cx, it->data, it->len);
}
NSSBase64Encoder_Destroy(cx, PR_FALSE);
PR_Write(file, "\r\n", 2);
status = NSSBase64Encoder_Destroy(cx, PR_FALSE);
status = PR_Write(file, "\r\n", 2);
}
void
@ -1434,7 +1436,7 @@ bltest_aes_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
int minorMode;
int i;
int keylen = aesp->key.buf.len;
unsigned int blocklen = AES_BLOCK_SIZE;
int blocklen = AES_BLOCK_SIZE;
PRIntervalTime time1, time2;
unsigned char *params;
int len;
@ -1633,8 +1635,6 @@ bltest_rsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
cipherInfo->cipher.pubkeyCipher = encrypt ? rsa_encryptOAEP
: rsa_decryptOAEP;
break;
default:
break;
}
return SECSuccess;
}
@ -2569,6 +2569,8 @@ printPR_smpString(const char *sformat, char *reportStr,
fprintf(stdout, sformat, reportStr);
PR_smprintf_free(reportStr);
} else {
int prnRes;
LL_L2I(prnRes, rNum);
fprintf(stdout, nformat, rNum);
}
}
@ -2789,8 +2791,8 @@ mode_str_to_hash_alg(const SECItem *modeStr)
case bltestSHA256: return HASH_AlgSHA256;
case bltestSHA384: return HASH_AlgSHA384;
case bltestSHA512: return HASH_AlgSHA512;
default: return HASH_AlgNULL;
}
return HASH_AlgNULL;
}
void
@ -3002,7 +3004,7 @@ blapi_selftest(bltestCipherMode *modes, int numModes, int inoff, int outoff,
bltestIO pt, ct;
bltestCipherMode mode;
bltestParams *params;
unsigned int i, j, nummodes, numtests;
int i, j, nummodes, numtests;
char *modestr;
char filename[256];
PLArenaPool *arena;
@ -3455,12 +3457,13 @@ static secuCommandFlag bltest_options[] =
int main(int argc, char **argv)
{
char *infileName, *outfileName, *keyfileName, *ivfileName;
SECStatus rv = SECFailure;
double totalTime = 0.0;
double totalTime;
PRIntervalTime time1, time2;
PRFileDesc *outfile = NULL;
bltestCipherInfo *cipherInfoListHead, *cipherInfo = NULL;
bltestCipherInfo *cipherInfoListHead, *cipherInfo;
bltestIOMode ioMode;
int bufsize, exponent, curThrdNum;
#ifndef NSS_DISABLE_ECC
@ -3508,6 +3511,8 @@ int main(int argc, char **argv)
cipherInfo = PORT_ZNew(bltestCipherInfo);
cipherInfoListHead = cipherInfo;
/* set some defaults */
infileName = outfileName = keyfileName = ivfileName = NULL;
/* Check the number of commands entered on the command line. */
commandsEntered = 0;
@ -3552,7 +3557,7 @@ int main(int argc, char **argv)
unsigned int keySize = 1024;
unsigned long exponent = 65537;
int rounds = 1;
int ret = -1;
int ret;
if (bltest.options[opt_KeySize].activated) {
keySize = PORT_Atoi(bltest.options[opt_KeySize].arg);
@ -3707,10 +3712,8 @@ int main(int argc, char **argv)
fprintf(stderr, "%s: You must specify a signature file with -f.\n",
progName);
print_usage:
if (cipherInfo) {
PORT_Free(cipherInfo);
}
print_usage:
PORT_Free(cipherInfo);
Usage();
}
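Review bot: In serialize_key the `status = NSSBase64Encoder_Update(...)`, `status = NSSBase64Encoder_Destroy(...)` and `status = PR_Write(file, "\r\n", 2);` assignments are never followed by a test of `status`, so an encoder or write failure while dumping key material goes unreported; either check it after each call or drop the assignments, and note that PR_Write returns a byte count (2 or -1) rather than a SECStatus, so storing it in `status` is a type mismatch. In main, `double totalTime;`, `int ret;` and `bltestCipherInfo *cipherInfoListHead, *cipherInfo;` lose their initialisers in the `@ -3455` and `@ -3552` hunks, while the `@ -3707` hunk frees `cipherInfo` unconditionally at `print_usage:`; if any usage-error jump can precede `cipherInfo = PORT_ZNew(bltestCipherInfo)` that frees an indeterminate pointer, so `*cipherInfo = NULL` at the declaration is the cheap safeguard. The `@ -2569` hunk computes `prnRes` with LL_L2I and then prints `rNum` anyway, leaving `prnRes` unused. main's body continues outside these hunks, so the early-exit paths cannot be confirmed from here.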


@ -356,6 +356,81 @@ find_field_bool(Pair *data,
}
}
static char *
update_data_by_name(Pair *data,
char *field_name,
char *new_data)
/* replaces the data in the data structure associated with
a name with new data, returns null if not found */
{
int i = 0;
int found = 0;
int length = 100;
char *new;
while (return_name(data, i) != NULL) {
if (PORT_Strcmp(return_name(data, i), field_name) == 0) {
new = make_copy_string( new_data, length, '\0');
PORT_Free(return_data(data, i));
found = 1;
(*(data + i)).data = new;
break;
}
i++;
}
if (!found) {
new = NULL;
}
return new;
}
static char *
update_data_by_index(Pair *data,
int n,
char *new_data)
/* replaces the data of a particular index in the data structure */
{
int length = 100;
char *new;
new = make_copy_string(new_data, length, '\0');
PORT_Free(return_data(data, n));
(*(data + n)).data = new;
return new;
}
static Pair *
add_field(Pair *data,
char* field_name,
char* field_data)
/* adds a new name/data pair to the data structure */
{
int i = 0;
int j;
int name_length = 100;
int data_length = 100;
while(return_name(data, i) != NULL) {
i++;
}
j = START_FIELDS;
while ( j < (i + 1) ) {
j = j * 2;
}
if (j == (i + 1)) {
data = (Pair *) PORT_Realloc(data, (j * 2) * sizeof(Pair));
if (data == NULL) {
error_allocate();
}
}
(*(data + i)).name = make_copy_string(field_name, name_length, '\0');
(*(data + i)).data = make_copy_string(field_data, data_length, '\0');
(data + i + 1)->name = NULL;
return data;
}
static CERTCertificateRequest *
makeCertReq(Pair *form_data,
int which_priv_key)
@ -452,6 +527,10 @@ MakeV1Cert(CERTCertDBHandle *handle,
PRExplodedTime printableTime;
PRTime now,
after;
SECStatus rv;
if ( !selfsign ) {
issuerCert = CERT_FindCertByNameString(handle, issuerNameStr);
if (!issuerCert) {
@ -460,7 +539,7 @@ MakeV1Cert(CERTCertDBHandle *handle,
}
}
if (find_field_bool(data, "manValidity", PR_TRUE)) {
(void)DER_AsciiToTime(&now, find_field(data, "notBefore", PR_TRUE));
rv = DER_AsciiToTime(&now, find_field(data, "notBefore", PR_TRUE));
} else {
now = PR_Now();
}
@ -471,7 +550,7 @@ MakeV1Cert(CERTCertDBHandle *handle,
PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
}
if (find_field_bool(data, "manValidity", PR_TRUE)) {
(void)DER_AsciiToTime(&after, find_field(data, "notAfter", PR_TRUE));
rv = DER_AsciiToTime(&after, find_field(data, "notAfter", PR_TRUE));
PR_ExplodeTime (after, PR_GMTParameters, &printableTime);
} else {
printableTime.tm_month += 3;
@ -508,11 +587,11 @@ get_serial_number(Pair *data)
if (find_field_bool(data, "serial-auto", PR_TRUE)) {
serialFile = fopen(filename, "r");
if (serialFile != NULL) {
size_t nread = fread(&serial, sizeof(int), 1, serialFile);
if (ferror(serialFile) != 0 || nread != 1) {
fread(&serial, sizeof(int), 1, serialFile);
if (ferror(serialFile) != 0) {
error_out("Error: Unable to read serial number file");
}
if (serial == -1) {
if (serial == 4294967295) {
serial = 21;
}
fclose(serialFile);
@ -1338,49 +1417,52 @@ string_to_ipaddress(char *string)
return ipaddress;
}
static int
chr_to_hex(char c) {
if (isdigit(c)) {
return c - '0';
}
if (isxdigit(c)) {
return toupper(c) - 'A' + 10;
}
return -1;
}
static SECItem *
string_to_binary(char *string)
string_to_binary(char *string)
{
SECItem *rv;
int high_digit;
int low_digit;
rv = (SECItem *) PORT_ZAlloc(sizeof(SECItem));
if (rv == NULL) {
error_allocate();
}
rv->data = (unsigned char *) PORT_ZAlloc((PORT_Strlen(string))/3 + 2);
rv->len = 0;
while (*string && !isxdigit(*string)) {
while (!isxdigit(*string)) {
string++;
}
while (*string) {
int high, low;
high = chr_to_hex(*string++);
low = chr_to_hex(*string++);
if (high < 0 || low < 0) {
error_out("ERROR: Improperly formated binary encoding");
}
rv->data[(rv->len)++] = high << 4 | low;
if (*string != ':') {
break;
}
++string;
}
while (*string == ' ') {
++string;
}
if (*string) {
error_out("ERROR: Junk after binary encoding");
rv->len = 0;
while (*string != '\0') {
if (isxdigit(*string)) {
if (*string >= '0' && *string <= '9') {
high_digit = *string - '0';
} else {
*string = toupper(*string);
high_digit = *string - 'A' + 10;
}
string++;
if (*string >= '0' && *string <= '9') {
low_digit = *string - '0';
} else {
*string = toupper(*string);
low_digit = *string - 'A' + 10;
}
(rv->len)++;
} else {
if (*string == ':') {
string++;
} else {
if (*string == ' ') {
while (*string == ' ') {
string++;
}
}
if (*string != '\0') {
error_out("ERROR: Improperly formated binary encoding");
}
}
}
}
return rv;
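Review bot: In string_to_binary the leading skip `while (!isxdigit(*string)) { string++; }` has no end-of-string guard, so an input with no hex digit at all walks past the terminator, and inside the main loop the low nibble is read after an unconditional `string++` with no check that the character is a hex digit or even non-NUL. The input is also modified in place by `*string = toupper(*string)`, and `*string` is passed to the ctype functions as a plain `char`; since this is CGI form data, add `*string &&` to both loops, cast to `(unsigned char)` for isxdigit/toupper, and reject a missing low digit instead of computing `'\0' - 'A' + 10`. In the same section's get_serial_number hunk, `fread(&serial, sizeof(int), 1, serialFile);` ignores its return value, so a short read leaves `serial` partly set with only `ferror` consulted; `if (fread(&serial, sizeof(int), 1, serialFile) != 1)` is the check to make, and if `serial` is an `int` the sentinel test `serial == 4294967295` can never be true on an LP64 target and should be `serial == -1`. string_to_binary's closing brace lies outside the hunk.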


@ -609,27 +609,6 @@ DeleteCert(CERTCertDBHandle *handle, char *name)
return rv;
}
static SECStatus
RenameCert(CERTCertDBHandle *handle, char *name, char *newName)
{
SECStatus rv;
CERTCertificate *cert;
cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
if (!cert) {
SECU_PrintError(progName, "could not find certificate named \"%s\"",
name);
return SECFailure;
}
rv = __PK11_SetCertificateNickname(cert, newName);
CERT_DestroyCertificate(cert);
if (rv) {
SECU_PrintError(progName, "unable to rename certificate");
}
return rv;
}
static SECStatus
ValidateCert(CERTCertDBHandle *handle, char *name, char *date,
char *certUsage, PRBool checkSig, PRBool logit,
@ -1005,8 +984,6 @@ PrintSyntax(char *progName)
"\t\t [-8 dns-names] [-a]\n",
progName);
FPS "\t%s -D -n cert-name [-d certdir] [-P dbprefix]\n", progName);
FPS "\t%s --rename -n cert-name --new-n new-cert-name\n"
"\t\t [-d certdir] [-P dbprefix]\n", progName);
FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
progName);
FPS "\t%s -F -n nickname [-d certdir] [-P dbprefix]\n",
@ -1573,25 +1550,6 @@ static void luW(enum usage_level ul, const char *command)
FPS "\n");
}
static void luRename(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "rename"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Change the database nickname of a certificate\n",
"--rename");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s The old nickname of the cert to rename\n",
" -n cert-name");
FPS "%-20s The new nickname of the cert to rename\n",
" --new-n new-name");
FPS "%-20s Cert database directory (default is ~/.netscape)\n",
" -d certdir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
FPS "\n");
}
static void luUpgradeMerge(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "upgrade-merge"));
@ -1754,7 +1712,6 @@ static void LongUsage(char *progName, enum usage_level ul, const char *command)
luC(ul, command);
luG(ul, command);
luD(ul, command);
luRename(ul, command);
luF(ul, command);
luU(ul, command);
luK(ul, command);
@ -2254,7 +2211,6 @@ enum {
cmd_Batch,
cmd_Merge,
cmd_UpgradeMerge, /* test only */
cmd_Rename,
max_cmd
};
@ -2323,7 +2279,6 @@ enum certutilOpts {
opt_AddSubjectAltNameExt,
opt_DumpExtensionValue,
opt_GenericExtensions,
opt_NewNickname,
opt_Help
};
@ -2354,9 +2309,7 @@ secuCommandFlag commands_init[] =
{ /* cmd_Batch */ 'B', PR_FALSE, 0, PR_FALSE },
{ /* cmd_Merge */ 0, PR_FALSE, 0, PR_FALSE, "merge" },
{ /* cmd_UpgradeMerge */ 0, PR_FALSE, 0, PR_FALSE,
"upgrade-merge" },
{ /* cmd_Rename */ 0, PR_FALSE, 0, PR_FALSE,
"rename" }
"upgrade-merge" }
};
#define NUM_COMMANDS ((sizeof commands_init) / (sizeof commands_init[0]))
@ -2442,8 +2395,6 @@ secuCommandFlag options_init[] =
"dump-ext-val"},
{ /* opt_GenericExtensions */ 0, PR_TRUE, 0, PR_FALSE,
"extGeneric"},
{ /* opt_NewNickname */ 0, PR_TRUE, 0, PR_FALSE,
"new-n"},
};
#define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0]))
@ -2477,7 +2428,6 @@ certutil_main(int argc, char **argv, PRBool initialize)
char * upgradeTokenName = "";
KeyType keytype = rsaKey;
char * name = NULL;
char * newName = NULL;
char * email = NULL;
char * keysource = NULL;
SECOidTag hashAlgTag = SEC_OID_UNKNOWN;
@ -2836,19 +2786,6 @@ certutil_main(int argc, char **argv, PRBool initialize)
return 255;
}
/* Rename needs an old and a new nickname */
if (certutil.commands[cmd_Rename].activated &&
!(certutil.options[opt_Nickname].activated &&
certutil.options[opt_NewNickname].activated)) {
PR_fprintf(PR_STDERR,
"%s --rename: specify an old nickname (-n) and\n"
" a new nickname (--new-n).\n",
progName);
return 255;
}
/* Upgrade/Merge needs a source database and a upgrade id. */
if (certutil.commands[cmd_UpgradeMerge].activated &&
!(certutil.options[opt_SourceDir].activated &&
@ -2930,7 +2867,6 @@ certutil_main(int argc, char **argv, PRBool initialize)
}
name = SECU_GetOptionArg(&certutil, opt_Nickname);
newName = SECU_GetOptionArg(&certutil, opt_NewNickname);
email = SECU_GetOptionArg(&certutil, opt_Emailaddress);
PK11_SetPasswordFunc(SECU_GetModulePassword);
@ -3169,11 +3105,6 @@ merge_fail:
rv = DeleteCert(certHandle, name);
goto shutdown;
}
/* Rename cert (--rename) */
if (certutil.commands[cmd_Rename].activated) {
rv = RenameCert(certHandle, name, newName);
goto shutdown;
}
/* Delete key (-F) */
if (certutil.commands[cmd_DeleteKey].activated) {
rv = DeleteKey(name, &pwdata);


@ -122,6 +122,7 @@ OurVerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
SECStatus rv;
VFYContext *cx;
SECOidData *sigAlgOid, *oiddata;
SECOidTag sigAlgTag;
SECOidTag hashAlgTag;
int showDigestOid=0;
@ -133,6 +134,8 @@ OurVerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
sigAlgOid = SECOID_FindOID(&sigAlgorithm->algorithm);
if (sigAlgOid == 0)
return SECFailure;
sigAlgTag = sigAlgOid->offset;
if (showDigestOid) {
oiddata = SECOID_FindOIDByTag(hashAlgTag);
@ -385,7 +388,7 @@ int main(int argc, char **argv)
SECU_RegisterDynamicOids();
rv = SECU_PrintSignedData(stdout, &derCert, "Certificate", 0,
(SECU_PPFunc)SECU_PrintCertificate);
SECU_PrintCertificate);
if (rv) {
fprintf(stderr, "%s: Unable to pretty print cert. Error: %d\n",
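Review bot: `sigAlgTag = sigAlgOid->offset;` in OurVerifyData stores a value that is not read anywhere in the hunk; if the function does not use it further down, the declaration and assignment are dead and will draw a set-but-unused warning. Dropping the `(SECU_PPFunc)` cast in main passes SECU_PrintCertificate directly to SECU_PrintSignedData; if its prototype differs from SECU_PPFunc, compilers report an incompatible-pointer-type warning, so either the cast or a matching prototype should stay. OurVerifyData's body continues past the hunk.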


@ -545,7 +545,7 @@ crlgen_CreateReasonCode(PLArenaPool *arena, const char **dataArr,
{
SECItem *encodedItem;
void *dummy;
void *mark = NULL;
void *mark;
int code = 0;
PORT_Assert(arena && dataArr);
@ -583,9 +583,7 @@ crlgen_CreateReasonCode(PLArenaPool *arena, const char **dataArr,
return encodedItem;
loser:
if (mark) {
PORT_ArenaRelease (arena, mark);
}
PORT_ArenaRelease (arena, mark);
return NULL;
}
@ -597,7 +595,7 @@ crlgen_CreateInvalidityDate(PLArenaPool *arena, const char **dataArr,
{
SECItem *encodedItem;
int length = 0;
void *mark = NULL;
void *mark;
PORT_Assert(arena && dataArr);
if (!arena || !dataArr) {
@ -626,9 +624,7 @@ crlgen_CreateInvalidityDate(PLArenaPool *arena, const char **dataArr,
return encodedItem;
loser:
if (mark) {
PORT_ArenaRelease(arena, mark);
}
PORT_ArenaRelease(arena, mark);
return NULL;
}
@ -1083,6 +1079,7 @@ static SECStatus
crlgen_RmCert(CRLGENGeneratorData *crlGenData, char *certId)
{
PRUint64 i = 0;
PLArenaPool *arena;
PORT_Assert(crlGenData && certId);
if (!crlGenData || !certId) {
@ -1090,6 +1087,8 @@ crlgen_RmCert(CRLGENGeneratorData *crlGenData, char *certId)
return SECFailure;
}
arena = crlGenData->signCrl->arena;
if (crlgen_SetNewRangeField(crlGenData, certId) == SECFailure &&
certId) {
return SECFailure;
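Review bot: `void *mark;` in crlgen_CreateReasonCode and crlgen_CreateInvalidityDate is uninitialized and each `loser:` label now calls `PORT_ArenaRelease(arena, mark)` unconditionally, so any `goto loser` taken before the mark is set passes an indeterminate pointer to the arena. Either keep `void *mark = NULL;` together with the `if (mark)` guard at both labels, or verify that no jump to `loser` can precede the PORT_ArenaMark call (the argument checks that follow the PORT_Assert sit outside the hunk, so that cannot be confirmed here). In crlgen_RmCert, `arena` is assigned from `crlGenData->signCrl->arena` but never read in the hunk; if it is unused later it should go, otherwise the assignment dereferences `signCrl` without a null check.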


@ -128,7 +128,7 @@ static void ListCRLNames (CERTCertDBHandle *certHandle, int crlType, PRBool dele
while (crlNode) {
char* asciiname = NULL;
CERTCertificate *cert = NULL;
if (crlNode->crl && crlNode->crl->crl.derName.data != NULL) {
if (crlNode->crl && &crlNode->crl->crl.derName) {
cert = CERT_FindCertByName(certHandle,
&crlNode->crl->crl.derName);
if (!cert) {
@ -698,7 +698,6 @@ GenerateCRL (CERTCertDBHandle *certHandle, char *certNickName,
signCrl = CreateModifiedCRLCopy(arena, certHandle, &cert, certNickName,
inFile, decodeOptions, importOptions);
if (signCrl == NULL) {
rv = SECFailure;
goto loser;
}
}
@ -706,7 +705,6 @@ GenerateCRL (CERTCertDBHandle *certHandle, char *certNickName,
if (!cert) {
cert = FindSigningCert(certHandle, signCrl, certNickName);
if (cert == NULL) {
rv = SECFailure;
goto loser;
}
}
@ -723,10 +721,8 @@ GenerateCRL (CERTCertDBHandle *certHandle, char *certNickName,
outFileName);
}
signCrl = CreateNewCrl(arena, certHandle, cert);
if (!signCrl) {
rv = SECFailure;
if (!signCrl)
goto loser;
}
}
rv = UpdateCrl(signCrl, inCrlInitFile);
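Review bot: `if (crlNode->crl && &crlNode->crl->crl.derName)` in ListCRLNames is always true, because the address of a struct member is never null, so the guard no longer keeps CERT_FindCertByName from being called with an empty issuer name; the intended test is `if (crlNode->crl && crlNode->crl->crl.derName.data != NULL)`. In GenerateCRL the three `goto loser` paths (CreateModifiedCRLCopy, FindSigningCert and CreateNewCrl returning NULL) no longer set `rv = SECFailure`, so whatever `rv` held before — plausibly the SECSuccess of an earlier call — is what the loser path returns; restore the assignment before each jump or initialise `rv = SECFailure` at the top of the function. GenerateCRL's loser label and return are outside the hunk.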


@ -127,17 +127,13 @@ debug_test(SECItem *src, char *filePath)
SECStatus
get_serial_number(long *dest)
{
SECStatus rv;
SECStatus rv;
if (dest == NULL) {
if (dest == NULL) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
}
rv = PK11_GenerateRandom((unsigned char *)dest, sizeof(long));
if (rv != SECSuccess) {
/* PK11_GenerateRandom calls PORT_SetError */
return SECFailure;
}
/* make serial number positive */
if (*dest < 0L)
*dest = - *dest;
@ -941,6 +937,18 @@ DoCMMFStuff(void)
return rv;
}
static CK_MECHANISM_TYPE
mapWrapKeyType(KeyType keyType)
{
switch (keyType) {
case rsaKey:
return CKM_RSA_PKCS;
default:
break;
}
return CKM_INVALID_MECHANISM;
}
#define KNOWN_MESSAGE_LENGTH 20 /*160 bits*/
int
@ -1525,6 +1533,10 @@ main(int argc, char **argv)
PRUint32 flags = 0;
SECStatus rv;
PRBool nssInit = PR_FALSE;
PRBool pArg = PR_FALSE;
PRBool eArg = PR_FALSE;
PRBool sArg = PR_FALSE;
PRBool PArg = PR_FALSE;
memset( &signPair, 0, sizeof signPair);
memset( &cryptPair, 0, sizeof cryptPair);
@ -1547,6 +1559,7 @@ main(int argc, char **argv)
printf ("-p failed\n");
return 603;
}
pArg = PR_TRUE;
break;
case 'e':
recoveryEncrypter = PORT_Strdup(optstate->value);
@ -1554,6 +1567,7 @@ main(int argc, char **argv)
printf ("-e failed\n");
return 602;
}
eArg = PR_TRUE;
break;
case 's':
caCertName = PORT_Strdup(optstate->value);
@ -1561,6 +1575,7 @@ main(int argc, char **argv)
printf ("-s failed\n");
return 604;
}
sArg = PR_TRUE;
break;
case 'P':
password = PORT_Strdup(optstate->value);
@ -1570,6 +1585,7 @@ main(int argc, char **argv)
}
pwdata.source = PW_PLAINTEXT;
pwdata.data = password;
PArg = PR_TRUE;
break;
case 'f':
pwfile = PORT_Strdup(optstate->value);
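Review bot: In get_serial_number the result of `PK11_GenerateRandom((unsigned char *)dest, sizeof(long))` is stored in `rv` and then ignored, so on failure the caller gets SECSuccess and `*dest` holds whatever it contained before, which is then negated as if it were a fresh random serial; keep `if (rv != SECSuccess) { return SECFailure; }` after the call (PK11_GenerateRandom sets the error code itself). `mapWrapKeyType` and the `pArg`/`eArg`/`sArg`/`PArg` flags set in main are not referenced anywhere in these hunks; if nothing later in the file reads them they will produce unused-function and set-but-unused warnings and should be removed. main continues outside the hunks.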



@ -339,6 +339,7 @@ static enum {
static const char stopCmd[] = { "GET /stop " };
static const char getCmd[] = { "GET " };
static const char EOFmsg[] = { "EOF\r\n\r\n\r\n" };
static const char outHeader[] = {
"HTTP/1.0 200 OK\r\n"
"Server: Generic Web Server\r\n"
@ -711,8 +712,8 @@ handle_connection(
/* else good status response */
if (!isPost && ocspMethodsAllowed == ocspGetUnknown) {
unknown = PR_TRUE;
nextUpdate = PR_Now() + (PRTime)60*60*24 * PR_USEC_PER_SEC; /*tomorrow*/
revoDate = PR_Now() - (PRTime)60*60*24 * PR_USEC_PER_SEC; /*yesterday*/
nextUpdate = PR_Now() + 60*60*24 * PR_USEC_PER_SEC; /*tomorrow*/
revoDate = PR_Now() - 60*60*24 * PR_USEC_PER_SEC; /*yesterday*/
}
}
}
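Review bot: `60*60*24 * PR_USEC_PER_SEC` is evaluated in the type of PR_USEC_PER_SEC before it is added to the 64-bit PR_Now() result; if that constant is a 32-bit `long` (as on Win32 and ILP32 targets) the product 86,400,000,000 overflows a signed 32-bit integer, which is undefined behaviour, and `nextUpdate`/`revoDate` end up far from "tomorrow" and "yesterday". Widen before multiplying, `nextUpdate = PR_Now() + (PRTime)60*60*24 * PR_USEC_PER_SEC;` and likewise for `revoDate`. `EOFmsg` is added as a file-scope array but not used in this hunk; if it has no reader elsewhere in the file it should be dropped.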


@ -684,7 +684,7 @@ static unsigned char nibble(char c) {
SECStatus
SECU_SECItemHexStringToBinary(SECItem* srcdest)
{
unsigned int i;
int i;
if (!srcdest) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);


@ -446,7 +446,7 @@ prettyPrintLength(FILE *out, const unsigned char *data, const unsigned char *end
}
lenLen = nb + 1;
if (raw) {
unsigned int i;
int i;
rv = prettyPrintByte(out, lbyte, lv);
if (rv < 0)
@ -503,10 +503,9 @@ prettyPrintItem(FILE *out, const unsigned char *data, const unsigned char *end,
data += lenLen;
/*
* Just quit now if slen more bytes puts us off the end,
* or if there's no more data to process.
* Just quit now if slen more bytes puts us off the end.
*/
if ((data + slen) >= end) {
if ((data + slen) > end) {
PORT_SetError(SEC_ERROR_BAD_DER);
return -1;
}
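Review bot: `if ((data + slen) > end)` in prettyPrintItem forms a pointer beyond the buffer before comparing it whenever `slen` exceeds the remaining input, and on 32-bit pointers a large DER length can wrap the sum back below `end` so the SEC_ERROR_BAD_DER check is skipped; compare lengths instead of pointers, `if (slen > (size_t)(end - data)) {`, which is well defined as long as `data` has not already passed `end`. The comment above it should then say only that the item's declared length must fit in the remaining input. The type of `slen` and the check that keeps `data <= end` are outside the hunk, so adjust the cast to match.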


@ -577,7 +577,7 @@ const Constant _consts[] = {
};
const Constant *consts = &_consts[0];
const unsigned int constCount = sizeof(_consts)/sizeof(_consts[0]);
const int constCount = sizeof(_consts)/sizeof(_consts[0]);
const Commands _commands[] = {
{"C_Initialize", F_C_Initialize,
@ -1389,7 +1389,7 @@ const int topicCount = sizeof(_topics) / sizeof(_topics[0]);
const char *
getName(CK_ULONG value, ConstType type)
{
unsigned int i;
int i;
for (i=0; i < constCount; i++) {
if (consts[i].type == type && consts[i].value == value) {
@ -1409,9 +1409,9 @@ getNameFromAttribute(CK_ATTRIBUTE_TYPE type)
return getName(type, ConstAttribute);
}
unsigned int totalKnownType(ConstType type) {
unsigned int count = 0;
unsigned int i;
int totalKnownType(ConstType type) {
int count = 0;
int i;
for (i=0; i < constCount; i++) {
if (consts[i].type == type) count++;


@ -162,7 +162,7 @@ extern const int valueCount;
extern const char **constTypeString;
extern const int constTypeCount;
extern const Constant *consts;
extern const unsigned int constCount;
extern const int constCount;
extern const Commands *commands;
extern const int commandCount;
extern const Topics *topics;
@ -174,7 +174,7 @@ getName(CK_ULONG value, ConstType type);
extern const char *
getNameFromAttribute(CK_ATTRIBUTE_TYPE type);
extern unsigned int totalKnownType(ConstType type);
extern int totalKnownType(ConstType type);
#endif /* _PK11_TABLE_H_ */


@ -74,9 +74,7 @@ char *SEC_GetPassword(FILE *input, FILE *output, char *prompt,
echoOff(infd);
}
if (QUIET_FGETS(phrase, sizeof(phrase), input) == NULL) {
return NULL;
}
QUIET_FGETS ( phrase, sizeof(phrase), input);
if (isTTY) {
fprintf(output, "\n");
@ -89,7 +87,7 @@ char *SEC_GetPassword(FILE *input, FILE *output, char *prompt,
/* Validate password */
if (!(*ok)(phrase)) {
/* Not weird enough */
if (!isTTY) return NULL;
if (!isTTY) return 0;
fprintf(output, "Password must be at least 8 characters long with one or more\n");
fprintf(output, "non-alphabetic characters\n");
continue;
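Review bot: `QUIET_FGETS ( phrase, sizeof(phrase), input);` discards the fgets result, so on EOF or a read error `phrase` keeps whatever it held before and the loop goes on validating — and may return — stale bytes as the password; test the result and leave, `if (QUIET_FGETS(phrase, sizeof(phrase), input) == NULL) return NULL;`. The non-interactive reject path `if (!isTTY) return 0;` returns an integer constant from a function declared to return `char *`; use `NULL`. If `phrase` is a local buffer, both exits are also where it should be scrubbed before returning, but its declaration is outside the hunk.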


@ -375,8 +375,7 @@ SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass,
PR_fprintf(PR_STDERR, "Invalid password.\n");
PORT_Memset(oldpw, 0, PL_strlen(oldpw));
PORT_Free(oldpw);
rv = SECFailure;
goto done;
return SECFailure;
}
} else
break;
@ -386,22 +385,20 @@ SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass,
newpw = secu_InitSlotPassword(slot, PR_FALSE, &newpwdata);
rv = PK11_ChangePW(slot, oldpw, newpw);
if (rv != SECSuccess) {
if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) {
PR_fprintf(PR_STDERR, "Failed to change password.\n");
} else {
PR_fprintf(PR_STDOUT, "Password changed successfully.\n");
return SECFailure;
}
PORT_Memset(oldpw, 0, PL_strlen(oldpw));
PORT_Free(oldpw);
PR_fprintf(PR_STDOUT, "Password changed successfully.\n");
done:
if (newpw) {
PORT_Memset(newpw, 0, PL_strlen(newpw));
PORT_Free(newpw);
}
return rv;
PORT_Memset(newpw, 0, PL_strlen(newpw));
PORT_Free(newpw);
return SECSuccess;
}
struct matchobj {
@ -1553,7 +1550,7 @@ SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m,
fprintf(out, "Serial DER as C source: \n{ %d, \"", c->serialNumber.len);
{
unsigned int i;
int i;
for (i=0; i < c->serialNumber.len; ++i) {
unsigned char *chardata = (unsigned char*)(c->serialNumber.data);
unsigned char c = *(chardata + i);
@ -2420,6 +2417,7 @@ SECU_PrintCertificateBasicInfo(FILE *out, const SECItem *der, const char *m, int
PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
CERTCertificate *c;
int rv = SEC_ERROR_NO_MEMORY;
int iv;
if (!arena)
return rv;
@ -2745,7 +2743,7 @@ secu_PrintPKCS7Signed(FILE *out, SEC_PKCS7SignedData *src,
while ((aCert = src->rawCerts[iv++]) != NULL) {
sprintf(om, "Certificate (%x)", iv);
rv = SECU_PrintSignedData(out, aCert, om, level + 2,
(SECU_PPFunc)SECU_PrintCertificate);
SECU_PrintCertificate);
if (rv)
return rv;
}
@ -2864,7 +2862,7 @@ secu_PrintPKCS7SignedAndEnveloped(FILE *out,
while ((aCert = src->rawCerts[iv++]) != NULL) {
sprintf(om, "Certificate (%x)", iv);
rv = SECU_PrintSignedData(out, aCert, om, level + 2,
(SECU_PPFunc)SECU_PrintCertificate);
SECU_PrintCertificate);
if (rv)
return rv;
}
@ -3194,7 +3192,7 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
data.len = cert->derCert.len;
rv = SECU_PrintSignedData(stdout, &data, label, 0,
(SECU_PPFunc)SECU_PrintCertificate);
SECU_PrintCertificate);
if (rv) {
return(SECFailure);
}
@ -3285,7 +3283,7 @@ SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
errstr = NULL;
switch (node->error) {
case SEC_ERROR_INADEQUATE_KEY_USAGE:
flags = (unsigned int)((char *)node->arg - (char *)NULL);
flags = (unsigned int)node->arg;
switch (flags) {
case KU_DIGITAL_SIGNATURE:
errstr = "Cert cannot sign.";
@ -3301,7 +3299,7 @@ SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
break;
}
case SEC_ERROR_INADEQUATE_CERT_TYPE:
flags = (unsigned int)((char *)node->arg - (char *)NULL);
flags = (unsigned int)node->arg;
switch (flags) {
case NS_CERT_TYPE_SSL_CLIENT:
case NS_CERT_TYPE_SSL_SERVER:
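Review bot: In SECU_ChangePW2 the failure branch after `PK11_ChangePW(slot, oldpw, newpw)` returns SECFailure without clearing or freeing `oldpw` and `newpw`, so both password strings stay in heap memory on the error path while the success path scrubs them; route the two outcomes through one cleanup as sketched below (declare `SECStatus rv` at the top if the function no longer has one — its declarations are outside the hunk). `int iv;` added to SECU_PrintCertificateBasicInfo is not used in the hunk. `flags = (unsigned int)node->arg;` truncates a pointer on LP64 targets; it works for the small bit values stored there but warns, so `(unsigned int)(uintptr_t)node->arg` or the `(char *)node->arg - (char *)NULL` form is preferable.
```c
    rv = PK11_ChangePW(slot, oldpw, newpw);
    if (rv != SECSuccess) {
        PR_fprintf(PR_STDERR, "Failed to change password.\n");
    } else {
        PR_fprintf(PR_STDOUT, "Password changed successfully.\n");
    }
    /* scrub both password buffers on every exit path */
    PORT_Memset(oldpw, 0, PL_strlen(oldpw));
    PORT_Free(oldpw);
    if (newpw) {
        PORT_Memset(newpw, 0, PL_strlen(newpw));
        PORT_Free(newpw);
    }
    return rv;
```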


@ -133,7 +133,25 @@ typedef enum {
LAST_MSG /* must be last */
} Message;
/* defined in modutil.c */
extern char *msgStrings[];
static char *msgStrings[] = {
"FIPS mode enabled.\n",
"FIPS mode disabled.\n",
"Using database directory %s...\n",
"Creating \"%s\"...",
"Module \"%s\" added to database.\n",
"Module \"%s\" deleted from database.\n",
"Token \"%s\" password changed successfully.\n",
"Incorrect password, try again...\n",
"Passwords do not match, try again...\n",
"done.\n",
"Slot \"%s\" %s.\n",
"Successfully changed defaults.\n",
"Successfully changed defaults.\n",
"\nWARNING: Performing this operation while the browser is running could cause"
"\ncorruption of your security databases. If the browser is currently running,"
"\nyou should exit browser before continuing this operation. Type "
"\n'q <enter>' to abort, or <enter> to continue: ",
"\nAborting...\n"
};
#endif /* MODUTIL_ERROR_H */
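Review bot: `static char *msgStrings[]` is now defined in a header, so every translation unit that includes error.h gets its own private copy of the table and any unit that includes it without using the array draws an unused-variable warning; keep the single definition in modutil.c and leave `extern char *msgStrings[];` here. The entries are string literals, so the array should be `const char *` in either form, which also stops any caller from writing into them. "Successfully changed defaults.\n" appears twice in a row; if two Message enumerators intentionally share that text, a comment saying so would save the next reader a check.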


@ -203,7 +203,7 @@ yyparse()
register char *yys;
extern char *getenv();
if ((yys = getenv("YYDEBUG")) != NULL)
if (yys = getenv("YYDEBUG"))
{
yyn = *yys;
if (yyn >= '0' && yyn <= '9')
@ -220,7 +220,7 @@ yyparse()
*yyssp = yystate = 0;
yyloop:
if ((yyn = yydefred[yystate]) != 0) goto yyreduce;
if (yyn = yydefred[yystate]) goto yyreduce;
if (yychar < 0)
{
if ((yychar = yylex()) < 0) yychar = 0;


@ -1100,7 +1100,6 @@ register char *yy_bp;
#endif /* ifndef YY_NO_UNPUT */
#ifndef YY_NO_INPUT
#ifdef __cplusplus
static int yyinput()
#else
@ -1172,7 +1171,6 @@ static int input()
return c;
}
#endif /* ifndef YY_NO_INPUT */
#ifdef YY_USE_PROTOS


@ -24,7 +24,7 @@ PROGRAM = modutil
REQUIRES = seccmd nss dbm
DEFINES = -DNSPR20 -DYY_NO_UNPUT -DYY_NO_INPUT
DEFINES = -DNSPR20
# sigh
#INCLUDES += -I$(CORE_DEPTH)/nss/lib/pk11wrap


@ -122,27 +122,6 @@ static char *optionStrings[] = {
"-chkfips",
};
char *msgStrings[] = {
"FIPS mode enabled.\n",
"FIPS mode disabled.\n",
"Using database directory %s...\n",
"Creating \"%s\"...",
"Module \"%s\" added to database.\n",
"Module \"%s\" deleted from database.\n",
"Token \"%s\" password changed successfully.\n",
"Incorrect password, try again...\n",
"Passwords do not match, try again...\n",
"done.\n",
"Slot \"%s\" %s.\n",
"Successfully changed defaults.\n",
"Successfully changed defaults.\n",
"\nWARNING: Performing this operation while the browser is running could cause"
"\ncorruption of your security databases. If the browser is currently running,"
"\nyou should exit browser before continuing this operation. Type "
"\n'q <enter>' to abort, or <enter> to continue: ",
"\nAborting...\n"
};
/* Increment i if doing so would have i still be less than j. If you
are able to do this, return 0. Otherwise return 1. */
#define TRY_INC(i,j) ( ((i+1)<j) ? (++i, 0) : 1 )


@ -313,6 +313,27 @@ appendHex(unsigned char nibble)
}
}
/*
* append a secitem as colon separated hex bytes.
*/
static void
appendItem(SECItem *item)
{
int i;
if (!buffer.data) {
return;
}
appendLabel(':');
for (i=0; i < item->len; i++) {
unsigned char byte=item->data[i];
appendHex(byte >> 4);
appendHex(byte & 0xf);
appendLabel(':');
}
}
/*
* append a 32 bit integer (even on a 64 bit platform).
* for simplicity append it as a hex value, full extension with 0x prefix.
@ -472,7 +493,7 @@ do_list_certs(const char *progName, int log)
CERTCertList *sorted;
CERTCertListNode *node;
CERTCertTrust trust;
unsigned int i;
int i;
list = PK11_ListCerts(PK11CertListUnique, NULL);
if (list == NULL) {
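Review bot: In appendItem `int i` is compared against `item->len`, an unsigned field, in `for (i=0; i < item->len; i++)`, which promotes `i` to unsigned and produces a sign-compare warning; declare `unsigned int i;` there and in do_list_certs, where the same counter was changed to `int`. appendItem is not called from within this hunk; if nothing else in the file references it, the static function will trigger an unused-function warning. do_list_certs continues outside the hunk.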


@ -562,7 +562,7 @@ print_raw_certificates (FILE *out_file, SECItem **raw_certs, int level)
while ((raw_cert = raw_certs[i++]) != NULL) {
sprintf (cert_label, "Certificate (%d)", i);
(void) SECU_PrintSignedData (out_file, raw_cert, cert_label, level + 1,
(SECU_PPFunc)SECU_PrintCertificate);
SECU_PrintCertificate);
}
}
@ -964,7 +964,7 @@ main (int argc, char **argv)
PLOptState *optstate;
SECStatus rv;
CERTCertDBHandle *handle = NULL;
SECCertUsage cert_usage = certUsageSSLClient;
SECCertUsage cert_usage;
PRTime verify_time;
CERTCertificate *cert = NULL;
PRBool ascii = PR_FALSE;
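Review bot: `SECCertUsage cert_usage;` in main is left uninitialized, whereas the neighbouring declarations (`handle`, `cert`, `ascii`) all get a default; if the usage is only assigned when a command-line option is present, the verification later in main reads an indeterminate value. Give it a default at the declaration, `SECCertUsage cert_usage = certUsageSSLClient;` or whichever usage the usage text documents as the default. main's option parsing and the verify call are outside the hunk, so I cannot confirm every assignment path from here.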


@ -129,12 +129,15 @@ main(int argc, char **argv)
SECItem *encoded = NULL;
CERTOCSPResponse *decoded = NULL;
SECStatus statusDecoded;
SECItem *encodedRev = NULL;
CERTOCSPResponse *decodedRev = NULL;
SECStatus statusDecodedRev;
SECItem *encodedFail = NULL;
CERTOCSPResponse *decodedFail = NULL;
SECStatus statusDecodedFail;
CERTCertificate *obtainedSignerCert = NULL;
@ -178,47 +181,40 @@ main(int argc, char **argv)
encoded = encode(arena, cid, caCert);
PORT_Assert(encoded);
decoded = CERT_DecodeOCSPResponse(encoded);
PORT_CheckSuccess(CERT_GetOCSPResponseStatus(decoded));
statusDecoded = CERT_GetOCSPResponseStatus(decoded);
PORT_Assert(statusDecoded == SECSuccess);
PORT_CheckSuccess(CERT_VerifyOCSPResponseSignature(decoded, certHandle, &pwdata,
&obtainedSignerCert, caCert));
PORT_CheckSuccess(CERT_GetOCSPStatusForCertID(certHandle, decoded, cid,
obtainedSignerCert, now));
statusDecoded = CERT_VerifyOCSPResponseSignature(decoded, certHandle, &pwdata,
&obtainedSignerCert, caCert);
PORT_Assert(statusDecoded == SECSuccess);
statusDecoded = CERT_GetOCSPStatusForCertID(certHandle, decoded, cid,
obtainedSignerCert, now);
PORT_Assert(statusDecoded == SECSuccess);
CERT_DestroyCertificate(obtainedSignerCert);
encodedRev = encodeRevoked(arena, cid, caCert);
PORT_Assert(encodedRev);
decodedRev = CERT_DecodeOCSPResponse(encodedRev);
PORT_CheckSuccess(CERT_GetOCSPResponseStatus(decodedRev));
statusDecodedRev = CERT_GetOCSPResponseStatus(decodedRev);
PORT_Assert(statusDecodedRev == SECSuccess);
PORT_CheckSuccess(CERT_VerifyOCSPResponseSignature(decodedRev, certHandle, &pwdata,
&obtainedSignerCert, caCert));
#ifdef DEBUG
{
SECStatus rv = CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
statusDecodedRev = CERT_VerifyOCSPResponseSignature(decodedRev, certHandle, &pwdata,
&obtainedSignerCert, caCert);
PORT_Assert(statusDecodedRev == SECSuccess);
statusDecodedRev = CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
obtainedSignerCert, now);
PORT_Assert(rv == SECFailure);
PORT_Assert(PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE);
}
#else
(void)CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
obtainedSignerCert, now);
#endif
PORT_Assert(statusDecodedRev == SECFailure);
PORT_Assert(PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE);
CERT_DestroyCertificate(obtainedSignerCert);
encodedFail = CERT_CreateEncodedOCSPErrorResponse(
arena, SEC_ERROR_OCSP_TRY_SERVER_LATER);
PORT_Assert(encodedFail);
decodedFail = CERT_DecodeOCSPResponse(encodedFail);
#ifdef DEBUG
{
SECStatus rv = CERT_GetOCSPResponseStatus(decodedFail);
PORT_Assert(rv == SECFailure);
PORT_Assert(PORT_GetError() == SEC_ERROR_OCSP_TRY_SERVER_LATER);
}
#else
(void)CERT_GetOCSPResponseStatus(decodedFail);
#endif
statusDecodedFail = CERT_GetOCSPResponseStatus(decodedFail);
PORT_Assert(statusDecodedFail == SECFailure);
PORT_Assert(PORT_GetError() == SEC_ERROR_OCSP_TRY_SERVER_LATER);
retval = 0;
loser:
if (retval != 0)
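Review bot: Every result in this hunk is checked only with `PORT_Assert(statusDecoded == SECSuccess)` and its siblings; PORT_Assert is compiled out in non-DEBUG builds, so in a release build the decode, signature-verification and certificate-status checks vanish, the `statusDecoded*` variables become set-but-unused, and the test reports success regardless of what CERT_VerifyOCSPResponseSignature returned. Use a check that survives in every configuration, e.g. `if (CERT_GetOCSPResponseStatus(decoded) != SECSuccess) goto loser;` with `retval` still non-zero at that point, and reserve PORT_Assert for conditions that are unreachable by design. The `PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE` and `SEC_ERROR_OCSP_TRY_SERVER_LATER` expectations need the same treatment, since they are the substance of the revoked and error-response cases.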


@ -44,13 +44,13 @@ main(int argc, char **argv)
secondval = atoi(curstr);
if ( firstval > 2 ) {
if ( ( firstval < 0 ) || ( firstval > 2 ) ) {
fprintf(stderr, "first component out of range\n");
exit(-1);
}
if ( secondval > 39 ) {
if ( ( secondval < 0 ) || ( secondval > 39 ) ) {
fprintf(stderr, "second component out of range\n");
exit(-1);
}


@ -130,6 +130,7 @@ main(int argc, char **argv)
{
char *progName;
FILE *inFile, *outFile;
char *certName;
CERTCertDBHandle *certHandle;
struct recipient *recipients, *rcpt;
PLOptState *optstate;
@ -141,6 +142,7 @@ main(int argc, char **argv)
inFile = NULL;
outFile = NULL;
certName = NULL;
recipients = NULL;
rcpt = NULL;
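Review bot: `char *certName;` and `certName = NULL;` are reintroduced on the new side, but nothing in the visible lines reads certName; if no other code in main uses it, it is a dead variable that -Wunused-variable will flag and it should be removed rather than initialized. main continues outside both hunks, so this is an inference to confirm against the rest of the function.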


@ -166,22 +166,22 @@ aes_gcm_kat(const char *respfn)
FILE *aesresp; /* input stream from the RESPONSE file */
int i, j;
unsigned int test_group = 0;
unsigned int num_tests = 0;
unsigned int num_tests;
PRBool is_encrypt;
unsigned char key[32]; /* 128, 192, or 256 bits */
unsigned int keysize = 16;
unsigned int keysize;
unsigned char iv[10*16]; /* 1 to 10 blocks */
unsigned int ivsize = 12;
unsigned int ivsize;
unsigned char plaintext[10*16]; /* 1 to 10 blocks */
unsigned int plaintextlen = 0;
unsigned char aad[10*16]; /* 1 to 10 blocks */
unsigned int aadlen = 0;
unsigned char ciphertext[10*16]; /* 1 to 10 blocks */
unsigned int ciphertextlen = 0;
unsigned int ciphertextlen;
unsigned char tag[16];
unsigned int tagsize = 16;
unsigned int tagsize;
unsigned char output[10*16]; /* 1 to 10 blocks */
unsigned int outputlen = 0;
unsigned int outputlen;
unsigned int expected_keylen = 0;
unsigned int expected_ivlen = 0;
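Review bot: Assuming the backout keeps the uninitialized declarations (`unsigned int num_tests;`, `keysize;`, `ivsize;`, `ciphertextlen;`, `tagsize;`, `outputlen;`), any path through aes_gcm_kat that uses one of them before the RESPONSE file has supplied the matching length reads an indeterminate value, which is undefined behavior rather than a harmless default. The initializers on the other side cost nothing and turn a truncated or malformed RESPONSE file into a deterministic failure; keep them as `unsigned int keysize = 16;`, `unsigned int ivsize = 12;`, `unsigned int tagsize = 16;` and zero for the lengths. The function body continues past the hunk.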


@ -2090,8 +2090,8 @@ CK_RV PKM_Mechanism(CK_FUNCTION_LIST_PTR pFunctionList,
}
PKM_LogIt("C_GetMechanismList returned the mechanism types:\n");
if (verbose) {
for (i = 0; i < mechanismCount; i++) {
mechName = getName(pMechanismList[(i)], ConstMechanism);
for (i = 1; i <= mechanismCount; i++) {
mechName = getName(pMechanismList[(i-1)], ConstMechanism);
/* output two mechanism name on each line */
/* currently the longest known mechansim name length is 37 */
@ -2100,7 +2100,7 @@ CK_RV PKM_Mechanism(CK_FUNCTION_LIST_PTR pFunctionList,
} else {
printf("Unknown mechanism: 0x%08lX ", pMechanismList[i]);
}
if ((i % 2) == 1 ) printf("\n");
if ((i != 0) && ((i % 2) == 0 )) printf("\n");
}
printf("\n\n");
}
@ -3506,8 +3506,8 @@ CK_RV PKM_FindAllObjects(CK_FUNCTION_LIST_PTR pFunctionList,
CK_ATTRIBUTE_PTR pTemplate;
CK_ULONG tnObjects = 0;
int curMode;
unsigned int i;
unsigned int number_of_all_known_attribute_types = totalKnownType(ConstAttribute);
int i;
int number_of_all_known_attribute_types = totalKnownType(ConstAttribute);
NUMTESTS++; /* increment NUMTESTS */
@ -4558,7 +4558,7 @@ PKM_TLSMasterKeyDerive( CK_FUNCTION_LIST_PTR pFunctionList,
CK_SESSION_HANDLE hSession;
CK_RV crv;
CK_MECHANISM mk_mech;
CK_VERSION version;
CK_VERSION expected_version, version;
CK_OBJECT_CLASS class = CKO_SECRET_KEY;
CK_KEY_TYPE type = CKK_GENERIC_SECRET;
CK_BBOOL derive_bool = true;
@ -4625,6 +4625,8 @@ PKM_TLSMasterKeyDerive( CK_FUNCTION_LIST_PTR pFunctionList,
case CKM_TLS_MASTER_KEY_DERIVE:
attrs[3].pValue = NULL;
attrs[3].ulValueLen = 0;
expected_version.major = 3;
expected_version.minor = 1;
mkd_params.RandomInfo.pClientRandom = (unsigned char * ) TLSClientRandom;
mkd_params.RandomInfo.ulClientRandomLen =
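Review bot: In PKM_Mechanism the 1-based loop `for (i = 1; i <= mechanismCount; i++)` is paired with the context line `printf("Unknown mechanism: 0x%08lX ", pMechanismList[i]);`, which indexes with `i` rather than `i-1`: it prints the wrong entry for every unknown mechanism and reads one element past the end of pMechanismList on the last iteration. If the backout restores this loop, the else branch should read `pMechanismList[i-1]`, or the loop should stay 0-based with `pMechanismList[i]` and the line break on `(i % 2) == 1`. In PKM_TLSMasterKeyDerive, `expected_version.major`/`.minor` are assigned but not compared against `version` anywhere in the visible lines; if nothing later uses them they are set-but-unused. Both functions extend beyond the hunks.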


@ -756,7 +756,7 @@ P12U_ListPKCS12File(char *in_file, PK11SlotInfo *slot,
} else
if (SECU_PrintSignedData(stdout, dip->der,
(dip->hasKey) ? "(has private key)" : "",
0, (SECU_PPFunc)SECU_PrintCertificate) != 0) {
0, SECU_PrintCertificate) != 0) {
SECU_PrintError(progName,"PKCS12 print cert bag failed");
}
if (dip->friendlyName != NULL) {
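Review bot: Passing `SECU_PrintCertificate` where a `SECU_PPFunc` is expected is only correct without a cast if the two signatures match exactly; if they differ, both the uncast form here and the `(SECU_PPFunc)` cast on the other side are problematic, because the cast merely silences the incompatible-pointer-type diagnostic and calling a function through a pointer of a different type is undefined behavior. The robust fix is a small adapter with the exact SECU_PPFunc signature that forwards to SECU_PrintCertificate, used at every call site. The same pattern appears in pp.c (`rv = SECU_PrintSignedData(outFile, &data, "Certificate", 0, ...)`) and in tstclnt's dumpServerCertificateChain (`dumpFunction = SECU_PrintCertificateBasicInfo;` / `dumpFunction = SECU_PrintCertificate;`).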


@ -175,7 +175,7 @@ main(int argc, char **argv)
PRFileDesc *inFile;
char *keyName = NULL;
CERTCertDBHandle *certHandle;
CERTCertificate *cert = NULL;
CERTCertificate *cert;
PLOptState *optstate;
PLOptStatus status;
SECStatus rv;
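Review bot: `CERTCertificate *cert;` is left uninitialized on the new side; if main's cleanup path destroys `cert` after an early failure (the body is outside the hunk), it passes an indeterminate pointer to the destroy call. `CERTCertificate *cert = NULL;` is the safe form regardless of how the later code is structured and is what the other side has.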


@ -25,11 +25,8 @@ static void Usage(char *progName)
"Usage: %s [-t type] [-a] [-i input] [-o output] [-w] [-u]\n",
progName);
fprintf(stderr, "Pretty prints a file containing ASN.1 data in DER or ascii format.\n");
fprintf(stderr, "%-14s Specify input and display type:", "-t type");
#ifdef HAVE_EPV_TEMPLATE
fprintf(stderr, " %s (sk),", SEC_CT_PRIVATE_KEY);
#endif
fprintf(stderr, "\n");
fprintf(stderr, "%-14s Specify input and display type: %s (sk),\n",
"-t type", SEC_CT_PRIVATE_KEY);
fprintf(stderr, "%-14s %s (pk), %s (c), %s (cr),\n", "", SEC_CT_PUBLIC_KEY,
SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST);
fprintf(stderr, "%-14s %s (ci), %s (p7), %s or %s (n).\n", "", SEC_CT_CERTIFICATE_ID,
@ -139,7 +136,7 @@ int main(int argc, char **argv)
if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE) == 0 ||
PORT_Strcmp(typeTag, "c") == 0) {
rv = SECU_PrintSignedData(outFile, &data, "Certificate", 0,
(SECU_PPFunc)SECU_PrintCertificate);
SECU_PrintCertificate);
} else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_ID) == 0 ||
PORT_Strcmp(typeTag, "ci") == 0) {
rv = SECU_PrintSignedContent(outFile, &data, 0, 0,
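Review bot: The restored usage text prints `%s (sk)` with SEC_CT_PRIVATE_KEY unconditionally, whereas the other side only advertises it under HAVE_EPV_TEMPLATE; if the `-t sk` handling in main is itself conditional on HAVE_EPV_TEMPLATE (main is outside this hunk), the help now documents a type the binary may not accept. Either keep the `#ifdef HAVE_EPV_TEMPLATE` guard around the `(sk)` fragment or make acceptance unconditional so the two agree.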


@ -71,9 +71,9 @@ long_usage (char *program_name)
int
readStdin(SECItem * result)
{
unsigned int bufsize = 0;
int bufsize = 0;
int cc;
unsigned int wanted = 8192U;
int wanted = 8192;
result->len = 0;
result->data = NULL;
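Review bot: With `int bufsize` and `int wanted`, the rest of readStdin (outside the hunk) compares and adds these against `result->len`, which SECItem declares unsigned, so every such expression becomes a signed/unsigned mix and a negative `cc` from the read call promotes to a huge unsigned value in any `len + cc` arithmetic. Keeping the size variables unsigned (`unsigned int bufsize = 0;`, `unsigned int wanted = 8192U;`) and checking `cc < 0` before any arithmetic avoids that; `int cc` itself should stay signed since it carries the read return value.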


@ -65,7 +65,7 @@ static const char inheritableSockName[] = { "SELFSERV_LISTEN_SOCKET" };
#define MAX_BULK_TEST 1048576 /* 1 MB */
static PRBool testBulk;
static PRUint32 testBulkSize = DEFAULT_BULK_TEST;
static PRInt32 testBulkTotal;
static PRUint32 testBulkTotal;
static char* testBulkBuf;
static PRDescIdentity log_layer_id = PR_INVALID_IO_LAYER;
static PRFileDesc *loggingFD;
@ -74,10 +74,10 @@ static PRIOMethods loggingMethods;
static PRBool logStats;
static PRBool loggingLayer;
static int logPeriod = 30;
static PRInt32 loggerOps;
static PRInt32 loggerBytes;
static PRInt32 loggerBytesTCP;
static PRInt32 bulkSentChunks;
static PRUint32 loggerOps;
static PRUint32 loggerBytes;
static PRUint32 loggerBytesTCP;
static PRUint32 bulkSentChunks;
static enum ocspStaplingModeEnum {
osm_disabled, /* server doesn't support stapling */
osm_good, /* supply a signed good status */
@ -428,11 +428,10 @@ printSecurityInfo(PRFileDesc *fd)
suite.macBits, suite.macAlgorithmName);
FPRINTF(stderr,
"selfserv: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n"
" Compression: %s, Extended Master Secret: %s\n",
" Compression: %s\n",
channel.authKeyBits, suite.authAlgorithmName,
channel.keaKeyBits, suite.keaTypeName,
channel.compressionMethodName,
channel.extendedMasterSecretUsed ? "Yes": "No");
channel.compressionMethodName);
}
}
if (verbose) {
@ -503,8 +502,8 @@ mySSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr,
pwdata = SSL_RevealPinArg(fd);
for (;current && (PRUint32)i < sniNameArrSize;i++) {
unsigned int j = 0;
for (;current && i < sniNameArrSize;i++) {
int j = 0;
for (;j < MAX_VIRT_SERVER_NAME_ARRAY_INDEX && nameArr[j];j++) {
if (!PORT_Strncmp(nameArr[j],
(const char *)current[i].data,
@ -752,8 +751,8 @@ logger(void *arg)
PRIntervalTime period;
PRIntervalTime previousTime;
PRIntervalTime latestTime;
PRInt32 previousOps;
PRInt32 ops;
PRUint32 previousOps;
PRUint32 ops;
PRIntervalTime logPeriodTicks = PR_TicksPerSecond();
PRFloat64 secondsPerTick = 1.0 / (PRFloat64)logPeriodTicks;
int iterations = 0;
@ -772,7 +771,7 @@ logger(void *arg)
*/
PR_Sleep(logPeriodTicks);
secondsElapsed++;
totalPeriodBytes += PR_ATOMIC_SET(&loggerBytes, 0);
totalPeriodBytes += PR_ATOMIC_SET(&loggerBytes, 0);
totalPeriodBytesTCP += PR_ATOMIC_SET(&loggerBytesTCP, 0);
if (secondsElapsed != logPeriod) {
continue;
@ -838,8 +837,6 @@ PRBool testbypass = PR_FALSE;
PRBool enableSessionTickets = PR_FALSE;
PRBool enableCompression = PR_FALSE;
PRBool failedToNegotiateName = PR_FALSE;
PRBool enableExtendedMasterSecret = PR_FALSE;
static char *virtServerNameArray[MAX_VIRT_SERVER_NAME_ARRAY_INDEX];
static int virtServerNameIndex = 1;
@ -1132,7 +1129,7 @@ makeSignedOCSPResponse(PLArenaPool *arena, ocspStaplingModeType osm,
SECItemArray *result = NULL;
SECItem *ocspResponse = NULL;
CERTOCSPSingleResponse **singleResponses;
CERTOCSPSingleResponse *sr = NULL;
CERTOCSPSingleResponse *sr;
CERTOCSPCertID *cid = NULL;
CERTCertificate *ca;
PRTime now = PR_Now();
@ -1148,7 +1145,7 @@ makeSignedOCSPResponse(PLArenaPool *arena, ocspStaplingModeType osm,
if (!cid)
errExit("cannot created cid");
nextUpdate = now + (PRTime)60*60*24 * PR_USEC_PER_SEC; /* plus 1 day */
nextUpdate = now + 60*60*24 * PR_USEC_PER_SEC; /* plus 1 day */
switch (osm) {
case osm_good:
@ -1163,7 +1160,7 @@ makeSignedOCSPResponse(PLArenaPool *arena, ocspStaplingModeType osm,
case osm_revoked:
sr = CERT_CreateOCSPSingleResponseRevoked(arena, cid, now,
&nextUpdate,
now - (PRTime)60*60*24 * PR_USEC_PER_SEC, /* minus 1 day */
now - 60*60*24 * PR_USEC_PER_SEC, /* minus 1 day */
NULL);
break;
default:
@ -1945,13 +1942,6 @@ server_main(
}
}
if (enableExtendedMasterSecret) {
rv = SSL_OptionSet(model_sock, SSL_ENABLE_EXTENDED_MASTER_SECRET, PR_TRUE);
if (rv != SECSuccess) {
errExit("error enabling extended master secret ");
}
}
for (kea = kt_rsa; kea < kt_kea_size; kea++) {
if (cert[kea] != NULL) {
secStatus = SSL_ConfigSecureServer(model_sock,
@ -2228,7 +2218,7 @@ main(int argc, char **argv)
** numbers, then capital letters, then lower case, alphabetical.
*/
optstate = PL_CreateOptState(argc, argv,
"2:A:BC:DEGH:L:M:NP:RS:T:U:V:W:Ya:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz");
"2:A:BC:DEH:L:M:NP:RS:T:U:V:W:Ya:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
++optionsFound;
switch(optstate->option) {
@ -2244,8 +2234,6 @@ main(int argc, char **argv)
case 'E': disableStepDown = PR_TRUE; break;
case 'H': configureDHE = (PORT_Atoi(optstate->value) != 0); break;
case 'G': enableExtendedMasterSecret = PR_TRUE; break;
case 'I': /* reserved for OCSP multi-stapling */ break;
case 'L':
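Review bot: In makeSignedOCSPResponse, `nextUpdate = now + 60*60*24 * PR_USEC_PER_SEC;` and `now - 60*60*24 * PR_USEC_PER_SEC` evaluate the product in the type of PR_USEC_PER_SEC before widening to PRTime; on a target where that constant is a 32-bit `long` (ILP32 or LLP64 Windows builds), 86,400,000,000 overflows and the stapled response's validity window is undefined. The `(PRTime)60*60*24 * PR_USEC_PER_SEC` form on the other side fixes this and should survive the backout. Separately, the logger counters `loggerOps`, `loggerBytes`, `loggerBytesTCP` and `bulkSentChunks` are passed to `PR_ATOMIC_SET`, which takes a `PRInt32 *`; declaring them `PRUint32` produces incompatible-pointer diagnostics and the declarations should match the NSPR API type. Both functions continue outside the hunks.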


@ -195,10 +195,6 @@ static const unsigned char base[] = {
0x14, 0x8e, 0xe7, 0xb8, 0xaa, 0xd5, 0xd1, 0x36,
0x1d, 0x7e, 0x5e, 0x7d, 0xfa, 0x5b, 0x77, 0x1f };
/*
* The constants h, seed, & counter aren't used in the code; they're provided
* here (commented-out) so that human readers can verify that our our PQG
* parameters were generated properly.
static const unsigned char h[] = {
0x41, 0x87, 0x47, 0x79, 0xd8, 0xba, 0x4e, 0xac,
0x44, 0x4f, 0x6b, 0xd2, 0x16, 0x5e, 0x04, 0xc6,
@ -236,7 +232,6 @@ static const unsigned char seed[] = { 0x00,
0x64, 0x06, 0x13, 0x51, 0xeb, 0x4a, 0x91, 0x9c };
static const unsigned int counter=1496;
*/
static const unsigned char prime2[] = { 0x00,
0xa4, 0xc2, 0x83, 0x4f, 0x36, 0xd3, 0x4f, 0xae,
@ -312,10 +307,6 @@ static const unsigned char base2[] = { 0x00,
0x1c, 0xd3, 0xff, 0x4e, 0x2c, 0x38, 0x1c, 0xaa,
0x2e, 0x66, 0xbe, 0x32, 0x3e, 0x3c, 0x06, 0x5f };
/*
* The constants h2, seed2, & counter2 aren't used in the code; they're provided
* here (commented-out) so that human readers can verify that our our PQG
* parameters were generated properly.
static const unsigned char h2[] = {
0x30, 0x91, 0xa1, 0x2e, 0x40, 0xa5, 0x7d, 0xf7,
0xdc, 0xed, 0xee, 0x05, 0xc2, 0x31, 0x91, 0x37,
@ -385,7 +376,6 @@ static const unsigned char seed2[] = { 0x00,
0xc3, 0x29, 0x7d, 0xb7, 0x89, 0xbf, 0xe3, 0xde };
static const unsigned int counter2=210;
*/
struct tuple_str {
CK_RV errNum;
@ -522,7 +512,7 @@ CK_RVtoStr(CK_RV errNum) {
/* Do binary search of table. */
while (low + 1 < high) {
i = low + (high - low) / 2;
i = (low + high) / 2;
num = errStrings[i].errNum;
if (errNum == num)
return errStrings[i].errString;
@ -707,7 +697,7 @@ int main(int argc, char **argv)
int bytesWritten;
unsigned char file_buf[512];
int count=0;
unsigned int keySize = 0;
int keySize = 0;
int i;
PRBool verify = PR_FALSE;
static PRBool FIPSMODE = PR_FALSE;
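Review bot: The restored midpoint `i = (low + high) / 2;` in CK_RVtoStr can overflow `int` when `low + high` exceeds INT_MAX; for the small errStrings table that is theoretical, but `i = low + (high - low) / 2;` is the overflow-free idiom and costs nothing. The same change appears in makedep's define2 and slookup (`register int middle = (first + last) / 2;`). Reopening the `h`/`seed`/`counter` and `h2`/`seed2`/`counter2` arrays leaves six unreferenced file-scope objects; if they exist only so readers can verify the PQG parameters, keeping them inside the comment preserves that while avoiding unused-variable warnings.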


@ -73,9 +73,6 @@ GenerateCert(char *nickname, int keysize, char *token)
LL_L2UI(serial, PR_Now());
subject = GetSubjectFromUser(serial);
if (!subject) {
FatalError("Unable to get subject from user");
}
cert = GenerateSelfSignedObjectSigningCert(nickname, db, subject,
serial, keysize, token);
@ -125,9 +122,7 @@ GetSubjectFromUser(unsigned long serial)
#else
PR_fprintf(PR_STDOUT, "certificate common name: ");
#endif
if (!fgets(buf, STDIN_BUF_SIZE, stdin)) {
return NULL;
}
fgets(buf, STDIN_BUF_SIZE, stdin);
cp = chop(buf);
if (*cp == '\0') {
sprintf(common_name_buf, "%s (%lu)", DEFAULT_COMMON_NAME,
@ -149,9 +144,7 @@ GetSubjectFromUser(unsigned long serial)
#else
PR_fprintf(PR_STDOUT, "organization: ");
#endif
if (!fgets(buf, STDIN_BUF_SIZE, stdin)) {
return NULL;
}
fgets(buf, STDIN_BUF_SIZE, stdin);
cp = chop(buf);
if (*cp != '\0') {
org = PORT_ZAlloc(strlen(cp) + 5);
@ -170,9 +163,7 @@ GetSubjectFromUser(unsigned long serial)
#else
PR_fprintf(PR_STDOUT, "organization unit: ");
#endif
if (!fgets(buf, STDIN_BUF_SIZE, stdin)) {
return NULL;
}
fgets(buf, STDIN_BUF_SIZE, stdin);
cp = chop(buf);
if (*cp != '\0') {
orgunit = PORT_ZAlloc(strlen(cp) + 6);
@ -190,9 +181,7 @@ GetSubjectFromUser(unsigned long serial)
#else
PR_fprintf(PR_STDOUT, "state or province: ");
#endif
if (!fgets(buf, STDIN_BUF_SIZE, stdin)) {
return NULL;
}
fgets(buf, STDIN_BUF_SIZE, stdin);
cp = chop(buf);
if (*cp != '\0') {
state = PORT_ZAlloc(strlen(cp) + 6);
@ -210,9 +199,7 @@ GetSubjectFromUser(unsigned long serial)
#else
PR_fprintf(PR_STDOUT, "country (must be exactly 2 characters): ");
#endif
if (!fgets(buf, STDIN_BUF_SIZE, stdin)) {
return NULL;
}
fgets(buf, STDIN_BUF_SIZE, stdin);
cp = chop(cp);
if (strlen(cp) != 2) {
*cp = '\0'; /* country code must be 2 chars */
@ -233,9 +220,7 @@ GetSubjectFromUser(unsigned long serial)
#else
PR_fprintf(PR_STDOUT, "username: ");
#endif
if (!fgets(buf, STDIN_BUF_SIZE, stdin)) {
return NULL;
}
fgets(buf, STDIN_BUF_SIZE, stdin);
cp = chop(buf);
if (*cp != '\0') {
uid = PORT_ZAlloc(strlen(cp) + 7);
@ -253,9 +238,7 @@ GetSubjectFromUser(unsigned long serial)
#else
PR_fprintf(PR_STDOUT, "email address: ");
#endif
if (!fgets(buf, STDIN_BUF_SIZE, stdin)) {
return NULL;
}
fgets(buf, STDIN_BUF_SIZE, stdin);
cp = chop(buf);
if (*cp != '\0') {
email = PORT_ZAlloc(strlen(cp) + 5);
@ -437,6 +420,7 @@ sign_cert(CERTCertificate *cert, SECKEYPrivateKey *privk)
SECItem der2;
SECItem * result2;
void *dummy;
SECOidTag alg = SEC_OID_UNKNOWN;
alg = SEC_GetSignatureAlgorithmOidTag(privk->keyType, SEC_OID_UNKNOWN);
@ -456,7 +440,7 @@ sign_cert(CERTCertificate *cert, SECKEYPrivateKey *privk)
der2.len = 0;
der2.data = NULL;
(void)SEC_ASN1EncodeItem
dummy = SEC_ASN1EncodeItem
(cert->arena, &der2, cert, SEC_ASN1_GET(CERT_CertificateTemplate));
if (rv != SECSuccess) {
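Review bot: Every prompt in GetSubjectFromUser calls `fgets(buf, STDIN_BUF_SIZE, stdin);` without checking its result, so on EOF or a read error `buf` still holds the previous answer (or indeterminate bytes on the first prompt) and `chop(buf)` silently turns it into the next field; each site should be `if (!fgets(buf, STDIN_BUF_SIZE, stdin)) { return NULL; }`. Independently of the backout, the country prompt uses `cp = chop(cp);` where every other prompt uses `cp = chop(buf);` — if chop returns a pointer into its argument, cp still points partway into the previous answer and the country is parsed from an offset into the fresh input rather than its start, so it should read `cp = chop(buf);`. In GenerateCert the removed `if (!subject)` guard means a NULL return from GetSubjectFromUser is passed straight to GenerateSelfSignedObjectSigningCert. In sign_cert, `dummy = SEC_ASN1EncodeItem(...)` is assigned but never read in the visible lines while the following `if (rv != SECSuccess)` checks a different variable; `(void)` is the honest form if the result is genuinely ignored.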


@ -16,11 +16,9 @@ static int is_dir (char *filename);
long *mozilla_event_queue = 0;
#ifndef XP_WIN
char *XP_GetString (int i)
char *XP_GetString (int i)
{
/* nasty hackish cast to avoid changing the signature of
* JAR_init_callbacks() */
return (char *)SECU_Strerror (i);
return SECU_Strerror (i);
}
#endif


@ -41,12 +41,12 @@ struct _DataBuffer;
typedef struct _DataBufferList {
struct _DataBuffer *first,*last;
unsigned int size;
int size;
int isEncrypted;
unsigned char * msgBuf;
unsigned int msgBufOffset;
unsigned int msgBufSize;
unsigned int hMACsize;
int msgBufOffset;
int msgBufSize;
int hMACsize;
} DataBufferList;
typedef struct _DataBuffer {
@ -566,7 +566,7 @@ void print_sslv2(DataBufferList *s, unsigned char *recordBuf, unsigned int recor
(PRUint32)(GET_SHORT((chv2->rndlength))),
(PRUint32)(GET_SHORT((chv2->rndlength))));
PR_fprintf(PR_STDOUT," cipher-suites = { \n");
for (p=0;p<(PRUint32)GET_SHORT((chv2->cslength));p+=3) {
for (p=0;p<GET_SHORT((chv2->cslength));p+=3) {
PRUint32 cs_int = GET_24((&chv2->csuites[p]));
const char *cs_str = V2CipherString(cs_int);
@ -575,17 +575,17 @@ void print_sslv2(DataBufferList *s, unsigned char *recordBuf, unsigned int recor
}
q = p;
PR_fprintf(PR_STDOUT," }\n");
if (GET_SHORT((chv2->sidlength))) {
if (chv2->sidlength) {
PR_fprintf(PR_STDOUT," session-id = { ");
for (p=0;p<(PRUint32)GET_SHORT((chv2->sidlength));p+=2) {
for (p=0;p<GET_SHORT((chv2->sidlength));p+=2) {
PR_fprintf(PR_STDOUT,"0x%04x ",(PRUint32)(GET_SHORT((&chv2->csuites[p+q]))));
}
}
q += p;
PR_fprintf(PR_STDOUT,"}\n");
if (GET_SHORT((chv2->rndlength))) {
if (chv2->rndlength) {
PR_fprintf(PR_STDOUT," challenge = { ");
for (p=0;p<(PRUint32)GET_SHORT((chv2->rndlength));p+=2) {
for (p=0;p<GET_SHORT((chv2->rndlength));p+=2) {
PR_fprintf(PR_STDOUT,"0x%04x ",(PRUint32)(GET_SHORT((&chv2->csuites[p+q]))));
}
PR_fprintf(PR_STDOUT,"}\n");
@ -978,7 +978,7 @@ void print_ssl3_handshake(unsigned char *recordBuf,
{
struct sslhandshake sslh;
unsigned char * hsdata;
unsigned int offset=0;
int offset=0;
PR_fprintf(PR_STDOUT," handshake {\n");
@ -1365,7 +1365,7 @@ void print_ssl3_handshake(unsigned char *recordBuf,
offset += sslh.length + 4;
} /* while */
if (offset < recordLen) { /* stuff left over */
unsigned int newMsgLen = recordLen - offset;
int newMsgLen = recordLen - offset;
if (!s->msgBuf) {
s->msgBuf = PORT_Alloc(newMsgLen);
if (!s->msgBuf) {
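Review bot: In print_sslv2 the conditions `if (chv2->sidlength)` and `if (chv2->rndlength)` test the field itself, while every other use reads it through `GET_SHORT(...)`, which suggests these are two-byte array fields; if so, the array decays to a non-null pointer and both conditions are always true, so an empty session-id or challenge still prints a `{ }` block. If the backout restores these lines, `if (GET_SHORT((chv2->sidlength)))` and `if (GET_SHORT((chv2->rndlength)))` are the tests that match the loops beneath them, and the loop bounds `p < GET_SHORT(...)` then compare an unsigned `p` against the macro's result, which the `(PRUint32)` casts on the other side exist to make explicit. Making DataBufferList's `size`/`msgBufOffset`/`msgBufSize`/`hMACsize` signed while `offset` and `newMsgLen` are compared with the unsigned `recordLen` reintroduces signed/unsigned comparisons in print_ssl3_handshake; both functions extend past the hunks.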


@ -498,6 +498,7 @@ init_thread_data(void)
PRBool useModelSocket = PR_TRUE;
static const char stopCmd[] = { "GET /stop " };
static const char outHeader[] = {
"HTTP/1.0 200 OK\r\n"
"Server: Netscape-Enterprise/2.0a\r\n"
@ -566,8 +567,8 @@ do_writes(
{
PRFileDesc * ssl_sock = (PRFileDesc *)a;
lockedVars * lv = (lockedVars *)b;
unsigned int sent = 0;
int count = 0;
int sent = 0;
int count = 0;
while (sent < bigBuf.len) {
@ -711,7 +712,7 @@ PRInt32 lastFullHandshakePeerID;
void
myHandshakeCallback(PRFileDesc *socket, void *arg)
{
PR_ATOMIC_SET(&lastFullHandshakePeerID, (PRInt32)((char *)arg - (char *)NULL));
PR_ATOMIC_SET(&lastFullHandshakePeerID, (PRInt32) arg);
}
#endif
@ -731,6 +732,7 @@ do_connects(
PRFileDesc * tcp_sock = 0;
PRStatus prStatus;
PRUint32 sleepInterval = 50; /* milliseconds */
SECStatus result;
int rv = SECSuccess;
PRSocketOptionData opt;
@ -837,8 +839,7 @@ retry:
PR_snprintf(sockPeerIDString, sizeof(sockPeerIDString), "ID%d",
thisPeerID);
SSL_SetSockPeerID(ssl_sock, sockPeerIDString);
SSL_HandshakeCallback(ssl_sock, myHandshakeCallback,
(char *)NULL + thisPeerID);
SSL_HandshakeCallback(ssl_sock, myHandshakeCallback, (void*)thisPeerID);
#else
/* force a full handshake by setting the no cache option */
SSL_OptionSet(ssl_sock, SSL_NO_CACHE, 1);
@ -853,9 +854,9 @@ retry:
PR_ATOMIC_INCREMENT(&numConnected);
if (bigBuf.data != NULL) {
(void)handle_fdx_connection( ssl_sock, tid);
result = handle_fdx_connection( ssl_sock, tid);
} else {
(void)handle_connection( ssl_sock, tid);
result = handle_connection( ssl_sock, tid);
}
PR_ATOMIC_DECREMENT(&numConnected);
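Review bot: `PR_ATOMIC_SET(&lastFullHandshakePeerID, (PRInt32) arg);` in myHandshakeCallback casts a pointer straight to a 32-bit integer, which truncates on LP64 targets and draws a pointer-to-int-of-different-size diagnostic; the matching `(void*)thisPeerID` in do_connects is the reverse conversion. Smuggling an integer through the callback's `void *` is fragile on either side (the `(char *)NULL + thisPeerID` form on the other side is pointer arithmetic on a null pointer); passing a pointer to real per-connection state, or at least routing through `intptr_t` as `(PRInt32)(intptr_t)arg`, makes the round trip well-defined. `result = handle_fdx_connection(...)` and `result = handle_connection(...)` assign a value the visible code never reads; if nothing later in do_connects checks it, the `(void)` form is honest and avoids a set-but-unused warning. With `int sent`, `while (sent < bigBuf.len)` compares a signed counter with SECItem's unsigned `len`.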


@ -1015,7 +1015,8 @@ main(int argc, char **argv)
}
}
if (se) {
PORT_CheckSuccess(PK11_FreeSlotListElement(slotList, se));
SECStatus rv2 = PK11_FreeSlotListElement(slotList, se);
PORT_Assert(SECSuccess == rv2);
}
PK11_FreeSlotList(slotList);
}
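Review bot: `SECStatus rv2 = PK11_FreeSlotListElement(slotList, se); PORT_Assert(SECSuccess == rv2);` uses rv2 only inside PORT_Assert, which expands to nothing in non-DEBUG builds, so release builds get a set-but-unused variable and a failed free goes unnoticed. If `PORT_CheckSuccess` is not available after the backout, add `(void)rv2;` after the assert so the intent is explicit and the warning goes away. main's body continues outside the hunk.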


@ -129,11 +129,10 @@ void printSecurityInfo(PRFileDesc *fd)
suite.macBits, suite.macAlgorithmName);
FPRINTF(stderr,
"tstclnt: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n"
" Compression: %s, Extended Master Secret: %s\n",
" Compression: %s\n",
channel.authKeyBits, suite.authAlgorithmName,
channel.keaKeyBits, suite.keaTypeName,
channel.compressionMethodName,
channel.extendedMasterSecretUsed ? "Yes": "No");
channel.compressionMethodName);
}
}
cert = SSL_RevealCert(fd);
@ -232,7 +231,6 @@ static void PrintParameterUsage(void)
fprintf(stderr, "%-20s Enable compression.\n", "-z");
fprintf(stderr, "%-20s Enable false start.\n", "-g");
fprintf(stderr, "%-20s Enable the cert_status extension (OCSP stapling).\n", "-T");
fprintf(stderr, "%-20s Enable the extended master secret extension (session hash).\n", "-G");
fprintf(stderr, "%-20s Require fresh revocation info from side channel.\n"
"%-20s -F once means: require for server cert only\n"
"%-20s -F twice means: require for intermediates, too\n"
@ -536,9 +534,9 @@ dumpServerCertificateChain(PRFileDesc *fd)
return;
}
else if (dumpServerChain == 1) {
dumpFunction = (SECU_PPFunc)SECU_PrintCertificateBasicInfo;
dumpFunction = SECU_PrintCertificateBasicInfo;
} else {
dumpFunction = (SECU_PPFunc)SECU_PrintCertificate;
dumpFunction = SECU_PrintCertificate;
if (dumpServerChain > 2) {
dumpCertPEM = PR_TRUE;
}
@ -568,7 +566,7 @@ dumpServerCertificateChain(PRFileDesc *fd)
PR_TRUE);
}
if (foundChain) {
unsigned int count = 0;
int count = 0;
fprintf(stderr, "==== locally found issuer certificate(s): ====\n");
for(count = 0; count < (unsigned int)foundChain->len; count++) {
CERTCertificate *c;
@ -621,7 +619,7 @@ ownAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
if (!serverCertAuth->shouldPause) {
CERTCertificate *cert;
unsigned int i;
int i;
const SECItemArray *csa;
if (!serverCertAuth->testFreshStatusFromSideChannel) {
@ -646,7 +644,8 @@ ownAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
if (CERT_CacheOCSPResponseFromSideChannel(
serverCertAuth->dbHandle, cert, PR_Now(),
&csa->items[i], arg) != SECSuccess) {
PORT_Assert(PR_GetError() != 0);
PRErrorCode error = PR_GetError();
PORT_Assert(error != 0);
}
}
}
@ -921,7 +920,6 @@ int main(int argc, char **argv)
int enableFalseStart = 0;
int enableCertStatus = 0;
int forceFallbackSCSV = 0;
int enableExtendedMasterSecret = 0;
PRSocketOptionData opt;
PRNetAddr addr;
PRPollDesc pollset[2];
@ -970,7 +968,7 @@ int main(int argc, char **argv)
SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
optstate = PL_CreateOptState(argc, argv,
"46BCDFGKM:OR:STV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:xz");
"46BCDFKM:OR:STV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:xz");
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
@ -992,8 +990,6 @@ int main(int argc, char **argv)
serverCertAuth.testFreshStatusFromSideChannel = PR_TRUE;
break;
case 'G': enableExtendedMasterSecret = PR_TRUE; break;
case 'I': /* reserved for OCSP multi-stapling */ break;
case 'O': serverCertAuth.shouldPause = PR_FALSE; break;
@ -1287,7 +1283,7 @@ int main(int argc, char **argv)
int cipher;
if (ndx == ':') {
int ctmp = 0;
int ctmp;
cipher = 0;
HEXCHAR_TO_INT(*cipherString, ctmp)
@ -1391,15 +1387,6 @@ int main(int argc, char **argv)
return 1;
}
/* enable extended master secret mode */
if (enableExtendedMasterSecret) {
rv = SSL_OptionSet(s, SSL_ENABLE_EXTENDED_MASTER_SECRET, PR_TRUE);
if (rv != SECSuccess) {
SECU_PrintError(progName, "error enabling extended master secret");
return 1;
}
}
SSL_SetPKCS11PinArg(s, &pwdata);
serverCertAuth.dbHandle = CERT_GetDefaultCertDB();
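Review bot: `int ctmp;` in main's cipher-string parser is declared uninitialized and then fed to `HEXCHAR_TO_INT(*cipherString, ctmp)`; if that macro leaves its output untouched for a non-hex character (the macro body is outside the hunk), `cipher` is built from an indeterminate value, so `int ctmp = 0;` is the safer declaration. The same pattern appears in the `@ -510,7 +510,7 @@ main` hunk of the following file. In ownAuthCertificate, `PRErrorCode error = PR_GetError(); PORT_Assert(error != 0);` leaves `error` unused in non-DEBUG builds where PORT_Assert expands to nothing. With `int i` and `int count`, the loops over `csa->items[i]` and `foundChain->len` compare signed indices against unsigned lengths; the `(unsigned int)` cast already present on the foundChain loop hints at this.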


@ -333,7 +333,7 @@ configureRevocationParams(CERTRevocationFlags *flags)
int i;
unsigned int testType = REVCONFIG_TEST_UNDEFINED;
static CERTRevocationTests *revTests = NULL;
PRUint64 *revFlags = NULL;
PRUint64 *revFlags;
for(i = 0;i < REV_METHOD_INDEX_MAX;i++) {
if (revMethodsData[i].testType == REVCONFIG_TEST_UNDEFINED) {
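Review bot: `PRUint64 *revFlags;` is uninitialized on the new side; if the loop that follows only assigns it when a matching method is found (the rest of configureRevocationParams is outside the hunk), a later `*revFlags` dereference reads an indeterminate pointer. `PRUint64 *revFlags = NULL;` turns a missed assignment into a deterministic null dereference instead of undefined behavior and lets the code test for it.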


@ -510,7 +510,7 @@ main(int argc, char **argv)
int cipher;
if (ndx == ':') {
int ctmp = 0;
int ctmp;
cipher = 0;
HEXCHAR_TO_INT(*cipherString, ctmp)


@ -603,7 +603,7 @@ void
dumpCertChain(CERTCertificate *cert, SECCertUsage usage)
{
CERTCertificateList *certList;
unsigned int count = 0;
int count = 0;
certList = CERT_CertChainFromCert(cert, usage, PR_TRUE);
if (certList == NULL) {


@ -83,26 +83,6 @@ endif
OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) -Wall -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK $(DARWIN_SDK_CFLAGS)
ifeq (clang,$(shell $(CC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q'))
NSS_HAS_GCC48 = true
endif
ifndef NSS_HAS_GCC48
NSS_HAS_GCC48 := $(shell \
[ `$(CC) -dumpversion | cut -f 1 -d . -` -eq 4 -a \
`$(CC) -dumpversion | cut -f 2 -d . -` -ge 8 -o \
`$(CC) -dumpversion | cut -f 1 -d . -` -ge 5 ] && \
echo true || echo false)
export NSS_HAS_GCC48
endif
ifeq (true,$(NSS_HAS_GCC48))
OS_CFLAGS += -Werror
else
# Old versions of gcc (< 4.8) don't support #pragma diagnostic in functions.
# Use this to disable use of that #pragma and the warnings it suppresses.
OS_CFLAGS += -DNSS_NO_GCC48 -Wno-unused-variable -Wno-strict-aliasing
$(warning Unable to find gcc >= 4.8 disabling -Werror)
endif
ifdef BUILD_OPT
ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
OPTIMIZER = -Oz


@ -125,50 +125,14 @@ ifdef MOZ_DEBUG_SYMBOLS
endif
endif
ifndef COMPILER_TAG
COMPILER_TAG = _$(shell $(CC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q')
CCC_COMPILER_TAG = _$(shell $(CCC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q')
endif
ifeq ($(USE_PTHREADS),1)
OS_PTHREAD = -lpthread
endif
OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR
OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR
OS_LIBS = $(OS_PTHREAD) -ldl -lc
ifeq ($(COMPILER_TAG),_clang)
# -Qunused-arguments : clang objects to arguments that it doesn't understand
# and fixing this would require rearchitecture
# -Wno-parentheses-equality : because clang warns about macro expansions
OS_CFLAGS += -Qunused-arguments -Wno-parentheses-equality
ifdef BUILD_OPT
# clang is unable to handle glib's expansion of strcmp and similar for optimized
# builds, so ignore the resulting errors.
# See https://llvm.org/bugs/show_bug.cgi?id=20144
OS_CFLAGS += -Wno-array-bounds -Wno-unevaluated-expression
endif
# Clang reports its version as an older gcc, but it's OK
NSS_HAS_GCC48 = true
endif
ifndef NSS_HAS_GCC48
NSS_HAS_GCC48 := $(shell \
[ `$(CC) -dumpversion | cut -f 1 -d . -` -eq 4 -a \
`$(CC) -dumpversion | cut -f 2 -d . -` -ge 8 -o \
`$(CC) -dumpversion | cut -f 1 -d . -` -ge 5 ] && \
echo true || echo false)
export NSS_HAS_GCC48
endif
ifeq (true,$(NSS_HAS_GCC48))
OS_CFLAGS += -Werror
else
# Old versions of gcc (< 4.8) don't support #pragma diagnostic in functions.
# Use this to disable use of that #pragma and the warnings it suppresses.
OS_CFLAGS += -DNSS_NO_GCC48
$(warning Unable to find gcc >= 4.8 disabling -Werror)
endif
ifdef USE_PTHREADS
DEFINES += -D_REENTRANT
endif


@ -24,9 +24,8 @@ else
CC = cl
CCC = cl
LINK = link
LDFLAGS += -nologo
AR = lib
AR += -nologo -OUT:$@
AR += -NOLOGO -OUT:$@
RANLIB = echo
BSDECHO = echo
RC = rc.exe
@ -104,7 +103,10 @@ endif
DLL_SUFFIX = dll
ifdef NS_USE_GCC
OS_CFLAGS += -mwindows -mms-bitfields -Werror
# The -mnop-fun-dllimport flag allows us to avoid a drawback of
# the dllimport attribute that a pointer to a function marked as
# dllimport cannot be used as as a constant address.
OS_CFLAGS += -mwindows -mms-bitfields -mnop-fun-dllimport
_GEN_IMPORT_LIB=-Wl,--out-implib,$(IMPORT_LIBRARY)
DLLFLAGS += -mwindows -o $@ -shared -Wl,--export-all-symbols $(if $(IMPORT_LIBRARY),$(_GEN_IMPORT_LIB))
ifdef BUILD_OPT
@ -123,7 +125,7 @@ ifdef NS_USE_GCC
DEFINES += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
endif
else # !NS_USE_GCC
OS_CFLAGS += -W3 -WX -nologo -D_CRT_SECURE_NO_WARNINGS \
OS_CFLAGS += -W3 -nologo -D_CRT_SECURE_NO_WARNINGS \
-D_CRT_NONSTDC_NO_WARNINGS
OS_DLLFLAGS += -nologo -DLL -SUBSYSTEM:WINDOWS
ifeq ($(_MSC_VER),$(_MSC_VER_6))
@ -188,11 +190,11 @@ endif
LDFLAGS += /FIXED:NO
endif
ifneq ($(_MSC_VER),$(_MSC_VER_6))
# NSS has too many of these to fix, downgrade the warning
# Disable C4267: conversion from 'size_t' to 'type', possible loss of data
# Disable C4244: conversion from 'type1' to 'type2', possible loss of data
# Disable C4018: 'expression' : signed/unsigned mismatch
OS_CFLAGS += -w44267 -w44244 -w44018
# Convert certain deadly warnings to errors (see list at end of file)
OS_CFLAGS += -we4002 -we4003 -we4004 -we4006 -we4009 -we4013 \
-we4015 -we4028 -we4033 -we4035 -we4045 -we4047 -we4053 -we4054 -we4063 \
-we4064 -we4078 -we4087 -we4090 -we4098 -we4390 -we4551 -we4553 -we4715
ifeq ($(_MSC_VER_GE_12),1)
OS_CFLAGS += -FS
endif
@ -215,13 +217,10 @@ ifdef USE_64
else
DEFINES += -D_X86_
# VS2012 defaults to -arch:SSE2. Use -arch:IA32 to avoid requiring
# SSE2. Clang-cl gets confused by -arch:IA32, so don't add it.
# (See https://llvm.org/bugs/show_bug.cgi?id=24335)
# SSE2.
# Use subsystem 5.01 to allow running on Windows XP.
ifeq ($(_MSC_VER_GE_11),1)
ifneq ($(CLANG_CL),1)
OS_CFLAGS += -arch:IA32
endif
OS_CFLAGS += -arch:IA32
LDFLAGS += -SUBSYSTEM:CONSOLE,5.01
endif
endif
@ -367,3 +366,32 @@ endif
ifndef TARGETS
TARGETS = $(LIBRARY) $(SHARED_LIBRARY) $(IMPORT_LIBRARY) $(PROGRAM)
endif
# list of MSVC warnings converted to errors above:
# 4002: too many actual parameters for macro 'identifier'
# 4003: not enough actual parameters for macro 'identifier'
# 4004: incorrect construction after 'defined'
# 4006: #undef expected an identifier
# 4009: string too big; trailing characters truncated
# 4015: 'identifier' : type of bit field must be integral
# 4028: formal parameter different from declaration
# 4033: 'function' must return a value
# 4035: 'function' : no return value
# 4045: 'identifier' : array bounds overflow
# 4047: 'function' : 'type 1' differs in levels of indirection from 'type 2'
# 4053: one void operand for '?:'
# 4054: 'conversion' : from function pointer 'type1' to data pointer 'type2'
# 4059: pascal string too big, length byte is length % 256
# 4063: case 'identifier' is not a valid value for switch of enum 'identifier'
# 4064: switch of incomplete enum 'identifier'
# 4078: case constant 'value' too big for the type of the switch expression
# 4087: 'function' : declared with 'void' parameter list
# 4090: 'function' : different 'const' qualifiers
# 4098: 'function' : void function returning a value
# 4390: ';' : empty controlled statement found; is this the intent?
# 4541: RTTI train wreck
# 4715: not all control paths return a value
# 4013: function undefined; assuming extern returning int
# 4553: '==' : operator has no effect; did you intend '='?
# 4551: function call missing argument list


@ -10,4 +10,3 @@
*/
#error "Do not include this header file."


@ -350,7 +350,7 @@ define2(char *name, char *val, struct inclist *file)
/* Fast inline binary search */
register char *s1;
register char *s2;
register int middle = first + (last - first) / 2;
register int middle = (first + last) / 2;
/* Fast inline strchr() */
s1 = name;
@ -436,7 +436,7 @@ slookup(char *symbol, struct inclist *file)
/* Fast inline binary search */
register char *s1;
register char *s2;
register int middle = first + (last - first) / 2;
register int middle = (first + last) / 2;
/* Fast inline strchr() */
s1 = symbol;


@ -272,10 +272,6 @@ $(IMPORT_LIBRARY): $(MAPFILE)
$(IMPLIB) $@ $<
$(RANLIB) $@
endif
ifeq ($(OS_ARCH),WINNT)
$(IMPORT_LIBRARY): $(LIBRARY)
cp -f $< $@
endif
ifdef SHARED_LIBRARY_LIBS
ifdef BUILD_TREE
@ -424,12 +420,12 @@ $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.S
$(OBJDIR)/$(PROG_PREFIX)%: %.cpp
@$(MAKE_OBJDIR)
ifdef USE_NT_C_SYNTAX
$(CCC) -Fo$@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
$(CCC) -Fo$@ -c $(CFLAGS) $(call core_abspath,$<)
else
ifdef NEED_ABSOLUTE_PATH
$(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
$(CCC) -o $@ -c $(CFLAGS) $(call core_abspath,$<)
else
$(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $<
$(CCC) -o $@ -c $(CFLAGS) $<
endif
endif
@ -437,43 +433,29 @@ endif
# Please keep the next two rules in sync.
#
$(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cc
$(MAKE_OBJDIR)
ifdef STRICT_CPLUSPLUS_SUFFIX
echo "#line 1 \"$<\"" | cat - $< > $(OBJDIR)/t_$*.cc
$(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $(OBJDIR)/t_$*.cc
rm -f $(OBJDIR)/t_$*.cc
else
ifdef USE_NT_C_SYNTAX
$(CCC) -Fo$@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
else
ifdef NEED_ABSOLUTE_PATH
$(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
else
$(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $<
endif
endif
endif #STRICT_CPLUSPLUS_SUFFIX
@$(MAKE_OBJDIR)
$(CCC) -o $@ -c $(CFLAGS) $<
$(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cpp
@$(MAKE_OBJDIR)
ifdef STRICT_CPLUSPLUS_SUFFIX
echo "#line 1 \"$<\"" | cat - $< > $(OBJDIR)/t_$*.cc
$(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $(OBJDIR)/t_$*.cc
$(CCC) -o $@ -c $(CFLAGS) $(OBJDIR)/t_$*.cc
rm -f $(OBJDIR)/t_$*.cc
else
ifdef USE_NT_C_SYNTAX
$(CCC) -Fo$@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
$(CCC) -Fo$@ -c $(CFLAGS) $(call core_abspath,$<)
else
ifdef NEED_ABSOLUTE_PATH
$(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
$(CCC) -o $@ -c $(CFLAGS) $(call core_abspath,$<)
else
$(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $<
$(CCC) -o $@ -c $(CFLAGS) $<
endif
endif
endif #STRICT_CPLUSPLUS_SUFFIX
%.i: %.cpp
$(CCC) -C -E $(CFLAGS) $(CXXFLAGS) $< > $@
$(CCC) -C -E $(CFLAGS) $< > $@
%.i: %.c
ifeq (,$(filter-out WIN%,$(OS_TARGET)))
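Review bot: The collapsed `.cc` rule on the new side (`@$(MAKE_OBJDIR)` followed by `$(CCC) -o $@ -c $(CFLAGS) $<`) no longer mirrors the `.cpp` rule after it, which still branches on STRICT_CPLUSPLUS_SUFFIX, USE_NT_C_SYNTAX and NEED_ABSOLUTE_PATH, even though the comment directly above reads `# Please keep the next two rules in sync.`; a `.cc` source on a USE_NT_C_SYNTAX or NEED_ABSOLUTE_PATH build is now compiled differently from a `.cpp` one. Either restore the branching in the `.cc` rule or change the comment to say the two rules intentionally differ. Dropping `$(CXXFLAGS)` from every C++ compile line also means any C++-specific flags the tree sets are ignored for these objects and for the `%.i: %.cpp` preprocessing rule.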


@ -72,11 +72,6 @@
<listitem><para>Delete a certificate from the certificate database.</para></listitem>
</varlistentry>
<varlistentry>
<term>--rename </term>
<listitem><para>Change the database nickname of a certificate.</para></listitem>
</varlistentry>
<varlistentry>
<term>-E </term>
<listitem><para>Add an email certificate to the certificate database.</para></listitem>
@ -736,11 +731,6 @@ Comma separated list of one or more of the following:
</para></listitem>
</varlistentry>
<varlistentry>
<term>--new-n nickname</term>
<listitem><para>A new nickname, used when renaming a certificate.</para></listitem>
</varlistentry>
<varlistentry>
<term>--source-dir certdir</term>
<listitem><para>Identify the certificate database directory to upgrade.</para></listitem>


@ -1,5 +1,5 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm139984205904704"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. 
If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">--rename </span></dt><dd><p>Change the database nickname of a certificate.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm139713586320592"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. 
If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
<code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname.
</p><p>
When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
@ -120,7 +120,7 @@ PKCS #11 key Attributes. Comma separated list of key attribute flags, selected f
PKCS #11 key Operation Flags.
Comma separated list of one or more of the following:
{token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
</p></dd><dt><span class="term">--new-n nickname</span></dt><dd><p>A new nickname, used when renaming a certificate.</p></dd><dt><span class="term">--source-dir certdir</span></dt><dd><p>Identify the certificate database directory to upgrade.</p></dd><dt><span class="term">--source-prefix certdir</span></dt><dd><p>Give the prefix of the certificate and key databases to upgrade.</p></dd><dt><span class="term">--upgrade-id uniqueID</span></dt><dd><p>Give the unique ID of the database to upgrade.</p></dd><dt><span class="term">--upgrade-token-name name</span></dt><dd><p>Set the name of the token to use while it is being upgraded.</p></dd><dt><span class="term">-@ pwfile</span></dt><dd><p>Give the name of a password file to use for the database being upgraded.</p></dd></dl></div></div><div class="refsection"><a name="basic-usage"></a><h2>Usage and Examples</h2><p>
</p></dd><dt><span class="term">--source-dir certdir</span></dt><dd><p>Identify the certificate database directory to upgrade.</p></dd><dt><span class="term">--source-prefix certdir</span></dt><dd><p>Give the prefix of the certificate and key databases to upgrade.</p></dd><dt><span class="term">--upgrade-id uniqueID</span></dt><dd><p>Give the unique ID of the database to upgrade.</p></dd><dt><span class="term">--upgrade-token-name name</span></dt><dd><p>Set the name of the token to use while it is being upgraded.</p></dd><dt><span class="term">-@ pwfile</span></dt><dd><p>Give the name of a password file to use for the database being upgraded.</p></dd></dl></div></div><div class="refsection"><a name="basic-usage"></a><h2>Usage and Examples</h2><p>
Most of the command options in the examples listed here have more arguments available. The arguments included in these examples are the most common ones or are used to illustrate a specific scenario. Use the <code class="option">-H</code> option to show the complete list of arguments for each command option.
</p><p><span class="command"><strong>Creating New Security Databases</strong></span></p><p>
Certificates, keys, and security modules related to managing certificates are stored in three related databases:


@ -2,12 +2,12 @@
.\" Title: CERTUTIL
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 13 August 2015
.\" Date: 23 February 2015
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
.TH "CERTUTIL" "1" "13 August 2015" "nss-tools" "NSS Security Tools"
.TH "CERTUTIL" "1" "23 February 2015" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -80,11 +80,6 @@ prompts for a filename\&.
Delete a certificate from the certificate database\&.
.RE
.PP
\-\-rename
.RS 4
Change the database nickname of a certificate\&.
.RE
.PP
\-E
.RS 4
Add an email certificate to the certificate database\&.
@ -1113,11 +1108,6 @@ PKCS #11 key Attributes\&. Comma separated list of key attribute flags, selected
PKCS #11 key Operation Flags\&. Comma separated list of one or more of the following: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
.RE
.PP
\-\-new\-n nickname
.RS 4
A new nickname, used when renaming a certificate\&.
.RE
.PP
\-\-source\-dir certdir
.RS 4
Identify the certificate database directory to upgrade\&.


@ -1,15 +1,31 @@
GTest-based Unit Tests
This directory contains GTest-based unit tests for NSS libssl.
This directory contains GTest-based unit tests for NSS.
These aren't built by default, because they require C++.
To build them, set ``NSS_BUILD_GTESTS=1''
Currently, these are only loopback-type tests of libsssl,
but could be expanded to other types of tests. To make these
work do:
Once built, they are run as part of running ``test/all.sh''
You can run just the GTests by running ``tests/ssl_gtests/ssl_gtests.sh''
- Set NSS_BUILD_GTESTS=1 before starting your build
They can be run standalone or under a debugger by invoking the ssl_gtest
executable with a ``-d'' option pointing to the directory created by either
of the above options. You can find that in
- cd tests/
- Set NSS_TESTS=ssl_gtests and NSS_CYCLES=standard
- run ./all.sh
This will run the certutil tests (generating a test db) and
will finalize with a call to the ssl_gtest
You should be able to run the unit tests manually as:
ssl_gtest -d ${SSLGTESTDIR}
Where $SSLGTESTDIR is a directory with a database containing:
- an RSA certificate called server (with its private key)
- an ECDSA certificate called ecdsa (with its private key)
A directory like this is created by ./all.sh and can be found
in a directory named something like
tests_results/security/${hostname}.${NUMBER}/ssl_gtests


@ -42,13 +42,4 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (7) Execute "local" rules. (OPTIONAL). #
#######################################################################
MKSHLIB = $(CCC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
ifeq (WINNT,$(OS_ARCH))
# -MTd (not -MD) because that makes it link to the right library
# -EHsc because gtest has exception handlers
OS_CFLAGS := $(filterout -MD,$(OS_CFLAGS))
OS_CFLAGS += -MTd -EHsc
# On windows, we need to create the parent directory
# Needed because we include files from a subdirectory
MAKE_OBJDIR = $(INSTALL) -D $(dir $@)
endif
MKSHLIB = $(CCC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)


@ -42,20 +42,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (7) Execute "local" rules. (OPTIONAL). #
#######################################################################
MKPROG = $(CCC)
CXXFLAGS += -std=c++0x
CFLAGS += -I$(CORE_DEPTH)/lib/ssl
MKPROG = $(CXX)
CFLAGS += -std=c++0x
include ../../cmd/platrules.mk
ifeq (WINNT,$(OS_ARCH))
# -MTd (not -MD) because that makes it link to the right library
# -EHsc because gtest has exception handlers
OS_CFLAGS := $(filterout -MD,$(OS_CFLAGS))
OS_CFLAGS += -MTd -EHsc -nologo
# http://www.suodenjoki.dk/us/archive/2010/min-max.htm
OS_CFLAGS += -DNOMINMAX
# Linking to winsock to get htonl
OS_LIBS += Ws2_32.lib
endif


@ -12,11 +12,6 @@
#include <cstring>
#include <iomanip>
#include <iostream>
#if defined(WIN32) || defined(WIN64)
#include <winsock2.h>
#else
#include <arpa/inet.h>
#endif
namespace nss_test {
@ -27,13 +22,13 @@ class DataBuffer {
Assign(data, len);
}
explicit DataBuffer(const DataBuffer& other) : data_(nullptr), len_(0) {
Assign(other);
Assign(other.data(), other.len());
}
~DataBuffer() { delete[] data_; }
DataBuffer& operator=(const DataBuffer& other) {
if (&other != this) {
Assign(other);
Assign(other.data(), other.len());
}
return *this;
}
@ -48,9 +43,6 @@ class DataBuffer {
len_ = std::min(len_, len);
}
void Assign(const DataBuffer& other) {
Assign(other.data(), other.len());
}
void Assign(const uint8_t* data, size_t len) {
Allocate(len);
memcpy(static_cast<void *>(data_), static_cast<const void *>(data), len);
@ -86,21 +78,6 @@ class DataBuffer {
Write(index, addr + sizeof(uint32_t) - count, count);
}
// This can't use the same trick as Write(), since we might be reading from a
// smaller data source.
bool Read(size_t index, size_t count, uint32_t* val) const {
assert(count < sizeof(uint32_t));
assert(val);
if ((index > len()) || (count > (len() - index))) {
return false;
}
*val = 0;
for (size_t i = 0; i < count; ++i) {
*val = (*val << 8) | data()[index + i];
}
return true;
}
// Starting at |index|, remove |remove| bytes and replace them with the
// contents of |buf|.
void Splice(const DataBuffer& buf, size_t index, size_t remove = 0) {
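Review bot: On the new side the copy constructor and operator= route every copy through `Assign(other.data(), other.len())`, and the remaining `Assign(const uint8_t* data, size_t len)` calls `memcpy` unconditionally; a default-constructed DataBuffer is `data_(nullptr), len_(0)`, so, assuming `data()` returns `data_`, copying an empty buffer passes a null source pointer to memcpy with length 0, which the standard leaves undefined and UBSan reports as such. Guarding the copy, `if (len) { memcpy(static_cast<void *>(data_), static_cast<const void *>(data), len); }`, avoids that without changing the result. Whether `Allocate(0)` leaves `data_` null is not visible in this hunk, so the destination pointer may warrant the same consideration. `Assign` continues past the end of the hunk.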


@ -1,26 +0,0 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
/* This file contains functions for frobbing the internals of libssl */
#include "libssl_internals.h"
#include "seccomon.h"
#include "ssl.h"
#include "sslimpl.h"
SECStatus
SSLInt_IncrementClientHandshakeVersion(PRFileDesc *fd)
{
sslSocket *ss = (sslSocket *)fd->secret;
if (!ss) {
return SECFailure;
}
++ss->clientHelloVersion;
return SECSuccess;
}


@ -1,17 +0,0 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef libssl_internals_h_
#define libssl_internals_h_
#include "prio.h"
#include "seccomon.h"
SECStatus SSLInt_IncrementClientHandshakeVersion(PRFileDesc *fd);
#endif


@ -6,16 +6,9 @@ CORE_DEPTH = ../..
DEPTH = ../..
MODULE = nss
# These sources have access to libssl internals
CSRCS = \
libssl_internals.c \
$(NULL)
CPPSRCS = \
ssl_agent_unittest.cc \
ssl_loopback_unittest.cc \
ssl_extension_unittest.cc \
ssl_prf_unittest.cc \
ssl_skip_unittest.cc \
ssl_gtest.cc \
test_io.cc \


@ -1,58 +0,0 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ssl.h"
#include "sslerr.h"
#include "sslproto.h"
#include <memory>
#include "databuffer.h"
#include "tls_agent.h"
#include "tls_connect.h"
#include "tls_parser.h"
namespace nss_test {
void MakeTrivialHandshakeMessage(uint8_t hs_type, size_t hs_len,
DataBuffer* out) {
size_t total_len = 5 + 4 + hs_len;
out->Allocate(total_len);
size_t index = 0;
out->Write(index, kTlsHandshakeType, 1); ++index; // Content Type
out->Write(index, 3, 1); ++index; // Version high
out->Write(index, 1, 1); ++index; // Version low
out->Write(index, 4 + hs_len, 2); index += 2; // Length
out->Write(index, hs_type, 1); ++index; // Handshake record type.
out->Write(index, hs_len, 3); index += 3; // Handshake length
for (; index < total_len; ++index) {
out->Write(index, 1, 1);
}
}
TEST_P(TlsAgentTest, EarlyFinished) {
DataBuffer buffer;
MakeTrivialHandshakeMessage(kTlsHandshakeFinished, 0, &buffer);
ProcessMessage(buffer, TlsAgent::STATE_ERROR,
SSL_ERROR_RX_UNEXPECTED_FINISHED);
}
TEST_P(TlsAgentTest, EarlyCertificateVerify) {
DataBuffer buffer;
MakeTrivialHandshakeMessage(kTlsHandshakeCertificateVerify, 0, &buffer);
ProcessMessage(buffer, TlsAgent::STATE_ERROR,
SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
}
INSTANTIATE_TEST_CASE_P(AgentTests, TlsAgentTest,
::testing::Combine(
TlsAgentTestBase::kTlsRolesAll,
TlsConnectTestBase::kTlsModesStream));
} // namespace nss_test


@ -196,8 +196,8 @@ class TlsExtensionReplacer : public TlsExtensionFilter {
return true;
}
private:
const uint16_t extension_;
const DataBuffer data_;
uint16_t extension_;
DataBuffer data_;
};
class TlsExtensionInjector : public TlsHandshakeFilter {
@ -251,27 +251,7 @@ class TlsExtensionInjector : public TlsHandshakeFilter {
}
private:
const uint16_t extension_;
const DataBuffer data_;
};
class TlsExtensionCapture : public TlsExtensionFilter {
public:
TlsExtensionCapture(uint16_t ext)
: extension_(ext), data_() {}
virtual bool FilterExtension(uint16_t extension_type,
const DataBuffer& input, DataBuffer* output) {
if (extension_type == extension_) {
data_.Assign(input);
}
return false;
}
const DataBuffer& extension() const { return data_; }
private:
const uint16_t extension_;
uint16_t extension_;
DataBuffer data_;
};
@ -514,6 +494,7 @@ TEST_P(TlsExtensionTest12Plus, DISABLED_SignatureAlgorithmsSigUnsupported) {
}
TEST_P(TlsExtensionTestGeneric, SupportedCurvesShort) {
EnableSomeEcdheCiphers();
const uint8_t val[] = { 0x00, 0x01, 0x00 };
DataBuffer extension(val, sizeof(val));
ClientHelloErrorTest(new TlsExtensionReplacer(ssl_elliptic_curves_xtn,
@ -521,6 +502,7 @@ TEST_P(TlsExtensionTestGeneric, SupportedCurvesShort) {
}
TEST_P(TlsExtensionTestGeneric, SupportedCurvesBadLength) {
EnableSomeEcdheCiphers();
const uint8_t val[] = { 0x09, 0x99, 0x00, 0x00 };
DataBuffer extension(val, sizeof(val));
ClientHelloErrorTest(new TlsExtensionReplacer(ssl_elliptic_curves_xtn,
@ -528,6 +510,7 @@ TEST_P(TlsExtensionTestGeneric, SupportedCurvesBadLength) {
}
TEST_P(TlsExtensionTestGeneric, SupportedCurvesTrailingData) {
EnableSomeEcdheCiphers();
const uint8_t val[] = { 0x00, 0x02, 0x00, 0x00, 0x00 };
DataBuffer extension(val, sizeof(val));
ClientHelloErrorTest(new TlsExtensionReplacer(ssl_elliptic_curves_xtn,
@ -535,6 +518,7 @@ TEST_P(TlsExtensionTestGeneric, SupportedCurvesTrailingData) {
}
TEST_P(TlsExtensionTestGeneric, SupportedPointsEmpty) {
EnableSomeEcdheCiphers();
const uint8_t val[] = { 0x00 };
DataBuffer extension(val, sizeof(val));
ClientHelloErrorTest(new TlsExtensionReplacer(ssl_ec_point_formats_xtn,
@ -542,6 +526,7 @@ TEST_P(TlsExtensionTestGeneric, SupportedPointsEmpty) {
}
TEST_P(TlsExtensionTestGeneric, SupportedPointsBadLength) {
EnableSomeEcdheCiphers();
const uint8_t val[] = { 0x99, 0x00, 0x00 };
DataBuffer extension(val, sizeof(val));
ClientHelloErrorTest(new TlsExtensionReplacer(ssl_ec_point_formats_xtn,
@ -549,6 +534,7 @@ TEST_P(TlsExtensionTestGeneric, SupportedPointsBadLength) {
}
TEST_P(TlsExtensionTestGeneric, SupportedPointsTrailingData) {
EnableSomeEcdheCiphers();
const uint8_t val[] = { 0x01, 0x00, 0x00 };
DataBuffer extension(val, sizeof(val));
ClientHelloErrorTest(new TlsExtensionReplacer(ssl_ec_point_formats_xtn,
@ -576,32 +562,6 @@ TEST_P(TlsExtensionTestGeneric, RenegotiationInfoExtensionEmpty) {
extension));
}
TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmConfiguration) {
const SSLSignatureAndHashAlg algorithms[] = {
{ssl_hash_sha512, ssl_sign_rsa},
{ssl_hash_sha384, ssl_sign_ecdsa}
};
TlsExtensionCapture *capture =
new TlsExtensionCapture(ssl_signature_algorithms_xtn);
client_->SetSignatureAlgorithms(algorithms, PR_ARRAY_SIZE(algorithms));
client_->SetPacketFilter(capture);
DisableDheAndEcdheCiphers();
Connect();
const DataBuffer& ext = capture->extension();
EXPECT_EQ(2 + PR_ARRAY_SIZE(algorithms) * 2, ext.len());
for (size_t i = 0, cursor = 2;
i < PR_ARRAY_SIZE(algorithms) && cursor < ext.len();
++i) {
uint32_t v;
EXPECT_TRUE(ext.Read(cursor++, 1, &v));
EXPECT_EQ(algorithms[i].hashAlg, static_cast<SSLHashType>(v));
EXPECT_TRUE(ext.Read(cursor++, 1, &v));
EXPECT_EQ(algorithms[i].sigAlg, static_cast<SSLSignType>(v));
}
}
INSTANTIATE_TEST_CASE_P(ExtensionTls10, TlsExtensionTestGeneric,
::testing::Combine(
TlsConnectTestBase::kTlsModesStream,


@ -16,9 +16,6 @@ int main(int argc, char **argv) {
::testing::InitGoogleTest(&argc, argv);
g_working_dir_path = ".";
// Temporarily disable asserts for PKCS#11 slot leakage until
// Bug 1168425 is fixed.
unsetenv("NSS_STRICT_SHUTDOWN");
char* workdir = getenv("NSS_GTEST_WORKDIR");
if (workdir)
g_working_dir_path = workdir;


@ -5,62 +5,16 @@
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ssl.h"
#include "sslerr.h"
#include "sslproto.h"
#include <memory>
extern "C" {
// This is not something that should make you happy.
#include "libssl_internals.h"
}
#include <memory>
#include "tls_parser.h"
#include "tls_filter.h"
#include "tls_connect.h"
#include "gtest_utils.h"
namespace nss_test {
uint8_t kBogusClientKeyExchange[] = {
0x01, 0x00,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
};
// When we see the ClientKeyExchange from |client|, increment the
// ClientHelloVersion on |server|.
class TlsInspectorClientHelloVersionChanger : public TlsHandshakeFilter {
public:
TlsInspectorClientHelloVersionChanger(TlsAgent* server) : server_(server) {}
virtual bool FilterHandshake(uint16_t version, uint8_t handshake_type,
const DataBuffer& input, DataBuffer* output) {
if (handshake_type == kTlsHandshakeClientKeyExchange) {
EXPECT_EQ(
SECSuccess,
SSLInt_IncrementClientHandshakeVersion(server_->ssl_fd()));
}
return false;
}
private:
TlsAgent* server_;
};
class TlsServerKeyExchangeEcdhe {
public:
bool Parse(const DataBuffer& buffer) {
@ -89,54 +43,42 @@ class TlsServerKeyExchangeEcdhe {
TEST_P(TlsConnectGeneric, SetupOnly) {}
TEST_P(TlsConnectGeneric, Connect) {
SetExpectedVersion(std::get<1>(GetParam()));
Connect();
client_->CheckVersion(std::get<1>(GetParam()));
client_->CheckAuthType(ssl_auth_rsa);
}
TEST_P(TlsConnectGeneric, ConnectEcdsa) {
SetExpectedVersion(std::get<1>(GetParam()));
ResetEcdsa();
Connect();
client_->CheckAuthType(ssl_auth_ecdsa);
}
TEST_P(TlsConnectGeneric, ConnectFalseStart) {
client_->EnableFalseStart();
Connect();
}
TEST_P(TlsConnectGeneric, ConnectResumed) {
ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
Connect();
ResetRsa();
ExpectResumption(RESUME_SESSIONID);
Connect();
CheckResumption(RESUME_SESSIONID);
}
TEST_P(TlsConnectGeneric, ConnectClientCacheDisabled) {
ConfigureSessionCache(RESUME_NONE, RESUME_SESSIONID);
Connect();
ResetRsa();
ExpectResumption(RESUME_NONE);
Connect();
CheckResumption(RESUME_NONE);
}
TEST_P(TlsConnectGeneric, ConnectServerCacheDisabled) {
ConfigureSessionCache(RESUME_SESSIONID, RESUME_NONE);
Connect();
ResetRsa();
ExpectResumption(RESUME_NONE);
Connect();
CheckResumption(RESUME_NONE);
}
TEST_P(TlsConnectGeneric, ConnectSessionCacheDisabled) {
ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
Connect();
ResetRsa();
ExpectResumption(RESUME_NONE);
Connect();
CheckResumption(RESUME_NONE);
}
TEST_P(TlsConnectGeneric, ConnectResumeSupportBoth) {
@ -146,8 +88,8 @@ TEST_P(TlsConnectGeneric, ConnectResumeSupportBoth) {
ResetRsa();
ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
ExpectResumption(RESUME_TICKET);
Connect();
CheckResumption(RESUME_TICKET);
}
TEST_P(TlsConnectGeneric, ConnectResumeClientTicketServerBoth) {
@ -158,8 +100,8 @@ TEST_P(TlsConnectGeneric, ConnectResumeClientTicketServerBoth) {
ResetRsa();
ConfigureSessionCache(RESUME_TICKET, RESUME_BOTH);
ExpectResumption(RESUME_NONE);
Connect();
CheckResumption(RESUME_NONE);
}
TEST_P(TlsConnectGeneric, ConnectResumeClientBothTicketServerTicket) {
@ -169,8 +111,8 @@ TEST_P(TlsConnectGeneric, ConnectResumeClientBothTicketServerTicket) {
ResetRsa();
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
ExpectResumption(RESUME_TICKET);
Connect();
CheckResumption(RESUME_TICKET);
}
TEST_P(TlsConnectGeneric, ConnectClientServerTicketOnly) {
@ -181,8 +123,8 @@ TEST_P(TlsConnectGeneric, ConnectClientServerTicketOnly) {
ResetRsa();
ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET);
ExpectResumption(RESUME_NONE);
Connect();
CheckResumption(RESUME_NONE);
}
TEST_P(TlsConnectGeneric, ConnectClientBothServerNone) {
@ -191,8 +133,8 @@ TEST_P(TlsConnectGeneric, ConnectClientBothServerNone) {
ResetRsa();
ConfigureSessionCache(RESUME_BOTH, RESUME_NONE);
ExpectResumption(RESUME_NONE);
Connect();
CheckResumption(RESUME_NONE);
}
TEST_P(TlsConnectGeneric, ConnectClientNoneServerBoth) {
@ -201,13 +143,12 @@ TEST_P(TlsConnectGeneric, ConnectClientNoneServerBoth) {
ResetRsa();
ConfigureSessionCache(RESUME_NONE, RESUME_BOTH);
ExpectResumption(RESUME_NONE);
Connect();
CheckResumption(RESUME_NONE);
}
TEST_P(TlsConnectGeneric, ResumeWithHigherVersion) {
EnsureTlsSetup();
SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_1);
ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_1);
@ -217,119 +158,13 @@ TEST_P(TlsConnectGeneric, ResumeWithHigherVersion) {
ResetRsa();
EnsureTlsSetup();
SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_2);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_2);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_2);
ExpectResumption(RESUME_NONE);
Connect();
}
TEST_P(TlsConnectGeneric, ClientAuth) {
client_->SetupClientAuth();
server_->RequestClientAuth(true);
Connect();
server_->CheckAuthType(ssl_auth_rsa);
}
TEST_P(TlsConnectGeneric, ClientAuthEcdsa) {
ResetEcdsa();
client_->SetupClientAuth();
server_->RequestClientAuth(true);
Connect();
server_->CheckAuthType(ssl_auth_ecdsa);
}
static const SSLSignatureAndHashAlg SignatureEcdsaSha384[] = {
{ssl_hash_sha384, ssl_sign_ecdsa}
};
static const SSLSignatureAndHashAlg SignatureEcdsaSha256[] = {
{ssl_hash_sha256, ssl_sign_ecdsa}
};
static const SSLSignatureAndHashAlg SignatureRsaSha384[] = {
{ssl_hash_sha384, ssl_sign_rsa}
};
static const SSLSignatureAndHashAlg SignatureRsaSha256[] = {
{ssl_hash_sha256, ssl_sign_rsa}
};
// When signature algorithms match up, this should connect successfully; even
// for TLS 1.1 and 1.0, where they should be ignored.
TEST_P(TlsConnectGeneric, SignatureAlgorithmServerAuth) {
client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
server_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
ResetEcdsa();
Connect();
}
// Here the client picks a single option, which should work in all versions.
// Defaults on the server include the first option.
TEST_P(TlsConnectGeneric, SignatureAlgorithmClientOnly) {
const SSLSignatureAndHashAlg clientAlgorithms[] = {
{ssl_hash_sha384, ssl_sign_ecdsa},
{ssl_hash_sha384, ssl_sign_rsa}, // supported but unusable
{ssl_hash_md5, ssl_sign_ecdsa} // unsupported and ignored
};
client_->SetSignatureAlgorithms(clientAlgorithms,
PR_ARRAY_SIZE(clientAlgorithms));
ResetEcdsa();
Connect();
}
// Here the server picks a single option, which should work in all versions.
// Defaults on the client include the provided option.
TEST_P(TlsConnectGeneric, SignatureAlgorithmServerOnly) {
server_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
ResetEcdsa();
Connect();
}
// There is no need for overlap on signatures; since we don't actually use the
// signatures for static RSA, this should still connect successfully.
// This should also work in TLS 1.0 and 1.1 where the algorithms aren't used.
TEST_P(TlsConnectGeneric, SignatureAlgorithmNoOverlapStaticRsa) {
client_->SetSignatureAlgorithms(SignatureRsaSha384,
PR_ARRAY_SIZE(SignatureRsaSha384));
server_->SetSignatureAlgorithms(SignatureRsaSha256,
PR_ARRAY_SIZE(SignatureRsaSha256));
DisableDheAndEcdheCiphers();
Connect();
client_->CheckKEAType(ssl_kea_rsa);
client_->CheckAuthType(ssl_auth_rsa);
}
// Signature algorithms governs both verification and generation of signatures.
// With ECDSA, we need to at least have a common signature algorithm configured.
TEST_P(TlsConnectTls12, SignatureAlgorithmNoOverlapEcdsa) {
ResetEcdsa();
client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
server_->SetSignatureAlgorithms(SignatureEcdsaSha256,
PR_ARRAY_SIZE(SignatureEcdsaSha256));
ConnectExpectFail();
}
// Pre 1.2, a mismatch on signature algorithms shouldn't affect anything.
TEST_P(TlsConnectPre12, SignatureAlgorithmNoOverlapEcdsa) {
ResetEcdsa();
client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
server_->SetSignatureAlgorithms(SignatureEcdsaSha256,
PR_ARRAY_SIZE(SignatureEcdsaSha256));
Connect();
}
// The server requests client auth but doesn't offer a SHA-256 option.
// This fails because NSS only uses SHA-256 for handshake transcript hashes.
TEST_P(TlsConnectTls12, RequestClientAuthWithoutSha256) {
server_->SetSignatureAlgorithms(SignatureRsaSha384,
PR_ARRAY_SIZE(SignatureRsaSha384));
server_->RequestClientAuth(false);
ConnectExpectFail();
CheckResumption(RESUME_NONE);
client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_2);
}
TEST_P(TlsConnectGeneric, ConnectAlpn) {
@ -339,87 +174,27 @@ TEST_P(TlsConnectGeneric, ConnectAlpn) {
server_->CheckAlpn(SSL_NEXT_PROTO_NEGOTIATED, "a");
}
TEST_P(TlsConnectGeneric, ConnectEcdsa) {
ResetEcdsa();
Connect();
client_->CheckVersion(std::get<1>(GetParam()));
client_->CheckAuthType(ssl_auth_ecdsa);
}
TEST_P(TlsConnectDatagram, ConnectSrtp) {
EnableSrtp();
Connect();
CheckSrtp();
}
TEST_P(TlsConnectStream, ConnectAndClientRenegotiate) {
Connect();
server_->PrepareForRenegotiate();
client_->StartRenegotiate();
Handshake();
CheckConnected();
}
TEST_P(TlsConnectStream, ConnectAndServerRenegotiate) {
Connect();
client_->PrepareForRenegotiate();
server_->StartRenegotiate();
Handshake();
CheckConnected();
}
TEST_P(TlsConnectStream, ConnectStaticRSA) {
DisableDheAndEcdheCiphers();
Connect();
client_->CheckKEAType(ssl_kea_rsa);
}
TEST_P(TlsConnectStream, ConnectDhe) {
DisableEcdheCiphers();
Connect();
client_->CheckKEAType(ssl_kea_dh);
}
// Test that a totally bogus EPMS is handled correctly.
// This test is stream so we can catch the bad_record_mac alert.
TEST_P(TlsConnectStream, ConnectStaticRSABogusCKE) {
DisableDheAndEcdheCiphers();
TlsInspectorReplaceHandshakeMessage* i1 =
new TlsInspectorReplaceHandshakeMessage(kTlsHandshakeClientKeyExchange,
DataBuffer(
kBogusClientKeyExchange,
sizeof(kBogusClientKeyExchange)));
client_->SetPacketFilter(i1);
auto alert_recorder = new TlsAlertRecorder();
server_->SetPacketFilter(alert_recorder);
ConnectExpectFail();
EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
EXPECT_EQ(kTlsAlertBadRecordMac, alert_recorder->description());
}
// Test that a PMS with a bogus version number is handled correctly.
// This test is stream so we can catch the bad_record_mac alert.
TEST_P(TlsConnectStream, ConnectStaticRSABogusPMSVersionDetect) {
DisableDheAndEcdheCiphers();
client_->SetPacketFilter(new TlsInspectorClientHelloVersionChanger(
server_));
auto alert_recorder = new TlsAlertRecorder();
server_->SetPacketFilter(alert_recorder);
ConnectExpectFail();
EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
EXPECT_EQ(kTlsAlertBadRecordMac, alert_recorder->description());
}
// Test that a PMS with a bogus version number is ignored when
// rollback detection is disabled. This is a positive control for
// ConnectStaticRSABogusPMSVersionDetect.
TEST_P(TlsConnectGeneric, ConnectStaticRSABogusPMSVersionIgnore) {
DisableDheAndEcdheCiphers();
client_->SetPacketFilter(new TlsInspectorClientHelloVersionChanger(
server_));
server_->DisableRollbackDetection();
Connect();
}
TEST_P(TlsConnectStream, ConnectEcdhe) {
EnableSomeEcdheCiphers();
Connect();
client_->CheckKEAType(ssl_kea_ecdh);
}
TEST_P(TlsConnectStream, ConnectEcdheTwiceReuseKey) {
EnableSomeEcdheCiphers();
TlsInspectorRecordHandshakeMessage* i1 =
new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
server_->SetPacketFilter(i1);
@ -433,6 +208,7 @@ TEST_P(TlsConnectStream, ConnectEcdheTwiceReuseKey) {
TlsInspectorRecordHandshakeMessage* i2 =
new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
server_->SetPacketFilter(i2);
EnableSomeEcdheCiphers();
ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
Connect();
client_->CheckKEAType(ssl_kea_ecdh);
@ -447,7 +223,7 @@ TEST_P(TlsConnectStream, ConnectEcdheTwiceReuseKey) {
}
TEST_P(TlsConnectStream, ConnectEcdheTwiceNewKey) {
server_->EnsureTlsSetup();
EnableSomeEcdheCiphers();
SECStatus rv =
SSL_OptionSet(server_->ssl_fd(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
EXPECT_EQ(SECSuccess, rv);
@ -461,7 +237,7 @@ TEST_P(TlsConnectStream, ConnectEcdheTwiceNewKey) {
// Restart
ResetRsa();
server_->EnsureTlsSetup();
EnableSomeEcdheCiphers();
rv = SSL_OptionSet(server_->ssl_fd(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
EXPECT_EQ(SECSuccess, rv);
TlsInspectorRecordHandshakeMessage* i2 =
@ -480,167 +256,6 @@ TEST_P(TlsConnectStream, ConnectEcdheTwiceNewKey) {
dhe1.public_key_.len())));
}
TEST_P(TlsConnectGeneric, ConnectSendReceive) {
Connect();
SendReceive();
}
// The next two tests takes advantage of the fact that we
// automatically read the first 1024 bytes, so if
// we provide 1200 bytes, they overrun the read buffer
// provided by the calling test.
// DTLS should return an error.
TEST_P(TlsConnectDatagram, ShortRead) {
Connect();
client_->SetExpectedReadError(true);
server_->SendData(1200, 1200);
WAIT_(client_->error_code() == SSL_ERROR_RX_SHORT_DTLS_READ, 2000);
// Don't call CheckErrorCode() because it requires us to being
// in state ERROR.
ASSERT_EQ(SSL_ERROR_RX_SHORT_DTLS_READ, client_->error_code());
// Now send and receive another packet.
client_->SetExpectedReadError(false);
server_->ResetSentBytes(); // Reset the counter.
SendReceive();
}
// TLS should get the write in two chunks.
TEST_P(TlsConnectStream, ShortRead) {
// This test behaves oddly with TLS 1.0 because of 1/n+1 splitting,
// so skip in that case.
if (version_ < SSL_LIBRARY_VERSION_TLS_1_1)
return;
Connect();
server_->SendData(1200, 1200);
// Read the first tranche.
WAIT_(client_->received_bytes() == 1024, 2000);
ASSERT_EQ(1024U, client_->received_bytes());
// The second tranche should now immediately be available.
client_->ReadBytes();
ASSERT_EQ(1200U, client_->received_bytes());
}
TEST_P(TlsConnectGeneric, ConnectExtendedMasterSecret) {
EnableExtendedMasterSecret();
Connect();
ResetRsa();
ExpectResumption(RESUME_SESSIONID);
EnableExtendedMasterSecret();
Connect();
}
TEST_P(TlsConnectGeneric, ConnectExtendedMasterSecretStaticRSA) {
DisableDheAndEcdheCiphers();
EnableExtendedMasterSecret();
Connect();
}
// This test is stream so we can catch the bad_record_mac alert.
TEST_P(TlsConnectStream, ConnectExtendedMasterSecretStaticRSABogusCKE) {
DisableDheAndEcdheCiphers();
EnableExtendedMasterSecret();
TlsInspectorReplaceHandshakeMessage* inspect =
new TlsInspectorReplaceHandshakeMessage(kTlsHandshakeClientKeyExchange,
DataBuffer(
kBogusClientKeyExchange,
sizeof(kBogusClientKeyExchange)));
client_->SetPacketFilter(inspect);
auto alert_recorder = new TlsAlertRecorder();
server_->SetPacketFilter(alert_recorder);
ConnectExpectFail();
EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
EXPECT_EQ(kTlsAlertBadRecordMac, alert_recorder->description());
}
// This test is stream so we can catch the bad_record_mac alert.
TEST_P(TlsConnectStream, ConnectExtendedMasterSecretStaticRSABogusPMSVersionDetect) {
DisableDheAndEcdheCiphers();
EnableExtendedMasterSecret();
client_->SetPacketFilter(new TlsInspectorClientHelloVersionChanger(
server_));
auto alert_recorder = new TlsAlertRecorder();
server_->SetPacketFilter(alert_recorder);
ConnectExpectFail();
EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
EXPECT_EQ(kTlsAlertBadRecordMac, alert_recorder->description());
}
TEST_P(TlsConnectStream, ConnectExtendedMasterSecretStaticRSABogusPMSVersionIgnore) {
DisableDheAndEcdheCiphers();
EnableExtendedMasterSecret();
client_->SetPacketFilter(new TlsInspectorClientHelloVersionChanger(
server_));
server_->DisableRollbackDetection();
Connect();
}
TEST_P(TlsConnectGeneric, ConnectExtendedMasterSecretECDHE) {
EnableExtendedMasterSecret();
Connect();
ResetRsa();
EnableExtendedMasterSecret();
ExpectResumption(RESUME_SESSIONID);
Connect();
}
TEST_P(TlsConnectGeneric, ConnectExtendedMasterSecretTicket) {
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
EnableExtendedMasterSecret();
Connect();
ResetRsa();
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
EnableExtendedMasterSecret();
ExpectResumption(RESUME_TICKET);
Connect();
}
TEST_P(TlsConnectGeneric,
ConnectExtendedMasterSecretClientOnly) {
client_->EnableExtendedMasterSecret();
ExpectExtendedMasterSecret(false);
Connect();
}
TEST_P(TlsConnectGeneric,
ConnectExtendedMasterSecretServerOnly) {
server_->EnableExtendedMasterSecret();
ExpectExtendedMasterSecret(false);
Connect();
}
TEST_P(TlsConnectGeneric,
ConnectExtendedMasterSecretResumeWithout) {
EnableExtendedMasterSecret();
Connect();
ResetRsa();
server_->EnableExtendedMasterSecret();
auto alert_recorder = new TlsAlertRecorder();
server_->SetPacketFilter(alert_recorder);
ConnectExpectFail();
EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
EXPECT_EQ(kTlsAlertHandshakeFailure, alert_recorder->description());
}
TEST_P(TlsConnectGeneric,
ConnectNormalResumeWithExtendedMasterSecret) {
ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
ExpectExtendedMasterSecret(false);
Connect();
ResetRsa();
EnableExtendedMasterSecret();
ExpectResumption(RESUME_NONE);
Connect();
}
INSTANTIATE_TEST_CASE_P(VariantsStream10, TlsConnectGeneric,
::testing::Combine(
TlsConnectTestBase::kTlsModesStream,
@ -651,19 +266,7 @@ INSTANTIATE_TEST_CASE_P(VariantsAll, TlsConnectGeneric,
TlsConnectTestBase::kTlsV11V12));
INSTANTIATE_TEST_CASE_P(VersionsDatagram, TlsConnectDatagram,
TlsConnectTestBase::kTlsV11V12);
INSTANTIATE_TEST_CASE_P(Variants12, TlsConnectTls12,
TlsConnectTestBase::kTlsModesAll);
INSTANTIATE_TEST_CASE_P(Pre12Stream, TlsConnectPre12,
::testing::Combine(
TlsConnectTestBase::kTlsModesStream,
TlsConnectTestBase::kTlsV10));
INSTANTIATE_TEST_CASE_P(Pre12All, TlsConnectPre12,
::testing::Combine(
TlsConnectTestBase::kTlsModesAll,
TlsConnectTestBase::kTlsV11));
INSTANTIATE_TEST_CASE_P(VersionsStream10, TlsConnectStream,
TlsConnectTestBase::kTlsV10);
INSTANTIATE_TEST_CASE_P(VersionsStream, TlsConnectStream,
INSTANTIATE_TEST_CASE_P(VersionsDatagram, TlsConnectStream,
TlsConnectTestBase::kTlsV11V12);
} // namespace nspr_test


@ -1,253 +0,0 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nss.h"
#include "pk11pub.h"
#include <memory>
#include "gtest_utils.h"
namespace nss_test {
#define CONST_UINT8_TO_UCHAR(a) const_cast<unsigned char*>( \
static_cast<const unsigned char *>(a))
const size_t kPmsSize = 48;
const size_t kMasterSecretSize = 48;
const size_t kPrfSeedSizeSha256 = 32;
const size_t kPrfSeedSizeTlsPrf = 36;
// This is not the right size for anything
const size_t kIncorrectSize = 17;
const uint8_t kPmsData[] = {
0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,
0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f
};
const uint8_t kPrfSeed[] = {
0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff,
0xe0,0xe1,0xe2,0xe3,0xe4,0xe5,0xe6,0xe7,
0xe8,0xe9,0xea,0xeb,0xec,0xed,0xee,0xef,
0xd0,0xd1,0xd2,0xd3
};
const uint8_t kExpectedOutputEmsSha256[] = {
0x75,0xa7,0xa5,0x98,0xef,0xab,0x90,0xe7,
0x7c,0x67,0x80,0xde,0xab,0x3a,0x11,0xf3,
0x5d,0xb2,0xf8,0x47,0xff,0x09,0x01,0xec,
0xf8,0x93,0x89,0xfc,0x98,0x2e,0x6e,0xf9,
0x2c,0xf5,0x9b,0x04,0x04,0x6f,0xd7,0x28,
0x6e,0xea,0xe3,0x83,0xc4,0x4a,0xff,0x03
};
const uint8_t kExpectedOutputEmsTlsPrf[] = {
0x06,0xbf,0x29,0x86,0x5d,0xf3,0x3e,0x38,
0xfd,0xfa,0x91,0x10,0x2a,0x20,0xff,0xd6,
0xb9,0xd5,0x72,0x5a,0x6d,0x42,0x20,0x16,
0xde,0xa4,0xa0,0x51,0xe5,0x53,0xc1,0x28,
0x04,0x99,0xbc,0xb1,0x2c,0x9d,0xe8,0x0b,
0x18,0xa2,0x0e,0x48,0x52,0x8d,0x61,0x13
};
static unsigned char* toUcharPtr(const uint8_t* v) {
return const_cast<unsigned char*>(
static_cast<const unsigned char *>(v));
}
class TlsPrfTest : public ::testing::Test {
public:
TlsPrfTest()
: params_({siBuffer, nullptr, 0})
, pms_item_({siBuffer, toUcharPtr(kPmsData), kPmsSize})
, key_mech_(0)
, slot_(nullptr)
, pms_(nullptr)
, ms_(nullptr)
, pms_version_({0, 0}) {}
~TlsPrfTest() {
if (slot_) { PK11_FreeSlot(slot_); }
ClearTempVars();
}
void ClearTempVars() {
if (pms_) { PK11_FreeSymKey(pms_); }
if (ms_) { PK11_FreeSymKey(ms_); }
}
void Init() {
params_.type = siBuffer;
pms_item_.type = siBuffer;
pms_item_.data = const_cast<unsigned char*>(
static_cast<const unsigned char *>(kPmsData));
slot_ = PK11_GetInternalSlot();
ASSERT_NE(nullptr, slot_);
}
void CheckForError(CK_MECHANISM_TYPE hash_mech,
size_t seed_len,
size_t pms_len,
size_t output_len) {
// Error tests don't depend on the derivation mechansim
Inner(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, hash_mech,
seed_len, pms_len, output_len, nullptr, nullptr);
}
void ComputeAndVerifyMs(CK_MECHANISM_TYPE derive_mech,
CK_MECHANISM_TYPE hash_mech,
CK_VERSION* version,
const uint8_t* expected) {
// Infer seed length from mechanism
int seed_len = 0;
switch (hash_mech) {
case CKM_TLS_PRF: seed_len = kPrfSeedSizeTlsPrf; break;
case CKM_SHA256: seed_len = kPrfSeedSizeSha256; break;
default: ASSERT_TRUE(false);
}
Inner(derive_mech, hash_mech, seed_len,
kPmsSize, 0, version, expected);
}
// Set output == nullptr to test when errors occur
void Inner(
CK_MECHANISM_TYPE derive_mech,
CK_MECHANISM_TYPE hash_mech,
size_t seed_len,
size_t pms_len,
size_t output_len,
CK_VERSION* version,
const uint8_t* expected) {
ClearTempVars();
// Infer the key mechanism from the hash type
switch (hash_mech) {
case CKM_TLS_PRF: key_mech_ = CKM_TLS_KEY_AND_MAC_DERIVE; break;
case CKM_SHA256: key_mech_ = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; break;
default: ASSERT_TRUE(false);
}
// Import the params
CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS master_params = {
hash_mech,
toUcharPtr(kPrfSeed),
seed_len,
version
};
params_.data = reinterpret_cast<unsigned char*>(&master_params);
params_.len = sizeof(master_params);
// Import the PMS
pms_item_.len = pms_len;
pms_ = PK11_ImportSymKey(slot_, derive_mech, PK11_OriginUnwrap,
CKA_DERIVE, &pms_item_, NULL);
ASSERT_NE(nullptr, pms_);
// Compute the EMS
ms_ = PK11_DeriveWithFlags(pms_, derive_mech, &params_, key_mech_,
CKA_DERIVE, output_len, CKF_SIGN | CKF_VERIFY);
// Verify the EMS has the expected value (null or otherwise)
if (!expected) {
EXPECT_EQ(nullptr, ms_);
} else {
ASSERT_NE(nullptr, ms_);
SECStatus rv = PK11_ExtractKeyValue(ms_);
ASSERT_EQ(SECSuccess, rv);
SECItem *msData = PK11_GetKeyData(ms_);
ASSERT_NE(nullptr, msData);
ASSERT_EQ(kMasterSecretSize, msData->len);
EXPECT_EQ(0,
memcmp(msData->data, expected, kMasterSecretSize));
}
}
protected:
SECItem params_;
SECItem pms_item_;
CK_MECHANISM_TYPE key_mech_;
PK11SlotInfo *slot_;
PK11SymKey *pms_;
PK11SymKey *ms_;
CK_VERSION pms_version_;
};
TEST_F(TlsPrfTest, ExtendedMsParamErr) {
Init();
// This should fail; it's the correct set from which the below are derived
// CheckForError(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, 0);
// Output key size != 0, SSL3_MASTER_SECRET_LENGTH
CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, kIncorrectSize);
// not-DH && pms size != SSL3_PMS_LENGTH
CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kIncorrectSize, 0);
// CKM_TLS_PRF && seed length != MD5_LENGTH + SHA1_LENGTH
CheckForError(CKM_TLS_PRF, kIncorrectSize, kPmsSize, 0);
// !CKM_TLS_PRF && seed length != hash output length
CheckForError(CKM_SHA256, kIncorrectSize, kPmsSize, 0);
}
// Test matrix:
//
// DH RSA
// TLS_PRF 1 2
// SHA256 3 4
TEST_F(TlsPrfTest, ExtendedMsDhTlsPrf) {
Init();
ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
CKM_TLS_PRF,
nullptr,
kExpectedOutputEmsTlsPrf);
}
TEST_F(TlsPrfTest, ExtendedMsRsaTlsPrf) {
Init();
ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
CKM_TLS_PRF,
&pms_version_,
kExpectedOutputEmsTlsPrf);
EXPECT_EQ(0, pms_version_.major);
EXPECT_EQ(1, pms_version_.minor);
}
TEST_F(TlsPrfTest, ExtendedMsDhSha256) {
Init();
ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
CKM_SHA256,
nullptr,
kExpectedOutputEmsSha256);
}
TEST_F(TlsPrfTest, ExtendedMsRsaSha256) {
Init();
ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
CKM_SHA256,
&pms_version_,
kExpectedOutputEmsSha256);
EXPECT_EQ(0, pms_version_.major);
EXPECT_EQ(1, pms_version_.minor);
}
} // namespace nss_test


@ -109,7 +109,7 @@ class TlsSkipTest
};
TEST_P(TlsSkipTest, SkipCertificateRsa) {
DisableDheAndEcdheCiphers();
DisableDheCiphers();
ServerSkipTest(new TlsHandshakeSkipFilter(kTlsHandshakeCertificate));
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
}
@ -120,6 +120,7 @@ TEST_P(TlsSkipTest, SkipCertificateDhe) {
}
TEST_P(TlsSkipTest, SkipCertificateEcdhe) {
EnableSomeEcdheCiphers();
ServerSkipTest(new TlsHandshakeSkipFilter(kTlsHandshakeCertificate));
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
}
@ -131,6 +132,8 @@ TEST_P(TlsSkipTest, SkipCertificateEcdsa) {
}
TEST_P(TlsSkipTest, SkipServerKeyExchange) {
// Have to enable some ephemeral suites, or ServerKeyExchange doesn't appear.
EnableSomeEcdheCiphers();
ServerSkipTest(new TlsHandshakeSkipFilter(kTlsHandshakeServerKeyExchange));
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
}
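Review bot: `SkipCertificateRsa` now calls only `DisableDheCiphers()`, so its expectation of a static-RSA handshake (and of `SSL_ERROR_RX_UNEXPECTED_HELLO_DONE` once the Certificate message is dropped) rests on ECDHE suites being off by default, which the `EnableSomeEcdheCiphers()` calls added to the other two tests suggest is the case. That assumption is nowhere stated; if the default cipher set ever enables an ECDHE suite, a ServerKeyExchange would follow the dropped Certificate and the expected error would shift to `SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH`. I would make it explicit with a comment above the call: `// ECDHE suites are off by default, so disabling DHE is enough to force static RSA.` The enclosing `TlsSkipTest` fixture and `ServerSkipTest` helper start outside this hunk.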


@ -125,9 +125,8 @@ static PRStatus DummyListen(PRFileDesc *f, int32_t depth) {
}
static PRStatus DummyShutdown(PRFileDesc *f, int32_t how) {
DummyPrSocket *io = reinterpret_cast<DummyPrSocket *>(f->secret);
io->Reset();
return PR_SUCCESS;
UNIMPLEMENTED();
return PR_FAILURE;
}
// This function does not support peek.
@ -251,12 +250,7 @@ static int32_t DummyReserved(PRFileDesc *f) {
}
DummyPrSocket::~DummyPrSocket() {
Reset();
}
void DummyPrSocket::Reset() {
delete filter_;
peer_ = nullptr;
while (!input_.empty())
{
Packet* front = input_.front();
@ -401,29 +395,6 @@ void Poller::Wait(Event event, DummyPrSocket *adapter, PollTarget *target,
waiters_[adapter] = waiter;
}
void Poller::Cancel(Event event, DummyPrSocket *adapter) {
auto it = waiters_.find(adapter);
Waiter *waiter;
if (it == waiters_.end()) {
return;
}
waiter = it->second;
waiter->targets_[event] = nullptr;
waiter->callbacks_[event] = nullptr;
// Clean up if there are no callbacks.
for (size_t i=0; i<TIMER_EVENT; ++i) {
if (waiter->callbacks_[i])
return;
}
delete waiter;
waiters_.erase(adapter);
}
void Poller::SetTimer(uint32_t timer_ms, PollTarget *target, PollCallback cb,
Timer **timer) {
Timer *t = new Timer(PR_Now() + timer_ms * 1000, target, cb);
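Review bot: With `Poller::Cancel` removed, nothing takes a `waiters_` entry out when its `DummyPrSocket` is destroyed, so an adapter deleted while a `READABLE_EVENT` wait is still registered leaves a dangling key and callback target in `waiters_`; whether that is reachable depends on the Poller's lifetime across tests, which is not visible here. The new `DummyShutdown` also turns shutdown into a hard `PR_FAILURE` through `UNIMPLEMENTED()`, so any caller that shuts a socket down before closing it now fails where it previously reset the adapter. At minimum I would document both: above `DummyShutdown`, `// Shutdown is unsupported on this transport and always fails.`, and above the destructor, `// NOTE: the Poller is not told this adapter is going away; destroy only with no wait pending.` The destructor body and `Poller::SetTimer` continue outside the hunk.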


@ -50,9 +50,8 @@ class DummyPrSocket {
static DummyPrSocket* GetAdapter(PRFileDesc* fd);
void SetPeer(DummyPrSocket* peer) { peer_ = peer; }
void SetPacketFilter(PacketFilter* filter) { filter_ = filter; }
// Drops peer, packet filter and any outstanding packets.
void Reset();
void PacketReceived(const DataBuffer& data);
int32_t Read(void* data, int32_t len);
@ -103,7 +102,6 @@ class Poller {
void Wait(Event event, DummyPrSocket* adapter, PollTarget* target,
PollCallback cb);
void Cancel(Event event, DummyPrSocket* adapter);
void SetTimer(uint32_t timer_ms, PollTarget* target, PollCallback cb,
Timer** handle);
bool Poll();


@ -17,53 +17,8 @@
namespace nss_test {
const char* TlsAgent::states[] = {"INIT", "CONNECTING", "CONNECTED", "ERROR"};
TlsAgent::TlsAgent(const std::string& name, Role role, Mode mode, SSLKEAType kea)
: name_(name),
mode_(mode),
kea_(kea),
pr_fd_(nullptr),
adapter_(nullptr),
ssl_fd_(nullptr),
role_(role),
state_(STATE_INIT),
falsestart_enabled_(false),
expected_version_(0),
expected_cipher_suite_(0),
expect_resumption_(false),
can_falsestart_hook_called_(false),
sni_hook_called_(false),
auth_certificate_hook_called_(false),
handshake_callback_called_(false),
error_code_(0),
send_ctr_(0),
recv_ctr_(0),
expected_read_error_(false) {
memset(&info_, 0, sizeof(info_));
memset(&csinfo_, 0, sizeof(csinfo_));
SECStatus rv = SSL_VersionRangeGetDefault(mode_ == STREAM ?
ssl_variant_stream : ssl_variant_datagram,
&vrange_);
EXPECT_EQ(SECSuccess, rv);
}
TlsAgent::~TlsAgent() {
if (adapter_) {
Poller::Instance()->Cancel(READABLE_EVENT, adapter_);
}
if (pr_fd_) {
PR_Close(pr_fd_);
}
if (ssl_fd_) {
PR_Close(ssl_fd_);
}
}
bool TlsAgent::EnsureTlsSetup() {
// Don't set up twice
if (ssl_fd_) return true;
@ -94,7 +49,8 @@ bool TlsAgent::EnsureTlsSetup() {
SECKEY_DestroyPrivateKey(priv);
CERT_DestroyCertificate(cert);
rv = SSL_SNISocketConfigHook(ssl_fd_, SniHook, this);
rv = SSL_SNISocketConfigHook(ssl_fd_, SniHook,
reinterpret_cast<void*>(this));
EXPECT_EQ(SECSuccess, rv); // don't abort, just fail
} else {
SECStatus rv = SSL_SetURL(ssl_fd_, "server");
@ -106,87 +62,49 @@ bool TlsAgent::EnsureTlsSetup() {
EXPECT_EQ(SECSuccess, rv);
if (rv != SECSuccess) return false;
rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook, this);
EXPECT_EQ(SECSuccess, rv);
if (rv != SECSuccess) return false;
rv = SSL_HandshakeCallback(ssl_fd_, HandshakeCallback, this);
rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook,
reinterpret_cast<void*>(this));
EXPECT_EQ(SECSuccess, rv);
if (rv != SECSuccess) return false;
return true;
}
void TlsAgent::SetupClientAuth() {
EXPECT_TRUE(EnsureTlsSetup());
ASSERT_EQ(CLIENT, role_);
EXPECT_EQ(SECSuccess,
SSL_GetClientAuthDataHook(ssl_fd_, GetClientAuthDataHook,
reinterpret_cast<void*>(this)));
}
bool TlsAgent::GetClientAuthCredentials(CERTCertificate **cert,
SECKEYPrivateKey **priv) const {
*cert = PK11_FindCertFromNickname(name_.c_str(), nullptr);
EXPECT_NE(nullptr, *cert);
if (!*cert) return false;
*priv = PK11_FindKeyByAnyCert(*cert, nullptr);
EXPECT_NE(nullptr, *priv);
if (!*priv) return false; // Leak cert.
return true;
}
SECStatus TlsAgent::GetClientAuthDataHook(void* self, PRFileDesc* fd,
CERTDistNames* caNames,
CERTCertificate** cert,
SECKEYPrivateKey** privKey) {
TlsAgent* agent = reinterpret_cast<TlsAgent*>(self);
if (agent->GetClientAuthCredentials(cert, privKey)) {
return SECSuccess;
}
return SECFailure;
}
void TlsAgent::RequestClientAuth(bool requireAuth) {
EXPECT_TRUE(EnsureTlsSetup());
ASSERT_EQ(SERVER, role_);
EXPECT_EQ(SECSuccess,
SSL_OptionSet(ssl_fd_, SSL_REQUEST_CERTIFICATE, PR_TRUE));
EXPECT_EQ(SECSuccess,
SSL_OptionSet(ssl_fd_, SSL_REQUIRE_CERTIFICATE,
requireAuth ? PR_TRUE : PR_FALSE));
EXPECT_EQ(SECSuccess,
SSL_AuthCertificateHook(ssl_fd_, &TlsAgent::ClientAuthenticated,
this));
expect_client_auth_ = true;
}
void TlsAgent::StartConnect() {
EXPECT_TRUE(EnsureTlsSetup());
SECStatus rv;
rv = SSL_ResetHandshake(ssl_fd_, role_ == SERVER ? PR_TRUE : PR_FALSE);
EXPECT_EQ(SECSuccess, rv);
SetState(STATE_CONNECTING);
SetState(CONNECTING);
}
void TlsAgent::DisableCiphersByKeyExchange(SSLKEAType kea) {
void TlsAgent::EnableSomeEcdheCiphers() {
EXPECT_TRUE(EnsureTlsSetup());
for (size_t i = 0; i < SSL_NumImplementedCiphers; ++i) {
const uint32_t EcdheCiphers[] = {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA};
for (size_t i = 0; i < PR_ARRAY_SIZE(EcdheCiphers); ++i) {
SECStatus rv = SSL_CipherPrefSet(ssl_fd_, EcdheCiphers[i], PR_TRUE);
EXPECT_EQ(SECSuccess, rv);
}
}
void TlsAgent::DisableDheCiphers() {
EXPECT_TRUE(EnsureTlsSetup());
for (size_t i=0; i < SSL_NumImplementedCiphers; ++i) {
SSLCipherSuiteInfo csinfo;
SECStatus rv = SSL_GetCipherSuiteInfo(SSL_ImplementedCiphers[i],
&csinfo, sizeof(csinfo));
ASSERT_EQ(SECSuccess, rv);
if (csinfo.keaType == kea) {
if (csinfo.keaType == ssl_kea_dh) {
rv = SSL_CipherPrefSet(ssl_fd_, SSL_ImplementedCiphers[i], PR_FALSE);
EXPECT_EQ(SECSuccess, rv);
}
@ -219,77 +137,19 @@ void TlsAgent::SetVersionRange(uint16_t minver, uint16_t maxver) {
}
}
void TlsAgent::SetExpectedVersion(uint16_t version) {
expected_version_ = version;
}
void TlsAgent::SetExpectedReadError(bool err) {
expected_read_error_ = err;
}
void TlsAgent::SetSignatureAlgorithms(const SSLSignatureAndHashAlg* algorithms,
size_t count) {
EXPECT_TRUE(EnsureTlsSetup());
EXPECT_LE(count, SSL_SignatureMaxCount());
EXPECT_EQ(SECSuccess, SSL_SignaturePrefSet(ssl_fd_, algorithms,
static_cast<unsigned int>(count)));
EXPECT_EQ(SECFailure, SSL_SignaturePrefSet(ssl_fd_, algorithms, 0))
<< "setting no algorithms should fail and do nothing";
unsigned int configuredCount;
SSLSignatureAndHashAlg configuredAlgorithms[count];
EXPECT_EQ(SECFailure,
SSL_SignaturePrefGet(ssl_fd_, nullptr, &configuredCount, 1))
<< "get algorithms, algorithms is nullptr";
EXPECT_EQ(SECFailure,
SSL_SignaturePrefGet(ssl_fd_, configuredAlgorithms,
&configuredCount, 0))
<< "get algorithms, too little space";
EXPECT_EQ(SECFailure,
SSL_SignaturePrefGet(ssl_fd_, configuredAlgorithms, nullptr,
PR_ARRAY_SIZE(configuredAlgorithms)))
<< "get algorithms, algCountOut is nullptr";
EXPECT_EQ(SECSuccess,
SSL_SignaturePrefGet(ssl_fd_, configuredAlgorithms,
&configuredCount,
PR_ARRAY_SIZE(configuredAlgorithms)));
// SignaturePrefSet drops unsupported algorithms silently, so the number that
// are configured might be fewer.
EXPECT_LE(configuredCount, count);
unsigned int i = 0;
for (unsigned int j = 0; j < count && i < configuredCount; ++j) {
if (i < configuredCount &&
algorithms[j].hashAlg == configuredAlgorithms[i].hashAlg &&
algorithms[j].sigAlg == configuredAlgorithms[i].sigAlg) {
++i;
}
}
EXPECT_EQ(i, configuredCount) << "algorithms in use were all set";
}
void TlsAgent::CheckKEAType(SSLKEAType type) const {
EXPECT_EQ(STATE_CONNECTED, state_);
EXPECT_EQ(CONNECTED, state_);
EXPECT_EQ(type, csinfo_.keaType);
}
void TlsAgent::CheckAuthType(SSLAuthType type) const {
EXPECT_EQ(STATE_CONNECTED, state_);
EXPECT_EQ(CONNECTED, state_);
EXPECT_EQ(type, csinfo_.authAlgorithm);
}
void TlsAgent::EnableFalseStart() {
EXPECT_TRUE(EnsureTlsSetup());
falsestart_enabled_ = true;
EXPECT_EQ(SECSuccess,
SSL_SetCanFalseStartCallback(ssl_fd_, CanFalseStartCallback, this));
EXPECT_EQ(SECSuccess,
SSL_OptionSet(ssl_fd_, SSL_ENABLE_FALSE_START, PR_TRUE));
}
void TlsAgent::ExpectResumption() {
expect_resumption_ = true;
void TlsAgent::CheckVersion(uint16_t version) const {
EXPECT_EQ(CONNECTED, state_);
EXPECT_EQ(version, info_.protocolVersion);
}
void TlsAgent::EnableAlpn(const uint8_t* val, size_t len) {
@ -300,7 +160,7 @@ void TlsAgent::EnableAlpn(const uint8_t* val, size_t len) {
}
void TlsAgent::CheckAlpn(SSLNextProtoState expected_state,
const std::string& expected) const {
const std::string& expected) {
SSLNextProtoState state;
char chosen[10];
unsigned int chosen_len;
@ -319,114 +179,31 @@ void TlsAgent::EnableSrtp() {
};
EXPECT_EQ(SECSuccess, SSL_SetSRTPCiphers(ssl_fd_, ciphers,
PR_ARRAY_SIZE(ciphers)));
}
void TlsAgent::CheckSrtp() const {
void TlsAgent::CheckSrtp() {
uint16_t actual;
EXPECT_EQ(SECSuccess, SSL_GetSRTPCipher(ssl_fd_, &actual));
EXPECT_EQ(SRTP_AES128_CM_HMAC_SHA1_80, actual);
}
void TlsAgent::CheckErrorCode(int32_t expected) const {
EXPECT_EQ(STATE_ERROR, state_);
EXPECT_EQ(ERROR, state_);
EXPECT_EQ(expected, error_code_);
}
void TlsAgent::CheckPreliminaryInfo() {
SSLPreliminaryChannelInfo info;
EXPECT_EQ(SECSuccess,
SSL_GetPreliminaryChannelInfo(ssl_fd_, &info, sizeof(info)));
EXPECT_TRUE(info.valuesSet & ssl_preinfo_version);
EXPECT_TRUE(info.valuesSet & ssl_preinfo_cipher_suite);
// A version of 0 is invalid and indicates no expectation. This value is
// initialized to 0 so that tests that don't explicitly set an expected
// version can negotiate a version.
if (!expected_version_) {
expected_version_ = info.protocolVersion;
}
EXPECT_EQ(expected_version_, info.protocolVersion);
// As with the version; 0 is the null cipher suite (and also invalid).
if (!expected_cipher_suite_) {
expected_cipher_suite_ = info.cipherSuite;
}
EXPECT_EQ(expected_cipher_suite_, info.cipherSuite);
}
// Check that all the expected callbacks have been called.
void TlsAgent::CheckCallbacks() const {
// If false start happens, the handshake is reported as being complete at the
// point that false start happens.
if (expect_resumption_ || !falsestart_enabled_) {
EXPECT_TRUE(handshake_callback_called_);
}
// These callbacks shouldn't fire if we are resuming.
if (role_ == SERVER) {
EXPECT_EQ(!expect_resumption_, sni_hook_called_);
} else {
EXPECT_EQ(!expect_resumption_, auth_certificate_hook_called_);
// Note that this isn't unconditionally called, even with false start on.
// But the callback is only skipped if a cipher that is ridiculously weak
// (80 bits) is chosen. Don't test that: plan to remove bad ciphers.
EXPECT_EQ(falsestart_enabled_ && !expect_resumption_,
can_falsestart_hook_called_);
}
}
void TlsAgent::Connected() {
LOG("Handshake success");
CheckCallbacks();
SECStatus rv = SSL_GetChannelInfo(ssl_fd_, &info_, sizeof(info_));
EXPECT_EQ(SECSuccess, rv);
// Preliminary values are exposed through callbacks during the handshake.
// If either expected values were set or the callbacks were called, check
// that the final values are correct.
EXPECT_EQ(expected_version_, info_.protocolVersion);
EXPECT_EQ(expected_cipher_suite_, info_.cipherSuite);
rv = SSL_GetCipherSuiteInfo(info_.cipherSuite, &csinfo_, sizeof(csinfo_));
EXPECT_EQ(SECSuccess, rv);
SetState(STATE_CONNECTED);
}
void TlsAgent::EnableExtendedMasterSecret() {
ASSERT_TRUE(EnsureTlsSetup());
SECStatus rv = SSL_OptionSet(ssl_fd_,
SSL_ENABLE_EXTENDED_MASTER_SECRET,
PR_TRUE);
ASSERT_EQ(SECSuccess, rv);
}
void TlsAgent::CheckExtendedMasterSecret(bool expected) {
ASSERT_EQ(expected, info_.extendedMasterSecretUsed)
<< "unexpected extended master secret state for " << name_;
}
void TlsAgent::DisableRollbackDetection() {
ASSERT_TRUE(EnsureTlsSetup());
SECStatus rv = SSL_OptionSet(ssl_fd_,
SSL_ROLLBACK_DETECTION,
PR_FALSE);
ASSERT_EQ(SECSuccess, rv);
}
void TlsAgent::Handshake() {
SECStatus rv = SSL_ForceHandshake(ssl_fd_);
if (rv == SECSuccess) {
Connected();
LOG("Handshake success");
SECStatus rv = SSL_GetChannelInfo(ssl_fd_, &info_, sizeof(info_));
EXPECT_EQ(SECSuccess, rv);
Poller::Instance()->Wait(READABLE_EVENT, adapter_, this,
&TlsAgent::ReadableCallback);
rv = SSL_GetCipherSuiteInfo(info_.cipherSuite, &csinfo_, sizeof(csinfo_));
EXPECT_EQ(SECSuccess, rv);
SetState(CONNECTED);
return;
}
@ -443,81 +220,13 @@ void TlsAgent::Handshake() {
// TODO(ekr@rtfm.com): needs special case for DTLS
case SSL_ERROR_RX_MALFORMED_HANDSHAKE:
default:
if (IS_SSL_ERROR(err)) {
LOG("Handshake failed with SSL error " << err - SSL_ERROR_BASE);
} else {
LOG("Handshake failed with error " << err);
}
LOG("Handshake failed with error " << err);
error_code_ = err;
SetState(STATE_ERROR);
SetState(ERROR);
return;
}
}
void TlsAgent::PrepareForRenegotiate() {
EXPECT_EQ(STATE_CONNECTED, state_);
SetState(STATE_CONNECTING);
}
void TlsAgent::StartRenegotiate() {
PrepareForRenegotiate();
SECStatus rv = SSL_ReHandshake(ssl_fd_, PR_TRUE);
EXPECT_EQ(SECSuccess, rv);
}
void TlsAgent::SendData(size_t bytes, size_t blocksize) {
uint8_t block[4096];
ASSERT_LT(blocksize, sizeof(block));
while(bytes) {
size_t tosend = std::min(blocksize, bytes);
for(size_t i = 0; i < tosend; ++i) {
block[i] = 0xff & send_ctr_;
++send_ctr_;
}
LOG("Writing " << tosend << " bytes");
int32_t rv = PR_Write(ssl_fd_, block, tosend);
ASSERT_EQ(tosend, static_cast<size_t>(rv));
bytes -= tosend;
}
}
void TlsAgent::ReadBytes() {
uint8_t block[1024];
LOG("Reading application data from socket");
int32_t rv = PR_Read(ssl_fd_, block, sizeof(block));
int32_t err = PR_GetError();
if (err != PR_WOULD_BLOCK_ERROR) {
if (expected_read_error_) {
error_code_ = err;
} else {
ASSERT_LE(0, rv);
size_t count = static_cast<size_t>(rv);
LOG("Read " << count << " bytes");
for (size_t i = 0; i < count; ++i) {
ASSERT_EQ(recv_ctr_ & 0xff, block[i]);
recv_ctr_++;
}
}
}
Poller::Instance()->Wait(READABLE_EVENT, adapter_, this,
&TlsAgent::ReadableCallback);
}
void TlsAgent::ResetSentBytes() {
send_ctr_ = 0;
}
void TlsAgent::ConfigureSessionCache(SessionResumptionMode mode) {
EXPECT_TRUE(EnsureTlsSetup());
@ -534,39 +243,5 @@ void TlsAgent::ConfigureSessionCache(SessionResumptionMode mode) {
EXPECT_EQ(SECSuccess, rv);
}
static const std::string kTlsRolesAllArr[] = {"CLIENT", "SERVER"};
::testing::internal::ParamGenerator<std::string>
TlsAgentTestBase::kTlsRolesAll = ::testing::ValuesIn(kTlsRolesAllArr);
void TlsAgentTestBase::Init() {
agent_ = new TlsAgent(
role_ == TlsAgent::CLIENT ? "client" : "server",
role_, mode_, kea_);
agent_->Init();
fd_ = DummyPrSocket::CreateFD("dummy", mode_);
agent_->adapter()->SetPeer(
DummyPrSocket::GetAdapter(fd_));
agent_->StartConnect();
}
void TlsAgentTestBase::EnsureInit() {
if (!agent_) {
Init();
}
}
void TlsAgentTestBase::ProcessMessage(const DataBuffer& buffer,
TlsAgent::State expected_state,
int32_t error_code) {
EnsureInit();
agent_->adapter()->PacketReceived(buffer);
agent_->Handshake();
ASSERT_EQ(expected_state, agent_->state());
if (expected_state == TlsAgent::STATE_ERROR) {
ASSERT_EQ(error_code, agent_->error_code());
}
}
} // namespace nss_test


@ -31,10 +31,35 @@ enum SessionResumptionMode {
class TlsAgent : public PollTarget {
public:
enum Role { CLIENT, SERVER };
enum State { STATE_INIT, STATE_CONNECTING, STATE_CONNECTED, STATE_ERROR };
enum State { INIT, CONNECTING, CONNECTED, ERROR };
TlsAgent(const std::string& name, Role role, Mode mode, SSLKEAType kea);
virtual ~TlsAgent();
TlsAgent(const std::string& name, Role role, Mode mode, SSLKEAType kea)
: name_(name),
mode_(mode),
kea_(kea),
pr_fd_(nullptr),
adapter_(nullptr),
ssl_fd_(nullptr),
role_(role),
state_(INIT),
error_code_(0) {
memset(&info_, 0, sizeof(info_));
memset(&csinfo_, 0, sizeof(csinfo_));
SECStatus rv = SSL_VersionRangeGetDefault(mode_ == STREAM ?
ssl_variant_stream : ssl_variant_datagram,
&vrange_);
EXPECT_EQ(SECSuccess, rv);
}
~TlsAgent() {
if (pr_fd_) {
PR_Close(pr_fd_);
}
if (ssl_fd_) {
PR_Close(ssl_fd_);
}
}
bool Init() {
pr_fd_ = DummyPrSocket::CreateFD(name_, mode_);
@ -56,43 +81,23 @@ class TlsAgent : public PollTarget {
void StartConnect();
void CheckKEAType(SSLKEAType type) const;
void CheckAuthType(SSLAuthType type) const;
void CheckVersion(uint16_t version) const;
void Handshake();
// Marks the internal state as CONNECTING in anticipation of renegotiation.
void PrepareForRenegotiate();
// Prepares for renegotiation, then actually triggers it.
void StartRenegotiate();
void DisableCiphersByKeyExchange(SSLKEAType kea);
void EnableSomeEcdheCiphers();
void DisableDheCiphers();
bool EnsureTlsSetup();
void SetupClientAuth();
void RequestClientAuth(bool requireAuth);
bool GetClientAuthCredentials(CERTCertificate** cert,
SECKEYPrivateKey** priv) const;
void ConfigureSessionCache(SessionResumptionMode mode);
void SetSessionTicketsEnabled(bool en);
void SetSessionCacheEnabled(bool en);
void SetVersionRange(uint16_t minver, uint16_t maxver);
void CheckPreliminaryInfo();
void SetExpectedVersion(uint16_t version);
void SetExpectedReadError(bool err);
void EnableFalseStart();
void ExpectResumption();
void SetSignatureAlgorithms(const SSLSignatureAndHashAlg* algorithms,
size_t count);
void EnableAlpn(const uint8_t* val, size_t len);
void CheckAlpn(SSLNextProtoState expected_state,
const std::string& expected) const;
const std::string& expected);
void EnableSrtp();
void CheckSrtp() const;
void CheckSrtp();
void CheckErrorCode(int32_t expected) const;
void SendData(size_t bytes, size_t blocksize = 1024);
void ReadBytes();
void ResetSentBytes(); // Hack to test drops.
void EnableExtendedMasterSecret();
void CheckExtendedMasterSecret(bool expected);
void DisableRollbackDetection();
State state() const { return state_; }
@ -101,24 +106,33 @@ class TlsAgent : public PollTarget {
const char* state_str(State state) const { return states[state]; }
PRFileDesc* ssl_fd() { return ssl_fd_; }
DummyPrSocket* adapter() { return adapter_; }
uint16_t min_version() const { return vrange_.min; }
uint16_t max_version() const { return vrange_.max; }
bool version(uint16_t* version) const {
if (state_ != CONNECTED) return false;
*version = info_.protocolVersion;
return true;
}
uint16_t version() const {
EXPECT_EQ(STATE_CONNECTED, state_);
EXPECT_EQ(CONNECTED, state_);
return info_.protocolVersion;
}
bool cipher_suite(int16_t* cipher_suite) const {
if (state_ != STATE_CONNECTED) return false;
if (state_ != CONNECTED) return false;
*cipher_suite = info_.cipherSuite;
return true;
}
std::string cipher_suite_name() const {
if (state_ != STATE_CONNECTED) return "UNKNOWN";
if (state_ != CONNECTED) return "UNKNOWN";
return csinfo_.cipherSuiteName;
}
@ -128,9 +142,6 @@ class TlsAgent : public PollTarget {
info_.sessionID + info_.sessionIDLength);
}
size_t received_bytes() const { return recv_ctr_; }
int32_t error_code() const { return error_code_; }
private:
const static char* states[];
@ -145,74 +156,25 @@ class TlsAgent : public PollTarget {
// Dummy auth certificate hook.
static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd,
PRBool checksig, PRBool isServer) {
TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
agent->CheckPreliminaryInfo();
agent->auth_certificate_hook_called_ = true;
return SECSuccess;
}
// Client auth certificate hook.
static SECStatus ClientAuthenticated(void* arg, PRFileDesc* fd,
PRBool checksig, PRBool isServer) {
TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
EXPECT_TRUE(agent->expect_client_auth_);
EXPECT_TRUE(isServer);
return SECSuccess;
}
static SECStatus GetClientAuthDataHook(void* self, PRFileDesc* fd,
CERTDistNames* caNames,
CERTCertificate** cert,
SECKEYPrivateKey** privKey);
static void ReadableCallback(PollTarget* self, Event event) {
TlsAgent* agent = static_cast<TlsAgent*>(self);
agent->ReadableCallback_int();
}
void ReadableCallback_int() {
LOG("Readable");
switch (state_) {
case STATE_CONNECTING:
Handshake();
break;
case STATE_CONNECTED:
ReadBytes();
break;
default:
break;
}
Handshake();
}
static PRInt32 SniHook(PRFileDesc *fd, const SECItem *srvNameArr,
PRUint32 srvNameArrSize,
void *arg) {
TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
agent->CheckPreliminaryInfo();
agent->sni_hook_called_ = true;
return SSL_SNI_CURRENT_CONFIG_IS_USED;
}
static SECStatus CanFalseStartCallback(PRFileDesc *fd, void *arg,
PRBool *canFalseStart) {
TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
agent->CheckPreliminaryInfo();
EXPECT_TRUE(agent->falsestart_enabled_);
agent->can_falsestart_hook_called_ = true;
*canFalseStart = true;
return SECSuccess;
}
static void HandshakeCallback(PRFileDesc *fd, void *arg) {
TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
agent->CheckPreliminaryInfo();
agent->handshake_callback_called_ = true;
}
void CheckCallbacks() const;
void Connected();
const std::string name_;
Mode mode_;
SSLKEAType kea_;
@ -221,73 +183,10 @@ class TlsAgent : public PollTarget {
PRFileDesc* ssl_fd_;
Role role_;
State state_;
bool falsestart_enabled_;
uint16_t expected_version_;
uint16_t expected_cipher_suite_;
bool expect_resumption_;
bool expect_client_auth_;
bool can_falsestart_hook_called_;
bool sni_hook_called_;
bool auth_certificate_hook_called_;
bool handshake_callback_called_;
SSLChannelInfo info_;
SSLCipherSuiteInfo csinfo_;
SSLVersionRange vrange_;
int32_t error_code_;
size_t send_ctr_;
size_t recv_ctr_;
bool expected_read_error_;
};
class TlsAgentTestBase : public ::testing::Test {
public:
static ::testing::internal::ParamGenerator<std::string> kTlsRolesAll;
TlsAgentTestBase(TlsAgent::Role role,
Mode mode) : agent_(nullptr),
fd_(nullptr),
role_(role),
mode_(mode),
kea_(ssl_kea_rsa) {}
~TlsAgentTestBase() {
delete agent_;
if (fd_) {
PR_Close(fd_);
}
}
static inline TlsAgent::Role ToRole(const std::string& str) {
return str == "CLIENT" ? TlsAgent::CLIENT : TlsAgent::SERVER;
}
static inline Mode ToMode(const std::string& str) {
return str == "TLS" ? STREAM : DGRAM;
}
void Init();
protected:
void EnsureInit();
void ProcessMessage(const DataBuffer& buffer,
TlsAgent::State expected_state,
int32_t error_code = 0);
TlsAgent* agent_;
PRFileDesc* fd_;
TlsAgent::Role role_;
Mode mode_;
SSLKEAType kea_;
};
class TlsAgentTest :
public TlsAgentTestBase,
public ::testing::WithParamInterface
<std::tuple<std::string,std::string>> {
public:
TlsAgentTest() :
TlsAgentTestBase(ToRole(std::get<0>(GetParam())),
ToMode(std::get<1>(GetParam()))) {}
};
} // namespace nss_test
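Review bot: The restored `enum State { INIT, CONNECTING, CONNECTED, ERROR };` in class TlsAgent names an enumerator `ERROR`, which is also an object-like macro defined by wingdi.h on Windows builds, so on that platform the declaration either fails to compile or `ERROR` silently expands to a literal 0 and no longer denotes the fourth state. Because macro expansion ignores scope, `enum class` does not help; the enumerator needs a distinct spelling, e.g. `STATE_ERROR` with matching siblings, as the change under backout had. The `states[]` string table, `state_str`, `ReadableCallback_int`, and the comparisons in tls_connect.cc all use the bare names, so the rename has to be applied together.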


@ -24,9 +24,6 @@ static const std::string kTlsModesAllArr[] = {"TLS", "DTLS"};
static const uint16_t kTlsV10Arr[] = {SSL_LIBRARY_VERSION_TLS_1_0};
::testing::internal::ParamGenerator<uint16_t>
TlsConnectTestBase::kTlsV10 = ::testing::ValuesIn(kTlsV10Arr);
static const uint16_t kTlsV11Arr[] = {SSL_LIBRARY_VERSION_TLS_1_1};
::testing::internal::ParamGenerator<uint16_t>
TlsConnectTestBase::kTlsV11 = ::testing::ValuesIn(kTlsV11Arr);
static const uint16_t kTlsV11V12Arr[] = {SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_2};
::testing::internal::ParamGenerator<uint16_t>
@ -58,13 +55,13 @@ TlsConnectTestBase::TlsConnectTestBase(Mode mode, uint16_t version)
client_(new TlsAgent("client", TlsAgent::CLIENT, mode_, ssl_kea_rsa)),
server_(new TlsAgent("server", TlsAgent::SERVER, mode_, ssl_kea_rsa)),
version_(version),
expected_resumption_mode_(RESUME_NONE),
session_ids_(),
expect_extended_master_secret_(false) {
session_ids_() {
std::cerr << "Version: " << mode_ << " " << VersionString(version_) << std::endl;
}
TlsConnectTestBase::~TlsConnectTestBase() {
delete client_;
delete server_;
}
void TlsConnectTestBase::SetUp() {
@ -79,8 +76,8 @@ void TlsConnectTestBase::SetUp() {
}
void TlsConnectTestBase::TearDown() {
delete client_;
delete server_;
client_ = nullptr;
server_ = nullptr;
SSL_ClearSessionCache();
SSL_ShutdownServerSessionIDCache();
@ -115,14 +112,7 @@ void TlsConnectTestBase::ResetRsa() {
void TlsConnectTestBase::ResetEcdsa() {
Reset("ecdsa", ssl_kea_ecdh);
}
void TlsConnectTestBase::ExpectResumption(SessionResumptionMode expected) {
expected_resumption_mode_ = expected;
if (expected != RESUME_NONE) {
client_->ExpectResumption();
server_->ExpectResumption();
}
EnableSomeEcdheCiphers();
}
void TlsConnectTestBase::EnsureTlsSetup() {
@ -131,36 +121,28 @@ void TlsConnectTestBase::EnsureTlsSetup() {
}
void TlsConnectTestBase::Handshake() {
server_->StartConnect();
client_->StartConnect();
client_->Handshake();
server_->Handshake();
ASSERT_TRUE_WAIT((client_->state() != TlsAgent::STATE_CONNECTING) &&
(server_->state() != TlsAgent::STATE_CONNECTING),
ASSERT_TRUE_WAIT((client_->state() != TlsAgent::CONNECTING) &&
(server_->state() != TlsAgent::CONNECTING),
5000);
}
void TlsConnectTestBase::EnableExtendedMasterSecret() {
client_->EnableExtendedMasterSecret();
server_->EnableExtendedMasterSecret();
ExpectExtendedMasterSecret(true);
}
void TlsConnectTestBase::Connect() {
server_->StartConnect();
client_->StartConnect();
Handshake();
CheckConnected();
}
void TlsConnectTestBase::CheckConnected() {
// Check the version is as expected
EXPECT_EQ(client_->version(), server_->version());
EXPECT_EQ(std::min(client_->max_version(),
server_->max_version()),
client_->version());
EXPECT_EQ(TlsAgent::STATE_CONNECTED, client_->state());
EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
EXPECT_EQ(TlsAgent::CONNECTED, client_->state());
EXPECT_EQ(TlsAgent::CONNECTED, server_->state());
int16_t cipher_suite1, cipher_suite2;
bool ret = client_->cipher_suite(&cipher_suite1);
@ -180,39 +162,23 @@ void TlsConnectTestBase::CheckConnected() {
EXPECT_EQ(32U, sid_s1.size());
EXPECT_EQ(sid_c1, sid_s1);
session_ids_.push_back(sid_c1);
CheckResumption(expected_resumption_mode_);
// Check whether the extended master secret extension was negotiated.
CheckExtendedMasterSecret();
}
void TlsConnectTestBase::ConnectExpectFail() {
server_->StartConnect();
client_->StartConnect();
Handshake();
ASSERT_EQ(TlsAgent::STATE_ERROR, client_->state());
ASSERT_EQ(TlsAgent::STATE_ERROR, server_->state());
ASSERT_EQ(TlsAgent::ERROR, client_->state());
ASSERT_EQ(TlsAgent::ERROR, server_->state());
}
void TlsConnectTestBase::SetExpectedVersion(uint16_t version) {
client_->SetExpectedVersion(version);
server_->SetExpectedVersion(version);
void TlsConnectTestBase::EnableSomeEcdheCiphers() {
client_->EnableSomeEcdheCiphers();
server_->EnableSomeEcdheCiphers();
}
void TlsConnectTestBase::DisableDheCiphers() {
client_->DisableCiphersByKeyExchange(ssl_kea_dh);
server_->DisableCiphersByKeyExchange(ssl_kea_dh);
}
void TlsConnectTestBase::DisableEcdheCiphers() {
client_->DisableCiphersByKeyExchange(ssl_kea_ecdh);
server_->DisableCiphersByKeyExchange(ssl_kea_ecdh);
}
void TlsConnectTestBase::DisableDheAndEcdheCiphers() {
DisableDheCiphers();
DisableEcdheCiphers();
client_->DisableDheCiphers();
server_->DisableDheCiphers();
}
void TlsConnectTestBase::ConfigureSessionCache(SessionResumptionMode client,
@ -257,39 +223,13 @@ void TlsConnectTestBase::EnableSrtp() {
server_->EnableSrtp();
}
void TlsConnectTestBase::CheckSrtp() const {
void TlsConnectTestBase::CheckSrtp() {
client_->CheckSrtp();
server_->CheckSrtp();
}
void TlsConnectTestBase::SendReceive() {
client_->SendData(50);
server_->SendData(50);
WAIT_(client_->received_bytes() == 50U &&
server_->received_bytes() == 50U, 2000);
ASSERT_EQ(50U, client_->received_bytes());
ASSERT_EQ(50U, server_->received_bytes());
}
void TlsConnectTestBase::ExpectExtendedMasterSecret(bool expected) {
expect_extended_master_secret_ = expected;
}
void TlsConnectTestBase::CheckExtendedMasterSecret() {
client_->CheckExtendedMasterSecret(expect_extended_master_secret_);
server_->CheckExtendedMasterSecret(expect_extended_master_secret_);
}
TlsConnectGeneric::TlsConnectGeneric()
: TlsConnectTestBase(TlsConnectTestBase::ToMode(std::get<0>(GetParam())),
std::get<1>(GetParam())) {}
TlsConnectPre12::TlsConnectPre12()
: TlsConnectTestBase(TlsConnectTestBase::ToMode(std::get<0>(GetParam())),
std::get<1>(GetParam())) {}
TlsConnectTls12::TlsConnectTls12()
: TlsConnectTestBase(TlsConnectTestBase::ToMode(GetParam()),
SSL_LIBRARY_VERSION_TLS_1_2) {}
} // namespace nss_test
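Review bot: In CheckConnected the negotiated suites are read into `int16_t cipher_suite1, cipher_suite2;`, but TLS cipher-suite codes are unsigned 16-bit values and the ECDHE suites (0xC0xx) do not fit a signed 16-bit type, so the comparison relies on the implementation-defined narrowing of `info_.cipherSuite` done by `TlsAgent::cipher_suite(int16_t*)` in tls_agent.h. Both sides are narrowed the same way, so the client/server equality check still passes, but any later comparison against an `SSL_*` suite constant would fail. `uint16_t` on these locals and on the accessor's out-parameter is the matching type. The rest of CheckConnected continues past the hunk.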


@ -24,7 +24,6 @@ class TlsConnectTestBase : public ::testing::Test {
static ::testing::internal::ParamGenerator<std::string> kTlsModesStream;
static ::testing::internal::ParamGenerator<std::string> kTlsModesAll;
static ::testing::internal::ParamGenerator<uint16_t> kTlsV10;
static ::testing::internal::ParamGenerator<uint16_t> kTlsV11;
static ::testing::internal::ParamGenerator<uint16_t> kTlsV11V12;
static ::testing::internal::ParamGenerator<uint16_t> kTlsV12Plus;
@ -52,40 +51,27 @@ class TlsConnectTestBase : public ::testing::Test {
void Handshake();
// Connect and check that it works.
void Connect();
// Check that the connection was successfully established.
void CheckConnected();
// Connect and expect it to fail.
void ConnectExpectFail();
void SetExpectedVersion(uint16_t version);
// Expect resumption of a particular type.
void ExpectResumption(SessionResumptionMode expected);
void DisableDheAndEcdheCiphers();
void EnableSomeEcdheCiphers();
void DisableDheCiphers();
void DisableEcdheCiphers();
void EnableExtendedMasterSecret();
void ConfigureSessionCache(SessionResumptionMode client,
SessionResumptionMode server);
void CheckResumption(SessionResumptionMode expected);
void EnableAlpn();
void EnableSrtp();
void CheckSrtp() const;
void SendReceive();
void ExpectExtendedMasterSecret(bool expected);
void CheckSrtp();
protected:
Mode mode_;
TlsAgent* client_;
TlsAgent* server_;
uint16_t version_;
SessionResumptionMode expected_resumption_mode_;
std::vector<std::vector<uint8_t>> session_ids_;
private:
void Reset(const std::string& server_name, SSLKEAType kea);
void CheckResumption(SessionResumptionMode expected);
void CheckExtendedMasterSecret();
bool expect_extended_master_secret_;
};
// A TLS-only test base.
@ -112,22 +98,6 @@ class TlsConnectGeneric
TlsConnectGeneric();
};
// A Pre TLS 1.2 generic test.
class TlsConnectPre12
: public TlsConnectTestBase,
public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
public:
TlsConnectPre12();
};
// A TLS 1.2 only generic test.
class TlsConnectTls12
: public TlsConnectTestBase,
public ::testing::WithParamInterface<std::string> {
public:
TlsConnectTls12();
};
} // namespace nss_test
#endif


@ -187,18 +187,6 @@ bool TlsInspectorRecordHandshakeMessage::FilterHandshake(
return false;
}
bool TlsInspectorReplaceHandshakeMessage::FilterHandshake(
uint16_t version, uint8_t handshake_type,
const DataBuffer& input, DataBuffer* output) {
if (handshake_type == handshake_type_) {
*output = buffer_;
return true;
}
return false;
}
bool TlsAlertRecorder::FilterRecord(uint8_t content_type, uint16_t version,
const DataBuffer& input, DataBuffer* output) {
if (level_ == kTlsAlertFatal) { // already fatal


@ -75,21 +75,6 @@ class TlsInspectorRecordHandshakeMessage : public TlsHandshakeFilter {
DataBuffer buffer_;
};
// Replace all instances of a handshake message.
class TlsInspectorReplaceHandshakeMessage : public TlsHandshakeFilter {
public:
TlsInspectorReplaceHandshakeMessage(uint8_t handshake_type,
const DataBuffer& replacement)
: handshake_type_(handshake_type), buffer_(replacement) {}
virtual bool FilterHandshake(uint16_t version, uint8_t handshake_type,
const DataBuffer& input, DataBuffer* output);
private:
uint8_t handshake_type_;
DataBuffer buffer_;
};
// Records an alert. If an alert has already been recorded, it won't save the
// new alert unless the old alert is a warning and the new one is fatal.
class TlsAlertRecorder : public TlsRecordFilter {


@ -10,11 +10,7 @@
#include <memory>
#include <cstdint>
#include <cstring>
#if defined(WIN32) || defined(WIN64)
#include <winsock2.h>
#else
#include <arpa/inet.h>
#endif
#include "databuffer.h"
namespace nss_test {
@ -27,15 +23,11 @@ const uint8_t kTlsHandshakeClientHello = 1;
const uint8_t kTlsHandshakeServerHello = 2;
const uint8_t kTlsHandshakeCertificate = 11;
const uint8_t kTlsHandshakeServerKeyExchange = 12;
const uint8_t kTlsHandshakeCertificateVerify = 15;
const uint8_t kTlsHandshakeClientKeyExchange = 16;
const uint8_t kTlsHandshakeFinished = 20;
const uint8_t kTlsAlertWarning = 1;
const uint8_t kTlsAlertFatal = 2;
const uint8_t kTlsAlertUnexpectedMessage = 10;
const uint8_t kTlsAlertBadRecordMac = 20;
const uint8_t kTlsAlertHandshakeFailure = 40;
const uint8_t kTlsAlertIllegalParameter = 47;
const uint8_t kTlsAlertDecodeError = 50;


@ -51,7 +51,9 @@ nss_identity_hash
const void *key
)
{
return (PLHashNumber)((char *)key - (char *)NULL);
PRUint32 i = (PRUint32)key;
PR_ASSERT(sizeof(PLHashNumber) == sizeof(PRUint32));
return (PLHashNumber)i;
}
static PLHashNumber
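Review bot: `PRUint32 i = (PRUint32)key;` in nss_identity_hash casts a pointer to a 32-bit integer, which on 64-bit targets truncates the value and draws a pointer-to-int-cast diagnostic (an error under -Werror); the `PR_ASSERT` on `sizeof(PLHashNumber)` only checks the destination width, not the pointer width. Going through a pointer-sized integer first keeps the full value and compiles cleanly on both widths: `return (PLHashNumber)(PRUword)key;`. The same direct cast appears in the `identity_hash` hunk below (`return (PLHashNumber)key;`) and in the nss_ckfw_identity_hash hunk further down.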


@ -217,8 +217,9 @@ nsslist_add_element(nssList *list, void *data)
NSS_IMPLEMENT PRStatus
nssList_Add(nssList *list, void *data)
{
PRStatus nssrv;
NSSLIST_LOCK_IF(list);
(void)nsslist_add_element(list, data);
nssrv = nsslist_add_element(list, data);
NSSLIST_UNLOCK_IF(list);
return PR_SUCCESS;
}
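Review bot: `nssrv` in nssList_Add receives the result of nsslist_add_element, but the function still returns the constant `PR_SUCCESS`, so the stored status is never read and a failure inside the element insertion (presumably an allocation failure) is reported to the caller as success. Returning the captured value, `return nssrv;`, lets the locking wrapper propagate what the inner call reports; if ignoring that result is intentional, drop the assignment so the set-but-unused local does not warn.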


@ -29,7 +29,7 @@ identity_hash
const void *key
)
{
return (PLHashNumber)((char *)key - (char *)NULL);
return (PLHashNumber)key;
}
/*


@ -2443,6 +2443,7 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
{
unsigned int i;
CERTCertificate **certs = NULL;
SECStatus rv;
unsigned int fcerts = 0;
if ( ncerts ) {
@ -2490,11 +2491,10 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
* know which cert it belongs to. But we still may try
* the individual canickname from the cert itself.
*/
/* Bug 1192442 - propagate errors from these calls. */
(void)CERT_AddTempCertToPerm(certs[i], canickname, NULL);
rv = CERT_AddTempCertToPerm(certs[i], canickname, NULL);
} else {
(void)CERT_AddTempCertToPerm(certs[i],
nickname?nickname:canickname, NULL);
rv = CERT_AddTempCertToPerm(certs[i],
nickname?nickname:canickname, NULL);
}
PORT_Free(canickname);
@ -2511,7 +2511,7 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
}
}
return (fcerts || !ncerts) ? SECSuccess : SECFailure;
return ((fcerts || !ncerts) ? SECSuccess : SECFailure);
}
/*
@ -2893,16 +2893,15 @@ CERT_LockCertRefCount(CERTCertificate *cert)
void
CERT_UnlockCertRefCount(CERTCertificate *cert)
{
PRStatus prstat;
PORT_Assert(certRefCountLock != NULL);
#ifdef DEBUG
{
PRStatus prstat = PZ_Unlock(certRefCountLock);
PORT_Assert(prstat == PR_SUCCESS);
}
#else
PZ_Unlock(certRefCountLock);
#endif
prstat = PZ_Unlock(certRefCountLock);
PORT_Assert(prstat == PR_SUCCESS);
return;
}
static PZLock *certTrustLock = NULL;
@ -2974,16 +2973,15 @@ cert_DestroyLocks(void)
void
CERT_UnlockCertTrust(const CERTCertificate *cert)
{
PRStatus prstat;
PORT_Assert(certTrustLock != NULL);
#ifdef DEBUG
{
PRStatus prstat = PZ_Unlock(certTrustLock);
PORT_Assert(prstat == PR_SUCCESS);
}
#else
PZ_Unlock(certTrustLock);
#endif
prstat = PZ_Unlock(certTrustLock);
PORT_Assert(prstat == PR_SUCCESS);
return;
}
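Review bot: In CERT_ImportCerts both `rv = CERT_AddTempCertToPerm(...)` assignments store a status that nothing later reads, so a certificate that fails to persist is still counted toward `fcerts` and the `(fcerts || !ncerts)` return cannot reflect it; the value should be tested right after the call, e.g. `if (rv != SECSuccess) { /* exclude from fcerts or log */ }` ahead of `PORT_Free(canickname);`. In CERT_UnlockCertRefCount and CERT_UnlockCertTrust, `prstat` is consumed only by `PORT_Assert`, which compiles to nothing in non-DEBUG builds and leaves a set-but-unused variable there (the same pattern as `couldRemoveFromHashTable` in the ocsp_RemoveCacheItem hunk). The body of CERT_ImportCerts continues outside the hunk.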


@ -627,6 +627,7 @@ crl_storeCRL (PK11SlotInfo *slot,char *url,
CERTSignedCrl *oldCrl = NULL, *crl = NULL;
PRBool deleteOldCrl = PR_FALSE;
CK_OBJECT_HANDLE crlHandle = CK_INVALID_HANDLE;
SECStatus rv;
PORT_Assert(newCrl);
PORT_Assert(derCrl);
@ -639,8 +640,8 @@ crl_storeCRL (PK11SlotInfo *slot,char *url,
/* we can't use the cache here because we must look in the same
token */
(void)SEC_FindCrlByKeyOnSlot(slot, &newCrl->crl.derName, type,
&oldCrl, CRL_DECODE_SKIP_ENTRIES);
rv = SEC_FindCrlByKeyOnSlot(slot, &newCrl->crl.derName, type,
&oldCrl, CRL_DECODE_SKIP_ENTRIES);
/* if there is an old crl on the token, make sure the one we are
installing is newer. If not, exit out, otherwise delete the
old crl.
@ -2692,7 +2693,7 @@ cert_CheckCertRevocationStatus(CERTCertificate* cert, CERTCertificate* issuer,
}
if (SECFailure == rv)
{
(void)CERT_FindCRLEntryReasonExten(entry, &reason);
SECStatus rv2 = CERT_FindCRLEntryReasonExten(entry, &reason);
PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
}
break;
@ -3049,7 +3050,7 @@ SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
{
NamedCRLCacheEntry* oldEntry, * newEntry = NULL;
NamedCRLCache* ncc = NULL;
SECStatus rv = SECSuccess;
SECStatus rv = SECSuccess, rv2;
PORT_Assert(namedCRLCache.lock);
PORT_Assert(namedCRLCache.entries);
@ -3087,7 +3088,8 @@ SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
(void*) newEntry))
{
PORT_Assert(0);
NamedCRLCacheEntry_Destroy(newEntry);
rv2 = NamedCRLCacheEntry_Destroy(newEntry);
PORT_Assert(SECSuccess == rv2);
rv = SECFailure;
}
}
@ -3110,7 +3112,8 @@ SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
}
else
{
PORT_CheckSuccess(NamedCRLCacheEntry_Destroy(oldEntry));
rv2 = NamedCRLCacheEntry_Destroy(oldEntry);
PORT_Assert(SECSuccess == rv2);
}
if (NULL == PL_HashTableAdd(namedCRLCache.entries,
(void*) newEntry->canonicalizedName,
@ -3157,7 +3160,8 @@ SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
}
else
{
PORT_CheckSuccess(NamedCRLCacheEntry_Destroy(oldEntry));
rv2 = NamedCRLCacheEntry_Destroy(oldEntry);
PORT_Assert(SECSuccess == rv2);
}
if (NULL == PL_HashTableAdd(namedCRLCache.entries,
(void*) newEntry->canonicalizedName,
@ -3169,7 +3173,8 @@ SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
}
}
}
PORT_CheckSuccess(cert_ReleaseNamedCRLCache(ncc));
rv2 = cert_ReleaseNamedCRLCache(ncc);
PORT_Assert(SECSuccess == rv2);
return rv;
}
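Review bot: `SECStatus rv2 = CERT_FindCRLEntryReasonExten(entry, &reason);` in cert_CheckCertRevocationStatus is assigned and never read, so a failure to decode the reason extension goes unnoticed while the code proceeds to `PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE)` with whatever `reason` held; the local also warns as unused. Either consult the status before relying on `reason`, or make the best-effort intent explicit by discarding the result. In crl_storeCRL, `rv = SEC_FindCrlByKeyOnSlot(...)` is likewise captured but not tested in the visible lines before `oldCrl` is examined; the check may sit beyond the hunk.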


@ -67,6 +67,16 @@ static const SEC_ASN1Template CERTOtherNameTemplate[] = {
sizeof(CERTGeneralName) }
};
static const SEC_ASN1Template CERTOtherName2Template[] = {
{ SEC_ASN1_SEQUENCE | SEC_ASN1_CONTEXT_SPECIFIC | 0 ,
0, NULL, sizeof(CERTGeneralName) },
{ SEC_ASN1_OBJECT_ID,
offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, oid) },
{ SEC_ASN1_ANY,
offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, name) },
{ 0, }
};
static const SEC_ASN1Template CERT_RFC822NameTemplate[] = {
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1 ,
offsetof(CERTGeneralName, name.other),
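Review bot: `CERTOtherName2Template` is a file-scope `static const` table that no visible code references; if nothing else in genname.c uses it, GCC and Clang can report it as an unused constant variable, and with warnings promoted to errors that alone breaks the build. The same applies to `cert_RDNTemplate` in the secname.c hunk, whose own comment already marks it as slated for removal. Either reference the tables from the encoder/decoder that needs them or keep them out of the file until they are used.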


@ -240,6 +240,14 @@ CERT_CopyAVA(PLArenaPool *arena, CERTAVA *from)
return 0;
}
/************************************************************************/
/* XXX This template needs to go away in favor of the new SEC_ASN1 version. */
static const SEC_ASN1Template cert_RDNTemplate[] = {
{ SEC_ASN1_SET_OF,
offsetof(CERTRDN,avas), cert_AVATemplate, sizeof(CERTRDN) }
};
CERTRDN *
CERT_CreateRDN(PLArenaPool *arena, CERTAVA *ava0, ...)
{


@ -24,6 +24,8 @@ CERT_MatchNickname(char *name1, char *name2) {
char *nickname2 = NULL;
char *token1;
char *token2;
char *token = NULL;
int len;
/* first deal with the straight comparison */
if (PORT_Strcmp(name1, name2) == 0) {
@ -38,17 +40,20 @@ CERT_MatchNickname(char *name1, char *name2) {
return PR_FALSE;
}
if (token1) {
token=name1;
nickname1=token1;
nickname2=name2;
} else {
token=name2;
nickname1=token2;
nickname2=name1;
}
len = nickname1-token;
nickname1++;
if (PORT_Strcmp(nickname1,nickname2) != 0) {
return PR_FALSE;
}
/* Bug 1192443 - compare the other token with the internal slot here */
/* compare the other token with the internal slot here */
return PR_TRUE;
}
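Review bot: `len = nickname1-token;` in CERT_MatchNickname is computed and never read, and the comment that follows promises a comparison of the token prefix against the internal slot that the function never performs, so `token` and `len` are dead state and, as far as the visible lines show, the function returns PR_TRUE whenever the post-colon parts match regardless of token. Either implement the token comparison the comment describes using `token`/`len`, or remove the two locals; if kept, `len` should hold a pointer difference as `size_t` or `ptrdiff_t` rather than `int`. The head of the function, including how `token1`/`token2` are located, is outside the hunk.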


@ -23,7 +23,6 @@
#include "pkim.h"
#include "pki3hack.h"
#include "base.h"
#include "keyhi.h"
/*
* Check the validity times of a certificate
@ -35,94 +34,6 @@ CERT_CertTimesValid(CERTCertificate *c)
return (valid == secCertTimeValid) ? SECSuccess : SECFailure;
}
SECStatus checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicKey *key)
{
SECStatus rv;
SECOidTag sigAlg;
SECOidTag curve;
PRUint32 policyFlags = 0;
PRInt32 minLen, len;
sigAlg = SECOID_GetAlgorithmTag(sigAlgorithm);
switch(sigAlg) {
case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
if (key->keyType != ecKey) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return SECFailure;
}
curve = SECKEY_GetECCOid(&key->u.ec.DEREncodedParams);
if (curve != 0) {
if (NSS_GetAlgorithmPolicy(curve, &policyFlags) == SECFailure ||
!(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
return SECFailure;
} else {
return SECSuccess;
}
} else {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
}
return SECSuccess;
case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
if (key->keyType != rsaKey && key->keyType != rsaPssKey) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return SECFailure;
}
len = 8 * key->u.rsa.modulus.len;
rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minLen);
if (rv != SECSuccess) {
return SECFailure;
}
if (len < minLen) {
return SECFailure;
}
return SECSuccess;
case SEC_OID_ANSIX9_DSA_SIGNATURE:
case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
case SEC_OID_SDN702_DSA_SIGNATURE:
case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST:
case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST:
if (key->keyType != dsaKey) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return SECFailure;
}
len = 8 * key->u.dsa.params.prime.len;
rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &minLen);
if (rv != SECSuccess) {
return SECFailure;
}
if (len < minLen) {
return SECFailure;
}
return SECSuccess;
default:
return SECSuccess;
}
}
/*
* verify the signature of a signed data object with the given DER publickey
*/
@ -139,6 +50,7 @@ CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd,
PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
return SECFailure;
}
/* check the signature */
sig = sd->signature;
/* convert sig->len from bit counts to byte count. */
@ -149,17 +61,11 @@ CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd,
if (rv == SECSuccess) {
/* Are we honoring signatures for this algorithm? */
PRUint32 policyFlags = 0;
rv = checkKeyParams(&sd->signatureAlgorithm, pubKey);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
return SECFailure;
}
rv = NSS_GetAlgorithmPolicy(hashAlg, &policyFlags);
if (rv == SECSuccess &&
!(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
return SECFailure;
rv = SECFailure;
}
}
return rv;
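Review bot: With checkKeyParams gone, CERT_VerifySignedDataWithPublicKey gates only the hash algorithm through `NSS_GetAlgorithmPolicy(hashAlg, ...)`; nothing on the new side rejects a signature whose RSA or DSA key is below the NSS_RSA_MIN_KEY_SIZE / NSS_DSA_MIN_KEY_SIZE options or whose EC curve policy lacks NSS_USE_ALG_IN_CERT_SIGNATURE, and a key type that disagrees with the signature OID is no longer refused at this layer. If the backout is temporary, the re-land should restore that gate; until then callers relying on key-size policy at signature-verification time get no enforcement from this function. The start of CERT_VerifySignedDataWithPublicKey is outside the hunk.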


@ -1412,13 +1412,13 @@ setRevocationMethod(PKIX_RevocationChecker *revChecker,
{
PKIX_UInt32 methodFlags = 0;
PKIX_Error *error = NULL;
PKIX_UInt32 priority = 0;
int priority = 0;
if (revTest->number_of_defined_methods <= (PRUint32)certRevMethod) {
if (revTest->number_of_defined_methods <= certRevMethod) {
return NULL;
}
if (revTest->preferred_methods) {
unsigned int i = 0;
int i = 0;
for (;i < revTest->number_of_preferred_methods;i++) {
if (revTest->preferred_methods[i] == certRevMethod)
break;
@ -1454,6 +1454,7 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
CERTCertListNode *node;
PKIX_PL_Cert *certPkix = NULL;
PKIX_TrustAnchor *trustAnchor = NULL;
PKIX_PL_Date *revDate = NULL;
PKIX_RevocationChecker *revChecker = NULL;
PKIX_PL_NssContext *nssContext = (PKIX_PL_NssContext *)plContext;
@ -1663,6 +1664,9 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
if (date != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)date, plContext);
if (revDate != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)revDate, plContext);
if (revChecker != NULL)
PKIX_PL_Object_DecRef((PKIX_PL_Object *)revChecker, plContext);
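Review bot: In setRevocationMethod `int i` is compared against `revTest->number_of_preferred_methods` and `certRevMethod` against `revTest->number_of_defined_methods`; if those members are unsigned (the `(PRUint32)certRevMethod` cast on the removed side suggests they are), these are signed/unsigned comparisons that -Wsign-compare flags and that misbehave for negative values, so `unsigned int i` and an explicit cast on `certRevMethod` are the safer spellings. In cert_pkixSetParam, `revDate` is initialised to NULL and DecRef'd at cleanup, but nothing in the visible hunks ever assigns it, so it may be dead. Both functions extend beyond the hunks.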


@ -559,19 +559,14 @@ ocsp_RemoveCacheItem(OCSPCacheData *cache, OCSPCacheItem *item)
* because of an allocation failure, or it could get removed because we're
* cleaning up.
*/
PRBool couldRemoveFromHashTable;
OCSP_TRACE(("OCSP ocsp_RemoveCacheItem, THREADID %p\n", PR_GetCurrentThread()));
PR_EnterMonitor(OCSP_Global.monitor);
ocsp_RemoveCacheItemFromLinkedList(cache, item);
#ifdef DEBUG
{
PRBool couldRemoveFromHashTable = PL_HashTableRemove(cache->entries,
item->certID);
PORT_Assert(couldRemoveFromHashTable);
}
#else
PL_HashTableRemove(cache->entries, item->certID);
#endif
couldRemoveFromHashTable = PL_HashTableRemove(cache->entries,
item->certID);
PORT_Assert(couldRemoveFromHashTable);
--cache->numberOfEntries;
ocsp_FreeCacheItem(item);
PR_ExitMonitor(OCSP_Global.monitor);


@ -101,6 +101,9 @@ CERT_EncodeCRLDistributionPoints (PLArenaPool *arena,
rv = SECFailure;
break;
/* distributionPointName is omitted */
case 0: break;
default:
PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
rv = SECFailure;
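Review bot: `case 0: break;` relies on the reader knowing that zero in whatever the switch tests means "no distributionPointName", and the explanatory comment sits after the previous case's `break;` rather than on the case it describes. Put the comment on the case itself, `case 0: /* distributionPointName omitted: nothing to encode */ break;`, or use the enum's named zero value if the switch expression is the distributionPointName type enum (the expression is outside the hunk). The enclosing switch and CERT_EncodeCRLDistributionPoints both extend beyond the hunk.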


@ -65,8 +65,10 @@ builtins_mdInstance_GetLibraryVersion
NSSCKFWInstance *fwInstance
)
{
#define NSS_VERSION_VARIABLE __nss_builtins_version
#include "verref.h"
extern const char __nss_builtins_version[];
volatile char c; /* force a reference that won't get optimized away */
c = __nss_builtins_version[0];
return nss_builtins_LibraryVersion;
}


@ -11,6 +11,7 @@ my $o;
my @objects = ();
my @objsize;
$constants{CKO_DATA} = "static const CK_OBJECT_CLASS cko_data = CKO_DATA;\n";
$constants{CK_TRUE} = "static const CK_BBOOL ck_true = CK_TRUE;\n";
$constants{CK_FALSE} = "static const CK_BBOOL ck_false = CK_FALSE;\n";


@ -48,7 +48,9 @@ nss_ckfw_identity_hash
const void *key
)
{
return (PLHashNumber)((char *)key - (char *)NULL);
PRUint32 i = (PRUint32)key;
PR_ASSERT(sizeof(PLHashNumber) == sizeof(PRUint32));
return (PLHashNumber)i;
}
/*
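Review bot: `PRUint32 i = (PRUint32)key;` truncates the pointer on 64-bit targets and draws a pointer-to-integer-of-different-size warning, and the PR_ASSERT only compares PLHashNumber with PRUint32, so it never checks the pointer width the cast actually depends on. Convert through a pointer-sized integer instead, e.g. `return (PLHashNumber)(PRUptrdiff)key;` (or `(uintptr_t)key` if <stdint.h> is acceptable in this file). Discarding the high address bits is fine for a hash value, but the cast should say so rather than rely on a silent truncation.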


@ -1258,7 +1258,7 @@ nssCKFWToken_GetUTCTime
{
/* Format is YYYYMMDDhhmmss00 */
int i;
int Y, M, D, h, m, s;
int Y, M, D, h, m, s, z;
static int dims[] = { 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
for( i = 0; i < 16; i++ ) {
@ -1274,6 +1274,7 @@ nssCKFWToken_GetUTCTime
h = ((utcTime[ 8] - '0') * 10) + (utcTime[ 9] - '0');
m = ((utcTime[10] - '0') * 10) + (utcTime[11] - '0');
s = ((utcTime[12] - '0') * 10) + (utcTime[13] - '0');
z = ((utcTime[14] - '0') * 10) + (utcTime[15] - '0');
if( (Y < 1990) || (Y > 3000) ) goto badtime; /* Y3K problem. heh heh heh */
if( (M < 1) || (M > 12) ) goto badtime;
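Review bot: `z` is parsed from utcTime[14..15] but never validated or used, so the assignment is dead and draws a set-but-unused warning, while the format comment says those two bytes must be "00". Either check them — `if( z != 0 ) goto badtime;` alongside the other range checks — or do not parse them at all. The digit loop above presumably rejects non-digit bytes (its body is outside the hunk), and nssCKFWToken_GetUTCTime continues past the hunk.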


@ -30,6 +30,7 @@ cmmf_create_witness_and_challenge(PLArenaPool *poolp,
CMMFRand randStr= { {siBuffer, NULL, 0}, {siBuffer, NULL, 0}};
PK11SlotInfo *slot;
PK11SymKey *symKey = NULL;
CK_OBJECT_HANDLE id;
CERTSubjectPublicKeyInfo *spki = NULL;
@ -75,7 +76,7 @@ cmmf_create_witness_and_challenge(PLArenaPool *poolp,
rv = SECFailure;
goto loser;
}
(void)PK11_ImportPublicKey(slot, inPubKey, PR_FALSE);
id = PK11_ImportPublicKey(slot, inPubKey, PR_FALSE);
/* In order to properly encrypt the data, we import as a symmetric
* key, and then wrap that key. That in essence encrypts the data.
* This is the method recommended in the PK11 world in order
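Review bot: The handle returned by `PK11_ImportPublicKey` is stored in `id` but never checked or used, so a failed import is not noticed and the code goes on to wrap against a key object that may not exist on the slot. Test it in the same style as the error path just above: `if (id == CK_INVALID_HANDLE) { rv = SECFailure; goto loser; }`, assuming CK_INVALID_HANDLE is the failure value as in the other PK11 wrappers — verify. cmmf_create_witness_and_challenge continues outside the hunk.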


@ -857,6 +857,7 @@ CRMF_CreateEncryptedKeyWithEncryptedValue (SECKEYPrivateKey *inPrivKey,
{
SECKEYPublicKey *caPubKey = NULL;
CRMFEncryptedKey *encKey = NULL;
CRMFEncryptedValue *dummy;
PORT_Assert(inPrivKey != NULL && inCACert != NULL);
if (inPrivKey == NULL || inCACert == NULL) {
@ -872,17 +873,10 @@ CRMF_CreateEncryptedKeyWithEncryptedValue (SECKEYPrivateKey *inPrivKey,
if (encKey == NULL) {
goto loser;
}
#ifdef DEBUG
{
CRMFEncryptedValue *dummy =
crmf_create_encrypted_value_wrapped_privkey(
inPrivKey, caPubKey, &encKey->value.encryptedValue);
PORT_Assert(dummy == &encKey->value.encryptedValue);
}
#else
crmf_create_encrypted_value_wrapped_privkey(
inPrivKey, caPubKey, &encKey->value.encryptedValue);
#endif
dummy = crmf_create_encrypted_value_wrapped_privkey(inPrivKey,
caPubKey,
&encKey->value.encryptedValue);
PORT_Assert(dummy == &encKey->value.encryptedValue);
/* We won't add the der value here, but rather when it
* becomes part of a certificate request.
*/
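Review bot: The only check on the result of `crmf_create_encrypted_value_wrapped_privkey` is a PORT_Assert, which compiles away in release builds, so an unexpected return (NULL or anything else) leaves `encKey->value.encryptedValue` partially filled and the function still hands the key back as if wrapping succeeded. Make it a real check that reuses the existing error path: `if (dummy != &encKey->value.encryptedValue) goto loser;` right after the call, keeping the assert for the debug signal if wanted. The function's tail, including the `loser:` label, is outside the hunk.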


@ -52,7 +52,7 @@
struct crmfEncoderArg {
SECItem *buffer;
unsigned long allocatedLen;
long allocatedLen;
};
struct crmfEncoderOutput {


@ -10,7 +10,7 @@
#include "keyhi.h"
#include "cryptohi.h"
#define CRMF_DEFAULT_ALLOC_SIZE 1024U
#define CRMF_DEFAULT_ALLOC_SIZE 1024
SECStatus
crmf_init_encoder_callback_arg (struct crmfEncoderArg *encoderArg,
@ -33,6 +33,7 @@ crmf_init_encoder_callback_arg (struct crmfEncoderArg *encoderArg,
SECStatus
CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg)
{
SECItem *dummy;
CRMFProofOfPossession *pop;
PLArenaPool *poolp;
void *mark;
@ -51,9 +52,9 @@ CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg)
pop->popChoice.raVerified.data = NULL;
pop->popChoice.raVerified.len = 0;
inCertReqMsg->pop = pop;
(void)SEC_ASN1EncodeItem(poolp, &(inCertReqMsg->derPOP),
&(pop->popChoice.raVerified),
CRMFRAVerifiedTemplate);
dummy = SEC_ASN1EncodeItem(poolp, &(inCertReqMsg->derPOP),
&(pop->popChoice.raVerified),
CRMFRAVerifiedTemplate);
return SECSuccess;
loser:
PORT_ArenaRelease(poolp, mark);
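Review bot: In CRMF_CertReqMsgSetRAVerifiedPOP the result of `SEC_ASN1EncodeItem` is stored in `dummy` and never examined, so the function returns SECSuccess with `inCertReqMsg->derPOP` unset when encoding fails, and `dummy` draws a set-but-unused warning. The function already has a `loser:` path that releases the arena mark, so add `if (dummy == NULL) goto loser;` before `return SECSuccess;` (SEC_ASN1EncodeItem returning NULL on failure is how it is used elsewhere in NSS — verify). The other hunk in this section only drops the `U` suffix from CRMF_DEFAULT_ALLOC_SIZE.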


@ -138,6 +138,19 @@ const SEC_ASN1Template CRMFCertReqMessagesTemplate[] = {
CRMFCertReqMsgTemplate, sizeof (CRMFCertReqMessages)}
};
static const SEC_ASN1Template CRMFPOPOSigningKeyInputTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL,sizeof(CRMFPOPOSigningKeyInput) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
SEC_ASN1_CONTEXT_SPECIFIC | 0,
offsetof(CRMFPOPOSigningKeyInput, authInfo.sender) },
{ SEC_ASN1_BIT_STRING | SEC_ASN1_OPTIONAL | 1,
offsetof (CRMFPOPOSigningKeyInput, authInfo.publicKeyMAC) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
offsetof(CRMFPOPOSigningKeyInput, publicKey),
SEC_ASN1_SUB(CERT_SubjectPublicKeyInfoTemplate) },
{ 0 }
};
const SEC_ASN1Template CRMFRAVerifiedTemplate[] = {
{ SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_XTRN,
0,
@ -239,3 +252,19 @@ const SEC_ASN1Template CRMFEncryptedKeyWithEncryptedValueTemplate [] = {
CRMFEncryptedValueTemplate},
{ 0 }
};
static const SEC_ASN1Template CRMFSinglePubInfoTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFSinglePubInfo)},
{ SEC_ASN1_INTEGER, offsetof(CRMFSinglePubInfo, pubMethod) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC,
offsetof(CRMFSinglePubInfo, pubLocation) },
{ 0 }
};
static const SEC_ASN1Template CRMFPublicationInfoTemplate[] ={
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFPKIPublicationInfo) },
{ SEC_ASN1_INTEGER, offsetof(CRMFPKIPublicationInfo, action) },
{ SEC_ASN1_POINTER, offsetof(CRMFPKIPublicationInfo, pubInfos),
CRMFSinglePubInfoTemplate},
{ 0 }
};
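Review bot: The three templates restored here (CRMFPOPOSigningKeyInputTemplate, CRMFSinglePubInfoTemplate, CRMFPublicationInfoTemplate) are `static` and nothing visible in this section references them, so unless a user exists elsewhere in the file they are dead data that draws unused-variable warnings — likely what the backed-out change was removing. Separately, the entry `SEC_ASN1_BIT_STRING | SEC_ASN1_OPTIONAL | 1` does not produce a [1] context tag: it lacks SEC_ASN1_CONTEXT_SPECIFIC, and ORing 1 into the universal BIT STRING tag number (3) changes nothing. Encoding `authInfo` as two OPTIONAL members rather than a CHOICE also allows both or neither to be present; if the template is kept, add a comment stating which encoding of RFC 4211 POPOSigningKeyInput it intends.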


@ -260,14 +260,6 @@ extern int SECKEY_ECParamsToKeySize(const SECItem *params);
*/
extern int SECKEY_ECParamsToBasePointOrderLen(const SECItem *params);
/*
* Returns the object identifier of the curve, of the provided
* elliptic curve parameters structures.
*
* Return 0 on failure (unknown EC domain parameters).
*/
SECOidTag SECKEY_GetECCOid(const SECKEYECParams * params);
SEC_END_PROTOS
#endif /* _KEYHI_H_ */


@ -1565,7 +1565,7 @@ SECKEY_DestroyPrivateKeyInfo(SECKEYPrivateKeyInfo *pvk,
* this yet.
*/
PORT_Memset(pvk->privateKey.data, 0, pvk->privateKey.len);
PORT_Memset(pvk, 0, sizeof(*pvk));
PORT_Memset((char *)pvk, 0, sizeof(*pvk));
if(freeit == PR_TRUE) {
PORT_FreeArena(poolp, PR_TRUE);
} else {
@ -1575,7 +1575,7 @@ SECKEY_DestroyPrivateKeyInfo(SECKEYPrivateKeyInfo *pvk,
SECITEM_ZfreeItem(&pvk->version, PR_FALSE);
SECITEM_ZfreeItem(&pvk->privateKey, PR_FALSE);
SECOID_DestroyAlgorithmID(&pvk->algorithm, PR_FALSE);
PORT_Memset(pvk, 0, sizeof(*pvk));
PORT_Memset((char *)pvk, 0, sizeof(*pvk));
if(freeit == PR_TRUE) {
PORT_Free(pvk);
}
@ -1596,7 +1596,7 @@ SECKEY_DestroyEncryptedPrivateKeyInfo(SECKEYEncryptedPrivateKeyInfo *epki,
* this yet.
*/
PORT_Memset(epki->encryptedData.data, 0, epki->encryptedData.len);
PORT_Memset(epki, 0, sizeof(*epki));
PORT_Memset((char *)epki, 0, sizeof(*epki));
if(freeit == PR_TRUE) {
PORT_FreeArena(poolp, PR_TRUE);
} else {
@ -1605,7 +1605,7 @@ SECKEY_DestroyEncryptedPrivateKeyInfo(SECKEYEncryptedPrivateKeyInfo *epki,
} else {
SECITEM_ZfreeItem(&epki->encryptedData, PR_FALSE);
SECOID_DestroyAlgorithmID(&epki->algorithm, PR_FALSE);
PORT_Memset(epki, 0, sizeof(*epki));
PORT_Memset((char *)epki, 0, sizeof(*epki));
if(freeit == PR_TRUE) {
PORT_Free(epki);
}
@ -1904,22 +1904,3 @@ SECKEY_CacheStaticFlags(SECKEYPrivateKey* key)
}
return rv;
}
SECOidTag
SECKEY_GetECCOid(const SECKEYECParams * params)
{
SECItem oid = { siBuffer, NULL, 0};
SECOidData *oidData = NULL;
/*
* params->data needs to contain the ASN encoding of an object ID (OID)
* representing a named curve. Here, we strip away everything
* before the actual OID and use the OID to look up a named curve.
*/
if (params->data[0] != SEC_ASN1_OBJECT_ID) return 0;
oid.len = params->len - 2;
oid.data = params->data + 2;
if ((oidData = SECOID_FindOID(&oid)) == NULL) return 0;
return oidData->offset;
}


@ -158,11 +158,10 @@ long new_lseek(int fd, long offset, int origin)
{
char buffer[1024];
long len = seek_pos-end_pos;
memset(buffer, 0, 1024);
memset(&buffer, 0, 1024);
while(len > 0)
{
if(write(fd, buffer, (size_t)(1024 > len ? len : 1024)) < 0)
return(-1);
write(fd, (char*)&buffer, (size_t)(1024 > len ? len : 1024));
len -= 1024;
}
return(lseek(fd, seek_pos, SEEK_SET));
@ -721,6 +720,23 @@ __get_page(HTAB *hashp,
PAGE_INIT(p);
} else {
#ifdef DEBUG
if(BYTE_ORDER == LITTLE_ENDIAN)
{
int is_little_endian;
is_little_endian = BYTE_ORDER;
}
else if(BYTE_ORDER == BIG_ENDIAN)
{
int is_big_endian;
is_big_endian = BYTE_ORDER;
}
else
{
assert(0);
}
#endif
if (hashp->LORDER != BYTE_ORDER) {
register int i, max;
@ -982,7 +998,7 @@ overflow_page(HTAB *hashp)
if (offset > SPLITMASK) {
if (++splitnum >= NCACHED) {
#ifndef macintosh
(void)fwrite(OVMSG, 1, sizeof(OVMSG) - 1, stderr);
(void)write(STDERR_FILENO, OVMSG, sizeof(OVMSG) - 1);
#endif
return (0);
}
@ -997,7 +1013,7 @@ overflow_page(HTAB *hashp)
free_page++;
if (free_page >= NCACHED) {
#ifndef macintosh
(void)fwrite(OVMSG, 1, sizeof(OVMSG) - 1, stderr);
(void)write(STDERR_FILENO, OVMSG, sizeof(OVMSG) - 1);
#endif
return (0);
}
@ -1023,7 +1039,8 @@ overflow_page(HTAB *hashp)
if (offset > SPLITMASK) {
if (++splitnum >= NCACHED) {
#ifndef macintosh
(void)fwrite(OVMSG, 1, sizeof(OVMSG) - 1, stderr);
(void)write(STDERR_FILENO, OVMSG,
sizeof(OVMSG) - 1);
#endif
return (0);
}
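Review bot: In new_lseek the zero-fill loop ignores the return value of `write()`, so a failed or short write leaves the file shorter than `seek_pos` while the function still returns the result of `lseek()` as if the padding had been written; it also always subtracts 1024 from `len`, so a short write is never made up. Check the result and advance by the bytes actually written, as below (`ssize_t` is assumed to come from the same header that declares write()). new_lseek's signature and closing brace are outside the hunk, and the DEBUG endianness block in __get_page only assigns locals that are never read, which draws set-but-unused warnings.
```c
    char buffer[1024];
    long len = seek_pos-end_pos;
    memset(buffer, 0, sizeof(buffer));
    while(len > 0)
    {
        size_t chunk = (size_t)(1024 > len ? len : 1024);
        ssize_t n = write(fd, buffer, chunk);
        if(n <= 0)
            return(-1);
        len -= n;
    }
    return(lseek(fd, seek_pos, SEEK_SET));
```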
