wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Bug 669061, Upgrade to NSS 3.13, starting with NSS_3_13_BETA1, r=wtc

Browse Source 
--HG--
rename : security/nss/cmd/lib/SSLerrs.h => security/nss/lib/ssl/SSLerrs.h
rename : security/nss/cmd/lib/SECerrs.h => security/nss/lib/util/SECerrs.h
This commit is contained in:
Kai Engert 2011-08-19 17:27:10 +02:00
parent 13f1f66694
commit a37ca8f2ef
286 changed files with 9947 additions and 5670 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
security/coreconf/Darwin.mk
View File

@ -37,10 +37,10 @@
include $(CORE_DEPTH)/coreconf/UNIX.mk
DEFAULT_COMPILER = cc
DEFAULT_COMPILER = gcc
CC = cc
CCC = c++
CC = gcc
CCC = g++
RANLIB = ranlib
ifndef CPU_ARCH
@ -52,9 +52,11 @@ endif
ifeq (,$(filter-out i%86,$(CPU_ARCH)))
ifdef USE_64
CC += -arch x86_64
override CPU_ARCH = x86_64
else
OS_REL_CFLAGS = -Di386
CC += -arch i386
override CPU_ARCH = x86
endif
else
OS_REL_CFLAGS = -Dppc
@ -107,7 +109,7 @@ endif
# definitions so that the linker can catch multiply-defined symbols.
# Also, common symbols are not allowed with Darwin dynamic libraries.
OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) -Wmost -fpascal-strings -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK $(DARWIN_SDK_CFLAGS)
OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) -Wall -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK $(DARWIN_SDK_CFLAGS)
ifdef BUILD_OPT
ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))

5
security/coreconf/Linux.mk
View File

@ -202,8 +202,5 @@ PROCESS_MAP_FILE = grep -v ';-' $< | \
sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
ifeq ($(OS_RELEASE),2.4)
# Softoken 3.13 uses NO_FORK_CHECK only.
# Softoken 3.12 uses NO_FORK_CHECK and NO_CHECK_FORK.
# Don't use NO_CHECK_FORK in new code.
DEFINES += -DNO_FORK_CHECK -DNO_CHECK_FORK
DEFINES += -DNO_FORK_CHECK
endif

3
security/coreconf/WIN32.mk
View File

@ -143,7 +143,8 @@ ifdef NS_USE_GCC
DEFINES += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
endif
else # !NS_USE_GCC
OS_CFLAGS += -W3 -nologo -D_CRT_SECURE_NO_WARNINGS
OS_CFLAGS += -W3 -nologo -D_CRT_SECURE_NO_WARNINGS \
-D_CRT_NONSTDC_NO_WARNINGS
OS_DLLFLAGS += -nologo -DLL -SUBSYSTEM:WINDOWS
ifeq ($(_MSC_VER),$(_MSC_VER_6))
ifndef MOZ_DEBUG_SYMBOLS

1
security/coreconf/coreconf.dep
View File

@ -43,3 +43,4 @@
#error "Do not include this header file."

2
security/nss/TAG-INFO
View File

@ -1 +1 @@
NSS_3_12_11_RTM
NSS_3_13_BETA1

40
security/nss/cmd/addbuiltin/addbuiltin.c
View File

@ -37,7 +37,7 @@
/*
* Tool for converting builtin CA certs.
*
* $Id: addbuiltin.c,v 1.14.68.1 2011/03/23 20:07:57 kaie%kuix.de Exp $
* $Id: addbuiltin.c,v 1.16 2011/04/13 00:10:21 rrelyea%redhat.com Exp $
*/
#include "nssrenam.h"
@ -68,22 +68,22 @@ char *getTrustString(unsigned int trust)
{
if (trust & CERTDB_TRUSTED) {
if (trust & CERTDB_TRUSTED_CA) {
return "CKT_NETSCAPE_TRUSTED_DELEGATOR|CKT_NETSCAPE_TRUSTED";
return "CKT_NSS_TRUSTED_DELEGATOR";
} else {
return "CKT_NETSCAPE_TRUSTED";
return "CKT_NSS_TRUSTED";
}
} else {
if (trust & CERTDB_TRUSTED_CA) {
return "CKT_NETSCAPE_TRUSTED_DELEGATOR";
return "CKT_NSS_TRUSTED_DELEGATOR";
} else if (trust & CERTDB_VALID_CA) {
return "CKT_NETSCAPE_VALID_DELEGATOR";
} else if (trust & CERTDB_VALID_PEER) {
return "CKT_NETSCAPE_VALID";
return "CKT_NSS_VALID_DELEGATOR";
} else if (trust & CERTDB_TERMINAL_RECORD) {
return "CKT_NSS_NOT_TRUSTED";
} else {
return "CKT_NETSCAPE_TRUST_UNKNOWN";
return "CKT_NSS_MUST_VERIFY_TRUST";
}
}
return "CKT_NETSCAPE_TRUST_UNKNOWN"; /* not reached */
return "CKT_NSS_TRUST_UNKNOWN"; /* not reached */
}
static const SEC_ASN1Template serialTemplate[] = {
@ -133,7 +133,7 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust)
PK11_HashBuf(SEC_OID_SHA1, sha1_hash, sdder->data, sdder->len);
PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len);
printf("\n# Trust for Certificate \"%s\"\n",nickname);
printf("CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST\n");
printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n");
printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
@ -159,13 +159,13 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust)
printf("CKA_TRUST_CODE_SIGNING CK_TRUST %s\n",
getTrustString(trust->objectSigningFlags));
#ifdef notdef
printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED\n");*/
printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NSS_TRUSTED\n");
printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
#endif
printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL %s\n",
trust->sslFlags & CERTDB_GOVT_APPROVED_CA ?
@ -215,7 +215,7 @@ void printheader() {
"#\n"
"# ***** END LICENSE BLOCK *****\n"
"#\n"
"CVS_ID \"@(#) $RCSfile: addbuiltin.c,v $ $Revision: 1.14.68.1 $ $Date: 2011/03/23 20:07:57 $\"\n"
"CVS_ID \"@(#) $RCSfile: addbuiltin.c,v $ $Revision: 1.16 $ $Date: 2011/04/13 00:10:21 $\"\n"
"\n"
"#\n"
"# certdata.txt\n"
@ -239,7 +239,7 @@ void printheader() {
"# CKA_ISSUER DER+base64 (varies)\n"
"# CKA_SERIAL_NUMBER DER+base64 (varies)\n"
"# CKA_VALUE DER+base64 (varies)\n"
"# CKA_NETSCAPE_EMAIL ASCII7 (unused here)\n"
"# CKA_NSS_EMAIL ASCII7 (unused here)\n"
"#\n"
"# Trust\n"
"#\n"
@ -276,7 +276,7 @@ void printheader() {
"# have to go looking for others.\n"
"#\n"
"BEGINDATA\n"
"CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST\n"
"CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST\n"
"CKA_TOKEN CK_BBOOL CK_TRUE\n"
"CKA_PRIVATE CK_BBOOL CK_FALSE\n"
"CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"

56
security/nss/cmd/bltest/blapitest.c
View File

@ -50,7 +50,7 @@
#include "plgetopt.h"
#include "softoken.h"
#include "nspr.h"
#include "nss.h"
#include "nssutil.h"
#include "secoid.h"
#ifdef NSS_ENABLE_ECC
@ -78,7 +78,7 @@ char *testdir = NULL;
if (rv) { \
PRErrorCode prerror = PR_GetError(); \
PR_fprintf(PR_STDERR, "%s: ERR %d (%s) at line %d.\n", progName, \
prerror, SECU_Strerror(prerror), ln); \
prerror, NSS_Strerror(prerror,formatSimple), ln); \
exit(-1); \
}
@ -692,6 +692,7 @@ typedef enum {
bltestMD2, /* Hash algorithms */
bltestMD5, /* . */
bltestSHA1, /* . */
bltestSHA224, /* . */
bltestSHA256, /* . */
bltestSHA384, /* . */
bltestSHA512, /* . */
@ -726,6 +727,7 @@ static char *mode_strings[] =
"md2",
"md5",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
@ -1765,6 +1767,46 @@ finish:
return rv;
}
SECStatus
SHA224_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
{
SECStatus rv = SECSuccess;
SHA224Context *cx, *cx_cpy;
unsigned char *cxbytes;
unsigned int len;
unsigned int i, quarter;
cx = SHA224_NewContext();
SHA224_Begin(cx);
/* divide message by 4, restarting 3 times */
quarter = (src_length + 3) / 4;
for (i=0; i < 4 && src_length > 0; i++) {
SHA224_Update(cx, src + i*quarter, PR_MIN(quarter, src_length));
len = SHA224_FlattenSize(cx);
cxbytes = PORT_Alloc(len);
SHA224_Flatten(cx, cxbytes);
cx_cpy = SHA224_Resurrect(cxbytes, NULL);
if (!cx_cpy) {
PR_fprintf(PR_STDERR, "%s: SHA224_Resurrect failed!\n", progName);
rv = SECFailure;
goto finish;
}
rv = PORT_Memcmp(cx, cx_cpy, len);
if (rv) {
SHA224_DestroyContext(cx_cpy, PR_TRUE);
PR_fprintf(PR_STDERR, "%s: SHA224_restart failed!\n", progName);
goto finish;
}
SHA224_DestroyContext(cx_cpy, PR_TRUE);
PORT_Free(cxbytes);
src_length -= quarter;
}
SHA224_End(cx, dest, &len, MD5_LENGTH);
finish:
SHA224_DestroyContext(cx, PR_TRUE);
return rv;
}
SECStatus
SHA256_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
{
@ -2057,6 +2099,14 @@ cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt)
cipherInfo->cipher.hashCipher = (restart) ? sha1_restart : SHA1_HashBuf;
return SECSuccess;
break;
case bltestSHA224:
restart = cipherInfo->params.hash.restart;
SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
SHA224_LENGTH);
cipherInfo->cipher.hashCipher = (restart) ? SHA224_restart
: SHA224_HashBuf;
return SECSuccess;
break;
case bltestSHA256:
restart = cipherInfo->params.hash.restart;
SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
@ -2498,6 +2548,7 @@ cipherFinish(bltestCipherInfo *cipherInfo)
case bltestMD2: /* hash contexts are ephemeral */
case bltestMD5:
case bltestSHA1:
case bltestSHA224:
case bltestSHA256:
case bltestSHA384:
case bltestSHA512:
@ -2851,6 +2902,7 @@ get_params(PRArenaPool *arena, bltestParams *params,
case bltestMD2:
case bltestMD5:
case bltestSHA1:
case bltestSHA224:
case bltestSHA256:
case bltestSHA384:
case bltestSHA512:

2
security/nss/cmd/bltest/tests/sha224/ciphertext0 Normal file
View File

@ -0,0 +1,2 @@
Iwl9IjQF2CKGQqR3vaJVsyqtvOS9oLP342ydpw==

2
security/nss/cmd/bltest/tests/sha224/ciphertext1 Normal file
View File

@ -0,0 +1,2 @@
dTiLFlEndsxdul2h/YkBULDGRVy09YsZUlIlJQ==

1
security/nss/cmd/bltest/tests/sha224/numtests Normal file
View File

@ -0,0 +1 @@
2

1
security/nss/cmd/bltest/tests/sha224/plaintext0 Normal file
View File

@ -0,0 +1 @@
abc

1
security/nss/cmd/bltest/tests/sha224/plaintext1 Normal file
View File

@ -0,0 +1 @@
abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq

4
security/nss/cmd/certutil/certutil.c
View File

@ -1106,8 +1106,8 @@ static void luCommonDetailsAE()
" -t trustargs");
FPS "%-25s trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,\n", "");
FPS "%-25s and z is for code signing. Use ,, for no explicit trust.\n", "");
FPS "%-25s p \t valid peer\n", "");
FPS "%-25s P \t trusted peer (implies p)\n", "");
FPS "%-25s p \t prohibited\n", "");
FPS "%-25s P \t trusted peer\n", "");
FPS "%-25s c \t valid CA\n", "");
FPS "%-25s T \t trusted CA to issue client certs (implies c)\n", "");
FPS "%-25s C \t trusted CA to issue server certs (implies c)\n", "");

79
security/nss/cmd/chktest/Makefile Normal file
View File

@ -0,0 +1,79 @@
#! gmake
#
# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
#
# The contents of this file are subject to the Mozilla Public License Version
# 1.1 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# License.
#
# The Original Code is the Netscape security libraries.
#
# The Initial Developer of the Original Code is
# Netscape Communications Corporation.
# Portions created by the Initial Developer are Copyright (C) 1994-2000
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
# in which case the provisions of the GPL or the LGPL are applicable instead
# of those above. If you wish to allow use of your version of this file only
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
#######################################################################
# (1) Include initial platform-independent assignments (MANDATORY). #
#######################################################################
include manifest.mn
#######################################################################
# (2) Include "global" configuration information. (OPTIONAL) #
#######################################################################
include $(CORE_DEPTH)/coreconf/config.mk
#######################################################################
# (3) Include "component" configuration information. (OPTIONAL) #
#######################################################################
#######################################################################
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
#######################################################################
include ../platlibs.mk
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #
#######################################################################
include $(CORE_DEPTH)/coreconf/rules.mk
#######################################################################
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
#######################################################################
include ../platrules.mk

76
security/nss/cmd/chktest/chktest.c Normal file
View File

@ -0,0 +1,76 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Kai Engert <kengert@redhat.com>
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#include <stdio.h>
#include <stdlib.h>
#include "blapi.h"
#include "secutil.h"
static int Usage()
{
fprintf(stderr, "Usage: chktest <full-path-to-shared-library>\n");
fprintf(stderr, " Will test for valid chk file.\n");
fprintf(stderr, " Will print SUCCESS or FAILURE.\n");
exit(1);
}
int main(int argc, char **argv)
{
SECStatus rv = SECFailure;
PRBool good_result = PR_FALSE;
if (argc != 2)
return Usage();
rv = RNG_RNGInit();
if (rv != SECSuccess) {
SECU_PrintPRandOSError("");
return -1;
}
rv = BL_Init();
if (rv != SECSuccess) {
SECU_PrintPRandOSError("");
return -1;
}
RNG_SystemInfoForRNG();
good_result = BLAPI_SHVerifyFile(argv[1]);
printf("%s\n",
(good_result ? "SUCCESS" : "FAILURE"));
return (good_result) ? SECSuccess : SECFailure;
}

59
security/nss/cmd/chktest/manifest.mn Normal file
View File

@ -0,0 +1,59 @@
#
# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
#
# The contents of this file are subject to the Mozilla Public License Version
# 1.1 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# License.
#
# The Original Code is the Netscape security libraries.
#
# The Initial Developer of the Original Code is
# Netscape Communications Corporation.
# Portions created by the Initial Developer are Copyright (C) 1994-2000
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
# in which case the provisions of the GPL or the LGPL are applicable instead
# of those above. If you wish to allow use of your version of this file only
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
CORE_DEPTH = ../../..
MODULE = nss
#REQUIRES = seccmd dbm softoken
REQUIRES = seccmd dbm
#INCLUDES += -I$(CORE_DEPTH)/nss/lib/softoken
PROGRAM = chktest
USE_STATIC_LIBS = 1
EXPORTS = \
$(NULL)
PRIVATE_EXPORTS = \
$(NULL)
CSRCS = \
chktest.c \
$(NULL)

1
security/nss/cmd/lib/Makefile
View File

@ -78,5 +78,4 @@ include $(CORE_DEPTH)/coreconf/rules.mk
export:: private_export
$(OBJDIR)/secerror$(OBJ_SUFFIX): NSPRerrs.h SECerrs.h SSLerrs.h

153
security/nss/cmd/lib/NSPRerrs.h
View File

@ -1,153 +0,0 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* General NSPR 2.0 errors */
/* Caller must #include "prerror.h" */
ER2( PR_OUT_OF_MEMORY_ERROR, "Memory allocation attempt failed." )
ER2( PR_BAD_DESCRIPTOR_ERROR, "Invalid file descriptor." )
ER2( PR_WOULD_BLOCK_ERROR, "The operation would have blocked." )
ER2( PR_ACCESS_FAULT_ERROR, "Invalid memory address argument." )
ER2( PR_INVALID_METHOD_ERROR, "Invalid function for file type." )
ER2( PR_ILLEGAL_ACCESS_ERROR, "Invalid memory address argument." )
ER2( PR_UNKNOWN_ERROR, "Some unknown error has occurred." )
ER2( PR_PENDING_INTERRUPT_ERROR,"Operation interrupted by another thread." )
ER2( PR_NOT_IMPLEMENTED_ERROR, "function not implemented." )
ER2( PR_IO_ERROR, "I/O function error." )
ER2( PR_IO_TIMEOUT_ERROR, "I/O operation timed out." )
ER2( PR_IO_PENDING_ERROR, "I/O operation on busy file descriptor." )
ER2( PR_DIRECTORY_OPEN_ERROR, "The directory could not be opened." )
ER2( PR_INVALID_ARGUMENT_ERROR, "Invalid function argument." )
ER2( PR_ADDRESS_NOT_AVAILABLE_ERROR, "Network address not available (in use?)." )
ER2( PR_ADDRESS_NOT_SUPPORTED_ERROR, "Network address type not supported." )
ER2( PR_IS_CONNECTED_ERROR, "Already connected." )
ER2( PR_BAD_ADDRESS_ERROR, "Network address is invalid." )
ER2( PR_ADDRESS_IN_USE_ERROR, "Local Network address is in use." )
ER2( PR_CONNECT_REFUSED_ERROR, "Connection refused by peer." )
ER2( PR_NETWORK_UNREACHABLE_ERROR, "Network address is presently unreachable." )
ER2( PR_CONNECT_TIMEOUT_ERROR, "Connection attempt timed out." )
ER2( PR_NOT_CONNECTED_ERROR, "Network file descriptor is not connected." )
ER2( PR_LOAD_LIBRARY_ERROR, "Failure to load dynamic library." )
ER2( PR_UNLOAD_LIBRARY_ERROR, "Failure to unload dynamic library." )
ER2( PR_FIND_SYMBOL_ERROR,
"Symbol not found in any of the loaded dynamic libraries." )
ER2( PR_INSUFFICIENT_RESOURCES_ERROR, "Insufficient system resources." )
ER2( PR_DIRECTORY_LOOKUP_ERROR,
"A directory lookup on a network address has failed." )
ER2( PR_TPD_RANGE_ERROR,
"Attempt to access a TPD key that is out of range." )
ER2( PR_PROC_DESC_TABLE_FULL_ERROR, "Process open FD table is full." )
ER2( PR_SYS_DESC_TABLE_FULL_ERROR, "System open FD table is full." )
ER2( PR_NOT_SOCKET_ERROR,
"Network operation attempted on non-network file descriptor." )
ER2( PR_NOT_TCP_SOCKET_ERROR,
"TCP-specific function attempted on a non-TCP file descriptor." )
ER2( PR_SOCKET_ADDRESS_IS_BOUND_ERROR, "TCP file descriptor is already bound." )
ER2( PR_NO_ACCESS_RIGHTS_ERROR, "Access Denied." )
ER2( PR_OPERATION_NOT_SUPPORTED_ERROR,
"The requested operation is not supported by the platform." )
ER2( PR_PROTOCOL_NOT_SUPPORTED_ERROR,
"The host operating system does not support the protocol requested." )
ER2( PR_REMOTE_FILE_ERROR, "Access to the remote file has been severed." )
ER2( PR_BUFFER_OVERFLOW_ERROR,
"The value requested is too large to be stored in the data buffer provided." )
ER2( PR_CONNECT_RESET_ERROR, "TCP connection reset by peer." )
ER2( PR_RANGE_ERROR, "Unused." )
ER2( PR_DEADLOCK_ERROR, "The operation would have deadlocked." )
ER2( PR_FILE_IS_LOCKED_ERROR, "The file is already locked." )
ER2( PR_FILE_TOO_BIG_ERROR,
"Write would result in file larger than the system allows." )
ER2( PR_NO_DEVICE_SPACE_ERROR, "The device for storing the file is full." )
ER2( PR_PIPE_ERROR, "Unused." )
ER2( PR_NO_SEEK_DEVICE_ERROR, "Unused." )
ER2( PR_IS_DIRECTORY_ERROR,
"Cannot perform a normal file operation on a directory." )
ER2( PR_LOOP_ERROR, "Symbolic link loop." )
ER2( PR_NAME_TOO_LONG_ERROR, "File name is too long." )
ER2( PR_FILE_NOT_FOUND_ERROR, "File not found." )
ER2( PR_NOT_DIRECTORY_ERROR,
"Cannot perform directory operation on a normal file." )
ER2( PR_READ_ONLY_FILESYSTEM_ERROR,
"Cannot write to a read-only file system." )
ER2( PR_DIRECTORY_NOT_EMPTY_ERROR,
"Cannot delete a directory that is not empty." )
ER2( PR_FILESYSTEM_MOUNTED_ERROR,
"Cannot delete or rename a file object while the file system is busy." )
ER2( PR_NOT_SAME_DEVICE_ERROR,
"Cannot rename a file to a file system on another device." )
ER2( PR_DIRECTORY_CORRUPTED_ERROR,
"The directory object in the file system is corrupted." )
ER2( PR_FILE_EXISTS_ERROR,
"Cannot create or rename a filename that already exists." )
ER2( PR_MAX_DIRECTORY_ENTRIES_ERROR,
"Directory is full. No additional filenames may be added." )
ER2( PR_INVALID_DEVICE_STATE_ERROR,
"The required device was in an invalid state." )
ER2( PR_DEVICE_IS_LOCKED_ERROR, "The device is locked." )
ER2( PR_NO_MORE_FILES_ERROR, "No more entries in the directory." )
ER2( PR_END_OF_FILE_ERROR, "Encountered end of file." )
ER2( PR_FILE_SEEK_ERROR, "Seek error." )
ER2( PR_FILE_IS_BUSY_ERROR, "The file is busy." )
ER2( PR_IN_PROGRESS_ERROR,
"Operation is still in progress (probably a non-blocking connect)." )
ER2( PR_ALREADY_INITIATED_ERROR,
"Operation has already been initiated (probably a non-blocking connect)." )
#ifdef PR_GROUP_EMPTY_ERROR
ER2( PR_GROUP_EMPTY_ERROR, "The wait group is empty." )
#endif
#ifdef PR_INVALID_STATE_ERROR
ER2( PR_INVALID_STATE_ERROR, "Object state improper for request." )
#endif
#ifdef PR_NETWORK_DOWN_ERROR
ER2( PR_NETWORK_DOWN_ERROR, "Network is down." )
#endif
#ifdef PR_SOCKET_SHUTDOWN_ERROR
ER2( PR_SOCKET_SHUTDOWN_ERROR, "The socket was previously shut down." )
#endif
#ifdef PR_CONNECT_ABORTED_ERROR
ER2( PR_CONNECT_ABORTED_ERROR, "TCP Connection aborted." )
#endif
#ifdef PR_HOST_UNREACHABLE_ERROR
ER2( PR_HOST_UNREACHABLE_ERROR, "Host is unreachable." )
#endif
/* always last */
ER2( PR_MAX_ERROR, "Placeholder for the end of the list" )

5
security/nss/cmd/lib/manifest.mn
View File

@ -44,9 +44,6 @@ MODULE = nss
DEFINES = -DNSPR20
PRIVATE_EXPORTS = secutil.h \
NSPRerrs.h \
SECerrs.h \
SSLerrs.h \
pk11table.h \
$(NULL)
@ -60,6 +57,4 @@ CSRCS = secutil.c \
pk11table.c \
$(NULL)
REQUIRES = dbm
NO_MD_RELEASE = 1

53
security/nss/cmd/lib/pk11table.c
View File

@ -155,10 +155,10 @@ const Constant _consts[] = {
mkEntry(CKO_HW_FEATURE, Object),
mkEntry(CKO_DOMAIN_PARAMETERS, Object),
mkEntry(CKO_KG_PARAMETERS, Object),
mkEntry(CKO_NETSCAPE_CRL, Object),
mkEntry(CKO_NETSCAPE_SMIME, Object),
mkEntry(CKO_NETSCAPE_TRUST, Object),
mkEntry(CKO_NETSCAPE_BUILTIN_ROOT_LIST, Object),
mkEntry(CKO_NSS_CRL, Object),
mkEntry(CKO_NSS_SMIME, Object),
mkEntry(CKO_NSS_TRUST, Object),
mkEntry(CKO_NSS_BUILTIN_ROOT_LIST, Object),
mkEntry(CKH_MONOTONIC_COUNTER, Hardware),
mkEntry(CKH_CLOCK, Hardware),
@ -188,7 +188,7 @@ const Constant _consts[] = {
mkEntry(CKK_CDMF, KeyType),
mkEntry(CKK_AES, KeyType),
mkEntry(CKK_CAMELLIA, KeyType),
mkEntry(CKK_NETSCAPE_PKCS8, KeyType),
mkEntry(CKK_NSS_PKCS8, KeyType),
mkEntry(CKC_X_509, CertType),
mkEntry(CKC_X_509_ATTR_CERT, CertType),
@ -252,18 +252,18 @@ const Constant _consts[] = {
mkEntry2(CKA_HW_FEATURE_TYPE, Attribute, Hardware),
mkEntry2(CKA_RESET_ON_INIT, Attribute, Bool),
mkEntry2(CKA_HAS_RESET, Attribute, Bool),
mkEntry2(CKA_NETSCAPE_URL, Attribute, None),
mkEntry2(CKA_NETSCAPE_EMAIL, Attribute, None),
mkEntry2(CKA_NETSCAPE_SMIME_INFO, Attribute, None),
mkEntry2(CKA_NETSCAPE_SMIME_TIMESTAMP, Attribute, None),
mkEntry2(CKA_NETSCAPE_PKCS8_SALT, Attribute, None),
mkEntry2(CKA_NETSCAPE_PASSWORD_CHECK, Attribute, None),
mkEntry2(CKA_NETSCAPE_EXPIRES, Attribute, None),
mkEntry2(CKA_NETSCAPE_KRL, Attribute, None),
mkEntry2(CKA_NETSCAPE_PQG_COUNTER, Attribute, None),
mkEntry2(CKA_NETSCAPE_PQG_SEED, Attribute, None),
mkEntry2(CKA_NETSCAPE_PQG_H, Attribute, None),
mkEntry2(CKA_NETSCAPE_PQG_SEED_BITS, Attribute, None),
mkEntry2(CKA_NSS_URL, Attribute, None),
mkEntry2(CKA_NSS_EMAIL, Attribute, None),
mkEntry2(CKA_NSS_SMIME_INFO, Attribute, None),
mkEntry2(CKA_NSS_SMIME_TIMESTAMP, Attribute, None),
mkEntry2(CKA_NSS_PKCS8_SALT, Attribute, None),
mkEntry2(CKA_NSS_PASSWORD_CHECK, Attribute, None),
mkEntry2(CKA_NSS_EXPIRES, Attribute, None),
mkEntry2(CKA_NSS_KRL, Attribute, None),
mkEntry2(CKA_NSS_PQG_COUNTER, Attribute, None),
mkEntry2(CKA_NSS_PQG_SEED, Attribute, None),
mkEntry2(CKA_NSS_PQG_H, Attribute, None),
mkEntry2(CKA_NSS_PQG_SEED_BITS, Attribute, None),
mkEntry2(CKA_TRUST_DIGITAL_SIGNATURE, Attribute, Trust),
mkEntry2(CKA_TRUST_NON_REPUDIATION, Attribute, Trust),
mkEntry2(CKA_TRUST_KEY_ENCIPHERMENT, Attribute, Trust),
@ -492,8 +492,8 @@ const Constant _consts[] = {
mkEntry(CKM_SEED_CBC_ENCRYPT_DATA, Mechanism),
mkEntry(CKM_DSA_PARAMETER_GEN, Mechanism),
mkEntry(CKM_DH_PKCS_PARAMETER_GEN, Mechanism),
mkEntry(CKM_NETSCAPE_AES_KEY_WRAP, Mechanism),
mkEntry(CKM_NETSCAPE_AES_KEY_WRAP_PAD, Mechanism),
mkEntry(CKM_NSS_AES_KEY_WRAP, Mechanism),
mkEntry(CKM_NSS_AES_KEY_WRAP_PAD, Mechanism),
mkEntry(CKM_NETSCAPE_PBE_SHA1_DES_CBC, Mechanism),
mkEntry(CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, Mechanism),
mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, Mechanism),
@ -593,13 +593,12 @@ const Constant _consts[] = {
mkEntry(CKR_MUTEX_NOT_LOCKED, Result),
mkEntry(CKR_VENDOR_DEFINED, Result),
mkEntry(CKT_NETSCAPE_TRUSTED, Trust),
mkEntry(CKT_NETSCAPE_TRUSTED_DELEGATOR, Trust),
mkEntry(CKT_NETSCAPE_UNTRUSTED, Trust),
mkEntry(CKT_NETSCAPE_MUST_VERIFY, Trust),
mkEntry(CKT_NETSCAPE_TRUST_UNKNOWN, Trust),
mkEntry(CKT_NETSCAPE_VALID, Trust),
mkEntry(CKT_NETSCAPE_VALID_DELEGATOR, Trust),
mkEntry(CKT_NSS_TRUSTED, Trust),
mkEntry(CKT_NSS_TRUSTED_DELEGATOR, Trust),
mkEntry(CKT_NSS_NOT_TRUSTED, Trust),
mkEntry(CKT_NSS_MUST_VERIFY_TRUST, Trust),
mkEntry(CKT_NSS_TRUST_UNKNOWN, Trust),
mkEntry(CKT_NSS_VALID_DELEGATOR, Trust),
mkEntry(CK_EFFECTIVELY_INFINITE, AvailableSizes),
mkEntry(CK_UNAVAILABLE_INFORMATION, CurrentSize),
@ -1252,7 +1251,7 @@ const Commands _commands[] = {
ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
{"NewMechanism", F_NewMechanism,
"NewMechanism varName mechanismType\n\n"
"Create a new CK_MECHANISM object with type NULL paramters and specified type\n"
"Create a new CK_MECHANISM object with type NULL parameters and specified type\n"
" varName variable name of the new mechansim\n"
" mechanismType CKM_ mechanism type value to set int the type field\n",
{ArgVar|ArgNew, ArgULong, ArgNone, ArgNone, ArgNone,

73
security/nss/cmd/lib/secerror.c
View File

@ -33,78 +33,13 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#include "nspr.h"
struct tuple_str {
PRErrorCode errNum;
const char * errString;
};
typedef struct tuple_str tuple_str;
#define ER2(a,b) {a, b},
#define ER3(a,b,c) {a, c},
#include "secerr.h"
#include "sslerr.h"
const tuple_str errStrings[] = {
/* keep this list in asceding order of error numbers */
#include "SSLerrs.h"
#include "SECerrs.h"
#include "NSPRerrs.h"
};
const PRInt32 numStrings = sizeof(errStrings) / sizeof(tuple_str);
#include "prtypes.h"
#include "nssutil.h"
/* Returns a UTF-8 encoded constant error string for "errNum".
* Returns NULL of errNum is unknown.
* Returns NULL if errNum is unknown.
*/
const char *
SECU_Strerror(PRErrorCode errNum) {
PRInt32 low = 0;
PRInt32 high = numStrings - 1;
PRInt32 i;
PRErrorCode num;
static int initDone;
/* make sure table is in ascending order.
* binary search depends on it.
*/
if (!initDone) {
PRErrorCode lastNum = ((PRInt32)0x80000000);
for (i = low; i <= high; ++i) {
num = errStrings[i].errNum;
if (num <= lastNum) {
fprintf(stderr,
"sequence error in error strings at item %d\n"
"error %d (%s)\n"
"should come after \n"
"error %d (%s)\n",
i, lastNum, errStrings[i-1].errString,
num, errStrings[i].errString);
}
lastNum = num;
}
initDone = 1;
}
/* Do binary search of table. */
while (low + 1 < high) {
i = (low + high) / 2;
num = errStrings[i].errNum;
if (errNum == num)
return errStrings[i].errString;
if (errNum < num)
high = i;
else
low = i;
}
if (errNum == errStrings[low].errNum)
return errStrings[low].errString;
if (errNum == errStrings[high].errNum)
return errStrings[high].errString;
return NULL;
return NSS_Strerror(errNum, formatSimple);
}

227
security/nss/cmd/lib/secutil.c
View File

@ -83,15 +83,9 @@ static char consoleName[] = {
#endif
};
#include "nssutil.h"
#include "ssl.h"
char *
SECU_GetString(int16 error_number)
{
static char errString[80];
sprintf(errString, "Unknown error string (%d)", error_number);
return errString;
}
void
SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...)
@ -1515,6 +1509,70 @@ const SEC_ASN1Template secuPBEV2Params[] =
{ 0 }
};
void
secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
{
PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
SECStatus rv;
SECKEYRSAPSSParams param;
SECAlgorithmID maskHashAlg;
if (m) {
SECU_Indent(out, level);
fprintf (out, "%s:\n", m);
}
if (!pool) {
SECU_Indent(out, level);
fprintf(out, "Out of memory\n");
return;
}
PORT_Memset(&param, 0, sizeof param);
rv = SEC_QuickDERDecodeItem(pool, &param,
SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate),
value);
if (rv == SECSuccess) {
if (!param.hashAlg) {
SECU_Indent(out, level+1);
fprintf(out, "Hash algorithm: default, SHA-1\n");
} else {
SECU_PrintObjectID(out, &param.hashAlg->algorithm,
"Hash algorithm", level+1);
}
if (!param.maskAlg) {
SECU_Indent(out, level+1);
fprintf(out, "Mask algorithm: default, MGF1\n");
SECU_Indent(out, level+1);
fprintf(out, "Mask hash algorithm: default, SHA-1\n");
} else {
SECU_PrintObjectID(out, &param.maskAlg->algorithm,
"Mask algorithm", level+1);
rv = SEC_QuickDERDecodeItem(pool, &maskHashAlg,
SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
&param.maskAlg->parameters);
if (rv == SECSuccess) {
SECU_PrintObjectID(out, &maskHashAlg.algorithm,
"Mask hash algorithm", level+1);
} else {
SECU_Indent(out, level+1);
fprintf(out, "Invalid mask generation algorithm parameters\n");
}
}
if (!param.saltLength.data) {
SECU_Indent(out, level+1);
fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20);
} else {
SECU_PrintInteger(out, &param.saltLength, "Salt Length", level+1);
}
} else {
SECU_Indent(out, level+1);
fprintf(out, "Invalid RSA-PSS parameters\n");
}
PORT_FreeArena(pool, PR_FALSE);
}
void
secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level)
{
@ -1625,7 +1683,11 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level)
}
return;
}
if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level+1);
return;
}
if (a->parameters.len == 0
|| (a->parameters.len == 2
@ -2384,7 +2446,7 @@ printflags(char *trusts, unsigned int flags)
if (!(flags & CERTDB_TRUSTED_CA) &&
!(flags & CERTDB_TRUSTED_CLIENT_CA))
PORT_Strcat(trusts, "c");
if (flags & CERTDB_VALID_PEER)
if (flags & CERTDB_TERMINAL_RECORD)
if (!(flags & CERTDB_TRUSTED))
PORT_Strcat(trusts, "p");
if (flags & CERTDB_TRUSTED_CA)
@ -3209,8 +3271,8 @@ SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, int level)
void
printFlags(FILE *out, unsigned int flags, int level)
{
if ( flags & CERTDB_VALID_PEER ) {
SECU_Indent(out, level); fprintf(out, "Valid Peer\n");
if ( flags & CERTDB_TERMINAL_RECORD ) {
SECU_Indent(out, level); fprintf(out, "Terminal Record\n");
}
if ( flags & CERTDB_TRUSTED ) {
SECU_Indent(out, level); fprintf(out, "Trusted\n");
@ -3250,6 +3312,29 @@ SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level)
printFlags(out, trust->objectSigningFlags, level+2);
}
int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level)
{
PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
CERTName *name;
int rv = SEC_ERROR_NO_MEMORY;
if (!arena)
return rv;
name = PORT_ArenaZNew(arena, CERTName);
if (!name)
goto loser;
rv = SEC_ASN1DecodeItem(arena, name, SEC_ASN1_GET(CERT_NameTemplate), der);
if (rv)
goto loser;
SECU_PrintName(out, name, m, level);
loser:
PORT_FreeArena(arena, PR_FALSE);
return rv;
}
int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m,
int level, SECU_PPFunc inner)
{
@ -3281,7 +3366,6 @@ int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m,
loser:
PORT_FreeArena(arena, PR_FALSE);
return rv;
}
SECStatus
@ -3511,123 +3595,6 @@ SECU_GetOptionArg(const secuCommand *cmd, int optionNum)
return NULL;
}
static char SECUErrorBuf[64];
char *
SECU_ErrorStringRaw(int16 err)
{
if (err == 0)
SECUErrorBuf[0] = '\0';
else if (err == SEC_ERROR_BAD_DATA)
sprintf(SECUErrorBuf, "Bad data");
else if (err == SEC_ERROR_BAD_DATABASE)
sprintf(SECUErrorBuf, "Problem with database");
else if (err == SEC_ERROR_BAD_DER)
sprintf(SECUErrorBuf, "Problem with DER");
else if (err == SEC_ERROR_BAD_KEY)
sprintf(SECUErrorBuf, "Problem with key");
else if (err == SEC_ERROR_BAD_PASSWORD)
sprintf(SECUErrorBuf, "Incorrect password");
else if (err == SEC_ERROR_BAD_SIGNATURE)
sprintf(SECUErrorBuf, "Bad signature");
else if (err == SEC_ERROR_EXPIRED_CERTIFICATE)
sprintf(SECUErrorBuf, "Expired certificate");
else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID)
sprintf(SECUErrorBuf, "Invalid extension value");
else if (err == SEC_ERROR_INPUT_LEN)
sprintf(SECUErrorBuf, "Problem with input length");
else if (err == SEC_ERROR_INVALID_ALGORITHM)
sprintf(SECUErrorBuf, "Invalid algorithm");
else if (err == SEC_ERROR_INVALID_ARGS)
sprintf(SECUErrorBuf, "Invalid arguments");
else if (err == SEC_ERROR_INVALID_AVA)
sprintf(SECUErrorBuf, "Invalid AVA");
else if (err == SEC_ERROR_INVALID_TIME)
sprintf(SECUErrorBuf, "Invalid time");
else if (err == SEC_ERROR_IO)
sprintf(SECUErrorBuf, "Security I/O error");
else if (err == SEC_ERROR_LIBRARY_FAILURE)
sprintf(SECUErrorBuf, "Library failure");
else if (err == SEC_ERROR_NO_MEMORY)
sprintf(SECUErrorBuf, "Out of memory");
else if (err == SEC_ERROR_OLD_CRL)
sprintf(SECUErrorBuf, "CRL is older than the current one");
else if (err == SEC_ERROR_OUTPUT_LEN)
sprintf(SECUErrorBuf, "Problem with output length");
else if (err == SEC_ERROR_UNKNOWN_ISSUER)
sprintf(SECUErrorBuf, "Unknown issuer");
else if (err == SEC_ERROR_UNTRUSTED_CERT)
sprintf(SECUErrorBuf, "Untrusted certificate");
else if (err == SEC_ERROR_UNTRUSTED_ISSUER)
sprintf(SECUErrorBuf, "Untrusted issuer");
else if (err == SSL_ERROR_BAD_CERTIFICATE)
sprintf(SECUErrorBuf, "Bad certificate");
else if (err == SSL_ERROR_BAD_CLIENT)
sprintf(SECUErrorBuf, "Bad client");
else if (err == SSL_ERROR_BAD_SERVER)
sprintf(SECUErrorBuf, "Bad server");
else if (err == SSL_ERROR_EXPORT_ONLY_SERVER)
sprintf(SECUErrorBuf, "Export only server");
else if (err == SSL_ERROR_NO_CERTIFICATE)
sprintf(SECUErrorBuf, "No certificate");
else if (err == SSL_ERROR_NO_CYPHER_OVERLAP)
sprintf(SECUErrorBuf, "No cypher overlap");
else if (err == SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE)
sprintf(SECUErrorBuf, "Unsupported certificate type");
else if (err == SSL_ERROR_UNSUPPORTED_VERSION)
sprintf(SECUErrorBuf, "Unsupported version");
else if (err == SSL_ERROR_US_ONLY_SERVER)
sprintf(SECUErrorBuf, "U.S. only server");
else if (err == PR_IO_ERROR)
sprintf(SECUErrorBuf, "I/O error");
else if (err == SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE)
sprintf (SECUErrorBuf, "Expired Issuer Certificate");
else if (err == SEC_ERROR_REVOKED_CERTIFICATE)
sprintf (SECUErrorBuf, "Revoked certificate");
else if (err == SEC_ERROR_NO_KEY)
sprintf (SECUErrorBuf, "No private key in database for this cert");
else if (err == SEC_ERROR_CERT_NOT_VALID)
sprintf (SECUErrorBuf, "Certificate is not valid");
else if (err == SEC_ERROR_EXTENSION_NOT_FOUND)
sprintf (SECUErrorBuf, "Certificate extension was not found");
else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID)
sprintf (SECUErrorBuf, "Certificate extension value invalid");
else if (err == SEC_ERROR_CA_CERT_INVALID)
sprintf (SECUErrorBuf, "Issuer certificate is invalid");
else if (err == SEC_ERROR_CERT_USAGES_INVALID)
sprintf (SECUErrorBuf, "Certificate usages is invalid");
else if (err == SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION)
sprintf (SECUErrorBuf, "Certificate has unknown critical extension");
else if (err == SEC_ERROR_PKCS7_BAD_SIGNATURE)
sprintf (SECUErrorBuf, "Bad PKCS7 signature");
else if (err == SEC_ERROR_INADEQUATE_KEY_USAGE)
sprintf (SECUErrorBuf, "Certificate not approved for this operation");
else if (err == SEC_ERROR_INADEQUATE_CERT_TYPE)
sprintf (SECUErrorBuf, "Certificate not approved for this operation");
return SECUErrorBuf;
}
char *
SECU_ErrorString(int16 err)
{
char *error_string;
*SECUErrorBuf = 0;
SECU_ErrorStringRaw (err);
if (*SECUErrorBuf == 0) {
error_string = SECU_GetString(err);
if (error_string == NULL || *error_string == '\0')
sprintf(SECUErrorBuf, "No error string found for %d.", err);
else
return error_string;
}
return SECUErrorBuf;
}
void
SECU_PrintPRandOSError(char *progName)

10
security/nss/cmd/lib/secutil.h
View File

@ -52,6 +52,7 @@
#define SEC_CT_CERTIFICATE_REQUEST "certificate-request"
#define SEC_CT_PKCS7 "pkcs7"
#define SEC_CT_CRL "crl"
#define SEC_CT_NAME "name"
#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
@ -259,6 +260,9 @@ extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
/* Dump contents of certificate */
extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);
/* Dump contents of a DER certificate name (issuer or subject) */
extern int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level);
/* print trust flags on a cert */
extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m,
int level);
@ -442,12 +446,6 @@ SECU_GetOptionArg(const secuCommand *cmd, int optionNum);
*
*/
/* Return informative error string */
char *SECU_ErrorString(int16 err);
/* Return informative error string. Does not call XP_GetString */
char *SECU_ErrorStringRaw(int16 err);
void printflags(char *trusts, unsigned int flags);
#if !defined(XP_UNIX) && !defined(XP_OS2)

1
security/nss/cmd/manifest.mn
View File

@ -48,6 +48,7 @@ DIRS = lib \
certcgi \
certutil \
checkcert \
chktest \
crlutil \
crmftest \
dbtest \

9
security/nss/cmd/modutil/install.c
View File

@ -36,6 +36,7 @@
#include "install.h"
#include "install-ds.h"
#include <prerror.h>
#include <prlock.h>
#include <prio.h>
#include <prmem.h>
@ -61,7 +62,7 @@ extern /*"C"*/
short Pk11Install_UserVerifyJar(JAR *jar, PRFileDesc *out,
PRBool query);
extern /*"C"*/
const char* mySECU_ErrorString(int16);
const char* mySECU_ErrorString(PRErrorCode errnum);
extern
int Pk11Install_yyparse();
@ -418,7 +419,7 @@ Pk11Install_DoInstall(char *jarFile, const char *installDir,
error(PK11_INSTALL_JAR_ERROR, jarFile, JAR_get_error(status));
} else {
error(PK11_INSTALL_JAR_ERROR, jarFile,
mySECU_ErrorString((int16) PORT_GetError()) );
mySECU_ErrorString(PORT_GetError()));
}
ret=PK11_INSTALL_JAR_ERROR;
goto loser;
@ -470,7 +471,7 @@ Pk11Install_DoInstall(char *jarFile, const char *installDir,
error(PK11_INSTALL_JAR_EXTRACT, installer, JAR_get_error(status));
} else {
error(PK11_INSTALL_JAR_EXTRACT, installer,
mySECU_ErrorString((int16) PORT_GetError()) );
mySECU_ErrorString(PORT_GetError()));
}
ret = PK11_INSTALL_JAR_EXTRACT;
goto loser;
@ -692,7 +693,7 @@ DoInstall(JAR *jar, const char *installDir, const char *tempDir,
JAR_get_error(status));
} else {
error(PK11_INSTALL_JAR_EXTRACT, file->jarPath,
mySECU_ErrorString((int16) PORT_GetError()) );
mySECU_ErrorString(PORT_GetError()));
}
ret=PK11_INSTALL_JAR_EXTRACT;
goto loser;

3
security/nss/cmd/modutil/instsec.c
View File

@ -35,6 +35,7 @@
* ***** END LICENSE BLOCK ***** */
#include <plarena.h>
#include <prerror.h>
#include <prio.h>
#include <prprf.h>
#include <seccomon.h>
@ -175,7 +176,7 @@ PR_fgets(char *buf, int size, PRFileDesc *file)
* m y S E C U _ E r r o r S t r i n g
*
*/
const char* mySECU_ErrorString(int16 errnum)
const char* mySECU_ErrorString(PRErrorCode errnum)
{
return SECU_Strerror(errnum);
}

5
security/nss/cmd/pk11mode/pk11mode.c
View File

@ -883,18 +883,21 @@ CK_RV PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunctionList,
mech_str digestMechs[] = {
{CKM_SHA_1, "CKM_SHA_1 "},
{CKM_SHA224, "CKM_SHA224"},
{CKM_SHA256, "CKM_SHA256"},
{CKM_SHA384, "CKM_SHA384"},
{CKM_SHA512, "CKM_SHA512"}
};
mech_str hmacMechs[] = {
{CKM_SHA_1_HMAC, "CKM_SHA_1_HMAC"},
{CKM_SHA224_HMAC, "CKM_SHA224_HMAC"},
{CKM_SHA256_HMAC, "CKM_SHA256_HMAC"},
{CKM_SHA384_HMAC, "CKM_SHA384_HMAC"},
{CKM_SHA512_HMAC, "CKM_SHA512_HMAC"}
};
mech_str sigRSAMechs[] = {
{CKM_SHA1_RSA_PKCS, "CKM_SHA1_RSA_PKCS"},
{CKM_SHA224_RSA_PKCS, "CKM_SHA224_RSA_PKCS"},
{CKM_SHA256_RSA_PKCS, "CKM_SHA256_RSA_PKCS"},
{CKM_SHA384_RSA_PKCS, "CKM_SHA384_RSA_PKCS"},
{CKM_SHA512_RSA_PKCS, "CKM_SHA512_RSA_PKCS"}
@ -5123,7 +5126,7 @@ CK_RV PKM_Digest(CK_FUNCTION_LIST_PTR pFunctionList,
CK_BYTE digest2[MAX_DIGEST_SZ];
CK_ULONG digest2Len = 0;
/* Tested with CKM_SHA_1, CKM_SHA256, CKM_SHA384, CKM_SHA512 */
/* Tested with CKM_SHA_1, CKM_SHA224, CKM_SHA256, CKM_SHA384, CKM_SHA512 */
memset(digest1, 0, sizeof(digest1));
memset(digest2, 0, sizeof(digest2));

6
security/nss/cmd/pk12util/pk12util.c
View File

@ -560,17 +560,17 @@ loser:
static void
p12u_DoPKCS12ExportErrors()
{
int error_value;
PRErrorCode error_value;
error_value = PORT_GetError();
if ((error_value == SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY) ||
(error_value == SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME) ||
(error_value == SEC_ERROR_PKCS12_UNABLE_TO_WRITE)) {
fputs(SECU_ErrorStringRaw((int16)error_value), stderr);
fputs(SECU_Strerror(error_value), stderr);
} else if(error_value == SEC_ERROR_USER_CANCELLED) {
;
} else {
fputs(SECU_ErrorStringRaw(SEC_ERROR_EXPORTING_CERTIFICATES), stderr);
fputs(SECU_Strerror(SEC_ERROR_EXPORTING_CERTIFICATES), stderr);
}
}

7
security/nss/cmd/pp/pp.c
View File

@ -38,7 +38,7 @@
* Pretty-print some well-known BER or DER encoded data (e.g. certificates,
* keys, pkcs7)
*
* $Id: pp.c,v 1.9 2007/09/25 03:46:23 nelson%bolyard.com Exp $
* $Id: pp.c,v 1.10 2010/09/03 19:25:02 nelson%bolyard.com Exp $
*/
#include "secutil.h"
@ -62,7 +62,8 @@ static void Usage(char *progName)
"-t type", SEC_CT_PRIVATE_KEY);
fprintf(stderr, "%-20s %s, %s, %s,\n", "", SEC_CT_PUBLIC_KEY,
SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST);
fprintf(stderr, "%-20s %s or %s)\n", "", SEC_CT_PKCS7, SEC_CT_CRL);
fprintf(stderr, "%-20s %s, %s or %s)\n", "", SEC_CT_PKCS7, SEC_CT_CRL,
SEC_CT_NAME);
fprintf(stderr, "%-20s Input is in ascii encoded form (RFC1113)\n",
"-a");
fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
@ -166,6 +167,8 @@ int main(int argc, char **argv)
} else if (PORT_Strcmp(typeTag, SEC_CT_PKCS7) == 0) {
rv = SECU_PrintPKCS7ContentInfo(outFile, &data,
"PKCS #7 Content Info", 0);
} else if (PORT_Strcmp(typeTag, SEC_CT_NAME) == 0) {
rv = SECU_PrintDERName(outFile, &data, "Name", 0);
} else {
fprintf(stderr, "%s: don't know how to print out '%s' files\n",
progName, typeTag);

80
security/nss/cmd/ppcertdata/Makefile Normal file
View File

@ -0,0 +1,80 @@
#! gmake
#
# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
#
# The contents of this file are subject to the Mozilla Public License Version
# 1.1 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# License.
#
# The Original Code is the Netscape security libraries.
#
# The Initial Developer of the Original Code is
# Netscape Communications Corporation.
# Portions created by the Initial Developer are Copyright (C) 1994-2010
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
# in which case the provisions of the GPL or the LGPL are applicable instead
# of those above. If you wish to allow use of your version of this file only
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
#######################################################################
# (1) Include initial platform-independent assignments (MANDATORY). #
#######################################################################
include manifest.mn
#######################################################################
# (2) Include "global" configuration information. (OPTIONAL) #
#######################################################################
include $(CORE_DEPTH)/coreconf/config.mk
#######################################################################
# (3) Include "component" configuration information. (OPTIONAL) #
#######################################################################
#######################################################################
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
#######################################################################
include ../platlibs.mk
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #
#######################################################################
include $(CORE_DEPTH)/coreconf/rules.mk
#######################################################################
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
#######################################################################
include ../platrules.mk

55
security/nss/cmd/ppcertdata/manifest.mn Normal file
View File

@ -0,0 +1,55 @@
#
# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
#
# The contents of this file are subject to the Mozilla Public License Version
# 1.1 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# License.
#
# The Original Code is the Netscape security libraries.
#
# The Initial Developer of the Original Code is
# Netscape Communications Corporation.
# Portions created by the Initial Developer are Copyright (C) 1994-2010
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
# Nelson Bolyard <nelson@bolyard.me>
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
# in which case the provisions of the GPL or the LGPL are applicable instead
# of those above. If you wish to allow use of your version of this file only
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
CORE_DEPTH = ../../..
# MODULE public and private header directories are implicitly REQUIRED.
MODULE = nss
# This next line is used by .mk files
# and gets translated into $LINCS in manifest.mnw
# The MODULE is always implicitly required.
# Listing it here in REQUIRES makes it appear twice in the cc command line.
REQUIRES = seccmd
#DEFINES = -DNSPR20
CSRCS = ppcertdata.c
PROGRAM = ppcertdata

132
security/nss/cmd/ppcertdata/ppcertdata.c Normal file
View File

@ -0,0 +1,132 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the CertData.txt review helper program.
*
* The Initial Developer of the Original Code is
* Nelson Bolyard
* Portions created by the Initial Developer are Copyright (C) 2009-2010
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdlib.h>
#include "secutil.h"
#include "nss.h"
unsigned char binary_line[64 * 1024];
int
main(int argc, const char ** argv)
{
int skip_count = 0;
int bytes_read;
char line[133];
if (argc > 1) {
skip_count = atoi(argv[1]);
}
if (argc > 2 || skip_count < 0) {
printf("Usage: %s [ skip_columns ] \n", argv[0]);
return 1;
}
NSS_NoDB_Init(NULL);
while (fgets(line, 132, stdin) && (bytes_read = strlen(line)) > 0 ) {
int bytes_written;
char * found;
char * in = line + skip_count;
int left = bytes_read - skip_count;
int is_cert;
int is_serial;
int is_name;
int is_hash;
int use_pp = 0;
int out = 0;
SECItem der = {siBuffer, NULL, 0 };
line[bytes_read] = 0;
if (bytes_read <= skip_count)
continue;
fwrite(in, 1, left, stdout);
found = strstr(in, "MULTILINE_OCTAL");
if (!found)
continue;
fflush(stdout);
is_cert = (NULL != strstr(in, "CKA_VALUE"));
is_serial = (NULL != strstr(in, "CKA_SERIAL_NUMBER"));
is_name = (NULL != strstr(in, "CKA_ISSUER")) ||
(NULL != strstr(in, "CKA_SUBJECT"));
is_hash = (NULL != strstr(in, "_HASH"));
while (fgets(line, 132, stdin) &&
(bytes_read = strlen(line)) > 0 ) {
in = line + skip_count;
left = bytes_read - skip_count;
if ((left >= 3) && !strncmp(in, "END", 3))
break;
while (left >= 4) {
if (in[0] == '\\' && isdigit(in[1]) &&
isdigit(in[2]) && isdigit(in[3])) {
left -= 4;
binary_line[out++] = ((in[1] - '0') << 6) |
((in[2] - '0') << 3) |
(in[3] - '0');
in += 4;
} else
break;
}
}
der.data = binary_line;
der.len = out;
if (is_cert)
SECU_PrintSignedData(stdout, &der, "Certificate", 0,
SECU_PrintCertificate);
else if (is_name)
SECU_PrintDERName(stdout, &der, "Name", 0);
else if (is_serial) {
if (out > 2 && binary_line[0] == 2 &&
out == 2 + binary_line[1]) {
der.data += 2;
der.len -= 2;
SECU_PrintInteger(stdout, &der, "DER Serial Number", 0);
} else
SECU_PrintInteger(stdout, &der, "Raw Serial Number", 0);
} else if (is_hash)
SECU_PrintAsHex(stdout, &der, "Hash", 0);
else
SECU_PrintBuf(stdout, "Other", binary_line, out);
}
NSS_Shutdown();
return 0;
}

8
security/nss/cmd/selfserv/selfserv.c
View File

@ -1491,18 +1491,14 @@ getBoundListenSocket(unsigned short port)
PRStatus prStatus;
PRNetAddr addr;
PRSocketOptionData opt;
PRUint16 socketDomain = PR_AF_INET;
addr.inet.family = PR_AF_INET;
addr.inet.ip = PR_INADDR_ANY;
addr.inet.port = PR_htons(port);
if (PR_GetEnv("NSS_USE_SDP")) {
socketDomain = PR_AF_INET_SDP;
}
listen_sock = PR_OpenTCPSocket(socketDomain);
listen_sock = PR_NewTCPSocket();
if (listen_sock == NULL) {
errExit("PR_OpenTCPSocket error");
errExit("PR_NewTCPSocket");
}
opt.option = PR_SockOpt_Nonblocking;

3
security/nss/cmd/shlibsign/manifest.mn
View File

@ -46,9 +46,6 @@ CSRCS = \
shlibsign.c \
$(NULL)
# headers for the MODULE (defined above) are implicitly required.
REQUIRES = dbm seccmd
# WINNT uses EXTRA_LIBS as the list of libs to link in.
# Unix uses OS_LIBS for that purpose.
# We can solve this via conditional makefile code, but

2
security/nss/cmd/shlibsign/shlibsign.c
View File

@ -46,7 +46,7 @@
* compute the checksum for the NSS cryptographic boundary libraries
* and compare the checksum with the value in .chk file.
*
* $Id: shlibsign.c,v 1.18.20.1 2011/04/08 04:04:27 wtc%google.com Exp $
* $Id: shlibsign.c,v 1.19 2011/04/08 04:02:53 wtc%google.com Exp $
*/
#ifdef XP_UNIX

2
security/nss/cmd/signtool/sign.c
View File

@ -306,7 +306,7 @@ create_pk7 (char *dir, char *keyName, int *keyType)
if (status) {
PR_fprintf(errorFD, "%s: PROBLEM signing data (%s)\n",
PROGRAM_NAME, SECU_ErrorString ((int16) PORT_GetError()));
PROGRAM_NAME, SECU_Strerror(PORT_GetError()));
errorCount++;
return - 1;
}

2
security/nss/cmd/signtool/util.c
View File

@ -50,7 +50,7 @@ long *mozilla_event_queue = 0;
#ifndef XP_WIN
char *XP_GetString (int i)
{
return SECU_ErrorStringRaw ((int16) i);
return SECU_Strerror (i);
}
#endif

4
security/nss/cmd/signtool/verify.c
View File

@ -84,7 +84,7 @@ VerifyJar(char *filename)
if (status >= JAR_BASE && status <= JAR_BASE_END) {
errtext = JAR_get_error (status);
} else {
errtext = SECU_ErrorString ((int16) PORT_GetError());
errtext = SECU_Strerror(PORT_GetError());
}
PR_fprintf(outputFD, " (reported reason: %s)\n\n",
@ -315,7 +315,7 @@ JarWho(char *filename)
if (status >= JAR_BASE && status <= JAR_BASE_END) {
errtext = JAR_get_error (status);
} else {
errtext = SECU_ErrorString ((int16) PORT_GetError());
errtext = SECU_Strerror(PORT_GetError());
}
PR_fprintf(outputFD, " (reported reason: %s)\n\n", errtext);

2
security/nss/cmd/signver/signver.c
View File

@ -320,7 +320,7 @@ int main(int argc, char **argv)
fprintf(outFile, "no");
if (verbose) {
fprintf(outFile, ":%s",
SECU_ErrorString((int16)PORT_GetError()));
SECU_Strerror(PORT_GetError()));
}
}
fprintf(outFile, "\n");

40
security/nss/cmd/strsclnt/strsclnt.c
View File

@ -280,7 +280,7 @@ mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
static SECStatus
myBadCertHandler( void *arg, PRFileDesc *fd)
{
int err = PR_GetError();
PRErrorCode err = PR_GetError();
if (!MakeCertOK)
fprintf(stderr,
"strsclnt: -- SSL: Server Certificate Invalid, err %d.\n%s\n",
@ -360,7 +360,7 @@ printSecurityInfo(PRFileDesc *fd)
#define MAX_THREADS 128
typedef int startFn(void *a, void *b, int c, int d);
typedef int startFn(void *a, void *b, int c);
static PRInt32 numConnected;
@ -374,7 +374,6 @@ typedef struct perThreadStr {
startFn * startFunc;
PRThread * prThread;
PRBool inUse;
PRInt32 socketDomain;
} perThread;
perThread threads[MAX_THREADS];
@ -430,8 +429,7 @@ thread_wrapper(void * arg)
}
PR_Unlock(threadLock);
if (doop) {
slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->tid,
slot->socketDomain);
slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->tid);
PRINTF("strsclnt: Thread in slot %d returned %d\n",
slot->tid, slot->rv);
}
@ -446,8 +444,7 @@ launch_thread(
startFn * startFunc,
void * a,
void * b,
int tid,
int sockDom)
int tid)
{
PRUint32 i;
perThread * slot;
@ -465,8 +462,7 @@ launch_thread(
slot->a = a;
slot->b = b;
slot->tid = tid;
slot->socketDomain = sockDom;
slot->startFunc = startFunc;
slot->prThread = PR_CreateThread(PR_USER_THREAD,
@ -589,8 +585,7 @@ int
do_writes(
void * a,
void * b,
int c,
int d)
int c)
{
PRFileDesc * ssl_sock = (PRFileDesc *)a;
lockedVars * lv = (lockedVars *)b;
@ -632,7 +627,7 @@ handle_fdx_connection( PRFileDesc * ssl_sock, int connection)
lockedVars_AddToCount(&lv, 1);
/* Attempt to launch the writer thread. */
result = launch_thread(do_writes, ssl_sock, &lv, connection, -1 /*not used*/);
result = launch_thread(do_writes, ssl_sock, &lv, connection);
if (result != SECSuccess)
goto cleanup;
@ -751,8 +746,7 @@ int
do_connects(
void * a,
void * b,
int tid,
PRInt32 socketDomain)
int tid)
{
PRNetAddr * addr = (PRNetAddr *) a;
PRFileDesc * model_sock = (PRFileDesc *) b;
@ -766,7 +760,7 @@ do_connects(
retry:
tcp_sock = PR_OpenTCPSocket(socketDomain);
tcp_sock = PR_OpenTCPSocket(addr->raw.family);
if (tcp_sock == NULL) {
errExit("PR_OpenTCPSocket");
}
@ -1094,7 +1088,6 @@ client_main(
int rv;
PRStatus status;
PRNetAddr addr;
PRInt32 socketDomain;
status = PR_StringToNetAddr(hostName, &addr);
if (status == PR_SUCCESS) {
@ -1122,13 +1115,6 @@ client_main(
}
}
/* check if SDP is going to be used */
if (!PR_GetEnv("NSS_USE_SDP")) {
socketDomain = addr.raw.family;
} else {
socketDomain = PR_AF_INET_SDP;
}
/* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */
NSS_SetDomesticPolicy();
@ -1185,8 +1171,8 @@ client_main(
}
/* configure model SSL socket. */
model_sock = PR_OpenTCPSocket(socketDomain);
model_sock = PR_OpenTCPSocket(addr.raw.family);
if (model_sock == NULL) {
errExit("PR_OpenTCPSocket for model socket");
}
@ -1290,7 +1276,7 @@ client_main(
if (!NoReuse) {
remaining_connections = 1;
rv = launch_thread(do_connects, &addr, model_sock, 0, socketDomain);
rv = launch_thread(do_connects, &addr, model_sock, 0);
/* wait for the first connection to terminate, then launch the rest. */
reap_threads();
remaining_connections = total_connections - 1 ;
@ -1299,7 +1285,7 @@ client_main(
active_threads = PR_MIN(active_threads, remaining_connections);
/* Start up the threads */
for (i=0;i<active_threads;i++) {
rv = launch_thread(do_connects, &addr, model_sock, i, socketDomain);
rv = launch_thread(do_connects, &addr, model_sock, i);
}
reap_threads();
}

2
security/nss/cmd/symkeyutil/symkey.man
View File

@ -27,7 +27,7 @@ DESCRIPTION
Exceptions to these catagories are listed first:
-H takes no additional options. It lists a more detailed help message.
-L takes the standard set of options. It lists all the keys in a the
-L takes the standard set of options. It lists all the keys in the
specified token (NSS Internal DB Token is the default). Only the
-L option accepts the all option for tokens to list all the fixed
keys.

93
security/nss/cmd/tests/encodeinttest.c Normal file
View File

@ -0,0 +1,93 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 2011
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#include <stdio.h>
#include "secasn1.h"
struct TestCase {
long value;
unsigned char data[5];
unsigned int len;
};
static struct TestCase testCase[] = {
/* XXX NSS doesn't generate the shortest encoding for negative values. */
#if 0
{ -128, { 0x80 }, 1 },
{ -129, { 0xFF, 0x7F }, 2 },
#endif
{ 0, { 0x00 }, 1 },
{ 127, { 0x7F }, 1 },
{ 128, { 0x00, 0x80 }, 2 },
{ 256, { 0x01, 0x00 }, 2 },
{ 32768, { 0x00, 0x80, 0x00 }, 3 }
};
int main()
{
PRBool failed = PR_FALSE;
unsigned int i;
unsigned int j;
for (i = 0; i < sizeof(testCase)/sizeof(testCase[0]); i++) {
SECItem encoded;
if (SEC_ASN1EncodeInteger(NULL, &encoded, testCase[i].value) == NULL) {
fprintf(stderr, "SEC_ASN1EncodeInteger failed\n");
failed = PR_TRUE;
continue;
}
if (encoded.len != testCase[i].len ||
memcmp(encoded.data, testCase[i].data, encoded.len) != 0) {
fprintf(stderr, "Encoding of %ld is incorrect:",
testCase[i].value);
for (j = 0; j < encoded.len; j++) {
fprintf(stderr, " 0x%02X", (unsigned int)encoded.data[j]);
}
fputs("\n", stderr);
failed = PR_TRUE;
}
PORT_Free(encoded.data);
}
if (failed) {
fprintf(stderr, "FAIL\n");
return 1;
}
printf("PASS\n");
return 0;
}

1
security/nss/cmd/tests/manifest.mn
View File

@ -44,6 +44,7 @@ CSRCS = \
baddbdir.c \
conflict.c \
dertimetest.c \
encodeinttest.c \
nonspr10.c \
remtest.c \
$(NULL)

11
security/nss/cmd/tstclnt/tstclnt.c
View File

@ -538,7 +538,6 @@ int main(int argc, char **argv)
PLOptState *optstate;
PLOptStatus optstatus;
PRStatus prStatus;
PRUint16 socketDomain;
progName = strrchr(argv[0], '/');
if (!progName)
@ -700,17 +699,11 @@ int main(int argc, char **argv)
printHostNameAndAddr(host, &addr);
/* check if SDP is going to be used */
if (!PR_GetEnv("NSS_USE_SDP")) {
socketDomain = addr.raw.family;
} else {
socketDomain = PR_AF_INET_SDP;
}
if (pingServerFirst) {
int iter = 0;
PRErrorCode err;
do {
s = PR_OpenTCPSocket(socketDomain);
s = PR_OpenTCPSocket(addr.raw.family);
if (s == NULL) {
SECU_PrintError(progName, "Failed to create a TCP socket");
}
@ -748,7 +741,7 @@ int main(int argc, char **argv)
}
/* Create socket */
s = PR_OpenTCPSocket(socketDomain);
s = PR_OpenTCPSocket(addr.raw.family);
if (s == NULL) {
SECU_PrintError(progName, "error creating socket");
return 1;

18
security/nss/cmd/vfychain/vfychain.c
View File

@ -129,11 +129,8 @@ Usage(const char *progName)
void
errWarn(char *function)
{
PRErrorCode errorNumber = PR_GetError();
const char * errorString = SECU_Strerror(errorNumber);
fprintf(stderr, "Error in function %s: %d\n - %s\n",
function, errorNumber, errorString);
fprintf(stderr, "Error in function %s: %s\n",
function, SECU_Strerror(PR_GetError()));
}
void
@ -210,7 +207,7 @@ getCert(const char *name, PRBool isAscii, const char * progName)
* open a file with such name and get the cert from there.*/
fd = PR_Open(name, PR_RDONLY, 0777);
if (!fd) {
PRIntn err = PR_GetError();
PRErrorCode err = PR_GetError();
fprintf(stderr, "open of %s failed, %d = %s\n",
name, err, SECU_Strerror(err));
return cert;
@ -233,7 +230,7 @@ getCert(const char *name, PRBool isAscii, const char * progName)
PR_FALSE /* isPerm */,
PR_TRUE /* copyDER */);
if (!cert) {
PRIntn err = PR_GetError();
PRErrorCode err = PR_GetError();
fprintf(stderr, "couldn't import %s, %d = %s\n",
name, err, SECU_Strerror(err));
}
@ -538,12 +535,12 @@ breakout:
if (usePkix < 2) {
if (oidStr) {
fprintf(stderr, "Policy oid(-o) can be used only with"
" CERT_PKIXVerifyChain(-pp) function.\n");
" CERT_PKIXVerifyCert(-pp) function.\n");
Usage(progName);
}
if (trusted) {
fprintf(stderr, "Cert trust flag can be used only with"
" CERT_PKIXVerifyChain(-pp) function.\n");
" CERT_PKIXVerifyCert(-pp) function.\n");
Usage(progName);
}
}
@ -586,7 +583,7 @@ breakout:
case 0 : /* positional parameter */
if (usePkix < 2 && trusted) {
fprintf(stderr, "Cert trust flag can be used only with"
" CERT_PKIXVerifyChain(-pp) function.\n");
" CERT_PKIXVerifyCert(-pp) function.\n");
Usage(progName);
}
cert = getCert(optstate->value, isAscii, progName);
@ -788,6 +785,7 @@ punt:
if (pwdata.data) {
PORT_Free(pwdata.data);
}
PL_ArenaFinish();
PR_Cleanup();
return rv;
}

15
security/nss/lib/certdb/alg1485.c
View File

@ -103,12 +103,19 @@ static const NameToKind name2kinds[] = {
/* legacy keywords */
{ "E", 128, SEC_OID_PKCS9_EMAIL_ADDRESS,SEC_ASN1_IA5_STRING},
#if 0 /* removed. Not yet in any IETF draft or RFC. */
{ "STREET", 128, SEC_OID_AVA_STREET_ADDRESS, SEC_ASN1_DS},
{ "pseudonym", 64, SEC_OID_AVA_PSEUDONYM, SEC_ASN1_DS},
#endif
{ 0, 256, SEC_OID_UNKNOWN , 0},
/* values defined by the CAB Forum for EV */
{ "incorporationLocality", 128, SEC_OID_EV_INCORPORATION_LOCALITY,
SEC_ASN1_DS},
{ "incorporationState", 128, SEC_OID_EV_INCORPORATION_STATE,
SEC_ASN1_DS},
{ "incorporationCountry", 2, SEC_OID_EV_INCORPORATION_COUNTRY,
SEC_ASN1_PRINTABLE_STRING},
{ "businessCategory", 64, SEC_OID_BUSINESS_CATEGORY, SEC_ASN1_DS},
{ 0, 256, SEC_OID_UNKNOWN, 0},
};
/* Table facilitates conversion of ASCII hex to binary. */

26
security/nss/lib/certdb/cert.h
View File

@ -37,7 +37,7 @@
/*
* cert.h - public data structures and prototypes for the certificate library
*
* $Id: cert.h,v 1.80.2.3 2011/04/08 22:54:34 kaie%kuix.de Exp $
* $Id: cert.h,v 1.86 2011/07/24 13:48:09 wtc%google.com Exp $
*/
#ifndef _CERT_H_
@ -297,13 +297,6 @@ CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,
*/
extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert);
/*
* used to get a public key with Key Material ID. Only used for fortezza V1
* certificates.
*/
extern SECKEYPublicKey *CERT_KMIDPublicKey(CERTCertificate *cert);
/*
** Retrieve the Key Type associated with the cert we're dealing with
*/
@ -450,12 +443,12 @@ extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert, const char *hostnam
extern CERTCertificate *
CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname);
/*
** Decode a DER encoded CRL/KRL into an CERTSignedCrl structure
** "derSignedCrl" is the DER encoded signed crl/krl.
** "type" is this a CRL or KRL.
** Decode a DER encoded CRL into a CERTSignedCrl structure
** "derSignedCrl" is the DER encoded signed CRL.
** "type" must be SEC_CRL_TYPE.
*/
#define SEC_CRL_TYPE 1
#define SEC_KRL_TYPE 0
#define SEC_KRL_TYPE 0 /* deprecated */
extern CERTSignedCrl *
CERT_DecodeDERCrl (PLArenaPool *arena, SECItem *derSignedCrl,int type);
@ -521,12 +514,6 @@ SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newcrl);
*/
SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* oldcrl);
/*
** Decode a certificate and put it into the temporary certificate database
*/
extern CERTCertificate *
CERT_DecodeCertificate (SECItem *derCert, char *nickname,PRBool copyDER);
/*
** Find a certificate in the database
** "key" is the database key to look for
@ -1306,9 +1293,6 @@ CERTGeneralName *
CERT_GetConstrainedCertificateNames(CERTCertificate *cert, PLArenaPool *arena,
PRBool includeSubjectCommonName);
char *
CERT_GetNickName(CERTCertificate *cert, CERTCertDBHandle *handle, PLArenaPool *nicknameArena);
/*
* Creates or adds to a list of all certs with a give subject name, sorted by
* validity time, newest first. Invalid certs are considered older than

353
security/nss/lib/certdb/certdb.c
View File

@ -39,7 +39,7 @@
/*
* Certificate handling code
*
* $Id: certdb.c,v 1.104.2.5 2011/08/05 01:16:27 wtc%google.com Exp $
* $Id: certdb.c,v 1.116 2011/08/05 01:13:14 wtc%google.com Exp $
*/
#include "nssilock.h"
@ -481,57 +481,6 @@ GetKeyUsage(CERTCertificate *cert)
}
/*
* determine if a fortezza V1 Cert is a CA or not.
*/
static PRBool
fortezzaIsCA( CERTCertificate *cert) {
PRBool isCA = PR_FALSE;
CERTSubjectPublicKeyInfo *spki = &cert->subjectPublicKeyInfo;
int tag;
tag = SECOID_GetAlgorithmTag(&spki->algorithm);
if ((tag == SEC_OID_MISSI_KEA_DSS_OLD) ||
(tag == SEC_OID_MISSI_KEA_DSS) ||
(tag == SEC_OID_MISSI_DSS_OLD) ||
(tag == SEC_OID_MISSI_DSS) ) {
SECItem rawkey;
unsigned char *rawptr;
unsigned char *end;
int len;
rawkey = spki->subjectPublicKey;
DER_ConvertBitString(&rawkey);
rawptr = rawkey.data;
end = rawkey.data + rawkey.len;
/* version */
rawptr += sizeof(((SECKEYPublicKey*)0)->u.fortezza.KMID)+2;
/* clearance (the string up to the first byte with the hi-bit on */
while ((rawptr < end) && (*rawptr++ & 0x80));
if (rawptr >= end) { return PR_FALSE; }
/* KEAPrivilege (the string up to the first byte with the hi-bit on */
while ((rawptr < end) && (*rawptr++ & 0x80));
if (rawptr >= end) { return PR_FALSE; }
/* skip the key */
len = (*rawptr << 8) | rawptr[1];
rawptr += 2 + len;
/* shared key */
if (rawptr >= end) { return PR_FALSE; }
/* DSS Version is next */
rawptr += 2;
/* DSSPrivilege (the string up to the first byte with the hi-bit on */
if (*rawptr & 0x30) isCA = PR_TRUE;
}
return isCA;
}
static SECStatus
findOIDinOIDSeqByTagNum(CERTOidSequence *seq, SECOidTag tagnum)
{
@ -703,12 +652,6 @@ cert_ComputeCertType(CERTCertificate *cert)
/* allow any ssl or email (no ca or object signing. */
nsCertType |= NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER |
NS_CERT_TYPE_EMAIL;
/* if the cert is a fortezza CA cert, then allow SSL CA and EMAIL CA */
if (fortezzaIsCA(cert)) {
nsCertType |= NS_CERT_TYPE_SSL_CA;
nsCertType |= NS_CERT_TYPE_EMAIL_CA;
}
}
if (encodedExtKeyUsage.data != NULL) {
@ -728,7 +671,6 @@ cert_GetKeyID(CERTCertificate *cert)
{
SECItem tmpitem;
SECStatus rv;
SECKEYPublicKey *key;
cert->subjectKeyID.len = 0;
@ -745,26 +687,6 @@ cert_GetKeyID(CERTCertificate *cert)
PORT_Free(tmpitem.data);
}
/* if the cert doesn't have a key identifier extension and the cert is
* a V1 fortezza certificate, use the cert's 8 byte KMID as the
* key identifier. */
key = CERT_KMIDPublicKey(cert);
if (key != NULL) {
if (key->keyType == fortezzaKey) {
cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, 8);
if ( cert->subjectKeyID.data != NULL ) {
PORT_Memcpy(cert->subjectKeyID.data, key->u.fortezza.KMID, 8);
cert->subjectKeyID.len = 8;
cert->keyIDGenerated = PR_FALSE;
}
}
SECKEY_DestroyPublicKey(key);
}
/* if the cert doesn't have a key identifier extension, then generate one*/
if ( cert->subjectKeyID.len == 0 ) {
/*
@ -1346,8 +1268,6 @@ CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage)
case dsaKey:
requiredUsage |= KU_DIGITAL_SIGNATURE;
break;
case fortezzaKey:
case keaKey:
case dhKey:
requiredUsage |= KU_KEY_AGREEMENT;
break;
@ -1664,8 +1584,7 @@ finish:
* - return value is NULL
*/
CERTGeneralName *
cert_GetSubjectAltNameList(CERTCertificate *cert,
PRArenaPool *arena)
cert_GetSubjectAltNameList(CERTCertificate *cert, PRArenaPool *arena)
{
CERTGeneralName * nameList = NULL;
SECStatus rv = SECFailure;
@ -2067,80 +1986,68 @@ CERT_MakeCANickname(CERTCertificate *cert)
char *nickname = NULL;
int count;
CERTCertificate *dummycert;
CERTCertDBHandle *handle;
handle = cert->dbhandle;
nickname = CERT_GetNickName(cert, handle, cert->arena);
if (nickname == NULL) {
firstname = CERT_GetCommonName(&cert->subject);
if ( firstname == NULL ) {
firstname = CERT_GetOrgUnitName(&cert->subject);
}
firstname = CERT_GetCommonName(&cert->subject);
if ( firstname == NULL ) {
firstname = CERT_GetOrgUnitName(&cert->subject);
}
org = CERT_GetOrgName(&cert->issuer);
org = CERT_GetOrgName(&cert->issuer);
if (org == NULL) {
org = CERT_GetDomainComponentName(&cert->issuer);
if (org == NULL) {
org = CERT_GetDomainComponentName(&cert->issuer);
if (org == NULL) {
if (firstname) {
org = firstname;
firstname = NULL;
} else {
org = PORT_Strdup("Unknown CA");
}
}
}
/* can only fail if PORT_Strdup fails, in which case
* we're having memory problems. */
if (org == NULL) {
goto loser;
}
count = 1;
while ( 1 ) {
if ( firstname ) {
if ( count == 1 ) {
nickname = PR_smprintf("%s - %s", firstname, org);
} else {
nickname = PR_smprintf("%s - %s #%d", firstname, org, count);
}
if (firstname) {
org = firstname;
firstname = NULL;
} else {
if ( count == 1 ) {
nickname = PR_smprintf("%s", org);
} else {
nickname = PR_smprintf("%s #%d", org, count);
}
org = PORT_Strdup("Unknown CA");
}
if ( nickname == NULL ) {
goto loser;
}
/* look up the nickname to make sure it isn't in use already */
dummycert = CERT_FindCertByNickname(handle, nickname);
if ( dummycert == NULL ) {
goto done;
}
/* found a cert, destroy it and loop */
CERT_DestroyCertificate(dummycert);
/* free the nickname */
PORT_Free(nickname);
count++;
}
}
loser:
if ( nickname ) {
PORT_Free(nickname);
/* can only fail if PORT_Strdup fails, in which case
* we're having memory problems. */
if (org == NULL) {
goto done;
}
nickname = NULL;
count = 1;
while ( 1 ) {
if ( firstname ) {
if ( count == 1 ) {
nickname = PR_smprintf("%s - %s", firstname, org);
} else {
nickname = PR_smprintf("%s - %s #%d", firstname, org, count);
}
} else {
if ( count == 1 ) {
nickname = PR_smprintf("%s", org);
} else {
nickname = PR_smprintf("%s #%d", org, count);
}
}
if ( nickname == NULL ) {
goto done;
}
/* look up the nickname to make sure it isn't in use already */
dummycert = CERT_FindCertByNickname(cert->dbhandle, nickname);
if ( dummycert == NULL ) {
goto done;
}
/* found a cert, destroy it and loop */
CERT_DestroyCertificate(dummycert);
/* free the nickname */
PORT_Free(nickname);
count++;
}
done:
if ( firstname ) {
PORT_Free(firstname);
@ -2181,7 +2088,7 @@ cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType)
trust->emailFlags |
trust->objectSigningFlags)) {
if (trust->sslFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED))
if (trust->sslFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED))
cType |= NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT;
if (trust->sslFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA))
cType |= NS_CERT_TYPE_SSL_CA;
@ -2190,7 +2097,7 @@ cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType)
cType &= ~(NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT|
NS_CERT_TYPE_SSL_CA);
#endif
if (trust->emailFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED))
if (trust->emailFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED))
cType |= NS_CERT_TYPE_EMAIL;
if (trust->emailFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA))
cType |= NS_CERT_TYPE_EMAIL_CA;
@ -2198,7 +2105,7 @@ cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType)
if (trust->emailFlags & CERTDB_NOT_TRUSTED)
cType &= ~(NS_CERT_TYPE_EMAIL|NS_CERT_TYPE_EMAIL_CA);
#endif
if (trust->objectSigningFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED))
if (trust->objectSigningFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED))
cType |= NS_CERT_TYPE_OBJECT_SIGNING;
if (trust->objectSigningFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA))
cType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
@ -2235,10 +2142,9 @@ CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype)
}
}
/* finally check if it's an X.509 v1 root or FORTEZZA V1 CA */
/* finally check if it's an X.509 v1 root CA */
if (!ret &&
((cert->isRoot && cert_Version(cert) < SEC_CERTIFICATE_VERSION_3) ||
fortezzaIsCA(cert) )) {
(cert->isRoot && cert_Version(cert) < SEC_CERTIFICATE_VERSION_3)) {
ret = PR_TRUE;
cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
}
@ -2449,11 +2355,11 @@ CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts)
for (i=0; i < PORT_Strlen(trusts); i++) {
switch (trusts[i]) {
case 'p':
*pflags = *pflags | CERTDB_VALID_PEER;
*pflags = *pflags | CERTDB_TERMINAL_RECORD;
break;
case 'P':
*pflags = *pflags | CERTDB_TRUSTED | CERTDB_VALID_PEER;
*pflags = *pflags | CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD;
break;
case 'w':
@ -2505,7 +2411,7 @@ EncodeFlags(char *trusts, unsigned int flags)
if (!(flags & CERTDB_TRUSTED_CA) &&
!(flags & CERTDB_TRUSTED_CLIENT_CA))
PORT_Strcat(trusts, "c");
if (flags & CERTDB_VALID_PEER)
if (flags & CERTDB_TERMINAL_RECORD)
if (!(flags & CERTDB_TRUSTED))
PORT_Strcat(trusts, "p");
if (flags & CERTDB_TRUSTED_CA)
@ -2589,18 +2495,16 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
if ( keepCerts ) {
for ( i = 0; i < fcerts; i++ ) {
char* canickname = NULL;
PRBool freeNickname = PR_FALSE;
PRBool isCA;
SECKEY_UpdateCertPQG(certs[i]);
if ( CERT_IsCACert(certs[i], NULL) ) {
isCA = CERT_IsCACert(certs[i], NULL);
if ( isCA ) {
canickname = CERT_MakeCANickname(certs[i]);
if ( canickname != NULL ) {
freeNickname = PR_TRUE;
}
}
if(CERT_IsCACert(certs[i], NULL) && (fcerts > 1)) {
if(isCA && (fcerts > 1)) {
/* if we are importing only a single cert and specifying
* a nickname, we want to use that nickname if it a CA,
* otherwise if there are more than one cert, we don't
@ -2613,9 +2517,7 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
nickname?nickname:canickname, NULL);
}
if (PR_TRUE == freeNickname) {
PORT_Free(canickname);
}
PORT_Free(canickname);
/* don't care if it fails - keep going */
}
}
@ -3124,6 +3026,8 @@ CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *statusConfig)
static PLHashTable *gSubjKeyIDHash = NULL;
static PRLock *gSubjKeyIDLock = NULL;
static PLHashTable *gSubjKeyIDSlotCheckHash = NULL;
static PRLock *gSubjKeyIDSlotCheckLock = NULL;
static void *cert_AllocTable(void *pool, PRSize size)
{
@ -3153,6 +3057,31 @@ static PLHashAllocOps cert_AllocOps = {
cert_AllocTable, cert_FreeTable, cert_AllocEntry, cert_FreeEntry
};
SECStatus
cert_CreateSubjectKeyIDSlotCheckHash(void)
{
/*
* This hash is used to remember the series of a slot
* when we last checked for user certs
*/
gSubjKeyIDSlotCheckHash = PL_NewHashTable(0, SECITEM_Hash,
SECITEM_HashCompare,
SECITEM_HashCompare,
&cert_AllocOps, NULL);
if (!gSubjKeyIDSlotCheckHash) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure;
}
gSubjKeyIDSlotCheckLock = PR_NewLock();
if (!gSubjKeyIDSlotCheckLock) {
PL_HashTableDestroy(gSubjKeyIDSlotCheckHash);
gSubjKeyIDSlotCheckHash = NULL;
PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure;
}
return SECSuccess;
}
SECStatus
cert_CreateSubjectKeyIDHashTable(void)
{
@ -3170,8 +3099,12 @@ cert_CreateSubjectKeyIDHashTable(void)
PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure;
}
/* initialize the companion hash (for remembering slot series) */
if (cert_CreateSubjectKeyIDSlotCheckHash() != SECSuccess) {
cert_DestroySubjectKeyIDHashTable();
return SECFailure;
}
return SECSuccess;
}
SECStatus
@ -3229,6 +3162,93 @@ cert_RemoveSubjectKeyIDMapping(SECItem *subjKeyID)
return rv;
}
SECStatus
cert_UpdateSubjectKeyIDSlotCheck(SECItem *slotid, int series)
{
SECItem *oldSeries, *newSlotid, *newSeries;
SECStatus rv = SECFailure;
if (!gSubjKeyIDSlotCheckLock) {
return rv;
}
newSlotid = SECITEM_DupItem(slotid);
newSeries = SECITEM_AllocItem(NULL, NULL, sizeof(int));
if (!newSlotid || !newSeries ) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
}
PORT_Memcpy(newSeries->data, &series, sizeof(int));
PR_Lock(gSubjKeyIDSlotCheckLock);
oldSeries = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid);
if (oldSeries) {
/*
* make sure we don't leak the key of an existing entry
* (similar to cert_AddSubjectKeyIDMapping, see comment there)
*/
PL_HashTableRemove(gSubjKeyIDSlotCheckHash, slotid);
}
rv = (PL_HashTableAdd(gSubjKeyIDSlotCheckHash, newSlotid, newSeries)) ?
SECSuccess : SECFailure;
PR_Unlock(gSubjKeyIDSlotCheckLock);
if (rv == SECSuccess) {
return rv;
}
loser:
if (newSlotid) {
SECITEM_FreeItem(newSlotid, PR_TRUE);
}
if (newSeries) {
SECITEM_FreeItem(newSeries, PR_TRUE);
}
return rv;
}
int
cert_SubjectKeyIDSlotCheckSeries(SECItem *slotid)
{
SECItem *seriesItem = NULL;
int series;
if (!gSubjKeyIDSlotCheckLock) {
PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
return -1;
}
PR_Lock(gSubjKeyIDSlotCheckLock);
seriesItem = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid);
PR_Unlock(gSubjKeyIDSlotCheckLock);
/* getting a null series just means we haven't registered one yet,
* just return 0 */
if (seriesItem == NULL) {
return 0;
}
/* if we got a series back, assert if it's not the proper length. */
PORT_Assert(seriesItem->len == sizeof(int));
if (seriesItem->len != sizeof(int)) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return -1;
}
PORT_Memcpy(&series, seriesItem->data, sizeof(int));
return series;
}
SECStatus
cert_DestroySubjectKeyIDSlotCheckHash(void)
{
if (gSubjKeyIDSlotCheckHash) {
PR_Lock(gSubjKeyIDSlotCheckLock);
PL_HashTableDestroy(gSubjKeyIDSlotCheckHash);
gSubjKeyIDSlotCheckHash = NULL;
PR_Unlock(gSubjKeyIDSlotCheckLock);
PR_DestroyLock(gSubjKeyIDSlotCheckLock);
gSubjKeyIDSlotCheckLock = NULL;
}
return SECSuccess;
}
SECStatus
cert_DestroySubjectKeyIDHashTable(void)
{
@ -3240,6 +3260,7 @@ cert_DestroySubjectKeyIDHashTable(void)
PR_DestroyLock(gSubjKeyIDLock);
gSubjKeyIDLock = NULL;
}
cert_DestroySubjectKeyIDSlotCheckHash();
return SECSuccess;
}

20
security/nss/lib/certdb/certdb.h
View File

@ -39,7 +39,7 @@
/* common flags for all types of certificates */
#define CERTDB_VALID_PEER (1<<0)
#define CERTDB_TERMINAL_RECORD (1<<0)
#define CERTDB_TRUSTED (1<<1)
#define CERTDB_SEND_WARN (1<<2)
#define CERTDB_VALID_CA (1<<3)
@ -50,6 +50,24 @@
#define CERTDB_INVISIBLE_CA (1<<8) /* don't show in UI */
#define CERTDB_GOVT_APPROVED_CA (1<<9) /* can do strong crypto in export ver */
/* old usage, to keep old programs compiling */
/* On Windows, Mac, and Linux (and other gcc platforms), we can give compile
* time deprecation warnings when applications use the old CERTDB_VALID_PEER
* define */
#if __GNUC__ > 3
#if (__GNUC__ == 4) && (__GNUC_MINOR__ < 5)
typedef unsigned int __CERTDB_VALID_PEER __attribute__((deprecated));
#else
typedef unsigned int __CERTDB_VALID_PEER __attribute__((deprecated
("CERTDB_VALID_PEER is now CERTDB_TERMINAL_RECORD")));
#endif
#define CERTDB_VALID_PEER ((__CERTDB_VALID_PEER) CERTDB_TERMINAL_RECORD)
#else
#ifdef _WIN32
#pragma deprecated(CERTDB_VALID_PEER)
#endif
#define CERTDB_VALID_PEER CERTDB_TERMINAL_RECORD
#endif
SEC_BEGIN_PROTOS

11
security/nss/lib/certdb/certi.h
View File

@ -36,7 +36,7 @@
/*
* certi.h - private data structures for the certificate library
*
* $Id: certi.h,v 1.34 2010/05/21 00:43:51 wtc%google.com Exp $
* $Id: certi.h,v 1.35 2011/01/29 22:17:20 nelson%bolyard.com Exp $
*/
#ifndef _CERTI_H_
#define _CERTI_H_
@ -235,7 +235,8 @@ SECStatus ShutdownCRLCache(void);
extern char * cert_GetCertificateEmailAddresses(CERTCertificate *cert);
/*
* These functions are used to map subjectKeyID extension values to certs.
* These functions are used to map subjectKeyID extension values to certs
* and to keep track of the checks for user certificates in each slot
*/
SECStatus
cert_CreateSubjectKeyIDHashTable(void);
@ -243,6 +244,12 @@ cert_CreateSubjectKeyIDHashTable(void);
SECStatus
cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert);
SECStatus
cert_UpdateSubjectKeyIDSlotCheck(SECItem *slotid, int series);
int
cert_SubjectKeyIDSlotCheckSeries(SECItem *slotid);
/*
* Call this function to remove an entry from the mapping table.
*/

2
security/nss/lib/certdb/certt.h
View File

@ -36,7 +36,7 @@
/*
* certt.h - public data structures for the certificate library
*
* $Id: certt.h,v 1.54.2.1 2011/07/28 22:19:57 wtc%google.com Exp $
* $Id: certt.h,v 1.55 2011/07/28 21:38:14 wtc%google.com Exp $
*/
#ifndef _CERTT_H_
#define _CERTT_H_

85
security/nss/lib/certdb/crl.c
View File

@ -37,7 +37,7 @@
/*
* Moved from secpkcs7.c
*
* $Id: crl.c,v 1.71 2010/05/21 00:43:51 wtc%google.com Exp $
* $Id: crl.c,v 1.72 2011/07/24 13:48:10 wtc%google.com Exp $
*/
#include "cert.h"
@ -75,9 +75,8 @@ static const SEC_ASN1Template SEC_CERTExtensionsTemplate[] = {
};
/*
* XXX Also, these templates, especially the Krl/FORTEZZA ones, need to
* be tested; Lisa did the obvious translation but they still should be
* verified.
* XXX Also, these templates need to be tested; Lisa did the obvious
* translation but they still should be verified.
*/
const SEC_ASN1Template CERT_IssuerAndSNTemplate[] = {
@ -93,56 +92,9 @@ const SEC_ASN1Template CERT_IssuerAndSNTemplate[] = {
{ 0 }
};
static const SEC_ASN1Template cert_KrlEntryTemplate[] = {
{ SEC_ASN1_SEQUENCE,
0, NULL, sizeof(CERTCrlEntry) },
{ SEC_ASN1_OCTET_STRING,
offsetof(CERTCrlEntry,serialNumber) },
{ SEC_ASN1_UTC_TIME,
offsetof(CERTCrlEntry,revocationDate) },
{ 0 }
};
SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
SEC_ASN1_MKSUB(CERT_TimeChoiceTemplate)
static const SEC_ASN1Template cert_KrlTemplate[] = {
{ SEC_ASN1_SEQUENCE,
0, NULL, sizeof(CERTCrl) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
offsetof(CERTCrl,signatureAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ SEC_ASN1_SAVE,
offsetof(CERTCrl,derName) },
{ SEC_ASN1_INLINE,
offsetof(CERTCrl,name),
CERT_NameTemplate },
{ SEC_ASN1_UTC_TIME,
offsetof(CERTCrl,lastUpdate) },
{ SEC_ASN1_UTC_TIME,
offsetof(CERTCrl,nextUpdate) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
offsetof(CERTCrl,entries),
cert_KrlEntryTemplate },
{ 0 }
};
static const SEC_ASN1Template cert_SignedKrlTemplate[] = {
{ SEC_ASN1_SEQUENCE,
0, NULL, sizeof(CERTSignedCrl) },
{ SEC_ASN1_SAVE,
offsetof(CERTSignedCrl,signatureWrap.data) },
{ SEC_ASN1_INLINE,
offsetof(CERTSignedCrl,crl),
cert_KrlTemplate },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ SEC_ASN1_BIT_STRING,
offsetof(CERTSignedCrl,signatureWrap.signature) },
{ 0 }
};
static const SEC_ASN1Template cert_CrlKeyTemplate[] = {
{ SEC_ASN1_SEQUENCE,
0, NULL, sizeof(CERTCrlKey) },
@ -470,7 +422,7 @@ SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl* crl)
}
/*
* take a DER CRL or KRL and decode it into a CRL structure
* take a DER CRL and decode it into a CRL structure
* allow reusing the input DER without making a copy
*/
CERTSignedCrl *
@ -578,11 +530,8 @@ CERT_DecodeDERCrlWithFlags(PRArenaPool *narena, SECItem *derSignedCrl,
break;
case SEC_KRL_TYPE:
rv = SEC_QuickDERDecodeItem
(arena, crl, cert_SignedKrlTemplate, derSignedCrl);
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
break;
}
@ -614,7 +563,7 @@ loser:
}
/*
* take a DER CRL or KRL and decode it into a CRL structure
* take a DER CRL and decode it into a CRL structure
*/
CERTSignedCrl *
CERT_DecodeDERCrl(PRArenaPool *narena, SECItem *derSignedCrl, int type)
@ -716,6 +665,12 @@ crl_storeCRL (PK11SlotInfo *slot,char *url,
PORT_Assert(newCrl);
PORT_Assert(derCrl);
PORT_Assert(type == SEC_CRL_TYPE);
if (type != SEC_CRL_TYPE) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
/* we can't use the cache here because we must look in the same
token */
@ -739,21 +694,7 @@ crl_storeCRL (PK11SlotInfo *slot,char *url,
goto done;
}
if (!SEC_CrlIsNewer(&newCrl->crl,&oldCrl->crl)) {
if (type == SEC_CRL_TYPE) {
PORT_SetError(SEC_ERROR_OLD_CRL);
} else {
PORT_SetError(SEC_ERROR_OLD_KRL);
}
goto done;
}
if ((SECITEM_CompareItem(&newCrl->crl.derName,
&oldCrl->crl.derName) != SECEqual) &&
(type == SEC_KRL_TYPE) ) {
PORT_SetError(SEC_ERROR_CKL_CONFLICT);
PORT_SetError(SEC_ERROR_OLD_CRL);
goto done;
}

105
security/nss/lib/certdb/genname.c
View File

@ -1685,111 +1685,6 @@ done:
return rv;
}
/* Search the cert for an X509_SUBJECT_ALT_NAME extension.
** ASN1 Decode it into a list of alternate names.
** Search the list of alternate names for one with the NETSCAPE_NICKNAME OID.
** ASN1 Decode that name. Turn the result into a zString.
** Look for duplicate nickname already in the certdb.
** If one is found, create a nickname string that is not a duplicate.
*/
char *
CERT_GetNickName(CERTCertificate *cert,
CERTCertDBHandle *handle,
PRArenaPool *nicknameArena)
{
CERTGeneralName *current;
CERTGeneralName *names;
char *nickname = NULL;
char *returnName = NULL;
char *basename = NULL;
PRArenaPool *arena = NULL;
CERTCertificate *tmpcert;
SECStatus rv;
int count;
int found = 0;
SECItem altNameExtension;
SECItem nick;
if (handle == NULL) {
handle = CERT_GetDefaultCertDB();
}
altNameExtension.data = NULL;
rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
&altNameExtension);
if (rv != SECSuccess) {
goto loser;
}
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
goto loser;
}
names = CERT_DecodeAltNameExtension(arena, &altNameExtension);
if (names == NULL) {
goto loser;
}
current = names;
do {
if (current->type == certOtherName &&
SECOID_FindOIDTag(&current->name.OthName.oid) ==
SEC_OID_NETSCAPE_NICKNAME) {
found = 1;
break;
}
current = CERT_GetNextGeneralName(current);
} while (current != names);
if (!found)
goto loser;
rv = SEC_QuickDERDecodeItem(arena, &nick,
SEC_ASN1_GET(SEC_IA5StringTemplate),
&current->name.OthName.name);
if (rv != SECSuccess) {
goto loser;
}
/* make a null terminated string out of nick, with room enough at
** the end to add on a number of up to 21 digits in length, (a signed
** 64-bit number in decimal) plus a space and a "#".
*/
nickname = (char*)PORT_ZAlloc(nick.len + 24);
if (!nickname)
goto loser;
PORT_Strncpy(nickname, (char *)nick.data, nick.len);
/* Don't let this cert's nickname duplicate one already in the DB.
** If it does, create a variant of the nickname that doesn't.
*/
count = 0;
while ((tmpcert = CERT_FindCertByNickname(handle, nickname)) != NULL) {
CERT_DestroyCertificate(tmpcert);
if (!basename) {
basename = PORT_Strdup(nickname);
if (!basename)
goto loser;
}
count++;
sprintf(nickname, "%s #%d", basename, count);
}
/* success */
if (nicknameArena) {
returnName = PORT_ArenaStrdup(nicknameArena, nickname);
} else {
returnName = nickname;
nickname = NULL;
}
loser:
if (arena != NULL)
PORT_FreeArena(arena, PR_FALSE);
if (nickname)
PORT_Free(nickname);
if (basename)
PORT_Free(basename);
if (altNameExtension.data)
PORT_Free(altNameExtension.data);
return returnName;
}
#if 0
/* not exported from shared libs, not used. Turn on if we ever need it. */
SECStatus

2
security/nss/lib/certdb/manifest.mn
View File

@ -66,8 +66,6 @@ CSRCS = \
xconst.c \
$(NULL)
REQUIRES = dbm
LIBRARY_NAME = certdb
# This part of the code, including all sub-dirs, can be optimized for size

2
security/nss/lib/certhigh/certhtml.c
View File

@ -37,7 +37,7 @@
/*
* certhtml.c --- convert a cert to html
*
* $Id: certhtml.c,v 1.8.66.1 2010/08/28 19:49:28 nelson%bolyard.com Exp $
* $Id: certhtml.c,v 1.10 2010/08/28 18:00:28 nelson%bolyard.com Exp $
*/
#include "seccomon.h"

362
security/nss/lib/certhigh/certvfy.c
View File

@ -579,6 +579,14 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
if (flags & CERTDB_VALID_CA) {
validCAOverride = PR_TRUE;
}
/* is it explicitly distrusted? */
if ((flags & CERTDB_TERMINAL_RECORD) &&
((flags & (CERTDB_VALID_CA|CERTDB_TRUSTED)) == 0)) {
/* untrusted -- the cert is explicitly untrusted, not
* just that it doesn't chain to a trusted cert */
PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
LOG_ERROR_OR_EXIT(log,issuerCert,count+1,flags);
}
} else {
/* Check if we have any valid trust when cheching for
* certUsageAnyCA or certUsageStatusResponder. */
@ -592,6 +600,22 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
if (flags & CERTDB_VALID_CA)
validCAOverride = PR_TRUE;
}
/* We have 2 separate loops because we want any single trust
* bit to allow this usage to return trusted. Only if none of
* the trust bits are on do we check to see if the cert is
* untrusted */
for (trustType = trustSSL; trustType < trustTypeNone;
trustType++) {
flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
/* is it explicitly distrusted? */
if ((flags & CERTDB_TERMINAL_RECORD) &&
((flags & (CERTDB_VALID_CA|CERTDB_TRUSTED)) == 0)) {
/* untrusted -- the cert is explicitly untrusted, not
* just that it doesn't chain to a trusted cert */
PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
LOG_ERROR_OR_EXIT(log,issuerCert,count+1,flags);
}
}
}
}
@ -826,6 +850,14 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
if (flags & CERTDB_VALID_CA) {
validCAOverride = PR_TRUE;
}
/* is it explicitly distrusted? */
if ((flags & CERTDB_TERMINAL_RECORD) &&
((flags & (CERTDB_VALID_CA|CERTDB_TRUSTED)) == 0)) {
/* untrusted -- the cert is explicitly untrusted, not
* just that it doesn't chain to a trusted cert */
PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
LOG_ERROR_OR_EXIT(log,cert,0,flags);
}
}
if (!validCAOverride) {
/*
@ -889,6 +921,154 @@ done:
NEXT_USAGE(); \
}
/*
* check the leaf cert against trust and usage.
* returns success if the cert is not distrusted. If the cert is
* trusted, then the trusted bool will be true.
* returns failure if the cert is distrusted. If failure, flags
* will return the flag bits that indicated distrust.
*/
SECStatus
cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
unsigned int *failedFlags, PRBool *trusted)
{
unsigned int flags;
*failedFlags = 0;
*trusted = PR_FALSE;
/* check trust flags to see if this cert is directly trusted */
if ( cert->trust ) {
switch ( certUsage ) {
case certUsageSSLClient:
case certUsageSSLServer:
flags = cert->trust->sslFlags;
/* is the cert directly trusted or not trusted ? */
if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
if ( flags & CERTDB_TRUSTED ) { /* trust this cert */
*trusted = PR_TRUE;
return SECSuccess;
} else { /* don't trust this cert */
*failedFlags = flags;
return SECFailure;
}
}
break;
case certUsageSSLServerWithStepUp:
/* XXX - step up certs can't be directly trusted, only distrust */
flags = cert->trust->sslFlags;
if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
if (( flags & CERTDB_TRUSTED ) == 0) {
/* don't trust this cert */
*failedFlags = flags;
return SECFailure;
}
}
break;
case certUsageSSLCA:
flags = cert->trust->sslFlags;
/* we probably should also not explicitly fail the cert
* if only the trusted DELEGATOR flag is set */
if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
if (( flags & CERTDB_TRUSTED_CA ) == 0) {
/* don't trust this cert */
*failedFlags = flags;
return SECFailure;
}
}
break;
case certUsageEmailSigner:
case certUsageEmailRecipient:
flags = cert->trust->emailFlags;
if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
if ( flags & CERTDB_TRUSTED ) { /* trust this cert */
*trusted = PR_TRUE;
return SECSuccess;
}
else { /* don't trust this cert */
*failedFlags = flags;
return SECFailure;
}
}
break;
case certUsageObjectSigner:
flags = cert->trust->objectSigningFlags;
if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
if ( flags & CERTDB_TRUSTED ) { /* trust this cert */
*trusted = PR_TRUE;
return SECSuccess;
} else { /* don't trust this cert */
*failedFlags = flags;
return SECFailure;
}
}
break;
case certUsageVerifyCA:
case certUsageStatusResponder:
flags = cert->trust->sslFlags;
/* is the cert directly trusted or not trusted ? */
if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
*trusted = PR_TRUE;
return SECSuccess;
}
flags = cert->trust->emailFlags;
/* is the cert directly trusted or not trusted ? */
if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
*trusted = PR_TRUE;
return SECSuccess;
}
flags = cert->trust->objectSigningFlags;
/* is the cert directly trusted or not trusted ? */
if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
*trusted = PR_TRUE;
return SECSuccess;
}
/* fall through to test distrust */
case certUsageAnyCA:
case certUsageUserCertImport:
/* do we distrust these certs explicitly */
flags = cert->trust->sslFlags;
if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
if ((flags & CERTDB_TRUSTED_CA) == 0) {
*failedFlags = flags;
return SECFailure;
}
}
flags = cert->trust->emailFlags;
if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
if ((flags & CERTDB_TRUSTED_CA) == 0) {
*failedFlags = flags;
return SECFailure;
}
}
case certUsageProtectedObjectSigner:
flags = cert->trust->objectSigningFlags;
if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
* authoritative */
if ((flags & CERTDB_TRUSTED_CA) == 0) {
*failedFlags = flags;
return SECFailure;
}
}
break;
}
}
return SECSuccess;
}
/*
* verify a certificate by checking if it's valid and that we
* trust the issuer.
@ -921,6 +1101,7 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
PRBool checkAllUsages = PR_FALSE;
PRBool revoked = PR_FALSE;
PRBool sigerror = PR_FALSE;
PRBool trusted = PR_FALSE;
if (!requiredUsages) {
/* there are no required usages, so the user probably wants to
@ -1008,91 +1189,21 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
INVALID_USAGE();
}
/* check trust flags to see if this cert is directly trusted */
if ( cert->trust ) { /* the cert is in the DB */
switch ( certUsage ) {
case certUsageSSLClient:
case certUsageSSLServer:
flags = cert->trust->sslFlags;
rv = cert_CheckLeafTrust(cert, certUsage, &flags, &trusted);
if (rv == SECFailure) {
if (PR_TRUE == requiredUsage) {
PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
}
LOG_ERROR(log, cert, 0, flags);
INVALID_USAGE();
}
if (trusted) {
VALID_USAGE();
}
/* is the cert directly trusted or not trusted ? */
if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
if ( flags & CERTDB_TRUSTED ) { /* trust this cert */
VALID_USAGE();
} else { /* don't trust this cert */
if (PR_TRUE == requiredUsage) {
PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
}
LOG_ERROR(log,cert,0,flags);
INVALID_USAGE();
}
}
break;
case certUsageSSLServerWithStepUp:
/* XXX - step up certs can't be directly trusted */
break;
case certUsageSSLCA:
break;
case certUsageEmailSigner:
case certUsageEmailRecipient:
flags = cert->trust->emailFlags;
/* is the cert directly trusted or not trusted ? */
if ( ( flags & ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) ==
( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) {
VALID_USAGE();
}
break;
case certUsageObjectSigner:
flags = cert->trust->objectSigningFlags;
/* is the cert directly trusted or not trusted ? */
if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
if ( flags & CERTDB_TRUSTED ) { /* trust this cert */
VALID_USAGE();
} else { /* don't trust this cert */
if (PR_TRUE == requiredUsage) {
PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
}
LOG_ERROR(log,cert,0,flags);
INVALID_USAGE();
}
}
break;
case certUsageVerifyCA:
case certUsageStatusResponder:
flags = cert->trust->sslFlags;
/* is the cert directly trusted or not trusted ? */
if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
VALID_USAGE();
}
flags = cert->trust->emailFlags;
/* is the cert directly trusted or not trusted ? */
if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
VALID_USAGE();
}
flags = cert->trust->objectSigningFlags;
/* is the cert directly trusted or not trusted ? */
if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
VALID_USAGE();
}
break;
case certUsageAnyCA:
case certUsageProtectedObjectSigner:
case certUsageUserCertImport:
/* XXX to make the compiler happy. Should these be
* explicitly handled?
*/
break;
}
}
if (PR_TRUE == revoked || PR_TRUE == sigerror) {
INVALID_USAGE();
}
if (PR_TRUE == revoked || PR_TRUE == sigerror) {
INVALID_USAGE();
}
rv = cert_VerifyCertChain(handle, cert,
checkSig, &sigerror,
@ -1146,6 +1257,7 @@ CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
unsigned int requiredCertType;
unsigned int flags;
unsigned int certType;
PRBool trusted;
PRBool allowOverride;
SECCertTimeValidity validity;
CERTStatusConfig *statusConfig;
@ -1212,81 +1324,15 @@ CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
LOG_ERROR_OR_EXIT(log,cert,0,requiredCertType);
}
/* check trust flags to see if this cert is directly trusted */
if ( cert->trust ) { /* the cert is in the DB */
switch ( certUsage ) {
case certUsageSSLClient:
case certUsageSSLServer:
flags = cert->trust->sslFlags;
/* is the cert directly trusted or not trusted ? */
if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
if ( flags & CERTDB_TRUSTED ) { /* trust this cert */
goto winner;
} else { /* don't trust this cert */
PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
LOG_ERROR_OR_EXIT(log,cert,0,flags);
}
}
break;
case certUsageSSLServerWithStepUp:
/* XXX - step up certs can't be directly trusted */
break;
case certUsageSSLCA:
break;
case certUsageEmailSigner:
case certUsageEmailRecipient:
flags = cert->trust->emailFlags;
/* is the cert directly trusted or not trusted ? */
if ( ( flags & ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) ==
( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) {
goto winner;
}
break;
case certUsageObjectSigner:
flags = cert->trust->objectSigningFlags;
/* is the cert directly trusted or not trusted ? */
if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
if ( flags & CERTDB_TRUSTED ) { /* trust this cert */
goto winner;
} else { /* don't trust this cert */
PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
LOG_ERROR_OR_EXIT(log,cert,0,flags);
}
}
break;
case certUsageVerifyCA:
case certUsageStatusResponder:
flags = cert->trust->sslFlags;
/* is the cert directly trusted or not trusted ? */
if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
goto winner;
}
flags = cert->trust->emailFlags;
/* is the cert directly trusted or not trusted ? */
if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
goto winner;
}
flags = cert->trust->objectSigningFlags;
/* is the cert directly trusted or not trusted ? */
if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
goto winner;
}
break;
case certUsageAnyCA:
case certUsageProtectedObjectSigner:
case certUsageUserCertImport:
/* XXX to make the compiler happy. Should these be
* explicitly handled?
*/
break;
}
rv = cert_CheckLeafTrust(cert,certUsage, &flags, &trusted);
if (rv == SECFailure) {
PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
LOG_ERROR_OR_EXIT(log,cert,0,flags);
}
if (trusted) {
goto winner;
}
rv = CERT_VerifyCertChain(handle, cert, checkSig, certUsage,
t, wincx, log);

2
security/nss/lib/certhigh/manifest.mn
View File

@ -60,8 +60,6 @@ CSRCS = \
xcrldist.c \
$(NULL)
REQUIRES = dbm
LIBRARY_NAME = certhi
# This part of the code, including all sub-dirs, can be optimized for size

12
security/nss/lib/certhigh/ocsp.c
View File

@ -39,7 +39,7 @@
* Implementation of OCSP services, for both client and server.
* (XXX, really, mostly just for client right now, but intended to do both.)
*
* $Id: ocsp.c,v 1.65.2.1 2011/07/13 11:13:55 kaie%kuix.de Exp $
* $Id: ocsp.c,v 1.67 2011/08/10 12:31:52 kaie%kuix.de Exp $
*/
#include "prerror.h"
@ -2950,6 +2950,7 @@ ocsp_SendEncodedRequest(char *location, SECItem *encodedRequest)
PRFileDesc *sock = NULL;
PRFileDesc *returnSock = NULL;
char *header = NULL;
char portstr[16];
/*
* Take apart the location, getting the hostname, port, and path.
@ -2965,11 +2966,16 @@ ocsp_SendEncodedRequest(char *location, SECItem *encodedRequest)
if (sock == NULL)
goto loser;
portstr[0] = '\0';
if (port != 80) {
PR_snprintf(portstr, sizeof(portstr), ":%d", port);
}
header = PR_smprintf("POST %s HTTP/1.0\r\n"
"Host: %s:%d\r\n"
"Host: %s%s\r\n"
"Content-Type: application/ocsp-request\r\n"
"Content-Length: %u\r\n\r\n",
path, hostname, port, encodedRequest->len);
path, hostname, portstr, encodedRequest->len);
if (header == NULL)
goto loser;

4
security/nss/lib/certhigh/ocsp.h
View File

@ -37,7 +37,7 @@
/*
* Interface to the OCSP implementation.
*
* $Id: ocsp.h,v 1.17.2.1 2010/09/27 21:22:20 wtc%google.com Exp $
* $Id: ocsp.h,v 1.19 2011/01/15 19:47:11 nelson%bolyard.com Exp $
*/
#ifndef _OCSP_H_
@ -588,7 +588,7 @@ CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
/*
* FUNCTION: CERT_GetOCSPStatusForCertID
* Returns the OCSP status contained in the passed in paramter response
* Returns the OCSP status contained in the passed in parameter response
* that corresponds to the certID passed in.
* INPUTS:
* CERTCertDBHandle *handle

1330
security/nss/lib/ckfw/builtins/certdata.c
View File

File diff suppressed because it is too large Load Diff

1318
security/nss/lib/ckfw/builtins/certdata.txt
View File

File diff suppressed because it is too large Load Diff

4
security/nss/lib/ckfw/capi/cfind.c
View File

@ -36,7 +36,7 @@
*
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: cfind.c,v $ $Revision: 1.3 $ $Date: 2005/12/16 00:48:02 $";
static const char CVS_ID[] = "@(#) $RCSfile: cfind.c,v $ $Revision: 1.4 $ $Date: 2011/02/02 17:13:40 $";
#endif /* DEBUG */
#ifndef CKCAPI_H
@ -136,7 +136,7 @@ ckcapi_attrmatch
if( a->ulValueLen != b->size ) {
/* match a decoded serial number */
if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) {
int len;
unsigned int len;
unsigned char *data;
data = nss_ckcapi_DERUnwrap(b->data, b->size, &len, NULL);

12
security/nss/lib/ckfw/capi/ckcapi.h
View File

@ -40,7 +40,7 @@
#define CKCAPI_H 1
#ifdef DEBUG
static const char CKCAPI_CVS_ID[] = "@(#) $RCSfile: ckcapi.h,v $ $Revision: 1.3 $ $Date: 2008/08/11 08:14:10 $";
static const char CKCAPI_CVS_ID[] = "@(#) $RCSfile: ckcapi.h,v $ $Revision: 1.4 $ $Date: 2011/02/02 17:13:40 $";
#endif /* DEBUG */
#include "nssckmdt.h"
@ -248,13 +248,13 @@ ckcapi_ReverseData
/*
* unwrap a single DER value
*/
char *
unsigned char *
nss_ckcapi_DERUnwrap
(
char *src,
int size,
int *outSize,
char **next
unsigned char *src,
unsigned int size,
unsigned int *outSize,
unsigned char **next
);
/*

63
security/nss/lib/ckfw/capi/cobject.c
View File

@ -20,7 +20,8 @@
* Portions created by Red Hat, Inc, are Copyright (C) 2005
*
* Contributor(s):
* Bob Relyea (rrelyea@redhat.com)
* Bob Relyea <rrelyea@redhat.com>
* Muzaffar Mahkamov <mmahkamov@eisst.com>
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
@ -36,7 +37,7 @@
*
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: cobject.c,v $ $Revision: 1.6 $ $Date: 2009/07/29 20:15:19 $";
static const char CVS_ID[] = "@(#) $RCSfile: cobject.c,v $ $Revision: 1.9 $ $Date: 2011/02/02 17:13:40 $";
#endif /* DEBUG */
#include "ckcapi.h"
@ -137,13 +138,13 @@ static const NSSItem ckcapi_emptyItem = {
/*
* unwrap a single DER value
*/
char *
unsigned char *
nss_ckcapi_DERUnwrap
(
char *src,
int size,
int *outSize,
char **next
unsigned char *src,
unsigned int size,
unsigned int *outSize,
unsigned char **next
)
{
unsigned char *start = src;
@ -159,11 +160,11 @@ nss_ckcapi_DERUnwrap
if (size < 2) {
return start;
}
src ++ ; /* skip the tag -- should check it against an expected value! */
src++; /* skip the tag -- should check it against an expected value! */
len = (unsigned) *src++;
if (len & 0x80) {
int count = len & 0x7f;
len =0;
unsigned int count = len & 0x7f;
len = 0;
if (count+2 > size) {
return start;
@ -172,7 +173,7 @@ nss_ckcapi_DERUnwrap
len = (len << 8) | (unsigned) *src++;
}
}
if (len + ((unsigned char *)src-start) > (unsigned int)size) {
if (len + (src-start) > size) {
return start;
}
if (next) {
@ -360,7 +361,8 @@ nss_ckcapi_GetStringAttribute
}
/*
* Return the size in bytes of a wide string
* Return the size in bytes of a wide string, including the terminating null
* character
*/
int
nss_ckcapi_WideSize
@ -374,7 +376,7 @@ nss_ckcapi_WideSize
return 0;
}
size = wcslen(wide)+1;
return size*2;
return size*sizeof(WCHAR);
}
/*
@ -386,7 +388,6 @@ nss_ckcapi_WideToUTF8
LPCWSTR wide
)
{
DWORD len;
DWORD size;
char *buf;
@ -394,14 +395,12 @@ nss_ckcapi_WideToUTF8
return (char *)NULL;
}
len = nss_ckcapi_WideSize(wide);
size = WideCharToMultiByte(CP_UTF8, 0, wide, len, NULL, 0, NULL, 0);
size = WideCharToMultiByte(CP_UTF8, 0, wide, -1, NULL, 0, NULL, 0);
if (size == 0) {
return (char *)NULL;
}
buf = nss_ZNEWARRAY(NULL, char, size);
size = WideCharToMultiByte(CP_UTF8, 0, wide, len, buf, size, NULL, 0);
size = WideCharToMultiByte(CP_UTF8, 0, wide, -1, buf, size, NULL, 0);
if (size == 0) {
nss_ZFreeIf(buf);
return (char *)NULL;
@ -418,20 +417,20 @@ nss_ckcapi_WideDup
LPCWSTR wide
)
{
DWORD len = nss_ckcapi_WideSize(wide);
DWORD len;
LPWSTR buf;
if ((LPWSTR)NULL == wide) {
return (LPWSTR)NULL;
}
len = nss_ckcapi_WideSize(wide);
len = wcslen(wide)+1;
buf = (LPWSTR) nss_ZNEWARRAY(NULL, char, len);
buf = nss_ZNEWARRAY(NULL, WCHAR, len);
if ((LPWSTR) NULL == buf) {
return buf;
}
nsslibc_memcpy(buf, wide, len);
nsslibc_memcpy(buf, wide, len*sizeof(WCHAR));
return buf;
}
@ -445,21 +444,18 @@ nss_ckcapi_UTF8ToWide
)
{
DWORD size;
DWORD len = strlen(buf)+1;
LPWSTR wide;
if ((char *)NULL == buf) {
return (LPWSTR) NULL;
}
len = strlen(buf)+1;
size = MultiByteToWideChar(CP_UTF8, 0, buf, len, NULL, 0);
size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, NULL, 0);
if (size == 0) {
return (LPWSTR) NULL;
}
wide = nss_ZNEWARRAY(NULL, WCHAR, size);
size = MultiByteToWideChar(CP_UTF8, 0, buf, len, wide, size);
size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, wide, size);
if (size == 0) {
nss_ZFreeIf(wide);
return (LPWSTR) NULL;
@ -572,10 +568,12 @@ ckcapi_CertPopulateModulusExponent
{
ckcapiKeyParams *kp = &io->u.cert.key;
PCCERT_CONTEXT certContext = io->u.cert.certContext;
char *pkData = certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData;
CK_ULONG size= certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData;
CK_ULONG newSize;
char *ptr, *newptr;
unsigned char *pkData =
certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData;
unsigned int size=
certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData;
unsigned int newSize;
unsigned char *ptr, *newptr;
/* find the start of the modulus -- this will not give good results if
* the key isn't an rsa key! */
@ -1420,7 +1418,6 @@ ckcapi_mdObject_Destroy
goto loser;
}
rc = CertDeleteCertificateFromStore(certContext);
CertFreeCertificateContext(certContext);
} else {
char *provName = NULL;
char *containerName = NULL;
@ -2299,7 +2296,7 @@ nss_ckcapi_CreateObject
)
{
CK_OBJECT_CLASS objClass;
ckcapiInternalObject *io;
ckcapiInternalObject *io = NULL;
CK_BBOOL isToken;
/*

10
security/nss/lib/ckfw/capi/crsa.c
View File

@ -36,7 +36,7 @@
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: crsa.c,v $ $Revision: 1.4 $ $Date: 2010/04/25 23:37:40 $";
static const char CVS_ID[] = "@(#) $RCSfile: crsa.c,v $ $Revision: 1.5 $ $Date: 2011/02/02 17:13:40 $";
#endif /* DEBUG */
#include "ckcapi.h"
@ -88,7 +88,7 @@ static char *
nss_ckcapi_GetOidString
(
unsigned char *oidTag,
int oidTagSize,
unsigned int oidTagSize,
CK_RV *pError
)
{
@ -96,7 +96,7 @@ nss_ckcapi_GetOidString
char *oidStr;
char *cstr;
unsigned long value;
int oidSize;
unsigned int oidSize;
if (DER_OBJECT_ID != *oidTag) {
/* wasn't an oid */
@ -164,8 +164,8 @@ ckcapi_GetRawHash
unsigned char *hashData;
char *oidStr;
CK_RV error;
int oidSize;
int size;
unsigned int oidSize;
unsigned int size;
/*
* there are 2 types of hashes NSS typically tries to sign, regular
* RSA signature format (with encoded DER_OIDS), and SSL3 Signed hashes.

3
security/nss/lib/ckfw/hash.c
View File

@ -35,7 +35,7 @@
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: hash.c,v $ $Revision: 1.4 $ $Date: 2009/02/09 07:55:52 $";
static const char CVS_ID[] = "@(#) $RCSfile: hash.c,v $ $Revision: 1.5 $ $Date: 2010/09/09 21:14:24 $";
#endif /* DEBUG */
/*
@ -123,6 +123,7 @@ nssCKFWHash_Create
rv->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
if (!rv->mutex) {
if( CKR_OK == *pError ) {
(void)nss_ZFreeIf(rv);
*pError = CKR_GENERAL_ERROR;
}
return (nssCKFWHash *)NULL;

12
security/nss/lib/ckfw/session.c
View File

@ -35,7 +35,7 @@
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: session.c,v $ $Revision: 1.13 $ $Date: 2009/02/09 07:55:53 $";
static const char CVS_ID[] = "@(#) $RCSfile: session.c,v $ $Revision: 1.14 $ $Date: 2010/09/09 21:14:24 $";
#endif /* DEBUG */
/*
@ -1515,14 +1515,14 @@ nssCKFWSession_CopyObject
CK_ATTRIBUTE_TYPE_PTR oldTypes;
NSSCKFWObject *rv;
tmpArena = NSSArena_Create();
if (!tmpArena) {
*pError = CKR_HOST_MEMORY;
n = nssCKFWObject_GetAttributeCount(fwObject, pError);
if( (0 == n) && (CKR_OK != *pError) ) {
return (NSSCKFWObject *)NULL;
}
n = nssCKFWObject_GetAttributeCount(fwObject, pError);
if( (0 == n) && (CKR_OK != *pError) ) {
tmpArena = NSSArena_Create();
if (!tmpArena) {
*pError = CKR_HOST_MEMORY;
return (NSSCKFWObject *)NULL;
}

2
security/nss/lib/crmf/cmmf.h
View File

@ -637,7 +637,7 @@ extern int
* inIndex
* The index of the CMMFCertResponse the user wants a copy of.
* NOTES:
* This funciton creates a copy of the CMMFCertResponse at the index
* This function creates a copy of the CMMFCertResponse at the index
* corresponding to the parameter 'inIndex'. Indexing is done like a
* traditional C array, ie the valid indexes are (0...numResponses-1).
* The user must call CMMF_DestroyCertResponse after the return value is

18
security/nss/lib/crmf/crmf.h
View File

@ -84,7 +84,7 @@ extern SECStatus
* The function fn will be called, probably multiple times whenever
* the ASN1 encoder wants to write out DER-encoded bytes. Look at the
* comments in crmft.h where the CRMFEncoderOutputCallback type is
* defined for information on proper behavior of the funciton fn.
* defined for information on proper behavior of the function fn.
* RETURN:
* SECSuccess if encoding was successful. Any other return value
* indicates an error occurred during encoding.
@ -116,7 +116,7 @@ extern SECStatus CRMF_EncodeCertRequest (CRMFCertRequest *inCertReq,
* OUTPUT:
* The function fn will be called, probably multiple times. Look at the
* comments in crmft.h where the CRMFEncoderOutputCallback type is
* defined for information on proper behavior of the funciton fn.
* defined for information on proper behavior of the function fn.
*
* RETURN:
* SECSuccess if encoding the Certificate Request Messages was successful.
@ -616,7 +616,7 @@ extern SECStatus CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg);
*
* The last 3 arguments are for future compatibility in case we ever want to
* support generating POPOSigningKeyInput. Pass in NULL for all 3 if you
* definitely don't want the funciton to even try to generate
* definitely don't want the function to even try to generate
* POPOSigningKeyInput. If you try to use POPOSigningKeyInput, the function
* will fail.
*
@ -655,10 +655,10 @@ extern SECStatus
* Adds Proof Of Possession using the keyEncipherment field of
* ProofOfPossession.
*
* The funciton looks at the the inKeyChoice parameter and interprets it in
* The function looks at the the inKeyChoice parameter and interprets it in
* in the following manner.
*
* If a parameter is not mentioned under interpretation, the funciton will not
* If a parameter is not mentioned under interpretation, the function will not
* look at its value when implementing that case.
*
* inKeyChoice Interpretation
@ -709,10 +709,10 @@ extern SECStatus
* Adds Proof Of Possession using the keyAgreement field of
* ProofOfPossession.
*
* The funciton looks at the the inKeyChoice parameter and interprets it in
* The function looks at the the inKeyChoice parameter and interprets it in
* in the following manner.
*
* If a parameter is not mentioned under interpretation, the funciton will not
* If a parameter is not mentioned under interpretation, the function will not
* look at its value when implementing that case.
*
* inKeyChoice Interpretation
@ -954,7 +954,7 @@ extern SECStatus
* RETURN:
* If the issuer is present in the cert request cert template, the function
* returns SECSuccess and places a copy of the issuer in *destIssuer.
* If there is no issuer present, the funciton returns SECFailure and the
* If there is no issuer present, the function returns SECFailure and the
* value at *destIssuer is unchanged.
*/
extern SECStatus
@ -1766,7 +1766,7 @@ extern SECStatus
/* Helper functions that can be used by other libraries. */
/*
* A quick helper funciton to get the best wrap mechanism.
* A quick helper function to get the best wrap mechanism.
*/
extern CK_MECHANISM_TYPE CRMF_GetBestWrapPadMechanism(PK11SlotInfo *slot);

2
security/nss/lib/crmf/crmffut.h
View File

@ -41,7 +41,7 @@
/*
* Use this function to create the CRMFSinglePubInfo* variables that will
* populate the inPubInfoArray paramter for the funciton
* populate the inPubInfoArray parameter for the function
* CRMF_CreatePKIPublicationInfo.
*
* "inPubMethod" specifies which publication method will be used

2
security/nss/lib/crmf/crmfi.h
View File

@ -93,7 +93,7 @@ struct crmfEncoderOutput {
};
/*
* This funciton is used by the API for encoding functions that are
* This function is used by the API for encoding functions that are
* exposed through the API, ie all of the CMMF_Encode* and CRMF_Encode*
* functions.
*/

4
security/nss/lib/cryptohi/cryptohi.h
View File

@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: cryptohi.h,v 1.14 2010/02/10 00:49:43 wtc%google.com Exp $ */
/* $Id: cryptohi.h,v 1.15 2010/08/12 01:15:37 wtc%google.com Exp $ */
#ifndef _CRYPTOHI_H_
#define _CRYPTOHI_H_
@ -164,7 +164,7 @@ extern SECStatus SGN_Digest(SECKEYPrivateKey *privKey,
** "pk" the private key to encrypt with
*/
extern SECStatus SEC_DerSignData(PLArenaPool *arena, SECItem *result,
unsigned char *buf, int len,
const unsigned char *buf, int len,
SECKEYPrivateKey *pk, SECOidTag algid);
/*

10
security/nss/lib/cryptohi/keyhi.h
View File

@ -35,7 +35,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: keyhi.h,v 1.17 2008/06/14 14:20:00 wtc%google.com Exp $ */
/* $Id: keyhi.h,v 1.18 2011/07/24 13:48:12 wtc%google.com Exp $ */
#ifndef _KEYHI_H_
#define _KEYHI_H_
@ -67,18 +67,12 @@ extern SECStatus SECKEY_CopySubjectPublicKeyInfo(PLArenaPool *arena,
/*
** Update the PQG parameters for a cert's public key.
** Only done for DSA and Fortezza certs
** Only done for DSA certs
*/
extern SECStatus
SECKEY_UpdateCertPQG(CERTCertificate * subjectCert);
/* Compare the KEA parameters of two public keys.
* Only used by fortezza. */
extern SECStatus
SECKEY_KEAParamCompare(CERTCertificate *cert1,CERTCertificate *cert2);
/*
** Return the strength of the public key in bytes
*/

22
security/nss/lib/cryptohi/keythi.h
View File

@ -43,7 +43,7 @@
#include "prclist.h"
/*
** RFC 4055 specifies three different RSA key types.
** RFC 4055 Section 1.2 specifies three different RSA key types.
**
** rsaKey maps to keys with SEC_OID_PKCS1_RSA_ENCRYPTION and can be used for
** both encryption and signatures with old (PKCS #1 v1.5) and new (PKCS #1
@ -60,9 +60,9 @@ typedef enum {
nullKey = 0,
rsaKey = 1,
dsaKey = 2,
fortezzaKey = 3,
fortezzaKey = 3, /* deprecated */
dhKey = 4,
keaKey = 5,
keaKey = 5, /* deprecated */
ecKey = 6,
rsaPssKey = 7,
rsaOaepKey = 8
@ -74,6 +74,7 @@ typedef enum {
SEC_BEGIN_PROTOS
extern const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[];
extern const SEC_ASN1Template SECKEY_RSAPSSParamsTemplate[];
extern const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[];
extern const SEC_ASN1Template SECKEY_DHPublicKeyTemplate[];
extern const SEC_ASN1Template SECKEY_DHParamKeyTemplate[];
@ -81,8 +82,9 @@ extern const SEC_ASN1Template SECKEY_PQGParamsTemplate[];
extern const SEC_ASN1Template SECKEY_DSAPrivateKeyExportTemplate[];
/* Windows DLL accessor functions */
extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_DSAPublicKeyTemplate;
extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_RSAPublicKeyTemplate;
SEC_ASN1_CHOOSER_DECLARE(SECKEY_DSAPublicKeyTemplate)
SEC_ASN1_CHOOSER_DECLARE(SECKEY_RSAPublicKeyTemplate)
SEC_ASN1_CHOOSER_DECLARE(SECKEY_RSAPSSParamsTemplate)
SEC_END_PROTOS
@ -98,6 +100,16 @@ struct SECKEYRSAPublicKeyStr {
};
typedef struct SECKEYRSAPublicKeyStr SECKEYRSAPublicKey;
/*
** RSA-PSS parameters
*/
struct SECKEYRSAPSSParamsStr {
SECAlgorithmID *hashAlg;
SECAlgorithmID *maskAlg;
SECItem saltLength;
SECItem trailerField;
};
typedef struct SECKEYRSAPSSParamsStr SECKEYRSAPSSParams;
/*
** DSA Public Key and related structures

6
security/nss/lib/cryptohi/manifest.mn
View File

@ -38,8 +38,6 @@ CORE_DEPTH = ../../..
MODULE = nss
REQUIRES = dbm
LIBRARY_NAME = cryptohi
EXPORTS = \
@ -54,7 +52,7 @@ EXPORTS = \
PRIVATE_EXPORTS = \
$(NULL)
LIBSRCS = \
CSRCS = \
sechash.c \
seckey.c \
secsign.c \
@ -62,7 +60,5 @@ LIBSRCS = \
dsautil.c \
$(NULL)
CSRCS = $(LIBSRCS)
# This part of the code, including all sub-dirs, can be optimized for size
export ALLOW_OPT_CODE_SIZE = 1

19
security/nss/lib/cryptohi/sechash.c
View File

@ -91,6 +91,11 @@ sha1_NewContext(void) {
return (void *) PK11_CreateDigestContext(SEC_OID_SHA1);
}
static void *
sha224_NewContext(void) {
return (void *) PK11_CreateDigestContext(SEC_OID_SHA224);
}
static void *
sha256_NewContext(void) {
return (void *) PK11_CreateDigestContext(SEC_OID_SHA256);
@ -184,6 +189,17 @@ const SECHashObject SECHashObjects[] = {
SHA512_BLOCK_LENGTH,
HASH_AlgSHA512
},
{ SHA224_LENGTH,
(void * (*)(void)) sha224_NewContext,
(void * (*)(void *)) PK11_CloneContext,
(void (*)(void *, PRBool)) PK11_DestroyContext,
(void (*)(void *)) PK11_DigestBegin,
(void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
(void (*)(void *, unsigned char *, unsigned int *, unsigned int))
PK11_DigestFinal,
SHA224_BLOCK_LENGTH,
HASH_AlgSHA224
},
};
const SECHashObject *
@ -201,6 +217,7 @@ HASH_GetHashTypeByOidTag(SECOidTag hashOid)
case SEC_OID_MD2: ht = HASH_AlgMD2; break;
case SEC_OID_MD5: ht = HASH_AlgMD5; break;
case SEC_OID_SHA1: ht = HASH_AlgSHA1; break;
case SEC_OID_SHA224: ht = HASH_AlgSHA224; break;
case SEC_OID_SHA256: ht = HASH_AlgSHA256; break;
case SEC_OID_SHA384: ht = HASH_AlgSHA384; break;
case SEC_OID_SHA512: ht = HASH_AlgSHA512; break;
@ -220,6 +237,7 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid)
/* no oid exists for HMAC_MD2 */
/* NSS does not define a oid for HMAC_MD4 */
case SEC_OID_HMAC_SHA1: hashOid = SEC_OID_SHA1; break;
case SEC_OID_HMAC_SHA224: hashOid = SEC_OID_SHA224; break;
case SEC_OID_HMAC_SHA256: hashOid = SEC_OID_SHA256; break;
case SEC_OID_HMAC_SHA384: hashOid = SEC_OID_SHA384; break;
case SEC_OID_HMAC_SHA512: hashOid = SEC_OID_SHA512; break;
@ -239,6 +257,7 @@ HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid)
/* no oid exists for HMAC_MD2 */
/* NSS does not define a oid for HMAC_MD4 */
case SEC_OID_SHA1: hmacOid = SEC_OID_HMAC_SHA1; break;
case SEC_OID_SHA224: hmacOid = SEC_OID_HMAC_SHA224; break;
case SEC_OID_SHA256: hmacOid = SEC_OID_HMAC_SHA256; break;
case SEC_OID_SHA384: hmacOid = SEC_OID_HMAC_SHA384; break;
case SEC_OID_SHA512: hmacOid = SEC_OID_HMAC_SHA512; break;

271
security/nss/lib/cryptohi/seckey.c
View File

@ -51,6 +51,7 @@
#include "keyi.h"
SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
SEC_ASN1_MKSUB(SEC_IntegerTemplate)
const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[] = {
{ SEC_ASN1_SEQUENCE,
@ -78,6 +79,34 @@ const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[] = {
{ 0, }
};
static const SEC_ASN1Template seckey_PointerToAlgorithmIDTemplate[] = {
{ SEC_ASN1_POINTER | SEC_ASN1_XTRN, 0,
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }
};
/* Parameters for SEC_OID_PKCS1_RSA_PSS_SIGNATURE */
const SEC_ASN1Template SECKEY_RSAPSSParamsTemplate[] =
{
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYRSAPSSParams) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
SEC_ASN1_CONTEXT_SPECIFIC | 0,
offsetof(SECKEYRSAPSSParams, hashAlg),
seckey_PointerToAlgorithmIDTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
SEC_ASN1_CONTEXT_SPECIFIC | 1,
offsetof(SECKEYRSAPSSParams, maskAlg),
seckey_PointerToAlgorithmIDTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
SEC_ASN1_XTRN | SEC_ASN1_CONTEXT_SPECIFIC | 2,
offsetof(SECKEYRSAPSSParams, saltLength),
SEC_ASN1_SUB(SEC_IntegerTemplate) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
SEC_ASN1_XTRN | SEC_ASN1_CONTEXT_SPECIFIC | 3,
offsetof(SECKEYRSAPSSParams, trailerField),
SEC_ASN1_SUB(SEC_IntegerTemplate) },
{ 0 }
};
const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[] = {
{ SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dsa.publicValue), },
{ 0, }
@ -107,6 +136,7 @@ const SEC_ASN1Template SECKEY_DHParamKeyTemplate[] = {
SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_DSAPublicKeyTemplate)
SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_RSAPublicKeyTemplate)
SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_RSAPSSParamsTemplate)
SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SubjectPublicKeyInfoTemplate)
/*
@ -296,128 +326,14 @@ SECKEY_CopySubjectPublicKeyInfo(PRArenaPool *arena,
return rv;
}
SECStatus
SECKEY_KEASetParams(SECKEYKEAParams * params, SECKEYPublicKey * pubKey) {
if (pubKey->keyType == fortezzaKey) {
/* the key is a fortezza V1 public key */
/* obtain hash of pubkey->u.fortezza.params.prime.data +
pubkey->u.fortezza.params.subPrime.data +
pubkey->u.fortezza.params.base.data */
/* store hash in params->hash */
} else if (pubKey->keyType == keaKey) {
/* the key is a new fortezza KEA public key. */
SECITEM_CopyItem(pubKey->arena, &params->hash,
&pubKey->u.kea.params.hash );
} else {
/* the key has no KEA parameters */
return SECFailure;
}
return SECSuccess;
}
SECStatus
SECKEY_KEAParamCompare(CERTCertificate *cert1,CERTCertificate *cert2)
{
SECStatus rv;
SECKEYPublicKey *pubKey1 = 0;
SECKEYPublicKey *pubKey2 = 0;
SECKEYKEAParams params1;
SECKEYKEAParams params2;
rv = SECFailure;
/* get cert1's public key */
pubKey1 = CERT_ExtractPublicKey(cert1);
if ( !pubKey1 ) {
return(SECFailure);
}
/* get cert2's public key */
pubKey2 = CERT_ExtractPublicKey(cert2);
if ( !pubKey2 ) {
return(SECFailure);
}
/* handle the case when both public keys are new
* fortezza KEA public keys. */
if ((pubKey1->keyType == keaKey) &&
(pubKey2->keyType == keaKey) ) {
rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.kea.params.hash,
&pubKey2->u.kea.params.hash);
goto done;
}
/* handle the case when both public keys are old fortezza
* public keys. */
if ((pubKey1->keyType == fortezzaKey) &&
(pubKey2->keyType == fortezzaKey) ) {
rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.prime,
&pubKey2->u.fortezza.keaParams.prime);
if (rv == SECEqual) {
rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.subPrime,
&pubKey2->u.fortezza.keaParams.subPrime);
}
if (rv == SECEqual) {
rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.base,
&pubKey2->u.fortezza.keaParams.base);
}
goto done;
}
/* handle the case when the public keys are a mixture of
* old and new. */
rv = SECKEY_KEASetParams(&params1, pubKey1);
if (rv != SECSuccess) return rv;
rv = SECKEY_KEASetParams(&params2, pubKey2);
if (rv != SECSuccess) return rv;
rv = (SECStatus)SECITEM_CompareItem(&params1.hash, &params2.hash);
done:
SECKEY_DestroyPublicKey(pubKey1);
SECKEY_DestroyPublicKey(pubKey2);
return rv; /* returns SECEqual if parameters are equal */
}
/* Procedure to update the pqg parameters for a cert's public key.
* pqg parameters only need to be updated for DSA and fortezza certificates.
* pqg parameters only need to be updated for DSA certificates.
* The procedure uses calls to itself recursively to update a certificate
* issuer's pqg parameters. Some important rules are:
* - Do nothing if the cert already has PQG parameters.
* - If the cert does not have PQG parameters, obtain them from the issuer.
* - A valid cert chain cannot have a DSA or Fortezza cert without
* pqg parameters that has a parent that is not a DSA or Fortezza cert.
* - pqg parameters are stored in two different formats: the standard
* DER encoded format and the fortezza-only wrapped format. The params
* should be copied from issuer to subject cert without modifying the
* formats. The public key extraction code will deal with the different
* formats at the time of extraction. */
* - A valid cert chain cannot have a DSA cert without
* pqg parameters that has a parent that is not a DSA cert. */
static SECStatus
seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count)
@ -443,14 +359,10 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count)
if (oid != NULL) {
tag = oid->offset;
/* Check if cert has a DSA or Fortezza public key. If not, return
/* Check if cert has a DSA public key. If not, return
* success since no PQG params need to be updated. */
if ( (tag != SEC_OID_MISSI_KEA_DSS_OLD) &&
(tag != SEC_OID_MISSI_DSS_OLD) &&
(tag != SEC_OID_MISSI_KEA_DSS) &&
(tag != SEC_OID_MISSI_DSS) &&
(tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
if ( (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
(tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
(tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
(tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
@ -482,21 +394,17 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count)
return SECFailure;
}
/* if parent is not DSA or fortezza, return failure since
/* if parent is not DSA, return failure since
we don't allow this case. */
oid = SECOID_FindOID(&issuerCert->subjectPublicKeyInfo.algorithm.algorithm);
if (oid != NULL) {
tag = oid->offset;
/* Check if issuer cert has a DSA or Fortezza public key. If not,
/* Check if issuer cert has a DSA public key. If not,
* return failure. */
if ( (tag != SEC_OID_MISSI_KEA_DSS_OLD) &&
(tag != SEC_OID_MISSI_DSS_OLD) &&
(tag != SEC_OID_MISSI_KEA_DSS) &&
(tag != SEC_OID_MISSI_DSS) &&
(tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
if ( (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
(tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
(tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
(tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
@ -511,7 +419,7 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count)
/* at this point the subject cert has no pqg parameters and the
* issuer cert has a DSA or fortezza public key. Update the issuer's
* issuer cert has a DSA public key. Update the issuer's
* pqg parameters with a recursive call to this same function. */
rv = seckey_UpdateCertPQGChain(issuerCert, count);
@ -780,18 +688,6 @@ CERT_ExtractPublicKey(CERTCertificate *cert)
return seckey_ExtractPublicKey(&cert->subjectPublicKeyInfo);
}
/*
* Get the public key for the fortezza KMID. NOTE this requires the
* PQG parameters to be set. We probably should have a fortezza call that
* just extracts the kmid for us directly so this function can work
* without having the whole cert chain
*/
SECKEYPublicKey *
CERT_KMIDPublicKey(CERTCertificate *cert)
{
return seckey_ExtractPublicKey(&cert->subjectPublicKeyInfo);
}
int
SECKEY_ECParamsToKeySize(const SECItem *encodedParams)
{
@ -1075,8 +971,7 @@ SECKEY_PublicKeyStrength(const SECKEYPublicKey *pubk)
unsigned char b0;
unsigned size;
/* interpret modulus length as key strength... in
* fortezza that's the public key length */
/* interpret modulus length as key strength */
if (!pubk)
goto loser;
switch (pubk->keyType) {
@ -1094,8 +989,6 @@ SECKEY_PublicKeyStrength(const SECKEYPublicKey *pubk)
b0 = pubk->u.dh.publicValue.data[0];
return b0 ? pubk->u.dh.publicValue.len :
pubk->u.dh.publicValue.len - 1;
case fortezzaKey:
return PR_MAX(pubk->u.fortezza.KEAKey.len, pubk->u.fortezza.DSSKey.len);
case ecKey:
/* Get the key size in bits and adjust */
size = SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams);
@ -1117,7 +1010,6 @@ SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk)
case rsaKey:
case dsaKey:
case dhKey:
case fortezzaKey:
return SECKEY_PublicKeyStrength(pubk) * 8; /* 1 byte = 8 bits */
case ecKey:
size = SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams);
@ -1140,7 +1032,6 @@ SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
case rsaKey:
b0 = pubk->u.rsa.modulus.data[0];
return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
case fortezzaKey:
case dsaKey:
return DSA_SIGNATURE_LEN;
case ecKey:
@ -1255,51 +1146,6 @@ SECKEY_CopyPublicKey(const SECKEYPublicKey *pubk)
rv = SECITEM_CopyItem(arena, &copyk->u.dsa.params.base,
&pubk->u.dsa.params.base);
break;
case keaKey:
rv = SECITEM_CopyItem(arena, &copyk->u.kea.publicValue,
&pubk->u.kea.publicValue);
if (rv != SECSuccess) break;
rv = SECITEM_CopyItem(arena, &copyk->u.kea.params.hash,
&pubk->u.kea.params.hash);
break;
case fortezzaKey:
copyk->u.fortezza.KEAversion = pubk->u.fortezza.KEAversion;
copyk->u.fortezza.DSSversion = pubk->u.fortezza.DSSversion;
PORT_Memcpy(copyk->u.fortezza.KMID, pubk->u.fortezza.KMID,
sizeof(pubk->u.fortezza.KMID));
rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.clearance,
&pubk->u.fortezza.clearance);
if (rv != SECSuccess) break;
rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.KEAprivilege,
&pubk->u.fortezza.KEAprivilege);
if (rv != SECSuccess) break;
rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.DSSprivilege,
&pubk->u.fortezza.DSSprivilege);
if (rv != SECSuccess) break;
rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.KEAKey,
&pubk->u.fortezza.KEAKey);
if (rv != SECSuccess) break;
rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.DSSKey,
&pubk->u.fortezza.DSSKey);
if (rv != SECSuccess) break;
rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.params.prime,
&pubk->u.fortezza.params.prime);
if (rv != SECSuccess) break;
rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.params.subPrime,
&pubk->u.fortezza.params.subPrime);
if (rv != SECSuccess) break;
rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.params.base,
&pubk->u.fortezza.params.base);
if (rv != SECSuccess) break;
rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.keaParams.prime,
&pubk->u.fortezza.keaParams.prime);
if (rv != SECSuccess) break;
rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.keaParams.subPrime,
&pubk->u.fortezza.keaParams.subPrime);
if (rv != SECSuccess) break;
rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.keaParams.base,
&pubk->u.fortezza.keaParams.base);
break;
case dhKey:
rv = SECITEM_CopyItem(arena,&copyk->u.dh.prime,&pubk->u.dh.prime);
if (rv != SECSuccess) break;
@ -1366,12 +1212,7 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk)
pubk->pkcs11ID = CK_INVALID_HANDLE;
pubk->arena = arena;
/*
* fortezza is at the head of this switch, since we don't want to
* allocate an arena... CERT_ExtractPublicKey will to that for us.
*/
switch(privk->keyType) {
case fortezzaKey:
case nullKey:
case dhKey:
case dsaKey:
@ -1500,40 +1341,8 @@ SECKEY_CreateSubjectPublicKeyInfo(SECKEYPublicKey *pubk)
return spki;
}
break;
case keaKey:
case dhKey: /* later... */
break;
case fortezzaKey:
#ifdef notdef
/* encode the DSS parameters (PQG) */
rv = FortezzaBuildParams(&params,pubk);
if (rv != SECSuccess) break;
/* set the algorithm */
rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
SEC_OID_MISSI_KEA_DSS, &params);
PORT_Free(params.data);
if (rv == SECSuccess) {
/*
* Encode the public key into the subjectPublicKeyInfo.
* Fortezza key material is not standard DER
*/
rv = FortezzaEncodeCertKey(arena,&spki->subjectPublicKey,pubk);
if (rv == SECSuccess) {
/*
* The stored value is supposed to be a BIT_STRING,
* so convert the length.
*/
spki->subjectPublicKey.len <<= 3;
/*
* We got a good one; return it.
*/
return spki;
}
}
#endif
break;
default:
break;

10
security/nss/lib/cryptohi/secsign.c
View File

@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: secsign.c,v 1.22 2010/02/10 00:49:43 wtc%google.com Exp $ */
/* $Id: secsign.c,v 1.26 2011/07/24 13:48:12 wtc%google.com Exp $ */
#include <stdio.h>
#include "cryptohi.h"
@ -83,8 +83,7 @@ SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key)
/* verify our key type */
if (key->keyType != keyType &&
!((key->keyType == dsaKey) && (keyType == fortezzaKey)) &&
!((key->keyType == fortezzaKey) && (keyType == dsaKey)) ) {
!((key->keyType == dsaKey) && (keyType == fortezzaKey)) ) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return 0;
}
@ -341,7 +340,8 @@ SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SignedDataTemplate)
SECStatus
SEC_DerSignData(PRArenaPool *arena, SECItem *result,
unsigned char *buf, int len, SECKEYPrivateKey *pk, SECOidTag algID)
const unsigned char *buf, int len, SECKEYPrivateKey *pk,
SECOidTag algID)
{
SECItem it;
CERTSignedData sd;
@ -376,7 +376,7 @@ SEC_DerSignData(PRArenaPool *arena, SECItem *result,
/* Fill out SignedData object */
PORT_Memset(&sd, 0, sizeof(sd));
sd.data.data = buf;
sd.data.data = (unsigned char*) buf;
sd.data.len = len;
sd.signature.data = it.data;
sd.signature.len = it.len << 3; /* convert to bit string */

33
security/nss/lib/dev/ckhelper.c
View File

@ -35,7 +35,7 @@
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: ckhelper.c,v $ $Revision: 1.40 $ $Date: 2010/01/08 02:00:58 $";
static const char CVS_ID[] = "@(#) $RCSfile: ckhelper.c,v $ $Revision: 1.41 $ $Date: 2011/04/13 00:10:25 $";
#endif /* DEBUG */
#include "pkcs11.h"
@ -78,7 +78,7 @@ is_string_attribute (
PRBool isString;
switch (aType) {
case CKA_LABEL:
case CKA_NETSCAPE_EMAIL:
case CKA_NSS_EMAIL:
isString = PR_TRUE;
break;
default:
@ -401,14 +401,13 @@ get_nss_trust (
{
nssTrustLevel t;
switch (ckt) {
case CKT_NETSCAPE_UNTRUSTED: t = nssTrustLevel_NotTrusted; break;
case CKT_NETSCAPE_TRUSTED_DELEGATOR: t = nssTrustLevel_TrustedDelegator;
case CKT_NSS_NOT_TRUSTED: t = nssTrustLevel_NotTrusted; break;
case CKT_NSS_TRUSTED_DELEGATOR: t = nssTrustLevel_TrustedDelegator;
break;
case CKT_NETSCAPE_VALID_DELEGATOR: t = nssTrustLevel_ValidDelegator; break;
case CKT_NETSCAPE_TRUSTED: t = nssTrustLevel_Trusted; break;
case CKT_NETSCAPE_VALID: t = nssTrustLevel_Valid; break;
case CKT_NETSCAPE_MUST_VERIFY:
case CKT_NETSCAPE_TRUST_UNKNOWN:
case CKT_NSS_VALID_DELEGATOR: t = nssTrustLevel_ValidDelegator; break;
case CKT_NSS_TRUSTED: t = nssTrustLevel_Trusted; break;
case CKT_NSS_MUST_VERIFY_TRUST: t = nssTrustLevel_MustVerify; break;
case CKT_NSS_TRUST_UNKNOWN:
default:
t = nssTrustLevel_Unknown; break;
}
@ -432,10 +431,10 @@ nssCryptokiTrust_GetAttributes (
nssSession *session;
CK_BBOOL isToken = PR_FALSE;
CK_BBOOL stepUp = PR_FALSE;
CK_TRUST saTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
CK_TRUST caTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
CK_TRUST epTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
CK_TRUST csTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
CK_TRUST saTrust = CKT_NSS_TRUST_UNKNOWN;
CK_TRUST caTrust = CKT_NSS_TRUST_UNKNOWN;
CK_TRUST epTrust = CKT_NSS_TRUST_UNKNOWN;
CK_TRUST csTrust = CKT_NSS_TRUST_UNKNOWN;
CK_ATTRIBUTE_PTR attr;
CK_ATTRIBUTE trust_template[7];
CK_ULONG trust_size;
@ -453,7 +452,7 @@ nssCryptokiTrust_GetAttributes (
status = nssToken_GetCachedObjectAttributes(trustObject->token, NULL,
trustObject,
CKO_NETSCAPE_TRUST,
CKO_NSS_TRUST,
trust_template, trust_size);
if (status != PR_SUCCESS) {
session = sessionOpt ?
@ -510,10 +509,10 @@ nssCryptokiCRL_GetAttributes (
NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_VALUE);
}
if (urlOpt) {
NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NETSCAPE_URL);
NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NSS_URL);
}
if (isKRLOpt) {
NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NETSCAPE_KRL);
NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NSS_KRL);
}
if (subjectOpt) {
NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_SUBJECT);
@ -522,7 +521,7 @@ nssCryptokiCRL_GetAttributes (
status = nssToken_GetCachedObjectAttributes(crlObject->token, NULL,
crlObject,
CKO_NETSCAPE_CRL,
CKO_NSS_CRL,
crl_template, crl_size);
if (status != PR_SUCCESS) {
session = sessionOpt ?

4
security/nss/lib/dev/devt.h
View File

@ -38,7 +38,7 @@
#define DEVT_H
#ifdef DEBUG
static const char DEVT_CVS_ID[] = "@(#) $RCSfile: devt.h,v $ $Revision: 1.24 $ $Date: 2010/01/08 02:00:58 $";
static const char DEVT_CVS_ID[] = "@(#) $RCSfile: devt.h,v $ $Revision: 1.25 $ $Date: 2011/04/13 00:10:25 $";
#endif /* DEBUG */
/*
@ -143,7 +143,7 @@ typedef enum {
nssTrustLevel_NotTrusted = 1,
nssTrustLevel_Trusted = 2,
nssTrustLevel_TrustedDelegator = 3,
nssTrustLevel_Valid = 4,
nssTrustLevel_MustVerify = 4,
nssTrustLevel_ValidDelegator = 5
} nssTrustLevel;

38
security/nss/lib/dev/devtoken.c
View File

@ -35,7 +35,7 @@
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.54 $ $Date: 2010/04/03 18:27:30 $";
static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.56 $ $Date: 2011/07/12 21:29:20 $";
#endif /* DEBUG */
#include "pkcs11.h"
@ -522,7 +522,7 @@ nssToken_ImportCertificate (
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER, serial);
if (email) {
NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_EMAIL, email);
NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NSS_EMAIL, email);
}
NSS_CK_TEMPLATE_FINISH(cert_tmpl, attr, ctsize);
/* see if the cert is already there */
@ -714,7 +714,7 @@ nssToken_FindCertificatesByNickname (
/* XXX
* This function *does not* use the token object cache, because not even
* the softoken will return a value for CKA_NETSCAPE_EMAIL from a call
* the softoken will return a value for CKA_NSS_EMAIL from a call
* to GetAttributes. The softoken does allow searches with that attribute,
* it just won't return a value for it.
*/
@ -733,7 +733,7 @@ nssToken_FindCertificatesByEmail (
CK_ULONG etsize;
nssCryptokiObject **objects;
NSS_CK_TEMPLATE_START(email_template, attr, etsize);
NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_EMAIL, email);
NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NSS_EMAIL, email);
/* Set the search to token/session only if provided */
if (searchType == nssTokenSearchType_SessionOnly) {
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
@ -1071,14 +1071,14 @@ get_ck_trust (
{
CK_TRUST t;
switch (nssTrust) {
case nssTrustLevel_NotTrusted: t = CKT_NETSCAPE_UNTRUSTED; break;
case nssTrustLevel_TrustedDelegator: t = CKT_NETSCAPE_TRUSTED_DELEGATOR;
case nssTrustLevel_NotTrusted: t = CKT_NSS_NOT_TRUSTED; break;
case nssTrustLevel_TrustedDelegator: t = CKT_NSS_TRUSTED_DELEGATOR;
break;
case nssTrustLevel_ValidDelegator: t = CKT_NETSCAPE_VALID_DELEGATOR; break;
case nssTrustLevel_Trusted: t = CKT_NETSCAPE_TRUSTED; break;
case nssTrustLevel_Valid: t = CKT_NETSCAPE_VALID; break;
case nssTrustLevel_ValidDelegator: t = CKT_NSS_VALID_DELEGATOR; break;
case nssTrustLevel_Trusted: t = CKT_NSS_TRUSTED; break;
case nssTrustLevel_MustVerify: t = CKT_NSS_MUST_VERIFY_TRUST; break;
case nssTrustLevel_Unknown:
default: t = CKT_NETSCAPE_TRUST_UNKNOWN; break;
default: t = CKT_NSS_TRUST_UNKNOWN; break;
}
return t;
}
@ -1099,7 +1099,7 @@ nssToken_ImportTrust (
)
{
nssCryptokiObject *object;
CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
CK_OBJECT_CLASS tobjc = CKO_NSS_TRUST;
CK_TRUST ckSA, ckCA, ckCS, ckEP;
CK_ATTRIBUTE_PTR attr;
CK_ATTRIBUTE trust_tmpl[11];
@ -1158,7 +1158,7 @@ nssToken_FindTrustForCertificate (
nssTokenSearchType searchType
)
{
CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
CK_OBJECT_CLASS tobjc = CKO_NSS_TRUST;
CK_ATTRIBUTE_PTR attr;
CK_ATTRIBUTE tobj_template[5];
CK_ULONG tobj_size;
@ -1172,9 +1172,7 @@ nssToken_FindTrustForCertificate (
}
NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
if (searchType == nssTokenSearchType_SessionOnly) {
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
} else if (searchType == nssTokenSearchType_TokenOnly) {
if (searchType == nssTokenSearchType_TokenOnly) {
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
}
NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, tobjc);
@ -1203,7 +1201,7 @@ nssToken_ImportCRL (
)
{
nssCryptokiObject *object;
CK_OBJECT_CLASS crlobjc = CKO_NETSCAPE_CRL;
CK_OBJECT_CLASS crlobjc = CKO_NSS_CRL;
CK_ATTRIBUTE_PTR attr;
CK_ATTRIBUTE crl_tmpl[6];
CK_ULONG crlsize;
@ -1217,11 +1215,11 @@ nssToken_ImportCRL (
NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, crlobjc);
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE, encoding);
NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_URL, url);
NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NSS_URL, url);
if (isKRL) {
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NETSCAPE_KRL, &g_ck_true);
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NSS_KRL, &g_ck_true);
} else {
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NETSCAPE_KRL, &g_ck_false);
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NSS_KRL, &g_ck_false);
}
NSS_CK_TEMPLATE_FINISH(crl_tmpl, attr, crlsize);
@ -1244,7 +1242,7 @@ nssToken_FindCRLsBySubject (
PRStatus *statusOpt
)
{
CK_OBJECT_CLASS crlobjc = CKO_NETSCAPE_CRL;
CK_OBJECT_CLASS crlobjc = CKO_NSS_CRL;
CK_ATTRIBUTE_PTR attr;
CK_ATTRIBUTE crlobj_template[3];
CK_ULONG crlobj_size;

48
security/nss/lib/freebl/Makefile
View File

@ -82,10 +82,48 @@ ifeq ($(FREEBL_NO_DEPEND),1)
else
MAPFILE_SOURCE = freebl.def
endif
# FREEBL_USE_PRELINK
#
# Most modern version of Linux support a speed optimization scheme where an
# application called prelink modifies programs and shared libraries to quickly
# load if they fit into an already designed address space. In short, prelink
# scans the list of programs and libraries on your system, assigns them a
# predefined space in the the address space, then provides the fixups to the
# library.
#
# The modification of the shared library is correctly detected by the freebl
# FIPS checksum scheme where we check a signed hash of the library against the
# library itself.
#
# The prelink command itself can reverse the process of modification and output
# the prestine shared library as it was before prelink made it's changes.
# This option tells Freebl could use prelink to output the original copy of
# the shared library before prelink modified it.
#
# FREEBL_PRELINK_COMMAND
#
# This is an optional environment variable which can override the default
# prelink command. It could be used on systems that did something similiar to
# prelink but used a different command and syntax. The only requirement is the
# program must take the library as the last argument, the program must output
# the original library to standard out, and the program does not need to take
# any quoted or imbedded spaces in its arguments (except the path to the
# library itself, which can have imbedded spaces or special characters).
#
ifdef FREEBL_USE_PRELINK
DEFINES += -DFREEBL_USE_PRELINK
ifdef LINUX
DEFINES += -D__GNU_SOURCE=1
endif
endif
ifdef FREEBL_PRELINK_COMMAND
DEFINES +=-DFREEBL_PRELINK_COMMAND=\"$(FREEBL_PRELINK_COMMAND)\"
endif
# NSS_X86 means the target is a 32-bits x86 CPU architecture
# NSS_X64 means the target is a 64-bits x64 CPU architecture
# NSS_X86_OR_X64 means the target is either x86 or x64
ifeq (,$(filter-out x386 x86 x86_64,$(CPU_ARCH)))
ifeq (,$(filter-out i386 x386 x86 x86_64,$(CPU_ARCH)))
DEFINES += -DNSS_X86_OR_X64
ifdef USE_64
DEFINES += -DNSS_X64
@ -180,6 +218,12 @@ ifeq ($(CPU_ARCH),x86)
# The floating point ECC code doesn't work on Linux x86 (bug 311432).
#ECL_USE_FP = 1
endif
ifeq ($(CPU_ARCH),arm)
DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
DEFINES += -DMP_USE_UINT_DIGIT
DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
MPI_SRCS += mpi_arm.c
endif
endif # Linux
ifeq ($(OS_TARGET),AIX)
@ -215,12 +259,14 @@ else
MPI_SRCS += mpi_hp.c
ASFILES += hpma512.s hppa20.s
DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
ifndef NS_USE_GCC
ARCHFLAG = -Aa +e +DA2.0 +DS2.0
endif
endif
endif
endif
endif
endif
# The blapi functions are defined not only in the freebl shared
# libraries but also in the shared libraries linked with loader.c

37
security/nss/lib/freebl/blapi.h
View File

@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: blapi.h,v 1.33.22.2 2010/12/04 18:59:01 rrelyea%redhat.com Exp $ */
/* $Id: blapi.h,v 1.41 2010/12/06 17:22:49 kaie%kuix.de Exp $ */
#ifndef _BLAPI_H_
#define _BLAPI_H_
@ -1089,6 +1089,24 @@ extern void SHA1_Clone(SHA1Context *dest, SHA1Context *src);
/******************************************/
extern SHA224Context *SHA224_NewContext(void);
extern void SHA224_DestroyContext(SHA224Context *cx, PRBool freeit);
extern void SHA224_Begin(SHA224Context *cx);
extern void SHA224_Update(SHA224Context *cx, const unsigned char *input,
unsigned int inputLen);
extern void SHA224_End(SHA224Context *cx, unsigned char *digest,
unsigned int *digestLen, unsigned int maxDigestLen);
extern SECStatus SHA224_HashBuf(unsigned char *dest, const unsigned char *src,
uint32 src_length);
extern SECStatus SHA224_Hash(unsigned char *dest, const char *src);
extern void SHA224_TraceState(SHA224Context *cx);
extern unsigned int SHA224_FlattenSize(SHA224Context *cx);
extern SECStatus SHA224_Flatten(SHA224Context *cx,unsigned char *space);
extern SHA224Context * SHA224_Resurrect(unsigned char *space, void *arg);
extern void SHA224_Clone(SHA224Context *dest, SHA224Context *src);
/******************************************/
extern SHA256Context *SHA256_NewContext(void);
extern void SHA256_DestroyContext(SHA256Context *cx, PRBool freeit);
extern void SHA256_Begin(SHA256Context *cx);
@ -1142,13 +1160,17 @@ extern SHA384Context * SHA384_Resurrect(unsigned char *space, void *arg);
extern void SHA384_Clone(SHA384Context *dest, SHA384Context *src);
/****************************************
* implement TLS Pseudo Random Function (PRF)
* implement TLS 1.0 Pseudo Random Function (PRF) and TLS P_hash function
*/
extern SECStatus
TLS_PRF(const SECItem *secret, const char *label, SECItem *seed,
SECItem *result, PRBool isFIPS);
extern SECStatus
TLS_P_hash(HASH_HashType hashAlg, const SECItem *secret, const char *label,
SECItem *seed, SECItem *result, PRBool isFIPS);
/******************************************/
/*
** Pseudo Random Number Generation. FIPS compliance desirable.
@ -1235,6 +1257,12 @@ PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len,
extern SECStatus
PRNGTEST_Uninstantiate(void);
/*
* Mask generation function MGF1
*/
extern SECStatus
MGF1(HASH_HashType hashAlg, unsigned char *mask, unsigned int maskLen,
const unsigned char *mgfSeed, unsigned int mgfSeedLen);
/* Generate PQGParams and PQGVerify structs.
* Length of seed and length of h both equal length of P.
@ -1307,6 +1335,11 @@ extern void BL_Unload(void);
**************************************************************************/
PRBool BLAPI_SHVerify(const char *name, PRFuncPtr addr);
/**************************************************************************
* Verify a given filename's signature *
**************************************************************************/
PRBool BLAPI_SHVerifyFile(const char *shName);
/**************************************************************************
* Verify Are Own Shared library signature *
**************************************************************************/

6
security/nss/lib/freebl/blapii.h
View File

@ -42,11 +42,11 @@
SEC_BEGIN_PROTOS
#if defined(XP_UNIX) && !defined(NO_CHECK_FORK)
#if defined(XP_UNIX) && !defined(NO_FORK_CHECK)
extern PRBool parentForkedAfterC_Initialize;
extern PRBool bl_parentForkedAfterC_Initialize;
#define SKIP_AFTER_FORK(x) if (!parentForkedAfterC_Initialize) x
#define SKIP_AFTER_FORK(x) if (!bl_parentForkedAfterC_Initialize) x
#else

5
security/nss/lib/freebl/blapit.h
View File

@ -38,7 +38,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: blapit.h,v 1.22.22.1 2011/03/16 18:49:45 alexei.volkov.bugs%sun.com Exp $ */
/* $Id: blapit.h,v 1.24 2011/03/16 18:37:41 alexei.volkov.bugs%sun.com Exp $ */
#ifndef _BLAPIT_H_
#define _BLAPIT_H_
@ -106,6 +106,7 @@
#define MD2_BLOCK_LENGTH 64 /* bytes */
#define MD5_BLOCK_LENGTH 64 /* bytes */
#define SHA1_BLOCK_LENGTH 64 /* bytes */
#define SHA224_BLOCK_LENGTH 64 /* bytes */
#define SHA256_BLOCK_LENGTH 64 /* bytes */
#define SHA384_BLOCK_LENGTH 128 /* bytes */
#define SHA512_BLOCK_LENGTH 128 /* bytes */
@ -206,6 +207,8 @@ typedef struct MD2ContextStr MD2Context;
typedef struct MD5ContextStr MD5Context;
typedef struct SHA1ContextStr SHA1Context;
typedef struct SHA256ContextStr SHA256Context;
/* SHA224Context is really a SHA256ContextStr. This is not a mistake. */
typedef struct SHA256ContextStr SHA224Context;
typedef struct SHA512ContextStr SHA512Context;
/* SHA384Context is really a SHA512ContextStr. This is not a mistake. */
typedef struct SHA512ContextStr SHA384Context;

36
security/nss/lib/freebl/camellia.c
View File

@ -36,7 +36,7 @@
* ***** END LICENSE BLOCK ***** */
/*
* $Id: camellia.c,v 1.3 2010/04/30 00:10:53 wtc%google.com Exp $
* $Id: camellia.c,v 1.4 2010/07/20 01:26:02 wtc%google.com Exp $
*/
#ifdef FREEBL_NO_DEPEND
@ -50,6 +50,7 @@
#include "prtypes.h"
#include "blapi.h"
#include "camellia.h"
#include "sha_fast.h" /* for SHA_HTONL and related configuration macros */
/* key constants */
@ -72,15 +73,18 @@
*/
#if defined(_MSC_VER) && defined(NSS_X86_OR_X64)
#if defined(SHA_ALLOW_UNALIGNED_ACCESS)
/* require a little-endian CPU that allows unaligned access */
/* require a CPU that allows unaligned access */
# define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
# define GETU32(p) SWAP(*((PRUint32 *)(p)))
# define PUTU32(ct, st) {*((PRUint32 *)(ct)) = SWAP((st));}
#if defined(SHA_NEED_TMP_VARIABLE)
#define CAMELLIA_NEED_TMP_VARIABLE 1
#endif
#else /* not MSVC or not x86/x64 */
# define GETU32(p) SHA_HTONL(*((PRUint32 *)(p)))
# define PUTU32(ct, st) {*((PRUint32 *)(ct)) = SHA_HTONL(st);}
#else /* no unaligned access */
# define GETU32(pt) \
(((PRUint32)(pt)[0] << 24) \
@ -473,6 +477,9 @@ void camellia_setup128(const unsigned char *key, PRUint32 *subkey)
PRUint32 kw4l, kw4r, dw, tl, tr;
PRUint32 subL[26];
PRUint32 subR[26];
#if defined(CAMELLIA_NEED_TMP_VARIABLE)
PRUint32 tmp;
#endif
/**
* k == kll || klr || krl || krr (|| is concatination)
@ -685,6 +692,9 @@ void camellia_setup256(const unsigned char *key, PRUint32 *subkey)
PRUint32 kw4l, kw4r, dw, tl, tr;
PRUint32 subL[34];
PRUint32 subR[34];
#if defined(CAMELLIA_NEED_TMP_VARIABLE)
PRUint32 tmp;
#endif
/**
* key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
@ -991,6 +1001,9 @@ camellia_encrypt128(const PRUint32 *subkey,
{
PRUint32 il, ir, t0, t1;
PRUint32 io[4];
#if defined(CAMELLIA_NEED_TMP_VARIABLE)
PRUint32 tmp;
#endif
io[0] = GETU32(input);
io[1] = GETU32(input+4);
@ -1095,6 +1108,9 @@ camellia_decrypt128(const PRUint32 *subkey,
{
PRUint32 il,ir,t0,t1; /* temporary valiables */
PRUint32 io[4];
#if defined(CAMELLIA_NEED_TMP_VARIABLE)
PRUint32 tmp;
#endif
io[0] = GETU32(input);
io[1] = GETU32(input+4);
@ -1202,6 +1218,9 @@ camellia_encrypt256(const PRUint32 *subkey,
{
PRUint32 il,ir,t0,t1; /* temporary valiables */
PRUint32 io[4];
#if defined(CAMELLIA_NEED_TMP_VARIABLE)
PRUint32 tmp;
#endif
io[0] = GETU32(input);
io[1] = GETU32(input+4);
@ -1330,6 +1349,9 @@ camellia_decrypt256(const PRUint32 *subkey,
{
PRUint32 il,ir,t0,t1; /* temporary valiables */
PRUint32 io[4];
#if defined(CAMELLIA_NEED_TMP_VARIABLE)
PRUint32 tmp;
#endif
io[0] = GETU32(input);
io[1] = GETU32(input+4);

13
security/nss/lib/freebl/des.c
View File

@ -408,6 +408,19 @@ static const HALF PC2[8][64] = {
#pragma intrinsic(_byteswap_ulong)
#define BYTESWAP(word, temp) \
word = _byteswap_ulong(word);
#elif defined(__GNUC__) && (defined(__thumb2__) || \
(!defined(__thumb__) && \
(defined(__ARM_ARCH_6__) || \
defined(__ARM_ARCH_6J__) || \
defined(__ARM_ARCH_6K__) || \
defined(__ARM_ARCH_6Z__) || \
defined(__ARM_ARCH_6ZK__) || \
defined(__ARM_ARCH_6T2__) || \
defined(__ARM_ARCH_7__) || \
defined(__ARM_ARCH_7A__) || \
defined(__ARM_ARCH_7R__))))
#define BYTESWAP(word, temp) \
__asm("rev %0, %0" : "+r" (word));
#else
#define BYTESWAP(word, temp) \
word = (word >> 16) | (word << 16); \

9
security/nss/lib/freebl/dh.c
View File

@ -38,7 +38,7 @@
* Diffie-Hellman parameter generation, key generation, and secret derivation.
* KEA secret generation and verification.
*
* $Id: dh.c,v 1.8 2008/11/18 19:48:22 rrelyea%redhat.com Exp $
* $Id: dh.c,v 1.9 2010/07/20 01:26:02 wtc%google.com Exp $
*/
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
@ -219,7 +219,8 @@ DH_Derive(SECItem *publicValue,
{
mp_int p, Xa, Yb, ZZ;
mp_err err = MP_OKAY;
unsigned int len = 0, nb;
int len = 0;
unsigned int nb;
unsigned char *secret = NULL;
if (!publicValue || !prime || !privateValue || !derivedSecret) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@ -241,6 +242,10 @@ DH_Derive(SECItem *publicValue,
CHECK_MPI_OK( mp_exptmod(&Yb, &Xa, &p, &ZZ) );
/* number of bytes in the derived secret */
len = mp_unsigned_octet_size(&ZZ);
if (len <= 0) {
err = MP_BADARG;
goto cleanup;
}
/* allocate a buffer which can hold the entire derived secret. */
secret = PORT_Alloc(len);
/* grab the derived secret */

2
security/nss/lib/freebl/dsa.c
View File

@ -35,7 +35,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: dsa.c,v 1.20.22.1 2010/12/04 18:59:01 rrelyea%redhat.com Exp $ */
/* $Id: dsa.c,v 1.21 2010/12/04 18:57:16 rrelyea%redhat.com Exp $ */
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"

17
security/nss/lib/freebl/ec.c
View File

@ -248,6 +248,7 @@ ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
#if EC_DEBUG
printf("ec_NewKey called\n");
#endif
MP_DIGITS(&k) = 0;
if (!ecParams || !privKey || !privKeyBytes || (privKeyLen < 0)) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@ -316,7 +317,6 @@ ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
}
/* Compute corresponding public key */
MP_DIGITS(&k) = 0;
CHECK_MPI_OK( mp_init(&k) );
CHECK_MPI_OK( mp_read_unsigned_octets(&k, key->privateValue.data,
(mp_size) len) );
@ -578,12 +578,12 @@ ECDH_Derive(SECItem *publicValue,
return SECFailure;
}
MP_DIGITS(&k) = 0;
memset(derivedSecret, 0, sizeof *derivedSecret);
len = (ecParams->fieldID.size + 7) >> 3;
pointQ.len = 2*len + 1;
if ((pointQ.data = PORT_Alloc(2*len + 1)) == NULL) goto cleanup;
MP_DIGITS(&k) = 0;
CHECK_MPI_OK( mp_init(&k) );
CHECK_MPI_OK( mp_read_unsigned_octets(&k, privateValue->data,
(mp_size) privateValue->len) );
@ -655,6 +655,7 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
SECItem kGpoint = { siBuffer, NULL, 0};
int flen = 0; /* length in bytes of the field size */
unsigned olen; /* length in bytes of the base point order */
unsigned obits; /* length in bits of the base point order */
#if EC_DEBUG
char mpstr[256];
@ -697,6 +698,7 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
SECITEM_TO_MPINT( ecParams->order, &n );
SECITEM_TO_MPINT( key->privateValue, &d );
CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, kblen) );
/* Make sure k is in the interval [1, n-1] */
if ((mp_cmp_z(&k) <= 0) || (mp_cmp(&k, &n) >= 0)) {
@ -758,8 +760,9 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
/* In the definition of EC signing, digests are truncated
* to the length of n in bits.
* (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/
if (digest->len*8 > ecParams->fieldID.size) {
mpl_rsh(&s,&s,digest->len*8 - ecParams->fieldID.size);
CHECK_MPI_OK( (obits = mpl_significant_bits(&n)) );
if (digest->len*8 > obits) {
mpl_rsh(&s,&s,digest->len*8 - obits);
}
#if EC_DEBUG
@ -898,6 +901,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature,
int slen; /* length in bytes of a half signature (r or s) */
int flen; /* length in bytes of the field size */
unsigned olen; /* length in bytes of the base point order */
unsigned obits; /* length in bits of the base point order */
#if EC_DEBUG
char mpstr[256];
@ -979,8 +983,9 @@ ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature,
/* In the definition of EC signing, digests are truncated
* to the length of n in bits.
* (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/
if (digest->len*8 > ecParams->fieldID.size) { /* u1 = HASH(M') */
mpl_rsh(&u1,&u1,digest->len*8- ecParams->fieldID.size);
CHECK_MPI_OK( (obits = mpl_significant_bits(&n)) );
if (digest->len*8 > obits) { /* u1 = HASH(M') */
mpl_rsh(&u1,&u1,digest->len*8 - obits);
}
#if EC_DEBUG

6
security/nss/lib/freebl/ecl/ecp_mont.c
View File

@ -77,9 +77,6 @@ GFMethod_consGFp_mont(const mp_int *irr)
meth->extra_free = &ec_GFp_extra_free_mont;
mmm->N = meth->irr;
i = mpl_significant_bits(&meth->irr);
i += MP_DIGIT_BIT - 1;
mmm->b = i - i % MP_DIGIT_BIT;
mmm->n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(&meth->irr, 0));
CLEANUP:
@ -160,7 +157,8 @@ ec_GFp_enc_mont(const mp_int *a, mp_int *r, const GFMethod *meth)
mp_err res = MP_OKAY;
mmm = (mp_mont_modulus *) meth->extra1;
MP_CHECKOK(mpl_lsh(a, r, mmm->b));
MP_CHECKOK(mp_copy(a, r));
MP_CHECKOK(s_mp_lshd(r, MP_USED(&mmm->N)));
MP_CHECKOK(mp_mod(r, &mmm->N, r));
CLEANUP:
return res;

4
security/nss/lib/freebl/hasht.h
View File

@ -33,7 +33,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: hasht.h,v 1.7 2008/12/10 22:48:03 wtchang%redhat.com Exp $ */
/* $Id: hasht.h,v 1.8 2010/08/18 05:54:57 emaldona%redhat.com Exp $ */
#ifndef _HASHT_H_
#define _HASHT_H_
@ -54,6 +54,7 @@ typedef enum {
HASH_AlgSHA256 = 4,
HASH_AlgSHA384 = 5,
HASH_AlgSHA512 = 6,
HASH_AlgSHA224 = 7,
HASH_AlgTOTAL
} HASH_HashType;
@ -63,6 +64,7 @@ typedef enum {
#define MD2_LENGTH 16
#define MD5_LENGTH 16
#define SHA1_LENGTH 20
#define SHA224_LENGTH 28
#define SHA256_LENGTH 32
#define SHA384_LENGTH 48
#define SHA512_LENGTH 64

23
security/nss/lib/freebl/ldvector.c
View File

@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: ldvector.c,v 1.21.22.3 2010/12/04 18:59:01 rrelyea%redhat.com Exp $ */
/* $Id: ldvector.c,v 1.28 2010/12/06 17:22:49 kaie%kuix.de Exp $ */
#ifdef FREEBL_NO_DEPEND
extern int FREEBL_InitStubs(void);
@ -257,6 +257,7 @@ static const struct FREEBLVectorStr vector =
PRNGTEST_Instantiate,
PRNGTEST_Reseed,
PRNGTEST_Generate,
PRNGTEST_Uninstantiate,
/* End of Version 3.011. */
@ -270,7 +271,25 @@ static const struct FREEBLVectorStr vector =
JPAKE_Round2,
JPAKE_Final,
/* End of Version 3.012. */
/* End of Version 3.012 */
MGF1,
TLS_P_hash,
SHA224_NewContext,
SHA224_DestroyContext,
SHA224_Begin,
SHA224_Update,
SHA224_End,
SHA224_HashBuf,
SHA224_Hash,
SHA224_TraceState,
SHA224_FlattenSize,
SHA224_Flatten,
SHA224_Resurrect,
SHA224_Clone,
BLAPI_SHVerifyFile
/* End of Version 3.013 */
};
const FREEBLVector *

136
security/nss/lib/freebl/loader.c
View File

@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: loader.c,v 1.44.22.2 2010/12/04 18:59:01 rrelyea%redhat.com Exp $ */
/* $Id: loader.c,v 1.53 2011/01/15 19:54:49 nelson%bolyard.com Exp $ */
#include "loader.h"
#include "prmem.h"
@ -122,7 +122,7 @@ getLibName(void)
long cpu = sysconf(_SC_CPU_VERSION);
return (cpu == CPU_PA_RISC2_0)
? "libfreebl_32fpu_3.sl"
: "libfreebl_32int32_3.sl" ;
: "libfreebl_32int_3.sl" ;
}
#else
/* default case, for platforms/ABIs that have only one freebl shared lib. */
@ -1261,13 +1261,14 @@ BLAPI_SHVerify(const char *name, PRFuncPtr addr)
/*
* The Caller is expected to pass NULL as the name, which will
* trigger the p_BLAPI_VerifySelf() to return 'TRUE'. If we really loaded
* from a shared library, BLAPI_VerifySelf will get pick up the real name
* from the static set in freebl_LoadDSO( void )
* trigger the p_BLAPI_VerifySelf() to return 'TRUE'. Pass the real
* name of the shared library we loaded (the static libraryName set
* in freebl_LoadDSO) to p_BLAPI_VerifySelf.
*/
PRBool
BLAPI_VerifySelf(const char *name)
{
PORT_Assert(!name);
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return PR_FALSE;
return vector->p_BLAPI_VerifySelf(libraryName);
@ -1712,6 +1713,7 @@ RSA_PopulatePrivateKey(RSAPrivateKey *key)
return (vector->p_RSA_PopulatePrivateKey)(key);
}
SECStatus
JPAKE_Sign(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
const SECItem * signerID, const SECItem * x,
@ -1755,3 +1757,127 @@ JPAKE_Final(PLArenaPool * arena, const SECItem * p, const SECItem *q,
return SECFailure;
return (vector->p_JPAKE_Final)(arena, p, q, x2, gx4, x2s, B, K);
}
SECStatus
MGF1(HASH_HashType hashAlg, unsigned char *mask, unsigned int maskLen,
const unsigned char *mgfSeed, unsigned int mgfSeedLen)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return SECFailure;
return (vector->p_MGF1)(hashAlg, mask, maskLen, mgfSeed, mgfSeedLen);
}
SECStatus
TLS_P_hash(HASH_HashType hashAlg, const SECItem *secret, const char *label,
SECItem *seed, SECItem *result, PRBool isFIPS)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return SECFailure;
return (vector->p_TLS_P_hash)(hashAlg, secret, label, seed, result, isFIPS);
}
SECStatus
SHA224_Hash(unsigned char *dest, const char *src)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return SECFailure;
return (vector->p_SHA224_Hash)(dest, src);
}
SECStatus
SHA224_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return SECFailure;
return (vector->p_SHA224_HashBuf)(dest, src, src_length);
}
SHA224Context *
SHA224_NewContext(void)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return NULL;
return (vector->p_SHA224_NewContext)();
}
void
SHA224_DestroyContext(SHA224Context *cx, PRBool freeit)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return;
(vector->p_SHA224_DestroyContext)(cx, freeit);
}
void
SHA224_Begin(SHA256Context *cx)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return;
(vector->p_SHA224_Begin)(cx);
}
void
SHA224_Update(SHA224Context *cx, const unsigned char *input,
unsigned int inputLen)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return;
(vector->p_SHA224_Update)(cx, input, inputLen);
}
void
SHA224_End(SHA224Context *cx, unsigned char *digest,
unsigned int *digestLen, unsigned int maxDigestLen)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return;
(vector->p_SHA224_End)(cx, digest, digestLen, maxDigestLen);
}
void
SHA224_TraceState(SHA224Context *cx)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return;
(vector->p_SHA224_TraceState)(cx);
}
unsigned int
SHA224_FlattenSize(SHA224Context *cx)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return 0;
return (vector->p_SHA224_FlattenSize)(cx);
}
SECStatus
SHA224_Flatten(SHA224Context *cx,unsigned char *space)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return SECFailure;
return (vector->p_SHA224_Flatten)(cx, space);
}
SHA224Context *
SHA224_Resurrect(unsigned char *space, void *arg)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return NULL;
return (vector->p_SHA224_Resurrect)(space, arg);
}
void
SHA224_Clone(SHA224Context *dest, SHA224Context *src)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return;
(vector->p_SHA224_Clone)(dest, src);
}
PRBool
BLAPI_SHVerifyFile(const char *name)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return PR_FALSE;
return vector->p_BLAPI_SHVerifyFile(name);
}

39
security/nss/lib/freebl/loader.h
View File

@ -37,14 +37,14 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: loader.h,v 1.26.22.2 2010/12/04 18:59:01 rrelyea%redhat.com Exp $ */
/* $Id: loader.h,v 1.34 2011/03/29 15:12:44 wtc%google.com Exp $ */
#ifndef _LOADER_H_
#define _LOADER_H_ 1
#include "blapi.h"
#define FREEBL_VERSION 0x030C
#define FREEBL_VERSION 0x030D
struct FREEBLVectorStr {
@ -541,7 +541,6 @@ struct FREEBLVectorStr {
SECStatus (* p_PRNGTEST_Uninstantiate)(void);
/* Version 3.011 came to here */
SECStatus (*p_RSA_PopulatePrivateKey)(RSAPrivateKey *key);
SECStatus (*p_DSA_NewRandom)(PLArenaPool * arena, const SECItem * q,
@ -568,8 +567,38 @@ struct FREEBLVectorStr {
const SECItem *q, const SECItem * x2,
const SECItem * gx4, const SECItem * x2s,
const SECItem * B, SECItem * K);
/* Version 3.012 came to here */
/* Version 3.012 came to here */
SECStatus (* p_MGF1)(HASH_HashType hashAlg,
unsigned char *mask, unsigned int maskLen,
const unsigned char *mgfSeed, unsigned int mgfSeedLen);
SECStatus (* p_TLS_P_hash)(HASH_HashType hashAlg,
const SECItem *secret,
const char *label,
SECItem *seed,
SECItem *result,
PRBool isFIPS);
SHA224Context *(*p_SHA224_NewContext)(void);
void (* p_SHA224_DestroyContext)(SHA224Context *cx, PRBool freeit);
void (* p_SHA224_Begin)(SHA224Context *cx);
void (* p_SHA224_Update)(SHA224Context *cx, const unsigned char *input,
unsigned int inputLen);
void (* p_SHA224_End)(SHA224Context *cx, unsigned char *digest,
unsigned int *digestLen, unsigned int maxDigestLen);
SECStatus (*p_SHA224_HashBuf)(unsigned char *dest, const unsigned char *src,
uint32 src_length);
SECStatus (*p_SHA224_Hash)(unsigned char *dest, const char *src);
void (*p_SHA224_TraceState)(SHA224Context *cx);
unsigned int (* p_SHA224_FlattenSize)(SHA224Context *cx);
SECStatus (* p_SHA224_Flatten)(SHA224Context *cx,unsigned char *space);
SHA224Context * (* p_SHA224_Resurrect)(unsigned char *space, void *arg);
void (* p_SHA224_Clone)(SHA224Context *dest, SHA224Context *src);
PRBool (*p_BLAPI_SHVerifyFile)(const char *name);
/* Version 3.013 came to here */
};

1
security/nss/lib/freebl/manifest.mn
View File

@ -128,6 +128,7 @@ CSRCS = \
md5.c \
sha512.c \
alghmac.c \
mgf1.c \
rawhash.c \
alg2268.c \
arcfour.c \

91
security/nss/lib/freebl/mgf1.c Normal file
View File

@ -0,0 +1,91 @@
/*
* mgf1.c - implementation of MGF1 as defined in PKCS #1 v2.1 / RFC 3447
*
* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Hanno Boeck <hanno@hboeck.de>
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: mgf1.c,v 1.2 2010/07/22 23:09:46 wtc%google.com Exp $ */
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
#endif
#include "blapi.h"
#include "hasht.h"
SECStatus
MGF1(HASH_HashType hashAlg, unsigned char *mask, unsigned int maskLen,
const unsigned char *mgfSeed, unsigned int mgfSeedLen)
{
unsigned int digestLen;
PRUint32 counter, rounds;
unsigned char *tempHash, *temp;
const SECHashObject *hash;
void *hashContext;
unsigned char C[4];
hash = HASH_GetRawHashObject(hashAlg);
if (hash == NULL)
return SECFailure;
hashContext = (*hash->create)();
rounds = (maskLen + hash->length - 1) / hash->length;
for (counter = 0; counter < rounds; counter++) {
C[0] = (unsigned char)((counter >> 24) & 0xff);
C[1] = (unsigned char)((counter >> 16) & 0xff);
C[2] = (unsigned char)((counter >> 8) & 0xff);
C[3] = (unsigned char)(counter & 0xff);
/* This could be optimized when the clone functions in
* rawhash.c are implemented. */
(*hash->begin)(hashContext);
(*hash->update)(hashContext, mgfSeed, mgfSeedLen);
(*hash->update)(hashContext, C, sizeof C);
tempHash = mask + counter * hash->length;
if (counter != (rounds-1)) {
(*hash->end)(hashContext, tempHash, &digestLen, hash->length);
} else { /* we're in the last round and need to cut the hash */
temp = PORT_Alloc(hash->length);
(*hash->end)(hashContext, temp, &digestLen, hash->length);
PORT_Memcpy(tempHash, temp, maskLen - counter * hash->length);
PORT_Free(temp);
}
}
(*hash->destroy)(hashContext, PR_TRUE);
return SECSuccess;
}

4
security/nss/lib/freebl/mpi/Makefile
View File

@ -41,7 +41,7 @@
# ***** END LICENSE BLOCK *****
#
# $Id: Makefile,v 1.26 2007/05/09 00:09:37 neil.williams%sun.com Exp $
# $Id: Makefile,v 1.27 2011/02/06 08:42:27 nelson%bolyard.com Exp $
#
## Define CC to be the C compiler you wish to use. The GNU cc
@ -170,6 +170,8 @@ mpv_sparcv8.s: vis_64.il mpv_sparc.c
montmulfv8.o montmulfv9.o mpv_sparcv8.o mpv_sparcv9.o : %.o : %.s
$(CC) -o $@ $(SOLARIS_ASM_FLAGS) -c $<
mpi_arm.o: mpi_arm.c $(LIBHDRS)
# This rule is used to build the .s sources, which are then hand optimized.
#montmulfv8.s montmulfv9.s : montmulf%.s : montmulf%.il montmulf.c montmulf.h
# $(CC) -o $@ $(SOLARIS_ASM_FLAGS) -S montmulf$*.il montmulf.c

14
security/nss/lib/freebl/mpi/README
View File

@ -676,10 +676,7 @@ exptmod.c Computes arbitrary precision modular exponentiation
from the command line (exptmod a b m -> a^b (mod m))
Most of these can be built from the Makefile that comes with the
library. Try 'make tools', if your environment supports it. (If you
are compiling on a Macintosh, I'm afraid you'll have to build them by
hand -- fortunately, this is not difficult -- the library itself
should compile just fine under Metrowerks CodeWarrior).
library. Try 'make tools', if your environment supports it.
Testing the Library
@ -704,9 +701,9 @@ what platform and compiler you were using, as well as which test
failed. If a reason for failure was given, please send me that text
as well.
If you're on a system such as the Macintosh, where the standard Unix
build tools don't work, you can build the 'mpi-test' program manually,
and run it by hand. This is tedious and obnoxious, sorry.
If you're on a system where the standard Unix build tools don't work,
you can build the 'mpi-test' program manually, and run it by hand.
This is tedious and obnoxious, sorry.
Further manual testing can be performed by building the manual testing
programs, whose source is found in the 'tests' subdirectory. Each
@ -736,8 +733,7 @@ cannot use make, here is what needs to be done:
(1) Use 'make-test-arrays' to generate the file 'test-info.c' from
the 'test-arrays.txt' file. Since Perl can be found everywhere,
even on the Macintosh, this should be no trouble. Under Unix,
this looks like:
this should be no trouble. Under Unix, this looks like:
make-test-arrays test-arrays.txt > test-info.c

6
security/nss/lib/freebl/mpi/hpma512.s
View File

@ -331,7 +331,7 @@
multacc512
.PROC
.CALLINFO
.ENTER
.ENTRY
fldd 0(pM),M ; multiplier double word
ldo ST_SZ(sp),sp ; push stack
@ -636,8 +636,10 @@ $L0
/* end of module */
/* ====================================================================== */
.LEAVE
bve (rp)
.EXIT
nop
.PROCEND
.SPACE $TEXT$
.SUBSPA $CODE$

Some files were not shown because too many files have changed in this diff Show More