Bug 642148 - Upgrade Mozilla to NSPR 4.8.8 beta 3 and NSS 3.12.10 beta 1, r=wtc, r=kaie

Kai Engert 2011-05-04 11:49:38 +02:00
parent 6320673fdd
commit 3e0416be8e
108 changed files with 8182 additions and 5760 deletions


@ -1 +1 @@
NSPR_4_8_8_BETA2
NSPR_4_8_8_BETA3


@ -42,3 +42,4 @@
*/
#error "Do not include this header file."

48
nsprpub/configure vendored

@ -3541,10 +3541,12 @@ EOF
CC="$CC -arch x86_64"
else
CPU_ARCH=i386
CC="$CC -arch i386"
fi
;;
*)
CPU_ARCH=ppc
CC="$CC -arch ppc"
;;
esac
DSO_CFLAGS=-fPIC
@ -4739,17 +4741,17 @@ EOF
_OPTIMIZE_FLAGS="$_OPTIMIZE_FLAGS -Olimit 4000"
ac_safe=`echo "machine/builtins.h" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for machine/builtins.h""... $ac_c" 1>&6
echo "configure:4743: checking for machine/builtins.h" >&5
echo "configure:4745: checking for machine/builtins.h" >&5
if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
#line 4748 "configure"
#line 4750 "configure"
#include "confdefs.h"
#include <machine/builtins.h>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
{ (eval echo configure:4753: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
{ (eval echo configure:4755: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
@ -5398,7 +5400,7 @@ case $target in
;;
*)
echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6
echo "configure:5402: checking for dlopen in -ldl" >&5
echo "configure:5404: checking for dlopen in -ldl" >&5
ac_lib_var=`echo dl'_'dlopen | sed 'y%./+-%__p_%'`
if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
@ -5406,7 +5408,7 @@ else
ac_save_LIBS="$LIBS"
LIBS="-ldl $LIBS"
cat > conftest.$ac_ext <<EOF
#line 5410 "configure"
#line 5412 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
@ -5417,7 +5419,7 @@ int main() {
dlopen()
; return 0; }
EOF
if { (eval echo configure:5421: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
if { (eval echo configure:5423: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_lib_$ac_lib_var=yes"
else
@ -5434,17 +5436,17 @@ if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
echo "$ac_t""yes" 1>&6
ac_safe=`echo "dlfcn.h" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for dlfcn.h""... $ac_c" 1>&6
echo "configure:5438: checking for dlfcn.h" >&5
echo "configure:5440: checking for dlfcn.h" >&5
if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
#line 5443 "configure"
#line 5445 "configure"
#include "confdefs.h"
#include <dlfcn.h>
EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
{ (eval echo configure:5448: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
{ (eval echo configure:5450: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
if test -z "$ac_err"; then
rm -rf conftest*
@ -5477,13 +5479,13 @@ esac
if test $ac_cv_prog_gcc = yes; then
echo $ac_n "checking whether ${CC-cc} needs -traditional""... $ac_c" 1>&6
echo "configure:5481: checking whether ${CC-cc} needs -traditional" >&5
echo "configure:5483: checking whether ${CC-cc} needs -traditional" >&5
if eval "test \"`echo '$''{'ac_cv_prog_gcc_traditional'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
ac_pattern="Autoconf.*'x'"
cat > conftest.$ac_ext <<EOF
#line 5487 "configure"
#line 5489 "configure"
#include "confdefs.h"
#include <sgtty.h>
Autoconf TIOCGETP
@ -5501,7 +5503,7 @@ rm -f conftest*
if test $ac_cv_prog_gcc_traditional = no; then
cat > conftest.$ac_ext <<EOF
#line 5505 "configure"
#line 5507 "configure"
#include "confdefs.h"
#include <termio.h>
Autoconf TCGETA
@ -5525,12 +5527,12 @@ fi
for ac_func in lchown strerror
do
echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
echo "configure:5529: checking for $ac_func" >&5
echo "configure:5531: checking for $ac_func" >&5
if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
cat > conftest.$ac_ext <<EOF
#line 5534 "configure"
#line 5536 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char $ac_func(); below. */
@ -5553,7 +5555,7 @@ $ac_func();
; return 0; }
EOF
if { (eval echo configure:5557: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
if { (eval echo configure:5559: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
rm -rf conftest*
eval "ac_cv_func_$ac_func=yes"
else
@ -5604,7 +5606,7 @@ do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
echo "configure:5608: checking for $ac_word" >&5
echo "configure:5610: checking for $ac_word" >&5
if eval "test \"`echo '$''{'ac_cv_path_CCACHE'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -5663,7 +5665,7 @@ hpux*)
if test -z "$GNU_CC"; then
echo $ac_n "checking for +Olit support""... $ac_c" 1>&6
echo "configure:5667: checking for +Olit support" >&5
echo "configure:5669: checking for +Olit support" >&5
if eval "test \"`echo '$''{'ac_cv_hpux_usable_olit_option'+set}'`\" = set"; then
echo $ac_n "(cached) $ac_c" 1>&6
else
@ -5705,7 +5707,7 @@ wince*)
*)
echo $ac_n "checking for pthread_create in -lpthreads""... $ac_c" 1>&6
echo "configure:5709: checking for pthread_create in -lpthreads" >&5
echo "configure:5711: checking for pthread_create in -lpthreads" >&5
echo "
#include <pthread.h>
void *foo(void *v) { return v; }
@ -5727,7 +5729,7 @@ echo "
echo "$ac_t""no" 1>&6
echo $ac_n "checking for pthread_create in -lpthread""... $ac_c" 1>&6
echo "configure:5731: checking for pthread_create in -lpthread" >&5
echo "configure:5733: checking for pthread_create in -lpthread" >&5
echo "
#include <pthread.h>
void *foo(void *v) { return v; }
@ -5749,7 +5751,7 @@ echo "
echo "$ac_t""no" 1>&6
echo $ac_n "checking for pthread_create in -lc_r""... $ac_c" 1>&6
echo "configure:5753: checking for pthread_create in -lc_r" >&5
echo "configure:5755: checking for pthread_create in -lc_r" >&5
echo "
#include <pthread.h>
void *foo(void *v) { return v; }
@ -5771,7 +5773,7 @@ echo "
echo "$ac_t""no" 1>&6
echo $ac_n "checking for pthread_create in -lc""... $ac_c" 1>&6
echo "configure:5775: checking for pthread_create in -lc" >&5
echo "configure:5777: checking for pthread_create in -lc" >&5
echo "
#include <pthread.h>
void *foo(void *v) { return v; }
@ -5889,7 +5891,7 @@ if test -n "$USE_PTHREADS"; then
rm -f conftest*
ac_cv_have_dash_pthread=no
echo $ac_n "checking whether ${CC-cc} accepts -pthread""... $ac_c" 1>&6
echo "configure:5893: checking whether ${CC-cc} accepts -pthread" >&5
echo "configure:5895: checking whether ${CC-cc} accepts -pthread" >&5
echo 'int main() { return 0; }' | cat > conftest.c
${CC-cc} -pthread -o conftest conftest.c > conftest.out 2>&1
if test $? -eq 0; then
@ -5912,7 +5914,7 @@ echo "configure:5893: checking whether ${CC-cc} accepts -pthread" >&5
ac_cv_have_dash_pthreads=no
if test "$ac_cv_have_dash_pthread" = "no"; then
echo $ac_n "checking whether ${CC-cc} accepts -pthreads""... $ac_c" 1>&6
echo "configure:5916: checking whether ${CC-cc} accepts -pthreads" >&5
echo "configure:5918: checking whether ${CC-cc} accepts -pthreads" >&5
echo 'int main() { return 0; }' | cat > conftest.c
${CC-cc} -pthreads -o conftest conftest.c > conftest.out 2>&1
if test $? -eq 0; then


@ -1144,10 +1144,12 @@ case "$target" in
CC="$CC -arch x86_64"
else
CPU_ARCH=i386
CC="$CC -arch i386"
fi
;;
*)
CPU_ARCH=ppc
CC="$CC -arch ppc"
;;
esac
DSO_CFLAGS=-fPIC


@ -142,6 +142,9 @@ typedef enum PRTransmitFileFlags {
#define PR_AF_INET6 100
#endif
#define PR_AF_INET_SDP 101
#define PR_AF_INET6_SDP 102
#ifndef PR_AF_UNSPEC
#define PR_AF_UNSPEC 0
#endif
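Review bot: The new `PR_AF_INET_SDP` and `PR_AF_INET6_SDP` defines carry no comment, so a caller reading this header cannot tell that 101 and 102 are NSPR-private values rather than OS address families. The ptio.c change in this same commit accepts them only when `_PR_HAVE_SDP` is defined, and accepts `PR_AF_INET6_SDP` only on Solaris, so on other builds PR_Socket appears to reject them with `PR_ADDRESS_NOT_SUPPORTED_ERROR`. I would add a comment above the two defines, for example `/* NSPR-private SDP families; PR_Socket maps them to the OS value and rejects them where SDP is unsupported */`.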


@ -235,7 +235,7 @@ PR_BEGIN_EXTERN_C
** PRInt8
** DESCRIPTION:
** The int8 types are known to be 8 bits each. There is no type that
** is equivalent to a plain "char".
** is equivalent to a plain "char".
************************************************************************/
#if PR_BYTES_PER_BYTE == 1
typedef unsigned char PRUint8;
@ -274,7 +274,7 @@ typedef signed char PRInt8;
** TYPES: PRUint16
** PRInt16
** DESCRIPTION:
** The int16 types are known to be 16 bits each.
** The int16 types are known to be 16 bits each.
************************************************************************/
#if PR_BYTES_PER_SHORT == 2
typedef unsigned short PRUint16;
@ -299,7 +299,7 @@ typedef short PRInt16;
** TYPES: PRUint32
** PRInt32
** DESCRIPTION:
** The int32 types are known to be 32 bits each.
** The int32 types are known to be 32 bits each.
************************************************************************/
#if PR_BYTES_PER_INT == 4
typedef unsigned int PRUint32;
@ -372,7 +372,7 @@ typedef PRInt64 PRUint64;
** The PRIntn types are most appropriate for automatic variables. They are
** guaranteed to be at least 16 bits, though various architectures may
** define them to be wider (e.g., 32 or even 64 bits). These types are
** never valid for fields of a structure.
** never valid for fields of a structure.
************************************************************************/
#if PR_BYTES_PER_INT >= 2
typedef int PRIntn;
@ -384,14 +384,14 @@ typedef unsigned int PRUintn;
/************************************************************************
** TYPES: PRFloat64
** DESCRIPTION:
** NSPR's floating point type is always 64 bits.
** NSPR's floating point type is always 64 bits.
************************************************************************/
typedef double PRFloat64;
/************************************************************************
** TYPES: PRSize
** DESCRIPTION:
** A type for representing the size of objects.
** A type for representing the size of objects.
************************************************************************/
typedef size_t PRSize;
@ -399,7 +399,7 @@ typedef size_t PRSize;
/************************************************************************
** TYPES: PROffset32, PROffset64
** DESCRIPTION:
** A type for representing byte offsets from some location.
** A type for representing byte offsets from some location.
************************************************************************/
typedef PRInt32 PROffset32;
typedef PRInt64 PROffset64;
@ -408,7 +408,7 @@ typedef PRInt64 PROffset64;
** TYPES: PRPtrDiff
** DESCRIPTION:
** A type for pointer difference. Variables of this type are suitable
** for storing a pointer or pointer subtraction.
** for storing a pointer or pointer subtraction.
************************************************************************/
typedef ptrdiff_t PRPtrdiff;
@ -416,7 +416,7 @@ typedef ptrdiff_t PRPtrdiff;
** TYPES: PRUptrdiff
** DESCRIPTION:
** A type for pointer difference. Variables of this type are suitable
** for storing a pointer or pointer sutraction.
** for storing a pointer or pointer sutraction.
************************************************************************/
#ifdef _WIN64
typedef PRUint64 PRUptrdiff;
@ -430,7 +430,7 @@ typedef unsigned long PRUptrdiff;
** Use PRBool for variables and parameter types. Use PR_FALSE and PR_TRUE
** for clarity of target type in assignments and actual arguments. Use
** 'if (bool)', 'while (!bool)', '(bool) ? x : y' etc., to test booleans
** just as you would C int-valued conditions.
** just as you would C int-valued conditions.
************************************************************************/
typedef PRIntn PRBool;
#define PR_TRUE 1
@ -445,7 +445,7 @@ typedef PRIntn PRBool;
typedef PRUint8 PRPackedBool;
/*
** Status code used by some routines that have a single point of failure or
** Status code used by some routines that have a single point of failure or
** special status return.
*/
typedef enum { PR_FAILURE = -1, PR_SUCCESS = 0 } PRStatus;


@ -218,6 +218,20 @@ static PRBool _pr_ipv6_v6only_on_by_default;
#error "Cannot determine architecture"
#endif
#if defined(SOLARIS)
#ifndef PROTO_SDP
/* on solaris, SDP is a new type of protocol */
#define PROTO_SDP 257
#endif
#define _PR_HAVE_SDP
#elif defined(LINUX)
#ifndef AF_INET_SDP
/* on linux, SDP is a new type of address family */
#define AF_INET_SDP 27
#endif
#define _PR_HAVE_SDP
#endif /* LINUX */
static PRFileDesc *pt_SetMethods(
PRIntn osfd, PRDescType type, PRBool isAcceptedSocket, PRBool imported);
@ -3462,6 +3476,12 @@ PR_IMPLEMENT(PRFileDesc*) PR_Socket(PRInt32 domain, PRInt32 type, PRInt32 proto)
if (PF_INET != domain
&& PR_AF_INET6 != domain
#if defined(_PR_HAVE_SDP)
&& PR_AF_INET_SDP != domain
#if defined(SOLARIS)
&& PR_AF_INET6_SDP != domain
#endif /* SOLARIS */
#endif /* _PR_HAVE_SDP */
&& PF_UNIX != domain)
{
PR_SetError(PR_ADDRESS_NOT_SUPPORTED_ERROR, 0);
@ -3474,6 +3494,20 @@ PR_IMPLEMENT(PRFileDesc*) PR_Socket(PRInt32 domain, PRInt32 type, PRInt32 proto)
(void)PR_SetError(PR_ADDRESS_NOT_SUPPORTED_ERROR, 0);
return fd;
}
#if defined(_PR_HAVE_SDP)
#if defined(LINUX)
if (PR_AF_INET_SDP == domain)
domain = AF_INET_SDP;
#elif defined(SOLARIS)
if (PR_AF_INET_SDP == domain) {
domain = AF_INET;
proto = PROTO_SDP;
} else if(PR_AF_INET6_SDP == domain) {
domain = AF_INET6;
proto = PROTO_SDP;
}
#endif /* SOLARIS */
#endif /* _PR_HAVE_SDP */
#if defined(_PR_INET6_PROBE)
if (PR_AF_INET6 == domain)
domain = _pr_ipv6_is_present() ? AF_INET6 : AF_INET;
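Review bot: In the Solaris branch of the last hunk, `proto = PROTO_SDP;` overwrites whatever protocol the caller passed to PR_Socket, so a non-zero `proto` that conflicts with SDP is silently discarded rather than rejected. Either check it before the remap, e.g. `if (proto != 0 && proto != PROTO_SDP) { PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0); return fd; }`, or say in a comment that `proto` is ignored for the SDP families. The fallback values in the first hunk (`#define PROTO_SDP 257`, `#define AF_INET_SDP 27`) are hard-coded when the system headers lack them, and a comment naming where those numbers come from would help anyone checking them against a given kernel. PR_Socket begins and ends outside these hunks, so how `type` is validated for SDP sockets cannot be seen here.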


@ -54,13 +54,15 @@ ifdef USE_64
CC += -arch x86_64
else
OS_REL_CFLAGS = -Di386
CC += -arch i386
endif
else
OS_REL_CFLAGS = -Dppc
CC += -arch ppc
endif
ifneq (,$(MACOS_SDK_DIR))
GCC_VERSION_FULL := $(shell $(CC) -v 2>&1 | grep "gcc version" | sed -e "s/^.*gcc version[ ]*//" | awk '{ print $$1 }')
GCC_VERSION_FULL := $(shell $(CC) -dumpversion)
GCC_VERSION_MAJOR := $(shell echo $(GCC_VERSION_FULL) | awk -F. '{ print $$1 }')
GCC_VERSION_MINOR := $(shell echo $(GCC_VERSION_FULL) | awk -F. '{ print $$2 }')
GCC_VERSION = $(GCC_VERSION_MAJOR).$(GCC_VERSION_MINOR)
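Review bot: `GCC_VERSION_FULL := $(shell $(CC) -dumpversion)` assumes the compiler prints at least `major.minor`; a compiler that prints only the major number leaves `GCC_VERSION_MINOR` empty and turns `GCC_VERSION` into `N.`. How `GCC_VERSION` is consumed lies outside this hunk, so this may be harmless here. A short comment would still record the assumption, for example `# -dumpversion is expected to print e.g. 4.2.1; MAJOR/MINOR below need at least two components`.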


@ -43,5 +43,3 @@
#error "Do not include this header file."


@ -1 +1 @@
NSS_3_12_9_RTM
NSS_3_12_10_BETA1


@ -37,7 +37,7 @@
/*
* Tool for converting builtin CA certs.
*
* $Id: addbuiltin.c,v 1.14 2007/02/14 00:35:52 alexei.volkov.bugs%sun.com Exp $
* $Id: addbuiltin.c,v 1.14.68.1 2011/03/23 20:07:57 kaie%kuix.de Exp $
*/
#include "nssrenam.h"
@ -77,6 +77,8 @@ char *getTrustString(unsigned int trust)
return "CKT_NETSCAPE_TRUSTED_DELEGATOR";
} else if (trust & CERTDB_VALID_CA) {
return "CKT_NETSCAPE_VALID_DELEGATOR";
} else if (trust & CERTDB_VALID_PEER) {
return "CKT_NETSCAPE_VALID";
} else {
return "CKT_NETSCAPE_TRUST_UNKNOWN";
}
@ -213,7 +215,7 @@ void printheader() {
"#\n"
"# ***** END LICENSE BLOCK *****\n"
"#\n"
"CVS_ID \"@(#) $RCSfile: addbuiltin.c,v $ $Revision: 1.14 $ $Date: 2007/02/14 00:35:52 $\"\n"
"CVS_ID \"@(#) $RCSfile: addbuiltin.c,v $ $Revision: 1.14.68.1 $ $Date: 2011/03/23 20:07:57 $\"\n"
"\n"
"#\n"
"# certdata.txt\n"
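Review bot: The `CERTDB_VALID_PEER` branch added to getTrustString in the second hunk changes the trust string emitted for entries that carry only the valid-peer flag, which before this change appear to have fallen through to `CKT_NETSCAPE_TRUST_UNKNOWN`. Nothing in the visible code explains the precedence of the if/else chain or what `CKT_NETSCAPE_VALID` is meant to tell consumers of the generated certdata.txt. Because this tool's output feeds the built-in certificate list, I would add a comment above the new branch such as `/* peer-only trust (p): valid peer, neither a CA nor explicitly trusted */`. The function begins before the hunk, so its earlier branches are not visible here.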


@ -985,7 +985,7 @@ ListModules(void)
}
static void
Usage(char *progName)
PrintSyntax(char *progName)
{
#define FPS fprintf(stderr,
FPS "Type %s -H for more detailed descriptions\n", progName);
@ -1055,22 +1055,57 @@ Usage(char *progName)
exit(1);
}
static void LongUsage(char *progName)
{
enum usage_level {
usage_all = 0, usage_selected = 1
};
static void luCommonDetailsAE();
static void luA(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "A"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Add a certificate to the database (create if needed)\n",
"-A");
"-A");
if (ul == usage_selected && !is_my_command)
return;
if (ul == usage_all) {
FPS "%-20s\n", " All options under -E apply");
}
else {
luCommonDetailsAE();
}
}
static void luB(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "B"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Run a series of certutil commands from a batch file\n", "-B");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s Specify the batch file\n", " -i batch-file");
}
static void luE(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "E"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Add an Email certificate to the database (create if needed)\n",
"-E");
"-E");
if (ul == usage_selected && !is_my_command)
return;
luCommonDetailsAE();
}
static void luCommonDetailsAE()
{
FPS "%-20s Specify the nickname of the certificate to add\n",
" -n cert-name");
" -n cert-name");
FPS "%-20s Set the certificate trust attributes:\n",
" -t trustargs");
" -t trustargs");
FPS "%-25s trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,\n", "");
FPS "%-25s and z is for code signing\n", "");
FPS "%-25s and z is for code signing. Use ,, for no explicit trust.\n", "");
FPS "%-25s p \t valid peer\n", "");
FPS "%-25s P \t trusted peer (implies p)\n", "");
FPS "%-25s c \t valid CA\n", "");
@ -1080,39 +1115,46 @@ static void LongUsage(char *progName)
FPS "%-25s w \t send warning\n", "");
FPS "%-25s g \t make step-up cert\n", "");
FPS "%-20s Specify the password file\n",
" -f pwfile");
" -f pwfile");
FPS "%-20s Cert database directory (default is ~/.netscape)\n",
" -d certdir");
" -d certdir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
" -P dbprefix");
FPS "%-20s The input certificate is encoded in ASCII (RFC1113)\n",
" -a");
" -a");
FPS "%-20s Specify the certificate file (default is stdin)\n",
" -i input");
" -i input");
FPS "\n");
}
static void luC(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "C"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Create a new binary certificate from a BINARY cert request\n",
"-C");
"-C");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s The nickname of the issuer cert\n",
" -c issuer-name");
" -c issuer-name");
FPS "%-20s The BINARY certificate request file\n",
" -i cert-request ");
" -i cert-request ");
FPS "%-20s Output binary cert to this file (default is stdout)\n",
" -o output-cert");
" -o output-cert");
FPS "%-20s Self sign\n",
" -x");
" -x");
FPS "%-20s Cert serial number\n",
" -m serial-number");
" -m serial-number");
FPS "%-20s Time Warp\n",
" -w warp-months");
" -w warp-months");
FPS "%-20s Months valid (default is 3)\n",
" -v months-valid");
FPS "%-20s Specify the password file\n",
" -f pwfile");
" -f pwfile");
FPS "%-20s Cert database directory (default is ~/.netscape)\n",
" -d certdir");
" -d certdir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
" -P dbprefix");
FPS "%-20s \n"
"%-20s Create key usage extension. Possible keywords:\n"
"%-20s \"digitalSignature\", \"nonRepudiation\", \"keyEncipherment\",\n"
@ -1120,11 +1162,11 @@ static void LongUsage(char *progName)
"%-20s \"crlSigning\", \"critical\"\n",
" -1 | --keyUsage keyword,keyword,...", "", "", "", "");
FPS "%-20s Create basic constraint extension\n",
" -2 ");
" -2 ");
FPS "%-20s Create authority key ID extension\n",
" -3 ");
" -3 ");
FPS "%-20s Create crl distribution point extension\n",
" -4 ");
" -4 ");
FPS "%-20s \n"
"%-20s Create netscape cert type extension. Possible keywords:\n"
"%-20s \"sslClient\", \"sslServer\", \"smime\", \"objectSigning\",\n"
@ -1135,41 +1177,48 @@ static void LongUsage(char *progName)
"%-20s \"serverAuth\", \"clientAuth\",\"codeSigning\",\n"
"%-20s \"emailProtection\", \"timeStamp\",\"ocspResponder\",\n"
"%-20s \"stepUp\", \"critical\"\n",
" -6 | --extKeyUsage keyword,keyword,...", "", "", "", "");
" -6 | --extKeyUsage keyword,keyword,...", "", "", "", "");
FPS "%-20s Create an email subject alt name extension\n",
" -7 emailAddrs");
" -7 emailAddrs");
FPS "%-20s Create an dns subject alt name extension\n",
" -8 dnsNames");
" -8 dnsNames");
FPS "%-20s The input certificate request is encoded in ASCII (RFC1113)\n",
" -a");
" -a");
FPS "\n");
}
static void luG(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "G"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Generate a new key pair\n",
"-G");
"-G");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s Name of token in which to generate key (default is internal)\n",
" -h token-name");
" -h token-name");
#ifdef NSS_ENABLE_ECC
FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
" -k key-type");
" -k key-type");
FPS "%-20s Key size in bits, (min %d, max %d, default %d) (not for ec)\n",
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
#else
FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
" -k key-type");
" -k key-type");
FPS "%-20s Key size in bits, (min %d, max %d, default %d)\n",
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
#endif /* NSS_ENABLE_ECC */
FPS "%-20s Set the public exponent value (3, 17, 65537) (rsa only)\n",
" -y exp");
" -y exp");
FPS "%-20s Specify the password file\n",
" -f password-file");
FPS "%-20s Specify the noise file to be used\n",
" -z noisefile");
" -z noisefile");
FPS "%-20s read PQG value from pqgfile (dsa only)\n",
" -q pqgfile");
" -q pqgfile");
#ifdef NSS_ENABLE_ECC
FPS "%-20s Elliptic curve name (ec only)\n",
" -q curve-name");
" -q curve-name");
FPS "%-20s One of nistp256, nistp384, nistp521\n", "");
#ifdef NSS_ECC_MORE_THAN_SUITE_B
FPS "%-20s sect163k1, nistk163, sect163r1, sect163r2,\n", "");
@ -1192,167 +1241,239 @@ static void LongUsage(char *progName)
#endif /* NSS_ECC_MORE_THAN_SUITE_B */
#endif
FPS "%-20s Key database directory (default is ~/.netscape)\n",
" -d keydir");
" -d keydir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
" -P dbprefix");
FPS "\n");
}
static void luD(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "D"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Delete a certificate from the database\n",
"-D");
"-D");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s The nickname of the cert to delete\n",
" -n cert-name");
" -n cert-name");
FPS "%-20s Cert database directory (default is ~/.netscape)\n",
" -d certdir");
" -d certdir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
" -P dbprefix");
FPS "\n");
}
static void luU(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "U"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s List all modules\n", /*, or print out a single named module\n",*/
"-U");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s Module database directory (default is '~/.netscape')\n",
" -d moddir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
" -P dbprefix");
FPS "%-20s force the database to open R/W\n",
" -X");
" -X");
FPS "\n");
}
static void luK(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "K"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s List all private keys\n",
"-K");
FPS "%-20s Name of token to search (\"all\" for all tokens)\n",
" -h token-name ");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s Name of token to search (\"all\" for all tokens)\n",
" -h token-name ");
FPS "%-20s Key type (\"all\" (default), \"dsa\","
#ifdef NSS_ENABLE_ECC
" \"ec\","
#endif
" \"rsa\")\n",
" -k key-type");
" \"rsa\")\n",
" -k key-type");
FPS "%-20s The nickname of the key or associated certificate\n",
" -n name");
" -n name");
FPS "%-20s Specify the password file\n",
" -f password-file");
FPS "%-20s Key database directory (default is ~/.netscape)\n",
" -d keydir");
" -d keydir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
" -P dbprefix");
FPS "%-20s force the database to open R/W\n",
" -X");
" -X");
FPS "\n");
}
static void luL(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "L"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s List all certs, or print out a single named cert\n",
"-L");
"-L");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s Pretty print named cert (list all if unspecified)\n",
" -n cert-name");
" -n cert-name");
FPS "%-20s \n"
"%-20s Pretty print cert with email address (list all if unspecified)\n",
" --email email-address", "");
" --email email-address", "");
FPS "%-20s Cert database directory (default is ~/.netscape)\n",
" -d certdir");
" -d certdir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
" -P dbprefix");
FPS "%-20s force the database to open R/W\n",
" -X");
" -X");
FPS "%-20s For single cert, print binary DER encoding\n",
" -r");
" -r");
FPS "%-20s For single cert, print ASCII encoding (RFC1113)\n",
" -a");
" -a");
FPS "\n");
}
static void luM(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "M"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Modify trust attributes of certificate\n",
"-M");
"-M");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s The nickname of the cert to modify\n",
" -n cert-name");
" -n cert-name");
FPS "%-20s Set the certificate trust attributes (see -A above)\n",
" -t trustargs");
" -t trustargs");
FPS "%-20s Cert database directory (default is ~/.netscape)\n",
" -d certdir");
" -d certdir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
" -P dbprefix");
FPS "\n");
}
static void luN(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "N"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Create a new certificate database\n",
"-N");
"-N");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s Cert database directory (default is ~/.netscape)\n",
" -d certdir");
" -d certdir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
" -P dbprefix");
FPS "\n");
}
static void luT(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "T"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Reset the Key database or token\n",
"-T");
"-T");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s Cert database directory (default is ~/.netscape)\n",
" -d certdir");
" -d certdir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
" -P dbprefix");
FPS "%-20s Token to reset (default is internal)\n",
" -h token-name");
" -h token-name");
FPS "%-20s Set token's Site Security Officer password\n",
" -0 SSO-password");
" -0 SSO-password");
FPS "\n");
}
FPS "\n");
static void luO(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "O"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Print the chain of a certificate\n",
"-O");
"-O");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s The nickname of the cert to modify\n",
" -n cert-name");
" -n cert-name");
FPS "%-20s Cert database directory (default is ~/.netscape)\n",
" -d certdir");
" -d certdir");
FPS "%-20s Input the certificate in ASCII (RFC1113); default is binary\n",
" -a");
" -a");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
" -P dbprefix");
FPS "%-20s force the database to open R/W\n",
" -X");
" -X");
FPS "\n");
}
static void luR(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "R"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Generate a certificate request (stdout)\n",
"-R");
"-R");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s Specify the subject name (using RFC1485)\n",
" -s subject");
" -s subject");
FPS "%-20s Output the cert request to this file\n",
" -o output-req");
" -o output-req");
#ifdef NSS_ENABLE_ECC
FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
#else
FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
#endif /* NSS_ENABLE_ECC */
" -k key-type-or-id");
" -k key-type-or-id");
FPS "%-20s or nickname of the cert key to use \n",
"");
"");
FPS "%-20s Name of token in which to generate key (default is internal)\n",
" -h token-name");
" -h token-name");
FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
" -q pqgfile");
" -q pqgfile");
#ifdef NSS_ENABLE_ECC
FPS "%-20s Elliptic curve name (ec only)\n",
" -q curve-name");
" -q curve-name");
FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
"");
"");
#endif /* NSS_ENABLE_ECC */
FPS "%-20s Specify the password file\n",
" -f pwfile");
" -f pwfile");
FPS "%-20s Key database directory (default is ~/.netscape)\n",
" -d keydir");
" -d keydir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
" -P dbprefix");
FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
" -p phone");
" -p phone");
FPS "%-20s Output the cert request in ASCII (RFC1113); default is binary\n",
" -a");
" -a");
FPS "%-20s \n",
" See -S for available extension options");
" See -S for available extension options");
FPS "\n");
}
static void luV(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "V"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Validate a certificate\n",
"-V");
"-V");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s The nickname of the cert to Validate\n",
" -n cert-name");
" -n cert-name");
FPS "%-20s validity time (\"YYMMDDHHMMSS[+HHMM|-HHMM|Z]\")\n",
" -b time");
" -b time");
FPS "%-20s Check certificate signature \n",
" -e ");
" -e ");
FPS "%-20s Specify certificate usage:\n", " -u certusage");
FPS "%-25s C \t SSL Client\n", "");
FPS "%-25s V \t SSL Server\n", "");
@ -1361,140 +1482,205 @@ static void LongUsage(char *progName)
FPS "%-25s O \t OCSP status responder\n", "");
FPS "%-25s J \t Object signer\n", "");
FPS "%-20s Cert database directory (default is ~/.netscape)\n",
" -d certdir");
" -d certdir");
FPS "%-20s Input the certificate in ASCII (RFC1113); default is binary\n",
" -a");
" -a");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
" -P dbprefix");
FPS "%-20s force the database to open R/W\n",
" -X");
" -X");
FPS "\n");
}
static void luW(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "W"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Change the key database password\n",
"-W");
"-W");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s cert and key database directory\n",
" -d certdir");
" -d certdir");
FPS "%-20s Specify a file with the current password\n",
" -f pwfile");
" -f pwfile");
FPS "%-20s Specify a file with the new password in two lines\n",
" -@ newpwfile");
" -@ newpwfile");
FPS "\n");
}
static void luUpgradeMerge(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "upgrade-merge"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Upgrade an old database and merge it into a new one\n",
"--upgrade-merge");
"--upgrade-merge");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s Cert database directory to merge into (default is ~/.netscape)\n",
" -d certdir");
" -d certdir");
FPS "%-20s Cert & Key database prefix of the target database\n",
" -P dbprefix");
" -P dbprefix");
FPS "%-20s Specify the password file for the target database\n",
" -f pwfile");
" -f pwfile");
FPS "%-20s \n%-20s Cert database directory to upgrade from\n",
" --source-dir certdir", "");
" --source-dir certdir", "");
FPS "%-20s \n%-20s Cert & Key database prefix of the upgrade database\n",
" --soruce-prefix dbprefix", "");
" --soruce-prefix dbprefix", "");
FPS "%-20s \n%-20s Unique identifier for the upgrade database\n",
" --upgrade-id uniqueID", "");
" --upgrade-id uniqueID", "");
FPS "%-20s \n%-20s Name of the token while it is in upgrade state\n",
" --upgrade-token-name name", "");
" --upgrade-token-name name", "");
FPS "%-20s Specify the password file for the upgrade database\n",
" -@ pwfile");
" -@ pwfile");
FPS "\n");
}
static void luMerge(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "merge"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Merge source database into the target database\n",
"--merge");
"--merge");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s Cert database directory of target (default is ~/.netscape)\n",
" -d certdir");
" -d certdir");
FPS "%-20s Cert & Key database prefix of the target database\n",
" -P dbprefix");
" -P dbprefix");
FPS "%-20s Specify the password file for the target database\n",
" -f pwfile");
" -f pwfile");
FPS "%-20s \n%-20s Cert database directory of the source database\n",
" --source-dir certdir", "");
" --source-dir certdir", "");
FPS "%-20s \n%-20s Cert & Key database prefix of the source database\n",
" --source-prefix dbprefix", "");
" --source-prefix dbprefix", "");
FPS "%-20s Specify the password file for the source database\n",
" -@ pwfile");
" -@ pwfile");
FPS "\n");
}
static void luS(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "S"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Make a certificate and add to database\n",
"-S");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s Specify the nickname of the cert\n",
" -n key-name");
FPS "%-20s Specify the subject name (using RFC1485)\n",
" -s subject");
FPS "%-20s The nickname of the issuer cert\n",
" -c issuer-name");
" -c issuer-name");
FPS "%-20s Set the certificate trust attributes (see -A above)\n",
" -t trustargs");
" -t trustargs");
#ifdef NSS_ENABLE_ECC
FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
#else
FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
#endif /* NSS_ENABLE_ECC */
" -k key-type-or-id");
" -k key-type-or-id");
FPS "%-20s Name of token in which to generate key (default is internal)\n",
" -h token-name");
" -h token-name");
FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
" -q pqgfile");
" -q pqgfile");
#ifdef NSS_ENABLE_ECC
FPS "%-20s Elliptic curve name (ec only)\n",
" -q curve-name");
" -q curve-name");
FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
"");
"");
#endif /* NSS_ENABLE_ECC */
FPS "%-20s Self sign\n",
" -x");
" -x");
FPS "%-20s Cert serial number\n",
" -m serial-number");
" -m serial-number");
FPS "%-20s Time Warp\n",
" -w warp-months");
" -w warp-months");
FPS "%-20s Months valid (default is 3)\n",
" -v months-valid");
FPS "%-20s Specify the password file\n",
" -f pwfile");
" -f pwfile");
FPS "%-20s Cert database directory (default is ~/.netscape)\n",
" -d certdir");
" -d certdir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
" -P dbprefix");
FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
" -p phone");
" -p phone");
FPS "%-20s Create key usage extension\n",
" -1 ");
" -1 ");
FPS "%-20s Create basic constraint extension\n",
" -2 ");
" -2 ");
FPS "%-20s Create authority key ID extension\n",
" -3 ");
" -3 ");
FPS "%-20s Create crl distribution point extension\n",
" -4 ");
" -4 ");
FPS "%-20s Create netscape cert type extension\n",
" -5 ");
" -5 ");
FPS "%-20s Create extended key usage extension\n",
" -6 ");
" -6 ");
FPS "%-20s Create an email subject alt name extension\n",
" -7 emailAddrs ");
" -7 emailAddrs ");
FPS "%-20s Create a DNS subject alt name extension\n",
" -8 DNS-names");
" -8 DNS-names");
FPS "%-20s Create an Authority Information Access extension\n",
" --extAIA ");
" --extAIA ");
FPS "%-20s Create a Subject Information Access extension\n",
" --extSIA ");
" --extSIA ");
FPS "%-20s Create a Certificate Policies extension\n",
" --extCP ");
" --extCP ");
FPS "%-20s Create a Policy Mappings extension\n",
" --extPM ");
" --extPM ");
FPS "%-20s Create a Policy Constraints extension\n",
" --extPC ");
" --extPC ");
FPS "%-20s Create an Inhibit Any Policy extension\n",
" --extIA ");
" --extIA ");
FPS "%-20s Create a subject key ID extension\n",
" --extSKID ");
" --extSKID ");
FPS "\n");
}
exit(1);
static void LongUsage(char *progName, enum usage_level ul, const char *command)
{
luA(ul, command);
luB(ul, command);
luE(ul, command);
luC(ul, command);
luG(ul, command);
luD(ul, command);
luU(ul, command);
luK(ul, command);
luL(ul, command);
luM(ul, command);
luN(ul, command);
luT(ul, command);
luO(ul, command);
luR(ul, command);
luV(ul, command);
luW(ul, command);
luUpgradeMerge(ul, command);
luMerge(ul, command);
luS(ul, command);
#undef FPS
}
static void
Usage(char *progName)
{
PR_fprintf(PR_STDERR,
"%s - Utility to manipulate NSS certificate databases\n\n"
"Usage: %s <command> -d <database-directory> <options>\n\n"
"Valid commands:\n", progName, progName);
LongUsage(progName, usage_selected, NULL);
PR_fprintf(PR_STDERR, "\n"
"%s -H <command> : Print available options for the given command\n"
"%s -H : Print complete help output of all commands and options\n"
"%s --syntax : Print a short summary of all commands and options\n",
progName, progName, progName);
exit(1);
}
static CERTCertificate *
MakeV1Cert( CERTCertDBHandle * handle,
@ -1829,6 +2015,7 @@ enum {
cmd_DeleteKey,
cmd_GenKeyPair,
cmd_PrintHelp,
cmd_PrintSyntax,
cmd_ListKeys,
cmd_ListCerts,
cmd_ModifyCertTrust,
@ -1843,7 +2030,8 @@ enum {
cmd_Version,
cmd_Batch,
cmd_Merge,
cmd_UpgradeMerge /* test only */
cmd_UpgradeMerge, /* test only */
max_cmd
};
/* Certutil options */
@ -1901,7 +2089,8 @@ enum certutilOpts {
opt_SourceDir,
opt_SourcePrefix,
opt_UpgradeID,
opt_UpgradeTokenName
opt_UpgradeTokenName,
opt_Help
};
static const
@ -1913,7 +2102,9 @@ secuCommandFlag commands_init[] =
{ /* cmd_AddEmailCert */ 'E', PR_FALSE, 0, PR_FALSE },
{ /* cmd_DeleteKey */ 'F', PR_FALSE, 0, PR_FALSE },
{ /* cmd_GenKeyPair */ 'G', PR_FALSE, 0, PR_FALSE },
{ /* cmd_PrintHelp */ 'H', PR_FALSE, 0, PR_FALSE },
{ /* cmd_PrintHelp */ 'H', PR_FALSE, 0, PR_FALSE, "help" },
{ /* cmd_PrintSyntax */ 0, PR_FALSE, 0, PR_FALSE,
"syntax" },
{ /* cmd_ListKeys */ 'K', PR_FALSE, 0, PR_FALSE },
{ /* cmd_ListCerts */ 'L', PR_FALSE, 0, PR_FALSE },
{ /* cmd_ModifyCertTrust */ 'M', PR_FALSE, 0, PR_FALSE },
@ -2063,8 +2254,32 @@ certutil_main(int argc, char **argv, PRBool initialize)
if (rv != SECSuccess)
Usage(progName);
if (certutil.commands[cmd_PrintHelp].activated)
LongUsage(progName);
if (certutil.commands[cmd_PrintSyntax].activated) {
PrintSyntax(progName);
}
if (certutil.commands[cmd_PrintHelp].activated) {
int i;
char buf[2];
const char *command = NULL;
for (i = 0; i < max_cmd; i++) {
if (i == cmd_PrintHelp)
continue;
if (certutil.commands[i].activated) {
if (certutil.commands[i].flag) {
buf[0] = certutil.commands[i].flag;
buf[1] = 0;
command = buf;
}
else {
command = certutil.commands[i].longform;
}
break;
}
}
LongUsage(progName, (command ? usage_selected : usage_all), command);
exit(1);
}
if (certutil.options[opt_PasswordFile].arg) {
pwdata.source = PW_FROMFILE;
@ -2247,7 +2462,6 @@ certutil_main(int argc, char **argv, PRBool initialize)
return 255;
}
if (commandsEntered == 0) {
PR_fprintf(PR_STDERR, "%s: you must enter a command!\n", progName);
Usage(progName);
}


@ -981,7 +981,7 @@ SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level)
}
static void
secu_PrintRawString(FILE *out, SECItem *si, char *m, int level)
secu_PrintRawString(FILE *out, SECItem *si, const char *m, int level)
{
int column;
unsigned int i;
@ -2094,23 +2094,25 @@ secu_PrintCRLDistPtsExtension(FILE *out, SECItem *value, char *msg, int level)
CRLDistributionPoint ** pPoints = dPoints->distPoints;
CRLDistributionPoint * pPoint;
while (NULL != (pPoint = *pPoints++)) {
SECU_Indent(out, level); fputs("Distribution point:\n", out);
if (pPoint->distPointType == generalName &&
pPoint->distPoint.fullName != NULL) {
secu_PrintGeneralNames(out, pPoint->distPoint.fullName, NULL,
level);
level + 1);
} else if (pPoint->distPointType == relativeDistinguishedName &&
pPoint->distPoint.relativeName.avas) {
SECU_PrintRDN(out, &pPoint->distPoint.relativeName, "RDN",
level);
level + 1);
} else if (pPoint->derDistPoint.data) {
SECU_PrintAny(out, &pPoint->derDistPoint, "Point", level);
SECU_PrintAny(out, &pPoint->derDistPoint, "Point", level + 1);
}
if (pPoint->reasons.data) {
secu_PrintDecodedBitString(out, &pPoint->reasons, "Reasons",
level);
level + 1);
}
if (pPoint->crlIssuer) {
secu_PrintGeneralName(out, pPoint->crlIssuer, "Issuer", level);
secu_PrintGeneralName(out, pPoint->crlIssuer, "CRL issuer",
level + 1);
}
}
} else {
@ -2332,7 +2334,7 @@ SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
* print those, so make a directory name out of the RDN, and print it.
*/
void
SECU_PrintRDN(FILE *out, CERTRDN *rdn, char *msg, int level)
SECU_PrintRDN(FILE *out, CERTRDN *rdn, const char *msg, int level)
{
CERTName name;
CERTRDN *rdns[2];
@ -2345,7 +2347,7 @@ SECU_PrintRDN(FILE *out, CERTRDN *rdn, char *msg, int level)
}
void
SECU_PrintName(FILE *out, CERTName *name, char *msg, int level)
SECU_PrintName(FILE *out, CERTName *name, const char *msg, int level)
{
char *nameStr = NULL;
char *str;
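Review bot: The `const char *` conversion in this section covers only `secu_PrintRawString`, `SECU_PrintRDN` and `SECU_PrintName`; `secu_PrintCRLDistPtsExtension` (see the hunk header above) still takes `char *msg`, and so does `SECU_PrintExtensions` as declared in the secutil.h section. These helpers only print the label, so the remaining `msg` parameters could become `const char *msg` in the same pass, which keeps the family consistent. The functions touched here begin or end outside the hunks shown.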


@ -309,8 +309,9 @@ extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value,
extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
char *msg, int level);
extern void SECU_PrintName(FILE *out, CERTName *name, char *msg, int level);
extern void SECU_PrintRDN(FILE *out, CERTRDN *rdn, char *msg, int level);
extern void SECU_PrintName(FILE *out, CERTName *name, const char *msg,
int level);
extern void SECU_PrintRDN(FILE *out, CERTRDN *rdn, const char *msg, int level);
#ifdef SECU_GetPassword
/* Convert a High public Key to a Low public Key */


@ -1491,14 +1491,18 @@ getBoundListenSocket(unsigned short port)
PRStatus prStatus;
PRNetAddr addr;
PRSocketOptionData opt;
PRUint16 socketDomain = PR_AF_INET;
addr.inet.family = PR_AF_INET;
addr.inet.ip = PR_INADDR_ANY;
addr.inet.port = PR_htons(port);
listen_sock = PR_NewTCPSocket();
if (PR_GetEnv("NSS_USE_SDP")) {
socketDomain = PR_AF_INET_SDP;
}
listen_sock = PR_OpenTCPSocket(socketDomain);
if (listen_sock == NULL) {
errExit("PR_NewTCPSocket");
errExit("PR_OpenTCPSocket error");
}
opt.option = PR_SockOpt_Nonblocking;
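Review bot: The added `PR_GetEnv("NSS_USE_SDP")` test in getBoundListenSocket selects `PR_AF_INET_SDP` whenever the variable is present, whatever its value, so a setting such as `NSS_USE_SDP=0` would presumably still change the transport of the listening socket. If an explicit opt-in is intended, test the value as well, e.g. `const char *sdp = PR_GetEnv("NSS_USE_SDP"); if (sdp && sdp[0] == '1') socketDomain = PR_AF_INET_SDP;`, or at least add a comment such as `/* presence of NSS_USE_SDP, with any value, selects SDP */`. The same presence-only test appears in client_main in the strsclnt section and in main in the tstclnt section. getBoundListenSocket continues past the end of this hunk.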


@ -46,7 +46,7 @@
* compute the checksum for the NSS cryptographic boundary libraries
* and compare the checksum with the value in .chk file.
*
* $Id: shlibsign.c,v 1.18 2008/11/20 15:44:12 glen.beasley%sun.com Exp $
* $Id: shlibsign.c,v 1.18.20.1 2011/04/08 04:04:27 wtc%google.com Exp $
*/
#ifdef XP_UNIX
@ -1012,7 +1012,7 @@ int main(int argc, char **argv)
}
/* open the target signature file */
fd = PR_OpenFile(output_file,PR_WRONLY|PR_CREATE_FILE|PR_TRUNCATE,0666);
fd = PR_Open(output_file,PR_WRONLY|PR_CREATE_FILE|PR_TRUNCATE,0666);
if (fd == NULL ) {
lperror(output_file);
goto cleanup;
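Review bot: The signature file is still created with mode 0666 in the new `PR_Open` call, so under a permissive umask the .chk file can end up writable by other users. The header comment in this section says the computed checksum is compared with the value in that file, which makes it integrity-relevant. A tighter mode would be `fd = PR_Open(output_file,PR_WRONLY|PR_CREATE_FILE|PR_TRUNCATE,0644);`. main starts before this hunk and continues after it.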


@ -360,7 +360,7 @@ printSecurityInfo(PRFileDesc *fd)
#define MAX_THREADS 128
typedef int startFn(void *a, void *b, int c);
typedef int startFn(void *a, void *b, int c, int d);
static PRInt32 numConnected;
@ -374,6 +374,7 @@ typedef struct perThreadStr {
startFn * startFunc;
PRThread * prThread;
PRBool inUse;
PRInt32 socketDomain;
} perThread;
perThread threads[MAX_THREADS];
@ -429,7 +430,8 @@ thread_wrapper(void * arg)
}
PR_Unlock(threadLock);
if (doop) {
slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->tid);
slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->tid,
slot->socketDomain);
PRINTF("strsclnt: Thread in slot %d returned %d\n",
slot->tid, slot->rv);
}
@ -444,7 +446,8 @@ launch_thread(
startFn * startFunc,
void * a,
void * b,
int tid)
int tid,
int sockDom)
{
PRUint32 i;
perThread * slot;
@ -462,7 +465,8 @@ launch_thread(
slot->a = a;
slot->b = b;
slot->tid = tid;
slot->socketDomain = sockDom;
slot->startFunc = startFunc;
slot->prThread = PR_CreateThread(PR_USER_THREAD,
@ -585,7 +589,8 @@ int
do_writes(
void * a,
void * b,
int c)
int c,
int d)
{
PRFileDesc * ssl_sock = (PRFileDesc *)a;
lockedVars * lv = (lockedVars *)b;
@ -627,7 +632,7 @@ handle_fdx_connection( PRFileDesc * ssl_sock, int connection)
lockedVars_AddToCount(&lv, 1);
/* Attempt to launch the writer thread. */
result = launch_thread(do_writes, ssl_sock, &lv, connection);
result = launch_thread(do_writes, ssl_sock, &lv, connection, -1 /*not used*/);
if (result != SECSuccess)
goto cleanup;
@ -746,7 +751,8 @@ int
do_connects(
void * a,
void * b,
int tid)
int tid,
PRInt32 socketDomain)
{
PRNetAddr * addr = (PRNetAddr *) a;
PRFileDesc * model_sock = (PRFileDesc *) b;
@ -760,7 +766,7 @@ do_connects(
retry:
tcp_sock = PR_OpenTCPSocket(addr->raw.family);
tcp_sock = PR_OpenTCPSocket(socketDomain);
if (tcp_sock == NULL) {
errExit("PR_OpenTCPSocket");
}
@ -1088,6 +1094,7 @@ client_main(
int rv;
PRStatus status;
PRNetAddr addr;
PRInt32 socketDomain;
status = PR_StringToNetAddr(hostName, &addr);
if (status == PR_SUCCESS) {
@ -1115,6 +1122,13 @@ client_main(
}
}
/* check if SDP is going to be used */
if (!PR_GetEnv("NSS_USE_SDP")) {
socketDomain = addr.raw.family;
} else {
socketDomain = PR_AF_INET_SDP;
}
/* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */
NSS_SetDomesticPolicy();
@ -1171,8 +1185,8 @@ client_main(
}
/* configure model SSL socket. */
model_sock = PR_OpenTCPSocket(addr.raw.family);
model_sock = PR_OpenTCPSocket(socketDomain);
if (model_sock == NULL) {
errExit("PR_OpenTCPSocket for model socket");
}
@ -1276,7 +1290,7 @@ client_main(
if (!NoReuse) {
remaining_connections = 1;
rv = launch_thread(do_connects, &addr, model_sock, 0);
rv = launch_thread(do_connects, &addr, model_sock, 0, socketDomain);
/* wait for the first connection to terminate, then launch the rest. */
reap_threads();
remaining_connections = total_connections - 1 ;
@ -1285,7 +1299,7 @@ client_main(
active_threads = PR_MIN(active_threads, remaining_connections);
/* Start up the threads */
for (i=0;i<active_threads;i++) {
rv = launch_thread(do_connects, &addr, model_sock, i);
rv = launch_thread(do_connects, &addr, model_sock, i, socketDomain);
}
reap_threads();
}
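Review bot: The new fourth argument is typed inconsistently in this section: `startFn` declares `int d` and `launch_thread` takes `int sockDom`, while `perThread.socketDomain` and `do_connects` use `PRInt32`. `do_connects` is handed to `launch_thread` as a `startFn *`, so its signature should match the typedef exactly; on a platform where PRInt32 is not `int` the two function types would be incompatible. Either change the typedef to `typedef int startFn(void *a, void *b, int c, PRInt32 d);` or declare `int socketDomain` in do_connects, and use the same type in launch_thread. Most of these functions begin or end outside the hunks shown.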


@ -538,6 +538,7 @@ int main(int argc, char **argv)
PLOptState *optstate;
PLOptStatus optstatus;
PRStatus prStatus;
PRUint16 socketDomain;
progName = strrchr(argv[0], '/');
if (!progName)
@ -699,11 +700,17 @@ int main(int argc, char **argv)
printHostNameAndAddr(host, &addr);
/* check if SDP is going to be used */
if (!PR_GetEnv("NSS_USE_SDP")) {
socketDomain = addr.raw.family;
} else {
socketDomain = PR_AF_INET_SDP;
}
if (pingServerFirst) {
int iter = 0;
PRErrorCode err;
do {
s = PR_OpenTCPSocket(addr.raw.family);
s = PR_OpenTCPSocket(socketDomain);
if (s == NULL) {
SECU_PrintError(progName, "Failed to create a TCP socket");
}
@ -741,7 +748,7 @@ int main(int argc, char **argv)
}
/* Create socket */
s = PR_OpenTCPSocket(addr.raw.family);
s = PR_OpenTCPSocket(socketDomain);
if (s == NULL) {
SECU_PrintError(progName, "error creating socket");
return 1;


@ -37,7 +37,7 @@
/*
* cert.h - public data structures and prototypes for the certificate library
*
* $Id: cert.h,v 1.80.2.1 2010/09/24 13:31:57 kaie%kuix.de Exp $
* $Id: cert.h,v 1.80.2.3 2011/04/08 22:54:34 kaie%kuix.de Exp $
*/
#ifndef _CERT_H_
@ -1112,7 +1112,7 @@ extern CERTCertificateList *
CERT_CertListFromCert(CERTCertificate *cert);
extern CERTCertificateList *
CERT_DupCertList(CERTCertificateList * oldList);
CERT_DupCertList(const CERTCertificateList * oldList);
extern void CERT_DestroyCertificateList(CERTCertificateList *list);
@ -1665,26 +1665,33 @@ extern SECStatus CERT_PKIXVerifyCert(
CERTValInParam *paramsIn,
CERTValOutParam *paramsOut,
void *wincx);
/*
* This function changes the application defaults for the Verify function.
* It should be called once at app initialization time, and only changes
* if the default configuration changes.
*
* This changes the default values for the parameters specified. These
* defaults can be overridden in CERT_PKIXVerifyCert() by explicitly
* setting the value in paramsIn.
*/
extern SECStatus CERT_PKIXSetDefaults(CERTValInParam *paramsIn);
/* Makes old cert validation APIs(CERT_VerifyCert, CERT_VerifyCertificate)
* to use libpkix validation engine. The function should be called ones at
* application initialization time.
* Function is not thread safe.*/
SECStatus CERT_SetUsePKIXForValidation(PRBool enable);
extern SECStatus CERT_SetUsePKIXForValidation(PRBool enable);
/* The function return PR_TRUE if cert validation should use
* libpkix cert validation engine. */
PRBool CERT_GetUsePKIXForValidation(void);
extern PRBool CERT_GetUsePKIXForValidation(void);
/*
* Allocate a parameter container of type CERTRevocationFlags,
* and allocate the inner arrays of the given sizes.
* To cleanup call CERT_DestroyCERTRevocationFlags.
*/
extern CERTRevocationFlags *
CERT_AllocCERTRevocationFlags(
PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods,
PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods);
/*
* Destroy the arrays inside flags,
* and destroy the object pointed to by flags, too.
*/
extern void
CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags);
SEC_END_PROTOS


@ -37,6 +37,7 @@
#include "prtime.h"
#include "cert.h"
#include "certi.h"
#include "certdb.h"
#include "secitem.h"
#include "secder.h"
@ -86,12 +87,26 @@ SEC_DeletePermCertificate(CERTCertificate *cert)
PRStatus nssrv;
NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
NSSCertificate *c = STAN_GetNSSCertificate(cert);
CERTCertTrust *certTrust;
if (c == NULL) {
/* error code is set */
return SECFailure;
}
certTrust = nssTrust_GetCERTCertTrustForCert(c, cert);
if (certTrust) {
NSSTrust *nssTrust = nssTrustDomain_FindTrustForCertificate(td, c);
if (nssTrust) {
nssrv = STAN_DeleteCertTrustMatchingSlot(c);
if (nssrv != PR_SUCCESS) {
CERT_MapStanError();
}
/* This call always returns PR_SUCCESS! */
(void) nssTrust_Destroy(nssTrust);
}
}
/* get rid of the token instances */
nssrv = NSSCertificate_DeleteStoredObject(c, NULL);
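Review bot: A failure of `STAN_DeleteCertTrustMatchingSlot(c)` in the added block is only passed to `CERT_MapStanError()`; `nssrv` is then overwritten by `NSSCertificate_DeleteStoredObject(c, NULL)`, so as far as this hunk shows the function can report success while the trust record is still stored. A trust object left behind after its certificate is deleted is worth surfacing to the caller, so I would keep the first status in its own variable, e.g. `PRStatus trustrv = STAN_DeleteCertTrustMatchingSlot(c);`, and return SECFailure when it is not PR_SUCCESS. The rest of SEC_DeletePermCertificate lies outside the hunk, so confirm how the return value is built there.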


@ -1176,7 +1176,7 @@ loser:
}
CERTCertificateList *
CERT_DupCertList(CERTCertificateList * oldList)
CERT_DupCertList(const CERTCertificateList * oldList)
{
CERTCertificateList *newList = NULL;
PRArenaPool *arena = NULL;


@ -1986,6 +1986,63 @@ CERT_GetPKIXVerifyNistRevocationPolicy()
return &certRev_PKIX_Verify_Nist_Policy;
}
CERTRevocationFlags *
CERT_AllocCERTRevocationFlags(
PRUint32 number_leaf_methods, PRUint32 number_leaf_pref_methods,
PRUint32 number_chain_methods, PRUint32 number_chain_pref_methods)
{
CERTRevocationFlags *flags;
flags = PORT_New(CERTRevocationFlags);
if (!flags)
return(NULL);
flags->leafTests.number_of_defined_methods = number_leaf_methods;
flags->leafTests.cert_rev_flags_per_method =
PORT_NewArray(PRUint64, number_leaf_methods);
flags->leafTests.number_of_preferred_methods = number_leaf_pref_methods;
flags->leafTests.preferred_methods =
PORT_NewArray(CERTRevocationMethodIndex, number_leaf_pref_methods);
flags->chainTests.number_of_defined_methods = number_chain_methods;
flags->chainTests.cert_rev_flags_per_method =
PORT_NewArray(PRUint64, number_chain_methods);
flags->chainTests.number_of_preferred_methods = number_chain_pref_methods;
flags->chainTests.preferred_methods =
PORT_NewArray(CERTRevocationMethodIndex, number_chain_pref_methods);
if (!flags->leafTests.cert_rev_flags_per_method
|| !flags->leafTests.preferred_methods
|| !flags->chainTests.cert_rev_flags_per_method
|| !flags->chainTests.preferred_methods) {
CERT_DestroyCERTRevocationFlags(flags);
return (NULL);
}
return flags;
}
void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags)
{
if (!flags)
return;
if (flags->leafTests.cert_rev_flags_per_method)
PORT_Free(flags->leafTests.cert_rev_flags_per_method);
if (flags->leafTests.preferred_methods)
PORT_Free(flags->leafTests.preferred_methods);
if (flags->chainTests.cert_rev_flags_per_method)
PORT_Free(flags->chainTests.cert_rev_flags_per_method);
if (flags->chainTests.preferred_methods)
PORT_Free(flags->chainTests.preferred_methods);
PORT_Free(flags);
}
/*
* CERT_PKIXVerifyCert
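Review bot: CERT_AllocCERTRevocationFlags returns arrays whose contents are uninitialized, because all four are allocated with `PORT_NewArray`; a caller that fills in only some entries of `cert_rev_flags_per_method` would pass arbitrary revocation flag bits onward. Allocating them zeroed avoids that, e.g. `PORT_ZNewArray(PRUint64, number_leaf_methods)` and likewise for the other three allocations. The function also deserves a header comment stating that it returns NULL on allocation failure and whether a count of 0 is allowed, since the NULL checks make that depend on what the allocator returns for a zero-length request.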

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff


@ -77,8 +77,8 @@
* of the comment in the CK_VERSION type definition.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 81
#define NSS_BUILTINS_LIBRARY_VERSION "1.81"
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 83
#define NSS_BUILTINS_LIBRARY_VERSION "1.83"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1


@ -460,7 +460,7 @@ done:
* - If the cert does not have PQG parameters, obtain them from the issuer.
* - A valid cert chain cannot have a DSA or Fortezza cert without
* pqg parameters that has a parent that is not a DSA or Fortezza cert.
* - pqg paramters are stored in two different formats: the standard
* - pqg parameters are stored in two different formats: the standard
* DER encoded format and the fortezza-only wrapped format. The params
* should be copied from issuer to subject cert without modifying the
* formats. The public key extraction code will deal with the different
@ -1000,6 +1000,15 @@ seckey_GetKeyType (SECOidTag tag) {
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
keyType = ecKey;
break;
/* accommodate applications that hand us a signature type when they
* should be handing us a cipher type */
case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
keyType = rsaKey;
break;
default:
keyType = nullKey;
}
@ -1187,7 +1196,7 @@ CERT_ExtractPublicKey(CERTCertificate *cert)
/*
* Get the public key for the fortezza KMID. NOTE this requires the
* PQG paramters to be set. We probably should have a fortezza call that
* PQG parameters to be set. We probably should have a fortezza call that
* just extracts the kmid for us directly so this function can work
* without having the whole cert chain
*/
@ -2225,7 +2234,7 @@ SECKEY_DestroyPrivateKeyInfo(SECKEYPrivateKeyInfo *pvk,
SECITEM_ZfreeItem(&pvk->version, PR_FALSE);
SECITEM_ZfreeItem(&pvk->privateKey, PR_FALSE);
SECOID_DestroyAlgorithmID(&pvk->algorithm, PR_FALSE);
PORT_Memset((char *)pvk, 0, sizeof(pvk));
PORT_Memset((char *)pvk, 0, sizeof(*pvk));
if(freeit == PR_TRUE) {
PORT_Free(pvk);
}
@ -2255,7 +2264,7 @@ SECKEY_DestroyEncryptedPrivateKeyInfo(SECKEYEncryptedPrivateKeyInfo *epki,
} else {
SECITEM_ZfreeItem(&epki->encryptedData, PR_FALSE);
SECOID_DestroyAlgorithmID(&epki->algorithm, PR_FALSE);
PORT_Memset((char *)epki, 0, sizeof(epki));
PORT_Memset((char *)epki, 0, sizeof(*epki));
if(freeit == PR_TRUE) {
PORT_Free(epki);
}
@ -2325,19 +2334,24 @@ SECKEY_ImportDERPublicKey(SECItem *derKey, CK_KEY_TYPE type)
SECKEYPublicKey *pubk = NULL;
SECStatus rv = SECFailure;
SECItem newDerKey;
PRArenaPool *arena = NULL;
if (!derKey) {
return NULL;
}
pubk = PORT_ZNew(SECKEYPublicKey);
if(pubk == NULL) {
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto finish;
}
pubk->arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (NULL == pubk->arena) {
pubk = PORT_ArenaZNew(arena, SECKEYPublicKey);
if (pubk == NULL) {
goto finish;
}
pubk->arena = arena;
rv = SECITEM_CopyItem(pubk->arena, &newDerKey, derKey);
if (SECSuccess != rv) {
goto finish;
@ -2368,11 +2382,10 @@ SECKEY_ImportDERPublicKey(SECItem *derKey, CK_KEY_TYPE type)
}
finish:
if( rv != SECSuccess && pubk != NULL) {
if (pubk->arena) {
PORT_FreeArena(pubk->arena, PR_TRUE);
if (rv != SECSuccess) {
if (arena != NULL) {
PORT_FreeArena(arena, PR_TRUE);
}
PORT_Free(pubk);
pubk = NULL;
}
return pubk;
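Review bot: The new cases in seckey_GetKeyType map five PKCS #1 signature OIDs to `rsaKey`, but the comment does not say that this is a compatibility shim, and no DSA or ECDSA signature tags are added, so those would still reach `default:` and yield `nullKey`. Accepting a signature algorithm where a key algorithm is expected also hides a caller's mix-up, and only for RSA. I would extend the comment, e.g. `/* compatibility only: RSA signature OIDs are treated as rsaKey; other signature OIDs still return nullKey */`, so the asymmetry is recorded as deliberate. The function starts before this hunk.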


@ -38,7 +38,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: blapit.h,v 1.22 2008/12/17 06:09:12 nelson%bolyard.com Exp $ */
/* $Id: blapit.h,v 1.22.22.1 2011/03/16 18:49:45 alexei.volkov.bugs%sun.com Exp $ */
#ifndef _BLAPIT_H_
#define _BLAPIT_H_
@ -115,6 +115,10 @@
#define AES_KEY_WRAP_BLOCK_SIZE 8 /* bytes */
#define AES_BLOCK_SIZE 16 /* bytes */
#define AES_128_KEY_LENGTH 16 /* bytes */
#define AES_192_KEY_LENGTH 24 /* bytes */
#define AES_256_KEY_LENGTH 32 /* bytes */
#define CAMELLIA_BLOCK_SIZE 16 /* bytes */
#define SEED_BLOCK_SIZE 16 /* bytes */


@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: mpi-config.h,v 1.5 2004/04/25 15:03:10 gerv%gerv.net Exp $ */
/* $Id: mpi-config.h,v 1.5.198.1 2011/04/07 22:31:40 wtc%google.com Exp $ */
#ifndef MPI_CONFIG_H_
#define MPI_CONFIG_H_
@ -100,7 +100,7 @@
#endif
#ifndef MP_MACRO
#define MP_MACRO 0 /* use macros for frequent calls? */
#define MP_MACRO 1 /* use macros for frequent calls? */
#endif
#ifndef MP_SQUARE


@ -40,7 +40,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: mpi.c,v 1.47 2010/05/02 22:36:41 nelson%bolyard.com Exp $ */
/* $Id: mpi.c,v 1.47.2.1 2011/04/07 22:31:40 wtc%google.com Exp $ */
#include "mpi-priv.h"
#if defined(OSF1)
@ -206,7 +206,6 @@ mp_err mp_copy(const mp_int *from, mp_int *to)
if(from == to)
return MP_OKAY;
++mp_copies;
{ /* copy */
mp_digit *tmp;
@ -2864,6 +2863,7 @@ void s_mp_copy(const mp_digit *sp, mp_digit *dp, mp_size count)
#else
memcpy(dp, sp, count * sizeof(mp_digit));
#endif
++mp_copies;
} /* end s_mp_copy() */
#endif


@ -202,7 +202,7 @@
movq %r9, %rax
ret
.size s_mpv_mul_set_vec64, [.-s_mpv_mul_set_vec64]
.size s_mpv_mul_set_vec64, .-s_mpv_mul_set_vec64
# ------------------------------------------------------------------------
#
@ -415,7 +415,7 @@
movq %r9, %rax
ret
.size s_mpv_mul_add_vec64, [.-s_mpv_mul_add_vec64]
.size s_mpv_mul_add_vec64, .-s_mpv_mul_add_vec64
# Magic indicating no need for an executable stack
.section .note.GNU-stack, "", @progbits


@ -202,7 +202,7 @@
movq %r9, %rax
ret
.size s_mpv_mul_set_vec64, [.-s_mpv_mul_set_vec64]
.size s_mpv_mul_set_vec64, .-s_mpv_mul_set_vec64
/ ------------------------------------------------------------------------
/
@ -415,4 +415,4 @@
movq %r9, %rax
ret
.size s_mpv_mul_add_vec64, [.-s_mpv_mul_add_vec64]
.size s_mpv_mul_add_vec64, .-s_mpv_mul_add_vec64


@ -33,7 +33,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: nsslowhash.c,v 1.4 2009/06/09 23:34:06 rrelyea%redhat.com Exp $ */
/* $Id: nsslowhash.c,v 1.4.8.1 2011/01/20 18:41:51 emaldona%redhat.com Exp $ */
#include "stubs.h"
#include "prtypes.h"
@ -275,7 +275,7 @@ static int nsslow_GetFIPSEnabled(void) {
f = fopen("/proc/sys/crypto/fips_enabled", "r");
if (!f)
return 1;
return 0;
size = fread(&d, 1, 1, f);
fclose(f);
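Review bot: Assuming the second `return` is the new side, nsslow_GetFIPSEnabled now reports FIPS as disabled whenever `fopen("/proc/sys/crypto/fips_enabled", "r")` fails, including failures other than the file not existing, such as a permission denial. That makes the check fail open. If `errno` is usable in this file, distinguishing the cases keeps the stricter answer for unexpected errors: `if (!f) return (errno == ENOENT) ? 0 : 1;`. Otherwise a comment stating that an unreadable file is treated as non-FIPS would at least record the decision. The function body continues outside the hunk.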


@ -37,7 +37,7 @@
/*
* RSA key generation, public key op, private key op.
*
* $Id: rsa.c,v 1.39.22.1 2010/11/16 19:06:38 rrelyea%redhat.com Exp $
* $Id: rsa.c,v 1.39.22.2 2011/03/30 18:39:44 rrelyea%redhat.com Exp $
*/
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
@ -67,11 +67,23 @@
*/
#define MAX_KEY_GEN_ATTEMPTS 10
/* Blinding Parameters max cache size */
#define RSA_BLINDING_PARAMS_MAX_CACHE_SIZE 20
/* exponent should not be greater than modulus */
#define BAD_RSA_KEY_SIZE(modLen, expLen) \
((expLen) > (modLen) || (modLen) > RSA_MAX_MODULUS_BITS/8 || \
(expLen) > RSA_MAX_EXPONENT_BITS/8)
struct blindingParamsStr;
typedef struct blindingParamsStr blindingParams;
struct blindingParamsStr {
blindingParams *next;
mp_int f, g; /* blinding parameter */
int counter; /* number of remaining uses of (f, g) */
};
/*
** RSABlindingParamsStr
**
@ -85,9 +97,10 @@ struct RSABlindingParamsStr
/* Blinding-specific parameters */
PRCList link; /* link to list of structs */
SECItem modulus; /* list element "key" */
mp_int f, g; /* Blinding parameters */
int counter; /* number of remaining uses of (f, g) */
blindingParams *free, *bp; /* Blinding parameters queue */
blindingParams array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE];
};
typedef struct RSABlindingParamsStr RSABlindingParams;
/*
** RSABlindingParamsListStr
@ -100,6 +113,8 @@ struct RSABlindingParamsStr
struct RSABlindingParamsListStr
{
PZLock *lock; /* Lock for the list */
PRCondVar *cVar; /* Condidtion Variable */
int waitCount; /* Number of threads waiting on cVar */
PRCList head; /* Pointer to the list */
};
@ -271,7 +286,7 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent)
PORT_SetError(SEC_ERROR_NO_MEMORY);
return NULL;
}
key = (RSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(RSAPrivateKey));
key = PORT_ArenaZNew(arena, RSAPrivateKey);
if (!key) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
PORT_FreeArena(arena, PR_TRUE);
@ -1026,18 +1041,25 @@ init_blinding_params_list(void)
PORT_SetError(SEC_ERROR_NO_MEMORY);
return PR_FAILURE;
}
blindingParamsList.cVar = PR_NewCondVar( blindingParamsList.lock );
if (!blindingParamsList.cVar) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return PR_FAILURE;
}
blindingParamsList.waitCount = 0;
PR_INIT_CLIST(&blindingParamsList.head);
return PR_SUCCESS;
}
static SECStatus
generate_blinding_params(struct RSABlindingParamsStr *rsabp,
RSAPrivateKey *key, mp_int *n, unsigned int modLen)
generate_blinding_params(RSAPrivateKey *key, mp_int* f, mp_int* g, mp_int *n,
unsigned int modLen)
{
SECStatus rv = SECSuccess;
mp_int e, k;
mp_err err = MP_OKAY;
unsigned char *kb = NULL;
MP_DIGITS(&e) = 0;
MP_DIGITS(&k) = 0;
CHECK_MPI_OK( mp_init(&e) );
@ -1054,11 +1076,9 @@ generate_blinding_params(struct RSABlindingParamsStr *rsabp,
/* k < n */
CHECK_MPI_OK( mp_mod(&k, n, &k) );
/* f = k**e mod n */
CHECK_MPI_OK( mp_exptmod(&k, &e, n, &rsabp->f) );
CHECK_MPI_OK( mp_exptmod(&k, &e, n, f) );
/* g = k**-1 mod n */
CHECK_MPI_OK( mp_invmod(&k, n, &rsabp->g) );
/* Initialize the counter for this (f, g) */
rsabp->counter = RSA_BLINDING_PARAMS_MAX_REUSE;
CHECK_MPI_OK( mp_invmod(&k, n, g) );
cleanup:
if (kb)
PORT_ZFree(kb, modLen);
@ -1072,114 +1092,202 @@ cleanup:
}
static SECStatus
init_blinding_params(struct RSABlindingParamsStr *rsabp, RSAPrivateKey *key,
init_blinding_params(RSABlindingParams *rsabp, RSAPrivateKey *key,
mp_int *n, unsigned int modLen)
{
blindingParams * bp = rsabp->array;
SECStatus rv = SECSuccess;
mp_err err = MP_OKAY;
MP_DIGITS(&rsabp->f) = 0;
MP_DIGITS(&rsabp->g) = 0;
/* initialize blinding parameters */
CHECK_MPI_OK( mp_init(&rsabp->f) );
CHECK_MPI_OK( mp_init(&rsabp->g) );
int i = 0;
/* Initialize the list pointer for the element */
PR_INIT_CLIST(&rsabp->link);
for (i = 0; i < RSA_BLINDING_PARAMS_MAX_CACHE_SIZE; ++i, ++bp) {
bp->next = bp + 1;
MP_DIGITS(&bp->f) = 0;
MP_DIGITS(&bp->g) = 0;
bp->counter = 0;
}
/* The last bp->next value was initialized with out
* of rsabp->array pointer and must be set to NULL
*/
rsabp->array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE - 1].next = NULL;
bp = rsabp->array;
rsabp->bp = NULL;
rsabp->free = bp;
/* List elements are keyed using the modulus */
SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus);
CHECK_SEC_OK( generate_blinding_params(rsabp, key, n, modLen) );
return SECSuccess;
cleanup:
mp_clear(&rsabp->f);
mp_clear(&rsabp->g);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
return rv;
}
static SECStatus
get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
mp_int *f, mp_int *g)
{
SECStatus rv = SECSuccess;
mp_err err = MP_OKAY;
int cmp;
PRCList *el;
struct RSABlindingParamsStr *rsabp = NULL;
/* Init the list if neccessary (the init function is only called once!) */
if (blindingParamsList.lock == NULL) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
/* Acquire the list lock */
PZ_Lock(blindingParamsList.lock);
/* Walk the list looking for the private key */
for (el = PR_NEXT_LINK(&blindingParamsList.head);
el != &blindingParamsList.head;
el = PR_NEXT_LINK(el)) {
rsabp = (struct RSABlindingParamsStr *)el;
cmp = SECITEM_CompareItem(&rsabp->modulus, &key->modulus);
if (cmp == 0) {
/* Check the usage counter for the parameters */
if (--rsabp->counter <= 0) {
/* Regenerate the blinding parameters */
CHECK_SEC_OK( generate_blinding_params(rsabp, key, n, modLen) );
}
/* Return the parameters */
CHECK_MPI_OK( mp_copy(&rsabp->f, f) );
CHECK_MPI_OK( mp_copy(&rsabp->g, g) );
/* Now that the params are located, release the list lock. */
PZ_Unlock(blindingParamsList.lock); /* XXX when fails? */
return SECSuccess;
} else if (cmp > 0) {
/* The key is not in the list. Break to param creation. */
break;
RSABlindingParams *rsabp = NULL;
blindingParams *bpUnlinked = NULL;
blindingParams *bp, *prevbp = NULL;
PRCList *el;
SECStatus rv = SECSuccess;
mp_err err = MP_OKAY;
int cmp = -1;
PRBool holdingLock = PR_FALSE;
do {
if (blindingParamsList.lock == NULL) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
}
/* At this point, the key is not in the list. el should point to the
** list element that this key should be inserted before. NOTE: the list
** lock is still held, so there cannot be a race condition here.
*/
rsabp = (struct RSABlindingParamsStr *)
PORT_ZAlloc(sizeof(struct RSABlindingParamsStr));
if (!rsabp) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto cleanup;
}
/* Initialize the list pointer for the element */
PR_INIT_CLIST(&rsabp->link);
/* Initialize the blinding parameters
** This ties up the list lock while doing some heavy, element-specific
** operations, but we don't want to insert the element until it is valid,
** which requires computing the blinding params. If this proves costly,
** it could be done after the list lock is released, and then if it fails
** the lock would have to be reobtained and the invalid element removed.
*/
rv = init_blinding_params(rsabp, key, n, modLen);
if (rv != SECSuccess) {
PORT_ZFree(rsabp, sizeof(struct RSABlindingParamsStr));
goto cleanup;
}
/* Insert the new element into the list
** If inserting in the middle of the list, el points to the link
** to insert before. Otherwise, the link needs to be appended to
** the end of the list, which is the same as inserting before the
** head (since el would have looped back to the head).
*/
PR_INSERT_BEFORE(&rsabp->link, el);
/* Return the parameters */
CHECK_MPI_OK( mp_copy(&rsabp->f, f) );
CHECK_MPI_OK( mp_copy(&rsabp->g, g) );
/* Release the list lock */
PZ_Unlock(blindingParamsList.lock); /* XXX when fails? */
return SECSuccess;
/* Acquire the list lock */
PZ_Lock(blindingParamsList.lock);
holdingLock = PR_TRUE;
/* Walk the list looking for the private key */
for (el = PR_NEXT_LINK(&blindingParamsList.head);
el != &blindingParamsList.head;
el = PR_NEXT_LINK(el)) {
rsabp = (RSABlindingParams *)el;
cmp = SECITEM_CompareItem(&rsabp->modulus, &key->modulus);
if (cmp >= 0) {
/* The key is found or not in the list. */
break;
}
}
if (cmp) {
/* At this point, the key is not in the list. el should point to
** the list element before which this key should be inserted.
*/
rsabp = PORT_ZNew(RSABlindingParams);
if (!rsabp) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto cleanup;
}
rv = init_blinding_params(rsabp, key, n, modLen);
if (rv != SECSuccess) {
PORT_ZFree(rsabp, sizeof(RSABlindingParams));
goto cleanup;
}
/* Insert the new element into the list
** If inserting in the middle of the list, el points to the link
** to insert before. Otherwise, the link needs to be appended to
** the end of the list, which is the same as inserting before the
** head (since el would have looped back to the head).
*/
PR_INSERT_BEFORE(&rsabp->link, el);
}
/* We've found (or created) the RSAblindingParams struct for this key.
* Now, search its list of ready blinding params for a usable one.
*/
while (0 != (bp = rsabp->bp)) {
if (--(bp->counter) > 0) {
/* Found a match and there are still remaining uses left */
/* Return the parameters */
CHECK_MPI_OK( mp_copy(&bp->f, f) );
CHECK_MPI_OK( mp_copy(&bp->g, g) );
PZ_Unlock(blindingParamsList.lock);
return SECSuccess;
}
/* exhausted this one, give its values to caller, and
* then retire it.
*/
mp_exch(&bp->f, f);
mp_exch(&bp->g, g);
mp_clear( &bp->f );
mp_clear( &bp->g );
bp->counter = 0;
/* Move to free list */
rsabp->bp = bp->next;
bp->next = rsabp->free;
rsabp->free = bp;
/* In case there're threads waiting for new blinding
* value - notify 1 thread the value is ready
*/
if (blindingParamsList.waitCount > 0) {
PR_NotifyCondVar( blindingParamsList.cVar );
blindingParamsList.waitCount--;
}
PZ_Unlock(blindingParamsList.lock);
return SECSuccess;
}
/* We did not find a usable set of blinding params. Can we make one?
/* Find a free bp struct. */
prevbp = NULL;
if ((bp = rsabp->free) != NULL) {
/* unlink this bp */
rsabp->free = bp->next;
bp->next = NULL;
bpUnlinked = bp; /* In case we fail */
PZ_Unlock(blindingParamsList.lock);
holdingLock = PR_FALSE;
/* generate blinding parameter values for the current thread */
CHECK_SEC_OK( generate_blinding_params(key, f, g, n, modLen ) );
/* put the blinding parameter values into cache */
CHECK_MPI_OK( mp_init( &bp->f) );
CHECK_MPI_OK( mp_init( &bp->g) );
CHECK_MPI_OK( mp_copy( f, &bp->f) );
CHECK_MPI_OK( mp_copy( g, &bp->g) );
/* Put this at head of queue of usable params. */
PZ_Lock(blindingParamsList.lock);
holdingLock = PR_TRUE;
/* initialize RSABlindingParamsStr */
bp->counter = RSA_BLINDING_PARAMS_MAX_REUSE;
bp->next = rsabp->bp;
rsabp->bp = bp;
bpUnlinked = NULL;
/* In case there're threads waiting for new blinding value
* just notify them the value is ready
*/
if (blindingParamsList.waitCount > 0) {
PR_NotifyAllCondVar( blindingParamsList.cVar );
blindingParamsList.waitCount = 0;
}
PZ_Unlock(blindingParamsList.lock);
return SECSuccess;
}
/* Here, there are no usable blinding parameters available,
* and no free bp blocks, presumably because they're all
* actively having parameters generated for them.
* So, we need to wait here and not eat up CPU until some
* change happens.
*/
blindingParamsList.waitCount++;
PR_WaitCondVar( blindingParamsList.cVar, PR_INTERVAL_NO_TIMEOUT );
PZ_Unlock(blindingParamsList.lock);
holdingLock = PR_FALSE;
} while (1);
cleanup:
/* It is possible to reach this after the lock is already released.
** Ignore the error in that case.
*/
PZ_Unlock(blindingParamsList.lock);
/* It is possible to reach this after the lock is already released. */
if (bpUnlinked) {
if (!holdingLock) {
PZ_Lock(blindingParamsList.lock);
holdingLock = PR_TRUE;
}
bp = bpUnlinked;
mp_clear( &bp->f );
mp_clear( &bp->g );
bp->counter = 0;
/* Must put the unlinked bp back on the free list */
bp->next = rsabp->free;
rsabp->free = bp;
}
if (holdingLock) {
PZ_Unlock(blindingParamsList.lock);
holdingLock = PR_FALSE;
}
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
return SECFailure;
}
@ -1441,22 +1549,31 @@ SECStatus BL_Init(void)
/* cleanup at shutdown */
void RSA_Cleanup(void)
{
blindingParams * bp = NULL;
if (!coBPInit.initialized)
return;
while (!PR_CLIST_IS_EMPTY(&blindingParamsList.head))
{
struct RSABlindingParamsStr * rsabp = (struct RSABlindingParamsStr *)
PR_LIST_HEAD(&blindingParamsList.head);
while (!PR_CLIST_IS_EMPTY(&blindingParamsList.head)) {
RSABlindingParams *rsabp =
(RSABlindingParams *)PR_LIST_HEAD(&blindingParamsList.head);
PR_REMOVE_LINK(&rsabp->link);
mp_clear(&rsabp->f);
mp_clear(&rsabp->g);
/* clear parameters cache */
while (rsabp->bp != NULL) {
bp = rsabp->bp;
rsabp->bp = rsabp->bp->next;
mp_clear( &bp->f );
mp_clear( &bp->g );
}
SECITEM_FreeItem(&rsabp->modulus,PR_FALSE);
PORT_Free(rsabp);
}
if (blindingParamsList.lock)
{
if (blindingParamsList.cVar) {
PR_DestroyCondVar(blindingParamsList.cVar);
blindingParamsList.cVar = NULL;
}
if (blindingParamsList.lock) {
SKIP_AFTER_FORK(PZ_DestroyLock(blindingParamsList.lock));
blindingParamsList.lock = NULL;
}


@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: sha512.c,v 1.14.6.1 2010/11/18 18:32:52 kaie%kuix.de Exp $ */
/* $Id: sha512.c,v 1.14.6.2 2011/03/30 22:45:05 wtc%google.com Exp $ */
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
@ -135,7 +135,7 @@ static __inline__ PRUint32 swap4b(PRUint32 value)
#define SHA_HTONL(x) swap4b(x)
#define BYTESWAP4(x) x = SHA_HTONL(x)
#else /* neither windows nor Linux PC */
#else
#define SWAP4MASK 0x00FF00FF
#define SHA_HTONL(x) (t1 = (x), t1 = (t1 << 16) | (t1 >> 16), \
((t1 & SWAP4MASK) << 8) | ((t1 >> 8) & SWAP4MASK))


@ -63,6 +63,7 @@
#include <prsystem.h>
#include <prinrval.h>
#include <prtime.h>
#include <prcvar.h>
#include <secasn1.h>
#include <secoid.h>
#include <secdig.h>
@ -150,11 +151,15 @@ STUB_DECLARE(void,PR_Assert,(const char *s, const char *file, PRIntn ln));
STUB_DECLARE(PRStatus,PR_CallOnce,(PRCallOnceType *once, PRCallOnceFN func));
STUB_DECLARE(PRStatus,PR_Close,(PRFileDesc *fd));
STUB_DECLARE(void,PR_DestroyLock,(PRLock *lock));
STUB_DECLARE(void,PR_DestroyCondVar,(PRCondVar *cvar));
STUB_DECLARE(void,PR_Free,(void *ptr));
STUB_DECLARE(char * ,PR_GetLibraryFilePathname,(const char *name,
PRFuncPtr addr));
STUB_DECLARE(void,PR_Lock,(PRLock *lock));
STUB_DECLARE(PRCondVar *,PR_NewCondVar,(PRLock *lock));
STUB_DECLARE(PRLock *,PR_NewLock,(void));
STUB_DECLARE(PRStatus,PR_NotifyCondVar,(PRCondVar *cvar));
STUB_DECLARE(PRStatus,PR_NotifyAllCondVar,(PRCondVar *cvar));
STUB_DECLARE(PRFileDesc *,PR_Open,(const char *name, PRIntn flags,
PRIntn mode));
STUB_DECLARE(PRInt32,PR_Read,(PRFileDesc *fd, void *buf, PRInt32 amount));
@ -162,6 +167,8 @@ STUB_DECLARE(PROffset32,PR_Seek,(PRFileDesc *fd, PROffset32 offset,
PRSeekWhence whence));
STUB_DECLARE(PRStatus,PR_Sleep,(PRIntervalTime ticks));
STUB_DECLARE(PRStatus,PR_Unlock,(PRLock *lock));
STUB_DECLARE(PRStatus,PR_WaitCondVar,(PRCondVar *cvar,
PRIntervalTime timeout));
STUB_DECLARE(SECItem *,SECITEM_AllocItem_Util,(PRArenaPool *arena,
SECItem *item,unsigned int len));
@ -430,6 +437,48 @@ PR_DestroyLock_stub(PRLock *lock)
return;
}
extern PRCondVar *
PR_NewCondVar_stub(PRLock *lock)
{
STUB_SAFE_CALL1(PR_NewCondVar, lock);
abort();
return NULL;
}
extern PRStatus
PR_NotifyCondVar_stub(PRCondVar *cvar)
{
STUB_SAFE_CALL1(PR_NotifyCondVar, cvar);
abort();
return PR_FAILURE;
}
extern PRStatus
PR_NotifyAllCondVar_stub(PRCondVar *cvar)
{
STUB_SAFE_CALL1(PR_NotifyAllCondVar, cvar);
abort();
return PR_FAILURE;
}
extern PRStatus
PR_WaitCondVar_stub(PRCondVar *cvar, PRIntervalTime timeout)
{
STUB_SAFE_CALL2(PR_WaitCondVar, cvar, timeout);
abort();
return PR_FAILURE;
}
extern void
PR_DestroyCondVar_stub(PRCondVar *cvar)
{
STUB_SAFE_CALL1(PR_DestroyCondVar, cvar);
abort();
return;
}
/*
* NOTE: this presupposes GCC 4.1
*/
@ -507,6 +556,11 @@ freebl_InitNSPR(void *lib)
STUB_FETCH_FUNCTION(PR_Assert);
STUB_FETCH_FUNCTION(PR_Sleep);
STUB_FETCH_FUNCTION(PR_CallOnce);
STUB_FETCH_FUNCTION(PR_NewCondVar);
STUB_FETCH_FUNCTION(PR_NotifyCondVar);
STUB_FETCH_FUNCTION(PR_NotifyAllCondVar);
STUB_FETCH_FUNCTION(PR_WaitCondVar);
STUB_FETCH_FUNCTION(PR_DestroyCondVar);
STUB_FETCH_FUNCTION(PR_NewLock);
STUB_FETCH_FUNCTION(PR_Unlock);
STUB_FETCH_FUNCTION(PR_Lock);
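Review bot: The five condition-variable stubs added in the `@ -430,6 +437,48` hunk each end in `abort()` with no comment saying when that line is reached. Presumably `STUB_SAFE_CALL1`/`STUB_SAFE_CALL2` return from the stub once `freebl_InitNSPR` has resolved the NSPR symbol (the macros are not visible here), so the abort would fire only when the library runs without NSPR. If that is the intent, a comment above `PR_NewCondVar_stub` such as `/* condition variables have no NSPR-free fallback; reaching abort() means NSPR was not loaded */` would record that the hard stop is deliberate rather than leftover scaffolding.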


@ -71,6 +71,7 @@
#define NSS_SecureMemcmp NSS_SecureMemcmp_stub
#define PR_DestroyCondVar PR_DestroyCondVar_stub
#define PR_Assert PR_Assert_stub
#define PR_CallOnce PR_CallOnce_stub
#define PR_Close PR_Close_stub
@ -78,12 +79,16 @@
#define PR_Free PR_Free_stub
#define PR_GetLibraryFilePathname PR_GetLibraryFilePathname_stub
#define PR_Lock PR_Lock_stub
#define PR_NewCondVar PR_NewCondVar_stub
#define PR_NewLock PR_NewLock_stub
#define PR_NotifyCondVar PR_NotifyCondVar_stub
#define PR_NotifyAllCondVar PR_NotifyAllCondVar_stub
#define PR_Open PR_Open_stub
#define PR_Read PR_Read_stub
#define PR_Seek PR_Seek_stub
#define PR_Sleep PR_Sleep_stub
#define PR_Unlock PR_Unlock_stub
#define PR_WaitCondVar PR_WaitCondVar_stub
extern int FREEBL_InitStubs(void);


@ -399,6 +399,9 @@ pkix_CrlChecker_CheckExternal(
if (!localStore) {
PKIX_ERROR_FATAL(PKIX_CRLCHECKERNOLOCALCERTSTOREFOUND);
}
PKIX_CHECK(
PKIX_PL_Cert_VerifyKeyUsage(issuer, PKIX_CRL_SIGN, plContext),
PKIX_CERTCHECKKEYUSAGEFAILED);
PKIX_CHECK(
PKIX_PL_Cert_GetCrlDp(cert, &dpList, plContext),
PKIX_CERTGETCRLDPFAILED);
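Review bot: The new `PKIX_PL_Cert_VerifyKeyUsage(issuer, PKIX_CRL_SIGN, plContext)` call has no comment explaining why it sits ahead of the distribution-point lookup. A line such as `/* the issuer must carry the cRLSign key usage before any CRL is fetched and trusted on its behalf */` would make the ordering clearly intentional. A failure leaves through `PKIX_CHECK` like any other error, so whether a missing key-usage bit ends up as "revocation status unknown" or as a hard failure depends on cleanup code outside this hunk and is worth confirming. pkix_CrlChecker_CheckExternal starts and ends outside the hunk.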


@ -1981,6 +1981,18 @@ cleanup:
PKIX_RETURN(BUILD);
}
/* Prepare 'state' for the AIA round. */
static void
pkix_PrepareForwardBuilderStateForAIA(
PKIX_ForwardBuilderState *state)
{
PORT_Assert(state->useOnlyLocal == PKIX_TRUE);
state->useOnlyLocal = PKIX_FALSE;
state->certStoreIndex = 0;
state->numFanout = state->buildConstants.maxFanout;
state->status = BUILD_TRYAIA;
}
/*
* FUNCTION: pkix_BuildForwardDepthFirstSearch
* DESCRIPTION:
@ -2101,6 +2113,7 @@ pkix_BuildForwardDepthFirstSearch(
PKIX_Error *verifyError = NULL;
PKIX_Error *finalError = NULL;
void *nbio = NULL;
PKIX_UInt32 numIterations = 0;
PKIX_ENTER(BUILD, "pkix_BuildForwardDepthFirstSearch");
PKIX_NULLCHECK_THREE(pNBIOContext, state, pValResult);
@ -2117,6 +2130,13 @@ pkix_BuildForwardDepthFirstSearch(
* of this "while" clause our search has failed.
*/
while (outOfOptions == PKIX_FALSE) {
/*
* The maximum number of iterations works around a bug that
* causes this while loop to never exit when AIA and cross
* certificates are involved. See bug xxxxx.
*/
if (numIterations++ > 250)
PKIX_ERROR(PKIX_TIMECONSUMEDEXCEEDSRESOURCELIMITS);
if (state->buildConstants.maxTime != 0) {
PKIX_DECREF(currTime);
@ -2728,7 +2748,6 @@ pkix_BuildForwardDepthFirstSearch(
* chain, delete it and go to the certStores.
*/
if (state->usingHintCerts == PKIX_TRUE) {
PKIX_DECREF(state->candidateCerts);
PKIX_CHECK(PKIX_List_Create
(&state->candidateCerts, plContext),
@ -2738,9 +2757,7 @@ pkix_BuildForwardDepthFirstSearch(
state->usingHintCerts = PKIX_FALSE;
state->status = BUILD_TRYAIA;
continue;
} else if (++(state->certIndex) < (state->numCerts)) {
if ((state->buildConstants.maxFanout != 0) &&
(--(state->numFanout) == 0)) {
@ -2775,16 +2792,12 @@ pkix_BuildForwardDepthFirstSearch(
* parent cert, and see if there are any more to try.
*/
if (state->useOnlyLocal == PKIX_TRUE) {
state->useOnlyLocal = PKIX_FALSE;
state->certStoreIndex = 0;
state->numFanout = state->buildConstants.maxFanout;
state->status = BUILD_TRYAIA;
pkix_PrepareForwardBuilderStateForAIA(state);
} else do {
if (state->parentState == NULL) {
/* We are at the top level, and can't back up! */
outOfOptions = PKIX_TRUE;
} else {
/*
* Try the next cert, if any, for this parent.
* Otherwise keep backing up until we reach a
@ -2848,10 +2861,7 @@ pkix_BuildForwardDepthFirstSearch(
}
if (state->useOnlyLocal == PKIX_TRUE) {
/* Clean up and go for AIA round. */
state->useOnlyLocal = PKIX_FALSE;
state->certStoreIndex = 0;
state->numFanout = state->buildConstants.maxFanout;
state->status = BUILD_TRYAIA;
pkix_PrepareForwardBuilderStateForAIA(state);
break;
}
}
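Review bot: The iteration cap added at the top of the `while (outOfOptions == PKIX_FALSE)` loop is a bare `250`, and its comment still reads `See bug xxxxx`. Give the limit a name (for example `#define PKIX_BUILD_MAX_ITERATIONS 250`, a name constructed for this note) and replace the placeholder with the real bug number so the workaround can be found and removed later. As written, `numIterations++ > 250` lets the body run 251 times. It also reports `PKIX_TIMECONSUMEDEXCEEDSRESOURCELIMITS` although no time limit was hit, which will mislead anyone diagnosing a chain that legitimately needs more steps. pkix_BuildForwardDepthFirstSearch continues outside these hunks.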


@ -1143,13 +1143,13 @@ pkix_pl_Socket_Poll(
if ((pBytesWritten) &&
((sock->status == SOCKET_SENDPENDING) ||
(sock->status = SOCKET_SENDRCVPENDING))) {
(sock->status == SOCKET_SENDRCVPENDING))) {
pollDesc.in_flags = PR_POLL_WRITE;
}
if ((pBytesRead) &&
((sock->status = SOCKET_RCVPENDING) ||
(sock->status = SOCKET_SENDRCVPENDING))) {
((sock->status == SOCKET_RCVPENDING) ||
(sock->status == SOCKET_SENDRCVPENDING))) {
pollDesc.in_flags |= PR_POLL_READ;
}


@ -573,10 +573,8 @@ pkix_pl_InfoAccess_ParseTokens(
char terminator,
void *plContext)
{
PKIX_UInt32 len = 0;
PKIX_UInt32 numFilters = 0;
char *endPos = NULL;
char *p = NULL;
char **filterP = NULL;
PKIX_ENTER(INFOACCESS, "pkix_pl_InfoAccess_ParseTokens");
@ -597,8 +595,8 @@ pkix_pl_InfoAccess_ParseTokens(
PKIX_ERROR(PKIX_LOCATIONSTRINGNOTPROPERLYTERMINATED);
}
/* Last one doesn't have a "," as separator, although we allow it */
if (*(endPos-1) != ',') {
/* Last component doesn't need a separator, although we allow it */
if (endPos > *startPos && *(endPos-1) != separator) {
numFilters++;
}
@ -619,36 +617,23 @@ pkix_pl_InfoAccess_ParseTokens(
while (numFilters) {
if (*endPos == separator || *endPos == terminator) {
len = endPos - *startPos;
p = PORT_ArenaZAlloc(arena, len+1);
PKIX_UInt32 len = endPos - *startPos;
char *p = PORT_ArenaZAlloc(arena, len+1);
if (p == NULL) {
PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
}
PORT_Memcpy(p, *startPos, len);
p[len] = '\0';
*filterP = p;
while (len) {
if (**startPos == '%' &&
strncmp(*startPos, "%20", 3) == 0) {
/* replace %20 by blank */
*p = ' ';
*startPos += 3;
len -= 3;
} else {
*p = **startPos;
(*startPos)++;
len--;
}
p++;
}
*p = '\0';
filterP++;
numFilters--;
separator = terminator;
if (endPos == '\0') {
*startPos = endPos;
break;
} else {
endPos++;
@ -666,6 +651,44 @@ cleanup:
PKIX_RETURN(INFOACCESS);
}
static int
pkix_pl_HexDigitToInt(
int ch)
{
if (isdigit(ch)) {
ch = ch - '0';
} else if (isupper(ch)) {
ch = ch - 'A' + 10;
} else {
ch = ch - 'a' + 10;
}
return ch;
}
/*
* Convert the "%" hex hex escape sequences in the URL 'location' in place.
*/
static void
pkix_pl_UnescapeURL(
char *location)
{
const char *src;
char *dst;
for (src = dst = location; *src != '\0'; src++, dst++) {
if (*src == '%' && isxdigit((unsigned char)*(src+1)) &&
isxdigit((unsigned char)*(src+2))) {
*dst = pkix_pl_HexDigitToInt((unsigned char)*(src+1));
*dst *= 16;
*dst += pkix_pl_HexDigitToInt((unsigned char)*(src+2));
src += 2;
} else {
*dst = *src;
}
}
*dst = *src; /* the terminating null */
}
/*
* FUNCTION: pkix_pl_InfoAccess_ParseLocation
* DESCRIPTION:
@ -742,11 +765,7 @@ pkix_pl_InfoAccess_ParseLocation(
plContext),
PKIX_STRINGGETENCODEDFAILED);
#if 0
/* For testing inside the firewall... */
locationAscii = "ldap://nss.red.iplanet.com:1389/cn=Good%20CA,o="
"Test%20Certificates,c=US?caCertificate;binary";
#endif
pkix_pl_UnescapeURL(locationAscii);
/* Skip "ldap:" */
endPos = locationAscii;
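Review bot: `pkix_pl_UnescapeURL` decodes every `%hh` sequence, including `%00`, and `pkix_pl_InfoAccess_ParseLocation` now runs it over the whole location before the string is split. A decoded NUL ends the C string early, and a decoded separator or terminator character becomes indistinguishable from a real one in `pkix_pl_InfoAccess_ParseTokens`. A location taken from a certificate can therefore parse into different components than its escaped form describes. Tokenize first and unescape each component afterwards, and leave `%00` undecoded, e.g. by adding `&& !(src[1] == '0' && src[2] == '0')` to the `isxdigit` condition. Separately, in the `@ -619,36 +617,23` hunk `if (endPos == '\0')` compares the pointer rather than `*endPos`; the +/- markers are lost on this page, so that may be an untouched context line, and ParseLocation's body continues outside the hunk.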


@ -1013,3 +1013,10 @@ SECMOD_RestartModules;
;+ local:
;+ *;
;+};
;+NSS_3.12.10 { # NSS 3.12.10 release
;+ global:
CERT_AllocCERTRevocationFlags;
CERT_DestroyCERTRevocationFlags;
;+ local:
;+ *;
;+};


@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: nss.h,v 1.81.2.4 2011/01/06 18:04:16 christophe.ravel.bugs%sun.com Exp $ */
/* $Id: nss.h,v 1.81.2.5 2011/01/12 21:39:21 christophe.ravel.bugs%sun.com Exp $ */
#ifndef __nss_h_
#define __nss_h_
@ -66,12 +66,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.12.9.0" _NSS_ECC_STRING _NSS_CUSTOMIZED
#define NSS_VERSION "3.12.10.0" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
#define NSS_VMAJOR 3
#define NSS_VMINOR 12
#define NSS_VPATCH 9
#define NSS_VPATCH 10
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE
#define NSS_BETA PR_TRUE
#ifndef RC_INVOKED


@ -78,6 +78,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
export:: private_export
$(OBJDIR)/pk11load$(OBJ_SUFFIX): debug_module.c
# On AIX 4.3, IBM xlC_r compiler (version 3.6.6) cannot compile
# pk11slot.c in 64-bit mode for unknown reasons. A workaround is
# to compile it with optimizations turned on. (Bugzilla bug #63815)


@ -92,6 +92,7 @@ STRING fmt_fwVersion[] = " firmware version: %d.%d";
STRING fmt_hwVersion[] = " hardware version: %d.%d";
STRING fmt_s_qsq_d[] = " %s = \"%s\" [%d]";
STRING fmt_s_s_d[] = " %s = %s [%d]";
STRING fmt_s_lu[] = " %s = %lu";
STRING fmt_invalid_handle[] = " (CK_INVALID_HANDLE)";
@ -110,6 +111,7 @@ static void get_attr_type_str(CK_ATTRIBUTE_TYPE atype, char *str, int len)
CASE(CKA_VALUE);
CASE(CKA_OBJECT_ID);
CASE(CKA_CERTIFICATE_TYPE);
CASE(CKA_CERTIFICATE_CATEGORY);
CASE(CKA_ISSUER);
CASE(CKA_SERIAL_NUMBER);
CASE(CKA_AC_ISSUER);
@ -144,7 +146,7 @@ static void get_attr_type_str(CK_ATTRIBUTE_TYPE atype, char *str, int len)
CASE(CKA_SUBPRIME);
CASE(CKA_BASE);
CASE(CKA_PRIME_BITS);
CASE(CKA_SUB_PRIME_BITS);
CASE(CKA_SUBPRIME_BITS);
CASE(CKA_VALUE_BITS);
CASE(CKA_VALUE_LEN);
CASE(CKA_EXTRACTABLE);
@ -666,6 +668,25 @@ static void print_attr_value(CK_ATTRIBUTE_PTR attr)
atype, valstr, attr->ulValueLen));
break;
}
case CKA_PIXEL_X:
case CKA_PIXEL_Y:
case CKA_RESOLUTION:
case CKA_CHAR_ROWS:
case CKA_CHAR_COLUMNS:
case CKA_BITS_PER_PIXEL:
case CKA_CERTIFICATE_CATEGORY: /* should print as enum/string */
case CKA_JAVA_MIDP_SECURITY_DOMAIN: /* should print as enum/string */
case CKA_MODULUS_BITS:
case CKA_PRIME_BITS:
case CKA_SUBPRIME_BITS:
case CKA_VALUE_BITS:
case CKA_VALUE_LEN:
if (attr->ulValueLen > 0 && attr->pValue) {
CK_ULONG valueLen = *((CK_ULONG *)attr->pValue);
/* XXX check for the special value CK_UNAVAILABLE_INFORMATION */
PR_LOG(modlog, 4, (fmt_s_lu, atype, (PRUint32)valueLen));
break;
}
case CKA_LABEL:
case CKA_NETSCAPE_EMAIL:
case CKA_NETSCAPE_URL:
@ -691,7 +712,8 @@ static void print_attr_value(CK_ATTRIBUTE_PTR attr)
PORT_Free(asciiName);
break;
}
/* else fall through and treat like a binary buffer */
/* else treat like a binary buffer */
goto binary_buffer;
}
case CKA_ID:
if (attr->ulValueLen > 0 && attr->pValue) {
@ -713,6 +735,7 @@ static void print_attr_value(CK_ATTRIBUTE_PTR attr)
}
/* else fall through and treat like a binary buffer */
}
binary_buffer:
case CKA_SERIAL_NUMBER:
default:
if (attr->ulValueLen > 0 && attr->pValue) {
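Review bot: The new numeric-attribute branch in `print_attr_value` reads `*((CK_ULONG *)attr->pValue)` after checking only `attr->ulValueLen > 0`, so a module that returns a shorter value makes the logger read past the attribute buffer. Compare against the size actually dereferenced: `if (attr->ulValueLen >= sizeof(CK_ULONG) && attr->pValue) {`. When the test fails, control drops into the `CKA_LABEL` case; that looks intended given the neighbouring fall-through comments, but it should carry its own `/* else fall through and treat like a string/binary buffer */` comment. The `XXX` about `CK_UNAVAILABLE_INFORMATION` is also still open. The function starts and ends outside these hunks.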


@ -178,8 +178,8 @@ secmod_handleReload(SECMODModule *oldModule, SECMODModule *newModule)
char *oldModuleSpec;
if (secmod_IsInternalKeySlot(newModule)) {
pk11_SetInternalKeySlot(slot);
}
pk11_SetInternalKeySlotIfFirst(slot);
}
newID = slot->slotID;
PK11_FreeSlot(slot);
for (thisChild=children, thisID=ids; thisChild && *thisChild;
@ -550,6 +550,11 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) {
/* look down the slot info table */
PK11_LoadSlotList(mod->slots[i],mod->slotInfo,mod->slotInfoCount);
SECMOD_SetRootCerts(mod->slots[i],mod);
/* explicitly mark the internal slot as such if IsInternalKeySlot()
* is set */
if (secmod_IsInternalKeySlot(mod) && (i == (mod->isFIPS ? 0 : 1))) {
pk11_SetInternalKeySlotIfFirst(mod->slots[i]);
}
}
mod->slotCount = slotCount;
mod->slotInfoCount = 0;
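Review bot: In `secmod_LoadPKCS11Module` the test `i == (mod->isFIPS ? 0 : 1)` hard-codes which position the key slot occupies without saying where that ordering comes from. The check depends on the internal module always presenting its slots in a fixed order, and nothing in the hunk enforces or documents that. A comment such as `/* the internal module lists its key slot at index 1, or at index 0 in FIPS mode (TODO confirm against softoken) */`, or a pair of named constants, would make the dependency visible to whoever next changes the slot layout. The function continues outside the hunk.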


@ -258,6 +258,19 @@ secmod_IsInternalKeySlot(SECMODModule *mod)
return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
}
void
secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val)
{
char flags = (char) mod->internal;
if (val) {
flags |= SECMOD_FLAG_INTERNAL_KEY_SLOT;
} else {
flags &= ~SECMOD_FLAG_INTERNAL_KEY_SLOT;
}
mod->internal = flags;
}
/* forward declarations */
static int secmod_escapeSize(const char *string, char quote);
static char *secmod_addEscape(const char *string, char quote);


@ -115,6 +115,8 @@ void PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot);
PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
void pk11_SetInternalKeySlot(PK11SlotInfo *slot);
PK11SlotInfo *pk11_SwapInternalKeySlot(PK11SlotInfo *slot);
void pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot);
/*********************************************************************
* Mechanism Mapping functions


@ -1349,7 +1349,7 @@ pk11_isRootSlot(PK11SlotInfo *slot)
* times as tokens are removed and re-inserted.
*/
void
PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot)
PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot)
{
SECStatus rv;
char *tmp;
@ -1726,6 +1726,12 @@ PK11_NeedUserInit(PK11SlotInfo *slot)
}
static PK11SlotInfo *pk11InternalKeySlot = NULL;
/*
* Set a new default internal keyslot. If one has already been set, clear it.
* Passing NULL falls back to the NSS normally selected default internal key
* slot.
*/
void
pk11_SetInternalKeySlot(PK11SlotInfo *slot)
{
@ -1735,6 +1741,32 @@ pk11_SetInternalKeySlot(PK11SlotInfo *slot)
pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
}
/*
* Set a new default internal keyslot if the normal key slot has not already
* been overridden. Subsequent calls to this function will be ignored unless
* pk11_SetInternalKeySlot is used to clear the current default.
*/
void
pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot)
{
if (pk11InternalKeySlot) {
return;
}
pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
}
/*
* Swap out a default internal keyslot. Caller owns the Slot Reference
*/
PK11SlotInfo *
pk11_SwapInternalKeySlot(PK11SlotInfo *slot)
{
PK11SlotInfo *swap = pk11InternalKeySlot;
pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
return swap;
}
/* get the internal key slot. FIPS has only one slot for both key slots and
* default slots */
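Review bot: `pk11_SetInternalKeySlotIfFirst` tests `pk11InternalKeySlot` and then assigns it, with nothing visible in the hunk that serialises the two steps; `pk11_SwapInternalKeySlot` reads and overwrites the same static. If two modules can be loaded concurrently, both callers could pass the `if (pk11InternalKeySlot)` test, and the reference taken by the first `PK11_ReferenceSlot` would be overwritten without being freed. Either state the locking requirement in the header comments, e.g. `/* Caller must hold the module list lock (TODO confirm which lock) */`, or guard all three accessors of the static with one lock. Whether callers already serialise module loading cannot be told from this hunk.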


@ -483,13 +483,25 @@ SECMOD_DeleteInternalModule(const char *name)
NULL, SECMOD_FIPS_FLAGS);
}
if (newModule) {
PK11SlotInfo *slot;
newModule->libraryParams =
PORT_ArenaStrdup(newModule->arena,mlp->module->libraryParams);
/* if an explicit internal key slot has been set, reset it */
slot = pk11_SwapInternalKeySlot(NULL);
if (slot) {
secmod_SetInternalKeySlotFlag(newModule, PR_TRUE);
}
rv = SECMOD_AddModule(newModule);
if (rv != SECSuccess) {
/* load failed, restore the internal key slot */
pk11_SetInternalKeySlot(slot);
SECMOD_DestroyModule(newModule);
newModule = NULL;
}
/* free the old explicit internal key slot, we now have a new one */
if (slot) {
PK11_FreeSlot(slot);
}
}
if (newModule == NULL) {
SECMODModuleList *last = NULL,*mlp2;


@ -90,6 +90,8 @@ SECStatus secmod_LoadPKCS11Module(SECMODModule *, SECMODModule **oldModule);
SECStatus SECMOD_UnloadModule(SECMODModule *);
void SECMOD_SetInternalModule(SECMODModule *);
PRBool secmod_IsInternalKeySlot(SECMODModule *);
void secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val);
/* tools for checking if we are loading the same database twice */
typedef struct SECMODConfigListStr SECMODConfigList;


@ -35,7 +35,7 @@
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.100 $ $Date: 2010/05/18 19:38:40 $";
static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.100.2.1 $ $Date: 2011/03/26 16:55:01 $";
#endif /* DEBUG */
/*
@ -1215,6 +1215,98 @@ done:
return nssrv;
}
/*
** Delete trust objects matching the given slot.
** Returns error if a device fails to delete.
**
** This function has the side effect of moving the
** surviving entries to the front of the object list
** and nullifying the rest.
*/
static PRStatus
DeleteCertTrustMatchingSlot(PK11SlotInfo *pk11slot, nssPKIObject *tObject)
{
int numNotDestroyed = 0; /* the ones skipped plus the failures */
int failureCount = 0; /* actual deletion failures by devices */
int index;
nssPKIObject_Lock(tObject);
/* Keep going even if a module fails to delete. */
for (index = 0; index < tObject->numInstances; index++) {
nssCryptokiObject *instance = tObject->instances[index];
if (!instance) {
continue;
}
/* ReadOnly and not matched treated the same */
if (PK11_IsReadOnly(instance->token->pk11slot) ||
pk11slot != instance->token->pk11slot) {
tObject->instances[numNotDestroyed++] = instance;
continue;
}
/* Here we have found a matching one */
tObject->instances[index] = NULL;
if (nssToken_DeleteStoredObject(instance) == PR_SUCCESS) {
nssCryptokiObject_Destroy(instance);
} else {
tObject->instances[numNotDestroyed++] = instance;
failureCount++;
}
}
if (numNotDestroyed == 0) {
nss_ZFreeIf(tObject->instances);
tObject->numInstances = 0;
} else {
tObject->numInstances = numNotDestroyed;
}
nssPKIObject_Unlock(tObject);
return failureCount == 0 ? PR_SUCCESS : PR_FAILURE;
}
/*
** Delete trust objects matching the slot of the given certificate.
** Returns an error if any device fails to delete.
*/
NSS_EXTERN PRStatus
STAN_DeleteCertTrustMatchingSlot(NSSCertificate *c)
{
PRStatus nssrv = PR_SUCCESS;
NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
NSSTrust *nssTrust = nssTrustDomain_FindTrustForCertificate(td, c);
/* caller made sure nssTrust isn't NULL */
nssPKIObject *tobject = &nssTrust->object;
nssPKIObject *cobject = &c->object;
int i;
/* Iterate through the cert and trust object instances looking for
* those with matching pk11 slots to delete. Even if some device
* can't delete we keep going. Keeping a status variable for the
* loop so that once it's failed the other gets set.
*/
NSSRWLock_LockRead(td->tokensLock);
nssPKIObject_Lock(cobject);
for (i = 0; i < cobject->numInstances; i++) {
nssCryptokiObject *cInstance = cobject->instances[i];
if (cInstance && !PK11_IsReadOnly(cInstance->token->pk11slot)) {
PRStatus status;
if (!tobject->numInstances || !tobject->instances) continue;
status = DeleteCertTrustMatchingSlot(cInstance->token->pk11slot, tobject);
if (status == PR_FAILURE) {
/* set the outer one but keep going */
nssrv = PR_FAILURE;
}
}
}
nssPKIObject_Unlock(cobject);
NSSRWLock_UnlockRead(td->tokensLock);
return nssrv;
}
/* CERT_TraversePermCertsForSubject */
NSS_IMPLEMENT PRStatus
nssTrustDomain_TraverseCertificatesBySubject (
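Review bot: `STAN_DeleteCertTrustMatchingSlot` takes `&nssTrust->object` straight from `nssTrustDomain_FindTrustForCertificate(td, c)` and relies on the comment `/* caller made sure nssTrust isn't NULL */`. It is an `NSS_EXTERN` entry point, so a cheap guard is safer than a caller contract: declare `tobject` as NULL, then `if (!nssTrust) return PR_FAILURE;` before `tobject = &nssTrust->object;`. The function also never releases `nssTrust`; if the lookup returns a counted reference (not visible here), a matching `nssTrust_Destroy(nssTrust)` is needed before returning. In the static helper, the header comment promises "nullifying the rest", but entries past `numNotDestroyed` keep their old pointers unless they were the matched ones, so either clear them or correct the comment.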


@ -38,7 +38,7 @@
#define PKINSS3HACK_H
#ifdef DEBUG
static const char PKINSS3HACK_CVS_ID[] = "@(#) $RCSfile: pki3hack.h,v $ $Revision: 1.19 $ $Date: 2005/01/20 02:25:49 $";
static const char PKINSS3HACK_CVS_ID[] = "@(#) $RCSfile: pki3hack.h,v $ $Revision: 1.19.192.1 $ $Date: 2011/03/26 16:55:01 $";
#endif /* DEBUG */
#ifndef NSSDEVT_H
@ -106,6 +106,9 @@ STAN_GetNSSCertificate(CERTCertificate *c);
NSS_EXTERN CERTCertTrust *
nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc);
NSS_EXTERN PRStatus
STAN_DeleteCertTrustMatchingSlot(NSSCertificate *c);
NSS_EXTERN PRStatus
STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust);


@ -37,7 +37,7 @@
/*
* Interfaces of the CMS implementation.
*
* $Id: cms.h,v 1.23 2010/04/25 23:37:38 nelson%bolyard.com Exp $
* $Id: cms.h,v 1.23.2.3 2011/02/11 16:44:02 emaldona%redhat.com Exp $
*/
#ifndef _CMS_H_
@ -302,6 +302,14 @@ NSS_CMSContentInfo_SetContent_DigestedData(NSSCMSMessage *cmsg, NSSCMSContentInf
extern SECStatus
NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEncryptedData *encd);
/*
* turn off streaming for this content type.
* This could fail with SEC_ERROR_NO_MEMORY in memory constrained conditions.
*/
extern SECStatus
NSS_CMSContentInfo_SetDontStream(NSSCMSContentInfo *cinfo, PRBool dontStream);
/*
* NSS_CMSContentInfo_GetContent - get pointer to inner content
*
@ -1128,6 +1136,51 @@ NSS_CMSDEREncode(NSSCMSMessage *cmsg, SECItem *input, SECItem *derOut,
PLArenaPool *arena);
/************************************************************************
*
************************************************************************/
/*
* define new S/MIME content type entries
*
* S/MIME uses the builtin PKCS7 oid types for encoding and decoding the
* various S/MIME content. Some applications have their own content type
* which is different from the standard content type defined by S/MIME.
*
* This function allows you to register new content types. There are basically
* Two different types of content, Wrappping content, and Data.
*
* For data types, All the functions below can be zero or NULL excext
* type and is isData, which should be your oid tag and PR_FALSE respectively
*
* For wrapping types, everything must be provided, or you will get encoder
* failures.
*
* If NSS doesn't already define the OID that you need, you can register
* your own with SECOID_AddEntry.
*
* Once you have defined your new content type, you can pass your new content
* type to NSS_CMSContentInfo_SetContent().
*
* If you are using a wrapping type you can pass your own data structure in
* the ptr field, but it must contain and embedded NSSCMSGenericWrappingData
* structure as the first element. The size you pass to
* NSS_CMSType_RegisterContentType is the total size of your self defined
* data structure. NSS_CMSContentInfo_GetContent will return that data
* structure from the content info. Your ASN1Template will be evaluated
* against that data structure.
*/
SECStatus NSS_CMSType_RegisterContentType(SECOidTag type,
SEC_ASN1Template *asn1Template, size_t size,
NSSCMSGenericWrapperDataDestroy destroy,
NSSCMSGenericWrapperDataCallback decode_before,
NSSCMSGenericWrapperDataCallback decode_after,
NSSCMSGenericWrapperDataCallback decode_end,
NSSCMSGenericWrapperDataCallback encode_start,
NSSCMSGenericWrapperDataCallback encode_before,
NSSCMSGenericWrapperDataCallback encode_after,
PRBool isData);
/************************************************************************/
SEC_END_PROTOS
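Review bot: The header comment for NSS_CMSType_RegisterContentType tells wrapper authors to embed an `NSSCMSGenericWrappingData` as the first element, but the type this commit uses for that role elsewhere (the new ASN.1 template in cmsasn1.c) is `NSSCMSGenericWrapperData`; the comment should name the real type, because the generic code presumably relies on that first-member layout. The sentence on data types also reads as if `isData` should be `PR_FALSE` for a data type, which looks inverted given the parameter name and should be confirmed against the implementation, which is not in this section. The comment carries several typos (`Wrappping`, `excext`, `is isData`, `contain and embedded`), and the prototype lacks the `extern` that the neighbouring declarations use.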


@ -37,7 +37,7 @@
/*
* CMS ASN.1 templates
*
* $Id: cmsasn1.c,v 1.7 2010/06/06 22:36:35 nelson%bolyard.com Exp $
* $Id: cmsasn1.c,v 1.7.2.2 2011/02/01 00:33:23 rrelyea%redhat.com Exp $
*/
#include "cmslocal.h"
@ -479,6 +479,20 @@ const SEC_ASN1Template NSS_PointerToCMSEncryptedDataTemplate[] = {
{ SEC_ASN1_POINTER, 0, NSSCMSEncryptedDataTemplate }
};
const SEC_ASN1Template NSSCMSGenericWrapperDataTemplate[] = {
{ SEC_ASN1_INLINE,
offsetof(NSSCMSGenericWrapperData,contentInfo),
NSSCMSEncapsulatedContentInfoTemplate },
};
SEC_ASN1_CHOOSER_IMPLEMENT(NSSCMSGenericWrapperDataTemplate);
const SEC_ASN1Template NSS_PointerToCMSGenericWrapperDataTemplate[] = {
{ SEC_ASN1_POINTER, 0, NSSCMSGenericWrapperDataTemplate }
};
SEC_ASN1_CHOOSER_IMPLEMENT(NSS_PointerToCMSGenericWrapperDataTemplate);
/* -----------------------------------------------------------------------------
* FORTEZZA KEA
*/
@ -547,15 +561,17 @@ nss_cms_choose_content_template(void *src_or_dest, PRBool encoding)
{
const SEC_ASN1Template *theTemplate;
NSSCMSContentInfo *cinfo;
SECOidTag type;
PORT_Assert (src_or_dest != NULL);
if (src_or_dest == NULL)
return NULL;
cinfo = (NSSCMSContentInfo *)src_or_dest;
switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
type = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
switch (type) {
default:
theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
theTemplate = NSS_CMSType_GetTemplate(type);
break;
case SEC_OID_PKCS7_DATA:
theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate);
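Review bot: In nss_cms_choose_content_template the `default:` arm no longer falls back to `SEC_PointerToAnyTemplate` but returns whatever `NSS_CMSType_GetTemplate(type)` gives, and nothing here says what that is for a tag nobody registered. On the decode path the content type comes from the message being parsed, so the behaviour for an unknown tag should be stated next to the call, for example `/* unregistered types: NSS_CMSType_GetTemplate returns <fallback template>, never NULL */`, or checked explicitly if NULL is possible. NSS_CMSType_GetTemplate is defined outside this section, and the function body continues past the end of the hunk.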


@ -37,7 +37,7 @@
/*
* CMS contentInfo methods.
*
* $Id: cmscinfo.c,v 1.7 2004/04/25 15:03:16 gerv%gerv.net Exp $
* $Id: cmscinfo.c,v 1.7.192.3 2011/02/11 03:57:50 emaldona%redhat.com Exp $
*/
#include "cmslocal.h"
@ -47,11 +47,37 @@
#include "secoid.h"
#include "secerr.h"
/*
* NSS_CMSContentInfo_Create - create a content info
*
* version is set in the _Finalize procedures for each content type
*/
SECStatus
NSS_CMSContentInfo_Private_Init(NSSCMSContentInfo *cinfo)
{
if (cinfo->privateInfo) {
return SECSuccess;
}
cinfo->privateInfo = PORT_ZNew(NSSCMSContentInfoPrivate);
return (cinfo->privateInfo) ? SECSuccess : SECFailure;
}
static void
nss_cmsContentInfo_private_destroy(NSSCMSContentInfoPrivate *privateInfo)
{
if (privateInfo->digcx) {
/* must destroy digest objects */
NSS_CMSDigestContext_Cancel(privateInfo->digcx);
privateInfo->digcx = NULL;
}
if (privateInfo->ciphcx) {
NSS_CMSCipherContext_Destroy(privateInfo->ciphcx);
privateInfo->ciphcx = NULL;
}
PORT_Free(privateInfo);
}
/*
* NSS_CMSContentInfo_Destroy - destroy a CMS contentInfo and all of its sub-pieces.
@ -76,23 +102,17 @@ NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo)
NSS_CMSDigestedData_Destroy(cinfo->content.digestedData);
break;
default:
NSS_CMSGenericWrapperData_Destroy(kind, cinfo->content.genericData);
/* XXX Anything else that needs to be "manually" freed/destroyed? */
break;
}
if (cinfo->digcx) {
/* must destroy digest objects */
NSS_CMSDigestContext_Cancel(cinfo->digcx);
cinfo->digcx = NULL;
if (cinfo->privateInfo) {
nss_cmsContentInfo_private_destroy(cinfo->privateInfo);
cinfo->privateInfo = NULL;
}
if (cinfo->bulkkey)
if (cinfo->bulkkey) {
PK11_FreeSymKey(cinfo->bulkkey);
if (cinfo->ciphcx) {
NSS_CMSCipherContext_Destroy(cinfo->ciphcx);
cinfo->ciphcx = NULL;
}
/* we live in a pool, so no need to worry about storage */
}
/*
@ -101,31 +121,56 @@ NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo)
NSSCMSContentInfo *
NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo)
{
void * ptr = NULL;
NSSCMSContentInfo * ccinfo = NULL;
SECOidTag tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
switch (tag) {
case SEC_OID_PKCS7_SIGNED_DATA:
ptr = (void *)cinfo->content.signedData;
ccinfo = &(cinfo->content.signedData->contentInfo);
if (cinfo->content.signedData != NULL) {
ccinfo = &(cinfo->content.signedData->contentInfo);
}
break;
case SEC_OID_PKCS7_ENVELOPED_DATA:
ptr = (void *)cinfo->content.envelopedData;
ccinfo = &(cinfo->content.envelopedData->contentInfo);
if (cinfo->content.envelopedData != NULL) {
ccinfo = &(cinfo->content.envelopedData->contentInfo);
}
break;
case SEC_OID_PKCS7_DIGESTED_DATA:
ptr = (void *)cinfo->content.digestedData;
ccinfo = &(cinfo->content.digestedData->contentInfo);
if (cinfo->content.digestedData != NULL) {
ccinfo = &(cinfo->content.digestedData->contentInfo);
}
break;
case SEC_OID_PKCS7_ENCRYPTED_DATA:
ptr = (void *)cinfo->content.encryptedData;
ccinfo = &(cinfo->content.encryptedData->contentInfo);
if (cinfo->content.encryptedData != NULL) {
ccinfo = &(cinfo->content.encryptedData->contentInfo);
}
break;
case SEC_OID_PKCS7_DATA:
default:
if (NSS_CMSType_IsWrapper(tag)) {
if (cinfo->content.genericData != NULL) {
ccinfo = &(cinfo->content.genericData->contentInfo);
}
}
break;
}
return (ptr ? ccinfo : NULL);
if (ccinfo && !ccinfo->privateInfo) {
NSS_CMSContentInfo_Private_Init(ccinfo);
}
return ccinfo;
}
SECStatus
NSS_CMSContentInfo_SetDontStream(NSSCMSContentInfo *cinfo, PRBool dontStream)
{
SECStatus rv;
rv = NSS_CMSContentInfo_Private_Init(cinfo);
if (rv != SECSuccess) {
/* default is streaming, failure to get ccinfo will not effect this */
return dontStream ? SECFailure : SECSuccess ;
}
cinfo->privateInfo->dontStream = dontStream;
return SECSuccess;
}
/*
@ -147,7 +192,9 @@ NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SEC
cinfo->content.pointer = ptr;
if (type != SEC_OID_PKCS7_DATA) {
if (NSS_CMSType_IsData(type) && ptr) {
cinfo->rawContent = ptr;
} else {
/* as we always have some inner data,
* we need to set it to something, just to fool the encoder enough to work on it
* and get us into nss_cms_encoder_notify at that point */
@ -174,9 +221,10 @@ NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo
{
if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess)
return SECFailure;
cinfo->rawContent = (detached) ?
NULL : (data) ?
data : SECITEM_AllocItem(cmsg->poolp, NULL, 1);
if (detached) {
cinfo->rawContent = NULL;
}
return SECSuccess;
}
@ -204,6 +252,7 @@ NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentIn
return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_ENCRYPTED_DATA, (void *)encd);
}
/*
* NSS_CMSContentInfo_GetContent - get pointer to inner content
*
@ -223,7 +272,7 @@ NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo)
case SEC_OID_PKCS7_ENCRYPTED_DATA:
return cinfo->content.pointer;
default:
return NULL;
return NSS_CMSType_IsWrapper(tag) ? cinfo->content.pointer : (NSS_CMSType_IsData(tag) ? cinfo->rawContent : NULL);
}
}
@ -232,6 +281,7 @@ NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo)
*
* this is typically only called by NSS_CMSMessage_GetContent()
*/
SECItem *
NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
{
@ -240,26 +290,21 @@ NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
SECItem *pItem = NULL;
tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
switch (tag) {
case SEC_OID_PKCS7_DATA:
/* end of recursion - every message has to have a data cinfo */
if (NSS_CMSType_IsData(tag)) {
pItem = cinfo->content.data;
break;
case SEC_OID_PKCS7_DIGESTED_DATA:
case SEC_OID_PKCS7_ENCRYPTED_DATA:
case SEC_OID_PKCS7_ENVELOPED_DATA:
case SEC_OID_PKCS7_SIGNED_DATA:
} else if (NSS_CMSType_IsWrapper(tag)) {
ccinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo);
if (ccinfo != NULL)
if (ccinfo != NULL) {
pItem = NSS_CMSContentInfo_GetContent(ccinfo);
break;
default:
}
} else {
PORT_Assert(0);
break;
}
return pItem;
}
/*
* NSS_CMSContentInfo_GetContentType{Tag,OID} - find out (saving pointer to lookup result
* for future reference) and return the inner content type.
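Review bot: NSS_CMSContentInfo_GetChildContentInfo drops the status of `NSS_CMSContentInfo_Private_Init(ccinfo)`, so on allocation failure it hands back a child whose `privateInfo` is still NULL with no error visible to the caller. The callers shown in this commit test `cinfo->privateInfo` before use, but the silent path is easy to miss later; either propagate it with `if (ccinfo && NSS_CMSContentInfo_Private_Init(ccinfo) != SECSuccess) ccinfo = NULL;` or cast the call to `(void)` with a comment that a NULL `privateInfo` is tolerated. The `!ccinfo->privateInfo` test is redundant, since Private_Init already returns early when the pointer is set. Separately, the block comment that now sits above NSS_CMSContentInfo_Private_Init still appears to describe `NSS_CMSContentInfo_Create`, and Private_Init itself has no description.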


@ -37,7 +37,7 @@
/*
* CMS decoding.
*
* $Id: cmsdecode.c,v 1.9.66.1 2010/12/23 18:03:41 kaie%kuix.de Exp $
* $Id: cmsdecode.c,v 1.9.66.4 2011/03/15 17:51:01 emaldona%redhat.com Exp $
*/
#include "cmslocal.h"
@ -120,8 +120,7 @@ nss_cms_decoder_notify(void *arg, PRBool before, void *dest, int depth)
#endif
/* so what are we working on right now? */
switch (p7dcx->type) {
case SEC_OID_UNKNOWN:
if (p7dcx->type == SEC_OID_UNKNOWN) {
/*
* right now, we are still decoding the OUTER (root) cinfo
* As soon as we know the inner content type, set up the info,
@ -136,8 +135,7 @@ nss_cms_decoder_notify(void *arg, PRBool before, void *dest, int depth)
/* is this ready already ? need to alloc? */
/* XXX yes we need to alloc -- continue here */
}
break;
case SEC_OID_PKCS7_DATA:
} else if (NSS_CMSType_IsData(p7dcx->type)) {
/* this can only happen if the outermost cinfo has DATA in it */
/* otherwise, we handle this type implicitely in the inner decoders */
@ -150,86 +148,71 @@ nss_cms_decoder_notify(void *arg, PRBool before, void *dest, int depth)
nss_cms_decoder_update_filter,
p7dcx,
(PRBool)(p7dcx->cb != NULL));
break;
}
if (after && dest == &(rootcinfo->content.data)) {
} else if (after && dest == &(rootcinfo->content.data)) {
/* remove the filter */
SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
}
break;
} else if (NSS_CMSType_IsWrapper(p7dcx->type)) {
if (!before || dest != &(rootcinfo->content)) {
case SEC_OID_PKCS7_SIGNED_DATA:
case SEC_OID_PKCS7_ENVELOPED_DATA:
case SEC_OID_PKCS7_DIGESTED_DATA:
case SEC_OID_PKCS7_ENCRYPTED_DATA:
if (p7dcx->content.pointer == NULL)
p7dcx->content = rootcinfo->content;
if (before && dest == &(rootcinfo->content))
break; /* we're not there yet */
if (p7dcx->content.pointer == NULL)
p7dcx->content = rootcinfo->content;
/* get this data type's inner contentInfo */
cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer,
/* get this data type's inner contentInfo */
cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer,
p7dcx->type);
if (before && dest == &(cinfo->contentType)) {
/* at this point, set up the &%$&$ back pointer */
/* we cannot do it later, because the content itself is optional! */
/* please give me C++ */
switch (p7dcx->type) {
case SEC_OID_PKCS7_SIGNED_DATA:
p7dcx->content.signedData->cmsg = p7dcx->cmsg;
break;
case SEC_OID_PKCS7_DIGESTED_DATA:
p7dcx->content.digestedData->cmsg = p7dcx->cmsg;
break;
case SEC_OID_PKCS7_ENVELOPED_DATA:
p7dcx->content.envelopedData->cmsg = p7dcx->cmsg;
break;
case SEC_OID_PKCS7_ENCRYPTED_DATA:
p7dcx->content.encryptedData->cmsg = p7dcx->cmsg;
break;
default:
PORT_Assert(0);
break;
if (before && dest == &(cinfo->contentType)) {
/* at this point, set up the &%$&$ back pointer */
/* we cannot do it later, because the content itself
* is optional! */
switch (p7dcx->type) {
case SEC_OID_PKCS7_SIGNED_DATA:
p7dcx->content.signedData->cmsg = p7dcx->cmsg;
break;
case SEC_OID_PKCS7_DIGESTED_DATA:
p7dcx->content.digestedData->cmsg = p7dcx->cmsg;
break;
case SEC_OID_PKCS7_ENVELOPED_DATA:
p7dcx->content.envelopedData->cmsg = p7dcx->cmsg;
break;
case SEC_OID_PKCS7_ENCRYPTED_DATA:
p7dcx->content.encryptedData->cmsg = p7dcx->cmsg;
break;
default:
p7dcx->content.genericData->cmsg = p7dcx->cmsg;
break;
}
}
}
if (before && dest == &(cinfo->rawContent)) {
/* we want the ASN.1 decoder to deliver the decoded bytes to us
** from now on
*/
SEC_ASN1DecoderSetFilterProc(p7dcx->dcx,
if (before && dest == &(cinfo->rawContent)) {
/* we want the ASN.1 decoder to deliver the decoded bytes to us
** from now on
*/
SEC_ASN1DecoderSetFilterProc(p7dcx->dcx,
nss_cms_decoder_update_filter,
p7dcx, (PRBool)(p7dcx->cb != NULL));
/* we're right in front of the data */
if (nss_cms_before_data(p7dcx) != SECSuccess) {
SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
/* stop all processing */
p7dcx->error = PORT_GetError();
/* we're right in front of the data */
if (nss_cms_before_data(p7dcx) != SECSuccess) {
SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
/* stop all processing */
p7dcx->error = PORT_GetError();
}
}
if (after && dest == &(cinfo->rawContent)) {
/* we're right after of the data */
if (nss_cms_after_data(p7dcx) != SECSuccess)
p7dcx->error = PORT_GetError();
/* we don't need to see the contents anymore */
SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
}
}
if (after && dest == &(cinfo->rawContent)) {
/* we're right after of the data */
if (nss_cms_after_data(p7dcx) != SECSuccess)
p7dcx->error = PORT_GetError();
/* we don't need to see the contents anymore */
SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
}
break;
#if 0 /* NIH */
case SEC_OID_PKCS7_AUTHENTICATED_DATA:
#endif
default:
} else {
/* unsupported or unknown message type - fail gracefully */
p7dcx->error = SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE;
break;
}
}
@ -269,7 +252,8 @@ nss_cms_before_data(NSSCMSDecoderContext *p7dcx)
p7dcx->content.encryptedData);
break;
default:
return SECFailure;
rv = NSS_CMSGenericWrapperData_Decode_BeforeData(p7dcx->type,
p7dcx->content.genericData);
}
if (rv != SECSuccess)
return SECFailure;
@ -280,7 +264,7 @@ nss_cms_before_data(NSSCMSDecoderContext *p7dcx)
cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
if (childtype == SEC_OID_PKCS7_DATA) {
if (NSS_CMSType_IsData(childtype)) {
cinfo->content.pointer = (void *) nss_cms_create_decoder_data(poolp);
if (cinfo->content.pointer == NULL)
/* set memory error */
@ -307,6 +291,9 @@ nss_cms_before_data(NSSCMSDecoderContext *p7dcx)
if (childp7dcx->content.pointer == NULL)
goto loser;
/* give the parent a copy of the pointer so that it doesn't get lost */
cinfo->content.pointer = childp7dcx->content.pointer;
/* start the child decoder */
childp7dcx->dcx = SEC_ASN1DecoderStart(poolp, childp7dcx->content.pointer,
template);
@ -395,7 +382,8 @@ nss_cms_after_data(NSSCMSDecoderContext *p7dcx)
/* do nothing */
break;
default:
rv = SECFailure;
rv = NSS_CMSGenericWrapperData_Decode_AfterData(p7dcx->type,
p7dcx->content.genericData);
break;
}
done:
@ -430,7 +418,8 @@ nss_cms_after_end(NSSCMSDecoderContext *p7dcx)
case SEC_OID_PKCS7_DATA:
break;
default:
rv = SECFailure; /* we should not have got that far... */
rv = NSS_CMSGenericWrapperData_Decode_AfterEnd(p7dcx->type,
p7dcx->content.genericData);
break;
}
return rv;
@ -469,7 +458,7 @@ nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx,
goto loser;
}
if (cinfo->ciphcx != NULL) {
if (cinfo->privateInfo && cinfo->privateInfo->ciphcx != NULL) {
/*
* we are decrypting.
*
@ -483,7 +472,7 @@ nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx,
unsigned int buflen; /* length available for decrypted data */
/* find out about the length of decrypted data */
buflen = NSS_CMSCipherContext_DecryptLength(cinfo->ciphcx, len, final);
buflen = NSS_CMSCipherContext_DecryptLength(cinfo->privateInfo->ciphcx, len, final);
/*
* it might happen that we did not provide enough data for a full
@ -514,7 +503,7 @@ nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx,
* any output (see above), but we still need to call NSS_CMSCipherContext_Decrypt to
* keep track of incoming data
*/
rv = NSS_CMSCipherContext_Decrypt(cinfo->ciphcx, buf, &outlen, buflen,
rv = NSS_CMSCipherContext_Decrypt(cinfo->privateInfo->ciphcx, buf, &outlen, buflen,
data, len, final);
if (rv != SECSuccess) {
p7dcx->error = PORT_GetError();
@ -534,8 +523,8 @@ nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx,
/*
* Update the running digests with plaintext bytes (if we need to).
*/
if (cinfo->digcx)
NSS_CMSDigestContext_Update(cinfo->digcx, data, len);
if (cinfo->privateInfo && cinfo->privateInfo->digcx)
NSS_CMSDigestContext_Update(cinfo->privateInfo->digcx, data, len);
/* at this point, we have the plain decoded & decrypted data
** which is either more encoded DER (which we need to hand to the child
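Review bot: The new `default:` arms in nss_cms_before_data, nss_cms_after_data and nss_cms_after_end call the `NSS_CMSGenericWrapperData_Decode_*` hooks for every tag the switch does not list, where they used to return `SECFailure`. The encoder side of this commit guards the same dispatch with `NSS_CMSType_IsWrapper(...)` and keeps `SECFailure` otherwise; the decoder works on a type taken from the parsed message, so it should be at least as strict, e.g. `rv = NSS_CMSType_IsWrapper(p7dcx->type) ? NSS_CMSGenericWrapperData_Decode_BeforeData(p7dcx->type, p7dcx->content.genericData) : SECFailure;` and likewise for the other two. Whether the hooks themselves reject unregistered tags or a NULL `genericData` cannot be seen from this section. All three functions start and end outside their hunks.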


@ -37,7 +37,7 @@
/*
* CMS digestedData methods.
*
* $Id: cmsdigdata.c,v 1.5 2004/04/25 15:03:16 gerv%gerv.net Exp $
* $Id: cmsdigdata.c,v 1.5.192.2 2011/02/11 03:57:50 emaldona%redhat.com Exp $
*/
#include "cmslocal.h"
@ -117,7 +117,8 @@ NSS_CMSDigestedData_Encode_BeforeStart(NSSCMSDigestedData *digd)
SECItem *dummy;
version = NSS_CMS_DIGESTED_DATA_VERSION_DATA;
if (NSS_CMSContentInfo_GetContentTypeTag(&(digd->contentInfo)) != SEC_OID_PKCS7_DATA)
if (!NSS_CMSType_IsData(NSS_CMSContentInfo_GetContentTypeTag(
&(digd->contentInfo))))
version = NSS_CMS_DIGESTED_DATA_VERSION_ENCAP;
dummy = SEC_ASN1EncodeInteger(digd->cmsg->poolp, &(digd->version), version);
@ -134,11 +135,16 @@ NSS_CMSDigestedData_Encode_BeforeStart(NSSCMSDigestedData *digd)
SECStatus
NSS_CMSDigestedData_Encode_BeforeData(NSSCMSDigestedData *digd)
{
SECStatus rv =NSS_CMSContentInfo_Private_Init(&digd->contentInfo);
if (rv != SECSuccess) {
return SECFailure;
}
/* set up the digests */
if (digd->digestAlg.algorithm.len != 0 && digd->digest.len == 0) {
/* if digest is already there, do nothing */
digd->contentInfo.digcx = NSS_CMSDigestContext_StartSingle(&(digd->digestAlg));
if (digd->contentInfo.digcx == NULL)
digd->contentInfo.privateInfo->digcx = NSS_CMSDigestContext_StartSingle(&(digd->digestAlg));
if (digd->contentInfo.privateInfo->digcx == NULL)
return SECFailure;
}
return SECSuccess;
@ -156,12 +162,12 @@ NSS_CMSDigestedData_Encode_AfterData(NSSCMSDigestedData *digd)
{
SECStatus rv = SECSuccess;
/* did we have digest calculation going on? */
if (digd->contentInfo.digcx) {
rv = NSS_CMSDigestContext_FinishSingle(digd->contentInfo.digcx,
if (digd->contentInfo.privateInfo && digd->contentInfo.privateInfo->digcx) {
rv = NSS_CMSDigestContext_FinishSingle(digd->contentInfo.privateInfo->digcx,
digd->cmsg->poolp,
&(digd->digest));
/* error has been set by NSS_CMSDigestContext_FinishSingle */
digd->contentInfo.digcx = NULL;
digd->contentInfo.privateInfo->digcx = NULL;
}
return rv;
@ -177,12 +183,19 @@ NSS_CMSDigestedData_Encode_AfterData(NSSCMSDigestedData *digd)
SECStatus
NSS_CMSDigestedData_Decode_BeforeData(NSSCMSDigestedData *digd)
{
SECStatus rv;
/* is there a digest algorithm yet? */
if (digd->digestAlg.algorithm.len == 0)
return SECFailure;
digd->contentInfo.digcx = NSS_CMSDigestContext_StartSingle(&(digd->digestAlg));
if (digd->contentInfo.digcx == NULL)
rv = NSS_CMSContentInfo_Private_Init(&digd->contentInfo);
if (rv != SECSuccess) {
return SECFailure;
}
digd->contentInfo.privateInfo->digcx = NSS_CMSDigestContext_StartSingle(&(digd->digestAlg));
if (digd->contentInfo.privateInfo->digcx == NULL)
return SECFailure;
return SECSuccess;
@ -200,12 +213,12 @@ NSS_CMSDigestedData_Decode_AfterData(NSSCMSDigestedData *digd)
{
SECStatus rv = SECSuccess;
/* did we have digest calculation going on? */
if (digd->contentInfo.digcx) {
rv = NSS_CMSDigestContext_FinishSingle(digd->contentInfo.digcx,
if (digd->contentInfo.privateInfo && digd->contentInfo.privateInfo->digcx) {
rv = NSS_CMSDigestContext_FinishSingle(digd->contentInfo.privateInfo->digcx,
digd->cmsg->poolp,
&(digd->cdigest));
/* error has been set by NSS_CMSDigestContext_FinishSingle */
digd->contentInfo.digcx = NULL;
digd->contentInfo.privateInfo->digcx = NULL;
}
return rv;
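Review bot: NSS_CMSDigestedData_Encode_BeforeData initialises its status in the declaration with a missing space, `SECStatus rv =NSS_CMSContentInfo_Private_Init(&digd->contentInfo);`, while NSS_CMSDigestedData_Decode_BeforeData in the same file declares `SECStatus rv;` and assigns afterwards. Using the second form in both, `rv = NSS_CMSContentInfo_Private_Init(&digd->contentInfo);`, keeps the two functions parallel. The repeated `digd->contentInfo.privateInfo->digcx` chains would also read better through one local pointer to `privateInfo`.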


@ -37,7 +37,7 @@
/*
* CMS encryptedData methods.
*
* $Id: cmsencdata.c,v 1.11 2008/02/03 06:08:49 nelson%bolyard.com Exp $
* $Id: cmsencdata.c,v 1.11.56.2 2011/02/11 03:57:50 emaldona%redhat.com Exp $
*/
#include "cmslocal.h"
@ -181,6 +181,7 @@ NSS_CMSEncryptedData_Encode_BeforeData(NSSCMSEncryptedData *encd)
NSSCMSContentInfo *cinfo;
PK11SymKey *bulkkey;
SECAlgorithmID *algid;
SECStatus rv;
cinfo = &(encd->contentInfo);
@ -192,12 +193,16 @@ NSS_CMSEncryptedData_Encode_BeforeData(NSSCMSEncryptedData *encd)
if (algid == NULL)
return SECFailure;
rv = NSS_CMSContentInfo_Private_Init(cinfo);
if (rv != SECSuccess) {
return SECFailure;
}
/* this may modify algid (with IVs generated in a token).
* it is therefore essential that algid is a pointer to the "real" contentEncAlg,
* not just to a copy */
cinfo->ciphcx = NSS_CMSCipherContext_StartEncrypt(encd->cmsg->poolp, bulkkey, algid);
cinfo->privateInfo->ciphcx = NSS_CMSCipherContext_StartEncrypt(encd->cmsg->poolp, bulkkey, algid);
PK11_FreeSymKey(bulkkey);
if (cinfo->ciphcx == NULL)
if (cinfo->privateInfo->ciphcx == NULL)
return SECFailure;
return SECSuccess;
@ -209,9 +214,9 @@ NSS_CMSEncryptedData_Encode_BeforeData(NSSCMSEncryptedData *encd)
SECStatus
NSS_CMSEncryptedData_Encode_AfterData(NSSCMSEncryptedData *encd)
{
if (encd->contentInfo.ciphcx) {
NSS_CMSCipherContext_Destroy(encd->contentInfo.ciphcx);
encd->contentInfo.ciphcx = NULL;
if (encd->contentInfo.privateInfo && encd->contentInfo.privateInfo->ciphcx) {
NSS_CMSCipherContext_Destroy(encd->contentInfo.privateInfo->ciphcx);
encd->contentInfo.privateInfo->ciphcx = NULL;
}
/* nothing to do after data */
@ -244,8 +249,14 @@ NSS_CMSEncryptedData_Decode_BeforeData(NSSCMSEncryptedData *encd)
NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
cinfo->ciphcx = NSS_CMSCipherContext_StartDecrypt(bulkkey, bulkalg);
if (cinfo->ciphcx == NULL)
rv = NSS_CMSContentInfo_Private_Init(cinfo);
if (rv != SECSuccess) {
goto loser;
}
rv = SECFailure;
cinfo->privateInfo->ciphcx = NSS_CMSCipherContext_StartDecrypt(bulkkey, bulkalg);
if (cinfo->privateInfo->ciphcx == NULL)
goto loser; /* error has been set by NSS_CMSCipherContext_StartDecrypt */
@ -264,9 +275,9 @@ loser:
SECStatus
NSS_CMSEncryptedData_Decode_AfterData(NSSCMSEncryptedData *encd)
{
if (encd->contentInfo.ciphcx) {
NSS_CMSCipherContext_Destroy(encd->contentInfo.ciphcx);
encd->contentInfo.ciphcx = NULL;
if (encd->contentInfo.privateInfo && encd->contentInfo.privateInfo->ciphcx) {
NSS_CMSCipherContext_Destroy(encd->contentInfo.privateInfo->ciphcx);
encd->contentInfo.privateInfo->ciphcx = NULL;
}
return SECSuccess;
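Review bot: In NSS_CMSEncryptedData_Encode_BeforeData the new `return SECFailure;` after a failed `NSS_CMSContentInfo_Private_Init(cinfo)` leaves before the `PK11_FreeSymKey(bulkkey)` that follows `NSS_CMSCipherContext_StartEncrypt`. If `bulkkey` already holds a reference at that point (it is obtained above the hunk, not visible here), this failure path leaks a reference to the bulk encryption key; `if (rv != SECSuccess) { PK11_FreeSymKey(bulkkey); return SECFailure; }` would release it. NSS_CMSEncryptedData_Decode_BeforeData handles the same failure with `goto loser`, which is the pattern to mirror.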


@ -37,7 +37,7 @@
/*
* CMS encoding.
*
* $Id: cmsencode.c,v 1.6.66.1 2010/12/23 18:03:41 kaie%kuix.de Exp $
* $Id: cmsencode.c,v 1.6.66.5 2011/02/11 03:57:50 emaldona%redhat.com Exp $
*/
#include "cmslocal.h"
@ -92,8 +92,23 @@ nss_cms_encoder_out(void *arg, const char *buf, unsigned long len,
#ifdef CMSDEBUG
int i;
const char *data_name = "unknown";
fprintf(stderr, "kind = %d, depth = %d, len = %d\n", data_kind, depth, len);
switch (data_kind) {
case SEC_ASN1_Identifier:
data_name = "identifier";
break;
case SEC_ASN1_Length:
data_name = "length";
break;
case SEC_ASN1_Contents:
data_name = "contents";
break;
case SEC_ASN1_EndOfContents:
data_name = "end-of-contents";
break;
}
fprintf(stderr, "kind = %s, depth = %d, len = %d\n", data_name, depth, len);
for (i=0; i < len; i++) {
fprintf(stderr, " %02x%s", (unsigned int)buf[i] & 0xff, ((i % 16) == 15) ? "\n" : "");
}
@ -159,34 +174,17 @@ nss_cms_encoder_notify(void *arg, PRBool before, void *dest, int depth)
* Watch for the content field, at which point we want to instruct
* the ASN.1 encoder to start taking bytes from the buffer.
*/
switch (p7ecx->type) {
default:
case SEC_OID_UNKNOWN:
/* we're still in the root message */
if (after && dest == &(rootcinfo->contentType)) {
/* got the content type OID now - so find out the type tag */
p7ecx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo);
/* set up a pointer to our current content */
p7ecx->content = rootcinfo->content;
}
break;
case SEC_OID_PKCS7_DATA:
if (before && dest == &(rootcinfo->rawContent)) {
if (NSS_CMSType_IsData(p7ecx->type)) {
cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
if (before && dest == &(cinfo->rawContent)) {
/* just set up encoder to grab from user - no encryption or digesting */
if ((item = rootcinfo->content.data) != NULL)
if ((item = cinfo->content.data) != NULL)
(void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, item->len, PR_TRUE, PR_TRUE);
else
SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx);
SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx); /* no need to get notified anymore */
}
break;
case SEC_OID_PKCS7_SIGNED_DATA:
case SEC_OID_PKCS7_ENVELOPED_DATA:
case SEC_OID_PKCS7_DIGESTED_DATA:
case SEC_OID_PKCS7_ENCRYPTED_DATA:
} else if (NSS_CMSType_IsWrapper(p7ecx->type)) {
/* when we know what the content is, we encode happily until we reach the inner content */
cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
@ -199,19 +197,32 @@ nss_cms_encoder_notify(void *arg, PRBool before, void *dest, int depth)
p7ecx->error = PORT_GetError();
}
if (before && dest == &(cinfo->rawContent)) {
if (childtype == SEC_OID_PKCS7_DATA && (item = cinfo->content.data) != NULL)
/* we have data - feed it in */
(void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, item->len, PR_TRUE, PR_TRUE);
else
/* else try to get it from user */
if (p7ecx->childp7ecx == NULL) {
if ((NSS_CMSType_IsData(childtype) && (item = cinfo->content.data) != NULL)) {
/* we are the innermost non-data and we have data - feed it in */
(void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, item->len, PR_TRUE, PR_TRUE);
} else {
/* else we'll have to get data from user */
SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx);
}
} else {
/* if we have a nested encoder, wait for its data */
SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx);
}
}
if (after && dest == &(cinfo->rawContent)) {
if (nss_cms_after_data(p7ecx) != SECSuccess)
p7ecx->error = PORT_GetError();
SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx); /* no need to get notified anymore */
}
break;
} else {
/* we're still in the root message */
if (after && dest == &(rootcinfo->contentType)) {
/* got the content type OID now - so find out the type tag */
p7ecx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo);
/* set up a pointer to our current content */
p7ecx->content = rootcinfo->content;
}
}
}
@ -247,7 +258,11 @@ nss_cms_before_data(NSSCMSEncoderContext *p7ecx)
rv = NSS_CMSEncryptedData_Encode_BeforeData(p7ecx->content.encryptedData);
break;
default:
rv = SECFailure;
if (NSS_CMSType_IsWrapper(p7ecx->type)) {
rv = NSS_CMSGenericWrapperData_Encode_BeforeData(p7ecx->type, p7ecx->content.genericData);
} else {
rv = SECFailure;
}
}
if (rv != SECSuccess)
return SECFailure;
@ -258,14 +273,7 @@ nss_cms_before_data(NSSCMSEncoderContext *p7ecx)
cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
switch (childtype) {
case SEC_OID_PKCS7_SIGNED_DATA:
case SEC_OID_PKCS7_ENVELOPED_DATA:
case SEC_OID_PKCS7_ENCRYPTED_DATA:
case SEC_OID_PKCS7_DIGESTED_DATA:
#if 0
case SEC_OID_PKCS7_DATA: /* XXX here also??? maybe yes! */
#endif
if (NSS_CMSType_IsWrapper(childtype)) {
/* in these cases, we need to set up a child encoder! */
/* create new encoder context */
childp7ecx = PORT_ZAlloc(sizeof(NSSCMSEncoderContext));
@ -284,6 +292,8 @@ nss_cms_before_data(NSSCMSEncoderContext *p7ecx)
childp7ecx->output.destpoolp = NULL;
childp7ecx->output.dest = NULL;
childp7ecx->cmsg = p7ecx->cmsg;
childp7ecx->ecxupdated = PR_FALSE;
childp7ecx->childp7ecx = NULL;
template = NSS_CMSUtil_GetTemplateByTypeTag(childtype);
if (template == NULL)
@ -303,11 +313,8 @@ nss_cms_before_data(NSSCMSEncoderContext *p7ecx)
case SEC_OID_PKCS7_ENCRYPTED_DATA:
rv = NSS_CMSEncryptedData_Encode_BeforeStart(cinfo->content.encryptedData);
break;
case SEC_OID_PKCS7_DATA:
rv = SECSuccess;
break;
default:
PORT_Assert(0);
rv = NSS_CMSGenericWrapperData_Encode_BeforeStart(childp7ecx->type, cinfo->content.genericData);
break;
}
if (rv != SECSuccess)
@ -321,17 +328,17 @@ nss_cms_before_data(NSSCMSEncoderContext *p7ecx)
if (childp7ecx->ecx == NULL)
goto loser;
childp7ecx->ecxupdated = PR_FALSE;
/*
* Indicate that we are streaming. We will be streaming until we
* get past the contents bytes.
*/
SEC_ASN1EncoderSetStreaming(childp7ecx->ecx);
if (!cinfo->privateInfo || !cinfo->privateInfo->dontStream)
SEC_ASN1EncoderSetStreaming(childp7ecx->ecx);
/*
* The notify function will watch for the contents field.
*/
p7ecx->childp7ecx = childp7ecx;
SEC_ASN1EncoderSetNotifyProc(childp7ecx->ecx, nss_cms_encoder_notify, childp7ecx);
/* please note that we are NOT calling SEC_ASN1EncoderUpdate here to kick off the */
@ -339,22 +346,11 @@ nss_cms_before_data(NSSCMSEncoderContext *p7ecx)
/* otherwise we'd be encoding data from a call of the notify function of the */
/* parent encoder (which would not work) */
/* this will kick off the encoding process & encode everything up to the content bytes,
* at which point the notify function sets streaming mode (and possibly creates
* another child encoder). */
if (SEC_ASN1EncoderUpdate(childp7ecx->ecx, NULL, 0) != SECSuccess)
goto loser;
p7ecx->childp7ecx = childp7ecx;
break;
case SEC_OID_PKCS7_DATA:
} else if (NSS_CMSType_IsData(childtype)) {
p7ecx->childp7ecx = NULL;
break;
default:
} else {
/* we do not know this type */
p7ecx->error = SEC_ERROR_BAD_DER;
break;
}
return SECSuccess;
@ -364,6 +360,7 @@ loser:
if (childp7ecx->ecx)
SEC_ASN1EncoderFinish(childp7ecx->ecx);
PORT_Free(childp7ecx);
p7ecx->childp7ecx = NULL;
}
return SECFailure;
}
@ -387,11 +384,12 @@ nss_cms_after_data(NSSCMSEncoderContext *p7ecx)
case SEC_OID_PKCS7_ENCRYPTED_DATA:
rv = NSS_CMSEncryptedData_Encode_AfterData(p7ecx->content.encryptedData);
break;
case SEC_OID_PKCS7_DATA:
/* do nothing */
break;
default:
rv = SECFailure;
if (NSS_CMSType_IsWrapper(p7ecx->type)) {
rv = NSS_CMSGenericWrapperData_Encode_AfterData(p7ecx->type, p7ecx->content.genericData);
} else {
rv = SECFailure;
}
break;
}
return rv;
@ -432,23 +430,23 @@ nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest,
}
/* Update the running digest. */
if (len && cinfo->digcx != NULL)
NSS_CMSDigestContext_Update(cinfo->digcx, data, len);
if (len && cinfo->privateInfo && cinfo->privateInfo->digcx != NULL)
NSS_CMSDigestContext_Update(cinfo->privateInfo->digcx, data, len);
/* Encrypt this chunk. */
if (cinfo->ciphcx != NULL) {
if (cinfo->privateInfo && cinfo->privateInfo->ciphcx != NULL) {
unsigned int inlen; /* length of data being encrypted */
unsigned int outlen; /* length of encrypted data */
unsigned int buflen; /* length available for encrypted data */
inlen = len;
buflen = NSS_CMSCipherContext_EncryptLength(cinfo->ciphcx, inlen, final);
buflen = NSS_CMSCipherContext_EncryptLength(cinfo->privateInfo->ciphcx, inlen, final);
if (buflen == 0) {
/*
* No output is expected, but the input data may be buffered
* so we still have to call Encrypt.
*/
rv = NSS_CMSCipherContext_Encrypt(cinfo->ciphcx, NULL, NULL, 0,
rv = NSS_CMSCipherContext_Encrypt(cinfo->privateInfo->ciphcx, NULL, NULL, 0,
data, inlen, final);
if (final) {
len = 0;
@ -465,7 +463,7 @@ nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest,
if (buf == NULL) {
rv = SECFailure;
} else {
rv = NSS_CMSCipherContext_Encrypt(cinfo->ciphcx, buf, &outlen, buflen,
rv = NSS_CMSCipherContext_Encrypt(cinfo->privateInfo->ciphcx, buf, &outlen, buflen,
data, inlen, final);
data = buf;
len = outlen;
@ -481,12 +479,12 @@ nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest,
* (which will encode it, then hand it back to the user or the parent encoder)
* We don't encode the data if we're innermost and we're told not to include the data
*/
if (p7ecx->ecx != NULL && len && (!innermost || cinfo->rawContent != NULL))
if (p7ecx->ecx != NULL && len && (!innermost || cinfo->rawContent != cinfo->content.pointer))
rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, (const char *)data, len);
done:
if (cinfo->ciphcx != NULL) {
if (cinfo->privateInfo && cinfo->privateInfo->ciphcx != NULL) {
if (dest != NULL) {
dest->data = buf;
dest->len = len;
@ -532,6 +530,7 @@ NSS_CMSEncoder_Start(NSSCMSMessage *cmsg,
NSSCMSEncoderContext *p7ecx;
SECStatus rv;
NSSCMSContentInfo *cinfo;
SECOidTag tag;
NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg,
detached_digestalgs, detached_digests);
@ -551,7 +550,8 @@ NSS_CMSEncoder_Start(NSSCMSMessage *cmsg,
cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
switch (tag) {
case SEC_OID_PKCS7_SIGNED_DATA:
rv = NSS_CMSSignedData_Encode_BeforeStart(cinfo->content.signedData);
break;
@ -565,7 +565,12 @@ NSS_CMSEncoder_Start(NSSCMSMessage *cmsg,
rv = NSS_CMSEncryptedData_Encode_BeforeStart(cinfo->content.encryptedData);
break;
default:
rv = SECFailure;
if (NSS_CMSType_IsWrapper(tag)) {
rv = NSS_CMSGenericWrapperData_Encode_BeforeStart(tag,
p7ecx->content.genericData);
} else {
rv = SECFailure;
}
break;
}
if (rv != SECSuccess) {
@ -587,7 +592,8 @@ NSS_CMSEncoder_Start(NSSCMSMessage *cmsg,
* Indicate that we are streaming. We will be streaming until we
* get past the contents bytes.
*/
SEC_ASN1EncoderSetStreaming(p7ecx->ecx);
if (!cinfo->privateInfo || !cinfo->privateInfo->dontStream)
SEC_ASN1EncoderSetStreaming(p7ecx->ecx);
/*
* The notify function will watch for the contents field.
@ -597,6 +603,7 @@ NSS_CMSEncoder_Start(NSSCMSMessage *cmsg,
/* this will kick off the encoding process & encode everything up to the content bytes,
* at which point the notify function sets streaming mode (and possibly creates
* a child encoder). */
p7ecx->ecxupdated = PR_TRUE;
if (SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0) != SECSuccess) {
PORT_Free (p7ecx);
return NULL;
@ -627,6 +634,13 @@ NSS_CMSEncoder_Update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned lo
/* hand data to the innermost decoder */
if (p7ecx->childp7ecx) {
/* tell the child to start encoding, up to its first data byte, if it
* hasn't started yet */
if (!p7ecx->childp7ecx->ecxupdated) {
p7ecx->childp7ecx->ecxupdated = PR_TRUE;
if (SEC_ASN1EncoderUpdate(p7ecx->childp7ecx->ecx, NULL, 0) != SECSuccess)
return SECFailure;
}
/* recursion here */
rv = NSS_CMSEncoder_Update(p7ecx->childp7ecx, data, len);
} else {
@ -640,7 +654,7 @@ NSS_CMSEncoder_Update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned lo
}
childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
if (childtype != SEC_OID_PKCS7_DATA)
if (!NSS_CMSType_IsData(childtype))
return SECFailure;
/* and we must not have preset data */
if (cinfo->content.data != NULL)
@ -721,6 +735,16 @@ NSS_CMSEncoder_Finish(NSSCMSEncoderContext *p7ecx)
* while we are already in NSS_CMSEncoder_Finish, but that's allright.
*/
if (p7ecx->childp7ecx) {
/* tell the child to start encoding, up to its first data byte, if it
* hasn't yet */
if (!p7ecx->childp7ecx->ecxupdated) {
p7ecx->childp7ecx->ecxupdated = PR_TRUE;
rv = SEC_ASN1EncoderUpdate(p7ecx->childp7ecx->ecx, NULL, 0);
if (rv != SECSuccess) {
NSS_CMSEncoder_Finish(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */
goto loser;
}
}
rv = NSS_CMSEncoder_Finish(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */
if (rv != SECSuccess)
goto loser;
@ -737,7 +761,6 @@ NSS_CMSEncoder_Finish(NSSCMSEncoderContext *p7ecx)
p7ecx->childp7ecx = NULL;
/* find out about our inner content type - must be data */
cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
if (!cinfo) {
/* The original programmer didn't expect this to happen */
@ -745,14 +768,10 @@ NSS_CMSEncoder_Finish(NSSCMSEncoderContext *p7ecx)
rv = SECFailure;
goto loser;
}
childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
if (childtype == SEC_OID_PKCS7_DATA && cinfo->content.data == NULL) {
SEC_ASN1EncoderClearTakeFromBuf(p7ecx->ecx);
/* now that TakeFromBuf is off, this will kick this encoder to finish encoding */
rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0);
}
SEC_ASN1EncoderClearTakeFromBuf(p7ecx->ecx);
SEC_ASN1EncoderClearStreaming(p7ecx->ecx);
/* now that TakeFromBuf is off, this will kick this encoder to finish encoding */
rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0);
if (p7ecx->error)
rv = SECFailure;


@ -37,7 +37,7 @@
/*
* CMS envelopedData methods.
*
* $Id: cmsenvdata.c,v 1.11 2005/10/03 22:01:57 relyea%netscape.com Exp $
* $Id: cmsenvdata.c,v 1.11.142.2 2011/02/11 03:57:50 emaldona%redhat.com Exp $
*/
#include "cmslocal.h"
@ -270,6 +270,7 @@ NSS_CMSEnvelopedData_Encode_BeforeData(NSSCMSEnvelopedData *envd)
NSSCMSContentInfo *cinfo;
PK11SymKey *bulkkey;
SECAlgorithmID *algid;
SECStatus rv;
cinfo = &(envd->contentInfo);
@ -281,12 +282,16 @@ NSS_CMSEnvelopedData_Encode_BeforeData(NSSCMSEnvelopedData *envd)
if (algid == NULL)
return SECFailure;
rv = NSS_CMSContentInfo_Private_Init(cinfo);
if (rv != SECSuccess) {
return SECFailure;
}
/* this may modify algid (with IVs generated in a token).
* it is essential that algid is a pointer to the contentEncAlg data, not a
* pointer to a copy! */
cinfo->ciphcx = NSS_CMSCipherContext_StartEncrypt(envd->cmsg->poolp, bulkkey, algid);
cinfo->privateInfo->ciphcx = NSS_CMSCipherContext_StartEncrypt(envd->cmsg->poolp, bulkkey, algid);
PK11_FreeSymKey(bulkkey);
if (cinfo->ciphcx == NULL)
if (cinfo->privateInfo->ciphcx == NULL)
return SECFailure;
return SECSuccess;
@ -298,9 +303,9 @@ NSS_CMSEnvelopedData_Encode_BeforeData(NSSCMSEnvelopedData *envd)
SECStatus
NSS_CMSEnvelopedData_Encode_AfterData(NSSCMSEnvelopedData *envd)
{
if (envd->contentInfo.ciphcx) {
NSS_CMSCipherContext_Destroy(envd->contentInfo.ciphcx);
envd->contentInfo.ciphcx = NULL;
if (envd->contentInfo.privateInfo && envd->contentInfo.privateInfo->ciphcx) {
NSS_CMSCipherContext_Destroy(envd->contentInfo.privateInfo->ciphcx);
envd->contentInfo.privateInfo->ciphcx = NULL;
}
/* nothing else to do after data */
@ -380,8 +385,13 @@ NSS_CMSEnvelopedData_Decode_BeforeData(NSSCMSEnvelopedData *envd)
bulkalg = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
cinfo->ciphcx = NSS_CMSCipherContext_StartDecrypt(bulkkey, bulkalg);
if (cinfo->ciphcx == NULL)
rv = NSS_CMSContentInfo_Private_Init(cinfo);
if (rv != SECSuccess) {
goto loser;
}
rv = SECFailure;
cinfo->privateInfo->ciphcx = NSS_CMSCipherContext_StartDecrypt(bulkkey, bulkalg);
if (cinfo->privateInfo->ciphcx == NULL)
goto loser; /* error has been set by NSS_CMSCipherContext_StartDecrypt */
@ -401,9 +411,9 @@ loser:
SECStatus
NSS_CMSEnvelopedData_Decode_AfterData(NSSCMSEnvelopedData *envd)
{
if (envd && envd->contentInfo.ciphcx) {
NSS_CMSCipherContext_Destroy(envd->contentInfo.ciphcx);
envd->contentInfo.ciphcx = NULL;
if (envd && envd->contentInfo.privateInfo && envd->contentInfo.privateInfo->ciphcx) {
NSS_CMSCipherContext_Destroy(envd->contentInfo.privateInfo->ciphcx);
envd->contentInfo.privateInfo->ciphcx = NULL;
}
return SECSuccess;
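Review bot: In NSS_CMSEnvelopedData_Encode_BeforeData the new early return taken when `NSS_CMSContentInfo_Private_Init` fails skips the `PK11_FreeSymKey(bulkkey)` that the success path runs a few lines later, so a reference to the bulk encryption key appears to leak on that path. The assignment of `bulkkey` is outside the hunk, so this assumes the key is already held at that point. If it is, release it before returning: `if (rv != SECSuccess) { PK11_FreeSymKey(bulkkey); return SECFailure; }`. The decode-side function in this section routes the same failure through `loser` instead of returning directly.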


@ -42,7 +42,7 @@
* you. If that has a problem, then just move out what you need, changing
* its name as appropriate!
*
* $Id: cmslocal.h,v 1.5 2005/06/27 22:21:18 julien.pierre.bugs%sun.com Exp $
* $Id: cmslocal.h,v 1.5.142.1 2011/01/28 23:08:27 rrelyea%redhat.com Exp $
*/
#ifndef _CMSLOCAL_H_
@ -54,9 +54,25 @@
extern const SEC_ASN1Template NSSCMSContentInfoTemplate[];
struct NSSCMSContentInfoPrivateStr {
NSSCMSCipherContext *ciphcx;
NSSCMSDigestContext *digcx;
PRBool dontStream;
};
/************************************************************************/
SEC_BEGIN_PROTOS
/*
* private content Info stuff
*/
/* initialize the private content info field. If this returns
* SECSuccess, the cinfo->private field is safe to dereference.
*/
SECStatus NSS_CMSContentInfo_Private_Init(NSSCMSContentInfo *cinfo);
/***********************************************************************
* cmscipher.c - en/decryption routines
***********************************************************************/
@ -340,7 +356,34 @@ NSS_CMSAttributeArray_SetAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, SECO
extern SECStatus
NSS_CMSSignedData_AddTempCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert);
/************************************************************************/
/*
* local functions to handle user defined S/MIME content types
*/
PRBool NSS_CMSType_IsWrapper(SECOidTag type);
PRBool NSS_CMSType_IsData(SECOidTag type);
size_t NSS_CMSType_GetContentSize(SECOidTag type);
const SEC_ASN1Template * NSS_CMSType_GetTemplate(SECOidTag type);
void NSS_CMSGenericWrapperData_Destroy(SECOidTag type,
NSSCMSGenericWrapperData *gd);
SECStatus NSS_CMSGenericWrapperData_Decode_BeforeData(SECOidTag type,
NSSCMSGenericWrapperData *gd);
SECStatus NSS_CMSGenericWrapperData_Decode_AfterData(SECOidTag type,
NSSCMSGenericWrapperData *gd);
SECStatus NSS_CMSGenericWrapperData_Decode_AfterEnd(SECOidTag type,
NSSCMSGenericWrapperData *gd);
SECStatus NSS_CMSGenericWrapperData_Encode_BeforeStart(SECOidTag type,
NSSCMSGenericWrapperData *gd);
SECStatus NSS_CMSGenericWrapperData_Encode_BeforeData(SECOidTag type,
NSSCMSGenericWrapperData *gd);
SECStatus NSS_CMSGenericWrapperData_Encode_AfterData(SECOidTag type,
NSSCMSGenericWrapperData *gd);
SEC_END_PROTOS
#endif /* _CMSLOCAL_H_ */
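Review bot: The comment added above `NSS_CMSContentInfo_Private_Init` says the `cinfo->private` field is safe to dereference, but the member this commit adds to `NSSCMSContentInfo` is named `privateInfo`; the line should read `SECSuccess, the cinfo->privateInfo field is safe to dereference.` The new `NSS_CMSGenericWrapperData_*` prototypes also carry no description. A one-line comment stating that they return `SECFailure` when no callback is registered for a non-data type would save readers a trip to cmsudf.c.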


@ -37,7 +37,7 @@
/*
* CMS message methods.
*
* $Id: cmsmessage.c,v 1.6 2004/04/25 15:03:16 gerv%gerv.net Exp $
* $Id: cmsmessage.c,v 1.6.192.1 2011/01/28 23:08:27 rrelyea%redhat.com Exp $
*/
#include "cmslocal.h"
@ -81,6 +81,7 @@ NSS_CMSMessage_Create(PLArenaPool *poolp)
PORT_FreeArena(poolp, PR_FALSE);
return NULL;
}
NSS_CMSContentInfo_Private_Init(&(cmsg->contentInfo));
cmsg->poolp = poolp;
cmsg->poolp_is_ours = poolp_is_ours;
@ -234,11 +235,12 @@ NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg)
/* descend into CMS message */
for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
if (!NSS_CMSType_IsData(NSS_CMSContentInfo_GetContentTypeTag(cinfo)))
continue; /* next level */
if (NSS_CMSSignedData_ContainsCertsOrCrls(cinfo->content.signedData))
return PR_TRUE;
/* callback here for generic wrappers? */
}
return PR_FALSE;
}
@ -259,6 +261,7 @@ NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg)
case SEC_OID_PKCS7_ENCRYPTED_DATA:
return PR_TRUE;
default:
/* callback here for generic wrappers? */
break;
}
}
@ -289,6 +292,7 @@ NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg)
return PR_TRUE;
break;
default:
/* callback here for generic wrappers? */
break;
}
}
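Review bot: In NSS_CMSMessage_ContainsCertsOrCrls the test guarding `cinfo->content.signedData` now reads `if (!NSS_CMSType_IsData(...)) continue;`, which skips every non-data level (signedData included) and lets only data-typed levels reach `NSS_CMSSignedData_ContainsCertsOrCrls`. On a data level the `content` union holds the `data` member rather than a signedData pointer, so that call would interpret the wrong object. The page has lost its +/- markers, so this assumes the `NSS_CMSType_IsData` line is the new side; if so, keep the original comparison, `if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) != SEC_OID_PKCS7_SIGNED_DATA)`. Separately, the return value of `NSS_CMSContentInfo_Private_Init` in NSS_CMSMessage_Create is ignored, while the other call sites in this commit check it.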


@ -37,7 +37,7 @@
/*
* CMS signedData methods.
*
* $Id: cmssigdata.c,v 1.29 2005/06/27 22:21:18 julien.pierre.bugs%sun.com Exp $
* $Id: cmssigdata.c,v 1.29.142.2 2011/02/11 03:57:50 emaldona%redhat.com Exp $
*/
#include "cmslocal.h"
@ -217,17 +217,22 @@ loser:
SECStatus
NSS_CMSSignedData_Encode_BeforeData(NSSCMSSignedData *sigd)
{
SECStatus rv;
if (!sigd) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
rv = NSS_CMSContentInfo_Private_Init(&sigd->contentInfo);
if (rv != SECSuccess) {
return SECFailure;
}
/* set up the digests */
if (sigd->digests && sigd->digests[0]) {
sigd->contentInfo.digcx = NULL; /* don't attempt to make new ones. */
sigd->contentInfo.privateInfo->digcx = NULL; /* don't attempt to make new ones. */
} else if (sigd->digestAlgorithms != NULL) {
sigd->contentInfo.digcx =
sigd->contentInfo.privateInfo->digcx =
NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms);
if (sigd->contentInfo.digcx == NULL)
if (sigd->contentInfo.privateInfo->digcx == NULL)
return SECFailure;
}
return SECSuccess;
@ -267,11 +272,11 @@ NSS_CMSSignedData_Encode_AfterData(NSSCMSSignedData *sigd)
cinfo = &(sigd->contentInfo);
/* did we have digest calculation going on? */
if (cinfo->digcx) {
rv = NSS_CMSDigestContext_FinishMultiple(cinfo->digcx, poolp,
if (cinfo->privateInfo && cinfo->privateInfo->digcx) {
rv = NSS_CMSDigestContext_FinishMultiple(cinfo->privateInfo->digcx, poolp,
&(sigd->digests));
/* error has been set by NSS_CMSDigestContext_FinishMultiple */
cinfo->digcx = NULL;
cinfo->privateInfo->digcx = NULL;
if (rv != SECSuccess)
goto loser;
}
@ -392,15 +397,20 @@ loser:
SECStatus
NSS_CMSSignedData_Decode_BeforeData(NSSCMSSignedData *sigd)
{
SECStatus rv;
if (!sigd) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
rv = NSS_CMSContentInfo_Private_Init(&sigd->contentInfo);
if (rv != SECSuccess) {
return SECFailure;
}
/* set up the digests */
if (sigd->digestAlgorithms != NULL && sigd->digests == NULL) {
/* if digests are already there, do nothing */
sigd->contentInfo.digcx = NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms);
if (sigd->contentInfo.digcx == NULL)
sigd->contentInfo.privateInfo->digcx = NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms);
if (sigd->contentInfo.privateInfo->digcx == NULL)
return SECFailure;
}
return SECSuccess;
@ -421,11 +431,11 @@ NSS_CMSSignedData_Decode_AfterData(NSSCMSSignedData *sigd)
}
/* did we have digest calculation going on? */
if (sigd->contentInfo.digcx) {
rv = NSS_CMSDigestContext_FinishMultiple(sigd->contentInfo.digcx,
if (sigd->contentInfo.privateInfo && sigd->contentInfo.privateInfo->digcx) {
rv = NSS_CMSDigestContext_FinishMultiple(sigd->contentInfo.privateInfo->digcx,
sigd->cmsg->poolp, &(sigd->digests));
/* error set by NSS_CMSDigestContext_FinishMultiple */
sigd->contentInfo.digcx = NULL;
sigd->contentInfo.privateInfo->digcx = NULL;
}
return rv;
}


@ -37,7 +37,7 @@
/*
* Header for CMS types.
*
* $Id: cmst.h,v 1.10 2005/06/27 22:21:19 julien.pierre.bugs%sun.com Exp $
* $Id: cmst.h,v 1.10.142.3 2011/02/11 03:57:50 emaldona%redhat.com Exp $
*/
#ifndef _CMST_H_
@ -98,6 +98,8 @@ typedef struct NSSCMSRecipientInfoStr NSSCMSRecipientInfo;
typedef struct NSSCMSDigestedDataStr NSSCMSDigestedData;
typedef struct NSSCMSEncryptedDataStr NSSCMSEncryptedData;
typedef struct NSSCMSGenericWrapperDataStr NSSCMSGenericWrapperData;
typedef struct NSSCMSSMIMEKEAParametersStr NSSCMSSMIMEKEAParameters;
typedef struct NSSCMSAttributeStr NSSCMSAttribute;
@ -108,6 +110,21 @@ typedef struct NSSCMSEncoderContextStr NSSCMSEncoderContext;
typedef struct NSSCMSCipherContextStr NSSCMSCipherContext;
typedef struct NSSCMSDigestContextStr NSSCMSDigestContext;
typedef struct NSSCMSContentInfoPrivateStr NSSCMSContentInfoPrivate;
typedef SECStatus (*NSSCMSGenericWrapperDataCallback)
(NSSCMSGenericWrapperData *);
typedef void (*NSSCMSGenericWrapperDataDestroy)
(NSSCMSGenericWrapperData *);
extern const SEC_ASN1Template NSSCMSGenericWrapperDataTemplate[];
extern const SEC_ASN1Template NSS_PointerToCMSGenericWrapperDataTemplate[];
SEC_ASN1_CHOOSER_DECLARE(NSS_PointerToCMSGenericWrapperDataTemplate)
SEC_ASN1_CHOOSER_DECLARE(NSSCMSGenericWrapperDataTemplate)
/*
* Type of function passed to NSSCMSDecode or NSSCMSDecoderStart.
* If specified, this is where the content bytes (only) will be "sent"
@ -142,6 +159,7 @@ union NSSCMSContentUnion {
NSSCMSEncryptedData * encryptedData;
NSSCMSEnvelopedData * envelopedData;
NSSCMSSignedData * signedData;
NSSCMSGenericWrapperData * genericData;
/* or anonymous pointer to something */
void * pointer;
};
@ -164,8 +182,8 @@ struct NSSCMSContentInfoStr {
* (only used by creation code) */
SECOidTag contentEncAlgTag; /* oid tag of encryption algorithm
* (only used by creation code) */
NSSCMSCipherContext *ciphcx; /* context for en/decryption going on */
NSSCMSDigestContext *digcx; /* context for digesting going on */
NSSCMSContentInfoPrivate *privateInfo; /* place for NSS private info */
void *reserved; /* keep binary compatibility */
};
/* =============================================================================
@ -186,6 +204,18 @@ struct NSSCMSMessageStr {
void * decrypt_key_cb_arg;
};
/* ============================================================================
* GENERIC WRAPPER
*
* used for user defined types.
*/
struct NSSCMSGenericWrapperDataStr {
NSSCMSContentInfo contentInfo;
/* ---- local; not part of encoding ------ */
NSSCMSMessage * cmsg;
/* wrapperspecific data starts here */
};
/* =============================================================================
* SIGNEDDATA
*/
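Review bot: The `reserved` member in `NSSCMSContentInfoStr` is commented "keep binary compatibility", but it preserves only the struct's size: the slot that used to hold `ciphcx` now holds `privateInfo`. Any code built against the old header that reads or writes `ciphcx` or `digcx` directly would touch the wrong object after this change. Whether such callers exist cannot be seen from this page, so the comment should state the limit explicitly, e.g. `/* keeps struct size only; the old ciphcx/digcx slots are not preserved */`.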


@ -0,0 +1,480 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/*
* CMS User Define Types
*
* $Id: cmsudf.c,v 1.1.2.4 2011/02/11 03:57:50 emaldona%redhat.com Exp $
*/
#include "cmslocal.h"
#include "prinit.h"
#include "pk11func.h"
#include "secitem.h"
#include "secoid.h"
#include "secerr.h"
#include "nss.h"
typedef struct nsscmstypeInfoStr nsscmstypeInfo;
struct nsscmstypeInfoStr {
SECOidTag type;
SEC_ASN1Template *template;
size_t size;
PRBool isData;
NSSCMSGenericWrapperDataDestroy destroy;
NSSCMSGenericWrapperDataCallback decode_before;
NSSCMSGenericWrapperDataCallback decode_after;
NSSCMSGenericWrapperDataCallback decode_end;
NSSCMSGenericWrapperDataCallback encode_start;
NSSCMSGenericWrapperDataCallback encode_before;
NSSCMSGenericWrapperDataCallback encode_after;
};
/* make sure the global tables are only initialized once */
static PRCallOnceType nsscmstypeOnce;
static PRCallOnceType nsscmstypeClearOnce;
/* lock for adding a new entry */
static PRLock *nsscmstypeAddLock;
/* lock for the hash table */
static PRLock *nsscmstypeHashLock;
/* the hash table itself */
static PLHashTable *nsscmstypeHash;
/* arena to hold all the hash table data */
static PRArenaPool *nsscmstypeArena;
/*
* clean up our global tables
*/
SECStatus
nss_cmstype_shutdown(void *appData, void *reserved)
{
if (nsscmstypeHashLock) {
PR_Lock(nsscmstypeHashLock);
}
if (nsscmstypeHash) {
PL_HashTableDestroy(nsscmstypeHash);
nsscmstypeHash = NULL;
}
if (nsscmstypeArena) {
PORT_FreeArena(nsscmstypeArena, PR_FALSE);
nsscmstypeArena = NULL;
}
if (nsscmstypeAddLock) {
PR_DestroyLock(nsscmstypeAddLock);
}
if (nsscmstypeHashLock) {
PRLock *oldLock = nsscmstypeHashLock;
nsscmstypeHashLock = NULL;
PR_Unlock(oldLock);
PR_DestroyLock(oldLock);
}
/* don't clear out the PR_ONCE data if we failed our inital call */
if (appData == NULL) {
nsscmstypeOnce = nsscmstypeClearOnce;
}
return SECSuccess;
}
static PLHashNumber
nss_cmstype_hash_key(const void *key)
{
return (PLHashNumber) key;
}
static PRIntn
nss_cmstype_compare_keys(const void *v1, const void *v2)
{
PLHashNumber value1 = (PLHashNumber) v1;
PLHashNumber value2 = (PLHashNumber) v2;
return (value1 == value2);
}
/*
* initialize our hash tables, called once on the first attemat to register
* a new SMIME type.
*/
static PRStatus
nss_cmstype_init(void)
{
SECStatus rv;
nsscmstypeHashLock = PR_NewLock();
if (nsscmstypeHashLock == NULL) {
return PR_FAILURE;
}
nsscmstypeAddLock = PR_NewLock();
if (nsscmstypeHashLock == NULL) {
goto fail;
}
nsscmstypeHash = PL_NewHashTable(64, nss_cmstype_hash_key,
nss_cmstype_compare_keys, PL_CompareValues, NULL, NULL);
if (nsscmstypeHash == NULL) {
goto fail;
}
nsscmstypeArena = PORT_NewArena(2048);
if (nsscmstypeArena == NULL) {
goto fail;
}
rv = NSS_RegisterShutdown(nss_cmstype_shutdown, NULL);
if (rv != SECSuccess) {
goto fail;
}
return PR_SUCCESS;
fail:
nss_cmstype_shutdown(&nsscmstypeOnce, NULL);
return PR_FAILURE;
}
/*
* look up and registered SIME type
*/
static const nsscmstypeInfo *
nss_cmstype_lookup(SECOidTag type)
{
nsscmstypeInfo *typeInfo = NULL;;
if (!nsscmstypeHash) {
return NULL;
}
PR_Lock(nsscmstypeHashLock);
if (nsscmstypeHash) {
typeInfo = PL_HashTableLookupConst(nsscmstypeHash, (void *)type);
}
PR_Unlock(nsscmstypeHashLock);
return typeInfo;
}
/*
* add a new type to the SMIME type table
*/
static SECStatus
nss_cmstype_add(SECOidTag type, nsscmstypeInfo *typeinfo)
{
PLHashEntry *entry;
if (!nsscmstypeHash) {
/* assert? this shouldn't happen */
return SECFailure;
}
PR_Lock(nsscmstypeHashLock);
/* this is really paranoia. If we really are racing nsscmstypeHash, we'll
* also be racing nsscmstypeHashLock... */
if (!nsscmstypeHash) {
PR_Unlock(nsscmstypeHashLock);
return SECFailure;
}
entry = PL_HashTableAdd(nsscmstypeHash, (void *)type, typeinfo);
PR_Unlock(nsscmstypeHashLock);
return entry ? SECSuccess : SECFailure;
}
/* helper functions to manage new content types
*/
PRBool
NSS_CMSType_IsWrapper(SECOidTag type)
{
const nsscmstypeInfo *typeInfo = NULL;
switch (type) {
case SEC_OID_PKCS7_SIGNED_DATA:
case SEC_OID_PKCS7_ENVELOPED_DATA:
case SEC_OID_PKCS7_DIGESTED_DATA:
case SEC_OID_PKCS7_ENCRYPTED_DATA:
return PR_TRUE;
default:
typeInfo = nss_cmstype_lookup(type);
if (typeInfo && !typeInfo->isData) {
return PR_TRUE;
}
}
return PR_FALSE;
}
PRBool
NSS_CMSType_IsData(SECOidTag type)
{
const nsscmstypeInfo *typeInfo = NULL;
switch (type) {
case SEC_OID_PKCS7_DATA:
return PR_TRUE;
default:
typeInfo = nss_cmstype_lookup(type);
if (typeInfo && typeInfo->isData) {
return PR_TRUE;
}
}
return PR_FALSE;
}
const SEC_ASN1Template *
NSS_CMSType_GetTemplate(SECOidTag type)
{
const nsscmstypeInfo *typeInfo = nss_cmstype_lookup(type);
if (typeInfo && typeInfo->template) {
return typeInfo->template;
}
return SEC_ASN1_GET(SEC_PointerToOctetStringTemplate);
}
size_t
NSS_CMSType_GetContentSize(SECOidTag type)
{
const nsscmstypeInfo *typeInfo = nss_cmstype_lookup(type);
if (typeInfo) {
return typeInfo->size;
}
return sizeof(SECItem *);
}
void
NSS_CMSGenericWrapperData_Destroy(SECOidTag type, NSSCMSGenericWrapperData *gd)
{
const nsscmstypeInfo *typeInfo = nss_cmstype_lookup(type);
if (typeInfo && typeInfo->destroy) {
(*typeInfo->destroy)(gd);
}
}
SECStatus
NSS_CMSGenericWrapperData_Decode_BeforeData(SECOidTag type,
NSSCMSGenericWrapperData *gd)
{
const nsscmstypeInfo *typeInfo;
/* short cut common case */
if (type == SEC_OID_PKCS7_DATA) {
return SECSuccess;
}
typeInfo = nss_cmstype_lookup(type);
if (typeInfo) {
if (typeInfo->decode_before) {
return (*typeInfo->decode_before)(gd);
}
/* decoder ops optional for data tags */
if (typeInfo->isData) {
return SECSuccess;
}
}
/* expected a function, but none existed */
return SECFailure;
}
SECStatus
NSS_CMSGenericWrapperData_Decode_AfterData(SECOidTag type,
NSSCMSGenericWrapperData *gd)
{
const nsscmstypeInfo *typeInfo;
/* short cut common case */
if (type == SEC_OID_PKCS7_DATA) {
return SECSuccess;
}
typeInfo = nss_cmstype_lookup(type);
if (typeInfo) {
if (typeInfo->decode_after) {
return (*typeInfo->decode_after)(gd);
}
/* decoder ops optional for data tags */
if (typeInfo->isData) {
return SECSuccess;
}
}
/* expected a function, but none existed */
return SECFailure;
}
SECStatus
NSS_CMSGenericWrapperData_Decode_AfterEnd(SECOidTag type,
NSSCMSGenericWrapperData *gd)
{
const nsscmstypeInfo *typeInfo;
/* short cut common case */
if (type == SEC_OID_PKCS7_DATA) {
return SECSuccess;
}
typeInfo = nss_cmstype_lookup(type);
if (typeInfo) {
if (typeInfo->decode_end) {
return (*typeInfo->decode_end)(gd);
}
/* decoder ops optional for data tags */
if (typeInfo->isData) {
return SECSuccess;
}
}
/* expected a function, but none existed */
return SECFailure;
}
SECStatus
NSS_CMSGenericWrapperData_Encode_BeforeStart(SECOidTag type,
NSSCMSGenericWrapperData *gd)
{
const nsscmstypeInfo *typeInfo;
/* short cut common case */
if (type == SEC_OID_PKCS7_DATA) {
return SECSuccess;
}
typeInfo = nss_cmstype_lookup(type);
if (typeInfo) {
if (typeInfo->encode_start) {
return (*typeInfo->encode_start)(gd);
}
/* decoder ops optional for data tags */
if (typeInfo->isData) {
return SECSuccess;
}
}
/* expected a function, but none existed */
return SECFailure;
}
SECStatus
NSS_CMSGenericWrapperData_Encode_BeforeData(SECOidTag type,
NSSCMSGenericWrapperData *gd)
{
const nsscmstypeInfo *typeInfo;
/* short cut common case */
if (type == SEC_OID_PKCS7_DATA) {
return SECSuccess;
}
typeInfo = nss_cmstype_lookup(type);
if (typeInfo) {
if (typeInfo->encode_before) {
return (*typeInfo->encode_before)(gd);
}
/* decoder ops optional for data tags */
if (typeInfo->isData) {
return SECSuccess;
}
}
/* expected a function, but none existed */
return SECFailure;
}
SECStatus
NSS_CMSGenericWrapperData_Encode_AfterData(SECOidTag type,
NSSCMSGenericWrapperData *gd)
{
const nsscmstypeInfo *typeInfo;
/* short cut common case */
if (type == SEC_OID_PKCS7_DATA) {
return SECSuccess;
}
typeInfo = nss_cmstype_lookup(type);
if (typeInfo) {
if (typeInfo->encode_after) {
return (*typeInfo->encode_after)(gd);
}
/* decoder ops optional for data tags */
if (typeInfo->isData) {
return SECSuccess;
}
}
/* expected a function, but none existed */
return SECFailure;
}
SECStatus
NSS_CMSType_RegisterContentType(SECOidTag type,
SEC_ASN1Template *asn1Template, size_t size,
NSSCMSGenericWrapperDataDestroy destroy,
NSSCMSGenericWrapperDataCallback decode_before,
NSSCMSGenericWrapperDataCallback decode_after,
NSSCMSGenericWrapperDataCallback decode_end,
NSSCMSGenericWrapperDataCallback encode_start,
NSSCMSGenericWrapperDataCallback encode_before,
NSSCMSGenericWrapperDataCallback encode_after,
PRBool isData)
{
PRStatus rc;
SECStatus rv;
nsscmstypeInfo *typeInfo;
const nsscmstypeInfo *exists;
rc = PR_CallOnce( &nsscmstypeOnce, nss_cmstype_init);
if (rc == PR_FAILURE) {
return SECFailure;
}
PR_Lock(nsscmstypeAddLock);
exists = nss_cmstype_lookup(type);
if (exists) {
PR_Unlock(nsscmstypeAddLock);
/* already added */
return SECSuccess;
}
typeInfo = PORT_ArenaNew(nsscmstypeArena, nsscmstypeInfo);
typeInfo->type = type;
typeInfo->size = size;
typeInfo->isData = isData;
typeInfo->template = asn1Template;
typeInfo->destroy = destroy;
typeInfo->decode_before = decode_before;
typeInfo->decode_after = decode_after;
typeInfo->decode_end = decode_end;
typeInfo->encode_start = encode_start;
typeInfo->encode_before = encode_before;
typeInfo->encode_after = encode_after;
rv = nss_cmstype_add(type, typeInfo);
PR_Unlock(nsscmstypeAddLock);
return rv;
}
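Review bot: Two allocation failures in this new file go undetected. In nss_cmstype_init the check after `nsscmstypeAddLock = PR_NewLock();` tests `nsscmstypeHashLock` again, so a failed add-lock allocation is not caught and NSS_CMSType_RegisterContentType would later call `PR_Lock` on a NULL lock; it should be `if (nsscmstypeAddLock == NULL)`. In NSS_CMSType_RegisterContentType the result of `PORT_ArenaNew` is written through without a NULL check; add `if (typeInfo == NULL) { PR_Unlock(nsscmstypeAddLock); return SECFailure; }` before the first field assignment. nss_cmstype_shutdown also destroys `nsscmstypeAddLock` without resetting the pointer to NULL, unlike the other globals it clears. The comments in the three `Encode_*` dispatchers say "decoder ops optional" and should say "encoder ops".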


@ -38,7 +38,7 @@
/*
* CMS miscellaneous utility functions.
*
* $Id: cmsutil.c,v 1.15 2008/03/10 00:01:27 wtc%google.com Exp $
* $Id: cmsutil.c,v 1.15.54.1 2011/01/28 23:08:27 rrelyea%redhat.com Exp $
*/
#include "cmslocal.h"
@ -243,8 +243,7 @@ NSS_CMSUtil_GetTemplateByTypeTag(SECOidTag type)
template = NSSCMSDigestedDataTemplate;
break;
default:
case SEC_OID_PKCS7_DATA:
template = NULL;
template = NSS_CMSType_GetTemplate(type);
break;
}
return template;
@ -269,8 +268,7 @@ NSS_CMSUtil_GetSizeByTypeTag(SECOidTag type)
size = sizeof(NSSCMSDigestedData);
break;
default:
case SEC_OID_PKCS7_DATA:
size = 0;
size = NSS_CMSType_GetContentSize(type);
break;
}
return size;
@ -300,6 +298,9 @@ NSS_CMSContent_GetContentInfo(void *msg, SECOidTag type)
break;
default:
cinfo = NULL;
if (NSS_CMSType_IsWrapper(type)) {
cinfo = &(c.genericData->contentInfo);
}
}
return cinfo;
}
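Review bot: The `default:` arms of NSS_CMSUtil_GetTemplateByTypeTag and NSS_CMSUtil_GetSizeByTypeTag no longer return NULL / 0 for tags that are neither built in nor registered: `NSS_CMSType_GetTemplate` falls back to the pointer-to-octet-string template and `NSS_CMSType_GetContentSize` to `sizeof(SECItem *)`. Callers outside these hunks that treated a NULL template or zero size as "unsupported content type" would now proceed as if the content were plain data, so it is worth confirming that each caller still rejects unknown tags. At minimum the fallback deserves a comment on the `default:` arm, e.g. `/* unregistered tags are treated as octet-string data */`.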


@ -69,6 +69,7 @@ CSRCS = \
cmsreclist.c \
cmssigdata.c \
cmssiginfo.c \
cmsudf.c \
cmsutil.c \
smimemessage.c \
smimeutil.c \


@ -273,3 +273,23 @@ SEC_PKCS12AddCertOrChainAndKey;
;+ local:
;+ *;
;+};
;+NSS_3.12.10 { # NSS 3.12.10 release
;+ global:
NSS_CMSType_RegisterContentType;
NSS_CMSContentInfo_SetDontStream;
NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs;
;+#
;+# Data objects
;+#
;+# Don't export these DATA symbols on Windows because they don't work right.
;+# Use the SEC_ASN1_GET / SEC_ASN1_SUB / SEC_ASN1_XTRN macros to access them.
;+#
;+# See nssutil for other examples.
;+#
;;NSSCMSGenericWrapperDataTemplate DATA ;
;;NSS_PointerToCMSGenericWrapperDataTemplate DATA ;
NSS_Get_NSSCMSGenericWrapperDataTemplate;
NSS_Get_NSS_PointerToCMSGenericWrapperDataTemplate;
;+ local:
;+ *;
;+};


@ -38,7 +38,7 @@
* Header file for routines specific to S/MIME. Keep things that are pure
* pkcs7 out of here; this is for S/MIME policy, S/MIME interoperability, etc.
*
* $Id: smime.h,v 1.8 2004/04/25 15:03:16 gerv%gerv.net Exp $
* $Id: smime.h,v 1.8.192.1 2011/02/11 03:57:50 emaldona%redhat.com Exp $
*/
#ifndef _SECMIME_H_
@ -83,7 +83,7 @@ extern SECStatus NSS_SMIMEUtil_EnableCipher(long which, int on);
* Initialize the local recording of the S/MIME policy.
* This function is called to allow/disallow a particular cipher.
*
* XXX This is for a the current module, I think, so local, static storage
* XXX This is for the current module, I think, so local, static storage
* XXX is okay. Is that correct, or could multiple uses of the same
* XXX library expect to operate under different policies?
*


@ -4315,7 +4315,7 @@ sftk_expandSearchList(SFTKSearchResults *search, int count)
static CK_RV
sftk_searchDatabase(SFTKDBHandle *handle, SFTKSearchResults *search,
const CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
const CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount)
{
CK_RV crv;
int objectListSize = search->array_size-search->size;
@ -4349,7 +4349,7 @@ sftk_searchDatabase(SFTKDBHandle *handle, SFTKSearchResults *search,
*/
CK_RV
sftk_emailhack(SFTKSlot *slot, SFTKDBHandle *handle,
SFTKSearchResults *search, CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
SFTKSearchResults *search, CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount)
{
PRBool isCert = PR_FALSE;
int emailIndex = -1;
@ -4438,22 +4438,47 @@ loser:
return crv;
}
static void
sftk_pruneSearch(CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount,
PRBool *searchCertDB, PRBool *searchKeyDB) {
CK_ULONG i;
*searchCertDB = PR_TRUE;
*searchKeyDB = PR_TRUE;
for (i = 0; i < ulCount; i++) {
if (pTemplate[i].type == CKA_CLASS && pTemplate[i].pValue != NULL) {
CK_OBJECT_CLASS class = *((CK_OBJECT_CLASS*)pTemplate[i].pValue);
if (class == CKO_PRIVATE_KEY || class == CKO_SECRET_KEY) {
*searchCertDB = PR_FALSE;
} else {
*searchKeyDB = PR_FALSE;
}
break;
}
}
}
static CK_RV
sftk_searchTokenList(SFTKSlot *slot, SFTKSearchResults *search,
CK_ATTRIBUTE *pTemplate, CK_LONG ulCount,
CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount,
PRBool *tokenOnly, PRBool isLoggedIn)
{
CK_RV crv;
CK_RV crv = CKR_OK;
CK_RV crv2;
SFTKDBHandle *certHandle = sftk_getCertDB(slot);
PRBool searchCertDB;
PRBool searchKeyDB;
sftk_pruneSearch(pTemplate, ulCount, &searchCertDB, &searchKeyDB);
crv = sftk_searchDatabase(certHandle, search, pTemplate, ulCount);
crv2 = sftk_emailhack(slot, certHandle, search, pTemplate, ulCount);
if (crv == CKR_OK) crv2 = crv;
sftk_freeDB(certHandle);
if (searchCertDB) {
SFTKDBHandle *certHandle = sftk_getCertDB(slot);
crv = sftk_searchDatabase(certHandle, search, pTemplate, ulCount);
crv2 = sftk_emailhack(slot, certHandle, search, pTemplate, ulCount);
if (crv == CKR_OK) crv = crv2;
sftk_freeDB(certHandle);
}
if (crv == CKR_OK && isLoggedIn) {
if (crv == CKR_OK && isLoggedIn && searchKeyDB) {
SFTKDBHandle *keyHandle = sftk_getKeyDB(slot);
crv = sftk_searchDatabase(keyHandle, search, pTemplate, ulCount);
sftk_freeDB(keyHandle);
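Review bot: In sftk_pruneSearch the CKA_CLASS value is read with `*((CK_OBJECT_CLASS*)pTemplate[i].pValue)` after checking only that pValue is non-NULL, so a template entry whose ulValueLen is smaller than sizeof(CK_OBJECT_CLASS) would be read past its buffer. The template comes from the caller of the search and no length validation is visible in this hunk, so I would extend the condition to `pTemplate[i].type == CKA_CLASS && pTemplate[i].pValue != NULL && pTemplate[i].ulValueLen == sizeof(CK_OBJECT_CLASS)`. If an earlier layer already rejects malformed templates, a comment saying so on the helper would be enough. sftk_searchTokenList continues past the end of the hunk.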


@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: rsawrapr.c,v 1.11 2006/10/23 21:24:38 wtchang%redhat.com Exp $ */
/* $Id: rsawrapr.c,v 1.11.70.1 2011/04/07 22:54:48 wtc%google.com Exp $ */
#include "blapi.h"
#include "softoken.h"
@ -193,7 +193,7 @@ rsa_FormatOneBlock(unsigned modulusLen, RSA_BlockType blockType,
unsigned char *block;
unsigned char *bp;
int padLen;
int i;
int i, j;
SECStatus rv;
block = (unsigned char *) PORT_Alloc(modulusLen);
@ -246,28 +246,53 @@ rsa_FormatOneBlock(unsigned modulusLen, RSA_BlockType blockType,
* 0x00 || BT || Pad || 0x00 || ActualData
* 1 1 padLen 1 data->len
* Pad is all non-zero random bytes.
*
* Build the block left to right.
* Fill the entire block from Pad to the end with random bytes.
* Use the bytes after Pad as a supply of extra random bytes from
* which to find replacements for the zero bytes in Pad.
* If we need more than that, refill the bytes after Pad with
* new random bytes as necessary.
*/
padLen = modulusLen - data->len - 3;
padLen = modulusLen - (data->len + 3);
PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
PORT_Free (block);
return NULL;
}
for (i = 0; i < padLen; i++) {
/* Pad with non-zero random data. */
do {
rv = RNG_GenerateGlobalRandomBytes(bp + i, 1);
} while (rv == SECSuccess && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
if (rv != SECSuccess) {
sftk_fatalError = PR_TRUE;
PORT_Free (block);
return NULL;
j = modulusLen - 2;
rv = RNG_GenerateGlobalRandomBytes(bp, j);
if (rv == SECSuccess) {
for (i = 0; i < padLen; ) {
unsigned char repl;
/* Pad with non-zero random data. */
if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
++i;
continue;
}
if (j <= padLen) {
rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
modulusLen - (2 + padLen));
if (rv != SECSuccess)
break;
j = modulusLen - 2;
}
do {
repl = bp[--j];
} while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
bp[i++] = repl;
}
}
}
if (rv != SECSuccess) {
sftk_fatalError = PR_TRUE;
PORT_Free (block);
return NULL;
}
bp += padLen;
*bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
PORT_Memcpy (bp, data->data, data->len);
break;
/*
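Review bot: `padLen = modulusLen - (data->len + 3);` is computed in unsigned arithmetic and then stored in an int, so the `padLen < RSA_BLOCK_MIN_PAD_LEN` test rejects oversized input only when the wrapped result happens to convert to a negative value. Comparing the lengths before subtracting is sturdier: `if (data->len > modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)) { PORT_Free(block); return NULL; }`, which assumes modulusLen is at least 3 + RSA_BLOCK_MIN_PAD_LEN (to be confirmed at the callers). rsa_FormatOneBlock starts and ends outside these hunks, so a caller-side length check may already exist. The new replacement loop would also read more easily with a comment on `j`, e.g. `/* j: one past the last unused spare random byte after Pad */`.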


@ -57,11 +57,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define SOFTOKEN_VERSION "3.12.9.0" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VERSION "3.12.10.0" SOFTOKEN_ECC_STRING " Beta"
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 12
#define SOFTOKEN_VPATCH 9
#define SOFTOKEN_VPATCH 10
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE
#define SOFTOKEN_BETA PR_TRUE
#endif /* _SOFTKVER_H_ */


@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: derive.c,v 1.12 2008/06/06 01:16:31 wtc%google.com Exp $ */
/* $Id: derive.c,v 1.12.40.1 2011/03/24 01:39:01 alexei.volkov.bugs%sun.com Exp $ */
#include "ssl.h" /* prereq to sslimpl.h */
#include "certt.h" /* prereq to sslimpl.h */
@ -604,6 +604,9 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
PRBool testrsa_export = PR_FALSE;
PRBool testecdh = PR_FALSE;
PRBool testecdhe = PR_FALSE;
#ifdef NSS_ENABLE_ECC
SECKEYECParams ecParams = { siBuffer, NULL, 0 };
#endif
if (!cert || !srvPrivkey || !ciphersuites || !pcanbypass) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@ -703,10 +706,15 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
/* now wrap it */
enc_pms.len = SECKEY_PublicKeyStrength(srvPubkey);
enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len);
if (enc_pms.data == NULL) {
PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
break;
}
irv = PK11_PubWrapSymKey(CKM_RSA_PKCS, srvPubkey, pms, &enc_pms);
if (irv != SECSuccess)
break;
PK11_FreeSymKey(pms);
pms = NULL;
/* now do the server side--check the triple bypass first */
rv = PK11_PrivDecryptPKCS1(srvPrivkey, rsaPmsBuf, &outLen,
sizeof rsaPmsBuf,
@ -727,6 +735,16 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
goto done;
break;
}
/* Check for NULL to avoid double free.
* SECItem_FreeItem sets data NULL in secitem.c#265
*/
if (enc_pms.data != NULL) {
SECITEM_FreeItem(&enc_pms, PR_FALSE);
}
if (pms) {
PK11_FreeSymKey(pms);
}
#ifdef NSS_ENABLE_ECC
for (; (privKeytype == ecKey && ( testecdh || testecdhe)) ||
(privKeytype == rsaKey && testecdhe); ) {
@ -735,8 +753,7 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
SECKEYPrivateKey *keapriv;
SECKEYPublicKey *cpub = NULL; /* client's ephemeral ECDH keys */
SECKEYPrivateKey *cpriv = NULL;
SECKEYECParams ecParams = { siBuffer, NULL, 0 },
*pecParams;
SECKEYECParams *pecParams = NULL;
if (privKeytype == ecKey && testecdhe) {
/* TLS_ECDHE_ECDSA */
@ -821,13 +838,16 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
if (testecdhe) {
SECKEY_DestroyPrivateKey(keapriv);
SECKEY_DestroyPublicKey(keapub);
if (privKeytype == rsaKey)
PORT_Free(ecParams.data);
}
if (rv == SECSuccess && *pcanbypass == PR_FALSE)
goto done;
break;
}
/* Check for NULL to avoid double free. */
if (ecParams.data != NULL) {
PORT_Free(ecParams.data);
ecParams.data = NULL;
}
#endif /* NSS_ENABLE_ECC */
if (pms)
PK11_FreeSymKey(pms);
@ -840,7 +860,18 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
if (pms)
PK11_FreeSymKey(pms);
SECITEM_FreeItem(&enc_pms, PR_FALSE);
/* Check for NULL to avoid double free.
* SECItem_FreeItem sets data NULL in secitem.c#265
*/
if (enc_pms.data != NULL) {
SECITEM_FreeItem(&enc_pms, PR_FALSE);
}
#ifdef NSS_ENABLE_ECC
if (ecParams.data != NULL) {
PORT_Free(ecParams.data);
ecParams.data = NULL;
}
#endif /* NSS_ENABLE_ECC */
if (srvPubkey) {
SECKEY_DestroyPublicKey(srvPubkey);
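Review bot: The cleanup added after the RSA block calls `PK11_FreeSymKey(pms)` without clearing the pointer, while the later `if (pms) PK11_FreeSymKey(pms);` tests near the end of the function still run on the same variable. When the RSA loop exits through one of its `break` paths with pms still set (the new out-of-memory branch, or a failed PK11_PubWrapSymKey), the key looks as though it is released twice unless code outside the hunks reassigns pms first. Adding `pms = NULL;` right after that call, as the commit already does inside the loop, closes the gap. The NULL tests around SECITEM_FreeItem are presumably redundant, given the comment's own statement that it resets data, but they are harmless. SSL_CanBypass starts and ends outside the visible hunks.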


@ -152,3 +152,9 @@ SSL_SNISocketConfigHook;
;+ local:
;+*;
;+};
;+NSS_3.12.10 { # NSS 3.12.10 release
;+ global:
SSL_ConfigSecureServerWithCertChain;
;+ local:
;+*;
;+};


@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: ssl.h,v 1.38.2.1 2010/07/31 04:33:52 wtc%google.com Exp $ */
/* $Id: ssl.h,v 1.38.2.4 2011/04/08 05:44:32 wtc%google.com Exp $ */
#ifndef __ssl_h_
#define __ssl_h_
@ -372,6 +372,15 @@ SSL_IMPORT SECStatus SSL_ConfigSecureServer(
PRFileDesc *fd, CERTCertificate *cert,
SECKEYPrivateKey *key, SSLKEAType kea);
/*
** Allows SSL socket configuration with caller-supplied certificate chain.
** If certChainOpt is NULL, tries to find one.
*/
SSL_IMPORT SECStatus
SSL_ConfigSecureServerWithCertChain(PRFileDesc *fd, CERTCertificate *cert,
const CERTCertificateList *certChainOpt,
SECKEYPrivateKey *key, SSLKEAType kea);
/*
** Configure a secure server's session-id cache. Define the maximum number
** of entries in the cache, the longevity of the entires, and the directory
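Review bot: The comment on SSL_ConfigSecureServerWithCertChain does not say who owns certChainOpt after the call, or whether the supplied chain is checked against cert. Since this is a new exported function, I would spell that out, for example `** The caller keeps ownership of certChainOpt.` if the implementation copies the list (its body is not in this hunk, so confirm first). If the contract is that the first entry must be cert's own certificate, the comment should say that too.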


@ -39,7 +39,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: ssl3con.c,v 1.142.2.4 2010/09/01 19:47:11 wtc%google.com Exp $ */
/* $Id: ssl3con.c,v 1.142.2.5 2011/01/25 01:49:22 wtc%google.com Exp $ */
#include "cert.h"
#include "ssl.h"
@ -4837,14 +4837,8 @@ ssl3_SendCertificateVerify(sslSocket *ss)
sid->u.ssl3.clAuthValid = PR_TRUE;
PK11_FreeSlot(slot);
}
/* If we're doing RSA key exchange, we're all done with the private key
* here. Diffie-Hellman key exchanges need the client's
* private key for the key exchange.
*/
if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
ss->ssl3.clientPrivateKey = NULL;
}
SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
ss->ssl3.clientPrivateKey = NULL;
if (rv != SECSuccess) {
goto done; /* err code was set by ssl3_SignHashes */
}
@ -4899,6 +4893,20 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
goto alert_loser;
}
/* clean up anything left from previous handshake. */
if (ss->ssl3.clientCertChain != NULL) {
CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
ss->ssl3.clientCertChain = NULL;
}
if (ss->ssl3.clientCertificate != NULL) {
CERT_DestroyCertificate(ss->ssl3.clientCertificate);
ss->ssl3.clientCertificate = NULL;
}
if (ss->ssl3.clientPrivateKey != NULL) {
SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
ss->ssl3.clientPrivateKey = NULL;
}
temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
if (temp < 0) {
goto loser; /* alert has been sent */
@ -5454,19 +5462,9 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
goto alert_loser;
}
/* clean up anything left from previous handshake. */
if (ss->ssl3.clientCertChain != NULL) {
CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
ss->ssl3.clientCertChain = NULL;
}
if (ss->ssl3.clientCertificate != NULL) {
CERT_DestroyCertificate(ss->ssl3.clientCertificate);
ss->ssl3.clientCertificate = NULL;
}
if (ss->ssl3.clientPrivateKey != NULL) {
SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
ss->ssl3.clientPrivateKey = NULL;
}
PORT_Assert(ss->ssl3.clientCertChain == NULL);
PORT_Assert(ss->ssl3.clientCertificate == NULL);
PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
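Review bot: ssl3_HandleCertificateRequest now relies on three `PORT_Assert` lines where it used to release clientCertChain, clientCertificate and clientPrivateKey, and PORT_Assert is compiled out of optimized builds. If any path reaches this handler with one of those fields still set, the old object would be overwritten and leaked, key material included. The new cleanup lives in ssl3_HandleServerHello, and the state checks above this hunk are not visible, so that cannot be ruled out from here. Keeping the destroy-and-NULL sequence after the asserts costs little; otherwise add a comment naming the invariant, e.g. `/* cleared in ssl3_HandleServerHello; a second CertificateRequest is rejected above */`, once that is confirmed. All three functions touched here continue outside their hunks.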


@ -41,7 +41,7 @@
* ***** END LICENSE BLOCK ***** */
/* TLS extension code moved here from ssl3ecc.c */
/* $Id: ssl3ext.c,v 1.14 2010/04/03 19:19:07 nelson%bolyard.com Exp $ */
/* $Id: ssl3ext.c,v 1.14.2.2 2011/03/24 16:30:57 alexei.volkov.bugs%sun.com Exp $ */
#include "nssrenam.h"
#include "nss.h"
@ -56,7 +56,7 @@ static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN];
static PK11SymKey *session_ticket_enc_key_pkcs11 = NULL;
static PK11SymKey *session_ticket_mac_key_pkcs11 = NULL;
static unsigned char session_ticket_enc_key[32];
static unsigned char session_ticket_enc_key[AES_256_KEY_LENGTH];
static unsigned char session_ticket_mac_key[SHA256_LENGTH];
static PRBool session_ticket_keys_initialized = PR_FALSE;
@ -1266,14 +1266,17 @@ no_ticket:
SSL_GETPID(), ss->fd));
ssl3stats = SSL_GetStatistics();
SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures );
if (sid) {
ssl_FreeSID(sid);
sid = NULL;
}
}
rv = SECSuccess;
loser:
/* ss->sec.ci.sid == sid if it did NOT come here via goto statement
* in that case do not free sid
*/
if (sid && (ss->sec.ci.sid != sid)) {
ssl_FreeSID(sid);
sid = NULL;
}
if (decrypted_state != NULL) {
SECITEM_FreeItem(decrypted_state, PR_TRUE);
decrypted_state = NULL;
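Review bot: The new `if (sid && (ss->sec.ci.sid != sid))` at `loser:` decides ownership by comparing pointers, and the comment above it is hard to parse. Clearing the local at the point where the session ID is handed to ss->sec.ci.sid (outside this hunk) would let the cleanup be a plain `if (sid)`. Failing that, reword the comment along the lines of `/* sid is owned by ss->sec.ci.sid once it has been installed there; free it only if that did not happen. */`. The enclosing function starts before the hunk.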


@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: sslcon.c,v 1.40 2010/04/25 23:37:38 nelson%bolyard.com Exp $ */
/* $Id: sslcon.c,v 1.40.2.1 2011/03/30 17:38:42 wtc%google.com Exp $ */
#include "nssrenam.h"
#include "cert.h"
@ -3125,11 +3125,11 @@ ssl2_BeginClientHandshake(sslSocket *ss)
/* ssl3_SendClientHello will override this if it succeeds. */
ss->version = SSL_LIBRARY_VERSION_3_0;
ssl_GetXmitBufLock(ss); /***************************************/
ssl_GetSSL3HandshakeLock(ss);
ssl_GetXmitBufLock(ss);
rv = ssl3_SendClientHello(ss);
ssl_ReleaseXmitBufLock(ss);
ssl_ReleaseSSL3HandshakeLock(ss);
ssl_ReleaseXmitBufLock(ss); /***************************************/
return rv;
}
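Review bot: The lock calls around ssl3_SendClientHello are reordered here, and the starred marker comments, the only hint of the old intent, appear to go away with no replacement. As the lines read, the handshake lock is now taken before the transmit-buffer lock and released after it. A short comment such as `/* Lock order: SSL3HandshakeLock, then XmitBufLock. */` would keep the order from drifting again. ssl2_BeginClientHandshake starts outside the hunk.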


@ -39,7 +39,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: sslimpl.h,v 1.77.2.1 2010/07/31 04:33:52 wtc%google.com Exp $ */
/* $Id: sslimpl.h,v 1.77.2.2 2011/03/16 18:55:38 alexei.volkov.bugs%sun.com Exp $ */
#ifndef __sslimpl_h_
#define __sslimpl_h_
@ -1515,7 +1515,7 @@ extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append,
* fails to do so. If cert and keyPair are NULL - unconfigures
* sslSocket of kea type.*/
extern SECStatus ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert,
CERTCertificateList *certChain,
const CERTCertificateList *certChain,
ssl3KeyPair *keyPair, SSLKEAType kea);
/* Return key type for the cert */
extern SSLKEAType ssl_FindCertKEAType(CERTCertificate * cert);


@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: sslnonce.c,v 1.25 2008/03/10 00:01:28 wtc%google.com Exp $ */
/* $Id: sslnonce.c,v 1.25.54.1 2011/03/24 16:30:57 alexei.volkov.bugs%sun.com Exp $ */
#include "cert.h"
#include "pk11pub.h"
@ -222,6 +222,9 @@ ssl_DestroySID(sslSessionID *sid)
if (sid->u.ssl3.sessionTicket.ticket.data) {
SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
}
if (sid->u.ssl3.srvName.data) {
SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
}
PORT_ZFree(sid, sizeof(sslSessionID));
}


@ -37,7 +37,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: sslsecur.c,v 1.43.2.2 2010/08/26 18:06:55 wtc%google.com Exp $ */
/* $Id: sslsecur.c,v 1.43.2.4 2011/04/08 05:25:21 wtc%google.com Exp $ */
#include "cert.h"
#include "secitem.h"
#include "keyhi.h"
@ -674,7 +674,7 @@ static PRStatus serverCAListSetup(void *arg)
SECStatus
ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert,
CERTCertificateList *certChain,
const CERTCertificateList *certChain,
ssl3KeyPair *keyPair, SSLKEAType kea)
{
CERTCertificateList *localCertChain = NULL;
@ -752,6 +752,15 @@ SECStatus
SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,
SECKEYPrivateKey *key, SSL3KEAType kea)
{
return SSL_ConfigSecureServerWithCertChain(fd, cert, NULL, key, kea);
}
SECStatus
SSL_ConfigSecureServerWithCertChain(PRFileDesc *fd, CERTCertificate *cert,
const CERTCertificateList *certChainOpt,
SECKEYPrivateKey *key, SSL3KEAType kea)
{
sslSocket *ss;
SECKEYPublicKey *pubKey = NULL;
ssl3KeyPair *keyPair = NULL;
@ -822,7 +831,7 @@ SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,
}
pubKey = NULL; /* adopted by serverKeyPair */
}
if (ssl_ConfigSecureServer(ss, cert, NULL,
if (ssl_ConfigSecureServer(ss, cert, certChainOpt,
keyPair, kea) == SECFailure) {
goto loser;
}
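Review bot: The new definition of SSL_ConfigSecureServerWithCertChain takes `SSL3KEAType kea`, while the declaration added to ssl.h in this commit uses `SSLKEAType kea`. The existing SSL_ConfigSecureServer has the same mismatch, so the two names are presumably aliases, but the new function could match its header: `SECKEYPrivateKey *key, SSLKEAType kea)`. The function also has no comment of its own; one line noting that certChainOpt may be NULL, in which case a chain is looked up, would mirror the header. The body continues past the hunk.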


@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: sslsnce.c,v 1.54 2010/07/05 19:31:56 alexei.volkov.bugs%sun.com Exp $ */
/* $Id: sslsnce.c,v 1.54.2.1 2011/03/16 18:49:45 alexei.volkov.bugs%sun.com Exp $ */
/* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server
* cache sids!
@ -1863,17 +1863,25 @@ WrapTicketKey(SECKEYPublicKey *svrPubKey, PK11SymKey *symKey,
}
static PRBool
GenerateAndWrapTicketKeys(SECKEYPublicKey *svrPubKey, void *pwArg,
unsigned char *keyName, PK11SymKey **aesKey,
PK11SymKey **macKey)
GenerateTicketKeys(void *pwArg, unsigned char *keyName, PK11SymKey **aesKey,
PK11SymKey **macKey)
{
PK11SlotInfo *slot;
CK_MECHANISM_TYPE mechanismArray[2];
PK11SymKey *aesKeyTmp = NULL;
PK11SymKey *macKeyTmp = NULL;
cacheDesc *cache = &globalCache;
uint8 ticketKeyNameSuffixLocal[SESS_TICKET_KEY_VAR_NAME_LEN];
uint8 *ticketKeyNameSuffix;
if (PK11_GenerateRandom(cache->ticketKeyNameSuffix,
if (!cache->cacheMem) {
/* cache is not initalized. Use stack buffer */
ticketKeyNameSuffix = ticketKeyNameSuffixLocal;
} else {
ticketKeyNameSuffix = cache->ticketKeyNameSuffix;
}
if (PK11_GenerateRandom(ticketKeyNameSuffix,
SESS_TICKET_KEY_VAR_NAME_LEN) != SECSuccess) {
SSL_DBG(("%d: SSL[%s]: Unable to generate random key name bytes.",
SSL_GETPID(), "unknown"));
@ -1885,9 +1893,10 @@ GenerateAndWrapTicketKeys(SECKEYPublicKey *svrPubKey, void *pwArg,
slot = PK11_GetBestSlotMultiple(mechanismArray, 2, pwArg);
if (slot) {
aesKeyTmp = PK11_KeyGen(slot, mechanismArray[0], NULL, 32, pwArg);
macKeyTmp = PK11_KeyGen(slot, mechanismArray[1], NULL, SHA256_LENGTH,
pwArg);
aesKeyTmp = PK11_KeyGen(slot, mechanismArray[0], NULL,
AES_256_KEY_LENGTH, pwArg);
macKeyTmp = PK11_KeyGen(slot, mechanismArray[1], NULL,
SHA256_LENGTH, pwArg);
PK11_FreeSlot(slot);
}
@ -1896,15 +1905,39 @@ GenerateAndWrapTicketKeys(SECKEYPublicKey *svrPubKey, void *pwArg,
SSL_GETPID(), "unknown"));
goto loser;
}
PORT_Memcpy(keyName, ticketKeyNameSuffix, SESS_TICKET_KEY_VAR_NAME_LEN);
*aesKey = aesKeyTmp;
*macKey = macKeyTmp;
return PR_TRUE;
/* Export the keys to the shared cache in wrapped form. */
if (!WrapTicketKey(svrPubKey, aesKeyTmp, "enc key", cache->ticketEncKey))
goto loser;
if (!WrapTicketKey(svrPubKey, macKeyTmp, "mac key", cache->ticketMacKey))
goto loser;
loser:
if (aesKeyTmp)
PK11_FreeSymKey(aesKeyTmp);
if (macKeyTmp)
PK11_FreeSymKey(macKeyTmp);
return PR_FALSE;
}
PORT_Memcpy(keyName, cache->ticketKeyNameSuffix,
SESS_TICKET_KEY_VAR_NAME_LEN);
static PRBool
GenerateAndWrapTicketKeys(SECKEYPublicKey *svrPubKey, void *pwArg,
unsigned char *keyName, PK11SymKey **aesKey,
PK11SymKey **macKey)
{
PK11SymKey *aesKeyTmp = NULL;
PK11SymKey *macKeyTmp = NULL;
cacheDesc *cache = &globalCache;
if (!GenerateTicketKeys(pwArg, keyName, &aesKeyTmp, &macKeyTmp)) {
goto loser;
}
if (cache->cacheMem) {
/* Export the keys to the shared cache in wrapped form. */
if (!WrapTicketKey(svrPubKey, aesKeyTmp, "enc key", cache->ticketEncKey))
goto loser;
if (!WrapTicketKey(svrPubKey, macKeyTmp, "mac key", cache->ticketMacKey))
goto loser;
}
*aesKey = aesKeyTmp;
*macKey = macKeyTmp;
return PR_TRUE;
@ -1971,6 +2004,12 @@ ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey,
PRBool keysGenerated = PR_FALSE;
cacheDesc *cache = &globalCache;
if (!cache->cacheMem) {
/* cache is uninitialized. Generate keys and return them
* without caching. */
return GenerateTicketKeys(pwArg, keyName, aesKey, macKey);
}
now = LockSidCacheLock(cache->keyCacheLock, now);
if (!now)
return rv;
@ -2000,33 +2039,58 @@ ssl_GetSessionTicketKeys(unsigned char *keyName, unsigned char *encKey,
PRBool rv = PR_FALSE;
PRUint32 now = 0;
cacheDesc *cache = &globalCache;
uint8 ticketMacKey[AES_256_KEY_LENGTH], ticketEncKey[SHA256_LENGTH];
uint8 ticketKeyNameSuffixLocal[SESS_TICKET_KEY_VAR_NAME_LEN];
uint8 *ticketMacKeyPtr, *ticketEncKeyPtr, *ticketKeyNameSuffix;
PRBool cacheIsEnabled = PR_TRUE;
/* Grab lock. */
now = LockSidCacheLock(cache->keyCacheLock, now);
if (!now)
return rv;
if (!cache->cacheMem) { /* cache is uninitialized */
cacheIsEnabled = PR_FALSE;
ticketKeyNameSuffix = ticketKeyNameSuffixLocal;
ticketEncKeyPtr = ticketEncKey;
ticketMacKeyPtr = ticketMacKey;
} else {
/* these values have constant memory locations in the cache.
* Ok to reference them without holding the lock. */
ticketKeyNameSuffix = cache->ticketKeyNameSuffix;
ticketEncKeyPtr = cache->ticketEncKey->bytes;
ticketMacKeyPtr = cache->ticketMacKey->bytes;
}
if (!*(cache->ticketKeysValid)) {
if (PK11_GenerateRandom(cache->ticketKeyNameSuffix,
if (cacheIsEnabled) {
/* Grab lock if initialized. */
now = LockSidCacheLock(cache->keyCacheLock, now);
if (!now)
return rv;
}
/* Going to regenerate keys on every call if cache was not
* initialized. */
if (!cacheIsEnabled || !*(cache->ticketKeysValid)) {
if (PK11_GenerateRandom(ticketKeyNameSuffix,
SESS_TICKET_KEY_VAR_NAME_LEN) != SECSuccess)
goto loser;
if (PK11_GenerateRandom(cache->ticketEncKey->bytes, 32) != SECSuccess)
if (PK11_GenerateRandom(ticketEncKeyPtr,
AES_256_KEY_LENGTH) != SECSuccess)
goto loser;
if (PK11_GenerateRandom(cache->ticketMacKey->bytes,
SHA256_LENGTH) != SECSuccess)
if (PK11_GenerateRandom(ticketMacKeyPtr,
SHA256_LENGTH) != SECSuccess)
goto loser;
*(cache->ticketKeysValid) = 1;
if (cacheIsEnabled) {
*(cache->ticketKeysValid) = 1;
}
}
rv = PR_TRUE;
loser:
UnlockSidCacheLock(cache->keyCacheLock);
if (cacheIsEnabled) {
UnlockSidCacheLock(cache->keyCacheLock);
}
if (rv) {
PORT_Memcpy(keyName, cache->ticketKeyNameSuffix,
SESS_TICKET_KEY_VAR_NAME_LEN);
PORT_Memcpy(encKey, cache->ticketEncKey->bytes, 32);
PORT_Memcpy(macKey, cache->ticketMacKey->bytes, SHA256_LENGTH);
PORT_Memcpy(keyName, ticketKeyNameSuffix,
SESS_TICKET_KEY_VAR_NAME_LEN);
PORT_Memcpy(encKey, ticketEncKeyPtr, AES_256_KEY_LENGTH);
PORT_Memcpy(macKey, ticketMacKeyPtr, SHA256_LENGTH);
}
return rv;
}
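Review bot: In ssl_GetSessionTicketKeys the new stack buffers are declared as `uint8 ticketMacKey[AES_256_KEY_LENGTH], ticketEncKey[SHA256_LENGTH];`, with the two size constants swapped relative to the names and to the PORT_Memcpy lengths used at the end. This only works if the two constants are equal (the lines replaced here used 32 for the AES key), so I would write `uint8 ticketEncKey[AES_256_KEY_LENGTH], ticketMacKey[SHA256_LENGTH];`. On the uncached path those locals hold the ticket keys when the function returns; clearing them before `return rv;`, e.g. `PORT_Memset(ticketEncKey, 0, sizeof ticketEncKey);` and the same for ticketMacKey, avoids leaving key bytes on the stack. The "regenerate keys on every call" comment should also say what that means for tickets issued earlier, which cannot be judged from this hunk.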


@ -40,7 +40,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: sslsock.c,v 1.67.2.1 2010/07/31 04:33:52 wtc%google.com Exp $ */
/* $Id: sslsock.c,v 1.67.2.2 2011/03/16 19:04:02 alexei.volkov.bugs%sun.com Exp $ */
#include "seccomon.h"
#include "cert.h"
#include "keyhi.h"
@ -1271,8 +1271,8 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
{
sslSocket * sm = NULL, *ss = NULL;
int i;
sslServerCerts * mc = sm->serverCerts;
sslServerCerts * sc = ss->serverCerts;
sslServerCerts * mc = NULL;
sslServerCerts * sc = NULL;
if (model == NULL) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
@ -1301,7 +1301,9 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
/* This int should be SSLKEAType, but CC on Irix complains,
* during the for loop.
*/
for (i=kt_null; i < kt_kea_size; i++, mc++, sc++) {
for (i=kt_null; i < kt_kea_size; i++) {
mc = &(sm->serverCerts[i]);
sc = &(ss->serverCerts[i]);
if (mc->serverCert && mc->serverCertChain) {
if (sc->serverCert) {
CERT_DestroyCertificate(sc->serverCert);


@ -221,16 +221,16 @@ getFIPSMode(void)
* 2 for the key slot, and
* 3 for the crypto operations slot fips
*/
#define ORDER_FLAGS "trustOrder=75 cipherOrder=100"
#define CIPHER_ORDER_FLAGS "cipherOrder=100"
#define SLOT_FLAGS \
"[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \
" askpw=any timeout=30 ]"
static const char *nssDefaultFlags =
ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " } ";
CIPHER_ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " } ";
static const char *nssDefaultFIPSFlags =
ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " } ";
CIPHER_ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " } ";
/*
* This function builds the list of databases and modules to load, and sets
@ -270,7 +270,7 @@ get_list(char *filename, char *stripped_parameters)
"library= "
"module=\"NSS User database\" "
"parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" "
"NSS=\"%sflags=internal%s\"",
"NSS=\"trustOrder=75 %sflags=internal%s\"",
userdb, stripped_parameters, nssflags,
isFIPS ? ",FIPS" : "");
@ -284,30 +284,6 @@ get_list(char *filename, char *stripped_parameters)
userdb, stripped_parameters);
}
#if 0
/* This doesn't actually work. If we register
both this and the sysdb (in either order)
then only one of them actually shows up */
/* Using a NULL filename as a Boolean flag to
* prevent registering both an application-defined
* db and the system db. rhbz #546211.
*/
PORT_Assert(filename);
if (sysdb && PL_CompareStrings(filename, sysdb))
filename = NULL;
else if (userdb && PL_CompareStrings(filename, userdb))
filename = NULL;
if (filename && !userIsRoot()) {
module_list[next++] = PR_smprintf(
"library= "
"module=\"NSS database\" "
"parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
"NSS=\"%sflags=internal\"",filename, filename, nssflags);
}
#endif
/* now the system database (always read only unless it's root) */
if (sysdb) {
const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
@ -315,7 +291,7 @@ get_list(char *filename, char *stripped_parameters)
"library= "
"module=\"NSS system database\" "
"parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
"NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
"NSS=\"trustOrder=80 %sflags=internal,critical\"",sysdb, readonly, nssflags);
}
/* that was the last module */
@ -372,9 +348,9 @@ overlapstrcpy(char *target, char *src)
/* determine what options the user was trying to open this database with */
/* filename is the directory pointed to by configdir= */
/* stripped is the rest of the paramters with configdir= stripped out */
/* stripped is the rest of the parameters with configdir= stripped out */
static SECStatus
parse_paramters(char *parameters, char **filename, char **stripped)
parse_parameters(char *parameters, char **filename, char **stripped)
{
char *sourcePrev;
char *sourceCurr;
@ -423,7 +399,7 @@ NSS_ReturnModuleSpecData(unsigned long function, char *parameters, void *args)
char **retString = NULL;
SECStatus rv;
rv = parse_paramters(parameters, &filename, &stripped);
rv = parse_parameters(parameters, &filename, &stripped);
if (rv != SECSuccess) {
/* use defaults */
filename = getSystemDB();
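Review bot: trustOrder is now written as the literals 75 and 80 inside two separate format strings in get_list, with nothing saying why the user and system databases get different values or which one takes precedence. A comment beside the `CIPHER_ORDER_FLAGS` definition, or two named macros next to it, would record the intent. The format strings also depend on nssflags ending in a space before `flags=`, which the visible default strings do, but this is worth stating. get_list and NSS_ReturnModuleSpecData continue outside their hunks.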


@ -1,4 +1,3 @@
/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 4 -*- */
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
@ -563,14 +562,9 @@ PL_Base64DecodeBuffer (const char *src, PRUint32 srclen, unsigned char *dest,
PLBase64Decoder *data = NULL;
PRStatus status;
if (srclen == 0) {
*output_destlen = 0;
if (dest == NULL) {
/* PR_Malloc(0) is undefined */
return (unsigned char *) PR_Malloc(1);
}
PR_ASSERT(srclen > 0);
if (srclen == 0)
return dest;
}
/*
* How much space could we possibly need for decoding this input?
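Review bot: With the zero-length branch reduced to `PR_ASSERT(srclen > 0); if (srclen == 0) return dest;`, an empty input in a build without assertions returns without writing `*output_destlen`, and returns NULL when dest is NULL. A caller that reads the length afterwards gets whatever was already in its variable, and the NULL cannot be told apart from a failure. I would keep `*output_destlen = 0;` before the return and document that empty input is a caller error. PL_Base64DecodeBuffer continues below the hunk, and which lines are old or new is inferred from the hunk's 14-to-9 line counts.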


@ -51,11 +51,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.12.9.0"
#define NSSUTIL_VERSION "3.12.10.0 Beta"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 12
#define NSSUTIL_VPATCH 9
#define NSSUTIL_VPATCH 10
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE
#define NSSUTIL_BETA PR_TRUE
#endif /* __nssutil_h_ */


@ -38,7 +38,7 @@
* Support for ENcoding ASN.1 data based on BER/DER (Basic/Distinguished
* Encoding Rules).
*
* $Id: secasn1e.c,v 1.21 2006/04/07 11:41:18 kaie%kuix.de Exp $
* $Id: secasn1e.c,v 1.21.66.1 2011/01/13 00:26:57 wtc%google.com Exp $
*/
#include "secasn1.h"
@ -1587,7 +1587,7 @@ SEC_ASN1EncodeItem (PRArenaPool *poolp, SECItem *dest, const void *src,
static SECItem *
sec_asn1e_integer(PRArenaPool *poolp, SECItem *dest, unsigned long value,
PRBool make_unsigned)
PRBool is_unsigned)
{
unsigned long copy;
unsigned char sign;
@ -1604,11 +1604,11 @@ sec_asn1e_integer(PRArenaPool *poolp, SECItem *dest, unsigned long value,
} while (copy);
/*
* If this is an unsigned encoding, and the high bit of the last
* If 'value' is non-negative, and the high bit of the last
* byte we counted was set, we need to add one to the length so
* we put a high-order zero byte in the encoding.
*/
if (sign && make_unsigned)
if (sign && (is_unsigned || (long)value >= 0))
len++;
/*


@ -1,16 +1,18 @@
This script is used to generate certificates used by ocspd.
Some steps to run (only once - before all OCSP testing):
1. Edit security/nss/tests/chains/scenarios/scenarios to have there only ocspd.cfg
2. Set environment variable to run only chains tests: export NSS_TESTS=all.sh
3. Run tests: ./all.sh
4. Go to results directory: cd tests_results/security/${HOST}.${ID}/chains
5. Copy ocspd-certs.sh and ocspd.conf.template to this directory
6. Run: ./ocspd-certs.sh OCSPD ${OCSPD_ETC_DIR} ${LIBPKIX_CERTS_DIR}:
Example: ./ocspd-certs.sh OCSPD /export/iopr/openca-ocsp-responder/etc/ocspdPKIX \
1. Edit security/nss/tests/chains/scenarios/scenarios to have there only ocspd.cfg
2. Set environment variable to run only chains tests: export NSS_TESTS=chains.sh
3. Set environment variable to have the correct URI in the certificates: export NSS_AIA_OCSP=http://dochinups.us.oracle.com
4. Run tests: ./all.sh
5. Go to results directory: cd tests_results/security/${HOST}.${ID}/chains
6. Copy ocspd-certs.sh and ocspd.conf.template to this directory
7. Run: ./ocspd-certs.sh OCSPD ${OCSPD_ETC_DIR} ${LIBPKIX_CERTS_DIR}:
Example: ./ocspd-certs.sh OCSPD /export/iopr/openca-ocsp-responder/etc/ocspdPKIX \
~/nss/securitytip/mozilla/security/nss/tests/libpkix/certs
7. Copy config files and keys/certs/crls to ocspd etc directory:
cp *.conf /Volumes/dochinups.red.iplanet.com/openca-ocsp-responder/etc/ocspdPKIX
cp *.pem *.key /Volumes/dochinups.red.iplanet.com/openca-ocsp-responder/etc/ocspdPKIX/OCSPD
8. Start ocsp deamons on dochinups (for all configs).
8. Commit the new certificates that have been generated under ~/nss/securitytip/mozilla/security/nss/tests/libpkix/certs
9. Copy config files and keys/certs/crls to ocspd etc directory:
cp *.conf /Volumes/dochinups.red.iplanet.com/openca-ocsp-responder/etc/ocspdPKIX
cp *.pem *.key /Volumes/dochinups.red.iplanet.com/openca-ocsp-responder/etc/ocspdPKIX/OCSPD
10. Start ocsp deamons on dochinups (for all configs).
