Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-12 04:45:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1215779 - Remove broken (non-EC) DSA keygen code. r=keeler

Browse Source
This commit is contained in:
Cykesiopka 2015-10-19 22:54:00 +02:00
parent ca59daf031
commit f21d36e95a
2 changed files with 5 additions and 111 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
config/external/nss/nss.def vendored
View File

@ -403,9 +403,6 @@ PK11_NeedLogin
PK11_NeedUserInit
PK11_ParamFromIV
PK11_PBEKeyGen
PK11_PQG_DestroyParams
PK11_PQG_DestroyVerify
PK11_PQG_ParamGen
PK11_PrivDecrypt
PK11_PrivDecryptPKCS1
PK11_ProtectedAuthenticationPath
@ -685,4 +682,3 @@ VFY_VerifyData
VFY_VerifyDataWithAlgorithmID
VFY_VerifyDigestDirect
_SGN_VerifyPKCS1DigestInfo
PK11_PQG_ParamGenV2

112
security/manager/ssl/nsKeygenHandler.cpp
View File

@ -12,7 +12,6 @@
#include "cryptohi.h"
#include "base64.h"
#include "secasn1.h"
#include "pk11pqg.h"
#include "nsKeygenHandler.h"
#include "nsKeygenHandlerContent.h"
#include "nsIServiceManager.h"
@ -32,7 +31,6 @@
//These defines are taken from the PKCS#11 spec
#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000
#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020
#define CKM_DSA_KEY_PAIR_GEN 0x00000010
DERTemplate SECAlgorithmIDTemplate[] = {
{ DER_SEQUENCE,
@ -63,72 +61,6 @@ DERTemplate CERTPublicKeyAndChallengeTemplate[] =
{ 0, }
};
const SEC_ASN1Template SECKEY_PQGParamsTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, nullptr, sizeof(PQGParams) },
{ SEC_ASN1_INTEGER, offsetof(PQGParams,prime) },
{ SEC_ASN1_INTEGER, offsetof(PQGParams,subPrime) },
{ SEC_ASN1_INTEGER, offsetof(PQGParams,base) },
{ 0, }
};
static PQGParams *
decode_pqg_params(char *aStr)
{
unsigned char *buf = nullptr;
unsigned int len;
PLArenaPool *arena = nullptr;
PQGParams *params = nullptr;
SECStatus status;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena)
return nullptr;
params = static_cast<PQGParams*>(PORT_ArenaZAlloc(arena, sizeof(PQGParams)));
if (!params)
goto loser;
params->arena = arena;
buf = ATOB_AsciiToData(aStr, &len);
if ((!buf) || (len == 0))
goto loser;
status = SEC_ASN1Decode(arena, params, SECKEY_PQGParamsTemplate, (const char*)buf, len);
if (status != SECSuccess)
goto loser;
return params;
loser:
if (arena) {
PORT_FreeArena(arena, false);
}
if (buf) {
PR_Free(buf);
}
return nullptr;
}
static int
pqg_prime_bits(char *str)
{
PQGParams *params = nullptr;
int primeBits = 0, i;
params = decode_pqg_params(str);
if (!params)
goto done; /* lose */
for (i = 0; params->prime.data[i] == 0; i++)
/* empty */;
primeBits = (params->prime.len - i) * 8;
done:
if (params)
PK11_PQG_DestroyParams(params);
return primeBits;
}
typedef struct curveNameTagPairStr {
const char *curveName;
SECOidTag curveOidTag;
@ -325,15 +257,12 @@ uint32_t MapGenMechToAlgoMech(uint32_t mechanism)
/* We are interested in slots based on the ability to perform
a given algorithm, not on their ability to generate keys usable
by that algorithm. Therefore, map keygen-specific mechanism tags
to tags for the corresponding crypto algorthm. */
to tags for the corresponding crypto algorithm. */
switch(mechanism)
{
case CKM_RSA_PKCS_KEY_PAIR_GEN:
searchMech = CKM_RSA_PKCS;
break;
case CKM_DSA_KEY_PAIR_GEN:
searchMech = CKM_DSA;
break;
case CKM_RC4_KEY_GEN:
searchMech = CKM_RC4;
break;
@ -509,8 +438,8 @@ GatherKeygenTelemetry(uint32_t keyGenMechanism, int keysize, char* curve)
mozilla::Telemetry::KEYGEN_GENERATED_KEY_TYPE, NS_LITERAL_CSTRING("other_ec"));
}
}
} else if (keyGenMechanism == CKM_DSA_KEY_PAIR_GEN) {
MOZ_CRASH("DSA key generation is currently unimplemented");
} else {
MOZ_CRASH("Unknown keygen algorithm");
return;
}
}
@ -525,9 +454,8 @@ nsKeygenFormProcessor::GetPublicKey(const nsAString& aValue,
nsNSSShutDownPreventionLock locker;
nsresult rv = NS_ERROR_FAILURE;
char *keystring = nullptr;
char *keyparamsString = nullptr, *str = nullptr;
char *keyparamsString = nullptr;
uint32_t keyGenMechanism;
int32_t primeBits;
PK11SlotInfo *slot = nullptr;
PK11RSAGenParams rsaParams;
SECOidTag algTag;
@ -546,7 +474,7 @@ nsKeygenFormProcessor::GetPublicKey(const nsAString& aValue,
nsIGeneratingKeypairInfoDialogs * dialogs;
nsKeygenThread *KeygenRunnable = 0;
nsCOMPtr<nsIKeygenThread> runnable;
// permanent and sensitive flags for keygen
PK11AttrFlags attrFlags = PK11_ATTR_TOKEN | PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE;
@ -569,33 +497,6 @@ nsKeygenFormProcessor::GetPublicKey(const nsAString& aValue,
// Set the keygen mechanism
if (aKeyType.IsEmpty() || aKeyType.LowerCaseEqualsLiteral("rsa")) {
keyGenMechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
} else if (aKeyType.LowerCaseEqualsLiteral("dsa")) {
char * end;
keyparamsString = ToNewCString(aKeyParams);
if (!keyparamsString) {
rv = NS_ERROR_OUT_OF_MEMORY;
goto loser;
}
keyGenMechanism = CKM_DSA_KEY_PAIR_GEN;
if (strcmp(keyparamsString, "null") == 0)
goto loser;
str = keyparamsString;
bool found_match = false;
do {
end = strchr(str, ',');
if (end)
*end = '\0';
primeBits = pqg_prime_bits(str);
if (keysize == primeBits) {
found_match = true;
break;
}
str = end + 1;
} while (end);
if (!found_match) {
goto loser;
}
} else if (aKeyType.LowerCaseEqualsLiteral("ec")) {
keyparamsString = ToNewCString(aKeyParams);
if (!keyparamsString) {
@ -621,9 +522,6 @@ nsKeygenFormProcessor::GetPublicKey(const nsAString& aValue,
algTag = DEFAULT_RSA_KEYGEN_ALG;
params = &rsaParams;
break;
case CKM_DSA_KEY_PAIR_GEN:
// XXX Fix this! XXX //
goto loser;
case CKM_EC_KEY_PAIR_GEN:
/* XXX We ought to rethink how the KEYGEN tag is
* displayed. The pulldown selections presented