mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-09 19:35:51 +00:00
696043affe
2019-11-13 J.C. Jones <jjones@mozilla.com> * lib/softoken/pkcs11c.c: Bug 1591363 - Fixup double-free of params in nsc_SetupPBEKeyGen r=keeler Caused in commit 7ef8d2604494. [87f35ba4c82f] [tip] 2019-11-07 Makoto Kato <m_kato@ga2.so-net.ne.jp> * lib/freebl/ctr.c: Bug 1592869 - Use NEON for ctr_xor. r=kjacobs Using NEON for ctr_xor, aes_ctr can improve 30%-40%i decode/encode time on Cortex-A72. [d244c7287908] 2019-11-12 Marcus Burghardt <mburghardt@mozilla.com> * gtests/pk11_gtest/pk11_pbkdf2_unittest.cc, lib/pk11wrap/pk11pbe.c, lib/pk11wrap/pk11skey.c, lib/softoken/pkcs11c.c: Bug 1591363 - PBKDF2 memory leaks in NSC_GenerateKey. r=jcj A memory leak was reported and confirmed in this bug. However, during the "manual" analysis of the flow, another possible leak was found. I created a patch for both leaks, added gtests for unexpected keySizes and adjusted the general syntax of the gtest file. [7ef8d2604494] 2019-11-11 Tom Prince <mozilla@hocat.ca> * automation/taskcluster/graph/src/extend.js, automation/taskcluster/windows/setup.sh: Bug 1594891 - Use tc-proxy for nss tooltool; r=dustin,jcj [c33b214b2ec8] 2019-11-08 Daiki Ueno <dueno@redhat.com> * gtests/ssl_gtest/ssl_dhe_unittest.cc, gtests/ssl_gtest/ssl_ecdh_unittest.cc, gtests/ssl_gtest/tls_connect.h, lib/ssl/ssl3con.c: Bug 1566131, check policy against hash algorithms used for ServerKeyExchange, r=mt Summary: This adds necessary policy checks in `ssl3_ComputeCommonKeyHash()`, right before calculating hashes. Note that it currently doesn't check MD5 as it still needs to be allowed in TLS 1.1 or earlier and many tests fail if we change that. Reviewers: mt Reviewed By: mt Bug #: 1566131 [c08947c6af57] 2019-11-08 Kai Engert <kaie@kuix.de> * coreconf/coreconf.dep: Dummy change, trigger a build to test latest NSPR commits. [e766899c72a5] * automation/taskcluster/graph/src/extend.js: Bug 1579836 - Execute NSPR tests as part of NSS continuous integration. r=jcj [46bfbabf7e75] 2019-11-08 Dustin J. 
Mitchell <dustin@mozilla.com> * automation/taskcluster/graph/npm-shrinkwrap.json, automation/taskcluster/graph/package.json, automation/taskcluster/graph/src/image_builder.js, automation/taskcluster/graph/src/queue.js, automation/taskcluster/scripts/tools.sh, automation/taskcluster/windows/gen_certs.sh, automation/taskcluster/windows/run_tests.sh: Bug 1594891 - Updates to run correctly on the new TC deployment r=jcj * Update the Taskcluster client used in the decision task to one that understands Taskcluster rootUrls. * Update scripts that fetch content to use the TASKCLUSTER_ROOT_URL * the absence of this variale signals an "old" worker so we use an "old" URL [67d630e7cb7c] 2019-11-07 Tom Prince <mozilla@hocat.ca> * .taskcluster.yml, automation/taskcluster/graph/src/extend.js, automation/taskcluster/graph/src/queue.js: Bug 1591275: Switch workers to use AWS Provder; r=kjacobs [a2bebaad41dd] 2019-11-06 Daiki Ueno <dueno@redhat.com> * gtests/pk11_gtest/pk11_module_unittest.cc: Bug 1577803, clang-format, a=bustage [c9014b2892d5] * gtests/pk11_gtest/pk11_module_unittest.cc, gtests/pkcs11testmodule/pkcs11testmodule.cpp, lib/pk11wrap/debug_module.c, lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11slot.c, lib/pk11wrap/secmodti.h, lib/util/pkcs11t.h: Bug 1577803, pk11wrap: set friendly flag if token implements CKP_PUBLIC_CERTIFICATES_TOKEN, r=rrelyea Summary: This makes NSS look for CKO_PROFILE object at token initialization time to check if it implements the [[ https://docs .oasis-open.org/pkcs11/pkcs11-profiles/v3.0/pkcs11-profiles-v3.0.pdf | Public Certificates Token profile ]] as defined in PKCS #11 v3.0. If it is found, the token is automatically marked as friendly so no authentication attempts will be made when accessing certificates. 
Reviewers: rrelyea Reviewed By: rrelyea Subscribers: reviewbot Bug #: 1577803 [b39c8eeabe6a] 2019-11-06 Martin Thomson <mt@lowentropy.net> * lib/freebl/blinit.c, lib/freebl/gcm-ppc.c: Bug 1566126 - clang-format, a=bustage [6125200fbc88] 2019-11-06 Lauri Kasanen <cand@gmx.com> * lib/freebl/Makefile, lib/freebl/altivec-types.h, lib/freebl/blapii.h, lib/freebl/blinit.c, lib/freebl/freebl.gyp, lib/freebl/gcm-ppc.c, lib/freebl/gcm.c, lib/freebl/gcm.h: Bug 1566126 - freebl: POWER GHASH Vector Acceleration, r=mt Implementation for POWER8 adapted from the ARM paper: https://conradoplg.cryptoland.net/files/2010/12/gcm14.pdf Benchmark of `bltest -E -m aes_gcm -i tests/aes_gcm/plaintext10 \ -v tests/aes_gcm/iv10 -k tests/aes_gcm/key10 -5 10` on POWER8 3.3GHz. NSS_DISABLE_HW_CRYPTO=1 mode in symmkey opreps cxreps context op time(sec) thrgput aes_gcm_e 309Mb 192 5M 0 0.000 10000.000 10.001 30Mb mode in symmkey opreps cxreps context op time(sec) thrgput aes_gcm_e 829Mb 192 14M 0 0.000 10000.000 10.001 82Mb Notable operf results, sw: samples % image name symbol name 226033 59.3991 libfreeblpriv3.so bmul 80606 21.1824 libfreeblpriv3.so rijndael_encryptBlock128 28851 7.5817 libfreeblpriv3.so gcm_HashMult_sftw hw: 213899 56.2037 libfreeblpriv3.so rijndael_encryptBlock128 45233 11.8853 libfreeblpriv3.so gcm_HashMult_hw So the ghash part is ~5.6x faster. Signed-off-by: Lauri Kasanen <cand@gmx.com> [3d7e509d6d20] 2019-11-05 Marcus Burghardt <mburghardt@mozilla.com> * lib/certdb/certdb.c, lib/util/secport.h: Bug 1589073 - Use of new PR_ASSERT_ARG in certdb.c. r=mt Bug 1588015 introduced in NSPR a new way to ASSERT values where the arguments are always used avoiding "unused variable" errors. This was implemented in NSS, at certdb.c. 
[73c28cad3dbb] 2019-11-05 Daiki Ueno <dueno@redhat.com> * cpputil/nss_scoped_ptrs.h, gtests/manifest.mn, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_module_unittest.cc, gtests/pkcs11testmodule/Makefile, gtests/pkcs11testmodule/config.mk, gtests/pkcs11testmodule/manifest.mn, gtests/pkcs11testmodule/pkcs11testmodule.cpp, gtests/pkcs11testmodule/pkcs11testmodule.def, gtests/pkcs11testmodule/pkcs11testmodule.gyp, gtests/pkcs11testmodule/pkcs11testmodule.rc, nss.gyp: Bug 1577803, gtests: import pkcs11testmodule from Firefox, r=rrelyea Summary: This adds a mock PKCS #11 module from Firefox and add basic tests around it. This is needed for proper testing of PKCS #11 v3.0 profile objects (D45669). Reviewers: rrelyea Reviewed By: rrelyea Subscribers: reviewbot Bug #: 1577803 [0a86945adf74] Differential Revision: https://phabricator.services.mozilla.com/D52779 --HG-- extra : moz-landing-system : lando
189 lines
8.2 KiB
C
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * Internal header file included only by files in pkcs11 dir, or in
 * pkcs11 specific client and server files.
 */

#ifndef _SECMODTI_H_
#define _SECMODTI_H_ 1
#include "prmon.h"
#include "prtypes.h"
#include "nssilckt.h"
#include "secmodt.h"
#include "pkcs11t.h"
#include "nssdevt.h"
/* internal data structures */
/* Traverse slots callback */
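typedef struct pk11TraverseSlotStr {
    /* Per-object callback: takes a slot, an object handle and an opaque
     * pointer, and reports its outcome as a SECStatus. */
    SECStatus (*callback)(PK11SlotInfo *, CK_OBJECT_HANDLE, void *);
    void *callbackArg;          /* opaque pointer for the callback; presumably
                                 * handed back as its third argument --
                                 * confirm against the traversal code */
    CK_ATTRIBUTE *findTemplate; /* attribute template; presumably selects the
                                 * objects to visit -- confirm */
    int templateCount;          /* presumably the number of entries in
                                 * findTemplate. NOTE(review): the count is a
                                 * signed int, so code consuming it should
                                 * reject negative values before using it as
                                 * a length. */
} pk11TraverseSlot;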
/* Represents a PKCS #11 slot. Reference counted. */
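struct PK11SlotInfoStr {
    /* the PKCS11 function list for this slot */
    void *functionList;
    SECMODModule *module; /* our parent module */
    /* Booleans to indicate the current state of this slot */
    PRBool needTest;           /* Has this slot been tested for Export
                                * compliance */
    PRBool isPerm;             /* is this slot a permanent device */
    PRBool isHW;               /* is this slot a hardware device */
    PRBool isInternal;         /* is this slot one of our internal PKCS #11
                                * devices */
    PRBool disabled;           /* is this slot disabled... */
    PK11DisableReasons reason; /* Why this slot is disabled */
    PRBool readOnly;           /* is the token in this slot read-only */
    PRBool needLogin;          /* is the token of the type that needs
                                * authentication (still true even if token is
                                * logged in) */
    PRBool hasRandom;          /* can this token generate random numbers */
    PRBool defRWSession;       /* is the default session RW (we open our
                                * default session rw if the token can only
                                * handle one session at a time). */
    PRBool isThreadSafe;       /* copied from the module */
    /* The actual flags (many of which are distilled into the above PRBools) */
    CK_FLAGS flags; /* flags from PKCS #11 token Info */
    /* a default session handle to do quick and dirty functions */
    CK_SESSION_HANDLE session;
    PZLock *sessionLock; /* lock for this session */
    /* our ID */
    CK_SLOT_ID slotID;
    /* persistent flags saved from startup to startup */
    unsigned long defaultFlags;
    /* keep track of who is using us so we don't accidentally get freed while
     * still in use */
    PRInt32 refCount; /* to be in/decremented by atomic calls ONLY! A plain
                       * ++/-- can lose an update, and a wrong count here
                       * means the slot is freed while still referenced or
                       * never freed at all. */
    PZLock *freeListLock; /* presumably guards the two free lists and the key
                           * counters below -- confirm */
    PK11SymKey *freeSymKeysWithSessionHead;
    PK11SymKey *freeSymKeysHead;
    int keyCount;
    int maxKeyCount;
    /* Password control functions for this slot. many of these are only
     * active if the appropriate flag is on in defaultFlags */
    int askpw;        /* what our password options are */
    int timeout;      /* If we're ask_timeout, what our timeout time is, in
                       * seconds */
    int authTransact; /* allow multiple authentications off one password if
                       * they are all part of the same transaction */
    PRTime authTime;  /* when were we last authenticated */
    int minPassword;  /* smallest legal password */
    int maxPassword;  /* largest legal password */
    PRUint16 series;  /* break up the slot info into various groups of
                       * inserted tokens so that keys and certs can be
                       * invalidated */
    PRUint16 flagSeries; /* record the last series for the last event
                          * returned for this slot */
    PRBool flagState;    /* record the state of the last event returned for
                          * this slot. */
    PRUint16 wrapKey;    /* current wrapping key for SSL master secrets */
    CK_MECHANISM_TYPE wrapMechanism;
    /* current wrapping mechanism for current wrapKey */
    CK_OBJECT_HANDLE refKeys[1]; /* array of existing wrapping keys (the
                                  * original comment is cut off at this
                                  * point). NOTE(review): declared with a
                                  * single element, so only index 0 is in
                                  * bounds -- confirm no caller indexes
                                  * further. */
    CK_MECHANISM_TYPE *mechanismList; /* list of mechanisms supported by this
                                       * token */
    int mechanismCount; /* presumably the length of mechanismList; must stay
                         * in step with that allocation -- confirm */
    /* cache the certificates stored on the token of this slot */
    CERTCertificate **cert_array;
    int array_size;
    int cert_count;
    char serial[16]; /* NOTE(review): an even-sized buffer, unlike the two
                      * name fields below, so it has no spare byte for a
                      * terminator; treat it as fixed-length data, not as a C
                      * string -- confirm how it is filled. */
    /* since these are odd sizes, keep them last. They are odd sizes to
     * allow them to become null terminated strings.
     * NOTE(review): further members now follow these two, so "last" no
     * longer describes the layout. */
    char slot_name[65];
    char token_name[33];
    PRBool hasRootCerts;
    PRBool hasRootTrust;
    PRBool hasRSAInfo;
    CK_FLAGS RSAInfoFlags;
    PRBool protectedAuthPath;
    PRBool isActiveCard;
    PRIntervalTime lastLoginCheck;
    unsigned int lastState;
    /* for Stan */
    NSSToken *nssToken;
    /* the tokeninfo struct */
    CK_TOKEN_INFO tokenInfo;
    /* fast mechanism lookup */
    char mechanismBits[256]; /* NOTE(review): fixed 256-byte table; whatever
                              * index is derived from a mechanism type has to
                              * be range-checked before use -- the indexing
                              * scheme is not visible in this header. */
    CK_PROFILE_ID *profileList; /* PKCS #11 profile IDs for this slot's token.
                                 * NOTE(review): presumably read from the
                                 * token at initialization; if a profile here
                                 * changes how login is handled, the list is
                                 * token-supplied input feeding an
                                 * authentication decision -- confirm where
                                 * it is populated and validated. */
    int profileCount;           /* presumably the length of profileList --
                                 * confirm */
};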
/* Symmetric key structure. Reference counted. */
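struct PK11SymKeyStr {
    CK_MECHANISM_TYPE type;    /* type of operation this key was created for */
    CK_OBJECT_HANDLE objectID; /* object id of this key in the slot */
    PK11SlotInfo *slot;        /* Slot this key is loaded into */
    void *cx;                  /* window context in case we need to log in */
    PK11SymKey *next;
    PRBool owner;              /* NOTE(review): presumably whether this
                                * structure owns the token object identified
                                * by objectID -- confirm */
    SECItem data;              /* raw key data if available.
                                * NOTE(review): when populated this is key
                                * material held in process memory; confirm
                                * the release path clears it before the
                                * buffer is freed. */
    CK_SESSION_HANDLE session;
    PRBool sessionOwner;
    PRInt32 refCount;          /* number of references to this key */
    int size;                  /* key size in bytes */
    PK11Origin origin;         /* where this key came from
                                * (see def in secmodt.h) */
    PK11SymKey *parent;        /* potential owner key of the session */
    PRUint16 series;           /* break up the slot info into various groups
                                * of inserted tokens so that keys and certs
                                * can be invalidated */
    void *userData;            /* random data the application can attach to
                                * this key */
    PK11FreeDataFunc freeFunc; /* function to free the user data */
};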
/*
 * Holds a hash, encryption or signing context for multi-part operations.
 * Holds enough information so that multiple contexts can be interleaved
 * if necessary. ... Not RefCounted.
 */
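struct PK11ContextStr {
    CK_ATTRIBUTE_TYPE operation; /* type of operation this context is doing
                                  * (CKA_ENCRYPT, CKA_SIGN, CKA_HASH, etc.) */
    PK11SymKey *key;             /* symmetric key used in this context */
    PK11SlotInfo *slot;          /* slot this context is operating on */
    CK_SESSION_HANDLE session;   /* session this context is using */
    PZLock *sessionLock;         /* lock before accessing a PKCS #11
                                  * session */
    PRBool ownSession;           /* do we own the session? */
    void *cx;                    /* window context in case we need to log in */
    void *savedData;             /* save data when we are multiplexing on a
                                  * single context.
                                  * NOTE(review): saved operation state can
                                  * carry sensitive intermediate values;
                                  * confirm it is cleared when the context is
                                  * released. */
    unsigned long savedLength;   /* length of the saved context; must always
                                  * describe the savedData buffer exactly */
    SECItem *param;              /* mechanism parameters used to build this
                                  * context */
    PRBool init;                 /* has this context been initialized */
    CK_MECHANISM_TYPE type;      /* the PKCS #11 mechanism this context
                                  * represents (usually the algorithm being
                                  * used: CKM_RSA_PKCS, CKM_DES, CKM_SHA,
                                  * etc.) */
    PRBool fortezzaHack;         /* Fortezza SSL has some special
                                  * non-standard semantics */
};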
/*
 * structure to hold a pointer to a unique PKCS #11 object
 * (pointer to the slot and the object id).
 */
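struct PK11GenericObjectStr {
    PK11GenericObject *prev;   /* previous and next entries: the objects are */
    PK11GenericObject *next;   /* chained into a doubly linked list */
    PK11SlotInfo *slot;        /* slot the object lives in */
    CK_OBJECT_HANDLE objectID; /* handle of the object within that slot */
    PRBool owner;              /* NOTE(review): presumably whether this
                                * wrapper owns the token object and is
                                * responsible for destroying it -- confirm */
};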
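/* Maximum attributes in a template.
 * NOTE(review): presumably sizes fixed CK_ATTRIBUTE arrays; any code that
 * appends to such an array needs to check its index against this bound --
 * confirm at the use sites. */
#define MAX_TEMPL_ATTRS 16

/* This mask includes all CK_FLAGs with an equivalent CKA_ attribute.
 * With the standard PKCS #11 flag values, 0x000e7b00 is the union of
 * CKF_ENCRYPT, CKF_DECRYPT, CKF_SIGN, CKF_SIGN_RECOVER, CKF_VERIFY,
 * CKF_VERIFY_RECOVER, CKF_WRAP, CKF_UNWRAP and CKF_DERIVE; CKF_DIGEST,
 * CKF_GENERATE and CKF_GENERATE_KEY_PAIR fall outside it. */
#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL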
#endif /* _SECMODTI_H_ */