author | wolfbeast <mcwerewolf@gmail.com> | 2018-02-06 11:46:26 +0100 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-02-06 11:46:26 +0100 |
commit | f017b749ea9f1586d2308504553d40bf4cc5439d (patch) | |
tree | c6033924a0de9be1ab140596e305898c651bf57e /security/nss/lib | |
parent | 7c728b3c7680662fc4e92b5d03697b8339560b08 (diff) | |
download | uxp-f017b749ea9f1586d2308504553d40bf4cc5439d.tar.gz |
Update NSS to 3.32.1-RTM
Diffstat (limited to 'security/nss/lib')
235 files changed, 7652 insertions, 13090 deletions
diff --git a/security/nss/lib/base/error.c b/security/nss/lib/base/error.c index ea1d5e3e8d..95a76cf799 100644 --- a/security/nss/lib/base/error.c +++ b/security/nss/lib/base/error.c @@ -55,6 +55,7 @@ static PRUintn error_stack_index = INVALID_TPD_INDEX; */ static PRCallOnceType error_call_once; +static const PRCallOnceType error_call_again; /* * error_once_function @@ -264,6 +265,8 @@ nss_DestroyErrorStack(void) { if (INVALID_TPD_INDEX != error_stack_index) { PR_SetThreadPrivate(error_stack_index, NULL); + error_stack_index = INVALID_TPD_INDEX; + error_call_once = error_call_again; /* allow to init again */ } return; } diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c index b6736c4626..38b2fe4b51 100644 --- a/security/nss/lib/certdb/alg1485.c +++ b/security/nss/lib/certdb/alg1485.c @@ -341,13 +341,16 @@ hexToBin(PLArenaPool* pool, SECItem* destItem, const char* src, int len) goto loser; } len >>= 1; - if (!SECITEM_AllocItem(pool, destItem, len)) + if (!SECITEM_AllocItem(pool, destItem, len)) { goto loser; + } dest = destItem->data; for (; len > 0; len--, src += 2) { - PRInt16 bin = (x2b[(PRUint8)src[0]] << 4) | x2b[(PRUint8)src[1]]; - if (bin < 0) + PRUint16 bin = ((PRUint16)x2b[(PRUint8)src[0]] << 4); + bin |= (PRUint16)x2b[(PRUint8)src[1]]; + if (bin >> 15) { /* is negative */ goto loser; + } *dest++ = (PRUint8)bin; } return SECSuccess; @@ -372,6 +375,7 @@ ParseRFC1485AVA(PLArenaPool* arena, const char** pbp, const char* endptr) const char* bp; int vt = -1; int valLen; + PRBool isDottedOid = PR_FALSE; SECOidTag kind = SEC_OID_UNKNOWN; SECStatus rv = SECFailure; SECItem derOid = { 0, NULL, 0 }; 
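Review bot: Resetting `error_stack_index` and `error_call_once` in `nss_DestroyErrorStack` lets the once-function run again, but `PR_SetThreadPrivate(error_stack_index, NULL)` only clears the calling thread's slot and nothing releases the thread-private index itself. If `error_once_function` (outside this hunk) obtains the index with `PR_NewThreadPrivateIndex`, every shutdown/init cycle consumes a fresh index from NSPR's small fixed pool while the old one stays allocated with other threads' data still bound to it; that deserves a comment next to the reset: `/* NSPR cannot free a TPD index; re-init after shutdown allocates a new one, so init/shutdown cycles are bounded by NSPR's index limit */`. The reset is also unsynchronized against threads still inside the error-stack functions, so the caller's quiescence requirement should be stated on the function header, which is outside the hunk.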
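Review bot: The `/* is negative */` comment on the new `bin >> 15` test in `hexToBin` depends on how `x2b` is declared, which is outside the hunk: the check only works if non-hex entries are negative so that the `PRUint16` cast sets the high bits, and the cast is also what removes the left shift of a negative value that the old `PRInt16` code performed. Say so where the next reader will look: `/* x2b entries for non-hex bytes are negative; the unsigned cast sets bit 15 (and avoids shifting a negative value), so one test covers both nibbles */`. If `x2b` is not a signed table, this test silently accepts bad input and should be revisited.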
@@ -398,8 +402,9 @@ ParseRFC1485AVA(PLArenaPool* arena, const char** pbp, const char* endptr) } /* is this a dotted decimal OID attribute type ? */ - if (!PL_strncasecmp("oid.", tagBuf, 4)) { + if (!PL_strncasecmp("oid.", tagBuf, 4) || isdigit(tagBuf[0])) { rv = SEC_StringToOID(arena, &derOid, tagBuf, strlen(tagBuf)); + isDottedOid = (PRBool)(rv == SECSuccess); } else { for (n2k = name2kinds; n2k->name; n2k++) { SECOidData* oidrec; @@ -425,8 +430,6 @@ ParseRFC1485AVA(PLArenaPool* arena, const char** pbp, const char* endptr) goto loser; a = CERT_CreateAVAFromRaw(arena, &derOid, &derVal); } else { - if (kind == SEC_OID_UNKNOWN) - goto loser; if (kind == SEC_OID_AVA_COUNTRY_NAME && valLen != 2) goto loser; if (vt == SEC_ASN1_PRINTABLE_STRING && @@ -442,7 +445,11 @@ ParseRFC1485AVA(PLArenaPool* arena, const char** pbp, const char* endptr) derVal.data = (unsigned char*)valBuf; derVal.len = valLen; - a = CERT_CreateAVAFromSECItem(arena, kind, vt, &derVal); + if (kind == SEC_OID_UNKNOWN && isDottedOid) { + a = CERT_CreateAVAFromRaw(arena, &derOid, &derVal); + } else { + a = CERT_CreateAVAFromSECItem(arena, kind, vt, &derVal); + } } return a; diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h index e0af65ab06..4224da1080 100644 --- a/security/nss/lib/certdb/cert.h +++ b/security/nss/lib/certdb/cert.h 
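Review bot: `isdigit(tagBuf[0])` passes a plain `char` to a `<ctype.h>` function; when `tagBuf` holds a byte above 0x7F on a platform where `char` is signed, that is undefined behaviour (glibc indexes a table with a negative value), and the attribute-type text here comes from an untrusted DN string. Cast first: `if (!PL_strncasecmp("oid.", tagBuf, 4) || isdigit((unsigned char)tagBuf[0])) {`. `ParseRFC1485AVA` begins and ends outside this hunk.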
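Review bot: In the string-value branch, the new `kind == SEC_OID_UNKNOWN && isDottedOid` case hands `CERT_CreateAVAFromRaw` a `derVal` that points at `valBuf`/`valLen` — the unencoded attribute text — whereas the `#`-hex path in the `@@ -425` hunk feeds it a DER value produced by `hexToBin`. If `CERT_CreateAVAFromRaw` copies its value argument verbatim into the AVA, as its name suggests (its body is not in this diff), a DN such as `1.2.3.4=text` produces an AVA value with no DER tag or length; please confirm, and either DER-encode the string per `vt` before the call or document that only `#`-hex values are accepted for unknown dotted OIDs. Since the `kind == SEC_OID_UNKNOWN` early exit at `@@ -425` is removed, also make sure an unknown, non-dotted tag is still rejected somewhere above; that code is outside the hunk.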
@@ -1405,24 +1405,11 @@ void CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *config); void CERT_LockCertRefCount(CERTCertificate *cert); /* - * Free the cert reference count lock + * Release the cert reference count lock */ void CERT_UnlockCertRefCount(CERTCertificate *cert); /* - * Acquire the cert trust lock - * There is currently one global lock for all certs, but I'm putting a cert - * arg here so that it will be easy to make it per-cert in the future if - * that turns out to be necessary. - */ -void CERT_LockCertTrust(const CERTCertificate *cert); - -/* - * Free the cert trust lock - */ -void CERT_UnlockCertTrust(const CERTCertificate *cert); - -/* * Digest the cert's subject public key using the specified algorithm. * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding * the tag, length, and number of unused bits) rather than the whole @@ -1579,6 +1566,12 @@ extern CERTRevocationFlags *CERT_AllocCERTRevocationFlags( */ extern void CERT_DestroyCERTRevocationFlags(CERTRevocationFlags *flags); +/* + * Get istemp and isperm fields from a cert in a thread safe way. + */ +extern SECStatus CERT_GetCertIsTemp(const CERTCertificate *cert, PRBool *istemp); +extern SECStatus CERT_GetCertIsPerm(const CERTCertificate *cert, PRBool *isperm); + SEC_END_PROTOS #endif /* _CERT_H_ */ diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c index d37334d739..7864edc08e 100644 --- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -2559,9 +2559,9 @@ CERT_AddCertToListHeadWithData(CERTCertList *certs, CERTCertificate *cert, CERTCertListNode *head; head = CERT_LIST_HEAD(certs); - - if (head == NULL) - return CERT_AddCertToListTail(certs, cert); + if (head == NULL) { + goto loser; + } node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena, sizeof(CERTCertListNode)); 
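Review bot: The new `CERT_GetCertIsTemp`/`CERT_GetCertIsPerm` declarations say only that they are thread safe; a public header should also state the failure contract, which in this commit's `stanpcertdb.c` implementation is `SECFailure` with the out-parameter untouched when `cert` is NULL. Suggested wording: `/* Read cert->istemp / cert->isperm under the temp/perm lock. Returns SECFailure (out-param untouched) if cert is NULL. */`. It is also worth a line noting that `CERT_LockCertTrust`/`CERT_UnlockCertTrust` moved to the private `certi.h`, since external callers of those symbols will now fail to compile.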
@@ -2865,7 +2865,18 @@ CERT_LockCertTrust(const CERTCertificate *cert) { PORT_Assert(certTrustLock != NULL); PZ_Lock(certTrustLock); - return; +} + +static PZLock *certTempPermLock = NULL; + +/* + * Acquire the cert temp/perm lock + */ +void +CERT_LockCertTempPerm(const CERTCertificate *cert) +{ + PORT_Assert(certTempPermLock != NULL); + PZ_Lock(certTempPermLock); } SECStatus @@ -2889,6 +2900,18 @@ cert_InitLocks(void) } } + if (certTempPermLock == NULL) { + certTempPermLock = PZ_NewLock(nssILockCertDB); + PORT_Assert(certTempPermLock != NULL); + if (!certTempPermLock) { + PZ_DestroyLock(certTrustLock); + PZ_DestroyLock(certRefCountLock); + certRefCountLock = NULL; + certTrustLock = NULL; + return SECFailure; + } + } + return SECSuccess; } @@ -2912,6 +2935,14 @@ cert_DestroyLocks(void) } else { rv = SECFailure; } + + PORT_Assert(certTempPermLock != NULL); + if (certTempPermLock) { + PZ_DestroyLock(certTempPermLock); + certTempPermLock = NULL; + } else { + rv = SECFailure; + } return rv; } @@ -2934,6 +2965,23 @@ CERT_UnlockCertTrust(const CERTCertificate *cert) } /* + * Free the temp/perm lock + */ +void +CERT_UnlockCertTempPerm(const CERTCertificate *cert) +{ + PORT_Assert(certTempPermLock != NULL); +#ifdef DEBUG + { + PRStatus prstat = PZ_Unlock(certTempPermLock); + PORT_Assert(prstat == PR_SUCCESS); + } +#else + (void)PZ_Unlock(certTempPermLock); +#endif +} + +/* * Get the StatusConfig data for this handle */ CERTStatusConfig * diff --git a/security/nss/lib/certdb/certi.h b/security/nss/lib/certdb/certi.h index 1cdf4b8faa..456f2fc4ea 100644 --- a/security/nss/lib/certdb/certi.h +++ b/security/nss/lib/certdb/certi.h 
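Review bot: The comment above `CERT_UnlockCertTempPerm` reads `Free the temp/perm lock`, while this same commit changes `cert.h` from "Free" to "Release" for the ref-count lock and `certi.h` already says "Release the temp/perm lock"; use `/* Release the temp/perm lock */` here so the three agree. Neither new helper documents what the lock guards — add `/* guards cert->istemp and cert->isperm; cert is accepted only to allow per-cert locking later */` on `CERT_LockCertTempPerm`, matching the existing trust-lock comment. `cert_InitLocks` and `cert_DestroyLocks` begin outside the hunk.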
@@ -378,4 +378,27 @@ PRUint32 cert_CountDNSPatterns(CERTGeneralName* firstName); SECStatus cert_CheckLeafTrust(CERTCertificate* cert, SECCertUsage usage, unsigned int* failedFlags, PRBool* isTrusted); +/* + * Acquire the cert temp/perm lock + */ +void CERT_LockCertTempPerm(const CERTCertificate* cert); + +/* + * Release the temp/perm lock + */ +void CERT_UnlockCertTempPerm(const CERTCertificate* cert); + +/* + * Acquire the cert trust lock + * There is currently one global lock for all certs, but I'm putting a cert + * arg here so that it will be easy to make it per-cert in the future if + * that turns out to be necessary. + */ +void CERT_LockCertTrust(const CERTCertificate* cert); + +/* + * Release the cert trust lock + */ +void CERT_UnlockCertTrust(const CERTCertificate* cert); + #endif /* _CERTI_H_ */ diff --git a/security/nss/lib/certdb/certv3.c b/security/nss/lib/certdb/certv3.c index bf0bcf96ca..d27fc1ba0d 100644 --- a/security/nss/lib/certdb/certv3.c +++ b/security/nss/lib/certdb/certv3.c @@ -213,7 +213,7 @@ CERT_CheckCertUsage(CERTCertificate *cert, unsigned char usage) if (rv == SECFailure) { rv = (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) ? SECSuccess : SECFailure; - } else if (!(keyUsage.data[0] & usage)) { + } else if (!keyUsage.data || !(keyUsage.data[0] & usage)) { PORT_SetError(SEC_ERROR_CERT_USAGES_INVALID); rv = SECFailure; } diff --git a/security/nss/lib/certdb/secname.c b/security/nss/lib/certdb/secname.c index 6d3e9d3720..654dfdf3f0 100644 --- a/security/nss/lib/certdb/secname.c +++ b/security/nss/lib/certdb/secname.c @@ -568,8 +568,8 @@ CERT_CompareRDN(const CERTRDN *a, const CERTRDN *b) SECComparison CERT_CompareName(const CERTName *a, const CERTName *b) { - CERTRDN **ardns, *ardn; - CERTRDN **brdns, *brdn; + CERTRDN **ardns; + CERTRDN **brdns; int ac, bc; SECComparison rv = SECEqual; 
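Review bot: The new guard in `CERT_CheckCertUsage` rejects a NULL `keyUsage.data` but still reads `keyUsage.data[0]` when the decoded extension is empty, which is a one-byte out-of-bounds read on attacker-supplied certificate data if the decoder returns a non-NULL pointer with zero length. Check both: `} else if (!keyUsage.data || keyUsage.len == 0 || !(keyUsage.data[0] & usage)) {`. Whether `len` counts bits or bytes for this item does not affect the zero test; the rest of the function, including how `keyUsage` is freed, is outside the hunk.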
@@ -587,18 +587,8 @@ CERT_CompareName(const CERTName *a, const CERTName *b) if (ac > bc) return SECGreaterThan; - for (;;) { - if (!ardns++ || !brdns++) { - break; - } - ardn = *ardns; - brdn = *brdns; - if (!ardn) { - break; - } - rv = CERT_CompareRDN(ardn, brdn); - if (rv) - return rv; + while (rv == SECEqual && *ardns) { + rv = CERT_CompareRDN(*ardns++, *brdns++); } return rv; } diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c index 2b1aa97cd5..4d42bd50d8 100644 --- a/security/nss/lib/certdb/stanpcertdb.c +++ b/security/nss/lib/certdb/stanpcertdb.c @@ -91,7 +91,7 @@ CERT_GetCertTrust(const CERTCertificate *cert, CERTCertTrust *trust) { SECStatus rv; CERT_LockCertTrust(cert); - if (cert->trust == NULL) { + if (!cert || cert->trust == NULL) { rv = SECFailure; } else { *trust = *cert->trust; @@ -304,8 +304,10 @@ __CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname, CERT_MapStanError(); return SECFailure; } + CERT_LockCertTempPerm(cert); cert->istemp = PR_FALSE; cert->isperm = PR_TRUE; + CERT_UnlockCertTempPerm(cert); if (!trust) { return SECSuccess; } @@ -436,8 +438,10 @@ CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert, return NULL; } + CERT_LockCertTempPerm(cc); cc->istemp = PR_TRUE; cc->isperm = PR_FALSE; + CERT_UnlockCertTempPerm(cc); return cc; loser: /* Perhaps this should be nssCertificate_Destroy(c) */ 
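Review bot: In `CERT_GetCertTrust` the new `!cert` test comes after `CERT_LockCertTrust(cert)`, so a NULL pointer is handed to the lock helper before it is rejected; this only works because `CERT_LockCertTrust` ignores its argument and takes the global `certTrustLock` (visible in the `certdb.c` hunk), which a reader of this function cannot see. Reject early and skip the lock round-trip: `if (!cert || !trust) { return SECFailure; }` placed before `CERT_LockCertTrust(cert);` — `trust` is dereferenced unconditionally on the success path, so it deserves the same guard. The function's tail is outside the hunk.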
@@ -515,28 +519,25 @@ CERT_FindCertByKeyID(CERTCertDBHandle *handle, SECItem *name, SECItem *keyID) { CERTCertList *list; CERTCertificate *cert = NULL; - CERTCertListNode *node, *head; + CERTCertListNode *node; list = CERT_CreateSubjectCertList(NULL, handle, name, 0, PR_FALSE); if (list == NULL) return NULL; - node = head = CERT_LIST_HEAD(list); - if (head) { - do { - if (node->cert && - SECITEM_ItemsAreEqual(&node->cert->subjectKeyID, keyID)) { - cert = CERT_DupCertificate(node->cert); - goto done; - } - node = CERT_LIST_NEXT(node); - } while (node && head != node); + node = CERT_LIST_HEAD(list); + while (!CERT_LIST_END(node, list)) { + if (node->cert && + SECITEM_ItemsAreEqual(&node->cert->subjectKeyID, keyID)) { + cert = CERT_DupCertificate(node->cert); + goto done; + } + node = CERT_LIST_NEXT(node); } PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); + done: - if (list) { - CERT_DestroyCertList(list); - } + CERT_DestroyCertList(list); return cert; } @@ -635,8 +636,7 @@ common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle, if (certlist) { SECStatus rv = CERT_FilterCertListByUsage(certlist, lookingForUsage, PR_FALSE); - if (SECSuccess == rv && - !CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist)) { + if (SECSuccess == rv && !CERT_LIST_EMPTY(certlist)) { cert = CERT_DupCertificate(CERT_LIST_HEAD(certlist)->cert); } CERT_DestroyCertList(certlist); @@ -915,6 +915,7 @@ CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile, { const char *emailAddr; SECStatus rv; + PRBool isperm = PR_FALSE; if (!cert) { return SECFailure; @@ -936,7 +937,11 @@ CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile, } } - if (cert->slot && cert->isperm && CERT_IsUserCert(cert) && + rv = CERT_GetCertIsPerm(cert, &isperm); + if (rv != SECSuccess) { + return SECFailure; + } + if (cert->slot && isperm && CERT_IsUserCert(cert) && (!emailProfile || !emailProfile->len)) { /* Don't clobber emailProfile for user certs. */ return SECSuccess; 
@@ -990,6 +995,32 @@ CERT_FindSMimeProfile(CERTCertificate *cert) return rvItem; } +SECStatus +CERT_GetCertIsPerm(const CERTCertificate *cert, PRBool *isperm) +{ + if (cert == NULL) { + return SECFailure; + } + + CERT_LockCertTempPerm(cert); + *isperm = cert->isperm; + CERT_UnlockCertTempPerm(cert); + return SECSuccess; +} + +SECStatus +CERT_GetCertIsTemp(const CERTCertificate *cert, PRBool *istemp) +{ + if (cert == NULL) { + return SECFailure; + } + + CERT_LockCertTempPerm(cert); + *istemp = cert->istemp; + CERT_UnlockCertTempPerm(cert); + return SECSuccess; +} + /* * deprecated functions that are now just stubs. */ diff --git a/security/nss/lib/certhigh/certhigh.c b/security/nss/lib/certhigh/certhigh.c index 55259898b6..7ae80b193e 100644 --- a/security/nss/lib/certhigh/certhigh.c +++ b/security/nss/lib/certhigh/certhigh.c @@ -11,6 +11,7 @@ #include "cert.h" #include "certxutl.h" +#include "certi.h" #include "nsspki.h" #include "pki.h" #include "pkit.h" @@ -289,7 +290,7 @@ CERT_FindUserCertByUsage(CERTCertDBHandle *handle, goto loser; } - if (!CERT_LIST_END(CERT_LIST_HEAD(certList), certList)) { + if (!CERT_LIST_EMPTY(certList)) { cert = CERT_DupCertificate(CERT_LIST_HEAD(certList)->cert); } @@ -872,6 +873,7 @@ cert_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage, PRBool PRBool isca; char *nickname; unsigned int certtype; + PRBool istemp = PR_FALSE; handle = CERT_GetDefaultCertDB(); @@ -949,7 +951,11 @@ cert_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage, PRBool } /* if the cert is temp, make it perm; otherwise we're done */ - if (cert->istemp) { + rv = CERT_GetCertIsTemp(cert, &istemp); + if (rv != SECSuccess) { + goto loser; + } + if (istemp) { /* get a default nickname for it */ nickname = CERT_MakeCANickname(cert); @@ -963,9 +969,6 @@ cert_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage, PRBool rv = SECSuccess; } - CERT_DestroyCertificate(cert); - cert = NULL; - if (rv != SECSuccess) { goto loser; } 
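Review bot: The `CERT_DestroyCertificate(cert); cert = NULL;` removed from the `istemp` branch of `cert_ImportCAChain` was the per-iteration release of the certificate obtained earlier in the loop, and the hunk ends right after the `rv != SECSuccess` check, so where that reference is now dropped (after the check, or at `loser:`) is not visible here. Please confirm the destroy was moved rather than dropped: a successful iteration that carries `cert` into the next pass leaks the previous reference, and on failure `loser:` must release it exactly once. A comment at the new destroy site, `/* release this chain element; loser: handles the failure path */`, would make the ownership obvious. The enclosing function begins and ends outside this hunk.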
@@ -1080,7 +1083,10 @@ CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage, derCert.len = (unsigned int)stanCert->encoding.size; derCert.data = (unsigned char *)stanCert->encoding.data; derCert.type = siBuffer; - SECITEM_CopyItem(arena, &chain->certs[i], &derCert); + if (SECITEM_CopyItem(arena, &chain->certs[i], &derCert) != SECSuccess) { + CERT_DestroyCertificate(cCert); + goto loser; + } stanCert = stanChain[++i]; if (!stanCert && !cCert->isRoot) { /* reached the end of the chain, but the final cert is diff --git a/security/nss/lib/certhigh/certhtml.c b/security/nss/lib/certhigh/certhtml.c index a522f69255..2d708cc950 100644 --- a/security/nss/lib/certhigh/certhtml.c +++ b/security/nss/lib/certhigh/certhtml.c @@ -102,6 +102,8 @@ CERT_FormatName(CERTName *name) goto loser; } len += cn->len; + // cn will always have BREAK after it + len += BREAKLEN; break; case SEC_OID_AVA_COUNTRY_NAME: if (country) { @@ -112,6 +114,10 @@ CERT_FormatName(CERTName *name) goto loser; } len += country->len; + // country may have COMMA after it (if we over-count len, + // that's fine - we'll just allocate a buffer larger than we + // need) + len += COMMALEN; break; case SEC_OID_AVA_LOCALITY: if (loc) { @@ -122,6 +128,8 @@ CERT_FormatName(CERTName *name) goto loser; } len += loc->len; + // loc may have COMMA after it + len += COMMALEN; break; case SEC_OID_AVA_STATE_OR_PROVINCE: if (state) { @@ -132,6 +140,9 @@ CERT_FormatName(CERTName *name) goto loser; } len += state->len; + // state currently won't have COMMA after it, but this is a + // (probably vain) attempt to future-proof this code + len += COMMALEN; break; case SEC_OID_AVA_ORGANIZATION_NAME: if (org) { @@ -142,6 +153,8 @@ CERT_FormatName(CERTName *name) goto loser; } len += org->len; + // org will have BREAK after it + len += BREAKLEN; break; case SEC_OID_AVA_DN_QUALIFIER: if (dq) { 
@@ -152,6 +165,8 @@ CERT_FormatName(CERTName *name) goto loser; } len += dq->len; + // dq will have BREAK after it + len += BREAKLEN; break; case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME: if (ou_count < MAX_OUS) { @@ -160,6 +175,8 @@ CERT_FormatName(CERTName *name) goto loser; } len += orgunit[ou_count++]->len; + // each ou will have BREAK after it + len += BREAKLEN; } break; case SEC_OID_AVA_DC: @@ -169,6 +186,8 @@ CERT_FormatName(CERTName *name) goto loser; } len += dc[dc_count++]->len; + // each dc will have BREAK after it + len += BREAKLEN; } break; case SEC_OID_PKCS9_EMAIL_ADDRESS: @@ -181,6 +200,8 @@ CERT_FormatName(CERTName *name) goto loser; } len += email->len; + // email will have BREAK after it + len += BREAKLEN; break; default: break; @@ -188,8 +209,8 @@ CERT_FormatName(CERTName *name) } } - /* XXX - add some for formatting */ - len += 128; + // there may be a final BREAK + len += BREAKLEN; /* allocate buffer */ buf = (char *)PORT_Alloc(len); diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c index 10485137b4..cea8456606 100644 --- a/security/nss/lib/certhigh/ocsp.c +++ b/security/nss/lib/certhigh/ocsp.c @@ -2195,7 +2195,7 @@ SetRequestExts(void *object, CERTCertExtension **exts) request->tbsRequest->requestExtensions = exts; } -#if defined(__GNUC__) +#if defined(__GNUC__) && !defined(NSS_NO_GCC48) #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Wvarargs" #endif @@ -2265,7 +2265,7 @@ loser: (void)CERT_FinishExtensions(extHandle); return rv; } -#if defined(__GNUC__) +#if defined(__GNUC__) && !defined(NSS_NO_GCC48) #pragma GCC diagnostic pop #endif diff --git a/security/nss/lib/ckfw/builtins/builtins.gyp b/security/nss/lib/ckfw/builtins/builtins.gyp index d854425857..f8dbc11704 100644 --- a/security/nss/lib/ckfw/builtins/builtins.gyp +++ b/security/nss/lib/ckfw/builtins/builtins.gyp 
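Review bot: Replacing the 128-byte slack with exact per-component accounting in `CERT_FormatName` leaves the terminating NUL unaccounted for unless it is in `len`'s initial value, which is outside the hunk; the only surplus left is the `len += BREAKLEN` labelled "there may be a final BREAK", and if the formatting code below does emit that BREAK, the terminator written after it lands one byte past the `PORT_Alloc(len)` buffer. Make the terminator explicit instead of relying on slack: `len += BREAKLEN; /* possible final BREAK */` followed by `len += 1; /* NUL terminator */`. The formatting half of the function is outside this hunk, so the count should be checked against it, in particular that every branch emitting a COMMA after country/loc/state is covered.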
@@ -19,7 +19,7 @@ 'btoken.c', 'ckbiver.c', 'constants.c', - '<(INTERMEDIATE_DIR)/certdata.c' + '<(certdata_c)', ], 'dependencies': [ '<(DEPTH)/exports.gyp:nss_exports', @@ -30,23 +30,25 @@ { 'msvs_cygwin_shell': 0, 'action': [ - 'perl', - 'certdata.perl', + 'python', + 'certdata.py', 'certdata.txt', '<@(_outputs)', ], 'inputs': [ + 'certdata.py', 'certdata.perl', 'certdata.txt' ], 'outputs': [ - '<(INTERMEDIATE_DIR)/certdata.c' + '<(certdata_c)' ], 'action_name': 'generate_certdata_c' } ], 'variables': { - 'mapfile': 'nssckbi.def' + 'mapfile': 'nssckbi.def', + 'certdata_c': '<(INTERMEDIATE_DIR)/certdata.c', } } ], diff --git a/security/nss/lib/ckfw/builtins/certdata.py b/security/nss/lib/ckfw/builtins/certdata.py new file mode 100644 index 0000000000..077824793b --- /dev/null +++ b/security/nss/lib/ckfw/builtins/certdata.py @@ -0,0 +1,18 @@ +#!/usr/bin/env python +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +import subprocess +import os +import sys + +def main(): + args = [os.path.realpath(x) for x in sys.argv[1:]] + script = os.path.dirname(os.path.abspath(__file__))+'/certdata.perl' + subprocess.check_call([os.environ.get('PERL', 'perl'), script] + args, + env=os.environ) + +if __name__ == '__main__': + main() diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt index 9018179d3e..45b659b7aa 100644 --- a/security/nss/lib/ckfw/builtins/certdata.txt +++ b/security/nss/lib/ckfw/builtins/certdata.txt @@ -191,6 +191,7 @@ CKA_VALUE MULTILINE_OCTAL \034\305\037\244\200\157\025\040\311\336\014\210\012\035\326\146 \125\342\374\110\311\051\046\151\340 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "GlobalSign Root CA" # Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE 
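Review bot: `certdata.py` builds the script path by string concatenation, `os.path.dirname(os.path.abspath(__file__))+'/certdata.perl'`, and passes `env=os.environ`, which is already the default for `subprocess`; prefer `script = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'certdata.perl')` and drop the `env=` argument. The `PERL` environment override is reasonable for a build wrapper but is the one non-obvious behaviour and deserves `# PERL may select a specific interpreter; defaults to the one on PATH`. A module docstring saying this is a gyp-callable shim around `certdata.perl` (which the gyp change still lists as an input) would also help the next person who wonders why both files exist.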
@@ -225,7 +226,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -324,6 +325,7 @@ CKA_VALUE MULTILINE_OCTAL \035\111\367\252\336\225\317\040\170\302\140\022\333\045\100\214 \152\374\176\102\070\100\144\022\367\236\201\341\223\056 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "GlobalSign Root CA - R2" # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 @@ -357,7 +359,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -479,6 +481,7 @@ CKA_VALUE MULTILINE_OCTAL \363\334\017\337\012\207\304\357\206\005\325\070\024\140\231\243 \113\336\006\226\161\054\362\333\266\037\244\357\077\356 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G3" # Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US @@ -643,6 +646,7 @@ CKA_VALUE MULTILINE_OCTAL \377\343\030\174\211\213\063\135\254\063\327\247\371\332\072\125 \311\130\020\371\252\357\132\266\317\113\113\337\052 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G3" # Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US 
@@ -807,6 +811,7 @@ CKA_VALUE MULTILINE_OCTAL \200\332\267\155\027\217\235\036\201\144\341\376\305\105\272\255 \153\271\012\172\116\117\113\204\356\113\361\175\335\021 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US @@ -849,7 +854,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # Distrust "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)" @@ -1081,6 +1086,7 @@ CKA_VALUE MULTILINE_OCTAL \334\200\220\215\263\147\233\157\110\010\025\126\317\277\361\053 \174\136\232\166\351\131\220\305\174\203\065\021\145\121 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Entrust.net Premium 2048 Secure Server CA" # Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net @@ -1121,7 +1127,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # 
@@ -1218,6 +1224,7 @@ CKA_VALUE MULTILINE_OCTAL \107\322\070\056\320\376\201\334\062\152\036\265\356\074\325\374 \347\201\035\031\303\044\102\352\143\071\251 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Baltimore CyberTrust Root" # Issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE @@ -1361,6 +1368,7 @@ CKA_VALUE MULTILINE_OCTAL \213\343\161\314\036\033\040\104\010\300\172\266\100\375\304\344 \065\341\035\026\034\320\274\053\216\326\161\331 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "AddTrust Low-Value Services Root" # Issuer: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE @@ -1394,7 +1402,7 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -1509,6 +1517,7 @@ CKA_VALUE MULTILINE_OCTAL \232\171\017\040\012\056\325\236\143\046\036\125\222\224\330\202 \027\132\173\320\274\307\217\116\206\004 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "AddTrust External Root" # Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE 
@@ -1545,296 +1554,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# -# Certificate "AddTrust Public Services Root" -# -# Issuer: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE -# Serial Number: 1 (0x1) -# Subject: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE -# Not Valid Before: Tue May 30 10:41:50 2000 -# Not Valid After : Sat May 30 10:41:50 2020 -# Fingerprint (MD5): C1:62:3E:23:C5:82:73:9C:03:59:4B:2B:E9:77:49:7F -# Fingerprint (SHA1): 2A:B6:28:48:5E:78:FB:F3:AD:9E:79:10:DD:6B:DF:99:72:2C:96:E5 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "AddTrust Public Services Root" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061 -\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165 -\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024 -\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164 -\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101 -\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103 -\101\040\122\157\157\164 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061 -\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165 -\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024 -\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164 -\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101 -\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103 -\101\040\122\157\157\164 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\001 -END 
-CKA_VALUE MULTILINE_OCTAL -\060\202\004\025\060\202\002\375\240\003\002\001\002\002\001\001 -\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 -\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024 -\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163 -\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101 -\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167 -\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101\144 -\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103\101 -\040\122\157\157\164\060\036\027\015\060\060\060\065\063\060\061 -\060\064\061\065\060\132\027\015\062\060\060\065\063\060\061\060 -\064\061\065\060\132\060\144\061\013\060\011\006\003\125\004\006 -\023\002\123\105\061\024\060\022\006\003\125\004\012\023\013\101 -\144\144\124\162\165\163\164\040\101\102\061\035\060\033\006\003 -\125\004\013\023\024\101\144\144\124\162\165\163\164\040\124\124 -\120\040\116\145\164\167\157\162\153\061\040\060\036\006\003\125 -\004\003\023\027\101\144\144\124\162\165\163\164\040\120\165\142 -\154\151\143\040\103\101\040\122\157\157\164\060\202\001\042\060 -\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202 -\001\017\000\060\202\001\012\002\202\001\001\000\351\032\060\217 -\203\210\024\301\040\330\074\233\217\033\176\003\164\273\332\151 -\323\106\245\370\216\302\014\021\220\121\245\057\146\124\100\125 -\352\333\037\112\126\356\237\043\156\364\071\313\241\271\157\362 -\176\371\135\207\046\141\236\034\370\342\354\246\201\370\041\305 -\044\314\021\014\077\333\046\162\172\307\001\227\007\027\371\327 -\030\054\060\175\016\172\036\142\036\306\113\300\375\175\142\167 -\323\104\036\047\366\077\113\104\263\267\070\331\071\037\140\325 -\121\222\163\003\264\000\151\343\363\024\116\356\321\334\011\317 -\167\064\106\120\260\370\021\362\376\070\171\367\007\071\376\121 -\222\227\013\133\010\137\064\206\001\255\210\227\353\146\315\136 
-\321\377\334\175\362\204\332\272\167\255\334\200\010\307\247\207 -\326\125\237\227\152\350\310\021\144\272\347\031\051\077\021\263 -\170\220\204\040\122\133\021\357\170\320\203\366\325\110\220\320 -\060\034\317\200\371\140\376\171\344\210\362\335\000\353\224\105 -\353\145\224\151\100\272\300\325\264\270\272\175\004\021\250\353 -\061\005\226\224\116\130\041\216\237\320\140\375\002\003\001\000 -\001\243\201\321\060\201\316\060\035\006\003\125\035\016\004\026 -\004\024\201\076\067\330\222\260\037\167\237\134\264\253\163\252 -\347\366\064\140\057\372\060\013\006\003\125\035\017\004\004\003 -\002\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060 -\003\001\001\377\060\201\216\006\003\125\035\043\004\201\206\060 -\201\203\200\024\201\076\067\330\222\260\037\167\237\134\264\253 -\163\252\347\366\064\140\057\372\241\150\244\146\060\144\061\013 -\060\011\006\003\125\004\006\023\002\123\105\061\024\060\022\006 -\003\125\004\012\023\013\101\144\144\124\162\165\163\164\040\101 -\102\061\035\060\033\006\003\125\004\013\023\024\101\144\144\124 -\162\165\163\164\040\124\124\120\040\116\145\164\167\157\162\153 -\061\040\060\036\006\003\125\004\003\023\027\101\144\144\124\162 -\165\163\164\040\120\165\142\154\151\143\040\103\101\040\122\157 -\157\164\202\001\001\060\015\006\011\052\206\110\206\367\015\001 -\001\005\005\000\003\202\001\001\000\003\367\025\112\370\044\332 -\043\126\026\223\166\335\066\050\271\256\033\270\303\361\144\272 -\040\030\170\225\051\047\127\005\274\174\052\364\271\121\125\332 -\207\002\336\017\026\027\061\370\252\171\056\011\023\273\257\262 -\040\031\022\345\223\371\113\371\203\350\104\325\262\101\045\277 -\210\165\157\377\020\374\112\124\320\137\360\372\357\066\163\175 -\033\066\105\306\041\155\264\025\270\116\317\234\134\245\075\132 -\000\216\006\343\074\153\062\173\362\237\360\266\375\337\360\050 -\030\110\360\306\274\320\277\064\200\226\302\112\261\155\216\307 -\220\105\336\057\147\254\105\004\243\172\334\125\222\311\107\146 
-\330\032\214\307\355\234\116\232\340\022\273\265\152\114\204\341 -\341\042\015\207\000\144\376\214\175\142\071\145\246\357\102\266 -\200\045\022\141\001\250\044\023\160\000\021\046\137\372\065\120 -\305\110\314\006\107\350\047\330\160\215\137\144\346\241\104\046 -\136\042\354\222\315\377\102\232\104\041\155\134\305\343\042\035 -\137\107\022\347\316\137\135\372\330\252\261\063\055\331\166\362 -\116\072\063\014\053\263\055\220\006 -END - -# Trust for Certificate "AddTrust Public Services Root" -# Issuer: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE -# Serial Number: 1 (0x1) -# Subject: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE -# Not Valid Before: Tue May 30 10:41:50 2000 -# Not Valid After : Sat May 30 10:41:50 2020 -# Fingerprint (MD5): C1:62:3E:23:C5:82:73:9C:03:59:4B:2B:E9:77:49:7F -# Fingerprint (SHA1): 2A:B6:28:48:5E:78:FB:F3:AD:9E:79:10:DD:6B:DF:99:72:2C:96:E5 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "AddTrust Public Services Root" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\052\266\050\110\136\170\373\363\255\236\171\020\335\153\337\231 -\162\054\226\345 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\301\142\076\043\305\202\163\234\003\131\113\053\351\167\111\177 -END -CKA_ISSUER MULTILINE_OCTAL -\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061 -\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165 -\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024 -\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164 -\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101 -\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103 -\101\040\122\157\157\164 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\001 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING 
CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# -# Certificate "AddTrust Qualified Certificates Root" -# -# Issuer: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE -# Serial Number: 1 (0x1) -# Subject: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE -# Not Valid Before: Tue May 30 10:44:50 2000 -# Not Valid After : Sat May 30 10:44:50 2020 -# Fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB -# Fingerprint (SHA1): 4D:23:78:EC:91:95:39:B5:00:7F:75:8F:03:3B:21:1E:C5:4D:8B:CF -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "AddTrust Qualified Certificates Root" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061 -\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165 -\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024 -\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164 -\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101 -\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145 -\144\040\103\101\040\122\157\157\164 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061 -\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165 -\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024 -\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164 -\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101 -\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145 -\144\040\103\101\040\122\157\157\164 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\001 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\004\036\060\202\003\006\240\003\002\001\002\002\001\001 -\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 
-\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024 -\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163 -\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101 -\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167 -\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101\144 -\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145\144 -\040\103\101\040\122\157\157\164\060\036\027\015\060\060\060\065 -\063\060\061\060\064\064\065\060\132\027\015\062\060\060\065\063 -\060\061\060\064\064\065\060\132\060\147\061\013\060\011\006\003 -\125\004\006\023\002\123\105\061\024\060\022\006\003\125\004\012 -\023\013\101\144\144\124\162\165\163\164\040\101\102\061\035\060 -\033\006\003\125\004\013\023\024\101\144\144\124\162\165\163\164 -\040\124\124\120\040\116\145\164\167\157\162\153\061\043\060\041 -\006\003\125\004\003\023\032\101\144\144\124\162\165\163\164\040 -\121\165\141\154\151\146\151\145\144\040\103\101\040\122\157\157 -\164\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001 -\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001 -\001\000\344\036\232\376\334\011\132\207\244\237\107\276\021\137 -\257\204\064\333\142\074\171\170\267\351\060\265\354\014\034\052 -\304\026\377\340\354\161\353\212\365\021\156\355\117\015\221\322 -\022\030\055\111\025\001\302\244\042\023\307\021\144\377\042\022 -\232\271\216\134\057\010\317\161\152\263\147\001\131\361\135\106 -\363\260\170\245\366\016\102\172\343\177\033\314\320\360\267\050 -\375\052\352\236\263\260\271\004\252\375\366\307\264\261\270\052 -\240\373\130\361\031\240\157\160\045\176\076\151\112\177\017\042 -\330\357\255\010\021\232\051\231\341\252\104\105\232\022\136\076 -\235\155\122\374\347\240\075\150\057\360\113\160\174\023\070\255 -\274\025\045\361\326\316\253\242\300\061\326\057\237\340\377\024 -\131\374\204\223\331\207\174\114\124\023\353\237\321\055\021\370 -\030\072\072\336\045\331\367\323\100\355\244\006\022\304\073\341 
-\221\301\126\065\360\024\334\145\066\011\156\253\244\007\307\065 -\321\302\003\063\066\133\165\046\155\102\361\022\153\103\157\113 -\161\224\372\064\035\355\023\156\312\200\177\230\057\154\271\145 -\330\351\002\003\001\000\001\243\201\324\060\201\321\060\035\006 -\003\125\035\016\004\026\004\024\071\225\213\142\213\134\311\324 -\200\272\130\017\227\077\025\010\103\314\230\247\060\013\006\003 -\125\035\017\004\004\003\002\001\006\060\017\006\003\125\035\023 -\001\001\377\004\005\060\003\001\001\377\060\201\221\006\003\125 -\035\043\004\201\211\060\201\206\200\024\071\225\213\142\213\134 -\311\324\200\272\130\017\227\077\025\010\103\314\230\247\241\153 -\244\151\060\147\061\013\060\011\006\003\125\004\006\023\002\123 -\105\061\024\060\022\006\003\125\004\012\023\013\101\144\144\124 -\162\165\163\164\040\101\102\061\035\060\033\006\003\125\004\013 -\023\024\101\144\144\124\162\165\163\164\040\124\124\120\040\116 -\145\164\167\157\162\153\061\043\060\041\006\003\125\004\003\023 -\032\101\144\144\124\162\165\163\164\040\121\165\141\154\151\146 -\151\145\144\040\103\101\040\122\157\157\164\202\001\001\060\015 -\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001 -\001\000\031\253\165\352\370\213\145\141\225\023\272\151\004\357 -\206\312\023\240\307\252\117\144\033\077\030\366\250\055\054\125 -\217\005\267\060\352\102\152\035\300\045\121\055\247\277\014\263 -\355\357\010\177\154\074\106\032\352\030\103\337\166\314\371\146 -\206\234\054\150\365\351\027\370\061\263\030\304\326\110\175\043 -\114\150\301\176\273\001\024\157\305\331\156\336\273\004\102\152 -\370\366\134\175\345\332\372\207\353\015\065\122\147\320\236\227 -\166\005\223\077\225\307\001\346\151\125\070\177\020\141\231\311 -\343\137\246\312\076\202\143\110\252\342\010\110\076\252\362\262 -\205\142\246\264\247\331\275\067\234\150\265\055\126\175\260\267 -\077\240\261\007\326\351\117\334\336\105\161\060\062\177\033\056 -\011\371\277\122\241\356\302\200\076\006\134\056\125\100\301\033 
-\365\160\105\260\334\135\372\366\162\132\167\322\143\315\317\130 -\211\000\102\143\077\171\071\320\104\260\202\156\101\031\350\335 -\340\301\210\132\321\036\161\223\037\044\060\164\345\036\250\336 -\074\047\067\177\203\256\236\167\317\360\060\261\377\113\231\350 -\306\241 -END - -# Trust for Certificate "AddTrust Qualified Certificates Root" -# Issuer: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE -# Serial Number: 1 (0x1) -# Subject: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE -# Not Valid Before: Tue May 30 10:44:50 2000 -# Not Valid After : Sat May 30 10:44:50 2020 -# Fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB -# Fingerprint (SHA1): 4D:23:78:EC:91:95:39:B5:00:7F:75:8F:03:3B:21:1E:C5:4D:8B:CF -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "AddTrust Qualified Certificates Root" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\115\043\170\354\221\225\071\265\000\177\165\217\003\073\041\036 -\305\115\213\317 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\047\354\071\107\315\332\132\257\342\232\001\145\041\251\114\273 -END -CKA_ISSUER MULTILINE_OCTAL -\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061 -\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165 -\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024 -\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164 -\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101 -\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145 -\144\040\103\101\040\122\157\157\164 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\001 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED 
CK_BBOOL CK_FALSE # @@ -1961,6 +1681,7 @@ CKA_VALUE MULTILINE_OCTAL \322\367\127\160\066\263\277\374\050\257\161\045\205\133\023\376 \036\177\132\264\074 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Entrust Root Certification Authority" # Issuer: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US @@ -2094,6 +1815,7 @@ CKA_VALUE MULTILINE_OCTAL \331\027\264\321\343\121\053\136\165\350\325\320\334\117\064\355 \302\005\146\200\241\313\346\063 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "GeoTrust Global CA" # Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US 
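Review bot: The added `CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE` line (the same addition appears in the hunks at -2094, -2380, -2539, -2675, -2797, -2942 and -3422) introduces an attribute that nothing visible in this file explains, so a reader cannot tell what a root gains by carrying it or loses by omitting it. The file header is outside this chunk, so I cannot confirm whether it is described there; if it is not, a one-line comment before the first use such as `# CKA_NSS_MOZILLA_CA_POLICY: presumably marks roots admitted under the Mozilla root store policy — confirm against the builtins module that consumes it` would give the next maintainer the intent. Since this is a vendored NSS drop, the attribute is only meaningful if the module that parses this table recognises it, which is worth confirming against the rest of the update rather than assumed from the data file alone.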
@@ -2127,134 +1849,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# -# Certificate "GeoTrust Global CA 2" -# -# Issuer: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US -# Serial Number: 1 (0x1) -# Subject: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US -# Not Valid Before: Thu Mar 04 05:00:00 2004 -# Not Valid After : Mon Mar 04 05:00:00 2019 -# Fingerprint (MD5): 0E:40:A7:6C:DE:03:5D:8F:D1:0F:E4:D1:8D:F9:6C:A9 -# Fingerprint (SHA1): A9:E9:78:08:14:37:58:88:F2:05:19:B0:6D:2B:0D:2B:60:16:90:7D -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GeoTrust Global CA 2" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\104\061\013\060\011\006\003\125\004\006\023\002\125\123\061 -\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165 -\163\164\040\111\156\143\056\061\035\060\033\006\003\125\004\003 -\023\024\107\145\157\124\162\165\163\164\040\107\154\157\142\141 -\154\040\103\101\040\062 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\104\061\013\060\011\006\003\125\004\006\023\002\125\123\061 -\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165 -\163\164\040\111\156\143\056\061\035\060\033\006\003\125\004\003 -\023\024\107\145\157\124\162\165\163\164\040\107\154\157\142\141 -\154\040\103\101\040\062 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\001 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\003\146\060\202\002\116\240\003\002\001\002\002\001\001 -\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 -\104\061\013\060\011\006\003\125\004\006\023\002\125\123\061\026 -\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165\163 
-\164\040\111\156\143\056\061\035\060\033\006\003\125\004\003\023 -\024\107\145\157\124\162\165\163\164\040\107\154\157\142\141\154 -\040\103\101\040\062\060\036\027\015\060\064\060\063\060\064\060 -\065\060\060\060\060\132\027\015\061\071\060\063\060\064\060\065 -\060\060\060\060\132\060\104\061\013\060\011\006\003\125\004\006 -\023\002\125\123\061\026\060\024\006\003\125\004\012\023\015\107 -\145\157\124\162\165\163\164\040\111\156\143\056\061\035\060\033 -\006\003\125\004\003\023\024\107\145\157\124\162\165\163\164\040 -\107\154\157\142\141\154\040\103\101\040\062\060\202\001\042\060 -\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202 -\001\017\000\060\202\001\012\002\202\001\001\000\357\074\115\100 -\075\020\337\073\123\000\341\147\376\224\140\025\076\205\210\361 -\211\015\220\310\050\043\231\005\350\053\040\235\306\363\140\106 -\330\301\262\325\214\061\331\334\040\171\044\201\277\065\062\374 -\143\151\333\261\052\153\356\041\130\362\010\351\170\313\157\313 -\374\026\122\310\221\304\377\075\163\336\261\076\247\302\175\146 -\301\365\176\122\044\032\342\325\147\221\320\202\020\327\170\113 -\117\053\102\071\275\144\055\100\240\260\020\323\070\110\106\210 -\241\014\273\072\063\052\142\230\373\000\235\023\131\177\157\073 -\162\252\356\246\017\206\371\005\141\352\147\177\014\067\226\213 -\346\151\026\107\021\302\047\131\003\263\246\140\302\041\100\126 -\372\240\307\175\072\023\343\354\127\307\263\326\256\235\211\200 -\367\001\347\054\366\226\053\023\015\171\054\331\300\344\206\173 -\113\214\014\162\202\212\373\027\315\000\154\072\023\074\260\204 -\207\113\026\172\051\262\117\333\035\324\013\363\146\067\275\330 -\366\127\273\136\044\172\270\074\213\271\372\222\032\032\204\236 -\330\164\217\252\033\177\136\364\376\105\042\041\002\003\001\000 -\001\243\143\060\141\060\017\006\003\125\035\023\001\001\377\004 -\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026\004 -\024\161\070\066\362\002\061\123\107\053\156\272\145\106\251\020 
-\025\130\040\005\011\060\037\006\003\125\035\043\004\030\060\026 -\200\024\161\070\066\362\002\061\123\107\053\156\272\145\106\251 -\020\025\130\040\005\011\060\016\006\003\125\035\017\001\001\377 -\004\004\003\002\001\206\060\015\006\011\052\206\110\206\367\015 -\001\001\005\005\000\003\202\001\001\000\003\367\265\053\253\135 -\020\374\173\262\262\136\254\233\016\176\123\170\131\076\102\004 -\376\165\243\255\254\201\116\327\002\213\136\304\055\310\122\166 -\307\054\037\374\201\062\230\321\113\306\222\223\063\065\061\057 -\374\330\035\104\335\340\201\177\235\351\213\341\144\221\142\013 -\071\010\214\254\164\235\131\331\172\131\122\227\021\271\026\173 -\157\105\323\226\331\061\175\002\066\017\234\073\156\317\054\015 -\003\106\105\353\240\364\177\110\104\306\010\100\314\336\033\160 -\265\051\255\272\213\073\064\145\165\033\161\041\035\054\024\012 -\260\226\225\270\326\352\362\145\373\051\272\117\352\221\223\164 -\151\266\362\377\341\032\320\014\321\166\205\313\212\045\275\227 -\136\054\157\025\231\046\347\266\051\377\042\354\311\002\307\126 -\000\315\111\271\263\154\173\123\004\032\342\250\311\252\022\005 -\043\302\316\347\273\004\002\314\300\107\242\344\304\051\057\133 -\105\127\211\121\356\074\353\122\010\377\007\065\036\237\065\152 -\107\112\126\230\321\132\205\037\214\365\042\277\253\316\203\363 -\342\042\051\256\175\203\100\250\272\154 -END - -# Trust for Certificate "GeoTrust Global CA 2" -# Issuer: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US -# Serial Number: 1 (0x1) -# Subject: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US -# Not Valid Before: Thu Mar 04 05:00:00 2004 -# Not Valid After : Mon Mar 04 05:00:00 2019 -# Fingerprint (MD5): 0E:40:A7:6C:DE:03:5D:8F:D1:0F:E4:D1:8D:F9:6C:A9 -# Fingerprint (SHA1): A9:E9:78:08:14:37:58:88:F2:05:19:B0:6D:2B:0D:2B:60:16:90:7D -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GeoTrust Global CA 2" -CKA_CERT_SHA1_HASH 
MULTILINE_OCTAL -\251\351\170\010\024\067\130\210\362\005\031\260\155\053\015\053 -\140\026\220\175 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\016\100\247\154\336\003\135\217\321\017\344\321\215\371\154\251 -END -CKA_ISSUER MULTILINE_OCTAL -\060\104\061\013\060\011\006\003\125\004\006\023\002\125\123\061 -\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165 -\163\164\040\111\156\143\056\061\035\060\033\006\003\125\004\003 -\023\024\107\145\157\124\162\165\163\164\040\107\154\157\142\141 -\154\040\103\101\040\062 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\001 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -2380,6 +1975,7 @@ CKA_VALUE MULTILINE_OCTAL \247\110\301\134\220\017\313\310\077\372\346\062\341\215\033\157 \244\346\216\330\371\051\110\212\316\163\376\054 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "GeoTrust Universal CA" # Issuer: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US @@ -2413,7 +2009,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -2539,6 +2135,7 @@ CKA_VALUE MULTILINE_OCTAL \370\351\242\054\114\246\321\046\137\176\257\132\114\332\037\246 \362\034\054\176\256\002\026\322\126\320\057\127\123\107\350\222 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "GeoTrust Universal CA 2" # Issuer: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US 
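Review bot: `CKA_TRUST_CODE_SIGNING` changes from `CKT_NSS_TRUSTED_DELEGATOR` to `CKT_NSS_MUST_VERIFY_TRUST` for every root touched here and in the hunks at -2413, -2572, -2711, -2829 and -3459, while the server-auth and e-mail trust lines stay `CKT_NSS_TRUSTED_DELEGATOR`; nothing in the file records why, and the neighbouring `# Trust for Certificate` blocks carry only identity and fingerprints. This is a trust reduction rather than a distrust — the root remains in the store but no longer anchors code-signing chains on its own — and that distinction is easy to misread in a later trust audit, so a short comment at the first changed entry, e.g. `# Code-signing trust withdrawn from built-in roots in this NSS release; server-auth and e-mail trust unchanged`, would make the intent explicit. The removal of the "GeoTrust Global CA 2" entries in this hunk (and of the two Comodo roots in the -2978 hunk) is a stronger step than the flag change and would benefit from the same one-line note.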
@@ -2572,7 +2169,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -2675,6 +2272,7 @@ CKA_VALUE MULTILINE_OCTAL \337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026 \222\340\134\366\007\017 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Visa eCommerce Root" # Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US @@ -2711,7 +2309,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -2797,6 +2395,7 @@ CKA_VALUE MULTILINE_OCTAL \355\200\316\211\100\110\152\016\065\312\051\146\025\041\224\054 \350\140\052\233\205\112\100\363\153\212\044\354\006\026\054\163 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Certum Root CA" # Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL @@ -2829,7 +2428,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -2942,6 +2541,7 @@ CKA_VALUE MULTILINE_OCTAL \262\143\342\365\142\054\202\324\152\000\101\120\361\071\203\237 \225\351\066\226\230\156 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Comodo AAA Services root" # Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB 
@@ -2978,310 +2578,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# -# Certificate "Comodo Secure Services root" -# -# Issuer: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB -# Serial Number: 1 (0x1) -# Subject: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB -# Not Valid Before: Thu Jan 01 00:00:00 2004 -# Not Valid After : Sun Dec 31 23:59:59 2028 -# Fingerprint (MD5): D3:D9:BD:AE:9F:AC:67:24:B3:C8:1B:52:E1:B9:A9:BD -# Fingerprint (SHA1): 4A:65:D5:F4:1D:EF:39:B8:B8:90:4A:4A:D3:64:81:33:CF:C7:A1:D1 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Comodo Secure Services root" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061 -\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145 -\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016 -\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032 -\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040 -\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003 -\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164 -\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061 -\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145 -\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016 -\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032 -\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040 
-\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003 -\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164 -\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\001 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\004\077\060\202\003\047\240\003\002\001\002\002\001\001 -\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 -\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033 -\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162 -\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006 -\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060 -\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103 -\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003\125 -\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164\151 -\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163\060 -\036\027\015\060\064\060\061\060\061\060\060\060\060\060\060\132 -\027\015\062\070\061\062\063\061\062\063\065\071\065\071\132\060 -\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033 -\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162 -\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006 -\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060 -\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103 -\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003\125 -\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164\151 -\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163\060 -\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001 -\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000 -\300\161\063\202\212\320\160\353\163\207\202\100\325\035\344\313 -\311\016\102\220\371\336\064\271\241\272\021\364\045\205\363\314 -\162\155\362\173\227\153\263\007\361\167\044\221\137\045\217\366 -\164\075\344\200\302\370\074\015\363\277\100\352\367\310\122\321 
-\162\157\357\310\253\101\270\156\056\027\052\225\151\014\315\322 -\036\224\173\055\224\035\252\165\327\263\230\313\254\274\144\123 -\100\274\217\254\254\066\313\134\255\273\335\340\224\027\354\321 -\134\320\277\357\245\225\311\220\305\260\254\373\033\103\337\172 -\010\135\267\270\362\100\033\053\047\236\120\316\136\145\202\210 -\214\136\323\116\014\172\352\010\221\266\066\252\053\102\373\352 -\302\243\071\345\333\046\070\255\213\012\356\031\143\307\034\044 -\337\003\170\332\346\352\301\107\032\013\013\106\011\335\002\374 -\336\313\207\137\327\060\143\150\241\256\334\062\241\272\276\376 -\104\253\150\266\245\027\025\375\275\325\247\247\232\344\104\063 -\351\210\216\374\355\121\353\223\161\116\255\001\347\104\216\253 -\055\313\250\376\001\111\110\360\300\335\307\150\330\222\376\075 -\002\003\001\000\001\243\201\307\060\201\304\060\035\006\003\125 -\035\016\004\026\004\024\074\330\223\210\302\300\202\011\314\001 -\231\006\223\040\351\236\160\011\143\117\060\016\006\003\125\035 -\017\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035 -\023\001\001\377\004\005\060\003\001\001\377\060\201\201\006\003 -\125\035\037\004\172\060\170\060\073\240\071\240\067\206\065\150 -\164\164\160\072\057\057\143\162\154\056\143\157\155\157\144\157 -\143\141\056\143\157\155\057\123\145\143\165\162\145\103\145\162 -\164\151\146\151\143\141\164\145\123\145\162\166\151\143\145\163 -\056\143\162\154\060\071\240\067\240\065\206\063\150\164\164\160 -\072\057\057\143\162\154\056\143\157\155\157\144\157\056\156\145 -\164\057\123\145\143\165\162\145\103\145\162\164\151\146\151\143 -\141\164\145\123\145\162\166\151\143\145\163\056\143\162\154\060 -\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202 -\001\001\000\207\001\155\043\035\176\133\027\175\301\141\062\317 -\217\347\363\212\224\131\146\340\236\050\250\136\323\267\364\064 -\346\252\071\262\227\026\305\202\157\062\244\351\214\347\257\375 -\357\302\350\271\113\252\243\364\346\332\215\145\041\373\272\200 
-\353\046\050\205\032\376\071\214\336\133\004\004\264\124\371\243 -\147\236\101\372\011\122\314\005\110\250\311\077\041\004\036\316 -\110\153\374\205\350\302\173\257\177\267\314\370\137\072\375\065 -\306\015\357\227\334\114\253\021\341\153\313\061\321\154\373\110 -\200\253\334\234\067\270\041\024\113\015\161\075\354\203\063\156 -\321\156\062\026\354\230\307\026\213\131\246\064\253\005\127\055 -\223\367\252\023\313\322\023\342\267\056\073\315\153\120\027\011 -\150\076\265\046\127\356\266\340\266\335\271\051\200\171\175\217 -\243\360\244\050\244\025\304\205\364\047\324\153\277\345\134\344 -\145\002\166\124\264\343\067\146\044\323\031\141\310\122\020\345 -\213\067\232\271\251\371\035\277\352\231\222\141\226\377\001\315 -\241\137\015\274\161\274\016\254\013\035\107\105\035\301\354\174 -\354\375\051 -END - -# Trust for Certificate "Comodo Secure Services root" -# Issuer: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB -# Serial Number: 1 (0x1) -# Subject: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB -# Not Valid Before: Thu Jan 01 00:00:00 2004 -# Not Valid After : Sun Dec 31 23:59:59 2028 -# Fingerprint (MD5): D3:D9:BD:AE:9F:AC:67:24:B3:C8:1B:52:E1:B9:A9:BD -# Fingerprint (SHA1): 4A:65:D5:F4:1D:EF:39:B8:B8:90:4A:4A:D3:64:81:33:CF:C7:A1:D1 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Comodo Secure Services root" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\112\145\325\364\035\357\071\270\270\220\112\112\323\144\201\063 -\317\307\241\321 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\323\331\275\256\237\254\147\044\263\310\033\122\341\271\251\275 -END -CKA_ISSUER MULTILINE_OCTAL -\060\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061 -\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145 -\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016 
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032 -\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040 -\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003 -\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164 -\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\001 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# -# Certificate "Comodo Trusted Services root" -# -# Issuer: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB -# Serial Number: 1 (0x1) -# Subject: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB -# Not Valid Before: Thu Jan 01 00:00:00 2004 -# Not Valid After : Sun Dec 31 23:59:59 2028 -# Fingerprint (MD5): 91:1B:3F:6E:CD:9E:AB:EE:07:FE:1F:71:D2:B3:61:27 -# Fingerprint (SHA1): E1:9F:E3:0E:8B:84:60:9E:80:9B:17:0D:72:A8:C5:BA:6E:14:09:BD -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Comodo Trusted Services root" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061 -\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145 -\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016 -\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032 -\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040 -\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003 -\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162 -\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145 -\163 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL 
-\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061 -\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145 -\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016 -\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032 -\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040 -\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003 -\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162 -\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145 -\163 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\001 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\004\103\060\202\003\053\240\003\002\001\002\002\001\001 -\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 -\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033 -\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162 -\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006 -\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060 -\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103 -\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003\125 -\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162\164 -\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163 -\060\036\027\015\060\064\060\061\060\061\060\060\060\060\060\060 -\132\027\015\062\070\061\062\063\061\062\063\065\071\065\071\132 -\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061 -\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145 -\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016 -\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032 -\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040 -\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003 -\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162 -\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145 
-\163\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001 -\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001 -\001\000\337\161\157\066\130\123\132\362\066\124\127\200\304\164 -\010\040\355\030\177\052\035\346\065\232\036\045\254\234\345\226 -\176\162\122\240\025\102\333\131\335\144\172\032\320\270\173\335 -\071\025\274\125\110\304\355\072\000\352\061\021\272\362\161\164 -\032\147\270\317\063\314\250\061\257\243\343\327\177\277\063\055 -\114\152\074\354\213\303\222\322\123\167\044\164\234\007\156\160 -\374\275\013\133\166\272\137\362\377\327\067\113\112\140\170\367 -\360\372\312\160\264\352\131\252\243\316\110\057\251\303\262\013 -\176\027\162\026\014\246\007\014\033\070\317\311\142\267\077\240 -\223\245\207\101\362\267\160\100\167\330\276\024\174\343\250\300 -\172\216\351\143\152\321\017\232\306\322\364\213\072\024\004\126 -\324\355\270\314\156\365\373\342\054\130\275\177\117\153\053\367 -\140\044\130\044\316\046\357\064\221\072\325\343\201\320\262\360 -\004\002\327\133\267\076\222\254\153\022\212\371\344\005\260\073 -\221\111\134\262\353\123\352\370\237\107\206\356\277\225\300\300 -\006\237\322\133\136\021\033\364\307\004\065\051\322\125\134\344 -\355\353\002\003\001\000\001\243\201\311\060\201\306\060\035\006 -\003\125\035\016\004\026\004\024\305\173\130\275\355\332\045\151 -\322\367\131\026\250\263\062\300\173\047\133\364\060\016\006\003 -\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003 -\125\035\023\001\001\377\004\005\060\003\001\001\377\060\201\203 -\006\003\125\035\037\004\174\060\172\060\074\240\072\240\070\206 -\066\150\164\164\160\072\057\057\143\162\154\056\143\157\155\157 -\144\157\143\141\056\143\157\155\057\124\162\165\163\164\145\144 -\103\145\162\164\151\146\151\143\141\164\145\123\145\162\166\151 -\143\145\163\056\143\162\154\060\072\240\070\240\066\206\064\150 -\164\164\160\072\057\057\143\162\154\056\143\157\155\157\144\157 -\056\156\145\164\057\124\162\165\163\164\145\144\103\145\162\164 
-\151\146\151\143\141\164\145\123\145\162\166\151\143\145\163\056 -\143\162\154\060\015\006\011\052\206\110\206\367\015\001\001\005 -\005\000\003\202\001\001\000\310\223\201\073\211\264\257\270\204 -\022\114\215\322\360\333\160\272\127\206\025\064\020\271\057\177 -\036\260\250\211\140\241\212\302\167\014\120\112\233\000\213\330 -\213\364\101\342\320\203\212\112\034\024\006\260\243\150\005\160 -\061\060\247\123\233\016\351\112\240\130\151\147\016\256\235\366 -\245\054\101\277\074\006\153\344\131\314\155\020\361\226\157\037 -\337\364\004\002\244\237\105\076\310\330\372\066\106\104\120\077 -\202\227\221\037\050\333\030\021\214\052\344\145\203\127\022\022 -\214\027\077\224\066\376\135\260\300\004\167\023\270\364\025\325 -\077\070\314\224\072\125\320\254\230\365\272\000\137\340\206\031 -\201\170\057\050\300\176\323\314\102\012\365\256\120\240\321\076 -\306\241\161\354\077\240\040\214\146\072\211\264\216\324\330\261 -\115\045\107\356\057\210\310\265\341\005\105\300\276\024\161\336 -\172\375\216\173\175\115\010\226\245\022\163\360\055\312\067\047 -\164\022\047\114\313\266\227\351\331\256\010\155\132\071\100\335 -\005\107\165\152\132\041\263\243\030\317\116\367\056\127\267\230 -\160\136\310\304\170\260\142 -END - -# Trust for Certificate "Comodo Trusted Services root" -# Issuer: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB -# Serial Number: 1 (0x1) -# Subject: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB -# Not Valid Before: Thu Jan 01 00:00:00 2004 -# Not Valid After : Sun Dec 31 23:59:59 2028 -# Fingerprint (MD5): 91:1B:3F:6E:CD:9E:AB:EE:07:FE:1F:71:D2:B3:61:27 -# Fingerprint (SHA1): E1:9F:E3:0E:8B:84:60:9E:80:9B:17:0D:72:A8:C5:BA:6E:14:09:BD -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Comodo Trusted Services root" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL 
-\341\237\343\016\213\204\140\236\200\233\027\015\162\250\305\272 -\156\024\011\275 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\221\033\077\156\315\236\253\356\007\376\037\161\322\263\141\047 -END -CKA_ISSUER MULTILINE_OCTAL -\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061 -\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145 -\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016 -\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032 -\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040 -\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003 -\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162 -\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145 -\163 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\001 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -3422,6 +2719,7 @@ CKA_VALUE MULTILINE_OCTAL \207\051\317\362\211\115\324\354\305\342\346\172\320\066\043\212 \112\164\066\371 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "QuoVadis Root CA" # Issuer: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM @@ -3459,7 +2757,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # 
@@ -3590,6 +2888,7 @@ CKA_VALUE MULTILINE_OCTAL \361\343\261\357\337\221\217\124\052\013\045\301\046\031\304\122 \020\005\145\325\202\020\352\302\061\315\056 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "QuoVadis Root CA 2" # Issuer: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM @@ -3623,7 +2922,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -3769,6 +3068,7 @@ CKA_VALUE MULTILINE_OCTAL \341\045\141\063\262\131\033\342\156\327\067\127\266\015\251\022 \332 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "QuoVadis Root CA 3" # Issuer: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM @@ -3802,7 +3102,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -3897,6 +3197,7 @@ CKA_VALUE MULTILINE_OCTAL \214\154\041\314\164\102\355\123\377\063\213\217\017\127\001\026 \057\317\246\356\311\160\042\024\275\375\276\154\013\003 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Security Communication Root CA" # Issuer: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP @@ -3931,7 +3232,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # 
@@ -4019,6 +3320,7 @@ CKA_VALUE MULTILINE_OCTAL \072\216\013\252\062\156\333\374\117\045\237\331\062\307\226\132 \160\254\337\114 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Sonera Class 2 Root CA" # Issuer: CN=Sonera Class2 CA,O=Sonera,C=FI @@ -4180,6 +3482,7 @@ CKA_VALUE MULTILINE_OCTAL \370\320\216\362\363\306\256\050\133\247\360\363\066\027\374\303 \005\323\312\003\112\124 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "UTN USERFirst Email Root CA" # Issuer: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US 
@@ -4225,327 +3528,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "UTN USERFirst Hardware Root CA" -# -# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US -# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd -# Subject: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US -# Not Valid Before: Fri Jul 09 18:10:42 1999 -# Not Valid After : Tue Jul 09 18:19:22 2019 -# Fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39 -# Fingerprint (SHA1): 04:83:ED:33:99:AC:36:08:05:87:22:ED:BC:5E:46:00:E3:BE:F9:D7 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "UTN USERFirst Hardware Root CA" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\201\227\061\013\060\011\006\003\125\004\006\023\002\125\123 -\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060 -\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153 -\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023 -\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116 -\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023 -\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162 -\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125 -\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163 -\164\055\110\141\162\144\167\141\162\145 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\201\227\061\013\060\011\006\003\125\004\006\023\002\125\123 -\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060 -\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153 -\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023 
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116 -\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023 -\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162 -\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125 -\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163 -\164\055\110\141\162\144\167\141\162\145 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\104\276\014\213\120\000\044\264\021\323\066\052\376\145 -\012\375 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\004\164\060\202\003\134\240\003\002\001\002\002\020\104 -\276\014\213\120\000\044\264\021\323\066\052\376\145\012\375\060 -\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201 -\227\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013 -\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006 -\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040 -\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124 -\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164 -\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030\150 -\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164\162 -\165\163\164\056\143\157\155\061\037\060\035\006\003\125\004\003 -\023\026\125\124\116\055\125\123\105\122\106\151\162\163\164\055 -\110\141\162\144\167\141\162\145\060\036\027\015\071\071\060\067 -\060\071\061\070\061\060\064\062\132\027\015\061\071\060\067\060 -\071\061\070\061\071\062\062\132\060\201\227\061\013\060\011\006 -\003\125\004\006\023\002\125\123\061\013\060\011\006\003\125\004 -\010\023\002\125\124\061\027\060\025\006\003\125\004\007\023\016 -\123\141\154\164\040\114\141\153\145\040\103\151\164\171\061\036 -\060\034\006\003\125\004\012\023\025\124\150\145\040\125\123\105 -\122\124\122\125\123\124\040\116\145\164\167\157\162\153\061\041 -\060\037\006\003\125\004\013\023\030\150\164\164\160\072\057\057 -\167\167\167\056\165\163\145\162\164\162\165\163\164\056\143\157 
-\155\061\037\060\035\006\003\125\004\003\023\026\125\124\116\055 -\125\123\105\122\106\151\162\163\164\055\110\141\162\144\167\141 -\162\145\060\202\001\042\060\015\006\011\052\206\110\206\367\015 -\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202 -\001\001\000\261\367\303\070\077\264\250\177\317\071\202\121\147 -\320\155\237\322\377\130\363\347\237\053\354\015\211\124\231\271 -\070\231\026\367\340\041\171\110\302\273\141\164\022\226\035\074 -\152\162\325\074\020\147\072\071\355\053\023\315\146\353\225\011 -\063\244\154\227\261\350\306\354\301\165\171\234\106\136\215\253 -\320\152\375\271\052\125\027\020\124\263\031\360\232\366\361\261 -\135\266\247\155\373\340\161\027\153\242\210\373\000\337\376\032 -\061\167\014\232\001\172\261\062\343\053\001\007\070\156\303\245 -\136\043\274\105\233\173\120\301\311\060\217\333\345\053\172\323 -\133\373\063\100\036\240\325\230\027\274\213\207\303\211\323\135 -\240\216\262\252\252\366\216\151\210\006\305\372\211\041\363\010 -\235\151\056\011\063\233\051\015\106\017\214\314\111\064\260\151 -\121\275\371\006\315\150\255\146\114\274\076\254\141\275\012\210 -\016\310\337\075\356\174\004\114\235\012\136\153\221\326\356\307 -\355\050\215\253\115\207\211\163\320\156\244\320\036\026\213\024 -\341\166\104\003\177\143\254\344\315\111\234\305\222\364\253\062 -\241\110\133\002\003\001\000\001\243\201\271\060\201\266\060\013 -\006\003\125\035\017\004\004\003\002\001\306\060\017\006\003\125 -\035\023\001\001\377\004\005\060\003\001\001\377\060\035\006\003 -\125\035\016\004\026\004\024\241\162\137\046\033\050\230\103\225 -\135\007\067\325\205\226\235\113\322\303\105\060\104\006\003\125 -\035\037\004\075\060\073\060\071\240\067\240\065\206\063\150\164 -\164\160\072\057\057\143\162\154\056\165\163\145\162\164\162\165 -\163\164\056\143\157\155\057\125\124\116\055\125\123\105\122\106 -\151\162\163\164\055\110\141\162\144\167\141\162\145\056\143\162 -\154\060\061\006\003\125\035\045\004\052\060\050\006\010\053\006 
-\001\005\005\007\003\001\006\010\053\006\001\005\005\007\003\005 -\006\010\053\006\001\005\005\007\003\006\006\010\053\006\001\005 -\005\007\003\007\060\015\006\011\052\206\110\206\367\015\001\001 -\005\005\000\003\202\001\001\000\107\031\017\336\164\306\231\227 -\257\374\255\050\136\165\216\353\055\147\356\116\173\053\327\014 -\377\366\336\313\125\242\012\341\114\124\145\223\140\153\237\022 -\234\255\136\203\054\353\132\256\300\344\055\364\000\143\035\270 -\300\154\362\317\111\273\115\223\157\006\246\012\042\262\111\142 -\010\116\377\310\310\024\262\210\026\135\347\001\344\022\225\345 -\105\064\263\213\151\275\317\264\205\217\165\121\236\175\072\070 -\072\024\110\022\306\373\247\073\032\215\015\202\100\007\350\004 -\010\220\241\211\313\031\120\337\312\034\001\274\035\004\031\173 -\020\166\227\073\356\220\220\312\304\016\037\026\156\165\357\063 -\370\323\157\133\036\226\343\340\164\167\164\173\212\242\156\055 -\335\166\326\071\060\202\360\253\234\122\362\052\307\257\111\136 -\176\307\150\345\202\201\310\152\047\371\047\210\052\325\130\120 -\225\037\360\073\034\127\273\175\024\071\142\053\232\311\224\222 -\052\243\042\014\377\211\046\175\137\043\053\107\327\025\035\251 -\152\236\121\015\052\121\236\201\371\324\073\136\160\022\177\020 -\062\234\036\273\235\370\146\250 -END - -# Trust for Certificate "UTN USERFirst Hardware Root CA" -# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US -# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd -# Subject: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US -# Not Valid Before: Fri Jul 09 18:10:42 1999 -# Not Valid After : Tue Jul 09 18:19:22 2019 -# Fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39 -# Fingerprint (SHA1): 04:83:ED:33:99:AC:36:08:05:87:22:ED:BC:5E:46:00:E3:BE:F9:D7 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE 
-CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "UTN USERFirst Hardware Root CA" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\004\203\355\063\231\254\066\010\005\207\042\355\274\136\106\000 -\343\276\371\327 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\114\126\101\345\015\273\053\350\312\243\355\030\010\255\103\071 -END -CKA_ISSUER MULTILINE_OCTAL -\060\201\227\061\013\060\011\006\003\125\004\006\023\002\125\123 -\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060 -\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153 -\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023 -\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116 -\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023 -\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162 -\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125 -\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163 -\164\055\110\141\162\144\167\141\162\145 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\104\276\014\213\120\000\044\264\021\323\066\052\376\145 -\012\375 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# -# Certificate "UTN USERFirst Object Root CA" -# -# Issuer: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US -# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2d:e0:b3:5f:1b -# Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US -# Not Valid Before: Fri Jul 09 18:31:20 1999 -# Not Valid After : Tue Jul 09 18:40:36 2019 -# Fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9 -# Fingerprint (SHA1): E1:2D:FB:4B:41:D7:D9:C3:2B:30:51:4B:AC:1D:81:D8:38:5E:2D:46 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE 
-CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "UTN USERFirst Object Root CA" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\201\225\061\013\060\011\006\003\125\004\006\023\002\125\123 -\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060 -\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153 -\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023 -\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116 -\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023 -\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162 -\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125 -\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163 -\164\055\117\142\152\145\143\164 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\201\225\061\013\060\011\006\003\125\004\006\023\002\125\123 -\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060 -\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153 -\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023 -\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116 -\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023 -\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162 -\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125 -\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163 -\164\055\117\142\152\145\143\164 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\104\276\014\213\120\000\044\264\021\323\066\055\340\263 -\137\033 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\004\146\060\202\003\116\240\003\002\001\002\002\020\104 -\276\014\213\120\000\044\264\021\323\066\055\340\263\137\033\060 -\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201 -\225\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013 -\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006 
-\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040 -\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124 -\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164 -\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030\150 -\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164\162 -\165\163\164\056\143\157\155\061\035\060\033\006\003\125\004\003 -\023\024\125\124\116\055\125\123\105\122\106\151\162\163\164\055 -\117\142\152\145\143\164\060\036\027\015\071\071\060\067\060\071 -\061\070\063\061\062\060\132\027\015\061\071\060\067\060\071\061 -\070\064\060\063\066\132\060\201\225\061\013\060\011\006\003\125 -\004\006\023\002\125\123\061\013\060\011\006\003\125\004\010\023 -\002\125\124\061\027\060\025\006\003\125\004\007\023\016\123\141 -\154\164\040\114\141\153\145\040\103\151\164\171\061\036\060\034 -\006\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124 -\122\125\123\124\040\116\145\164\167\157\162\153\061\041\060\037 -\006\003\125\004\013\023\030\150\164\164\160\072\057\057\167\167 -\167\056\165\163\145\162\164\162\165\163\164\056\143\157\155\061 -\035\060\033\006\003\125\004\003\023\024\125\124\116\055\125\123 -\105\122\106\151\162\163\164\055\117\142\152\145\143\164\060\202 -\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005 -\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\316 -\252\201\077\243\243\141\170\252\061\000\125\225\021\236\047\017 -\037\034\337\072\233\202\150\060\300\112\141\035\361\057\016\372 -\276\171\367\245\043\357\125\121\226\204\315\333\343\271\156\076 -\061\330\012\040\147\307\364\331\277\224\353\107\004\076\002\316 -\052\242\135\207\004\011\366\060\235\030\212\227\262\252\034\374 -\101\322\241\066\313\373\075\221\272\347\331\160\065\372\344\347 -\220\303\233\243\233\323\074\365\022\231\167\261\267\011\340\150 -\346\034\270\363\224\143\210\152\152\376\013\166\311\276\364\042 -\344\147\271\253\032\136\167\301\205\007\335\015\154\277\356\006 
-\307\167\152\101\236\247\017\327\373\356\224\027\267\374\205\276 -\244\253\304\034\061\335\327\266\321\344\360\357\337\026\217\262 -\122\223\327\241\324\211\241\007\056\277\341\001\022\102\036\032 -\341\330\225\064\333\144\171\050\377\272\056\021\302\345\350\133 -\222\110\373\107\013\302\154\332\255\062\203\101\363\245\345\101 -\160\375\145\220\155\372\372\121\304\371\275\226\053\031\004\054 -\323\155\247\334\360\177\157\203\145\342\152\253\207\206\165\002 -\003\001\000\001\243\201\257\060\201\254\060\013\006\003\125\035 -\017\004\004\003\002\001\306\060\017\006\003\125\035\023\001\001 -\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004 -\026\004\024\332\355\144\164\024\234\024\074\253\335\231\251\275 -\133\050\115\213\074\311\330\060\102\006\003\125\035\037\004\073 -\060\071\060\067\240\065\240\063\206\061\150\164\164\160\072\057 -\057\143\162\154\056\165\163\145\162\164\162\165\163\164\056\143 -\157\155\057\125\124\116\055\125\123\105\122\106\151\162\163\164 -\055\117\142\152\145\143\164\056\143\162\154\060\051\006\003\125 -\035\045\004\042\060\040\006\010\053\006\001\005\005\007\003\003 -\006\010\053\006\001\005\005\007\003\010\006\012\053\006\001\004 -\001\202\067\012\003\004\060\015\006\011\052\206\110\206\367\015 -\001\001\005\005\000\003\202\001\001\000\010\037\122\261\067\104 -\170\333\375\316\271\332\225\226\230\252\125\144\200\265\132\100 -\335\041\245\305\301\363\137\054\114\310\107\132\151\352\350\360 -\065\065\364\320\045\363\310\246\244\207\112\275\033\261\163\010 -\275\324\303\312\266\065\273\131\206\167\061\315\247\200\024\256 -\023\357\374\261\110\371\153\045\045\055\121\266\054\155\105\301 -\230\310\212\126\135\076\356\103\116\076\153\047\216\320\072\113 -\205\013\137\323\355\152\247\165\313\321\132\207\057\071\165\023 -\132\162\260\002\201\237\276\360\017\204\124\040\142\154\151\324 -\341\115\306\015\231\103\001\015\022\226\214\170\235\277\120\242 -\261\104\252\152\317\027\172\317\157\017\324\370\044\125\137\360 
-\064\026\111\146\076\120\106\311\143\161\070\061\142\270\142\271 -\363\123\255\154\265\053\242\022\252\031\117\011\332\136\347\223 -\306\216\024\010\376\360\060\200\030\240\206\205\115\310\175\327 -\213\003\376\156\325\367\235\026\254\222\054\240\043\345\234\221 -\122\037\224\337\027\224\163\303\263\301\301\161\005\040\000\170 -\275\023\122\035\250\076\315\000\037\310 -END - -# Trust for Certificate "UTN USERFirst Object Root CA" -# Issuer: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US -# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2d:e0:b3:5f:1b -# Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US -# Not Valid Before: Fri Jul 09 18:31:20 1999 -# Not Valid After : Tue Jul 09 18:40:36 2019 -# Fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9 -# Fingerprint (SHA1): E1:2D:FB:4B:41:D7:D9:C3:2B:30:51:4B:AC:1D:81:D8:38:5E:2D:46 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "UTN USERFirst Object Root CA" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\341\055\373\113\101\327\331\303\053\060\121\113\254\035\201\330 -\070\136\055\106 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\247\362\344\026\006\101\021\120\060\153\234\343\264\234\260\311 -END -CKA_ISSUER MULTILINE_OCTAL -\060\201\225\061\013\060\011\006\003\125\004\006\023\002\125\123 -\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060 -\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153 -\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023 -\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116 -\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023 -\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162 -\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125 
-\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163 -\164\055\117\142\152\145\143\164 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\104\276\014\213\120\000\044\264\021\323\066\055\340\263 -\137\033 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# # Certificate "Camerfirma Chambers of Commerce Root" # # Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU @@ -4666,6 +3648,7 @@ CKA_VALUE MULTILINE_OCTAL \264\145\232\041\220\340\252\320\230\274\070\265\163\074\213\370 \334 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Camerfirma Chambers of Commerce Root" # Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU @@ -4703,7 +3686,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -4825,6 +3808,7 @@ CKA_VALUE MULTILINE_OCTAL \001\212\005\132\223\276\241\301\377\370\347\016\147\244\107\111 \166\135\165\220\032\365\046\217\360 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Camerfirma Global Chambersign Root" # Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU 
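Review bot: This hunk drops two trust anchors outright, "UTN USERFirst Hardware Root CA" (which carried CKT_NSS_TRUSTED_DELEGATOR for server auth) and "UTN USERFirst Object Root CA", and the neighbouring hunks flip CKA_TRUST_CODE_SIGNING from CKT_NSS_TRUSTED_DELEGATOR to CKT_NSS_MUST_VERIFY_TRUST for roughly a dozen roots, yet nothing beyond the generic "Update NSS to 3.32.1-RTM" title records this; the later hunk starting at `@@ -5670,181 +4659,7 @@` appears to remove "Swisscom Root CA 1" as well, though it runs past the end of what is visible here. Chains anchored at a removed root will stop validating after this update, and code-signing decisions that relied on the delegator bit will now fall back to path verification, so the behaviour change is user-visible even though it is buried in certdata.txt. A one-line inventory in the commit description along the lines of `Trust store: removes UTN USERFirst Hardware/Object and Swisscom Root CA 1; code-signing trust bit revoked on legacy roots (upstream NSS 3.32.1 certdata)` would let downstream reviewers and incident responders see the trust-store delta without diffing octal blobs. It would also be worth confirming that the matching nssckbi version constant elsewhere in this commit was bumped, since consumers key cache invalidation of the builtin root module off that value.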
@@ -4861,7 +3845,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -4977,6 +3961,7 @@ CKA_VALUE MULTILINE_OCTAL \073\356\304\114\364\354\047\174\102\302\164\174\202\212\011\311 \264\003\045\274 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "XRamp Global CA Root" # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US @@ -5015,7 +4000,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -5123,6 +4108,7 @@ CKA_VALUE MULTILINE_OCTAL \105\346\015\237\050\234\261\271\052\132\127\255\067\017\257\035 \177\333\275\237 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Go Daddy Class 2 CA" # Issuer: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US @@ -5158,7 +4144,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -5267,6 +4253,7 @@ CKA_VALUE MULTILINE_OCTAL \370\267\100\021\106\232\037\171\016\142\277\017\227\354\340\057 \037\027\224 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Starfield Class 2 CA" # Issuer: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US 
@@ -5302,7 +4289,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -5472,6 +4459,7 @@ CKA_VALUE MULTILINE_OCTAL \064\353\005\377\232\042\256\233\175\077\361\145\121\012\246\060 \152\263\364\210\034\200\015\374\162\212\350\203\136 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "StartCom Certification Authority" # Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL @@ -5508,7 +4496,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -5636,6 +4624,7 @@ CKA_VALUE MULTILINE_OCTAL \020\002\356\047\214\204\377\254\105\015\023\134\203\062\340\045 \245\206\054\174\364\022 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Taiwan GRCA" # Issuer: O=Government Root Certification Authority,C=TW 
@@ -5670,181 +4659,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# -# Certificate "Swisscom Root CA 1" -# -# Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch -# Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36 -# Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch -# Not Valid Before: Thu Aug 18 12:06:20 2005 -# Not Valid After : Mon Aug 18 22:06:20 2025 -# Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9 -# Fingerprint (SHA1): 5F:3A:FC:0A:8B:64:F6:86:67:34:74:DF:7E:A9:A2:FE:F9:FA:7A:51 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Swisscom Root CA 1" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\144\061\013\060\011\006\003\125\004\006\023\002\143\150\061 -\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143 -\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147 -\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145 -\040\123\145\162\166\151\143\145\163\061\033\060\031\006\003\125 -\004\003\023\022\123\167\151\163\163\143\157\155\040\122\157\157 -\164\040\103\101\040\061 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\144\061\013\060\011\006\003\125\004\006\023\002\143\150\061 -\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143 -\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147 -\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145 -\040\123\145\162\166\151\143\145\163\061\033\060\031\006\003\125 -\004\003\023\022\123\167\151\163\163\143\157\155\040\122\157\157 -\164\040\103\101\040\061 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL 
-\002\020\134\013\205\134\013\347\131\101\337\127\314\077\177\235 -\250\066 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\005\331\060\202\003\301\240\003\002\001\002\002\020\134 -\013\205\134\013\347\131\101\337\127\314\077\177\235\250\066\060 -\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\144 -\061\013\060\011\006\003\125\004\006\023\002\143\150\061\021\060 -\017\006\003\125\004\012\023\010\123\167\151\163\163\143\157\155 -\061\045\060\043\006\003\125\004\013\023\034\104\151\147\151\164 -\141\154\040\103\145\162\164\151\146\151\143\141\164\145\040\123 -\145\162\166\151\143\145\163\061\033\060\031\006\003\125\004\003 -\023\022\123\167\151\163\163\143\157\155\040\122\157\157\164\040 -\103\101\040\061\060\036\027\015\060\065\060\070\061\070\061\062 -\060\066\062\060\132\027\015\062\065\060\070\061\070\062\062\060 -\066\062\060\132\060\144\061\013\060\011\006\003\125\004\006\023 -\002\143\150\061\021\060\017\006\003\125\004\012\023\010\123\167 -\151\163\163\143\157\155\061\045\060\043\006\003\125\004\013\023 -\034\104\151\147\151\164\141\154\040\103\145\162\164\151\146\151 -\143\141\164\145\040\123\145\162\166\151\143\145\163\061\033\060 -\031\006\003\125\004\003\023\022\123\167\151\163\163\143\157\155 -\040\122\157\157\164\040\103\101\040\061\060\202\002\042\060\015 -\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002 -\017\000\060\202\002\012\002\202\002\001\000\320\271\260\250\014 -\331\273\077\041\370\033\325\063\223\200\026\145\040\165\262\075 -\233\140\155\106\310\214\061\157\027\303\372\232\154\126\355\074 -\305\221\127\303\315\253\226\111\220\052\031\113\036\243\155\127 -\335\361\053\142\050\165\105\136\252\326\133\372\013\045\330\241 -\026\371\034\304\056\346\225\052\147\314\320\051\156\074\205\064 -\070\141\111\261\000\237\326\072\161\137\115\155\316\137\271\251 -\344\211\177\152\122\372\312\233\362\334\251\371\235\231\107\077 -\116\051\137\264\246\215\135\173\013\231\021\003\003\376\347\333 
-\333\243\377\035\245\315\220\036\001\037\065\260\177\000\333\220 -\157\306\176\173\321\356\172\172\247\252\014\127\157\244\155\305 -\023\073\260\245\331\355\062\034\264\136\147\213\124\334\163\207 -\345\323\027\174\146\120\162\135\324\032\130\301\331\317\330\211 -\002\157\247\111\264\066\135\320\244\336\007\054\266\165\267\050 -\221\326\227\276\050\365\230\036\352\133\046\311\275\260\227\163 -\332\256\221\046\353\150\301\371\071\025\326\147\113\012\155\117 -\313\317\260\344\102\161\214\123\171\347\356\341\333\035\240\156 -\035\214\032\167\065\134\026\036\053\123\037\064\213\321\154\374 -\362\147\007\172\365\255\355\326\232\253\241\261\113\341\314\067 -\137\375\177\315\115\256\270\037\234\103\371\052\130\125\103\105 -\274\226\315\160\016\374\311\343\146\272\116\215\073\201\313\025 -\144\173\271\224\350\135\063\122\205\161\056\117\216\242\006\021 -\121\311\343\313\241\156\061\010\144\014\302\322\074\365\066\350 -\327\320\016\170\043\040\221\311\044\052\145\051\133\042\367\041 -\316\203\136\244\363\336\113\323\150\217\106\165\134\203\011\156 -\051\153\304\160\214\365\235\327\040\057\377\106\322\053\070\302 -\057\165\034\075\176\332\245\357\036\140\205\151\102\323\314\370 -\143\376\036\103\071\205\246\266\143\101\020\263\163\036\274\323 -\372\312\175\026\107\342\247\325\320\243\212\012\010\226\142\126 -\156\064\333\331\002\271\060\165\343\004\322\347\217\302\260\021 -\100\012\254\325\161\002\142\213\061\276\335\306\043\130\061\102 -\103\055\164\371\306\236\246\212\017\351\376\277\203\346\103\127 -\044\272\357\106\064\252\327\022\001\070\355\002\003\001\000\001 -\243\201\206\060\201\203\060\016\006\003\125\035\017\001\001\377 -\004\004\003\002\001\206\060\035\006\003\125\035\041\004\026\060 -\024\060\022\006\007\140\205\164\001\123\000\001\006\007\140\205 -\164\001\123\000\001\060\022\006\003\125\035\023\001\001\377\004 -\010\060\006\001\001\377\002\001\007\060\037\006\003\125\035\043 -\004\030\060\026\200\024\003\045\057\336\157\202\001\072\134\054 
-\334\053\241\151\265\147\324\214\323\375\060\035\006\003\125\035 -\016\004\026\004\024\003\045\057\336\157\202\001\072\134\054\334 -\053\241\151\265\147\324\214\323\375\060\015\006\011\052\206\110 -\206\367\015\001\001\005\005\000\003\202\002\001\000\065\020\313 -\354\246\004\015\015\017\315\300\333\253\250\362\210\227\014\337 -\223\057\115\174\100\126\061\172\353\244\017\140\315\172\363\276 -\303\047\216\003\076\244\335\022\357\176\036\164\006\074\077\061 -\362\034\173\221\061\041\264\360\320\154\227\324\351\227\262\044 -\126\036\126\303\065\275\210\005\017\133\020\032\144\341\307\202 -\060\371\062\255\236\120\054\347\170\005\320\061\261\132\230\212 -\165\116\220\134\152\024\052\340\122\107\202\140\346\036\332\201 -\261\373\024\013\132\361\237\322\225\272\076\320\033\326\025\035 -\243\276\206\325\333\017\300\111\144\273\056\120\031\113\322\044 -\370\335\036\007\126\320\070\240\225\160\040\166\214\327\335\036 -\336\237\161\304\043\357\203\023\134\243\044\025\115\051\100\074 -\152\304\251\330\267\246\104\245\015\364\340\235\167\036\100\160 -\046\374\332\331\066\344\171\344\265\077\274\233\145\276\273\021 -\226\317\333\306\050\071\072\010\316\107\133\123\132\305\231\376 -\135\251\335\357\114\324\306\245\255\002\346\214\007\022\036\157 -\003\321\157\240\243\363\051\275\022\307\120\242\260\177\210\251 -\231\167\232\261\300\245\071\056\134\174\151\342\054\260\352\067 -\152\244\341\132\341\365\120\345\203\357\245\273\052\210\347\214 -\333\375\155\136\227\031\250\176\146\165\153\161\352\277\261\307 -\157\240\364\216\244\354\064\121\133\214\046\003\160\241\167\325 -\001\022\127\000\065\333\043\336\016\212\050\231\375\261\020\157 -\113\377\070\055\140\116\054\234\353\147\265\255\111\356\113\037 -\254\257\373\015\220\132\146\140\160\135\252\315\170\324\044\356 -\310\101\240\223\001\222\234\152\236\374\271\044\305\263\025\202 -\176\276\256\225\053\353\261\300\332\343\001\140\013\136\151\254 -\204\126\141\276\161\027\376\035\023\017\376\306\207\105\351\376 
-\062\240\032\015\023\244\224\125\161\245\026\213\272\312\211\260 -\262\307\374\217\330\124\265\223\142\235\316\317\131\373\075\030 -\316\052\313\065\025\202\135\377\124\042\133\161\122\373\267\311 -\376\140\233\000\101\144\360\252\052\354\266\102\103\316\211\146 -\201\310\213\237\071\124\003\045\323\026\065\216\204\320\137\372 -\060\032\365\232\154\364\016\123\371\072\133\321\034 -END - -# Trust for Certificate "Swisscom Root CA 1" -# Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch -# Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36 -# Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch -# Not Valid Before: Thu Aug 18 12:06:20 2005 -# Not Valid After : Mon Aug 18 22:06:20 2025 -# Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9 -# Fingerprint (SHA1): 5F:3A:FC:0A:8B:64:F6:86:67:34:74:DF:7E:A9:A2:FE:F9:FA:7A:51 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Swisscom Root CA 1" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\137\072\374\012\213\144\366\206\147\064\164\337\176\251\242\376 -\371\372\172\121 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\370\070\174\167\210\337\054\026\150\056\302\342\122\113\270\371 -END -CKA_ISSUER MULTILINE_OCTAL -\060\144\061\013\060\011\006\003\125\004\006\023\002\143\150\061 -\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143 -\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147 -\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145 -\040\123\145\162\166\151\143\145\163\061\033\060\031\006\003\125 -\004\003\023\022\123\167\151\163\163\143\157\155\040\122\157\157 -\164\040\103\101\040\061 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\134\013\205\134\013\347\131\101\337\127\314\077\177\235 -\250\066 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST 
CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -5948,6 +4763,7 @@ CKA_VALUE MULTILINE_OCTAL \020\161\235\255\342\303\371\303\231\121\267\053\007\010\316\056 \346\120\262\247\372\012\105\057\242\360\362 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "DigiCert Assured ID Root CA" # Issuer: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US @@ -5984,7 +4800,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -6088,6 +4904,7 @@ CKA_VALUE MULTILINE_OCTAL \001\022\255\310\210\306\230\064\137\215\012\074\306\351\325\225 \225\155\336 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "DigiCert Global Root CA" # Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US @@ -6124,7 +4941,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -6229,6 +5046,7 @@ CKA_VALUE MULTILINE_OCTAL \315\354\107\252\045\047\147\240\067\363\000\202\175\124\327\251 \370\351\056\023\243\167\350\037\112 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "DigiCert High Assurance EV Root CA" # Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US 
@@ -6265,7 +5083,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -6361,6 +5179,7 @@ CKA_VALUE MULTILINE_OCTAL \010\346\236\005\115\107\030\325\026\351\261\326\266\020\325\273 \227\277\242\216\264\124 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Certplus Class 2 Primary CA" # Issuer: CN=Class 2 Primary CA,O=Certplus,C=FR @@ -6487,6 +5306,7 @@ CKA_VALUE MULTILINE_OCTAL \071\277\025\145\034\310\366\167\226\152\012\215\167\013\330\221 \013\004\216\007\333\051\266\012\356\235\202\065\065\020 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "DST Root CA X3" # Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. @@ -6628,6 +5448,7 @@ CKA_VALUE MULTILINE_OCTAL \367\016\013\114\234\150\170\173\161\061\307\353\036\340\147\101 \363\267\240\247\315\345\172\063\066\152\372\232\053 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "DST ACES CA X6" # Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US @@ -6795,6 +5616,7 @@ CKA_VALUE MULTILINE_OCTAL \060\245\311\215\330\253\061\201\037\337\302\146\067\323\223\251 \205\206\171\145\322 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "SwissSign Platinum CA - G2" # Issuer: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH @@ -6828,7 +5650,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # 
@@ -6959,6 +5781,7 @@ CKA_VALUE MULTILINE_OCTAL \101\317\001\261\351\270\311\146\364\333\046\363\072\244\164\362 \111\044\133\311\260\320\127\301\372\076\172\341\227\311 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "SwissSign Gold CA - G2" # Issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH @@ -6992,7 +5815,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -7124,6 +5947,7 @@ CKA_VALUE MULTILINE_OCTAL \036\354\344\012\273\052\114\353\011\140\071\316\312\142\330\056 \156 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "SwissSign Silver CA - G2" # Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH @@ -7157,7 +5981,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -7255,6 +6079,7 @@ CKA_VALUE MULTILINE_OCTAL \001\076\200\360\102\240\225\007\136\155\315\314\113\244\105\215 \253\022\350\263\336\132\345\240\174\350\017\042\035\132\351\131 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "GeoTrust Primary Certification Authority" # Issuer: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US 
@@ -7409,6 +6234,7 @@ CKA_VALUE MULTILINE_OCTAL \302\047\060\356\247\020\135\067\217\134\071\053\344\004\360\173 \215\126\214\150 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "thawte Primary Root CA" # Issuer: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US @@ -7449,7 +6275,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -7583,6 +6409,7 @@ CKA_VALUE MULTILINE_OCTAL \030\077\150\134\362\102\112\205\070\124\203\137\321\350\054\362 \254\021\326\250\355\143\152 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G5" # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US @@ -7625,7 +6452,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -7725,6 +6552,7 @@ CKA_VALUE MULTILINE_OCTAL \143\032\157\004\326\370\306\114\243\232\261\067\264\215\345\050 \113\035\236\054\302\270\150\274\355\002\356\061 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "SecureTrust CA" # Issuer: CN=SecureTrust CA,O=SecureTrust Corporation,C=US 
@@ -7759,7 +6587,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -7859,6 +6687,7 @@ CKA_VALUE MULTILINE_OCTAL \032\257\014\015\125\144\064\110\270\222\271\361\264\120\051\362 \117\043\037\332\154\254\037\104\341\335\043\170\121\133\307\026 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Secure Global CA" # Issuer: CN=Secure Global CA,O=SecureTrust Corporation,C=US @@ -7893,7 +6722,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -8008,6 +6837,7 @@ CKA_VALUE MULTILINE_OCTAL \050\276\060\105\061\036\307\170\276\130\141\070\254\073\342\001 \145 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "COMODO Certification Authority" # Issuer: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB @@ -8046,7 +6876,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # 
@@ -8153,6 +6983,7 @@ CKA_VALUE MULTILINE_OCTAL \224\265\324\314\271\275\152\065\126\041\336\330\303\353\373\313 \244\140\114\260\125\240\240\173\127\262 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Network Solutions Certificate Authority" # Issuer: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US @@ -8278,6 +7109,7 @@ CKA_VALUE MULTILINE_OCTAL \030\067\200\123\376\335\040\340\065\232\066\321\307\001\271\346 \334\335\363\377\035\054\072\026\127\331\222\071\326 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "COMODO ECC Certification Authority" # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB @@ -8316,7 +7148,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -8585,6 +7417,7 @@ CKA_VALUE MULTILINE_OCTAL \310\074\255\010\311\260\230\100\243\052\347\210\203\355\167\217 \164 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Security Communication EV RootCA1" # Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP @@ -8732,6 +7565,7 @@ CKA_VALUE MULTILINE_OCTAL \130\123\265\234\273\157\237\134\305\030\354\335\057\341\230\311 \374\276\337\012\015 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "OISTE WISeKey Global Root GA CA" # Issuer: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH 
@@ -8866,6 +7700,7 @@ CKA_VALUE MULTILINE_OCTAL \133\041\374\021\221\064\276\101\357\173\235\227\165\377\227\225 \300\226\130\057\352\273\106\327\273\344\331\056 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Certigna" # Issuer: CN=Certigna,O=Dhimyotis,C=FR @@ -9047,6 +7882,7 @@ CKA_VALUE MULTILINE_OCTAL \053\257\134\331\355\107\167\140\016\073\017\036\322\300\334\144 \005\211\374\170\326\134\054\046\103\251 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "AC Raiz Certicamara S.A." # Issuer: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO @@ -9084,7 +7920,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -9204,6 +8040,7 @@ CKA_VALUE MULTILINE_OCTAL \346\222\303\201\301\063\273\210\036\241\347\342\264\275\061\154 \016\121\075\157\373\226\126\200\342\066\027\321\334\344 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "TC TrustCenter Class 3 CA II" # Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE @@ -9344,6 +8181,7 @@ CKA_VALUE MULTILINE_OCTAL \012\155\272\071\143\050\206\222\363\030\204\330\373\321\317\005 \126\144\127 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Deutsche Telekom Root CA 2" # Issuer: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE 
@@ -9380,7 +8218,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -9476,6 +8314,7 @@ CKA_VALUE MULTILINE_OCTAL \214\160\250\337\145\062\364\244\100\214\241\302\104\003\016\224 \000\147\240\161\000\202\110 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "ComSign CA" # Issuer: C=IL,O=ComSign,CN=ComSign CA 
@@ -9513,136 +8352,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # -# Certificate "ComSign Secured CA" -# -# Issuer: C=IL,O=ComSign,CN=ComSign Secured CA -# Serial Number:00:c7:28:47:09:b3:b8:6c:45:8c:1d:fa:24:f5:36:4e:e9 -# Subject: C=IL,O=ComSign,CN=ComSign Secured CA -# Not Valid Before: Wed Mar 24 11:37:20 2004 -# Not Valid After : Fri Mar 16 15:04:56 2029 -# Fingerprint (MD5): 40:01:25:06:8D:21:43:6A:0E:43:00:9C:E7:43:F3:D5 -# Fingerprint (SHA1): F9:CD:0E:2C:DA:76:24:C1:8F:BD:F0:F0:AB:B6:45:B8:F7:FE:D5:7A -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ComSign Secured CA" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\074\061\033\060\031\006\003\125\004\003\023\022\103\157\155 -\123\151\147\156\040\123\145\143\165\162\145\144\040\103\101\061 -\020\060\016\006\003\125\004\012\023\007\103\157\155\123\151\147 -\156\061\013\060\011\006\003\125\004\006\023\002\111\114 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\074\061\033\060\031\006\003\125\004\003\023\022\103\157\155 -\123\151\147\156\040\123\145\143\165\162\145\144\040\103\101\061 -\020\060\016\006\003\125\004\012\023\007\103\157\155\123\151\147 -\156\061\013\060\011\006\003\125\004\006\023\002\111\114 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\021\000\307\050\107\011\263\270\154\105\214\035\372\044\365 -\066\116\351 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\003\253\060\202\002\223\240\003\002\001\002\002\021\000 -\307\050\107\011\263\270\154\105\214\035\372\044\365\066\116\351 -\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 -\074\061\033\060\031\006\003\125\004\003\023\022\103\157\155\123 -\151\147\156\040\123\145\143\165\162\145\144\040\103\101\061\020 -\060\016\006\003\125\004\012\023\007\103\157\155\123\151\147\156 
-\061\013\060\011\006\003\125\004\006\023\002\111\114\060\036\027 -\015\060\064\060\063\062\064\061\061\063\067\062\060\132\027\015 -\062\071\060\063\061\066\061\065\060\064\065\066\132\060\074\061 -\033\060\031\006\003\125\004\003\023\022\103\157\155\123\151\147 -\156\040\123\145\143\165\162\145\144\040\103\101\061\020\060\016 -\006\003\125\004\012\023\007\103\157\155\123\151\147\156\061\013 -\060\011\006\003\125\004\006\023\002\111\114\060\202\001\042\060 -\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202 -\001\017\000\060\202\001\012\002\202\001\001\000\306\265\150\137 -\035\224\025\303\244\010\125\055\343\240\127\172\357\351\164\052 -\273\271\174\127\111\032\021\136\117\051\207\014\110\326\152\347 -\217\324\176\127\044\271\006\211\344\034\074\352\254\343\332\041 -\200\163\041\012\357\171\230\154\037\010\377\241\120\175\362\230 -\033\311\124\157\076\245\050\354\041\004\017\105\273\007\075\241 -\300\372\052\230\035\116\006\223\373\365\210\073\253\137\313\026 -\277\346\363\236\112\207\355\031\352\302\237\103\344\361\201\245 -\177\020\117\076\321\112\142\255\123\033\313\203\377\007\145\245 -\222\055\146\251\133\270\132\364\035\264\041\221\112\027\173\236 -\062\376\126\044\071\262\124\204\103\365\204\302\330\274\101\220 -\314\235\326\150\332\351\202\120\251\073\150\317\265\135\002\224 -\140\026\261\103\331\103\135\335\135\207\156\352\273\263\311\153 -\366\003\224\011\160\336\026\021\172\053\350\166\217\111\020\230 -\167\271\143\134\213\063\227\165\366\013\214\262\253\133\336\164 -\040\045\077\343\363\021\371\207\150\206\065\161\303\035\214\055 -\353\345\032\254\017\163\325\202\131\100\200\323\002\003\001\000 -\001\243\201\247\060\201\244\060\014\006\003\125\035\023\004\005 -\060\003\001\001\377\060\104\006\003\125\035\037\004\075\060\073 -\060\071\240\067\240\065\206\063\150\164\164\160\072\057\057\146 -\145\144\151\162\056\143\157\155\163\151\147\156\056\143\157\056 -\151\154\057\143\162\154\057\103\157\155\123\151\147\156\123\145 
-\143\165\162\145\144\103\101\056\143\162\154\060\016\006\003\125 -\035\017\001\001\377\004\004\003\002\001\206\060\037\006\003\125 -\035\043\004\030\060\026\200\024\301\113\355\160\266\367\076\174 -\000\073\000\217\307\076\016\105\237\036\135\354\060\035\006\003 -\125\035\016\004\026\004\024\301\113\355\160\266\367\076\174\000 -\073\000\217\307\076\016\105\237\036\135\354\060\015\006\011\052 -\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000\026 -\317\356\222\023\120\253\173\024\236\063\266\102\040\152\324\025 -\275\011\253\374\162\350\357\107\172\220\254\121\301\144\116\351 -\210\275\103\105\201\343\146\043\077\022\206\115\031\344\005\260 -\346\067\302\215\332\006\050\311\017\211\244\123\251\165\077\260 -\226\373\253\114\063\125\371\170\046\106\157\033\066\230\373\102 -\166\301\202\271\216\336\373\105\371\143\033\142\073\071\006\312 -\167\172\250\074\011\317\154\066\075\017\012\105\113\151\026\032 -\105\175\063\003\145\371\122\161\220\046\225\254\114\014\365\213 -\223\077\314\165\164\205\230\272\377\142\172\115\037\211\376\256 -\275\224\000\231\277\021\245\334\340\171\305\026\013\175\002\141 -\035\352\205\371\002\025\117\347\132\211\116\024\157\343\067\113 -\205\365\301\074\141\340\375\005\101\262\222\177\303\035\240\320 -\256\122\144\140\153\030\306\046\234\330\365\144\344\066\032\142 -\237\212\017\076\377\155\116\031\126\116\040\221\154\237\064\063 -\072\064\127\120\072\157\201\136\006\306\365\076\174\116\216\053 -\316\145\006\056\135\322\052\123\164\136\323\156\047\236\217 -END - -# Trust for Certificate "ComSign Secured CA" -# Issuer: C=IL,O=ComSign,CN=ComSign Secured CA -# Serial Number:00:c7:28:47:09:b3:b8:6c:45:8c:1d:fa:24:f5:36:4e:e9 -# Subject: C=IL,O=ComSign,CN=ComSign Secured CA -# Not Valid Before: Wed Mar 24 11:37:20 2004 -# Not Valid After : Fri Mar 16 15:04:56 2029 -# Fingerprint (MD5): 40:01:25:06:8D:21:43:6A:0E:43:00:9C:E7:43:F3:D5 -# Fingerprint (SHA1): F9:CD:0E:2C:DA:76:24:C1:8F:BD:F0:F0:AB:B6:45:B8:F7:FE:D5:7A -CKA_CLASS 
CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ComSign Secured CA" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\371\315\016\054\332\166\044\301\217\275\360\360\253\266\105\270 -\367\376\325\172 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\100\001\045\006\215\041\103\152\016\103\000\234\347\103\363\325 -END -CKA_ISSUER MULTILINE_OCTAL -\060\074\061\033\060\031\006\003\125\004\003\023\022\103\157\155 -\123\151\147\156\040\123\145\143\165\162\145\144\040\103\101\061 -\020\060\016\006\003\125\004\012\023\007\103\157\155\123\151\147 -\156\061\013\060\011\006\003\125\004\006\023\002\111\114 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\021\000\307\050\107\011\263\270\154\105\214\035\372\044\365 -\066\116\351 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# # Certificate "Cybertrust Global Root" # # Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc" @@ -9735,6 +8444,7 @@ CKA_VALUE MULTILINE_OCTAL \130\275\126\061\022\116\021\310\041\340\263\021\221\145\333\264 \246\210\070\316\125 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Cybertrust Global Root" # Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc" @@ -9901,6 +8611,7 @@ CKA_VALUE MULTILINE_OCTAL \204\324\076\040\205\367\112\075\053\234\375\052\012\011\115\352 \201\370\021\234 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "ePKI Root Certification Authority" # Issuer: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW 
@@ -9936,7 +8647,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -10085,6 +8796,7 @@ CKA_VALUE MULTILINE_OCTAL \202\176\044\014\235\375\201\067\343\045\250\355\066\116\225\054 \311\234\220\332\354\251\102\074\255\266\002 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3" # Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR @@ -10221,6 +8933,7 @@ CKA_VALUE MULTILINE_OCTAL \025\147\336\236\166\020\142\040\276\125\151\225\103\000\071\115 \366\356\260\132\116\111\104\124\130\137\102\203 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "certSIGN ROOT CA" # Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO 
@@ -10253,129 +8966,6 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# -# Certificate "CNNIC ROOT" -# -# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN -# Serial Number: 1228079105 (0x49330001) -# Subject: CN=CNNIC ROOT,O=CNNIC,C=CN -# Not Valid Before: Mon Apr 16 07:09:14 2007 -# Not Valid After : Fri Apr 16 07:09:14 2027 -# Fingerprint (MD5): 21:BC:82:AB:49:C4:13:3B:4B:B2:2B:5C:6B:90:9C:19 -# Fingerprint (SHA1): 8B:AF:4C:9B:1D:F0:2A:92:F7:DA:12:8E:B9:1B:AC:F4:98:60:4B:6F -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CNNIC ROOT" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061 -\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061 -\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040 -\122\117\117\124 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061 -\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061 -\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040 -\122\117\117\124 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\004\111\063\000\001 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\003\125\060\202\002\075\240\003\002\001\002\002\004\111 -\063\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005 -\005\000\060\062\061\013\060\011\006\003\125\004\006\023\002\103 -\116\061\016\060\014\006\003\125\004\012\023\005\103\116\116\111 -\103\061\023\060\021\006\003\125\004\003\023\012\103\116\116\111 -\103\040\122\117\117\124\060\036\027\015\060\067\060\064\061\066 -\060\067\060\071\061\064\132\027\015\062\067\060\064\061\066\060 
-\067\060\071\061\064\132\060\062\061\013\060\011\006\003\125\004 -\006\023\002\103\116\061\016\060\014\006\003\125\004\012\023\005 -\103\116\116\111\103\061\023\060\021\006\003\125\004\003\023\012 -\103\116\116\111\103\040\122\117\117\124\060\202\001\042\060\015 -\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001 -\017\000\060\202\001\012\002\202\001\001\000\323\065\367\077\163 -\167\255\350\133\163\027\302\321\157\355\125\274\156\352\350\244 -\171\262\154\303\243\357\341\237\261\073\110\205\365\232\134\041 -\042\020\054\305\202\316\332\343\232\156\067\341\207\054\334\271 -\014\132\272\210\125\337\375\252\333\037\061\352\001\361\337\071 -\001\301\023\375\110\122\041\304\125\337\332\330\263\124\166\272 -\164\261\267\175\327\300\350\366\131\305\115\310\275\255\037\024 -\332\337\130\104\045\062\031\052\307\176\176\216\256\070\260\060 -\173\107\162\011\061\360\060\333\303\033\166\051\273\151\166\116 -\127\371\033\144\242\223\126\267\157\231\156\333\012\004\234\021 -\343\200\037\313\143\224\020\012\251\341\144\202\061\371\214\047 -\355\246\231\000\366\160\223\030\370\241\064\206\243\335\172\302 -\030\171\366\172\145\065\317\220\353\275\063\223\237\123\253\163 -\073\346\233\064\040\057\035\357\251\035\143\032\240\200\333\003 -\057\371\046\032\206\322\215\273\251\276\122\072\207\147\110\015 -\277\264\240\330\046\276\043\137\163\067\177\046\346\222\004\243 -\177\317\040\247\267\363\072\312\313\231\313\002\003\001\000\001 -\243\163\060\161\060\021\006\011\140\206\110\001\206\370\102\001 -\001\004\004\003\002\000\007\060\037\006\003\125\035\043\004\030 -\060\026\200\024\145\362\061\255\052\367\367\335\122\226\012\307 -\002\301\016\357\246\325\073\021\060\017\006\003\125\035\023\001 -\001\377\004\005\060\003\001\001\377\060\013\006\003\125\035\017 -\004\004\003\002\001\376\060\035\006\003\125\035\016\004\026\004 -\024\145\362\061\255\052\367\367\335\122\226\012\307\002\301\016 -\357\246\325\073\021\060\015\006\011\052\206\110\206\367\015\001 
-\001\005\005\000\003\202\001\001\000\113\065\356\314\344\256\277 -\303\156\255\237\225\073\113\077\133\036\337\127\051\242\131\312 -\070\342\271\032\377\236\346\156\062\335\036\256\352\065\267\365 -\223\221\116\332\102\341\303\027\140\120\362\321\134\046\271\202 -\267\352\155\344\234\204\347\003\171\027\257\230\075\224\333\307 -\272\000\347\270\277\001\127\301\167\105\062\014\073\361\264\034 -\010\260\375\121\240\241\335\232\035\023\066\232\155\267\307\074 -\271\341\305\331\027\372\203\325\075\025\240\074\273\036\013\342 -\310\220\077\250\206\014\374\371\213\136\205\313\117\133\113\142 -\021\107\305\105\174\005\057\101\261\236\020\151\033\231\226\340 -\125\171\373\116\206\231\270\224\332\206\070\152\223\243\347\313 -\156\345\337\352\041\125\211\234\175\175\177\230\365\000\211\356 -\343\204\300\134\226\265\305\106\352\106\340\205\125\266\033\311 -\022\326\301\315\315\200\363\002\001\074\310\151\313\105\110\143 -\330\224\320\354\205\016\073\116\021\145\364\202\214\246\075\256 -\056\042\224\011\310\134\352\074\201\135\026\052\003\227\026\125 -\011\333\212\101\202\236\146\233\021 -END - -# Trust for Certificate "CNNIC ROOT" -# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN -# Serial Number: 1228079105 (0x49330001) -# Subject: CN=CNNIC ROOT,O=CNNIC,C=CN -# Not Valid Before: Mon Apr 16 07:09:14 2007 -# Not Valid After : Fri Apr 16 07:09:14 2027 -# Fingerprint (MD5): 21:BC:82:AB:49:C4:13:3B:4B:B2:2B:5C:6B:90:9C:19 -# Fingerprint (SHA1): 8B:AF:4C:9B:1D:F0:2A:92:F7:DA:12:8E:B9:1B:AC:F4:98:60:4B:6F -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CNNIC ROOT" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\213\257\114\233\035\360\052\222\367\332\022\216\271\033\254\364 -\230\140\113\157 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\041\274\202\253\111\304\023\073\113\262\053\134\153\220\234\031 -END -CKA_ISSUER MULTILINE_OCTAL -\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061 
-\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061 -\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040 -\122\117\117\124 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\004\111\063\000\001 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -10491,6 +9081,7 @@ CKA_VALUE MULTILINE_OCTAL \262\231\042\341\301\053\307\234\370\363\137\250\202\022\353\031 \021\055 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "GeoTrust Primary Certification Authority - G3" # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US @@ -10530,7 +9121,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -10619,6 +9210,7 @@ CKA_VALUE MULTILINE_OCTAL \135\235\312\256\275\023\051\104\015\047\133\250\347\150\234\022 \367\130\077\056\162\002\127\243\217\241\024\056 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "thawte Primary Root CA - G2" # Issuer: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US @@ -10657,7 +9249,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # 
@@ -10778,6 +9370,7 @@ CKA_VALUE MULTILINE_OCTAL \034\302\171\334\166\051\257\316\305\054\144\004\136\210\066\156 \061\324\100\032\142\064\066\077\065\001\256\254\143\240 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "thawte Primary Root CA - G3" # Issuer: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US @@ -10819,7 +9412,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -10913,6 +9506,7 @@ CKA_VALUE MULTILINE_OCTAL \254\076\250\201\022\320\313\272\320\222\013\266\236\226\252\004 \017\212 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "GeoTrust Primary Certification Authority - G2" # Issuer: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US @@ -10952,7 +9546,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -11082,6 +9676,7 @@ CKA_VALUE MULTILINE_OCTAL \377\303\125\210\203\113\357\005\222\006\161\362\270\230\223\267 \354\315\202\141\361\070\346\117\227\230\052\132\215 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "VeriSign Universal Root Certification Authority" # Issuer: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US 
@@ -11123,7 +9718,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -11236,6 +9831,7 @@ CKA_VALUE MULTILINE_OCTAL \051\337\033\052\141\173\161\321\336\363\300\345\015\072\112\252 \055\247\330\206\052\335\056\020 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US @@ -11278,7 +9874,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -11395,6 +9991,7 @@ CKA_VALUE MULTILINE_OCTAL \264\056\165\225\200\121\152\113\060\246\260\142\241\223\361\233 \330\316\304\143\165\077\131\107\261 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "NetLock Arany (Class Gold) FÅ‘tanúsÃtvány" # Issuer: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU @@ -11434,7 +10031,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # 
@@ -11568,6 +10165,7 @@ CKA_VALUE MULTILINE_OCTAL \203\213\235\036\322\122\244\314\035\157\260\230\155\224\061\265 \370\161\012\334\271\374\175\062\140\346\353\257\212\001 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Staat der Nederlanden Root CA - G2" # Issuer: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL @@ -11602,7 +10200,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -11693,6 +10291,7 @@ CKA_VALUE MULTILINE_OCTAL \237\123\330\103\016\135\326\143\202\161\035\200\164\312\366\342 \002\153\331\132 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Hongkong Post Root CA 1" # Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK @@ -11823,6 +10422,7 @@ CKA_VALUE MULTILINE_OCTAL \101\047\111\100\356\336\346\043\104\071\334\241\042\326\272\003 \362 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "SecureSign RootCA11" # Issuer: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP @@ -11988,6 +10588,7 @@ CKA_VALUE MULTILINE_OCTAL \147\116\151\206\103\223\070\373\266\333\117\203\221\324\140\176 \113\076\053\070\007\125\230\136\244 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "ACEDICOM Root" # Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root @@ -12021,7 +10622,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE 
@@ -12134,6 +10735,7 @@ CKA_VALUE MULTILINE_OCTAL \034\303\165\106\256\065\005\246\366\134\075\041\356\126\360\311 \202\042\055\172\124\253\160\303\175\042\145\202\160\226 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Microsec e-Szigno Root CA 2009" # Issuer: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU @@ -12171,7 +10773,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -12265,6 +10867,7 @@ CKA_VALUE MULTILINE_OCTAL \316\323\142\120\145\036\353\222\227\203\061\331\263\265\312\107 \130\077\137 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "GlobalSign Root CA - R3" # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3 @@ -12298,7 +10901,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -12437,6 +11040,7 @@ CKA_VALUE MULTILINE_OCTAL \214\263\042\350\113\174\125\306\235\372\243\024\273\145\205\156 \156\117\022\176\012\074\235\225 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068" # Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES 
@@ -12471,7 +11075,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -12605,6 +11209,7 @@ CKA_VALUE MULTILINE_OCTAL \377\356\336\200\330\055\321\070\325\136\055\013\230\175\076\154 \333\374\046\210\307 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Izenpe.com" # Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES @@ -12638,7 +11243,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -12809,6 +11414,7 @@ CKA_VALUE MULTILINE_OCTAL \006\274\046\020\155\067\235\354\335\170\214\174\200\305\360\331 \167\110\320 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Chambers of Commerce Root - 2008" # Issuer: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU @@ -12849,7 +11455,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # 
@@ -13017,6 +11623,7 @@ CKA_VALUE MULTILINE_OCTAL \043\167\330\106\113\171\155\366\214\355\072\177\140\021\170\364 \351\233\256\325\124\300\164\200\321\013\102\237\301 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Global Chambersign Root - 2008" # Issuer: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU @@ -13056,7 +11663,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -14883,6 +13490,7 @@ CKA_VALUE MULTILINE_OCTAL \026\262\103\011\014\115\366\247\153\264\231\204\145\312\172\210 \342\342\104\276\134\367\352\034\365 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Go Daddy Root Certificate Authority - G2" # Issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US @@ -14920,7 +13528,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -15032,6 +13640,7 @@ CKA_VALUE MULTILINE_OCTAL \241\365\146\005\056\177\071\025\251\052\373\120\213\216\205\151 \364 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Starfield Root Certificate Authority - G2" # Issuer: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US 
@@ -15070,7 +13679,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -15183,6 +13792,7 @@ CKA_VALUE MULTILINE_OCTAL \157\002\213\147\015\115\046\127\161\332\040\374\301\112\120\215 \261\050\272 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Starfield Services Root Certificate Authority - G2" # Issuer: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US @@ -15221,7 +13831,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -15313,6 +13923,7 @@ CKA_VALUE MULTILINE_OCTAL \236\132\116\145\265\224\256\033\337\051\260\026\361\277\000\236 \007\072\027\144\265\004\265\043\041\231\012\225\073\227\174\357 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "AffirmTrust Commercial" # Issuer: CN=AffirmTrust Commercial,O=AffirmTrust,C=US @@ -15438,6 +14049,7 @@ CKA_VALUE MULTILINE_OCTAL \307\167\257\144\250\223\337\366\151\203\202\140\362\111\102\064 \355\132\000\124\205\034\026\066\222\014\134\372\246\255\277\333 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "AffirmTrust Networking" # Issuer: CN=AffirmTrust Networking,O=AffirmTrust,C=US 
@@ -15595,6 +14207,7 @@ CKA_VALUE MULTILINE_OCTAL \200\064\375\277\357\006\243\335\130\305\205\075\076\217\376\236 \051\340\266\270\011\150\031\034\030\103 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "AffirmTrust Premium" # Issuer: CN=AffirmTrust Premium,O=AffirmTrust,C=US @@ -15700,6 +14313,7 @@ CKA_VALUE MULTILINE_OCTAL \157\256\144\372\130\345\213\036\343\143\276\265\201\315\157\002 \214\171 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "AffirmTrust Premium ECC" # Issuer: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US @@ -15838,6 +14452,7 @@ CKA_VALUE MULTILINE_OCTAL \013\047\002\065\051\261\100\225\347\371\350\234\125\210\031\106 \326\267\064\365\176\316\071\232\331\070\361\121\367\117\054 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Certum Trusted Network CA" # Issuer: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL @@ -15874,7 +14489,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -16007,6 +14622,7 @@ CKA_VALUE MULTILINE_OCTAL \331\027\026\026\012\053\206\337\217\001\031\032\345\273\202\143 \377\276\013\166\026\136\067\067\346\330\164\227\242\231\105\171 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Certinomis - Autorité Racine" # Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR 
@@ -16141,6 +14757,7 @@ CKA_VALUE MULTILINE_OCTAL \142\047\254\145\042\327\323\074\306\345\216\262\123\314\111\316 \274\060\376\173\016\063\220\373\355\322\024\221\037\007\257 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "TWCA Root Certification Authority" # Issuer: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW @@ -16176,7 +14793,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -17531,6 +16148,7 @@ CKA_VALUE MULTILINE_OCTAL \112\071\321\005\111\013\247\266\067\201\245\135\214\252\063\136 \201\050\174\247\175\047\353\000\256\215\067 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Security Communication RootCA2" # Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP @@ -17565,7 +16183,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -17713,6 +16331,7 @@ CKA_VALUE MULTILINE_OCTAL \234\235\245\140\225\072\122\177\365\321\253\010\156\363\356\133 \371\210\075\176\270\157\156\003\344\102 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "EC-ACC" # Issuer: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES 
@@ -17875,6 +16494,7 @@ CKA_VALUE MULTILINE_OCTAL \227\265\235\232\231\115\260\074\370\112\000\233\144\335\237\071 \113\321\047\327\270 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for Certificate "Hellenic Academic and Research Institutions RootCA 2011" # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR @@ -17913,7 +16533,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929 @@ -18110,6 +16730,7 @@ CKA_VALUE MULTILINE_OCTAL \056\163\352\146\050\170\315\035\024\277\240\217\057\056\270\056 \216\362\024\212\314\351\265\174\373\154\235\014\245\341\226 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Actalis Authentication Root CA" # Issuer: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT @@ -18145,7 +16766,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -18240,6 +16861,7 @@ CKA_VALUE MULTILINE_OCTAL \373\072\162\035\315\366\045\210\036\227\314\041\234\051\001\015 \145\353\127\331\363\127\226\273\110\315\201 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Trustis FPS Root CA" # Issuer: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB 
@@ -18440,6 +17062,7 @@ CKA_VALUE MULTILINE_OCTAL \266\323\173\002\366\343\270\324\011\156\153\236\165\204\071\346 \177\045\245\362\110\000\300\244\001\332\077 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "StartCom Certification Authority" # Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL @@ -18476,7 +17099,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -18604,6 +17227,7 @@ CKA_VALUE MULTILINE_OCTAL \301\332\070\133\343\251\352\346\241\272\171\357\163\330\266\123 \127\055\366\320\341\327\110 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "StartCom Certification Authority G2" # Issuer: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL @@ -18638,7 +17262,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -18763,6 +17387,7 @@ CKA_VALUE MULTILINE_OCTAL \143\135\132\130\342\057\343\035\344\251\326\320\012\320\236\277 \327\201\011\361\311\307\046\015\254\230\026\126\240 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Buypass Class 2 Root CA" # Issuer: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO 
@@ -18921,6 +17546,7 @@ CKA_VALUE MULTILINE_OCTAL \343\370\073\273\334\115\327\144\362\121\276\346\252\253\132\351 \061\356\006\274\163\277\023\142\012\237\307\271\227 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Buypass Class 3 Root CA" # Issuer: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO @@ -19062,6 +17688,7 @@ CKA_VALUE MULTILINE_OCTAL \321\106\232\073\074\170\270\157\241\320\015\144\242\170\036\051 \116\223\303\244\124\024\133 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "T-TeleSec GlobalRoot Class 3" # Issuer: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE @@ -19210,6 +17837,7 @@ CKA_VALUE MULTILINE_OCTAL \031\120\211\140\314\351\044\225\017\302\313\035\362\157\166\220 \307\314\165\301\226\305\235 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "EE Certification Centre Root CA" # Issuer: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE @@ -19247,7 +17875,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022 @@ -19439,6 +18067,7 @@ CKA_VALUE MULTILINE_OCTAL \062\015\135\010\125\164\377\214\230\320\012\246\204\152\321\071 \175 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "TURKTRUST Certificate Services Provider Root 2007" # Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. 
@@ -19480,7 +18109,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -19587,6 +18216,7 @@ CKA_VALUE MULTILINE_OCTAL \046\210\160\327\352\221\315\076\271\312\300\220\156\132\306\136 \164\145\327\134\376\243\342 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "D-TRUST Root Class 3 CA 2 2009" # Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE @@ -19730,6 +18360,7 @@ CKA_VALUE MULTILINE_OCTAL \075\323\056\243\025\274\250\346\046\345\157\303\334\270\003\041 \352\237\026\361\054\124\265 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "D-TRUST Root Class 3 CA 2 EV 2009" # Issuer: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE @@ -19979,6 +18610,7 @@ CKA_VALUE MULTILINE_OCTAL \316\035\222\233\321\151\263\377\277\361\222\012\141\065\077\335 \376\206\364\274\340\032\161\263\142\246 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "PSCProcert" # Issuer: E=acraiz@suscerte.gob.ve,OU=Superintendencia de Servicios de Certificacion Electronica,O=Sistema Nacional de Certificacion Electronica,ST=Distrito Capital,L=Caracas,C=VE,CN=Autoridad de Certificacion Raiz del Estado Venezolano 
@@ -20026,154 +18658,6 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# -# Certificate "China Internet Network Information Center EV Certificates Root" -# -# Issuer: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN -# Serial Number: 1218379777 (0x489f0001) -# Subject: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN -# Not Valid Before: Tue Aug 31 07:11:25 2010 -# Not Valid After : Sat Aug 31 07:11:25 2030 -# Fingerprint (MD5): 55:5D:63:00:97:BD:6A:97:F5:67:AB:4B:FB:6E:63:15 -# Fingerprint (SHA1): 4F:99:AA:93:FB:2B:D1:37:26:A1:99:4A:CE:7F:F0:05:F2:93:5D:1E -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "China Internet Network Information Center EV Certificates Root" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116 -\061\062\060\060\006\003\125\004\012\014\051\103\150\151\156\141 -\040\111\156\164\145\162\156\145\164\040\116\145\164\167\157\162 -\153\040\111\156\146\157\162\155\141\164\151\157\156\040\103\145 -\156\164\145\162\061\107\060\105\006\003\125\004\003\014\076\103 -\150\151\156\141\040\111\156\164\145\162\156\145\164\040\116\145 -\164\167\157\162\153\040\111\156\146\157\162\155\141\164\151\157 -\156\040\103\145\156\164\145\162\040\105\126\040\103\145\162\164 -\151\146\151\143\141\164\145\163\040\122\157\157\164 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116 -\061\062\060\060\006\003\125\004\012\014\051\103\150\151\156\141 
-\040\111\156\164\145\162\156\145\164\040\116\145\164\167\157\162 -\153\040\111\156\146\157\162\155\141\164\151\157\156\040\103\145 -\156\164\145\162\061\107\060\105\006\003\125\004\003\014\076\103 -\150\151\156\141\040\111\156\164\145\162\156\145\164\040\116\145 -\164\167\157\162\153\040\111\156\146\157\162\155\141\164\151\157 -\156\040\103\145\156\164\145\162\040\105\126\040\103\145\162\164 -\151\146\151\143\141\164\145\163\040\122\157\157\164 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\004\110\237\000\001 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\003\367\060\202\002\337\240\003\002\001\002\002\004\110 -\237\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005 -\005\000\060\201\212\061\013\060\011\006\003\125\004\006\023\002 -\103\116\061\062\060\060\006\003\125\004\012\014\051\103\150\151 -\156\141\040\111\156\164\145\162\156\145\164\040\116\145\164\167 -\157\162\153\040\111\156\146\157\162\155\141\164\151\157\156\040 -\103\145\156\164\145\162\061\107\060\105\006\003\125\004\003\014 -\076\103\150\151\156\141\040\111\156\164\145\162\156\145\164\040 -\116\145\164\167\157\162\153\040\111\156\146\157\162\155\141\164 -\151\157\156\040\103\145\156\164\145\162\040\105\126\040\103\145 -\162\164\151\146\151\143\141\164\145\163\040\122\157\157\164\060 -\036\027\015\061\060\060\070\063\061\060\067\061\061\062\065\132 -\027\015\063\060\060\070\063\061\060\067\061\061\062\065\132\060 -\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116\061 -\062\060\060\006\003\125\004\012\014\051\103\150\151\156\141\040 -\111\156\164\145\162\156\145\164\040\116\145\164\167\157\162\153 -\040\111\156\146\157\162\155\141\164\151\157\156\040\103\145\156 -\164\145\162\061\107\060\105\006\003\125\004\003\014\076\103\150 -\151\156\141\040\111\156\164\145\162\156\145\164\040\116\145\164 -\167\157\162\153\040\111\156\146\157\162\155\141\164\151\157\156 -\040\103\145\156\164\145\162\040\105\126\040\103\145\162\164\151 -\146\151\143\141\164\145\163\040\122\157\157\164\060\202\001\042 
-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003 -\202\001\017\000\060\202\001\012\002\202\001\001\000\233\176\163 -\356\275\073\170\252\144\103\101\365\120\337\224\362\056\262\215 -\112\216\106\124\322\041\022\310\071\062\102\006\351\203\325\237 -\122\355\345\147\003\073\124\301\214\231\231\314\351\300\017\377 -\015\331\204\021\262\270\321\313\133\334\036\371\150\061\144\341 -\233\372\164\353\150\271\040\225\367\306\017\215\107\254\132\006 -\335\141\253\342\354\330\237\027\055\234\312\074\065\227\125\161 -\315\103\205\261\107\026\365\054\123\200\166\317\323\000\144\275 -\100\231\335\314\330\333\304\237\326\023\137\101\203\213\371\015 -\207\222\126\064\154\032\020\013\027\325\132\034\227\130\204\074 -\204\032\056\134\221\064\156\031\137\177\027\151\305\145\357\153 -\041\306\325\120\072\277\141\271\005\215\357\157\064\072\262\157 -\024\143\277\026\073\233\251\052\375\267\053\070\146\006\305\054 -\342\252\147\036\105\247\215\004\146\102\366\217\053\357\210\040 -\151\217\062\214\024\163\332\053\206\221\143\042\232\362\247\333 -\316\211\213\253\135\307\024\301\133\060\152\037\261\267\236\056 -\201\001\002\355\317\226\136\143\333\250\346\070\267\002\003\001 -\000\001\243\143\060\141\060\037\006\003\125\035\043\004\030\060 -\026\200\024\174\162\113\071\307\300\333\142\245\117\233\252\030 -\064\222\242\312\203\202\131\060\017\006\003\125\035\023\001\001 -\377\004\005\060\003\001\001\377\060\016\006\003\125\035\017\001 -\001\377\004\004\003\002\001\006\060\035\006\003\125\035\016\004 -\026\004\024\174\162\113\071\307\300\333\142\245\117\233\252\030 -\064\222\242\312\203\202\131\060\015\006\011\052\206\110\206\367 -\015\001\001\005\005\000\003\202\001\001\000\052\303\307\103\067 -\217\335\255\244\262\014\356\334\024\155\217\050\244\230\111\313 -\014\200\352\363\355\043\146\165\175\305\323\041\147\171\321\163 -\305\265\003\267\130\254\014\124\057\306\126\023\017\061\332\006 -\347\145\073\035\157\066\333\310\035\371\375\200\006\312\243\075 
-\146\026\250\235\114\026\175\300\225\106\265\121\344\342\037\327 -\352\006\115\143\215\226\214\357\347\063\127\102\072\353\214\301 -\171\310\115\166\175\336\366\261\267\201\340\240\371\241\170\106 -\027\032\126\230\360\116\075\253\034\355\354\071\334\007\110\367 -\143\376\006\256\302\244\134\152\133\062\210\305\307\063\205\254 -\146\102\107\302\130\044\231\341\345\076\345\165\054\216\103\326 -\135\074\170\036\250\225\202\051\120\321\321\026\272\357\301\276 -\172\331\264\330\314\036\114\106\341\167\261\061\253\275\052\310 -\316\217\156\241\135\177\003\165\064\344\255\211\105\124\136\276 -\256\050\245\273\077\170\171\353\163\263\012\015\375\276\311\367 -\126\254\366\267\355\057\233\041\051\307\070\266\225\304\004\362 -\303\055\375\024\052\220\231\271\007\314\237 -END - -# Trust for "China Internet Network Information Center EV Certificates Root" -# Issuer: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN -# Serial Number: 1218379777 (0x489f0001) -# Subject: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN -# Not Valid Before: Tue Aug 31 07:11:25 2010 -# Not Valid After : Sat Aug 31 07:11:25 2030 -# Fingerprint (MD5): 55:5D:63:00:97:BD:6A:97:F5:67:AB:4B:FB:6E:63:15 -# Fingerprint (SHA1): 4F:99:AA:93:FB:2B:D1:37:26:A1:99:4A:CE:7F:F0:05:F2:93:5D:1E -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "China Internet Network Information Center EV Certificates Root" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\117\231\252\223\373\053\321\067\046\241\231\112\316\177\360\005 -\362\223\135\036 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\125\135\143\000\227\275\152\227\365\147\253\113\373\156\143\025 -END -CKA_ISSUER MULTILINE_OCTAL -\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116 
-\061\062\060\060\006\003\125\004\012\014\051\103\150\151\156\141 -\040\111\156\164\145\162\156\145\164\040\116\145\164\167\157\162 -\153\040\111\156\146\157\162\155\141\164\151\157\156\040\103\145 -\156\164\145\162\061\107\060\105\006\003\125\004\003\014\076\103 -\150\151\156\141\040\111\156\164\145\162\156\145\164\040\116\145 -\164\167\157\162\153\040\111\156\146\157\162\155\141\164\151\157 -\156\040\103\145\156\164\145\162\040\105\126\040\103\145\162\164 -\151\146\151\143\141\164\145\163\040\122\157\157\164 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\004\110\237\000\001 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -20312,6 +18796,7 @@ CKA_VALUE MULTILINE_OCTAL \311\051\041\123\234\046\105\252\023\027\344\347\315\170\342\071 \301\053\022\236\246\236\033\305\346\016\331\061\331 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Swisscom Root CA 2" # Issuer: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch 
@@ -20346,184 +18831,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\036\236\050\350\110\362\345\357\303\174\112\036\132\030 \147\266 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# -# Certificate "Swisscom Root EV CA 2" -# -# Issuer: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch -# Serial Number:00:f2:fa:64:e2:74:63:d3:8d:fd:10:1d:04:1f:76:ca:58 -# Subject: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch -# Not Valid Before: Fri Jun 24 09:45:08 2011 -# Not Valid After : Wed Jun 25 08:45:08 2031 -# Fingerprint (MD5): 7B:30:34:9F:DD:0A:4B:6B:35:CA:31:51:28:5D:AE:EC -# Fingerprint (SHA1): E7:A1:90:29:D3:D5:52:DC:0D:0F:C6:92:D3:EA:88:0D:15:2E:1A:6B -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Swisscom Root EV CA 2" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\147\061\013\060\011\006\003\125\004\006\023\002\143\150\061 -\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143 -\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147 -\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145 -\040\123\145\162\166\151\143\145\163\061\036\060\034\006\003\125 -\004\003\023\025\123\167\151\163\163\143\157\155\040\122\157\157 -\164\040\105\126\040\103\101\040\062 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\147\061\013\060\011\006\003\125\004\006\023\002\143\150\061 -\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143 -\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147 -\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145 
-\040\123\145\162\166\151\143\145\163\061\036\060\034\006\003\125 -\004\003\023\025\123\167\151\163\163\143\157\155\040\122\157\157 -\164\040\105\126\040\103\101\040\062 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\021\000\362\372\144\342\164\143\323\215\375\020\035\004\037 -\166\312\130 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\005\340\060\202\003\310\240\003\002\001\002\002\021\000 -\362\372\144\342\164\143\323\215\375\020\035\004\037\166\312\130 -\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060 -\147\061\013\060\011\006\003\125\004\006\023\002\143\150\061\021 -\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143\157 -\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147\151 -\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145\040 -\123\145\162\166\151\143\145\163\061\036\060\034\006\003\125\004 -\003\023\025\123\167\151\163\163\143\157\155\040\122\157\157\164 -\040\105\126\040\103\101\040\062\060\036\027\015\061\061\060\066 -\062\064\060\071\064\065\060\070\132\027\015\063\061\060\066\062 -\065\060\070\064\065\060\070\132\060\147\061\013\060\011\006\003 -\125\004\006\023\002\143\150\061\021\060\017\006\003\125\004\012 -\023\010\123\167\151\163\163\143\157\155\061\045\060\043\006\003 -\125\004\013\023\034\104\151\147\151\164\141\154\040\103\145\162 -\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145 -\163\061\036\060\034\006\003\125\004\003\023\025\123\167\151\163 -\163\143\157\155\040\122\157\157\164\040\105\126\040\103\101\040 -\062\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001 -\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002 -\001\000\304\367\035\057\127\352\127\154\367\160\135\143\260\161 -\122\011\140\104\050\063\243\172\116\012\372\330\352\154\213\121 -\026\032\125\256\124\046\304\314\105\007\101\117\020\171\177\161 -\322\172\116\077\070\116\263\000\306\225\312\133\315\301\052\203 -\327\047\037\061\016\043\026\267\045\313\034\264\271\200\062\136 
-\032\235\223\361\350\074\140\054\247\136\127\031\130\121\136\274 -\054\126\013\270\330\357\213\202\264\074\270\302\044\250\023\307 -\240\041\066\033\172\127\051\050\247\056\277\161\045\220\363\104 -\203\151\120\244\344\341\033\142\031\224\011\243\363\303\274\357 -\364\275\354\333\023\235\317\235\110\011\122\147\300\067\051\021 -\036\373\322\021\247\205\030\164\171\344\117\205\024\353\122\067 -\342\261\105\330\314\015\103\177\256\023\322\153\053\077\247\302 -\342\250\155\166\133\103\237\276\264\235\263\046\206\073\037\177 -\345\362\350\146\050\026\045\320\113\227\070\247\344\317\011\321 -\066\303\013\276\332\073\104\130\215\276\361\236\011\153\076\363 -\062\307\053\207\306\354\136\234\366\207\145\255\063\051\304\057 -\211\331\271\313\311\003\235\373\154\224\121\227\020\033\206\013 -\032\033\077\366\002\176\173\324\305\121\144\050\235\365\323\254 -\203\201\210\323\164\264\131\235\301\353\141\063\132\105\321\313 -\071\320\006\152\123\140\035\257\366\373\151\274\152\334\001\317 -\275\371\217\331\275\133\301\072\137\216\332\017\113\251\233\235 -\052\050\153\032\012\174\074\253\042\013\345\167\055\161\366\202 -\065\201\256\370\173\201\346\352\376\254\364\032\233\164\134\350 -\217\044\366\135\235\106\304\054\322\036\053\041\152\203\047\147 -\125\112\244\343\310\062\227\146\220\162\332\343\324\144\056\137 -\343\241\152\366\140\324\347\065\315\312\304\150\215\327\161\310 -\323\044\063\163\261\154\371\152\341\050\333\137\306\075\350\276 -\125\346\067\033\355\044\331\017\031\217\137\143\030\130\120\201 -\121\145\157\362\237\176\152\004\347\064\044\161\272\166\113\130 -\036\031\275\025\140\105\252\014\022\100\001\235\020\342\307\070 -\007\162\012\145\300\266\273\045\051\332\026\236\213\065\213\141 -\355\345\161\127\203\265\074\161\237\343\117\277\176\036\201\237 -\101\227\002\003\001\000\001\243\201\206\060\201\203\060\016\006 -\003\125\035\017\001\001\377\004\004\003\002\001\206\060\035\006 -\003\125\035\041\004\026\060\024\060\022\006\007\140\205\164\001 
-\123\002\002\006\007\140\205\164\001\123\002\002\060\022\006\003 -\125\035\023\001\001\377\004\010\060\006\001\001\377\002\001\003 -\060\035\006\003\125\035\016\004\026\004\024\105\331\245\201\156 -\075\210\115\215\161\322\106\301\156\105\036\363\304\200\235\060 -\037\006\003\125\035\043\004\030\060\026\200\024\105\331\245\201 -\156\075\210\115\215\161\322\106\301\156\105\036\363\304\200\235 -\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003 -\202\002\001\000\224\072\163\006\237\122\113\060\134\324\376\261 -\134\045\371\327\216\157\365\207\144\237\355\024\216\270\004\216 -\050\113\217\252\173\216\071\264\331\130\366\173\241\065\012\241 -\235\212\367\143\345\353\275\071\202\324\343\172\055\157\337\023 -\074\272\376\176\126\230\013\363\124\237\315\104\116\156\074\341 -\076\025\277\006\046\235\344\360\220\266\324\302\236\060\056\037 -\357\307\172\304\120\307\352\173\332\120\313\172\046\313\000\264 -\132\253\265\223\037\200\211\204\004\225\215\215\177\011\223\277 -\324\250\250\344\143\155\331\144\344\270\051\132\010\277\120\341 -\204\017\125\173\137\010\042\033\365\275\231\036\024\366\316\364 -\130\020\202\263\012\075\031\301\277\133\253\252\231\330\362\061 -\275\345\070\146\334\130\005\307\355\143\032\056\012\227\174\207 -\223\053\262\212\343\361\354\030\345\165\266\051\207\347\334\213 -\032\176\264\330\311\323\212\027\154\175\051\104\276\212\252\365 -\176\072\056\150\061\223\271\152\332\232\340\333\351\056\245\204 -\315\034\012\270\112\010\371\234\361\141\046\230\223\267\173\146 -\354\221\136\335\121\077\333\163\017\255\004\130\011\335\004\002 -\225\012\076\323\166\337\246\020\036\200\075\350\315\244\144\321 -\063\307\222\307\342\116\104\343\011\311\116\302\135\207\016\022 -\236\277\017\311\005\020\336\172\243\261\074\362\077\245\252\047 -\171\255\061\175\037\375\374\031\151\305\335\271\077\174\315\306 -\264\302\060\036\176\156\222\327\177\141\166\132\217\353\225\115 -\274\021\156\041\174\131\067\231\320\006\274\371\006\155\062\026 
-\245\331\151\250\341\334\074\200\036\140\121\334\327\124\041\036 -\312\142\167\117\372\330\217\263\053\072\015\170\162\311\150\101 -\132\107\112\302\243\353\032\327\012\253\074\062\125\310\012\021 -\234\337\164\326\360\100\025\035\310\271\217\265\066\305\257\370 -\042\270\312\035\363\326\266\031\017\237\141\145\152\352\164\310 -\174\217\303\117\135\145\202\037\331\015\211\332\165\162\373\357 -\361\107\147\023\263\310\321\031\210\047\046\232\231\171\177\036 -\344\054\077\173\356\361\336\115\213\226\227\303\325\077\174\033 -\043\355\244\263\035\026\162\103\113\040\341\131\176\302\350\255 -\046\277\242\367 -END - -# Trust for "Swisscom Root EV CA 2" -# Issuer: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch -# Serial Number:00:f2:fa:64:e2:74:63:d3:8d:fd:10:1d:04:1f:76:ca:58 -# Subject: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch -# Not Valid Before: Fri Jun 24 09:45:08 2011 -# Not Valid After : Wed Jun 25 08:45:08 2031 -# Fingerprint (MD5): 7B:30:34:9F:DD:0A:4B:6B:35:CA:31:51:28:5D:AE:EC -# Fingerprint (SHA1): E7:A1:90:29:D3:D5:52:DC:0D:0F:C6:92:D3:EA:88:0D:15:2E:1A:6B -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Swisscom Root EV CA 2" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\347\241\220\051\323\325\122\334\015\017\306\222\323\352\210\015 -\025\056\032\153 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\173\060\064\237\335\012\113\153\065\312\061\121\050\135\256\354 -END -CKA_ISSUER MULTILINE_OCTAL -\060\147\061\013\060\011\006\003\125\004\006\023\002\143\150\061 -\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143 -\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147 -\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145 -\040\123\145\162\166\151\143\145\163\061\036\060\034\006\003\125 -\004\003\023\025\123\167\151\163\163\143\157\155\040\122\157\157 
-\164\040\105\126\040\103\101\040\062 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\021\000\362\372\144\342\164\143\323\215\375\020\035\004\037 -\166\312\130 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -20651,6 +18961,7 @@ CKA_VALUE MULTILINE_OCTAL \016\353\264\261\274\267\114\311\153\277\241\363\331\364\355\342 \360\343\355\144\236\075\057\226\122\117\200\123\213 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "CA Disig Root R1" # Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK @@ -20685,7 +18996,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -20813,6 +19124,7 @@ CKA_VALUE MULTILINE_OCTAL \044\304\123\031\351\036\051\025\357\346\155\260\177\055\147\375 \363\154\033\165\106\243\345\112\027\351\244\327\013 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "CA Disig Root R2" # Issuer: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK @@ -20847,7 +19159,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # 
@@ -21012,6 +19324,7 @@ CKA_VALUE MULTILINE_OCTAL
 \302\130\200\033\240\227\241\374\131\215\351\021\366\321\017\113
 \125\064\106\052\213\206\073
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "ACCVRAIZ1"
 # Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
@@ -21045,7 +19358,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -21171,6 +19484,7 @@ CKA_VALUE MULTILINE_OCTAL
 \311\014\277\317\022\216\027\055\043\150\224\347\253\376\251\262
 \053\006\320\004\315
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "TWCA Global Root CA"
 # Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
@@ -21205,7 +19519,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -21327,6 +19641,7 @@ CKA_VALUE MULTILINE_OCTAL
 \141\124\310\034\272\312\301\312\341\271\040\114\217\072\223\211
 \245\240\314\277\323\366\165\244\165\226\155\126
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "TeliaSonera Root CA v1"
 # Issuer: CN=TeliaSonera Root CA v1,O=TeliaSonera
@@ -21514,6 +19829,7 @@ CKA_VALUE MULTILINE_OCTAL
 \064\277\376\043\227\067\322\071\372\075\015\006\013\264\333\073
 \243\253\157\134\035\266\176\350\263\202\064\355\006\134\044
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "E-Tugra Certification Authority"
 # Issuer: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
@@ -21554,7 +19870,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -21662,6 +19978,7 @@ CKA_VALUE MULTILINE_OCTAL
 \332\320\031\056\252\074\361\373\063\200\166\344\315\255\031\117
 \005\047\216\023\241\156\302
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "T-TeleSec GlobalRoot Class 2"
 # Issuer: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
@@ -21792,6 +20109,7 @@ CKA_VALUE MULTILINE_OCTAL
 \052\267\030\076\247\031\331\013\175\261\067\101\102\260\272\140
 \035\362\376\011\021\260\360\207\173\247\235
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "Atos TrustedRoot 2011"
 # Issuer: C=DE,O=Atos,CN=Atos TrustedRoot 2011
@@ -21824,7 +20142,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -21951,6 +20269,7 @@ CKA_VALUE MULTILINE_OCTAL
 \172\340\113\266\144\226\143\225\204\302\112\315\034\056\044\207
 \063\140\345\303
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "QuoVadis Root CA 1 G3"
 # Issuer: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM
@@ -21985,7 +20304,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -22112,6 +20431,7 @@ CKA_VALUE MULTILINE_OCTAL
 \261\154\064\311\035\354\110\053\073\170\355\146\304\216\171\151
 \203\336\177\214
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "QuoVadis Root CA 2 G3"
 # Issuer: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM
@@ -22146,7 +20466,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -22273,6 +20593,7 @@ CKA_VALUE MULTILINE_OCTAL
 \177\175\256\200\365\007\114\266\076\234\161\124\231\004\113\375
 \130\371\230\364
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "QuoVadis Root CA 3 G3"
 # Issuer: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM
@@ -22307,7 +20628,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -22409,6 +20730,7 @@ CKA_VALUE MULTILINE_OCTAL
 \314\303\177\252\004\047\273\323\167\270\142\333\027\174\234\050
 \042\023\163\154\317\046\365\212\051\347
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "DigiCert Assured ID Root G2"
 # Issuer: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -22445,7 +20767,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -22526,6 +20848,7 @@ CKA_VALUE MULTILINE_OCTAL
 \136\221\023\247\335\244\156\222\314\062\326\365\041\146\307\057
 \352\226\143\152\145\105\222\225\001\264
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "DigiCert Assured ID Root G3"
 # Issuer: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -22562,7 +20885,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -22664,6 +20987,7 @@ CKA_VALUE MULTILINE_OCTAL
 \166\356\074\215\304\135\126\133\242\331\146\156\263\065\067\345
 \062\266
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "DigiCert Global Root G2"
 # Issuer: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -22700,7 +21024,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -22781,6 +21105,7 @@ CKA_VALUE MULTILINE_OCTAL
 \053\250\232\251\212\305\321\000\275\370\124\342\232\345\133\174
 \263\047\027
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "DigiCert Global Root G3"
 # Issuer: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -22817,7 +21142,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -22951,6 +21276,7 @@ CKA_VALUE MULTILINE_OCTAL
 \336\214\201\041\255\007\020\107\021\255\207\075\007\321\165\274
 \317\363\146\176
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "DigiCert Trusted Root G4"
 # Issuer: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -22987,7 +21313,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -23117,6 +21443,7 @@ CKA_VALUE MULTILINE_OCTAL
 \376\314\040\164\243\055\251\056\153\313\300\202\021\041\265\223
 \171\356\104\206\276\327\036\344\036\373
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "WoSign"
 # Issuer: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
@@ -23152,7 +21479,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -23278,6 +21605,7 @@ CKA_VALUE MULTILINE_OCTAL
 \330\253\361\002\142\301\261\176\125\141\317\023\327\046\260\327
 \234\313\051\213\070\112\013\016\220\215\272\241
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "WoSign China"
 # Issuer: CN=CA ...............,O=WoSign CA Limited,C=CN
@@ -23312,7 +21640,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -23454,6 +21782,7 @@ CKA_VALUE MULTILINE_OCTAL
 \265\024\151\146\016\202\347\315\316\310\055\246\121\177\041\301
 \065\123\205\006\112\135\237\255\273\033\137\164
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "COMODO RSA Certification Authority"
 # Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
@@ -23492,7 +21821,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -23635,6 +21964,7 @@ CKA_VALUE MULTILINE_OCTAL
 \216\074\103\152\035\247\030\336\175\075\026\361\142\371\312\220
 \250\375
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "USERTrust RSA Certification Authority"
 # Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
@@ -23673,7 +22003,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -23763,6 +22093,7 @@ CKA_VALUE MULTILINE_OCTAL
 \242\106\201\210\152\072\106\321\251\233\115\311\141\332\321\135
 \127\152\030
 END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
 
 # Trust for "USERTrust ECC Certification Authority"
 # Issuer: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
@@ -23801,7 +22132,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -23874,6 +22205,7 @@ CKA_VALUE MULTILINE_OCTAL \322\267\156\033\002\000\027\252\147\246\025\221\336\372\224\354 \173\013\370\237\204 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "GlobalSign ECC Root CA - R4" # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 @@ -23909,7 +22241,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -23986,6 +22318,7 @@ CKA_VALUE MULTILINE_OCTAL \307\014\274\247\141\151\361\367\073\341\052\313\371\053\363\146 \220\067 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "GlobalSign ECC Root CA - R5" # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5 @@ -24021,7 +22354,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # 
@@ -24160,6 +22493,7 @@ CKA_VALUE MULTILINE_OCTAL \013\344\271\257\221\373\120\114\014\272\300\044\047\321\025\333 \145\110\041\012\057\327\334\176\240\314\145\176\171 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal" # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US @@ -24331,6 +22665,7 @@ CKA_VALUE MULTILINE_OCTAL \254\035\152\335\071\151\344\341\171\170\276\316\005\277\241\014 \367\200\173\041\147\047\060\131 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Staat der Nederlanden Root CA - G3" # Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL @@ -24494,6 +22829,7 @@ CKA_VALUE MULTILINE_OCTAL \220\003\244\352\044\207\077\331\275\331\351\362\137\120\111\034 \356\354\327\056 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Staat der Nederlanden EV Root CA" # Issuer: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL @@ -24655,6 +22991,7 @@ CKA_VALUE MULTILINE_OCTAL \037\220\032\325\112\234\356\321\160\154\314\356\364\127\370\030 \272\204\156\207 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "IdenTrust Commercial Root CA 1" # Issuer: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US @@ -24816,6 +23153,7 @@ CKA_VALUE MULTILINE_OCTAL \113\034\144\347\374\346\153\220\335\151\175\151\375\000\126\245 \267\254\266\255\267\312\076\001\357\234 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "IdenTrust Public Sector Root CA 1" # Issuer: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US 
@@ -24960,6 +23298,7 @@ CKA_VALUE MULTILINE_OCTAL \052\062\215\241\342\072\321\020\040\042\071\175\064\105\157\161 \073\303\035\374\377\262\117\250\342\366\060\036 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "S-TRUST Universal Root CA" # Issuer: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE @@ -25122,6 +23461,7 @@ CKA_VALUE MULTILINE_OCTAL \261\211\241\177\164\203\232\111\327\334\116\173\212\110\157\213 \105\366 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Entrust Root Certification Authority - G2" # Issuer: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US @@ -25163,7 +23503,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -25266,6 +23606,7 @@ CKA_VALUE MULTILINE_OCTAL \216\046\010\350\174\222\150\155\163\330\157\046\254\041\002\270 \231\267\046\101\133\045\140\256\320\110\032\356\006 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Entrust Root Certification Authority - EC1" # Issuer: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US @@ -25307,7 +23648,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # 
@@ -25438,6 +23779,7 @@ CKA_VALUE MULTILINE_OCTAL \226\017\112\065\347\116\102\300\165\315\007\317\346\054\353\173 \056 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "CFCA EV ROOT" # Issuer: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN @@ -25735,6 +24077,7 @@ CKA_VALUE MULTILINE_OCTAL \261\312\161\115\023\027\071\046\305\051\041\053\223\051\152\226 \372\253\101\341\113\266\065\013\300\233\025 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "TÃœRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı H5" # Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR @@ -25775,7 +24118,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -25906,6 +24249,7 @@ CKA_VALUE MULTILINE_OCTAL \210\025\106\317\355\151\065\377\165\015\106\363\316\161\341\305 \153\206\102\006\271\101 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Certinomis - Root CA" # Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR @@ -26044,6 +24388,7 @@ CKA_VALUE MULTILINE_OCTAL \313\216\075\103\151\234\232\130\320\044\073\337\033\100\226\176 \065\255\201\307\116\161\272\210\023 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "OISTE WISeKey Global Root GB CA" # Issuer: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH 
@@ -26080,7 +24425,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -26178,6 +24523,7 @@ CKA_VALUE MULTILINE_OCTAL \135\107\267\041\362\215\321\012\231\216\343\156\076\255\160\340 \217\271\312\314\156\201\061\366\173\234\172\171\344\147\161\030 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Certification Authority of WoSign G2" # Issuer: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN @@ -26213,7 +24559,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -26286,6 +24632,7 @@ CKA_VALUE MULTILINE_OCTAL \177\336\126\364\220\261\025\021\330\262\042\025\320\057\303\046 \056\153\361\221\262\220\145\364\232\346\220\356\112 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "CA WoSign ECC Root" # Issuer: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN @@ -26320,7 +24667,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -26418,6 +24765,7 @@ CKA_VALUE MULTILINE_OCTAL \056\365\251\013\077\324\135\341\317\204\237\342\031\302\137\212 \326\040\036\343\163\267 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "SZAFIR ROOT CA2" # Issuer: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL 
@@ -26595,6 +24943,7 @@ CKA_VALUE MULTILINE_OCTAL \103\150\010\152\137\073\360\166\143\373\314\006\054\246\306\342 \016\265\271\276\044\217 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Certum Trusted Network CA 2" # Issuer: CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL @@ -26781,6 +25130,7 @@ CKA_VALUE MULTILINE_OCTAL \251\220\227\015\255\123\322\132\035\207\152\000\227\145\142\264 \276\157\152\247\365\054\102\355\062\255\266\041\236\276\274 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Hellenic Academic and Research Institutions RootCA 2015" # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR @@ -26916,6 +25266,7 @@ CKA_VALUE MULTILINE_OCTAL \162\041\027\313\042\101\016\214\023\230\070\232\124\155\233\312 \342\174\352\002\130\042\221 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Hellenic Academic and Research Institutions ECC RootCA 2015" # Issuer: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR @@ -27080,6 +25431,7 @@ CKA_VALUE MULTILINE_OCTAL \244\335\327\131\364\156\335\376\252\303\221\320\056\102\007\300 \014\115\123\315\044\261\114\133\036\121\364\337\351\222\372 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Certplus Root CA G1" # Issuer: CN=Certplus Root CA G1,O=Certplus,C=FR @@ -27185,6 +25537,7 @@ CKA_VALUE MULTILINE_OCTAL \345\274\371\171\151\334\255\105\053\367\266\061\163\314\006\245 \123\223\221\032\223\256\160\152\147\272\327\236\345\141\032\137 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Certplus Root CA G2" # Issuer: CN=Certplus Root CA G2,O=Certplus,C=FR 
@@ -27346,6 +25699,7 @@ CKA_VALUE MULTILINE_OCTAL \315\340\103\207\326\344\272\112\303\154\022\177\376\052\346\043 \326\214\161 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "OpenTrust Root CA G1" # Issuer: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR @@ -27508,6 +25862,7 @@ CKA_VALUE MULTILINE_OCTAL \174\053\067\324\172\321\167\064\217\347\371\102\367\074\201\014 \113\122\012 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "OpenTrust Root CA G2" # Issuer: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR @@ -27617,6 +25972,7 @@ CKA_VALUE MULTILINE_OCTAL \342\174\151\345\135\232\370\101\037\073\071\223\223\235\125\352 \315\215\361\373\301 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "OpenTrust Root CA G3" # Issuer: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR @@ -27780,6 +26136,7 @@ CKA_VALUE MULTILINE_OCTAL \317\245\124\064\167\275\354\211\233\351\027\103\337\133\333\137 \376\216\036\127\242\315\100\235\176\142\042\332\336\030\047 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "ISRG Root X1" # Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US @@ -27942,6 +26299,7 @@ CKA_VALUE MULTILINE_OCTAL \272\357\060\167\344\124\342\270\204\231\130\200\252\023\213\121 \072\117\110\366\213\266\263 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "AC RAIZ FNMT-RCM" # Issuer: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES @@ -28066,6 +26424,7 @@ CKA_VALUE MULTILINE_OCTAL \256\245\321\175\272\020\236\206\154\033\212\271\131\063\370\353 \304\220\276\361\271 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Amazon Root CA 1" # Issuer: CN=Amazon Root CA 1,O=Amazon,C=US @@ -28222,6 +26581,7 @@ CKA_VALUE MULTILINE_OCTAL \137\041\020\307\371\363\272\002\012\047\007\305\361\326\307\323 \340\373\011\140\154 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Amazon Root CA 2" # Issuer: CN=Amazon Root CA 2,O=Amazon,C=US 
@@ -28321,6 +26681,7 @@ CKA_VALUE MULTILINE_OCTAL \263\226\371\353\306\052\370\266\054\376\072\220\024\026\327\214 \143\044\110\034\337\060\175\325\150\073 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Amazon Root CA 3" # Issuer: CN=Amazon Root CA 3,O=Amazon,C=US @@ -28424,6 +26785,7 @@ CKA_VALUE MULTILINE_OCTAL \324\254\213\153\153\111\022\123\063\255\327\344\276\044\374\265 \012\166\324\245\274\020 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Amazon Root CA 4" # Issuer: CN=Amazon Root CA 4,O=Amazon,C=US @@ -28590,6 +26952,7 @@ CKA_VALUE MULTILINE_OCTAL \334\066\052\341\224\150\223\307\146\162\104\017\200\041\062\154 \045\307\043\200\203\012\353 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "LuxTrust Global Root 2" # Issuer: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU @@ -28738,6 +27101,7 @@ CKA_VALUE MULTILINE_OCTAL \007\277\164\340\230\070\025\125\170\356\162\000\134\031\243\364 \322\063\340\377\275\321\124\071\051\017 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Symantec Class 1 Public Primary Certification Authority - G6" # Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US @@ -28891,6 +27255,7 @@ CKA_VALUE MULTILINE_OCTAL \124\276\142\273\071\254\150\022\110\221\040\245\313\261\335\376 \157\374\132\344\202\125\131\257\061\251 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Symantec Class 2 Public Primary Certification Authority - G6" # Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US 
@@ -29023,6 +27388,7 @@ CKA_VALUE MULTILINE_OCTAL \046\235\011\075\367\155\220\321\005\104\057\260\274\203\223\150 \362\014\105\111\071\277\231\004\034\323\020\240 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Symantec Class 1 Public Primary Certification Authority - G4" # Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US @@ -29155,6 +27521,7 @@ CKA_VALUE MULTILINE_OCTAL \000\130\123\317\176\261\113\015\345\120\206\353\236\153\337\377 \051\246\330\107\331\240\226\030\333\362\105\263 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "Symantec Class 2 Public Primary Certification Authority - G4" # Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US @@ -29299,6 +27666,7 @@ CKA_VALUE MULTILINE_OCTAL \047\133\055\060\050\053\237\110\232\144\053\231\357\362\165\111 \137\134 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "D-TRUST Root CA 3 2013" # Issuer: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE @@ -29460,6 +27828,7 @@ CKA_VALUE MULTILINE_OCTAL \226\215\317\266\375\000\235\132\024\232\277\002\104\365\301\302 \237\042\136\242\017\241\343 END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE # Trust for "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" # Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR diff --git a/security/nss/lib/ckfw/builtins/nssckbi.h b/security/nss/lib/ckfw/builtins/nssckbi.h index 6e7aa2b61b..498751d13d 100644 --- a/security/nss/lib/ckfw/builtins/nssckbi.h +++ b/security/nss/lib/ckfw/builtins/nssckbi.h 
@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 14
-#define NSS_BUILTINS_LIBRARY_VERSION "2.14"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 16
+#define NSS_BUILTINS_LIBRARY_VERSION "2.16"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
diff --git a/security/nss/lib/cryptohi/dsautil.c b/security/nss/lib/cryptohi/dsautil.c
index db397dfd5f..df4d9a9a70 100644
--- a/security/nss/lib/cryptohi/dsautil.c
+++ b/security/nss/lib/cryptohi/dsautil.c
@@ -166,12 +166,16 @@ static SECItem *
 common_DecodeDerSig(const SECItem *item, unsigned int len)
 {
     SECItem *result = NULL;
+    PORTCheapArenaPool arena;
     SECStatus status;
     DSA_ASN1Signature sig;
     SECItem dst;
 
     PORT_Memset(&sig, 0, sizeof(sig));
 
+    /* Make enough room for r + s. */
+    PORT_InitCheapArena(&arena, PR_MAX(2 * MAX_ECKEY_LEN, DSA_MAX_SIGNATURE_LEN));
+
     result = PORT_ZNew(SECItem);
     if (result == NULL)
         goto loser;
@@ -183,7 +187,7 @@ common_DecodeDerSig(const SECItem *item, unsigned int len)
     sig.r.type = siUnsignedInteger;
     sig.s.type = siUnsignedInteger;
 
-    status = SEC_ASN1DecodeItem(NULL, &sig, DSA_SignatureTemplate, item);
+    status = SEC_QuickDERDecodeItem(&arena.arena, &sig, DSA_SignatureTemplate, item);
     if (status != SECSuccess)
         goto loser;
 
@@ -202,10 +206,7 @@ common_DecodeDerSig(const SECItem *item, unsigned int len)
         goto loser;
 
 done:
-    if (sig.r.data != NULL)
-        PORT_Free(sig.r.data);
-    if (sig.s.data != NULL)
-        PORT_Free(sig.s.data);
+    PORT_DestroyCheapArena(&arena);
 
     return result;
 
diff --git a/security/nss/lib/cryptohi/keythi.h b/security/nss/lib/cryptohi/keythi.h
index 36896540f2..f6170bb787 100644
--- a/security/nss/lib/cryptohi/keythi.h
+++ b/security/nss/lib/cryptohi/keythi.h
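Review bot: The cheap arena is initialized before `result = PORT_ZNew(SECItem)` can fail with `goto loser`, so the `loser:` label (outside these hunks) must fall through to `done:` for `PORT_DestroyCheapArena(&arena)` to run; if any error path returns without reaching `done:`, the heap-backed overflow blocks of the arena would leak — worth confirming against the part of common_DecodeDerSig that is not in the diff. The same ordering matters at `done:`: `sig.r.data`/`sig.s.data` now live in the arena that is destroyed there, so `result` must already own its own copy (the copying code is outside the hunk). The comment `/* Make enough room for r + s. */` would help more if it explained why an EC constant appears in a DSA helper, e.g. `/* Shared by DSA and ECDSA decoding (presumably, given MAX_ECKEY_LEN): size the stack arena for the larger r+s encoding. */`. Switching from SEC_ASN1DecodeItem to SEC_QuickDERDecodeItem also rejects non-DER encodings that the old decoder may have tolerated, which deserves a sentence in the commit description as an intentional hardening.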
@@ -209,7 +209,7 @@ typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
     (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE)
 
 #define SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, attribute, haslock) \
-    (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, haslock)
+    (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : pk11_HasAttributeSet_Lock(key->pkcs11Slot, key->pkcs11ID, attribute, haslock)
 
 /*
 ** A generic key structure
diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c
index 359de8e462..9ea48b7677 100644
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -1260,6 +1260,19 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk)
                 break;
             return pubk;
             break;
+        case ecKey:
+            rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
+                                    CKA_EC_PARAMS, arena, &pubk->u.ec.DEREncodedParams);
+            if (rv != SECSuccess) {
+                break;
+            }
+            rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
+                                    CKA_EC_POINT, arena, &pubk->u.ec.publicValue);
+            if (rv != SECSuccess || pubk->u.ec.publicValue.len == 0) {
+                break;
+            }
+            pubk->u.ec.encoding = ECPoint_Undefined;
+            return pubk;
         default:
             break;
     }
diff --git a/security/nss/lib/cryptohi/secsign.c b/security/nss/lib/cryptohi/secsign.c
index 1bbdd5384a..d06cb2e852 100644
--- a/security/nss/lib/cryptohi/secsign.c
+++ b/security/nss/lib/cryptohi/secsign.c
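Review bot: The rewritten expansion of `SECKEY_HAS_ATTRIBUTE_SET_LOCK` is still a bare conditional expression, so a use like `SECKEY_HAS_ATTRIBUTE_SET_LOCK(k, CKA_PRIVATE, PR_TRUE) && other` parses as `cached ? flag : (pk11_HasAttributeSet_Lock(...) && other)`; wrap the whole expansion in parentheses, `((0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : pk11_HasAttributeSet_Lock(key->pkcs11Slot, key->pkcs11ID, attribute, haslock))`, and ideally the sibling macro above it too. The macro now names `pk11_HasAttributeSet_Lock`, a lowercase `pk11_`-prefixed symbol that by NSS convention is internal; if keythi.h is an exported header, a short comment that this macro is for in-library use only would stop external callers from depending on it.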
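Review bot: In the new `ecKey` case, the `pubk->u.ec.publicValue.len == 0` branch breaks out without setting an error code, whereas a failing `PK11_ReadAttribute` presumably sets one, so a caller that sees NULL (assuming the post-switch code outside the hunk returns NULL) gets whatever stale error was last set; add `PORT_SetError(SEC_ERROR_BAD_KEY);` before that `break`. If `SECKEYECPublicKey` carries a `size` field that the other EC public-key constructors fill from the DER parameters, it is left zero here — confirm, since strength checks may read it. The enclosing function and its post-switch failure path are outside the hunk.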
@@ -312,24 +312,25 @@ SEC_DerSignData(PLArenaPool *arena, SECItem *result,
     if (algID == SEC_OID_UNKNOWN) {
         switch (pk->keyType) {
             case rsaKey:
-                algID = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+                algID = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
                 break;
             case dsaKey:
                 /* get Signature length (= q_len*2) and work from there */
                 switch (PK11_SignatureLen(pk)) {
+                    case 320:
+                        algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+                        break;
                     case 448:
                         algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST;
                         break;
                     case 512:
-                        algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST;
-                        break;
                     default:
-                        algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+                        algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST;
                         break;
                 }
                 break;
             case ecKey:
-                algID = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST;
+                algID = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
                 break;
             default:
                 PORT_SetError(SEC_ERROR_INVALID_KEY);
@@ -468,13 +469,13 @@ SEC_GetSignatureAlgorithmOidTag(KeyType keyType, SECOidTag hashAlgTag)
             break;
         case dsaKey:
             switch (hashAlgTag) {
-                case SEC_OID_UNKNOWN: /* default for DSA if not specified */
                 case SEC_OID_SHA1:
                     sigTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
                     break;
                 case SEC_OID_SHA224:
                     sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST;
                     break;
+                case SEC_OID_UNKNOWN: /* default for DSA if not specified */
                 case SEC_OID_SHA256:
                     sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST;
                     break;
@@ -484,13 +485,13 @@ SEC_GetSignatureAlgorithmOidTag(KeyType keyType, SECOidTag hashAlgTag)
             break;
         case ecKey:
             switch (hashAlgTag) {
-                case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */
                 case SEC_OID_SHA1:
                     sigTag = SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE;
                     break;
                 case SEC_OID_SHA224:
                     sigTag = SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE;
                     break;
+                case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */
                 case SEC_OID_SHA256:
                     sigTag = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
                     break;
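Review bot: In the DSA branch of SEC_DerSignData, `case 512:` now falls through into `default:`, and that default also catches any unexpected or failed `PK11_SignatureLen(pk)` result (previously mapped to SHA-1); mark the intent and guard the failure case, e.g. `case 512: /* fallthrough: 256-bit q uses SHA-256 */` and, if PK11_SignatureLen reports errors as 0, an explicit `case 0:` that sets an error and bails rather than picking SHA-256 DSA for a broken key. The SHA-1 to SHA-256 default change for RSA and ECDSA is a defensible hardening but is observable to callers that relied on the old default, so it belongs in the commit description. The two SEC_GetSignatureAlgorithmOidTag hunks move `SEC_OID_UNKNOWN` to the SHA-256 branch consistently with this. Both enclosing functions begin outside the hunks.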
diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h
index 7e64e7612b..26ac8957e9 100644
--- a/security/nss/lib/dev/dev.h
+++ b/security/nss/lib/dev/dev.h
@@ -312,6 +312,15 @@ NSS_EXTERN PRBool
 nssToken_NeedsPINInitialization(
     NSSToken *token);
 
+NSS_EXTERN nssCryptokiObject **
+nssToken_FindObjectsByTemplate(
+    NSSToken *token,
+    nssSession *sessionOpt,
+    CK_ATTRIBUTE_PTR obj_template,
+    CK_ULONG otsize,
+    PRUint32 maximumOpt,
+    PRStatus *statusOpt);
+
 NSS_EXTERN nssCryptokiObject *
 nssToken_ImportCertificate(
     NSSToken *tok,
diff --git a/security/nss/lib/dev/devslot.c b/security/nss/lib/dev/devslot.c
index 5b0bb371ac..9f0bd82265 100644
--- a/security/nss/lib/dev/devslot.c
+++ b/security/nss/lib/dev/devslot.c
@@ -31,6 +31,7 @@ nssSlot_Destroy(
 {
     if (slot) {
         if (PR_ATOMIC_DECREMENT(&slot->base.refCount) == 0) {
+            PK11_FreeSlot(slot->pk11slot);
             PZ_DestroyLock(slot->base.lock);
             return nssArena_Destroy(slot->base.arena);
         }
@@ -91,7 +92,7 @@ nssSlot_ResetDelay(
 }
 
 static PRBool
-within_token_delay_period(NSSSlot *slot)
+within_token_delay_period(const NSSSlot *slot)
 {
     PRIntervalTime time, lastTime;
     /* Set the delay time for checking the token presence */
@@ -103,7 +104,6 @@ within_token_delay_period(NSSSlot *slot)
     if ((lastTime) && ((time - lastTime) < s_token_delay_time)) {
         return PR_TRUE;
     }
-    slot->lastTokenPing = time;
     return PR_FALSE;
 }
 
@@ -136,6 +136,7 @@ nssSlot_IsTokenPresent(
     nssSlot_ExitMonitor(slot);
     if (ckrv != CKR_OK) {
         slot->token->base.name[0] = 0; /* XXX */
+        slot->lastTokenPing = PR_IntervalNow();
         return PR_FALSE;
     }
     slot->ckFlags = slotInfo.flags;
@@ -143,6 +144,7 @@ nssSlot_IsTokenPresent(
     if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
         if (!slot->token) {
             /* token was never present */
+            slot->lastTokenPing = PR_IntervalNow();
             return PR_FALSE;
         }
         session = nssToken_GetDefaultSession(slot->token);
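Review bot: The newly exported `nssToken_FindObjectsByTemplate` prototype carries no comment on the optional parameters or on who owns the result, and the callers in devtoken.c (`rvObject = objects[0]; nss_ZFreeIf(objects);`) show the array is caller-owned; a header comment such as `/* Returns a NULL-terminated, caller-owned array of matching objects (free with nss_ZFreeIf); sessionOpt may be NULL for the token's default session, maximumOpt 0 means unlimited, statusOpt may be NULL. */` would document that contract — the NULL-termination and the meaning of 0 are inferred from the naming and should be checked against the implementation before being written down.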
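Review bot: `slot->lastTokenPing` is now written in nssSlot_IsTokenPresent after `nssSlot_ExitMonitor(slot)` (hunk @@ -136) while `within_token_delay_period` reads it, so the read/write pair is unsynchronized; either state in a comment that the timestamp is a best-effort throttle where a torn or stale read is harmless, or make the field atomic. Because `within_token_delay_period` no longer stamps the time itself, every return path of nssSlot_IsTokenPresent has to (this hunk, @@ -143 and the hunks on the next line), which is easy to miss in a later edit — a single-exit structure would remove that hazard. `PK11_FreeSlot(slot->pk11slot)` in nssSlot_Destroy pairs with the same call added to nssToken_Destroy in devtoken.c; that is only correct if token and slot each hold their own reference on the PK11SlotInfo, which is worth confirming.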
@@ -165,6 +167,7 @@ nssSlot_IsTokenPresent(
         slot->token->base.name[0] = 0; /* XXX */
         /* clear the token cache */
         nssToken_Remove(slot->token);
+        slot->lastTokenPing = PR_IntervalNow();
         return PR_FALSE;
     }
     /* token is present, use the session info to determine if the card
@@ -187,8 +190,10 @@ nssSlot_IsTokenPresent(
         isPresent = session->handle != CK_INVALID_SESSION;
         nssSession_ExitMonitor(session);
         /* token not removed, finished */
-        if (isPresent)
+        if (isPresent) {
+            slot->lastTokenPing = PR_IntervalNow();
             return PR_TRUE;
+        }
     }
     /* the token has been removed, and reinserted, or the slot contains
      * a token it doesn't recognize. invalidate all the old
@@ -201,8 +206,11 @@ nssSlot_IsTokenPresent(
     if (nssrv != PR_SUCCESS) {
         slot->token->base.name[0] = 0; /* XXX */
         slot->ckFlags &= ~CKF_TOKEN_PRESENT;
+        /* TODO: insert a barrier here to avoid reordering of the assingments */
+        slot->lastTokenPing = PR_IntervalNow();
         return PR_FALSE;
     }
+    slot->lastTokenPing = PR_IntervalNow();
     return PR_TRUE;
 }
 
@@ -217,10 +225,18 @@ NSS_IMPLEMENT NSSToken *
 nssSlot_GetToken(
     NSSSlot *slot)
 {
+    NSSToken *rvToken = NULL;
+
     if (nssSlot_IsTokenPresent(slot)) {
-        return nssToken_AddRef(slot->token);
+        /* Even if a token should be present, check `slot->token` too as it
+         * might be gone already. This would happen mostly on shutdown. */
+        nssSlot_EnterMonitor(slot);
+        if (slot->token)
+            rvToken = nssToken_AddRef(slot->token);
+        nssSlot_ExitMonitor(slot);
     }
-    return (NSSToken *)NULL;
+
+    return rvToken;
 }
 
 NSS_IMPLEMENT PRStatus
diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c
index 0adbca8bc7..0d4c3b5a72 100644
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
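Review bot: The new comment `/* TODO: insert a barrier here to avoid reordering of the assingments */` (hunk @@ -201) has a typo and does not say which reader depends on `ckFlags` being visible before `lastTokenPing`; if the ordering matters to `within_token_delay_period` on another thread, a plain comment will not provide it — either take the slot monitor around both stores or say why the race is tolerable, e.g. `/* NOTE: ckFlags and lastTokenPing are updated outside the slot monitor; a reader may briefly see the old flags with the new timestamp, which only delays the next probe. Confirm this is acceptable. */`. The same `slot->lastTokenPing = PR_IntervalNow();` now appears on six return paths of nssSlot_IsTokenPresent, which starts outside the hunks; a single exit label would make it impossible to forget one. In nssSlot_GetToken, `if (slot->token)` leaves its body unbraced while the sibling change in this file braces `if (isPresent) {`; keep the style consistent.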
@@ -29,11 +29,16 @@ nssToken_Destroy(
 {
     if (tok) {
         if (PR_ATOMIC_DECREMENT(&tok->base.refCount) == 0) {
+            PK11_FreeSlot(tok->pk11slot);
             PZ_DestroyLock(tok->base.lock);
             nssTokenObjectCache_Destroy(tok->cache);
-            /* The token holds the first/last reference to the slot.
-             * When the token is actually destroyed, that ref must go too.
-             */
+
+            /* We're going away, let the nssSlot know in case it's held
+             * alive by someone else. Usually we should hold the last ref. */
+            nssSlot_EnterMonitor(tok->slot);
+            tok->slot->token = NULL;
+            nssSlot_ExitMonitor(tok->slot);
+
             (void)nssSlot_Destroy(tok->slot);
             return nssArena_Destroy(tok->base.arena);
         }
@@ -368,8 +373,8 @@ loser:
     return (nssCryptokiObject **)NULL;
 }
 
-static nssCryptokiObject **
-find_objects_by_template(
+NSS_IMPLEMENT nssCryptokiObject **
+nssToken_FindObjectsByTemplate(
     NSSToken *token,
     nssSession *sessionOpt,
     CK_ATTRIBUTE_PTR obj_template,
@@ -581,9 +586,9 @@ nssToken_FindObjects(
                                            obj_template, obj_size,
                                            maximumOpt, statusOpt);
     } else {
-        objects = find_objects_by_template(token, sessionOpt,
-                                           obj_template, obj_size,
-                                           maximumOpt, statusOpt);
+        objects = nssToken_FindObjectsByTemplate(token, sessionOpt,
+                                                 obj_template, obj_size,
+                                                 maximumOpt, statusOpt);
     }
     return objects;
 }
@@ -612,9 +617,9 @@ nssToken_FindCertificatesBySubject(
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
     NSS_CK_TEMPLATE_FINISH(subj_template, attr, stsize);
     /* now locate the token certs matching this template */
-    objects = find_objects_by_template(token, sessionOpt,
-                                       subj_template, stsize,
-                                       maximumOpt, statusOpt);
+    objects = nssToken_FindObjectsByTemplate(token, sessionOpt,
+                                             subj_template, stsize,
+                                             maximumOpt, statusOpt);
     return objects;
 }
 
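Review bot: In nssToken_Destroy the PK11 slot reference is dropped (`PK11_FreeSlot(tok->pk11slot)`) before the back-pointer is cleared and before `nssSlot_Destroy(tok->slot)`, which in devslot.c now also calls `PK11_FreeSlot(slot->pk11slot)`; if `tok->pk11slot` and `tok->slot->pk11slot` are the same PK11SlotInfo, this is correct only when each side took its own reference, otherwise it is a double release — confirm where the token's reference is acquired. The new comment says "Usually we should hold the last ref"; if the token can outlive its slot on some path, name it, otherwise state it as an invariant so the next reader knows which case the `tok->slot->token = NULL` clearing is for, e.g. `/* Clear the slot's back-pointer under its monitor so nssSlot_GetToken cannot hand out a reference to a token that is being torn down. */`. Doing `PK11_FreeSlot` after `nssSlot_Destroy` would also keep the slot alive for the duration of the monitor calls that follow.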
@@ -642,9 +647,9 @@ nssToken_FindCertificatesByNickname(
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_TEMPLATE_FINISH(nick_template, attr, ntsize);
     /* now locate the token certs matching this template */
-    objects = find_objects_by_template(token, sessionOpt,
-                                       nick_template, ntsize,
-                                       maximumOpt, statusOpt);
+    objects = nssToken_FindObjectsByTemplate(token, sessionOpt,
+                                             nick_template, ntsize,
+                                             maximumOpt, statusOpt);
     if (!objects) {
         /* This is to workaround the fact that PKCS#11 doesn't specify
          * whether the '\0' should be included.  XXX Is that still true?
@@ -653,9 +658,9 @@ nssToken_FindCertificatesByNickname(
          * well, its needed by the builtin token...
          */
         nick_template[0].ulValueLen++;
-        objects = find_objects_by_template(token, sessionOpt,
-                                           nick_template, ntsize,
-                                           maximumOpt, statusOpt);
+        objects = nssToken_FindObjectsByTemplate(token, sessionOpt,
+                                                 nick_template, ntsize,
+                                                 maximumOpt, statusOpt);
     }
     return objects;
 }
@@ -732,9 +737,9 @@ nssToken_FindCertificatesByID(
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_TEMPLATE_FINISH(id_template, attr, idtsize);
     /* now locate the token certs matching this template */
-    objects = find_objects_by_template(token, sessionOpt,
-                                       id_template, idtsize,
-                                       maximumOpt, statusOpt);
+    objects = nssToken_FindObjectsByTemplate(token, sessionOpt,
+                                             id_template, idtsize,
+                                             maximumOpt, statusOpt);
     return objects;
 }
 
@@ -822,9 +827,9 @@ nssToken_FindCertificateByIssuerAndSerialNumber(
                                            cert_template, ctsize,
                                            1, statusOpt);
     } else {
-        objects = find_objects_by_template(token, sessionOpt,
-                                           cert_template, ctsize,
-                                           1, statusOpt);
+        objects = nssToken_FindObjectsByTemplate(token, sessionOpt,
+                                                 cert_template, ctsize,
+                                                 1, statusOpt);
     }
     if (objects) {
         rvObject = objects[0];
@@ -849,9 +854,9 @@ nssToken_FindCertificateByIssuerAndSerialNumber(
                                            cert_template, ctsize,
                                            1, statusOpt);
     } else {
-        objects = find_objects_by_template(token, sessionOpt,
-                                           cert_template, ctsize,
-                                           1, statusOpt);
+        objects = nssToken_FindObjectsByTemplate(token, sessionOpt,
+                                                 cert_template, ctsize,
+                                                 1, statusOpt);
     }
     if (objects) {
         rvObject = objects[0];
@@ -885,9 +890,9 @@ nssToken_FindCertificateByEncodedCertificate(
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE, encodedCertificate);
     NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
     /* get the object handle */
-    objects = find_objects_by_template(token, sessionOpt,
-                                       cert_template, ctsize,
-                                       1, statusOpt);
+    objects = nssToken_FindObjectsByTemplate(token, sessionOpt,
+                                             cert_template, ctsize,
+                                             1, statusOpt);
     if (objects) {
         rvObject = objects[0];
         nss_ZFreeIf(objects);
@@ -917,9 +922,9 @@ nssToken_FindPrivateKeys(
     }
     NSS_CK_TEMPLATE_FINISH(key_template, attr, ktsize);
 
-    objects = find_objects_by_template(token, sessionOpt,
-                                       key_template, ktsize,
-                                       maximumOpt, statusOpt);
+    objects = nssToken_FindObjectsByTemplate(token, sessionOpt,
+                                             key_template, ktsize,
+                                             maximumOpt, statusOpt);
     return objects;
 }
 
@@ -942,9 +947,9 @@ nssToken_FindPrivateKeyByID(
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, keyID);
     NSS_CK_TEMPLATE_FINISH(key_template, attr, ktsize);
 
-    objects = find_objects_by_template(token, sessionOpt,
-                                       key_template, ktsize,
-                                       1, NULL);
+    objects = nssToken_FindObjectsByTemplate(token, sessionOpt,
+                                             key_template, ktsize,
+                                             1, NULL);
     if (objects) {
         rvKey = objects[0];
         nss_ZFreeIf(objects);
@@ -971,9 +976,9 @@ nssToken_FindPublicKeyByID(
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, keyID);
     NSS_CK_TEMPLATE_FINISH(key_template, attr, ktsize);
 
-    objects = find_objects_by_template(token, sessionOpt,
-                                       key_template, ktsize,
-                                       1, NULL);
+    objects = nssToken_FindObjectsByTemplate(token, sessionOpt,
+                                             key_template, ktsize,
+                                             1, NULL);
     if (objects) {
         rvKey = objects[0];
         nss_ZFreeIf(objects);
@@ -1130,9 +1135,9 @@ nssToken_FindTrustForCertificate(
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER, certIssuer);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER, certSerial);
     NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
-    objects = find_objects_by_template(token, session,
-                                       tobj_template, tobj_size,
-                                       1, NULL);
+    objects = nssToken_FindObjectsByTemplate(token, session,
+                                             tobj_template, tobj_size,
+                                             1, NULL);
     if (objects) {
         object = objects[0];
         nss_ZFreeIf(objects);
@@ -1215,9 +1220,9 @@ nssToken_FindCRLsBySubject(
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
     NSS_CK_TEMPLATE_FINISH(crlobj_template, attr, crlobj_size);
 
-    objects = find_objects_by_template(token, session,
-                                       crlobj_template, crlobj_size,
-                                       maximumOpt, statusOpt);
+    objects = nssToken_FindObjectsByTemplate(token, session,
+                                             crlobj_template, crlobj_size,
+                                             maximumOpt, statusOpt);
     return objects;
 }
 
diff --git a/security/nss/lib/freebl/Makefile b/security/nss/lib/freebl/Makefile
index 0ce1425f19..914a0119c2 100644
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -110,6 +110,7 @@ endif
 # NSS_X86_OR_X64 means the target is either x86 or x64
 ifeq (,$(filter-out i386 x386 x86 x86_64,$(CPU_ARCH)))
     DEFINES += -DNSS_X86_OR_X64
+    CFLAGS += -mpclmul -maes
 ifneq (,$(USE_64)$(USE_X32))
     DEFINES += -DNSS_X64
 else
@@ -232,8 +233,6 @@ ifeq ($(CPU_ARCH),x86)
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
     DEFINES += -DMP_ASSEMBLY_DIV_2DX1D -DMP_USE_UINT_DIGIT
     DEFINES += -DMP_IS_LITTLE_ENDIAN
-    # The floating point ECC code doesn't work on Linux x86 (bug 311432).
-    #ECL_USE_FP = 1
 endif
 ifeq ($(CPU_ARCH),arm)
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
@@ -430,7 +429,6 @@ ifeq ($(CPU_ARCH),sparc)
     ASFILES = mpv_sparcv8.s montmulfv8.s
     DEFINES += -DMP_NO_MP_WORD -DMP_USE_UINT_DIGIT -DMP_ASSEMBLY_MULTIPLY
     DEFINES += -DMP_USING_MONT_MULF -DMP_MONT_USE_MP_MUL
-    ECL_USE_FP = 1
 endif
 ifdef USE_ABI64_INT
 # this builds for Sparc v9a pure 64-bit architecture
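Review bot: `CFLAGS += -mpclmul -maes` is applied to every x86/x64 object in freebl, not only to the sources that carry the runtime-dispatched AES-NI/PCLMUL code, so the compiler may emit those instructions (and, on 32-bit targets where the flags imply the SSE2 baseline, SSE2 code) in any translation unit, and the library would then fault on CPUs that lack the feature regardless of the CPU-feature check around the intrinsics; limit the flags to the specific intrinsic sources with per-file CFLAGS, or document why a whole-library assumption is acceptable here, e.g. `# -maes/-mpclmul are safe library-wide only if every use is behind a CPUID check; confirm before widening.` Which files actually use the intrinsics is not visible in this diff, so the severity is inferred. The ECL_USE_FP removals in this hunk and the ones on the next line are mutually consistent and need no further comment.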
@@ -443,7 +441,6 @@ ifeq ($(CPU_ARCH),sparc) ASFILES = mpv_sparcv9.s montmulfv9.s DEFINES += -DMP_NO_MP_WORD -DMP_USE_UINT_DIGIT -DMP_ASSEMBLY_MULTIPLY DEFINES += -DMP_USING_MONT_MULF -DMP_MONT_USE_MP_MUL - ECL_USE_FP = 1 endif else @@ -491,16 +488,7 @@ else endif endif endif # Solaris for non-sparc family CPUs -endif # target == SunOS - -ifndef NSS_DISABLE_ECC - ifdef ECL_USE_FP - #enable floating point ECC code - DEFINES += -DECL_USE_FP - ECL_SRCS += ecp_fp160.c ecp_fp192.c ecp_fp224.c ecp_fp.c - ECL_HDRS += ecp_fp.h - endif -endif +endif # target == SunO # poly1305-donna-x64-sse2-incremental-source.c requires __int128 support # in GCC 4.6.0. @@ -601,7 +589,7 @@ $(ECL_OBJS): $(ECL_HDRS) -$(OBJDIR)/sysrand$(OBJ_SUFFIX): sysrand.c unix_rand.c win_rand.c os2_rand.c +$(OBJDIR)/sysrand$(OBJ_SUFFIX): sysrand.c unix_rand.c win_rand.c $(OBJDIR)/$(PROG_PREFIX)mpprime$(OBJ_SUFFIX): primes.c diff --git a/security/nss/lib/freebl/aeskeywrap.c b/security/nss/lib/freebl/aeskeywrap.c index 79ff8a852a..ee909dbd05 100644 --- a/security/nss/lib/freebl/aeskeywrap.c +++ b/security/nss/lib/freebl/aeskeywrap.c @@ -22,8 +22,9 @@ #include "rijndael.h" struct AESKeyWrapContextStr { - unsigned char iv[AES_KEY_WRAP_IV_BYTES]; AESContext aescx; + unsigned char iv[AES_KEY_WRAP_IV_BYTES]; + void *mem; /* Pointer to beginning of allocated memory. */ }; /******************************************/ @@ -34,8 +35,14 @@ struct AESKeyWrapContextStr { AESKeyWrapContext * AESKeyWrap_AllocateContext(void) { - AESKeyWrapContext *cx = PORT_New(AESKeyWrapContext); - return cx; + /* aligned_alloc is C11 so we have to do it the old way. */ + AESKeyWrapContext *ctx = PORT_ZAlloc(sizeof(AESKeyWrapContext) + 15); + if (ctx == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; + } + ctx->mem = ctx; + return (AESKeyWrapContext *)(((uintptr_t)ctx + 15) & ~(uintptr_t)0x0F); } SECStatus 
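Review bot: The rewritten `endif # target == SunO` drops the trailing S from a comment the hunk otherwise keeps verbatim; it should read `endif # target == SunOS`. It is only a comment, but it is the marker a reader uses to match the end of the long SunOS conditional.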
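Review bot: In AESKeyWrap_AllocateContext `ctx->mem = ctx;` is written through the unaligned pointer returned by PORT_ZAlloc, but the function returns the rounded-up pointer, so the `mem` field of the context callers actually hold is only correct when the allocation happened to be 16-byte aligned already. AESKeyWrap_CreateContext and AESKeyWrap_DestroyContext (next two hunks) read `cx->mem` from the aligned object, which — assuming PORT_ZAlloc zero-fills — holds NULL or a partially overwritten pointer whenever rounding moved the struct, so the block is leaked or an invalid pointer is freed. Align first, then record the allocation: `void *mem = PORT_ZAlloc(sizeof(AESKeyWrapContext) + 15);` (keep the NULL check on `mem`), then `ctx = (AESKeyWrapContext *)(((uintptr_t)mem + 15) & ~(uintptr_t)0x0F);` and `ctx->mem = mem;` before `return ctx;`.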
@@ -77,7 +84,7 @@ AESKeyWrap_CreateContext(const unsigned char *key, const unsigned char *iv, return NULL; /* error is already set */ rv = AESKeyWrap_InitContext(cx, key, keylen, iv, 0, encrypt, 0); if (rv != SECSuccess) { - PORT_Free(cx); + PORT_Free(cx->mem); cx = NULL; /* error should already be set */ } return cx; @@ -94,8 +101,9 @@ AESKeyWrap_DestroyContext(AESKeyWrapContext *cx, PRBool freeit) if (cx) { AES_DestroyContext(&cx->aescx, PR_FALSE); /* memset(cx, 0, sizeof *cx); */ - if (freeit) - PORT_Free(cx); + if (freeit) { + PORT_Free(cx->mem); + } } } diff --git a/security/nss/lib/freebl/blapi.h b/security/nss/lib/freebl/blapi.h index e5a6cf30e0..31e471ac43 100644 --- a/security/nss/lib/freebl/blapi.h +++ b/security/nss/lib/freebl/blapi.h @@ -801,8 +801,7 @@ SEED_Decrypt(SEEDContext *cx, unsigned char *output, ** Create a new AES context suitable for AES encryption/decryption. ** "key" raw key data ** "keylen" the number of bytes of key data (16, 24, or 32) -** "blocklen" is the blocksize to use (16, 24, or 32) -** XXX currently only blocksize==16 has been tested! +** "blocklen" is the blocksize to use. NOTE: only 16 is supported! */ extern AESContext * AES_CreateContext(const unsigned char *key, const unsigned char *iv, @@ -1429,8 +1428,6 @@ extern SECStatus RNG_RandomUpdate(const void *data, size_t bytes); */ extern SECStatus RNG_GenerateGlobalRandomBytes(void *dest, size_t len); -extern SECStatus RNG_ResetForFuzzing(void); - /* Destroy the global RNG context. After a call to RNG_RNGShutdown() ** a call to RNG_RNGInit() is required in order to use the generator again, ** along with seed data (see the comment above RNG_RNGInit()). diff --git a/security/nss/lib/freebl/blapii.h b/security/nss/lib/freebl/blapii.h index 6ad2e2892e..b1be7bedf7 100644 --- a/security/nss/lib/freebl/blapii.h +++ b/security/nss/lib/freebl/blapii.h 
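Review bot: AESKeyWrap_DestroyContext still leaves `/* memset(cx, 0, sizeof *cx); */` commented out, so the IV and whatever `AES_DestroyContext(&cx->aescx, PR_FALSE)` does not clear (its body is not on this page) remain in freed memory. Since the release now goes through `cx->mem`, the whole block can be wiped with the helper this commit already uses in dh.c: `PORT_ZFree(cx->mem, sizeof(AESKeyWrapContext) + 15);` in the `freeit` branch here and on the failure path of AESKeyWrap_CreateContext in the previous hunk. Both enclosing functions start outside their hunks.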
@@ -9,6 +9,7 @@ #define _BLAPII_H_ #include "blapit.h" +#include "mpi.h" /* max block size of supported block ciphers */ #define MAX_BLOCK_SIZE 16 @@ -50,6 +51,18 @@ SEC_END_PROTOS #define HAVE_NO_SANITIZE_ATTR 0 #endif +/* Alignment helpers. */ +#if defined(_WINDOWS) && defined(NSS_X86_OR_X64) +#define pre_align __declspec(align(16)) +#define post_align +#elif defined(NSS_X86_OR_X64) +#define pre_align +#define post_align __attribute__((aligned(16))) +#else +#define pre_align +#define post_align +#endif + #if defined(HAVE_UNALIGNED_ACCESS) && HAVE_NO_SANITIZE_ATTR #define NO_SANITIZE_ALIGNMENT __attribute__((no_sanitize("alignment"))) #else @@ -58,4 +71,12 @@ SEC_END_PROTOS #undef HAVE_NO_SANITIZE_ATTR +SECStatus RSA_Init(); +SECStatus generate_prime(mp_int *prime, int primeLen); + +/* Freebl state. */ +PRBool aesni_support(); +PRBool clmul_support(); +PRBool avx_support(); + #endif /* _BLAPII_H_ */ diff --git a/security/nss/lib/freebl/blinit.c b/security/nss/lib/freebl/blinit.c new file mode 100644 index 0000000000..d7f2ec53a7 --- /dev/null +++ b/security/nss/lib/freebl/blinit.c 
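Review bot: `SECStatus RSA_Init();`, `PRBool aesni_support();`, `PRBool clmul_support();` and `PRBool avx_support();` are non-prototype declarations in C11 — empty parentheses mean "unspecified arguments", so a call with stray arguments compiles silently and `-Wstrict-prototypes` warns. Write them as `SECStatus RSA_Init(void);` and `PRBool aesni_support(void);` (likewise for the other two). The same applies to the definitions of `check_xcr0_ymm`, `CheckX86CPUSupport`, `BL_Init` and the three accessors in the new blinit.c, and to `PRNGTEST_Uninstantiate()`, `PRNGTEST_RunHealthTests()` and `PRNGTEST_Instantiate_Kat()` in det_rng.c.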
@@ -0,0 +1,119 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifdef FREEBL_NO_DEPEND +#include "stubs.h" +#endif + +#include "blapii.h" +#include "mpi.h" +#include "secerr.h" +#include "prtypes.h" +#include "prinit.h" +#include "prenv.h" + +#if defined(_MSC_VER) && !defined(_M_IX86) +#include <intrin.h> /* for _xgetbv() */ +#endif + +static PRCallOnceType coFreeblInit; + +/* State variables. */ +static PRBool aesni_support_ = PR_FALSE; +static PRBool clmul_support_ = PR_FALSE; +static PRBool avx_support_ = PR_FALSE; + +#ifdef NSS_X86_OR_X64 +/* + * Adapted from the example code in "How to detect New Instruction support in + * the 4th generation Intel Core processor family" by Max Locktyukhin. + * + * XGETBV: + * Reads an extended control register (XCR) specified by ECX into EDX:EAX. + */ +static PRBool +check_xcr0_ymm() +{ + PRUint32 xcr0; +#if defined(_MSC_VER) +#if defined(_M_IX86) + __asm { + mov ecx, 0 + xgetbv + mov xcr0, eax + } +#else + xcr0 = (PRUint32)_xgetbv(0); /* Requires VS2010 SP1 or later. */ +#endif /* _M_IX86 */ +#else /* _MSC_VER */ + /* Old OSX compilers don't support xgetbv. Use byte form. */ + __asm__(".byte 0x0F, 0x01, 0xd0" + : "=a"(xcr0) + : "c"(0) + : "%edx"); +#endif /* _MSC_VER */ + /* Check if xmm and ymm state are enabled in XCR0. 
*/ + return (xcr0 & 6) == 6; +} + +#define ECX_AESNI (1 << 25) +#define ECX_CLMUL (1 << 1) +#define ECX_XSAVE (1 << 26) +#define ECX_OSXSAVE (1 << 27) +#define ECX_AVX (1 << 28) +#define AVX_BITS (ECX_XSAVE | ECX_OSXSAVE | ECX_AVX) + +void +CheckX86CPUSupport() +{ + unsigned long eax, ebx, ecx, edx; + char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES"); + char *disable_pclmul = PR_GetEnvSecure("NSS_DISABLE_PCLMUL"); + char *disable_avx = PR_GetEnvSecure("NSS_DISABLE_AVX"); + freebl_cpuid(1, &eax, &ebx, &ecx, &edx); + aesni_support_ = (PRBool)((ecx & ECX_AESNI) != 0 && disable_hw_aes == NULL); + clmul_support_ = (PRBool)((ecx & ECX_CLMUL) != 0 && disable_pclmul == NULL); + /* For AVX we check AVX, OSXSAVE, and XSAVE + * as well as XMM and YMM state. */ + avx_support_ = (PRBool)((ecx & AVX_BITS) == AVX_BITS) && check_xcr0_ymm() && + disable_avx == NULL; +} +#endif /* NSS_X86_OR_X64 */ + +PRBool +aesni_support() +{ + return aesni_support_; +} +PRBool +clmul_support() +{ + return clmul_support_; +} +PRBool +avx_support() +{ + return avx_support_; +} + +static PRStatus +FreeblInit(void) +{ +#ifdef NSS_X86_OR_X64 + CheckX86CPUSupport(); +#endif + return PR_SUCCESS; +} + +SECStatus +BL_Init() +{ + if (PR_CallOnce(&coFreeblInit, FreeblInit) != PR_SUCCESS) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + RSA_Init(); + + return SECSuccess; +} diff --git a/security/nss/lib/freebl/ctr.c b/security/nss/lib/freebl/ctr.c index d5715a505f..b7167d4c4a 100644 --- a/security/nss/lib/freebl/ctr.c +++ b/security/nss/lib/freebl/ctr.c 
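Review bot: BL_Init discards the SECStatus from `RSA_Init();` and returns SECSuccess regardless, so a failed RSA initialisation is reported as success to the caller; change it to `if (RSA_Init() != SECSuccess) { return SECFailure; }` (RSA_Init presumably sets its own error code, since none is set here — worth confirming). `CheckX86CPUSupport` has external linkage but is called only from this file and is not declared in the blapii.h hunk, so `static void CheckX86CPUSupport(void)` would match `check_xcr0_ymm`. `freebl_cpuid` is called without a declaration visible in the headers included here; if none of them declares it, the call relies on an implicit declaration, which C99 and later reject.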
@@ -19,30 +19,30 @@ SECStatus CTR_InitContext(CTRContext *ctr, void *context, freeblCipherFunc cipher, - const unsigned char *param, unsigned int blocksize) + const unsigned char *param) { const CK_AES_CTR_PARAMS *ctrParams = (const CK_AES_CTR_PARAMS *)param; if (ctrParams->ulCounterBits == 0 || - ctrParams->ulCounterBits > blocksize * PR_BITS_PER_BYTE) { + ctrParams->ulCounterBits > AES_BLOCK_SIZE * PR_BITS_PER_BYTE) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - /* Invariant: 0 < ctr->bufPtr <= blocksize */ + /* Invariant: 0 < ctr->bufPtr <= AES_BLOCK_SIZE */ ctr->checkWrap = PR_FALSE; - ctr->bufPtr = blocksize; /* no unused data in the buffer */ + ctr->bufPtr = AES_BLOCK_SIZE; /* no unused data in the buffer */ ctr->cipher = cipher; ctr->context = context; ctr->counterBits = ctrParams->ulCounterBits; - if (blocksize > sizeof(ctr->counter) || - blocksize > sizeof(ctrParams->cb)) { + if (AES_BLOCK_SIZE > sizeof(ctr->counter) || + AES_BLOCK_SIZE > sizeof(ctrParams->cb)) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; } - PORT_Memcpy(ctr->counter, ctrParams->cb, blocksize); + PORT_Memcpy(ctr->counter, ctrParams->cb, AES_BLOCK_SIZE); if (ctr->counterBits < 64) { - PORT_Memcpy(ctr->counterFirst, ctr->counter, blocksize); + PORT_Memcpy(ctr->counterFirst, ctr->counter, AES_BLOCK_SIZE); ctr->checkWrap = PR_TRUE; } return SECSuccess; @@ -50,7 +50,7 @@ CTR_InitContext(CTRContext *ctr, void *context, freeblCipherFunc cipher, CTRContext * CTR_CreateContext(void *context, freeblCipherFunc cipher, - const unsigned char *param, unsigned int blocksize) + const unsigned char *param) { CTRContext *ctr; SECStatus rv; @@ -60,7 +60,7 @@ CTR_CreateContext(void *context, freeblCipherFunc cipher, if (ctr == NULL) { return NULL; } - rv = CTR_InitContext(ctr, context, cipher, param, blocksize); + rv = CTR_InitContext(ctr, context, cipher, param); if (rv != SECSuccess) { CTR_DestroyContext(ctr, PR_TRUE); ctr = NULL; 
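Review bot: With the blocksize parameter gone, `if (AES_BLOCK_SIZE > sizeof(ctr->counter) || AES_BLOCK_SIZE > sizeof(ctrParams->cb))` compares compile-time constants at run time and returns SEC_ERROR_LIBRARY_FAILURE for a condition that cannot vary per call. A file-scope `PR_STATIC_ASSERT(AES_BLOCK_SIZE <= sizeof(((CTRContext *)0)->counter));` (and the same for `cb` of CK_AES_CTR_PARAMS) turns a mis-sized struct into a build error and lets the runtime branch go. The invariant comment `/* Invariant: 0 < ctr->bufPtr <= AES_BLOCK_SIZE */` is fine as rewritten.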
diff --git a/security/nss/lib/freebl/ctr.h b/security/nss/lib/freebl/ctr.h index a97da144e5..a397e690e6 100644 --- a/security/nss/lib/freebl/ctr.h +++ b/security/nss/lib/freebl/ctr.h @@ -23,8 +23,7 @@ struct CTRContextStr { typedef struct CTRContextStr CTRContext; SECStatus CTR_InitContext(CTRContext *ctr, void *context, - freeblCipherFunc cipher, const unsigned char *param, - unsigned int blocksize); + freeblCipherFunc cipher, const unsigned char *param); /* * The context argument is the inner cipher context to use with cipher. The @@ -34,7 +33,7 @@ SECStatus CTR_InitContext(CTRContext *ctr, void *context, * The cipher argument is a block cipher in the ECB encrypt mode. */ CTRContext *CTR_CreateContext(void *context, freeblCipherFunc cipher, - const unsigned char *param, unsigned int blocksize); + const unsigned char *param); void CTR_DestroyContext(CTRContext *ctr, PRBool freeit); diff --git a/security/nss/lib/freebl/cts.c b/security/nss/lib/freebl/cts.c index 99ccebb603..774294b7a1 100644 --- a/security/nss/lib/freebl/cts.c +++ b/security/nss/lib/freebl/cts.c @@ -20,19 +20,15 @@ struct CTSContextStr { CTSContext * CTS_CreateContext(void *context, freeblCipherFunc cipher, - const unsigned char *iv, unsigned int blocksize) + const unsigned char *iv) { CTSContext *cts; - if (blocksize > MAX_BLOCK_SIZE) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return NULL; - } cts = PORT_ZNew(CTSContext); if (cts == NULL) { return NULL; } - PORT_Memcpy(cts->iv, iv, blocksize); + PORT_Memcpy(cts->iv, iv, MAX_BLOCK_SIZE); cts->cipher = cipher; cts->context = context; return cts; diff --git a/security/nss/lib/freebl/cts.h b/security/nss/lib/freebl/cts.h index a3ec180af8..ddd56197f6 100644 --- a/security/nss/lib/freebl/cts.h +++ b/security/nss/lib/freebl/cts.h 
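Review bot: `PORT_Memcpy(cts->iv, iv, MAX_BLOCK_SIZE)` now reads 16 bytes from `iv` unconditionally, and the removed `blocksize > MAX_BLOCK_SIZE` check was the only length-related guard in CTS_CreateContext, so the requirement that callers pass a full MAX_BLOCK_SIZE-byte IV is now implicit. Record it where callers look, in the cts.h comment block above the prototype (next hunk): `The iv argument must point to at least MAX_BLOCK_SIZE bytes; exactly that many are copied.`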
@@ -17,7 +17,7 @@ typedef struct CTSContextStr CTSContext; * The cipher argument is a block cipher in the CBC mode. */ CTSContext *CTS_CreateContext(void *context, freeblCipherFunc cipher, - const unsigned char *iv, unsigned int blocksize); + const unsigned char *iv); void CTS_DestroyContext(CTSContext *cts, PRBool freeit); diff --git a/security/nss/lib/freebl/det_rng.c b/security/nss/lib/freebl/det_rng.c index fcbf9b34a8..04fce30e80 100644 --- a/security/nss/lib/freebl/det_rng.c +++ b/security/nss/lib/freebl/det_rng.c @@ -9,10 +9,32 @@ #include "seccomon.h" #include "secerr.h" +#define GLOBAL_BYTES_SIZE 100 +static PRUint8 globalBytes[GLOBAL_BYTES_SIZE]; static unsigned long globalNumCalls = 0; +static PZLock *rng_lock = NULL; SECStatus -prng_ResetForFuzzing(PZLock *rng_lock) +RNG_RNGInit(void) +{ + rng_lock = PZ_NewLock(nssILockOther); + if (!rng_lock) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + /* --- LOCKED --- */ + PZ_Lock(rng_lock); + memset(globalBytes, 0, GLOBAL_BYTES_SIZE); + PZ_Unlock(rng_lock); + /* --- UNLOCKED --- */ + + return SECSuccess; +} + +/* Take min(size, GLOBAL_BYTES_SIZE) bytes from data and use as seed and reset + * the rng state. */ +SECStatus +RNG_RandomUpdate(const void *data, size_t bytes) { /* Check for a valid RNG lock. */ PORT_Assert(rng_lock != NULL); @@ -23,7 +45,11 @@ prng_ResetForFuzzing(PZLock *rng_lock) /* --- LOCKED --- */ PZ_Lock(rng_lock); + memset(globalBytes, 0, GLOBAL_BYTES_SIZE); globalNumCalls = 0; + if (data) { + memcpy(globalBytes, (PRUint8 *)data, PR_MIN(bytes, GLOBAL_BYTES_SIZE)); + } PZ_Unlock(rng_lock); /* --- UNLOCKED --- */ @@ -31,9 +57,9 @@ prng_ResetForFuzzing(PZLock *rng_lock) } SECStatus -prng_GenerateDeterministicRandomBytes(PZLock *rng_lock, void *dest, size_t len) +RNG_GenerateGlobalRandomBytes(void *dest, size_t len) { - static const uint8_t key[32]; + static const uint8_t key[32] = { 0 }; uint8_t nonce[12] = { 0 }; /* Check for a valid RNG lock. */ 
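Review bot: RNG_RNGInit allocates a fresh lock with `rng_lock = PZ_NewLock(nssILockOther);` without checking whether one already exists, so a second call leaks the previous lock and swaps out the one other threads may be holding; the drbg.c implementation appears to avoid this via a PR_CallOnce-style `rng_init`, if I read the later hunk right. Guard it with `if (rng_lock) { return SECSuccess; }` before the allocation, or route it through PR_CallOnce as drbg.c does. In RNG_RandomUpdate the `(PRUint8 *)data` cast discards the const qualifier for no benefit — memcpy takes `const void *` — so drop the cast.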
@@ -58,10 +84,60 @@ prng_GenerateDeterministicRandomBytes(PZLock *rng_lock, void *dest, size_t len) } memset(dest, 0, len); + memcpy(dest, globalBytes, PR_MIN(len, GLOBAL_BYTES_SIZE)); ChaCha20XOR(dest, dest, len, key, nonce, 0); ChaCha20Poly1305_DestroyContext(cx, PR_TRUE); PZ_Unlock(rng_lock); /* --- UNLOCKED --- */ + return SECSuccess; } + +void +RNG_RNGShutdown(void) +{ + PZ_DestroyLock(rng_lock); + rng_lock = NULL; +} + +/* Test functions are not implemented! */ +SECStatus +PRNGTEST_Instantiate(const PRUint8 *entropy, unsigned int entropy_len, + const PRUint8 *nonce, unsigned int nonce_len, + const PRUint8 *personal_string, unsigned int ps_len) +{ + return SECFailure; +} + +SECStatus +PRNGTEST_Reseed(const PRUint8 *entropy, unsigned int entropy_len, + const PRUint8 *additional, unsigned int additional_len) +{ + return SECFailure; +} + +SECStatus +PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len, + const PRUint8 *additional, unsigned int additional_len) +{ + return SECFailure; +} + +SECStatus +PRNGTEST_Uninstantiate() +{ + return SECFailure; +} + +SECStatus +PRNGTEST_RunHealthTests() +{ + return SECFailure; +} + +SECStatus +PRNGTEST_Instantiate_Kat() +{ + return SECFailure; +} diff --git a/security/nss/lib/freebl/dh.c b/security/nss/lib/freebl/dh.c index 97025c7e25..6f2bafda20 100644 --- a/security/nss/lib/freebl/dh.c +++ b/security/nss/lib/freebl/dh.c @@ -14,9 +14,9 @@ #include "secerr.h" #include "blapi.h" +#include "blapii.h" #include "secitem.h" #include "mpi.h" -#include "mpprime.h" #include "secmpi.h" #define KEA_DERIVED_SECRET_LEN 128 @@ -46,9 +46,7 @@ DH_GenParam(int primeLen, DHParams **params) { PLArenaPool *arena; DHParams *dhparams; - unsigned char *pb = NULL; unsigned char *ab = NULL; - unsigned long counter = 0; mp_int p, q, a, h, psub1, test; mp_err err = MP_OKAY; SECStatus rv = SECSuccess; 
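Review bot: RNG_RNGShutdown hands `rng_lock` to PZ_DestroyLock without a NULL check, so calling it before RNG_RNGInit, or twice, passes a NULL lock to NSPR, which as far as I know asserts on that in debug builds; guard with `if (rng_lock) { PZ_DestroyLock(rng_lock); rng_lock = NULL; }`. The `/* Test functions are not implemented! */` stubs all return SECFailure without calling PORT_SetError, so a caller sees a failure carrying whatever stale error code was last set; setting SEC_ERROR_LIBRARY_FAILURE in each (or a comment stating that no error code is set) would make the failure diagnosable.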
@@ -81,17 +79,17 @@ DH_GenParam(int primeLen, DHParams **params) CHECK_MPI_OK(mp_init(&psub1)); CHECK_MPI_OK(mp_init(&test)); /* generate prime with MPI, uses Miller-Rabin to generate strong prime. */ - pb = PORT_Alloc(primeLen); - CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(pb, primeLen)); - pb[0] |= 0x80; /* set high-order bit */ - pb[primeLen - 1] |= 0x01; /* set low-order bit */ - CHECK_MPI_OK(mp_read_unsigned_octets(&p, pb, primeLen)); - CHECK_MPI_OK(mpp_make_prime(&p, primeLen * 8, PR_TRUE, &counter)); + CHECK_SEC_OK(generate_prime(&p, primeLen)); /* construct Sophie-Germain prime q = (p-1)/2. */ CHECK_MPI_OK(mp_sub_d(&p, 1, &psub1)); CHECK_MPI_OK(mp_div_2(&psub1, &q)); /* construct a generator from the prime. */ ab = PORT_Alloc(primeLen); + if (!ab) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + rv = SECFailure; + goto cleanup; + } /* generate a candidate number a in p's field */ CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(ab, primeLen)); CHECK_MPI_OK(mp_read_unsigned_octets(&a, ab, primeLen)); @@ -121,16 +119,16 @@ cleanup: mp_clear(&h); mp_clear(&psub1); mp_clear(&test); - if (pb) - PORT_ZFree(pb, primeLen); - if (ab) + if (ab) { PORT_ZFree(ab, primeLen); + } if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; } - if (rv) + if (rv != SECSuccess) { PORT_FreeArena(arena, PR_TRUE); + } return rv; } diff --git a/security/nss/lib/freebl/drbg.c b/security/nss/lib/freebl/drbg.c index ac0bba6e09..224bbe87d8 100644 --- a/security/nss/lib/freebl/drbg.c +++ b/security/nss/lib/freebl/drbg.c @@ -20,10 +20,6 @@ #include "secrng.h" /* for RNG_SystemRNG() */ #include "secmpi.h" -#ifdef UNSAFE_FUZZER_MODE -#include "det_rng.h" -#endif - /* PRNG_SEEDLEN defined in NIST SP 800-90 section 10.1 * for SHA-1, SHA-224, and SHA-256 it's 440 bits. * for SHA-384 and SHA-512 it's 888 bits */ 
@@ -438,10 +434,10 @@ rng_init(void) globalrng = NULL; return PR_FAILURE; } - if (rv != SECSuccess) { return PR_FAILURE; } + /* the RNG is in a valid state */ globalrng->isValid = PR_TRUE; globalrng->isKatTest = PR_FALSE; @@ -658,21 +654,7 @@ prng_GenerateGlobalRandomBytes(RNGContext *rng, SECStatus RNG_GenerateGlobalRandomBytes(void *dest, size_t len) { -#ifdef UNSAFE_FUZZER_MODE - return prng_GenerateDeterministicRandomBytes(globalrng->lock, dest, len); -#else return prng_GenerateGlobalRandomBytes(globalrng, dest, len); -#endif -} - -SECStatus -RNG_ResetForFuzzing(void) -{ -#ifdef UNSAFE_FUZZER_MODE - return prng_ResetForFuzzing(globalrng->lock); -#else - return SECFailure; -#endif } void diff --git a/security/nss/lib/freebl/ec.c b/security/nss/lib/freebl/ec.c index 12bfeed416..669c9b147c 100644 --- a/security/nss/lib/freebl/ec.c +++ b/security/nss/lib/freebl/ec.c @@ -565,6 +565,15 @@ ECDH_Derive(SECItem *publicValue, return SECFailure; } + /* + * Make sure the point is on the requested curve to avoid + * certain small subgroup attacks. + */ + if (EC_ValidatePublicKey(ecParams, publicValue) != SECSuccess) { + PORT_SetError(SEC_ERROR_BAD_KEY); + return SECFailure; + } + /* Perform curve specific multiplication using ECMethod */ if (ecParams->fieldID.type == ec_field_plain) { const ECMethod *method; @@ -580,10 +589,6 @@ ECDH_Derive(SECItem *publicValue, PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); return SECFailure; } - if (method->validate(publicValue) != SECSuccess) { - PORT_SetError(SEC_ERROR_BAD_KEY); - return SECFailure; - } return method->mul(derivedSecret, privateValue, publicValue); } 
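Review bot: The new `EC_ValidatePublicKey(ecParams, publicValue)` check replaces the per-method `method->validate(publicValue)` call that the second hunk removes from the ec_field_plain branch, so that branch now depends entirely on EC_ValidatePublicKey handling plain-field curves; its body is not on this page, so confirm it dispatches to the method's validator for ec_field_plain rather than performing only the GFp on-curve check. A short comment at the removal site, `/* publicValue was validated above by EC_ValidatePublicKey */`, would keep a later reader from re-adding the call. ECDH_Derive starts and ends outside these hunks.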
@@ -1001,9 +1006,14 @@ ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature, } slen = signature->len / 2; + /* + * The incoming point has been verified in sftk_handlePublicKeyObject. + */ + SECITEM_AllocItem(NULL, &pointC, EC_GetPointSize(ecParams)); - if (pointC.data == NULL) + if (pointC.data == NULL) { goto cleanup; + } CHECK_MPI_OK(mp_init(&r_)); CHECK_MPI_OK(mp_init(&s_)); diff --git a/security/nss/lib/freebl/ecdecode.c b/security/nss/lib/freebl/ecdecode.c index e1f1eb8a55..54b3e111ba 100644 --- a/security/nss/lib/freebl/ecdecode.c +++ b/security/nss/lib/freebl/ecdecode.c @@ -22,57 +22,6 @@ if (SECSuccess != (rv = func)) \ goto cleanup -/* - * Initializes a SECItem from a hexadecimal string - * - * Warning: This function ignores leading 00's, so any leading 00's - * in the hexadecimal string must be optional. - */ -static SECItem * -hexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str) -{ - int i = 0; - int byteval = 0; - int tmp = PORT_Strlen(str); - - PORT_Assert(arena); - PORT_Assert(item); - - if ((tmp % 2) != 0) - return NULL; - - /* skip leading 00's unless the hex string is "00" */ - while ((tmp > 2) && (str[0] == '0') && (str[1] == '0')) { - str += 2; - tmp -= 2; - } - - item->data = (unsigned char *)PORT_ArenaAlloc(arena, tmp / 2); - if (item->data == NULL) - return NULL; - item->len = tmp / 2; - - while (str[i]) { - if ((str[i] >= '0') && (str[i] <= '9')) - tmp = str[i] - '0'; - else if ((str[i] >= 'a') && (str[i] <= 'f')) - tmp = str[i] - 'a' + 10; - else if ((str[i] >= 'A') && (str[i] <= 'F')) - tmp = str[i] - 'A' + 10; - else - return NULL; - - byteval = byteval * 16 + tmp; - if ((i % 2) != 0) { - item->data[i / 2] = byteval; - byteval = 0; - } - i++; - } - - return item; -} - /* Copy all of the fields from srcParams into dstParams */ SECStatus 
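Review bot: The new comment `The incoming point has been verified in sftk_handlePublicKeyObject.` documents a precondition enforced in softoken, one layer above freebl, so any other caller of ECDSA_VerifyDigest (freebl is also built standalone, as the `FREEBL_NO_DEPEND` guard in blinit.c suggests) gets no point validation here. Either validate in place, mirroring the `EC_ValidatePublicKey(ecParams, &key->publicValue)` check this commit adds to ECDH_Derive, or state the precondition in the blapi.h documentation of ECDSA_VerifyDigest where callers will see it rather than only inside the body. ECDSA_VerifyDigest starts and ends outside the hunk.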
@@ -120,12 +69,10 @@ cleanup: } static SECStatus -gf_populate_params(ECCurveName name, ECFieldType field_type, ECParams *params) +gf_populate_params_bytes(ECCurveName name, ECFieldType field_type, ECParams *params) { SECStatus rv = SECFailure; - const ECCurveParams *curveParams; - /* 2 ['0'+'4'] + MAX_ECKEY_LEN * 2 [x,y] * 2 [hex string] + 1 ['\0'] */ - char genenc[3 + 2 * 2 * MAX_ECKEY_LEN]; + const ECCurveBytes *curveParams; if ((name < ECCurve_noName) || (name > ECCurve_pastLastCurve)) goto cleanup; 
@@ -134,26 +81,19 @@ gf_populate_params(ECCurveName name, ECFieldType field_type, ECParams *params) CHECK_OK(curveParams); params->fieldID.size = curveParams->size; params->fieldID.type = field_type; - if (field_type == ec_field_GFp || - field_type == ec_field_plain) { - CHECK_OK(hexString2SECItem(params->arena, ¶ms->fieldID.u.prime, - curveParams->irr)); - } else { - CHECK_OK(hexString2SECItem(params->arena, ¶ms->fieldID.u.poly, - curveParams->irr)); + if (field_type != ec_field_GFp && field_type != ec_field_plain) { + return SECFailure; } - CHECK_OK(hexString2SECItem(params->arena, ¶ms->curve.a, - curveParams->curvea)); - CHECK_OK(hexString2SECItem(params->arena, ¶ms->curve.b, - curveParams->curveb)); - genenc[0] = '0'; - genenc[1] = '4'; - genenc[2] = '\0'; - strcat(genenc, curveParams->genx); - strcat(genenc, curveParams->geny); - CHECK_OK(hexString2SECItem(params->arena, ¶ms->base, genenc)); - CHECK_OK(hexString2SECItem(params->arena, ¶ms->order, - curveParams->order)); + params->fieldID.u.prime.len = curveParams->scalarSize; + params->fieldID.u.prime.data = (unsigned char *)curveParams->irr; + params->curve.a.len = curveParams->scalarSize; + params->curve.a.data = (unsigned char *)curveParams->curvea; + params->curve.b.len = curveParams->scalarSize; + params->curve.b.data = (unsigned char *)curveParams->curveb; + params->base.len = curveParams->pointSize; + params->base.data = (unsigned char *)curveParams->base; + params->order.len = curveParams->scalarSize; + params->order.data = (unsigned char *)curveParams->order; params->cofactor = curveParams->cofactor; rv = SECSuccess; 
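Review bot: `params->fieldID.u.prime.data = (unsigned char *)curveParams->irr;` and the four assignments after it cast the const off static tables and hand them to mutable SECItems, so the compiler can no longer flag a later write through `params->curve`, `params->base` or `params->order` — such a write would fault on read-only data at run time instead. Since these items are no longer arena-allocated, state the invariant at the assignment site: `/* These SECItems alias read-only curve tables; never write through or free them. */`. The `return SECFailure;` for an unsupported field_type also bypasses the function's `cleanup:` label, unlike the `goto cleanup` used a few lines above for the name-range check; `goto cleanup` (rv is already SECFailure) keeps the exit path uniform.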
@@ -216,29 +156,30 @@ EC_FillParams(PLArenaPool *arena, const SECItem *encodedParams, /* Populate params for prime256v1 aka secp256r1 * (the NIST P-256 curve) */ - CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_PRIME_256V1, ec_field_GFp, - params)); + CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_X9_62_PRIME_256V1, + ec_field_GFp, params)); break; case SEC_OID_SECG_EC_SECP384R1: /* Populate params for secp384r1 * (the NIST P-384 curve) */ - CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_PRIME_384R1, ec_field_GFp, - params)); + CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_384R1, + ec_field_GFp, params)); break; case SEC_OID_SECG_EC_SECP521R1: /* Populate params for secp521r1 * (the NIST P-521 curve) */ - CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_PRIME_521R1, ec_field_GFp, - params)); + CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_521R1, + ec_field_GFp, params)); break; case SEC_OID_CURVE25519: /* Populate params for Curve25519 */ - CHECK_SEC_OK(gf_populate_params(ECCurve25519, ec_field_plain, params)); + CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519, ec_field_plain, + params)); break; default: @@ -296,16 +237,20 @@ int EC_GetPointSize(const ECParams *params) { ECCurveName name = params->name; - const ECCurveParams *curveParams; + const ECCurveBytes *curveParams; if ((name < ECCurve_noName) || (name > ECCurve_pastLastCurve) || ((curveParams = ecCurve_map[name]) == NULL)) { - /* unknown curve, calculate point size from params. assume standard curves with 2 points + /* unknown curve, calculate point size from params. assume standard curves with 2 points * and a point compression indicator byte */ int sizeInBytes = (params->fieldID.size + 7) / 8; return sizeInBytes * 2 + 1; } - return curveParams->pointSize; + if (name == ECCurve25519) { + /* Only X here */ + return curveParams->scalarSize; + } + return curveParams->pointSize - 1; } #endif /* NSS_DISABLE_ECC */ 
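Review bot: `return curveParams->pointSize - 1;` subtracts one without saying why, while the fallback path a few lines up computes `sizeInBytes * 2 + 1` for the same uncompressed-point size, so the reader has to work out that the table's pointSize appears to count one byte more than the encoded point (the 66-byte `base256` in ecl-curve.h does begin `0x04, 0x00`). Add a comment at the return, e.g. `/* pointSize in ECCurveBytes includes one extra leading byte; see the base arrays in ecl-curve.h. */`, and `/* Curve25519 public values carry only the X coordinate. */` says more than `Only X here`.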
diff --git a/security/nss/lib/freebl/ecl/README b/security/nss/lib/freebl/ecl/README index 04a8b3b011..2996822c88 100644 --- a/security/nss/lib/freebl/ecl/README +++ b/security/nss/lib/freebl/ecl/README @@ -90,20 +90,6 @@ the linear coefficient in the curve defining equation). ecp_192.c and ecp_224.c provide optimized field arithmetic. -Point Arithmetic over Binary Polynomial Fields ----------------------------------------------- - -ec2_aff.c provides point arithmetic using affine coordinates. - -ec2_proj.c provides point arithmetic using projective coordinates. -(Projective coordinates represent a point (x, y) as (X, Y, Z), where -x=X/Z, y=Y/Z^2). - -ec2_mont.c provides point multiplication using Montgomery projective -coordinates. - -ec2_163.c, ec2_193.c, and ec2_233.c provide optimized field arithmetic. - Field Arithmetic ---------------- @@ -126,18 +112,6 @@ fields defined by nistp192 and nistp224 primes. ecl_gf.c provides wrappers around the basic field operations. -Binary Polynomial Field Arithmetic ----------------------------------- - -../mpi/mp_gf2m.c provides basic binary polynomial field arithmetic, -including addition, multiplication, squaring, mod, and division, as well -as conversion ob polynomial representations between bitstring and int[]. - -ec2_163.c, ec2_193.c, and ec2_233.c provide optimized field mod, mul, -and sqr operations. - -ecl_gf.c provides wrappers around the basic field operations. - Field Encoding -------------- 
@@ -187,81 +161,3 @@ arithmetic. Instead, they use basic field arithmetic with their optimized reduction (as in ecp_192.c and ecp_224.c). They use the same point multiplication and simultaneous point multiplication algorithms as other curves over prime fields. - -Curves over binary polynomial fields by default use generic field -arithmetic with montgomery point multiplication and basic kP + lQ -computation (multiply, multiply, and add). (Wiring in function -ECGroup_cons_GF2m in ecl.c.) - -Curves over binary polynomial fields that have optimized field -arithmetic (i.e., any 163-, 193, or 233-bit field) use their optimized -field arithmetic. They use the same point multiplication and -simultaneous point multiplication algorithms as other curves over binary -fields. - -Example -------- - -We provide an example for plugging in an optimized implementation for -the Koblitz curve nistk163. - -Suppose the file ec2_k163.c contains the optimized implementation. In -particular it contains a point multiplication function: - - mp_err ec_GF2m_nistk163_pt_mul(const mp_int *n, const mp_int *px, - const mp_int *py, mp_int *rx, mp_int *ry, const ECGroup *group); - -Since only a pt_mul function is provided, the generic pt_add function -will be used. - -There are two options for handling the optimized field arithmetic used -by the ..._pt_mul function. Say the optimized field arithmetic includes -the following functions: - - mp_err ec_GF2m_nistk163_add(const mp_int *a, const mp_int *b, - mp_int *r, const GFMethod *meth); - mp_err ec_GF2m_nistk163_mul(const mp_int *a, const mp_int *b, - mp_int *r, const GFMethod *meth); - mp_err ec_GF2m_nistk163_sqr(const mp_int *a, const mp_int *b, - mp_int *r, const GFMethod *meth); - mp_err ec_GF2m_nistk163_div(const mp_int *a, const mp_int *b, - mp_int *r, const GFMethod *meth); - -First, the optimized field arithmetic could simply be called directly -by the ..._pt_mul function. 
This would be accomplished by changing -the ecgroup_fromNameAndHex function in ecl.c to include the following -statements: - - if (name == ECCurve_NIST_K163) { - group = ECGroup_consGF2m(&irr, NULL, &curvea, &curveb, &genx, - &geny, &order, params->cofactor); - if (group == NULL) { res = MP_UNDEF; goto CLEANUP; } - MP_CHECKOK( ec_group_set_nistk163(group) ); - } - -and including in ec2_k163.c the following function: - - mp_err ec_group_set_nistk163(ECGroup *group) { - group->point_mul = &ec_GF2m_nistk163_pt_mul; - return MP_OKAY; - } - -As a result, ec_GF2m_pt_add and similar functions would use the -basic binary polynomial field arithmetic ec_GF2m_add, ec_GF2m_mul, -ec_GF2m_sqr, and ec_GF2m_div. - -Alternatively, the optimized field arithmetic could be wired into the -group's GFMethod. This would be accomplished by putting the following -function in ec2_k163.c: - - mp_err ec_group_set_nistk163(ECGroup *group) { - group->meth->field_add = &ec_GF2m_nistk163_add; - group->meth->field_mul = &ec_GF2m_nistk163_mul; - group->meth->field_sqr = &ec_GF2m_nistk163_sqr; - group->meth->field_div = &ec_GF2m_nistk163_div; - group->point_mul = &ec_GF2m_nistk163_pt_mul; - return MP_OKAY; - } - -For an example of functions that use special field encodings, take a -look at ecp_mont.c. diff --git a/security/nss/lib/freebl/ecl/curve25519_64.c b/security/nss/lib/freebl/ecl/curve25519_64.c index 89327ad1cf..65f6bd41b5 100644 --- a/security/nss/lib/freebl/ecl/curve25519_64.c +++ b/security/nss/lib/freebl/ecl/curve25519_64.c @@ -206,7 +206,7 @@ fexpand(felem *output, const u8 *in) output[1] = (*((const uint64_t *)(in + 6)) >> 3) & MASK51; output[2] = (*((const uint64_t *)(in + 12)) >> 6) & MASK51; output[3] = (*((const uint64_t *)(in + 19)) >> 1) & MASK51; - output[4] = (*((const uint64_t *)(in + 25)) >> 4) & MASK51; + output[4] = (*((const uint64_t *)(in + 24)) >> 12) & MASK51; } /* Take a fully reduced polynomial form number and contract it into a 
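Review bot: The corrected `output[4] = (*((const uint64_t *)(in + 24)) >> 12) & MASK51;` keeps the type-punned 8-byte load pattern of the lines above it — reading a `uint64_t` through a cast `u8` pointer violates strict aliasing and is misaligned whenever `in` is, which is undefined behaviour even where x86 tolerates it. A `uint64_t t; memcpy(&t, in + 24, sizeof t);` per limb compiles to the same load on the targets this file is built for and needs no sanitizer suppression. fexpand's other loads start before the hunk.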
diff --git a/security/nss/lib/freebl/ecl/ecl-curve.h b/security/nss/lib/freebl/ecl/ecl-curve.h index df061396c1..fc8003f5d8 100644 --- a/security/nss/lib/freebl/ecl/ecl-curve.h +++ b/security/nss/lib/freebl/ecl/ecl-curve.h @@ -3,6 +3,7 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "ecl-exp.h" +#include "eclt.h" #include <stdlib.h> #ifndef __ecl_curve_h_ 
@@ -12,52 +13,201 @@ #define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */ #define KU_KEY_AGREEMENT (0x08) /* bit 4 */ -static const ECCurveParams ecCurve_NIST_P256 = { +static const PRUint8 irr256[32] = + { 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }; +static const PRUint8 a256[32] = + { 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC }; +static const PRUint8 b256[32] = + { 0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55, + 0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6, + 0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B }; +static const PRUint8 x256[32] = + { 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5, + 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0, + 0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96 }; +static const PRUint8 y256[32] = + { 0x4F, 0xE3, 0x42, 0xE2, 0xFE, 0x1A, 0x7F, 0x9B, 0x8E, 0xE7, 0xEB, 0x4A, + 0x7C, 0x0F, 0x9E, 0x16, 0x2B, 0xCE, 0x33, 0x57, 0x6B, 0x31, 0x5E, 0xCE, + 0xCB, 0xB6, 0x40, 0x68, 0x37, 0xBF, 0x51, 0xF5 }; +static const PRUint8 order256[32] = + { 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, + 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51 }; +static const PRUint8 base256[66] = + { 0x04, 0x00, + 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5, + 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0, + 0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96, + 0x4F, 0xE3, 0x42, 0xE2, 0xFE, 0x1A, 0x7F, 0x9B, 0x8E, 0xE7, 0xEB, 0x4A, + 0x7C, 0x0F, 0x9E, 0x16, 0x2B, 0xCE, 0x33, 0x57, 0x6B, 0x31, 0x5E, 0xCE, + 0xCB, 0xB6, 0x40, 
0x68, 0x37, 0xBF, 0x51, 0xF5 }; + +static const ECCurveBytes ecCurve_NIST_P256 = { "NIST-P256", ECField_GFp, 256, - "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF", - "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC", - "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B", - "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296", - "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5", - "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", - 1, 128, 65, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT + irr256, a256, b256, x256, y256, order256, base256, + 1, 128, 66, 32, + KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT }; -static const ECCurveParams ecCurve_NIST_P384 = { +static const PRUint8 irr384[48] = + { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF }; +static const PRUint8 a384[48] = + { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC }; +static const PRUint8 b384[48] = + { 0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B, + 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12, + 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D, + 0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF }; +static const PRUint8 x384[48] = + { 0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E, + 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98, + 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 
0xF2, 0x5D, + 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7 }; +static const PRUint8 y384[48] = + { 0x36, 0x17, 0xDE, 0x4A, 0x96, 0x26, 0x2C, 0x6F, 0x5D, 0x9E, 0x98, 0xBF, + 0x92, 0x92, 0xDC, 0x29, 0xF8, 0xF4, 0x1D, 0xBD, 0x28, 0x9A, 0x14, 0x7C, + 0xE9, 0xDA, 0x31, 0x13, 0xB5, 0xF0, 0xB8, 0xC0, 0x0A, 0x60, 0xB1, 0xCE, + 0x1D, 0x7E, 0x81, 0x9D, 0x7A, 0x43, 0x1D, 0x7C, 0x90, 0xEA, 0x0E, 0x5F }; +static const PRUint8 order384[48] = + { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2, + 0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73 }; +static const PRUint8 base384[98] = + { 0x04, 0x00, + 0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E, + 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98, + 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D, + 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7, + 0x36, 0x17, 0xDE, 0x4A, 0x96, 0x26, 0x2C, 0x6F, 0x5D, 0x9E, 0x98, 0xBF, + 0x92, 0x92, 0xDC, 0x29, 0xF8, 0xF4, 0x1D, 0xBD, 0x28, 0x9A, 0x14, 0x7C, + 0xE9, 0xDA, 0x31, 0x13, 0xB5, 0xF0, 0xB8, 0xC0, 0x0A, 0x60, 0xB1, 0xCE, + 0x1D, 0x7E, 0x81, 0x9D, 0x7A, 0x43, 0x1D, 0x7C, 0x90, 0xEA, 0x0E, 0x5F }; + +static const ECCurveBytes ecCurve_NIST_P384 = { "NIST-P384", ECField_GFp, 384, - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF", - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC", - "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF", - "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7", - "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F", - 
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973", - 1, 192, 97, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT + irr384, a384, b384, x384, y384, order384, base384, + 1, 192, 98, 48, + KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT }; -static const ECCurveParams ecCurve_NIST_P521 = { +static const PRUint8 irr521[66] = + { 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }; +static const PRUint8 a521[66] = + { 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC }; +static const PRUint8 b521[66] = + { 0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A, + 0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3, + 0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19, + 0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1, + 0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45, + 0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00 }; +static const PRUint8 x521[66] = + { 0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E, + 0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F, + 0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B, + 0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF, + 0xA8, 
0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E, + 0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66 }; +static const PRUint8 y521[66] = + { 0x01, 0x18, 0x39, 0x29, 0x6A, 0x78, 0x9A, 0x3B, 0xC0, 0x04, 0x5C, 0x8A, + 0x5F, 0xB4, 0x2C, 0x7D, 0x1B, 0xD9, 0x98, 0xF5, 0x44, 0x49, 0x57, 0x9B, + 0x44, 0x68, 0x17, 0xAF, 0xBD, 0x17, 0x27, 0x3E, 0x66, 0x2C, 0x97, 0xEE, + 0x72, 0x99, 0x5E, 0xF4, 0x26, 0x40, 0xC5, 0x50, 0xB9, 0x01, 0x3F, 0xAD, + 0x07, 0x61, 0x35, 0x3C, 0x70, 0x86, 0xA2, 0x72, 0xC2, 0x40, 0x88, 0xBE, + 0x94, 0x76, 0x9F, 0xD1, 0x66, 0x50 }; +static const PRUint8 order521[66] = + { 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86, + 0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09, + 0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F, + 0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09 }; +static const PRUint8 base521[134] = + { + 0x04, 0x00, + 0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E, + 0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F, + 0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B, + 0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF, + 0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E, + 0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66, + 0x01, 0x18, 0x39, 0x29, 0x6A, 0x78, 0x9A, 0x3B, 0xC0, 0x04, 0x5C, 0x8A, + 0x5F, 0xB4, 0x2C, 0x7D, 0x1B, 0xD9, 0x98, 0xF5, 0x44, 0x49, 0x57, 0x9B, + 0x44, 0x68, 0x17, 0xAF, 0xBD, 0x17, 0x27, 0x3E, 0x66, 0x2C, 0x97, 0xEE, + 0x72, 0x99, 0x5E, 0xF4, 0x26, 0x40, 0xC5, 0x50, 0xB9, 0x01, 0x3F, 0xAD, + 0x07, 0x61, 0x35, 0x3C, 0x70, 0x86, 0xA2, 0x72, 0xC2, 0x40, 0x88, 0xBE, + 0x94, 0x76, 0x9F, 0xD1, 0x66, 0x50 + }; + +static const ECCurveBytes ecCurve_NIST_P521 = { "NIST-P521", ECField_GFp, 521, - 
"01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", - "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC", - "0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00", - "00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66", - "011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650", - "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", - 1, 256, 133, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT + irr521, a521, b521, x521, y521, order521, base521, + 1, 256, 134, 66, + KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT }; -static const ECCurveParams ecCurve25519 = { +static const PRUint8 irr25519[32] = + { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }; +static const PRUint8 a25519[32] = + { 0x06, 0x6d, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; +static const PRUint8 b25519[32] = + { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; +static const PRUint8 x25519[32] = + { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09 }; 
+static const PRUint8 y25519[32] = + { 0xd9, 0xd3, 0xce, 0x7e, 0xa2, 0xc5, 0xe9, 0x29, 0xb2, 0x61, 0x7c, 0x6d, + 0x7e, 0x4d, 0x3d, 0x92, 0x4c, 0xd1, 0x48, 0x77, 0x2c, 0xdd, 0x1e, 0xe0, + 0xb4, 0x86, 0xa0, 0xb8, 0xa1, 0x19, 0xae, 0x20 }; +static const PRUint8 order25519[32] = + { 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, + 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 }; +static const PRUint8 base25519[66] = + { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, + 0xd9, 0xd3, 0xce, 0x7e, 0xa2, 0xc5, 0xe9, 0x29, 0xb2, 0x61, 0x7c, 0x6d, + 0x7e, 0x4d, 0x3d, 0x92, 0x4c, 0xd1, 0x48, 0x77, 0x2c, 0xdd, 0x1e, 0xe0, + 0xb4, 0x86, 0xa0, 0xb8, 0xa1, 0x19, 0xae, 0x20, 0x00, 0x04 }; + +static const ECCurveBytes ecCurve_25519 = { "Curve25519", ECField_GFp, 255, - "7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed", - "076D06", - "00", - "0900000000000000000000000000000000000000000000000000000000000000", - "20AE19A1B8A086B4E01EDD2C7748D14C923D4D7E6D7C61B229E9C5A27ECED3D9", - "1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed", - 8, 128, 32, KU_KEY_AGREEMENT + irr25519, a25519, b25519, x25519, y25519, order25519, base25519, + 8, 128, 66, 32, + KU_KEY_AGREEMENT }; /* mapping between ECCurveName enum and pointers to ECCurveParams */ -static const ECCurveParams *ecCurve_map[] = { +static const ECCurveBytes *ecCurve_map[] = { NULL, /* ECCurve_noName */ NULL, /* ECCurve_NIST_P192 */ NULL, /* ECCurve_NIST_P224 */ @@ -116,7 +266,7 @@ static const ECCurveParams *ecCurve_map[] = { NULL, /* ECCurve_WTLS_1 */ NULL, /* ECCurve_WTLS_8 */ NULL, /* ECCurve_WTLS_9 */ - &ecCurve25519, /* ECCurve25519 */ + &ecCurve_25519, /* ECCurve25519 */ NULL /* ECCurve_pastLastCurve */ }; 
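Review bot: The layout of the new `base*` arrays and the meaning of `pointSize`/`scalarSize` are undocumented, and the entries are not visibly consistent: `base256`, `base384` and `base521` are `0x04, 0x00` followed by X and Y (2 + 2·scalarSize bytes, matching pointSize 66/98/134), while `base25519` is X, Y followed by `0x00, 0x04`; a plain SEC1 uncompressed point would be `0x04 || X || Y` with no 0x00 byte. If the extra byte and its differing position are what the consumer of `base` expects, a comment above the first `base*` table should state that encoding and the `pointSize = 2 + 2 * scalarSize` relation, otherwise the 25519 entry looks like a bug. The Curve25519 scalars also mix byte orders — `irr25519`, `a25519` and `order25519` read as little-endian values while `x25519` carries its 0x09 in the last byte — which is presumably tolerable only because ecl.c asserts `name != ECCurve25519` before building a group from these tables; a comment on `ecCurve_25519` saying these fields are not meant to be read via `mp_read_unsigned_octets` would prevent future misuse.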
diff --git a/security/nss/lib/freebl/ecl/ecl-priv.h b/security/nss/lib/freebl/ecl/ecl-priv.h index f43f193276..21685599db 100644 --- a/security/nss/lib/freebl/ecl/ecl-priv.h +++ b/security/nss/lib/freebl/ecl/ecl-priv.h @@ -246,12 +246,5 @@ mp_err ec_group_set_gf2m233(ECGroup *group, ECCurveName name); /* Optimized point multiplication */ mp_err ec_group_set_gfp256_32(ECGroup *group, ECCurveName name); -/* Optimized floating-point arithmetic */ -#ifdef ECL_USE_FP -mp_err ec_group_set_secp160r1_fp(ECGroup *group); -mp_err ec_group_set_nistp192_fp(ECGroup *group); -mp_err ec_group_set_nistp224_fp(ECGroup *group); -#endif - SECStatus ec_Curve25519_mul(PRUint8 *q, const PRUint8 *s, const PRUint8 *p); #endif /* __ecl_priv_h_ */ diff --git a/security/nss/lib/freebl/ecl/ecl.c b/security/nss/lib/freebl/ecl/ecl.c index 3540af7812..ca87b490cd 100644 --- a/security/nss/lib/freebl/ecl/ecl.c +++ b/security/nss/lib/freebl/ecl/ecl.c @@ -2,11 +2,16 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#ifdef FREEBL_NO_DEPEND +#include "../stubs.h" +#endif + #include "mpi.h" #include "mplogic.h" #include "ecl.h" #include "ecl-priv.h" #include "ecp.h" +#include "ecl-curve.h" #include <stdlib.h> #include <string.h> 
@@ -128,37 +133,16 @@ CLEANUP: return group; } -/* Construct ECGroup from hex parameters and name, if any. Called by - * ECGroup_fromHex and ECGroup_fromName. */ +/* Construct an ECGroup. */ ECGroup * -ecgroup_fromNameAndHex(const ECCurveName name, - const ECCurveParams *params) +construct_ecgroup(const ECCurveName name, mp_int irr, mp_int curvea, + mp_int curveb, mp_int genx, mp_int geny, mp_int order, + int cofactor, ECField field, const char *text) { - mp_int irr, curvea, curveb, genx, geny, order; int bits; ECGroup *group = NULL; mp_err res = MP_OKAY; - /* initialize values */ - MP_DIGITS(&irr) = 0; - MP_DIGITS(&curvea) = 0; - MP_DIGITS(&curveb) = 0; - MP_DIGITS(&genx) = 0; - MP_DIGITS(&geny) = 0; - MP_DIGITS(&order) = 0; - MP_CHECKOK(mp_init(&irr)); - MP_CHECKOK(mp_init(&curvea)); - MP_CHECKOK(mp_init(&curveb)); - MP_CHECKOK(mp_init(&genx)); - MP_CHECKOK(mp_init(&geny)); - MP_CHECKOK(mp_init(&order)); - MP_CHECKOK(mp_read_radix(&irr, params->irr, 16)); - MP_CHECKOK(mp_read_radix(&curvea, params->curvea, 16)); - MP_CHECKOK(mp_read_radix(&curveb, params->curveb, 16)); - MP_CHECKOK(mp_read_radix(&genx, params->genx, 16)); - MP_CHECKOK(mp_read_radix(&geny, params->geny, 16)); - MP_CHECKOK(mp_read_radix(&order, params->order, 16)); - /* determine number of bits */ bits = mpl_significant_bits(&irr) - 1; if (bits < MP_OKAY) { @@ -167,12 +151,12 @@ ecgroup_fromNameAndHex(const ECCurveName name, } /* determine which optimizations (if any) to use */ - if (params->field == ECField_GFp) { + if (field == ECField_GFp) { switch (name) { case ECCurve_SECG_PRIME_256R1: group = ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, - &order, params->cofactor); + &order, cofactor); if (group == NULL) { res = MP_UNDEF; goto CLEANUP; 
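Review bot: `construct_ecgroup` takes its six `mp_int` parameters by value, so it works on struct copies whose digit buffers are still owned by the caller (`ecgroup_fromName` calls `mp_clear` on the originals afterwards); any `mp_clear`, reallocation or reassignment of those copies anywhere in the callee chain would free or leak the caller's buffers, and nothing in the signature says the values are borrowed. The rest of this file passes big integers as pointers (`ECGroup_consGFp(&irr, ...)`), so the consistent signature is `construct_ecgroup(const ECCurveName name, const mp_int *irr, const mp_int *curvea, const mp_int *curveb, const mp_int *genx, const mp_int *geny, const mp_int *order, int cofactor, ECField field, const char *text)`, dropping the `&` at the uses and having the caller pass `&irr` and friends. The replacement header `/* Construct an ECGroup. */` should also say that the mp_int arguments are borrowed and that NULL is returned on any failure. The function's body continues past the end of this hunk.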
@@ -183,7 +167,7 @@ ecgroup_fromNameAndHex(const ECCurveName name, case ECCurve_SECG_PRIME_521R1: group = ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, - &order, params->cofactor); + &order, cofactor); if (group == NULL) { res = MP_UNDEF; goto CLEANUP; @@ -194,7 +178,7 @@ ecgroup_fromNameAndHex(const ECCurveName name, /* use generic arithmetic */ group = ECGroup_consGFp_mont(&irr, &curvea, &curveb, &genx, &geny, - &order, params->cofactor); + &order, cofactor); if (group == NULL) { res = MP_UNDEF; goto CLEANUP; 
@@ -206,62 +190,95 @@ ecgroup_fromNameAndHex(const ECCurveName name, } /* set name, if any */ - if ((group != NULL) && (params->text != NULL)) { - group->text = strdup(params->text); + if ((group != NULL) && (text != NULL)) { + group->text = strdup(text); if (group->text == NULL) { res = MP_MEM; } } CLEANUP: + if (group && res != MP_OKAY) { + ECGroup_free(group); + return NULL; + } + return group; +} + +/* Construct ECGroup from parameters and name, if any. */ +ECGroup * +ecgroup_fromName(const ECCurveName name, + const ECCurveBytes *params) +{ + mp_int irr, curvea, curveb, genx, geny, order; + ECGroup *group = NULL; + mp_err res = MP_OKAY; + + /* initialize values */ + MP_DIGITS(&irr) = 0; + MP_DIGITS(&curvea) = 0; + MP_DIGITS(&curveb) = 0; + MP_DIGITS(&genx) = 0; + MP_DIGITS(&geny) = 0; + MP_DIGITS(&order) = 0; + MP_CHECKOK(mp_init(&irr)); + MP_CHECKOK(mp_init(&curvea)); + MP_CHECKOK(mp_init(&curveb)); + MP_CHECKOK(mp_init(&genx)); + MP_CHECKOK(mp_init(&geny)); + MP_CHECKOK(mp_init(&order)); + MP_CHECKOK(mp_read_unsigned_octets(&irr, params->irr, params->scalarSize)); + MP_CHECKOK(mp_read_unsigned_octets(&curvea, params->curvea, params->scalarSize)); + MP_CHECKOK(mp_read_unsigned_octets(&curveb, params->curveb, params->scalarSize)); + MP_CHECKOK(mp_read_unsigned_octets(&genx, params->genx, params->scalarSize)); + MP_CHECKOK(mp_read_unsigned_octets(&geny, params->geny, params->scalarSize)); + MP_CHECKOK(mp_read_unsigned_octets(&order, params->order, params->scalarSize)); + + group = construct_ecgroup(name, irr, curvea, curveb, genx, geny, order, + params->cofactor, params->field, params->text); + +CLEANUP: mp_clear(&irr); mp_clear(&curvea); mp_clear(&curveb); mp_clear(&genx); mp_clear(&geny); mp_clear(&order); - if (res != MP_OKAY) { + if (group && res != MP_OKAY) { ECGroup_free(group); return NULL; } return group; } -/* Construct ECGroup from hexadecimal representations of parameters. 
*/ -ECGroup * -ECGroup_fromHex(const ECCurveParams *params) +/* Construct ECCurveBytes from an ECCurveName */ +const ECCurveBytes * +ec_GetNamedCurveParams(const ECCurveName name) { - return ecgroup_fromNameAndHex(ECCurve_noName, params); + if ((name <= ECCurve_noName) || (ECCurve_pastLastCurve <= name) || + (ecCurve_map[name] == NULL)) { + return NULL; + } else { + return ecCurve_map[name]; + } } /* Construct ECGroup from named parameters. */ ECGroup * ECGroup_fromName(const ECCurveName name) { - ECGroup *group = NULL; - ECCurveParams *params = NULL; - mp_err res = MP_OKAY; + const ECCurveBytes *params = NULL; - params = EC_GetNamedCurveParams(name); + /* This doesn't work with Curve25519 but it's not necessary to. */ + PORT_Assert(name != ECCurve25519); + + params = ec_GetNamedCurveParams(name); if (params == NULL) { - res = MP_UNDEF; - goto CLEANUP; + return NULL; } /* construct actual group */ - group = ecgroup_fromNameAndHex(name, params); - if (group == NULL) { - res = MP_UNDEF; - goto CLEANUP; - } - -CLEANUP: - EC_FreeCurveParams(params); - if (res != MP_OKAY) { - ECGroup_free(group); - return NULL; - } - return group; + return ecgroup_fromName(name, params); } /* Validates an EC public key as described in Section 5.2.2 of X9.62. */ diff --git a/security/nss/lib/freebl/ecl/ecl.h b/security/nss/lib/freebl/ecl/ecl.h index ddcbb1f3a2..f6d5bc4eaf 100644 --- a/security/nss/lib/freebl/ecl/ecl.h +++ b/security/nss/lib/freebl/ecl/ecl.h 
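Review bot: `ECGroup_fromName` guards the Curve25519 case only with `PORT_Assert(name != ECCurve25519)`; if that macro compiles out in non-debug builds, as PR_ASSERT does, the call falls through to `ec_GetNamedCurveParams`, which does return `&ecCurve_25519` from `ecCurve_map`, and `ecgroup_fromName` then builds a group from byte tables that the adjacent comment says do not work for this curve. Fail closed in addition to asserting: `if (name == ECCurve25519) { return NULL; }` directly after the assert. The comment `/* This doesn't work with Curve25519 but it's not necessary to. */` should then also say why — the Curve25519 entries are not in the byte order `mp_read_unsigned_octets` expects — so the next reader does not remove the guard.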
@@ -11,28 +11,17 @@ #include "blapi.h" #include "ecl-exp.h" #include "mpi.h" +#include "eclt.h" struct ECGroupStr; typedef struct ECGroupStr ECGroup; -/* Construct ECGroup from hexadecimal representations of parameters. */ -ECGroup *ECGroup_fromHex(const ECCurveParams *params); - /* Construct ECGroup from named parameters. */ ECGroup *ECGroup_fromName(const ECCurveName name); /* Free an allocated ECGroup. */ void ECGroup_free(ECGroup *group); -/* Construct ECCurveParams from an ECCurveName */ -ECCurveParams *EC_GetNamedCurveParams(const ECCurveName name); - -/* Duplicates an ECCurveParams */ -ECCurveParams *ECCurveParams_dup(const ECCurveParams *params); - -/* Free an allocated ECCurveParams */ -void EC_FreeCurveParams(ECCurveParams *params); - /* Elliptic curve scalar-point multiplication. Computes Q(x, y) = k * P(x, * y). If x, y = NULL, then P is assumed to be the generator (base point) * of the group of points on the elliptic curve. Input and output values diff --git a/security/nss/lib/freebl/ecl/ecl_curve.c b/security/nss/lib/freebl/ecl/ecl_curve.c deleted file mode 100644 index cf090cfc34..0000000000 --- a/security/nss/lib/freebl/ecl/ecl_curve.c +++ /dev/null 
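Review bot: This header drops the prototypes of the removed `ECCurveParams` API but adds none for `ec_GetNamedCurveParams`, which ecl.c now defines with external linkage and a `const ECCurveBytes *` return; if other translation units call it, declare it here next to `ECGroup_fromName` as `const ECCurveBytes *ec_GetNamedCurveParams(const ECCurveName name);`, otherwise make the definition `static` so the symbol is not exported. The new `#include "eclt.h"` only works because it follows `ecl-exp.h` and `mpi.h` — eclt.h includes nothing itself and presumably takes `ECField` and `PRUint8` from them — so a comment `/* eclt.h relies on the headers above */` on that line would keep the ordering from being rearranged later.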
@@ -1,93 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "ecl.h" -#include "ecl-curve.h" -#include "ecl-priv.h" -#include <stdlib.h> -#include <string.h> - -#define CHECK(func) \ - if ((func) == NULL) { \ - res = 0; \ - goto CLEANUP; \ - } - -/* Duplicates an ECCurveParams */ -ECCurveParams * -ECCurveParams_dup(const ECCurveParams *params) -{ - int res = 1; - ECCurveParams *ret = NULL; - - CHECK(ret = (ECCurveParams *)calloc(1, sizeof(ECCurveParams))); - if (params->text != NULL) { - CHECK(ret->text = strdup(params->text)); - } - ret->field = params->field; - ret->size = params->size; - if (params->irr != NULL) { - CHECK(ret->irr = strdup(params->irr)); - } - if (params->curvea != NULL) { - CHECK(ret->curvea = strdup(params->curvea)); - } - if (params->curveb != NULL) { - CHECK(ret->curveb = strdup(params->curveb)); - } - if (params->genx != NULL) { - CHECK(ret->genx = strdup(params->genx)); - } - if (params->geny != NULL) { - CHECK(ret->geny = strdup(params->geny)); - } - if (params->order != NULL) { - CHECK(ret->order = strdup(params->order)); - } - ret->cofactor = params->cofactor; - -CLEANUP: - if (res != 1) { - EC_FreeCurveParams(ret); - return NULL; - } - return ret; -} - -#undef CHECK - -/* Construct ECCurveParams from an ECCurveName */ -ECCurveParams * -EC_GetNamedCurveParams(const ECCurveName name) -{ - if ((name <= ECCurve_noName) || (ECCurve_pastLastCurve <= name) || - (ecCurve_map[name] == NULL)) { - return NULL; - } else { - return ECCurveParams_dup(ecCurve_map[name]); - } -} - -/* Free the memory allocated (if any) to an ECCurveParams object. 
*/ -void -EC_FreeCurveParams(ECCurveParams *params) -{ - if (params == NULL) - return; - if (params->text != NULL) - free(params->text); - if (params->irr != NULL) - free(params->irr); - if (params->curvea != NULL) - free(params->curvea); - if (params->curveb != NULL) - free(params->curveb); - if (params->genx != NULL) - free(params->genx); - if (params->geny != NULL) - free(params->geny); - if (params->order != NULL) - free(params->order); - free(params); -} diff --git a/security/nss/lib/freebl/ecl/eclt.h b/security/nss/lib/freebl/ecl/eclt.h new file mode 100644 index 0000000000..e763706f26 --- /dev/null +++ b/security/nss/lib/freebl/ecl/eclt.h @@ -0,0 +1,30 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* This header holds ECC types and must not be exported publicly. */ + +#ifndef __eclt_h_ +#define __eclt_h_ + +/* byte encoding of curve parameters */ +struct ECCurveBytesStr { + char *text; + ECField field; + size_t size; + const PRUint8 *irr; + const PRUint8 *curvea; + const PRUint8 *curveb; + const PRUint8 *genx; + const PRUint8 *geny; + const PRUint8 *order; + const PRUint8 *base; + int cofactor; + int security; + size_t pointSize; + size_t scalarSize; + unsigned int usage; +}; +typedef struct ECCurveBytesStr ECCurveBytes; + +#endif /* __ecl_h_ */ diff --git a/security/nss/lib/freebl/ecl/ecp_25519.c b/security/nss/lib/freebl/ecl/ecp_25519.c index a8d41520eb..1e7875fff2 100644 --- a/security/nss/lib/freebl/ecl/ecp_25519.c +++ b/security/nss/lib/freebl/ecl/ecp_25519.c @@ -79,8 +79,7 @@ ec_Curve25519_pt_validate(const SECItem *px) 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, }; - /* The point must not be longer than 32 (it can be smaller). */ - if (px->len <= 32) { + if (px->len == 32) { p = px->data; } else { return SECFailure; 
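Review bot: `char *text;` in the new `ECCurveBytesStr` is initialised from string literals in ecl-curve.h (`"NIST-P256"`, `"Curve25519"`), so the field should be `const char *text;` — as declared, nothing stops a caller from writing through it, which is undefined behaviour on a literal, and the only visible reader (`strdup(text)` in construct_ecgroup) needs no write access. The closing guard comment `#endif /* __ecl_h_ */` names the wrong macro and should read `#endif /* __eclt_h_ */`. The header also uses `ECField`, `PRUint8` and `size_t` without including anything, so it compiles only when included after the headers that define them; either add the includes or state that prerequisite in the header's leading comment.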
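Review bot: Tightening `px->len <= 32` to `px->len == 32` also deletes the comment that explained the length check, so the new contract — inputs shorter than 32 bytes are now rejected, not only longer ones — is undocumented at the point where it is enforced. Keep a one-line comment above the test, e.g. `/* A Curve25519 u-coordinate is exactly 32 bytes; any other length is rejected. */`. ec_Curve25519_pt_validate begins before this hunk and continues after it.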
diff --git a/security/nss/lib/freebl/ecl/ecp_jm.c b/security/nss/lib/freebl/ecl/ecp_jm.c index a1106cea83..bd13fa0508 100644 --- a/security/nss/lib/freebl/ecl/ecp_jm.c +++ b/security/nss/lib/freebl/ecl/ecp_jm.c @@ -127,6 +127,17 @@ ec_GFp_pt_add_jm_aff(const mp_int *px, const mp_int *py, const mp_int *pz, MP_CHECKOK(group->meth->field_mul(A, qx, A, group->meth)); MP_CHECKOK(group->meth->field_mul(B, qy, B, group->meth)); + /* Check P == Q */ + if (mp_cmp(A, px) == 0) { + if (mp_cmp(B, py) == 0) { + /* If Px == Qx && Py == Qy, double P. */ + return ec_GFp_pt_dbl_jm(px, py, pz, paz4, rx, ry, rz, raz4, + scratch, group); + } + /* If Px == Qx && Py != Qy, return point at infinity. */ + return ec_GFp_pt_set_inf_jac(rx, ry, rz); + } + /* C = A - px, D = B - py */ MP_CHECKOK(group->meth->field_sub(A, px, C, group->meth)); MP_CHECKOK(group->meth->field_sub(B, py, D, group->meth)); diff --git a/security/nss/lib/freebl/ecl/tests/ec_naft.c b/security/nss/lib/freebl/ecl/tests/ec_naft.c deleted file mode 100644 index 61ef15c36e..0000000000 --- a/security/nss/lib/freebl/ecl/tests/ec_naft.c +++ /dev/null 
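Review bot: The two new early `return` statements exit `ec_GFp_pt_add_jm_aff` without going through the `CLEANUP` label that the surrounding `MP_CHECKOK` calls jump to on error; if that label does anything beyond returning `res` (the function's tail is outside this hunk), the P == Q and P == -Q paths skip it. Writing them as `res = ec_GFp_pt_dbl_jm(px, py, pz, paz4, rx, ry, rz, raz4, scratch, group); goto CLEANUP;` and `res = ec_GFp_pt_set_inf_jac(rx, ry, rz); goto CLEANUP;` keeps a single exit path and matches the error-handling style of the rest of the function. The comment `/* Check P == Q */` would also be clearer as `/* A and B now hold Q's coordinates scaled into P's Jacobian representation, so compare them with px/py. */`, since A and B were just multiplied by qx and qy on the lines above.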
@@ -1,121 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "mpi.h" -#include "mplogic.h" -#include "ecl.h" -#include "ecp.h" -#include "ecl-priv.h" - -#include <sys/types.h> -#include <stdio.h> -#include <time.h> -#include <sys/time.h> -#include <sys/resource.h> - -/* Returns 2^e as an integer. This is meant to be used for small powers of - * two. */ -int ec_twoTo(int e); - -/* Number of bits of scalar to test */ -#define BITSIZE 160 - -/* Time k repetitions of operation op. */ -#define M_TimeOperation(op, k) \ - { \ - double dStart, dNow, dUserTime; \ - struct rusage ru; \ - int i; \ - getrusage(RUSAGE_SELF, &ru); \ - dStart = (double)ru.ru_utime.tv_sec + (double)ru.ru_utime.tv_usec * 0.000001; \ - for (i = 0; i < k; i++) { \ - { \ - op; \ - } \ - }; \ - getrusage(RUSAGE_SELF, &ru); \ - dNow = (double)ru.ru_utime.tv_sec + (double)ru.ru_utime.tv_usec * 0.000001; \ - dUserTime = dNow - dStart; \ - if (dUserTime) \ - printf(" %-45s\n k: %6i, t: %6.2f sec\n", #op, k, dUserTime); \ - } - -/* Tests wNAF computation. Non-adjacent-form is discussed in the paper: D. - * Hankerson, J. Hernandez and A. Menezes, "Software implementation of - * elliptic curve cryptography over binary fields", Proc. CHES 2000. 
*/ - -mp_err -main(void) -{ - signed char naf[BITSIZE + 1]; - ECGroup *group = NULL; - mp_int k; - mp_int *scalar; - int i, count; - int res; - int w = 5; - char s[1000]; - - /* Get a 160 bit scalar to compute wNAF from */ - group = ECGroup_fromName(ECCurve_SECG_PRIME_160R1); - scalar = &group->genx; - - /* Compute wNAF representation of scalar */ - ec_compute_wNAF(naf, BITSIZE, scalar, w); - - /* Verify correctness of representation */ - mp_init(&k); /* init k to 0 */ - - for (i = BITSIZE; i >= 0; i--) { - mp_add(&k, &k, &k); - /* digits in mp_???_d are unsigned */ - if (naf[i] >= 0) { - mp_add_d(&k, naf[i], &k); - } else { - mp_sub_d(&k, -naf[i], &k); - } - } - - if (mp_cmp(&k, scalar) != 0) { - printf("Error: incorrect NAF value.\n"); - MP_CHECKOK(mp_toradix(&k, s, 16)); - printf("NAF value %s\n", s); - MP_CHECKOK(mp_toradix(scalar, s, 16)); - printf("original value %s\n", s); - goto CLEANUP; - } - - /* Verify digits of representation are valid */ - for (i = 0; i <= BITSIZE; i++) { - if (naf[i] % 2 == 0 && naf[i] != 0) { - printf("Error: Even non-zero digit found.\n"); - goto CLEANUP; - } - if (naf[i] < -(ec_twoTo(w - 1)) || naf[i] >= ec_twoTo(w - 1)) { - printf("Error: Magnitude of naf digit too large.\n"); - goto CLEANUP; - } - } - - /* Verify sparsity of representation */ - count = w - 1; - for (i = 0; i <= BITSIZE; i++) { - if (naf[i] != 0) { - if (count < w - 1) { - printf("Error: Sparsity failed.\n"); - goto CLEANUP; - } - count = 0; - } else - count++; - } - - /* Check timing */ - M_TimeOperation(ec_compute_wNAF(naf, BITSIZE, scalar, w), 10000); - - printf("Test passed.\n"); -CLEANUP: - ECGroup_free(group); - return MP_OKAY; -} diff --git a/security/nss/lib/freebl/ecl/tests/ecp_test.c b/security/nss/lib/freebl/ecl/tests/ecp_test.c deleted file mode 100644 index dcec4d7475..0000000000 --- a/security/nss/lib/freebl/ecl/tests/ecp_test.c +++ /dev/null 
@@ -1,409 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "mpi.h" -#include "mplogic.h" -#include "mpprime.h" -#include "ecl.h" -#include "ecl-curve.h" -#include "ecp.h" -#include <stdio.h> -#include <strings.h> -#include <assert.h> - -#include <time.h> -#include <sys/time.h> -#include <sys/resource.h> - -/* Time k repetitions of operation op. */ -#define M_TimeOperation(op, k) \ - { \ - double dStart, dNow, dUserTime; \ - struct rusage ru; \ - int i; \ - getrusage(RUSAGE_SELF, &ru); \ - dStart = (double)ru.ru_utime.tv_sec + (double)ru.ru_utime.tv_usec * 0.000001; \ - for (i = 0; i < k; i++) { \ - { \ - op; \ - } \ - }; \ - getrusage(RUSAGE_SELF, &ru); \ - dNow = (double)ru.ru_utime.tv_sec + (double)ru.ru_utime.tv_usec * 0.000001; \ - dUserTime = dNow - dStart; \ - if (dUserTime) \ - printf(" %-45s k: %6i, t: %6.2f sec\n", #op, k, dUserTime); \ - } - -/* Test curve using generic field arithmetic. */ -#define ECTEST_GENERIC_GFP(name_c, name) \ - printf("Testing %s using generic implementation...\n", name_c); \ - params = EC_GetNamedCurveParams(name); \ - if (params == NULL) { \ - printf(" Error: could not construct params.\n"); \ - res = MP_NO; \ - goto CLEANUP; \ - } \ - ECGroup_free(group); \ - group = ECGroup_fromHex(params); \ - if (group == NULL) { \ - printf(" Error: could not construct group.\n"); \ - res = MP_NO; \ - goto CLEANUP; \ - } \ - MP_CHECKOK(ectest_curve_GFp(group, ectestPrint, ectestTime, 1)); \ - printf("... okay.\n"); - -/* Test curve using specific field arithmetic. */ -#define ECTEST_NAMED_GFP(name_c, name) \ - printf("Testing %s using specific implementation...\n", name_c); \ - ECGroup_free(group); \ - group = ECGroup_fromName(name); \ - if (group == NULL) { \ - printf(" Warning: could not construct group.\n"); \ - printf("... 
failed; continuing with remaining tests.\n"); \ - } else { \ - MP_CHECKOK(ectest_curve_GFp(group, ectestPrint, ectestTime, 0)); \ - printf("... okay.\n"); \ - } - -/* Performs basic tests of elliptic curve cryptography over prime fields. - * If tests fail, then it prints an error message, aborts, and returns an - * error code. Otherwise, returns 0. */ -int -ectest_curve_GFp(ECGroup *group, int ectestPrint, int ectestTime, - int generic) -{ - - mp_int one, order_1, gx, gy, rx, ry, n; - int size; - mp_err res; - char s[1000]; - - /* initialize values */ - MP_CHECKOK(mp_init(&one)); - MP_CHECKOK(mp_init(&order_1)); - MP_CHECKOK(mp_init(&gx)); - MP_CHECKOK(mp_init(&gy)); - MP_CHECKOK(mp_init(&rx)); - MP_CHECKOK(mp_init(&ry)); - MP_CHECKOK(mp_init(&n)); - - MP_CHECKOK(mp_set_int(&one, 1)); - MP_CHECKOK(mp_sub(&group->order, &one, &order_1)); - - /* encode base point */ - if (group->meth->field_dec) { - MP_CHECKOK(group->meth->field_dec(&group->genx, &gx, group->meth)); - MP_CHECKOK(group->meth->field_dec(&group->geny, &gy, group->meth)); - } else { - MP_CHECKOK(mp_copy(&group->genx, &gx)); - MP_CHECKOK(mp_copy(&group->geny, &gy)); - } - if (ectestPrint) { - /* output base point */ - printf(" base point P:\n"); - MP_CHECKOK(mp_toradix(&gx, s, 16)); - printf(" %s\n", s); - MP_CHECKOK(mp_toradix(&gy, s, 16)); - printf(" %s\n", s); - if (group->meth->field_enc) { - printf(" base point P (encoded):\n"); - MP_CHECKOK(mp_toradix(&group->genx, s, 16)); - printf(" %s\n", s); - MP_CHECKOK(mp_toradix(&group->geny, s, 16)); - printf(" %s\n", s); - } - } - -#ifdef ECL_ENABLE_GFP_PT_MUL_AFF - /* multiply base point by order - 1 and check for negative of base - * point */ - MP_CHECKOK(ec_GFp_pt_mul_aff(&order_1, &group->genx, &group->geny, &rx, &ry, group)); - if (ectestPrint) { - printf(" (order-1)*P (affine):\n"); - MP_CHECKOK(mp_toradix(&rx, s, 16)); - printf(" %s\n", s); - MP_CHECKOK(mp_toradix(&ry, s, 16)); - printf(" %s\n", s); - } - MP_CHECKOK(group->meth->field_neg(&ry, &ry, 
group->meth)); - if ((mp_cmp(&rx, &group->genx) != 0) || (mp_cmp(&ry, &group->geny) != 0)) { - printf(" Error: invalid result (expected (- base point)).\n"); - res = MP_NO; - goto CLEANUP; - } -#endif - -#ifdef ECL_ENABLE_GFP_PT_MUL_AFF - /* multiply base point by order - 1 and check for negative of base - * point */ - MP_CHECKOK(ec_GFp_pt_mul_jac(&order_1, &group->genx, &group->geny, &rx, &ry, group)); - if (ectestPrint) { - printf(" (order-1)*P (jacobian):\n"); - MP_CHECKOK(mp_toradix(&rx, s, 16)); - printf(" %s\n", s); - MP_CHECKOK(mp_toradix(&ry, s, 16)); - printf(" %s\n", s); - } - MP_CHECKOK(group->meth->field_neg(&ry, &ry, group->meth)); - if ((mp_cmp(&rx, &group->genx) != 0) || (mp_cmp(&ry, &group->geny) != 0)) { - printf(" Error: invalid result (expected (- base point)).\n"); - res = MP_NO; - goto CLEANUP; - } -#endif - - /* multiply base point by order - 1 and check for negative of base - * point */ - MP_CHECKOK(ECPoint_mul(group, &order_1, NULL, NULL, &rx, &ry)); - if (ectestPrint) { - printf(" (order-1)*P (ECPoint_mul):\n"); - MP_CHECKOK(mp_toradix(&rx, s, 16)); - printf(" %s\n", s); - MP_CHECKOK(mp_toradix(&ry, s, 16)); - printf(" %s\n", s); - } - MP_CHECKOK(mp_submod(&group->meth->irr, &ry, &group->meth->irr, &ry)); - if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) { - printf(" Error: invalid result (expected (- base point)).\n"); - res = MP_NO; - goto CLEANUP; - } - - /* multiply base point by order - 1 and check for negative of base - * point */ - MP_CHECKOK(ECPoint_mul(group, &order_1, &gx, &gy, &rx, &ry)); - if (ectestPrint) { - printf(" (order-1)*P (ECPoint_mul):\n"); - MP_CHECKOK(mp_toradix(&rx, s, 16)); - printf(" %s\n", s); - MP_CHECKOK(mp_toradix(&ry, s, 16)); - printf(" %s\n", s); - } - MP_CHECKOK(mp_submod(&group->meth->irr, &ry, &group->meth->irr, &ry)); - if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) { - printf(" Error: invalid result (expected (- base point)).\n"); - res = MP_NO; - goto CLEANUP; - } - -#ifdef 
ECL_ENABLE_GFP_PT_MUL_AFF - /* multiply base point by order and check for point at infinity */ - MP_CHECKOK(ec_GFp_pt_mul_aff(&group->order, &group->genx, &group->geny, &rx, &ry, - group)); - if (ectestPrint) { - printf(" (order)*P (affine):\n"); - MP_CHECKOK(mp_toradix(&rx, s, 16)); - printf(" %s\n", s); - MP_CHECKOK(mp_toradix(&ry, s, 16)); - printf(" %s\n", s); - } - if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) { - printf(" Error: invalid result (expected point at infinity).\n"); - res = MP_NO; - goto CLEANUP; - } -#endif - -#ifdef ECL_ENABLE_GFP_PT_MUL_JAC - /* multiply base point by order and check for point at infinity */ - MP_CHECKOK(ec_GFp_pt_mul_jac(&group->order, &group->genx, &group->geny, &rx, &ry, - group)); - if (ectestPrint) { - printf(" (order)*P (jacobian):\n"); - MP_CHECKOK(mp_toradix(&rx, s, 16)); - printf(" %s\n", s); - MP_CHECKOK(mp_toradix(&ry, s, 16)); - printf(" %s\n", s); - } - if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) { - printf(" Error: invalid result (expected point at infinity).\n"); - res = MP_NO; - goto CLEANUP; - } -#endif - - /* multiply base point by order and check for point at infinity */ - MP_CHECKOK(ECPoint_mul(group, &group->order, NULL, NULL, &rx, &ry)); - if (ectestPrint) { - printf(" (order)*P (ECPoint_mul):\n"); - MP_CHECKOK(mp_toradix(&rx, s, 16)); - printf(" %s\n", s); - MP_CHECKOK(mp_toradix(&ry, s, 16)); - printf(" %s\n", s); - } - if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) { - printf(" Error: invalid result (expected point at infinity).\n"); - res = MP_NO; - goto CLEANUP; - } - - /* multiply base point by order and check for point at infinity */ - MP_CHECKOK(ECPoint_mul(group, &group->order, &gx, &gy, &rx, &ry)); - if (ectestPrint) { - printf(" (order)*P (ECPoint_mul):\n"); - MP_CHECKOK(mp_toradix(&rx, s, 16)); - printf(" %s\n", s); - MP_CHECKOK(mp_toradix(&ry, s, 16)); - printf(" %s\n", s); - } - if (ec_GFp_pt_is_inf_aff(&rx, &ry) != MP_YES) { - printf(" Error: invalid result (expected point at 
infinity).\n"); - res = MP_NO; - goto CLEANUP; - } - - /* check that (order-1)P + (order-1)P + P == (order-1)P */ - MP_CHECKOK(ECPoints_mul(group, &order_1, &order_1, &gx, &gy, &rx, &ry)); - MP_CHECKOK(ECPoints_mul(group, &one, &one, &rx, &ry, &rx, &ry)); - if (ectestPrint) { - printf(" (order-1)*P + (order-1)*P + P == (order-1)*P (ECPoints_mul):\n"); - MP_CHECKOK(mp_toradix(&rx, s, 16)); - printf(" %s\n", s); - MP_CHECKOK(mp_toradix(&ry, s, 16)); - printf(" %s\n", s); - } - MP_CHECKOK(mp_submod(&group->meth->irr, &ry, &group->meth->irr, &ry)); - if ((mp_cmp(&rx, &gx) != 0) || (mp_cmp(&ry, &gy) != 0)) { - printf(" Error: invalid result (expected (- base point)).\n"); - res = MP_NO; - goto CLEANUP; - } - - /* test validate_point function */ - if (ECPoint_validate(group, &gx, &gy) != MP_YES) { - printf(" Error: validate point on base point failed.\n"); - res = MP_NO; - goto CLEANUP; - } - MP_CHECKOK(mp_add_d(&gy, 1, &ry)); - if (ECPoint_validate(group, &gx, &ry) != MP_NO) { - printf(" Error: validate point on invalid point passed.\n"); - res = MP_NO; - goto CLEANUP; - } - - if (ectestTime) { - /* compute random scalar */ - size = mpl_significant_bits(&group->meth->irr); - if (size < MP_OKAY) { - goto CLEANUP; - } - MP_CHECKOK(mpp_random_size(&n, (size + ECL_BITS - 1) / ECL_BITS)); - MP_CHECKOK(group->meth->field_mod(&n, &n, group->meth)); - /* timed test */ - if (generic) { -#ifdef ECL_ENABLE_GFP_PT_MUL_AFF - M_TimeOperation(MP_CHECKOK(ec_GFp_pt_mul_aff(&n, &group->genx, &group->geny, &rx, &ry, - group)), - 100); -#endif - M_TimeOperation(MP_CHECKOK(ECPoint_mul(group, &n, NULL, NULL, &rx, &ry)), - 100); - M_TimeOperation(MP_CHECKOK(ECPoints_mul(group, &n, &n, &gx, &gy, &rx, &ry)), 100); - } else { - M_TimeOperation(MP_CHECKOK(ECPoint_mul(group, &n, NULL, NULL, &rx, &ry)), - 100); - M_TimeOperation(MP_CHECKOK(ECPoint_mul(group, &n, &gx, &gy, &rx, &ry)), - 100); - M_TimeOperation(MP_CHECKOK(ECPoints_mul(group, &n, &n, &gx, &gy, &rx, &ry)), 100); - } - } - -CLEANUP: - 
mp_clear(&one); - mp_clear(&order_1); - mp_clear(&gx); - mp_clear(&gy); - mp_clear(&rx); - mp_clear(&ry); - mp_clear(&n); - if (res != MP_OKAY) { - printf(" Error: exiting with error value %i\n", res); - } - return res; -} - -/* Prints help information. */ -void -printUsage() -{ - printf("Usage: ecp_test [--print] [--time]\n"); - printf(" --print Print out results of each point arithmetic test.\n"); - printf(" --time Benchmark point operations and print results.\n"); -} - -/* Performs tests of elliptic curve cryptography over prime fields If - * tests fail, then it prints an error message, aborts, and returns an - * error code. Otherwise, returns 0. */ -int -main(int argv, char **argc) -{ - - int ectestTime = 0; - int ectestPrint = 0; - int i; - ECGroup *group = NULL; - ECCurveParams *params = NULL; - mp_err res; - - /* read command-line arguments */ - for (i = 1; i < argv; i++) { - if ((strcasecmp(argc[i], "time") == 0) || (strcasecmp(argc[i], "-time") == 0) || (strcasecmp(argc[i], "--time") == 0)) { - ectestTime = 1; - } else if ((strcasecmp(argc[i], "print") == 0) || (strcasecmp(argc[i], "-print") == 0) || (strcasecmp(argc[i], "--print") == 0)) { - ectestPrint = 1; - } else { - printUsage(); - return 0; - } - } - - /* generic arithmetic tests */ - ECTEST_GENERIC_GFP("SECP-160R1", ECCurve_SECG_PRIME_160R1); - - /* specific arithmetic tests */ - ECTEST_NAMED_GFP("NIST-P192", ECCurve_NIST_P192); - ECTEST_NAMED_GFP("NIST-P224", ECCurve_NIST_P224); - ECTEST_NAMED_GFP("NIST-P256", ECCurve_NIST_P256); - ECTEST_NAMED_GFP("NIST-P384", ECCurve_NIST_P384); - ECTEST_NAMED_GFP("NIST-P521", ECCurve_NIST_P521); - ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v1", ECCurve_X9_62_PRIME_192V1); - ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v2", ECCurve_X9_62_PRIME_192V2); - ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v3", ECCurve_X9_62_PRIME_192V3); - ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v1", ECCurve_X9_62_PRIME_239V1); - ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v2", ECCurve_X9_62_PRIME_239V2); - 
ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v3", ECCurve_X9_62_PRIME_239V3); - ECTEST_NAMED_GFP("ANSI X9.62 PRIME256v1", ECCurve_X9_62_PRIME_256V1); - ECTEST_NAMED_GFP("SECP-112R1", ECCurve_SECG_PRIME_112R1); - ECTEST_NAMED_GFP("SECP-112R2", ECCurve_SECG_PRIME_112R2); - ECTEST_NAMED_GFP("SECP-128R1", ECCurve_SECG_PRIME_128R1); - ECTEST_NAMED_GFP("SECP-128R2", ECCurve_SECG_PRIME_128R2); - ECTEST_NAMED_GFP("SECP-160K1", ECCurve_SECG_PRIME_160K1); - ECTEST_NAMED_GFP("SECP-160R1", ECCurve_SECG_PRIME_160R1); - ECTEST_NAMED_GFP("SECP-160R2", ECCurve_SECG_PRIME_160R2); - ECTEST_NAMED_GFP("SECP-192K1", ECCurve_SECG_PRIME_192K1); - ECTEST_NAMED_GFP("SECP-192R1", ECCurve_SECG_PRIME_192R1); - ECTEST_NAMED_GFP("SECP-224K1", ECCurve_SECG_PRIME_224K1); - ECTEST_NAMED_GFP("SECP-224R1", ECCurve_SECG_PRIME_224R1); - ECTEST_NAMED_GFP("SECP-256K1", ECCurve_SECG_PRIME_256K1); - ECTEST_NAMED_GFP("SECP-256R1", ECCurve_SECG_PRIME_256R1); - ECTEST_NAMED_GFP("SECP-384R1", ECCurve_SECG_PRIME_384R1); - ECTEST_NAMED_GFP("SECP-521R1", ECCurve_SECG_PRIME_521R1); - ECTEST_NAMED_GFP("WTLS-6 (112)", ECCurve_WTLS_6); - ECTEST_NAMED_GFP("WTLS-7 (160)", ECCurve_WTLS_7); - ECTEST_NAMED_GFP("WTLS-8 (112)", ECCurve_WTLS_8); - ECTEST_NAMED_GFP("WTLS-9 (160)", ECCurve_WTLS_9); - ECTEST_NAMED_GFP("WTLS-12 (224)", ECCurve_WTLS_12); - ECTEST_NAMED_GFP("Curve25519", ECCurve25519); - -CLEANUP: - EC_FreeCurveParams(params); - ECGroup_free(group); - if (res != MP_OKAY) { - printf("Error: exiting with error value %i\n", res); - } - return res; -} diff --git a/security/nss/lib/freebl/ecl/uint128.c b/security/nss/lib/freebl/ecl/uint128.c index 22cbd023c1..5465875ade 100644 --- a/security/nss/lib/freebl/ecl/uint128.c +++ b/security/nss/lib/freebl/ecl/uint128.c @@ -31,6 +31,9 @@ init128x(uint64_t x) return ret; } +#define CONSTANT_TIME_CARRY(a, b) \ + ((a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(a) * 8 - 1)) + /* arithmetic */ uint128_t 
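Review bot: `CONSTANT_TIME_CARRY` expands its arguments `a` and `b` unparenthesized and evaluates each of them three times, so an argument with an operator of lower precedence than `^`/`-`, or one with a side effect, would expand wrongly; the one call site in this diff passes plain struct members, but the macro is file-scope. Suggest `#define CONSTANT_TIME_CARRY(a, b) (((a) ^ (((a) ^ (b)) | (((a) - (b)) ^ (b)))) >> (sizeof(a) * 8 - 1))`, or a `static inline` helper on `uint64_t`. A contract comment would also help the next reader, e.g. `/* 1 if a < b as unsigned (the carry of the wrapped sum a = x + b), computed without a data-dependent branch; assumes CHAR_BIT == 8 */`. A compiler may still recognise the idiom and re-emit a compare/setcc, so the constant-time property is worth confirming on the generated code for the supported toolchains.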
@@ -38,7 +41,7 @@ add128(uint128_t a, uint128_t b) { uint128_t ret; ret.lo = a.lo + b.lo; - ret.hi = a.hi + b.hi + (ret.lo < b.lo); + ret.hi = a.hi + b.hi + CONSTANT_TIME_CARRY(ret.lo, b.lo); return ret; } diff --git a/security/nss/lib/freebl/exports.gyp b/security/nss/lib/freebl/exports.gyp index ef81685b04..aded6bfb6a 100644 --- a/security/nss/lib/freebl/exports.gyp +++ b/security/nss/lib/freebl/exports.gyp @@ -33,6 +33,7 @@ 'ec.h', 'ecl/ecl-curve.h', 'ecl/ecl.h', + 'ecl/eclt.h', 'hmacct.h', 'secmpi.h', 'secrng.h' diff --git a/security/nss/lib/freebl/fipsfreebl.c b/security/nss/lib/freebl/fipsfreebl.c index b3ae6865b4..0945135605 100644 --- a/security/nss/lib/freebl/fipsfreebl.c +++ b/security/nss/lib/freebl/fipsfreebl.c @@ -1707,7 +1707,7 @@ BL_FIPSEntryOK(PRBool freebl_only) return SECSuccess; } /* standalone freebl can initialize */ - if (freebl_only & self_tests_freebl_success) { + if (freebl_only && self_tests_freebl_success) { return SECSuccess; } PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); diff --git a/security/nss/lib/freebl/freebl.gyp b/security/nss/lib/freebl/freebl.gyp index f5ae232ecd..8c0d0dcd5d 100644 --- a/security/nss/lib/freebl/freebl.gyp +++ b/security/nss/lib/freebl/freebl.gyp 
@@ -32,121 +32,55 @@ '<(DEPTH)/exports.gyp:nss_exports' ] }, + # For test builds, build a static freebl library so we can statically + # link it into the test build binary. This way we don't have to + # dlopen() the shared lib but can directly call freebl functions. { - 'target_name': '<(freebl_name)', - 'type': 'shared_library', - 'sources': [ - 'aeskeywrap.c', - 'alg2268.c', - 'alghmac.c', - 'arcfive.c', - 'arcfour.c', - 'camellia.c', - 'chacha20poly1305.c', - 'ctr.c', - 'cts.c', - 'des.c', - 'desblapi.c', - 'dh.c', - 'drbg.c', - 'dsa.c', - 'ec.c', - 'ecdecode.c', - 'ecl/ec_naf.c', - 'ecl/ecl.c', - 'ecl/ecl_curve.c', - 'ecl/ecl_gf.c', - 'ecl/ecl_mult.c', - 'ecl/ecp_25519.c', - 'ecl/ecp_256.c', - 'ecl/ecp_256_32.c', - 'ecl/ecp_384.c', - 'ecl/ecp_521.c', - 'ecl/ecp_aff.c', - 'ecl/ecp_jac.c', - 'ecl/ecp_jm.c', - 'ecl/ecp_mont.c', - 'fipsfreebl.c', - 'freeblver.c', - 'gcm.c', - 'hmacct.c', - 'jpake.c', - 'ldvector.c', - 'md2.c', - 'md5.c', - 'mpi/mp_gf2m.c', - 'mpi/mpcpucache.c', - 'mpi/mpi.c', - 'mpi/mplogic.c', - 'mpi/mpmontg.c', - 'mpi/mpprime.c', - 'pqg.c', - 'rawhash.c', - 'rijndael.c', - 'rsa.c', - 'rsapkcs.c', - 'seed.c', - 'sha512.c', - 'sha_fast.c', - 'shvfy.c', - 'sysrand.c', - 'tlsprfalg.c' + 'target_name': 'freebl_static', + 'type': 'static_library', + 'includes': [ + 'freebl_base.gypi', + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:nss_exports', ], 'conditions': [ [ 'OS=="linux"', { - 'sources': [ - 'nsslowhash.c', - 'stubs.c', + 'defines!': [ + 'FREEBL_NO_DEPEND', + 'FREEBL_LOWHASH', + 'USE_HW_AES', + 'INTEL_GCM', ], 'conditions': [ - [ 'test_build==1', { - 'dependencies': [ - '<(DEPTH)/lib/util/util.gyp:nssutil3', - ], - }], [ 'target_arch=="x64"', { - 'sources': [ - 'arcfour-amd64-gas.s', + # The AES assembler code doesn't work in static test builds. + # The linker complains about non-relocatable code, and I + # currently don't know how to fix this properly. 
+ 'sources!': [ 'intel-aes.s', 'intel-gcm.s', - 'mpi/mpi_amd64.c', - 'mpi/mpi_amd64_gas.s', - 'mpi/mp_comba.c', - ], - 'dependencies': [ - 'intel-gcm-wrap_c_lib', - ], - 'conditions': [ - [ 'cc_is_clang==1', { - 'cflags': [ - '-no-integrated-as', - ], - 'cflags_mozilla': [ - '-no-integrated-as', - ], - 'asflags_mozilla': [ - '-no-integrated-as', - ], - }], - ], - }], - [ 'target_arch=="ia32"', { - 'sources': [ - 'mpi/mpi_x86.s', - ], - }], - [ 'target_arch=="arm"', { - 'sources': [ - 'mpi/mpi_arm.c', ], }], ], - }, { - # not Linux + }], + ], + }, + { + 'target_name': '<(freebl_name)', + 'type': 'shared_library', + 'includes': [ + 'freebl_base.gypi', + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:nss_exports', + ], + 'conditions': [ + [ 'OS!="linux" and OS!="android"', { 'conditions': [ [ 'moz_fold_libs==0', { 'dependencies': [ - '../util/util.gyp:nssutil3', + '<(DEPTH)/lib/util/util.gyp:nssutil3', ], }, { 'libraries': [ 
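Review bot: The `freebl_static` target removes `USE_HW_AES` and `INTEL_GCM` (and on x64 drops `intel-aes.s`/`intel-gcm.s`), so the statically linked test binary the comment describes exercises only the C AES and GCM code while the shared library ships the assembler paths; the comment explains the linker problem but not this coverage gap. Suggest adding `# NOTE: this also means test builds never run the AES-NI / PCLMUL code; those paths are only covered when testing against the shared library.` next to the existing comment. The same target also drops `FREEBL_NO_DEPEND` and `FREEBL_LOWHASH`, which the comment does not mention. The `'<(freebl_name)'` target's condition list continues past this hunk.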
@@ -154,97 +88,23 @@ ], }], ], - }], - [ 'OS=="win"', { - 'sources': [ - #TODO: building with mingw should not need this. - 'ecl/uint128.c', - #TODO: clang-cl needs -msse3 here - 'intel-gcm-wrap.c', - ], - 'libraries': [ - 'advapi32.lib', - ], - 'conditions': [ - [ 'target_arch=="x64"', { - 'sources': [ - 'arcfour-amd64-masm.asm', - 'mpi/mpi_amd64.c', - 'mpi/mpi_amd64_masm.asm', - 'mpi/mp_comba_amd64_masm.asm', - 'intel-aes-x64-masm.asm', - 'intel-gcm-x64-masm.asm', - ], - }, { - # not x64 - 'sources': [ - 'mpi/mpi_x86_asm.c', - 'intel-aes-x86-masm.asm', - 'intel-gcm-x86-masm.asm', - ], - }], - ], - }], - ['target_arch=="ia32" or target_arch=="x64"', { - 'sources': [ - # All intel architectures get the 64 bit version - 'ecl/curve25519_64.c', - ], - }, { - 'sources': [ - # All non intel architectures get the generic 32 bit implementation (slow!) - 'ecl/curve25519_32.c', + }, 'target_arch=="x64"', { + 'dependencies': [ + 'intel-gcm-wrap_c_lib', ], }], - #TODO uint128.c - [ 'disable_chachapoly==0', { - 'conditions': [ - [ 'OS!="win" and target_arch=="x64"', { - 'sources': [ - 'chacha20_vec.c', - 'poly1305-donna-x64-sse2-incremental-source.c', - ], - }, { - # not x64 - 'sources': [ - 'chacha20.c', - 'poly1305.c', - ], - }], + [ 'OS=="win" and cc_is_clang==1', { + 'dependencies': [ + 'intel-gcm-wrap_c_lib', ], }], - [ 'fuzz==1', { + [ 'OS=="linux"', { 'sources': [ - 'det_rng.c', - ], - 'defines': [ - 'UNSAFE_FUZZER_MODE', - ], - }], - [ 'test_build==1', { - 'defines': [ - 'CT_VERIF', - ], - }], - [ 'OS=="mac"', { - 'conditions': [ - [ 'target_arch=="ia32"', { - 'sources': [ - 'mpi/mpi_sse2.s', - ], - 'defines': [ - 'MP_USE_UINT_DIGIT', - 'MP_ASSEMBLY_MULTIPLY', - 'MP_ASSEMBLY_SQUARE', - 'MP_ASSEMBLY_DIV_2DX1D', - ], - }], + 'nsslowhash.c', + 'stubs.c', ], }], ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - ], 'variables': { 'conditions': [ [ 'OS=="linux"', { @@ -254,9 +114,6 @@ }], ] }, - 'ldflags': [ - '-Wl,-Bsymbolic' - ] }, ], 'conditions': [ 
@@ -296,13 +153,27 @@ 'MP_API_COMPATIBLE' ], 'conditions': [ + [ 'target_arch=="ia32" or target_arch=="x64"', { + 'cflags_mozilla': [ + '-mpclmul', + '-maes', + ], + }], + [ 'OS=="mac"', { + 'xcode_settings': { + # I'm not sure since when this is supported. + # But I hope that doesn't matter. We also assume this is x86/x64. + 'OTHER_CFLAGS': [ + '-mpclmul', + '-maes', + ], + }, + }], [ 'OS=="win" and target_arch=="ia32"', { 'msvs_settings': { 'VCCLCompilerTool': { #TODO: -Ox optimize flags 'PreprocessorDefinitions': [ - 'NSS_X86_OR_X64', - 'NSS_X86', 'MP_ASSEMBLY_MULTIPLY', 'MP_ASSEMBLY_SQUARE', 'MP_ASSEMBLY_DIV_2DX1D', @@ -319,9 +190,7 @@ 'VCCLCompilerTool': { #TODO: -Ox optimize flags 'PreprocessorDefinitions': [ - 'NSS_USE_64', - 'NSS_X86_OR_X64', - 'NSS_X64', + # Should be copied to mingw defines below 'MP_IS_LITTLE_ENDIAN', 'NSS_BEVAND_ARCFOUR', 'MPI_AMD64', @@ -333,13 +202,21 @@ }, }, }], + [ 'cc_use_gnu_ld==1 and OS=="win" and target_arch=="x64"', { + 'defines': [ + 'MP_IS_LITTLE_ENDIAN', + 'NSS_BEVAND_ARCFOUR', + 'MPI_AMD64', + 'MP_ASSEMBLY_MULTIPLY', + 'NSS_USE_COMBA', + 'USE_HW_AES', + 'INTEL_GCM', + ], + }], [ 'OS!="win"', { 'conditions': [ - [ 'target_arch=="x64"', { + [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', { 'defines': [ - 'NSS_USE_64', - 'NSS_X86_OR_X64', - 'NSS_X64', # The Makefile does version-tests on GCC, but we're not doing that here. 'HAVE_INT128_SUPPORT', ], @@ -348,24 +225,16 @@ 'ecl/uint128.c', ], }], - [ 'target_arch=="ia32"', { - 'defines': [ - 'NSS_X86_OR_X64', - 'NSS_X86', - ], - }], ], }], [ 'OS=="linux"', { 'defines': [ 'FREEBL_LOWHASH', + 'FREEBL_NO_DEPEND', ], + }], + [ 'OS=="linux" or OS=="android"', { 'conditions': [ - [ 'test_build==0', { - 'defines': [ - 'FREEBL_NO_DEPEND', - ], - }], [ 'target_arch=="x64"', { 'defines': [ 'MP_IS_LITTLE_ENDIAN', 
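Review bot: The new `OS=="mac"` block passes `-mpclmul -maes` for every target_arch, and its comment admits it merely assumes x86/x64; on a non-x86 Apple target those flags are rejected by the compiler. Tightening the condition removes the assumption: `[ 'OS=="mac" and (target_arch=="ia32" or target_arch=="x64")', {`, and the two comment lines can then become `# PCLMUL/AES-NI intrinsics (needed by the gcm.c hardware path); x86/x64 only.`.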
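Review bot: This hunk and the `-319`, `-333` and `-348` hunks on the same line remove `NSS_X86_OR_X64`, `NSS_X86`, `NSS_X64` and `NSS_USE_64` from freebl.gyp, yet the gcm.c changes in this same commit include `<wmmintrin.h>` and select the PCLMUL path under `#ifdef NSS_X86_OR_X64`, and `gcmHash_InitContext` returns `SEC_ERROR_LIBRARY_FAILURE` rather than falling back to software when `clmul_support()` is true but that macro is not defined. Presumably the defines now come from a shared gypi outside this chunk; worth confirming for every x86/x64 configuration, since a missing define would turn into a runtime GCM init failure instead of a build error. A one-line comment at the removal site naming where these defines moved would save the next reader the search.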
@@ -375,7 +244,7 @@ 'NSS_USE_COMBA', ], }], - [ 'target_arch=="x64" and use_msan==0', { + [ 'target_arch=="x64"', { 'defines': [ 'USE_HW_AES', 'INTEL_GCM', @@ -390,12 +259,21 @@ 'MP_USE_UINT_DIGIT', ], }], + [ 'target_arch=="ia32" or target_arch=="x64"', { + 'cflags': [ + # enable isa option for pclmul am aes-ni; supported since gcc 4.4 + # This is only support by x84/x64. It's not needed for Windows. + '-mpclmul', + '-maes', + ], + }], [ 'target_arch=="arm"', { 'defines': [ 'MP_ASSEMBLY_MULTIPLY', 'MP_ASSEMBLY_SQUARE', 'MP_USE_UINT_DIGIT', 'SHA_NO_LONG_LONG', + 'ARMHF', ], }], ], diff --git a/security/nss/lib/freebl/freebl_base.gypi b/security/nss/lib/freebl/freebl_base.gypi new file mode 100644 index 0000000000..027aa2702c --- /dev/null +++ b/security/nss/lib/freebl/freebl_base.gypi 
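Review bot: Dropping `use_msan==0` means MSan builds now define `USE_HW_AES` and `INTEL_GCM` and link the assembler AES/GCM implementations, which MSan cannot instrument; unless the callers unpoison the output buffers (not visible here), MSan will report those results as uninitialised. If the intent is that MSan keeps running the C paths, keep the guard: `[ 'target_arch=="x64" and use_msan==0', {`. If the removal is deliberate, a comment on the condition saying how the assembler output is handled under MSan would answer the question.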
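Review bot: The comment added above the `-mpclmul`/`-maes` cflags in the `-390` hunk has several typos (`am` for `and`, `x84`, `support` for `supported`); suggest `# enable ISA options for PCLMUL and AES-NI; supported since gcc 4.4` and `# Only supported on x86/x64; not needed for Windows.`. `ARMHF` is added to the arm defines without any comment; a short line naming the code that tests it would help a reader who does not know which source checks that macro.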
@@ -0,0 +1,201 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'sources': [ + 'aeskeywrap.c', + 'alg2268.c', + 'alghmac.c', + 'arcfive.c', + 'arcfour.c', + 'camellia.c', + 'chacha20poly1305.c', + 'ctr.c', + 'cts.c', + 'des.c', + 'desblapi.c', + 'dh.c', + 'drbg.c', + 'dsa.c', + 'ec.c', + 'ecdecode.c', + 'ecl/ec_naf.c', + 'ecl/ecl.c', + 'ecl/ecl_gf.c', + 'ecl/ecl_mult.c', + 'ecl/ecp_25519.c', + 'ecl/ecp_256.c', + 'ecl/ecp_256_32.c', + 'ecl/ecp_384.c', + 'ecl/ecp_521.c', + 'ecl/ecp_aff.c', + 'ecl/ecp_jac.c', + 'ecl/ecp_jm.c', + 'ecl/ecp_mont.c', + 'fipsfreebl.c', + 'blinit.c', + 'freeblver.c', + 'gcm.c', + 'hmacct.c', + 'jpake.c', + 'ldvector.c', + 'md2.c', + 'md5.c', + 'mpi/mp_gf2m.c', + 'mpi/mpcpucache.c', + 'mpi/mpi.c', + 'mpi/mplogic.c', + 'mpi/mpmontg.c', + 'mpi/mpprime.c', + 'pqg.c', + 'rawhash.c', + 'rijndael.c', + 'rsa.c', + 'rsapkcs.c', + 'seed.c', + 'sha512.c', + 'sha_fast.c', + 'shvfy.c', + 'sysrand.c', + 'tlsprfalg.c' + ], + 'conditions': [ + [ 'OS=="linux" or OS=="android"', { + 'conditions': [ + [ 'target_arch=="x64"', { + 'sources': [ + 'arcfour-amd64-gas.s', + 'intel-aes.s', + 'intel-gcm.s', + 'mpi/mpi_amd64.c', + 'mpi/mpi_amd64_gas.s', + 'mpi/mp_comba.c', + ], + 'conditions': [ + [ 'cc_is_clang==1', { + 'cflags': [ + '-no-integrated-as', + ], + 'cflags_mozilla': [ + '-no-integrated-as', + ], + 'asflags_mozilla': [ + '-no-integrated-as', + ], + }], + ], + }], + [ 'target_arch=="ia32"', { + 'sources': [ + 'mpi/mpi_x86.s', + ], + }], + [ 'target_arch=="arm"', { + 'sources': [ + 'mpi/mpi_arm.c', + ], + }], + ], + }], + [ 'OS=="win"', { + 'sources': [ + #TODO: building with mingw should not need this. 
+ 'ecl/uint128.c', + ], + 'libraries': [ + 'advapi32.lib', + ], + 'conditions': [ + [ 'cc_use_gnu_ld!=1 and target_arch=="x64"', { + 'sources': [ + 'arcfour-amd64-masm.asm', + 'mpi/mpi_amd64.c', + 'mpi/mpi_amd64_masm.asm', + 'mpi/mp_comba_amd64_masm.asm', + 'intel-aes-x64-masm.asm', + 'intel-gcm-x64-masm.asm', + ], + }], + [ 'cc_use_gnu_ld!=1 and target_arch!="x64"', { + # not x64 + 'sources': [ + 'mpi/mpi_x86_asm.c', + 'intel-aes-x86-masm.asm', + 'intel-gcm-x86-masm.asm', + ], + }], + [ 'cc_is_clang!=1', { + # MSVC + 'sources': [ + 'intel-gcm-wrap.c', + ], + }], + ], + }], + ['target_arch=="ia32" or target_arch=="x64"', { + 'sources': [ + # All intel architectures get the 64 bit version + 'ecl/curve25519_64.c', + ], + }, { + 'sources': [ + # All non intel architectures get the generic 32 bit implementation (slow!) + 'ecl/curve25519_32.c', + ], + }], + #TODO uint128.c + [ 'disable_chachapoly==0', { + 'conditions': [ + [ 'OS!="win" and target_arch=="x64"', { + 'sources': [ + 'chacha20_vec.c', + 'poly1305-donna-x64-sse2-incremental-source.c', + ], + }, { + # not x64 + 'sources': [ + 'chacha20.c', + 'poly1305.c', + ], + }], + ], + }], + [ 'fuzz==1', { + 'sources!': [ 'drbg.c' ], + 'sources': [ 'det_rng.c' ], + }], + [ 'fuzz_tls==1', { + 'defines': [ + 'UNSAFE_FUZZER_MODE', + ], + }], + [ 'ct_verif==1', { + 'defines': [ + 'CT_VERIF', + ], + }], + [ 'only_dev_random==1', { + 'defines': [ + 'SEED_ONLY_DEV_URANDOM', + ] + }], + [ 'OS=="mac"', { + 'conditions': [ + [ 'target_arch=="ia32"', { + 'sources': [ + 'mpi/mpi_sse2.s', + ], + 'defines': [ + 'MP_USE_UINT_DIGIT', + 'MP_ASSEMBLY_MULTIPLY', + 'MP_ASSEMBLY_SQUARE', + 'MP_ASSEMBLY_DIV_2DX1D', + ], + }], + ], + }], + ], + 'ldflags': [ + '-Wl,-Bsymbolic' + ], +} diff --git a/security/nss/lib/freebl/gcm.c b/security/nss/lib/freebl/gcm.c index 22121001b6..0fdb0fd487 100644 --- a/security/nss/lib/freebl/gcm.c +++ b/security/nss/lib/freebl/gcm.c 
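Review bot: The `fuzz==1` branch swaps `drbg.c` for `det_rng.c` without a comment, and it is gated separately from `UNSAFE_FUZZER_MODE` (`fuzz_tls==1`), so a reader of this file cannot tell that a plain `fuzz` build has a deterministic RNG in place of the DRBG. Suggest `# fuzz builds replace the DRBG with a deterministic RNG; such a build must never be shipped.` above the `'sources!'` line. The `only_dev_random==1` option defines `SEED_ONLY_DEV_URANDOM`; if the macro name is the intended one, the option name is misleading and the mismatch deserves a one-line comment. The `'ldflags': ['-Wl,-Bsymbolic']` moved here now applies to every including target, including `freebl_static`, where a linker flag is ignored; harmless, but a comment saying it is meant for the shared library would avoid confusion.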
@@ -1,6 +1,8 @@ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* Thanks to Thomas Pornin for the ideas how to implement the constat time + * binary multiplication. */ #ifdef FREEBL_NO_DEPEND #include "stubs.h" 
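Review bot: The added credit comment misspells `constant` (`constat`) and reads awkwardly; suggest `/* Thanks to Thomas Pornin for the ideas on how to implement the constant-time` followed by ` * binary multiplication. */`.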
@@ -15,440 +17,378 @@ #include <limits.h> -/************************************************************************** - * First implement the Galois hash function of GCM (gcmHash) * - **************************************************************************/ -#define GCM_HASH_LEN_LEN 8 /* gcm hash defines lengths to be 64 bits */ - -typedef struct gcmHashContextStr gcmHashContext; - -static SECStatus gcmHash_InitContext(gcmHashContext *hash, - const unsigned char *H, - unsigned int blocksize); -static void gcmHash_DestroyContext(gcmHashContext *ghash, PRBool freeit); -static SECStatus gcmHash_Update(gcmHashContext *ghash, - const unsigned char *buf, unsigned int len, - unsigned int blocksize); -static SECStatus gcmHash_Sync(gcmHashContext *ghash, unsigned int blocksize); -static SECStatus gcmHash_Final(gcmHashContext *gcm, unsigned char *outbuf, - unsigned int *outlen, unsigned int maxout, - unsigned int blocksize); -static SECStatus gcmHash_Reset(gcmHashContext *ghash, - const unsigned char *inbuf, - unsigned int inbufLen, unsigned int blocksize); - -/* compile time defines to select how the GF2 multiply is calculated. - * There are currently 2 algorithms implemented here: MPI and ALGORITHM_1. - * - * MPI uses the GF2m implemented in mpi to support GF2 ECC. - * ALGORITHM_1 is the Algorithm 1 in both NIST SP 800-38D and - * "The Galois/Counter Mode of Operation (GCM)", McGrew & Viega. - */ -#if !defined(GCM_USE_ALGORITHM_1) && !defined(GCM_USE_MPI) -#define GCM_USE_MPI 1 /* MPI is about 5x faster with the \ - * same or less complexity. It's possible to use \ - * tables to speed things up even more */ -#endif - -/* GCM defines the bit string to be LSB first, which is exactly - * opposite everyone else, including hardware. build array - * to reverse everything. 
*/ -static const unsigned char gcm_byte_rev[256] = { - 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, - 0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0, - 0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8, - 0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8, - 0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4, - 0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4, - 0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec, - 0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc, - 0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2, - 0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2, - 0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea, - 0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa, - 0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6, - 0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6, - 0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee, - 0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe, - 0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1, - 0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1, - 0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9, - 0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9, - 0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5, - 0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5, - 0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed, - 0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd, - 0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3, - 0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3, - 0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb, - 0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb, - 0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7, - 0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7, - 0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef, - 0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff -}; - -#ifdef GCM_TRACE -#include <stdio.h> - -#define GCM_TRACE_X(ghash, label) \ - { \ - unsigned char _X[MAX_BLOCK_SIZE]; \ - int i; \ - gcm_getX(ghash, _X, blocksize); \ - printf(label, (ghash)->m); \ - for (i = 0; i < blocksize; i++) \ - printf("%02x", _X[i]); \ - printf("\n"); \ - } -#define GCM_TRACE_BLOCK(label, buf, blocksize) \ - { \ - 
printf(label); \ - for (i = 0; i < blocksize; i++) \ - printf("%02x", buf[i]); \ - printf("\n"); \ - } -#else -#define GCM_TRACE_X(ghash, label) -#define GCM_TRACE_BLOCK(label, buf, blocksize) +#ifdef NSS_X86_OR_X64 +#include <wmmintrin.h> /* clmul */ #endif -#ifdef GCM_USE_MPI +/* Forward declarations */ +SECStatus gcm_HashMult_hw(gcmHashContext *ghash, const unsigned char *buf, + unsigned int count); +SECStatus gcm_HashMult_sftw(gcmHashContext *ghash, const unsigned char *buf, + unsigned int count); +SECStatus gcm_HashMult_sftw32(gcmHashContext *ghash, const unsigned char *buf, + unsigned int count); -#ifdef GCM_USE_ALGORITHM_1 -#error "Only define one of GCM_USE_MPI, GCM_USE_ALGORITHM_1" -#endif -/* use the MPI functions to calculate Xn = (Xn-1^C_i)*H mod poly */ -#include "mpi.h" -#include "secmpi.h" -#include "mplogic.h" -#include "mp_gf2m.h" - -/* state needed to handle GCM Hash function */ -struct gcmHashContextStr { - mp_int H; - mp_int X; - mp_int C_i; - const unsigned int *poly; - unsigned char buffer[MAX_BLOCK_SIZE]; - unsigned int bufLen; - int m; /* XXX what is m? 
*/ - unsigned char counterBuf[2 * GCM_HASH_LEN_LEN]; - PRUint64 cLen; -}; - -/* f = x^128 + x^7 + x^2 + x + 1 */ -static const unsigned int poly_128[] = { 128, 7, 2, 1, 0 }; - -/* sigh, GCM defines the bit strings exactly backwards from everything else */ -static void -gcm_reverse(unsigned char *target, const unsigned char *src, - unsigned int blocksize) +uint64_t +get64(const unsigned char *bytes) { - unsigned int i; - for (i = 0; i < blocksize; i++) { - target[blocksize - i - 1] = gcm_byte_rev[src[i]]; - } + return ((uint64_t)bytes[0]) << 56 | + ((uint64_t)bytes[1]) << 48 | + ((uint64_t)bytes[2]) << 40 | + ((uint64_t)bytes[3]) << 32 | + ((uint64_t)bytes[4]) << 24 | + ((uint64_t)bytes[5]) << 16 | + ((uint64_t)bytes[6]) << 8 | + ((uint64_t)bytes[7]); } /* Initialize a gcmHashContext */ -static SECStatus -gcmHash_InitContext(gcmHashContext *ghash, const unsigned char *H, - unsigned int blocksize) +SECStatus +gcmHash_InitContext(gcmHashContext *ghash, const unsigned char *H, PRBool sw) { - mp_err err = MP_OKAY; - unsigned char H_rev[MAX_BLOCK_SIZE]; - - MP_DIGITS(&ghash->H) = 0; - MP_DIGITS(&ghash->X) = 0; - MP_DIGITS(&ghash->C_i) = 0; - CHECK_MPI_OK(mp_init(&ghash->H)); - CHECK_MPI_OK(mp_init(&ghash->X)); - CHECK_MPI_OK(mp_init(&ghash->C_i)); - - mp_zero(&ghash->X); - gcm_reverse(H_rev, H, blocksize); - CHECK_MPI_OK(mp_read_unsigned_octets(&ghash->H, H_rev, blocksize)); - - /* set the irreducible polynomial. Each blocksize has its own polynomial. 
- * for now only blocksize 16 (=128 bits) is defined */ - switch (blocksize) { - case 16: /* 128 bits */ - ghash->poly = poly_128; - break; - default: - PORT_SetError(SEC_ERROR_INVALID_ARGS); - goto cleanup; - } ghash->cLen = 0; ghash->bufLen = 0; - ghash->m = 0; PORT_Memset(ghash->counterBuf, 0, sizeof(ghash->counterBuf)); - return SECSuccess; -cleanup: - gcmHash_DestroyContext(ghash, PR_FALSE); - return SECFailure; -} -/* Destroy a HashContext (Note we zero the digits so this function - * is idempotent if called with freeit == PR_FALSE */ -static void -gcmHash_DestroyContext(gcmHashContext *ghash, PRBool freeit) -{ - mp_clear(&ghash->H); - mp_clear(&ghash->X); - mp_clear(&ghash->C_i); - PORT_Memset(ghash, 0, sizeof(gcmHashContext)); - if (freeit) { - PORT_Free(ghash); - } -} - -static SECStatus -gcm_getX(gcmHashContext *ghash, unsigned char *T, unsigned int blocksize) -{ - int len; - mp_err err; - unsigned char tmp_buf[MAX_BLOCK_SIZE]; - unsigned char *X; - - len = mp_unsigned_octet_size(&ghash->X); - if (len <= 0) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; - } - X = tmp_buf; - PORT_Assert((unsigned int)len <= blocksize); - if ((unsigned int)len > blocksize) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; - } - /* zero pad the result */ - if (len != blocksize) { - PORT_Memset(X, 0, blocksize - len); - X += blocksize - len; - } - - err = mp_to_unsigned_octets(&ghash->X, X, len); - if (err < 0) { + ghash->h_low = get64(H + 8); + ghash->h_high = get64(H); + if (clmul_support() && !sw) { +#ifdef NSS_X86_OR_X64 + ghash->ghash_mul = gcm_HashMult_hw; + ghash->x = _mm_setzero_si128(); + /* MSVC requires __m64 to load epi64. 
*/ + ghash->h = _mm_set_epi32(ghash->h_high >> 32, (uint32_t)ghash->h_high, + ghash->h_low >> 32, (uint32_t)ghash->h_low); + ghash->hw = PR_TRUE; +#else PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; +#endif /* NSS_X86_OR_X64 */ + } else { +/* We fall back to the software implementation if we can't use / don't + * want to use pclmul. */ +#ifdef HAVE_INT128_SUPPORT + ghash->ghash_mul = gcm_HashMult_sftw; +#else + ghash->ghash_mul = gcm_HashMult_sftw32; +#endif + ghash->x_high = ghash->x_low = 0; + ghash->hw = PR_FALSE; } - gcm_reverse(T, tmp_buf, blocksize); return SECSuccess; } -static SECStatus -gcm_HashMult(gcmHashContext *ghash, const unsigned char *buf, - unsigned int count, unsigned int blocksize) -{ - SECStatus rv = SECFailure; - mp_err err = MP_OKAY; - unsigned char tmp_buf[MAX_BLOCK_SIZE]; - unsigned int i; - - for (i = 0; i < count; i++, buf += blocksize) { - ghash->m++; - gcm_reverse(tmp_buf, buf, blocksize); - CHECK_MPI_OK(mp_read_unsigned_octets(&ghash->C_i, tmp_buf, blocksize)); - CHECK_MPI_OK(mp_badd(&ghash->X, &ghash->C_i, &ghash->C_i)); - /* - * Looking to speed up GCM, this the the place to do it. - * There are two areas that can be exploited to speed up this code. - * - * 1) H is a constant in this multiply. We can precompute H * (0 - 255) - * at init time and this becomes an blockize xors of our table lookup. - * - * 2) poly is a constant for each blocksize. We can calculate the - * modulo reduction by a series of adds and shifts. - * - * For now we are after functionality, so we will go ahead and use - * the builtin bmulmod from mpi - */ - CHECK_MPI_OK(mp_bmulmod(&ghash->C_i, &ghash->H, - ghash->poly, &ghash->X)); - GCM_TRACE_X(ghash, "X%d = ") - } - rv = SECSuccess; -cleanup: - PORT_Memset(tmp_buf, 0, sizeof(tmp_buf)); - if (rv != SECSuccess) { - MP_TO_SEC_ERROR(err); - } - return rv; -} - -static void -gcm_zeroX(gcmHashContext *ghash) +#ifdef HAVE_INT128_SUPPORT +/* Binary multiplication x * y = r_high << 64 | r_low. 
*/ +void +bmul(uint64_t x, uint64_t y, uint64_t *r_high, uint64_t *r_low) { - mp_zero(&ghash->X); - ghash->m = 0; + uint128_t x1, x2, x3, x4, x5; + uint128_t y1, y2, y3, y4, y5; + uint128_t r, z; + + uint128_t m1 = (uint128_t)0x2108421084210842 << 64 | 0x1084210842108421; + uint128_t m2 = (uint128_t)0x4210842108421084 << 64 | 0x2108421084210842; + uint128_t m3 = (uint128_t)0x8421084210842108 << 64 | 0x4210842108421084; + uint128_t m4 = (uint128_t)0x0842108421084210 << 64 | 0x8421084210842108; + uint128_t m5 = (uint128_t)0x1084210842108421 << 64 | 0x0842108421084210; + + x1 = x & m1; + y1 = y & m1; + x2 = x & m2; + y2 = y & m2; + x3 = x & m3; + y3 = y & m3; + x4 = x & m4; + y4 = y & m4; + x5 = x & m5; + y5 = y & m5; + + z = (x1 * y1) ^ (x2 * y5) ^ (x3 * y4) ^ (x4 * y3) ^ (x5 * y2); + r = z & m1; + z = (x1 * y2) ^ (x2 * y1) ^ (x3 * y5) ^ (x4 * y4) ^ (x5 * y3); + r |= z & m2; + z = (x1 * y3) ^ (x2 * y2) ^ (x3 * y1) ^ (x4 * y5) ^ (x5 * y4); + r |= z & m3; + z = (x1 * y4) ^ (x2 * y3) ^ (x3 * y2) ^ (x4 * y1) ^ (x5 * y5); + r |= z & m4; + z = (x1 * y5) ^ (x2 * y4) ^ (x3 * y3) ^ (x4 * y2) ^ (x5 * y1); + r |= z & m5; + + *r_high = (uint64_t)(r >> 64); + *r_low = (uint64_t)r; } -#endif - -#ifdef GCM_USE_ALGORITHM_1 -/* use algorithm 1 of McGrew & Viega "The Galois/Counter Mode of Operation" */ - -#define GCM_ARRAY_SIZE (MAX_BLOCK_SIZE / sizeof(unsigned long)) - -struct gcmHashContextStr { - unsigned long H[GCM_ARRAY_SIZE]; - unsigned long X[GCM_ARRAY_SIZE]; - unsigned long R; - unsigned char buffer[MAX_BLOCK_SIZE]; - unsigned int bufLen; - int m; - unsigned char counterBuf[2 * GCM_HASH_LEN_LEN]; - PRUint64 cLen; -}; - -static void -gcm_bytes_to_longs(unsigned long *l, const unsigned char *c, unsigned int len) +SECStatus +gcm_HashMult_sftw(gcmHashContext *ghash, const unsigned char *buf, + unsigned int count) { - int i, j; - int array_size = len / sizeof(unsigned long); - - PORT_Assert(len % sizeof(unsigned long) == 0); - for (i = 0; i < array_size; i++) { - unsigned long tmp 
= 0; - int byte_offset = i * sizeof(unsigned long); - for (j = sizeof(unsigned long) - 1; j >= 0; j--) { - tmp = (tmp << PR_BITS_PER_BYTE) | gcm_byte_rev[c[byte_offset + j]]; - } - l[i] = tmp; - } + uint64_t ci_low, ci_high; + size_t i; + uint64_t z2_low, z2_high, z0_low, z0_high, z1a_low, z1a_high; + uint128_t z_high = 0, z_low = 0; + + ci_low = ghash->x_low; + ci_high = ghash->x_high; + for (i = 0; i < count; i++, buf += 16) { + ci_low ^= get64(buf + 8); + ci_high ^= get64(buf); + + /* Do binary mult ghash->X = C * ghash->H (Karatsuba). */ + bmul(ci_high, ghash->h_high, &z2_high, &z2_low); + bmul(ci_low, ghash->h_low, &z0_high, &z0_low); + bmul(ci_high ^ ci_low, ghash->h_high ^ ghash->h_low, &z1a_high, &z1a_low); + z1a_high ^= z2_high ^ z0_high; + z1a_low ^= z2_low ^ z0_low; + z_high = ((uint128_t)z2_high << 64) | (z2_low ^ z1a_high); + z_low = (((uint128_t)z0_high << 64) | z0_low) ^ (((uint128_t)z1a_low) << 64); + + /* Shift one (multiply by x) as gcm spec is stupid. */ + z_high = (z_high << 1) | (z_low >> 127); + z_low <<= 1; + + /* Reduce */ + z_low ^= (z_low << 127) ^ (z_low << 126) ^ (z_low << 121); + z_high ^= z_low ^ (z_low >> 1) ^ (z_low >> 2) ^ (z_low >> 7); + ci_low = (uint64_t)z_high; + ci_high = (uint64_t)(z_high >> 64); + } + ghash->x_low = ci_low; + ghash->x_high = ci_high; + return SECSuccess; } - -static void -gcm_longs_to_bytes(const unsigned long *l, unsigned char *c, unsigned int len) +#else +/* Binary multiplication x * y = r_high << 32 | r_low. 
*/ +void +bmul32(uint32_t x, uint32_t y, uint32_t *r_high, uint32_t *r_low) { - int i, j; - int array_size = len / sizeof(unsigned long); - - PORT_Assert(len % sizeof(unsigned long) == 0); - for (i = 0; i < array_size; i++) { - unsigned long tmp = l[i]; - int byte_offset = i * sizeof(unsigned long); - for (j = 0; j < sizeof(unsigned long); j++) { - c[byte_offset + j] = gcm_byte_rev[tmp & 0xff]; - tmp = (tmp >> PR_BITS_PER_BYTE); - } - } + uint32_t x0, x1, x2, x3; + uint32_t y0, y1, y2, y3; + uint32_t m1 = (uint32_t)0x11111111; + uint32_t m2 = (uint32_t)0x22222222; + uint32_t m4 = (uint32_t)0x44444444; + uint32_t m8 = (uint32_t)0x88888888; + uint64_t z0, z1, z2, z3; + uint64_t z; + + x0 = x & m1; + x1 = x & m2; + x2 = x & m4; + x3 = x & m8; + y0 = y & m1; + y1 = y & m2; + y2 = y & m4; + y3 = y & m8; + z0 = ((uint64_t)x0 * y0) ^ ((uint64_t)x1 * y3) ^ + ((uint64_t)x2 * y2) ^ ((uint64_t)x3 * y1); + z1 = ((uint64_t)x0 * y1) ^ ((uint64_t)x1 * y0) ^ + ((uint64_t)x2 * y3) ^ ((uint64_t)x3 * y2); + z2 = ((uint64_t)x0 * y2) ^ ((uint64_t)x1 * y1) ^ + ((uint64_t)x2 * y0) ^ ((uint64_t)x3 * y3); + z3 = ((uint64_t)x0 * y3) ^ ((uint64_t)x1 * y2) ^ + ((uint64_t)x2 * y1) ^ ((uint64_t)x3 * y0); + z0 &= ((uint64_t)m1 << 32) | m1; + z1 &= ((uint64_t)m2 << 32) | m2; + z2 &= ((uint64_t)m4 << 32) | m4; + z3 &= ((uint64_t)m8 << 32) | m8; + z = z0 | z1 | z2 | z3; + *r_high = (uint32_t)(z >> 32); + *r_low = (uint32_t)z; } -/* Initialize a gcmHashContext */ -static SECStatus -gcmHash_InitContext(gcmHashContext *ghash, const unsigned char *H, - unsigned int blocksize) +SECStatus +gcm_HashMult_sftw32(gcmHashContext *ghash, const unsigned char *buf, + unsigned int count) { - PORT_Memset(ghash->X, 0, sizeof(ghash->X)); - PORT_Memset(ghash->H, 0, sizeof(ghash->H)); - gcm_bytes_to_longs(ghash->H, H, blocksize); - - /* set the irreducible polynomial. 
Each blocksize has its own polynommial - * for now only blocksize 16 (=128 bits) is defined */ - switch (blocksize) { - case 16: /* 128 bits */ - ghash->R = (unsigned long)0x87; /* x^7 + x^2 + x +1 */ - break; - default: - PORT_SetError(SEC_ERROR_INVALID_ARGS); - goto cleanup; + size_t i; + uint64_t ci_low, ci_high; + uint64_t z_high_h, z_high_l, z_low_h, z_low_l; + uint32_t ci_high_h, ci_high_l, ci_low_h, ci_low_l; + uint32_t b_a_h, b_a_l, a_a_h, a_a_l, b_b_h, b_b_l; + uint32_t a_b_h, a_b_l, b_c_h, b_c_l, a_c_h, a_c_l, c_c_h, c_c_l; + uint32_t ci_highXlow_h, ci_highXlow_l, c_a_h, c_a_l, c_b_h, c_b_l; + + uint32_t h_high_h = (uint32_t)(ghash->h_high >> 32); + uint32_t h_high_l = (uint32_t)ghash->h_high; + uint32_t h_low_h = (uint32_t)(ghash->h_low >> 32); + uint32_t h_low_l = (uint32_t)ghash->h_low; + uint32_t h_highXlow_h = h_high_h ^ h_low_h; + uint32_t h_highXlow_l = h_high_l ^ h_low_l; + uint32_t h_highX_xored = h_highXlow_h ^ h_highXlow_l; + + for (i = 0; i < count; i++, buf += 16) { + ci_low = ghash->x_low ^ get64(buf + 8); + ci_high = ghash->x_high ^ get64(buf); + ci_low_h = (uint32_t)(ci_low >> 32); + ci_low_l = (uint32_t)ci_low; + ci_high_h = (uint32_t)(ci_high >> 32); + ci_high_l = (uint32_t)ci_high; + ci_highXlow_h = ci_high_h ^ ci_low_h; + ci_highXlow_l = ci_high_l ^ ci_low_l; + + /* Do binary mult ghash->X = C * ghash->H (recursive Karatsuba). 
*/ + bmul32(ci_high_h, h_high_h, &a_a_h, &a_a_l); + bmul32(ci_high_l, h_high_l, &a_b_h, &a_b_l); + bmul32(ci_high_h ^ ci_high_l, h_high_h ^ h_high_l, &a_c_h, &a_c_l); + a_c_h ^= a_a_h ^ a_b_h; + a_c_l ^= a_a_l ^ a_b_l; + a_a_l ^= a_c_h; + a_b_h ^= a_c_l; + /* ci_high * h_high = a_a_h:a_a_l:a_b_h:a_b_l */ + + bmul32(ci_low_h, h_low_h, &b_a_h, &b_a_l); + bmul32(ci_low_l, h_low_l, &b_b_h, &b_b_l); + bmul32(ci_low_h ^ ci_low_l, h_low_h ^ h_low_l, &b_c_h, &b_c_l); + b_c_h ^= b_a_h ^ b_b_h; + b_c_l ^= b_a_l ^ b_b_l; + b_a_l ^= b_c_h; + b_b_h ^= b_c_l; + /* ci_low * h_low = b_a_h:b_a_l:b_b_h:b_b_l */ + + bmul32(ci_highXlow_h, h_highXlow_h, &c_a_h, &c_a_l); + bmul32(ci_highXlow_l, h_highXlow_l, &c_b_h, &c_b_l); + bmul32(ci_highXlow_h ^ ci_highXlow_l, h_highX_xored, &c_c_h, &c_c_l); + c_c_h ^= c_a_h ^ c_b_h; + c_c_l ^= c_a_l ^ c_b_l; + c_a_l ^= c_c_h; + c_b_h ^= c_c_l; + /* (ci_high ^ ci_low) * (h_high ^ h_low) = c_a_h:c_a_l:c_b_h:c_b_l */ + + c_a_h ^= b_a_h ^ a_a_h; + c_a_l ^= b_a_l ^ a_a_l; + c_b_h ^= b_b_h ^ a_b_h; + c_b_l ^= b_b_l ^ a_b_l; + z_high_h = ((uint64_t)a_a_h << 32) | a_a_l; + z_high_l = (((uint64_t)a_b_h << 32) | a_b_l) ^ + (((uint64_t)c_a_h << 32) | c_a_l); + z_low_h = (((uint64_t)b_a_h << 32) | b_a_l) ^ + (((uint64_t)c_b_h << 32) | c_b_l); + z_low_l = ((uint64_t)b_b_h << 32) | b_b_l; + + /* Shift one (multiply by x) as gcm spec is stupid. 
*/ + z_high_h = z_high_h << 1 | z_high_l >> 63; + z_high_l = z_high_l << 1 | z_low_h >> 63; + z_low_h = z_low_h << 1 | z_low_l >> 63; + z_low_l <<= 1; + + /* Reduce */ + z_low_h ^= (z_low_l << 63) ^ (z_low_l << 62) ^ (z_low_l << 57); + z_high_h ^= z_low_h ^ (z_low_h >> 1) ^ (z_low_h >> 2) ^ (z_low_h >> 7); + z_high_l ^= z_low_l ^ (z_low_l >> 1) ^ (z_low_l >> 2) ^ (z_low_l >> 7) ^ + (z_low_h << 63) ^ (z_low_h << 62) ^ (z_low_h << 57); + ghash->x_high = z_high_h; + ghash->x_low = z_high_l; } - ghash->cLen = 0; - ghash->bufLen = 0; - ghash->m = 0; - PORT_Memset(ghash->counterBuf, 0, sizeof(ghash->counterBuf)); return SECSuccess; -cleanup: - return SECFailure; -} - -/* Destroy a HashContext (Note we zero the digits so this function - * is idempotent if called with freeit == PR_FALSE */ -static void -gcmHash_DestroyContext(gcmHashContext *ghash, PRBool freeit) -{ - PORT_Memset(ghash, 0, sizeof(gcmHashContext)); - if (freeit) { - PORT_Free(ghash); - } } +#endif /* HAVE_INT128_SUPPORT */ -static unsigned long -gcm_shift_one(unsigned long *t, unsigned int count) +SECStatus +gcm_HashMult_hw(gcmHashContext *ghash, const unsigned char *buf, + unsigned int count) { - unsigned long carry = 0; - unsigned long nextcarry = 0; - unsigned int i; - for (i = 0; i < count; i++) { - nextcarry = t[i] >> ((sizeof(unsigned long) * PR_BITS_PER_BYTE) - 1); - t[i] = (t[i] << 1) | carry; - carry = nextcarry; +#ifdef NSS_X86_OR_X64 + size_t i; + pre_align __m128i z_high post_align; + pre_align __m128i z_low post_align; + pre_align __m128i C post_align; + pre_align __m128i D post_align; + pre_align __m128i E post_align; + pre_align __m128i F post_align; + pre_align __m128i bin post_align; + pre_align __m128i Ci post_align; + pre_align __m128i tmp post_align; + + for (i = 0; i < count; i++, buf += 16) { + bin = _mm_set_epi16(((uint16_t)buf[0] << 8) | buf[1], + ((uint16_t)buf[2] << 8) | buf[3], + ((uint16_t)buf[4] << 8) | buf[5], + ((uint16_t)buf[6] << 8) | buf[7], + ((uint16_t)buf[8] << 8) | 
buf[9], + ((uint16_t)buf[10] << 8) | buf[11], + ((uint16_t)buf[12] << 8) | buf[13], + ((uint16_t)buf[14] << 8) | buf[15]); + Ci = _mm_xor_si128(bin, ghash->x); + + /* Do binary mult ghash->X = Ci * ghash->H. */ + C = _mm_clmulepi64_si128(Ci, ghash->h, 0x00); + D = _mm_clmulepi64_si128(Ci, ghash->h, 0x11); + E = _mm_clmulepi64_si128(Ci, ghash->h, 0x01); + F = _mm_clmulepi64_si128(Ci, ghash->h, 0x10); + tmp = _mm_xor_si128(E, F); + z_high = _mm_xor_si128(tmp, _mm_slli_si128(D, 8)); + z_high = _mm_unpackhi_epi64(z_high, D); + z_low = _mm_xor_si128(_mm_slli_si128(tmp, 8), C); + z_low = _mm_unpackhi_epi64(_mm_slli_si128(C, 8), z_low); + + /* Shift one to the left (multiply by x) as gcm spec is stupid. */ + C = _mm_slli_si128(z_low, 8); + E = _mm_srli_epi64(C, 63); + D = _mm_slli_si128(z_high, 8); + F = _mm_srli_epi64(D, 63); + /* Carry over */ + C = _mm_srli_si128(z_low, 8); + D = _mm_srli_epi64(C, 63); + z_low = _mm_or_si128(_mm_slli_epi64(z_low, 1), E); + z_high = _mm_or_si128(_mm_or_si128(_mm_slli_epi64(z_high, 1), F), D); + + /* Reduce */ + C = _mm_slli_si128(z_low, 8); + /* D = z_low << 127 */ + D = _mm_slli_epi64(C, 63); + /* E = z_low << 126 */ + E = _mm_slli_epi64(C, 62); + /* F = z_low << 121 */ + F = _mm_slli_epi64(C, 57); + /* z_low ^= (z_low << 127) ^ (z_low << 126) ^ (z_low << 121); */ + z_low = _mm_xor_si128(_mm_xor_si128(_mm_xor_si128(z_low, D), E), F); + C = _mm_srli_si128(z_low, 8); + /* D = z_low >> 1 */ + D = _mm_slli_epi64(C, 63); + D = _mm_or_si128(_mm_srli_epi64(z_low, 1), D); + /* E = z_low >> 2 */ + E = _mm_slli_epi64(C, 62); + E = _mm_or_si128(_mm_srli_epi64(z_low, 2), E); + /* F = z_low >> 7 */ + F = _mm_slli_epi64(C, 57); + F = _mm_or_si128(_mm_srli_epi64(z_low, 7), F); + /* ghash->x ^= z_low ^ (z_low >> 1) ^ (z_low >> 2) ^ (z_low >> 7); */ + ghash->x = _mm_xor_si128(_mm_xor_si128( + _mm_xor_si128(_mm_xor_si128(z_high, z_low), D), E), + F); } - return carry; -} - -static SECStatus -gcm_getX(gcmHashContext *ghash, unsigned char *T, unsigned int 
blocksize) -{ - gcm_longs_to_bytes(ghash->X, T, blocksize); return SECSuccess; +#else + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; +#endif /* NSS_X86_OR_X64 */ } -#define GCM_XOR(t, s, len) \ - for (l = 0; l < len; l++) \ - t[l] ^= s[l] - static SECStatus -gcm_HashMult(gcmHashContext *ghash, const unsigned char *buf, - unsigned int count, unsigned int blocksize) +gcm_zeroX(gcmHashContext *ghash) { - unsigned long C_i[GCM_ARRAY_SIZE]; - unsigned int arraysize = blocksize / sizeof(unsigned long); - unsigned int i, j, k, l; - - for (i = 0; i < count; i++, buf += blocksize) { - ghash->m++; - gcm_bytes_to_longs(C_i, buf, blocksize); - GCM_XOR(C_i, ghash->X, arraysize); - /* multiply X = C_i * H */ - PORT_Memset(ghash->X, 0, sizeof(ghash->X)); - for (j = 0; j < arraysize; j++) { - unsigned long H = ghash->H[j]; - for (k = 0; k < sizeof(unsigned long) * PR_BITS_PER_BYTE; k++) { - if (H & 1) { - GCM_XOR(ghash->X, C_i, arraysize); - } - if (gcm_shift_one(C_i, arraysize)) { - C_i[0] = C_i[0] ^ ghash->R; - } - H = H >> 1; - } - } - GCM_TRACE_X(ghash, "X%d = ") + if (ghash->hw) { +#ifdef NSS_X86_OR_X64 + ghash->x = _mm_setzero_si128(); + return SECSuccess; +#else + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; +#endif /* NSS_X86_OR_X64 */ } - PORT_Memset(C_i, 0, sizeof(C_i)); - return SECSuccess; -} -static void -gcm_zeroX(gcmHashContext *ghash) -{ - PORT_Memset(ghash->X, 0, sizeof(ghash->X)); - ghash->m = 0; + ghash->x_high = ghash->x_low = 0; + return SECSuccess; } -#endif /* * implement GCM GHASH using the freebl GHASH function. The gcm_HashMult - * function always takes blocksize lengths of data. gcmHash_Update will + * function always takes AES_BLOCK_SIZE lengths of data. gcmHash_Update will * format the data properly. */ -static SECStatus +SECStatus gcmHash_Update(gcmHashContext *ghash, const unsigned char *buf, - unsigned int len, unsigned int blocksize) + unsigned int len) { unsigned int blocks; SECStatus rv; 
@@ -458,7 +398,7 @@ gcmHash_Update(gcmHashContext *ghash, const unsigned char *buf, /* first deal with the current buffer of data. Try to fill it out so * we can hash it */ if (ghash->bufLen) { - unsigned int needed = PR_MIN(len, blocksize - ghash->bufLen); + unsigned int needed = PR_MIN(len, AES_BLOCK_SIZE - ghash->bufLen); if (needed != 0) { PORT_Memcpy(ghash->buffer + ghash->bufLen, buf, needed); } @@ -469,24 +409,24 @@ gcmHash_Update(gcmHashContext *ghash, const unsigned char *buf, /* didn't add enough to hash the data, nothing more do do */ return SECSuccess; } - PORT_Assert(ghash->bufLen == blocksize); + PORT_Assert(ghash->bufLen == AES_BLOCK_SIZE); /* hash the buffer and clear it */ - rv = gcm_HashMult(ghash, ghash->buffer, 1, blocksize); - PORT_Memset(ghash->buffer, 0, blocksize); + rv = ghash->ghash_mul(ghash, ghash->buffer, 1); + PORT_Memset(ghash->buffer, 0, AES_BLOCK_SIZE); ghash->bufLen = 0; if (rv != SECSuccess) { return SECFailure; } } /* now hash any full blocks remaining in the data stream */ - blocks = len / blocksize; + blocks = len / AES_BLOCK_SIZE; if (blocks) { - rv = gcm_HashMult(ghash, buf, blocks, blocksize); + rv = ghash->ghash_mul(ghash, buf, blocks); if (rv != SECSuccess) { return SECFailure; } - buf += blocks * blocksize; - len -= blocks * blocksize; + buf += blocks * AES_BLOCK_SIZE; + len -= blocks * AES_BLOCK_SIZE; } /* save any remainder in the buffer to be hashed with the next call */ @@ -502,7 +442,7 @@ gcmHash_Update(gcmHashContext *ghash, const unsigned char *buf, * save the lengths for the final completion of the hash */ static SECStatus -gcmHash_Sync(gcmHashContext *ghash, unsigned int blocksize) +gcmHash_Sync(gcmHashContext *ghash) { int i; SECStatus rv; 
@@ -519,9 +459,9 @@ gcmHash_Sync(gcmHashContext *ghash, unsigned int blocksize) /* now zero fill the buffer and hash the last block */ if (ghash->bufLen) { - PORT_Memset(ghash->buffer + ghash->bufLen, 0, blocksize - ghash->bufLen); - rv = gcm_HashMult(ghash, ghash->buffer, 1, blocksize); - PORT_Memset(ghash->buffer, 0, blocksize); + PORT_Memset(ghash->buffer + ghash->bufLen, 0, AES_BLOCK_SIZE - ghash->bufLen); + rv = ghash->ghash_mul(ghash, ghash->buffer, 1); + PORT_Memset(ghash->buffer, 0, AES_BLOCK_SIZE); ghash->bufLen = 0; if (rv != SECSuccess) { return SECFailure; 
@@ -530,38 +470,56 @@ gcmHash_Sync(gcmHashContext *ghash, unsigned int blocksize) return SECSuccess; } +#define WRITE64(x, bytes) \ + (bytes)[0] = (x) >> 56; \ + (bytes)[1] = (x) >> 48; \ + (bytes)[2] = (x) >> 40; \ + (bytes)[3] = (x) >> 32; \ + (bytes)[4] = (x) >> 24; \ + (bytes)[5] = (x) >> 16; \ + (bytes)[6] = (x) >> 8; \ + (bytes)[7] = (x); + /* * This does the final sync, hashes the lengths, then returns * "T", the hashed output. */ -static SECStatus +SECStatus gcmHash_Final(gcmHashContext *ghash, unsigned char *outbuf, - unsigned int *outlen, unsigned int maxout, - unsigned int blocksize) + unsigned int *outlen, unsigned int maxout) { unsigned char T[MAX_BLOCK_SIZE]; SECStatus rv; - rv = gcmHash_Sync(ghash, blocksize); + rv = gcmHash_Sync(ghash); if (rv != SECSuccess) { goto cleanup; } - rv = gcm_HashMult(ghash, ghash->counterBuf, (GCM_HASH_LEN_LEN * 2) / blocksize, - blocksize); + rv = ghash->ghash_mul(ghash, ghash->counterBuf, + (GCM_HASH_LEN_LEN * 2) / AES_BLOCK_SIZE); if (rv != SECSuccess) { goto cleanup; } - GCM_TRACE_X(ghash, "GHASH(H,A,C) = ") - - rv = gcm_getX(ghash, T, blocksize); - if (rv != SECSuccess) { - goto cleanup; + if (ghash->hw) { +#ifdef NSS_X86_OR_X64 + uint64_t tmp_out[2]; + _mm_storeu_si128((__m128i *)tmp_out, ghash->x); + WRITE64(tmp_out[0], T + 8); + WRITE64(tmp_out[1], T); +#else + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; +#endif /* NSS_X86_OR_X64 */ + } else { + WRITE64(ghash->x_low, T + 8); + WRITE64(ghash->x_high, T); } - if (maxout > blocksize) - maxout = blocksize; + if (maxout > AES_BLOCK_SIZE) { + maxout = AES_BLOCK_SIZE; + } PORT_Memcpy(outbuf, T, maxout); *outlen = maxout; rv = SECSuccess; 
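Review bot: The new `WRITE64` macro expands to eight bare statements with a trailing semicolon, so `WRITE64(tmp_out[0], T + 8);` leaves an empty statement behind and the macro silently breaks inside an unbraced `if`/`else`; it also relies on implicit narrowing of `(x) >> 56` to `unsigned char`, which trips `-Wconversion`. Since the file already introduces `get64()` as a plain function for the inverse direction, the serializer reads better as a matching `static inline` helper (or a `do { ... } while (0)` macro if this file avoids inline functions), called as `write64(tmp_out[0], T + 8); write64(tmp_out[1], T);` in the hw branch and `write64(ghash->x_low, T + 8); write64(ghash->x_high, T);` in the software branch. The `cleanup:` label this function jumps to lies outside the hunk, so I cannot tell whether `T` (the raw GHASH value) is wiped there; if not, a `PORT_Memset(T, 0, sizeof(T));` before returning is worth adding.

```c
/* Serialize x big-endian into bytes[0..7]; the inverse of get64(). */
static inline void
write64(uint64_t x, unsigned char *bytes)
{
    bytes[0] = (unsigned char)(x >> 56);
    bytes[1] = (unsigned char)(x >> 48);
    bytes[2] = (unsigned char)(x >> 40);
    bytes[3] = (unsigned char)(x >> 32);
    bytes[4] = (unsigned char)(x >> 24);
    bytes[5] = (unsigned char)(x >> 16);
    bytes[6] = (unsigned char)(x >> 8);
    bytes[7] = (unsigned char)x;
}
/* … unchanged: gcmHash_Final, with WRITE64(...) calls replaced by write64(...) … */
```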
@@ -573,22 +531,25 @@ cleanup: SECStatus gcmHash_Reset(gcmHashContext *ghash, const unsigned char *AAD, - unsigned int AADLen, unsigned int blocksize) + unsigned int AADLen) { SECStatus rv; ghash->cLen = 0; PORT_Memset(ghash->counterBuf, 0, GCM_HASH_LEN_LEN * 2); ghash->bufLen = 0; - gcm_zeroX(ghash); + rv = gcm_zeroX(ghash); + if (rv != SECSuccess) { + return rv; + } /* now kick things off by hashing the Additional Authenticated Data */ if (AADLen != 0) { - rv = gcmHash_Update(ghash, AAD, AADLen, blocksize); + rv = gcmHash_Update(ghash, AAD, AADLen); if (rv != SECSuccess) { return SECFailure; } - rv = gcmHash_Sync(ghash, blocksize); + rv = gcmHash_Sync(ghash); if (rv != SECSuccess) { return SECFailure; } @@ -602,7 +563,7 @@ gcmHash_Reset(gcmHashContext *ghash, const unsigned char *AAD, /* state to handle the full GCM operation (hash and counter) */ struct GCMContextStr { - gcmHashContext ghash_context; + gcmHashContext *ghash_context; CTRContext ctr_context; unsigned long tagBits; unsigned char tagKey[MAX_BLOCK_SIZE]; 
@@ -610,58 +571,69 @@ struct GCMContextStr { GCMContext * GCM_CreateContext(void *context, freeblCipherFunc cipher, - const unsigned char *params, unsigned int blocksize) + const unsigned char *params) { GCMContext *gcm = NULL; - gcmHashContext *ghash; + gcmHashContext *ghash = NULL; unsigned char H[MAX_BLOCK_SIZE]; unsigned int tmp; PRBool freeCtr = PR_FALSE; - PRBool freeHash = PR_FALSE; const CK_GCM_PARAMS *gcmParams = (const CK_GCM_PARAMS *)params; CK_AES_CTR_PARAMS ctrParams; SECStatus rv; +#ifdef DISABLE_HW_GCM + const PRBool sw = PR_TRUE; +#else + const PRBool sw = PR_FALSE; +#endif - if (blocksize > MAX_BLOCK_SIZE || blocksize > sizeof(ctrParams.cb)) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + if (gcmParams->ulIvLen == 0) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } gcm = PORT_ZNew(GCMContext); if (gcm == NULL) { return NULL; } - /* first fill in the ghash context */ - ghash = &gcm->ghash_context; - PORT_Memset(H, 0, blocksize); - rv = (*cipher)(context, H, &tmp, blocksize, H, blocksize, blocksize); + /* aligned_alloc is C11 so we have to do it the old way. 
*/ + ghash = PORT_ZAlloc(sizeof(gcmHashContext) + 15); + if (ghash == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + ghash->mem = ghash; + ghash = (gcmHashContext *)(((uintptr_t)ghash + 15) & ~(uintptr_t)0x0F); + + /* first plug in the ghash context */ + gcm->ghash_context = ghash; + PORT_Memset(H, 0, AES_BLOCK_SIZE); + rv = (*cipher)(context, H, &tmp, AES_BLOCK_SIZE, H, AES_BLOCK_SIZE, AES_BLOCK_SIZE); if (rv != SECSuccess) { goto loser; } - rv = gcmHash_InitContext(ghash, H, blocksize); + rv = gcmHash_InitContext(ghash, H, sw); if (rv != SECSuccess) { goto loser; } - freeHash = PR_TRUE; /* fill in the Counter context */ ctrParams.ulCounterBits = 32; PORT_Memset(ctrParams.cb, 0, sizeof(ctrParams.cb)); - if ((blocksize == 16) && (gcmParams->ulIvLen == 12)) { + if (gcmParams->ulIvLen == 12) { PORT_Memcpy(ctrParams.cb, gcmParams->pIv, gcmParams->ulIvLen); - ctrParams.cb[blocksize - 1] = 1; + ctrParams.cb[AES_BLOCK_SIZE - 1] = 1; } else { - rv = gcmHash_Update(ghash, gcmParams->pIv, gcmParams->ulIvLen, - blocksize); + rv = gcmHash_Update(ghash, gcmParams->pIv, gcmParams->ulIvLen); if (rv != SECSuccess) { goto loser; } - rv = gcmHash_Final(ghash, ctrParams.cb, &tmp, blocksize, blocksize); + rv = gcmHash_Final(ghash, ctrParams.cb, &tmp, AES_BLOCK_SIZE); if (rv != SECSuccess) { goto loser; } } rv = CTR_InitContext(&gcm->ctr_context, context, cipher, - (unsigned char *)&ctrParams, blocksize); + (unsigned char *)&ctrParams); if (rv != SECSuccess) { goto loser; } 
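Review bot: `ghash->mem = ghash;` is written through the raw pointer returned by `PORT_ZAlloc`, but `ghash` is then rounded up to the next 16-byte boundary and every later reader (`ghash->mem` in the `loser:` path and `gcm->ghash_context->mem` in GCM_DestroyContext) dereferences the aligned object, so whenever the allocation was not already 16-byte aligned the `mem` field that is read back is the zero fill left by `PORT_ZAlloc` or a partial overlap of the stored pointer bytes, and the block is either leaked or an invalid pointer is handed to `PORT_Free`. Keep the raw pointer in a local and store it after aligning: `void *mem = PORT_ZAlloc(sizeof(gcmHashContext) + 15);` … `ghash = (gcmHashContext *)(((uintptr_t)mem + 15) & ~(uintptr_t)0x0F); ghash->mem = mem;`. On allocators that already return 16-byte-aligned memory the two pointers coincide and the defect is masked, which is presumably why it does not show up in testing. The `loser:` label and the remainder of GCM_CreateContext are outside this hunk.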
@@ -671,14 +643,14 @@ GCM_CreateContext(void *context, freeblCipherFunc cipher, gcm->tagBits = gcmParams->ulTagBits; /* save for final step */ /* calculate the final tag key. NOTE: gcm->tagKey is zero to start with. * if this assumption changes, we would need to explicitly clear it here */ - rv = CTR_Update(&gcm->ctr_context, gcm->tagKey, &tmp, blocksize, - gcm->tagKey, blocksize, blocksize); + rv = CTR_Update(&gcm->ctr_context, gcm->tagKey, &tmp, AES_BLOCK_SIZE, + gcm->tagKey, AES_BLOCK_SIZE, AES_BLOCK_SIZE); if (rv != SECSuccess) { goto loser; } /* finally mix in the AAD data */ - rv = gcmHash_Reset(ghash, gcmParams->pAAD, gcmParams->ulAADLen, blocksize); + rv = gcmHash_Reset(ghash, gcmParams->pAAD, gcmParams->ulAADLen); if (rv != SECSuccess) { goto loser; } @@ -689,8 +661,8 @@ loser: if (freeCtr) { CTR_DestroyContext(&gcm->ctr_context, PR_FALSE); } - if (freeHash) { - gcmHash_DestroyContext(&gcm->ghash_context, PR_FALSE); + if (ghash && ghash->mem) { + PORT_Free(ghash->mem); } if (gcm) { PORT_Free(gcm); @@ -705,7 +677,7 @@ GCM_DestroyContext(GCMContext *gcm, PRBool freeit) * gcm. call their destroy functions to free up any locally * allocated data (like mp_int's) */ CTR_DestroyContext(&gcm->ctr_context, PR_FALSE); - gcmHash_DestroyContext(&gcm->ghash_context, PR_FALSE); + PORT_Free(gcm->ghash_context->mem); PORT_Memset(&gcm->tagBits, 0, sizeof(gcm->tagBits)); PORT_Memset(gcm->tagKey, 0, sizeof(gcm->tagKey)); if (freeit) { @@ -715,8 +687,7 @@ GCM_DestroyContext(GCMContext *gcm, PRBool freeit) static SECStatus gcm_GetTag(GCMContext *gcm, unsigned char *outbuf, - unsigned int *outlen, unsigned int maxout, - unsigned int blocksize) + unsigned int *outlen, unsigned int maxout) { unsigned int tagBytes; unsigned int extra; 
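Review bot: `PORT_Free(gcm->ghash_context->mem);` in the GCM_DestroyContext hunk releases the hash context without clearing it, whereas the removed gcmHash_DestroyContext did `PORT_Memset(ghash, 0, sizeof(gcmHashContext))` before freeing; the context holds the GHASH subkey H (`h_low`/`h_high`/`h`) and the running authentication state, so that key material now outlives the context in freed heap memory. Copy the raw pointer out first, because wiping the struct also clears the `mem` field, then free: `void *mem = gcm->ghash_context->mem; PORT_Memset(gcm->ghash_context, 0, sizeof(*gcm->ghash_context)); PORT_Free(mem);`. The `loser:` path in the `@@ -689` hunk has the same gap — `PORT_Free(ghash->mem)` runs after gcmHash_InitContext may already have loaded H — and should wipe the same way. The enclosing functions extend beyond these hunks.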
@@ -738,18 +709,14 @@ gcm_GetTag(GCMContext *gcm, unsigned char *outbuf, return SECFailure; } maxout = tagBytes; - rv = gcmHash_Final(&gcm->ghash_context, outbuf, outlen, maxout, blocksize); + rv = gcmHash_Final(gcm->ghash_context, outbuf, outlen, maxout); if (rv != SECSuccess) { return SECFailure; } - GCM_TRACE_BLOCK("GHASH=", outbuf, blocksize); - GCM_TRACE_BLOCK("Y0=", gcm->tagKey, blocksize); for (i = 0; i < *outlen; i++) { outbuf[i] ^= gcm->tagKey[i]; } - GCM_TRACE_BLOCK("Y0=", gcm->tagKey, blocksize); - GCM_TRACE_BLOCK("T=", outbuf, blocksize); /* mask off any extra bits we got */ if (extra) { outbuf[tagBytes - 1] &= ~((1 << extra) - 1); @@ -772,6 +739,12 @@ GCM_EncryptUpdate(GCMContext *gcm, unsigned char *outbuf, unsigned int tagBytes; unsigned int len; + PORT_Assert(blocksize == AES_BLOCK_SIZE); + if (blocksize != AES_BLOCK_SIZE) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE; if (UINT_MAX - inlen < tagBytes) { PORT_SetError(SEC_ERROR_INPUT_LEN); @@ -784,17 +757,17 @@ GCM_EncryptUpdate(GCMContext *gcm, unsigned char *outbuf, } rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, - inbuf, inlen, blocksize); + inbuf, inlen, AES_BLOCK_SIZE); if (rv != SECSuccess) { return SECFailure; } - rv = gcmHash_Update(&gcm->ghash_context, outbuf, *outlen, blocksize); + rv = gcmHash_Update(gcm->ghash_context, outbuf, *outlen); if (rv != SECSuccess) { PORT_Memset(outbuf, 0, *outlen); /* clear the output buffer */ *outlen = 0; return SECFailure; } - rv = gcm_GetTag(gcm, outbuf + *outlen, &len, maxout - *outlen, blocksize); + rv = gcm_GetTag(gcm, outbuf + *outlen, &len, maxout - *outlen); if (rv != SECSuccess) { PORT_Memset(outbuf, 0, *outlen); /* clear the output buffer */ *outlen = 0; 
@@ -824,6 +797,12 @@ GCM_DecryptUpdate(GCMContext *gcm, unsigned char *outbuf, const unsigned char *intag; unsigned int len; + PORT_Assert(blocksize == AES_BLOCK_SIZE); + if (blocksize != AES_BLOCK_SIZE) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE; /* get the authentication block */ @@ -836,11 +815,11 @@ GCM_DecryptUpdate(GCMContext *gcm, unsigned char *outbuf, intag = inbuf + inlen; /* verify the block */ - rv = gcmHash_Update(&gcm->ghash_context, inbuf, inlen, blocksize); + rv = gcmHash_Update(gcm->ghash_context, inbuf, inlen); if (rv != SECSuccess) { return SECFailure; } - rv = gcm_GetTag(gcm, tag, &len, blocksize, blocksize); + rv = gcm_GetTag(gcm, tag, &len, AES_BLOCK_SIZE); if (rv != SECSuccess) { return SECFailure; } @@ -856,5 +835,5 @@ GCM_DecryptUpdate(GCMContext *gcm, unsigned char *outbuf, PORT_Memset(tag, 0, sizeof(tag)); /* finish the decryption */ return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, - inbuf, inlen, blocksize); + inbuf, inlen, AES_BLOCK_SIZE); } diff --git a/security/nss/lib/freebl/gcm.h b/security/nss/lib/freebl/gcm.h index 1cdba534d0..0c707a0811 100644 --- a/security/nss/lib/freebl/gcm.h +++ b/security/nss/lib/freebl/gcm.h @@ -6,6 +6,17 @@ #define GCM_H 1 #include "blapii.h" +#include <stdint.h> + +#ifdef NSS_X86_OR_X64 +#include <emmintrin.h> /* __m128i */ +#endif + +SEC_BEGIN_PROTOS + +#ifdef HAVE_INT128_SUPPORT +typedef unsigned __int128 uint128_t; +#endif typedef struct GCMContextStr GCMContext; 
@@ -17,7 +28,7 @@ typedef struct GCMContextStr GCMContext; * The cipher argument is a block cipher in the ECB encrypt mode. */ GCMContext *GCM_CreateContext(void *context, freeblCipherFunc cipher, - const unsigned char *params, unsigned int blocksize); + const unsigned char *params); void GCM_DestroyContext(GCMContext *gcm, PRBool freeit); SECStatus GCM_EncryptUpdate(GCMContext *gcm, unsigned char *outbuf, unsigned int *outlen, unsigned int maxout, @@ -28,4 +39,34 @@ SECStatus GCM_DecryptUpdate(GCMContext *gcm, unsigned char *outbuf, const unsigned char *inbuf, unsigned int inlen, unsigned int blocksize); +/* These functions are here only so we can test them */ +#define GCM_HASH_LEN_LEN 8 /* gcm hash defines lengths to be 64 bits */ +typedef struct gcmHashContextStr gcmHashContext; +typedef SECStatus (*ghash_t)(gcmHashContext *, const unsigned char *, + unsigned int); +pre_align struct gcmHashContextStr { +#ifdef NSS_X86_OR_X64 + __m128i x, h; +#endif + uint64_t x_low, x_high, h_high, h_low; + unsigned char buffer[MAX_BLOCK_SIZE]; + unsigned int bufLen; + uint8_t counterBuf[16]; + uint64_t cLen; + ghash_t ghash_mul; + PRBool hw; + gcmHashContext *mem; +} post_align; + +SECStatus gcmHash_Update(gcmHashContext *ghash, const unsigned char *buf, + unsigned int len); +SECStatus gcmHash_InitContext(gcmHashContext *ghash, const unsigned char *H, + PRBool sw); +SECStatus gcmHash_Reset(gcmHashContext *ghash, const unsigned char *AAD, + unsigned int AADLen); +SECStatus gcmHash_Final(gcmHashContext *ghash, unsigned char *outbuf, + unsigned int *outlen, unsigned int maxout); + +SEC_END_PROTOS + #endif diff --git a/security/nss/lib/freebl/intel-aes-x64-masm.asm b/security/nss/lib/freebl/intel-aes-x64-masm.asm index ef5c76ba28..fe183bca03 100644 --- a/security/nss/lib/freebl/intel-aes-x64-masm.asm +++ b/security/nss/lib/freebl/intel-aes-x64-masm.asm 
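Review bot: The exported `struct gcmHashContextStr` carries no documentation of the two constraints GCM_CreateContext works around: it must live at a 16-byte-aligned address because of the `__m128i x, h` members, and `mem` is the unaligned allocation that owns the object and is what must be passed to `PORT_Free`. Since the struct is now visible to test code, a comment on the definition would prevent a caller from placing it in an ordinary `PORT_ZAlloc` block: `/* Must be 16-byte aligned (holds __m128i). mem is the raw allocation that owns this object; free mem, not the struct pointer. */`. As a point of style, `uint8_t counterBuf[16];` should be spelled `counterBuf[2 * GCM_HASH_LEN_LEN]` so it visibly agrees with the `GCM_HASH_LEN_LEN * 2` memset in gcmHash_Reset and the `(GCM_HASH_LEN_LEN * 2) / AES_BLOCK_SIZE` block count in gcmHash_Final.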
@@ -91,8 +91,6 @@ LOCAL bail movdqu [rsp + 1*16], xmm7 movdqu [rsp + 2*16], xmm8 - lea ctx, [48+ctx] - loop8: cmp inputLen, 8*16 jb loop1 @@ -555,9 +553,7 @@ LOCAL bail movdqu [rsp + 1*16], xmm7 movdqu [rsp + 2*16], xmm8 - lea ctx, [48+ctx] - - movdqu xmm0, [-32+ctx] + movdqu xmm0, [256+ctx] movdqu xmm2, [0*16 + ctx] movdqu xmm3, [1*16 + ctx] @@ -597,7 +593,7 @@ loop1: jmp loop1 bail: - movdqu [-32+ctx], xmm0 + movdqu [256+ctx], xmm0 xor rax, rax @@ -625,8 +621,6 @@ LOCAL bail movdqu [rsp + 1*16], xmm7 movdqu [rsp + 2*16], xmm8 - lea ctx, [48+ctx] - loop8: cmp inputLen, 8*16 jb dec1 @@ -657,7 +651,7 @@ loop8: ENDM aes_dec_last_rnd rnds - movdqu xmm8, [-32 + ctx] + movdqu xmm8, [256 + ctx] pxor xmm0, xmm8 movdqu xmm8, [0*16 + input] pxor xmm1, xmm8 @@ -683,7 +677,7 @@ loop8: movdqu [5*16 + output], xmm5 movdqu [6*16 + output], xmm6 movdqu [7*16 + output], xmm7 - movdqu [-32 + ctx], xmm8 + movdqu [256 + ctx], xmm8 lea input, [8*16 + input] lea output, [8*16 + output] @@ -691,7 +685,7 @@ loop8: jmp loop8 dec1: - movdqu xmm3, [-32 + ctx] + movdqu xmm3, [256 + ctx] loop1: cmp inputLen, 1*16 @@ -721,7 +715,7 @@ loop1: jmp loop1 bail: - movdqu [-32 + ctx], xmm3 + movdqu [256 + ctx], xmm3 xor rax, rax movdqu xmm6, [rsp + 0*16] @@ -773,7 +767,6 @@ LOCAL bail mov ctrCtx, ctx mov ctx, [8+ctrCtx] - lea ctx, [48+ctx] sub rsp, 3*16 movdqu [rsp + 0*16], xmm6 diff --git a/security/nss/lib/freebl/intel-aes-x86-masm.asm b/security/nss/lib/freebl/intel-aes-x86-masm.asm index 7d805e7660..790c951e7c 100644 --- a/security/nss/lib/freebl/intel-aes-x86-masm.asm +++ b/security/nss/lib/freebl/intel-aes-x86-masm.asm @@ -87,8 +87,6 @@ LOCAL bail mov input, [esp + 2*4 + 4*4] mov inputLen, [esp + 2*4 + 5*4] - lea ctx, [44+ctx] - loop7: cmp inputLen, 7*16 jb loop1 @@ -557,9 +555,7 @@ LOCAL bail mov input, [esp + 2*4 + 4*4] mov inputLen, [esp + 2*4 + 5*4] - lea ctx, [44+ctx] - - movdqu xmm0, [-32+ctx] + movdqu xmm0, [252+ctx] movdqu xmm2, [0*16 + ctx] movdqu xmm3, [1*16 + ctx] 
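Review bot: The IV is now addressed as the bare literal `[256+ctx]` at every load/store site in this file (and `[252+ctx]` in the x86 twin), replacing the old `lea ctx, [48+ctx]` base shift; these numbers encode the C AESContext layout and will silently read the wrong IV or key block if a field is added or reordered. Give the offset a name in the assembler, e.g. `IV_OFFSET equ 256` beside the existing textequ definitions, and use it in each `movdqu ... [256+ctx]` site. The enclosing routines start before each hunk, so I have not checked whether other ctx-relative loads in them still assume the old +48 base.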
@@ -597,7 +593,7 @@ loop1: jmp loop1 bail: - movdqu [-32+ctx], xmm0 + movdqu [252+ctx], xmm0 xor eax, eax pop inputLen @@ -619,8 +615,6 @@ LOCAL bail mov input, [esp + 2*4 + 4*4] mov inputLen, [esp + 2*4 + 5*4] - lea ctx, [44+ctx] - loop7: cmp inputLen, 7*16 jb dec1 @@ -649,7 +643,7 @@ loop7: ENDM aes_dec_last_rnd rnds - movdqu xmm7, [-32 + ctx] + movdqu xmm7, [252 + ctx] pxor xmm0, xmm7 movdqu xmm7, [0*16 + input] pxor xmm1, xmm7 @@ -672,7 +666,7 @@ loop7: movdqu [4*16 + output], xmm4 movdqu [5*16 + output], xmm5 movdqu [6*16 + output], xmm6 - movdqu [-32 + ctx], xmm7 + movdqu [252 + ctx], xmm7 lea input, [7*16 + input] lea output, [7*16 + output] @@ -680,7 +674,7 @@ loop7: jmp loop7 dec1: - movdqu xmm3, [-32 + ctx] + movdqu xmm3, [252 + ctx] loop1: cmp inputLen, 1*16 @@ -710,7 +704,7 @@ loop1: jmp loop1 bail: - movdqu [-32 + ctx], xmm3 + movdqu [252 + ctx], xmm3 xor eax, eax pop inputLen ret @@ -769,7 +763,6 @@ LOCAL bail mov inputLen, [esp + 4*5 + 5*4] mov ctx, [4+ctrCtx] - lea ctx, [44+ctx] mov ebp, esp sub esp, 7*16 diff --git a/security/nss/lib/freebl/intel-aes.s b/security/nss/lib/freebl/intel-aes.s index 2dfcfa15b4..b242d233fe 100644 --- a/security/nss/lib/freebl/intel-aes.s +++ b/security/nss/lib/freebl/intel-aes.s @@ -4,8 +4,7 @@ .text -#define IV_OFFSET 16 -#define EXPANDED_KEY_OFFSET 48 +#define IV_OFFSET 256 /* * Warning: the length values used in this module are "unsigned int" @@ -144,9 +143,6 @@ key_expansion128: .globl intel_aes_encrypt_ecb_128 .align 16 intel_aes_encrypt_ecb_128: -// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi - leaq 48(%rdi), %rdi - movdqu (%rdi), %xmm2 movdqu 160(%rdi), %xmm12 xor %eax, %eax @@ -328,9 +324,6 @@ intel_aes_encrypt_ecb_128: .globl intel_aes_decrypt_ecb_128 .align 16 intel_aes_decrypt_ecb_128: -// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi - leaq 48(%rdi), %rdi - movdqu (%rdi), %xmm2 movdqu 160(%rdi), %xmm12 xorl %eax, %eax 
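Review bot: The `#define IV_OFFSET 256` introduced at the top of intel-aes.s is never used: every CBC entry point in the later hunks still writes `leaq 256(%rdi), %rdx` with the `// leaq IV_OFFSET(%rdi), %rdx` form kept only as a comment above it. Either use the macro at those sites (`leaq IV_OFFSET(%rdi), %rdx`) or drop the define and the dead comments; otherwise the constant and the literal can drift apart unnoticed. Removing EXPANDED_KEY_OFFSET and the `leaq 48(%rdi), %rdi` lines matches a layout where the key schedule starts at offset 0, so that part reads consistently.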
@@ -516,9 +509,7 @@ intel_aes_encrypt_cbc_128: je 2f // leaq IV_OFFSET(%rdi), %rdx -// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi - leaq 16(%rdi), %rdx - leaq 48(%rdi), %rdi + leaq 256(%rdi), %rdx movdqu (%rdx), %xmm0 movdqu (%rdi), %xmm2 @@ -575,9 +566,7 @@ intel_aes_encrypt_cbc_128: .align 16 intel_aes_decrypt_cbc_128: // leaq IV_OFFSET(%rdi), %rdx -// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi - leaq 16(%rdi), %rdx - leaq 48(%rdi), %rdi + leaq 256(%rdi), %rdx movdqu (%rdx), %xmm0 /* iv */ movdqu (%rdi), %xmm2 /* first key block */ @@ -902,9 +891,6 @@ key_expansion192: .globl intel_aes_encrypt_ecb_192 .align 16 intel_aes_encrypt_ecb_192: -// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi - leaq 48(%rdi), %rdi - movdqu (%rdi), %xmm2 movdqu 192(%rdi), %xmm14 xorl %eax, %eax @@ -1109,9 +1095,6 @@ intel_aes_encrypt_ecb_192: .globl intel_aes_decrypt_ecb_192 .align 16 intel_aes_decrypt_ecb_192: -// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi - leaq 48(%rdi), %rdi - movdqu (%rdi), %xmm2 movdqu 192(%rdi), %xmm14 xorl %eax, %eax @@ -1320,9 +1303,7 @@ intel_aes_encrypt_cbc_192: je 2f // leaq IV_OFFSET(%rdi), %rdx -// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi - leaq 16(%rdi), %rdx - leaq 48(%rdi), %rdi + leaq 256(%rdi), %rdx movdqu (%rdx), %xmm0 movdqu (%rdi), %xmm2 @@ -1382,8 +1363,8 @@ intel_aes_encrypt_cbc_192: .globl intel_aes_decrypt_cbc_192 .align 16 intel_aes_decrypt_cbc_192: - leaq 16(%rdi), %rdx - leaq 48(%rdi), %rdi +// leaq IV_OFFSET(%rdi), %rdx + leaq 256(%rdi), %rdx movdqu (%rdx), %xmm0 movdqu (%rdi), %xmm2 @@ -1738,9 +1719,6 @@ key_expansion256: .globl intel_aes_encrypt_ecb_256 .align 16 intel_aes_encrypt_ecb_256: -// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi - leaq 48(%rdi), %rdi - movdqu (%rdi), %xmm2 movdqu 224(%rdi), %xmm15 xorl %eax, %eax @@ -1970,9 +1948,6 @@ intel_aes_encrypt_ecb_256: .globl intel_aes_decrypt_ecb_256 .align 16 intel_aes_decrypt_ecb_256: -// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi - leaq 48(%rdi), %rdi - movdqu (%rdi), %xmm2 movdqu 224(%rdi), %xmm15 xorl %eax, %eax 
@@ -2206,9 +2181,7 @@ intel_aes_encrypt_cbc_256: je 2f // leaq IV_OFFSET(%rdi), %rdx -// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi - leaq 16(%rdi), %rdx - leaq 48(%rdi), %rdi + leaq 256(%rdi), %rdx movdqu (%rdx), %xmm0 movdqu (%rdi), %xmm8 @@ -2274,9 +2247,7 @@ intel_aes_encrypt_cbc_256: .align 16 intel_aes_decrypt_cbc_256: // leaq IV_OFFSET(%rdi), %rdx -// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi - leaq 16(%rdi), %rdx - leaq 48(%rdi), %rdi + leaq 256(%rdi), %rdx movdqu (%rdx), %xmm0 movdqu (%rdi), %xmm2 diff --git a/security/nss/lib/freebl/intel-gcm-wrap.c b/security/nss/lib/freebl/intel-gcm-wrap.c index 8c5eaf0214..37a1af7652 100644 --- a/security/nss/lib/freebl/intel-gcm-wrap.c +++ b/security/nss/lib/freebl/intel-gcm-wrap.c @@ -41,8 +41,7 @@ struct intel_AES_GCMContextStr { intel_AES_GCMContext * intel_AES_GCM_CreateContext(void *context, freeblCipherFunc cipher, - const unsigned char *params, - unsigned int blocksize) + const unsigned char *params) { intel_AES_GCMContext *gcm = NULL; AESContext *aes = (AESContext *)context; @@ -59,12 +58,11 @@ intel_AES_GCM_CreateContext(void *context, unsigned int j; SECStatus rv; - if (blocksize != AES_BLOCK_SIZE) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + if (gcmParams->ulIvLen == 0) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } gcm = PORT_ZNew(intel_AES_GCMContext); - if (gcm == NULL) { return NULL; } diff --git a/security/nss/lib/freebl/intel-gcm-x64-masm.asm b/security/nss/lib/freebl/intel-gcm-x64-masm.asm index 8b68b76e58..07ddefbc1e 100644 --- a/security/nss/lib/freebl/intel-gcm-x64-masm.asm +++ b/security/nss/lib/freebl/intel-gcm-x64-masm.asm @@ -496,8 +496,8 @@ LbeginENC: vmovdqu CTR0, XMMWORD PTR[16*16 + 2*16 + Gctx] vmovdqu BSWAPMASK, XMMWORD PTR[Lbswap_mask] mov KS, [16*16 + 3*16 + Gctx] - mov NR, [4 + KS] - lea KS, [48 + KS] + mov NR, [244 + KS] + lea KS, [KS] vpshufb CTR0, CTR0, BSWAPMASK 
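Review bot: The new `gcmParams->ulIvLen == 0` rejection in intel_AES_GCM_CreateContext is the right call (a zero-length IV gives every message under the key the same initial counter block, i.e. nonce reuse), but it dereferences `gcmParams` without a null check and accepts a non-zero length paired with a null `pIv`; unless both are validated in the part of the function outside this hunk, extend it to `if (gcmParams->ulIvLen == 0 || gcmParams->pIv == NULL)`. The error is SEC_ERROR_INVALID_ARGS here while the blocksize guard added to gcm.c in the same commit uses SEC_ERROR_LIBRARY_FAILURE; picking one for bad-argument cases would help callers. The function body continues past the hunk.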
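Review bot: `lea KS, [KS]` left in the LbeginENC prologue after `mov NR, [244 + KS]` is a no-op (it reloads KS with its own value), a leftover of the removed `lea KS, [48 + KS]` base adjustment; the matching LbeginDEC hunk simply drops the line, so delete it here too. The `244` is the AESContext Nr slot according to the `# AESContext->Nr` comment this commit adds to intel-gcm.s; carrying the same comment here would spare the next reader the cross-reference. The enclosing routine starts before the hunk.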
@@ -994,8 +994,7 @@ LbeginDEC: vmovdqu CTR0, XMMWORD PTR[16*16 + 2*16 + Gctx] vmovdqu BSWAPMASK, XMMWORD PTR[Lbswap_mask] mov KS, [16*16 + 3*16 + Gctx] - mov NR, [4 + KS] - lea KS, [48 + KS] + mov NR, [244 + KS] vpshufb CTR0, CTR0, BSWAPMASK diff --git a/security/nss/lib/freebl/intel-gcm-x86-masm.asm b/security/nss/lib/freebl/intel-gcm-x86-masm.asm index 6362ad8595..32f4257884 100644 --- a/security/nss/lib/freebl/intel-gcm-x86-masm.asm +++ b/security/nss/lib/freebl/intel-gcm-x86-masm.asm @@ -390,7 +390,7 @@ Htbl textequ <edx> Gctx textequ <edx> len textequ <DWORD PTR[ebp + 5*4 + 3*4]> KS textequ <esi> -NR textequ <DWORD PTR[-40 + KS]> +NR textequ <DWORD PTR[244+KS]> aluCTR textequ <ebx> aluTMP textequ <edi> @@ -463,7 +463,6 @@ LbeginENC: mov Gctx, [ebp + 5*4 + 2*4] mov KS, [16*16 + 3*16 + Gctx] - lea KS, [44 + KS] mov aluCTR, [16*16 + 2*16 + 3*4 + Gctx] bswap aluCTR @@ -931,7 +930,6 @@ LbeginDEC: mov Gctx, [ebp + 5*4 + 2*4] mov KS, [16*16 + 3*16 + Gctx] - lea KS, [44 + KS] mov aluCTR, [16*16 + 2*16 + 3*4 + Gctx] bswap aluCTR diff --git a/security/nss/lib/freebl/intel-gcm.h b/security/nss/lib/freebl/intel-gcm.h index 566e544d87..05f52f297d 100644 --- a/security/nss/lib/freebl/intel-gcm.h +++ b/security/nss/lib/freebl/intel-gcm.h @@ -27,7 +27,7 @@ typedef struct intel_AES_GCMContextStr intel_AES_GCMContext; intel_AES_GCMContext *intel_AES_GCM_CreateContext(void *context, freeblCipherFunc cipher, - const unsigned char *params, unsigned int blocksize); + const unsigned char *params); void intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit); diff --git a/security/nss/lib/freebl/intel-gcm.s b/security/nss/lib/freebl/intel-gcm.s index 1a31060914..5b5cf5d4bb 100644 --- a/security/nss/lib/freebl/intel-gcm.s +++ b/security/nss/lib/freebl/intel-gcm.s 
@@ -467,8 +467,8 @@ intel_aes_gcmENC: vmovdqu 288(Gctx), CTR vmovdqu 272(Gctx), T mov 304(Gctx), KS - mov 4(KS), NR - lea 48(KS), KS +# AESContext->Nr + mov 244(KS), NR vpshufb .Lbswap_mask(%rip), CTR, CTR vpshufb .Lbswap_mask(%rip), T, T @@ -1001,8 +1001,8 @@ intel_aes_gcmDEC: vmovdqu 288(Gctx), CTR vmovdqu 272(Gctx), T mov 304(Gctx), KS - mov 4(KS), NR - lea 48(KS), KS +# AESContext->Nr + mov 244(KS), NR vpshufb .Lbswap_mask(%rip), CTR, CTR vpshufb .Lbswap_mask(%rip), T, T diff --git a/security/nss/lib/freebl/manifest.mn b/security/nss/lib/freebl/manifest.mn index 1ef9839076..bf81442182 100644 --- a/security/nss/lib/freebl/manifest.mn +++ b/security/nss/lib/freebl/manifest.mn @@ -94,6 +94,7 @@ PRIVATE_EXPORTS = \ ec.h \ ecl.h \ ecl-curve.h \ + eclt.h \ $(NULL) MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h @@ -102,7 +103,7 @@ MPI_SRCS = mpprime.c mpmontg.c mplogic.c mpi.c mp_gf2m.c ECL_HDRS = ecl-exp.h ecl.h ecp.h ecl-priv.h ifndef NSS_DISABLE_ECC -ECL_SRCS = ecl.c ecl_curve.c ecl_mult.c ecl_gf.c \ +ECL_SRCS = ecl.c ecl_mult.c ecl_gf.c \ ecp_aff.c ecp_jac.c ecp_mont.c \ ec_naf.c ecp_jm.c ecp_256.c ecp_384.c ecp_521.c \ ecp_256_32.c ecp_25519.c @@ -131,6 +132,7 @@ CSRCS = \ chacha20poly1305.c \ cts.c \ ctr.c \ + blinit.c \ fipsfreebl.c \ gcm.c \ hmacct.c \ diff --git a/security/nss/lib/freebl/mpi/Makefile b/security/nss/lib/freebl/mpi/Makefile deleted file mode 100644 index 0dee5bed19..0000000000 --- a/security/nss/lib/freebl/mpi/Makefile +++ /dev/null 
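Review bot: `mov 244(KS), NR` in intel_aes_gcmENC and intel_aes_gcmDEC now reads the AES round count from a hard-coded AESContext offset with only the `# AESContext->Nr` comment tying it to the C struct; a layout change would make the round loop execute the wrong number of AES rounds with no error path. Pin the contract in the C file that defines AESContext with something like `PR_STATIC_ASSERT(offsetof(AESContext, Nr) == 244);`, and the same for the 256/252 IV offsets used by intel-aes.s and the MASM files, so the build fails instead of the cipher. Both routines start before their hunks.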
@@ -1,244 +0,0 @@ -# -# Makefile for MPI library - -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -## Define CC to be the C compiler you wish to use. The GNU cc -## compiler (gcc) should work, at the very least -#CC=cc -#CC=gcc - -## -## Define PERL to point to your local Perl interpreter. It -## should be Perl 5.x, although it's conceivable that Perl 4 -## might work ... I haven't tested it. -## -#PERL=/usr/bin/perl -#PERL=perl - -include target.mk - -CFLAGS+= $(XCFLAGS) - -## -## Define LIBS to include any libraries you need to link against. -## If NO_TABLE is define, LIBS should include '-lm' or whatever is -## necessary to bring in the math library. Otherwise, it can be -## left alone, unless your system has other peculiar requirements. -## -LIBS=#-lmalloc#-lefence#-lm - -## -## Define RANLIB to be the library header randomizer; you might not -## need this on some systems (just set it to 'echo' on these systems, -## such as IRIX) -## -RANLIB=echo - -## -## This is the version string used for the documentation and -## building the distribution tarball. Don't mess with it unless -## you are releasing a new version -VERS=1.7p6 - -## ---------------------------------------------------------------------- -## You probably don't need to change anything below this line... 
-## - -## -## This is the list of source files that need to be packed into -## the distribution file -SRCS= mpi.c mpprime.c mplogic.c mp_gf2m.c mpmontg.c mpi-test.c primes.c \ - mpcpucache.c tests/ \ - utils/gcd.c utils/invmod.c utils/lap.c \ - utils/ptab.pl utils/sieve.c utils/isprime.c\ - utils/dec2hex.c utils/hex2dec.c utils/bbs_rand.c \ - utils/bbsrand.c utils/prng.c utils/primegen.c \ - utils/basecvt.c utils/makeprime.c\ - utils/fact.c utils/exptmod.c utils/pi.c utils/metime.c \ - utils/mpi.h utils/mpprime.h mulsqr.c \ - make-test-arrays test-arrays.txt all-tests make-logtab \ - types.pl stats timetest multest - -## These are the header files that go into the distribution file -HDRS=mpi.h mpi-config.h utils/mpi.h utils/mpi-config.h mpprime.h mplogic.h mp_gf2m.h \ - mp_gf2m-priv.h utils/bbs_rand.h tests/mpi.h tests/mpprime.h - -## These are the documentation files that go into the distribution file -DOCS=README doc utils/README utils/PRIMES - -## This is the list of tools built by 'make tools' -TOOLS=gcd invmod isprime lap dec2hex hex2dec primegen prng \ - basecvt fact exptmod pi makeprime identest - -LIBOBJS = mpprime.o mpmontg.o mplogic.o mp_gf2m.o mpi.o mpcpucache.o $(AS_OBJS) -LIBHDRS = mpi-config.h mpi-priv.h mpi.h -APPHDRS = mpi-config.h mpi.h mplogic.h mp_gf2m.h mpprime.h - -help: - @ echo "" - @ echo "The following targets can be built with this Makefile:" - @ echo "" - @ echo "libmpi.a - arithmetic and prime testing library" - @ echo "mpi-test - test driver (requires MP_IOFUNC)" - @ echo "tools - command line tools" - @ echo "doc - manual pages for tools" - @ echo "clean - clean up objects and such" - @ echo "distclean - get ready for distribution" - @ echo "dist - distribution tarball" - @ echo "" - -.SUFFIXES: .c .o .i - -.c.i: - $(CC) $(CFLAGS) -E $< > $@ - -#.c.o: $*.h $*.c -# $(CC) $(CFLAGS) -c $< - -#--------------------------------------- - -$(LIBOBJS): $(LIBHDRS) - -logtab.h: make-logtab - $(PERL) make-logtab > logtab.h - -mpi.o: mpi.c logtab.h 
$(LIBHDRS) - -mplogic.o: mplogic.c mpi-priv.h mplogic.h $(LIBHDRS) - -mp_gf2m.o: mp_gf2m.c mpi-priv.h mp_gf2m.h mp_gf2m-priv.h $(LIBHDRS) - -mpmontg.o: mpmontg.c mpi-priv.h mplogic.h mpprime.h $(LIBHDRS) - -mpprime.o: mpprime.c mpi-priv.h mpprime.h mplogic.h primes.c $(LIBHDRS) - -mpcpucache.o: mpcpucache.c $(LIBHDRS) - -mpi_mips.o: mpi_mips.s - $(CC) -o $@ $(ASFLAGS) -c mpi_mips.s - -mpi_sparc.o : montmulf.h - -mpv_sparcv9.s: vis_64.il mpv_sparc.c - $(CC) -o $@ $(SOLARIS_FPU_FLAGS) -S vis_64.il mpv_sparc.c - -mpv_sparcv8.s: vis_64.il mpv_sparc.c - $(CC) -o $@ $(SOLARIS_FPU_FLAGS) -S vis_32.il mpv_sparc.c - -montmulfv8.o montmulfv9.o mpv_sparcv8.o mpv_sparcv9.o : %.o : %.s - $(CC) -o $@ $(SOLARIS_ASM_FLAGS) -c $< - -mpi_arm.o: mpi_arm.c $(LIBHDRS) - -# This rule is used to build the .s sources, which are then hand optimized. -#montmulfv8.s montmulfv9.s : montmulf%.s : montmulf%.il montmulf.c montmulf.h -# $(CC) -o $@ $(SOLARIS_ASM_FLAGS) -S montmulf$*.il montmulf.c - - -libmpi.a: $(LIBOBJS) - ar -cvr libmpi.a $(LIBOBJS) - $(RANLIB) libmpi.a - -lib libs: libmpi.a - -mpi.i: mpi.h - -#--------------------------------------- - -MPTESTOBJS = mptest1.o mptest2.o mptest3.o mptest3a.o mptest4.o mptest4a.o \ - mptest4b.o mptest6.o mptest7.o mptest8.o mptest9.o mptestb.o -MPTESTS = $(MPTESTOBJS:.o=) - -$(MPTESTOBJS): mptest%.o: tests/mptest-%.c $(LIBHDRS) - $(CC) $(CFLAGS) -o $@ -c $< - -$(MPTESTS): mptest%: mptest%.o libmpi.a - $(CC) $(CFLAGS) -o $@ $^ $(LIBS) - -tests: mptest1 mptest2 mptest3 mptest3a mptest4 mptest4a mptest4b mptest6 \ - mptestb bbsrand - -utests: mptest7 mptest8 mptest9 - -#--------------------------------------- - -EXTRAOBJS = bbsrand.o bbs_rand.o prng.o -UTILOBJS = primegen.o metime.o identest.o basecvt.o fact.o exptmod.o pi.o \ - makeprime.o gcd.o invmod.o lap.o isprime.o \ - dec2hex.o hex2dec.o -UTILS = $(UTILOBJS:.o=) - -$(UTILS): % : %.o libmpi.a - $(CC) $(CFLAGS) -o $@ $^ $(LIBS) - -$(UTILOBJS) $(EXTRAOBJS): %.o : utils/%.c $(LIBHDRS) - $(CC) 
$(CFLAGS) -o $@ -c $< - -prng: prng.o bbs_rand.o libmpi.a - $(CC) $(CFLAGS) -o $@ $^ $(LIBS) - -bbsrand: bbsrand.o bbs_rand.o libmpi.a - $(CC) $(CFLAGS) -o $@ $^ $(LIBS) - -utils: $(UTILS) prng bbsrand - -#--------------------------------------- - -test-info.c: test-arrays.txt - $(PERL) make-test-arrays test-arrays.txt > test-info.c - -mpi-test.o: mpi-test.c test-info.c $(LIBHDRS) - $(CC) $(CFLAGS) -o $@ -c $< - -mpi-test: mpi-test.o libmpi.a - $(CC) $(CFLAGS) -o $@ $^ $(LIBS) - -mdxptest.o: mdxptest.c $(LIBHDRS) mpi-priv.h - -mdxptest: mdxptest.o libmpi.a - $(CC) $(CFLAGS) -o $@ $^ $(LIBS) - -mulsqr.o: mulsqr.c logtab.h mpi.h mpi-config.h mpprime.h - $(CC) $(CFLAGS) -DMP_SQUARE=1 -o $@ -c mulsqr.c - -mulsqr: mulsqr.o libmpi.a - $(CC) $(CFLAGS) -o $@ $^ $(LIBS) - -#--------------------------------------- - -alltests: tests utests mpi-test - -tools: $(TOOLS) - -doc: - (cd doc; ./build) - -clean: - rm -f *.o *.a *.i - rm -f core - rm -f *~ .*~ - rm -f utils/*.o - rm -f utils/core - rm -f utils/*~ utils/.*~ - -clobber: clean - rm -f $(TOOLS) $(UTILS) - -distclean: clean - rm -f mptest? mpi-test metime mulsqr karatsuba - rm -f mptest?a mptest?b - rm -f utils/mptest? - rm -f test-info.c logtab.h - rm -f libmpi.a - rm -f $(TOOLS) - -dist: Makefile $(HDRS) $(SRCS) $(DOCS) - tar -cvf mpi-$(VERS).tar Makefile $(HDRS) $(SRCS) $(DOCS) - pgps -ab mpi-$(VERS).tar - chmod +r mpi-$(VERS).tar.asc - gzip -9 mpi-$(VERS).tar - -# END diff --git a/security/nss/lib/freebl/mpi/Makefile.os2 b/security/nss/lib/freebl/mpi/Makefile.os2 deleted file mode 100644 index fa705ee08d..0000000000 --- a/security/nss/lib/freebl/mpi/Makefile.os2 +++ /dev/null 
@@ -1,243 +0,0 @@ -# -# Makefile.win - gmake Makefile for building MPI with VACPP on OS/2 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -## Define CC to be the C compiler you wish to use. The GNU cc -## compiler (gcc) should work, at the very least -#CC=cc -#CC=gcc -CC=icc.exe -AS=alp.exe - -## -## Define PERL to point to your local Perl interpreter. It -## should be Perl 5.x, although it's conceivable that Perl 4 -## might work ... I haven't tested it. -## -#PERL=/usr/bin/perl -#PERL=perl - -## -## Define CFLAGS to contain any local options your compiler -## setup requires. -## -## Conditional compilation options are no longer here; see -## the file 'mpi-config.h' instead. -## -MPICMN = -I. -DMP_API_COMPATIBLE -DMP_IOFUNC -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD - -#OS/2 -AS_SRCS = mpi_x86.asm -MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D -#CFLAGS= -Od -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC \ - -DDEBUG -D_DEBUG -UNDEBUG -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN) -#CFLAGS = -O2 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \ - -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN) -#CFLAGS = -Od -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \ - -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN) -CFLAGS = /Ti+ -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \ - $(MPICMN) -ASFLAGS = - -## -## Define LIBS to include any libraries you need to link against. -## If NO_TABLE is define, LIBS should include '-lm' or whatever is -## necessary to bring in the math library. Otherwise, it can be -## left alone, unless your system has other peculiar requirements. 
-## -LIBS=#-lmalloc#-lefence#-lm - -## -## Define RANLIB to be the library header randomizer; you might not -## need this on some systems (just set it to 'echo' on these systems, -## such as IRIX) -## -RANLIB=echo - -## -## This is the version string used for the documentation and -## building the distribution tarball. Don't mess with it unless -## you are releasing a new version -VERS=1.7p6 - -## ---------------------------------------------------------------------- -## You probably don't need to change anything below this line... -## - -## -## This is the list of source files that need to be packed into -## the distribution file -SRCS= mpi.c mpprime.c mplogic.c mpmontg.c mpi-test.c primes.c tests/ \ - utils/gcd.c utils/invmod.c utils/lap.c \ - utils/ptab.pl utils/sieve.c utils/isprime.c\ - utils/dec2hex.c utils/hex2dec.c utils/bbs_rand.c \ - utils/bbsrand.c utils/prng.c utils/primegen.c \ - utils/basecvt.c utils/makeprime.c\ - utils/fact.c utils/exptmod.c utils/pi.c utils/metime.c \ - utils/mpi.h utils/mpprime.h mulsqr.c \ - make-test-arrays test-arrays.txt all-tests make-logtab \ - types.pl stats timetest multest - -## These are the header files that go into the distribution file -HDRS=mpi.h mpi-config.h utils/mpi.h utils/mpi-config.h mpprime.h mplogic.h \ - utils/bbs_rand.h tests/mpi.h tests/mpprime.h - -## These are the documentation files that go into the distribution file -DOCS=README doc utils/README utils/PRIMES - -## This is the list of tools built by 'make tools' -TOOLS=gcd.exe invmod.exe isprime.exe lap.exe dec2hex.exe hex2dec.exe \ - primegen.exe prng.exe basecvt.exe fact.exe exptmod.exe pi.exe makeprime.exe - -AS_OBJS = $(AS_SRCS:.asm=.obj) -LIBOBJS = mpprime.obj mpmontg.obj mplogic.obj mpi.obj $(AS_OBJS) -LIBHDRS = mpi-config.h mpi-priv.h mpi.h -APPHDRS = mpi-config.h mpi.h mplogic.h mpprime.h - - -help: - @ echo "" - @ echo "The following targets can be built with this Makefile:" - @ echo "" - @ echo "mpi.lib - arithmetic and prime testing library" 
- @ echo "mpi-test.exe - test driver (requires MP_IOFUNC)" - @ echo "tools - command line tools" - @ echo "doc - manual pages for tools" - @ echo "clean - clean up objects and such" - @ echo "distclean - get ready for distribution" - @ echo "dist - distribution tarball" - @ echo "" - -.SUFFIXES: .c .obj .i .lib .exe .asm - -.c.i: - $(CC) $(CFLAGS) -E $< > $@ - -.c.obj: - $(CC) $(CFLAGS) -c $< - -.asm.obj: - $(AS) $(ASFLAGS) $< - -.obj.exe: - $(CC) $(CFLAGS) -Fo$@ $< - -#--------------------------------------- - -$(LIBOBJS): $(LIBHDRS) - -logtab.h: make-logtab - $(PERL) make-logtab > logtab.h - -mpi.obj: mpi.c logtab.h $(LIBHDRS) - -mplogic.obj: mplogic.c mpi-priv.h mplogic.h $(LIBHDRS) - -mpmontg.obj: mpmontg.c mpi-priv.h mplogic.h mpprime.h $(LIBHDRS) - -mpprime.obj: mpprime.c mpi-priv.h mpprime.h mplogic.h primes.c $(LIBHDRS) - -mpi_mips.obj: mpi_mips.s - $(CC) -Fo$@ $(ASFLAGS) -c mpi_mips.s - -mpi.lib: $(LIBOBJS) - ilib /out:mpi.lib $(LIBOBJS) - $(RANLIB) mpi.lib - -lib libs: mpi.lib - -#--------------------------------------- - -MPTESTOBJS = mptest1.obj mptest2.obj mptest3.obj mptest3a.obj mptest4.obj \ - mptest4a.obj mptest4b.obj mptest6.obj mptest7.obj mptest8.obj mptest9.obj -MPTESTS = $(MPTESTOBJS:.obj=.exe) - -$(MPTESTOBJS): mptest%.obj: tests/mptest-%.c $(LIBHDRS) - $(CC) $(CFLAGS) -Fo$@ -c $< - -$(MPTESTS): mptest%.exe: mptest%.obj mpi.lib $(LIBS) - $(CC) $(CFLAGS) -Fo$@ $^ - -tests: mptest1.exe mptest2.exe mptest3.exe mptest3a.exe mptest4.exe \ - mptest4a.exe mptest4b.exe mptest6.exe bbsrand.exe - -utests: mptest7.exe mptest8.exe mptest9.exe - -#--------------------------------------- - -EXTRAOBJS = bbsrand.obj bbs_rand.obj prng.obj -UTILOBJS = primegen.obj metime.obj identest.obj basecvt.obj fact.obj \ - exptmod.obj pi.obj makeprime.obj karatsuba.obj gcd.obj invmod.obj lap.obj \ - isprime.obj dec2hex.obj hex2dec.obj -UTILS = $(UTILOBJS:.obj=.exe) - -$(UTILS): %.exe : %.obj mpi.lib $(LIBS) - $(CC) $(CFLAGS) -Fo$@ $^ - -$(UTILOBJS) $(EXTRAOBJS): %.obj : 
utils/%.c $(LIBHDRS) - $(CC) $(CFLAGS) -Fo$@ -c $< - -prng.exe: prng.obj bbs_rand.obj mpi.lib $(LIBS) - $(CC) $(CFLAGS) -Fo$@ $^ - -bbsrand.exe: bbsrand.obj bbs_rand.obj mpi.lib $(LIBS) - $(CC) $(CFLAGS) -Fo$@ $^ - -utils: $(UTILS) prng.exe bbsrand.exe - -#--------------------------------------- - -test-info.c: test-arrays.txt - $(PERL) make-test-arrays test-arrays.txt > test-info.c - -mpi-test.obj: mpi-test.c test-info.c $(LIBHDRS) - $(CC) $(CFLAGS) -Fo$@ -c $< - -mpi-test.exe: mpi-test.obj mpi.lib $(LIBS) - $(CC) $(CFLAGS) -Fo$@ $^ - -mdxptest.obj: mdxptest.c $(LIBHDRS) mpi-priv.h - -mdxptest.exe: mdxptest.obj mpi.lib $(LIBS) - $(CC) $(CFLAGS) -Fo$@ $^ - -mulsqr.obj: mulsqr.c logtab.h mpi.h mpi-config.h mpprime.h - $(CC) $(CFLAGS) -DMP_SQUARE=1 -Fo$@ -c mulsqr.c - -mulsqr.exe: mulsqr.obj mpi.lib $(LIBS) - $(CC) $(CFLAGS) -Fo$@ $^ - -#--------------------------------------- - -alltests: tests utests mpi-test.exe - -tools: $(TOOLS) - -doc: - (cd doc; ./build) - -clean: - rm -f *.obj *.lib *.pdb *.ilk - cd utils; rm -f *.obj *.lib *.pdb *.ilk - -distclean: clean - rm -f mptest? mpi-test metime mulsqr karatsuba - rm -f mptest?a mptest?b - rm -f utils/mptest? - rm -f test-info.c logtab.h - rm -f mpi.lib - rm -f $(TOOLS) - -dist: Makefile $(HDRS) $(SRCS) $(DOCS) - tar -cvf mpi-$(VERS).tar Makefile $(HDRS) $(SRCS) $(DOCS) - pgps -ab mpi-$(VERS).tar - chmod +r mpi-$(VERS).tar.asc - gzip -9 mpi-$(VERS).tar - - -print: - @echo LIBOBJS = $(LIBOBJS) -# END diff --git a/security/nss/lib/freebl/mpi/Makefile.win b/security/nss/lib/freebl/mpi/Makefile.win deleted file mode 100644 index cd41dfab81..0000000000 --- a/security/nss/lib/freebl/mpi/Makefile.win +++ /dev/null 
@@ -1,254 +0,0 @@ -# -# Makefile.win - gmake Makefile for building MPI with MSVC on NT - -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -## Define CC to be the C compiler you wish to use. The GNU cc -## compiler (gcc) should work, at the very least -#CC=cc -#CC=gcc -CC=cl.exe -ifeq ($(CPU_ARCH),x86_64) -AS=ml64.exe -else -AS=ml.exe -endif - -## -## Define PERL to point to your local Perl interpreter. It -## should be Perl 5.x, although it's conceivable that Perl 4 -## might work ... I haven't tested it. -## -#PERL=/usr/bin/perl -#PERL=perl - -## -## Define CFLAGS to contain any local options your compiler -## setup requires. -## -## Conditional compilation options are no longer here; see -## the file 'mpi-config.h' instead. -## -MPICMN = -I. -DMP_API_COMPATIBLE -DMP_IOFUNC - -ifeq ($(CPU_ARCH),x86_64) -AS_SRCS = mpi_x86_64.asm -CFLAGS = -O2 -Z7 -MD -W3 -nologo -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \ - -DWIN32 -D_WIN64 -D_AMD64_ -D_M_AMD64 -D_WINDOWS -DWIN95 $(MPICMN) -ASFLAGS = -Cp -Sn -Zi -I. -else -#NT -AS_SRCS = mpi_x86.asm -MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D -#CFLAGS= -Od -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC \ - -DDEBUG -D_DEBUG -UNDEBUG -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN) -#CFLAGS = -O2 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \ - -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN) -#CFLAGS = -Od -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \ - -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN) -CFLAGS = -O2 -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \ - -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN) -ASFLAGS = -Cp -Sn -Zi -coff -I. -endif - -## -## Define LIBS to include any libraries you need to link against. -## If NO_TABLE is define, LIBS should include '-lm' or whatever is -## necessary to bring in the math library. 
Otherwise, it can be -## left alone, unless your system has other peculiar requirements. -## -LIBS=#-lmalloc#-lefence#-lm - -## -## Define RANLIB to be the library header randomizer; you might not -## need this on some systems (just set it to 'echo' on these systems, -## such as IRIX) -## -RANLIB=echo - -## -## This is the version string used for the documentation and -## building the distribution tarball. Don't mess with it unless -## you are releasing a new version -VERS=1.7p6 - -## ---------------------------------------------------------------------- -## You probably don't need to change anything below this line... -## - -## -## This is the list of source files that need to be packed into -## the distribution file -SRCS= mpi.c mpprime.c mplogic.c mpmontg.c mpi-test.c primes.c tests/ \ - utils/gcd.c utils/invmod.c utils/lap.c \ - utils/ptab.pl utils/sieve.c utils/isprime.c\ - utils/dec2hex.c utils/hex2dec.c utils/bbs_rand.c \ - utils/bbsrand.c utils/prng.c utils/primegen.c \ - utils/basecvt.c utils/makeprime.c\ - utils/fact.c utils/exptmod.c utils/pi.c utils/metime.c \ - utils/mpi.h utils/mpprime.h mulsqr.c \ - make-test-arrays test-arrays.txt all-tests make-logtab \ - types.pl stats timetest multest - -## These are the header files that go into the distribution file -HDRS=mpi.h mpi-config.h utils/mpi.h utils/mpi-config.h mpprime.h mplogic.h \ - utils/bbs_rand.h tests/mpi.h tests/mpprime.h - -## These are the documentation files that go into the distribution file -DOCS=README doc utils/README utils/PRIMES - -## This is the list of tools built by 'make tools' -TOOLS=gcd.exe invmod.exe isprime.exe lap.exe dec2hex.exe hex2dec.exe \ - primegen.exe prng.exe basecvt.exe fact.exe exptmod.exe pi.exe makeprime.exe - -AS_OBJS = $(AS_SRCS:.asm=.obj) -LIBOBJS = mpprime.obj mpmontg.obj mplogic.obj mpi.obj $(AS_OBJS) -LIBHDRS = mpi-config.h mpi-priv.h mpi.h -APPHDRS = mpi-config.h mpi.h mplogic.h mpprime.h - - -help: - @ echo "" - @ echo "The following targets can be built 
with this Makefile:" - @ echo "" - @ echo "mpi.lib - arithmetic and prime testing library" - @ echo "mpi-test - test driver (requires MP_IOFUNC)" - @ echo "tools - command line tools" - @ echo "doc - manual pages for tools" - @ echo "clean - clean up objects and such" - @ echo "distclean - get ready for distribution" - @ echo "dist - distribution tarball" - @ echo "" - -.SUFFIXES: .c .obj .i .lib .exe .asm - -.c.i: - $(CC) $(CFLAGS) -E $< > $@ - -.c.obj: - $(CC) $(CFLAGS) -c $< - -.asm.obj: - $(AS) $(ASFLAGS) -c $< - -.obj.exe: - $(CC) $(CFLAGS) -Fo$@ $< - -#--------------------------------------- - -$(LIBOBJS): $(LIBHDRS) - -logtab.h: make-logtab - $(PERL) make-logtab > logtab.h - -mpi.obj: mpi.c logtab.h $(LIBHDRS) - -mplogic.obj: mplogic.c mpi-priv.h mplogic.h $(LIBHDRS) - -mpmontg.obj: mpmontg.c mpi-priv.h mplogic.h mpprime.h $(LIBHDRS) - -mpprime.obj: mpprime.c mpi-priv.h mpprime.h mplogic.h primes.c $(LIBHDRS) - -mpi_mips.obj: mpi_mips.s - $(CC) -Fo$@ $(ASFLAGS) -c mpi_mips.s - -mpi.lib: $(LIBOBJS) - ar -cvr mpi.lib $(LIBOBJS) - $(RANLIB) mpi.lib - -lib libs: mpi.lib - -#--------------------------------------- - -MPTESTOBJS = mptest1.obj mptest2.obj mptest3.obj mptest3a.obj mptest4.obj \ - mptest4a.obj mptest4b.obj mptest6.obj mptest7.obj mptest8.obj mptest9.obj -MPTESTS = $(MPTESTOBJS:.obj=.exe) - -$(MPTESTOBJS): mptest%.obj: tests/mptest-%.c $(LIBHDRS) - $(CC) $(CFLAGS) -Fo$@ -c $< - -$(MPTESTS): mptest%.exe: mptest%.obj mpi.lib $(LIBS) - $(CC) $(CFLAGS) -Fo$@ $^ - -tests: mptest1.exe mptest2.exe mptest3.exe mptest3a.exe mptest4.exe \ - mptest4a.exe mptest4b.exe mptest6.exe bbsrand.exe - -utests: mptest7.exe mptest8.exe mptest9.exe - -#--------------------------------------- - -EXTRAOBJS = bbsrand.obj bbs_rand.obj prng.obj -UTILOBJS = primegen.obj metime.obj identest.obj basecvt.obj fact.obj \ - exptmod.obj pi.obj makeprime.obj karatsuba.obj gcd.obj invmod.obj lap.obj \ - isprime.obj dec2hex.obj hex2dec.obj -UTILS = $(UTILOBJS:.obj=.exe) - -$(UTILS): %.exe 
: %.obj mpi.lib $(LIBS) - $(CC) $(CFLAGS) -Fo$@ $^ - -$(UTILOBJS) $(EXTRAOBJS): %.obj : utils/%.c $(LIBHDRS) - $(CC) $(CFLAGS) -Fo$@ -c $< - -prng.exe: prng.obj bbs_rand.obj mpi.lib $(LIBS) - $(CC) $(CFLAGS) -Fo$@ $^ - -bbsrand.exe: bbsrand.obj bbs_rand.obj mpi.lib $(LIBS) - $(CC) $(CFLAGS) -Fo$@ $^ - -utils: $(UTILS) prng.exe bbsrand.exe - -#--------------------------------------- - -test-info.c: test-arrays.txt - $(PERL) make-test-arrays test-arrays.txt > test-info.c - -mpi-test.obj: mpi-test.c test-info.c $(LIBHDRS) - $(CC) $(CFLAGS) -Fo$@ -c $< - -mpi-test.exe: mpi-test.obj mpi.lib $(LIBS) - $(CC) $(CFLAGS) -Fo$@ $^ - -mdxptest.obj: mdxptest.c $(LIBHDRS) mpi-priv.h - -mdxptest.exe: mdxptest.obj mpi.lib $(LIBS) - $(CC) $(CFLAGS) -Fo$@ $^ - -mulsqr.obj: mulsqr.c logtab.h mpi.h mpi-config.h mpprime.h - $(CC) $(CFLAGS) -DMP_SQUARE=1 -Fo$@ -c mulsqr.c - -mulsqr.exe: mulsqr.obj mpi.lib $(LIBS) - $(CC) $(CFLAGS) -Fo$@ $^ - -#--------------------------------------- - -alltests: tests utests mpi-test.exe - -tools: $(TOOLS) - -doc: - (cd doc; ./build) - -clean: - rm -f *.obj *.lib *.pdb *.ilk - cd utils; rm -f *.obj *.lib *.pdb *.ilk - -distclean: clean - rm -f mptest? mpi-test metime mulsqr karatsuba - rm -f mptest?a mptest?b - rm -f utils/mptest? - rm -f test-info.c logtab.h - rm -f mpi.lib - rm -f $(TOOLS) - -dist: Makefile $(HDRS) $(SRCS) $(DOCS) - tar -cvf mpi-$(VERS).tar Makefile $(HDRS) $(SRCS) $(DOCS) - pgps -ab mpi-$(VERS).tar - chmod +r mpi-$(VERS).tar.asc - gzip -9 mpi-$(VERS).tar - - -print: - @echo LIBOBJS = $(LIBOBJS) -# END diff --git a/security/nss/lib/freebl/mpi/README b/security/nss/lib/freebl/mpi/README index 475549bade..776ba713a1 100644 --- a/security/nss/lib/freebl/mpi/README +++ b/security/nss/lib/freebl/mpi/README 
@@ -67,14 +67,6 @@ assumptions about the sizes of things, but there is little if any reason to change the other parameters, so I would recommend you leave them as you found them. -The library comes with a Perl script, 'types.pl', which will scan your -current Makefile settings, and attempt to find good definitions for -these types. It relies on a Unix sort of build environment, so it -probably won't work under MacOS or Windows, but it can be convenient -if you're porting to a new flavour of Unix. Just run 'types.pl' at -the command line, and it will spit out its results to the standard -output. - Conventions ----------- @@ -503,9 +495,6 @@ MP_MODARITH - Define true to include the modular arithmetic in your application, you can set this to zero to leave out all the modular routines. -MP_NUMTH - Define true to include number theoretic functions - such as mp_gcd(), mp_lcm(), and mp_invmod(). - MP_LOGTAB - If true, the file "logtab.h" is included, which is basically a static table of base 2 logarithms. These are used to compute how big the buffers for 
@@ -633,92 +622,6 @@ Most of these can be built from the Makefile that comes with the library. Try 'make tools', if your environment supports it. -Testing the Library -------------------- - -Automatic test vectors are included, in the form of a program called -'mpi-test'. To build this program and run all the tests, simply -invoke the shell script 'all-tests'. If all the tests pass, you -should see a message: - - All tests passed - -If something went wrong, you'll get: - - One or more tests failed. - -If this happens, scan back through the preceding lines, to see which -test failed. Any failure indicates a bug in the library, which needs -to be fixed before it will give accurate results. If you get any such -thing, please let me know, and I'll try to fix it. Please let me know -what platform and compiler you were using, as well as which test -failed. If a reason for failure was given, please send me that text -as well. - -If you're on a system where the standard Unix build tools don't work, -you can build the 'mpi-test' program manually, and run it by hand. -This is tedious and obnoxious, sorry. - -Further manual testing can be performed by building the manual testing -programs, whose source is found in the 'tests' subdirectory. Each -test is in a source file called 'mptest-X.c'. The Makefile contains a -target to build all of them at once: - - make tests - -Read the comments at the top of each source file to see what the -driver is supposed to test. You probably don't need to do this; these -programs were only written to help me as I was developing the library. - -The relevant files are: - -mpi-test.c The source for the test driver - -make-test-arrays A Perl script to generate some of the internal - data structures used by mpi-test.c - -test-arrays.txt The source file for make-test-arrays - -all-tests A Bourne shell script which runs all the - tests in the mpi-test suite - -Running 'make mpi-test' should build the mpi-test program. 
If you -cannot use make, here is what needs to be done: - -(1) Use 'make-test-arrays' to generate the file 'test-info.c' from - the 'test-arrays.txt' file. Since Perl can be found everywhere, - this should be no trouble. Under Unix, this looks like: - - make-test-arrays test-arrays.txt > test-info.c - -(2) Build the MPI library: - - gcc -ansi -pedantic -Wall -c mpi.c - -(3) Build the mpi-test program: - - gcc -ansi -pedantic -Wall -o mpi-test mpi.o mpi-test.c - -When you've got mpi-test, you can use 'all-tests' to run all the tests -made available by mpi-test. If any of them fail, there should be a -diagnostic indicating what went wrong. These are fairly high-level -diagnostics, and won't really help you debug the problem; they're -simply intended to help you isolate which function caused the problem. -If you encounter a problem of this sort, feel free to e-mail me, and I -will certainly attempt to help you debug it. - -Note: Several of the tests hard-wired into 'mpi-test' operate under ----- the assumption that you are using at least a 16-bit mp_digit - type. If that is not true, several tests might fail, because - of range problems with the maximum digit value. - - If you are using an 8-bit digit, you will also need to - modify the code for mp_read_raw(), which assumes that - multiplication by 256 can be done with mp_mul_d(), a - fact that fails when DIGIT_MAX is 255. You can replace - the call with s_mp_lshd(), which will give you the same - effect, and without doing as much work. :) - Acknowledgements: ---------------- diff --git a/security/nss/lib/freebl/mpi/all-tests b/security/nss/lib/freebl/mpi/all-tests deleted file mode 100755 index 3429a15c0a..0000000000 --- a/security/nss/lib/freebl/mpi/all-tests +++ /dev/null 
@@ -1,83 +0,0 @@ -#!/bin/sh -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -ECHO=/bin/echo -MAKE=gmake - -$ECHO "\n** Running unit tests for MPI library\n" - -# Build the mpi-test program, which comprises all the unit tests for -# the MPI library... - -$ECHO "Bringing mpi-test up to date ... " -if $MAKE mpi-test ; then - : -else - $ECHO " " - $ECHO "Make failed to build mpi-test." - $ECHO " " - exit 1 -fi - -if [ ! -x mpi-test ] ; then - $ECHO " " - $ECHO "Cannot find 'mpi-test' program, testing cannot continue." - $ECHO " " - exit 1 -fi - -# Get the list of available test suites... -tests=`./mpi-test list | awk '{print $1}'` -errs=0 - -# Run each test suite and check the result code of mpi-test -for test in $tests ; do - $ECHO "$test ... \c" - if ./mpi-test $test ; then - $ECHO "passed" - else - $ECHO "FAILED" - errs=1 - fi -done - -# If any tests failed, we'll stop at this point -if [ "$errs" = "0" ] ; then - $ECHO "All unit tests passed" -else - $ECHO "One or more tests failed" - exit 1 -fi - -# Now try to build the 'pi' program, and see if it can compute the -# first thousand digits of pi correctly -$ECHO "\n** Running other tests\n" - -$ECHO "Bringing 'pi' up to date ... " -if $MAKE pi ; then - : -else - $ECHO "\nMake failed to build pi.\n" - exit 1 -fi - -if [ ! -x pi ] ; then - $ECHO "\nCannot find 'pi' program; testing cannot continue.\n" - exit 1 -fi - -./pi 2000 > /tmp/pi.tmp.$$ -if cmp tests/pi2k.txt /tmp/pi.tmp.$$ ; then - $ECHO "Okay! The pi test passes." -else - $ECHO "Oops! The pi test failed. :(" - exit 1 -fi - -rm -f /tmp/pi.tmp.$$ - -exit 0 - -# Here there be dragons diff --git a/security/nss/lib/freebl/mpi/hppatch.adb b/security/nss/lib/freebl/mpi/hppatch.adb deleted file mode 100644 index 6875032ef3..0000000000 --- a/security/nss/lib/freebl/mpi/hppatch.adb +++ /dev/null 
@@ -1,21 +0,0 @@ -#/bin/sh -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -# script to change the system id in an object file from PA-RISC 2.0 to 1.1 - -adb -w $1 << EOF -?m 0 -1 0 -0x0?X -0x0?W (@0x0&~0x40000)|(~@0x0&0x40000) - -0?"change checksum" -0x7c?X -0x7c?W (@0x7c&~0x40000)|(~@0x7c&0x40000) -$q -EOF - -exit 0 - diff --git a/security/nss/lib/freebl/mpi/make-logtab b/security/nss/lib/freebl/mpi/make-logtab deleted file mode 100755 index fadba1c86d..0000000000 --- a/security/nss/lib/freebl/mpi/make-logtab +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/perl - -# -# make-logtab -# -# Generate a table of logarithms of 2 in various bases, for use in -# estimating the output sizes of various bases. - -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -$ARRAYNAME = $ENV{'ARRAYNAME'} || "s_logv_2"; -$ARRAYTYPE = $ENV{'ARRAYTYPE'} || "float"; - -printf("const %s %s[] = {\n %0.9ff, %0.9ff, ", - $ARRAYTYPE, $ARRAYNAME, 0, 0); -$brk = 2; -for($ix = 2; $ix < 64; $ix++) { - printf("%0.9ff, ", (log(2)/log($ix))); - $brk = ($brk + 1) & 3; - if(!$brk) { - printf(" /* %2d %2d %2d %2d */\n ", - $ix - 3, $ix - 2, $ix - 1, $ix); - } -} -printf("%0.9ff\n};\n\n", (log(2)/log($ix))); - -exit 0; diff --git a/security/nss/lib/freebl/mpi/make-test-arrays b/security/nss/lib/freebl/mpi/make-test-arrays deleted file mode 100755 index ecdd552024..0000000000 --- a/security/nss/lib/freebl/mpi/make-test-arrays +++ /dev/null 
@@ -1,98 +0,0 @@ -#!/usr/bin/perl - -# -# make-test-arrays -# -# Given a test-arrays file, which specifies the test suite names, the -# names of the functions which perform those test suites, and -# descriptive comments, this script generates C structures for the -# mpi-test program. The input consists of lines of the form: -# -# suite-name:function-name:comment -# -# The output is written to the standard output. Blank lines are -# ignored, and comments beginning with '#' are stripped. - -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -# Read parameters from the environment, if available -$NAMEVAR = $ENV{'NAMEVAR'} || "g_names"; -$COUNTVAR = $ENV{'COUNTVAR'} || "g_count"; -$FUNCVAR = $ENV{'FUNCVAR'} || "g_tests"; -$DESCVAR = $ENV{'DESCVAR'} || "g_descs"; -$FUNCLEN = 13; -$NAMELEN = 18; -$DESCLEN = 45; - -#------------------------------------------------------------------------ -# Suck in input from the files on the command line, or standard input -while(<>) { - chomp; - s/\#.*$//; - next if /^\s*$/; - - ($suite, $func, $desc) = split(/:/, $_); - - $tmp = { "suite" => $suite, - "func" => $func, - "desc" => $desc }; - - push(@item, $tmp); -} -$count = scalar(@item); -$last = pop(@item); - -#------------------------------------------------------------------------ -# Output the table of names -print "/* Table mapping test suite names to index numbers */\n"; -printf("const int %s = %d;\n", $COUNTVAR, $count); -printf("const char *%s[] = {\n", $NAMEVAR); - -foreach $elt (@item) { - printf(" \"%s\",%s/* %s%s */\n", $elt->{"suite"}, - " " x ($NAMELEN - length($elt->{"suite"})), - $elt->{"desc"}, - " " x ($DESCLEN - length($elt->{"desc"}))); -} -printf(" \"%s\" %s/* %s%s */\n", $last->{"suite"}, - " " x ($NAMELEN - length($last->{"suite"})), - $last->{"desc"}, - " " x ($DESCLEN - length($last->{"desc"}))); -print 
"};\n\n"; - -#------------------------------------------------------------------------ -# Output the driver function prototypes -print "/* Test function prototypes */\n"; -foreach $elt (@item, $last) { - printf("int %s(void);\n", $elt->{"func"}); -} -print "\n"; - -#------------------------------------------------------------------------ -# Output the table of functions -print "/* Table mapping index numbers to functions */\n"; -printf("int (*%s[])(void) = {\n ", $FUNCVAR); -$brk = 0; - -foreach $elt (@item) { - print($elt->{"func"}, ", ", - " " x ($FUNCLEN - length($elt->{"func"}))); - $brk = ($brk + 1) & 3; - print "\n " unless($brk); -} -print $last->{"func"}, "\n};\n\n"; - -#------------------------------------------------------------------------ -# Output the table of descriptions -print "/* Table mapping index numbers to descriptions */\n"; -printf("const char *%s[] = {\n", $DESCVAR); - -foreach $elt (@item) { - printf(" \"%s\",\n", $elt->{"desc"}); -} -printf(" \"%s\"\n};\n\n", $last->{"desc"}); - -exit 0; - diff --git a/security/nss/lib/freebl/mpi/mdxptest.c b/security/nss/lib/freebl/mpi/mdxptest.c deleted file mode 100644 index adbcfc3d1c..0000000000 --- a/security/nss/lib/freebl/mpi/mdxptest.c +++ /dev/null 
@@ -1,306 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <time.h> -#include "mpi.h" -#include "mpi-priv.h" - -/* #define OLD_WAY 1 */ - -/* This key is the 1024-bit test key used for speed testing of RSA private -** key ops. -*/ - -#define CONST const - -static CONST unsigned char default_n[128] = { - 0xc2, 0xae, 0x96, 0x89, 0xaf, 0xce, 0xd0, 0x7b, 0x3b, 0x35, 0xfd, 0x0f, 0xb1, 0xf4, 0x7a, 0xd1, - 0x3c, 0x7d, 0xb5, 0x86, 0xf2, 0x68, 0x36, 0xc9, 0x97, 0xe6, 0x82, 0x94, 0x86, 0xaa, 0x05, 0x39, - 0xec, 0x11, 0x51, 0xcc, 0x5c, 0xa1, 0x59, 0xba, 0x29, 0x18, 0xf3, 0x28, 0xf1, 0x9d, 0xe3, 0xae, - 0x96, 0x5d, 0x6d, 0x87, 0x73, 0xf6, 0xf6, 0x1f, 0xd0, 0x2d, 0xfb, 0x2f, 0x7a, 0x13, 0x7f, 0xc8, - 0x0c, 0x7a, 0xe9, 0x85, 0xfb, 0xce, 0x74, 0x86, 0xf8, 0xef, 0x2f, 0x85, 0x37, 0x73, 0x0f, 0x62, - 0x4e, 0x93, 0x17, 0xb7, 0x7e, 0x84, 0x9a, 0x94, 0x11, 0x05, 0xca, 0x0d, 0x31, 0x4b, 0x2a, 0xc8, - 0xdf, 0xfe, 0xe9, 0x0c, 0x13, 0xc7, 0xf2, 0xad, 0x19, 0x64, 0x28, 0x3c, 0xb5, 0x6a, 0xc8, 0x4b, - 0x79, 0xea, 0x7c, 0xce, 0x75, 0x92, 0x45, 0x3e, 0xa3, 0x9d, 0x64, 0x6f, 0x04, 0x69, 0x19, 0x17 -}; - -static CONST unsigned char default_d[128] = { - 0x13, 0xcb, 0xbc, 0xf2, 0xf3, 0x35, 0x8c, 0x6d, 0x7b, 0x6f, 0xd9, 0xf3, 0xa6, 0x9c, 0xbd, 0x80, - 0x59, 0x2e, 0x4f, 0x2f, 0x11, 0xa7, 0x17, 0x2b, 0x18, 0x8f, 0x0f, 0xe8, 0x1a, 0x69, 0x5f, 0x6e, - 0xac, 0x5a, 0x76, 0x7e, 0xd9, 0x4c, 0x6e, 0xdb, 0x47, 0x22, 0x8a, 0x57, 0x37, 0x7a, 0x5e, 0x94, - 0x7a, 0x25, 0xb5, 0xe5, 0x78, 0x1d, 0x3c, 0x99, 0xaf, 0x89, 0x7d, 0x69, 0x2e, 0x78, 0x9d, 0x1d, - 0x84, 0xc8, 0xc1, 0xd7, 0x1a, 0xb2, 0x6d, 0x2d, 0x8a, 0xd9, 0xab, 0x6b, 0xce, 0xae, 0xb0, 0xa0, - 0x58, 0x55, 0xad, 0x5c, 0x40, 0x8a, 0xd6, 0x96, 0x08, 0x8a, 0xe8, 0x63, 0xe6, 0x3d, 0x6c, 0x20, - 0x49, 0xc7, 0xaf, 0x0f, 0x25, 
0x73, 0xd3, 0x69, 0x43, 0x3b, 0xf2, 0x32, 0xf8, 0x3d, 0x5e, 0xee, - 0x7a, 0xca, 0xd6, 0x94, 0x55, 0xe5, 0xbd, 0x25, 0x34, 0x8d, 0x63, 0x40, 0xb5, 0x8a, 0xc3, 0x01 -}; - -#define DEFAULT_ITERS 50 - -typedef clock_t timetype; -#define gettime(x) *(x) = clock() -#define subtime(a, b) a -= b -#define msec(x) ((clock_t)((double)x * 1000.0 / CLOCKS_PER_SEC)) -#define sec(x) (x / CLOCKS_PER_SEC) - -struct TimingContextStr { - timetype start; - timetype end; - timetype interval; - - int minutes; - int seconds; - int millisecs; -}; - -typedef struct TimingContextStr TimingContext; - -TimingContext * -CreateTimingContext(void) -{ - return (TimingContext *)malloc(sizeof(TimingContext)); -} - -void -DestroyTimingContext(TimingContext *ctx) -{ - free(ctx); -} - -void -TimingBegin(TimingContext *ctx) -{ - gettime(&ctx->start); -} - -static void -timingUpdate(TimingContext *ctx) -{ - - ctx->millisecs = msec(ctx->interval) % 1000; - ctx->seconds = sec(ctx->interval); - ctx->minutes = ctx->seconds / 60; - ctx->seconds %= 60; -} - -void -TimingEnd(TimingContext *ctx) -{ - gettime(&ctx->end); - ctx->interval = ctx->end; - subtime(ctx->interval, ctx->start); - timingUpdate(ctx); -} - -char * -TimingGenerateString(TimingContext *ctx) -{ - static char sBuf[4096]; - - sprintf(sBuf, "%d minutes, %d.%03d seconds", ctx->minutes, - ctx->seconds, ctx->millisecs); - return sBuf; -} - -static void -dumpBytes(unsigned char *b, int l) -{ - int i; - if (l <= 0) - return; - for (i = 0; i < l; ++i) { - if (i % 16 == 0) - printf("\t"); - printf(" %02x", b[i]); - if (i % 16 == 15) - printf("\n"); - } - if ((i % 16) != 0) - printf("\n"); - printf("\n"); -} - -static mp_err -testNewFuncs(const unsigned char *modulusBytes, int modulus_len) -{ - mp_err mperr = MP_OKAY; - mp_int modulus; - unsigned char buf[512]; - - mperr = mp_init(&modulus); - mperr = mp_read_unsigned_octets(&modulus, modulusBytes, modulus_len); - mperr = mp_to_fixlen_octets(&modulus, buf, modulus_len); - mperr = 
mp_to_fixlen_octets(&modulus, buf, modulus_len + 1); - mperr = mp_to_fixlen_octets(&modulus, buf, modulus_len + 4); - mperr = mp_to_unsigned_octets(&modulus, buf, modulus_len); - mperr = mp_to_signed_octets(&modulus, buf, modulus_len + 1); - mp_clear(&modulus); - return mperr; -} - -int -testModExp(const unsigned char *modulusBytes, - const unsigned int expo, - const unsigned char *input, - unsigned char *output, - int modulus_len) -{ - mp_err mperr = MP_OKAY; - mp_int modulus; - mp_int base; - mp_int exponent; - mp_int result; - - mperr = mp_init(&modulus); - mperr += mp_init(&base); - mperr += mp_init(&exponent); - mperr += mp_init(&result); - /* we initialize all mp_ints unconditionally, even if some fail. - ** This guarantees that the DIGITS pointer is valid (even if null). - ** So, mp_clear will do the right thing below. - */ - if (mperr == MP_OKAY) { - mperr = mp_read_unsigned_octets(&modulus, - modulusBytes + (sizeof default_n - modulus_len), modulus_len); - mperr += mp_read_unsigned_octets(&base, input, modulus_len); - mp_set(&exponent, expo); - if (mperr == MP_OKAY) { -#if OLD_WAY - mperr = s_mp_exptmod(&base, &exponent, &modulus, &result); -#else - mperr = mp_exptmod(&base, &exponent, &modulus, &result); -#endif - if (mperr == MP_OKAY) { - mperr = mp_to_fixlen_octets(&result, output, modulus_len); - } - } - } - mp_clear(&base); - mp_clear(&result); - - mp_clear(&modulus); - mp_clear(&exponent); - - return (int)mperr; -} - -int -doModExp(const unsigned char *modulusBytes, - const unsigned char *exponentBytes, - const unsigned char *input, - unsigned char *output, - int modulus_len) -{ - mp_err mperr = MP_OKAY; - mp_int modulus; - mp_int base; - mp_int exponent; - mp_int result; - - mperr = mp_init(&modulus); - mperr += mp_init(&base); - mperr += mp_init(&exponent); - mperr += mp_init(&result); - /* we initialize all mp_ints unconditionally, even if some fail. - ** This guarantees that the DIGITS pointer is valid (even if null). 
- ** So, mp_clear will do the right thing below. - */ - if (mperr == MP_OKAY) { - mperr = mp_read_unsigned_octets(&modulus, - modulusBytes + (sizeof default_n - modulus_len), modulus_len); - mperr += mp_read_unsigned_octets(&exponent, exponentBytes, modulus_len); - mperr += mp_read_unsigned_octets(&base, input, modulus_len); - if (mperr == MP_OKAY) { -#if OLD_WAY - mperr = s_mp_exptmod(&base, &exponent, &modulus, &result); -#else - mperr = mp_exptmod(&base, &exponent, &modulus, &result); -#endif - if (mperr == MP_OKAY) { - mperr = mp_to_fixlen_octets(&result, output, modulus_len); - } - } - } - mp_clear(&base); - mp_clear(&result); - - mp_clear(&modulus); - mp_clear(&exponent); - - return (int)mperr; -} - -int -main(int argc, char **argv) -{ - TimingContext *timeCtx; - char *progName; - long iters = DEFAULT_ITERS; - unsigned int modulus_len; - int i; - int rv; - unsigned char buf[1024]; - unsigned char buf2[1024]; - - progName = strrchr(argv[0], '/'); - if (!progName) - progName = strrchr(argv[0], '\\'); - progName = progName ? progName + 1 : argv[0]; - - if (argc >= 2) { - iters = atol(argv[1]); - } - - if (argc >= 3) { - modulus_len = atol(argv[2]); - } else - modulus_len = sizeof default_n; - - /* no library init function !? 
*/ - - memset(buf, 0x41, sizeof buf); - - if (iters < 2) { - testNewFuncs(default_n, modulus_len); - testNewFuncs(default_n + 1, modulus_len - 1); - testNewFuncs(default_n + 2, modulus_len - 2); - testNewFuncs(default_n + 3, modulus_len - 3); - - rv = testModExp(default_n, 0, buf, buf2, modulus_len); - dumpBytes((unsigned char *)buf2, modulus_len); - - rv = testModExp(default_n, 1, buf, buf2, modulus_len); - dumpBytes((unsigned char *)buf2, modulus_len); - - rv = testModExp(default_n, 2, buf, buf2, modulus_len); - dumpBytes((unsigned char *)buf2, modulus_len); - - rv = testModExp(default_n, 3, buf, buf2, modulus_len); - dumpBytes((unsigned char *)buf2, modulus_len); - } - rv = doModExp(default_n, default_d, buf, buf2, modulus_len); - if (rv != 0) { - fprintf(stderr, "Error in modexp operation:\n"); - exit(1); - } - dumpBytes((unsigned char *)buf2, modulus_len); - - timeCtx = CreateTimingContext(); - TimingBegin(timeCtx); - i = iters; - while (i--) { - rv = doModExp(default_n, default_d, buf, buf2, modulus_len); - if (rv != 0) { - fprintf(stderr, "Error in modexp operation\n"); - exit(1); - } - } - TimingEnd(timeCtx); - printf("%ld iterations in %s\n", iters, TimingGenerateString(timeCtx)); - - return 0; -} diff --git a/security/nss/lib/freebl/mpi/mpcpucache.c b/security/nss/lib/freebl/mpi/mpcpucache.c index 6fed352391..336b4cc559 100644 --- a/security/nss/lib/freebl/mpi/mpcpucache.c +++ b/security/nss/lib/freebl/mpi/mpcpucache.c @@ -17,7 +17,7 @@ * * Currently the file returns good data for most modern x86 processors, and * reasonable data on 64-bit ppc processors. All other processors are assumed - * to have a cache line size of 32 bytes unless modified by target.mk. + * to have a cache line size of 32 bytes. * */ 
@@ -775,18 +775,6 @@ s_mpi_getProcessorLineSize()
 *
 */
-/* target.mk can define MPI_CACHE_LINE_SIZE if it's common for the family or
- * OS */
-#if defined(MPI_CACHE_LINE_SIZE) && !defined(MPI_GET_PROCESSOR_LINE_SIZE_DEFINED)
-
-unsigned long
-s_mpi_getProcessorLineSize()
-{
- return MPI_CACHE_LINE_SIZE;
-}
-#define MPI_GET_PROCESSOR_LINE_SIZE_DEFINED 1
-#endif
-
 /* If no way to get the processor cache line size has been defined, assume
 * it's 32 bytes (most common value, does not significantly impact performance)
 */
@@ -797,12 +785,3 @@ s_mpi_getProcessorLineSize()
 return 32;
 }
 #endif
-
-#ifdef TEST_IT
-#include <stdio.h>
-
-main()
-{
- printf("line size = %d\n", s_mpi_getProcessorLineSize());
-}
-#endif
diff --git a/security/nss/lib/freebl/mpi/mpi-config.h b/security/nss/lib/freebl/mpi/mpi-config.h
index f365592a42..c6f72b206f 100644
--- a/security/nss/lib/freebl/mpi/mpi-config.h
+++ b/security/nss/lib/freebl/mpi/mpi-config.h
@@ -24,10 +24,6 @@
 #define MP_MODARITH 1 /* include modular arithmetic ? */
 #endif
-#ifndef MP_NUMTH
-#define MP_NUMTH 1 /* include number theoretic functions? */
-#endif
-
 #ifndef MP_LOGTAB
 #define MP_LOGTAB 1 /* use table of logs instead of log()? */
 #endif
diff --git a/security/nss/lib/freebl/mpi/mpi.c b/security/nss/lib/freebl/mpi/mpi.c
index f6f75439c1..f7784c8d9d 100644
--- a/security/nss/lib/freebl/mpi/mpi.c
+++ b/security/nss/lib/freebl/mpi/mpi.c
@@ -1695,7 +1695,6 @@ mp_iseven(const mp_int *a)
 /*------------------------------------------------------------------------*/
 /* {{{ Number theoretic functions */
-#if MP_NUMTH
 /* {{{ mp_gcd(a, b, c) */
 /*
@@ -2376,7 +2375,6 @@ mp_invmod(const mp_int *a, const mp_int *m, mp_int *c)
 } /* end mp_invmod() */
 /* }}} */
-#endif /* if MP_NUMTH */
 /* }}} */
@@ -2861,6 +2859,9 @@ void
 s_mp_exch(mp_int *a, mp_int *b)
 {
 mp_int tmp;
+ if (!a || !b) {
+ return;
+ }
 tmp = *a;
 *a = *b;
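Review bot: The NULL check added to `s_mp_exch` turns a caller bug into a silent no-op: because the function returns void, a swap that quietly does nothing leaves the caller's two mp_ints un-exchanged, which is harder to diagnose than the fault it replaces. Elsewhere in this file argument invariants are asserted under `MP_ARGCHK == 2` (the `assert(q_msd > 0)` in s_mp_div is visible in the later hunks), so consider pairing the early return with a debug-build check: `#if MP_ARGCHK == 2` / `assert(a != NULL && b != NULL);` / `#endif` placed before the `if`. Release builds keep the guard while debug builds flag the misuse.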
@@ -4088,7 +4089,7 @@ s_mpv_sqr_add_prop(const mp_digit *pa, mp_size a_len, mp_digit *ps)
 }
 #endif
-#if (defined(MP_NO_MP_WORD) || defined(MP_NO_DIV_WORD)) && !defined(MP_ASSEMBLY_DIV_2DX1D)
+#if !defined(MP_ASSEMBLY_DIV_2DX1D)
 /*
 ** Divide 64-bit (Nhi,Nlo) by 32-bit divisor, which must be normalized
 ** so its high bit is 1. This code is from NSPR.
@@ -4166,11 +4167,7 @@ mp_err s_mp_div(mp_int *rem, /* i: dividend, o: remainder */
 mp_int *quot) /* i: 0; o: quotient */
 {
 mp_int part, t;
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
- mp_word q_msd;
-#else
 mp_digit q_msd;
-#endif
 mp_err res;
 mp_digit d;
 mp_digit div_msd;
@@ -4215,7 +4212,7 @@ mp_err s_mp_div(mp_int *rem, /* i: dividend, o: remainder */
 MP_USED(&part) = MP_USED(div);
 /* We have now truncated the part of the remainder to the same length as
- * the divisor. If part is smaller than div, extend part by one digit. */
+ * the divisor. If part is smaller than div, extend part by one digit. */
 if (s_mp_cmp(&part, div) < 0) {
 --unusedRem;
 #if MP_ARGCHK == 2
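Review bot: The relaxed guard `#if !defined(MP_ASSEMBLY_DIV_2DX1D)` in the first hunk, together with the removal of the `mp_word q_msd` path here and in the `@@ -4232,18 +4229,12 @@` hunk, means `MP_NO_MP_WORD` and `MP_NO_DIV_WORD` no longer influence s_mp_div at all, but nothing in the new code records that; the deleted target.mk visible later in this diff still passed `-DMP_NO_MP_WORD` for several platforms, and mpi-config.h or the README may still describe both macros. A one-line comment above the guard would stop the next reader from re-adding the word-sized path, e.g. `/* s_mp_div always uses s_mpv_div_2dx1d; MP_NO_MP_WORD / MP_NO_DIV_WORD no longer select an mp_word variant. */`. If either macro is still documented elsewhere in the tree, that text should be updated in the same change. s_mp_div's body begins before the second hunk and continues past the third.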
@@ -4232,18 +4229,12 @@ mp_err s_mp_div(mp_int *rem, /* i: dividend, o: remainder */
 div_msd = MP_DIGIT(div, MP_USED(div) - 1);
 if (!partExtended) {
 /* In this case, q_msd /= div_msd is always 1. First, since div_msd is
- * normalized to have the high bit set, 2*div_msd > MP_DIGIT_MAX. Since
- * we didn't extend part, q_msd >= div_msd. Therefore we know that
- * div_msd <= q_msd <= MP_DIGIT_MAX < 2*div_msd. Dividing by div_msd we
- * get 1 <= q_msd/div_msd < 2. So q_msd /= div_msd must be 1. */
+ * normalized to have the high bit set, 2*div_msd > MP_DIGIT_MAX. Since
+ * we didn't extend part, q_msd >= div_msd. Therefore we know that
+ * div_msd <= q_msd <= MP_DIGIT_MAX < 2*div_msd. Dividing by div_msd we
+ * get 1 <= q_msd/div_msd < 2. So q_msd /= div_msd must be 1. */
 q_msd = 1;
 } else {
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
- q_msd = (q_msd << MP_DIGIT_BIT) | MP_DIGIT(&part, MP_USED(&part) - 2);
- q_msd /= div_msd;
- if (q_msd == RADIX)
- --q_msd;
-#else
 if (q_msd == div_msd) {
 q_msd = MP_DIGIT_MAX;
 } else {
@@ -4251,7 +4242,6 @@ mp_err s_mp_div(mp_int *rem, /* i: dividend, o: remainder */
 MP_CHECKOK(s_mpv_div_2dx1d(q_msd, MP_DIGIT(&part, MP_USED(&part) - 2),
 div_msd, &q_msd, &r));
 }
-#endif
 }
 #if MP_ARGCHK == 2
 assert(q_msd > 0); /* This case should never occur any more. */
@@ -4261,15 +4251,15 @@ mp_err s_mp_div(mp_int *rem, /* i: dividend, o: remainder */
 /* See what that multiplies out to */
 mp_copy(div, &t);
- MP_CHECKOK(s_mp_mul_d(&t, (mp_digit)q_msd));
+ MP_CHECKOK(s_mp_mul_d(&t, q_msd));
 /*
- If it's too big, back it off. We should not have to do this
- more than once, or, in rare cases, twice. Knuth describes a
- method by which this could be reduced to a maximum of once, but
- I didn't implement that here.
- * When using s_mpv_div_2dx1d, we may have to do this 3 times.
- */
+ If it's too big, back it off. We should not have to do this
+ more than once, or, in rare cases, twice. Knuth describes a
+ method by which this could be reduced to a maximum of once, but
+ I didn't implement that here.
+ When using s_mpv_div_2dx1d, we may have to do this 3 times.
+ */
 for (i = 4; s_mp_cmp(&t, &part) > 0 && i > 0; --i) {
 --q_msd;
 MP_CHECKOK(s_mp_sub(&t, div)); /* t -= div */
@@ -4284,11 +4274,11 @@ mp_err s_mp_div(mp_int *rem, /* i: dividend, o: remainder */
 s_mp_clamp(rem);
 /*
- Include the digit in the quotient. We allocated enough memory
- for any quotient we could ever possibly get, so we should not
- have to check for failures here
- */
- MP_DIGIT(quot, unusedRem) = (mp_digit)q_msd;
+ Include the digit in the quotient. We allocated enough memory
+ for any quotient we could ever possibly get, so we should not
+ have to check for failures here
+ */
+ MP_DIGIT(quot, unusedRem) = q_msd;
 }
 /* Denormalize remainder */
diff --git a/security/nss/lib/freebl/mpi/mpi.h b/security/nss/lib/freebl/mpi/mpi.h
index 64ffe75d52..97af0f069b 100644
--- a/security/nss/lib/freebl/mpi/mpi.h
+++ b/security/nss/lib/freebl/mpi/mpi.h
@@ -225,13 +225,11 @@ int mp_isodd(const mp_int *a);
 int mp_iseven(const mp_int *a);
 /* Number theoretic */
-#if MP_NUMTH
 mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c);
 mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c);
 mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y);
 mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c);
 mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c);
-#endif /* end MP_NUMTH */
 /* Input and output */
 #if MP_IOFUNC
diff --git a/security/nss/lib/freebl/mpi/mpmontg.c b/security/nss/lib/freebl/mpi/mpmontg.c
index 06fd41b3a3..3acdc9fef1 100644
--- a/security/nss/lib/freebl/mpi/mpmontg.c
+++ b/security/nss/lib/freebl/mpi/mpmontg.c
@@ -205,7 +205,11 @@ mp_exptmod_f(const mp_int *montBase,
 dTmpSize = 2 * oddPowSize;
 dSize = sizeof(double) * (nLen * 4 + 1 + ((odd_ints + 1) * oddPowSize) + dTmpSize);
- dBuf = (double *)malloc(dSize);
+ dBuf = malloc(dSize);
+ if (!dBuf) {
+ res = MP_MEM;
+ goto CLEANUP;
+ }
 dm1 = dBuf; /* array of d32 */
 dn = dBuf + nLen; /* array of d32 */
 dSqr = dn + nLen; /* array of d32 */
diff --git a/security/nss/lib/freebl/mpi/mpprime.c b/security/nss/lib/freebl/mpi/mpprime.c
index 58287192e2..9d6232c29c 100644
--- a/security/nss/lib/freebl/mpi/mpprime.c
+++ b/security/nss/lib/freebl/mpi/mpprime.c
@@ -402,8 +402,7 @@ mpp_sieve(mp_int *trial, const mp_digit *primes, mp_size nPrimes,
 #define SIEVE_SIZE 32 * 1024
 mp_err
-mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong,
- unsigned long *nTries)
+mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong)
 {
 mp_digit np;
 mp_err res;
@@ -548,8 +547,6 @@ mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong,
 CLEANUP:
 mp_clear(&trial);
 mp_clear(&q);
- if (nTries)
- *nTries += i;
 if (sieve != NULL) {
 memset(sieve, 0, SIEVE_SIZE);
 free(sieve);
diff --git a/security/nss/lib/freebl/mpi/mpprime.h b/security/nss/lib/freebl/mpi/mpprime.h
index c47c618360..acd888d4ac 100644
--- a/security/nss/lib/freebl/mpi/mpprime.h
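Review bot: The new `goto CLEANUP` on a failed `malloc` in the mp_exptmod_f hunk sends a NULL `dBuf` into a cleanup path that lies outside the hunk; that is only safe if the label tests `dBuf` before zeroizing it (a `memset(dBuf, 0, dSize)` ahead of `free` would fault on NULL), so please confirm the CLEANUP block guards `dBuf`, and that `dBuf` is initialised to NULL at declaration so earlier `goto CLEANUP` exits do not free an indeterminate pointer. Dropping the `(double *)` cast on `malloc` is the right C idiom. In the mpprime.c hunks that follow on the same line, removing the `nTries` out-parameter changes the exported prototype of `mpp_make_prime`; mpprime.h is updated to match, but any out-of-tree caller still passing a fourth argument will now fail to compile, which deserves a line in the release notes.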
+++ b/security/nss/lib/freebl/mpi/mpprime.h
@@ -13,6 +13,8 @@
 #include "mpi.h"
+SEC_BEGIN_PROTOS
+
 extern const int prime_tab_size; /* number of primes available */
 extern const mp_digit prime_tab[];
@@ -32,7 +34,8 @@ mp_err mpp_fermat_list(mp_int *a, const mp_digit *primes, mp_size nPrimes);
 mp_err mpp_pprime(mp_int *a, int nt);
 mp_err mpp_sieve(mp_int *trial, const mp_digit *primes, mp_size nPrimes,
 unsigned char *sieve, mp_size nSieve);
-mp_err mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong,
- unsigned long *nTries);
+mp_err mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong);
+
+SEC_END_PROTOS
 #endif /* end _H_MP_PRIME_ */
diff --git a/security/nss/lib/freebl/mpi/multest b/security/nss/lib/freebl/mpi/multest
deleted file mode 100755
index 24752e019a..0000000000
--- a/security/nss/lib/freebl/mpi/multest
+++ /dev/null
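Review bot: `SEC_BEGIN_PROTOS` / `SEC_END_PROTOS` are introduced into mpprime.h, but the only include visible in the hunk is `"mpi.h"`; unless mpi.h already pulls in the NSS header that defines those macros (seccomon.h), mpprime.h stops being self-contained and will fail to preprocess when it is the first header included, including from the C++ translation units the macros exist to support. If mpi.h does provide them, a short comment next to the include such as `/* SEC_BEGIN_PROTOS / SEC_END_PROTOS come via mpi.h */` records the dependency; otherwise add the defining include explicitly before the first use. The `_H_MP_PRIME_` guard name is pre-existing but uses an identifier reserved for the implementation, which could be tidied in the same pass.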
@@ -1,76 +0,0 @@ -#!/bin/sh -# -# multest -# -# Run multiply and square timing tests, to compute a chart for the -# current processor and compiler combination. - -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -ECHO=/bin/echo -MAKE=gmake - -$ECHO "\n** Running multiply and square timing tests\n" - -$ECHO "Bringing 'mulsqr' up to date ... " -if $MAKE mulsqr ; then - : -else - $ECHO "\nMake failed to build mulsqr.\n" - exit 1 -fi - -if [ ! -x ./mulsqr ] ; then - $ECHO "\nCannot find 'mulsqr' program, testing cannot continue.\n" - exit 1 -fi - -sizes='64 128 192 256 320 384 448 512 640 768 896 1024 1536 2048' -ntests=500000 - -$ECHO "Running timing tests, please wait ... " - -trap 'echo "oop!";rm -f tt*.tmp;exit 0' INT HUP - -touch tt$$.tmp -$ECHO $ntests tests >> tt$$.tmp -for size in $sizes ; do - $ECHO "$size bits ... \c" - set -A res `./mulsqr $ntests $size|head -3|tr -d '%'|awk '{print $2}'` - $ECHO $size"\t"${res[0]}"\t"${res[1]}"\t"${res[2]} >> tt$$.tmp - $ECHO "(done)" -done -mv tt$$.tmp mulsqr-results.txt -rm -f tt$$.tmp - -$ECHO "\n** Running Karatsuba-Ofman multiplication tests\n" - -$ECHO "Brining 'karatsuba' up to date ... " -if $MAKE karatsuba ; then - : -else - $ECHO "\nMake failed to build karatsuba.\n" - exit 1 -fi - -if [ ! -x ./karatsuba ] ; then - $ECHO "\nCannot find 'karatsuba' program, testing cannot continue.\n" - exit 1 -fi - -ntests=100000 - -trap 'echo "oop!";rm -f tt*.tmp;exit 0' INT HUP - -touch tt$$.tmp -for size in $sizes ; do - $ECHO "$size bits ... " - ./karatsuba $ntests $size >> tt$$.tmp - tail -2 tt$$.tmp -done -mv tt$$.tmp karatsuba-results.txt -rm -f tt$$.tmp - -exit 0 diff --git a/security/nss/lib/freebl/mpi/stats b/security/nss/lib/freebl/mpi/stats deleted file mode 100755 index a5deb94c03..0000000000 --- a/security/nss/lib/freebl/mpi/stats +++ /dev/null 
@@ -1,39 +0,0 @@ -#!/usr/bin/perl - -# -# Treat each line as a sequence of comma and/or space delimited -# floating point numbers, and compute basic statistics on them. -# These are written to standard output - -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -$min = 1.7976931348623157E+308; -$max = 2.2250738585072014E-308; -$sum = $num = 0; - -while(<>) { - chomp; - - @nums = split(/[\s,]+/, $_); - next if($#nums < 0); - - $num += scalar @nums; - foreach (@nums) { - $min = $_ if($_ < $min); - $max = $_ if($_ > $max); - $sum += $_; - } -} - -if($num) { - $avg = $sum / $num; -} else { - $min = $max = 0; -} - -printf "%d\tmin=%.2f, avg=%.2f, max=%.2f, sum=%.2f\n", - $num, $min, $avg, $max, $sum; - -# end diff --git a/security/nss/lib/freebl/mpi/target.mk b/security/nss/lib/freebl/mpi/target.mk deleted file mode 100644 index dd74564b1a..0000000000 --- a/security/nss/lib/freebl/mpi/target.mk +++ /dev/null 
@@ -1,233 +0,0 @@ -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -## -## Define CFLAGS to contain any local options your compiler -## setup requires. -## -## Conditional compilation options are no longer here; see -## the file 'mpi-config.h' instead. -## -MPICMN = -I. -DMP_API_COMPATIBLE -DMP_IOFUNC -CFLAGS= -O $(MPICMN) -#CFLAGS=-ansi -fullwarn -woff 1521 -O3 $(MPICMN) -#CFLAGS=-ansi -pedantic -Wall -O3 $(MPICMN) -#CFLAGS=-ansi -pedantic -Wall -g -O2 -DMP_DEBUG=1 $(MPICMN) - -ifeq ($(TARGET),mipsIRIX) -#IRIX -#MPICMN += -DMP_MONT_USE_MP_MUL -MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -MPICMN += -DMP_USE_UINT_DIGIT -#MPICMN += -DMP_NO_MP_WORD -AS_OBJS = mpi_mips.o -#ASFLAGS = -O -OPT:Olimit=4000 -dollar -fullwarn -xansi -n32 -mips3 -exceptions -ASFLAGS = -O -OPT:Olimit=4000 -dollar -fullwarn -xansi -n32 -mips3 -#CFLAGS=-ansi -n32 -O3 -fullwarn -woff 1429 -D_SGI_SOURCE $(MPICMN) -CFLAGS=-ansi -n32 -O2 -fullwarn -woff 1429 -D_SGI_SOURCE $(MPICMN) -#CFLAGS=-ansi -n32 -g -fullwarn -woff 1429 -D_SGI_SOURCE $(MPICMN) -#CFLAGS=-ansi -64 -O2 -fullwarn -woff 1429 -D_SGI_SOURCE -DMP_NO_MP_WORD \ - $(MPICMN) -endif - -ifeq ($(TARGET),alphaOSF1) -#Alpha/OSF1 -MPICMN += -DMP_ASSEMBLY_MULTIPLY -AS_OBJS+= mpvalpha.o -#CFLAGS= -O -Olimit 4000 -ieee_with_inexact -std1 -DOSF1 -D_REENTRANT $(MPICMN) -CFLAGS= -O -Olimit 4000 -ieee_with_inexact -std1 -DOSF1 -D_REENTRANT \ - -DMP_NO_MP_WORD $(MPICMN) -endif - -ifeq ($(TARGET),v9SOLARIS) -#Solaris 64 -SOLARIS_FPU_FLAGS = -fast -xO5 -xrestrict=%all -xchip=ultra -xarch=v9a -KPIC -mt -#SOLARIS_FPU_FLAGS = -fast -xO5 -xrestrict=%all -xdepend -xchip=ultra -xarch=v9a -KPIC -mt -SOLARIS_ASM_FLAGS = -xchip=ultra -xarch=v9a -KPIC -mt -AS_OBJS += montmulfv9.o -AS_OBJS += mpi_sparc.o mpv_sparcv9.o -MPICMN += -DMP_USE_UINT_DIGIT -#MPICMN += -DMP_NO_MP_WORD -MPICMN += 
-DMP_ASSEMBLY_MULTIPLY -MPICMN += -DMP_USING_MONT_MULF -CFLAGS= -O -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT \ - -DSOLARIS2_8 -xarch=v9 -DXP_UNIX $(MPICMN) -#CFLAGS= -g -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT \ - -DSOLARIS2_8 -xarch=v9 -DXP_UNIX $(MPICMN) -endif - -ifeq ($(TARGET),v8plusSOLARIS) -#Solaris 32 -SOLARIS_FPU_FLAGS = -fast -xO5 -xrestrict=%all -xdepend -xchip=ultra -xarch=v8plusa -KPIC -mt -SOLARIS_ASM_FLAGS = -xchip=ultra -xarch=v8plusa -KPIC -mt -AS_OBJS += montmulfv8.o -AS_OBJS += mpi_sparc.o mpv_sparcv8.o -#AS_OBJS = montmulf.o -MPICMN += -DMP_ASSEMBLY_MULTIPLY -MPICMN += -DMP_USING_MONT_MULF -MPICMN += -DMP_USE_UINT_DIGIT -MPICMN += -DMP_NO_MP_WORD -CFLAGS=-O -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT \ - -DSOLARIS2_6 -xarch=v8plus -DXP_UNIX $(MPICMN) -endif - -ifeq ($(TARGET),v8SOLARIS) -#Solaris 32 -#SOLARIS_FPU_FLAGS = -fast -xO5 -xrestrict=%all -xdepend -xchip=ultra -xarch=v8 -KPIC -mt -#SOLARIS_ASM_FLAGS = -xchip=ultra -xarch=v8plusa -KPIC -mt -#AS_OBJS = montmulfv8.o mpi_sparc.o mpv_sparcv8.o -#AS_OBJS = montmulf.o -#MPICMN += -DMP_USING_MONT_MULF -#MPICMN += -DMP_ASSEMBLY_MULTIPLY -MPICMN += -DMP_USE_LONG_LONG_MULTIPLY -DMP_USE_UINT_DIGIT -MPICMN += -DMP_NO_MP_WORD -CFLAGS=-O -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT \ - -DSOLARIS2_6 -xarch=v8 -DXP_UNIX $(MPICMN) -endif - -ifeq ($(TARGET),ia64HPUX) -#HPUX 32 on ia64 -- 64 bit digits SCREAM. -# This one is for DD32 which is the 32-bit ABI with 64-bit registers. 
-CFLAGS= +O3 -DHPUX10 -D_POSIX_C_SOURCE=199506L -Aa +Z -DHPUX -Dhppa \ - -D_HPUX_SOURCE -Aa +e -z +p +DD32 -DHPUX11 -DXP_UNIX -Wl,+k $(MPICMN) -#CFLAGS= -O -DHPUX10 -D_POSIX_C_SOURCE=199506L -Aa +Z -DHPUX -Dhppa \ - -D_HPUX_SOURCE -Aa +e -z +p +DD32 -DHPUX11 -DXP_UNIX -Wl,+k $(MPICMN) -#CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \ - -D_HPUX_SOURCE -Aa +e -z +p +DD32 -DHPUX11 -DXP_UNIX -Wl,+k $(MPICMN) -endif - -ifeq ($(TARGET),ia64HPUX64) -#HPUX 32 on ia64 -# This one is for DD64 which is the 64-bit ABI -CFLAGS= +O3 -DHPUX10 -D_POSIX_C_SOURCE=199506L -Aa +Z -DHPUX -Dhppa \ - -D_HPUX_SOURCE -Aa +e -z +p +DD64 -DHPUX11 -DXP_UNIX -Wl,+k $(MPICMN) -#CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \ - -D_HPUX_SOURCE -Aa +e -z +p +DD64 -DHPUX11 -DXP_UNIX -Wl,+k $(MPICMN) -endif - -ifeq ($(TARGET),PA2.0WHPUX) -#HPUX64 (HP PA 2.0 Wide) using MAXPY and 64-bit digits -MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -AS_OBJS = mpi_hp.o hpma512.o hppa20.o -CFLAGS= -O -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \ - -D_HPUX_SOURCE -Aa +e -z +DA2.0W +DS2.0 +O3 +DChpux -DHPUX11 -DXP_UNIX \ - $(MPICMN) -#CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \ - -D_HPUX_SOURCE -Aa +e -z +DA2.0W +DS2.0 +DChpux -DHPUX11 -DXP_UNIX \ - $(MPICMN) -AS = $(CC) $(CFLAGS) -c -endif - -ifeq ($(TARGET),PA2.0NHPUX) -#HPUX32 (HP PA 2.0 Narrow) hybrid model, using 32-bit digits -# This one is for DA2.0 (N) which is the 32-bit ABI with 64-bit registers. 
-MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -AS_OBJS = mpi_hp.o hpma512.o hppa20.o -CFLAGS= +O3 -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \ - -D_HPUX_SOURCE -Aa +e -z +DA2.0 +DS2.0 +DChpux -DHPUX11 -DXP_UNIX \ - -Wl,+k $(MPICMN) -#CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \ - -D_HPUX_SOURCE -Aa +e -z +DA2.0 +DS2.0 +DChpux -DHPUX11 -DXP_UNIX \ - -Wl,+k $(MPICMN) -AS = $(CC) $(CFLAGS) -c -endif - -ifeq ($(TARGET),PA1.1HPUX) -#HPUX32 (HP PA 1.1) Pure 32 bit -MPICMN += -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD -#MPICMN += -DMP_USE_LONG_LONG_MULTIPLY -CFLAGS= -O -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \ - -D_HPUX_SOURCE +DAportable +DS1.1 -DHPUX11 -DXP_UNIX $(MPICMN) -##CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \ -# -D_HPUX_SOURCE +DAportable +DS1.1 -DHPUX11 -DXP_UNIX $(MPICMN) -endif - -ifeq ($(TARGET),32AIX) -# -CC = xlC_r -MPICMN += -DMP_USE_UINT_DIGIT -MPICMN += -DMP_NO_DIV_WORD -#MPICMN += -DMP_NO_MUL_WORD -MPICMN += -DMP_NO_ADD_WORD -MPICMN += -DMP_NO_SUB_WORD -#MPICMN += -DMP_NO_MP_WORD -#MPICMN += -DMP_USE_LONG_LONG_MULTIPLY -CFLAGS = -O -DAIX -DSYSV -qarch=com -DAIX4_3 -DXP_UNIX -UDEBUG -DNDEBUG $(MPICMN) -#CFLAGS = -g -DAIX -DSYSV -qarch=com -DAIX4_3 -DXP_UNIX -UDEBUG -DNDEBUG $(MPICMN) -#CFLAGS += -pg -endif - -ifeq ($(TARGET),64AIX) -# -CC = xlC_r -MPICMN += -DMP_USE_UINT_DIGIT -CFLAGS = -O -O2 -DAIX -DSYSV -qarch=com -DAIX_64BIT -DAIX4_3 -DXP_UNIX -UDEBUG -DNDEBUG $(MPICMN) -OBJECT_MODE=64 -export OBJECT_MODE -endif - -ifeq ($(TARGET),x86LINUX) -#Linux -AS_OBJS = mpi_x86.o -MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D -MPICMN += -DMP_MONT_USE_MP_MUL -DMP_IS_LITTLE_ENDIAN -CFLAGS= -O2 -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi -Wall \ - -pipe -DLINUX -Dlinux -D_POSIX_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR \ - -DXP_UNIX -UDEBUG -DNDEBUG -D_REENTRANT $(MPICMN) -#CFLAGS= -g -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi 
-Wall \ - -pipe -DLINUX -Dlinux -D_POSIX_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR \ - -DXP_UNIX -DDEBUG -UNDEBUG -D_REENTRANT $(MPICMN) -#CFLAGS= -g -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi -Wall \ - -pipe -DLINUX -Dlinux -D_POSIX_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR \ - -DXP_UNIX -UDEBUG -DNDEBUG -D_REENTRANT $(MPICMN) -endif - -ifeq ($(TARGET),armLINUX) -MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -MPICMN += -DMP_USE_UINT_DIGIT -AS_OBJS += mpi_arm.o -endif - -ifeq ($(TARGET),AMD64SOLARIS) -ASFLAGS += -xarch=generic64 -AS_OBJS = mpi_amd64.o mpi_amd64_sun.o -MP_CONFIG = -DMP_ASSEMBLY_MULTIPLY -DMPI_AMD64 -MP_CONFIG += -DMP_IS_LITTLE_ENDIAN -CFLAGS = -xarch=generic64 -xO4 -I. -DMP_API_COMPATIBLE -DMP_IOFUNC $(MP_CONFIG) -MPICMN += $(MP_CONFIG) - -mpi_amd64_asm.o: mpi_amd64_sun.s - $(AS) -xarch=generic64 -P -D_ASM mpi_amd64_sun.s -endif - -ifeq ($(TARGET),WIN32) -ifeq ($(CPU_ARCH),x86_64) -AS_OBJS = mpi_amd64.obj mpi_amd64_masm.obj mp_comba_amd64_masm.asm -CFLAGS = -Od -Z7 -MDd -W3 -nologo -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USER) -CFLAGS += -DWIN32 -DWIN64 -D_WINDOWS -D_AMD_64_ -D_M_AMD64 -DWIN95 -DXP_PC -CFLAGS += $(MPICMN) - -$(AS_OBJS): %.obj : %.asm - ml64 -Cp -Sn -Zi -coff -nologo -c $< - -$(LIBOBJS): %.obj : %.c - cl $(CFLAGS) -Fo$@ -c $< -else -AS_OBJS = mpi_x86.obj -MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D -MPICMN += -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD -DMP_API_COMPATIBLE -MPICMN += -DMP_MONT_USE_MP_MUL -MPICMN += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN -CFLAGS = -Od -Z7 -MDd -W3 -nologo -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USER) -CFLAGS += -DWIN32 -D_WINDOWS -D_X86_ -DWIN95 -DXP_PC -CFLAGS += $(MPICMN) - -$(AS_OBJS): %.obj : %.asm - ml -Cp -Sn -Zi -coff -nologo -c $< - -$(LIBOBJS): %.obj : %.c - cl $(CFLAGS) -Fo$@ -c $< - -endif -endif diff --git a/security/nss/lib/freebl/mpi/test-arrays.txt b/security/nss/lib/freebl/mpi/test-arrays.txt deleted file mode 100644 index 6c8908c1a1..0000000000 
--- a/security/nss/lib/freebl/mpi/test-arrays.txt +++ /dev/null 
@@ -1,55 +0,0 @@ -# -# Test suite table for MPI library -# -# Format of entries: -# suite-name:function-name:description -# -# suite-name The name used to identify this test in mpi-test -# function-name The function called to perform this test in mpi-test.c -# description A brief description of what the suite tests - -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -list:test_list:print out a list of the available test suites -copy:test_copy:test assignment of mp-int structures -exchange:test_exch:test exchange of mp-int structures -zero:test_zero:test zeroing of an mp-int -set:test_set:test setting an mp-int to a small constant -absolute-value:test_abs:test the absolute value function -negate:test_neg:test the arithmetic negation function -add-digit:test_add_d:test digit addition -add:test_add:test full addition -subtract-digit:test_sub_d:test digit subtraction -subtract:test_sub:test full subtraction -multiply-digit:test_mul_d:test digit multiplication -multiply:test_mul:test full multiplication -square:test_sqr:test full squaring function -divide-digit:test_div_d:test digit division -divide-2:test_div_2:test division by two -divide-2d:test_div_2d:test division & remainder by 2^d -divide:test_div:test full division -expt-digit:test_expt_d:test digit exponentiation -expt:test_expt:test full exponentiation -expt-2:test_2expt:test power-of-two exponentiation -modulo-digit:test_mod_d:test digit modular reduction -modulo:test_mod:test full modular reduction -mod-add:test_addmod:test modular addition -mod-subtract:test_submod:test modular subtraction -mod-multiply:test_mulmod:test modular multiplication -mod-square:test_sqrmod:test modular squaring function -mod-expt:test_exptmod:test full modular exponentiation -mod-expt-digit:test_exptmod_d:test digit modular exponentiation -mod-inverse:test_invmod:test modular 
inverse function -compare-digit:test_cmp_d:test digit comparison function -compare-zero:test_cmp_z:test zero comparison function -compare:test_cmp:test general signed comparison -compare-magnitude:test_cmp_mag:test general magnitude comparison -parity:test_parity:test parity comparison functions -gcd:test_gcd:test greatest common divisor functions -lcm:test_lcm:test least common multiple function -conversion:test_convert:test general radix conversion facilities -binary:test_raw:test raw output format -pprime:test_pprime:test probabilistic primality tester -fermat:test_fermat:test Fermat pseudoprimality tester diff --git a/security/nss/lib/freebl/mpi/tests/LICENSE b/security/nss/lib/freebl/mpi/tests/LICENSE deleted file mode 100644 index c2c5d01902..0000000000 --- a/security/nss/lib/freebl/mpi/tests/LICENSE +++ /dev/null @@ -1,6 +0,0 @@ -Within this directory, each of the file listed below is licensed under -the terms given in the file LICENSE-MPL, also in this directory. - -pi1k.txt -pi2k.txt -pi5k.txt diff --git a/security/nss/lib/freebl/mpi/tests/LICENSE-MPL b/security/nss/lib/freebl/mpi/tests/LICENSE-MPL deleted file mode 100644 index 41dc2327f1..0000000000 --- a/security/nss/lib/freebl/mpi/tests/LICENSE-MPL +++ /dev/null @@ -1,3 +0,0 @@ -This Source Code Form is subject to the terms of the Mozilla Public -License, v. 2.0. If a copy of the MPL was not distributed with this -file, You can obtain one at http://mozilla.org/MPL/2.0/. diff --git a/security/nss/lib/freebl/mpi/tests/mptest-1.c b/security/nss/lib/freebl/mpi/tests/mptest-1.c deleted file mode 100644 index 4491346688..0000000000 --- a/security/nss/lib/freebl/mpi/tests/mptest-1.c +++ /dev/null 
@@ -1,43 +0,0 @@ -/* - * Simple test driver for MPI library - * - * Test 1: Simple input test (drives single-digit multiply and add, - * as well as I/O routines) - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <limits.h> - -#ifdef MAC_CW_SIOUX -#include <console.h> -#endif - -#include "mpi.h" - -int -main(int argc, char *argv[]) -{ - int ix; - mp_int mp; - -#ifdef MAC_CW_SIOUX - argc = ccommand(&argv); -#endif - - mp_init(&mp); - - for (ix = 1; ix < argc; ix++) { - mp_read_radix(&mp, argv[ix], 10); - mp_print(&mp, stdout); - fputc('\n', stdout); - } - - mp_clear(&mp); - return 0; -} diff --git a/security/nss/lib/freebl/mpi/tests/mptest-2.c b/security/nss/lib/freebl/mpi/tests/mptest-2.c deleted file mode 100644 index 1505e6afd2..0000000000 --- a/security/nss/lib/freebl/mpi/tests/mptest-2.c +++ /dev/null 
@@ -1,62 +0,0 @@ -/* - * Simple test driver for MPI library - * - * Test 2: Basic addition and subtraction test - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <limits.h> - -#include "mpi.h" - -int -main(int argc, char *argv[]) -{ - mp_int a, b, c; - - if (argc < 3) { - fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]); - return 1; - } - - printf("Test 2: Basic addition and subtraction\n\n"); - - mp_init(&a); - mp_init(&b); - - mp_read_radix(&a, argv[1], 10); - mp_read_radix(&b, argv[2], 10); - printf("a = "); - mp_print(&a, stdout); - fputc('\n', stdout); - printf("b = "); - mp_print(&b, stdout); - fputc('\n', stdout); - - mp_init(&c); - printf("c = a + b\n"); - - mp_add(&a, &b, &c); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - - printf("c = a - b\n"); - - mp_sub(&a, &b, &c); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - - mp_clear(&c); - mp_clear(&b); - mp_clear(&a); - - return 0; -} diff --git a/security/nss/lib/freebl/mpi/tests/mptest-3.c b/security/nss/lib/freebl/mpi/tests/mptest-3.c deleted file mode 100644 index 86fb24654b..0000000000 --- a/security/nss/lib/freebl/mpi/tests/mptest-3.c +++ /dev/null 
@@ -1,105 +0,0 @@ -/* - * Simple test driver for MPI library - * - * Test 3: Multiplication, division, and exponentiation test - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <limits.h> - -#include <time.h> - -#include "mpi.h" - -#define EXPT 0 /* define nonzero to get exponentiate test */ - -int -main(int argc, char *argv[]) -{ - int ix; - mp_int a, b, c, d; - mp_digit r; - mp_err res; - - if (argc < 3) { - fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]); - return 1; - } - - printf("Test 3: Multiplication and division\n\n"); - srand(time(NULL)); - - mp_init(&a); - mp_init(&b); - - mp_read_variable_radix(&a, argv[1], 10); - mp_read_variable_radix(&b, argv[2], 10); - printf("a = "); - mp_print(&a, stdout); - fputc('\n', stdout); - printf("b = "); - mp_print(&b, stdout); - fputc('\n', stdout); - - mp_init(&c); - printf("\nc = a * b\n"); - - mp_mul(&a, &b, &c); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - - printf("\nc = b * 32523\n"); - - mp_mul_d(&b, 32523, &c); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - - mp_init(&d); - printf("\nc = a / b, d = a mod b\n"); - - mp_div(&a, &b, &c, &d); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - printf("d = "); - mp_print(&d, stdout); - fputc('\n', stdout); - - ix = rand() % 256; - printf("\nc = a / %d, r = a mod %d\n", ix, ix); - mp_div_d(&a, (mp_digit)ix, &c, &r); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - printf("r = %04X\n", r); - -#if EXPT - printf("\nc = a ** b\n"); - mp_expt(&a, &b, &c); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); -#endif - - ix = rand() % 256; - printf("\nc = 2^%d\n", ix); - mp_2expt(&c, ix); - printf("c = "); - mp_print(&c, stdout); - 
fputc('\n', stdout); - - mp_clear(&d); - mp_clear(&c); - mp_clear(&b); - mp_clear(&a); - - return 0; -} diff --git a/security/nss/lib/freebl/mpi/tests/mptest-3a.c b/security/nss/lib/freebl/mpi/tests/mptest-3a.c deleted file mode 100644 index c6cea7046f..0000000000 --- a/security/nss/lib/freebl/mpi/tests/mptest-3a.c +++ /dev/null 
@@ -1,123 +0,0 @@ -/* - * Simple test driver for MPI library - * - * Test 3a: Multiplication vs. squaring timing test - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <limits.h> - -#include <time.h> - -#include "mpi.h" -#include "mpprime.h" - -int -main(int argc, char *argv[]) -{ - int ix, num, prec = 8; - double d1, d2; - clock_t start, finish; - time_t seed; - mp_int a, c, d; - - seed = time(NULL); - - if (argc < 2) { - fprintf(stderr, "Usage: %s <num-tests> [<precision>]\n", argv[0]); - return 1; - } - - if ((num = atoi(argv[1])) < 0) - num = -num; - - if (!num) { - fprintf(stderr, "%s: must perform at least 1 test\n", argv[0]); - return 1; - } - - if (argc > 2) { - if ((prec = atoi(argv[2])) <= 0) - prec = 8; - else - prec = (prec + (DIGIT_BIT - 1)) / DIGIT_BIT; - } - - printf("Test 3a: Multiplication vs squaring timing test\n" - "Precision: %d digits (%u bits)\n" - "# of tests: %d\n\n", - prec, prec * DIGIT_BIT, num); - - mp_init_size(&a, prec); - - mp_init(&c); - mp_init(&d); - - printf("Verifying accuracy ... \n"); - srand((unsigned int)seed); - for (ix = 0; ix < num; ix++) { - mpp_random_size(&a, prec); - mp_mul(&a, &a, &c); - mp_sqr(&a, &d); - - if (mp_cmp(&c, &d) != 0) { - printf("Error! Results not accurate:\n"); - printf("a = "); - mp_print(&a, stdout); - fputc('\n', stdout); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - printf("d = "); - mp_print(&d, stdout); - fputc('\n', stdout); - mp_sub(&c, &d, &d); - printf("dif "); - mp_print(&d, stdout); - fputc('\n', stdout); - mp_clear(&c); - mp_clear(&d); - mp_clear(&a); - return 1; - } - } - printf("Accuracy is confirmed for the %d test samples\n", num); - mp_clear(&d); - - printf("Testing squaring ... 
\n"); - srand((unsigned int)seed); - start = clock(); - for (ix = 0; ix < num; ix++) { - mpp_random_size(&a, prec); - mp_sqr(&a, &c); - } - finish = clock(); - - d2 = (double)(finish - start) / CLOCKS_PER_SEC; - - printf("Testing multiplication ... \n"); - srand((unsigned int)seed); - start = clock(); - for (ix = 0; ix < num; ix++) { - mpp_random(&a); - mp_mul(&a, &a, &c); - } - finish = clock(); - - d1 = (double)(finish - start) / CLOCKS_PER_SEC; - - printf("Multiplication time: %.3f sec (%.3f each)\n", d1, d1 / num); - printf("Squaring time: %.3f sec (%.3f each)\n", d2, d2 / num); - printf("Improvement: %.2f%%\n", (1.0 - (d2 / d1)) * 100.0); - - mp_clear(&c); - mp_clear(&a); - - return 0; -} diff --git a/security/nss/lib/freebl/mpi/tests/mptest-4.c b/security/nss/lib/freebl/mpi/tests/mptest-4.c deleted file mode 100644 index 0f326ac2c3..0000000000 --- a/security/nss/lib/freebl/mpi/tests/mptest-4.c +++ /dev/null 
@@ -1,111 +0,0 @@ -/* - * Simple test driver for MPI library - * - * Test 4: Modular arithmetic tests - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <limits.h> - -#include "mpi.h" - -int -main(int argc, char *argv[]) -{ - int ix; - mp_int a, b, c, m; - mp_digit r; - - if (argc < 4) { - fprintf(stderr, "Usage: %s <a> <b> <m>\n", argv[0]); - return 1; - } - - printf("Test 4: Modular arithmetic\n\n"); - - mp_init(&a); - mp_init(&b); - mp_init(&m); - - mp_read_radix(&a, argv[1], 10); - mp_read_radix(&b, argv[2], 10); - mp_read_radix(&m, argv[3], 10); - printf("a = "); - mp_print(&a, stdout); - fputc('\n', stdout); - printf("b = "); - mp_print(&b, stdout); - fputc('\n', stdout); - printf("m = "); - mp_print(&m, stdout); - fputc('\n', stdout); - - mp_init(&c); - printf("\nc = a (mod m)\n"); - - mp_mod(&a, &m, &c); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - - printf("\nc = b (mod m)\n"); - - mp_mod(&b, &m, &c); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - - printf("\nc = b (mod 1853)\n"); - - mp_mod_d(&b, 1853, &r); - printf("c = %04X\n", r); - - printf("\nc = (a + b) mod m\n"); - - mp_addmod(&a, &b, &m, &c); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - - printf("\nc = (a - b) mod m\n"); - - mp_submod(&a, &b, &m, &c); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - - printf("\nc = (a * b) mod m\n"); - - mp_mulmod(&a, &b, &m, &c); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - - printf("\nc = (a ** b) mod m\n"); - - mp_exptmod(&a, &b, &m, &c); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - - printf("\nIn-place modular squaring test:\n"); - for (ix = 0; ix < 5; ix++) { - printf("a = (a * a) mod 
m a = "); - mp_sqrmod(&a, &m, &a); - mp_print(&a, stdout); - fputc('\n', stdout); - } - - mp_clear(&c); - mp_clear(&m); - mp_clear(&b); - mp_clear(&a); - - return 0; -} diff --git a/security/nss/lib/freebl/mpi/tests/mptest-4a.c b/security/nss/lib/freebl/mpi/tests/mptest-4a.c deleted file mode 100644 index 0c8e18872b..0000000000 --- a/security/nss/lib/freebl/mpi/tests/mptest-4a.c +++ /dev/null 
@@ -1,109 +0,0 @@ -/* - * mptest4a - modular exponentiation speed test - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <limits.h> -#include <time.h> - -#include <sys/time.h> - -#include "mpi.h" -#include "mpprime.h" - -typedef struct { - unsigned int sec; - unsigned int usec; -} instant_t; - -instant_t -now(void) -{ - struct timeval clk; - instant_t res; - - res.sec = res.usec = 0; - - if (gettimeofday(&clk, NULL) != 0) - return res; - - res.sec = clk.tv_sec; - res.usec = clk.tv_usec; - - return res; -} - -extern mp_err s_mp_pad(); - -int -main(int argc, char *argv[]) -{ - int ix, num, prec = 8; - unsigned int d; - instant_t start, finish; - time_t seed; - mp_int a, m, c; - - seed = time(NULL); - - if (argc < 2) { - fprintf(stderr, "Usage: %s <num-tests> [<precision>]\n", argv[0]); - return 1; - } - - if ((num = atoi(argv[1])) < 0) - num = -num; - - if (!num) { - fprintf(stderr, "%s: must perform at least 1 test\n", argv[0]); - return 1; - } - - if (argc > 2) { - if ((prec = atoi(argv[2])) <= 0) - prec = 8; - } - - printf("Test 3a: Modular exponentiation timing test\n" - "Precision: %d digits (%d bits)\n" - "# of tests: %d\n\n", - prec, prec * DIGIT_BIT, num); - - mp_init_size(&a, prec); - mp_init_size(&m, prec); - mp_init_size(&c, prec); - s_mp_pad(&a, prec); - s_mp_pad(&m, prec); - s_mp_pad(&c, prec); - - printf("Testing modular exponentiation ... 
\n"); - srand((unsigned int)seed); - - start = now(); - for (ix = 0; ix < num; ix++) { - mpp_random(&a); - mpp_random(&c); - mpp_random(&m); - mp_exptmod(&a, &c, &m, &c); - } - finish = now(); - - d = (finish.sec - start.sec) * 1000000; - d -= start.usec; - d += finish.usec; - - printf("Total time elapsed: %u usec\n", d); - printf("Time per exponentiation: %u usec (%.3f sec)\n", - (d / num), (double)(d / num) / 1000000); - - mp_clear(&c); - mp_clear(&a); - mp_clear(&m); - - return 0; -} diff --git a/security/nss/lib/freebl/mpi/tests/mptest-4b.c b/security/nss/lib/freebl/mpi/tests/mptest-4b.c deleted file mode 100644 index 1bb2f911fd..0000000000 --- a/security/nss/lib/freebl/mpi/tests/mptest-4b.c +++ /dev/null 
@@ -1,107 +0,0 @@ -/* - * mptest-4b.c - * - * Test speed of a large modular exponentiation of a primitive element - * modulo a prime. - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <limits.h> -#include <time.h> - -#include <sys/time.h> - -#include "mpi.h" -#include "mpprime.h" - -char *g_prime = - "34BD53C07350E817CCD49721020F1754527959C421C1533244769D4CF060A8B1C3DA" - "25094BE723FB1E2369B55FEEBBE0FAC16425161BF82684062B5EC5D7D47D1B23C117" - "0FA19745E44A55E148314E582EB813AC9EE5126295E2E380CACC2F6D206B293E5ED9" - "23B54EE961A8C69CD625CE4EC38B70C649D7F014432AEF3A1C93"; -char *g_gen = "5"; - -typedef struct { - unsigned int sec; - unsigned int usec; -} instant_t; - -instant_t -now(void) -{ - struct timeval clk; - instant_t res; - - res.sec = res.usec = 0; - - if (gettimeofday(&clk, NULL) != 0) - return res; - - res.sec = clk.tv_sec; - res.usec = clk.tv_usec; - - return res; -} - -extern mp_err s_mp_pad(); - -int -main(int argc, char *argv[]) -{ - instant_t start, finish; - mp_int prime, gen, expt, res; - unsigned int ix, diff; - int num; - - srand(time(NULL)); - - if (argc < 2) { - fprintf(stderr, "Usage: %s <num-tests>\n", argv[0]); - return 1; - } - - if ((num = atoi(argv[1])) < 0) - num = -num; - - if (num == 0) - ++num; - - mp_init(&prime); - mp_init(&gen); - mp_init(&res); - mp_read_radix(&prime, g_prime, 16); - mp_read_radix(&gen, g_gen, 16); - - mp_init_size(&expt, USED(&prime) - 1); - s_mp_pad(&expt, USED(&prime) - 1); - - printf("Testing %d modular exponentations ... 
\n", num); - - start = now(); - for (ix = 0; ix < num; ix++) { - mpp_random(&expt); - mp_exptmod(&gen, &expt, &prime, &res); - } - finish = now(); - - diff = (finish.sec - start.sec) * 1000000; - diff += finish.usec; - diff -= start.usec; - - printf("%d operations took %u usec (%.3f sec)\n", - num, diff, (double)diff / 1000000.0); - printf("That is %.3f sec per operation.\n", - ((double)diff / 1000000.0) / num); - - mp_clear(&expt); - mp_clear(&res); - mp_clear(&gen); - mp_clear(&prime); - - return 0; -} diff --git a/security/nss/lib/freebl/mpi/tests/mptest-5.c b/security/nss/lib/freebl/mpi/tests/mptest-5.c deleted file mode 100644 index dff3ed4701..0000000000 --- a/security/nss/lib/freebl/mpi/tests/mptest-5.c +++ /dev/null 
@@ -1,85 +0,0 @@ -/* - * Simple test driver for MPI library - * - * Test 5: Other number theoretic functions - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <limits.h> - -#include "mpi.h" - -int -main(int argc, char *argv[]) -{ - mp_int a, b, c, x, y; - - if (argc < 3) { - fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]); - return 1; - } - - printf("Test 5: Number theoretic functions\n\n"); - - mp_init(&a); - mp_init(&b); - - mp_read_radix(&a, argv[1], 10); - mp_read_radix(&b, argv[2], 10); - - printf("a = "); - mp_print(&a, stdout); - fputc('\n', stdout); - printf("b = "); - mp_print(&b, stdout); - fputc('\n', stdout); - - mp_init(&c); - printf("\nc = (a, b)\n"); - - mp_gcd(&a, &b, &c); - printf("Euclid: c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - /* - mp_bgcd(&a, &b, &c); - printf("Binary: c = "); mp_print(&c, stdout); fputc('\n', stdout); - */ - mp_init(&x); - mp_init(&y); - printf("\nc = (a, b) = ax + by\n"); - - mp_xgcd(&a, &b, &c, &x, &y); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - printf("x = "); - mp_print(&x, stdout); - fputc('\n', stdout); - printf("y = "); - mp_print(&y, stdout); - fputc('\n', stdout); - - printf("\nc = a^-1 (mod b)\n"); - if (mp_invmod(&a, &b, &c) == MP_UNDEF) { - printf("a has no inverse mod b\n"); - } else { - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - } - - mp_clear(&y); - mp_clear(&x); - mp_clear(&c); - mp_clear(&b); - mp_clear(&a); - - return 0; -} diff --git a/security/nss/lib/freebl/mpi/tests/mptest-5a.c b/security/nss/lib/freebl/mpi/tests/mptest-5a.c deleted file mode 100644 index c410a6a843..0000000000 --- a/security/nss/lib/freebl/mpi/tests/mptest-5a.c +++ /dev/null 
@@ -1,147 +0,0 @@ -/* - * Simple test driver for MPI library - * - * Test 5a: Greatest common divisor speed test, binary vs. Euclid - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <limits.h> -#include <time.h> - -#include <sys/time.h> - -#include "mpi.h" -#include "mpprime.h" - -typedef struct { - unsigned int sec; - unsigned int usec; -} instant_t; - -instant_t -now(void) -{ - struct timeval clk; - instant_t res; - - res.sec = res.usec = 0; - - if (gettimeofday(&clk, NULL) != 0) - return res; - - res.sec = clk.tv_sec; - res.usec = clk.tv_usec; - - return res; -} - -#define PRECISION 16 - -int -main(int argc, char *argv[]) -{ - int ix, num, prec = PRECISION; - mp_int a, b, c, d; - instant_t start, finish; - time_t seed; - unsigned int d1, d2; - - seed = time(NULL); - - if (argc < 2) { - fprintf(stderr, "Usage: %s <num-tests>\n", argv[0]); - return 1; - } - - if ((num = atoi(argv[1])) < 0) - num = -num; - - printf("Test 5a: Euclid vs. Binary, a GCD speed test\n\n" - "Number of tests: %d\n" - "Precision: %d digits\n\n", - num, prec); - - mp_init_size(&a, prec); - mp_init_size(&b, prec); - mp_init(&c); - mp_init(&d); - - printf("Verifying accuracy ... \n"); - srand((unsigned int)seed); - for (ix = 0; ix < num; ix++) { - mpp_random_size(&a, prec); - mpp_random_size(&b, prec); - - mp_gcd(&a, &b, &c); - mp_bgcd(&a, &b, &d); - - if (mp_cmp(&c, &d) != 0) { - printf("Error! 
Results not accurate:\n"); - printf("a = "); - mp_print(&a, stdout); - fputc('\n', stdout); - printf("b = "); - mp_print(&b, stdout); - fputc('\n', stdout); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - printf("d = "); - mp_print(&d, stdout); - fputc('\n', stdout); - - mp_clear(&a); - mp_clear(&b); - mp_clear(&c); - mp_clear(&d); - return 1; - } - } - mp_clear(&d); - printf("Accuracy confirmed for the %d test samples\n", num); - - printf("Testing Euclid ... \n"); - srand((unsigned int)seed); - start = now(); - for (ix = 0; ix < num; ix++) { - mpp_random_size(&a, prec); - mpp_random_size(&b, prec); - mp_gcd(&a, &b, &c); - } - finish = now(); - - d1 = (finish.sec - start.sec) * 1000000; - d1 -= start.usec; - d1 += finish.usec; - - printf("Testing binary ... \n"); - srand((unsigned int)seed); - start = now(); - for (ix = 0; ix < num; ix++) { - mpp_random_size(&a, prec); - mpp_random_size(&b, prec); - mp_bgcd(&a, &b, &c); - } - finish = now(); - - d2 = (finish.sec - start.sec) * 1000000; - d2 -= start.usec; - d2 += finish.usec; - - printf("Euclidean algorithm time: %u usec\n", d1); - printf("Binary algorithm time: %u usec\n", d2); - printf("Improvement: %.2f%%\n", - (1.0 - ((double)d2 / (double)d1)) * 100.0); - - mp_clear(&c); - mp_clear(&b); - mp_clear(&a); - - return 0; -} diff --git a/security/nss/lib/freebl/mpi/tests/mptest-6.c b/security/nss/lib/freebl/mpi/tests/mptest-6.c deleted file mode 100644 index 4febf39c54..0000000000 --- a/security/nss/lib/freebl/mpi/tests/mptest-6.c +++ /dev/null 
@@ -1,78 +0,0 @@ -/* - * Simple test driver for MPI library - * - * Test 6: Output functions - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <limits.h> - -#include "mpi.h" - -void -print_buf(FILE *ofp, char *buf, int len) -{ - int ix, brk = 0; - - for (ix = 0; ix < len; ix++) { - fprintf(ofp, "%02X ", buf[ix]); - - brk = (brk + 1) & 0xF; - if (!brk) - fputc('\n', ofp); - } - - if (brk) - fputc('\n', ofp); -} - -int -main(int argc, char *argv[]) -{ - int ix, size; - mp_int a; - char *buf; - - if (argc < 2) { - fprintf(stderr, "Usage: %s <a>\n", argv[0]); - return 1; - } - - printf("Test 6: Output functions\n\n"); - - mp_init(&a); - - mp_read_radix(&a, argv[1], 10); - - printf("\nConverting to a string:\n"); - - printf("Rx Size Representation\n"); - for (ix = 2; ix <= MAX_RADIX; ix++) { - size = mp_radix_size(&a, ix); - - buf = calloc(size, sizeof(char)); - mp_toradix(&a, buf, ix); - printf("%2d: %3d: %s\n", ix, size, buf); - free(buf); - } - - printf("\nRaw output:\n"); - size = mp_raw_size(&a); - buf = calloc(size, sizeof(char)); - - printf("Size: %d bytes\n", size); - - mp_toraw(&a, buf); - print_buf(stdout, buf, size); - free(buf); - - mp_clear(&a); - - return 0; -} diff --git a/security/nss/lib/freebl/mpi/tests/mptest-7.c b/security/nss/lib/freebl/mpi/tests/mptest-7.c deleted file mode 100644 index 1e83fbf96f..0000000000 --- a/security/nss/lib/freebl/mpi/tests/mptest-7.c +++ /dev/null 
@@ -1,85 +0,0 @@ -/* - * Simple test driver for MPI library - * - * Test 7: Random and divisibility tests - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <limits.h> -#include <time.h> - -#define MP_IOFUNC 1 -#include "mpi.h" - -#include "mpprime.h" - -int -main(int argc, char *argv[]) -{ - mp_digit num; - mp_int a, b; - - srand(time(NULL)); - - if (argc < 3) { - fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]); - return 1; - } - - printf("Test 7: Random & divisibility tests\n\n"); - - mp_init(&a); - mp_init(&b); - - mp_read_radix(&a, argv[1], 10); - mp_read_radix(&b, argv[2], 10); - - printf("a = "); - mp_print(&a, stdout); - fputc('\n', stdout); - printf("b = "); - mp_print(&b, stdout); - fputc('\n', stdout); - - if (mpp_divis(&a, &b) == MP_YES) - printf("a is divisible by b\n"); - else - printf("a is not divisible by b\n"); - - if (mpp_divis(&b, &a) == MP_YES) - printf("b is divisible by a\n"); - else - printf("b is not divisible by a\n"); - - printf("\nb = mpp_random()\n"); - mpp_random(&b); - printf("b = "); - mp_print(&b, stdout); - fputc('\n', stdout); - mpp_random(&b); - printf("b = "); - mp_print(&b, stdout); - fputc('\n', stdout); - mpp_random(&b); - printf("b = "); - mp_print(&b, stdout); - fputc('\n', stdout); - - printf("\nTesting a for divisibility by first 170 primes\n"); - num = 170; - if (mpp_divis_primes(&a, &num) == MP_YES) - printf("It is divisible by at least one of them\n"); - else - printf("It is not divisible by any of them\n"); - - mp_clear(&b); - mp_clear(&a); - - return 0; -} diff --git a/security/nss/lib/freebl/mpi/tests/mptest-8.c b/security/nss/lib/freebl/mpi/tests/mptest-8.c deleted file mode 100644 index a9d3afff9c..0000000000 
--- a/security/nss/lib/freebl/mpi/tests/mptest-8.c +++ /dev/null @@ -1,68 +0,0 @@ -/* - * Simple test driver for MPI library - * - * Test 8: Probabilistic primality tester - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <limits.h> -#include <time.h> - -#define MP_IOFUNC 1 -#include "mpi.h" - -#include "mpprime.h" - -int -main(int argc, char *argv[]) -{ - int ix; - mp_digit num; - mp_int a; - - srand(time(NULL)); - - if (argc < 2) { - fprintf(stderr, "Usage: %s <a>\n", argv[0]); - return 1; - } - - printf("Test 8: Probabilistic primality testing\n\n"); - - mp_init(&a); - - mp_read_radix(&a, argv[1], 10); - - printf("a = "); - mp_print(&a, stdout); - fputc('\n', stdout); - - printf("\nChecking for divisibility by small primes ... \n"); - num = 170; - if (mpp_divis_primes(&a, &num) == MP_YES) { - printf("it is not prime\n"); - goto CLEANUP; - } - printf("Passed that test (not divisible by any small primes).\n"); - - for (ix = 0; ix < 10; ix++) { - printf("\nPerforming Rabin-Miller test, iteration %d\n", ix + 1); - - if (mpp_pprime(&a, 5) == MP_NO) { - printf("it is not prime\n"); - goto CLEANUP; - } - } - printf("All tests passed; a is probably prime\n"); - -CLEANUP: - mp_clear(&a); - - return 0; -} diff --git a/security/nss/lib/freebl/mpi/tests/mptest-9.c b/security/nss/lib/freebl/mpi/tests/mptest-9.c deleted file mode 100644 index 133264e89c..0000000000 --- a/security/nss/lib/freebl/mpi/tests/mptest-9.c +++ /dev/null 
@@ -1,109 +0,0 @@ -/* - * mptest-9.c - * - * Test logical functions - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <limits.h> -#include <time.h> - -#include "mpi.h" -#include "mplogic.h" - -int -main(int argc, char *argv[]) -{ - mp_int a, b, c; - int pco; - mp_err res; - - printf("Test 9: Logical functions\n\n"); - - if (argc < 3) { - fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]); - return 1; - } - - mp_init(&a); - mp_init(&b); - mp_init(&c); - mp_read_radix(&a, argv[1], 16); - mp_read_radix(&b, argv[2], 16); - - printf("a = "); - mp_print(&a, stdout); - fputc('\n', stdout); - printf("b = "); - mp_print(&b, stdout); - fputc('\n', stdout); - - mpl_not(&a, &c); - printf("~a = "); - mp_print(&c, stdout); - fputc('\n', stdout); - - mpl_and(&a, &b, &c); - printf("a & b = "); - mp_print(&c, stdout); - fputc('\n', stdout); - - mpl_or(&a, &b, &c); - printf("a | b = "); - mp_print(&c, stdout); - fputc('\n', stdout); - - mpl_xor(&a, &b, &c); - printf("a ^ b = "); - mp_print(&c, stdout); - fputc('\n', stdout); - - mpl_rsh(&a, &c, 1); - printf("a >> 1 = "); - mp_print(&c, stdout); - fputc('\n', stdout); - mpl_rsh(&a, &c, 5); - printf("a >> 5 = "); - mp_print(&c, stdout); - fputc('\n', stdout); - mpl_rsh(&a, &c, 16); - printf("a >> 16 = "); - mp_print(&c, stdout); - fputc('\n', stdout); - - mpl_lsh(&a, &c, 1); - printf("a << 1 = "); - mp_print(&c, stdout); - fputc('\n', stdout); - mpl_lsh(&a, &c, 5); - printf("a << 5 = "); - mp_print(&c, stdout); - fputc('\n', stdout); - mpl_lsh(&a, &c, 16); - printf("a << 16 = "); - mp_print(&c, stdout); - fputc('\n', stdout); - - mpl_num_set(&a, &pco); - printf("population(a) = %d\n", pco); - mpl_num_set(&b, &pco); - printf("population(b) = %d\n", pco); - - res = mpl_parity(&a); - if 
(res == MP_EVEN) - printf("a has even parity\n"); - else - printf("a has odd parity\n"); - - mp_clear(&c); - mp_clear(&b); - mp_clear(&a); - - return 0; -} diff --git a/security/nss/lib/freebl/mpi/tests/mptest-b.c b/security/nss/lib/freebl/mpi/tests/mptest-b.c deleted file mode 100644 index 07f30eaf82..0000000000 --- a/security/nss/lib/freebl/mpi/tests/mptest-b.c +++ /dev/null 
@@ -1,230 +0,0 @@ -/* - * Simple test driver for MPI library - * - * Test GF2m: Binary Polynomial Arithmetic - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <limits.h> - -#include "mp_gf2m.h" - -int -main(int argc, char *argv[]) -{ - int ix; - mp_int pp, a, b, x, y, order; - mp_int c, d, e; - mp_digit r; - mp_err res; - unsigned int p[] = { 163, 7, 6, 3, 0 }; - unsigned int ptemp[10]; - - printf("Test b: Binary Polynomial Arithmetic\n\n"); - - mp_init(&pp); - mp_init(&a); - mp_init(&b); - mp_init(&x); - mp_init(&y); - mp_init(&order); - - mp_read_radix(&pp, "0800000000000000000000000000000000000000C9", 16); - mp_read_radix(&a, "1", 16); - mp_read_radix(&b, "020A601907B8C953CA1481EB10512F78744A3205FD", 16); - mp_read_radix(&x, "03F0EBA16286A2D57EA0991168D4994637E8343E36", 16); - mp_read_radix(&y, "00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1", 16); - mp_read_radix(&order, "040000000000000000000292FE77E70C12A4234C33", 16); - printf("pp = "); - mp_print(&pp, stdout); - fputc('\n', stdout); - printf("a = "); - mp_print(&a, stdout); - fputc('\n', stdout); - printf("b = "); - mp_print(&b, stdout); - fputc('\n', stdout); - printf("x = "); - mp_print(&x, stdout); - fputc('\n', stdout); - printf("y = "); - mp_print(&y, stdout); - fputc('\n', stdout); - printf("order = "); - mp_print(&order, stdout); - fputc('\n', stdout); - - mp_init(&c); - mp_init(&d); - mp_init(&e); - - /* Test polynomial conversion */ - ix = mp_bpoly2arr(&pp, ptemp, 10); - if ( - (ix != 5) || - (ptemp[0] != p[0]) || - (ptemp[1] != p[1]) || - (ptemp[2] != p[2]) || - (ptemp[3] != p[3]) || - (ptemp[4] != p[4])) { - printf("Polynomial to array conversion not correct\n"); - return -1; - } - - printf("Polynomial conversion test #1 successful.\n"); - 
MP_CHECKOK(mp_barr2poly(p, &c)); - if (mp_cmp(&pp, &c) != 0) { - printf("Array to polynomial conversion not correct\n"); - return -1; - } - printf("Polynomial conversion test #2 successful.\n"); - - /* Test addition */ - MP_CHECKOK(mp_badd(&a, &a, &c)); - if (mp_cmp_z(&c) != 0) { - printf("a+a should equal zero\n"); - return -1; - } - printf("Addition test #1 successful.\n"); - MP_CHECKOK(mp_badd(&a, &b, &c)); - MP_CHECKOK(mp_badd(&b, &c, &c)); - if (mp_cmp(&c, &a) != 0) { - printf("c = (a + b) + b should equal a\n"); - printf("a = "); - mp_print(&a, stdout); - fputc('\n', stdout); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - return -1; - } - printf("Addition test #2 successful.\n"); - - /* Test multiplication */ - mp_set(&c, 2); - MP_CHECKOK(mp_bmul(&b, &c, &c)); - MP_CHECKOK(mp_badd(&b, &c, &c)); - mp_set(&d, 3); - MP_CHECKOK(mp_bmul(&b, &d, &d)); - if (mp_cmp(&c, &d) != 0) { - printf("c = (2 * b) + b should equal c = 3 * b\n"); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - printf("d = "); - mp_print(&d, stdout); - fputc('\n', stdout); - return -1; - } - printf("Multiplication test #1 successful.\n"); - - /* Test modular reduction */ - MP_CHECKOK(mp_bmod(&b, p, &c)); - if (mp_cmp(&b, &c) != 0) { - printf("c = b mod p should equal b\n"); - printf("b = "); - mp_print(&b, stdout); - fputc('\n', stdout); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - return -1; - } - printf("Modular reduction test #1 successful.\n"); - MP_CHECKOK(mp_badd(&b, &pp, &c)); - MP_CHECKOK(mp_bmod(&c, p, &c)); - if (mp_cmp(&b, &c) != 0) { - printf("c = (b + p) mod p should equal b\n"); - printf("b = "); - mp_print(&b, stdout); - fputc('\n', stdout); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - return -1; - } - printf("Modular reduction test #2 successful.\n"); - MP_CHECKOK(mp_bmul(&b, &pp, &c)); - MP_CHECKOK(mp_bmod(&c, p, &c)); - if (mp_cmp_z(&c) != 0) { - printf("c = (b * p) mod p should equal 0\n"); - 
printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - return -1; - } - printf("Modular reduction test #3 successful.\n"); - - /* Test modular multiplication */ - MP_CHECKOK(mp_bmulmod(&b, &pp, p, &c)); - if (mp_cmp_z(&c) != 0) { - printf("c = (b * p) mod p should equal 0\n"); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - return -1; - } - printf("Modular multiplication test #1 successful.\n"); - mp_set(&c, 1); - MP_CHECKOK(mp_badd(&pp, &c, &c)); - MP_CHECKOK(mp_bmulmod(&b, &c, p, &c)); - if (mp_cmp(&b, &c) != 0) { - printf("c = (b * (p + 1)) mod p should equal b\n"); - printf("b = "); - mp_print(&b, stdout); - fputc('\n', stdout); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - return -1; - } - printf("Modular multiplication test #2 successful.\n"); - - /* Test modular squaring */ - MP_CHECKOK(mp_copy(&b, &c)); - MP_CHECKOK(mp_bmulmod(&b, &c, p, &c)); - MP_CHECKOK(mp_bsqrmod(&b, p, &d)); - if (mp_cmp(&c, &d) != 0) { - printf("c = (b * b) mod p should equal d = b^2 mod p\n"); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - printf("d = "); - mp_print(&d, stdout); - fputc('\n', stdout); - return -1; - } - printf("Modular squaring test #1 successful.\n"); - - /* Test modular division */ - MP_CHECKOK(mp_bdivmod(&b, &x, &pp, p, &c)); - MP_CHECKOK(mp_bmulmod(&c, &x, p, &c)); - if (mp_cmp(&b, &c) != 0) { - printf("c = (b / x) * x mod p should equal b\n"); - printf("b = "); - mp_print(&b, stdout); - fputc('\n', stdout); - printf("c = "); - mp_print(&c, stdout); - fputc('\n', stdout); - return -1; - } - printf("Modular division test #1 successful.\n"); - -CLEANUP: - - mp_clear(&order); - mp_clear(&y); - mp_clear(&x); - mp_clear(&b); - mp_clear(&a); - mp_clear(&pp); - - return 0; -} diff --git a/security/nss/lib/freebl/mpi/tests/pi1k.txt b/security/nss/lib/freebl/mpi/tests/pi1k.txt deleted file mode 100644 index 5ff6209ffc..0000000000 --- a/security/nss/lib/freebl/mpi/tests/pi1k.txt +++ /dev/null 
@@ -1 +0,0 @@
-31415926535897932384626433832795028841971693993751058209749445923078164062862089986280348253421170679821480865132823066470938446095505822317253594081284811174502841027019385211055596446229489549303819644288109756659334461284756482337867831652712019091456485669234603486104543266482133936072602491412737245870066063155881748815209209628292540917153643678925903600113305305488204665213841469519415116094330572703657595919530921861173819326117931051185480744623799627495673518857527248912279381830119491298336733624406566430860213949463952247371907021798609437027705392171762931767523846748184676694051320005681271452635608277857713427577896091736371787214684409012249534301465495853710507922796892589235420199561121290219608640344181598136297747713099605187072113499999983729780499510597317328160963185950244594553469083026425223082533446850352619311881710100031378387528865875332083814206171776691473035982534904287554687311595628638823537875937519577818577805321712268066130019278766111959092164201989
diff --git a/security/nss/lib/freebl/mpi/tests/pi2k.txt b/security/nss/lib/freebl/mpi/tests/pi2k.txt
deleted file mode 100644
index 9ce82acd13..0000000000
--- a/security/nss/lib/freebl/mpi/tests/pi2k.txt
+++ /dev/null
@@ -1 +0,0 @@ -31415926535897932384626433832795028841971693993751058209749445923078164062862089986280348253421170679821480865132823066470938446095505822317253594081284811174502841027019385211055596446229489549303819644288109756659334461284756482337867831652712019091456485669234603486104543266482133936072602491412737245870066063155881748815209209628292540917153643678925903600113305305488204665213841469519415116094330572703657595919530921861173819326117931051185480744623799627495673518857527248912279381830119491298336733624406566430860213949463952247371907021798609437027705392171762931767523846748184676694051320005681271452635608277857713427577896091736371787214684409012249534301465495853710507922796892589235420199561121290219608640344181598136297747713099605187072113499999983729780499510597317328160963185950244594553469083026425223082533446850352619311881710100031378387528865875332083814206171776691473035982534904287554687311595628638823537875937519577818577805321712268066130019278766111959092164201989380952572010654858632788659361533818279682303019520353018529689957736225994138912497217752834791315155748572424541506959508295331168617278558890750983817546374649393192550604009277016711390098488240128583616035637076601047101819429555961989467678374494482553797747268471040475346462080466842590694912933136770289891521047521620569660240580381501935112533824300355876402474964732639141992726042699227967823547816360093417216412199245863150302861829745557067498385054945885869269956909272107975093029553211653449872027559602364806654991198818347977535663698074265425278625518184175746728909777727938000816470600161452491921732172147723501414419735685481613611573525521334757418494684385233239073941433345477624168625189835694855620992192221842725502542568876717904946016534668049886272327917860857843838279679766814541009538837863609506800642251252051173929848960841284886269456042419652850222106611863067442786220391949450471237137869609563643719172874677646575739624138908658326459958
1339047802759010
diff --git a/security/nss/lib/freebl/mpi/tests/pi5k.txt b/security/nss/lib/freebl/mpi/tests/pi5k.txt
deleted file mode 100644
index 901fac2ea6..0000000000
--- a/security/nss/lib/freebl/mpi/tests/pi5k.txt
+++ /dev/null
@@ -1 +0,0 @@ -31415926535897932384626433832795028841971693993751058209749445923078164062862089986280348253421170679821480865132823066470938446095505822317253594081284811174502841027019385211055596446229489549303819644288109756659334461284756482337867831652712019091456485669234603486104543266482133936072602491412737245870066063155881748815209209628292540917153643678925903600113305305488204665213841469519415116094330572703657595919530921861173819326117931051185480744623799627495673518857527248912279381830119491298336733624406566430860213949463952247371907021798609437027705392171762931767523846748184676694051320005681271452635608277857713427577896091736371787214684409012249534301465495853710507922796892589235420199561121290219608640344181598136297747713099605187072113499999983729780499510597317328160963185950244594553469083026425223082533446850352619311881710100031378387528865875332083814206171776691473035982534904287554687311595628638823537875937519577818577805321712268066130019278766111959092164201989380952572010654858632788659361533818279682303019520353018529689957736225994138912497217752834791315155748572424541506959508295331168617278558890750983817546374649393192550604009277016711390098488240128583616035637076601047101819429555961989467678374494482553797747268471040475346462080466842590694912933136770289891521047521620569660240580381501935112533824300355876402474964732639141992726042699227967823547816360093417216412199245863150302861829745557067498385054945885869269956909272107975093029553211653449872027559602364806654991198818347977535663698074265425278625518184175746728909777727938000816470600161452491921732172147723501414419735685481613611573525521334757418494684385233239073941433345477624168625189835694855620992192221842725502542568876717904946016534668049886272327917860857843838279679766814541009538837863609506800642251252051173929848960841284886269456042419652850222106611863067442786220391949450471237137869609563643719172874677646575739624138908658326459958
13390478027590099465764078951269468398352595709825822620522489407726719478268482601476990902640136394437455305068203496252451749399651431429809190659250937221696461515709858387410597885959772975498930161753928468138268683868942774155991855925245953959431049972524680845987273644695848653836736222626099124608051243884390451244136549762780797715691435997700129616089441694868555848406353422072225828488648158456028506016842739452267467678895252138522549954666727823986456596116354886230577456498035593634568174324112515076069479451096596094025228879710893145669136867228748940560101503308617928680920874760917824938589009714909675985261365549781893129784821682998948722658804857564014270477555132379641451523746234364542858444795265867821051141354735739523113427166102135969536231442952484937187110145765403590279934403742007310578539062198387447808478489683321445713868751943506430218453191048481005370614680674919278191197939952061419663428754440643745123718192179998391015919561814675142691239748940907186494231961567945208095146550225231603881930142093762137855956638937787083039069792077346722182562599661501421503068038447734549202605414665925201497442850732518666002132434088190710486331734649651453905796268561005508106658796998163574736384052571459102897064140110971206280439039759515677157700420337869936007230558763176359421873125147120532928191826186125867321579198414848829164470609575270695722091756711672291098169091528017350671274858322287183520935396572512108357915136988209144421006751033467110314126711136990865851639831501970165151168517143765761835155650884909989859982387345528331635507647918535893226185489632132933089857064204675259070915481416549859461637180270981994309924488957571282890592323326097299712084433573265489382391193259746366730583604142813883032038249037589852437441702913276561809377344403070746921120191302033038019762110110044929321516084244485963766983895228684783123552658213144957685726243344189303968642624341077322697802807318915441101044682325271620105
26522721116603966655730925471105578537634668206531098965269186205647693125705863566201855810072936065987648611791045334885034611365768675324944166803962657978771855608455296541266540853061434443185867697514566140680070023787765913440171274947042056223053899456131407112700040785473326993908145466464588079727082668306343285878569830523580893306575740679545716377525420211495576158140025012622859413021647155097925923099079654737612551765675135751782966645477917450112996148903046399471329621073404375189573596145890193897131117904297828564750320319869151402870808599048010941214722131794764777262241425485454033215718530614228813758504306332175182979866223717215916077166925474873898665494945011465406284336639379003976926567214638530673609657120918076383271664162748888007869256029022847210403172118608204190004229661711963779213375751149595015660496318629472654736425230817703675159067350235072835405670403867435136222247715891504953098444893330963408780769325993978054193414473774418426312986080998886874132604721
diff --git a/security/nss/lib/freebl/mpi/timetest b/security/nss/lib/freebl/mpi/timetest
deleted file mode 100755
index c6f07bb308..0000000000
--- a/security/nss/lib/freebl/mpi/timetest
+++ /dev/null
@@ -1,99 +0,0 @@ -#!/bin/sh - -# Simple timing test for the MPI library. Basically, we use prime -# generation as a timing test, since it exercises most of the pathways -# of the library fairly heavily. The 'primegen' tool outputs a line -# summarizing timing results. We gather these and process them for -# statistical information, which is collected into a file. - -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -# Avoid using built-in shell echoes -ECHO=/bin/echo -MAKE=gmake -PERL=perl - -# Use a fixed seed so timings will be more consistent -# This one is the 11th-18th decimal digits of 'e' -#export SEED=45904523 -SEED=45904523; export SEED - -#------------------------------------------------------------------------ - -$ECHO "\n** Running timing tests for MPI library\n" - -$ECHO "Bringing 'metime' up to date ... " -if $MAKE metime ; then - : -else - $ECHO "\nMake failed to build metime.\n" - exit 1 -fi - -if [ ! -x ./metime ] ; then - $ECHO "\nCannot find 'metime' program, testing cannot continue.\n" - exit 1 -fi - -#------------------------------------------------------------------------ - -$ECHO "Bringing 'primegen' up to date ... " -if $MAKE primegen ; then - : -else - $ECHO "\nMake failed to build primegen.\n" - exit 1 -fi - -if [ ! -x ./primegen ] ; then - $ECHO "\nCannot find 'primegen' program, testing cannot continue.\n" - exit 1 -fi - -#------------------------------------------------------------------------ - -rm -f timing-results.txt -touch timing-results.txt - -sizes="256 512 1024 2048" -ntests=10 - -trap 'echo "oop!";rm -f tt*.tmp timing-results.txt;exit 0' INT HUP - -$ECHO "\n-- Modular exponentiation\n" -$ECHO "Modular exponentiation:" >> timing-results.txt - -$ECHO "Running $ntests modular exponentiations per test:" -for size in $sizes ; do - $ECHO "- Gathering statistics for $size bits ... 
" - secs=`./metime $ntests $size | tail -1 | awk '{print $2}'` - $ECHO "$size: " $secs " seconds per op" >> timing-results.txt - tail -1 timing-results.txt -done - -$ECHO "<done>"; - -sizes="256 512 1024" -ntests=1 - -$ECHO "\n-- Prime generation\n" -$ECHO "Prime generation:" >> timing-results.txt - -$ECHO "Generating $ntests prime values per test:" -for size in $sizes ; do - $ECHO "- Gathering statistics for $size bits ... " - ./primegen $size $ntests | grep ticks | awk '{print $7}' | tr -d '(' > tt$$.tmp - $ECHO "$size:" >> timing-results.txt - $PERL stats tt$$.tmp >> timing-results.txt - tail -1 timing-results.txt - rm -f tt$$.tmp -done - -$ECHO "<done>" - -trap 'rm -f tt*.tmp timing-results.txt' INT HUP - -exit 0 - diff --git a/security/nss/lib/freebl/mpi/types.pl b/security/nss/lib/freebl/mpi/types.pl deleted file mode 100755 index c5f38afa5d..0000000000 --- a/security/nss/lib/freebl/mpi/types.pl +++ /dev/null 
@@ -1,127 +0,0 @@ -#!/usr/bin/perl - -# -# types.pl - find recommended type definitions for digits and words -# -# This script scans the Makefile for the C compiler and compilation -# flags currently in use, and using this combination, attempts to -# compile a simple test program that outputs the sizes of the various -# unsigned integer types, in bytes. Armed with these, it finds all -# the "viable" type combinations for mp_digit and mp_word, where -# viability is defined by the requirement that mp_word be at least two -# times the precision of mp_digit. -# -# Of these, the one with the largest digit size is chosen, and -# appropriate typedef statements are written to standard output. - -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -@_=split(/\//,$0);chomp($prog=pop(@_)); - -# The array of integer types to be considered... -@TYPES = ( - "unsigned char", - "unsigned short", - "unsigned int", - "unsigned long" -); - -# Macro names for the maximum unsigned value of each type -%TMAX = ( - "unsigned char" => "UCHAR_MAX", - "unsigned short" => "USHRT_MAX", - "unsigned int" => "UINT_MAX", - "unsigned long" => "ULONG_MAX" -); - -# Read the Makefile to find out which C compiler to use -open(MFP, "<Makefile") or die "$prog: Makefile: $!\n"; -while(<MFP>) { - chomp; - if(/^CC=(.*)$/) { - $cc = $1; - last if $cflags; - } elsif(/^CFLAGS=(.*)$/) { - $cflags = $1; - last if $cc; - } -} -close(MFP); - -# If we couldn't find that, use 'cc' by default -$cc = "cc" unless $cc; - -printf STDERR "Using '%s' as the C compiler.\n", $cc; - -print STDERR "Determining type sizes ... 
\n"; -open(OFP, ">tc$$.c") or die "$prog: tc$$.c: $!\n"; -print OFP "#include <stdio.h>\n\nint main(void)\n{\n"; -foreach $type (@TYPES) { - printf OFP "\tprintf(\"%%d\\n\", (int)sizeof(%s));\n", $type; -} -print OFP "\n\treturn 0;\n}\n"; -close(OFP); - -system("$cc $cflags -o tc$$ tc$$.c"); - -die "$prog: unable to build test program\n" unless(-x "tc$$"); - -open(IFP, "./tc$$|") or die "$prog: can't execute test program\n"; -$ix = 0; -while(<IFP>) { - chomp; - $size{$TYPES[$ix++]} = $_; -} -close(IFP); - -unlink("tc$$"); -unlink("tc$$.c"); - -print STDERR "Selecting viable combinations ... \n"; -while(($type, $size) = each(%size)) { - push(@ts, [ $size, $type ]); -} - -# Sort them ascending by size -@ts = sort { $a->[0] <=> $b->[0] } @ts; - -# Try all possible combinations, finding pairs in which the word size -# is twice the digit size. The number of possible pairs is too small -# to bother doing this more efficiently than by brute force -for($ix = 0; $ix <= $#ts; $ix++) { - $w = $ts[$ix]; - - for($jx = 0; $jx <= $#ts; $jx++) { - $d = $ts[$jx]; - - if($w->[0] == 2 * $d->[0]) { - push(@valid, [ $d, $w ]); - } - } -} - -# Sort descending by digit size -@valid = sort { $b->[0]->[0] <=> $a->[0]->[0] } @valid; - -# Select the maximum as the recommended combination -$rec = shift(@valid); - -printf("typedef %-18s mp_sign;\n", "char"); -printf("typedef %-18s mp_digit; /* %d byte type */\n", - $rec->[0]->[1], $rec->[0]->[0]); -printf("typedef %-18s mp_word; /* %d byte type */\n", - $rec->[1]->[1], $rec->[1]->[0]); -printf("typedef %-18s mp_size;\n", "unsigned int"); -printf("typedef %-18s mp_err;\n\n", "int"); - -printf("#define %-18s (CHAR_BIT*sizeof(mp_digit))\n", "DIGIT_BIT"); -printf("#define %-18s %s\n", "DIGIT_MAX", $TMAX{$rec->[0]->[1]}); -printf("#define %-18s (CHAR_BIT*sizeof(mp_word))\n", "MP_WORD_BIT"); -printf("#define %-18s %s\n\n", "MP_WORD_MAX", $TMAX{$rec->[1]->[1]}); -printf("#define %-18s (DIGIT_MAX+1)\n\n", "RADIX"); - -printf("#define %-18s 
\"%%0%dX\"\n", "DIGIT_FMT", (2 * $rec->[0]->[0]));
-
-exit 0;
diff --git a/security/nss/lib/freebl/mpi/utils/LICENSE b/security/nss/lib/freebl/mpi/utils/LICENSE
deleted file mode 100644
index 5f96df7ab9..0000000000
--- a/security/nss/lib/freebl/mpi/utils/LICENSE
+++ /dev/null
@@ -1,4 +0,0 @@
-Within this directory, each of the file listed below is licensed under
-the terms given in the file LICENSE-MPL, also in this directory.
-
-PRIMES
diff --git a/security/nss/lib/freebl/mpi/utils/LICENSE-MPL b/security/nss/lib/freebl/mpi/utils/LICENSE-MPL
deleted file mode 100644
index 41dc2327f1..0000000000
--- a/security/nss/lib/freebl/mpi/utils/LICENSE-MPL
+++ /dev/null
@@ -1,3 +0,0 @@
-This Source Code Form is subject to the terms of the Mozilla Public
-License, v. 2.0. If a copy of the MPL was not distributed with this
-file, You can obtain one at http://mozilla.org/MPL/2.0/.
diff --git a/security/nss/lib/freebl/mpi/utils/PRIMES b/security/nss/lib/freebl/mpi/utils/PRIMES
deleted file mode 100644
index ed65703ff0..0000000000
--- a/security/nss/lib/freebl/mpi/utils/PRIMES
+++ /dev/null
@@ -1,41 +0,0 @@
-Probable primes (sorted by number of significant bits)
-
- 128: 81386202757205669562183851789305348631
-
- 128: 180241813863264101444573802809858694397
-
- 128: 245274683055224433281596312431122059021
-
- 128: 187522309397665259809392608791686659539
-
- 256: 83252422946206411852330647237287722547866360773229941071371588246436\
- 513990159
-
- 256: 79132571131322331023736933767063051273085304521895229780914612117520\
- 058517909
-
- 256: 72081815425552909748220041100909735706208853818662000557743644603407\
- 965465527
-
- 256: 87504602391905701494845474079163412737334477797316409702279059573654\
- 274811271
-
- 512: 12233064210800062190450937494718705259777386009095453001870729392786\
- 63450255179083524798507997690270500580265258111668148238355016411719\
- 9168737693316468563
-
- 512: 12003639081420725322369909586347545220275253633035565716386136197501\
- 88208318984400479275215620499883521216480724155582768193682335576385\
- 2069481074929084063
-
-1024: 16467877625718912296741904171202513097057724053648819680815842057593\
- 20371835940722471475475803725455063836431454757000451907612224427007\
- 63984592414360595161051906727075047683803534852982766542661204179549\
- 77327573530800542562611753617736693359790119074768292178493884576587\
- 0230450429880021317876149636714743053
-
-1024: 16602953991090311275234291158294516471009930684624948451178742895360\
- 86073703307475884280944414508444679430090561246728195735962931545473\
- 40743240318558456247740186704660778277799687988031119436541068736925\
- 20563780233711166724859277827382391527748470939542560819625727876091\
- 5372193745283891895989104479029844957
diff --git a/security/nss/lib/freebl/mpi/utils/README b/security/nss/lib/freebl/mpi/utils/README
deleted file mode 100644
index 61c8e2efa5..0000000000
--- a/security/nss/lib/freebl/mpi/utils/README
+++ /dev/null
@@ -1,206 +0,0 @@ -This Source Code Form is subject to the terms of the Mozilla Public -License, v. 2.0. If a copy of the MPL was not distributed with this -file, You can obtain one at http://mozilla.org/MPL/2.0/. - -Additional MPI utilities ------------------------- - -The files 'mpprime.h' and 'mpprime.c' define some useful extensions to -the MPI library for dealing with prime numbers (in particular, testing -for divisbility, and the Rabin-Miller probabilistic primality test). - -The files 'mplogic.h' and 'mplogic.c' define extensions to the MPI -library for doing bitwise logical operations and shifting. - -This document assumes you have read the help file for the MPI library -and understand its conventions. - -Divisibility (mpprime.h) ------------- - -To test a number for divisibility by another number: - -mpp_divis(a, b) - test if b|a -mpp_divis_d(a, d) - test if d|a - -Each of these functions returns MP_YES if its initial argument is -divisible by its second, or MP_NO if it is not. Other errors may be -returned as appropriate (such as MP_RANGE if you try to test for -divisibility by zero). - -Randomness (mpprime.h) ----------- - -To generate random data: - -mpp_random(a) - fill a with random data -mpp_random_size(a, p) - fill a with p digits of random data - -The mpp_random_size() function increases the precision of a to at -least p, then fills all those digits randomly. The mp_random() -function fills a to its current precision (as determined by the number -of significant digits, USED(a)) - -Note that these functions simply use the C library's rand() function -to fill a with random digits up to its precision. This should be -adequate for primality testing, but should not be used for -cryptographic applications where truly random values are required for -security. - -You should call srand() in your driver program in order to seed the -random generator; this function doesn't call it. 
- -Primality Testing (mpprime.h) ------------------ - -mpp_divis_vector(a, v, s, w) - is a divisible by any of the s values - in v, and if so, w = which. -mpp_divis_primes(a, np) - is a divisible by any of the first np primes? -mpp_fermat(a, w) - is a pseudoprime with respect to witness w? -mpp_pprime(a, nt) - run nt iterations of Rabin-Miller on a. - -The mpp_divis_vector() function tests a for divisibility by each -member of an array of digits. The array is v, the size of that array -is s. Returns MP_YES if a is divisible, and stores the index of the -offending digit in w. Returns MP_NO if a is not divisible by any of -the digits in the array. - -A small table of primes is compiled into the library (typically the -first 128 primes, although you can change this by editing the file -'primes.c' before you build). The global variable prime_tab_size -contains the number of primes in the table, and the values themselves -are in the array prime_tab[], which is an array of mp_digit. - -The mpp_divis_primes() function is basically just a wrapper around -mpp_divis_vector() that uses prime_tab[] as the test vector. The np -parameter is a pointer to an mp_digit -- on input, it should specify -the number of primes to be tested against. If a is divisible by any -of the primes, MP_YES is returned and np is given the prime value that -divided a (you can use this if you're factoring, for example). -Otherwise, MP_NO is returned and np is untouched. - -The function mpp_fermat() performs Fermat's test, using w as a -witness. This test basically relies on the fact that if a is prime, -and w is relatively prime to a, then: - - w^a = w (mod a) - -That is, - - w^(a - 1) = 1 (mod a) - -The function returns MP_YES if the test passes, MP_NO if it fails. If -w is relatively prime to a, and the test fails, a is definitely -composite. 
If w is relatively prime to a and the test passes, then a -is either prime, or w is a false witness (the probability of this -happening depends on the choice of w and of a ... consult a number -theory textbook for more information about this). - -Note: If (w, a) != 1, the output of this test is meaningless. ----- - -The function mpp_pprime() performs the Rabin-Miller probabilistic -primality test for nt rounds. If all the tests pass, MP_YES is -returned, and a is probably prime. The probability that an answer of -MP_YES is incorrect is no greater than 1 in 4^nt, and in fact is -usually much less than that (this is a pessimistic estimate). If any -test fails, MP_NO is returned, and a is definitely composite. - -Bruce Schneier recommends at least 5 iterations of this test for most -cryptographic applications; Knuth suggests that 25 are reasonable. -Run it as many times as you feel are necessary. - -See the programs 'makeprime.c' and 'isprime.c' for reasonable examples -of how to use these functions for primality testing. - - -Bitwise Logic (mplogic.c) -------------- - -The four commonest logical operations are implemented as: - -mpl_not(a, b) - Compute bitwise (one's) complement, b = ~a - -mpl_and(a, b, c) - Compute bitwise AND, c = a & b - -mpl_or(a, b, c) - Compute bitwise OR, c = a | b - -mpl_xor(a, b, c) - Compute bitwise XOR, c = a ^ b - -Left and right shifts are available as well. These take a number to -shift, a destination, and a shift amount. The shift amount must be a -digit value between 0 and DIGIT_BIT inclusive; if it is not, MP_RANGE -will be returned and the shift will not happen. - -mpl_rsh(a, b, d) - Compute logical right shift, b = a >> d - -mpl_lsh(a, b, d) - Compute logical left shift, b = a << d - -Since these are logical shifts, they fill with zeroes (the library -uses a signed magnitude representation, so there are no sign bits to -extend anyway). 
- - -Command-line Utilities ----------------------- - -A handful of interesting command-line utilities are provided. These -are: - -lap.c - Find the order of a mod m. Usage is 'lap <a> <m>'. - This uses a dumb algorithm, so don't use it for - a really big modulus. - -invmod.c - Find the inverse of a mod m, if it exists. Usage - is 'invmod <a> <m>' - -sieve.c - A simple bitmap-based implementation of the Sieve - of Eratosthenes. Used to generate the table of - primes in primes.c. Usage is 'sieve <nbits>' - -prng.c - Uses the routines in bbs_rand.{h,c} to generate - one or more 32-bit pseudo-random integers. This - is mainly an example, not intended for use in a - cryptographic application (the system time is - the only source of entropy used) - -dec2hex.c - Convert decimal to hexadecimal - -hex2dec.c - Convert hexadecimal to decimal - -basecvt.c - General radix conversion tool (supports 2-64) - -isprime.c - Probabilistically test an integer for primality - using the Rabin-Miller pseudoprime test combined - with division by small primes. - -primegen.c - Generate primes at random. - -exptmod.c - Perform modular exponentiation - -ptab.pl - A Perl script to munge the output of the sieve - program into a compilable C structure. - - -Other Files ------------ - -PRIMES - Some randomly generated numbers which are prime with - extremely high probability. - -README - You're reading me already. - - -About the Author ----------------- - -This software was written by Michael J. Fromberger. You can contact -the author as follows: - -E-mail: <sting@linguist.dartmouth.edu> - -Postal: 8000 Cummings Hall, Thayer School of Engineering - Dartmouth College, Hanover, New Hampshire, USA - -PGP key: http://linguist.dartmouth.edu/~sting/keys/mjf.html - 9736 188B 5AFA 23D6 D6AA BE0D 5856 4525 289D 9907 diff --git a/security/nss/lib/freebl/mpi/utils/basecvt.c b/security/nss/lib/freebl/mpi/utils/basecvt.c deleted file mode 100644 index 0e9915406f..0000000000 
--- a/security/nss/lib/freebl/mpi/utils/basecvt.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * basecvt.c
- *
- * Convert integer values specified on the command line from one input
- * base to another. Accepts input and output bases between 2 and 36
- * inclusive.
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "mpi.h"
-
-#define IBASE 10
-#define OBASE 16
-#define USAGE "Usage: %s ibase obase [value]\n"
-#define MAXBASE 64
-#define MINBASE 2
-
-int
-main(int argc, char *argv[])
-{
- int ix, ibase = IBASE, obase = OBASE;
- mp_int val;
-
- ix = 1;
- if (ix < argc) {
- ibase = atoi(argv[ix++]);
-
- if (ibase < MINBASE || ibase > MAXBASE) {
- fprintf(stderr, "%s: input radix must be between %d and %d inclusive\n",
- argv[0], MINBASE, MAXBASE);
- return 1;
- }
- }
- if (ix < argc) {
- obase = atoi(argv[ix++]);
-
- if (obase < MINBASE || obase > MAXBASE) {
- fprintf(stderr, "%s: output radix must be between %d and %d inclusive\n",
- argv[0], MINBASE, MAXBASE);
- return 1;
- }
- }
-
- mp_init(&val);
- while (ix < argc) {
- char *out;
- int outlen;
-
- mp_read_radix(&val, argv[ix++], ibase);
-
- outlen = mp_radix_size(&val, obase);
- out = calloc(outlen, sizeof(char));
- mp_toradix(&val, out, obase);
-
- printf("%s\n", out);
- free(out);
- }
-
- mp_clear(&val);
-
- return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/bbs_rand.c b/security/nss/lib/freebl/mpi/utils/bbs_rand.c
deleted file mode 100644
index fed2fe2e6a..0000000000
--- a/security/nss/lib/freebl/mpi/utils/bbs_rand.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Blum, Blum & Shub PRNG using the MPI library
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "bbs_rand.h"
-
-#define SEED 1
-#define MODULUS 2
-
-/* This modulus is the product of two randomly generated 512-bit
- prime integers, each of which is congruent to 3 (mod 4). */
-static char *bbs_modulus =
- "75A2A6E1D27393B86562B9CE7279A8403CB4258A637DAB5233465373E37837383EDC"
- "332282B8575927BC4172CE8C147B4894050EE9D2BDEED355C121037270CA2570D127"
- "7D2390CD1002263326635CC6B259148DE3A1A03201980A925E395E646A5E9164B0EC"
- "28559EBA58C87447245ADD0651EDA507056A1129E3A3E16E903D64B437";
-
-static int bbs_init = 0; /* flag set when library is initialized */
-static mp_int bbs_state; /* the current state of the generator */
-
-/* Suggested size of random seed data */
-int bbs_seed_size = (sizeof(bbs_modulus) / 2);
-
-void
-bbs_srand(unsigned char *data, int len)
-{
- if ((bbs_init & SEED) == 0) {
- mp_init(&bbs_state);
- bbs_init |= SEED;
- }
-
- mp_read_raw(&bbs_state, (char *)data, len);
-
-} /* end bbs_srand() */
-
-unsigned int
-bbs_rand(void)
-{
- static mp_int modulus;
- unsigned int result = 0, ix;
-
- if ((bbs_init & MODULUS) == 0) {
- mp_init(&modulus);
- mp_read_radix(&modulus, bbs_modulus, 16);
- bbs_init |= MODULUS;
- }
-
- for (ix = 0; ix < sizeof(unsigned int); ix++) {
- mp_digit d;
-
- mp_sqrmod(&bbs_state, &modulus, &bbs_state);
- d = DIGIT(&bbs_state, 0);
-
- result = (result << CHAR_BIT) | (d & UCHAR_MAX);
- }
-
- return result;
-
-} /* end bbs_rand() */
-
-/*------------------------------------------------------------------------*/
-/* HERE THERE BE DRAGONS */
diff --git a/security/nss/lib/freebl/mpi/utils/bbs_rand.h b/security/nss/lib/freebl/mpi/utils/bbs_rand.h
deleted file mode 100644
index d12269bf93..0000000000
--- a/security/nss/lib/freebl/mpi/utils/bbs_rand.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * bbs_rand.h
- *
- * Blum, Blum & Shub PRNG using the MPI library
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef _H_BBSRAND_
-#define _H_BBSRAND_
-
-#include <limits.h>
-#include "mpi.h"
-
-#define BBS_RAND_MAX UINT_MAX
-
-/* Suggested length of seed data */
-extern int bbs_seed_size;
-
-void bbs_srand(unsigned char *data, int len);
-unsigned int bbs_rand(void);
-
-#endif /* end _H_BBSRAND_ */
diff --git a/security/nss/lib/freebl/mpi/utils/bbsrand.c b/security/nss/lib/freebl/mpi/utils/bbsrand.c
deleted file mode 100644
index d9151e0056..0000000000
--- a/security/nss/lib/freebl/mpi/utils/bbsrand.c
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * bbsrand.c
- *
- * Test driver for routines in bbs_rand.h
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <limits.h>
-
-#include "bbs_rand.h"
-
-#define NUM_TESTS 100
-
-int
-main(void)
-{
- unsigned int seed, result, ix;
-
- seed = time(NULL);
- bbs_srand((unsigned char *)&seed, sizeof(seed));
-
- for (ix = 0; ix < NUM_TESTS; ix++) {
- result = bbs_rand();
-
- printf("Test %3u: %08X\n", ix + 1, result);
- }
-
- return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/dec2hex.c b/security/nss/lib/freebl/mpi/utils/dec2hex.c
deleted file mode 100644
index ef3a520957..0000000000
--- a/security/nss/lib/freebl/mpi/utils/dec2hex.c
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * dec2hex.c
- *
- * Convert decimal integers into hexadecimal
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "mpi.h"
-
-int
-main(int argc, char *argv[])
-{
- mp_int a;
- char *buf;
- int len;
-
- if (argc < 2) {
- fprintf(stderr, "Usage: %s <a>\n", argv[0]);
- return 1;
- }
-
- mp_init(&a);
- mp_read_radix(&a, argv[1], 10);
- len = mp_radix_size(&a, 16);
- buf = malloc(len);
- mp_toradix(&a, buf, 16);
-
- printf("%s\n", buf);
-
- free(buf);
- mp_clear(&a);
-
- return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/exptmod.c b/security/nss/lib/freebl/mpi/utils/exptmod.c
deleted file mode 100644
index 3ac9078f42..0000000000
--- a/security/nss/lib/freebl/mpi/utils/exptmod.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * exptmod.c
- *
- * Command line tool to perform modular exponentiation on arbitrary
- * precision integers.
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "mpi.h"
-
-int
-main(int argc, char *argv[])
-{
- mp_int a, b, m;
- mp_err res;
- char *str;
- int len, rval = 0;
-
- if (argc < 3) {
- fprintf(stderr, "Usage: %s <a> <b> <m>\n", argv[0]);
- return 1;
- }
-
- mp_init(&a);
- mp_init(&b);
- mp_init(&m);
- mp_read_radix(&a, argv[1], 10);
- mp_read_radix(&b, argv[2], 10);
- mp_read_radix(&m, argv[3], 10);
-
- if ((res = mp_exptmod(&a, &b, &m, &a)) != MP_OKAY) {
- fprintf(stderr, "%s: error: %s\n", argv[0], mp_strerror(res));
- rval = 1;
- } else {
- len = mp_radix_size(&a, 10);
- str = calloc(len, sizeof(char));
- mp_toradix(&a, str, 10);
-
- printf("%s\n", str);
-
- free(str);
- }
-
- mp_clear(&a);
- mp_clear(&b);
- mp_clear(&m);
-
- return rval;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/fact.c b/security/nss/lib/freebl/mpi/utils/fact.c
deleted file mode 100644
index da8e61a32f..0000000000
--- a/security/nss/lib/freebl/mpi/utils/fact.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * fact.c
- *
- * Compute factorial of input integer
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "mpi.h"
-
-mp_err mp_fact(mp_int *a, mp_int *b);
-
-int
-main(int argc, char *argv[])
-{
- mp_int a;
- mp_err res;
-
- if (argc < 2) {
- fprintf(stderr, "Usage: %s <number>\n", argv[0]);
- return 1;
- }
-
- mp_init(&a);
- mp_read_radix(&a, argv[1], 10);
-
- if ((res = mp_fact(&a, &a)) != MP_OKAY) {
- fprintf(stderr, "%s: error: %s\n", argv[0],
- mp_strerror(res));
- mp_clear(&a);
- return 1;
- }
-
- {
- char *buf;
- int len;
-
- len = mp_radix_size(&a, 10);
- buf = malloc(len);
- mp_todecimal(&a, buf);
-
- puts(buf);
-
- free(buf);
- }
-
- mp_clear(&a);
- return 0;
-}
-
-mp_err
-mp_fact(mp_int *a, mp_int *b)
-{
- mp_int ix, s;
- mp_err res = MP_OKAY;
-
- if (mp_cmp_z(a) < 0)
- return MP_UNDEF;
-
- mp_init(&s);
- mp_add_d(&s, 1, &s); /* s = 1 */
- mp_init(&ix);
- mp_add_d(&ix, 1, &ix); /* ix = 1 */
-
- for (/* */; mp_cmp(&ix, a) <= 0; mp_add_d(&ix, 1, &ix)) {
- if ((res = mp_mul(&s, &ix, &s)) != MP_OKAY)
- break;
- }
-
- mp_clear(&ix);
-
- /* Copy out results if we got them */
- if (res == MP_OKAY)
- mp_copy(&s, b);
-
- mp_clear(&s);
-
- return res;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/gcd.c b/security/nss/lib/freebl/mpi/utils/gcd.c
deleted file mode 100644
index 9f11a250b1..0000000000
--- a/security/nss/lib/freebl/mpi/utils/gcd.c
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * gcd.c
- *
- * Greatest common divisor
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "mpi.h"
-
-char *g_prog = NULL;
-
-void print_mp_int(mp_int *mp, FILE *ofp);
-
-int
-main(int argc, char *argv[])
-{
- mp_int a, b, x, y;
- mp_err res;
- int ext = 0;
-
- g_prog = argv[0];
-
- if (argc < 3) {
- fprintf(stderr, "Usage: %s <a> <b>\n", g_prog);
- return 1;
- }
-
- mp_init(&a);
- mp_read_radix(&a, argv[1], 10);
- mp_init(&b);
- mp_read_radix(&b, argv[2], 10);
-
- /* If we were called 'xgcd', compute x, y so that g = ax + by */
- if (strcmp(g_prog, "xgcd") == 0) {
- ext = 1;
- mp_init(&x);
- mp_init(&y);
- }
-
- if (ext) {
- if ((res = mp_xgcd(&a, &b, &a, &x, &y)) != MP_OKAY) {
- fprintf(stderr, "%s: error: %s\n", g_prog, mp_strerror(res));
- mp_clear(&a);
- mp_clear(&b);
- mp_clear(&x);
- mp_clear(&y);
- return 1;
- }
- } else {
- if ((res = mp_gcd(&a, &b, &a)) != MP_OKAY) {
- fprintf(stderr, "%s: error: %s\n", g_prog,
- mp_strerror(res));
- mp_clear(&a);
- mp_clear(&b);
- return 1;
- }
- }
-
- print_mp_int(&a, stdout);
- if (ext) {
- fputs("x = ", stdout);
- print_mp_int(&x, stdout);
- fputs("y = ", stdout);
- print_mp_int(&y, stdout);
- }
-
- mp_clear(&a);
- mp_clear(&b);
-
- if (ext) {
- mp_clear(&x);
- mp_clear(&y);
- }
-
- return 0;
-}
-
-void
-print_mp_int(mp_int *mp, FILE *ofp)
-{
- char *buf;
- int len;
-
- len = mp_radix_size(mp, 10);
- buf = calloc(len, sizeof(char));
- mp_todecimal(mp, buf);
- fprintf(ofp, "%s\n", buf);
- free(buf);
-}
diff --git a/security/nss/lib/freebl/mpi/utils/hex2dec.c b/security/nss/lib/freebl/mpi/utils/hex2dec.c
deleted file mode 100644
index 9b21d22e0e..0000000000
--- a/security/nss/lib/freebl/mpi/utils/hex2dec.c
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * hex2dec.c
- *
- * Convert decimal integers into hexadecimal
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "mpi.h"
-
-int
-main(int argc, char *argv[])
-{
- mp_int a;
- char *buf;
- int len;
-
- if (argc < 2) {
- fprintf(stderr, "Usage: %s <a>\n", argv[0]);
- return 1;
- }
-
- mp_init(&a);
- mp_read_radix(&a, argv[1], 16);
- len = mp_radix_size(&a, 10);
- buf = malloc(len);
- mp_toradix(&a, buf, 10);
-
- printf("%s\n", buf);
-
- free(buf);
- mp_clear(&a);
-
- return 0;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/identest.c b/security/nss/lib/freebl/mpi/utils/identest.c
deleted file mode 100644
index 321d2c2b05..0000000000
--- a/security/nss/lib/freebl/mpi/utils/identest.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include "mpi.h"
-#include "mpprime.h"
-#include <sys/types.h>
-#include <time.h>
-
-#define MAX_PREC (4096 / MP_DIGIT_BIT)
-
-mp_err
-identity_test(void)
-{
- mp_size preca, precb;
- mp_err res;
- mp_int a, b;
- mp_int t1, t2, t3, t4, t5;
-
- preca = (rand() % MAX_PREC) + 1;
- precb = (rand() % MAX_PREC) + 1;
-
- MP_DIGITS(&a) = 0;
- MP_DIGITS(&b) = 0;
- MP_DIGITS(&t1) = 0;
- MP_DIGITS(&t2) = 0;
- MP_DIGITS(&t3) = 0;
- MP_DIGITS(&t4) = 0;
- MP_DIGITS(&t5) = 0;
-
- MP_CHECKOK(mp_init(&a));
- MP_CHECKOK(mp_init(&b));
- MP_CHECKOK(mp_init(&t1));
- MP_CHECKOK(mp_init(&t2));
- MP_CHECKOK(mp_init(&t3));
- MP_CHECKOK(mp_init(&t4));
- MP_CHECKOK(mp_init(&t5));
-
- MP_CHECKOK(mpp_random_size(&a, preca));
- MP_CHECKOK(mpp_random_size(&b, precb));
-
- if (mp_cmp(&a, &b) < 0)
- mp_exch(&a, &b);
-
- MP_CHECKOK(mp_mod(&a, &b, &t1)); /* t1 = a%b */
- MP_CHECKOK(mp_div(&a, &b, &t2, NULL)); /* t2 = a/b */
- MP_CHECKOK(mp_mul(&b, &t2, &t3)); /* t3 = (a/b)*b */
- MP_CHECKOK(mp_add(&t1, &t3, &t4)); /* t4 = a%b + (a/b)*b */
- MP_CHECKOK(mp_sub(&t4, &a, &t5)); /* t5 = a%b + (a/b)*b - a */
- if (mp_cmp_z(&t5) != 0) {
- res = MP_UNDEF;
- goto CLEANUP;
- }
-
-CLEANUP:
- mp_clear(&t5);
- mp_clear(&t4);
- mp_clear(&t3);
- mp_clear(&t2);
- mp_clear(&t1);
- mp_clear(&b);
- mp_clear(&a);
- return res;
-}
-
-int
-main(void)
-{
- unsigned int seed = (unsigned int)time(NULL);
- unsigned long count = 0;
- mp_err res;
-
- srand(seed);
-
- while (MP_OKAY == (res = identity_test())) {
- if ((++count % 100) == 0)
- fputc('.', stderr);
- }
-
- fprintf(stderr, "\ntest failed, err %d\n", res);
- return res;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/invmod.c b/security/nss/lib/freebl/mpi/utils/invmod.c
deleted file mode 100644
index 9b4b04d3f5..0000000000
--- a/security/nss/lib/freebl/mpi/utils/invmod.c
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * invmod.c
- *
- * Compute modular inverses
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#include "mpi.h"
-
-int
-main(int argc, char *argv[])
-{
- mp_int a, m;
- mp_err res;
- char *buf;
- int len, out = 0;
-
- if (argc < 3) {
- fprintf(stderr, "Usage: %s <a> <m>\n", argv[0]);
- return 1;
- }
-
- mp_init(&a);
- mp_init(&m);
- mp_read_radix(&a, argv[1], 10);
- mp_read_radix(&m, argv[2], 10);
-
- if (mp_cmp(&a, &m) > 0)
- mp_mod(&a, &m, &a);
-
- switch ((res = mp_invmod(&a, &m, &a))) {
- case MP_OKAY:
- len = mp_radix_size(&a, 10);
- buf = malloc(len);
-
- mp_toradix(&a, buf, 10);
- printf("%s\n", buf);
- free(buf);
- break;
-
- case MP_UNDEF:
- printf("No inverse\n");
- out = 1;
- break;
-
- default:
- printf("error: %s (%d)\n", mp_strerror(res), res);
- out = 2;
- break;
- }
-
- mp_clear(&a);
- mp_clear(&m);
-
- return out;
-}
diff --git a/security/nss/lib/freebl/mpi/utils/isprime.c b/security/nss/lib/freebl/mpi/utils/isprime.c
deleted file mode 100644
index d2d86957e2..0000000000
--- a/security/nss/lib/freebl/mpi/utils/isprime.c
+++ /dev/null
@@ -1,89 +0,0 @@ -/* - * isprime.c - * - * Probabilistic primality tester command-line tool - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "mpi.h" -#include "mpprime.h" - -#define RM_TESTS 15 /* how many iterations of Rabin-Miller? */ -#define MINIMUM 1024 /* don't bother us with a < this */ - -int g_tests = RM_TESTS; -char *g_prog = NULL; - -int -main(int argc, char *argv[]) -{ - mp_int a; - mp_digit np = prime_tab_size; /* from mpprime.h */ - int res = 0; - - g_prog = argv[0]; - - if (argc < 2) { - fprintf(stderr, "Usage: %s <a>, where <a> is a decimal integer\n" - "Use '0x' prefix for a hexadecimal value\n", - g_prog); - return 1; - } - - /* Read number of tests from environment, if present */ - { - char *tmp; - - if ((tmp = PR_GetEnvSecure("RM_TESTS")) != NULL) { - if ((g_tests = atoi(tmp)) <= 0) - g_tests = RM_TESTS; - } - } - - mp_init(&a); - if (argv[1][0] == '0' && argv[1][1] == 'x') - mp_read_radix(&a, argv[1] + 2, 16); - else - mp_read_radix(&a, argv[1], 10); - - if (mp_cmp_d(&a, MINIMUM) <= 0) { - fprintf(stderr, "%s: please use a value greater than %d\n", - g_prog, MINIMUM); - mp_clear(&a); - return 1; - } - - /* Test for divisibility by small primes */ - if (mpp_divis_primes(&a, &np) != MP_NO) { - printf("Not prime (divisible by small prime %d)\n", np); - res = 2; - goto CLEANUP; - } - - /* Test with Fermat's test, using 2 as a witness */ - if (mpp_fermat(&a, 2) != MP_YES) { - printf("Not prime (failed Fermat test)\n"); - res = 2; - goto CLEANUP; - } - - /* Test with Rabin-Miller probabilistic test */ - if (mpp_pprime(&a, g_tests) == MP_NO) { - printf("Not prime (failed pseudoprime test)\n"); - res = 2; - goto CLEANUP; - } - - printf("Probably prime, 1 in 4^%d chance of false positive\n", g_tests); - -CLEANUP: - 
mp_clear(&a); - - return res; -} diff --git a/security/nss/lib/freebl/mpi/utils/lap.c b/security/nss/lib/freebl/mpi/utils/lap.c deleted file mode 100644 index 501e4531dd..0000000000 --- a/security/nss/lib/freebl/mpi/utils/lap.c +++ /dev/null @@ -1,90 +0,0 @@ -/* - * lap.c - * - * Find least annihilating power of a mod m - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <signal.h> - -#include "mpi.h" - -void sig_catch(int ign); - -int g_quit = 0; - -int -main(int argc, char *argv[]) -{ - mp_int a, m, p, k; - - if (argc < 3) { - fprintf(stderr, "Usage: %s <a> <m>\n", argv[0]); - return 1; - } - - mp_init(&a); - mp_init(&m); - mp_init(&p); - mp_add_d(&p, 1, &p); - - mp_read_radix(&a, argv[1], 10); - mp_read_radix(&m, argv[2], 10); - - mp_init_copy(&k, &a); - - signal(SIGINT, sig_catch); -#ifndef __OS2__ - signal(SIGHUP, sig_catch); -#endif - signal(SIGTERM, sig_catch); - - while (mp_cmp(&p, &m) < 0) { - if (g_quit) { - int len; - char *buf; - - len = mp_radix_size(&p, 10); - buf = malloc(len); - mp_toradix(&p, buf, 10); - - fprintf(stderr, "Terminated at: %s\n", buf); - free(buf); - return 1; - } - if (mp_cmp_d(&k, 1) == 0) { - int len; - char *buf; - - len = mp_radix_size(&p, 10); - buf = malloc(len); - mp_toradix(&p, buf, 10); - - printf("%s\n", buf); - - free(buf); - break; - } - - mp_mulmod(&k, &a, &m, &k); - mp_add_d(&p, 1, &p); - } - - if (mp_cmp(&p, &m) >= 0) - printf("No annihilating power.\n"); - - mp_clear(&p); - mp_clear(&m); - mp_clear(&a); - return 0; -} - -void -sig_catch(int ign) -{ - g_quit = 1; -} diff --git a/security/nss/lib/freebl/mpi/utils/makeprime.c b/security/nss/lib/freebl/mpi/utils/makeprime.c deleted file mode 100644 index 401b7532ba..0000000000 --- a/security/nss/lib/freebl/mpi/utils/makeprime.c +++ /dev/null 
@@ -1,116 +0,0 @@ -/* - * makeprime.c - * - * A simple prime generator function (and test driver). Prints out the - * first prime it finds greater than or equal to the starting value. - * - * Usage: makeprime <start> - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <ctype.h> - -/* These two must be included for make_prime() to work */ - -#include "mpi.h" -#include "mpprime.h" - -/* - make_prime(p, nr) - - Find the smallest prime integer greater than or equal to p, where - primality is verified by 'nr' iterations of the Rabin-Miller - probabilistic primality test. The caller is responsible for - generating the initial value of p. - - Returns MP_OKAY if a prime has been generated, otherwise the error - code indicates some other problem. The value of p is clobbered; the - caller should keep a copy if the value is needed. 
- */ -mp_err make_prime(mp_int *p, int nr); - -/* The main() is not required -- it's just a test driver */ -int -main(int argc, char *argv[]) -{ - mp_int start; - mp_err res; - - if (argc < 2) { - fprintf(stderr, "Usage: %s <start-value>\n", argv[0]); - return 1; - } - - mp_init(&start); - if (argv[1][0] == '0' && tolower(argv[1][1]) == 'x') { - mp_read_radix(&start, argv[1] + 2, 16); - } else { - mp_read_radix(&start, argv[1], 10); - } - mp_abs(&start, &start); - - if ((res = make_prime(&start, 5)) != MP_OKAY) { - fprintf(stderr, "%s: error: %s\n", argv[0], mp_strerror(res)); - mp_clear(&start); - - return 1; - - } else { - char *buf = malloc(mp_radix_size(&start, 10)); - - mp_todecimal(&start, buf); - printf("%s\n", buf); - free(buf); - - mp_clear(&start); - - return 0; - } - -} /* end main() */ - -/*------------------------------------------------------------------------*/ - -mp_err -make_prime(mp_int *p, int nr) -{ - mp_err res; - - if (mp_iseven(p)) { - mp_add_d(p, 1, p); - } - - do { - mp_digit which = prime_tab_size; - - /* First test for divisibility by a few small primes */ - if ((res = mpp_divis_primes(p, &which)) == MP_YES) - continue; - else if (res != MP_NO) - goto CLEANUP; - - /* If that passes, try one iteration of Fermat's test */ - if ((res = mpp_fermat(p, 2)) == MP_NO) - continue; - else if (res != MP_YES) - goto CLEANUP; - - /* If that passes, run Rabin-Miller as often as requested */ - if ((res = mpp_pprime(p, nr)) == MP_YES) - break; - else if (res != MP_NO) - goto CLEANUP; - - } while ((res = mp_add_d(p, 2, p)) == MP_OKAY); - -CLEANUP: - return res; - -} /* end make_prime() */ - -/*------------------------------------------------------------------------*/ -/* HERE THERE BE DRAGONS */ diff --git a/security/nss/lib/freebl/mpi/utils/metime.c b/security/nss/lib/freebl/mpi/utils/metime.c deleted file mode 100644 index 122875ee0d..0000000000 --- a/security/nss/lib/freebl/mpi/utils/metime.c +++ /dev/null 
@@ -1,102 +0,0 @@ -/* - * metime.c - * - * Modular exponentiation timing test - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <limits.h> -#include <time.h> - -#include "mpi.h" -#include "mpprime.h" - -double clk_to_sec(clock_t start, clock_t stop); - -int -main(int argc, char *argv[]) -{ - int ix, num, prec = 8; - unsigned int seed; - clock_t start, stop; - double sec; - - mp_int a, m, c; - - if (PR_GetEnvSecure("SEED") != NULL) - seed = abs(atoi(PR_GetEnvSecure("SEED"))); - else - seed = (unsigned int)time(NULL); - - if (argc < 2) { - fprintf(stderr, "Usage: %s <num-tests> [<nbits>]\n", argv[0]); - return 1; - } - - if ((num = atoi(argv[1])) < 0) - num = -num; - - if (!num) { - fprintf(stderr, "%s: must perform at least 1 test\n", argv[0]); - return 1; - } - - if (argc > 2) { - if ((prec = atoi(argv[2])) <= 0) - prec = 8; - else - prec = (prec + (DIGIT_BIT - 1)) / DIGIT_BIT; - } - - printf("Modular exponentiation timing test\n" - "Precision: %d digits (%d bits)\n" - "# of tests: %d\n\n", - prec, prec * DIGIT_BIT, num); - - mp_init_size(&a, prec); - mp_init_size(&m, prec); - mp_init_size(&c, prec); - - srand(seed); - - start = clock(); - for (ix = 0; ix < num; ix++) { - - mpp_random_size(&a, prec); - mpp_random_size(&c, prec); - mpp_random_size(&m, prec); - /* set msb and lsb of m */ - DIGIT(&m, 0) |= 1; - DIGIT(&m, USED(&m) - 1) |= (mp_digit)1 << (DIGIT_BIT - 1); - if (mp_cmp(&a, &m) > 0) - mp_sub(&a, &m, &a); - - mp_exptmod(&a, &c, &m, &c); - } - stop = clock(); - - sec = clk_to_sec(start, stop); - - printf("Total: %.3f seconds\n", sec); - printf("Individual: %.3f seconds\n", sec / num); - - mp_clear(&c); - mp_clear(&a); - mp_clear(&m); - - return 0; -} - -double -clk_to_sec(clock_t start, clock_t stop) -{ - return (double)(stop 
- start) / CLOCKS_PER_SEC; -} - -/*------------------------------------------------------------------------*/ -/* HERE THERE BE DRAGONS */ diff --git a/security/nss/lib/freebl/mpi/utils/pi.c b/security/nss/lib/freebl/mpi/utils/pi.c deleted file mode 100644 index 7e3109786f..0000000000 --- a/security/nss/lib/freebl/mpi/utils/pi.c +++ /dev/null 
@@ -1,171 +0,0 @@ -/* - * pi.c - * - * Compute pi to an arbitrary number of digits. Uses Machin's formula, - * like everyone else on the planet: - * - * pi = 16 * arctan(1/5) - 4 * arctan(1/239) - * - * This is pretty effective for up to a few thousand digits, but it - * gets pretty slow after that. - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <limits.h> -#include <time.h> - -#include "mpi.h" - -mp_err arctan(mp_digit mul, mp_digit x, mp_digit prec, mp_int *sum); - -int -main(int argc, char *argv[]) -{ - mp_err res; - mp_digit ndigits; - mp_int sum1, sum2; - clock_t start, stop; - int out = 0; - - /* Make the user specify precision on the command line */ - if (argc < 2) { - fprintf(stderr, "Usage: %s <num-digits>\n", argv[0]); - return 1; - } - - if ((ndigits = abs(atoi(argv[1]))) == 0) { - fprintf(stderr, "%s: you must request at least 1 digit\n", argv[0]); - return 1; - } - - start = clock(); - mp_init(&sum1); - mp_init(&sum2); - - /* sum1 = 16 * arctan(1/5) */ - if ((res = arctan(16, 5, ndigits, &sum1)) != MP_OKAY) { - fprintf(stderr, "%s: arctan: %s\n", argv[0], mp_strerror(res)); - out = 1; - goto CLEANUP; - } - - /* sum2 = 4 * arctan(1/239) */ - if ((res = arctan(4, 239, ndigits, &sum2)) != MP_OKAY) { - fprintf(stderr, "%s: arctan: %s\n", argv[0], mp_strerror(res)); - out = 1; - goto CLEANUP; - } - - /* pi = sum1 - sum2 */ - if ((res = mp_sub(&sum1, &sum2, &sum1)) != MP_OKAY) { - fprintf(stderr, "%s: mp_sub: %s\n", argv[0], mp_strerror(res)); - out = 1; - goto CLEANUP; - } - stop = clock(); - - /* Write the output in decimal */ - { - char *buf = malloc(mp_radix_size(&sum1, 10)); - - if (buf == NULL) { - fprintf(stderr, "%s: out of memory\n", argv[0]); - out = 1; - goto CLEANUP; - } - mp_todecimal(&sum1, buf); - 
printf("%s\n", buf); - free(buf); - } - - fprintf(stderr, "Computation took %.2f sec.\n", - (double)(stop - start) / CLOCKS_PER_SEC); - -CLEANUP: - mp_clear(&sum1); - mp_clear(&sum2); - - return out; -} - -/* Compute sum := mul * arctan(1/x), to 'prec' digits of precision */ -mp_err -arctan(mp_digit mul, mp_digit x, mp_digit prec, mp_int *sum) -{ - mp_int t, v; - mp_digit q = 1, rd; - mp_err res; - int sign = 1; - - prec += 3; /* push inaccuracies off the end */ - - mp_init(&t); - mp_set(&t, 10); - mp_init(&v); - if ((res = mp_expt_d(&t, prec, &t)) != MP_OKAY || /* get 10^prec */ - (res = mp_mul_d(&t, mul, &t)) != MP_OKAY || /* ... times mul */ - (res = mp_mul_d(&t, x, &t)) != MP_OKAY) /* ... times x */ - goto CLEANUP; - - /* - The extra multiplication by x in the above takes care of what - would otherwise have to be a special case for 1 / x^1 during the - first loop iteration. A little sneaky, but effective. - - We compute arctan(1/x) by the formula: - - 1 1 1 1 - - - ----- + ----- - ----- + ... - x 3 x^3 5 x^5 7 x^7 - - We multiply through by 'mul' beforehand, which gives us a couple - more iterations and more precision - */ - - x *= x; /* works as long as x < sqrt(RADIX), which it is here */ - - mp_zero(sum); - - do { - if ((res = mp_div_d(&t, x, &t, &rd)) != MP_OKAY) - goto CLEANUP; - - if (sign < 0 && rd != 0) - mp_add_d(&t, 1, &t); - - if ((res = mp_div_d(&t, q, &v, &rd)) != MP_OKAY) - goto CLEANUP; - - if (sign < 0 && rd != 0) - mp_add_d(&v, 1, &v); - - if (sign > 0) - res = mp_add(sum, &v, sum); - else - res = mp_sub(sum, &v, sum); - - if (res != MP_OKAY) - goto CLEANUP; - - sign *= -1; - q += 2; - - } while (mp_cmp_z(&t) != 0); - - /* Chop off inaccurate low-order digits */ - mp_div_d(sum, 1000, sum, NULL); - -CLEANUP: - mp_clear(&v); - mp_clear(&t); - - return res; -} - -/*------------------------------------------------------------------------*/ -/* HERE THERE BE DRAGONS */ 
diff --git a/security/nss/lib/freebl/mpi/utils/primegen.c b/security/nss/lib/freebl/mpi/utils/primegen.c deleted file mode 100644 index f62a56a4ee..0000000000 --- a/security/nss/lib/freebl/mpi/utils/primegen.c +++ /dev/null 
@@ -1,159 +0,0 @@ -/* - * primegen.c - * - * Generates random integers which are prime with a high degree of - * probability using the Miller-Rabin probabilistic primality testing - * algorithm. - * - * Usage: - * primegen <bits> [<num>] - * - * <bits> - number of significant bits each prime should have - * <num> - number of primes to generate - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <limits.h> -#include <time.h> - -#include "mpi.h" -#include "mplogic.h" -#include "mpprime.h" - -#define NUM_TESTS 5 /* Number of Rabin-Miller iterations to test with */ - -#ifdef DEBUG -#define FPUTC(x, y) fputc(x, y) -#else -#define FPUTC(x, y) -#endif - -int -main(int argc, char *argv[]) -{ - unsigned char *raw; - char *out; - unsigned long nTries; - int rawlen, bits, outlen, ngen, ix, jx; - int g_strong = 0; - mp_int testval; - mp_err res; - clock_t start, end; - - /* We'll just use the C library's rand() for now, although this - won't be good enough for cryptographic purposes */ - if ((out = PR_GetEnvSecure("SEED")) == NULL) { - srand((unsigned int)time(NULL)); - } else { - srand((unsigned int)atoi(out)); - } - - if (argc < 2) { - fprintf(stderr, "Usage: %s <bits> [<count> [strong]]\n", argv[0]); - return 1; - } - - if ((bits = abs(atoi(argv[1]))) < CHAR_BIT) { - fprintf(stderr, "%s: please request at least %d bits.\n", - argv[0], CHAR_BIT); - return 1; - } - - /* If optional third argument is given, use that as the number of - primes to generate; otherwise generate one prime only. - */ - if (argc < 3) { - ngen = 1; - } else { - ngen = abs(atoi(argv[2])); - } - - /* If fourth argument is given, and is the word "strong", we'll - generate strong (Sophie Germain) primes. 
- */ - if (argc > 3 && strcmp(argv[3], "strong") == 0) - g_strong = 1; - - /* testval - candidate being tested; nTries - number tried so far */ - if ((res = mp_init(&testval)) != MP_OKAY) { - fprintf(stderr, "%s: error: %s\n", argv[0], mp_strerror(res)); - return 1; - } - - if (g_strong) { - printf("Requested %d strong prime value(s) of %d bits.\n", - ngen, bits); - } else { - printf("Requested %d prime value(s) of %d bits.\n", ngen, bits); - } - - rawlen = (bits / CHAR_BIT) + ((bits % CHAR_BIT) ? 1 : 0) + 1; - - if ((raw = calloc(rawlen, sizeof(unsigned char))) == NULL) { - fprintf(stderr, "%s: out of memory, sorry.\n", argv[0]); - return 1; - } - - /* This loop is one for each prime we need to generate */ - for (jx = 0; jx < ngen; jx++) { - - raw[0] = 0; /* sign is positive */ - - /* Pack the initializer with random bytes */ - for (ix = 1; ix < rawlen; ix++) - raw[ix] = (rand() * rand()) & UCHAR_MAX; - - raw[1] |= 0x80; /* set high-order bit of test value */ - raw[rawlen - 1] |= 1; /* set low-order bit of test value */ - - /* Make an mp_int out of the initializer */ - mp_read_raw(&testval, (char *)raw, rawlen); - - /* Initialize candidate counter */ - nTries = 0; - - start = clock(); /* time generation for this prime */ - do { - res = mpp_make_prime(&testval, bits, g_strong, &nTries); - if (res != MP_NO) - break; - /* This code works whether digits are 16 or 32 bits */ - res = mp_add_d(&testval, 32 * 1024, &testval); - res = mp_add_d(&testval, 32 * 1024, &testval); - FPUTC(',', stderr); - } while (1); - end = clock(); - - if (res != MP_YES) { - break; - } - FPUTC('\n', stderr); - puts("The following value is probably prime:"); - outlen = mp_radix_size(&testval, 10); - out = calloc(outlen, sizeof(unsigned char)); - mp_toradix(&testval, (char *)out, 10); - printf("10: %s\n", out); - mp_toradix(&testval, (char *)out, 16); - printf("16: %s\n\n", out); - free(out); - - printf("Number of candidates tried: %lu\n", nTries); - printf("This computation took %ld clock ticks 
(%.2f seconds)\n", - (end - start), ((double)(end - start) / CLOCKS_PER_SEC)); - - FPUTC('\n', stderr); - } /* end of loop to generate all requested primes */ - - if (res != MP_OKAY) - fprintf(stderr, "%s: error: %s\n", argv[0], mp_strerror(res)); - - free(raw); - mp_clear(&testval); - - return 0; -} diff --git a/security/nss/lib/freebl/mpi/utils/prng.c b/security/nss/lib/freebl/mpi/utils/prng.c deleted file mode 100644 index 38748d18eb..0000000000 --- a/security/nss/lib/freebl/mpi/utils/prng.c +++ /dev/null @@ -1,57 +0,0 @@ -/* - * prng.c - * - * Command-line pseudo-random number generator - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include <stdio.h> -#include <stdlib.h> -#include <limits.h> -#include <time.h> - -#ifdef __OS2__ -#include <types.h> -#include <process.h> -#else -#include <unistd.h> -#endif - -#include "bbs_rand.h" - -int -main(int argc, char *argv[]) -{ - unsigned char *seed; - unsigned int ix, num = 1; - pid_t pid; - - if (argc > 1) { - num = atoi(argv[1]); - if (num <= 0) - num = 1; - } - - pid = getpid(); - srand(time(NULL) * (unsigned int)pid); - - /* Not a perfect seed, but not bad */ - seed = malloc(bbs_seed_size); - for (ix = 0; ix < bbs_seed_size; ix++) { - seed[ix] = rand() % UCHAR_MAX; - } - - bbs_srand(seed, bbs_seed_size); - memset(seed, 0, bbs_seed_size); - free(seed); - - while (num-- > 0) { - ix = bbs_rand(); - - printf("%u\n", ix); - } - - return 0; -} diff --git a/security/nss/lib/freebl/mpi/utils/ptab.pl b/security/nss/lib/freebl/mpi/utils/ptab.pl deleted file mode 100755 index ef2e565be3..0000000000 --- a/security/nss/lib/freebl/mpi/utils/ptab.pl +++ /dev/null 
@@ -1,26 +0,0 @@ -#!/usr/bin/perl - -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -while(<>) { - chomp; - push(@primes, $_); -} - -printf("mp_size prime_tab_size = %d;\n", ($#primes + 1)); -print "mp_digit prime_tab[] = {\n"; - -print "\t"; -$last = pop(@primes); -foreach $prime (sort {$a<=>$b} @primes) { - printf("0x%04X, ", $prime); - $brk = ($brk + 1) % 8; - print "\n\t" if(!$brk); -} -printf("0x%04X", $last); -print "\n" if($brk); -print "};\n\n"; - -exit 0; diff --git a/security/nss/lib/freebl/mpi/utils/sieve.c b/security/nss/lib/freebl/mpi/utils/sieve.c deleted file mode 100644 index 57768af9ef..0000000000 --- a/security/nss/lib/freebl/mpi/utils/sieve.c +++ /dev/null 
@@ -1,243 +0,0 @@ -/* - * sieve.c - * - * Finds prime numbers using the Sieve of Eratosthenes - * - * This implementation uses a bitmap to represent all odd integers in a - * given range. We iterate over this bitmap, crossing off the - * multiples of each prime we find. At the end, all the remaining set - * bits correspond to prime integers. - * - * Here, we make two passes -- once we have generated a sieve-ful of - * primes, we copy them out, reset the sieve using the highest - * generated prime from the first pass as a base. Then we cross out - * all the multiples of all the primes we found the first time through, - * and re-sieve. In this way, we get double use of the memory we - * allocated for the sieve the first time though. Since we also - * implicitly ignore multiples of 2, this amounts to 4 times the - * values. - * - * This could (and probably will) be generalized to re-use the sieve a - * few more times. - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
*/ - -#include <stdio.h> -#include <stdlib.h> -#include <limits.h> - -typedef unsigned char byte; - -typedef struct { - int size; - byte *bits; - long base; - int next; - int nbits; -} sieve; - -void sieve_init(sieve *sp, long base, int nbits); -void sieve_grow(sieve *sp, int nbits); -long sieve_next(sieve *sp); -void sieve_reset(sieve *sp, long base); -void sieve_cross(sieve *sp, long val); -void sieve_clear(sieve *sp); - -#define S_ISSET(S, B) (((S)->bits[(B) / CHAR_BIT] >> ((B) % CHAR_BIT)) & 1) -#define S_SET(S, B) ((S)->bits[(B) / CHAR_BIT] |= (1 << ((B) % CHAR_BIT))) -#define S_CLR(S, B) ((S)->bits[(B) / CHAR_BIT] &= ~(1 << ((B) % CHAR_BIT))) -#define S_VAL(S, B) ((S)->base + (2 * (B))) -#define S_BIT(S, V) (((V) - ((S)->base)) / 2) - -int -main(int argc, char *argv[]) -{ - sieve s; - long pr, *p; - int c, ix, cur = 0; - - if (argc < 2) { - fprintf(stderr, "Usage: %s <width>\n", argv[0]); - return 1; - } - - c = atoi(argv[1]); - if (c < 0) - c = -c; - - fprintf(stderr, "%s: sieving to %d positions\n", argv[0], c); - - sieve_init(&s, 3, c); - - c = 0; - while ((pr = sieve_next(&s)) > 0) { - ++c; - } - - p = calloc(c, sizeof(long)); - if (!p) { - fprintf(stderr, "%s: out of memory after first half\n", argv[0]); - sieve_clear(&s); - exit(1); - } - - fprintf(stderr, "%s: half done ... \n", argv[0]); - - for (ix = 0; ix < s.nbits; ix++) { - if (S_ISSET(&s, ix)) { - p[cur] = S_VAL(&s, ix); - printf("%ld\n", p[cur]); - ++cur; - } - } - - sieve_reset(&s, p[cur - 1]); - fprintf(stderr, "%s: crossing off %d found primes ... \n", argv[0], cur); - for (ix = 0; ix < cur; ix++) { - sieve_cross(&s, p[ix]); - if (!(ix % 1000)) - fputc('.', stderr); - } - fputc('\n', stderr); - - free(p); - - fprintf(stderr, "%s: sieving again from %ld ... 
\n", argv[0], p[cur - 1]); - c = 0; - while ((pr = sieve_next(&s)) > 0) { - ++c; - } - - fprintf(stderr, "%s: done!\n", argv[0]); - for (ix = 0; ix < s.nbits; ix++) { - if (S_ISSET(&s, ix)) { - printf("%ld\n", S_VAL(&s, ix)); - } - } - - sieve_clear(&s); - - return 0; -} - -void -sieve_init(sieve *sp, long base, int nbits) -{ - sp->size = (nbits / CHAR_BIT); - - if (nbits % CHAR_BIT) - ++sp->size; - - sp->bits = calloc(sp->size, sizeof(byte)); - memset(sp->bits, UCHAR_MAX, sp->size); - if (!(base & 1)) - ++base; - sp->base = base; - - sp->next = 0; - sp->nbits = sp->size * CHAR_BIT; -} - -void -sieve_grow(sieve *sp, int nbits) -{ - int ns = (nbits / CHAR_BIT); - - if (nbits % CHAR_BIT) - ++ns; - - if (ns > sp->size) { - byte *tmp; - int ix; - - tmp = calloc(ns, sizeof(byte)); - if (tmp == NULL) { - fprintf(stderr, "Error: out of memory in sieve_grow\n"); - return; - } - - memcpy(tmp, sp->bits, sp->size); - for (ix = sp->size; ix < ns; ix++) { - tmp[ix] = UCHAR_MAX; - } - - free(sp->bits); - sp->bits = tmp; - sp->size = ns; - - sp->nbits = sp->size * CHAR_BIT; - } -} - -long -sieve_next(sieve *sp) -{ - long out; - int ix = 0; - long val; - - if (sp->next > sp->nbits) - return -1; - - out = S_VAL(sp, sp->next); -#ifdef DEBUG - fprintf(stderr, "Sieving %ld\n", out); -#endif - - /* Sieve out all multiples of the current prime */ - val = out; - while (ix < sp->nbits) { - val += out; - ix = S_BIT(sp, val); - if ((val & 1) && ix < sp->nbits) { /* && S_ISSET(sp, ix)) { */ - S_CLR(sp, ix); -#ifdef DEBUG - fprintf(stderr, "Crossing out %ld (bit %d)\n", val, ix); -#endif - } - } - - /* Scan ahead to the next prime */ - ++sp->next; - while (sp->next < sp->nbits && !S_ISSET(sp, sp->next)) - ++sp->next; - - return out; -} - -void -sieve_cross(sieve *sp, long val) -{ - int ix = 0; - long cur = val; - - while (cur < sp->base) - cur += val; - - ix = S_BIT(sp, cur); - while (ix < sp->nbits) { - if (cur & 1) - S_CLR(sp, ix); - cur += val; - ix = S_BIT(sp, cur); - } -} - -void 
-sieve_reset(sieve *sp, long base) -{ - memset(sp->bits, UCHAR_MAX, sp->size); - sp->base = base; - sp->next = 0; -} - -void -sieve_clear(sieve *sp) -{ - if (sp->bits) - free(sp->bits); - - sp->bits = NULL; -} diff --git a/security/nss/lib/freebl/os2_rand.c b/security/nss/lib/freebl/os2_rand.c deleted file mode 100644 index 407b08014a..0000000000 --- a/security/nss/lib/freebl/os2_rand.c +++ /dev/null 
@@ -1,334 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#define INCL_DOS -#define INCL_DOSERRORS -#include <os2.h> -#include "secrng.h" -#include "prerror.h" -#include <stdlib.h> -#include <time.h> -#include <stdio.h> -#include <sys/stat.h> - -static BOOL -clockTickTime(unsigned long *phigh, unsigned long *plow) -{ - APIRET rc = NO_ERROR; - QWORD qword = { 0, 0 }; - - rc = DosTmrQueryTime(&qword); - if (rc != NO_ERROR) - return FALSE; - - *phigh = qword.ulHi; - *plow = qword.ulLo; - - return TRUE; -} - -size_t -RNG_GetNoise(void *buf, size_t maxbuf) -{ - unsigned long high = 0; - unsigned long low = 0; - clock_t val = 0; - int n = 0; - int nBytes = 0; - time_t sTime; - - if (maxbuf <= 0) - return 0; - - clockTickTime(&high, &low); - - /* get the maximally changing bits first */ - nBytes = sizeof(low) > maxbuf ? maxbuf : sizeof(low); - memcpy(buf, &low, nBytes); - n += nBytes; - maxbuf -= nBytes; - - if (maxbuf <= 0) - return n; - - nBytes = sizeof(high) > maxbuf ? maxbuf : sizeof(high); - memcpy(((char *)buf) + n, &high, nBytes); - n += nBytes; - maxbuf -= nBytes; - - if (maxbuf <= 0) - return n; - - /* get the number of milliseconds that have elapsed since application started */ - val = clock(); - - nBytes = sizeof(val) > maxbuf ? maxbuf : sizeof(val); - memcpy(((char *)buf) + n, &val, nBytes); - n += nBytes; - maxbuf -= nBytes; - - if (maxbuf <= 0) - return n; - - /* get the time in seconds since midnight Jan 1, 1970 */ - time(&sTime); - nBytes = sizeof(sTime) > maxbuf ? 
maxbuf : sizeof(sTime); - memcpy(((char *)buf) + n, &sTime, nBytes); - n += nBytes; - - return n; -} - -static BOOL -EnumSystemFiles(void (*func)(const char *)) -{ - APIRET rc; - ULONG sysInfo = 0; - char bootLetter[2]; - char sysDir[_MAX_PATH] = ""; - char filename[_MAX_PATH]; - HDIR hdir = HDIR_CREATE; - ULONG numFiles = 1; - FILEFINDBUF3 fileBuf = { 0 }; - ULONG buflen = sizeof(FILEFINDBUF3); - - if (DosQuerySysInfo(QSV_BOOT_DRIVE, QSV_BOOT_DRIVE, (PVOID)&sysInfo, - sizeof(ULONG)) == NO_ERROR) { - bootLetter[0] = sysInfo + 'A' - 1; - bootLetter[1] = '\0'; - strcpy(sysDir, bootLetter); - strcpy(sysDir + 1, ":\\OS2\\"); - - strcpy(filename, sysDir); - strcat(filename, "*.*"); - } - - rc = DosFindFirst(filename, &hdir, FILE_NORMAL, &fileBuf, buflen, - &numFiles, FIL_STANDARD); - if (rc == NO_ERROR) { - do { - // pass the full pathname to the callback - sprintf(filename, "%s%s", sysDir, fileBuf.achName); - (*func)(filename); - - numFiles = 1; - rc = DosFindNext(hdir, &fileBuf, buflen, &numFiles); - if (rc != NO_ERROR && rc != ERROR_NO_MORE_FILES) - printf("DosFindNext errod code = %d\n", rc); - } while (rc == NO_ERROR); - - rc = DosFindClose(hdir); - if (rc != NO_ERROR) - printf("DosFindClose error code = %d", rc); - } else - printf("DosFindFirst error code = %d", rc); - - return TRUE; -} - -static int dwNumFiles, dwReadEvery, dwFileToRead = 0; - -static void -CountFiles(const char *file) -{ - dwNumFiles++; -} - -static void -ReadFiles(const char *file) -{ - if ((dwNumFiles % dwReadEvery) == 0) - RNG_FileForRNG(file); - - dwNumFiles++; -} - -static void -ReadSingleFile(const char *filename) -{ - unsigned char buffer[1024]; - FILE *file; - - file = fopen((char *)filename, "rb"); - if (file != NULL) { - while (fread(buffer, 1, sizeof(buffer), file) > 0) - ; - fclose(file); - } -} - -static void -ReadOneFile(const char *file) -{ - if (dwNumFiles == dwFileToRead) { - ReadSingleFile(file); - } - - dwNumFiles++; -} - -static void -ReadSystemFiles(void) -{ - // first count 
the number of files - dwNumFiles = 0; - if (!EnumSystemFiles(CountFiles)) - return; - - RNG_RandomUpdate(&dwNumFiles, sizeof(dwNumFiles)); - - // now read 10 files - if (dwNumFiles == 0) - return; - - dwReadEvery = dwNumFiles / 10; - if (dwReadEvery == 0) - dwReadEvery = 1; // less than 10 files - - dwNumFiles = 0; - EnumSystemFiles(ReadFiles); -} - -void -RNG_SystemInfoForRNG(void) -{ - unsigned long *plong = 0; - PTIB ptib; - PPIB ppib; - APIRET rc = NO_ERROR; - DATETIME dt; - COUNTRYCODE cc = { 0 }; - COUNTRYINFO ci = { 0 }; - unsigned long actual = 0; - char path[_MAX_PATH] = ""; - char fullpath[_MAX_PATH] = ""; - unsigned long pathlength = sizeof(path); - FSALLOCATE fsallocate; - FILESTATUS3 fstatus; - unsigned long defaultdrive = 0; - unsigned long logicaldrives = 0; - unsigned long sysInfo[QSV_MAX] = { 0 }; - char buffer[20]; - int nBytes = 0; - - nBytes = RNG_GetNoise(buffer, sizeof(buffer)); - RNG_RandomUpdate(buffer, nBytes); - - /* allocate memory and use address and memory */ - plong = (unsigned long *)malloc(sizeof(*plong)); - RNG_RandomUpdate(&plong, sizeof(plong)); - RNG_RandomUpdate(plong, sizeof(*plong)); - free(plong); - - /* process info */ - rc = DosGetInfoBlocks(&ptib, &ppib); - if (rc == NO_ERROR) { - RNG_RandomUpdate(ptib, sizeof(*ptib)); - RNG_RandomUpdate(ppib, sizeof(*ppib)); - } - - /* time */ - rc = DosGetDateTime(&dt); - if (rc == NO_ERROR) { - RNG_RandomUpdate(&dt, sizeof(dt)); - } - - /* country */ - rc = DosQueryCtryInfo(sizeof(ci), &cc, &ci, &actual); - if (rc == NO_ERROR) { - RNG_RandomUpdate(&cc, sizeof(cc)); - RNG_RandomUpdate(&ci, sizeof(ci)); - RNG_RandomUpdate(&actual, sizeof(actual)); - } - - /* current directory */ - rc = DosQueryCurrentDir(0, path, &pathlength); - strcat(fullpath, "\\"); - strcat(fullpath, path); - if (rc == NO_ERROR) { - RNG_RandomUpdate(fullpath, strlen(fullpath)); - // path info - rc = DosQueryPathInfo(fullpath, FIL_STANDARD, &fstatus, sizeof(fstatus)); - if (rc == NO_ERROR) { - 
RNG_RandomUpdate(&fstatus, sizeof(fstatus)); - } - } - - /* file system info */ - rc = DosQueryFSInfo(0, FSIL_ALLOC, &fsallocate, sizeof(fsallocate)); - if (rc == NO_ERROR) { - RNG_RandomUpdate(&fsallocate, sizeof(fsallocate)); - } - - /* drive info */ - rc = DosQueryCurrentDisk(&defaultdrive, &logicaldrives); - if (rc == NO_ERROR) { - RNG_RandomUpdate(&defaultdrive, sizeof(defaultdrive)); - RNG_RandomUpdate(&logicaldrives, sizeof(logicaldrives)); - } - - /* system info */ - rc = DosQuerySysInfo(1L, QSV_MAX, (PVOID)&sysInfo, sizeof(ULONG) * QSV_MAX); - if (rc == NO_ERROR) { - RNG_RandomUpdate(&sysInfo, sizeof(sysInfo)); - } - - // now let's do some files - ReadSystemFiles(); - - /* more noise */ - nBytes = RNG_GetNoise(buffer, sizeof(buffer)); - RNG_RandomUpdate(buffer, nBytes); -} - -void -RNG_FileForRNG(const char *filename) -{ - struct stat stat_buf; - unsigned char buffer[1024]; - FILE *file = 0; - int nBytes = 0; - static int totalFileBytes = 0; - - if (stat((char *)filename, &stat_buf) < 0) - return; - - RNG_RandomUpdate((unsigned char *)&stat_buf, sizeof(stat_buf)); - - file = fopen((char *)filename, "r"); - if (file != NULL) { - for (;;) { - size_t bytes = fread(buffer, 1, sizeof(buffer), file); - - if (bytes == 0) - break; - - RNG_RandomUpdate(buffer, bytes); - totalFileBytes += bytes; - if (totalFileBytes > 250000) - break; - } - fclose(file); - } - - nBytes = RNG_GetNoise(buffer, 20); - RNG_RandomUpdate(buffer, nBytes); -} - -static void -rng_systemJitter(void) -{ - dwNumFiles = 0; - EnumSystemFiles(ReadOneFile); - dwFileToRead++; - if (dwFileToRead >= dwNumFiles) { - dwFileToRead = 0; - } -} - -size_t -RNG_SystemRNG(void *dest, size_t maxLen) -{ - return rng_systemFromNoise(dest, maxLen); -} diff --git a/security/nss/lib/freebl/rijndael.c b/security/nss/lib/freebl/rijndael.c index 4bb1826930..e4ad60388f 100644 --- a/security/nss/lib/freebl/rijndael.c +++ b/security/nss/lib/freebl/rijndael.c 
@@ -18,27 +18,14 @@
 #include "cts.h"
 #include "ctr.h"
 #include "gcm.h"
+#include "mpi.h"
 #ifdef USE_HW_AES
 #include "intel-aes.h"
 #endif
-
-#include "mpi.h"
-
-#ifdef USE_HW_AES
-static int has_intel_aes = 0;
-static PRBool use_hw_aes = PR_FALSE;
-
 #ifdef INTEL_GCM
 #include "intel-gcm.h"
-static int has_intel_avx = 0;
-static int has_intel_clmul = 0;
-static PRBool use_hw_gcm = PR_FALSE;
-#if defined(_MSC_VER) && !defined(_M_IX86)
-#include <intrin.h> /* for _xgetbv() */
-#endif
-#endif
-#endif /* USE_HW_AES */
+#endif /* INTEL_GCM */
 /*
  * There are currently five ways to build this code, varying in performance
@@ -379,7 +366,7 @@ init_rijndael_tables(void)
  * Nk == 8 where it happens twice in every key word, in the same positions).
  * For now, I'm implementing this case "dumbly", w/o any unrolling.
  */
-static SECStatus
+static void
 rijndael_key_expansion7(AESContext *cx, const unsigned char *key, unsigned int Nk)
 {
 unsigned int i;
@@ -400,14 +387,169 @@ rijndael_key_expansion7(AESContext *cx, const unsigned char *key, unsigned int N
 tmp = SUBBYTE(tmp);
 *pW = W[i - Nk] ^ tmp;
 }
- return SECSuccess;
+}
+
+#if defined(NSS_X86_OR_X64)
+#define EXPAND_KEY128(k, rcon, res) \
+ tmp_key = _mm_aeskeygenassist_si128(k, rcon); \
+ tmp_key = _mm_shuffle_epi32(tmp_key, 0xFF); \
+ tmp = _mm_xor_si128(k, _mm_slli_si128(k, 4)); \
+ tmp = _mm_xor_si128(tmp, _mm_slli_si128(tmp, 4)); \
+ tmp = _mm_xor_si128(tmp, _mm_slli_si128(tmp, 4)); \
+ res = _mm_xor_si128(tmp, tmp_key)
+
+static void
+native_key_expansion128(AESContext *cx, const unsigned char *key)
+{
+ __m128i *keySchedule = cx->keySchedule;
+ pre_align __m128i tmp_key post_align;
+ pre_align __m128i tmp post_align;
+ keySchedule[0] = _mm_loadu_si128((__m128i *)key);
+ EXPAND_KEY128(keySchedule[0], 0x01, keySchedule[1]);
+ EXPAND_KEY128(keySchedule[1], 0x02, keySchedule[2]);
+ EXPAND_KEY128(keySchedule[2], 0x04, keySchedule[3]);
+ EXPAND_KEY128(keySchedule[3], 0x08, keySchedule[4]);
+ EXPAND_KEY128(keySchedule[4], 0x10, keySchedule[5]);
+ EXPAND_KEY128(keySchedule[5], 0x20, keySchedule[6]);
+ EXPAND_KEY128(keySchedule[6], 0x40, keySchedule[7]);
+ EXPAND_KEY128(keySchedule[7], 0x80, keySchedule[8]);
+ EXPAND_KEY128(keySchedule[8], 0x1B, keySchedule[9]);
+ EXPAND_KEY128(keySchedule[9], 0x36, keySchedule[10]);
+}
+
+#define EXPAND_KEY192_PART1(res, k0, kt, rcon) \
+ tmp2 = _mm_slli_si128(k0, 4); \
+ tmp1 = _mm_xor_si128(k0, tmp2); \
+ tmp2 = _mm_slli_si128(tmp2, 4); \
+ tmp1 = _mm_xor_si128(_mm_xor_si128(tmp1, tmp2), _mm_slli_si128(tmp2, 4)); \
+ tmp2 = _mm_aeskeygenassist_si128(kt, rcon); \
+ res = _mm_xor_si128(tmp1, _mm_shuffle_epi32(tmp2, 0x55))
+
+#define EXPAND_KEY192_PART2(res, k1, k2) \
+ tmp2 = _mm_xor_si128(k1, _mm_slli_si128(k1, 4)); \
+ res = _mm_xor_si128(tmp2, _mm_shuffle_epi32(k2, 0xFF))
+
+#define EXPAND_KEY192(k0, res1, res2, res3, carry, rcon1, rcon2) \
+ EXPAND_KEY192_PART1(tmp3, k0, res1, rcon1); \
+ EXPAND_KEY192_PART2(carry, res1, tmp3); \
+ res1 = _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(res1), \
+ _mm_castsi128_pd(tmp3), 0)); \
+ res2 = _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(tmp3), \
+ _mm_castsi128_pd(carry), 1)); \
+ EXPAND_KEY192_PART1(res3, tmp3, carry, rcon2)
+
+static void
+native_key_expansion192(AESContext *cx, const unsigned char *key)
+{
+ __m128i *keySchedule = cx->keySchedule;
+ pre_align __m128i tmp1 post_align;
+ pre_align __m128i tmp2 post_align;
+ pre_align __m128i tmp3 post_align;
+ pre_align __m128i carry post_align;
+ keySchedule[0] = _mm_loadu_si128((__m128i *)key);
+ keySchedule[1] = _mm_loadu_si128((__m128i *)(key + 16));
+ EXPAND_KEY192(keySchedule[0], keySchedule[1], keySchedule[2],
+ keySchedule[3], carry, 0x1, 0x2);
+ EXPAND_KEY192_PART2(keySchedule[4], carry, keySchedule[3]);
+ EXPAND_KEY192(keySchedule[3], keySchedule[4], keySchedule[5],
+ keySchedule[6], carry, 0x4, 0x8);
+ EXPAND_KEY192_PART2(keySchedule[7], carry, keySchedule[6]);
+ EXPAND_KEY192(keySchedule[6], keySchedule[7], keySchedule[8],
+ keySchedule[9], carry, 0x10, 0x20);
+ EXPAND_KEY192_PART2(keySchedule[10], carry, keySchedule[9]);
+ EXPAND_KEY192(keySchedule[9], keySchedule[10], keySchedule[11],
+ keySchedule[12], carry, 0x40, 0x80);
+}
+
+#define EXPAND_KEY256_PART(res, rconx, k1x, k2x, X) \
+ tmp_key = _mm_shuffle_epi32(_mm_aeskeygenassist_si128(k2x, rconx), X); \
+ tmp2 = _mm_slli_si128(k1x, 4); \
+ tmp1 = _mm_xor_si128(k1x, tmp2); \
+ tmp2 = _mm_slli_si128(tmp2, 4); \
+ tmp1 = _mm_xor_si128(_mm_xor_si128(tmp1, tmp2), _mm_slli_si128(tmp2, 4)); \
+ res = _mm_xor_si128(tmp1, tmp_key);
+
+#define EXPAND_KEY256(res1, res2, k1, k2, rcon) \
+ EXPAND_KEY256_PART(res1, rcon, k1, k2, 0xFF); \
+ EXPAND_KEY256_PART(res2, 0x00, k2, res1, 0xAA)
+
+static void
+native_key_expansion256(AESContext *cx, const unsigned char *key)
+{
+ __m128i *keySchedule = cx->keySchedule;
+ pre_align __m128i tmp_key post_align;
+ pre_align __m128i tmp1 post_align;
+ pre_align __m128i tmp2 post_align;
+ keySchedule[0] = _mm_loadu_si128((__m128i *)key);
+ keySchedule[1] = _mm_loadu_si128((__m128i *)(key + 16));
+ EXPAND_KEY256(keySchedule[2], keySchedule[3], keySchedule[0],
+ keySchedule[1], 0x01);
+ EXPAND_KEY256(keySchedule[4], keySchedule[5], keySchedule[2],
+ keySchedule[3], 0x02);
+ EXPAND_KEY256(keySchedule[6], keySchedule[7], keySchedule[4],
+ keySchedule[5], 0x04);
+ EXPAND_KEY256(keySchedule[8], keySchedule[9], keySchedule[6],
+ keySchedule[7], 0x08);
+ EXPAND_KEY256(keySchedule[10], keySchedule[11], keySchedule[8],
+ keySchedule[9], 0x10);
+ EXPAND_KEY256(keySchedule[12], keySchedule[13], keySchedule[10],
+ keySchedule[11], 0x20);
+ EXPAND_KEY256_PART(keySchedule[14], 0x40, keySchedule[12],
+ keySchedule[13], 0xFF);
+}
+
+#endif /* NSS_X86_OR_X64 */
+
+/*
+ * AES key expansion using aes-ni instructions.
+ */
+static void
+native_key_expansion(AESContext *cx, const unsigned char *key, unsigned int Nk)
+{
+#ifdef NSS_X86_OR_X64
+ switch (Nk) {
+ case 4:
+ native_key_expansion128(cx, key);
+ return;
+ case 6:
+ native_key_expansion192(cx, key);
+ return;
+ case 8:
+ native_key_expansion256(cx, key);
+ return;
+ default:
+ /* This shouldn't happen. */
+ PORT_Assert(0);
+ }
+#else
+ PORT_Assert(0);
+#endif /* NSS_X86_OR_X64 */
+}
+
+static void
+native_encryptBlock(AESContext *cx,
+ unsigned char *output,
+ const unsigned char *input)
+{
+#ifdef NSS_X86_OR_X64
+ int i;
+ pre_align __m128i m post_align = _mm_loadu_si128((__m128i *)input);
+ m = _mm_xor_si128(m, cx->keySchedule[0]);
+ for (i = 1; i < cx->Nr; ++i) {
+ m = _mm_aesenc_si128(m, cx->keySchedule[i]);
+ }
+ m = _mm_aesenclast_si128(m, cx->keySchedule[cx->Nr]);
+ _mm_storeu_si128((__m128i *)output, m);
+#else
+ PORT_Assert(0);
+#endif /* NSS_X86_OR_X64 */
 }
 /* rijndael_key_expansion
 *
 * Generate the expanded key from the key input by the user.
 */
-static SECStatus
+static void
 rijndael_key_expansion(AESContext *cx, const unsigned char *key, unsigned int Nk)
 {
 unsigned int i;
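Review bot: In native_key_expansion the `default:` case and the non-x86 `#else` branch only call PORT_Assert(0), and if that macro is compiled out in non-debug builds (as NSPR's PR_ASSERT is) the function returns with cx->keySchedule untouched while the new void return type gives the caller nothing to check; native_encryptBlock has the same shape and would return without writing `output`. Whether those paths are reachable depends on the CPU-feature gating in the callers, which is outside this hunk, so the contract should at least be stated, e.g. `/* Precondition: the caller has verified AES-NI support and Nk is 4, 6 or 8; a violation is not reported in non-debug builds. */`, or the SECStatus return kept so the default case fails closed. The EXPAND_KEY* macros also assign to tmp_key/tmp/tmp1/tmp2/tmp3/carry that each caller must declare, and EXPAND_KEY256_PART ends its expansion with a `;` unlike the other macros, so EXPAND_KEY256 expands to a stray empty statement. As a smaller point, `_mm_loadu_si128((__m128i *)key)` discards the const on `key`; `(const __m128i *)key` matches the intrinsic's `__m128i const *` parameter and keeps the qualifier honest.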
@@ -415,8 +557,10 @@ rijndael_key_expansion(AESContext *cx, const unsigned char *key, unsigned int Nk PRUint32 *pW; PRUint32 tmp; unsigned int round_key_words = cx->Nb * (cx->Nr + 1); - if (Nk == 7) - return rijndael_key_expansion7(cx, key, Nk); + if (Nk == 7) { + rijndael_key_expansion7(cx, key, Nk); + return; + } W = cx->expandedKey; /* The first Nk words contain the input cipher key */ memcpy(W, key, Nk * 4); @@ -475,7 +619,6 @@ rijndael_key_expansion(AESContext *cx, const unsigned char *key, unsigned int Nk *pW = W[i - Nk] ^ tmp; } } - return SECSuccess; } /* rijndael_invkey_expansion @@ -483,7 +626,7 @@ rijndael_key_expansion(AESContext *cx, const unsigned char *key, unsigned int Nk * Generate the expanded key for the inverse cipher from the key input by * the user. */ -static SECStatus +static void rijndael_invkey_expansion(AESContext *cx, const unsigned char *key, unsigned int Nk) { unsigned int r; @@ -491,8 +634,7 @@ rijndael_invkey_expansion(AESContext *cx, const unsigned char *key, unsigned int PRUint8 *b; int Nb = cx->Nb; /* begins like usual key expansion ... */ - if (rijndael_key_expansion(cx, key, Nk) != SECSuccess) - return SECFailure; + rijndael_key_expansion(cx, key, Nk); /* ... but has the additional step of InvMixColumn, * excepting the first and last round keys. */ @@ -534,12 +676,11 @@ rijndael_invkey_expansion(AESContext *cx, const unsigned char *key, unsigned int IMXC2(b[2]) ^ IMXC3(b[3]); } } - return SECSuccess; } + /************************************************************************** * - * Stuff related to Rijndael encryption/decryption, optimized for - * a 128-bit blocksize. + * Stuff related to Rijndael encryption/decryption. * *************************************************************************/ 
@@ -567,7 +708,7 @@ typedef union { #define STATE_BYTE(i) state.b[i] -static SECStatus NO_SANITIZE_ALIGNMENT +static void NO_SANITIZE_ALIGNMENT rijndael_encryptBlock128(AESContext *cx, unsigned char *output, const unsigned char *input) @@ -660,7 +801,6 @@ rijndael_encryptBlock128(AESContext *cx, memcpy(output, outBuf, sizeof outBuf); } #endif - return SECSuccess; } static SECStatus NO_SANITIZE_ALIGNMENT 
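Review bot: rijndael_encryptBlock128 is changed to void here, while rijndael_decryptBlock128, whose signature is this hunk's last context line, keeps SECStatus and rijndael_decryptECB/rijndael_decryptCBC later on this page still test its result. If the decrypt block function cannot fail either, making it void as well removes a dead error path; if it can, the condition under which it returns SECFailure deserves a comment on its definition, e.g. `/* Returns SECFailure only when <document the failing case>. */`. The bodies of both block functions lie outside the hunk.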
@@ -757,104 +897,6 @@ rijndael_decryptBlock128(AESContext *cx, /************************************************************************** * - * Stuff related to general Rijndael encryption/decryption, for blocksizes - * greater than 128 bits. - * - * XXX This code is currently untested! So far, AES specs have only been - * released for 128 bit blocksizes. This will be tested, but for now - * only the code above has been tested using known values. - * - *************************************************************************/ - -#define COLUMN(array, j) *((PRUint32 *)(array + j)) - -SECStatus -rijndael_encryptBlock(AESContext *cx, - unsigned char *output, - const unsigned char *input) -{ - return SECFailure; -#ifdef rijndael_large_blocks_fixed - unsigned int j, r, Nb; - unsigned int c2 = 0, c3 = 0; - PRUint32 *roundkeyw; - PRUint8 clone[RIJNDAEL_MAX_STATE_SIZE]; - Nb = cx->Nb; - roundkeyw = cx->expandedKey; - /* Step 1: Add Round Key 0 to initial state */ - for (j = 0; j < 4 * Nb; j += 4) { - COLUMN(clone, j) = COLUMN(input, j) ^ *roundkeyw++; - } - /* Step 2: Loop over rounds [1..NR-1] */ - for (r = 1; r < cx->Nr; ++r) { - for (j = 0; j < Nb; ++j) { - COLUMN(output, j) = T0(STATE_BYTE(4 * j)) ^ - T1(STATE_BYTE(4 * ((j + 1) % Nb) + 1)) ^ - T2(STATE_BYTE(4 * ((j + c2) % Nb) + 2)) ^ - T3(STATE_BYTE(4 * ((j + c3) % Nb) + 3)); - } - for (j = 0; j < 4 * Nb; j += 4) { - COLUMN(clone, j) = COLUMN(output, j) ^ *roundkeyw++; - } - } - /* Step 3: Do the last round */ - /* Final round does not employ MixColumn */ - for (j = 0; j < Nb; ++j) { - COLUMN(output, j) = ((BYTE0WORD(T2(STATE_BYTE(4 * j)))) | - (BYTE1WORD(T3(STATE_BYTE(4 * (j + 1) % Nb) + 1))) | - (BYTE2WORD(T0(STATE_BYTE(4 * (j + c2) % Nb) + 2))) | - (BYTE3WORD(T1(STATE_BYTE(4 * (j + c3) % Nb) + 3)))) ^ - *roundkeyw++; - } - return SECSuccess; -#endif -} - -SECStatus -rijndael_decryptBlock(AESContext *cx, - unsigned char *output, - const unsigned char *input) -{ - return SECFailure; -#ifdef 
rijndael_large_blocks_fixed - int j, r, Nb; - int c2 = 0, c3 = 0; - PRUint32 *roundkeyw; - PRUint8 clone[RIJNDAEL_MAX_STATE_SIZE]; - Nb = cx->Nb; - roundkeyw = cx->expandedKey + cx->Nb * cx->Nr + 3; - /* reverse key addition */ - for (j = 4 * Nb; j >= 0; j -= 4) { - COLUMN(clone, j) = COLUMN(input, j) ^ *roundkeyw--; - } - /* Loop over rounds in reverse [NR..1] */ - for (r = cx->Nr; r > 1; --r) { - /* Invert the (InvByteSub*InvMixColumn)(InvShiftRow(state)) */ - for (j = 0; j < Nb; ++j) { - COLUMN(output, 4 * j) = TInv0(STATE_BYTE(4 * j)) ^ - TInv1(STATE_BYTE(4 * (j + Nb - 1) % Nb) + 1) ^ - TInv2(STATE_BYTE(4 * (j + Nb - c2) % Nb) + 2) ^ - TInv3(STATE_BYTE(4 * (j + Nb - c3) % Nb) + 3); - } - /* Invert the key addition step */ - for (j = 4 * Nb; j >= 0; j -= 4) { - COLUMN(clone, j) = COLUMN(output, j) ^ *roundkeyw--; - } - } - /* inverse sub */ - for (j = 0; j < 4 * Nb; ++j) { - output[j] = SINV(clone[j]); - } - /* final key addition */ - for (j = 4 * Nb; j >= 0; j -= 4) { - COLUMN(output, j) ^= *roundkeyw--; - } - return SECSuccess; -#endif -} - -/************************************************************************** - * * Rijndael modes of operation (ECB and CBC) * *************************************************************************/ 
@@ -862,22 +904,21 @@ rijndael_decryptBlock(AESContext *cx, static SECStatus rijndael_encryptECB(AESContext *cx, unsigned char *output, unsigned int *outputLen, unsigned int maxOutputLen, - const unsigned char *input, unsigned int inputLen, - unsigned int blocksize) + const unsigned char *input, unsigned int inputLen) { - SECStatus rv; AESBlockFunc *encryptor; - encryptor = (blocksize == RIJNDAEL_MIN_BLOCKSIZE) - ? &rijndael_encryptBlock128 - : &rijndael_encryptBlock; + if (aesni_support()) { + /* Use hardware acceleration for normal AES parameters. */ + encryptor = &native_encryptBlock; + } else { + encryptor = &rijndael_encryptBlock128; + } while (inputLen > 0) { - rv = (*encryptor)(cx, output, input); - if (rv != SECSuccess) - return rv; - output += blocksize; - input += blocksize; - inputLen -= blocksize; + (*encryptor)(cx, output, input); + output += AES_BLOCK_SIZE; + input += AES_BLOCK_SIZE; + inputLen -= AES_BLOCK_SIZE; } return SECSuccess; } 
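Review bot: The encryptor selection in rijndael_encryptECB is gated on `aesni_support()` alone, whereas aes_InitContext (hunk @@ -1148 on this page) runs native_key_expansion only when `use_hw_aes`, i.e. `aesni_support() && (keysize % 8) == 0`, holds. For a 20- or 28-byte key, which the `keysize % 4 != 0` check still admits, an AES-NI machine therefore gets a schedule written by rijndael_key_expansion but consumed by native_encryptBlock through the keySchedule/expandedKey union; whether the two layouts agree for those Nk values is not evident from this hunk and should be confirmed, or the predicate made identical to the one used at init time (recording the choice in the context at init would keep them in lockstep). The next hunk's rijndael_encryptCBC always uses the software block function, presumably because the hardware CBC path goes through cx->worker instead; a one-line comment saying so would stop readers asking why the two differ.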
@@ -885,58 +926,44 @@ rijndael_encryptECB(AESContext *cx, unsigned char *output, static SECStatus rijndael_encryptCBC(AESContext *cx, unsigned char *output, unsigned int *outputLen, unsigned int maxOutputLen, - const unsigned char *input, unsigned int inputLen, - unsigned int blocksize) + const unsigned char *input, unsigned int inputLen) { unsigned int j; - SECStatus rv; - AESBlockFunc *encryptor; unsigned char *lastblock; - unsigned char inblock[RIJNDAEL_MAX_STATE_SIZE * 8]; + unsigned char inblock[AES_BLOCK_SIZE * 8]; if (!inputLen) return SECSuccess; lastblock = cx->iv; - encryptor = (blocksize == RIJNDAEL_MIN_BLOCKSIZE) - ? &rijndael_encryptBlock128 - : &rijndael_encryptBlock; while (inputLen > 0) { /* XOR with the last block (IV if first block) */ - for (j = 0; j < blocksize; ++j) + for (j = 0; j < AES_BLOCK_SIZE; ++j) { inblock[j] = input[j] ^ lastblock[j]; + } /* encrypt */ - rv = (*encryptor)(cx, output, inblock); - if (rv != SECSuccess) - return rv; + rijndael_encryptBlock128(cx, output, inblock); /* move to the next block */ lastblock = output; - output += blocksize; - input += blocksize; - inputLen -= blocksize; + output += AES_BLOCK_SIZE; + input += AES_BLOCK_SIZE; + inputLen -= AES_BLOCK_SIZE; } - memcpy(cx->iv, lastblock, blocksize); + memcpy(cx->iv, lastblock, AES_BLOCK_SIZE); return SECSuccess; } static SECStatus rijndael_decryptECB(AESContext *cx, unsigned char *output, unsigned int *outputLen, unsigned int maxOutputLen, - const unsigned char *input, unsigned int inputLen, - unsigned int blocksize) + const unsigned char *input, unsigned int inputLen) { - SECStatus rv; - AESBlockFunc *decryptor; - - decryptor = (blocksize == RIJNDAEL_MIN_BLOCKSIZE) - ? 
&rijndael_decryptBlock128 - : &rijndael_decryptBlock; while (inputLen > 0) { - rv = (*decryptor)(cx, output, input); - if (rv != SECSuccess) - return rv; - output += blocksize; - input += blocksize; - inputLen -= blocksize; + if (rijndael_decryptBlock128(cx, output, input) != SECSuccess) { + return SECFailure; + } + output += AES_BLOCK_SIZE; + input += AES_BLOCK_SIZE; + inputLen -= AES_BLOCK_SIZE; } return SECSuccess; } 
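Review bot: `unsigned char inblock[AES_BLOCK_SIZE * 8];` in rijndael_encryptCBC is eight times larger than what the function uses: the loop below fills exactly AES_BLOCK_SIZE bytes and a single block is handed to rijndael_encryptBlock128. The `* 8` reads like a leftover from the old RIJNDAEL_MAX_STATE_SIZE sizing; `unsigned char inblock[AES_BLOCK_SIZE];` states the intent. The function's header is in the previous physical line of this hunk.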
@@ -944,43 +971,37 @@ rijndael_decryptECB(AESContext *cx, unsigned char *output, static SECStatus rijndael_decryptCBC(AESContext *cx, unsigned char *output, unsigned int *outputLen, unsigned int maxOutputLen, - const unsigned char *input, unsigned int inputLen, - unsigned int blocksize) + const unsigned char *input, unsigned int inputLen) { - SECStatus rv; - AESBlockFunc *decryptor; const unsigned char *in; unsigned char *out; unsigned int j; - unsigned char newIV[RIJNDAEL_MAX_BLOCKSIZE]; + unsigned char newIV[AES_BLOCK_SIZE]; if (!inputLen) return SECSuccess; PORT_Assert(output - input >= 0 || input - output >= (int)inputLen); - decryptor = (blocksize == RIJNDAEL_MIN_BLOCKSIZE) - ? &rijndael_decryptBlock128 - : &rijndael_decryptBlock; - in = input + (inputLen - blocksize); - memcpy(newIV, in, blocksize); - out = output + (inputLen - blocksize); - while (inputLen > blocksize) { - rv = (*decryptor)(cx, out, in); - if (rv != SECSuccess) - return rv; - for (j = 0; j < blocksize; ++j) - out[j] ^= in[(int)(j - blocksize)]; - out -= blocksize; - in -= blocksize; - inputLen -= blocksize; + in = input + (inputLen - AES_BLOCK_SIZE); + memcpy(newIV, in, AES_BLOCK_SIZE); + out = output + (inputLen - AES_BLOCK_SIZE); + while (inputLen > AES_BLOCK_SIZE) { + if (rijndael_decryptBlock128(cx, out, in) != SECSuccess) { + return SECFailure; + } + for (j = 0; j < AES_BLOCK_SIZE; ++j) + out[j] ^= in[(int)(j - AES_BLOCK_SIZE)]; + out -= AES_BLOCK_SIZE; + in -= AES_BLOCK_SIZE; + inputLen -= AES_BLOCK_SIZE; } if (in == input) { - rv = (*decryptor)(cx, out, in); - if (rv != SECSuccess) - return rv; - for (j = 0; j < blocksize; ++j) + if (rijndael_decryptBlock128(cx, out, in) != SECSuccess) { + return SECFailure; + } + for (j = 0; j < AES_BLOCK_SIZE; ++j) out[j] ^= cx->iv[j]; } - memcpy(cx->iv, newIV, blocksize); + memcpy(cx->iv, newIV, AES_BLOCK_SIZE); return SECSuccess; } 
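Review bot: `out[j] ^= in[(int)(j - AES_BLOCK_SIZE)];` in rijndael_decryptCBC relies on unsigned wrap-around of `j - AES_BLOCK_SIZE` followed by an implementation-defined conversion back to int to obtain a negative index. `out[j] ^= (in - AES_BLOCK_SIZE)[j];` expresses the previous-ciphertext-block access directly and without the cast. The idiom was carried over from the removed lines, so this is a pre-existing pattern the rewrite kept rather than a regression.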
@@ -996,41 +1017,15 @@ rijndael_decryptCBC(AESContext *cx, unsigned char *output, AESContext * AES_AllocateContext(void) { - return PORT_ZNew(AESContext); -} - -#ifdef INTEL_GCM -/* - * Adapted from the example code in "How to detect New Instruction support in - * the 4th generation Intel Core processor family" by Max Locktyukhin. - * - * XGETBV: - * Reads an extended control register (XCR) specified by ECX into EDX:EAX. - */ -static PRBool -check_xcr0_ymm() -{ - PRUint32 xcr0; -#if defined(_MSC_VER) -#if defined(_M_IX86) - __asm { - mov ecx, 0 - xgetbv - mov xcr0, eax + /* aligned_alloc is C11 so we have to do it the old way. */ + AESContext *ctx = PORT_ZAlloc(sizeof(AESContext) + 15); + if (ctx == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; } -#else - xcr0 = (PRUint32)_xgetbv(0); /* Requires VS2010 SP1 or later. */ -#endif -#else - __asm__("xgetbv" - : "=a"(xcr0) - : "c"(0) - : "%edx"); -#endif - /* Check if xmm and ymm state are enabled in XCR0. */ - return (xcr0 & 6) == 6; + ctx->mem = ctx; + return (AESContext *)(((uintptr_t)ctx + 15) & ~(uintptr_t)0x0F); } -#endif /* ** Initialize a new AES context suitable for AES encryption/decryption in 
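Review bot: In AES_AllocateContext, `ctx->mem = ctx;` is stored through the unaligned pointer, but the caller receives the rounded-up pointer, so whenever PORT_ZAlloc returns memory that is not already 16-byte aligned the returned context's `mem` is still the zero left by ZAlloc, `PORT_Free(cx->mem)` in AES_DestroyContext (hunk @@ -1287 on this page) frees NULL, and the allocation leaks; the stray write also lands inside the returned object, overlapping whichever field sits at that offset. Store the field through the aligned pointer instead: `AESContext *aligned = (AESContext *)(((uintptr_t)ctx + 15) & ~(uintptr_t)0x0F); aligned->mem = ctx; return aligned;`. Contexts obtained any other way (a caller's own allocation passed to AES_InitContext, which does not set `mem`) would have `mem` unset and no alignment guarantee for the __m128i keySchedule; whether such callers exist is not visible here but is worth confirming.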
@@ -1039,21 +1034,19 @@ check_xcr0_ymm() */ static SECStatus aes_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize, - const unsigned char *iv, int mode, unsigned int encrypt, - unsigned int blocksize) + const unsigned char *iv, int mode, unsigned int encrypt) { unsigned int Nk; - /* According to Rijndael AES Proposal, section 12.1, block and key - * lengths between 128 and 256 bits are supported, as long as the + PRBool use_hw_aes; + /* According to AES, block lengths are 128 and key lengths are 128, 192, or + * 256 bits. We support other key sizes as well [128, 256] as long as the * length in bytes is divisible by 4. */ + if (key == NULL || - keysize < RIJNDAEL_MIN_BLOCKSIZE || - keysize > RIJNDAEL_MAX_BLOCKSIZE || - keysize % 4 != 0 || - blocksize < RIJNDAEL_MIN_BLOCKSIZE || - blocksize > RIJNDAEL_MAX_BLOCKSIZE || - blocksize % 4 != 0) { + keysize < AES_BLOCK_SIZE || + keysize > 32 || + keysize % 4 != 0) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } 
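Review bot: The key-length check in aes_InitContext uses `AES_BLOCK_SIZE` for the lower bound and the bare literal `32` for the upper bound; the block size and the minimum key size coincide numerically but are different quantities, and the accepted [128, 256]-bit range is otherwise stated only in the comment above. A pair of named constants (placeholders: `<AES_MIN_KEY_BYTES>` / `<AES_MAX_KEY_BYTES>`) used here and in the `PORT_Assert(keysize == 16 || keysize == 24 || keysize == 32)` of hunk @@ -1148 would keep the range in one place, e.g. `keysize < <AES_MIN_KEY_BYTES> || keysize > <AES_MAX_KEY_BYTES> ||`. The rest of the argument validation continues past the end of this hunk.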
@@ -1069,45 +1062,16 @@ aes_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize, PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } -#ifdef USE_HW_AES - if (has_intel_aes == 0) { - unsigned long eax, ebx, ecx, edx; - char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES"); - - if (disable_hw_aes == NULL) { - freebl_cpuid(1, &eax, &ebx, &ecx, &edx); - has_intel_aes = (ecx & (1 << 25)) != 0 ? 1 : -1; -#ifdef INTEL_GCM - has_intel_clmul = (ecx & (1 << 1)) != 0 ? 1 : -1; - if ((ecx & (1 << 27)) != 0 && (ecx & (1 << 28)) != 0 && - check_xcr0_ymm()) { - has_intel_avx = 1; - } else { - has_intel_avx = -1; - } -#endif - } else { - has_intel_aes = -1; -#ifdef INTEL_GCM - has_intel_avx = -1; - has_intel_clmul = -1; -#endif - } - } - use_hw_aes = (PRBool)(has_intel_aes > 0 && (keysize % 8) == 0 && blocksize == 16); -#ifdef INTEL_GCM - use_hw_gcm = (PRBool)(use_hw_aes && has_intel_avx > 0 && has_intel_clmul > 0); -#endif -#endif /* USE_HW_AES */ + use_hw_aes = aesni_support() && (keysize % 8) == 0; /* Nb = (block size in bits) / 32 */ - cx->Nb = blocksize / 4; + cx->Nb = AES_BLOCK_SIZE / 4; /* Nk = (key size in bits) / 32 */ Nk = keysize / 4; /* Obtain number of rounds from "table" */ cx->Nr = RIJNDAEL_NUM_ROUNDS(Nk, cx->Nb); /* copy in the iv, if neccessary */ if (mode == NSS_AES_CBC) { - memcpy(cx->iv, iv, blocksize); + memcpy(cx->iv, iv, AES_BLOCK_SIZE); #ifdef USE_HW_AES if (use_hw_aes) { cx->worker = (freeblCipherFunc) @@ -1135,7 +1099,7 @@ aes_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize, PORT_Assert((cx->Nb * (cx->Nr + 1)) <= RIJNDAEL_MAX_EXP_KEY_SIZE); if ((cx->Nb * (cx->Nr + 1)) > RIJNDAEL_MAX_EXP_KEY_SIZE) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - goto cleanup; + return SECFailure; } #ifdef USE_HW_AES if (use_hw_aes) { 
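Review bot: The removed block consulted NSS_DISABLE_HW_AES before enabling the hardware path, while the replacement `use_hw_aes = aesni_support() && (keysize % 8) == 0;` shows no opt-out; presumably the CPU probe behind aesni_support() honors that variable, but nothing in this hunk says so. A one-line comment would save the next reader the search: `/* aesni_support() also honors the NSS_DISABLE_HW_AES environment override. */` (adjust if the probe does not). The same predicate is re-evaluated verbatim in AES_InitContext for the GCM and CTR branches (hunk @@ -1188); keeping the result in the context, as the old `use_hw_aes` effectively did, would avoid three copies drifting apart.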
@@ -1148,25 +1112,28 @@ aes_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize, defined(RIJNDAEL_GENERATE_TABLES_MACRO) if (rijndaelTables == NULL) { if (PR_CallOnce(&coRTInit, init_rijndael_tables) != PR_SUCCESS) { - return SecFailure; + return SECFailure; } } #endif /* Generate expanded key */ if (encrypt) { - if (rijndael_key_expansion(cx, key, Nk) != SECSuccess) - goto cleanup; + if (use_hw_aes && (cx->mode == NSS_AES_GCM || cx->mode == NSS_AES || + cx->mode == NSS_AES_CTR)) { + PORT_Assert(keysize == 16 || keysize == 24 || keysize == 32); + /* Prepare hardware key for normal AES parameters. */ + native_key_expansion(cx, key, Nk); + } else { + rijndael_key_expansion(cx, key, Nk); + } } else { - if (rijndael_invkey_expansion(cx, key, Nk) != SECSuccess) - goto cleanup; + rijndael_invkey_expansion(cx, key, Nk); } } cx->worker_cx = cx; cx->destroy = NULL; cx->isBlock = PR_TRUE; return SECSuccess; -cleanup: - return SECFailure; } SECStatus @@ -1178,6 +1145,11 @@ AES_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize, PRBool baseencrypt = encrypt; SECStatus rv; + if (blocksize != AES_BLOCK_SIZE) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + switch (mode) { case NSS_AES_CTS: basemode = NSS_AES_CBC; 
@@ -1188,45 +1160,47 @@ AES_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize, baseencrypt = PR_TRUE; break; } - /* make sure enough is initializes so we can safely call Destroy */ + /* Make sure enough is initialized so we can safely call Destroy. */ cx->worker_cx = NULL; cx->destroy = NULL; - rv = aes_InitContext(cx, key, keysize, iv, basemode, - baseencrypt, blocksize); + cx->mode = mode; + rv = aes_InitContext(cx, key, keysize, iv, basemode, baseencrypt); if (rv != SECSuccess) { AES_DestroyContext(cx, PR_FALSE); return rv; } - cx->mode = mode; /* finally, set up any mode specific contexts */ switch (mode) { case NSS_AES_CTS: - cx->worker_cx = CTS_CreateContext(cx, cx->worker, iv, blocksize); + cx->worker_cx = CTS_CreateContext(cx, cx->worker, iv); cx->worker = (freeblCipherFunc)(encrypt ? CTS_EncryptUpdate : CTS_DecryptUpdate); cx->destroy = (freeblDestroyFunc)CTS_DestroyContext; cx->isBlock = PR_FALSE; break; case NSS_AES_GCM: -#ifdef INTEL_GCM - if (use_hw_gcm) { - cx->worker_cx = intel_AES_GCM_CreateContext(cx, cx->worker, iv, blocksize); - cx->worker = (freeblCipherFunc)(encrypt ? intel_AES_GCM_EncryptUpdate : intel_AES_GCM_DecryptUpdate); +#if defined(INTEL_GCM) && defined(USE_HW_AES) + if (aesni_support() && (keysize % 8) == 0 && avx_support() && + clmul_support()) { + cx->worker_cx = intel_AES_GCM_CreateContext(cx, cx->worker, iv); + cx->worker = (freeblCipherFunc)(encrypt ? intel_AES_GCM_EncryptUpdate + : intel_AES_GCM_DecryptUpdate); cx->destroy = (freeblDestroyFunc)intel_AES_GCM_DestroyContext; cx->isBlock = PR_FALSE; } else #endif { - cx->worker_cx = GCM_CreateContext(cx, cx->worker, iv, blocksize); - cx->worker = (freeblCipherFunc)(encrypt ? GCM_EncryptUpdate : GCM_DecryptUpdate); + cx->worker_cx = GCM_CreateContext(cx, cx->worker, iv); + cx->worker = (freeblCipherFunc)(encrypt ? 
GCM_EncryptUpdate + : GCM_DecryptUpdate); cx->destroy = (freeblDestroyFunc)GCM_DestroyContext; cx->isBlock = PR_FALSE; } break; case NSS_AES_CTR: - cx->worker_cx = CTR_CreateContext(cx, cx->worker, iv, blocksize); + cx->worker_cx = CTR_CreateContext(cx, cx->worker, iv); #if defined(USE_HW_AES) && defined(_MSC_VER) - if (use_hw_aes) { + if (aesni_support() && (keysize % 8) == 0) { cx->worker = (freeblCipherFunc)CTR_Update_HW_AES; } else #endif @@ -1238,7 +1212,7 @@ AES_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize, break; default: /* everything has already been set up by aes_InitContext, just - * return */ + * return */ return SECSuccess; } /* check to see if we succeeded in getting the worker context */ @@ -1287,8 +1261,9 @@ AES_DestroyContext(AESContext *cx, PRBool freeit) cx->worker_cx = NULL; cx->destroy = NULL; } - if (freeit) - PORT_Free(cx); + if (freeit) { + PORT_Free(cx->mem); + } } /* @@ -1302,14 +1277,12 @@ AES_Encrypt(AESContext *cx, unsigned char *output, unsigned int *outputLen, unsigned int maxOutputLen, const unsigned char *input, unsigned int inputLen) { - int blocksize; /* Check args */ if (cx == NULL || output == NULL || (input == NULL && inputLen != 0)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - blocksize = 4 * cx->Nb; - if (cx->isBlock && (inputLen % blocksize != 0)) { + if (cx->isBlock && (inputLen % AES_BLOCK_SIZE != 0)) { PORT_SetError(SEC_ERROR_INPUT_LEN); return SECFailure; } @@ -1340,7 +1313,7 @@ AES_Encrypt(AESContext *cx, unsigned char *output, #endif return (*cx->worker)(cx->worker_cx, output, outputLen, maxOutputLen, - input, inputLen, blocksize); + input, inputLen, AES_BLOCK_SIZE); } /* 
@@ -1354,14 +1327,12 @@ AES_Decrypt(AESContext *cx, unsigned char *output, unsigned int *outputLen, unsigned int maxOutputLen, const unsigned char *input, unsigned int inputLen) { - int blocksize; /* Check args */ if (cx == NULL || output == NULL || (input == NULL && inputLen != 0)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - blocksize = 4 * cx->Nb; - if (cx->isBlock && (inputLen % blocksize != 0)) { + if (cx->isBlock && (inputLen % AES_BLOCK_SIZE != 0)) { PORT_SetError(SEC_ERROR_INPUT_LEN); return SECFailure; } @@ -1371,5 +1342,5 @@ AES_Decrypt(AESContext *cx, unsigned char *output, } *outputLen = inputLen; return (*cx->worker)(cx->worker_cx, output, outputLen, maxOutputLen, - input, inputLen, blocksize); + input, inputLen, AES_BLOCK_SIZE); } diff --git a/security/nss/lib/freebl/rijndael.h b/security/nss/lib/freebl/rijndael.h index 0e14ec2fc3..1f4a8a9f73 100644 --- a/security/nss/lib/freebl/rijndael.h +++ b/security/nss/lib/freebl/rijndael.h @@ -6,13 +6,15 @@ #define _RIJNDAEL_H_ 1 #include "blapii.h" +#include <stdint.h> -#define RIJNDAEL_MIN_BLOCKSIZE 16 /* bytes */ -#define RIJNDAEL_MAX_BLOCKSIZE 32 /* bytes */ +#ifdef NSS_X86_OR_X64 +#include <wmmintrin.h> /* aes-ni */ +#endif -typedef SECStatus AESBlockFunc(AESContext *cx, - unsigned char *output, - const unsigned char *input); +typedef void AESBlockFunc(AESContext *cx, + unsigned char *output, + const unsigned char *input); /* RIJNDAEL_NUM_ROUNDS * 
@@ -23,24 +25,18 @@ typedef SECStatus AESBlockFunc(AESContext *cx, #define RIJNDAEL_NUM_ROUNDS(Nk, Nb) \ (PR_MAX(Nk, Nb) + 6) -/* RIJNDAEL_MAX_STATE_SIZE - * - * Maximum number of bytes in the state (spec includes up to 256-bit block - * size) - */ -#define RIJNDAEL_MAX_STATE_SIZE 32 - /* * This magic number is (Nb_max * (Nr_max + 1)) * where Nb_max is the maximum block size in 32-bit words, * Nr_max is the maximum number of rounds, which is Nb_max + 6 */ -#define RIJNDAEL_MAX_EXP_KEY_SIZE (8 * 15) +#define RIJNDAEL_MAX_EXP_KEY_SIZE (4 * 15) /* AESContextStr * * Values which maintain the state for Rijndael encryption/decryption. * + * keySchedule - 128-bit registers for the key-schedule * iv - initialization vector for CBC mode * Nb - the number of bytes in a block, specified by user * Nr - the number of rounds, specified by a table @@ -51,17 +47,23 @@ typedef SECStatus AESBlockFunc(AESContext *cx, * isBlock - is the mode of operation a block cipher or a stream cipher? */ struct AESContextStr { + /* NOTE: Offsets to members in this struct are hardcoded in assembly. + * Don't change the struct without updating intel-aes.s and intel-gcm.s. */ + union { +#if defined(NSS_X86_OR_X64) + __m128i keySchedule[15]; +#endif + PRUint32 expandedKey[RIJNDAEL_MAX_EXP_KEY_SIZE]; + }; unsigned int Nb; unsigned int Nr; freeblCipherFunc worker; - /* NOTE: The offsets of iv and expandedKey are hardcoded in intel-aes.s. - * Don't add new members before them without updating intel-aes.s. */ - unsigned char iv[RIJNDAEL_MAX_BLOCKSIZE]; - PRUint32 expandedKey[RIJNDAEL_MAX_EXP_KEY_SIZE]; + unsigned char iv[AES_BLOCK_SIZE]; freeblDestroyFunc destroy; void *worker_cx; PRBool isBlock; int mode; + void *mem; /* Start of the allocated memory to free. */ }; #endif /* _RIJNDAEL_H_ */ diff --git a/security/nss/lib/freebl/rsa.c b/security/nss/lib/freebl/rsa.c index ff8c40ed9a..7354d93179 100644 --- a/security/nss/lib/freebl/rsa.c +++ b/security/nss/lib/freebl/rsa.c 
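Review bot: The new `mem` member's comment says only "Start of the allocated memory to free", but on this page it is set solely by AES_AllocateContext and consumed by AES_DestroyContext(cx, PR_TRUE); AES_InitContext does not initialize it. The comment should state that contract so a caller that allocates an AESContext by other means knows that `freeit` must not be used and that the 16-byte alignment the `__m128i keySchedule[15]` member needs is the allocator's job: `void *mem; /* Base pointer freed by AES_DestroyContext(freeit=PR_TRUE); set only by AES_AllocateContext, which also provides the 16-byte alignment keySchedule requires. */`. The note about offsets hardcoded in assembly would benefit from naming the union as the first member explicitly, since that is what the assembly depends on.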
@@ -190,12 +190,12 @@ cleanup: } return rv; } -static SECStatus + +SECStatus generate_prime(mp_int *prime, int primeLen) { mp_err err = MP_OKAY; SECStatus rv = SECSuccess; - unsigned long counter = 0; int piter; unsigned char *pb = NULL; pb = PORT_Alloc(primeLen); @@ -208,7 +208,7 @@ generate_prime(mp_int *prime, int primeLen) pb[0] |= 0xC0; /* set two high-order bits */ pb[primeLen - 1] |= 0x01; /* set low-order bit */ CHECK_MPI_OK(mp_read_unsigned_octets(prime, pb, primeLen)); - err = mpp_make_prime(prime, primeLen * 8, PR_FALSE, &counter); + err = mpp_make_prime(prime, primeLen * 8, PR_FALSE); if (err != MP_NO) goto cleanup; /* keep going while err == MP_NO */ @@ -321,7 +321,6 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent) kiter = 0; max_attempts = 5 * (keySizeInBits / 2); /* FIPS 186-4 B.3.3 steps 4.7 and 5.8 */ do { - prerr = 0; PORT_SetError(0); CHECK_SEC_OK(generate_prime(&p, primeLen)); CHECK_SEC_OK(generate_prime(&q, primeLen)); @@ -348,8 +347,7 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent) kiter++; /* loop until have primes */ } while (prerr == SEC_ERROR_NEED_RANDOM && kiter < max_attempts); - if (prerr) - goto cleanup; + cleanup: mp_clear(&p); mp_clear(&q); @@ -1236,7 +1234,10 @@ get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen, * Now, search its list of ready blinding params for a usable one. */ while (0 != (bp = rsabp->bp)) { - if (--(bp->counter) > 0) { +#ifndef UNSAFE_FUZZER_MODE + if (--(bp->counter) > 0) +#endif + { /* Found a match and there are still remaining uses left */ /* Return the parameters */ CHECK_MPI_OK(mp_copy(&bp->f, f)); @@ -1548,7 +1549,7 @@ cleanup: return rv; } -static SECStatus +SECStatus RSA_Init(void) { if (PR_CallOnce(&coBPInit, init_blinding_params_list) != PR_SUCCESS) { @@ -1558,12 +1559,6 @@ RSA_Init(void) return SECSuccess; } -SECStatus -BL_Init(void) -{ - return RSA_Init(); -} - /* cleanup at shutdown */ void RSA_Cleanup(void) 
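Review bot: In get_blinding_params the `#ifndef UNSAFE_FUZZER_MODE` leaves a bare `{` block when the macro is defined, so the first cached blinding parameter set is returned on every call without its counter ever being decremented; presumably this is meant to make fuzzer runs deterministic, but nothing says so. A comment on the `#ifndef` would make both the intent and the consequence explicit: `/* Fuzzer builds never retire blinding params: deterministic output, NOT for production use. */`. The removal of `prerr = 0;` from the RSA_NewKey loop relies on prerr being assigned on every iteration before the `while` condition reads it; that assignment is outside the hunk, so it is worth double-checking. generate_prime and RSA_Init also lose `static` here; the header declaring them is not on this page.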
diff --git a/security/nss/lib/freebl/rsapkcs.c b/security/nss/lib/freebl/rsapkcs.c index 577fe1f614..ad18c8b733 100644 --- a/security/nss/lib/freebl/rsapkcs.c +++ b/security/nss/lib/freebl/rsapkcs.c @@ -85,6 +85,25 @@ rsa_modulusLen(SECItem *modulus) return modLen; } +static unsigned int +rsa_modulusBits(SECItem *modulus) +{ + unsigned char byteZero = modulus->data[0]; + unsigned int numBits = (modulus->len - 1) * 8; + + if (byteZero == 0) { + numBits -= 8; + byteZero = modulus->data[1]; + } + + while (byteZero > 0) { + numBits++; + byteZero >>= 1; + } + + return numBits; +} + /* * Format one block of data for public/private key encryption using * the rules defined in PKCS #1. @@ -271,10 +290,12 @@ MGF1(HASH_HashType hashAlg, const SECHashObject *hash; void *hashContext; unsigned char C[4]; + SECStatus rv = SECSuccess; hash = HASH_GetRawHashObject(hashAlg); - if (hash == NULL) + if (hash == NULL) { return SECFailure; + } hashContext = (*hash->create)(); rounds = (maskLen + hash->length - 1) / hash->length; @@ -295,14 +316,19 @@ MGF1(HASH_HashType hashAlg, (*hash->end)(hashContext, tempHash, &digestLen, hash->length); } else { /* we're in the last round and need to cut the hash */ temp = (unsigned char *)PORT_Alloc(hash->length); + if (!temp) { + rv = SECFailure; + goto done; + } (*hash->end)(hashContext, temp, &digestLen, hash->length); PORT_Memcpy(tempHash, temp, maskLen - counter * hash->length); PORT_Free(temp); } } - (*hash->destroy)(hashContext, PR_TRUE); - return SECSuccess; +done: + (*hash->destroy)(hashContext, PR_TRUE); + return rv; } /* XXX Doesn't set error code */ 
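Review bot: rsa_modulusBits reads `modulus->data[0]` and, when that byte is zero, `modulus->data[1]` without consulting `modulus->len`, and `(modulus->len - 1) * 8` wraps for an empty modulus; RSA_SignPSS and RSA_CheckSignPSS then pass `modulusBits - 1` downstream. Whether key import already rejects such moduli is not visible on this page, and the neighbouring rsa_modulusLen presumably handles the leading zero, but a guard here is cheap: `if (modulus->len == 0 || (modulus->data[0] == 0 && modulus->len < 2)) { return 0; }`, with the two callers treating 0 as an invalid key. The function's doc comment should also say it returns the bit length of the minimal big-endian encoding, ignoring one leading zero octet.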
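Review bot: In MGF1 the new `done:` cleanup still does not cover a failed `hashContext = (*hash->create)();` — the hunk adds a NULL check for `temp`, but the create result is used unchecked in the loop and passed to `(*hash->destroy)(hashContext, PR_TRUE)`. Add `if (hashContext == NULL) { return SECFailure; }` immediately after the create call, before any `goto done`, so destroy is never reached with NULL. The loop body between the two MGF1 hunks is not shown here.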
@@ -962,12 +988,11 @@ failure: * We use mHash instead of M as input. * emBits from the RFC is just modBits - 1, see section 8.1.1. * We only support MGF1 as the MGF. - * - * NOTE: this code assumes modBits is a multiple of 8. */ static SECStatus emsa_pss_encode(unsigned char *em, unsigned int emLen, + unsigned int emBits, const unsigned char *mHash, HASH_HashType hashAlg, HASH_HashType maskHashAlg, @@ -1032,7 +1057,7 @@ emsa_pss_encode(unsigned char *em, PORT_Free(dbMask); /* Step 11 */ - em[0] &= 0x7f; + em[0] &= 0xff >> (8 * emLen - emBits); /* Step 12 */ em[emLen - 1] = 0xbc; @@ -1046,13 +1071,12 @@ emsa_pss_encode(unsigned char *em, * We use mHash instead of M as input. * emBits from the RFC is just modBits - 1, see section 8.1.2. * We only support MGF1 as the MGF. - * - * NOTE: this code assumes modBits is a multiple of 8. */ static SECStatus emsa_pss_verify(const unsigned char *mHash, const unsigned char *em, unsigned int emLen, + unsigned int emBits, HASH_HashType hashAlg, HASH_HashType maskHashAlg, unsigned int saltLen) @@ -1063,15 +1087,22 @@ emsa_pss_verify(const unsigned char *mHash, unsigned char *H_; /* H' from the RFC */ unsigned int i; unsigned int dbMaskLen; + unsigned int zeroBits; SECStatus rv; hash = HASH_GetRawHashObject(hashAlg); dbMaskLen = emLen - hash->length - 1; - /* Step 3 + 4 + 6 */ + /* Step 3 + 4 */ if ((emLen < (hash->length + saltLen + 2)) || - (em[emLen - 1] != 0xbc) || - ((em[0] & 0x80) != 0)) { + (em[emLen - 1] != 0xbc)) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + + /* Step 6 */ + zeroBits = 8 * emLen - emBits; + if (em[0] >> (8 - zeroBits)) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; } @@ -1091,7 +1122,7 @@ emsa_pss_verify(const unsigned char *mHash, } /* Step 9 */ - db[0] &= 0x7f; + db[0] &= 0xff >> zeroBits; /* Step 10 */ for (i = 0; i < (dbMaskLen - saltLen - 1); i++) { 
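Review bot: emsa_pss_encode and emsa_pss_verify (hunks @@ -962 and @@ -1046) now use `8 * emLen - emBits` as a shift count, which is only well-defined when `emLen == ceil(emBits / 8)`, i.e. the count is 0..7; the callers in RSA_SignPSS and RSA_CheckSignPSS establish that by adjusting em/emLen when `modulusBits % 8 == 1`. Since both functions are static the contract belongs to the callers, but stating it makes the shifts reviewable: `PORT_Assert(emBits <= 8 * emLen && 8 * emLen - emBits < 8);` at the top of each, plus a line in each header comment: `emLen must equal ceil(emBits / 8).`. In emsa_pss_verify, `em[0] >> (8 - zeroBits)` is fine for zeroBits == 0 only because em[0] promotes to int before the shift by 8; a short comment there would prevent a future "fix".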
@@ -1156,7 +1187,9 @@ RSA_SignPSS(RSAPrivateKey *key, { SECStatus rv = SECSuccess; unsigned int modulusLen = rsa_modulusLen(&key->modulus); - unsigned char *pssEncoded = NULL; + unsigned int modulusBits = rsa_modulusBits(&key->modulus); + unsigned int emLen = modulusLen; + unsigned char *pssEncoded, *em; if (maxOutputLen < modulusLen) { PORT_SetError(SEC_ERROR_OUTPUT_LEN); @@ -1168,16 +1201,24 @@ RSA_SignPSS(RSAPrivateKey *key, return SECFailure; } - pssEncoded = (unsigned char *)PORT_Alloc(modulusLen); + pssEncoded = em = (unsigned char *)PORT_Alloc(modulusLen); if (pssEncoded == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } - rv = emsa_pss_encode(pssEncoded, modulusLen, input, hashAlg, + + /* len(em) == ceil((modulusBits - 1) / 8). */ + if (modulusBits % 8 == 1) { + em[0] = 0; + emLen--; + em++; + } + rv = emsa_pss_encode(em, emLen, modulusBits - 1, input, hashAlg, maskHashAlg, salt, saltLength); if (rv != SECSuccess) goto done; + // This sets error codes upon failure. rv = RSA_PrivateKeyOpDoubleChecked(key, output, pssEncoded); *outputLen = modulusLen; @@ -1198,7 +1239,9 @@ RSA_CheckSignPSS(RSAPublicKey *key, { SECStatus rv; unsigned int modulusLen = rsa_modulusLen(&key->modulus); - unsigned char *buffer; + unsigned int modulusBits = rsa_modulusBits(&key->modulus); + unsigned int emLen = modulusLen; + unsigned char *buffer, *em; if (sigLen != modulusLen) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); @@ -1210,7 +1253,7 @@ RSA_CheckSignPSS(RSAPublicKey *key, return SECFailure; } - buffer = (unsigned char *)PORT_Alloc(modulusLen); + buffer = em = (unsigned char *)PORT_Alloc(modulusLen); if (!buffer) { PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; 
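Review bot: The added `// This sets error codes upon failure.` in RSA_SignPSS (and the same line in RSA_Sign in the next set of hunks) are the only `//` comments on this page of a file that otherwise uses `/* */` throughout; `/* This sets error codes upon failure. */` keeps the style uniform. The em/emLen adjustment for `modulusBits % 8 == 1` is right — em then holds ceil((modulusBits - 1) / 8) octets — and `em[0] = 0` keeps the representative below the modulus; the `/* len(em) == ... */` comment explains it well.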
@@ -1223,14 +1266,18 @@ RSA_CheckSignPSS(RSAPublicKey *key, return SECFailure; } - rv = emsa_pss_verify(hash, buffer, modulusLen, hashAlg, + /* len(em) == ceil((modulusBits - 1) / 8). */ + if (modulusBits % 8 == 1) { + emLen--; + em++; + } + rv = emsa_pss_verify(hash, em, emLen, modulusBits - 1, hashAlg, maskHashAlg, saltLength); - PORT_Free(buffer); + PORT_Free(buffer); return rv; } -/* XXX Doesn't set error code */ SECStatus RSA_Sign(RSAPrivateKey *key, unsigned char *output, @@ -1239,34 +1286,34 @@ RSA_Sign(RSAPrivateKey *key, const unsigned char *input, unsigned int inputLen) { - SECStatus rv = SECSuccess; + SECStatus rv = SECFailure; unsigned int modulusLen = rsa_modulusLen(&key->modulus); - SECItem formatted; - SECItem unformatted; + SECItem formatted = { siBuffer, NULL, 0 }; + SECItem unformatted = { siBuffer, (unsigned char *)input, inputLen }; - if (maxOutputLen < modulusLen) - return SECFailure; + if (maxOutputLen < modulusLen) { + PORT_SetError(SEC_ERROR_OUTPUT_LEN); + goto done; + } - unformatted.len = inputLen; - unformatted.data = (unsigned char *)input; - formatted.data = NULL; rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockPrivate, &unformatted); - if (rv != SECSuccess) + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); goto done; + } + // This sets error codes upon failure. rv = RSA_PrivateKeyOpDoubleChecked(key, output, formatted.data); *outputLen = modulusLen; - goto done; - done: - if (formatted.data != NULL) + if (formatted.data != NULL) { PORT_ZFree(formatted.data, modulusLen); + } return rv; } -/* XXX Doesn't set error code */ SECStatus RSA_CheckSign(RSAPublicKey *key, const unsigned char *sig, 
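Review bot: In RSA_CheckSignPSS, when `modulusBits % 8 == 1` the first octet of `buffer` is skipped (`em++`) but never checked to be zero, although it is the top octet of the RSA_PublicKeyOp result. RFC 8017 section 8.1.2 step 2.c converts the message representative with I2OSP into exactly emLen octets and rejects the signature when the integer does not fit, which for this code means `buffer[0] != 0`; add inside that branch `if (buffer[0] != 0) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); PORT_Free(buffer); return SECFailure; }`. The signing side writes that octet as zero (previous hunk), so accepting a nonzero value there only loosens verification relative to the spec.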
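Review bot: In RSA_Sign, `PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);` after a failed rsa_FormatBlock unconditionally overwrites whatever code that helper may have set (its body is not on this page); if it reports, say, a memory or randomness failure, callers lose that detail. If rsa_FormatBlock does set errors, setting the generic code only when none is pending, `if (PORT_GetError() == 0) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); }`, preserves it; otherwise a comment noting that the helper does not set error codes would justify the overwrite.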
@@ -1274,60 +1321,71 @@ RSA_CheckSign(RSAPublicKey *key, const unsigned char *data, unsigned int dataLen) { - SECStatus rv; + SECStatus rv = SECFailure; unsigned int modulusLen = rsa_modulusLen(&key->modulus); unsigned int i; - unsigned char *buffer; + unsigned char *buffer = NULL; + + if (sigLen != modulusLen) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + goto done; + } - if (sigLen != modulusLen) - goto failure; /* * 0x00 || BT || Pad || 0x00 || ActualData * * The "3" below is the first octet + the second octet + the 0x00 * octet that always comes just before the ActualData. */ - if (dataLen > modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)) - goto failure; + if (dataLen > modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)) { + PORT_SetError(SEC_ERROR_BAD_DATA); + goto done; + } buffer = (unsigned char *)PORT_Alloc(modulusLen + 1); - if (!buffer) - goto failure; + if (!buffer) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto done; + } - rv = RSA_PublicKeyOp(key, buffer, sig); - if (rv != SECSuccess) - goto loser; + if (RSA_PublicKeyOp(key, buffer, sig) != SECSuccess) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + goto done; + } /* * check the padding that was used */ if (buffer[0] != RSA_BLOCK_FIRST_OCTET || buffer[1] != (unsigned char)RSA_BlockPrivate) { - goto loser; + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + goto done; } for (i = 2; i < modulusLen - dataLen - 1; i++) { - if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET) - goto loser; + if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + goto done; + } + } + if (buffer[i] != RSA_BLOCK_AFTER_PAD_OCTET) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + goto done; } - if (buffer[i] != RSA_BLOCK_AFTER_PAD_OCTET) - goto loser; /* * make sure we get the same results */ - if (PORT_Memcmp(buffer + modulusLen - dataLen, data, dataLen) != 0) - goto loser; - - PORT_Free(buffer); - return SECSuccess; + if (PORT_Memcmp(buffer + modulusLen - dataLen, data, dataLen) == 0) { + rv = SECSuccess; + } -loser: - 
PORT_Free(buffer); -failure: - return SECFailure; +done: + if (buffer) { + PORT_Free(buffer); + } + return rv; } -/* XXX Doesn't set error code */ SECStatus RSA_CheckSignRecover(RSAPublicKey *key, unsigned char *output, @@ -1336,21 +1394,27 @@ RSA_CheckSignRecover(RSAPublicKey *key, const unsigned char *sig, unsigned int sigLen) { - SECStatus rv; + SECStatus rv = SECFailure; unsigned int modulusLen = rsa_modulusLen(&key->modulus); unsigned int i; - unsigned char *buffer; + unsigned char *buffer = NULL; - if (sigLen != modulusLen) - goto failure; + if (sigLen != modulusLen) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + goto done; + } buffer = (unsigned char *)PORT_Alloc(modulusLen + 1); - if (!buffer) - goto failure; + if (!buffer) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto done; + } + + if (RSA_PublicKeyOp(key, buffer, sig) != SECSuccess) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + goto done; + } - rv = RSA_PublicKeyOp(key, buffer, sig); - if (rv != SECSuccess) - goto loser; *outputLen = 0; /* 
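Review bot: The data-mismatch path of RSA_CheckSign still returns without an error code: when `PORT_Memcmp(buffer + modulusLen - dataLen, data, dataLen)` differs, `rv` stays `SECFailure` and control falls through to `done:` with no `PORT_SetError`, so a caller reading the error after this failure gets whatever an earlier call left behind. Every other failure in this hunk now sets a code and the `/* XXX Doesn't set error code */` marker was removed, so this branch looks like an oversight; an `else { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); }` after the comparison closes the gap.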
@@ -1358,28 +1422,34 @@ RSA_CheckSignRecover(RSAPublicKey *key, */ if (buffer[0] != RSA_BLOCK_FIRST_OCTET || buffer[1] != (unsigned char)RSA_BlockPrivate) { - goto loser; + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + goto done; } for (i = 2; i < modulusLen; i++) { if (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) { *outputLen = modulusLen - i - 1; break; } - if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET) - goto loser; + if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + goto done; + } + } + if (*outputLen == 0) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + goto done; + } + if (*outputLen > maxOutputLen) { + PORT_SetError(SEC_ERROR_OUTPUT_LEN); + goto done; } - if (*outputLen == 0) - goto loser; - if (*outputLen > maxOutputLen) - goto loser; PORT_Memcpy(output, buffer + modulusLen - *outputLen, *outputLen); + rv = SECSuccess; - PORT_Free(buffer); - return SECSuccess; - -loser: - PORT_Free(buffer); -failure: - return SECFailure; +done: + if (buffer) { + PORT_Free(buffer); + } + return rv; } diff --git a/security/nss/lib/freebl/shvfy.c b/security/nss/lib/freebl/shvfy.c index af4a34fb0b..bd9cd1c94a 100644 --- a/security/nss/lib/freebl/shvfy.c +++ b/security/nss/lib/freebl/shvfy.c @@ -12,6 +12,7 @@ #include "prio.h" #include "blapi.h" #include "seccomon.h" +#include "secerr.h" #include "stdio.h" #include "prmem.h" #include "hasht.h" @@ -233,8 +234,12 @@ static char * mkCheckFileName(const char *libName) { int ln_len = PORT_Strlen(libName); - char *output = PORT_Alloc(ln_len + sizeof(SGN_SUFFIX)); int index = ln_len + 1 - sizeof("." SHLIB_SUFFIX); + char *output = PORT_Alloc(ln_len + sizeof(SGN_SUFFIX)); + if (!output) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; + } if ((index > 0) && (PORT_Strncmp(&libName[index], diff --git a/security/nss/lib/freebl/sysrand.c b/security/nss/lib/freebl/sysrand.c index 0128fa0ee8..763f6af119 100644 --- a/security/nss/lib/freebl/sysrand.c +++ b/security/nss/lib/freebl/sysrand.c 
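Review bot: The padding scan in RSA_CheckSignRecover accepts a block with fewer than RSA_BLOCK_MIN_PAD_LEN pad octets, unlike RSA_CheckSign in the hunk above, which bounds `dataLen` with `3 + RSA_BLOCK_MIN_PAD_LEN` before inspecting the block. Here the loop stops at the first `RSA_BLOCK_AFTER_PAD_OCTET` from `i = 2` onward, so only the empty-payload case (`*outputLen == 0`) is rejected. PKCS #1 v1.5 block type 01 requires at least eight pad octets; a check after the loop such as `if (i < 2 + RSA_BLOCK_MIN_PAD_LEN) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); goto done; }` would make the two verifiers agree (the constant's value is not in the diff, so adjust if it is defined differently). This is a conformance point rather than a forgery risk, since the block still has to come out of the public-key operation.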
@@ -8,42 +8,11 @@ #include "seccomon.h" -#ifndef XP_WIN -static size_t rng_systemFromNoise(unsigned char *dest, size_t maxLen); -#endif - -#if defined(XP_UNIX) || defined(XP_BEOS) +#if (defined(XP_UNIX) || defined(XP_BEOS)) && defined(SEED_ONLY_DEV_URANDOM) +#include "unix_urandom.c" +#elif defined(XP_UNIX) || defined(XP_BEOS) #include "unix_rand.c" #endif #ifdef XP_WIN #include "win_rand.c" #endif -#ifdef XP_OS2 -#include "os2_rand.c" -#endif - -#ifndef XP_WIN -/* - * Normal RNG_SystemRNG() isn't available, use the system noise to collect - * the required amount of entropy. - */ -static size_t -rng_systemFromNoise(unsigned char *dest, size_t maxLen) -{ - size_t retBytes = maxLen; - - while (maxLen) { - size_t nbytes = RNG_GetNoise(dest, maxLen); - - PORT_Assert(nbytes != 0); - - dest += nbytes; - maxLen -= nbytes; - - /* some hw op to try to introduce more entropy into the next - * RNG_GetNoise call */ - rng_systemJitter(); - } - return retBytes; -} -#endif diff --git a/security/nss/lib/freebl/unix_rand.c b/security/nss/lib/freebl/unix_rand.c index ea3b6af3de..24381cb26e 100644 --- a/security/nss/lib/freebl/unix_rand.c +++ b/security/nss/lib/freebl/unix_rand.c @@ -160,11 +160,9 @@ RNG_kstat(PRUint32 *fed) #endif -#if defined(SCO) || defined(UNIXWARE) || defined(BSDI) || defined(FREEBSD) || defined(NETBSD) || defined(DARWIN) || defined(OPENBSD) || defined(NTO) || defined(__riscos__) +#if defined(SCO) || defined(UNIXWARE) || defined(BSDI) || defined(FREEBSD) || defined(NETBSD) || defined(DARWIN) || defined(OPENBSD) || defined(NTO) || defined(__riscos__) || defined(__GNU__) || defined(__FreeBSD_kernel__) || defined(__NetBSD_kernel__) #include <sys/times.h> -#define getdtablesize() sysconf(_SC_OPEN_MAX) - static size_t GetHighResClock(void *buf, size_t maxbytes) { @@ -198,8 +196,6 @@ GiveSystemInfo(void) #if defined(__svr4) || defined(SVR4) #include <sys/systeminfo.h> -#define getdtablesize() sysconf(_SC_OPEN_MAX) - static void GiveSystemInfo(void) { 
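Review bot: With `rng_systemFromNoise` and the `#ifdef XP_OS2` include gone, a build for a platform that is neither XP_UNIX/XP_BEOS nor XP_WIN now defines no RNG_SystemRNG at all, and a `/dev/urandom` failure on Unix surfaces as a zero return with SEC_ERROR_NEED_RANDOM instead of being covered by system noise. Failing closed is the right behaviour for a seeding primitive, but the unsupported-platform case would be clearer as an explicit `#else` / `#error "no system RNG source for this platform"` / `#endif` than as a link-time error. Every caller of RNG_SystemRNG must now treat a zero return as a hard failure, which this hunk cannot show.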
@@ -255,8 +251,6 @@ GiveSystemInfo(void) #if defined(__hpux) #include <sys/unistd.h> -#define getdtablesize() sysconf(_SC_OPEN_MAX) - #if defined(__ia64) #include <ia64/sys/inline.h> @@ -376,8 +370,6 @@ GiveSystemInfo(void) #include <sys/utsname.h> #include <sys/systeminfo.h> -#define getdtablesize() sysconf(_SC_OPEN_MAX) - static size_t GetHighResClock(void *buf, size_t maxbytes) { @@ -529,8 +521,6 @@ GetHighResClock(void *buf, size_t maxbuf) #if defined(sony) #include <sys/systeminfo.h> -#define getdtablesize() sysconf(_SC_OPEN_MAX) - static size_t GetHighResClock(void *buf, size_t maxbytes) { @@ -565,8 +555,6 @@ GiveSystemInfo(void) int gettimeofday(struct timeval *, struct timezone *); int gethostname(char *, int); -#define getdtablesize() sysconf(_SC_OPEN_MAX) - static size_t GetHighResClock(void *buf, size_t maxbytes) { @@ -634,8 +622,6 @@ GiveSystemInfo(void) #if defined(nec_ews) #include <sys/systeminfo.h> -#define getdtablesize() sysconf(_SC_OPEN_MAX) - static size_t GetHighResClock(void *buf, size_t maxbytes) { 
@@ -682,134 +668,6 @@ RNG_GetNoise(void *buf, size_t maxbytes) return n; } -#define SAFE_POPEN_MAXARGS 10 /* must be at least 2 */ - -/* - * safe_popen is static to this module and we know what arguments it is - * called with. Note that this version only supports a single open child - * process at any time. - */ -static pid_t safe_popen_pid; -static struct sigaction oldact; - -static FILE * -safe_popen(char *cmd) -{ - int p[2], fd, argc; - pid_t pid; - char *argv[SAFE_POPEN_MAXARGS + 1]; - FILE *fp; - static char blank[] = " \t"; - static struct sigaction newact; - - if (pipe(p) < 0) - return 0; - - fp = fdopen(p[0], "r"); - if (fp == 0) { - close(p[0]); - close(p[1]); - return 0; - } - - /* Setup signals so that SIGCHLD is ignored as we want to do waitpid */ - newact.sa_handler = SIG_DFL; - newact.sa_flags = 0; - sigfillset(&newact.sa_mask); - sigaction(SIGCHLD, &newact, &oldact); - - pid = fork(); - switch (pid) { - int ndesc; - - case -1: - fclose(fp); /* this closes p[0], the fd associated with fp */ - close(p[1]); - sigaction(SIGCHLD, &oldact, NULL); - return 0; - - case 0: - /* dup write-side of pipe to stderr and stdout */ - if (p[1] != 1) - dup2(p[1], 1); - if (p[1] != 2) - dup2(p[1], 2); - - /* - * close the other file descriptors, except stdin which we - * try reassociating with /dev/null, first (bug 174993) - */ - if (!freopen("/dev/null", "r", stdin)) - close(0); - ndesc = getdtablesize(); - for (fd = PR_MIN(65536, ndesc); --fd > 2; close(fd)) - ; - - /* clean up environment in the child process */ - putenv("PATH=/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc"); - putenv("SHELL=/bin/sh"); - putenv("IFS= \t"); - - /* - * The caller may have passed us a string that is in text - * space. 
It may be illegal to modify the string - */ - cmd = strdup(cmd); - /* format argv */ - argv[0] = strtok(cmd, blank); - argc = 1; - while ((argv[argc] = strtok(0, blank)) != 0) { - if (++argc == SAFE_POPEN_MAXARGS) { - argv[argc] = 0; - break; - } - } - - /* and away we go */ - execvp(argv[0], argv); - exit(127); - break; - - default: - close(p[1]); - break; - } - - /* non-zero means there's a cmd running */ - safe_popen_pid = pid; - return fp; -} - -static int -safe_pclose(FILE *fp) -{ - pid_t pid; - int status = -1, rv; - - if ((pid = safe_popen_pid) == 0) - return -1; - safe_popen_pid = 0; - - fclose(fp); - - /* yield the processor so the child gets some time to exit normally */ - PR_Sleep(PR_INTERVAL_NO_WAIT); - - /* if the child hasn't exited, kill it -- we're done with its output */ - while ((rv = waitpid(pid, &status, WNOHANG)) == -1 && errno == EINTR) - ; - if (rv == 0) { - kill(pid, SIGKILL); - while ((rv = waitpid(pid, &status, 0)) == -1 && errno == EINTR) - ; - } - - /* Reset SIGCHLD signal hander before returning */ - sigaction(SIGCHLD, &oldact, NULL); - - return status; -} - #ifdef DARWIN #include <TargetConditionals.h> #if !TARGET_OS_IPHONE @@ -817,15 +675,9 @@ safe_pclose(FILE *fp) #endif #endif -/* Fork netstat to collect its output by default. Do not unset this unless - * another source of entropy is available - */ -#define DO_NETSTAT 1 - void RNG_SystemInfoForRNG(void) { - FILE *fp; char buf[BUFSIZ]; size_t bytes; const char *const *cp; @@ -860,12 +712,6 @@ RNG_SystemInfoForRNG(void) }; #endif -#if defined(BSDI) - static char netstat_ni_cmd[] = "netstat -nis"; -#else - static char netstat_ni_cmd[] = "netstat -ni"; -#endif - GiveSystemInfo(); bytes = RNG_GetNoise(buf, sizeof(buf)); 
@@ -890,10 +736,12 @@ RNG_SystemInfoForRNG(void) if (gethostname(buf, sizeof(buf)) == 0) { RNG_RandomUpdate(buf, strlen(buf)); } - GiveSystemInfo(); /* grab some data from system's PRNG before any other files. */ bytes = RNG_FileUpdate("/dev/urandom", SYSTEM_RNG_SEED_COUNT); + if (!bytes) { + PORT_SetError(SEC_ERROR_NEED_RANDOM); + } /* If the user points us to a random file, pass it through the rng */ randfile = PR_GetEnvSecure("NSRANDFILE"); @@ -911,33 +759,12 @@ RNG_SystemInfoForRNG(void) for (cp = files; *cp; cp++) RNG_FileForRNG(*cp); -/* - * Bug 100447: On BSD/OS 4.2 and 4.3, we have problem calling safe_popen - * in a pthreads environment. Therefore, we call safe_popen last and on - * BSD/OS we do not call safe_popen when we succeeded in getting data - * from /dev/urandom. - * - * Bug 174993: On platforms providing /dev/urandom, don't fork netstat - * either, if data has been gathered successfully. - */ - #if defined(BSDI) || defined(FREEBSD) || defined(NETBSD) || defined(OPENBSD) || defined(DARWIN) || defined(LINUX) || defined(HPUX) if (bytes) return; #endif #ifdef SOLARIS - -/* - * On Solaris, NSS may be initialized automatically from libldap in - * applications that are unaware of the use of NSS. safe_popen forks, and - * sometimes creates issues with some applications' pthread_atfork handlers. - * We always have /dev/urandom on Solaris 9 and above as an entropy source, - * and for Solaris 8 we have the libkstat interface, so we don't need to - * fork netstat. - */ - -#undef DO_NETSTAT if (!bytes) { /* On Solaris 8, /dev/urandom isn't available, so we use libkstat. */ PRUint32 kstat_bytes = 0; @@ -948,15 +775,6 @@ RNG_SystemInfoForRNG(void) PORT_Assert(bytes); } #endif - -#ifdef DO_NETSTAT - fp = safe_popen(netstat_ni_cmd); - if (fp != NULL) { - while ((bytes = fread(buf, 1, sizeof(buf), fp)) > 0) - RNG_RandomUpdate(buf, bytes); - safe_pclose(fp); - } -#endif } #define TOTAL_FILE_LIMIT 1000000 /* one million */ 
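Review bot: The `PORT_SetError(SEC_ERROR_NEED_RANDOM)` added after `RNG_FileUpdate("/dev/urandom", ...)` is set inside a void function that then carries on: the NSRANDFILE handling and the `RNG_FileForRNG` loop below may set other codes and clobber it, and the caller gets no status either way. If the intent is to let callers detect a missing system seed, the code should be set last or the result returned; if it is only diagnostic, say so at the call, e.g. `/* advisory only: later file reads may overwrite this code */`. The removed second `GiveSystemInfo()` call duplicated the one visible in the context of the hunk above, so that part is fine.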
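Review bot: The `#if defined(BSDI) || ... if (bytes) return; #endif` block survives without its justification: the deleted comment explained it as a way to skip forking netstat, and with `DO_NETSTAT` and `safe_popen` gone nothing follows it except the `#ifdef SOLARIS` kstat block, which those platforms never compile. It is dead weight rather than a bug; either drop it or replace the deleted rationale with a short `/* nothing else to collect on these platforms once /dev/urandom succeeded */`.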
@@ -1022,20 +840,6 @@ RNG_FileForRNG(const char *fileName) RNG_FileUpdate(fileName, TOTAL_FILE_LIMIT); } -void -ReadSingleFile(const char *fileName) -{ - FILE *file; - unsigned char buffer[BUFSIZ]; - - file = fopen(fileName, "rb"); - if (file != NULL) { - while (fread(buffer, 1, sizeof(buffer), file) > 0) - ; - fclose(file); - } -} - #define _POSIX_PTHREAD_SEMANTICS #include <dirent.h> 
@@ -1055,89 +859,6 @@ ReadFileOK(char *dir, char *file) return S_ISREG(stat_buf.st_mode) ? PR_TRUE : PR_FALSE; } -/* - * read one file out of either /etc or the user's home directory. - * fileToRead tells which file to read. - * - * return 1 if it's time to reset the fileToRead (no more files to read). - */ -static int -ReadOneFile(int fileToRead) -{ - char *dir = "/etc"; - DIR *fd = opendir(dir); - int resetCount = 0; - struct dirent *entry; -#if defined(__sun) - char firstName[256]; -#else - char firstName[NAME_MAX + 1]; -#endif - const char *name = NULL; - int i; - - if (fd == NULL) { - dir = PR_GetEnvSecure("HOME"); - if (dir) { - fd = opendir(dir); - } - } - if (fd == NULL) { - return 1; - } - - firstName[0] = '\0'; - for (i = 0; i <= fileToRead; i++) { - do { - /* readdir() isn't guaranteed to be thread safe on every platform; - * this code assumes the same directory isn't read concurrently. - * This usage is confirmed safe on Linux, see bug 1254334. */ - entry = readdir(fd); - } while (entry != NULL && !ReadFileOK(dir, &entry->d_name[0])); - if (entry == NULL) { - resetCount = 1; /* read to the end, start again at the beginning */ - if (firstName[0]) { - /* ran out of entries in the directory, use the first one */ - name = firstName; - } - break; - } - name = entry->d_name; - if (i == 0) { - /* copy the name of the first in case we run out of entries */ - PORT_Assert(PORT_Strlen(name) < sizeof(firstName)); - PORT_Strncpy(firstName, name, sizeof(firstName) - 1); - firstName[sizeof(firstName) - 1] = '\0'; - } - } - - if (name) { - char filename[PATH_MAX]; - int count = snprintf(filename, sizeof(filename), "%s/%s", dir, name); - if (count >= 1) { - ReadSingleFile(filename); - } - } - - closedir(fd); - return resetCount; -} - -/* - * do something to try to introduce more noise into the 'GetNoise' call - */ -static void -rng_systemJitter(void) -{ - static int fileToRead = 1; - - if (ReadOneFile(fileToRead)) { - fileToRead = 1; - } else { - fileToRead++; - } -} - 
size_t RNG_SystemRNG(void *dest, size_t maxLen) { @@ -1149,7 +870,8 @@ RNG_SystemRNG(void *dest, size_t maxLen) file = fopen("/dev/urandom", "r"); if (file == NULL) { - return rng_systemFromNoise(dest, maxLen); + PORT_SetError(SEC_ERROR_NEED_RANDOM); + return 0; } /* Read from the underlying file descriptor directly to bypass stdio * buffering and avoid reading more bytes than we need from /dev/urandom. diff --git a/security/nss/lib/freebl/unix_urandom.c b/security/nss/lib/freebl/unix_urandom.c new file mode 100644 index 0000000000..25e6ad91cf --- /dev/null +++ b/security/nss/lib/freebl/unix_urandom.c @@ -0,0 +1,50 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include <fcntl.h> +#include <unistd.h> +#include "secerr.h" +#include "secrng.h" +#include "prprf.h" + +void +RNG_SystemInfoForRNG(void) +{ + PRUint8 bytes[SYSTEM_RNG_SEED_COUNT]; + size_t numBytes = RNG_SystemRNG(bytes, SYSTEM_RNG_SEED_COUNT); + if (!numBytes) { + /* error is set */ + return; + } + RNG_RandomUpdate(bytes, numBytes); +} + +size_t +RNG_SystemRNG(void *dest, size_t maxLen) +{ + int fd; + int bytes; + size_t fileBytes = 0; + unsigned char *buffer = dest; + + fd = open("/dev/urandom", O_RDONLY); + if (fd < 0) { + PORT_SetError(SEC_ERROR_NEED_RANDOM); + return 0; + } + while (fileBytes < maxLen) { + bytes = read(fd, buffer, maxLen - fileBytes); + if (bytes <= 0) { + break; + } + fileBytes += bytes; + buffer += bytes; + } + (void)close(fd); + if (fileBytes != maxLen) { + PORT_SetError(SEC_ERROR_NEED_RANDOM); + return 0; + } + return fileBytes; +} diff --git a/security/nss/lib/jar/jar.gyp b/security/nss/lib/jar/jar.gyp index e38b4ab99e..ee8734aca8 100644 --- a/security/nss/lib/jar/jar.gyp +++ b/security/nss/lib/jar/jar.gyp 
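Review bot: In the new RNG_SystemRNG, `bytes = read(fd, buffer, maxLen - fileBytes)` stores a `ssize_t` in an `int` and treats any negative return as final, so a read interrupted by a signal (EINTR) ends the loop early and the function reports SEC_ERROR_NEED_RANDOM for a transient condition. Declaring `ssize_t bytes;` and adding `if (bytes < 0 && errno == EINTR) continue;` ahead of the existing break (with `<errno.h>` included) makes the seed read robust, while `bytes == 0` can still terminate. The `open("/dev/urandom", O_RDONLY)` would also benefit from `O_CLOEXEC` so the descriptor cannot be inherited by a child spawned from another thread between the open and the close. This matches the fail-closed behaviour the unix_rand.c hunk above gives RNG_SystemRNG, which is consistent.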
@@ -26,49 +26,6 @@ 'defines': [ 'MOZILLA_CLIENT=1', ], - 'conditions': [ - [ 'OS=="win"', { - 'configurations': { - 'x86_Base': { - 'msvs_settings': { - 'VCCLCompilerTool': { - 'PreprocessorDefinitions': [ - 'NSS_X86_OR_X64', - 'NSS_X86', - ], - }, - }, - }, - 'x64_Base': { - 'msvs_settings': { - 'VCCLCompilerTool': { - 'PreprocessorDefinitions': [ - 'NSS_USE_64', - 'NSS_X86_OR_X64', - 'NSS_X64', - ], - }, - }, - }, - }, - }, { - 'conditions': [ - [ 'target_arch=="x64"', { - 'defines': [ - 'NSS_USE_64', - 'NSS_X86_OR_X64', - 'NSS_X64', - ], - }], - [ 'target_arch=="ia32"', { - 'defines': [ - 'NSS_X86_OR_X64', - 'NSS_X86', - ], - }], - ], - }], - ], }, 'variables': { 'module': 'nss' diff --git a/security/nss/lib/libpkix/libpkix.gyp b/security/nss/lib/libpkix/libpkix.gyp new file mode 100644 index 0000000000..ec6e006179 --- /dev/null +++ b/security/nss/lib/libpkix/libpkix.gyp @@ -0,0 +1,31 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../coreconf/config.gypi' + ], + 'targets': [ + { + 'target_name': 'libpkix', + 'type': 'none', + 'conditions': [ + [ 'disable_libpkix==0', { + 'dependencies': [ + 'pkix/certsel/certsel.gyp:pkixcertsel', + 'pkix/checker/checker.gyp:pkixchecker', + 'pkix/crlsel/crlsel.gyp:pkixcrlsel', + 'pkix/params/params.gyp:pkixparams', + 'pkix/results/results.gyp:pkixresults', + 'pkix/store/store.gyp:pkixstore', + 'pkix/top/top.gyp:pkixtop', + 'pkix/util/util.gyp:pkixutil', + 'pkix_pl_nss/module/module.gyp:pkixmodule', + 'pkix_pl_nss/pki/pki.gyp:pkixpki', + 'pkix_pl_nss/system/system.gyp:pkixsystem', + ], + }], + ], + }, + ], +}
\ No newline at end of file diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c index 171a3d2d97..28b6953a76 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c @@ -89,8 +89,8 @@ pkix_pl_OcspRequest_Hashcode( PKIX_HASHCODE(ocspRq->signerCert, &signerHash, plContext, PKIX_CERTHASHCODEFAILED); - *pHashcode = (((((extensionHash << 8) || certHash) << 8) || - dateHash) << 8) || signerHash; + *pHashcode = (((((extensionHash << 8) | certHash) << 8) | + dateHash) << 8) | signerHash; cleanup: diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def index 1760b96e41..e1453cc84e 100644 --- a/security/nss/lib/nss/nss.def +++ b/security/nss/lib/nss/nss.def @@ -1097,3 +1097,21 @@ PK11_VerifyWithMechanism; ;+ local: ;+ *; ;+}; +;+NSS_3.30 { # NSS 3.30 release +;+ global: +CERT_CompareAVA; +PK11_HasAttributeSet; +;+ local: +;+ *; +;+}; +;+NSS_3.31 { # NSS 3.31 release +;+ global: +CERT_GetCertIsPerm; +CERT_GetCertIsTemp; +PK11_FindCertFromURI; +PK11_FindCertsFromURI; +PK11_GetModuleURI; +PK11_GetTokenURI; +;+ local: +;+ *; +;+}; diff --git a/security/nss/lib/nss/nss.gyp b/security/nss/lib/nss/nss.gyp index 56984d9f14..8f4415701b 100644 --- a/security/nss/lib/nss/nss.gyp +++ b/security/nss/lib/nss/nss.gyp 
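Review bot: Replacing `||` with `|` makes the hash code depend on all four components instead of collapsing to 0 or 1, which is the right fix. Since each operand is presumably a full-width PKIX_UInt32 hash, the three 8-bit shifts still push the upper bits of `extensionHash`, `certHash` and `dateHash` off the top and overlap the rest, so the mix is weaker than the expression suggests; a rotate-and-xor combination would spread them better if collision quality matters for the hashcode's consumer. Assuming it only keys a collection lookup, this is a quality note rather than a correctness one.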
@@ -33,24 +33,8 @@ '<(DEPTH)/lib/pki/pki.gyp:nsspki', '<(DEPTH)/lib/dev/dev.gyp:nssdev', '<(DEPTH)/lib/base/base.gyp:nssb', + '<(DEPTH)/lib/libpkix/libpkix.gyp:libpkix', ], - 'conditions': [ - [ 'disable_libpkix==0', { - 'dependencies': [ - '<(DEPTH)/lib/libpkix/pkix/certsel/certsel.gyp:pkixcertsel', - '<(DEPTH)/lib/libpkix/pkix/checker/checker.gyp:pkixchecker', - '<(DEPTH)/lib/libpkix/pkix/params/params.gyp:pkixparams', - '<(DEPTH)/lib/libpkix/pkix/results/results.gyp:pkixresults', - '<(DEPTH)/lib/libpkix/pkix/top/top.gyp:pkixtop', - '<(DEPTH)/lib/libpkix/pkix/util/util.gyp:pkixutil', - '<(DEPTH)/lib/libpkix/pkix/crlsel/crlsel.gyp:pkixcrlsel', - '<(DEPTH)/lib/libpkix/pkix/store/store.gyp:pkixstore', - '<(DEPTH)/lib/libpkix/pkix_pl_nss/pki/pki.gyp:pkixpki', - '<(DEPTH)/lib/libpkix/pkix_pl_nss/system/system.gyp:pkixsystem', - '<(DEPTH)/lib/libpkix/pkix_pl_nss/module/module.gyp:pkixmodule' - ], - }], - ], }, { 'target_name': 'nss3', diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index e4f9facdeb..8238faca7e 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -22,10 +22,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define NSS_VERSION "3.28.6" _NSS_CUSTOMIZED +#define NSS_VERSION "3.32.1" _NSS_CUSTOMIZED #define NSS_VMAJOR 3 -#define NSS_VMINOR 28 -#define NSS_VPATCH 6 +#define NSS_VMINOR 32 +#define NSS_VPATCH 1 #define NSS_VBUILD 0 #define NSS_BETA PR_FALSE diff --git a/security/nss/lib/pk11wrap/dev3hack.c b/security/nss/lib/pk11wrap/dev3hack.c index 27325a55a9..39afd67430 100644 --- a/security/nss/lib/pk11wrap/dev3hack.c +++ b/security/nss/lib/pk11wrap/dev3hack.c 
@@ -114,7 +114,7 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot) rvSlot->base.refCount = 1; rvSlot->base.lock = PZ_NewLock(nssILockOther); rvSlot->base.arena = arena; - rvSlot->pk11slot = nss3slot; + rvSlot->pk11slot = PK11_ReferenceSlot(nss3slot); rvSlot->epv = nss3slot->functionList; rvSlot->slotID = nss3slot->slotID; /* Grab the slot name from the PKCS#11 fixed-length buffer */ @@ -150,7 +150,7 @@ nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot) return NULL; } rvToken->base.arena = arena; - rvToken->pk11slot = nss3slot; + rvToken->pk11slot = PK11_ReferenceSlot(nss3slot); rvToken->epv = nss3slot->functionList; rvToken->defaultSession = nssSession_ImportNSS3Session(td->arena, nss3slot->session, diff --git a/security/nss/lib/pk11wrap/pk11akey.c b/security/nss/lib/pk11wrap/pk11akey.c index 01d1d7fd99..c45901ec39 100644 --- a/security/nss/lib/pk11wrap/pk11akey.c +++ b/security/nss/lib/pk11wrap/pk11akey.c @@ -886,6 +886,10 @@ PK11_GetPrivateModulusLen(SECKEYPrivateKey *key) PORT_SetError(PK11_MapError(crv)); return -1; } + if (theTemplate.pValue == NULL) { + PORT_SetError(PK11_MapError(CKR_ATTRIBUTE_VALUE_INVALID)); + return -1; + } length = theTemplate.ulValueLen; if (*(unsigned char *)theTemplate.pValue == 0) { length--; diff --git a/security/nss/lib/pk11wrap/pk11auth.c b/security/nss/lib/pk11wrap/pk11auth.c index 4ccfad6f18..625fa2dc62 100644 --- a/security/nss/lib/pk11wrap/pk11auth.c +++ b/security/nss/lib/pk11wrap/pk11auth.c @@ -704,9 +704,11 @@ PRBool PK11_NeedPWInit() { PK11SlotInfo *slot = PK11_GetInternalKeySlot(); - PRBool ret = PK11_NeedPWInitForSlot(slot); - - PK11_FreeSlot(slot); + PRBool ret = PR_FALSE; + if (slot) { + ret = PK11_NeedPWInitForSlot(slot); + PK11_FreeSlot(slot); + } return ret; } diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c index 6968ae70a7..c1caf5e60b 100644 --- a/security/nss/lib/pk11wrap/pk11cert.c 
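Review bot: `rvSlot->pk11slot = PK11_ReferenceSlot(nss3slot)` and the matching change in nssToken_CreateFromPK11SlotInfo take a new reference on the slot, so whatever frees these objects (the nssSlot / nssToken destroy paths, not in this diff) must now call `PK11_FreeSlot` on `pk11slot`, otherwise every slot created this way is leaked and can never be unloaded. I could not verify those release paths were updated; worth a check, and a comment at the assignment such as `/* owned reference; released when the slot/token object is destroyed */` would make the ownership explicit to the next reader.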
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -34,6 +34,8 @@
 #include "pkitm.h"
 #include "pkistore.h" /* to remove temp cert */
 #include "devt.h"
+#include "ckhelper.h"
+#include "pkcs11uri.h"
 
 extern const NSSError NSS_ERROR_NOT_FOUND;
 extern const NSSError NSS_ERROR_INVALID_CERTIFICATE;
@@ -507,15 +509,231 @@ transfer_token_certs_to_collection(nssList *certList, NSSToken *token, nss_ZFreeIf(certs); } -CERTCertificate * -PK11_FindCertFromNickname(const char *nickname, void *wincx) +static void +transfer_uri_certs_to_collection(nssList *certList, PK11URI *uri, + nssPKIObjectCollection *collection) +{ + + NSSCertificate **certs; + PRUint32 i, count; + NSSToken **tokens, **tp; + PK11SlotInfo *slot; + const char *id; + + id = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_ID); + count = nssList_Count(certList); + if (count == 0) { + return; + } + certs = nss_ZNEWARRAY(NULL, NSSCertificate *, count); + if (!certs) { + return; + } + nssList_GetArray(certList, (void **)certs, count); + for (i = 0; i < count; i++) { + /* + * Filter the subject matched certs based on the + * CKA_ID from the URI + */ + if (id && (strlen(id) != certs[i]->id.size || + memcmp(id, certs[i]->id.data, certs[i]->id.size))) + continue; + tokens = nssPKIObject_GetTokens(&certs[i]->object, NULL); + if (tokens) { + for (tp = tokens; *tp; tp++) { + const char *value; + slot = (*tp)->pk11slot; + + value = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_TOKEN); + if (value && + !pk11_MatchString(value, + (char *)slot->tokenInfo.label, + sizeof(slot->tokenInfo.label))) { + continue; + } + + value = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_MANUFACTURER); + if (value && + !pk11_MatchString(value, + (char *)slot->tokenInfo.manufacturerID, + sizeof(slot->tokenInfo.manufacturerID))) { + continue; + } + + value = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_MODEL); + if (value && + !pk11_MatchString(value, + (char *)slot->tokenInfo.model, + sizeof(slot->tokenInfo.model))) { + continue; + } + + nssPKIObjectCollection_AddObject(collection, + (nssPKIObject *)certs[i]); + break; + } + nssTokenArray_Destroy(tokens); + } + CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(certs[i])); + } + nss_ZFreeIf(certs); +} + +static NSSCertificate ** +find_certs_from_uri(const char *uriString, void *wincx) { + 
PK11URI *uri = NULL; + CK_ATTRIBUTE attributes[10]; + CK_ULONG nattributes = 0; + const char *label; + PK11SlotInfo *slotinfo; + nssCryptokiObject **instances; PRStatus status; - CERTCertificate *rvCert = NULL; - NSSCertificate *cert = NULL; + nssPKIObjectCollection *collection = NULL; + NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain(); NSSCertificate **certs = NULL; + nssList *certList = NULL; + SECStatus rv; + CK_OBJECT_CLASS s_class = CKO_CERTIFICATE; + static const CK_BBOOL s_true = CK_TRUE; + NSSToken **tokens, **tok; + + uri = PK11URI_ParseURI(uriString); + if (uri == NULL) { + goto loser; + } + + collection = nssCertificateCollection_Create(defaultTD, NULL); + if (!collection) { + goto loser; + } + certList = nssList_Create(NULL, PR_FALSE); + if (!certList) { + goto loser; + } + + label = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_OBJECT); + if (label) { + (void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD, + (const char *)label, + certList); + } else { + (void)nssTrustDomain_GetCertsFromCache(defaultTD, certList); + } + + transfer_uri_certs_to_collection(certList, uri, collection); + + /* add the CKA_CLASS and CKA_TOKEN attributes manually */ + attributes[nattributes].type = CKA_CLASS; + attributes[nattributes].pValue = (void *)&s_class; + attributes[nattributes].ulValueLen = sizeof(s_class); + nattributes++; + + attributes[nattributes].type = CKA_TOKEN; + attributes[nattributes].pValue = (void *)&s_true; + attributes[nattributes].ulValueLen = sizeof(s_true); + nattributes++; + + if (label) { + attributes[nattributes].type = CKA_LABEL; + attributes[nattributes].pValue = (void *)label; + attributes[nattributes].ulValueLen = strlen(label); + nattributes++; + } + + tokens = NSSTrustDomain_FindTokensByURI(defaultTD, uri); + for (tok = tokens; tok && *tok; tok++) { + if (nssToken_IsPresent(*tok)) { + slotinfo = (*tok)->pk11slot; + + rv = pk11_AuthenticateUnfriendly(slotinfo, PR_TRUE, wincx); + if (rv != SECSuccess) { + continue; + } + instances 
= nssToken_FindObjectsByTemplate(*tok, NULL, + attributes, + nattributes, + 0, &status); + nssPKIObjectCollection_AddInstances(collection, instances, 0); + nss_ZFreeIf(instances); + } + nssToken_Destroy(*tok); + } + nss_ZFreeIf(tokens); + nssList_Destroy(certList); + certs = nssPKIObjectCollection_GetCertificates(collection, NULL, 0, NULL); + +loser: + if (collection) { + nssPKIObjectCollection_Destroy(collection); + } + if (uri) { + PK11URI_DestroyURI(uri); + } + return certs; +} + +CERTCertificate * +PK11_FindCertFromURI(const char *uri, void *wincx) +{ static const NSSUsage usage = { PR_TRUE /* ... */ }; - NSSToken *token; + NSSCertificate *cert = NULL; + NSSCertificate **certs = NULL; + CERTCertificate *rvCert = NULL; + + certs = find_certs_from_uri(uri, wincx); + if (certs) { + cert = nssCertificateArray_FindBestCertificate(certs, NULL, + &usage, NULL); + if (cert) { + rvCert = STAN_GetCERTCertificateOrRelease(cert); + } + nssCertificateArray_Destroy(certs); + } + return rvCert; +} + +CERTCertList * +PK11_FindCertsFromURI(const char *uri, void *wincx) +{ + int i; + CERTCertList *certList = NULL; + NSSCertificate **foundCerts; + NSSCertificate *c; + + foundCerts = find_certs_from_uri(uri, wincx); + if (foundCerts) { + PRTime now = PR_Now(); + certList = CERT_NewCertList(); + for (i = 0, c = *foundCerts; c; c = foundCerts[++i]) { + if (certList) { + CERTCertificate *certCert = STAN_GetCERTCertificateOrRelease(c); + /* c may be invalid after this, don't reference it */ + if (certCert) { + /* CERT_AddCertToListSorted adopts certCert */ + CERT_AddCertToListSorted(certList, certCert, + CERT_SortCBValidity, &now); + } + } else { + nssCertificate_Destroy(c); + } + } + if (certList && CERT_LIST_HEAD(certList) == NULL) { + CERT_DestroyCertList(certList); + certList = NULL; + } + /* all the certs have been adopted or freed, free the raw array */ + nss_ZFreeIf(foundCerts); + } + return certList; +} + +static NSSCertificate ** +find_certs_from_nickname(const char 
*nickname, void *wincx) +{ + PRStatus status; + NSSCertificate **certs = NULL; + NSSToken *token = NULL; NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain(); PK11SlotInfo *slot = NULL; SECStatus rv; @@ -523,6 +741,11 @@ PK11_FindCertFromNickname(const char *nickname, void *wincx) char *delimit = NULL; char *tokenName; + if (!strncmp(nickname, "pkcs11:", strlen("pkcs11:"))) { + certs = find_certs_from_uri(nickname, wincx); + if (certs) + return certs; + } nickCopy = PORT_Strdup(nickname); if (!nickCopy) { /* error code is set */ @@ -543,6 +766,11 @@ PK11_FindCertFromNickname(const char *nickname, void *wincx) } else { slot = PK11_GetInternalKeySlot(); token = PK11Slot_GetNSSToken(slot); + if (token) { + nssToken_AddRef(token); + } else { + PORT_SetError(SEC_ERROR_NO_TOKEN); + } } if (token) { nssList *certList; 
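Review bot: In find_certs_from_uri, the `continue` taken when `pk11_AuthenticateUnfriendly` fails skips the `nssToken_Destroy(*tok)` at the bottom of the loop, so every token the user declines to authenticate to leaks the reference returned by `NSSTrustDomain_FindTokensByURI` (assuming that function hands back owned references, which the unconditional destroy on the normal path implies). Adding `nssToken_Destroy(*tok);` before that `continue` fixes it. Two smaller points in the same hunk: `CK_ATTRIBUTE attributes[10]` only ever holds three entries, and `certList` is destroyed only on the success path — no `goto loser` currently occurs after its creation, so this is fragile rather than wrong, but moving the `nssList_Destroy(certList)` under `loser:` behind `if (certList)` would keep it safe as the function grows.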
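Review bot: The new `nssToken_AddRef(token)` in the internal-slot branch pairs with the `nssToken_Destroy(token)` that the next hunk adds under `loser:`, which now runs for both branches of the token lookup. That is balanced only if the `NSSTrustDomain_FindTokenByName` branch above this hunk, which is not in the diff, also returns an owned reference; if it returns a borrowed pointer, that path now releases a reference it never took. Worth confirming, and a one-line comment at the AddRef, `/* balanced by nssToken_Destroy at loser: */`, documents the pairing for the next reader.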
@@ -600,29 +828,38 @@ PK11_FindCertFromNickname(const char *nickname, void *wincx) certs = nssPKIObjectCollection_GetCertificates(collection, NULL, 0, NULL); nssPKIObjectCollection_Destroy(collection); - if (certs) { - cert = nssCertificateArray_FindBestCertificate(certs, NULL, - &usage, NULL); - if (cert) { - rvCert = STAN_GetCERTCertificateOrRelease(cert); - } - nssCertificateArray_Destroy(certs); - } nssList_Destroy(certList); } - if (slot) { - PK11_FreeSlot(slot); - } - if (nickCopy) - PORT_Free(nickCopy); - return rvCert; loser: + if (token) { + nssToken_Destroy(token); + } if (slot) { PK11_FreeSlot(slot); } if (nickCopy) PORT_Free(nickCopy); - return NULL; + return certs; +} + +CERTCertificate * +PK11_FindCertFromNickname(const char *nickname, void *wincx) +{ + CERTCertificate *rvCert = NULL; + NSSCertificate *cert = NULL; + NSSCertificate **certs = NULL; + static const NSSUsage usage = { PR_TRUE /* ... */ }; + + certs = find_certs_from_nickname(nickname, wincx); + if (certs) { + cert = nssCertificateArray_FindBestCertificate(certs, NULL, + &usage, NULL); + if (cert) { + rvCert = STAN_GetCERTCertificateOrRelease(cert); + } + nssCertificateArray_Destroy(certs); + } + return rvCert; } /* Traverse slots callback */ @@ -690,8 +927,7 @@ PK11_FindCertsFromEmailAddress(const char *email, void *wincx) } /* empty list? */ - if (CERT_LIST_HEAD(cbparam.certList) == NULL || - CERT_LIST_END(CERT_LIST_HEAD(cbparam.certList), cbparam.certList)) { + if (CERT_LIST_EMPTY(cbparam.certList)) { CERT_DestroyCertList(cbparam.certList); cbparam.certList = NULL; } 
@@ -703,111 +939,12 @@ PK11_FindCertsFromEmailAddress(const char *email, void *wincx) CERTCertList * PK11_FindCertsFromNickname(const char *nickname, void *wincx) { - char *nickCopy; - char *delimit = NULL; - char *tokenName; int i; CERTCertList *certList = NULL; - nssPKIObjectCollection *collection = NULL; NSSCertificate **foundCerts = NULL; - NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain(); NSSCertificate *c; - NSSToken *token; - PK11SlotInfo *slot; - SECStatus rv; - - nickCopy = PORT_Strdup(nickname); - if (!nickCopy) { - /* error code is set */ - return NULL; - } - if ((delimit = PORT_Strchr(nickCopy, ':')) != NULL) { - tokenName = nickCopy; - nickname = delimit + 1; - *delimit = '\0'; - /* find token by name */ - token = NSSTrustDomain_FindTokenByName(defaultTD, (NSSUTF8 *)tokenName); - if (token) { - slot = PK11_ReferenceSlot(token->pk11slot); - } else { - PORT_SetError(SEC_ERROR_NO_TOKEN); - slot = NULL; - } - *delimit = ':'; - } else { - slot = PK11_GetInternalKeySlot(); - token = PK11Slot_GetNSSToken(slot); - } - if (token) { - PRStatus status; - nssList *nameList; - nssCryptokiObject **instances; - nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; - rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); - if (rv != SECSuccess) { - PK11_FreeSlot(slot); - if (nickCopy) - PORT_Free(nickCopy); - return NULL; - } - collection = nssCertificateCollection_Create(defaultTD, NULL); - if (!collection) { - PK11_FreeSlot(slot); - if (nickCopy) - PORT_Free(nickCopy); - return NULL; - } - nameList = nssList_Create(NULL, PR_FALSE); - if (!nameList) { - PK11_FreeSlot(slot); - if (nickCopy) - PORT_Free(nickCopy); - return NULL; - } - (void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD, - nickname, - nameList); - transfer_token_certs_to_collection(nameList, token, collection); - instances = nssToken_FindCertificatesByNickname(token, - NULL, - nickname, - tokenOnly, - 0, - &status); - nssPKIObjectCollection_AddInstances(collection, instances, 0); 
- nss_ZFreeIf(instances); - - /* if it wasn't found, repeat the process for email address */ - if (nssPKIObjectCollection_Count(collection) == 0 && - PORT_Strchr(nickname, '@') != NULL) { - char *lowercaseName = CERT_FixupEmailAddr(nickname); - if (lowercaseName) { - (void)nssTrustDomain_GetCertsForEmailAddressFromCache(defaultTD, - lowercaseName, - nameList); - transfer_token_certs_to_collection(nameList, token, collection); - instances = nssToken_FindCertificatesByEmail(token, - NULL, - lowercaseName, - tokenOnly, - 0, - &status); - nssPKIObjectCollection_AddInstances(collection, instances, 0); - nss_ZFreeIf(instances); - PORT_Free(lowercaseName); - } - } - nssList_Destroy(nameList); - foundCerts = nssPKIObjectCollection_GetCertificates(collection, - NULL, 0, NULL); - nssPKIObjectCollection_Destroy(collection); - } - if (slot) { - PK11_FreeSlot(slot); - } - if (nickCopy) - PORT_Free(nickCopy); + foundCerts = find_certs_from_nickname(nickname, wincx); if (foundCerts) { PRTime now = PR_Now(); certList = CERT_NewCertList(); @@ -824,10 +961,6 @@ PK11_FindCertsFromNickname(const char *nickname, void *wincx) nssCertificate_Destroy(c); } } - if (certList && CERT_LIST_HEAD(certList) == NULL) { - CERT_DestroyCertList(certList); - certList = NULL; - } /* all the certs have been adopted or freed, free the raw array */ nss_ZFreeIf(foundCerts); } @@ -979,8 +1112,10 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert, nssCertificateStore_RemoveCertLOCKED(cc->certStore, c); nssCertificateStore_Unlock(cc->certStore, &lockTrace, &unlockTrace); c->object.cryptoContext = NULL; + CERT_LockCertTempPerm(cert); cert->istemp = PR_FALSE; cert->isperm = PR_TRUE; + CERT_UnlockCertTempPerm(cert); } /* add the new instance to the cert, force an update of the diff --git a/security/nss/lib/pk11wrap/pk11load.c b/security/nss/lib/pk11wrap/pk11load.c index f12d0fd4fe..91339fad8f 100644 --- a/security/nss/lib/pk11wrap/pk11load.c +++ b/security/nss/lib/pk11wrap/pk11load.c 
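Review bot: With the rewrite, `PK11_FindCertsFromNickname` can return an empty, non-NULL list: `CERT_NewCertList()` is created whenever `foundCerts` is non-NULL, and the empty-list normalization is dropped in the following hunk (`@@ -824`), while `PK11_FindCertsFromEmailAddress` in the earlier hunk still collapses an empty list to NULL via `CERT_LIST_EMPTY`. If the loop (outside the hunk) can discard every candidate through `STAN_GetCERTCertificateOrRelease` failing, callers that test the result for NULL will now see "found" for an empty list. Either document the new semantics on the public declaration or keep the two siblings consistent with `if (certList && CERT_LIST_EMPTY(certList)) { CERT_DestroyCertList(certList); certList = NULL; }`.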
@@ -17,6 +17,10 @@ #include "secerr.h" #include "prenv.h" #include "utilparst.h" +#include "prio.h" +#include "prprf.h" +#include <stdio.h> +#include "prsystem.h" #define DEBUG_MODULE 1 @@ -350,6 +354,7 @@ SECMOD_SetRootCerts(PK11SlotInfo *slot, SECMODModule *mod) } } +#ifndef NSS_TEST_BUILD static const char *my_shlib_name = SHLIB_PREFIX "nss" SHLIB_VERSION "." SHLIB_SUFFIX; static const char *softoken_shlib_name = @@ -359,11 +364,6 @@ static PRCallOnceType loadSoftokenOnce; static PRLibrary *softokenLib; static PRInt32 softokenLoadCount; -#include "prio.h" -#include "prprf.h" -#include <stdio.h> -#include "prsystem.h" - /* This function must be run only once. */ /* determine if hybrid platform, then actually load the DSO. */ static PRStatus @@ -380,6 +380,10 @@ softoken_LoadDSO(void) } return PR_FAILURE; } +#else +CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList); +char **NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args); +#endif /* * load a new module into our address space and initialize it. @@ -398,8 +402,11 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) if (mod->loaded) return SECSuccess; - /* intenal modules get loaded from their internal list */ + /* internal modules get loaded from their internal list */ if (mod->internal && (mod->dllName == NULL)) { +#ifdef NSS_TEST_BUILD + entry = (CK_C_GetFunctionList)NSC_GetFunctionList; +#else /* * Loads softoken as a dynamic library, * even though the rest of NSS assumes this as the "internal" module. @@ -420,10 +427,15 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) if (!entry) return SECFailure; +#endif if (mod->isModuleDB) { mod->moduleDBFunc = (CK_C_GetFunctionList) +#ifdef NSS_TEST_BUILD + NSC_ModuleDBFunc; +#else PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc"); +#endif } if (mod->moduleDBOnly) { 
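Review bot: The `NSS_TEST_BUILD` prototypes for `NSC_GetFunctionList` and `NSC_ModuleDBFunc` in hunk `@@ -380` are hand-written in this .c file, so nothing checks them against softoken's own declarations; including softoken's header for those symbols keeps the cast `entry = (CK_C_GetFunctionList)NSC_GetFunctionList;` honest if either signature changes. In hunk `@@ -420` the assignment to `mod->moduleDBFunc` is split mid-statement across `#ifdef`/`#else`; writing the complete statement in each branch is easier to read and to grep. Because this flag replaces the dynamic load of softoken here and skips the `softokenLoadCount` bookkeeping in `SECMOD_UnloadModule` (hunks `@@ -601` and `@@ -616`), a comment at the `#ifndef NSS_TEST_BUILD` before `my_shlib_name` stating that it is for statically linked test binaries only would document the intent.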
@@ -601,6 +613,7 @@ SECMOD_UnloadModule(SECMODModule *mod) * if not, we should change this to SECFailure and move it above the * mod->loaded = PR_FALSE; */ if (mod->internal && (mod->dllName == NULL)) { +#ifndef NSS_TEST_BUILD if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) { if (softokenLib) { disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD"); @@ -616,6 +629,7 @@ SECMOD_UnloadModule(SECMODModule *mod) } loadSoftokenOnce = pristineCallOnce; } +#endif return SECSuccess; } diff --git a/security/nss/lib/pk11wrap/pk11mech.c b/security/nss/lib/pk11wrap/pk11mech.c index 4db05ff392..48e50dff45 100644 --- a/security/nss/lib/pk11wrap/pk11mech.c +++ b/security/nss/lib/pk11wrap/pk11mech.c @@ -612,6 +612,10 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size) case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN: case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN: case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN: + case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN: + case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN: + case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN: + case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN: case CKM_NETSCAPE_PBE_SHA1_DES_CBC: case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: diff --git a/security/nss/lib/pk11wrap/pk11obj.c b/security/nss/lib/pk11wrap/pk11obj.c index 18850b29d1..47c56154d4 100644 --- a/security/nss/lib/pk11wrap/pk11obj.c +++ b/security/nss/lib/pk11wrap/pk11obj.c @@ -156,8 +156,8 @@ PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, * check to see if a bool has been set. */ CK_BBOOL -PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, - CK_ATTRIBUTE_TYPE type, PRBool haslock) +pk11_HasAttributeSet_Lock(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, + CK_ATTRIBUTE_TYPE type, PRBool haslock) { CK_BBOOL ckvalue = CK_FALSE; CK_ATTRIBUTE theTemplate; 
@@ -181,6 +181,14 @@ PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, return ckvalue; } +CK_BBOOL +PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, + CK_ATTRIBUTE_TYPE type, PRBool haslock) +{ + PR_ASSERT(haslock == PR_FALSE); + return pk11_HasAttributeSet_Lock(slot, id, type, PR_FALSE); +} + /* * returns a full list of attributes. Allocate space for them. If an arena is * provided, allocate space out of the arena. @@ -2020,6 +2028,9 @@ PK11_FindObjectsFromNickname(char *nickname, PK11SlotInfo **slotptr, if ((delimit = PORT_Strchr(nickname, ':')) != NULL) { int len = delimit - nickname; tokenName = (char *)PORT_Alloc(len + 1); + if (!tokenName) { + return CK_INVALID_HANDLE; + } PORT_Memcpy(tokenName, nickname, len); tokenName[len] = 0; diff --git a/security/nss/lib/pk11wrap/pk11pbe.c b/security/nss/lib/pk11wrap/pk11pbe.c index 7837bfe9c7..bea9333f62 100644 --- a/security/nss/lib/pk11wrap/pk11pbe.c +++ b/security/nss/lib/pk11wrap/pk11pbe.c @@ -4,6 +4,7 @@ #include "plarena.h" +#include "blapit.h" #include "seccomon.h" #include "secitem.h" #include "secport.h" 
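Review bot: `PR_ASSERT(haslock == PR_FALSE)` in the new `PK11_HasAttributeSet` wrapper compiles out in non-DEBUG builds, after which a caller passing `PR_TRUE` silently gets `PR_FALSE` forwarded to `pk11_HasAttributeSet_Lock`; if that function takes the slot monitor when `haslock` is false (its body is outside this hunk), a caller already holding the monitor could deadlock. Rejecting the argument at runtime is cheap: `if (haslock != PR_FALSE) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return CK_FALSE; }` before the forwarding call. The public declaration in pk11pub.h only carries `/* must be set to PR_FALSE */`, so a sentence there on why the parameter exists at all would help callers.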
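Review bot: In the `@@ -2020` hunk, `return CK_INVALID_HANDLE;` is used in `PK11_FindObjectsFromNickname`, whose declaration in pk11priv.h (later hunk context) returns `CK_OBJECT_HANDLE *`; this works only because `CK_INVALID_HANDLE` is the integer constant 0 converting to a null pointer, and `return NULL;` states the intent. I cannot see whether `*slotptr` and the count output are initialized before this early exit; if not, callers reading them after a NULL return get indeterminate values, so a note or initialization would be worth adding.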
@@ -301,17 +302,49 @@ SEC_PKCS5GetPBEAlgorithm(SECOidTag algTag, int keyLen) return SEC_OID_UNKNOWN; } +static PRBool +sec_pkcs5_is_algorithm_v2_aes_algorithm(SECOidTag algorithm) +{ + switch (algorithm) { + case SEC_OID_AES_128_CBC: + case SEC_OID_AES_192_CBC: + case SEC_OID_AES_256_CBC: + return PR_TRUE; + default: + return PR_FALSE; + } +} + +static int +sec_pkcs5v2_aes_key_length(SECOidTag algorithm) +{ + switch (algorithm) { + /* The key length for the AES-CBC-Pad algorithms are + * determined from the undelying cipher algorithm. */ + case SEC_OID_AES_128_CBC: + return AES_128_KEY_LENGTH; + case SEC_OID_AES_192_CBC: + return AES_192_KEY_LENGTH; + case SEC_OID_AES_256_CBC: + return AES_256_KEY_LENGTH; + default: + break; + } + return 0; +} + /* * get the key length in bytes from a PKCS5 PBE */ -int -sec_pkcs5v2_key_length(SECAlgorithmID *algid) +static int +sec_pkcs5v2_key_length(SECAlgorithmID *algid, SECAlgorithmID *cipherAlgId) { SECOidTag algorithm; PLArenaPool *arena = NULL; SEC_PKCS5PBEParameter p5_param; SECStatus rv; int length = -1; + SECOidTag cipherAlg = SEC_OID_UNKNOWN; algorithm = SECOID_GetAlgorithmTag(algid); /* sanity check, they should all be PBKDF2 here */ @@ -330,8 +363,20 @@ sec_pkcs5v2_key_length(SECAlgorithmID *algid) goto loser; } - if (p5_param.keyLength.data != NULL) { + if (cipherAlgId) + cipherAlg = SECOID_GetAlgorithmTag(cipherAlgId); + + if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlg)) { + length = sec_pkcs5v2_aes_key_length(cipherAlg); + } else if (p5_param.keyLength.data != NULL) { length = DER_GetInteger(&p5_param.keyLength); + } else { + CK_MECHANISM_TYPE cipherMech; + cipherMech = PK11_AlgtagToMechanism(cipherAlg); + if (cipherMech == CKM_INVALID_MECHANISM) { + goto loser; + } + length = PK11_GetMaxKeyLength(cipherMech); } loser: 
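Review bot: In hunk `@@ -330`, when the cipher is one of the AES-CBC OIDs the PBKDF2 `keyLength` parameter is no longer consulted, so a PBES2 structure whose explicit keyLength disagrees with the cipher (e.g. 16 with `SEC_OID_AES_256_CBC`) is accepted with the cipher's length rather than rejected; if that leniency is intended, it deserves a comment, otherwise a consistency check such as `if (p5_param.keyLength.data != NULL && DER_GetInteger(&p5_param.keyLength) != length) { length = -1; goto loser; }` makes malformed input fail closed. The new `else` branch calls `PK11_AlgtagToMechanism(cipherAlg)` with `SEC_OID_UNKNOWN` when `cipherAlgId` is NULL, which relies on that mapping returning `CKM_INVALID_MECHANISM`; a comment stating that the NULL-cipher case is expected to land in `loser` with `-1` would make it explicit. In hunk `@@ -301` the comment on `sec_pkcs5v2_aes_key_length` has a typo and a grammar slip: `/* The key length for the AES-CBC-Pad algorithms is determined from the underlying cipher algorithm. */`.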
@@ -375,14 +420,15 @@ SEC_PKCS5GetKeyLength(SECAlgorithmID *algid) case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: return 16; case SEC_OID_PKCS5_PBKDF2: - return sec_pkcs5v2_key_length(algid); + return sec_pkcs5v2_key_length(algid, NULL); case SEC_OID_PKCS5_PBES2: case SEC_OID_PKCS5_PBMAC1: { sec_pkcs5V2Parameter *pbeV2_param; int length = -1; pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); if (pbeV2_param != NULL) { - length = sec_pkcs5v2_key_length(&pbeV2_param->pbeAlgId); + length = sec_pkcs5v2_key_length(&pbeV2_param->pbeAlgId, + &pbeV2_param->cipherAlgId); sec_pkcs5_v2_destroy_v2_param(pbeV2_param); } return length; @@ -614,6 +660,8 @@ sec_pkcs5CreateAlgorithmID(SECOidTag algorithm, SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm); if (hashAlg != SEC_OID_UNKNOWN) { keyLength = HASH_ResultLenByOidTag(hashAlg); + } else if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlgorithm)) { + keyLength = sec_pkcs5v2_aes_key_length(cipherAlgorithm); } else { CK_MECHANISM_TYPE cryptoMech; cryptoMech = PK11_AlgtagToMechanism(cipherAlgorithm); diff --git a/security/nss/lib/pk11wrap/pk11pk12.c b/security/nss/lib/pk11wrap/pk11pk12.c index 1683cc564c..d753b87e58 100644 --- a/security/nss/lib/pk11wrap/pk11pk12.c +++ b/security/nss/lib/pk11wrap/pk11pk12.c @@ -65,6 +65,19 @@ struct SECKEYDHPrivateKeyStr { typedef struct SECKEYDHPrivateKeyStr SECKEYDHPrivateKey; /* +** Elliptic Curve Private Key structures +** <https://tools.ietf.org/html/rfc5915#section-3> +*/ +struct SECKEYECPrivateKeyStr { + PLArenaPool *arena; + SECItem version; + SECItem curveOID; /* optional/ignored */ + SECItem publicValue; /* required (for now) */ + SECItem privateValue; +}; +typedef struct SECKEYECPrivateKeyStr SECKEYECPrivateKey; + +/* ** raw private key object */ struct SECKEYRawPrivateKeyStr { 
@@ -74,6 +87,7 @@ struct SECKEYRawPrivateKeyStr { SECKEYRSAPrivateKey rsa; SECKEYDSAPrivateKey dsa; SECKEYDHPrivateKey dh; + SECKEYECPrivateKey ec; } u; }; typedef struct SECKEYRawPrivateKeyStr SECKEYRawPrivateKey; @@ -139,6 +153,33 @@ const SEC_ASN1Template SECKEY_DHPrivateKeyExportTemplate[] = { { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.dh.prime) }, }; +#ifndef NSS_DISABLE_ECC +SEC_ASN1_MKSUB(SEC_BitStringTemplate) +SEC_ASN1_MKSUB(SEC_ObjectIDTemplate) + +const SEC_ASN1Template SECKEY_ECPrivateKeyExportTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYRawPrivateKey) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.ec.version) }, + { SEC_ASN1_OCTET_STRING, + offsetof(SECKEYRawPrivateKey, u.ec.privateValue) }, + /* This value will always be ignored. u.ec.curveOID will always be + * overriden with the outer AlgorithmID.parameters. */ + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | + SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_XTRN | 0, + offsetof(SECKEYRawPrivateKey, u.ec.curveOID), + SEC_ASN1_SUB(SEC_ObjectIDTemplate) }, + /* The public value is optional per RFC, but required in NSS. We + * can't do scalar mult on ECs to get a raw point with PK11 APIs. */ + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | + SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_XTRN | 1, + offsetof(SECKEYRawPrivateKey, u.ec.publicValue), + SEC_ASN1_SUB(SEC_BitStringTemplate) }, + { 0 } +}; +#endif /* NSS_DISABLE_ECC */ + const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYEncryptedPrivateKeyInfo) }, 
@@ -198,6 +239,15 @@ prepare_dh_priv_key_export_for_asn1(SECKEYRawPrivateKey *key) key->u.dh.base.type = siUnsignedInteger; } +static void +prepare_ec_priv_key_export_for_asn1(SECKEYRawPrivateKey *key) +{ + key->u.ec.version.type = siUnsignedInteger; + key->u.ec.curveOID.type = siUnsignedInteger; + key->u.ec.privateValue.type = siUnsignedInteger; + key->u.ec.publicValue.type = siUnsignedInteger; +} + SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, SECItem *derPKI, SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
@@ -432,7 +482,50 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, lpk->u.dh.privateValue.len); attrs++; break; - /* what about fortezza??? */ +#ifndef NSS_DISABLE_ECC + case ecKey: + keyType = CKK_EC; + if (lpk->u.ec.publicValue.len == 0) { + goto loser; + } + if (PK11_IsInternal(slot)) { + PK11_SETATTRS(attrs, CKA_NETSCAPE_DB, + lpk->u.ec.publicValue.data, + lpk->u.ec.publicValue.len); + attrs++; + } + PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ? &cktrue + : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, + (keyUsage & KU_DIGITAL_SIGNATURE) ? &cktrue + : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_DERIVE, (keyUsage & KU_KEY_AGREEMENT) ? &cktrue + : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; + ck_id = PK11_MakeIDFromPubKey(&lpk->u.ec.publicValue); + if (ck_id == NULL) { + goto loser; + } + PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len); + attrs++; + signedattr = attrs; + /* curveOID always is a copy of AlgorithmID.parameters. */ + PK11_SETATTRS(attrs, CKA_EC_PARAMS, lpk->u.ec.curveOID.data, + lpk->u.ec.curveOID.len); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.ec.privateValue.data, + lpk->u.ec.privateValue.len); + attrs++; + PK11_SETATTRS(attrs, CKA_EC_POINT, lpk->u.ec.publicValue.data, + lpk->u.ec.publicValue.len); + attrs++; + break; +#endif /* NSS_DISABLE_ECC */ default: PORT_SetError(SEC_ERROR_BAD_KEY); goto loser; @@ -513,6 +606,15 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, paramDest = NULL; lpk->keyType = dhKey; break; +#ifndef NSS_DISABLE_ECC + case SEC_OID_ANSIX962_EC_PUBLIC_KEY: + prepare_ec_priv_key_export_for_asn1(lpk); + keyTemplate = SECKEY_ECPrivateKeyExportTemplate; + paramTemplate = NULL; + paramDest = NULL; + lpk->keyType = ecKey; + break; +#endif /* NSS_DISABLE_ECC */ default: keyTemplate = NULL; 
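Review bot: The `ecKey` case jumps to `loser` on `lpk->u.ec.publicValue.len == 0` without setting an error code, so the caller reports whatever stale error was last set; `PORT_SetError(SEC_ERROR_BAD_KEY);` before that `goto loser` matches the `default:` branch a few lines below. `CKA_SIGN_RECOVER` is set for EC keys, which mirrors the other key types but has no corresponding EC mechanism; a short comment saying it is set only for parity with the RSA/DSA cases avoids a later "bug" report. The values placed after `signedattr = attrs;` (`CKA_EC_PARAMS`, `CKA_VALUE`, `CKA_EC_POINT`) are presumably post-processed as unsigned integers by code outside this hunk; since the first two of those are DER and a raw point rather than integers, a comment on why that is safe (or placing them before `signedattr`) would help.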
@@ -526,10 +628,25 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, } /* decode the private key and any algorithm parameters */ - rv = SEC_ASN1DecodeItem(arena, lpk, keyTemplate, &pki->privateKey); + rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey); if (rv != SECSuccess) { goto loser; } + +#ifndef NSS_DISABLE_ECC + if (lpk->keyType == ecKey) { + /* Convert length in bits to length in bytes. */ + lpk->u.ec.publicValue.len >>= 3; + + /* Always override curveOID, we're ignoring any given value. */ + rv = SECITEM_CopyItem(arena, &lpk->u.ec.curveOID, + &pki->algorithm.parameters); + if (rv != SECSuccess) { + goto loser; + } + } +#endif /* NSS_DISABLE_ECC */ + if (paramDest && paramTemplate) { rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate, &(pki->algorithm.parameters)); diff --git a/security/nss/lib/pk11wrap/pk11priv.h b/security/nss/lib/pk11wrap/pk11priv.h index 45a60b42a4..9281923fac 100644 --- a/security/nss/lib/pk11wrap/pk11priv.h +++ b/security/nss/lib/pk11wrap/pk11priv.h @@ -14,6 +14,7 @@ #include "seccomon.h" #include "pkcs7t.h" #include "cmsreclist.h" +#include "pkcs11uri.h" /* * These are the private NSS functions. They are not exported by nss.def, and 
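Review bot: `lpk->u.ec.publicValue.len >>= 3` silently discards any partial byte, so a BIT STRING whose length is not a multiple of 8 is truncated instead of rejected, and a 1-to-7-bit value becomes length 0 and is only caught later by the `publicValue.len == 0` check in `PK11_ImportAndReturnPrivateKey`. Rejecting it at the decode site keeps the check next to the conversion: `if (lpk->u.ec.publicValue.len & 7) { PORT_SetError(SEC_ERROR_BAD_DER); goto loser; }` before the shift. The switch to `SEC_QuickDERDecodeItem` makes the private-key decode strict DER, which is the right direction for key material; a one-line comment noting that the EC template is decoded here with the strict decoder while `paramDest` still uses `SEC_ASN1DecodeItem` would explain the asymmetry.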
@@ -39,12 +40,15 @@ int PK11_GetMaxKeyLength(CK_MECHANISM_TYPE type); * Generic Slot Management ************************************************************/ CK_OBJECT_HANDLE PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject); +PRBool pk11_MatchUriTokenInfo(PK11SlotInfo *slot, PK11URI *uri); SECStatus PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, CK_ATTRIBUTE_TYPE type, PLArenaPool *arena, SECItem *result); CK_ULONG PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, CK_ATTRIBUTE_TYPE type); char *PK11_MakeString(PLArenaPool *arena, char *space, char *staticSring, int stringLen); +PRBool pk11_MatchString(const char *string, + const char *staticString, int staticStringLen); int PK11_MapError(CK_RV error); CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot); void PK11_RestoreROSession(PK11SlotInfo *slot, CK_SESSION_HANDLE rwsession); @@ -106,6 +110,7 @@ CK_OBJECT_HANDLE PK11_FindObjectForCert(CERTCertificate *cert, void *wincx, PK11SlotInfo **pSlot); PK11SymKey *pk11_CopyToSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey); +unsigned int pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType); /********************************************************************** * Certs @@ -118,10 +123,10 @@ CK_OBJECT_HANDLE *PK11_FindObjectsFromNickname(char *nickname, void *wincx); CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE peer, CK_OBJECT_CLASS o_class); -CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot, - CK_OBJECT_HANDLE id, - CK_ATTRIBUTE_TYPE type, - PRBool haslock); +CK_BBOOL pk11_HasAttributeSet_Lock(PK11SlotInfo *slot, + CK_OBJECT_HANDLE id, + CK_ATTRIBUTE_TYPE type, + PRBool haslock); CK_RV PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot, CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count); int PK11_NumberCertsForCertSubject(CERTCertificate *cert); 
diff --git a/security/nss/lib/pk11wrap/pk11pub.h b/security/nss/lib/pk11wrap/pk11pub.h index e11af86ada..edfe82f5ae 100644 --- a/security/nss/lib/pk11wrap/pk11pub.h +++ b/security/nss/lib/pk11wrap/pk11pub.h @@ -76,6 +76,7 @@ PRBool PK11_IsReadOnly(PK11SlotInfo *slot); PRBool PK11_IsInternal(PK11SlotInfo *slot); PRBool PK11_IsInternalKeySlot(PK11SlotInfo *slot); char *PK11_GetTokenName(PK11SlotInfo *slot); +char *PK11_GetTokenURI(PK11SlotInfo *slot); char *PK11_GetSlotName(PK11SlotInfo *slot); PRBool PK11_NeedLogin(PK11SlotInfo *slot); PRBool PK11_IsFriendly(PK11SlotInfo *slot); @@ -135,6 +136,7 @@ PK11TokenStatus PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event, PRBool PK11_NeedPWInit(void); PRBool PK11_TokenExists(CK_MECHANISM_TYPE); SECStatus PK11_GetModInfo(SECMODModule *mod, CK_INFO *info); +char *PK11_GetModuleURI(SECMODModule *mod); PRBool PK11_IsFIPS(void); SECMODModule *PK11_GetModule(PK11SlotInfo *slot); @@ -642,6 +644,8 @@ SECStatus PK11_TraverseSlotCerts( SECStatus (*callback)(CERTCertificate *, SECItem *, void *), void *arg, void *wincx); CERTCertificate *PK11_FindCertFromNickname(const char *nickname, void *wincx); +CERTCertificate *PK11_FindCertFromURI(const char *uri, void *wincx); +CERTCertList *PK11_FindCertsFromURI(const char *uri, void *wincx); CERTCertList *PK11_FindCertsFromEmailAddress(const char *email, void *wincx); CERTCertList *PK11_FindCertsFromNickname(const char *nickname, void *wincx); CERTCertificate *PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey); 
@@ -686,6 +690,10 @@ CERTCertList *PK11_ListCerts(PK11CertListType type, void *pwarg); CERTCertList *PK11_ListCertsInSlot(PK11SlotInfo *slot); CERTSignedCrl *PK11_ImportCRL(PK11SlotInfo *slot, SECItem *derCRL, char *url, int type, void *wincx, PRInt32 importOptions, PLArenaPool *arena, PRInt32 decodeOptions); +CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot, + CK_OBJECT_HANDLE id, + CK_ATTRIBUTE_TYPE type, + PRBool haslock /* must be set to PR_FALSE */); /********************************************************************** * Sign/Verify diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c index e6301388e1..1ef53e1d76 100644 --- a/security/nss/lib/pk11wrap/pk11skey.c +++ b/security/nss/lib/pk11wrap/pk11skey.c @@ -18,6 +18,8 @@ #include "secerr.h" #include "hasht.h" +static ECPointEncoding pk11_ECGetPubkeyEncoding(const SECKEYPublicKey *pubKey); + static void pk11_EnterKeyMonitor(PK11SymKey *symKey) { @@ -2005,7 +2007,7 @@ PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, /* old PKCS #11 spec was ambiguous on what needed to be passed, * try this again with and encoded public key */ - if (crv != CKR_OK) { + if (crv != CKR_OK && pk11_ECGetPubkeyEncoding(pubKey) != ECPoint_XOnly) { SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, &pubKey->u.ec.publicValue, SEC_ASN1_GET(SEC_OctetStringTemplate)); @@ -2211,6 +2213,11 @@ pk11_PubDeriveECKeyWithKDF( /* old PKCS #11 spec was ambiguous on what needed to be passed, * try this again with an encoded public key */ if (crv != CKR_OK) { + /* For curves that only use X as public value and no encoding we don't + * have to try again. (Currently only Curve25519) */ + if (pk11_ECGetPubkeyEncoding(pubKey) == ECPoint_XOnly) { + goto loser; + } SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, &pubKey->u.ec.publicValue, SEC_ASN1_GET(SEC_OctetStringTemplate)); diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c index c66ae275ca..0a6ed6c087 100644 
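Review bot: In `pk11_PubDeriveECKeyWithKDF` (hunk `@@ -2211`), the new `goto loser` for X-only curves skips not only the retry with the encoded public value but also whatever follows the retry block, which in the original flow presumably maps `crv` to an NSS error; if `loser:` does not itself call `PORT_SetError(PK11_MapError(crv))`, add that line before the jump so the failed derive reports a meaningful error. The `PK11_PubDerive` hunk (`@@ -2005`) handles the same case by extending the condition instead, which keeps the error mapping in place; using that form here too would keep the two paths consistent. The enclosing function continues outside the hunk.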
--- a/security/nss/lib/pk11wrap/pk11slot.c +++ b/security/nss/lib/pk11wrap/pk11slot.c @@ -18,6 +18,7 @@ #include "dev3hack.h" #include "pkim.h" #include "utilpars.h" +#include "pkcs11uri.h" /************************************************************* * local static and global data @@ -409,6 +410,7 @@ PK11_NewSlotInfo(SECMODModule *mod) slot->slot_name[0] = 0; slot->token_name[0] = 0; PORT_Memset(slot->serial, ' ', sizeof(slot->serial)); + PORT_Memset(&slot->tokenInfo, 0, sizeof(slot->tokenInfo)); slot->module = NULL; slot->authTransact = 0; slot->authTime = LL_ZERO; @@ -1077,6 +1079,29 @@ PK11_MakeString(PLArenaPool *arena, char *space, } /* + * check if a null-terminated string matches with a PKCS11 Static Label + */ +PRBool +pk11_MatchString(const char *string, + const char *staticString, int staticStringLen) +{ + int i; + + for (i = (staticStringLen - 1); i >= 0; i--) { + if (staticString[i] != ' ') + break; + } + /* move i to point to the last space */ + i++; + + if (strlen(string) == i && memcmp(string, staticString, i) == 0) { + return PR_TRUE; + } + + return PR_FALSE; +} + +/* * Reads in the slots mechanism list for later use */ SECStatus @@ -1140,7 +1165,6 @@ PK11_ReadMechanismList(PK11SlotInfo *slot) SECStatus PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts) { - CK_TOKEN_INFO tokenInfo; CK_RV crv; SECStatus rv; PRStatus status; @@ -1148,7 +1172,7 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts) /* set the slot flags to the current token values */ if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, &tokenInfo); + crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, &slot->tokenInfo); if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { 
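Review bot: In `pk11_MatchString` (hunk `@@ -1077`), `strlen(string) == i` compares a `size_t` with an `int`, which warns under `-Wsign-compare` and is avoidable by narrowing once: `size_t len = (size_t)i; if (strlen(string) == len && memcmp(string, staticString, len) == 0)`. The comment `/* move i to point to the last space */` is misleading, since after `i++` the value is the length of the label with trailing padding removed; `/* i is now the length of the label without trailing space padding */` says what the code does. The function has no NULL guard on `string`; the callers shown in this commit check `PK11URI_GetPathAttribute` first, so a header comment stating that `string` must be non-NULL is enough.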
@@ -1159,13 +1183,13 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts) /* set the slot flags to the current token values */ slot->series++; /* allow other objects to detect that the * slot is different */ - slot->flags = tokenInfo.flags; - slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ? PR_TRUE : PR_FALSE); - slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ? PR_TRUE : PR_FALSE); + slot->flags = slot->tokenInfo.flags; + slot->needLogin = ((slot->tokenInfo.flags & CKF_LOGIN_REQUIRED) ? PR_TRUE : PR_FALSE); + slot->readOnly = ((slot->tokenInfo.flags & CKF_WRITE_PROTECTED) ? PR_TRUE : PR_FALSE); - slot->hasRandom = ((tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE); + slot->hasRandom = ((slot->tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE); slot->protectedAuthPath = - ((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) + ((slot->tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? PR_TRUE : PR_FALSE); slot->lastLoginCheck = 0; @@ -1176,15 +1200,15 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts) slot->protectedAuthPath = PR_FALSE; } (void)PK11_MakeString(NULL, slot->token_name, - (char *)tokenInfo.label, sizeof(tokenInfo.label)); - slot->minPassword = tokenInfo.ulMinPinLen; - slot->maxPassword = tokenInfo.ulMaxPinLen; - PORT_Memcpy(slot->serial, tokenInfo.serialNumber, sizeof(slot->serial)); + (char *)slot->tokenInfo.label, sizeof(slot->tokenInfo.label)); + slot->minPassword = slot->tokenInfo.ulMinPinLen; + slot->maxPassword = slot->tokenInfo.ulMaxPinLen; + PORT_Memcpy(slot->serial, slot->tokenInfo.serialNumber, sizeof(slot->serial)); nssToken_UpdateName(slot->nssToken); slot->defRWSession = (PRBool)((!slot->readOnly) && - (tokenInfo.ulMaxSessionCount == 1)); + (slot->tokenInfo.ulMaxSessionCount == 1)); rv = PK11_ReadMechanismList(slot); if (rv != SECSuccess) return rv; 
@@ -1193,13 +1217,13 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts) slot->RSAInfoFlags = 0; /* initialize the maxKeyCount value */ - if (tokenInfo.ulMaxSessionCount == 0) { + if (slot->tokenInfo.ulMaxSessionCount == 0) { slot->maxKeyCount = 800; /* should be #define or a config param */ - } else if (tokenInfo.ulMaxSessionCount < 20) { + } else if (slot->tokenInfo.ulMaxSessionCount < 20) { /* don't have enough sessions to keep that many keys around */ slot->maxKeyCount = 0; } else { - slot->maxKeyCount = tokenInfo.ulMaxSessionCount / 2; + slot->maxKeyCount = slot->tokenInfo.ulMaxSessionCount / 2; } /* Make sure our session handle is valid */ @@ -1331,13 +1355,12 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts) SECStatus PK11_TokenRefresh(PK11SlotInfo *slot) { - CK_TOKEN_INFO tokenInfo; CK_RV crv; /* set the slot flags to the current token values */ if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, &tokenInfo); + crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, &slot->tokenInfo); if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { 
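Review bot: `PK11_TokenRefresh` now has `C_GetTokenInfo` write directly into `slot->tokenInfo`, under the slot monitor only when `!slot->isThreadSafe`, while the new `PK11_GetTokenURI` and `pk11_MatchUriTokenInfo` (later hunks) read the same struct with no lock visible; if a refresh can run concurrently with those readers, they may observe a half-updated `CK_TOKEN_INFO`, and on `crv != CKR_OK` the stored copy may be left partially overwritten where the old stack local was simply discarded. Filling a local and publishing it only on success, `CK_TOKEN_INFO tokenInfo; crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, &tokenInfo);` followed by `slot->tokenInfo = tokenInfo;` after the `crv` check, narrows the window and keeps the failure path free of side effects; the same applies to `PK11_InitToken` in hunk `@@ -1148`. I cannot see the callers' locking, so treat this as something to confirm rather than a definite race.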
@@ -1345,12 +1368,12 @@ PK11_TokenRefresh(PK11SlotInfo *slot) return SECFailure; } - slot->flags = tokenInfo.flags; - slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ? PR_TRUE : PR_FALSE); - slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ? PR_TRUE : PR_FALSE); - slot->hasRandom = ((tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE); + slot->flags = slot->tokenInfo.flags; + slot->needLogin = ((slot->tokenInfo.flags & CKF_LOGIN_REQUIRED) ? PR_TRUE : PR_FALSE); + slot->readOnly = ((slot->tokenInfo.flags & CKF_WRITE_PROTECTED) ? PR_TRUE : PR_FALSE); + slot->hasRandom = ((slot->tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE); slot->protectedAuthPath = - ((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) + ((slot->tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? PR_TRUE : PR_FALSE); /* on some platforms Active Card incorrectly sets the 
@@ -1666,6 +1689,63 @@ PK11_GetTokenName(PK11SlotInfo *slot) } char * +PK11_GetTokenURI(PK11SlotInfo *slot) +{ + PK11URI *uri; + char *ret = NULL; + char label[32 + 1], manufacturer[32 + 1], serial[16 + 1], model[16 + 1]; + PK11URIAttribute attrs[4]; + size_t nattrs = 0; + + PK11_MakeString(NULL, label, (char *)slot->tokenInfo.label, + sizeof(slot->tokenInfo.label)); + if (*label != '\0') { + attrs[nattrs].name = PK11URI_PATTR_TOKEN; + attrs[nattrs].value = label; + nattrs++; + } + + PK11_MakeString(NULL, manufacturer, (char *)slot->tokenInfo.manufacturerID, + sizeof(slot->tokenInfo.manufacturerID)); + if (*manufacturer != '\0') { + attrs[nattrs].name = PK11URI_PATTR_MANUFACTURER; + attrs[nattrs].value = manufacturer; + nattrs++; + } + + PK11_MakeString(NULL, serial, (char *)slot->tokenInfo.serialNumber, + sizeof(slot->tokenInfo.serialNumber)); + if (*serial != '\0') { + attrs[nattrs].name = PK11URI_PATTR_SERIAL; + attrs[nattrs].value = serial; + nattrs++; + } + + PK11_MakeString(NULL, model, (char *)slot->tokenInfo.model, + sizeof(slot->tokenInfo.model)); + if (*model != '\0') { + attrs[nattrs].name = PK11URI_PATTR_MODEL; + attrs[nattrs].value = model; + nattrs++; + } + + uri = PK11URI_CreateURI(attrs, nattrs, NULL, 0); + if (uri == NULL) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return NULL; + } + + ret = PK11URI_FormatURI(NULL, uri); + PK11URI_DestroyURI(uri); + + if (ret == NULL) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + } + + return ret; +} + +char * PK11_GetSlotName(PK11SlotInfo *slot) { return slot->slot_name; 
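Review bot: The local buffers in `PK11_GetTokenURI` are sized with literals (`label[32 + 1]`, `serial[16 + 1]`, …) that must stay equal to the `CK_TOKEN_INFO` field widths passed to `PK11_MakeString`, whereas deriving them from the fields removes the coupling: `char label[sizeof(slot->tokenInfo.label) + 1];` and likewise for `manufacturer`, `serial` and `model`. The return value of `PK11_MakeString` is ignored on all four calls; since the output buffer is what is read next, a comment such as `/* NULL arena: result is written into the caller-provided buffer */` documents the assumption. `attrs[4]` matches the four optional attributes exactly, which is worth a comment so an added attribute is not appended past the array.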
@@ -1771,6 +1851,46 @@ PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info) return SECSuccess; } +PRBool +pk11_MatchUriTokenInfo(PK11SlotInfo *slot, PK11URI *uri) +{ + const char *value; + + value = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_TOKEN); + if (value) { + if (!pk11_MatchString(value, (char *)slot->tokenInfo.label, + sizeof(slot->tokenInfo.label))) { + return PR_FALSE; + } + } + + value = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_MANUFACTURER); + if (value) { + if (!pk11_MatchString(value, (char *)slot->tokenInfo.manufacturerID, + sizeof(slot->tokenInfo.manufacturerID))) { + return PR_FALSE; + } + } + + value = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_SERIAL); + if (value) { + if (!pk11_MatchString(value, (char *)slot->tokenInfo.serialNumber, + sizeof(slot->tokenInfo.serialNumber))) { + return PR_FALSE; + } + } + + value = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_MODEL); + if (value) { + if (!pk11_MatchString(value, (char *)slot->tokenInfo.model, + sizeof(slot->tokenInfo.model))) { + return PR_FALSE; + } + } + + return PR_TRUE; +} + /* Find out if we need to initialize the user's pin */ PRBool PK11_NeedUserInit(PK11SlotInfo *slot) @@ -2291,6 +2411,14 @@ PK11_GetMaxKeyLength(CK_MECHANISM_TYPE mechanism) } } } + + /* fallback to pk11_GetPredefinedKeyLength for fixed key size algorithms */ + if (keyLength == 0) { + CK_KEY_TYPE keyType; + keyType = PK11_GetKeyType(mechanism, 0); + keyLength = pk11_GetPredefinedKeyLength(keyType); + } + if (le) PK11_FreeSlotListElement(list, le); if (freeit) @@ -2356,7 +2484,11 @@ PK11_RandomUpdate(void *data, size_t bytes) if (!bestIsInternal) { /* do internal slot, too. */ - slot = PK11_GetInternalSlot(); /* can't fail */ + slot = PK11_GetInternalSlot(); + PORT_Assert(slot); + if (!slot) { + return SECFailure; + } status = PK11_SeedRandom(slot, data, bytes); PK11_FreeSlot(slot); } diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c index 9636b073c3..a962e9bb3d 100644 
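Review bot: pk11_MatchUriTokenInfo has no header comment, and its matching rule matters to callers: only the token, manufacturer, serial and model path attributes actually present in the URI are compared, so a URI carrying none of them matches every token, and NSSTrustDomain_FindTokensByURI in trustdomain.c inherits that behaviour. I would add `/* Compare the token/manufacturer/serial/model path attributes present in uri against slot->tokenInfo; attributes absent from the URI are unconstrained, so an attribute-less URI matches any token. Returns PR_TRUE on match. */`. The `(char *)` casts on the CK_UTF8CHAR fields could go if pk11_MatchString accepted the unsigned type, but its signature is outside this hunk.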
--- a/security/nss/lib/pk11wrap/pk11util.c +++ b/security/nss/lib/pk11wrap/pk11util.c @@ -14,6 +14,7 @@ #include "secerr.h" #include "dev.h" #include "utilpars.h" +#include "pkcs11uri.h" /* these are for displaying error messages */ @@ -590,6 +591,58 @@ PK11_GetModInfo(SECMODModule *mod, CK_INFO *info) return (crv == CKR_OK) ? SECSuccess : SECFailure; } +char * +PK11_GetModuleURI(SECMODModule *mod) +{ + CK_INFO info; + PK11URI *uri; + char *ret = NULL; + PK11URIAttribute attrs[3]; + size_t nattrs = 0; + char libraryManufacturer[32 + 1], libraryDescription[32 + 1], libraryVersion[8]; + + if (PK11_GetModInfo(mod, &info) == SECFailure) { + return NULL; + } + + PK11_MakeString(NULL, libraryManufacturer, (char *)info.manufacturerID, + sizeof(info.manufacturerID)); + if (*libraryManufacturer != '\0') { + attrs[nattrs].name = PK11URI_PATTR_LIBRARY_MANUFACTURER; + attrs[nattrs].value = libraryManufacturer; + nattrs++; + } + + PK11_MakeString(NULL, libraryDescription, (char *)info.libraryDescription, + sizeof(info.libraryDescription)); + if (*libraryDescription != '\0') { + attrs[nattrs].name = PK11URI_PATTR_LIBRARY_DESCRIPTION; + attrs[nattrs].value = libraryDescription; + nattrs++; + } + + PR_snprintf(libraryVersion, sizeof(libraryVersion), "%d.%d", + info.libraryVersion.major, info.libraryVersion.minor); + attrs[nattrs].name = PK11URI_PATTR_LIBRARY_VERSION; + attrs[nattrs].value = libraryVersion; + nattrs++; + + uri = PK11URI_CreateURI(attrs, nattrs, NULL, 0); + if (uri == NULL) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return NULL; + } + + ret = PK11URI_FormatURI(NULL, uri); + PK11URI_DestroyURI(uri); + if (ret == NULL) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return NULL; + } + + return ret; +} + /* Determine if we have the FIP's module loaded as the default * module to trigger other bogus FIPS requirements in PKCS #12 and * SSL diff --git a/security/nss/lib/pk11wrap/pk11wrap.gyp b/security/nss/lib/pk11wrap/pk11wrap.gyp index 2af27a0521..35fdacef9c 100644 
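Review bot: In PK11_GetModuleURI, `libraryVersion[8]` is sized exactly for the widest "%d.%d" that two CK_BYTE values can produce ("255.255" plus the terminator), but nothing says so and the PR_snprintf return value is not checked; a comment such as `/* "%d.%d" of two CK_BYTEs is at most "255.255" (7 chars + NUL) */` would stop a future widening of the format from silently truncating. `libraryManufacturer[32 + 1]` and `libraryDescription[32 + 1]` duplicate the CK_INFO field widths that the sizeof() arguments on the next lines already express; `char libraryManufacturer[sizeof(info.manufacturerID) + 1]` keeps them in step. A header comment should also state that the returned string is newly allocated and owned by the caller, and that the first failure path returns NULL with whatever error PK11_GetModInfo left in place.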
--- a/security/nss/lib/pk11wrap/pk11wrap.gyp +++ b/security/nss/lib/pk11wrap/pk11wrap.gyp @@ -7,35 +7,54 @@ ], 'targets': [ { - 'target_name': 'pk11wrap', + 'target_name': 'pk11wrap_static', 'type': 'static_library', - 'sources': [ - 'dev3hack.c', - 'pk11akey.c', - 'pk11auth.c', - 'pk11cert.c', - 'pk11cxt.c', - 'pk11err.c', - 'pk11kea.c', - 'pk11list.c', - 'pk11load.c', - 'pk11mech.c', - 'pk11merge.c', - 'pk11nobj.c', - 'pk11obj.c', - 'pk11pars.c', - 'pk11pbe.c', - 'pk11pk12.c', - 'pk11pqg.c', - 'pk11sdr.c', - 'pk11skey.c', - 'pk11slot.c', - 'pk11util.c' + 'defines': [ + 'NSS_TEST_BUILD', + ], + 'dependencies': [ + 'pk11wrap_base', + '<(DEPTH)/exports.gyp:nss_exports', + '<(DEPTH)/lib/softoken/softoken.gyp:softokn_static', ], + }, + { + 'target_name': 'pk11wrap', + 'type': 'static_library', 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports' - ] - } + 'pk11wrap_base', + '<(DEPTH)/exports.gyp:nss_exports', + ], + }, + { + 'target_name': 'pk11wrap_base', + 'type': 'none', + 'direct_dependent_settings': { + 'sources': [ + 'dev3hack.c', + 'pk11akey.c', + 'pk11auth.c', + 'pk11cert.c', + 'pk11cxt.c', + 'pk11err.c', + 'pk11kea.c', + 'pk11list.c', + 'pk11load.c', + 'pk11mech.c', + 'pk11merge.c', + 'pk11nobj.c', + 'pk11obj.c', + 'pk11pars.c', + 'pk11pbe.c', + 'pk11pk12.c', + 'pk11pqg.c', + 'pk11sdr.c', + 'pk11skey.c', + 'pk11slot.c', + 'pk11util.c' + ], + }, + }, ], 'target_defaults': { 'defines': [ @@ -48,4 +67,4 @@ 'variables': { 'module': 'nss' } -}
\ No newline at end of file +} diff --git a/security/nss/lib/pk11wrap/secmodti.h b/security/nss/lib/pk11wrap/secmodti.h index 5201655731..63c2079297 100644 --- a/security/nss/lib/pk11wrap/secmodti.h +++ b/security/nss/lib/pk11wrap/secmodti.h @@ -107,6 +107,8 @@ struct PK11SlotInfoStr { unsigned int lastState; /* for Stan */ NSSToken *nssToken; + /* the tokeninfo struct */ + CK_TOKEN_INFO tokenInfo; /* fast mechanism lookup */ char mechanismBits[256]; }; diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c index d0b647615b..57333ac371 100644 --- a/security/nss/lib/pkcs12/p12d.c +++ b/security/nss/lib/pkcs12/p12d.c @@ -177,6 +177,8 @@ sec_pkcs12_decoder_get_decrypt_key(void *arg, SECAlgorithmID *algid) SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg; PK11SlotInfo *slot; PK11SymKey *bulkKey; + SECItem pwitem = { 0 }; + SECOidTag algorithm; if (!p12dcx) { return NULL; @@ -189,8 +191,11 @@ sec_pkcs12_decoder_get_decrypt_key(void *arg, SECAlgorithmID *algid) slot = PK11_GetInternalKeySlot(); } - bulkKey = PK11_PBEKeyGen(slot, algid, p12dcx->pwitem, - PR_FALSE, p12dcx->wincx); + algorithm = SECOID_GetAlgorithmTag(algid); + if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, p12dcx->pwitem)) + return NULL; + + bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE, p12dcx->wincx); /* some tokens can't generate PBE keys on their own, generate the * key in the internal slot, and let the Import code deal with it, * (if the slot can't generate PBEs, then we need to use the internal @@ -198,8 +203,7 @@ sec_pkcs12_decoder_get_decrypt_key(void *arg, SECAlgorithmID *algid) if (!bulkKey && !PK11_IsInternal(slot)) { PK11_FreeSlot(slot); slot = PK11_GetInternalKeySlot(); - bulkKey = PK11_PBEKeyGen(slot, algid, p12dcx->pwitem, - PR_FALSE, p12dcx->wincx); + bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE, p12dcx->wincx); } PK11_FreeSlot(slot); 
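Review bot: The new early `return NULL;` after sec_pkcs12_decode_password fails in sec_pkcs12_decoder_get_decrypt_key leaks the slot reference taken just above it (`slot = PK11_GetInternalKeySlot();` in the else branch, and presumably a reference to p12dcx->slot in the other branch), because the matching `PK11_FreeSlot(slot);` only runs later in the function. Change it to `if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, p12dcx->pwitem)) { PK11_FreeSlot(slot); return NULL; }`. The function continues outside this hunk.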
@@ -208,6 +212,10 @@ sec_pkcs12_decoder_get_decrypt_key(void *arg, SECAlgorithmID *algid) PK11_SetSymKeyUserData(bulkKey, p12dcx->pwitem, NULL); } + if (pwitem.data) { + SECITEM_ZfreeItem(&pwitem, PR_FALSE); + } + return bulkKey; } @@ -1335,11 +1343,23 @@ sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx) case SEC_OID_MD2: integrityMech = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN; break; + case SEC_OID_SHA224: + integrityMech = CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN; + break; + case SEC_OID_SHA256: + integrityMech = CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN; + break; + case SEC_OID_SHA384: + integrityMech = CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN; + break; + case SEC_OID_SHA512: + integrityMech = CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN; + break; default: goto loser; } - symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL); + symKey = PK11_KeyGen(NULL, integrityMech, params, 0, NULL); PK11_DestroyPBEParams(params); params = NULL; if (!symKey) @@ -2440,13 +2460,25 @@ sec_pkcs12_add_key(sec_PKCS12SafeBag *key, SECKEYPublicKey *pubKey, nickName, publicValue, PR_TRUE, PR_TRUE, keyUsage, wincx); break; - case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: + case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: { + SECItem pwitem = { 0 }; + SECAlgorithmID *algid = + &key->safeBagContent.pkcs8ShroudedKeyBag->algorithm; + SECOidTag algorithm = SECOID_GetAlgorithmTag(algid); + + if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, + key->pwitem)) + return SECFailure; rv = PK11_ImportEncryptedPrivateKeyInfo(key->slot, key->safeBagContent.pkcs8ShroudedKeyBag, - key->pwitem, nickName, publicValue, + &pwitem, nickName, publicValue, PR_TRUE, PR_TRUE, keyType, keyUsage, wincx); + if (pwitem.data) { + SECITEM_ZfreeItem(&pwitem, PR_FALSE); + } break; + } default: key->error = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION; key->problem = PR_TRUE; diff --git a/security/nss/lib/pkcs12/p12e.c b/security/nss/lib/pkcs12/p12e.c index cce1ff7c09..4a21d8955d 100644 
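Review bot: In the new SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID block of sec_pkcs12_add_key, the `return SECFailure;` when sec_pkcs12_decode_password fails neither records the error on the bag nor sets a PORT error, whereas the sibling `default:` branch sets `key->error` and `key->problem = PR_TRUE` before returning, so callers inspecting the bag's error state would see a failure with no diagnosis. Consider `key->error = PORT_GetError(); key->problem = PR_TRUE;` before returning, or a comment explaining why this path is reported differently. The surrounding function starts and ends outside this hunk, so I cannot tell whether the early return also skips cleanup performed after the switch. The zeroizing `SECITEM_ZfreeItem(&pwitem, PR_FALSE)` after the import is the right treatment for the decoded password.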
--- a/security/nss/lib/pkcs12/p12e.c +++ b/security/nss/lib/pkcs12/p12e.c @@ -10,6 +10,7 @@ #include "seccomon.h" #include "secport.h" #include "cert.h" +#include "secpkcs5.h" #include "secpkcs7.h" #include "secasn1.h" #include "secerr.h" @@ -378,17 +379,25 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt, safeInfo->itemCount = 0; /* create the encrypted safe */ - safeInfo->cinfo = SEC_PKCS7CreateEncryptedData(privAlg, 0, p12ctxt->pwfn, - p12ctxt->pwfnarg); + if (!SEC_PKCS5IsAlgorithmPBEAlgTag(privAlg) && + PK11_AlgtagToMechanism(privAlg) == CKM_AES_CBC) { + safeInfo->cinfo = SEC_PKCS7CreateEncryptedDataWithPBEV2(SEC_OID_PKCS5_PBES2, + privAlg, + SEC_OID_UNKNOWN, + 0, + p12ctxt->pwfn, + p12ctxt->pwfnarg); + } else { + safeInfo->cinfo = SEC_PKCS7CreateEncryptedData(privAlg, 0, p12ctxt->pwfn, + p12ctxt->pwfnarg); + } if (!safeInfo->cinfo) { PORT_SetError(SEC_ERROR_NO_MEMORY); goto loser; } safeInfo->arena = p12ctxt->arena; - /* convert the password to unicode */ - if (!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem, - PR_TRUE, PR_TRUE, PR_TRUE)) { + if (!sec_pkcs12_encode_password(NULL, &uniPwitem, privAlg, pwitem)) { PORT_SetError(SEC_ERROR_NO_MEMORY); goto loser; } @@ -1203,8 +1212,8 @@ SEC_PKCS12AddKeyForCert(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *sa SECKEYEncryptedPrivateKeyInfo *epki = NULL; PK11SlotInfo *slot = NULL; - if (!sec_pkcs12_convert_item_to_unicode(p12ctxt->arena, &uniPwitem, - pwitem, PR_TRUE, PR_TRUE, PR_TRUE)) { + if (!sec_pkcs12_encode_password(p12ctxt->arena, &uniPwitem, algorithm, + pwitem)) { PORT_SetError(SEC_ERROR_NO_MEMORY); goto loser; } diff --git a/security/nss/lib/pkcs12/p12local.c b/security/nss/lib/pkcs12/p12local.c index d7f0d9e9af..a94c08be18 100644 --- a/security/nss/lib/pkcs12/p12local.c +++ b/security/nss/lib/pkcs12/p12local.c 
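Review bot: In SEC_PKCS12CreatePasswordPrivSafe the new PBES2 branch reports any failure of SEC_PKCS7CreateEncryptedDataWithPBEV2 as SEC_ERROR_NO_MEMORY through the shared `if (!safeInfo->cinfo)` check, which masks more specific causes such as an algorithm combination rejected by PK11_CreatePBEV2AlgorithmID; the same masking applies to the new sec_pkcs12_encode_password call below it. Setting SEC_ERROR_NO_MEMORY only when PORT_GetError() is still 0 would preserve the real error. The branch also passes `SEC_OID_UNKNOWN` as the PRF and `0` as keysize without saying what they select; a comment like `/* PRF and key size presumably fall back to PK11_CreatePBEV2AlgorithmID's defaults -- confirm */` would help, and it is worth noting that only `CKM_AES_CBC` ciphers are routed to PBES2 here, so any other non-PBE tag still goes through SEC_PKCS7CreateEncryptedData. The function body continues outside the hunk.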
@@ -949,6 +949,73 @@ sec_pkcs12_convert_item_to_unicode(PLArenaPool *arena, SECItem *dest, return PR_TRUE; } +PRBool +sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm) +{ + switch (algorithm) { + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: + /* those are actually PKCS #5 v1.5 PBEs, but we + * historically treat them in the same way as PKCS #12 + * PBEs */ + case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC: + case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC: + case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC: + return PR_TRUE; + default: + return PR_FALSE; + } +} + +/* this function decodes a password from Unicode if necessary, + * according to the PBE algorithm. + * + * we assume that the pwitem is already encoded in Unicode by the + * caller. if the encryption scheme is not the one defined in PKCS + * #12, decode the pwitem back into UTF-8. */ +PRBool +sec_pkcs12_decode_password(PLArenaPool *arena, + SECItem *result, + SECOidTag algorithm, + const SECItem *pwitem) +{ + if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm)) + return sec_pkcs12_convert_item_to_unicode(arena, result, + (SECItem *)pwitem, + PR_TRUE, PR_FALSE, PR_FALSE); + + return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess; +} + +/* this function encodes a password into Unicode if necessary, + * according to the PBE algorithm. + * + * we assume that the pwitem holds a raw password. 
if the encryption + * scheme is the one defined in PKCS #12, encode the password into + * BMPString. */ +PRBool +sec_pkcs12_encode_password(PLArenaPool *arena, + SECItem *result, + SECOidTag algorithm, + const SECItem *pwitem) +{ + if (sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm)) + return sec_pkcs12_convert_item_to_unicode(arena, result, + (SECItem *)pwitem, + PR_TRUE, PR_TRUE, PR_TRUE); + + return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess; +} + /* pkcs 12 templates */ static const SEC_ASN1TemplateChooserPtr sec_pkcs12_shroud_chooser = sec_pkcs12_choose_shroud_type; diff --git a/security/nss/lib/pkcs12/p12local.h b/security/nss/lib/pkcs12/p12local.h index f07122a28a..06a56d13b9 100644 --- a/security/nss/lib/pkcs12/p12local.h +++ b/security/nss/lib/pkcs12/p12local.h @@ -55,4 +55,15 @@ sec_PKCS12ConvertOldSafeToNew(PLArenaPool *arena, PK11SlotInfo *slot, void *wincx, SEC_PKCS12SafeContents *safe, SEC_PKCS12Baggage *baggage); +extern PRBool sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm); + +extern PRBool sec_pkcs12_decode_password(PLArenaPool *arena, + SECItem *result, + SECOidTag algorithm, + const SECItem *pwitem); +extern PRBool sec_pkcs12_encode_password(PLArenaPool *arena, + SECItem *result, + SECOidTag algorithm, + const SECItem *pwitem); + #endif diff --git a/security/nss/lib/pkcs12/p12plcy.c b/security/nss/lib/pkcs12/p12plcy.c index fef288c3ec..97970abc4d 100644 --- a/security/nss/lib/pkcs12/p12plcy.c +++ b/security/nss/lib/pkcs12/p12plcy.c 
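Review bot: sec_pkcs12_decode_password and sec_pkcs12_encode_password take `const SECItem *pwitem` but cast it away as `(SECItem *)pwitem` to call sec_pkcs12_convert_item_to_unicode; if that function really does not write through the pointer, say so in a comment at the cast, otherwise the const on the new parameter is misleading (convert_item_to_unicode's body is outside this hunk). The header comments should also state ownership of `result`: it is allocated from `arena`, or from the heap when arena is NULL, in which case the caller must release it — the decoder does so with SECITEM_ZfreeItem in p12d.c, which is the right treatment for a password buffer. sec_pkcs12_is_pkcs12_pbe_algorithm would benefit from a one-line header such as `/* PBE algorithms whose password is the BMPString encoding used by PKCS #12, as opposed to schemes that take the raw password; the two encode/decode helpers branch on this. */`.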
@@ -24,6 +24,9 @@ static pkcs12SuiteMap pkcs12SuiteMaps[] = { { SEC_OID_RC2_CBC, 128, PKCS12_RC2_CBC_128, PR_FALSE, PR_FALSE }, { SEC_OID_DES_CBC, 64, PKCS12_DES_56, PR_FALSE, PR_FALSE }, { SEC_OID_DES_EDE3_CBC, 192, PKCS12_DES_EDE3_168, PR_FALSE, PR_FALSE }, + { SEC_OID_AES_128_CBC, 128, PKCS12_AES_CBC_128, PR_FALSE, PR_FALSE }, + { SEC_OID_AES_192_CBC, 192, PKCS12_AES_CBC_192, PR_FALSE, PR_FALSE }, + { SEC_OID_AES_256_CBC, 256, PKCS12_AES_CBC_256, PR_FALSE, PR_FALSE }, { SEC_OID_UNKNOWN, 0, PKCS12_NULL, PR_FALSE, PR_FALSE }, { SEC_OID_UNKNOWN, 0, 0L, PR_FALSE, PR_FALSE } }; diff --git a/security/nss/lib/pkcs7/p7create.c b/security/nss/lib/pkcs7/p7create.c index fcf0cad5bb..96ada5c0f5 100644 --- a/security/nss/lib/pkcs7/p7create.c +++ b/security/nss/lib/pkcs7/p7create.c 
@@ -1245,3 +1245,56 @@ SEC_PKCS7CreateEncryptedData(SECOidTag algorithm, int keysize, return cinfo; } + +SEC_PKCS7ContentInfo * +SEC_PKCS7CreateEncryptedDataWithPBEV2(SECOidTag pbe_algorithm, + SECOidTag cipher_algorithm, + SECOidTag prf_algorithm, + int keysize, + SECKEYGetPasswordKey pwfn, void *pwfn_arg) +{ + SEC_PKCS7ContentInfo *cinfo; + SECAlgorithmID *algid; + SEC_PKCS7EncryptedData *enc_data; + SECStatus rv; + + PORT_Assert(SEC_PKCS5IsAlgorithmPBEAlgTag(pbe_algorithm)); + + cinfo = sec_pkcs7_create_content_info(SEC_OID_PKCS7_ENCRYPTED_DATA, + PR_FALSE, pwfn, pwfn_arg); + if (cinfo == NULL) + return NULL; + + enc_data = cinfo->content.encryptedData; + algid = &(enc_data->encContentInfo.contentEncAlg); + + SECAlgorithmID *pbe_algid; + pbe_algid = PK11_CreatePBEV2AlgorithmID(pbe_algorithm, + cipher_algorithm, + prf_algorithm, + keysize, + NSS_PBE_DEFAULT_ITERATION_COUNT, + NULL); + if (pbe_algid == NULL) { + rv = SECFailure; + } else { + rv = SECOID_CopyAlgorithmID(cinfo->poolp, algid, pbe_algid); + SECOID_DestroyAlgorithmID(pbe_algid, PR_TRUE); + } + + if (rv != SECSuccess) { + SEC_PKCS7DestroyContentInfo(cinfo); + return NULL; + } + + rv = sec_pkcs7_init_encrypted_content_info(&(enc_data->encContentInfo), + cinfo->poolp, + SEC_OID_PKCS7_DATA, PR_FALSE, + cipher_algorithm, keysize); + if (rv != SECSuccess) { + SEC_PKCS7DestroyContentInfo(cinfo); + return NULL; + } + + return cinfo; +} diff --git a/security/nss/lib/pkcs7/p7encode.c b/security/nss/lib/pkcs7/p7encode.c index bdbc343d33..af3da59187 100644 --- a/security/nss/lib/pkcs7/p7encode.c +++ b/security/nss/lib/pkcs7/p7encode.c @@ -510,7 +510,7 @@ sec_pkcs7_encoder_work_data(SEC_PKCS7EncoderContext *p7ecx, SECItem *dest, * No output is expected, but the input data may be buffered * so we still have to call Encrypt. */ - rv = sec_PKCS7Encrypt(p7ecx->encryptobj, NULL, NULL, 0, + rv = sec_PKCS7Encrypt(p7ecx->encryptobj, NULL, &outlen, 0, data, inlen, final); if (final) { len = 0; 
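Review bot: In SEC_PKCS7CreateEncryptedDataWithPBEV2 the only validation of `pbe_algorithm` is `PORT_Assert(SEC_PKCS5IsAlgorithmPBEAlgTag(pbe_algorithm))`, which compiles out in release builds, so a non-PBE tag relies on PK11_CreatePBEV2AlgorithmID rejecting it; a runtime guard `if (!SEC_PKCS5IsAlgorithmPBEAlgTag(pbe_algorithm)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; }` would make the header's "NULL and an error set" contract hold on its own. Style: `SECAlgorithmID *pbe_algid;` is declared after statements, while every other local in this function and in the neighbouring SEC_PKCS7CreateEncryptedData is declared at the top of the block; move it up with the others. When PK11_CreatePBEV2AlgorithmID returns NULL the code sets `rv = SECFailure` without setting an error itself, which is fine only if that callee always does — worth a comment.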
diff --git a/security/nss/lib/pkcs7/secpkcs7.h b/security/nss/lib/pkcs7/secpkcs7.h index d95c7d891b..78270bd150 100644 --- a/security/nss/lib/pkcs7/secpkcs7.h +++ b/security/nss/lib/pkcs7/secpkcs7.h @@ -287,6 +287,26 @@ SEC_PKCS7CreateEncryptedData(SECOidTag algorithm, int keysize, SECKEYGetPasswordKey pwfn, void *pwfn_arg); /* + * Create an empty PKCS7 encrypted content info. + * + * Similar to SEC_PKCS7CreateEncryptedData(), but this is capable of + * creating encrypted content for PKCS #5 v2 algorithms. + * + * "pbe_algorithm" specifies the PBE algorithm to use. + * "cipher_algorithm" specifies the bulk encryption algorithm to use. + * "prf_algorithm" specifies the PRF algorithm which pbe_algorithm uses. + * + * An error results in a return value of NULL and an error set. + * (Retrieve specific errors via PORT_GetError()/XP_GetError().) + */ +extern SEC_PKCS7ContentInfo * +SEC_PKCS7CreateEncryptedDataWithPBEV2(SECOidTag pbe_algorithm, + SECOidTag cipher_algorithm, + SECOidTag prf_algorithm, + int keysize, + SECKEYGetPasswordKey pwfn, void *pwfn_arg); + +/* * All of the following things return SECStatus to signal success or failure. * Failure should have a more specific error status available via * PORT_GetError()/XP_GetError(). diff --git a/security/nss/lib/pki/cryptocontext.c b/security/nss/lib/pki/cryptocontext.c index 074eb74359..0ec4f2f9b0 100644 --- a/security/nss/lib/pki/cryptocontext.c +++ b/security/nss/lib/pki/cryptocontext.c @@ -47,7 +47,10 @@ NSS_IMPLEMENT PRStatus NSSCryptoContext_Destroy(NSSCryptoContext *cc) { PRStatus status = PR_SUCCESS; - PORT_Assert(cc->certStore); + PORT_Assert(cc && cc->certStore); + if (!cc) { + return PR_FAILURE; + } if (cc->certStore) { status = nssCertificateStore_Destroy(cc->certStore); if (status == PR_FAILURE) { 
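Review bot: The new header comment for SEC_PKCS7CreateEncryptedDataWithPBEV2 documents pbe_algorithm, cipher_algorithm and prf_algorithm but not `keysize`, `pwfn` or `pwfn_arg`, and does not say whether SEC_OID_UNKNOWN is an acceptable prf_algorithm even though the p12e.c caller in this commit passes exactly that together with keysize 0. Add a line for each, e.g. `"keysize" is the bulk key length requested; 0 leaves the choice to the library.` — but confirm the unit and the meaning of 0 against PK11_CreatePBEV2AlgorithmID before writing it, and state what prf_algorithm == SEC_OID_UNKNOWN selects.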
@@ -93,8 +96,8 @@ NSSCryptoContext_FindOrImportCertificate( { NSSCertificate *rvCert = NULL; - PORT_Assert(cc->certStore); - if (!cc->certStore) { + PORT_Assert(cc && cc->certStore); + if (!cc || !cc->certStore) { nss_SetError(NSS_ERROR_INVALID_ARGUMENT); return rvCert; } @@ -146,8 +149,8 @@ nssCryptoContext_ImportTrust( NSSTrust *trust) { PRStatus nssrv; - PORT_Assert(cc->certStore); - if (!cc->certStore) { + PORT_Assert(cc && cc->certStore); + if (!cc || !cc->certStore) { return PR_FAILURE; } nssrv = nssCertificateStore_AddTrust(cc->certStore, trust); @@ -165,8 +168,8 @@ nssCryptoContext_ImportSMIMEProfile( nssSMIMEProfile *profile) { PRStatus nssrv; - PORT_Assert(cc->certStore); - if (!cc->certStore) { + PORT_Assert(cc && cc->certStore); + if (!cc || !cc->certStore) { return PR_FAILURE; } nssrv = nssCertificateStore_AddSMIMEProfile(cc->certStore, profile); @@ -189,8 +192,8 @@ NSSCryptoContext_FindBestCertificateByNickname( { NSSCertificate **certs; NSSCertificate *rvCert = NULL; - PORT_Assert(cc->certStore); - if (!cc->certStore) { + PORT_Assert(cc && cc->certStore); + if (!cc || !cc->certStore) { return NULL; } certs = nssCertificateStore_FindCertificatesByNickname(cc->certStore, @@ -215,8 +218,8 @@ NSSCryptoContext_FindCertificatesByNickname( NSSArena *arenaOpt) { NSSCertificate **rvCerts; - PORT_Assert(cc->certStore); - if (!cc->certStore) { + PORT_Assert(cc && cc->certStore); + if (!cc || !cc->certStore) { return NULL; } rvCerts = nssCertificateStore_FindCertificatesByNickname(cc->certStore, @@ -233,8 +236,8 @@ NSSCryptoContext_FindCertificateByIssuerAndSerialNumber( NSSDER *issuer, NSSDER *serialNumber) { - PORT_Assert(cc->certStore); - if (!cc->certStore) { + PORT_Assert(cc && cc->certStore); + if (!cc || !cc->certStore) { return NULL; } return nssCertificateStore_FindCertificateByIssuerAndSerialNumber( 
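Review bot: The widened guards `if (!cc || !cc->certStore)` in nssCryptoContext_ImportTrust, nssCryptoContext_ImportSMIMEProfile and the Find* functions return PR_FAILURE or NULL without setting an error, whereas NSSCryptoContext_FindOrImportCertificate's guard in the same file sets `nss_SetError(NSS_ERROR_INVALID_ARGUMENT)`, so a NULL context now fails silently in most entry points and diagnosably in one. For consistency add `nss_SetError(NSS_ERROR_INVALID_ARGUMENT);` inside each new guard; the same applies to the remaining cryptocontext.c hunks below and to NSSCryptoContext_Destroy above, which returns PR_FAILURE for a NULL cc. Note that `PORT_Assert(cc && cc->certStore)` still fires in debug builds before the runtime check, so the guard only changes release behaviour.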
@@ -253,8 +256,8 @@ NSSCryptoContext_FindBestCertificateBySubject( { NSSCertificate **certs; NSSCertificate *rvCert = NULL; - PORT_Assert(cc->certStore); - if (!cc->certStore) { + PORT_Assert(cc && cc->certStore); + if (!cc || !cc->certStore) { return NULL; } certs = nssCertificateStore_FindCertificatesBySubject(cc->certStore, @@ -279,8 +282,8 @@ nssCryptoContext_FindCertificatesBySubject( NSSArena *arenaOpt) { NSSCertificate **rvCerts; - PORT_Assert(cc->certStore); - if (!cc->certStore) { + PORT_Assert(cc && cc->certStore); + if (!cc || !cc->certStore) { return NULL; } rvCerts = nssCertificateStore_FindCertificatesBySubject(cc->certStore, @@ -333,8 +336,8 @@ NSSCryptoContext_FindCertificateByEncodedCertificate( NSSCryptoContext *cc, NSSBER *encodedCertificate) { - PORT_Assert(cc->certStore); - if (!cc->certStore) { + PORT_Assert(cc && cc->certStore); + if (!cc || !cc->certStore) { return NULL; } return nssCertificateStore_FindCertificateByEncodedCertificate( @@ -353,8 +356,8 @@ NSSCryptoContext_FindBestCertificateByEmail( NSSCertificate **certs; NSSCertificate *rvCert = NULL; - PORT_Assert(cc->certStore); - if (!cc->certStore) { + PORT_Assert(cc && cc->certStore); + if (!cc || !cc->certStore) { return NULL; } certs = nssCertificateStore_FindCertificatesByEmail(cc->certStore, @@ -379,8 +382,8 @@ NSSCryptoContext_FindCertificatesByEmail( NSSArena *arenaOpt) { NSSCertificate **rvCerts; - PORT_Assert(cc->certStore); - if (!cc->certStore) { + PORT_Assert(cc && cc->certStore); + if (!cc || !cc->certStore) { return NULL; } rvCerts = nssCertificateStore_FindCertificatesByEmail(cc->certStore, @@ -488,8 +491,8 @@ nssCryptoContext_FindTrustForCertificate( NSSCryptoContext *cc, NSSCertificate *cert) { - PORT_Assert(cc->certStore); - if (!cc->certStore) { + PORT_Assert(cc && cc->certStore); + if (!cc || !cc->certStore) { return NULL; } return nssCertificateStore_FindTrustForCertificate(cc->certStore, cert); 
@@ -500,8 +503,8 @@ nssCryptoContext_FindSMIMEProfileForCertificate( NSSCryptoContext *cc, NSSCertificate *cert) { - PORT_Assert(cc->certStore); - if (!cc->certStore) { + PORT_Assert(cc && cc->certStore); + if (!cc || !cc->certStore) { return NULL; } return nssCertificateStore_FindSMIMEProfileForCertificate(cc->certStore, diff --git a/security/nss/lib/pki/nsspki.h b/security/nss/lib/pki/nsspki.h index 28780c3757..0ecec08260 100644 --- a/security/nss/lib/pki/nsspki.h +++ b/security/nss/lib/pki/nsspki.h @@ -23,6 +23,8 @@ #include "base.h" #endif /* BASE_H */ +#include "pkcs11uri.h" + PR_BEGIN_EXTERN_C /* @@ -1302,6 +1304,16 @@ NSSTrustDomain_IsTokenEnabled( NSSError *whyOpt); /* + * NSSTrustDomain_FindTokensByURI + * + */ + +NSS_EXTERN NSSToken ** +NSSTrustDomain_FindTokensByURI( + NSSTrustDomain *td, + PK11URI *uri); + +/* * NSSTrustDomain_FindSlotByName * */ diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c index 0826b7f5ed..548853970b 100644 --- a/security/nss/lib/pki/pki3hack.c +++ b/security/nss/lib/pki/pki3hack.c @@ -831,8 +831,10 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced cc->dbhandle = c->object.trustDomain; /* subjectList ? */ /* istemp and isperm are supported in NSS 3.4 */ + CERT_LockCertTempPerm(cc); cc->istemp = PR_FALSE; /* CERT_NewTemp will override this */ cc->isperm = PR_TRUE; /* by default */ + CERT_UnlockCertTempPerm(cc); /* pointer back */ cc->nssCertificate = c; if (trust) { diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c index 49f7dc5ba0..151b888750 100644 --- a/security/nss/lib/pki/trustdomain.c +++ b/security/nss/lib/pki/trustdomain.c @@ -14,6 +14,7 @@ #include "pki3hack.h" #include "pk11pub.h" #include "nssrwlk.h" +#include "pk11priv.h" #define NSSTRUSTDOMAIN_DEFAULT_CACHE_SIZE 32 
@@ -234,6 +235,37 @@ NSSTrustDomain_FindSlotByName( return NULL; } +NSS_IMPLEMENT NSSToken ** +NSSTrustDomain_FindTokensByURI( + NSSTrustDomain *td, + PK11URI *uri) +{ + NSSToken *tok = NULL; + PK11SlotInfo *slotinfo; + NSSToken **tokens; + int count, i = 0; + + NSSRWLock_LockRead(td->tokensLock); + count = nssList_Count(td->tokenList); + tokens = nss_ZNEWARRAY(NULL, NSSToken *, count + 1); + if (!tokens) { + return NULL; + } + for (tok = (NSSToken *)nssListIterator_Start(td->tokens); + tok != (NSSToken *)NULL; + tok = (NSSToken *)nssListIterator_Next(td->tokens)) { + if (nssToken_IsPresent(tok)) { + slotinfo = tok->pk11slot; + if (pk11_MatchUriTokenInfo(slotinfo, uri)) + tokens[i++] = nssToken_AddRef(tok); + } + } + tokens[i] = NULL; + nssListIterator_Finish(td->tokens); + NSSRWLock_UnlockRead(td->tokensLock); + return tokens; +} + NSS_IMPLEMENT NSSToken * NSSTrustDomain_FindTokenByName( NSSTrustDomain *td, @@ -248,8 +280,10 @@ NSSTrustDomain_FindTokenByName( tok = (NSSToken *)nssListIterator_Next(td->tokens)) { if (nssToken_IsPresent(tok)) { myName = nssToken_GetName(tok); - if (nssUTF8_Equal(tokenName, myName, &nssrv)) + if (nssUTF8_Equal(tokenName, myName, &nssrv)) { + tok = nssToken_AddRef(tok); break; + } } } nssListIterator_Finish(td->tokens); diff --git a/security/nss/lib/softoken/fipstokn.c b/security/nss/lib/softoken/fipstokn.c index 12ff77cf88..fd4fd4207c 100644 --- a/security/nss/lib/softoken/fipstokn.c +++ b/security/nss/lib/softoken/fipstokn.c @@ -36,7 +36,7 @@ #ifdef LINUX #include <pthread.h> #include <dlfcn.h> -#define LIBAUDIT_NAME "libaudit.so.0" +#define LIBAUDIT_NAME "libaudit.so.1" #ifndef AUDIT_CRYPTO_TEST_USER #define AUDIT_CRYPTO_TEST_USER 2400 /* Crypto test results */ #define AUDIT_CRYPTO_PARAM_CHANGE_USER 2401 /* Crypto attribute change */ diff --git a/security/nss/lib/softoken/legacydb/dbmshim.c b/security/nss/lib/softoken/legacydb/dbmshim.c index ae498faea8..cca24bc6be 100644 --- a/security/nss/lib/softoken/legacydb/dbmshim.c 
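Review bot: NSSTrustDomain_FindTokensByURI returns NULL when `nss_ZNEWARRAY` fails while still holding the read lock taken by `NSSRWLock_LockRead(td->tokensLock)` two lines earlier, so an allocation failure leaves td->tokensLock read-locked. The guard should release it first: `if (!tokens) { NSSRWLock_UnlockRead(td->tokensLock); return NULL; }`. A header comment should also state the ownership of the result — a NULL-terminated array from nss_ZNEWARRAY whose entries were nssToken_AddRef'd, so the caller must release each token and free the array — and that only tokens for which nssToken_IsPresent holds are considered, as the loop body shows.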
+++ b/security/nss/lib/softoken/legacydb/dbmshim.c @@ -47,9 +47,6 @@ struct DBSStr { char *blobdir; int mode; PRBool readOnly; - PRFileMap *dbs_mapfile; - unsigned char *dbs_addr; - PRUint32 dbs_len; char staticBlobArea[BLOB_BUF_LEN]; }; @@ -244,43 +241,6 @@ loser: } /* - * we need to keep a address map in memory between calls to DBM. - * remember what we have mapped can close it when we get another dbm - * call. - * - * NOTE: Not all platforms support mapped files. This code is designed to - * detect this at runtime. If map files aren't supported the OS will indicate - * this by failing the PR_Memmap call. In this case we emulate mapped files - * by just reading in the file into regular memory. We signal this state by - * making dbs_mapfile NULL and dbs_addr non-NULL. - */ - -static void -dbs_freemap(DBS *dbsp) -{ - if (dbsp->dbs_mapfile) { - PR_MemUnmap(dbsp->dbs_addr, dbsp->dbs_len); - PR_CloseFileMap(dbsp->dbs_mapfile); - dbsp->dbs_mapfile = NULL; - dbsp->dbs_addr = NULL; - dbsp->dbs_len = 0; - } else if (dbsp->dbs_addr) { - PORT_Free(dbsp->dbs_addr); - dbsp->dbs_addr = NULL; - dbsp->dbs_len = 0; - } - return; -} - -static void -dbs_setmap(DBS *dbsp, PRFileMap *mapfile, unsigned char *addr, PRUint32 len) -{ - dbsp->dbs_mapfile = mapfile; - dbsp->dbs_addr = addr; - dbsp->dbs_len = len; -} - -/* * platforms that cannot map the file need to read it into a temp buffer. */ static unsigned char * @@ -317,7 +277,6 @@ dbs_readBlob(DBS *dbsp, DBT *data) { char *file = NULL; PRFileDesc *filed = NULL; - PRFileMap *mapfile = NULL; unsigned char *addr = NULL; int error; int len = -1; @@ -344,7 +303,6 @@ dbs_readBlob(DBS *dbsp, DBT *data) goto loser; } PR_Close(filed); - dbs_setmap(dbsp, mapfile, addr, len); data->data = addr; data->size = len; @@ -353,9 +311,6 @@ dbs_readBlob(DBS *dbsp, DBT *data) loser: /* preserve the error code */ error = PR_GetError(); - if (mapfile) { - PR_CloseFileMap(mapfile); - } if (filed) { PR_Close(filed); } 
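Review bot: With dbs_setmap removed, dbs_readBlob now stores the buffer it obtained into `data->data` with nothing in DBS remembering it, so the release that dbs_freemap used to perform at the next DBM call must now happen at whoever consumes the DBT (not visible here), or the buffer leaks once per blob read; the allocation itself is in dbs_EmulateMap, outside this hunk. Please add a comment on dbs_readBlob stating the new ownership, e.g. `/* data->data is a fresh buffer; the consumer of the DBT now owns it */` (adjusted to what the consumer actually does), and check the dbs_get/dbs_seq callers that receive blob data. The struct still carries `staticBlobArea[BLOB_BUF_LEN]`; if the blob path no longer uses it, it can go too.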
@@ -373,8 +328,6 @@ dbs_get(const DB *dbs, const DBT *key, DBT *data, unsigned int flags) DBS *dbsp = (DBS *)dbs; DB *db = (DB *)dbs->internal; - dbs_freemap(dbsp); - ret = (*db->get)(db, key, data, flags); if ((ret == 0) && dbs_IsBlob(data)) { ret = dbs_readBlob(dbsp, data); @@ -391,8 +344,6 @@ dbs_put(const DB *dbs, DBT *key, const DBT *data, unsigned int flags) DBS *dbsp = (DBS *)dbs; DB *db = (DB *)dbs->internal; - dbs_freemap(dbsp); - /* If the db is readonly, just pass the data down to rdb and let it fail */ if (!dbsp->readOnly) { DBT oldData; @@ -425,10 +376,6 @@ static int dbs_sync(const DB *dbs, unsigned int flags) { DB *db = (DB *)dbs->internal; - DBS *dbsp = (DBS *)dbs; - - dbs_freemap(dbsp); - return (*db->sync)(db, flags); } @@ -439,8 +386,6 @@ dbs_del(const DB *dbs, const DBT *key, unsigned int flags) DBS *dbsp = (DBS *)dbs; DB *db = (DB *)dbs->internal; - dbs_freemap(dbsp); - if (!dbsp->readOnly) { DBT oldData; ret = (*db->get)(db, key, &oldData, 0); @@ -459,8 +404,6 @@ dbs_seq(const DB *dbs, DBT *key, DBT *data, unsigned int flags) DBS *dbsp = (DBS *)dbs; DB *db = (DB *)dbs->internal; - dbs_freemap(dbsp); - ret = (*db->seq)(db, key, data, flags); if ((ret == 0) && dbs_IsBlob(data)) { /* don't return a blob read as an error so traversals keep going */ @@ -477,7 +420,6 @@ dbs_close(DB *dbs) DB *db = (DB *)dbs->internal; int ret; - dbs_freemap(dbsp); ret = (*db->close)(db); PORT_Free(dbsp->blobdir); PORT_Free(dbsp); @@ -568,9 +510,6 @@ dbsopen(const char *dbname, int flags, int mode, DBTYPE type, } dbsp->mode = mode; dbsp->readOnly = (PRBool)(flags == NO_RDONLY); - dbsp->dbs_mapfile = NULL; - dbsp->dbs_addr = NULL; - dbsp->dbs_len = 0; /* the real dbm call */ db = dbopen(dbname, flags, mode, type, &dbs_hashInfo); diff --git a/security/nss/lib/softoken/legacydb/legacydb.gyp b/security/nss/lib/softoken/legacydb/legacydb.gyp index 6431fb5c1e..34c0235bdd 100644 --- a/security/nss/lib/softoken/legacydb/legacydb.gyp 
+++ b/security/nss/lib/softoken/legacydb/legacydb.gyp @@ -57,7 +57,7 @@ 'defines': [ 'SHLIB_SUFFIX=\"<(dll_suffix)\"', 'SHLIB_PREFIX=\"<(dll_prefix)\"', - 'LG_LIB_NAME=\"libnssdbm3.so\"' + 'LG_LIB_NAME=\"<(dll_prefix)nssdbm3.<(dll_suffix)\"' ] }, 'variables': { diff --git a/security/nss/lib/softoken/legacydb/pcertdb.c b/security/nss/lib/softoken/legacydb/pcertdb.c index 65da51687c..f1444bf048 100644 --- a/security/nss/lib/softoken/legacydb/pcertdb.c +++ b/security/nss/lib/softoken/legacydb/pcertdb.c @@ -733,6 +733,12 @@ DecodeDBCertEntry(certDBEntryCert *entry, SECItem *dbentry) entry->derCert.len += lenoff; } + /* Is data long enough? */ + if (dbentry->len < headerlen + entry->derCert.len) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + goto loser; + } + /* copy the dercert */ entry->derCert.data = pkcs11_copyStaticData(&dbentry->data[headerlen], entry->derCert.len, entry->derCertSpace, sizeof(entry->derCertSpace)); @@ -743,6 +749,11 @@ DecodeDBCertEntry(certDBEntryCert *entry, SECItem *dbentry) /* copy the nickname */ if (nnlen > 1) { + /* Is data long enough? */ + if (dbentry->len < headerlen + entry->derCert.len + nnlen) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + goto loser; + } entry->nickname = (char *)pkcs11_copyStaticData( &dbentry->data[headerlen + entry->derCert.len], nnlen, (unsigned char *)entry->nicknameSpace, diff --git a/security/nss/lib/softoken/lowpbe.c b/security/nss/lib/softoken/lowpbe.c index b78302ed7a..0a47804bf1 100644 --- a/security/nss/lib/softoken/lowpbe.c +++ b/security/nss/lib/softoken/lowpbe.c @@ -408,7 +408,6 @@ loser: return result; } -#define HMAC_BUFFER 64 #define NSSPBE_ROUNDUP(x, y) ((((x) + ((y)-1)) / (y)) * (y)) #define NSSPBE_MIN(x, y) ((x) < (y) ? (x) : (y)) /* @@ -430,6 +429,7 @@ nsspkcs5_PKCS12PBE(const SECHashObject *hashObject, int iter; unsigned char *iterBuf; void *hash = NULL; + unsigned int bufferLength; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!arena) { 
@@ -439,8 +439,11 @@ nsspkcs5_PKCS12PBE(const SECHashObject *hashObject, /* how many hash object lengths are needed */ c = (bytesNeeded + (hashLength - 1)) / hashLength; + /* 64 if 0 < hashLength <= 32, 128 if 32 < hashLength <= 64 */ + bufferLength = NSSPBE_ROUNDUP(hashLength * 2, 64); + /* initialize our buffers */ - D.len = HMAC_BUFFER; + D.len = bufferLength; /* B and D are the same length, use one alloc go get both */ D.data = (unsigned char *)PORT_ArenaZAlloc(arena, D.len * 2); B.len = D.len; @@ -452,8 +455,8 @@ nsspkcs5_PKCS12PBE(const SECHashObject *hashObject, goto loser; } - SLen = NSSPBE_ROUNDUP(salt->len, HMAC_BUFFER); - PLen = NSSPBE_ROUNDUP(pwitem->len, HMAC_BUFFER); + SLen = NSSPBE_ROUNDUP(salt->len, bufferLength); + PLen = NSSPBE_ROUNDUP(pwitem->len, bufferLength); I.len = SLen + PLen; I.data = (unsigned char *)PORT_ArenaZAlloc(arena, I.len); if (I.data == NULL) { diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c index ee255cf212..a594fd501b 100644 --- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c @@ -480,6 +480,10 @@ static const struct mechanismList mechanisms[] = { { CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN, { 20, 20, CKF_GENERATE }, PR_TRUE }, { CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN, { 16, 16, CKF_GENERATE }, PR_TRUE }, { CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN, { 16, 16, CKF_GENERATE }, PR_TRUE }, + { CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, { 28, 28, CKF_GENERATE }, PR_TRUE }, + { CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, { 32, 32, CKF_GENERATE }, PR_TRUE }, + { CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, { 48, 48, CKF_GENERATE }, PR_TRUE }, + { CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, { 64, 64, CKF_GENERATE }, PR_TRUE }, /* ------------------ AES Key Wrap (also encrypt) ------------------- */ { CKM_NETSCAPE_AES_KEY_WRAP, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE }, { CKM_NETSCAPE_AES_KEY_WRAP_PAD, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE }, 
@@ -3145,9 +3149,11 @@ nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS) * this call doesn't force freebl to be reloaded. */ BL_SetForkState(PR_FALSE); +#ifndef NSS_TEST_BUILD /* unload freeBL shared library from memory. This may only decrement the * OS refcount if it's been loaded multiple times, eg. by libssl */ BL_Unload(); +#endif /* clean up the default OID table */ SECOID_Shutdown(); @@ -4757,7 +4763,7 @@ sftk_pruneSearch(CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount, static CK_RV sftk_searchTokenList(SFTKSlot *slot, SFTKSearchResults *search, CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount, - PRBool *tokenOnly, PRBool isLoggedIn) + PRBool isLoggedIn) { CK_RV crv = CKR_OK; CK_RV crv2; @@ -4792,7 +4798,6 @@ NSC_FindObjectsInit(CK_SESSION_HANDLE hSession, SFTKSearchResults *search = NULL, *freeSearch = NULL; SFTKSession *session = NULL; SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); - PRBool tokenOnly = PR_FALSE; CK_RV crv = CKR_OK; PRBool isLoggedIn; @@ -4823,18 +4828,15 @@ NSC_FindObjectsInit(CK_SESSION_HANDLE hSession, search->array_size = NSC_SEARCH_BLOCK_SIZE; isLoggedIn = (PRBool)((!slot->needLogin) || slot->isLoggedIn); - crv = sftk_searchTokenList(slot, search, pTemplate, ulCount, &tokenOnly, - isLoggedIn); + crv = sftk_searchTokenList(slot, search, pTemplate, ulCount, isLoggedIn); if (crv != CKR_OK) { goto loser; } /* build list of found objects in the session */ - if (!tokenOnly) { - crv = sftk_searchObjectList(search, slot->sessObjHashTable, - slot->sessObjHashSize, slot->objectLock, - pTemplate, ulCount, isLoggedIn); - } + crv = sftk_searchObjectList(search, slot->sessObjHashTable, + slot->sessObjHashSize, slot->objectLock, + pTemplate, ulCount, isLoggedIn); if (crv != CKR_OK) { goto loser; } diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c index 5c696115b2..0234aa4310 100644 --- a/security/nss/lib/softoken/pkcs11c.c +++ b/security/nss/lib/softoken/pkcs11c.c 
@@ -2639,6 +2639,11 @@ NSC_SignInit(CK_SESSION_HANDLE hSession, #define INIT_HMAC_MECH(mmm) \ case CKM_##mmm##_HMAC_GENERAL: \ + PORT_Assert(pMechanism->pParameter); \ + if (!pMechanism->pParameter) { \ + crv = CKR_MECHANISM_PARAM_INVALID; \ + break; \ + } \ crv = sftk_doHMACInit(context, HASH_Alg##mmm, key, \ *(CK_ULONG *)pMechanism->pParameter); \ break; \ @@ -2654,6 +2659,11 @@ NSC_SignInit(CK_SESSION_HANDLE hSession, INIT_HMAC_MECH(SHA512) case CKM_SHA_1_HMAC_GENERAL: + PORT_Assert(pMechanism->pParameter); + if (!pMechanism->pParameter) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } crv = sftk_doHMACInit(context, HASH_AlgSHA1, key, *(CK_ULONG *)pMechanism->pParameter); break; @@ -2662,10 +2672,20 @@ NSC_SignInit(CK_SESSION_HANDLE hSession, break; case CKM_SSL3_MD5_MAC: + PORT_Assert(pMechanism->pParameter); + if (!pMechanism->pParameter) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } crv = sftk_doSSLMACInit(context, SEC_OID_MD5, key, *(CK_ULONG *)pMechanism->pParameter); break; case CKM_SSL3_SHA1_MAC: + PORT_Assert(pMechanism->pParameter); + if (!pMechanism->pParameter) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } crv = sftk_doSSLMACInit(context, SEC_OID_SHA1, key, *(CK_ULONG *)pMechanism->pParameter); break; @@ -3314,6 +3334,11 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSession, INIT_HMAC_MECH(SHA512) case CKM_SHA_1_HMAC_GENERAL: + PORT_Assert(pMechanism->pParameter); + if (!pMechanism->pParameter) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } crv = sftk_doHMACInit(context, HASH_AlgSHA1, key, *(CK_ULONG *)pMechanism->pParameter); break; 
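Review bot: The guards added to INIT_HMAC_MECH and to the CKM_SHA_1_HMAC_GENERAL / CKM_SSL3_MD5_MAC / CKM_SSL3_SHA1_MAC cases reject a NULL `pParameter` but still read it as a `CK_ULONG` without checking `pMechanism->ulParameterLen`, so a caller that supplies a shorter parameter is read past its buffer; the NSC_VerifyInit hunks (`@@ -3314`, `@@ -3322`) repeat the pattern. Widening each condition covers both cases: `if (!pMechanism->pParameter || pMechanism->ulParameterLen < sizeof(CK_ULONG)) {`. The `PORT_Assert` preceding each check only helps debug builds; the runtime branch is what protects release builds, so it is the one worth making complete. The enclosing switch in NSC_SignInit starts and ends outside this hunk.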
@@ -3322,10 +3347,20 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSession, break; case CKM_SSL3_MD5_MAC: + PORT_Assert(pMechanism->pParameter); + if (!pMechanism->pParameter) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } crv = sftk_doSSLMACInit(context, SEC_OID_MD5, key, *(CK_ULONG *)pMechanism->pParameter); break; case CKM_SSL3_SHA1_MAC: + PORT_Assert(pMechanism->pParameter); + if (!pMechanism->pParameter) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } crv = sftk_doSSLMACInit(context, SEC_OID_SHA1, key, *(CK_ULONG *)pMechanism->pParameter); break; @@ -3971,6 +4006,22 @@ nsc_SetupHMACKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe) params->hashType = HASH_AlgMD2; params->keyLen = 16; break; + case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN: + params->hashType = HASH_AlgSHA224; + params->keyLen = 28; + break; + case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN: + params->hashType = HASH_AlgSHA256; + params->keyLen = 32; + break; + case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN: + params->hashType = HASH_AlgSHA384; + params->keyLen = 48; + break; + case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN: + params->hashType = HASH_AlgSHA512; + params->keyLen = 64; + break; default: PORT_FreeArena(arena, PR_TRUE); return CKR_MECHANISM_INVALID; @@ -4189,6 +4240,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSession, case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN: case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN: case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN: + case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN: + case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN: + case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN: + case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN: key_gen_type = nsc_pbe; key_type = CKK_GENERIC_SECRET; crv = nsc_SetupHMACKeyGen(pMechanism, &pbe_param); 
@@ -5571,6 +5626,7 @@ sftk_unwrapPrivateKey(SFTKObject *key, SECItem *bpki) switch (SECOID_GetAlgorithmTag(&pki->algorithm)) { case SEC_OID_PKCS1_RSA_ENCRYPTION: + case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: keyTemplate = nsslowkey_RSAPrivateKeyTemplate; paramTemplate = NULL; paramDest = NULL; @@ -7222,12 +7278,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession, pubKeyLen = EC_GetPointSize(&privKey->u.ec.ecParams); - /* if the len is too small, can't be a valid point */ - if (ecPoint.len < pubKeyLen) { - goto ec_loser; - } - /* if the len is too large, must be an encoded point (length is - * equal case just falls through */ + /* if the len is too large, might be an encoded point */ if (ecPoint.len > pubKeyLen) { SECItem newPoint; @@ -7247,14 +7298,6 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession, if (mechanism == CKM_ECDH1_COFACTOR_DERIVE) { withCofactor = PR_TRUE; - } else { - /* When not using cofactor derivation, one should - * validate the public key to avoid small subgroup - * attacks. - */ - if (EC_ValidatePublicKey(&privKey->u.ec.ecParams, &ecPoint) != SECSuccess) { - goto ec_loser; - } } rv = ECDH_Derive(&ecPoint, &privKey->u.ec.ecParams, &ecScalar, diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c index a5694ee382..c51211b6c8 100644 --- a/security/nss/lib/softoken/pkcs11u.c +++ b/security/nss/lib/softoken/pkcs11u.c @@ -1649,10 +1649,8 @@ sftk_searchObjectList(SFTKSearchResults *search, SFTKObject **head, SFTKObject *object; CK_RV crv = CKR_OK; + PZ_Lock(lock); for (i = 0; i < size; i++) { - /* We need to hold the lock to copy a consistant version of - * the linked list. */ - PZ_Lock(lock); for (object = head[i]; object != NULL; object = object->next) { if (sftk_objectMatch(object, theTemplate, count)) { /* don't return objects that aren't yet visible */ 
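Review bot: The two NSC_DeriveKey hunks (`@@ -7222` and `@@ -7247`) remove both the `ecPoint.len < pubKeyLen` rejection and the `EC_ValidatePublicKey` call on the non-cofactor ECDH path, and nothing in the diff replaces them; unless `ECDH_Derive` in freebl now validates the peer point itself (not visible here), this drops the small-subgroup protection the deleted comment describes. If the validation did move into ECDH_Derive, a comment at the call site should say so, e.g. `/* ECDH_Derive validates the peer point; no separate EC_ValidatePublicKey call is needed here. */`, so the next reader neither re-adds it nor assumes it is gone. The short-point case deserves the same confirmation, since a point shorter than `EC_GetPointSize` now reaches the derive code. NSC_DeriveKey starts and ends outside these hunks.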
@@ -1661,8 +1659,8 @@ sftk_searchObjectList(SFTKSearchResults *search, SFTKObject **head, sftk_addHandle(search, object->handle); } } - PZ_Unlock(lock); } + PZ_Unlock(lock); return crv; } diff --git a/security/nss/lib/softoken/sdb.c b/security/nss/lib/softoken/sdb.c index 0e321dd524..8690df34ca 100644 --- a/security/nss/lib/softoken/sdb.c +++ b/security/nss/lib/softoken/sdb.c @@ -674,8 +674,8 @@ struct SDBFindStr { sqlite3_stmt *findstmt; }; -static const char FIND_OBJECTS_CMD[] = "SELECT ALL * FROM %s WHERE %s;"; -static const char FIND_OBJECTS_ALL_CMD[] = "SELECT ALL * FROM %s;"; +static const char FIND_OBJECTS_CMD[] = "SELECT ALL id FROM %s WHERE %s;"; +static const char FIND_OBJECTS_ALL_CMD[] = "SELECT ALL id FROM %s;"; CK_RV sdb_FindObjectsInit(SDB *sdb, const CK_ATTRIBUTE *template, CK_ULONG count, SDBFind **find) diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h index cc46891a4c..fb2e5bda5f 100644 --- a/security/nss/lib/softoken/softkver.h +++ b/security/nss/lib/softoken/softkver.h @@ -21,10 +21,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define SOFTOKEN_VERSION "3.28.6" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.32.1" SOFTOKEN_ECC_STRING #define SOFTOKEN_VMAJOR 3 -#define SOFTOKEN_VMINOR 28 -#define SOFTOKEN_VPATCH 6 +#define SOFTOKEN_VMINOR 32 +#define SOFTOKEN_VPATCH 1 #define SOFTOKEN_VBUILD 0 #define SOFTOKEN_BETA PR_FALSE diff --git a/security/nss/lib/softoken/softoken.gyp b/security/nss/lib/softoken/softoken.gyp index 8d72e60c5e..ba917cfc85 100644 --- a/security/nss/lib/softoken/softoken.gyp +++ b/security/nss/lib/softoken/softoken.gyp 
@@ -7,35 +7,65 @@ ], 'targets': [ { - 'target_name': 'softokn', + 'target_name': 'softokn_static', 'type': 'static_library', - 'sources': [ - 'fipsaudt.c', - 'fipstest.c', - 'fipstokn.c', - 'jpakesftk.c', - 'lgglue.c', - 'lowkey.c', - 'lowpbe.c', - 'padbuf.c', - 'pkcs11.c', - 'pkcs11c.c', - 'pkcs11u.c', - 'sdb.c', - 'sftkdb.c', - 'sftkhmac.c', - 'sftkpars.c', - 'sftkpwd.c', - 'softkver.c', - 'tlsprf.c' + 'defines': [ + 'NSS_TEST_BUILD', + ], + 'dependencies': [ + 'softokn_base', + '<(DEPTH)/exports.gyp:nss_exports', + '<(DEPTH)/lib/freebl/freebl.gyp:freebl_static', + ], + 'conditions': [ + [ 'use_system_sqlite==1', { + 'dependencies': [ + '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3', + ], + }, { + 'dependencies': [ + '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite', + ], + }], ], + }, + { + 'target_name': 'softokn', + 'type': 'static_library', 'dependencies': [ + 'softokn_base', '<(DEPTH)/exports.gyp:nss_exports', '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3', '<(DEPTH)/lib/freebl/freebl.gyp:freebl', ] }, { + 'target_name': 'softokn_base', + 'type': 'none', + 'direct_dependent_settings': { + 'sources': [ + 'fipsaudt.c', + 'fipstest.c', + 'fipstokn.c', + 'jpakesftk.c', + 'lgglue.c', + 'lowkey.c', + 'lowpbe.c', + 'padbuf.c', + 'pkcs11.c', + 'pkcs11c.c', + 'pkcs11u.c', + 'sdb.c', + 'sftkdb.c', + 'sftkhmac.c', + 'sftkpars.c', + 'sftkpwd.c', + 'softkver.c', + 'tlsprf.c' + ], + }, + }, + { 'target_name': 'softokn3', 'type': 'shared_library', 'dependencies': [ @@ -61,7 +91,7 @@ 'defines': [ 'SHLIB_SUFFIX=\"<(dll_suffix)\"', 'SHLIB_PREFIX=\"<(dll_prefix)\"', - 'SOFTOKEN_LIB_NAME=\"libsoftokn3.so\"', + 'SOFTOKEN_LIB_NAME=\"<(dll_prefix)softokn3.<(dll_suffix)\"', 'SHLIB_VERSION=\"3\"' ] }, diff --git a/security/nss/lib/softoken/softoken.h b/security/nss/lib/softoken/softoken.h index 0e943d3cbc..4626e78497 100644 --- a/security/nss/lib/softoken/softoken.h +++ b/security/nss/lib/softoken/softoken.h 
@@ -183,7 +183,7 @@ extern PRBool sftk_fatalError; #define CHECK_FORK_MIXED -#elif defined(LINUX) +#elif defined(LINUX) || defined(__GLIBC__) || defined(FREEBSD) || defined(OPENBSD) #define CHECK_FORK_PTHREAD diff --git a/security/nss/lib/ssl/SSLerrs.h b/security/nss/lib/ssl/SSLerrs.h index b0319b86cb..b73fb6bd04 100644 --- a/security/nss/lib/ssl/SSLerrs.h +++ b/security/nss/lib/ssl/SSLerrs.h @@ -504,4 +504,10 @@ ER3(SSL_ERROR_MALFORMED_PSK_KEY_EXCHANGE_MODES, (SSL_ERROR_BASE + 158), "SSL received a malformed PSK key exchange modes extension.") ER3(SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES, (SSL_ERROR_BASE + 159), - "SSL expected a missing PSK key exchange modes extension.") + "SSL expected a PSK key exchange modes extension.") + +ER3(SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA, (SSL_ERROR_BASE + 160), + "SSL got a pre-TLS 1.3 version even though we sent early data.") + +ER3(SSL_ERROR_TOO_MUCH_EARLY_DATA, (SSL_ERROR_BASE + 161), + "SSL received more early data than permitted.") diff --git a/security/nss/lib/ssl/config.mk b/security/nss/lib/ssl/config.mk index 339cc80dfe..c8b053cabb 100644 --- a/security/nss/lib/ssl/config.mk +++ b/security/nss/lib/ssl/config.mk @@ -62,10 +62,6 @@ DEFINES += -DNSS_SSL_ENABLE_ZLIB include $(CORE_DEPTH)/coreconf/zlib.mk endif -ifndef NSS_ENABLE_TLS_1_3 -NSS_DISABLE_TLS_1_3=1 -endif - ifdef NSS_DISABLE_TLS_1_3 DEFINES += -DNSS_DISABLE_TLS_1_3 endif diff --git a/security/nss/lib/ssl/dtlscon.c b/security/nss/lib/ssl/dtlscon.c index 09ceeac23c..fbd1779dbb 100644 --- a/security/nss/lib/ssl/dtlscon.c +++ b/security/nss/lib/ssl/dtlscon.c 
@@ -235,6 +235,26 @@ dtls_RetransmitDetected(sslSocket *ss) return rv; } +static SECStatus +dtls_HandleHandshakeMessage(sslSocket *ss, PRUint8 *data, PRBool last) +{ + + /* At this point we are advancing our state machine, so we can free our last + * flight of messages. */ + dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight); + ss->ssl3.hs.recvdHighWater = -1; + + /* Reset the timer to the initial value if the retry counter + * is 0, per Sec. 4.2.4.1 */ + dtls_CancelTimer(ss); + if (ss->ssl3.hs.rtRetries == 0) { + ss->ssl3.hs.rtTimeoutMs = DTLS_RETRANSMIT_INITIAL_MS; + } + + return ssl3_HandleHandshakeMessage(ss, data, ss->ssl3.hs.msg_len, + last); +} + /* Called only from ssl3_HandleRecord, for each (deciphered) DTLS record. * origBuf is the decrypted ssl record content and is expected to contain * complete handshake records @@ -329,23 +349,10 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) ss->ssl3.hs.msg_type = (SSL3HandshakeType)type; ss->ssl3.hs.msg_len = message_length; - /* At this point we are advancing our state machine, so - * we can free our last flight of messages */ - dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight); - ss->ssl3.hs.recvdHighWater = -1; - dtls_CancelTimer(ss); - - /* Reset the timer to the initial value if the retry counter - * is 0, per Sec. 4.2.4.1 */ - if (ss->ssl3.hs.rtRetries == 0) { - ss->ssl3.hs.rtTimeoutMs = DTLS_RETRANSMIT_INITIAL_MS; - } - - rv = ssl3_HandleHandshakeMessage(ss, buf.buf, ss->ssl3.hs.msg_len, + rv = dtls_HandleHandshakeMessage(ss, buf.buf, buf.len == fragment_length); if (rv == SECFailure) { - /* Do not attempt to process rest of messages in this record */ - break; + break; /* Discard the remainder of the record. */ } } else { if (message_seq < ss->ssl3.hs.recvMessageSeq) { 
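Review bot: The new dtls_HandleHandshakeMessage helper frees `lastMessageFlight` and cancels the retransmit timer before dispatching to ssl3_HandleHandshakeMessage, which changes the order in the reassembly path it replaces in the `@@ -446` hunk: there the old code only did that cleanup after the message was handled successfully, so a reassembled message that is rejected has now already discarded the previous flight and its timer. This matches what the single-fragment path already did and may be intended, but the helper should state it, e.g. `/* Cleanup is unconditional: the last flight and timer are gone even if the message is then rejected. */`. Minor style: the helper body opens with an empty line after `{`. The enclosing dtls_HandleHandshake loop starts and ends outside the hunks.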
@@ -446,24 +453,11 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) /* If we have all the bytes, then we are good to go */ if (ss->ssl3.hs.recvdHighWater == ss->ssl3.hs.msg_len) { - ss->ssl3.hs.recvdHighWater = -1; + rv = dtls_HandleHandshakeMessage(ss, ss->ssl3.hs.msg_body.buf, + buf.len == fragment_length); - rv = ssl3_HandleHandshakeMessage( - ss, - ss->ssl3.hs.msg_body.buf, ss->ssl3.hs.msg_len, - buf.len == fragment_length); - if (rv == SECFailure) - break; /* Skip rest of record */ - - /* At this point we are advancing our state machine, so - * we can free our last flight of messages */ - dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight); - dtls_CancelTimer(ss); - - /* If there have been no retries this time, reset the - * timer value to the default per Section 4.2.4.1 */ - if (ss->ssl3.hs.rtRetries == 0) { - ss->ssl3.hs.rtTimeoutMs = DTLS_RETRANSMIT_INITIAL_MS; + if (rv == SECFailure) { + break; /* Discard the rest of the record. */ } } } @@ -488,7 +482,7 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) */ SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type, - const SSL3Opaque *pIn, PRInt32 nIn) + const PRUint8 *pIn, PRInt32 nIn) { SECStatus rv = SECSuccess; DTLSQueuedMessage *msg = NULL; @@ -947,7 +941,7 @@ dtls_SetMTU(sslSocket *ss, PRUint16 advertised) * Caller must hold Handshake and RecvBuf locks. */ SECStatus -dtls_HandleHelloVerifyRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +dtls_HandleHelloVerifyRequest(sslSocket *ss, PRUint8 *b, PRUint32 length) { int errCode = SSL_ERROR_RX_MALFORMED_HELLO_VERIFY_REQUEST; SECStatus rv; diff --git a/security/nss/lib/ssl/manifest.mn b/security/nss/lib/ssl/manifest.mn index e7564edb2b..fbb88baffa 100644 --- a/security/nss/lib/ssl/manifest.mn +++ b/security/nss/lib/ssl/manifest.mn @@ -25,6 +25,7 @@ CSRCS = \ sslauth.c \ sslcon.c \ ssldef.c \ + ssl3encode.c \ sslenum.c \ sslerr.c \ sslerrstrs.c \ 
@@ -41,6 +42,7 @@ CSRCS = \ sslver.c \ authcert.c \ cmpcert.c \ + selfencrypt.c \ sslinfo.c \ ssl3ecc.c \ tls13con.c \ diff --git a/security/nss/lib/ssl/selfencrypt.c b/security/nss/lib/ssl/selfencrypt.c new file mode 100644 index 0000000000..6d6e25cfc6 --- /dev/null +++ b/security/nss/lib/ssl/selfencrypt.c 
@@ -0,0 +1,314 @@ +/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ +/* + * This file is PRIVATE to SSL. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nss.h" +#include "blapit.h" +#include "pk11func.h" +#include "ssl.h" +#include "sslt.h" +#include "ssl3encode.h" +#include "sslimpl.h" +#include "selfencrypt.h" + +static SECStatus +ssl_MacBuffer(PK11SymKey *key, CK_MECHANISM_TYPE mech, + const unsigned char *in, unsigned int len, + unsigned char *mac, unsigned int *macLen, unsigned int maxMacLen) +{ + PK11Context *ctx; + SECItem macParam = { 0, NULL, 0 }; + unsigned int computedLen; + SECStatus rv; + + ctx = PK11_CreateContextBySymKey(mech, CKA_SIGN, key, &macParam); + if (!ctx) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + + rv = PK11_DigestBegin(ctx); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + goto loser; + } + + rv = PK11_DigestOp(ctx, in, len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + goto loser; + } + + rv = PK11_DigestFinal(ctx, mac, &computedLen, maxMacLen); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + goto loser; + } + + *macLen = maxMacLen; + PK11_DestroyContext(ctx, PR_TRUE); + return SECSuccess; + +loser: + PK11_DestroyContext(ctx, PR_TRUE); + return SECFailure; +} + +#ifdef UNSAFE_FUZZER_MODE +SECStatus +ssl_SelfEncryptProtectInt( + PK11SymKey *encKey, PK11SymKey *macKey, + const unsigned char *keyName, + const PRUint8 *in, unsigned int inLen, + PRUint8 *out, unsigned int *outLen, unsigned int maxOutLen) +{ + if (inLen > maxOutLen) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + PORT_Memcpy(out, in, inLen); + *outLen = inLen; + + return 0; +} + +SECStatus +ssl_SelfEncryptUnprotectInt( + PK11SymKey *encKey, 
PK11SymKey *macKey, const unsigned char *keyName, + const PRUint8 *in, unsigned int inLen, + PRUint8 *out, unsigned int *outLen, unsigned int maxOutLen) +{ + if (inLen > maxOutLen) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + PORT_Memcpy(out, in, inLen); + *outLen = inLen; + + return 0; +} + +#else +/* + * Structure is. + * + * struct { + * opaque keyName[16]; + * opaque iv[16]; + * opaque ciphertext<16..2^16-1>; + * opaque mac[32]; + * } SelfEncrypted; + * + * We are using AES-CBC + HMAC-SHA256 in Encrypt-then-MAC mode for + * two reasons: + * + * 1. It's what we already used for tickets. + * 2. We don't have to worry about nonce collisions as much + * (the chance is lower because we have a random 128-bit nonce + * and they are less serious than with AES-GCM). + */ +SECStatus +ssl_SelfEncryptProtectInt( + PK11SymKey *encKey, PK11SymKey *macKey, + const unsigned char *keyName, + const PRUint8 *in, unsigned int inLen, + PRUint8 *out, unsigned int *outLen, unsigned int maxOutLen) +{ + unsigned int len; + unsigned char iv[AES_BLOCK_SIZE]; + SECItem ivItem = { siBuffer, iv, sizeof(iv) }; + unsigned char mac[SHA256_LENGTH]; /* SHA-256 */ + unsigned int macLen; + SECItem outItem = { siBuffer, out, maxOutLen }; + SECItem lengthBytesItem; + SECStatus rv; + + /* Generate a random IV */ + rv = PK11_GenerateRandom(iv, sizeof(iv)); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + + /* Add header. */ + rv = ssl3_AppendToItem(&outItem, keyName, SELF_ENCRYPT_KEY_NAME_LEN); + if (rv != SECSuccess) { + return SECFailure; + } + rv = ssl3_AppendToItem(&outItem, iv, sizeof(iv)); + if (rv != SECSuccess) { + return SECFailure; + } + + /* Skip forward by two so we can encode the ciphertext in place. 
*/ + lengthBytesItem = outItem; + rv = ssl3_AppendNumberToItem(&outItem, 0, 2); + if (rv != SECSuccess) { + return SECFailure; + } + + rv = PK11_Encrypt(encKey, CKM_AES_CBC_PAD, &ivItem, + outItem.data, &len, outItem.len, in, inLen); + if (rv != SECSuccess) { + return SECFailure; + } + + outItem.data += len; + outItem.len -= len; + + /* Now encode the ciphertext length. */ + rv = ssl3_AppendNumberToItem(&lengthBytesItem, len, 2); + if (rv != SECSuccess) { + return SECFailure; + } + + /* MAC the entire output buffer and append the MAC to the end. */ + rv = ssl_MacBuffer(macKey, CKM_SHA256_HMAC, + out, outItem.data - out, + mac, &macLen, sizeof(mac)); + if (rv != SECSuccess) { + return SECFailure; + } + PORT_Assert(macLen == sizeof(mac)); + + rv = ssl3_AppendToItem(&outItem, mac, macLen); + if (rv != SECSuccess) { + return SECFailure; + } + + *outLen = outItem.data - out; + return SECSuccess; +} + +SECStatus +ssl_SelfEncryptUnprotectInt( + PK11SymKey *encKey, PK11SymKey *macKey, const unsigned char *keyName, + const PRUint8 *in, unsigned int inLen, + PRUint8 *out, unsigned int *outLen, unsigned int maxOutLen) +{ + unsigned char *encodedKeyName; + unsigned char *iv; + SECItem ivItem = { siBuffer, NULL, 0 }; + SECItem inItem = { siBuffer, (unsigned char *)in, inLen }; + unsigned char *cipherText; + PRUint32 cipherTextLen; + unsigned char *encodedMac; + unsigned char computedMac[SHA256_LENGTH]; + unsigned int computedMacLen; + unsigned int bytesToMac; + SECStatus rv; + + rv = ssl3_ConsumeFromItem(&inItem, &encodedKeyName, + SELF_ENCRYPT_KEY_NAME_LEN); + if (rv != SECSuccess) { + return SECFailure; + } + + rv = ssl3_ConsumeFromItem(&inItem, &iv, AES_BLOCK_SIZE); + if (rv != SECSuccess) { + return SECFailure; + } + + rv = ssl3_ConsumeNumberFromItem(&inItem, &cipherTextLen, 2); + if (rv != SECSuccess) { + return SECFailure; + } + + rv = ssl3_ConsumeFromItem(&inItem, &cipherText, cipherTextLen); + if (rv != SECSuccess) { + return SECFailure; + } + bytesToMac = inItem.data - 
in; + + rv = ssl3_ConsumeFromItem(&inItem, &encodedMac, SHA256_LENGTH); + if (rv != SECSuccess) { + return SECFailure; + } + + /* Make sure we're at the end of the block. */ + if (inItem.len) { + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + + /* Now that everything is decoded, we can make progress. */ + /* 1. Check that we have the right key. */ + if (PORT_Memcmp(keyName, encodedKeyName, SELF_ENCRYPT_KEY_NAME_LEN)) { + PORT_SetError(SEC_ERROR_NOT_A_RECIPIENT); + return SECFailure; + } + + /* 2. Check the MAC */ + rv = ssl_MacBuffer(macKey, CKM_SHA256_HMAC, in, bytesToMac, + computedMac, &computedMacLen, sizeof(computedMac)); + if (rv != SECSuccess) { + return SECFailure; + } + PORT_Assert(computedMacLen == SHA256_LENGTH); + if (NSS_SecureMemcmp(computedMac, encodedMac, computedMacLen) != 0) { + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + + /* 3. OK, it verifies, now decrypt. */ + ivItem.data = iv; + ivItem.len = AES_BLOCK_SIZE; + rv = PK11_Decrypt(encKey, CKM_AES_CBC_PAD, &ivItem, + out, outLen, maxOutLen, cipherText, cipherTextLen); + if (rv != SECSuccess) { + return SECFailure; + } + + return SECSuccess; +} +#endif + +SECStatus +ssl_SelfEncryptProtect( + sslSocket *ss, const PRUint8 *in, unsigned int inLen, + PRUint8 *out, unsigned int *outLen, unsigned int maxOutLen) +{ + PRUint8 keyName[SELF_ENCRYPT_KEY_NAME_LEN]; + PK11SymKey *encKey; + PK11SymKey *macKey; + SECStatus rv; + + /* Get session ticket keys. 
*/ + rv = ssl_GetSelfEncryptKeys(ss, keyName, &encKey, &macKey); + if (rv != SECSuccess) { + SSL_DBG(("%d: SSL[%d]: Unable to get/generate self-encrypt keys.", + SSL_GETPID(), ss->fd)); + return SECFailure; + } + + return ssl_SelfEncryptProtectInt(encKey, macKey, keyName, + in, inLen, out, outLen, maxOutLen); +} + +SECStatus +ssl_SelfEncryptUnprotect( + sslSocket *ss, const PRUint8 *in, unsigned int inLen, + PRUint8 *out, unsigned int *outLen, unsigned int maxOutLen) +{ + PRUint8 keyName[SELF_ENCRYPT_KEY_NAME_LEN]; + PK11SymKey *encKey; + PK11SymKey *macKey; + SECStatus rv; + + /* Get session ticket keys. */ + rv = ssl_GetSelfEncryptKeys(ss, keyName, &encKey, &macKey); + if (rv != SECSuccess) { + SSL_DBG(("%d: SSL[%d]: Unable to get/generate self-encrypt keys.", + SSL_GETPID(), ss->fd)); + return SECFailure; + } + + return ssl_SelfEncryptUnprotectInt(encKey, macKey, keyName, + in, inLen, out, outLen, maxOutLen); +} diff --git a/security/nss/lib/ssl/selfencrypt.h b/security/nss/lib/ssl/selfencrypt.h new file mode 100644 index 0000000000..5bc8e4348a --- /dev/null +++ b/security/nss/lib/ssl/selfencrypt.h 
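Review bot: ssl_MacBuffer stores `*macLen = maxMacLen;` instead of the length PK11_DigestFinal actually produced, so `computedLen` is computed and then ignored; the callers only notice through `PORT_Assert(macLen == sizeof(mac))`, which is compiled out of release builds. Use the real value: `*macLen = computedLen;`. In ssl_SelfEncryptProtectInt the ciphertext length is encoded with `ssl3_AppendNumberToItem(&lengthBytesItem, len, 2)`; if that helper does not itself reject values above 0xffff (not visible here), an input near 64 KiB yields a blob whose length field no longer matches what ssl_SelfEncryptUnprotectInt reads back, so an explicit `if (len > 0xffff)` failure before the encode would make the limit visible. The two UNSAFE_FUZZER_MODE stubs end with `return 0;` where every other path in the file uses `return SECSuccess;`.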
@@ -0,0 +1,31 @@ +/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ +/* + * This file is PRIVATE to SSL. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef __selfencrypt_h_ +#define __selfencrypt_h_ + +#include "secmodt.h" + +SECStatus ssl_SelfEncryptProtect( + sslSocket *ss, const PRUint8 *in, unsigned int inLen, + PRUint8 *out, unsigned int *outLen, unsigned int maxOutLen); +SECStatus ssl_SelfEncryptUnprotect( + sslSocket *ss, const PRUint8 *in, unsigned int inLen, + PRUint8 *out, unsigned int *outLen, unsigned int maxOutLen); + +/* Exported for use in unit tests.*/ +SECStatus ssl_SelfEncryptProtectInt( + PK11SymKey *encKey, PK11SymKey *macKey, const unsigned char *keyName, + const PRUint8 *in, unsigned int inLen, + PRUint8 *out, unsigned int *outLen, unsigned int maxOutLen); +SECStatus ssl_SelfEncryptUnprotectInt( + PK11SymKey *encKey, PK11SymKey *macKey, const unsigned char *keyName, + const PRUint8 *in, unsigned int inLen, + PRUint8 *out, unsigned int *outLen, unsigned int maxOutLen); + +#endif diff --git a/security/nss/lib/ssl/ssl.def b/security/nss/lib/ssl/ssl.def index 6aa8b64377..94d3042239 100644 --- a/security/nss/lib/ssl/ssl.def +++ b/security/nss/lib/ssl/ssl.def @@ -221,3 +221,16 @@ SSL_SignatureSchemePrefGet; ;+ local: ;+*; ;+}; +;+NSS_3.30 { # NSS 3.30 release +;+ global: +SSL_SetSessionTicketKeyPair; +;+ local: +;+*; +;+}; +;+NSS_3.30.0.1 { # Additional symbols for NSS 3.30 release +;+ global: +SSL_AlertReceivedCallback; +SSL_AlertSentCallback; +;+ local: +;+*; +;+}; diff --git a/security/nss/lib/ssl/ssl.gyp b/security/nss/lib/ssl/ssl.gyp index 0306ab6670..03b2d6014a 100644 --- a/security/nss/lib/ssl/ssl.gyp +++ b/security/nss/lib/ssl/ssl.gyp 
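Review bot: The new header is not self-contained: it declares functions taking `sslSocket *` but includes only `secmodt.h`, so it compiles only when sslimpl.h is already in scope (selfencrypt.c includes it first, which hides the problem); either include it here or add a forward declaration of the socket struct — confirm the tag name against sslimpl.h. The guard macro `__selfencrypt_h_` begins with a double underscore, a name reserved for the implementation; `selfencrypt_h_` avoids that. The `*Int` variants exported for tests deserve a contract line, e.g. `/* keyName must be SELF_ENCRYPT_KEY_NAME_LEN bytes; *outLen is set only on success. */`.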
@@ -14,8 +14,10 @@ 'cmpcert.c', 'dtlscon.c', 'prelib.c', + 'selfencrypt.c', 'ssl3con.c', 'ssl3ecc.c', + 'ssl3encode.c', 'ssl3ext.c', 'ssl3exthandle.c', 'ssl3gthr.c', @@ -63,7 +65,7 @@ 'NSS_SSL_ENABLE_ZLIB', ], }], - [ 'fuzz==1', { + [ 'fuzz_tls==1', { 'defines': [ 'UNSAFE_FUZZER_MODE', ], @@ -71,7 +73,6 @@ ], 'dependencies': [ '<(DEPTH)/exports.gyp:nss_exports', - '<(DEPTH)/lib/freebl/freebl.gyp:freebl', ], }, { @@ -81,6 +82,7 @@ 'ssl', '<(DEPTH)/lib/nss/nss.gyp:nss3', '<(DEPTH)/lib/util/util.gyp:nssutil3', + '<(DEPTH)/lib/freebl/freebl.gyp:freebl', ], 'variables': { 'mapfile': 'ssl.def' diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h index 9394adcca0..7e538ac1fc 100644 --- a/security/nss/lib/ssl/ssl.h +++ b/security/nss/lib/ssl/ssl.h @@ -228,7 +228,7 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd); * on the server to read that data. Calls to * SSL_GetPreliminaryChannelInfo() and SSL_GetNextProto() * can be made used during this period to learn about the channel - * parameters [TODO(ekr@rtfm.com): This hasn't landed yet]. + * parameters. * * The transition between the 0-RTT and 1-RTT modes is marked by the * handshake callback. @@ -394,7 +394,7 @@ SSL_IMPORT SECStatus SSL_SignaturePrefGet( ** can be set or retrieved using SSL_SignatureSchemePrefSet or ** SSL_SignatureSchemePrefGet. */ -SSL_IMPORT unsigned int SSL_SignatureMaxCount(); +SSL_IMPORT unsigned int SSL_SignatureMaxCount(void); /* ** Define custom priorities for EC and FF groups used in DH key exchange and EC 
@@ -820,6 +820,25 @@ SSL_IMPORT PRFileDesc *SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd); SSL_IMPORT SECStatus SSL_SetPKCS11PinArg(PRFileDesc *fd, void *a); /* +** These are callbacks for dealing with SSL alerts. + */ + +typedef PRUint8 SSLAlertLevel; +typedef PRUint8 SSLAlertDescription; + +typedef struct { + SSLAlertLevel level; + SSLAlertDescription description; +} SSLAlert; + +typedef void(PR_CALLBACK *SSLAlertCallback)(const PRFileDesc *fd, void *arg, + const SSLAlert *alert); + +SSL_IMPORT SECStatus SSL_AlertReceivedCallback(PRFileDesc *fd, SSLAlertCallback cb, + void *arg); +SSL_IMPORT SECStatus SSL_AlertSentCallback(PRFileDesc *fd, SSLAlertCallback cb, + void *arg); +/* ** This is a callback for dealing with server certs that are not authenticated ** by the client. The client app can decide that it actually likes the ** cert by some external means and restart the connection. @@ -915,6 +934,22 @@ SSL_ConfigSecureServerWithCertChain(PRFileDesc *fd, CERTCertificate *cert, SECKEYPrivateKey *key, SSLKEAType kea); /* +** SSL_SetSessionTicketKeyPair configures an asymmetric key pair for use in +** wrapping session ticket keys, used by the server. This function currently +** only accepts an RSA public/private key pair. +** +** Prior to the existence of this function, NSS used an RSA private key +** associated with a configured certificate to perform session ticket +** encryption. If this function isn't used, the keys provided with a configured +** RSA certificate are used for wrapping session ticket keys. +** +** NOTE: This key is used for all self-encryption but is named for +** session tickets for historical reasons. +*/ +SSL_IMPORT SECStatus +SSL_SetSessionTicketKeyPair(SECKEYPublicKey *pubKey, SECKEYPrivateKey *privKey); + +/* ** Configure a secure server's session-id cache. Define the maximum number ** of entries in the cache, the longevity of the entires, and the directory ** where the cache files will be placed. These values can be zero, and 
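Review bot: The comment introducing the SSLAlertCallback block, `** These are callbacks for dealing with SSL alerts.`, does not tell an application when each callback fires or in what context, which is exactly what a user of SSL_AlertReceivedCallback/SSL_AlertSentCallback needs. From the ssl3con.c side of this commit, the sent callback runs only after the alert record was successfully written and, in some call paths, with the handshake lock still held by the caller, while the received callback runs before the description byte is interpreted and so can see unknown level/description values. Suggest expanding the comment to state that the received callback is invoked for every alert record before it is acted on, that the sent callback is invoked only when the alert was actually written, and whether a callback may call back into SSL on `fd` given that the lock state differs between callers.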
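Review bot: The SSL_SetSessionTicketKeyPair comment does not say what happens to `pubKey`/`privKey` after the call — whether the library copies them or borrows the caller's objects so that the caller must keep them alive — nor what a second call does to the pair installed earlier. Since the function takes no fd it sets process-wide state; the comment should say so, and whether it is safe to call while handshakes are in progress on other threads. I cannot see the implementation from this hunk, so the exact wording has to come from it, but a sentence such as `** The library takes its own references to the keys; the caller may destroy its copies after the call.` (or its opposite) is the minimum a server operator needs.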
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index 186ce23f3d..5cbe2bd094 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -38,13 +38,6 @@ #include "zlib.h" #endif -#ifndef PK11_SETATTRS -#define PK11_SETATTRS(x, id, v, l) \ - (x)->type = (id); \ - (x)->pValue = (v); \ - (x)->ulValueLen = (l); -#endif - static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, PK11SlotInfo *serverKeySlot); static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms); @@ -64,7 +57,7 @@ static SECStatus ssl3_HandleServerHelloPart2(sslSocket *ss, const SECItem *sidBytes, int *retErrCode); static SECStatus ssl3_HandlePostHelloHandshakeMessage(sslSocket *ss, - SSL3Opaque *b, + PRUint8 *b, PRUint32 length, SSL3Hashes *hashesPtr); static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); @@ -273,10 +266,6 @@ static const /*SSL3ClientCertificateType */ PRUint8 certificate_types[] = { ct_DSS_sign, }; -/* This global item is used only in servers. It is is initialized by -** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). -*/ -CERTDistNames *ssl3_server_ca_list = NULL; static SSL3Statistics ssl3stats; /* Record protection algorithms, indexed by SSL3BulkCipher. @@ -863,12 +852,10 @@ ssl_HasCert(const sslSocket *ss, SSLAuthType authType) cursor != &ss->serverCerts; cursor = PR_NEXT_LINK(cursor)) { sslServerCert *cert = (sslServerCert *)cursor; - if (cert->certType.authType != authType) { - continue; - } if (!cert->serverKeyPair || !cert->serverKeyPair->privKey || - !cert->serverCertChain) { + !cert->serverCertChain || + !SSL_CERT_IS(cert, authType)) { continue; } /* When called from ssl3_config_match_init(), all the EC curves will be 
@@ -879,7 +866,7 @@ ssl_HasCert(const sslSocket *ss, SSLAuthType authType) if ((authType == ssl_auth_ecdsa || authType == ssl_auth_ecdh_ecdsa || authType == ssl_auth_ecdh_rsa) && - !ssl_NamedGroupEnabled(ss, cert->certType.namedCurve)) { + !ssl_NamedGroupEnabled(ss, cert->namedCurve)) { continue; } return PR_TRUE; @@ -1044,8 +1031,9 @@ Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen, return SECFailure; } *outputLen = inputLen; - if (input != output) + if (inputLen > 0 && input != output) { PORT_Memcpy(output, input, inputLen); + } return SECSuccess; } @@ -1084,14 +1072,15 @@ ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion, /* Used by the client when the server produces a version number. * This reads, validates, and normalizes the value. */ SECStatus -ssl_ClientReadVersion(sslSocket *ss, SSL3Opaque **b, unsigned int *len, +ssl_ClientReadVersion(sslSocket *ss, PRUint8 **b, unsigned int *len, SSL3ProtocolVersion *version) { SSL3ProtocolVersion v; - PRInt32 temp; + PRUint32 temp; + SECStatus rv; - temp = ssl3_ConsumeHandshakeNumber(ss, 2, b, len); - if (temp < 0) { + rv = ssl3_ConsumeHandshakeNumber(ss, &temp, 2, b, len); + if (rv != SECSuccess) { return SECFailure; /* alert has been sent */ } @@ -1624,10 +1613,6 @@ ssl3_SetupPendingCipherSpec(sslSocket *ss) pwSpec->compressContext = NULL; pwSpec->decompressContext = NULL; - if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) { - PORT_Assert(ss->ssl3.hs.kea_def->ephemeral); - PORT_Assert(pwSpec->cipher_def->type == type_aead); - } ssl_ReleaseSpecWriteLock(ss); /*******************************/ return SECSuccess; } 
@@ -1777,29 +1762,6 @@ ssl3_InitCompressionContext(ssl3CipherSpec *pwSpec) return SECSuccess; } -/* This function should probably be moved to pk11wrap and be named - * PK11_ParamFromIVAndEffectiveKeyBits - */ -static SECItem * -ssl3_ParamFromIV(CK_MECHANISM_TYPE mtype, SECItem *iv, CK_ULONG ulEffectiveBits) -{ - SECItem *param = PK11_ParamFromIV(mtype, iv); - if (param && param->data && param->len >= sizeof(CK_RC2_PARAMS)) { - switch (mtype) { - case CKM_RC2_KEY_GEN: - case CKM_RC2_ECB: - case CKM_RC2_CBC: - case CKM_RC2_MAC: - case CKM_RC2_MAC_GENERAL: - case CKM_RC2_CBC_PAD: - *(CK_RC2_PARAMS *)param->data = ulEffectiveBits; - default: - break; - } - } - return param; -} - /* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data * which is included in the MAC or AEAD additional data) to |out| and returns * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the @@ -1981,7 +1943,6 @@ ssl3_InitPendingContexts(sslSocket *ss) CK_MECHANISM_TYPE mechanism; CK_MECHANISM_TYPE mac_mech; CK_ULONG macLength; - CK_ULONG effKeyBits; SECItem iv; SECItem mac_param; SSLCipherAlgorithm calg; @@ -2051,14 +2012,13 @@ ssl3_InitPendingContexts(sslSocket *ss) return SECSuccess; } mechanism = ssl3_Alg2Mech(calg); - effKeyBits = cipher_def->key_size * BPB; /* * build the server context */ iv.data = pwSpec->server.write_iv; iv.len = cipher_def->iv_size; - param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits); + param = PK11_ParamFromIV(mechanism, &iv); if (param == NULL) { ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE); goto fail; @@ -2082,7 +2042,7 @@ ssl3_InitPendingContexts(sslSocket *ss) iv.data = pwSpec->client.write_iv; iv.len = cipher_def->iv_size; - param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits); + param = PK11_ParamFromIV(mechanism, &iv); if (param == NULL) { ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE); goto fail; 
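Review bot: Dropping ssl3_ParamFromIV means ssl3_InitPendingContexts now calls PK11_ParamFromIV directly and no longer writes the effective key bits into CK_RC2_PARAMS for RC2 mechanisms; nothing in these hunks removes the RC2 cipher suites themselves, so this is only correct if no RC2 suite can still be negotiated. I cannot confirm that from the diff — worth verifying that the RC2 entries are gone from the bulk-cipher table, since otherwise RC2 records would be set up with whatever PK11_ParamFromIV defaults to rather than the suite's effective key length. If they have been removed, a one-line note next to the first PK11_ParamFromIV call, `/* No RC2 suite remains, so no effective-key-bits parameter is needed. */`, would record why the helper was safe to delete.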
@@ -2256,7 +2216,7 @@ ssl3_ComputeRecordMAC( PRBool useServerMacKey, const unsigned char *header, unsigned int headerLen, - const SSL3Opaque *input, + const PRUint8 *input, int inputLength, unsigned char *outbuf, unsigned int *outLength) @@ -2303,7 +2263,7 @@ ssl3_ComputeRecordMACConstantTime( PRBool useServerMacKey, const unsigned char *header, unsigned int headerLen, - const SSL3Opaque *input, + const PRUint8 *input, int inputLen, int originalLen, unsigned char *outbuf, @@ -2408,7 +2368,7 @@ ssl3_CompressMACEncryptRecord(ssl3CipherSpec *cwSpec, PRBool isDTLS, PRBool capRecordVersion, SSL3ContentType type, - const SSL3Opaque *pIn, + const PRUint8 *pIn, PRUint32 contentLen, sslBuffer *wrBuf) { @@ -2577,7 +2537,7 @@ ssl3_CompressMACEncryptRecord(ssl3CipherSpec *cwSpec, SECStatus ssl_ProtectRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, PRBool capRecordVersion, SSL3ContentType type, - const SSL3Opaque *pIn, PRUint32 contentLen, sslBuffer *wrBuf) + const PRUint8 *pIn, PRUint32 contentLen, sslBuffer *wrBuf) { const ssl3BulkCipherDef *cipher_def = cwSpec->cipher_def; PRUint16 headerLen; @@ -2694,14 +2654,15 @@ PRInt32 ssl3_SendRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, /* non-NULL for DTLS retransmits */ SSL3ContentType type, - const SSL3Opaque *pIn, /* input buffer */ - PRInt32 nIn, /* bytes of input */ + const PRUint8 *pIn, /* input buffer */ + PRInt32 nIn, /* bytes of input */ PRInt32 flags) { sslBuffer *wrBuf = &ss->sec.writeBuf; SECStatus rv; PRInt32 totalSent = 0; PRBool capRecordVersion; + ssl3CipherSpec *spec; SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d", SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type), @@ -2733,10 +2694,7 @@ ssl3_SendRecord(sslSocket *ss, ** trying to send an alert. */ PR_ASSERT(type == content_alert); - rv = ssl3_InitState(ss); - if (rv != SECSuccess) { - return SECFailure; /* ssl3_InitState has set the error code. */ - } + ssl3_InitState(ss); } /* check for Token Presence */ 
@@ -2806,11 +2764,12 @@ ssl3_SendRecord(sslSocket *ss, PORT_Assert(IS_DTLS(ss) && (type == content_handshake || type == content_change_cipher_spec)); + spec = cwSpec; } else { - cwSpec = ss->ssl3.cwSpec; + spec = ss->ssl3.cwSpec; } - rv = ssl_ProtectRecord(ss, cwSpec, !IS_DTLS(ss) && capRecordVersion, + rv = ssl_ProtectRecord(ss, spec, !IS_DTLS(ss) && capRecordVersion, type, pIn, contentLen, wrBuf); if (rv == SECSuccess) { PRINT_BUF(50, (ss, "send (encrypted) record data:", @@ -2941,6 +2900,7 @@ ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in, ssl_GetXmitBufLock(ss); } toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH); + /* * Note that the 0 epoch is OK because flags will never require * its use, as guaranteed by the PORT_Assert above. @@ -3077,7 +3037,9 @@ ssl3_HandleNoCertificate(sslSocket *ss) (ss->opt.requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE))) { PRFileDesc *lower; - ss->sec.uncache(ss->sec.ci.sid); + if (!ss->opt.noCache) { + ss->sec.uncache(ss->sec.ci.sid); + } SSL3_SendAlert(ss, alert_fatal, bad_certificate); lower = ss->fd->lower; @@ -3124,6 +3086,10 @@ SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc) { PRUint8 bytes[2]; SECStatus rv; + PRBool needHsLock = !ssl_HaveSSL3HandshakeLock(ss); + + /* Check that if I need the HS lock I also need the Xmit lock */ + PORT_Assert(!needHsLock || !ssl_HaveXmitBufLock(ss)); SSL_TRC(3, ("%d: SSL3[%d]: send alert record, level=%d desc=%d", SSL_GETPID(), ss->fd, level, desc)); @@ -3131,7 +3097,9 @@ SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc) bytes[0] = level; bytes[1] = desc; - ssl_GetSSL3HandshakeLock(ss); + if (needHsLock) { + ssl_GetSSL3HandshakeLock(ss); + } if (level == alert_fatal) { if (!ss->opt.noCache && ss->sec.ci.sid) { ss->sec.uncache(ss->sec.ci.sid); 
@@ -3149,7 +3117,13 @@ SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc) ss->ssl3.fatalAlertSent = PR_TRUE; } ssl_ReleaseXmitBufLock(ss); - ssl_ReleaseSSL3HandshakeLock(ss); + if (needHsLock) { + ssl_ReleaseSSL3HandshakeLock(ss); + } + if (rv == SECSuccess && ss->alertSentCallback) { + SSLAlert alert = { level, desc }; + ss->alertSentCallback(ss->fd, ss->alertSentCallbackArg, &alert); + } return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */ } @@ -3262,6 +3236,11 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf) SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d", SSL_GETPID(), ss->fd, level, desc)); + if (ss->alertReceivedCallback) { + SSLAlert alert = { level, desc }; + ss->alertReceivedCallback(ss->fd, ss->alertReceivedCallbackArg, &alert); + } + switch (desc) { case close_notify: ss->recvdCloseNotify = 1; @@ -4088,11 +4067,9 @@ ssl3_InitHandshakeHashes(sslSocket *ss) return SECSuccess; } -SECStatus +void ssl3_RestartHandshakeHashes(sslSocket *ss) { - SECStatus rv = SECSuccess; - SSL_TRC(30, ("%d: SSL3[%d]: reset handshake hashes", SSL_GETPID(), ss->fd)); ss->ssl3.hs.hashType = handshake_hash_unknown; @@ -4105,7 +4082,6 @@ ssl3_RestartHandshakeHashes(sslSocket *ss) PK11_DestroyContext(ss->ssl3.hs.sha, PR_TRUE); ss->ssl3.hs.sha = NULL; } - return rv; } /* @@ -4243,7 +4219,7 @@ ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize) SECStatus ssl3_AppendHandshakeVariable( - sslSocket *ss, const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize) + sslSocket *ss, const PRUint8 *src, PRInt32 bytes, PRInt32 lenSize) { SECStatus rv; 
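Review bot: The `ss->alertSentCallback` call at the end of SSL3_SendAlert runs after the xmit lock and the handshake lock this function took are released, but when `needHsLock` is false the caller still holds the handshake lock, so the callback executes in two different lock contexts depending on who called; neither that nor the fact that it fires only on `rv == SECSuccess` is written down. In ssl3_HandleAlert (the second hunk on this line) `ss->alertReceivedCallback` fires before the `switch (desc)`, so it is handed unknown or malformed description values as well, which is acceptable but should be stated. Suggest a comment at the sent-callback site, `/* Fires only when the record was written; our caller may still hold the HS lock, so the callback must not rely on the lock state. */`, and one in ssl3_HandleAlert noting the callback sees the raw level/description bytes before validation. Both enclosing functions begin outside their hunks.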
@@ -4330,7 +4306,7 @@ ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length) * override the generic error code by setting another. */ SECStatus -ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, SSL3Opaque **b, +ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRUint32 bytes, PRUint8 **b, PRUint32 *length) { PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); 
@@ -4348,37 +4324,33 @@ ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, SSL3Opaque **b, /* Read up the next "bytes" number of bytes from the (decrypted) input * stream "b" (which is *length bytes long), and interpret them as an - * integer in network byte order. Returns the received value. + * integer in network byte order. Sets *num to the received value. * Reduces *length by bytes. Advances *b by bytes. * - * Returns SECFailure (-1) on failure. - * This value is indistinguishable from the equivalent received value. - * Only positive numbers are to be received this way. - * Thus, the largest value that may be sent this way is 0x7fffffff. * On error, an alert has been sent, and a generic error code has been set. */ -PRInt32 -ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, SSL3Opaque **b, - PRUint32 *length) +SECStatus +ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRUint32 *num, PRUint32 bytes, + PRUint8 **b, PRUint32 *length) { PRUint8 *buf = *b; int i; - PRInt32 num = 0; PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); - PORT_Assert(bytes <= sizeof num); - if ((PRUint32)bytes > *length) { + *num = 0; + if (bytes > *length || bytes > sizeof(*num)) { return ssl3_DecodeError(ss); } PRINT_BUF(60, (ss, "consume bytes:", *b, bytes)); - for (i = 0; i < bytes; i++) - num = (num << 8) + buf[i]; + for (i = 0; i < bytes; i++) { + *num = (*num << 8) + buf[i]; + } *b += bytes; *length -= bytes; - return num; + return SECSuccess; } /* Read in two values from the incoming decrypted byte stream "b", which is 
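Review bot: In ssl3_ConsumeHandshakeNumber the loop index is still `int i` while `bytes` became `PRUint32`, so `i < bytes` is now a signed/unsigned comparison that -Wsign-compare will flag on every build; `unsigned int i;` fixes it without changing behaviour. The new guard `bytes > sizeof(*num)` is the right replacement for the old assert and keeps the `(*num << 8)` shift within the width of `*num` for any caller-supplied count. The header comment could also state the failure contract now that the return type changed: `* On failure *num is 0 and SECFailure is returned;` — the rewritten text only describes the success case.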
@@ -4396,21 +4368,22 @@ ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, SSL3Opaque **b, * point to the values in the buffer **b. */ SECStatus -ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes, - SSL3Opaque **b, PRUint32 *length) +ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRUint32 bytes, + PRUint8 **b, PRUint32 *length) { - PRInt32 count; + PRUint32 count; + SECStatus rv; PORT_Assert(bytes <= 3); i->len = 0; i->data = NULL; i->type = siBuffer; - count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length); - if (count < 0) { /* Can't test for SECSuccess here. */ + rv = ssl3_ConsumeHandshakeNumber(ss, &count, bytes, b, length); + if (rv != SECSuccess) { return SECFailure; } if (count > 0) { - if ((PRUint32)count > *length) { + if (count > *length) { return ssl3_DecodeError(ss); } i->data = *b; @@ -4421,19 +4394,6 @@ ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes, return SECSuccess; } -/* Helper function to encode an unsigned integer into a buffer. */ -PRUint8 * -ssl_EncodeUintX(PRUint64 value, unsigned int bytes, PRUint8 *to) -{ - PRUint64 encoded; - - PORT_Assert(bytes > 0 && bytes <= sizeof(encoded)); - - encoded = PR_htonll(value); - memcpy(to, ((unsigned char *)(&encoded)) + (sizeof(encoded) - bytes), bytes); - return to + bytes; -} - /* ssl3_TLSHashAlgorithmToOID converts a TLS hash identifier into an OID value. * If the hash is not recognised, SEC_OID_UNKNOWN is returned. * 
@@ -4678,13 +4638,14 @@ ssl_IsRsaPssSignatureScheme(SSLSignatureScheme scheme) * * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ SECStatus -ssl_ConsumeSignatureScheme(sslSocket *ss, SSL3Opaque **b, +ssl_ConsumeSignatureScheme(sslSocket *ss, PRUint8 **b, PRUint32 *length, SSLSignatureScheme *out) { - PRInt32 tmp; + PRUint32 tmp; + SECStatus rv; - tmp = ssl3_ConsumeHandshakeNumber(ss, 2, b, length); - if (tmp < 0) { + rv = ssl3_ConsumeHandshakeNumber(ss, &tmp, 2, b, length); + if (rv != SECSuccess) { return SECFailure; /* Error code set already. */ } if (!ssl_IsSupportedSignatureScheme((SSLSignatureScheme)tmp)) { @@ -4743,8 +4704,8 @@ ssl3_ComputeHandshakeHashes(sslSocket *ss, SECStatus rv = SECSuccess; PRBool isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); unsigned int outLength; - SSL3Opaque md5_inner[MAX_MAC_LENGTH]; - SSL3Opaque sha_inner[MAX_MAC_LENGTH]; + PRUint8 md5_inner[MAX_MAC_LENGTH]; + PRUint8 sha_inner[MAX_MAC_LENGTH]; PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); if (ss->ssl3.hs.hashType == handshake_hash_unknown) { @@ -4990,7 +4951,6 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type) PRBool isTLS = PR_FALSE; PRBool requestingResume = PR_FALSE, fallbackSCSV = PR_FALSE; PRInt32 total_exten_len = 0; - unsigned paddingExtensionLen; unsigned numCompressionMethods; PRUint16 version; PRInt32 flags; @@ -5013,15 +4973,8 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type) if (ss->ssl3.hs.helloRetry) { PORT_Assert(type == client_hello_retry); } else { - rv = ssl3_InitState(ss); - if (rv != SECSuccess) { - return rv; /* ssl3_InitState has set the error code. */ - } - - rv = ssl3_RestartHandshakeHashes(ss); - if (rv != SECSuccess) { - return rv; - } + ssl3_InitState(ss); + ssl3_RestartHandshakeHashes(ss); } /* These must be reset every handshake. */ 
@@ -5293,19 +5246,12 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type) length += 1 + ss->ssl3.hs.cookie.len; } - /* A padding extension may be included to ensure that the record containing - * the ClientHello doesn't have a length between 256 and 511 bytes - * (inclusive). Initial, ClientHello records with such lengths trigger bugs - * in F5 devices. - * - * This is not done for DTLS, for renegotiation, or when there are no - * extensions. */ - if (!IS_DTLS(ss) && isTLS && !ss->firstHsDone && total_exten_len) { - paddingExtensionLen = ssl3_CalculatePaddingExtensionLength(length); - total_exten_len += paddingExtensionLen; - length += paddingExtensionLen; - } else { - paddingExtensionLen = 0; + if (total_exten_len > 0) { + ssl3_CalculatePaddingExtLen(ss, length); + if (ss->xtnData.paddingLen) { + total_exten_len += 4 + ss->xtnData.paddingLen; + length += 4 + ss->xtnData.paddingLen; + } } rv = ssl3_AppendHandshakeHeader(ss, client_hello, length); @@ -5476,15 +5422,6 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type) return rv; /* err set by AppendHandshake. */ } - extLen = ssl3_AppendPaddingExtension(ss, paddingExtensionLen, maxBytes); - if (extLen < 0) { - if (sid->u.ssl3.lock) { - PR_RWLock_Unlock(sid->u.ssl3.lock); - } - return SECFailure; - } - maxBytes -= extLen; - extLen = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, maxBytes, NULL); if (extLen < 0) { if (sid->u.ssl3.lock) { @@ -5579,8 +5516,6 @@ ssl3_HandleHelloRequest(sslSocket *ss) return rv; } -#define UNKNOWN_WRAP_MECHANISM 0x7fffffff - static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = { CKM_DES3_ECB, CKM_CAST5_ECB, 
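Review bot: The ClientHello padding block in ssl3_SendClientHello no longer carries the `!IS_DTLS(ss) && isTLS && !ss->firstHsDone` conditions; it now depends entirely on what ssl3_CalculatePaddingExtLen writes into `ss->xtnData.paddingLen`, and that helper is not in this diff. If those exclusions moved into the helper this is fine, but the explanatory comment about the 256–511 byte record problem went with the old code, so a reader of this call site has no idea why padding is computed at all. Suggest keeping a one-line pointer here, `/* Pad so the ClientHello record is not 256-511 bytes long; see ssl3_CalculatePaddingExtLen. */`, and confirming that the DTLS and renegotiation exclusions are applied inside the helper. The enclosing function starts outside the hunk.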
@@ -5596,27 +5531,58 @@ static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = { CKM_SKIPJACK_CBC64, CKM_AES_ECB, CKM_CAMELLIA_ECB, - CKM_SEED_ECB, - UNKNOWN_WRAP_MECHANISM + CKM_SEED_ECB }; -static int -ssl_FindIndexByWrapMechanism(CK_MECHANISM_TYPE mech) +static SECStatus +ssl_FindIndexByWrapMechanism(CK_MECHANISM_TYPE mech, unsigned int *wrapMechIndex) { - const CK_MECHANISM_TYPE *pMech = wrapMechanismList; + unsigned int i; + for (i = 0; i < SSL_NUM_WRAP_MECHS; ++i) { + if (wrapMechanismList[i] == mech) { + *wrapMechIndex = i; + return SECSuccess; + } + } + PORT_Assert(0); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; +} - while (mech != *pMech && *pMech != UNKNOWN_WRAP_MECHANISM) { - ++pMech; +/* Each process sharing the server session ID cache has its own array of SymKey + * pointers for the symmetric wrapping keys that are used to wrap the master + * secrets. There is one key for each authentication type. These Symkeys + * correspond to the wrapped SymKeys kept in the server session cache. + */ +const SSLAuthType ssl_wrap_key_auth_type[SSL_NUM_WRAP_KEYS] = { + ssl_auth_rsa_decrypt, + ssl_auth_rsa_sign, + ssl_auth_rsa_pss, + ssl_auth_ecdsa, + ssl_auth_ecdh_rsa, + ssl_auth_ecdh_ecdsa +}; + +static SECStatus +ssl_FindIndexByWrapKey(const sslServerCert *serverCert, unsigned int *wrapKeyIndex) +{ + unsigned int i; + for (i = 0; i < SSL_NUM_WRAP_KEYS; ++i) { + if (SSL_CERT_IS(serverCert, ssl_wrap_key_auth_type[i])) { + *wrapKeyIndex = i; + return SECSuccess; + } } - return (*pMech == UNKNOWN_WRAP_MECHANISM) ? -1 - : (pMech - wrapMechanismList); + /* Can't assert here because we still get people using DSA certificates. */ + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } static PK11SymKey * ssl_UnwrapSymWrappingKey( SSLWrappedSymWrappingKey *pWswk, SECKEYPrivateKey *svrPrivKey, - SSLAuthType authType, + unsigned int wrapKeyIndex, CK_MECHANISM_TYPE masterWrapMech, void *pwArg) { 
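Review bot: `ssl_wrap_key_auth_type` is a new non-static table whose index, `wrapKeyIndex`, is later stored into `wswk` and written to the server session cache (`wswk.wrapKeyIndex = wrapKeyIndex;` in the ssl3_GetWrappingKey hunk further down), so the order of its entries has become part of a cache format that the comment above it says is shared between processes. Nothing at the definition says so; a maintainer inserting or reordering an entry could silently make a cached wrapped key be interpreted under a different auth type than the one it was created for. Suggest adding `/* Index order is persisted in the session cache as wrapKeyIndex: append only, never reorder. */` above the definition, plus a `PR_STATIC_ASSERT` that the initializer count equals SSL_NUM_WRAP_KEYS, since with the declared array size a short initializer zero-fills silently.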
@@ -5628,9 +5594,9 @@ ssl_UnwrapSymWrappingKey( /* found the wrapping key on disk. */ PORT_Assert(pWswk->symWrapMechanism == masterWrapMech); - PORT_Assert(pWswk->authType == authType); + PORT_Assert(pWswk->wrapKeyIndex == wrapKeyIndex); if (pWswk->symWrapMechanism != masterWrapMech || - pWswk->authType != authType) { + pWswk->wrapKeyIndex != wrapKeyIndex) { goto loser; } wrappedKey.type = siBuffer; @@ -5638,7 +5604,7 @@ ssl_UnwrapSymWrappingKey( wrappedKey.len = pWswk->wrappedSymKeyLen; PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey); - switch (authType) { + switch (ssl_wrap_key_auth_type[wrapKeyIndex]) { case ssl_auth_rsa_decrypt: case ssl_auth_rsa_sign: /* bad: see Bug 1248320 */ @@ -5711,14 +5677,8 @@ loser: return unwrappedWrappingKey; } -/* Each process sharing the server session ID cache has its own array of SymKey - * pointers for the symmetric wrapping keys that are used to wrap the master - * secrets. There is one key for each authentication type. These Symkeys - * correspond to the wrapped SymKeys kept in the server session cache. - */ - typedef struct { - PK11SymKey *symWrapKey[ssl_auth_size]; + PK11SymKey *symWrapKey[SSL_NUM_WRAP_KEYS]; } ssl3SymWrapKey; static PZLock *symWrapKeysLock = NULL; @@ -5746,7 +5706,7 @@ SSL3_ShutdownServerCache(void) PZ_Lock(symWrapKeysLock); /* get rid of all symWrapKeys */ for (i = 0; i < SSL_NUM_WRAP_MECHS; ++i) { - for (j = 0; j < ssl_auth_size; ++j) { + for (j = 0; j < SSL_NUM_WRAP_KEYS; ++j) { PK11SymKey **pSymWrapKey; pSymWrapKey = &symWrapKeys[i].symWrapKey[j]; if (*pSymWrapKey) { @@ -5780,7 +5740,6 @@ ssl_InitSymWrapKeysLock(void) PK11SymKey * ssl3_GetWrappingKey(sslSocket *ss, PK11SlotInfo *masterSecretSlot, - const sslServerCert *serverCert, CK_MECHANISM_TYPE masterWrapMech, void *pwArg) { 
@@ -5791,7 +5750,8 @@ ssl3_GetWrappingKey(sslSocket *ss, PK11SymKey **pSymWrapKey; CK_MECHANISM_TYPE asymWrapMechanism = CKM_INVALID_MECHANISM; int length; - int symWrapMechIndex; + unsigned int wrapMechIndex; + unsigned int wrapKeyIndex; SECStatus rv; SECItem wrappedKey; SSLWrappedSymWrappingKey wswk; @@ -5799,6 +5759,7 @@ ssl3_GetWrappingKey(sslSocket *ss, SECKEYPublicKey *pubWrapKey = NULL; SECKEYPrivateKey *privWrapKey = NULL; ECCWrappedKeyInfo *ecWrapped; + const sslServerCert *serverCert = ss->sec.serverCert; PORT_Assert(serverCert); PORT_Assert(serverCert->serverKeyPair); @@ -5810,15 +5771,18 @@ ssl3_GetWrappingKey(sslSocket *ss, PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return NULL; /* hmm */ } - authType = serverCert->certType.authType; - svrPrivKey = serverCert->serverKeyPair->privKey; - symWrapMechIndex = ssl_FindIndexByWrapMechanism(masterWrapMech); - PORT_Assert(symWrapMechIndex >= 0); - if (symWrapMechIndex < 0) + rv = ssl_FindIndexByWrapKey(serverCert, &wrapKeyIndex); + if (rv != SECSuccess) + return NULL; /* unusable wrapping key. */ + + rv = ssl_FindIndexByWrapMechanism(masterWrapMech, &wrapMechIndex); + if (rv != SECSuccess) return NULL; /* invalid masterWrapMech. */ - pSymWrapKey = &symWrapKeys[symWrapMechIndex].symWrapKey[authType]; + authType = ssl_wrap_key_auth_type[wrapKeyIndex]; + svrPrivKey = serverCert->serverKeyPair->privKey; + pSymWrapKey = &symWrapKeys[wrapMechIndex].symWrapKey[wrapKeyIndex]; ssl_InitSessionCacheLocks(PR_TRUE); 
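Review bot: The two new early returns in ssl3_GetWrappingKey, `if (rv != SECSuccess) return NULL;` after ssl_FindIndexByWrapKey and again after ssl_FindIndexByWrapMechanism, are unbraced single-statement ifs while the rest of this diff is adding braces to exactly such statements (Null_Cipher, ssl3_ConsumeHandshakeNumber); write `if (rv != SECSuccess) { return NULL; /* unusable wrapping key. */ }` for both. The function also changed contract by reading `ss->sec.serverCert` instead of taking the cert as a parameter; the `PORT_Assert(serverCert)` still covers the NULL case, but the function comment, which starts outside the hunk, should now say the socket's currently selected server cert is used.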
@@ -5837,10 +5801,11 @@ ssl3_GetWrappingKey(sslSocket *ss, /* Try to get wrapped SymWrapping key out of the (disk) cache. */ /* Following call fills in wswk on success. */ - if (ssl_GetWrappingKey(symWrapMechIndex, authType, &wswk)) { + rv = ssl_GetWrappingKey(wrapMechIndex, wrapKeyIndex, &wswk); + if (rv == SECSuccess) { /* found the wrapped sym wrapping key on disk. */ unwrappedWrappingKey = - ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, authType, + ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, wrapKeyIndex, masterWrapMech, pwArg); if (unwrappedWrappingKey) { goto install; @@ -5989,9 +5954,9 @@ ssl3_GetWrappingKey(sslSocket *ss, PORT_Assert(asymWrapMechanism != CKM_INVALID_MECHANISM); wswk.symWrapMechanism = masterWrapMech; - wswk.symWrapMechIndex = symWrapMechIndex; wswk.asymWrapMechanism = asymWrapMechanism; - wswk.authType = authType; + wswk.wrapMechIndex = wrapMechIndex; + wswk.wrapKeyIndex = wrapKeyIndex; wswk.wrappedSymKeyLen = wrappedKey.len; /* put it on disk. */ @@ -5999,7 +5964,8 @@ ssl3_GetWrappingKey(sslSocket *ss, * then abandon the value we just computed and * use the one we got from the disk. */ - if (ssl_SetWrappingKey(&wswk)) { + rv = ssl_SetWrappingKey(&wswk); + if (rv == SECSuccess) { /* somebody beat us to it. The original contents of our wswk * has been replaced with the content on disk. Now, discard * the key we just created and unwrap this new one. @@ -6007,7 +5973,7 @@ ssl3_GetWrappingKey(sslSocket *ss, PK11_FreeSymKey(unwrappedWrappingKey); unwrappedWrappingKey = - ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, authType, + ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, wrapKeyIndex, masterWrapMech, pwArg); } 
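Review bot: `rv = ssl_SetWrappingKey(&wswk); if (rv == SECSuccess)` treats SECSuccess as "somebody beat us to it", i.e. success means the freshly generated key is discarded and the on-disk one is unwrapped instead, which is the opposite of what a reader expects from a SECStatus return, and the callee is not in this diff to confirm it. Assuming it really does return SECSuccess only when an existing entry replaced `wswk`, the comment above the call should spell that out, e.g. `/* SECSuccess means a key was already cached; wswk now holds that key and ours is discarded. */`. If instead SECSuccess means "stored", the condition is inverted and the newly created key would be thrown away on every first install, so the return convention of ssl_SetWrappingKey should be checked against this site. The enclosing function starts outside the hunk.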
@@ -6411,6 +6377,33 @@ ssl_PickSignatureScheme(sslSocket *ss, return SECFailure; } +static SECStatus +ssl_PickFallbackSignatureScheme(sslSocket *ss, SECKEYPublicKey *pubKey) +{ + PRBool isTLS12 = ss->version >= SSL_LIBRARY_VERSION_TLS_1_2; + + switch (SECKEY_GetPublicKeyType(pubKey)) { + case rsaKey: + if (isTLS12) { + ss->ssl3.hs.signatureScheme = ssl_sig_rsa_pkcs1_sha1; + } else { + ss->ssl3.hs.signatureScheme = ssl_sig_rsa_pkcs1_sha1md5; + } + break; + case ecKey: + ss->ssl3.hs.signatureScheme = ssl_sig_ecdsa_sha1; + break; + case dsaKey: + ss->ssl3.hs.signatureScheme = ssl_sig_dsa_sha1; + break; + default: + PORT_Assert(0); + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + return SECSuccess; +} + /* ssl3_PickServerSignatureScheme selects a signature scheme for signing the * handshake. Most of this is determined by the key pair we are using. * Prior to TLS 1.2, the MD5/SHA1 combination is always used. With TLS 1.2, a @@ -6424,26 +6417,7 @@ ssl3_PickServerSignatureScheme(sslSocket *ss) if (!isTLS12 || !ssl3_ExtensionNegotiated(ss, ssl_signature_algorithms_xtn)) { /* If the client didn't provide any signature_algorithms extension then * we can assume that they support SHA-1: RFC5246, Section 7.4.1.4.1. */ - switch (SECKEY_GetPublicKeyType(keyPair->pubKey)) { - case rsaKey: - if (isTLS12) { - ss->ssl3.hs.signatureScheme = ssl_sig_rsa_pkcs1_sha1; - } else { - ss->ssl3.hs.signatureScheme = ssl_sig_rsa_pkcs1_sha1md5; - } - break; - case ecKey: - ss->ssl3.hs.signatureScheme = ssl_sig_ecdsa_sha1; - break; - case dsaKey: - ss->ssl3.hs.signatureScheme = ssl_sig_dsa_sha1; - break; - default: - PORT_Assert(0); - PORT_SetError(SEC_ERROR_INVALID_KEY); - return SECFailure; - } - return SECSuccess; + return ssl_PickFallbackSignatureScheme(ss, keyPair->pubKey); } /* Sets error code, if needed. */ 
@@ -6461,9 +6435,21 @@ ssl_PickClientSignatureScheme(sslSocket *ss, const SSLSignatureScheme *schemes, SECKEYPublicKey *pubKey; SECStatus rv; + PRBool isTLS13 = (PRBool)ss->version >= SSL_LIBRARY_VERSION_TLS_1_3; pubKey = CERT_ExtractPublicKey(ss->ssl3.clientCertificate); PORT_Assert(pubKey); - if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3 && + + if (!isTLS13 && numSchemes == 0) { + /* If the server didn't provide any signature algorithms + * then let's assume they support SHA-1. */ + rv = ssl_PickFallbackSignatureScheme(ss, pubKey); + SECKEY_DestroyPublicKey(pubKey); + return rv; + } + + PORT_Assert(schemes && numSchemes > 0); + + if (!isTLS13 && (SECKEY_GetPublicKeyType(pubKey) == rsaKey || SECKEY_GetPublicKeyType(pubKey) == dsaKey) && SECKEY_PublicKeyStrengthInBits(pubKey) <= 1024) { @@ -6604,9 +6590,9 @@ ssl3_SetCipherSuite(sslSocket *ss, ssl3CipherSuite chosenSuite, * Caller must hold Handshake and RecvBuf locks. */ static SECStatus -ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +ssl3_HandleServerHello(sslSocket *ss, PRUint8 *b, PRUint32 length) { - PRInt32 temp; /* allow for consume number failure */ + PRUint32 temp; PRBool suite_found = PR_FALSE; int i; int errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO; 
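Review bot: `PRBool isTLS13 = (PRBool)ss->version >= SSL_LIBRARY_VERSION_TLS_1_3;` in ssl_PickClientSignatureScheme casts `ss->version` and then compares, because the cast binds tighter than `>=`; the value happens to be the same since PRBool is an int, but it reads as though the comparison were being cast and is fragile. Write `PRBool isTLS13 = (PRBool)(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);` or drop the cast. Note also that the new `PORT_Assert(schemes && numSchemes > 0)` is the only check for an empty list on the TLS 1.3 path, now that ssl_ParseSignatureSchemes can hand back NULL/0; presumably the 1.3 handler rejects an empty list before reaching here, but that is worth confirming since the assert compiles out in release builds. The enclosing function starts outside the hunk.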
@@ -6649,11 +6635,21 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) goto loser; /* alert has been sent */ } - /* We got a HelloRetryRequest, but the server didn't pick 1.3. Scream. */ - if (ss->ssl3.hs.helloRetry && ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { - desc = illegal_parameter; - errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO; - goto alert_loser; + /* The server didn't pick 1.3 although we either received a + * HelloRetryRequest, or we prepared to send early app data. */ + if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { + if (ss->ssl3.hs.helloRetry) { + /* SSL3_SendAlert() will uncache the SID. */ + desc = illegal_parameter; + errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO; + goto alert_loser; + } + if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) { + /* SSL3_SendAlert() will uncache the SID. */ + desc = illegal_parameter; + errCode = SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA; + goto alert_loser; + } } /* Check that the server negotiated the same version as it did @@ -6721,8 +6717,8 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) } /* find selected cipher suite in our list. */ - temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); - if (temp < 0) { + rv = ssl3_ConsumeHandshakeNumber(ss, &temp, 2, &b, &length); + if (rv != SECSuccess) { goto loser; /* alert has been sent */ } i = ssl3_config_match_init(ss); @@ -6767,8 +6763,8 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { /* find selected compression method in our list. */ - temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length); - if (temp < 0) { + rv = ssl3_ConsumeHandshakeNumber(ss, &temp, 1, &b, &length); + if (rv != SECSuccess) { goto loser; /* alert has been sent */ } suite_found = PR_FALSE; 
@@ -7010,6 +7006,19 @@ ssl3_HandleServerHelloPart2(sslSocket *ss, const SECItem *sidBytes, else SSL_AtomicIncrementLong(&ssl3stats.hsh_sid_cache_misses); + /* We tried to resume a 1.3 session but the server negotiated 1.2. */ + if (ss->statelessResume) { + PORT_Assert(sid->version == SSL_LIBRARY_VERSION_TLS_1_3); + PORT_Assert(ss->ssl3.hs.currentSecret); + + /* Reset resumption state, only used by 1.3 code. */ + ss->statelessResume = PR_FALSE; + + /* Clear TLS 1.3 early data traffic key. */ + PK11_FreeSymKey(ss->ssl3.hs.currentSecret); + ss->ssl3.hs.currentSecret = NULL; + } + /* throw the old one away */ sid->u.ssl3.keys.resumable = PR_FALSE; ss->sec.uncache(sid); @@ -7062,7 +7071,7 @@ loser: } static SECStatus -ssl_HandleDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +ssl_HandleDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length) { SECStatus rv; int errCode = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH; @@ -7222,7 +7231,7 @@ loser: * Caller must hold Handshake and RecvBuf locks. */ static SECStatus -ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +ssl3_HandleServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length) { SECStatus rv; @@ -7273,19 +7282,20 @@ typedef struct dnameNode { * tls13_HandleCertificateRequest */ SECStatus -ssl3_ParseCertificateRequestCAs(sslSocket *ss, SSL3Opaque **b, PRUint32 *length, +ssl3_ParseCertificateRequestCAs(sslSocket *ss, PRUint8 **b, PRUint32 *length, PLArenaPool *arena, CERTDistNames *ca_list) { - PRInt32 remaining; + PRUint32 remaining; int nnames = 0; dnameNode *node; + SECStatus rv; int i; - remaining = ssl3_ConsumeHandshakeNumber(ss, 2, b, length); - if (remaining < 0) + rv = ssl3_ConsumeHandshakeNumber(ss, &remaining, 2, b, length); + if (rv != SECSuccess) return SECFailure; /* malformed, alert has been sent */ - if ((PRUint32)remaining > *length) + if (remaining > *length) goto alert_loser; ca_list->head = node = PORT_ArenaZNew(arena, dnameNode); 
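Review bot: In the new `ss->statelessResume` block in ssl3_HandleServerHelloPart2 the `PORT_Assert(ss->ssl3.hs.currentSecret)` is followed unconditionally by `PK11_FreeSymKey(ss->ssl3.hs.currentSecret)`; PORT_Assert compiles out in release builds, so if the secret can be NULL on any path the free call sees NULL. If PK11_FreeSymKey does not tolerate NULL — I cannot verify that from here — guard it: `if (ss->ssl3.hs.currentSecret) { PK11_FreeSymKey(ss->ssl3.hs.currentSecret); ss->ssl3.hs.currentSecret = NULL; }`. The comment `/* Clear TLS 1.3 early data traffic key. */` could also say why: presumably so that no early-data key survives a downgrade to a 1.2 connection, which is the security reason for the block. The enclosing function starts outside the hunk.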
@@ -7293,19 +7303,19 @@ ssl3_ParseCertificateRequestCAs(sslSocket *ss, SSL3Opaque **b, PRUint32 *length, goto no_mem; while (remaining > 0) { - PRInt32 len; + PRUint32 len; if (remaining < 2) goto alert_loser; /* malformed */ - node->name.len = len = ssl3_ConsumeHandshakeNumber(ss, 2, b, length); - if (len <= 0) + rv = ssl3_ConsumeHandshakeNumber(ss, &len, 2, b, length); + if (rv != SECSuccess) return SECFailure; /* malformed, alert has been sent */ - - remaining -= 2; - if (remaining < len) + if (len == 0 || remaining < len + 2) goto alert_loser; /* malformed */ + remaining -= 2; + node->name.len = len; node->name.data = *b; *b += len; *length -= len; @@ -7353,7 +7363,7 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena, { SECStatus rv; SECItem buf; - SSLSignatureScheme *schemes; + SSLSignatureScheme *schemes = NULL; unsigned int numSchemes = 0; unsigned int max; @@ -7361,12 +7371,17 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena, if (rv != SECSuccess) { return SECFailure; } - /* An empty or odd-length value is invalid. */ - if (buf.len == 0 || (buf.len & 1) != 0) { + /* An odd-length value is invalid. */ + if ((buf.len & 1) != 0) { ssl3_ExtSendAlert(ss, alert_fatal, decode_error); return SECFailure; } + /* Let the caller decide whether to alert here. */ + if (buf.len == 0) { + goto done; + } + /* Limit the number of schemes we read. */ max = PR_MIN(buf.len / 2, MAX_SIGNATURE_SCHEMES); @@ -7381,9 +7396,9 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena, } for (; max; --max) { - PRInt32 tmp; - tmp = ssl3_ExtConsumeHandshakeNumber(ss, 2, &buf.data, &buf.len); - if (tmp < 0) { + PRUint32 tmp; + rv = ssl3_ExtConsumeHandshakeNumber(ss, &tmp, 2, &buf.data, &buf.len); + if (rv != SECSuccess) { PORT_Assert(0); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; 
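Review bot: The `goto done` for `buf.len == 0` changes ssl_ParseSignatureSchemes' contract: an empty list used to be rejected with decode_error and now returns SECSuccess with `*schemesOut == NULL` and `*numSchemesOut == 0`. The function's header comment (outside the hunk) should state this so callers know they must inspect `*numSchemesOut` themselves, e.g. `/* An empty list returns SECSuccess with *numSchemesOut == 0; the caller decides whether to alert. */`. The `schemes = NULL` initialisation in the earlier hunk is what makes the early exit safe, which is worth a word there too.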
@@ -7400,6 +7415,7 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena, schemes = NULL; } +done: *schemesOut = schemes; *numSchemesOut = numSchemes; return SECSuccess; @@ -7410,7 +7426,7 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena, * Caller must hold Handshake and RecvBuf locks. */ static SECStatus -ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +ssl3_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, PRUint32 length) { PLArenaPool *arena = NULL; PRBool isTLS = PR_FALSE; @@ -8227,19 +8243,17 @@ ssl3_SelectServerCert(sslSocket *ss) cursor != &ss->serverCerts; cursor = PR_NEXT_LINK(cursor)) { sslServerCert *cert = (sslServerCert *)cursor; - if (cert->certType.authType != kea_def->authKeyType) { + if (!SSL_CERT_IS(cert, kea_def->authKeyType)) { continue; } - if ((cert->certType.authType == ssl_auth_ecdsa || - cert->certType.authType == ssl_auth_ecdh_rsa || - cert->certType.authType == ssl_auth_ecdh_ecdsa) && - !ssl_NamedGroupEnabled(ss, cert->certType.namedCurve)) { + if (SSL_CERT_IS_EC(cert) && + !ssl_NamedGroupEnabled(ss, cert->namedCurve)) { continue; } /* Found one. */ ss->sec.serverCert = cert; - ss->sec.authType = cert->certType.authType; + ss->sec.authType = kea_def->authKeyType; ss->sec.authKeyBits = cert->serverKeyBits; /* Don't pick a signature scheme if we aren't going to use it. */ @@ -8258,10 +8272,10 @@ ssl3_SelectServerCert(sslSocket *ss) * Caller must hold Handshake and RecvBuf locks. */ static SECStatus -ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +ssl3_HandleClientHello(sslSocket *ss, PRUint8 *b, PRUint32 length) { sslSessionID *sid = NULL; - PRInt32 tmp; + PRUint32 tmp; unsigned int i; SECStatus rv; int errCode = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO; 
@@ -8321,8 +8335,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) dtls_RehandshakeCleanup(ss); } - tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); - if (tmp < 0) + rv = ssl3_ConsumeHandshakeNumber(ss, &tmp, 2, &b, &length); + if (rv != SECSuccess) goto loser; /* malformed, alert already sent */ /* Translate the version. */ @@ -8375,9 +8389,9 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) if (length) { /* Get length of hello extensions */ - PRInt32 extension_length; - extension_length = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); - if (extension_length < 0) { + PRUint32 extension_length; + rv = ssl3_ConsumeHandshakeNumber(ss, &extension_length, 2, &b, &length); + if (rv != SECSuccess) { goto loser; /* alert already sent */ } if (extension_length != length) { @@ -8479,7 +8493,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) /* If the ClientHello version is less than our maximum version, check for a * TLS_FALLBACK_SCSV and reject the connection if found. */ - if (ss->vrange.max > ss->clientHelloVersion) { + if (ss->vrange.max > ss->version) { for (i = 0; i + 1 < suites.len; i += 2) { PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; if (suite_i != TLS_FALLBACK_SCSV) @@ -8505,7 +8519,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) for (i = 0; i + 1 < suites.len; i += 2) { PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; if (suite_i == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) { - SSL3Opaque *b2 = (SSL3Opaque *)emptyRIext; + PRUint8 *b2 = (PRUint8 *)emptyRIext; PRUint32 L2 = sizeof emptyRIext; (void)ssl3_HandleExtensions(ss, &b2, &L2, client_hello); break; @@ -8763,7 +8777,6 @@ compression_found: do { ssl3CipherSpec *pwSpec; SECItem wrappedMS; /* wrapped key */ - const sslServerCert *serverCert; if (sid->version != ss->version || sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite || 
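Review bot: The TLS_FALLBACK_SCSV check now compares `ss->vrange.max` against `ss->version`, but the comment above it still reads "If the ClientHello version is less than our maximum version". Presumably `ss->version` is used because it already reflects the client's highest offered version even when that came from a supported_versions extension and the legacy ClientHello version stayed at 1.2; the comment should say so: `/* If the version negotiated so far is less than our maximum, check for a TLS_FALLBACK_SCSV and reject the connection if found. */`. ssl3_HandleClientHello starts and ends outside this hunk.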
@@ -8771,8 +8784,13 @@ compression_found: break; /* not an error */ } - serverCert = ssl_FindServerCert(ss, &sid->certType); - if (!serverCert || !serverCert->serverCert) { + /* server sids don't remember the server cert we previously sent, + ** but they do remember the slot we originally used, so we + ** can locate it again, provided that the current ssl socket + ** has had its server certs configured the same as the previous one. + */ + ss->sec.serverCert = ssl_FindServerCert(ss, sid->authType, sid->namedCurve); + if (!ss->sec.serverCert || !ss->sec.serverCert->serverCert) { /* A compatible certificate must not have been configured. It * might not be the same certificate, but we only find that out * when the ticket fails to decrypt. */ @@ -8820,7 +8838,7 @@ compression_found: PK11SymKey *wrapKey; /* wrapping key */ CK_FLAGS keyFlags = 0; - wrapKey = ssl3_GetWrappingKey(ss, NULL, serverCert, + wrapKey = ssl3_GetWrappingKey(ss, NULL, sid->u.ssl3.masterWrapMech, ss->pkcs11PinArg); if (!wrapKey) { @@ -8879,13 +8897,8 @@ compression_found: ss->sec.keaType = sid->keaType; ss->sec.keaKeyBits = sid->keaKeyBits; - /* server sids don't remember the server cert we previously sent, - ** but they do remember the slot we originally used, so we - ** can locate it again, provided that the current ssl socket - ** has had its server certs configured the same as the previous one. - */ - ss->sec.serverCert = serverCert; - ss->sec.localCert = CERT_DupCertificate(serverCert->serverCert); + ss->sec.localCert = + CERT_DupCertificate(ss->sec.serverCert->serverCert); /* Copy cached name in to pending spec */ if (sid != NULL && 
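Review bot: `ss->sec.serverCert` is now assigned the result of `ssl_FindServerCert` before the compatibility check, so when no matching certificate is found the socket is left with `ss->sec.serverCert == NULL` and presumably falls out of the resumption block (the `break` is just outside the hunk). That is only correct if ssl3_SelectServerCert always runs afterwards on the non-resumption path and overwrites it; a short comment at the assignment, `/* Overwritten by ssl3_SelectServerCert if resumption is abandoned. */`, records that dependency. The enclosing do-block of ssl3_HandleClientHello starts and ends outside this hunk.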
@@ -9077,16 +9090,8 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length, goto loser; } - rv = ssl3_InitState(ss); - if (rv != SECSuccess) { - ssl_ReleaseSSL3HandshakeLock(ss); - return rv; /* ssl3_InitState has set the error code. */ - } - rv = ssl3_RestartHandshakeHashes(ss); - if (rv != SECSuccess) { - ssl_ReleaseSSL3HandshakeLock(ss); - return rv; - } + ssl3_InitState(ss); + ssl3_RestartHandshakeHashes(ss); if (ss->ssl3.hs.ws != wait_client_hello) { desc = unexpected_message; @@ -9202,7 +9207,7 @@ suite_found: for (i = 0; i + 2 < suite_length; i += 3) { PRUint32 suite_i = (suites[i] << 16) | (suites[i + 1] << 8) | suites[i + 2]; if (suite_i == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) { - SSL3Opaque *b2 = (SSL3Opaque *)emptyRIext; + PRUint8 *b2 = (PRUint8 *)emptyRIext; PRUint32 L2 = sizeof emptyRIext; (void)ssl3_HandleExtensions(ss, &b2, &L2, client_hello); break; @@ -9603,34 +9608,6 @@ ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint8 *buf, unsigned maxLen, PRUint32 return SECSuccess; } -void -ssl3_GetCertificateRequestCAs(sslSocket *ss, int *calen, SECItem **names, - int *nnames) -{ - SECItem *name; - CERTDistNames *ca_list; - int i; - - *calen = 0; - *names = NULL; - *nnames = 0; - - /* ssl3.ca_list is initialized to NULL, and never changed. */ - ca_list = ss->ssl3.ca_list; - if (!ca_list) { - ca_list = ssl3_server_ca_list; - } - - if (ca_list != NULL) { - *names = ca_list->names; - *nnames = ca_list->nnames; - } - - for (i = 0, name = *names; i < *nnames; i++, name++) { - *calen += 2 + name->len; - } -} - static SECStatus ssl3_SendCertificateRequest(sslSocket *ss) { @@ -9639,8 +9616,8 @@ ssl3_SendCertificateRequest(sslSocket *ss) SECStatus rv; int length; SECItem *names; - int calen; - int nnames; + unsigned int calen; + unsigned int nnames; SECItem *name; int i; int certTypesLength; 
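Review bot: In ssl3_SendCertificateRequest `calen` and `nnames` become `unsigned int`, but `int length;` and `int i;` in the same declaration block stay signed; presumably `i` iterates up to `nnames` and `length` accumulates `calen` further down (outside the hunk), which now mixes signed and unsigned in comparisons and arithmetic. Changing `int i;` to `unsigned int i;` (and `length` to match if it only ever holds sizes) keeps -Wsign-compare quiet and the comparison semantics obvious. The function's body continues outside this hunk.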
@@ -9655,7 +9632,10 @@ ssl3_SendCertificateRequest(sslSocket *ss) isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); - ssl3_GetCertificateRequestCAs(ss, &calen, &names, &nnames); + rv = ssl_GetCertificateRequestCAs(ss, &calen, &names, &nnames); + if (rv != SECSuccess) { + return rv; + } certTypes = certificate_types; certTypesLength = sizeof certificate_types; @@ -9723,7 +9703,7 @@ ssl3_SendServerHelloDone(sslSocket *ss) * Caller must hold Handshake and RecvBuf locks. */ static SECStatus -ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, +ssl3_HandleCertificateVerify(sslSocket *ss, PRUint8 *b, PRUint32 length, SSL3Hashes *hashes) { SECItem signed_hash = { siBuffer, NULL, 0 }; @@ -9741,17 +9721,15 @@ ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); - /* TLS 1.3 is handled by tls13_HandleCertificateVerify */ - PORT_Assert(ss->ssl3.prSpec->version <= SSL_LIBRARY_VERSION_TLS_1_2); - - isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); - if (ss->ssl3.hs.ws != wait_cert_verify) { desc = unexpected_message; errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY; goto alert_loser; } + /* TLS 1.3 is handled by tls13_HandleCertificateVerify */ + PORT_Assert(ss->ssl3.prSpec->version <= SSL_LIBRARY_VERSION_TLS_1_2); + if (!hashes) { PORT_Assert(0); desc = internal_error; @@ -9798,6 +9776,8 @@ ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, goto loser; /* malformed. */ } + isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); + /* XXX verify that the key & kea match */ rv = ssl3_VerifySignedHashes(ss, sigScheme, hashesForVerify, &signed_hash); if (rv != SECSuccess) { 
@@ -9910,7 +9890,7 @@ ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, */ static SECStatus ssl3_HandleRSAClientKeyExchange(sslSocket *ss, - SSL3Opaque *b, + PRUint8 *b, PRUint32 length, sslKeyPair *serverKeyPair) { @@ -9928,9 +9908,9 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss, enc_pms.len = length; if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */ - PRInt32 kLen; - kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len); - if (kLen < 0) { + PRUint32 kLen; + rv = ssl3_ConsumeHandshakeNumber(ss, &kLen, 2, &enc_pms.data, &enc_pms.len); + if (rv != SECSuccess) { PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); return SECFailure; } @@ -10037,7 +10017,7 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss, static SECStatus ssl3_HandleDHClientKeyExchange(sslSocket *ss, - SSL3Opaque *b, + PRUint8 *b, PRUint32 length, sslKeyPair *serverKeyPair) { @@ -10095,7 +10075,7 @@ ssl3_HandleDHClientKeyExchange(sslSocket *ss, * Caller must hold Handshake and RecvBuf locks. */ static SECStatus -ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +ssl3_HandleClientKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length) { sslKeyPair *serverKeyPair = NULL; SECStatus rv; @@ -10227,7 +10207,7 @@ ssl3_SendNewSessionTicket(sslSocket *ss) goto loser; /* This is a fixed value. */ - rv = ssl3_AppendHandshakeNumber(ss, TLS_EX_SESS_TICKET_LIFETIME_HINT, 4); + rv = ssl3_AppendHandshakeNumber(ss, ssl_ticket_lifetime, 4); if (rv != SECSuccess) goto loser; @@ -10246,10 +10226,11 @@ loser: } static SECStatus -ssl3_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +ssl3_HandleNewSessionTicket(sslSocket *ss, PRUint8 *b, PRUint32 length) { SECStatus rv; SECItem ticketData; + PRUint32 temp; SSL_TRC(3, ("%d: SSL3[%d]: handle session_ticket handshake", SSL_GETPID(), ss->fd)); 
@@ -10270,14 +10251,19 @@ ssl3_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length) * until it has verified the server's Finished message." See the comment in * ssl3_FinishHandshake for more details. */ - ss->ssl3.hs.newSessionTicket.received_timestamp = ssl_Time(); + ss->ssl3.hs.newSessionTicket.received_timestamp = PR_Now(); if (length < 4) { (void)SSL3_SendAlert(ss, alert_fatal, decode_error); PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); return SECFailure; } - ss->ssl3.hs.newSessionTicket.ticket_lifetime_hint = - (PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length); + + rv = ssl3_ConsumeHandshakeNumber(ss, &temp, 4, &b, &length); + if (rv != SECSuccess) { + PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET); + return SECFailure; + } + ss->ssl3.hs.newSessionTicket.ticket_lifetime_hint = temp; rv = ssl3_ConsumeHandshakeVariable(ss, &ticketData, 2, &b, &length); if (rv != SECSuccess || length != 0) { @@ -10551,7 +10537,7 @@ ssl3_CleanupPeerCerts(sslSocket *ss) * Caller must hold Handshake and RecvBuf locks. */ static SECStatus -ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +ssl3_HandleCertificateStatus(sslSocket *ss, PRUint8 *b, PRUint32 length) { SECStatus rv; 
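Review bot: The explicit `if (length < 4)` check with its own alert now sits directly before `ssl3_ConsumeHandshakeNumber(ss, &temp, 4, &b, &length)`, which, per the `/* alert has been sent */` comments on the same call elsewhere in this patch, already rejects short input with an alert; and the new failure branch sets the same `SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET`. Dropping the pre-check leaves a single rejection path with identical observable behaviour. ssl3_HandleNewSessionTicket's body continues outside the hunk.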
@@ -10570,23 +10556,22 @@ ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length) } SECStatus -ssl_ReadCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +ssl_ReadCertificateStatus(sslSocket *ss, PRUint8 *b, PRUint32 length) { - PRInt32 status, len; + PRUint32 status, len; + SECStatus rv; PORT_Assert(!ss->sec.isServer); /* Consume the CertificateStatusType enum */ - status = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length); - if (status != 1 /* ocsp */) { - ssl3_DecodeError(ss); /* sets error code */ - return SECFailure; + rv = ssl3_ConsumeHandshakeNumber(ss, &status, 1, &b, &length); + if (rv != SECSuccess || status != 1 /* ocsp */) { + return ssl3_DecodeError(ss); } - len = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); - if (len != length) { - ssl3_DecodeError(ss); /* sets error code */ - return SECFailure; + rv = ssl3_ConsumeHandshakeNumber(ss, &len, 3, &b, &length); + if (rv != SECSuccess || len != length) { + return ssl3_DecodeError(ss); } #define MAX_CERTSTATUS_LEN 0x1ffff /* 128k - 1 */ @@ -10619,7 +10604,7 @@ ssl_ReadCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length) * Caller must hold Handshake and RecvBuf locks. */ static SECStatus -ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +ssl3_HandleCertificate(sslSocket *ss, PRUint8 *b, PRUint32 length) { SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake", SSL_GETPID(), ss->fd)); @@ -10639,12 +10624,12 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) /* Called from ssl3_HandleCertificate */ SECStatus -ssl3_CompleteHandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +ssl3_CompleteHandleCertificate(sslSocket *ss, PRUint8 *b, PRUint32 length) { ssl3CertNode *c; ssl3CertNode *lastCert = NULL; - PRInt32 remaining = 0; - PRInt32 size; + PRUint32 remaining = 0; + PRUint32 size; SECStatus rv; PRBool isServer = ss->sec.isServer; PRBool isTLS; 
@@ -10660,10 +10645,10 @@ ssl3_CompleteHandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) ** normal no_certificates message to maximize interoperability. */ if (length) { - remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); - if (remaining < 0) + rv = ssl3_ConsumeHandshakeNumber(ss, &remaining, 3, &b, &length); + if (rv != SECSuccess) goto loser; /* fatal alert already sent by ConsumeHandshake. */ - if ((PRUint32)remaining > length) + if (remaining > length) goto decode_loser; } @@ -10694,15 +10679,14 @@ ssl3_CompleteHandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) } /* First get the peer cert. */ - remaining -= 3; - if (remaining < 0) + if (remaining < 3) goto decode_loser; - size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); - if (size <= 0) + remaining -= 3; + rv = ssl3_ConsumeHandshakeNumber(ss, &size, 3, &b, &length); + if (rv != SECSuccess) goto loser; /* fatal alert already sent by ConsumeHandshake. */ - - if (remaining < size) + if (size == 0 || remaining < size) goto decode_loser; certItem.data = b; @@ -10722,15 +10706,14 @@ ssl3_CompleteHandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) /* Now get all of the CA certs. */ while (remaining > 0) { - remaining -= 3; - if (remaining < 0) + if (remaining < 3) goto decode_loser; - size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); - if (size <= 0) + remaining -= 3; + rv = ssl3_ConsumeHandshakeNumber(ss, &size, 3, &b, &length); + if (rv != SECSuccess) goto loser; /* fatal alert already sent by ConsumeHandshake. */ - - if (remaining < size) + if (size == 0 || remaining < size) goto decode_loser; certItem.data = b; @@ -10759,9 +10742,6 @@ ssl3_CompleteHandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) lastCert = c; } - if (remaining != 0) - goto decode_loser; - SECKEY_UpdateCertPQG(ss->sec.peerCert); if (!isServer && 
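Review bot: Removing `if (remaining != 0) goto decode_loser;` after the CA-certificate loop is sound only because `remaining` is now `PRUint32` and each iteration checks `remaining < 3` and `remaining < size` before subtracting, so the loop can only exit at exactly zero; that reasoning is not written down anywhere. A one-line comment where the check used to be, `/* remaining is unsigned and the loop only exits at 0, so no trailing-bytes check is needed. */`, keeps the next reader from re-adding it. This assumes the `remaining -= size` inside the loop (outside this hunk) is still present.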
@@ -11049,13 +11029,10 @@ ssl3_ComputeTLSFinished(sslSocket *ss, ssl3CipherSpec *spec, PK11Context *prf_context; unsigned int retLen; + PORT_Assert(spec->master_secret); if (!spec->master_secret) { - const char *label = isServer ? "server finished" : "client finished"; - unsigned int len = 15; - HASH_HashType hashType = ssl3_GetTls12HashType(ss); - return ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw, - hashes->len, tlsFinished->verify_data, - sizeof tlsFinished->verify_data, hashType); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } if (spec->version < SSL_LIBRARY_VERSION_TLS_1_2) { @@ -11088,9 +11065,10 @@ ssl3_ComputeTLSFinished(sslSocket *ss, ssl3CipherSpec *spec, * ss->ssl3.crSpec). */ SECStatus -ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, - unsigned int labelLen, const unsigned char *val, unsigned int valLen, - unsigned char *out, unsigned int outLen, HASH_HashType tls12HashType) +ssl3_TLSPRFWithMasterSecret(sslSocket *ss, ssl3CipherSpec *spec, + const char *label, unsigned int labelLen, + const unsigned char *val, unsigned int valLen, + unsigned char *out, unsigned int outLen) { SECStatus rv = SECSuccess; @@ -11101,6 +11079,12 @@ ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, unsigned int retLen; if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { + /* Bug 1312976 non-SHA256 exporters are broken. */ + if (ssl3_GetPrfHashMechanism(ss) != CKM_SHA256) { + PORT_Assert(0); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } mech = CKM_NSS_TLS_PRF_GENERAL_SHA256; } prf_context = PK11_CreateContextBySymKey(mech, CKA_SIGN, 
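Review bot: The new guard in ssl3_TLSPRFWithMasterSecret fires on `ssl3_GetPrfHashMechanism(ss) != CKM_SHA256`, which appears to depend on the negotiated cipher suite rather than on a caller bug, so `PORT_Assert(0)` will abort debug builds whenever a peer selects a non-SHA-256 suite and this PRF is requested. Keeping `PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure;` and replacing the assert with the existing bug-reference comment makes the failure graceful in every build. The first hunk's `PORT_Assert(spec->master_secret)` followed by the same runtime check is the right pattern there, since a missing master secret really is a precondition violation.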
@@ -11143,9 +11127,7 @@ ssl3_SendNextProto(sslSocket *ss) padding_len = 32 - ((ss->xtnData.nextProto.len + 2) % 32); - rv = ssl3_AppendHandshakeHeader(ss, next_proto, ss->xtnData.nextProto.len + - 2 + - padding_len); + rv = ssl3_AppendHandshakeHeader(ss, next_proto, ss->xtnData.nextProto.len + 2 + padding_len); if (rv != SECSuccess) { return rv; /* error code set by AppendHandshakeHeader */ } @@ -11298,7 +11280,7 @@ fail: */ SECStatus ssl3_CacheWrappedMasterSecret(sslSocket *ss, sslSessionID *sid, - ssl3CipherSpec *spec, SSLAuthType authType) + ssl3CipherSpec *spec) { PK11SymKey *wrappingKey = NULL; PK11SlotInfo *symKeySlot; @@ -11352,8 +11334,7 @@ ssl3_CacheWrappedMasterSecret(sslSocket *ss, sslSessionID *sid, mechanism = PK11_GetBestWrapMechanism(symKeySlot); if (mechanism != CKM_INVALID_MECHANISM) { wrappingKey = - ssl3_GetWrappingKey(ss, symKeySlot, ss->sec.serverCert, - mechanism, pwArg); + ssl3_GetWrappingKey(ss, symKeySlot, mechanism, pwArg); if (wrappingKey) { mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */ } @@ -11382,7 +11363,7 @@ ssl3_CacheWrappedMasterSecret(sslSocket *ss, sslSessionID *sid, * Caller must hold Handshake and RecvBuf locks. */ static SECStatus -ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, +ssl3_HandleFinished(sslSocket *ss, PRUint8 *b, PRUint32 length, const SSL3Hashes *hashes) { sslSessionID *sid = ss->sec.ci.sid; @@ -11560,9 +11541,7 @@ ssl3_FillInCachedSID(sslSocket *ss, sslSessionID *sid) sid->expirationTime = sid->creationTime + ssl3_sid_timeout; sid->localCert = CERT_DupCertificate(ss->sec.localCert); if (ss->sec.isServer) { - memcpy(&sid->certType, &ss->sec.serverCert->certType, sizeof(sid->certType)); - } else { - sid->certType.authType = ssl_auth_null; + sid->namedCurve = ss->sec.serverCert->namedCurve; } if (ss->xtnData.nextProtoState != SSL_NEXT_PROTO_NO_SUPPORT && 
@@ -11586,8 +11565,7 @@ ssl3_FillInCachedSID(sslSocket *ss, sslSessionID *sid) rv = SECSuccess; } else { rv = ssl3_CacheWrappedMasterSecret(ss, ss->sec.ci.sid, - ss->ssl3.crSpec, - ss->ssl3.hs.kea_def->authKeyType); + ss->ssl3.crSpec); sid->u.ssl3.keys.msIsWrapped = PR_TRUE; } ssl_ReleaseSpecReadLock(ss); /*************************************/ @@ -11646,7 +11624,7 @@ ssl3_FinishHandshake(sslSocket *ss) * Caller must hold Handshake and RecvBuf locks. */ SECStatus -ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length, +ssl3_HandleHandshakeMessage(sslSocket *ss, PRUint8 *b, PRUint32 length, PRBool endOfRecord) { SECStatus rv = SECSuccess; @@ -11732,10 +11710,7 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length, /* Start new handshake hashes when we start a new handshake. Unless this is * TLS 1.3 and we sent a HelloRetryRequest. */ if (ss->ssl3.hs.msg_type == client_hello && !ss->ssl3.hs.helloRetry) { - rv = ssl3_RestartHandshakeHashes(ss); - if (rv != SECSuccess) { - return rv; - } + ssl3_RestartHandshakeHashes(ss); } /* We should not include hello_request and hello_verify_request messages * in the handshake hashes */ @@ -11835,7 +11810,7 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length, } static SECStatus -ssl3_HandlePostHelloHandshakeMessage(sslSocket *ss, SSL3Opaque *b, +ssl3_HandlePostHelloHandshakeMessage(sslSocket *ss, PRUint8 *b, PRUint32 length, SSL3Hashes *hashesPtr) { SECStatus rv; @@ -12203,7 +12178,7 @@ ssl_RemoveTLSCBCPadding(sslBuffer *plaintext, unsigned int macSize) static void ssl_CBCExtractMAC(sslBuffer *plaintext, unsigned int originalLength, - SSL3Opaque *out, + PRUint8 *out, unsigned int macSize) { unsigned char rotatedMac[MAX_MAC_LENGTH]; 
@@ -12314,9 +12289,9 @@ ssl3_UnprotectRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *plaintext, unsigned int originalLen = 0; unsigned char header[13]; unsigned int headerLen; - SSL3Opaque hash[MAX_MAC_LENGTH]; - SSL3Opaque givenHashBuf[MAX_MAC_LENGTH]; - SSL3Opaque *givenHash; + PRUint8 hash[MAX_MAC_LENGTH]; + PRUint8 givenHashBuf[MAX_MAC_LENGTH]; + PRUint8 *givenHash; unsigned int hashBytes = MAX_MAC_LENGTH + 1; SECStatus rv; @@ -12347,7 +12322,7 @@ ssl3_UnprotectRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *plaintext, * component." Instead, we decrypt the first cipher block and then * discard it before decrypting the rest. */ - SSL3Opaque iv[MAX_IV_LENGTH]; + PRUint8 iv[MAX_IV_LENGTH]; int decoded; ivLen = cipher_def->iv_size; @@ -12521,17 +12496,14 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) ssl3CipherSpec *crSpec; SSL3ContentType rType; sslBuffer *plaintext; - sslBuffer temp_buf; + sslBuffer temp_buf = { NULL, 0, 0 }; SSL3AlertDescription alert = internal_error; PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); if (!ss->ssl3.initialized) { ssl_GetSSL3HandshakeLock(ss); - rv = ssl3_InitState(ss); + ssl3_InitState(ss); ssl_ReleaseSSL3HandshakeLock(ss); - if (rv != SECSuccess) { - return rv; /* ssl3_InitState has set the error code. */ - } } /* check for Token Presence */ 
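Review bot: `sslBuffer temp_buf = { NULL, 0, 0 };` relies on field order, while the neighbouring code addresses the fields by name (`buf`, `len`, `space`); a designated initializer `sslBuffer temp_buf = { .buf = NULL, .len = 0, .space = 0 };` (or simply `= { 0 }`) stays correct if a field is added or reordered. ssl3_HandleRecord starts and ends outside this hunk.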
@@ -12578,25 +12550,11 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) /* If we will be decompressing the buffer we need to decrypt somewhere * other than into databuf */ if (crSpec->decompressor) { - temp_buf.buf = NULL; - temp_buf.space = 0; plaintext = &temp_buf; } else { plaintext = databuf; } - plaintext->len = 0; /* filled in by Unprotect call below. */ - if (plaintext->space < MAX_FRAGMENT_LENGTH) { - rv = sslBuffer_Grow(plaintext, MAX_FRAGMENT_LENGTH + 2048); - if (rv != SECSuccess) { - ssl_ReleaseSpecReadLock(ss); /*************************/ - SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes", - SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048)); - /* sslBuffer_Grow has set a memory error code. */ - /* Perhaps we should send an alert. (but we have no memory!) */ - return SECFailure; - } - } /* We're waiting for another ClientHello, which will appear unencrypted. * Use the content type to tell whether this is should be discarded. @@ -12611,6 +12569,18 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) return SECSuccess; } + if (plaintext->space < MAX_FRAGMENT_LENGTH) { + rv = sslBuffer_Grow(plaintext, MAX_FRAGMENT_LENGTH + 2048); + if (rv != SECSuccess) { + ssl_ReleaseSpecReadLock(ss); /*************************/ + SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes", + SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048)); + /* sslBuffer_Grow has set a memory error code. */ + /* Perhaps we should send an alert. (but we have no memory!) */ + return SECFailure; + } + } + #ifdef UNSAFE_FUZZER_MODE rv = Null_Cipher(NULL, plaintext->buf, (int *)&plaintext->len, plaintext->space, cText->buf->buf, cText->buf->len); 
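Review bot: The removed `plaintext->len = 0; /* filled in by Unprotect call below. */` is not restored when the `sslBuffer_Grow` block is moved after the HelloRetryRequest check, so when `plaintext` aliases `databuf` the buffer keeps whatever length it had before this record. That is safe only if every Unprotect path (including `Null_Cipher` in the fuzzer build) writes `plaintext->len` before returning; if any failure path leaves it untouched, a stale length is visible after a decryption failure. Re-adding `plaintext->len = 0;` immediately before `#ifdef UNSAFE_FUZZER_MODE` costs nothing and removes that dependency. ssl3_HandleRecord starts and ends outside these hunks.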
@@ -12632,6 +12602,9 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd)); + /* Clear the temp buffer used for decompression upon failure. */ + sslBuffer_Clear(&temp_buf); + if (IS_DTLS(ss) || (ss->sec.isServer && ss->ssl3.hs.zeroRttIgnore == ssl_0rtt_ignore_trial)) { @@ -12676,7 +12649,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) SSL3_COMPRESSION_MAX_EXPANSION)); /* sslBuffer_Grow has set a memory error code. */ /* Perhaps we should send an alert. (but we have no memory!) */ - PORT_Free(plaintext->buf); + sslBuffer_Clear(&temp_buf); return SECFailure; } } @@ -12714,12 +12687,12 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) } } - PORT_Free(plaintext->buf); + sslBuffer_Clear(&temp_buf); PORT_SetError(err); return SECFailure; } - PORT_Free(plaintext->buf); + sslBuffer_Clear(&temp_buf); } /* @@ -12849,16 +12822,14 @@ ssl3_InitCipherSpec(ssl3CipherSpec *spec) ** ssl3_HandleRecord() ** ** This function should perhaps acquire and release the SpecWriteLock. -** -** */ -SECStatus +void ssl3_InitState(sslSocket *ss) { PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); if (ss->ssl3.initialized) - return SECSuccess; /* Function should be idempotent */ + return; /* Function should be idempotent */ ss->ssl3.policy = SSL_ALLOWED; @@ -12913,7 +12884,6 @@ ssl3_InitState(sslSocket *ss) ssl_FilterSupportedGroups(ss); ss->ssl3.initialized = PR_TRUE; - return SECSuccess; } /* record the export policy for this cipher suite */ @@ -13136,7 +13106,7 @@ SSL_SignaturePrefGet(PRFileDesc *fd, SSLSignatureAndHashAlg *algorithms, } unsigned int -SSL_SignatureMaxCount() +SSL_SignatureMaxCount(void) { return MAX_SIGNATURE_SCHEMES; } diff --git a/security/nss/lib/ssl/ssl3ecc.c b/security/nss/lib/ssl/ssl3ecc.c index 9f2f4d6211..b440b4b024 100644 --- a/security/nss/lib/ssl/ssl3ecc.c +++ b/security/nss/lib/ssl/ssl3ecc.c 
@@ -31,13 +31,6 @@ #include <stdio.h> -#ifndef PK11_SETATTRS -#define PK11_SETATTRS(x, id, v, l) \ - (x)->type = (id); \ - (x)->pValue = (v); \ - (x)->ulValueLen = (l); -#endif - SECStatus ssl_NamedGroup2ECParams(PLArenaPool *arena, const sslNamedGroupDef *ecGroup, SECKEYECParams *params) @@ -257,16 +250,6 @@ loser: return SECFailure; } -/* This function returns the size of the key_exchange field in - * the KeyShareEntry structure, i.e.: - * opaque point <1..2^8-1>; */ -unsigned int -tls13_SizeOfECDHEKeyShareKEX(const SECKEYPublicKey *pubKey) -{ - PORT_Assert(pubKey->keyType == ecKey); - return pubKey->u.ec.publicValue.len; -} - /* This function encodes the key_exchange field in * the KeyShareEntry structure. */ SECStatus @@ -284,7 +267,7 @@ tls13_EncodeECDHEKeyShareKEX(const sslSocket *ss, const SECKEYPublicKey *pubKey) ** Called from ssl3_HandleClientKeyExchange() */ SECStatus -ssl3_HandleECDHClientKeyExchange(sslSocket *ss, SSL3Opaque *b, +ssl3_HandleECDHClientKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length, sslKeyPair *serverKeyPair) { @@ -358,7 +341,7 @@ ssl3_HandleECDHClientKeyExchange(sslSocket *ss, SSL3Opaque *b, */ SECStatus ssl_ImportECDHKeyShare(sslSocket *ss, SECKEYPublicKey *peerKey, - SSL3Opaque *b, PRUint32 length, + PRUint8 *b, PRUint32 length, const sslNamedGroupDef *ecGroup) { SECStatus rv; 
@@ -436,23 +419,19 @@ ssl_GetECGroupForServerSocket(sslSocket *ss) return NULL; } - if (cert->certType.authType == ssl_auth_rsa_sign) { + if (SSL_CERT_IS(cert, ssl_auth_rsa_sign) || + SSL_CERT_IS(cert, ssl_auth_rsa_pss)) { certKeySize = SECKEY_PublicKeyStrengthInBits(cert->serverKeyPair->pubKey); - certKeySize = - SSL_RSASTRENGTH_TO_ECSTRENGTH(certKeySize); - } else if (cert->certType.authType == ssl_auth_ecdsa || - cert->certType.authType == ssl_auth_ecdh_rsa || - cert->certType.authType == ssl_auth_ecdh_ecdsa) { - const sslNamedGroupDef *groupDef = cert->certType.namedCurve; - + certKeySize = SSL_RSASTRENGTH_TO_ECSTRENGTH(certKeySize); + } else if (SSL_CERT_IS_EC(cert)) { /* We won't select a certificate unless the named curve has been * negotiated (or supported_curves was absent), double check that. */ - PORT_Assert(groupDef->keaType == ssl_kea_ecdh); - PORT_Assert(ssl_NamedGroupEnabled(ss, groupDef)); - if (!ssl_NamedGroupEnabled(ss, groupDef)) { + PORT_Assert(cert->namedCurve->keaType == ssl_kea_ecdh); + PORT_Assert(ssl_NamedGroupEnabled(ss, cert->namedCurve)); + if (!ssl_NamedGroupEnabled(ss, cert->namedCurve)) { return NULL; } - certKeySize = groupDef->bits; + certKeySize = cert->namedCurve->bits; } else { PORT_Assert(0); return NULL; @@ -519,7 +498,7 @@ ssl_CreateECDHEphemeralKeyPair(const sslSocket *ss, } SECStatus -ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +ssl3_HandleECDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length) { PLArenaPool *arena = NULL; SECKEYPublicKey *peerKey = NULL; diff --git a/security/nss/lib/ssl/ssl3encode.c b/security/nss/lib/ssl/ssl3encode.c new file mode 100644 index 0000000000..960208a0f7 --- /dev/null +++ b/security/nss/lib/ssl/ssl3encode.c 
@@ -0,0 +1,85 @@ +/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ +/* + * This file is PRIVATE to SSL. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "prnetdb.h" +#include "seccomon.h" +#include "secerr.h" +#include "ssl3encode.h" + +SECStatus +ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes) +{ + if (bytes > item->len) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + PORT_Memcpy(item->data, buf, bytes); + item->data += bytes; + item->len -= bytes; + return SECSuccess; +} + +SECStatus +ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize) +{ + SECStatus rv; + PRUint8 b[4]; + + ssl_EncodeUintX(num, lenSize, b); + rv = ssl3_AppendToItem(item, &b[0], lenSize); + return rv; +} + +SECStatus +ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes) +{ + if (bytes > item->len) { + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + + *buf = item->data; + item->data += bytes; + item->len -= bytes; + return SECSuccess; +} + +SECStatus +ssl3_ConsumeNumberFromItem(SECItem *item, PRUint32 *num, PRUint32 bytes) +{ + int i; + + if (bytes > item->len || bytes > sizeof(*num)) { + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + + *num = 0; + for (i = 0; i < bytes; i++) { + *num = (*num << 8) + item->data[i]; + } + + item->data += bytes; + item->len -= bytes; + + return SECSuccess; +} + +/* Helper function to encode an unsigned integer into a buffer. */ +PRUint8 * +ssl_EncodeUintX(PRUint64 value, unsigned int bytes, PRUint8 *to) +{ + PRUint64 encoded; + + PORT_Assert(bytes > 0 && bytes <= sizeof(encoded)); + + encoded = PR_htonll(value); + memcpy(to, ((unsigned char *)(&encoded)) + (sizeof(encoded) - bytes), bytes); + return to + bytes; +} 
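Review bot: ssl3_AppendNumberToItem hands lenSize straight to ssl_EncodeUintX, whose only guard is `PORT_Assert(bytes > 0 && bytes <= sizeof(encoded))`, i.e. up to 8 bytes, while the destination `b` is a 4-byte stack array, so a lenSize of 5..8 (or a negative PRInt32 converted to unsigned) satisfies the assertion and the memcpy overruns `b` in a release build where PORT_Assert is compiled out. Every caller visible in this series passes 1, 2 or 4, so this is a latent gap in a new helper rather than a live bug, but the function is the single encoder for all ticket fields and should enforce its own range. ssl3_ConsumeNumberFromItem has a smaller issue of the same kind: `int i` is compared against `PRUint32 bytes`, which -Wsign-compare reports; declaring `PRUint32 i;` fixes it. A bounded version of ssl3_AppendNumberToItem is below.
```c
SECStatus
ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize)
{
    PRUint8 b[4];

    /* ssl_EncodeUintX only asserts bytes <= sizeof(PRUint64); b is smaller,
     * and the assertion is absent from release builds. */
    if (lenSize < 1 || lenSize > (PRInt32)sizeof(b)) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }
    ssl_EncodeUintX(num, (unsigned int)lenSize, b);
    return ssl3_AppendToItem(item, b, (PRUint32)lenSize);
}
```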
diff --git a/security/nss/lib/ssl/ssl3encode.h b/security/nss/lib/ssl/ssl3encode.h new file mode 100644 index 0000000000..3b88f7e7b3 --- /dev/null +++ b/security/nss/lib/ssl/ssl3encode.h @@ -0,0 +1,26 @@ +/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ +/* + * This file is PRIVATE to SSL. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef __ssl3encode_h_ +#define __ssl3encode_h_ + +#include "seccomon.h" + +/* All of these functions modify the underlying SECItem, and so should + * be performed on a shallow copy.*/ +SECStatus ssl3_AppendToItem(SECItem *item, + const unsigned char *buf, PRUint32 bytes); +SECStatus ssl3_AppendNumberToItem(SECItem *item, + PRUint32 num, PRInt32 lenSize); +SECStatus ssl3_ConsumeFromItem(SECItem *item, + unsigned char **buf, PRUint32 bytes); +SECStatus ssl3_ConsumeNumberFromItem(SECItem *item, + PRUint32 *num, PRUint32 bytes); +PRUint8 *ssl_EncodeUintX(PRUint64 value, unsigned int bytes, PRUint8 *to); + +#endif diff --git a/security/nss/lib/ssl/ssl3ext.c b/security/nss/lib/ssl/ssl3ext.c index 0da41be12d..271084cf73 100644 --- a/security/nss/lib/ssl/ssl3ext.c +++ b/security/nss/lib/ssl/ssl3ext.c @@ -87,6 +87,10 @@ static const ssl3ExtensionHandler serverCertificateHandlers[] = { { -1, NULL } }; +static const ssl3ExtensionHandler certificateRequestHandlers[] = { + { -1, NULL } +}; + /* Tables of functions to format TLS hello extensions, one function per * extension. * These static tables are for the formatting of client hello extensions. 
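Review bot: The header says the helpers mutate the SECItem but not the size preconditions or the error codes a caller has to know about: ssl_EncodeUintX accepts 1..8 bytes (asserted, not checked, in ssl3encode.c), ssl3_AppendNumberToItem's stack buffer limits lenSize to 4, ssl3_ConsumeNumberFromItem rejects bytes larger than sizeof(PRUint32), and the Append functions set SEC_ERROR_INVALID_ARGS on a short item while the Consume functions set SEC_ERROR_BAD_DATA. That last split is deliberate and worth stating, since it separates "caller sized the output buffer wrong" from "peer sent malformed input". A comment on the prototypes such as `/* Append*: output buffer too small is a caller bug (SEC_ERROR_INVALID_ARGS). Consume*: short input is untrusted data (SEC_ERROR_BAD_DATA). bytes/lenSize are 1..4; ssl_EncodeUintX alone allows 1..8. */` would make that explicit.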
@@ -122,6 +126,7 @@ static const ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] { ssl_tls13_cookie_xtn, &tls13_ClientSendHrrCookieXtn }, { ssl_tls13_psk_key_exchange_modes_xtn, &tls13_ClientSendPskKeyExchangeModesXtn }, + { ssl_padding_xtn, &ssl3_ClientSendPaddingExtension }, /* The pre_shared_key extension MUST be last. */ { ssl_tls13_pre_shared_key_xtn, &tls13_ClientSendPreSharedKeyXtn }, /* any extra entries will appear as { 0, NULL } */ @@ -167,22 +172,22 @@ ssl3_ClientExtensionAdvertised(const sslSocket *ss, PRUint16 ex_type) * buffer so they can only be used during ClientHello processing. */ SECStatus -ssl3_ParseExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length) +ssl3_ParseExtensions(sslSocket *ss, PRUint8 **b, PRUint32 *length) { /* Clean out the extensions list. */ ssl3_DestroyRemoteExtensions(&ss->ssl3.hs.remoteExtensions); while (*length) { SECStatus rv; - PRInt32 extension_type; + PRUint32 extension_type; SECItem extension_data = { siBuffer, NULL, 0 }; TLSExtension *extension; PRCList *cursor; /* Get the extension's type field */ - extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length); - if (extension_type < 0) { /* failure to decode extension_type */ - return SECFailure; /* alert already sent */ + rv = ssl3_ConsumeHandshakeNumber(ss, &extension_type, 2, b, length); + if (rv != SECSuccess) { + return SECFailure; /* alert already sent */ } SSL_TRC(10, ("%d: SSL3[%d]: parsing extension %d", @@ -249,7 +254,10 @@ ssl3_HandleParsedExtensions(sslSocket *ss, SSL3HandshakeType handshakeMessage) { const ssl3ExtensionHandler *handlers; - PRBool isTLS13 = ss->version >= SSL_LIBRARY_VERSION_TLS_1_3; + /* HelloRetryRequest doesn't set ss->version. It might be safe to + * do so, but we weren't entirely sure. TODO(ekr@rtfm.com). */ + PRBool isTLS13 = (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) || + (handshakeMessage == hello_retry_request); PRCList *cursor; switch (handshakeMessage) { 
@@ -277,6 +285,10 @@ ssl3_HandleParsedExtensions(sslSocket *ss, PORT_Assert(!ss->sec.isServer); handlers = serverCertificateHandlers; break; + case certificate_request: + PORT_Assert(!ss->sec.isServer); + handlers = certificateRequestHandlers; + break; default: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); PORT_Assert(0); @@ -348,7 +360,7 @@ ssl3_HandleParsedExtensions(sslSocket *ss, * ssl3_HandleParsedExtensions. */ SECStatus ssl3_HandleExtensions(sslSocket *ss, - SSL3Opaque **b, PRUint32 *length, + PRUint8 **b, PRUint32 *length, SSL3HandshakeType handshakeMessage) { SECStatus rv; @@ -488,7 +500,7 @@ ssl3_ExtAppendHandshakeNumber(const sslSocket *ss, PRInt32 num, SECStatus ssl3_ExtAppendHandshakeVariable(const sslSocket *ss, - const SSL3Opaque *src, PRInt32 bytes, + const PRUint8 *src, PRInt32 bytes, PRInt32 lenSize) { return ssl3_AppendHandshakeVariable((sslSocket *)ss, src, bytes, lenSize); @@ -508,22 +520,22 @@ ssl3_ExtDecodeError(const sslSocket *ss) } SECStatus -ssl3_ExtConsumeHandshake(const sslSocket *ss, void *v, PRInt32 bytes, - SSL3Opaque **b, PRUint32 *length) +ssl3_ExtConsumeHandshake(const sslSocket *ss, void *v, PRUint32 bytes, + PRUint8 **b, PRUint32 *length) { return ssl3_ConsumeHandshake((sslSocket *)ss, v, bytes, b, length); } -PRInt32 -ssl3_ExtConsumeHandshakeNumber(const sslSocket *ss, PRInt32 bytes, - SSL3Opaque **b, PRUint32 *length) +SECStatus +ssl3_ExtConsumeHandshakeNumber(const sslSocket *ss, PRUint32 *num, + PRUint32 bytes, PRUint8 **b, PRUint32 *length) { - return ssl3_ConsumeHandshakeNumber((sslSocket *)ss, bytes, b, length); + return ssl3_ConsumeHandshakeNumber((sslSocket *)ss, num, bytes, b, length); } SECStatus ssl3_ExtConsumeHandshakeVariable(const sslSocket *ss, SECItem *i, - PRInt32 bytes, SSL3Opaque **b, + PRUint32 bytes, PRUint8 **b, PRUint32 *length) { return ssl3_ConsumeHandshakeVariable((sslSocket *)ss, i, bytes, b, length); 
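Review bot: The Consume thunks in the @@ -508 hunk now take `PRUint32 bytes`, but ssl3_ExtAppendHandshakeVariable in the @@ -488 hunk keeps `PRInt32 bytes, PRInt32 lenSize`, so the two halves of the thunk API disagree on the type of the same quantity and callers that feed a consumed length back into an append get sign-conversion warnings. If the underlying ssl3_AppendHandshakeVariable still takes PRInt32 this is only cosmetic, but changing the thunk to `const PRUint8 *src, PRUint32 bytes, PRUint32 lenSize` would match the Consume side. The corresponding prototypes in the ssl3ext.h hunks that follow would need the same change.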
diff --git a/security/nss/lib/ssl/ssl3ext.h b/security/nss/lib/ssl/ssl3ext.h index f93ad65bdf..90407375ad 100644 --- a/security/nss/lib/ssl/ssl3ext.h +++ b/security/nss/lib/ssl/ssl3ext.h @@ -54,6 +54,9 @@ struct TLSExtensionDataStr { PRUint16 advertised[SSL_MAX_EXTENSIONS]; PRUint16 negotiated[SSL_MAX_EXTENSIONS]; + /* Amount of padding we need to add. */ + PRUint16 paddingLen; + /* SessionTicket Extension related data. */ PRBool ticketTimestampVerified; PRBool emptySessionTicket; @@ -108,10 +111,10 @@ typedef struct TLSExtensionStr { } TLSExtension; SECStatus ssl3_HandleExtensions(sslSocket *ss, - SSL3Opaque **b, PRUint32 *length, + PRUint8 **b, PRUint32 *length, SSL3HandshakeType handshakeMessage); SECStatus ssl3_ParseExtensions(sslSocket *ss, - SSL3Opaque **b, PRUint32 *length); + PRUint8 **b, PRUint32 *length); SECStatus ssl3_HandleParsedExtensions(sslSocket *ss, SSL3HandshakeType handshakeMessage); TLSExtension *ssl3_FindExtension(sslSocket *ss, @@ -130,9 +133,8 @@ SECStatus ssl3_RegisterExtensionSender(const sslSocket *ss, PRInt32 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes, const ssl3HelloExtensionSender *sender); -unsigned int ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength); -PRInt32 ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen, - PRUint32 maxBytes); +void ssl3_CalculatePaddingExtLen(sslSocket *ss, + unsigned int clientHelloLength); /* Thunks to let us operate on const sslSocket* objects. */ SECStatus ssl3_ExtAppendHandshake(const sslSocket *ss, const void *void_src, 
@@ -140,17 +142,18 @@ SECStatus ssl3_ExtAppendHandshake(const sslSocket *ss, const void *void_src, SECStatus ssl3_ExtAppendHandshakeNumber(const sslSocket *ss, PRInt32 num, PRInt32 lenSize); SECStatus ssl3_ExtAppendHandshakeVariable(const sslSocket *ss, - const SSL3Opaque *src, PRInt32 bytes, + const PRUint8 *src, PRInt32 bytes, PRInt32 lenSize); void ssl3_ExtSendAlert(const sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc); void ssl3_ExtDecodeError(const sslSocket *ss); -SECStatus ssl3_ExtConsumeHandshake(const sslSocket *ss, void *v, PRInt32 bytes, - SSL3Opaque **b, PRUint32 *length); -PRInt32 ssl3_ExtConsumeHandshakeNumber(const sslSocket *ss, PRInt32 bytes, - SSL3Opaque **b, PRUint32 *length); +SECStatus ssl3_ExtConsumeHandshake(const sslSocket *ss, void *v, PRUint32 bytes, + PRUint8 **b, PRUint32 *length); +SECStatus ssl3_ExtConsumeHandshakeNumber(const sslSocket *ss, PRUint32 *num, + PRUint32 bytes, PRUint8 **b, + PRUint32 *length); SECStatus ssl3_ExtConsumeHandshakeVariable(const sslSocket *ss, SECItem *i, - PRInt32 bytes, SSL3Opaque **b, + PRUint32 bytes, PRUint8 **b, PRUint32 *length); #endif diff --git a/security/nss/lib/ssl/ssl3exthandle.c b/security/nss/lib/ssl/ssl3exthandle.c index 2a80e2690c..370bd8b3e4 100644 --- a/security/nss/lib/ssl/ssl3exthandle.c +++ b/security/nss/lib/ssl/ssl3exthandle.c 
@@ -12,147 +12,12 @@ #include "pk11pub.h" #include "blapit.h" #include "prinit.h" +#include "selfencrypt.h" +#include "ssl3encode.h" #include "ssl3ext.h" #include "ssl3exthandle.h" #include "tls13exthandle.h" /* For tls13_ServerSendStatusRequestXtn. */ -static unsigned char key_name[SESS_TICKET_KEY_NAME_LEN]; -static PK11SymKey *session_ticket_enc_key = NULL; -static PK11SymKey *session_ticket_mac_key = NULL; - -static PRCallOnceType generate_session_keys_once; - -static SECStatus ssl3_ParseEncryptedSessionTicket(sslSocket *ss, - SECItem *data, EncryptedSessionTicket *enc_session_ticket); -static SECStatus ssl3_AppendToItem(SECItem *item, const unsigned char *buf, - PRUint32 bytes); -static SECStatus ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes); -static SECStatus ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, - PRInt32 lenSize); -static SECStatus ssl3_GetSessionTicketKeys(sslSocket *ss, - PK11SymKey **aes_key, PK11SymKey **mac_key); -static SECStatus ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes); - -/* - * Write bytes. Using this function means the SECItem structure - * cannot be freed. The caller is expected to call this function - * on a shallow copy of the structure. - */ -static SECStatus -ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes) -{ - if (bytes > item->len) - return SECFailure; - - PORT_Memcpy(item->data, buf, bytes); - item->data += bytes; - item->len -= bytes; - return SECSuccess; -} - -/* - * Write a number in network byte order. Using this function means the - * SECItem structure cannot be freed. The caller is expected to call - * this function on a shallow copy of the structure. 
- */ -static SECStatus -ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize) -{ - SECStatus rv; - PRUint8 b[4]; - PRUint8 *p = b; - - switch (lenSize) { - case 4: - *p++ = (PRUint8)(num >> 24); - case 3: - *p++ = (PRUint8)(num >> 16); - case 2: - *p++ = (PRUint8)(num >> 8); - case 1: - *p = (PRUint8)num; - } - rv = ssl3_AppendToItem(item, &b[0], lenSize); - return rv; -} - -SECStatus -ssl3_SessionTicketShutdown(void *appData, void *nssData) -{ - if (session_ticket_enc_key) { - PK11_FreeSymKey(session_ticket_enc_key); - session_ticket_enc_key = NULL; - } - if (session_ticket_mac_key) { - PK11_FreeSymKey(session_ticket_mac_key); - session_ticket_mac_key = NULL; - } - PORT_Memset(&generate_session_keys_once, 0, - sizeof(generate_session_keys_once)); - return SECSuccess; -} - -static PRStatus -ssl3_GenerateSessionTicketKeys(void *data) -{ - SECStatus rv; - sslSocket *ss = (sslSocket *)data; - sslServerCertType certType = { ssl_auth_rsa_decrypt, NULL }; - const sslServerCert *sc; - SECKEYPrivateKey *svrPrivKey; - SECKEYPublicKey *svrPubKey; - - sc = ssl_FindServerCert(ss, &certType); - if (!sc || !sc->serverKeyPair) { - SSL_DBG(("%d: SSL[%d]: No ssl_auth_rsa_decrypt cert and key pair", - SSL_GETPID(), ss->fd)); - goto loser; - } - svrPrivKey = sc->serverKeyPair->privKey; - svrPubKey = sc->serverKeyPair->pubKey; - if (svrPrivKey == NULL || svrPubKey == NULL) { - SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", - SSL_GETPID(), ss->fd)); - goto loser; - } - - /* Get a copy of the session keys from shared memory. 
*/ - PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX, - sizeof(SESS_TICKET_KEY_NAME_PREFIX)); - if (!ssl_GetSessionTicketKeys(svrPrivKey, svrPubKey, ss->pkcs11PinArg, - &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN], - &session_ticket_enc_key, &session_ticket_mac_key)) - return PR_FAILURE; - - rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL); - if (rv != SECSuccess) - goto loser; - - return PR_SUCCESS; - -loser: - ssl3_SessionTicketShutdown(NULL, NULL); - return PR_FAILURE; -} - -static SECStatus -ssl3_GetSessionTicketKeys(sslSocket *ss, PK11SymKey **aes_key, - PK11SymKey **mac_key) -{ - if (PR_CallOnceWithArg(&generate_session_keys_once, - ssl3_GenerateSessionTicketKeys, ss) != - PR_SUCCESS) - return SECFailure; - - if (session_ticket_enc_key == NULL || - session_ticket_mac_key == NULL) - return SECFailure; - - *aes_key = session_ticket_enc_key; - *mac_key = session_ticket_mac_key; - return SECSuccess; -} - /* Format an SNI extension, using the name from the socket's URL, * unless that name is a dotted decimal string. * Used by client and server. @@ -223,7 +88,8 @@ SECStatus ssl3_HandleServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data) { SECItem *names = NULL; - PRInt32 listLenBytes = 0; + PRUint32 listLenBytes = 0; + SECStatus rv; if (!ss->sec.isServer) { return SECSuccess; /* ignore extension */ @@ -236,8 +102,8 @@ ssl3_HandleServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint1 } /* length of server_name_list */ - listLenBytes = ssl3_ExtConsumeHandshakeNumber(ss, 2, &data->data, &data->len); - if (listLenBytes < 0) { + rv = ssl3_ExtConsumeHandshakeNumber(ss, &listLenBytes, 2, &data->data, &data->len); + if (rv != SECSuccess) { goto loser; /* alert already sent */ } if (listLenBytes == 0 || listLenBytes != data->len) { 
@@ -247,12 +113,11 @@ ssl3_HandleServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint1 /* Read ServerNameList. */ while (data->len > 0) { SECItem tmp; - SECStatus rv; - PRInt32 type; + PRUint32 type; /* Read Name Type. */ - type = ssl3_ExtConsumeHandshakeNumber(ss, 1, &data->data, &data->len); - if (type < 0) { /* i.e., SECFailure cast to PRint32 */ + rv = ssl3_ExtConsumeHandshakeNumber(ss, &type, 1, &data->data, &data->len); + if (rv != SECSuccess) { /* alert sent in ConsumeHandshakeNumber */ goto loser; } @@ -372,11 +237,7 @@ ssl3_SendSessionTicketXtn( if (session_ticket->ticket.data) { if (xtnData->ticketTimestampVerified) { extension_length += session_ticket->ticket.len; - } else if (!append && - (session_ticket->ticket_lifetime_hint == 0 || - (session_ticket->ticket_lifetime_hint + - session_ticket->received_timestamp > - ssl_Time()))) { + } else if (!append && ssl_TicketTimeValid(session_ticket)) { extension_length += session_ticket->ticket.len; xtnData->ticketTimestampVerified = PR_TRUE; } 
@@ -417,30 +278,25 @@ loser: return -1; } -static SECStatus -ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data, - EncryptedSessionTicket *enc_session_ticket) +PRBool +ssl_AlpnTagAllowed(const sslSocket *ss, const SECItem *tag) { - if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name, - SESS_TICKET_KEY_NAME_LEN) != - SECSuccess) - return SECFailure; - if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv, - AES_BLOCK_SIZE) != - SECSuccess) - return SECFailure; - if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state, - 2, &data->data, &data->len) != - SECSuccess) - return SECFailure; - if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac, - TLS_EX_SESS_TICKET_MAC_LENGTH) != - SECSuccess) - return SECFailure; - if (data->len != 0) /* Make sure that we have consumed all bytes. */ - return SECFailure; + const unsigned char *data = ss->opt.nextProtoNego.data; + unsigned int length = ss->opt.nextProtoNego.len; + unsigned int offset = 0; - return SECSuccess; + if (!tag->len) + return PR_TRUE; + + while (offset < length) { + unsigned int taglen = (unsigned int)data[offset]; + if ((taglen == tag->len) && + !PORT_Memcmp(data + offset + 1, tag->data, tag->len)) + return PR_TRUE; + offset += 1 + taglen; + } + + return PR_FALSE; } /* handle an incoming Next Protocol Negotiation extension. */ @@ -542,7 +398,7 @@ ssl3_SelectAppProtocol(const sslSocket *ss, TLSExtensionData *xtnData, SECStatus ssl3_ServerHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data) { - int count; + PRUint32 count; SECStatus rv; /* We expressly don't want to allow ALPN on renegotiation, 
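Review bot: ssl_AlpnTagAllowed trusts the length bytes inside ss->opt.nextProtoNego: `taglen` is read from `data[offset]` and `PORT_Memcmp(data + offset + 1, tag->data, tag->len)` runs without checking that `offset + 1 + taglen <= length`, so a list whose final length byte overstates the remaining bytes would be read past its end. The list is application-supplied via SSL_SetNextProtoNego and is presumably validated there, which makes this defence in depth only, but a one-line guard before the compare, `if (offset + 1 + taglen > length) { return PR_FALSE; }`, makes the helper safe on its own. The function also lacks a header comment; `/* Returns PR_TRUE if tag is empty or is one of the protocols the application configured in ss->opt.nextProtoNego. */` would do. The unbraced `if`/`return` pairs are at odds with the braced style the other new code in this file uses.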
@@ -556,8 +412,8 @@ ssl3_ServerHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRU /* Unlike NPN, ALPN has extra redundant length information so that * the extension is the same in both ClientHello and ServerHello. */ - count = ssl3_ExtConsumeHandshakeNumber(ss, 2, &data->data, &data->len); - if (count != data->len) { + rv = ssl3_ExtConsumeHandshakeNumber(ss, &count, 2, &data->data, &data->len); + if (rv != SECSuccess || count != data->len) { ssl3_ExtDecodeError(ss); return SECFailure; } @@ -621,7 +477,7 @@ SECStatus ssl3_ClientHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data) { SECStatus rv; - PRInt32 list_len; + PRUint32 list_len; SECItem protocol_name; if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) { @@ -639,9 +495,10 @@ ssl3_ClientHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRU return SECFailure; } - list_len = ssl3_ExtConsumeHandshakeNumber(ss, 2, &data->data, &data->len); + rv = ssl3_ExtConsumeHandshakeNumber(ss, &list_len, 2, &data->data, + &data->len); /* The list has to be the entire extension. */ - if (list_len != data->len) { + if (rv != SECSuccess || list_len != data->len) { ssl3_ExtSendAlert(ss, alert_fatal, decode_error); PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); return SECFailure; @@ -656,6 +513,12 @@ ssl3_ClientHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRU return SECFailure; } + if (!ssl_AlpnTagAllowed(ss, &protocol_name)) { + ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); + PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); + return SECFailure; + } + SECITEM_FreeItem(&xtnData->nextProto, PR_FALSE); xtnData->nextProtoState = SSL_NEXT_PROTO_SELECTED; xtnData->negotiated[xtnData->numNegotiated++] = ex_type; 
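Review bot: In both `if (rv != SECSuccess || count != data->len)` (ssl3_ServerHandleAppProtoXtn) and `if (rv != SECSuccess || list_len != data->len)` (ssl3_ClientHandleAppProtoXtn) the failure branch sends a second alert, via ssl3_ExtDecodeError or ssl3_ExtSendAlert, and replaces the error code, because ssl3_ExtConsumeHandshakeNumber already sends its own alert on failure, as the `/* alert already sent */` comments in the other hunks of this series state. The old code did the same when the negative sentinel fell through the length comparison, so this is not a regression, but now that the call reports failure separately the two cases can be split with `if (rv != SECSuccess) { return SECFailure; /* alert already sent */ }` ahead of the length comparison in each handler. The new ssl_AlpnTagAllowed check in the client handler is the right place to reject a server-selected protocol the client never offered; a comment such as `/* ALPN (RFC 7301): the server may only select a protocol we offered. */` would explain why illegal_parameter is the alert.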
@@ -938,6 +801,9 @@ ssl3_ClientHandleStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData return SECSuccess; } +PRUint32 ssl_ticket_lifetime = 2 * 24 * 60 * 60; /* 2 days in seconds */ +#define TLS_EX_SESS_TICKET_VERSION (0x0105) + /* * Called from ssl3_SendNewSessionTicket, tls13_SendNewSessionTicket */ @@ -946,40 +812,21 @@ ssl3_EncodeSessionTicket(sslSocket *ss, const NewSessionTicket *ticket, SECItem *ticket_data) { - PRUint32 i; SECStatus rv; SECItem plaintext; SECItem plaintext_item = { 0, NULL, 0 }; - SECItem ciphertext = { 0, NULL, 0 }; - PRUint32 ciphertext_length; + PRUint32 plaintext_length; SECItem ticket_buf = { 0, NULL, 0 }; - SECItem ticket_tmp = { 0, NULL, 0 }; - SECItem macParam = { 0, NULL, 0 }; PRBool ms_is_wrapped; unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH]; SECItem ms_item = { 0, NULL, 0 }; - PRUint32 padding_length; - PRUint32 ticket_length; PRUint32 cert_length = 0; - PRUint8 length_buf[4]; PRUint32 now; - PK11SymKey *aes_key = NULL; - PK11SymKey *mac_key = NULL; - CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; - PK11Context *aes_ctx; - CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; - PK11Context *hmac_ctx = NULL; - unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; - unsigned int computed_mac_length; - unsigned char iv[AES_BLOCK_SIZE]; - SECItem ivItem; SECItem *srvName = NULL; - PRUint32 srvNameLen = 0; CK_MECHANISM_TYPE msWrapMech = 0; /* dummy default value, * must be >= 0 */ ssl3CipherSpec *spec; - const sslServerCertType *certType; - SECItem alpnSelection = { siBuffer, NULL, 0 }; + SECItem *alpnSelection = NULL; SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake", SSL_GETPID(), ss->fd)); 
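Review bot: `#define TLS_EX_SESS_TICKET_VERSION (0x0105)` is placed next to the encoder without saying why it was bumped, and the reason is the layout changes in the hunks that follow (two-byte client certificate length, server name always carried as length plus value, the maxEarlyData field appended), which is exactly what the next person editing the layout needs to know; a comment such as `/* Bump whenever the plaintext layout written by ssl3_EncodeSessionTicket changes; a ticket with another version is silently not resumed. */` would capture it. `PRUint32 ssl_ticket_lifetime` is a mutable, non-static global; if it exists so tests can shorten the lifetime, the definition should say so and note that it must not be changed once sockets are handing out tickets.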
@@ -988,20 +835,9 @@ ssl3_EncodeSessionTicket(sslSocket *ss, PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) { - cert_length = 3 + ss->sec.ci.sid->peerCert->derCert.len; + cert_length = 2 + ss->sec.ci.sid->peerCert->derCert.len; } - /* Get IV and encryption keys */ - ivItem.data = iv; - ivItem.len = sizeof(iv); - rv = PK11_GenerateRandom(iv, sizeof(iv)); - if (rv != SECSuccess) - goto loser; - - rv = ssl3_GetSessionTicketKeys(ss, &aes_key, &mac_key); - if (rv != SECSuccess) - goto loser; - if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) { spec = ss->ssl3.cwSpec; } else { @@ -1017,8 +853,7 @@ ssl3_EncodeSessionTicket(sslSocket *ss, sslSessionID sid; PORT_Memset(&sid, 0, sizeof(sslSessionID)); - rv = ssl3_CacheWrappedMasterSecret(ss, &sid, spec, - ss->ssl3.hs.kea_def->authKeyType); + rv = ssl3_CacheWrappedMasterSecret(ss, &sid, spec); if (rv == SECSuccess) { if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms)) goto loser; @@ -1035,17 +870,14 @@ ssl3_EncodeSessionTicket(sslSocket *ss, } /* Prep to send negotiated name */ srvName = &ss->sec.ci.sid->u.ssl3.srvName; - if (srvName->data && srvName->len) { - srvNameLen = 2 + srvName->len; /* len bytes + name len */ - } - if (ss->xtnData.nextProtoState != SSL_NEXT_PROTO_NO_SUPPORT && - ss->xtnData.nextProto.data) { - alpnSelection = ss->xtnData.nextProto; - } + PORT_Assert(ss->xtnData.nextProtoState == SSL_NEXT_PROTO_SELECTED || + ss->xtnData.nextProtoState == SSL_NEXT_PROTO_NEGOTIATED || + ss->xtnData.nextProto.len == 0); + alpnSelection = &ss->xtnData.nextProto; - ciphertext_length = - sizeof(PRUint16) /* ticket_version */ + plaintext_length = + sizeof(PRUint16) /* ticket version */ + sizeof(SSL3ProtocolVersion) /* ssl_version */ + sizeof(ssl3CipherSuite) /* ciphersuite */ + 1 /* compression */ 
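Review bot: `cert_length = 2 + ss->sec.ci.sid->peerCert->derCert.len` and the matching two-byte write in the @@ -1145 hunk (`ss->sec.ci.sid->peerCert->derCert.len, 2`) truncate the length of a client certificate longer than 65535 bytes, where the previous format used three bytes: ssl3_AppendNumberToItem emits only the low 16 bits and the full certificate is still appended afterwards, so the ticket is correctly sized but carries an inconsistent length prefix, and a decrypted ticket with such a prefix would be mis-parsed rather than rejected (the parser lies past the end of this chunk, so I cannot confirm how it reacts). TLS carries certificates with a 24-bit length, so either keep the three-byte field or refuse to include an oversized certificate, e.g. `if (derCert.len > 0xffff) { PORT_SetError(SEC_ERROR_INVALID_ARGS); goto loser; }` where cert_length is computed. The same silent truncation applies to `PORT_Assert(cert->namedCurve->name < 256)` before the one-byte write in the @@ -1111 hunk, though that value is under the library's control.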
@@ -1057,23 +889,19 @@ ssl3_EncodeSessionTicket(sslSocket *ss, + ms_item.len /* master_secret */ + 1 /* client_auth_type */ + cert_length /* cert */ - + 1 /* server name type */ - + srvNameLen /* name len + length field */ + + 2 + srvName->len /* name len + length field */ + 1 /* extendedMasterSecretUsed */ + sizeof(ticket->ticket_lifetime_hint) /* ticket lifetime hint */ + sizeof(ticket->flags) /* ticket flags */ - + 1 + alpnSelection.len; /* npn value + length field. */ - padding_length = AES_BLOCK_SIZE - - (ciphertext_length % - AES_BLOCK_SIZE); - ciphertext_length += padding_length; + + 1 + alpnSelection->len /* alpn value + length field */ + + 4; /* maxEarlyData */ - if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL) + if (SECITEM_AllocItem(NULL, &plaintext_item, plaintext_length) == NULL) goto loser; plaintext = plaintext_item; - /* ticket_version */ + /* ticket version */ rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION, sizeof(PRUint16)); if (rv != SECSuccess) 
@@ -1111,22 +939,15 @@ ssl3_EncodeSessionTicket(sslSocket *ss, goto loser; /* certificate type */ - certType = &ss->sec.serverCert->certType; - PORT_Assert(certType->authType == ss->sec.authType); - switch (ss->sec.authType) { - case ssl_auth_ecdsa: - case ssl_auth_ecdh_rsa: - case ssl_auth_ecdh_ecdsa: - PORT_Assert(certType->namedCurve); - PORT_Assert(certType->namedCurve->keaType == ssl_kea_ecdh); - /* EC curves only use the second of the two bytes. */ - PORT_Assert(certType->namedCurve->name < 256); - rv = ssl3_AppendNumberToItem(&plaintext, - certType->namedCurve->name, 1); - break; - default: - rv = ssl3_AppendNumberToItem(&plaintext, 0, 1); - break; + PORT_Assert(SSL_CERT_IS(ss->sec.serverCert, ss->sec.authType)); + if (SSL_CERT_IS_EC(ss->sec.serverCert)) { + const sslServerCert *cert = ss->sec.serverCert; + PORT_Assert(cert->namedCurve); + /* EC curves only use the second of the two bytes. */ + PORT_Assert(cert->namedCurve->name < 256); + rv = ssl3_AppendNumberToItem(&plaintext, cert->namedCurve->name, 1); + } else { + rv = ssl3_AppendNumberToItem(&plaintext, 0, 1); } if (rv != SECSuccess) goto loser; @@ -1145,13 +966,13 @@ ssl3_EncodeSessionTicket(sslSocket *ss, if (rv != SECSuccess) goto loser; - /* client_identity */ + /* client identity */ if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) { rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1); if (rv != SECSuccess) goto loser; rv = ssl3_AppendNumberToItem(&plaintext, - ss->sec.ci.sid->peerCert->derCert.len, 3); + ss->sec.ci.sid->peerCert->derCert.len, 2); if (rv != SECSuccess) goto loser; rv = ssl3_AppendToItem(&plaintext, 
@@ -1172,23 +993,14 @@ ssl3_EncodeSessionTicket(sslSocket *ss, if (rv != SECSuccess) goto loser; - if (srvNameLen) { - /* Name Type (sni_host_name) */ - rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1); - if (rv != SECSuccess) - goto loser; - /* HostName (length and value) */ - rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2); - if (rv != SECSuccess) - goto loser; + /* HostName (length and value) */ + rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2); + if (rv != SECSuccess) + goto loser; + if (srvName->len) { rv = ssl3_AppendToItem(&plaintext, srvName->data, srvName->len); if (rv != SECSuccess) goto loser; - } else { - /* No Name */ - rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME, 1); - if (rv != SECSuccess) - goto loser; } /* extendedMasterSecretUsed */ 
@@ -1203,123 +1015,52 @@ ssl3_EncodeSessionTicket(sslSocket *ss, if (rv != SECSuccess) goto loser; - /* NPN value. */ - PORT_Assert(alpnSelection.len < 256); - rv = ssl3_AppendNumberToItem(&plaintext, alpnSelection.len, 1); + /* ALPN value. */ + PORT_Assert(alpnSelection->len < 256); + rv = ssl3_AppendNumberToItem(&plaintext, alpnSelection->len, 1); if (rv != SECSuccess) goto loser; - if (alpnSelection.len) { - rv = ssl3_AppendToItem(&plaintext, alpnSelection.data, alpnSelection.len); + if (alpnSelection->len) { + rv = ssl3_AppendToItem(&plaintext, alpnSelection->data, + alpnSelection->len); if (rv != SECSuccess) goto loser; } - PORT_Assert(plaintext.len == padding_length); - for (i = 0; i < padding_length; i++) - plaintext.data[i] = (unsigned char)padding_length; - - if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) { - rv = SECFailure; - goto loser; - } - - /* Generate encrypted portion of ticket. */ - PORT_Assert(aes_key); - aes_ctx = PK11_CreateContextBySymKey(cipherMech, CKA_ENCRYPT, aes_key, &ivItem); - if (!aes_ctx) - goto loser; - - rv = PK11_CipherOp(aes_ctx, ciphertext.data, - (int *)&ciphertext.len, ciphertext.len, - plaintext_item.data, plaintext_item.len); - PK11_Finalize(aes_ctx); - PK11_DestroyContext(aes_ctx, PR_TRUE); - if (rv != SECSuccess) - goto loser; - - /* Convert ciphertext length to network order. */ - length_buf[0] = (ciphertext.len >> 8) & 0xff; - length_buf[1] = (ciphertext.len) & 0xff; - - /* Compute MAC. 
*/ - PORT_Assert(mac_key); - hmac_ctx = PK11_CreateContextBySymKey(macMech, CKA_SIGN, mac_key, &macParam); - if (!hmac_ctx) - goto loser; - - rv = PK11_DigestBegin(hmac_ctx); - if (rv != SECSuccess) - goto loser; - rv = PK11_DigestOp(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN); - if (rv != SECSuccess) - goto loser; - rv = PK11_DigestOp(hmac_ctx, iv, sizeof(iv)); - if (rv != SECSuccess) - goto loser; - rv = PK11_DigestOp(hmac_ctx, (unsigned char *)length_buf, 2); - if (rv != SECSuccess) - goto loser; - rv = PK11_DigestOp(hmac_ctx, ciphertext.data, ciphertext.len); - if (rv != SECSuccess) - goto loser; - rv = PK11_DigestFinal(hmac_ctx, computed_mac, - &computed_mac_length, sizeof(computed_mac)); + rv = ssl3_AppendNumberToItem(&plaintext, ssl_max_early_data_size, 4); if (rv != SECSuccess) goto loser; - ticket_length = - +SESS_TICKET_KEY_NAME_LEN /* key_name */ - + AES_BLOCK_SIZE /* iv */ - + 2 /* length field for NewSessionTicket.ticket.encrypted_state */ - + ciphertext_length /* encrypted_state */ - + TLS_EX_SESS_TICKET_MAC_LENGTH; /* mac */ + /* Check that we are totally full. */ + PORT_Assert(plaintext.len == 0); - if (SECITEM_AllocItem(NULL, &ticket_buf, ticket_length) == NULL) { - rv = SECFailure; + /* 128 just gives us enough room for overhead. */ + if (SECITEM_AllocItem(NULL, &ticket_buf, plaintext_length + 128) == NULL) { goto loser; } - ticket_tmp = ticket_buf; /* Shallow copy because AppendToItem is - * destructive. 
*/ - rv = ssl3_AppendToItem(&ticket_tmp, key_name, SESS_TICKET_KEY_NAME_LEN); - if (rv != SECSuccess) - goto loser; - - rv = ssl3_AppendToItem(&ticket_tmp, iv, sizeof(iv)); - if (rv != SECSuccess) - goto loser; - - rv = ssl3_AppendNumberToItem(&ticket_tmp, ciphertext.len, 2); - if (rv != SECSuccess) - goto loser; - - rv = ssl3_AppendToItem(&ticket_tmp, ciphertext.data, ciphertext.len); - if (rv != SECSuccess) - goto loser; - - rv = ssl3_AppendToItem(&ticket_tmp, computed_mac, computed_mac_length); - if (rv != SECSuccess) + /* Finally, encrypt the ticket. */ + rv = ssl_SelfEncryptProtect(ss, plaintext_item.data, plaintext_item.len, + ticket_buf.data, &ticket_buf.len, ticket_buf.len); + if (rv != SECSuccess) { goto loser; + } /* Give ownership of memory to caller. */ *ticket_data = ticket_buf; - ticket_buf.data = NULL; + + SECITEM_FreeItem(&plaintext_item, PR_FALSE); + return SECSuccess; loser: - if (hmac_ctx) { - PK11_DestroyContext(hmac_ctx, PR_TRUE); - } if (plaintext_item.data) { SECITEM_FreeItem(&plaintext_item, PR_FALSE); } - if (ciphertext.data) { - SECITEM_FreeItem(&ciphertext, PR_FALSE); - } if (ticket_buf.data) { SECITEM_FreeItem(&ticket_buf, PR_FALSE); } - return rv; + return SECFailure; } /* When a client receives a SessionTicket extension a NewSessionTicket 
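Review bot: plaintext_item holds the session state the ticket exists to keep confidential, including the wrapped master secret copied from ms_item, and it is released with `SECITEM_FreeItem(&plaintext_item, PR_FALSE)` on both the success path and at loser:, which leaves that material in freed heap memory. `SECITEM_ZfreeItem(&plaintext_item, PR_FALSE)` in both places zeroizes before freeing at no real cost. Separately, `plaintext_length + 128` with the comment "128 just gives us enough room for overhead" hard-codes an assumption about how much ssl_SelfEncryptProtect expands its input (the removed code shows the components: key name, IV, length field, block padding and MAC); the call is bounded by its maxOutLen argument so this cannot overflow, but a too-small value fails every ticket, so the overhead should be a named constant exported by selfencrypt.h (name to be chosen there) rather than a literal here. ssl3_EncodeSessionTicket begins outside this hunk.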
@@ -1338,434 +1079,375 @@ ssl3_ClientHandleSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData return SECSuccess; } -/* Generic ticket processing code, common to TLS 1.0-1.2 and - * TLS 1.3. */ -SECStatus -ssl3_ProcessSessionTicketCommon(sslSocket *ss, SECItem *data) +static SECStatus +ssl_ParseSessionTicket(sslSocket *ss, const SECItem *decryptedTicket, + SessionTicket *parsedTicket) { + PRUint32 temp; SECStatus rv; - SECItem *decrypted_state = NULL; - SessionTicket *parsed_session_ticket = NULL; - sslSessionID *sid = NULL; - SSL3Statistics *ssl3stats; - PRUint32 i; - SECItem extension_data; - EncryptedSessionTicket enc_session_ticket; - unsigned char computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH]; - unsigned int computed_mac_length; - PK11SymKey *aes_key = NULL; - PK11SymKey *mac_key = NULL; - PK11Context *hmac_ctx; - CK_MECHANISM_TYPE macMech = CKM_SHA256_HMAC; - PK11Context *aes_ctx; - CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC; - unsigned char *padding; - PRUint32 padding_length; - unsigned char *buffer; - unsigned int buffer_len; - PRInt32 temp; - SECItem cert_item; - PRInt8 nameType = TLS_STE_NO_SERVER_NAME; - SECItem macParam = { siBuffer, NULL, 0 }; - SECItem alpn_item; - SECItem ivItem; - - /* Turn off stateless session resumption if the client sends a - * SessionTicket extension, even if the extension turns out to be - * malformed (ss->sec.ci.sid is non-NULL when doing session - * renegotiation.) - */ - if (ss->sec.ci.sid != NULL) { - ss->sec.uncache(ss->sec.ci.sid); - ssl_FreeSID(ss->sec.ci.sid); - ss->sec.ci.sid = NULL; - } - extension_data.data = data->data; /* Keep a copy for future use. 
*/ - extension_data.len = data->len; + PRUint8 *buffer = decryptedTicket->data; + unsigned int len = decryptedTicket->len; + + PORT_Memset(parsedTicket, 0, sizeof(*parsedTicket)); + parsedTicket->valid = PR_FALSE; - if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket) != - SECSuccess) { - return SECSuccess; /* Pretend it isn't there */ + /* If the decrypted ticket is empty, then report success, but leave the + * ticket marked as invalid. */ + if (decryptedTicket->len == 0) { + return SECSuccess; } - /* Get session ticket keys. */ - rv = ssl3_GetSessionTicketKeys(ss, &aes_key, &mac_key); + /* Read ticket version. */ + rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len); if (rv != SECSuccess) { - SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.", - SSL_GETPID(), ss->fd)); - goto loser; + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } - /* If the ticket sent by the client was generated under a key different - * from the one we have, bypass ticket processing. - */ - if (PORT_Memcmp(enc_session_ticket.key_name, key_name, - SESS_TICKET_KEY_NAME_LEN) != 0) { - SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.", - SSL_GETPID(), ss->fd)); - goto no_ticket; + /* Skip the ticket if the version is wrong. This won't result in a + * handshake failure, just a failure to resume. */ + if (temp != TLS_EX_SESS_TICKET_VERSION) { + return SECSuccess; } - /* Verify the MAC on the ticket. MAC verification may also - * fail if the MAC key has been recently refreshed. - */ - PORT_Assert(mac_key); - hmac_ctx = PK11_CreateContextBySymKey(macMech, CKA_SIGN, mac_key, &macParam); - if (!hmac_ctx) { - SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.", - SSL_GETPID(), ss->fd, PORT_GetError())); - goto no_ticket; - } else { - SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.", - SSL_GETPID(), ss->fd)); - } - rv = PK11_DigestBegin(hmac_ctx); + /* Read SSLVersion. 
*/ + rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len); if (rv != SECSuccess) { - PK11_DestroyContext(hmac_ctx, PR_TRUE); - goto no_ticket; + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } - rv = PK11_DigestOp(hmac_ctx, extension_data.data, - extension_data.len - - TLS_EX_SESS_TICKET_MAC_LENGTH); - if (rv != SECSuccess) { - PK11_DestroyContext(hmac_ctx, PR_TRUE); - goto no_ticket; + parsedTicket->ssl_version = (SSL3ProtocolVersion)temp; + if (!ssl3_VersionIsSupported(ss->protocolVariant, + parsedTicket->ssl_version)) { + /* This socket doesn't support the version from the ticket. */ + return SECSuccess; } - rv = PK11_DigestFinal(hmac_ctx, computed_mac, - &computed_mac_length, sizeof(computed_mac)); - PK11_DestroyContext(hmac_ctx, PR_TRUE); - if (rv != SECSuccess) - goto no_ticket; - if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac, - computed_mac_length) != - 0) { - SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.", - SSL_GETPID(), ss->fd)); - goto no_ticket; + /* Read cipher_suite. */ + rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } + parsedTicket->cipher_suite = (ssl3CipherSuite)temp; - /* We ignore key_name for now. - * This is ok as MAC verification succeeded. - */ - - /* Decrypt the ticket. */ - - /* Plaintext is shorter than the ciphertext due to padding. */ - decrypted_state = SECITEM_AllocItem(NULL, NULL, - enc_session_ticket.encrypted_state.len); - - PORT_Assert(aes_key); - ivItem.data = enc_session_ticket.iv; - ivItem.len = AES_BLOCK_SIZE; - aes_ctx = PK11_CreateContextBySymKey(cipherMech, CKA_DECRYPT, - aes_key, &ivItem); - if (!aes_ctx) { - SSL_DBG(("%d: SSL[%d]: Unable to create AES context.", - SSL_GETPID(), ss->fd)); - goto no_ticket; + /* Read compression_method. 
*/ + rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } + parsedTicket->compression_method = (SSLCompressionMethod)temp; - rv = PK11_CipherOp(aes_ctx, decrypted_state->data, - (int *)&decrypted_state->len, decrypted_state->len, - enc_session_ticket.encrypted_state.data, - enc_session_ticket.encrypted_state.len); - PK11_Finalize(aes_ctx); - PK11_DestroyContext(aes_ctx, PR_TRUE); - if (rv != SECSuccess) - goto no_ticket; - - /* Check padding. */ - padding_length = - (PRUint32)decrypted_state->data[decrypted_state->len - 1]; - if (padding_length == 0 || padding_length > AES_BLOCK_SIZE) - goto no_ticket; - - padding = &decrypted_state->data[decrypted_state->len - padding_length]; - for (i = 0; i < padding_length; i++, padding++) { - if (padding_length != (PRUint32)*padding) - goto no_ticket; + /* Read cipher spec parameters. */ + rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } - - /* Deserialize session state. 
*/ - buffer = decrypted_state->data; - buffer_len = decrypted_state->len; - - parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket)); - if (parsed_session_ticket == NULL) { - rv = SECFailure; - goto loser; + parsedTicket->authType = (SSLAuthType)temp; + rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } + parsedTicket->authKeyBits = temp; + rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + parsedTicket->keaType = (SSLKEAType)temp; + rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + parsedTicket->keaKeyBits = temp; - /* Read ticket_version and reject if the version is wrong */ - temp = ssl3_ExtConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); - if (temp != TLS_EX_SESS_TICKET_VERSION) - goto no_ticket; - - parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp; - - /* Read SSLVersion. */ - temp = ssl3_ExtConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); - if (temp < 0) - goto no_ticket; - parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp; + /* Read the optional named curve. */ + rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + if (parsedTicket->authType == ssl_auth_ecdsa || + parsedTicket->authType == ssl_auth_ecdh_rsa || + parsedTicket->authType == ssl_auth_ecdh_ecdsa) { + const sslNamedGroupDef *group = + ssl_LookupNamedGroup((SSLNamedGroup)temp); + if (!group || group->keaType != ssl_kea_ecdh) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + parsedTicket->namedCurve = group; + } - /* Read cipher_suite. 
*/ - temp = ssl3_ExtConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); - if (temp < 0) - goto no_ticket; - parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp; + /* Read the master secret (and how it is wrapped). */ + rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + PORT_Assert(temp == PR_TRUE || temp == PR_FALSE); + parsedTicket->ms_is_wrapped = (PRBool)temp; - /* Read compression_method. */ - temp = ssl3_ExtConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); - if (temp < 0) - goto no_ticket; - parsed_session_ticket->compression_method = (SSLCompressionMethod)temp; + rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + parsedTicket->msWrapMech = (CK_MECHANISM_TYPE)temp; - /* Read cipher spec parameters. */ - temp = ssl3_ExtConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); - if (temp < 0) - goto no_ticket; - parsed_session_ticket->authType = (SSLAuthType)temp; - temp = ssl3_ExtConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); - if (temp < 0) - goto no_ticket; - parsed_session_ticket->authKeyBits = (PRUint32)temp; - temp = ssl3_ExtConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); - if (temp < 0) - goto no_ticket; - parsed_session_ticket->keaType = (SSLKEAType)temp; - temp = ssl3_ExtConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); - if (temp < 0) - goto no_ticket; - parsed_session_ticket->keaKeyBits = (PRUint32)temp; - - /* Read certificate slot */ - parsed_session_ticket->certType.authType = parsed_session_ticket->authType; - temp = ssl3_ExtConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); - if (temp < 0) - goto no_ticket; - switch (parsed_session_ticket->authType) { - case ssl_auth_ecdsa: - case ssl_auth_ecdh_rsa: - case ssl_auth_ecdh_ecdsa: { - const sslNamedGroupDef *group = - 
ssl_LookupNamedGroup((SSLNamedGroup)temp); - if (!group || group->keaType != ssl_kea_ecdh) { - goto no_ticket; - } - parsed_session_ticket->certType.namedCurve = group; - } break; - default: - break; + rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 2, &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } + if (temp == 0 || temp > sizeof(parsedTicket->master_secret)) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + parsedTicket->ms_length = (PRUint16)temp; - /* Read wrapped master_secret. */ - temp = ssl3_ExtConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); - if (temp < 0) - goto no_ticket; - parsed_session_ticket->ms_is_wrapped = (PRBool)temp; - - temp = ssl3_ExtConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); - if (temp < 0) - goto no_ticket; - parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp; - - temp = ssl3_ExtConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len); - if (temp < 0) - goto no_ticket; - parsed_session_ticket->ms_length = (PRUint16)temp; - if (parsed_session_ticket->ms_length == 0 || /* sanity check MS. */ - parsed_session_ticket->ms_length > - sizeof(parsed_session_ticket->master_secret)) - goto no_ticket; - - /* Allow for the wrapped master secret to be longer. */ - if (buffer_len < parsed_session_ticket->ms_length) - goto no_ticket; - PORT_Memcpy(parsed_session_ticket->master_secret, buffer, - parsed_session_ticket->ms_length); - buffer += parsed_session_ticket->ms_length; - buffer_len -= parsed_session_ticket->ms_length; - - /* Read client_identity */ - temp = ssl3_ExtConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); - if (temp < 0) - goto no_ticket; - parsed_session_ticket->client_identity.client_auth_type = - (ClientAuthenticationType)temp; - switch (parsed_session_ticket->client_identity.client_auth_type) { + /* Read the master secret. 
*/ + rv = ssl3_ExtConsumeHandshake(ss, parsedTicket->master_secret, + parsedTicket->ms_length, &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + /* Read client identity */ + rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + parsedTicket->client_auth_type = (ClientAuthenticationType)temp; + switch (parsedTicket->client_auth_type) { case CLIENT_AUTH_ANONYMOUS: break; case CLIENT_AUTH_CERTIFICATE: - rv = ssl3_ExtConsumeHandshakeVariable(ss, &cert_item, 3, - &buffer, &buffer_len); - if (rv != SECSuccess) - goto no_ticket; - rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert, - &cert_item); - if (rv != SECSuccess) - goto no_ticket; + rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->peer_cert, 2, + &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } break; default: - goto no_ticket; + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } /* Read timestamp. 
*/ - temp = ssl3_ExtConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len); - if (temp < 0) - goto no_ticket; - parsed_session_ticket->timestamp = (PRUint32)temp; + rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + parsedTicket->timestamp = temp; /* Read server name */ - nameType = - ssl3_ExtConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); - if (nameType != TLS_STE_NO_SERVER_NAME) { - SECItem name_item; - rv = ssl3_ExtConsumeHandshakeVariable(ss, &name_item, 2, &buffer, - &buffer_len); - if (rv != SECSuccess) - goto no_ticket; - rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName, - &name_item); - if (rv != SECSuccess) - goto no_ticket; - parsed_session_ticket->srvName.type = nameType; + rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->srvName, 2, + &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } /* Read extendedMasterSecretUsed */ - temp = ssl3_ExtConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); - if (temp < 0) - goto no_ticket; + rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 1, &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } PORT_Assert(temp == PR_TRUE || temp == PR_FALSE); - parsed_session_ticket->extendedMasterSecretUsed = (PRBool)temp; + parsedTicket->extendedMasterSecretUsed = (PRBool)temp; - rv = ssl3_ExtConsumeHandshake(ss, &parsed_session_ticket->flags, 4, - &buffer, &buffer_len); - if (rv != SECSuccess) - goto no_ticket; - parsed_session_ticket->flags = PR_ntohl(parsed_session_ticket->flags); + rv = ssl3_ExtConsumeHandshake(ss, &temp, 4, &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + parsedTicket->flags = PR_ntohl(temp); - rv = ssl3_ExtConsumeHandshakeVariable(ss, &alpn_item, 1, &buffer, &buffer_len); - if (rv != SECSuccess) - goto 
no_ticket; - if (alpn_item.len != 0) { - rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->alpnSelection, - &alpn_item); - if (rv != SECSuccess) - goto no_ticket; - if (alpn_item.len >= 256) - goto no_ticket; + rv = ssl3_ExtConsumeHandshakeVariable(ss, &parsedTicket->alpnSelection, 1, + &buffer, &len); + PORT_Assert(parsedTicket->alpnSelection.len < 256); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + + rv = ssl3_ExtConsumeHandshakeNumber(ss, &temp, 4, &buffer, &len); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } + parsedTicket->maxEarlyData = temp; +#ifndef UNSAFE_FUZZER_MODE /* Done parsing. Check that all bytes have been consumed. */ - if (buffer_len != padding_length) - goto no_ticket; + if (len != 0) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } +#endif - /* Use the ticket if it has not expired, otherwise free the allocated - * memory since the ticket is of no use. - */ - if (parsed_session_ticket->timestamp != 0 && - parsed_session_ticket->timestamp + - TLS_EX_SESS_TICKET_LIFETIME_HINT > - ssl_Time()) { - - sid = ssl3_NewSessionID(ss, PR_TRUE); - if (sid == NULL) { - rv = SECFailure; + parsedTicket->valid = PR_TRUE; + return SECSuccess; +} + +static SECStatus +ssl_CreateSIDFromTicket(sslSocket *ss, const SECItem *rawTicket, + SessionTicket *parsedTicket, sslSessionID **out) +{ + sslSessionID *sid; + SECStatus rv; + + sid = ssl3_NewSessionID(ss, PR_TRUE); + if (sid == NULL) { + return SECFailure; + } + + /* Copy over parameters. 
*/ + sid->version = parsedTicket->ssl_version; + sid->u.ssl3.cipherSuite = parsedTicket->cipher_suite; + sid->u.ssl3.compression = parsedTicket->compression_method; + sid->authType = parsedTicket->authType; + sid->authKeyBits = parsedTicket->authKeyBits; + sid->keaType = parsedTicket->keaType; + sid->keaKeyBits = parsedTicket->keaKeyBits; + sid->namedCurve = parsedTicket->namedCurve; + + rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.locked.sessionTicket.ticket, + rawTicket); + if (rv != SECSuccess) { + goto loser; + } + sid->u.ssl3.locked.sessionTicket.flags = parsedTicket->flags; + sid->u.ssl3.locked.sessionTicket.max_early_data_size = + parsedTicket->maxEarlyData; + + if (parsedTicket->ms_length > + sizeof(sid->u.ssl3.keys.wrapped_master_secret)) { + goto loser; + } + PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret, + parsedTicket->master_secret, parsedTicket->ms_length); + sid->u.ssl3.keys.wrapped_master_secret_len = parsedTicket->ms_length; + sid->u.ssl3.masterWrapMech = parsedTicket->msWrapMech; + sid->u.ssl3.keys.msIsWrapped = parsedTicket->ms_is_wrapped; + sid->u.ssl3.masterValid = PR_TRUE; + sid->u.ssl3.keys.resumable = PR_TRUE; + sid->u.ssl3.keys.extendedMasterSecretUsed = parsedTicket->extendedMasterSecretUsed; + + /* Copy over client cert from session ticket if there is one. */ + if (parsedTicket->peer_cert.data != NULL) { + PORT_Assert(!sid->peerCert); + sid->peerCert = CERT_NewTempCertificate(ss->dbHandle, + &parsedTicket->peer_cert, + NULL, PR_FALSE, PR_TRUE); + if (!sid->peerCert) { goto loser; } + } - /* Copy over parameters. 
*/ - sid->version = parsed_session_ticket->ssl_version; - sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite; - sid->u.ssl3.compression = parsed_session_ticket->compression_method; - sid->authType = parsed_session_ticket->authType; - sid->authKeyBits = parsed_session_ticket->authKeyBits; - sid->keaType = parsed_session_ticket->keaType; - sid->keaKeyBits = parsed_session_ticket->keaKeyBits; - memcpy(&sid->certType, &parsed_session_ticket->certType, - sizeof(sslServerCertType)); - - if (SECITEM_CopyItem(NULL, &sid->u.ssl3.locked.sessionTicket.ticket, - &extension_data) != SECSuccess) - goto no_ticket; - sid->u.ssl3.locked.sessionTicket.flags = parsed_session_ticket->flags; - - if (parsed_session_ticket->ms_length > - sizeof(sid->u.ssl3.keys.wrapped_master_secret)) - goto no_ticket; - PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret, - parsed_session_ticket->master_secret, - parsed_session_ticket->ms_length); - sid->u.ssl3.keys.wrapped_master_secret_len = - parsed_session_ticket->ms_length; - sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech; - sid->u.ssl3.keys.msIsWrapped = - parsed_session_ticket->ms_is_wrapped; - sid->u.ssl3.masterValid = PR_TRUE; - sid->u.ssl3.keys.resumable = PR_TRUE; - sid->u.ssl3.keys.extendedMasterSecretUsed = parsed_session_ticket->extendedMasterSecretUsed; - - /* Copy over client cert from session ticket if there is one. */ - if (parsed_session_ticket->peer_cert.data != NULL) { - if (sid->peerCert != NULL) - CERT_DestroyCertificate(sid->peerCert); - sid->peerCert = CERT_NewTempCertificate(ss->dbHandle, - &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE); - if (sid->peerCert == NULL) { - rv = SECFailure; - goto loser; - } + /* Transfer ownership of the remaining items. 
*/ + if (parsedTicket->srvName.data != NULL) { + SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); + rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.srvName, + &parsedTicket->srvName); + if (rv != SECSuccess) { + goto loser; } - if (parsed_session_ticket->srvName.data != NULL) { - if (sid->u.ssl3.srvName.data) { - SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); - } - sid->u.ssl3.srvName = parsed_session_ticket->srvName; + } + if (parsedTicket->alpnSelection.data != NULL) { + rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.alpnSelection, + &parsedTicket->alpnSelection); + if (rv != SECSuccess) { + goto loser; } - if (parsed_session_ticket->alpnSelection.data != NULL) { - sid->u.ssl3.alpnSelection = parsed_session_ticket->alpnSelection; - /* So we don't free below. */ - parsed_session_ticket->alpnSelection.data = NULL; + } + + *out = sid; + return SECSuccess; + +loser: + ssl_FreeSID(sid); + return SECFailure; +} + +/* Generic ticket processing code, common to all TLS versions. */ +SECStatus +ssl3_ProcessSessionTicketCommon(sslSocket *ss, SECItem *data) +{ + SECItem decryptedTicket = { siBuffer, NULL, 0 }; + SessionTicket parsedTicket; + SECStatus rv; + + if (ss->sec.ci.sid != NULL) { + ss->sec.uncache(ss->sec.ci.sid); + ssl_FreeSID(ss->sec.ci.sid); + ss->sec.ci.sid = NULL; + } + + if (!SECITEM_AllocItem(NULL, &decryptedTicket, data->len)) { + return SECFailure; + } + + /* Decrypt the ticket. */ + rv = ssl_SelfEncryptUnprotect(ss, data->data, data->len, + decryptedTicket.data, + &decryptedTicket.len, + decryptedTicket.len); + if (rv != SECSuccess) { + SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE); + + /* Fail with no ticket if we're not a recipient. Otherwise + * it's a hard failure. */ + if (PORT_GetError() != SEC_ERROR_NOT_A_RECIPIENT) { + SSL3_SendAlert(ss, alert_fatal, illegal_parameter); + return SECFailure; } - ss->statelessResume = PR_TRUE; - ss->sec.ci.sid = sid; + + /* We didn't have the right key, so pretend we don't have a + * ticket. 
*/ } - if (0) { - no_ticket: + rv = ssl_ParseSessionTicket(ss, &decryptedTicket, &parsedTicket); + if (rv != SECSuccess) { + SSL3Statistics *ssl3stats; + SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.", SSL_GETPID(), ss->fd)); ssl3stats = SSL_GetStatistics(); SSL_AtomicIncrementLong(&ssl3stats->hch_sid_ticket_parse_failures); + goto loser; /* code already set */ } - rv = SECSuccess; -loser: - /* ss->sec.ci.sid == sid if it did NOT come here via goto statement - * in that case do not free sid - */ - if (sid && (ss->sec.ci.sid != sid)) { - ssl_FreeSID(sid); - sid = NULL; - } - if (decrypted_state != NULL) { - SECITEM_FreeItem(decrypted_state, PR_TRUE); - decrypted_state = NULL; - } + /* Use the ticket if it is valid and unexpired. */ + if (parsedTicket.valid && + parsedTicket.timestamp + ssl_ticket_lifetime > ssl_Time()) { + sslSessionID *sid; - if (parsed_session_ticket != NULL) { - if (parsed_session_ticket->peer_cert.data) { - SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE); - } - if (parsed_session_ticket->alpnSelection.data) { - SECITEM_FreeItem(&parsed_session_ticket->alpnSelection, PR_FALSE); + rv = ssl_CreateSIDFromTicket(ss, data, &parsedTicket, &sid); + if (rv != SECSuccess) { + goto loser; /* code already set */ } - PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket)); + ss->statelessResume = PR_TRUE; + ss->sec.ci.sid = sid; } - return rv; + SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE); + PORT_Memset(&parsedTicket, 0, sizeof(parsedTicket)); + return SECSuccess; + +loser: + SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE); + PORT_Memset(&parsedTicket, 0, sizeof(parsedTicket)); + return SECFailure; } SECStatus 
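Review bot: In ssl_CreateSIDFromTicket the path `if (parsedTicket->ms_length > sizeof(sid->u.ssl3.keys.wrapped_master_secret)) { goto loser; }` sets no error code, yet ssl3_ProcessSessionTicketCommon treats its failure with `goto loser; /* code already set */` and returns SECFailure, so a caller would see a stale PORT_GetError(); make it `PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); goto loser;` or fold the check into ssl_ParseSessionTicket, which already bounds ms_length against sizeof(parsedTicket->master_secret). Relatedly, a ticket that unprotects but fails ssl_ParseSessionTicket is now a hard SECFailure with no alert, while the unprotect failure branch just above it sends illegal_parameter; since the payload is under our own self-encryption key this should only be reachable through a bug or a key shared across incompatible builds, so either send an alert there too or document why the silent failure is intended. The PR_TRUE/PR_FALSE checks on ms_is_wrapped and extendedMasterSecretUsed are PORT_Assert only, so release builds coerce any other byte through `(PRBool)temp`; `if (temp > PR_TRUE) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; }` would match the rest of the parser's handling.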
@@ -1798,23 +1480,6 @@ ssl3_ServerHandleSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData return ssl3_ProcessSessionTicketCommon(CONST_CAST(sslSocket, ss), data); } -/* - * Read bytes. Using this function means the SECItem structure - * cannot be freed. The caller is expected to call this function - * on a shallow copy of the structure. - */ -static SECStatus -ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes) -{ - if (bytes > item->len) - return SECFailure; - - *buf = item->data; - item->data += bytes; - item->len -= bytes; - return SECSuccess; -} - /* Extension format: * Extension number: 2 bytes * Extension length: 2 bytes @@ -2145,7 +1810,8 @@ ssl3_ServerHandleSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUi &xtnData->clientSigSchemes, &xtnData->numClientSigScheme, &data->data, &data->len); - if (rv != SECSuccess) { + if (rv != SECSuccess || xtnData->numClientSigScheme == 0) { + ssl3_ExtSendAlert(ss, alert_fatal, decode_error); PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); return SECFailure; } 
@@ -2216,55 +1882,73 @@ ssl3_ClientSendSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool /* Takes the size of the ClientHello, less the record header, and determines how * much padding is required. */ -unsigned int -ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength) +void +ssl3_CalculatePaddingExtLen(sslSocket *ss, + unsigned int clientHelloLength) { unsigned int recordLength = 1 /* handshake message type */ + 3 /* handshake message length */ + clientHelloLength; - unsigned int extensionLength; + unsigned int extensionLen; + + /* Don't pad for DTLS, for SSLv3, or for renegotiation. */ + if (IS_DTLS(ss) || + ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_0 || + ss->firstHsDone) { + return; + } + /* A padding extension may be included to ensure that the record containing + * the ClientHello doesn't have a length between 256 and 511 bytes + * (inclusive). Initial ClientHello records with such lengths trigger bugs + * in F5 devices. */ if (recordLength < 256 || recordLength >= 512) { - return 0; + return; } - extensionLength = 512 - recordLength; + extensionLen = 512 - recordLength; /* Extensions take at least four bytes to encode. Always include at least - * one byte of data if including the extension. Some servers (e.g. - * WebSphere Application Server 7.0 and Tomcat) will time out or terminate - * the connection if the last extension in the client hello is empty. */ - if (extensionLength < 4 + 1) { - extensionLength = 4 + 1; + * one byte of data if we are padding. Some servers will time out or + * terminate the connection if the last ClientHello extension is empty. */ + if (extensionLen < 4 + 1) { + extensionLen = 4 + 1; } - return extensionLength; + ss->xtnData.paddingLen = extensionLen - 4; } -/* ssl3_AppendPaddingExtension possibly adds an extension which ensures that a +/* ssl3_SendPaddingExtension possibly adds an extension which ensures that a * ClientHello record is either < 256 bytes or is >= 512 bytes. 
This ensures * that we don't trigger bugs in F5 products. */ PRInt32 -ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen, - PRUint32 maxBytes) +ssl3_ClientSendPaddingExtension(const sslSocket *ss, TLSExtensionData *xtnData, + PRBool append, PRUint32 maxBytes) { - unsigned int paddingLen = extensionLen - 4; - static unsigned char padding[252]; + static unsigned char padding[252] = { 0 }; + unsigned int extensionLen; + SECStatus rv; - if (extensionLen == 0) { + /* On the length-calculation pass, report zero total length. The record + * will be larger on the second pass if needed. */ + if (!append || !xtnData->paddingLen) { return 0; } + extensionLen = xtnData->paddingLen + 4; if (extensionLen > maxBytes || - !paddingLen || - paddingLen > sizeof(padding)) { + xtnData->paddingLen > sizeof(padding)) { PORT_Assert(0); return -1; } - if (SECSuccess != ssl3_ExtAppendHandshakeNumber(ss, ssl_padding_xtn, 2)) + rv = ssl3_ExtAppendHandshakeNumber(ss, ssl_padding_xtn, 2); + if (rv != SECSuccess) { return -1; - if (SECSuccess != ssl3_ExtAppendHandshakeVariable(ss, padding, paddingLen, 2)) + } + rv = ssl3_ExtAppendHandshakeVariable(ss, padding, xtnData->paddingLen, 2); + if (rv != SECSuccess) { return -1; + } return extensionLen; } @@ -2321,6 +2005,7 @@ ssl3_HandleExtendedMasterSecretXtn(const sslSocket *ss, TLSExtensionData *xtnDat if (data->len != 0) { SSL_TRC(30, ("%d: SSL3[%d]: Bogus extended master secret extension", SSL_GETPID(), ss->fd)); + ssl3_ExtSendAlert(ss, alert_fatal, decode_error); return SECFailure; } @@ -2445,6 +2130,12 @@ ssl3_ServerHandleSignedCertTimestampXtn(const sslSocket *ss, PRUint16 ex_type, SECItem *data) { + if (data->len != 0) { + ssl3_ExtSendAlert(ss, alert_fatal, decode_error); + PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); + return SECFailure; + } + xtnData->negotiated[xtnData->numNegotiated++] = ex_type; PORT_Assert(ss->sec.isServer); return ssl3_RegisterExtensionSender( 
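Review bot: ssl3_CalculatePaddingExtLen only writes ss->xtnData.paddingLen on the path that needs padding; every early return (DTLS, SSLv3-only, renegotiation, record length outside 256..511) leaves whatever value was there before, so if xtnData is not reset between ClientHello attempts on the same socket (not visible in this hunk) ssl3_ClientSendPaddingExtension would emit stale padding sized for a previous hello. Setting `ss->xtnData.paddingLen = 0;` as the first statement makes the function's result unconditional. The function comment should also say that ssl3_ClientSendPaddingExtension reports zero on the `!append` length-calculation pass and that the caller must invoke ssl3_CalculatePaddingExtLen after measuring the hello, since the two functions only work together in that order.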
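Review bot: The new decode_error alert in ssl3_HandleExtendedMasterSecretXtn is followed by `return SECFailure;` with no PORT_SetError in the hunk, whereas the ssl3_ServerHandleSignedCertTimestampXtn hunk below sets SSL_ERROR_RX_MALFORMED_CLIENT_HELLO after its alert; unless ssl3_ExtSendAlert sets an error code itself (not visible here), callers will report whatever error was last set. Since this handler runs on both client and server, choose the code by role, e.g. `PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO)` when ss->sec.isServer and the corresponding malformed-ServerHello code otherwise, before the return. The enclosing function starts before and ends after this hunk.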
@@ -2484,7 +2175,8 @@ ssl3_HandleSupportedPointFormatsXtn(const sslSocket *ss, TLSExtensionData *xtnDa static SECStatus ssl_UpdateSupportedGroups(sslSocket *ss, SECItem *data) { - PRInt32 list_len; + SECStatus rv; + PRUint32 list_len; unsigned int i; const sslNamedGroupDef *enabled[SSL_NAMED_GROUP_COUNT] = { 0 }; PORT_Assert(SSL_NAMED_GROUP_COUNT == PR_ARRAY_SIZE(enabled)); @@ -2495,8 +2187,8 @@ ssl_UpdateSupportedGroups(sslSocket *ss, SECItem *data) } /* get the length of elliptic_curve_list */ - list_len = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); - if (list_len < 0 || data->len != list_len || (data->len % 2) != 0) { + rv = ssl3_ConsumeHandshakeNumber(ss, &list_len, 2, &data->data, &data->len); + if (rv != SECSuccess || data->len != list_len || (data->len % 2) != 0) { (void)ssl3_DecodeError(ss); return SECFailure; } @@ -2510,9 +2202,10 @@ ssl_UpdateSupportedGroups(sslSocket *ss, SECItem *data) /* Read groups from data and enable if in |enabled| */ while (data->len) { const sslNamedGroupDef *group; - PRInt32 curve_name = - ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); - if (curve_name < 0) { + PRUint32 curve_name; + rv = ssl3_ConsumeHandshakeNumber(ss, &curve_name, 2, &data->data, + &data->len); + if (rv != SECSuccess) { return SECFailure; /* fatal alert already sent */ } group = ssl_LookupNamedGroup(curve_name); diff --git a/security/nss/lib/ssl/ssl3exthandle.h b/security/nss/lib/ssl/ssl3exthandle.h index 65223d6fd1..5fdbe9053a 100644 --- a/security/nss/lib/ssl/ssl3exthandle.h +++ b/security/nss/lib/ssl/ssl3exthandle.h 
@@ -49,6 +49,9 @@ PRInt32 ssl3_ClientSendSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData SECStatus ssl3_ServerHandleSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data); +PRInt32 ssl3_ClientSendPaddingExtension(const sslSocket *ss, TLSExtensionData *xtnData, + PRBool append, PRUint32 maxBytes); + PRInt32 ssl3_ClientSendSignedCertTimestampXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRBool append, PRUint32 maxBytes); diff --git a/security/nss/lib/ssl/ssl3gthr.c b/security/nss/lib/ssl/ssl3gthr.c index 2bcc1d0aad..cf6f4cb33e 100644 --- a/security/nss/lib/ssl/ssl3gthr.c +++ b/security/nss/lib/ssl/ssl3gthr.c @@ -32,6 +32,7 @@ ssl3_InitGather(sslGather *gs) gs->readOffset = 0; gs->dtlsPacketOffset = 0; gs->dtlsPacket.len = 0; + gs->rejectV2Records = PR_FALSE; status = sslBuffer_Grow(&gs->buf, 4096); return status; } @@ -147,8 +148,11 @@ ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags, ssl2Gather *ssl2gs) switch (gs->state) { case GS_HEADER: /* Check for SSLv2 handshakes. Always assume SSLv3 on clients, - * support SSLv2 handshakes only when ssl2gs != NULL. */ - if (!ssl2gs || ssl3_isLikelyV3Hello(gs->hdr)) { + * support SSLv2 handshakes only when ssl2gs != NULL. + * Always assume v3 after we received the first record. */ + if (!ssl2gs || + ss->gs.rejectV2Records || + ssl3_isLikelyV3Hello(gs->hdr)) { /* Should have a non-SSLv2 record header in gs->hdr. Extract * the length of the following encrypted data, and then * read in the rest of the record into gs->inbuf. */ @@ -183,7 +187,7 @@ ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags, ssl2Gather *ssl2gs) /* This is the max length for an encrypted SSLv3+ fragment. */ if (!v2HdrLength && gs->remainder > (MAX_FRAGMENT_LENGTH + 2048)) { - SSL3_SendAlert(ss, alert_fatal, unexpected_message); + SSL3_SendAlert(ss, alert_fatal, record_overflow); gs->state = GS_INIT; PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); return SECFailure; 
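Review bot: ssl3_GatherData takes the gatherer as the `gs` parameter, but the new check reads `ss->gs.rejectV2Records` (and the GS_DATA hunk on the next line writes `ss->gs.rejectV2Records = PR_TRUE;`), while ssl3_InitGather initialises the field through `gs->rejectV2Records`. If a caller ever passes a gatherer other than &ss->gs (not visible here), the flag would be read from and written to a different gatherer than the one being parsed; using `gs->rejectV2Records` in both places keeps the function consistent with its own parameter and with the initialiser. The enclosing function starts before this hunk.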
@@ -205,13 +209,28 @@ ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags, ssl2Gather *ssl2gs) * many into the gs->hdr[] buffer. Copy them over into inbuf so * that we can properly process the hello record later. */ if (v2HdrLength) { + /* Reject v2 records that don't even carry enough data to + * resemble a valid ClientHello header. */ + if (gs->remainder < SSL_HL_CLIENT_HELLO_HBYTES) { + SSL3_SendAlert(ss, alert_fatal, illegal_parameter); + PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); + return SECFailure; + } + + PORT_Assert(lbp); gs->inbuf.len = 5 - v2HdrLength; PORT_Memcpy(lbp, gs->hdr + v2HdrLength, gs->inbuf.len); gs->remainder -= gs->inbuf.len; lbp += gs->inbuf.len; } - break; /* End this case. Continue around the loop. */ + if (gs->remainder > 0) { + break; /* End this case. Continue around the loop. */ + } + + /* FALL THROUGH if (gs->remainder == 0) as we just received + * an empty record and there's really no point in calling + * ssl_DefRecv() with buf=NULL and len=0. */ case GS_DATA: /* @@ -219,6 +238,10 @@ ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags, ssl2Gather *ssl2gs) */ SSL_TRC(10, ("%d: SSL[%d]: got record of %d bytes", SSL_GETPID(), ss->fd, gs->inbuf.len)); + + /* reject any v2 records from now on */ + ss->gs.rejectV2Records = PR_TRUE; + gs->state = GS_INIT; return 1; } diff --git a/security/nss/lib/ssl/ssl3prot.h b/security/nss/lib/ssl/ssl3prot.h index 35c7e547d2..ac31cf2630 100644 --- a/security/nss/lib/ssl/ssl3prot.h +++ b/security/nss/lib/ssl/ssl3prot.h @@ -10,8 +10,6 @@ #ifndef __ssl3proto_h_ #define __ssl3proto_h_ -typedef PRUint8 SSL3Opaque; - typedef PRUint16 SSL3ProtocolVersion; /* version numbers are defined in sslproto.h */ 
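Review bot: The added rejection of short SSLv2 records returns SECFailure without touching `gs->state`, whereas the record_overflow path in the previous hunk resets it with `gs->state = GS_INIT;` before returning. As written, a later gather call presumably re-enters the GS_HEADER case with the already-parsed `gs->remainder` still in place; inserting `gs->state = GS_INIT;` between the SSL3_SendAlert and the PORT_SetError would match the existing error path. ssl3_GatherData starts before and ends after this hunk.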
@@ -62,12 +60,12 @@ typedef struct { typedef struct { SECItem content; - SSL3Opaque MAC[MAX_MAC_LENGTH]; + PRUint8 MAC[MAX_MAC_LENGTH]; } SSL3GenericStreamCipher; typedef struct { SECItem content; - SSL3Opaque MAC[MAX_MAC_LENGTH]; + PRUint8 MAC[MAX_MAC_LENGTH]; PRUint8 padding[MAX_PADDING_LENGTH]; PRUint8 padding_length; } SSL3GenericBlockCipher; @@ -153,11 +151,11 @@ typedef struct { } SSL3HelloRequest; typedef struct { - SSL3Opaque rand[SSL3_RANDOM_LENGTH]; + PRUint8 rand[SSL3_RANDOM_LENGTH]; } SSL3Random; typedef struct { - SSL3Opaque id[32]; + PRUint8 id[32]; PRUint8 length; } SSL3SessionID; @@ -243,7 +241,7 @@ typedef struct { typedef struct { union { - SSL3Opaque anonymous; + PRUint8 anonymous; SSL3Hashes certified; } u; } SSL3ServerKeyExchange; @@ -262,11 +260,11 @@ typedef enum { } SSL3ClientCertificateType; typedef struct { - SSL3Opaque client_version[2]; - SSL3Opaque random[46]; + PRUint8 client_version[2]; + PRUint8 random[46]; } SSL3RSAPreMasterSecret; -typedef SSL3Opaque SSL3MasterSecret[48]; +typedef PRUint8 SSL3MasterSecret[48]; typedef enum { sender_client = 0x434c4e54, @@ -276,7 +274,7 @@ typedef enum { typedef SSL3HashesIndividually SSL3Finished; typedef struct { - SSL3Opaque verify_data[12]; + PRUint8 verify_data[12]; } TLSFinished; /* @@ -287,7 +285,7 @@ typedef struct { /* NewSessionTicket handshake message. */ typedef struct { - PRUint32 received_timestamp; + PRTime received_timestamp; PRUint32 ticket_lifetime_hint; PRUint32 flags; PRUint32 ticket_age_add; 
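Review bot: In the @@ -287 hunk `received_timestamp` changes from PRUint32 to PRTime, which changes both its width and its unit (PRTime counts microseconds), but the struct gives no hint of that while the adjacent `ticket_lifetime_hint` stays a PRUint32 in seconds; suggest `PRTime received_timestamp; /* microseconds since the epoch (PRTime) */`. Whatever serializes this structure into the ticket has to be updated for the wider field; that code is not in this hunk.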
@@ -305,27 +303,9 @@ typedef enum { CLIENT_AUTH_CERTIFICATE = 1 } ClientAuthenticationType; -typedef struct { - ClientAuthenticationType client_auth_type; - union { - SSL3Opaque *certificate_list; - } identity; -} ClientIdentity; - -#define SESS_TICKET_KEY_NAME_LEN 16 -#define SESS_TICKET_KEY_NAME_PREFIX "NSS!" -#define SESS_TICKET_KEY_NAME_PREFIX_LEN 4 -#define SESS_TICKET_KEY_VAR_NAME_LEN 12 - -typedef struct { - unsigned char *key_name; - unsigned char *iv; - SECItem encrypted_state; - unsigned char *mac; -} EncryptedSessionTicket; - -#define TLS_EX_SESS_TICKET_MAC_LENGTH 32 - -#define TLS_STE_NO_SERVER_NAME -1 +#define SELF_ENCRYPT_KEY_NAME_LEN 16 +#define SELF_ENCRYPT_KEY_NAME_PREFIX "NSS!" +#define SELF_ENCRYPT_KEY_NAME_PREFIX_LEN 4 +#define SELF_ENCRYPT_KEY_VAR_NAME_LEN 12 #endif /* __ssl3proto_h_ */ diff --git a/security/nss/lib/ssl/sslcert.c b/security/nss/lib/ssl/sslcert.c index ea524552da..cc1d3c6830 100644 --- a/security/nss/lib/ssl/sslcert.c +++ b/security/nss/lib/ssl/sslcert.c 
@@ -13,42 +13,91 @@ #include "nss.h" /* for NSS_RegisterShutdown */ #include "prinit.h" /* for PR_CallOnceWithArg */ -static const PRCallOnceType pristineCallOnce; -static PRCallOnceType setupServerCAListOnce; +/* This global item is used only in servers. It is is initialized by + * SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). + */ +static struct { + PRCallOnceType setup; + CERTDistNames *names; +} ssl_server_ca_list; static SECStatus -serverCAListShutdown(void *appData, void *nssData) +ssl_ServerCAListShutdown(void *appData, void *nssData) { - PORT_Assert(ssl3_server_ca_list); - if (ssl3_server_ca_list) { - CERT_FreeDistNames(ssl3_server_ca_list); - ssl3_server_ca_list = NULL; + PORT_Assert(ssl_server_ca_list.names); + if (ssl_server_ca_list.names) { + CERT_FreeDistNames(ssl_server_ca_list.names); } - setupServerCAListOnce = pristineCallOnce; + PORT_Memset(&ssl_server_ca_list, 0, sizeof(ssl_server_ca_list)); return SECSuccess; } static PRStatus -serverCAListSetup(void *arg) +ssl_SetupCAListOnce(void *arg) { CERTCertDBHandle *dbHandle = (CERTCertDBHandle *)arg; - SECStatus rv = NSS_RegisterShutdown(serverCAListShutdown, NULL); + SECStatus rv = NSS_RegisterShutdown(ssl_ServerCAListShutdown, NULL); PORT_Assert(SECSuccess == rv); if (SECSuccess == rv) { - ssl3_server_ca_list = CERT_GetSSLCACerts(dbHandle); + ssl_server_ca_list.names = CERT_GetSSLCACerts(dbHandle); return PR_SUCCESS; } return PR_FAILURE; } +SECStatus +ssl_SetupCAList(sslSocket *ss) +{ + if (PR_SUCCESS != PR_CallOnceWithArg(&ssl_server_ca_list.setup, + &ssl_SetupCAListOnce, + (void *)(ss->dbHandle))) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + return SECSuccess; +} + +SECStatus +ssl_GetCertificateRequestCAs(sslSocket *ss, unsigned int *calen, + SECItem **names, unsigned int *nnames) +{ + SECItem *name; + CERTDistNames *ca_list; + unsigned int i; + + *calen = 0; + *names = NULL; + *nnames = 0; + + /* ssl3.ca_list is initialized to NULL, and never 
changed. */ + ca_list = ss->ssl3.ca_list; + if (!ca_list) { + if (ssl_SetupCAList(ss) != SECSuccess) { + return SECFailure; + } + ca_list = ssl_server_ca_list.names; + } + + if (ca_list != NULL) { + *names = ca_list->names; + *nnames = ca_list->nnames; + } + + for (i = 0, name = *names; i < *nnames; i++, name++) { + *calen += 2 + name->len; + } + return SECSuccess; +} + sslServerCert * -ssl_NewServerCert(const sslServerCertType *certType) +ssl_NewServerCert() { sslServerCert *sc = PORT_ZNew(sslServerCert); if (!sc) { return NULL; } - memcpy(&sc->certType, certType, sizeof(sc->certType)); + sc->authTypes = 0; + sc->namedCurve = NULL; sc->serverCert = NULL; sc->serverCertChain = NULL; sc->certStatusArray = NULL; @@ -61,11 +110,14 @@ ssl_CopyServerCert(const sslServerCert *oc) { sslServerCert *sc; - sc = ssl_NewServerCert(&oc->certType); + sc = ssl_NewServerCert(); if (!sc) { return NULL; } + sc->authTypes = oc->authTypes; + sc->namedCurve = oc->namedCurve; + if (oc->serverCert && oc->serverCertChain) { sc->serverCert = CERT_DupCertificate(oc->serverCert); if (!sc->serverCert) @@ -129,9 +181,9 @@ ssl_FreeServerCert(sslServerCert *sc) PORT_ZFree(sc, sizeof(*sc)); } -sslServerCert * -ssl_FindServerCert(const sslSocket *ss, - const sslServerCertType *certType) +const sslServerCert * +ssl_FindServerCert(const sslSocket *ss, SSLAuthType authType, + const sslNamedGroupDef *namedCurve) { PRCList *cursor; 
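Review bot: `ssl_NewServerCert()` is defined with an empty parameter list, which in C declares an unprototyped function rather than one taking no arguments; `sslServerCert *ssl_NewServerCert(void)` gives callers such as ssl_CopyServerCert a checked prototype. The explicit `sc->authTypes = 0;` and `sc->namedCurve = NULL;` that follow `PORT_ZNew` repeat what the zeroing allocation already did and could be dropped or kept only as documentation. The matching declaration in the header is not in this hunk.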
@@ -139,68 +191,21 @@ ssl_FindServerCert(const sslSocket *ss, cursor != &ss->serverCerts; cursor = PR_NEXT_LINK(cursor)) { sslServerCert *cert = (sslServerCert *)cursor; - if (cert->certType.authType != certType->authType) { + if (!SSL_CERT_IS(cert, authType)) { continue; } - switch (cert->certType.authType) { - case ssl_auth_ecdsa: - case ssl_auth_ecdh_rsa: - case ssl_auth_ecdh_ecdsa: - /* Note: For deprecated APIs, we need to be able to find and - match a slot with any named curve. */ - if (certType->namedCurve && - cert->certType.namedCurve != certType->namedCurve) { - continue; - } - break; - default: - break; + if (SSL_CERT_IS_EC(cert)) { + /* Note: For deprecated APIs, we need to be able to find and + match a slot with any named curve. */ + if (namedCurve && cert->namedCurve != namedCurve) { + continue; + } } return cert; } return NULL; } -sslServerCert * -ssl_FindServerCertByAuthType(const sslSocket *ss, SSLAuthType authType) -{ - sslServerCertType certType; - certType.authType = authType; - /* Setting the named curve to NULL ensures that all EC certificates - * are matched when searching for this slot. */ - certType.namedCurve = NULL; - return ssl_FindServerCert(ss, &certType); -} - -SECStatus -ssl_OneTimeCertSetup(sslSocket *ss, const sslServerCert *sc) -{ - if (PR_SUCCESS != PR_CallOnceWithArg(&setupServerCAListOnce, - &serverCAListSetup, - (void *)(ss->dbHandle))) { - return SECFailure; - } - return SECSuccess; -} - -/* Determine which slot a certificate fits into. SSLAuthType is known, but - * extra information needs to be worked out from the cert and key. 
*/ -static void -ssl_PopulateCertType(sslServerCertType *certType, SSLAuthType authType, - CERTCertificate *cert, sslKeyPair *keyPair) -{ - certType->authType = authType; - switch (authType) { - case ssl_auth_ecdsa: - case ssl_auth_ecdh_rsa: - case ssl_auth_ecdh_ecdsa: - certType->namedCurve = ssl_ECPubKey2NamedGroup(keyPair->pubKey); - break; - default: - break; - } -} - static SECStatus ssl_PopulateServerCert(sslServerCert *sc, CERTCertificate *cert, const CERTCertificateList *certChain) @@ -232,21 +237,43 @@ ssl_PopulateServerCert(sslServerCert *sc, CERTCertificate *cert, static SECStatus ssl_PopulateKeyPair(sslServerCert *sc, sslKeyPair *keyPair) { - /* Copy over the key pair. */ if (sc->serverKeyPair) { ssl_FreeKeyPair(sc->serverKeyPair); + sc->serverKeyPair = NULL; } if (keyPair) { + KeyType keyType = SECKEY_GetPublicKeyType(keyPair->pubKey); + PORT_Assert(keyType == SECKEY_GetPrivateKeyType(keyPair->privKey)); + + if (keyType == ecKey) { + sc->namedCurve = ssl_ECPubKey2NamedGroup(keyPair->pubKey); + if (!sc->namedCurve) { + /* Unsupported curve. */ + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + } + /* Get the size of the cert's public key, and remember it. */ sc->serverKeyBits = SECKEY_PublicKeyStrengthInBits(keyPair->pubKey); if (sc->serverKeyBits == 0) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } SECKEY_CacheStaticFlags(keyPair->privKey); sc->serverKeyPair = ssl_GetKeyPairRef(keyPair); + + if (SSL_CERT_IS(sc, ssl_auth_rsa_decrypt)) { + /* This will update the global session ticket key pair with this + * key, if a value hasn't been set already. */ + if (ssl_MaybeSetSelfEncryptKeyPair(keyPair) != SECSuccess) { + return SECFailure; + } + } } else { sc->serverKeyPair = NULL; + sc->namedCurve = NULL; } return SECSuccess; } 
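Review bot: In ssl_PopulateKeyPair the `serverKeyBits == 0` failure returns after `sc->namedCurve` has been assigned but before `sc->serverKeyPair` is set, leaving a half-populated slot for any caller that keeps `sc` on failure; both callers visible here (ssl_ConfigCert, ssl_AddCertChain) free it, so this is latent, but moving the namedCurve assignment below the key-bits check, or clearing it on that path, removes the hazard. Separately, the comment `This will update the global session ticket key pair with this key` uses the old name for what ssl3prot.h now calls the self-encrypt key; `/* Register this key as the global self-encrypt key pair if none is set yet. */` matches the callee's name.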
@@ -281,12 +308,39 @@ ssl_PopulateSignedCertTimestamps(sslServerCert *sc, return SECSuccess; } +/* Find any existing certificates that overlap with the new certificate and + * either remove any supported authentication types that overlap with the new + * certificate or - if they have no types left - remove them entirely. */ +static void +ssl_ClearMatchingCerts(sslSocket *ss, sslAuthTypeMask authTypes, + const sslNamedGroupDef *namedCurve) +{ + PRCList *cursor = PR_NEXT_LINK(&ss->serverCerts); + + while (cursor != &ss->serverCerts) { + sslServerCert *sc = (sslServerCert *)cursor; + cursor = PR_NEXT_LINK(cursor); + if ((sc->authTypes & authTypes) == 0) { + continue; + } + /* namedCurve will be NULL only for legacy functions. */ + if (namedCurve != NULL && sc->namedCurve != namedCurve) { + continue; + } + + sc->authTypes &= ~authTypes; + if (sc->authTypes == 0) { + PR_REMOVE_LINK(&sc->link); + ssl_FreeServerCert(sc); + } + } +} + static SECStatus -ssl_ConfigCert(sslSocket *ss, CERTCertificate *cert, - sslKeyPair *keyPair, const SSLExtraServerCertData *data) +ssl_ConfigCert(sslSocket *ss, sslAuthTypeMask authTypes, + CERTCertificate *cert, sslKeyPair *keyPair, + const SSLExtraServerCertData *data) { - sslServerCert *oldsc; - sslServerCertType certType; SECStatus rv; sslServerCert *sc = NULL; int error_code = SEC_ERROR_NO_MEMORY; 
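Review bot: The comment `namedCurve will be NULL only for legacy functions` in ssl_ClearMatchingCerts is not accurate for the call added in ssl_ConfigCert, which passes `sc->namedCurve` and therefore NULL for every non-EC certificate (ssl_PopulateKeyPair only assigns it for EC keys). The behaviour is still right, since a non-EC certificate should clear overlapping types regardless of curve, but the comment should say so: `/* namedCurve is NULL for legacy callers and for non-EC certificates; in both cases every curve matches. */`. ssl_ConfigCert continues past the end of this hunk.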
@@ -294,34 +348,26 @@ ssl_ConfigCert(sslSocket *ss, CERTCertificate *cert, PORT_Assert(cert); PORT_Assert(keyPair); PORT_Assert(data); - PORT_Assert(data->authType != ssl_auth_null); + PORT_Assert(authTypes); - if (!cert || !keyPair || !data || data->authType == ssl_auth_null) { + if (!cert || !keyPair || !data || !authTypes) { error_code = SEC_ERROR_INVALID_ARGS; goto loser; } - ssl_PopulateCertType(&certType, data->authType, cert, keyPair); - - /* Delete any existing certificate that matches this one, since we can only - * use one certificate of a given type. */ - oldsc = ssl_FindServerCert(ss, &certType); - if (oldsc) { - PR_REMOVE_LINK(&oldsc->link); - ssl_FreeServerCert(oldsc); - } - sc = ssl_NewServerCert(&certType); + sc = ssl_NewServerCert(); if (!sc) { goto loser; } + sc->authTypes = authTypes; rv = ssl_PopulateServerCert(sc, cert, data->certChain); if (rv != SECSuccess) { goto loser; } rv = ssl_PopulateKeyPair(sc, keyPair); if (rv != SECSuccess) { - error_code = SEC_ERROR_INVALID_ARGS; + error_code = PORT_GetError(); goto loser; } rv = ssl_PopulateOCSPResponses(sc, data->stapledOCSPResponses); @@ -332,23 +378,12 @@ ssl_ConfigCert(sslSocket *ss, CERTCertificate *cert, if (rv != SECSuccess) { goto loser; } + ssl_ClearMatchingCerts(ss, sc->authTypes, sc->namedCurve); PR_APPEND_LINK(&sc->link, &ss->serverCerts); - - /* This one-time setup depends on having the certificate in place. */ - rv = ssl_OneTimeCertSetup(ss, sc); - if (rv != SECSuccess) { - PR_REMOVE_LINK(&sc->link); - error_code = PORT_GetError(); - goto loser; - } return SECSuccess; loser: - if (sc) { - ssl_FreeServerCert(sc); - } - /* This is the only way any of the calls above can fail, except the one time - * setup, which doesn't land here. */ + ssl_FreeServerCert(sc); PORT_SetError(error_code); return SECFailure; } 
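Review bot: The loser label in ssl_ConfigCert now calls `ssl_FreeServerCert(sc)` unconditionally, and `sc` is still NULL when `ssl_NewServerCert()` fails (the first `goto loser` after the argument checks); the `if (sc)` guard it replaces covered exactly that case. ssl_AddCertChain in the @@ -630 hunk has the same shape, with `goto loser` directly after `if (!sc)`. Unless ssl_FreeServerCert returns early on NULL (its start is not visible here), restore the guard or add a NULL check at the top of ssl_FreeServerCert.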
@@ -382,114 +417,55 @@ ssl_GetEcdhAuthType(CERTCertificate *cert) } } -/* This function examines the key usages of the given RSA-PKCS1 certificate - * and configures one or multiple server certificates based on that data. - * - * If the data argument contains an authType value other than ssl_auth_null, - * then only that slot will be used. If that choice is invalid, - * then this will fail. */ -static SECStatus -ssl_ConfigRsaPkcs1CertByUsage(sslSocket *ss, CERTCertificate *cert, - sslKeyPair *keyPair, - SSLExtraServerCertData *data) -{ - SECStatus rv = SECFailure; - - PRBool ku_sig = (PRBool)(cert->keyUsage & KU_DIGITAL_SIGNATURE); - PRBool ku_enc = (PRBool)(cert->keyUsage & KU_KEY_ENCIPHERMENT); - - if ((data->authType == ssl_auth_rsa_sign && ku_sig) || - (data->authType == ssl_auth_rsa_pss && ku_sig) || - (data->authType == ssl_auth_rsa_decrypt && ku_enc)) { - return ssl_ConfigCert(ss, cert, keyPair, data); - } - - if (data->authType != ssl_auth_null || !(ku_sig || ku_enc)) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - - if (ku_sig) { - data->authType = ssl_auth_rsa_sign; - rv = ssl_ConfigCert(ss, cert, keyPair, data); - if (rv != SECSuccess) { - return rv; - } - - /* This certificate is RSA, assume that it's also PSS. */ - data->authType = ssl_auth_rsa_pss; - rv = ssl_ConfigCert(ss, cert, keyPair, data); - if (rv != SECSuccess) { - return rv; - } - } - - if (ku_enc) { - /* If ku_sig=true we configure signature and encryption slots with the - * same cert. This is bad form, but there are enough dual-usage RSA - * certs that we can't really break by limiting this to one type. */ - data->authType = ssl_auth_rsa_decrypt; - rv = ssl_ConfigCert(ss, cert, keyPair, data); - if (rv != SECSuccess) { - return rv; - } - } - - return rv; -} - /* This function examines the type of certificate and its key usage and - * configures a certificate based on that information. 
For some certificates - * this can mean that multiple server certificates are configured. + * chooses which authTypes apply. For some certificates + * this can mean that multiple authTypes. * - * If the data argument contains an authType value other than ssl_auth_null, - * then only that slot will be used. If that choice is invalid, - * then this will fail. */ -static SECStatus -ssl_ConfigCertByUsage(sslSocket *ss, CERTCertificate *cert, - sslKeyPair *keyPair, const SSLExtraServerCertData *data) + * If the targetAuthType is not ssl_auth_null, then only that type will be used. + * If that choice is invalid, then this function will fail. */ +static sslAuthTypeMask +ssl_GetCertificateAuthTypes(CERTCertificate *cert, SSLAuthType targetAuthType) { - SECStatus rv = SECFailure; - SSLExtraServerCertData arg; + sslAuthTypeMask authTypes = 0; SECOidTag tag; - PORT_Assert(data); - /* Take a (shallow) copy so that we can play with it */ - memcpy(&arg, data, sizeof(arg)); - tag = SECOID_GetAlgorithmTag(&cert->subjectPublicKeyInfo.algorithm); switch (tag) { case SEC_OID_X500_RSA_ENCRYPTION: case SEC_OID_PKCS1_RSA_ENCRYPTION: - return ssl_ConfigRsaPkcs1CertByUsage(ss, cert, keyPair, &arg); + if (cert->keyUsage & KU_DIGITAL_SIGNATURE) { + authTypes |= 1 << ssl_auth_rsa_sign; + /* This certificate is RSA, assume that it's also PSS. */ + authTypes |= 1 << ssl_auth_rsa_pss; + } + + if (cert->keyUsage & KU_KEY_ENCIPHERMENT) { + /* If ku_sig=true we configure signature and encryption slots with the + * same cert. This is bad form, but there are enough dual-usage RSA + * certs that we can't really break by limiting this to one type. 
*/ + authTypes |= 1 << ssl_auth_rsa_decrypt; + } + break; case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: if (cert->keyUsage & KU_DIGITAL_SIGNATURE) { - arg.authType = ssl_auth_rsa_pss; + authTypes |= 1 << ssl_auth_rsa_pss; } break; case SEC_OID_ANSIX9_DSA_SIGNATURE: if (cert->keyUsage & KU_DIGITAL_SIGNATURE) { - arg.authType = ssl_auth_dsa; + authTypes |= 1 << ssl_auth_dsa; } break; case SEC_OID_ANSIX962_EC_PUBLIC_KEY: + if (cert->keyUsage & KU_DIGITAL_SIGNATURE) { + authTypes |= 1 << ssl_auth_ecdsa; + } + /* Again, bad form to have dual usage and we don't prevent it. */ if (cert->keyUsage & KU_KEY_ENCIPHERMENT) { - if ((cert->keyUsage & KU_DIGITAL_SIGNATURE) && - arg.authType == ssl_auth_null) { - /* See above regarding bad practice. */ - arg.authType = ssl_auth_ecdsa; - rv = ssl_ConfigCert(ss, cert, keyPair, &arg); - if (rv != SECSuccess) { - return rv; - } - } - - arg.authType = ssl_GetEcdhAuthType(cert); - } else if (cert->keyUsage & KU_DIGITAL_SIGNATURE) { - arg.authType = ssl_auth_ecdsa; + authTypes |= 1 << ssl_GetEcdhAuthType(cert); } break; 
@@ -498,27 +474,33 @@ ssl_ConfigCertByUsage(sslSocket *ss, CERTCertificate *cert, } /* Check that we successfully picked an authType */ - if (arg.authType == ssl_auth_null) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - /* |data->authType| has to either agree or be ssl_auth_null. */ - if (data && data->authType != ssl_auth_null && - data->authType != arg.authType) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + if (targetAuthType != ssl_auth_null) { + authTypes &= 1 << targetAuthType; } - return ssl_ConfigCert(ss, cert, keyPair, &arg); + return authTypes; } /* This function adopts pubKey and destroys it if things go wrong. */ static sslKeyPair * -ssl_MakeKeyPairForCert(SECKEYPrivateKey *key, SECKEYPublicKey *pubKey) +ssl_MakeKeyPairForCert(SECKEYPrivateKey *key, CERTCertificate *cert) { sslKeyPair *keyPair = NULL; + SECKEYPublicKey *pubKey = NULL; SECKEYPrivateKey *privKeyCopy = NULL; PK11SlotInfo *bestSlot; + pubKey = CERT_ExtractPublicKey(cert); + if (!pubKey) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; + } + + if (SECKEY_GetPublicKeyType(pubKey) != SECKEY_GetPrivateKeyType(key)) { + SECKEY_DestroyPublicKey(pubKey); + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + if (key->pkcs11Slot) { bestSlot = PK11_ReferenceSlot(key->pkcs11Slot); if (bestSlot) { 
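Review bot: The rewritten header comment for ssl_GetCertificateAuthTypes reads `this can mean that multiple authTypes.`, an unfinished sentence; `this can mean that multiple authTypes apply.` completes it. The inner comment `If ku_sig=true we configure signature and encryption slots` refers to a local that no longer exists; `If KU_DIGITAL_SIGNATURE is also set, the same certificate serves both the signature and the decrypt types.` describes the new code. The start of ssl_GetEcdhAuthType is outside this hunk, so whether `1 << ssl_GetEcdhAuthType(cert)` can ever shift by ssl_auth_null cannot be checked here.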
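Review bot: The new `CERT_ExtractPublicKey` failure branch in ssl_MakeKeyPairForCert sets SEC_ERROR_NO_MEMORY, which replaces whatever error the extraction itself reported, so a certificate whose key the library cannot decode could be reported to callers as out-of-memory. Leaving the callee's error in place (`if (!pubKey) { return NULL; }`) keeps the diagnosis precise, and the same consideration applies to the `PORT_SetError(SEC_ERROR_NO_MEMORY)` added at the end of this function in the @@ -545 hunk. ssl_MakeKeyPairForCert continues past this hunk.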
@@ -545,20 +527,18 @@ ssl_MakeKeyPairForCert(SECKEYPrivateKey *key, SECKEYPublicKey *pubKey) if (privKeyCopy) { SECKEY_DestroyPrivateKey(privKeyCopy); } - /* We adopted the public key, so we're responsible. */ - if (pubKey) { - SECKEY_DestroyPublicKey(pubKey); - } + SECKEY_DestroyPublicKey(pubKey); + PORT_SetError(SEC_ERROR_NO_MEMORY); } return keyPair; } /* Configure a certificate and private key. * - * This function examines the certificate and key to determine which slot (or - * slots) to place the information in. As long as certificates are different - * (based on having different values of sslServerCertType), then this function - * can be called multiple times and the certificates will all be remembered. + * This function examines the certificate and key to determine the type (or + * types) of authentication the certificate supports. As long as certificates + * are different (different authTypes and maybe keys in different ec groups), + * then this function can be called multiple times. */ SECStatus SSL_ConfigServerCert(PRFileDesc *fd, CERTCertificate *cert, @@ -566,12 +546,12 @@ SSL_ConfigServerCert(PRFileDesc *fd, CERTCertificate *cert, const SSLExtraServerCertData *data, unsigned int data_len) { sslSocket *ss; - SECKEYPublicKey *pubKey; sslKeyPair *keyPair; SECStatus rv; SSLExtraServerCertData dataCopy = { ssl_auth_null, NULL, NULL, NULL }; + sslAuthTypeMask authTypes; ss = ssl_FindSocket(fd); if (!ss) { 
@@ -591,21 +571,23 @@ SSL_ConfigServerCert(PRFileDesc *fd, CERTCertificate *cert, PORT_Memcpy(&dataCopy, data, data_len); } - pubKey = CERT_ExtractPublicKey(cert); - if (!pubKey) { + authTypes = ssl_GetCertificateAuthTypes(cert, dataCopy.authType); + if (!authTypes) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - keyPair = ssl_MakeKeyPairForCert(key, pubKey); + keyPair = ssl_MakeKeyPairForCert(key, cert); if (!keyPair) { - /* pubKey is adopted by ssl_MakeKeyPairForCert() */ - PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } - rv = ssl_ConfigCertByUsage(ss, cert, keyPair, &dataCopy); + rv = ssl_ConfigCert(ss, authTypes, cert, keyPair, &dataCopy); ssl_FreeKeyPair(keyPair); - return rv; + if (rv != SECSuccess) { + return SECFailure; + } + return SECSuccess; } /*******************************************************************/ 
@@ -630,164 +612,148 @@ SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert, * ssl_ConfigCertByUsage(), only checking against the type of key and ignoring * things like usage. */ static PRBool -ssl_CertSuitableForAuthType(CERTCertificate *cert, SSLAuthType authType) +ssl_CertSuitableForAuthType(CERTCertificate *cert, sslAuthTypeMask authTypes) { SECOidTag tag = SECOID_GetAlgorithmTag(&cert->subjectPublicKeyInfo.algorithm); - switch (authType) { - case ssl_auth_rsa_decrypt: - case ssl_auth_rsa_sign: - return tag == SEC_OID_X500_RSA_ENCRYPTION || - tag == SEC_OID_PKCS1_RSA_ENCRYPTION; - case ssl_auth_dsa: - return tag == SEC_OID_ANSIX9_DSA_SIGNATURE; - case ssl_auth_ecdsa: - case ssl_auth_ecdh_rsa: - case ssl_auth_ecdh_ecdsa: - return tag == SEC_OID_ANSIX962_EC_PUBLIC_KEY; - case ssl_auth_null: - case ssl_auth_kea: - case ssl_auth_rsa_pss: /* not supported with deprecated APIs */ - return PR_FALSE; + sslAuthTypeMask mask = 0; + switch (tag) { + case SEC_OID_X500_RSA_ENCRYPTION: + case SEC_OID_PKCS1_RSA_ENCRYPTION: + mask |= 1 << ssl_auth_rsa_decrypt; + mask |= 1 << ssl_auth_rsa_sign; + break; + case SEC_OID_ANSIX9_DSA_SIGNATURE: + mask |= 1 << ssl_auth_dsa; + break; + case SEC_OID_ANSIX962_EC_PUBLIC_KEY: + mask |= 1 << ssl_auth_ecdsa; + mask |= 1 << ssl_auth_ecdh_rsa; + mask |= 1 << ssl_auth_ecdh_ecdsa; + break; default: - PORT_Assert(0); - return PR_FALSE; + break; + } + PORT_Assert(authTypes); + /* Simply test that no inappropriate auth types are set. */ + return (authTypes & ~mask) == 0; +} + +/* Lookup a cert for the legacy configuration functions. An exact match on + * authTypes and ignoring namedCurve will ensure that values configured using + * legacy functions are overwritten by other legacy functions. 
*/ +static sslServerCert * +ssl_FindCertWithMask(sslSocket *ss, sslAuthTypeMask authTypes) +{ + PRCList *cursor; + + for (cursor = PR_NEXT_LINK(&ss->serverCerts); + cursor != &ss->serverCerts; + cursor = PR_NEXT_LINK(cursor)) { + sslServerCert *cert = (sslServerCert *)cursor; + if (cert->authTypes == authTypes) { + return cert; + } } + return NULL; } -/* This finds an existing server cert slot and unlinks it, or it makes a new +/* This finds an existing server cert in a matching slot that can be reused. + * Failing that, it removes any other certs that might conflict and makes a new * server cert slot of the right type. */ static sslServerCert * -ssl_FindOrMakeCertType(sslSocket *ss, SSLAuthType authType) +ssl_FindOrMakeCert(sslSocket *ss, sslAuthTypeMask authTypes) { sslServerCert *sc; - sslServerCertType certType; - certType.authType = authType; - /* Setting the named curve to NULL ensures that all EC certificates - * are matched when searching for this slot. */ - certType.namedCurve = NULL; - sc = ssl_FindServerCert(ss, &certType); + /* Reuse a perfect match. Note that there is a problem here with use of + * multiple EC certificates that have keys on different curves: these + * deprecated functions will match the first found and overwrite that + * certificate, potentially leaving the other values with a duplicate curve. + * Configuring multiple EC certificates are only possible with the new + * functions, so this is not something that is worth fixing. */ + sc = ssl_FindCertWithMask(ss, authTypes); if (sc) { PR_REMOVE_LINK(&sc->link); return sc; } - return ssl_NewServerCert(&certType); + /* Ignore the namedCurve parameter. Like above, this means that legacy + * functions will clobber values set with the new functions blindly. 
*/ + ssl_ClearMatchingCerts(ss, authTypes, NULL); + + sc = ssl_NewServerCert(); + if (sc) { + sc->authTypes = authTypes; + } + return sc; } -static void -ssl_RemoveCertAndKeyByAuthType(sslSocket *ss, SSLAuthType authType) +static sslAuthTypeMask +ssl_KeaTypeToAuthTypeMask(SSLKEAType keaType) { - sslServerCert *sc; + switch (keaType) { + case ssl_kea_rsa: + return (1 << ssl_auth_rsa_decrypt) | + (1 << ssl_auth_rsa_sign); - sc = ssl_FindServerCertByAuthType(ss, authType); - if (sc) { - (void)ssl_PopulateServerCert(sc, NULL, NULL); - (void)ssl_PopulateKeyPair(sc, NULL); - /* Leave the entry linked here because the old API expects that. There - * might be OCSP stapling values or signed certificate timestamps still - * present that will subsequently be used. */ - /* For ECC certificates, also leave the namedCurve parameter on the slot - * unchanged; the value will be updated when a key is added. */ + case ssl_kea_dh: + return 1 << ssl_auth_dsa; + + case ssl_kea_ecdh: + return (1 << ssl_auth_ecdsa) | + (1 << ssl_auth_ecdh_rsa) | + (1 << ssl_auth_ecdh_ecdsa); + + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); } + return 0; } static SECStatus -ssl_AddCertAndKeyByAuthType(sslSocket *ss, SSLAuthType authType, - CERTCertificate *cert, - const CERTCertificateList *certChainOpt, - sslKeyPair *keyPair) +ssl_AddCertChain(sslSocket *ss, CERTCertificate *cert, + const CERTCertificateList *certChainOpt, + SECKEYPrivateKey *key, sslAuthTypeMask authTypes) { sslServerCert *sc; + sslKeyPair *keyPair; SECStatus rv; + PRErrorCode err = SEC_ERROR_NO_MEMORY; - if (!ssl_CertSuitableForAuthType(cert, authType)) { + if (!ssl_CertSuitableForAuthType(cert, authTypes)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - sc = ssl_FindOrMakeCertType(ss, authType); + sc = ssl_FindOrMakeCert(ss, authTypes); if (!sc) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return SECFailure; - } - rv = ssl_PopulateKeyPair(sc, keyPair); - if (rv != SECSuccess) { - 
PORT_SetError(SEC_ERROR_INVALID_ARGS); goto loser; } - /* Now that we have a key pair, update the details of the slot. Many of the - * legacy functions create a slot with a namedCurve of NULL, which - * makes the slot unusable; this corrects that. */ - ssl_PopulateCertType(&sc->certType, authType, cert, keyPair); + rv = ssl_PopulateServerCert(sc, cert, certChainOpt); if (rv != SECSuccess) { - PORT_SetError(SEC_ERROR_NO_MEMORY); goto loser; } - PR_APPEND_LINK(&sc->link, &ss->serverCerts); - return ssl_OneTimeCertSetup(ss, sc); -loser: - ssl_FreeServerCert(sc); - return SECFailure; -} - -static SECStatus -ssl_AddCertsByKEA(sslSocket *ss, CERTCertificate *cert, - const CERTCertificateList *certChainOpt, - SECKEYPrivateKey *key, SSLKEAType certType) -{ - SECKEYPublicKey *pubKey; - sslKeyPair *keyPair; - SECStatus rv; - pubKey = CERT_ExtractPublicKey(cert); - if (!pubKey) { - return SECFailure; - } - - keyPair = ssl_MakeKeyPairForCert(key, pubKey); + keyPair = ssl_MakeKeyPairForCert(key, cert); if (!keyPair) { - /* Note: pubKey is adopted or freed by ssl_MakeKeyPairForCert() - * depending on whether it succeeds or not. 
*/ - PORT_SetError(SEC_ERROR_NO_MEMORY); - return SECFailure; + /* Error code is set by ssl_MakeKeyPairForCert */ + goto loser; } - - switch (certType) { - case ssl_kea_rsa: - rv = ssl_AddCertAndKeyByAuthType(ss, ssl_auth_rsa_decrypt, - cert, certChainOpt, keyPair); - if (rv != SECSuccess) { - return SECFailure; - } - rv = ssl_AddCertAndKeyByAuthType(ss, ssl_auth_rsa_sign, - cert, certChainOpt, keyPair); - break; - - case ssl_kea_dh: - rv = ssl_AddCertAndKeyByAuthType(ss, ssl_auth_dsa, - cert, certChainOpt, keyPair); - break; - - case ssl_kea_ecdh: - rv = ssl_AddCertAndKeyByAuthType(ss, ssl_auth_ecdsa, - cert, certChainOpt, keyPair); - if (rv != SECSuccess) { - return SECFailure; - } - rv = ssl_AddCertAndKeyByAuthType(ss, ssl_GetEcdhAuthType(cert), - cert, certChainOpt, keyPair); - break; - - default: - PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; - break; + rv = ssl_PopulateKeyPair(sc, keyPair); + ssl_FreeKeyPair(keyPair); + if (rv != SECSuccess) { + err = PORT_GetError(); + goto loser; } - ssl_FreeKeyPair(keyPair); - return rv; + PR_APPEND_LINK(&sc->link, &ss->serverCerts); + return SECSuccess; + +loser: + ssl_FreeServerCert(sc); + PORT_SetError(err); + return SECFailure; } /* Public deprecated function */ @@ -797,6 +763,7 @@ SSL_ConfigSecureServerWithCertChain(PRFileDesc *fd, CERTCertificate *cert, SECKEYPrivateKey *key, SSLKEAType certType) { sslSocket *ss; + sslAuthTypeMask authTypes; ss = ssl_FindSocket(fd); if (!ss) { 
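Review bot: The context comment above ssl_CertSuitableForAuthType still says it mirrors `ssl_ConfigCertByUsage()`, a function this commit removes; it should name `ssl_GetCertificateAuthTypes()` instead. In ssl_KeaTypeToAuthTypeMask the default branch sets SEC_ERROR_INVALID_ARGS before returning 0, and both callers in the following hunks set the same error again on a zero result; either the helper or the callers should own that, not both. ssl_FindOrMakeCert's header comment documents the curve-clobbering limitation well, which is the right call for a deprecated path.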
@@ -808,52 +775,25 @@ SSL_ConfigSecureServerWithCertChain(PRFileDesc *fd, CERTCertificate *cert, return SECFailure; } + authTypes = ssl_KeaTypeToAuthTypeMask(certType); + if (!authTypes) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + if (!cert) { - switch (certType) { - case ssl_kea_rsa: - ssl_RemoveCertAndKeyByAuthType(ss, ssl_auth_rsa_decrypt); - ssl_RemoveCertAndKeyByAuthType(ss, ssl_auth_rsa_sign); - break; - - case ssl_kea_dh: - ssl_RemoveCertAndKeyByAuthType(ss, ssl_auth_dsa); - break; - - case ssl_kea_ecdh: - ssl_RemoveCertAndKeyByAuthType(ss, ssl_auth_ecdsa); - ssl_RemoveCertAndKeyByAuthType(ss, ssl_auth_ecdh_rsa); - ssl_RemoveCertAndKeyByAuthType(ss, ssl_auth_ecdh_ecdsa); - break; - - default: - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + sslServerCert *sc = ssl_FindCertWithMask(ss, authTypes); + if (sc) { + (void)ssl_PopulateServerCert(sc, NULL, NULL); + (void)ssl_PopulateKeyPair(sc, NULL); + /* Leave the entry linked here because the old API expects that. + * There might be OCSP stapling values or signed certificate + * timestamps still present that will subsequently be used. */ } return SECSuccess; } - return ssl_AddCertsByKEA(ss, cert, certChainOpt, key, certType); -} - -static SECStatus -ssl_SetOCSPResponsesInSlot(sslSocket *ss, SSLAuthType authType, - const SECItemArray *responses) -{ - sslServerCert *sc; - SECStatus rv; - - sc = ssl_FindOrMakeCertType(ss, authType); - if (!sc) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return SECFailure; - } - rv = ssl_PopulateOCSPResponses(sc, responses); - if (rv == SECSuccess) { - PR_APPEND_LINK(&sc->link, &ss->serverCerts); - } else { - ssl_FreeServerCert(sc); - } - return rv; + return ssl_AddCertChain(ss, cert, certChainOpt, key, authTypes); } /* Public deprecated function */ 
@@ -862,6 +802,8 @@ SSL_SetStapledOCSPResponses(PRFileDesc *fd, const SECItemArray *responses, SSLKEAType certType) { sslSocket *ss; + sslServerCert *sc; + sslAuthTypeMask authTypes; SECStatus rv; ss = ssl_FindSocket(fd); 
@@ -871,49 +813,28 @@ SSL_SetStapledOCSPResponses(PRFileDesc *fd, const SECItemArray *responses, return SECFailure; } - switch (certType) { - case ssl_kea_rsa: - rv = ssl_SetOCSPResponsesInSlot(ss, ssl_auth_rsa_decrypt, responses); - if (rv != SECSuccess) { - return SECFailure; - } - return ssl_SetOCSPResponsesInSlot(ss, ssl_auth_rsa_sign, responses); - - case ssl_kea_dh: - return ssl_SetOCSPResponsesInSlot(ss, ssl_auth_dsa, responses); - - case ssl_kea_ecdh: - rv = ssl_SetOCSPResponsesInSlot(ss, ssl_auth_ecdsa, responses); - if (rv != SECSuccess) { - return SECFailure; - } - rv = ssl_SetOCSPResponsesInSlot(ss, ssl_auth_ecdh_rsa, responses); - if (rv != SECSuccess) { - return SECFailure; - } - return ssl_SetOCSPResponsesInSlot(ss, ssl_auth_ecdh_ecdsa, responses); - - default: - SSL_DBG(("%d: SSL[%d]: invalid cert type in SSL_SetStapledOCSPResponses", - SSL_GETPID(), fd)); - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + authTypes = ssl_KeaTypeToAuthTypeMask(certType); + if (!authTypes) { + SSL_DBG(("%d: SSL[%d]: invalid cert type in SSL_SetStapledOCSPResponses", + SSL_GETPID(), fd)); + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } -} -static SECStatus -ssl_SetSignedTimestampsInSlot(sslSocket *ss, SSLAuthType authType, - const SECItem *scts) -{ - sslServerCert *sc; - SECStatus rv; + if (!responses) { + sc = ssl_FindCertWithMask(ss, authTypes); + if (sc) { + (void)ssl_PopulateOCSPResponses(sc, NULL); + } + return SECSuccess; + } - sc = ssl_FindOrMakeCertType(ss, authType); + sc = ssl_FindOrMakeCert(ss, authTypes); if (!sc) { - PORT_SetError(SEC_ERROR_NO_MEMORY); return SECFailure; } - rv = ssl_PopulateSignedCertTimestamps(sc, scts); + + rv = ssl_PopulateOCSPResponses(sc, responses); if (rv == SECSuccess) { PR_APPEND_LINK(&sc->link, &ss->serverCerts); } else { 
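Review bot: After `sc = ssl_FindOrMakeCert(ss, authTypes)` the code unconditionally does `PR_APPEND_LINK(&sc->link, &ss->serverCerts)` on success and `ssl_FreeServerCert(sc)` on failure; if ssl_FindOrMakeCert can return an entry that is already linked into `ss->serverCerts`, the append corrupts the list and the free leaves a dangling link. ssl_FindOrMakeCert is outside this hunk, so its contract (returns an unlinked entry or a copy) should be confirmed and stated at the call site, e.g. `/* sc is not linked into ss->serverCerts; it is linked or freed below. */`. The hunk also drops `PORT_SetError(SEC_ERROR_NO_MEMORY)` on `!sc`, so the function now relies on ssl_FindOrMakeCert having set an error code, which deserves a comment too. SSL_SetStapledOCSPResponses starts outside this hunk.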
@@ -928,6 +849,8 @@ SSL_SetSignedCertTimestamps(PRFileDesc *fd, const SECItem *scts, SSLKEAType certType) { sslSocket *ss; + sslServerCert *sc; + sslAuthTypeMask authTypes; SECStatus rv; ss = ssl_FindSocket(fd); @@ -937,34 +860,34 @@ SSL_SetSignedCertTimestamps(PRFileDesc *fd, const SECItem *scts, return SECFailure; } - switch (certType) { - case ssl_kea_rsa: - rv = ssl_SetSignedTimestampsInSlot(ss, ssl_auth_rsa_decrypt, scts); - if (rv != SECSuccess) { - return SECFailure; - } - return ssl_SetSignedTimestampsInSlot(ss, ssl_auth_rsa_sign, scts); + authTypes = ssl_KeaTypeToAuthTypeMask(certType); + if (!authTypes) { + SSL_DBG(("%d: SSL[%d]: invalid cert type in SSL_SetSignedCertTimestamps", + SSL_GETPID(), fd)); + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } - case ssl_kea_dh: - return ssl_SetSignedTimestampsInSlot(ss, ssl_auth_dsa, scts); + if (!scts) { + sc = ssl_FindCertWithMask(ss, authTypes); + if (sc) { + (void)ssl_PopulateSignedCertTimestamps(sc, NULL); + } + return SECSuccess; + } - case ssl_kea_ecdh: - rv = ssl_SetSignedTimestampsInSlot(ss, ssl_auth_ecdsa, scts); - if (rv != SECSuccess) { - return SECFailure; - } - rv = ssl_SetSignedTimestampsInSlot(ss, ssl_auth_ecdh_rsa, scts); - if (rv != SECSuccess) { - return SECFailure; - } - return ssl_SetSignedTimestampsInSlot(ss, ssl_auth_ecdh_ecdsa, scts); + sc = ssl_FindOrMakeCert(ss, authTypes); + if (!sc) { + return SECFailure; + } - default: - SSL_DBG(("%d: SSL[%d]: invalid cert type in SSL_SetSignedCertTimestamps", - SSL_GETPID(), fd)); - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + rv = ssl_PopulateSignedCertTimestamps(sc, scts); + if (rv == SECSuccess) { + PR_APPEND_LINK(&sc->link, &ss->serverCerts); + } else { + ssl_FreeServerCert(sc); } + return rv; } /* Public deprecated function. */ diff --git a/security/nss/lib/ssl/sslcert.h b/security/nss/lib/ssl/sslcert.h index 052c7d6db0..fb31d1389d 100644 --- a/security/nss/lib/ssl/sslcert.h +++ b/security/nss/lib/ssl/sslcert.h 
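Review bot: The new body of SSL_SetSignedCertTimestamps is line-for-line the same as SSL_SetStapledOCSPResponses in the previous hunk apart from the populate call: the mask check, the clear-on-NULL path, the `ssl_FindOrMakeCert`/`PR_APPEND_LINK`/`ssl_FreeServerCert` sequence and the debug message. Factor the shared part into a static helper taking the socket, the auth-type mask and a populate callback, so that any fix to the link/free handling lands in one place instead of two. The `(void)ssl_PopulateSignedCertTimestamps(sc, NULL)` cast hides a failure when clearing; if clearing cannot fail, say so in a one-line comment. Both functions start outside this hunk.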
@@ -13,26 +13,21 @@ #include "secitem.h" #include "keyhi.h" -/* The following struct identifies a single slot into which a certificate can be -** loaded. The authType field determines the basic slot, then additional -** parameters further narrow the slot. -** -** An EC key (ssl_auth_ecdsa or ssl_auth_ecdh_*) is assigned to a slot based on -** the named curve of the key. -*/ -typedef struct sslServerCertTypeStr { - SSLAuthType authType; +/* This type is a bitvector that is indexed by SSLAuthType values. Note that + * the bit for ssl_auth_null(0) - the least significant bit - isn't used. */ +typedef PRUint16 sslAuthTypeMask; +PR_STATIC_ASSERT(sizeof(sslAuthTypeMask) * 8 >= ssl_auth_size); + +typedef struct sslServerCertStr { + PRCList link; /* The linked list link */ + + /* The auth types that this certificate provides. */ + sslAuthTypeMask authTypes; /* For ssl_auth_ecdsa and ssl_auth_ecdh_*. This is only the named curve * of the end-entity certificate key. The keys in other certificates in * the chain aren't directly relevant to the operation of TLS (though it * might make certificate validation difficult, libssl doesn't care). */ const sslNamedGroupDef *namedCurve; -} sslServerCertType; - -typedef struct sslServerCertStr { - PRCList link; /* The linked list link */ - - sslServerCertType certType; /* The certificate slot this occupies */ /* Configuration state for server sockets */ CERTCertificate *serverCert; 
@@ -48,12 +43,18 @@ typedef struct sslServerCertStr { SECItem signedCertTimestamps; } sslServerCert; -extern sslServerCert *ssl_NewServerCert(const sslServerCertType *slot); +#define SSL_CERT_IS(c, t) ((c)->authTypes & (1 << (t))) +#define SSL_CERT_IS_ONLY(c, t) ((c)->authTypes == (1 << (t))) +#define SSL_CERT_IS_EC(c) \ + ((c)->authTypes & ((1 << ssl_auth_ecdsa) | \ + (1 << ssl_auth_ecdh_rsa) | \ + (1 << ssl_auth_ecdh_ecdsa))) + +extern sslServerCert *ssl_NewServerCert(); extern sslServerCert *ssl_CopyServerCert(const sslServerCert *oc); -extern sslServerCert *ssl_FindServerCert(const sslSocket *ss, - const sslServerCertType *slot); -extern sslServerCert *ssl_FindServerCertByAuthType(const sslSocket *ss, - SSLAuthType authType); +extern const sslServerCert *ssl_FindServerCert( + const sslSocket *ss, SSLAuthType authType, + const sslNamedGroupDef *namedCurve); extern void ssl_FreeServerCert(sslServerCert *sc); #endif /* __sslcert_h_ */ diff --git a/security/nss/lib/ssl/ssldef.c b/security/nss/lib/ssl/ssldef.c index 77a744cc7a..be5bcb2694 100644 --- a/security/nss/lib/ssl/ssldef.c +++ b/security/nss/lib/ssl/ssldef.c @@ -66,6 +66,8 @@ ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags) PRFileDesc *lower = ss->fd->lower; int rv; + PORT_Assert(buf && len > 0); + rv = lower->methods->recv(lower, (void *)buf, len, flags, ss->rTimeout); if (rv < 0) { DEFINE_ERROR diff --git a/security/nss/lib/ssl/sslerr.h b/security/nss/lib/ssl/sslerr.h index 751c33541d..865077cda6 100644 --- a/security/nss/lib/ssl/sslerr.h +++ b/security/nss/lib/ssl/sslerr.h 
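Review bot: `extern sslServerCert *ssl_NewServerCert();` declares a function with an unspecified parameter list in C, which disables argument type-checking at every call site; write `extern sslServerCert *ssl_NewServerCert(void);` to match a no-argument definition. The SSL_CERT_IS* macros would also benefit from a short comment stating that `t` is an SSLAuthType and that, as the typedef comment above says, the bit for ssl_auth_null is never set, so `SSL_CERT_IS(c, ssl_auth_null)` is always false.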
@@ -244,6 +244,8 @@ typedef enum { SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION = (SSL_ERROR_BASE + 157), SSL_ERROR_MALFORMED_PSK_KEY_EXCHANGE_MODES = (SSL_ERROR_BASE + 158), SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES = (SSL_ERROR_BASE + 159), + SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA = (SSL_ERROR_BASE + 160), + SSL_ERROR_TOO_MUCH_EARLY_DATA = (SSL_ERROR_BASE + 161), SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ } SSLErrorCodes; #endif /* NO_SECURITY_ERROR_ENUM */ diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h index 09c37832a4..64694b0df9 100644 --- a/security/nss/lib/ssl/sslimpl.h +++ b/security/nss/lib/ssl/sslimpl.h @@ -34,7 +34,7 @@ #include "sslt.h" /* for some formerly private types, now public */ typedef struct sslSocketStr sslSocket; - +typedef struct ssl3CipherSpecStr ssl3CipherSpec; #include "ssl3ext.h" /* to make some of these old enums public without namespace pollution, @@ -125,7 +125,8 @@ typedef enum { SSLAppOpRead = 0, #define SSL3_MASTER_SECRET_LENGTH 48 /* number of wrap mechanisms potentially used to wrap master secrets. */ -#define SSL_NUM_WRAP_MECHS 16 +#define SSL_NUM_WRAP_MECHS 15 +#define SSL_NUM_WRAP_KEYS 6 /* This makes the cert cache entry exactly 4k. */ #define SSL_MAX_CACHED_CERT_LEN 4060 @@ -200,6 +201,9 @@ typedef sslSessionID *(*sslSessionIDLookupFunc)(const PRIPv6Addr *addr, unsigned char *sid, unsigned int sidLen, CERTCertDBHandle *dbHandle); +typedef void (*sslCipherSpecChangedFunc)(void *arg, + PRBool sending, + ssl3CipherSpec *newSpec); /* Socket ops */ struct sslSocketOpsStr { @@ -367,6 +371,10 @@ struct sslGatherStr { /* the start of the buffered DTLS record in dtlsPacket */ unsigned int dtlsPacketOffset; + + /* tracks whether we've seen a v3-type record before and must reject + * any further v2-type records. */ + PRBool rejectV2Records; }; /* sslGather.state */ 
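Review bot: `SSL_NUM_WRAP_KEYS` is added without a comment while the neighbouring `SSL_NUM_WRAP_MECHS` keeps its description; both size the shared `keyCacheData` table (see the layout comment in sslsnce.c later in this patch), so a reader needs to know what the new dimension indexes. Suggested: `/* number of distinct wrapping keys (presumably indexed by wrapKeyIndex) kept per wrap mechanism in the shared cache. */`. Since changing either constant changes the shared-memory cache layout, a note that all processes attached to one cache must run the same libssl would also help; I cannot tell from this hunk whether the cache carries a format version check.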
@@ -408,7 +416,7 @@ typedef PRUint16 DTLSEpoch; typedef void (*DTLSTimerCb)(sslSocket *); typedef struct { - SSL3Opaque wrapped_master_secret[48]; + PRUint8 wrapped_master_secret[48]; PRUint16 wrapped_master_secret_len; PRUint8 msIsWrapped; PRUint8 resumable; @@ -422,7 +430,7 @@ typedef struct { SECItem write_key_item; SECItem write_iv_item; SECItem write_mac_key_item; - SSL3Opaque write_iv[MAX_IV_LENGTH]; + PRUint8 write_iv[MAX_IV_LENGTH]; } ssl3KeyMaterial; typedef SECStatus (*SSLCipher)(void *context, @@ -469,7 +477,7 @@ typedef struct DTLSRecvdRecordsStr { ** Access to the pointers to these specs, and all the specs' contents ** (direct and indirect) is protected by the reader/writer lock ss->specLock. */ -typedef struct { +struct ssl3CipherSpecStr { PRCList link; const ssl3BulkCipherDef *cipher_def; const ssl3MACDef *mac_def; @@ -496,10 +504,13 @@ typedef struct { SECItem msItem; DTLSEpoch epoch; DTLSRecvdRecords recvdRecords; + /* The number of 0-RTT bytes that can be sent or received in TLS 1.3. This + * will be zero for everything but 0-RTT. */ + PRUint32 earlyDataRemaining; PRUint8 refCt; const char *phase; -} ssl3CipherSpec; +}; typedef enum { never_cached, in_client_cache, @@ -523,10 +534,10 @@ struct sslSessionIDStr { */ CERTCertificate *peerCert; - SECItemArray peerCertStatus; /* client only */ - const char *peerID; /* client only */ - const char *urlSvrName; /* client only */ - sslServerCertType certType; + SECItemArray peerCertStatus; /* client only */ + const char *peerID; /* client only */ + const char *urlSvrName; /* client only */ + const sslNamedGroupDef *namedCurve; /* (server) for certificate lookup */ CERTCertificate *localCert; PRIPv6Addr addr; @@ -546,7 +557,7 @@ struct sslSessionIDStr { struct { /* values that are copied into the server's on-disk SID cache. */ PRUint8 sessionIDLength; - SSL3Opaque sessionID[SSL3_SESSIONID_BYTES]; + PRUint8 sessionID[SSL3_SESSIONID_BYTES]; ssl3CipherSuite cipherSuite; SSLCompressionMethod compression; 
@@ -804,7 +815,7 @@ typedef struct SSL3HandshakeStateStr { union { TLSFinished tFinished[2]; /* client, then server */ SSL3Finished sFinished[2]; - SSL3Opaque data[72]; + PRUint8 data[72]; } finishedMsgs; PRBool authCertificatePending; @@ -862,7 +873,6 @@ typedef struct SSL3HandshakeStateStr { TLS13CertificateRequest *certificateRequest; PRCList cipherSpecs; /* The cipher specs in the sequence they * will be applied. */ - ssl3CipherSpec *nullSpec; /* In case 0-RTT is rejected. */ sslZeroRttState zeroRttState; /* Are we doing a 0-RTT handshake? */ sslZeroRttIgnore zeroRttIgnore; /* Are we ignoring 0-RTT? */ ssl3CipherSuite zeroRttSuite; /* The cipher suite we used for 0-RTT. */ @@ -894,6 +904,11 @@ struct ssl3StateStr { ssl3CipherSpec *cwSpec; /* current write spec. */ ssl3CipherSpec *pwSpec; /* pending write spec. */ + /* Internal callback for when we do a cipher suite change. Used for + * debugging in TLS 1.3. This can only be set by non-public functions. */ + sslCipherSpecChangedFunc changedCipherSpecFunc; + void *changedCipherSpecArg; + CERTCertificate *clientCertificate; /* used by client */ SECKEYPrivateKey *clientPrivateKey; /* used by client */ CERTCertificateList *clientCertChain; /* used by client */ 
@@ -965,19 +980,19 @@ struct ssl3DHParamsStr { }; typedef struct SSLWrappedSymWrappingKeyStr { - SSL3Opaque wrappedSymmetricWrappingkey[512]; + PRUint8 wrappedSymmetricWrappingkey[512]; CK_MECHANISM_TYPE symWrapMechanism; /* unwrapped symmetric wrapping key uses this mechanism */ CK_MECHANISM_TYPE asymWrapMechanism; /* mechanism used to wrap the SymmetricWrappingKey using * server's public and/or private keys. */ - SSLAuthType authType; /* type of keys used to wrap SymWrapKey*/ - PRInt32 symWrapMechIndex; + PRInt16 wrapMechIndex; + PRUint16 wrapKeyIndex; PRUint16 wrappedSymKeyLen; } SSLWrappedSymWrappingKey; typedef struct SessionTicketStr { - PRUint16 ticket_version; + PRBool valid; SSL3ProtocolVersion ssl_version; ssl3CipherSuite cipher_suite; SSLCompressionMethod compression_method; @@ -985,21 +1000,23 @@ typedef struct SessionTicketStr { PRUint32 authKeyBits; SSLKEAType keaType; PRUint32 keaKeyBits; - sslServerCertType certType; + const sslNamedGroupDef *namedCurve; /* For certificate lookup. */ + /* * msWrapMech contains a meaningful value only if ms_is_wrapped is true. */ PRUint8 ms_is_wrapped; CK_MECHANISM_TYPE msWrapMech; PRUint16 ms_length; - SSL3Opaque master_secret[48]; + PRUint8 master_secret[48]; PRBool extendedMasterSecretUsed; - ClientIdentity client_identity; + ClientAuthenticationType client_auth_type; SECItem peer_cert; PRUint32 timestamp; PRUint32 flags; SECItem srvName; /* negotiated server name */ SECItem alpnSelection; + PRUint32 maxEarlyData; } SessionTicket; /* @@ -1121,6 +1138,10 @@ struct sslSocketStr { void *getClientAuthDataArg; SSLSNISocketConfig sniSocketConfig; void *sniSocketConfigArg; + SSLAlertCallback alertReceivedCallback; + void *alertReceivedCallbackArg; + SSLAlertCallback alertSentCallback; + void *alertSentCallbackArg; SSLBadCertHandler handleBadCert; void *badCertArg; SSLHandshakeCallback handshakeCallback; 
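Review bot: In SSLWrappedSymWrappingKey, `wrapMechIndex` is PRInt16 while `wrapKeyIndex` is PRUint16 and ssl_GetWrappingKey later in this file takes both indices as `unsigned int`; unless a negative sentinel is intended, declare `PRInt16 wrapMechIndex;` as `PRUint16 wrapMechIndex;` so the sign conversion cannot mask an out-of-range value when the struct is read back from the cache. If a negative value is a sentinel, a comment on the field should say so. This struct is copied into the cross-process session cache (`keyCacheData` in sslsnce.c), so a note that its layout is shared memory would warn future editors.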
@@ -1208,17 +1229,21 @@ struct sslSocketStr { SSLProtocolVariant protocolVariant; }; -/* All the global data items declared here should be protected using the -** ssl_global_data_lock, which is a reader/writer lock. -*/ -extern NSSRWLock *ssl_global_data_lock; +struct sslSelfEncryptKeysStr { + PRCallOnceType setup; + PRUint8 keyName[SELF_ENCRYPT_KEY_NAME_LEN]; + PK11SymKey *encKey; + PK11SymKey *macKey; +}; +typedef struct sslSelfEncryptKeysStr sslSelfEncryptKeys; + extern char ssl_debug; extern char ssl_trace; extern FILE *ssl_trace_iob; extern FILE *ssl_keylog_iob; -extern CERTDistNames *ssl3_server_ca_list; -extern PRUint32 ssl_sid_timeout; extern PRUint32 ssl3_sid_timeout; +extern PRUint32 ssl_ticket_lifetime; +extern PRUint32 ssl_max_early_data_size; extern const char *const ssl3_cipherName[]; @@ -1338,8 +1363,8 @@ extern SECStatus ssl_CipherPrefSetDefault(PRInt32 which, PRBool enabled); extern SECStatus ssl3_ConstrainRangeByPolicy(void); -extern SECStatus ssl3_InitState(sslSocket *ss); -extern SECStatus ssl3_RestartHandshakeHashes(sslSocket *ss); +extern void ssl3_InitState(sslSocket *ss); +extern void ssl3_RestartHandshakeHashes(sslSocket *ss); extern SECStatus ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, unsigned int l); @@ -1352,7 +1377,7 @@ extern PRBool ssl3_WaitingForServerSecondRound(sslSocket *ss); extern PRInt32 ssl3_SendRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, SSL3ContentType type, - const SSL3Opaque *pIn, PRInt32 nIn, + const PRUint8 *pIn, PRInt32 nIn, PRInt32 flags); #ifdef NSS_SSL_ENABLE_ZLIB 
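Review bot: The hunk deletes the comment declaring that the globals here are protected by ssl_global_data_lock, together with the lock, but leaves `ssl3_sid_timeout`, `ssl_ticket_lifetime` and `ssl_max_early_data_size` as mutable externs with no stated synchronization; add a comment giving the rule that replaces it (written only at configuration time, or guarded in the defining file — whichever applies, which this hunk does not show). `struct sslSelfEncryptKeysStr` also has no comment; the `setup` PRCallOnceType suggests one-time initialization of `encKey`/`macKey`, and the ticketEncKey/ticketMacKey naming in sslsnce.c suggests these seal session tickets, so something like `/* Keys used to self-encrypt data such as session tickets; initialized once via setup. */` — confirm the wording against selfencrypt.c.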
@@ -1479,6 +1504,14 @@ extern PRInt32 ssl3_SendRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, */ #define SSL_LIBRARY_VERSION_NONE 0 +/* SSL_LIBRARY_VERSION_MIN_SUPPORTED is the minimum version that this version + * of libssl supports. Applications should use SSL_VersionRangeGetSupported at + * runtime to determine which versions are supported by the version of libssl + * in use. + */ +#define SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM SSL_LIBRARY_VERSION_TLS_1_1 +#define SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM SSL_LIBRARY_VERSION_3_0 + /* SSL_LIBRARY_VERSION_MAX_SUPPORTED is the maximum version that this version * of libssl supports. Applications should use SSL_VersionRangeGetSupported at * runtime to determine which versions are supported by the version of libssl @@ -1600,13 +1633,13 @@ extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy); extern void ssl3_InitSocketPolicy(sslSocket *ss); extern SECStatus ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache); -extern SECStatus ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, +extern SECStatus ssl3_HandleHandshakeMessage(sslSocket *ss, PRUint8 *b, PRUint32 length, PRBool endOfRecord); extern void ssl3_DestroySSL3Info(sslSocket *ss); -extern SECStatus ssl_ClientReadVersion(sslSocket *ss, SSL3Opaque **b, +extern SECStatus ssl_ClientReadVersion(sslSocket *ss, PRUint8 **b, PRUint32 *length, SSL3ProtocolVersion *version); extern SECStatus ssl3_NegotiateVersion(sslSocket *ss, 
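Review bot: The new comment refers to `SSL_LIBRARY_VERSION_MIN_SUPPORTED`, but no macro of that name is defined; the hunk defines `SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM` and `SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM`. Reword it to name both, e.g. `/* SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM and _DATAGRAM are the minimum TLS and DTLS versions that this version of libssl supports. Applications should use SSL_VersionRangeGetSupported at runtime to determine which versions are supported by the version of libssl in use. */`, so the comment matches the identifiers a reader will grep for.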
@@ -1619,15 +1652,14 @@ extern SECStatus ssl_GetPeerInfo(sslSocket *ss); extern SECStatus ssl3_SendECDHClientKeyExchange(sslSocket *ss, SECKEYPublicKey *svrPubKey); extern SECStatus ssl3_HandleECDHServerKeyExchange(sslSocket *ss, - SSL3Opaque *b, PRUint32 length); + PRUint8 *b, PRUint32 length); extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss, - SSL3Opaque *b, PRUint32 length, + PRUint8 *b, PRUint32 length, sslKeyPair *serverKeys); extern SECStatus ssl3_SendECDHServerKeyExchange(sslSocket *ss); extern SECStatus ssl_ImportECDHKeyShare( sslSocket *ss, SECKEYPublicKey *peerKey, - SSL3Opaque *b, PRUint32 length, const sslNamedGroupDef *curve); -unsigned int tls13_SizeOfECDHEKeyShareKEX(const SECKEYPublicKey *pubKey); + PRUint8 *b, PRUint32 length, const sslNamedGroupDef *curve); SECStatus tls13_EncodeECDHEKeyShareKEX(const sslSocket *ss, const SECKEYPublicKey *pubKey); 
@@ -1644,15 +1676,16 @@ extern SECStatus ssl3_AppendHandshakeHeader(sslSocket *ss, extern SECStatus ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize); extern SECStatus ssl3_AppendHandshakeVariable(sslSocket *ss, - const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize); + const PRUint8 *src, PRInt32 bytes, PRInt32 lenSize); extern SECStatus ssl3_AppendSignatureAndHashAlgorithm( sslSocket *ss, const SSLSignatureAndHashAlg *sigAndHash); -extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, - SSL3Opaque **b, PRUint32 *length); -extern PRInt32 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, - SSL3Opaque **b, PRUint32 *length); +extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRUint32 bytes, + PRUint8 **b, PRUint32 *length); +extern SECStatus ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRUint32 *num, + PRUint32 bytes, PRUint8 **b, + PRUint32 *length); extern SECStatus ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, - PRInt32 bytes, SSL3Opaque **b, + PRUint32 bytes, PRUint8 **b, PRUint32 *length); extern PRUint8 *ssl_EncodeUintX(PRUint64 value, unsigned int bytes, PRUint8 *to); 
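Review bot: ssl3_ConsumeHandshakeNumber now returns its value through `PRUint32 *num`, so `bytes` can be at most 4 for the result to fit, and the prototype should say so, e.g. `/* bytes must be <= 4; on success *num holds the value read from *b. */`. Whether `*b` and `*length` are advanced is my inference from the in/out pointer pattern and should be checked against the definition, which is outside this hunk. Changing `bytes` to PRUint32 and returning SECStatus removes the old negative-return sentinel, which is an improvement, but any caller still testing `rv < 0` now never sees an error.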
@@ -1665,14 +1698,13 @@ extern SECStatus ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *are unsigned char **b, unsigned int *len); extern SECStatus ssl_ConsumeSignatureScheme( - sslSocket *ss, SSL3Opaque **b, PRUint32 *length, SSLSignatureScheme *out); + sslSocket *ss, PRUint8 **b, PRUint32 *length, SSLSignatureScheme *out); extern SECStatus ssl3_SignHashes(sslSocket *ss, SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf); extern SECStatus ssl3_VerifySignedHashes(sslSocket *ss, SSLSignatureScheme scheme, SSL3Hashes *hash, SECItem *buf); extern SECStatus ssl3_CacheWrappedMasterSecret( - sslSocket *ss, sslSessionID *sid, - ssl3CipherSpec *spec, SSLAuthType authType); + sslSocket *ss, sslSessionID *sid, ssl3CipherSpec *spec); extern void ssl3_FreeSniNameArray(TLSExtensionData *xtnData); /* Hello Extension related routines. */ @@ -1681,15 +1713,11 @@ extern void ssl3_SetSIDSessionTicket(sslSessionID *sid, SECStatus ssl3_EncodeSessionTicket(sslSocket *ss, const NewSessionTicket *ticket_input, SECItem *ticket_data); -extern PRBool ssl_GetSessionTicketKeys(SECKEYPrivateKey *svrPrivKey, - SECKEYPublicKey *svrPubKey, void *pwArg, - unsigned char *keyName, PK11SymKey **aesKey, - PK11SymKey **macKey); -extern SECStatus ssl3_SessionTicketShutdown(void *appData, void *nssData); -/* Tell clients to consider tickets valid for this long. */ -#define TLS_EX_SESS_TICKET_LIFETIME_HINT (2 * 24 * 60 * 60) /* 2 days */ -#define TLS_EX_SESS_TICKET_VERSION (0x0103) +SECStatus ssl_MaybeSetSelfEncryptKeyPair(const sslKeyPair *keyPair); +SECStatus ssl_GetSelfEncryptKeys(sslSocket *ss, unsigned char *keyName, + PK11SymKey **encKey, PK11SymKey **macKey); +void ssl_ResetSelfEncryptKeys(); extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char *data, unsigned int length); 
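Review bot: `void ssl_ResetSelfEncryptKeys();` uses an empty parameter list, which in C means unspecified arguments rather than none; declare it `void ssl_ResetSelfEncryptKeys(void);`. The three new self-encrypt prototypes also omit the `extern` that every neighbouring declaration carries; keep the file's style. A one-line comment on `keyName` for ssl_GetSelfEncryptKeys — its required size, presumably SELF_ENCRYPT_KEY_NAME_LEN from the struct added earlier in this file — would help callers.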
@@ -1703,8 +1731,8 @@ extern void ssl_FreePRSocket(PRFileDesc *fd); extern int ssl3_config_match_init(sslSocket *); /* calls for accessing wrapping keys across processes. */ -extern PRBool -ssl_GetWrappingKey(PRInt32 symWrapMechIndex, SSLAuthType authType, +extern SECStatus +ssl_GetWrappingKey(unsigned int symWrapMechIndex, unsigned int wrapKeyIndex, SSLWrappedSymWrappingKey *wswk); /* The caller passes in the new value it wants @@ -1716,7 +1744,7 @@ ssl_GetWrappingKey(PRInt32 symWrapMechIndex, SSLAuthType authType, * This is all done while holding the locks/semaphores necessary to make * the operation atomic. */ -extern PRBool +extern SECStatus ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk); /* get rid of the symmetric wrapping key references. */ @@ -1736,10 +1764,10 @@ extern void dtls_FreeHandshakeMessages(PRCList *lst); extern SECStatus dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf); extern SECStatus dtls_HandleHelloVerifyRequest(sslSocket *ss, - SSL3Opaque *b, PRUint32 length); + PRUint8 *b, PRUint32 length); extern SECStatus dtls_StageHandshakeMessage(sslSocket *ss); extern SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type, - const SSL3Opaque *pIn, PRInt32 nIn); + const PRUint8 *pIn, PRInt32 nIn); extern SECStatus dtls_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); SECStatus ssl3_DisableNonDTLSSuites(sslSocket *ss); extern SECStatus dtls_StartHolddownTimer(sslSocket *ss); 
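Review bot: ssl_GetWrappingKey and ssl_SetWrappingKey change their return type from PRBool to SECStatus, which inverts the truth value of a successful call (SECSuccess is 0), so any caller still written as `if (ssl_GetWrappingKey(...))` silently takes the wrong branch; the callers are outside this hunk and should be audited. The comment "calls for accessing wrapping keys across processes" should now also document the index ranges, since both parameters are unsigned and index a fixed shared-memory table: `/* symWrapMechIndex < SSL_NUM_WRAP_MECHS and wrapKeyIndex < SSL_NUM_WRAP_KEYS; they index the shared keyCacheData table. */`. That range is my reading of the keyCacheData layout comment in sslsnce.c in this patch.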
@@ -1770,20 +1798,20 @@ SECStatus ssl3_ServerCallSNICallback(sslSocket *ss); SECStatus ssl3_SetupPendingCipherSpec(sslSocket *ss); SECStatus ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags); SECStatus ssl3_CompleteHandleCertificate(sslSocket *ss, - SSL3Opaque *b, PRUint32 length); + PRUint8 *b, PRUint32 length); void ssl3_SendAlertForCertError(sslSocket *ss, PRErrorCode errCode); SECStatus ssl3_HandleNoCertificate(sslSocket *ss); SECStatus ssl3_SendEmptyCertificate(sslSocket *ss); void ssl3_CleanupPeerCerts(sslSocket *ss); SECStatus ssl3_SendCertificateStatus(sslSocket *ss); SECStatus ssl3_AuthCertificate(sslSocket *ss); -SECStatus ssl_ReadCertificateStatus(sslSocket *ss, SSL3Opaque *b, +SECStatus ssl_ReadCertificateStatus(sslSocket *ss, PRUint8 *b, PRUint32 length); SECStatus ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint8 *buf, unsigned maxLen, PRUint32 *len); -void ssl3_GetCertificateRequestCAs(sslSocket *ss, int *calenp, SECItem **namesp, - int *nnamesp); -SECStatus ssl3_ParseCertificateRequestCAs(sslSocket *ss, SSL3Opaque **b, +SECStatus ssl_GetCertificateRequestCAs(sslSocket *ss, unsigned int *calenp, + SECItem **namesp, unsigned int *nnamesp); +SECStatus ssl3_ParseCertificateRequestCAs(sslSocket *ss, PRUint8 **b, PRUint32 *length, PLArenaPool *arena, CERTDistNames *ca_list); SECStatus ssl3_CompleteHandleCertificateRequest( @@ -1802,7 +1830,6 @@ SECStatus ssl_CreateStaticECDHEKey(sslSocket *ss, SECStatus ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags); PK11SymKey *ssl3_GetWrappingKey(sslSocket *ss, PK11SlotInfo *masterSecretSlot, - const sslServerCert *serverCert, CK_MECHANISM_TYPE masterWrapMech, void *pwArg); SECStatus ssl3_FillInCachedSID(sslSocket *ss, sslSessionID *sid); @@ -1835,6 +1862,7 @@ extern void ssl3_CheckCipherSuiteOrderConsistency(); extern int ssl_MapLowLevelError(int hiLevelError); extern PRUint32 ssl_Time(void); +extern PRBool ssl_TicketTimeValid(const NewSessionTicket *ticket); extern void SSL_AtomicIncrementLong(long *x); 
@@ -1844,11 +1872,12 @@ extern HASH_HashType ssl3_GetTls12HashType(sslSocket *ss); extern SECStatus -ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, +ssl3_TLSPRFWithMasterSecret(sslSocket *ss, ssl3CipherSpec *spec, const char *label, unsigned int labelLen, const unsigned char *val, unsigned int valLen, - unsigned char *out, unsigned int outLen, - HASH_HashType tls12HashType); + unsigned char *out, unsigned int outLen); + +PRBool ssl_AlpnTagAllowed(const sslSocket *ss, const SECItem *tag); #ifdef TRACE #define SSL_TRACE(msg) ssl_Trace msg diff --git a/security/nss/lib/ssl/sslinfo.c b/security/nss/lib/ssl/sslinfo.c index 665109d658..88162d8146 100644 --- a/security/nss/lib/ssl/sslinfo.c +++ b/security/nss/lib/ssl/sslinfo.c @@ -140,6 +140,20 @@ SSL_GetPreliminaryChannelInfo(PRFileDesc *fd, inf.valuesSet = ss->ssl3.hs.preliminaryInfo; inf.protocolVersion = ss->version; inf.cipherSuite = ss->ssl3.hs.cipher_suite; + inf.canSendEarlyData = !ss->sec.isServer && + (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent || + ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted); + /* We shouldn't be able to send early data if the handshake is done. */ + PORT_Assert(!ss->firstHsDone || !inf.canSendEarlyData); + + if (ss->sec.ci.sid && + (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent || + ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted)) { + inf.maxEarlyDataSize = + ss->sec.ci.sid->u.ssl3.locked.sessionTicket.max_early_data_size; + } else { + inf.maxEarlyDataSize = 0; + } memcpy(info, &inf, inf.length); return SECSuccess; @@ -219,6 +233,9 @@ SSL_GetPreliminaryChannelInfo(PRFileDesc *fd, #define F_NFIPS_NSTD 0, 0, 1, 0 /* i.e., trash */ #define F_EXPORT 0, 1, 0, 0 /* i.e., trash */ +// RFC 5705 +#define MAX_CONTEXT_LEN PR_UINT16_MAX - 1 + static const SSLCipherSuiteInfo suiteInfo[] = { /* <------ Cipher suite --------------------> <auth> <KEA> <bulk cipher> <MAC> <FIPS> */ { 0, CS_(TLS_AES_128_GCM_SHA256), S_ANY, K_ANY, C_AESGCM, B_128, M_AEAD_128, F_FIPS_STD, A_ANY }, 
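Review bot: SSL_GetPreliminaryChannelInfo reads `ss->sec.ci.sid->u.ssl3.locked.sessionTicket.max_early_data_size` directly; the `locked` member name suggests that sub-struct is guarded by a lock, and this hunk takes none, so either take the sid lock around the read or add a comment explaining why a racy read is acceptable for a preliminary value. The `zeroRttState == ssl_0rtt_sent || zeroRttState == ssl_0rtt_accepted` test is also evaluated twice; hoist it into a local such as `PRBool earlyData = ...;` and use it for both `canSendEarlyData` and the `maxEarlyDataSize` branch. The function starts outside this hunk.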
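Review bot: `#define MAX_CONTEXT_LEN PR_UINT16_MAX - 1` is an unparenthesized arithmetic macro; the one use in this patch (`contextLen > MAX_CONTEXT_LEN`) happens to be safe, but any future `MAX_CONTEXT_LEN * 2` or cast would bind wrongly, so write `#define MAX_CONTEXT_LEN (PR_UINT16_MAX - 1)`. The `// RFC 5705` comment uses a style the surrounding file does not and says nothing about why the bound is one less than PR_UINT16_MAX; replace it with `/* RFC 5705: the exporter context is encoded with a two-byte length, which bounds its size. */` and add the reason for the `- 1` if there is one.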
@@ -425,6 +442,11 @@ SSL_ExportKeyingMaterial(PRFileDesc *fd, out, outLen); } + if (hasContext && contextLen > MAX_CONTEXT_LEN) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + /* construct PRF arguments */ valLen = SSL3_RANDOM_LENGTH * 2; if (hasContext) { @@ -455,9 +477,8 @@ SSL_ExportKeyingMaterial(PRFileDesc *fd, PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED); rv = SECFailure; } else { - HASH_HashType ht = ssl3_GetTls12HashType(ss); - rv = ssl3_TLSPRFWithMasterSecret(ss->ssl3.cwSpec, label, labelLen, val, - valLen, out, outLen, ht); + rv = ssl3_TLSPRFWithMasterSecret(ss, ss->ssl3.cwSpec, label, labelLen, + val, valLen, out, outLen); } ssl_ReleaseSpecReadLock(ss); diff --git a/security/nss/lib/ssl/sslmutex.c b/security/nss/lib/ssl/sslmutex.c index 560a9e823b..10b6cf55f9 100644 --- a/security/nss/lib/ssl/sslmutex.c +++ b/security/nss/lib/ssl/sslmutex.c @@ -60,7 +60,8 @@ single_process_sslMutex_Lock(sslMutex* pMutex) return SECSuccess; } -#if defined(LINUX) || defined(AIX) || defined(BEOS) || defined(BSDI) || (defined(NETBSD) && __NetBSD_Version__ < 500000000) || defined(OPENBSD) +#if defined(LINUX) || defined(AIX) || defined(BEOS) || defined(BSDI) || \ + (defined(NETBSD) && __NetBSD_Version__ < 500000000) || defined(OPENBSD) || defined(__GLIBC__) #include <unistd.h> #include <fcntl.h> diff --git a/security/nss/lib/ssl/sslmutex.h b/security/nss/lib/ssl/sslmutex.h index 7611148adc..3f63ed80da 100644 --- a/security/nss/lib/ssl/sslmutex.h +++ b/security/nss/lib/ssl/sslmutex.h @@ -49,7 +49,8 @@ typedef struct { typedef int sslPID; -#elif defined(LINUX) || defined(AIX) || defined(BEOS) || defined(BSDI) || (defined(NETBSD) && __NetBSD_Version__ < 500000000) || defined(OPENBSD) +#elif defined(LINUX) || defined(AIX) || defined(BEOS) || defined(BSDI) || \ + (defined(NETBSD) && __NetBSD_Version__ < 500000000) || defined(OPENBSD) || defined(__GLIBC__) #include <sys/types.h> #include "prtypes.h" 
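Review bot: The new contextLen bound is inserted after the `out, outLen); }` that closes the preceding branch; if that branch is the TLS 1.3 exporter (it is outside this hunk), contexts are not bounded on that path. That is acceptable only if the TLS 1.3 exporter hashes the context rather than length-prefixing it, as RFC 8446 specifies; add a one-line comment above the check, e.g. `/* Only the TLS 1.2 PRF seed length-prefixes the context (RFC 5705); TLS 1.3 hashes it. */`, so the next reader does not move the check or assume the 1.3 path is unchecked by mistake.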
diff --git a/security/nss/lib/ssl/sslnonce.c b/security/nss/lib/ssl/sslnonce.c index 91cc870407..7ad1c6bc7a 100644 --- a/security/nss/lib/ssl/sslnonce.c +++ b/security/nss/lib/ssl/sslnonce.c @@ -1,3 +1,4 @@ +/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ /* * This file implements the CLIENT Session ID cache. * @@ -18,7 +19,6 @@ #include <time.h> #endif -PRUint32 ssl_sid_timeout = 100; PRUint32 ssl3_sid_timeout = 86400L; /* 24 hours */ static sslSessionID *cache = NULL; @@ -460,6 +460,20 @@ ssl_Time(void) return myTime; } +PRBool +ssl_TicketTimeValid(const NewSessionTicket *ticket) +{ + PRTime endTime; + + if (ticket->ticket_lifetime_hint == 0) { + return PR_TRUE; + } + + endTime = ticket->received_timestamp + + (PRTime)(ticket->ticket_lifetime_hint * PR_USEC_PER_SEC); + return endTime > PR_Now(); +} + void ssl3_SetSIDSessionTicket(sslSessionID *sid, /*in/out*/ NewSessionTicket *newSessionTicket) diff --git a/security/nss/lib/ssl/sslsecur.c b/security/nss/lib/ssl/sslsecur.c index eecf443967..8bec3d327a 100644 --- a/security/nss/lib/ssl/sslsecur.c +++ b/security/nss/lib/ssl/sslsecur.c @@ -478,7 +478,7 @@ sslBuffer_Append(sslBuffer *b, const void *data, unsigned int len) void sslBuffer_Clear(sslBuffer *b) { - if (b->len > 0) { + if (b->buf) { PORT_Free(b->buf); b->buf = NULL; b->len = 0; @@ -884,6 +884,7 @@ int ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags) { int rv = 0; + PRBool zeroRtt = PR_FALSE; SSL_TRC(2, ("%d: SSL[%d]: SecureSend: sending %d bytes", SSL_GETPID(), ss->fd, len)); 
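Review bot: In ssl_TicketTimeValid, `ticket->ticket_lifetime_hint * PR_USEC_PER_SEC` is evaluated before the cast to PRTime, so if ticket_lifetime_hint is a 32-bit integer (it holds seconds, so presumably PRUint32) and `long` is 32 bits (Win32 and 32-bit Unix), the product wraps for any hint above roughly 4294 seconds, because NSPR defines PR_USEC_PER_SEC as a `long` literal. A ticket with the RFC-maximum lifetime of 604800 s would then be judged expired or valid depending on the wrapped value. Widen before multiplying: `endTime = ticket->received_timestamp + (PRTime)ticket->ticket_lifetime_hint * PR_USEC_PER_SEC;`. The declaration of ticket_lifetime_hint is outside this hunk, so confirm its width.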
@@ -923,19 +924,20 @@ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags) * Case 2: TLS 1.3 0-RTT */ if (!ss->firstHsDone) { - PRBool falseStart = PR_FALSE; + PRBool allowEarlySend = PR_FALSE; + ssl_Get1stHandshakeLock(ss); if (ss->opt.enableFalseStart || (ss->opt.enable0RttData && !ss->sec.isServer)) { ssl_GetSSL3HandshakeLock(ss); /* The client can sometimes send before the handshake is fully * complete. In TLS 1.2: false start; in TLS 1.3: 0-RTT. */ - falseStart = ss->ssl3.hs.canFalseStart || - ss->ssl3.hs.zeroRttState == ssl_0rtt_sent || - ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted; + zeroRtt = ss->ssl3.hs.zeroRttState == ssl_0rtt_sent || + ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted; + allowEarlySend = ss->ssl3.hs.canFalseStart || zeroRtt; ssl_ReleaseSSL3HandshakeLock(ss); } - if (!falseStart && ss->handshake) { + if (!allowEarlySend && ss->handshake) { rv = ssl_Do1stHandshake(ss); } ssl_Release1stHandshakeLock(ss); @@ -945,6 +947,20 @@ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags) goto done; } + if (zeroRtt) { + /* There's a limit to the number of early data octets we can send. + * + * Note that taking this lock doesn't prevent the cipher specs from + * being changed out between here and when records are ultimately + * encrypted. The only effect of that is to occasionally do an + * unnecessary short write when data is identified as 0-RTT here but + * 1-RTT later. + */ + ssl_GetSpecReadLock(ss); + len = tls13_LimitEarlyData(ss, content_application_data, len); + ssl_ReleaseSpecReadLock(ss); + } + /* Check for zero length writes after we do housekeeping so we make forward * progress. */ 
@@ -959,19 +975,6 @@ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags) goto done; } - if (!ss->firstHsDone) { -#ifdef DEBUG - ssl_GetSSL3HandshakeLock(ss); - PORT_Assert(!ss->sec.isServer && - (ss->ssl3.hs.canFalseStart || - ss->ssl3.hs.zeroRttState == ssl_0rtt_sent || - ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted)); - ssl_ReleaseSSL3HandshakeLock(ss); -#endif - SSL_TRC(3, ("%d: SSL[%d]: SecureSend: sending data due to false start", - SSL_GETPID(), ss->fd)); - } - ssl_GetXmitBufLock(ss); rv = ssl3_SendApplicationData(ss, buf, len, flags); ssl_ReleaseXmitBufLock(ss); @@ -994,6 +997,42 @@ ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len) } SECStatus +SSL_AlertReceivedCallback(PRFileDesc *fd, SSLAlertCallback cb, void *arg) +{ + sslSocket *ss; + + ss = ssl_FindSocket(fd); + if (!ss) { + SSL_DBG(("%d: SSL[%d]: unable to find socket in SSL_AlertReceivedCallback", + SSL_GETPID(), fd)); + return SECFailure; + } + + ss->alertReceivedCallback = cb; + ss->alertReceivedCallbackArg = arg; + + return SECSuccess; +} + +SECStatus +SSL_AlertSentCallback(PRFileDesc *fd, SSLAlertCallback cb, void *arg) +{ + sslSocket *ss; + + ss = ssl_FindSocket(fd); + if (!ss) { + SSL_DBG(("%d: SSL[%d]: unable to find socket in SSL_AlertSentCallback", + SSL_GETPID(), fd)); + return SECFailure; + } + + ss->alertSentCallback = cb; + ss->alertSentCallbackArg = arg; + + return SECSuccess; +} + +SECStatus SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg) { sslSocket *ss; diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c index 4a4005c2d9..3ef11f7a73 100644 --- a/security/nss/lib/ssl/sslsnce.c +++ b/security/nss/lib/ssl/sslsnce.c @@ -1,3 +1,4 @@ +/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ /* This file implements the SERVER Session ID cache. * NOTE: The contents of this file are NOT used by the client. * 
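Review bot: SSL_AlertReceivedCallback and SSL_AlertSentCallback are new public entry points with no documentation: when each callback fires, whether a NULL `cb` clears it, and whether it runs with any libssl lock held are not stated, and the two bodies are identical except for the fields assigned. Add a header comment on each and consider folding them into one static setter parameterized by the two field pointers. The stores into `ss->alertReceivedCallback` / `ss->alertSentCallback` take no lock; if a handshake on another thread can be reading them concurrently that is a race, so the comment should state that these must be installed before the handshake starts, if that is the intended contract — which this hunk does not show.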
@@ -33,8 +34,8 @@
 * sidCacheSet sidCacheSets[ numSIDCacheSets ];
 * sidCacheEntry sidCacheData[ numSIDCacheEntries];
 * certCacheEntry certCacheData[numCertCacheEntries];
- * SSLWrappedSymWrappingKey keyCacheData[ssl_auth_size][SSL_NUM_WRAP_MECHS];
- * PRUint8 keyNameSuffix[SESS_TICKET_KEY_VAR_NAME_LEN]
+ * SSLWrappedSymWrappingKey keyCacheData[SSL_NUM_WRAP_KEYS][SSL_NUM_WRAP_MECHS];
+ * PRUint8 keyNameSuffix[SELF_ENCRYPT_KEY_VAR_NAME_LEN]
 * encKeyCacheEntry ticketEncKey; // Wrapped
 * encKeyCacheEntry ticketMacKey; // Wrapped
 * PRBool ticketKeysValid;
@@ -54,8 +55,9 @@
 #include "base64.h"
 #include "keyhi.h"
 #include "blapit.h"
+#include "nss.h" /* for NSS_RegisterShutdown */
 #include "sechash.h"
-
+#include "selfencrypt.h"
 #include <stdio.h>
 #if defined(XP_UNIX) || defined(XP_BEOS)
@@ -109,7 +111,7 @@ struct sidCacheEntryStr {
 /* 4 */ PRInt32 certIndex;
 /* 4 */ PRInt32 srvNameIndex;
 /* 32 */ PRUint8 srvNameHash[SHA256_LENGTH]; /* SHA256 name hash */
- /* 2 */ PRUint16 certTypeArgs;
+ /* 2 */ PRUint16 namedCurve;
 /*104 */} ssl3;
 /* force sizeof(sidCacheEntry) to be a multiple of cache line size */
@@ -440,17 +442,12 @@ ConvertFromSID(sidCacheEntry *to, sslSessionID *from)
 to->u.ssl3.srvNameIndex = -1;
 PORT_Memcpy(to->sessionID, from->u.ssl3.sessionID, to->sessionIDLength);
- to->u.ssl3.certTypeArgs = 0U;
- switch (from->authType) {
- case ssl_auth_ecdsa:
- case ssl_auth_ecdh_rsa:
- case ssl_auth_ecdh_ecdsa:
- PORT_Assert(from->certType.namedCurve);
- to->u.ssl3.certTypeArgs =
- (PRUint16)from->certType.namedCurve->name;
- break;
- default:
- break;
+ to->u.ssl3.namedCurve = 0U;
+ if (from->authType == ssl_auth_ecdsa ||
+ from->authType == ssl_auth_ecdh_rsa ||
+ from->authType == ssl_auth_ecdh_ecdsa) {
+ PORT_Assert(from->namedCurve);
+ to->u.ssl3.namedCurve = (PRUint16)from->namedCurve->name;
 }
 SSL_TRC(8, ("%d: SSL3: ConvertSID: time=%d addr=0x%08x%08x%08x%08x "
@@ -526,16 +523,11 @@ ConvertToSID(sidCacheEntry *from,
 if (to->peerCert == NULL)
 goto loser;
 }
- to->certType.authType = from->authType;
- switch (from->authType) {
- case ssl_auth_ecdsa:
- case ssl_auth_ecdh_rsa:
- case ssl_auth_ecdh_ecdsa:
- to->certType.namedCurve =
- ssl_LookupNamedGroup((SSLNamedGroup)from->u.ssl3.certTypeArgs);
- break;
- default:
- break;
+ if (from->authType == ssl_auth_ecdsa ||
+ from->authType == ssl_auth_ecdh_rsa ||
+ from->authType == ssl_auth_ecdh_ecdsa) {
+ to->namedCurve =
+ ssl_LookupNamedGroup((SSLNamedGroup)from->u.ssl3.namedCurve);
 }
 to->version = from->version;
@@ -983,7 +975,7 @@ InitCache(cacheDesc *cache, int maxCacheEntries, int maxCertCacheEntries,
 cache->certCacheSize =
 (char *)cache->keyCacheData - (char *)cache->certCacheData;
- cache->numKeyCacheEntries = ssl_auth_size * SSL_NUM_WRAP_MECHS;
+ cache->numKeyCacheEntries = SSL_NUM_WRAP_KEYS * SSL_NUM_WRAP_MECHS;
 ptr = (ptrdiff_t)(cache->keyCacheData + cache->numKeyCacheEntries);
 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
@@ -991,7 +983,7 @@ InitCache(cacheDesc *cache, int maxCacheEntries, int maxCertCacheEntries,
 cache->ticketKeyNameSuffix = (PRUint8 *)ptr;
 ptr = (ptrdiff_t)(cache->ticketKeyNameSuffix +
- SESS_TICKET_KEY_VAR_NAME_LEN);
+ SELF_ENCRYPT_KEY_VAR_NAME_LEN);
 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
 cache->ticketEncKey = (encKeyCacheEntry *)ptr;
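Review bot: In ConvertToSID the result of `ssl_LookupNamedGroup((SSLNamedGroup)from->u.ssl3.namedCurve)` is stored into `to->namedCurve` without a NULL check, and the input is a PRUint16 read back from the shared-memory cache rather than a value this process validated. If the lookup returns NULL for an unrecognised or disabled group (its behaviour is not visible here), the session ID carries an EC authType with no curve; whether every consumer tolerates that is not shown in this diff, so either `goto loser` on NULL or add `/* NULL if the cached group id is unknown; callers must check */` next to the assignment. The pre-existing code had the same gap; this commit is a good place to close it since it rewrites the block. ConvertToSID starts and ends outside the hunk.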
@@ -1608,36 +1600,260 @@ StopLockPoller(cacheDesc *cache)
 * Code dealing with shared wrapped symmetric wrapping keys below *
 ************************************************************************/
-/* If now is zero, it implies that the lock is not held, and must be
-** aquired here.
-*/
+/* The asymmetric key we use for wrapping the self-encryption keys. This is a
+ * global structure that can be initialized without a socket. Access is
+ * synchronized on the reader-writer lock. This is setup either by calling
+ * SSL_SetSessionTicketKeyPair() or by configuring a certificate of the
+ * ssl_auth_rsa_decrypt type. */
+static struct {
+ PRCallOnceType setup;
+ PRRWLock *lock;
+ SECKEYPublicKey *pubKey;
+ SECKEYPrivateKey *privKey;
+ PRBool configured;
+} ssl_self_encrypt_key_pair;
+
+/* The symmetric self-encryption keys. This requires a socket to construct
+ * and requires that the global structure be initialized before use.
+ */
+static sslSelfEncryptKeys ssl_self_encrypt_keys;
+
+/* Externalize the self encrypt keys. Purely used for testing. */
+sslSelfEncryptKeys *
+ssl_GetSelfEncryptKeysInt()
+{
+ return &ssl_self_encrypt_keys;
+}
+
+static void
+ssl_CleanupSelfEncryptKeyPair()
+{
+ if (ssl_self_encrypt_key_pair.pubKey) {
+ PORT_Assert(ssl_self_encrypt_key_pair.privKey);
+ SECKEY_DestroyPublicKey(ssl_self_encrypt_key_pair.pubKey);
+ SECKEY_DestroyPrivateKey(ssl_self_encrypt_key_pair.privKey);
+ }
+}
+
+void
+ssl_ResetSelfEncryptKeys()
+{
+ if (ssl_self_encrypt_keys.encKey) {
+ PORT_Assert(ssl_self_encrypt_keys.macKey);
+ PK11_FreeSymKey(ssl_self_encrypt_keys.encKey);
+ PK11_FreeSymKey(ssl_self_encrypt_keys.macKey);
+ }
+ PORT_Memset(&ssl_self_encrypt_keys, 0,
+ sizeof(ssl_self_encrypt_keys));
+}
+
+static SECStatus
+ssl_SelfEncryptShutdown(void *appData, void *nssData)
+{
+ ssl_CleanupSelfEncryptKeyPair();
+ PR_DestroyRWLock(ssl_self_encrypt_key_pair.lock);
+ PORT_Memset(&ssl_self_encrypt_key_pair, 0,
+ sizeof(ssl_self_encrypt_key_pair));
+
+ ssl_ResetSelfEncryptKeys();
+ return SECSuccess;
+}
+
+static PRStatus
+ssl_SelfEncryptSetup(void)
+{
+ SECStatus rv = NSS_RegisterShutdown(ssl_SelfEncryptShutdown, NULL);
+ if (rv != SECSuccess) {
+ return PR_FAILURE;
+ }
+ ssl_self_encrypt_key_pair.lock = PR_NewRWLock(PR_RWLOCK_RANK_NONE, NULL);
+ if (!ssl_self_encrypt_key_pair.lock) {
+ return PR_FAILURE;
+ }
+ return PR_SUCCESS;
+}
+
+/* Configure a self encryption key pair. |explicitConfig| is set to true for
+ * calls to SSL_SetSessionTicketKeyPair(), false for implicit configuration.
+ * This assumes that the setup has been run. */
+static SECStatus
+ssl_SetSelfEncryptKeyPair(SECKEYPublicKey *pubKey,
+ SECKEYPrivateKey *privKey,
+ PRBool explicitConfig)
+{
+ SECKEYPublicKey *pubKeyCopy;
+ SECKEYPrivateKey *privKeyCopy;
+
+ PORT_Assert(ssl_self_encrypt_key_pair.lock);
+
+ pubKeyCopy = SECKEY_CopyPublicKey(pubKey);
+ if (!pubKeyCopy) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+
+ privKeyCopy = SECKEY_CopyPrivateKey(privKey);
+ if (!privKeyCopy) {
+ SECKEY_DestroyPublicKey(pubKeyCopy);
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+
+ PR_RWLock_Wlock(ssl_self_encrypt_key_pair.lock);
+ ssl_CleanupSelfEncryptKeyPair();
+ ssl_self_encrypt_key_pair.pubKey = pubKeyCopy;
+ ssl_self_encrypt_key_pair.privKey = privKeyCopy;
+ ssl_self_encrypt_key_pair.configured = explicitConfig;
+ PR_RWLock_Unlock(ssl_self_encrypt_key_pair.lock);
+ return SECSuccess;
+}
+
+/* This is really the self-encryption keys but it has the
+ * wrong name for historical API stability reasons. */
+SECStatus
+SSL_SetSessionTicketKeyPair(SECKEYPublicKey *pubKey,
+ SECKEYPrivateKey *privKey)
+{
+ if (SECKEY_GetPublicKeyType(pubKey) != rsaKey ||
+ SECKEY_GetPrivateKeyType(privKey) != rsaKey) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ if (PR_SUCCESS != PR_CallOnce(&ssl_self_encrypt_key_pair.setup,
+ &ssl_SelfEncryptSetup)) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ return ssl_SetSelfEncryptKeyPair(pubKey, privKey, PR_TRUE);
+}
+
+/* When configuring a server cert, we should save the RSA key in case it is
+ * needed for self-encryption. This saves the latest copy, unless there has
+ * been an explicit call to SSL_SetSessionTicketKeyPair(). */
+SECStatus
+ssl_MaybeSetSelfEncryptKeyPair(const sslKeyPair *keyPair)
+{
+ PRBool configured;
+
+ if (PR_SUCCESS != PR_CallOnce(&ssl_self_encrypt_key_pair.setup,
+ &ssl_SelfEncryptSetup)) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ PR_RWLock_Rlock(ssl_self_encrypt_key_pair.lock);
+ configured = ssl_self_encrypt_key_pair.configured;
+ PR_RWLock_Unlock(ssl_self_encrypt_key_pair.lock);
+ if (configured) {
+ return SECSuccess;
+ }
+ return ssl_SetSelfEncryptKeyPair(keyPair->pubKey,
+ keyPair->privKey, PR_FALSE);
+}
+
+static SECStatus
+ssl_GetSelfEncryptKeyPair(SECKEYPublicKey **pubKey,
+ SECKEYPrivateKey **privKey)
+{
+ if (PR_SUCCESS != PR_CallOnce(&ssl_self_encrypt_key_pair.setup,
+ &ssl_SelfEncryptSetup)) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ PR_RWLock_Rlock(ssl_self_encrypt_key_pair.lock);
+ *pubKey = ssl_self_encrypt_key_pair.pubKey;
+ *privKey = ssl_self_encrypt_key_pair.privKey;
+ PR_RWLock_Unlock(ssl_self_encrypt_key_pair.lock);
+ if (!*pubKey) {
+ PORT_Assert(!*privKey);
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ PORT_Assert(*privKey);
+ return SECSuccess;
+}
+
 static PRBool
-getSvrWrappingKey(PRInt32 symWrapMechIndex,
- SSLAuthType authType,
+ssl_GenerateSelfEncryptKeys(void *pwArg, PRUint8 *keyName,
+ PK11SymKey **aesKey, PK11SymKey **macKey);
+
+static PRStatus
+ssl_GenerateSelfEncryptKeysOnce(void *arg)
+{
+ SECStatus rv;
+
+ /* Get a copy of the session keys from shared memory. */
+ PORT_Memcpy(ssl_self_encrypt_keys.keyName,
+ SELF_ENCRYPT_KEY_NAME_PREFIX,
+ sizeof(SELF_ENCRYPT_KEY_NAME_PREFIX));
+ /* This function calls ssl_GetSelfEncryptKeyPair(), which initializes the
+ * key pair stuff. That allows this to use the same shutdown function. */
+ rv = ssl_GenerateSelfEncryptKeys(arg, ssl_self_encrypt_keys.keyName,
+ &ssl_self_encrypt_keys.encKey,
+ &ssl_self_encrypt_keys.macKey);
+ if (rv != SECSuccess) {
+ return PR_FAILURE;
+ }
+
+ return PR_SUCCESS;
+}
+
+SECStatus
+ssl_GetSelfEncryptKeys(sslSocket *ss, PRUint8 *keyName,
+ PK11SymKey **encKey, PK11SymKey **macKey)
+{
+ if (PR_SUCCESS != PR_CallOnceWithArg(&ssl_self_encrypt_keys.setup,
+ &ssl_GenerateSelfEncryptKeysOnce,
+ ss->pkcs11PinArg)) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ if (!ssl_self_encrypt_keys.encKey || !ssl_self_encrypt_keys.macKey) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ PORT_Memcpy(keyName, ssl_self_encrypt_keys.keyName,
+ sizeof(ssl_self_encrypt_keys.keyName));
+ *encKey = ssl_self_encrypt_keys.encKey;
+ *macKey = ssl_self_encrypt_keys.macKey;
+ return SECSuccess;
+}
+
+/* If lockTime is zero, it implies that the lock is not held, and must be
+ * aquired here.
+ */
+static SECStatus
+getSvrWrappingKey(unsigned int symWrapMechIndex,
+ unsigned int wrapKeyIndex,
 SSLWrappedSymWrappingKey *wswk,
 cacheDesc *cache,
 PRUint32 lockTime)
 {
- PRUint32 ndx = (authType * SSL_NUM_WRAP_MECHS) + symWrapMechIndex;
+ PRUint32 ndx = (wrapKeyIndex * SSL_NUM_WRAP_MECHS) + symWrapMechIndex;
 SSLWrappedSymWrappingKey *pwswk = cache->keyCacheData + ndx;
 PRUint32 now = 0;
- PRBool rv = PR_FALSE;
+ PRBool rv = SECFailure;
 if (!cache->cacheMem) { /* cache is uninitialized */
 PORT_SetError(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED);
- return rv;
+ return SECFailure;
 }
 if (!lockTime) {
- lockTime = now = LockSidCacheLock(cache->keyCacheLock, now);
- if (!lockTime) {
- return rv;
+ now = LockSidCacheLock(cache->keyCacheLock, 0);
+ if (!now) {
+ return SECFailure;
 }
 }
- if (pwswk->authType == authType &&
- pwswk->symWrapMechIndex == symWrapMechIndex &&
+ if (pwswk->wrapKeyIndex == wrapKeyIndex &&
+ pwswk->wrapMechIndex == symWrapMechIndex &&
 pwswk->wrappedSymKeyLen != 0) {
 *wswk = *pwswk;
- rv = PR_TRUE;
+ rv = SECSuccess;
 }
 if (now) {
 UnlockSidCacheLock(cache->keyCacheLock);
@@ -1645,30 +1861,27 @@ getSvrWrappingKey(PRInt32 symWrapMechIndex,
 return rv;
 }
-PRBool
-ssl_GetWrappingKey(PRInt32 symWrapMechIndex,
- SSLAuthType authType,
+SECStatus
+ssl_GetWrappingKey(unsigned int wrapMechIndex,
+ unsigned int wrapKeyIndex,
 SSLWrappedSymWrappingKey *wswk)
 {
- PRBool rv;
-
- PORT_Assert((unsigned)authType < ssl_auth_size);
- PORT_Assert((unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS);
- if ((unsigned)authType < ssl_auth_size &&
- (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS) {
- rv = getSvrWrappingKey(symWrapMechIndex, authType, wswk,
- &globalCache, 0);
- } else {
- rv = PR_FALSE;
+ PORT_Assert(wrapMechIndex < SSL_NUM_WRAP_MECHS);
+ PORT_Assert(wrapKeyIndex < SSL_NUM_WRAP_KEYS);
+ if (wrapMechIndex >= SSL_NUM_WRAP_MECHS ||
+ wrapKeyIndex >= SSL_NUM_WRAP_KEYS) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
 }
- return rv;
+ return getSvrWrappingKey(wrapMechIndex, wrapKeyIndex, wswk,
+ &globalCache, 0);
 }
 /* Wrap and cache a session ticket key. */
-static PRBool
-WrapTicketKey(SECKEYPublicKey *svrPubKey, PK11SymKey *symKey,
- const char *keyName, encKeyCacheEntry *cacheEntry)
+static SECStatus
+WrapSelfEncryptKey(SECKEYPublicKey *svrPubKey, PK11SymKey *symKey,
+ const char *keyName, encKeyCacheEntry *cacheEntry)
 {
 SECItem wrappedKey = { siBuffer, NULL, 0 };
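Review bot: The forward declaration of ssl_GenerateSelfEncryptKeys reuses the old `static PRBool` context line while its definition (the `@@ -1807,55 +2024,51 @@` hunk) is `static SECStatus`; this only compiles where the SECStatus enum's underlying type is compatible with PRBool, so the declaration should read `static SECStatus` — the same type slip appears in getSvrWrappingKey (`PRBool rv = SECFailure;`) and in ssl_SetWrappingKey (`@@ -1868,47 +2081,45 @@`), where `SECStatus rv = SECFailure;` is meant. Separately, ssl_GetSelfEncryptKeyPair copies the raw `pubKey`/`privKey` pointers out and releases the read lock before the caller (ssl_GenerateSelfEncryptKeys) uses them to unwrap or wrap the cached keys, while ssl_SetSelfEncryptKeyPair destroys those objects under the write lock; if SSL_SetSessionTicketKeyPair or certificate configuration can run on another thread during the first self-encrypt key generation, that is a use-after-free of the private key. Handing out copies that the caller destroys, as below, closes the window; the caller would then need `SECKEY_DestroyPublicKey(svrPubKey); SECKEY_DestroyPrivateKey(svrPrivKey);` on every exit path.
```c
static SECStatus
ssl_GetSelfEncryptKeyPair(SECKEYPublicKey **pubKey,
                          SECKEYPrivateKey **privKey)
{
    /* … unchanged: PR_CallOnce(&ssl_self_encrypt_key_pair.setup, …) … */

    PR_RWLock_Rlock(ssl_self_encrypt_key_pair.lock);
    if (!ssl_self_encrypt_key_pair.pubKey) {
        PR_RWLock_Unlock(ssl_self_encrypt_key_pair.lock);
        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
        return SECFailure;
    }
    PORT_Assert(ssl_self_encrypt_key_pair.privKey);
    /* Return copies: the caller keeps using the keys after the lock is
     * dropped, and ssl_SetSelfEncryptKeyPair() may destroy the originals. */
    *pubKey = SECKEY_CopyPublicKey(ssl_self_encrypt_key_pair.pubKey);
    *privKey = SECKEY_CopyPrivateKey(ssl_self_encrypt_key_pair.privKey);
    PR_RWLock_Unlock(ssl_self_encrypt_key_pair.lock);
    if (!*pubKey || !*privKey) {
        if (*pubKey) {
            SECKEY_DestroyPublicKey(*pubKey);
        }
        if (*privKey) {
            SECKEY_DestroyPrivateKey(*privKey);
        }
        *pubKey = NULL;
        *privKey = NULL;
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        return SECFailure;
    }
    return SECSuccess;
}
```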
@@ -1680,24 +1893,24 @@ WrapTicketKey(SECKEYPublicKey *svrPubKey, PK11SymKey *symKey,
 if (PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, symKey, &wrappedKey) !=
 SECSuccess) {
- SSL_DBG(("%d: SSL[%s]: Unable to wrap session ticket %s.",
+ SSL_DBG(("%d: SSL[%s]: Unable to wrap self encrypt key %s.",
 SSL_GETPID(), "unknown", keyName));
- return PR_FALSE;
+ return SECFailure;
 }
 cacheEntry->length = wrappedKey.len;
- return PR_TRUE;
+ return SECSuccess;
 }
-static PRBool
-GenerateTicketKeys(void *pwArg, unsigned char *keyName, PK11SymKey **aesKey,
- PK11SymKey **macKey)
+static SECStatus
+GenerateSelfEncryptKeys(void *pwArg, PRUint8 *keyName, PK11SymKey **aesKey,
+ PK11SymKey **macKey)
 {
 PK11SlotInfo *slot;
 CK_MECHANISM_TYPE mechanismArray[2];
 PK11SymKey *aesKeyTmp = NULL;
 PK11SymKey *macKeyTmp = NULL;
 cacheDesc *cache = &globalCache;
- PRUint8 ticketKeyNameSuffixLocal[SESS_TICKET_KEY_VAR_NAME_LEN];
+ PRUint8 ticketKeyNameSuffixLocal[SELF_ENCRYPT_KEY_VAR_NAME_LEN];
 PRUint8 *ticketKeyNameSuffix;
 if (!cache->cacheMem) {
@@ -1708,11 +1921,11 @@ GenerateTicketKeys(void *pwArg, unsigned char *keyName, PK11SymKey **aesKey,
 }
 if (PK11_GenerateRandom(ticketKeyNameSuffix,
- SESS_TICKET_KEY_VAR_NAME_LEN) !=
+ SELF_ENCRYPT_KEY_VAR_NAME_LEN) !=
 SECSuccess) {
 SSL_DBG(("%d: SSL[%s]: Unable to generate random key name bytes.",
 SSL_GETPID(), "unknown"));
- goto loser;
+ return SECFailure;
 }
 mechanismArray[0] = CKM_AES_CBC;
@@ -1732,54 +1945,58 @@ GenerateTicketKeys(void *pwArg, unsigned char *keyName, PK11SymKey **aesKey,
 SSL_GETPID(), "unknown"));
 goto loser;
 }
- PORT_Memcpy(keyName, ticketKeyNameSuffix, SESS_TICKET_KEY_VAR_NAME_LEN);
+ PORT_Memcpy(keyName, ticketKeyNameSuffix, SELF_ENCRYPT_KEY_VAR_NAME_LEN);
 *aesKey = aesKeyTmp;
 *macKey = macKeyTmp;
- return PR_TRUE;
+ return SECSuccess;
 loser:
 if (aesKeyTmp)
 PK11_FreeSymKey(aesKeyTmp);
 if (macKeyTmp)
 PK11_FreeSymKey(macKeyTmp);
- return PR_FALSE;
+ return SECFailure;
 }
-static PRBool
-GenerateAndWrapTicketKeys(SECKEYPublicKey *svrPubKey, void *pwArg,
- unsigned char *keyName, PK11SymKey **aesKey,
- PK11SymKey **macKey)
+static SECStatus
+GenerateAndWrapSelfEncryptKeys(SECKEYPublicKey *svrPubKey, void *pwArg,
+ PRUint8 *keyName, PK11SymKey **aesKey,
+ PK11SymKey **macKey)
 {
 PK11SymKey *aesKeyTmp = NULL;
 PK11SymKey *macKeyTmp = NULL;
 cacheDesc *cache = &globalCache;
+ SECStatus rv;
- if (!GenerateTicketKeys(pwArg, keyName, &aesKeyTmp, &macKeyTmp)) {
- goto loser;
+ rv = GenerateSelfEncryptKeys(pwArg, keyName, &aesKeyTmp, &macKeyTmp);
+ if (rv != SECSuccess) {
+ return SECFailure;
 }
 if (cache->cacheMem) {
 /* Export the keys to the shared cache in wrapped form. */
- if (!WrapTicketKey(svrPubKey, aesKeyTmp, "enc key", cache->ticketEncKey))
+ rv = WrapSelfEncryptKey(svrPubKey, aesKeyTmp, "enc key", cache->ticketEncKey);
+ if (rv != SECSuccess) {
 goto loser;
- if (!WrapTicketKey(svrPubKey, macKeyTmp, "mac key", cache->ticketMacKey))
+ }
+ rv = WrapSelfEncryptKey(svrPubKey, macKeyTmp, "mac key", cache->ticketMacKey);
+ if (rv != SECSuccess) {
 goto loser;
+ }
 }
 *aesKey = aesKeyTmp;
 *macKey = macKeyTmp;
- return PR_TRUE;
+ return SECSuccess;
 loser:
- if (aesKeyTmp)
- PK11_FreeSymKey(aesKeyTmp);
- if (macKeyTmp)
- PK11_FreeSymKey(macKeyTmp);
- return PR_FALSE;
+ PK11_FreeSymKey(aesKeyTmp);
+ PK11_FreeSymKey(macKeyTmp);
+ return SECFailure;
 }
-static PRBool
-UnwrapCachedTicketKeys(SECKEYPrivateKey *svrPrivKey, unsigned char *keyName,
- PK11SymKey **aesKey, PK11SymKey **macKey)
+static SECStatus
+UnwrapCachedSelfEncryptKeys(SECKEYPrivateKey *svrPrivKey, PRUint8 *keyName,
+ PK11SymKey **aesKey, PK11SymKey **macKey)
 {
 SECItem wrappedKey = { siBuffer, NULL, 0 };
 PK11SymKey *aesKeyTmp = NULL;
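Review bot: The rewritten `loser:` block in GenerateAndWrapSelfEncryptKeys drops the NULL guards and calls `PK11_FreeSymKey(aesKeyTmp); PK11_FreeSymKey(macKeyTmp);` unconditionally, while both keys are non-NULL on every path that reaches the label (the only `goto loser` sites come after GenerateSelfEncryptKeys succeeded). That is correct as written, but the sibling `loser:` blocks in GenerateSelfEncryptKeys and UnwrapCachedSelfEncryptKeys in this same diff keep the `if (aesKeyTmp)` guards, so a reader cannot tell whether PK11_FreeSymKey tolerates NULL; a comment such as `/* both keys are set by the time any goto loser runs */` above the two calls would make the invariant explicit.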
@@ -1807,55 +2024,51 @@ UnwrapCachedTicketKeys(SECKEYPrivateKey *svrPrivKey, unsigned char *keyName,
 SSL_GETPID(), "unknown"));
 PORT_Memcpy(keyName, cache->ticketKeyNameSuffix,
- SESS_TICKET_KEY_VAR_NAME_LEN);
+ SELF_ENCRYPT_KEY_VAR_NAME_LEN);
 *aesKey = aesKeyTmp;
 *macKey = macKeyTmp;
- return PR_TRUE;
+ return SECSuccess;
 loser:
 if (aesKeyTmp)
 PK11_FreeSymKey(aesKeyTmp);
 if (macKeyTmp)
 PK11_FreeSymKey(macKeyTmp);
- return PR_FALSE;
+ return SECFailure;
 }
-PRBool
-ssl_GetSessionTicketKeys(SECKEYPrivateKey *svrPrivKey,
- SECKEYPublicKey *svrPubKey, void *pwArg,
- unsigned char *keyName, PK11SymKey **aesKey,
- PK11SymKey **macKey)
+static SECStatus
+ssl_GenerateSelfEncryptKeys(void *pwArg, PRUint8 *keyName,
+ PK11SymKey **encKey, PK11SymKey **macKey)
 {
- PRUint32 now = 0;
- PRBool rv = PR_FALSE;
- PRBool keysGenerated = PR_FALSE;
+ SECKEYPrivateKey *svrPrivKey;
+ SECKEYPublicKey *svrPubKey;
+ PRUint32 now;
+ SECStatus rv;
 cacheDesc *cache = &globalCache;
- if (!cache->cacheMem) {
- /* cache is uninitialized. Generate keys and return them
- * without caching. */
- return GenerateTicketKeys(pwArg, keyName, aesKey, macKey);
+ rv = ssl_GetSelfEncryptKeyPair(&svrPubKey, &svrPrivKey);
+ if (rv != SECSuccess || !cache->cacheMem) {
+ /* No key pair for wrapping, or the cache is uninitialized. Generate
+ * keys and return them without caching. */
+ return GenerateSelfEncryptKeys(pwArg, keyName, encKey, macKey);
 }
- now = LockSidCacheLock(cache->keyCacheLock, now);
+ now = LockSidCacheLock(cache->keyCacheLock, 0);
 if (!now)
- return rv;
+ return SECFailure;
- if (!*(cache->ticketKeysValid)) {
+ if (*(cache->ticketKeysValid)) {
+ rv = UnwrapCachedSelfEncryptKeys(svrPrivKey, keyName, encKey, macKey);
+ } else {
 /* Keys do not exist, create them. */
- if (!GenerateAndWrapTicketKeys(svrPubKey, pwArg, keyName,
- aesKey, macKey))
- goto loser;
- keysGenerated = PR_TRUE;
- *(cache->ticketKeysValid) = 1;
+ rv = GenerateAndWrapSelfEncryptKeys(svrPubKey, pwArg, keyName,
+ encKey, macKey);
+ if (rv == SECSuccess) {
+ *(cache->ticketKeysValid) = 1;
+ }
 }
-
- rv = PR_TRUE;
-
-loser:
 UnlockSidCacheLock(cache->keyCacheLock);
- if (rv && !keysGenerated)
- rv = UnwrapCachedTicketKeys(svrPrivKey, keyName, aesKey, macKey);
 return rv;
 }
@@ -1868,47 +2081,45 @@ loser:
 * This is all done while holding the locks/mutexes necessary to make
 * the operation atomic.
 */
-PRBool
+SECStatus
 ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
 {
 cacheDesc *cache = &globalCache;
- PRBool rv = PR_FALSE;
- SSLAuthType authType = wswk->authType;
- /* type of keys used to wrap SymWrapKey*/
- PRInt32 symWrapMechIndex = wswk->symWrapMechIndex;
+ PRBool rv = SECFailure;
 PRUint32 ndx;
- PRUint32 now = 0;
+ PRUint32 now;
 SSLWrappedSymWrappingKey myWswk;
 if (!cache->cacheMem) { /* cache is uninitialized */
 PORT_SetError(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED);
- return 0;
+ return SECFailure;
 }
- PORT_Assert((unsigned)authType < ssl_auth_size);
- if ((unsigned)authType >= ssl_auth_size)
- return 0;
-
- PORT_Assert((unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS);
- if ((unsigned)symWrapMechIndex >= SSL_NUM_WRAP_MECHS)
- return 0;
+ PORT_Assert(wswk->wrapMechIndex < SSL_NUM_WRAP_MECHS);
+ PORT_Assert(wswk->wrapKeyIndex < SSL_NUM_WRAP_KEYS);
+ if (wswk->wrapMechIndex >= SSL_NUM_WRAP_MECHS ||
+ wswk->wrapKeyIndex >= SSL_NUM_WRAP_KEYS) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
- ndx = (authType * SSL_NUM_WRAP_MECHS) + symWrapMechIndex;
+ ndx = (wswk->wrapKeyIndex * SSL_NUM_WRAP_MECHS) + wswk->wrapMechIndex;
 PORT_Memset(&myWswk, 0, sizeof myWswk); /* eliminate UMRs. */
- now = LockSidCacheLock(cache->keyCacheLock, now);
- if (now) {
- rv = getSvrWrappingKey(wswk->symWrapMechIndex, wswk->authType,
- &myWswk, cache, now);
- if (rv) {
- /* we found it on disk, copy it out to the caller. */
- PORT_Memcpy(wswk, &myWswk, sizeof *wswk);
- } else {
- /* Wasn't on disk, and we're still holding the lock, so write it. */
- cache->keyCacheData[ndx] = *wswk;
- }
- UnlockSidCacheLock(cache->keyCacheLock);
+ now = LockSidCacheLock(cache->keyCacheLock, 0);
+ if (!now) {
+ return SECFailure;
+ }
+ rv = getSvrWrappingKey(wswk->wrapMechIndex, wswk->wrapKeyIndex,
+ &myWswk, cache, now);
+ if (rv == SECSuccess) {
+ /* we found it on disk, copy it out to the caller. */
+ PORT_Memcpy(wswk, &myWswk, sizeof *wswk);
+ } else {
+ /* Wasn't on disk, and we're still holding the lock, so write it. */
+ cache->keyCacheData[ndx] = *wswk;
 }
+ UnlockSidCacheLock(cache->keyCacheLock);
 return rv;
 }
@@ -1946,14 +2157,13 @@ SSL_InheritMPServerSIDCache(const char *envString)
 return SECFailure;
 }
-PRBool
-ssl_GetWrappingKey(PRInt32 symWrapMechIndex,
- SSLAuthType authType,
+SECStatus
+ssl_GetWrappingKey(unsigned int wrapMechIndex,
+ unsigned int wrapKeyIndex,
 SSLWrappedSymWrappingKey *wswk)
 {
- PRBool rv = PR_FALSE;
 PR_ASSERT(!"SSL servers are not supported on this platform. (ssl_GetWrappingKey)");
- return rv;
+ return SECFailure;
 }
 /* This is a kind of test-and-set. The caller passes in the new value it wants
@@ -1965,12 +2175,11 @@ ssl_GetWrappingKey(PRInt32 symWrapMechIndex,
 * This is all done while holding the locks/mutexes necessary to make
 * the operation atomic.
 */
-PRBool
+SECStatus
 ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
 {
- PRBool rv = PR_FALSE;
 PR_ASSERT(!"SSL servers are not supported on this platform. (ssl_SetWrappingKey)");
- return rv;
+ return SECFailure;
 }
 PRUint32
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
index f089c75e01..99828c85b1 100644
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
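Review bot: ssl_SetWrappingKey returns the value of `rv` from getSvrWrappingKey, so after the `else` branch writes `cache->keyCacheData[ndx] = *wswk;` successfully the function still returns SECFailure, and getSvrWrappingKey does not set an error code on the not-found path, so a caller that treats SECFailure as an error sees a stale error code for what was a successful store. If the intended contract is "SECSuccess means an existing key was copied back into *wswk" (the old PRBool semantics), that should be stated in the function's header comment, which sits above this hunk; otherwise the write branch should set `rv = SECSuccess;` and callers distinguish the two cases another way. The earlier hunk in this file (`@@ -1608,36 +1600,260 @@`) already notes the `PRBool rv = SECFailure;` type mismatch here.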
@@ -330,6 +330,10 @@ ssl_DupSocket(sslSocket *os)
 ss->getClientAuthDataArg = os->getClientAuthDataArg;
 ss->sniSocketConfig = os->sniSocketConfig;
 ss->sniSocketConfigArg = os->sniSocketConfigArg;
+ ss->alertReceivedCallback = os->alertReceivedCallback;
+ ss->alertReceivedCallbackArg = os->alertReceivedCallbackArg;
+ ss->alertSentCallback = os->alertSentCallback;
+ ss->alertSentCallbackArg = os->alertSentCallbackArg;
 ss->handleBadCert = os->handleBadCert;
 ss->badCertArg = os->badCertArg;
 ss->handshakeCallback = os->handshakeCallback;
@@ -2148,6 +2152,14 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
 ss->sniSocketConfig = sm->sniSocketConfig;
 if (sm->sniSocketConfigArg)
 ss->sniSocketConfigArg = sm->sniSocketConfigArg;
+ if (sm->alertReceivedCallback) {
+ ss->alertReceivedCallback = sm->alertReceivedCallback;
+ ss->alertReceivedCallbackArg = sm->alertReceivedCallbackArg;
+ }
+ if (sm->alertSentCallback) {
+ ss->alertSentCallback = sm->alertSentCallback;
+ ss->alertSentCallbackArg = sm->alertSentCallbackArg;
+ }
 if (sm->handleBadCert)
 ss->handleBadCert = sm->handleBadCert;
 if (sm->badCertArg)
@@ -2161,61 +2173,82 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
 return fd;
 }
-/*
- * Get the user supplied range
- */
-static SECStatus
-ssl3_GetRangePolicy(SSLProtocolVariant protocolVariant, SSLVersionRange *prange)
+SECStatus
+ssl3_GetEffectiveVersionPolicy(SSLProtocolVariant variant,
+ SSLVersionRange *effectivePolicy)
 {
 SECStatus rv;
- PRUint32 policy;
- PRInt32 option;
+ PRUint32 policyFlag;
+ PRInt32 minPolicy, maxPolicy;
- /* only use policy constraints if we've set the apply ssl policy bit */
- rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policy);
- if ((rv != SECSuccess) || !(policy & NSS_USE_POLICY_IN_SSL)) {
- return SECFailure;
+ if (variant == ssl_variant_stream) {
+ effectivePolicy->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM;
+ effectivePolicy->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
+ } else {
+ effectivePolicy->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM;
+ effectivePolicy->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
 }
- rv = NSS_OptionGet(VERSIONS_POLICY_MIN(protocolVariant), &option);
+
+ rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policyFlag);
+ if ((rv != SECSuccess) || !(policyFlag & NSS_USE_POLICY_IN_SSL)) {
+ /* Policy is not active, report library extents. */
+ return SECSuccess;
+ }
+
+ rv = NSS_OptionGet(VERSIONS_POLICY_MIN(variant), &minPolicy);
 if (rv != SECSuccess) {
- return rv;
+ return SECFailure;
 }
- prange->min = (PRUint16)option;
- rv = NSS_OptionGet(VERSIONS_POLICY_MAX(protocolVariant), &option);
+ rv = NSS_OptionGet(VERSIONS_POLICY_MAX(variant), &maxPolicy);
 if (rv != SECSuccess) {
- return rv;
+ return SECFailure;
 }
- prange->max = (PRUint16)option;
- if (prange->max < prange->min) {
- return SECFailure; /* don't accept an invalid policy */
+
+ if (minPolicy > effectivePolicy->max ||
+ maxPolicy < effectivePolicy->min ||
+ minPolicy > maxPolicy) {
+ return SECFailure;
 }
+ effectivePolicy->min = PR_MAX(effectivePolicy->min, minPolicy);
+ effectivePolicy->max = PR_MIN(effectivePolicy->max, maxPolicy);
 return SECSuccess;
 }
-/*
- * Constrain a single protocol variant's range based on the user policy
+/*
+ * Assumes that rangeParam values are within the supported boundaries,
+ * but should contain all potentially allowed versions, even if they contain
+ * conflicting versions.
+ * Will return the overlap, or a NONE range if system policy is invalid.
 */
 static SECStatus
-ssl3_ConstrainVariantRangeByPolicy(SSLProtocolVariant protocolVariant)
+ssl3_CreateOverlapWithPolicy(SSLProtocolVariant protocolVariant,
+ SSLVersionRange *input,
+ SSLVersionRange *overlap)
 {
- SSLVersionRange vrange;
- SSLVersionRange pvrange;
 SECStatus rv;
+ SSLVersionRange effectivePolicyBoundary;
+ SSLVersionRange vrange;
- vrange = *VERSIONS_DEFAULTS(protocolVariant);
- rv = ssl3_GetRangePolicy(protocolVariant, &pvrange);
- if (rv != SECSuccess) {
- return SECSuccess; /* we don't have any policy */
+ PORT_Assert(input != NULL);
+
+ rv = ssl3_GetEffectiveVersionPolicy(protocolVariant,
+ &effectivePolicyBoundary);
+ if (rv == SECFailure) {
+ /* SECFailure means internal failure or invalid configuration. */
+ overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE;
+ return SECFailure;
 }
- vrange.min = PR_MAX(vrange.min, pvrange.min);
- vrange.max = PR_MIN(vrange.max, pvrange.max);
- if (vrange.max >= vrange.min) {
- *VERSIONS_DEFAULTS(protocolVariant) = vrange;
- } else {
+
+ vrange.min = PR_MAX(input->min, effectivePolicyBoundary.min);
+ vrange.max = PR_MIN(input->max, effectivePolicyBoundary.max);
+
+ if (vrange.max < vrange.min) {
 /* there was no overlap, turn off range altogether */
- pvrange.min = pvrange.max = SSL_LIBRARY_VERSION_NONE;
- *VERSIONS_DEFAULTS(protocolVariant) = pvrange;
+ overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE;
+ return SECFailure;
 }
+
+ *overlap = vrange;
 return SECSuccess;
 }
@@ -2223,16 +2256,17 @@ static PRBool
 ssl_VersionIsSupportedByPolicy(SSLProtocolVariant protocolVariant,
 SSL3ProtocolVersion version)
 {
- SSLVersionRange pvrange;
 SECStatus rv;
+ SSLVersionRange effectivePolicyBoundary;
- rv = ssl3_GetRangePolicy(protocolVariant, &pvrange);
- if (rv == SECSuccess) {
- if ((version > pvrange.max) || (version < pvrange.min)) {
- return PR_FALSE; /* disallowed by policy */
- }
+ rv = ssl3_GetEffectiveVersionPolicy(protocolVariant,
+ &effectivePolicyBoundary);
+ if (rv == SECFailure) {
+ /* SECFailure means internal failure or invalid configuration. */
+ return PR_FALSE;
 }
- return PR_TRUE;
+ return version >= effectivePolicyBoundary.min &&
+ version <= effectivePolicyBoundary.max;
 }
 /*
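Review bot: Both failure paths of ssl3_CreateOverlapWithPolicy (invalid policy from ssl3_GetEffectiveVersionPolicy, and the empty-overlap branch) return SECFailure without calling PORT_SetError, and ssl3_GetEffectiveVersionPolicy's own `minPolicy > maxPolicy` rejection does the same; since later hunks propagate this value straight out of the public SSL_VersionRangeGetSupported, SSL_VersionRangeGetDefault, SSL_VersionRangeGet, SSL_VersionRangeSet and SSL_VersionRangeSetDefault, applications get SECFailure with whatever error code was last set. Setting an error at the source, e.g. `PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);` before each of those `return SECFailure;`, keeps the NSS convention that every SECFailure carries an error code. ssl3_GetEffectiveVersionPolicy is also now an exported, undocumented function; a header comment along the lines of `/* Reports the version range allowed by the system policy for |variant|, clipped to what this library supports; when no policy is active it reports the library extents. Returns SECFailure if the policy is internally inconsistent. */` would replace the removed "Get the user supplied range" comment.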
@@ -2242,52 +2276,44 @@ ssl_VersionIsSupportedByPolicy(SSLProtocolVariant protocolVariant,
 SECStatus
 ssl3_ConstrainRangeByPolicy(void)
 {
- SECStatus rv;
- rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_stream);
- if (rv != SECSuccess) {
- return rv;
- }
- rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_datagram);
- if (rv != SECSuccess) {
- return rv;
- }
+ /* We ignore failures in ssl3_CreateOverlapWithPolicy. Although an empty
+ * overlap disables all connectivity, it's an allowed state.
+ */
+ ssl3_CreateOverlapWithPolicy(ssl_variant_stream,
+ VERSIONS_DEFAULTS(ssl_variant_stream),
+ VERSIONS_DEFAULTS(ssl_variant_stream));
+ ssl3_CreateOverlapWithPolicy(ssl_variant_datagram,
+ VERSIONS_DEFAULTS(ssl_variant_datagram),
+ VERSIONS_DEFAULTS(ssl_variant_datagram));
 return SECSuccess;
 }
 PRBool
-ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
- SSL3ProtocolVersion version)
+ssl3_VersionIsSupportedByCode(SSLProtocolVariant protocolVariant,
+ SSL3ProtocolVersion version)
 {
- if (!ssl_VersionIsSupportedByPolicy(protocolVariant, version)) {
- return PR_FALSE;
- }
 switch (protocolVariant) {
 case ssl_variant_stream:
- return (version >= SSL_LIBRARY_VERSION_3_0 &&
+ return (version >= SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM &&
 version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
 case ssl_variant_datagram:
- return (version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
+ return (version >= SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM &&
 version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
- default:
- /* Can't get here */
- PORT_Assert(PR_FALSE);
- return PR_FALSE;
 }
+
+ /* Can't get here */
+ PORT_Assert(PR_FALSE);
+ return PR_FALSE;
 }
-/* Returns PR_TRUE if the given version range is valid and
-** fully supported; otherwise, returns PR_FALSE.
-*/
-static PRBool
-ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant,
- const SSLVersionRange *vrange)
+PRBool
+ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
+ SSL3ProtocolVersion version)
 {
- return vrange &&
- vrange->min <= vrange->max &&
- ssl3_VersionIsSupported(protocolVariant, vrange->min) &&
- ssl3_VersionIsSupported(protocolVariant, vrange->max) &&
- (vrange->min > SSL_LIBRARY_VERSION_3_0 ||
- vrange->max < SSL_LIBRARY_VERSION_TLS_1_3);
+ if (!ssl_VersionIsSupportedByPolicy(protocolVariant, version)) {
+ return PR_FALSE;
+ }
+ return ssl3_VersionIsSupportedByCode(protocolVariant, version);
 }
 const SECItem *
@@ -2313,6 +2339,8 @@ SECStatus
 SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant,
 SSLVersionRange *vrange)
 {
+ SECStatus rv;
+
 if (!vrange) {
 PORT_SetError(SEC_ERROR_INVALID_ARGS);
 return SECFailure;
@@ -2320,15 +2348,15 @@ SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant,
 switch (protocolVariant) {
 case ssl_variant_stream:
- vrange->min = SSL_LIBRARY_VERSION_3_0;
+ vrange->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM;
 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
- // We don't allow SSLv3 and TLSv1.3 together.
- if (vrange->max == SSL_LIBRARY_VERSION_TLS_1_3) {
- vrange->min = SSL_LIBRARY_VERSION_TLS_1_0;
- }
+ /* We don't allow SSLv3 and TLSv1.3 together.
+ * However, don't check yet, apply the policy first.
+ * Because if the effective supported range doesn't use TLS 1.3,
+ * then we don't need to increase the minimum. */
 break;
 case ssl_variant_datagram:
- vrange->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM;
+ vrange->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM;
 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
 break;
 default:
@@ -2336,6 +2364,17 @@ SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant,
 return SECFailure;
 }
+ rv = ssl3_CreateOverlapWithPolicy(protocolVariant, vrange, vrange);
+ if (rv != SECSuccess) {
+ /* Library default and policy don't overlap. */
+ return rv;
+ }
+
+ /* We don't allow SSLv3 and TLSv1.3 together */
+ if (vrange->max >= SSL_LIBRARY_VERSION_TLS_1_3) {
+ vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
+ }
+
 return SECSuccess;
 }
@@ -2351,6 +2390,43 @@ SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant,
 }
 *vrange = *VERSIONS_DEFAULTS(protocolVariant);
+ return ssl3_CreateOverlapWithPolicy(protocolVariant, vrange, vrange);
+}
+
+static PRBool
+ssl3_HasConflictingSSLVersions(const SSLVersionRange *vrange)
+{
+ return (vrange->min <= SSL_LIBRARY_VERSION_3_0 &&
+ vrange->max >= SSL_LIBRARY_VERSION_TLS_1_3);
+}
+
+static SECStatus
+ssl3_CheckRangeValidAndConstrainByPolicy(SSLProtocolVariant protocolVariant,
+ SSLVersionRange *vrange)
+{
+ SECStatus rv;
+
+ if (vrange->min > vrange->max ||
+ !ssl3_VersionIsSupportedByCode(protocolVariant, vrange->min) ||
+ !ssl3_VersionIsSupportedByCode(protocolVariant, vrange->max) ||
+ ssl3_HasConflictingSSLVersions(vrange)) {
+ PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
+ return SECFailure;
+ }
+
+ /* Try to adjust the received range using our policy.
+ * If there's overlap, we'll use the (possibly reduced) range.
+ * If there isn't overlap, it's failure. */
+
+ rv = ssl3_CreateOverlapWithPolicy(protocolVariant, vrange, vrange);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+
+ /* We don't allow SSLv3 and TLSv1.3 together */
+ if (vrange->max >= SSL_LIBRARY_VERSION_TLS_1_3) {
+ vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
+ }
 return SECSuccess;
 }
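Review bot: In ssl3_CheckRangeValidAndConstrainByPolicy the trailing "SSLv3 and TLSv1.3 together" adjustment cannot fire: ssl3_HasConflictingSSLVersions has already rejected any input with `min <= 3.0 && max >= 1.3`, and ssl3_CreateOverlapWithPolicy only raises `min` and lowers `max`, so the overlap can never introduce the conflict. Keeping it as defence in depth is fine, but then it should say so, e.g. `/* Unreachable after the conflict check above; kept so this helper is safe if the validity check is ever relaxed. */`, or be replaced by `PORT_Assert(!ssl3_HasConflictingSSLVersions(vrange));`. The same adjustment in SSL_VersionRangeGetSupported is needed there, since that function starts from the full library range without the conflict check.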
@@ -2359,13 +2435,21 @@ SECStatus SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant, const SSLVersionRange *vrange) { - if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) { - PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); + SSLVersionRange constrainedRange; + SECStatus rv; + + if (!vrange) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - *VERSIONS_DEFAULTS(protocolVariant) = *vrange; + constrainedRange = *vrange; + rv = ssl3_CheckRangeValidAndConstrainByPolicy(protocolVariant, + &constrainedRange); + if (rv != SECSuccess) + return rv; + *VERSIONS_DEFAULTS(protocolVariant) = constrainedRange; return SECSuccess; } @@ -2393,24 +2477,33 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange) ssl_ReleaseSSL3HandshakeLock(ss); ssl_Release1stHandshakeLock(ss); - return SECSuccess; + return ssl3_CreateOverlapWithPolicy(ss->protocolVariant, vrange, vrange); } SECStatus SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) { - sslSocket *ss = ssl_FindSocket(fd); + SSLVersionRange constrainedRange; + sslSocket *ss; + SECStatus rv; + + if (!vrange) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeSet", SSL_GETPID(), fd)); return SECFailure; } - if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) { - PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); - return SECFailure; - } + constrainedRange = *vrange; + rv = ssl3_CheckRangeValidAndConstrainByPolicy(ss->protocolVariant, + &constrainedRange); + if (rv != SECSuccess) + return rv; ssl_Get1stHandshakeLock(ss); ssl_GetSSL3HandshakeLock(ss); @@ -2423,7 +2516,7 @@ SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) return SECFailure; } - ss->vrange = *vrange; + ss->vrange = constrainedRange; ssl_ReleaseSSL3HandshakeLock(ss); ssl_Release1stHandshakeLock(ss); 
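Review bot: The two new early returns `if (rv != SECSuccess) return rv;` in SSL_VersionRangeSetDefault and SSL_VersionRangeSet are the only unbraced control bodies in these hunks, while the neighbouring `if (!vrange) { ... }` and `if (!ss) { ... }` are braced; writing them as `if (rv != SECSuccess) {` / `return rv;` / `}` keeps the file's style and avoids the unbraced-if trap when a line is later added. In SSL_VersionRangeGet the new `return ssl3_CreateOverlapWithPolicy(ss->protocolVariant, vrange, vrange);` runs after both locks are released and has already written into the caller's `vrange` when it fails, so the public contract should state that `*vrange` is unspecified on SECFailure.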
@@ -3672,7 +3765,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
 ss->opt.noLocks = !makeLocks;
 ss->vrange = *VERSIONS_DEFAULTS(protocolVariant);
 ss->protocolVariant = protocolVariant;
-
+ /* Ignore overlap failures, because returning NULL would trigger assertion
+ * failures elsewhere. We don't want this scenario to be fatal, it's just
+ * a state where no SSL connectivity is possible. */
+ ssl3_CreateOverlapWithPolicy(ss->protocolVariant, &ss->vrange, &ss->vrange);
 ss->peerID = NULL;
 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
@@ -3690,6 +3786,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
 ss->sniSocketConfig = NULL;
 ss->sniSocketConfigArg = NULL;
 ss->getClientAuthData = NULL;
+ ss->alertReceivedCallback = NULL;
+ ss->alertReceivedCallbackArg = NULL;
+ ss->alertSentCallback = NULL;
+ ss->alertSentCallbackArg = NULL;
 ss->handleBadCert = NULL;
 ss->badCertArg = NULL;
 ss->pkcs11PinArg = NULL;
diff --git a/security/nss/lib/ssl/sslt.h b/security/nss/lib/ssl/sslt.h
index 506b78d649..bd9a2ae88a 100644
--- a/security/nss/lib/ssl/sslt.h
+++ b/security/nss/lib/ssl/sslt.h
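Review bot: Discarding the ssl3_CreateOverlapWithPolicy result in ssl_NewSocket leaves `ss->vrange` holding a range the policy rejects with no trace of why; the comment explains the choice but not the observable effect. Since SSL_VersionRangeGet in this same file now returns the overlap result, a socket created in this state will presumably report SECFailure from SSL_VersionRangeGet and never negotiate a version, which is worth stating so that whoever debugs a dead socket knows where to look: `* A socket left in this state cannot negotiate any version; SSL_VersionRangeGet on it reports the overlap failure. */`. A debug-only SSL_DBG trace at this point would make the policy conflict diagnosable without a debugger. ssl_NewSocket continues outside this hunk.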
@@ -298,6 +298,21 @@ typedef struct SSLPreliminaryChannelInfoStr { /* Cipher suite: test (valuesSet & ssl_preinfo_cipher_suite) */ PRUint16 cipherSuite; + /* The following fields were added in NSS 3.29. */ + /* |canSendEarlyData| is true when a 0-RTT is enabled. This can only be + * true after sending the ClientHello and before the handshake completes. + */ + PRBool canSendEarlyData; + + /* The following fields were added in NSS 3.31. */ + /* The number of early data octets that a client is permitted to send on + * this connection. The value will be zero if the connection was not + * resumed or early data is not permitted. For a client, this value only + * has meaning if |canSendEarlyData| is true. For a server, this indicates + * the value that was advertised in the session ticket that was used to + * resume this session. */ + PRUint32 maxEarlyDataSize; + /* When adding new fields to this structure, please document the * NSS version in which they were added. */ } SSLPreliminaryChannelInfo; @@ -395,11 +410,10 @@ typedef enum { /* This is the old name for the supported_groups extensions. */ #define ssl_elliptic_curves_xtn ssl_supported_groups_xtn -/* SSL_MAX_EXTENSIONS doesn't include ssl_padding_xtn. It includes the maximum - * number of extensions that are supported for any single message type. That - * is, a ClientHello; ServerHello and TLS 1.3 NewSessionTicket and - * HelloRetryRequest extensions are smaller. */ -#define SSL_MAX_EXTENSIONS 19 +/* SSL_MAX_EXTENSIONS includes the maximum number of extensions that are + * supported for any single message type. That is, a ClientHello; ServerHello + * and TLS 1.3 NewSessionTicket and HelloRetryRequest extensions have fewer. */ +#define SSL_MAX_EXTENSIONS 20 /* Deprecated */ typedef enum { diff --git a/security/nss/lib/ssl/tls13con.c b/security/nss/lib/ssl/tls13con.c index c6a5847488..560493848b 100644 --- a/security/nss/lib/ssl/tls13con.c +++ b/security/nss/lib/ssl/tls13con.c 
@@ -22,9 +22,10 @@ #include "tls13exthandle.h" typedef enum { - TrafficKeyEarlyApplicationData, - TrafficKeyHandshake, - TrafficKeyApplicationData + TrafficKeyClearText = 0, + TrafficKeyEarlyApplicationData = 1, + TrafficKeyHandshake = 2, + TrafficKeyApplicationData = 3 } TrafficKeyType; typedef enum { @@ -56,17 +57,17 @@ static SECStatus tls13_SendHelloRetryRequest(sslSocket *ss, const sslNamedGroupDef *selectedGroup); static SECStatus tls13_HandleServerKeyShare(sslSocket *ss); -static SECStatus tls13_HandleEncryptedExtensions(sslSocket *ss, SSL3Opaque *b, +static SECStatus tls13_HandleEncryptedExtensions(sslSocket *ss, PRUint8 *b, PRUint32 length); static SECStatus tls13_SendCertificate(sslSocket *ss); static SECStatus tls13_HandleCertificate( - sslSocket *ss, SSL3Opaque *b, PRUint32 length); -static SECStatus tls13_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, + sslSocket *ss, PRUint8 *b, PRUint32 length); +static SECStatus tls13_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, PRUint32 length); static SECStatus tls13_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey); static SECStatus tls13_HandleCertificateVerify( - sslSocket *ss, SSL3Opaque *b, PRUint32 length, + sslSocket *ss, PRUint8 *b, PRUint32 length, SSL3Hashes *hashes); static SECStatus tls13_RecoverWrappedSharedSecret(sslSocket *ss, sslSessionID *sid); @@ -76,7 +77,6 @@ tls13_DeriveSecret(sslSocket *ss, PK11SymKey *key, const char *suffix, const SSL3Hashes *hashes, PK11SymKey **dest); -static void tls13_SetNullCipherSpec(sslSocket *ss, ssl3CipherSpec **specp); static SECStatus tls13_SendEndOfEarlyData(sslSocket *ss); static SECStatus tls13_SendFinished(sslSocket *ss, PK11SymKey *baseKey); static SECStatus tls13_ComputePskBinderHash(sslSocket *ss, 
@@ -84,15 +84,15 @@ static SECStatus tls13_ComputePskBinderHash(sslSocket *ss, SSL3Hashes *hashes); static SECStatus tls13_VerifyFinished(sslSocket *ss, SSL3HandshakeType message, PK11SymKey *secret, - SSL3Opaque *b, PRUint32 length, + PRUint8 *b, PRUint32 length, const SSL3Hashes *hashes); static SECStatus tls13_ClientHandleFinished(sslSocket *ss, - SSL3Opaque *b, PRUint32 length, + PRUint8 *b, PRUint32 length, const SSL3Hashes *hashes); static SECStatus tls13_ServerHandleFinished(sslSocket *ss, - SSL3Opaque *b, PRUint32 length, + PRUint8 *b, PRUint32 length, const SSL3Hashes *hashes); -static SECStatus tls13_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, +static SECStatus tls13_HandleNewSessionTicket(sslSocket *ss, PRUint8 *b, PRUint32 length); static SECStatus tls13_ComputeHandshakeHashes(sslSocket *ss, SSL3Hashes *hashes); @@ -132,7 +132,7 @@ const SSL3ProtocolVersion kDtlsRecordVersion = SSL_LIBRARY_VERSION_TLS_1_1; PR_STATIC_ASSERT(SSL_LIBRARY_VERSION_MAX_SUPPORTED <= SSL_LIBRARY_VERSION_TLS_1_3); -/* Use this instead of FATAL_ERROR when an alert isn't possible. */ +/* Use this instead of FATAL_ERROR when no alert shall be sent. */ #define LOG_ERROR(ss, prError) \ do { \ SSL_TRC(3, ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)", \ @@ -163,15 +163,21 @@ static char * tls13_HandshakeState(SSL3WaitState st) { switch (st) { + STATE_CASE(idle_handshake); STATE_CASE(wait_client_hello); STATE_CASE(wait_client_cert); + STATE_CASE(wait_client_key); STATE_CASE(wait_cert_verify); + STATE_CASE(wait_change_cipher); STATE_CASE(wait_finished); STATE_CASE(wait_server_hello); + STATE_CASE(wait_certificate_status); STATE_CASE(wait_server_cert); + STATE_CASE(wait_server_key); STATE_CASE(wait_cert_request); + STATE_CASE(wait_hello_done); + STATE_CASE(wait_new_session_ticket); STATE_CASE(wait_encrypted_extensions); - STATE_CASE(idle_handshake); default: break; } 
@@ -426,10 +432,7 @@ tls13_SetupClientHello(sslSocket *ss) session_ticket = &sid->u.ssl3.locked.sessionTicket; PORT_Assert(session_ticket && session_ticket->ticket.data); - if (session_ticket->ticket_lifetime_hint == 0 || - (session_ticket->ticket_lifetime_hint + - session_ticket->received_timestamp > - ssl_Time())) { + if (ssl_TicketTimeValid(session_ticket)) { ss->statelessResume = PR_TRUE; } @@ -465,7 +468,7 @@ tls13_SetupClientHello(sslSocket *ss) static SECStatus tls13_ImportDHEKeyShare(sslSocket *ss, SECKEYPublicKey *peerKey, - SSL3Opaque *b, PRUint32 length, + PRUint8 *b, PRUint32 length, SECKEYPublicKey *pubKey) { SECStatus rv; @@ -556,7 +559,7 @@ loser: } SECStatus -tls13_HandlePostHelloHandshakeMessage(sslSocket *ss, SSL3Opaque *b, +tls13_HandlePostHelloHandshakeMessage(sslSocket *ss, PRUint8 *b, PRUint32 length, SSL3Hashes *hashesPtr) { if (ss->sec.isServer && ss->ssl3.hs.zeroRttIgnore != ssl_0rtt_ignore_none) { @@ -625,13 +628,9 @@ tls13_RecoverWrappedSharedSecret(sslSocket *ss, sslSessionID *sid) hashType = tls13_GetHashForCipherSuite(sid->u.ssl3.cipherSuite); /* If we are the server, we compute the wrapping key, but if we - * are the client, it's coordinates are stored with the ticket. */ + * are the client, its coordinates are stored with the ticket. */ if (ss->sec.isServer) { - const sslServerCert *serverCert; - - serverCert = ssl_FindServerCert(ss, &sid->certType); - PORT_Assert(serverCert); - wrapKey = ssl3_GetWrappingKey(ss, NULL, serverCert, + wrapKey = ssl3_GetWrappingKey(ss, NULL, sid->u.ssl3.masterWrapMech, ss->pkcs11PinArg); } else { 
@@ -934,7 +933,7 @@ tls13_CanResume(sslSocket *ss, const sslSessionID *sid)
 * do remember the type of certificate we originally used, so we can locate
 * it again, provided that the current ssl socket has had its server certs
 * configured the same as the previous one. */
- sc = ssl_FindServerCert(ss, &sid->certType);
+ sc = ssl_FindServerCert(ss, sid->authType, sid->namedCurve);
 if (!sc || !sc->serverCert) {
 return PR_FALSE;
 }
@@ -943,27 +942,6 @@ tls13_CanResume(sslSocket *ss, const sslSessionID *sid)
 }
 static PRBool
-tls13_AlpnTagAllowed(const sslSocket *ss, const SECItem *tag)
-{
- const unsigned char *data = ss->opt.nextProtoNego.data;
- unsigned int length = ss->opt.nextProtoNego.len;
- unsigned int offset = 0;
-
- if (!tag->len)
- return PR_TRUE;
-
- while (offset < length) {
- unsigned int taglen = (unsigned int)data[offset];
- if ((taglen == tag->len) &&
- !PORT_Memcmp(data + offset + 1, tag->data, tag->len))
- return PR_TRUE;
- offset += 1 + taglen;
- }
-
- return PR_FALSE;
-}
-
-static PRBool
 tls13_CanNegotiateZeroRtt(sslSocket *ss, const sslSessionID *sid)
 {
 PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_sent);
@@ -1158,6 +1136,30 @@ tls13_NegotiateKeyExchange(sslSocket *ss, TLS13KeyShareEntry **clientShare)
 return SECSuccess;
 }
+SSLAuthType
+ssl_SignatureSchemeToAuthType(SSLSignatureScheme scheme)
+{
+ switch (scheme) {
+ case ssl_sig_rsa_pkcs1_sha1:
+ case ssl_sig_rsa_pkcs1_sha256:
+ case ssl_sig_rsa_pkcs1_sha384:
+ case ssl_sig_rsa_pkcs1_sha512:
+ /* We report PSS signatures as being just RSA signatures. */
+ case ssl_sig_rsa_pss_sha256:
+ case ssl_sig_rsa_pss_sha384:
+ case ssl_sig_rsa_pss_sha512:
+ return ssl_auth_rsa_sign;
+ case ssl_sig_ecdsa_secp256r1_sha256:
+ case ssl_sig_ecdsa_secp384r1_sha384:
+ case ssl_sig_ecdsa_secp521r1_sha512:
+ case ssl_sig_ecdsa_sha1:
+ return ssl_auth_ecdsa;
+ default:
+ PORT_Assert(0);
+ }
+ return ssl_auth_null;
+}
+
 SECStatus
 tls13_SelectServerCert(sslSocket *ss)
 {
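Review bot: ssl_SignatureSchemeToAuthType falls through `PORT_Assert(0)` to `return ssl_auth_null;` for any unmapped scheme, so in a release build an unexpected value is mapped silently rather than reported. The callers this commit introduces (tls13_SelectServerCert in the next hunk and tls13_HandleCertificateVerify later in the file) store the result straight into `ss->sec.authType` without checking for ssl_auth_null, which is only safe if the scheme was validated against the supported list before reaching here — presumably the case, but not visible in this diff. A short contract comment would make that dependency explicit: `/* Maps a negotiated signature scheme to its certificate auth type. |scheme| must already be validated; unmapped schemes return ssl_auth_null (and assert in debug builds). */`.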
@@ -1181,8 +1183,7 @@ tls13_SelectServerCert(sslSocket *ss) cursor = PR_NEXT_LINK(cursor)) { sslServerCert *cert = (sslServerCert *)cursor; - if (cert->certType.authType == ssl_auth_rsa_pss || - cert->certType.authType == ssl_auth_rsa_decrypt) { + if (SSL_CERT_IS_ONLY(cert, ssl_auth_rsa_decrypt)) { continue; } @@ -1195,8 +1196,8 @@ tls13_SelectServerCert(sslSocket *ss) if (rv == SECSuccess) { /* Found one. */ ss->sec.serverCert = cert; - ss->sec.authType = cert->certType.authType; - ss->ssl3.hs.kea_def_mutable.authKeyType = cert->certType.authType; + ss->sec.authType = ss->ssl3.hs.kea_def_mutable.authKeyType = + ssl_SignatureSchemeToAuthType(ss->ssl3.hs.signatureScheme); ss->sec.authKeyBits = cert->serverKeyBits; return SECSuccess; } @@ -1227,8 +1228,6 @@ tls13_NegotiateAuthentication(sslSocket *ss) if (rv != SECSuccess) { return SECFailure; } - ss->ssl3.hs.kea_def_mutable.authKeyType = - ss->sec.serverCert->certType.authType; return SECSuccess; } @@ -1248,16 +1247,6 @@ tls13_HandleClientHelloPart2(sslSocket *ss, if (ssl3_ExtensionNegotiated(ss, ssl_tls13_early_data_xtn)) { ss->ssl3.hs.zeroRttState = ssl_0rtt_sent; - - if (IS_DTLS(ss)) { - /* Save the null spec, which we should be currently reading. We will - * use this when 0-RTT sending is over. */ - ssl_GetSpecReadLock(ss); - ss->ssl3.hs.nullSpec = ss->ssl3.crSpec; - tls13_CipherSpecAddRef(ss->ssl3.hs.nullSpec); - PORT_Assert(ss->ssl3.hs.nullSpec->cipher_def->cipher == cipher_null); - ssl_ReleaseSpecReadLock(ss); - } } #ifndef PARANOID @@ -1340,6 +1329,10 @@ tls13_HandleClientHelloPart2(sslSocket *ss, goto loser; } + ss->sec.serverCert = ssl_FindServerCert(ss, sid->authType, + sid->namedCurve); + PORT_Assert(ss->sec.serverCert); + rv = tls13_RecoverWrappedSharedSecret(ss, sid); if (rv != SECSuccess) { SSL_AtomicIncrementLong(&ssl3stats->hch_sid_cache_not_ok); 
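Review bot: The new `ss->sec.serverCert = ssl_FindServerCert(ss, sid->authType, sid->namedCurve);` in tls13_HandleClientHelloPart2 is guarded only by `PORT_Assert(ss->sec.serverCert);`, and the following hunk dereferences it in `CERT_DupCertificate(ss->sec.serverCert->serverCert)`, so a NULL lookup in a release build becomes a NULL dereference on the resumption path. The same lookup in tls13_CanResume (earlier in this diff) already returns PR_FALSE when `!sc || !sc->serverCert`, so this should be unreachable, but the path is driven by ticket contents presented by the peer and an explicit `if (!ss->sec.serverCert) { FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error); goto loser; }` would fail closed if the two lookups ever diverge. The enclosing function starts and ends outside this hunk.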
@@ -1348,12 +1341,11 @@ tls13_HandleClientHelloPart2(sslSocket *ss, } tls13_RestoreCipherInfo(ss, sid); - ss->sec.serverCert = ssl_FindServerCert(ss, &sid->certType); - PORT_Assert(ss->sec.serverCert); ss->sec.localCert = CERT_DupCertificate(ss->sec.serverCert->serverCert); if (sid->peerCert != NULL) { ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); } + ssl3_RegisterExtensionSender( ss, &ss->xtnData, ssl_tls13_pre_shared_key_xtn, tls13_ServerSendPreSharedKeyXtn); @@ -1614,9 +1606,9 @@ static SECStatus tls13_SendCertificateRequest(sslSocket *ss) { SECStatus rv; - int calen; + unsigned int calen; SECItem *names; - int nnames; + unsigned int nnames; SECItem *name; int i; PRUint8 sigSchemes[MAX_SIGNATURE_SCHEMES * 2]; @@ -1632,7 +1624,10 @@ tls13_SendCertificateRequest(sslSocket *ss) return rv; } - ssl3_GetCertificateRequestCAs(ss, &calen, &names, &nnames); + rv = ssl_GetCertificateRequestCAs(ss, &calen, &names, &nnames); + if (rv != SECSuccess) { + return rv; + } length = 1 + 0 /* length byte for empty request context */ + 2 + sigSchemesLength + 2 + calen + 2; @@ -1667,10 +1662,10 @@ tls13_SendCertificateRequest(sslSocket *ss) } SECStatus -tls13_HandleHelloRetryRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +tls13_HandleHelloRetryRequest(sslSocket *ss, PRUint8 *b, PRUint32 length) { SECStatus rv; - PRInt32 tmp; + PRUint32 tmp; SSL3ProtocolVersion version; SSL_TRC(3, ("%d: TLS13[%d]: handle hello retry request", 
@@ -1700,9 +1695,13 @@ tls13_HandleHelloRetryRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) } if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) { - /* Oh well, back to the start. */ - tls13_SetNullCipherSpec(ss, &ss->ssl3.cwSpec); ss->ssl3.hs.zeroRttState = ssl_0rtt_ignored; + /* Restore the null cipher spec for writing. */ + ssl_GetSpecWriteLock(ss); + tls13_CipherSpecRelease(ss->ssl3.cwSpec); + ss->ssl3.cwSpec = ss->ssl3.crSpec; + PORT_Assert(ss->ssl3.cwSpec->cipher_def->cipher == cipher_null); + ssl_ReleaseSpecWriteLock(ss); } else { PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_none); } @@ -1719,8 +1718,8 @@ tls13_HandleHelloRetryRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) } /* Extensions. */ - tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); - if (tmp < 0) { + rv = ssl3_ConsumeHandshakeNumber(ss, &tmp, 2, &b, &length); + if (rv != SECSuccess) { return SECFailure; /* error code already set */ } /* Extensions must be non-empty and use the remainder of the message. @@ -1752,13 +1751,13 @@ tls13_HandleHelloRetryRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) } static SECStatus -tls13_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +tls13_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, PRUint32 length) { SECStatus rv; TLS13CertificateRequest *certRequest = NULL; SECItem context = { siBuffer, NULL, 0 }; PLArenaPool *arena; - PRInt32 extensionsLength; + SECItem extensionsData = { siBuffer, NULL, 0 }; SSL_TRC(3, ("%d: TLS13[%d]: handle certificate_request sequence", SSL_GETPID(), ss->fd)); @@ -1805,7 +1804,7 @@ tls13_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) &certRequest->signatureSchemes, &certRequest->signatureSchemeCount, &b, &length); - if (rv != SECSuccess) { + if (rv != SECSuccess || certRequest->signatureSchemeCount == 0) { FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST, decode_error); goto loser; 
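Review bot: The restore in tls13_HandleHelloRetryRequest releases `ss->ssl3.cwSpec` and then aliases it to `ss->ssl3.crSpec` without taking a reference, whereas the code this commit removes (tls13_SetNullCipherSpec, and the `tls13_CipherSpecAddRef(ss->ssl3.hs.nullSpec)` calls in tls13_HandleClientHelloPart2 and tls13_MaybeDo0RTTHandshake) paired every extra pointer to the null spec with an AddRef. If specs are counted per holder, cwSpec and crSpec now share a single reference and the first tls13_CipherSpecRelease of either could free a spec the other still points to; if the initial null spec is instead not counted per holder, a comment at the assignment such as `/* The null spec is owned by the socket; no per-holder reference is taken. */` would save the next reader the same question. tls13_CipherSpecRelease is not in this diff, so this is a question rather than a confirmed defect. The function continues past the end of the hunk.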
@@ -1816,14 +1815,16 @@ tls13_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) if (rv != SECSuccess) goto loser; /* alert already sent */ - /* Verify that the extensions length is correct. */ - extensionsLength = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); - if (extensionsLength < 0) { - goto loser; /* alert already sent */ + /* Verify that the extensions are sane. */ + rv = ssl3_ConsumeHandshakeVariable(ss, &extensionsData, 2, &b, &length); + if (rv != SECSuccess) { + goto loser; } - if (extensionsLength != length) { - FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST, - illegal_parameter); + + /* Process all the extensions (note: currently a no-op). */ + rv = ssl3_HandleExtensions(ss, &extensionsData.data, &extensionsData.len, + certificate_request); + if (rv != SECSuccess) { goto loser; } @@ -2327,7 +2328,7 @@ tls13_HandleCertificateEntry(sslSocket *ss, SECItem *data, PRBool first, * Caller must hold Handshake and RecvBuf locks. */ static SECStatus -tls13_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +tls13_HandleCertificate(sslSocket *ss, PRUint8 *b, PRUint32 length) { SECStatus rv; SECItem context = { siBuffer, NULL, 0 }; @@ -2758,7 +2759,7 @@ tls13_SetCipherSpec(sslSocket *ss, TrafficKeyType type, if ((*specp)->epoch == PR_UINT16_MAX) { return SECFailure; } - spec->epoch = (*specp)->epoch + 1; + spec->epoch = (PRUint16)type; if (!IS_DTLS(ss)) { spec->read_seq_num = spec->write_seq_num = 0; @@ -2770,6 +2771,11 @@ tls13_SetCipherSpec(sslSocket *ss, TrafficKeyType type, dtls_InitRecvdRecords(&spec->recvdRecords); } + if (type == TrafficKeyEarlyApplicationData) { + spec->earlyDataRemaining = + ss->sec.ci.sid->u.ssl3.locked.sessionTicket.max_early_data_size; + } + /* Now that we've set almost everything up, finally cut over. */ ssl_GetSpecWriteLock(ss); tls13_CipherSpecRelease(*specp); /* May delete old cipher. */ 
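Review bot: With `spec->epoch = (PRUint16)type;` the preceding guard `if ((*specp)->epoch == PR_UINT16_MAX) { return SECFailure; }` in tls13_SetCipherSpec no longer protects anything, since the epoch is now a small enum value rather than an incrementing counter; it should be removed or replaced by an assertion that `type` is greater than the current epoch so that a regression to a lower epoch is caught. The new `spec->earlyDataRemaining = ss->sec.ci.sid->u.ssl3.locked.sessionTicket.max_early_data_size;` dereferences `ss->sec.ci.sid` unconditionally for TrafficKeyEarlyApplicationData and reads a field under a member named `locked` without visibly holding a lock; both presumably hold (early data implies a resumption sid), but a one-line comment stating that invariant would help. tls13_SetCipherSpec starts and ends outside these hunks.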
@@ -2781,6 +2787,10 @@ tls13_SetCipherSpec(sslSocket *ss, TrafficKeyType type, spec->phase, spec->epoch, direction == CipherSpecRead ? "read" : "write")); + if (ss->ssl3.changedCipherSpecFunc) { + ss->ssl3.changedCipherSpecFunc(ss->ssl3.changedCipherSpecArg, + direction == CipherSpecWrite, spec); + } return SECSuccess; } @@ -2929,6 +2939,7 @@ tls13_WriteNonce(ssl3KeyMaterial *keys, for (i = 0; i < 8; ++i) { nonce[4 + i] ^= seqNumBuf[i]; } + PRINT_BUF(50, (NULL, "Nonce", nonce, nonceLen)); } /* Implement the SSLAEADCipher interface defined in sslimpl.h. @@ -3015,10 +3026,10 @@ tls13_ChaCha20Poly1305(ssl3KeyMaterial *keys, PRBool doDecrypt, } static SECStatus -tls13_HandleEncryptedExtensions(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +tls13_HandleEncryptedExtensions(sslSocket *ss, PRUint8 *b, PRUint32 length) { SECStatus rv; - PRInt32 innerLength; + PRUint32 innerLength; SECItem oldNpn = { siBuffer, NULL, 0 }; PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); @@ -3033,8 +3044,8 @@ tls13_HandleEncryptedExtensions(sslSocket *ss, SSL3Opaque *b, PRUint32 length) return SECFailure; } - innerLength = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); - if (innerLength < 0) { + rv = ssl3_ConsumeHandshakeNumber(ss, &innerLength, 2, &b, &length); + if (rv != SECSuccess) { return SECFailure; /* Alert already sent. */ } if (innerLength != length) { @@ -3227,7 +3238,7 @@ done: * Caller must hold Handshake and RecvBuf locks. */ SECStatus -tls13_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, +tls13_HandleCertificateVerify(sslSocket *ss, PRUint8 *b, PRUint32 length, SSL3Hashes *hashes) { SECItem signed_hash = { siBuffer, NULL, 0 }; 
@@ -3286,16 +3297,7 @@ tls13_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, /* Set the auth type. */ if (!ss->sec.isServer) { - switch (ssl_SignatureSchemeToKeyType(sigScheme)) { - case rsaKey: - ss->sec.authType = ssl_auth_rsa_sign; - break; - case ecKey: - ss->sec.authType = ssl_auth_ecdsa; - break; - default: - PORT_Assert(PR_FALSE); - } + ss->sec.authType = ssl_SignatureSchemeToAuthType(sigScheme); } /* Request a client certificate now if one was requested. */ @@ -3477,7 +3479,7 @@ tls13_SendFinished(sslSocket *ss, PK11SymKey *baseKey) static SECStatus tls13_VerifyFinished(sslSocket *ss, SSL3HandshakeType message, PK11SymKey *secret, - SSL3Opaque *b, PRUint32 length, + PRUint8 *b, PRUint32 length, const SSL3Hashes *hashes) { SECStatus rv; @@ -3515,7 +3517,7 @@ tls13_VerifyFinished(sslSocket *ss, SSL3HandshakeType message, } static SECStatus -tls13_ClientHandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, +tls13_ClientHandleFinished(sslSocket *ss, PRUint8 *b, PRUint32 length, const SSL3Hashes *hashes) { SECStatus rv; @@ -3542,7 +3544,7 @@ tls13_ClientHandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, } static SECStatus -tls13_ServerHandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, +tls13_ServerHandleFinished(sslSocket *ss, PRUint8 *b, PRUint32 length, const SSL3Hashes *hashes) { SECStatus rv; 
@@ -3715,17 +3717,10 @@ tls13_SendClientSecondRound(sslSocket *ss) return SECWouldBlock; } - if (ss->ssl3.hs.zeroRttState != ssl_0rtt_none) { - if (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) { - rv = tls13_SendEndOfEarlyData(ss); - if (rv != SECSuccess) { - return SECFailure; /* Error code already set. */ - } - } - if (IS_DTLS(ss) && !ss->ssl3.hs.helloRetry) { - /* Reset the counters so that the next epoch isn't set - * incorrectly. */ - tls13_SetNullCipherSpec(ss, &ss->ssl3.cwSpec); + if (ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) { + rv = tls13_SendEndOfEarlyData(ss); + if (rv != SECSuccess) { + return SECFailure; /* Error code already set. */ } } @@ -3787,7 +3782,7 @@ tls13_SendClientSecondRound(sslSocket *ss) * } NewSessionTicket; */ -#define MAX_EARLY_DATA_SIZE (2 << 16) /* Arbitrary limit. */ +PRUint32 ssl_max_early_data_size = (2 << 16); /* Arbitrary limit. */ SECStatus tls13_SendNewSessionTicket(sslSocket *ss) @@ -3802,7 +3797,7 @@ tls13_SendNewSessionTicket(sslSocket *ss) ticket.flags |= ticket_allow_early_data; max_early_data_size_len = 8; /* type + len + value. */ } - ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT; + ticket.ticket_lifetime_hint = ssl_ticket_lifetime; rv = ssl3_EncodeSessionTicket(ss, &ticket, &ticket_data); if (rv != SECSuccess) @@ -3821,7 +3816,7 @@ tls13_SendNewSessionTicket(sslSocket *ss) goto loser; /* This is a fixed value. */ - rv = ssl3_AppendHandshakeNumber(ss, TLS_EX_SESS_TICKET_LIFETIME_HINT, 4); + rv = ssl3_AppendHandshakeNumber(ss, ssl_ticket_lifetime, 4); if (rv != SECSuccess) goto loser; @@ -3857,7 +3852,7 @@ tls13_SendNewSessionTicket(sslSocket *ss) if (rv != SECSuccess) goto loser; - rv = ssl3_AppendHandshakeNumber(ss, MAX_EARLY_DATA_SIZE, 4); + rv = ssl3_AppendHandshakeNumber(ss, ssl_max_early_data_size, 4); if (rv != SECSuccess) goto loser; } 
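Review bot: `PRUint32 ssl_max_early_data_size = (2 << 16);` turns a compile-time limit into writable process-global state with external linkage, and it is the value the server advertises in NewSessionTicket (`ssl3_AppendHandshakeNumber(ss, ssl_max_early_data_size, 4)`), i.e. the amount of replayable 0-RTT data a resumed client is permitted to send. If it exists only so tests can lower it, a comment saying so and, if nothing outside this file references it, `static` would keep it from becoming an accidental tuning knob; `(2 << 16)` is also easy to misread as 64 KiB when it is 131072, so `131072 /* 128 KiB, arbitrary */` would be clearer. Whether the symbol is referenced elsewhere cannot be determined from this diff.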
@@ -3873,10 +3868,9 @@ loser: } static SECStatus -tls13_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length) +tls13_HandleNewSessionTicket(sslSocket *ss, PRUint8 *b, PRUint32 length) { SECStatus rv; - PRInt32 tmp; PRUint32 utmp; NewSessionTicket ticket = { 0 }; SECItem data; @@ -3896,14 +3890,14 @@ tls13_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length) return SECFailure; } - ticket.received_timestamp = ssl_Time(); - tmp = ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length); - if (tmp < 0) { + ticket.received_timestamp = PR_Now(); + rv = ssl3_ConsumeHandshakeNumber(ss, &ticket.ticket_lifetime_hint, 4, &b, + &length); + if (rv != SECSuccess) { FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, decode_error); return SECFailure; } - ticket.ticket_lifetime_hint = (PRUint32)tmp; ticket.ticket.type = siBuffer; rv = ssl3_ConsumeHandshake(ss, &utmp, sizeof(utmp), @@ -4042,7 +4036,8 @@ tls13_ExtensionAllowed(PRUint16 extension, SSL3HandshakeType message) (message == hello_retry_request) || (message == encrypted_extensions) || (message == new_session_ticket) || - (message == certificate)); + (message == certificate) || + (message == certificate_request)); for (i = 0; i < PR_ARRAY_SIZE(KnownExtensions); i++) { if (KnownExtensions[i].ex_value == extension) 
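Review bot: `ticket.ticket_lifetime_hint` is now taken straight from the wire in tls13_HandleNewSessionTicket with no upper bound, and that value feeds the ticket validity check (ssl_TicketTimeValid, used from tls13_SetupClientHello earlier in this diff) that decides whether a ticket may still be used for resumption and 0-RTT. TLS 1.3 caps ticket_lifetime at 604800 seconds and requires clients not to use a ticket beyond that, so unless the clamp lives in ssl_TicketTimeValid (not visible here) the client will honour an arbitrarily long server-chosen lifetime; a clamp such as `ticket.ticket_lifetime_hint = PR_MIN(ticket.ticket_lifetime_hint, 604800);` or a comment pointing at where the bound is enforced would close that. The function continues outside the hunk.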
@@ -4102,11 +4097,33 @@ tls13_FormatAdditionalData(PRUint8 *aad, unsigned int length,
 PORT_Assert((ptr - aad) == length);
 }
+PRInt32
+tls13_LimitEarlyData(sslSocket *ss, SSL3ContentType type, PRInt32 toSend)
+{
+ PRInt32 reduced;
+
+ PORT_Assert(type == content_application_data);
+ PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3);
+ PORT_Assert(!ss->firstHsDone);
+ if (ss->ssl3.cwSpec->epoch != TrafficKeyEarlyApplicationData) {
+ return toSend;
+ }
+
+ if (IS_DTLS(ss) && toSend > ss->ssl3.cwSpec->earlyDataRemaining) {
+ /* Don't split application data records in DTLS. */
+ return 0;
+ }
+
+ reduced = PR_MIN(toSend, ss->ssl3.cwSpec->earlyDataRemaining);
+ ss->ssl3.cwSpec->earlyDataRemaining -= reduced;
+ return reduced;
+}
+
 SECStatus
 tls13_ProtectRecord(sslSocket *ss,
 ssl3CipherSpec *cwSpec,
 SSL3ContentType type,
- const SSL3Opaque *pIn,
+ const PRUint8 *pIn,
 PRUint32 contentLen,
 sslBuffer *wrBuf)
 {
@@ -4253,6 +4270,17 @@ tls13_UnprotectRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *plaintext
 cText->type = plaintext->buf[plaintext->len - 1];
 --plaintext->len;
+ /* Check that we haven't received too much 0-RTT data. */
+ if (crSpec->epoch == TrafficKeyEarlyApplicationData &&
+ cText->type == content_application_data) {
+ if (plaintext->len > crSpec->earlyDataRemaining) {
+ *alert = unexpected_message;
+ PORT_SetError(SSL_ERROR_TOO_MUCH_EARLY_DATA);
+ return SECFailure;
+ }
+ crSpec->earlyDataRemaining -= plaintext->len;
+ }
+
 SSL_TRC(10, ("%d: TLS13[%d]: %s received record of length=%d type=%d", SSL_GETPID(), ss->fd, SSL_ROLE(ss),
@@ -4288,7 +4316,7 @@ tls13_ClientAllow0Rtt(const sslSocket *ss, const sslSessionID *sid)
 return PR_FALSE;
 if ((sid->u.ssl3.locked.sessionTicket.flags & ticket_allow_early_data) == 0)
 return PR_FALSE;
- return tls13_AlpnTagAllowed(ss, &sid->u.ssl3.alpnSelection);
+ return ssl_AlpnTagAllowed(ss, &sid->u.ssl3.alpnSelection);
 }
 SECStatus
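Review bot: tls13_LimitEarlyData mixes the signed `PRInt32 toSend` with `ss->ssl3.cwSpec->earlyDataRemaining`, whose type is not visible here but which is assigned from `max_early_data_size` and compared against `plaintext->len` in the second hunk, so it is presumably unsigned; in `toSend > ss->ssl3.cwSpec->earlyDataRemaining` and `PR_MIN(toSend, ...)` a negative `toSend` would then be promoted and treated as a very large value, and the assignment to `PRInt32 reduced` would truncate. Adding `PORT_Assert(toSend >= 0);` beside the existing assertions, and documenting the budget where the field is declared, e.g. `/* Remaining 0-RTT application-data plaintext budget, from the advertised max_early_data_size; excludes the inner content-type byte. */`, would make the contract checkable. The receive-side check in tls13_UnprotectRecord counts only content_application_data plaintext after the content-type byte is stripped, which matches what the server advertises.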
@@ -4317,15 +4345,8 @@ tls13_MaybeDo0RTTHandshake(sslSocket *ss) return rv; } - /* Null spec... */ - ssl_GetSpecReadLock(ss); - ss->ssl3.hs.nullSpec = ss->ssl3.cwSpec; - tls13_CipherSpecAddRef(ss->ssl3.hs.nullSpec); - ssl_ReleaseSpecReadLock(ss); - /* Cipher suite already set in tls13_SetupClientHello. */ - ss->ssl3.hs.preliminaryInfo = 0; /* TODO(ekr@rtfm.com) Fill this in. - * bug 1281255. */ + ss->ssl3.hs.preliminaryInfo = 0; rv = tls13_DeriveSecret(ss, ss->ssl3.hs.currentSecret, kHkdfLabelClient, @@ -4366,21 +4387,6 @@ tls13_Read0RttData(sslSocket *ss, void *buf, PRInt32 len) return len; } -/* 0-RTT data will be followed by a different cipher spec; this resets the - * current spec to the null spec so that the following state can be set as - * though 0-RTT didn't happen. TODO: work out if this is the best plan. */ -static void -tls13_SetNullCipherSpec(sslSocket *ss, ssl3CipherSpec **specp) -{ - PORT_Assert(ss->ssl3.hs.nullSpec); - - ssl_GetSpecWriteLock(ss); - tls13_CipherSpecRelease(*specp); - *specp = ss->ssl3.hs.nullSpec; - ssl_ReleaseSpecWriteLock(ss); - ss->ssl3.hs.nullSpec = NULL; -} - static SECStatus tls13_SendEndOfEarlyData(sslSocket *ss) { @@ -4413,11 +4419,6 @@ tls13_HandleEndOfEarlyData(sslSocket *ss) PORT_Assert(TLS13_IN_HS_STATE(ss, ss->opt.requestCertificate ? wait_client_cert : wait_finished)); - if (IS_DTLS(ss)) { - /* Reset the cipher spec so that the epoch counter is properly reset. */ - tls13_SetNullCipherSpec(ss, &ss->ssl3.crSpec); - } - rv = tls13_SetCipherSpec(ss, TrafficKeyHandshake, CipherSpecRead, PR_FALSE); if (rv != SECSuccess) { diff --git a/security/nss/lib/ssl/tls13con.h b/security/nss/lib/ssl/tls13con.h index c39c62a69f..92eb545b00 100644 --- a/security/nss/lib/ssl/tls13con.h +++ b/security/nss/lib/ssl/tls13con.h 
@@ -45,6 +45,7 @@ void tls13_FatalError(sslSocket *ss, PRErrorCode prError, SSL3AlertDescription desc); SECStatus tls13_SetupClientHello(sslSocket *ss); SECStatus tls13_MaybeDo0RTTHandshake(sslSocket *ss); +PRInt32 tls13_LimitEarlyData(sslSocket *ss, SSL3ContentType type, PRInt32 toSend); PRBool tls13_AllowPskCipher(const sslSocket *ss, const ssl3CipherSuiteDef *cipher_def); PRBool tls13_PskSuiteEnabled(sslSocket *ss); @@ -56,10 +57,10 @@ SECStatus tls13_HandleClientHelloPart2(sslSocket *ss, const SECItem *suites, sslSessionID *sid); SECStatus tls13_HandleServerHelloPart2(sslSocket *ss); -SECStatus tls13_HandlePostHelloHandshakeMessage(sslSocket *ss, SSL3Opaque *b, +SECStatus tls13_HandlePostHelloHandshakeMessage(sslSocket *ss, PRUint8 *b, PRUint32 length, SSL3Hashes *hashesPtr); -SECStatus tls13_HandleHelloRetryRequest(sslSocket *ss, SSL3Opaque *b, +SECStatus tls13_HandleHelloRetryRequest(sslSocket *ss, PRUint8 *b, PRUint32 length); void tls13_DestroyKeyShareEntry(TLS13KeyShareEntry *entry); void tls13_DestroyKeyShares(PRCList *list); @@ -72,7 +73,7 @@ PRBool tls13_ExtensionAllowed(PRUint16 extension, SSL3HandshakeType message); SECStatus tls13_ProtectRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, SSL3ContentType type, - const SSL3Opaque *pIn, + const PRUint8 *pIn, PRUint32 contentLen, sslBuffer *wrBuf); PRInt32 tls13_Read0RttData(sslSocket *ss, void *buf, PRInt32 len); diff --git a/security/nss/lib/ssl/tls13exthandle.c b/security/nss/lib/ssl/tls13exthandle.c index be93b97db4..c2ce390fff 100644 --- a/security/nss/lib/ssl/tls13exthandle.c +++ b/security/nss/lib/ssl/tls13exthandle.c 
@@ -208,13 +208,13 @@ static SECStatus tls13_HandleKeyShareEntry(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data) { SECStatus rv; - PRInt32 group; + PRUint32 group; const sslNamedGroupDef *groupDef; TLS13KeyShareEntry *ks = NULL; SECItem share = { siBuffer, NULL, 0 }; - group = ssl3_ExtConsumeHandshakeNumber(ss, 2, &data->data, &data->len); - if (group < 0) { + rv = ssl3_ExtConsumeHandshakeNumber(ss, &group, 2, &data->data, &data->len); + if (rv != SECSuccess) { PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE); goto loser; } @@ -256,11 +256,10 @@ tls13_ClientHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, PR PORT_Assert(PR_CLIST_IS_EMPTY(&xtnData->remoteKeyShares)); PORT_Assert(!ss->sec.isServer); + + /* The server must not send this extension when negotiating < TLS 1.3. */ if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { - /* This can't happen because the extension processing - * code filters out TLS 1.3 extensions when not in - * TLS 1.3 mode. */ - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION); return SECFailure; } @@ -285,7 +284,7 @@ SECStatus tls13_ClientHandleKeyShareXtnHrr(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data) { SECStatus rv; - PRInt32 tmp; + PRUint32 tmp; const sslNamedGroupDef *group; PORT_Assert(!ss->sec.isServer); @@ -294,8 +293,8 @@ tls13_ClientHandleKeyShareXtnHrr(const sslSocket *ss, TLSExtensionData *xtnData, SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension in HRR", SSL_GETPID(), ss->fd)); - tmp = ssl3_ExtConsumeHandshakeNumber(ss, 2, &data->data, &data->len); - if (tmp < 0) { + rv = ssl3_ExtConsumeHandshakeNumber(ss, &tmp, 2, &data->data, &data->len); + if (rv != SECSuccess) { return SECFailure; /* error code already set */ } if (data->len) { 
@@ -335,7 +334,7 @@ SECStatus tls13_ServerHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data) { SECStatus rv; - PRInt32 length; + PRUint32 length; PORT_Assert(ss->sec.isServer); PORT_Assert(PR_CLIST_IS_EMPTY(&xtnData->remoteKeyShares)); @@ -349,9 +348,9 @@ tls13_ServerHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData, PR /* Redundant length because of TLS encoding (this vector consumes * the entire extension.) */ - length = ssl3_ExtConsumeHandshakeNumber(ss, 2, &data->data, - &data->len); - if (length < 0) + rv = ssl3_ExtConsumeHandshakeNumber(ss, &length, 2, &data->data, + &data->len); + if (rv != SECSuccess) goto loser; if (length != data->len) { /* Check for consistency */ @@ -487,7 +486,7 @@ tls13_ClientSendPreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, if (append) { SECStatus rv; - PRUint32 age; + PRTime age; unsigned int prefixLength; PRUint8 binder[TLS13_MAX_FINISHED_SIZE]; unsigned int binderLen; @@ -508,7 +507,8 @@ tls13_ClientSendPreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, goto loser; /* Obfuscated age. */ - age = ssl_Time() - session_ticket->received_timestamp; + age = PR_Now() - session_ticket->received_timestamp; + age /= PR_USEC_PER_MSEC; age += session_ticket->ticket_age_add; rv = ssl3_ExtAppendHandshakeNumber(ss, age, 4); if (rv != SECSuccess) 
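Review bot: The obfuscated age in tls13_ClientSendPreSharedKeyXtn is now a PRTime (signed 64-bit) handed to `ssl3_ExtAppendHandshakeNumber(ss, age, 4)` and narrowed implicitly; the mod-2^32 wrap is exactly what the obfuscated_ticket_age field wants, but that intent is invisible, and a clock that steps backwards makes `age` negative before the wrap. I'd make it explicit: `rv = ssl3_ExtAppendHandshakeNumber(ss, (PRUint32)age, 4); /* mod 2^32, as the spec requires */`. Switching from ssl_Time() to PR_Now() and dividing by PR_USEC_PER_MSEC also changes the unit `received_timestamp` must be stored in (PR_Now() microseconds now); the code that records it when the ticket arrives is not in this hunk, so confirm it was moved in the same change. The enclosing function continues past the hunk.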
@@ -684,18 +684,20 @@ SECStatus tls13_ClientHandlePreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data) { - PRInt32 index; + PRUint32 index; + SECStatus rv; SSL_TRC(3, ("%d: SSL3[%d]: handle pre_shared_key extension", SSL_GETPID(), ss->fd)); - /* If we are doing < TLS 1.3, then ignore this. */ + /* The server must not send this extension when negotiating < TLS 1.3. */ if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { - return SECSuccess; + PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION); + return SECFailure; } - index = ssl3_ExtConsumeHandshakeNumber(ss, 2, &data->data, &data->len); - if (index < 0) + rv = ssl3_ExtConsumeHandshakeNumber(ss, &index, 2, &data->data, &data->len); + if (rv != SECSuccess) return SECFailure; /* This should be the end of the extension. */ @@ -746,10 +748,10 @@ tls13_ClientSendEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, rv = ssl3_ExtAppendHandshakeNumber(ss, 0, 2); if (rv != SECSuccess) return -1; - } - xtnData->advertised[xtnData->numAdvertised++] = - ssl_tls13_early_data_xtn; + xtnData->advertised[xtnData->numAdvertised++] = + ssl_tls13_early_data_xtn; + } return extension_length; } @@ -766,6 +768,12 @@ tls13_ServerHandleEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, P return SECSuccess; } + if (ss->ssl3.hs.helloRetry) { + ssl3_ExtSendAlert(ss, alert_fatal, unsupported_extension); + PORT_SetError(SSL_ERROR_RX_UNEXPECTED_EXTENSION); + return SECFailure; + } + if (data->len) { PORT_SetError(SSL_ERROR_MALFORMED_EARLY_DATA); return SECFailure; 
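Review bot: tls13_ServerHandleEarlyDataXtn now rejects early_data in a ClientHello that follows a HelloRetryRequest, as TLS 1.3 requires the client to drop it from the retried hello, but it does so with unsupported_extension — the alert TLS 1.3 reserves for an extension the peer never offered — whereas a retried ClientHello that breaks the retry rules is normally answered with illegal_parameter; worth checking against the draft this code targets and, if kept, explaining in a comment. The helloRetry test also precedes the `data->len` check, so a malformed early_data after HRR reports SSL_ERROR_RX_UNEXPECTED_EXTENSION rather than SSL_ERROR_MALFORMED_EARLY_DATA; that is fine, and a one-liner `/* Any early_data after HRR is an error regardless of its contents. */` would stop someone reordering the checks. The enclosing function continues past the hunk.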
@@ -814,7 +822,7 @@ tls13_ClientHandleEarlyDataXtn(const sslSocket *ss, TLSExtensionData *xtnData, P SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension", SSL_GETPID(), ss->fd)); - /* If we are doing < TLS 1.3, then ignore this. */ + /* The server must not send this extension when negotiating < TLS 1.3. */ if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION); return SECFailure; @@ -841,7 +849,7 @@ tls13_ClientHandleTicketEarlyDataInfoXtn(const sslSocket *ss, TLSExtensionData * SSL_TRC(3, ("%d: TLS13[%d]: handle early_data_info extension", SSL_GETPID(), ss->fd)); - /* If we are doing < TLS 1.3, then ignore this. */ + /* The server must not send this extension when negotiating < TLS 1.3. */ if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { PORT_SetError(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION); return SECFailure; @@ -912,6 +920,9 @@ tls13_ClientSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnD if (rv != SECSuccess) return -1; } + + xtnData->advertised[xtnData->numAdvertised++] = + ssl_tls13_supported_versions_xtn; } return extensions_len; @@ -1091,6 +1102,13 @@ tls13_SendShortHeaderXtn(const sslSocket *ss, return 0; } + /* Don't send this if TLS 1.3 isn't at least possible. */ + if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) { + /* This should only happen on the client. */ + PORT_Assert(!ss->sec.isServer); + return 0; + } + SSL_TRC(3, ("%d: TLS13[%d]: send short_header extension", SSL_GETPID(), ss->fd)); @@ -1122,10 +1140,10 @@ tls13_HandleShortHeaderXtn( const sslSocket *ss, TLSExtensionData *xtnData, PRUint16 ex_type, SECItem *data) { - SSL_TRC(3, ("%d: TLS13[%d]: handle early_data extension", + SSL_TRC(3, ("%d: TLS13[%d]: handle short_header extension", SSL_GETPID(), ss->fd)); - /* If we are doing < TLS 1.3, then ignore this. */ + /* The client might have asked for this, but we didn't negotiate TLS 1.3. */ if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { return SECSuccess; } 
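Review bot: tls13_ClientSendSupportedVersionsXtn now records itself in `xtnData->advertised[xtnData->numAdvertised++]`, one more entry than before, and neither store site in this diff bound-checks that index; if `advertised` is a fixed-size array (its declaration is not in this diff) its size must have grown with this commit, or a client with every extension enabled writes past it. A `PORT_Assert(xtnData->numAdvertised < PR_ARRAY_SIZE(xtnData->advertised));` before the store would catch that in debug builds. The enclosing function continues past the hunk.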
diff --git a/security/nss/lib/util/ciferfam.h b/security/nss/lib/util/ciferfam.h index 559e92f1df..68caa4f8bb 100644 --- a/security/nss/lib/util/ciferfam.h +++ b/security/nss/lib/util/ciferfam.h @@ -52,6 +52,9 @@ #define PKCS12_RC4_128 (CIPHER_FAMILYID_PKCS12 | 0012) #define PKCS12_DES_56 (CIPHER_FAMILYID_PKCS12 | 0021) #define PKCS12_DES_EDE3_168 (CIPHER_FAMILYID_PKCS12 | 0022) +#define PKCS12_AES_CBC_128 (CIPHER_FAMILYID_PKCS12 | 0031) +#define PKCS12_AES_CBC_192 (CIPHER_FAMILYID_PKCS12 | 0032) +#define PKCS12_AES_CBC_256 (CIPHER_FAMILYID_PKCS12 | 0033) /* SMIME version numbers are negative, to avoid colliding with SSL versions */ #define SMIME_LIBRARY_VERSION_1_0 -0x0100 diff --git a/security/nss/lib/util/exports.gyp b/security/nss/lib/util/exports.gyp index eb220d2db7..9ed0c1685a 100644 --- a/security/nss/lib/util/exports.gyp +++ b/security/nss/lib/util/exports.gyp @@ -30,6 +30,7 @@ 'pkcs11p.h', 'pkcs11t.h', 'pkcs11u.h', + 'pkcs11uri.h', 'pkcs1sig.h', 'portreg.h', 'secasn1.h', diff --git a/security/nss/lib/util/manifest.mn b/security/nss/lib/util/manifest.mn index f0a9fd0f2d..b33a2049d5 100644 --- a/security/nss/lib/util/manifest.mn +++ b/security/nss/lib/util/manifest.mn @@ -41,6 +41,7 @@ EXPORTS = \ utilrename.h \ utilpars.h \ utilparst.h \ + pkcs11uri.h \ $(NULL) PRIVATE_EXPORTS = \ @@ -76,6 +77,7 @@ CSRCS = \ utf8.c \ utilmod.c \ utilpars.c \ + pkcs11uri.c \ $(NULL) MODULE = nss diff --git a/security/nss/lib/util/nssb64d.c b/security/nss/lib/util/nssb64d.c index ceb0b8ca62..886ce21c04 100644 --- a/security/nss/lib/util/nssb64d.c +++ b/security/nss/lib/util/nssb64d.c @@ -704,9 +704,8 @@ NSSBase64_DecodeBuffer(PLArenaPool *arenaOpt, SECItem *outItemOpt, { SECItem *out_item = NULL; PRUint32 max_out_len = 0; - PRUint32 out_len; void *mark = NULL; - unsigned char *dummy; + unsigned char *dummy = NULL; if ((outItemOpt != NULL && outItemOpt->data != NULL) || inLen == 0) { PORT_SetError(SEC_ERROR_INVALID_ARGS); 
@@ -717,33 +716,35 @@ NSSBase64_DecodeBuffer(PLArenaPool *arenaOpt, SECItem *outItemOpt, mark = PORT_ArenaMark(arenaOpt); max_out_len = PL_Base64MaxDecodedLength(inLen); + if (max_out_len == 0) { + goto loser; + } out_item = SECITEM_AllocItem(arenaOpt, outItemOpt, max_out_len); if (out_item == NULL) { - if (arenaOpt != NULL) - PORT_ArenaRelease(arenaOpt, mark); - return NULL; + goto loser; } dummy = PL_Base64DecodeBuffer(inStr, inLen, out_item->data, - max_out_len, &out_len); + max_out_len, &out_item->len); if (dummy == NULL) { - if (arenaOpt != NULL) { - PORT_ArenaRelease(arenaOpt, mark); - if (outItemOpt != NULL) { - outItemOpt->data = NULL; - outItemOpt->len = 0; - } - } else { - SECITEM_FreeItem(out_item, - (outItemOpt == NULL) ? PR_TRUE : PR_FALSE); - } - return NULL; + goto loser; } - - if (arenaOpt != NULL) + if (arenaOpt != NULL) { PORT_ArenaUnmark(arenaOpt, mark); - out_item->len = out_len; + } return out_item; + +loser: + if (arenaOpt != NULL) { + PORT_ArenaRelease(arenaOpt, mark); + if (outItemOpt != NULL) { + outItemOpt->data = NULL; + outItemOpt->len = 0; + } + } else if (dummy == NULL) { + SECITEM_FreeItem(out_item, (PRBool)(outItemOpt == NULL)); + } + return NULL; } /* diff --git a/security/nss/lib/util/nssutil.def b/security/nss/lib/util/nssutil.def index e4a65726b6..f4b9ef7ba3 100644 --- a/security/nss/lib/util/nssutil.def +++ b/security/nss/lib/util/nssutil.def @@ -290,3 +290,20 @@ PORT_DestroyCheapArena; ;+ local: ;+ *; ;+}; +;+NSSUTIL_3.25 { # NSS Utilities 3.25 release +;+ global: +SEC_ASN1DecoderSetMaximumElementSize; +;+ local: +;+ *; +;+}; +;+NSSUTIL_3.31 { # NSS Utilities 3.31 release +;+ global: +PK11URI_CreateURI; +PK11URI_ParseURI; +PK11URI_FormatURI; +PK11URI_DestroyURI; +PK11URI_GetPathAttribute; +PK11URI_GetQueryAttribute; +;+ local: +;+ *; +;+}; diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h index bf1feae6e6..e8cb52aed9 100644 --- a/security/nss/lib/util/nssutil.h +++ b/security/nss/lib/util/nssutil.h 
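Review bot: In the new `loser:` block of NSSBase64_DecodeBuffer the `else if (dummy == NULL)` is always true — every `goto loser` is taken either before PL_Base64DecodeBuffer runs (dummy is still NULL) or because it returned NULL — so it reads like a guard but is not one; a plain `} else {` with a comment that the non-arena item must be freed says what is meant. That branch is also reached with out_item == NULL from the two early gotos, so it relies on SECITEM_FreeItem tolerating a NULL item (it does, as far as I recall), and a short comment at the label would make that dependence visible. The new `max_out_len == 0` exit also fails without setting an error code, unlike the SEC_ERROR_INVALID_ARGS path above it; `PORT_SetError(SEC_ERROR_INVALID_ARGS);` before that goto keeps PORT_GetError meaningful for callers.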
@@ -19,10 +19,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]" */ -#define NSSUTIL_VERSION "3.28.6" +#define NSSUTIL_VERSION "3.32.1" #define NSSUTIL_VMAJOR 3 -#define NSSUTIL_VMINOR 28 -#define NSSUTIL_VPATCH 6 +#define NSSUTIL_VMINOR 32 +#define NSSUTIL_VPATCH 1 #define NSSUTIL_VBUILD 0 #define NSSUTIL_BETA PR_FALSE diff --git a/security/nss/lib/util/pkcs11n.h b/security/nss/lib/util/pkcs11n.h index ebb812222d..399d656a8d 100644 --- a/security/nss/lib/util/pkcs11n.h +++ b/security/nss/lib/util/pkcs11n.h @@ -93,6 +93,8 @@ #define CKA_NSS_JPAKE_X2 (CKA_NSS + 32) #define CKA_NSS_JPAKE_X2S (CKA_NSS + 33) +#define CKA_NSS_MOZILLA_CA_POLICY (CKA_NSS + 34) + /* * Trust attributes: * @@ -222,6 +224,12 @@ #define CKM_NSS_CHACHA20_KEY_GEN (CKM_NSS + 27) #define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 28) +/* Additional PKCS #12 PBE algorithms defined in v1.1 */ +#define CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN (CKM_NSS + 29) +#define CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN (CKM_NSS + 30) +#define CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN (CKM_NSS + 31) +#define CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN (CKM_NSS + 32) + /* * HISTORICAL: * Do not attempt to use these. They are only used by NETSCAPE's internal diff --git a/security/nss/lib/util/pkcs11uri.c b/security/nss/lib/util/pkcs11uri.c new file mode 100644 index 0000000000..4534402938 --- /dev/null +++ b/security/nss/lib/util/pkcs11uri.c 
@@ -0,0 +1,833 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "pkcs11.h"
+#include "pkcs11uri.h"
+#include "plarena.h"
+#include "prprf.h"
+#include "secport.h"
+
+/* Character sets used in the ABNF rules in RFC7512. */
+#define PK11URI_DIGIT "0123456789"
+#define PK11URI_ALPHA "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
+#define PK11URI_HEXDIG PK11URI_DIGIT "abcdefABCDEF"
+#define PK11URI_UNRESERVED PK11URI_ALPHA PK11URI_DIGIT "-._~"
+#define PK11URI_RES_AVAIL ":[]@!$'()*+,="
+#define PK11URI_PATH_RES_AVAIL PK11URI_RES_AVAIL "&"
+#define PK11URI_QUERY_RES_AVAIL PK11URI_RES_AVAIL "/?|"
+#define PK11URI_ATTR_NM_CHAR PK11URI_ALPHA PK11URI_DIGIT "-_"
+#define PK11URI_PCHAR PK11URI_UNRESERVED PK11URI_PATH_RES_AVAIL
+#define PK11URI_QCHAR PK11URI_UNRESERVED PK11URI_QUERY_RES_AVAIL
+
+/* Path attributes defined in RFC7512. */
+static const char *pattr_names[] = {
+ PK11URI_PATTR_TOKEN,
+ PK11URI_PATTR_MANUFACTURER,
+ PK11URI_PATTR_SERIAL,
+ PK11URI_PATTR_MODEL,
+ PK11URI_PATTR_LIBRARY_MANUFACTURER,
+ PK11URI_PATTR_LIBRARY_DESCRIPTION,
+ PK11URI_PATTR_LIBRARY_VERSION,
+ PK11URI_PATTR_OBJECT,
+ PK11URI_PATTR_TYPE,
+ PK11URI_PATTR_ID,
+ PK11URI_PATTR_SLOT_MANUFACTURER,
+ PK11URI_PATTR_SLOT_DESCRIPTION,
+ PK11URI_PATTR_SLOT_ID
+};
+
+/* Query attributes defined in RFC7512. */
+static const char *qattr_names[] = {
+ PK11URI_QATTR_PIN_SOURCE,
+ PK11URI_QATTR_PIN_VALUE,
+ PK11URI_QATTR_MODULE_NAME,
+ PK11URI_QATTR_MODULE_PATH
+};
+
+struct PK11URIBufferStr {
+ PLArenaPool *arena;
+ char *data;
+ size_t size;
+ size_t allocated;
+};
+typedef struct PK11URIBufferStr PK11URIBuffer;
+
+struct PK11URIAttributeListEntryStr {
+ char *name;
+ char *value;
+};
+typedef struct PK11URIAttributeListEntryStr PK11URIAttributeListEntry;
+
+struct PK11URIAttributeListStr {
+ PLArenaPool *arena;
+ PK11URIAttributeListEntry *attrs;
+ size_t num_attrs;
+};
+typedef struct PK11URIAttributeListStr PK11URIAttributeList;
+
+struct PK11URIStr {
+ PLArenaPool *arena;
+
+ PK11URIAttributeList pattrs;
+ PK11URIAttributeList vpattrs;
+
+ PK11URIAttributeList qattrs;
+ PK11URIAttributeList vqattrs;
+};
+
+#define PK11URI_ARENA_SIZE 1024
+
+typedef int (*PK11URIAttributeCompareNameFunc)(const char *a, const char *b);
+
+/* This belongs in secport.h */
+#define PORT_ArenaGrowArray(poolp, oldptr, type, oldnum, newnum) \
+ (type *)PORT_ArenaGrow((poolp), (oldptr), \
+ (oldnum) * sizeof(type), (newnum) * sizeof(type))
+#define PORT_ReallocArray(oldptr, type, newnum) \
+ (type *)PORT_Realloc((oldptr), (newnum) * sizeof(type))
+
+/* Functions for resizable buffer. */
+static SECStatus
+pk11uri_AppendBuffer(PK11URIBuffer *buffer, const unsigned char *data,
+ size_t size)
+{
+ /* Check overflow. */
+ if (buffer->size + size < buffer->size)
+ return SECFailure;
+
+ if (buffer->size + size > buffer->allocated) {
+ size_t allocated = buffer->allocated * 2 + size;
+ if (allocated < buffer->allocated)
+ return SECFailure;
+ if (buffer->arena)
+ buffer->data = PORT_ArenaGrow(buffer->arena, buffer->data,
+ buffer->allocated, allocated);
+ else
+ buffer->data = PORT_Realloc(buffer->data, allocated);
+ if (buffer->data == NULL)
+ return SECFailure;
+ buffer->allocated = allocated;
+ }
+
+ memcpy(&buffer->data[buffer->size], data, size);
+ buffer->size += size;
+
+ return SECSuccess;
+}
+
+static void
+pk11uri_InitBuffer(PK11URIBuffer *buffer, PLArenaPool *arena)
+{
+ memset(buffer, 0, sizeof(PK11URIBuffer));
+ buffer->arena = arena;
+}
+
+static void
+pk11uri_DestroyBuffer(PK11URIBuffer *buffer)
+{
+ if (buffer->arena == NULL) {
+ PORT_Free(buffer->data);
+ }
+}
+
+/* URI encoding functions. */
+static char *
+pk11uri_Escape(PLArenaPool *arena, const char *value, size_t length,
+ const char *available)
+{
+ PK11URIBuffer buffer;
+ const char *p;
+ unsigned char buf[4];
+ char *result = NULL;
+ SECStatus ret;
+
+ pk11uri_InitBuffer(&buffer, arena);
+
+ for (p = value; p < value + length; p++) {
+ if (strchr(available, *p) == NULL) {
+ if (PR_snprintf((char *)buf, sizeof(buf), "%%%02X", *p) == (PRUint32)-1) {
+ goto fail;
+ }
+ ret = pk11uri_AppendBuffer(&buffer, buf, 3);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+ } else {
+ ret = pk11uri_AppendBuffer(&buffer, (const unsigned char *)p, 1);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+ }
+ }
+ buf[0] = '\0';
+ ret = pk11uri_AppendBuffer(&buffer, buf, 1);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+
+ /* Steal the memory allocated in buffer. */
+ result = buffer.data;
+ buffer.data = NULL;
+
+fail:
+ pk11uri_DestroyBuffer(&buffer);
+
+ return result;
+}
+
+static char *
+pk11uri_Unescape(PLArenaPool *arena, const char *value, size_t length)
+{
+ PK11URIBuffer buffer;
+ const char *p;
+ unsigned char buf[1];
+ char *result = NULL;
+ SECStatus ret;
+
+ pk11uri_InitBuffer(&buffer, arena);
+
+ for (p = value; p < value + length; p++) {
+ if (*p == '%') {
+ int c;
+ size_t i;
+
+ p++;
+ for (c = 0, i = 0; i < 2; i++) {
+ int h = *(p + i);
+ if ('0' <= h && h <= '9') {
+ c = (c << 4) | (h - '0');
+ } else if ('a' <= h && h <= 'f') {
+ c = (c << 4) | (h - 'a' + 10);
+ } else if ('A' <= h && h <= 'F') {
+ c = (c << 4) | (h - 'A' + 10);
+ } else {
+ break;
+ }
+ }
+ if (i != 2) {
+ goto fail;
+ }
+ p++;
+ buf[0] = c;
+ } else {
+ buf[0] = *p;
+ }
+ ret = pk11uri_AppendBuffer(&buffer, buf, 1);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+ }
+ buf[0] = '\0';
+ ret = pk11uri_AppendBuffer(&buffer, buf, 1);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+
+ result = buffer.data;
+ buffer.data = NULL;
+
+fail:
+ pk11uri_DestroyBuffer(&buffer);
+
+ return result;
+}
+
+/* Functions for manipulating attributes array. */
+
+/* Compare two attribute names by the array index in attr_names. Both
+ * attribute names must be present in attr_names, otherwise it is a
+ * programming error. */
+static int
+pk11uri_CompareByPosition(const char *a, const char *b,
+ const char **attr_names, size_t num_attr_names)
+{
+ int i, j;
+
+ for (i = 0; i < num_attr_names; i++) {
+ if (strcmp(a, attr_names[i]) == 0) {
+ break;
+ }
+ }
+ PR_ASSERT(i < num_attr_names);
+
+ for (j = 0; j < num_attr_names; j++) {
+ if (strcmp(b, attr_names[j]) == 0) {
+ break;
+ }
+ }
+ PR_ASSERT(j < num_attr_names);
+
+ return i - j;
+}
+
+/* Those pk11uri_Compare{Path,Query}AttributeName functions are used
+ * to reorder attributes when inserting. */
+static int
+pk11uri_ComparePathAttributeName(const char *a, const char *b)
+{
+ return pk11uri_CompareByPosition(a, b, pattr_names, PR_ARRAY_SIZE(pattr_names));
+}
+
+static int
+pk11uri_CompareQueryAttributeName(const char *a, const char *b)
+{
+ return pk11uri_CompareByPosition(a, b, qattr_names, PR_ARRAY_SIZE(qattr_names));
+}
+
+static SECStatus
+pk11uri_InsertToAttributeList(PK11URIAttributeList *attrs,
+ char *name, char *value,
+ PK11URIAttributeCompareNameFunc compare_name,
+ PRBool allow_duplicate)
+{
+ size_t i;
+
+ if (attrs->arena) {
+ attrs->attrs = PORT_ArenaGrowArray(attrs->arena, attrs->attrs,
+ PK11URIAttributeListEntry,
+ attrs->num_attrs,
+ attrs->num_attrs + 1);
+ } else {
+ attrs->attrs = PORT_ReallocArray(attrs->attrs,
+ PK11URIAttributeListEntry,
+ attrs->num_attrs + 1);
+ }
+ if (attrs->attrs == NULL) {
+ return SECFailure;
+ }
+
+ for (i = 0; i < attrs->num_attrs; i++) {
+ if (!allow_duplicate && strcmp(name, attrs->attrs[i].name) == 0) {
+ return SECFailure;
+ }
+ if (compare_name(name, attrs->attrs[i].name) < 0) {
+ memmove(&attrs->attrs[i + 1], &attrs->attrs[i],
+ sizeof(PK11URIAttributeListEntry) * (attrs->num_attrs - i));
+ break;
+ }
+ }
+
+ attrs->attrs[i].name = name;
+ attrs->attrs[i].value = value;
+
+ attrs->num_attrs++;
+
+ return SECSuccess;
+}
+
+static SECStatus
+pk11uri_InsertToAttributeListEscaped(PK11URIAttributeList *attrs,
+ const char *name, size_t name_size,
+ const char *value, size_t value_size,
+ PK11URIAttributeCompareNameFunc compare_name,
+ PRBool allow_duplicate)
+{
+ char *name_copy = NULL, *value_copy = NULL;
+ SECStatus ret;
+
+ if (attrs->arena) {
+ name_copy = PORT_ArenaNewArray(attrs->arena, char, name_size + 1);
+ } else {
+ name_copy = PORT_Alloc(name_size + 1);
+ }
+ if (name_copy == NULL) {
+ goto fail;
+ }
+ memcpy(name_copy, name, name_size);
+ name_copy[name_size] = '\0';
+
+ value_copy = pk11uri_Unescape(attrs->arena, value, value_size);
+ if (value_copy == NULL) {
+ goto fail;
+ }
+
+ ret = pk11uri_InsertToAttributeList(attrs, name_copy, value_copy, compare_name,
+ allow_duplicate);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+
+ return ret;
+
+fail:
+ if (attrs->arena == NULL) {
+ PORT_Free(name_copy);
+ PORT_Free(value_copy);
+ }
+
+ return SECFailure;
+}
+
+static void
+pk11uri_InitAttributeList(PK11URIAttributeList *attrs, PLArenaPool *arena)
+{
+ memset(attrs, 0, sizeof(PK11URIAttributeList));
+ attrs->arena = arena;
+}
+
+static void
+pk11uri_DestroyAttributeList(PK11URIAttributeList *attrs)
+{
+ if (attrs->arena == NULL) {
+ size_t i;
+
+ for (i = 0; i < attrs->num_attrs; i++) {
+ PORT_Free(attrs->attrs[i].name);
+ PORT_Free(attrs->attrs[i].value);
+ }
+ PORT_Free(attrs->attrs);
+ }
+}
+
+static SECStatus
+pk11uri_AppendAttributeListToBuffer(PK11URIBuffer *buffer,
+ PK11URIAttributeList *attrs,
+ int separator,
+ const char *unescaped)
+{
+ size_t i;
+ SECStatus ret;
+
+ for (i = 0; i < attrs->num_attrs; i++) {
+ unsigned char sep[1];
+ char *escaped;
+ PK11URIAttributeListEntry *attr = &attrs->attrs[i];
+
+ if (i > 0) {
+ sep[0] = separator;
+ ret = pk11uri_AppendBuffer(buffer, sep, 1);
+ if (ret != SECSuccess) {
+ return ret;
+ }
+ }
+
+ ret = pk11uri_AppendBuffer(buffer, (unsigned char *)attr->name,
+ strlen(attr->name));
+ if (ret != SECSuccess) {
+ return ret;
+ }
+
+ sep[0] = '=';
+ ret = pk11uri_AppendBuffer(buffer, sep, 1);
+ if (ret != SECSuccess) {
+ return ret;
+ }
+
+ escaped = pk11uri_Escape(buffer->arena, attr->value, strlen(attr->value),
+ unescaped);
+ if (escaped == NULL) {
+ return ret;
+ }
+ ret = pk11uri_AppendBuffer(buffer, (unsigned char *)escaped,
+ strlen(escaped));
+ if (buffer->arena == NULL) {
+ PORT_Free(escaped);
+ }
+ if (ret != SECSuccess) {
+ return ret;
+ }
+ }
+
+ return SECSuccess;
+}
+
+/* Creation of PK11URI object. */
+static PK11URI *
+pk11uri_AllocURI(void)
+{
+ PLArenaPool *arena;
+ PK11URI *result;
+
+ arena = PORT_NewArena(PK11URI_ARENA_SIZE);
+ if (arena == NULL) {
+ return NULL;
+ }
+
+ result = PORT_ArenaZAlloc(arena, sizeof(PK11URI));
+ if (result == NULL) {
+ PORT_FreeArena(arena, PR_FALSE);
+ return NULL;
+ }
+
+ result->arena = arena;
+ pk11uri_InitAttributeList(&result->pattrs, arena);
+ pk11uri_InitAttributeList(&result->vpattrs, arena);
+ pk11uri_InitAttributeList(&result->qattrs, arena);
+ pk11uri_InitAttributeList(&result->vqattrs, arena);
+
+ return result;
+}
+
+static SECStatus
+pk11uri_InsertAttributes(PK11URIAttributeList *dest_attrs,
+ PK11URIAttributeList *dest_vattrs,
+ const PK11URIAttribute *attrs,
+ size_t num_attrs,
+ const char **attr_names,
+ size_t num_attr_names,
+ PK11URIAttributeCompareNameFunc compare_name,
+ PRBool allow_duplicate,
+ PRBool vendor_allow_duplicate)
+{
+ SECStatus ret;
+ size_t i;
+
+ for (i = 0; i < num_attrs; i++) {
+ char *name, *value;
+ const char *p;
+ size_t j;
+
+ p = attrs[i].name;
+
+ /* The attribute must not be empty. */
+ if (*p == '\0') {
+ return SECFailure;
+ }
+
+ /* Check that the name doesn't contain invalid character. */
+ for (; *p != '\0'; p++) {
+ if (strchr(PK11URI_ATTR_NM_CHAR, *p) == NULL) {
+ return SECFailure;
+ }
+ }
+
+ name = PORT_ArenaStrdup(dest_attrs->arena, attrs[i].name);
+ if (name == NULL) {
+ return SECFailure;
+ }
+
+ value = PORT_ArenaStrdup(dest_attrs->arena, attrs[i].value);
+ if (value == NULL) {
+ return SECFailure;
+ }
+
+ for (j = 0; j < num_attr_names; j++) {
+ if (strcmp(name, attr_names[j]) == 0) {
+ break;
+ }
+ }
+ if (j < num_attr_names) {
+ /* Named attribute. */
+ ret = pk11uri_InsertToAttributeList(dest_attrs,
+ name, value,
+ compare_name,
+ allow_duplicate);
+ if (ret != SECSuccess) {
+ return ret;
+ }
+ } else {
+ /* Vendor attribute. */
+ ret = pk11uri_InsertToAttributeList(dest_vattrs,
+ name, value,
+ strcmp,
+ vendor_allow_duplicate);
+ if (ret != SECSuccess) {
+ return ret;
+ }
+ }
+ }
+
+ return SECSuccess;
+}
+
+PK11URI *
+PK11URI_CreateURI(const PK11URIAttribute *pattrs,
+ size_t num_pattrs,
+ const PK11URIAttribute *qattrs,
+ size_t num_qattrs)
+{
+ PK11URI *result;
+ SECStatus ret;
+
+ result = pk11uri_AllocURI();
+
+ ret = pk11uri_InsertAttributes(&result->pattrs, &result->vpattrs,
+ pattrs, num_pattrs,
+ pattr_names, PR_ARRAY_SIZE(pattr_names),
+ pk11uri_ComparePathAttributeName,
+ PR_FALSE, PR_FALSE);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+
+ ret = pk11uri_InsertAttributes(&result->qattrs, &result->vqattrs,
+ qattrs, num_qattrs,
+ qattr_names, PR_ARRAY_SIZE(qattr_names),
+ pk11uri_CompareQueryAttributeName,
+ PR_FALSE, PR_TRUE);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+
+ return result;
+
+fail:
+ PK11URI_DestroyURI(result);
+
+ return NULL;
+}
+
+/* Parsing. */
+static SECStatus
+pk11uri_ParseAttributes(const char **string,
+ const char *stop_chars,
+ int separator,
+ const char *accept_chars,
+ const char **attr_names, size_t num_attr_names,
+ PK11URIAttributeList *attrs,
+ PK11URIAttributeList *vattrs,
+ PK11URIAttributeCompareNameFunc compare_name,
+ PRBool allow_duplicate,
+ PRBool vendor_allow_duplicate)
+{
+ const char *p = *string;
+
+ for (; *p != '\0'; p++) {
+ const char *name_start, *name_end, *value_start, *value_end;
+ size_t name_length, value_length, i;
+ SECStatus ret;
+
+ if (strchr(stop_chars, *p) != NULL) {
+ break;
+ }
+ for (name_start = p; *p != '=' && *p != '\0'; p++) {
+ if (strchr(PK11URI_ATTR_NM_CHAR, *p) != NULL)
+ continue;
+
+ return SECFailure;
+ }
+ if (*p == '\0') {
+ return SECFailure;
+ }
+ name_end = p++;
+
+ /* The attribute name must not be empty. */
+ if (name_end == name_start) {
+ return SECFailure;
+ }
+
+ for (value_start = p; *p != separator && *p != '\0'; p++) {
+ if (strchr(stop_chars, *p) != NULL) {
+ break;
+ }
+ if (strchr(accept_chars, *p) != NULL) {
+ continue;
+ }
+ if (*p == '%') {
+ const char ch2 = *++p;
+ if (strchr(PK11URI_HEXDIG, ch2) != NULL) {
+ const char ch3 = *++p;
+ if (strchr(PK11URI_HEXDIG, ch3) != NULL)
+ continue;
+ }
+ }
+
+ return SECFailure;
+ }
+ value_end = p;
+
+ name_length = name_end - name_start;
+ value_length = value_end - value_start;
+
+ for (i = 0; i < num_attr_names; i++) {
+ if (name_length == strlen(attr_names[i]) &&
+ memcmp(name_start, attr_names[i], name_length) == 0) {
+ break;
+ }
+ }
+ if (i < num_attr_names) {
+ /* Named attribute. */
+ ret = pk11uri_InsertToAttributeListEscaped(attrs,
+ name_start, name_length,
+ value_start, value_length,
+ compare_name,
+ allow_duplicate);
+ if (ret != SECSuccess) {
+ return ret;
+ }
+ } else {
+ /* Vendor attribute. */
+ ret = pk11uri_InsertToAttributeListEscaped(vattrs,
+ name_start, name_length,
+ value_start, value_length,
+ strcmp,
+ vendor_allow_duplicate);
+ if (ret != SECSuccess) {
+ return ret;
+ }
+ }
+
+ if (*p == '?' || *p == '\0') {
+ break;
+ }
+ }
+
+ *string = p;
+ return SECSuccess;
+}
+
+PK11URI *
+PK11URI_ParseURI(const char *string)
+{
+ PK11URI *result;
+ const char *p = string;
+ SECStatus ret;
+
+ if (strncmp("pkcs11:", p, 7) != 0) {
+ return NULL;
+ }
+ p += 7;
+
+ result = pk11uri_AllocURI();
+ if (result == NULL) {
+ return NULL;
+ }
+
+ /* Parse the path component and its attributes. */
+ ret = pk11uri_ParseAttributes(&p, "?", ';', PK11URI_PCHAR,
+ pattr_names, PR_ARRAY_SIZE(pattr_names),
+ &result->pattrs, &result->vpattrs,
+ pk11uri_ComparePathAttributeName,
+ PR_FALSE, PR_FALSE);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+
+ /* Parse the query component and its attributes. */
+ if (*p == '?') {
+ p++;
+ ret = pk11uri_ParseAttributes(&p, "", '&', PK11URI_QCHAR,
+ qattr_names, PR_ARRAY_SIZE(qattr_names),
+ &result->qattrs, &result->vqattrs,
+ pk11uri_CompareQueryAttributeName,
+ PR_FALSE, PR_TRUE);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+ }
+
+ return result;
+
+fail:
+ PK11URI_DestroyURI(result);
+
+ return NULL;
+}
+
+/* Formatting. */
+char *
+PK11URI_FormatURI(PLArenaPool *arena, PK11URI *uri)
+{
+ PK11URIBuffer buffer;
+ SECStatus ret;
+ char *result = NULL;
+
+ pk11uri_InitBuffer(&buffer, arena);
+
+ ret = pk11uri_AppendBuffer(&buffer, (unsigned char *)"pkcs11:", 7);
+ if (ret != SECSuccess)
+ goto fail;
+
+ ret = pk11uri_AppendAttributeListToBuffer(&buffer, &uri->pattrs, ';', PK11URI_PCHAR);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+
+ if (uri->pattrs.num_attrs > 0 && uri->vpattrs.num_attrs > 0) {
+ ret = pk11uri_AppendBuffer(&buffer, (unsigned char *)";", 1);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+ }
+
+ ret = pk11uri_AppendAttributeListToBuffer(&buffer, &uri->vpattrs, ';',
+ PK11URI_PCHAR);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+
+ if (uri->qattrs.num_attrs > 0 || uri->vqattrs.num_attrs > 0) {
+ ret = pk11uri_AppendBuffer(&buffer, (unsigned char *)"?", 1);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+ }
+
+ ret = pk11uri_AppendAttributeListToBuffer(&buffer, &uri->qattrs, '&', PK11URI_QCHAR);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+
+ if (uri->qattrs.num_attrs > 0 && uri->vqattrs.num_attrs > 0) {
+ ret = pk11uri_AppendBuffer(&buffer, (unsigned char *)"&", 1);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+ }
+
+ ret = pk11uri_AppendAttributeListToBuffer(&buffer, &uri->vqattrs, '&',
+ PK11URI_QCHAR);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+
+ ret = pk11uri_AppendBuffer(&buffer, (unsigned char *)"\0", 1);
+ if (ret != SECSuccess) {
+ goto fail;
+ }
+
+ result = buffer.data;
+ buffer.data = NULL;
+
+fail:
+ pk11uri_DestroyBuffer(&buffer);
+
+ return result;
+}
+
+/* Deallocating. */
+void
+PK11URI_DestroyURI(PK11URI *uri)
+{
+ pk11uri_DestroyAttributeList(&uri->pattrs);
+ pk11uri_DestroyAttributeList(&uri->vpattrs);
+ pk11uri_DestroyAttributeList(&uri->qattrs);
+ pk11uri_DestroyAttributeList(&uri->vqattrs);
+ PORT_FreeArena(uri->arena, PR_FALSE);
+}
+
+/* Accessors. */
+static const char *
+pk11uri_GetAttribute(PK11URIAttributeList *attrs,
+ PK11URIAttributeList *vattrs,
+ const char *name)
+{
+ size_t i;
+
+ for (i = 0; i < attrs->num_attrs; i++) {
+ if (strcmp(name, attrs->attrs[i].name) == 0) {
+ return attrs->attrs[i].value;
+ }
+ }
+
+ for (i = 0; i < vattrs->num_attrs; i++) {
+ if (strcmp(name, vattrs->attrs[i].name) == 0) {
+ return vattrs->attrs[i].value;
+ }
+ }
+
+ return NULL;
+}
+
+const char *
+PK11URI_GetPathAttribute(PK11URI *uri, const char *name)
+{
+ return pk11uri_GetAttribute(&uri->pattrs, &uri->vpattrs, name);
+}
+
+const char *
+PK11URI_GetQueryAttribute(PK11URI *uri, const char *name)
+{
+ return pk11uri_GetAttribute(&uri->qattrs, &uri->vqattrs, name);
+}
diff --git a/security/nss/lib/util/pkcs11uri.h b/security/nss/lib/util/pkcs11uri.h
new file mode 100644
index 0000000000..662c854707
--- /dev/null
+++ b/security/nss/lib/util/pkcs11uri.h
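Review bot: In pk11uri_ParseAttributes the percent-escape validation can read past the end of the input: strchr() treats the terminating NUL as part of the string, so for a value ending in a bare `%` ch2 is '\0', `strchr(PK11URI_HEXDIG, ch2)` succeeds, and `*++p` reads the byte after the terminator (a NUL or hex digit there lets the loop `continue` further out of bounds). Both tests need a NUL guard: `if (ch2 != '\0' && strchr(PK11URI_HEXDIG, ch2) != NULL) {` and `if (ch3 != '\0' && strchr(PK11URI_HEXDIG, ch3) != NULL)`. Three more defects in this file: PK11URI_CreateURI uses the result of pk11uri_AllocURI() without the NULL check PK11URI_ParseURI has; pk11uri_AppendAttributeListToBuffer returns `ret` — still SECSuccess from the preceding append — when pk11uri_Escape fails, so that branch should be `return SECFailure;`; and pk11uri_Escape formats a plain `char` with `"%%%02X"`, so on signed-char platforms any byte >= 0x80 (a UTF-8 token label, say) is sign-extended and printed as `FFFFFFxx`, which the 4-byte buf truncates to `%FF` — pass `(unsigned char)*p`. The non-arena `buffer->data = PORT_Realloc(buffer->data, allocated)` in pk11uri_AppendBuffer also drops the old block on failure, so pk11uri_DestroyBuffer then leaks it; assign to a temporary first.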
@@ -0,0 +1,67 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _PKCS11URI_H_
+#define _PKCS11URI_H_ 1
+
+#include "seccomon.h"
+
+/* Path attributes defined in RFC7512. */
+#define PK11URI_PATTR_TOKEN "token"
+#define PK11URI_PATTR_MANUFACTURER "manufacturer"
+#define PK11URI_PATTR_SERIAL "serial"
+#define PK11URI_PATTR_MODEL "model"
+#define PK11URI_PATTR_LIBRARY_MANUFACTURER "library-manufacturer"
+#define PK11URI_PATTR_LIBRARY_DESCRIPTION "library-description"
+#define PK11URI_PATTR_LIBRARY_VERSION "library-version"
+#define PK11URI_PATTR_OBJECT "object"
+#define PK11URI_PATTR_TYPE "type"
+#define PK11URI_PATTR_ID "id"
+#define PK11URI_PATTR_SLOT_MANUFACTURER "slot-manufacturer"
+#define PK11URI_PATTR_SLOT_DESCRIPTION "slot-description"
+#define PK11URI_PATTR_SLOT_ID "slot-id"
+
+/* Query attributes defined in RFC7512. */
+#define PK11URI_QATTR_PIN_SOURCE "pin-source"
+#define PK11URI_QATTR_PIN_VALUE "pin-value"
+#define PK11URI_QATTR_MODULE_NAME "module-name"
+#define PK11URI_QATTR_MODULE_PATH "module-path"
+
+SEC_BEGIN_PROTOS
+
+/* A PK11URI object is an immutable structure that holds path and
+ * query attributes of a PKCS#11 URI. */
+struct PK11URIStr;
+typedef struct PK11URIStr PK11URI;
+
+struct PK11URIAttributeStr {
+ const char *name;
+ const char *value;
+};
+typedef struct PK11URIAttributeStr PK11URIAttribute;
+
+/* Create a new PK11URI object from a set of attributes. */
+extern PK11URI *PK11URI_CreateURI(const PK11URIAttribute *pattrs,
+ size_t num_pattrs,
+ const PK11URIAttribute *qattrs,
+ size_t num_qattrs);
+
+/* Parse PKCS#11 URI and return a new PK11URI object. */
+extern PK11URI *PK11URI_ParseURI(const char *string);
+
+/* Format a PK11URI object to a string. */
+extern char *PK11URI_FormatURI(PLArenaPool *arena, PK11URI *uri);
+
+/* Destroy a PK11URI object.
*/ +extern void PK11URI_DestroyURI(PK11URI *uri); + +/* Retrieve a path attribute with the given name. */ +extern const char *PK11URI_GetPathAttribute(PK11URI *uri, const char *name); + +/* Retrieve a query attribute with the given name. */ +extern const char *PK11URI_GetQueryAttribute(PK11URI *uri, const char *name); + +SEC_END_PROTOS + +#endif /* _PKCS11URI_H_ */ diff --git a/security/nss/lib/util/quickder.c b/security/nss/lib/util/quickder.c index 49ff14d550..1b474822e3 100644 --- a/security/nss/lib/util/quickder.c +++ b/security/nss/lib/util/quickder.c @@ -408,6 +408,10 @@ DecodePointer(void* dest, { const SEC_ASN1Template* ptrTemplate = SEC_ASN1GetSubtemplate(templateEntry, dest, PR_FALSE); + if (!ptrTemplate) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } void* subdata = PORT_ArenaZAlloc(arena, ptrTemplate->size); *(void**)((char*)dest + templateEntry->offset) = subdata; if (subdata) { diff --git a/security/nss/lib/util/secasn1.h b/security/nss/lib/util/secasn1.h index b6292cd3bf..78cab0a26b 100644 --- a/security/nss/lib/util/secasn1.h +++ b/security/nss/lib/util/secasn1.h @@ -54,6 +54,18 @@ extern void SEC_ASN1DecoderSetNotifyProc(SEC_ASN1DecoderContext *cx, extern void SEC_ASN1DecoderClearNotifyProc(SEC_ASN1DecoderContext *cx); +/* Sets the maximum size that should be allocated for a single ASN.1 + * element. Set to 0 to indicate there is no limit. + * + * Note: This does not set the maximum size overall that may be allocated + * while parsing, nor does it guarantee that the decoder won't allocate + * more than |max_size| while parsing an individual element; rather, it + * merely guarantees that any individual allocation for returned data + * should not exceed |max_size|. +*/ +extern void SEC_ASN1DecoderSetMaximumElementSize(SEC_ASN1DecoderContext *cx, + unsigned long max_size); + extern SECStatus SEC_ASN1Decode(PLArenaPool *pool, void *dest, const SEC_ASN1Template *t, const char *buf, long len); 
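Review bot: The header omits the ownership and error contract that the implementation in pkcs11uri.c fixes: PK11URI_FormatURI returns a buffer the caller must PORT_Free when `arena` is NULL (it is arena-owned otherwise), PK11URI_ParseURI and PK11URI_CreateURI return NULL on both malformed input and allocation failure without calling PORT_SetError, and the `const char *` from the two accessors lives in the PK11URI's arena and is invalid after PK11URI_DestroyURI. I'd put above PK11URI_FormatURI `/* Returns NULL on failure. With a NULL arena the caller owns the result and must PORT_Free it. */` and above the accessors `/* The returned pointer is owned by |uri| and valid only until PK11URI_DestroyURI. */`. Since `pin-value` is a defined query attribute, it is also worth stating that PK11URI_FormatURI reproduces the PIN verbatim, so the formatted string must never be logged.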
diff --git a/security/nss/lib/util/secasn1d.c b/security/nss/lib/util/secasn1d.c index 797640dc4a..e6abb5fd50 100644 --- a/security/nss/lib/util/secasn1d.c +++ b/security/nss/lib/util/secasn1d.c @@ -292,6 +292,17 @@ struct sec_DecoderContext_struct { sec_asn1d_state *current; sec_asn1d_parse_status status; + /* The maximum size the caller is willing to allow a single element + * to be before returning an error. + * + * In the case of an indefinite length element, this is the sum total + * of all child elements. + * + * In the case of a definite length element, this represents the maximum + * size of the top-level element. + */ + unsigned long max_element_size; + SEC_ASN1NotifyProc notify_proc; /* call before/after handling field */ void *notify_arg; /* argument to notify_proc */ PRBool during_notify; /* true during call to notify_proc */ @@ -1288,6 +1299,13 @@ sec_asn1d_prepare_for_contents(sec_asn1d_state *state) alloc_len += subitem->len; } + if (state->top->max_element_size > 0 && + alloc_len > state->top->max_element_size) { + PORT_SetError(SEC_ERROR_OUTPUT_LEN); + state->top->status = decodeError; + return; + } + item->data = (unsigned char *)sec_asn1d_zalloc(poolp, alloc_len); if (item->data == NULL) { state->top->status = decodeError; @@ -1396,6 +1414,13 @@ sec_asn1d_prepare_for_contents(sec_asn1d_state *state) if (state->dest != NULL) { item = (SECItem *)(state->dest); item->len = 0; + if (state->top->max_element_size > 0 && + state->contents_length > state->top->max_element_size) { + PORT_SetError(SEC_ERROR_OUTPUT_LEN); + state->top->status = decodeError; + return; + } + if (state->top->filter_only) { item->data = NULL; } else { 
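Review bot: The new `max_element_size` field is read by both checks added to sec_asn1d_prepare_for_contents, but nothing in this diff initializes it; it behaves only if SEC_ASN1DecoderStart zero-allocates the context (I believe it uses an arena ZAlloc, but that code is not shown), in which case the field silently starts at the `0 == unlimited` sentinel. Either an explicit `cx->max_element_size = 0;` where the context is created, or a note on the field `/* 0 (the zero-initialized default) means no limit; see SEC_ASN1DecoderSetMaximumElementSize. */`, would make that dependence visible. The struct and both enclosing functions extend beyond the hunks.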
@@ -2223,6 +2248,13 @@ sec_asn1d_concat_substrings(sec_asn1d_state *state)
 alloc_len = item_len;
 }
+ if (state->top->max_element_size > 0 &&
+ alloc_len > state->top->max_element_size) {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ state->top->status = decodeError;
+ return;
+ }
+
 item = (SECItem *)(state->dest);
 PORT_Assert(item != NULL);
 PORT_Assert(item->data == NULL);
@@ -2726,7 +2758,7 @@ SEC_ASN1DecoderUpdate(SEC_ASN1DecoderContext *cx,
 #ifdef DEBUG_ASN1D_STATES
 printf("\nPLACE = %s, next byte = 0x%02x, %08x[%d]\n",
 (state->place >= 0 && state->place <= notInUse) ? place_names[state->place] : "(undefined)",
- (unsigned int)((unsigned char *)buf)[consumed],
+ len ? (unsigned int)((unsigned char *)buf)[consumed] : 0,
 buf, consumed);
 dump_states(cx);
 #endif /* DEBUG_ASN1D_STATES */
@@ -3042,6 +3074,13 @@ SEC_ASN1DecoderClearNotifyProc(SEC_ASN1DecoderContext *cx)
 }
 void
+SEC_ASN1DecoderSetMaximumElementSize(SEC_ASN1DecoderContext *cx,
+ unsigned long max_size)
+{
+ cx->max_element_size = max_size;
+}
+
+void
 SEC_ASN1DecoderAbort(SEC_ASN1DecoderContext *cx, int error)
 {
 PORT_Assert(cx);
@@ -3061,6 +3100,10 @@ SEC_ASN1Decode(PLArenaPool *poolp, void *dest,
 if (dcx == NULL)
 return SECFailure;
+ /* In one-shot mode, there's no possibility of streaming data beyond the
+ * length of len */
+ SEC_ASN1DecoderSetMaximumElementSize(dcx, len);
+
 urv = SEC_ASN1DecoderUpdate(dcx, buf, len);
 frv = SEC_ASN1DecoderFinish(dcx);
diff --git a/security/nss/lib/util/secport.c b/security/nss/lib/util/secport.c
index 0eea0cda0b..01a7d0834e 100644
--- a/security/nss/lib/util/secport.c
+++ b/security/nss/lib/util/secport.c
@@ -699,6 +699,9 @@ NSS_PutEnv(const char *envVarName, const char *envValue)
 #endif
 encoded = (char *)PORT_ZAlloc(strlen(envVarName) + 2 + strlen(envValue));
+ if (!encoded) {
+ return SECFailure;
+ }
 strcpy(encoded, envVarName);
 strcat(encoded, "=");
 strcat(encoded, envValue);
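Review bot: SEC_ASN1DecoderSetMaximumElementSize dereferences `cx` without the `PORT_Assert(cx);` that its neighbour SEC_ASN1DecoderAbort begins with; for consistency with the sibling setters add `PORT_Assert(cx);` as the first statement. The semantics of the value (0 meaning no limit) live only in the header, so a one-line pointer such as `/* 0 disables the limit; documented in secasn1.h */` on the assignment would save the next reader a lookup.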
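Review bot: `SEC_ASN1DecoderSetMaximumElementSize(dcx, len)` converts the signed `long len` of SEC_ASN1Decode to `unsigned long`, so a negative `len` becomes an enormous limit rather than the tight bound the new comment promises, and `len == 0` becomes "no limit" because the checks treat 0 as unlimited. Negative lengths may already be rejected before this point (the start of SEC_ASN1Decode is outside the hunk); if they are not, `if (len < 0) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }` ahead of the call keeps the bound honest. Extending the comment with `(len is non-negative here)` would document the assumption either way.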
diff --git a/security/nss/lib/util/secport.h b/security/nss/lib/util/secport.h
index 0f4b08f33e..fb9ff4ebb5 100644
--- a/security/nss/lib/util/secport.h
+++ b/security/nss/lib/util/secport.h
@@ -72,8 +72,8 @@
 * and does not use a lock to protect accesses. This makes it cheaper but
 * less general. It is best used for arena pools that (a) are hot, (b) have
 * lifetimes bounded within a single function, and (c) don't need locking.
- * Use PORT_InitArena() and PORT_DestroyArena() to initialize and finalize
- * PORTCheapArenaPools.
+ * Use PORT_InitCheapArena() and PORT_DestroyCheapArena() to initialize and
+ * finalize PORTCheapArenaPools.
 *
 * All the other PORT_Arena* functions will operate safely with either
 * subclass.
diff --git a/security/nss/lib/util/util.gyp b/security/nss/lib/util/util.gyp
index 9f3a74b188..74eaef4bfb 100644
--- a/security/nss/lib/util/util.gyp
+++ b/security/nss/lib/util/util.gyp
@@ -21,6 +21,7 @@
 'nssrwlk.c',
 'oidstring.c',
 'pkcs1sig.c',
+ 'pkcs11uri.c',
 'portreg.c',
 'quickder.c',
 'secalgid.c',
diff --git a/security/nss/lib/util/utilmod.c b/security/nss/lib/util/utilmod.c
index e05680675e..971b6c1dca 100644
--- a/security/nss/lib/util/utilmod.c
+++ b/security/nss/lib/util/utilmod.c
@@ -232,10 +232,15 @@ nssutil_ReadSecmodDB(const char *appName,
 internal = PR_FALSE; /* is this an internal module */
 skipParams = PR_FALSE; /* did we find an override parameter block*/
 paramsValue = NULL; /* the current parameter block value */
- while (fgets(line, sizeof(line), fd) != NULL) {
- int len = PORT_Strlen(line);
+ do {
+ int len;
+
+ if (fgets(line, sizeof(line), fd) == NULL) {
+ goto endloop;
+ }
 /* remove the ending newline */
+ len = PORT_Strlen(line);
 if (len && line[len - 1] == '\n') {
 len--;
 line[len] = 0;
@@ -344,6 +349,7 @@ nssutil_ReadSecmodDB(const char *appName,
 continue;
 }
+ endloop:
 /*
 * if we are here, we have found a complete stanza. Now write out
 * any param section we may have found.
@@ -379,7 +385,7 @@ nssutil_ReadSecmodDB(const char *appName,
 moduleString = NULL;
 internal = PR_FALSE;
 skipParams = PR_FALSE;
- }
+ } while (!feof(fd));
 if (moduleString) {
 PORT_Free(moduleString); |
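Review bot: `} while (!feof(fd));` only ends the loop on end-of-file, but `fgets` also returns NULL on a read error, which sets the stream's error indicator and not EOF; in that case the `goto endloop` introduced in the -232 hunk runs the end-of-stanza flush, the condition stays true, and the loop re-enters the failing `fgets` indefinitely. Change the condition to `} while (!feof(fd) && !ferror(fd));` (or test `ferror(fd)` beside the NULL check before jumping to `endloop`). The flush path resets `moduleString`, `internal` and `skipParams` as shown, so re-running it is harmless, but the body between the two hunks is outside view and was not checked for other state that a repeated pass could disturb.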