Diffstat (limited to 'security/nss/cmd')
30 files changed, 477 insertions, 931 deletions
diff --git a/security/nss/cmd/bltest/blapitest.c b/security/nss/cmd/bltest/blapitest.c index ca3d6f314..a3a162da1 100644 --- a/security/nss/cmd/bltest/blapitest.c +++ b/security/nss/cmd/bltest/blapitest.c @@ -20,14 +20,16 @@ #include "secport.h" #include "secoid.h" #include "nssutil.h" -#include "ecl-curve.h" #include "pkcs1_vectors.h" +#ifndef NSS_DISABLE_ECC +#include "ecl-curve.h" SECStatus EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams); SECStatus EC_CopyParams(PLArenaPool *arena, ECParams *dstParams, const ECParams *srcParams); +#endif char *progName; char *testdir = NULL; @@ -133,14 +135,18 @@ Usage() PRINTUSAGE(progName, "-S -m mode", "Sign a buffer"); PRINTUSAGE("", "", "[-i plaintext] [-o signature] [-k key]"); PRINTUSAGE("", "", "[-b bufsize]"); +#ifndef NSS_DISABLE_ECC PRINTUSAGE("", "", "[-n curvename]"); +#endif PRINTUSAGE("", "", "[-p repetitions | -5 time_interval] [-4 th_num]"); PRINTUSAGE("", "-m", "cipher mode to use"); PRINTUSAGE("", "-i", "file which contains input buffer"); PRINTUSAGE("", "-o", "file for signature"); PRINTUSAGE("", "-k", "file which contains key"); +#ifndef NSS_DISABLE_ECC PRINTUSAGE("", "-n", "name of curve for EC key generation; one of:"); PRINTUSAGE("", "", " nistp256, nistp384, nistp521"); +#endif PRINTUSAGE("", "-p", "do performance test"); PRINTUSAGE("", "-4", "run test in multithread mode. th_num number of parallel threads"); PRINTUSAGE("", "-5", "run test for specified time interval(in seconds)"); @@ -363,6 +369,7 @@ dsakey_from_filedata(PLArenaPool *arena, SECItem *filedata) return key; } +#ifndef NSS_DISABLE_ECC static ECPrivateKey * eckey_from_filedata(PLArenaPool *arena, SECItem *filedata) { @@ -512,6 +519,7 @@ getECParams(const char *curve) return ecparams; } +#endif /* NSS_DISABLE_ECC */ static void dump_pqg(PQGParams *pqg) 
@@ -529,6 +537,7 @@ dump_dsakey(DSAPrivateKey *key) SECU_PrintInteger(stdout, &key->privateValue, "PRIVATE VALUE:", 0); } +#ifndef NSS_DISABLE_ECC static void dump_ecp(ECParams *ecp) { @@ -543,6 +552,7 @@ dump_eckey(ECPrivateKey *key) SECU_PrintInteger(stdout, &key->publicValue, "PUBLIC VALUE:", 0); SECU_PrintInteger(stdout, &key->privateValue, "PRIVATE VALUE:", 0); } +#endif static void dump_rsakey(RSAPrivateKey *key) @@ -628,15 +638,17 @@ typedef enum { bltestRSA, /* Public Key Ciphers */ bltestRSA_OAEP, /* . (Public Key Enc.) */ bltestRSA_PSS, /* . (Public Key Sig.) */ - bltestECDSA, /* . (Public Key Sig.) */ - bltestDSA, /* . (Public Key Sig.) */ - bltestMD2, /* Hash algorithms */ - bltestMD5, /* . */ - bltestSHA1, /* . */ - bltestSHA224, /* . */ - bltestSHA256, /* . */ - bltestSHA384, /* . */ - bltestSHA512, /* . */ +#ifndef NSS_DISABLE_ECC + bltestECDSA, /* . (Public Key Sig.) */ +#endif + bltestDSA, /* . (Public Key Sig.) */ + bltestMD2, /* Hash algorithms */ + bltestMD5, /* . */ + bltestSHA1, /* . */ + bltestSHA224, /* . */ + bltestSHA256, /* . */ + bltestSHA384, /* . */ + bltestSHA512, /* . */ NUMMODES } bltestCipherMode; @@ -666,7 +678,9 @@ static char *mode_strings[] = "rsa", "rsa_oaep", "rsa_pss", +#ifndef NSS_DISABLE_ECC "ecdsa", +#endif /*"pqg",*/ "dsa", "md2", @@ -718,11 +732,13 @@ typedef struct PQGParams *pqg; } bltestDSAParams; +#ifndef NSS_DISABLE_ECC typedef struct { char *curveName; bltestIO sigseed; } bltestECDSAParams; +#endif typedef struct { @@ -735,7 +751,9 @@ typedef struct union { bltestRSAParams rsa; bltestDSAParams dsa; +#ifndef NSS_DISABLE_ECC bltestECDSAParams ecdsa; +#endif } cipherParams; } bltestAsymKeyParams; @@ -1292,6 +1310,7 @@ dsa_verifyDigest(void *cx, SECItem *output, const SECItem *input) return DSA_VerifyDigest((DSAPublicKey *)params->pubKey, output, input); } +#ifndef NSS_DISABLE_ECC SECStatus ecdsa_signDigest(void *cx, SECItem *output, const SECItem *input) { 
@@ -1312,6 +1331,7 @@ ecdsa_verifyDigest(void *cx, SECItem *output, const SECItem *input) bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx; return ECDSA_VerifyDigest((ECPublicKey *)params->pubKey, output, input); } +#endif SECStatus bltest_des_init(bltestCipherInfo *cipherInfo, PRBool encrypt) @@ -1791,6 +1811,7 @@ bltest_dsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt) return SECSuccess; } +#ifndef NSS_DISABLE_ECC SECStatus bltest_ecdsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt) { @@ -1856,6 +1877,7 @@ bltest_ecdsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt) } return SECSuccess; } +#endif /* XXX unfortunately, this is not defined in blapi.h */ SECStatus @@ -2147,7 +2169,11 @@ finish: SECStatus pubkeyInitKey(bltestCipherInfo *cipherInfo, PRFileDesc *file, +#ifndef NSS_DISABLE_ECC int keysize, int exponent, char *curveName) +#else + int keysize, int exponent) +#endif { int i; SECStatus rv = SECSuccess; @@ -2156,10 +2182,12 @@ pubkeyInitKey(bltestCipherInfo *cipherInfo, PRFileDesc *file, RSAPrivateKey **rsaKey = NULL; bltestDSAParams *dsap; DSAPrivateKey **dsaKey = NULL; +#ifndef NSS_DISABLE_ECC SECItem *tmpECParamsDER; ECParams *tmpECParams = NULL; SECItem ecSerialize[3]; ECPrivateKey **ecKey = NULL; +#endif switch (cipherInfo->mode) { case bltestRSA: case bltestRSA_PSS: @@ -2196,6 +2224,7 @@ pubkeyInitKey(bltestCipherInfo *cipherInfo, PRFileDesc *file, dsap->keysize = (*dsaKey)->params.prime.len * 8; } break; +#ifndef NSS_DISABLE_ECC case bltestECDSA: ecKey = (ECPrivateKey **)&asymk->privKey; if (curveName != NULL) { @@ -2225,6 +2254,7 @@ pubkeyInitKey(bltestCipherInfo *cipherInfo, PRFileDesc *file, *ecKey = eckey_from_filedata(cipherInfo->arena, &asymk->key.buf); } break; +#endif default: return SECFailure; } 
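Review bot: Making the `pubkeyInitKey` parameter list itself conditional on `NSS_DISABLE_ECC` forces every caller to carry a matching `#ifndef`/`#else` pair, as the call in `main` (the `@@ -3960` hunk) now does, and the two signatures can drift apart without the compiler noticing in the other configuration. Keeping the single signature `int keysize, int exponent, char *curveName)` and guarding only the `case bltestECDSA:` body would confine the conditional to one place, with `curveName` left declared in `main` and simply unused in a build without ECC. The body of `pubkeyInitKey` continues outside this hunk.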
@@ -2311,6 +2341,7 @@ cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt) } return bltest_dsa_init(cipherInfo, encrypt); break; +#ifndef NSS_DISABLE_ECC case bltestECDSA: if (encrypt) { SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf, @@ -2318,6 +2349,7 @@ cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt) } return bltest_ecdsa_init(cipherInfo, encrypt); break; +#endif case bltestMD2: restart = cipherInfo->params.hash.restart; SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf, @@ -2612,7 +2644,9 @@ cipherFinish(bltestCipherInfo *cipherInfo) case bltestRSA_PSS: /* will be freed with it. */ case bltestRSA_OAEP: case bltestDSA: +#ifndef NSS_DISABLE_ECC case bltestECDSA: +#endif case bltestMD2: /* hash contexts are ephemeral */ case bltestMD5: case bltestSHA1: @@ -2788,6 +2822,7 @@ print_td: fprintf(stdout, "%8d", info->params.asymk.cipherParams.dsa.keysize); } break; +#ifndef NSS_DISABLE_ECC case bltestECDSA: if (td) { fprintf(stdout, "%12s", "ec_curve"); @@ -2798,6 +2833,7 @@ print_td: ecCurve_map[curveName] ? ecCurve_map[curveName]->text : "Unsupported curve"); } break; +#endif case bltestMD2: case bltestMD5: case bltestSHA1: @@ -3027,6 +3063,7 @@ get_params(PLArenaPool *arena, bltestParams *params, sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext", j); load_file_data(arena, ¶ms->asymk.sig, filename, bltestBase64Encoded); break; +#ifndef NSS_DISABLE_ECC case bltestECDSA: sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j); load_file_data(arena, ¶ms->asymk.key, filename, bltestBase64Encoded); @@ -3038,6 +3075,7 @@ get_params(PLArenaPool *arena, bltestParams *params, sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext", j); load_file_data(arena, ¶ms->asymk.sig, filename, bltestBase64Encoded); break; +#endif case bltestMD2: case bltestMD5: case bltestSHA1: 
@@ -3259,11 +3297,13 @@ dump_file(bltestCipherMode mode, char *filename) load_file_data(arena, &keydata, filename, bltestBase64Encoded); key = dsakey_from_filedata(arena, &keydata.buf); dump_dsakey(key); +#ifndef NSS_DISABLE_ECC } else if (mode == bltestECDSA) { ECPrivateKey *key; load_file_data(arena, &keydata, filename, bltestBase64Encoded); key = eckey_from_filedata(arena, &keydata.buf); dump_eckey(key); +#endif } PORT_FreeArena(arena, PR_FALSE); return SECFailure; @@ -3550,7 +3590,9 @@ enum { opt_Key, opt_HexWSpc, opt_Mode, +#ifndef NSS_DISABLE_ECC opt_CurveName, +#endif opt_Output, opt_Repetitions, opt_ZeroBuf, @@ -3602,7 +3644,9 @@ static secuCommandFlag bltest_options[] = { /* opt_Key */ 'k', PR_TRUE, 0, PR_FALSE }, { /* opt_HexWSpc */ 'l', PR_FALSE, 0, PR_FALSE }, { /* opt_Mode */ 'm', PR_TRUE, 0, PR_FALSE }, +#ifndef NSS_DISABLE_ECC { /* opt_CurveName */ 'n', PR_TRUE, 0, PR_FALSE }, +#endif { /* opt_Output */ 'o', PR_TRUE, 0, PR_FALSE }, { /* opt_Repetitions */ 'p', PR_TRUE, 0, PR_FALSE }, { /* opt_ZeroBuf */ 'q', PR_FALSE, 0, PR_FALSE }, @@ -3635,7 +3679,9 @@ main(int argc, char **argv) bltestCipherInfo *cipherInfoListHead, *cipherInfo = NULL; bltestIOMode ioMode; int bufsize, exponent, curThrdNum; +#ifndef NSS_DISABLE_ECC char *curveName = NULL; +#endif int i, commandsEntered; int inoff, outoff; int threads = 1; @@ -3871,10 +3917,12 @@ main(int argc, char **argv) else exponent = 65537; +#ifndef NSS_DISABLE_ECC if (bltest.options[opt_CurveName].activated) curveName = PORT_Strdup(bltest.options[opt_CurveName].arg); else curveName = NULL; +#endif if (bltest.commands[cmd_Verify].activated && !bltest.options[opt_SigFile].activated) { @@ -3960,7 +4008,11 @@ main(int argc, char **argv) file = PR_Open("tmp.key", PR_WRONLY | PR_CREATE_FILE, 00660); } params->key.mode = bltestBase64Encoded; +#ifndef NSS_DISABLE_ECC pubkeyInitKey(cipherInfo, file, keysize, exponent, curveName); +#else + pubkeyInitKey(cipherInfo, file, keysize, exponent); +#endif PR_Close(file); } 
diff --git a/security/nss/cmd/certcgi/certcgi.c b/security/nss/cmd/certcgi/certcgi.c index 4d1a1061a..35409e250 100644 --- a/security/nss/cmd/certcgi/certcgi.c +++ b/security/nss/cmd/certcgi/certcgi.c @@ -233,7 +233,8 @@ make_datastruct(char *data, int len) if (remaining == 1) { remaining += fields; fields = fields * 2; - datastruct = (Pair *)PORT_Realloc(datastruct, fields * sizeof(Pair)); + datastruct = (Pair *)PORT_Realloc(datastruct, fields * + sizeof(Pair)); if (datastruct == NULL) { error_allocate(); } diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c index 03f4478b7..fbc752c1b 100644 --- a/security/nss/cmd/certutil/certutil.c +++ b/security/nss/cmd/certutil/certutil.c @@ -194,8 +194,6 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType, PLArenaPool *arena; void *extHandle; SECItem signedReq = { siBuffer, NULL, 0 }; - SECAlgorithmID signAlg; - SECItem *params = NULL; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!arena) { @@ -213,26 +211,11 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType, /* Change cert type to RSA-PSS, if desired. */ if (pssCertificate) { - params = SEC_CreateSignatureAlgorithmParameters(arena, - NULL, - SEC_OID_PKCS1_RSA_PSS_SIGNATURE, - hashAlgTag, - NULL, - privk); - if (!params) { - PORT_FreeArena(arena, PR_FALSE); - SECKEY_DestroySubjectPublicKeyInfo(spki); - SECU_PrintError(progName, "unable to create RSA-PSS parameters"); - return SECFailure; - } - spki->algorithm.parameters.data = NULL; rv = SECOID_SetAlgorithmID(arena, &spki->algorithm, - SEC_OID_PKCS1_RSA_PSS_SIGNATURE, - hashAlgTag == SEC_OID_UNKNOWN ? NULL : params); + SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0); if (rv != SECSuccess) { PORT_FreeArena(arena, PR_FALSE); - SECKEY_DestroySubjectPublicKeyInfo(spki); SECU_PrintError(progName, "unable to set algorithm ID"); return SECFailure; } 
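Review bot: The `rv != SECSuccess` branch after `SECOID_SetAlgorithmID` in `CertReq` (the `@@ -211` hunk) now frees the arena and returns without calling `SECKEY_DestroySubjectPublicKeyInfo(spki)`. `spki` is created outside this hunk, so this is inferred, but if `CertReq` still owns it at this point the error path leaks it. Keeping `SECKEY_DestroySubjectPublicKeyInfo(spki);` before `return SECFailure;` would avoid that. The function starts and ends outside the hunk.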
@@ -273,34 +256,16 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType, return SECFailure; } - PORT_Memset(&signAlg, 0, sizeof(signAlg)); - if (pssCertificate) { - rv = SECOID_SetAlgorithmID(arena, &signAlg, - SEC_OID_PKCS1_RSA_PSS_SIGNATURE, params); - if (rv != SECSuccess) { - PORT_FreeArena(arena, PR_FALSE); - SECU_PrintError(progName, "unable to set algorithm ID"); - return SECFailure; - } - } else { - signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag); - if (signAlgTag == SEC_OID_UNKNOWN) { - PORT_FreeArena(arena, PR_FALSE); - SECU_PrintError(progName, "unknown Key or Hash type"); - return SECFailure; - } - rv = SECOID_SetAlgorithmID(arena, &signAlg, signAlgTag, 0); - if (rv != SECSuccess) { - PORT_FreeArena(arena, PR_FALSE); - SECU_PrintError(progName, "unable to set algorithm ID"); - return SECFailure; - } + /* Sign the request */ + signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag); + if (signAlgTag == SEC_OID_UNKNOWN) { + PORT_FreeArena(arena, PR_FALSE); + SECU_PrintError(progName, "unknown Key or Hash type"); + return SECFailure; } - /* Sign the request */ - rv = SEC_DerSignDataWithAlgorithmID(arena, &signedReq, - encoding->data, encoding->len, - privk, &signAlg); + rv = SEC_DerSignData(arena, &signedReq, encoding->data, encoding->len, + privk, signAlgTag); if (rv) { PORT_FreeArena(arena, PR_FALSE); SECU_PrintError(progName, "signing of data failed"); @@ -400,7 +365,7 @@ ChangeTrustAttributes(CERTCertDBHandle *handle, PK11SlotInfo *slot, CERTCertificate *cert; CERTCertTrust *trust; - cert = CERT_FindCertByNicknameOrEmailAddrCX(handle, name, pwdata); + cert = CERT_FindCertByNicknameOrEmailAddr(handle, name); if (!cert) { SECU_PrintError(progName, "could not find certificate named \"%s\"", name); 
@@ -626,10 +591,6 @@ ListCerts(CERTCertDBHandle *handle, char *nickname, char *email, { SECStatus rv; - if (slot && PK11_NeedUserInit(slot)) { - printf("\nDatabase needs user init\n"); - } - if (!ascii && !raw && !nickname && !email) { PR_fprintf(outfile, "\n%-60s %-5s\n%-60s %-5s\n\n", "Certificate Nickname", "Trust Attributes", "", @@ -653,12 +614,12 @@ ListCerts(CERTCertDBHandle *handle, char *nickname, char *email, } static SECStatus -DeleteCert(CERTCertDBHandle *handle, char *name, void *pwdata) +DeleteCert(CERTCertDBHandle *handle, char *name) { SECStatus rv; CERTCertificate *cert; - cert = CERT_FindCertByNicknameOrEmailAddrCX(handle, name, pwdata); + cert = CERT_FindCertByNicknameOrEmailAddr(handle, name); if (!cert) { SECU_PrintError(progName, "could not find certificate named \"%s\"", name); @@ -674,12 +635,12 @@ DeleteCert(CERTCertDBHandle *handle, char *name, void *pwdata) } static SECStatus -RenameCert(CERTCertDBHandle *handle, char *name, char *newName, void *pwdata) +RenameCert(CERTCertDBHandle *handle, char *name, char *newName) { SECStatus rv; CERTCertificate *cert; - cert = CERT_FindCertByNicknameOrEmailAddrCX(handle, name, pwdata); + cert = CERT_FindCertByNicknameOrEmailAddr(handle, name); if (!cert) { SECU_PrintError(progName, "could not find certificate named \"%s\"", name); @@ -1054,18 +1015,6 @@ ListModules(void) } static void -PrintBuildFlags() -{ -#ifdef NSS_FIPS_DISABLED - PR_fprintf(PR_STDOUT, "NSS_FIPS_DISABLED\n"); -#endif -#ifdef NSS_NO_INIT_SUPPORT - PR_fprintf(PR_STDOUT, "NSS_NO_INIT_SUPPORT\n"); -#endif - exit(0); -} - -static void PrintSyntax(char *progName) { #define FPS fprintf(stderr, 
@@ -1095,10 +1044,15 @@ PrintSyntax(char *progName) "\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName); FPS "\t%s -G [-h token-name] -k dsa [-q pqgfile -g key-size] [-f pwfile]\n" "\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName); +#ifndef NSS_DISABLE_ECC FPS "\t%s -G [-h token-name] -k ec -q curve [-f pwfile]\n" "\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName); FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|ec|rsa|all]\n", progName); +#else + FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|rsa|all]\n", + progName); +#endif /* NSS_DISABLE_ECC */ FPS "\t\t [-f pwfile] [-X] [-d certdir] [-P dbprefix]\n"); FPS "\t%s --upgrade-merge --source-dir upgradeDir --upgrade-id uniqueID\n", progName); @@ -1112,7 +1066,6 @@ PrintSyntax(char *progName) FPS "\t%s -L [-n cert-name] [-h token-name] [--email email-address]\n", progName); FPS "\t\t [-X] [-r] [-a] [--dump-ext-val OID] [-d certdir] [-P dbprefix]\n"); - FPS "\t%s --build-flags\n", progName); FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n", progName); FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n", progName); @@ -1231,8 +1184,6 @@ luC(enum usage_level ul, const char *command) " -o output-cert"); FPS "%-20s Self sign\n", " -x"); - FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n", - " --pss-sign"); FPS "%-20s Cert serial number\n", " -m serial-number"); FPS "%-20s Time Warp\n", 
@@ -1293,10 +1244,17 @@ luG(enum usage_level ul, const char *command) return; FPS "%-20s Name of token in which to generate key (default is internal)\n", " -h token-name"); +#ifndef NSS_DISABLE_ECC FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n", " -k key-type"); FPS "%-20s Key size in bits, (min %d, max %d, default %d) (not for ec)\n", " -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS); +#else + FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n", + " -k key-type"); + FPS "%-20s Key size in bits, (min %d, max %d, default %d)\n", + " -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS); +#endif /* NSS_DISABLE_ECC */ FPS "%-20s Set the public exponent value (3, 17, 65537) (rsa only)\n", " -y exp"); FPS "%-20s Specify the password file\n", @@ -1305,6 +1263,7 @@ luG(enum usage_level ul, const char *command) " -z noisefile"); FPS "%-20s read PQG value from pqgfile (dsa only)\n", " -q pqgfile"); +#ifndef NSS_DISABLE_ECC FPS "%-20s Elliptic curve name (ec only)\n", " -q curve-name"); FPS "%-20s One of nistp256, nistp384, nistp521, curve25519.\n", ""); @@ -1326,6 +1285,7 @@ luG(enum usage_level ul, const char *command) FPS "%-20s c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, \n", ""); FPS "%-20s secp112r2, secp128r1, secp128r2, sect113r1, sect113r2\n", ""); FPS "%-20s sect131r1, sect131r2\n", ""); +#endif FPS "%-20s Key database directory (default is ~/.netscape)\n", " -d keydir"); FPS "%-20s Cert & Key database prefix\n", @@ -1415,7 +1375,9 @@ luK(enum usage_level ul, const char *command) " -h token-name "); FPS "%-20s Key type (\"all\" (default), \"dsa\"," +#ifndef NSS_DISABLE_ECC " \"ec\"," +#endif " \"rsa\")\n", " -k key-type"); FPS "%-20s The nickname of the key or associated certificate\n", 
@@ -1558,7 +1520,11 @@ luR(enum usage_level ul, const char *command) " -s subject"); FPS "%-20s Output the cert request to this file\n", " -o output-req"); +#ifndef NSS_DISABLE_ECC FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n", +#else + FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n", +#endif /* NSS_DISABLE_ECC */ " -k key-type-or-id"); FPS "%-20s or nickname of the cert key to use \n", ""); @@ -1566,14 +1532,14 @@ luR(enum usage_level ul, const char *command) " -h token-name"); FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n", " -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS); - FPS "%-20s Create a certificate request restricted to RSA-PSS (rsa only)\n", - " --pss"); FPS "%-20s Name of file containing PQG parameters (dsa only)\n", " -q pqgfile"); +#ifndef NSS_DISABLE_ECC FPS "%-20s Elliptic curve name (ec only)\n", " -q curve-name"); FPS "%-20s See the \"-G\" option for a full list of supported names.\n", ""); +#endif /* NSS_DISABLE_ECC */ FPS "%-20s Specify the password file\n", " -f pwfile"); FPS "%-20s Key database directory (default is ~/.netscape)\n", 
@@ -1739,24 +1705,26 @@ luS(enum usage_level ul, const char *command) " -c issuer-name"); FPS "%-20s Set the certificate trust attributes (see -A above)\n", " -t trustargs"); +#ifndef NSS_DISABLE_ECC FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n", +#else + FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n", +#endif /* NSS_DISABLE_ECC */ " -k key-type-or-id"); FPS "%-20s Name of token in which to generate key (default is internal)\n", " -h token-name"); FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n", " -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS); - FPS "%-20s Create a certificate restricted to RSA-PSS (rsa only)\n", - " --pss"); FPS "%-20s Name of file containing PQG parameters (dsa only)\n", " -q pqgfile"); +#ifndef NSS_DISABLE_ECC FPS "%-20s Elliptic curve name (ec only)\n", " -q curve-name"); FPS "%-20s See the \"-G\" option for a full list of supported names.\n", ""); +#endif /* NSS_DISABLE_ECC */ FPS "%-20s Self sign\n", " -x"); - FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n", - " --pss-sign"); FPS "%-20s Cert serial number\n", " -m serial-number"); FPS "%-20s Time Warp\n", @@ -1826,18 +1794,6 @@ luS(enum usage_level ul, const char *command) } static void -luBuildFlags(enum usage_level ul, const char *command) -{ - int is_my_command = (command && 0 == strcmp(command, "build-flags")); - if (ul == usage_all || !command || is_my_command) - FPS "%-15s Print enabled build flags relevant for NSS test execution\n", - "--build-flags"); - if (ul == usage_selected && !is_my_command) - return; - FPS "\n"); -} - -static void LongUsage(char *progName, enum usage_level ul, const char *command) { luA(ul, command); @@ -1851,7 +1807,6 @@ LongUsage(char *progName, enum usage_level ul, const char *command) luU(ul, command); luK(ul, command); luL(ul, command); - luBuildFlags(ul, command); luM(ul, command); luN(ul, command); luT(ul, command); 
@@ -1934,119 +1889,46 @@ MakeV1Cert(CERTCertDBHandle *handle, } static SECStatus -SetSignatureAlgorithm(PLArenaPool *arena, - SECAlgorithmID *signAlg, - SECAlgorithmID *spkiAlg, - SECOidTag hashAlgTag, - SECKEYPrivateKey *privKey, - PRBool pssSign) -{ - SECStatus rv; - - if (pssSign || - SECOID_GetAlgorithmTag(spkiAlg) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { - SECItem *srcParams; - SECItem *params; - - if (SECOID_GetAlgorithmTag(spkiAlg) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { - srcParams = &spkiAlg->parameters; - } else { - /* If the issuer's public key is RSA, the parameter field - * of the SPKI should be NULL, which can't be used as a - * basis of RSA-PSS parameters. */ - srcParams = NULL; - } - params = SEC_CreateSignatureAlgorithmParameters(arena, - NULL, - SEC_OID_PKCS1_RSA_PSS_SIGNATURE, - hashAlgTag, - srcParams, - privKey); - if (!params) { - SECU_PrintError(progName, "Could not create RSA-PSS parameters"); - return SECFailure; - } - rv = SECOID_SetAlgorithmID(arena, signAlg, - SEC_OID_PKCS1_RSA_PSS_SIGNATURE, - params); - if (rv != SECSuccess) { - SECU_PrintError(progName, "Could not set signature algorithm id."); - return rv; - } - } else { - KeyType keyType = SECKEY_GetPrivateKeyType(privKey); - SECOidTag algID; - - algID = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag); - if (algID == SEC_OID_UNKNOWN) { - SECU_PrintError(progName, "Unknown key or hash type for issuer."); - return SECFailure; - } - rv = SECOID_SetAlgorithmID(arena, signAlg, algID, 0); - if (rv != SECSuccess) { - SECU_PrintError(progName, "Could not set signature algorithm id."); - return rv; - } - } - return SECSuccess; -} - -static SECStatus SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign, SECOidTag hashAlgTag, SECKEYPrivateKey *privKey, char *issuerNickName, - int certVersion, PRBool pssSign, void *pwarg) + int certVersion, void *pwarg) { SECItem der; SECKEYPrivateKey *caPrivateKey = NULL; SECStatus rv; PLArenaPool *arena; - CERTCertificate *issuer; + 
SECOidTag algID; void *dummy; - arena = cert->arena; - - if (selfsign) { - issuer = cert; - } else { - issuer = PK11_FindCertFromNickname(issuerNickName, pwarg); + if (!selfsign) { + CERTCertificate *issuer = PK11_FindCertFromNickname(issuerNickName, pwarg); if ((CERTCertificate *)NULL == issuer) { SECU_PrintError(progName, "unable to find issuer with nickname %s", issuerNickName); - rv = SECFailure; - goto done; + return SECFailure; } + privKey = caPrivateKey = PK11_FindKeyByAnyCert(issuer, pwarg); + CERT_DestroyCertificate(issuer); if (caPrivateKey == NULL) { SECU_PrintError(progName, "unable to retrieve key %s", issuerNickName); - rv = SECFailure; - CERT_DestroyCertificate(issuer); - goto done; + return SECFailure; } } - if (pssSign && - (SECKEY_GetPrivateKeyType(privKey) != rsaKey && - SECKEY_GetPrivateKeyType(privKey) != rsaPssKey)) { - SECU_PrintError(progName, "unable to create RSA-PSS signature with key %s", - issuerNickName); + arena = cert->arena; + + algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, hashAlgTag); + if (algID == SEC_OID_UNKNOWN) { + fprintf(stderr, "Unknown key or hash type for issuer."); rv = SECFailure; - if (!selfsign) { - CERT_DestroyCertificate(issuer); - } goto done; } - rv = SetSignatureAlgorithm(arena, - &cert->signature, - &issuer->subjectPublicKeyInfo.algorithm, - hashAlgTag, - privKey, - pssSign); - if (!selfsign) { - CERT_DestroyCertificate(issuer); - } + rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0); if (rv != SECSuccess) { + fprintf(stderr, "Could not set signature algorithm id."); goto done; } @@ -2065,8 +1947,7 @@ SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign, break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; - goto done; + return SECFailure; } der.len = 0; 
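Review bot: The `default:` branch of the version switch in `SignCert` (the `@@ -2065` hunk) now does `return SECFailure;` where it used to `goto done`, so it skips whatever cleanup sits under `done:`. `caPrivateKey` is obtained with `PK11_FindKeyByAnyCert` earlier in the function and the label is outside this hunk, but if `done:` is where that key is destroyed, an unsupported `certVersion` leaves the issuer's private-key handle unreleased. Prefer `rv = SECFailure; goto done;` here, matching the other failure paths that follow the key lookup. In the `@@ -1934` hunk the two new `fprintf(stderr, ...)` messages also lack a trailing `\n`.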
@@ -2079,8 +1960,7 @@ SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign, goto done; } - rv = SEC_DerSignDataWithAlgorithmID(arena, &cert->derCert, der.data, der.len, - privKey, &cert->signature); + rv = SEC_DerSignData(arena, &cert->derCert, der.data, der.len, privKey, algID); if (rv != SECSuccess) { fprintf(stderr, "Could not sign encoded certificate data.\n"); /* result allocated out of the arena, it will be freed @@ -2113,7 +1993,6 @@ CreateCert( certutilExtnList extnList, const char *extGeneric, int certVersion, - PRBool pssSign, SECItem *certDER) { void *extHandle = NULL; @@ -2174,7 +2053,7 @@ CreateCert( rv = SignCert(handle, subjectCert, selfsign, hashAlgTag, *selfsignprivkey, issuerNickName, - certVersion, pssSign, pwarg); + certVersion, pwarg); if (rv != SECSuccess) break; @@ -2427,7 +2306,6 @@ enum { cmd_Merge, cmd_UpgradeMerge, /* test only */ cmd_Rename, - cmd_BuildFlags, max_cmd }; @@ -2498,7 +2376,6 @@ enum certutilOpts { opt_GenericExtensions, opt_NewNickname, opt_Pss, - opt_PssSign, opt_Help }; @@ -2530,9 +2407,7 @@ static const secuCommandFlag commands_init[] = { /* cmd_UpgradeMerge */ 0, PR_FALSE, 0, PR_FALSE, "upgrade-merge" }, { /* cmd_Rename */ 0, PR_FALSE, 0, PR_FALSE, - "rename" }, - { /* cmd_BuildFlags */ 0, PR_FALSE, 0, PR_FALSE, - "build-flags" } + "rename" } }; #define NUM_COMMANDS ((sizeof commands_init) / (sizeof commands_init[0])) @@ -2621,8 +2496,6 @@ static const secuCommandFlag options_init[] = "new-n" }, { /* opt_Pss */ 0, PR_FALSE, 0, PR_FALSE, "pss" }, - { /* opt_PssSign */ 0, PR_FALSE, 0, PR_FALSE, - "pss-sign" }, }; #define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0])) @@ -2719,10 +2592,6 @@ certutil_main(int argc, char **argv, PRBool initialize) exit(1); } - if (certutil.commands[cmd_BuildFlags].activated) { - PrintBuildFlags(); - } - if (certutil.options[opt_PasswordFile].arg) { pwdata.source = PW_FROMFILE; pwdata.data = certutil.options[opt_PasswordFile].arg; 
@@ -2752,10 +2621,12 @@ certutil_main(int argc, char **argv, PRBool initialize) progName, MIN_KEY_BITS, MAX_KEY_BITS); return 255; } +#ifndef NSS_DISABLE_ECC if (keytype == ecKey) { PR_fprintf(PR_STDERR, "%s -g: Not for ec keys.\n", progName); return 255; } +#endif /* NSS_DISABLE_ECC */ } /* -h specify token name */ @@ -2784,8 +2655,10 @@ certutil_main(int argc, char **argv, PRBool initialize) keytype = rsaKey; } else if (PL_strcmp(arg, "dsa") == 0) { keytype = dsaKey; +#ifndef NSS_DISABLE_ECC } else if (PL_strcmp(arg, "ec") == 0) { keytype = ecKey; +#endif /* NSS_DISABLE_ECC */ } else if (PL_strcmp(arg, "all") == 0) { keytype = nullKey; } else { @@ -2838,10 +2711,16 @@ certutil_main(int argc, char **argv, PRBool initialize) /* -q PQG file or curve name */ if (certutil.options[opt_PQGFile].activated) { +#ifndef NSS_DISABLE_ECC if ((keytype != dsaKey) && (keytype != ecKey)) { PR_fprintf(PR_STDERR, "%s -q: specifies a PQG file for DSA keys" " (-k dsa) or a named curve for EC keys (-k ec)\n)", progName); +#else /* } */ + if (keytype != dsaKey) { + PR_fprintf(PR_STDERR, "%s -q: PQG file is for DSA key (-k dsa).\n)", + progName); +#endif /* NSS_DISABLE_ECC */ return 255; } } 
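Review bot: The message added in the `#else` branch of the `-q` check (the `@@ -2838` hunk) ends in `\n)`, so a stray `)` is printed at the start of the following line. The string should end `(-k dsa).\n"`. The ECC branch just above carries the same trailing `)` in its unchanged lines and could be corrected at the same time.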
@@ -3153,43 +3032,11 @@ certutil_main(int argc, char **argv, PRBool initialize) /* If creating new database, initialize the password. */ if (certutil.commands[cmd_NewDBs].activated) { - if (certutil.options[opt_EmptyPassword].activated && (PK11_NeedUserInit(slot))) { - rv = PK11_InitPin(slot, (char *)NULL, ""); - } else { - rv = SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg, - certutil.options[opt_NewPasswordFile].arg); - } - if (rv != SECSuccess) { - SECU_PrintError(progName, "Could not set password for the slot"); - goto shutdown; - } - } - - /* if we are going to modify the cert database, - * make sure it's initialized */ - if (certutil.commands[cmd_ModifyCertTrust].activated || - certutil.commands[cmd_CreateAndAddCert].activated || - certutil.commands[cmd_AddCert].activated || - certutil.commands[cmd_AddEmailCert].activated) { - if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) { - char *password = NULL; - /* fetch the password from the command line or the file - * if no password is supplied, initialize the password to NULL */ - if (pwdata.source == PW_FROMFILE) { - password = SECU_FilePasswd(slot, PR_FALSE, pwdata.data); - } else if (pwdata.source == PW_PLAINTEXT) { - password = PL_strdup(pwdata.data); - } - rv = PK11_InitPin(slot, (char *)NULL, password ? password : ""); - if (password) { - PORT_Memset(password, 0, PL_strlen(password)); - PORT_Free(password); - } - if (rv != SECSuccess) { - SECU_PrintError(progName, "Could not set password for the slot"); - goto shutdown; - } - } + if (certutil.options[opt_EmptyPassword].activated && (PK11_NeedUserInit(slot))) + PK11_InitPin(slot, (char *)NULL, ""); + else + SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg, + certutil.options[opt_NewPasswordFile].arg); } /* walk through the upgrade merge if necessary. 
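Review bot: The results of `PK11_InitPin` and `SECU_ChangePW2` in the `cmd_NewDBs` branch are no longer checked, so a database whose password could not be set is treated as successfully created and the command carries on. Assign both calls to `rv` and stop on failure with `if (rv != SECSuccess) { SECU_PrintError(progName, "Could not set password for the slot"); goto shutdown; }`. The unbraced `if`/`else` around two multi-line calls is also easy to break on a later edit, so brace both arms. The `cmd_ChangePassword` hunk (`@@ -3390`) has the related problem that a failed `SECU_ChangePW2` now reaches `shutdown` without any message.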
@@ -3367,12 +3214,12 @@ certutil_main(int argc, char **argv, PRBool initialize) } /* Delete cert (-D) */ if (certutil.commands[cmd_DeleteCert].activated) { - rv = DeleteCert(certHandle, name, &pwdata); + rv = DeleteCert(certHandle, name); goto shutdown; } /* Rename cert (--rename) */ if (certutil.commands[cmd_Rename].activated) { - rv = RenameCert(certHandle, name, newName, &pwdata); + rv = RenameCert(certHandle, name, newName); goto shutdown; } /* Delete key (-F) */ @@ -3390,10 +3237,7 @@ certutil_main(int argc, char **argv, PRBool initialize) if (certutil.commands[cmd_ChangePassword].activated) { rv = SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg, certutil.options[opt_NewPasswordFile].arg); - if (rv != SECSuccess) { - SECU_PrintError(progName, "Could not set password for the slot"); - goto shutdown; - } + goto shutdown; } /* Reset the a token */ if (certutil.commands[cmd_TokenReset].activated) { @@ -3518,25 +3362,6 @@ certutil_main(int argc, char **argv, PRBool initialize) } } - /* --pss-sign is to sign a certificate with RSA-PSS, even if the - * issuer's key is an RSA key. If the key is an RSA-PSS key, the - * generated signature is always RSA-PSS. */ - if (certutil.options[opt_PssSign].activated) { - if (!certutil.commands[cmd_CreateNewCert].activated && - !certutil.commands[cmd_CreateAndAddCert].activated) { - PR_fprintf(PR_STDERR, - "%s -%c: --pss-sign only works with -C or -S.\n", - progName, commandToRun); - return 255; - } - if (keytype != rsaKey) { - PR_fprintf(PR_STDERR, - "%s -%c: --pss-sign only works with RSA keys.\n", - progName, commandToRun); - return 255; - } - } - /* If we need a list of extensions convert the flags into list format */ if (certutil.commands[cmd_CertReq].activated || certutil.commands[cmd_CreateAndAddCert].activated || 
@@ -3674,7 +3499,6 @@ certutil_main(int argc, char **argv, PRBool initialize) (certutil.options[opt_GenericExtensions].activated ? certutil.options[opt_GenericExtensions].arg : NULL), certVersion, - certutil.options[opt_PssSign].activated, &certDER); if (rv) goto shutdown; diff --git a/security/nss/cmd/certutil/keystuff.c b/security/nss/cmd/certutil/keystuff.c index 330284c61..2878e3765 100644 --- a/security/nss/cmd/certutil/keystuff.c +++ b/security/nss/cmd/certutil/keystuff.c @@ -380,6 +380,7 @@ CERTUTIL_FileForRNG(const char *noise) return SECSuccess; } +#ifndef NSS_DISABLE_ECC typedef struct curveNameTagPairStr { char *curveName; SECOidTag curveOidTag; @@ -494,9 +495,9 @@ getECParams(const char *curve) ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len)); - /* + /* * ecparams->data needs to contain the ASN encoding of an object ID (OID) - * representing the named curve. The actual OID is in + * representing the named curve. The actual OID is in * oidData->oid.data so we simply prepend 0x06 and OID length */ ecparams->data[0] = SEC_ASN1_OBJECT_ID; @@ -505,6 +506,7 @@ getECParams(const char *curve) return ecparams; } +#endif /* NSS_DISABLE_ECC */ SECKEYPrivateKey * CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size, @@ -562,12 +564,14 @@ CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size, params = (void *)&default_pqg_params; } break; +#ifndef NSS_DISABLE_ECC case ecKey: mechanism = CKM_EC_KEY_PAIR_GEN; /* For EC keys, PQGFile determines EC parameters */ if ((params = (void *)getECParams(pqgFile)) == NULL) return NULL; break; +#endif /* NSS_DISABLE_ECC */ default: return NULL; } 
@@ -576,7 +580,8 @@ CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size, fprintf(stderr, "Generating key. This may take a few moments...\n\n"); privKey = PK11_GenerateKeyPairWithOpFlags(slot, mechanism, params, pubkeyp, - attrFlags, opFlagsOn, opFlagsOn | opFlagsOff, + attrFlags, opFlagsOn, opFlagsOn | + opFlagsOff, pwdata /*wincx*/); /* free up the params */ switch (keytype) { @@ -584,9 +589,11 @@ CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size, if (dsaparams) CERTUTIL_DestroyParamsPQG(dsaparams); break; +#ifndef NSS_DISABLE_ECC case ecKey: SECITEM_FreeItem((SECItem *)params, PR_TRUE); break; +#endif default: /* nothing to free */ break; } diff --git a/security/nss/cmd/crlutil/crlgen.c b/security/nss/cmd/crlutil/crlgen.c index fce5e2a60..1f9dc4b43 100644 --- a/security/nss/cmd/crlutil/crlgen.c +++ b/security/nss/cmd/crlutil/crlgen.c @@ -616,7 +616,8 @@ crlgen_CreateInvalidityDate(PLArenaPool *arena, const char **dataArr, goto loser; } - PORT_Memcpy(encodedItem->data, dataArr[2], (encodedItem->len = length) * sizeof(char)); + PORT_Memcpy(encodedItem->data, dataArr[2], (encodedItem->len = length) * + sizeof(char)); *extCode = SEC_OID_X509_INVALID_DATE; return encodedItem; diff --git a/security/nss/cmd/fipstest/fipstest.c b/security/nss/cmd/fipstest/fipstest.c index 061f3dde0..ab73e42a5 100644 --- a/security/nss/cmd/fipstest/fipstest.c +++ b/security/nss/cmd/fipstest/fipstest.c @@ -35,11 +35,13 @@ #include "../../lib/freebl/mpi/mpi.h" #endif +#ifndef NSS_DISABLE_ECC extern SECStatus EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams); extern SECStatus EC_CopyParams(PLArenaPool *arena, ECParams *dstParams, const ECParams *srcParams); +#endif #define ENCRYPT 1 #define DECRYPT 0 @@ -2092,6 +2094,7 @@ get_next_line(FILE *req, char *key, char *val, FILE *rsp) return (c == EOF) ? -1 : ignore; } +#ifndef NSS_DISABLE_ECC typedef struct curveNameTagPairStr { char *curveName; SECOidTag curveOidTag; 
@@ -2955,6 +2958,7 @@ loser: } fclose(ecdsareq); } +#endif /* NSS_DISABLE_ECC */ PRBool isblankline(char *b) @@ -5922,7 +5926,8 @@ tls(char *reqfn) goto loser; } crv = NSC_DeriveKey(session, &master_mech, pms_handle, - derive_template, derive_template_count - 1, + derive_template, derive_template_count - + 1, &master_handle); if (crv != CKR_OK) { fprintf(stderr, "NSC_DeriveKey(master) failed crv=0x%x\n", @@ -6089,6 +6094,7 @@ main(int argc, char **argv) /* Signature Verification Test */ dsa_sigver_test(argv[3]); } +#ifndef NSS_DISABLE_ECC /*************/ /* ECDSA */ /*************/ @@ -6107,6 +6113,7 @@ main(int argc, char **argv) /* Signature Verification Test */ ecdsa_sigver_test(argv[3]); } +#endif /* NSS_DISABLE_ECC */ /*************/ /* RNG */ /*************/ diff --git a/security/nss/cmd/fipstest/runtest.sh b/security/nss/cmd/fipstest/runtest.sh index 5f8e66a08..99cefed77 100644 --- a/security/nss/cmd/fipstest/runtest.sh +++ b/security/nss/cmd/fipstest/runtest.sh @@ -7,6 +7,9 @@ TESTDIR=${1-.} COMMAND=${2-run} TESTS="aes aesgcm dsa ecdsa hmac tls rng rsa sha tdea" +if [ ${NSS_ENABLE_ECC}x = 1x ]; then + TESTS=${TESTS} ecdsa +fi for i in $TESTS do echo "********************Running $i tests" diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c index 2b33f8963..cb4752df9 100644 --- a/security/nss/cmd/lib/secutil.c +++ b/security/nss/cmd/lib/secutil.c @@ -54,10 +54,6 @@ static char consoleName[] = { static PRBool utf8DisplayEnabled = PR_FALSE; -/* The minimum password/pin length (in Unicode characters) in FIPS mode, - * defined in lib/softoken/pkcs11i.h. */ -#define FIPS_MIN_PIN 7 - void SECU_EnableUtf8Display(PRBool enable) { 
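Review bot: The added `TESTS=${TESTS} ecdsa` in runtest.sh does not append to the list; the shell reads it as a temporary environment assignment followed by an attempt to run a command named `ecdsa`. The unconditional line above still contains `ecdsa` in `TESTS="aes aesgcm dsa ecdsa ..."`, so the ECDSA vectors run whatever the switch says. The switch is also spelled `NSS_ENABLE_ECC` here, while the C files in this commit test `NSS_DISABLE_ECC`. Suggested: remove `ecdsa` from the base list and use `if [ "${NSS_ENABLE_ECC}" = 1 ]; then TESTS="${TESTS} ecdsa"; fi`, with whichever variable the build actually exports.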
@@ -240,8 +236,7 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg) sprintf(prompt, "Press Enter, then enter PIN for \"%s\" on external device.\n", PK11_GetTokenName(slot)); - char *pw = SECU_GetPasswordString(NULL, prompt); - PORT_Free(pw); + (void)SECU_GetPasswordString(NULL, prompt); /* Fall Through */ case PW_PLAINTEXT: return PL_strdup(pwdata->data); @@ -281,25 +276,10 @@ secu_InitSlotPassword(PK11SlotInfo *slot, PRBool retry, void *arg) } /* we have no password, so initialize database with one */ - if (PK11_IsFIPS()) { - PR_fprintf(PR_STDERR, - "Enter a password which will be used to encrypt your keys.\n" - "The password should be at least %d characters long,\n" - "and should consist of at least three character classes.\n" - "The available character classes are: digits (0-9), ASCII\n" - "lowercase letters, ASCII uppercase letters, ASCII\n" - "non-alphanumeric characters, and non-ASCII characters.\n\n" - "If an ASCII uppercase letter appears at the beginning of\n" - "the password, it is not counted toward its character class.\n" - "Similarly, if a digit appears at the end of the password,\n" - "it is not counted toward its character class.\n\n", - FIPS_MIN_PIN); - } else { - PR_fprintf(PR_STDERR, - "Enter a password which will be used to encrypt your keys.\n" - "The password should be at least 8 characters long,\n" - "and should contain at least one non-alphabetic character.\n\n"); - } + PR_fprintf(PR_STDERR, + "Enter a password which will be used to encrypt your keys.\n" + "The password should be at least 8 characters long,\n" + "and should contain at least one non-alphabetic character.\n\n"); output = fopen(consoleName, "w"); if (output == NULL) { 
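Review bot: `(void)SECU_GetPasswordString(NULL, prompt);` in the external-device case of SECU_GetModulePassword discards the returned buffer, so whatever the user typed at the prompt is leaked on every call. SECU_GetPasswordString is not visible here, but the removed lines freed its result, so it presumably returns allocated memory. Keep the pointer and clear it on release, e.g. `char *pw = SECU_GetPasswordString(NULL, prompt);` followed by `if (pw) PORT_ZFree(pw, PL_strlen(pw));`, so typed input does not linger on the heap.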
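Review bot: The prompt in secu_InitSlotPassword now prints the same advice in every mode, so in FIPS mode it no longer describes the rules the removed text spelled out (a `FIPS_MIN_PIN` minimum and three character classes). A password that follows the printed advice, eight characters with one non-alphabetic character, can then be rejected with no hint why. If the softoken in this tree still enforces the FIPS rules, keep a `PK11_IsFIPS()` branch for the message; the enforcement itself is not visible on this page.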
@@ -485,6 +465,48 @@ SECU_ConfigDirectory(const char *base) return buf; } +/*Turn off SSL for now */ +/* This gets called by SSL when server wants our cert & key */ +int +SECU_GetClientAuthData(void *arg, PRFileDesc *fd, + struct CERTDistNamesStr *caNames, + struct CERTCertificateStr **pRetCert, + struct SECKEYPrivateKeyStr **pRetKey) +{ + SECKEYPrivateKey *key; + CERTCertificate *cert; + int errsave; + + if (arg == NULL) { + fprintf(stderr, "no key/cert name specified for client auth\n"); + return -1; + } + cert = PK11_FindCertFromNickname(arg, NULL); + errsave = PORT_GetError(); + if (!cert) { + if (errsave == SEC_ERROR_BAD_PASSWORD) + fprintf(stderr, "Bad password\n"); + else if (errsave > 0) + fprintf(stderr, "Unable to read cert (error %d)\n", errsave); + else if (errsave == SEC_ERROR_BAD_DATABASE) + fprintf(stderr, "Unable to get cert from database (%d)\n", errsave); + else + fprintf(stderr, "SECKEY_FindKeyByName: internal error %d\n", errsave); + return -1; + } + + key = PK11_FindKeyByAnyCert(arg, NULL); + if (!key) { + fprintf(stderr, "Unable to get key (%d)\n", PORT_GetError()); + return -1; + } + + *pRetCert = cert; + *pRetKey = key; + + return 0; +} + SECStatus SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii, PRBool warnOnPrivateKeyInAsciiFile) @@ -969,7 +991,7 @@ secu_PrintUniversalString(FILE *out, const SECItem *i, const char *m, int level) for (s = my.data, d = tmp.data; len > 0; len--) { PRUint32 bmpChar = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3]; s += 4; - if (!isprint(bmpChar & 0xFF)) + if (!isprint(bmpChar)) goto loser; *d++ = (unsigned char)bmpChar; } @@ -1193,7 +1215,7 @@ secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level) SECU_Indent(out, level + 1); fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20); } else { - SECU_PrintInteger(out, ¶m.saltLength, "Salt length", level + 1); + SECU_PrintInteger(out, ¶m.saltLength, "Salt Length", level + 1); } } else { SECU_Indent(out, level + 1); 
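Review bot: In the added SECU_GetClientAuthData, `PK11_FindKeyByAnyCert(arg, NULL)` is given the nickname pointer instead of the certificate that was just looked up. Because `arg` is `void *` the compiler accepts it, but the callee would interpret the string bytes as a certificate structure. Pass the certificate, `key = PK11_FindKeyByAnyCert(cert, NULL);`, and release it on the failure path with `CERT_DestroyCertificate(cert);` before `return -1`, since the current code leaks the reference when the key lookup fails. `PORT_GetError()` is also read before the `!cert` test, so on success `errsave` holds a stale code; moving the call inside the failure branch makes that explicit.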
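Review bot: `isprint(bmpChar)` in secu_PrintUniversalString is called with a full 32-bit value assembled from four input bytes, but the `<ctype.h>` classifiers are only defined for values representable as `unsigned char` or EOF. A large code point in a certificate string can therefore index outside the classification table on common C libraries. Range-check before classifying: `if (bmpChar > 0xFF || !isprint((int)bmpChar)) goto loser;`. That also stops `*d++ = (unsigned char)bmpChar;` from silently truncating characters that do not fit in one byte.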
@@ -1313,12 +1335,15 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level) return; } + if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { + secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level + 1); + return; + } + if (a->parameters.len == 0 || (a->parameters.len == 2 && PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) { /* No arguments or NULL argument */ - } else if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { - secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level + 1); } else { /* Print args to algorithm */ SECU_PrintAsHex(out, &a->parameters, "Args", level + 1); @@ -1365,6 +1390,7 @@ secu_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, char *m, int level) } } +#ifndef NSS_DISABLE_ECC static void secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) { @@ -1383,6 +1409,7 @@ secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) SECU_PrintObjectID(out, &curveOID, "Curve", level + 1); } } +#endif /* NSS_DISABLE_ECC */ void SECU_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) @@ -1430,9 +1457,11 @@ secu_PrintSubjectPublicKeyInfo(FILE *out, PLArenaPool *arena, SECU_PrintDSAPublicKey(out, pk, "DSA Public Key", level + 1); break; +#ifndef NSS_DISABLE_ECC case ecKey: secu_PrintECPublicKey(out, pk, "EC Public Key", level + 1); break; +#endif case dhKey: case fortezzaKey: 
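Review bot: The relocated `SEC_OID_PKCS1_RSA_PSS_SIGNATURE` branch in SECU_PrintAlgorithmID now runs before the `a->parameters.len == 0` / `"\005\000"` test, so secu_PrintRSAPSSParams is called even when the AlgorithmIdentifier carries no parameters or an explicit DER NULL. Only a fragment of that helper is visible on this page; confirm it handles an empty or NULL-encoded item without decoding uninitialised fields. Otherwise keep the emptiness test first, as the removed `else if` ordering did. A comment at the early return stating which of the two behaviours is intended would help the next reader.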
@@ -3585,6 +3614,44 @@ loser: return rv; } +#if 0 + +/* we need access to the private function cert_FindExtension for this code to work */ + +CERTAuthKeyID * +SECU_FindCRLAuthKeyIDExten (PLArenaPool *arena, CERTSignedCrl *scrl) +{ + SECItem encodedExtenValue; + SECStatus rv; + CERTAuthKeyID *ret; + CERTCrl* crl; + + if (!scrl) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + crl = &scrl->crl; + + encodedExtenValue.data = NULL; + encodedExtenValue.len = 0; + + rv = cert_FindExtension(crl->extensions, SEC_OID_X509_AUTH_KEY_ID, + &encodedExtenValue); + if ( rv != SECSuccess ) { + return (NULL); + } + + ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue); + + PORT_Free(encodedExtenValue.data); + encodedExtenValue.data = NULL; + + return(ret); +} + +#endif + /* * Find the issuer of a Crl. Use the authorityKeyID if it exists. */ @@ -3658,7 +3725,7 @@ SECU_FindCertByNicknameOrFilename(CERTCertDBHandle *handle, void *pwarg) { CERTCertificate *the_cert; - the_cert = CERT_FindCertByNicknameOrEmailAddrCX(handle, name, pwarg); + the_cert = CERT_FindCertByNicknameOrEmailAddr(handle, name); if (the_cert) { return the_cert; } diff --git a/security/nss/cmd/libpkix/pkix/util/test_list2.c b/security/nss/cmd/libpkix/pkix/util/test_list2.c index b802ff0e6..7e4114e52 100644 --- a/security/nss/cmd/libpkix/pkix/util/test_list2.c +++ b/security/nss/cmd/libpkix/pkix/util/test_list2.c 
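Review bot: SECU_FindCertByNicknameOrFilename still accepts `pwarg`, but the lookup `CERT_FindCertByNicknameOrEmailAddr(handle, name)` no longer receives it, so no password context reaches the nickname search. The rest of the function is outside this hunk, so it is not visible whether `pwarg` is used further down. If it is not, say so in the function comment and note that a certificate held on a token that has not been logged into may not be found by nickname. Callers that pass a password context would otherwise assume it is honoured.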
@@ -78,14 +78,16 @@ test_list2(int argc, char *argv[]) for (i = 0; i < size; i++) for (j = 9; j > i; j--) { PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(list, j, &obj, plContext)); - PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(list, j - 1, + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(list, j - + 1, &obj2, plContext)); PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare(obj, obj2, &cmpResult, plContext)); if (cmpResult < 0) { /* Exchange the items */ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem(list, j, obj2, plContext)); - PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem(list, j - 1, + PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem(list, j - + 1, obj, plContext)); } /* DecRef objects */ diff --git a/security/nss/cmd/listsuites/listsuites.c b/security/nss/cmd/listsuites/listsuites.c index 8eb2c3553..458130e5e 100644 --- a/security/nss/cmd/listsuites/listsuites.c +++ b/security/nss/cmd/listsuites/listsuites.c @@ -10,9 +10,7 @@ #include <errno.h> #include <stdio.h> -#include "nss.h" #include "secport.h" -#include "secutil.h" #include "ssl.h" int 
@@ -21,43 +19,6 @@ main(int argc, char **argv) const PRUint16 *cipherSuites = SSL_ImplementedCiphers; int i; int errCount = 0; - SECStatus rv; - PRErrorCode err; - char *certDir = NULL; - - /* load policy from $SSL_DIR/pkcs11.txt, for testing */ - certDir = SECU_DefaultSSLDir(); - if (certDir) { - rv = NSS_Init(certDir); - } else { - rv = NSS_NoDB_Init(NULL); - } - if (rv != SECSuccess) { - err = PR_GetError(); - ++errCount; - fprintf(stderr, "NSS_Init failed: %s\n", PORT_ErrorToString(err)); - goto out; - } - - /* apply policy */ - rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0); - if (rv != SECSuccess) { - err = PR_GetError(); - ++errCount; - fprintf(stderr, "NSS_SetAlgorithmPolicy failed: %s\n", - PORT_ErrorToString(err)); - goto out; - } - - /* update the default cipher suites according to the policy */ - rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); - if (rv != SECSuccess) { - err = PR_GetError(); - ++errCount; - fprintf(stderr, "SSL_OptionSetDefault failed: %s\n", - PORT_ErrorToString(err)); - goto out; - } fputs("This version of libSSL supports these cipher suites:\n\n", stdout); @@ -97,14 +58,5 @@ main(int argc, char **argv) info.isFIPS ? "FIPS" : "", info.nonStandard ? "nonStandard" : ""); } - -out: - rv = NSS_Shutdown(); - if (rv != SECSuccess) { - err = PR_GetError(); - ++errCount; - fprintf(stderr, "NSS_Shutdown failed: %s\n", PORT_ErrorToString(err)); - } - return errCount; } diff --git a/security/nss/cmd/manifest.mn b/security/nss/cmd/manifest.mn index f5e6bc236..153384ce1 100644 --- a/security/nss/cmd/manifest.mn +++ b/security/nss/cmd/manifest.mn @@ -63,7 +63,6 @@ NSS_SRCDIRS = \ pp \ pwdecrypt \ rsaperf \ - rsapoptst \ sdrtest \ selfserv \ signtool \ diff --git a/security/nss/cmd/modutil/error.h b/security/nss/cmd/modutil/error.h index d9f06592f..b328afebc 100644 --- a/security/nss/cmd/modutil/error.h +++ b/security/nss/cmd/modutil/error.h 
@@ -57,7 +57,6 @@ typedef enum { UNSPECIFIED_ERR, NOCERTDB_MISUSE_ERR, NSS_INITIALIZE_FAILED_ERR, - INITPW_FAILED_ERR, LAST_ERR /* must be last */ } Error; @@ -110,9 +109,8 @@ static char *errStrings[] = { "ERROR: Failed to change default.\n", "ERROR: Unable to read from standard input.\n", "ERROR: Unknown error occurred.\n", - "ERROR: -nocertdb option can only be used with the -jar command.\n", - "ERROR: NSS_Initialize() failed.\n", - "ERROR: Unable to set initial password on the database.\n" + "ERROR: -nocertdb option can only be used with the -jar command.\n" + "ERROR: NSS_Initialize() failed.\n" }; typedef enum { diff --git a/security/nss/cmd/modutil/install-ds.c b/security/nss/cmd/modutil/install-ds.c index 030568762..c8fef7897 100644 --- a/security/nss/cmd/modutil/install-ds.c +++ b/security/nss/cmd/modutil/install-ds.c @@ -975,7 +975,8 @@ Pk11Install_Platform_Print(Pk11Install_Platform* _this, int pad) printf("Doesn't use equiv\n"); } PAD(pad); - printf("Module File: %s\n", _this->moduleFile ? _this->moduleFile : "<NULL>"); + printf("Module File: %s\n", _this->moduleFile ? _this->moduleFile + : "<NULL>"); PAD(pad); printf("mechFlags: %lx\n", _this->mechFlags); PAD(pad); diff --git a/security/nss/cmd/modutil/modutil.c b/security/nss/cmd/modutil/modutil.c index c1b44be53..02972f7b4 100644 --- a/security/nss/cmd/modutil/modutil.c +++ b/security/nss/cmd/modutil/modutil.c @@ -865,7 +865,7 @@ main(int argc, char* argv[]) errcode = ChangePW(tokenName, pwFile, newpwFile); break; case CREATE_COMMAND: - errcode = InitPW(); + /* The work was already done in init_crypto() */ break; case DEFAULT_COMMAND: errcode = SetDefaultModule(moduleName, slotName, mechanisms); diff --git a/security/nss/cmd/modutil/modutil.h b/security/nss/cmd/modutil/modutil.h index 04aa908c8..127d0d0da 100644 --- a/security/nss/cmd/modutil/modutil.h +++ b/security/nss/cmd/modutil/modutil.h 
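Review bot: The two added literals in errStrings, `"ERROR: -nocertdb option can only be used with the -jar command.\n"` and `"ERROR: NSS_Initialize() failed.\n"`, have no comma between them, so the compiler concatenates them into a single array element. Assuming the rest of the table maps one-to-one onto the Error enum, the array is then one entry short and `errStrings[NSS_INITIALIZE_FAILED_ERR]` reads past its end. Entries of this table are used as `PR_fprintf` format strings (the removed InitPW on this page did so), which makes an out-of-range pointer worse than a wrong message. Restore the separator after the first literal: `"ERROR: -nocertdb option can only be used with the -jar command.\n",`. A compile-time check that the element count equals `LAST_ERR` would catch this kind of slip.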
@@ -29,7 +29,6 @@ Error AddModule(char *moduleName, char *libFile, char *ciphers, Error DeleteModule(char *moduleName); Error ListModule(char *moduleName); Error ListModules(); -Error InitPW(void); Error ChangePW(char *tokenName, char *pwFile, char *newpwFile); Error EnableModule(char *moduleName, char *slotName, PRBool enable); Error RawAddModule(char *dbmodulespec, char *modulespec); diff --git a/security/nss/cmd/modutil/pk11.c b/security/nss/cmd/modutil/pk11.c index 1efc1895c..834469af1 100644 --- a/security/nss/cmd/modutil/pk11.c +++ b/security/nss/cmd/modutil/pk11.c @@ -670,39 +670,6 @@ loser: /************************************************************************ * - * I n i t P W - */ -Error -InitPW(void) -{ - PK11SlotInfo *slot; - Error ret = UNSPECIFIED_ERR; - - slot = PK11_GetInternalKeySlot(); - if (!slot) { - PR_fprintf(PR_STDERR, errStrings[NO_SUCH_TOKEN_ERR], "internal"); - return NO_SUCH_TOKEN_ERR; - } - - /* Set the initial password to empty */ - if (PK11_NeedUserInit(slot)) { - if (PK11_InitPin(slot, NULL, "") != SECSuccess) { - PR_fprintf(PR_STDERR, errStrings[INITPW_FAILED_ERR]); - ret = INITPW_FAILED_ERR; - goto loser; - } - } - - ret = SUCCESS; - -loser: - PK11_FreeSlot(slot); - - return ret; -} - -/************************************************************************ - * * C h a n g e P W */ Error @@ -728,7 +695,7 @@ ChangePW(char *tokenName, char *pwFile, char *newpwFile) ret = BAD_PW_ERR; goto loser; } - } else if (PK11_NeedLogin(slot)) { + } else { for (matching = PR_FALSE; !matching;) { oldpw = SECU_GetPasswordString(NULL, "Enter old password: "); if (PK11_CheckUserPassword(slot, oldpw) == SECSuccess) { diff --git a/security/nss/cmd/multinit/multinit.c b/security/nss/cmd/multinit/multinit.c index 874263e56..a57c4819f 100644 --- a/security/nss/cmd/multinit/multinit.c +++ b/security/nss/cmd/multinit/multinit.c 
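Review bot: In ChangePW the plain `else` now prompts for the old password on every slot that reaches it, including one where `PK11_NeedLogin(slot)` is false. The loop `for (matching = PR_FALSE; !matching;)` only ends when `PK11_CheckUserPassword` succeeds, and the remainder of the function is outside this hunk. Confirm the loop can terminate for a token without a login requirement, and that each rejected `oldpw` is cleared and freed before the next prompt rather than overwritten. If the unconditional prompt is intended, a comment such as `/* always verify the old password, even when the slot reports no login needed */` would record that.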
@@ -502,7 +502,8 @@ do_list_certs(const char *progName, int log) SECU_PrintCertNickname(node, stderr); if (log) { - fprintf(stderr, "* Slot=%s*\n", cert->slot ? PK11_GetTokenName(cert->slot) : "none"); + fprintf(stderr, "* Slot=%s*\n", cert->slot ? PK11_GetTokenName(cert->slot) + : "none"); fprintf(stderr, "* Nickname=%s*\n", cert->nickname); fprintf(stderr, "* Subject=<%s>*\n", cert->subjectName); fprintf(stderr, "* Issuer=<%s>*\n", cert->issuerName); diff --git a/security/nss/cmd/pk11mode/pk11mode.c b/security/nss/cmd/pk11mode/pk11mode.c index 99891096c..2f1fa374e 100644 --- a/security/nss/cmd/pk11mode/pk11mode.c +++ b/security/nss/cmd/pk11mode/pk11mode.c 
@@ -2169,22 +2169,36 @@ PKM_Mechanism(CK_FUNCTION_LIST_PTR pFunctionList, PKM_LogIt(" ulMinKeySize = %lu\n", minfo.ulMinKeySize); PKM_LogIt(" ulMaxKeySize = %lu\n", minfo.ulMaxKeySize); PKM_LogIt(" flags = 0x%08x\n", minfo.flags); - PKM_LogIt(" -> HW = %s\n", minfo.flags & CKF_HW ? "TRUE" : "FALSE"); - PKM_LogIt(" -> ENCRYPT = %s\n", minfo.flags & CKF_ENCRYPT ? "TRUE" : "FALSE"); - PKM_LogIt(" -> DECRYPT = %s\n", minfo.flags & CKF_DECRYPT ? "TRUE" : "FALSE"); - PKM_LogIt(" -> DIGEST = %s\n", minfo.flags & CKF_DIGEST ? "TRUE" : "FALSE"); - PKM_LogIt(" -> SIGN = %s\n", minfo.flags & CKF_SIGN ? "TRUE" : "FALSE"); - PKM_LogIt(" -> SIGN_RECOVER = %s\n", minfo.flags & CKF_SIGN_RECOVER ? "TRUE" : "FALSE"); - PKM_LogIt(" -> VERIFY = %s\n", minfo.flags & CKF_VERIFY ? "TRUE" : "FALSE"); + PKM_LogIt(" -> HW = %s\n", minfo.flags & CKF_HW ? "TRUE" + : "FALSE"); + PKM_LogIt(" -> ENCRYPT = %s\n", minfo.flags & CKF_ENCRYPT ? "TRUE" + : "FALSE"); + PKM_LogIt(" -> DECRYPT = %s\n", minfo.flags & CKF_DECRYPT ? "TRUE" + : "FALSE"); + PKM_LogIt(" -> DIGEST = %s\n", minfo.flags & CKF_DIGEST ? "TRUE" + : "FALSE"); + PKM_LogIt(" -> SIGN = %s\n", minfo.flags & CKF_SIGN ? "TRUE" + : "FALSE"); + PKM_LogIt(" -> SIGN_RECOVER = %s\n", minfo.flags & + CKF_SIGN_RECOVER + ? "TRUE" + : "FALSE"); + PKM_LogIt(" -> VERIFY = %s\n", minfo.flags & CKF_VERIFY ? "TRUE" + : "FALSE"); PKM_LogIt(" -> VERIFY_RECOVER = %s\n", minfo.flags & CKF_VERIFY_RECOVER ? "TRUE" : "FALSE"); - PKM_LogIt(" -> GENERATE = %s\n", minfo.flags & CKF_GENERATE ? "TRUE" : "FALSE"); + PKM_LogIt(" -> GENERATE = %s\n", minfo.flags & CKF_GENERATE ? "TRUE" + : "FALSE"); PKM_LogIt(" -> GENERATE_KEY_PAIR = %s\n", minfo.flags & CKF_GENERATE_KEY_PAIR ? "TRUE" : "FALSE"); - PKM_LogIt(" -> WRAP = %s\n", minfo.flags & CKF_WRAP ? "TRUE" : "FALSE"); - PKM_LogIt(" -> UNWRAP = %s\n", minfo.flags & CKF_UNWRAP ? "TRUE" : "FALSE"); - PKM_LogIt(" -> DERIVE = %s\n", minfo.flags & CKF_DERIVE ? 
"TRUE" : "FALSE"); - PKM_LogIt(" -> EXTENSION = %s\n", minfo.flags & CKF_EXTENSION ? "TRUE" : "FALSE"); + PKM_LogIt(" -> WRAP = %s\n", minfo.flags & CKF_WRAP ? "TRUE" + : "FALSE"); + PKM_LogIt(" -> UNWRAP = %s\n", minfo.flags & CKF_UNWRAP ? "TRUE" + : "FALSE"); + PKM_LogIt(" -> DERIVE = %s\n", minfo.flags & CKF_DERIVE ? "TRUE" + : "FALSE"); + PKM_LogIt(" -> EXTENSION = %s\n", minfo.flags & CKF_EXTENSION ? "TRUE" + : "FALSE"); PKM_LogIt("\n"); } @@ -3590,12 +3604,24 @@ PKM_FindAllObjects(CK_FUNCTION_LIST_PTR pFunctionList, PKM_LogIt(" state = %lu\n", sinfo.state); PKM_LogIt(" flags = 0x%08x\n", sinfo.flags); #ifdef CKF_EXCLUSIVE_SESSION - PKM_LogIt(" -> EXCLUSIVE SESSION = %s\n", sinfo.flags & CKF_EXCLUSIVE_SESSION ? "TRUE" : "FALSE"); + PKM_LogIt(" -> EXCLUSIVE SESSION = %s\n", sinfo.flags & + CKF_EXCLUSIVE_SESSION + ? "TRUE" + : "FALSE"); #endif /* CKF_EXCLUSIVE_SESSION */ - PKM_LogIt(" -> RW SESSION = %s\n", sinfo.flags & CKF_RW_SESSION ? "TRUE" : "FALSE"); - PKM_LogIt(" -> SERIAL SESSION = %s\n", sinfo.flags & CKF_SERIAL_SESSION ? "TRUE" : "FALSE"); + PKM_LogIt(" -> RW SESSION = %s\n", sinfo.flags & + CKF_RW_SESSION + ? "TRUE" + : "FALSE"); + PKM_LogIt(" -> SERIAL SESSION = %s\n", sinfo.flags & + CKF_SERIAL_SESSION + ? "TRUE" + : "FALSE"); #ifdef CKF_INSERTION_CALLBACK - PKM_LogIt(" -> INSERTION CALLBACK = %s\n", sinfo.flags & CKF_INSERTION_CALLBACK ? "TRUE" : "FALSE"); + PKM_LogIt(" -> INSERTION CALLBACK = %s\n", sinfo.flags & + CKF_INSERTION_CALLBACK + ? "TRUE" + : "FALSE"); #endif /* CKF_INSERTION_CALLBACK */ PKM_LogIt(" ulDeviceError = %lu\n", sinfo.ulDeviceError); PKM_LogIt("\n"); diff --git a/security/nss/cmd/pk12util/pk12util.c b/security/nss/cmd/pk12util/pk12util.c index 70454a0d8..0ac1ba00e 100644 --- a/security/nss/cmd/pk12util/pk12util.c +++ b/security/nss/cmd/pk12util/pk12util.c @@ -23,7 +23,6 @@ static char *progName; PRBool pk12_debugging = PR_FALSE; PRBool dumpRawFile; -static PRBool pk12uForceUnicode; PRIntn pk12uErrno = 0; 
@@ -358,7 +357,6 @@ p12U_ReadPKCS12File(SECItem *uniPwp, char *in_file, PK11SlotInfo *slot, SECItem p12file = { 0 }; SECStatus rv = SECFailure; PRBool swapUnicode = PR_FALSE; - PRBool forceUnicode = pk12uForceUnicode; PRBool trypw; int error; @@ -426,18 +424,6 @@ p12U_ReadPKCS12File(SECItem *uniPwp, char *in_file, PK11SlotInfo *slot, SEC_PKCS12DecoderFinish(p12dcx); uniPwp->len = 0; trypw = PR_TRUE; - } else if (forceUnicode == pk12uForceUnicode) { - /* try again with a different password encoding */ - forceUnicode = !pk12uForceUnicode; - rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, - forceUnicode); - if (rv != SECSuccess) { - SECU_PrintError(progName, "PKCS12 decoding failed to set option"); - pk12uErrno = PK12UERR_DECODEVERIFY; - break; - } - SEC_PKCS12DecoderFinish(p12dcx); - trypw = PR_TRUE; } else { SECU_PrintError(progName, "PKCS12 decode not verified"); pk12uErrno = PK12UERR_DECODEVERIFY; @@ -445,15 +431,6 @@ p12U_ReadPKCS12File(SECItem *uniPwp, char *in_file, PK11SlotInfo *slot, } } } while (trypw == PR_TRUE); - - /* revert the option setting */ - if (forceUnicode != pk12uForceUnicode) { - rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode); - if (rv != SECSuccess) { - SECU_PrintError(progName, "PKCS12 decoding failed to set option"); - pk12uErrno = PK12UERR_DECODEVERIFY; - } - } /* rv has been set at this point */ done: @@ -493,8 +470,6 @@ P12U_ImportPKCS12Object(char *in_file, PK11SlotInfo *slot, { SEC_PKCS12DecoderContext *p12dcx = NULL; SECItem uniPwitem = { 0 }; - PRBool forceUnicode = pk12uForceUnicode; - PRBool trypw; SECStatus rv = SECFailure; rv = P12U_InitSlot(slot, slotPw); 
@@ -505,62 +480,31 @@ P12U_ImportPKCS12Object(char *in_file, PK11SlotInfo *slot, return rv; } - do { - trypw = PR_FALSE; /* normally we do this once */ - rv = SECFailure; - p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw); - - if (p12dcx == NULL) { - goto loser; - } + rv = SECFailure; + p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw); - /* make sure the bags are okey dokey -- nicknames correct, etc. */ - rv = SEC_PKCS12DecoderValidateBags(p12dcx, P12U_NicknameCollisionCallback); - if (rv != SECSuccess) { - if (PORT_GetError() == SEC_ERROR_PKCS12_DUPLICATE_DATA) { - pk12uErrno = PK12UERR_CERTALREADYEXISTS; - } else { - pk12uErrno = PK12UERR_DECODEVALIBAGS; - } - SECU_PrintError(progName, "PKCS12 decode validate bags failed"); - goto loser; - } + if (p12dcx == NULL) { + goto loser; + } - /* stuff 'em in */ - if (forceUnicode != pk12uForceUnicode) { - rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, - forceUnicode); - if (rv != SECSuccess) { - SECU_PrintError(progName, "PKCS12 decode set option failed"); - pk12uErrno = PK12UERR_DECODEIMPTBAGS; - goto loser; - } - } - rv = SEC_PKCS12DecoderImportBags(p12dcx); - if (rv != SECSuccess) { - if (PR_GetError() == SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY && - forceUnicode == pk12uForceUnicode) { - /* try again with a different password encoding */ - forceUnicode = !pk12uForceUnicode; - SEC_PKCS12DecoderFinish(p12dcx); - SECITEM_ZfreeItem(&uniPwitem, PR_FALSE); - trypw = PR_TRUE; - } else { - SECU_PrintError(progName, "PKCS12 decode import bags failed"); - pk12uErrno = PK12UERR_DECODEIMPTBAGS; - goto loser; - } + /* make sure the bags are okey dokey -- nicknames correct, etc. 
*/ + rv = SEC_PKCS12DecoderValidateBags(p12dcx, P12U_NicknameCollisionCallback); + if (rv != SECSuccess) { + if (PORT_GetError() == SEC_ERROR_PKCS12_DUPLICATE_DATA) { + pk12uErrno = PK12UERR_CERTALREADYEXISTS; + } else { + pk12uErrno = PK12UERR_DECODEVALIBAGS; } - } while (trypw); + SECU_PrintError(progName, "PKCS12 decode validate bags failed"); + goto loser; + } - /* revert the option setting */ - if (forceUnicode != pk12uForceUnicode) { - rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode); - if (rv != SECSuccess) { - SECU_PrintError(progName, "PKCS12 decode set option failed"); - pk12uErrno = PK12UERR_DECODEIMPTBAGS; - goto loser; - } + /* stuff 'em in */ + rv = SEC_PKCS12DecoderImportBags(p12dcx); + if (rv != SECSuccess) { + SECU_PrintError(progName, "PKCS12 decode import bags failed"); + pk12uErrno = PK12UERR_DECODEIMPTBAGS; + goto loser; } fprintf(stdout, "%s: PKCS12 IMPORT SUCCESSFUL\n", progName); @@ -1003,7 +947,6 @@ main(int argc, char **argv) int keyLen = 0; int certKeyLen = 0; secuCommand pk12util; - PRInt32 forceUnicode; #ifdef _CRTDBG_MAP_ALLOC _CrtSetDbgFlag(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF); @@ -1035,14 +978,6 @@ main(int argc, char **argv) Usage(progName); } - rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode); - if (rv != SECSuccess) { - SECU_PrintError(progName, - "Failed to get NSS_PKCS12_DECODE_FORCE_UNICODE option"); - Usage(progName); - } - pk12uForceUnicode = forceUnicode; - slotname = SECU_GetOptionArg(&pk12util, opt_TokenName); import_file = (pk12util.options[opt_List].activated) ? SECU_GetOptionArg(&pk12util, opt_List) diff --git a/security/nss/cmd/pp/pp.c b/security/nss/cmd/pp/pp.c index d6e276834..9f33d10a4 100644 --- a/security/nss/cmd/pp/pp.c +++ b/security/nss/cmd/pp/pp.c 
@@ -84,8 +84,6 @@ main(int argc, char **argv) if (!inFile) { fprintf(stderr, "%s: unable to open \"%s\" for reading\n", progName, optstate->value); - PORT_Free(typeTag); - PL_DestroyOptState(optstate); return -1; } break; @@ -95,8 +93,6 @@ main(int argc, char **argv) if (!outFile) { fprintf(stderr, "%s: unable to open \"%s\" for writing\n", progName, optstate->value); - PORT_Free(typeTag); - PL_DestroyOptState(optstate); return -1; } break; diff --git a/security/nss/cmd/rsaperf/rsaperf.c b/security/nss/cmd/rsaperf/rsaperf.c index 2bb23856e..556030f6a 100644 --- a/security/nss/cmd/rsaperf/rsaperf.c +++ b/security/nss/cmd/rsaperf/rsaperf.c @@ -671,7 +671,8 @@ main(int argc, char **argv) printf("%ld iterations in %s\n", iters, TimingGenerateString(timeCtx)); - printf("%.2f operations/s .\n", ((double)(iters) * (double)1000000.0) / (double)timeCtx->interval); + printf("%.2f operations/s .\n", ((double)(iters) * (double)1000000.0) / + (double)timeCtx->interval); TimingDivide(timeCtx, iters); printf("one operation every %s\n", TimingGenerateString(timeCtx)); diff --git a/security/nss/cmd/rsapoptst/rsapoptst.c b/security/nss/cmd/rsapoptst/rsapoptst.c index d9468e6d6..81ddcd6c4 100644 --- a/security/nss/cmd/rsapoptst/rsapoptst.c +++ b/security/nss/cmd/rsapoptst/rsapoptst.c @@ -23,7 +23,7 @@ static const struct test_args test_array[] = { { "d_n_q", 0x02, "private exponent, modulus, prime2" }, { "d_p_q", 0x04, "private exponent, prime1, prime2" }, { "e_d_q", 0x08, "public exponent, private exponent, prime2" }, - { "e_d_n", 0x10, "public exponent, private exponent, modulus" } + { "e_d_n", 0x10, "public exponent, private exponent, moduls" } }; static const int test_array_size = (sizeof(test_array) / sizeof(struct test_args)); 
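Review bot: The description for the `e_d_n` entry of test_array now reads `moduls`, and this text is printed as the test's description. The neighbouring `d_n_q` entry spells it `modulus`, so the line should stay `{ "e_d_n", 0x10, "public exponent, private exponent, modulus" }`.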
@@ -58,7 +58,6 @@ const static CK_ATTRIBUTE rsaTemplate[] = { { CKA_TOKEN, NULL, 0 }, { CKA_SENSITIVE, NULL, 0 }, { CKA_PRIVATE, NULL, 0 }, - { CKA_ID, NULL, 0 }, { CKA_MODULUS, NULL, 0 }, { CKA_PUBLIC_EXPONENT, NULL, 0 }, { CKA_PRIVATE_EXPONENT, NULL, 0 }, 
@@ -124,77 +123,46 @@ fail: #define ATTR_STRING(x) getNameFromAttribute(x) -static void -dumphex(FILE *file, const unsigned char *cpval, int start, int end) -{ - int i; - for (i = start; i < end; i++) { - if ((i % 16) == 0) - fprintf(file, "\n "); - fprintf(file, " %02x", cpval[i]); - } - return; -} - void -dumpTemplate(FILE *file, const CK_ATTRIBUTE *template, int start, int end) +dumpTemplate(CK_ATTRIBUTE *template, int start, int end) { - int i; - for (i = start; i < end; i++) { + int i, j; + for (i = 0; i < end; i++) { unsigned char cval; CK_ULONG ulval; - const unsigned char *cpval; + unsigned char *cpval; - fprintf(file, "%s:", ATTR_STRING(template[i].type)); + fprintf(stderr, "%s:", ATTR_STRING(template[i].type)); switch (template[i].ulValueLen) { case 1: cval = *(unsigned char *)template[i].pValue; switch (cval) { case 0: - fprintf(file, " false"); + fprintf(stderr, " false"); break; case 1: - fprintf(file, " true"); + fprintf(stderr, " true"); break; default: - fprintf(file, " %d (=0x%02x,'%c')", cval, cval, cval); + fprintf(stderr, " %d (=0x%02x,'%c')", cval, cval, cval); break; } break; case sizeof(CK_ULONG): ulval = *(CK_ULONG *)template[i].pValue; - fprintf(file, " %ld (=0x%04lx)", ulval, ulval); + fprintf(stderr, " %ld (=0x%04lx)", ulval, ulval); break; default: - cpval = (const unsigned char *)template[i].pValue; - dumphex(file, cpval, 0, template[i].ulValueLen); + cpval = (unsigned char *)template[i].pValue; + for (j = 0; j < template[i].ulValueLen; j++) { + if ((j % 16) == 0) + fprintf(stderr, "\n "); + fprintf(stderr, " %02x", cpval[j]); + } break; } - fprintf(file, "\n"); - } -} - -void -dumpItem(FILE *file, const SECItem *item) -{ - const unsigned char *cpval; - - if (item == NULL) { - fprintf(file, " pNULL "); - return; - } - if (item->data == NULL) { - fprintf(file, " NULL "); - return; + fprintf(stderr, "\n"); } - if (item->len == 0) { - fprintf(file, " Empty "); - return; - } - cpval = item->data; - dumphex(file, cpval, 0, item->len); - 
fprintf(file, " "); - return; } PRBool @@ -216,16 +184,13 @@ rsaKeysAreEqual(PK11ObjectType srcType, void *src, printf("Could read source key\n"); return PR_FALSE; } - rv = readKey(destType, dest, destTemplate, 0, RSA_ATTRIBUTES); + readKey(destType, dest, destTemplate, 0, RSA_ATTRIBUTES); if (rv != SECSuccess) { printf("Could read dest key\n"); return PR_FALSE; } for (i = 0; i < RSA_ATTRIBUTES; i++) { - if (srcTemplate[i].type == CKA_ID) { - continue; /* we purposefully make the CKA_ID different */ - } if (srcTemplate[i].ulValueLen != destTemplate[i].ulValueLen) { printf("key->%s not equal src_len = %ld, dest_len=%ld\n", ATTR_STRING(srcTemplate[i].type), @@ -239,22 +204,18 @@ rsaKeysAreEqual(PK11ObjectType srcType, void *src, } if (!areEqual) { fprintf(stderr, "original key:\n"); - dumpTemplate(stderr, srcTemplate, 0, RSA_ATTRIBUTES); + dumpTemplate(srcTemplate, 0, RSA_ATTRIBUTES); fprintf(stderr, "created key:\n"); - dumpTemplate(stderr, destTemplate, 0, RSA_ATTRIBUTES); + dumpTemplate(destTemplate, 0, RSA_ATTRIBUTES); } - resetTemplate(srcTemplate, 0, RSA_ATTRIBUTES); - resetTemplate(destTemplate, 0, RSA_ATTRIBUTES); return areEqual; } static int exp_exp_prime_fail_count = 0; -#define LEAK_ID 0xf - static int doRSAPopulateTest(unsigned int keySize, unsigned long exponent, - int mask, int round, void *pwarg) + int mask, void *pwarg) { SECKEYPrivateKey *rsaPrivKey; SECKEYPublicKey *rsaPubKey; @@ -266,10 +227,7 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, CK_OBJECT_CLASS obj_class = CKO_PRIVATE_KEY; CK_KEY_TYPE key_type = CKK_RSA; CK_BBOOL ck_false = CK_FALSE; - CK_BYTE cka_id[2] = { 0, 0 }; int failed = 0; - int leak_found; /* did we find the expected leak */ - int expect_leak = 0; /* are we expecting a leak? */ rsaParams.pe = exponent; rsaParams.keySizeInBits = keySize; 
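Review bot: The new dumpTemplate loop starts at `i = 0` and never reads its `start` parameter, so a caller that passes a non-zero `start` gets entries it did not ask for; use `for (i = start; i < end; i++)`. The inner loop compares `int j` with the unsigned `template[i].ulValueLen`, which a `CK_ULONG j` avoids. The function dumps raw attribute values of a private-key template to stderr, so a comment such as `/* debug aid: prints key material, test keys only */` would make that expectation explicit.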
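Review bot: In rsaKeysAreEqual the result of the second `readKey(destType, dest, destTemplate, 0, RSA_ATTRIBUTES)` is no longer assigned, so the `if (rv != SECSuccess)` after it re-tests the value left by the source read. A failed read of the destination key then goes unnoticed and the comparison loop runs over a template that was never filled in. Keep the assignment: `rv = readKey(destType, dest, destTemplate, 0, RSA_ATTRIBUTES);`.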
@@ -301,15 +259,11 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, tstTemplate[3].ulValueLen = sizeof(ck_false); tstTemplate[4].pValue = &ck_false; tstTemplate[4].ulValueLen = sizeof(ck_false); - tstTemplate[5].pValue = &cka_id[0]; - tstTemplate[5].ulValueLen = sizeof(cka_id); - tstHeaderCount = 6; - cka_id[0] = round; + tstHeaderCount = 5; if (mask & 1) { printf("%s\n", test_array[1].description); resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES); - cka_id[1] = 0; copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, tstHeaderCount, CKA_PUBLIC_EXPONENT); copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, @@ -317,10 +271,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, tstHeaderCount + 2, CKA_PRIME_1); - tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate, - tstHeaderCount + - 3, - PR_FALSE); + tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate, + tstHeaderCount + + 3, + PR_FALSE); if (tstPrivKey == NULL) { fprintf(stderr, "RSA Populate failed: pubExp mod p\n"); failed = 1; @@ -336,7 +290,6 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, printf("%s\n", test_array[2].description); /* test the basic2 case, public exponent, modulus, prime2 */ resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES); - cka_id[1] = 1; copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, tstHeaderCount, CKA_PUBLIC_EXPONENT); copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, 
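Review bot: The key objects built here with `PK11_CreateGenericObject` are released only through `PK11_DestroyGenericObject`, and a comment removed further down in this file said that using this older call "will create a leak". The same substitution is made in the hunks at `@@ -346`, `@@ -377` and `@@ -404`. If that still holds, each test case may leave a reconstructed RSA private-key object behind in the slot, and the `PK11_FindGenericObjects` scan that used to detect this is removed by the same commit. At minimum, record it at the first call with a comment such as `/* objects made with PK11_CreateGenericObject may outlive PK11_DestroyGenericObject; private keys can remain in the slot */`. `doRSAPopulateTest` begins and ends outside this hunk.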
@@ -346,10 +299,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, /* test with q in the prime1 position */ tstTemplate[tstHeaderCount + 2].type = CKA_PRIME_1; - tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate, - tstHeaderCount + - 3, - PR_FALSE); + tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate, + tstHeaderCount + + 3, + PR_FALSE); if (tstPrivKey == NULL) { fprintf(stderr, "RSA Populate failed: pubExp mod q\n"); failed = 1; @@ -365,7 +318,6 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, printf("%s\n", test_array[3].description); /* test the medium case, private exponent, prime1, prime2 */ resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES); - cka_id[1] = 2; copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, tstHeaderCount, CKA_PRIVATE_EXPONENT); @@ -377,10 +329,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, tstTemplate[tstHeaderCount + 2].type = CKA_PRIME_1; tstTemplate[tstHeaderCount + 1].type = CKA_PRIME_2; - tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate, - tstHeaderCount + - 3, - PR_FALSE); + tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate, + tstHeaderCount + + 3, + PR_FALSE); if (tstPrivKey == NULL) { fprintf(stderr, "RSA Populate failed: privExp p q\n"); failed = 1; @@ -396,7 +348,6 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, printf("%s\n", test_array[4].description); /* test the advanced case, public exponent, private exponent, prime2 */ resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES); - cka_id[1] = 3; copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, tstHeaderCount, CKA_PRIVATE_EXPONENT); copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, 
@@ -404,10 +355,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, tstHeaderCount + 2, CKA_PRIME_2); - tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate, - tstHeaderCount + - 3, - PR_FALSE); + tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate, + tstHeaderCount + + 3, + PR_FALSE); if (tstPrivKey == NULL) { fprintf(stderr, "RSA Populate failed: pubExp privExp q\n"); fprintf(stderr, " this is expected periodically. It means we\n"); @@ -422,12 +373,11 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, if (tstPrivKey) PK11_DestroyGenericObject(tstPrivKey); } - if (mask & 0x10) { + if (mask & 16) { printf("%s\n", test_array[5].description); /* test the advanced case2, public exponent, private exponent, modulus */ resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES); - cka_id[1] = LEAK_ID; copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, tstHeaderCount, CKA_PRIVATE_EXPONENT); @@ -436,7 +386,6 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate, tstHeaderCount + 2, CKA_MODULUS); - /* purposefully use the old version. This will create a leak */ tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate, tstHeaderCount + 3, 
@@ -449,59 +398,9 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent, fprintf(stderr, "RSA Populate key mismatch: pubExp privExp mod\n"); failed = 1; } - expect_leak = 1; if (tstPrivKey) PK11_DestroyGenericObject(tstPrivKey); } - resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES); - SECKEY_DestroyPrivateKey(rsaPrivKey); - SECKEY_DestroyPublicKey(rsaPubKey); - - /* make sure we didn't leak */ - leak_found = 0; - tstPrivKey = PK11_FindGenericObjects(slot, CKO_PRIVATE_KEY); - if (tstPrivKey) { - SECStatus rv; - PK11GenericObject *thisKey; - int i; - - fprintf(stderr, "Leaking keys...\n"); - for (i = 0, thisKey = tstPrivKey; thisKey; i++, - thisKey = PK11_GetNextGenericObject(thisKey)) { - SECItem id = { 0, NULL, 0 }; - - rv = PK11_ReadRawAttribute(PK11_TypeGeneric, thisKey, - CKA_ID, &id); - if (rv != SECSuccess) { - fprintf(stderr, "Key %d: couldn't read CKA_ID: %s\n", - i, PORT_ErrorToString(PORT_GetError())); - continue; - } - fprintf(stderr, "id = { "); - dumpItem(stderr, &id); - fprintf(stderr, "};"); - if (id.data[1] == LEAK_ID) { - fprintf(stderr, " ---> leak expected\n"); - if (id.data[0] == round) - leak_found = 1; - } else { - if (id.len != sizeof(cka_id)) { - fprintf(stderr, - " ---> ERROR unexpected leak in generated key\n"); - } else { - fprintf(stderr, - " ---> ERROR unexpected leak in constructed key\n"); - } - failed = 1; - } - SECITEM_FreeItem(&id, PR_FALSE); - } - PK11_DestroyGenericObjects(tstPrivKey); - } - if (expect_leak && !leak_found) { - fprintf(stderr, "ERROR expected leak not found\n"); - failed = 1; - } PK11_FreeSlot(slot); return failed ? -1 : 0; @@ -618,7 +517,7 @@ main(int argc, char **argv) exp_exp_prime_fail_count = 0; for (i = 0; i < repeat; i++) { printf("Running RSA Populate test run %d\n", i); - ret = doRSAPopulateTest(keySize, exponent, mask, i, NULL); + ret = doRSAPopulateTest(keySize, exponent, mask, NULL); if (ret != 0) { i++; break; 
@@ -632,9 +531,5 @@ main(int argc, char **argv) exp_exp_prime_fail_count, i, (((double)exp_exp_prime_fail_count) * 100.0) / (double)i); } - if (NSS_Shutdown() != SECSuccess) { - fprintf(stderr, "Shutdown failed\n"); - ret = -1; - } return ret; } diff --git a/security/nss/cmd/rsapoptst/rsapoptst.gyp b/security/nss/cmd/rsapoptst/rsapoptst.gyp deleted file mode 100644 index 325a10909..000000000 --- a/security/nss/cmd/rsapoptst/rsapoptst.gyp +++ /dev/null @@ -1,25 +0,0 @@ -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. -{ - 'includes': [ - '../../coreconf/config.gypi', - '../../cmd/platlibs.gypi' - ], - 'targets': [ - { - 'target_name': 'rsapoptst', - 'type': 'executable', - 'sources': [ - 'rsapoptst.c' - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:dbm_exports', - '<(DEPTH)/exports.gyp:nss_exports', - ] - } - ], - 'variables': { - 'module': 'nss', - } -} diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c index fac428e10..65b1ee304 100644 --- a/security/nss/cmd/selfserv/selfserv.c +++ b/security/nss/cmd/selfserv/selfserv.c @@ -38,7 +38,6 @@ #include "nss.h" #include "ssl.h" #include "sslproto.h" -#include "sslexp.h" #include "cert.h" #include "certt.h" #include "ocsp.h" @@ -166,7 +165,9 @@ PrintUsageHeader(const char *progName) " [-V [min-version]:[max-version]] [-a sni_name]\n" " [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n" " [-C SSLCacheEntries] [-S dsa_nickname] -Q [-I groups]" +#ifndef NSS_DISABLE_ECC " [-e ec_nickname]" +#endif /* NSS_DISABLE_ECC */ "\n" " -U [0|1] -H [0|1|2] -W [0|1]\n" "\n", 
@@ -1954,10 +1955,6 @@ server_main( if (enabledVersions.max < SSL_LIBRARY_VERSION_TLS_1_3) { errExit("You tried enabling 0RTT without enabling TLS 1.3!"); } - rv = SSL_SetupAntiReplay(10 * PR_USEC_PER_SEC, 7, 14); - if (rv != SECSuccess) { - errExit("error configuring anti-replay "); - } rv = SSL_OptionSet(model_sock, SSL_ENABLE_0RTT_DATA, PR_TRUE); if (rv != SECSuccess) { errExit("error enabling 0RTT "); @@ -2346,6 +2343,7 @@ main(int argc, char **argv) dir = optstate->value; break; +#ifndef NSS_DISABLE_ECC case 'e': if (certNicknameIndex >= MAX_CERT_NICKNAME_ARRAY_INDEX) { Usage(progName); @@ -2353,6 +2351,7 @@ main(int argc, char **argv) } certNicknameArray[certNicknameIndex++] = PORT_Strdup(optstate->value); break; +#endif /* NSS_DISABLE_ECC */ case 'f': pwdata.source = PW_FROMFILE; @@ -2554,14 +2553,6 @@ main(int argc, char **argv) tmp = PR_GetEnvSecure("TMPDIR"); if (!tmp) tmp = PR_GetEnvSecure("TEMP"); - - /* Call the NSS initialization routines */ - rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY); - if (rv != SECSuccess) { - fputs("NSS_Init failed.\n", stderr); - exit(8); - } - if (envString) { /* we're one of the children in a multi-process server. */ listen_sock = PR_GetInheritedFD(inheritableSockName); @@ -2616,6 +2607,13 @@ main(int argc, char **argv) /* set our password function */ PK11_SetPasswordFunc(SECU_GetModulePassword); + /* Call the NSS initialization routines */ + rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY); + if (rv != SECSuccess) { + fputs("NSS_Init failed.\n", stderr); + exit(8); + } + /* all SSL3 cipher suites are enabled by default. */ if (cipherString) { char *cstringSaved = cipherString; @@ -2683,7 +2681,9 @@ main(int argc, char **argv) certNicknameArray[i]); exit(11); } +#ifdef NSS_DISABLE_ECC if (privKey[i]->keyType != ecKey) +#endif setupCertStatus(certStatusArena, ocspStaplingMode, cert[i], i, &pwdata); } 
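Review bot: `SSL_ENABLE_0RTT_DATA` is still switched on for `model_sock`, but the anti-replay setup that used to precede it is gone, so nothing in this block limits how often a captured early-data flight would be accepted. Whether the library version this commit targets offers a replay-protection mechanism at all is not visible from the hunk. If it does not, say so at the call so the behaviour is not copied elsewhere: `/* 0-RTT is enabled without anti-replay; early data may be replayed, test use only */`. `server_main` continues outside the hunk.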
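Review bot: The guard added around `if (privKey[i]->keyType != ecKey)` in the `@@ -2683` hunk is `#ifdef NSS_DISABLE_ECC`, the opposite polarity of every other ECC guard in this commit, which all use `#ifndef NSS_DISABLE_ECC`. As written, the EC-key test is compiled only into builds without ECC; in ECC-enabled builds `setupCertStatus` now runs for every certificate, EC ones included, which the pre-change code skipped. If the skip is still wanted, the guard should read `#ifndef NSS_DISABLE_ECC`. If the change is deliberate, a comment at the guard should say why certificate status is now set up for EC keys. The enclosing loop starts outside the hunk.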
diff --git a/security/nss/cmd/signtool/javascript.c b/security/nss/cmd/signtool/javascript.c index ffff2db59..746f724f8 100644 --- a/security/nss/cmd/signtool/javascript.c +++ b/security/nss/cmd/signtool/javascript.c @@ -1115,7 +1115,8 @@ extract_js(char *filename) textStart = 0; startLine = 0; - while (linenum = FB_GetLineNum(fb), (curchar = FB_GetChar(fb)) != EOF) { + while (linenum = FB_GetLineNum(fb), (curchar = FB_GetChar(fb)) != + EOF) { switch (state) { case TEXT_HTML_STATE: if (curchar == '<') { diff --git a/security/nss/cmd/signtool/signtool.c b/security/nss/cmd/signtool/signtool.c index 915a00fbc..51857d638 100644 --- a/security/nss/cmd/signtool/signtool.c +++ b/security/nss/cmd/signtool/signtool.c @@ -1033,7 +1033,9 @@ main(int argc, char *argv[]) if (errorCount > 0 || warningCount > 0) { PR_fprintf(outputFD, "%d error%s, %d warning%s.\n", errorCount, - errorCount == 1 ? "" : "s", warningCount, warningCount == 1 ? "" : "s"); + errorCount == 1 ? "" : "s", warningCount, warningCount == 1 + ? "" + : "s"); } else { PR_fprintf(outputFD, "Directory %s signed successfully.\n", jartree); diff --git a/security/nss/cmd/smimetools/cmsutil.c b/security/nss/cmd/smimetools/cmsutil.c index fe17f26a4..10e743c6b 100644 --- a/security/nss/cmd/smimetools/cmsutil.c +++ b/security/nss/cmd/smimetools/cmsutil.c @@ -1572,7 +1572,10 @@ main(int argc, char **argv) { unsigned int j; for (j = 0; j < input.len; j++) - fprintf(stderr, "%2x%c", input.data[j], (j > 0 && j % 35 == 0) ? '\n' : ' '); + fprintf(stderr, "%2x%c", input.data[j], (j > 0 && + j % 35 == 0) + ? '\n' + : ' '); } } if (input.len > 0) { /* skip if certs-only (or other zero content) */ diff --git a/security/nss/cmd/ssltap/ssltap.c b/security/nss/cmd/ssltap/ssltap.c index a2471884e..197b1942d 100644 --- a/security/nss/cmd/ssltap/ssltap.c +++ b/security/nss/cmd/ssltap/ssltap.c 
@@ -1637,7 +1637,8 @@ print_ssl3_handshake(unsigned char *recordBuf, PR_snprintf(certFileName, sizeof certFileName, "cert.%03d", ++certFileNumber); cfd = - PR_Open(certFileName, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, + PR_Open(certFileName, PR_WRONLY | + PR_CREATE_FILE | PR_TRUNCATE, 0664); if (!cfd) { PR_fprintf(PR_STDOUT, @@ -1721,7 +1722,8 @@ print_ssl3_handshake(unsigned char *recordBuf, 0 && sslhexparse) { PR_fprintf(PR_STDOUT, " = {\n"); - print_hex(dnLen, hsdata + pos); + print_hex(dnLen, hsdata + + pos); PR_fprintf(PR_STDOUT, " }\n"); } else { PR_fprintf(PR_STDOUT, "\n"); @@ -1794,7 +1796,8 @@ print_ssl3_handshake(unsigned char *recordBuf, PR_snprintf(ocspFileName, sizeof ocspFileName, "ocsp.%03d", ++ocspFileNumber); - ofd = PR_Open(ocspFileName, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, + ofd = PR_Open(ocspFileName, PR_WRONLY | + PR_CREATE_FILE | PR_TRUNCATE, 0664); if (!ofd) { PR_fprintf(PR_STDOUT, @@ -2164,7 +2167,8 @@ print_ssl(DataBufferList *s, int length, unsigned char *buffer) break; case 22: /* handshake */ - print_ssl3_handshake(recordBuf, recordLen - s->hMACsize, + print_ssl3_handshake(recordBuf, recordLen - + s->hMACsize, &sr, s); break; diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c index 7d259bd0a..f65e31913 100644 --- a/security/nss/cmd/strsclnt/strsclnt.c +++ b/security/nss/cmd/strsclnt/strsclnt.c @@ -886,10 +886,8 @@ PRBool LoggedIn(CERTCertificate *cert, SECKEYPrivateKey *key) { if ((cert->slot) && (key->pkcs11Slot) && - (!PK11_NeedLogin(cert->slot) || - PR_TRUE == PK11_IsLoggedIn(cert->slot, NULL)) && - (!PK11_NeedLogin(key->pkcs11Slot) || - PR_TRUE == PK11_IsLoggedIn(key->pkcs11Slot, NULL))) { + (PR_TRUE == PK11_IsLoggedIn(cert->slot, NULL)) && + (PR_TRUE == PK11_IsLoggedIn(key->pkcs11Slot, NULL))) { return PR_TRUE; } diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c index 1ad99502b..959afec59 100644 --- a/security/nss/cmd/tstclnt/tstclnt.c 
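Review bot: `LoggedIn` in strsclnt.c now requires `PK11_IsLoggedIn` to return `PR_TRUE` for both slots and no longer short-circuits on `!PK11_NeedLogin(...)`, so a slot that needs no login is judged by the same test as one that is locked. Whether `PK11_IsLoggedIn` reports true for such a slot is not visible here; if it does not, callers will get `PR_FALSE` for password-less databases. Either keep the `!PK11_NeedLogin(cert->slot) ||` and `!PK11_NeedLogin(key->pkcs11Slot) ||` terms, or add a comment above the condition stating that an authenticated session is now mandatory on both slots. The remainder of the function is outside the hunk.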
+++ b/security/nss/cmd/tstclnt/tstclnt.c @@ -31,7 +31,6 @@ #include "ocsp.h" #include "ssl.h" #include "sslproto.h" -#include "sslexp.h" #include "pk11func.h" #include "secmod.h" #include "plgetopt.h" @@ -96,7 +95,6 @@ PRBool verbose; int dumpServerChain = 0; int renegotiationsToDo = 0; int renegotiationsDone = 0; -PRBool initializedServerSessionCache = PR_FALSE; static char *progName; @@ -180,7 +178,7 @@ PrintUsageHeader(const char *progName) "[-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z]\n" "[-V [min-version]:[max-version]] [-K] [-T] [-U]\n" "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]] [-I groups]\n" - "[-A requestfile] [-L totalconnections] [-P {client,server}] [-Q]\n" + "[-A requestfile] [-L totalconnections]\n" "\n", progName); } @@ -204,7 +202,7 @@ PrintParameterUsage(void) fprintf(stderr, "%-20s Print certificate chain information\n", "-C"); fprintf(stderr, "%-20s (use -C twice to print more certificate details)\n", ""); fprintf(stderr, "%-20s (use -C three times to include PEM format certificate dumps)\n", ""); - fprintf(stderr, "%-20s Nickname of key and cert\n", + fprintf(stderr, "%-20s Nickname of key and cert for client auth\n", "-n nickname"); fprintf(stderr, "%-20s Restricts the set of enabled SSL/TLS protocols versions.\n" @@ -253,9 +251,6 @@ PrintParameterUsage(void) "%-20s The following values are valid:\n" "%-20s P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n", "-I", "", ""); - fprintf(stderr, "%-20s Enable alternative TLS 1.3 handshake\n", "-X alt-server-hello"); - fprintf(stderr, "%-20s Use DTLS\n", "-P {client, server}"); - fprintf(stderr, "%-20s Exit after handshake\n", "-Q"); } static void 
@@ -919,12 +914,6 @@ char *requestString = NULL; PRInt32 requestStringLen = 0; PRBool requestSent = PR_FALSE; PRBool enableZeroRtt = PR_FALSE; -PRBool enableAltServerHello = PR_FALSE; -PRBool useDTLS = PR_FALSE; -PRBool actAsServer = PR_FALSE; -PRBool stopAfterHandshake = PR_FALSE; -PRBool requestToExit = PR_FALSE; -char *versionString = NULL; static int writeBytesToServer(PRFileDesc *s, const char *buf, int nb) 
@@ -1007,129 +996,12 @@ handshakeCallback(PRFileDesc *fd, void *client_data) writeBytesToServer(fd, requestString, requestStringLen); } } - if (stopAfterHandshake) { - requestToExit = PR_TRUE; - } } #define REQUEST_WAITING (requestString && !requestSent) -static SECStatus -installServerCertificate(PRFileDesc *s, char *nickname) -{ - CERTCertificate *cert; - SECKEYPrivateKey *privKey = NULL; - - if (!nickname) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - - cert = PK11_FindCertFromNickname(nickname, &pwdata); - if (cert == NULL) { - return SECFailure; - } - - privKey = PK11_FindKeyByAnyCert(cert, &pwdata); - if (privKey == NULL) { - return SECFailure; - } - if (SSL_ConfigServerCert(s, cert, privKey, NULL, 0) != SECSuccess) { - return SECFailure; - } - SECKEY_DestroyPrivateKey(privKey); - CERT_DestroyCertificate(cert); - - return SECSuccess; -} - -static SECStatus -bindToClient(PRFileDesc *s) -{ - PRStatus status; - status = PR_Bind(s, &addr); - if (status != PR_SUCCESS) { - return SECFailure; - } - - for (;;) { - /* Bind the remote address on first packet. This must happen - * before we SSL-ize the socket because we need to get the - * peer's address before SSLizing. Recvfrom gives us that - * while not consuming any data. */ - unsigned char tmp; - PRNetAddr remote; - int nb; - - nb = PR_RecvFrom(s, &tmp, 1, PR_MSG_PEEK, - &remote, PR_INTERVAL_NO_TIMEOUT); - if (nb != 1) - continue; - - status = PR_Connect(s, &remote, PR_INTERVAL_NO_TIMEOUT); - if (status != PR_SUCCESS) { - SECU_PrintError(progName, "server bind to remote end failed"); - return SECFailure; - } - return SECSuccess; - } - - /* Unreachable. 
*/ -} - -static SECStatus -connectToServer(PRFileDesc *s, PRPollDesc *pollset) -{ - PRStatus status; - PRInt32 filesReady; - - status = PR_Connect(s, &addr, PR_INTERVAL_NO_TIMEOUT); - if (status != PR_SUCCESS) { - if (PR_GetError() == PR_IN_PROGRESS_ERROR) { - if (verbose) - SECU_PrintError(progName, "connect"); - milliPause(50 * multiplier); - pollset[SSOCK_FD].in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT; - pollset[SSOCK_FD].out_flags = 0; - pollset[SSOCK_FD].fd = s; - while (1) { - FPRINTF(stderr, - "%s: about to call PR_Poll for connect completion!\n", - progName); - filesReady = PR_Poll(pollset, 1, PR_INTERVAL_NO_TIMEOUT); - if (filesReady < 0) { - SECU_PrintError(progName, "unable to connect (poll)"); - return SECFailure; - } - FPRINTF(stderr, - "%s: PR_Poll returned 0x%02x for socket out_flags.\n", - progName, pollset[SSOCK_FD].out_flags); - if (filesReady == 0) { /* shouldn't happen! */ - SECU_PrintError(progName, "%s: PR_Poll returned zero!\n"); - return SECFailure; - } - status = PR_GetConnectStatus(pollset); - if (status == PR_SUCCESS) { - break; - } - if (PR_GetError() != PR_IN_PROGRESS_ERROR) { - SECU_PrintError(progName, "unable to connect (poll)"); - return SECFailure; - } - SECU_PrintError(progName, "poll"); - milliPause(50 * multiplier); - } - } else { - SECU_PrintError(progName, "unable to connect"); - return SECFailure; - } - } - - return SECSuccess; -} - static int -run(void) +run_client(void) { int headerSeparatorPtrnId = 0; int error = 0; 
@@ -1145,23 +1017,13 @@ run(void) requestSent = PR_FALSE; /* Create socket */ - if (useDTLS) { - s = PR_OpenUDPSocket(addr.raw.family); - } else { - s = PR_OpenTCPSocket(addr.raw.family); - } - + s = PR_OpenTCPSocket(addr.raw.family); if (s == NULL) { SECU_PrintError(progName, "error creating socket"); error = 1; goto done; } - if (actAsServer) { - if (bindToClient(s) != SECSuccess) { - return 1; - } - } opt.option = PR_SockOpt_Nonblocking; opt.value.non_blocking = PR_TRUE; /* default */ if (serverCertAuth.testFreshStatusFromSideChannel) { @@ -1174,16 +1036,13 @@ run(void) goto done; } - if (useDTLS) { - s = DTLS_ImportFD(NULL, s); - } else { - s = SSL_ImportFD(NULL, s); - } + s = SSL_ImportFD(NULL, s); if (s == NULL) { SECU_PrintError(progName, "error importing socket"); error = 1; goto done; } + SSL_SetPKCS11PinArg(s, &pwdata); rv = SSL_OptionSet(s, SSL_SECURITY, 1); @@ -1193,7 +1052,7 @@ run(void) goto done; } - rv = SSL_OptionSet(s, actAsServer ? SSL_HANDSHAKE_AS_SERVER : SSL_HANDSHAKE_AS_CLIENT, 1); + rv = SSL_OptionSet(s, SSL_HANDSHAKE_AS_CLIENT, 1); if (rv != SECSuccess) { SECU_PrintError(progName, "error enabling client handshake"); error = 1; @@ -1319,16 +1178,6 @@ run(void) } } - /* Alternate ServerHello content type (TLS 1.3 only) */ - if (enableAltServerHello) { - rv = SSL_UseAltServerHelloType(s, PR_TRUE); - if (rv != SECSuccess) { - SECU_PrintError(progName, "error enabling alternate ServerHello type"); - error = 1; - goto done; - } - } - /* require the use of fixed finite-field DH groups */ if (requireDHNamedGroups) { rv = SSL_OptionSet(s, SSL_REQUIRE_DH_NAMED_GROUPS, PR_TRUE); 
@@ -1363,21 +1212,7 @@ run(void) if (override) { SSL_BadCertHook(s, ownBadCertHandler, NULL); } - if (actAsServer) { - rv = installServerCertificate(s, nickname); - if (rv != SECSuccess) { - SECU_PrintError(progName, "error installing server cert"); - return 1; - } - rv = SSL_ConfigServerSessionIDCache(1024, 0, 0, "."); - if (rv != SECSuccess) { - SECU_PrintError(progName, "error configuring session cache"); - return 1; - } - initializedServerSessionCache = PR_TRUE; - } else { - SSL_GetClientAuthDataHook(s, own_GetClientAuthData, (void *)nickname); - } + SSL_GetClientAuthDataHook(s, own_GetClientAuthData, (void *)nickname); SSL_HandshakeCallback(s, handshakeCallback, hs2SniHostName); if (hs1SniHostName) { SSL_SetURL(s, hs1SniHostName); 
@@ -1385,27 +1220,56 @@ run(void) SSL_SetURL(s, host); } - if (actAsServer) { - rv = SSL_ResetHandshake(s, PR_TRUE /* server */); - if (rv != SECSuccess) { - return 1; - } - } else { - /* Try to connect to the server */ - rv = connectToServer(s, pollset); - if (rv != SECSuccess) { - ; + /* Try to connect to the server */ + status = PR_Connect(s, &addr, PR_INTERVAL_NO_TIMEOUT); + if (status != PR_SUCCESS) { + if (PR_GetError() == PR_IN_PROGRESS_ERROR) { + if (verbose) + SECU_PrintError(progName, "connect"); + milliPause(50 * multiplier); + pollset[SSOCK_FD].in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT; + pollset[SSOCK_FD].out_flags = 0; + pollset[SSOCK_FD].fd = s; + while (1) { + FPRINTF(stderr, + "%s: about to call PR_Poll for connect completion!\n", + progName); + filesReady = PR_Poll(pollset, 1, PR_INTERVAL_NO_TIMEOUT); + if (filesReady < 0) { + SECU_PrintError(progName, "unable to connect (poll)"); + error = 1; + goto done; + } + FPRINTF(stderr, + "%s: PR_Poll returned 0x%02x for socket out_flags.\n", + progName, pollset[SSOCK_FD].out_flags); + if (filesReady == 0) { /* shouldn't happen! */ + FPRINTF(stderr, "%s: PR_Poll returned zero!\n", progName); + error = 1; + goto done; + } + status = PR_GetConnectStatus(pollset); + if (status == PR_SUCCESS) { + break; + } + if (PR_GetError() != PR_IN_PROGRESS_ERROR) { + SECU_PrintError(progName, "unable to connect (poll)"); + error = 1; + goto done; + } + SECU_PrintError(progName, "poll"); + milliPause(50 * multiplier); + } + } else { + SECU_PrintError(progName, "unable to connect"); error = 1; goto done; } } pollset[SSOCK_FD].fd = s; - pollset[SSOCK_FD].in_flags = PR_POLL_EXCEPT; - if (!actAsServer) - pollset[SSOCK_FD].in_flags |= (clientSpeaksFirst ? 0 : PR_POLL_READ); - else - pollset[SSOCK_FD].in_flags |= PR_POLL_READ; + pollset[SSOCK_FD].in_flags = PR_POLL_EXCEPT | + (clientSpeaksFirst ? 
0 : PR_POLL_READ); pollset[STDIN_FD].fd = PR_GetSpecialFD(PR_StandardInput); if (!REQUEST_WAITING) { pollset[STDIN_FD].in_flags = PR_POLL_READ; @@ -1455,11 +1319,9 @@ run(void) ** Select on stdin and on the socket. Write data from stdin to ** socket, read data from socket and write to stdout. */ - requestToExit = PR_FALSE; FPRINTF(stderr, "%s: ready...\n", progName); - while (!requestToExit && - ((pollset[SSOCK_FD].in_flags | pollset[STDIN_FD].in_flags) || - REQUEST_WAITING)) { + while ((pollset[SSOCK_FD].in_flags | pollset[STDIN_FD].in_flags) || + REQUEST_WAITING) { char buf[4000]; /* buffer for stdin */ int nb; /* num bytes read from stdin. */ @@ -1645,10 +1507,12 @@ main(int argc, char **argv) } } + SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions); + /* XXX: 'B' was used in the past but removed in 3.28, * please leave some time before resuing it. */ optstate = PL_CreateOptState(argc, argv, - "46A:CDFGHI:KL:M:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z"); + "46A:CDFGHI:KL:M:OR:STUV:W:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z"); while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch (optstate->option) { case '?': @@ -1729,21 +1593,6 @@ main(int argc, char **argv) }; break; - case 'P': - useDTLS = PR_TRUE; - if (!strcmp(optstate->value, "server")) { - actAsServer = 1; - } else { - if (strcmp(optstate->value, "client")) { - Usage(progName); - } - } - break; - - case 'Q': - stopAfterHandshake = PR_TRUE; - break; - case 'R': rootModule = PORT_Strdup(optstate->value); break; @@ -1761,16 +1610,14 @@ main(int argc, char **argv) break; case 'V': - versionString = PORT_Strdup(optstate->value); - break; - - case 'X': - if (!strcmp(optstate->value, "alt-server-hello")) { - enableAltServerHello = PR_TRUE; - } else { + if (SECU_ParseSSLVersionRangeString(optstate->value, + enabledVersions, &enabledVersions) != + SECSuccess) { + fprintf(stderr, "Bad version specified.\n"); Usage(progName); } break; + case 'Y': PrintCipherUsage(progName); exit(0); 
@@ -1880,19 +1727,8 @@ main(int argc, char **argv) break; } } - PL_DestroyOptState(optstate); - SSL_VersionRangeGetSupported(useDTLS ? ssl_variant_datagram : ssl_variant_stream, &enabledVersions); - - if (versionString) { - if (SECU_ParseSSLVersionRangeString(versionString, - enabledVersions, &enabledVersions) != - SECSuccess) { - fprintf(stderr, "Bad version specified.\n"); - Usage(progName); - } - PORT_Free(versionString); - } + PL_DestroyOptState(optstate); if (optstatus == PL_OPT_BAD) { Usage(progName); @@ -1922,7 +1758,7 @@ main(int argc, char **argv) PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); PK11_SetPasswordFunc(SECU_GetModulePassword); - memset(&addr, 0, sizeof(addr)); + status = PR_StringToNetAddr(host, &addr); if (status == PR_SUCCESS) { addr.inet.port = PR_htons(portno); @@ -1934,7 +1770,6 @@ main(int argc, char **argv) addrInfo = PR_GetAddrInfoByName(host, PR_AF_UNSPEC, PR_AI_ADDRCONFIG | PR_AI_NOCANONNAME); if (!addrInfo) { - fprintf(stderr, "HOSTNAME=%s\n", host); SECU_PrintError(progName, "error looking up host"); error = 1; goto done; @@ -2049,7 +1884,7 @@ main(int argc, char **argv) } while (numConnections--) { - error = run(); + error = run_client(); if (error) { goto done; } @@ -2080,12 +1915,6 @@ done: } if (NSS_IsInitialized()) { SSL_ClearSessionCache(); - if (initializedServerSessionCache) { - if (SSL_ShutdownServerSessionIDCache() != SECSuccess) { - error = 1; - } - } - if (NSS_Shutdown() != SECSuccess) { error = 1; } |