Diffstat (limited to 'security/nss/lib/pk11wrap/pk11pars.c')
-rw-r--r-- | security/nss/lib/pk11wrap/pk11pars.c | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/security/nss/lib/pk11wrap/pk11pars.c b/security/nss/lib/pk11wrap/pk11pars.c
index db60f7c9d..c5e21df51 100644
--- a/security/nss/lib/pk11wrap/pk11pars.c
+++ b/security/nss/lib/pk11wrap/pk11pars.c
@@ -238,6 +238,8 @@ static const oidValDef curveOptList[] = {
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
     { CIPHER_NAME("SECP521R1"), SEC_OID_SECG_EC_SECP521R1,
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+    { CIPHER_NAME("CURVE25519"), SEC_OID_CURVE25519,
+      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
     /* ANSI X9.62 named elliptic curves (characteristic two field) */
     { CIPHER_NAME("C2PNB163V1"), SEC_OID_ANSIX962_EC_C2PNB163V1,
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
@@ -384,18 +386,26 @@ static const oidValDef kxOptList[] = {
     { CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
 };
 
+static const oidValDef signOptList[] = {
+    /* Signatures */
+    { CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
+      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+};
+
 typedef struct {
     const oidValDef *list;
     PRUint32 entries;
     const char *description;
+    PRBool allowEmpty;
 } algListsDef;
 
 static const algListsDef algOptLists[] = {
-    { curveOptList, PR_ARRAY_SIZE(curveOptList), "ECC" },
-    { hashOptList, PR_ARRAY_SIZE(hashOptList), "HASH" },
-    { macOptList, PR_ARRAY_SIZE(macOptList), "MAC" },
-    { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER" },
-    { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX" },
+    { curveOptList, PR_ARRAY_SIZE(curveOptList), "ECC", PR_FALSE },
+    { hashOptList, PR_ARRAY_SIZE(hashOptList), "HASH", PR_FALSE },
+    { macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
+    { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
+    { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
+    { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
 };
 
 static const optionFreeDef sslOptList[] = {
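Review bot: The new CURVE25519 entry in curveOptList carries NSS_USE_ALG_IN_CERT_SIGNATURE like its neighbours, but SEC_OID_CURVE25519 names the RFC 7748 key-agreement curve (X25519), for which no certificate signature scheme exists, so that bit appears to be inert for this OID as far as this hunk shows. The entry also sits inside the block of SECG prime-field curves without a comment of its own, so a reader scanning the policy table will take it for another NIST/SECG curve. A one-line comment above the entry would settle both points: `/* RFC 7748 Curve25519 (X25519): key agreement only; the CERT_SIGNATURE bit is kept for uniformity of the policy table */`. If a cert-signature check elsewhere does consult this OID, the comment should say so instead; curveOptList begins before this hunk.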
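Review bot: The new `PRBool allowEmpty` member of algListsDef is undocumented, and its meaning is only recoverable from the PR_TRUE on the "OTHER-SIGN" row and the check in secmod_sanityCheckCryptoPolicy further down, which is outside this hunk. A comment on the field would carry the intent: `/* PR_TRUE if a policy that disables every entry in this list is acceptable (no WARN in the sanity check) */`. The signOptList DSA entry is flagged NSS_USE_ALG_IN_SSL_KX although DSA is a signature algorithm; if that bit is what gates handshake signatures in this file, the `/* Signatures */` comment should say so, otherwise the flag looks like a copy from the curve table. Because the struct now has four positional members, the algOptLists rows would be safer as designated initializers (`.list = …, .entries = …, .description = …, .allowEmpty = …`) so a future field cannot silently shift the boolean.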
@@ -718,7 +728,7 @@ secmod_sanityCheckCryptoPolicy(void)
     for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
         const algListsDef *algOptList = &algOptLists[i];
         fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-%s: %u\n", enabledCount[i] ? sInfo : sWarn, algOptList->description, enabledCount[i]);
-        if (!enabledCount[i]) {
+        if (!enabledCount[i] && !algOptList->allowEmpty) {
             haveWarning = PR_TRUE;
         }
     }
@@ -807,6 +817,10 @@ SECMOD_CreateModuleEx(const char *library, const char *moduleName,
     mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc);
     mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc);
+    /* if the system FIPS mode is enabled, force FIPS to be on */
+    if (secmod_GetSystemFIPSEnabled()) {
+        mod->isFIPS = PR_TRUE;
+    }
     mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc);
     slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc);
     mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams, |
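Review bot: The severity printed on the unchanged fprintf line still comes from `enabledCount[i] ? sInfo : sWarn`, so an allowEmpty list with zero enabled entries (OTHER-SIGN with DSA disabled) is logged as `NSS-POLICY-WARN: NUMBER-OF-OTHER-SIGN: 0` while the changed condition below leaves haveWarning unset; the log and the return value now disagree for exactly the case this hunk introduces. Compute the severity once from both conditions and reuse it: `const char *severity = (enabledCount[i] || algOptList->allowEmpty) ? sInfo : sWarn;`, `fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-%s: %u\n", severity, algOptList->description, enabledCount[i]);`, `if (!enabledCount[i] && !algOptList->allowEmpty) {`. Anything that greps the policy log for WARN lines would otherwise flag a configuration the sanity check itself accepts. secmod_sanityCheckCryptoPolicy begins and ends outside this hunk.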