summaryrefslogtreecommitdiffstats
path: root/security/nss/cmd
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/cmd')
-rw-r--r--security/nss/cmd/addbuiltin/addbuiltin.c28
-rw-r--r--security/nss/cmd/bltest/blapitest.c9
-rw-r--r--security/nss/cmd/certutil/certext.c2
-rw-r--r--security/nss/cmd/certutil/certutil.c3
-rw-r--r--security/nss/cmd/certutil/keystuff.c11
-rw-r--r--security/nss/cmd/crlutil/crlutil.c5
-rw-r--r--security/nss/cmd/crmftest/testcrmf.c2
-rw-r--r--security/nss/cmd/ecperf/ecperf.c129
-rw-r--r--security/nss/cmd/fbectest/fbectest.c27
-rw-r--r--security/nss/cmd/lib/basicutil.c191
-rw-r--r--security/nss/cmd/lib/basicutil.h14
-rw-r--r--security/nss/cmd/lib/secutil.c149
-rw-r--r--security/nss/cmd/lib/secutil.h10
-rw-r--r--security/nss/cmd/lowhashtest/manifest.mn1
-rw-r--r--security/nss/cmd/modutil/pk11.c20
-rw-r--r--security/nss/cmd/mpitests/mpitests.gyp24
-rw-r--r--security/nss/cmd/pk12util/pk12util.c11
-rw-r--r--security/nss/cmd/platlibs.gypi18
-rw-r--r--security/nss/cmd/platlibs.mk34
-rw-r--r--security/nss/cmd/selfserv/selfserv.c12
-rw-r--r--security/nss/cmd/smimetools/cmsutil.c4
-rwxr-xr-xsecurity/nss/cmd/smimetools/smime4
-rw-r--r--security/nss/cmd/strsclnt/strsclnt.c1
-rw-r--r--security/nss/cmd/symkeyutil/symkeyutil.c3
-rw-r--r--security/nss/cmd/tstclnt/tstclnt.c88
25 files changed, 444 insertions, 356 deletions
diff --git a/security/nss/cmd/addbuiltin/addbuiltin.c b/security/nss/cmd/addbuiltin/addbuiltin.c
index 9ecad3d64..831672039 100644
--- a/security/nss/cmd/addbuiltin/addbuiltin.c
+++ b/security/nss/cmd/addbuiltin/addbuiltin.c
@@ -31,6 +31,29 @@ dumpbytes(unsigned char *buf, int len)
printf("\n");
}
+int
+hasPositiveTrust(unsigned int trust)
+{
+ if (trust & CERTDB_TRUSTED) {
+ if (trust & CERTDB_TRUSTED_CA) {
+ return PR_TRUE;
+ } else {
+ return PR_FALSE;
+ }
+ } else {
+ if (trust & CERTDB_TRUSTED_CA) {
+ return PR_TRUE;
+ } else if (trust & CERTDB_VALID_CA) {
+ return PR_TRUE;
+ } else if (trust & CERTDB_TERMINAL_RECORD) {
+ return PR_FALSE;
+ } else {
+ return PR_FALSE;
+ }
+ }
+ return PR_FALSE;
+}
+
char *
getTrustString(unsigned int trust)
{
@@ -202,6 +225,11 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust,
printf("CKA_VALUE MULTILINE_OCTAL\n");
dumpbytes(sdder->data, sdder->len);
printf("END\n");
+ if (hasPositiveTrust(trust->sslFlags) ||
+ hasPositiveTrust(trust->emailFlags) ||
+ hasPositiveTrust(trust->objectSigningFlags)) {
+ printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n");
+ }
}
if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) ==
diff --git a/security/nss/cmd/bltest/blapitest.c b/security/nss/cmd/bltest/blapitest.c
index ebe73e6be..a3a162da1 100644
--- a/security/nss/cmd/bltest/blapitest.c
+++ b/security/nss/cmd/bltest/blapitest.c
@@ -917,6 +917,7 @@ setupIO(PLArenaPool *arena, bltestIO *input, PRFileDesc *file,
SECItem *in;
unsigned char *tok;
unsigned int i, j;
+ PRBool needToFreeFile = PR_FALSE;
if (file && (numBytes == 0 || file == PR_STDIN)) {
/* grabbing data from a file */
@@ -924,6 +925,7 @@ setupIO(PLArenaPool *arena, bltestIO *input, PRFileDesc *file,
if (rv != SECSuccess)
return SECFailure;
in = &fileData;
+ needToFreeFile = PR_TRUE;
} else if (str) {
/* grabbing data from command line */
fileData.data = (unsigned char *)str;
@@ -957,10 +959,7 @@ setupIO(PLArenaPool *arena, bltestIO *input, PRFileDesc *file,
--in->len;
if (in->data[in->len - 1] == '\r')
--in->len;
- SECITEM_CopyItem(arena, &input->buf, in);
- if (rv != SECSuccess) {
- return SECFailure;
- }
+ rv = SECITEM_CopyItem(arena, &input->buf, in);
break;
case bltestHexSpaceDelim:
SECITEM_AllocItem(arena, &input->buf, in->len / 5);
@@ -986,7 +985,7 @@ setupIO(PLArenaPool *arena, bltestIO *input, PRFileDesc *file,
break;
}
- if (file)
+ if (needToFreeFile)
SECITEM_FreeItem(&fileData, PR_FALSE);
return rv;
}
diff --git a/security/nss/cmd/certutil/certext.c b/security/nss/cmd/certutil/certext.c
index b080f06f9..0be3eb120 100644
--- a/security/nss/cmd/certutil/certext.c
+++ b/security/nss/cmd/certutil/certext.c
@@ -980,8 +980,6 @@ AddNameConstraints(void *extHandle)
GEN_BREAK(SECFailure);
}
- (void)SEC_ASN1EncodeInteger(arena, &current->min, 0);
-
if (!GetGeneralName(arena, &current->name, PR_TRUE)) {
GEN_BREAK(SECFailure);
}
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
index 24acdbcb4..fbc752c1b 100644
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -1002,9 +1002,12 @@ ListModules(void)
/* look at each slot*/
for (le = list->head; le; le = le->next) {
+ char *token_uri = PK11_GetTokenURI(le->slot);
printf("\n");
printf(" slot: %s\n", PK11_GetSlotName(le->slot));
printf(" token: %s\n", PK11_GetTokenName(le->slot));
+ printf(" uri: %s\n", token_uri);
+ PORT_Free(token_uri);
}
PK11_FreeSlotList(list);
diff --git a/security/nss/cmd/certutil/keystuff.c b/security/nss/cmd/certutil/keystuff.c
index 268ad471a..2878e3765 100644
--- a/security/nss/cmd/certutil/keystuff.c
+++ b/security/nss/cmd/certutil/keystuff.c
@@ -17,14 +17,6 @@
#include <conio.h>
#endif
-#if defined(__sun) && !defined(SVR4)
-extern int fclose(FILE *);
-extern int fprintf(FILE *, char *, ...);
-extern int isatty(int);
-extern char *sys_errlist[];
-#define strerror(errno) sys_errlist[errno]
-#endif
-
#include "nspr.h"
#include "prtypes.h"
#include "prtime.h"
@@ -52,9 +44,10 @@ static int
UpdateRNG(void)
{
char randbuf[RAND_BUF_SIZE];
- int fd, count;
+ int fd;
int c;
int rv = 0;
+ size_t count;
#ifdef XP_UNIX
cc_t orig_cc_min;
cc_t orig_cc_time;
diff --git a/security/nss/cmd/crlutil/crlutil.c b/security/nss/cmd/crlutil/crlutil.c
index bdf112b4a..c008ecc01 100644
--- a/security/nss/cmd/crlutil/crlutil.c
+++ b/security/nss/cmd/crlutil/crlutil.c
@@ -66,8 +66,11 @@ FindCRL(CERTCertDBHandle *certHandle, char *name, int type)
return ((CERTSignedCrl *)NULL);
}
} else {
- SECITEM_CopyItem(NULL, &derName, &cert->derSubject);
+ SECStatus rv = SECITEM_CopyItem(NULL, &derName, &cert->derSubject);
CERT_DestroyCertificate(cert);
+ if (rv != SECSuccess) {
+ return ((CERTSignedCrl *)NULL);
+ }
}
crl = SEC_FindCrlByName(certHandle, &derName, type);
diff --git a/security/nss/cmd/crmftest/testcrmf.c b/security/nss/cmd/crmftest/testcrmf.c
index fefa6894d..cbc680b08 100644
--- a/security/nss/cmd/crmftest/testcrmf.c
+++ b/security/nss/cmd/crmftest/testcrmf.c
@@ -1261,11 +1261,13 @@ DoChallengeResponse(SECKEYPrivateKey *privKey,
return 908;
}
keyID = PK11_MakeIDFromPubKey(publicValue);
+ SECITEM_FreeItem(publicValue, PR_TRUE);
if (keyID == NULL) {
printf("Could not make the keyID from the public value\n");
return 909;
}
foundPrivKey = PK11_FindKeyByKeyID(privKey->pkcs11Slot, keyID, &pwdata);
+ SECITEM_FreeItem(keyID, PR_TRUE);
if (foundPrivKey == NULL) {
printf("Could not find the private key corresponding to the public"
" value.\n");
diff --git a/security/nss/cmd/ecperf/ecperf.c b/security/nss/cmd/ecperf/ecperf.c
index 814c0352d..705d68f35 100644
--- a/security/nss/cmd/ecperf/ecperf.c
+++ b/security/nss/cmd/ecperf/ecperf.c
@@ -9,7 +9,6 @@
#include "basicutil.h"
#include "pkcs11.h"
#include "nspr.h"
-#include "secutil.h"
#include <stdio.h>
#define __PASTE(x, y) x##y
@@ -27,70 +26,6 @@
#include "pkcs11f.h"
-/* mapping between ECCurveName enum and pointers to ECCurveParams */
-static SECOidTag ecCurve_oid_map[] = {
- SEC_OID_UNKNOWN, /* ECCurve_noName */
- SEC_OID_ANSIX962_EC_PRIME192V1, /* ECCurve_NIST_P192 */
- SEC_OID_SECG_EC_SECP224R1, /* ECCurve_NIST_P224 */
- SEC_OID_ANSIX962_EC_PRIME256V1, /* ECCurve_NIST_P256 */
- SEC_OID_SECG_EC_SECP384R1, /* ECCurve_NIST_P384 */
- SEC_OID_SECG_EC_SECP521R1, /* ECCurve_NIST_P521 */
- SEC_OID_SECG_EC_SECT163K1, /* ECCurve_NIST_K163 */
- SEC_OID_SECG_EC_SECT163R1, /* ECCurve_NIST_B163 */
- SEC_OID_SECG_EC_SECT233K1, /* ECCurve_NIST_K233 */
- SEC_OID_SECG_EC_SECT233R1, /* ECCurve_NIST_B233 */
- SEC_OID_SECG_EC_SECT283K1, /* ECCurve_NIST_K283 */
- SEC_OID_SECG_EC_SECT283R1, /* ECCurve_NIST_B283 */
- SEC_OID_SECG_EC_SECT409K1, /* ECCurve_NIST_K409 */
- SEC_OID_SECG_EC_SECT409R1, /* ECCurve_NIST_B409 */
- SEC_OID_SECG_EC_SECT571K1, /* ECCurve_NIST_K571 */
- SEC_OID_SECG_EC_SECT571R1, /* ECCurve_NIST_B571 */
- SEC_OID_ANSIX962_EC_PRIME192V2,
- SEC_OID_ANSIX962_EC_PRIME192V3,
- SEC_OID_ANSIX962_EC_PRIME239V1,
- SEC_OID_ANSIX962_EC_PRIME239V2,
- SEC_OID_ANSIX962_EC_PRIME239V3,
- SEC_OID_ANSIX962_EC_C2PNB163V1,
- SEC_OID_ANSIX962_EC_C2PNB163V2,
- SEC_OID_ANSIX962_EC_C2PNB163V3,
- SEC_OID_ANSIX962_EC_C2PNB176V1,
- SEC_OID_ANSIX962_EC_C2TNB191V1,
- SEC_OID_ANSIX962_EC_C2TNB191V2,
- SEC_OID_ANSIX962_EC_C2TNB191V3,
- SEC_OID_ANSIX962_EC_C2PNB208W1,
- SEC_OID_ANSIX962_EC_C2TNB239V1,
- SEC_OID_ANSIX962_EC_C2TNB239V2,
- SEC_OID_ANSIX962_EC_C2TNB239V3,
- SEC_OID_ANSIX962_EC_C2PNB272W1,
- SEC_OID_ANSIX962_EC_C2PNB304W1,
- SEC_OID_ANSIX962_EC_C2TNB359V1,
- SEC_OID_ANSIX962_EC_C2PNB368W1,
- SEC_OID_ANSIX962_EC_C2TNB431R1,
- SEC_OID_SECG_EC_SECP112R1,
- SEC_OID_SECG_EC_SECP112R2,
- SEC_OID_SECG_EC_SECP128R1,
- SEC_OID_SECG_EC_SECP128R2,
- SEC_OID_SECG_EC_SECP160K1,
- SEC_OID_SECG_EC_SECP160R1,
- SEC_OID_SECG_EC_SECP160R2,
- SEC_OID_SECG_EC_SECP192K1,
- SEC_OID_SECG_EC_SECP224K1,
- SEC_OID_SECG_EC_SECP256K1,
- SEC_OID_SECG_EC_SECT113R1,
- SEC_OID_SECG_EC_SECT113R2,
- SEC_OID_SECG_EC_SECT131R1,
- SEC_OID_SECG_EC_SECT131R2,
- SEC_OID_SECG_EC_SECT163R1,
- SEC_OID_SECG_EC_SECT193R1,
- SEC_OID_SECG_EC_SECT193R2,
- SEC_OID_SECG_EC_SECT239K1,
- SEC_OID_UNKNOWN, /* ECCurve_WTLS_1 */
- SEC_OID_UNKNOWN, /* ECCurve_WTLS_8 */
- SEC_OID_UNKNOWN, /* ECCurve_WTLS_9 */
- SEC_OID_CURVE25519,
- SEC_OID_UNKNOWN /* ECCurve_pastLastCurve */
-};
-
typedef SECStatus (*op_func)(void *, void *, void *);
typedef SECStatus (*pk11_op_func)(CK_SESSION_HANDLE, void *, void *, void *);
@@ -106,6 +41,8 @@ typedef struct ThreadDataStr {
int isSign;
} ThreadData;
+typedef SECItem SECKEYECParams;
+
void
PKCS11Thread(void *data)
{
@@ -373,30 +310,6 @@ PKCS11_Verify(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hKey,
return SECSuccess;
}
-static SECStatus
-ecName2params(ECCurveName curve, SECKEYECParams *params)
-{
- SECOidData *oidData = NULL;
-
- if ((curve < ECCurve_noName) || (curve > ECCurve_pastLastCurve) ||
- ((oidData = SECOID_FindOIDByTag(ecCurve_oid_map[curve])) == NULL)) {
- PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
- return SECFailure;
- }
-
- SECITEM_AllocItem(NULL, params, (2 + oidData->oid.len));
- /*
- * params->data needs to contain the ASN encoding of an object ID (OID)
- * representing the named curve. The actual OID is in
- * oidData->oid.data so we simply prepend 0x06 and OID length
- */
- params->data[0] = SEC_ASN1_OBJECT_ID;
- params->data[1] = oidData->oid.len;
- memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
-
- return SECSuccess;
-}
-
/* Performs basic tests of elliptic curve cryptography over prime fields.
* If tests fail, then it prints an error message, aborts, and returns an
* error code. Otherwise, returns 0. */
@@ -422,7 +335,7 @@ ectest_curve_pkcs11(ECCurveName curve, int iterations, int numThreads)
ecParams.data = NULL;
ecParams.len = 0;
- rv = ecName2params(curve, &ecParams);
+ rv = SECU_ecName2params(curve, &ecParams);
if (rv != SECSuccess) {
goto cleanup;
}
@@ -541,9 +454,9 @@ ectest_curve_freebl(ECCurveName curve, int iterations, int numThreads,
unsigned char sigData[256];
unsigned char digestData[20];
double signRate, deriveRate = 0;
- char genenc[3 + 2 * 2 * MAX_ECKEY_LEN];
SECStatus rv = SECFailure;
PLArenaPool *arena;
+ SECItem ecEncodedParams = { siBuffer, NULL, 0 };
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
@@ -555,28 +468,11 @@ ectest_curve_freebl(ECCurveName curve, int iterations, int numThreads,
return SECFailure;
}
- ecParams.name = curve;
- ecParams.type = ec_params_named;
- ecParams.curveOID.data = NULL;
- ecParams.curveOID.len = 0;
- ecParams.curve.seed.data = NULL;
- ecParams.curve.seed.len = 0;
- ecParams.DEREncoding.data = NULL;
- ecParams.DEREncoding.len = 0;
-
- ecParams.fieldID.size = ecCurve_map[curve]->size;
- ecParams.fieldID.type = fieldType;
- SECU_HexString2SECItem(arena, &ecParams.fieldID.u.prime, ecCurve_map[curve]->irr);
- SECU_HexString2SECItem(arena, &ecParams.curve.a, ecCurve_map[curve]->curvea);
- SECU_HexString2SECItem(arena, &ecParams.curve.b, ecCurve_map[curve]->curveb);
- genenc[0] = '0';
- genenc[1] = '4';
- genenc[2] = '\0';
- strcat(genenc, ecCurve_map[curve]->genx);
- strcat(genenc, ecCurve_map[curve]->geny);
- SECU_HexString2SECItem(arena, &ecParams.base, genenc);
- SECU_HexString2SECItem(arena, &ecParams.order, ecCurve_map[curve]->order);
- ecParams.cofactor = ecCurve_map[curve]->cofactor;
+ rv = SECU_ecName2params(curve, &ecEncodedParams);
+ if (rv != SECSuccess) {
+ goto cleanup;
+ }
+ EC_FillParams(arena, &ecEncodedParams, &ecParams);
PORT_Memset(digestData, 0xa5, sizeof(digestData));
digest.data = digestData;
@@ -586,7 +482,7 @@ ectest_curve_freebl(ECCurveName curve, int iterations, int numThreads,
rv = EC_NewKey(&ecParams, &ecPriv);
if (rv != SECSuccess) {
- return SECFailure;
+ goto cleanup;
}
ecPub.ecParams = ecParams;
ecPub.publicValue = ecPriv->publicValue;
@@ -617,8 +513,11 @@ ectest_curve_freebl(ECCurveName curve, int iterations, int numThreads,
}
cleanup:
+ SECITEM_FreeItem(&ecEncodedParams, PR_FALSE);
PORT_FreeArena(arena, PR_FALSE);
- PORT_FreeArena(ecPriv->ecParams.arena, PR_FALSE);
+ if (ecPriv) {
+ PORT_FreeArena(ecPriv->ecParams.arena, PR_FALSE);
+ }
return rv;
}
diff --git a/security/nss/cmd/fbectest/fbectest.c b/security/nss/cmd/fbectest/fbectest.c
index 2336d3fa8..1c8f4c039 100644
--- a/security/nss/cmd/fbectest/fbectest.c
+++ b/security/nss/cmd/fbectest/fbectest.c
@@ -9,7 +9,6 @@
#include "basicutil.h"
#include "secder.h"
#include "secitem.h"
-#include "secutil.h"
#include "nspr.h"
#include <stdio.h>
@@ -89,26 +88,19 @@ ectest_ecdh_kat(ECDH_KAT *kat)
SECItem answer = { siBuffer, NULL, 0 };
SECItem answer2 = { siBuffer, NULL, 0 };
SECItem derived = { siBuffer, NULL, 0 };
- char genenc[3 + 2 * 2 * MAX_ECKEY_LEN];
+ SECItem ecEncodedParams = { siBuffer, NULL, 0 };
int i;
- rv = init_params(&ecParams, curve, &arena, kat->fieldType);
- if (rv != SECSuccess) {
- return rv;
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (!arena) {
+ return SECFailure;
}
- SECU_HexString2SECItem(arena, &ecParams.fieldID.u.prime, ecCurve_map[curve]->irr);
- SECU_HexString2SECItem(arena, &ecParams.curve.a, ecCurve_map[curve]->curvea);
- SECU_HexString2SECItem(arena, &ecParams.curve.b, ecCurve_map[curve]->curveb);
- genenc[0] = '0';
- genenc[1] = '4';
- genenc[2] = '\0';
- PORT_Assert(PR_ARRAY_SIZE(genenc) >= PORT_Strlen(ecCurve_map[curve]->genx));
- PORT_Assert(PR_ARRAY_SIZE(genenc) >= PORT_Strlen(ecCurve_map[curve]->geny));
- strcat(genenc, ecCurve_map[curve]->genx);
- strcat(genenc, ecCurve_map[curve]->geny);
- SECU_HexString2SECItem(arena, &ecParams.base, genenc);
- SECU_HexString2SECItem(arena, &ecParams.order, ecCurve_map[curve]->order);
+ rv = SECU_ecName2params(curve, &ecEncodedParams);
+ if (rv != SECSuccess) {
+ goto cleanup;
+ }
+ EC_FillParams(arena, &ecEncodedParams, &ecParams);
if (kat->our_pubhex) {
SECU_HexString2SECItem(arena, &answer, kat->our_pubhex);
@@ -162,6 +154,7 @@ ectest_ecdh_kat(ECDH_KAT *kat)
}
cleanup:
+ SECITEM_FreeItem(&ecEncodedParams, PR_FALSE);
PORT_FreeArena(arena, PR_FALSE);
if (ecPriv) {
PORT_FreeArena(ecPriv->ecParams.arena, PR_FALSE);
diff --git a/security/nss/cmd/lib/basicutil.c b/security/nss/cmd/lib/basicutil.c
index dcd039391..de56fbdd9 100644
--- a/security/nss/cmd/lib/basicutil.c
+++ b/security/nss/cmd/lib/basicutil.c
@@ -25,7 +25,6 @@
#endif
#include "secoid.h"
-#include "sslt.h"
extern long DER_GetInteger(const SECItem *src);
@@ -733,97 +732,135 @@ SECU_SECItemHexStringToBinary(SECItem *srcdest)
return SECSuccess;
}
-SSLNamedGroup
-groupNameToNamedGroup(char *name)
+SECItem *
+SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str)
{
- if (PL_strlen(name) == 4) {
- if (!strncmp(name, "P256", 4)) {
- return ssl_grp_ec_secp256r1;
- }
- if (!strncmp(name, "P384", 4)) {
- return ssl_grp_ec_secp384r1;
- }
- if (!strncmp(name, "P521", 4)) {
- return ssl_grp_ec_secp521r1;
- }
+ int i = 0;
+ int byteval = 0;
+ int tmp = PORT_Strlen(str);
+
+ PORT_Assert(arena);
+ PORT_Assert(item);
+
+ if ((tmp % 2) != 0) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return NULL;
}
- if (PL_strlen(name) == 6) {
- if (!strncmp(name, "x25519", 6)) {
- return ssl_grp_ec_curve25519;
- }
- if (!strncmp(name, "FF2048", 6)) {
- return ssl_grp_ffdhe_2048;
- }
- if (!strncmp(name, "FF3072", 6)) {
- return ssl_grp_ffdhe_3072;
- }
- if (!strncmp(name, "FF4096", 6)) {
- return ssl_grp_ffdhe_4096;
- }
- if (!strncmp(name, "FF6144", 6)) {
- return ssl_grp_ffdhe_6144;
+
+ item = SECITEM_AllocItem(arena, item, tmp / 2);
+ if (item == NULL) {
+ return NULL;
+ }
+
+ while (str[i]) {
+ if ((str[i] >= '0') && (str[i] <= '9')) {
+ tmp = str[i] - '0';
+ } else if ((str[i] >= 'a') && (str[i] <= 'f')) {
+ tmp = str[i] - 'a' + 10;
+ } else if ((str[i] >= 'A') && (str[i] <= 'F')) {
+ tmp = str[i] - 'A' + 10;
+ } else {
+ /* item is in arena and gets freed by the caller */
+ return NULL;
}
- if (!strncmp(name, "FF8192", 6)) {
- return ssl_grp_ffdhe_8192;
+
+ byteval = byteval * 16 + tmp;
+ if ((i % 2) != 0) {
+ item->data[i / 2] = byteval;
+ byteval = 0;
}
+ i++;
}
- return ssl_grp_none;
+ return item;
}
+/* mapping between ECCurveName enum and SECOidTags */
+static SECOidTag ecCurve_oid_map[] = {
+ SEC_OID_UNKNOWN, /* ECCurve_noName */
+ SEC_OID_ANSIX962_EC_PRIME192V1, /* ECCurve_NIST_P192 */
+ SEC_OID_SECG_EC_SECP224R1, /* ECCurve_NIST_P224 */
+ SEC_OID_ANSIX962_EC_PRIME256V1, /* ECCurve_NIST_P256 */
+ SEC_OID_SECG_EC_SECP384R1, /* ECCurve_NIST_P384 */
+ SEC_OID_SECG_EC_SECP521R1, /* ECCurve_NIST_P521 */
+ SEC_OID_SECG_EC_SECT163K1, /* ECCurve_NIST_K163 */
+ SEC_OID_SECG_EC_SECT163R1, /* ECCurve_NIST_B163 */
+ SEC_OID_SECG_EC_SECT233K1, /* ECCurve_NIST_K233 */
+ SEC_OID_SECG_EC_SECT233R1, /* ECCurve_NIST_B233 */
+ SEC_OID_SECG_EC_SECT283K1, /* ECCurve_NIST_K283 */
+ SEC_OID_SECG_EC_SECT283R1, /* ECCurve_NIST_B283 */
+ SEC_OID_SECG_EC_SECT409K1, /* ECCurve_NIST_K409 */
+ SEC_OID_SECG_EC_SECT409R1, /* ECCurve_NIST_B409 */
+ SEC_OID_SECG_EC_SECT571K1, /* ECCurve_NIST_K571 */
+ SEC_OID_SECG_EC_SECT571R1, /* ECCurve_NIST_B571 */
+ SEC_OID_ANSIX962_EC_PRIME192V2,
+ SEC_OID_ANSIX962_EC_PRIME192V3,
+ SEC_OID_ANSIX962_EC_PRIME239V1,
+ SEC_OID_ANSIX962_EC_PRIME239V2,
+ SEC_OID_ANSIX962_EC_PRIME239V3,
+ SEC_OID_ANSIX962_EC_C2PNB163V1,
+ SEC_OID_ANSIX962_EC_C2PNB163V2,
+ SEC_OID_ANSIX962_EC_C2PNB163V3,
+ SEC_OID_ANSIX962_EC_C2PNB176V1,
+ SEC_OID_ANSIX962_EC_C2TNB191V1,
+ SEC_OID_ANSIX962_EC_C2TNB191V2,
+ SEC_OID_ANSIX962_EC_C2TNB191V3,
+ SEC_OID_ANSIX962_EC_C2PNB208W1,
+ SEC_OID_ANSIX962_EC_C2TNB239V1,
+ SEC_OID_ANSIX962_EC_C2TNB239V2,
+ SEC_OID_ANSIX962_EC_C2TNB239V3,
+ SEC_OID_ANSIX962_EC_C2PNB272W1,
+ SEC_OID_ANSIX962_EC_C2PNB304W1,
+ SEC_OID_ANSIX962_EC_C2TNB359V1,
+ SEC_OID_ANSIX962_EC_C2PNB368W1,
+ SEC_OID_ANSIX962_EC_C2TNB431R1,
+ SEC_OID_SECG_EC_SECP112R1,
+ SEC_OID_SECG_EC_SECP112R2,
+ SEC_OID_SECG_EC_SECP128R1,
+ SEC_OID_SECG_EC_SECP128R2,
+ SEC_OID_SECG_EC_SECP160K1,
+ SEC_OID_SECG_EC_SECP160R1,
+ SEC_OID_SECG_EC_SECP160R2,
+ SEC_OID_SECG_EC_SECP192K1,
+ SEC_OID_SECG_EC_SECP224K1,
+ SEC_OID_SECG_EC_SECP256K1,
+ SEC_OID_SECG_EC_SECT113R1,
+ SEC_OID_SECG_EC_SECT113R2,
+ SEC_OID_SECG_EC_SECT131R1,
+ SEC_OID_SECG_EC_SECT131R2,
+ SEC_OID_SECG_EC_SECT163R1,
+ SEC_OID_SECG_EC_SECT193R1,
+ SEC_OID_SECG_EC_SECT193R2,
+ SEC_OID_SECG_EC_SECT239K1,
+ SEC_OID_UNKNOWN, /* ECCurve_WTLS_1 */
+ SEC_OID_UNKNOWN, /* ECCurve_WTLS_8 */
+ SEC_OID_UNKNOWN, /* ECCurve_WTLS_9 */
+ SEC_OID_CURVE25519,
+ SEC_OID_UNKNOWN /* ECCurve_pastLastCurve */
+};
+
SECStatus
-parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
- unsigned int *enabledGroupsCount)
+SECU_ecName2params(ECCurveName curve, SECItem *params)
{
- SSLNamedGroup *groups;
- char *str;
- char *p;
- unsigned int numValues = 0;
- unsigned int count = 0;
-
- /* Count the number of groups. */
- str = PORT_Strdup(arg);
- if (!str) {
+ SECOidData *oidData = NULL;
+
+ if ((curve < ECCurve_noName) || (curve > ECCurve_pastLastCurve) ||
+ ((oidData = SECOID_FindOIDByTag(ecCurve_oid_map[curve])) == NULL)) {
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
}
- p = strtok(str, ",");
- while (p) {
- ++numValues;
- p = strtok(NULL, ",");
- }
- PORT_Free(str);
- str = NULL;
- groups = PORT_ZNewArray(SSLNamedGroup, numValues);
- if (!groups) {
- goto done;
- }
-
- /* Get group names. */
- str = PORT_Strdup(arg);
- if (!str) {
- goto done;
- }
- p = strtok(str, ",");
- while (p) {
- SSLNamedGroup group = groupNameToNamedGroup(p);
- if (group == ssl_grp_none) {
- count = 0;
- goto done;
- }
- groups[count++] = group;
- p = strtok(NULL, ",");
- }
-done:
- if (str) {
- PORT_Free(str);
- }
- if (!count) {
- PORT_Free(groups);
+ if (SECITEM_AllocItem(NULL, params, (2 + oidData->oid.len)) == NULL) {
return SECFailure;
}
+ /*
+ * params->data needs to contain the ASN encoding of an object ID (OID)
+ * representing the named curve. The actual OID is in
+ * oidData->oid.data so we simply prepend 0x06 and OID length
+ */
+ params->data[0] = SEC_ASN1_OBJECT_ID;
+ params->data[1] = oidData->oid.len;
+ memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
- *enabledGroupsCount = count;
- *enabledGroups = groups;
return SECSuccess;
}
diff --git a/security/nss/cmd/lib/basicutil.h b/security/nss/cmd/lib/basicutil.h
index 345fd91a4..de8c1b01e 100644
--- a/security/nss/cmd/lib/basicutil.h
+++ b/security/nss/cmd/lib/basicutil.h
@@ -13,7 +13,7 @@
#include "base64.h"
#include "secasn1.h"
#include "secder.h"
-#include "sslt.h"
+#include "ecl-exp.h"
#include <stdio.h>
#ifdef SECUTIL_NEW
@@ -82,6 +82,14 @@ SECStatus
SECU_SECItemHexStringToBinary(SECItem *srcdest);
/*
+** Read a hex string into a SecItem.
+*/
+extern SECItem *SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item,
+ const char *str);
+
+extern SECStatus SECU_ecName2params(ECCurveName curve, SECItem *params);
+
+/*
*
* Utilities for parsing security tools command lines
*
@@ -113,10 +121,6 @@ SECU_ParseCommandLine(int argc, char **argv, char *progName,
char *
SECU_GetOptionArg(const secuCommand *cmd, int optionNum);
-SECStatus parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
- unsigned int *enabledGroupsCount);
-SSLNamedGroup groupNameToNamedGroup(char *name);
-
/*
*
* Error messaging
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
index f3c15d870..cb4752df9 100644
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -32,7 +32,7 @@
#include "certt.h"
#include "certdb.h"
-/* #include "secmod.h" */
+#include "secmod.h"
#include "pk11func.h"
#include "secoid.h"
@@ -3229,6 +3229,10 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
SECStatus rv;
SECItem data;
CERTCertTrust certTrust;
+ PK11SlotList *slotList;
+ PRBool falseAttributeFound = PR_FALSE;
+ PRBool trueAttributeFound = PR_FALSE;
+ const char *moz_policy_ca_info = NULL;
data.data = cert->derCert.data;
data.len = cert->derCert.len;
@@ -3238,6 +3242,35 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
if (rv) {
return (SECFailure);
}
+
+ slotList = PK11_GetAllSlotsForCert(cert, NULL);
+ if (slotList) {
+ PK11SlotListElement *se = PK11_GetFirstSafe(slotList);
+ for (; se; se = PK11_GetNextSafe(slotList, se, PR_FALSE)) {
+ CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(se->slot, cert, NULL);
+ if (handle != CK_INVALID_HANDLE) {
+ PORT_SetError(0);
+ if (PK11_HasAttributeSet(se->slot, handle,
+ CKA_NSS_MOZILLA_CA_POLICY, PR_FALSE)) {
+ trueAttributeFound = PR_TRUE;
+ } else if (!PORT_GetError()) {
+ falseAttributeFound = PR_TRUE;
+ }
+ }
+ }
+ PK11_FreeSlotList(slotList);
+ }
+
+ if (trueAttributeFound) {
+ moz_policy_ca_info = "true (attribute present)";
+ } else if (falseAttributeFound) {
+ moz_policy_ca_info = "false (attribute present)";
+ } else {
+ moz_policy_ca_info = "false (attribute missing)";
+ }
+ SECU_Indent(stdout, 1);
+ printf("Mozilla-CA-Policy: %s\n", moz_policy_ca_info);
+
if (trust) {
SECU_PrintTrustFlags(stdout, trust,
"Certificate Trust Flags", 1);
@@ -3833,45 +3866,97 @@ SECU_ParseSSLVersionRangeString(const char *input,
return SECSuccess;
}
-SECItem *
-SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str)
+SSLNamedGroup
+groupNameToNamedGroup(char *name)
{
- int i = 0;
- int byteval = 0;
- int tmp = PORT_Strlen(str);
+ if (PL_strlen(name) == 4) {
+ if (!strncmp(name, "P256", 4)) {
+ return ssl_grp_ec_secp256r1;
+ }
+ if (!strncmp(name, "P384", 4)) {
+ return ssl_grp_ec_secp384r1;
+ }
+ if (!strncmp(name, "P521", 4)) {
+ return ssl_grp_ec_secp521r1;
+ }
+ }
+ if (PL_strlen(name) == 6) {
+ if (!strncmp(name, "x25519", 6)) {
+ return ssl_grp_ec_curve25519;
+ }
+ if (!strncmp(name, "FF2048", 6)) {
+ return ssl_grp_ffdhe_2048;
+ }
+ if (!strncmp(name, "FF3072", 6)) {
+ return ssl_grp_ffdhe_3072;
+ }
+ if (!strncmp(name, "FF4096", 6)) {
+ return ssl_grp_ffdhe_4096;
+ }
+ if (!strncmp(name, "FF6144", 6)) {
+ return ssl_grp_ffdhe_6144;
+ }
+ if (!strncmp(name, "FF8192", 6)) {
+ return ssl_grp_ffdhe_8192;
+ }
+ }
- PORT_Assert(arena);
- PORT_Assert(item);
+ return ssl_grp_none;
+}
- if ((tmp % 2) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return NULL;
- }
+SECStatus
+parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
+ unsigned int *enabledGroupsCount)
+{
+ SSLNamedGroup *groups;
+ char *str;
+ char *p;
+ unsigned int numValues = 0;
+ unsigned int count = 0;
- item = SECITEM_AllocItem(arena, item, tmp / 2);
- if (item == NULL) {
- return NULL;
+ /* Count the number of groups. */
+ str = PORT_Strdup(arg);
+ if (!str) {
+ return SECFailure;
+ }
+ p = strtok(str, ",");
+ while (p) {
+ ++numValues;
+ p = strtok(NULL, ",");
+ }
+ PORT_Free(str);
+ str = NULL;
+ groups = PORT_ZNewArray(SSLNamedGroup, numValues);
+ if (!groups) {
+ goto done;
}
- while (str[i]) {
- if ((str[i] >= '0') && (str[i] <= '9')) {
- tmp = str[i] - '0';
- } else if ((str[i] >= 'a') && (str[i] <= 'f')) {
- tmp = str[i] - 'a' + 10;
- } else if ((str[i] >= 'A') && (str[i] <= 'F')) {
- tmp = str[i] - 'A' + 10;
- } else {
- /* item is in arena and gets freed by the caller */
- return NULL;
+ /* Get group names. */
+ str = PORT_Strdup(arg);
+ if (!str) {
+ goto done;
+ }
+ p = strtok(str, ",");
+ while (p) {
+ SSLNamedGroup group = groupNameToNamedGroup(p);
+ if (group == ssl_grp_none) {
+ count = 0;
+ goto done;
}
+ groups[count++] = group;
+ p = strtok(NULL, ",");
+ }
- byteval = byteval * 16 + tmp;
- if ((i % 2) != 0) {
- item->data[i / 2] = byteval;
- byteval = 0;
- }
- i++;
+done:
+ if (str) {
+ PORT_Free(str);
+ }
+ if (!count) {
+ PORT_Free(groups);
+ return SECFailure;
}
- return item;
+ *enabledGroupsCount = count;
+ *enabledGroups = groups;
+ return SECSuccess;
}
diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h
index 571615daa..fe07aca60 100644
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -18,6 +18,7 @@
#include "basicutil.h"
#include "sslerr.h"
#include "sslt.h"
+#include "blapi.h"
#define SEC_CT_PRIVATE_KEY "private-key"
#define SEC_CT_PUBLIC_KEY "public-key"
@@ -402,11 +403,10 @@ SECStatus
SECU_ParseSSLVersionRangeString(const char *input,
const SSLVersionRange defaultVersionRange,
SSLVersionRange *vrange);
-/*
-** Read a hex string into a SecItem.
-*/
-extern SECItem *SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item,
- const char *str);
+
+SECStatus parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
+ unsigned int *enabledGroupsCount);
+SSLNamedGroup groupNameToNamedGroup(char *name);
/*
*
diff --git a/security/nss/cmd/lowhashtest/manifest.mn b/security/nss/cmd/lowhashtest/manifest.mn
index f493571e5..db10daada 100644
--- a/security/nss/cmd/lowhashtest/manifest.mn
+++ b/security/nss/cmd/lowhashtest/manifest.mn
@@ -22,3 +22,4 @@ CSRCS = \
lowhashtest.c \
$(NULL)
+USE_STATIC_LIBS = 1
diff --git a/security/nss/cmd/modutil/pk11.c b/security/nss/cmd/modutil/pk11.c
index 9c460ecd8..834469af1 100644
--- a/security/nss/cmd/modutil/pk11.c
+++ b/security/nss/cmd/modutil/pk11.c
@@ -397,6 +397,7 @@ static void
printModule(SECMODModule *module, int *count)
{
int slotCount = module->loaded ? module->slotCount : 0;
+ char *modUri;
int i;
if ((*count)++) {
@@ -408,6 +409,11 @@ printModule(SECMODModule *module, int *count)
PR_fprintf(PR_STDOUT, "\tlibrary name: %s\n", module->dllName);
}
+ modUri = PK11_GetModuleURI(module);
+ if (modUri) {
+ PR_fprintf(PR_STDOUT, "\t uri: %s\n", modUri);
+ PORT_Free(modUri);
+ }
if (slotCount == 0) {
PR_fprintf(PR_STDOUT,
"\t slots: There are no slots attached to this module\n");
@@ -425,10 +431,12 @@ printModule(SECMODModule *module, int *count)
/* Print slot and token names */
for (i = 0; i < slotCount; i++) {
PK11SlotInfo *slot = module->slots[i];
-
+ char *tokenUri = PK11_GetTokenURI(slot);
PR_fprintf(PR_STDOUT, "\n");
PR_fprintf(PR_STDOUT, "\t slot: %s\n", PK11_GetSlotName(slot));
PR_fprintf(PR_STDOUT, "\ttoken: %s\n", PK11_GetTokenName(slot));
+ PR_fprintf(PR_STDOUT, "\t uri: %s\n", tokenUri);
+ PORT_Free(tokenUri);
}
return;
}
@@ -494,7 +502,7 @@ static char *disableReasonStr[] = {
"could not verify token",
"token not present"
};
-static int numDisableReasonStr =
+static size_t numDisableReasonStr =
sizeof(disableReasonStr) / sizeof(disableReasonStr[0]);
/***********************************************************************
@@ -513,7 +521,7 @@ ListModule(char *moduleName)
CK_SLOT_INFO slotinfo;
CK_TOKEN_INFO tokeninfo;
char *ciphers, *mechanisms;
- PK11DisableReasons reason;
+ size_t reasonIdx;
Error rv = SUCCESS;
if (!moduleName) {
@@ -604,10 +612,10 @@ ListModule(char *moduleName)
PR_fprintf(PR_STDOUT, PAD "Firmware Version: %d.%d\n",
slotinfo.firmwareVersion.major, slotinfo.firmwareVersion.minor);
if (PK11_IsDisabled(slot)) {
- reason = PK11_GetDisabledReason(slot);
- if (reason < numDisableReasonStr) {
+ reasonIdx = PK11_GetDisabledReason(slot);
+ if (reasonIdx < numDisableReasonStr) {
PR_fprintf(PR_STDOUT, PAD "Status: DISABLED (%s)\n",
- disableReasonStr[reason]);
+ disableReasonStr[reasonIdx]);
} else {
PR_fprintf(PR_STDOUT, PAD "Status: DISABLED\n");
}
diff --git a/security/nss/cmd/mpitests/mpitests.gyp b/security/nss/cmd/mpitests/mpitests.gyp
index 270b63ab8..346d23131 100644
--- a/security/nss/cmd/mpitests/mpitests.gyp
+++ b/security/nss/cmd/mpitests/mpitests.gyp
@@ -14,7 +14,16 @@
'mpi-test.c',
],
'dependencies': [
- '<(DEPTH)/lib/freebl/freebl.gyp:<(freebl_name)',
+ '<(DEPTH)/exports.gyp:nss_exports',
+ '<(DEPTH)/lib/util/util.gyp:nssutil3',
+ '<(DEPTH)/lib/nss/nss.gyp:nss_static',
+ '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static',
+ '<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi',
+ '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
+ '<(DEPTH)/lib/certdb/certdb.gyp:certdb',
+ '<(DEPTH)/lib/base/base.gyp:nssb',
+ '<(DEPTH)/lib/dev/dev.gyp:nssdev',
+ '<(DEPTH)/lib/pki/pki.gyp:nsspki',
]
}
],
@@ -22,7 +31,18 @@
'include_dirs': [
'<(DEPTH)/lib/freebl/mpi',
'<(DEPTH)/lib/util',
- ]
+ ],
+ # This uses test builds and has to set defines for MPI.
+ 'conditions': [
+ [ 'target_arch=="ia32"', {
+ 'defines': [
+ 'MP_USE_UINT_DIGIT',
+ 'MP_ASSEMBLY_MULTIPLY',
+ 'MP_ASSEMBLY_SQUARE',
+ 'MP_ASSEMBLY_DIV_2DX1D',
+ ],
+ }],
+ ],
},
'variables': {
'module': 'nss'
diff --git a/security/nss/cmd/pk12util/pk12util.c b/security/nss/cmd/pk12util/pk12util.c
index cca27cbf6..0ac1ba00e 100644
--- a/security/nss/cmd/pk12util/pk12util.c
+++ b/security/nss/cmd/pk12util/pk12util.c
@@ -615,11 +615,7 @@ P12U_ExportPKCS12Object(char *nn, char *outfile, PK11SlotInfo *inSlot,
}
if (certlist) {
- CERTCertificate *cert = NULL;
- node = CERT_LIST_HEAD(certlist);
- if (node) {
- cert = node->cert;
- }
+ CERTCertificate *cert = CERT_LIST_HEAD(certlist)->cert;
if (cert) {
slot = cert->slot; /* use the slot from the first matching
certificate to create the context . This is for keygen */
@@ -861,6 +857,9 @@ p12u_EnableAllCiphers()
SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1);
SEC_PKCS12EnableCipher(PKCS12_DES_56, 1);
SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1);
+ SEC_PKCS12EnableCipher(PKCS12_AES_CBC_128, 1);
+ SEC_PKCS12EnableCipher(PKCS12_AES_CBC_192, 1);
+ SEC_PKCS12EnableCipher(PKCS12_AES_CBC_256, 1);
SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
}
@@ -1059,7 +1058,7 @@ main(int argc, char **argv)
certCipher = PKCS12U_MapCipherFromString(cipherString, certKeyLen);
/* If the user requested a cipher and we didn't find it, then
* don't just silently not encrypt. */
- if (cipher == SEC_OID_UNKNOWN) {
+ if (certCipher == SEC_OID_UNKNOWN) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
SECU_PrintError(progName, "Algorithm: \"%s\"", cipherString);
pk12uErrno = PK12UERR_INVALIDALGORITHM;
diff --git a/security/nss/cmd/platlibs.gypi b/security/nss/cmd/platlibs.gypi
index 5c3cc34e2..9963bdd33 100644
--- a/security/nss/cmd/platlibs.gypi
+++ b/security/nss/cmd/platlibs.gypi
@@ -32,9 +32,8 @@
'<(DEPTH)/lib/dev/dev.gyp:nssdev',
'<(DEPTH)/lib/base/base.gyp:nssb',
'<(DEPTH)/lib/freebl/freebl.gyp:freebl',
- '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap',
- '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
'<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3',
+ '<(DEPTH)/lib/libpkix/libpkix.gyp:libpkix',
],
'conditions': [
[ 'disable_dbm==0', {
@@ -43,21 +42,6 @@
'<(DEPTH)/lib/softoken/legacydb/legacydb.gyp:nssdbm',
],
}],
- [ 'disable_libpkix==0', {
- 'dependencies': [
- '<(DEPTH)/lib/libpkix/pkix/certsel/certsel.gyp:pkixcertsel',
- '<(DEPTH)/lib/libpkix/pkix/checker/checker.gyp:pkixchecker',
- '<(DEPTH)/lib/libpkix/pkix/params/params.gyp:pkixparams',
- '<(DEPTH)/lib/libpkix/pkix/results/results.gyp:pkixresults',
- '<(DEPTH)/lib/libpkix/pkix/top/top.gyp:pkixtop',
- '<(DEPTH)/lib/libpkix/pkix/util/util.gyp:pkixutil',
- '<(DEPTH)/lib/libpkix/pkix/crlsel/crlsel.gyp:pkixcrlsel',
- '<(DEPTH)/lib/libpkix/pkix/store/store.gyp:pkixstore',
- '<(DEPTH)/lib/libpkix/pkix_pl_nss/pki/pki.gyp:pkixpki',
- '<(DEPTH)/lib/libpkix/pkix_pl_nss/system/system.gyp:pkixsystem',
- '<(DEPTH)/lib/libpkix/pkix_pl_nss/module/module.gyp:pkixmodule'
- ],
- }],
]},{ # !use_static_libs
'conditions': [
['moz_fold_libs==0', {
diff --git a/security/nss/cmd/platlibs.mk b/security/nss/cmd/platlibs.mk
index 032eed07b..a59d03d06 100644
--- a/security/nss/cmd/platlibs.mk
+++ b/security/nss/cmd/platlibs.mk
@@ -32,6 +32,12 @@ else
DBMLIB = $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX)
endif
+ifeq ($(NSS_BUILD_UTIL_ONLY),1)
+SECTOOL_LIB = $(NULL)
+else
+SECTOOL_LIB = $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX)
+endif
+
ifdef USE_STATIC_LIBS
DEFINES += -DNSS_USE_STATIC_LIBS
@@ -70,20 +76,10 @@ endif
endif
NSS_LIBS_1=
-SECTOOL_LIB=
NSS_LIBS_2=
NSS_LIBS_3=
NSS_LIBS_4=
-ifneq ($(NSS_BUILD_UTIL_ONLY),1)
-SECTOOL_LIB = \
- $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
- $(NULL)
-else
-SECTOOL_LIB = \
- $(NULL)
-endif
-
ifneq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
ifeq ($(OS_ARCH), WINNT)
# breakdown for windows
@@ -121,9 +117,6 @@ NSS_LIBS_1 = \
$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
$(NULL)
-SECTOOL_LIB = \
- $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
- $(NULL)
NSS_LIBS_2 = \
$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
@@ -201,7 +194,7 @@ ifeq ($(OS_ARCH), WINNT)
# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
EXTRA_LIBS += \
- $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+ $(SECTOOL_LIB) \
$(NSSUTIL_LIB_DIR)/$(IMPORT_LIB_PREFIX)nssutil3$(IMPORT_LIB_SUFFIX) \
$(DIST)/lib/$(IMPORT_LIB_PREFIX)smime3$(IMPORT_LIB_SUFFIX) \
$(DIST)/lib/$(IMPORT_LIB_PREFIX)ssl3$(IMPORT_LIB_SUFFIX) \
@@ -220,7 +213,7 @@ else
# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
EXTRA_LIBS += \
- $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+ $(SECTOOL_LIB) \
$(NULL)
ifeq ($(OS_ARCH), AIX)
@@ -231,9 +224,6 @@ endif
# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
- -lssl3 \
- -lsmime3 \
- -lnss3 \
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
@@ -241,6 +231,14 @@ EXTRA_SHARED_LIBS += \
-lplds4 \
-lnspr4 \
$(NULL)
+ifndef NSS_BUILD_UTIL_ONLY
+ifndef NSS_BUILD_SOFTOKEN_ONLY
+EXTRA_SHARED_LIBS += \
+ -lssl3 \
+ -lsmime3 \
+ -lnss3
+endif
+endif
endif
ifdef SOFTOKEN_LIB_DIR
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index f34af7d74..65b1ee304 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -159,7 +159,7 @@ static void
PrintUsageHeader(const char *progName)
{
fprintf(stderr,
- "Usage: %s -n rsa_nickname -p port [-BDENRbjlmrsuvx] [-w password]\n"
+ "Usage: %s -n rsa_nickname -p port [-BDENRZbjlmrsuvx] [-w password]\n"
" [-t threads] [-i pid_file] [-c ciphers] [-Y] [-d dbdir] [-g numblocks]\n"
" [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
" [-V [min-version]:[max-version]] [-a sni_name]\n"
@@ -169,7 +169,8 @@ PrintUsageHeader(const char *progName)
" [-e ec_nickname]"
#endif /* NSS_DISABLE_ECC */
"\n"
- " -U [0|1] -H [0|1|2] -W [0|1]\n",
+ " -U [0|1] -H [0|1|2] -W [0|1]\n"
+ "\n",
progName);
}
@@ -219,7 +220,7 @@ PrintParameterUsage()
"-A <ca> Nickname of a CA used to sign a stapled cert status\n"
"-U override default ECDHE ephemeral key reuse, 0: refresh, 1: reuse\n"
"-H override default DHE server support, 0: disable, 1: enable, "
- " 2: require DH named groups\n"
+ " 2: require DH named groups [RFC7919]\n"
"-W override default DHE server weak parameters support, 0: disable, 1: enable\n"
"-c Restrict ciphers\n"
"-Y prints cipher values allowed for parameter -c and exits\n"
@@ -227,7 +228,8 @@ PrintParameterUsage()
"-Q enables ALPN for HTTP/1.1 [RFC7301]\n"
"-I comma separated list of enabled groups for TLS key exchange.\n"
" The following values are valid:\n"
- " P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n",
+ " P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n"
+ "-Z enable 0-RTT (for TLS 1.3; also use -u)\n",
stderr);
}
@@ -2305,7 +2307,9 @@ main(int argc, char **argv)
if (SECU_ParseSSLVersionRangeString(optstate->value,
enabledVersions, &enabledVersions) !=
SECSuccess) {
+ fprintf(stderr, "Bad version specified.\n");
Usage(progName);
+ exit(1);
}
break;
diff --git a/security/nss/cmd/smimetools/cmsutil.c b/security/nss/cmd/smimetools/cmsutil.c
index f3587d016..10e743c6b 100644
--- a/security/nss/cmd/smimetools/cmsutil.c
+++ b/security/nss/cmd/smimetools/cmsutil.c
@@ -84,7 +84,7 @@ Usage(char *progName)
" where id can be a certificate nickname or email address\n"
" -S create a CMS signed data message\n"
" -G include a signing time attribute\n"
- " -H hash use hash (default:SHA1)\n"
+ " -H hash use hash (default:SHA256)\n"
" -N nick use certificate named \"nick\" for signing\n"
" -P include a SMIMECapabilities attribute\n"
" -T do not include content in CMS message\n"
@@ -1097,7 +1097,7 @@ main(int argc, char **argv)
signOptions.signingTime = PR_FALSE;
signOptions.smimeProfile = PR_FALSE;
signOptions.encryptionKeyPreferenceNick = NULL;
- signOptions.hashAlgTag = SEC_OID_SHA1;
+ signOptions.hashAlgTag = SEC_OID_SHA256;
envelopeOptions.recipients = NULL;
encryptOptions.recipients = NULL;
encryptOptions.envmsg = NULL;
diff --git a/security/nss/cmd/smimetools/smime b/security/nss/cmd/smimetools/smime
index 634c3fbb4..e67f6bedc 100755
--- a/security/nss/cmd/smimetools/smime
+++ b/security/nss/cmd/smimetools/smime
@@ -199,8 +199,8 @@ sub signentity($$)
# construct a new multipart/signed MIME entity consisting of the original content and
# the signature
#
- # (we assume that cmsutil generates a SHA1 digest)
- $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha1; boundary=\"${boundary}\"\n";
+ # (we assume that cmsutil generates a SHA256 digest)
+ $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha256; boundary=\"${boundary}\"\n";
$out .= "\n"; # end of entity header
$out .= "This is a cryptographically signed message in MIME format.\n"; # explanatory comment
$out .= "\n--${boundary}\n";
diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c
index 209dcca96..f65e31913 100644
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -1350,6 +1350,7 @@ main(int argc, char **argv)
if (SECU_ParseSSLVersionRangeString(optstate->value,
enabledVersions, &enabledVersions) !=
SECSuccess) {
+ fprintf(stderr, "Bad version specified.\n");
Usage(progName);
}
break;
diff --git a/security/nss/cmd/symkeyutil/symkeyutil.c b/security/nss/cmd/symkeyutil/symkeyutil.c
index 6170cc3c5..444456808 100644
--- a/security/nss/cmd/symkeyutil/symkeyutil.c
+++ b/security/nss/cmd/symkeyutil/symkeyutil.c
@@ -233,6 +233,9 @@ BufToHex(SECItem *outbuf)
unsigned int i;
string = PORT_Alloc(len);
+ if (!string) {
+ return NULL;
+ }
ptr = string;
for (i = 0; i < outbuf->len; i++) {
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
index eb114e935..959afec59 100644
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -169,20 +169,6 @@ printSecurityInfo(PRFileDesc *fd)
}
}
-void
-handshakeCallback(PRFileDesc *fd, void *client_data)
-{
- const char *secondHandshakeName = (char *)client_data;
- if (secondHandshakeName) {
- SSL_SetURL(fd, secondHandshakeName);
- }
- printSecurityInfo(fd);
- if (renegotiationsDone < renegotiationsToDo) {
- SSL_ReHandshake(fd, (renegotiationsToDo < 2));
- ++renegotiationsDone;
- }
-}
-
static void
PrintUsageHeader(const char *progName)
{
@@ -192,7 +178,8 @@ PrintUsageHeader(const char *progName)
"[-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z]\n"
"[-V [min-version]:[max-version]] [-K] [-T] [-U]\n"
"[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]] [-I groups]\n"
- "[-A requestfile] [-L totalconnections]",
+ "[-A requestfile] [-L totalconnections]\n"
+ "\n",
progName);
}
@@ -256,9 +243,7 @@ PrintParameterUsage(void)
fprintf(stderr, "%-20s Enforce using an IPv6 destination address\n", "-6");
fprintf(stderr, "%-20s (Options -4 and -6 cannot be combined.)\n", "");
fprintf(stderr, "%-20s Enable the extended master secret extension [RFC7627]\n", "-G");
- fprintf(stderr, "%-20s Require the use of FFDHE supported groups "
- "[I-D.ietf-tls-negotiated-ff-dhe]\n",
- "-H");
+ fprintf(stderr, "%-20s Require the use of FFDHE supported groups [RFC7919]\n", "-H");
fprintf(stderr, "%-20s Read from a file instead of stdin\n", "-A");
fprintf(stderr, "%-20s Allow 0-RTT data (TLS 1.3 only)\n", "-Z");
fprintf(stderr, "%-20s Disconnect and reconnect up to N times total\n", "-L");
@@ -889,6 +874,10 @@ restartHandshakeAfterServerCertIfNeeded(PRFileDesc *fd,
if (SSL_AuthCertificateComplete(fd, error) != SECSuccess) {
rv = SECFailure;
+ } else {
+ /* restore the original error code, which could be reset by
+ * SSL_AuthCertificateComplete */
+ PORT_SetError(error);
}
return rv;
@@ -923,13 +912,19 @@ PRUint16 portno = 443;
int override = 0;
char *requestString = NULL;
PRInt32 requestStringLen = 0;
+PRBool requestSent = PR_FALSE;
PRBool enableZeroRtt = PR_FALSE;
static int
-writeBytesToServer(PRFileDesc *s, PRPollDesc *pollset, const char *buf, int nb)
+writeBytesToServer(PRFileDesc *s, const char *buf, int nb)
{
SECStatus rv;
const char *bufp = buf;
+ PRPollDesc pollDesc;
+
+ pollDesc.in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT;
+ pollDesc.out_flags = 0;
+ pollDesc.fd = s;
FPRINTF(stderr, "%s: Writing %d bytes to server\n",
progName, nb);
@@ -956,12 +951,12 @@ writeBytesToServer(PRFileDesc *s, PRPollDesc *pollset, const char *buf, int nb)
return EXIT_CODE_HANDSHAKE_FAILED;
}
- pollset[SSOCK_FD].in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT;
- pollset[SSOCK_FD].out_flags = 0;
+ pollDesc.in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT;
+ pollDesc.out_flags = 0;
FPRINTF(stderr,
"%s: about to call PR_Poll on writable socket !\n",
progName);
- cc = PR_Poll(pollset, 1, PR_INTERVAL_NO_TIMEOUT);
+ cc = PR_Poll(&pollDesc, 1, PR_INTERVAL_NO_TIMEOUT);
if (cc < 0) {
SECU_PrintError(progName,
"PR_Poll failed");
@@ -975,6 +970,36 @@ writeBytesToServer(PRFileDesc *s, PRPollDesc *pollset, const char *buf, int nb)
return 0;
}
+void
+handshakeCallback(PRFileDesc *fd, void *client_data)
+{
+ const char *secondHandshakeName = (char *)client_data;
+ if (secondHandshakeName) {
+ SSL_SetURL(fd, secondHandshakeName);
+ }
+ printSecurityInfo(fd);
+ if (renegotiationsDone < renegotiationsToDo) {
+ SSL_ReHandshake(fd, (renegotiationsToDo < 2));
+ ++renegotiationsDone;
+ }
+ if (requestString && requestSent) {
+ /* This data was sent in 0-RTT. */
+ SSLChannelInfo info;
+ SECStatus rv;
+
+ rv = SSL_GetChannelInfo(fd, &info, sizeof(info));
+ if (rv != SECSuccess)
+ return;
+
+ if (!info.earlyDataAccepted) {
+ FPRINTF(stderr, "Early data rejected. Re-sending\n");
+ writeBytesToServer(fd, requestString, requestStringLen);
+ }
+ }
+}
+
+#define REQUEST_WAITING (requestString && !requestSent)
+
static int
run_client(void)
{
@@ -988,7 +1013,8 @@ run_client(void)
PRFileDesc *std_out;
PRPollDesc pollset[2];
PRBool wrStarted = PR_FALSE;
- char *requestStringInt = requestString;
+
+ requestSent = PR_FALSE;
/* Create socket */
s = PR_OpenTCPSocket(addr.raw.family);
@@ -1245,7 +1271,7 @@ run_client(void)
pollset[SSOCK_FD].in_flags = PR_POLL_EXCEPT |
(clientSpeaksFirst ? 0 : PR_POLL_READ);
pollset[STDIN_FD].fd = PR_GetSpecialFD(PR_StandardInput);
- if (!requestStringInt) {
+ if (!REQUEST_WAITING) {
pollset[STDIN_FD].in_flags = PR_POLL_READ;
npds = 2;
} else {
@@ -1295,7 +1321,7 @@ run_client(void)
*/
FPRINTF(stderr, "%s: ready...\n", progName);
while ((pollset[SSOCK_FD].in_flags | pollset[STDIN_FD].in_flags) ||
- requestStringInt) {
+ REQUEST_WAITING) {
char buf[4000]; /* buffer for stdin */
int nb; /* num bytes read from stdin. */
@@ -1333,13 +1359,12 @@ run_client(void)
"%s: PR_Poll returned 0x%02x for socket out_flags.\n",
progName, pollset[SSOCK_FD].out_flags);
}
- if (requestStringInt) {
- error = writeBytesToServer(s, pollset,
- requestStringInt, requestStringLen);
+ if (REQUEST_WAITING) {
+ error = writeBytesToServer(s, requestString, requestStringLen);
if (error) {
goto done;
}
- requestStringInt = NULL;
+ requestSent = PR_TRUE;
pollset[SSOCK_FD].in_flags = PR_POLL_READ;
}
if (pollset[STDIN_FD].out_flags & PR_POLL_READ) {
@@ -1356,7 +1381,7 @@ run_client(void)
/* EOF on stdin, stop polling stdin for read. */
pollset[STDIN_FD].in_flags = 0;
} else {
- error = writeBytesToServer(s, pollset, buf, nb);
+ error = writeBytesToServer(s, buf, nb);
if (error) {
goto done;
}
@@ -1487,7 +1512,7 @@ main(int argc, char **argv)
/* XXX: 'B' was used in the past but removed in 3.28,
* please leave some time before resuing it. */
optstate = PL_CreateOptState(argc, argv,
- "46A:CDFGHI:KL:M:OR:STUV:WYZa:bc:d:fgh:m:n:op:qr:st:uvw:z");
+ "46A:CDFGHI:KL:M:OR:STUV:W:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z");
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
@@ -1588,6 +1613,7 @@ main(int argc, char **argv)
if (SECU_ParseSSLVersionRangeString(optstate->value,
enabledVersions, &enabledVersions) !=
SECSuccess) {
+ fprintf(stderr, "Bad version specified.\n");
Usage(progName);
}
break;