summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/softoken
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/softoken')
-rw-r--r--security/nss/lib/softoken/fipstest.c9
-rw-r--r--security/nss/lib/softoken/fipstokn.c33
-rw-r--r--security/nss/lib/softoken/legacydb/keydb.c8
-rw-r--r--security/nss/lib/softoken/legacydb/lgattr.c12
-rw-r--r--security/nss/lib/softoken/legacydb/lgcreate.c15
-rw-r--r--security/nss/lib/softoken/legacydb/lgfips.c4
-rw-r--r--security/nss/lib/softoken/legacydb/lginit.c4
-rw-r--r--security/nss/lib/softoken/legacydb/lowcert.c2
-rw-r--r--security/nss/lib/softoken/legacydb/lowkey.c7
-rw-r--r--security/nss/lib/softoken/legacydb/lowkeyi.h5
-rw-r--r--security/nss/lib/softoken/legacydb/lowkeyti.h2
-rw-r--r--security/nss/lib/softoken/legacydb/pcertdb.c10
-rw-r--r--security/nss/lib/softoken/lowkey.c12
-rw-r--r--security/nss/lib/softoken/lowkeyi.h2
-rw-r--r--security/nss/lib/softoken/lowkeyti.h2
-rw-r--r--security/nss/lib/softoken/pkcs11.c66
-rw-r--r--security/nss/lib/softoken/pkcs11c.c239
-rw-r--r--security/nss/lib/softoken/pkcs11i.h1
-rw-r--r--security/nss/lib/softoken/pkcs11u.c8
-rw-r--r--security/nss/lib/softoken/sdb.c105
-rw-r--r--security/nss/lib/softoken/sdb.h4
-rw-r--r--security/nss/lib/softoken/sftkdb.c84
-rw-r--r--security/nss/lib/softoken/sftkdbti.h1
-rw-r--r--security/nss/lib/softoken/sftkpwd.c11
-rw-r--r--security/nss/lib/softoken/softkver.h10
-rw-r--r--security/nss/lib/softoken/softoknt.h3
26 files changed, 196 insertions, 463 deletions
diff --git a/security/nss/lib/softoken/fipstest.c b/security/nss/lib/softoken/fipstest.c
index 0cca74d6e..3563bd2d2 100644
--- a/security/nss/lib/softoken/fipstest.c
+++ b/security/nss/lib/softoken/fipstest.c
@@ -5,7 +5,6 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-#ifndef NSS_FIPS_DISABLED
#include "seccomon.h"
#include "blapi.h"
#include "softoken.h"
@@ -653,11 +652,3 @@ sftk_FIPSEntryOK()
}
return CKR_OK;
}
-#else
-#include "pkcs11t.h"
-CK_RV
-sftk_FIPSEntryOK()
-{
- return CKR_DEVICE_ERROR;
-}
-#endif /* NSS_FIPS_DISABLED */
diff --git a/security/nss/lib/softoken/fipstokn.c b/security/nss/lib/softoken/fipstokn.c
index ca7d7998a..fd4fd4207 100644
--- a/security/nss/lib/softoken/fipstokn.c
+++ b/security/nss/lib/softoken/fipstokn.c
@@ -540,10 +540,7 @@ FC_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
crv = NSC_GetTokenInfo(slotID, pInfo);
if (crv == CKR_OK) {
- /* use the global database to figure out if we are running in
- * FIPS 140 Level 1 or Level 2 */
- if (slotID == FIPS_SLOT_ID &&
- (pInfo->flags & CKF_LOGIN_REQUIRED) == 0) {
+ if ((pInfo->flags & CKF_LOGIN_REQUIRED) == 0) {
isLevel2 = PR_FALSE;
}
}
@@ -619,8 +616,7 @@ FC_InitPIN(CK_SESSION_HANDLE hSession,
* we need to make sure the pin meets FIPS requirements */
if ((ulPinLen == 0) || ((rv = sftk_newPinCheck(pPin, ulPinLen)) == CKR_OK)) {
rv = NSC_InitPIN(hSession, pPin, ulPinLen);
- if ((rv == CKR_OK) &&
- (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
+ if (rv == CKR_OK) {
isLevel2 = (ulPinLen > 0) ? PR_TRUE : PR_FALSE;
}
}
@@ -648,8 +644,7 @@ FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
if ((rv = sftk_fipsCheck()) == CKR_OK &&
(rv = sftk_newPinCheck(pNewPin, usNewLen)) == CKR_OK) {
rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
- if ((rv == CKR_OK) &&
- (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
+ if (rv == CKR_OK) {
/* if we set the password in level1 we now go
* to level2. NOTE: we don't allow the user to
* go from level2 to level1 */
@@ -710,23 +705,11 @@ FC_GetSessionInfo(CK_SESSION_HANDLE hSession,
rv = NSC_GetSessionInfo(hSession, pInfo);
if (rv == CKR_OK) {
- /* handle the case where the auxilary slot doesn't require login.
- * piggy back on the main token's login state */
- if (isLoggedIn &&
- ((pInfo->state == CKS_RO_PUBLIC_SESSION) ||
- (pInfo->state == CKS_RW_PUBLIC_SESSION))) {
- CK_RV crv;
- CK_TOKEN_INFO tInfo;
- crv = NSC_GetTokenInfo(sftk_SlotIDFromSessionHandle(hSession),
- &tInfo);
- /* if the token doesn't login, use our global login state */
- if ((crv == CKR_OK) && ((tInfo.flags & CKF_LOGIN_REQUIRED) == 0)) {
- if (pInfo->state == CKS_RO_PUBLIC_SESSION) {
- pInfo->state = CKS_RO_USER_FUNCTIONS;
- } else {
- pInfo->state = CKS_RW_USER_FUNCTIONS;
- }
- }
+ if ((isLoggedIn) && (pInfo->state == CKS_RO_PUBLIC_SESSION)) {
+ pInfo->state = CKS_RO_USER_FUNCTIONS;
+ }
+ if ((isLoggedIn) && (pInfo->state == CKS_RW_PUBLIC_SESSION)) {
+ pInfo->state = CKS_RW_USER_FUNCTIONS;
}
}
return rv;
diff --git a/security/nss/lib/softoken/legacydb/keydb.c b/security/nss/lib/softoken/legacydb/keydb.c
index b4aa7754b..178e333ec 100644
--- a/security/nss/lib/softoken/legacydb/keydb.c
+++ b/security/nss/lib/softoken/legacydb/keydb.c
@@ -1137,10 +1137,12 @@ nsslowkey_KeyForCertExists(NSSLOWKEYDBHandle *handle, NSSLOWCERTCertificate *cer
namekey.data = pubkey->u.dh.publicValue.data;
namekey.size = pubkey->u.dh.publicValue.len;
break;
+#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
namekey.data = pubkey->u.ec.publicValue.data;
namekey.size = pubkey->u.ec.publicValue.len;
break;
+#endif /* NSS_DISABLE_ECC */
default:
/* XXX We don't do Fortezza or DH yet. */
return PR_FALSE;
@@ -1465,10 +1467,12 @@ seckey_encrypt_private_key(PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk,
SECItem *der_item = NULL;
SECItem *cipherText = NULL;
SECItem *dummy = NULL;
+#ifndef NSS_DISABLE_ECC
#ifdef EC_DEBUG
SECItem *fordebug = NULL;
#endif
int savelen;
+#endif
temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
if (temparena == NULL)
@@ -1544,6 +1548,7 @@ seckey_encrypt_private_key(PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk,
goto loser;
}
break;
+#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
lg_prepare_low_ec_priv_key_for_asn1(pk);
/* Public value is encoded as a bit string so adjust length
@@ -1584,6 +1589,7 @@ seckey_encrypt_private_key(PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk,
#endif
break;
+#endif /* NSS_DISABLE_ECC */
default:
/* We don't support DH or Fortezza private keys yet */
PORT_Assert(PR_FALSE);
@@ -1803,6 +1809,7 @@ seckey_decrypt_private_key(SECItem *epki,
lg_nsslowkey_DHPrivateKeyTemplate,
&newPrivateKey);
break;
+#ifndef NSS_DISABLE_ECC
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
pk->keyType = NSSLOWKEYECKey;
lg_prepare_low_ec_priv_key_for_asn1(pk);
@@ -1842,6 +1849,7 @@ seckey_decrypt_private_key(SECItem *epki,
}
break;
+#endif /* NSS_DISABLE_ECC */
default:
rv = SECFailure;
break;
diff --git a/security/nss/lib/softoken/legacydb/lgattr.c b/security/nss/lib/softoken/legacydb/lgattr.c
index 542b0c968..5c2cbdbc6 100644
--- a/security/nss/lib/softoken/legacydb/lgattr.c
+++ b/security/nss/lib/softoken/legacydb/lgattr.c
@@ -133,7 +133,7 @@ lg_CopyAttribute(CK_ATTRIBUTE *attr, CK_ATTRIBUTE_TYPE type,
attr->ulValueLen = (CK_ULONG)-1;
return CKR_BUFFER_TOO_SMALL;
}
- if (len > 0 && value != NULL) {
+ if (value != NULL) {
PORT_Memcpy(attr->pValue, value, len);
}
attr->ulValueLen = len;
@@ -421,9 +421,11 @@ lg_GetPubItem(NSSLOWKEYPublicKey *pubKey)
case NSSLOWKEYDHKey:
pubItem = &pubKey->u.dh.publicValue;
break;
+#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
pubItem = &pubKey->u.ec.publicValue;
break;
+#endif /* NSS_DISABLE_ECC */
default:
break;
}
@@ -542,6 +544,7 @@ lg_FindDHPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
return lg_invalidAttribute(attribute);
}
+#ifndef NSS_DISABLE_ECC
static CK_RV
lg_FindECPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
CK_ATTRIBUTE *attribute)
@@ -591,6 +594,7 @@ lg_FindECPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
}
return lg_invalidAttribute(attribute);
}
+#endif /* NSS_DISABLE_ECC */
static CK_RV
lg_FindPublicKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
@@ -641,8 +645,10 @@ lg_FindPublicKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
return lg_FindDSAPublicKeyAttribute(key, type, attribute);
case NSSLOWKEYDHKey:
return lg_FindDHPublicKeyAttribute(key, type, attribute);
+#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
return lg_FindECPublicKeyAttribute(key, type, attribute);
+#endif /* NSS_DISABLE_ECC */
default:
break;
}
@@ -929,6 +935,7 @@ lg_FindDHPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
return lg_invalidAttribute(attribute);
}
+#ifndef NSS_DISABLE_ECC
static CK_RV
lg_FindECPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
CK_ATTRIBUTE *attribute, SDB *sdbpw)
@@ -966,6 +973,7 @@ lg_FindECPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
}
return lg_invalidAttribute(attribute);
}
+#endif /* NSS_DISABLE_ECC */
static CK_RV
lg_FindPrivateKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
@@ -1012,8 +1020,10 @@ lg_FindPrivateKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
return lg_FindDSAPrivateKeyAttribute(key, type, attribute, obj->sdb);
case NSSLOWKEYDHKey:
return lg_FindDHPrivateKeyAttribute(key, type, attribute, obj->sdb);
+#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
return lg_FindECPrivateKeyAttribute(key, type, attribute, obj->sdb);
+#endif /* NSS_DISABLE_ECC */
default:
break;
}
diff --git a/security/nss/lib/softoken/legacydb/lgcreate.c b/security/nss/lib/softoken/legacydb/lgcreate.c
index f2b2aa634..a0d2b2e57 100644
--- a/security/nss/lib/softoken/legacydb/lgcreate.c
+++ b/security/nss/lib/softoken/legacydb/lgcreate.c
@@ -398,17 +398,21 @@ lg_createPublicKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
NSSLOWKEYPrivateKey *priv;
SECItem pubKeySpace = { siBuffer, NULL, 0 };
SECItem *pubKey;
+#ifndef NSS_DISABLE_ECC
SECItem pubKey2Space = { siBuffer, NULL, 0 };
PLArenaPool *arena = NULL;
+#endif /* NSS_DISABLE_ECC */
NSSLOWKEYDBHandle *keyHandle = NULL;
switch (key_type) {
case CKK_RSA:
pubKeyAttr = CKA_MODULUS;
break;
+#ifndef NSS_DISABLE_ECC
case CKK_EC:
pubKeyAttr = CKA_EC_POINT;
break;
+#endif /* NSS_DISABLE_ECC */
case CKK_DSA:
case CKK_DH:
break;
@@ -421,6 +425,7 @@ lg_createPublicKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
if (crv != CKR_OK)
return crv;
+#ifndef NSS_DISABLE_ECC
if (key_type == CKK_EC) {
SECStatus rv;
/*
@@ -443,6 +448,7 @@ lg_createPublicKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
pubKey = &pubKey2Space;
}
}
+#endif /* NSS_DISABLE_ECC */
PORT_Assert(pubKey->data);
if (pubKey->data == NULL) {
@@ -463,12 +469,14 @@ lg_createPublicKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
/* make sure the associated private key already exists */
/* only works if we are logged in */
priv = nsslowkey_FindKeyByPublicKey(keyHandle, pubKey, sdb /*password*/);
+#ifndef NSS_DISABLE_ECC
if (priv == NULL && pubKey == &pubKey2Space) {
/* no match on the decoded key, match the original pubkey */
pubKey = &pubKeySpace;
priv = nsslowkey_FindKeyByPublicKey(keyHandle, pubKey,
sdb /*password*/);
}
+#endif
if (priv == NULL) {
/* the legacy database can only 'store' public keys which already
* have their corresponding private keys in the database */
@@ -482,9 +490,10 @@ lg_createPublicKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
done:
PORT_Free(pubKeySpace.data);
- if (arena) {
+#ifndef NSS_DISABLE_ECC
+ if (arena)
PORT_FreeArena(arena, PR_FALSE);
- }
+#endif
return crv;
}
@@ -604,6 +613,7 @@ lg_mkPrivKey(SDB *sdb, const CK_ATTRIBUTE *templ, CK_ULONG count,
}
break;
+#ifndef NSS_DISABLE_ECC
case CKK_EC:
privKey->keyType = NSSLOWKEYECKey;
crv = lg_Attribute2SSecItem(arena, CKA_EC_PARAMS, templ, count,
@@ -636,6 +646,7 @@ lg_mkPrivKey(SDB *sdb, const CK_ATTRIBUTE *templ, CK_ULONG count,
if (rv != SECSuccess)
crv = CKR_HOST_MEMORY;
break;
+#endif /* NSS_DISABLE_ECC */
default:
crv = CKR_KEY_TYPE_INCONSISTENT;
diff --git a/security/nss/lib/softoken/legacydb/lgfips.c b/security/nss/lib/softoken/legacydb/lgfips.c
index b991dcf8e..b017424db 100644
--- a/security/nss/lib/softoken/legacydb/lgfips.c
+++ b/security/nss/lib/softoken/legacydb/lgfips.c
@@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* $Id: fipstest.c,v 1.31 2012/06/28 17:55:06 rrelyea%redhat.com Exp $ */
-#ifndef NSS_FIPS_DISABLED
-
#include "seccomon.h"
#include "lgdb.h"
#include "blapi.h"
@@ -115,5 +113,3 @@ lg_FIPSEntryOK()
#endif
return lg_self_tests_success;
}
-
-#endif /* NSS_FIPS_DISABLED */
diff --git a/security/nss/lib/softoken/legacydb/lginit.c b/security/nss/lib/softoken/legacydb/lginit.c
index 4f0b53f52..6913eea50 100644
--- a/security/nss/lib/softoken/legacydb/lginit.c
+++ b/security/nss/lib/softoken/legacydb/lginit.c
@@ -586,15 +586,11 @@ legacy_Open(const char *configdir, const char *certPrefix,
#define NSS_VERSION_VARIABLE __nss_dbm_version
#include "verref.h"
-#ifndef NSS_FIPS_DISABLED
if (flags & SDB_FIPS) {
- /* We shouldn't get here when FIPS is not enabled on the database. But
- * we also don't care when this NSS build doesn't support FIPS. */
if (!lg_FIPSEntryOK()) {
return CKR_DEVICE_ERROR;
}
}
-#endif
rv = SECOID_Init();
if (SECSuccess != rv) {
diff --git a/security/nss/lib/softoken/legacydb/lowcert.c b/security/nss/lib/softoken/legacydb/lowcert.c
index 5a349f0aa..2906120ee 100644
--- a/security/nss/lib/softoken/legacydb/lowcert.c
+++ b/security/nss/lib/softoken/legacydb/lowcert.c
@@ -823,6 +823,7 @@ nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *cert)
if (rv == SECSuccess)
return pubk;
break;
+#ifndef NSS_DISABLE_ECC
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
pubk->keyType = NSSLOWKEYECKey;
/* Since PKCS#11 directly takes the DER encoding of EC params
@@ -844,6 +845,7 @@ nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *cert)
if (rv == SECSuccess)
return pubk;
break;
+#endif /* NSS_DISABLE_ECC */
default:
rv = SECFailure;
break;
diff --git a/security/nss/lib/softoken/legacydb/lowkey.c b/security/nss/lib/softoken/legacydb/lowkey.c
index a9b7cce3d..7de4197a1 100644
--- a/security/nss/lib/softoken/legacydb/lowkey.c
+++ b/security/nss/lib/softoken/legacydb/lowkey.c
@@ -99,6 +99,8 @@ const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyTemplate[] = {
{ 0 }
};
+#ifndef NSS_DISABLE_ECC
+
/* NOTE: The SECG specification allows the private key structure
* to contain curve parameters but recommends that they be stored
* in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo
@@ -191,6 +193,7 @@ LGEC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
loser:
return SECFailure;
}
+#endif /* NSS_DISABLE_ECC */
/*
* See bugzilla bug 125359
* Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
@@ -240,6 +243,7 @@ lg_prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
key->u.dh.privateValue.type = siUnsignedInteger;
}
+#ifndef NSS_DISABLE_ECC
void
lg_prepare_low_ecparams_for_asn1(ECParams *params)
{
@@ -256,6 +260,7 @@ lg_prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
key->u.ec.privateValue.type = siUnsignedInteger;
key->u.ec.publicValue.type = siUnsignedInteger;
}
+#endif /* NSS_DISABLE_ECC */
void
lg_nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
@@ -357,6 +362,7 @@ lg_nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
return pubk;
}
break;
+#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
sizeof(NSSLOWKEYPublicKey));
@@ -377,6 +383,7 @@ lg_nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
return pubk;
}
break;
+#endif /* NSS_DISABLE_ECC */
/* No Fortezza in Low Key implementations (Fortezza keys aren't
* stored in our data base */
default:
diff --git a/security/nss/lib/softoken/legacydb/lowkeyi.h b/security/nss/lib/softoken/legacydb/lowkeyi.h
index 4a5bcfa91..5136b56a5 100644
--- a/security/nss/lib/softoken/legacydb/lowkeyi.h
+++ b/security/nss/lib/softoken/legacydb/lowkeyi.h
@@ -26,8 +26,10 @@ extern void lg_prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
extern void lg_prepare_low_pqg_params_for_asn1(PQGParams *params);
extern void lg_prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
extern void lg_prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+#ifndef NSS_DISABLE_ECC
extern void lg_prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
extern void lg_prepare_low_ecparams_for_asn1(ECParams *params);
+#endif /* NSS_DISABLE_ECC */
typedef char *(*NSSLOWKEYDBNameFunc)(void *arg, int dbVersion);
@@ -132,6 +134,7 @@ extern char *
nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle,
SECItem *modulus, SDB *sdb);
+#ifndef NSS_DISABLE_ECC
/*
* smaller version of EC_FillParams. In this code, we only need
* oid and DER data.
@@ -142,7 +145,7 @@ SECStatus LGEC_FillParams(PLArenaPool *arena, const SECItem *encodedParams,
/* Copy all of the fields from srcParams into dstParams */
SECStatus LGEC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
const ECParams *srcParams);
-
+#endif
SEC_END_PROTOS
#endif /* _LOWKEYI_H_ */
diff --git a/security/nss/lib/softoken/legacydb/lowkeyti.h b/security/nss/lib/softoken/legacydb/lowkeyti.h
index 2fd5d4e29..ef92689e0 100644
--- a/security/nss/lib/softoken/legacydb/lowkeyti.h
+++ b/security/nss/lib/softoken/legacydb/lowkeyti.h
@@ -42,8 +42,10 @@ extern const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate2[];
extern const SEC_ASN1Template lg_nsslowkey_DSAPrivateKeyTemplate[];
extern const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyTemplate[];
extern const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyExportTemplate[];
+#ifndef NSS_DISABLE_ECC
#define NSSLOWKEY_EC_PRIVATE_KEY_VERSION 1 /* as per SECG 1 C.4 */
extern const SEC_ASN1Template lg_nsslowkey_ECPrivateKeyTemplate[];
+#endif /* NSS_DISABLE_ECC */
extern const SEC_ASN1Template lg_nsslowkey_PrivateKeyInfoTemplate[];
extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
diff --git a/security/nss/lib/softoken/legacydb/pcertdb.c b/security/nss/lib/softoken/legacydb/pcertdb.c
index 2e8b650ee..f1444bf04 100644
--- a/security/nss/lib/softoken/legacydb/pcertdb.c
+++ b/security/nss/lib/softoken/legacydb/pcertdb.c
@@ -1854,8 +1854,6 @@ DecodeDBSMimeEntry(certDBEntrySMime *entry, SECItem *dbentry, char *emailAddr)
&dbentry->data[DB_SMIME_ENTRY_HEADER_LEN +
entry->subjectName.len],
entry->smimeOptions.len);
- } else {
- entry->smimeOptions.data = NULL;
}
if (entry->optionsDate.len) {
entry->optionsDate.data =
@@ -1870,8 +1868,6 @@ DecodeDBSMimeEntry(certDBEntrySMime *entry, SECItem *dbentry, char *emailAddr)
entry->subjectName.len +
entry->smimeOptions.len],
entry->optionsDate.len);
- } else {
- entry->optionsDate.data = NULL;
}
/* both options and options date must either exist or not exist */
@@ -2018,7 +2014,7 @@ nsslowcert_ReadDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, char *emailAddr)
{
PLArenaPool *arena = NULL;
PLArenaPool *tmparena = NULL;
- certDBEntrySMime *entry = NULL;
+ certDBEntrySMime *entry;
SECItem dbkey;
SECItem dbentry;
SECStatus rv;
@@ -2035,8 +2031,8 @@ nsslowcert_ReadDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, char *emailAddr)
goto loser;
}
- entry = (certDBEntrySMime *)PORT_ArenaZAlloc(arena,
- sizeof(certDBEntrySMime));
+ entry = (certDBEntrySMime *)PORT_ArenaAlloc(arena,
+ sizeof(certDBEntrySMime));
if (entry == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
diff --git a/security/nss/lib/softoken/lowkey.c b/security/nss/lib/softoken/lowkey.c
index 295d55f40..73b1dc971 100644
--- a/security/nss/lib/softoken/lowkey.c
+++ b/security/nss/lib/softoken/lowkey.c
@@ -8,7 +8,10 @@
#include "base64.h"
#include "secasn1.h"
#include "secerr.h"
+
+#ifndef NSS_DISABLE_ECC
#include "softoken.h"
+#endif
SEC_ASN1_MKSUB(SEC_AnyTemplate)
SEC_ASN1_MKSUB(SEC_BitStringTemplate)
@@ -87,6 +90,8 @@ const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[] = {
{ 0 }
};
+#ifndef NSS_DISABLE_ECC
+
/* NOTE: The SECG specification allows the private key structure
* to contain curve parameters but recommends that they be stored
* in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo
@@ -112,6 +117,7 @@ const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[] = {
SEC_ASN1_SUB(SEC_BitStringTemplate) },
{ 0 }
};
+#endif /* NSS_DISABLE_ECC */
/*
* See bugzilla bug 125359
* Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
@@ -167,6 +173,7 @@ prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
key->u.dh.privateValue.type = siUnsignedInteger;
}
+#ifndef NSS_DISABLE_ECC
void
prepare_low_ecparams_for_asn1(ECParams *params)
{
@@ -183,6 +190,7 @@ prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
key->u.ec.privateValue.type = siUnsignedInteger;
key->u.ec.publicValue.type = siUnsignedInteger;
}
+#endif /* NSS_DISABLE_ECC */
void
nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
@@ -317,6 +325,7 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
return pubk;
}
break;
+#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
sizeof(NSSLOWKEYPublicKey));
@@ -337,6 +346,7 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
return pubk;
}
break;
+#endif /* NSS_DISABLE_ECC */
/* No Fortezza in Low Key implementations (Fortezza keys aren't
* stored in our data base */
default:
@@ -453,6 +463,7 @@ nsslowkey_CopyPrivateKey(NSSLOWKEYPrivateKey *privKey)
if (rv != SECSuccess)
break;
break;
+#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.version),
&(privKey->u.ec.version));
@@ -473,6 +484,7 @@ nsslowkey_CopyPrivateKey(NSSLOWKEYPrivateKey *privKey)
if (rv != SECSuccess)
break;
break;
+#endif /* NSS_DISABLE_ECC */
default:
rv = SECFailure;
}
diff --git a/security/nss/lib/softoken/lowkeyi.h b/security/nss/lib/softoken/lowkeyi.h
index f9ba3a75f..a5878c2f6 100644
--- a/security/nss/lib/softoken/lowkeyi.h
+++ b/security/nss/lib/softoken/lowkeyi.h
@@ -25,8 +25,10 @@ extern void prepare_low_pqg_params_for_asn1(PQGParams *params);
extern void prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
extern void prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key);
extern void prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+#ifndef NSS_DISABLE_ECC
extern void prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
extern void prepare_low_ecparams_for_asn1(ECParams *params);
+#endif /* NSS_DISABLE_ECC */
/*
** Destroy a private key object.
diff --git a/security/nss/lib/softoken/lowkeyti.h b/security/nss/lib/softoken/lowkeyti.h
index c048b33e7..2ef16405f 100644
--- a/security/nss/lib/softoken/lowkeyti.h
+++ b/security/nss/lib/softoken/lowkeyti.h
@@ -20,8 +20,10 @@ extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[];
extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[];
extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[];
extern const SEC_ASN1Template nsslowkey_DHPrivateKeyExportTemplate[];
+#ifndef NSS_DISABLE_ECC
#define NSSLOWKEY_EC_PRIVATE_KEY_VERSION 1 /* as per SECG 1 C.4 */
extern const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[];
+#endif /* NSS_DISABLE_ECC */
extern const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[];
extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index 77882a274..a594fd501 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -282,11 +282,13 @@ static const struct mechanismList mechanisms[] = {
/* no diffie hellman yet */
{ CKM_DH_PKCS_KEY_PAIR_GEN, { DH_MIN_P_BITS, DH_MAX_P_BITS, CKF_GENERATE_KEY_PAIR }, PR_TRUE },
{ CKM_DH_PKCS_DERIVE, { DH_MIN_P_BITS, DH_MAX_P_BITS, CKF_DERIVE }, PR_TRUE },
+#ifndef NSS_DISABLE_ECC
/* -------------------- Elliptic Curve Operations --------------------- */
{ CKM_EC_KEY_PAIR_GEN, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_GENERATE_KEY_PAIR | CKF_EC_BPNU }, PR_TRUE },
{ CKM_ECDH1_DERIVE, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_DERIVE | CKF_EC_BPNU }, PR_TRUE },
{ CKM_ECDSA, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
{ CKM_ECDSA_SHA1, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
+#endif /* NSS_DISABLE_ECC */
/* ------------------------- RC2 Operations --------------------------- */
{ CKM_RC2_KEY_GEN, { 1, 128, CKF_GENERATE }, PR_TRUE },
{ CKM_RC2_ECB, { 1, 128, CKF_EN_DE_WR_UN }, PR_TRUE },
@@ -421,20 +423,11 @@ static const struct mechanismList mechanisms[] = {
#endif
/* --------------------- Secret Key Operations ------------------------ */
{ CKM_GENERIC_SECRET_KEY_GEN, { 1, 32, CKF_GENERATE }, PR_TRUE },
- { CKM_CONCATENATE_BASE_AND_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE },
- { CKM_CONCATENATE_BASE_AND_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
- { CKM_CONCATENATE_DATA_AND_BASE, { 1, 32, CKF_DERIVE }, PR_FALSE },
- { CKM_XOR_BASE_AND_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_CONCATENATE_BASE_AND_KEY, { 1, 32, CKF_GENERATE }, PR_FALSE },
+ { CKM_CONCATENATE_BASE_AND_DATA, { 1, 32, CKF_GENERATE }, PR_FALSE },
+ { CKM_CONCATENATE_DATA_AND_BASE, { 1, 32, CKF_GENERATE }, PR_FALSE },
+ { CKM_XOR_BASE_AND_DATA, { 1, 32, CKF_GENERATE }, PR_FALSE },
{ CKM_EXTRACT_KEY_FROM_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE },
- { CKM_DES3_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
- { CKM_DES3_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
- { CKM_AES_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
- { CKM_AES_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
- { CKM_CAMELLIA_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
- { CKM_CAMELLIA_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
- { CKM_SEED_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
- { CKM_SEED_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
-
/* ---------------------- SSL Key Derivations ------------------------- */
{ CKM_SSL3_PRE_MASTER_KEY_GEN, { 48, 48, CKF_GENERATE }, PR_FALSE },
{ CKM_SSL3_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
@@ -938,6 +931,7 @@ sftk_handlePublicKeyObject(SFTKSession *session, SFTKObject *object,
recover = CK_FALSE;
wrap = CK_FALSE;
break;
+#ifndef NSS_DISABLE_ECC
case CKK_EC:
if (!sftk_hasAttribute(object, CKA_EC_PARAMS)) {
return CKR_TEMPLATE_INCOMPLETE;
@@ -951,6 +945,7 @@ sftk_handlePublicKeyObject(SFTKSession *session, SFTKObject *object,
recover = CK_FALSE;
wrap = CK_FALSE;
break;
+#endif /* NSS_DISABLE_ECC */
default:
return CKR_ATTRIBUTE_VALUE_INVALID;
}
@@ -1119,6 +1114,7 @@ sftk_handlePrivateKeyObject(SFTKSession *session, SFTKObject *object, CK_KEY_TYP
recover = CK_FALSE;
wrap = CK_FALSE;
break;
+#ifndef NSS_DISABLE_ECC
case CKK_EC:
if (!sftk_hasAttribute(object, CKA_EC_PARAMS)) {
return CKR_TEMPLATE_INCOMPLETE;
@@ -1131,6 +1127,7 @@ sftk_handlePrivateKeyObject(SFTKSession *session, SFTKObject *object, CK_KEY_TYP
recover = CK_FALSE;
wrap = CK_FALSE;
break;
+#endif /* NSS_DISABLE_ECC */
case CKK_NSS_JPAKE_ROUND1:
if (!sftk_hasAttribute(object, CKA_PRIME) ||
!sftk_hasAttribute(object, CKA_SUBPRIME) ||
@@ -1781,6 +1778,7 @@ sftk_GetPubKey(SFTKObject *object, CK_KEY_TYPE key_type,
crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.publicValue,
object, CKA_VALUE);
break;
+#ifndef NSS_DISABLE_ECC
case CKK_EC:
pubKey->keyType = NSSLOWKEYECKey;
crv = sftk_Attribute2SSecItem(arena,
@@ -1839,6 +1837,7 @@ sftk_GetPubKey(SFTKObject *object, CK_KEY_TYPE key_type,
crv = CKR_ATTRIBUTE_VALUE_INVALID;
}
break;
+#endif /* NSS_DISABLE_ECC */
default:
crv = CKR_KEY_TYPE_INCONSISTENT;
break;
@@ -1948,6 +1947,7 @@ sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp)
* if we don't set it explicitly */
break;
+#ifndef NSS_DISABLE_ECC
case CKK_EC:
privKey->keyType = NSSLOWKEYECKey;
crv = sftk_Attribute2SSecItem(arena,
@@ -1992,6 +1992,7 @@ sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp)
#endif
}
break;
+#endif /* NSS_DISABLE_ECC */
default:
crv = CKR_KEY_TYPE_INCONSISTENT;
@@ -2364,22 +2365,17 @@ sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all)
return slot;
}
-CK_SLOT_ID
-sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle)
+SFTKSlot *
+sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
{
CK_ULONG slotIDIndex = (handle >> 24) & 0x7f;
CK_ULONG moduleIndex = (handle >> 31) & 1;
if (slotIDIndex >= nscSlotCount[moduleIndex]) {
- return (CK_SLOT_ID)-1;
+ return NULL;
}
- return nscSlotList[moduleIndex][slotIDIndex];
-}
-SFTKSlot *
-sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
-{
- return sftk_SlotFromID(sftk_SlotIDFromSessionHandle(handle), PR_FALSE);
+ return sftk_SlotFromID(nscSlotList[moduleIndex][slotIDIndex], PR_FALSE);
}
static CK_RV
@@ -3309,15 +3305,6 @@ NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
}
}
- /* If there is no key database, this is for example the case when NSS was
- * initialized with NSS_NoDbInit(), then there won't be any point in
- * requesting a PIN. Set the CKF_USER_PIN_INITIALIZED bit so that
- * PK11_NeedUserInit() doesn't indicate that a PIN is needed.
- */
- if (slot->keyDB == NULL) {
- pInfo->flags |= CKF_USER_PIN_INITIALIZED;
- }
-
/* ok we really should read it out of the keydb file. */
/* pInfo->hardwareVersion.major = NSSLOWKEY_DB_FILE_VERSION; */
pInfo->hardwareVersion.major = SOFTOKEN_VMAJOR;
@@ -3579,6 +3566,7 @@ NSC_InitToken(CK_SLOT_ID slotID, CK_CHAR_PTR pPin,
{
SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE);
SFTKDBHandle *handle;
+ SFTKDBHandle *certHandle;
SECStatus rv;
unsigned int i;
SFTKObject *object;
@@ -3626,16 +3614,19 @@ NSC_InitToken(CK_SLOT_ID slotID, CK_CHAR_PTR pPin,
}
rv = sftkdb_ResetKeyDB(handle);
- /* clear the password */
- sftkdb_ClearPassword(handle);
- /* update slot->needLogin (should be true now since no password is set) */
- sftk_checkNeedLogin(slot, handle);
sftk_freeDB(handle);
if (rv != SECSuccess) {
return CKR_DEVICE_ERROR;
}
- return CKR_OK;
+ /* finally mark all the user certs as non-user certs */
+ certHandle = sftk_getCertDB(slot);
+ if (certHandle == NULL)
+ return CKR_OK;
+
+ sftk_freeDB(certHandle);
+
+ return CKR_OK; /*is this the right function for not implemented*/
}
/* NSC_InitPIN initializes the normal user's PIN. */
@@ -3801,10 +3792,7 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
/* Now update our local copy of the pin */
if (rv == SECSuccess) {
- PZ_Lock(slot->slotLock);
slot->needLogin = (PRBool)(ulNewLen != 0);
- slot->isLoggedIn = (PRBool)(sftkdb_PWCached(handle) == SECSuccess);
- PZ_Unlock(slot->slotLock);
/* Reset login flags. */
if (ulNewLen == 0) {
PRBool tokenRemoved = PR_FALSE;
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
index d675d7331..0234aa431 100644
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -65,6 +65,7 @@ sftk_Null(void *data, PRBool freeit)
return;
}
+#ifndef NSS_DISABLE_ECC
#ifdef EC_DEBUG
#define SEC_PRINT(str1, str2, num, sitem) \
printf("pkcs11c.c:%s:%s (keytype=%d) [len=%d]\n", \
@@ -77,6 +78,7 @@ sftk_Null(void *data, PRBool freeit)
#undef EC_DEBUG
#define SEC_PRINT(a, b, c, d)
#endif
+#endif /* NSS_DISABLE_ECC */
/*
* free routines.... Free local type allocated data, and convert
@@ -122,6 +124,7 @@ sftk_MapCryptError(int error)
return CKR_KEY_SIZE_RANGE; /* the closest error code */
case SEC_ERROR_UNSUPPORTED_EC_POINT_FORM:
return CKR_TEMPLATE_INCONSISTENT;
+ /* EC functions set this error if NSS_DISABLE_ECC is defined */
case SEC_ERROR_UNSUPPORTED_KEYALG:
return CKR_MECHANISM_INVALID;
case SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE:
@@ -1524,7 +1527,8 @@ NSC_DecryptUpdate(CK_SESSION_HANDLE hSession,
maxout -= padoutlen;
}
/* now save the final block for the next decrypt or the final */
- PORT_Memcpy(context->padBuf, &pEncryptedPart[ulEncryptedPartLen - context->blockSize],
+ PORT_Memcpy(context->padBuf, &pEncryptedPart[ulEncryptedPartLen -
+ context->blockSize],
context->blockSize);
context->padDataLength = context->blockSize;
ulEncryptedPartLen -= context->padDataLength;
@@ -2413,6 +2417,7 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
return rv;
}
+#ifndef NSS_DISABLE_ECC
static SECStatus
nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
void *dataBuf, unsigned int dataLen)
@@ -2447,6 +2452,7 @@ nsc_ECDSASignStub(void *ctx, void *sigBuf,
*sigLen = signature.len;
return rv;
}
+#endif /* NSS_DISABLE_ECC */
/* NSC_SignInit setups up the signing operations. There are three basic
* types of signing:
@@ -2606,6 +2612,7 @@ NSC_SignInit(CK_SESSION_HANDLE hSession,
break;
+#ifndef NSS_DISABLE_ECC
case CKM_ECDSA_SHA1:
context->multi = PR_TRUE;
crv = sftk_doSubSHA1(context);
@@ -2628,6 +2635,7 @@ NSC_SignInit(CK_SESSION_HANDLE hSession,
context->maxLen = MAX_ECKEY_LEN * 2;
break;
+#endif /* NSS_DISABLE_ECC */
#define INIT_HMAC_MECH(mmm) \
case CKM_##mmm##_HMAC_GENERAL: \
@@ -3295,6 +3303,7 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSession,
context->verify = (SFTKVerify)nsc_DSA_Verify_Stub;
context->destroy = sftk_Null;
break;
+#ifndef NSS_DISABLE_ECC
case CKM_ECDSA_SHA1:
context->multi = PR_TRUE;
crv = sftk_doSubSHA1(context);
@@ -3315,6 +3324,7 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSession,
context->verify = (SFTKVerify)nsc_ECDSAVerifyStub;
context->destroy = sftk_Null;
break;
+#endif /* NSS_DISABLE_ECC */
INIT_HMAC_MECH(MD2)
INIT_HMAC_MECH(MD5)
@@ -4614,10 +4624,12 @@ sftk_PairwiseConsistencyCheck(CK_SESSION_HANDLE hSession,
pairwise_digest_length = subPrimeLen;
mech.mechanism = CKM_DSA;
break;
+#ifndef NSS_DISABLE_ECC
case CKK_EC:
signature_length = MAX_ECKEY_LEN * 2;
mech.mechanism = CKM_ECDSA;
break;
+#endif
default:
return CKR_DEVICE_ERROR;
}
@@ -4734,10 +4746,12 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hSession,
/* Diffie Hellman */
DHPrivateKey *dhPriv;
+#ifndef NSS_DISABLE_ECC
/* Elliptic Curve Cryptography */
SECItem ecEncodedParams; /* DER Encoded parameters */
ECPrivateKey *ecPriv;
ECParams *ecParams;
+#endif /* NSS_DISABLE_ECC */
CHECK_FORK();
@@ -5083,6 +5097,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hSession,
PORT_FreeArena(dhPriv->arena, PR_TRUE);
break;
+#ifndef NSS_DISABLE_ECC
case CKM_EC_KEY_PAIR_GEN:
sftk_DeleteAttributeType(privateKey, CKA_EC_PARAMS);
sftk_DeleteAttributeType(privateKey, CKA_VALUE);
@@ -5151,6 +5166,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hSession,
/* should zeroize, since this function doesn't. */
PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE);
break;
+#endif /* NSS_DISABLE_ECC */
default:
crv = CKR_MECHANISM_INVALID;
@@ -5280,10 +5296,12 @@ sftk_PackagePrivateKey(SFTKObject *key, CK_RV *crvp)
void *dummy, *param = NULL;
SECStatus rv = SECSuccess;
SECItem *encodedKey = NULL;
+#ifndef NSS_DISABLE_ECC
#ifdef EC_DEBUG
SECItem *fordebug;
#endif
int savelen;
+#endif
if (!key) {
*crvp = CKR_KEY_HANDLE_INVALID; /* really can't happen */
@@ -5335,6 +5353,7 @@ sftk_PackagePrivateKey(SFTKObject *key, CK_RV *crvp)
nsslowkey_PQGParamsTemplate);
algorithm = SEC_OID_ANSIX9_DSA_SIGNATURE;
break;
+#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
prepare_low_ec_priv_key_for_asn1(lk);
/* Public value is encoded as a bit string so adjust length
@@ -5363,6 +5382,7 @@ sftk_PackagePrivateKey(SFTKObject *key, CK_RV *crvp)
algorithm = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
break;
+#endif /* NSS_DISABLE_ECC */
case NSSLOWKEYDHKey:
default:
dummy = NULL;
@@ -5621,7 +5641,8 @@ sftk_unwrapPrivateKey(SFTKObject *key, SECItem *bpki)
prepare_low_dsa_priv_key_export_for_asn1(lpk);
prepare_low_pqg_params_for_asn1(&lpk->u.dsa.params);
break;
- /* case NSSLOWKEYDHKey: */
+/* case NSSLOWKEYDHKey: */
+#ifndef NSS_DISABLE_ECC
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
keyTemplate = nsslowkey_ECPrivateKeyTemplate;
paramTemplate = NULL;
@@ -5630,6 +5651,7 @@ sftk_unwrapPrivateKey(SFTKObject *key, SECItem *bpki)
prepare_low_ec_priv_key_for_asn1(lpk);
prepare_low_ecparams_for_asn1(&lpk->u.ec.ecParams);
break;
+#endif /* NSS_DISABLE_ECC */
default:
keyTemplate = NULL;
paramTemplate = NULL;
@@ -5644,6 +5666,7 @@ sftk_unwrapPrivateKey(SFTKObject *key, SECItem *bpki)
/* decode the private key and any algorithm parameters */
rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
+#ifndef NSS_DISABLE_ECC
if (lpk->keyType == NSSLOWKEYECKey) {
/* convert length in bits to length in bytes */
lpk->u.ec.publicValue.len >>= 3;
@@ -5654,6 +5677,7 @@ sftk_unwrapPrivateKey(SFTKObject *key, SECItem *bpki)
goto loser;
}
}
+#endif /* NSS_DISABLE_ECC */
if (rv != SECSuccess) {
goto loser;
@@ -5766,7 +5790,8 @@ sftk_unwrapPrivateKey(SFTKObject *key, SECItem *bpki)
keyType = CKK_DH;
break;
#endif
- /* what about fortezza??? */
+/* what about fortezza??? */
+#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
keyType = CKK_EC;
crv = (sftk_hasAttribute(key, CKA_NETSCAPE_DB)) ? CKR_OK : CKR_KEY_TYPE_INCONSISTENT;
@@ -5798,6 +5823,7 @@ sftk_unwrapPrivateKey(SFTKObject *key, SECItem *bpki)
break;
/* XXX Do we need to decode the EC Params here ?? */
break;
+#endif /* NSS_DISABLE_ECC */
default:
crv = CKR_KEY_TYPE_INCONSISTENT;
break;
@@ -6127,6 +6153,7 @@ sftk_MapKeySize(CK_KEY_TYPE keyType)
return 0;
}
+#ifndef NSS_DISABLE_ECC
/* Inputs:
* key_len: Length of derived key to be generated.
* SharedSecret: a shared secret that is the output of a key agreement primitive.
@@ -6239,43 +6266,7 @@ sftk_ANSI_X9_63_kdf(CK_BYTE **key, CK_ULONG key_len,
else
return CKR_MECHANISM_INVALID;
}
-
-/*
- * Handle the derive from a block encryption cipher
- */
-CK_RV
-sftk_DeriveEncrypt(SFTKCipher encrypt, void *cipherInfo,
- int blockSize, SFTKObject *key, CK_ULONG keySize,
- unsigned char *data, CK_ULONG len)
-{
- /* large enough for a 512-bit key */
- unsigned char tmpdata[SFTK_MAX_DERIVE_KEY_SIZE];
- SECStatus rv;
- unsigned int outLen;
- CK_RV crv;
-
- if ((len % blockSize) != 0) {
- return CKR_MECHANISM_PARAM_INVALID;
- }
- if (len > SFTK_MAX_DERIVE_KEY_SIZE) {
- return CKR_MECHANISM_PARAM_INVALID;
- }
- if (keySize && (len < keySize)) {
- return CKR_MECHANISM_PARAM_INVALID;
- }
- if (keySize == 0) {
- keySize = len;
- }
-
- rv = (*encrypt)(cipherInfo, &tmpdata, &outLen, len, data, len);
- if (rv != SECSuccess) {
- crv = sftk_MapCryptError(PORT_GetError());
- return crv;
- }
-
- crv = sftk_forceAttribute(key, CKA_VALUE, tmpdata, keySize);
- return crv;
-}
+#endif /* NSS_DISABLE_ECC */
/*
* SSL Key generation given pre master secret
@@ -6935,172 +6926,6 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession,
break;
}
- case CKM_DES3_ECB_ENCRYPT_DATA:
- case CKM_DES3_CBC_ENCRYPT_DATA: {
- void *cipherInfo;
- unsigned char des3key[MAX_DES3_KEY_SIZE];
- CK_DES_CBC_ENCRYPT_DATA_PARAMS *desEncryptPtr;
- int mode;
- unsigned char *iv;
- unsigned char *data;
- CK_ULONG len;
-
- if (mechanism == CKM_DES3_ECB_ENCRYPT_DATA) {
- stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)
- pMechanism->pParameter;
- mode = NSS_DES_EDE3;
- iv = NULL;
- data = stringPtr->pData;
- len = stringPtr->ulLen;
- } else {
- mode = NSS_DES_EDE3_CBC;
- desEncryptPtr =
- (CK_DES_CBC_ENCRYPT_DATA_PARAMS *)
- pMechanism->pParameter;
- iv = desEncryptPtr->iv;
- data = desEncryptPtr->pData;
- len = desEncryptPtr->length;
- }
- if (att->attrib.ulValueLen == 16) {
- PORT_Memcpy(des3key, att->attrib.pValue, 16);
- PORT_Memcpy(des3key + 16, des3key, 8);
- } else if (att->attrib.ulValueLen == 24) {
- PORT_Memcpy(des3key, att->attrib.pValue, 24);
- } else {
- crv = CKR_KEY_SIZE_RANGE;
- break;
- }
- cipherInfo = DES_CreateContext(des3key, iv, mode, PR_TRUE);
- PORT_Memset(des3key, 0, 24);
- if (cipherInfo == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- crv = sftk_DeriveEncrypt((SFTKCipher)DES_Encrypt,
- cipherInfo, 8, key, keySize,
- data, len);
- DES_DestroyContext(cipherInfo, PR_TRUE);
- break;
- }
-
- case CKM_AES_ECB_ENCRYPT_DATA:
- case CKM_AES_CBC_ENCRYPT_DATA: {
- void *cipherInfo;
- CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr;
- int mode;
- unsigned char *iv;
- unsigned char *data;
- CK_ULONG len;
-
- if (mechanism == CKM_AES_ECB_ENCRYPT_DATA) {
- mode = NSS_AES;
- iv = NULL;
- stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter;
- data = stringPtr->pData;
- len = stringPtr->ulLen;
- } else {
- aesEncryptPtr =
- (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)pMechanism->pParameter;
- mode = NSS_AES_CBC;
- iv = aesEncryptPtr->iv;
- data = aesEncryptPtr->pData;
- len = aesEncryptPtr->length;
- }
-
- cipherInfo = AES_CreateContext((unsigned char *)att->attrib.pValue,
- iv, mode, PR_TRUE,
- att->attrib.ulValueLen, 16);
- if (cipherInfo == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- crv = sftk_DeriveEncrypt((SFTKCipher)AES_Encrypt,
- cipherInfo, 16, key, keySize,
- data, len);
- AES_DestroyContext(cipherInfo, PR_TRUE);
- break;
- }
-
- case CKM_CAMELLIA_ECB_ENCRYPT_DATA:
- case CKM_CAMELLIA_CBC_ENCRYPT_DATA: {
- void *cipherInfo;
- CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr;
- int mode;
- unsigned char *iv;
- unsigned char *data;
- CK_ULONG len;
-
- if (mechanism == CKM_CAMELLIA_ECB_ENCRYPT_DATA) {
- stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)
- pMechanism->pParameter;
- aesEncryptPtr = NULL;
- mode = NSS_CAMELLIA;
- data = stringPtr->pData;
- len = stringPtr->ulLen;
- iv = NULL;
- } else {
- stringPtr = NULL;
- aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)
- pMechanism->pParameter;
- mode = NSS_CAMELLIA_CBC;
- iv = aesEncryptPtr->iv;
- data = aesEncryptPtr->pData;
- len = aesEncryptPtr->length;
- }
-
- cipherInfo = Camellia_CreateContext((unsigned char *)att->attrib.pValue,
- iv, mode, PR_TRUE,
- att->attrib.ulValueLen);
- if (cipherInfo == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- crv = sftk_DeriveEncrypt((SFTKCipher)Camellia_Encrypt,
- cipherInfo, 16, key, keySize,
- data, len);
- Camellia_DestroyContext(cipherInfo, PR_TRUE);
- break;
- }
-
- case CKM_SEED_ECB_ENCRYPT_DATA:
- case CKM_SEED_CBC_ENCRYPT_DATA: {
- void *cipherInfo;
- CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr;
- int mode;
- unsigned char *iv;
- unsigned char *data;
- CK_ULONG len;
-
- if (mechanism == CKM_SEED_ECB_ENCRYPT_DATA) {
- mode = NSS_SEED;
- stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)
- pMechanism->pParameter;
- aesEncryptPtr = NULL;
- data = stringPtr->pData;
- len = stringPtr->ulLen;
- iv = NULL;
- } else {
- mode = NSS_SEED_CBC;
- aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)
- pMechanism->pParameter;
- iv = aesEncryptPtr->iv;
- data = aesEncryptPtr->pData;
- len = aesEncryptPtr->length;
- }
-
- cipherInfo = SEED_CreateContext((unsigned char *)att->attrib.pValue,
- iv, mode, PR_TRUE);
- if (cipherInfo == NULL) {
- crv = CKR_HOST_MEMORY;
- break;
- }
- crv = sftk_DeriveEncrypt((SFTKCipher)SEED_Encrypt,
- cipherInfo, 16, key, keySize,
- data, len);
- SEED_DestroyContext(cipherInfo, PR_TRUE);
- break;
- }
-
case CKM_CONCATENATE_BASE_AND_KEY: {
SFTKObject *newKey;
@@ -7417,6 +7242,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession,
break;
}
+#ifndef NSS_DISABLE_ECC
case CKM_ECDH1_DERIVE:
case CKM_ECDH1_COFACTOR_DERIVE: {
SECItem ecScalar, ecPoint;
@@ -7556,6 +7382,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession,
}
break;
}
+#endif /* NSS_DISABLE_ECC */
/* See RFC 5869 and CK_NSS_HKDFParams for documentation. */
case CKM_NSS_HKDF_SHA1:
diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h
index 7e57dc5e5..c5f21c30a 100644
--- a/security/nss/lib/softoken/pkcs11i.h
+++ b/security/nss/lib/softoken/pkcs11i.h
@@ -667,7 +667,6 @@ extern CK_RV sftk_handleObject(SFTKObject *object, SFTKSession *session);
extern SFTKSlot *sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all);
extern SFTKSlot *sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle);
-extern CK_SLOT_ID sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle);
extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle);
extern void sftk_FreeSession(SFTKSession *session);
extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c
index 27e411759..c51211b6c 100644
--- a/security/nss/lib/softoken/pkcs11u.c
+++ b/security/nss/lib/softoken/pkcs11u.c
@@ -1261,11 +1261,13 @@ static const CK_ATTRIBUTE_TYPE dhPubKeyAttrs[] = {
};
static const CK_ULONG dhPubKeyAttrsCount =
sizeof(dhPubKeyAttrs) / sizeof(dhPubKeyAttrs[0]);
+#ifndef NSS_DISABLE_ECC
static const CK_ATTRIBUTE_TYPE ecPubKeyAttrs[] = {
CKA_EC_PARAMS, CKA_EC_POINT
};
static const CK_ULONG ecPubKeyAttrsCount =
sizeof(ecPubKeyAttrs) / sizeof(ecPubKeyAttrs[0]);
+#endif
static const CK_ATTRIBUTE_TYPE commonPrivKeyAttrs[] = {
CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER, CKA_UNWRAP, CKA_SUBJECT,
@@ -1292,11 +1294,13 @@ static const CK_ATTRIBUTE_TYPE dhPrivKeyAttrs[] = {
};
static const CK_ULONG dhPrivKeyAttrsCount =
sizeof(dhPrivKeyAttrs) / sizeof(dhPrivKeyAttrs[0]);
+#ifndef NSS_DISABLE_ECC
static const CK_ATTRIBUTE_TYPE ecPrivKeyAttrs[] = {
CKA_EC_PARAMS, CKA_VALUE
};
static const CK_ULONG ecPrivKeyAttrsCount =
sizeof(ecPrivKeyAttrs) / sizeof(ecPrivKeyAttrs[0]);
+#endif
static const CK_ATTRIBUTE_TYPE certAttrs[] = {
CKA_CERTIFICATE_TYPE, CKA_VALUE, CKA_SUBJECT, CKA_ISSUER, CKA_SERIAL_NUMBER
@@ -1401,10 +1405,12 @@ stfk_CopyTokenPrivateKey(SFTKObject *destObject, SFTKTokenObject *src_to)
crv = stfk_CopyTokenAttributes(destObject, src_to, dhPrivKeyAttrs,
dhPrivKeyAttrsCount);
break;
+#ifndef NSS_DISABLE_ECC
case CKK_EC:
crv = stfk_CopyTokenAttributes(destObject, src_to, ecPrivKeyAttrs,
ecPrivKeyAttrsCount);
break;
+#endif
default:
crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
* of token keys into our database. */
@@ -1461,10 +1467,12 @@ stfk_CopyTokenPublicKey(SFTKObject *destObject, SFTKTokenObject *src_to)
crv = stfk_CopyTokenAttributes(destObject, src_to, dhPubKeyAttrs,
dhPubKeyAttrsCount);
break;
+#ifndef NSS_DISABLE_ECC
case CKK_EC:
crv = stfk_CopyTokenAttributes(destObject, src_to, ecPubKeyAttrs,
ecPubKeyAttrsCount);
break;
+#endif
default:
crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
* of token keys into our database. */
diff --git a/security/nss/lib/softoken/sdb.c b/security/nss/lib/softoken/sdb.c
index 96717cb26..8690df34c 100644
--- a/security/nss/lib/softoken/sdb.c
+++ b/security/nss/lib/softoken/sdb.c
@@ -37,7 +37,6 @@
#elif defined(XP_UNIX)
#include <unistd.h>
#endif
-#include "utilpars.h"
#ifdef SQLITE_UNSAFE_THREADS
#include "prlock.h"
@@ -191,34 +190,6 @@ sdb_done(int err, int *count)
return 0;
}
-#if defined(_WIN32)
-/*
- * NSPR functions and narrow CRT functions do not handle UTF-8 file paths that
- * sqlite3 expects.
- */
-
-static int
-sdb_chmod(const char *filename, int pmode)
-{
- int result;
-
- if (!filename) {
- return -1;
- }
-
- wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
- if (!filenameWide) {
- return -1;
- }
- result = _wchmod(filenameWide, pmode);
- PORT_Free(filenameWide);
-
- return result;
-}
-#else
-#define sdb_chmod(filename, pmode) chmod((filename), (pmode))
-#endif
-
/*
* find out where sqlite stores the temp tables. We do this by replicating
* the logic from sqlite.
@@ -1629,7 +1600,7 @@ loser:
return error;
}
-static const char RESET_CMD[] = "DELETE FROM %s;";
+static const char RESET_CMD[] = "DROP TABLE IF EXISTS %s;";
CK_RV
sdb_Reset(SDB *sdb)
{
@@ -1650,19 +1621,17 @@ sdb_Reset(SDB *sdb)
goto loser;
}
- if (tableExists(sqlDB, sdb_p->table)) {
- /* delete the contents of the key table */
- newStr = sqlite3_mprintf(RESET_CMD, sdb_p->table);
- if (newStr == NULL) {
- error = CKR_HOST_MEMORY;
- goto loser;
- }
- sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
- sqlite3_free(newStr);
-
- if (sqlerr != SQLITE_OK)
- goto loser;
+ /* delete the key table */
+ newStr = sqlite3_mprintf(RESET_CMD, sdb_p->table);
+ if (newStr == NULL) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
}
+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+ sqlite3_free(newStr);
+
+ if (sqlerr != SQLITE_OK)
+ goto loser;
/* delete the password entry table */
sqlerr = sqlite3_exec(sqlDB, "DROP TABLE IF EXISTS metaData;",
@@ -1768,7 +1737,7 @@ sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate,
* sqlite3 will always create it.
*/
LOCK_SQLITE();
- create = (_NSSUTIL_Access(dbname, PR_ACCESS_EXISTS) != PR_SUCCESS);
+ create = (PR_Access(dbname, PR_ACCESS_EXISTS) != PR_SUCCESS);
if ((flags == SDB_RDONLY) && create) {
error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
goto loser;
@@ -1785,7 +1754,7 @@ sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate,
*
* NO NSPR call for chmod? :(
*/
- if (create && sdb_chmod(dbname, 0600) != 0) {
+ if (create && chmod(dbname, 0600) != 0) {
error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
goto loser;
}
@@ -1897,29 +1866,30 @@ sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate,
* so we use it for the cache (see sdb_buildCache for how it's done).*/
/*
- * we decide whether or not to use the cache based on the following input.
- *
- * NSS_SDB_USE_CACHE environment variable is set to anything other than
- * "yes" or "no" (for instance, "auto"): NSS will measure the performance
- * of access to the temp database versus the access to the user's
- * passed-in database location. If the temp database location is
- * "significantly" faster we will use the cache.
- *
- * NSS_SDB_USE_CACHE environment variable is nonexistent or set to "no":
- * cache will not be used.
- *
- * NSS_SDB_USE_CACHE environment variable is set to "yes": cache will
- * always be used.
- *
- * It is expected that most applications will not need this feature, and
- * thus it is disabled by default.
- */
+ * we decide whether or not to use the cache based on the following input.
+ *
+ * NSS_SDB_USE_CACHE environment variable is non-existant or set to
+ * anything other than "no" or "yes" ("auto", for instance).
+ * This is the normal case. NSS will measure the performance of access
+ * to the temp database versus the access to the users passed in
+ * database location. If the temp database location is "significantly"
+ * faster we will use the cache.
+ *
+ * NSS_SDB_USE_CACHE environment variable is set to "no": cache will not
+ * be used.
+ *
+ * NSS_SDB_USE_CACHE environment variable is set to "yes": cache will
+ * always be used.
+ *
+ * It is expected that most applications would use the "auto" selection,
+ * the environment variable is primarily to simplify testing, and to
+ * correct potential corner cases where */
env = PR_GetEnvSecure("NSS_SDB_USE_CACHE");
- if (!env || PORT_Strcasecmp(env, "no") == 0) {
+ if (env && PORT_Strcasecmp(env, "no") == 0) {
enableCache = PR_FALSE;
- } else if (PORT_Strcasecmp(env, "yes") == 0) {
+ } else if (env && PORT_Strcasecmp(env, "yes") == 0) {
enableCache = PR_TRUE;
} else {
char *tempDir = NULL;
@@ -2065,11 +2035,10 @@ s_open(const char *directory, const char *certPrefix, const char *keyPrefix,
{
char *env;
env = PR_GetEnvSecure("NSS_SDB_USE_CACHE");
- /* If the environment variable is undefined or set to yes or no,
- * sdb_init() will ignore the value of accessOps, and we can skip the
- * measuring.*/
- if (env && PORT_Strcasecmp(env, "no") != 0 &&
- PORT_Strcasecmp(env, "yes") != 0) {
+ /* If the environment variable is set to yes or no, sdb_init() will
+ * ignore the value of accessOps, and we can skip the measuring.*/
+ if (!env || ((PORT_Strcasecmp(env, "no") != 0) &&
+ (PORT_Strcasecmp(env, "yes") != 0))) {
accessOps = sdb_measureAccess(directory);
}
}
diff --git a/security/nss/lib/softoken/sdb.h b/security/nss/lib/softoken/sdb.h
index 8ff254bf7..04b873e02 100644
--- a/security/nss/lib/softoken/sdb.h
+++ b/security/nss/lib/softoken/sdb.h
@@ -83,10 +83,6 @@ CK_RV s_open(const char *directory, const char *certPrefix,
int flags, SDB **certdb, SDB **keydb, int *newInit);
CK_RV s_shutdown();
-#if defined(_WIN32)
-wchar_t *sdb_UTF8ToWide(const char *buf);
-#endif
-
/* flags */
#define SDB_RDONLY 1
#define SDB_RDWR 2
diff --git a/security/nss/lib/softoken/sftkdb.c b/security/nss/lib/softoken/sftkdb.c
index 2ae084068..52e516117 100644
--- a/security/nss/lib/softoken/sftkdb.c
+++ b/security/nss/lib/softoken/sftkdb.c
@@ -28,9 +28,6 @@
#include "utilpars.h"
#include "secerr.h"
#include "softoken.h"
-#if defined(_WIN32)
-#include <windows.h>
-#endif
/*
* We want all databases to have the same binary representation independent of
@@ -43,7 +40,7 @@
*/
#define BBP 8
-PRBool
+static PRBool
sftkdb_isULONGAttribute(CK_ATTRIBUTE_TYPE type)
{
switch (type) {
@@ -1373,8 +1370,7 @@ sftkdb_SetAttributeValue(SFTKDBHandle *handle, SFTKObject *object,
}
/* make sure we don't have attributes that conflict with the existing DB */
- crv = sftkdb_checkConflicts(db, object->objclass, ntemplate, count,
- objectID);
+ crv = sftkdb_checkConflicts(db, object->objclass, template, count, objectID);
if (crv != CKR_OK) {
goto loser;
}
@@ -1390,8 +1386,8 @@ sftkdb_SetAttributeValue(SFTKDBHandle *handle, SFTKObject *object,
goto loser;
}
inTransaction = PR_TRUE;
- crv = sftkdb_setAttributeValue(arena, handle, db, objectID, ntemplate,
- count);
+ crv = sftkdb_setAttributeValue(arena, handle, db,
+ objectID, template, count);
if (crv != CKR_OK) {
goto loser;
}
@@ -2315,13 +2311,6 @@ loser:
crv = (*handle->update->sdb_GetMetaData)(handle->update, "password",
&item1, &item2);
if (crv != CKR_OK) {
- /* if we get here, neither the source, nor the target has been initialized
- * with a password entry. Create a metadata table now so that we don't
- * mistake this for a partially updated database */
- item1.data[0] = 0;
- item2.data[0] = 0;
- item1.len = item2.len = 1;
- crv = (*handle->db->sdb_PutMetaData)(handle->db, "empty", &item1, &item2);
goto done;
}
crv = (*handle->db->sdb_PutMetaData)(handle->db, "password", &item1,
@@ -2512,53 +2501,6 @@ sftk_oldVersionExists(const char *dir, int version)
return PR_FALSE;
}
-#if defined(_WIN32)
-/*
- * Convert an sdb path (encoded in UTF-8) to a legacy path (encoded in the
- * current system codepage). Fails if the path contains a character outside
- * the current system codepage.
- */
-static char *
-sftk_legacyPathFromSDBPath(const char *confdir)
-{
- wchar_t *confdirWide;
- DWORD size;
- char *nconfdir;
- BOOL unmappable;
-
- if (!confdir) {
- return NULL;
- }
- confdirWide = _NSSUTIL_UTF8ToWide(confdir);
- if (!confdirWide) {
- return NULL;
- }
-
- size = WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS, confdirWide, -1,
- NULL, 0, NULL, &unmappable);
- if (size == 0 || unmappable) {
- PORT_Free(confdirWide);
- return NULL;
- }
- nconfdir = PORT_Alloc(sizeof(char) * size);
- if (!nconfdir) {
- PORT_Free(confdirWide);
- return NULL;
- }
- size = WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS, confdirWide, -1,
- nconfdir, size, NULL, &unmappable);
- PORT_Free(confdirWide);
- if (size == 0 || unmappable) {
- PORT_Free(nconfdir);
- return NULL;
- }
-
- return nconfdir;
-}
-#else
-#define sftk_legacyPathFromSDBPath(confdir) PORT_Strdup((confdir))
-#endif
-
static PRBool
sftk_hasLegacyDB(const char *confdir, const char *certPrefix,
const char *keyPrefix, int certVersion, int keyVersion)
@@ -2618,7 +2560,6 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
int flags = SDB_RDONLY;
PRBool newInit = PR_FALSE;
PRBool needUpdate = PR_FALSE;
- char *nconfdir = NULL;
if (!readOnly) {
flags = SDB_CREATE;
@@ -2657,14 +2598,11 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
* the exists.
*/
if (crv != CKR_OK) {
- if ((flags & SDB_RDONLY) == SDB_RDONLY) {
- nconfdir = sftk_legacyPathFromSDBPath(confdir);
- }
- if (nconfdir &&
- sftk_hasLegacyDB(nconfdir, certPrefix, keyPrefix, 8, 3)) {
+ if (((flags & SDB_RDONLY) == SDB_RDONLY) &&
+ sftk_hasLegacyDB(confdir, certPrefix, keyPrefix, 8, 3)) {
/* we have legacy databases, if we failed to open the new format
* DB's read only, just use the legacy ones */
- crv = sftkdbCall_open(nconfdir, certPrefix,
+ crv = sftkdbCall_open(confdir, certPrefix,
keyPrefix, 8, 3, flags,
noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB);
}
@@ -2693,10 +2631,7 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
/* if the new format DB was also a newly created DB, and we
* succeeded, then need to update that new database with data
* from the existing legacy DB */
- nconfdir = sftk_legacyPathFromSDBPath(confdir);
- if (nconfdir &&
- sftk_hasLegacyDB(nconfdir, certPrefix, keyPrefix, 8, 3)) {
- confdir = nconfdir;
+ if (sftk_hasLegacyDB(confdir, certPrefix, keyPrefix, 8, 3)) {
needUpdate = PR_TRUE;
}
}
@@ -2769,9 +2704,6 @@ done:
if (appName) {
PORT_Free(appName);
}
- if (nconfdir) {
- PORT_Free(nconfdir);
- }
return forceOpen ? CKR_OK : crv;
}
diff --git a/security/nss/lib/softoken/sftkdbti.h b/security/nss/lib/softoken/sftkdbti.h
index 7b1db4560..4942e1b12 100644
--- a/security/nss/lib/softoken/sftkdbti.h
+++ b/security/nss/lib/softoken/sftkdbti.h
@@ -49,7 +49,6 @@ SECStatus sftkdb_VerifyAttribute(SECItem *passKey,
CK_ATTRIBUTE_TYPE attrType,
SECItem *plainText, SECItem *sigText);
-PRBool sftkdb_isULONGAttribute(CK_ATTRIBUTE_TYPE type);
void sftk_ULong2SDBULong(unsigned char *data, CK_ULONG value);
CK_RV sftkdb_Update(SFTKDBHandle *handle, SECItem *key);
CK_RV sftkdb_PutAttributeSignature(SFTKDBHandle *handle,
diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c
index 07b6922dc..0b8c91bfd 100644
--- a/security/nss/lib/softoken/sftkpwd.c
+++ b/security/nss/lib/softoken/sftkpwd.c
@@ -273,7 +273,7 @@ sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey,
RNG_GenerateGlobalRandomBytes(saltData, cipherValue.salt.len);
param = nsspkcs5_NewParam(cipherValue.alg, HASH_AlgSHA1, &cipherValue.salt,
- 30000);
+ 1);
if (param == NULL) {
rv = SECFailure;
goto loser;
@@ -444,7 +444,7 @@ sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey,
RNG_GenerateGlobalRandomBytes(saltData, prfLength);
/* initialize our pkcs5 parameter */
- param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt, 30000);
+ param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt, 1);
if (param == NULL) {
rv = SECFailure;
goto loser;
@@ -926,13 +926,6 @@ sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle,
continue;
}
- if (authAttrs[i].ulValueLen == sizeof(CK_ULONG) &&
- sftkdb_isULONGAttribute(authAttrs[i].type)) {
- CK_ULONG value = *(CK_ULONG *)authAttrs[i].pValue;
- sftk_ULong2SDBULong(authAttrs[i].pValue, value);
- authAttrs[i].ulValueLen = SDB_ULONG_SIZE;
- }
-
plainText.data = authAttrs[i].pValue;
plainText.len = authAttrs[i].ulValueLen;
rv = sftkdb_SignAttribute(arena, newKey, id,
diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h
index 9fd99a8e0..fb2e5bda5 100644
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -8,7 +8,11 @@
#ifndef _SOFTKVER_H_
#define _SOFTKVER_H_
+#ifndef NSS_DISABLE_ECC
#define SOFTOKEN_ECC_STRING " Basic ECC"
+#else
+#define SOFTOKEN_ECC_STRING ""
+#endif
/*
* Softoken's major version, minor version, patch level, build number,
@@ -17,10 +21,10 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define SOFTOKEN_VERSION "3.35" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.32.1" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
-#define SOFTOKEN_VMINOR 35
-#define SOFTOKEN_VPATCH 0
+#define SOFTOKEN_VMINOR 32
+#define SOFTOKEN_VPATCH 1
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE
diff --git a/security/nss/lib/softoken/softoknt.h b/security/nss/lib/softoken/softoknt.h
index 03c92361c..071689842 100644
--- a/security/nss/lib/softoken/softoknt.h
+++ b/security/nss/lib/softoken/softoknt.h
@@ -9,9 +9,6 @@
#define _SOFTOKNT_H_
#define NSS_SOFTOKEN_DEFAULT_CHUNKSIZE 2048
-#define DES_BLOCK_SIZE 8 /* bytes */
-#define MAX_DES3_KEY_SIZE 24 /* DES_BLOCK_SIZE * 3 */
-#define SFTK_MAX_DERIVE_KEY_SIZE 64
/*
* FIPS 140-2 auditing