From f017b749ea9f1586d2308504553d40bf4cc5439d Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Tue, 6 Feb 2018 11:46:26 +0100 Subject: Update NSS to 3.32.1-RTM --- security/nss/cmd/lib/basicutil.c | 191 +++++++++++++++++++++++---------------- security/nss/cmd/lib/basicutil.h | 14 ++- security/nss/cmd/lib/secutil.c | 149 +++++++++++++++++++++++------- security/nss/cmd/lib/secutil.h | 10 +- 4 files changed, 245 insertions(+), 119 deletions(-) (limited to 'security/nss/cmd/lib') diff --git a/security/nss/cmd/lib/basicutil.c b/security/nss/cmd/lib/basicutil.c index dcd039391..de56fbdd9 100644 --- a/security/nss/cmd/lib/basicutil.c +++ b/security/nss/cmd/lib/basicutil.c @@ -25,7 +25,6 @@ #endif #include "secoid.h" -#include "sslt.h" extern long DER_GetInteger(const SECItem *src); @@ -733,97 +732,135 @@ SECU_SECItemHexStringToBinary(SECItem *srcdest) return SECSuccess; } -SSLNamedGroup -groupNameToNamedGroup(char *name) +SECItem * +SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str) { - if (PL_strlen(name) == 4) { - if (!strncmp(name, "P256", 4)) { - return ssl_grp_ec_secp256r1; - } - if (!strncmp(name, "P384", 4)) { - return ssl_grp_ec_secp384r1; - } - if (!strncmp(name, "P521", 4)) { - return ssl_grp_ec_secp521r1; - } + int i = 0; + int byteval = 0; + int tmp = PORT_Strlen(str); + + PORT_Assert(arena); + PORT_Assert(item); + + if ((tmp % 2) != 0) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } - if (PL_strlen(name) == 6) { - if (!strncmp(name, "x25519", 6)) { - return ssl_grp_ec_curve25519; - } - if (!strncmp(name, "FF2048", 6)) { - return ssl_grp_ffdhe_2048; - } - if (!strncmp(name, "FF3072", 6)) { - return ssl_grp_ffdhe_3072; - } - if (!strncmp(name, "FF4096", 6)) { - return ssl_grp_ffdhe_4096; - } - if (!strncmp(name, "FF6144", 6)) { - return ssl_grp_ffdhe_6144; + + item = SECITEM_AllocItem(arena, item, tmp / 2); + if (item == NULL) { + return NULL; + } + + while (str[i]) { + if ((str[i] >= '0') && (str[i] <= '9')) { + tmp = str[i] - '0'; + } else if ((str[i] >= 'a') && (str[i] <= 'f')) { + tmp = str[i] - 'a' + 10; + } else if ((str[i] >= 'A') && (str[i] <= 'F')) { + tmp = str[i] - 'A' + 10; + } else { + /* item is in arena and gets freed by the caller */ + return NULL; } - if (!strncmp(name, "FF8192", 6)) { - return ssl_grp_ffdhe_8192; + + byteval = byteval * 16 + tmp; + if ((i % 2) != 0) { + item->data[i / 2] = byteval; + byteval = 0; } + i++; } - return ssl_grp_none; + return item; } +/* mapping between ECCurveName enum and SECOidTags */ +static SECOidTag ecCurve_oid_map[] = { + SEC_OID_UNKNOWN, /* ECCurve_noName */ + SEC_OID_ANSIX962_EC_PRIME192V1, /* ECCurve_NIST_P192 */ + SEC_OID_SECG_EC_SECP224R1, /* ECCurve_NIST_P224 */ + SEC_OID_ANSIX962_EC_PRIME256V1, /* ECCurve_NIST_P256 */ + SEC_OID_SECG_EC_SECP384R1, /* ECCurve_NIST_P384 */ + SEC_OID_SECG_EC_SECP521R1, /* ECCurve_NIST_P521 */ + SEC_OID_SECG_EC_SECT163K1, /* ECCurve_NIST_K163 */ + SEC_OID_SECG_EC_SECT163R1, /* ECCurve_NIST_B163 */ + SEC_OID_SECG_EC_SECT233K1, /* ECCurve_NIST_K233 */ + SEC_OID_SECG_EC_SECT233R1, /* ECCurve_NIST_B233 */ + SEC_OID_SECG_EC_SECT283K1, /* ECCurve_NIST_K283 */ + SEC_OID_SECG_EC_SECT283R1, /* ECCurve_NIST_B283 */ + SEC_OID_SECG_EC_SECT409K1, /* ECCurve_NIST_K409 */ + SEC_OID_SECG_EC_SECT409R1, /* ECCurve_NIST_B409 */ + SEC_OID_SECG_EC_SECT571K1, /* ECCurve_NIST_K571 */ + SEC_OID_SECG_EC_SECT571R1, /* ECCurve_NIST_B571 */ + SEC_OID_ANSIX962_EC_PRIME192V2, + SEC_OID_ANSIX962_EC_PRIME192V3, + SEC_OID_ANSIX962_EC_PRIME239V1, + SEC_OID_ANSIX962_EC_PRIME239V2, + SEC_OID_ANSIX962_EC_PRIME239V3, + SEC_OID_ANSIX962_EC_C2PNB163V1, + SEC_OID_ANSIX962_EC_C2PNB163V2, + SEC_OID_ANSIX962_EC_C2PNB163V3, + SEC_OID_ANSIX962_EC_C2PNB176V1, + SEC_OID_ANSIX962_EC_C2TNB191V1, + SEC_OID_ANSIX962_EC_C2TNB191V2, + SEC_OID_ANSIX962_EC_C2TNB191V3, + SEC_OID_ANSIX962_EC_C2PNB208W1, + SEC_OID_ANSIX962_EC_C2TNB239V1, + SEC_OID_ANSIX962_EC_C2TNB239V2, + SEC_OID_ANSIX962_EC_C2TNB239V3, + SEC_OID_ANSIX962_EC_C2PNB272W1, + SEC_OID_ANSIX962_EC_C2PNB304W1, + SEC_OID_ANSIX962_EC_C2TNB359V1, + SEC_OID_ANSIX962_EC_C2PNB368W1, + SEC_OID_ANSIX962_EC_C2TNB431R1, + SEC_OID_SECG_EC_SECP112R1, + SEC_OID_SECG_EC_SECP112R2, + SEC_OID_SECG_EC_SECP128R1, + SEC_OID_SECG_EC_SECP128R2, + SEC_OID_SECG_EC_SECP160K1, + SEC_OID_SECG_EC_SECP160R1, + SEC_OID_SECG_EC_SECP160R2, + SEC_OID_SECG_EC_SECP192K1, + SEC_OID_SECG_EC_SECP224K1, + SEC_OID_SECG_EC_SECP256K1, + SEC_OID_SECG_EC_SECT113R1, + SEC_OID_SECG_EC_SECT113R2, + SEC_OID_SECG_EC_SECT131R1, + SEC_OID_SECG_EC_SECT131R2, + SEC_OID_SECG_EC_SECT163R1, + SEC_OID_SECG_EC_SECT193R1, + SEC_OID_SECG_EC_SECT193R2, + SEC_OID_SECG_EC_SECT239K1, + SEC_OID_UNKNOWN, /* ECCurve_WTLS_1 */ + SEC_OID_UNKNOWN, /* ECCurve_WTLS_8 */ + SEC_OID_UNKNOWN, /* ECCurve_WTLS_9 */ + SEC_OID_CURVE25519, + SEC_OID_UNKNOWN /* ECCurve_pastLastCurve */ +}; + SECStatus -parseGroupList(const char *arg, SSLNamedGroup **enabledGroups, - unsigned int *enabledGroupsCount) +SECU_ecName2params(ECCurveName curve, SECItem *params) { - SSLNamedGroup *groups; - char *str; - char *p; - unsigned int numValues = 0; - unsigned int count = 0; - - /* Count the number of groups. */ - str = PORT_Strdup(arg); - if (!str) { + SECOidData *oidData = NULL; + + if ((curve < ECCurve_noName) || (curve > ECCurve_pastLastCurve) || + ((oidData = SECOID_FindOIDByTag(ecCurve_oid_map[curve])) == NULL)) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); return SECFailure; } - p = strtok(str, ","); - while (p) { - ++numValues; - p = strtok(NULL, ","); - } - PORT_Free(str); - str = NULL; - groups = PORT_ZNewArray(SSLNamedGroup, numValues); - if (!groups) { - goto done; - } - - /* Get group names. */ - str = PORT_Strdup(arg); - if (!str) { - goto done; - } - p = strtok(str, ","); - while (p) { - SSLNamedGroup group = groupNameToNamedGroup(p); - if (group == ssl_grp_none) { - count = 0; - goto done; - } - groups[count++] = group; - p = strtok(NULL, ","); - } -done: - if (str) { - PORT_Free(str); - } - if (!count) { - PORT_Free(groups); + if (SECITEM_AllocItem(NULL, params, (2 + oidData->oid.len)) == NULL) { return SECFailure; } + /* + * params->data needs to contain the ASN encoding of an object ID (OID) + * representing the named curve. The actual OID is in + * oidData->oid.data so we simply prepend 0x06 and OID length + */ + params->data[0] = SEC_ASN1_OBJECT_ID; + params->data[1] = oidData->oid.len; + memcpy(params->data + 2, oidData->oid.data, oidData->oid.len); - *enabledGroupsCount = count; - *enabledGroups = groups; return SECSuccess; } diff --git a/security/nss/cmd/lib/basicutil.h b/security/nss/cmd/lib/basicutil.h index 345fd91a4..de8c1b01e 100644 --- a/security/nss/cmd/lib/basicutil.h +++ b/security/nss/cmd/lib/basicutil.h @@ -13,7 +13,7 @@ #include "base64.h" #include "secasn1.h" #include "secder.h" -#include "sslt.h" +#include "ecl-exp.h" #include #ifdef SECUTIL_NEW @@ -81,6 +81,14 @@ SECU_SECItemToHex(const SECItem *item, char *dst); SECStatus SECU_SECItemHexStringToBinary(SECItem *srcdest); +/* +** Read a hex string into a SecItem. +*/ +extern SECItem *SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, + const char *str); + +extern SECStatus SECU_ecName2params(ECCurveName curve, SECItem *params); + /* * * Utilities for parsing security tools command lines @@ -113,10 +121,6 @@ SECU_ParseCommandLine(int argc, char **argv, char *progName, char * SECU_GetOptionArg(const secuCommand *cmd, int optionNum); -SECStatus parseGroupList(const char *arg, SSLNamedGroup **enabledGroups, - unsigned int *enabledGroupsCount); -SSLNamedGroup groupNameToNamedGroup(char *name); - /* * * Error messaging diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c index f3c15d870..cb4752df9 100644 --- a/security/nss/cmd/lib/secutil.c +++ b/security/nss/cmd/lib/secutil.c @@ -32,7 +32,7 @@ #include "certt.h" #include "certdb.h" -/* #include "secmod.h" */ +#include "secmod.h" #include "pk11func.h" #include "secoid.h" @@ -3229,6 +3229,10 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert, SECStatus rv; SECItem data; CERTCertTrust certTrust; + PK11SlotList *slotList; + PRBool falseAttributeFound = PR_FALSE; + PRBool trueAttributeFound = PR_FALSE; + const char *moz_policy_ca_info = NULL; data.data = cert->derCert.data; data.len = cert->derCert.len; @@ -3238,6 +3242,35 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert, if (rv) { return (SECFailure); } + + slotList = PK11_GetAllSlotsForCert(cert, NULL); + if (slotList) { + PK11SlotListElement *se = PK11_GetFirstSafe(slotList); + for (; se; se = PK11_GetNextSafe(slotList, se, PR_FALSE)) { + CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(se->slot, cert, NULL); + if (handle != CK_INVALID_HANDLE) { + PORT_SetError(0); + if (PK11_HasAttributeSet(se->slot, handle, + CKA_NSS_MOZILLA_CA_POLICY, PR_FALSE)) { + trueAttributeFound = PR_TRUE; + } else if (!PORT_GetError()) { + falseAttributeFound = PR_TRUE; + } + } + } + PK11_FreeSlotList(slotList); + } + + if (trueAttributeFound) { + moz_policy_ca_info = "true (attribute present)"; + } else if (falseAttributeFound) { + moz_policy_ca_info = "false (attribute present)"; + } else { + moz_policy_ca_info = "false (attribute missing)"; + } + SECU_Indent(stdout, 1); + printf("Mozilla-CA-Policy: %s\n", moz_policy_ca_info); + if (trust) { SECU_PrintTrustFlags(stdout, trust, "Certificate Trust Flags", 1); @@ -3833,45 +3866,97 @@ SECU_ParseSSLVersionRangeString(const char *input, return SECSuccess; } -SECItem * -SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str) +SSLNamedGroup +groupNameToNamedGroup(char *name) { - int i = 0; - int byteval = 0; - int tmp = PORT_Strlen(str); + if (PL_strlen(name) == 4) { + if (!strncmp(name, "P256", 4)) { + return ssl_grp_ec_secp256r1; + } + if (!strncmp(name, "P384", 4)) { + return ssl_grp_ec_secp384r1; + } + if (!strncmp(name, "P521", 4)) { + return ssl_grp_ec_secp521r1; + } + } + if (PL_strlen(name) == 6) { + if (!strncmp(name, "x25519", 6)) { + return ssl_grp_ec_curve25519; + } + if (!strncmp(name, "FF2048", 6)) { + return ssl_grp_ffdhe_2048; + } + if (!strncmp(name, "FF3072", 6)) { + return ssl_grp_ffdhe_3072; + } + if (!strncmp(name, "FF4096", 6)) { + return ssl_grp_ffdhe_4096; + } + if (!strncmp(name, "FF6144", 6)) { + return ssl_grp_ffdhe_6144; + } + if (!strncmp(name, "FF8192", 6)) { + return ssl_grp_ffdhe_8192; + } + } - PORT_Assert(arena); - PORT_Assert(item); + return ssl_grp_none; +} - if ((tmp % 2) != 0) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } +SECStatus +parseGroupList(const char *arg, SSLNamedGroup **enabledGroups, + unsigned int *enabledGroupsCount) +{ + SSLNamedGroup *groups; + char *str; + char *p; + unsigned int numValues = 0; + unsigned int count = 0; - item = SECITEM_AllocItem(arena, item, tmp / 2); - if (item == NULL) { - return NULL; + /* Count the number of groups. */ + str = PORT_Strdup(arg); + if (!str) { + return SECFailure; + } + p = strtok(str, ","); + while (p) { + ++numValues; + p = strtok(NULL, ","); + } + PORT_Free(str); + str = NULL; + groups = PORT_ZNewArray(SSLNamedGroup, numValues); + if (!groups) { + goto done; } - while (str[i]) { - if ((str[i] >= '0') && (str[i] <= '9')) { - tmp = str[i] - '0'; - } else if ((str[i] >= 'a') && (str[i] <= 'f')) { - tmp = str[i] - 'a' + 10; - } else if ((str[i] >= 'A') && (str[i] <= 'F')) { - tmp = str[i] - 'A' + 10; - } else { - /* item is in arena and gets freed by the caller */ - return NULL; + /* Get group names. */ + str = PORT_Strdup(arg); + if (!str) { + goto done; + } + p = strtok(str, ","); + while (p) { + SSLNamedGroup group = groupNameToNamedGroup(p); + if (group == ssl_grp_none) { + count = 0; + goto done; } + groups[count++] = group; + p = strtok(NULL, ","); + } - byteval = byteval * 16 + tmp; - if ((i % 2) != 0) { - item->data[i / 2] = byteval; - byteval = 0; - } - i++; +done: + if (str) { + PORT_Free(str); + } + if (!count) { + PORT_Free(groups); + return SECFailure; } - return item; + *enabledGroupsCount = count; + *enabledGroups = groups; + return SECSuccess; } diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h index 571615daa..fe07aca60 100644 --- a/security/nss/cmd/lib/secutil.h +++ b/security/nss/cmd/lib/secutil.h @@ -18,6 +18,7 @@ #include "basicutil.h" #include "sslerr.h" #include "sslt.h" +#include "blapi.h" #define SEC_CT_PRIVATE_KEY "private-key" #define SEC_CT_PUBLIC_KEY "public-key" @@ -402,11 +403,10 @@ SECStatus SECU_ParseSSLVersionRangeString(const char *input, const SSLVersionRange defaultVersionRange, SSLVersionRange *vrange); -/* -** Read a hex string into a SecItem. -*/ -extern SECItem *SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, - const char *str); + +SECStatus parseGroupList(const char *arg, SSLNamedGroup **enabledGroups, + unsigned int *enabledGroupsCount); +SSLNamedGroup groupNameToNamedGroup(char *name); /* * -- cgit v1.2.3