From f017b749ea9f1586d2308504553d40bf4cc5439d Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Tue, 6 Feb 2018 11:46:26 +0100 Subject: Update NSS to 3.32.1-RTM --- security/nss/cmd/addbuiltin/addbuiltin.c | 28 +++++ security/nss/cmd/bltest/blapitest.c | 9 +- security/nss/cmd/certutil/certext.c | 2 - security/nss/cmd/certutil/certutil.c | 3 + security/nss/cmd/certutil/keystuff.c | 11 +- security/nss/cmd/crlutil/crlutil.c | 5 +- security/nss/cmd/crmftest/testcrmf.c | 2 + security/nss/cmd/ecperf/ecperf.c | 129 +++------------------ security/nss/cmd/fbectest/fbectest.c | 27 ++--- security/nss/cmd/lib/basicutil.c | 191 ++++++++++++++++++------------- security/nss/cmd/lib/basicutil.h | 14 ++- security/nss/cmd/lib/secutil.c | 149 ++++++++++++++++++------ security/nss/cmd/lib/secutil.h | 10 +- security/nss/cmd/lowhashtest/manifest.mn | 1 + security/nss/cmd/modutil/pk11.c | 20 +++- security/nss/cmd/mpitests/mpitests.gyp | 24 +++- security/nss/cmd/pk12util/pk12util.c | 11 +- security/nss/cmd/platlibs.gypi | 18 +-- security/nss/cmd/platlibs.mk | 34 +++--- security/nss/cmd/selfserv/selfserv.c | 12 +- security/nss/cmd/smimetools/cmsutil.c | 4 +- security/nss/cmd/smimetools/smime | 4 +- security/nss/cmd/strsclnt/strsclnt.c | 1 + security/nss/cmd/symkeyutil/symkeyutil.c | 3 + security/nss/cmd/tstclnt/tstclnt.c | 88 +++++++++----- 25 files changed, 444 insertions(+), 356 deletions(-) (limited to 'security/nss/cmd') diff --git a/security/nss/cmd/addbuiltin/addbuiltin.c b/security/nss/cmd/addbuiltin/addbuiltin.c index 9ecad3d64..831672039 100644 --- a/security/nss/cmd/addbuiltin/addbuiltin.c +++ b/security/nss/cmd/addbuiltin/addbuiltin.c 
@@ -31,6 +31,29 @@ dumpbytes(unsigned char *buf, int len) printf("\n"); } +int +hasPositiveTrust(unsigned int trust) +{ + if (trust & CERTDB_TRUSTED) { + if (trust & CERTDB_TRUSTED_CA) { + return PR_TRUE; + } else { + return PR_FALSE; + } + } else { + if (trust & CERTDB_TRUSTED_CA) { + return PR_TRUE; + } else if (trust & CERTDB_VALID_CA) { + return PR_TRUE; + } else if (trust & CERTDB_TERMINAL_RECORD) { + return PR_FALSE; + } else { + return PR_FALSE; + } + } + return PR_FALSE; +} + char * getTrustString(unsigned int trust) { @@ -202,6 +225,11 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust, printf("CKA_VALUE MULTILINE_OCTAL\n"); dumpbytes(sdder->data, sdder->len); printf("END\n"); + if (hasPositiveTrust(trust->sslFlags) || + hasPositiveTrust(trust->emailFlags) || + hasPositiveTrust(trust->objectSigningFlags)) { + printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n"); + } } if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) == diff --git a/security/nss/cmd/bltest/blapitest.c b/security/nss/cmd/bltest/blapitest.c index ebe73e6be..a3a162da1 100644 --- a/security/nss/cmd/bltest/blapitest.c +++ b/security/nss/cmd/bltest/blapitest.c @@ -917,6 +917,7 @@ setupIO(PLArenaPool *arena, bltestIO *input, PRFileDesc *file, SECItem *in; unsigned char *tok; unsigned int i, j; + PRBool needToFreeFile = PR_FALSE; if (file && (numBytes == 0 || file == PR_STDIN)) { /* grabbing data from a file */ @@ -924,6 +925,7 @@ setupIO(PLArenaPool *arena, bltestIO *input, PRFileDesc *file, if (rv != SECSuccess) return SECFailure; in = &fileData; + needToFreeFile = PR_TRUE; } else if (str) { /* grabbing data from command line */ fileData.data = (unsigned char *)str; 
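Review bot: `hasPositiveTrust` in the first hunk has no comment stating its trust policy, and the nested branches hide that it reduces to a single expression. The result is true when `CERTDB_TRUSTED_CA` is set, or when `CERTDB_VALID_CA` is set without `CERTDB_TRUSTED`. The `CERTDB_TERMINAL_RECORD` branch and the trailing `return PR_FALSE;` change nothing, because every earlier path already returns. This predicate decides whether `CKA_NSS_MOZILLA_CA_POLICY` is written in the second hunk, so I would add a header comment such as `/* True if the flags mark a trusted or valid CA; peer-only trust does not count. */` and, if nothing outside this file calls it, declare it `static PRBool`. The body could then be `return (trust & CERTDB_TRUSTED_CA) || (!(trust & CERTDB_TRUSTED) && (trust & CERTDB_VALID_CA));`.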
@@ -957,10 +959,7 @@ setupIO(PLArenaPool *arena, bltestIO *input, PRFileDesc *file, --in->len; if (in->data[in->len - 1] == '\r') --in->len; - SECITEM_CopyItem(arena, &input->buf, in); - if (rv != SECSuccess) { - return SECFailure; - } + rv = SECITEM_CopyItem(arena, &input->buf, in); break; case bltestHexSpaceDelim: SECITEM_AllocItem(arena, &input->buf, in->len / 5); @@ -986,7 +985,7 @@ setupIO(PLArenaPool *arena, bltestIO *input, PRFileDesc *file, break; } - if (file) + if (needToFreeFile) SECITEM_FreeItem(&fileData, PR_FALSE); return rv; } diff --git a/security/nss/cmd/certutil/certext.c b/security/nss/cmd/certutil/certext.c index b080f06f9..0be3eb120 100644 --- a/security/nss/cmd/certutil/certext.c +++ b/security/nss/cmd/certutil/certext.c @@ -980,8 +980,6 @@ AddNameConstraints(void *extHandle) GEN_BREAK(SECFailure); } - (void)SEC_ASN1EncodeInteger(arena, ¤t->min, 0); - if (!GetGeneralName(arena, ¤t->name, PR_TRUE)) { GEN_BREAK(SECFailure); } diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c index 24acdbcb4..fbc752c1b 100644 --- a/security/nss/cmd/certutil/certutil.c +++ b/security/nss/cmd/certutil/certutil.c @@ -1002,9 +1002,12 @@ ListModules(void) /* look at each slot*/ for (le = list->head; le; le = le->next) { + char *token_uri = PK11_GetTokenURI(le->slot); printf("\n"); printf(" slot: %s\n", PK11_GetSlotName(le->slot)); printf(" token: %s\n", PK11_GetTokenName(le->slot)); + printf(" uri: %s\n", token_uri); + PORT_Free(token_uri); } PK11_FreeSlotList(list); diff --git a/security/nss/cmd/certutil/keystuff.c b/security/nss/cmd/certutil/keystuff.c index 268ad471a..2878e3765 100644 --- a/security/nss/cmd/certutil/keystuff.c +++ b/security/nss/cmd/certutil/keystuff.c 
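Review bot: In the `bltestHexSpaceDelim` case directly below the fixed call, `SECITEM_AllocItem(arena, &input->buf, in->len / 5);` still ignores its result, so an allocation failure there is not reported the way the `SECITEM_CopyItem` failure now is. A guard such as `if (!SECITEM_AllocItem(arena, &input->buf, in->len / 5)) { rv = SECFailure; break; }` would keep the cases consistent. The context line above reads `in->data[in->len - 1]` without a visible check that `in->len` is non-zero. The start of that case is outside the hunk, so confirm that empty input is rejected before it.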
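Review bot: `token_uri` in `ListModules` is passed to `printf` with `%s` without a NULL check, and a null pointer for `%s` is undefined behaviour in C. `PK11_GetTokenURI` returns an allocated string and should be treated as nullable on failure. The same patch does exactly that for the module URI in modutil's `printModule` with `if (modUri)`, yet the token loop there prints `tokenUri` unguarded as well. I would guard both places, e.g. `if (token_uri) { printf(" uri: %s\n", token_uri); PORT_Free(token_uri); }`.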
@@ -17,14 +17,6 @@ #include #endif -#if defined(__sun) && !defined(SVR4) -extern int fclose(FILE *); -extern int fprintf(FILE *, char *, ...); -extern int isatty(int); -extern char *sys_errlist[]; -#define strerror(errno) sys_errlist[errno] -#endif - #include "nspr.h" #include "prtypes.h" #include "prtime.h" @@ -52,9 +44,10 @@ static int UpdateRNG(void) { char randbuf[RAND_BUF_SIZE]; - int fd, count; + int fd; int c; int rv = 0; + size_t count; #ifdef XP_UNIX cc_t orig_cc_min; cc_t orig_cc_time; diff --git a/security/nss/cmd/crlutil/crlutil.c b/security/nss/cmd/crlutil/crlutil.c index bdf112b4a..c008ecc01 100644 --- a/security/nss/cmd/crlutil/crlutil.c +++ b/security/nss/cmd/crlutil/crlutil.c @@ -66,8 +66,11 @@ FindCRL(CERTCertDBHandle *certHandle, char *name, int type) return ((CERTSignedCrl *)NULL); } } else { - SECITEM_CopyItem(NULL, &derName, &cert->derSubject); + SECStatus rv = SECITEM_CopyItem(NULL, &derName, &cert->derSubject); CERT_DestroyCertificate(cert); + if (rv != SECSuccess) { + return ((CERTSignedCrl *)NULL); + } } crl = SEC_FindCrlByName(certHandle, &derName, type); diff --git a/security/nss/cmd/crmftest/testcrmf.c b/security/nss/cmd/crmftest/testcrmf.c index fefa6894d..cbc680b08 100644 --- a/security/nss/cmd/crmftest/testcrmf.c +++ b/security/nss/cmd/crmftest/testcrmf.c @@ -1261,11 +1261,13 @@ DoChallengeResponse(SECKEYPrivateKey *privKey, return 908; } keyID = PK11_MakeIDFromPubKey(publicValue); + SECITEM_FreeItem(publicValue, PR_TRUE); if (keyID == NULL) { printf("Could not make the keyID from the public value\n"); return 909; } foundPrivKey = PK11_FindKeyByKeyID(privKey->pkcs11Slot, keyID, &pwdata); + SECITEM_FreeItem(keyID, PR_TRUE); if (foundPrivKey == NULL) { printf("Could not find the private key corresponding to the public" " value.\n"); diff --git a/security/nss/cmd/ecperf/ecperf.c b/security/nss/cmd/ecperf/ecperf.c index 814c0352d..705d68f35 100644 --- a/security/nss/cmd/ecperf/ecperf.c +++ b/security/nss/cmd/ecperf/ecperf.c 
@@ -9,7 +9,6 @@ #include "basicutil.h" #include "pkcs11.h" #include "nspr.h" -#include "secutil.h" #include #define __PASTE(x, y) x##y 
@@ -27,70 +26,6 @@ #include "pkcs11f.h" -/* mapping between ECCurveName enum and pointers to ECCurveParams */ -static SECOidTag ecCurve_oid_map[] = { - SEC_OID_UNKNOWN, /* ECCurve_noName */ - SEC_OID_ANSIX962_EC_PRIME192V1, /* ECCurve_NIST_P192 */ - SEC_OID_SECG_EC_SECP224R1, /* ECCurve_NIST_P224 */ - SEC_OID_ANSIX962_EC_PRIME256V1, /* ECCurve_NIST_P256 */ - SEC_OID_SECG_EC_SECP384R1, /* ECCurve_NIST_P384 */ - SEC_OID_SECG_EC_SECP521R1, /* ECCurve_NIST_P521 */ - SEC_OID_SECG_EC_SECT163K1, /* ECCurve_NIST_K163 */ - SEC_OID_SECG_EC_SECT163R1, /* ECCurve_NIST_B163 */ - SEC_OID_SECG_EC_SECT233K1, /* ECCurve_NIST_K233 */ - SEC_OID_SECG_EC_SECT233R1, /* ECCurve_NIST_B233 */ - SEC_OID_SECG_EC_SECT283K1, /* ECCurve_NIST_K283 */ - SEC_OID_SECG_EC_SECT283R1, /* ECCurve_NIST_B283 */ - SEC_OID_SECG_EC_SECT409K1, /* ECCurve_NIST_K409 */ - SEC_OID_SECG_EC_SECT409R1, /* ECCurve_NIST_B409 */ - SEC_OID_SECG_EC_SECT571K1, /* ECCurve_NIST_K571 */ - SEC_OID_SECG_EC_SECT571R1, /* ECCurve_NIST_B571 */ - SEC_OID_ANSIX962_EC_PRIME192V2, - SEC_OID_ANSIX962_EC_PRIME192V3, - SEC_OID_ANSIX962_EC_PRIME239V1, - SEC_OID_ANSIX962_EC_PRIME239V2, - SEC_OID_ANSIX962_EC_PRIME239V3, - SEC_OID_ANSIX962_EC_C2PNB163V1, - SEC_OID_ANSIX962_EC_C2PNB163V2, - SEC_OID_ANSIX962_EC_C2PNB163V3, - SEC_OID_ANSIX962_EC_C2PNB176V1, - SEC_OID_ANSIX962_EC_C2TNB191V1, - SEC_OID_ANSIX962_EC_C2TNB191V2, - SEC_OID_ANSIX962_EC_C2TNB191V3, - SEC_OID_ANSIX962_EC_C2PNB208W1, - SEC_OID_ANSIX962_EC_C2TNB239V1, - SEC_OID_ANSIX962_EC_C2TNB239V2, - SEC_OID_ANSIX962_EC_C2TNB239V3, - SEC_OID_ANSIX962_EC_C2PNB272W1, - SEC_OID_ANSIX962_EC_C2PNB304W1, - SEC_OID_ANSIX962_EC_C2TNB359V1, - SEC_OID_ANSIX962_EC_C2PNB368W1, - SEC_OID_ANSIX962_EC_C2TNB431R1, - SEC_OID_SECG_EC_SECP112R1, - SEC_OID_SECG_EC_SECP112R2, - SEC_OID_SECG_EC_SECP128R1, - SEC_OID_SECG_EC_SECP128R2, - SEC_OID_SECG_EC_SECP160K1, - SEC_OID_SECG_EC_SECP160R1, - SEC_OID_SECG_EC_SECP160R2, - SEC_OID_SECG_EC_SECP192K1, - SEC_OID_SECG_EC_SECP224K1, - SEC_OID_SECG_EC_SECP256K1, 
- SEC_OID_SECG_EC_SECT113R1, - SEC_OID_SECG_EC_SECT113R2, - SEC_OID_SECG_EC_SECT131R1, - SEC_OID_SECG_EC_SECT131R2, - SEC_OID_SECG_EC_SECT163R1, - SEC_OID_SECG_EC_SECT193R1, - SEC_OID_SECG_EC_SECT193R2, - SEC_OID_SECG_EC_SECT239K1, - SEC_OID_UNKNOWN, /* ECCurve_WTLS_1 */ - SEC_OID_UNKNOWN, /* ECCurve_WTLS_8 */ - SEC_OID_UNKNOWN, /* ECCurve_WTLS_9 */ - SEC_OID_CURVE25519, - SEC_OID_UNKNOWN /* ECCurve_pastLastCurve */ -}; - typedef SECStatus (*op_func)(void *, void *, void *); typedef SECStatus (*pk11_op_func)(CK_SESSION_HANDLE, void *, void *, void *); @@ -106,6 +41,8 @@ typedef struct ThreadDataStr { int isSign; } ThreadData; +typedef SECItem SECKEYECParams; + void PKCS11Thread(void *data) { @@ -373,30 +310,6 @@ PKCS11_Verify(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hKey, return SECSuccess; } -static SECStatus -ecName2params(ECCurveName curve, SECKEYECParams *params) -{ - SECOidData *oidData = NULL; - - if ((curve < ECCurve_noName) || (curve > ECCurve_pastLastCurve) || - ((oidData = SECOID_FindOIDByTag(ecCurve_oid_map[curve])) == NULL)) { - PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); - return SECFailure; - } - - SECITEM_AllocItem(NULL, params, (2 + oidData->oid.len)); - /* - * params->data needs to contain the ASN encoding of an object ID (OID) - * representing the named curve. The actual OID is in - * oidData->oid.data so we simply prepend 0x06 and OID length - */ - params->data[0] = SEC_ASN1_OBJECT_ID; - params->data[1] = oidData->oid.len; - memcpy(params->data + 2, oidData->oid.data, oidData->oid.len); - - return SECSuccess; -} - /* Performs basic tests of elliptic curve cryptography over prime fields. * If tests fail, then it prints an error message, aborts, and returns an * error code. Otherwise, returns 0. */ 
@@ -422,7 +335,7 @@ ectest_curve_pkcs11(ECCurveName curve, int iterations, int numThreads) ecParams.data = NULL; ecParams.len = 0; - rv = ecName2params(curve, &ecParams); + rv = SECU_ecName2params(curve, &ecParams); if (rv != SECSuccess) { goto cleanup; } @@ -541,9 +454,9 @@ ectest_curve_freebl(ECCurveName curve, int iterations, int numThreads, unsigned char sigData[256]; unsigned char digestData[20]; double signRate, deriveRate = 0; - char genenc[3 + 2 * 2 * MAX_ECKEY_LEN]; SECStatus rv = SECFailure; PLArenaPool *arena; + SECItem ecEncodedParams = { siBuffer, NULL, 0 }; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!arena) { @@ -555,28 +468,11 @@ ectest_curve_freebl(ECCurveName curve, int iterations, int numThreads, return SECFailure; } - ecParams.name = curve; - ecParams.type = ec_params_named; - ecParams.curveOID.data = NULL; - ecParams.curveOID.len = 0; - ecParams.curve.seed.data = NULL; - ecParams.curve.seed.len = 0; - ecParams.DEREncoding.data = NULL; - ecParams.DEREncoding.len = 0; - - ecParams.fieldID.size = ecCurve_map[curve]->size; - ecParams.fieldID.type = fieldType; - SECU_HexString2SECItem(arena, &ecParams.fieldID.u.prime, ecCurve_map[curve]->irr); - SECU_HexString2SECItem(arena, &ecParams.curve.a, ecCurve_map[curve]->curvea); - SECU_HexString2SECItem(arena, &ecParams.curve.b, ecCurve_map[curve]->curveb); - genenc[0] = '0'; - genenc[1] = '4'; - genenc[2] = '\0'; - strcat(genenc, ecCurve_map[curve]->genx); - strcat(genenc, ecCurve_map[curve]->geny); - SECU_HexString2SECItem(arena, &ecParams.base, genenc); - SECU_HexString2SECItem(arena, &ecParams.order, ecCurve_map[curve]->order); - ecParams.cofactor = ecCurve_map[curve]->cofactor; + rv = SECU_ecName2params(curve, &ecEncodedParams); + if (rv != SECSuccess) { + goto cleanup; + } + EC_FillParams(arena, &ecEncodedParams, &ecParams); PORT_Memset(digestData, 0xa5, sizeof(digestData)); digest.data = digestData; 
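Review bot: The result of `EC_FillParams(arena, &ecEncodedParams, &ecParams);` in `ectest_curve_freebl` is discarded. If the encoded curve cannot be decoded, `ecParams` may be only partly filled and the test still proceeds to `EC_NewKey` with it. Check it like the call just above: `rv = EC_FillParams(arena, &ecEncodedParams, &ecParams);` followed by `if (rv != SECSuccess) { goto cleanup; }`. The same unchecked call is added to `ectest_ecdh_kat` in fbectest.c.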
@@ -586,7 +482,7 @@ ectest_curve_freebl(ECCurveName curve, int iterations, int numThreads, rv = EC_NewKey(&ecParams, &ecPriv); if (rv != SECSuccess) { - return SECFailure; + goto cleanup; } ecPub.ecParams = ecParams; ecPub.publicValue = ecPriv->publicValue; @@ -617,8 +513,11 @@ ectest_curve_freebl(ECCurveName curve, int iterations, int numThreads, } cleanup: + SECITEM_FreeItem(&ecEncodedParams, PR_FALSE); PORT_FreeArena(arena, PR_FALSE); - PORT_FreeArena(ecPriv->ecParams.arena, PR_FALSE); + if (ecPriv) { + PORT_FreeArena(ecPriv->ecParams.arena, PR_FALSE); + } return rv; } diff --git a/security/nss/cmd/fbectest/fbectest.c b/security/nss/cmd/fbectest/fbectest.c index 2336d3fa8..1c8f4c039 100644 --- a/security/nss/cmd/fbectest/fbectest.c +++ b/security/nss/cmd/fbectest/fbectest.c @@ -9,7 +9,6 @@ #include "basicutil.h" #include "secder.h" #include "secitem.h" -#include "secutil.h" #include "nspr.h" #include 
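Review bot: The new `if (ecPriv)` guard at `cleanup:` only protects the early exits if `ecPriv` is initialised to NULL where it is declared, and that declaration is outside this hunk. The patch adds `goto cleanup` paths that run before `EC_NewKey` has assigned it, for example after a failing `SECU_ecName2params`. If the declaration is not already `ECPrivateKey *ecPriv = NULL;`, the guard tests an indeterminate pointer and the arena free that follows is unsafe.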
@@ -89,26 +88,19 @@ ectest_ecdh_kat(ECDH_KAT *kat) SECItem answer = { siBuffer, NULL, 0 }; SECItem answer2 = { siBuffer, NULL, 0 }; SECItem derived = { siBuffer, NULL, 0 }; - char genenc[3 + 2 * 2 * MAX_ECKEY_LEN]; + SECItem ecEncodedParams = { siBuffer, NULL, 0 }; int i; - rv = init_params(&ecParams, curve, &arena, kat->fieldType); - if (rv != SECSuccess) { - return rv; + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (!arena) { + return SECFailure; } - SECU_HexString2SECItem(arena, &ecParams.fieldID.u.prime, ecCurve_map[curve]->irr); - SECU_HexString2SECItem(arena, &ecParams.curve.a, ecCurve_map[curve]->curvea); - SECU_HexString2SECItem(arena, &ecParams.curve.b, ecCurve_map[curve]->curveb); - genenc[0] = '0'; - genenc[1] = '4'; - genenc[2] = '\0'; - PORT_Assert(PR_ARRAY_SIZE(genenc) >= PORT_Strlen(ecCurve_map[curve]->genx)); - PORT_Assert(PR_ARRAY_SIZE(genenc) >= PORT_Strlen(ecCurve_map[curve]->geny)); - strcat(genenc, ecCurve_map[curve]->genx); - strcat(genenc, ecCurve_map[curve]->geny); - SECU_HexString2SECItem(arena, &ecParams.base, genenc); - SECU_HexString2SECItem(arena, &ecParams.order, ecCurve_map[curve]->order); + rv = SECU_ecName2params(curve, &ecEncodedParams); + if (rv != SECSuccess) { + goto cleanup; + } + EC_FillParams(arena, &ecEncodedParams, &ecParams); if (kat->our_pubhex) { SECU_HexString2SECItem(arena, &answer, kat->our_pubhex); @@ -162,6 +154,7 @@ ectest_ecdh_kat(ECDH_KAT *kat) } cleanup: + SECITEM_FreeItem(&ecEncodedParams, PR_FALSE); PORT_FreeArena(arena, PR_FALSE); if (ecPriv) { PORT_FreeArena(ecPriv->ecParams.arena, PR_FALSE); diff --git a/security/nss/cmd/lib/basicutil.c b/security/nss/cmd/lib/basicutil.c index dcd039391..de56fbdd9 100644 --- a/security/nss/cmd/lib/basicutil.c +++ b/security/nss/cmd/lib/basicutil.c @@ -25,7 +25,6 @@ #endif #include "secoid.h" -#include "sslt.h" extern long DER_GetInteger(const SECItem *src); 
@@ -733,97 +732,135 @@ SECU_SECItemHexStringToBinary(SECItem *srcdest) return SECSuccess; } -SSLNamedGroup -groupNameToNamedGroup(char *name) +SECItem * +SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str) { - if (PL_strlen(name) == 4) { - if (!strncmp(name, "P256", 4)) { - return ssl_grp_ec_secp256r1; - } - if (!strncmp(name, "P384", 4)) { - return ssl_grp_ec_secp384r1; - } - if (!strncmp(name, "P521", 4)) { - return ssl_grp_ec_secp521r1; - } + int i = 0; + int byteval = 0; + int tmp = PORT_Strlen(str); + + PORT_Assert(arena); + PORT_Assert(item); + + if ((tmp % 2) != 0) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } - if (PL_strlen(name) == 6) { - if (!strncmp(name, "x25519", 6)) { - return ssl_grp_ec_curve25519; - } - if (!strncmp(name, "FF2048", 6)) { - return ssl_grp_ffdhe_2048; - } - if (!strncmp(name, "FF3072", 6)) { - return ssl_grp_ffdhe_3072; - } - if (!strncmp(name, "FF4096", 6)) { - return ssl_grp_ffdhe_4096; - } - if (!strncmp(name, "FF6144", 6)) { - return ssl_grp_ffdhe_6144; + + item = SECITEM_AllocItem(arena, item, tmp / 2); + if (item == NULL) { + return NULL; + } + + while (str[i]) { + if ((str[i] >= '0') && (str[i] <= '9')) { + tmp = str[i] - '0'; + } else if ((str[i] >= 'a') && (str[i] <= 'f')) { + tmp = str[i] - 'a' + 10; + } else if ((str[i] >= 'A') && (str[i] <= 'F')) { + tmp = str[i] - 'A' + 10; + } else { + /* item is in arena and gets freed by the caller */ + return NULL; } - if (!strncmp(name, "FF8192", 6)) { - return ssl_grp_ffdhe_8192; + + byteval = byteval * 16 + tmp; + if ((i % 2) != 0) { + item->data[i / 2] = byteval; + byteval = 0; } + i++; } - return ssl_grp_none; + return item; } +/* mapping between ECCurveName enum and SECOidTags */ +static SECOidTag ecCurve_oid_map[] = { + SEC_OID_UNKNOWN, /* ECCurve_noName */ + SEC_OID_ANSIX962_EC_PRIME192V1, /* ECCurve_NIST_P192 */ + SEC_OID_SECG_EC_SECP224R1, /* ECCurve_NIST_P224 */ + SEC_OID_ANSIX962_EC_PRIME256V1, /* ECCurve_NIST_P256 */ + 
SEC_OID_SECG_EC_SECP384R1, /* ECCurve_NIST_P384 */ + SEC_OID_SECG_EC_SECP521R1, /* ECCurve_NIST_P521 */ + SEC_OID_SECG_EC_SECT163K1, /* ECCurve_NIST_K163 */ + SEC_OID_SECG_EC_SECT163R1, /* ECCurve_NIST_B163 */ + SEC_OID_SECG_EC_SECT233K1, /* ECCurve_NIST_K233 */ + SEC_OID_SECG_EC_SECT233R1, /* ECCurve_NIST_B233 */ + SEC_OID_SECG_EC_SECT283K1, /* ECCurve_NIST_K283 */ + SEC_OID_SECG_EC_SECT283R1, /* ECCurve_NIST_B283 */ + SEC_OID_SECG_EC_SECT409K1, /* ECCurve_NIST_K409 */ + SEC_OID_SECG_EC_SECT409R1, /* ECCurve_NIST_B409 */ + SEC_OID_SECG_EC_SECT571K1, /* ECCurve_NIST_K571 */ + SEC_OID_SECG_EC_SECT571R1, /* ECCurve_NIST_B571 */ + SEC_OID_ANSIX962_EC_PRIME192V2, + SEC_OID_ANSIX962_EC_PRIME192V3, + SEC_OID_ANSIX962_EC_PRIME239V1, + SEC_OID_ANSIX962_EC_PRIME239V2, + SEC_OID_ANSIX962_EC_PRIME239V3, + SEC_OID_ANSIX962_EC_C2PNB163V1, + SEC_OID_ANSIX962_EC_C2PNB163V2, + SEC_OID_ANSIX962_EC_C2PNB163V3, + SEC_OID_ANSIX962_EC_C2PNB176V1, + SEC_OID_ANSIX962_EC_C2TNB191V1, + SEC_OID_ANSIX962_EC_C2TNB191V2, + SEC_OID_ANSIX962_EC_C2TNB191V3, + SEC_OID_ANSIX962_EC_C2PNB208W1, + SEC_OID_ANSIX962_EC_C2TNB239V1, + SEC_OID_ANSIX962_EC_C2TNB239V2, + SEC_OID_ANSIX962_EC_C2TNB239V3, + SEC_OID_ANSIX962_EC_C2PNB272W1, + SEC_OID_ANSIX962_EC_C2PNB304W1, + SEC_OID_ANSIX962_EC_C2TNB359V1, + SEC_OID_ANSIX962_EC_C2PNB368W1, + SEC_OID_ANSIX962_EC_C2TNB431R1, + SEC_OID_SECG_EC_SECP112R1, + SEC_OID_SECG_EC_SECP112R2, + SEC_OID_SECG_EC_SECP128R1, + SEC_OID_SECG_EC_SECP128R2, + SEC_OID_SECG_EC_SECP160K1, + SEC_OID_SECG_EC_SECP160R1, + SEC_OID_SECG_EC_SECP160R2, + SEC_OID_SECG_EC_SECP192K1, + SEC_OID_SECG_EC_SECP224K1, + SEC_OID_SECG_EC_SECP256K1, + SEC_OID_SECG_EC_SECT113R1, + SEC_OID_SECG_EC_SECT113R2, + SEC_OID_SECG_EC_SECT131R1, + SEC_OID_SECG_EC_SECT131R2, + SEC_OID_SECG_EC_SECT163R1, + SEC_OID_SECG_EC_SECT193R1, + SEC_OID_SECG_EC_SECT193R2, + SEC_OID_SECG_EC_SECT239K1, + SEC_OID_UNKNOWN, /* ECCurve_WTLS_1 */ + SEC_OID_UNKNOWN, /* ECCurve_WTLS_8 */ + SEC_OID_UNKNOWN, /* ECCurve_WTLS_9 */ + 
SEC_OID_CURVE25519, + SEC_OID_UNKNOWN /* ECCurve_pastLastCurve */ +}; + SECStatus -parseGroupList(const char *arg, SSLNamedGroup **enabledGroups, - unsigned int *enabledGroupsCount) +SECU_ecName2params(ECCurveName curve, SECItem *params) { - SSLNamedGroup *groups; - char *str; - char *p; - unsigned int numValues = 0; - unsigned int count = 0; - - /* Count the number of groups. */ - str = PORT_Strdup(arg); - if (!str) { + SECOidData *oidData = NULL; + + if ((curve < ECCurve_noName) || (curve > ECCurve_pastLastCurve) || + ((oidData = SECOID_FindOIDByTag(ecCurve_oid_map[curve])) == NULL)) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); return SECFailure; } - p = strtok(str, ","); - while (p) { - ++numValues; - p = strtok(NULL, ","); - } - PORT_Free(str); - str = NULL; - groups = PORT_ZNewArray(SSLNamedGroup, numValues); - if (!groups) { - goto done; - } - - /* Get group names. */ - str = PORT_Strdup(arg); - if (!str) { - goto done; - } - p = strtok(str, ","); - while (p) { - SSLNamedGroup group = groupNameToNamedGroup(p); - if (group == ssl_grp_none) { - count = 0; - goto done; - } - groups[count++] = group; - p = strtok(NULL, ","); - } -done: - if (str) { - PORT_Free(str); - } - if (!count) { - PORT_Free(groups); + if (SECITEM_AllocItem(NULL, params, (2 + oidData->oid.len)) == NULL) { return SECFailure; } + /* + * params->data needs to contain the ASN encoding of an object ID (OID) + * representing the named curve. The actual OID is in + * oidData->oid.data so we simply prepend 0x06 and OID length + */ + params->data[0] = SEC_ASN1_OBJECT_ID; + params->data[1] = oidData->oid.len; + memcpy(params->data + 2, oidData->oid.data, oidData->oid.len); - *enabledGroupsCount = count; - *enabledGroups = groups; return SECSuccess; } diff --git a/security/nss/cmd/lib/basicutil.h b/security/nss/cmd/lib/basicutil.h index 345fd91a4..de8c1b01e 100644 --- a/security/nss/cmd/lib/basicutil.h +++ b/security/nss/cmd/lib/basicutil.h 
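Review bot: `SECU_ecName2params` indexes `ecCurve_oid_map[curve]` after checking only `curve > ECCurve_pastLastCurve`, so memory safety depends on the table having exactly one entry per `ECCurveName` value. Nothing enforces that now that the table lives in a different file from the enum. A compile-time check next to the table, `PR_STATIC_ASSERT(PR_ARRAY_SIZE(ecCurve_oid_map) == ECCurve_pastLastCurve + 1);`, would catch a curve added to the enum only, and the table could be `static const`. The line `params->data[1] = oidData->oid.len;` writes a single-byte DER length, which is valid only for OIDs shorter than 128 bytes, so a one-line comment stating that assumption would help. In `SECU_HexString2SECItem`, the non-hex branch returns NULL without calling `PORT_SetError`, unlike the odd-length branch.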
@@ -13,7 +13,7 @@ #include "base64.h" #include "secasn1.h" #include "secder.h" -#include "sslt.h" +#include "ecl-exp.h" #include #ifdef SECUTIL_NEW @@ -81,6 +81,14 @@ SECU_SECItemToHex(const SECItem *item, char *dst); SECStatus SECU_SECItemHexStringToBinary(SECItem *srcdest); +/* +** Read a hex string into a SecItem. +*/ +extern SECItem *SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, + const char *str); + +extern SECStatus SECU_ecName2params(ECCurveName curve, SECItem *params); + /* * * Utilities for parsing security tools command lines @@ -113,10 +121,6 @@ SECU_ParseCommandLine(int argc, char **argv, char *progName, char * SECU_GetOptionArg(const secuCommand *cmd, int optionNum); -SECStatus parseGroupList(const char *arg, SSLNamedGroup **enabledGroups, - unsigned int *enabledGroupsCount); -SSLNamedGroup groupNameToNamedGroup(char *name); - /* * * Error messaging diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c index f3c15d870..cb4752df9 100644 --- a/security/nss/cmd/lib/secutil.c +++ b/security/nss/cmd/lib/secutil.c @@ -32,7 +32,7 @@ #include "certt.h" #include "certdb.h" -/* #include "secmod.h" */ +#include "secmod.h" #include "pk11func.h" #include "secoid.h" @@ -3229,6 +3229,10 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert, SECStatus rv; SECItem data; CERTCertTrust certTrust; + PK11SlotList *slotList; + PRBool falseAttributeFound = PR_FALSE; + PRBool trueAttributeFound = PR_FALSE; + const char *moz_policy_ca_info = NULL; data.data = cert->derCert.data; data.len = cert->derCert.len; 
@@ -3238,6 +3242,35 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert, if (rv) { return (SECFailure); } + + slotList = PK11_GetAllSlotsForCert(cert, NULL); + if (slotList) { + PK11SlotListElement *se = PK11_GetFirstSafe(slotList); + for (; se; se = PK11_GetNextSafe(slotList, se, PR_FALSE)) { + CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(se->slot, cert, NULL); + if (handle != CK_INVALID_HANDLE) { + PORT_SetError(0); + if (PK11_HasAttributeSet(se->slot, handle, + CKA_NSS_MOZILLA_CA_POLICY, PR_FALSE)) { + trueAttributeFound = PR_TRUE; + } else if (!PORT_GetError()) { + falseAttributeFound = PR_TRUE; + } + } + } + PK11_FreeSlotList(slotList); + } + + if (trueAttributeFound) { + moz_policy_ca_info = "true (attribute present)"; + } else if (falseAttributeFound) { + moz_policy_ca_info = "false (attribute present)"; + } else { + moz_policy_ca_info = "false (attribute missing)"; + } + SECU_Indent(stdout, 1); + printf("Mozilla-CA-Policy: %s\n", moz_policy_ca_info); + if (trust) { SECU_PrintTrustFlags(stdout, trust, "Certificate Trust Flags", 1); 
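Review bot: Any failure while reading `CKA_NSS_MOZILLA_CA_POLICY` ends up printed as `false (attribute missing)`. When `PK11_HasAttributeSet` returns false and `PORT_GetError()` is non-zero, neither flag is set and the final `else` is taken, as it is when no slot yields a valid handle. Presumably an absent attribute is signalled through the error code, but so would a token or login error, and a tool used to inspect trust policy should not present that as a definite answer. I would record the error case separately and print something like `unknown (error reading attribute)` unless the error is the one that means the attribute is absent. A short comment explaining the `PORT_SetError(0)` / `PORT_GetError()` convention would also help, since the behaviour of `PK11_HasAttributeSet` is not visible in this hunk.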
@@ -3833,45 +3866,97 @@ SECU_ParseSSLVersionRangeString(const char *input, return SECSuccess; } -SECItem * -SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str) +SSLNamedGroup +groupNameToNamedGroup(char *name) { - int i = 0; - int byteval = 0; - int tmp = PORT_Strlen(str); + if (PL_strlen(name) == 4) { + if (!strncmp(name, "P256", 4)) { + return ssl_grp_ec_secp256r1; + } + if (!strncmp(name, "P384", 4)) { + return ssl_grp_ec_secp384r1; + } + if (!strncmp(name, "P521", 4)) { + return ssl_grp_ec_secp521r1; + } + } + if (PL_strlen(name) == 6) { + if (!strncmp(name, "x25519", 6)) { + return ssl_grp_ec_curve25519; + } + if (!strncmp(name, "FF2048", 6)) { + return ssl_grp_ffdhe_2048; + } + if (!strncmp(name, "FF3072", 6)) { + return ssl_grp_ffdhe_3072; + } + if (!strncmp(name, "FF4096", 6)) { + return ssl_grp_ffdhe_4096; + } + if (!strncmp(name, "FF6144", 6)) { + return ssl_grp_ffdhe_6144; + } + if (!strncmp(name, "FF8192", 6)) { + return ssl_grp_ffdhe_8192; + } + } - PORT_Assert(arena); - PORT_Assert(item); + return ssl_grp_none; +} - if ((tmp % 2) != 0) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } +SECStatus +parseGroupList(const char *arg, SSLNamedGroup **enabledGroups, + unsigned int *enabledGroupsCount) +{ + SSLNamedGroup *groups; + char *str; + char *p; + unsigned int numValues = 0; + unsigned int count = 0; - item = SECITEM_AllocItem(arena, item, tmp / 2); - if (item == NULL) { - return NULL; + /* Count the number of groups. 
*/ + str = PORT_Strdup(arg); + if (!str) { + return SECFailure; + } + p = strtok(str, ","); + while (p) { + ++numValues; + p = strtok(NULL, ","); + } + PORT_Free(str); + str = NULL; + groups = PORT_ZNewArray(SSLNamedGroup, numValues); + if (!groups) { + goto done; } - while (str[i]) { - if ((str[i] >= '0') && (str[i] <= '9')) { - tmp = str[i] - '0'; - } else if ((str[i] >= 'a') && (str[i] <= 'f')) { - tmp = str[i] - 'a' + 10; - } else if ((str[i] >= 'A') && (str[i] <= 'F')) { - tmp = str[i] - 'A' + 10; - } else { - /* item is in arena and gets freed by the caller */ - return NULL; + /* Get group names. */ + str = PORT_Strdup(arg); + if (!str) { + goto done; + } + p = strtok(str, ","); + while (p) { + SSLNamedGroup group = groupNameToNamedGroup(p); + if (group == ssl_grp_none) { + count = 0; + goto done; } + groups[count++] = group; + p = strtok(NULL, ","); + } - byteval = byteval * 16 + tmp; - if ((i % 2) != 0) { - item->data[i / 2] = byteval; - byteval = 0; - } - i++; +done: + if (str) { + PORT_Free(str); + } + if (!count) { + PORT_Free(groups); + return SECFailure; } - return item; + *enabledGroupsCount = count; + *enabledGroups = groups; + return SECSuccess; } diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h index 571615daa..fe07aca60 100644 --- a/security/nss/cmd/lib/secutil.h +++ b/security/nss/cmd/lib/secutil.h @@ -18,6 +18,7 @@ #include "basicutil.h" #include "sslerr.h" #include "sslt.h" +#include "blapi.h" #define SEC_CT_PRIVATE_KEY "private-key" #define SEC_CT_PUBLIC_KEY "public-key" 
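Review bot: `parseGroupList` is moved here without any comment describing its contract, which matters now that it is declared in secutil.h for several tools. From the visible code, success stores an array allocated with `PORT_ZNewArray` in `*enabledGroups`, which the caller must release with `PORT_Free`. On failure, including an unknown group name or an empty list, both outputs are left untouched and no error code is set. I would document that above the function and make the helper's parameter `const char *name`, since `groupNameToNamedGroup` only reads it. The two passes use `strtok`, which keeps static state, so the comment should also say the function is meant for single-threaded command-line parsing.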
@@ -402,11 +403,10 @@ SECStatus SECU_ParseSSLVersionRangeString(const char *input, const SSLVersionRange defaultVersionRange, SSLVersionRange *vrange); -/* -** Read a hex string into a SecItem. -*/ -extern SECItem *SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, - const char *str); + +SECStatus parseGroupList(const char *arg, SSLNamedGroup **enabledGroups, + unsigned int *enabledGroupsCount); +SSLNamedGroup groupNameToNamedGroup(char *name); /* * diff --git a/security/nss/cmd/lowhashtest/manifest.mn b/security/nss/cmd/lowhashtest/manifest.mn index f493571e5..db10daada 100644 --- a/security/nss/cmd/lowhashtest/manifest.mn +++ b/security/nss/cmd/lowhashtest/manifest.mn @@ -22,3 +22,4 @@ CSRCS = \ lowhashtest.c \ $(NULL) +USE_STATIC_LIBS = 1 diff --git a/security/nss/cmd/modutil/pk11.c b/security/nss/cmd/modutil/pk11.c index 9c460ecd8..834469af1 100644 --- a/security/nss/cmd/modutil/pk11.c +++ b/security/nss/cmd/modutil/pk11.c @@ -397,6 +397,7 @@ static void printModule(SECMODModule *module, int *count) { int slotCount = module->loaded ? module->slotCount : 0; + char *modUri; int i; if ((*count)++) { @@ -408,6 +409,11 @@ printModule(SECMODModule *module, int *count) PR_fprintf(PR_STDOUT, "\tlibrary name: %s\n", module->dllName); } + modUri = PK11_GetModuleURI(module); + if (modUri) { + PR_fprintf(PR_STDOUT, "\t uri: %s\n", modUri); + PORT_Free(modUri); + } if (slotCount == 0) { PR_fprintf(PR_STDOUT, "\t slots: There are no slots attached to this module\n"); @@ -425,10 +431,12 @@ printModule(SECMODModule *module, int *count) /* Print slot and token names */ for (i = 0; i < slotCount; i++) { PK11SlotInfo *slot = module->slots[i]; - + char *tokenUri = PK11_GetTokenURI(slot); PR_fprintf(PR_STDOUT, "\n"); PR_fprintf(PR_STDOUT, "\t slot: %s\n", PK11_GetSlotName(slot)); PR_fprintf(PR_STDOUT, "\ttoken: %s\n", PK11_GetTokenName(slot)); + PR_fprintf(PR_STDOUT, "\t uri: %s\n", tokenUri); + PORT_Free(tokenUri); } return; } 
@@ -494,7 +502,7 @@ static char *disableReasonStr[] = { "could not verify token", "token not present" }; -static int numDisableReasonStr = +static size_t numDisableReasonStr = sizeof(disableReasonStr) / sizeof(disableReasonStr[0]); /*********************************************************************** @@ -513,7 +521,7 @@ ListModule(char *moduleName) CK_SLOT_INFO slotinfo; CK_TOKEN_INFO tokeninfo; char *ciphers, *mechanisms; - PK11DisableReasons reason; + size_t reasonIdx; Error rv = SUCCESS; if (!moduleName) { @@ -604,10 +612,10 @@ ListModule(char *moduleName) PR_fprintf(PR_STDOUT, PAD "Firmware Version: %d.%d\n", slotinfo.firmwareVersion.major, slotinfo.firmwareVersion.minor); if (PK11_IsDisabled(slot)) { - reason = PK11_GetDisabledReason(slot); - if (reason < numDisableReasonStr) { + reasonIdx = PK11_GetDisabledReason(slot); + if (reasonIdx < numDisableReasonStr) { PR_fprintf(PR_STDOUT, PAD "Status: DISABLED (%s)\n", - disableReasonStr[reason]); + disableReasonStr[reasonIdx]); } else { PR_fprintf(PR_STDOUT, PAD "Status: DISABLED\n"); } diff --git a/security/nss/cmd/mpitests/mpitests.gyp b/security/nss/cmd/mpitests/mpitests.gyp index 270b63ab8..346d23131 100644 --- a/security/nss/cmd/mpitests/mpitests.gyp +++ b/security/nss/cmd/mpitests/mpitests.gyp @@ -14,7 +14,16 @@ 'mpi-test.c', ], 'dependencies': [ - '<(DEPTH)/lib/freebl/freebl.gyp:<(freebl_name)', + '<(DEPTH)/exports.gyp:nss_exports', + '<(DEPTH)/lib/util/util.gyp:nssutil3', + '<(DEPTH)/lib/nss/nss.gyp:nss_static', + '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static', + '<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi', + '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi', + '<(DEPTH)/lib/certdb/certdb.gyp:certdb', + '<(DEPTH)/lib/base/base.gyp:nssb', + '<(DEPTH)/lib/dev/dev.gyp:nssdev', + '<(DEPTH)/lib/pki/pki.gyp:nsspki', ] } ], 
@@ -22,7 +31,18 @@ 'include_dirs': [ '<(DEPTH)/lib/freebl/mpi', '<(DEPTH)/lib/util', - ] + ], + # This uses test builds and has to set defines for MPI. + 'conditions': [ + [ 'target_arch=="ia32"', { + 'defines': [ + 'MP_USE_UINT_DIGIT', + 'MP_ASSEMBLY_MULTIPLY', + 'MP_ASSEMBLY_SQUARE', + 'MP_ASSEMBLY_DIV_2DX1D', + ], + }], + ], }, 'variables': { 'module': 'nss' diff --git a/security/nss/cmd/pk12util/pk12util.c b/security/nss/cmd/pk12util/pk12util.c index cca27cbf6..0ac1ba00e 100644 --- a/security/nss/cmd/pk12util/pk12util.c +++ b/security/nss/cmd/pk12util/pk12util.c @@ -615,11 +615,7 @@ P12U_ExportPKCS12Object(char *nn, char *outfile, PK11SlotInfo *inSlot, } if (certlist) { - CERTCertificate *cert = NULL; - node = CERT_LIST_HEAD(certlist); - if (node) { - cert = node->cert; - } + CERTCertificate *cert = CERT_LIST_HEAD(certlist)->cert; if (cert) { slot = cert->slot; /* use the slot from the first matching certificate to create the context . This is for keygen */ @@ -861,6 +857,9 @@ p12u_EnableAllCiphers() SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1); SEC_PKCS12EnableCipher(PKCS12_DES_56, 1); SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1); + SEC_PKCS12EnableCipher(PKCS12_AES_CBC_128, 1); + SEC_PKCS12EnableCipher(PKCS12_AES_CBC_192, 1); + SEC_PKCS12EnableCipher(PKCS12_AES_CBC_256, 1); SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1); } @@ -1059,7 +1058,7 @@ main(int argc, char **argv) certCipher = PKCS12U_MapCipherFromString(cipherString, certKeyLen); /* If the user requested a cipher and we didn't find it, then * don't just silently not encrypt. */ - if (cipher == SEC_OID_UNKNOWN) { + if (certCipher == SEC_OID_UNKNOWN) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); SECU_PrintError(progName, "Algorithm: \"%s\"", cipherString); pk12uErrno = PK12UERR_INVALIDALGORITHM; diff --git a/security/nss/cmd/platlibs.gypi b/security/nss/cmd/platlibs.gypi index 5c3cc34e2..9963bdd33 100644 --- a/security/nss/cmd/platlibs.gypi +++ b/security/nss/cmd/platlibs.gypi 
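Review bot: `CERT_LIST_HEAD(certlist)->cert` in `P12U_ExportPKCS12Object` is now dereferenced with no emptiness test, and the following `if (cert)` does not cover that case. For an empty list `CERT_LIST_HEAD` yields the list's own sentinel rather than NULL, so `->cert` would not be a real certificate pointer. Whether `certlist` can be empty at this point is decided outside the hunk, so this needs confirming. A defensive form is `CERTCertListNode *head = CERT_LIST_HEAD(certlist);` followed by `CERTCertificate *cert = CERT_LIST_END(head, certlist) ? NULL : head->cert;`.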
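Review bot: `p12u_EnableAllCiphers` now enables the three AES-CBC ciphers, but the unchanged line `SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);` still makes 3DES the preferred cipher. If that is deliberate for interoperability, a comment such as `/* AES is accepted on import; 3DES stays preferred for compatibility */` would stop readers assuming AES became the default. If it is not deliberate, the preference should be reviewed together with this change.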
@@ -32,9 +32,8 @@ '<(DEPTH)/lib/dev/dev.gyp:nssdev', '<(DEPTH)/lib/base/base.gyp:nssb', '<(DEPTH)/lib/freebl/freebl.gyp:freebl', - '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap', - '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi', '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3', + '<(DEPTH)/lib/libpkix/libpkix.gyp:libpkix', ], 'conditions': [ [ 'disable_dbm==0', { @@ -43,21 +42,6 @@ '<(DEPTH)/lib/softoken/legacydb/legacydb.gyp:nssdbm', ], }], - [ 'disable_libpkix==0', { - 'dependencies': [ - '<(DEPTH)/lib/libpkix/pkix/certsel/certsel.gyp:pkixcertsel', - '<(DEPTH)/lib/libpkix/pkix/checker/checker.gyp:pkixchecker', - '<(DEPTH)/lib/libpkix/pkix/params/params.gyp:pkixparams', - '<(DEPTH)/lib/libpkix/pkix/results/results.gyp:pkixresults', - '<(DEPTH)/lib/libpkix/pkix/top/top.gyp:pkixtop', - '<(DEPTH)/lib/libpkix/pkix/util/util.gyp:pkixutil', - '<(DEPTH)/lib/libpkix/pkix/crlsel/crlsel.gyp:pkixcrlsel', - '<(DEPTH)/lib/libpkix/pkix/store/store.gyp:pkixstore', - '<(DEPTH)/lib/libpkix/pkix_pl_nss/pki/pki.gyp:pkixpki', - '<(DEPTH)/lib/libpkix/pkix_pl_nss/system/system.gyp:pkixsystem', - '<(DEPTH)/lib/libpkix/pkix_pl_nss/module/module.gyp:pkixmodule' - ], - }], ]},{ # !use_static_libs 'conditions': [ ['moz_fold_libs==0', { diff --git a/security/nss/cmd/platlibs.mk b/security/nss/cmd/platlibs.mk index 032eed07b..a59d03d06 100644 --- a/security/nss/cmd/platlibs.mk +++ b/security/nss/cmd/platlibs.mk @@ -32,6 +32,12 @@ else DBMLIB = $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) endif +ifeq ($(NSS_BUILD_UTIL_ONLY),1) +SECTOOL_LIB = $(NULL) +else +SECTOOL_LIB = $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) +endif + ifdef USE_STATIC_LIBS DEFINES += -DNSS_USE_STATIC_LIBS @@ -70,20 +76,10 @@ endif endif NSS_LIBS_1= -SECTOOL_LIB= NSS_LIBS_2= NSS_LIBS_3= NSS_LIBS_4= -ifneq ($(NSS_BUILD_UTIL_ONLY),1) -SECTOOL_LIB = \ - $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \ - $(NULL) -else -SECTOOL_LIB = \ - $(NULL) -endif - ifneq ($(NSS_BUILD_SOFTOKEN_ONLY),1) ifeq ($(OS_ARCH), WINNT) # breakdown for windows 
@@ -121,9 +117,6 @@ NSS_LIBS_1 = \ $(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \ $(NULL) -SECTOOL_LIB = \ - $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \ - $(NULL) NSS_LIBS_2 = \ $(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \ @@ -201,7 +194,7 @@ ifeq ($(OS_ARCH), WINNT) # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS) EXTRA_LIBS += \ - $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \ + $(SECTOOL_LIB) \ $(NSSUTIL_LIB_DIR)/$(IMPORT_LIB_PREFIX)nssutil3$(IMPORT_LIB_SUFFIX) \ $(DIST)/lib/$(IMPORT_LIB_PREFIX)smime3$(IMPORT_LIB_SUFFIX) \ $(DIST)/lib/$(IMPORT_LIB_PREFIX)ssl3$(IMPORT_LIB_SUFFIX) \ @@ -220,7 +213,7 @@ else # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS) EXTRA_LIBS += \ - $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \ + $(SECTOOL_LIB) \ $(NULL) ifeq ($(OS_ARCH), AIX) @@ -231,9 +224,6 @@ endif # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX. EXTRA_SHARED_LIBS += \ -L$(DIST)/lib \ - -lssl3 \ - -lsmime3 \ - -lnss3 \ -L$(NSSUTIL_LIB_DIR) \ -lnssutil3 \ -L$(NSPR_LIB_DIR) \ @@ -241,6 +231,14 @@ EXTRA_SHARED_LIBS += \ -lplds4 \ -lnspr4 \ $(NULL) +ifndef NSS_BUILD_UTIL_ONLY +ifndef NSS_BUILD_SOFTOKEN_ONLY +EXTRA_SHARED_LIBS += \ + -lssl3 \ + -lsmime3 \ + -lnss3 +endif +endif endif ifdef SOFTOKEN_LIB_DIR diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c index f34af7d74..65b1ee304 100644 --- a/security/nss/cmd/selfserv/selfserv.c +++ b/security/nss/cmd/selfserv/selfserv.c @@ -159,7 +159,7 @@ static void PrintUsageHeader(const char *progName) { fprintf(stderr, - "Usage: %s -n rsa_nickname -p port [-BDENRbjlmrsuvx] [-w password]\n" + "Usage: %s -n rsa_nickname -p port [-BDENRZbjlmrsuvx] [-w password]\n" " [-t threads] [-i pid_file] [-c ciphers] [-Y] [-d dbdir] [-g numblocks]\n" " [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n" " [-V [min-version]:[max-version]] [-a sni_name]\n" 
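Review bot: The new guard around `-lssl3 -lsmime3 -lnss3` uses `ifndef NSS_BUILD_UTIL_ONLY` and `ifndef NSS_BUILD_SOFTOKEN_ONLY`, while the SECTOOL_LIB block this commit adds near the top of the same file tests `ifeq ($(NSS_BUILD_UTIL_ONLY),1)`. The two forms disagree when the variable is set to something other than 1: with `NSS_BUILD_UTIL_ONLY=0`, SECTOOL_LIB is populated as for a full build but these three libraries are left out. Using `ifneq ($(NSS_BUILD_UTIL_ONLY),1)` and `ifneq ($(NSS_BUILD_SOFTOKEN_ONLY),1)`, as the surrounding context lines already do, would keep the file consistent. The added list also ends at `-lnss3` without the `$(NULL)` terminator that every other list in these hunks uses.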
@@ -169,7 +169,8 @@ PrintUsageHeader(const char *progName) " [-e ec_nickname]" #endif /* NSS_DISABLE_ECC */ "\n" - " -U [0|1] -H [0|1|2] -W [0|1]\n", + " -U [0|1] -H [0|1|2] -W [0|1]\n" + "\n", progName); } @@ -219,7 +220,7 @@ PrintParameterUsage() "-A Nickname of a CA used to sign a stapled cert status\n" "-U override default ECDHE ephemeral key reuse, 0: refresh, 1: reuse\n" "-H override default DHE server support, 0: disable, 1: enable, " - " 2: require DH named groups\n" + " 2: require DH named groups [RFC7919]\n" "-W override default DHE server weak parameters support, 0: disable, 1: enable\n" "-c Restrict ciphers\n" "-Y prints cipher values allowed for parameter -c and exits\n" @@ -227,7 +228,8 @@ PrintParameterUsage() "-Q enables ALPN for HTTP/1.1 [RFC7301]\n" "-I comma separated list of enabled groups for TLS key exchange.\n" " The following values are valid:\n" - " P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n", + " P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n" + "-Z enable 0-RTT (for TLS 1.3; also use -u)\n", stderr); } @@ -2305,7 +2307,9 @@ main(int argc, char **argv) if (SECU_ParseSSLVersionRangeString(optstate->value, enabledVersions, &enabledVersions) != SECSuccess) { + fprintf(stderr, "Bad version specified.\n"); Usage(progName); + exit(1); } break; diff --git a/security/nss/cmd/smimetools/cmsutil.c b/security/nss/cmd/smimetools/cmsutil.c index f3587d016..10e743c6b 100644 --- a/security/nss/cmd/smimetools/cmsutil.c +++ b/security/nss/cmd/smimetools/cmsutil.c @@ -84,7 +84,7 @@ Usage(char *progName) " where id can be a certificate nickname or email address\n" " -S create a CMS signed data message\n" " -G include a signing time attribute\n" - " -H hash use hash (default:SHA1)\n" + " -H hash use hash (default:SHA256)\n" " -N nick use certificate named \"nick\" for signing\n" " -P include a SMIMECapabilities attribute\n" " -T do not include content in CMS message\n" 
@@ -1097,7 +1097,7 @@ main(int argc, char **argv) signOptions.signingTime = PR_FALSE; signOptions.smimeProfile = PR_FALSE; signOptions.encryptionKeyPreferenceNick = NULL; - signOptions.hashAlgTag = SEC_OID_SHA1; + signOptions.hashAlgTag = SEC_OID_SHA256; envelopeOptions.recipients = NULL; encryptOptions.recipients = NULL; encryptOptions.envmsg = NULL; diff --git a/security/nss/cmd/smimetools/smime b/security/nss/cmd/smimetools/smime index 634c3fbb4..e67f6bedc 100755 --- a/security/nss/cmd/smimetools/smime +++ b/security/nss/cmd/smimetools/smime @@ -199,8 +199,8 @@ sub signentity($$) # construct a new multipart/signed MIME entity consisting of the original content and # the signature # - # (we assume that cmsutil generates a SHA1 digest) - $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha1; boundary=\"${boundary}\"\n"; + # (we assume that cmsutil generates a SHA256 digest) + $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha256; boundary=\"${boundary}\"\n"; $out .= "\n"; # end of entity header $out .= "This is a cryptographically signed message in MIME format.\n"; # explanatory comment $out .= "\n--${boundary}\n"; diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c index 209dcca96..f65e31913 100644 --- a/security/nss/cmd/strsclnt/strsclnt.c +++ b/security/nss/cmd/strsclnt/strsclnt.c @@ -1350,6 +1350,7 @@ main(int argc, char **argv) if (SECU_ParseSSLVersionRangeString(optstate->value, enabledVersions, &enabledVersions) != SECSuccess) { + fprintf(stderr, "Bad version specified.\n"); Usage(progName); } break; diff --git a/security/nss/cmd/symkeyutil/symkeyutil.c b/security/nss/cmd/symkeyutil/symkeyutil.c index 6170cc3c5..444456808 100644 --- a/security/nss/cmd/symkeyutil/symkeyutil.c +++ b/security/nss/cmd/symkeyutil/symkeyutil.c 
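Review bot: In signentity the header now carries `micalg=sha256`, but RFC 5751 spells the value `sha-256`; the unhyphenated form was only ever a historical spelling for SHA-1 (`sha1`). A strict receiver may not map `sha256` to the digest that was used, so I would write `micalg=sha-256` here. The value is also hard-coded on the assumption stated in the comment, so it will be wrong whenever the cmsutil that is invoked defaults to a different hash; passing the hash explicitly to cmsutil would remove that coupling, though the invocation is outside this hunk.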
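Review bot: This strsclnt.c hunk adds the `Bad version specified.` message but, unlike the matching selfserv.c hunk, no `exit(1);` after `Usage(progName);`, and the tstclnt.c hunk at the end of the patch does the same. Unless Usage() in these two tools exits on its own, which is not visible here, a mistyped -V would be reported and the client would then run with whatever version range was already set. For a TLS test client that means a run can pass while exercising a different protocol version than the one requested. If Usage() does exit, a short comment to that effect would explain why the three hunks differ.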
@@ -233,6 +233,9 @@ BufToHex(SECItem *outbuf) unsigned int i; string = PORT_Alloc(len); + if (!string) { + return NULL; + } ptr = string; for (i = 0; i < outbuf->len; i++) { diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c index eb114e935..959afec59 100644 --- a/security/nss/cmd/tstclnt/tstclnt.c +++ b/security/nss/cmd/tstclnt/tstclnt.c @@ -169,20 +169,6 @@ printSecurityInfo(PRFileDesc *fd) } } -void -handshakeCallback(PRFileDesc *fd, void *client_data) -{ - const char *secondHandshakeName = (char *)client_data; - if (secondHandshakeName) { - SSL_SetURL(fd, secondHandshakeName); - } - printSecurityInfo(fd); - if (renegotiationsDone < renegotiationsToDo) { - SSL_ReHandshake(fd, (renegotiationsToDo < 2)); - ++renegotiationsDone; - } -} - static void PrintUsageHeader(const char *progName) { @@ -192,7 +178,8 @@ PrintUsageHeader(const char *progName) "[-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z]\n" "[-V [min-version]:[max-version]] [-K] [-T] [-U]\n" "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]] [-I groups]\n" - "[-A requestfile] [-L totalconnections]", + "[-A requestfile] [-L totalconnections]\n" + "\n", progName); } @@ -256,9 +243,7 @@ PrintParameterUsage(void) fprintf(stderr, "%-20s Enforce using an IPv6 destination address\n", "-6"); fprintf(stderr, "%-20s (Options -4 and -6 cannot be combined.)\n", ""); fprintf(stderr, "%-20s Enable the extended master secret extension [RFC7627]\n", "-G"); - fprintf(stderr, "%-20s Require the use of FFDHE supported groups " - "[I-D.ietf-tls-negotiated-ff-dhe]\n", - "-H"); + fprintf(stderr, "%-20s Require the use of FFDHE supported groups [RFC7919]\n", "-H"); fprintf(stderr, "%-20s Read from a file instead of stdin\n", "-A"); fprintf(stderr, "%-20s Allow 0-RTT data (TLS 1.3 only)\n", "-Z"); fprintf(stderr, "%-20s Disconnect and reconnect up to N times total\n", "-L"); 
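Review bot: BufToHex can now return NULL, and nothing in this hunk shows its callers being updated to expect that. A caller that passes the result straight to a print or string routine would turn the allocation failure into a NULL dereference one step later, so each call site needs a check along the lines of `if (!hex) { /* report and bail out */ }`. The function's header comment, if it has one, should also state that NULL is returned on allocation failure and who frees the buffer. The computation of `len` and the end of the function are outside the hunk.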
@@ -889,6 +874,10 @@ restartHandshakeAfterServerCertIfNeeded(PRFileDesc *fd, if (SSL_AuthCertificateComplete(fd, error) != SECSuccess) { rv = SECFailure; + } else { + /* restore the original error code, which could be reset by + * SSL_AuthCertificateComplete */ + PORT_SetError(error); } return rv; @@ -923,13 +912,19 @@ PRUint16 portno = 443; int override = 0; char *requestString = NULL; PRInt32 requestStringLen = 0; +PRBool requestSent = PR_FALSE; PRBool enableZeroRtt = PR_FALSE; static int -writeBytesToServer(PRFileDesc *s, PRPollDesc *pollset, const char *buf, int nb) +writeBytesToServer(PRFileDesc *s, const char *buf, int nb) { SECStatus rv; const char *bufp = buf; + PRPollDesc pollDesc; + + pollDesc.in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT; + pollDesc.out_flags = 0; + pollDesc.fd = s; FPRINTF(stderr, "%s: Writing %d bytes to server\n", progName, nb); @@ -956,12 +951,12 @@ writeBytesToServer(PRFileDesc *s, PRPollDesc *pollset, const char *buf, int nb) return EXIT_CODE_HANDSHAKE_FAILED; } - pollset[SSOCK_FD].in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT; - pollset[SSOCK_FD].out_flags = 0; + pollDesc.in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT; + pollDesc.out_flags = 0; FPRINTF(stderr, "%s: about to call PR_Poll on writable socket !\n", progName); - cc = PR_Poll(pollset, 1, PR_INTERVAL_NO_TIMEOUT); + cc = PR_Poll(&pollDesc, 1, PR_INTERVAL_NO_TIMEOUT); if (cc < 0) { SECU_PrintError(progName, "PR_Poll failed"); 
@@ -975,6 +970,36 @@ writeBytesToServer(PRFileDesc *s, PRPollDesc *pollset, const char *buf, int nb) return 0; } +void +handshakeCallback(PRFileDesc *fd, void *client_data) +{ + const char *secondHandshakeName = (char *)client_data; + if (secondHandshakeName) { + SSL_SetURL(fd, secondHandshakeName); + } + printSecurityInfo(fd); + if (renegotiationsDone < renegotiationsToDo) { + SSL_ReHandshake(fd, (renegotiationsToDo < 2)); + ++renegotiationsDone; + } + if (requestString && requestSent) { + /* This data was sent in 0-RTT. */ + SSLChannelInfo info; + SECStatus rv; + + rv = SSL_GetChannelInfo(fd, &info, sizeof(info)); + if (rv != SECSuccess) + return; + + if (!info.earlyDataAccepted) { + FPRINTF(stderr, "Early data rejected. Re-sending\n"); + writeBytesToServer(fd, requestString, requestStringLen); + } + } +} + +#define REQUEST_WAITING (requestString && !requestSent) + static int run_client(void) { @@ -988,7 +1013,8 @@ run_client(void) PRFileDesc *std_out; PRPollDesc pollset[2]; PRBool wrStarted = PR_FALSE; - char *requestStringInt = requestString; + + requestSent = PR_FALSE; /* Create socket */ s = PR_OpenTCPSocket(addr.raw.family); @@ -1245,7 +1271,7 @@ run_client(void) pollset[SSOCK_FD].in_flags = PR_POLL_EXCEPT | (clientSpeaksFirst ? 0 : PR_POLL_READ); pollset[STDIN_FD].fd = PR_GetSpecialFD(PR_StandardInput); - if (!requestStringInt) { + if (!REQUEST_WAITING) { pollset[STDIN_FD].in_flags = PR_POLL_READ; npds = 2; } else { @@ -1295,7 +1321,7 @@ run_client(void) */ FPRINTF(stderr, "%s: ready...\n", progName); while ((pollset[SSOCK_FD].in_flags | pollset[STDIN_FD].in_flags) || - requestStringInt) { + REQUEST_WAITING) { char buf[4000]; /* buffer for stdin */ int nb; /* num bytes read from stdin. */ 
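Review bot: The re-send in handshakeCallback drops the return value of `writeBytesToServer(fd, requestString, requestStringLen)`, so if the retransmission after a rejected 0-RTT attempt fails, run_client carries on as though the request had been delivered. The callback returns void, so the failure has to be made visible some other way, at minimum `if (writeBytesToServer(fd, requestString, requestStringLen) != 0) { SECU_PrintError(progName, "re-sending early data failed"); }`. The early `return` when SSL_GetChannelInfo fails is silent in the same way. writeBytesToServer also polls with PR_INTERVAL_NO_TIMEOUT, which now happens inside the handshake callback and can block there indefinitely.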
@@ -1333,13 +1359,12 @@ run_client(void) "%s: PR_Poll returned 0x%02x for socket out_flags.\n", progName, pollset[SSOCK_FD].out_flags); } - if (requestStringInt) { - error = writeBytesToServer(s, pollset, - requestStringInt, requestStringLen); + if (REQUEST_WAITING) { + error = writeBytesToServer(s, requestString, requestStringLen); if (error) { goto done; } - requestStringInt = NULL; + requestSent = PR_TRUE; pollset[SSOCK_FD].in_flags = PR_POLL_READ; } if (pollset[STDIN_FD].out_flags & PR_POLL_READ) { @@ -1356,7 +1381,7 @@ run_client(void) /* EOF on stdin, stop polling stdin for read. */ pollset[STDIN_FD].in_flags = 0; } else { - error = writeBytesToServer(s, pollset, buf, nb); + error = writeBytesToServer(s, buf, nb); if (error) { goto done; } @@ -1487,7 +1512,7 @@ main(int argc, char **argv) /* XXX: 'B' was used in the past but removed in 3.28, * please leave some time before resuing it. */ optstate = PL_CreateOptState(argc, argv, - "46A:CDFGHI:KL:M:OR:STUV:WYZa:bc:d:fgh:m:n:op:qr:st:uvw:z"); + "46A:CDFGHI:KL:M:OR:STUV:W:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z"); while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch (optstate->option) { case '?': @@ -1588,6 +1613,7 @@ main(int argc, char **argv) if (SECU_ParseSSLVersionRangeString(optstate->value, enabledVersions, &enabledVersions) != SECSuccess) { + fprintf(stderr, "Bad version specified.\n"); Usage(progName); } break; -- cgit v1.2.3
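Review bot: In run_client, `requestSent = PR_TRUE;` is set only after writeBytesToServer has returned, and handshakeCallback treats `requestString && requestSent` as proof that the request went out as 0-RTT data. That ordering looks deliberate: a handshake that completes during the first write would see `requestSent` still false and skip the re-send. It is easy to break by moving the assignment, though, so a comment on the assignment such as `/* must stay after the write: handshakeCallback uses this to detect early data */` would help. The callback's test does not consult `enableZeroRtt`, so the flag ordering is the only guard against a duplicate request on an ordinary handshake. run_client starts and ends outside these hunks.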