From 74cabf7948b2597f5b6a67d6910c844fd1a88ff6 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Sat, 15 Dec 2018 01:42:53 +0100 Subject: Update NSS to 3.41 --- security/nss/lib/util/nssutil.def | 6 +++ security/nss/lib/util/nssutil.h | 4 +- security/nss/lib/util/pkcs11p.h | 5 ++- security/nss/lib/util/pkcs11u.h | 5 ++- security/nss/lib/util/pkcs11uri.c | 2 +- security/nss/lib/util/pkcs1sig.c | 67 +++++++++++++----------------- security/nss/lib/util/secder.h | 3 ++ security/nss/lib/util/secitem.c | 4 +- security/nss/lib/util/secitem.h | 2 +- security/nss/lib/util/secoid.c | 26 +++++++++++- security/nss/lib/util/secoidt.h | 5 +++ security/nss/lib/util/secport.c | 3 -- security/nss/lib/util/utilpars.c | 86 +++++++++++++++++++++++++++++++++++++++ security/nss/lib/util/utilpars.h | 1 + 14 files changed, 168 insertions(+), 51 deletions(-) (limited to 'security/nss/lib/util') diff --git a/security/nss/lib/util/nssutil.def b/security/nss/lib/util/nssutil.def index 26e438ba6..8c233f7d3 100644 --- a/security/nss/lib/util/nssutil.def +++ b/security/nss/lib/util/nssutil.def @@ -328,3 +328,9 @@ SECITEM_MakeItem; ;+ local: ;+ *; ;+}; +;+NSSUTIL_3.39 { # NSS Utilities 3.39 release +;+ global: +NSSUTIL_AddNSSFlagToModuleSpec; +;+ local: +;+ *; +;+}; diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h index 2749abaa1..62511eafe 100644 --- a/security/nss/lib/util/nssutil.h +++ b/security/nss/lib/util/nssutil.h @@ -19,9 +19,9 @@ * The format of the version string should be * ".[.[.]][ ]" */ -#define NSSUTIL_VERSION "3.38" +#define NSSUTIL_VERSION "3.41" #define NSSUTIL_VMAJOR 3 -#define NSSUTIL_VMINOR 38 +#define NSSUTIL_VMINOR 41 #define NSSUTIL_VPATCH 0 #define NSSUTIL_VBUILD 0 #define NSSUTIL_BETA PR_FALSE diff --git a/security/nss/lib/util/pkcs11p.h b/security/nss/lib/util/pkcs11p.h index 2e904ee50..1c9201350 100644 --- a/security/nss/lib/util/pkcs11p.h +++ b/security/nss/lib/util/pkcs11p.h @@ -13,7 +13,10 @@ * though it's still needed. put in a central file to help merging.. */ -#if defined(_WIN32) +#if defined(_WIN32) || defined(_WINDOWS) +#ifdef __clang__ +#pragma clang diagnostic ignored "-Wpragma-pack" +#endif #ifdef _MSC_VER #pragma warning(disable : 4103) #endif diff --git a/security/nss/lib/util/pkcs11u.h b/security/nss/lib/util/pkcs11u.h index be949bcd4..64ec2fdb5 100644 --- a/security/nss/lib/util/pkcs11u.h +++ b/security/nss/lib/util/pkcs11u.h @@ -11,7 +11,10 @@ * reset any packing set by pkcs11p.h */ -#if defined(_WIN32) +#if defined(_WIN32) || defined(_WINDOWS) +#ifdef __clang__ +#pragma clang diagnostic ignored "-Wpragma-pack" +#endif #ifdef _MSC_VER #pragma warning(disable : 4103) #endif diff --git a/security/nss/lib/util/pkcs11uri.c b/security/nss/lib/util/pkcs11uri.c index 94b00171e..c29521080 100644 --- a/security/nss/lib/util/pkcs11uri.c +++ b/security/nss/lib/util/pkcs11uri.c @@ -674,7 +674,7 @@ PK11URI_ParseURI(const char *string) const char *p = string; SECStatus ret; - if (strncmp("pkcs11:", p, 7) != 0) { + if (PORT_Strncasecmp("pkcs11:", p, 7) != 0) { return NULL; } p += 7; diff --git a/security/nss/lib/util/pkcs1sig.c b/security/nss/lib/util/pkcs1sig.c index 502119aa5..68588c7f8 100644 --- a/security/nss/lib/util/pkcs1sig.c +++ b/security/nss/lib/util/pkcs1sig.c @@ -15,13 +15,6 @@ struct pkcs1PrefixStr { PRUint8 *data; }; -typedef struct pkcs1PrefixesStr pkcs1Prefixes; -struct pkcs1PrefixesStr { - unsigned int digestLen; - pkcs1Prefix prefixWithParams; - pkcs1Prefix prefixWithoutParams; -}; - /* The value for SGN_PKCS1_DIGESTINFO_MAX_PREFIX_LEN_EXCLUDING_OID is based on * the possible prefix encodings as explained below. */ @@ -101,9 +94,8 @@ _SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg, PRBool unsafeAllowMissingParameters) { SECOidData *hashOid; - pkcs1Prefixes pp; - const pkcs1Prefix *expectedPrefix; - SECStatus rv, rv2, rv3; + pkcs1Prefix prefix; + SECStatus rv; if (!digest || !digest->data || !dataRecoveredFromSignature || !dataRecoveredFromSignature->data) { @@ -117,17 +109,9 @@ _SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg, return SECFailure; } - pp.digestLen = digest->len; - pp.prefixWithParams.data = NULL; - pp.prefixWithoutParams.data = NULL; + prefix.data = NULL; - rv2 = encodePrefix(hashOid, pp.digestLen, &pp.prefixWithParams, PR_TRUE); - rv3 = encodePrefix(hashOid, pp.digestLen, &pp.prefixWithoutParams, PR_FALSE); - - rv = SECSuccess; - if (rv2 != SECSuccess || rv3 != SECSuccess) { - rv = SECFailure; - } + rv = encodePrefix(hashOid, digest->len, &prefix, PR_TRUE); if (rv == SECSuccess) { /* We don't attempt to avoid timing attacks on these comparisons because @@ -135,34 +119,39 @@ _SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg, * operation. */ - if (dataRecoveredFromSignature->len == - pp.prefixWithParams.len + pp.digestLen) { - expectedPrefix = &pp.prefixWithParams; - } else if (unsafeAllowMissingParameters && - dataRecoveredFromSignature->len == - pp.prefixWithoutParams.len + pp.digestLen) { - expectedPrefix = &pp.prefixWithoutParams; - } else { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - rv = SECFailure; + if (dataRecoveredFromSignature->len != prefix.len + digest->len) { + PRBool lengthMismatch = PR_TRUE; +#ifdef NSS_PKCS1_AllowMissingParameters + if (unsafeAllowMissingParameters) { + if (prefix.data) { + PORT_Free(prefix.data); + prefix.data = NULL; + } + rv = encodePrefix(hashOid, digest->len, &prefix, PR_FALSE); + if (rv != SECSuccess || + dataRecoveredFromSignature->len == prefix.len + digest->len) { + lengthMismatch = PR_FALSE; + } + } +#endif + if (lengthMismatch) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + rv = SECFailure; + } } } if (rv == SECSuccess) { - if (memcmp(dataRecoveredFromSignature->data, expectedPrefix->data, - expectedPrefix->len) || - memcmp(dataRecoveredFromSignature->data + expectedPrefix->len, - digest->data, digest->len)) { + if (memcmp(dataRecoveredFromSignature->data, prefix.data, prefix.len) || + memcmp(dataRecoveredFromSignature->data + prefix.len, digest->data, + digest->len)) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); rv = SECFailure; } } - if (pp.prefixWithParams.data) { - PORT_Free(pp.prefixWithParams.data); - } - if (pp.prefixWithoutParams.data) { - PORT_Free(pp.prefixWithoutParams.data); + if (prefix.data) { + PORT_Free(prefix.data); } return rv; diff --git a/security/nss/lib/util/secder.h b/security/nss/lib/util/secder.h index dbc35807d..1b487d193 100644 --- a/security/nss/lib/util/secder.h +++ b/security/nss/lib/util/secder.h @@ -34,6 +34,9 @@ SEC_BEGIN_PROTOS extern SECStatus DER_Encode(PLArenaPool *arena, SECItem *dest, DERTemplate *t, void *src); +/* +** This function is deprecated. +*/ extern SECStatus DER_Lengths(SECItem *item, int *header_len_p, PRUint32 *contents_len_p); diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c index 1e505a9af..cd6996178 100644 --- a/security/nss/lib/util/secitem.c +++ b/security/nss/lib/util/secitem.c @@ -76,10 +76,10 @@ loser: } SECStatus -SECITEM_MakeItem(PLArenaPool *arena, SECItem *dest, unsigned char *data, +SECITEM_MakeItem(PLArenaPool *arena, SECItem *dest, const unsigned char *data, unsigned int len) { - SECItem it = { siBuffer, data, len }; + SECItem it = { siBuffer, (unsigned char *)data, len }; return SECITEM_CopyItem(arena, dest, &it); } diff --git a/security/nss/lib/util/secitem.h b/security/nss/lib/util/secitem.h index 4fb123938..f7a8241b5 100644 --- a/security/nss/lib/util/secitem.h +++ b/security/nss/lib/util/secitem.h @@ -41,7 +41,7 @@ extern SECItem *SECITEM_AllocItem(PLArenaPool *arena, SECItem *item, * always siBuffer. */ extern SECStatus SECITEM_MakeItem(PLArenaPool *arena, SECItem *dest, - unsigned char *data, unsigned int len); + const unsigned char *data, unsigned int len); /* ** This is a legacy function containing bugs. It doesn't update item->len, diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c index a05621c59..06b0cbcc4 100644 --- a/security/nss/lib/util/secoid.c +++ b/security/nss/lib/util/secoid.c @@ -122,7 +122,9 @@ const char __nss_util_version[] = "Version: NSS " NSSUTIL_VERSION _DEBUG_STRING; #define VERISIGN 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45 -#define PKIX 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07 +#define INTERNET_SECURITY_MECH 0x2b, 0x06, 0x01, 0x05, 0x05 + +#define PKIX INTERNET_SECURITY_MECH, 0x07 #define PKIX_CERT_EXTENSIONS PKIX, 1 #define PKIX_POLICY_QUALIFIERS PKIX, 2 #define PKIX_KEY_USAGE PKIX, 3 @@ -360,6 +362,7 @@ CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 }; CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 }; CONST_OID x509CertificatePoliciesAnyPolicy[] = { ID_CE_OID, 32, 0 }; +CONST_OID x509ExtKeyUsageAnyUsage[] = { ID_CE_OID, 37, 0 }; CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 }; CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 }; @@ -454,8 +457,13 @@ CONST_OID pkixExtendedKeyUsageCodeSign[] = { PKIX_KEY_USAGE, 3 }; CONST_OID pkixExtendedKeyUsageEMailProtect[] = { PKIX_KEY_USAGE, 4 }; CONST_OID pkixExtendedKeyUsageTimeStamp[] = { PKIX_KEY_USAGE, 8 }; CONST_OID pkixOCSPResponderExtendedKeyUsage[] = { PKIX_KEY_USAGE, 9 }; +/* 17 replaces 5 + 6 + 7 (declared obsolete in RFC 4945) */ +CONST_OID pkixExtendedKeyUsageIPsecIKE[] = { PKIX_KEY_USAGE, 17 }; CONST_OID msExtendedKeyUsageTrustListSigning[] = { MS_CRYPTO_EKU, 1 }; +CONST_OID ipsecIKEEnd[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x01 }; +CONST_OID ipsecIKEIntermediate[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x02 }; + /* OIDs for Netscape defined algorithms */ CONST_OID netscapeSMimeKEA[] = { NETSCAPE_ALGS, 0x01 }; @@ -1754,6 +1762,22 @@ const static SECOidData oids[SEC_OID_TOTAL] = { "Curve25519", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), ODE(SEC_OID_TLS13_KEA_ANY, "TLS 1.3 fake key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), + + OD(x509ExtKeyUsageAnyUsage, SEC_OID_X509_ANY_EXT_KEY_USAGE, + "Any Extended Key Usage", + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), + OD(pkixExtendedKeyUsageIPsecIKE, + SEC_OID_EXT_KEY_USAGE_IPSEC_IKE, + "IPsec IKE Certificate", + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), + OD(ipsecIKEEnd, + SEC_OID_IPSEC_IKE_END, + "IPsec IKE End", + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), + OD(ipsecIKEIntermediate, + SEC_OID_IPSEC_IKE_INTERMEDIATE, + "IPsec IKE Intermediate", + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), }; /* PRIVATE EXTENDED SECOID Table diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h index 0a40f29fd..c77aeb19f 100644 --- a/security/nss/lib/util/secoidt.h +++ b/security/nss/lib/util/secoidt.h @@ -494,6 +494,11 @@ typedef enum { SEC_OID_TLS13_KEA_ANY = 356, + SEC_OID_X509_ANY_EXT_KEY_USAGE = 357, + SEC_OID_EXT_KEY_USAGE_IPSEC_IKE = 358, + SEC_OID_IPSEC_IKE_END = 359, + SEC_OID_IPSEC_IKE_INTERMEDIATE = 360, + SEC_OID_TOTAL } SECOidTag; diff --git a/security/nss/lib/util/secport.c b/security/nss/lib/util/secport.c index e5bd4c1bb..ae979ebad 100644 --- a/security/nss/lib/util/secport.c +++ b/security/nss/lib/util/secport.c @@ -199,9 +199,6 @@ PORT_Strdup(const char *str) void PORT_SetError(int value) { -#ifdef DEBUG_jp96085 - PORT_Assert(value != SEC_ERROR_REUSED_ISSUER_AND_SERIAL); -#endif PR_SetError(value, 0); return; } diff --git a/security/nss/lib/util/utilpars.c b/security/nss/lib/util/utilpars.c index e7435bfcc..f9b807f7e 100644 --- a/security/nss/lib/util/utilpars.c +++ b/security/nss/lib/util/utilpars.c @@ -913,6 +913,92 @@ NSSUTIL_MkModuleSpec(char *dllName, char *commonName, char *parameters, return NSSUTIL_MkModuleSpecEx(dllName, commonName, parameters, NSS, NULL); } +/************************************************************************ + * add a single flag to the Flags= section inside the spec's NSS= section */ +char * +NSSUTIL_AddNSSFlagToModuleSpec(char *spec, char *addFlag) +{ + const char *prefix = "flags="; + const size_t prefixLen = strlen(prefix); + char *lib = NULL, *name = NULL, *param = NULL, *nss = NULL, *conf = NULL; + char *nss2 = NULL, *result = NULL; + SECStatus rv; + + rv = NSSUTIL_ArgParseModuleSpecEx(spec, &lib, &name, ¶m, &nss, &conf); + if (rv != SECSuccess) { + return NULL; + } + + if (nss && NSSUTIL_ArgHasFlag("flags", addFlag, nss)) { + /* It's already there, nothing to do! */ + PORT_Free(lib); + PORT_Free(name); + PORT_Free(param); + PORT_Free(nss); + PORT_Free(conf); + return PORT_Strdup(spec); + } + + if (!nss || !strlen(nss)) { + nss2 = PORT_Alloc(prefixLen + strlen(addFlag) + 1); + PORT_Strcpy(nss2, prefix); + PORT_Strcat(nss2, addFlag); + } else { + const char *iNss = nss; + PRBool alreadyAdded = PR_FALSE; + size_t maxSize = strlen(nss) + strlen(addFlag) + prefixLen + 2; /* space and null terminator */ + nss2 = PORT_Alloc(maxSize); + *nss2 = 0; + while (*iNss) { + iNss = NSSUTIL_ArgStrip(iNss); + if (PORT_Strncasecmp(iNss, prefix, prefixLen) == 0) { + /* We found an existing Flags= section. */ + char *oldFlags; + const char *valPtr; + int valSize; + valPtr = iNss + prefixLen; + oldFlags = NSSUTIL_ArgFetchValue(valPtr, &valSize); + iNss = valPtr + valSize; + PORT_Strcat(nss2, prefix); + PORT_Strcat(nss2, oldFlags); + PORT_Strcat(nss2, ","); + PORT_Strcat(nss2, addFlag); + PORT_Strcat(nss2, " "); + PORT_Free(oldFlags); + alreadyAdded = PR_TRUE; + iNss = NSSUTIL_ArgStrip(iNss); + PORT_Strcat(nss2, iNss); /* remainder of input */ + break; + } else { + /* Append this other name=value pair and continue. */ + const char *startOfNext = NSSUTIL_ArgSkipParameter(iNss); + PORT_Strncat(nss2, iNss, (startOfNext - iNss)); + if (nss2[strlen(nss2) - 1] != ' ') { + PORT_Strcat(nss2, " "); + } + iNss = startOfNext; + } + iNss = NSSUTIL_ArgStrip(iNss); + } + if (!alreadyAdded) { + /* nss wasn't empty, and it didn't contain a Flags section. We can + * assume that other content from nss has already been added to + * nss2, which means we already have a trailing space separator. */ + PORT_Strcat(nss2, prefix); + PORT_Strcat(nss2, addFlag); + } + } + + result = NSSUTIL_MkModuleSpecEx(lib, name, param, nss2, conf); + PORT_Free(lib); + PORT_Free(name); + PORT_Free(param); + PORT_Free(nss); + PORT_Free(nss2); + PORT_Free(conf); + return result; +} + #define NSSUTIL_ARG_FORTEZZA_FLAG "FORTEZZA" /****************************************************************************** * Parse the cipher flags from the NSS parameter diff --git a/security/nss/lib/util/utilpars.h b/security/nss/lib/util/utilpars.h index 1b0b1ff1c..289fdca97 100644 --- a/security/nss/lib/util/utilpars.h +++ b/security/nss/lib/util/utilpars.h @@ -46,6 +46,7 @@ char *NSSUTIL_MkModuleSpec(char *dllName, char *commonName, char *parameters, char *NSS); char *NSSUTIL_MkModuleSpecEx(char *dllName, char *commonName, char *parameters, char *NSS, char *config); +char *NSSUTIL_AddNSSFlagToModuleSpec(char *spec, char *addFlag); void NSSUTIL_ArgParseCipherFlags(unsigned long *newCiphers, const char *cipherList); char *NSSUTIL_MkNSSString(char **slotStrings, int slotCount, PRBool internal, -- cgit v1.2.3