From 3bed2c2142acca1abefb29c851aefe21b35d6f26 Mon Sep 17 00:00:00 2001 
From: Sergey Yanovich Date: Thu, 6 Mar 2008 21:52:57 +0200 Subject: [PATCH] Import 1.9b4 NSS tag from cvs --- security/nss/cmd/bltest/blapitest.c | 6 +- security/nss/cmd/certcgi/certcgi.c | 3 +- security/nss/cmd/certutil/certext.c | 49 ++++ security/nss/cmd/certutil/certutil.c | 275 ++++++++++++++------ security/nss/cmd/certutil/certutil.h | 1 + security/nss/cmd/lib/SECerrs.h | 2 +- security/nss/cmd/lib/secutil.c | 262 ++++++++++++++++++- security/nss/cmd/lib/secutil.h | 23 +- security/nss/cmd/pk12util/pk12util.c | 134 +++++++++- security/nss/cmd/pk12util/pk12util.h | 1 + security/nss/cmd/vfychain/vfychain.c | 166 ++++++++++-- security/nss/lib/base/hash.c | 6 +- security/nss/lib/certdb/cert.h | 6 +- security/nss/lib/certdb/certdb.c | 3 +- security/nss/lib/certdb/crl.c | 6 +- security/nss/lib/certdb/genname.c | 10 +- security/nss/lib/certdb/polcyxtn.c | 11 +- security/nss/lib/certdb/secname.c | 2 +- security/nss/lib/certdb/stanpcertdb.c | 1 - security/nss/lib/certdb/xauthkid.c | 4 +- security/nss/lib/certdb/xconst.c | 17 +- security/nss/lib/certdb/xconst.h | 2 +- security/nss/lib/certhigh/certhigh.c | 20 ++ security/nss/lib/certhigh/certreq.c | 2 +- security/nss/lib/certhigh/certvfy.c | 6 +- security/nss/lib/certhigh/certvfypkix.c | 12 + security/nss/lib/certhigh/ocsp.c | 218 ++++++++++++---- security/nss/lib/certhigh/ocspi.h | 77 +++++- security/nss/lib/certhigh/xcrldist.c | 4 +- security/nss/lib/ckfw/builtins/binst.c | 4 +- security/nss/lib/ckfw/builtins/bslot.c | 4 +- security/nss/lib/ckfw/builtins/btoken.c | 4 +- security/nss/lib/ckfw/builtins/builtins.h | 33 +-- security/nss/lib/ckfw/builtins/certdata.c | 8 +- security/nss/lib/ckfw/builtins/certdata.perl | 6 +- security/nss/lib/ckfw/builtins/constants.c | 40 +-- security/nss/lib/cryptohi/seckey.c | 6 +- security/nss/lib/dev/devtoken.c | 6 +- security/nss/lib/freebl/loader.c | 7 +- security/nss/lib/freebl/manifest.mn | 1 - security/nss/lib/freebl/mpi/mpcpucache.c | 37 ++- security/nss/lib/freebl/sha.c | 161 
------------ security/nss/lib/freebl/sha.h | 49 ---- security/nss/lib/freebl/sha512.c | 11 +- security/nss/lib/freebl/sha_fast.h | 10 +- security/nss/lib/jar/jarfile.c | 13 +- .../nss/lib/libpkix/include/pkix_errorstrings.h | 62 ++--- security/nss/lib/libpkix/include/pkix_pl_pki.h | 2 + security/nss/lib/libpkix/include/pkixt.h | 211 ++++++++-------- .../lib/libpkix/pkix/checker/pkix_ocspchecker.c | 57 ++++- .../lib/libpkix/pkix/top/pkix_defaultcrlchecker.c | 19 +- security/nss/lib/libpkix/pkix/util/pkix_tools.h | 11 + .../pkix_pl_nss/module/pkix_pl_ldaptemplates.c | 6 +- .../nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn | 3 + .../libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c | 278 +++++++++++++++++++++ ...{pkix_pl_ocsprequest.h => pkix_pl_ocspcertid.h} | 59 ++--- .../libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c | 115 ++------- .../libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h | 8 +- .../libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c | 24 +- .../libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h | 1 + .../libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c | 1 + .../libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h | 1 + security/nss/lib/nss/nss.def | 1 + security/nss/lib/nss/nss.h | 4 +- security/nss/lib/nss/nssinit.c | 41 ++- security/nss/lib/nss/utilwrap.c | 6 +- security/nss/lib/pk11wrap/pk11akey.c | 28 +-- security/nss/lib/pk11wrap/pk11cert.c | 78 +----- security/nss/lib/pk11wrap/pk11mech.c | 31 ++- security/nss/lib/pk11wrap/pk11pbe.c | 11 +- security/nss/lib/pk11wrap/pk11pk12.c | 4 +- security/nss/lib/pk11wrap/pk11priv.h | 4 - security/nss/lib/pk11wrap/pk11sdr.c | 2 +- security/nss/lib/pk11wrap/secmodi.h | 5 + security/nss/lib/pkcs12/p12.h | 1 + security/nss/lib/pkcs12/p12d.c | 11 +- security/nss/lib/pkcs12/p12e.c | 30 ++- security/nss/lib/pkcs7/p7common.c | 78 ++---- security/nss/lib/pkcs7/p7create.c | 38 ++- security/nss/lib/pkcs7/p7local.c | 78 ++---- security/nss/lib/pki/pkibase.c | 9 +- security/nss/lib/pki/pkistore.c | 8 +- security/nss/lib/smime/cmscipher.c | 86 
++----- security/nss/lib/smime/cmsencdata.c | 35 +-- security/nss/lib/softoken/config.mk | 4 + security/nss/lib/softoken/fipstokn.c | 149 ++++++++++- security/nss/lib/softoken/legacydb/lginit.c | 10 +- security/nss/lib/softoken/legacydb/lowcert.c | 4 +- security/nss/lib/softoken/legacydb/lowkey.c | 8 +- security/nss/lib/softoken/lowkey.c | 8 +- security/nss/lib/softoken/pkcs11.c | 101 +++++++- security/nss/lib/softoken/pkcs11c.c | 80 ++++++ security/nss/lib/softoken/softoken.h | 20 +- security/nss/lib/ssl/cmpcert.c | 4 +- security/nss/lib/ssl/ssl.h | 4 +- security/nss/lib/ssl/ssl3con.c | 19 +- security/nss/lib/ssl/ssl3ecc.c | 3 +- security/nss/lib/ssl/sslimpl.h | 8 +- security/nss/lib/ssl/sslnonce.c | 51 +++- security/nss/lib/ssl/sslsnce.c | 9 +- security/nss/lib/util/dertime.c | 243 +++++++----------- security/nss/lib/util/manifest.mn | 1 - security/nss/lib/util/nsslocks.c | 106 -------- security/nss/lib/util/nsslocks.h | 32 +-- security/nss/lib/util/nssrwlk.c | 35 --- security/nss/lib/util/nssutil.def | 3 +- security/nss/lib/util/secoid.c | 39 ++- security/nss/lib/util/secoid.h | 7 +- security/nss/lib/util/secport.c | 4 +- security/nss/lib/util/secport.h | 10 +- security/nss/lib/util/utilrename.h | 2 - security/nss/tests/cert/cert.sh | 20 +- security/nss/tests/cipher/cipher.sh | 2 +- security/nss/tests/cipher/performance.sh | 22 +- security/nss/tests/common/init.sh | 42 ++-- security/nss/tests/crmf/crmf.sh | 4 +- security/nss/tests/dbtests/dbtests.sh | 22 +- security/nss/tests/dbupgrade/dbupgrade.sh | 14 +- security/nss/tests/fips/fips.sh | 54 ++-- security/nss/tests/iopr/cert_iopr.sh | 4 +- security/nss/tests/iopr/ocsp_iopr.sh | 4 +- security/nss/tests/iopr/ssl_iopr.sh | 12 +- security/nss/tests/memleak/ignored | 3 + security/nss/tests/memleak/memleak.sh | 40 +-- security/nss/tests/perf/perf.sh | 2 +- security/nss/tests/pkits/pkits.sh | 22 +- security/nss/tests/sdr/sdr.sh | 8 +- security/nss/tests/smime/smime.sh | 50 ++-- security/nss/tests/ssl/ssl.sh | 31 +-- 
security/nss/tests/ssl/ssl_dist_stress.sh | 4 +- security/nss/tests/tools/tools.sh | 26 +- 131 files changed, 2723 insertions(+), 1803 deletions(-) delete mode 100644 security/nss/lib/freebl/sha.c delete mode 100644 security/nss/lib/freebl/sha.h create mode 100644 security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c copy security/nss/lib/libpkix/pkix_pl_nss/pki/{pkix_pl_ocsprequest.h => pkix_pl_ocspcertid.h} (63%) delete mode 100644 security/nss/lib/util/nsslocks.c diff --git a/security/nss/cmd/bltest/blapitest.c b/security/nss/cmd/bltest/blapitest.c index bbb8e38..f788600 100644 --- a/security/nss/cmd/bltest/blapitest.c +++ b/security/nss/cmd/bltest/blapitest.c @@ -51,6 +51,7 @@ #include "softoken.h" #include "nspr.h" #include "nss.h" +#include "secoid.h" #ifdef NSS_ENABLE_ECC #include "ecl-curve.h" @@ -58,7 +59,6 @@ SECStatus EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams); SECStatus EC_CopyParams(PRArenaPool *arena, ECParams *dstParams, const ECParams *srcParams); -SECStatus secoid_Init(void); #endif /* Temporary - add debugging ouput on windows for RSA to track QA failure */ @@ -438,7 +438,7 @@ eckey_from_filedata(SECItem *filedata) /* read and convert params */ key->ecParams.arena = arena; key_from_filedata(arena, &key->ecParams.DEREncoding, 0, 1, filedata); - rv = secoid_Init(); + rv = SECOID_Init(); CHECKERROR(rv, __LINE__); rv = EC_DecodeParams(&key->ecParams.DEREncoding, &tmpECParams); CHECKERROR(rv, __LINE__); @@ -1860,7 +1860,7 @@ pubkeyInitKey(bltestCipherInfo *cipherInfo, PRFileDesc *file, ecdsap = &cipherInfo->params.ecdsa; if (curveName != NULL) { tmpECParamsDER = getECParams(curveName); - rv = secoid_Init(); + rv = SECOID_Init(); CHECKERROR(rv, __LINE__); rv = EC_DecodeParams(tmpECParamsDER, &tmpECParams) == SECFailure; CHECKERROR(rv, __LINE__); diff --git a/security/nss/cmd/certcgi/certcgi.c b/security/nss/cmd/certcgi/certcgi.c index 3390309..038b55f 100644 --- a/security/nss/cmd/certcgi/certcgi.c 
+++ b/security/nss/cmd/certcgi/certcgi.c @@ -952,8 +952,7 @@ AddSubKeyID(void *extHandle, (data,"subjectKeyIdentifier-text", PR_TRUE); subjectCert->subjectKeyID.len = len; rv = CERT_EncodeSubjectKeyID - (NULL, find_field(data,"subjectKeyIdentifier-text", PR_TRUE), - len, &encodedValue); + (NULL, &subjectCert->subjectKeyID, &encodedValue); if (rv) { return (rv); } diff --git a/security/nss/cmd/certutil/certext.c b/security/nss/cmd/certutil/certext.c index eb57033..cdebedc 100644 --- a/security/nss/cmd/certutil/certext.c +++ b/security/nss/cmd/certutil/certext.c @@ -57,6 +57,7 @@ #endif #include "cert.h" +#include "xconst.h" #include "prprf.h" #include "certutil.h" @@ -703,6 +704,9 @@ AddAuthKeyID (void *extHandle) "enter to omit:", &authKeyID->keyID); if (rv != SECSuccess) break; + + SECU_SECItemHexStringToBinary(&authKeyID->keyID); + authKeyID->authCertIssuer = GetGeneralName (arena); if (authKeyID->authCertIssuer == NULL && SECFailure == PORT_GetError ()) @@ -727,6 +731,43 @@ AddAuthKeyID (void *extHandle) } static SECStatus +AddSubjKeyID (void *extHandle) +{ + SECItem keyID; + PRArenaPool *arena = NULL; + SECStatus rv = SECSuccess; + PRBool yesNoAns; + + do { + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if ( !arena ) { + SECU_PrintError(progName, "out of memory"); + GEN_BREAK (SECFailure); + } + printf("Adding Subject Key ID extension.\n"); + + rv = GetString (arena, "Enter value for the key identifier fields," + "enter to omit:", &keyID); + if (rv != SECSuccess) + break; + + SECU_SECItemHexStringToBinary(&keyID); + + yesNoAns = GetYesNo ("Is this a critical extension [y/N]?"); + + rv = SECU_EncodeAndAddExtensionValue(arena, extHandle, + &keyID, yesNoAns, SEC_OID_X509_SUBJECT_KEY_ID, + (EXTEN_EXT_VALUE_ENCODER) CERT_EncodeSubjectKeyID); + if (rv) + break; + + } while (0); + if (arena) + PORT_FreeArena (arena, PR_FALSE); + return (rv); +} + +static SECStatus AddCrlDistPoint(void *extHandle) { PRArenaPool *arena = NULL; 
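Review bot: The return value of `SECU_SECItemHexStringToBinary(&authKeyID->keyID)` is discarded in AddAuthKeyID, so any answer that is not `0x`-prefixed hex (including the empty "enter to omit" answer) is encoded as the raw typed bytes. The helper also sets SEC_ERROR_BAD_DATA on that path, and the following check consults PORT_GetError(), so a stale code is left behind. If keeping the literal text is intended, say so with a comment such as `/* non-hex input is kept as literal bytes; a failed conversion is not an error */`; otherwise test the result, `if (SECU_SECItemHexStringToBinary(&authKeyID->keyID) != SECSuccess) GEN_BREAK(SECFailure);`. The same unchecked call appears in the new AddSubjKeyID in the next hunk. AddAuthKeyID starts and ends outside this hunk.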
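Review bot: AddSubjKeyID prompts "enter to omit" but then always calls SECU_EncodeAndAddExtensionValue, so an empty answer still adds a Subject Key ID extension instead of skipping it. `SECItem keyID;` is also left uninitialised on the stack; whether GetString fills it on every path is not visible here, so `SECItem keyID = { siBuffer, NULL, 0 };` would be safer. After the conversion I would add `if (keyID.len == 0) break;` (or reject the input) before asking whether the extension is critical.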
@@ -1548,6 +1589,14 @@ AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames, errstring = "AuthorityKeyID"; break; } + } + + if (extList[ext_subjectKeyID]) { + rv = AddSubjKeyID(extHandle); + if (rv) { + errstring = "SubjectKeyID"; + break; + } } if (extList[ext_CRLDistPts]) { diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c index a54363e..f56c9d8 100644 --- a/security/nss/cmd/certutil/certutil.c +++ b/security/nss/cmd/certutil/certutil.c @@ -177,10 +177,11 @@ AddCert(PK11SlotInfo *slot, CERTCertDBHandle *handle, char *name, char *trusts, GEN_BREAK(SECFailure); } - if (!PK11_IsFriendly(slot)) { + if (PK11_IsFIPS() || !PK11_IsInternal(slot)) { rv = PK11_Authenticate(slot, PR_TRUE, pwdata); if (rv != SECSuccess) { - SECU_PrintError(progName, "could not authenticate to token or database"); + SECU_PrintError(progName, "could not authenticate to token %s.", + PK11_GetTokenName(slot)); GEN_BREAK(SECFailure); } } @@ -196,8 +197,8 @@ AddCert(PK11SlotInfo *slot, CERTCertDBHandle *handle, char *name, char *trusts, if (PORT_GetError() == SEC_ERROR_TOKEN_NOT_LOGGED_IN) { rv = PK11_Authenticate(slot, PR_TRUE, pwdata); if (rv != SECSuccess) { - SECU_PrintError(progName, - "could not authenticate to token or database"); + SECU_PrintError(progName, "could not authenticate to token %s.", + PK11_GetTokenName(slot)); GEN_BREAK(SECFailure); } rv = CERT_ChangeCertTrust(handle, cert, trust); @@ -392,8 +393,8 @@ ChangeTrustAttributes(CERTCertDBHandle *handle, PK11SlotInfo *slot, if (PORT_GetError() == SEC_ERROR_TOKEN_NOT_LOGGED_IN) { rv = PK11_Authenticate(slot, PR_TRUE, pwdata); if (rv != SECSuccess) { - SECU_PrintError(progName, - "could not authenticate to token or database"); + SECU_PrintError(progName, "could not authenticate to token %s.", + PK11_GetTokenName(slot)); return SECFailure; } rv = CERT_ChangeCertTrust(handle, cert, trust); 
@@ -409,35 +410,6 @@ ChangeTrustAttributes(CERTCertDBHandle *handle, PK11SlotInfo *slot, } static SECStatus -printCertCB(CERTCertificate *cert, void *arg) -{ - SECStatus rv; - SECItem data; - CERTCertTrust *trust = (CERTCertTrust *)arg; - - data.data = cert->derCert.data; - data.len = cert->derCert.len; - - rv = SECU_PrintSignedData(stdout, &data, "Certificate", 0, - SECU_PrintCertificate); - if (rv) { - SECU_PrintError(progName, "problem printing certificate"); - return(SECFailure); - } - if (trust) { - SECU_PrintTrustFlags(stdout, trust, - "Certificate Trust Flags", 1); - } else if (cert->trust) { - SECU_PrintTrustFlags(stdout, cert->trust, - "Certificate Trust Flags", 1); - } - - printf("\n"); - - return(SECSuccess); -} - -static SECStatus DumpChain(CERTCertDBHandle *handle, char *name) { CERTCertificate *the_cert; @@ -476,8 +448,14 @@ listCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot, CERTCertListNode *node; /* List certs on a non-internal slot. */ - if (!PK11_IsFriendly(slot) && PK11_NeedLogin(slot)) - PK11_Authenticate(slot, PR_TRUE, pwarg); + if (!PK11_IsFriendly(slot) && PK11_NeedLogin(slot)) { + SECStatus newrv = PK11_Authenticate(slot, PR_TRUE, pwarg); + if (newrv != SECSuccess) { + SECU_PrintError(progName, "could not authenticate to token %s.", + PK11_GetTokenName(slot)); + return SECFailure; + } + } if (name) { CERTCertificate *the_cert; the_cert = CERT_FindCertByNicknameOrEmailAddr(handle, name); @@ -510,7 +488,12 @@ listCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot, } rv = SECSuccess; } else { - rv = printCertCB(the_cert, the_cert->trust); + rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate", + the_cert->trust); + if (rv != SECSuccess) { + SECU_PrintError(progName, "problem printing certificate"); + } + } if (rv != SECSuccess) { break; 
@@ -539,11 +522,16 @@ listCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot, } static SECStatus -ListCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot, +ListCerts(CERTCertDBHandle *handle, char *nickname, PK11SlotInfo *slot, PRBool raw, PRBool ascii, PRFileDesc *outfile, secuPWData *pwdata) { SECStatus rv; + if (!ascii && !raw) { + PR_fprintf(outfile, "\n%-60s %-5s\n%-60s %-5s\n\n", + "Certificate Nickname", "Trust Attributes", "", + "SSL,S/MIME,JAR/XPI"); + } if (slot == NULL) { CERTCertList *list; CERTCertListNode *node; @@ -557,7 +545,7 @@ ListCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot, CERT_DestroyCertList(list); return SECSuccess; } else { - rv = listCerts(handle,name,slot,raw,ascii,outfile,pwdata); + rv = listCerts(handle,nickname,slot,raw,ascii,outfile,pwdata); } return rv; } 
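Review bot: The column header added at the top of ListCerts is printed whenever neither `ascii` nor `raw` is set, including when `nickname` selects a single certificate. In that case listCerts (previous hunk) prints the full certificate through SEC_PrintCertificateAndTrust, so the table header ends up above a non-tabular dump. Guarding it as `if (!ascii && !raw && !nickname) {` keeps the header for listings only. ListCerts continues outside this hunk.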
@@ -697,67 +685,167 @@ ValidateCert(CERTCertDBHandle *handle, char *name, char *date, return (rv); } -/* callback for listing certs through pkcs11 */ -static SECStatus -secu_PrintKey(FILE *out, int count, SECKEYPrivateKey *key) +static PRBool +ItemIsPrintableASCII(const SECItem * item) { - char *name; + unsigned char *src = item->data; + unsigned int len = item->len; + while (len-- > 0) { + unsigned char uc = *src++; + if (uc < 0x20 || uc > 0x7e) + return PR_FALSE; + } + return PR_TRUE; +} + +/* Caller ensures that dst is at least item->len*2+1 bytes long */ +static void +SECItemToHex(const SECItem * item, char * dst) +{ + if (dst && item && item->data) { + unsigned char * src = item->data; + unsigned int len = item->len; + for (; len > 0; --len, dst += 2) { + sprintf(dst, "%02x", *src++); + } + *dst = '\0'; + } +} + +static const char * const keyTypeName[] = { + "null", "rsa", "dsa", "fortezza", "dh", "kea", "ec" }; - name = PK11_GetPrivateKeyNickname(key); - if (name == NULL) { - /* should look up associated cert */ - name = PORT_Strdup("< orphaned >"); +#define MAX_CKA_ID_BIN_LEN 20 +#define MAX_CKA_ID_STR_LEN 40 + +/* print key number, key ID (in hex or ASCII), key label (nickname) */ +static SECStatus +PrintKey(PRFileDesc *out, const char *nickName, int count, + SECKEYPrivateKey *key, void *pwarg) +{ + SECItem * ckaID; + char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4]; + + pwarg = NULL; + ckaID = PK11_GetLowLevelKeyIDForPrivateKey(key); + if (!ckaID) { + strcpy(ckaIDbuf, "(no CKA_ID)"); + } else if (ItemIsPrintableASCII(ckaID)) { + int len = PR_MIN(MAX_CKA_ID_STR_LEN, ckaID->len); + ckaIDbuf[0] = '"'; + memcpy(ckaIDbuf + 1, ckaID->data, len); + ckaIDbuf[1 + len] = '"'; + ckaIDbuf[2 + len] = '\0'; + } else { + /* print ckaid in hex */ + SECItem idItem = *ckaID; + if (idItem.len > MAX_CKA_ID_BIN_LEN) + idItem.len = MAX_CKA_ID_BIN_LEN; + SECItemToHex(&idItem, ckaIDbuf); } - fprintf(out, "<%d> %s\n", count, name); - PORT_Free(name); + + PR_fprintf(out, "<%2d> %-8.8s 
%-42.42s %s\n", count, + keyTypeName[key->keyType], ckaIDbuf, nickName); + SECITEM_ZfreeItem(ckaID, PR_TRUE); return SECSuccess; } +/* returns SECSuccess if ANY keys are found, SECFailure otherwise. */ static SECStatus -listKeys(PK11SlotInfo *slot, KeyType keyType, void *pwarg) +ListKeysInSlot(PK11SlotInfo *slot, const char *nickName, KeyType keyType, + void *pwarg) { SECKEYPrivateKeyList *list; SECKEYPrivateKeyListNode *node; - int count; + int count = 0; - if (PK11_NeedLogin(slot)) - PK11_Authenticate(slot, PR_TRUE, pwarg); + if (PK11_NeedLogin(slot)) { + SECStatus rv = PK11_Authenticate(slot, PR_TRUE, pwarg); + if (rv != SECSuccess) { + SECU_PrintError(progName, "could not authenticate to token %s.", + PK11_GetTokenName(slot)); + return SECFailure; + } + } - list = PK11_ListPrivateKeysInSlot(slot); + if (nickName && nickName[0]) + list = PK11_ListPrivKeysInSlot(slot, (char *)nickName, pwarg); + else + list = PK11_ListPrivateKeysInSlot(slot); if (list == NULL) { SECU_PrintError(progName, "problem listing keys"); return SECFailure; } - for (count=0, node=PRIVKEY_LIST_HEAD(list) ; !PRIVKEY_LIST_END(node,list); - node= PRIVKEY_LIST_NEXT(node),count++) { - secu_PrintKey(stdout, count, node->key); + for (node=PRIVKEY_LIST_HEAD(list); + !PRIVKEY_LIST_END(node,list); + node=PRIVKEY_LIST_NEXT(node)) { + char * keyName; + static const char orphan[] = { "(orphan)" }; + + if (keyType != nullKey && keyType != node->key->keyType) + continue; + keyName = PK11_GetPrivateKeyNickname(node->key); + if (!keyName || !keyName[0]) { + /* Try extra hard to find nicknames for keys that lack them. 
*/ + CERTCertificate * cert; + PORT_Free((void *)keyName); + keyName = NULL; + cert = PK11_GetCertFromPrivateKey(node->key); + if (cert) { + if (cert->nickname && !cert->nickname[0]) { + keyName = PORT_Strdup(cert->nickname); + } else if (cert->emailAddr && cert->emailAddr[0]) { + keyName = PORT_Strdup(cert->emailAddr); + } + CERT_DestroyCertificate(cert); + } + } + if (nickName) { + if (!keyName || PL_strcmp(keyName,nickName)) { + /* PKCS#11 module returned unwanted keys */ + PORT_Free((void *)keyName); + continue; + } + } + if (!keyName) + keyName = (char *)orphan; + + PrintKey(PR_STDOUT, keyName, count, node->key, pwarg); + + if (keyName != (char *)orphan) + PORT_Free((void *)keyName); + count++; } SECKEY_DestroyPrivateKeyList(list); if (count == 0) { - fprintf(stderr, "%s: no keys found\n", progName); + PR_fprintf(PR_STDOUT, "%s: no keys found\n", progName); return SECFailure; } return SECSuccess; } +/* returns SECSuccess if ANY keys are found, SECFailure otherwise. */ static SECStatus -ListKeys(PK11SlotInfo *slot, char *keyname, int index, +ListKeys(PK11SlotInfo *slot, const char *nickName, int index, KeyType keyType, PRBool dopriv, secuPWData *pwdata) { - SECStatus rv = SECSuccess; + SECStatus rv = SECFailure; if (slot == NULL) { PK11SlotList *list; PK11SlotListElement *le; list= PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,pwdata); - if (list) for (le = list->head; le; le = le->next) { - rv = listKeys(le->slot,keyType,pwdata); + if (list) { + for (le = list->head; le; le = le->next) { + rv &= ListKeysInSlot(le->slot,nickName,keyType,pwdata); + } + PK11_FreeSlotList(list); } } else { - rv = listKeys(slot,keyType,pwdata); + rv = ListKeysInSlot(slot,nickName,keyType,pwdata); } return rv; } 
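Review bot: In ListKeysInSlot the fallback that derives a name from the certificate tests `cert->nickname && !cert->nickname[0]`, which is inverted: it copies the nickname only when it is the empty string and skips every real nickname, so such keys fall through to the e-mail address or "(orphan)". It should read `if (cert->nickname && cert->nickname[0]) {`. Separately, PrintKey indexes `keyTypeName[key->keyType]` without a range check; the table has seven entries, so a key type beyond `ec` would read past it, and a guard with an "unknown" fallback would be cheap. In ListKeys, `rv &= ListKeysInSlot(...)` relies on the numeric values of SECSuccess and SECFailure; a comment or an explicit `if (... == SECSuccess) rv = SECSuccess;` would make the "any slot" intent readable.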
@@ -770,8 +858,14 @@ DeleteKey(char *nickname, secuPWData *pwdata) PK11SlotInfo *slot; slot = PK11_GetInternalKeySlot(); - if (PK11_NeedLogin(slot)) - PK11_Authenticate(slot, PR_TRUE, pwdata); + if (PK11_NeedLogin(slot)) { + SECStatus rv = PK11_Authenticate(slot, PR_TRUE, pwdata); + if (rv != SECSuccess) { + SECU_PrintError(progName, "could not authenticate to token %s.", + PK11_GetTokenName(slot)); + return SECFailure; + } + } cert = PK11_FindCertFromNickname(nickname, pwdata); if (!cert) { PK11_FreeSlot(slot); @@ -864,8 +958,8 @@ Usage(char *progName) "\t\t [-f pwfile] [-d certdir] [-P dbprefix]\n" "\t\t [-p phone] [-1] [-2] [-3] [-4] [-5] [-6] [-7 emailAddrs]\n" "\t\t [-8 DNS-names]\n" - "\t\t [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA]\n", - progName); + "\t\t [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA]\n" + "\t\t [--extSKID]\n", progName); FPS "\t%s -U [-X] [-d certdir] [-P dbprefix]\n", progName); exit(1); } @@ -884,6 +978,8 @@ static void LongUsage(char *progName) " -n cert-name"); FPS "%-20s Set the certificate trust attributes:\n", " -t trustargs"); + FPS "%-25s trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,\n", ""); + FPS "%-25s and z is for code signing\n", ""); FPS "%-25s p \t valid peer\n", ""); FPS "%-25s P \t trusted peer (implies p)\n", ""); FPS "%-25s c \t valid CA\n", ""); 
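Review bot: The new early `return SECFailure;` in DeleteKey leaves the function without releasing `slot`, which was obtained from PK11_GetInternalKeySlot() just above; the existing `!cert` path right after it does call PK11_FreeSlot(slot). Add `PK11_FreeSlot(slot);` before the return in the authentication-failure branch so the slot reference is not leaked. DeleteKey's body continues outside the hunk.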
@@ -1019,18 +1115,19 @@ static void LongUsage(char *progName) " -X"); FPS "\n"); - FPS "%-15s List all keys\n", /*, or print out a single named key\n",*/ + FPS "%-15s List all private keys\n", "-K"); - FPS "%-20s Name of token in which to look for keys (default is internal," - " use \"all\" to list keys on all tokens)\n", + FPS "%-20s Name of token to search (\"all\" for all tokens)\n", " -h token-name "); + + FPS "%-20s Key type (\"all\" (default), \"dsa\"," #ifdef NSS_ENABLE_ECC - FPS "%-20s Type of key pair to list (\"all\", \"dsa\", \"ec\", \"rsa\" (default))\n", - " -k key-type"); -#else - FPS "%-20s Type of key pair to list (\"all\", \"dsa\", \"rsa\" (default))\n", - " -k key-type"); + " \"ec\"," #endif + " \"rsa\")\n", + " -k key-type"); + FPS "%-20s The nickname of the key or associated certificate\n", + " -n name"); FPS "%-20s Specify the password file\n", " -f password-file"); FPS "%-20s Key database directory (default is ~/.netscape)\n", @@ -1234,6 +1331,8 @@ static void LongUsage(char *progName) " --extPC "); FPS "%-20s Create an Inhibit Any Policy extension\n", " --extIA "); + FPS "%-20s Create a subject key ID extension\n", + " --extSKID "); FPS "\n"); exit(1); @@ -1538,7 +1637,8 @@ enum certutilOpts { opt_AddCertPoliciesExt, opt_AddPolicyMapExt, opt_AddPolicyConstrExt, - opt_AddInhibAnyExt + opt_AddInhibAnyExt, + opt_AddSubjectKeyIDExt }; static const @@ -1614,7 +1714,8 @@ secuCommandFlag options_init[] = { /* opt_AddCertPoliciesExt */ 0, PR_FALSE, 0, PR_FALSE, "extCP" }, { /* opt_AddPolicyMapExt */ 0, PR_FALSE, 0, PR_FALSE, "extPM" }, { /* opt_AddPolicyConstrExt */ 0, PR_FALSE, 0, PR_FALSE, "extPC" }, - { /* opt_AddInhibAnyExt */ 0, PR_FALSE, 0, PR_FALSE, "extIA" } + { /* opt_AddInhibAnyExt */ 0, PR_FALSE, 0, PR_FALSE, "extIA" }, + { /* opt_AddSubjectKeyIDExt */ 0, PR_FALSE, 0, PR_FALSE, "extSKID" } }; #define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0])) 
@@ -1737,6 +1838,8 @@ certutil_main(int argc, char **argv, PRBool initialize) /* use an existing private/public key pair */ keysource = arg; } + } else if (certutil.commands[cmd_ListKeys].activated) { + keytype = nullKey; } /* -m serial number */ @@ -2088,7 +2191,8 @@ certutil_main(int argc, char **argv, PRBool initialize) if (PK11_IsFIPS() || !PK11_IsFriendly(slot)) { rv = PK11_Authenticate(slot, PR_TRUE, &pwdata); if (rv != SECSuccess) { - SECU_PrintError(progName, "could not authenticate to token or database"); + SECU_PrintError(progName, "could not authenticate to token %s.", + PK11_GetTokenName(slot)); goto shutdown; } } @@ -2117,8 +2221,14 @@ certutil_main(int argc, char **argv, PRBool initialize) if (certutil.commands[cmd_CheckCertValidity].activated) { /* XXX temporary hack for fips - must log in to get priv key */ if (certutil.options[opt_VerifySig].activated) { - if (slot && PK11_NeedLogin(slot)) - PK11_Authenticate(slot, PR_TRUE, &pwdata); + if (slot && PK11_NeedLogin(slot)) { + SECStatus newrv = PK11_Authenticate(slot, PR_TRUE, &pwdata); + if (newrv != SECSuccess) { + SECU_PrintError(progName, "could not authenticate to token %s.", + PK11_GetTokenName(slot)); + goto shutdown; + } + } } rv = ValidateCert(certHandle, name, certutil.options[opt_ValidityTime].arg, @@ -2195,6 +2305,8 @@ certutil_main(int argc, char **argv, PRBool initialize) certutil.options[opt_AddBasicConstraintExt].activated; certutil_extns[ext_authorityKeyID] = certutil.options[opt_AddAuthorityKeyIDExt].activated; + certutil_extns[ext_subjectKeyID] = + certutil.options[opt_AddSubjectKeyIDExt].activated; certutil_extns[ext_CRLDistPts] = certutil.options[opt_AddCRLDistPtsExt].activated; certutil_extns[ext_NSCertType] = @@ -2432,6 +2544,7 @@ shutdown: if ((initialized == PR_TRUE) && NSS_Shutdown() != SECSuccess) { exit(1); } + PR_Cleanup(); if (rv == SECSuccess) { return 0; diff --git a/security/nss/cmd/certutil/certutil.h b/security/nss/cmd/certutil/certutil.h index b4b3f42..eda0c49 100644 
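Review bot: In the CheckCertValidity branch (hunk at -2117) the result of PK11_Authenticate is stored in `newrv`, and on failure the code jumps to `shutdown` without touching `rv`, which is the variable the shutdown path uses to pick the exit status (`if (rv == SECSuccess) { return 0;` in the last hunk of this file). What `rv` holds at that point is not visible here, but if it is still SECSuccess the tool exits 0 after a failed token login. Assigning `rv = newrv;` before `goto shutdown;`, or using `rv` directly as the hunk at -2088 does, removes the doubt.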
--- a/security/nss/cmd/certutil/certutil.h +++ b/security/nss/cmd/certutil/certutil.h @@ -63,6 +63,7 @@ enum certutilExtns { ext_policyMappings, ext_policyConstr, ext_inhibitAnyPolicy, + ext_subjectKeyID, ext_End }; diff --git a/security/nss/cmd/lib/SECerrs.h b/security/nss/cmd/lib/SECerrs.h index bb15336..2d5e7fe 100644 --- a/security/nss/cmd/lib/SECerrs.h +++ b/security/nss/cmd/lib/SECerrs.h @@ -515,7 +515,7 @@ ER3(SEC_ERROR_TOKEN_NOT_LOGGED_IN, (SEC_ERROR_BASE + 155), "The operation failed because the PKCS#11 token is not logged in.") ER3(SEC_ERROR_OCSP_RESPONDER_CERT_INVALID, (SEC_ERROR_BASE + 156), -"OCSP Trusted Responder Cert is invalid.") +"Configured OCSP responder's certificate is invalid.") ER3(SEC_ERROR_OCSP_BAD_SIGNATURE, (SEC_ERROR_BASE + 157), "OCSP response has an invalid signature.") diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c index cd4cbaa..1862f3b 100644 --- a/security/nss/cmd/lib/secutil.c +++ b/security/nss/cmd/lib/secutil.c @@ -51,6 +51,7 @@ #include "cryptohi.h" #include "secutil.h" #include "secpkcs7.h" +#include "secpkcs5.h" #include #if !defined(_WIN32_WCE) #include 
@@ -1431,13 +1432,160 @@ SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level) return SEC_OID_UNKNOWN; } +typedef struct secuPBEParamsStr { + SECItem salt; + SECItem iterationCount; + SECItem keyLength; + SECAlgorithmID cipherAlg; + SECAlgorithmID kdfAlg; +} secuPBEParams; + +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate); + +/* SECOID_PKCS5_PBKDF2 */ +const SEC_ASN1Template secuKDF2Params[] = +{ + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) }, + { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) }, + { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) }, + { SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { 0 } +}; + +/* PKCS5v1 & PKCS12 */ +const SEC_ASN1Template secuPBEParamsTemp[] = +{ + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) }, + { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) }, + { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) }, + { 0 } +}; + +/* SEC_OID_PKCS5_PBES2, SEC_OID_PKCS5_PBMAC1 */ +const SEC_ASN1Template secuPBEV2Params[] = +{ + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams)}, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { 0 } +}; + +void +secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level) +{ + PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + SECStatus rv; + secuPBEParams param; + + if (m) { + SECU_Indent(out, level); + fprintf (out, "%s:\n", m); + } + + if (!pool) { + SECU_Indent(out, level); + fprintf(out, "Out of memory\n"); + return; + } + + PORT_Memset(¶m, 0, sizeof param); + rv = SEC_QuickDERDecodeItem(pool, ¶m, secuKDF2Params, value); + if (rv == SECSuccess) { + SECU_PrintAsHex(out, ¶m.salt, "Salt", level+1); + SECU_PrintInteger(out, 
¶m.iterationCount, "Iteration Count", + level+1); + SECU_PrintInteger(out, ¶m.keyLength, "Key Length", level+1); + SECU_PrintAlgorithmID(out, ¶m.kdfAlg, "KDF algorithm", level+1); + } + PORT_FreeArena(pool, PR_FALSE); +} + +void +secu_PrintPKCS5V2Params(FILE *out, SECItem *value, char *m, int level) +{ + PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + SECStatus rv; + secuPBEParams param; + + if (m) { + SECU_Indent(out, level); + fprintf (out, "%s:\n", m); + } + + if (!pool) { + SECU_Indent(out, level); + fprintf(out, "Out of memory\n"); + return; + } + + PORT_Memset(¶m, 0, sizeof param); + rv = SEC_QuickDERDecodeItem(pool, ¶m, secuPBEV2Params, value); + if (rv == SECSuccess) { + SECU_PrintAlgorithmID(out, ¶m.kdfAlg, "KDF", level+1); + SECU_PrintAlgorithmID(out, ¶m.cipherAlg, "Cipher", level+1); + } + PORT_FreeArena(pool, PR_FALSE); +} + +void +secu_PrintPBEParams(FILE *out, SECItem *value, char *m, int level) +{ + PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + SECStatus rv; + secuPBEParams param; + + if (m) { + SECU_Indent(out, level); + fprintf (out, "%s:\n", m); + } + + if (!pool) { + SECU_Indent(out, level); + fprintf(out, "Out of memory\n"); + return; + } + + PORT_Memset(¶m, 0, sizeof(secuPBEParams)); + rv = SEC_QuickDERDecodeItem(pool, ¶m, secuPBEParamsTemp, value); + if (rv == SECSuccess) { + SECU_PrintAsHex(out, ¶m.salt, "Salt", level+1); + SECU_PrintInteger(out, ¶m.iterationCount, "Iteration Count", + level+1); + } + PORT_FreeArena(pool, PR_FALSE); +} /* This function does NOT expect a DER type and length. 
*/ void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level) { + SECOidTag algtag; SECU_PrintObjectID(out, &a->algorithm, m, level); + algtag = SECOID_GetAlgorithmTag(a); + if (SEC_PKCS5IsAlgorithmPBEAlgTag(algtag)) { + switch (algtag) { + case SEC_OID_PKCS5_PBKDF2: + secu_PrintKDF2Params(out, &a->parameters, "Parameters", level+1); + break; + case SEC_OID_PKCS5_PBES2: + secu_PrintPKCS5V2Params(out, &a->parameters, "Encryption", level+1); + break; + case SEC_OID_PKCS5_PBMAC1: + secu_PrintPKCS5V2Params(out, &a->parameters, "MAC", level+1); + break; + default: + secu_PrintPBEParams(out, &a->parameters, "Parameters", level+1); + break; + } + return; + } + + if (a->parameters.len == 0 || (a->parameters.len == 2 && PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) { @@ -3079,6 +3227,36 @@ loser: } SECStatus +SEC_PrintCertificateAndTrust(CERTCertificate *cert, + const char *label, + CERTCertTrust *trust) +{ + SECStatus rv; + SECItem data; + + data.data = cert->derCert.data; + data.len = cert->derCert.len; + + rv = SECU_PrintSignedData(stdout, &data, label, 0, + SECU_PrintCertificate); + if (rv) { + return(SECFailure); + } + if (trust) { + SECU_PrintTrustFlags(stdout, trust, + "Certificate Trust Flags", 1); + } else if (cert->trust) { + SECU_PrintTrustFlags(stdout, cert->trust, + "Certificate Trust Flags", 1); + } + + printf("\n"); + + return(SECSuccess); +} + + +SECStatus SECU_ParseCommandLine(int argc, char **argv, char *progName, const secuCommand *cmd) { @@ -3373,10 +3551,8 @@ SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle, PRTime datetime) { CERTVerifyLog log; - CERTVerifyLogNode *node = NULL; - unsigned int depth = (unsigned int)-1; - unsigned int flags = 0; - char * errstr = NULL; + CERTVerifyLogNode *node; + PRErrorCode err = PORT_GetError(); log.arena = PORT_NewArena(512); 
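Review bot: `secuKDF2Params` declares `keyLength` and the PRF AlgorithmIdentifier as mandatory, whereas PBKDF2-params in PKCS #5 v2.0 makes keyLength OPTIONAL and gives prf a default, so encodings that omit either field will fail SEC_QuickDERDecodeItem. When decoding fails, all three secu_Print*Params helpers print only the label and nothing else, which in a dump tool looks like empty parameters rather than a decode failure. Marking the field `SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL` (and, if the decoder permits it, the inline sub-template as well) and adding an else branch such as `SECU_Indent(out, level+1); fprintf(out, "(could not decode parameters)\n");` would address both. The templates and helpers appear to be used only in this file and could be `static`. SECU_PrintAlgorithmID continues past the end of the hunk.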
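Review bot: The new helper is named `SEC_PrintCertificateAndTrust`, while the other exports of secutil.c visible in this patch use the `SECU_` prefix; `SEC_` reads as an API of the NSS library itself. Renaming it `SECU_PrintCertificateAndTrust` here, in secutil.h and at the call in listCerts would keep the convention. It also writes to `stdout` unconditionally and dereferences `cert` without a NULL check, unlike neighbours that take a `FILE *out`; a one-line comment stating both assumptions would help callers.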
@@ -3384,9 +3560,29 @@ SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle, log.count = 0; CERT_VerifyCertificate(handle, cert, checksig, certUsage, datetime, pinArg, &log, NULL); - if (log.count > 0) { + SECU_displayVerifyLog(outfile, &log, verbose); + + for (node = log.head; node; node = node->next) { + if (node->cert) + CERT_DestroyCertificate(node->cert); + } + PORT_FreeArena(log.arena, PR_FALSE); + + PORT_SetError(err); /* restore original error code */ +} + +void +SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log, + PRBool verbose) +{ + CERTVerifyLogNode *node = NULL; + unsigned int depth = (unsigned int)-1; + unsigned int flags = 0; + char * errstr = NULL; + + if (log->count > 0) { fprintf(outfile,"PROBLEM WITH THE CERT CHAIN:\n"); - for (node = log.head; node; node = node->next) { + for (node = log->head; node; node = node->next) { if (depth != node->depth) { depth = node->depth; fprintf(outfile,"CERT %d. %s %s:\n", depth, @@ -3462,10 +3658,8 @@ SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle, if (errstr) { fprintf(stderr," %s\n",errstr); } - CERT_DestroyCertificate(node->cert); } } - PORT_SetError(err); /* restore original error code */ } void @@ -3505,7 +3699,7 @@ SECU_StringToSignatureAlgTag(const char *alg) SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl, PRFileDesc *outFile, - const PRBool ascii, char *url) + PRBool ascii, char *url) { PORT_Assert(derCrl != NULL); if (!derCrl) { 
@@ -3810,3 +4004,53 @@ SECU_SECItemToHex(const SECItem * item, char * dst) *dst = '\0'; } } + +static unsigned char nibble(char c) { + c = PORT_Tolower(c); + return ( c >= '0' && c <= '9') ? c - '0' : + ( c >= 'a' && c <= 'f') ? c - 'a' +10 : -1; +} + +SECStatus +SECU_SECItemHexStringToBinary(SECItem* srcdest) +{ + int i; + + if (!srcdest) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + if (srcdest->len < 4 || (srcdest->len % 2) ) { + /* too short to convert, or even number of characters */ + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + if (PORT_Strncasecmp((const char*)srcdest->data, "0x", 2)) { + /* wrong prefix */ + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + + /* 1st pass to check for hex characters */ + for (i=2; ilen; i++) { + char c = PORT_Tolower(srcdest->data[i]); + if (! ( ( c >= '0' && c <= '9') || + ( c >= 'a' && c <= 'f') + ) ) { + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + } + + /* 2nd pass to convert */ + for (i=2; ilen; i+=2) { + srcdest->data[(i-2)/2] = (nibble(srcdest->data[i]) << 4) + + nibble(srcdest->data[i+1]); + } + + /* adjust length */ + srcdest->len -= 2; + srcdest->len /= 2; + return SECSuccess; +} + diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h index e3f4b95..d96116e 100644 --- a/security/nss/cmd/lib/secutil.h +++ b/security/nss/cmd/lib/secutil.h 
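Review bot: The comment on the length check in `SECU_SECItemHexStringToBinary` says "even number of characters", but `srcdest->len % 2` rejects an odd length; it should read `/* too short to convert, or odd number of characters */`. `nibble()` returns `-1` through an `unsigned char`, i.e. 255, which is harmless only because the first pass rejects non-hex bytes before the conversion pass runs. A one-line comment on `nibble()` saying that callers must validate the input first would stop a later caller from shifting 255 into the output. The loop conditions in this hunk are garbled on this page, so the bounds could not be checked here.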
@@ -178,18 +178,25 @@ extern void SECU_PrintSystemError(char *progName, char *msg, ...); /* Return informative error string */ extern const char * SECU_Strerror(PRErrorCode errNum); -/* print information about cert verification failure at time == now */ +/* revalidate the cert and print information about cert verification + * failure at time == now */ extern void SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle, CERTCertificate *cert, PRBool checksig, SECCertificateUsage certUsage, void *pinArg, PRBool verbose); -/* print information about cert verification failure at specified time */ +/* revalidate the cert and print information about cert verification + * failure at specified time */ extern void SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle, CERTCertificate *cert, PRBool checksig, SECCertificateUsage certUsage, void *pinArg, PRBool verbose, PRTime datetime); +/* print out CERTVerifyLog info. */ +extern void +SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log, + PRBool verbose); + /* Read the contents of a file into a SECItem */ extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src); extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src); @@ -287,6 +294,11 @@ extern SECStatus SECU_PKCS11Init(PRBool readOnly); extern int SECU_PrintSignedData(FILE *out, SECItem *der, char *m, int level, SECU_PPFunc inner); +/* Print cert data and its trust flags */ +extern SECStatus SEC_PrintCertificateAndTrust(CERTCertificate *cert, + const char *label, + CERTCertTrust *trust); + extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level); extern void @@ -327,7 +339,7 @@ extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg); * encodes with base64 and exports to file if ascii flag is set * and file is not NULL. */ extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl, - PRFileDesc *outFile, int ascii, char *url); + PRFileDesc *outFile, PRBool ascii, char *url); /* 
@@ -391,6 +403,11 @@ SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle, void SECU_SECItemToHex(const SECItem * item, char * dst); +/* Requires 0x prefix. Case-insensitive. Will do in-place replacement if + * successful */ +SECStatus +SECU_SECItemHexStringToBinary(SECItem* srcdest); + /* * * Utilities for parsing security tools command lines diff --git a/security/nss/cmd/pk12util/pk12util.c b/security/nss/cmd/pk12util/pk12util.c index 147f8b3..e001dbf 100644 --- a/security/nss/cmd/pk12util/pk12util.c +++ b/security/nss/cmd/pk12util/pk12util.c @@ -42,6 +42,7 @@ #include "pk12util.h" #include "nss.h" #include "secport.h" +#include "secpkcs5.h" #include "certdb.h" #define PKCS12_IN_BUFFER_SIZE 200 @@ -66,6 +67,7 @@ Usage(char *progName) FPS "Usage: %s -o exportfile -n certname [-d certdir] [-P dbprefix] [-v]\n", progName); + FPS "\t\t [-c key_cipher] [-C cert_cipher] [-k key_leng]\n"); FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n"); exit(PK12UERR_USAGE); @@ -592,7 +594,8 @@ p12u_WriteToExportFile(void *arg, const char *buf, unsigned long len) void P12U_ExportPKCS12Object(char *nn, char *outfile, PK11SlotInfo *inSlot, - secuPWData *slotPw, secuPWData *p12FilePw) + SECOidTag cipher, SECOidTag certCipher, + secuPWData *slotPw, secuPWData *p12FilePw) { SEC_PKCS12ExportContext *p12ecx = NULL; SEC_PKCS12SafeInfo *keySafe = NULL, *certSafe = NULL; @@ -676,11 +679,11 @@ P12U_ExportPKCS12Object(char *nn, char *outfile, PK11SlotInfo *inSlot, } keySafe = SEC_PKCS12CreateUnencryptedSafe(p12ecx); - if(/*!SEC_PKCS12IsEncryptionAllowed() || */ PK11_IsFIPS()) { + if(certCipher == SEC_OID_UNKNOWN) { certSafe = keySafe; } else { - certSafe = SEC_PKCS12CreatePasswordPrivSafe(p12ecx, pwitem, - SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC); + certSafe = + SEC_PKCS12CreatePasswordPrivSafe(p12ecx, pwitem, certCipher); } if(!certSafe || !keySafe) { 
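Review bot: The line added to `Usage()` documents `-k key_leng` directly above the existing `[-k slotpwfile | -K slotpw]`, and the `pk12util_options[]` hunk further down registers `opt_KeyLength` as `'k'` and `opt_CertKeyLength` as `'K'`, so the same letters name both a password source and a key length. Unless the slot-password entries (not visible in these hunks) were changed as well, one option of each pair is presumably unreachable, or a password argument ends up parsed as a length. The new options need distinct letters, and the usage line should also list the cert key length option and spell `key_len`.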
@@ -690,8 +693,7 @@ P12U_ExportPKCS12Object(char *nn, char *outfile, PK11SlotInfo *inSlot, } if(SEC_PKCS12AddCertAndKey(p12ecx, certSafe, NULL, cert, - CERT_GetDefaultCertDB(), keySafe, NULL, PR_TRUE, pwitem, - SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC) + CERT_GetDefaultCertDB(), keySafe, NULL, PR_TRUE, pwitem, cipher) != SECSuccess) { SECU_PrintError(progName,"add cert and key failed"); pk12uErrno = PK12UERR_ADDCERTKEY; @@ -785,6 +787,10 @@ P12U_ListPKCS12File(char *in_file, PK11SlotInfo *slot, printf(" Friendly Name: %s\n\n", dip->friendlyName->data); } + if (dip->shroudAlg) { + SECU_PrintAlgorithmID(stdout, dip->shroudAlg, + "Encryption algorithm",1); + } break; case SEC_OID_PKCS12_V1_KEY_BAG_ID: case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: @@ -796,6 +802,10 @@ P12U_ListPKCS12File(char *in_file, PK11SlotInfo *slot, printf(" Friendly Name: %s\n\n", dip->friendlyName->data); } + if (dip->shroudAlg) { + SECU_PrintAlgorithmID(stdout, dip->shroudAlg, + "Encryption algorithm",1); + } break; default: printf("unknown bag type(%d): %s\n\n", dip->type, 
@@ -819,6 +829,54 @@ loser: return rv; } +/* + * use the oid table description to map a user input string to a particular + * oid. + */ +SECOidTag +PKCS12U_MapCipherFromString(char *cipherString, int keyLen) +{ + SECOidTag tag; + SECOidData *oid; + SECOidTag cipher; + + /* future enhancement: accept dotted oid spec? */ + + /* future enhancement: provide 'friendlier' typed in names for + * pbe mechanisms. + */ + + /* look for the oid tag by Description */ + cipher = SEC_OID_UNKNOWN; + for (tag=1; (oid=SECOID_FindOIDByTag(tag)) != NULL ; tag++) { + /* only interested in oids that we actually understand */ + if (oid->mechanism == CKM_INVALID_MECHANISM) { + continue; + } + if (PORT_Strcasecmp(oid->desc, cipherString) != 0) { + continue; + } + /* we found a match... get the PBE version of this + * cipher... */ + if (!SEC_PKCS5IsAlgorithmPBEAlgTag(tag)) { + cipher = SEC_PKCS5GetPBEAlgorithm(tag, keyLen); + /* no eqivalent PKCS5/PKCS12 cipher, use the raw + * encryption tag we got and pass it directly in, + * pkcs12 will use the pkcsv5 mechanism */ + if (cipher == SEC_OID_PKCS5_PBES2) { + cipher = tag; + } else if (cipher == SEC_OID_PKCS5_PBMAC1) { + /* make sure we have not macing ciphers here */ + cipher = SEC_OID_UNKNOWN; + } + } else { + cipher = tag; + } + break; + } + return cipher; +} + static void p12u_EnableAllCiphers() { @@ -871,7 +929,11 @@ enum { opt_P12FilePWFile, opt_P12FilePW, opt_DBPrefix, - opt_Debug + opt_Debug, + opt_Cipher, + opt_CertCipher, + opt_KeyLength, + opt_CertKeyLength }; static secuCommandFlag pk12util_options[] = 
@@ -888,7 +950,11 @@ static secuCommandFlag pk12util_options[] = { /* opt_P12FilePWFile */ 'w', PR_TRUE, 0, PR_FALSE }, { /* opt_P12FilePW */ 'W', PR_TRUE, 0, PR_FALSE }, { /* opt_DBPrefix */ 'P', PR_TRUE, 0, PR_FALSE }, - { /* opt_Debug */ 'v', PR_FALSE, 0, PR_FALSE } + { /* opt_Debug */ 'v', PR_FALSE, 0, PR_FALSE }, + { /* opt_Cipher */ 'c', PR_TRUE, 0, PR_FALSE }, + { /* opt_CertCipher */ 'C', PR_TRUE, 0, PR_FALSE }, + { /* opt_KeyLength */ 'k', PR_TRUE, 0, PR_FALSE }, + { /* opt_CertKeyLength */ 'K', PR_TRUE, 0, PR_FALSE } }; int @@ -902,6 +968,11 @@ main(int argc, char **argv) char *export_file = NULL; char *dbprefix = ""; SECStatus rv; + SECOidTag cipher = + SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC; + SECOidTag certCipher; + int keyLen = 0; + int certKeyLen = 0; secuCommand pk12util; pk12util.numCommands = 0; @@ -966,6 +1037,13 @@ main(int argc, char **argv) if (pk12util.options[opt_Raw].activated) { dumpRawFile = PR_TRUE; } + if (pk12util.options[opt_KeyLength].activated) { + keyLen = atoi(pk12util.options[opt_KeyLength].arg); + } + if (pk12util.options[opt_CertKeyLength].activated) { + certKeyLen = atoi(pk12util.options[opt_CertKeyLength].arg); + } + P12U_Init(SECU_ConfigDirectory(NULL), dbprefix, pk12util.options[opt_List].activated); 
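Review bot: `keyLen = atoi(pk12util.options[opt_KeyLength].arg);` and the matching `certKeyLen` line accept any string: `atoi` yields 0 for non-numeric input and lets negative values through to `PKCS12U_MapCipherFromString`. Because the value selects the strength of the PBE cipher, a typo should be an error rather than a silent fallback; `if (keyLen <= 0) Usage(progName);` after each conversion would do. How `SEC_PKCS5GetPBEAlgorithm` treats a zero or negative length is not shown on this page.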
@@ -980,13 +1058,49 @@ main(int argc, char **argv) goto done; } + if (pk12util.options[opt_Cipher].activated) { + char *cipherString = pk12util.options[opt_Cipher].arg; + + cipher = PKCS12U_MapCipherFromString(cipherString, keyLen); + /* We only want encryption PBE's. make sure we don't have + * any MAC pbes */ + if (cipher == SEC_OID_UNKNOWN) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + SECU_PrintError(progName, "Algorithm: \"%s\"", cipherString); + pk12uErrno = PK12UERR_INVALIDALGORITHM; + goto done; + } + } + + certCipher = PK11_IsFIPS() ? SEC_OID_UNKNOWN : + SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC; + if (pk12util.options[opt_CertCipher].activated) { + char *cipherString = pk12util.options[opt_CertCipher].arg; + + if (PORT_Strcasecmp(cipherString, "none") == 0) { + certCipher = SEC_OID_UNKNOWN; + } else { + certCipher = PKCS12U_MapCipherFromString(cipherString, certKeyLen); + /* If the user requested a cipher and we didn't find it, then + * don't just silently not encrypt. */ + if (cipher == SEC_OID_UNKNOWN) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + SECU_PrintError(progName, "Algorithm: \"%s\"", cipherString); + pk12uErrno = PK12UERR_INVALIDALGORITHM; + goto done; + } + } + } + + if (pk12util.options[opt_Import].activated) { - P12U_ImportPKCS12Object(import_file, slot, &slotPw, + P12U_ImportPKCS12Object(import_file, slot, &slotPw, &p12FilePw); } else if (pk12util.options[opt_Export].activated) { P12U_ExportPKCS12Object(pk12util.options[opt_Nickname].arg, - export_file, slot, &slotPw, &p12FilePw); + export_file, slot, cipher, certCipher, + &slotPw, &p12FilePw); } else if (pk12util.options[opt_List].activated) { P12U_ListPKCS12File(import_file, slot, &slotPw, &p12FilePw); diff --git a/security/nss/cmd/pk12util/pk12util.h b/security/nss/cmd/pk12util/pk12util.h index faf0c1f..53751a3 100644 --- a/security/nss/cmd/pk12util/pk12util.h +++ b/security/nss/cmd/pk12util/pk12util.h 
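Review bot: In the `-C` branch the not-found test reads `if (cipher == SEC_OID_UNKNOWN)`, but the value just assigned is `certCipher`, so an unrecognised cert cipher name is never reported. `certCipher` then stays `SEC_OID_UNKNOWN`, which the export hunk turns into `certSafe = keySafe`, meaning the certificate safe is written without the requested password encryption. That is exactly the silent fallback the comment above the test says must not happen. The test should be `if (certCipher == SEC_OID_UNKNOWN) {`. Separately, the non-FIPS default remains `SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC`; a comment explaining why the 40-bit default is kept would help.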
@@ -61,6 +61,7 @@ #define PK12UERR_CERTKEYSAFE 27 #define PK12UERR_ADDCERTKEY 28 #define PK12UERR_ENCODE 29 +#define PK12UERR_INVALIDALGORITHM 30 /* additions for importing and exporting PKCS 12 files */ diff --git a/security/nss/cmd/vfychain/vfychain.c b/security/nss/cmd/vfychain/vfychain.c index 53ad006..3e4b459 100644 --- a/security/nss/cmd/vfychain/vfychain.c +++ b/security/nss/cmd/vfychain/vfychain.c @@ -101,14 +101,17 @@ Usage(const char *progName) fprintf(stderr, "Usage: %s [options] certfile [[options] certfile] ...\n" "\twhere options are:\n" - "\t-a\t\t following certfile is base64 encoded\n" + "\t-a\t\t Following certfile is base64 encoded\n" "\t-b YYMMDDHHMMZ\t Validate date (default: now)\n" "\t-d directory\t Database directory\n" - "\t-r\t\t following certfile is raw binary DER (default)\n" + "\t-o oid\t\t Set policy OID for cert validation(Format OID.1.2.3)\n" + "\t-p \t\t Use PKIX Library to validate certificate\n" + "\t-r\t\t Following certfile is raw binary DER (default)\n" "\t-u usage \t 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,\n" "\t\t\t 4=Email signer, 5=Email recipient, 6=Object signer,\n" "\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA\n" - "\t-v\t\t verbose mode\n" + "\t-v\t\t Verbose mode. Prints root cert subject(double the\n" + "\t\t\t argument for whole root cert info)\n" "\t-w password\t Database password\n", progName); exit(1); @@ -173,7 +176,7 @@ forgetCerts(void) CERTCertificate * -readCertFile(const char * fileName, PRBool isAscii) +getCert(const char *name, PRBool isAscii) { unsigned char * pb; CERTCertificate * cert = NULL; 
@@ -185,11 +188,21 @@ readCertFile(const char * fileName, PRBool isAscii) SECItem item; static unsigned char certBuf[RD_BUF_SIZE]; - fd = PR_Open(fileName, PR_RDONLY, 0777); + defaultDB = CERT_GetDefaultCertDB(); + + /* First, let's try to find the cert in existing DB. */ + cert = CERT_FindCertByNicknameOrEmailAddr(defaultDB, name); + if (cert) { + return cert; + } + + /* Don't have a cert with name "name" in the DB. Try to + * open a file with such name and get the cert from there.*/ + fd = PR_Open(name, PR_RDONLY, 0777); if (!fd) { PRIntn err = PR_GetError(); fprintf(stderr, "open of %s failed, %d = %s\n", - fileName, err, SECU_Strerror(err)); + name, err, SECU_Strerror(err)); return cert; } /* read until EOF or buffer is full */ @@ -201,7 +214,7 @@ readCertFile(const char * fileName, PRBool isAscii) if (cc < 0) { PRIntn err = PR_GetError(); fprintf(stderr, "read of %s failed, %d = %s\n", - fileName, err, SECU_Strerror(err)); + name, err, SECU_Strerror(err)); break; } /* cc > 0 */ @@ -211,12 +224,12 @@ readCertFile(const char * fileName, PRBool isAscii) if (cc < 0) return cert; if (!remaining || cc > 0) { /* file was too big. */ - fprintf(stderr, "cert file %s was too big.\n", fileName); + fprintf(stderr, "cert file %s was too big.\n", name); return cert; } total = pb - certBuf; if (!total) { /* file was empty */ - fprintf(stderr, "cert file %s was empty.\n", fileName); + fprintf(stderr, "cert file %s was empty.\n", name); return cert; } if (isAscii) { @@ -225,7 +238,6 @@ readCertFile(const char * fileName, PRBool isAscii) item.type = siBuffer; item.data = certBuf; item.len = total; - defaultDB = CERT_GetDefaultCertDB(); cert = CERT_NewTempCertificate(defaultDB, &item, NULL /* nickname */, PR_FALSE /* isPerm */, @@ -233,7 +245,7 @@ readCertFile(const char * fileName, PRBool isAscii) if (!cert) { PRIntn err = PR_GetError(); fprintf(stderr, "couldn't import %s, %d = %s\n", - fileName, err, SECU_Strerror(err)); + name, err, SECU_Strerror(err)); } return cert; } 
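Review bot: `getCert()` now tries `CERT_FindCertByNicknameOrEmailAddr(defaultDB, name)` before opening `name` as a file, so an argument meant as a path is silently satisfied by a database entry with the same nickname or e-mail address, and the file is never read. For a verification tool that leaves it unclear which certificate was checked. Either report the source used when verbose, or state the precedence in `Usage()`, which still calls the argument `certfile`. A comment such as `/* DB nickname/e-mail takes precedence over a file of the same name; isAscii is ignored on this path */` above the lookup would record the intent.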
@@ -243,10 +255,13 @@ main(int argc, char *argv[], char *envp[]) { char * certDir = NULL; char * progName = NULL; + char * oidStr = NULL; CERTCertificate * cert; CERTCertificate * firstCert = NULL; + CERTCertificate * issuerCert = NULL; CERTCertDBHandle * defaultDB = NULL; PRBool isAscii = PR_FALSE; + PRBool usePkix = PR_FALSE; SECStatus secStatus; SECCertificateUsage certUsage = certificateUsageSSLServer; PLOptState * optstate; @@ -254,12 +269,13 @@ main(int argc, char *argv[], char *envp[]) PLOptStatus status; int rv = 1; int usage; + CERTVerifyLog log; PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); progName = PL_strdup(argv[0]); - optstate = PL_CreateOptState(argc, argv, "ab:d:ru:w:v"); + optstate = PL_CreateOptState(argc, argv, "ab:d:o:pru:w:v"); while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch(optstate->option) { case 0 : /* positional parameter */ goto breakout; @@ -267,6 +283,8 @@ main(int argc, char *argv[], char *envp[]) case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value); if (secStatus != SECSuccess) Usage(progName); break; case 'd' : certDir = PL_strdup(optstate->value); break; + case 'o' : oidStr = PL_strdup(optstate->value); break; + case 'p' : usePkix = PR_TRUE; break; case 'r' : isAscii = PR_FALSE; break; case 'u' : usage = PORT_Atoi(optstate->value); if (usage < 0 || usage > 62) Usage(progName); @@ -305,7 +323,7 @@ breakout: case 'a' : isAscii = PR_TRUE; break; case 'r' : isAscii = PR_FALSE; break; case 0 : /* positional parameter */ - cert = readCertFile(optstate->value, isAscii); + cert = getCert(optstate->value, isAscii); if (!cert) goto punt; rememberCert(cert); 
@@ -322,27 +340,123 @@ breakout: if (!time) time = PR_Now(); - /* NOW, verify the cert chain. */ - defaultDB = CERT_GetDefaultCertDB(); - secStatus = CERT_VerifyCertificate(defaultDB, firstCert, - PR_TRUE /* check sig */, - certUsage, - time, - NULL, /* wincx */ - NULL, /* error log */ - NULL); /* returned usages */ - - if (secStatus != SECSuccess) { + /* Initialize log structure */ + log.arena = PORT_NewArena(512); + log.head = log.tail = NULL; + log.count = 0; + + if (!usePkix) { + /* NOW, verify the cert chain. */ + defaultDB = CERT_GetDefaultCertDB(); + secStatus = CERT_VerifyCertificate(defaultDB, firstCert, + PR_TRUE /* check sig */, + certUsage, + time, + NULL, /* wincx */ + &log, /* error log */ + NULL);/* returned usages */ + } else do { + CERTValOutParam cvout[3]; + CERTValInParam cvin[3]; + SECOidTag oidTag; + int inParamIndex = 0; + + if (oidStr) { + PRArenaPool *arena; + SECOidData od; + memset(&od, 0, sizeof od); + od.offset = SEC_OID_UNKNOWN; + od.desc = "User Defined Policy OID"; + od.mechanism = CKM_INVALID_MECHANISM; + od.supportedExtension = INVALID_CERT_EXTENSION; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if ( !arena ) { + fprintf(stderr, "out of memory"); + goto punt; + } + + secStatus = SEC_StringToOID(arena, &od.oid, oidStr, 0); + if (secStatus != SECSuccess) { + PORT_FreeArena(arena, PR_FALSE); + fprintf(stderr, "Can not encode oid: %s(%s)\n", oidStr, + SECU_Strerror(PORT_GetError())); + break; + } + + oidTag = SECOID_AddEntry(&od); + PORT_FreeArena(arena, PR_FALSE); + if (oidTag == SEC_OID_UNKNOWN) { + fprintf(stderr, "Can not add new oid to the dynamic " + "table: %s\n", oidStr); + secStatus = SECFailure; + break; + } + + cvin[0].type = cert_pi_policyOID; + cvin[0].value.arraySize = 1; + cvin[0].value.array.oids = &oidTag; + + inParamIndex = 1; + } + + cvin[inParamIndex].type = cert_pi_revocationFlags; + cvin[inParamIndex].value.scalar.ul = CERT_REV_FAIL_SOFT_CRL | + CERT_REV_FLAG_CRL; + cvin[inParamIndex + 1].type = cert_pi_end; 
+ + cvout[0].type = cert_po_trustAnchor; + + /* setting pointer to CERTVerifyLog. Initialized structure + * will be used CERT_PKIXVerifyCert */ + cvout[1].type = cert_po_errorLog; + cvout[1].value.pointer.log = &log; + + cvout[2].type = cert_po_end; + + secStatus = CERT_PKIXVerifyCert(firstCert, certUsage, + cvin, cvout, NULL); + if (secStatus != SECSuccess) { + break; + } + issuerCert = cvout[0].value.pointer.cert; + } while (0); + + /* Display validation results */ + if (secStatus != SECSuccess || log.count > 0) { + CERTVerifyLogNode *node = NULL; PRIntn err = PR_GetError(); fprintf(stderr, "Chain is bad, %d = %s\n", err, SECU_Strerror(err)); - SECU_printCertProblemsOnDate(stderr, defaultDB, firstCert, - PR_TRUE, certUsage, NULL, verbose, time); + + SECU_displayVerifyLog(stderr, &log, verbose); + /* Have cert refs in the log only in case of failure. + * Destroy them. */ + for (node = log.head; node; node = node->next) { + if (node->cert) + CERT_DestroyCertificate(node->cert); + } rv = 1; } else { fprintf(stderr, "Chain is good!\n"); + if (issuerCert && verbose) { + if (verbose > 1) { + rv = SEC_PrintCertificateAndTrust(issuerCert, "Root Certificate", + NULL); + if (rv != SECSuccess) { + SECU_PrintError(progName, "problem printing certificate"); + } + } else { + SECU_PrintName(stdout, &issuerCert->subject, "Root " + "Certificate Subject:", 0); + } + CERT_DestroyCertificate(issuerCert); + } rv = 0; } + /* Need to destroy CERTVerifyLog arena at the end */ + PORT_FreeArena(log.arena, PR_FALSE); + punt: forgetCerts(); if (NSS_Shutdown() != SECSuccess) { diff --git a/security/nss/lib/base/hash.c b/security/nss/lib/base/hash.c index 9ea796e..389c296 100644 --- a/security/nss/lib/base/hash.c +++ b/security/nss/lib/base/hash.c 
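Review bot: `oidStr` is consumed only inside the `else do { ... } while (0)` PKIX branch, so `-o` given without `-p` is parsed, ignored, and the run can still end with "Chain is good!" although the requested policy was never applied. The combination should be rejected after option parsing, e.g. `if (oidStr && !usePkix) Usage(progName);`. In the same hunk `log.arena = PORT_NewArena(512);` is not checked for NULL, and the out-of-memory `goto punt` jumps past `PORT_FreeArena(log.arena, PR_FALSE)`. The option parsing itself is in an earlier hunk of this file.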
@@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: hash.c,v $ $Revision: 1.9 $ $Date: 2005/01/20 02:25:45 $"; +static const char CVS_ID[] = "@(#) $RCSfile: hash.c,v $ $Revision: 1.11 $ $Date: 2008/02/03 01:59:48 $"; #endif /* DEBUG */ /* @@ -52,6 +52,8 @@ static const char CVS_ID[] = "@(#) $RCSfile: hash.c,v $ $Revision: 1.9 $ $Date: #include "base.h" #endif /* BASE_H */ +#include "prbit.h" + /* * nssHash * @@ -101,7 +103,7 @@ nss_item_hash NSSItem *it = (NSSItem *)key; h = 0; for (i=0; isize; i++) - h = (h >> 28) ^ (h << 4) ^ ((unsigned char *)it->data)[i]; + h = PR_ROTATE_LEFT32(h, 4) ^ ((unsigned char *)it->data)[i]; return h; } diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h index 1b8a76e..f87a7e9 100644 --- a/security/nss/lib/certdb/cert.h +++ b/security/nss/lib/certdb/cert.h @@ -37,7 +37,7 @@ /* * cert.h - public data structures and prototypes for the certificate library * - * $Id: cert.h,v 1.63 2008/01/08 07:33:58 kaie%kuix.de Exp $ + * $Id: cert.h,v 1.64 2008/02/16 01:17:43 julien.pierre.boogz%sun.com Exp $ */ #ifndef _CERT_H_ @@ -1258,10 +1258,6 @@ CERT_CheckForEvilCert(CERTCertificate *cert); CERTGeneralName * CERT_GetCertificateNames(CERTCertificate *cert, PRArenaPool *arena); - -SECStatus -CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue); - char * CERT_GetNickName(CERTCertificate *cert, CERTCertDBHandle *handle, PRArenaPool *nicknameArena); diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c index c3e60a9..b2683bb 100644 --- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -38,7 +38,7 @@ /* * Certificate handling code * - * $Id: certdb.c,v 1.89 2008/01/08 08:39:34 kaie%kuix.de Exp $ + * $Id: certdb.c,v 1.90 2008/02/16 04:38:05 julien.pierre.boogz%sun.com Exp $ */ #include "nssilock.h" 
@@ -61,7 +61,6 @@ #include "portreg.h" #include "secerr.h" #include "sslerr.h" -#include "nsslocks.h" #include "pk11func.h" #include "xconst.h" /* for CERT_DecodeAltNameExtension */ diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c index 948e9e8..0a68b26 100644 --- a/security/nss/lib/certdb/crl.c +++ b/security/nss/lib/certdb/crl.c @@ -37,7 +37,7 @@ /* * Moved from secpkcs7.c * - * $Id: crl.c,v 1.57 2007/10/12 01:44:40 julien.pierre.boogz%sun.com Exp $ + * $Id: crl.c,v 1.58 2008/02/08 02:50:43 julien.pierre.boogz%sun.com Exp $ */ #include "cert.h" @@ -103,8 +103,8 @@ static const SEC_ASN1Template cert_KrlEntryTemplate[] = { { 0 } }; -SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate); -SEC_ASN1_MKSUB(CERT_TimeChoiceTemplate); +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) +SEC_ASN1_MKSUB(CERT_TimeChoiceTemplate) static const SEC_ASN1Template cert_KrlTemplate[] = { { SEC_ASN1_SEQUENCE, diff --git a/security/nss/lib/certdb/genname.c b/security/nss/lib/certdb/genname.c index 332541a..21c89fe 100644 --- a/security/nss/lib/certdb/genname.c +++ b/security/nss/lib/certdb/genname.c @@ -49,11 +49,11 @@ #include "prprf.h" #include "genname.h" -SEC_ASN1_MKSUB(SEC_AnyTemplate); -SEC_ASN1_MKSUB(SEC_IntegerTemplate); -SEC_ASN1_MKSUB(SEC_IA5StringTemplate); -SEC_ASN1_MKSUB(SEC_ObjectIDTemplate); -SEC_ASN1_MKSUB(SEC_OctetStringTemplate); +SEC_ASN1_MKSUB(SEC_AnyTemplate) +SEC_ASN1_MKSUB(SEC_IntegerTemplate) +SEC_ASN1_MKSUB(SEC_IA5StringTemplate) +SEC_ASN1_MKSUB(SEC_ObjectIDTemplate) +SEC_ASN1_MKSUB(SEC_OctetStringTemplate) static const SEC_ASN1Template CERTNameConstraintTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraint) }, diff --git a/security/nss/lib/certdb/polcyxtn.c b/security/nss/lib/certdb/polcyxtn.c index 64f0f94..812f4ba 100644 --- a/security/nss/lib/certdb/polcyxtn.c +++ b/security/nss/lib/certdb/polcyxtn.c 
@@ -37,7 +37,7 @@ /* * Support for various policy related extensions * - * $Id: polcyxtn.c,v 1.9 2007/10/12 01:44:40 julien.pierre.boogz%sun.com Exp $ + * $Id: polcyxtn.c,v 1.11 2008/02/13 04:03:19 julien.pierre.boogz%sun.com Exp $ */ #include "seccomon.h" @@ -49,8 +49,8 @@ #include "secerr.h" #include "nspr.h" -SEC_ASN1_MKSUB(SEC_IntegerTemplate); -SEC_ASN1_MKSUB(SEC_ObjectIDTemplate); +SEC_ASN1_MKSUB(SEC_IntegerTemplate) +SEC_ASN1_MKSUB(SEC_ObjectIDTemplate) const SEC_ASN1Template CERT_DisplayTextTypeTemplate[] = { { SEC_ASN1_CHOICE, offsetof(SECItem, type), 0, sizeof(SECItem) }, @@ -77,10 +77,11 @@ const SEC_ASN1Template CERT_UserNoticeTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTUserNotice) }, { SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL, + offsetof(CERTUserNotice, noticeReference), + CERT_NoticeReferenceTemplate, 0 }, + { SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL, offsetof(CERTUserNotice, displayText), CERT_DisplayTextTypeTemplate, 0 }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY, - offsetof(CERTUserNotice, derNoticeReference) }, { 0 } }; diff --git a/security/nss/lib/certdb/secname.c b/security/nss/lib/certdb/secname.c index 4db90bc..fedba71 100644 --- a/security/nss/lib/certdb/secname.c +++ b/security/nss/lib/certdb/secname.c @@ -589,7 +589,7 @@ CERT_CompareRDN(CERTRDN *a, CERTRDN *b) } } if (!bava) /* didn't find a match */ - break; + return SECGreaterThan; } return rv; } diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c index 715215e..8d1bd63 100644 --- a/security/nss/lib/certdb/stanpcertdb.c +++ b/security/nss/lib/certdb/stanpcertdb.c @@ -48,7 +48,6 @@ #include "secerr.h" #include "nssilock.h" #include "prmon.h" -#include "nsslocks.h" #include "base64.h" #include "sechash.h" #include "plhash.h" diff --git a/security/nss/lib/certdb/xauthkid.c b/security/nss/lib/certdb/xauthkid.c index 91cda22..2e7a9a3 100644 --- a/security/nss/lib/certdb/xauthkid.c +++ b/security/nss/lib/certdb/xauthkid.c 
@@ -51,8 +51,8 @@ #include "genname.h" #include "secerr.h" -SEC_ASN1_MKSUB(SEC_IntegerTemplate); -SEC_ASN1_MKSUB(SEC_OctetStringTemplate); +SEC_ASN1_MKSUB(SEC_IntegerTemplate) +SEC_ASN1_MKSUB(SEC_OctetStringTemplate) const SEC_ASN1Template CERTAuthKeyIDTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTAuthKeyID) }, diff --git a/security/nss/lib/certdb/xconst.c b/security/nss/lib/certdb/xconst.c index 6b65d75..226b04e 100644 --- a/security/nss/lib/certdb/xconst.c +++ b/security/nss/lib/certdb/xconst.c @@ -63,7 +63,7 @@ static const SEC_ASN1Template CERTIA5TypeTemplate[] = { { SEC_ASN1_IA5_STRING } }; -SEC_ASN1_MKSUB(SEC_GeneralizedTimeTemplate); +SEC_ASN1_MKSUB(SEC_GeneralizedTimeTemplate) static const SEC_ASN1Template CERTPrivateKeyUsagePeriodTemplate[] = { { SEC_ASN1_SEQUENCE, @@ -99,19 +99,16 @@ const SEC_ASN1Template CERTAuthInfoAccessTemplate[] = { SECStatus -CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue) +CERT_EncodeSubjectKeyID(PRArenaPool *arena, const SECItem* srcString, + SECItem *encodedValue) { - SECItem encodeContext; SECStatus rv = SECSuccess; - - PORT_Memset (&encodeContext, 0, sizeof (encodeContext)); - - if (value != NULL) { - encodeContext.data = (unsigned char *)value; - encodeContext.len = len; + if (!srcString) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } - if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext, + if (SEC_ASN1EncodeItem (arena, encodedValue, srcString, CERTSubjectKeyIDTemplate) == NULL) { rv = SECFailure; } diff --git a/security/nss/lib/certdb/xconst.h b/security/nss/lib/certdb/xconst.h index f1b1935..dfaf256 100644 --- a/security/nss/lib/certdb/xconst.h +++ b/security/nss/lib/certdb/xconst.h 
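Review bot: In the `xconst.c` hunk `CERT_EncodeSubjectKeyID` keeps its name while its parameters change from `(arena, char *value, int len, encodedValue)` to `(arena, const SECItem *srcString, encodedValue)`, and the prototype is dropped from `cert.h` in an earlier hunk. If the symbol is reachable from code outside this tree (not determinable from this page), an old caller that still links would pass a `char *` and a length where a `SECItem *` is now read. The old body also accepted `value == NULL` and encoded an empty item, whereas the new one fails with `SEC_ERROR_INVALID_ARGS`. A comment on the `xconst.h` prototype stating that `srcString` must be non-NULL would document that change.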
@@ -57,7 +57,7 @@ CERT_EncodeNameConstraintsExtension(PRArenaPool *arena, SECItem *encodedValue); extern SECStatus -CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, +CERT_EncodeSubjectKeyID(PRArenaPool *arena, const SECItem* srcString, SECItem *encodedValue); extern SECStatus diff --git a/security/nss/lib/certhigh/certhigh.c b/security/nss/lib/certhigh/certhigh.c index 17a86de..6f4963f 100644 --- a/security/nss/lib/certhigh/certhigh.c +++ b/security/nss/lib/certhigh/certhigh.c @@ -282,6 +282,26 @@ CERT_FindUserCertByUsage(CERTCertDBHandle *handle, } if ( cert != NULL ) { + unsigned int requiredKeyUsage; + unsigned int requiredCertType; + + rv = CERT_KeyUsageAndTypeForCertUsage(usage, PR_FALSE, + &requiredKeyUsage, &requiredCertType); + if ( rv != SECSuccess ) { + /* drop the extra reference */ + CERT_DestroyCertificate(cert); + cert = NULL; + goto loser; + } + /* If we already found the right cert, just return it */ + if ( (!validOnly || CERT_CheckCertValidTimes(cert, time, PR_FALSE) + == secCertTimeValid) && + (CERT_CheckKeyUsage(cert, requiredKeyUsage) == SECSuccess) && + (cert->nsCertType & requiredCertType) && + CERT_IsUserCert(cert) ) { + return(cert); + } + /* collect certs for this nickname, sorting them into the list */ certList = CERT_CreateSubjectCertList(certList, handle, &cert->derSubject, time, validOnly); diff --git a/security/nss/lib/certhigh/certreq.c b/security/nss/lib/certhigh/certreq.c index 21fbee6..fc7a7dd 100644 --- a/security/nss/lib/certhigh/certreq.c +++ b/security/nss/lib/certhigh/certreq.c @@ -42,7 +42,7 @@ #include "secasn1.h" #include "secerr.h" -SEC_ASN1_MKSUB(SEC_AnyTemplate); +SEC_ASN1_MKSUB(SEC_AnyTemplate) const SEC_ASN1Template CERT_AttributeTemplate[] = { { SEC_ASN1_SEQUENCE, diff --git a/security/nss/lib/certhigh/certvfy.c b/security/nss/lib/certhigh/certvfy.c index fbdecce..d6a44ed 100644 --- a/security/nss/lib/certhigh/certvfy.c +++ b/security/nss/lib/certhigh/certvfy.c 
@@ -1043,8 +1043,7 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert, /* make sure that the issuer is not self signed. If it is, then * stop here to prevent looping. */ - rvCompare = SECITEM_CompareItem(&cert->derSubject, &cert->derIssuer); - if (rvCompare == SECEqual) { + if (cert->isRoot) { PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER); LOG_ERROR(log, cert, 0, 0); goto loser; @@ -1973,8 +1972,7 @@ CERT_GetCertChainFromCert(CERTCertificate *cert, int64 time, SECCertUsage usage) return chain; } - if (SECITEM_CompareItem(&cert->derIssuer, &cert->derSubject) - == SECEqual) { + if (cert->isRoot) { /* return complete chain */ return chain; } diff --git a/security/nss/lib/certhigh/certvfypkix.c b/security/nss/lib/certhigh/certvfypkix.c index 8911014..7c267fa 100644 --- a/security/nss/lib/certhigh/certvfypkix.c +++ b/security/nss/lib/certhigh/certvfypkix.c @@ -1373,9 +1373,15 @@ PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plCon if (error == NULL) r = policyList; cleanup: + if (policyOID != NULL) { + PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOID, plContext); + } if (policyList != NULL) { PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyList, plContext); } + if (error != NULL) { + PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); + } return r; } @@ -1704,6 +1710,9 @@ SECStatus CERT_PKIXVerifyCert( r = SECSuccess; cleanup: + if (anchors != NULL) + PKIX_PL_Object_DecRef((PKIX_PL_Object *)anchors, plContext); + if (procParams != NULL) PKIX_PL_Object_DecRef((PKIX_PL_Object *)procParams, plContext); @@ -1725,6 +1734,9 @@ cleanup: if (certSelector != NULL) PKIX_PL_Object_DecRef((PKIX_PL_Object *)certSelector, plContext); + if (error != NULL) + PKIX_PL_Object_DecRef((PKIX_PL_Object *)error, plContext); + PKIX_PL_NssContext_Destroy(plContext); return r; diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c index 8181f4e..cf04f39 100644 --- a/security/nss/lib/certhigh/ocsp.c 
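Review bot: Both `certvfy.c` hunks replace the `derSubject`/`derIssuer` comparison with `cert->isRoot`, and in `CERT_VerifyCACertForUsage` that test is the guard the comment describes as "stop here to prevent looping". How `isRoot` is computed is not visible here; if it is anything narrower than subject equals issuer, a cert whose names match but which is not flagged would now get past the guard. The comment should state the invariant relied on, e.g. `/* isRoot is set whenever derSubject == derIssuer */`, once that is confirmed. `rvCompare` also looks unused after the first hunk, unless the rest of the function, which lies outside the hunk, still uses it.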
+++ b/security/nss/lib/certhigh/ocsp.c @@ -39,7 +39,7 @@ * Implementation of OCSP services, for both client and server. * (XXX, really, mostly just for client right now, but intended to do both.) * - * $Id: ocsp.c,v 1.46 2007/12/19 20:14:18 alexei.volkov.bugs%sun.com Exp $ + * $Id: ocsp.c,v 1.50 2008/02/13 15:29:12 kaie%kuix.de Exp $ */ #include "prerror.h" @@ -95,6 +95,9 @@ struct OCSPCacheItemStr { PRArenaPool *certStatusArena; /* NULL means: no cert status cached */ ocspCertStatus certStatus; + /* This may contain an error code when no OCSP response is available. */ + SECErrorCodes missingResponseError; + PRPackedBool haveThisUpdate; PRPackedBool haveNextUpdate; PRTime thisUpdate; @@ -155,10 +158,12 @@ ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle, #define OCSP_TRACE(msg) #define OCSP_TRACE_TIME(msg, time) #define OCSP_TRACE_CERT(cert) +#define OCSP_TRACE_CERTID(certid) #else #define OCSP_TRACE(msg) ocsp_Trace msg #define OCSP_TRACE_TIME(msg, time) ocsp_dumpStringWithTime(msg, time) #define OCSP_TRACE_CERT(cert) dumpCertificate(cert) +#define OCSP_TRACE_CERTID(certid) dumpCertID(certid) #if (defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) \ || defined(XP_MACOSX)) && !defined(_WIN32_WCE) @@ -218,9 +223,9 @@ printHexString(const char *prefix, SECItem *hexval) for (i = 0; i < hexval->len; i++) { if (i != hexval->len - 1) { - PR_sprintf_append(hexbuf, "%02x:", hexval->data[i]); + hexbuf = PR_sprintf_append(hexbuf, "%02x:", hexval->data[i]); } else { - PR_sprintf_append(hexbuf, "%02x", hexval->data[i]); + hexbuf = PR_sprintf_append(hexbuf, "%02x", hexval->data[i]); } } if (hexbuf) { 
@@ -254,6 +259,16 @@ dumpCertificate(CERTCertificate *cert) ocsp_Trace("OCSP ## ISSUER: %s\n", cert->issuerName); printHexString("OCSP ## SERIAL NUMBER:", &cert->serialNumber); } + +static void +dumpCertID(CERTOCSPCertID *certID) +{ + if (!wantOcspTrace()) + return; + + printHexString("OCSP certID issuer", &certID->issuerNameHash); + printHexString("OCSP certID serial", &certID->serialNumber); +} #endif SECStatus @@ -498,6 +513,7 @@ ocsp_FindCacheEntry(OCSPCacheData *cache, CERTOCSPCertID *certID) { OCSPCacheItem *found_ocsp_item = NULL; OCSP_TRACE(("OCSP ocsp_FindCacheEntry\n")); + OCSP_TRACE_CERTID(certID); PR_EnterMonitor(OCSP_Global.monitor); if (ocsp_IsCacheDisabled()) goto loser; @@ -592,7 +608,8 @@ ocsp_CreateCacheItemAndConsumeCertID(OCSPCacheData *cache, arena = certID->poolp; mark = PORT_ArenaMark(arena); - /* ZAlloc will init all Bools to False and all Pointers to NULL */ + /* ZAlloc will init all Bools to False and all Pointers to NULL + and all error codes to zero/good. */ item = (OCSPCacheItem *)PORT_ArenaZAlloc(certID->poolp, sizeof(OCSPCacheItem)); if (!item) { @@ -640,6 +657,7 @@ ocsp_SetCacheItemResponse(OCSPCacheItem *item, item->certStatusArena = NULL; return rv; } + item->missingResponseError = 0; rv = DER_GeneralizedTimeToTime(&item->thisUpdate, &response->thisUpdate); item->haveThisUpdate = (rv == SECSuccess); @@ -772,6 +790,8 @@ ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache, PR_ExitMonitor(OCSP_Global.monitor); return rv; } + } else { + cacheItem->missingResponseError = PORT_GetError(); } ocsp_FreshenCacheItemNextFetchAttemptTime(cacheItem); ocsp_CheckCacheSize(cache); 
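Review bot: `cacheItem->missingResponseError = PORT_GetError();` in the new `else` branch of ocsp_CreateOrUpdateCacheEntry (hunk at -772) reads the thread's last error late in the function, after whatever cache lookup or item creation precedes it, so the stored code may not be the one from the failed OCSP attempt. It can also be 0, which the patch uses elsewhere to mean "no error" (`item->missingResponseError = 0;` in ocsp_SetCacheItemResponse). Capturing the value on entry would make the cached code dependable: `const int savedError = PORT_GetError();` at the top, then `cacheItem->missingResponseError = savedError;` here. The function body starts outside the hunk, so the intervening calls are inferred rather than visible.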
@@ -949,13 +969,13 @@ typedef struct ocspCheckingContextStr { CERTCertificate *defaultResponderCert; } ocspCheckingContext; -SEC_ASN1_MKSUB(SEC_AnyTemplate); -SEC_ASN1_MKSUB(SEC_IntegerTemplate); -SEC_ASN1_MKSUB(SEC_NullTemplate); -SEC_ASN1_MKSUB(SEC_OctetStringTemplate); -SEC_ASN1_MKSUB(SEC_PointerToAnyTemplate); -SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate); -SEC_ASN1_MKSUB(SEC_SequenceOfAnyTemplate); +SEC_ASN1_MKSUB(SEC_AnyTemplate) +SEC_ASN1_MKSUB(SEC_IntegerTemplate) +SEC_ASN1_MKSUB(SEC_NullTemplate) +SEC_ASN1_MKSUB(SEC_OctetStringTemplate) +SEC_ASN1_MKSUB(SEC_PointerToAnyTemplate) +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) +SEC_ASN1_MKSUB(SEC_SequenceOfAnyTemplate) SEC_ASN1_MKSUB(SEC_PointerToGeneralizedTimeTemplate) SEC_ASN1_MKSUB(SEC_PointerToEnumeratedTemplate) @@ -1722,8 +1742,6 @@ CERT_CreateOCSPCertID(CERTCertificate *cert, int64 time) return certID; } - - /* * Callback to set Extensions in request object */ @@ -1845,6 +1863,7 @@ ocsp_CreateSingleRequestList(PRArenaPool *arena, CERTCertList *certList, if (requestList[i] == NULL) goto loser; + OCSP_TRACE(("OCSP CERT_CreateOCSPRequest %s\n", node->cert->subjectName)); requestList[i]->arena = arena; requestList[i]->reqCert = ocsp_CreateCertID(arena, node->cert, time); if (requestList[i]->reqCert == NULL) @@ -1942,13 +1961,24 @@ loser: return NULL; } -static CERTOCSPRequest * +CERTOCSPRequest * cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID, CERTCertificate *singleCert, int64 time, - PRBool addServiceLocator) + PRBool addServiceLocator, + CERTCertificate *signerCert) { CERTOCSPRequest *request; + OCSP_TRACE(("OCSP cert_CreateSingleCertOCSPRequest %s\n", singleCert->subjectName)); + + /* XXX Support for signerCert may be implemented later, + * see also the comment in CERT_CreateOCSPRequest. + */ + if (signerCert != NULL) { + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); + return NULL; + } + request = ocsp_prepareEmptyOCSPRequest(); if (!request) return NULL; 
@@ -2012,17 +2042,14 @@ CERT_CreateOCSPRequest(CERTCertList *certList, int64 time, return NULL; } /* - * XXX This should set an error, but since it is only temporary and - * since PSM will not initially provide a way to turn on signing of - * requests anyway, I figure we can just skip defining an error that - * will be obsolete in the next release. When we are prepared to - * put signing of requests back in, this entire check will go away, - * and later in this function we will need to allocate a signature + * XXX When we are prepared to put signing of requests back in, + * we will need to allocate a signature * structure for the request, fill in the "derCerts" field in it, * save the signerCert there, as well as fill in the "requestorName" * field of the tbsRequest. */ if (signerCert != NULL) { + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); return NULL; } request = ocsp_prepareEmptyOCSPRequest(); @@ -3283,6 +3310,8 @@ fetchOcspHttpClientV1(PRArenaPool *arena, /* we don't want result objects larger than this: */ myHttpResponseDataLen = MAX_WANTED_OCSP_RESPONSE_LEN; + OCSP_TRACE(("OCSP trySendAndReceive %s\n", location)); + if ((*hcv1->trySendAndReceiveFcn)( pRequestSession, NULL, @@ -3295,6 +3324,8 @@ fetchOcspHttpClientV1(PRArenaPool *arena, goto loser; } + OCSP_TRACE(("OCSP trySendAndReceive result http %d\n", myHttpResponseCode)); + if (myHttpResponseCode != 200) { PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); goto loser; @@ -3456,7 +3487,7 @@ ocsp_GetEncodedOCSPResponseForSingleCert(PRArenaPool *arena, { CERTOCSPRequest *request; request = cert_CreateSingleCertOCSPRequest(certID, singleCert, time, - addServiceLocator); + addServiceLocator, NULL); if (!request) return NULL; return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, 
@@ -4535,32 +4566,44 @@ ocsp_CertHasGoodStatus(ocspCertStatus *status, int64 time) } static SECStatus -ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single, int64 time) +ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single, + int64 time) { return ocsp_CertHasGoodStatus(single->certStatus, time); } -/* return value SECFailure means: not found or not fresh */ -static SECStatus +/* Return value SECFailure means: not found or not fresh. + * On SECSuccess, the out parameters contain the OCSP status. + * rvOcsp contains the overall result of the OCSP operation. + * Depending on input parameter ignoreGlobalOcspFailureSetting, + * a soft failure might be converted into *rvOcsp=SECSuccess. + * If the cached attempt to obtain OCSP information had resulted + * in a failure, missingResponseError shows the error code of + * that failure. + */ +SECStatus ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID, int64 time, - SECStatus *rv_ocsp) + PRBool ignoreGlobalOcspFailureSetting, + SECStatus *rvOcsp, + SECErrorCodes *missingResponseError) { OCSPCacheItem *cacheItem = NULL; SECStatus rv = SECFailure; - if (!certID || !rv_ocsp) { + if (!certID || !missingResponseError || !rvOcsp) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } - *rv_ocsp = SECFailure; + *rvOcsp = SECFailure; + *missingResponseError = 0; PR_EnterMonitor(OCSP_Global.monitor); cacheItem = ocsp_FindCacheEntry(&OCSP_Global.cache, certID); if (cacheItem && ocsp_IsCacheItemFresh(cacheItem)) { /* having an arena means, we have a cached certStatus */ if (cacheItem->certStatusArena) { - *rv_ocsp = ocsp_CertHasGoodStatus(&cacheItem->certStatus, time); + *rvOcsp = ocsp_CertHasGoodStatus(&cacheItem->certStatus, time); rv = SECSuccess; } else { /* 
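Review bot: The new header comment on ocsp_GetCachedOCSPResponseStatusIfFresh says the out parameters are meaningful on SECSuccess, but the following hunk (at -4569) assigns `*missingResponseError = cacheItem->missingResponseError;` on a path where the return value stays SECFailure whenever `ignoreGlobalOcspFailureSetting` is true or the failure mode is strict. A caller therefore has to inspect `*missingResponseError` after SECFailure to tell a fresh cached failure from "not found or not fresh", and the comment does not say so. I would add a line such as `* On SECFailure, a non-zero *missingResponseError means a fresh cached failure exists.` and note that a cached code of 0 cannot be told apart from a cache miss.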
@@ -4569,11 +4612,13 @@ ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID, * However, if OCSP is optional, a recent OCSP failure is * an allowed good state. */ - if (OCSP_Global.ocspFailureMode == + if (!ignoreGlobalOcspFailureSetting && + OCSP_Global.ocspFailureMode == ocspMode_FailureIsNotAVerificationFailure) { rv = SECSuccess; - *rv_ocsp = SECSuccess; + *rvOcsp = SECSuccess; } + *missingResponseError = cacheItem->missingResponseError; } } PR_ExitMonitor(OCSP_Global.monitor); @@ -4637,7 +4682,8 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, CERTOCSPCertID *certID; PRBool certIDWasConsumed = PR_FALSE; SECStatus rv = SECFailure; - SECStatus rv_ocsp; + SECStatus rvOcsp; + SECErrorCodes dummy_error_code; /* we ignore this */ OCSP_TRACE_CERT(cert); OCSP_TRACE_TIME("## requested validity time:", time); @@ -4645,28 +4691,28 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, certID = CERT_CreateOCSPCertID(cert, time); if (!certID) return SECFailure; - rv = ocsp_GetCachedOCSPResponseStatusIfFresh(certID, time, &rv_ocsp); + rv = ocsp_GetCachedOCSPResponseStatusIfFresh( + certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */ + &rvOcsp, &dummy_error_code); if (rv == SECSuccess) { CERT_DestroyOCSPCertID(certID); - return rv_ocsp; + return rvOcsp; } rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg, - &certIDWasConsumed, &rv_ocsp); + &certIDWasConsumed, + &rvOcsp); if (rv != SECSuccess) { /* we were unable to obtain ocsp status */ PR_EnterMonitor(OCSP_Global.monitor); - if (OCSP_Global.ocspFailureMode == - ocspMode_FailureIsVerificationFailure) { - rv_ocsp = SECFailure; - } else { - rv_ocsp = SECSuccess; - } + rvOcsp = (OCSP_Global.ocspFailureMode + == ocspMode_FailureIsVerificationFailure) + ? SECFailure : SECSuccess; PR_ExitMonitor(OCSP_Global.monitor); } if (!certIDWasConsumed) { CERT_DestroyOCSPCertID(certID); } - return rv_ocsp; + return rvOcsp; } /* 
@@ -4878,18 +4924,90 @@ CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, CERTCertificate *signerCert, int64 time) { + /* + * We do not update the cache, because: + * + * CERT_GetOCSPStatusForCertID is an old exported API that was introduced + * before the OCSP cache got implemented. + * + * The implementation of helper function cert_ProcessOCSPResponse + * requires the ability to transfer ownership of the the given certID to + * the cache. The external API doesn't allow us to prevent the caller from + * destroying the certID. We don't have the original certificate available, + * therefore we are unable to produce another certID object (that could + * be stored in the cache). + * + * Should we ever implement code to produce a deep copy of certID, + * then this could be changed to allow updating the cache. + * The duplication would have to be done in + * cert_ProcessOCSPResponse, if the out parameter to indicate + * a transfer of ownership is NULL. + */ + return cert_ProcessOCSPResponse(handle, response, certID, + signerCert, time, + NULL, NULL); +} + +/* + * The first 5 parameters match the definition of CERT_GetOCSPStatusForCertID. + */ +SECStatus +cert_ProcessOCSPResponse(CERTCertDBHandle *handle, + CERTOCSPResponse *response, + CERTOCSPCertID *certID, + CERTCertificate *signerCert, + int64 time, + PRBool *certIDWasConsumed, + SECStatus *cacheUpdateStatus) +{ SECStatus rv; - CERTOCSPSingleResponse *single; + SECStatus rv_cache; + CERTOCSPSingleResponse *single = NULL; rv = ocsp_GetVerifiedSingleResponseForCertID(handle, response, certID, signerCert, time, &single); - if (rv != SECSuccess) - return rv; - /* - * Okay, the last step is to check whether the status says revoked, - * and if so how that compares to the time value passed into this routine. - */ - rv = ocsp_SingleResponseCertHasGoodStatus(single, time); + if (rv == SECSuccess) { + /* + * Check whether the status says revoked, and if so + * how that compares to the time value passed into this routine. 
+ */ + rv = ocsp_SingleResponseCertHasGoodStatus(single, time); + } + + if (certIDWasConsumed) { + /* + * We don't have copy-of-certid implemented. In order to update + * the cache, the caller must supply an out variable + * certIDWasConsumed, allowing us to return ownership status. + */ + + PR_EnterMonitor(OCSP_Global.monitor); + if (OCSP_Global.maxCacheEntries >= 0) { + /* single == NULL means: remember response failure */ + rv_cache = + ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, + single, certIDWasConsumed); + } + PR_ExitMonitor(OCSP_Global.monitor); + if (cacheUpdateStatus) { + *cacheUpdateStatus = rv_cache; + } + } + + return rv; +} + +SECStatus +cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID, + PRBool *certIDWasConsumed) +{ + SECStatus rv = SECSuccess; + PR_EnterMonitor(OCSP_Global.monitor); + if (OCSP_Global.maxCacheEntries >= 0) { + rv = ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, NULL, + certIDWasConsumed); + } + PR_ExitMonitor(OCSP_Global.monitor); return rv; } diff --git a/security/nss/lib/certhigh/ocspi.h b/security/nss/lib/certhigh/ocspi.h index 0e3b823..b0f8c0d 100644 --- a/security/nss/lib/certhigh/ocspi.h +++ b/security/nss/lib/certhigh/ocspi.h @@ -36,7 +36,7 @@ /* * ocspi.h - NSS internal interfaces to OCSP code * - * $Id: ocspi.h,v 1.8 2007/12/19 20:14:18 alexei.volkov.bugs%sun.com Exp $ + * $Id: ocspi.h,v 1.9 2008/02/06 17:27:48 kaie%kuix.de Exp $ */ #ifndef _OCSPI_H_ 
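Review bot: In cert_ProcessOCSPResponse `rv_cache` is declared without an initializer and is assigned only when `OCSP_Global.maxCacheEntries >= 0`, yet `*cacheUpdateStatus = rv_cache;` runs whenever both out pointers are non-NULL, so with the cache disabled the caller receives an indeterminate status. Initialising it fixes this, `SECStatus rv_cache = SECSuccess;`, as cert_RememberOCSPProcessingFailure in the same hunk already does for its `rv`. In that same disabled-cache case this function never writes `*certIDWasConsumed`, so callers must set it to PR_FALSE beforehand; that belongs in the function's header comment.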
@@ -63,4 +63,79 @@ ocsp_VerifyResponseSignature(CERTCertificate *signerCert, ocspSignature *signature, SECItem *tbsResponseDataDER, void *pwArg); + +CERTOCSPRequest * +cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID, + CERTCertificate *singleCert, + int64 time, + PRBool addServiceLocator, + CERTCertificate *signerCert); + +SECStatus +ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID, + int64 time, + PRBool ignoreOcspFailureMode, + SECStatus *rvOcsp, + SECErrorCodes *missingResponseError); + +/* + * FUNCTION: cert_ProcessOCSPResponse + * Same behavior and basic parameters as CERT_GetOCSPStatusForCertID. + * In addition it can update the OCSP cache (using information + * available internally to this function). + * INPUTS: + * CERTCertDBHandle *handle + * certificate DB of the cert that is being checked + * CERTOCSPResponse *response + * the OCSP response we want to retrieve status from. + * CERTOCSPCertID *certID + * the ID we want to look for from the response. + * CERTCertificate *signerCert + * the certificate that was used to sign the OCSP response. + * must be obtained via a call to CERT_VerifyOCSPResponseSignature. + * int64 time + * The time at which we're checking the status for. + * PRBool *certIDWasConsumed + * In and Out parameter. + * If certIDWasConsumed is NULL on input, + * this function might produce a deep copy of cert ID + * for storing it in the cache. + * If out value is true, ownership of parameter certID was + * transferred to the OCSP cache. + * SECStatus *cacheUpdateStatus + * This optional out parameter will contain the result + * of the cache update operation (if requested). 
+ * RETURN: + * The return value is not influenced by the cache operation, + * it matches the documentation for CERT_CheckOCSPStatus + */ + +SECStatus +cert_ProcessOCSPResponse(CERTCertDBHandle *handle, + CERTOCSPResponse *response, + CERTOCSPCertID *certID, + CERTCertificate *signerCert, + int64 time, + PRBool *certIDWasConsumed, + SECStatus *cacheUpdateStatus); + +/* + * FUNCTION: cert_RememberOCSPProcessingFailure + * If an application notices a failure during OCSP processing, + * it should finally call this function. The failure will be recorded + * in the OCSP cache in order to avoid repetitive failures. + * INPUTS: + * CERTOCSPCertID *certID + * the ID that was used for the failed OCSP processing + * PRBool *certIDWasConsumed + * Out parameter, if set to true, ownership of parameter certID was + * transferred to the OCSP cache. + * RETURN: + * Status of the cache update operation. + */ + +SECStatus +cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID, + PRBool *certIDWasConsumed); + #endif /* _OCSPI_H_ */ diff --git a/security/nss/lib/certhigh/xcrldist.c b/security/nss/lib/certhigh/xcrldist.c index 5cf1293..4bdbad8 100644 --- a/security/nss/lib/certhigh/xcrldist.c +++ b/security/nss/lib/certhigh/xcrldist.c @@ -41,8 +41,8 @@ #include "certt.h" #include "secerr.h" -SEC_ASN1_MKSUB(SEC_AnyTemplate); -SEC_ASN1_MKSUB(SEC_BitStringTemplate); +SEC_ASN1_MKSUB(SEC_AnyTemplate) +SEC_ASN1_MKSUB(SEC_BitStringTemplate) extern void PrepareBitStringForEncoding (SECItem *bitMap, SECItem *value); diff --git a/security/nss/lib/ckfw/builtins/binst.c b/security/nss/lib/ckfw/builtins/binst.c index 6f503b1..0988ab9 100644 --- a/security/nss/lib/ckfw/builtins/binst.c +++ b/security/nss/lib/ckfw/builtins/binst.c 
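Review bot: The prototype of ocsp_GetCachedOCSPResponseStatusIfFresh added to ocspi.h names its third parameter `ignoreOcspFailureMode`, while the definition in ocsp.c uses `ignoreGlobalOcspFailureSetting`; the header should read `PRBool ignoreGlobalOcspFailureSetting,`. The comment for cert_ProcessOCSPResponse says that with a NULL `certIDWasConsumed` the function "might produce a deep copy" of the cert ID, but the implementation in this patch skips the cache update in that case and its own comment says copying is not implemented; "If certIDWasConsumed is NULL, the cache is not updated." would match the code. The RETURN text refers to CERT_CheckOCSPStatus although the description says the behaviour is that of CERT_GetOCSPStatusForCertID.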
@@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: binst.c,v $ $Revision: 1.4 $ $Date: 2006/06/13 17:48:03 $"; +static const char CVS_ID[] = "@(#) $RCSfile: binst.c,v $ $Revision: 1.5 $ $Date: 2008/01/23 07:34:49 $"; #endif /* DEBUG */ #include "builtins.h" @@ -121,7 +121,7 @@ builtins_mdInstance_GetSlots return CKR_OK; } -NSS_IMPLEMENT_DATA const NSSCKMDInstance +const NSSCKMDInstance nss_builtins_mdInstance = { (void *)NULL, /* etc */ NULL, /* Initialize */ diff --git a/security/nss/lib/ckfw/builtins/bslot.c b/security/nss/lib/ckfw/builtins/bslot.c index 0048fdf..6c522d4 100644 --- a/security/nss/lib/ckfw/builtins/bslot.c +++ b/security/nss/lib/ckfw/builtins/bslot.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: bslot.c,v $ $Revision: 1.3 $ $Date: 2005/01/20 02:25:46 $"; +static const char CVS_ID[] = "@(#) $RCSfile: bslot.c,v $ $Revision: 1.4 $ $Date: 2008/01/23 07:34:49 $"; #endif /* DEBUG */ #include "builtins.h" @@ -110,7 +110,7 @@ builtins_mdSlot_GetToken return (NSSCKMDToken *)&nss_builtins_mdToken; } -NSS_IMPLEMENT_DATA const NSSCKMDSlot +const NSSCKMDSlot nss_builtins_mdSlot = { (void *)NULL, /* etc */ NULL, /* Initialize */ diff --git a/security/nss/lib/ckfw/builtins/btoken.c b/security/nss/lib/ckfw/builtins/btoken.c index 77554fb..dc2e57b 100644 --- a/security/nss/lib/ckfw/builtins/btoken.c +++ b/security/nss/lib/ckfw/builtins/btoken.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: btoken.c,v $ $Revision: 1.3 $ $Date: 2005/01/20 02:25:46 $"; +static const char CVS_ID[] = "@(#) $RCSfile: btoken.c,v $ $Revision: 1.4 $ $Date: 2008/01/23 07:34:49 $"; #endif /* DEBUG */ #include "builtins.h" 
@@ -150,7 +150,7 @@ builtins_mdToken_OpenSession return nss_builtins_CreateSession(fwSession, pError); } -NSS_IMPLEMENT_DATA const NSSCKMDToken +const NSSCKMDToken nss_builtins_mdToken = { (void *)NULL, /* etc */ NULL, /* Setup */ diff --git a/security/nss/lib/ckfw/builtins/builtins.h b/security/nss/lib/ckfw/builtins/builtins.h index 38b3cfd..2f58341 100644 --- a/security/nss/lib/ckfw/builtins/builtins.h +++ b/security/nss/lib/ckfw/builtins/builtins.h @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char BUILTINS_CVS_ID[] = "@(#) $RCSfile: builtins.h,v $ $Revision: 1.5 $ $Date: 2005/01/20 02:25:46 $"; +static const char BUILTINS_CVS_ID[] = "@(#) $RCSfile: builtins.h,v $ $Revision: 1.6 $ $Date: 2008/01/23 07:34:49 $"; #endif /* DEBUG */ #include "nssckmdt.h" 
@@ -64,23 +64,24 @@ struct builtinsInternalObjectStr { }; typedef struct builtinsInternalObjectStr builtinsInternalObject; -NSS_EXTERN_DATA builtinsInternalObject nss_builtins_data[]; -NSS_EXTERN_DATA const PRUint32 nss_builtins_nObjects; +extern builtinsInternalObject nss_builtins_data[]; +extern const PRUint32 nss_builtins_nObjects; -NSS_EXTERN_DATA const CK_VERSION nss_builtins_CryptokiVersion; -NSS_EXTERN_DATA const NSSUTF8 * nss_builtins_ManufacturerID; -NSS_EXTERN_DATA const NSSUTF8 * nss_builtins_LibraryDescription; -NSS_EXTERN_DATA const CK_VERSION nss_builtins_LibraryVersion; -NSS_EXTERN_DATA const NSSUTF8 * nss_builtins_SlotDescription; -NSS_EXTERN_DATA const CK_VERSION nss_builtins_HardwareVersion; -NSS_EXTERN_DATA const CK_VERSION nss_builtins_FirmwareVersion; -NSS_EXTERN_DATA const NSSUTF8 * nss_builtins_TokenLabel; -NSS_EXTERN_DATA const NSSUTF8 * nss_builtins_TokenModel; -NSS_EXTERN_DATA const NSSUTF8 * nss_builtins_TokenSerialNumber; +extern const CK_VERSION nss_builtins_CryptokiVersion; +extern const CK_VERSION nss_builtins_LibraryVersion; +extern const CK_VERSION nss_builtins_HardwareVersion; +extern const CK_VERSION nss_builtins_FirmwareVersion; -NSS_EXTERN_DATA const NSSCKMDInstance nss_builtins_mdInstance; -NSS_EXTERN_DATA const NSSCKMDSlot nss_builtins_mdSlot; -NSS_EXTERN_DATA const NSSCKMDToken nss_builtins_mdToken; +extern const NSSUTF8 nss_builtins_ManufacturerID[]; +extern const NSSUTF8 nss_builtins_LibraryDescription[]; +extern const NSSUTF8 nss_builtins_SlotDescription[]; +extern const NSSUTF8 nss_builtins_TokenLabel[]; +extern const NSSUTF8 nss_builtins_TokenModel[]; +extern const NSSUTF8 nss_builtins_TokenSerialNumber[]; + +extern const NSSCKMDInstance nss_builtins_mdInstance; +extern const NSSCKMDSlot nss_builtins_mdSlot; +extern const NSSCKMDToken nss_builtins_mdToken; NSS_EXTERN NSSCKMDSession * nss_builtins_CreateSession 
diff --git a/security/nss/lib/ckfw/builtins/certdata.c b/security/nss/lib/ckfw/builtins/certdata.c index 14b61b9..2f09662 100644 --- a/security/nss/lib/ckfw/builtins/certdata.c +++ b/security/nss/lib/ckfw/builtins/certdata.c @@ -35,7 +35,7 @@ * * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.45 $ $Date: 2008/01/17 19:07:51 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.45 $ $Date: 2008/01/17 19:07:51 $"; +static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.46 $ $Date: 2008/01/23 07:34:49 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.46 $ $Date: 2008/01/23 07:34:49 $"; #endif /* DEBUG */ #ifndef BUILTINS_H @@ -751,7 +751,7 @@ static const NSSItem nss_builtins_items_0 [] = { { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)"CVS ID", (PRUint32)7 }, { (void *)"NSS", (PRUint32)4 }, - { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.45 $ $Date: 2008/01/17 19:07:51 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.45 $ $Date: 2008/01/17 19:07:51 $", (PRUint32)160 } + { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.46 $ $Date: 2008/01/23 07:34:49 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.46 $ $Date: 2008/01/23 07:34:49 $", (PRUint32)160 } }; #endif /* DEBUG */ static const NSSItem nss_builtins_items_1 [] = { @@ -15520,7 +15520,7 @@ static const NSSItem nss_builtins_items_229 [] = { { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; -PR_IMPLEMENT_DATA(builtinsInternalObject) +builtinsInternalObject nss_builtins_data[] = { #ifdef DEBUG { 7, nss_builtins_types_0, nss_builtins_items_0, {NULL} }, @@ -15755,7 +15755,7 @@ nss_builtins_data[] = { { 11, nss_builtins_types_228, nss_builtins_items_228, {NULL} }, { 13, nss_builtins_types_229, nss_builtins_items_229, {NULL} } }; -PR_IMPLEMENT_DATA(const PRUint32) +const PRUint32 #ifdef DEBUG nss_builtins_nObjects = 229+1; #else 
diff --git a/security/nss/lib/ckfw/builtins/certdata.perl b/security/nss/lib/ckfw/builtins/certdata.perl index c2cb770..a632c5a 100644 --- a/security/nss/lib/ckfw/builtins/certdata.perl +++ b/security/nss/lib/ckfw/builtins/certdata.perl @@ -35,7 +35,7 @@ # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** -my $cvs_id = '@(#) $RCSfile: certdata.perl,v $ $Revision: 1.11 $ $Date: 2006/07/17 16:50:45 $'; +my $cvs_id = '@(#) $RCSfile: certdata.perl,v $ $Revision: 1.12 $ $Date: 2008/01/23 07:34:49 $'; use strict; my %constants; @@ -266,7 +266,7 @@ for( $i = 0; $i <= $count; $i++ ) { } } -print CFILE "\nPR_IMPLEMENT_DATA(builtinsInternalObject)\n"; +print CFILE "\nbuiltinsInternalObject\n"; print CFILE "nss_builtins_data[] = {\n"; for( $i = 0; $i <= $count; $i++ ) { @@ -290,7 +290,7 @@ for( $i = 0; $i <= $count; $i++ ) { print CFILE "};\n"; -print CFILE "PR_IMPLEMENT_DATA(const PRUint32)\n"; +print CFILE "const PRUint32\n"; print CFILE "#ifdef DEBUG\n"; print CFILE " nss_builtins_nObjects = $count+1;\n"; print CFILE "#else\n"; diff --git a/security/nss/lib/ckfw/builtins/constants.c b/security/nss/lib/ckfw/builtins/constants.c index 9896b00..3d95c32 100644 --- a/security/nss/lib/ckfw/builtins/constants.c +++ b/security/nss/lib/ckfw/builtins/constants.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: constants.c,v $ $Revision: 1.12 $ $Date: 2007/07/10 22:35:19 $"; +static const char CVS_ID[] = "@(#) $RCSfile: constants.c,v $ $Revision: 1.13 $ $Date: 2008/01/23 07:34:49 $"; #endif /* DEBUG */ /* 
@@ -56,42 +56,42 @@ static const char CVS_ID[] = "@(#) $RCSfile: constants.c,v $ $Revision: 1.12 $ $ #include "nssckbi.h" #endif /* NSSCKBI_H */ -NSS_IMPLEMENT_DATA const CK_VERSION +const CK_VERSION nss_builtins_CryptokiVersion = { NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR, NSS_BUILTINS_CRYPTOKI_VERSION_MINOR }; -NSS_IMPLEMENT_DATA const NSSUTF8 * -nss_builtins_ManufacturerID = (NSSUTF8 *) "Mozilla Foundation"; - -NSS_IMPLEMENT_DATA const NSSUTF8 * -nss_builtins_LibraryDescription = (NSSUTF8 *) "NSS Builtin Object Cryptoki Module"; - -NSS_IMPLEMENT_DATA const CK_VERSION +const CK_VERSION nss_builtins_LibraryVersion = { NSS_BUILTINS_LIBRARY_VERSION_MAJOR, NSS_BUILTINS_LIBRARY_VERSION_MINOR}; -NSS_IMPLEMENT_DATA const NSSUTF8 * -nss_builtins_SlotDescription = (NSSUTF8 *) "NSS Builtin Objects"; - -NSS_IMPLEMENT_DATA const CK_VERSION +const CK_VERSION nss_builtins_HardwareVersion = { NSS_BUILTINS_HARDWARE_VERSION_MAJOR, NSS_BUILTINS_HARDWARE_VERSION_MINOR }; -NSS_IMPLEMENT_DATA const CK_VERSION +const CK_VERSION nss_builtins_FirmwareVersion = { NSS_BUILTINS_FIRMWARE_VERSION_MAJOR, NSS_BUILTINS_FIRMWARE_VERSION_MINOR }; -NSS_IMPLEMENT_DATA const NSSUTF8 * -nss_builtins_TokenLabel = (NSSUTF8 *) "Builtin Object Token"; +const NSSUTF8 +nss_builtins_ManufacturerID[] = { "Mozilla Foundation" }; + +const NSSUTF8 +nss_builtins_LibraryDescription[] = { "NSS Builtin Object Cryptoki Module" }; + +const NSSUTF8 +nss_builtins_SlotDescription[] = { "NSS Builtin Objects" }; + +const NSSUTF8 +nss_builtins_TokenLabel[] = { "Builtin Object Token" }; -NSS_IMPLEMENT_DATA const NSSUTF8 * -nss_builtins_TokenModel = (NSSUTF8 *) "1"; +const NSSUTF8 +nss_builtins_TokenModel[] = { "1" }; /* should this be e.g. the certdata.txt RCS revision number? */ -NSS_IMPLEMENT_DATA const NSSUTF8 * -nss_builtins_TokenSerialNumber = (NSSUTF8 *) "1"; +const NSSUTF8 +nss_builtins_TokenSerialNumber[] = { "1" }; 
diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c index a184f68..b24f019 100644 --- a/security/nss/lib/cryptohi/seckey.c +++ b/security/nss/lib/cryptohi/seckey.c @@ -50,7 +50,7 @@ #include "ec.h" #include "keyi.h" -SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate); +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[] = { { SEC_ASN1_SEQUENCE, @@ -502,9 +502,7 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count) } /* check if the cert is self-signed */ - rvCompare = (SECStatus)SECITEM_CompareItem(&subjectCert->derSubject, - &subjectCert->derIssuer); - if (rvCompare == SECEqual) { + if (subjectCert->isRoot) { /* fail since cert is self-signed and has no pqg params. */ return SECFailure; } diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c index dfd99f9..fb1f9bf 100644 --- a/security/nss/lib/dev/devtoken.c +++ b/security/nss/lib/dev/devtoken.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.42 $ $Date: 2007/11/16 05:29:25 $"; +static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.43 $ $Date: 2008/02/05 03:22:38 $"; #endif /* DEBUG */ #ifndef NSSCKEPV_H @@ -274,7 +274,9 @@ create_objects_from_handles ( for (--i; i>0; --i) { nssCryptokiObject_Destroy(objects[i]); } - return (nssCryptokiObject **)NULL; + nss_ZFreeIf(objects); + objects = NULL; + break; } } } diff --git a/security/nss/lib/freebl/loader.c b/security/nss/lib/freebl/loader.c index 8468a15..e8373ab 100644 --- a/security/nss/lib/freebl/loader.c +++ b/security/nss/lib/freebl/loader.c @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: loader.c,v 1.38 2007/11/09 23:43:32 wtc%google.com Exp $ */ +/* $Id: loader.c,v 1.39 2008/01/22 02:24:03 nelson%bolyard.com Exp $ */ #include "loader.h" #include "prmem.h" 
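Review bot: The cleanup loop kept just above the new `nss_ZFreeIf(objects);` in devtoken.c (hunk at -274) is `for (--i; i>0; --i)`, which never destroys `objects[0]`, so that object is leaked when the array is released. If `i` is unsigned (its declaration is outside the hunk), a failure at index 0 makes `--i` wrap and the loop read far beyond the array. `while (i > 0) { nssCryptokiObject_Destroy(objects[--i]); }` covers both cases. create_objects_from_handles starts and ends outside the hunk.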
@@ -87,6 +87,11 @@ getLibName(void) buflen = sysinfo(SI_ISALIST, buf, sizeof buf); if (buflen <= 0) return NULL; + /* sysinfo output is always supposed to be NUL terminated, but ... */ + if (buflen < sizeof buf) + buf[buflen] = '\0'; + else + buf[(sizeof buf) - 1] = '\0'; /* The ISA list is a space separated string of names of ISAs and * ISA extensions, in order of decreasing performance. * There are two different ISAs with which NSS's crypto code can be diff --git a/security/nss/lib/freebl/manifest.mn b/security/nss/lib/freebl/manifest.mn index cbb99dd..417f6bc 100644 --- a/security/nss/lib/freebl/manifest.mn +++ b/security/nss/lib/freebl/manifest.mn @@ -160,7 +160,6 @@ ALL_HDRS = \ rijndael.h \ camellia.h \ secmpi.h \ - sha.h \ sha_fast.h \ sha256.h \ shsign.h \ diff --git a/security/nss/lib/freebl/mpi/mpcpucache.c b/security/nss/lib/freebl/mpi/mpcpucache.c index 04f278f..65927d0 100644 --- a/security/nss/lib/freebl/mpi/mpcpucache.c +++ b/security/nss/lib/freebl/mpi/mpcpucache.c @@ -53,16 +53,19 @@ * */ -#if defined(i386) || defined(__i386) || defined(__X86__) || defined (_M_IX86) || defined(__x86_64__) || defined(__x86_64) +#if defined(i386) || defined(__i386) || defined(__X86__) || defined (_M_IX86) || defined(__x86_64__) || defined(__x86_64) || defined(_M_AMD64) /* X86 processors have special instructions that tell us about the cache */ #include "string.h" -#if defined(__x86_64__) || defined(__x86_64) +#if defined(__x86_64__) || defined(__x86_64) || defined(_M_AMD64) #define AMD_64 1 #endif /* Generic CPUID function */ #if defined(AMD_64) + +#if defined(__GNUC__) + static void cpuid(unsigned long op, unsigned long *eax, unsigned long *ebx, unsigned long *ecx, unsigned long *edx) 
@@ -74,7 +77,31 @@ static void cpuid(unsigned long op, unsigned long *eax, "=d" (*edx) : "0" (op)); } -#elif !defined(_MSC_VER) + +#elif defined(_MSC_VER) + +#include + +static void cpuid(unsigned long op, unsigned long *eax, + unsigned long *ebx, unsigned long *ecx, + unsigned long *edx) +{ + int intrinsic_out[4]; + + __cpuid(intrinsic_out, op); + *eax = intrinsic_out[0]; + *ebx = intrinsic_out[1]; + *ecx = intrinsic_out[2]; + *edx = intrinsic_out[3]; +} + +#endif + +#else /* !defined(AMD_64) */ + +/* x86 */ + +#if defined(__GNUC__) static void cpuid(unsigned long op, unsigned long *eax, unsigned long *ebx, unsigned long *ecx, unsigned long *edx) @@ -115,7 +142,7 @@ static unsigned long changeFlag(unsigned long flag) return changedFlags ^ originalFlags; } -#else +#elif defined(_MSC_VER) /* * windows versions of the above assembler @@ -166,6 +193,8 @@ static unsigned long changeFlag(unsigned long flag) } #endif +#endif + #if !defined(AMD_64) #define AC_FLAG 0x40000 #define ID_FLAG 0x200000 diff --git a/security/nss/lib/freebl/sha.c b/security/nss/lib/freebl/sha.c deleted file mode 100644 index f7031d3..0000000 --- a/security/nss/lib/freebl/sha.c +++ /dev/null 
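Review bot: The compiler selection introduced in these mpcpucache.c hunks is `#if defined(__GNUC__)` / `#elif defined(_MSC_VER)` with no final `#else`, so an x86 or x86-64 build with any other compiler gets no definition of `cpuid` or `changeFlag`, where the previous `#elif !defined(_MSC_VER)` layout at least tried the inline-assembly version. If code further down the file calls them unconditionally (not visible here), the build fails with an unhelpful diagnostic. An explicit `#else` followed by `#error "mpcpucache: no cpuid implementation for this compiler"` before each closing `#endif` would make the limitation clear.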
@@ -1,161 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is SHA 180-1 Reference Implementation (Compact version). - * - * The Initial Developer of the Original Code is - * Paul Kocher of Cryptography Research. - * Portions created by the Initial Developer are Copyright (C) 1995-9 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * ***** END LICENSE BLOCK ***** */ - -#include "sha.h" - -static void shaHashBlock(SHA_CTX *ctx); - -void shaInit(SHA_CTX *ctx) { - int i; - - ctx->lenW = 0; - ctx->sizeHi = ctx->sizeLo = 0; - - /* Initialize H with the magic constants (see FIPS180 for constants) - */ - ctx->H[0] = 0x67452301L; - ctx->H[1] = 0xefcdab89L; - ctx->H[2] = 0x98badcfeL; - ctx->H[3] = 0x10325476L; - ctx->H[4] = 0xc3d2e1f0L; - - for (i = 0; i < 80; i++) - ctx->W[i] = 0; -} - - -void shaUpdate(SHA_CTX *ctx, unsigned char *dataIn, int len) { - int i; - - /* Read the data into W and process blocks as they get full - */ - for (i = 0; i < len; i++) { - ctx->W[ctx->lenW / 4] <<= 8; - ctx->W[ctx->lenW / 4] |= (unsigned long)dataIn[i]; - if ((++ctx->lenW) % 64 == 0) { - shaHashBlock(ctx); - ctx->lenW = 0; - } - ctx->sizeLo += 8; - ctx->sizeHi += (ctx->sizeLo < 8); - } -} - - -void shaFinal(SHA_CTX *ctx, unsigned char hashout[20]) { - unsigned char pad0x80 = 0x80; - unsigned char pad0x00 = 0x00; - unsigned char padlen[8]; - int i; - - /* Pad with a binary 1 (e.g. 
0x80), then zeroes, then length - */ - padlen[0] = (unsigned char)((ctx->sizeHi >> 24) & 255); - padlen[1] = (unsigned char)((ctx->sizeHi >> 16) & 255); - padlen[2] = (unsigned char)((ctx->sizeHi >> 8) & 255); - padlen[3] = (unsigned char)((ctx->sizeHi >> 0) & 255); - padlen[4] = (unsigned char)((ctx->sizeLo >> 24) & 255); - padlen[5] = (unsigned char)((ctx->sizeLo >> 16) & 255); - padlen[6] = (unsigned char)((ctx->sizeLo >> 8) & 255); - padlen[7] = (unsigned char)((ctx->sizeLo >> 0) & 255); - shaUpdate(ctx, &pad0x80, 1); - while (ctx->lenW != 56) - shaUpdate(ctx, &pad0x00, 1); - shaUpdate(ctx, padlen, 8); - - /* Output hash - */ - for (i = 0; i < 20; i++) { - hashout[i] = (unsigned char)(ctx->H[i / 4] >> 24); - ctx->H[i / 4] <<= 8; - } - - /* - * Re-initialize the context (also zeroizes contents) - */ - shaInit(ctx); -} - - -void shaBlock(unsigned char *dataIn, int len, unsigned char hashout[20]) { - SHA_CTX ctx; - - shaInit(&ctx); - shaUpdate(&ctx, dataIn, len); - shaFinal(&ctx, hashout); -} - - -#define SHA_ROTL(X,n) (((X) << (n)) | ((X) >> (32-(n)))) - -static void shaHashBlock(SHA_CTX *ctx) { - int t; - unsigned long A,B,C,D,E,TEMP; - - for (t = 16; t <= 79; t++) - ctx->W[t] = - SHA_ROTL(ctx->W[t-3] ^ ctx->W[t-8] ^ ctx->W[t-14] ^ ctx->W[t-16], 1); - - A = ctx->H[0]; - B = ctx->H[1]; - C = ctx->H[2]; - D = ctx->H[3]; - E = ctx->H[4]; - - for (t = 0; t <= 19; t++) { - TEMP = SHA_ROTL(A,5) + (((C^D)&B)^D) + E + ctx->W[t] + 0x5a827999L; - E = D; D = C; C = SHA_ROTL(B, 30); B = A; A = TEMP; - } - for (t = 20; t <= 39; t++) { - TEMP = SHA_ROTL(A,5) + (B^C^D) + E + ctx->W[t] + 0x6ed9eba1L; - E = D; D = C; C = SHA_ROTL(B, 30); B = A; A = TEMP; - } - for (t = 40; t <= 59; t++) { - TEMP = SHA_ROTL(A,5) + ((B&C)|(D&(B|C))) + E + ctx->W[t] + 0x8f1bbcdcL; - E = D; D = C; C = SHA_ROTL(B, 30); B = A; A = TEMP; - } - for (t = 60; t <= 79; t++) { - TEMP = SHA_ROTL(A,5) + (B^C^D) + E + ctx->W[t] + 0xca62c1d6L; - E = D; D = C; C = SHA_ROTL(B, 30); B = A; A = TEMP; - } - - 
ctx->H[0] += A; - ctx->H[1] += B; - ctx->H[2] += C; - ctx->H[3] += D; - ctx->H[4] += E; -} - diff --git a/security/nss/lib/freebl/sha.h b/security/nss/lib/freebl/sha.h deleted file mode 100644 index f3fa37f..0000000 --- a/security/nss/lib/freebl/sha.h +++ /dev/null 
@@ -1,49 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is SHA 180-1 Header File. - * - * The Initial Developer of the Original Code is - * Paul Kocher of Cryptography Research. - * Portions created by the Initial Developer are Copyright (C) 1995-9 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * ***** END LICENSE BLOCK ***** */ - -typedef struct { - unsigned long H[5]; - unsigned long W[80]; - int lenW; - unsigned long sizeHi,sizeLo; -} SHA_CTX; - - -void shaInit(SHA_CTX *ctx); -void shaUpdate(SHA_CTX *ctx, unsigned char *dataIn, int len); -void shaFinal(SHA_CTX *ctx, unsigned char hashout[20]); -void shaBlock(unsigned char *dataIn, int len, unsigned char hashout[20]); - diff --git a/security/nss/lib/freebl/sha512.c b/security/nss/lib/freebl/sha512.c index 7f5e9ac..c4bdd47 100644 --- a/security/nss/lib/freebl/sha512.c +++ b/security/nss/lib/freebl/sha512.c @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sha512.c,v 1.9 2006/10/13 16:54:04 wtchang%redhat.com Exp $ */ +/* $Id: sha512.c,v 1.11 2008/02/16 02:24:48 wtc%google.com Exp $ */ #include "prcpucfg.h" #if defined(_X86_) || defined(SHA_NO_LONG_LONG) #define NOUNROLL512 1 @@ -93,9 +93,14 @@ static const PRUint32 H256[8] = { 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 }; -#if defined(_MSC_VER) && defined(_X86_) +#if (_MSC_VER >= 1300) +#include +#pragma intrinsic(_byteswap_ulong) +#define SHA_HTONL(x) _byteswap_ulong(x) +#define BYTESWAP4(x) x = SHA_HTONL(x) +#elif defined(_MSC_VER) && defined(_X86_) #ifndef FORCEINLINE -#if (MSC_VER >= 1200) +#if (_MSC_VER >= 1200) #define FORCEINLINE __forceinline #else #define FORCEINLINE __inline diff --git a/security/nss/lib/freebl/sha_fast.h b/security/nss/lib/freebl/sha_fast.h index 6243471..d579eba 100644 --- a/security/nss/lib/freebl/sha_fast.h +++ b/security/nss/lib/freebl/sha_fast.h 
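Review bot: The new first branch in sha512.c tests `#if (_MSC_VER >= 1300)` without `defined(_MSC_VER)`, while the `#elif` directly below it and the matching sha_fast.h change both check `defined(_MSC_VER)` first. It works because an undefined macro evaluates to 0 in `#if`, but it produces undefined-macro warnings on compilers that enable them and reads inconsistently next to the other guards; `#if defined(_MSC_VER) && (_MSC_VER >= 1300)` states the same condition explicitly. The rest of this conditional block lies outside the hunk, so whether the new branch defines everything the `_X86_` branch does cannot be checked here.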
@@ -57,8 +57,13 @@ struct SHA1ContextStr { SHA_HW_t H[22]; /* 5 state variables, 16 tmp values, 1 extra */ }; -#if defined(_MSC_VER) && defined(_X86_) +#if defined(_MSC_VER) +#include #if defined(IS_LITTLE_ENDIAN) +#if (_MSC_VER >= 1300) +#pragma intrinsic(_byteswap_ulong) +#define SHA_HTONL(x) _byteswap_ulong(x) +#elif defined(_X86_) #ifndef FORCEINLINE #if (_MSC_VER >= 1200) #define FORCEINLINE __forceinline @@ -78,12 +83,13 @@ swap4b(PRUint32 dwd) } #define SHA_HTONL(x) swap4b(x) +#endif /* _X86_ */ #endif /* IS_LITTLE_ENDIAN */ #pragma intrinsic (_lrotr, _lrotl) #define SHA_ROTL(x,n) _lrotl(x,n) #define SHA_ROTL_IS_DEFINED 1 -#endif /* _MSC_VER && _X86_ */ +#endif /* _MSC_VER */ #if defined(__GNUC__) /* __x86_64__ and __x86_64 are defined by GCC on x86_64 CPUs */ diff --git a/security/nss/lib/jar/jarfile.c b/security/nss/lib/jar/jarfile.c index 91ae414..fc3ed2a 100644 --- a/security/nss/lib/jar/jarfile.c +++ b/security/nss/lib/jar/jarfile.c @@ -631,7 +631,7 @@ static int jar_extract_mf (JAR *jar, jarArch format, JAR_FILE fp, char *ext) ZZList *list; char *fn, *e; - char ZHUGEP *manifest; + char ZHUGEP *manifest = NULL; long length; int status, ret = 0, num; @@ -683,13 +683,10 @@ static int jar_extract_mf (JAR *jar, jarArch format, JAR_FILE fp, char *ext) } /* Read in the manifest and parse it */ - /* FIX? Does this break on win16 for very very large manifest files? */ - -#ifdef XP_WIN16 - PORT_Assert( phy->length+1 < 0xFFFF ); -#endif - - manifest = (char ZHUGEP *) PORT_ZAlloc (phy->length + 1); + /* limit is per J2SE SDK */ + if (phy->length <= 0xFFFF) { + manifest = (char ZHUGEP *) PORT_ZAlloc (phy->length + 1); + } if (manifest) { JAR_FSEEK (fp, phy->offset, (PRSeekWhence)0); diff --git a/security/nss/lib/libpkix/include/pkix_errorstrings.h b/security/nss/lib/libpkix/include/pkix_errorstrings.h index fd1a822..2b05df9 100755 --- a/security/nss/lib/libpkix/include/pkix_errorstrings.h +++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h 
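Review bot: The added `#endif /* _X86_ */` in sha_fast.h closes the `#if (_MSC_VER >= 1300)` / `#elif defined(_X86_)` chain opened in the previous hunk, so its label names only one arm of what it terminates. `#endif /* _MSC_VER >= 1300 || _X86_ */` would match the construct being closed. A short comment noting that MSVC targets matching neither arm leave `SHA_HTONL` undefined in this block, presumably for a fallback further down the header, would also help the next reader.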
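Review bot: An oversized manifest in jar_extract_mf now leaves `manifest` NULL and falls into whatever handles a failed `PORT_ZAlloc` after `if (manifest) {`, which is outside the hunk, so a size-limit rejection is probably reported as an allocation failure. An explicit early check with its own status would keep the two cases apart, and the bare `0xFFFF` would read better as a named constant next to the `/* limit is per J2SE SDK */` comment. The type of `phy->length` is not visible here; if it is signed, `phy->length <= 0xFFFF` also admits negative values and `phy->length + 1` then reaches the allocator, so the condition should read `if (phy->length >= 0 && phy->length <= 0xFFFF) {`. The function body starts and ends outside the hunk.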
@@ -20,6 +20,7 @@ * * Contributor(s): * Sun Microsystems, Inc. + * Red Hat, Inc. * * Alternatively, the contents of this file may be used under the terms of * either the GNU General Public License Version 2 or later (the "GPL"), or @@ -45,8 +46,6 @@ */ /* ALLOCERROR should always be the first */ PKIX_ERRORENTRY(ALLOCERROR,Allocation Error), -PKIX_ERRORENTRY(PKIXUNKNOWNERROR,PKIX uninitialized error code), -PKIX_ERRORENTRY(GETPKIXERRORCODEFAILED,Get PKIX error code failed), PKIX_ERRORENTRY(ADDHEADERFUNCTIONNOTSUPPORTED,AddHeader function not supported), PKIX_ERRORENTRY(ADDTOVERIFYLOGFAILED,pkix_AddToVerifyLog failed), PKIX_ERRORENTRY(AIAMGRCREATEFAILED,PKIX_PL_AIAMgr_Create failed), @@ -85,6 +84,7 @@ PKIX_ERRORENTRY(BIGINTLENGTH0INVALID,BigInt length 0 is invalid), PKIX_ERRORENTRY(BIGINTTOSTRINGFAILED,pkix_pl_BigInt_ToString failed), PKIX_ERRORENTRY(BIGINTTOSTRINGHELPERFAILED,PKIX_PL_BigInt_ToString_Helper failed), PKIX_ERRORENTRY(BINDREJECTEDBYSERVER,BIND rejected by server), +PKIX_ERRORENTRY(BUILDANDVALIDATECHAINFAILED,Failed to build and validate a chain), PKIX_ERRORENTRY(BUILDBUILDSELECTORANDPARAMSFAILED,pkix_Build_BuildSelectorAndParams failed), PKIX_ERRORENTRY(BUILDCOMBINEWITHTRUSTFAILED,pkix_Build_CombineWithTrust failed), PKIX_ERRORENTRY(BUILDFORWARDDEPTHFIRSTSEARCHFAILED,pkix_BuildForwardDepthFirstSearch failed), 
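Review bot: Re-sorting the table moves nearly every entry, starting with `PKIXUNKNOWNERROR` and `GETPKIXERRORCODEFAILED` leaving the slots right after `ALLOCERROR`; if `PKIX_ERRORENTRY` expands into an enum with a parallel string array, as the `ALLOCERROR should always be the first` comment suggests, the numeric error codes change with the order. Nothing in the header says that the list must stay alphabetical or that the values are not stable between releases. A comment at the top such as `/* Keep sorted by name after ALLOCERROR; numeric values follow list order and are not stable between releases. */` would cover both, and it applies equally to the later hunks of this file that move entries.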
@@ -120,6 +120,7 @@ PKIX_ERRORENTRY(CANNOTCALLAPPENDITEMONIMMUTABLELIST,Cannot call AppendItem on Im
 PKIX_ERRORENTRY(CANNOTCALLDELETEITEMONIMMUTABLELIST,Cannot call DeleteItem on Immutable List),
 PKIX_ERRORENTRY(CANNOTCALLINSERTITEMONIMMUTABLELIST,Cannot call InsertItem on Immutable List),
 PKIX_ERRORENTRY(CANNOTCALLSETITEMONIMMUTABLELIST,Cannot call SetItem on Immutable List),
+PKIX_ERRORENTRY(CANNOTCONVERTCERTUSAGETOPKIXKEYANDEKUSAGES, Fail to convert certificate usage to pkix KU and EKU),
 PKIX_ERRORENTRY(CANNOTOPENCOLLECTIONCERTSTORECONTEXTDIRECTORY,Cannot open CollectionCertStoreContext directory),
 PKIX_ERRORENTRY(CANTCREATESTRING,Cannot create PKIX_PL_String),
 PKIX_ERRORENTRY(CANTDECODEBINDRESPONSEFROMSERVER,Cannot decode BIND response from server),
@@ -139,6 +140,8 @@ PKIX_ERRORENTRY(CERTCHAINCHECKERGETSUPPORTEDEXTENSIONSFAILED,PKIX_CertChainCheck
 PKIX_ERRORENTRY(CERTCHAINCHECKERISFORWARDCHECKINGSUPPORTEDFAILED,PKIX_CertChainChecker_IsForwardCheckingSupported failed),
 PKIX_ERRORENTRY(CERTCHAINCHECKERSETCERTCHAINCHECKERSTATEFAILED,PKIX_CertChainChecker_SetCertChainCheckerState failed),
 PKIX_ERRORENTRY(CERTCHAINFAILSCERTIFICATEPOLICYVALIDATION,CertChain fails Certificate Policy validation),
+PKIX_ERRORENTRY(CERTCHAINTONSSCHAINFAILED,Fail to convert pkix cert chain to nss cert chain),
+PKIX_ERRORENTRY(CERTCHAINTOPKIXCERTLISTFAILED,Failed to convert nss cert chain to pkix cert chain),
 PKIX_ERRORENTRY(CERTCHECKCERTVALIDTIMESFAILED,CERT_CheckCertValidTimes failed),
 PKIX_ERRORENTRY(CERTCHECKEXTENDEDKEYUSAGEFAILED,pkix_pl_Cert_CheckExtendedKeyUsage failed),
 PKIX_ERRORENTRY(CERTCHECKKEYUSAGEFAILED,CERT_CheckKeyUsage failed),
@@ -151,7 +154,6 @@ PKIX_ERRORENTRY(CERTCREATEFAILED,PKIX_PL_Cert_Create failed),
 PKIX_ERRORENTRY(CERTCREATEGENERALNAMELISTFAILED,CERT_CreateGeneralNameList failed),
 PKIX_ERRORENTRY(CERTCREATETOLISTFAILED,pkix_pl_Cert_CreateToList failed),
 PKIX_ERRORENTRY(CERTCREATEWITHNSSCERTFAILED,pkix_pl_Cert_CreateWithNSSCert failed),
-PKIX_ERRORENTRY(CERTGETCERTCERTIFICATEFAILED,PKIX_PL_Cert_GetCERTCertificate failed),
 PKIX_ERRORENTRY(CERTDECODEALTNAMEEXTENSIONFAILED,CERT_DecodeAltNameExtension failed),
 PKIX_ERRORENTRY(CERTDECODECERTIFICATEPOLICIESEXTENSIONFAILED,CERT_DecodeCertificatePoliciesExtension failed),
 PKIX_ERRORENTRY(CERTDECODEDERCERTIFICATEFAILED,CERT_DecodeDERCertificate failed),
@@ -172,6 +174,7 @@ PKIX_ERRORENTRY(CERTGETAUTHORITYKEYIDENTIFIERFAILED,PKIX_PL_Cert_GetAuthorityKey
 PKIX_ERRORENTRY(CERTGETBASICCONSTRAINTFAILED,PKIX_PL_Cert_GetBasicConstraint failed),
 PKIX_ERRORENTRY(CERTGETBASICCONSTRAINTSFAILED,PKIX_PL_Cert_GetBasicConstraints failed),
 PKIX_ERRORENTRY(CERTGETCACHEFLAGFAILED,PKIX_Cert_GetCacheFlag failed),
+PKIX_ERRORENTRY(CERTGETCERTCERTIFICATEFAILED,PKIX_PL_Cert_GetCERTCertificate failed),
 PKIX_ERRORENTRY(CERTGETCERTIFICATENAMESRETURNNULL,CERT_GetCertificateNames return NULL),
 PKIX_ERRORENTRY(CERTGETCRITICALEXTENSIONOIDSFAILED,PKIX_PL_Cert_GetCriticalExtensionOIDs failed),
 PKIX_ERRORENTRY(CERTGETEXTENDEDKEYUSAGEFAILED,PKIX_PL_Cert_GetExtendedKeyUsage failed),
@@ -297,9 +300,9 @@ PKIX_ERRORENTRY(COMCERTSELPARAMSSETCERTIFICATEFAILED,PKIX_ComCertSelParams_SetCe
 PKIX_ERRORENTRY(COMCERTSELPARAMSSETCERTIFICATEVALIDFAILED,PKIX_ComCertSelParams_SetCertificateValid failed),
 PKIX_ERRORENTRY(COMCERTSELPARAMSSETEXTKEYUSAGEFAILED,PKIX_ComCertSelParams_SetExtendedKeyUsage failed),
 PKIX_ERRORENTRY(COMCERTSELPARAMSSETKEYUSAGEFAILED,PKIX_ComCertSelParams_SetKeyUsage failed),
+PKIX_ERRORENTRY(COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED,PKIX_ComCertSelParams_SetNISTPolicyEnabled failed),
 PKIX_ERRORENTRY(COMCERTSELPARAMSSETPATHTONAMESFAILED,PKIX_ComCertSelParams_SetPathToNames failed),
 PKIX_ERRORENTRY(COMCERTSELPARAMSSETSUBJECTFAILED,PKIX_ComCertSelParams_SetSubject failed),
-PKIX_ERRORENTRY(COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED,PKIX_ComCertSelParams_SetNISTPolicyEnabled failed),
 PKIX_ERRORENTRY(COMCRLSELPARAMSADDISSUERNAMEFAILED,PKIX_ComCRLSelParams_AddIssuerName failed),
 PKIX_ERRORENTRY(COMCRLSELPARAMSCREATEFAILED,PKIX_ComCRLSelParams_Create failed),
 PKIX_ERRORENTRY(COMCRLSELPARAMSEQUALSFAILED,pkix_ComCRLSelParams_Equals failed),
@@ -371,6 +374,7 @@ PKIX_ERRORENTRY(COULDNOTMALLOCNEWKEY,Could not malloc new key),
 PKIX_ERRORENTRY(COULDNOTTESTWHETHERKEYSEQUAL,Could not test whether keys are equal),
 PKIX_ERRORENTRY(CREATECERTFAILED,CreateCert failed),
 PKIX_ERRORENTRY(CREATECRLSELECTORDUPLICATEOBJECTFAILED,Create CRLSelector Duplicate Object failed),
+PKIX_ERRORENTRY(CREATEPROCESSINGPARAMSFAILED,Failed to create processing parameters),
 PKIX_ERRORENTRY(CRLCREATEFAILED,PKIX_PL_CRL_Create failed),
 PKIX_ERRORENTRY(CRLCREATETOLISTFAILED,pkix_pl_CRL_CreateToList failed),
 PKIX_ERRORENTRY(CRLCREATEWITHSIGNEDCRLFAILED,pkix_pl_CRL_CreateWithSignedCRL failed),
@@ -430,8 +434,8 @@ PKIX_ERRORENTRY(DERUTCTIMETOASCIIFAILED,DER_UTCTimeToAscii failed),
 PKIX_ERRORENTRY(DESTROYSPKIFAILED,pkix_pl_DestroySPKI failed),
 PKIX_ERRORENTRY(DIRECTORYNAMECREATEFAILED,pkix_pl_DirectoryName_Create failed),
 PKIX_ERRORENTRY(DUPLICATEIMMUTABLEFAILED,pkix_duplicateImmutable failed),
-PKIX_ERRORENTRY(EKUCHECKERINITIALIZEFAILED,PKIX_PL_EkuChecker_Initialize failed),
 PKIX_ERRORENTRY(EKUCHECKERGETREQUIREDEKUFAILED,pkix_pl_EkuChecker_GetRequiredEku failed),
+PKIX_ERRORENTRY(EKUCHECKERINITIALIZEFAILED,PKIX_PL_EkuChecker_Initialize failed),
 PKIX_ERRORENTRY(EKUCHECKERSTATECREATEFAILED,pkix_pl_EkuCheckerState_Create failed),
 PKIX_ERRORENTRY(ENABLEREVOCATIONWITHOUTCERTSTORE,Enable Revocation without CertStore),
 PKIX_ERRORENTRY(ERRORALLOCATINGMONITORLOCK,Error Allocating MonitorLock),
@@ -476,6 +480,7 @@ PKIX_ERRORENTRY(FAILEDINENCODINGABANDON,failed in encoding Abandon),
 PKIX_ERRORENTRY(FAILEDINENCODINGBINDREQUEST,failed in encoding bindRequest),
 PKIX_ERRORENTRY(FAILEDINENCODINGSEARCHREQUEST,failed in encoding searchRequest),
 PKIX_ERRORENTRY(FAILEDINENCODINGUNBIND,failed in encoding unbind),
+PKIX_ERRORENTRY(FAILEDTOGETNSSTRUSTANCHORS,Failed to get nss trusted roots),
 PKIX_ERRORENTRY(FAILEDTOGETTRUST, failed to get trust from the cert),
 PKIX_ERRORENTRY(FAILUREHASHINGCERT,Failure hashing Cert),
 PKIX_ERRORENTRY(FAILUREHASHINGERROR,Failure hashing Error),
@@ -484,6 +489,8 @@ PKIX_ERRORENTRY(FAILUREHASHINGLISTQUALIFIERSET,Failure hashing PKIX_List qualifi
 PKIX_ERRORENTRY(FAILUREHASHINGOIDVALIDPOLICY,Failure hashing PKIX_PL_OID validPolicy),
 PKIX_ERRORENTRY(FANOUTEXCEEDSRESOURCELIMITS,Fanout exceeds Resource Limits),
 PKIX_ERRORENTRY(FETCHINGCACHEDCRLFAILED,Fetching Cached CRLfailed),
+PKIX_ERRORENTRY(FILLINPROCESSINGPARAMSFAILED,Fail to fill in parameters),
+PKIX_ERRORENTRY(FILLINRETURNRESULTSFAILED,Fail to fill in return results),
 PKIX_ERRORENTRY(FIRSTARGUMENTNOTANOID,FirstObject is not an OID),
 PKIX_ERRORENTRY(FIRSTARGUMENTNOTBYTEARRAY,FirstObject is not a ByteArray),
 PKIX_ERRORENTRY(FIRSTARGUMENTNOTCERTBASICCONSTRAINTSOBJECT,First argument is not a CertBasicConstraints Object),
@@ -541,7 +548,10 @@ PKIX_ERRORENTRY(GETCERTSFAILED,getCerts failed),
 PKIX_ERRORENTRY(GETCRITICALEXTENSIONOIDSFAILED,pkix_GetCriticalExtensionOIDs failed),
 PKIX_ERRORENTRY(GETCRLSFAILED,getCrls failed),
 PKIX_ERRORENTRY(GETOIDTOKENFAILED,pkix_pl_getOIDToken failed),
+PKIX_ERRORENTRY(GETPKIXERRORCODEFAILED,Get PKIX error code failed),
+PKIX_ERRORENTRY(GETREQCERTIFICATEUSAGESFAILED,Fail to get required certificate usages),
 PKIX_ERRORENTRY(GETRESULTCODECALLEDFORNONRESULTMESSAGE,GetResultCode called for non-Result message),
+PKIX_ERRORENTRY(GETRETCERTIFICATEUSAGESFAILED,Fail to get returned certificate usages),
 PKIX_ERRORENTRY(GETTRUSTEDCERTLISTFAILED,Fail to get trusted cert list),
 PKIX_ERRORENTRY(HASHFAILED,pkix_hash failed),
 PKIX_ERRORENTRY(HASHTABLEADDFAILED,PKIX_PL_HashTable_Add failed),
@@ -678,10 +688,10 @@ PKIX_ERRORENTRY(LISTTOSTRINGHELPERFAILED,pkix_List_ToString Helper failed),
 PKIX_ERRORENTRY(LOCATIONSTRINGNOTPROPERLYTERMINATED,Location string not properly terminated),
 PKIX_ERRORENTRY(LOCKHASNONZEROREADCOUNT,Lock has non-zero read count),
 PKIX_ERRORENTRY(LOCKOBJECTFAILED,pkix_LockObject failed),
-PKIX_ERRORENTRY(LOOPOFERRORCAUSEDETECTED,Loop of error causes detected),
 PKIX_ERRORENTRY(LOGGERDUPLICATEFAILED,pkix_Logger_Duplicate failed),
 PKIX_ERRORENTRY(LOGGINGLEVELEXCEEDSMAXIMUM,Logging Level exceeds Maximum),
 PKIX_ERRORENTRY(LOOPDISCOVEREDDUPCERTSNOTALLOWED,Loop discovered: duplicate certificates not allowed),
+PKIX_ERRORENTRY(LOOPOFERRORCAUSEDETECTED,Loop of error causes detected),
 PKIX_ERRORENTRY(MAJORVERSIONSDONTMATCH,Major versions do not match),
 PKIX_ERRORENTRY(MALLOCFAILED,PKIX_PL_Malloc failed),
 PKIX_ERRORENTRY(MEMCPYFAILED,PKIX_PL_Memcpy failed),
@@ -704,20 +714,6 @@ PKIX_ERRORENTRY(NORESPONSEDATAINHTTPRESPONSE,No responseData in Http Response),
 PKIX_ERRORENTRY(NOTARGETCERTSUPPLIED,No target cert supplied),
 PKIX_ERRORENTRY(NOTDERPACKAGE,Not a DER package),
 PKIX_ERRORENTRY(NOTENOUGHNAMECOMPONENTSINGENERALNAME,Not enough name components in GeneralName),
-PKIX_ERRORENTRY(CANNOTCONVERTCERTUSAGETOPKIXKEYANDEKUSAGES, Fail to convert certificate usage to pkix KU and EKU),
-PKIX_ERRORENTRY(BUILDANDVALIDATECHAINFAILED,Failed to build and validate a chain),
-PKIX_ERRORENTRY(CERTCHAINTOPKIXCERTLISTFAILED,Failed to convert nss cert chain to pkix cert chain),
-PKIX_ERRORENTRY(CREATEPROCESSINGPARAMSFAILED,Failed to create processing parameters),
-PKIX_ERRORENTRY(FAILEDTOGETNSSTRUSTANCHORS,Failed to get nss trusted roots),
-PKIX_ERRORENTRY(FILLINPROCESSINGPARAMSFAILED,Fail to fill in parameters),
-PKIX_ERRORENTRY(FILLINRETURNRESULTSFAILED,Fail to fill in return results),
-PKIX_ERRORENTRY(GETREQCERTIFICATEUSAGESFAILED,Fail to get required certificate usages),
-PKIX_ERRORENTRY(GETRETCERTIFICATEUSAGESFAILED,Fail to get returned certificate usages),
-PKIX_ERRORENTRY(CERTCHAINTONSSCHAINFAILED,Fail to convert pkix cert chain to nss cert chain),
-PKIX_ERRORENTRY(POLICYTREETOOIDSFAILED,Failed to convert policy tree to oid),
-PKIX_ERRORENTRY(TRUSTANCHORTOCERTFAILED,Fail to convert trust anchor to cert),
-PKIX_ERRORENTRY(SETPOLICIESFAILED,Fail to set cert validation policies),
-PKIX_ERRORENTRY(VALIDATECERTCHAINFAILED,Failed to validate cert chain),
 PKIX_ERRORENTRY(NSSCONTEXTCREATEFAILED,PKIX_PL_NssContext_Create failed),
 PKIX_ERRORENTRY(NSSCONTEXTDESTROYFAILED,PKIX_PL_NssContext_Destroy failed),
 PKIX_ERRORENTRY(NSSCONTEXTGETCHECKALLUSAGESFAILED, pkix_pl_NssContext_GetCheckAllUsages failed),
@@ -726,8 +722,8 @@ PKIX_ERRORENTRY(NSSCONTEXTGETWINCXFAILED,pkix_pl_NssContext_GetWincx failed),
 PKIX_ERRORENTRY(NSSCONTEXTSETCERTSIGNCHECKFAILED, pkix_pl_NssContext_SetCertSignatureCheck),
 PKIX_ERRORENTRY(NSSCONTEXTSETCERTUSAGEFAILED, pkix_pl_NssContext_SetCertUsage failed),
 PKIX_ERRORENTRY(NSSCONTEXTSETCHECKALLUSAGESFAILED, pkix_pl_NssContext_SetCheckAllUsages failed),
-PKIX_ERRORENTRY(NSSCONTEXTSETRETURNUSAGESFAILED, pkix_pl_NssContext_SetReturnUsages failed),
 PKIX_ERRORENTRY(NSSCONTEXTSETRETURNEDCERTUSAGEFAILED, pkix_pl_NssContext_SetReturnedCertUsage),
+PKIX_ERRORENTRY(NSSCONTEXTSETRETURNUSAGESFAILED, pkix_pl_NssContext_SetReturnUsages failed),
 PKIX_ERRORENTRY(NSSTRUSTEDLISTISEMPTY,nss trusted roots list is empty),
 PKIX_ERRORENTRY(NULLARGUMENT,Null argument),
 PKIX_ERRORENTRY(NUMBUCKETSEQUALSZERO,NumBuckets equals zero),
@@ -750,6 +746,7 @@ PKIX_ERRORENTRY(OBJECTEQUALSFAILEDONEXPECTEDPOLICYSETS,PKIX_PL_Object_Equals fai
 PKIX_ERRORENTRY(OBJECTGETTYPEFAILED,PKIX_PL_Object_GetType failed),
 PKIX_ERRORENTRY(OBJECTHASHCODEFAILED,PKIX_PL_Object_Hashcode failed),
 PKIX_ERRORENTRY(OBJECTINVALIDATECACHEFAILED,PKIX_PL_Object_InvalidateCache failed),
+PKIX_ERRORENTRY(OBJECTISTYPEREGISTEREDFAILED,PKIX_PL_Object_IsTypeRegistered failed),
 PKIX_ERRORENTRY(OBJECTLOCKFAILED,PKIX_PL_Object_Lock failed),
 PKIX_ERRORENTRY(OBJECTNOTAIAMGR,Object is not a AIAMgr),
 PKIX_ERRORENTRY(OBJECTNOTANEKUCHECKERSTATE,Object is not an EKU Checker State),
@@ -796,6 +793,7 @@ PKIX_ERRORENTRY(OBJECTNOTLOGGER,Object is not a Logger),
 PKIX_ERRORENTRY(OBJECTNOTMONITORLOCK,Object is not a MonitorLock),
 PKIX_ERRORENTRY(OBJECTNOTMUTEX,Object is not a Mutex),
 PKIX_ERRORENTRY(OBJECTNOTNAMECONSTRAINTSCHECKERSTATE,Object is not a name constraints checker state),
+PKIX_ERRORENTRY(OBJECTNOTOCSPCERTID,Object is not an OcspCertID),
 PKIX_ERRORENTRY(OBJECTNOTOCSPCHECKER,Object is not an OCSPChecker),
 PKIX_ERRORENTRY(OBJECTNOTOCSPREQUEST,Object is not an OcspRequest),
 PKIX_ERRORENTRY(OBJECTNOTPOLICYCHECKERSTATE,Object is not a PKIX_PolicyCheckerState),
@@ -814,13 +812,15 @@ PKIX_ERRORENTRY(OBJECTNOTVALIDATEPARAMS,Object is not a ValidateParams),
 PKIX_ERRORENTRY(OBJECTNOTVALIDATERESULT,Object is not a ValidateResult),
 PKIX_ERRORENTRY(OBJECTNOTVERIFYNODE,Object is not a VerifyNode),
 PKIX_ERRORENTRY(OBJECTREGISTERTYPEFAILED,PKIX_PL_Object_RegisterType failed),
-PKIX_ERRORENTRY(OBJECTISTYPEREGISTEREDFAILED,PKIX_PL_Object_IsTypeRegistered failed),
 PKIX_ERRORENTRY(OBJECTRETRIEVEEQUALSCALLBACKFAILED,pkix_pl_Object_RetrieveEqualsCallback failed),
 PKIX_ERRORENTRY(OBJECTSPECIFICFUNCTIONFAILED,object-specific function failed),
 PKIX_ERRORENTRY(OBJECTSTILLREFERENCED,Object is still referenced),
 PKIX_ERRORENTRY(OBJECTTOSTRINGFAILED,PKIX_PL_Object_ToString failed),
 PKIX_ERRORENTRY(OBJECTTYPESDONOTMATCH,Object types do not match),
 PKIX_ERRORENTRY(OBJECTWITHNONPOSITIVEREFERENCES,Object with non-positive references),
+PKIX_ERRORENTRY(OCSPCERTIDCREATEFAILED,PKIX_PL_OcspCertID_Create failed),
+PKIX_ERRORENTRY(OCSPCERTIDGETFRESHCACHESTATUSFAILED,PKIX_PL_OcspCertID_GetFreshCacheStatus returned an error),
+PKIX_ERRORENTRY(OCSPCERTIDREMEMBEROCSPFAILUREDFAILED,PKIX_PL_OcspCertID_RememberOCSPProcessingFailure),
 PKIX_ERRORENTRY(OCSPCHECKERCREATEFAILED,PKIX_OcspChecker_Create failed),
 PKIX_ERRORENTRY(OCSPREQUESTCREATEFAILED,PKIX_PL_OcspRequest_Create failed),
 PKIX_ERRORENTRY(OCSPREQUESTGETCERTIDFAILED,pkix_pl_OcspRequest_GetCertID failed),
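Review bot: The new `OCSPCERTIDREMEMBEROCSPFAILUREDFAILED` entry has a message that is only the function name, `PKIX_PL_OcspCertID_RememberOCSPProcessingFailure`, without the ` failed` suffix its neighbours carry, so a log line built from it does not read as an error. The identifier also spells `FAILURED`. Suggested: `PKIX_ERRORENTRY(OCSPCERTIDREMEMBEROCSPFAILUREFAILED,PKIX_PL_OcspCertID_RememberOCSPProcessingFailure failed),` with the users of the old name, which are outside this hunk, renamed in the same change.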
@@ -851,6 +851,7 @@ PKIX_ERRORENTRY(OUTOFMEMORY,Out of Memory),
 PKIX_ERRORENTRY(PK11CERTSTORECERTQUERYFAILED,pkix_pl_Pk11CertStore_CertQuery failed),
 PKIX_ERRORENTRY(PK11CERTSTORECREATEFAILED,PKIX_PL_Pk11CertStore_Create failed),
 PKIX_ERRORENTRY(PK11CERTSTORECRLQUERYFAILED,pkix_pl_Pk11CertStore_CrlQuery failed),
+PKIX_ERRORENTRY(PKIXUNKNOWNERROR,PKIX uninitialized error code),
 PKIX_ERRORENTRY(POLICYCHECKERCALCULATEINTERSECTIONFAILED,pkix_PolicyChecker_CalculateIntersection failed),
 PKIX_ERRORENTRY(POLICYCHECKERCHECKANYFAILED,pkix_PolicyChecker_CheckAny failed),
 PKIX_ERRORENTRY(POLICYCHECKERCHECKPOLICYRECURSIVEFAILED,pkix_PolicyChecker_CheckPolicyRecursive failed),
@@ -874,6 +875,7 @@ PKIX_ERRORENTRY(POLICYNODEGETPOLICYQUALIFIERSFAILED,PKIX_PolicyNode_GetPolicyQua
 PKIX_ERRORENTRY(POLICYNODEGETVALIDPOLICYFAILED,PKIX_PolicyNode_GetValidPolicy failed),
 PKIX_ERRORENTRY(POLICYNODEISCRITICALFAILED,PKIX_PolicyNode_IsCritical failed),
 PKIX_ERRORENTRY(POLICYNODEPRUNEFAILED,pkix_PolicyNode_Prune failed),
+PKIX_ERRORENTRY(POLICYTREETOOIDSFAILED,Failed to convert policy tree to oid),
 PKIX_ERRORENTRY(PORTARENAALLOCFAILED,PORT_ArenaAlloc failed),
 PKIX_ERRORENTRY(PORTARENAZNEWFAILED,PORT_ArenaZNew failed),
 PKIX_ERRORENTRY(PORTNEWARENAFAILED,PORT_NewArena failed),
@@ -901,11 +903,11 @@ PKIX_ERRORENTRY(PROCESSINGPARAMSGETCERTSTORESFAILED,PKIX_ProcessingParams_GetCer
 PKIX_ERRORENTRY(PROCESSINGPARAMSGETDATEFAILED,PKIX_ProcessingParams_GetDate failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSGETHINTCERTSFAILED,PKIX_ProcessingParams_GetHintCerts failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSGETINITIALPOLICIESFAILED,PKIX_ProcessingParams_GetInitialPolicies failed),
+PKIX_ERRORENTRY(PROCESSINGPARAMSGETNISTREVPOLICYENABLEDFAILED,pkix_ProcessingParams_GetNISTRevocationPolicyEnabled failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSGETPOLICYQUALIFIERSREJECTEDFAILED,PKIX_ProcessingParams_GetPolicyQualifiersRejected failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSGETRESOURCELIMITSFAILED,PKIX_ProcessingParams_GetResourceLimits failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSGETREVOCATIONCHECKERSFAILED,PKIX_ProcessingParams_GetRevocationCheckers failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSGETREVOCATIONENABLEDFAILED,PKIX_ProcessingParams_GetRevocationEnabled failed),
-PKIX_ERRORENTRY(PROCESSINGPARAMSGETNISTREVPOLICYENABLEDFAILED,pkix_ProcessingParams_GetNISTRevocationPolicyEnabled failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED,PKIX_ProcessingParams_GetTargetCertConstraints failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSGETTRUSTANCHORSFAILED,PKIX_ProcessingParams_GetTrustAnchors failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSISANYPOLICYINHIBITEDFAILED,PKIX_ProcessingParams_IsAnyPolicyInhibited failed),
@@ -915,11 +917,11 @@ PKIX_ERRORENTRY(PROCESSINGPARAMSSETANYPOLICYINHIBITED,PKIX_ProcessingParams_SetA
 PKIX_ERRORENTRY(PROCESSINGPARAMSSETCERTSTORESFAILED,PKIX_ProcessingParams_SetCertStores failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSSETDATEFAILED,PKIX_ProcessingParams_SetDate failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSSETEXPLICITPOLICYREQUIRED,PKIX_ProcessingParams_SetExplicitPolicyRequired failed),
-PKIX_ERRORENTRY(PROCESSINGPARAMSSETINITIALPOLICIESFAILED,PKIX_ProcessingParams_SetInitialPolicies failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSSETHINTCERTSFAILED,PKIX_ProcessingParams_SetHintCerts failed),
+PKIX_ERRORENTRY(PROCESSINGPARAMSSETINITIALPOLICIESFAILED,PKIX_ProcessingParams_SetInitialPolicies failed),
+PKIX_ERRORENTRY(PROCESSINGPARAMSSETNISTREVOCATIONENABLEDFAILED,PKIX_ProcessingParams_SetNISTRevocationEnabled failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED,PKIX_ProcessingParams_SetPolicyMappingInhibited failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSSETREVOCATIONENABLEDFAILED,PKIX_ProcessingParams_SetRevocationEnabled failed),
-PKIX_ERRORENTRY(PROCESSINGPARAMSSETNISTREVOCATIONENABLEDFAILED,PKIX_ProcessingParams_SetNISTRevocationEnabled failed),
 PKIX_ERRORENTRY(PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED,PKIX_ProcessingParams_SetTargetCertConstraints failed),
 PKIX_ERRORENTRY(PRPOLLFAILED,PR_Poll failed),
 PKIX_ERRORENTRY(PRPOLLRETBADFILENUM,PR_Poll failed),
@@ -966,6 +968,7 @@ PKIX_ERRORENTRY(SECQUICKDERDECODERFAILED,SEC_QuickDERDecodeItem failed),
 PKIX_ERRORENTRY(SECREADPKCS7CERTSFAILED,SEC_ReadPKCS7Certs failed),
 PKIX_ERRORENTRY(SELECTORMATCHFAILED,selectorMatch failed),
 PKIX_ERRORENTRY(SESSIONNOTANHTTPDEFAULTCLIENT,session is not an HttpDefaultClient),
+PKIX_ERRORENTRY(SETPOLICIESFAILED,Fail to set cert validation policies),
 PKIX_ERRORENTRY(SHUTDOWNFAILED,PKIX_PL_Shutdown failed),
 PKIX_ERRORENTRY(SIGNATURECHECKERINITIALIZEFAILED,pkix_SignatureChecker_Initialize failed),
 PKIX_ERRORENTRY(SIGNATURECHECKERSTATECREATEFAILED,pkix_SignatureCheckerState_Create failed),
@@ -1001,11 +1004,11 @@ PKIX_ERRORENTRY(STRINGHASHCODEFAILED,pkix_pl_String_Hashcode failed),
 PKIX_ERRORENTRY(SUBJALTNAMECHECKFAILED,Validation failed: SubjAltNamecheck failed),
 PKIX_ERRORENTRY(TARGETCERTCHECKERINITIALIZEFAILED,pkix_TargetCertChecker_Initialize failed),
 PKIX_ERRORENTRY(TARGETCERTCHECKERSTATECREATEFAILED,pkix_TargetCertCheckerState_Create failed),
-PKIX_ERRORENTRY(TESTPOLICYEXTWITHNOPOLICYQUALIFIERS, Policies extension but no Policy Qualifiers),
+PKIX_ERRORENTRY(TESTANOTHERERRORMESSAGE, Another Error Message),
+PKIX_ERRORENTRY(TESTERRORMESSAGE, Error Message),
 PKIX_ERRORENTRY(TESTNOMATCHINGPOLICY, No Matching Policy),
 PKIX_ERRORENTRY(TESTNOTANERRORCRLSELECTMISMATCH, Not an error CRL Select mismatch),
-PKIX_ERRORENTRY(TESTERRORMESSAGE, Error Message),
-PKIX_ERRORENTRY(TESTANOTHERERRORMESSAGE, Another Error Message),
+PKIX_ERRORENTRY(TESTPOLICYEXTWITHNOPOLICYQUALIFIERS, Policies extension but no Policy Qualifiers),
 PKIX_ERRORENTRY(TIMECONSUMEDEXCEEDSRESOURCELIMITS,Time consumed exceeds Resource Limits),
 PKIX_ERRORENTRY(TOOLITTLEDATAINDERSEQUENCE,Too little data in DER Sequence),
 PKIX_ERRORENTRY(TOOMUCHDATAINDERSEQUENCE,Too much data in DER Sequence),
@@ -1016,6 +1019,7 @@ PKIX_ERRORENTRY(TRUSTANCHORGETCANAMEFAILED,PKIX_TrustAnchor_GetCAName failed),
 PKIX_ERRORENTRY(TRUSTANCHORGETCAPUBLICKEYFAILED,PKIX_TrustAnchor_GetCAPublicKey failed),
 PKIX_ERRORENTRY(TRUSTANCHORGETNAMECONSTRAINTSFAILED,PKIX_TrustAnchor_GetNameConstraints failed),
 PKIX_ERRORENTRY(TRUSTANCHORGETTRUSTEDCERTFAILED,PKIX_TrustAnchor_GetTrustedCert failed),
+PKIX_ERRORENTRY(TRUSTANCHORTOCERTFAILED,Fail to convert trust anchor to cert),
 PKIX_ERRORENTRY(TYPEALREADYREGISTERED,Type is already registered),
 PKIX_ERRORENTRY(UNABLETOADDACCEPTABLERESPONSESTOREQUEST,Unable to add acceptableResponses to request),
 PKIX_ERRORENTRY(UNABLETOADDCERTTOCERTLIST,Unable to add Cert to CertList),
@@ -1064,6 +1068,7 @@ PKIX_ERRORENTRY(UTF16TOESCASCIIFAILED,pkix_UTF16_to_EscASCII failed),
 PKIX_ERRORENTRY(UTF16TOUTF8FAILED,pkix_UTF16_to_UTF8 failed),
 PKIX_ERRORENTRY(UTF8TOUTF16FAILED,pkix_UTF8_to_UTF16 failed),
 PKIX_ERRORENTRY(VALIDATEBUILDUSEROIDSFAILED,pkix_Validate_BuildUserOIDs failed),
+PKIX_ERRORENTRY(VALIDATECERTCHAINFAILED,Failed to validate cert chain),
 PKIX_ERRORENTRY(VALIDATECHAINFAILED,PKIX_ValidateChain failed),
 PKIX_ERRORENTRY(VALIDATEPARAMSGETCERTCHAINFAILED,PKIX_ValidateParams_GetCertChain failed),
 PKIX_ERRORENTRY(VALIDATEPARAMSGETPROCESSINGPARAMSFAILED,PKIX_ValidateParams_GetProcessingParams failed),
@@ -1096,4 +1101,3 @@ PKIX_ERRORENTRY(X500NAMEMATCHFAILED,PKIX_PL_X500Name_Match failed),
 PKIX_ERRORENTRY(X500NAMETOSTRINGFAILED,PKIX_PL_X500Name_ToString failed),
 PKIX_ERRORENTRY(X500NAMETOSTRINGHELPERFAILED,pkix_pl_X500Name_ToString_Helper failed),
 PKIX_ERRORENTRY(ZEROLENGTHBYTEARRAYFORCRLENCODING,Zero-length ByteArray for CRL encoding)
-
diff --git a/security/nss/lib/libpkix/include/pkix_pl_pki.h b/security/nss/lib/libpkix/include/pkix_pl_pki.h
index 86ed45f..02a4fa1 100755
--- a/security/nss/lib/libpkix/include/pkix_pl_pki.h
+++ b/security/nss/lib/libpkix/include/pkix_pl_pki.h
@@ -2572,6 +2572,7 @@ typedef PKIX_Error * PKIX_Error * pkix_pl_OcspRequest_Create( PKIX_PL_Cert *cert, + PKIX_PL_OcspCertID *cid, PKIX_PL_Date *validity, PKIX_Boolean addServiceLocator, PKIX_PL_Cert *signerCert, @@ -2613,6 +2614,7 @@ pkix_pl_OcspResponse_VerifySignature( PKIX_Error * pkix_pl_OcspResponse_GetStatusForCert( + PKIX_PL_OcspCertID *cid, PKIX_PL_OcspResponse *response, PKIX_Boolean *pPassed, SECErrorCodes *pReturnCode, diff --git a/security/nss/lib/libpkix/include/pkixt.h b/security/nss/lib/libpkix/include/pkixt.h index fe4bf96..54360dd 100755 --- a/security/nss/lib/libpkix/include/pkixt.h +++ b/security/nss/lib/libpkix/include/pkixt.h @@ -20,6 +20,7 @@ * * Contributor(s): * Sun Microsystems, Inc. + * Red Hat, Inc. * * Alternatively, the contents of this file may be used under the terms of * either the GNU General Public License Version 2 or later (the "GPL"), or @@ -161,6 +162,7 @@ typedef struct PKIX_PL_LdapDefaultClientStruct PKIX_PL_LdapDefaultClient; typedef struct PKIX_PL_SocketStruct PKIX_PL_Socket; typedef struct PKIX_PL_InfoAccessStruct PKIX_PL_InfoAccess; typedef struct PKIX_PL_AIAMgrStruct PKIX_PL_AIAMgr; +typedef struct PKIX_PL_OcspCertIDStruct PKIX_PL_OcspCertID; typedef struct PKIX_PL_OcspRequestStruct PKIX_PL_OcspRequest; typedef struct PKIX_PL_OcspResponseStruct PKIX_PL_OcspResponse; typedef struct PKIX_PL_HttpClientStruct PKIX_PL_HttpClient; 
@@ -195,66 +197,67 @@ typedef int PKIX_Boolean; * Every reference-counted PKIX_PL_Object is associated with an integer type. */ #define PKIX_TYPES \ - TYPEMACRO(OBJECT), \ + TYPEMACRO(AIAMGR), \ + TYPEMACRO(BASICCONSTRAINTSCHECKERSTATE), \ TYPEMACRO(BIGINT), \ + TYPEMACRO(BUILDRESULT), \ TYPEMACRO(BYTEARRAY), \ - TYPEMACRO(ERROR), \ - TYPEMACRO(HASHTABLE), \ - TYPEMACRO(LIST), \ - TYPEMACRO(LOGGER), \ - TYPEMACRO(MUTEX), \ - TYPEMACRO(OID), \ - TYPEMACRO(RWLOCK), \ - TYPEMACRO(STRING), \ - TYPEMACRO(CERTBASICCONSTRAINTS), \ TYPEMACRO(CERT), \ - TYPEMACRO(CRL), \ - TYPEMACRO(CRLENTRY), \ - TYPEMACRO(DATE), \ - TYPEMACRO(GENERALNAME), \ - TYPEMACRO(CERTNAMECONSTRAINTS), \ - TYPEMACRO(PUBLICKEY), \ - TYPEMACRO(TRUSTANCHOR), \ - TYPEMACRO(X500NAME), \ - TYPEMACRO(HTTPCERTSTORECONTEXT), \ - TYPEMACRO(BUILDRESULT), \ - TYPEMACRO(PROCESSINGPARAMS), \ - TYPEMACRO(VALIDATEPARAMS), \ - TYPEMACRO(VALIDATERESULT), \ - TYPEMACRO(CERTSTORE), \ + TYPEMACRO(CERTBASICCONSTRAINTS), \ TYPEMACRO(CERTCHAINCHECKER), \ - TYPEMACRO(REVOCATIONCHECKER), \ - TYPEMACRO(CERTSELECTOR), \ - TYPEMACRO(COMCERTSELPARAMS), \ - TYPEMACRO(CRLSELECTOR), \ - TYPEMACRO(COMCRLSELPARAMS), \ + TYPEMACRO(CERTNAMECONSTRAINTS), \ + TYPEMACRO(CERTNAMECONSTRAINTSCHECKERSTATE), \ + TYPEMACRO(CERTPOLICYCHECKERSTATE), \ TYPEMACRO(CERTPOLICYINFO), \ - TYPEMACRO(CERTPOLICYQUALIFIER), \ TYPEMACRO(CERTPOLICYMAP), \ TYPEMACRO(CERTPOLICYNODE), \ - TYPEMACRO(TARGETCERTCHECKERSTATE), \ - TYPEMACRO(BASICCONSTRAINTSCHECKERSTATE), \ - TYPEMACRO(CERTPOLICYCHECKERSTATE), \ + TYPEMACRO(CERTPOLICYQUALIFIER), \ + TYPEMACRO(CERTSELECTOR), \ + TYPEMACRO(CERTSTORE), \ TYPEMACRO(COLLECTIONCERTSTORECONTEXT), \ + TYPEMACRO(COMCERTSELPARAMS), \ + TYPEMACRO(COMCRLSELPARAMS), \ + TYPEMACRO(CRL), \ + TYPEMACRO(CRLENTRY), \ + TYPEMACRO(CRLSELECTOR), \ + TYPEMACRO(DATE), \ TYPEMACRO(DEFAULTCRLCHECKERSTATE), \ - TYPEMACRO(FORWARDBUILDERSTATE), \ - TYPEMACRO(SIGNATURECHECKERSTATE), \ - TYPEMACRO(CERTNAMECONSTRAINTSCHECKERSTATE), \ 
TYPEMACRO(DEFAULTREVOCATIONCHECKER), \ + TYPEMACRO(EKUCHECKER), \ + TYPEMACRO(ERROR), \ + TYPEMACRO(FORWARDBUILDERSTATE), \ + TYPEMACRO(GENERALNAME), \ + TYPEMACRO(HASHTABLE), \ + TYPEMACRO(HTTPCERTSTORECONTEXT), \ + TYPEMACRO(HTTPDEFAULTCLIENT), \ + TYPEMACRO(INFOACCESS), \ + TYPEMACRO(LDAPDEFAULTCLIENT), \ TYPEMACRO(LDAPREQUEST), \ TYPEMACRO(LDAPRESPONSE), \ - TYPEMACRO(LDAPDEFAULTCLIENT), \ - TYPEMACRO(SOCKET), \ - TYPEMACRO(RESOURCELIMITS), \ + TYPEMACRO(LIST), \ + TYPEMACRO(LOGGER), \ TYPEMACRO(MONITORLOCK), \ - TYPEMACRO(INFOACCESS), \ - TYPEMACRO(AIAMGR), \ + TYPEMACRO(MUTEX), \ + TYPEMACRO(OBJECT), \ + TYPEMACRO(OCSPCERTID), \ TYPEMACRO(OCSPCHECKER), \ TYPEMACRO(OCSPREQUEST), \ TYPEMACRO(OCSPRESPONSE), \ - TYPEMACRO(HTTPDEFAULTCLIENT), \ + TYPEMACRO(OID), \ + TYPEMACRO(PROCESSINGPARAMS), \ + TYPEMACRO(PUBLICKEY), \ + TYPEMACRO(RESOURCELIMITS), \ + TYPEMACRO(REVOCATIONCHECKER), \ + TYPEMACRO(RWLOCK), \ + TYPEMACRO(SIGNATURECHECKERSTATE), \ + TYPEMACRO(SOCKET), \ + TYPEMACRO(STRING), \ + TYPEMACRO(TARGETCERTCHECKERSTATE), \ + TYPEMACRO(TRUSTANCHOR), \ + TYPEMACRO(VALIDATEPARAMS), \ + TYPEMACRO(VALIDATERESULT), \ TYPEMACRO(VERIFYNODE), \ - TYPEMACRO(EKUCHECKER) + TYPEMACRO(X500NAME) #define TYPEMACRO(type) PKIX_ ## type ## _TYPE 
@@ -283,77 +286,77 @@ typedef enum { /* Now invoke all those TYPEMACROs to assign the numbers */ * PKIX_MUTEX_ERROR is defined in pkixt.h as 4, and PKIX_ERRORCLASSNAMES[4] is * initialized in pkix_error.c with the value "MUTEX". */ - #define PKIX_ERRORCLASSES \ - ERRMACRO(OBJECT), \ - ERRMACRO(FATAL), \ - ERRMACRO(MEM), \ - ERRMACRO(ERROR), \ - ERRMACRO(MUTEX), \ - ERRMACRO(RWLOCK), \ - ERRMACRO(STRING), \ - ERRMACRO(OID), \ - ERRMACRO(LIST), \ - ERRMACRO(BYTEARRAY), \ + ERRMACRO(AIAMGR), \ + ERRMACRO(BASICCONSTRAINTSCHECKERSTATE), \ ERRMACRO(BIGINT), \ - ERRMACRO(HASHTABLE), \ + ERRMACRO(BUILD), \ + ERRMACRO(BUILDRESULT), \ + ERRMACRO(BYTEARRAY), \ ERRMACRO(CERT), \ - ERRMACRO(X500NAME), \ - ERRMACRO(GENERALNAME), \ - ERRMACRO(PUBLICKEY), \ - ERRMACRO(DATE), \ - ERRMACRO(TRUSTANCHOR), \ - ERRMACRO(PROCESSINGPARAMS), \ - ERRMACRO(VALIDATEPARAMS), \ - ERRMACRO(VALIDATE), \ - ERRMACRO(VALIDATERESULT), \ - ERRMACRO(CERTCHAINCHECKER), \ - ERRMACRO(CERTSELECTOR), \ - ERRMACRO(COMCERTSELPARAMS), \ - ERRMACRO(TARGETCERTCHECKERSTATE), \ ERRMACRO(CERTBASICCONSTRAINTS), \ - ERRMACRO(CERTPOLICYQUALIFIER), \ + ERRMACRO(CERTCHAINCHECKER), \ + ERRMACRO(CERTNAMECONSTRAINTS), \ + ERRMACRO(CERTNAMECONSTRAINTSCHECKERSTATE), \ + ERRMACRO(CERTPOLICYCHECKERSTATE), \ ERRMACRO(CERTPOLICYINFO), \ + ERRMACRO(CERTPOLICYMAP), \ ERRMACRO(CERTPOLICYNODE), \ - ERRMACRO(CERTPOLICYCHECKERSTATE), \ - ERRMACRO(LIFECYCLE), \ - ERRMACRO(BASICCONSTRAINTSCHECKERSTATE), \ - ERRMACRO(COMCRLSELPARAMS), \ + ERRMACRO(CERTPOLICYQUALIFIER), \ + ERRMACRO(CERTSELECTOR), \ ERRMACRO(CERTSTORE), \ + ERRMACRO(CERTVFYPKIX), \ ERRMACRO(COLLECTIONCERTSTORECONTEXT), \ - ERRMACRO(DEFAULTCRLCHECKERSTATE), \ + ERRMACRO(COMCERTSELPARAMS), \ + ERRMACRO(COMCRLSELPARAMS), \ + ERRMACRO(CONTEXT), \ ERRMACRO(CRL), \ ERRMACRO(CRLENTRY), \ ERRMACRO(CRLSELECTOR), \ - ERRMACRO(CERTPOLICYMAP), \ - ERRMACRO(BUILD), \ - ERRMACRO(BUILDRESULT), \ - ERRMACRO(HTTPCERTSTORECONTEXT), \ - ERRMACRO(FORWARDBUILDERSTATE), \ - 
ERRMACRO(SIGNATURECHECKERSTATE), \ - ERRMACRO(CERTNAMECONSTRAINTS), \ - ERRMACRO(CERTNAMECONSTRAINTSCHECKERSTATE), \ - ERRMACRO(REVOCATIONCHECKER), \ - ERRMACRO(USERDEFINEDMODULES), \ - ERRMACRO(CONTEXT), \ + ERRMACRO(DATE), \ + ERRMACRO(DEFAULTCRLCHECKERSTATE), \ ERRMACRO(DEFAULTREVOCATIONCHECKER), \ - ERRMACRO(LDAPREQUEST), \ - ERRMACRO(LDAPRESPONSE), \ + ERRMACRO(EKUCHECKER), \ + ERRMACRO(ERROR), \ + ERRMACRO(FATAL), \ + ERRMACRO(FORWARDBUILDERSTATE), \ + ERRMACRO(GENERALNAME), \ + ERRMACRO(HASHTABLE), \ + ERRMACRO(HTTPCERTSTORECONTEXT), \ + ERRMACRO(HTTPDEFAULTCLIENT), \ + ERRMACRO(INFOACCESS), \ ERRMACRO(LDAPCLIENT), \ ERRMACRO(LDAPDEFAULTCLIENT), \ - ERRMACRO(SOCKET), \ - ERRMACRO(RESOURCELIMITS), \ + ERRMACRO(LDAPREQUEST), \ + ERRMACRO(LDAPRESPONSE), \ + ERRMACRO(LIFECYCLE), \ + ERRMACRO(LIST), \ ERRMACRO(LOGGER), \ + ERRMACRO(MEM), \ ERRMACRO(MONITORLOCK), \ - ERRMACRO(INFOACCESS), \ - ERRMACRO(AIAMGR), \ + ERRMACRO(MUTEX), \ + ERRMACRO(OBJECT), \ + ERRMACRO(OCSPCERTID), \ ERRMACRO(OCSPCHECKER), \ ERRMACRO(OCSPREQUEST), \ ERRMACRO(OCSPRESPONSE), \ - ERRMACRO(HTTPDEFAULTCLIENT), \ + ERRMACRO(OID), \ + ERRMACRO(PROCESSINGPARAMS), \ + ERRMACRO(PUBLICKEY), \ + ERRMACRO(RESOURCELIMITS), \ + ERRMACRO(REVOCATIONCHECKER), \ + ERRMACRO(RWLOCK), \ + ERRMACRO(SIGNATURECHECKERSTATE), \ + ERRMACRO(SOCKET), \ + ERRMACRO(STRING), \ + ERRMACRO(TARGETCERTCHECKERSTATE), \ + ERRMACRO(TRUSTANCHOR), \ + ERRMACRO(USERDEFINEDMODULES), \ + ERRMACRO(VALIDATE), \ + ERRMACRO(VALIDATEPARAMS), \ + ERRMACRO(VALIDATERESULT), \ ERRMACRO(VERIFYNODE), \ - ERRMACRO(EKUCHECKER), \ - ERRMACRO(CERTVFYPKIX) + ERRMACRO(X500NAME) #define ERRMACRO(type) PKIX_ ## type ## _ERROR 
@@ -472,17 +475,17 @@ PKIX_Error* PKIX_ALLOC_ERROR(void); /* * Define Certificate Extension hard-coded OID's */ -#define PKIX_CERTKEYUSAGE_OID "2.5.29.15" -#define PKIX_CERTSUBJALTNAME_OID "2.5.29.17" -#define PKIX_BASICCONSTRAINTS_OID "2.5.29.19" -#define PKIX_CRLREASONCODE_OID "2.5.29.21" -#define PKIX_NAMECONSTRAINTS_OID "2.5.29.30" -#define PKIX_CERTIFICATEPOLICIES_OID "2.5.29.32" +#define PKIX_CERTKEYUSAGE_OID "2.5.29.15" +#define PKIX_CERTSUBJALTNAME_OID "2.5.29.17" +#define PKIX_BASICCONSTRAINTS_OID "2.5.29.19" +#define PKIX_CRLREASONCODE_OID "2.5.29.21" +#define PKIX_NAMECONSTRAINTS_OID "2.5.29.30" +#define PKIX_CERTIFICATEPOLICIES_OID "2.5.29.32" #define PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID "2.5.29.32.0" -#define PKIX_POLICYMAPPINGS_OID "2.5.29.33" -#define PKIX_POLICYCONSTRAINTS_OID "2.5.29.36" -#define PKIX_EXTENDEDKEYUSAGE_OID "2.5.29.37" -#define PKIX_INHIBITANYPOLICY_OID "2.5.29.54" +#define PKIX_POLICYMAPPINGS_OID "2.5.29.33" +#define PKIX_POLICYCONSTRAINTS_OID "2.5.29.36" +#define PKIX_EXTENDEDKEYUSAGE_OID "2.5.29.37" +#define PKIX_INHIBITANYPOLICY_OID "2.5.29.54" #define PKIX_NSCERTTYPE_OID "2.16.840.1.113730.1.1" #ifdef __cplusplus diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c index 3b79c88..d968b0e 100644 --- a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c +++ b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c @@ -20,6 +20,7 @@ * * Contributor(s): * Sun Microsystems, Inc. + * Red Hat, Inc. * * Alternatively, the contents of this file may be used under the terms of * either the GNU General Public License Version 2 or later (the "GPL"), or @@ -42,6 +43,8 @@ */ #include "pkix_ocspchecker.h" +#include "pkix_pl_ocspcertid.h" +#include "pkix_error.h" /* --Private-Functions-------------------------------------------- */ 
@@ -143,11 +146,13 @@ pkix_OcspChecker_Check( PKIX_UInt32 *pResultCode, void *plContext) { - SECErrorCodes resultCode = 0; + SECErrorCodes resultCode = SEC_ERROR_REVOKED_CERTIFICATE_OCSP; PKIX_Boolean uriFound = PKIX_FALSE; PKIX_Boolean passed = PKIX_FALSE; PKIX_OcspChecker *checker = NULL; + PKIX_PL_OcspCertID *cid = NULL; PKIX_PL_OcspRequest *request = NULL; + PKIX_PL_Date *validity = NULL; void *nbioContext = NULL; PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_Check"); @@ -167,13 +172,47 @@ pkix_OcspChecker_Check( if (nbioContext == 0) { /* We are initiating a check, not resuming previous I/O. */ + PKIX_Boolean hasFreshStatus = PKIX_FALSE; + PKIX_Boolean statusIsGood = PKIX_FALSE; + + PKIX_CHECK(PKIX_PL_OcspCertID_Create + (cert, + validity, + &cid, + plContext), + PKIX_OCSPCERTIDCREATEFAILED); + + if (!cid) { + goto cleanup; + } + + PKIX_CHECK(PKIX_PL_OcspCertID_GetFreshCacheStatus + (cid, + validity, + &hasFreshStatus, + &statusIsGood, + &resultCode, + plContext), + PKIX_OCSPCERTIDGETFRESHCACHESTATUSFAILED); + + if (hasFreshStatus) { + /* avoid updating the cache with a cached result... */ + passed = PKIX_TRUE; + + if (statusIsGood) { + resultCode = 0; + } + goto cleanup; + } + PKIX_INCREF(cert); checker->cert = cert; /* create request */ PKIX_CHECK(pkix_pl_OcspRequest_Create (cert, - NULL, /* PKIX_PL_Date *validity */ + cid, + validity, PKIX_FALSE, /* PKIX_Boolean addServiceLocator */ NULL, /* PKIX_PL_Cert *signerCert */ &uriFound, @@ -183,6 +222,7 @@ pkix_OcspChecker_Check( /* No uri to check is considered passing! */ if (uriFound == PKIX_FALSE) { + /* no caching for certs lacking URI */ passed = PKIX_TRUE; resultCode = 0; goto cleanup; 
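Review bot: `cid` is created only inside the `if (nbioContext == 0)` branch of the `@@ -167,13 +172,47 @@` hunk, yet the later `@@ -244,12 +284,22 @@` hunk passes it to `pkix_pl_OcspResponse_GetStatusForCert` and keys the failure caching in cleanup on it. If this function is re-entered to resume pending non-blocking I/O (the resume path lies outside the hunks, so this is inferred), `cid` would still be NULL at that call and the status lookup would receive no certificate ID. Either keep the ID with the checker state next to `checker->cert` or recreate it on the resume path, and if NULL is acceptable there say so with a comment such as `/* cid is only set on the initiating call */`. The body of `pkix_OcspChecker_Check` starts and ends outside these hunks.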
@@ -244,12 +284,22 @@ pkix_OcspChecker_Check( } PKIX_CHECK(pkix_pl_OcspResponse_GetStatusForCert - ((checker->response), &passed, &resultCode, plContext), + (cid, (checker->response), &passed, &resultCode, plContext), PKIX_OCSPRESPONSEGETSTATUSFORCERTFAILED); cleanup: + if (!passed && cid) { + PKIX_Error *err; + err = PKIX_PL_OcspCertID_RememberOCSPProcessingFailure( + cid, plContext); + if (err) { + PKIX_PL_Object_DecRef((PKIX_PL_Object*)err, plContext); + } + } + *pResultCode = (PKIX_UInt32)resultCode; + PKIX_DECREF(cid); PKIX_DECREF(request); PKIX_DECREF(checker->response); @@ -269,7 +319,6 @@ pkix_OcspChecker_Create( void *plContext) { PKIX_OcspChecker *checkerObject = NULL; - PKIX_RevocationChecker *revChecker = NULL; PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_Create"); PKIX_NULLCHECK_ONE(pChecker); diff --git a/security/nss/lib/libpkix/pkix/top/pkix_defaultcrlchecker.c b/security/nss/lib/libpkix/pkix/top/pkix_defaultcrlchecker.c index 3244a90..da333ae 100755 --- a/security/nss/lib/libpkix/pkix/top/pkix_defaultcrlchecker.c +++ b/security/nss/lib/libpkix/pkix/top/pkix_defaultcrlchecker.c @@ -58,6 +58,9 @@ static char *reasonCodeMsgString[] = { "Certificate is revoked by CRL for aACompromise", }; +static const int numReasonCodes = + sizeof(reasonCodeMsgString) / sizeof(reasonCodeMsgString[0]); + /* --Private-DefaultCRLCheckerState-Functions------------------------------- */ /* @@ -433,8 +436,9 @@ pkix_DefaultCRLChecker_CheckCRLs( /* Set reason code in state for advance CRL reviewing */ - if (reasonCode >= 0 && - reasonCode < sizeof (reasonCodeMsgString)) { + if (reasonCode >= 0) { + if (reasonCode >= numReasonCodes) + reasonCode = 0; state->reasonCodeMask |= 1 << reasonCode; PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG 
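Review bot: The new cleanup block treats every exit with `passed` still false as an OCSP processing failure for `cid`, which covers local errors raised through `PKIX_CHECK` as well as a real responder failure, and possibly an exit taken while I/O is still pending (that branch is not visible in the hunk). Together with the new default `resultCode = SEC_ERROR_REVOKED_CERTIFICATE_OCSP`, a transient local error would be reported as a revocation and then remembered in the cache, so later checks could see the stale failure without contacting the responder. Consider recording the failure only after a request was actually attempted, and document the discarded error with a comment like `/* best effort: a cache update failure must not replace the check result */`. The function continues outside the hunk.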
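Review bot: In the `@@ -433,8 +436,9 @@` hunk an out-of-range reason code is rewritten to 0 before it is recorded, so `state->reasonCodeMask` and the debug message report it as the table entry at index 0 and the original value is lost. That is a safe bound for the `reasonCodeMsgString[reasonCode]` lookup, but the choice deserves a comment, for example `/* unknown reason codes are folded into reason 0 */`, and braces around the nested `if`. The same pattern is in the `@@ -726,12 +730,13 @@` hunk of `pkix_DefaultCRLChecker_Check_Store`, where the value is read from the CRL entry and the mask bit also moves from `reasonCode - 1` to `reasonCode`; any reader of `allReasonCodes` outside the hunk should be checked against the new bit positions. Both functions continue outside their hunks.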
@@ -726,12 +730,13 @@ pkix_DefaultCRLChecker_Check_Store( (crlEntry, &reasonCode, plContext), PKIX_CRLENTRYGETCRLENTRYREASONCODEFAILED); - if ((reasonCode >= 0) && - (reasonCode < sizeof (reasonCodeMsgString))) { + if (reasonCode >= 0) { + if (reasonCode >= numReasonCodes) + reasonCode = 0; - allReasonCodes |= (1 << (reasonCode - 1)); + allReasonCodes |= (1 << reasonCode); - PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG + PKIX_DEFAULTCRLCHECKERSTATE_DEBUG_ARG ("CRL revocation Reason: %s\n ", reasonCodeMsgString[reasonCode]); @@ -991,7 +996,7 @@ pkix_DefaultCRLChecker_Check( PKIX_PL_PublicKey *newPublicKey = NULL; PKIX_Error *checkKeyUsageFail = NULL; PKIX_Boolean selfIssued = PKIX_FALSE; - void *nbioContext = PKIX_FALSE; + void *nbioContext = NULL; PKIX_ENTER(CERTCHAINCHECKER, "pkix_DefaultCRLChecker_Check"); PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext); diff --git a/security/nss/lib/libpkix/pkix/util/pkix_tools.h b/security/nss/lib/libpkix/pkix/util/pkix_tools.h index 86c2cb4..2096f2a 100755 --- a/security/nss/lib/libpkix/pkix/util/pkix_tools.h +++ b/security/nss/lib/libpkix/pkix/util/pkix_tools.h @@ -20,6 +20,7 @@ * * Contributor(s): * Sun Microsystems, Inc. + * Red Hat, Inc. * * Alternatively, the contents of this file may be used under the terms of * either the GNU General Public License Version 2 or later (the "GPL"), or @@ -1271,6 +1272,16 @@ extern const PKIX_StdVars zeroStdVars; #define PKIX_OCSPCHECKER_DEBUG_ARG(expr, arg) #endif +#if PKIX_OCSPCERTIDDEBUG +#define PKIX_OCSPCERTID_DEBUG(expr) \ + PKIX_DEBUG(expr) +#define PKIX_OCSPCERTID_DEBUG_ARG(expr, arg) \ + PKIX_DEBUG_ARG(expr, arg) +#else +#define PKIX_OCSPCERTID_DEBUG(expr) +#define PKIX_OCSPCERTID_DEBUG_ARG(expr, arg) +#endif + #if PKIX_OCSPREQUESTDEBUG #define PKIX_OCSPREQUEST_DEBUG(expr) \ PKIX_DEBUG(expr) diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaptemplates.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaptemplates.c index ec6c4cc..abd9fcb 100644 
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaptemplates.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaptemplates.c @@ -38,9 +38,9 @@ #include "pkix_pl_ldapt.h" -SEC_ASN1_MKSUB(SEC_AnyTemplate); -SEC_ASN1_MKSUB(SEC_NullTemplate); -SEC_ASN1_MKSUB(SEC_OctetStringTemplate); +SEC_ASN1_MKSUB(SEC_AnyTemplate) +SEC_ASN1_MKSUB(SEC_NullTemplate) +SEC_ASN1_MKSUB(SEC_OctetStringTemplate) /* * CertificatePair ::= SEQUENCE { diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn b/security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn index df9211c..34941a3 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn @@ -21,6 +21,7 @@ # # Contributor(s): # Sun Microsystems, Inc. +# Red Hat, Inc. # # Alternatively, the contents of this file may be used under the terms of # either the GNU General Public License Version 2 or later (the "GPL"), or @@ -56,6 +57,7 @@ PRIVATE_EXPORTS = \ pkix_pl_ocspresponse.h \ pkix_pl_publickey.h \ pkix_pl_x500name.h \ + pkix_pl_ocspcertid.h \ $(NULL) MODULE = nss @@ -76,6 +78,7 @@ CSRCS = \ pkix_pl_ocspresponse.c \ pkix_pl_publickey.c \ pkix_pl_x500name.c \ + pkix_pl_ocspcertid.c \ $(NULL) REQUIRES = dbm diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c new file mode 100644 index 0000000..073e632 --- /dev/null +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c 
@@ -0,0 +1,278 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the PKIX-C library. + * + * The Initial Developer of the Original Code is + * Red Hat, Inc. + * Portions created by the Initial Developer are + * Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. + * + * Contributor(s): + * Red Hat, Inc. + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. 
+ * + * ***** END LICENSE BLOCK ***** */ +/* + * pkix_pl_ocspcertid.c + * + * Certificate ID Object for OCSP + * + */ + +#include "pkix_pl_ocspcertid.h" + +/* --Private-Cert-Functions------------------------------------- */ + +/* + * FUNCTION: pkix_pl_OcspCertID_Destroy + * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h) + */ +static PKIX_Error * +pkix_pl_OcspCertID_Destroy( + PKIX_PL_Object *object, + void *plContext) +{ + PKIX_PL_OcspCertID *certID = NULL; + + PKIX_ENTER(OCSPCERTID, "pkix_pl_OcspCertID_Destroy"); + + PKIX_NULLCHECK_ONE(object); + + PKIX_CHECK(pkix_CheckType(object, PKIX_OCSPCERTID_TYPE, plContext), + PKIX_OBJECTNOTOCSPCERTID); + + certID = (PKIX_PL_OcspCertID *)object; + + if (!certID->certIDWasConsumed) { + CERT_DestroyOCSPCertID(certID->certID); + } + +cleanup: + + PKIX_RETURN(OCSPCERTID); +} + +/* + * FUNCTION: pkix_pl_OcspCertID_RegisterSelf + * DESCRIPTION: + * Registers PKIX_PUBLICKEY_TYPE and its related functions + * with systemClasses[] + * THREAD SAFETY: + * Not Thread Safe - for performance and complexity reasons + * + * Since this function is only called by PKIX_PL_Initialize, which should + * only be called once, it is acceptable that this function is not + * thread-safe. 
+ */ +PKIX_Error * +pkix_pl_OcspCertID_RegisterSelf(void *plContext) +{ + extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES]; + pkix_ClassTable_Entry entry; + + PKIX_ENTER(OCSPCERTID, "pkix_pl_OcspCertID_RegisterSelf"); + + entry.description = "OcspCertID"; + entry.objCounter = 0; + entry.typeObjectSize = sizeof(PKIX_PL_OcspCertID); + entry.destructor = pkix_pl_OcspCertID_Destroy; + entry.equalsFunction = NULL; + entry.hashcodeFunction = NULL; + entry.toStringFunction = NULL; + entry.comparator = NULL; + entry.duplicateFunction = pkix_duplicateImmutable; + systemClasses[PKIX_OCSPCERTID_TYPE] = entry; + + PKIX_RETURN(OCSPCERTID); +} + +/* --Public-Functions------------------------------------------------------- */ + +/* + * FUNCTION: PKIX_PL_OcspCertID_Create + * DESCRIPTION: + * + * This function creates an OcspCertID for a given certificate, + * to be used with OCSP transactions. + * + * If a Date is provided in "validity" it may be used in the search for the + * issuer of "cert" but has no effect on the request itself. + * + * PARAMETERS: + * "cert" + * Address of the Cert for which an OcspCertID is to be created. Must be + * non-NULL. + * "validity" + * Address of the Date for which the Cert's validity is to be determined. + * May be NULL. + * "object" + * Address at which the result is stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an OcspCertID Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. 
+ */ +PKIX_Error * +PKIX_PL_OcspCertID_Create( + PKIX_PL_Cert *cert, + PKIX_PL_Date *validity, + PKIX_PL_OcspCertID **object, + void *plContext) +{ + PKIX_PL_OcspCertID *cid; + int64 time = 0; + + PKIX_ENTER(DATE, "PKIX_PL_OcspCertID_Create"); + PKIX_NULLCHECK_TWO(cert, object); + + PKIX_CHECK(PKIX_PL_Object_Alloc + (PKIX_OCSPCERTID_TYPE, + sizeof (PKIX_PL_OcspCertID), + (PKIX_PL_Object **)&cid, + plContext), + PKIX_COULDNOTCREATEOBJECT); + + cid->certIDWasConsumed = PR_FALSE; + + if (validity != NULL) { + PKIX_CHECK(pkix_pl_Date_GetPRTime(validity, &time, plContext), + PKIX_DATEGETPRTIMEFAILED); + } else { + time = PR_Now(); + } + + cid->certID = CERT_CreateOCSPCertID(cert->nssCert, time); + if (!cid->certID) { + PKIX_ERROR(PKIX_COULDNOTCREATEOBJECT); + } + + *object = cid; + cid = NULL; +cleanup: + PKIX_DECREF(cid); + PKIX_RETURN(OCSPCERTID); +} + +/* + * FUNCTION: PKIX_PL_OcspCertID_GetFreshCacheStatus + * DESCRIPTION: + * + * This function may return cached OCSP results for the provided + * certificate, but only if stored information is still considered to be + * fresh. + * + * PARAMETERS + * "cid" + * A certificate ID as used by OCSP + * "validity" + * Optional date parameter to request validity for a specifc time. + * "hasFreshStatus" + * Output parameter, if the function successed to find fresh cached + * information, this will be set to true. Must be non-NULL. + * "statusIsGood" + * The good/bad result stored in the cache. Must be non-NULL. + * "missingResponseError" + * If OCSP status is "bad", this variable may indicate the exact + * reason why the previous OCSP request had failed. + * "plContext" + * Platform-specific context pointer. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an OcspCertID Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. 
+ */ +PKIX_Error * +PKIX_PL_OcspCertID_GetFreshCacheStatus( + PKIX_PL_OcspCertID *cid, + PKIX_PL_Date *validity, + PKIX_Boolean *hasFreshStatus, + PKIX_Boolean *statusIsGood, + SECErrorCodes *missingResponseError, + void *plContext) +{ + int64 time = 0; + SECStatus rv; + SECStatus rvOcsp; + + PKIX_ENTER(DATE, "PKIX_PL_OcspCertID_GetFreshCacheStatus"); + PKIX_NULLCHECK_THREE(cid, hasFreshStatus, statusIsGood); + + if (validity != NULL) { + PKIX_CHECK(pkix_pl_Date_GetPRTime(validity, &time, plContext), + PKIX_DATEGETPRTIMEFAILED); + } else { + time = PR_Now(); + } + + rv = ocsp_GetCachedOCSPResponseStatusIfFresh( + cid->certID, time, PR_TRUE, /*ignoreGlobalOcspFailureSetting*/ + &rvOcsp, missingResponseError); + + *hasFreshStatus = (rv == SECSuccess); + if (*hasFreshStatus) { + *statusIsGood = (rvOcsp == SECSuccess); + } +cleanup: + PKIX_RETURN(OCSPCERTID); +} + +/* + * FUNCTION: PKIX_PL_OcspCertID_RememberOCSPProcessingFailure + * DESCRIPTION: + * + * Information about the current failure associated to the given certID + * will be remembered in the cache, potentially allowing future calls + * to prevent repetitive OCSP requests. + * After this function got called, it may no longer be safe to + * use the provided cid parameter, because ownership might have been + * transfered to the cache. This status will be recorded inside the + * cid object. + * + * PARAMETERS + * "cid" + * The certificate ID associated to a failed OCSP processing. + * "plContext" + * Platform-specific context pointer. + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an OcspCertID Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. 
+ */ +PKIX_Error * +PKIX_PL_OcspCertID_RememberOCSPProcessingFailure( + PKIX_PL_OcspCertID *cid, + void *plContext) +{ + PKIX_ENTER(DATE, "PKIX_PL_OcspCertID_RememberOCSPProcessingFailure"); + + cert_RememberOCSPProcessingFailure(cid->certID, &cid->certIDWasConsumed); + + PKIX_RETURN(OCSPCERTID); +} + diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.h similarity index 63% copy from security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h copy to security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.h index d309edf..972d344 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.h @@ -14,12 +14,12 @@ * The Original Code is the PKIX-C library. * * The Initial Developer of the Original Code is - * Sun Microsystems, Inc. + * Red Hat, Inc. * Portions created by the Initial Developer are - * Copyright 2004-2007 Sun Microsystems, Inc. All Rights Reserved. + * Copyright 2008 Red Hat, Inc. All Rights Reserved. * * Contributor(s): - * Sun Microsystems, Inc. + * Red Hat, Inc. * * Alternatively, the contents of this file may be used under the terms of * either the GNU General Public License Version 2 or later (the "GPL"), or @@ -35,14 +35,14 @@ * * ***** END LICENSE BLOCK ***** */ /* - * pkix_pl_ocsprequest.h + * pkix_pl_ocspcertid.h * - * OcspRequest Object Definitions + * Public Key Object Definitions * */ -#ifndef _PKIX_PL_OCSPREQUEST_H -#define _PKIX_PL_OCSPREQUEST_H +#ifndef _PKIX_PL_OCSPCERTID_H +#define _PKIX_PL_OCSPCERTID_H #include "pkix_pl_common.h" 
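Review bot: In `PKIX_PL_OcspCertID_Create`, `cid->certID` is not initialised before `pkix_pl_Date_GetPRTime` can fail, so the `PKIX_DECREF(cid)` in cleanup runs `pkix_pl_OcspCertID_Destroy`, which hands `certID->certID` to `CERT_DestroyOCSPCertID` because `certIDWasConsumed` is false. Unless `PKIX_PL_Object_Alloc` zeroes the object (not visible here), that pointer is uninitialised; set `cid->certID = NULL;` next to `cid->certIDWasConsumed = PR_FALSE;`. `PKIX_PL_OcspCertID_RememberOCSPProcessingFailure` also dereferences `cid` without a `PKIX_NULLCHECK_ONE(cid);`. The three public functions enter with `PKIX_ENTER(DATE, ...)` but leave with `PKIX_RETURN(OCSPCERTID)`, and the `RegisterSelf` comment still says it registers `PKIX_PUBLICKEY_TYPE`; both look like copy-paste leftovers worth correcting.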
@@ -50,51 +50,38 @@ extern "C" { #endif -struct PKIX_PL_OcspRequestStruct{ - PKIX_PL_Cert *cert; - PKIX_PL_Date *validity; - PKIX_Boolean addServiceLocator; - PKIX_PL_Cert *signerCert; - CERTCertList *certList; - CERTOCSPRequest *decoded; - SECItem *encoded; - char *location; +struct PKIX_PL_OcspCertIDStruct { + CERTOCSPCertID *certID; + PRBool certIDWasConsumed; }; /* see source file for function documentation */ +PKIX_Error *pkix_pl_OcspCertID_RegisterSelf(void *plContext); + PKIX_Error * -pkix_pl_OcspRequest_Create( +PKIX_PL_OcspCertID_Create( PKIX_PL_Cert *cert, PKIX_PL_Date *validity, - PKIX_Boolean addServiceLocator, - PKIX_PL_Cert *signerCert, - PKIX_Boolean *pURIFound, - PKIX_PL_OcspRequest **pRequest, - void *plContext); - -PKIX_Error * -pkix_pl_OcspRequest_GetEncoded( - PKIX_PL_OcspRequest *request, - SECItem **pRequest, + PKIX_PL_OcspCertID **object, void *plContext); PKIX_Error * -pkix_pl_OcspRequest_GetLocation( - PKIX_PL_OcspRequest *request, - char **pLocation, +PKIX_PL_OcspCertID_GetFreshCacheStatus( + PKIX_PL_OcspCertID *cid, + PKIX_PL_Date *validity, + PKIX_Boolean *hasFreshStatus, + PKIX_Boolean *statusIsGood, + SECErrorCodes *missingResponseError, void *plContext); PKIX_Error * -pkix_pl_OcspRequest_GetCertID( - PKIX_PL_OcspRequest *request, - CERTOCSPCertID **pCertID, +PKIX_PL_OcspCertID_RememberOCSPProcessingFailure( + PKIX_PL_OcspCertID *cid, void *plContext); -PKIX_Error *pkix_pl_OcspRequest_RegisterSelf(void *plContext); - #ifdef __cplusplus } #endif -#endif /* _PKIX_PL_OCSPREQUEST_H */ +#endif /* _PKIX_PL_OCSPCERTID_H */ diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c index 161a08d..d71cbc1 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c 
@@ -53,7 +53,6 @@ pkix_pl_OcspRequest_Destroy( void *plContext) { PKIX_PL_OcspRequest *ocspReq = NULL; - PRCList *node = NULL; PKIX_ENTER(OCSPREQUEST, "pkix_pl_OcspRequest_Destroy"); PKIX_NULLCHECK_ONE(object); @@ -64,29 +63,15 @@ pkix_pl_OcspRequest_Destroy( ocspReq = (PKIX_PL_OcspRequest *)object; if (ocspReq->decoded != NULL) { - PKIX_PL_NSSCALL(OCSPREQUEST, CERT_DestroyOCSPRequest, - (ocspReq->decoded)); + CERT_DestroyOCSPRequest(ocspReq->decoded); } if (ocspReq->encoded != NULL) { - PKIX_PL_NSSCALL(OCSPREQUEST, SECITEM_FreeItem, - (ocspReq->encoded, PR_TRUE)); - } - - if (ocspReq->certList != NULL) { - /* - * The CertList thinks it owns the nssCert. If it destroys it, - * PKIX_PL_Cert_Destroy(ocspReq->cert) will crash. Let's - * remove the nssCert first, and then destroy the CertList. - */ - node = PR_LIST_HEAD(&ocspReq->certList->list); - PR_REMOVE_LINK(node); - PKIX_PL_NSSCALL(OCSPREQUEST, CERT_DestroyCertList, - (ocspReq->certList)); + SECITEM_FreeItem(ocspReq->encoded, PR_TRUE); } if (ocspReq->location != NULL) { - PKIX_PL_NSSCALL(OCSPREQUEST, PORT_Free, (ocspReq->location)); + PORT_Free(ocspReq->location); } PKIX_DECREF(ocspReq->cert); @@ -303,6 +288,7 @@ pkix_pl_OcspRequest_RegisterSelf(void *plContext) PKIX_Error * pkix_pl_OcspRequest_Create( PKIX_PL_Cert *cert, + PKIX_PL_OcspCertID *cid, PKIX_PL_Date *validity, PKIX_Boolean addServiceLocator, PKIX_PL_Cert *signerCert, @@ -315,7 +301,6 @@ pkix_pl_OcspRequest_Create( SECStatus rv = SECFailure; SECItem *encoding = NULL; CERTOCSPRequest *certRequest = NULL; - CERTCertList *certList = NULL; int64 time = 0; PRBool addServiceLocatorExtension = PR_FALSE; CERTCertificate *nssCert = NULL; 
@@ -348,18 +333,18 @@ pkix_pl_OcspRequest_Create( ocspRequest->decoded = NULL; ocspRequest->encoded = NULL; + ocspRequest->location = NULL; + nssCert = cert->nssCert; /* * Does this Cert have an Authority Information Access extension with * the URI of an OCSP responder? */ - PKIX_PL_NSSCALLRV - (OCSPREQUEST, location, CERT_GetOCSPAuthorityInfoAccessLocation, - (nssCert)); + location = CERT_GetOCSPAuthorityInfoAccessLocation(nssCert); if (location == NULL) { - PKIX_PL_NSSCALLRV(OCSPREQUEST, locError, PORT_GetError, ()); + locError = PORT_GetError(); if (locError == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) { *pURIFound = PKIX_FALSE; goto cleanup; 
@@ -375,63 +360,42 @@ pkix_pl_OcspRequest_Create( nssSignerCert = signerCert->nssCert; } - /* - * Build a CertList with this one Cert. But be careful: apparently it - * is customary for CertLists to "own" the Certs, and to destroy - * them as part of CERT_DestroyCertList. We must remember to remove - * this Cert from the List before destroying the List. Otherwise it - * will be destroyed when the CertList is destroyed and again when - * the PKIX_PL_Cert that owns it is destroyed. - */ - PKIX_PL_NSSCALLRV(OCSPREQUEST, certList, CERT_NewCertList, ()); - if (certList == NULL) { - PKIX_ERROR(PKIX_UNABLETOCREATENEWCERTLIST); - } - - ocspRequest->certList = certList; - - PKIX_PL_NSSCALLRV(OCSPREQUEST, rv, CERT_AddCertToListTail, - (certList, nssCert)); - - if (rv == SECFailure) { - PKIX_ERROR(PKIX_UNABLETOADDCERTTOCERTLIST); - } - if (validity != NULL) { PKIX_CHECK(pkix_pl_Date_GetPRTime(validity, &time, plContext), PKIX_DATEGETPRTIMEFAILED); } else { - PKIX_PL_NSSCALLRV(OCSPREQUEST, time, PR_Now, ()); + time = PR_Now(); } addServiceLocatorExtension = ((addServiceLocator == PKIX_TRUE)? 
PR_TRUE : PR_FALSE); - PKIX_PL_NSSCALLRV(OCSPREQUEST, certRequest, CERT_CreateOCSPRequest, - (certList, time, addServiceLocatorExtension, nssSignerCert)); + certRequest = cert_CreateSingleCertOCSPRequest( + cid->certID, cert->nssCert, time, + addServiceLocatorExtension, nssSignerCert); + + ocspRequest->decoded = certRequest; if (certRequest == NULL) { PKIX_ERROR(PKIX_UNABLETOCREATECERTOCSPREQUEST); } - PKIX_PL_NSSCALLRV - (OCSPREQUEST, rv, CERT_AddOCSPAcceptableResponses, - (certRequest, SEC_OID_PKIX_OCSP_BASIC_RESPONSE)); + rv = CERT_AddOCSPAcceptableResponses( + certRequest, SEC_OID_PKIX_OCSP_BASIC_RESPONSE); if (rv == SECFailure) { PKIX_ERROR(PKIX_UNABLETOADDACCEPTABLERESPONSESTOREQUEST); } - ocspRequest->decoded = certRequest; - - PKIX_PL_NSSCALLRV(OCSPREQUEST, encoding, CERT_EncodeOCSPRequest, - (NULL, certRequest, NULL)); + encoding = CERT_EncodeOCSPRequest(NULL, certRequest, NULL); ocspRequest->encoded = encoding; *pRequest = ocspRequest; + ocspRequest = NULL; cleanup: + PKIX_DECREF(ocspRequest); PKIX_RETURN(OCSPREQUEST); } 
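Review bot: The result of `CERT_EncodeOCSPRequest` at the end of `pkix_pl_OcspRequest_Create` is stored in `ocspRequest->encoded` and returned through `*pRequest` without a NULL test, so an encoding failure is reported as success and the caller gets a request with nothing to send. A guard placed before `*pRequest = ocspRequest;` would send the failure through the new `PKIX_DECREF(ocspRequest)` cleanup: `if (encoding == NULL) { PKIX_ERROR(PKIX_UNABLETOCREATECERTOCSPREQUEST); }`. The same hunk dereferences the new `cid` argument in `cid->certID`. The function's argument null check lies outside the hunks shown, so it is worth confirming that it was extended to cover `cid`.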
@@ -507,44 +471,3 @@ pkix_pl_OcspRequest_GetLocation( PKIX_RETURN(OCSPREQUEST); } - -/* - * FUNCTION: pkix_pl_OcspRequest_GetCertID - * DESCRIPTION: - * - * This function obtains the certID from the OcspRequest pointed to - * by "request", storing the result at "pCertID". - * - * PARAMETERS - * "request" - * The address of the OcspRequest whose certID is to be retrieved. Must - * be non-NULL. - * "pCertID" - * The address at which is stored the certID of the request. Must be - * non-NULL. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -PKIX_Error * -pkix_pl_OcspRequest_GetCertID( - PKIX_PL_OcspRequest *request, - CERTOCSPCertID **pCertID, - void *plContext) -{ - ocspTBSRequest *tbsRequest = NULL; - - PKIX_ENTER(OCSPREQUEST, "pkix_pl_OcspRequest_GetCertID"); - PKIX_NULLCHECK_TWO(request, pCertID); - - PKIX_NULLCHECK_ONE(request->decoded); - tbsRequest = request->decoded->tbsRequest; - PKIX_NULLCHECK_ONE(tbsRequest); - *pCertID = tbsRequest->requestList[0]->reqCert; - - PKIX_RETURN(OCSPREQUEST); -} diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h index d309edf..2012a64 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.h @@ -55,7 +55,6 @@ struct PKIX_PL_OcspRequestStruct{ PKIX_PL_Date *validity; PKIX_Boolean addServiceLocator; PKIX_PL_Cert *signerCert; - CERTCertList *certList; CERTOCSPRequest *decoded; SECItem *encoded; char *location; @@ -66,6 +65,7 @@ struct PKIX_PL_OcspRequestStruct{ PKIX_Error * pkix_pl_OcspRequest_Create( PKIX_PL_Cert *cert, + PKIX_PL_OcspCertID *cid, PKIX_PL_Date *validity, PKIX_Boolean addServiceLocator, PKIX_PL_Cert *signerCert, 
@@ -85,12 +85,6 @@ pkix_pl_OcspRequest_GetLocation( char **pLocation, void *plContext); -PKIX_Error * -pkix_pl_OcspRequest_GetCertID( - PKIX_PL_OcspRequest *request, - CERTOCSPCertID **pCertID, - void *plContext); - PKIX_Error *pkix_pl_OcspRequest_RegisterSelf(void *plContext); #ifdef __cplusplus diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c index 8cbb1f3..4fe32ae 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c @@ -987,13 +987,14 @@ cleanup: */ PKIX_Error * pkix_pl_OcspResponse_GetStatusForCert( + PKIX_PL_OcspCertID *cid, PKIX_PL_OcspResponse *response, PKIX_Boolean *pPassed, SECErrorCodes *pReturnCode, void *plContext) { - CERTOCSPCertID *certId = NULL; SECStatus rv = SECFailure; + SECStatus rvCache; PKIX_ENTER(OCSPRESPONSE, "pkix_pl_OcspResponse_GetStatusForCert"); PKIX_NULLCHECK_THREE(response, pPassed, pReturnCode); @@ -1005,25 +1006,20 @@ pkix_pl_OcspResponse_GetStatusForCert( */ PKIX_NULLCHECK_TWO(response->signerCert, response->request); - PKIX_CHECK( - pkix_pl_OcspRequest_GetCertID( - (PKIX_PL_OcspRequest*)response->request, &certId, plContext), - PKIX_OCSPREQUESTGETCERTIDFAILED); - - rv = CERT_GetOCSPStatusForCertID (response->handle, - response->nssOCSPResponse, - certId, - response->signerCert, - PR_Now()); + rv = cert_ProcessOCSPResponse(response->handle, + response->nssOCSPResponse, + cid->certID, + response->signerCert, + PR_Now(), + &cid->certIDWasConsumed, + &rvCache); if (rv == SECSuccess) { *pPassed = PKIX_TRUE; *pReturnCode = 0; } else { *pPassed = PKIX_FALSE; - PKIX_PL_NSSCALLRV - (OCSPRESPONSE, *pReturnCode, PORT_GetError, ()); + *pReturnCode = PORT_GetError(); } -cleanup: PKIX_RETURN(OCSPRESPONSE); } 
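Review bot: `pkix_pl_OcspResponse_GetStatusForCert` dereferences the new `cid` argument (`cid->certID`, `&cid->certIDWasConsumed`), but the entry check is still `PKIX_NULLCHECK_THREE(response, pPassed, pReturnCode)`, which does not cover it. Adding `PKIX_NULLCHECK_TWO(cid, cid->certID);` next to the existing `PKIX_NULLCHECK_TWO(response->signerCert, response->request);` keeps a missing cert ID from reaching `cert_ProcessOCSPResponse`. `rvCache` is filled by that call and never read in the lines shown. If the cache status is deliberately left out of the verdict, a short comment at the declaration should say so.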
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h index 1e3485a..f42356f 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h @@ -45,6 +45,7 @@ #define _PKIX_PL_OCSPRESPONSE_H #include "pkix_pl_common.h" +#include "pkix_pl_ocspcertid.h" #include "hasht.h" #include "cryptohi.h" #include "ocspti.h" diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c index b71d759..18cc43f 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c @@ -223,6 +223,7 @@ PKIX_PL_Initialize( pkix_pl_InfoAccess_RegisterSelf(plContext); pkix_pl_AIAMgr_RegisterSelf(plContext); pkix_OcspChecker_RegisterSelf(plContext); + pkix_pl_OcspCertID_RegisterSelf(plContext); pkix_pl_OcspRequest_RegisterSelf(plContext); pkix_pl_OcspResponse_RegisterSelf(plContext); pkix_pl_HttpDefaultClient_RegisterSelf(plContext); diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h index 39054d8..80e1e00 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h +++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h @@ -99,6 +99,7 @@ #include "pkix_pl_nameconstraints.h" #include "pkix_nameconstraintschecker.h" #include "pkix_ocspchecker.h" +#include "pkix_pl_ocspcertid.h" #include "pkix_pl_ocsprequest.h" #include "pkix_pl_ocspresponse.h" #include "pkix_pl_httpdefaultclient.h" diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def index 0d5fd55..a41cbd2 100644 --- a/security/nss/lib/nss/nss.def +++ b/security/nss/lib/nss/nss.def 
@@ -916,6 +916,7 @@ CERT_EncodeInhibitAnyExtension; CERT_EncodeNoticeReference; CERT_EncodePolicyConstraintsExtension; CERT_EncodePolicyMappingExtension; +CERT_EncodeSubjectKeyID; CERT_EncodeUserNotice; CERT_FindCRLEntryReasonExten; CERT_FindCRLNumberExten; diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index 84d711f..3474226 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: nss.h,v 1.51.12.1 2008/01/17 20:00:14 rrelyea%redhat.com Exp $ */ +/* $Id: nss.h,v 1.51 2007/05/04 05:15:43 nelson%bolyard.com Exp $ */ #ifndef __nss_h_ #define __nss_h_ @@ -70,7 +70,7 @@ SEC_BEGIN_PROTOS * The format of the version string should be * ".[.][ ][ ]" */ -#define NSS_VERSION "3.12" _NSS_ECC_STRING " Beta 1" _NSS_CUSTOMIZED +#define NSS_VERSION "3.12" _NSS_ECC_STRING " Beta" _NSS_CUSTOMIZED #define NSS_VMAJOR 3 #define NSS_VMINOR 12 #define NSS_VPATCH 0 diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c index 99104ef..ebd886e 100644 --- a/security/nss/lib/nss/nssinit.c +++ b/security/nss/lib/nss/nssinit.c @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: nssinit.c,v 1.87 2007/12/19 23:03:55 alexei.volkov.bugs%sun.com Exp $ */ +/* $Id: nssinit.c,v 1.90 2008/02/16 04:38:06 julien.pierre.boogz%sun.com Exp $ */ #include #include "seccomon.h" @@ -413,7 +413,6 @@ nss_FindExternalRoot(const char *dbpath, const char* secmodprefix) static PRBool nss_IsInitted = PR_FALSE; static void* plContext = NULL; -extern SECStatus secoid_Init(void); static SECStatus nss_InitShutdownList(void); #ifdef DEBUG @@ -510,7 +509,7 @@ loser: } if (rv == SECSuccess) { - if (secoid_Init() != SECSuccess) { + if (SECOID_Init() != SECSuccess) { return SECFailure; } if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) { 
@@ -652,8 +651,8 @@ struct NSSShutdownFuncPair { static struct NSSShutdownListStr { PZLock *lock; - int maxFuncs; - int numFuncs; + int allocatedFuncs; + int peakFuncs; struct NSSShutdownFuncPair *funcs; } nssShutdownList = { 0 }; @@ -664,7 +663,7 @@ static int nss_GetShutdownEntry(NSS_ShutdownFunc sFunc, void *appData) { int count, i; - count = nssShutdownList.numFuncs; + count = nssShutdownList.peakFuncs; /* expect the list to be short, just do a linear search */ for (i=0; i < count; i++) { if ((nssShutdownList.funcs[i].func == sFunc) && 
@@ -697,34 +696,34 @@ NSS_RegisterShutdown(NSS_ShutdownFunc sFunc, void *appData) /* make sure we don't have a duplicate */ i = nss_GetShutdownEntry(sFunc, appData); - if (i > 0) { + if (i >= 0) { PZ_Unlock(nssShutdownList.lock); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; } /* find an empty slot */ i = nss_GetShutdownEntry(NULL, NULL); - if (i > 0) { + if (i >= 0) { nssShutdownList.funcs[i].func = sFunc; nssShutdownList.funcs[i].appData = appData; PZ_Unlock(nssShutdownList.lock); - return SECFailure; + return SECSuccess; } - if (nssShutdownList.maxFuncs == nssShutdownList.numFuncs) { + if (nssShutdownList.allocatedFuncs == nssShutdownList.peakFuncs) { struct NSSShutdownFuncPair *funcs = (struct NSSShutdownFuncPair *)PORT_Realloc (nssShutdownList.funcs, - (nssShutdownList.maxFuncs + NSS_SHUTDOWN_STEP) + (nssShutdownList.allocatedFuncs + NSS_SHUTDOWN_STEP) *sizeof(struct NSSShutdownFuncPair)); if (!funcs) { return SECFailure; } nssShutdownList.funcs = funcs; - nssShutdownList.maxFuncs += NSS_SHUTDOWN_STEP; + nssShutdownList.allocatedFuncs += NSS_SHUTDOWN_STEP; } - nssShutdownList.funcs[nssShutdownList.numFuncs].func = sFunc; - nssShutdownList.funcs[nssShutdownList.numFuncs].appData = appData; - nssShutdownList.numFuncs++; + nssShutdownList.funcs[nssShutdownList.peakFuncs].func = sFunc; + nssShutdownList.funcs[nssShutdownList.peakFuncs].appData = appData; + nssShutdownList.peakFuncs++; PZ_Unlock(nssShutdownList.lock); return SECSuccess; } @@ -744,7 +743,7 @@ NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData) PORT_Assert(nssShutdownList.lock); PZ_Lock(nssShutdownList.lock); i = nss_GetShutdownEntry(sFunc, appData); - if (i > 0) { + if (i >= 0) { nssShutdownList.funcs[i].func = NULL; nssShutdownList.funcs[i].appData = NULL; } 
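Review bot: In `NSS_RegisterShutdown` the allocation-failure branch `if (!funcs) { return SECFailure; }` returns without releasing `nssShutdownList.lock`, while every other exit in this hunk calls `PZ_Unlock` first. After one failed `PORT_Realloc`, later register or unregister calls would presumably block on that lock. The branch should read `if (!funcs) { PZ_Unlock(nssShutdownList.lock); return SECFailure; }`. The start of the function, where the lock is taken, is above the hunk.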
@@ -774,8 +773,8 @@ nss_InitShutdownList(void) nssShutdownList.lock = NULL; return SECFailure; } - nssShutdownList.maxFuncs = NSS_SHUTDOWN_STEP; - nssShutdownList.numFuncs = 0; + nssShutdownList.allocatedFuncs = NSS_SHUTDOWN_STEP; + nssShutdownList.peakFuncs = 0; return SECSuccess; } @@ -787,7 +786,7 @@ nss_ShutdownShutdownList(void) int i; /* call all the registerd functions first */ - for (i=0; i < nssShutdownList.numFuncs; i++) { + for (i=0; i < nssShutdownList.peakFuncs; i++) { struct NSSShutdownFuncPair *funcPair = &nssShutdownList.funcs[i]; if (funcPair->func) { if ((*funcPair->func)(funcPair->appData,NULL) != SECSuccess) { @@ -796,8 +795,8 @@ nss_ShutdownShutdownList(void) } } - nssShutdownList.numFuncs = 0; - nssShutdownList.maxFuncs = 0; + nssShutdownList.peakFuncs = 0; + nssShutdownList.allocatedFuncs = 0; PORT_Free(nssShutdownList.funcs); nssShutdownList.funcs = NULL; if (nssShutdownList.lock) { diff --git a/security/nss/lib/nss/utilwrap.c b/security/nss/lib/nss/utilwrap.c index 752c251..900ab32 100644 --- a/security/nss/lib/nss/utilwrap.c +++ b/security/nss/lib/nss/utilwrap.c @@ -46,11 +46,10 @@ #include "base64.h" #include "nssb64.h" #include "nssrwlk.h" -#include "nsslocks.h" #include "cert.h" +#include "prerror.h" /* wrappers for implementation in libnssutil3 */ -#undef __nss_InitLock #undef ATOB_AsciiToData #undef ATOB_ConvertAsciiToItem #undef BTOA_ConvertItemToAscii @@ -782,7 +781,8 @@ PRBool NSSRWLock_HaveWriteLock(NSSRWLock *rwlock) SECStatus __nss_InitLock( PZLock **ppLock, nssILockType ltype ) { - return __nss_InitLock_Util(ppLock, ltype); + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); + return SECFailure; } /* templates duplicated in libnss3 and libnssutil3 */ diff --git a/security/nss/lib/pk11wrap/pk11akey.c b/security/nss/lib/pk11wrap/pk11akey.c index 4e48fb4..bf22041 100644 --- a/security/nss/lib/pk11wrap/pk11akey.c +++ b/security/nss/lib/pk11wrap/pk11akey.c 
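Review bot: The replacement body of `__nss_InitLock` in utilwrap.c ignores both arguments and never writes `*ppLock`, so a caller that does not test the return value carries on with whatever the pointer held before the call. If the symbol is kept only so that existing callers still link (the hunk does not say), the function should state its contract in a comment, for example `/* Stub: always fails with PR_NOT_IMPLEMENTED_ERROR and leaves *ppLock untouched. */`.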
@@ -1928,32 +1928,10 @@ PK11_MakeIDFromPubKey(SECItem *pubKeyData) return certCKA_ID; } -SECItem * -PK11_GetKeyIDFromPrivateKey(SECKEYPrivateKey *key, void *wincx) -{ - CK_ATTRIBUTE theTemplate[] = { - { CKA_ID, NULL, 0 }, - }; - int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]); - SECItem *item = NULL; - CK_RV crv; - - crv = PK11_GetAttributes(NULL,key->pkcs11Slot,key->pkcs11ID, - theTemplate,tsize); - if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - goto loser; - } - - item = PORT_ZNew(SECItem); - if (item) { - item->data = (unsigned char*) theTemplate[0].pValue; - item->len = theTemplate[0].ulValueLen; - } +/* Looking for PK11_GetKeyIDFromPrivateKey? + * Call PK11_GetLowLevelKeyIDForPrivateKey instead. + */ -loser: - return item; -} SECItem * PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *privKey) diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c index 3c7030e..238133e 100644 --- a/security/nss/lib/pk11wrap/pk11cert.c +++ b/security/nss/lib/pk11wrap/pk11cert.c @@ -354,8 +354,7 @@ PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID, * valid CA's which are self-signed here. They must have an object * ID of '0'. */ if (pk11_isID0(slot,certID) && - SECITEM_CompareItem(&cert->derSubject,&cert->derIssuer) - == SECEqual) { + cert->isRoot) { trustflags |= CERTDB_TRUSTED_CA; /* is the slot a fortezza card? allow the user or * admin to turn on objectSigning, but don't turn 
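Review bot: In `PK11_MakeCertFromHandle` the condition that adds `CERTDB_TRUSTED_CA` for ID-0 objects now depends on `cert->isRoot`, while the comment directly above still describes the test as "self-signed". How `isRoot` is computed is not visible in this hunk. Because this branch decides whether a token certificate is treated as a trusted CA, the comment should name the criterion actually used, e.g. `/* trust decision relies on cert->isRoot, not on a raw subject/issuer compare */`. The function body starts and ends outside the hunk.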
@@ -1998,46 +1997,6 @@ PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, SECItem *inDerCert, return c ? STAN_GetCERTCertificateOrRelease(c) : NULL; } -/* mcgreer 3.4 -- nobody uses this, ignoring */ -/* - * return the certificate associated with a derCert - */ -CERTCertificate * -PK11_FindCertFromDERSubjectAndNickname(PK11SlotInfo *slot, - CERTCertificate *cert, - char *nickname, void *wincx) -{ - CK_OBJECT_CLASS certClass = CKO_CERTIFICATE; - CK_ATTRIBUTE theTemplate[] = { - { CKA_SUBJECT, NULL, 0 }, - { CKA_LABEL, NULL, 0 }, - { CKA_CLASS, NULL, 0 } - }; - /* if you change the array, change the variable below as well */ - int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]); - CK_OBJECT_HANDLE certh; - CK_ATTRIBUTE *attrs = theTemplate; - SECStatus rv; - - PK11_SETATTRS(attrs, CKA_SUBJECT, cert->derSubject.data, - cert->derSubject.len); attrs++; - PK11_SETATTRS(attrs, CKA_LABEL, nickname, PORT_Strlen(nickname)); - PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); - - /* - * issue the find - */ - rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); - if (rv != SECSuccess) return NULL; - - certh = pk11_getcerthandle(slot,cert,theTemplate,tsize); - if (certh == CK_INVALID_HANDLE) { - return NULL; - } - - return PK11_MakeCertFromHandle(slot, certh, NULL); -} - /* * import a cert for a private key we have already generated. Set the label * on both to be the nickname. 
@@ -2267,39 +2226,10 @@ PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx) return pk11_getcerthandle(slot,cert,theTemplate,tsize); } -SECItem * -PK11_GetKeyIDFromCert(CERTCertificate *cert, void *wincx) -{ - CK_OBJECT_HANDLE handle; - PK11SlotInfo *slot = NULL; - CK_ATTRIBUTE theTemplate[] = { - { CKA_ID, NULL, 0 }, - }; - int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]); - SECItem *item = NULL; - CK_RV crv; - - handle = PK11_FindObjectForCert(cert,wincx,&slot); - if (handle == CK_INVALID_HANDLE) { - goto loser; - } - - crv = PK11_GetAttributes(NULL,slot,handle,theTemplate,tsize); - if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - goto loser; - } - - item = PORT_ZNew(SECItem); - if (item) { - item->data = (unsigned char*) theTemplate[0].pValue; - item->len = theTemplate[0].ulValueLen; - } +/* Looking for PK11_GetKeyIDFromCert? + * Use PK11_GetLowLevelKeyIDForCert instead. + */ -loser: - PK11_FreeSlot(slot); - return item; -} struct listCertsStr { PK11CertListType type; diff --git a/security/nss/lib/pk11wrap/pk11mech.c b/security/nss/lib/pk11wrap/pk11mech.c index 386d855..1bc4873 100644 --- a/security/nss/lib/pk11wrap/pk11mech.c +++ b/security/nss/lib/pk11wrap/pk11mech.c @@ -801,7 +801,7 @@ PK11_GetIVLength(CK_MECHANISM_TYPE type) * like SSL and S-MIME to automatically add them. */ SECItem * -PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv) +pk11_ParamFromIVWithLen(CK_MECHANISM_TYPE type, SECItem *iv, int keyLen) { CK_RC2_CBC_PARAMS *rc2_params = NULL; CK_RC2_PARAMS *rc2_ecb_params = NULL; @@ -833,7 +833,7 @@ PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv) rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS)); if (rc2_ecb_params == NULL) break; /* Maybe we should pass the key size in too to get this value? */ - *rc2_ecb_params = 128; + *rc2_ecb_params = keyLen ? keyLen*8 : 128; param->data = (unsigned char *) rc2_ecb_params; param->len = sizeof(CK_RC2_PARAMS); break; 
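Review bot: `keyLen ? keyLen*8 : 128` in `pk11_ParamFromIVWithLen` treats only zero as "no length given", so a negative `keyLen` is multiplied and stored in the unsigned RC2 effective-bits field as a very large value. The comment kept in the later hunks says `PK11_GetKeyLength` can return -1, and in pk11pbe.c the value comes from `SEC_PKCS5GetKeyLength(algid)`, that is, from a parsed AlgorithmID, whose failure value is not shown here. Writing `keyLen > 0 ? keyLen*8 : 128` at all four sites (this hunk, `@@ -842,7 +842,7 @@`, `@@ -1378,7 +1389,7 @@` and `@@ -1396,7 +1407,7 @@`) keeps the previous default for anything that is not a positive length. The enclosing functions start and end outside these hunks.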
@@ -842,7 +842,7 @@ PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv) rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS)); if (rc2_params == NULL) break; /* Maybe we should pass the key size in too to get this value? */ - rc2_params->ulEffectiveBits = 128; + rc2_params->ulEffectiveBits = keyLen ? keyLen*8 : 128; if (iv && iv->data) PORT_Memcpy(rc2_params->iv,iv->data,sizeof(rc2_params->iv)); param->data = (unsigned char *) rc2_params; @@ -939,6 +939,16 @@ PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv) return param; } +/* These next two utilities are here to help facilitate future + * Dynamic Encrypt/Decrypt symetric key mechanisms, and to allow functions + * like SSL and S-MIME to automatically add them. + */ +SECItem * +PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv) +{ + return pk11_ParamFromIVWithLen(type, iv, 0); +} + unsigned char * PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len) { @@ -1343,7 +1353,8 @@ pk11_GenIV(CK_MECHANISM_TYPE type, SECItem *iv) { * key. Use Netscape's S/MIME Rules for the New param block. */ SECItem * -PK11_GenerateNewParam(CK_MECHANISM_TYPE type, PK11SymKey *key) { +pk11_GenerateNewParamWithKeyLen(CK_MECHANISM_TYPE type, int keyLen) +{ CK_RC2_CBC_PARAMS *rc2_params; CK_RC2_PARAMS *rc2_ecb_params; SECItem *mech; @@ -1378,7 +1389,7 @@ PK11_GenerateNewParam(CK_MECHANISM_TYPE type, PK11SymKey *key) { } /* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5, * or RC4 key. Of course that wouldn't happen here doing RC2:).*/ - *rc2_ecb_params = key ? PK11_GetKeyLength(key)*8 : 128; + *rc2_ecb_params = keyLen ? keyLen*8 : 128; mech->data = (unsigned char *) rc2_ecb_params; mech->len = sizeof(CK_RC2_PARAMS); break; 
@@ -1396,7 +1407,7 @@ PK11_GenerateNewParam(CK_MECHANISM_TYPE type, PK11SymKey *key) { } /* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5, * or RC4 key. Of course that wouldn't happen here doing RC2:).*/ - rc2_params->ulEffectiveBits = key ? PK11_GetKeyLength(key)*8 : 128; + rc2_params->ulEffectiveBits = keyLen ? keyLen*8 : 128; if (iv.data) PORT_Memcpy(rc2_params->iv,iv.data,sizeof(rc2_params->iv)); mech->data = (unsigned char *) rc2_params; @@ -1475,6 +1486,14 @@ PK11_GenerateNewParam(CK_MECHANISM_TYPE type, PK11SymKey *key) { } +SECItem * +PK11_GenerateNewParam(CK_MECHANISM_TYPE type, PK11SymKey *key) +{ + int keyLen = key ? PK11_GetKeyLength(key) : 0; + + return pk11_GenerateNewParamWithKeyLen(type, keyLen); +} + #define RC5_V10 0x10 /* turn a PKCS #11 parameter into a DER Encoded Algorithm ID */ diff --git a/security/nss/lib/pk11wrap/pk11pbe.c b/security/nss/lib/pk11wrap/pk11pbe.c index f140ff5..ef6ccd8 100644 --- a/security/nss/lib/pk11wrap/pk11pbe.c +++ b/security/nss/lib/pk11wrap/pk11pbe.c @@ -101,7 +101,7 @@ const SEC_ASN1Template SEC_V2PKCS12PBEParameterTemplate[] = { 0 } }; -SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate); +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) /* SECOID_PKCS5_PBKDF2 */ const SEC_ASN1Template SEC_PKCS5V2PBEParameterTemplate[] = @@ -673,8 +673,8 @@ sec_pkcs5CreateAlgorithmID(SECOidTag algorithm, } /* build the PKCS5v2 cipher algorithm id */ - cipherParams = PK11_GenerateNewParam( - PK11_AlgtagToMechanism(cipherAlgorithm), NULL); + cipherParams = pk11_GenerateNewParamWithKeyLen( + PK11_AlgtagToMechanism(cipherAlgorithm), keyLength); if (!cipherParams) { goto loser; } @@ -1407,6 +1407,7 @@ CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **param, SECItem *pbe_pwd, PRBool faulty3DES) { + int keyLen = 0; SECOidTag algTag = SEC_PKCS5GetCryptoAlgorithm(algid); CK_MECHANISM_TYPE mech = PK11_AlgtagToMechanism(algTag); CK_MECHANISM_TYPE returnedMechanism = CKM_INVALID_MECHANISM; 
@@ -1423,7 +1424,9 @@ pk11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **param, } } - *param = PK11_ParamFromIV(mech, iv); + keyLen = SEC_PKCS5GetKeyLength(algid); + + *param = pk11_ParamFromIVWithLen(mech, iv, keyLen); if (*param == NULL) { goto loser; } diff --git a/security/nss/lib/pk11wrap/pk11pk12.c b/security/nss/lib/pk11wrap/pk11pk12.c index 4f64597..a90081e 100644 --- a/security/nss/lib/pk11wrap/pk11pk12.c +++ b/security/nss/lib/pk11wrap/pk11pk12.c @@ -112,8 +112,8 @@ struct SECKEYRawPrivateKeyStr { }; typedef struct SECKEYRawPrivateKeyStr SECKEYRawPrivateKey; -SEC_ASN1_MKSUB(SEC_AnyTemplate); -SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate); +SEC_ASN1_MKSUB(SEC_AnyTemplate) +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) /* ASN1 Templates for new decoder/encoder */ /* diff --git a/security/nss/lib/pk11wrap/pk11priv.h b/security/nss/lib/pk11wrap/pk11priv.h index 616a147..ae5c638 100644 --- a/security/nss/lib/pk11wrap/pk11priv.h +++ b/security/nss/lib/pk11wrap/pk11priv.h @@ -161,10 +161,6 @@ SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert, SECStatus(*callback)(CERTCertificate *, void *), void *arg); CERTCertificate *PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, SECItem *derCert, void *wincx); -CERTCertificate *PK11_FindCertFromDERSubjectAndNickname( - PK11SlotInfo *slot, - CERTCertificate *cert, char *nickname, - void *wincx); SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1, PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2); SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot, diff --git a/security/nss/lib/pk11wrap/pk11sdr.c b/security/nss/lib/pk11wrap/pk11sdr.c index ce61c2c..5d27489 100644 --- a/security/nss/lib/pk11wrap/pk11sdr.c +++ b/security/nss/lib/pk11wrap/pk11sdr.c 
@@ -54,7 +54,7 @@ struct SDRResult }; typedef struct SDRResult SDRResult; -SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate); +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) static SEC_ASN1Template template[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (SDRResult) }, diff --git a/security/nss/lib/pk11wrap/secmodi.h b/security/nss/lib/pk11wrap/secmodi.h index eca18a9..bf0de39 100644 --- a/security/nss/lib/pk11wrap/secmodi.h +++ b/security/nss/lib/pk11wrap/secmodi.h @@ -164,6 +164,11 @@ CK_OBJECT_HANDLE pk11_FindPrivateKeyFromCertID(PK11SlotInfo *slot, SECItem *keyID); SECKEYPrivateKey *PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx); + +SECItem *pk11_GenerateNewParamWithKeyLen(CK_MECHANISM_TYPE type, int keyLen); +SECItem *pk11_ParamFromIVWithLen(CK_MECHANISM_TYPE type, + SECItem *iv, int keyLen); + SEC_END_PROTOS #endif diff --git a/security/nss/lib/pkcs12/p12.h b/security/nss/lib/pkcs12/p12.h index 6eb6ecf..612f4cd 100644 --- a/security/nss/lib/pkcs12/p12.h +++ b/security/nss/lib/pkcs12/p12.h @@ -99,6 +99,7 @@ struct SEC_PKCS12DecoderItemStr { SECOidTag type; PRBool hasKey; SECItem *friendlyName; /* UTF-8 string */ + SECAlgorithmID *shroudAlg; }; diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c index b18d847..0be10c7 100644 --- a/security/nss/lib/pkcs12/p12d.c +++ b/security/nss/lib/pkcs12/p12d.c @@ -3076,11 +3076,15 @@ SEC_PKCS12DecoderIterateNext(SEC_PKCS12DecoderContext *p12dcx, if (p12dcx->decitem.type != 0 && p12dcx->decitem.der != NULL) { SECITEM_FreeItem(p12dcx->decitem.der, PR_TRUE); } + if (p12dcx->decitem.shroudAlg != NULL) { + SECOID_DestroyAlgorithmID(p12dcx->decitem.shroudAlg, PR_TRUE); + } if (p12dcx->decitem.friendlyName != NULL) { SECITEM_FreeItem(p12dcx->decitem.friendlyName, PR_TRUE); } p12dcx->decitem.type = 0; p12dcx->decitem.der = NULL; + p12dcx->decitem.shroudAlg = NULL; p12dcx->decitem.friendlyName = NULL; p12dcx->decitem.hasKey = PR_FALSE; *ipp = NULL; 
@@ -3101,8 +3105,13 @@ SEC_PKCS12DecoderIterateNext(SEC_PKCS12DecoderContext *p12dcx, p12dcx->decitem.friendlyName = sec_pkcs12_get_friendlyName(bag); p12dcx->decitem.hasKey = sec_pkcs12_bagHasKey(p12dcx, bag); break; - case SEC_OID_PKCS12_V1_KEY_BAG_ID: case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: + p12dcx->decitem.shroudAlg = PORT_ZNew(SECAlgorithmID); + if (p12dcx->decitem.shroudAlg) { + SECOID_CopyAlgorithmID(NULL, p12dcx->decitem.shroudAlg, + &bag->safeBagContent.pkcs8ShroudedKeyBag->algorithm); + } + case SEC_OID_PKCS12_V1_KEY_BAG_ID: p12dcx->decitem.friendlyName = sec_pkcs12_get_friendlyName(bag); break; default: diff --git a/security/nss/lib/pkcs12/p12e.c b/security/nss/lib/pkcs12/p12e.c index f0fbbcb..52f3871 100644 --- a/security/nss/lib/pkcs12/p12e.c +++ b/security/nss/lib/pkcs12/p12e.c @@ -1720,8 +1720,8 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp) SECItem *salt = sec_pkcs12_generate_salt(); PK11SymKey *symKey; SECItem *params; - CK_MECHANISM_TYPE integrityMech; - CK_MECHANISM_TYPE hmacMech; + CK_MECHANISM_TYPE integrityMechType; + CK_MECHANISM_TYPE hmacMechType; /* zero out macData and set values */ PORT_Memset(&p12enc->mac, 0, sizeof(sec_PKCS12MacData)); 
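Review bot: The return value of `SECOID_CopyAlgorithmID` in the new `SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID` case is discarded. If the copy fails, `decitem.shroudAlg` stays non-NULL but empty and is handed to the iterator's caller as if it described the bag's encryption. The case also falls through into `SEC_OID_PKCS12_V1_KEY_BAG_ID` without a marker, which reads like a missing `break` now that the two labels were reordered. Checking the status, resetting the field on failure and adding a fall-through comment covers both points. Whether a failed copy should instead end the iteration depends on code outside this hunk.

```c
	    case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
		p12dcx->decitem.shroudAlg = PORT_ZNew(SECAlgorithmID);
		if (p12dcx->decitem.shroudAlg &&
		    SECOID_CopyAlgorithmID(NULL, p12dcx->decitem.shroudAlg,
			&bag->safeBagContent.pkcs8ShroudedKeyBag->algorithm)
			!= SECSuccess) {
		    /* do not expose a half-initialised algorithm id */
		    SECOID_DestroyAlgorithmID(p12dcx->decitem.shroudAlg, PR_TRUE);
		    p12dcx->decitem.shroudAlg = NULL;
		}
		/* fall through */
	    case SEC_OID_PKCS12_V1_KEY_BAG_ID:
		/* … unchanged: friendlyName lookup … */
```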
@@ -1742,35 +1742,41 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp) PR_TRUE, PR_TRUE)) { goto loser; } - + /* + * This code only works with PKCS #12 Mac using PKCS #5 v1 + * PBA keygens. PKCS #5 v2 support will require a change to + * the PKCS #12 spec. + */ params = PK11_CreatePBEParams(salt, &pwd, 1); SECITEM_ZfreeItem(salt, PR_TRUE); SECITEM_ZfreeItem(&pwd, PR_FALSE); + /* get the PBA Mechanism to generate the key */ switch (p12exp->integrityInfo.pwdInfo.algorithm) { case SEC_OID_SHA1: - integrityMech = CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN; break; + integrityMechType = CKM_PBA_SHA1_WITH_SHA1_HMAC; break; case SEC_OID_MD5: - integrityMech = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN; break; + integrityMechType = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN; break; case SEC_OID_MD2: - integrityMech = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN; break; + integrityMechType = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN; break; default: goto loser; } - symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL); + /* generate the key */ + symKey = PK11_KeyGen(NULL, integrityMechType, params, 20, NULL); PK11_DestroyPBEParams(params); if(!symKey) { goto loser; } - /* initialize hmac */ - /* XXX NBB, why is this mech different than the one above? */ - hmacMech = sec_pkcs12_algtag_to_mech( + /* initialize HMAC */ + /* Get the HMAC mechanism from the hash OID */ + hmacMechType= sec_pkcs12_algtag_to_mech( p12exp->integrityInfo.pwdInfo.algorithm); - p12enc->hmacCx = PK11_CreateContextBySymKey( hmacMech, CKA_SIGN, - symKey, &ignore); + p12enc->hmacCx = PK11_CreateContextBySymKey( hmacMechType, + CKA_SIGN, symKey, &ignore); PK11_FreeSymKey(symKey); if(!p12enc->hmacCx) { diff --git a/security/nss/lib/pkcs7/p7common.c b/security/nss/lib/pkcs7/p7common.c index 8252fd5..63c9a2c 100644 --- a/security/nss/lib/pkcs7/p7common.c +++ b/security/nss/lib/pkcs7/p7common.c 
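Review bot: `PK11_CreatePBEParams(salt, &pwd, 1)` in `sec_pkcs12_encoder_start_context` derives the PKCS #12 MAC key with an iteration count of 1, and the returned `params` reaches `PK11_KeyGen` without a NULL test. A single iteration gives the integrity password no stretching, so the strength of the MAC on an exported file rests entirely on the password itself. The count encoded into macData is outside this hunk and would have to change together with this argument. At minimum the literal deserves a named constant with a comment such as `/* MAC key derivation iterations; must equal the count encoded in macData */`, and a check `if (!params) { goto loser; }` after the two `SECITEM_ZfreeItem` calls. The `default: goto loser;` arm also leaves before `PK11_DestroyPBEParams(params)`; whether `loser` releases it is not visible here.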
@@ -38,7 +38,7 @@ * PKCS7 implementation -- the exported parts that are used whether * creating or decoding. * - * $Id: p7common.c,v 1.4 2004/04/25 15:03:13 gerv%gerv.net Exp $ + * $Id: p7common.c,v 1.7 2008/02/03 06:08:48 nelson%bolyard.com Exp $ */ #include "p7local.h" @@ -450,12 +450,10 @@ SEC_PKCS7EncryptContents(PRArenaPool *poolp, PK11SymKey * eKey = NULL; PK11SlotInfo * slot = NULL; - CK_MECHANISM pbeMech; - CK_MECHANISM cryptoMech; + CK_MECHANISM_TYPE cryptoMechType; int bs; - SECOidTag algtag; SECStatus rv = SECFailure; - SECItem c_param; + SECItem *c_param = NULL; if((cinfo == NULL) || (key == NULL)) return SECFailure; @@ -474,8 +472,6 @@ SEC_PKCS7EncryptContents(PRArenaPool *poolp, src = &cinfo->content.encryptedData->encContentInfo.plainContent; dest = &cinfo->content.encryptedData->encContentInfo.encContent; - algtag = SECOID_GetAlgorithmTag(algid); - c_param.data = NULL; dest->data = (unsigned char*)PORT_ArenaZAlloc(poolp, (src->len + 64)); dest->len = (src->len + 64); if(dest->data == NULL) { 
@@ -488,32 +484,21 @@ SEC_PKCS7EncryptContents(PRArenaPool *poolp, rv = SECFailure; goto loser; } - pbeMech.mechanism = PK11_AlgtagToMechanism(algtag); - result = PK11_ParamFromAlgid(algid); - if (result == NULL) { - rv = SECFailure; - goto loser; - } - pbeMech.pParameter = result->data; - pbeMech.ulParameterLen = result->len; - eKey = PK11_RawPBEKeyGen(slot, pbeMech.mechanism, result, key, PR_FALSE, - wincx); + eKey = PK11_PBEKeyGen(slot, algid, key, PR_FALSE, wincx); if(eKey == NULL) { rv = SECFailure; goto loser; } - - if(PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, key, - PR_FALSE) != CKR_OK) { + + cryptoMechType = PK11_GetPBECryptoMechanism(algid, &c_param, key); + if (cryptoMechType == CKM_INVALID_MECHANISM) { rv = SECFailure; goto loser; } - c_param.data = (unsigned char *)cryptoMech.pParameter; - c_param.len = cryptoMech.ulParameterLen; /* block according to PKCS 8 */ - bs = PK11_GetBlockSize(cryptoMech.mechanism, &c_param); + bs = PK11_GetBlockSize(cryptoMechType, c_param); rv = SECSuccess; if(bs) { char pad_char; @@ -522,7 +507,8 @@ SEC_PKCS7EncryptContents(PRArenaPool *poolp, rv = SECSuccess; blocked_data = PK11_BlockData(src, bs); if(blocked_data) { - PORT_Memset((blocked_data->data + blocked_data->len - (int)pad_char), + PORT_Memset((blocked_data->data + blocked_data->len + - (int)pad_char), pad_char, (int)pad_char); } else { rv = SECFailure; @@ -554,8 +540,8 @@ SEC_PKCS7EncryptContents(PRArenaPool *poolp, } } - cx = PK11_CreateContextBySymKey(cryptoMech.mechanism, CKA_ENCRYPT, - eKey, &c_param); + cx = PK11_CreateContextBySymKey(cryptoMechType, CKA_ENCRYPT, + eKey, c_param); if(cx == NULL) { rv = SECFailure; goto loser; @@ -585,8 +571,8 @@ loser: if(slot != NULL) PK11_FreeSlot(slot); - if(c_param.data != NULL) - SECITEM_ZfreeItem(&c_param, PR_FALSE); + if(c_param != NULL) + SECITEM_ZfreeItem(c_param, PR_TRUE); return rv; } 
@@ -612,16 +598,15 @@ SEC_PKCS7DecryptContents(PRArenaPool *poolp, void *wincx) { SECAlgorithmID *algid = NULL; - SECOidTag algtag; SECStatus rv = SECFailure; SECItem *result = NULL, *dest, *src; void *mark; PK11SymKey *eKey = NULL; PK11SlotInfo *slot = NULL; - CK_MECHANISM pbeMech, cryptoMech; + CK_MECHANISM_TYPE cryptoMechType; void *cx; - SECItem c_param; + SECItem *c_param = NULL; int bs; if((cinfo == NULL) || (key == NULL)) @@ -641,8 +626,6 @@ SEC_PKCS7DecryptContents(PRArenaPool *poolp, src = &cinfo->content.encryptedData->encContentInfo.encContent; dest = &cinfo->content.encryptedData->encContentInfo.plainContent; - algtag = SECOID_GetAlgorithmTag(algid); - c_param.data = NULL; dest->data = (unsigned char*)PORT_ArenaZAlloc(poolp, (src->len + 64)); dest->len = (src->len + 64); if(dest->data == NULL) { @@ -655,30 +638,21 @@ SEC_PKCS7DecryptContents(PRArenaPool *poolp, rv = SECFailure; goto loser; } - pbeMech.mechanism = PK11_AlgtagToMechanism(algtag); - result = PK11_ParamFromAlgid(algid); - if (result == NULL) { - rv = SECFailure; - goto loser; - } - pbeMech.pParameter = result->data; - pbeMech.ulParameterLen = result->len; - eKey = PK11_RawPBEKeyGen(slot,pbeMech.mechanism,result,key,PR_FALSE,wincx); + + eKey = PK11_PBEKeyGen(slot, algid, key, PR_FALSE, wincx); if(eKey == NULL) { rv = SECFailure; goto loser; } - - if(PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, key, - PR_FALSE) != CKR_OK) { + + cryptoMechType = PK11_GetPBECryptoMechanism(algid, &c_param, key); + if (cryptoMechType == CKM_INVALID_MECHANISM) { rv = SECFailure; goto loser; } - c_param.data = (unsigned char *)cryptoMech.pParameter; - c_param.len = cryptoMech.ulParameterLen; - cx = PK11_CreateContextBySymKey(cryptoMech.mechanism, CKA_DECRYPT, - eKey, &c_param); + cx = PK11_CreateContextBySymKey(cryptoMechType, CKA_DECRYPT, + eKey, c_param); if(cx == NULL) { rv = SECFailure; goto loser; 
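Review bot: `result` stays declared as `SECItem *result = NULL` in SEC_PKCS7DecryptContents although its only visible assignment, `result = PK11_ParamFromAlgid(algid)`, is removed in this hunk. The same assignment is removed from SEC_PKCS7EncryptContents. If nothing else in either function sets it, the declaration and any release of it under `loser:` are dead and can be dropped. The cleanup code lies outside these hunks, so this needs checking against the full file.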
@@ -688,7 +662,7 @@ SEC_PKCS7DecryptContents(PRArenaPool *poolp, (int)(src->len + 64), src->data, (int)src->len); PK11_DestroyContext((PK11Context *)cx, PR_TRUE); - bs = PK11_GetBlockSize(cryptoMech.mechanism, &c_param); + bs = PK11_GetBlockSize(cryptoMechType, c_param); if(bs) { /* check for proper badding in block algorithms. this assumes * RC2 cbc or a DES cbc variant. and the padding is thus defined @@ -718,8 +692,8 @@ loser: if(slot != NULL) PK11_FreeSlot(slot); - if(c_param.data != NULL) - SECITEM_ZfreeItem(&c_param, PR_FALSE); + if(c_param != NULL) + SECITEM_ZfreeItem(c_param, PR_TRUE); return rv; } diff --git a/security/nss/lib/pkcs7/p7create.c b/security/nss/lib/pkcs7/p7create.c index 703f7cd..474bc2e 100644 --- a/security/nss/lib/pkcs7/p7create.c +++ b/security/nss/lib/pkcs7/p7create.c @@ -37,7 +37,7 @@ /* * PKCS7 creation. * - * $Id: p7create.c,v 1.6 2004/04/25 15:03:13 gerv%gerv.net Exp $ + * $Id: p7create.c,v 1.9 2008/02/03 06:08:48 nelson%bolyard.com Exp $ */ #include "p7local.h" @@ -50,6 +50,7 @@ #include "prtime.h" #include "secerr.h" #include "secder.h" +#include "secpkcs5.h" static SECStatus sec_pkcs7_init_content_info (SEC_PKCS7ContentInfo *cinfo, PRArenaPool *poolp, 
@@ -1281,27 +1282,24 @@ SEC_PKCS7CreateEncryptedData (SECOidTag algorithm, int keysize, enc_data = cinfo->content.encryptedData; algid = &(enc_data->encContentInfo.contentEncAlg); - switch (algorithm) { - case SEC_OID_RC2_CBC: - case SEC_OID_DES_EDE3_CBC: - case SEC_OID_DES_CBC: + if (!SEC_PKCS5IsAlgorithmPBEAlgTag(algorithm)) { rv = SECOID_SetAlgorithmID (cinfo->poolp, algid, algorithm, NULL); - break; - default: - { - /* - * Assume password-based-encryption. At least, try that. - */ - SECAlgorithmID *pbe_algid; - pbe_algid = PK11_CreatePBEAlgorithmID (algorithm, 1, NULL); - if (pbe_algid == NULL) { - rv = SECFailure; - } else { - rv = SECOID_CopyAlgorithmID (cinfo->poolp, algid, pbe_algid); - SECOID_DestroyAlgorithmID (pbe_algid, PR_TRUE); - } + } else { + /* Assume password-based-encryption. + * Note: we can't generate pkcs5v2 from this interface. + * PK11_CreateBPEAlgorithmID generates pkcs5v2 by accepting + * non-PBE oids and assuming that they are pkcs5v2 oids, but + * NSS_CMSEncryptedData_Create accepts non-PBE oids as regular + * CMS encrypted data, so we can't tell SEC_PKCS7CreateEncryptedtedData + * to create pkcs5v2 PBEs */ + SECAlgorithmID *pbe_algid; + pbe_algid = PK11_CreatePBEAlgorithmID (algorithm, 1, NULL); + if (pbe_algid == NULL) { + rv = SECFailure; + } else { + rv = SECOID_CopyAlgorithmID (cinfo->poolp, algid, pbe_algid); + SECOID_DestroyAlgorithmID (pbe_algid, PR_TRUE); } - break; } if (rv != SECSuccess) { diff --git a/security/nss/lib/pkcs7/p7local.c b/security/nss/lib/pkcs7/p7local.c index be250a8..ce6d5ad 100644 --- a/security/nss/lib/pkcs7/p7local.c +++ b/security/nss/lib/pkcs7/p7local.c @@ -40,7 +40,7 @@ * encoding/creation side *and* the decoding/decryption side. Anything * else should be static routines in the appropriate file. * - * $Id: p7local.c,v 1.9 2007/05/09 19:02:18 rrelyea%redhat.com Exp $ + * $Id: p7local.c,v 1.12 2008/02/03 06:08:48 nelson%bolyard.com Exp $ */ #include "p7local.h" 
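Review bot: The PBE branch of SEC_PKCS7CreateEncryptedData still passes a hard-coded iteration count of 1 in `PK11_CreatePBEAlgorithmID (algorithm, 1, NULL)`, so the password-derived key gets no stretching against offline guessing. I would move the count into a named constant with a larger value, e.g. `pbe_algid = PK11_CreatePBEAlgorithmID (algorithm, PBE_ITERATION_COUNT_PLACEHOLDER, NULL);`, after checking that existing decoders accept it. The same call with a count of 1 is kept in NSS_CMSEncryptedData_Create in cmsencdata.c. The new comment also misspells two names: `PK11_CreateBPEAlgorithmID` should read `PK11_CreatePBEAlgorithmID`, and `SEC_PKCS7CreateEncryptedtedData` should read `SEC_PKCS7CreateEncryptedData`.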
@@ -103,7 +103,7 @@ sec_PKCS7CreateDecryptObject (PK11SymKey *key, SECAlgorithmID *algid) sec_PKCS7CipherObject *result; SECOidTag algtag; void *ciphercx; - CK_MECHANISM_TYPE mechanism; + CK_MECHANISM_TYPE cryptoMechType; SECItem *param; PK11SlotInfo *slot; @@ -116,8 +116,7 @@ sec_PKCS7CreateDecryptObject (PK11SymKey *key, SECAlgorithmID *algid) algtag = SECOID_GetAlgorithmTag (algid); if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) { - CK_MECHANISM pbeMech, cryptoMech; - SECItem *pbeParams, *pwitem; + SECItem *pwitem; pwitem = (SECItem *)PK11_GetSymKeyUserData(key); if (!pwitem) { @@ -125,33 +124,13 @@ sec_PKCS7CreateDecryptObject (PK11SymKey *key, SECAlgorithmID *algid) return NULL; } - pbeMech.mechanism = PK11_AlgtagToMechanism(algtag); - pbeParams = PK11_ParamFromAlgid(algid); - if (!pbeParams) { + cryptoMechType = PK11_GetPBECryptoMechanism(algid, ¶m, pwitem); + if (cryptoMechType == CKM_INVALID_MECHANISM) { PORT_Free(result); return NULL; } - - pbeMech.pParameter = pbeParams->data; - pbeMech.ulParameterLen = pbeParams->len; - if (PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, pwitem, - PR_FALSE) != CKR_OK) { - PORT_Free(result); - SECITEM_ZfreeItem(pbeParams, PR_TRUE); - return NULL; - } - SECITEM_ZfreeItem(pbeParams, PR_TRUE); - - param = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); - if(!param) { - PORT_Free(result); - return NULL; - } - param->data = (unsigned char *)cryptoMech.pParameter; - param->len = cryptoMech.ulParameterLen; - mechanism = cryptoMech.mechanism; } else { - mechanism = PK11_AlgtagToMechanism(algtag); + cryptoMechType = PK11_AlgtagToMechanism(algtag); param = PK11_ParamFromAlgid(algid); if (param == NULL) { PORT_Free(result); 
@@ -159,11 +138,12 @@ sec_PKCS7CreateDecryptObject (PK11SymKey *key, SECAlgorithmID *algid) } } - result->pad_size = PK11_GetBlockSize(mechanism,param); + result->pad_size = PK11_GetBlockSize(cryptoMechType, param); slot = PK11_GetSlotFromKey(key); result->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : result->pad_size; PK11_FreeSlot(slot); - ciphercx = PK11_CreateContextBySymKey(mechanism, CKA_DECRYPT, key, param); + ciphercx = PK11_CreateContextBySymKey(cryptoMechType, CKA_DECRYPT, + key, param); SECITEM_FreeItem(param,PR_TRUE); if (ciphercx == NULL) { PORT_Free (result); @@ -200,7 +180,7 @@ sec_PKCS7CreateEncryptObject (PRArenaPool *poolp, PK11SymKey *key, void *ciphercx; SECItem *param; SECStatus rv; - CK_MECHANISM_TYPE mechanism; + CK_MECHANISM_TYPE cryptoMechType; PRBool needToEncodeAlgid = PR_FALSE; PK11SlotInfo *slot; @@ -211,11 +191,7 @@ sec_PKCS7CreateEncryptObject (PRArenaPool *poolp, PK11SymKey *key, ciphercx = NULL; if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) { - CK_MECHANISM pbeMech, cryptoMech; - SECItem *pbeParams, *pwitem; - - PORT_Memset(&pbeMech, 0, sizeof(CK_MECHANISM)); - PORT_Memset(&cryptoMech, 0, sizeof(CK_MECHANISM)); + SECItem *pwitem; pwitem = (SECItem *)PK11_GetSymKeyUserData(key); if (!pwitem) { 
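Review bot: `param` is released with `SECITEM_FreeItem(param,PR_TRUE)` in sec_PKCS7CreateDecryptObject, whereas the removed code cleared the PBE parameters with SECITEM_ZfreeItem and the p7common.c part of this commit frees the equivalent `c_param` with `SECITEM_ZfreeItem(c_param, PR_TRUE)`. In the PBE branch the item now comes from PK11_GetPBECryptoMechanism and may hold material derived from the password (presumably the IV), so I would use `SECITEM_ZfreeItem(param, PR_TRUE);` here. NSS_CMSCipherContext_StartDecrypt in cmscipher.c frees `param` the same way. Both function bodies extend beyond the hunks, so their other exit paths need the same check.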
@@ -223,34 +199,14 @@ sec_PKCS7CreateEncryptObject (PRArenaPool *poolp, PK11SymKey *key, return NULL; } - pbeMech.mechanism = PK11_AlgtagToMechanism(algtag); - pbeParams = PK11_ParamFromAlgid(algid); - if(!pbeParams) { + cryptoMechType = PK11_GetPBECryptoMechanism(algid, ¶m, pwitem); + if (cryptoMechType == CKM_INVALID_MECHANISM) { PORT_Free(result); return NULL; } - - pbeMech.pParameter = pbeParams->data; - pbeMech.ulParameterLen = pbeParams->len; - if(PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, pwitem, - PR_FALSE) != CKR_OK) { - PORT_Free(result); - SECITEM_ZfreeItem(pbeParams, PR_TRUE); - return NULL; - } - SECITEM_ZfreeItem(pbeParams, PR_TRUE); - - param = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); - if(!param) { - PORT_Free(result); - return NULL; - } - param->data = (unsigned char *)cryptoMech.pParameter; - param->len = cryptoMech.ulParameterLen; - mechanism = cryptoMech.mechanism; } else { - mechanism = PK11_AlgtagToMechanism(algtag); - param = PK11_GenerateNewParam(mechanism,key); + cryptoMechType = PK11_AlgtagToMechanism(algtag); + param = PK11_GenerateNewParam(cryptoMechType, key); if (param == NULL) { PORT_Free(result); return NULL; @@ -258,11 +214,11 @@ sec_PKCS7CreateEncryptObject (PRArenaPool *poolp, PK11SymKey *key, needToEncodeAlgid = PR_TRUE; } - result->pad_size = PK11_GetBlockSize(mechanism,param); + result->pad_size = PK11_GetBlockSize(cryptoMechType,param); slot = PK11_GetSlotFromKey(key); result->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : result->pad_size; PK11_FreeSlot(slot); - ciphercx = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT, + ciphercx = PK11_CreateContextBySymKey(cryptoMechType, CKA_ENCRYPT, key, param); if (ciphercx == NULL) { PORT_Free (result); diff --git a/security/nss/lib/pki/pkibase.c b/security/nss/lib/pki/pkibase.c index 24e3944..04887e8 100644 --- a/security/nss/lib/pki/pkibase.c +++ b/security/nss/lib/pki/pkibase.c 
@@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: pkibase.c,v $ $Revision: 1.29 $ $Date: 2007/11/21 18:02:13 $"; +static const char CVS_ID[] = "@(#) $RCSfile: pkibase.c,v $ $Revision: 1.30 $ $Date: 2008/01/21 23:20:19 $"; #endif /* DEBUG */ #ifndef DEV_H @@ -847,10 +847,7 @@ nssPKIObjectCollection_AddInstances ( PRBool foundIt; pkiObjectCollectionNode *node; if (instances) { - for (; *instances; instances++, i++) { - if (numInstances > 0 && i == numInstances) { - break; - } + while ((!numInstances || i < numInstances) && *instances) { if (status == PR_SUCCESS) { node = add_object_instance(collection, *instances, &foundIt); if (node == NULL) { @@ -861,6 +858,8 @@ nssPKIObjectCollection_AddInstances ( } else { nssCryptokiObject_Destroy(*instances); } + instances++; + i++; } } return status; diff --git a/security/nss/lib/pki/pkistore.c b/security/nss/lib/pki/pkistore.c index 3fca6b6..6c4c910 100644 --- a/security/nss/lib/pki/pkistore.c +++ b/security/nss/lib/pki/pkistore.c @@ -35,7 +35,7 @@ * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: pkistore.c,v $ $Revision: 1.30 $ $Date: 2007/11/16 05:29:27 $"; +static const char CVS_ID[] = "@(#) $RCSfile: pkistore.c,v $ $Revision: 1.32 $ $Date: 2008/02/03 01:59:49 $"; #endif /* DEBUG */ #ifndef PKIM_H @@ -60,6 +60,8 @@ static const char CVS_ID[] = "@(#) $RCSfile: pkistore.c,v $ $Revision: 1.30 $ $D #include "cert.h" +#include "prbit.h" + /* * Certificate Store * @@ -719,9 +721,9 @@ nss_certificate_hash ( NSSCertificate *c = (NSSCertificate *)key; h = 0; for (i=0; iissuer.size; i++) - h = (h >> 28) ^ (h << 4) ^ ((unsigned char *)c->issuer.data)[i]; + h = PR_ROTATE_LEFT32(h, 4) ^ ((unsigned char *)c->issuer.data)[i]; for (i=0; iserial.size; i++) - h = (h >> 28) ^ (h << 4) ^ ((unsigned char *)c->serial.data)[i]; + h = PR_ROTATE_LEFT32(h, 4) ^ ((unsigned char *)c->serial.data)[i]; return h; } 
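Review bot: The rewritten loop condition in nssPKIObjectCollection_AddInstances encodes two rules that deserve a comment: a numInstances of 0 means the array is NULL-terminated, and the count is now tested before `*instances` is read. The old `for` read `*instances` first, which for a counted array with no terminator looks one slot past the last element. Suggested comment above the `while`: `/* numInstances == 0: array is NULL-terminated; otherwise test the count before reading *instances */`. The increments move to the end of the loop body in the following hunk, and the function starts outside both hunks.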
diff --git a/security/nss/lib/smime/cmscipher.c b/security/nss/lib/smime/cmscipher.c index d31751d..374e0bb 100644 --- a/security/nss/lib/smime/cmscipher.c +++ b/security/nss/lib/smime/cmscipher.c @@ -37,7 +37,7 @@ /* * Encryption/decryption routines for CMS implementation, none of which are exported. * - * $Id: cmscipher.c,v 1.9 2006/06/12 21:05:12 alexei.volkov.bugs%sun.com Exp $ + * $Id: cmscipher.c,v 1.12 2008/02/03 06:08:49 nelson%bolyard.com Exp $ */ #include "cmslocal.h" @@ -72,7 +72,8 @@ struct NSSCMSCipherContextStr { /* * NSS_CMSCipherContext_StartDecrypt - create a cipher context to do decryption - * based on the given bulk * encryption key and algorithm identifier (which may include an iv). + * based on the given bulk encryption key and algorithm identifier (which + * may include an iv). * * XXX Once both are working, it might be nice to combine this and the * function below (for starting up encryption) into one routine, and just @@ -83,7 +84,7 @@ NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid) { NSSCMSCipherContext *cc; void *ciphercx; - CK_MECHANISM_TYPE mechanism; + CK_MECHANISM_TYPE cryptoMechType; SECItem *param; PK11SlotInfo *slot; SECOidTag algtag; 
@@ -92,41 +93,19 @@ NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid) /* set param and mechanism */ if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) { - CK_MECHANISM pbeMech, cryptoMech; - SECItem *pbeParams, *pwitem; - - PORT_Memset(&pbeMech, 0, sizeof(CK_MECHANISM)); - PORT_Memset(&cryptoMech, 0, sizeof(CK_MECHANISM)); + SECItem *pwitem; pwitem = PK11_GetSymKeyUserData(key); if (!pwitem) return NULL; - /* find correct PK11 mechanism and parameters to initialize pbeMech */ - pbeMech.mechanism = PK11_AlgtagToMechanism(algtag); - pbeParams = PK11_ParamFromAlgid(algid); - if (!pbeParams) - return NULL; - pbeMech.pParameter = pbeParams->data; - pbeMech.ulParameterLen = pbeParams->len; - - /* now map pbeMech to cryptoMech */ - if (PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, pwitem, - PR_FALSE) != CKR_OK) { - SECITEM_ZfreeItem(pbeParams, PR_TRUE); + cryptoMechType = PK11_GetPBECryptoMechanism(algid, ¶m, pwitem); + if (cryptoMechType == CKM_INVALID_MECHANISM) { return NULL; } - SECITEM_ZfreeItem(pbeParams, PR_TRUE); - /* and use it to initialize param & mechanism */ - if ((param = (SECItem *)PORT_ZAlloc(sizeof(SECItem))) == NULL) - return NULL; - - param->data = (unsigned char *)cryptoMech.pParameter; - param->len = cryptoMech.ulParameterLen; - mechanism = cryptoMech.mechanism; } else { - mechanism = PK11_AlgtagToMechanism(algtag); + cryptoMechType = PK11_AlgtagToMechanism(algtag); if ((param = PK11_ParamFromAlgid(algid)) == NULL) return NULL; } 
@@ -138,13 +117,14 @@ NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid) } /* figure out pad and block sizes */ - cc->pad_size = PK11_GetBlockSize(mechanism, param); + cc->pad_size = PK11_GetBlockSize(cryptoMechType, param); slot = PK11_GetSlotFromKey(key); cc->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : cc->pad_size; PK11_FreeSlot(slot); /* create PK11 cipher context */ - ciphercx = PK11_CreateContextBySymKey(mechanism, CKA_DECRYPT, key, param); + ciphercx = PK11_CreateContextBySymKey(cryptoMechType, CKA_DECRYPT, + key, param); SECITEM_FreeItem(param, PR_TRUE); if (ciphercx == NULL) { PORT_Free (cc); @@ -162,8 +142,8 @@ NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid) /* * NSS_CMSCipherContext_StartEncrypt - create a cipher object to do encryption, - * based on the given bulk encryption key and algorithm tag. Fill in the algorithm - * identifier (which may include an iv) appropriately. + * based on the given bulk encryption key and algorithm tag. Fill in the + * algorithm identifier (which may include an iv) appropriately. * * XXX Once both are working, it might be nice to combine this and the * function above (for starting up decryption) into one routine, and just 
@@ -176,49 +156,26 @@ NSS_CMSCipherContext_StartEncrypt(PRArenaPool *poolp, PK11SymKey *key, SECAlgori void *ciphercx; SECItem *param; SECStatus rv; - CK_MECHANISM_TYPE mechanism; + CK_MECHANISM_TYPE cryptoMechType; PK11SlotInfo *slot; PRBool needToEncodeAlgid = PR_FALSE; SECOidTag algtag = SECOID_GetAlgorithmTag(algid); /* set param and mechanism */ if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) { - CK_MECHANISM pbeMech, cryptoMech; - SECItem *pbeParams, *pwitem; - - PORT_Memset(&pbeMech, 0, sizeof(CK_MECHANISM)); - PORT_Memset(&cryptoMech, 0, sizeof(CK_MECHANISM)); + SECItem *pwitem; pwitem = PK11_GetSymKeyUserData(key); if (!pwitem) return NULL; - /* find correct PK11 mechanism and parameters to initialize pbeMech */ - pbeMech.mechanism = PK11_AlgtagToMechanism(algtag); - pbeParams = PK11_ParamFromAlgid(algid); - if (!pbeParams) - return NULL; - pbeMech.pParameter = pbeParams->data; - pbeMech.ulParameterLen = pbeParams->len; - - /* now map pbeMech to cryptoMech */ - if (PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, pwitem, - PR_FALSE) != CKR_OK) { - SECITEM_ZfreeItem(pbeParams, PR_TRUE); + cryptoMechType = PK11_GetPBECryptoMechanism(algid, ¶m, pwitem); + if (cryptoMechType == CKM_INVALID_MECHANISM) { return NULL; } - SECITEM_ZfreeItem(pbeParams, PR_TRUE); - - /* and use it to initialize param & mechanism */ - if ((param = (SECItem *)PORT_ZAlloc(sizeof(SECItem))) == NULL) - return NULL; - - param->data = (unsigned char *)cryptoMech.pParameter; - param->len = cryptoMech.ulParameterLen; - mechanism = cryptoMech.mechanism; } else { - mechanism = PK11_AlgtagToMechanism(algtag); - if ((param = PK11_GenerateNewParam(mechanism, key)) == NULL) + cryptoMechType = PK11_AlgtagToMechanism(algtag); + if ((param = PK11_GenerateNewParam(cryptoMechType, key)) == NULL) return NULL; needToEncodeAlgid = PR_TRUE; } 
@@ -229,13 +186,14 @@ NSS_CMSCipherContext_StartEncrypt(PRArenaPool *poolp, PK11SymKey *key, SECAlgori } /* now find pad and block sizes for our mechanism */ - cc->pad_size = PK11_GetBlockSize(mechanism,param); + cc->pad_size = PK11_GetBlockSize(cryptoMechType, param); slot = PK11_GetSlotFromKey(key); cc->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : cc->pad_size; PK11_FreeSlot(slot); /* and here we go, creating a PK11 cipher context */ - ciphercx = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT, key, param); + ciphercx = PK11_CreateContextBySymKey(cryptoMechType, CKA_ENCRYPT, + key, param); if (ciphercx == NULL) { PORT_Free(cc); cc = NULL; diff --git a/security/nss/lib/smime/cmsencdata.c b/security/nss/lib/smime/cmsencdata.c index 05079d2..6b6a5e1 100644 --- a/security/nss/lib/smime/cmsencdata.c +++ b/security/nss/lib/smime/cmsencdata.c @@ -37,7 +37,7 @@ /* * CMS encryptedData methods. * - * $Id: cmsencdata.c,v 1.8 2005/10/03 22:01:57 relyea%netscape.com Exp $ + * $Id: cmsencdata.c,v 1.11 2008/02/03 06:08:49 nelson%bolyard.com Exp $ */ #include "cmslocal.h" @@ -61,7 +61,8 @@ * (Retrieve specific errors via PORT_GetError()/XP_GetError().) */ NSSCMSEncryptedData * -NSS_CMSEncryptedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize) +NSS_CMSEncryptedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, + int keysize) { void *mark; NSSCMSEncryptedData *encd; @@ -73,7 +74,7 @@ NSS_CMSEncryptedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysiz mark = PORT_ArenaMark(poolp); - encd = (NSSCMSEncryptedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSEncryptedData)); + encd = PORT_ArenaZNew(poolp, NSSCMSEncryptedData); if (encd == NULL) goto loser; 
@@ -81,23 +82,25 @@ NSS_CMSEncryptedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysiz /* version is set in NSS_CMSEncryptedData_Encode_BeforeStart() */ - switch (algorithm) { - /* XXX hmmm... hardcoded algorithms? */ - case SEC_OID_RC2_CBC: - case SEC_OID_DES_EDE3_CBC: - case SEC_OID_DES_CBC: - rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, &(encd->contentInfo), algorithm, NULL, keysize); - break; - default: - /* Assume password-based-encryption. At least, try that. */ + if (!SEC_PKCS5IsAlgorithmPBEAlgTag(algorithm)) { + rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, &(encd->contentInfo), + algorithm, NULL, keysize); + } else { + /* Assume password-based-encryption. + * Note: we can't generate pkcs5v2 from this interface. + * PK11_CreateBPEAlgorithmID generates pkcs5v2 by accepting + * non-PBE oids and assuming that they are pkcs5v2 oids, but + * NSS_CMSEncryptedData_Create accepts non-PBE oids as regular + * CMS encrypted data, so we can't tell NSS_CMS_EncryptedData_Create + * to create pkcs5v2 PBEs */ pbe_algid = PK11_CreatePBEAlgorithmID(algorithm, 1, NULL); if (pbe_algid == NULL) { rv = SECFailure; - break; + } else { + rv = NSS_CMSContentInfo_SetContentEncAlgID(poolp, + &(encd->contentInfo), pbe_algid, keysize); + SECOID_DestroyAlgorithmID (pbe_algid, PR_TRUE); } - rv = NSS_CMSContentInfo_SetContentEncAlgID(poolp, &(encd->contentInfo), pbe_algid, keysize); - SECOID_DestroyAlgorithmID (pbe_algid, PR_TRUE); - break; } if (rv != SECSuccess) goto loser; diff --git a/security/nss/lib/softoken/config.mk b/security/nss/lib/softoken/config.mk index 5252fb0..13455f3 100644 --- a/security/nss/lib/softoken/config.mk +++ b/security/nss/lib/softoken/config.mk @@ -94,6 +94,10 @@ EXTRA_SHARED_LIBS += \ $(NULL) endif +ifeq ($(OS_TARGET),AIX) +OS_LIBS += -lpthread +endif + ifeq ($(OS_TARGET),SunOS) # The -R '$ORIGIN' linker option instructs this library to search for its # dependencies in the same directory where it resides. 
diff --git a/security/nss/lib/softoken/fipstokn.c b/security/nss/lib/softoken/fipstokn.c index 3dd386b..ca6aa34 100644 --- a/security/nss/lib/softoken/fipstokn.c +++ b/security/nss/lib/softoken/fipstokn.c @@ -431,6 +431,9 @@ sftk_LogAuditMessage(NSSAuditSeverity severity, const char *msg) **********************************************************************/ /* return the function list */ CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) { + + CHECK_FORK(); + *pFunctionList = &sftk_fipsTable; return CKR_OK; } @@ -443,6 +446,8 @@ CK_RV FC_Initialize(CK_VOID_PTR pReserved) { const char *envp; CK_RV crv; + CHECK_FORK(); + if (nsf_init) { return CKR_CRYPTOKI_ALREADY_INITIALIZED; } @@ -483,6 +488,9 @@ CK_RV FC_Initialize(CK_VOID_PTR pReserved) { /*FC_Finalize indicates that an application is done with the PKCS #11 library.*/ CK_RV FC_Finalize (CK_VOID_PTR pReserved) { CK_RV crv; + + CHECK_FORK(); + if (!nsf_init) { return CKR_OK; } @@ -494,18 +502,24 @@ CK_RV FC_Finalize (CK_VOID_PTR pReserved) { /* FC_GetInfo returns general information about PKCS #11. */ CK_RV FC_GetInfo(CK_INFO_PTR pInfo) { + CHECK_FORK(); + return NSC_GetInfo(pInfo); } /* FC_GetSlotList obtains a list of slots in the system. */ CK_RV FC_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) { + CHECK_FORK(); + return nsc_CommonGetSlotList(tokenPresent,pSlotList,pulCount, NSC_FIPS_MODULE); } /* FC_GetSlotInfo obtains information about a particular slot in the system. */ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { + CHECK_FORK(); + return NSC_GetSlotInfo(slotID,pInfo); } @@ -514,6 +528,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_GetTokenInfo(CK_SLOT_ID slotID,CK_TOKEN_INFO_PTR pInfo) { CK_RV crv; + CHECK_FORK(); + crv = NSC_GetTokenInfo(slotID,pInfo); if (crv == CKR_OK) pInfo->flags |= CKF_LOGIN_REQUIRED; 
@@ -526,6 +542,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { /*FC_GetMechanismList obtains a list of mechanism types supported by a token.*/ CK_RV FC_GetMechanismList(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pusCount) { + CHECK_FORK(); + SFTK_FIPSFATALCHECK(); if (slotID == FIPS_SLOT_ID) slotID = NETSCAPE_SLOT_ID; /* FIPS Slot supports all functions */ @@ -537,6 +555,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { * possibly supported by a token. */ CK_RV FC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, CK_MECHANISM_INFO_PTR pInfo) { + CHECK_FORK(); + SFTK_FIPSFATALCHECK(); if (slotID == FIPS_SLOT_ID) slotID = NETSCAPE_SLOT_ID; /* FIPS Slot supports all functions */ @@ -549,6 +569,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_ULONG usPinLen,CK_CHAR_PTR pLabel) { CK_RV crv; + CHECK_FORK(); + crv = NSC_InitToken(slotID,pPin,usPinLen,pLabel); if (sftk_audit_enabled) { char msg[128]; @@ -568,6 +590,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_InitPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pPin, CK_ULONG ulPinLen) { CK_RV rv; + + CHECK_FORK(); + if (sftk_fatalError) return CKR_DEVICE_ERROR; if ((rv = sftk_newPinCheck(pPin,ulPinLen)) == CKR_OK) { rv = NSC_InitPIN(hSession,pPin,ulPinLen); @@ -590,6 +615,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin, CK_ULONG usOldLen, CK_CHAR_PTR pNewPin, CK_ULONG usNewLen) { CK_RV rv; + + CHECK_FORK(); + if ((rv = sftk_fipsCheck()) == CKR_OK && (rv = sftk_newPinCheck(pNewPin,usNewLen)) == CKR_OK) { rv = NSC_SetPIN(hSession,pOldPin,usOldLen,pNewPin,usNewLen); 
@@ -610,18 +638,26 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication,CK_NOTIFY Notify,CK_SESSION_HANDLE_PTR phSession) { SFTK_FIPSFATALCHECK(); + + CHECK_FORK(); + return NSC_OpenSession(slotID,flags,pApplication,Notify,phSession); } /* FC_CloseSession closes a session between an application and a token. */ CK_RV FC_CloseSession(CK_SESSION_HANDLE hSession) { + CHECK_FORK(); + return NSC_CloseSession(hSession); } /* FC_CloseAllSessions closes all sessions with a token. */ CK_RV FC_CloseAllSessions (CK_SLOT_ID slotID) { + + CHECK_FORK(); + return NSC_CloseAllSessions (slotID); } @@ -632,6 +668,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV rv; SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + rv = NSC_GetSessionInfo(hSession,pInfo); if (rv == CKR_OK) { if ((isLoggedIn) && (pInfo->state == CKS_RO_PUBLIC_SESSION)) { @@ -669,6 +707,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { /* FC_Logout logs a user out from a token. */ CK_RV FC_Logout(CK_SESSION_HANDLE hSession) { CK_RV rv; + + CHECK_FORK(); + if ((rv = sftk_fipsCheck()) == CKR_OK) { rv = NSC_Logout(hSession); isLoggedIn = PR_FALSE; @@ -691,7 +732,10 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phObject) { CK_OBJECT_CLASS * classptr; + SFTK_FIPSCHECK(); + CHECK_FORK(); + classptr = (CK_OBJECT_CLASS *)fc_getAttribute(pTemplate,ulCount,CKA_CLASS); if (classptr == NULL) return CKR_TEMPLATE_INCOMPLETE; @@ -717,6 +761,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_OBJECT_HANDLE_PTR phNewObject) { CK_RV rv; CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY; + + CHECK_FORK(); + SFTK_FIPSFATALCHECK(); rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass); if (rv == CKR_OK) { 
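Review bot: CHECK_FORK() is placed after `SFTK_FIPSFATALCHECK();` in FC_OpenSession, but ahead of it in FC_GetMechanismList, FC_GetMechanismInfo and the object hunks that call sftk_get_object_class_and_fipsCheck, so the two guards run in a different order from one entry point to the next. The hunks calling NSC_GetSessionInfo and reading CKA_CLASS on this line, and the FC_Encrypt*, FC_Decrypt*, FC_Digest*, FC_Sign* and FC_Verify* hunks that follow, also put the FIPS check first. CHECK_FORK's definition is not in the visible diff, so which return code a caller sees when both conditions hold presumably depends on this order. I would use one order in every FC_ function, e.g. `CHECK_FORK();` as the first statement followed by `SFTK_FIPSFATALCHECK();`, and state the rule in a comment next to the macro.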
@@ -735,6 +782,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_OBJECT_HANDLE hObject) { CK_RV rv; CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY; + + CHECK_FORK(); + SFTK_FIPSFATALCHECK(); rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass); if (rv == CKR_OK) { @@ -752,6 +802,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize) { CK_RV rv; CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY; + + CHECK_FORK(); + SFTK_FIPSFATALCHECK(); rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass); if (rv == CKR_OK) { @@ -769,6 +822,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) { CK_RV rv; CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY; + + CHECK_FORK(); + SFTK_FIPSFATALCHECK(); rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass); if (rv == CKR_OK) { @@ -786,6 +842,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) { CK_RV rv; CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY; + + CHECK_FORK(); + SFTK_FIPSFATALCHECK(); rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass); if (rv == CKR_OK) { @@ -808,6 +867,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV rv; PRBool needLogin = PR_FALSE; + + CHECK_FORK(); + SFTK_FIPSFATALCHECK(); for (i=0; i < usCount; i++) { @@ -839,6 +901,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount) { + CHECK_FORK(); + /* let publically readable object be found */ SFTK_FIPSFATALCHECK(); return NSC_FindObjects(hSession,phObject,usMaxObjectCount, 
@@ -854,6 +918,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) { SFTK_FIPSCHECK(); + CHECK_FORK(); + rv = NSC_EncryptInit(hSession,pMechanism,hKey); if (sftk_audit_enabled) { sftk_AuditCryptInit("Encrypt",hSession,pMechanism,hKey,rv); @@ -866,6 +932,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_ULONG usDataLen, CK_BYTE_PTR pEncryptedData, CK_ULONG_PTR pusEncryptedDataLen) { SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_Encrypt(hSession,pData,usDataLen,pEncryptedData, pusEncryptedDataLen); } @@ -876,6 +944,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_BYTE_PTR pPart, CK_ULONG usPartLen, CK_BYTE_PTR pEncryptedPart, CK_ULONG_PTR pusEncryptedPartLen) { SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_EncryptUpdate(hSession,pPart,usPartLen,pEncryptedPart, pusEncryptedPartLen); } @@ -884,8 +954,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { /* FC_EncryptFinal finishes a multiple-part encryption operation. */ CK_RV FC_EncryptFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pusLastEncryptedPartLen) { - SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_EncryptFinal(hSession,pLastEncryptedPart, pusLastEncryptedPartLen); } @@ -899,6 +970,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_DecryptInit( CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) { SFTK_FIPSCHECK(); + CHECK_FORK(); + rv = NSC_DecryptInit(hSession,pMechanism,hKey); if (sftk_audit_enabled) { sftk_AuditCryptInit("Decrypt",hSession,pMechanism,hKey,rv); 
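Review bot: In the FC_EncryptFinal hunk (`@@ -884,8 +954,9 @@`) the removed line sits directly in front of `SFTK_FIPSCHECK();`, and in this collapsed rendering it cannot be told whether the commit drops a blank line or the FIPS check itself. Every other FC_Encrypt* and FC_Decrypt* entry point in this diff keeps `SFTK_FIPSCHECK();` ahead of `CHECK_FORK();`. The new body should be confirmed to run `SFTK_FIPSCHECK();` and then `CHECK_FORK();` before the call to NSC_EncryptFinal.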
@@ -911,6 +984,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_BYTE_PTR pEncryptedData,CK_ULONG usEncryptedDataLen,CK_BYTE_PTR pData, CK_ULONG_PTR pusDataLen) { SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_Decrypt(hSession,pEncryptedData,usEncryptedDataLen,pData, pusDataLen); } @@ -921,6 +996,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_BYTE_PTR pEncryptedPart, CK_ULONG usEncryptedPartLen, CK_BYTE_PTR pPart, CK_ULONG_PTR pusPartLen) { SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_DecryptUpdate(hSession,pEncryptedPart,usEncryptedPartLen, pPart,pusPartLen); } @@ -930,6 +1007,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_DecryptFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart, CK_ULONG_PTR pusLastPartLen) { SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_DecryptFinal(hSession,pLastPart,pusLastPartLen); } @@ -942,6 +1021,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism) { SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + return NSC_DigestInit(hSession, pMechanism); } @@ -951,6 +1032,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_BYTE_PTR pData, CK_ULONG usDataLen, CK_BYTE_PTR pDigest, CK_ULONG_PTR pusDigestLen) { SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + return NSC_Digest(hSession,pData,usDataLen,pDigest,pusDigestLen); } @@ -959,6 +1042,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_DigestUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart, CK_ULONG usPartLen) { SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + return NSC_DigestUpdate(hSession,pPart,usPartLen); } 
@@ -967,6 +1052,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_DigestFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pDigest, CK_ULONG_PTR pusDigestLen) { SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + return NSC_DigestFinal(hSession,pDigest,pusDigestLen); } @@ -981,6 +1068,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) { SFTK_FIPSCHECK(); + CHECK_FORK(); + rv = NSC_SignInit(hSession,pMechanism,hKey); if (sftk_audit_enabled) { sftk_AuditCryptInit("Sign",hSession,pMechanism,hKey,rv); @@ -996,6 +1085,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_BYTE_PTR pData,CK_ULONG usDataLen,CK_BYTE_PTR pSignature, CK_ULONG_PTR pusSignatureLen) { SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_Sign(hSession,pData,usDataLen,pSignature,pusSignatureLen); } @@ -1006,6 +1097,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_SignUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart, CK_ULONG usPartLen) { SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_SignUpdate(hSession,pPart,usPartLen); } @@ -1015,6 +1108,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_SignFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature, CK_ULONG_PTR pusSignatureLen) { SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_SignFinal(hSession,pSignature,pusSignatureLen); } @@ -1027,6 +1122,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_SignRecoverInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) { SFTK_FIPSCHECK(); + CHECK_FORK(); + rv = NSC_SignRecoverInit(hSession,pMechanism,hKey); if (sftk_audit_enabled) { sftk_AuditCryptInit("SignRecover",hSession,pMechanism,hKey,rv); 
@@ -1041,6 +1138,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pusSignatureLen) { SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_SignRecover(hSession,pData,usDataLen,pSignature,pusSignatureLen); } @@ -1054,6 +1153,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) { SFTK_FIPSCHECK(); + CHECK_FORK(); + rv = NSC_VerifyInit(hSession,pMechanism,hKey); if (sftk_audit_enabled) { sftk_AuditCryptInit("Verify",hSession,pMechanism,hKey,rv); @@ -1069,6 +1170,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG usSignatureLen) { /* make sure we're legal */ SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_Verify(hSession,pData,usDataLen,pSignature,usSignatureLen); } @@ -1079,6 +1182,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_VerifyUpdate( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG usPartLen) { SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_VerifyUpdate(hSession,pPart,usPartLen); } @@ -1088,6 +1193,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,CK_ULONG usSignatureLen) { SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_VerifyFinal(hSession,pSignature,usSignatureLen); } @@ -1101,6 +1208,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_VerifyRecoverInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) { SFTK_FIPSCHECK(); + CHECK_FORK(); + rv = NSC_VerifyRecoverInit(hSession,pMechanism,hKey); if (sftk_audit_enabled) { sftk_AuditCryptInit("VerifyRecover",hSession,pMechanism,hKey,rv); 
@@ -1116,6 +1225,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_BYTE_PTR pSignature,CK_ULONG usSignatureLen, CK_BYTE_PTR pData,CK_ULONG_PTR pusDataLen) { SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_VerifyRecover(hSession,pSignature,usSignatureLen,pData, pusDataLen); } @@ -1131,6 +1242,7 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_BBOOL *boolptr; SFTK_FIPSCHECK(); + CHECK_FORK(); /* all secret keys must be sensitive, if the upper level code tries to say * otherwise, reject it. */ @@ -1160,6 +1272,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV crv; SFTK_FIPSCHECK(); + CHECK_FORK(); + /* all private keys must be sensitive, if the upper level code tries to say * otherwise, reject it. */ @@ -1192,6 +1306,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pulWrappedKeyLen) { SFTK_FIPSCHECK(); + CHECK_FORK(); + rv = NSC_WrapKey(hSession,pMechanism,hWrappingKey,hKey,pWrappedKey, pulWrappedKeyLen); if (sftk_audit_enabled) { @@ -1211,6 +1327,7 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_BBOOL *boolptr; SFTK_FIPSCHECK(); + CHECK_FORK(); /* all secret keys must be sensitive, if the upper level code tries to say * otherwise, reject it. */ @@ -1239,6 +1356,7 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_BBOOL *boolptr; SFTK_FIPSCHECK(); + CHECK_FORK(); /* all secret keys must be sensitive, if the upper level code tries to say * otherwise, reject it. */ @@ -1269,6 +1387,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV crv; SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + crv = NSC_SeedRandom(hSession,pSeed,usSeedLen); if (crv != CKR_OK) { sftk_fatalError = PR_TRUE; 
@@ -1282,6 +1402,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen) { CK_RV crv; + CHECK_FORK(); + SFTK_FIPSFATALCHECK(); crv = NSC_GenerateRandom(hSession,pRandomData,ulRandomLen); if (crv != CKR_OK) { @@ -1305,6 +1427,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { * in parallel with an application. */ CK_RV FC_GetFunctionStatus(CK_SESSION_HANDLE hSession) { SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_GetFunctionStatus(hSession); } @@ -1312,6 +1436,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { /* FC_CancelFunction cancels a function running in parallel */ CK_RV FC_CancelFunction(CK_SESSION_HANDLE hSession) { SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_CancelFunction(hSession); } @@ -1324,6 +1450,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_GetOperationState(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState, CK_ULONG_PTR pulOperationStateLen) { SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + return NSC_GetOperationState(hSession,pOperationState,pulOperationStateLen); } @@ -1334,6 +1462,8 @@ CK_RV FC_SetOperationState(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState, CK_ULONG ulOperationStateLen, CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey) { SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + return NSC_SetOperationState(hSession,pOperationState,ulOperationStateLen, hEncryptionKey,hAuthenticationKey); } @@ -1342,6 +1472,8 @@ CK_RV FC_SetOperationState(CK_SESSION_HANDLE hSession, CK_RV FC_FindObjectsFinal(CK_SESSION_HANDLE hSession) { /* let publically readable object be found */ SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + return NSC_FindObjectsFinal(hSession); } 
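Review bot: In FC_GenerateRandom, `CHECK_FORK();` is placed ahead of `SFTK_FIPSFATALCHECK();`, while the other FC_ wrappers in this file that carry both checks, such as FC_SeedRandom, run the FIPS check first and the fork check second. The order decides which condition is evaluated and reported first, so one order should be used throughout; here that would be `SFTK_FIPSFATALCHECK();` followed by `CHECK_FORK();`. The function body continues outside the hunk.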
@@ -1354,6 +1486,8 @@ CK_RV FC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart, CK_ULONG_PTR pulEncryptedPartLen) { SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_DigestEncryptUpdate(hSession,pPart,ulPartLen,pEncryptedPart, pulEncryptedPartLen); } @@ -1364,8 +1498,9 @@ CK_RV FC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_RV FC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) { - SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_DecryptDigestUpdate(hSession, pEncryptedPart,ulEncryptedPartLen, pPart,pulPartLen); } @@ -1375,8 +1510,9 @@ CK_RV FC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession, CK_RV FC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart, CK_ULONG_PTR pulEncryptedPartLen) { - SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_SignEncryptUpdate(hSession,pPart,ulPartLen,pEncryptedPart, pulEncryptedPartLen); } @@ -1386,8 +1522,9 @@ CK_RV FC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_RV FC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) { - SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_DecryptVerifyUpdate(hSession,pEncryptedData,ulEncryptedDataLen, pData,pulDataLen); } @@ -1398,6 +1535,8 @@ CK_RV FC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession, */ CK_RV FC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) { SFTK_FIPSCHECK(); + CHECK_FORK(); + rv = NSC_DigestKey(hSession,hKey); if (sftk_audit_enabled) { sftk_AuditDigestKey(hSession,hKey,rv); 
@@ -1409,5 +1548,7 @@ CK_RV FC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) { CK_RV FC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR pReserved) { + CHECK_FORK(); + return NSC_WaitForSlotEvent(flags, pSlot, pReserved); } diff --git a/security/nss/lib/softoken/legacydb/lginit.c b/security/nss/lib/softoken/legacydb/lginit.c index 5e7bc60..62732f0 100644 --- a/security/nss/lib/softoken/legacydb/lginit.c +++ b/security/nss/lib/softoken/legacydb/lginit.c @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: lginit.c,v 1.11 2007/10/09 17:06:24 slavomir.katuscak%sun.com Exp $ */ +/* $Id: lginit.c,v 1.12 2008/02/16 04:38:07 julien.pierre.boogz%sun.com Exp $ */ #include "lowkeyi.h" #include "pcert.h" @@ -573,8 +573,6 @@ loser: } -extern SECStatus secoid_Init(void); /* util *REALLY* needs - * to be a shared library */ /* * OK there are now lots of options here, lets go through them all: * @@ -598,9 +596,13 @@ legacy_Open(const char *configdir, const char *certPrefix, int flags, SDB **certDB, SDB **keyDB) { CK_RV crv = CKR_OK; + SECStatus rv; PRBool readOnly = (flags == SDB_RDONLY)? PR_TRUE: PR_FALSE; - secoid_Init(); + rv = SECOID_Init(); + if (SECSuccess != rv) { + return CKR_DEVICE_ERROR; + } nsslowcert_InitLocks(); if (keyDB) *keyDB = NULL; diff --git a/security/nss/lib/softoken/legacydb/lowcert.c b/security/nss/lib/softoken/legacydb/lowcert.c index 681d467..a3fa7b8 100644 --- a/security/nss/lib/softoken/legacydb/lowcert.c +++ b/security/nss/lib/softoken/legacydb/lowcert.c @@ -38,7 +38,7 @@ /* * Certificate handling code * - * $Id: lowcert.c,v 1.3 2007/10/12 01:44:48 julien.pierre.boogz%sun.com Exp $ + * $Id: lowcert.c,v 1.4 2008/02/08 02:50:50 julien.pierre.boogz%sun.com Exp $ */ #include "seccomon.h" 
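Review bot: In legacy_Open (lginit.c), the new `return CKR_DEVICE_ERROR;` on SECOID_Init failure runs before the output-handle clearing that starts with `if (keyDB) *keyDB = NULL;`, so on this path the out-parameters are left exactly as the caller passed them. A caller that cleans up through those handles after a failed open would then act on an uninitialized pointer; whether any caller does so is not visible here. Moving the out-parameter clearing ahead of `rv = SECOID_Init();` keeps every failure path consistent. The rest of legacy_Open is outside the hunk.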
@@ -50,7 +50,7 @@ #include "secerr.h" #include "pcert.h" -SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate); +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) static const SEC_ASN1Template nsslowcert_SubjectPublicKeyInfoTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWCERTSubjectPublicKeyInfo) }, diff --git a/security/nss/lib/softoken/legacydb/lowkey.c b/security/nss/lib/softoken/legacydb/lowkey.c index 2a618c2..5ee64d1 100644 --- a/security/nss/lib/softoken/legacydb/lowkey.c +++ b/security/nss/lib/softoken/legacydb/lowkey.c @@ -41,10 +41,10 @@ #include "secasn1.h" #include "secerr.h" -SEC_ASN1_MKSUB(SEC_AnyTemplate); -SEC_ASN1_MKSUB(SEC_BitStringTemplate); -SEC_ASN1_MKSUB(SEC_ObjectIDTemplate); -SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate); +SEC_ASN1_MKSUB(SEC_AnyTemplate) +SEC_ASN1_MKSUB(SEC_BitStringTemplate) +SEC_ASN1_MKSUB(SEC_ObjectIDTemplate) +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) static const SEC_ASN1Template nsslowkey_AttributeTemplate[] = { { SEC_ASN1_SEQUENCE, diff --git a/security/nss/lib/softoken/lowkey.c b/security/nss/lib/softoken/lowkey.c index fed429c..4174cef 100644 --- a/security/nss/lib/softoken/lowkey.c +++ b/security/nss/lib/softoken/lowkey.c @@ -46,10 +46,10 @@ #include "softoken.h" #endif -SEC_ASN1_MKSUB(SEC_AnyTemplate); -SEC_ASN1_MKSUB(SEC_BitStringTemplate); -SEC_ASN1_MKSUB(SEC_ObjectIDTemplate); -SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate); +SEC_ASN1_MKSUB(SEC_AnyTemplate) +SEC_ASN1_MKSUB(SEC_BitStringTemplate) +SEC_ASN1_MKSUB(SEC_ObjectIDTemplate) +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) const SEC_ASN1Template nsslowkey_AttributeTemplate[] = { { SEC_ASN1_SEQUENCE, diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c index 3c48a45..355b47f 100644 --- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c @@ -65,7 +65,7 @@ #include "prtypes.h" #include "nspr.h" #include "softkver.h" - +#include "secoid.h" #include "sftkdb.h" #include "sftkpars.h" 
@@ -460,6 +460,23 @@ static const struct mechanismList mechanisms[] = { }; static const CK_ULONG mechanismCount = sizeof(mechanisms)/sizeof(mechanisms[0]); +static PRBool nsc_init = PR_FALSE; + +#if defined(XP_UNIX) && !defined(NO_PTHREADS) + +#include + +PRBool forked = PR_FALSE; + +void ForkedChild(void) +{ + if (nsc_init || nsf_init) { + forked = PR_TRUE; + } +} + +#endif + static char * sftk_setStringName(const char *inString, char *buffer, int buffer_length) { @@ -1821,6 +1838,8 @@ sftk_IsWeakKey(unsigned char *key,CK_KEY_TYPE key_type) /* return the function list */ CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) { + CHECK_FORK(); + *pFunctionList = (CK_FUNCTION_LIST_PTR) &sftk_funcList; return CKR_OK; } @@ -1828,6 +1847,8 @@ CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) /* return the function list */ CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) { + CHECK_FORK(); + return NSC_GetFunctionList(pFunctionList); } @@ -2333,6 +2354,10 @@ NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args) static char *success="Success"; char **rvstr = NULL; +#if defined(XP_UNIX) && !defined(NO_PTHREADS) + if (forked) return NULL; +#endif + secmod = sftk_getSecmodName(parameters, &dbType, &appName,&filename, &rw); switch (function) { @@ -2412,9 +2437,6 @@ sftk_closePeer(PRBool isFIPS) return; } -static PRBool nsc_init = PR_FALSE; -extern SECStatus secoid_Init(void); - /* NSC_Initialize initializes the Cryptoki library. */ CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS) { @@ -2424,12 +2446,11 @@ CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS) int i; int moduleIndex = isFIPS? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE; - if (isFIPS) { loginWaitTime = PR_SecondsToInterval(1); } - rv = secoid_Init(); + rv = SECOID_Init(); if (rv != SECSuccess) { crv = CKR_DEVICE_ERROR; return crv; 
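Review bot: `forked` and `ForkedChild` in pkcs11.c are defined with external linkage under very generic names, so a statically linked application or another library can collide with them; a module prefix such as `sftk_forked` / `sftk_ForkedChild` (also in the softoken.h declarations) would match the naming used by the rest of the file. Nothing in the visible hunks ever clears `forked`, and both NSC_Initialize and NSC_Finalize now begin with `CHECK_FORK()`, so a child that forks without exec appears unable to finalize or re-initialize the module. If that is the intended contract, a comment on `ForkedChild` should say so, e.g. `/* runs in the child of an initialized process: softoken stays unusable there */`.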
@@ -2511,12 +2532,20 @@ loser: sftk_InitFreeLists(); } +#if defined(XP_UNIX) && !defined(NO_PTHREADS) + if (CKR_OK == crv) { + pthread_atfork(NULL, NULL, ForkedChild); + } +#endif return crv; } CK_RV NSC_Initialize(CK_VOID_PTR pReserved) { CK_RV crv; + + CHECK_FORK(); + if (nsc_init) { return CKR_CRYPTOKI_ALREADY_INITIALIZED; } @@ -2525,14 +2554,11 @@ CK_RV NSC_Initialize(CK_VOID_PTR pReserved) return crv; } -extern SECStatus SECOID_Shutdown(void); /* NSC_Finalize indicates that an application is done with the * Cryptoki library.*/ CK_RV nsc_CommonFinalize (CK_VOID_PTR pReserved, PRBool isFIPS) { - - nscFreeAllSlots(isFIPS ? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE); /* don't muck with the globals is our peer is still initialized */ @@ -2566,6 +2592,8 @@ CK_RV NSC_Finalize (CK_VOID_PTR pReserved) { CK_RV crv; + CHECK_FORK(); + if (!nsc_init) { return CKR_OK; } @@ -2585,6 +2613,8 @@ CK_RV NSC_GetInfo(CK_INFO_PTR pInfo) { volatile char c; /* force a reference that won't get optimized away */ + CHECK_FORK(); + c = __nss_softokn_rcsid[0] + __nss_softokn_sccsid[0]; pInfo->cryptokiVersion.major = 2; pInfo->cryptokiVersion.minor = 20; @@ -2613,6 +2643,7 @@ CK_RV nsc_CommonGetSlotList(CK_BBOOL tokenPresent, CK_RV NSC_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) { + CHECK_FORK(); return nsc_CommonGetSlotList(tokenPresent, pSlotList, pulCount, NSC_NON_FIPS_MODULE); } @@ -2621,6 +2652,9 @@ CK_RV NSC_GetSlotList(CK_BBOOL tokenPresent, CK_RV NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { SFTKSlot *slot = sftk_SlotFromID(slotID, PR_TRUE); + + CHECK_FORK(); + if (slot == NULL) return CKR_SLOT_ID_INVALID; pInfo->firmwareVersion.major = 0; @@ -2661,6 +2695,8 @@ CK_RV NSC_GetTokenInfo(CK_SLOT_ID slotID,CK_TOKEN_INFO_PTR pInfo) SFTKSlot *slot; SFTKDBHandle *handle; + CHECK_FORK(); + if (!nsc_init && !nsf_init) return CKR_CRYPTOKI_NOT_INITIALIZED; slot = sftk_SlotFromID(slotID, PR_FALSE); if (slot == NULL) return CKR_SLOT_ID_INVALID; 
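Review bot: The `pthread_atfork(NULL, NULL, ForkedChild);` call at the end of nsc_CommonInitialize ignores its return value and runs on every successful initialization, so a failed registration silently leaves the process without fork detection, and repeated initialize/finalize cycles (or initializing both the FIPS and non-FIPS module) stack duplicate handlers. POSIX offers no way to unregister a handler, so if the softoken library is unloaded after finalize, a later fork() may call into unmapped code; that depends on how the module is loaded, which the hunk does not show. Registering once behind a static flag and mapping a non-zero result to an error, e.g. `if (pthread_atfork(NULL, NULL, ForkedChild) != 0) crv = CKR_DEVICE_ERROR;`, would cover the first two cases.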
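Review bot: In NSC_GetSlotInfo the slot lookup `sftk_SlotFromID(slotID, PR_TRUE)` runs in the declaration initializer, before `CHECK_FORK()`, so a forked child still reads inherited module state before the guard rejects the call. The same pattern is visible in NSC_CopyObject, NSC_GetAttributeValue and NSC_SetAttributeValue, which initialize `slot` with `sftk_SlotFromSessionHandle(hSession)` ahead of the guard. Declaring the pointer first and assigning after the guard keeps the check in front of any state access: `SFTKSlot *slot;` then `CHECK_FORK();` then `slot = sftk_SlotFromID(slotID, PR_TRUE);`.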
@@ -2742,6 +2778,8 @@ CK_RV NSC_GetMechanismList(CK_SLOT_ID slotID, { CK_ULONG i; + CHECK_FORK(); + switch (slotID) { /* default: */ case NETSCAPE_SLOT_ID: @@ -2776,6 +2814,8 @@ CK_RV NSC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, PRBool isPrivateKey; CK_ULONG i; + CHECK_FORK(); + switch (slotID) { case NETSCAPE_SLOT_ID: isPrivateKey = PR_FALSE; @@ -2833,6 +2873,8 @@ CK_RV NSC_InitToken(CK_SLOT_ID slotID,CK_CHAR_PTR pPin, unsigned int i; SFTKObject *object; + CHECK_FORK(); + if (slot == NULL) return CKR_SLOT_ID_INVALID; /* don't initialize the database if we aren't talking to a token @@ -2897,6 +2939,7 @@ CK_RV NSC_InitPIN(CK_SESSION_HANDLE hSession, SECStatus rv; CK_RV crv = CKR_SESSION_HANDLE_INVALID; + CHECK_FORK(); sp = sftk_SessionFromHandle(hSession); if (sp == NULL) { @@ -2979,6 +3022,7 @@ CK_RV NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin, SECStatus rv; CK_RV crv = CKR_SESSION_HANDLE_INVALID; + CHECK_FORK(); sp = sftk_SessionFromHandle(hSession); if (sp == NULL) { @@ -3056,6 +3100,8 @@ CK_RV NSC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, SFTKSession *session; SFTKSession *sameID; + CHECK_FORK(); + slot = sftk_SlotFromID(slotID, PR_FALSE); if (slot == NULL) return CKR_SLOT_ID_INVALID; @@ -3107,6 +3153,8 @@ CK_RV NSC_CloseSession(CK_SESSION_HANDLE hSession) PRBool sessionFound; PZLock *lock; + CHECK_FORK(); + session = sftk_SessionFromHandle(hSession); if (session == NULL) return CKR_SESSION_HANDLE_INVALID; slot = sftk_SlotFromSession(session); @@ -3152,6 +3200,8 @@ CK_RV NSC_CloseAllSessions (CK_SLOT_ID slotID) { SFTKSlot *slot; + CHECK_FORK(); + slot = sftk_SlotFromID(slotID, PR_FALSE); if (slot == NULL) return CKR_SLOT_ID_INVALID; @@ -3166,6 +3216,8 @@ CK_RV NSC_GetSessionInfo(CK_SESSION_HANDLE hSession, { SFTKSession *session; + CHECK_FORK(); + session = sftk_SessionFromHandle(hSession); if (session == NULL) return CKR_SESSION_HANDLE_INVALID; 
@@ -3186,6 +3238,7 @@ CK_RV NSC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_RV crv; char pinStr[SFTK_MAX_PIN+1]; + CHECK_FORK(); /* get the slot */ slot = sftk_SlotFromSessionHandle(hSession); @@ -3292,6 +3345,8 @@ CK_RV NSC_Logout(CK_SESSION_HANDLE hSession) SFTKSession *session; SFTKDBHandle *handle; + CHECK_FORK(); + if (slot == NULL) { return CKR_SESSION_HANDLE_INVALID; } @@ -3425,6 +3480,8 @@ CK_RV NSC_CreateObject(CK_SESSION_HANDLE hSession, CK_RV crv; int i; + CHECK_FORK(); + *phObject = CK_INVALID_HANDLE; if (slot == NULL) { @@ -3492,6 +3549,8 @@ CK_RV NSC_CopyObject(CK_SESSION_HANDLE hSession, SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); int i; + CHECK_FORK(); + if (slot == NULL) { return CKR_SESSION_HANDLE_INVALID; } @@ -3570,7 +3629,10 @@ CK_RV NSC_CopyObject(CK_SESSION_HANDLE hSession, /* NSC_GetObjectSize gets the size of an object in bytes. */ CK_RV NSC_GetObjectSize(CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize) { + CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize) +{ + CHECK_FORK(); + *pulSize = 0; return CKR_OK; } @@ -3578,7 +3640,8 @@ CK_RV NSC_GetObjectSize(CK_SESSION_HANDLE hSession, /* NSC_GetAttributeValue obtains the value of one or more object attributes. */ CK_RV NSC_GetAttributeValue(CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) { + CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) +{ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); SFTKSession *session; SFTKObject *object; @@ -3587,6 +3650,8 @@ CK_RV NSC_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_RV crv; int i; + CHECK_FORK(); + if (slot == NULL) { return CKR_SESSION_HANDLE_INVALID; } 
@@ -3677,7 +3742,8 @@ CK_RV NSC_GetAttributeValue(CK_SESSION_HANDLE hSession, /* NSC_SetAttributeValue modifies the value of one or more object attributes */ CK_RV NSC_SetAttributeValue (CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) { + CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) +{ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); SFTKSession *session; SFTKAttribute *attribute; @@ -3687,6 +3753,8 @@ CK_RV NSC_SetAttributeValue (CK_SESSION_HANDLE hSession, CK_BBOOL legal; int i; + CHECK_FORK(); + if (slot == NULL) { return CKR_SESSION_HANDLE_INVALID; } @@ -3933,6 +4001,8 @@ CK_RV NSC_FindObjectsInit(CK_SESSION_HANDLE hSession, PRBool tokenOnly = PR_FALSE; CK_RV crv = CKR_OK; PRBool isLoggedIn; + + CHECK_FORK(); if (slot == NULL) { return CKR_SESSION_HANDLE_INVALID; @@ -4005,6 +4075,8 @@ CK_RV NSC_FindObjects(CK_SESSION_HANDLE hSession, int transfer; int left; + CHECK_FORK(); + *pulObjectCount = 0; session = sftk_SessionFromHandle(hSession); if (session == NULL) return CKR_SESSION_HANDLE_INVALID; @@ -4038,6 +4110,8 @@ CK_RV NSC_FindObjectsFinal(CK_SESSION_HANDLE hSession) SFTKSession *session; SFTKSearchResults *search; + CHECK_FORK(); + session = sftk_SessionFromHandle(hSession); if (session == NULL) return CKR_SESSION_HANDLE_INVALID; search = session->search; @@ -4054,5 +4128,8 @@ CK_RV NSC_FindObjectsFinal(CK_SESSION_HANDLE hSession) CK_RV NSC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR pReserved) { + CHECK_FORK(); + return CKR_FUNCTION_NOT_SUPPORTED; } + diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c index 3a1fde2..18b3d92 100644 --- a/security/nss/lib/softoken/pkcs11c.c +++ b/security/nss/lib/softoken/pkcs11c.c 
@@ -183,6 +183,8 @@ NSC_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) SFTKObject *object; SFTKFreeStatus status; + CHECK_FORK(); + if (slot == NULL) { return CKR_SESSION_HANDLE_INVALID; } @@ -739,6 +741,7 @@ finish_des: CK_RV NSC_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) { + CHECK_FORK(); return sftk_CryptInit(hSession, pMechanism, hKey, CKA_ENCRYPT, SFTK_ENCRYPT, PR_TRUE); } @@ -755,6 +758,8 @@ CK_RV NSC_EncryptUpdate(CK_SESSION_HANDLE hSession, CK_RV crv; SECStatus rv; + CHECK_FORK(); + /* make sure we're legal */ crv = sftk_GetContext(hSession,&context,SFTK_ENCRYPT,PR_TRUE,NULL); if (crv != CKR_OK) return crv; @@ -832,6 +837,8 @@ CK_RV NSC_EncryptFinal(CK_SESSION_HANDLE hSession, SECStatus rv = SECSuccess; PRBool contextFinished = PR_TRUE; + CHECK_FORK(); + /* make sure we're legal */ crv = sftk_GetContext(hSession,&context,SFTK_ENCRYPT,PR_TRUE,&session); if (crv != CKR_OK) return crv; @@ -886,6 +893,8 @@ CK_RV NSC_Encrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, pText.data = pData; pText.len = ulDataLen; + CHECK_FORK(); + /* make sure we're legal */ crv = sftk_GetContext(hSession,&context,SFTK_ENCRYPT,PR_FALSE,&session); if (crv != CKR_OK) return crv; @@ -958,6 +967,8 @@ finish: CK_RV NSC_DecryptInit( CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) { + CHECK_FORK(); + return sftk_CryptInit(hSession, pMechanism, hKey, CKA_DECRYPT, SFTK_DECRYPT, PR_FALSE); } @@ -974,6 +985,8 @@ CK_RV NSC_DecryptUpdate(CK_SESSION_HANDLE hSession, CK_RV crv; SECStatus rv; + CHECK_FORK(); + /* make sure we're legal */ crv = sftk_GetContext(hSession,&context,SFTK_DECRYPT,PR_TRUE,NULL); if (crv != CKR_OK) return crv; @@ -1042,6 +1055,8 @@ CK_RV NSC_DecryptFinal(CK_SESSION_HANDLE hSession, CK_RV crv; SECStatus rv = SECSuccess; + CHECK_FORK(); + /* make sure we're legal */ crv = sftk_GetContext(hSession,&context,SFTK_DECRYPT,PR_TRUE,&session); if (crv != CKR_OK) return crv; 
@@ -1095,6 +1110,8 @@ CK_RV NSC_Decrypt(CK_SESSION_HANDLE hSession, CK_RV crv2; SECStatus rv = SECSuccess; + CHECK_FORK(); + /* make sure we're legal */ crv = sftk_GetContext(hSession,&context,SFTK_DECRYPT,PR_FALSE,&session); if (crv != CKR_OK) return crv; @@ -1155,6 +1172,8 @@ CK_RV NSC_DigestInit(CK_SESSION_HANDLE hSession, SFTKSessionContext *context; CK_RV crv = CKR_OK; + CHECK_FORK(); + session = sftk_SessionFromHandle(hSession); if (session == NULL) return CKR_SESSION_HANDLE_INVALID; @@ -1217,6 +1236,8 @@ CK_RV NSC_Digest(CK_SESSION_HANDLE hSession, unsigned int maxout = *pulDigestLen; CK_RV crv; + CHECK_FORK(); + /* make sure we're legal */ crv = sftk_GetContext(hSession,&context,SFTK_HASH,PR_FALSE,&session); if (crv != CKR_OK) return crv; @@ -1247,6 +1268,8 @@ CK_RV NSC_DigestUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart, SFTKSessionContext *context; CK_RV crv; + CHECK_FORK(); + /* make sure we're legal */ crv = sftk_GetContext(hSession,&context,SFTK_HASH,PR_TRUE,NULL); if (crv != CKR_OK) return crv; @@ -1266,6 +1289,8 @@ CK_RV NSC_DigestFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pDigest, unsigned int digestLen; CK_RV crv; + CHECK_FORK(); + /* make sure we're legal */ crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, &session); if (crv != CKR_OK) return crv; @@ -1814,6 +1839,8 @@ CK_RV NSC_SignInit(CK_SESSION_HANDLE hSession, NSSLOWKEYPrivateKey *privKey; SFTKHashSignInfo *info = NULL; + CHECK_FORK(); + /* Block Cipher MACing Algorithms use a different Context init method..*/ crv = sftk_InitCBCMac(hSession, pMechanism, hKey, CKA_SIGN, SFTK_SIGN); if (crv != CKR_FUNCTION_NOT_SUPPORTED) return crv; @@ -2051,6 +2078,8 @@ sftk_MACUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart, CK_RV NSC_SignUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart, CK_ULONG ulPartLen) { + CHECK_FORK(); + return sftk_MACUpdate(hSession, pPart, ulPartLen, SFTK_SIGN); } 
@@ -2069,6 +2098,8 @@ CK_RV NSC_SignFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature, CK_RV crv; SECStatus rv = SECSuccess; + CHECK_FORK(); + /* make sure we're legal */ *pulSignatureLen = 0; crv = sftk_GetContext(hSession,&context,SFTK_SIGN,PR_TRUE,&session); @@ -2122,6 +2153,8 @@ CK_RV NSC_Sign(CK_SESSION_HANDLE hSession, CK_RV crv,crv2; SECStatus rv = SECSuccess; + CHECK_FORK(); + /* make sure we're legal */ crv = sftk_GetContext(hSession,&context,SFTK_SIGN,PR_FALSE,&session); if (crv != CKR_OK) return crv; @@ -2163,6 +2196,8 @@ finish: CK_RV NSC_SignRecoverInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) { + CHECK_FORK(); + switch (pMechanism->mechanism) { case CKM_RSA_PKCS: case CKM_RSA_X_509: @@ -2180,6 +2215,8 @@ CK_RV NSC_SignRecoverInit(CK_SESSION_HANDLE hSession, CK_RV NSC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen) { + CHECK_FORK(); + return NSC_Sign(hSession,pData,ulDataLen,pSignature,pulSignatureLen); } @@ -2262,6 +2299,8 @@ CK_RV NSC_VerifyInit(CK_SESSION_HANDLE hSession, NSSLOWKEYPublicKey *pubKey; SFTKHashVerifyInfo *info = NULL; + CHECK_FORK(); + /* Block Cipher MACing Algorithms use a different Context init method..*/ crv = sftk_InitCBCMac(hSession, pMechanism, hKey, CKA_VERIFY, SFTK_VERIFY); if (crv != CKR_FUNCTION_NOT_SUPPORTED) return crv; @@ -2412,6 +2451,8 @@ CK_RV NSC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_RV crv, crv2; SECStatus rv; + CHECK_FORK(); + /* make sure we're legal */ crv = sftk_GetContext(hSession,&context,SFTK_VERIFY,PR_FALSE,&session); if (crv != CKR_OK) return crv; @@ -2442,6 +2483,8 @@ CK_RV NSC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_RV NSC_VerifyUpdate( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen) { + CHECK_FORK(); + return sftk_MACUpdate(hSession, pPart, ulPartLen, SFTK_VERIFY); } 
@@ -2459,6 +2502,8 @@ CK_RV NSC_VerifyFinal(CK_SESSION_HANDLE hSession, CK_RV crv; SECStatus rv = SECSuccess; + CHECK_FORK(); + /* make sure we're legal */ crv = sftk_GetContext(hSession,&context,SFTK_VERIFY,PR_TRUE,&session); if (crv != CKR_OK) return crv; @@ -2507,6 +2552,8 @@ CK_RV NSC_VerifyRecoverInit(CK_SESSION_HANDLE hSession, CK_RV crv = CKR_OK; NSSLOWKEYPublicKey *pubKey; + CHECK_FORK(); + session = sftk_SessionFromHandle(hSession); if (session == NULL) return CKR_SESSION_HANDLE_INVALID; crv = sftk_InitGeneric(session,&context,SFTK_VERIFY_RECOVER, @@ -2565,6 +2612,8 @@ CK_RV NSC_VerifyRecover(CK_SESSION_HANDLE hSession, CK_RV crv; SECStatus rv; + CHECK_FORK(); + /* make sure we're legal */ crv = sftk_GetContext(hSession,&context,SFTK_VERIFY_RECOVER, PR_FALSE,&session); @@ -2599,6 +2648,8 @@ CK_RV NSC_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, { SECStatus rv; + CHECK_FORK(); + rv = RNG_RandomUpdate(pSeed, ulSeedLen); return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR; } @@ -2609,6 +2660,8 @@ CK_RV NSC_GenerateRandom(CK_SESSION_HANDLE hSession, { SECStatus rv; + CHECK_FORK(); + rv = RNG_GenerateGlobalRandomBytes(pRandomData, ulRandomLen); return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR; } @@ -2975,6 +3028,8 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession, */ PRBool faultyPBE3DES = PR_FALSE; + CHECK_FORK(); + if (!slot) { return CKR_SESSION_HANDLE_INVALID; } @@ -3478,6 +3533,8 @@ CK_RV NSC_GenerateKeyPair (CK_SESSION_HANDLE hSession, ECParams * ecParams; #endif /* NSS_ENABLE_ECC */ + CHECK_FORK(); + if (!slot) { return CKR_SESSION_HANDLE_INVALID; } @@ -4133,6 +4190,8 @@ CK_RV NSC_WrapKey(CK_SESSION_HANDLE hSession, SFTKObject *key; CK_RV crv; + CHECK_FORK(); + session = sftk_SessionFromHandle(hSession); if (session == NULL) { return CKR_SESSION_HANDLE_INVALID; 
@@ -4503,6 +4562,8 @@ CK_RV NSC_UnwrapKey(CK_SESSION_HANDLE hSession, SECItem bpki; CK_OBJECT_CLASS target_type = CKO_SECRET_KEY; + CHECK_FORK(); + if (!slot) { return CKR_SESSION_HANDLE_INVALID; } @@ -4827,6 +4888,7 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE hSession, unsigned char key_block2[MD5_LENGTH]; PRBool isFIPS; + CHECK_FORK(); if (!slot) { return CKR_SESSION_HANDLE_INVALID; @@ -5803,12 +5865,16 @@ key_and_mac_derive_fail: * in parallel with an application. */ CK_RV NSC_GetFunctionStatus(CK_SESSION_HANDLE hSession) { + CHECK_FORK(); + return CKR_FUNCTION_NOT_PARALLEL; } /* NSC_CancelFunction cancels a function running in parallel */ CK_RV NSC_CancelFunction(CK_SESSION_HANDLE hSession) { + CHECK_FORK(); + return CKR_FUNCTION_NOT_PARALLEL; } @@ -5825,6 +5891,8 @@ CK_RV NSC_GetOperationState(CK_SESSION_HANDLE hSession, CK_RV crv; CK_ULONG pOSLen = *pulOperationStateLen; + CHECK_FORK(); + /* make sure we're legal */ crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, &session); if (crv != CKR_OK) return crv; @@ -5867,6 +5935,8 @@ CK_RV NSC_SetOperationState(CK_SESSION_HANDLE hSession, CK_MECHANISM mech; CK_RV crv = CKR_OK; + CHECK_FORK(); + while (ulOperationStateLen != 0) { /* get what type of state we're dealing with... */ PORT_Memcpy(&type,pOperationState, sizeof(SFTKContextType)); @@ -5922,6 +5992,8 @@ CK_RV NSC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, { CK_RV crv; + CHECK_FORK(); + crv = NSC_EncryptUpdate(hSession,pPart,ulPartLen, pEncryptedPart, pulEncryptedPartLen); if (crv != CKR_OK) return crv; @@ -5939,6 +6011,8 @@ CK_RV NSC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession, { CK_RV crv; + CHECK_FORK(); + crv = NSC_DecryptUpdate(hSession,pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen); if (crv != CKR_OK) return crv; 
@@ -5956,6 +6030,8 @@ CK_RV NSC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, { CK_RV crv; + CHECK_FORK(); + crv = NSC_EncryptUpdate(hSession,pPart,ulPartLen, pEncryptedPart, pulEncryptedPartLen); if (crv != CKR_OK) return crv; @@ -5973,6 +6049,8 @@ CK_RV NSC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession, { CK_RV crv; + CHECK_FORK(); + crv = NSC_DecryptUpdate(hSession,pEncryptedData, ulEncryptedDataLen, pData, pulDataLen); if (crv != CKR_OK) return crv; @@ -5991,6 +6069,8 @@ CK_RV NSC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) SFTKAttribute *att; CK_RV crv; + CHECK_FORK(); + session = sftk_SessionFromHandle(hSession); if (session == NULL) return CKR_SESSION_HANDLE_INVALID; diff --git a/security/nss/lib/softoken/softoken.h b/security/nss/lib/softoken/softoken.h index 490818a..a72bc19 100644 --- a/security/nss/lib/softoken/softoken.h +++ b/security/nss/lib/softoken/softoken.h @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: softoken.h,v 1.16 2007/08/09 22:36:18 rrelyea%redhat.com Exp $ */ +/* $Id: softoken.h,v 1.17 2008/02/05 05:33:37 julien.pierre.boogz%sun.com Exp $ */ #ifndef _SOFTOKEN_H_ #define _SOFTOKEN_H_ @@ -261,6 +261,24 @@ extern void sftk_AuditDigestKey(CK_SESSION_HANDLE hSession, */ extern PRBool sftk_fatalError; +/* +** macros to check for forked child after C_Initialize +*/ +#if defined(XP_UNIX) && !defined(NO_PTHREADS) + +extern PRBool forked; + +extern void ForkedChild(void); + +#define CHECK_FORK() \ + do { if (forked) return CKR_DEVICE_ERROR; } while (0) + +#else + +#define CHECK_FORK() + +#endif + SEC_END_PROTOS #endif /* _SOFTOKEN_H_ */ diff --git a/security/nss/lib/ssl/cmpcert.c b/security/nss/lib/ssl/cmpcert.c index 7691fce..e3b7541 100644 --- a/security/nss/lib/ssl/cmpcert.c +++ b/security/nss/lib/ssl/cmpcert.c 
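Review bot: The `CHECK_FORK()` macro added to softoken.h hides a `return CKR_DEVICE_ERROR;`, and its block comment only says what is being checked, not what the macro does to its caller. The comment should state that the macro returns from the enclosing function, so it is usable only in functions returning CK_RV and belongs before any lock or allocation is taken; NSC_ModuleDBFunc, which returns a pointer, has to test `forked` by hand for that reason. Suggested wording: `/* CHECK_FORK() returns CKR_DEVICE_ERROR from the calling function if the process forked after C_Initialize; call it first, before acquiring resources. */`.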
@@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: cmpcert.c,v 1.5 2007/07/06 03:16:54 julien.pierre.bugs%sun.com Exp $ */ +/* $Id: cmpcert.c,v 1.6 2008/02/01 22:09:09 julien.pierre.boogz%sun.com Exp $ */ #include #include @@ -79,7 +79,7 @@ NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames) /* compute an alternate issuer name for compatibility with 2.0 * enterprise server, which send the CA names without - * the outer layer of DER hearder + * the outer layer of DER header */ rv = DER_Lengths(&issuerName, &headerlen, (PRUint32 *)&contentlen); if ( rv == SECSuccess ) { diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h index 9aec64e..c32da97 100644 --- a/security/nss/lib/ssl/ssl.h +++ b/security/nss/lib/ssl/ssl.h @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: ssl.h,v 1.26 2007/07/18 21:38:54 neil.williams%sun.com Exp $ */ +/* $Id: ssl.h,v 1.27 2008/02/21 21:44:09 wtc%google.com Exp $ */ #ifndef __ssl_h_ #define __ssl_h_ @@ -112,6 +112,8 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd); /* step-down keys if needed. */ #define SSL_BYPASS_PKCS11 16 /* use PKCS#11 for pub key only */ #define SSL_NO_LOCKS 17 /* Don't use locks for protection */ +#define SSL_ENABLE_SESSION_TICKETS 18 /* Enable TLS SessionTicket */ + /* extension (not implemented) */ #ifdef SSL_DEPRECATED_FUNCTION /* Old deprecated function names */ diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index 301f25f..6cb3c68 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c 
@@ -39,7 +39,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: ssl3con.c,v 1.103 2007/08/22 06:12:02 nelson%bolyard.com Exp $ */ +/* $Id: ssl3con.c,v 1.107 2008/02/20 00:11:15 julien.pierre.boogz%sun.com Exp $ */ #include "nssrenam.h" #include "cert.h" @@ -60,7 +60,6 @@ #include "pk11func.h" #include "secmod.h" -#include "nsslocks.h" #include "ec.h" #include "blapi.h" @@ -3944,14 +3943,15 @@ SSL3_ShutdownServerCache(void) } PZ_Unlock(symWrapKeysLock); + PZ_DestroyLock(symWrapKeysLock); + symWrapKeysLock = NULL; return SECSuccess; } -void ssl_InitSymWrapKeysLock(void) +SECStatus ssl_InitSymWrapKeysLock(void) { - /* atomically initialize the lock */ - if (!symWrapKeysLock) - nss_InitLock(&symWrapKeysLock, nssILockOther); + symWrapKeysLock = PZ_NewLock(nssILockOther); + return symWrapKeysLock ? SECSuccess : SECFailure; } /* Try to get wrapping key for mechanism from in-memory array. @@ -3990,7 +3990,7 @@ getWrappingKey( sslSocket * ss, pSymWrapKey = &symWrapKeys[symWrapMechIndex].symWrapKey[exchKeyType]; - ssl_InitSymWrapKeysLock(); + ssl_InitLocks(PR_TRUE); PZ_Lock(symWrapKeysLock); @@ -5538,6 +5538,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) return rv; /* error code is set. */ } + memset(&ss->serverExtensionSenders[0], 0, + sizeof ss->serverExtensionSenders); rv = ssl3_InitState(ss); if (rv != SECSuccess) { return rv; /* ssl3_InitState has set the error code. */ @@ -5982,6 +5984,9 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length) ssl_GetSSL3HandshakeLock(ss); + memset(&ss->serverExtensionSenders[0], 0, + sizeof ss->serverExtensionSenders); + rv = ssl3_InitState(ss); if (rv != SECSuccess) { ssl_ReleaseSSL3HandshakeLock(ss); diff --git a/security/nss/lib/ssl/ssl3ecc.c b/security/nss/lib/ssl/ssl3ecc.c index d6dd91a..6254c71 100644 --- a/security/nss/lib/ssl/ssl3ecc.c +++ b/security/nss/lib/ssl/ssl3ecc.c 
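Review bot: After `SSL3_ShutdownServerCache` destroys `symWrapKeysLock` and sets it to NULL, nothing visible in this commit creates it again. `ssl_InitLocks` in sslnonce.c returns early once `LocksInitializedEarly` is set, and `PR_CallOnce` will not run `initLocks` a second time. `getWrappingKey` (next hunk) ignores the result of `ssl_InitLocks(PR_TRUE)` and goes straight to `PZ_Lock(symWrapKeysLock)`, so a call after shutdown, or after a failed `PZ_NewLock`, would lock a NULL pointer. I would test it, `if (ssl_InitLocks(PR_TRUE) != SECSuccess || !symWrapKeysLock)`, and leave through the function's failure path, whose convention is outside the hunk. Shutdown should also reset whatever state is needed for the locks to be rebuilt.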
@@ -40,7 +40,7 @@ * ***** END LICENSE BLOCK ***** */ /* ECC code moved here from ssl3con.c */ -/* $Id: ssl3ecc.c,v 1.19 2007/07/18 21:38:54 neil.williams%sun.com Exp $ */ +/* $Id: ssl3ecc.c,v 1.20 2008/02/16 04:38:08 julien.pierre.boogz%sun.com Exp $ */ #include "nssrenam.h" #include "nss.h" @@ -63,7 +63,6 @@ #include "pk11func.h" #include "secmod.h" -#include "nsslocks.h" #include "ec.h" #include "blapi.h" diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h index 375bd91..b155d56 100644 --- a/security/nss/lib/ssl/sslimpl.h +++ b/security/nss/lib/ssl/sslimpl.h @@ -39,7 +39,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslimpl.h,v 1.61 2007/09/11 22:40:40 julien.pierre.boogz%sun.com Exp $ */ +/* $Id: sslimpl.h,v 1.63 2008/02/16 04:38:08 julien.pierre.boogz%sun.com Exp $ */ #ifndef __sslimpl_h_ #define __sslimpl_h_ @@ -129,14 +129,12 @@ extern int Debug; #define SSL_DBG(b) #endif -#if defined (DEBUG) #ifdef macintosh #include "pprthred.h" #else #include "private/pprthred.h" /* for PR_InMonitor() */ #endif #define ssl_InMonitor(m) PZ_InMonitor(m) -#endif #define LSB(x) ((unsigned char) (x & 0xff)) #define MSB(x) ((unsigned char) (((unsigned)(x)) >> 8)) @@ -1448,9 +1446,9 @@ ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk); /* get rid of the symmetric wrapping key references. */ extern SECStatus SSL3_ShutdownServerCache(void); -extern void ssl_InitClientSessionCacheLock(void); +extern SECStatus ssl_InitSymWrapKeysLock(void); -extern void ssl_InitSymWrapKeysLock(void); +extern SECStatus ssl_InitLocks(PRBool lateInit); /********************** misc calls *********************/ diff --git a/security/nss/lib/ssl/sslnonce.c b/security/nss/lib/ssl/sslnonce.c index 20dbf93..db3bb55 100644 --- a/security/nss/lib/ssl/sslnonce.c +++ b/security/nss/lib/ssl/sslnonce.c 
@@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslnonce.c,v 1.17 2005/09/09 03:02:16 nelsonb%netscape.com Exp $ */ +/* $Id: sslnonce.c,v 1.22 2008/02/20 00:11:16 julien.pierre.boogz%sun.com Exp $ */ #include "nssrenam.h" #include "cert.h" @@ -46,7 +46,6 @@ #include "sslimpl.h" #include "sslproto.h" #include "nssilock.h" -#include "nsslocks.h" #if (defined(XP_UNIX) || defined(XP_WIN) || defined(_WINDOWS) || defined(XP_BEOS)) && !defined(_WIN32_WCE) #include #endif @@ -68,16 +67,56 @@ static PZLock * cacheLock = NULL; #define LOCK_CACHE lock_cache() #define UNLOCK_CACHE PZ_Unlock(cacheLock) -void ssl_InitClientSessionCacheLock(void) +static SECStatus +ssl_InitClientSessionCacheLock(void) { - if (!cacheLock) - nss_InitLock(&cacheLock, nssILockCache); + cacheLock = PZ_NewLock(nssILockCache); + return cacheLock ? SECSuccess : SECFailure; +} + +static PRBool LocksInitializedEarly = PR_FALSE; + +static PRStatus +initLocks(void) +{ + SECStatus rv1, rv2; + rv1 = ssl_InitSymWrapKeysLock(); + rv2 = ssl_InitClientSessionCacheLock(); + if ( (SECSuccess == rv1) && (SECSuccess == rv2) ) { + return PR_SUCCESS; + } + return PR_FAILURE; +} + +static PRCallOnceType lockOnce; + +/* lateInit means that the call is not happening during a 1-time + * initialization function, but rather during dynamic, lazy initialization + */ +SECStatus +ssl_InitLocks(PRBool lateInit) +{ + if (LocksInitializedEarly) { + return SECSuccess; + } + + if (lateInit) { + return (PR_SUCCESS == PR_CallOnce(&lockOnce, initLocks)) ? + SECSuccess : SECFailure; + } + + if (PR_SUCCESS == initLocks()) { + LocksInitializedEarly = PR_TRUE; + return SECSuccess; + } + + return SECFailure; } static void lock_cache(void) { - ssl_InitClientSessionCacheLock(); + ssl_InitLocks(PR_TRUE); PZ_Lock(cacheLock); } diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c index c34174d..b5fd64d 100644 --- a/security/nss/lib/ssl/sslsnce.c 
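Review bot: `ssl_InitLocks(PR_FALSE)` can run `initLocks()` a second time and replace locks that are already in use. `LocksInitializedEarly` is set only by the early path, so if `lock_cache()` has already created the locks through `PR_CallOnce`, a later early call overwrites `cacheLock` and `symWrapKeysLock` with fresh `PZ_NewLock` results. That leaks the old locks and lets two threads guard the same data with different locks. `initLocks()` also leaves the first lock allocated when the second allocation fails. Making the init functions idempotent, `if (!cacheLock) cacheLock = PZ_NewLock(nssILockCache);`, or routing both paths through `PR_CallOnce(&lockOnce, initLocks)`, would close this.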
+++ b/security/nss/lib/ssl/sslsnce.c @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslsnce.c,v 1.41 2007/09/11 22:40:40 julien.pierre.boogz%sun.com Exp $ */ +/* $Id: sslsnce.c,v 1.42 2008/02/16 04:38:09 julien.pierre.boogz%sun.com Exp $ */ /* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server * cache sids! @@ -105,7 +105,6 @@ #define SET_ERROR_CODE /* reminder */ #include "nspr.h" -#include "nsslocks.h" #include "sslmutex.h" /* @@ -1174,8 +1173,7 @@ SSL_ConfigServerSessionIDCache( int maxCacheEntries, PRUint32 ssl3_timeout, const char * directory) { - ssl_InitClientSessionCacheLock(); - ssl_InitSymWrapKeysLock(); + ssl_InitLocks(PR_FALSE); return SSL_ConfigServerSessionIDCacheInstance(&globalCache, maxCacheEntries, ssl2_timeout, ssl3_timeout, directory, PR_FALSE); } @@ -1288,8 +1286,7 @@ SSL_InheritMPServerSIDCacheInstance(cacheDesc *cache, const char * envString) return SECSuccess; /* already done. */ } - ssl_InitClientSessionCacheLock(); - ssl_InitSymWrapKeysLock(); + ssl_InitLocks(PR_FALSE); ssl_sid_lookup = ServerSessionIDLookup; ssl_sid_cache = ServerSessionIDCache; diff --git a/security/nss/lib/util/dertime.c b/security/nss/lib/util/dertime.c index 10d7ba8..a78d576 100644 --- a/security/nss/lib/util/dertime.c +++ b/security/nss/lib/util/dertime.c @@ -52,6 +52,7 @@ { \ if (!ISDIGIT((p)[0]) || !ISDIGIT((p)[1])) goto label; \ (var) = ((p)[0] - '0') * 10 + ((p)[1] - '0'); \ + p += 2; \ } #define SECMIN 60L /* seconds in a minute */ 
@@ -134,124 +135,48 @@ DER_TimeToUTCTime(SECItem *dst, int64 gmttime) return DER_TimeToUTCTimeArena(NULL, dst, gmttime); } +static SECStatus /* forward */ +der_TimeStringToTime(PRTime *dst, const char * string, int generalized); + +#define GEN_STRING 2 /* TimeString is a GeneralizedTime */ +#define UTC_STRING 0 /* TimeString is a UTCTime */ + /* The caller of DER_AsciiToItem MUST ENSURE that either ** a) "string" points to a null-terminated ASCII string, or ** b) "string" points to a buffer containing a valid UTCTime, -** whether null terminated or not. +** whether null terminated or not, or +** c) "string" contains at least 19 characters, with or without null char. ** otherwise, this function may UMR and/or crash. ** It suffices to ensure that the input "string" is at least 17 bytes long. */ SECStatus DER_AsciiToTime(int64 *dst, const char *string) { - long year, month, mday, hour, minute, second, hourOff, minOff, days; - int64 result, tmp1, tmp2; - - if (string == NULL) { - goto loser; - } - - /* Verify time is formatted properly and capture information */ - second = 0; - hourOff = 0; - minOff = 0; - CAPTURE(year,string+0,loser); - if (year < 50) { - /* ASSUME that year # is in the 2000's, not the 1900's */ - year += 100; - } - CAPTURE(month,string+2,loser); - if ((month == 0) || (month > 12)) goto loser; - CAPTURE(mday,string+4,loser); - if ((mday == 0) || (mday > 31)) goto loser; - CAPTURE(hour,string+6,loser); - if (hour > 23) goto loser; - CAPTURE(minute,string+8,loser); - if (minute > 59) goto loser; - if (ISDIGIT(string[10])) { - CAPTURE(second,string+10,loser); - if (second > 59) goto loser; - string += 2; - } - if (string[10] == '+') { - CAPTURE(hourOff,string+11,loser); - if (hourOff > 23) goto loser; - CAPTURE(minOff,string+13,loser); - if (minOff > 59) goto loser; - } else if (string[10] == '-') { - CAPTURE(hourOff,string+11,loser); - if (hourOff > 23) goto loser; - hourOff = -hourOff; - CAPTURE(minOff,string+13,loser); - if (minOff > 59) goto loser; - 
minOff = -minOff; - } else if (string[10] != 'Z') { - goto loser; - } - - - /* Compute the number of seconds in the years elapsed since 1970 */ - LL_I2L(tmp1, (year-70L)); /* ignores leap days (see below) */ - LL_I2L(tmp2, SECYEAR); - LL_MUL(result, tmp1, tmp2); - /* compute number of seconds since beginning of the given month */ - LL_I2L(tmp1, ( (mday-1L)*SECDAY + hour*SECHOUR + minute*SECMIN - - hourOff*SECHOUR - minOff*SECMIN + second ) ); - LL_ADD(result, result, tmp1); - /* compute days for elapsed months in the target year */ - days = monthToDayInYear[month-1]; /* ignoring leap days */ - - /* - ** Account for leap days. The return time value is in - ** microseconds since January 1st, 12:00am 1970 and may be negative. - ** Using two digit years, we can only represent dates from 1950 - ** to 2049. All years in that span of time that are divisible - ** by 4 are leap years. - **/ - /* compute number of elapsed leap days since 1970 */ - days += (year - 68)/4; - if (((year % 4) == 0) && (month < 3)) { - days--; - } - - LL_I2L(tmp1, (days * SECDAY) ); - LL_ADD(result, result, tmp1 ); - - /* convert to micro seconds */ - LL_I2L(tmp1, PR_USEC_PER_SEC); - LL_MUL(result, result, tmp1); - - *dst = result; - return SECSuccess; - - loser: - PORT_SetError(SEC_ERROR_INVALID_TIME); - return SECFailure; - + return der_TimeStringToTime(dst, string, UTC_STRING); } SECStatus DER_UTCTimeToTime(int64 *dst, const SECItem *time) { - const char * string; - char localBuf[20]; - /* Minimum valid UTCTime is yymmddhhmmZ which is 11 bytes. ** Maximum valid UTCTime is yymmddhhmmss+0000 which is 17 bytes. ** 20 should be large enough for all valid encoded times. 
*/ + int len; + char localBuf[20]; + if (!time || !time->data || time->len < 11) { PORT_SetError(SEC_ERROR_INVALID_TIME); return SECFailure; } - if (time->len >= sizeof localBuf) { - string = (const char *)time->data; - } else { - memset(localBuf, 0, sizeof localBuf); - memcpy(localBuf, time->data, time->len); - string = (const char *)localBuf; + + len = PR_MIN(time->len, sizeof localBuf); + memcpy(localBuf, time->data, len); + while (len < sizeof localBuf) { + localBuf[len++] = '\0'; } - return DER_AsciiToTime(dst, string); + + return der_TimeStringToTime(dst, localBuf, UTC_STRING); } /* 
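Review bot: Bytes after the time value are never rejected in DER_UTCTimeToTime. The item is copied with `PR_MIN(time->len, sizeof localBuf)`, so an over-long encoding is silently truncated, and der_TimeStringToTime returns as soon as it has consumed `Z` or the offset, so a value followed by extra bytes still parses. DER_GeneralizedTimeToTime in the next hunk has the same pattern. Since these feed certificate validity checks, I would refuse rather than truncate, `if (time->len >= sizeof localBuf) { PORT_SetError(SEC_ERROR_INVALID_TIME); return SECFailure; }`. The parser could also report where it stopped so both callers can require that position to equal `time->len`. Declaring `len` as `unsigned int` would avoid the signed/unsigned comparison against `sizeof localBuf`.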
@@ -314,91 +239,103 @@ DER_TimeToGeneralizedTime(SECItem *dst, int64 gmttime) } -/* - The caller should make sure that the generalized time should only - be used for the certificate validity after the year 2051; otherwise, - the certificate should be consider invalid!? - */ SECStatus DER_GeneralizedTimeToTime(int64 *dst, const SECItem *time) { - PRExplodedTime genTime; - const char *string; - long hourOff, minOff; - uint16 century; - char localBuf[20]; - /* Minimum valid GeneralizedTime is ccyymmddhhmmZ which is 13 bytes. ** Maximum valid GeneralizedTime is ccyymmddhhmmss+0000 which is 19 bytes. ** 20 should be large enough for all valid encoded times. */ - if (!time || !time->data || time->len < 13) - goto loser; - if (time->len >= sizeof localBuf) { - string = (const char *)time->data; - } else { - memset(localBuf, 0, sizeof localBuf); - memcpy(localBuf, time->data, time->len); - string = (const char *)localBuf; + int len; + char localBuf[20]; + + if (!time || !time->data || time->len < 13) { + PORT_SetError(SEC_ERROR_INVALID_TIME); + return SECFailure; } - memset(&genTime, 0, sizeof genTime); + len = PR_MIN(time->len, sizeof localBuf); + memcpy(localBuf, time->data, len); + while (len < sizeof localBuf) { + localBuf[len++] = '\0'; + } + + return der_TimeStringToTime(dst, localBuf, GEN_STRING); +} + +static SECStatus +der_TimeStringToTime(PRTime *dst, const char * string, int generalized) +{ + PRExplodedTime genTime; + long hourOff = 0, minOff = 0; + uint16 century; + char signum; + + if (string == NULL || dst == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } /* Verify time is formatted properly and capture information */ - hourOff = 0; - minOff = 0; + memset(&genTime, 0, sizeof genTime); - CAPTURE(century, string+0, loser); - century *= 100; - CAPTURE(genTime.tm_year,string+2,loser); - genTime.tm_year += century; + if (generalized == UTC_STRING) { + CAPTURE(genTime.tm_year, string, loser); + century = (genTime.tm_year < 50) ? 
20 : 19; + } else { + CAPTURE(century, string, loser); + CAPTURE(genTime.tm_year, string, loser); + } + genTime.tm_year += century * 100; - CAPTURE(genTime.tm_month,string+4,loser); - if ((genTime.tm_month == 0) || (genTime.tm_month > 12)) goto loser; + CAPTURE(genTime.tm_month, string, loser); + if ((genTime.tm_month == 0) || (genTime.tm_month > 12)) + goto loser; /* NSPR month base is 0 */ --genTime.tm_month; - CAPTURE(genTime.tm_mday,string+6,loser); - if ((genTime.tm_mday == 0) || (genTime.tm_mday > 31)) goto loser; + CAPTURE(genTime.tm_mday, string, loser); + if ((genTime.tm_mday == 0) || (genTime.tm_mday > 31)) + goto loser; - CAPTURE(genTime.tm_hour,string+8,loser); - if (genTime.tm_hour > 23) goto loser; + CAPTURE(genTime.tm_hour, string, loser); + if (genTime.tm_hour > 23) + goto loser; - CAPTURE(genTime.tm_min,string+10,loser); - if (genTime.tm_min > 59) goto loser; + CAPTURE(genTime.tm_min, string, loser); + if (genTime.tm_min > 59) + goto loser; - if (ISDIGIT(string[12])) { - CAPTURE(genTime.tm_sec,string+12,loser); - if (genTime.tm_sec > 59) goto loser; - string += 2; + if (ISDIGIT(string[0])) { + CAPTURE(genTime.tm_sec, string, loser); + if (genTime.tm_sec > 59) + goto loser; } - if (string[12] == '+') { - CAPTURE(hourOff,string+13,loser); - if (hourOff > 23) goto loser; - CAPTURE(minOff,string+15,loser); - if (minOff > 59) goto loser; - } else if (string[12] == '-') { - CAPTURE(hourOff,string+13,loser); - if (hourOff > 23) goto loser; - hourOff = -hourOff; - CAPTURE(minOff,string+15,loser); - if (minOff > 59) goto loser; - minOff = -minOff; - } else if (string[12] != 'Z') { + signum = *string++; + if (signum == '+' || signum == '-') { + CAPTURE(hourOff, string, loser); + if (hourOff > 23) + goto loser; + CAPTURE(minOff, string, loser); + if (minOff > 59) + goto loser; + if (signum == '-') { + hourOff = -hourOff; + minOff = -minOff; + } + } else if (signum != 'Z') { goto loser; } - /* Since the values of hourOff and minOff are small, there will - be 
no loss of data by the conversion to int8 */ - /* Convert the GMT offset to seconds and save it it genTime - for the implode time process */ + /* Convert the GMT offset to seconds and save it in genTime + * for the implode time call. + */ genTime.tm_params.tp_gmt_offset = (PRInt32)((hourOff * 60L + minOff) * 60L); - *dst = PR_ImplodeTime (&genTime); + *dst = PR_ImplodeTime(&genTime); return SECSuccess; - loser: +loser: PORT_SetError(SEC_ERROR_INVALID_TIME); return SECFailure; - } diff --git a/security/nss/lib/util/manifest.mn b/security/nss/lib/util/manifest.mn index c5824bf..3b33252 100644 --- a/security/nss/lib/util/manifest.mn +++ b/security/nss/lib/util/manifest.mn @@ -78,7 +78,6 @@ CSRCS = \ nssb64e.c \ nssrwlk.c \ nssilock.c \ - nsslocks.c \ oidstring.c \ portreg.c \ secalgid.c \ diff --git a/security/nss/lib/util/nsslocks.c b/security/nss/lib/util/nsslocks.c deleted file mode 100644 index 3589a65..0000000 --- a/security/nss/lib/util/nsslocks.c +++ /dev/null 
@@ -1,106 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 1994-2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. - * - * ***** END LICENSE BLOCK ***** */ - -/* - * nsslocks.h - threadsafe functions to initialize lock pointers. 
- * - * NOTE - These are not public interfaces - * - * $Id: nsslocks.c,v 1.6 2007/10/12 01:44:51 julien.pierre.boogz%sun.com Exp $ - */ - -#include "seccomon.h" -#include "nsslocks.h" -#include "pratom.h" -#include "prthread.h" - -/* Given the address of a (global) pointer to a PZLock, - * atomicly create the lock and initialize the (global) pointer, - * if it is not already created/initialized. - */ - -SECStatus -__nss_InitLock( PZLock **ppLock, nssILockType ltype ) -{ - static PRInt32 initializers; - - PORT_Assert( ppLock != NULL); - - /* atomically initialize the lock */ - while (!*ppLock) { - PRInt32 myAttempt = PR_AtomicIncrement(&initializers); - if (myAttempt == 1) { - if (!*ppLock) { - *ppLock = PZ_NewLock(ltype); - } - (void) PR_AtomicDecrement(&initializers); - break; - } - PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield() */ - (void) PR_AtomicDecrement(&initializers); - } - - return (*ppLock != NULL) ? SECSuccess : SECFailure; -} - -/* Given the address of a (global) pointer to a PZMonitor, - * atomicly create the monitor and initialize the (global) pointer, - * if it is not already created/initialized. - */ - -SECStatus -nss_InitMonitor(PZMonitor **ppMonitor, nssILockType ltype ) -{ - static PRInt32 initializers; - - PORT_Assert( ppMonitor != NULL); - - /* atomically initialize the lock */ - while (!*ppMonitor) { - PRInt32 myAttempt = PR_AtomicIncrement(&initializers); - if (myAttempt == 1) { - if (!*ppMonitor) { - *ppMonitor = PZ_NewMonitor(ltype); - } - (void) PR_AtomicDecrement(&initializers); - break; - } - PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield() */ - (void) PR_AtomicDecrement(&initializers); - } - - return (*ppMonitor != NULL) ? SECSuccess : SECFailure; -} diff --git a/security/nss/lib/util/nsslocks.h b/security/nss/lib/util/nsslocks.h index 7e9c407..0b48b71 100644 --- a/security/nss/lib/util/nsslocks.h +++ b/security/nss/lib/util/nsslocks.h 
@@ -37,35 +37,9 @@ /* * nsslocks.h - threadsafe functions to initialize lock pointers. * - * NOTE - These are not public interfaces + * NOTE - The interfaces formerly in this header were private and are now all + * obsolete. * - * $Id: nsslocks.h,v 1.4 2007/10/12 01:44:51 julien.pierre.boogz%sun.com Exp $ + * $Id: nsslocks.h,v 1.5 2008/02/16 04:38:09 julien.pierre.boogz%sun.com Exp $ */ -#ifndef _NSSLOCKS_H_ -#define _NSSLOCKS_H_ - -#include "utilrename.h" -#include "seccomon.h" -#include "nssilock.h" -#include "prmon.h" - -SEC_BEGIN_PROTOS - -/* Given the address of a (global) pointer to a PZLock, - * atomically create the lock and initialize the (global) pointer, - * if it is not already created/initialized. - */ - -extern SECStatus nss_InitLock( PZLock **ppLock, nssILockType ltype ); - -/* Given the address of a (global) pointer to a PZMonitor, - * atomicly create the monitor and initialize the (global) pointer, - * if it is not already created/initialized. - */ - -extern SECStatus nss_InitMonitor(PZMonitor **ppMonitor, nssILockType ltype ); - -SEC_END_PROTOS - -#endif diff --git a/security/nss/lib/util/nssrwlk.c b/security/nss/lib/util/nssrwlk.c index dd9a882..1eafde1 100644 --- a/security/nss/lib/util/nssrwlk.c +++ b/security/nss/lib/util/nssrwlk.c 
@@ -166,41 +166,6 @@ NSSRWLock_Destroy(NSSRWLock *rwlock) PR_DELETE(rwlock); } -/*********************************************************************** -** Given the address of a NULL pointer to a NSSRWLock, -** atomically initializes that pointer to a newly created NSSRWLock. -** Returns the value placed into that pointer, or NULL. -** If the lock cannot be created because of resource constraints, -** the pointer will be left NULL. -** -***********************************************************************/ -PR_IMPLEMENT(NSSRWLock *) -nssRWLock_AtomicCreate( NSSRWLock ** prwlock, - PRUint32 lock_rank, - const char * lock_name) -{ - NSSRWLock * rwlock; - static PRInt32 initializers; - - PR_ASSERT(prwlock != NULL); - - /* atomically initialize the lock */ - while (NULL == (rwlock = *prwlock)) { - PRInt32 myAttempt = PR_AtomicIncrement(&initializers); - if (myAttempt == 1) { - if (NULL == (rwlock = *prwlock)) { - *prwlock = rwlock = NSSRWLock_New(lock_rank, lock_name); - } - (void) PR_AtomicDecrement(&initializers); - break; - } - PR_Sleep(PR_INTERVAL_NO_WAIT); /* PR_Yield() */ - (void) PR_AtomicDecrement(&initializers); - } - - return rwlock; -} - /* ** Read-lock the RWLock. */ diff --git a/security/nss/lib/util/nssutil.def b/security/nss/lib/util/nssutil.def index 159dbcd..e3b5689 100644 --- a/security/nss/lib/util/nssutil.def +++ b/security/nss/lib/util/nssutil.def @@ -51,7 +51,6 @@ ;+ global: LIBRARY nssutil3 ;- EXPORTS ;- -__nss_InitLock_Util; ATOB_AsciiToData_Util; ATOB_ConvertAsciiToItem_Util; BTOA_ConvertItemToAscii_Util; @@ -166,7 +165,7 @@ SECOID_FindOIDByTag_Util; SECOID_FindOIDTag_Util; SECOID_FindOIDTagDescription_Util; SECOID_GetAlgorithmTag_Util; -secoid_Init; +SECOID_Init; SECOID_KnownCertExtenOID; SECOID_SetAlgorithmID_Util; SECOID_Shutdown; diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c index f305a92..4de3430 100644 --- a/security/nss/lib/util/secoid.c +++ b/security/nss/lib/util/secoid.c 
@@ -1590,34 +1590,21 @@ static SECOidData ** dynOidTable; /* not in the pool */ static int dynOidEntriesAllocated; static int dynOidEntriesUsed; -/* Creates NSSRWLock and dynOidPool, if they don't exist. -** This function MIGHT create the lock, but not the pool, so -** code should test for dynOidPool, not dynOidLock, when deciding -** whether or not to call this function. +/* Creates NSSRWLock and dynOidPool at initialization time. */ static SECStatus secoid_InitDynOidData(void) { SECStatus rv = SECSuccess; - NSSRWLock * lock; - /* This function will create the lock if it doesn't exist, - ** and will return the address of the lock, whether it was - ** previously created, or was created by the function. - */ - lock = nssRWLock_AtomicCreate(&dynOidLock, 1, "dynamic OID data"); - if (!lock) { + dynOidLock = NSSRWLock_New(1, "dynamic OID data"); + if (!dynOidLock) { return SECFailure; /* Error code should already be set. */ } - PORT_Assert(lock == dynOidLock); - NSSRWLock_LockWrite(lock); + dynOidPool = PORT_NewArena(2048); if (!dynOidPool) { - dynOidPool = PORT_NewArena(2048); - if (!dynOidPool) { - rv = SECFailure /* Error code should already be set. */; - } + rv = SECFailure /* Error code should already be set. */; } - NSSRWLock_UnlockWrite(lock); return rv; } @@ -1714,8 +1701,8 @@ SECOID_AddEntry(const SECOidData * src) return ret; } - if (!dynOidPool && secoid_InitDynOidData() != SECSuccess) { - /* Caller has set error code. */ + if (!dynOidPool || !dynOidLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); return ret; } 
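Review bot: `secoid_InitDynOidData` leaves `dynOidLock` allocated and non-NULL when `PORT_NewArena(2048)` fails, so the failure path leaks the lock and leaves the module half-initialised. With the atomic creation removed, the function is also no longer safe to call twice or from two threads, which the new one-line comment does not say. I would release the lock on that path, `NSSRWLock_Destroy(dynOidLock); dynOidLock = NULL;`. The comment should state that the function must be called exactly once, from SECOID_Init, before any other thread uses the OID tables. SECOID_AddEntry in the following hunk now fails with `SEC_ERROR_NOT_INITIALIZED` instead of initialising lazily, so the declaration comment in secoid.h should mention that requirement as well.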
@@ -1796,18 +1783,20 @@ secoid_HashNumber(const void *key) SECStatus -secoid_Init(void) +SECOID_Init(void) { PLHashEntry *entry; const SECOidData *oid; int i; - if (!dynOidPool && secoid_InitDynOidData() != SECSuccess) { - return SECFailure; + if (oidhash) { + return SECSuccess; /* already initialized */ } - if (oidhash) { - return SECSuccess; + if (secoid_InitDynOidData() != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + PORT_Assert(0); /* this function should never fail */ + return SECFailure; } oidhash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare, diff --git a/security/nss/lib/util/secoid.h b/security/nss/lib/util/secoid.h index fbaf3d6..a1a06b9 100644 --- a/security/nss/lib/util/secoid.h +++ b/security/nss/lib/util/secoid.h @@ -42,7 +42,7 @@ /* * secoid.h - public data structures and prototypes for ASN.1 OID functions * - * $Id: secoid.h,v 1.8 2007/10/12 01:44:51 julien.pierre.boogz%sun.com Exp $ + * $Id: secoid.h,v 1.9 2008/02/16 04:38:09 julien.pierre.boogz%sun.com Exp $ */ #include "plarena.h" @@ -122,6 +122,11 @@ extern const char *SECOID_FindOIDTagDescription(SECOidTag tagnum); extern SECOidTag SECOID_AddEntry(const SECOidData * src); /* + * initialize the oid data structures. + */ +extern SECStatus SECOID_Init(void); + +/* * free up the oid data structures. */ extern SECStatus SECOID_Shutdown(void); diff --git a/security/nss/lib/util/secport.c b/security/nss/lib/util/secport.c index 64563da..843f246 100644 --- a/security/nss/lib/util/secport.c +++ b/security/nss/lib/util/secport.c @@ -41,7 +41,7 @@ * * NOTE - These are not public interfaces * - * $Id: secport.c,v 1.20 2006/08/15 23:56:01 wtchang%redhat.com Exp $ + * $Id: secport.c,v 1.21 2008/02/16 04:38:09 julien.pierre.boogz%sun.com Exp $ */ #include "seccomon.h" @@ -50,7 +50,7 @@ #include "plarena.h" #include "secerr.h" #include "prmon.h" -#include "nsslocks.h" +#include "nssilock.h" #include "secport.h" #include "prvrsion.h" #include "prenv.h" 
diff --git a/security/nss/lib/util/secport.h b/security/nss/lib/util/secport.h index 51c0388..f70d14a 100644 --- a/security/nss/lib/util/secport.h +++ b/security/nss/lib/util/secport.h @@ -37,7 +37,7 @@ /* * secport.h - portability interfaces for security libraries * - * $Id: secport.h,v 1.14 2007/10/12 01:44:51 julien.pierre.boogz%sun.com Exp $ + * $Id: secport.h,v 1.15 2008/02/14 18:41:38 wtc%google.com Exp $ */ #ifndef _SECPORT_H_ @@ -143,9 +143,7 @@ extern void PORT_ArenaZRelease(PLArenaPool *arena, void *mark); extern void PORT_ArenaUnmark(PLArenaPool *arena, void *mark); extern char *PORT_ArenaStrdup(PLArenaPool *arena, const char *str); -#ifdef __cplusplus -} -#endif +SEC_END_PROTOS #define PORT_Assert PR_ASSERT #define PORT_ZNew(type) (type*)PORT_ZAlloc(sizeof(type)) @@ -203,9 +201,7 @@ typedef PRBool (PR_CALLBACK * PORTCharConversionFunc) (PRBool toUnicode, unsigned char *outBuf, unsigned int maxOutBufLen, unsigned int *outBufLen); -#ifdef __cplusplus -extern "C" { -#endif +SEC_BEGIN_PROTOS void PORT_SetUCS4_UTF8ConversionFunction(PORTCharConversionFunc convFunc); void PORT_SetUCS2_ASCIIConversionFunction(PORTCharConversionWSwapFunc convFunc); diff --git a/security/nss/lib/util/utilrename.h b/security/nss/lib/util/utilrename.h index 0190817..ee5ae67 100644 --- a/security/nss/lib/util/utilrename.h +++ b/security/nss/lib/util/utilrename.h @@ -45,8 +45,6 @@ #ifdef USE_UTIL_DIRECTLY /* functions moved from libnss3 */ -#define nss_InitLock __nss_InitLock_Util -#define __nss_InitLock __nss_InitLock_Util #define ATOB_AsciiToData ATOB_AsciiToData_Util #define ATOB_ConvertAsciiToItem ATOB_ConvertAsciiToItem_Util #define BTOA_ConvertItemToAscii BTOA_ConvertItemToAscii_Util diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh index 574a311..9e0c8df 100755 --- a/security/nss/tests/cert/cert.sh +++ b/security/nss/tests/cert/cert.sh 
@@ -144,12 +144,12 @@ certu() #the subject of the cert contains blanks, and the shell #will strip the quotes off the string, if called otherwise... echo "certutil -s \"${CU_SUBJECT}\" $*" - ${PROFTOOL} certutil -s "${CU_SUBJECT}" $* + ${PROFTOOL} ${BINDIR}/certutil -s "${CU_SUBJECT}" $* RET=$? CU_SUBJECT="" else echo "certutil $*" - ${PROFTOOL} certutil $* + ${PROFTOOL} ${BINDIR}/certutil $* RET=$? fi if [ "$RET" -ne 0 ]; then @@ -173,7 +173,7 @@ crlu() CRLUTIL="crlutil -q" echo "$CRLUTIL $*" - ${PROFTOOL} $CRLUTIL $* + ${PROFTOOL} ${BINDIR}/$CRLUTIL $* RET=$? if [ "$RET" -ne 0 ]; then CRLFAILED=$RET @@ -193,7 +193,7 @@ modu() MODUTIL="modutil" echo "$MODUTIL $*" # echo is used to press Enter expected by modutil - echo | $MODUTIL $* + echo | ${BINDIR}/$MODUTIL $* RET=$? if [ "$RET" -ne 0 ]; then MODFAILED=$RET @@ -249,7 +249,7 @@ hw_acc() echo "modutil -add rainbow -libfile /usr/lib/libcryptoki22.so " echo " -dbdir ${PROFILEDIR} 2>&1 " - echo | modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \ + echo | ${BINDIR}/modutil -add rainbow -libfile /usr/lib/libcryptoki22.so \ -dbdir ${PROFILEDIR} 2>&1 if [ "$?" -ne 0 ]; then echo "modutil -add rainbow failed in `pwd`" @@ -260,7 +260,7 @@ hw_acc() echo "modutil -add ncipher " echo " -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so " echo " -dbdir ${PROFILEDIR} 2>&1 " - echo | modutil -add ncipher \ + echo | ${BINDIR}/modutil -add ncipher \ -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so \ -dbdir ${PROFILEDIR} 2>&1 if [ "$?" -ne 0 ]; then @@ -1008,7 +1008,7 @@ cert_fips() echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------" CU_ACTION="Enable FIPS mode on database for ${CERTNAME}" echo "modutil -dbdir ${PROFILEDIR} -fips true " - modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <&1 </dev/null 2>&1 + ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -L -n $CERTNAME | grep "$fl" >/dev/null 2>&1 [ $? -ne $expStat ] && return 1 done return 0 
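Review bot: `${BINDIR}` is expanded unquoted and unchecked in `certu`, so an unset or empty value makes the test run `/certutil` from the filesystem root, and a path containing spaces is split into several words. The same pattern is added in `crlu`, `modu`, `hw_acc`, `cert_fips` and `cert_extensions`, and in cipher.sh and performance.sh. I would write `"${BINDIR:?}/certutil"`, or check once at the top of each script that the directory is set, so a misconfigured environment fails loudly instead of picking up an unintended binary. certu's body starts above the hunk.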
@@ -1143,11 +1143,11 @@ cert_extensions() count=`expr $count + 1` echo "#################################################" CU_ACTION="Testing $testName" - certutil -d ${CERT_EXTENSIONS_DIR} -D -n $CERTNAME + ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -D -n $CERTNAME echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n $CERTNAME \ -t "u,u,u" -o /tmp/cert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \ -z "${R_NOISE_FILE}" -$opt < $TARG_FILE - certutil -d ${CERT_EXTENSIONS_DIR} -S -n $CERTNAME -t "u,u,u" \ + ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -S -n $CERTNAME -t "u,u,u" \ -o /tmp/cert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \ -z "${R_NOISE_FILE}" -$opt < $TARG_FILE ret=$? diff --git a/security/nss/tests/cipher/cipher.sh b/security/nss/tests/cipher/cipher.sh index c66ab30..7abc5f9 100755 --- a/security/nss/tests/cipher/cipher.sh +++ b/security/nss/tests/cipher/cipher.sh @@ -102,7 +102,7 @@ cipher_main() while [ $outOff -lt 8 ] do echo "bltest -T -m $PARAM -d $CIPHERTESTDIR -1 $inOff -2 $outOff" - ${PROFTOOL} bltest -T -m $PARAM -d $CIPHERTESTDIR -1 $inOff -2 $outOff + ${PROFTOOL} ${BINDIR}/bltest -T -m $PARAM -d $CIPHERTESTDIR -1 $inOff -2 $outOff if [ $? -ne 0 ]; then failedStr="$failedStr[$inOff:$outOff]" fi diff --git a/security/nss/tests/cipher/performance.sh b/security/nss/tests/cipher/performance.sh index 01c2b6b..82b7e83 100755 --- a/security/nss/tests/cipher/performance.sh +++ b/security/nss/tests/cipher/performance.sh 
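Review bot: The certificate produced in cert_extensions is still written to the fixed path `/tmp/cert` (the `-o /tmp/cert` continuation of the new `${BINDIR}/certutil ... -S` line), a predictable name in a shared directory. Two test runs on one host overwrite each other's file, and a file or symlink already present at that path under another account decides where the output lands. Writing inside the test's own directory, for example `-o ${CERT_EXTENSIONS_DIR}/cert.out`, avoids both, and the echoed command above it would change to match. Whether anything later reads `/tmp/cert` is not visible in this hunk, so confirm that before renaming.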
@@ -39,16 +39,16 @@ while read mode keysize bufsize reps cxreps do if [ $mode != "#" ]; then echo "bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps" - bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps >> ${SKPERFOUT} + ${BINDIR}/bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps >> ${SKPERFOUT} mv "tmp.in.0" "$mode.in" mv tmp.key $mode.key if [ -f tmp.iv ]; then mv tmp.iv $mode.iv fi echo "bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.out" - bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.out >> ${SKPERFOUT} + ${BINDIR}/bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.out >> ${SKPERFOUT} echo "bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.inv" - bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.inv >> ${SKPERFOUT} + ${BINDIR}/bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -v ${CIPHERDIR}/$mode.iv -p $reps -o ${CIPHERDIR}/$mode.inv >> ${SKPERFOUT} fi done < ${SKTESTS} 
@@ -68,13 +68,13 @@ while read mode keysize bufsize exp reps cxreps do if [ $mode != "#" ]; then echo "bltest -N -m $mode -b $bufsize -e $exp -g $keysize -u $cxreps" - bltest -N -m $mode -b $bufsize -e $exp -g $keysize -u $cxreps >> ${RSAPERFOUT} + ${BINDIR}/bltest -N -m $mode -b $bufsize -e $exp -g $keysize -u $cxreps >> ${RSAPERFOUT} mv "tmp.in.0" "$mode.in" mv tmp.key $mode.key echo "bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out" - bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out >> ${RSAPERFOUT} + ${BINDIR}/bltest -E -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out >> ${RSAPERFOUT} echo "bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.inv" - bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.inv >> ${RSAPERFOUT} + ${BINDIR}/bltest -D -m $mode -i ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.inv >> ${RSAPERFOUT} fi done < ${RSATESTS} 
@@ -97,13 +97,13 @@ while read mode keysize bufsize reps cxreps do if [ $mode != "#" ]; then echo "bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps" - bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps >> ${DSAPERFOUT} + ${BINDIR}/bltest -N -m $mode -b $bufsize -g $keysize -u $cxreps >> ${DSAPERFOUT} mv "tmp.in.0" "$mode.in" mv tmp.key $mode.key echo "bltest -S -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out" - bltest -S -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out >> ${DSAPERFOUT} + ${BINDIR}/bltest -S -m $mode -i ${CIPHERDIR}/$mode.in -k ${CIPHERDIR}/$mode.key -p $reps -o ${CIPHERDIR}/$mode.out >> ${DSAPERFOUT} echo "bltest -V -m $mode -f ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -i ${CIPHERDIR}/$mode.in -o ${CIPHERDIR}/$mode.out" - bltest -V -m $mode -f ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -i ${CIPHERDIR}/$mode.in -o ${CIPHERDIR}/$mode.out >> ${DSAPERFOUT} + ${BINDIR}/bltest -V -m $mode -f ${CIPHERDIR}/$mode.out -k ${CIPHERDIR}/$mode.key -p $reps -i ${CIPHERDIR}/$mode.in -o ${CIPHERDIR}/$mode.out >> ${DSAPERFOUT} fi done < ${DSATESTS} @@ -125,10 +125,10 @@ while read mode bufsize reps do if [ $mode != "#" ]; then echo "bltest -N -m $mode -b $bufsize" - bltest -N -m $mode -b $bufsize + ${BINDIR}/bltest -N -m $mode -b $bufsize mv "tmp.in.0" "$mode.in" echo "bltest -H -m $mode -i ${CIPHERDIR}/$mode.in -p $reps -o ${CIPHERDIR}/$mode.out" - bltest -H -m $mode -i ${CIPHERDIR}/$mode.in -p $reps -o ${CIPHERDIR}/$mode.out >> ${HASHPERFOUT} + ${BINDIR}/bltest -H -m $mode -i ${CIPHERDIR}/$mode.in -p $reps -o ${CIPHERDIR}/$mode.out >> ${HASHPERFOUT} fi done < ${HASHTESTS} diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh index 05ca865..17479ce 100644 --- a/security/nss/tests/common/init.sh +++ b/security/nss/tests/common/init.sh 
@@ -262,14 +262,9 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then COMMON=${TEST_COMMON-$common} export COMMON - MAKE=`which gmake` - if [ -z "$MAKE" ]; then - MAKE=`which make` - fi - if [ -z "$MAKE" ]; then - You are missing make. - exit 5 - fi + MAKE=gmake + $MAKE -v >/dev/null 2>&1 || MAKE=make + $MAKE -v >/dev/null 2>&1 || { echo "You are missing make."; exit 5; } DIST=${DIST-${MOZILLA_ROOT}/dist} SECURITY_ROOT=${SECURITY_ROOT-${MOZILLA_ROOT}/security/nss} @@ -280,6 +275,8 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then DLL_SUFFIX=`(cd $COMMON; $MAKE dll_suffix)` OS_NAME=`uname -s | sed -e "s/-[0-9]*\.[0-9]*//" | sed -e "s/-WOW64//"` + BINDIR="${DIST}/${OBJDIR}/bin" + # Pathnames constructed from ${TESTDIR} are passed to NSS tools # such as certutil, which don't understand Cygwin pathnames. # So we need to convert ${TESTDIR} to a Windows pathname (with @@ -440,23 +437,24 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then html "
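Review bot: `BINDIR="${DIST}/${OBJDIR}/bin"` is assigned without checking that the directory exists, while the rest of this commit switches the test scripts to calling tools as an unquoted `${BINDIR}/tool`. If `DIST` or `OBJDIR` is empty or wrong (`OBJDIR` is set outside the visible hunks), every call fails with the shell's "not found" status and each test reports that as an ordinary failure rather than a broken setup. A guard directly after the assignment, `[ -d "${BINDIR}" ] || { echo "init.sh: ${BINDIR} not found" >&2; exit 5; }`, stops the run at the real cause. The enclosing `if [ -z "${INIT_SOURCED}" ...` block starts and ends outside the hunk.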

" html "" - echo "********************************************" | tee ${LOGFILE} - echo " Platform: ${OBJDIR}" | tee ${LOGFILE} - echo " Results: ${HOST}.$version" | tee ${LOGFILE} - echo "********************************************" | tee ${LOGFILE} - echo "$BC_ACTION" | tee ${LOGFILE} - #if running remote side of the distributed stress test let the user know who it is... + echo "********************************************" | tee -a ${LOGFILE} + echo " Platform: ${OBJDIR}" | tee -a ${LOGFILE} + echo " Results: ${HOST}.$version" | tee -a ${LOGFILE} + echo "********************************************" | tee -a ${LOGFILE} + echo "$BC_ACTION" | tee -a ${LOGFILE} +#if running remote side of the distributed stress test +# let the user know who it is... elif [ -n "$DO_REM_ST" -a "$DO_REM_ST" = "TRUE" ] ; then - echo "********************************************" | tee ${LOGFILE} - echo " Platform: ${OBJDIR}" | tee ${LOGFILE} - echo " Results: ${HOST}.$version" | tee ${LOGFILE} - echo " remote side of distributed stress test " | tee ${LOGFILE} - echo " `uname -n -s`" | tee ${LOGFILE} - echo "********************************************" | tee ${LOGFILE} + echo "********************************************" | tee -a ${LOGFILE} + echo " Platform: ${OBJDIR}" | tee -a ${LOGFILE} + echo " Results: ${HOST}.$version" | tee -a ${LOGFILE} + echo " remote side of distributed stress test " | tee -a ${LOGFILE} + echo " `uname -n -s`" | tee -a ${LOGFILE} + echo "********************************************" | tee -a ${LOGFILE} fi - echo "$SCRIPTNAME init: Testing PATH $PATH against LIB $LD_LIBRARY_PATH" | - tee ${LOGFILE} + echo "$SCRIPTNAME init: Testing PATH $PATH against LIB $LD_LIBRARY_PATH" |\ + tee -a ${LOGFILE} KILL="kill" diff --git a/security/nss/tests/crmf/crmf.sh b/security/nss/tests/crmf/crmf.sh index 251f102..f61569c 100644 --- a/security/nss/tests/crmf/crmf.sh +++ b/security/nss/tests/crmf/crmf.sh 
@@ -91,11 +91,11 @@ crmf_main() { echo "$SCRIPTNAME: CRMF/CMMF Tests ------------------------------" echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode" - crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode + ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode html_msg $? 0 "CRMF test" "." echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf" - crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf + ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf html_msg $? 0 "CMMF test" "." # Add tests for key recovery and challange as crmftest's capabilities increase diff --git a/security/nss/tests/dbtests/dbtests.sh b/security/nss/tests/dbtests/dbtests.sh index fb3dbe9..aab6b1c 100755 --- a/security/nss/tests/dbtests/dbtests.sh +++ b/security/nss/tests/dbtests/dbtests.sh @@ -114,14 +114,14 @@ dbtest_main() Echo "test opening the database read/write in a nonexisting directory" - certutil -L -X -d ./non_existant_dir + ${BINDIR}/certutil -L -X -d ./non_existant_dir ret=$? if [ $ret -ne 255 ]; then html_failed "Certutil succeeded in a nonexisting directory $ret" else html_passed "Certutil didn't work in a nonexisting dir $ret" fi - dbtest -r -d ./non_existant_dir + ${BINDIR}/dbtest -r -d ./non_existant_dir ret=$? if [ $ret -ne 46 ]; then html_failed "Dbtest readonly succeeded in a nonexisting directory $ret" @@ -130,7 +130,7 @@ dbtest_main() fi Echo "test force opening the database in a nonexisting directory" - dbtest -f -d ./non_existant_dir + ${BINDIR}/dbtest -f -d ./non_existant_dir ret=$? if [ $ret -ne 0 ]; then html_failed "Dbtest force failed in a nonexisting directory $ret" 
@@ -140,14 +140,14 @@ dbtest_main() Echo "test opening the database readonly in an empty directory" mkdir $EMPTY_DIR - tstclnt -h ${HOST} -d $EMPTY_DIR + ${BINDIR}/tstclnt -h ${HOST} -d $EMPTY_DIR ret=$? if [ $ret -ne 1 ]; then html_failed "Tstclnt succeded in an empty directory $ret" else html_passed "Tstclnt didn't work in an empty dir $ret" fi - dbtest -r -d $EMPTY_DIR + ${BINDIR}/dbtest -r -d $EMPTY_DIR ret=$? if [ $ret -ne 46 ]; then html_failed "Dbtest readonly succeeded in an empty directory $ret" @@ -155,7 +155,7 @@ dbtest_main() html_passed "Dbtest readonly didn't work in an empty dir $ret" fi rm -rf $EMPTY_DIR/* 2>/dev/null - certutil -D -n xxxx -d $EMPTY_DIR #created DB + ${BINDIR}/certutil -D -n xxxx -d $EMPTY_DIR #created DB ret=$? if [ $ret -ne 255 ]; then html_failed "Certutil succeeded in deleting a cert in an empty directory $ret" @@ -164,7 +164,7 @@ dbtest_main() fi rm -rf $EMPTY_DIR/* 2>/dev/null Echo "test force opening the database readonly in a empty directory" - dbtest -r -f -d $EMPTY_DIR + ${BINDIR}/dbtest -r -f -d $EMPTY_DIR ret=$? if [ $ret -ne 0 ]; then html_failed "Dbtest force readonly failed in an empty directory $ret" @@ -186,14 +186,14 @@ dbtest_main() cat $RONLY_DIR/* > /dev/null fi - dbtest -d $RONLY_DIR + ${BINDIR}/dbtest -d $RONLY_DIR ret=$? if [ $ret -ne 46 ]; then html_failed "Dbtest r/w succeeded in an readonly directory $ret" else html_passed "Dbtest r/w didn't work in an readonly dir $ret" fi - certutil -D -n "TestUser" -d . + ${BINDIR}/certutil -D -n "TestUser" -d . ret=$? if [ $ret -ne 255 ]; then html_failed "Certutil succeeded in deleting a cert in an readonly directory $ret" @@ -203,7 +203,7 @@ dbtest_main() Echo "test opening the database ronly in a readonly directory" - dbtest -d $RONLY_DIR -r + ${BINDIR}/dbtest -d $RONLY_DIR -r ret=$? if [ $ret -ne 0 ]; then html_failed "Dbtest readonly failed in a readonly directory $ret" 
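Review bot: `rm -rf $EMPTY_DIR/* 2>/dev/null` in dbtest_main (context of the hunks at -155 and -164) expands to `rm -rf /*` if `EMPTY_DIR` is ever empty or unset, and the redirect hides any error. The assignment of `EMPTY_DIR` is outside these hunks, so this is a guard rather than a known failure: `rm -rf "${EMPTY_DIR:?}"/* 2>/dev/null` aborts instead of expanding to the root. The same quoting would help `mkdir $EMPTY_DIR` and the `-d $EMPTY_DIR` arguments. dbtest_main's body continues outside the hunks.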
@@ -212,7 +212,7 @@ dbtest_main() fi Echo "test force opening the database r/w in a readonly directory" - dbtest -d $RONLY_DIR -f + ${BINDIR}/dbtest -d $RONLY_DIR -f ret=$? if [ $ret -ne 0 ]; then html_failed "Dbtest force failed in a readonly directory $ret" diff --git a/security/nss/tests/dbupgrade/dbupgrade.sh b/security/nss/tests/dbupgrade/dbupgrade.sh index e8b9254..51b3ab2 100755 --- a/security/nss/tests/dbupgrade/dbupgrade.sh +++ b/security/nss/tests/dbupgrade/dbupgrade.sh @@ -82,9 +82,9 @@ dbupgrade_main() # 'reset' the databases to initial values echo "Reset databases to their initial values:" cd ${HOSTDIR} - certutil -D -n objsigner -d alicedir 2>&1 - certutil -M -n FIPS_PUB_140_Test_Certificate -t "C,C,C" -d fips -f ${FIPSPWFILE} 2>&1 - certutil -L -d fips 2>&1 + ${BINDIR}/certutil -D -n objsigner -d alicedir 2>&1 + ${BINDIR}/certutil -M -n FIPS_PUB_140_Test_Certificate -t "C,C,C" -d fips -f ${FIPSPWFILE} 2>&1 + ${BINDIR}/certutil -L -d fips 2>&1 rm -f smime/alicehello.env # test upgrade to the new database @@ -96,7 +96,7 @@ dbupgrade_main() echo $i if [ -d $i ]; then echo "upgrading db $i" - certutil -G -g 512 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1 + ${BINDIR}/certutil -G -g 512 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1 html_msg $? 0 "Upgrading $i" else echo "skipping db $i" @@ -106,11 +106,11 @@ dbupgrade_main() if [ -d fips ]; then echo "upgrading db fips" - certutil -S -g 512 -n tmprsa -t "u,u,u" -s "CN=tmprsa, C=US" -x -d sql:fips -f ${FIPSPWFILE} -z ${NOISE_FILE} 2>&1 + ${BINDIR}/certutil -S -g 512 -n tmprsa -t "u,u,u" -s "CN=tmprsa, C=US" -x -d sql:fips -f ${FIPSPWFILE} -z ${NOISE_FILE} 2>&1 html_msg $? 0 "Upgrading fips" # remove our temp certificate we created in the fist token - certutil -F -n tmprsa -d sql:fips -f ${FIPSPWFILE} 2>&1 - certutil -L -d sql:fips 2>&1 + ${BINDIR}/certutil -F -n tmprsa -d sql:fips -f ${FIPSPWFILE} 2>&1 + ${BINDIR}/certutil -L -d sql:fips 2>&1 fi html "
" diff --git a/security/nss/tests/fips/fips.sh b/security/nss/tests/fips/fips.sh index 7d74a99..1950d76 100755 --- a/security/nss/tests/fips/fips.sh +++ b/security/nss/tests/fips/fips.sh 
@@ -100,45 +100,45 @@ fips_140() { echo "$SCRIPTNAME: Verify this module is in FIPS mode -----------------" echo "modutil -dbdir ${P_R_FIPSDIR} -list" - modutil -dbdir ${P_R_FIPSDIR} -list 2>&1 - modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1 + ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -list 2>&1 + ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1 html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "." echo "$SCRIPTNAME: List the FIPS module certificates -----------------" echo "certutil -d ${P_R_FIPSDIR} -L" - certutil -d ${P_R_FIPSDIR} -L 2>&1 + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1 html_msg $? 0 "List the FIPS module certificates (certutil -L)" "." echo "$SCRIPTNAME: List the FIPS module keys -------------------------" echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" - certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 html_msg $? 0 "List the FIPS module keys (certutil -K)" "." echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password" echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}" - certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1 + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1 RET=$? html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "." echo "certutil -K returned $RET" echo "$SCRIPTNAME: Validate the certificate --------------------------" echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}" - certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE} + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE} html_msg $? 0 "Validate the certificate (certutil -V -e)" "." 
echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --" echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" - pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 + ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "." echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------" echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt" - certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1 + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1 html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "." echo "$SCRIPTNAME: List the FIPS module certificates -----------------" echo "certutil -d ${P_R_FIPSDIR} -L" - certs=`certutil -d ${P_R_FIPSDIR} -L 2>&1` + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` ret=$? echo "${certs}" if [ ${ret} -eq 0 ]; then @@ -150,12 +150,12 @@ fips_140() echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module" echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}" - certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1 + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1 html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "." echo "$SCRIPTNAME: List the FIPS module certificates -----------------" echo "certutil -d ${P_R_FIPSDIR} -L" - certs=`certutil -d ${P_R_FIPSDIR} -L 2>&1` + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` ret=$? echo "${certs}" if [ ${ret} -eq 0 ]; then 
@@ -168,7 +168,7 @@ fips_140() echo "$SCRIPTNAME: List the FIPS module keys." echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" - certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 # certutil -K now returns a failure if no keys are found. This verifies that # our delete succeded. html_msg $? 255 "List the FIPS module keys (certutil -K)" "." @@ -176,12 +176,12 @@ fips_140() echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" - pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 + ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." echo "$SCRIPTNAME: List the FIPS module certificates -----------------" echo "certutil -d ${P_R_FIPSDIR} -L" - certs=`certutil -d ${P_R_FIPSDIR} -L 2>&1` + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` ret=$? echo "${certs}" if [ ${ret} -eq 0 ]; then 
@@ -192,18 +192,18 @@ fips_140() echo "$SCRIPTNAME: List the FIPS module keys --------------------------" echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" - certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 html_msg $? 0 "List the FIPS module keys (certutil -K)" "." echo "$SCRIPTNAME: Delete the certificate from the FIPS module" echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}" - certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1 + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1 html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "." echo "$SCRIPTNAME: List the FIPS module certificates -----------------" echo "certutil -d ${P_R_FIPSDIR} -L" - certs=`certutil -d ${P_R_FIPSDIR} -L 2>&1` + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` ret=$? echo "${certs}" if [ ${ret} -eq 0 ]; then @@ -217,12 +217,12 @@ fips_140() echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" - pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 + ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." echo "$SCRIPTNAME: List the FIPS module certificates -----------------" echo "certutil -d ${P_R_FIPSDIR} -L" - certs=`certutil -d ${P_R_FIPSDIR} -L 2>&1` + certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` ret=$? echo "${certs}" if [ ${ret} -eq 0 ]; then 
@@ -233,18 +233,18 @@ fips_140() echo "$SCRIPTNAME: List the FIPS module keys --------------------------" echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" - certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 + ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 html_msg $? 0 "List the FIPS module keys (certutil -K)" "." echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE -----------------" echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}" - pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE} 2>&1 + ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE} 2>&1 html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "." echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE -----------------" echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n" - pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1 + ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1 html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "." LIBDIR="${DIST}/${OBJDIR}/lib" @@ -265,7 +265,7 @@ fips_140() echo "mangling ${SOFTOKEN}" echo "mangle -i ${SOFTOKEN} -o -8 -b 5" - mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1 + ${BINDIR}/mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1 if [ $? -eq 0 ]; then if [ "${OS_ARCH}" = "WINNT" ]; then DBTEST=`which dbtest` 
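Review bot: The `WINNT` branch after the mangle step still sets `DBTEST` from `which dbtest`, while the following hunk moves the HP-UX, AIX, Darwin and default branches to `${BINDIR}/dbtest`. On Windows the mangled-softoken check would then run whichever dbtest is first on PATH rather than the one just built, so its result may not describe the build under test. Setting `DBTEST=${BINDIR}/dbtest` would make the branch consistent, assuming the lines between the two hunks (not shown) do not rely on the form of the `which` output.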
@@ -278,19 +278,19 @@ fips_140() RESULT=$? elif [ "${OS_ARCH}" = "HP-UX" ]; then echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" - LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 RESULT=$? elif [ "${OS_ARCH}" = "AIX" ]; then echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" - LIBPATH="${MANGLEDIR}" dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + LIBPATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 RESULT=$? elif [ "${OS_ARCH}" = "Darwin" ]; then echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" - DYLD_LIBRARY_PATH="${MANGLEDIR}" dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + DYLD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 RESULT=$? else echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" - LD_LIBRARY_PATH="${MANGLEDIR}" dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 + LD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 RESULT=$? fi diff --git a/security/nss/tests/iopr/cert_iopr.sh b/security/nss/tests/iopr/cert_iopr.sh index 0511d32..8d5bea6 100644 --- a/security/nss/tests/iopr/cert_iopr.sh +++ b/security/nss/tests/iopr/cert_iopr.sh @@ -64,7 +64,7 @@ pk12u() echo "${CU_ACTION} --------------------------" echo "pk12util $@" - pk12util $@ + ${BINDIR}/pk12util $@ RET=$? return $RET @@ -123,7 +123,7 @@ download_file() { echo "GET $filePath HTTP/1.0" > $req echo >> $req - tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \ + ${BINDIR}/tstclnt -d $trgDir -S -h $host -p $IOPR_DOWNLOAD_PORT \ -w ${R_PWFILE} -o < $req > $file ret=$? rm -f $_tmp; diff --git a/security/nss/tests/iopr/ocsp_iopr.sh b/security/nss/tests/iopr/ocsp_iopr.sh index 3f4332c..bf1c6e5 100644 
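Review bot: `${BINDIR}/pk12util $@` in pk12u passes its arguments unquoted, so any argument containing whitespace (a nickname or a path) is split into several words before pk12util sees it. `${BINDIR}/pk12util "$@"` keeps each argument intact; the `echo "pk12util $@"` line above is only a log and can stay as it is. pk12u starts before the hunk.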
--- a/security/nss/tests/iopr/ocsp_iopr.sh +++ b/security/nss/tests/iopr/ocsp_iopr.sh @@ -99,7 +99,7 @@ ocsp_get_cert_status() { if [ -z "${MEMLEAK_DBG}" ]; then outFile=$dbDir/ocsptest.out.$$ echo "ocspclnt -d $dbDir -S $cert $clntParam" - ocspclnt -d $dbDir -S $cert $clntParam >$outFile 2>&1 + ${BINDIR}/ocspclnt -d $dbDir -S $cert $clntParam >$outFile 2>&1 ret=$? echo "ocspclnt output:" cat $outFile @@ -110,7 +110,7 @@ ocsp_get_cert_status() { fi OCSP_ATTR="-d $dbDir -S $cert $clntParam" - ${RUN_COMMAND_DBG} ocspclnt ${OCSP_ATTR} + ${RUN_COMMAND_DBG} ${BINDIR}/ocspclnt ${OCSP_ATTR} } ######################################################################## diff --git a/security/nss/tests/iopr/ssl_iopr.sh b/security/nss/tests/iopr/ssl_iopr.sh index 24ccf68..e4ba290 100644 --- a/security/nss/tests/iopr/ssl_iopr.sh +++ b/security/nss/tests/iopr/ssl_iopr.sh @@ -140,7 +140,7 @@ ssl_iopr_cov_ext_server() echo " -n $testUser -w nss ${CLIEN_OPTIONS} -f \\" echo " -d ${dbDir} < ${SSL_REQ_FILE} > $resFile" - tstclnt -w nss -p ${sslPort} -h ${host} -c ${param} \ + ${BINDIR}/tstclnt -w nss -p ${sslPort} -h ${host} -c ${param} \ ${TLS_FLAG} ${CLIEN_OPTIONS} -f -n $testUser -w nss \ -d ${dbDir} < ${SSL_REQ_FILE} >$resFile 2>&1 ret=$? @@ -206,7 +206,7 @@ ssl_iopr_auth_ext_server() resFile=${TMP}/$HOST.tmp.$$ rm $rsFile 2>/dev/null - tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \ + ${BINDIR}/tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \ -d ${dbDir} < ${SSL_REQ_FILE} >$resFile 2>&1 ret=$? grep "ACCESS=OK" $resFile @@ -267,7 +267,7 @@ ssl_iopr_crl_ext_server() echo " -f -d ${dbDir} ${cparam} < ${SSL_REQ_FILE}" resFile=${TMP}/$HOST.tmp.$$ rm -f $resFile 2>/dev/null - tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \ + ${BINDIR}/tstclnt -p ${sslPort} -h ${host} ${CLIEN_OPTIONS} -f ${cparam} \ -d ${dbDir} < ${SSL_REQ_FILE} \ > $resFile 2>&1 ret=$? 
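Review bot: In ssl_iopr_auth_ext_server the cleanup before the new `${BINDIR}/tstclnt` call reads `rm $rsFile 2>/dev/null`, but the variable assigned on the line before it is `resFile`. `rsFile` is not set anywhere in the hunk, so the `rm` gets no operand and its error is discarded; a stale result file is only neutralised because the later `>$resFile` redirect truncates it. ssl_iopr_crl_ext_server already uses `rm -f $resFile 2>/dev/null`, and the same line here would match it.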
@@ -356,7 +356,7 @@ ssl_iopr_cov_ext_client() echo tstclnt -d $serDbDir -w ${R_PWFILE} -o -p $port \ -h $host \< $TEST_IN \>\> $TEST_OUT - tstclnt -d $serDbDir -w ${R_PWFILE} -o -p $port \ + ${BINDIR}/tstclnt -d $serDbDir -w ${R_PWFILE} -o -p $port \ -h $host <$TEST_IN > $TEST_OUT echo "------- Server output Begin ----------" @@ -457,7 +457,7 @@ ssl_iopr_auth_ext_client() echo tstclnt -d $serDbDir -w ${R_PWFILE} -o -p $port \ -h $host \< $TEST_IN \>\> $TEST_OUT - tstclnt -d $serDbDir -w ${R_PWFILE} -o -p $port \ + ${BINDIR}/tstclnt -d $serDbDir -w ${R_PWFILE} -o -p $port \ -h $host <$TEST_IN > $TEST_OUT echo "------- Server output Begin ----------" @@ -545,7 +545,7 @@ ssl_iopr_crl_ext_client() echo tstclnt -d $serDbDir -w ${R_PWFILE} -o -p $port \ -h ${host} \< $TEST_IN \>\> $TEST_OUT - tstclnt -d $serDbDir -w ${R_PWFILE} -o -p $port \ + ${BINDIR}/tstclnt -d $serDbDir -w ${R_PWFILE} -o -p $port \ -h ${host} <$TEST_IN > $TEST_OUT echo "------- Request ----------------------" cat $TEST_IN diff --git a/security/nss/tests/memleak/ignored b/security/nss/tests/memleak/ignored index 5672c55..853033d 100644 --- a/security/nss/tests/memleak/ignored +++ b/security/nss/tests/memleak/ignored @@ -46,3 +46,6 @@ selfserv/main/SSL_ConfigServerSessionIDCache/** **/testThreadLockingBehavior/pthread_create@@GLIBC_2.1/** **/findLockInfo/pthread_create@@GLIBC_2.1/** +#418365 +#selfserv/main/PR_NewTCPSocket/** + diff --git a/security/nss/tests/memleak/memleak.sh b/security/nss/tests/memleak/memleak.sh index 452cf98..5c72156 100644 --- a/security/nss/tests/memleak/memleak.sh +++ b/security/nss/tests/memleak/memleak.sh 
@@ -222,27 +222,27 @@ set_test_mode() fi if [ "${server_mode}" = "FIPS" ] ; then - modutil -dbdir ${SERVER_DB} -fips true -force - modutil -dbdir ${SERVER_DB} -list - modutil -dbdir ${CLIENT_DB} -fips false -force - modutil -dbdir ${CLIENT_DB} -list + ${BINDIR}/modutil -dbdir ${SERVER_DB} -fips true -force + ${BINDIR}/modutil -dbdir ${SERVER_DB} -list + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -fips false -force + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -list echo "${SCRIPTNAME}: FIPS is ON" cipher_list="c d e i j k n v y z" elif [ "${client_mode}" = "FIPS" ] ; then - modutil -dbdir ${SERVER_DB} -fips false -force - modutil -dbdir ${SERVER_DB} -list - modutil -dbdir ${CLIENT_DB} -fips true -force - modutil -dbdir ${CLIENT_DB} -list + ${BINDIR}/modutil -dbdir ${SERVER_DB} -fips false -force + ${BINDIR}/modutil -dbdir ${SERVER_DB} -list + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -fips true -force + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -list echo "${SCRIPTNAME}: FIPS is ON" cipher_list="c d e i j k n v y z" else - modutil -dbdir ${SERVER_DB} -fips false -force - modutil -dbdir ${SERVER_DB} -list - modutil -dbdir ${CLIENT_DB} -fips false -force - modutil -dbdir ${CLIENT_DB} -list + ${BINDIR}/modutil -dbdir ${SERVER_DB} -fips false -force + ${BINDIR}/modutil -dbdir ${SERVER_DB} -list + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -fips false -force + ${BINDIR}/modutil -dbdir ${CLIENT_DB} -list echo "${SCRIPTNAME}: FIPS is OFF" cipher_list="A B C D E F :C001 :C002 :C003 :C004 :C005 :C006 :C007 :C008 :C009 :C00A :C010 :C011 :C012 :C013 :C014 c d e f g i j k l m n v y z" @@ -346,7 +346,7 @@ run_selfserv() echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH}" echo "${SCRIPTNAME}: -------- Running selfserv:" echo "selfserv ${SELFSERV_ATTR}" - selfserv ${SELFSERV_ATTR} + ${BINDIR}/selfserv ${SELFSERV_ATTR} ret=$? if [ $ret -ne 0 ]; then html_failed " ${LOGNAME}: Selfserv" 
@@ -362,7 +362,7 @@ run_selfserv_dbg() { echo "PATH=${PATH}" echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH}" - ${RUN_COMMAND_DBG} selfserv ${SERVER_OPTION} ${SELFSERV_ATTR} + ${RUN_COMMAND_DBG} ${BINDIR}/selfserv ${SERVER_OPTION} ${SELFSERV_ATTR} ret=$? if [ $ret -ne 0 ]; then html_failed " ${LOGNAME}: Selfserv" @@ -381,7 +381,7 @@ run_strsclnt() ATTR="${STRSCLNT_ATTR} -C ${cipher}" echo "${SCRIPTNAME}: -------- Trying cipher ${cipher}:" echo "strsclnt ${ATTR}" - strsclnt ${ATTR} + ${BINDIR}/strsclnt ${ATTR} ret=$? if [ $ret -ne 0 ]; then html_failed " ${LOGNAME}: Strsclnt with cipher ${cipher}" @@ -392,7 +392,7 @@ run_strsclnt() echo "${SCRIPTNAME}: -------- Stopping server:" echo "tstclnt ${TSTCLNT_ATTR} < ${REQUEST_FILE}" - tstclnt ${TSTCLNT_ATTR} < ${REQUEST_FILE} + ${BINDIR}/tstclnt ${TSTCLNT_ATTR} < ${REQUEST_FILE} ret=$? if [ $ret -ne 0 ]; then html_failed " ${LOGNAME}: Tstclnt" @@ -409,7 +409,7 @@ run_strsclnt_dbg() { for cipher in ${cipher_list}; do ATTR="${STRSCLNT_ATTR} -C ${cipher}" - ${RUN_COMMAND_DBG} strsclnt ${CLIENT_OPTION} ${ATTR} + ${RUN_COMMAND_DBG} ${BINDIR}/strsclnt ${CLIENT_OPTION} ${ATTR} ret=$? if [ $ret -ne 0 ]; then html_failed " ${LOGNAME}: Strsclnt with cipher ${cipher}" @@ -420,7 +420,7 @@ run_strsclnt_dbg() echo "${SCRIPTNAME}: -------- Stopping server:" echo "tstclnt ${TSTCLNT_ATTR} < ${REQUEST_FILE}" - tstclnt ${TSTCLNT_ATTR} < ${REQUEST_FILE} + ${BINDIR}/tstclnt ${TSTCLNT_ATTR} < ${REQUEST_FILE} ret=$? if [ $ret -ne 0 ]; then html_failed " ${LOGNAME}: Tstclnt" @@ -675,7 +675,9 @@ parse_logfile_valgrind() } !/==[0-9]*==/ { if ( $1 == "Running:" ) - bin_name = $2 + bin_name = $2 + bin_nf = split(bin_name, bin_fields, "/") + bin_name = bin_fields[bin_nf] next } /blocks are/ { diff --git a/security/nss/tests/perf/perf.sh b/security/nss/tests/perf/perf.sh index d921827..685c274 100755 --- a/security/nss/tests/perf/perf.sh +++ b/security/nss/tests/perf/perf.sh 
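Review bot: In the awk rule added to parse_logfile_valgrind, the `if ( $1 == "Running:" )` has no braces, so only `bin_name = $2` is conditional and the two new statements (`split` and the `bin_fields[bin_nf]` assignment) run for every line that reaches this rule. That looks harmless, since re-splitting an already stripped name gives the same value, but it reads as if the path stripping belonged to the `Running:` case. Bracing it states the intent: `if ( $1 == "Running:" ) { bin_name = $2; bin_nf = split(bin_name, bin_fields, "/"); bin_name = bin_fields[bin_nf] }`. The original line breaks are lost in this rendering, so confirm against the file.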
@@ -68,7 +68,7 @@ perf_init() perf_init cd ${PERFDIR} -RSAPERF_OUT=`rsaperf -i 300 -s -n none` +RSAPERF_OUT=`${BINDIR}/rsaperf -i 300 -s -n none` RSAPERF_OUT=`echo $RSAPERF_OUT | sed \ -e "s/^/RSAPERF: $OBJDIR /" \ -e 's/microseconds/us/' \ diff --git a/security/nss/tests/pkits/pkits.sh b/security/nss/tests/pkits/pkits.sh index 28bd0e2..91fb637 100755 --- a/security/nss/tests/pkits/pkits.sh +++ b/security/nss/tests/pkits/pkits.sh @@ -110,12 +110,12 @@ pkits_init() echo "crls" $crls echo nss > ${PKITSdb}/pw - certutil -N -d ${PKITSdb} -f ${PKITSdb}/pw + ${BINDIR}/certutil -N -d ${PKITSdb} -f ${PKITSdb}/pw - certutil -A -n TrustAnchorRootCertificate -t "C,C,C" -i \ + ${BINDIR}/certutil -A -n TrustAnchorRootCertificate -t "C,C,C" -i \ $certs/TrustAnchorRootCertificate.crt -d $PKITSdb if [ "$NSS_NO_PKITS_CRLS" -ne 1 ]; then - crlutil -I -i $crls/TrustAnchorRootCRL.crl -d ${PKITSdb} + ${BINDIR}/crlutil -I -i $crls/TrustAnchorRootCRL.crl -d ${PKITSdb} else html "

NO CRLs are being used.

" pkits_log "NO CRLs are being used." @@ -163,7 +163,7 @@ break_table() pkits() { echo "vfychain -d $PKITSdb -u 4 $*" - vfychain -d $PKITSdb -u 4 $* > ${PKITSDIR}/cmdout.txt 2>&1 + ${BINDIR}/vfychain -d $PKITSdb -u 4 $* > ${PKITSDIR}/cmdout.txt 2>&1 RET=$? RET=$(expr $RET + $(grep -c ERROR ${PKITSDIR}/cmdout.txt)) cat ${PKITSDIR}/cmdout.txt @@ -187,7 +187,7 @@ pkits() pkitsn() { echo "vfychain -d $PKITSdb -u 4 $*" - vfychain -d $PKITSdb -u 4 $* > ${PKITSDIR}/cmdout.txt 2>&1 + ${BINDIR}/vfychain -d $PKITSdb -u 4 $* > ${PKITSDIR}/cmdout.txt 2>&1 RET=$? RET=$(expr $RET + $(grep -c ERROR ${PKITSDIR}/cmdout.txt)) cat ${PKITSDIR}/cmdout.txt @@ -210,7 +210,7 @@ crlImport() { if [ "$NSS_NO_PKITS_CRLS" -ne 1 ]; then echo "crlutil -d $PKITSdb -I -i $crls/$*" - crlutil -d ${PKITSdb} -I -i $crls/$* > ${PKITSDIR}/cmdout.txt 2>&1 + ${BINDIR}/crlutil -d ${PKITSdb} -I -i $crls/$* > ${PKITSDIR}/cmdout.txt 2>&1 RET=$? cat ${PKITSDIR}/cmdout.txt @@ -230,7 +230,7 @@ crlImportn() RET=0 if [ "$NSS_NO_PKITS_CRLS" -ne 1 ]; then echo "crlutil -d $PKITSdb -I -i $crls/$*" - crlutil -d ${PKITSdb} -I -i $crls/$* > ${PKITSDIR}/cmdout.txt 2>&1 + ${BINDIR}/crlutil -d ${PKITSdb} -I -i $crls/$* > ${PKITSDIR}/cmdout.txt 2>&1 RET=$? cat ${PKITSDIR}/cmdout.txt @@ -255,7 +255,7 @@ delete() { if [ "$NSS_NO_PKITS_CRLS" -ne 1 ]; then echo "crlutil -d $PKITSdb -D -n $*" - crlutil -d ${PKITSdb} -D -n $* > ${PKITSDIR}/cmdout.txt 2>&1 + ${BINDIR}/crlutil -d ${PKITSdb} -D -n $* > ${PKITSDIR}/cmdout.txt 2>&1 RET=$? cat ${PKITSDIR}/cmdout.txt @@ -266,7 +266,7 @@ delete() fi echo "certutil -d $PKITSdb -D -n $*" - certutil -d $PKITSdb -D -n $* > ${PKITSDIR}/cmdout.txt 2>&1 + ${BINDIR}/certutil -d $PKITSdb -D -n $* > ${PKITSDIR}/cmdout.txt 2>&1 RET=$? cat ${PKITSDIR}/cmdout.txt 
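Review bot: The new `${BINDIR}/vfychain -d $PKITSdb -u 4 $* > ${PKITSDIR}/cmdout.txt 2>&1` line in pkits() still passes its arguments through an unquoted `$*`, so a certificate path or nickname containing whitespace or glob characters is split or expanded before vfychain sees it. `"$@"` keeps each argument intact: `"${BINDIR}/vfychain" -d "$PKITSdb" -u 4 "$@" > "${PKITSDIR}/cmdout.txt" 2>&1`. pkitsn() has the same line, and crlImport, crlImportn, delete, certImport and certImportn use `$*` inside a path or nickname, where a quoted `"$1"` looks like the intended form (the callers are not visible here). These functions continue outside their hunks.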
@@ -283,7 +283,7 @@ delete() certImport() { echo "certutil -d $PKITSdb -A -t \",,\" -n $* -i $certs/$*.crt" - certutil -d $PKITSdb -A -t ",," -n $* -i $certs/$*.crt > ${PKITSDIR}/cmdout.txt 2>&1 + ${BINDIR}/certutil -d $PKITSdb -A -t ",," -n $* -i $certs/$*.crt > ${PKITSDIR}/cmdout.txt 2>&1 RET=$? cat ${PKITSDIR}/cmdout.txt @@ -302,7 +302,7 @@ certImportn() RET=0 if [ "$NSS_NO_PKITS_CRLS" -ne 1 ]; then echo "certutil -d $PKITSdb -A -t \",,\" -n $* -i $certs/$*.crt" - certutil -d $PKITSdb -A -t ",," -n $* -i $certs/$*.crt > ${PKITSDIR}/cmdout.txt 2>&1 + ${BINDIR}/certutil -d $PKITSdb -A -t ",," -n $* -i $certs/$*.crt > ${PKITSDIR}/cmdout.txt 2>&1 RET=$? cat ${PKITSDIR}/cmdout.txt diff --git a/security/nss/tests/sdr/sdr.sh b/security/nss/tests/sdr/sdr.sh index 37258a9..ad02a10 100755 --- a/security/nss/tests/sdr/sdr.sh +++ b/security/nss/tests/sdr/sdr.sh @@ -96,22 +96,22 @@ sdr_main() { echo "$SCRIPTNAME: Creating an SDR key/Encrypt" echo "sdrtest -d ${PROFILE} -o ${VALUE1} -t Test1" - sdrtest -d ${PROFILE} -o ${VALUE1} -t Test1 + ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE1} -t Test1 html_msg $? 0 "Creating SDR Key" echo "$SCRIPTNAME: SDR Encrypt - Second Value" echo "sdrtest -d ${PROFILE} -o ${VALUE2} -t '${T2}'" - sdrtest -d ${PROFILE} -o ${VALUE2} -t "${T2}" + ${BINDIR}/sdrtest -d ${PROFILE} -o ${VALUE2} -t "${T2}" html_msg $? 0 "Encrypt - Value 2" echo "$SCRIPTNAME: Decrypt - Value 1" echo "sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1" - sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1 + ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE1} -t Test1 html_msg $? 0 "Decrypt - Value 1" echo "$SCRIPTNAME: Decrypt - Value 2" echo "sdrtest -d ${PROFILE} -i ${VALUE2} -t ${T2}" - sdrtest -d ${PROFILE} -i ${VALUE2} -t "${T2}" + ${BINDIR}/sdrtest -d ${PROFILE} -i ${VALUE2} -t "${T2}" html_msg $? 0 "Decrypt - Value 2" } diff --git a/security/nss/tests/smime/smime.sh b/security/nss/tests/smime/smime.sh index d8d8892..3b0b295 100755 --- a/security/nss/tests/smime/smime.sh 
+++ b/security/nss/tests/smime/smime.sh @@ -97,20 +97,20 @@ smime_sign() echo "$SCRIPTNAME: Signing Detached Message {$HASH} ------------------" echo "cmsutil -S -T -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.d${SIG}" - ${PROFTOOL} cmsutil -S -T -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.d${SIG} + ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.d${SIG} html_msg $? 0 "Create Detached Signature Alice (${HASH})" "." echo "cmsutil -D -i alice.d${SIG} -c alice.txt -d ${P_R_BOBDIR} " - ${PROFTOOL} cmsutil -D -i alice.d${SIG} -c alice.txt -d ${P_R_BOBDIR} + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.d${SIG} -c alice.txt -d ${P_R_BOBDIR} html_msg $? 0 "Verifying Alice's Detached Signature (${HASH})" "." echo "$SCRIPTNAME: Signing Attached Message (${HASH}) ------------------" echo "cmsutil -S -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.${SIG}" - ${PROFTOOL} cmsutil -S -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.${SIG} + ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.${SIG} html_msg $? 0 "Create Attached Signature Alice (${HASH})" "." echo "cmsutil -D -i alice.${SIG} -d ${P_R_BOBDIR} -o alice.data.${HASH}" - ${PROFTOOL} cmsutil -D -i alice.${SIG} -d ${P_R_BOBDIR} -o alice.data.${HASH} + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.${SIG} -d ${P_R_BOBDIR} -o alice.data.${HASH} html_msg $? 0 "Decode Alice's Attached Signature (${HASH})" "." echo "diff alice.txt alice.data.${HASH}" 
@@ -121,20 +121,20 @@ smime_sign() if [ -n "$NSS_ENABLE_ECC" ] ; then echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ {$HASH} ------------------" echo "cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}" - ${PROFTOOL} cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG} + ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG} html_msg $? 0 "Create Detached Signature Alice (ECDSA w/ ${HASH})" "." echo "cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} " - ${PROFTOOL} cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} html_msg $? 0 "Verifying Alice's Detached Signature (ECDSA w/ ${HASH})" "." echo "$SCRIPTNAME: Signing Attached Message (ECDSA w/ ${HASH}) ------------------" echo "cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}" - ${PROFTOOL} cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG} + ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG} html_msg $? 0 "Create Attached Signature Alice (ECDSA w/ ${HASH})" "." echo "cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}" - ${PROFTOOL} cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH} + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH} html_msg $? 0 "Decode Alice's Attached Signature (ECDSA w/ ${HASH})" "." echo "diff alice.txt alice-ec.data.${HASH}" 
@@ -150,11 +150,11 @@ smime_p7() { echo "$SCRIPTNAME: p7 util Data Tests ------------------------------" echo "p7env -d ${P_R_ALICEDIR} -r Alice -i alice.txt -o alice_p7.env" - ${PROFTOOL} p7env -d ${P_R_ALICEDIR} -r Alice -i alice.txt -o alice.env + ${PROFTOOL} ${BINDIR}/p7env -d ${P_R_ALICEDIR} -r Alice -i alice.txt -o alice.env html_msg $? 0 "Creating envelope for user Alice" "." echo "p7content -d ${P_R_ALICEDIR} -i alice.env -o alice_p7.data" - ${PROFTOOL} p7content -d ${P_R_ALICEDIR} -i alice.env -o alice_p7.data -p nss + ${PROFTOOL} ${BINDIR}/p7content -d ${P_R_ALICEDIR} -i alice.env -o alice_p7.data -p nss html_msg $? 0 "Verifying file delivered to user Alice" "." sed -e '3,8p' -n alice_p7.data > alice_p7.data.sed @@ -164,11 +164,11 @@ smime_p7() html_msg $? 0 "Compare Decoded Enveloped Data and Original" "." echo "p7sign -d ${P_R_ALICEDIR} -k Alice -i alice.txt -o alice.sig -p nss -e" - ${PROFTOOL} p7sign -d ${P_R_ALICEDIR} -k Alice -i alice.txt -o alice.sig -p nss -e + ${PROFTOOL} ${BINDIR}/p7sign -d ${P_R_ALICEDIR} -k Alice -i alice.txt -o alice.sig -p nss -e html_msg $? 0 "Signing file for user Alice" "." echo "p7verify -d ${P_R_ALICEDIR} -c alice.txt -s alice.sig" - ${PROFTOOL} p7verify -d ${P_R_ALICEDIR} -c alice.txt -s alice.sig + ${PROFTOOL} ${BINDIR}/p7verify -d ${P_R_ALICEDIR} -c alice.txt -s alice.sig html_msg $? 0 "Verifying file delivered to user Alice" "." } 
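Review bot: The logged command in smime_p7 does not match the command that runs: the echo prints `p7env ... -o alice_p7.env` while the new line executes `${BINDIR}/p7env ... -o alice.env`, and the p7content echo omits the `-p nss` that is actually passed. With this patch the echo lines throughout also omit the `${BINDIR}/` prefix, so a test log no longer shows which binary was executed. I would echo the exact command, for example `echo "${BINDIR}/p7env -d ${P_R_ALICEDIR} -r Alice -i alice.txt -o alice.env"`.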
@@ -191,11 +191,11 @@ smime_main() echo "$SCRIPTNAME: Enveloped Data Tests ------------------------------" echo "cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\" echo " -o alice.env" - ${PROFTOOL} cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env + ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env html_msg $? 0 "Create Enveloped Data Alice" "." echo "cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1" - ${PROFTOOL} cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1 + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1 html_msg $? 0 "Decode Enveloped Data Alice" "." echo "diff alice.txt alice.data1" 
@@ -206,35 +206,35 @@ smime_main() echo "$SCRIPTNAME: Testing multiple recipients ------------------------------" echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \\" echo " -r bob@bogus.com,dave@bogus.com" - ${PROFTOOL} cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \ + ${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \ -r bob@bogus.com,dave@bogus.com ret=$? html_msg $ret 0 "Create Multiple Recipients Enveloped Data Alice" "." if [ $ret != 0 ] ; then echo "certutil -L -d ${P_R_ALICEDIR}" - certutil -L -d ${P_R_ALICEDIR} + ${BINDIR}/certutil -L -d ${P_R_ALICEDIR} echo "certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com" - certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com + ${BINDIR}/certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com fi echo "$SCRIPTNAME: Testing multiple email addrs ------------------------------" echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \\" echo " -r eve@bogus.net" - ${PROFTOOL} cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \ + ${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \ -r eve@bogus.net ret=$? html_msg $ret 0 "Encrypt to a Multiple Email cert" "." echo "cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2" - ${PROFTOOL} cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2 + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2 html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Bob" "." echo "cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3" - ${PROFTOOL} cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3 + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3 html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Dave" "." 
echo "cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4" - ${PROFTOOL} cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4 + ${PROFTOOL} ${BINDIR}/cmsutil -D -i aliceve.env -d ${P_R_EVEDIR} -p nss -o alice.data4 html_msg $? 0 "Decrypt with a Multiple Email cert" "." diff alice.txt alice.data2 @@ -249,23 +249,23 @@ smime_main() echo "$SCRIPTNAME: Sending CERTS-ONLY Message ------------------------------" echo "cmsutil -O -r \"Alice,bob@bogus.com,dave@bogus.com\" \\" echo " -d ${P_R_ALICEDIR} > co.der" - ${PROFTOOL} cmsutil -O -r "Alice,bob@bogus.com,dave@bogus.com" -d ${P_R_ALICEDIR} > co.der + ${PROFTOOL} ${BINDIR}/cmsutil -O -r "Alice,bob@bogus.com,dave@bogus.com" -d ${P_R_ALICEDIR} > co.der html_msg $? 0 "Create Certs-Only Alice" "." echo "cmsutil -D -i co.der -d ${P_R_BOBDIR}" - ${PROFTOOL} cmsutil -D -i co.der -d ${P_R_BOBDIR} + ${PROFTOOL} ${BINDIR}/cmsutil -D -i co.der -d ${P_R_BOBDIR} html_msg $? 0 "Verify Certs-Only by CA" "." echo "$SCRIPTNAME: Encrypted-Data Message ---------------------------------" echo "cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \\" echo " -r \"bob@bogus.com\" > alice.enc" - ${PROFTOOL} cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \ + ${PROFTOOL} ${BINDIR}/cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \ -r "bob@bogus.com" > alice.enc html_msg $? 0 "Create Encrypted-Data" "." echo "cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss \\" echo " -o alice.data2" - ${PROFTOOL} cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss -o alice.data2 + ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss -o alice.data2 html_msg $? 0 "Decode Encrypted-Data" "." diff alice.txt alice.data2 diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh index 518a9dc..0f457e2 100755 --- a/security/nss/tests/ssl/ssl.sh +++ b/security/nss/tests/ssl/ssl.sh 
@@ -157,14 +157,14 @@ wait_for_selfserv() echo "trying to connect to selfserv at `date`" echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}" - tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ + ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} if [ $? -ne 0 ]; then sleep 5 echo "retrying to connect to selfserv at `date`" echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" echo " -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}" - tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ + ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} if [ $? -ne 0 ]; then html_failed "Waiting for Server" @@ -203,7 +203,7 @@ kill_selfserv() # the port. Wait until the port is free. (Bug 129701) if [ "${OS_ARCH}" = "Linux" ]; then echo "selfserv -b -p ${PORT} 2>/dev/null;" - until selfserv -b -p ${PORT} 2>/dev/null; do + until ${BINDIR}/selfserv -b -p ${PORT} 2>/dev/null; do echo "RETRY: selfserv -b -p ${PORT} 2>/dev/null;" sleep 1 done @@ -239,11 +239,11 @@ start_selfserv() echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\" echo " ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &" if [ ${fileout} -eq 1 ]; then - ${PROFTOOL} selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \ > ${SERVEROUTFILE} 2>&1 & else - ${PROFTOOL} selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose & fi # The PID $! returned by the MKS or Cygwin shell is not the PID of 
@@ -342,7 +342,7 @@ ssl_cov() echo " -f -d ${P_R_CLIENTDIR} < ${REQUEST_FILE}" rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - ${PROFTOOL} tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${CLIENT_OPTIONS} -f \ + ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -c ${param} ${TLS_FLAG} ${CLIENT_OPTIONS} -f \ -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \ >${TMP}/$HOST.tmp.$$ 2>&1 ret=$? @@ -375,7 +375,7 @@ ssl_auth() echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} \\" echo " ${cparam} < ${REQUEST_FILE}" rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - ${PROFTOOL} tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \ + ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} ${CLIENT_OPTIONS} \ -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \ >${TMP}/$HOST.tmp.$$ 2>&1 ret=$? @@ -433,7 +433,7 @@ ssl_stress() echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\" echo " $verbose ${HOSTADDR}" echo "strsclnt started at `date`" - ${PROFTOOL} strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \ + ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \ $verbose ${HOSTADDR} ret=$? echo "strsclnt completed at `date`" @@ -502,7 +502,7 @@ ssl_crl_ssl() echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\" echo " ${cparam} < ${REQUEST_FILE}" rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - ${PROFTOOL} tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ + ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ -d ${R_CLIENTDIR} < ${REQUEST_FILE} \ >${TMP}/$HOST.tmp.$$ 2>&1 ret=$? 
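Review bot: The tstclnt output in ssl_cov is still redirected to `${TMP}/$HOST.tmp.$$`, a name built only from the host name and the shell PID, and the preceding `rm` does not prevent that path from being re-created by someone else if TMP is a shared directory (an assumption, since TMP is set outside the hunk). Where mktemp is available, `tmpfile=$(mktemp "${TMP}/${HOST}.XXXXXX") || return 1` followed by a redirect to `"$tmpfile"` removes the predictable name. ssl_auth, ssl_crl_ssl and ssl_crl_cache write to the same path. All of these functions continue outside their hunks.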
@@ -599,7 +599,7 @@ load_group_crl() { echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}" echo "" echo "RELOAD time $i" - ${PROFTOOL} tstclnt -p ${PORT} -h ${HOSTADDR} -f \ + ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f \ -d ${R_CLIENTDIR} -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \ >${OUTFILE_TMP} 2>&1 <<_EOF_REQUEST_ GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix} @@ -686,7 +686,7 @@ ssl_crl_cache() echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} \\" echo " ${cparam} < ${REQUEST_FILE}" rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - ${PROFTOOL} tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ + ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ -d ${R_CLIENTDIR} < ${REQUEST_FILE} \ >${TMP}/$HOST.tmp.$$ 2>&1 ret=$? @@ -803,13 +803,13 @@ ssl_set_fips() echo "${SCRIPTNAME}: ${TESTNAME}" echo "${MODUTIL} -dbdir ${DBDIR} -fips ${FIPSMODE} -force" - ${MODUTIL} -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1 + ${BINDIR}/${MODUTIL} -dbdir ${DBDIR} -fips ${FIPSMODE} -force 2>&1 RET=$? html_msg "${RET}" "0" "${TESTNAME} (modutil -fips ${FIPSMODE})" \ "produced a returncode of ${RET}, expected is 0" echo "${MODUTIL} -dbdir ${DBDIR} -list" - DBLIST=`${MODUTIL} -dbdir ${DBDIR} -list 2>&1` + DBLIST=`${BINDIR}/${MODUTIL} -dbdir ${DBDIR} -list 2>&1` RET=$? html_msg "${RET}" "0" "${TESTNAME} (modutil -list)" \ "produced a returncode of ${RET}, expected is 0" @@ -829,7 +829,10 @@ CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00 if [ -z "$DO_REM_ST" -a -z "$DO_DIST_ST" ] ; then - ulimit -n 1000 # make sure we have enough file descriptors + if [ "${OS_ARCH}" != "WINNT" ]; then + ulimit -n 1000 # make sure we have enough file descriptors + fi + ssl_init # save the directories as setup by init.sh diff --git a/security/nss/tests/ssl/ssl_dist_stress.sh b/security/nss/tests/ssl/ssl_dist_stress.sh index 1192621..30d2ed3 100755 --- a/security/nss/tests/ssl/ssl_dist_stress.sh 
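Review bot: In ssl_set_fips the tool is already indirected through `${MODUTIL}`, and the patch prepends `${BINDIR}/` to it, which silently requires MODUTIL to be a bare file name. Its definition is outside the hunk, but if it is ever set to a path or to a name plus options, `${BINDIR}/${MODUTIL}` no longer resolves to the intended binary. I would either fold the directory into the variable where it is defined, or document the contract there with a comment such as `# bare file name only; run as ${BINDIR}/${MODUTIL}`. The two echo lines in this hunk also still print `${MODUTIL}` without the prefix, so the log differs from what is executed.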
+++ b/security/nss/tests/ssl/ssl_dist_stress.sh @@ -201,7 +201,7 @@ ssl_ds_rem_stress() do echo "strsclnt -D -p ${PORT} -d ${P_R_CLIENTDIR} -w nss -c 1 $verbose " echo " -n TestUser$CONTINUE ${HOSTADDR} #`uname -n`" - strsclnt -D -p ${PORT} -d . -w nss -c 1 $verbose \ + ${BINDIR}/strsclnt -D -p ${PORT} -d . -w nss -c 1 $verbose \ -n "TestUser$CONTINUE" ${HOSTADDR} & #${HOSTADDR} & CONTINUE=`expr $CONTINUE - 1 ` @@ -292,7 +292,7 @@ ssl_ds_dist_stress() echo "GET /stop HTTP/1.0\n\n" > stdin.txt #check to make sure it has /r/n echo "tstclnt -h $HOSTADDR -p 8443 -d ${P_R_CLIENTDIR} -n TestUser0 " echo " -w nss -f < stdin.txt" - tstclnt -h $HOSTADDR -p 8443 -d ${P_R_CLIENTDIR} -n TestUser0 \ + ${BINDIR}/tstclnt -h $HOSTADDR -p 8443 -d ${P_R_CLIENTDIR} -n TestUser0 \ -w nss -f < stdin.txt html_msg 0 0 "${testname}" diff --git a/security/nss/tests/tools/tools.sh b/security/nss/tests/tools/tools.sh index b32eed2..76e1234 100644 --- a/security/nss/tests/tools/tools.sh +++ b/security/nss/tests/tools/tools.sh @@ -112,7 +112,7 @@ tools_p12() echo "$SCRIPTNAME: Exporting Alice's email cert & key------------------" echo "pk12util -o Alice.p12 -n \"Alice\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\" echo " -w ${R_PWFILE}" - pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \ + ${BINDIR}/pk12util -o Alice.p12 -n "Alice" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \ -w ${R_PWFILE} 2>&1 ret=$? html_msg $ret 0 "Exporting Alice's email cert & key (pk12util -o)" 
@@ -120,14 +120,14 @@ tools_p12() echo "$SCRIPTNAME: Importing Alice's email cert & key -----------------" echo "pk12util -i Alice.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" - pk12util -i Alice.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 + ${BINDIR}/pk12util -i Alice.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 ret=$? html_msg $ret 0 "Importing Alice's email cert & key (pk12util -i)" check_tmpfile echo "$SCRIPTNAME: Listing Alice's pk12 file -----------------" echo "pk12util -l Alice.p12 -w ${R_PWFILE}" - pk12util -l Alice.p12 -w ${R_PWFILE} 2>&1 + ${BINDIR}/pk12util -l Alice.p12 -w ${R_PWFILE} 2>&1 ret=$? html_msg $ret 0 "Listing Alice's pk12 file (pk12util -l)" check_tmpfile @@ -136,7 +136,7 @@ tools_p12() echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------" echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\" echo " -w ${R_PWFILE}" - pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \ + ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \ -w ${R_PWFILE} 2>&1 ret=$? html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)" @@ -144,14 +144,14 @@ tools_p12() echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------" echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" - pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 + ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 ret=$? html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)" check_tmpfile echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------" echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}" - pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1 + ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1 ret=$? html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)" check_tmpfile 
@@ -178,7 +178,7 @@ tools_sign() { echo "$SCRIPTNAME: Create objsign cert -------------------------------" echo "signtool -G \"objectsigner\" -d ${P_R_ALICEDIR} -p \"nss\"" - signtool -G "objsigner" -d ${P_R_ALICEDIR} -p "nss" 2>&1 <&1 <