ported changes from tenfourfox:
M1357599, M923089+M1276618+M1278434, M1485864, M1520826, M1558548, #481-X25519, M1586176 with custom changes: - coreconf+makefiles: set NSS_NO_PKCS11_BYPASS by default (to disable, set NSS_PKCS11_BYPASS) and fix logic - curve25519_32: use PRuint32 instead of uint32_t - smime: fix decl on top of block - ssl3con: more VC6 fixes
This commit is contained in:
parent
6712ac7edb
commit
1c9b432ff7
|
@ -188,3 +188,9 @@ USE_UTIL_DIRECTLY = 1
|
|||
|
||||
# Hide old, deprecated, TLS cipher suite names when building NSS
|
||||
DEFINES += -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES
|
||||
|
||||
# build with NO_PKCS11_BYPASS by default
|
||||
ifndef NSS_PKCS11_BYPASS
|
||||
DEFINES += -DNO_PKCS11_BYPASS
|
||||
NSS_NO_PKCS11_BYPASS = 1
|
||||
endif
|
||||
|
|
|
@ -1607,8 +1607,36 @@ done:
|
|||
"\x30\x05\x82\x03" ".nc" \
|
||||
"\x30\x05\x82\x03" ".tf" \
|
||||
|
||||
/* TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 */
|
||||
|
||||
#define TUBITAK1_SUBJECT_DN \
|
||||
"\x30\x81\xd2" \
|
||||
"\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02" \
|
||||
/* C */ "TR" \
|
||||
"\x31\x18\x30\x16\x06\x03\x55\x04\x07\x13\x0f" \
|
||||
/* L */ "Gebze - Kocaeli" \
|
||||
"\x31\x42\x30\x40\x06\x03\x55\x04\x0a\x13\x39" \
|
||||
/* O */ "Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK" \
|
||||
"\x31\x2d\x30\x2b\x06\x03\x55\x04\x0b\x13\x24" \
|
||||
/* OU */ "Kamu Sertifikasyon Merkezi - Kamu SM" \
|
||||
"\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2d" \
|
||||
/* CN */ "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
|
||||
|
||||
#define TUBITAK1_NAME_CONSTRAINTS \
|
||||
"\x30\x65\xa0\x63" \
|
||||
"\x30\x09\x82\x07" ".gov.tr" \
|
||||
"\x30\x09\x82\x07" ".k12.tr" \
|
||||
"\x30\x09\x82\x07" ".pol.tr" \
|
||||
"\x30\x09\x82\x07" ".mil.tr" \
|
||||
"\x30\x09\x82\x07" ".tsk.tr" \
|
||||
"\x30\x09\x82\x07" ".kep.tr" \
|
||||
"\x30\x09\x82\x07" ".bel.tr" \
|
||||
"\x30\x09\x82\x07" ".edu.tr" \
|
||||
"\x30\x09\x82\x07" ".org.tr"
|
||||
|
||||
static const SECItem builtInNameConstraints[][2] = {
|
||||
NAME_CONSTRAINTS_ENTRY(ANSSI)
|
||||
NAME_CONSTRAINTS_ENTRY(ANSSI),
|
||||
NAME_CONSTRAINTS_ENTRY(TUBITAK1)
|
||||
};
|
||||
|
||||
SECStatus
|
||||
|
|
|
@ -618,6 +618,12 @@ seckey_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki)
|
|||
if (rv == SECSuccess) return pubk;
|
||||
break;
|
||||
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
|
||||
/* A basic sanity check on inputs. */
|
||||
if (spki->algorithm.parameters.len == 0 || newOs.len == 0) {
|
||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
||||
break;
|
||||
}
|
||||
|
||||
pubk->keyType = ecKey;
|
||||
pubk->u.ec.size = 0;
|
||||
|
||||
|
|
|
@ -208,7 +208,8 @@ DH_Derive(SECItem *publicValue,
|
|||
unsigned int len = 0;
|
||||
unsigned int nb;
|
||||
unsigned char *secret = NULL;
|
||||
if (!publicValue || !prime || !privateValue || !derivedSecret) {
|
||||
if (!publicValue || !publicValue->len || !prime || !prime->len ||
|
||||
!privateValue || !privateValue->len || !derivedSecret) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
|
|
|
@ -215,7 +215,8 @@ ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
|
|||
#endif
|
||||
MP_DIGITS(&k) = 0;
|
||||
|
||||
if (!ecParams || !privKey || !privKeyBytes || (privKeyLen < 0)) {
|
||||
if (!ecParams || ecParams->name == ECCurve_noName ||
|
||||
!privKey || !privKeyBytes || privKeyLen <= 0) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
|
@ -395,7 +396,7 @@ EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey)
|
|||
int len;
|
||||
unsigned char *privKeyBytes = NULL;
|
||||
|
||||
if (!ecParams) {
|
||||
if (!ecParams || ecParams->name == ECCurve_noName || !privKey) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
|
@ -437,7 +438,8 @@ EC_ValidatePublicKey(ECParams *ecParams, SECItem *publicValue)
|
|||
mp_err err = MP_OKAY;
|
||||
int len;
|
||||
|
||||
if (!ecParams || !publicValue) {
|
||||
if (!ecParams || ecParams->name == ECCurve_noName ||
|
||||
!publicValue || !publicValue->len) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
|
@ -537,8 +539,9 @@ ECDH_Derive(SECItem *publicValue,
|
|||
int i;
|
||||
#endif
|
||||
|
||||
if (!publicValue || !ecParams || !privateValue ||
|
||||
!derivedSecret) {
|
||||
if (!publicValue || !publicValue->len ||
|
||||
!ecParams || ecParams->name == ECCurve_noName ||
|
||||
!privateValue || !privateValue->len || !derivedSecret) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
|
|
|
@ -78,7 +78,8 @@ LIBOBJS = ecl.o ecl_curve.o ecl_mult.o ecl_gf.o \
|
|||
ecp_aff.o ecp_jac.o ecp_mont.o \
|
||||
ec_naf.o ecp_jm.o \
|
||||
ecp_192.o ecp_224.o ecp_256.o ecp_384.o ecp_521.o \
|
||||
ecp_256_32.o
|
||||
ecp_256_32.o \
|
||||
curve25519_32.o
|
||||
ifeq ($(ECL_USE_FP),1)
|
||||
LIBOBJS+= ecp_fp160.o ecp_fp192.o ecp_fp224.o ecp_fp.o
|
||||
endif
|
||||
|
@ -131,6 +132,7 @@ ecp_256.o: ecp_256.c $(LIBHDRS)
|
|||
ecp_384.o: ecp_384.c $(LIBHDRS)
|
||||
ecp_521.o: ecp_521.c $(LIBHDRS)
|
||||
ecp_fp.o: ecp_fp.c $(LIBHDRS)
|
||||
curve25519_32.o: curve25519_32.c $(LIBHDRS)
|
||||
ifeq ($(ECL_USE_FP),1)
|
||||
ecp_fp160.o: ecp_fp160.c ecp_fpinc.c $(LIBHDRS)
|
||||
ecp_fp192.o: ecp_fp192.c ecp_fpinc.c $(LIBHDRS)
|
||||
|
|
|
@ -0,0 +1,393 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
/*
|
||||
* Derived from public domain code by Matthew Dempsky and D. J. Bernstein.
|
||||
*/
|
||||
|
||||
#include "ecl-priv.h"
|
||||
#include "mpi.h"
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
#include "seccomon.h"
|
||||
#include "secerr.h"
|
||||
#include "prtypes.h"
|
||||
|
||||
typedef PRUint32 elem[32];
|
||||
|
||||
/*
|
||||
* Add two field elements.
|
||||
* out = a + b
|
||||
*/
|
||||
static void
|
||||
add(elem out, const elem a, const elem b)
|
||||
{
|
||||
PRUint32 j;
|
||||
PRUint32 u = 0;
|
||||
for (j = 0; j < 31; ++j) {
|
||||
u += a[j] + b[j];
|
||||
out[j] = u & 0xFF;
|
||||
u >>= 8;
|
||||
}
|
||||
u += a[31] + b[31];
|
||||
out[31] = u;
|
||||
}
|
||||
|
||||
/*
|
||||
* Subtract two field elements.
|
||||
* out = a - b
|
||||
*/
|
||||
static void
|
||||
sub(elem out, const elem a, const elem b)
|
||||
{
|
||||
PRUint32 j;
|
||||
PRUint32 u;
|
||||
u = 218;
|
||||
for (j = 0; j < 31; ++j) {
|
||||
u += a[j] + 0xFF00 - b[j];
|
||||
out[j] = u & 0xFF;
|
||||
u >>= 8;
|
||||
}
|
||||
u += a[31] - b[31];
|
||||
out[31] = u;
|
||||
}
|
||||
|
||||
/*
|
||||
* "Squeeze" an element after multiplication (and square).
|
||||
*/
|
||||
static void
|
||||
squeeze(elem a)
|
||||
{
|
||||
PRUint32 j;
|
||||
PRUint32 u;
|
||||
u = 0;
|
||||
for (j = 0; j < 31; ++j) {
|
||||
u += a[j];
|
||||
a[j] = u & 0xFF;
|
||||
u >>= 8;
|
||||
}
|
||||
u += a[31];
|
||||
a[31] = u & 0x7F;
|
||||
u = 19 * (u >> 7);
|
||||
for (j = 0; j < 31; ++j) {
|
||||
u += a[j];
|
||||
a[j] = u & 0xFF;
|
||||
u >>= 8;
|
||||
}
|
||||
a[31] += u;
|
||||
}
|
||||
|
||||
static const elem minusp = { 19, 0, 0, 0, 0, 0, 0, 0,
|
||||
0, 0, 0, 0, 0, 0, 0, 0,
|
||||
0, 0, 0, 0, 0, 0, 0, 0,
|
||||
0, 0, 0, 0, 0, 0, 0, 128 };
|
||||
|
||||
/*
|
||||
* Reduce point a by 2^255-19
|
||||
*/
|
||||
static void
|
||||
reduce(elem a)
|
||||
{
|
||||
elem aorig;
|
||||
PRUint32 j;
|
||||
PRUint32 negative;
|
||||
|
||||
for (j = 0; j < 32; ++j) {
|
||||
aorig[j] = a[j];
|
||||
}
|
||||
add(a, a, minusp);
|
||||
negative = 1 + ~((a[31] >> 7) & 1);
|
||||
for (j = 0; j < 32; ++j) {
|
||||
a[j] ^= negative & (aorig[j] ^ a[j]);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Multiplication and squeeze
|
||||
* out = a * b
|
||||
*/
|
||||
static void
|
||||
mult(elem out, const elem a, const elem b)
|
||||
{
|
||||
PRUint32 i;
|
||||
PRUint32 j;
|
||||
PRUint32 u;
|
||||
|
||||
for (i = 0; i < 32; ++i) {
|
||||
u = 0;
|
||||
for (j = 0; j <= i; ++j) {
|
||||
u += a[j] * b[i - j];
|
||||
}
|
||||
for (j = i + 1; j < 32; ++j) {
|
||||
u += 38 * a[j] * b[i + 32 - j];
|
||||
}
|
||||
out[i] = u;
|
||||
}
|
||||
squeeze(out);
|
||||
}
|
||||
|
||||
/*
|
||||
* Multiplication
|
||||
* out = 121665 * a
|
||||
*/
|
||||
static void
|
||||
mult121665(elem out, const elem a)
|
||||
{
|
||||
PRUint32 j;
|
||||
PRUint32 u;
|
||||
|
||||
u = 0;
|
||||
for (j = 0; j < 31; ++j) {
|
||||
u += 121665 * a[j];
|
||||
out[j] = u & 0xFF;
|
||||
u >>= 8;
|
||||
}
|
||||
u += 121665 * a[31];
|
||||
out[31] = u & 0x7F;
|
||||
u = 19 * (u >> 7);
|
||||
for (j = 0; j < 31; ++j) {
|
||||
u += out[j];
|
||||
out[j] = u & 0xFF;
|
||||
u >>= 8;
|
||||
}
|
||||
u += out[j];
|
||||
out[j] = u;
|
||||
}
|
||||
|
||||
/*
|
||||
* Square a and squeeze the result.
|
||||
* out = a * a
|
||||
*/
|
||||
static void
|
||||
square(elem out, const elem a)
|
||||
{
|
||||
PRUint32 i;
|
||||
PRUint32 j;
|
||||
PRUint32 u;
|
||||
|
||||
for (i = 0; i < 32; ++i) {
|
||||
u = 0;
|
||||
for (j = 0; j < i - j; ++j) {
|
||||
u += a[j] * a[i - j];
|
||||
}
|
||||
for (j = i + 1; j < i + 32 - j; ++j) {
|
||||
u += 38 * a[j] * a[i + 32 - j];
|
||||
}
|
||||
u *= 2;
|
||||
if ((i & 1) == 0) {
|
||||
u += a[i / 2] * a[i / 2];
|
||||
u += 38 * a[i / 2 + 16] * a[i / 2 + 16];
|
||||
}
|
||||
out[i] = u;
|
||||
}
|
||||
squeeze(out);
|
||||
}
|
||||
|
||||
/*
|
||||
* Constant time swap between r and s depending on b
|
||||
*/
|
||||
static void
|
||||
cswap(PRUint32 p[64], PRUint32 q[64], PRUint32 b)
|
||||
{
|
||||
PRUint32 j;
|
||||
PRUint32 swap = 1 + ~b;
|
||||
|
||||
for (j = 0; j < 64; ++j) {
|
||||
const PRUint32 t = swap & (p[j] ^ q[j]);
|
||||
p[j] ^= t;
|
||||
q[j] ^= t;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Montgomery ladder
|
||||
*/
|
||||
static void
|
||||
monty(elem x_2_out, elem z_2_out,
|
||||
const elem point, const elem scalar)
|
||||
{
|
||||
PRUint32 x_3[64] = { 0 };
|
||||
PRUint32 x_2[64] = { 0 };
|
||||
PRUint32 a0[64];
|
||||
PRUint32 a1[64];
|
||||
PRUint32 b0[64];
|
||||
PRUint32 b1[64];
|
||||
PRUint32 c1[64];
|
||||
PRUint32 r[32];
|
||||
PRUint32 s[32];
|
||||
PRUint32 t[32];
|
||||
PRUint32 u[32];
|
||||
PRUint32 swap = 0;
|
||||
PRUint32 k_t = 0;
|
||||
int j;
|
||||
|
||||
for (j = 0; j < 32; ++j) {
|
||||
x_3[j] = point[j];
|
||||
}
|
||||
x_3[32] = 1;
|
||||
x_2[0] = 1;
|
||||
|
||||
for (j = 254; j >= 0; --j) {
|
||||
k_t = (scalar[j >> 3] >> (j & 7)) & 1;
|
||||
swap ^= k_t;
|
||||
cswap(x_2, x_3, swap);
|
||||
swap = k_t;
|
||||
add(a0, x_2, x_2 + 32);
|
||||
sub(a0 + 32, x_2, x_2 + 32);
|
||||
add(a1, x_3, x_3 + 32);
|
||||
sub(a1 + 32, x_3, x_3 + 32);
|
||||
square(b0, a0);
|
||||
square(b0 + 32, a0 + 32);
|
||||
mult(b1, a1, a0 + 32);
|
||||
mult(b1 + 32, a1 + 32, a0);
|
||||
add(c1, b1, b1 + 32);
|
||||
sub(c1 + 32, b1, b1 + 32);
|
||||
square(r, c1 + 32);
|
||||
sub(s, b0, b0 + 32);
|
||||
mult121665(t, s);
|
||||
add(u, t, b0);
|
||||
mult(x_2, b0, b0 + 32);
|
||||
mult(x_2 + 32, s, u);
|
||||
square(x_3, c1);
|
||||
mult(x_3 + 32, r, point);
|
||||
}
|
||||
|
||||
cswap(x_2, x_3, swap);
|
||||
for (j = 0; j < 32; ++j) {
|
||||
x_2_out[j] = x_2[j];
|
||||
}
|
||||
for (j = 0; j < 32; ++j) {
|
||||
z_2_out[j] = x_2[j + 32];
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
recip(elem out, const elem z)
|
||||
{
|
||||
elem z2;
|
||||
elem z9;
|
||||
elem z11;
|
||||
elem z2_5_0;
|
||||
elem z2_10_0;
|
||||
elem z2_20_0;
|
||||
elem z2_50_0;
|
||||
elem z2_100_0;
|
||||
elem t0;
|
||||
elem t1;
|
||||
int i;
|
||||
|
||||
/* 2 */ square(z2, z);
|
||||
/* 4 */ square(t1, z2);
|
||||
/* 8 */ square(t0, t1);
|
||||
/* 9 */ mult(z9, t0, z);
|
||||
/* 11 */ mult(z11, z9, z2);
|
||||
/* 22 */ square(t0, z11);
|
||||
/* 2^5 - 2^0 = 31 */ mult(z2_5_0, t0, z9);
|
||||
|
||||
/* 2^6 - 2^1 */ square(t0, z2_5_0);
|
||||
/* 2^7 - 2^2 */ square(t1, t0);
|
||||
/* 2^8 - 2^3 */ square(t0, t1);
|
||||
/* 2^9 - 2^4 */ square(t1, t0);
|
||||
/* 2^10 - 2^5 */ square(t0, t1);
|
||||
/* 2^10 - 2^0 */ mult(z2_10_0, t0, z2_5_0);
|
||||
|
||||
/* 2^11 - 2^1 */ square(t0, z2_10_0);
|
||||
/* 2^12 - 2^2 */ square(t1, t0);
|
||||
/* 2^20 - 2^10 */
|
||||
for (i = 2; i < 10; i += 2) {
|
||||
square(t0, t1);
|
||||
square(t1, t0);
|
||||
}
|
||||
/* 2^20 - 2^0 */ mult(z2_20_0, t1, z2_10_0);
|
||||
|
||||
/* 2^21 - 2^1 */ square(t0, z2_20_0);
|
||||
/* 2^22 - 2^2 */ square(t1, t0);
|
||||
/* 2^40 - 2^20 */
|
||||
for (i = 2; i < 20; i += 2) {
|
||||
square(t0, t1);
|
||||
square(t1, t0);
|
||||
}
|
||||
/* 2^40 - 2^0 */ mult(t0, t1, z2_20_0);
|
||||
|
||||
/* 2^41 - 2^1 */ square(t1, t0);
|
||||
/* 2^42 - 2^2 */ square(t0, t1);
|
||||
/* 2^50 - 2^10 */
|
||||
for (i = 2; i < 10; i += 2) {
|
||||
square(t1, t0);
|
||||
square(t0, t1);
|
||||
}
|
||||
/* 2^50 - 2^0 */ mult(z2_50_0, t0, z2_10_0);
|
||||
|
||||
/* 2^51 - 2^1 */ square(t0, z2_50_0);
|
||||
/* 2^52 - 2^2 */ square(t1, t0);
|
||||
/* 2^100 - 2^50 */
|
||||
for (i = 2; i < 50; i += 2) {
|
||||
square(t0, t1);
|
||||
square(t1, t0);
|
||||
}
|
||||
/* 2^100 - 2^0 */ mult(z2_100_0, t1, z2_50_0);
|
||||
|
||||
/* 2^101 - 2^1 */ square(t1, z2_100_0);
|
||||
/* 2^102 - 2^2 */ square(t0, t1);
|
||||
/* 2^200 - 2^100 */
|
||||
for (i = 2; i < 100; i += 2) {
|
||||
square(t1, t0);
|
||||
square(t0, t1);
|
||||
}
|
||||
/* 2^200 - 2^0 */ mult(t1, t0, z2_100_0);
|
||||
|
||||
/* 2^201 - 2^1 */ square(t0, t1);
|
||||
/* 2^202 - 2^2 */ square(t1, t0);
|
||||
/* 2^250 - 2^50 */
|
||||
for (i = 2; i < 50; i += 2) {
|
||||
square(t0, t1);
|
||||
square(t1, t0);
|
||||
}
|
||||
/* 2^250 - 2^0 */ mult(t0, t1, z2_50_0);
|
||||
|
||||
/* 2^251 - 2^1 */ square(t1, t0);
|
||||
/* 2^252 - 2^2 */ square(t0, t1);
|
||||
/* 2^253 - 2^3 */ square(t1, t0);
|
||||
/* 2^254 - 2^4 */ square(t0, t1);
|
||||
/* 2^255 - 2^5 */ square(t1, t0);
|
||||
/* 2^255 - 21 */ mult(out, t1, z11);
|
||||
}
|
||||
|
||||
/*
|
||||
* Computes q = Curve25519(p, s)
|
||||
*/
|
||||
SECStatus
|
||||
ec_Curve25519_mul(PRUint8 *q, const PRUint8 *s, const PRUint8 *p)
|
||||
{
|
||||
elem point = { 0 };
|
||||
elem x_2 = { 0 };
|
||||
elem z_2 = { 0 };
|
||||
elem X = { 0 };
|
||||
elem scalar = { 0 };
|
||||
PRUint32 i;
|
||||
|
||||
/* read and mask scalar */
|
||||
for (i = 0; i < 32; ++i) {
|
||||
scalar[i] = s[i];
|
||||
}
|
||||
scalar[0] &= 0xF8;
|
||||
scalar[31] &= 0x7F;
|
||||
scalar[31] |= 64;
|
||||
|
||||
/* read and mask point */
|
||||
for (i = 0; i < 32; ++i) {
|
||||
point[i] = p[i];
|
||||
}
|
||||
point[31] &= 0x7F;
|
||||
|
||||
monty(x_2, z_2, point, scalar);
|
||||
recip(z_2, z_2);
|
||||
mult(X, x_2, z_2);
|
||||
reduce(X);
|
||||
for (i = 0; i < 32; ++i) {
|
||||
q[i] = X[i];
|
||||
}
|
||||
return 0;
|
||||
}
|
|
@ -73,7 +73,7 @@ ifndef NSS_DISABLE_ECC
|
|||
ECL_SRCS = ecl.c ecl_curve.c ecl_mult.c ecl_gf.c \
|
||||
ecp_aff.c ecp_jac.c ecp_mont.c \
|
||||
ec_naf.c ecp_jm.c ecp_256.c ecp_384.c ecp_521.c \
|
||||
ecp_256_32.c
|
||||
ecp_256_32.c curve25519_32.c
|
||||
ifdef NSS_ECC_MORE_THAN_SUITE_B
|
||||
ECL_SRCS += ec2_aff.c ec2_mont.c ec2_proj.c \
|
||||
ec2_163.c ec2_193.c ec2_233.c \
|
||||
|
|
|
@ -2104,7 +2104,10 @@ mp_err s_mp_almost_inverse(const mp_int *a, const mp_int *p, mp_int *c)
|
|||
}
|
||||
}
|
||||
if (res >= 0) {
|
||||
while (MP_SIGN(c) != MP_ZPOS) {
|
||||
if (mp_cmp_mag(c, (mp_int *)p) >= 0) {
|
||||
MP_CHECKOK(mp_div(c, p, NULL, c));
|
||||
}
|
||||
if (MP_SIGN(c) != MP_ZPOS) {
|
||||
MP_CHECKOK( mp_add(c, p, c) );
|
||||
}
|
||||
res = k;
|
||||
|
@ -4788,38 +4791,61 @@ mp_to_signed_octets(const mp_int *mp, unsigned char *str, mp_size maxlen)
|
|||
/* }}} */
|
||||
|
||||
/* {{{ mp_to_fixlen_octets(mp, str) */
|
||||
/* output a buffer of big endian octets exactly as long as requested. */
|
||||
/* output a buffer of big endian octets exactly as long as requested.
|
||||
constant time on the value of mp. */
|
||||
mp_err
|
||||
mp_to_fixlen_octets(const mp_int *mp, unsigned char *str, mp_size length)
|
||||
{
|
||||
int ix, pos = 0;
|
||||
unsigned int bytes;
|
||||
int ix, jx;
|
||||
unsigned int bytes;
|
||||
|
||||
ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
|
||||
ARGCHK(mp != NULL, MP_BADARG);
|
||||
ARGCHK(str != NULL, MP_BADARG);
|
||||
ARGCHK(!SIGN(mp), MP_BADARG);
|
||||
ARGCHK(length > 0, MP_BADARG);
|
||||
|
||||
bytes = mp_unsigned_octet_size(mp);
|
||||
ARGCHK(bytes <= length, MP_BADARG);
|
||||
/* Constant time on the value of mp. Don't use mp_unsigned_octet_size. */
|
||||
bytes = USED(mp) * MP_DIGIT_SIZE;
|
||||
|
||||
/* place any needed leading zeros */
|
||||
for (;length > bytes; --length) {
|
||||
*str++ = 0;
|
||||
/* If the output is shorter than the native size of mp, then check that any
|
||||
* bytes not written have zero values. This check isn't constant time on
|
||||
* the assumption that timing-sensitive callers can guarantee that mp fits
|
||||
* in the allocated space. */
|
||||
ix = USED(mp) - 1;
|
||||
if (bytes > length) {
|
||||
unsigned int zeros = bytes - length;
|
||||
|
||||
while (zeros >= MP_DIGIT_SIZE) {
|
||||
ARGCHK(DIGIT(mp, ix) == 0, MP_BADARG);
|
||||
zeros -= MP_DIGIT_SIZE;
|
||||
ix--;
|
||||
}
|
||||
|
||||
if (zeros > 0) {
|
||||
mp_digit d = DIGIT(mp, ix);
|
||||
mp_digit m = (mp_digit)~0 << ((MP_DIGIT_SIZE - zeros) * CHAR_BIT);
|
||||
ARGCHK((d & m) == 0, MP_BADARG);
|
||||
for (jx = MP_DIGIT_SIZE - zeros - 1; jx >= 0; jx--) {
|
||||
*str++ = d >> (jx * CHAR_BIT);
|
||||
}
|
||||
ix--;
|
||||
}
|
||||
} else if (bytes < length) {
|
||||
/* Place any needed leading zeros. */
|
||||
unsigned int zeros = length - bytes;
|
||||
memset(str, 0, zeros);
|
||||
str += zeros;
|
||||
}
|
||||
|
||||
/* Iterate over each digit... */
|
||||
for(ix = USED(mp) - 1; ix >= 0; ix--) {
|
||||
mp_digit d = DIGIT(mp, ix);
|
||||
int jx;
|
||||
/* Iterate over each whole digit... */
|
||||
for (; ix >= 0; ix--) {
|
||||
mp_digit d = DIGIT(mp, ix);
|
||||
|
||||
/* Unpack digit bytes, high order first */
|
||||
for(jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
|
||||
unsigned char x = (unsigned char)(d >> (jx * CHAR_BIT));
|
||||
if (!pos && !x) /* suppress leading zeros */
|
||||
continue;
|
||||
str[pos++] = x;
|
||||
for (jx = MP_DIGIT_SIZE - 1; jx >= 0; jx--) {
|
||||
*str++ = d >> (jx * CHAR_BIT);
|
||||
}
|
||||
}
|
||||
if (!pos)
|
||||
str[pos++] = 0;
|
||||
return MP_OKAY;
|
||||
} /* end mp_to_fixlen_octets() */
|
||||
/* }}} */
|
||||
|
|
|
@ -125,7 +125,8 @@ typedef int mp_sword;
|
|||
#define MP_WORD_MAX UINT_MAX
|
||||
#endif
|
||||
|
||||
#define MP_DIGIT_BIT (CHAR_BIT*sizeof(mp_digit))
|
||||
#define MP_DIGIT_SIZE sizeof(mp_digit)
|
||||
#define MP_DIGIT_BIT (CHAR_BIT * MP_DIGIT_SIZE)
|
||||
#define MP_WORD_BIT (CHAR_BIT*sizeof(mp_word))
|
||||
#define MP_RADIX (1+(mp_word)MP_DIGIT_MAX)
|
||||
|
||||
|
|
|
@ -907,48 +907,56 @@ RSA_DecryptBlock(RSAPrivateKey * key,
|
|||
const unsigned char * input,
|
||||
unsigned int inputLen)
|
||||
{
|
||||
SECStatus rv;
|
||||
PRInt8 rv;
|
||||
unsigned int modulusLen = rsa_modulusLen(&key->modulus);
|
||||
unsigned int i;
|
||||
unsigned char * buffer;
|
||||
unsigned char *buffer = NULL;
|
||||
unsigned int outLen = 0;
|
||||
unsigned int copyOutLen = modulusLen - 11;
|
||||
|
||||
if (inputLen != modulusLen)
|
||||
goto failure;
|
||||
|
||||
buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
|
||||
if (!buffer)
|
||||
goto failure;
|
||||
|
||||
rv = RSA_PrivateKeyOp(key, buffer, input);
|
||||
if (rv != SECSuccess)
|
||||
goto loser;
|
||||
|
||||
/* XXX(rsleevi): Constant time */
|
||||
if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
|
||||
buffer[1] != (unsigned char)RSA_BlockPublic) {
|
||||
goto loser;
|
||||
if (inputLen != modulusLen || modulusLen < 10) {
|
||||
return SECFailure;
|
||||
}
|
||||
*outputLen = 0;
|
||||
for (i = 2; i < modulusLen; i++) {
|
||||
if (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
|
||||
*outputLen = modulusLen - i - 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (*outputLen == 0)
|
||||
goto loser;
|
||||
if (*outputLen > maxOutputLen)
|
||||
goto loser;
|
||||
|
||||
PORT_Memcpy(output, buffer + modulusLen - *outputLen, *outputLen);
|
||||
if (copyOutLen > maxOutputLen) {
|
||||
copyOutLen = maxOutputLen;
|
||||
}
|
||||
|
||||
// Allocate enough space to decrypt + copyOutLen to allow copying outLen later.
|
||||
buffer = PORT_ZAlloc(modulusLen + 1 + copyOutLen);
|
||||
if (!buffer) {
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
// rv is 0 if everything is going well and 1 if an error occurs.
|
||||
rv = RSA_PrivateKeyOp(key, buffer, input) != SECSuccess;
|
||||
rv |= (buffer[0] != RSA_BLOCK_FIRST_OCTET) |
|
||||
(buffer[1] != (unsigned char)RSA_BlockPublic);
|
||||
|
||||
// There have to be at least 8 bytes of padding.
|
||||
for (i = 2; i < 10; i++) {
|
||||
rv |= buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET;
|
||||
}
|
||||
|
||||
for (i = 10; i < modulusLen; i++) {
|
||||
unsigned int newLen = modulusLen - i - 1;
|
||||
unsigned int c = (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) & (outLen == 0);
|
||||
outLen = constantTimeCondition(c, newLen, outLen);
|
||||
}
|
||||
rv |= outLen == 0;
|
||||
rv |= outLen > maxOutputLen;
|
||||
|
||||
// Note that output is set even if SECFailure is returned.
|
||||
PORT_Memcpy(output, buffer + modulusLen - outLen, copyOutLen);
|
||||
*outputLen = constantTimeCondition(outLen > maxOutputLen, maxOutputLen,
|
||||
outLen);
|
||||
|
||||
PORT_Free(buffer);
|
||||
return SECSuccess;
|
||||
|
||||
loser:
|
||||
PORT_Free(buffer);
|
||||
failure:
|
||||
return SECFailure;
|
||||
for (i = 1; i < sizeof(rv) * 8; i <<= 1) {
|
||||
rv |= rv << i;
|
||||
}
|
||||
return (SECStatus)rv;
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
@ -164,7 +164,6 @@ PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey,
|
|||
keyType = CKK_EC;
|
||||
PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++;
|
||||
PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));attrs++;
|
||||
signedattr = attrs;
|
||||
PK11_SETATTRS(attrs, CKA_EC_PARAMS,
|
||||
pubKey->u.ec.DEREncodedParams.data,
|
||||
pubKey->u.ec.DEREncodedParams.len); attrs++;
|
||||
|
@ -195,10 +194,14 @@ PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey,
|
|||
}
|
||||
|
||||
templateCount = attrs - theTemplate;
|
||||
signedcount = attrs - signedattr;
|
||||
PORT_Assert(templateCount <= (sizeof(theTemplate)/sizeof(CK_ATTRIBUTE)));
|
||||
for (attrs=signedattr; signedcount; attrs++, signedcount--) {
|
||||
pk11_SignedToUnsigned(attrs);
|
||||
|
||||
if (pubKey->keyType != ecKey) {
|
||||
PORT_Assert(signedattr);
|
||||
signedcount = attrs - signedattr;
|
||||
for (attrs = signedattr; signedcount; attrs++, signedcount--) {
|
||||
pk11_SignedToUnsigned(attrs);
|
||||
}
|
||||
}
|
||||
rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, theTemplate,
|
||||
templateCount, isToken, &objectID);
|
||||
|
@ -956,9 +959,13 @@ pk11_loadPrivKeyWithFlags(PK11SlotInfo *slot,SECKEYPrivateKey *privKey,
|
|||
&cktrue, &ckfalse);
|
||||
|
||||
/* Not everyone can handle zero padded key values, give
|
||||
* them the raw data as unsigned */
|
||||
for (ap=attrs; extra_count; ap++, extra_count--) {
|
||||
pk11_SignedToUnsigned(ap);
|
||||
* them the raw data as unsigned. The exception is EC,
|
||||
* where the values are encoded or zero-preserving
|
||||
* per-RFC5915 */
|
||||
if (privKey->keyType != ecKey) {
|
||||
for (ap = attrs; extra_count; ap++, extra_count--) {
|
||||
pk11_SignedToUnsigned(ap);
|
||||
}
|
||||
}
|
||||
|
||||
/* now Store the puppies */
|
||||
|
|
|
@ -172,7 +172,9 @@ PK11_IsUserCert(PK11SlotInfo *slot, CERTCertificate *cert,
|
|||
SECKEY_DestroyPublicKey(pubKey);
|
||||
return PR_FALSE;
|
||||
}
|
||||
pk11_SignedToUnsigned(&theTemplate);
|
||||
if (pubKey->keyType != ecKey) {
|
||||
pk11_SignedToUnsigned(&theTemplate);
|
||||
}
|
||||
if (pk11_FindObjectByTemplate(slot,&theTemplate,1) != CK_INVALID_HANDLE) {
|
||||
SECKEY_DestroyPublicKey(pubKey);
|
||||
return PR_TRUE;
|
||||
|
|
|
@ -282,6 +282,7 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk,
|
|||
PK11_SETATTRS(attrs, CKA_PRIVATE, isPrivate ? &cktrue : &ckfalse,
|
||||
sizeof(CK_BBOOL) ); attrs++;
|
||||
|
||||
PORT_Assert(lpk->keyType != ecKey); /* see bug 1558548 if this is needed */
|
||||
switch (lpk->keyType) {
|
||||
case rsaKey:
|
||||
keyType = CKK_RSA;
|
||||
|
|
|
@ -53,6 +53,10 @@ NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo)
|
|||
{
|
||||
SECOidTag kind;
|
||||
|
||||
if (cinfo == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
kind = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
|
||||
switch (kind) {
|
||||
case SEC_OID_PKCS7_ENVELOPED_DATA:
|
||||
|
@ -88,7 +92,13 @@ NSSCMSContentInfo *
|
|||
NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo)
|
||||
{
|
||||
NSSCMSContentInfo * ccinfo = NULL;
|
||||
SECOidTag tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
|
||||
SECOidTag tag;
|
||||
|
||||
if (cinfo == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
|
||||
switch (tag) {
|
||||
case SEC_OID_PKCS7_SIGNED_DATA:
|
||||
if (cinfo->content.signedData != NULL) {
|
||||
|
@ -129,6 +139,9 @@ SECStatus
|
|||
NSS_CMSContentInfo_SetDontStream(NSSCMSContentInfo *cinfo, PRBool dontStream)
|
||||
{
|
||||
SECStatus rv;
|
||||
if (cinfo == NULL) {
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
rv = NSS_CMSContentInfo_Private_Init(cinfo);
|
||||
if (rv != SECSuccess) {
|
||||
|
@ -146,6 +159,9 @@ SECStatus
|
|||
NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECOidTag type, void *ptr)
|
||||
{
|
||||
SECStatus rv;
|
||||
if (cinfo == NULL || cmsg == NULL) {
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
cinfo->contentTypeTag = SECOID_FindOIDByTag(type);
|
||||
if (cinfo->contentTypeTag == NULL)
|
||||
|
@ -227,9 +243,15 @@ NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentIn
|
|||
void *
|
||||
NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo)
|
||||
{
|
||||
SECOidTag tag = cinfo->contentTypeTag
|
||||
? cinfo->contentTypeTag->offset
|
||||
: SEC_OID_UNKNOWN;
|
||||
SECOidTag tag;
|
||||
|
||||
if (cinfo == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
tag = cinfo->contentTypeTag
|
||||
? cinfo->contentTypeTag->offset
|
||||
: SEC_OID_UNKNOWN;
|
||||
switch (tag) {
|
||||
case SEC_OID_PKCS7_DATA:
|
||||
case SEC_OID_PKCS7_SIGNED_DATA:
|
||||
|
@ -255,6 +277,10 @@ NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
|
|||
SECOidTag tag;
|
||||
SECItem *pItem = NULL;
|
||||
|
||||
if (cinfo == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
|
||||
if (NSS_CMSType_IsData(tag)) {
|
||||
pItem = cinfo->content.data;
|
||||
|
@ -278,6 +304,10 @@ NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
|
|||
SECOidTag
|
||||
NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo)
|
||||
{
|
||||
if (cinfo == NULL) {
|
||||
return SEC_OID_UNKNOWN;
|
||||
}
|
||||
|
||||
if (cinfo->contentTypeTag == NULL)
|
||||
cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
|
||||
|
||||
|
@ -290,6 +320,10 @@ NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo)
|
|||
SECItem *
|
||||
NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo)
|
||||
{
|
||||
if (cinfo == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (cinfo->contentTypeTag == NULL)
|
||||
cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
|
||||
|
||||
|
@ -306,6 +340,10 @@ NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo)
|
|||
SECOidTag
|
||||
NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo)
|
||||
{
|
||||
if (cinfo == NULL) {
|
||||
return SEC_OID_UNKNOWN;
|
||||
}
|
||||
|
||||
if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN)
|
||||
cinfo->contentEncAlgTag = SECOID_GetAlgorithmTag(&(cinfo->contentEncAlg));
|
||||
|
||||
|
@ -318,6 +356,10 @@ NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo)
|
|||
SECAlgorithmID *
|
||||
NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo)
|
||||
{
|
||||
if (cinfo == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return &(cinfo->contentEncAlg);
|
||||
}
|
||||
|
||||
|
@ -326,6 +368,9 @@ NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo
|
|||
SECOidTag bulkalgtag, SECItem *parameters, int keysize)
|
||||
{
|
||||
SECStatus rv;
|
||||
if (cinfo == NULL) {
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
rv = SECOID_SetAlgorithmID(poolp, &(cinfo->contentEncAlg), bulkalgtag, parameters);
|
||||
if (rv != SECSuccess)
|
||||
|
@ -339,6 +384,9 @@ NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cin
|
|||
SECAlgorithmID *algid, int keysize)
|
||||
{
|
||||
SECStatus rv;
|
||||
if (cinfo == NULL) {
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
rv = SECOID_CopyAlgorithmID(poolp, &(cinfo->contentEncAlg), algid);
|
||||
if (rv != SECSuccess)
|
||||
|
@ -351,14 +399,23 @@ NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cin
|
|||
void
|
||||
NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey)
|
||||
{
|
||||
cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey);
|
||||
cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg));
|
||||
if (cinfo == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (bulkkey == NULL) {
|
||||
cinfo->bulkkey = NULL;
|
||||
cinfo->keysize = 0;
|
||||
} else {
|
||||
cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey);
|
||||
cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg));
|
||||
}
|
||||
}
|
||||
|
||||
PK11SymKey *
|
||||
NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo)
|
||||
{
|
||||
if (cinfo->bulkkey == NULL)
|
||||
if (cinfo == NULL || cinfo->bulkkey == NULL)
|
||||
return NULL;
|
||||
|
||||
return PK11_ReferenceSymKey(cinfo->bulkkey);
|
||||
|
@ -367,5 +424,9 @@ NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo)
|
|||
int
|
||||
NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo)
|
||||
{
|
||||
if (cinfo == NULL) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
return cinfo->keysize;
|
||||
}
|
||||
|
|
|
@ -56,7 +56,9 @@ void
|
|||
NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd)
|
||||
{
|
||||
/* everything's in a pool, so don't worry about the storage */
|
||||
NSS_CMSContentInfo_Destroy(&(digd->contentInfo));
|
||||
if (digd != NULL) {
|
||||
NSS_CMSContentInfo_Destroy(&(digd->contentInfo));
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
|
@ -86,7 +86,9 @@ void
|
|||
NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd)
|
||||
{
|
||||
/* everything's in a pool, so don't worry about the storage */
|
||||
NSS_CMSContentInfo_Destroy(&(encd->contentInfo));
|
||||
if (encd != NULL) {
|
||||
NSS_CMSContentInfo_Destroy(&(encd->contentInfo));
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
|
@ -144,6 +144,11 @@ NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd)
|
|||
poolp = envd->cmsg->poolp;
|
||||
cinfo = &(envd->contentInfo);
|
||||
|
||||
if (cinfo == NULL) {
|
||||
PORT_SetError(SEC_ERROR_BAD_DATA);
|
||||
goto loser;
|
||||
}
|
||||
|
||||
recipientinfos = envd->recipientInfos;
|
||||
if (recipientinfos == NULL) {
|
||||
PORT_SetError(SEC_ERROR_BAD_DATA);
|
||||
|
|
|
@ -73,6 +73,10 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
|
|||
NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
|
||||
SECAlgorithmID **detached_digestalgs, SECItem **detached_digests)
|
||||
{
|
||||
if (cmsg == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (pwfn)
|
||||
PK11_SetPasswordFunc(pwfn);
|
||||
cmsg->pwfn_arg = pwfn_arg;
|
||||
|
@ -88,6 +92,9 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
|
|||
void
|
||||
NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
|
||||
{
|
||||
if (cmsg == NULL)
|
||||
return;
|
||||
|
||||
PORT_Assert (cmsg->refCount > 0);
|
||||
if (cmsg->refCount <= 0) /* oops */
|
||||
return;
|
||||
|
@ -127,6 +134,10 @@ NSS_CMSMessage_Copy(NSSCMSMessage *cmsg)
|
|||
PLArenaPool *
|
||||
NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg)
|
||||
{
|
||||
if (cmsg == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return cmsg->poolp;
|
||||
}
|
||||
|
||||
|
@ -136,6 +147,10 @@ NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg)
|
|||
NSSCMSContentInfo *
|
||||
NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg)
|
||||
{
|
||||
if (cmsg == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return &(cmsg->contentInfo);
|
||||
}
|
||||
|
||||
|
@ -147,9 +162,16 @@ NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg)
|
|||
SECItem *
|
||||
NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg)
|
||||
{
|
||||
NSSCMSContentInfo *cinfo;
|
||||
SECItem *pItem;
|
||||
|
||||
if (cmsg == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* this is a shortcut */
|
||||
NSSCMSContentInfo * cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
|
||||
SECItem * pItem = NSS_CMSContentInfo_GetInnerContent(cinfo);
|
||||
cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
|
||||
pItem = NSS_CMSContentInfo_GetInnerContent(cinfo);
|
||||
return pItem;
|
||||
}
|
||||
|
||||
|
@ -164,6 +186,10 @@ NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg)
|
|||
int count = 0;
|
||||
NSSCMSContentInfo *cinfo;
|
||||
|
||||
if (cmsg == NULL) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* walk down the chain of contentinfos */
|
||||
for (cinfo = &(cmsg->contentInfo); cinfo != NULL; ) {
|
||||
count++;
|
||||
|
@ -183,6 +209,10 @@ NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n)
|
|||
int count = 0;
|
||||
NSSCMSContentInfo *cinfo;
|
||||
|
||||
if (cmsg == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* walk down the chain of contentinfos */
|
||||
for (cinfo = &(cmsg->contentInfo); cinfo != NULL && count < n; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
|
||||
count++;
|
||||
|
@ -199,6 +229,10 @@ NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg)
|
|||
{
|
||||
NSSCMSContentInfo *cinfo;
|
||||
|
||||
if (cmsg == NULL) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
|
||||
/* descend into CMS message */
|
||||
for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
|
||||
if (!NSS_CMSType_IsData(NSS_CMSContentInfo_GetContentTypeTag(cinfo)))
|
||||
|
@ -219,6 +253,10 @@ NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg)
|
|||
{
|
||||
NSSCMSContentInfo *cinfo;
|
||||
|
||||
if (cmsg == NULL) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
|
||||
/* walk down the chain of contentinfos */
|
||||
for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo))
|
||||
{
|
||||
|
@ -249,11 +287,18 @@ NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg)
|
|||
{
|
||||
NSSCMSContentInfo *cinfo;
|
||||
|
||||
if (cmsg == NULL) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
|
||||
/* walk down the chain of contentinfos */
|
||||
for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo))
|
||||
{
|
||||
switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
|
||||
case SEC_OID_PKCS7_SIGNED_DATA:
|
||||
if (cinfo->content.signedData == NULL) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos))
|
||||
return PR_TRUE;
|
||||
break;
|
||||
|
|
|
@ -240,7 +240,7 @@ NSS_CMSGenericWrapperData_Destroy(SECOidTag type, NSSCMSGenericWrapperData *gd)
|
|||
{
|
||||
const nsscmstypeInfo *typeInfo = nss_cmstype_lookup(type);
|
||||
|
||||
if (typeInfo && typeInfo->destroy) {
|
||||
if (typeInfo && typeInfo->destroy && (gd != NULL)) {
|
||||
(*typeInfo->destroy)(gd);
|
||||
}
|
||||
|
||||
|
|
|
@ -960,9 +960,9 @@ lg_FindECPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
|
|||
case CKA_UNWRAP:
|
||||
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
|
||||
case CKA_VALUE:
|
||||
return lg_CopyPrivAttrSigned(attribute, type,
|
||||
key->u.ec.privateValue.data,
|
||||
key->u.ec.privateValue.len, sdbpw);
|
||||
return lg_CopyPrivAttribute(attribute, type,
|
||||
key->u.ec.privateValue.data,
|
||||
key->u.ec.privateValue.len, sdbpw);
|
||||
case CKA_EC_PARAMS:
|
||||
return lg_CopyAttributeSigned(attribute, type,
|
||||
key->u.ec.ecParams.DEREncoding.data,
|
||||
|
|
|
@ -1159,8 +1159,7 @@ CK_RV NSC_EncryptUpdate(CK_SESSION_HANDLE hSession,
|
|||
}
|
||||
/* encrypt the current padded data */
|
||||
rv = (*context->update)(context->cipherInfo, pEncryptedPart,
|
||||
&padoutlen, context->blockSize, context->padBuf,
|
||||
context->blockSize);
|
||||
&padoutlen, maxout, context->padBuf, context->blockSize);
|
||||
if (rv != SECSuccess) {
|
||||
return sftk_MapCryptError(PORT_GetError());
|
||||
}
|
||||
|
@ -6973,7 +6972,7 @@ key_and_mac_derive_fail:
|
|||
|
||||
rv = ECDH_Derive(&ecPoint, &privKey->u.ec.ecParams, &ecScalar,
|
||||
withCofactor, &tmp);
|
||||
PORT_Free(ecScalar.data);
|
||||
PORT_ZFree(ecScalar.data, ecScalar.len);
|
||||
ecScalar.data = NULL;
|
||||
if (privKey != sourceKey->objectInfo) {
|
||||
nsslowkey_DestroyPrivateKey(privKey);
|
||||
|
|
|
@ -57,7 +57,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
|||
|
||||
export:: private_export
|
||||
|
||||
ifndef NSS_NO_PKCS11_BYPASS
|
||||
#ifndef NSS_NO_PKCS11_BYPASS
|
||||
# indicates dependency on freebl static lib
|
||||
$(SHARED_LIBRARY): $(CRYPTOLIB)
|
||||
endif
|
||||
#endif
|
||||
|
|
|
@ -14,13 +14,14 @@ endif
|
|||
|
||||
ifdef NSS_NO_PKCS11_BYPASS
|
||||
DEFINES += -DNO_PKCS11_BYPASS
|
||||
else
|
||||
#else
|
||||
endif
|
||||
CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
|
||||
|
||||
EXTRA_LIBS += \
|
||||
$(CRYPTOLIB) \
|
||||
$(NULL)
|
||||
endif
|
||||
#endif
|
||||
|
||||
ifeq (,$(filter-out WIN%,$(OS_TARGET)))
|
||||
|
||||
|
|
|
@ -23,6 +23,9 @@
|
|||
#include "sslerr.h"
|
||||
|
||||
#ifndef NO_PKCS11_BYPASS
|
||||
|
||||
#error not patched for SHA384, see bug 923089
|
||||
|
||||
/* make this a macro! */
|
||||
#ifdef NOT_A_MACRO
|
||||
static void
|
||||
|
|
|
@ -38,6 +38,17 @@
|
|||
#include "zlib.h"
|
||||
#endif
|
||||
|
||||
#ifdef _MSC_VER
|
||||
#if _MSC_VER < 1900
|
||||
#define inline
|
||||
#endif
|
||||
|
||||
#if _MSC_VER <= 1200
|
||||
typedef signed int intptr_t;
|
||||
typedef unsigned int uintptr_t;
|
||||
#endif
|
||||
#endif /* defined(_MSC_VER) */
|
||||
|
||||
#ifndef PK11_SETATTRS
|
||||
#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
|
||||
(x)->pValue=(v); (x)->ulValueLen = (l);
|
||||
|
@ -97,6 +108,7 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
|
|||
#ifndef NSS_DISABLE_ECC
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
/* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
|
||||
|
@ -294,6 +306,7 @@ static const ssl3BulkCipherDef bulk_cipher_defs[] = {
|
|||
{cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0},
|
||||
{cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0},
|
||||
{cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8},
|
||||
{cipher_aes_256_gcm, calg_aes_gcm, 32,32, type_aead, 4, 0,16, 8},
|
||||
{cipher_camellia_128_gcm, calg_camellia_gcm, 16,16, type_aead, 4, 0,16, 8},
|
||||
{cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0},
|
||||
};
|
||||
|
@ -419,8 +432,10 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] =
|
|||
|
||||
{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa},
|
||||
{TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
|
||||
|
||||
{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
|
||||
{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
|
||||
{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_rsa}, // XXX: ssl_hash_sha384 hardcoded, see TenFourFox issue 480
|
||||
{TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, cipher_camellia_128_gcm, mac_aead, kea_ecdhe_rsa},
|
||||
{TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, cipher_camellia_128_gcm, mac_aead, kea_ecdhe_ecdsa},
|
||||
|
||||
|
@ -502,6 +517,7 @@ static const SSLCipher2Mech alg2Mech[] = {
|
|||
#define mmech_md5_hmac CKM_MD5_HMAC
|
||||
#define mmech_sha_hmac CKM_SHA_1_HMAC
|
||||
#define mmech_sha256_hmac CKM_SHA256_HMAC
|
||||
#define mmech_sha384_hmac CKM_SHA384_HMAC
|
||||
|
||||
static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
|
||||
/* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
|
||||
|
@ -513,6 +529,7 @@ static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
|
|||
{hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH},
|
||||
{hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH},
|
||||
{ mac_aead, mmech_invalid, 0, 0 },
|
||||
{hmac_sha384, mmech_sha384_hmac, 0, SHA384_LENGTH},
|
||||
};
|
||||
|
||||
/* indexed by SSL3BulkCipher */
|
||||
|
@ -674,6 +691,7 @@ ssl3_CipherSuiteAllowedForVersionRange(
|
|||
case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
|
||||
case TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256:
|
||||
case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
|
||||
case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
|
||||
case TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256:
|
||||
case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
|
||||
case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:
|
||||
|
@ -2258,6 +2276,7 @@ ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
|
|||
#ifndef NO_PKCS11_BYPASS
|
||||
if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) {
|
||||
/* Double Bypass succeeded in extracting the master_secret */
|
||||
#error not patched for SHA384, see bug 923089
|
||||
const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
|
||||
PRBool isTLS = (PRBool)(kea_def->tls_keygen ||
|
||||
(pwSpec->version > SSL_LIBRARY_VERSION_3_0));
|
||||
|
@ -2392,6 +2411,7 @@ ssl3_ComputeRecordMAC(
|
|||
case ssl_hmac_sha256: /* used with TLS */
|
||||
hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
|
||||
break;
|
||||
#error does not yet support SHA384, see bug 923089
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
@ -3636,6 +3656,55 @@ ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
|
|||
return SECSuccess;
|
||||
}
|
||||
|
||||
/* XXX: These are stubs for TenFourFox issue 480, based on bug 923089.
|
||||
Instead of using the prf_hash field, these simply check the cipher.
|
||||
If we add a whole lot of new ciphers, we should probably just bite the
|
||||
bullet and add the hash field, but for now just hard-code them IN BOTH
|
||||
PLACES.
|
||||
|
||||
We get away with this because the code actually just maps ssl_hash_sha256
|
||||
and _none to SHA-256, and the only other value is SHA-384 for our
|
||||
exception ciphers. */
|
||||
|
||||
inline static CK_MECHANISM_TYPE
|
||||
ssl3_GetTls12PrfHashMechanism(sslSocket *ss)
|
||||
{
|
||||
#if(0)
|
||||
// For reference
|
||||
switch (ss->ssl3.hs.suite_def->prf_hash) {
|
||||
case ssl_hash_sha384:
|
||||
return CKM_SHA384;
|
||||
case ssl_hash_sha256:
|
||||
case ssl_hash_none:
|
||||
/* ssl_hash_none is for pre-1.2 suites, which use SHA-256. */
|
||||
return CKM_SHA256;
|
||||
default:
|
||||
PORT_Assert(0);
|
||||
}
|
||||
return CKM_SHA256;
|
||||
#else
|
||||
if (ss->ssl3.hs.cipher_suite == TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
|
||||
return CKM_SHA384;
|
||||
return CKM_SHA256;
|
||||
#endif
|
||||
}
|
||||
|
||||
inline static SSLHashType
|
||||
ssl3_GetSuitePrfHash(sslSocket *ss) {
|
||||
#if(0)
|
||||
// For reference
|
||||
/* ssl_hash_none is for pre-1.2 suites, which use SHA-256. */
|
||||
if (ss->ssl3.hs.suite_def->prf_hash == ssl_hash_none) {
|
||||
return ssl_hash_sha256;
|
||||
}
|
||||
return ss->ssl3.hs.suite_def->prf_hash;
|
||||
#else
|
||||
if (ss->ssl3.hs.cipher_suite == TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
|
||||
return ssl_hash_sha384;
|
||||
return ssl_hash_sha256;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* This method completes the derivation of the MS from the PMS.
|
||||
**
|
||||
** 1. Derive the MS, if possible, else return an error.
|
||||
|
@ -3753,7 +3822,7 @@ ssl3_ComputeMasterSecretInt(sslSocket *ss, PK11SymKey *pms,
|
|||
master_params.RandomInfo.pServerRandom = sr;
|
||||
master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
|
||||
if (isTLS12) {
|
||||
master_params.prfHashMechanism = CKM_SHA256;
|
||||
master_params.prfHashMechanism = ssl3_GetTls12PrfHashMechanism(ss);
|
||||
master_params_len = sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS);
|
||||
} else {
|
||||
/* prfHashMechanism is not relevant with this PRF */
|
||||
|
@ -3811,8 +3880,8 @@ tls_ComputeExtendedMasterSecretInt(sslSocket *ss, PK11SymKey *pms,
|
|||
}
|
||||
|
||||
if (pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
|
||||
/* TLS 1.2 */
|
||||
extended_master_params.prfHashMechanism = CKM_SHA256;
|
||||
/* TLS 1.2+ */
|
||||
extended_master_params.prfHashMechanism = ssl3_GetTls12PrfHashMechanism(ss);
|
||||
key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE;
|
||||
} else {
|
||||
/* TLS < 1.2 */
|
||||
|
@ -3998,7 +4067,7 @@ ssl3_DeriveConnectionKeysPKCS11(sslSocket *ss)
|
|||
|
||||
if (isTLS12) {
|
||||
key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE;
|
||||
key_material_params.prfHashMechanism = CKM_SHA256;
|
||||
key_material_params.prfHashMechanism = ssl3_GetTls12PrfHashMechanism(ss);
|
||||
key_material_params_len = sizeof(CK_TLS12_KEY_MAT_PARAMS);
|
||||
} else if (isTLS) {
|
||||
key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
|
||||
|
@ -4076,11 +4145,14 @@ ssl3_InitHandshakeHashes(sslSocket *ss)
|
|||
if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
|
||||
/* If we ever support ciphersuites where the PRF hash isn't SHA-256
|
||||
* then this will need to be updated. */
|
||||
// We don't build with the bypass enabled, but this is here in case we need to.
|
||||
#error handling for TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is incomplete
|
||||
ss->ssl3.hs.sha_obj = HASH_GetRawHashObject(HASH_AlgSHA256);
|
||||
if (!ss->ssl3.hs.sha_obj) {
|
||||
ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
|
||||
return SECFailure;
|
||||
}
|
||||
#error see bug 923089
|
||||
ss->ssl3.hs.sha_clone = (void (*)(void *, void *))SHA256_Clone;
|
||||
ss->ssl3.hs.hashType = handshake_hash_single;
|
||||
ss->ssl3.hs.sha_obj->begin(ss->ssl3.hs.sha_cx);
|
||||
|
@ -4099,9 +4171,20 @@ ssl3_InitHandshakeHashes(sslSocket *ss)
|
|||
* that the master secret will wind up in ...
|
||||
*/
|
||||
if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
|
||||
/* If we ever support ciphersuites where the PRF hash isn't SHA-256
|
||||
* then this will need to be updated. */
|
||||
ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA256);
|
||||
/* determine the hash from the prf */
|
||||
const SECOidData *hash_oid =
|
||||
SECOID_FindOIDByMechanism(ssl3_GetTls12PrfHashMechanism(ss));
|
||||
|
||||
/* Get the PKCS #11 mechanism for the Hash from the cipher suite (prf_hash)
|
||||
* Convert that to the OidTag. We can then use that OidTag to create our
|
||||
* PK11Context */
|
||||
PORT_Assert(hash_oid != NULL);
|
||||
if (hash_oid == NULL) {
|
||||
ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
ss->ssl3.hs.sha = PK11_CreateDigestContext(hash_oid->offset);
|
||||
if (ss->ssl3.hs.sha == NULL) {
|
||||
ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
|
||||
return SECFailure;
|
||||
|
@ -4422,6 +4505,12 @@ ssl3_AppendSignatureAndHashAlgorithm(
|
|||
sslSocket *ss, const SSLSignatureAndHashAlg* sigAndHash)
|
||||
{
|
||||
PRUint8 serialized[2];
|
||||
SECOidTag hashAlg = ssl3_TLSHashAlgorithmToOID(sigAndHash->hashAlg);
|
||||
if (hashAlg == SEC_OID_UNKNOWN) {
|
||||
PORT_Assert(0);
|
||||
PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
serialized[0] = (PRUint8)sigAndHash->hashAlg;
|
||||
serialized[1] = (PRUint8)sigAndHash->sigAlg;
|
||||
|
@ -4755,6 +4844,8 @@ ssl3_ComputeHandshakeHashes(sslSocket * ss,
|
|||
/* If we ever support ciphersuites where the PRF hash isn't SHA-256
|
||||
* then this will need to be updated. */
|
||||
hashes->hashAlg = ssl_hash_sha256;
|
||||
// We don't build with the bypass enabled, but this is here in case we need to.
|
||||
#error handling for TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is incomplete
|
||||
rv = SECSuccess;
|
||||
} else if (ss->opt.bypassPKCS11) {
|
||||
/* compute them without PKCS11 */
|
||||
|
@ -4862,9 +4953,8 @@ ssl3_ComputeHandshakeHashes(sslSocket * ss,
|
|||
rv = SECFailure;
|
||||
goto tls12_loser;
|
||||
}
|
||||
/* If we ever support ciphersuites where the PRF hash isn't SHA-256
|
||||
* then this will need to be updated. */
|
||||
hashes->hashAlg = ssl_hash_sha256;
|
||||
|
||||
hashes->hashAlg = ssl3_GetSuitePrfHash(ss);
|
||||
rv = SECSuccess;
|
||||
|
||||
tls12_loser:
|
||||
|
@ -6285,7 +6375,26 @@ loser:
|
|||
|
||||
|
||||
|
||||
/* Once a cipher suite has been selected, make sure that the necessary secondary
|
||||
* information is properly set. */
|
||||
static SECStatus
|
||||
ssl3_SetCipherSuite(sslSocket *ss, ssl3CipherSuite chosenSuite)
|
||||
{
|
||||
ss->ssl3.hs.cipher_suite = chosenSuite;
|
||||
ss->ssl3.hs.suite_def = ssl_LookupCipherSuiteDef(chosenSuite);
|
||||
if (!ss->ssl3.hs.suite_def) {
|
||||
PORT_Assert(0);
|
||||
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
// XXX?
|
||||
ss->ssl3.hs.kea_def = &kea_defs[ss->ssl3.hs.suite_def->key_exchange_alg];
|
||||
ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite;
|
||||
|
||||
/* Now we've have a cipher suite, initialize the handshake hashes. */
|
||||
return ssl3_InitHandshakeHashes(ss);
|
||||
}
|
||||
|
||||
/* Called from ssl3_HandleServerHelloDone(). */
|
||||
static SECStatus
|
||||
|
@ -6526,13 +6635,6 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
|||
ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version;
|
||||
isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
|
||||
|
||||
rv = ssl3_InitHandshakeHashes(ss);
|
||||
if (rv != SECSuccess) {
|
||||
desc = internal_error;
|
||||
errCode = PORT_GetError();
|
||||
goto alert_loser;
|
||||
}
|
||||
|
||||
rv = ssl3_ConsumeHandshake(
|
||||
ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
|
||||
if (rv != SECSuccess) {
|
||||
|
@ -6581,13 +6683,12 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
|||
errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
|
||||
goto alert_loser;
|
||||
}
|
||||
ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp;
|
||||
ss->ssl3.hs.suite_def = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp);
|
||||
ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite;
|
||||
PORT_Assert(ss->ssl3.hs.suite_def);
|
||||
if (!ss->ssl3.hs.suite_def) {
|
||||
PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE);
|
||||
goto loser; /* we don't send alerts for our screw-ups. */
|
||||
|
||||
rv = ssl3_SetCipherSuite(ss, (ssl3CipherSuite)temp);
|
||||
if (rv != SECSuccess) {
|
||||
desc = internal_error;
|
||||
errCode = PORT_GetError();
|
||||
goto alert_loser;
|
||||
}
|
||||
|
||||
/* find selected compression method in our list. */
|
||||
|
@ -7172,7 +7273,7 @@ done:
|
|||
/* Destroys the backup handshake hash context if we don't need it. Note that
|
||||
* this function selects the hash algorithm for client authentication
|
||||
* signatures; ssl3_SendCertificateVerify uses the presence of the backup hash
|
||||
* to determine whether to use SHA-1 or SHA-256. */
|
||||
* to determine whether to use SHA-1, or the PRF hash of the cipher suite. */
|
||||
static void
|
||||
ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
|
||||
const SECItem *algorithms)
|
||||
|
@ -7181,7 +7282,7 @@ ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
|
|||
SSLSignType sigAlg;
|
||||
PRBool preferSha1;
|
||||
PRBool supportsSha1 = PR_FALSE;
|
||||
PRBool supportsSha256 = PR_FALSE;
|
||||
PRBool supportsHandshakeHash = PR_FALSE;
|
||||
PRBool needBackupHash = PR_FALSE;
|
||||
unsigned int i;
|
||||
|
||||
|
@ -7205,15 +7306,17 @@ ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
|
|||
if (algorithms->data[i+1] == sigAlg) {
|
||||
if (algorithms->data[i] == ssl_hash_sha1) {
|
||||
supportsSha1 = PR_TRUE;
|
||||
} else if (algorithms->data[i] == ssl_hash_sha256) {
|
||||
supportsSha256 = PR_TRUE;
|
||||
}
|
||||
}
|
||||
} else if (algorithms->data[i] == ssl_hash_sha256 || algorithms->data[i] == ssl_hash_sha384) {
|
||||
/* XXX: This is wrong, but works. If we implement prf_hash,
|
||||
we should fix it. See bug 923089. */
|
||||
supportsHandshakeHash = PR_TRUE;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* If either the server does not support SHA-256 or the client key prefers
|
||||
/* If either the server does not support the handshake hash or the client key prefers
|
||||
* SHA-1, leave the backup hash. */
|
||||
if (supportsSha1 && (preferSha1 || !supportsSha256)) {
|
||||
if (supportsSha1 && (preferSha1 || !supportsHandshakeHash)) {
|
||||
needBackupHash = PR_TRUE;
|
||||
}
|
||||
|
||||
|
@ -8240,14 +8343,16 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
|||
if (!suite->enabled)
|
||||
break;
|
||||
#endif
|
||||
/* Double check that the cached cipher suite is in the client's list */
|
||||
/* Double check that the cached cipher suite is in the client's
|
||||
* list. If it isn't, fall through and start a new session. */
|
||||
for (i = 0; i + 1 < suites.len; i += 2) {
|
||||
PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
|
||||
if (suite_i == suite->cipher_suite) {
|
||||
ss->ssl3.hs.cipher_suite = suite->cipher_suite;
|
||||
ss->ssl3.hs.suite_def =
|
||||
ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
|
||||
ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite;
|
||||
if (ssl3_SetCipherSuite(ss, suite_i) != SECSuccess) {
|
||||
desc = internal_error;
|
||||
errCode = PORT_GetError();
|
||||
goto alert_loser;
|
||||
}
|
||||
|
||||
/* Use the cached compression method. */
|
||||
ss->ssl3.hs.compression = sid->u.ssl3.compression;
|
||||
|
@ -8290,10 +8395,11 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
|||
for (i = 0; i + 1 < suites.len; i += 2) {
|
||||
PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
|
||||
if (suite_i == suite->cipher_suite) {
|
||||
ss->ssl3.hs.cipher_suite = suite->cipher_suite;
|
||||
ss->ssl3.hs.suite_def =
|
||||
ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
|
||||
ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite;
|
||||
if (ssl3_SetCipherSuite(ss, suite_i) != SECSuccess) {
|
||||
desc = internal_error;
|
||||
errCode = PORT_GetError();
|
||||
goto alert_loser;
|
||||
}
|
||||
goto suite_found;
|
||||
}
|
||||
}
|
||||
|
@ -8807,13 +8913,6 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
|
|||
}
|
||||
ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version;
|
||||
|
||||
rv = ssl3_InitHandshakeHashes(ss);
|
||||
if (rv != SECSuccess) {
|
||||
desc = internal_error;
|
||||
errCode = PORT_GetError();
|
||||
goto alert_loser;
|
||||
}
|
||||
|
||||
/* if we get a non-zero SID, just ignore it. */
|
||||
if (length !=
|
||||
SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) {
|
||||
|
@ -8867,10 +8966,11 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
|
|||
for (i = 0; i+2 < suite_length; i += 3) {
|
||||
PRUint32 suite_i = (suites[i] << 16)|(suites[i+1] << 8)|suites[i+2];
|
||||
if (suite_i == suite->cipher_suite) {
|
||||
ss->ssl3.hs.cipher_suite = suite->cipher_suite;
|
||||
ss->ssl3.hs.suite_def =
|
||||
ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
|
||||
ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite;
|
||||
if (ssl3_SetCipherSuite(ss, suite_i) != SECSuccess) {
|
||||
desc = internal_error;
|
||||
errCode = PORT_GetError();
|
||||
goto alert_loser;
|
||||
}
|
||||
goto suite_found;
|
||||
}
|
||||
}
|
||||
|
@ -9419,6 +9519,8 @@ ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 *buf,
|
|||
unsigned maxLen, PRUint32 *len)
|
||||
{
|
||||
unsigned int i;
|
||||
/* We only track a single hash, the one that is the basis for the PRF. */
|
||||
SSLHashType suiteHashAlg = ssl3_GetSuitePrfHash(ss);
|
||||
|
||||
PORT_Assert(maxLen >= ss->ssl3.signatureAlgorithmCount * 2);
|
||||
if (maxLen < ss->ssl3.signatureAlgorithmCount * 2) {
|
||||
|
@ -9430,9 +9532,9 @@ ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 *buf,
|
|||
for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) {
|
||||
const SSLSignatureAndHashAlg *alg = &ss->ssl3.signatureAlgorithms[i];
|
||||
/* Note that we don't support a handshake hash with anything other than
|
||||
* SHA-256, so asking for a signature from clients for something else
|
||||
* would be inviting disaster. */
|
||||
if (alg->hashAlg == ssl_hash_sha256) {
|
||||
* the PRF hash, so asking for a signature from clients for something
|
||||
* else would be inviting disaster. */
|
||||
if (alg->hashAlg == suiteHashAlg) {
|
||||
buf[(*len)++] = (PRUint8)alg->hashAlg;
|
||||
buf[(*len)++] = (PRUint8)alg->sigAlg;
|
||||
}
|
||||
|
@ -9713,6 +9815,24 @@ ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
|
|||
return pms;
|
||||
}
|
||||
|
||||
static void
|
||||
ssl3_CSwapPK11SymKey(PK11SymKey **x, PK11SymKey **y, PRBool c)
|
||||
{
|
||||
uintptr_t x_ptr = (uintptr_t)*x;
|
||||
uintptr_t y_ptr = (uintptr_t)*y;
|
||||
uintptr_t mask = (uintptr_t)c;
|
||||
uintptr_t tmp;
|
||||
unsigned int i;
|
||||
for (i = 1; i < sizeof(uintptr_t) * 8; i <<= 1) {
|
||||
mask |= mask << i;
|
||||
}
|
||||
tmp = (x_ptr ^ y_ptr) & mask;
|
||||
x_ptr = x_ptr ^ tmp;
|
||||
y_ptr = y_ptr ^ tmp;
|
||||
*x = (PK11SymKey *)x_ptr;
|
||||
*y = (PK11SymKey *)y_ptr;
|
||||
}
|
||||
|
||||
/* Note: The Bleichenbacher attack on PKCS#1 necessitates that we NEVER
|
||||
* return any indication of failure of the Client Key Exchange message,
|
||||
* where that failure is caused by the content of the client's message.
|
||||
|
@ -9808,6 +9928,7 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
|
|||
rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
|
||||
}
|
||||
}
|
||||
#error not patched for SHA384, see bug 923089
|
||||
/* have PMS, build MS without PKCS11 */
|
||||
rv = ssl3_MasterSecretDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS,
|
||||
PR_TRUE);
|
||||
|
@ -9820,13 +9941,9 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
|
|||
} else
|
||||
#endif
|
||||
{
|
||||
PK11SymKey *tmpPms[2] = {NULL, NULL};
|
||||
PK11SlotInfo *slot;
|
||||
int useFauxPms = 0;
|
||||
#define currentPms tmpPms[!useFauxPms]
|
||||
#define unusedPms tmpPms[useFauxPms]
|
||||
#define realPms tmpPms[1]
|
||||
#define fauxPms tmpPms[0]
|
||||
PK11SymKey *pms = NULL;
|
||||
PK11SymKey *fauxPms = NULL;
|
||||
PK11SlotInfo *slot = NULL;
|
||||
|
||||
#ifndef NO_PKCS11_BYPASS
|
||||
double_bypass:
|
||||
|
@ -9886,29 +10003,28 @@ double_bypass:
|
|||
* the unwrap. Rather, it is the mechanism with which the
|
||||
* unwrapped pms will be used.
|
||||
*/
|
||||
realPms = PK11_PubUnwrapSymKey(serverKey, &enc_pms,
|
||||
CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
|
||||
pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms,
|
||||
CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
|
||||
|
||||
/* Temporarily use the PMS if unwrapping the real PMS fails. */
|
||||
useFauxPms |= (realPms == NULL);
|
||||
ssl3_CSwapPK11SymKey(&pms, &fauxPms, pms == NULL);
|
||||
|
||||
/* Attempt to derive the MS from the PMS. This is the only way to
|
||||
* check the version field in the RSA PMS. If this fails, we
|
||||
* then use the faux PMS in place of the PMS. Note that this
|
||||
* operation should never fail if we are using the faux PMS
|
||||
* since it is correctly formatted. */
|
||||
rv = ssl3_ComputeMasterSecret(ss, currentPms, NULL);
|
||||
|
||||
/* If we succeeded, then select the true PMS and discard the
|
||||
* FPMS. Else, select the FPMS and select the true PMS */
|
||||
useFauxPms |= (rv != SECSuccess);
|
||||
|
||||
if (unusedPms) {
|
||||
PK11_FreeSymKey(unusedPms);
|
||||
}
|
||||
rv = ssl3_ComputeMasterSecret(ss, pms, NULL);
|
||||
|
||||
/* If we succeeded, then select the true PMS, else select the FPMS. */
|
||||
ssl3_CSwapPK11SymKey(&pms, &fauxPms, (rv != SECSuccess) & (fauxPms != NULL));
|
||||
/* This step will derive the MS from the PMS, among other things. */
|
||||
rv = ssl3_InitPendingCipherSpec(ss, currentPms);
|
||||
PK11_FreeSymKey(currentPms);
|
||||
rv = ssl3_InitPendingCipherSpec(ss, pms);
|
||||
|
||||
/* Clear both PMS. */
|
||||
PK11_FreeSymKey(pms);
|
||||
PK11_FreeSymKey(fauxPms);
|
||||
}
|
||||
|
||||
if (rv != SECSuccess) {
|
||||
|
@ -9916,11 +10032,6 @@ double_bypass:
|
|||
return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
|
||||
}
|
||||
|
||||
#undef currentPms
|
||||
#undef unusedPms
|
||||
#undef realPms
|
||||
#undef fauxPms
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
|
@ -10886,7 +10997,7 @@ done:
|
|||
}
|
||||
|
||||
static SECStatus
|
||||
ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
|
||||
ssl3_ComputeTLSFinished(sslSocket *ss, ssl3CipherSpec *spec,
|
||||
PRBool isServer,
|
||||
const SSL3Hashes * hashes,
|
||||
TLSFinished * tlsFinished)
|
||||
|
@ -10909,7 +11020,7 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
|
|||
if (spec->version < SSL_LIBRARY_VERSION_TLS_1_2) {
|
||||
tls_mac_params.prfMechanism = CKM_TLS_PRF;
|
||||
} else {
|
||||
tls_mac_params.prfMechanism = CKM_SHA256;
|
||||
tls_mac_params.prfMechanism = ssl3_GetTls12PrfHashMechanism(ss);
|
||||
}
|
||||
tls_mac_params.ulMacLength = 12;
|
||||
tls_mac_params.ulServerOrClient = isServer ? 1 : 2;
|
||||
|
@ -11111,7 +11222,7 @@ ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
|
|||
isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
|
||||
rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender);
|
||||
if (isTLS && rv == SECSuccess) {
|
||||
rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished);
|
||||
rv = ssl3_ComputeTLSFinished(ss, cwSpec, isServer, &hashes, &tlsFinished);
|
||||
}
|
||||
ssl_ReleaseSpecReadLock(ss);
|
||||
if (rv != SECSuccess) {
|
||||
|
@ -11282,7 +11393,7 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
|
|||
PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
|
||||
return SECFailure;
|
||||
}
|
||||
rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer,
|
||||
rv = ssl3_ComputeTLSFinished(ss, ss->ssl3.crSpec, !isServer,
|
||||
hashes, &tlsFinished);
|
||||
if (!isServer)
|
||||
ss->ssl3.hs.finishedMsgs.tFinished[1] = tlsFinished;
|
||||
|
|
|
@ -931,6 +931,7 @@ static const ssl3CipherSuite ecdhe_rsa_suites[] = {
|
|||
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
||||
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
|
||||
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||
TLS_ECDHE_RSA_WITH_NULL_SHA,
|
||||
|
@ -952,6 +953,7 @@ static const ssl3CipherSuite ecSuites[] = {
|
|||
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
||||
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
|
||||
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||
TLS_ECDHE_RSA_WITH_NULL_SHA,
|
||||
|
|
|
@ -50,6 +50,7 @@ const PRUint16 SSL_ImplementedCiphers[] = {
|
|||
#ifndef NSS_DISABLE_ECC
|
||||
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
|
||||
TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
|
||||
/* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
|
||||
|
|
|
@ -64,6 +64,7 @@ typedef SSLSignType SSL3SignType;
|
|||
#define hmac_md5 ssl_hmac_md5
|
||||
#define hmac_sha ssl_hmac_sha
|
||||
#define hmac_sha256 ssl_hmac_sha256
|
||||
#define hmac_sha384 ssl_hmac_sha384
|
||||
#define mac_aead ssl_mac_aead
|
||||
|
||||
#define SET_ERROR_CODE /* reminder */
|
||||
|
@ -292,7 +293,7 @@ typedef struct {
|
|||
} ssl3CipherSuiteCfg;
|
||||
|
||||
#ifndef NSS_DISABLE_ECC
|
||||
#define ssl_V3_SUITES_IMPLEMENTED 66
|
||||
#define ssl_V3_SUITES_IMPLEMENTED 67
|
||||
#else
|
||||
#define ssl_V3_SUITES_IMPLEMENTED 40
|
||||
#endif /* NSS_DISABLE_ECC */
|
||||
|
@ -478,6 +479,7 @@ typedef enum {
|
|||
cipher_camellia_256,
|
||||
cipher_seed,
|
||||
cipher_aes_128_gcm,
|
||||
cipher_aes_256_gcm,
|
||||
cipher_camellia_128_gcm,
|
||||
cipher_missing /* reserved for no such supported cipher */
|
||||
/* This enum must match ssl3_cipherName[] in ssl3con.c. */
|
||||
|
@ -596,7 +598,7 @@ typedef struct {
|
|||
ssl3KeyMaterial client;
|
||||
ssl3KeyMaterial server;
|
||||
SECItem msItem;
|
||||
unsigned char key_block[NUM_MIXERS * MD5_LENGTH];
|
||||
unsigned char key_block[NUM_MIXERS * HASH_LENGTH_MAX];
|
||||
unsigned char raw_master_secret[56];
|
||||
SECItem srvVirtName; /* for server: name that was negotiated
|
||||
* with a client. For client - is
|
||||
|
|
|
@ -160,6 +160,7 @@ SSL_GetPreliminaryChannelInfo(PRFileDesc *fd,
|
|||
#define B_0 0, 0, 0
|
||||
|
||||
#define M_AEAD_128 "AEAD", ssl_mac_aead, 128
|
||||
#define M_SHA384 "SHA384", ssl_hmac_sha384, 384
|
||||
#define M_SHA256 "SHA256", ssl_hmac_sha256, 256
|
||||
#define M_SHA "SHA1", ssl_mac_sha, 160
|
||||
#define M_MD5 "MD5", ssl_mac_md5, 128
|
||||
|
@ -216,6 +217,7 @@ static const SSLCipherSuiteInfo suiteInfo[] = {
|
|||
#ifndef NSS_DISABLE_ECC
|
||||
/* ECC cipher suites */
|
||||
{0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
|
||||
{0,CS(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_ECDHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, },
|
||||
{0,CS(TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
|
||||
{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
|
||||
{0,CS(TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
|
||||
|
|
|
@ -258,6 +258,7 @@
|
|||
#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
|
||||
#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D
|
||||
#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
|
||||
#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030
|
||||
#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
|
||||
|
||||
#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC086
|
||||
|
|
|
@ -115,7 +115,8 @@ typedef enum {
|
|||
ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */
|
||||
ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */
|
||||
ssl_hmac_sha256 = 5,
|
||||
ssl_mac_aead = 6
|
||||
ssl_mac_aead = 6,
|
||||
ssl_hmac_sha384 = 7
|
||||
} SSLMACAlgorithm;
|
||||
|
||||
typedef enum {
|
||||
|
|
|
@ -870,8 +870,15 @@ static SECStatus DecodeItem(void* dest,
|
|||
break;
|
||||
}
|
||||
|
||||
case SEC_ASN1_BIT_STRING:
|
||||
{
|
||||
case SEC_ASN1_BIT_STRING: {
|
||||
/* Can't be 8 or more spare bits, or any spare bits
|
||||
* if there are no octets. */
|
||||
if (temp.data[0] >= 8 || (temp.data[0] > 0 && temp.len == 1)) {
|
||||
PORT_SetError(SEC_ERROR_BAD_DER);
|
||||
rv = SECFailure;
|
||||
break;
|
||||
}
|
||||
|
||||
/* change the length in the SECItem to be the number
|
||||
of bits */
|
||||
temp.len = (temp.len-1)*8 - (temp.data[0] & 0x7);
|
||||
|
|
|
@ -466,6 +466,7 @@ CONST_OID aes128_OFB[] = { AES, 3 };
|
|||
CONST_OID aes128_CFB[] = { AES, 4 };
|
||||
#endif
|
||||
CONST_OID aes128_KEY_WRAP[] = { AES, 5 };
|
||||
CONST_OID aes128_GCM[] = { AES, 6 };
|
||||
|
||||
CONST_OID aes192_ECB[] = { AES, 21 };
|
||||
CONST_OID aes192_CBC[] = { AES, 22 };
|
||||
|
@ -474,6 +475,7 @@ CONST_OID aes192_OFB[] = { AES, 23 };
|
|||
CONST_OID aes192_CFB[] = { AES, 24 };
|
||||
#endif
|
||||
CONST_OID aes192_KEY_WRAP[] = { AES, 25 };
|
||||
CONST_OID aes192_GCM[] = { AES, 26 };
|
||||
|
||||
CONST_OID aes256_ECB[] = { AES, 41 };
|
||||
CONST_OID aes256_CBC[] = { AES, 42 };
|
||||
|
@ -482,6 +484,7 @@ CONST_OID aes256_OFB[] = { AES, 43 };
|
|||
CONST_OID aes256_CFB[] = { AES, 44 };
|
||||
#endif
|
||||
CONST_OID aes256_KEY_WRAP[] = { AES, 45 };
|
||||
CONST_OID aes256_GCM[] = { AES, 46 };
|
||||
|
||||
CONST_OID camellia128_CBC[] = { CAMELLIA_ENCRYPT_OID, 2};
|
||||
CONST_OID camellia192_CBC[] = { CAMELLIA_ENCRYPT_OID, 3};
|
||||
|
@ -1639,7 +1642,14 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
|
|||
"Microsoft Trust List Signing",
|
||||
CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
|
||||
OD( x520Name, SEC_OID_AVA_NAME,
|
||||
"X520 Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION )
|
||||
"X520 Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
|
||||
|
||||
OD( aes128_GCM, SEC_OID_AES_128_GCM,
|
||||
"AES-128-GCM", CKM_AES_GCM, INVALID_CERT_EXTENSION ),
|
||||
OD( aes192_GCM, SEC_OID_AES_192_GCM,
|
||||
"AES-192-GCM", CKM_AES_GCM, INVALID_CERT_EXTENSION ),
|
||||
OD( aes256_GCM, SEC_OID_AES_256_GCM,
|
||||
"AES-256-GCM", CKM_AES_GCM, INVALID_CERT_EXTENSION )
|
||||
};
|
||||
|
||||
/* PRIVATE EXTENDED SECOID Table
|
||||
|
|
|
@ -443,6 +443,10 @@ typedef enum {
|
|||
/* The 'name' attribute type in X.520 */
|
||||
SEC_OID_AVA_NAME = 317,
|
||||
|
||||
SEC_OID_AES_128_GCM = 318,
|
||||
SEC_OID_AES_192_GCM = 319,
|
||||
SEC_OID_AES_256_GCM = 320,
|
||||
|
||||
SEC_OID_TOTAL
|
||||
} SECOidTag;
|
||||
|
||||
|
|
Loading…
Reference in New Issue