cherry-picked mozilla NSS upstream changes (to rev bad5fd065fa1, which is on par with 3.20):

bug1001332, 56b691c003ad, bug1086145, bug1054069, bug1155922, bug991783, bug1125025, bug1162521, bug1162644, bug1132941, bug1164364, bug1166205, bug1166163, bug1166515, bug1138554, bug1167046, bug1167043, bug1169451, bug1172128, bug1170322, bug102794, bug1128184, bug557830, bug1174648, bug1180244, bug1177784, bug1173413, bug1169174, bug1084669, bug951455, bug1183395, bug1177430, bug1183827, bug1160139, bug1154106, bug1142209, bug1185033, bug1193467, bug1182667(with sha512 changes backed out, which breaks VC6 compilation), bug1158489, bug337796
roytam1 2018-07-12 21:44:51 +08:00
parent a4e283f567
commit 44b7f056d9
236 changed files with 4268 additions and 2567 deletions


@ -56,8 +56,7 @@ char *testdir = NULL;
#define TIMEMARK(seconds) \ #define TIMEMARK(seconds) \
time1 = PR_SecondsToInterval(seconds); \ time1 = PR_SecondsToInterval(seconds); \
{ \ { \
PRInt64 tmp, L100; \ PRInt64 tmp; \
LL_I2L(L100, 100); \
if (time2 == 0) { \ if (time2 == 0) { \
time2 = 1; \ time2 = 1; \
} \ } \
@ -313,7 +312,6 @@ serialize_key(SECItem *it, int ni, PRFileDesc *file)
{ {
unsigned char len[4]; unsigned char len[4];
int i; int i;
SECStatus status;
NSSBase64Encoder *cx; NSSBase64Encoder *cx;
cx = NSSBase64Encoder_Create(output_ascii, file); cx = NSSBase64Encoder_Create(output_ascii, file);
for (i=0; i<ni; i++, it++) { for (i=0; i<ni; i++, it++) {
@ -321,11 +319,11 @@ serialize_key(SECItem *it, int ni, PRFileDesc *file)
len[1] = (it->len >> 16) & 0xff; len[1] = (it->len >> 16) & 0xff;
len[2] = (it->len >> 8) & 0xff; len[2] = (it->len >> 8) & 0xff;
len[3] = (it->len & 0xff); len[3] = (it->len & 0xff);
status = NSSBase64Encoder_Update(cx, len, 4); NSSBase64Encoder_Update(cx, len, 4);
status = NSSBase64Encoder_Update(cx, it->data, it->len); NSSBase64Encoder_Update(cx, it->data, it->len);
} }
status = NSSBase64Encoder_Destroy(cx, PR_FALSE); NSSBase64Encoder_Destroy(cx, PR_FALSE);
status = PR_Write(file, "\r\n", 2); PR_Write(file, "\r\n", 2);
} }
void void
@ -1436,7 +1434,7 @@ bltest_aes_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
int minorMode; int minorMode;
int i; int i;
int keylen = aesp->key.buf.len; int keylen = aesp->key.buf.len;
int blocklen = AES_BLOCK_SIZE; unsigned int blocklen = AES_BLOCK_SIZE;
PRIntervalTime time1, time2; PRIntervalTime time1, time2;
unsigned char *params; unsigned char *params;
int len; int len;
@ -1635,6 +1633,8 @@ bltest_rsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
cipherInfo->cipher.pubkeyCipher = encrypt ? rsa_encryptOAEP cipherInfo->cipher.pubkeyCipher = encrypt ? rsa_encryptOAEP
: rsa_decryptOAEP; : rsa_decryptOAEP;
break; break;
default:
break;
} }
return SECSuccess; return SECSuccess;
} }
@ -2569,8 +2569,6 @@ printPR_smpString(const char *sformat, char *reportStr,
fprintf(stdout, sformat, reportStr); fprintf(stdout, sformat, reportStr);
PR_smprintf_free(reportStr); PR_smprintf_free(reportStr);
} else { } else {
int prnRes;
LL_L2I(prnRes, rNum);
fprintf(stdout, nformat, rNum); fprintf(stdout, nformat, rNum);
} }
} }
@ -2791,8 +2789,8 @@ mode_str_to_hash_alg(const SECItem *modeStr)
case bltestSHA256: return HASH_AlgSHA256; case bltestSHA256: return HASH_AlgSHA256;
case bltestSHA384: return HASH_AlgSHA384; case bltestSHA384: return HASH_AlgSHA384;
case bltestSHA512: return HASH_AlgSHA512; case bltestSHA512: return HASH_AlgSHA512;
default: return HASH_AlgNULL;
} }
return HASH_AlgNULL;
} }
void void
@ -3004,7 +3002,7 @@ blapi_selftest(bltestCipherMode *modes, int numModes, int inoff, int outoff,
bltestIO pt, ct; bltestIO pt, ct;
bltestCipherMode mode; bltestCipherMode mode;
bltestParams *params; bltestParams *params;
int i, j, nummodes, numtests; unsigned int i, j, nummodes, numtests;
char *modestr; char *modestr;
char filename[256]; char filename[256];
PLArenaPool *arena; PLArenaPool *arena;
@ -3457,13 +3455,12 @@ static secuCommandFlag bltest_options[] =
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
char *infileName, *outfileName, *keyfileName, *ivfileName;
SECStatus rv = SECFailure; SECStatus rv = SECFailure;
double totalTime; double totalTime = 0.0;
PRIntervalTime time1, time2; PRIntervalTime time1, time2;
PRFileDesc *outfile = NULL; PRFileDesc *outfile = NULL;
bltestCipherInfo *cipherInfoListHead, *cipherInfo; bltestCipherInfo *cipherInfoListHead, *cipherInfo = NULL;
bltestIOMode ioMode; bltestIOMode ioMode;
int bufsize, exponent, curThrdNum; int bufsize, exponent, curThrdNum;
#ifndef NSS_DISABLE_ECC #ifndef NSS_DISABLE_ECC
@ -3511,8 +3508,6 @@ int main(int argc, char **argv)
cipherInfo = PORT_ZNew(bltestCipherInfo); cipherInfo = PORT_ZNew(bltestCipherInfo);
cipherInfoListHead = cipherInfo; cipherInfoListHead = cipherInfo;
/* set some defaults */
infileName = outfileName = keyfileName = ivfileName = NULL;
/* Check the number of commands entered on the command line. */ /* Check the number of commands entered on the command line. */
commandsEntered = 0; commandsEntered = 0;
@ -3713,7 +3708,9 @@ int main(int argc, char **argv)
progName); progName);
print_usage: print_usage:
if (cipherInfo) {
PORT_Free(cipherInfo); PORT_Free(cipherInfo);
}
Usage(); Usage();
} }
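Review bot: In serialize_key the results of `NSSBase64Encoder_Update`, `NSSBase64Encoder_Destroy` and `PR_Write` are now dropped without comment, and `cx` is still used without a NULL check after `NSSBase64Encoder_Create`, so a failed or short write leaves a truncated key file that the caller cannot tell from a good one. Since this is where key material is written out, test each call, e.g. `if (NSSBase64Encoder_Update(cx, len, 4) != SECSuccess) break;`, and guard the encoder with `if (!cx) return;`. The function's return type is outside the hunk, so whether a failure can be reported to the caller has to be confirmed there. If it cannot, a `(void)` cast with a comment saying the result is deliberately ignored would at least document the choice.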


@ -356,81 +356,6 @@ find_field_bool(Pair *data,
} }
} }
static char *
update_data_by_name(Pair *data,
char *field_name,
char *new_data)
/* replaces the data in the data structure associated with
a name with new data, returns null if not found */
{
int i = 0;
int found = 0;
int length = 100;
char *new;
while (return_name(data, i) != NULL) {
if (PORT_Strcmp(return_name(data, i), field_name) == 0) {
new = make_copy_string( new_data, length, '\0');
PORT_Free(return_data(data, i));
found = 1;
(*(data + i)).data = new;
break;
}
i++;
}
if (!found) {
new = NULL;
}
return new;
}
static char *
update_data_by_index(Pair *data,
int n,
char *new_data)
/* replaces the data of a particular index in the data structure */
{
int length = 100;
char *new;
new = make_copy_string(new_data, length, '\0');
PORT_Free(return_data(data, n));
(*(data + n)).data = new;
return new;
}
static Pair *
add_field(Pair *data,
char* field_name,
char* field_data)
/* adds a new name/data pair to the data structure */
{
int i = 0;
int j;
int name_length = 100;
int data_length = 100;
while(return_name(data, i) != NULL) {
i++;
}
j = START_FIELDS;
while ( j < (i + 1) ) {
j = j * 2;
}
if (j == (i + 1)) {
data = (Pair *) PORT_Realloc(data, (j * 2) * sizeof(Pair));
if (data == NULL) {
error_allocate();
}
}
(*(data + i)).name = make_copy_string(field_name, name_length, '\0');
(*(data + i)).data = make_copy_string(field_data, data_length, '\0');
(data + i + 1)->name = NULL;
return data;
}
static CERTCertificateRequest * static CERTCertificateRequest *
makeCertReq(Pair *form_data, makeCertReq(Pair *form_data,
int which_priv_key) int which_priv_key)
@ -527,10 +452,6 @@ MakeV1Cert(CERTCertDBHandle *handle,
PRExplodedTime printableTime; PRExplodedTime printableTime;
PRTime now, PRTime now,
after; after;
SECStatus rv;
if ( !selfsign ) { if ( !selfsign ) {
issuerCert = CERT_FindCertByNameString(handle, issuerNameStr); issuerCert = CERT_FindCertByNameString(handle, issuerNameStr);
if (!issuerCert) { if (!issuerCert) {
@ -539,7 +460,7 @@ MakeV1Cert(CERTCertDBHandle *handle,
} }
} }
if (find_field_bool(data, "manValidity", PR_TRUE)) { if (find_field_bool(data, "manValidity", PR_TRUE)) {
rv = DER_AsciiToTime(&now, find_field(data, "notBefore", PR_TRUE)); (void)DER_AsciiToTime(&now, find_field(data, "notBefore", PR_TRUE));
} else { } else {
now = PR_Now(); now = PR_Now();
} }
@ -550,7 +471,7 @@ MakeV1Cert(CERTCertDBHandle *handle,
PR_ExplodeTime (now, PR_GMTParameters, &printableTime); PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
} }
if (find_field_bool(data, "manValidity", PR_TRUE)) { if (find_field_bool(data, "manValidity", PR_TRUE)) {
rv = DER_AsciiToTime(&after, find_field(data, "notAfter", PR_TRUE)); (void)DER_AsciiToTime(&after, find_field(data, "notAfter", PR_TRUE));
PR_ExplodeTime (after, PR_GMTParameters, &printableTime); PR_ExplodeTime (after, PR_GMTParameters, &printableTime);
} else { } else {
printableTime.tm_month += 3; printableTime.tm_month += 3;
@ -591,7 +512,7 @@ get_serial_number(Pair *data)
if (ferror(serialFile) != 0) { if (ferror(serialFile) != 0) {
error_out("Error: Unable to read serial number file"); error_out("Error: Unable to read serial number file");
} }
if (serial == 4294967295) { if (serial == -1) {
serial = 21; serial = 21;
} }
fclose(serialFile); fclose(serialFile);
@ -1417,52 +1338,49 @@ string_to_ipaddress(char *string)
return ipaddress; return ipaddress;
} }
static int
chr_to_hex(char c) {
if (isdigit(c)) {
return c - '0';
}
if (isxdigit(c)) {
return toupper(c) - 'A' + 10;
}
return -1;
}
static SECItem * static SECItem *
string_to_binary(char *string) string_to_binary(char *string)
{ {
SECItem *rv; SECItem *rv;
int high_digit;
int low_digit;
rv = (SECItem *) PORT_ZAlloc(sizeof(SECItem)); rv = (SECItem *) PORT_ZAlloc(sizeof(SECItem));
if (rv == NULL) { if (rv == NULL) {
error_allocate(); error_allocate();
} }
rv->data = (unsigned char *) PORT_ZAlloc((PORT_Strlen(string))/3 + 2); rv->data = (unsigned char *) PORT_ZAlloc((PORT_Strlen(string))/3 + 2);
while (!isxdigit(*string)) {
string++;
}
rv->len = 0; rv->len = 0;
while (*string != '\0') { while (*string && !isxdigit(*string)) {
if (isxdigit(*string)) {
if (*string >= '0' && *string <= '9') {
high_digit = *string - '0';
} else {
*string = toupper(*string);
high_digit = *string - 'A' + 10;
}
string++;
if (*string >= '0' && *string <= '9') {
low_digit = *string - '0';
} else {
*string = toupper(*string);
low_digit = *string - 'A' + 10;
}
(rv->len)++;
} else {
if (*string == ':') {
string++;
} else {
if (*string == ' ') {
while (*string == ' ') {
string++; string++;
} }
} while (*string) {
if (*string != '\0') { int high, low;
high = chr_to_hex(*string++);
low = chr_to_hex(*string++);
if (high < 0 || low < 0) {
error_out("ERROR: Improperly formated binary encoding"); error_out("ERROR: Improperly formated binary encoding");
} }
rv->data[(rv->len)++] = high << 4 | low;
if (*string != ':') {
break;
} }
++string;
} }
while (*string == ' ') {
++string;
}
if (*string) {
error_out("ERROR: Junk after binary encoding");
} }
return rv; return rv;
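Review bot: In MakeV1Cert the new `(void)` casts on `DER_AsciiToTime` make it explicit that a parse failure of the `notBefore`/`notAfter` fields is ignored, yet `after` is passed to `PR_ExplodeTime` on the very next line and would be uninitialized if the conversion failed. These values appear to come from submitted form fields, so reject bad input instead: `if (DER_AsciiToTime(&after, find_field(data, "notAfter", PR_TRUE)) != SECSuccess) error_out("ERROR: Invalid notAfter time");`, and likewise for `notBefore`. Separately, the new `chr_to_hex` passes a plain `char` to `isdigit`/`isxdigit`/`toupper`; cast to `unsigned char` first so bytes above 0x7f are well-defined. Both function bodies extend outside the hunks shown.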


@ -987,10 +987,13 @@ AddNameConstraints(void *extHandle)
GEN_BREAK(SECFailure); GEN_BREAK(SECFailure);
} }
PrintChoicesAndGetAnswer("Type of Name Constraint?\n" if (PrintChoicesAndGetAnswer("Type of Name Constraint?\n"
"\t1 - permitted\n\t2 - excluded\n\tAny" "\t1 - permitted\n\t2 - excluded\n\tAny"
"other number to finish\n\tChoice", "other number to finish\n\tChoice",
buffer, sizeof(buffer)); buffer, sizeof(buffer)) != SECSuccess) {
GEN_BREAK(SECFailure);
}
intValue = PORT_Atoi(buffer); intValue = PORT_Atoi(buffer);
switch (intValue) { switch (intValue) {
case 1: case 1:
@ -1826,11 +1829,13 @@ AddInfoAccess(void *extHandle, PRBool addSIAExt, PRBool isCACert)
intValue = timeStamping; intValue = timeStamping;
} }
} else { } else {
PrintChoicesAndGetAnswer("Enter access method type " if (PrintChoicesAndGetAnswer("Enter access method type "
"for Authority Information Access extension:\n" "for Authority Information Access extension:\n"
"\t1 - CA Issuers\n\t2 - OCSP\n\tAny" "\t1 - CA Issuers\n\t2 - OCSP\n\tAny"
"other number to finish\n\tChoice", "other number to finish\n\tChoice",
buffer, sizeof(buffer)); buffer, sizeof(buffer)) != SECSuccess) {
GEN_BREAK (SECFailure);
}
intValue = PORT_Atoi(buffer); intValue = PORT_Atoi(buffer);
} }
if (addSIAExt) { if (addSIAExt) {
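Review bot: The prompt literals in both changed calls still concatenate to `Anyother number to finish`, because `"\tAny"` is followed directly by `"other number to finish..."`; add the missing space, e.g. `"\t1 - permitted\n\t2 - excluded\n\tAny "`. The AddInfoAccess call also writes `GEN_BREAK (SECFailure);` with a space where AddNameConstraints uses `GEN_BREAK(SECFailure);`. `PORT_Atoi(buffer)` follows in both places, and non-numeric input presumably converts to 0 and ends the loop; if that is intended, a one-line comment such as `/* non-numeric input yields 0 and finishes */` would say so.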


@ -180,7 +180,7 @@ AddCert(PK11SlotInfo *slot, CERTCertDBHandle *handle, char *name, char *trusts,
static SECStatus static SECStatus
CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType, CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
SECOidTag hashAlgTag, CERTName *subject, char *phone, int ascii, SECOidTag hashAlgTag, CERTName *subject, const char *phone, int ascii,
const char *emailAddrs, const char *dnsNames, const char *emailAddrs, const char *dnsNames,
certutilExtnList extnList, const char *extGeneric, certutilExtnList extnList, const char *extGeneric,
/*out*/ SECItem *result) /*out*/ SECItem *result)
@ -270,7 +270,7 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
} }
if (!phone) if (!phone)
phone = strdup("(not specified)"); phone = "(not specified)";
email = CERT_GetCertEmailAddress(subject); email = CERT_GetCertEmailAddress(subject);
if (!email) if (!email)
@ -323,6 +323,7 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
} }
PR_smprintf_free(header); PR_smprintf_free(header);
} }
PORT_Free(obuf);
} else { } else {
(void) SECITEM_CopyItem(NULL, result, &signedReq); (void) SECITEM_CopyItem(NULL, result, &signedReq);
} }
@ -608,6 +609,27 @@ DeleteCert(CERTCertDBHandle *handle, char *name)
return rv; return rv;
} }
static SECStatus
RenameCert(CERTCertDBHandle *handle, char *name, char *newName)
{
SECStatus rv;
CERTCertificate *cert;
cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
if (!cert) {
SECU_PrintError(progName, "could not find certificate named \"%s\"",
name);
return SECFailure;
}
rv = __PK11_SetCertificateNickname(cert, newName);
CERT_DestroyCertificate(cert);
if (rv) {
SECU_PrintError(progName, "unable to rename certificate");
}
return rv;
}
static SECStatus static SECStatus
ValidateCert(CERTCertDBHandle *handle, char *name, char *date, ValidateCert(CERTCertDBHandle *handle, char *name, char *date,
char *certUsage, PRBool checkSig, PRBool logit, char *certUsage, PRBool checkSig, PRBool logit,
@ -983,6 +1005,8 @@ PrintSyntax(char *progName)
"\t\t [-8 dns-names] [-a]\n", "\t\t [-8 dns-names] [-a]\n",
progName); progName);
FPS "\t%s -D -n cert-name [-d certdir] [-P dbprefix]\n", progName); FPS "\t%s -D -n cert-name [-d certdir] [-P dbprefix]\n", progName);
FPS "\t%s --rename -n cert-name --new-n new-cert-name\n"
"\t\t [-d certdir] [-P dbprefix]\n", progName);
FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
progName); progName);
FPS "\t%s -F -n nickname [-d certdir] [-P dbprefix]\n", FPS "\t%s -F -n nickname [-d certdir] [-P dbprefix]\n",
@ -1549,6 +1573,25 @@ static void luW(enum usage_level ul, const char *command)
FPS "\n"); FPS "\n");
} }
static void luRename(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "rename"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Change the database nickname of a certificate\n",
"--rename");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s The old nickname of the cert to rename\n",
" -n cert-name");
FPS "%-20s The new nickname of the cert to rename\n",
" --new-n new-name");
FPS "%-20s Cert database directory (default is ~/.netscape)\n",
" -d certdir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
FPS "\n");
}
static void luUpgradeMerge(enum usage_level ul, const char *command) static void luUpgradeMerge(enum usage_level ul, const char *command)
{ {
int is_my_command = (command && 0 == strcmp(command, "upgrade-merge")); int is_my_command = (command && 0 == strcmp(command, "upgrade-merge"));
@ -1711,6 +1754,7 @@ static void LongUsage(char *progName, enum usage_level ul, const char *command)
luC(ul, command); luC(ul, command);
luG(ul, command); luG(ul, command);
luD(ul, command); luD(ul, command);
luRename(ul, command);
luF(ul, command); luF(ul, command);
luU(ul, command); luU(ul, command);
luK(ul, command); luK(ul, command);
@ -2210,6 +2254,7 @@ enum {
cmd_Batch, cmd_Batch,
cmd_Merge, cmd_Merge,
cmd_UpgradeMerge, /* test only */ cmd_UpgradeMerge, /* test only */
cmd_Rename,
max_cmd max_cmd
}; };
@ -2278,6 +2323,7 @@ enum certutilOpts {
opt_AddSubjectAltNameExt, opt_AddSubjectAltNameExt,
opt_DumpExtensionValue, opt_DumpExtensionValue,
opt_GenericExtensions, opt_GenericExtensions,
opt_NewNickname,
opt_Help opt_Help
}; };
@ -2308,7 +2354,9 @@ secuCommandFlag commands_init[] =
{ /* cmd_Batch */ 'B', PR_FALSE, 0, PR_FALSE }, { /* cmd_Batch */ 'B', PR_FALSE, 0, PR_FALSE },
{ /* cmd_Merge */ 0, PR_FALSE, 0, PR_FALSE, "merge" }, { /* cmd_Merge */ 0, PR_FALSE, 0, PR_FALSE, "merge" },
{ /* cmd_UpgradeMerge */ 0, PR_FALSE, 0, PR_FALSE, { /* cmd_UpgradeMerge */ 0, PR_FALSE, 0, PR_FALSE,
"upgrade-merge" } "upgrade-merge" },
{ /* cmd_Rename */ 0, PR_FALSE, 0, PR_FALSE,
"rename" }
}; };
#define NUM_COMMANDS ((sizeof commands_init) / (sizeof commands_init[0])) #define NUM_COMMANDS ((sizeof commands_init) / (sizeof commands_init[0]))
@ -2394,6 +2442,8 @@ secuCommandFlag options_init[] =
"dump-ext-val"}, "dump-ext-val"},
{ /* opt_GenericExtensions */ 0, PR_TRUE, 0, PR_FALSE, { /* opt_GenericExtensions */ 0, PR_TRUE, 0, PR_FALSE,
"extGeneric"}, "extGeneric"},
{ /* opt_NewNickname */ 0, PR_TRUE, 0, PR_FALSE,
"new-n"},
}; };
#define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0])) #define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0]))
@ -2419,14 +2469,15 @@ certutil_main(int argc, char **argv, PRBool initialize)
PRFileDesc *outFile = PR_STDOUT; PRFileDesc *outFile = PR_STDOUT;
SECItem certReqDER = { siBuffer, NULL, 0 }; SECItem certReqDER = { siBuffer, NULL, 0 };
SECItem certDER = { siBuffer, NULL, 0 }; SECItem certDER = { siBuffer, NULL, 0 };
char * slotname = "internal"; const char *slotname = "internal";
char * certPrefix = ""; const char *certPrefix = "";
char * sourceDir = ""; char * sourceDir = "";
char * srcCertPrefix = ""; const char *srcCertPrefix = "";
char * upgradeID = ""; char * upgradeID = "";
char * upgradeTokenName = ""; char * upgradeTokenName = "";
KeyType keytype = rsaKey; KeyType keytype = rsaKey;
char * name = NULL; char * name = NULL;
char * newName = NULL;
char * email = NULL; char * email = NULL;
char * keysource = NULL; char * keysource = NULL;
SECOidTag hashAlgTag = SEC_OID_UNKNOWN; SECOidTag hashAlgTag = SEC_OID_UNKNOWN;
@ -2533,7 +2584,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
if (PL_strcmp(certutil.options[opt_TokenName].arg, "all") == 0) if (PL_strcmp(certutil.options[opt_TokenName].arg, "all") == 0)
slotname = NULL; slotname = NULL;
else else
slotname = PL_strdup(certutil.options[opt_TokenName].arg); slotname = certutil.options[opt_TokenName].arg;
} }
/* -Z hash type */ /* -Z hash type */
@ -2593,7 +2644,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
/* -P certdb name prefix */ /* -P certdb name prefix */
if (certutil.options[opt_DBPrefix].activated) { if (certutil.options[opt_DBPrefix].activated) {
if (certutil.options[opt_DBPrefix].arg) { if (certutil.options[opt_DBPrefix].arg) {
certPrefix = strdup(certutil.options[opt_DBPrefix].arg); certPrefix = certutil.options[opt_DBPrefix].arg;
} else { } else {
Usage(progName); Usage(progName);
} }
@ -2602,7 +2653,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
/* --source-prefix certdb name prefix */ /* --source-prefix certdb name prefix */
if (certutil.options[opt_SourcePrefix].activated) { if (certutil.options[opt_SourcePrefix].activated) {
if (certutil.options[opt_SourcePrefix].arg) { if (certutil.options[opt_SourcePrefix].arg) {
srcCertPrefix = strdup(certutil.options[opt_SourcePrefix].arg); srcCertPrefix = certutil.options[opt_SourcePrefix].arg;
} else { } else {
Usage(progName); Usage(progName);
} }
@ -2785,6 +2836,19 @@ certutil_main(int argc, char **argv, PRBool initialize)
return 255; return 255;
} }
/* Rename needs an old and a new nickname */
if (certutil.commands[cmd_Rename].activated &&
!(certutil.options[opt_Nickname].activated &&
certutil.options[opt_NewNickname].activated)) {
PR_fprintf(PR_STDERR,
"%s --rename: specify an old nickname (-n) and\n"
" a new nickname (--new-n).\n",
progName);
return 255;
}
/* Upgrade/Merge needs a source database and a upgrade id. */ /* Upgrade/Merge needs a source database and a upgrade id. */
if (certutil.commands[cmd_UpgradeMerge].activated && if (certutil.commands[cmd_UpgradeMerge].activated &&
!(certutil.options[opt_SourceDir].activated && !(certutil.options[opt_SourceDir].activated &&
@ -2866,6 +2930,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
} }
name = SECU_GetOptionArg(&certutil, opt_Nickname); name = SECU_GetOptionArg(&certutil, opt_Nickname);
newName = SECU_GetOptionArg(&certutil, opt_NewNickname);
email = SECU_GetOptionArg(&certutil, opt_Emailaddress); email = SECU_GetOptionArg(&certutil, opt_Emailaddress);
PK11_SetPasswordFunc(SECU_GetModulePassword); PK11_SetPasswordFunc(SECU_GetModulePassword);
@ -3104,6 +3169,11 @@ merge_fail:
rv = DeleteCert(certHandle, name); rv = DeleteCert(certHandle, name);
goto shutdown; goto shutdown;
} }
/* Rename cert (--rename) */
if (certutil.commands[cmd_Rename].activated) {
rv = RenameCert(certHandle, name, newName);
goto shutdown;
}
/* Delete key (-F) */ /* Delete key (-F) */
if (certutil.commands[cmd_DeleteKey].activated) { if (certutil.commands[cmd_DeleteKey].activated) {
rv = DeleteKey(name, &pwdata); rv = DeleteKey(name, &pwdata);
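Review bot: RenameCert passes `newName` straight to `__PK11_SetCertificateNickname`; the option check added in certutil_main only tests that `--new-n` was activated, so an empty new nickname is not rejected in the code shown. A guard at the top of RenameCert, `if (!newName || !*newName) { SECU_PrintError(progName, "new nickname must not be empty"); return SECFailure; }`, would stop an empty nickname before it reaches the database; whether the PK11 call already refuses one is not visible here. The failure message `unable to rename certificate` would also be easier to act on if it included both names, as the not-found message above it does with `name`. A short header comment on RenameCert saying why the double-underscore PK11 entry point is used would help the next reader.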


@ -133,64 +133,92 @@ UpdateRNG(void)
} }
static const unsigned char P[] = { 0, static const unsigned char P[] = { 0,
0x98, 0xef, 0x3a, 0xae, 0x70, 0x98, 0x9b, 0x44, 0xc6, 0x2a, 0x47, 0x73, 0xea, 0x78, 0xfa, 0x65,
0xdb, 0x35, 0x86, 0xc1, 0xb6, 0xc2, 0x47, 0x7c, 0x47, 0x69, 0x39, 0x10, 0x08, 0x55, 0x6a, 0xdd,
0xb4, 0xff, 0x99, 0xe8, 0xae, 0x44, 0xf2, 0xeb, 0xbf, 0x77, 0xe1, 0x9a, 0x69, 0x73, 0xba, 0x66,
0xc3, 0xbe, 0x23, 0x0f, 0x65, 0xd0, 0x4c, 0x04, 0x37, 0x08, 0x93, 0x9e, 0xdb, 0x5d, 0x01, 0x08,
0x82, 0x90, 0xa7, 0x9d, 0x4a, 0xc8, 0x93, 0x7f, 0xb8, 0x3a, 0x73, 0xe9, 0x85, 0x5f, 0xa7, 0x2b,
0x41, 0xdf, 0xf8, 0x80, 0x6b, 0x0b, 0x68, 0x7f, 0x63, 0x7f, 0xd0, 0xc6, 0x4c, 0xdc, 0xfc, 0x8b,
0xaf, 0xe4, 0xa8, 0xb5, 0xb2, 0x99, 0xc3, 0x69, 0xa6, 0x03, 0xc9, 0x9c, 0x80, 0x5e, 0xec, 0xc6,
0xfb, 0x3f, 0xe7, 0x1b, 0xd0, 0x0f, 0xa9, 0x7a, 0x21, 0x23, 0xf7, 0x8e, 0xa4, 0x7b, 0x77, 0x83,
0x4a, 0x04, 0xbf, 0x50, 0x9e, 0x22, 0x33, 0xb8, 0x02, 0x44, 0xf8, 0x05, 0xd7, 0x36, 0x52, 0x13,
0x89, 0x53, 0x24, 0x10, 0xf9, 0x68, 0x77, 0xad, 0x57, 0x78, 0x97, 0xf3, 0x7b, 0xcf, 0x1f, 0xc9,
0xaf, 0x10, 0x68, 0xb8, 0xd3, 0x68, 0x5d, 0xa3, 0x2a, 0xa4, 0x71, 0x9d, 0xa8, 0xd8, 0x5d, 0xc5,
0xc3, 0xeb, 0x72, 0x3b, 0xa0, 0x0b, 0x73, 0x65, 0x3b, 0x64, 0x3a, 0x72, 0x60, 0x62, 0xb0, 0xb8,
0xc5, 0xd1, 0xfa, 0x8c, 0xc0, 0x7d, 0xaa, 0x52, 0xf3, 0xb1, 0xe7, 0xb9, 0x76, 0xdf, 0x74, 0xbe,
0x29, 0x34, 0x44, 0x01, 0xbf, 0x12, 0x25, 0xfe, 0x87, 0x6a, 0xd2, 0xf1, 0xa9, 0x44, 0x8b, 0x63,
0x18, 0x0a, 0xc8, 0x3f, 0xc1, 0x60, 0x48, 0xdb, 0x76, 0x4f, 0x5d, 0x21, 0x63, 0xb5, 0x4f, 0x3c,
0xad, 0x93, 0xb6, 0x61, 0x67, 0xd7, 0xa8, 0x2d }; 0x7b, 0x61, 0xb2, 0xf3, 0xea, 0xc5, 0xd8, 0xef,
0x30, 0x50, 0x59, 0x33, 0x61, 0xc0, 0xf3, 0x6e,
0x21, 0xcf, 0x15, 0x35, 0x4a, 0x87, 0x2b, 0xc3,
0xf6, 0x5a, 0x1f, 0x24, 0x22, 0xc5, 0xeb, 0x47,
0x34, 0x4a, 0x1b, 0xb5, 0x2e, 0x71, 0x52, 0x8f,
0x2d, 0x7d, 0xa9, 0x96, 0x8a, 0x7c, 0x61, 0xdb,
0xc0, 0xdc, 0xf1, 0xca, 0x28, 0x69, 0x1c, 0x97,
0xad, 0xea, 0x0d, 0x9e, 0x02, 0xe6, 0xe5, 0x7d,
0xad, 0xe0, 0x42, 0x91, 0x4d, 0xfa, 0xe2, 0x81,
0x16, 0x2b, 0xc2, 0x96, 0x3b, 0x32, 0x8c, 0x20,
0x69, 0x8b, 0x5b, 0x17, 0x3c, 0xf9, 0x13, 0x6c,
0x98, 0x27, 0x1c, 0xca, 0xcf, 0x33, 0xaa, 0x93,
0x21, 0xaf, 0x17, 0x6e, 0x5e, 0x00, 0x37, 0xd9,
0x34, 0x8a, 0x47, 0xd2, 0x1c, 0x67, 0x32, 0x60,
0xb6, 0xc7, 0xb0, 0xfd, 0x32, 0x90, 0x93, 0x32,
0xaa, 0x11, 0xba, 0x23, 0x19, 0x39, 0x6a, 0x42,
0x7c, 0x1f, 0xb7, 0x28, 0xdb, 0x64, 0xad, 0xd9 };
static const unsigned char Q[] = { 0, static const unsigned char Q[] = { 0,
0xb5, 0xb0, 0x84, 0x8b, 0x44, 0x29, 0xf6, 0x33, 0xe6, 0xa3, 0xc9, 0xc6, 0x51, 0x92, 0x8b, 0xb3,
0x59, 0xa1, 0x3c, 0xbe, 0xd2, 0x7f, 0x35, 0xa1, 0x98, 0x8f, 0x97, 0xb8, 0x31, 0x0d, 0x4a, 0x03,
0x76, 0x27, 0x03, 0x81 }; 0x1e, 0xba, 0x4e, 0xe6, 0xc8, 0x90, 0x98, 0x1d,
0x3a, 0x95, 0xf4, 0xf1 };
static const unsigned char G[] = { static const unsigned char G[] = {
0x04, 0x0e, 0x83, 0x69, 0xf1, 0xcd, 0x7d, 0xe5, 0x70, 0x32, 0x58, 0x5d, 0xb3, 0xbf, 0xc3, 0x62,
0x0c, 0x78, 0x93, 0xd6, 0x49, 0x6f, 0x00, 0x04, 0x63, 0x0b, 0xf8, 0xa5, 0xe1, 0xed, 0xeb, 0x79,
0x4e, 0x0e, 0x6c, 0x37, 0xaa, 0x38, 0x22, 0x47, 0xac, 0x18, 0x41, 0x64, 0xb3, 0xda, 0x4c, 0xa7,
0xd2, 0x58, 0xec, 0x83, 0x12, 0x95, 0xf9, 0x9c, 0x92, 0x63, 0xb1, 0x33, 0x7c, 0xcb, 0x43, 0xdc,
0xf1, 0xf4, 0x27, 0xff, 0xd7, 0x99, 0x57, 0x35, 0x1f, 0x38, 0x63, 0x5e, 0x0e, 0x6d, 0x45, 0xd1,
0xc6, 0x64, 0x4c, 0xc0, 0x47, 0x12, 0x31, 0x50, 0xc9, 0x67, 0xf3, 0xcf, 0x3d, 0x2d, 0x16, 0x4e,
0x82, 0x3c, 0x2a, 0x07, 0x03, 0x01, 0xef, 0x30, 0x92, 0x16, 0x06, 0x59, 0x29, 0x89, 0x6f, 0x54,
0x09, 0x89, 0x82, 0x41, 0x76, 0x71, 0xda, 0x9e, 0xff, 0xc5, 0x71, 0xc8, 0x3a, 0x95, 0x84, 0xb6,
0x57, 0x8b, 0x76, 0x38, 0x37, 0x5f, 0xa5, 0xcd, 0x7e, 0x7b, 0x1e, 0x8b, 0x47, 0x9d, 0x7a, 0x3a,
0x32, 0x84, 0x45, 0x8d, 0x4c, 0x17, 0x54, 0x2b, 0x36, 0x9b, 0x70, 0x2f, 0xd1, 0xbd, 0xef, 0xe8,
0x5d, 0xc2, 0x6b, 0xba, 0x3e, 0xa0, 0x7b, 0x95, 0x3a, 0x41, 0xd4, 0xf3, 0x1f, 0x81, 0xc7, 0x1f,
0xd7, 0x00, 0x42, 0xf7, 0x08, 0xb8, 0x83, 0x87, 0x96, 0x7c, 0x30, 0xab, 0xf4, 0x7a, 0xac, 0x93,
0x60, 0xe1, 0xe5, 0xf4, 0x1a, 0x54, 0xc2, 0x20, 0xed, 0x6f, 0x67, 0xb0, 0xc9, 0x5b, 0xf3, 0x83,
0xda, 0x38, 0x3a, 0xd1, 0xb6, 0x10, 0xf4, 0xcb, 0x9d, 0xa0, 0xd7, 0xb9, 0x01, 0xed, 0x28, 0xae,
0x35, 0xda, 0x97, 0x92, 0x87, 0xd6, 0xa5, 0x37, 0x1c, 0x6e, 0x2e, 0x48, 0xac, 0x9f, 0x7d, 0xf3,
0x62, 0xb4, 0x93, 0x4a, 0x15, 0x21, 0xa5, 0x10 }; 0x00, 0x48, 0xee, 0x0e, 0xfb, 0x7e, 0x5e, 0xcb,
0xf5, 0x39, 0xd8, 0x92, 0x90, 0x61, 0x2d, 0x1e,
0x3c, 0xd3, 0x55, 0x0d, 0x34, 0xd1, 0x81, 0xc4,
0x89, 0xea, 0x94, 0x2b, 0x56, 0x33, 0x73, 0x58,
0x48, 0xbf, 0x23, 0x72, 0x19, 0x5f, 0x19, 0xac,
0xff, 0x09, 0xc8, 0xcd, 0xab, 0x71, 0xef, 0x9e,
0x20, 0xfd, 0xe3, 0xb8, 0x27, 0x9e, 0x65, 0xb1,
0x85, 0xcd, 0x88, 0xfe, 0xd4, 0xd7, 0x64, 0x4d,
0xe1, 0xe8, 0xa6, 0xe5, 0x96, 0xc8, 0x5d, 0x9c,
0xc6, 0x70, 0x6b, 0xba, 0x77, 0x4e, 0x90, 0x4a,
0xb0, 0x96, 0xc5, 0xa0, 0x9e, 0x2c, 0x01, 0x03,
0xbe, 0xbd, 0x71, 0xba, 0x0a, 0x6f, 0x9f, 0xe5,
0xdb, 0x04, 0x08, 0xf2, 0x9e, 0x0f, 0x1b, 0xac,
0xcd, 0xbb, 0x65, 0x12, 0xcf, 0x77, 0xc9, 0x7d,
0xbe, 0x94, 0x4b, 0x9c, 0x5b, 0xde, 0x0d, 0xfa,
0x57, 0xdd, 0x77, 0x32, 0xf0, 0x5b, 0x34, 0xfd,
0x19, 0x95, 0x33, 0x60, 0x87, 0xe2, 0xa2, 0xf4 };
/* h:
* 4a:76:30:89:eb:e1:81:7c:99:0b:39:7f:95:4a:65:72: /* P, Q, G have been generated using the NSS makepqg utility:
* c6:b4:05:92:48:6c:3c:b2:7e:e7:39:f3:92:7d:c1:3f: * makepqg -l 2048 -g 224 -r
* bf:e1:fd:b3:4a:46:3e:ce:29:80:e3:d6:f4:59:c6:92: * (see also: bug 1170322)
* 16:2b:0e:d7:d6:bb:ef:94:36:31:c2:66:46:c5:4a:77: *
* aa:95:84:ef:99:7e:e3:9c:d9:a0:32:42:09:b6:4e:d0: * h: 1 (0x1)
* b3:c8:5e:06:df:a1:ac:4d:2d:f9:08:c2:cb:4b:a4:42:
* db:8a:5b:de:25:6e:2b:5b:ca:00:75:2c:57:00:18:aa:
* 68:59:a1:94:03:07:94:78:38:bc:f8:7c:1e:1c:a3:2e
* SEED: * SEED:
* b5:44:66:c9:0f:f1:ca:1c:95:45:ce:90:74:89:14:f2: * d2:0b:c5:63:1b:af:dc:36:b7:7c:b9:3e:36:01:a0:8f:
* 13:3e:23:5a:b0:6a:bf:86:ad:cb:a0:7d:ce:3b:c8:16: * 0e:be:d0:38:e4:78:d5:3c:7c:9e:a9:9a:d2:0b:c5:63:
* 7f:2d:a2:1a:cb:33:7d:c1:e7:d7:07:aa:1b:a2:d7:89: * 1b:af:dc:36:b7:7c:b9:3e:36:01:a0:8f:0e:be:d0:38:
* f5:a4:db:f7:8b:50:00:cd:b4:7d:25:81:3f:f8:a8:dd: * e4:78:d5:3c:7c:9e:c7:70:d2:0b:c5:63:1b:af:dc:36:
* 6c:46:e5:77:b5:60:7e:75:79:b8:99:57:c1:c4:f3:f7: * b7:7c:b9:3e:36:01:a0:8f:0e:be:d0:38:e4:78:d5:3c:
* 17:ca:43:00:b8:33:b6:06:8f:4d:91:ed:23:a5:66:1b: * 7c:9e:aa:3e
* ef:14:d7:bc:21:2b:82:d8:ab:fa:fd:a7:c3:4d:bf:52: * g: 672
* af:8e:57:59:61:1a:4e:65:c6:90:d6:a6:ff:0b:15:b1 * counter: 0
* g: 1024
* counter: 1003
*/ */
static const SECKEYPQGParams default_pqg_params = { static const SECKEYPQGParams default_pqg_params = {
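Review bot: The new comment block labels a value `g: 672`, which is easy to misread as the generator `G` defined just above; the seed printed is 84 bytes, i.e. 672 bits, so this appears to be the seed length, and a label like `seed length (bits): 672` would be clearer. Because these are the tool's built-in default DSA parameters, the comment should also say why the seed and counter are recorded, for example `/* SEED and counter are kept so P and Q can be re-checked against the generation procedure */`. The initializer of `default_pqg_params` continues outside the hunk.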


@ -122,7 +122,6 @@ OurVerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
SECStatus rv; SECStatus rv;
VFYContext *cx; VFYContext *cx;
SECOidData *sigAlgOid, *oiddata; SECOidData *sigAlgOid, *oiddata;
SECOidTag sigAlgTag;
SECOidTag hashAlgTag; SECOidTag hashAlgTag;
int showDigestOid=0; int showDigestOid=0;
@ -134,8 +133,6 @@ OurVerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
sigAlgOid = SECOID_FindOID(&sigAlgorithm->algorithm); sigAlgOid = SECOID_FindOID(&sigAlgorithm->algorithm);
if (sigAlgOid == 0) if (sigAlgOid == 0)
return SECFailure; return SECFailure;
sigAlgTag = sigAlgOid->offset;
if (showDigestOid) { if (showDigestOid) {
oiddata = SECOID_FindOIDByTag(hashAlgTag); oiddata = SECOID_FindOIDByTag(hashAlgTag);
@ -223,11 +220,9 @@ CERTCertificate *createEmptyCertificate(void)
} }
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
int rv, verbose=0, force=0; int verbose=0, force=0;
int ascii=0, issuerAscii=0; int ascii=0, issuerAscii=0;
char *progName=0; char *progName=0;
PRFileDesc *inFile=0, *issuerCertFile=0; PRFileDesc *inFile=0, *issuerCertFile=0;
@ -244,6 +239,7 @@ int main(int argc, char **argv)
char *inFileName = NULL, *issuerCertFileName = NULL; char *inFileName = NULL, *issuerCertFileName = NULL;
PLOptState *optstate; PLOptState *optstate;
PLOptStatus status; PLOptStatus status;
SECStatus rv;
PORT_Memset(&md5WithRSAEncryption, 0, sizeof(md5WithRSAEncryption)); PORT_Memset(&md5WithRSAEncryption, 0, sizeof(md5WithRSAEncryption));
PORT_Memset(&md2WithRSAEncryption, 0, sizeof(md2WithRSAEncryption)); PORT_Memset(&md2WithRSAEncryption, 0, sizeof(md2WithRSAEncryption));
@ -389,7 +385,7 @@ int main(int argc, char **argv)
SECU_RegisterDynamicOids(); SECU_RegisterDynamicOids();
rv = SECU_PrintSignedData(stdout, &derCert, "Certificate", 0, rv = SECU_PrintSignedData(stdout, &derCert, "Certificate", 0,
SECU_PrintCertificate); (SECU_PPFunc)SECU_PrintCertificate);
if (rv) { if (rv) {
fprintf(stderr, "%s: Unable to pretty print cert. Error: %d\n", fprintf(stderr, "%s: Unable to pretty print cert. Error: %d\n",
@ -405,17 +401,37 @@ int main(int argc, char **argv)
printf("\n"); printf("\n");
/* Check algorithms */ /* Check algorithms */
SECOID_SetAlgorithmID(arena, &md5WithRSAEncryption, rv = SECOID_SetAlgorithmID(arena, &md5WithRSAEncryption,
SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION, NULL); SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION, NULL);
if (rv) {
fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION.\n",
progName);
exit(1);
}
SECOID_SetAlgorithmID(arena, &md2WithRSAEncryption, rv = SECOID_SetAlgorithmID(arena, &md2WithRSAEncryption,
SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION, NULL); SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION, NULL);
if (rv) {
fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION.\n",
progName);
exit(1);
}
SECOID_SetAlgorithmID(arena, &sha1WithRSAEncryption, rv = SECOID_SetAlgorithmID(arena, &sha1WithRSAEncryption,
SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, NULL); SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, NULL);
if (rv) {
fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION.\n",
progName);
exit(1);
}
SECOID_SetAlgorithmID(arena, &rsaEncryption, rv = SECOID_SetAlgorithmID(arena, &rsaEncryption,
SEC_OID_PKCS1_RSA_ENCRYPTION, NULL); SEC_OID_PKCS1_RSA_ENCRYPTION, NULL);
if (rv) {
fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_RSA_ENCRYPTION.\n",
progName);
exit(1);
}
{ {
int isMD5RSA = (SECOID_CompareAlgorithmID(&cert->signature, int isMD5RSA = (SECOID_CompareAlgorithmID(&cert->signature,
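Review bot: The added cast `(SECU_PPFunc)SECU_PrintCertificate` in main silences a function-pointer type mismatch rather than resolving it; if the two signatures really differ, the call made through the cast pointer is undefined behaviour. Neither declaration is visible in this section, so this needs checking against the headers. If the difference is harmless on the supported targets, say so next to the cast, e.g. `/* SECU_PPFunc differs from SECU_PrintCertificate only in <difference>; cast is intentional */`; otherwise a small static wrapper with the exact `SECU_PPFunc` signature avoids the cast. The four new `SECOID_SetAlgorithmID` checks repeat the same five lines and could share one helper.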


@ -545,7 +545,7 @@ crlgen_CreateReasonCode(PLArenaPool *arena, const char **dataArr,
{ {
SECItem *encodedItem; SECItem *encodedItem;
void *dummy; void *dummy;
void *mark; void *mark = NULL;
int code = 0; int code = 0;
PORT_Assert(arena && dataArr); PORT_Assert(arena && dataArr);
@ -583,7 +583,9 @@ crlgen_CreateReasonCode(PLArenaPool *arena, const char **dataArr,
return encodedItem; return encodedItem;
loser: loser:
if (mark) {
PORT_ArenaRelease (arena, mark); PORT_ArenaRelease (arena, mark);
}
return NULL; return NULL;
} }
@ -595,7 +597,7 @@ crlgen_CreateInvalidityDate(PLArenaPool *arena, const char **dataArr,
{ {
SECItem *encodedItem; SECItem *encodedItem;
int length = 0; int length = 0;
void *mark; void *mark = NULL;
PORT_Assert(arena && dataArr); PORT_Assert(arena && dataArr);
if (!arena || !dataArr) { if (!arena || !dataArr) {
@ -624,7 +626,9 @@ crlgen_CreateInvalidityDate(PLArenaPool *arena, const char **dataArr,
return encodedItem; return encodedItem;
loser: loser:
if (mark) {
PORT_ArenaRelease(arena, mark); PORT_ArenaRelease(arena, mark);
}
return NULL; return NULL;
} }
@ -1079,7 +1083,6 @@ static SECStatus
crlgen_RmCert(CRLGENGeneratorData *crlGenData, char *certId) crlgen_RmCert(CRLGENGeneratorData *crlGenData, char *certId)
{ {
PRUint64 i = 0; PRUint64 i = 0;
PLArenaPool *arena;
PORT_Assert(crlGenData && certId); PORT_Assert(crlGenData && certId);
if (!crlGenData || !certId) { if (!crlGenData || !certId) {
@ -1087,8 +1090,6 @@ crlgen_RmCert(CRLGENGeneratorData *crlGenData, char *certId)
return SECFailure; return SECFailure;
} }
arena = crlGenData->signCrl->arena;
if (crlgen_SetNewRangeField(crlGenData, certId) == SECFailure && if (crlgen_SetNewRangeField(crlGenData, certId) == SECFailure &&
certId) { certId) {
return SECFailure; return SECFailure;
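Review bot: In crlgen_RmCert the condition `crlgen_SetNewRangeField(crlGenData, certId) == SECFailure && certId` still tests `certId`, which appears unable to be NULL at that point because the guard a few lines up bails out on `!certId`. Since the change is already tidying this function (the unused `arena` local is dropped), the test could be reduced to `if (crlgen_SetNewRangeField(crlGenData, certId) == SECFailure) {`. The rest of the function body lies outside the hunk.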


@ -128,7 +128,7 @@ static void ListCRLNames (CERTCertDBHandle *certHandle, int crlType, PRBool dele
while (crlNode) { while (crlNode) {
char* asciiname = NULL; char* asciiname = NULL;
CERTCertificate *cert = NULL; CERTCertificate *cert = NULL;
if (crlNode->crl && &crlNode->crl->crl.derName) { if (crlNode->crl && crlNode->crl->crl.derName.data != NULL) {
cert = CERT_FindCertByName(certHandle, cert = CERT_FindCertByName(certHandle,
&crlNode->crl->crl.derName); &crlNode->crl->crl.derName);
if (!cert) { if (!cert) {
@ -698,6 +698,7 @@ GenerateCRL (CERTCertDBHandle *certHandle, char *certNickName,
signCrl = CreateModifiedCRLCopy(arena, certHandle, &cert, certNickName, signCrl = CreateModifiedCRLCopy(arena, certHandle, &cert, certNickName,
inFile, decodeOptions, importOptions); inFile, decodeOptions, importOptions);
if (signCrl == NULL) { if (signCrl == NULL) {
rv = SECFailure;
goto loser; goto loser;
} }
} }
@ -705,6 +706,7 @@ GenerateCRL (CERTCertDBHandle *certHandle, char *certNickName,
if (!cert) { if (!cert) {
cert = FindSigningCert(certHandle, signCrl, certNickName); cert = FindSigningCert(certHandle, signCrl, certNickName);
if (cert == NULL) { if (cert == NULL) {
rv = SECFailure;
goto loser; goto loser;
} }
} }
@ -721,9 +723,11 @@ GenerateCRL (CERTCertDBHandle *certHandle, char *certNickName,
outFileName); outFileName);
} }
signCrl = CreateNewCrl(arena, certHandle, cert); signCrl = CreateNewCrl(arena, certHandle, cert);
if (!signCrl) if (!signCrl) {
rv = SECFailure;
goto loser; goto loser;
} }
}
rv = UpdateCrl(signCrl, inCrlInitFile); rv = UpdateCrl(signCrl, inCrlInitFile);
if (rv != SECSuccess) { if (rv != SECSuccess) {
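Review bot: GenerateCRL now sets `rv = SECFailure;` by hand before three of its `goto loser` exits, which suggests `rv` does not start out as a failure value. Initialising it fail-closed where it is declared (`SECStatus rv = SECFailure;`; the declaration is outside these hunks, so this needs confirming) would cover any other early exit, present or future, so that a CRL generation that bailed out is never reported as success. The per-site assignments could then stay as documentation or be dropped.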


@ -134,6 +134,10 @@ get_serial_number(long *dest)
return SECFailure; return SECFailure;
} }
rv = PK11_GenerateRandom((unsigned char *)dest, sizeof(long)); rv = PK11_GenerateRandom((unsigned char *)dest, sizeof(long));
if (rv != SECSuccess) {
/* PK11_GenerateRandom calls PORT_SetError */
return SECFailure;
}
/* make serial number positive */ /* make serial number positive */
if (*dest < 0L) if (*dest < 0L)
*dest = - *dest; *dest = - *dest;
@ -937,18 +941,6 @@ DoCMMFStuff(void)
return rv; return rv;
} }
static CK_MECHANISM_TYPE
mapWrapKeyType(KeyType keyType)
{
switch (keyType) {
case rsaKey:
return CKM_RSA_PKCS;
default:
break;
}
return CKM_INVALID_MECHANISM;
}
#define KNOWN_MESSAGE_LENGTH 20 /*160 bits*/ #define KNOWN_MESSAGE_LENGTH 20 /*160 bits*/
int int
@ -1533,10 +1525,6 @@ main(int argc, char **argv)
PRUint32 flags = 0; PRUint32 flags = 0;
SECStatus rv; SECStatus rv;
PRBool nssInit = PR_FALSE; PRBool nssInit = PR_FALSE;
PRBool pArg = PR_FALSE;
PRBool eArg = PR_FALSE;
PRBool sArg = PR_FALSE;
PRBool PArg = PR_FALSE;
memset( &signPair, 0, sizeof signPair); memset( &signPair, 0, sizeof signPair);
memset( &cryptPair, 0, sizeof cryptPair); memset( &cryptPair, 0, sizeof cryptPair);
@ -1559,7 +1547,6 @@ main(int argc, char **argv)
printf ("-p failed\n"); printf ("-p failed\n");
return 603; return 603;
} }
pArg = PR_TRUE;
break; break;
case 'e': case 'e':
recoveryEncrypter = PORT_Strdup(optstate->value); recoveryEncrypter = PORT_Strdup(optstate->value);
@ -1567,7 +1554,6 @@ main(int argc, char **argv)
printf ("-e failed\n"); printf ("-e failed\n");
return 602; return 602;
} }
eArg = PR_TRUE;
break; break;
case 's': case 's':
caCertName = PORT_Strdup(optstate->value); caCertName = PORT_Strdup(optstate->value);
@ -1575,7 +1561,6 @@ main(int argc, char **argv)
printf ("-s failed\n"); printf ("-s failed\n");
return 604; return 604;
} }
sArg = PR_TRUE;
break; break;
case 'P': case 'P':
password = PORT_Strdup(optstate->value); password = PORT_Strdup(optstate->value);
@ -1585,7 +1570,6 @@ main(int argc, char **argv)
} }
pwdata.source = PW_PLAINTEXT; pwdata.source = PW_PLAINTEXT;
pwdata.data = password; pwdata.data = password;
PArg = PR_TRUE;
break; break;
case 'f': case 'f':
pwfile = PORT_Strdup(optstate->value); pwfile = PORT_Strdup(optstate->value);
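Review bot: In get_serial_number the step after the new error check, `if (*dest < 0L) *dest = - *dest;`, overflows when the random value is LONG_MIN, which is undefined behaviour for a signed long and typically leaves the serial number negative. Clearing the sign bit avoids the negation altogether: `*dest &= LONG_MAX;` (needs `<limits.h>`; whether the file already includes it is not visible here). The rest of the function is outside the hunk.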


@ -288,7 +288,7 @@ tdea_kat_mmt(char *reqfn)
FILE *req; /* input stream from the REQUEST file */ FILE *req; /* input stream from the REQUEST file */
FILE *resp; /* output stream to the RESPONSE file */ FILE *resp; /* output stream to the RESPONSE file */
int i, j; int i, j;
int mode; /* NSS_DES_EDE3 (ECB) or NSS_DES_EDE3_CBC */ int mode = NSS_DES_EDE3; /* NSS_DES_EDE3 (ECB) or NSS_DES_EDE3_CBC */
int crypt = DECRYPT; /* 1 means encrypt, 0 means decrypt */ int crypt = DECRYPT; /* 1 means encrypt, 0 means decrypt */
unsigned char key[24]; /* TDEA 3 key bundle */ unsigned char key[24]; /* TDEA 3 key bundle */
unsigned int numKeys = 0; unsigned int numKeys = 0;
@ -997,10 +997,10 @@ aes_kat_mmt(char *reqfn)
FILE *aesreq; /* input stream from the REQUEST file */ FILE *aesreq; /* input stream from the REQUEST file */
FILE *aesresp; /* output stream to the RESPONSE file */ FILE *aesresp; /* output stream to the RESPONSE file */
int i, j; int i, j;
int mode; /* NSS_AES (ECB) or NSS_AES_CBC */ int mode = NSS_AES; /* NSS_AES (ECB) or NSS_AES_CBC */
int encrypt = 0; /* 1 means encrypt, 0 means decrypt */ int encrypt = 0; /* 1 means encrypt, 0 means decrypt */
unsigned char key[32]; /* 128, 192, or 256 bits */ unsigned char key[32]; /* 128, 192, or 256 bits */
unsigned int keysize; unsigned int keysize = 0;
unsigned char iv[16]; /* for all modes except ECB */ unsigned char iv[16]; /* for all modes except ECB */
unsigned char plaintext[10*16]; /* 1 to 10 blocks */ unsigned char plaintext[10*16]; /* 1 to 10 blocks */
unsigned int plaintextlen; unsigned int plaintextlen;
@ -1197,7 +1197,7 @@ aes_ecb_mct(char *reqfn)
int i, j; int i, j;
int encrypt = 0; /* 1 means encrypt, 0 means decrypt */ int encrypt = 0; /* 1 means encrypt, 0 means decrypt */
unsigned char key[32]; /* 128, 192, or 256 bits */ unsigned char key[32]; /* 128, 192, or 256 bits */
unsigned int keysize; unsigned int keysize = 0;
unsigned char plaintext[16]; /* PT[j] */ unsigned char plaintext[16]; /* PT[j] */
unsigned char plaintext_1[16]; /* PT[j-1] */ unsigned char plaintext_1[16]; /* PT[j-1] */
unsigned char ciphertext[16]; /* CT[j] */ unsigned char ciphertext[16]; /* CT[j] */
@ -1480,7 +1480,7 @@ aes_cbc_mct(char *reqfn)
int i, j; int i, j;
int encrypt = 0; /* 1 means encrypt, 0 means decrypt */ int encrypt = 0; /* 1 means encrypt, 0 means decrypt */
unsigned char key[32]; /* 128, 192, or 256 bits */ unsigned char key[32]; /* 128, 192, or 256 bits */
unsigned int keysize; unsigned int keysize = 0;
unsigned char iv[16]; unsigned char iv[16];
unsigned char plaintext[16]; /* PT[j] */ unsigned char plaintext[16]; /* PT[j] */
unsigned char plaintext_1[16]; /* PT[j-1] */ unsigned char plaintext_1[16]; /* PT[j-1] */
@ -2103,7 +2103,7 @@ ecdsa_pkv_test(char *reqfn)
ECParams *ecparams = NULL; ECParams *ecparams = NULL;
SECItem pubkey; SECItem pubkey;
unsigned int i; unsigned int i;
unsigned int len; unsigned int len = 0;
PRBool keyvalid = PR_TRUE; PRBool keyvalid = PR_TRUE;
ecdsareq = fopen(reqfn, "r"); ecdsareq = fopen(reqfn, "r");
@ -2360,10 +2360,10 @@ ecdsa_sigver_test(char *reqfn)
char curve[16]; /* "nistxddd" */ char curve[16]; /* "nistxddd" */
ECPublicKey ecpub; ECPublicKey ecpub;
unsigned int i, j; unsigned int i, j;
unsigned int flen; /* length in bytes of the field size */ unsigned int flen = 0; /* length in bytes of the field size */
unsigned int olen; /* length in bytes of the base point order */ unsigned int olen = 0; /* length in bytes of the base point order */
unsigned char msg[512]; /* message that was signed (<= 128 bytes) */ unsigned char msg[512]; /* message that was signed (<= 128 bytes) */
unsigned int msglen; unsigned int msglen = 0;
unsigned char sha1[20]; /* SHA-1 hash (160 bits) */ unsigned char sha1[20]; /* SHA-1 hash (160 bits) */
unsigned char sig[2*MAX_ECKEY_LEN]; unsigned char sig[2*MAX_ECKEY_LEN];
SECItem signature, digest; SECItem signature, digest;
@ -2532,43 +2532,6 @@ loser:
} }
#endif /* NSS_DISABLE_ECC */ #endif /* NSS_DISABLE_ECC */
/*
* Read a value from the test and allocate the result.
*/
static unsigned char *
alloc_value(char *buf, int *len)
{
unsigned char * value;
int i, count;
if (strncmp(buf, "<None>", 6) == 0) {
*len = 0;
return NULL;
}
/* find the length of the number */
for (count = 0; isxdigit(buf[count]); count++);
*len = count/2;
if (*len == 0) {
return NULL;
}
value = PORT_Alloc(*len);
if (!value) {
*len = 0;
return NULL;
}
for (i=0; i<*len; buf+=2 , i++) {
hex_to_byteval(buf, &value[i]);
}
return value;
}
PRBool PRBool
isblankline(char *b) isblankline(char *b)
{ {
@ -2599,7 +2562,9 @@ drbg(char *reqfn)
FILE *rngresp; /* output stream to the RESPONSE file */ FILE *rngresp; /* output stream to the RESPONSE file */
unsigned int i, j; unsigned int i, j;
#if 0
PRBool predictionResistance = PR_FALSE; PRBool predictionResistance = PR_FALSE;
#endif
unsigned char *nonce = NULL; unsigned char *nonce = NULL;
int nonceLen = 0; int nonceLen = 0;
unsigned char *personalizationString = NULL; unsigned char *personalizationString = NULL;
@ -2722,6 +2687,7 @@ drbg(char *reqfn)
continue; continue;
} }
#if 0 /* currently unsupported */
if (strncmp(buf, "[PredictionResistance", 21) == 0) { if (strncmp(buf, "[PredictionResistance", 21) == 0) {
i = 21; i = 21;
while (isspace(buf[i]) || buf[i] == '=') { while (isspace(buf[i]) || buf[i] == '=') {
@ -2736,6 +2702,7 @@ drbg(char *reqfn)
fputs(buf, rngresp); fputs(buf, rngresp);
continue; continue;
} }
#endif
if (strncmp(buf, "[EntropyInputLen", 16) == 0) { if (strncmp(buf, "[EntropyInputLen", 16) == 0) {
if (entropyInput) { if (entropyInput) {
@ -2990,7 +2957,7 @@ rng_vst(char *reqfn)
unsigned int i, j; unsigned int i, j;
unsigned char Q[DSA1_SUBPRIME_LEN]; unsigned char Q[DSA1_SUBPRIME_LEN];
PRBool hasQ = PR_FALSE; PRBool hasQ = PR_FALSE;
unsigned int b; /* 160 <= b <= 512, b is a multiple of 8 */ unsigned int b = 0; /* 160 <= b <= 512, b is a multiple of 8 */
unsigned char XKey[512/8]; unsigned char XKey[512/8];
unsigned char XSeed[512/8]; unsigned char XSeed[512/8];
unsigned char GENX[DSA1_SIGNATURE_LEN]; unsigned char GENX[DSA1_SIGNATURE_LEN];
@ -3113,7 +3080,7 @@ rng_mct(char *reqfn)
unsigned int i, j; unsigned int i, j;
unsigned char Q[DSA1_SUBPRIME_LEN]; unsigned char Q[DSA1_SUBPRIME_LEN];
PRBool hasQ = PR_FALSE; PRBool hasQ = PR_FALSE;
unsigned int b; /* 160 <= b <= 512, b is a multiple of 8 */ unsigned int b = 0; /* 160 <= b <= 512, b is a multiple of 8 */
unsigned char XKey[512/8]; unsigned char XKey[512/8];
unsigned char XSeed[512/8]; unsigned char XSeed[512/8];
unsigned char GENX[2*SHA1_LENGTH]; unsigned char GENX[2*SHA1_LENGTH];
@ -3416,8 +3383,8 @@ SECStatus sha_mct_test(unsigned int MDLen, unsigned char *seed, FILE *resp)
void sha_test(char *reqfn) void sha_test(char *reqfn)
{ {
unsigned int i, j; unsigned int i, j;
unsigned int MDlen; /* the length of the Message Digest in Bytes */ unsigned int MDlen = 0; /* the length of the Message Digest in Bytes */
unsigned int msgLen; /* the length of the input Message in Bytes */ unsigned int msgLen = 0; /* the length of the input Message in Bytes */
unsigned char *msg = NULL; /* holds the message to digest.*/ unsigned char *msg = NULL; /* holds the message to digest.*/
size_t bufSize = 25608; /*MAX buffer size */ size_t bufSize = 25608; /*MAX buffer size */
char *buf = NULL; /* holds one line from the input REQUEST file.*/ char *buf = NULL; /* holds one line from the input REQUEST file.*/
@ -3594,18 +3561,18 @@ void hmac_test(char *reqfn)
unsigned int i, j; unsigned int i, j;
size_t bufSize = 400; /* MAX buffer size */ size_t bufSize = 400; /* MAX buffer size */
char *buf = NULL; /* holds one line from the input REQUEST file.*/ char *buf = NULL; /* holds one line from the input REQUEST file.*/
unsigned int keyLen; /* Key Length */ unsigned int keyLen = 0; /* Key Length */
unsigned char key[200]; /* key MAX size = 184 */ unsigned char key[200]; /* key MAX size = 184 */
unsigned int msgLen = 128; /* the length of the input */ unsigned int msgLen = 128; /* the length of the input */
/* Message is always 128 Bytes */ /* Message is always 128 Bytes */
unsigned char *msg = NULL; /* holds the message to digest.*/ unsigned char *msg = NULL; /* holds the message to digest.*/
unsigned int HMACLen; /* the length of the HMAC Bytes */ unsigned int HMACLen = 0; /* the length of the HMAC Bytes */
unsigned int TLen; /* the length of the requested */ unsigned int TLen = 0; /* the length of the requested */
/* truncated HMAC Bytes */ /* truncated HMAC Bytes */
unsigned char HMAC[HASH_LENGTH_MAX]; /* computed HMAC */ unsigned char HMAC[HASH_LENGTH_MAX]; /* computed HMAC */
unsigned char expectedHMAC[HASH_LENGTH_MAX]; /* for .fax files that have */ unsigned char expectedHMAC[HASH_LENGTH_MAX]; /* for .fax files that have */
/* supplied known answer */ /* supplied known answer */
HASH_HashType hash_alg; /* HMAC type */ HASH_HashType hash_alg = HASH_AlgNULL; /* HMAC type */
FILE *req = NULL; /* input stream from the REQUEST file */ FILE *req = NULL; /* input stream from the REQUEST file */
@ -3901,7 +3868,7 @@ dsa_pqgver_test(char *reqfn)
unsigned int i, j; unsigned int i, j;
PQGParams pqg; PQGParams pqg;
PQGVerify vfy; PQGVerify vfy;
unsigned int pghSize; /* size for p, g, and h */ unsigned int pghSize = 0; /* size for p, g, and h */
dsa_pqg_type type = FIPS186_1; dsa_pqg_type type = FIPS186_1;
dsareq = fopen(reqfn, "r"); dsareq = fopen(reqfn, "r");
@ -4234,7 +4201,7 @@ dsa_pqggen_test(char *reqfn)
unsigned int j; unsigned int j;
PQGParams *pqg = NULL; PQGParams *pqg = NULL;
PQGVerify *vfy = NULL; PQGVerify *vfy = NULL;
unsigned int keySizeIndex; unsigned int keySizeIndex = 0;
dsa_pqg_type type = FIPS186_1; dsa_pqg_type type = FIPS186_1;
dsareq = fopen(reqfn, "r"); dsareq = fopen(reqfn, "r");
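Review bot: The new initialisers in tdea_kat_mmt and aes_kat_mmt (`int mode = NSS_DES_EDE3;`, `int mode = NSS_AES;`) are valid cipher modes, so a request file that never states its mode would now be processed as ECB instead of being noticed. The same applies in a weaker form to `keysize = 0`, `HMACLen = 0`, `hash_alg = HASH_AlgNULL` and the other zero defaults: they silence the uninitialised-variable warning, but whether the parsers reject a test vector that arrives before its header line was read is not visible in these hunks. A sentinel that is not a legal value, checked before the cipher or hash call, would keep the tool from writing responses computed with parameters nobody supplied. Each declaration should at least carry a comment such as `/* 0 = not yet read from the request file */`.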


@ -339,7 +339,6 @@ static enum {
static const char stopCmd[] = { "GET /stop " }; static const char stopCmd[] = { "GET /stop " };
static const char getCmd[] = { "GET " }; static const char getCmd[] = { "GET " };
static const char EOFmsg[] = { "EOF\r\n\r\n\r\n" };
static const char outHeader[] = { static const char outHeader[] = {
"HTTP/1.0 200 OK\r\n" "HTTP/1.0 200 OK\r\n"
"Server: Generic Web Server\r\n" "Server: Generic Web Server\r\n"
@ -712,8 +711,8 @@ handle_connection(
/* else good status response */ /* else good status response */
if (!isPost && ocspMethodsAllowed == ocspGetUnknown) { if (!isPost && ocspMethodsAllowed == ocspGetUnknown) {
unknown = PR_TRUE; unknown = PR_TRUE;
nextUpdate = PR_Now() + 60*60*24 * PR_USEC_PER_SEC; /*tomorrow*/ nextUpdate = PR_Now() + (PRTime)60*60*24 * PR_USEC_PER_SEC; /*tomorrow*/
revoDate = PR_Now() - 60*60*24 * PR_USEC_PER_SEC; /*yesterday*/ revoDate = PR_Now() - (PRTime)60*60*24 * PR_USEC_PER_SEC; /*yesterday*/
} }
} }
} }


@ -241,7 +241,7 @@ void
SECU_PrintAsHex(FILE *out, const SECItem *data, const char *m, int level) SECU_PrintAsHex(FILE *out, const SECItem *data, const char *m, int level)
{ {
unsigned i; unsigned i;
int column; int column = 0;
PRBool isString = PR_TRUE; PRBool isString = PR_TRUE;
PRBool isWhiteSpace = PR_TRUE; PRBool isWhiteSpace = PR_TRUE;
PRBool printedHex = PR_FALSE; PRBool printedHex = PR_FALSE;
@ -684,7 +684,7 @@ static unsigned char nibble(char c) {
SECStatus SECStatus
SECU_SECItemHexStringToBinary(SECItem* srcdest) SECU_SECItemHexStringToBinary(SECItem* srcdest)
{ {
int i; unsigned int i;
if (!srcdest) { if (!srcdest) {
PORT_SetError(SEC_ERROR_INVALID_ARGS); PORT_SetError(SEC_ERROR_INVALID_ARGS);


@ -446,7 +446,7 @@ prettyPrintLength(FILE *out, const unsigned char *data, const unsigned char *end
} }
lenLen = nb + 1; lenLen = nb + 1;
if (raw) { if (raw) {
int i; unsigned int i;
rv = prettyPrintByte(out, lbyte, lv); rv = prettyPrintByte(out, lbyte, lv);
if (rv < 0) if (rv < 0)


@ -577,7 +577,7 @@ const Constant _consts[] = {
}; };
const Constant *consts = &_consts[0]; const Constant *consts = &_consts[0];
const int constCount = sizeof(_consts)/sizeof(_consts[0]); const unsigned int constCount = sizeof(_consts)/sizeof(_consts[0]);
const Commands _commands[] = { const Commands _commands[] = {
{"C_Initialize", F_C_Initialize, {"C_Initialize", F_C_Initialize,
@ -1389,7 +1389,7 @@ const int topicCount = sizeof(_topics) / sizeof(_topics[0]);
const char * const char *
getName(CK_ULONG value, ConstType type) getName(CK_ULONG value, ConstType type)
{ {
int i; unsigned int i;
for (i=0; i < constCount; i++) { for (i=0; i < constCount; i++) {
if (consts[i].type == type && consts[i].value == value) { if (consts[i].type == type && consts[i].value == value) {
@ -1409,9 +1409,9 @@ getNameFromAttribute(CK_ATTRIBUTE_TYPE type)
return getName(type, ConstAttribute); return getName(type, ConstAttribute);
} }
int totalKnownType(ConstType type) { unsigned int totalKnownType(ConstType type) {
int count = 0; unsigned int count = 0;
int i; unsigned int i;
for (i=0; i < constCount; i++) { for (i=0; i < constCount; i++) {
if (consts[i].type == type) count++; if (consts[i].type == type) count++;


@ -162,7 +162,7 @@ extern const int valueCount;
extern const char **constTypeString; extern const char **constTypeString;
extern const int constTypeCount; extern const int constTypeCount;
extern const Constant *consts; extern const Constant *consts;
extern const int constCount; extern const unsigned int constCount;
extern const Commands *commands; extern const Commands *commands;
extern const int commandCount; extern const int commandCount;
extern const Topics *topics; extern const Topics *topics;
@ -174,7 +174,7 @@ getName(CK_ULONG value, ConstType type);
extern const char * extern const char *
getNameFromAttribute(CK_ATTRIBUTE_TYPE type); getNameFromAttribute(CK_ATTRIBUTE_TYPE type);
extern int totalKnownType(ConstType type); extern unsigned int totalKnownType(ConstType type);
#endif /* _PK11_TABLE_H_ */ #endif /* _PK11_TABLE_H_ */


@ -375,7 +375,8 @@ SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass,
PR_fprintf(PR_STDERR, "Invalid password.\n"); PR_fprintf(PR_STDERR, "Invalid password.\n");
PORT_Memset(oldpw, 0, PL_strlen(oldpw)); PORT_Memset(oldpw, 0, PL_strlen(oldpw));
PORT_Free(oldpw); PORT_Free(oldpw);
return SECFailure; rv = SECFailure;
goto done;
} }
} else } else
break; break;
@ -385,20 +386,22 @@ SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass,
newpw = secu_InitSlotPassword(slot, PR_FALSE, &newpwdata); newpw = secu_InitSlotPassword(slot, PR_FALSE, &newpwdata);
if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) { rv = PK11_ChangePW(slot, oldpw, newpw);
if (rv != SECSuccess) {
PR_fprintf(PR_STDERR, "Failed to change password.\n"); PR_fprintf(PR_STDERR, "Failed to change password.\n");
return SECFailure; } else {
PR_fprintf(PR_STDOUT, "Password changed successfully.\n");
} }
PORT_Memset(oldpw, 0, PL_strlen(oldpw)); PORT_Memset(oldpw, 0, PL_strlen(oldpw));
PORT_Free(oldpw); PORT_Free(oldpw);
PR_fprintf(PR_STDOUT, "Password changed successfully.\n");
done: done:
if (newpw) {
PORT_Memset(newpw, 0, PL_strlen(newpw)); PORT_Memset(newpw, 0, PL_strlen(newpw));
PORT_Free(newpw); PORT_Free(newpw);
return SECSuccess; }
return rv;
} }
struct matchobj { struct matchobj {
@ -1550,7 +1553,7 @@ SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m,
fprintf(out, "Serial DER as C source: \n{ %d, \"", c->serialNumber.len); fprintf(out, "Serial DER as C source: \n{ %d, \"", c->serialNumber.len);
{ {
int i; unsigned int i;
for (i=0; i < c->serialNumber.len; ++i) { for (i=0; i < c->serialNumber.len; ++i) {
unsigned char *chardata = (unsigned char*)(c->serialNumber.data); unsigned char *chardata = (unsigned char*)(c->serialNumber.data);
unsigned char c = *(chardata + i); unsigned char c = *(chardata + i);
@ -2417,7 +2420,6 @@ SECU_PrintCertificateBasicInfo(FILE *out, const SECItem *der, const char *m, int
PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
CERTCertificate *c; CERTCertificate *c;
int rv = SEC_ERROR_NO_MEMORY; int rv = SEC_ERROR_NO_MEMORY;
int iv;
if (!arena) if (!arena)
return rv; return rv;
@ -2743,7 +2745,7 @@ secu_PrintPKCS7Signed(FILE *out, SEC_PKCS7SignedData *src,
while ((aCert = src->rawCerts[iv++]) != NULL) { while ((aCert = src->rawCerts[iv++]) != NULL) {
sprintf(om, "Certificate (%x)", iv); sprintf(om, "Certificate (%x)", iv);
rv = SECU_PrintSignedData(out, aCert, om, level + 2, rv = SECU_PrintSignedData(out, aCert, om, level + 2,
SECU_PrintCertificate); (SECU_PPFunc)SECU_PrintCertificate);
if (rv) if (rv)
return rv; return rv;
} }
@ -2862,7 +2864,7 @@ secu_PrintPKCS7SignedAndEnveloped(FILE *out,
while ((aCert = src->rawCerts[iv++]) != NULL) { while ((aCert = src->rawCerts[iv++]) != NULL) {
sprintf(om, "Certificate (%x)", iv); sprintf(om, "Certificate (%x)", iv);
rv = SECU_PrintSignedData(out, aCert, om, level + 2, rv = SECU_PrintSignedData(out, aCert, om, level + 2,
SECU_PrintCertificate); (SECU_PPFunc)SECU_PrintCertificate);
if (rv) if (rv)
return rv; return rv;
} }
@ -3192,7 +3194,7 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
data.len = cert->derCert.len; data.len = cert->derCert.len;
rv = SECU_PrintSignedData(stdout, &data, label, 0, rv = SECU_PrintSignedData(stdout, &data, label, 0,
SECU_PrintCertificate); (SECU_PPFunc)SECU_PrintCertificate);
if (rv) { if (rv) {
return(SECFailure); return(SECFailure);
} }
@ -3283,7 +3285,7 @@ SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
errstr = NULL; errstr = NULL;
switch (node->error) { switch (node->error) {
case SEC_ERROR_INADEQUATE_KEY_USAGE: case SEC_ERROR_INADEQUATE_KEY_USAGE:
flags = (unsigned int)node->arg; flags = (unsigned int)((char *)node->arg - (char *)NULL);
switch (flags) { switch (flags) {
case KU_DIGITAL_SIGNATURE: case KU_DIGITAL_SIGNATURE:
errstr = "Cert cannot sign."; errstr = "Cert cannot sign.";
@ -3299,7 +3301,7 @@ SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
break; break;
} }
case SEC_ERROR_INADEQUATE_CERT_TYPE: case SEC_ERROR_INADEQUATE_CERT_TYPE:
flags = (unsigned int)node->arg; flags = (unsigned int)((char *)node->arg - (char *)NULL);
switch (flags) { switch (flags) {
case NS_CERT_TYPE_SSL_CLIENT: case NS_CERT_TYPE_SSL_CLIENT:
case NS_CERT_TYPE_SSL_SERVER: case NS_CERT_TYPE_SSL_SERVER:
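Review bot: In SECU_displayVerifyLog both new conversions, `flags = (unsigned int)((char *)node->arg - (char *)NULL);` under SEC_ERROR_INADEQUATE_KEY_USAGE and again under SEC_ERROR_INADEQUATE_CERT_TYPE, subtract a null pointer from a pointer, which C leaves undefined because the two operands do not point into the same object. It silences the pointer-to-int truncation warning, but an integer round trip says the same thing without the undefined step: `flags = (unsigned int)(PRUword)node->arg;`. A one-line comment that `arg` carries a key-usage or cert-type bitmask here rather than an address would also help the next reader. The function body extends beyond both hunks.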


@ -133,25 +133,7 @@ typedef enum {
LAST_MSG /* must be last */ LAST_MSG /* must be last */
} Message; } Message;
static char *msgStrings[] = { /* defined in modutil.c */
"FIPS mode enabled.\n", extern char *msgStrings[];
"FIPS mode disabled.\n",
"Using database directory %s...\n",
"Creating \"%s\"...",
"Module \"%s\" added to database.\n",
"Module \"%s\" deleted from database.\n",
"Token \"%s\" password changed successfully.\n",
"Incorrect password, try again...\n",
"Passwords do not match, try again...\n",
"done.\n",
"Slot \"%s\" %s.\n",
"Successfully changed defaults.\n",
"Successfully changed defaults.\n",
"\nWARNING: Performing this operation while the browser is running could cause"
"\ncorruption of your security databases. If the browser is currently running,"
"\nyou should exit browser before continuing this operation. Type "
"\n'q <enter>' to abort, or <enter> to continue: ",
"\nAborting...\n"
};
#endif /* MODUTIL_ERROR_H */ #endif /* MODUTIL_ERROR_H */
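Review bot: The new declaration `extern char *msgStrings[];` gives the table no bound, so nothing ties the array now defined in modutil.c to the `Message` enum that presumably indexes it. Declaring it as `extern char *msgStrings[LAST_MSG];` would turn a definition with a different number of entries into a compile error. Several entries are printf-style formats (`%s`), so a missing or shifted entry would apply a format string to the wrong arguments; a comment such as `/* indexed by Message; keep in step with the enum */` next to the declaration would record that.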


@ -120,7 +120,8 @@ typedef struct StringNode_str {
StringNode* StringNode_new() StringNode* StringNode_new()
{ {
StringNode* new_this; StringNode* new_this;
new_this = (StringNode*)malloc(sizeof(StringNode)); new_this = (StringNode*)PR_Malloc(sizeof(StringNode));
PORT_Assert(new_this != NULL);
new_this->str = NULL; new_this->str = NULL;
new_this->next = NULL; new_this->next = NULL;
return new_this; return new_this;
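Review bot: StringNode_new dereferences `new_this` right after `PORT_Assert(new_this != NULL);`, and that assertion is compiled out of non-debug builds, so an allocation failure still ends in a write through NULL there. A real check, `if (new_this == NULL) { return NULL; }`, placed before the two field assignments would handle it; the callers are outside this hunk and would need to cope with a NULL return. Moving from malloc to PR_Malloc also means the matching release has to be PR_Free, which this hunk does not show.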


@ -203,7 +203,7 @@ yyparse()
register char *yys; register char *yys;
extern char *getenv(); extern char *getenv();
if (yys = getenv("YYDEBUG")) if ((yys = getenv("YYDEBUG")) != NULL)
{ {
yyn = *yys; yyn = *yys;
if (yyn >= '0' && yyn <= '9') if (yyn >= '0' && yyn <= '9')
@ -220,7 +220,7 @@ yyparse()
*yyssp = yystate = 0; *yyssp = yystate = 0;
yyloop: yyloop:
if (yyn = yydefred[yystate]) goto yyreduce; if ((yyn = yydefred[yystate]) != 0) goto yyreduce;
if (yychar < 0) if (yychar < 0)
{ {
if ((yychar = yylex()) < 0) yychar = 0; if ((yychar = yylex()) < 0) yychar = 0;


@ -1100,6 +1100,7 @@ register char *yy_bp;
#endif /* ifndef YY_NO_UNPUT */ #endif /* ifndef YY_NO_UNPUT */
#ifndef YY_NO_INPUT
#ifdef __cplusplus #ifdef __cplusplus
static int yyinput() static int yyinput()
#else #else
@ -1171,6 +1172,7 @@ static int input()
return c; return c;
} }
#endif /* ifndef YY_NO_INPUT */
#ifdef YY_USE_PROTOS #ifdef YY_USE_PROTOS


@ -24,7 +24,7 @@ PROGRAM = modutil
REQUIRES = seccmd nss dbm REQUIRES = seccmd nss dbm
DEFINES = -DNSPR20 DEFINES = -DNSPR20 -DYY_NO_UNPUT -DYY_NO_INPUT
# sigh # sigh
#INCLUDES += -I$(CORE_DEPTH)/nss/lib/pk11wrap #INCLUDES += -I$(CORE_DEPTH)/nss/lib/pk11wrap


@ -122,6 +122,27 @@ static char *optionStrings[] = {
"-chkfips", "-chkfips",
}; };
char *msgStrings[] = {
"FIPS mode enabled.\n",
"FIPS mode disabled.\n",
"Using database directory %s...\n",
"Creating \"%s\"...",
"Module \"%s\" added to database.\n",
"Module \"%s\" deleted from database.\n",
"Token \"%s\" password changed successfully.\n",
"Incorrect password, try again...\n",
"Passwords do not match, try again...\n",
"done.\n",
"Slot \"%s\" %s.\n",
"Successfully changed defaults.\n",
"Successfully changed defaults.\n",
"\nWARNING: Performing this operation while the browser is running could cause"
"\ncorruption of your security databases. If the browser is currently running,"
"\nyou should exit browser before continuing this operation. Type "
"\n'q <enter>' to abort, or <enter> to continue: ",
"\nAborting...\n"
};
/* Increment i if doing so would have i still be less than j. If you /* Increment i if doing so would have i still be less than j. If you
are able to do this, return 0. Otherwise return 1. */ are able to do this, return 0. Otherwise return 1. */
#define TRY_INC(i,j) ( ((i+1)<j) ? (++i, 0) : 1 ) #define TRY_INC(i,j) ( ((i+1)<j) ? (++i, 0) : 1 )


@ -313,27 +313,6 @@ appendHex(unsigned char nibble)
} }
} }
/*
* append a secitem as colon separated hex bytes.
*/
static void
appendItem(SECItem *item)
{
int i;
if (!buffer.data) {
return;
}
appendLabel(':');
for (i=0; i < item->len; i++) {
unsigned char byte=item->data[i];
appendHex(byte >> 4);
appendHex(byte & 0xf);
appendLabel(':');
}
}
/* /*
* append a 32 bit integer (even on a 64 bit platform). * append a 32 bit integer (even on a 64 bit platform).
* for simplicity append it as a hex value, full extension with 0x prefix. * for simplicity append it as a hex value, full extension with 0x prefix.
@ -493,7 +472,7 @@ do_list_certs(const char *progName, int log)
CERTCertList *sorted; CERTCertList *sorted;
CERTCertListNode *node; CERTCertListNode *node;
CERTCertTrust trust; CERTCertTrust trust;
int i; unsigned int i;
list = PK11_ListCerts(PK11CertListUnique, NULL); list = PK11_ListCerts(PK11CertListUnique, NULL);
if (list == NULL) { if (list == NULL) {


@ -562,7 +562,7 @@ print_raw_certificates (FILE *out_file, SECItem **raw_certs, int level)
while ((raw_cert = raw_certs[i++]) != NULL) { while ((raw_cert = raw_certs[i++]) != NULL) {
sprintf (cert_label, "Certificate (%d)", i); sprintf (cert_label, "Certificate (%d)", i);
(void) SECU_PrintSignedData (out_file, raw_cert, cert_label, level + 1, (void) SECU_PrintSignedData (out_file, raw_cert, cert_label, level + 1,
SECU_PrintCertificate); (SECU_PPFunc)SECU_PrintCertificate);
} }
} }
@ -964,7 +964,7 @@ main (int argc, char **argv)
PLOptState *optstate; PLOptState *optstate;
SECStatus rv; SECStatus rv;
CERTCertDBHandle *handle = NULL; CERTCertDBHandle *handle = NULL;
SECCertUsage cert_usage; SECCertUsage cert_usage = certUsageSSLClient;
PRTime verify_time; PRTime verify_time;
CERTCertificate *cert = NULL; CERTCertificate *cert = NULL;
PRBool ascii = PR_FALSE; PRBool ascii = PR_FALSE;
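Review bot: The `(SECU_PPFunc)SECU_PrintCertificate` cast in print_raw_certificates hides a prototype mismatch instead of removing it, and the same cast is added at the three SECU_PrintSignedData call sites in the earlier file section that holds secu_PrintPKCS7Signed. Calling a function through a pointer of an incompatible type is undefined in C, even if the difference is presumably only `const` on the parameters (the SECU_PPFunc definition is not visible here). Changing the SECU_PPFunc typedef to match, or passing a small wrapper with the exact SECU_PPFunc signature, keeps the compiler checking these callbacks. In the second hunk, `SECCertUsage cert_usage = certUsageSSLClient;` deserves a comment saying whether that is an intended default or only there to quiet a warning.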


@ -129,15 +129,12 @@ main(int argc, char **argv)
SECItem *encoded = NULL; SECItem *encoded = NULL;
CERTOCSPResponse *decoded = NULL; CERTOCSPResponse *decoded = NULL;
SECStatus statusDecoded;
SECItem *encodedRev = NULL; SECItem *encodedRev = NULL;
CERTOCSPResponse *decodedRev = NULL; CERTOCSPResponse *decodedRev = NULL;
SECStatus statusDecodedRev;
SECItem *encodedFail = NULL; SECItem *encodedFail = NULL;
CERTOCSPResponse *decodedFail = NULL; CERTOCSPResponse *decodedFail = NULL;
SECStatus statusDecodedFail;
CERTCertificate *obtainedSignerCert = NULL; CERTCertificate *obtainedSignerCert = NULL;
@ -181,40 +178,47 @@ main(int argc, char **argv)
encoded = encode(arena, cid, caCert); encoded = encode(arena, cid, caCert);
PORT_Assert(encoded); PORT_Assert(encoded);
decoded = CERT_DecodeOCSPResponse(encoded); decoded = CERT_DecodeOCSPResponse(encoded);
statusDecoded = CERT_GetOCSPResponseStatus(decoded); PORT_CheckSuccess(CERT_GetOCSPResponseStatus(decoded));
PORT_Assert(statusDecoded == SECSuccess);
statusDecoded = CERT_VerifyOCSPResponseSignature(decoded, certHandle, &pwdata, PORT_CheckSuccess(CERT_VerifyOCSPResponseSignature(decoded, certHandle, &pwdata,
&obtainedSignerCert, caCert); &obtainedSignerCert, caCert));
PORT_Assert(statusDecoded == SECSuccess); PORT_CheckSuccess(CERT_GetOCSPStatusForCertID(certHandle, decoded, cid,
statusDecoded = CERT_GetOCSPStatusForCertID(certHandle, decoded, cid, obtainedSignerCert, now));
obtainedSignerCert, now);
PORT_Assert(statusDecoded == SECSuccess);
CERT_DestroyCertificate(obtainedSignerCert); CERT_DestroyCertificate(obtainedSignerCert);
encodedRev = encodeRevoked(arena, cid, caCert); encodedRev = encodeRevoked(arena, cid, caCert);
PORT_Assert(encodedRev); PORT_Assert(encodedRev);
decodedRev = CERT_DecodeOCSPResponse(encodedRev); decodedRev = CERT_DecodeOCSPResponse(encodedRev);
statusDecodedRev = CERT_GetOCSPResponseStatus(decodedRev); PORT_CheckSuccess(CERT_GetOCSPResponseStatus(decodedRev));
PORT_Assert(statusDecodedRev == SECSuccess);
statusDecodedRev = CERT_VerifyOCSPResponseSignature(decodedRev, certHandle, &pwdata, PORT_CheckSuccess(CERT_VerifyOCSPResponseSignature(decodedRev, certHandle, &pwdata,
&obtainedSignerCert, caCert); &obtainedSignerCert, caCert));
PORT_Assert(statusDecodedRev == SECSuccess); #ifdef DEBUG
statusDecodedRev = CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid, {
SECStatus rv = CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
obtainedSignerCert, now); obtainedSignerCert, now);
PORT_Assert(statusDecodedRev == SECFailure); PORT_Assert(rv == SECFailure);
PORT_Assert(PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE); PORT_Assert(PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE);
}
#else
(void)CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
obtainedSignerCert, now);
#endif
CERT_DestroyCertificate(obtainedSignerCert); CERT_DestroyCertificate(obtainedSignerCert);
encodedFail = CERT_CreateEncodedOCSPErrorResponse( encodedFail = CERT_CreateEncodedOCSPErrorResponse(
arena, SEC_ERROR_OCSP_TRY_SERVER_LATER); arena, SEC_ERROR_OCSP_TRY_SERVER_LATER);
PORT_Assert(encodedFail); PORT_Assert(encodedFail);
decodedFail = CERT_DecodeOCSPResponse(encodedFail); decodedFail = CERT_DecodeOCSPResponse(encodedFail);
statusDecodedFail = CERT_GetOCSPResponseStatus(decodedFail); #ifdef DEBUG
PORT_Assert(statusDecodedFail == SECFailure); {
SECStatus rv = CERT_GetOCSPResponseStatus(decodedFail);
PORT_Assert(rv == SECFailure);
PORT_Assert(PORT_GetError() == SEC_ERROR_OCSP_TRY_SERVER_LATER); PORT_Assert(PORT_GetError() == SEC_ERROR_OCSP_TRY_SERVER_LATER);
}
#else
(void)CERT_GetOCSPResponseStatus(decodedFail);
#endif
retval = 0; retval = 0;
loser: loser:
if (retval != 0) if (retval != 0)


@ -44,13 +44,13 @@ main(int argc, char **argv)
secondval = atoi(curstr); secondval = atoi(curstr);
if ( ( firstval < 0 ) || ( firstval > 2 ) ) { if ( firstval > 2 ) {
fprintf(stderr, "first component out of range\n"); fprintf(stderr, "first component out of range\n");
exit(-1); exit(-1);
} }
if ( ( secondval < 0 ) || ( secondval > 39 ) ) { if ( secondval > 39 ) {
fprintf(stderr, "second component out of range\n"); fprintf(stderr, "second component out of range\n");
exit(-1); exit(-1);
} }
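Review bot: With the `< 0` tests dropped, the `firstval > 2` and `secondval > 39` checks reject negative input only if both variables are unsigned. Their declarations are outside this hunk, so that should be confirmed, and a comment such as `/* unsigned: a negative atoi() result wraps and fails the upper-bound test */` would record the reasoning. `atoi` also returns 0 for non-numeric text and has undefined behaviour on overflow, so a malformed component is accepted as 0; `strtoul` with an `endptr` check would reject it. The body of `main` continues outside the hunk.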


@ -130,7 +130,6 @@ main(int argc, char **argv)
{ {
char *progName; char *progName;
FILE *inFile, *outFile; FILE *inFile, *outFile;
char *certName;
CERTCertDBHandle *certHandle; CERTCertDBHandle *certHandle;
struct recipient *recipients, *rcpt; struct recipient *recipients, *rcpt;
PLOptState *optstate; PLOptState *optstate;
@ -142,7 +141,6 @@ main(int argc, char **argv)
inFile = NULL; inFile = NULL;
outFile = NULL; outFile = NULL;
certName = NULL;
recipients = NULL; recipients = NULL;
rcpt = NULL; rcpt = NULL;


@ -166,22 +166,22 @@ aes_gcm_kat(const char *respfn)
FILE *aesresp; /* input stream from the RESPONSE file */ FILE *aesresp; /* input stream from the RESPONSE file */
int i, j; int i, j;
unsigned int test_group = 0; unsigned int test_group = 0;
unsigned int num_tests; unsigned int num_tests = 0;
PRBool is_encrypt; PRBool is_encrypt;
unsigned char key[32]; /* 128, 192, or 256 bits */ unsigned char key[32]; /* 128, 192, or 256 bits */
unsigned int keysize; unsigned int keysize = 16;
unsigned char iv[10*16]; /* 1 to 10 blocks */ unsigned char iv[10*16]; /* 1 to 10 blocks */
unsigned int ivsize; unsigned int ivsize = 12;
unsigned char plaintext[10*16]; /* 1 to 10 blocks */ unsigned char plaintext[10*16]; /* 1 to 10 blocks */
unsigned int plaintextlen = 0; unsigned int plaintextlen = 0;
unsigned char aad[10*16]; /* 1 to 10 blocks */ unsigned char aad[10*16]; /* 1 to 10 blocks */
unsigned int aadlen = 0; unsigned int aadlen = 0;
unsigned char ciphertext[10*16]; /* 1 to 10 blocks */ unsigned char ciphertext[10*16]; /* 1 to 10 blocks */
unsigned int ciphertextlen; unsigned int ciphertextlen = 0;
unsigned char tag[16]; unsigned char tag[16];
unsigned int tagsize; unsigned int tagsize = 16;
unsigned char output[10*16]; /* 1 to 10 blocks */ unsigned char output[10*16]; /* 1 to 10 blocks */
unsigned int outputlen; unsigned int outputlen = 0;
unsigned int expected_keylen = 0; unsigned int expected_keylen = 0;
unsigned int expected_ivlen = 0; unsigned int expected_ivlen = 0;
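Review bot: The new initialisers `keysize = 16`, `ivsize = 12` and `tagsize = 16` in `aes_gcm_kat` are all valid AES-GCM sizes, so a RESPONSE file that never states those sizes would presumably be processed with the defaults instead of failing. The parsing code is outside this hunk, so this is inferred. Initialising them to 0 (`unsigned int keysize = 0;`, likewise `ivsize` and `tagsize`) and rejecting a zero size before first use keeps the warning fix while making a malformed known-answer file fail loudly. If the defaults are intentional, a comment like `/* defaults apply when the response file does not state the size */` would say so.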


@ -3506,8 +3506,8 @@ CK_RV PKM_FindAllObjects(CK_FUNCTION_LIST_PTR pFunctionList,
CK_ATTRIBUTE_PTR pTemplate; CK_ATTRIBUTE_PTR pTemplate;
CK_ULONG tnObjects = 0; CK_ULONG tnObjects = 0;
int curMode; int curMode;
int i; unsigned int i;
int number_of_all_known_attribute_types = totalKnownType(ConstAttribute); unsigned int number_of_all_known_attribute_types = totalKnownType(ConstAttribute);
NUMTESTS++; /* increment NUMTESTS */ NUMTESTS++; /* increment NUMTESTS */
@ -4558,7 +4558,7 @@ PKM_TLSMasterKeyDerive( CK_FUNCTION_LIST_PTR pFunctionList,
CK_SESSION_HANDLE hSession; CK_SESSION_HANDLE hSession;
CK_RV crv; CK_RV crv;
CK_MECHANISM mk_mech; CK_MECHANISM mk_mech;
CK_VERSION expected_version, version; CK_VERSION version;
CK_OBJECT_CLASS class = CKO_SECRET_KEY; CK_OBJECT_CLASS class = CKO_SECRET_KEY;
CK_KEY_TYPE type = CKK_GENERIC_SECRET; CK_KEY_TYPE type = CKK_GENERIC_SECRET;
CK_BBOOL derive_bool = true; CK_BBOOL derive_bool = true;
@ -4625,8 +4625,6 @@ PKM_TLSMasterKeyDerive( CK_FUNCTION_LIST_PTR pFunctionList,
case CKM_TLS_MASTER_KEY_DERIVE: case CKM_TLS_MASTER_KEY_DERIVE:
attrs[3].pValue = NULL; attrs[3].pValue = NULL;
attrs[3].ulValueLen = 0; attrs[3].ulValueLen = 0;
expected_version.major = 3;
expected_version.minor = 1;
mkd_params.RandomInfo.pClientRandom = (unsigned char * ) TLSClientRandom; mkd_params.RandomInfo.pClientRandom = (unsigned char * ) TLSClientRandom;
mkd_params.RandomInfo.ulClientRandomLen = mkd_params.RandomInfo.ulClientRandomLen =


@ -756,7 +756,7 @@ P12U_ListPKCS12File(char *in_file, PK11SlotInfo *slot,
} else } else
if (SECU_PrintSignedData(stdout, dip->der, if (SECU_PrintSignedData(stdout, dip->der,
(dip->hasKey) ? "(has private key)" : "", (dip->hasKey) ? "(has private key)" : "",
0, SECU_PrintCertificate) != 0) { 0, (SECU_PPFunc)SECU_PrintCertificate) != 0) {
SECU_PrintError(progName,"PKCS12 print cert bag failed"); SECU_PrintError(progName,"PKCS12 print cert bag failed");
} }
if (dip->friendlyName != NULL) { if (dip->friendlyName != NULL) {
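Review bot: The `(SECU_PPFunc)` cast on `SECU_PrintCertificate` in `P12U_ListPKCS12File` silences an incompatible-pointer warning rather than resolving it. If the two function types really differ, calling through the cast pointer is undefined behaviour in C, and the cast will keep hiding any later signature drift. The same cast appears in the `SECU_PrintSignedData(outFile, &data, "Certificate", ...)` call in a later `main` hunk and on both `dumpFunction` assignments in `dumpServerCertificateChain`. The declarations of `SECU_PPFunc` and `SECU_PrintCertificate` are not visible here; assuming they differ only in const qualification, a small static wrapper with the exact `SECU_PPFunc` signature that forwards to `SECU_PrintCertificate`, or an updated typedef, would keep the compiler's type check.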


@ -175,7 +175,7 @@ main(int argc, char **argv)
PRFileDesc *inFile; PRFileDesc *inFile;
char *keyName = NULL; char *keyName = NULL;
CERTCertDBHandle *certHandle; CERTCertDBHandle *certHandle;
CERTCertificate *cert; CERTCertificate *cert = NULL;
PLOptState *optstate; PLOptState *optstate;
PLOptStatus status; PLOptStatus status;
SECStatus rv; SECStatus rv;


@ -25,8 +25,11 @@ static void Usage(char *progName)
"Usage: %s [-t type] [-a] [-i input] [-o output] [-w] [-u]\n", "Usage: %s [-t type] [-a] [-i input] [-o output] [-w] [-u]\n",
progName); progName);
fprintf(stderr, "Pretty prints a file containing ASN.1 data in DER or ascii format.\n"); fprintf(stderr, "Pretty prints a file containing ASN.1 data in DER or ascii format.\n");
fprintf(stderr, "%-14s Specify input and display type: %s (sk),\n", fprintf(stderr, "%-14s Specify input and display type:", "-t type");
"-t type", SEC_CT_PRIVATE_KEY); #ifdef HAVE_EPV_TEMPLATE
fprintf(stderr, " %s (sk),", SEC_CT_PRIVATE_KEY);
#endif
fprintf(stderr, "\n");
fprintf(stderr, "%-14s %s (pk), %s (c), %s (cr),\n", "", SEC_CT_PUBLIC_KEY, fprintf(stderr, "%-14s %s (pk), %s (c), %s (cr),\n", "", SEC_CT_PUBLIC_KEY,
SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST); SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST);
fprintf(stderr, "%-14s %s (ci), %s (p7), %s or %s (n).\n", "", SEC_CT_CERTIFICATE_ID, fprintf(stderr, "%-14s %s (ci), %s (p7), %s or %s (n).\n", "", SEC_CT_CERTIFICATE_ID,
@ -136,7 +139,7 @@ int main(int argc, char **argv)
if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE) == 0 || if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE) == 0 ||
PORT_Strcmp(typeTag, "c") == 0) { PORT_Strcmp(typeTag, "c") == 0) {
rv = SECU_PrintSignedData(outFile, &data, "Certificate", 0, rv = SECU_PrintSignedData(outFile, &data, "Certificate", 0,
SECU_PrintCertificate); (SECU_PPFunc)SECU_PrintCertificate);
} else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_ID) == 0 || } else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_ID) == 0 ||
PORT_Strcmp(typeTag, "ci") == 0) { PORT_Strcmp(typeTag, "ci") == 0) {
rv = SECU_PrintSignedContent(outFile, &data, 0, 0, rv = SECU_PrintSignedContent(outFile, &data, 0, 0,


@ -71,9 +71,9 @@ long_usage (char *program_name)
int int
readStdin(SECItem * result) readStdin(SECItem * result)
{ {
int bufsize = 0; unsigned int bufsize = 0;
int cc; int cc;
int wanted = 8192; unsigned int wanted = 8192U;
result->len = 0; result->len = 0;
result->data = NULL; result->data = NULL;


@ -119,16 +119,16 @@ const int ssl3CipherSuites[] = {
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */
TLS_RSA_WITH_RC4_128_SHA, /* n */ TLS_RSA_WITH_RC4_128_SHA, /* n */
-1, /* TLS_DHE_DSS_WITH_RC4_128_SHA, * o */ TLS_DHE_DSS_WITH_RC4_128_SHA, /* o */
-1, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, * p */ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* p */
-1, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, * q */ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, /* q */
-1, /* TLS_DHE_RSA_WITH_DES_CBC_SHA, * r */ TLS_DHE_RSA_WITH_DES_CBC_SHA, /* r */
-1, /* TLS_DHE_DSS_WITH_DES_CBC_SHA, * s */ TLS_DHE_DSS_WITH_DES_CBC_SHA, /* s */
-1, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA, * t */ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* t */
-1, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA, * u */ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, /* u */
TLS_RSA_WITH_AES_128_CBC_SHA, /* v */ TLS_RSA_WITH_AES_128_CBC_SHA, /* v */
-1, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA, * w */ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, /* w */
-1, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA, * x */ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, /* x */
TLS_RSA_WITH_AES_256_CBC_SHA, /* y */ TLS_RSA_WITH_AES_256_CBC_SHA, /* y */
TLS_RSA_WITH_NULL_SHA, /* z */ TLS_RSA_WITH_NULL_SHA, /* z */
0 0
@ -141,6 +141,9 @@ static PRBool noDelay;
static int requestCert; static int requestCert;
static int verbose; static int verbose;
static SECItem bigBuf; static SECItem bigBuf;
static int configureDHE = -1; /* -1: don't configure, 0 disable, >=1 enable*/
static int configureReuseECDHE = -1; /* -1: don't configure, 0 refresh, >=1 reuse*/
static int configureWeakDHE = -1; /* -1: don't configure, 0 disable, >=1 enable*/
static PRThread * acceptorThread; static PRThread * acceptorThread;
@ -160,11 +163,12 @@ PrintUsageHeader(const char *progName)
" [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n" " [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
" [-V [min-version]:[max-version]] [-a sni_name]\n" " [-V [min-version]:[max-version]] [-a sni_name]\n"
" [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n" " [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n"
" [-C SSLCacheEntries] [-S dsa_nickname]"
#ifndef NSS_DISABLE_ECC #ifndef NSS_DISABLE_ECC
" [-C SSLCacheEntries] [-e ec_nickname]\n" " [-e ec_nickname]"
#else
" [-C SSLCacheEntries]\n"
#endif /* NSS_DISABLE_ECC */ #endif /* NSS_DISABLE_ECC */
"\n"
" -U [0|1] -H [0|1] -W [0|1]\n"
,progName); ,progName);
} }
@ -216,6 +220,9 @@ PrintParameterUsage()
" good, revoked, unknown, failure, badsig, corrupted\n" " good, revoked, unknown, failure, badsig, corrupted\n"
" ocsp: fetch from external OCSP server using AIA, or none\n" " ocsp: fetch from external OCSP server using AIA, or none\n"
"-A <ca> Nickname of a CA used to sign a stapled cert status\n" "-A <ca> Nickname of a CA used to sign a stapled cert status\n"
"-U override default ECDHE ephemeral key reuse, 0: refresh, 1: reuse\n"
"-H override default DHE server support, 0: disable, 1: enable\n"
"-W override default DHE server weak parameters support, 0: disable, 1: enable\n"
"-c Restrict ciphers\n" "-c Restrict ciphers\n"
"-Y prints cipher values allowed for parameter -c and exits\n" "-Y prints cipher values allowed for parameter -c and exits\n"
, stderr); , stderr);
@ -252,7 +259,16 @@ PrintCipherUsage(const char *progName)
"l SSL3 RSA EXPORT WITH DES CBC SHA\t(new)\n" "l SSL3 RSA EXPORT WITH DES CBC SHA\t(new)\n"
"m SSL3 RSA EXPORT WITH RC4 56 SHA\t(new)\n" "m SSL3 RSA EXPORT WITH RC4 56 SHA\t(new)\n"
"n SSL3 RSA WITH RC4 128 SHA\n" "n SSL3 RSA WITH RC4 128 SHA\n"
"o TLS_DHE_DSS_WITH_RC4_128_SHA\n"
"p TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA\n"
"q TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA\n"
"r TLS_DHE_RSA_WITH_DES_CBC_SHA\n"
"s TLS_DHE_DSS_WITH_DES_CBC_SHA\n"
"t TLS_DHE_DSS_WITH_AES_128_CBC_SHA\n"
"u TLS_DHE_RSA_WITH_AES_128_CBC_SHA\n"
"v SSL3 RSA WITH AES 128 CBC SHA\n" "v SSL3 RSA WITH AES 128 CBC SHA\n"
"w TLS_DHE_DSS_WITH_AES_256_CBC_SHA\n"
"x TLS_DHE_RSA_WITH_AES_256_CBC_SHA\n"
"y SSL3 RSA WITH AES 256 CBC SHA\n" "y SSL3 RSA WITH AES 256 CBC SHA\n"
"z SSL3 RSA WITH NULL SHA\n" "z SSL3 RSA WITH NULL SHA\n"
"\n" "\n"
@ -486,8 +502,8 @@ mySSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr,
pwdata = SSL_RevealPinArg(fd); pwdata = SSL_RevealPinArg(fd);
for (;current && i < sniNameArrSize;i++) { for (;current && (PRUint32)i < sniNameArrSize;i++) {
int j = 0; unsigned int j = 0;
for (;j < MAX_VIRT_SERVER_NAME_ARRAY_INDEX && nameArr[j];j++) { for (;j < MAX_VIRT_SERVER_NAME_ARRAY_INDEX && nameArr[j];j++) {
if (!PORT_Strncmp(nameArr[j], if (!PORT_Strncmp(nameArr[j],
(const char *)current[i].data, (const char *)current[i].data,
@ -1113,7 +1129,7 @@ makeSignedOCSPResponse(PLArenaPool *arena, ocspStaplingModeType osm,
SECItemArray *result = NULL; SECItemArray *result = NULL;
SECItem *ocspResponse = NULL; SECItem *ocspResponse = NULL;
CERTOCSPSingleResponse **singleResponses; CERTOCSPSingleResponse **singleResponses;
CERTOCSPSingleResponse *sr; CERTOCSPSingleResponse *sr = NULL;
CERTOCSPCertID *cid = NULL; CERTOCSPCertID *cid = NULL;
CERTCertificate *ca; CERTCertificate *ca;
PRTime now = PR_Now(); PRTime now = PR_Now();
@ -1129,7 +1145,7 @@ makeSignedOCSPResponse(PLArenaPool *arena, ocspStaplingModeType osm,
if (!cid) if (!cid)
errExit("cannot created cid"); errExit("cannot created cid");
nextUpdate = now + 60*60*24 * PR_USEC_PER_SEC; /* plus 1 day */ nextUpdate = now + (PRTime)60*60*24 * PR_USEC_PER_SEC; /* plus 1 day */
switch (osm) { switch (osm) {
case osm_good: case osm_good:
@ -1144,7 +1160,7 @@ makeSignedOCSPResponse(PLArenaPool *arena, ocspStaplingModeType osm,
case osm_revoked: case osm_revoked:
sr = CERT_CreateOCSPSingleResponseRevoked(arena, cid, now, sr = CERT_CreateOCSPSingleResponseRevoked(arena, cid, now,
&nextUpdate, &nextUpdate,
now - 60*60*24 * PR_USEC_PER_SEC, /* minus 1 day */ now - (PRTime)60*60*24 * PR_USEC_PER_SEC, /* minus 1 day */
NULL); NULL);
break; break;
default: default:
@ -1905,6 +1921,27 @@ server_main(
} }
} }
if (configureDHE > -1) {
rv = SSL_OptionSet(model_sock, SSL_ENABLE_SERVER_DHE, (configureDHE > 0));
if (rv != SECSuccess) {
errExit("error configuring server side DHE support");
}
}
if (configureReuseECDHE > -1) {
rv = SSL_OptionSet(model_sock, SSL_REUSE_SERVER_ECDHE_KEY, (configureReuseECDHE > 0));
if (rv != SECSuccess) {
errExit("error configuring server side reuse of ECDHE key");
}
}
if (configureWeakDHE > -1) {
rv = SSL_EnableWeakDHEPrimeGroup(model_sock, (configureWeakDHE > 0));
if (rv != SECSuccess) {
errExit("error configuring weak DHE prime group");
}
}
for (kea = kt_rsa; kea < kt_kea_size; kea++) { for (kea = kt_rsa; kea < kt_kea_size; kea++) {
if (cert[kea] != NULL) { if (cert[kea] != NULL) {
secStatus = SSL_ConfigSecureServer(model_sock, secStatus = SSL_ConfigSecureServer(model_sock,
@ -2136,6 +2173,7 @@ main(int argc, char **argv)
#ifndef NSS_DISABLE_ECC #ifndef NSS_DISABLE_ECC
char * ecNickName = NULL; char * ecNickName = NULL;
#endif #endif
char * dsaNickName = NULL;
const char * fileName = NULL; const char * fileName = NULL;
char * cipherString= NULL; char * cipherString= NULL;
const char * dir = "."; const char * dir = ".";
@ -2180,7 +2218,7 @@ main(int argc, char **argv)
** numbers, then capital letters, then lower case, alphabetical. ** numbers, then capital letters, then lower case, alphabetical.
*/ */
optstate = PL_CreateOptState(argc, argv, optstate = PL_CreateOptState(argc, argv,
"2:A:BC:DEL:M:NP:RT:V:Ya:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz"); "2:A:BC:DEH:L:M:NP:RS:T:U:V:W:Ya:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
++optionsFound; ++optionsFound;
switch(optstate->option) { switch(optstate->option) {
@ -2194,6 +2232,7 @@ main(int argc, char **argv)
case 'D': noDelay = PR_TRUE; break; case 'D': noDelay = PR_TRUE; break;
case 'E': disableStepDown = PR_TRUE; break; case 'E': disableStepDown = PR_TRUE; break;
case 'H': configureDHE = (PORT_Atoi(optstate->value) != 0); break;
case 'I': /* reserved for OCSP multi-stapling */ break; case 'I': /* reserved for OCSP multi-stapling */ break;
@ -2217,6 +2256,8 @@ main(int argc, char **argv)
case 'R': disableRollBack = PR_TRUE; break; case 'R': disableRollBack = PR_TRUE; break;
case 'S': dsaNickName = PORT_Strdup(optstate->value); break;
case 'T': case 'T':
if (enableOCSPStapling(optstate->value) != SECSuccess) { if (enableOCSPStapling(optstate->value) != SECSuccess) {
fprintf(stderr, "Invalid OCSP stapling mode.\n"); fprintf(stderr, "Invalid OCSP stapling mode.\n");
@ -2225,6 +2266,8 @@ main(int argc, char **argv)
} }
break; break;
case 'U': configureReuseECDHE = (PORT_Atoi(optstate->value) != 0); break;
case 'V': if (SECU_ParseSSLVersionRangeString(optstate->value, case 'V': if (SECU_ParseSSLVersionRangeString(optstate->value,
enabledVersions, enableSSL2, enabledVersions, enableSSL2,
&enabledVersions, &enableSSL2) != SECSuccess) { &enabledVersions, &enableSSL2) != SECSuccess) {
@ -2232,10 +2275,12 @@ main(int argc, char **argv)
} }
break; break;
case 'W': configureWeakDHE = (PORT_Atoi(optstate->value) != 0); break;
case 'Y': PrintCipherUsage(progName); exit(0); break; case 'Y': PrintCipherUsage(progName); exit(0); break;
case 'a': if (virtServerNameIndex >= MAX_VIRT_SERVER_NAME_ARRAY_INDEX) { case 'a': if (virtServerNameIndex >= MAX_VIRT_SERVER_NAME_ARRAY_INDEX) {
Usage(progName); Usage(progName); break;
} }
virtServerNameArray[virtServerNameIndex++] = virtServerNameArray[virtServerNameIndex++] =
PORT_Strdup(optstate->value); break; PORT_Strdup(optstate->value); break;
@ -2362,6 +2407,7 @@ main(int argc, char **argv)
} }
if ((nickName == NULL) if ((nickName == NULL)
&& (dsaNickName == NULL)
#ifndef NSS_DISABLE_ECC #ifndef NSS_DISABLE_ECC
&& (ecNickName == NULL) && (ecNickName == NULL)
#endif #endif
@ -2593,6 +2639,33 @@ main(int argc, char **argv)
setupCertStatus(certStatusArena, ocspStaplingMode, cert[kt_rsa], kt_rsa, setupCertStatus(certStatusArena, ocspStaplingMode, cert[kt_rsa], kt_rsa,
&pwdata); &pwdata);
} }
if (dsaNickName) {
/* Investigate if ssl_kea_dh should be changed to ssl_auth_dsa.
* See bug 102794.*/
cert[ssl_kea_dh] = PK11_FindCertFromNickname(dsaNickName, &pwdata);
if (cert[ssl_kea_dh] == NULL) {
fprintf(stderr, "selfserv: Can't find certificate %s\n", dsaNickName);
exit(12);
}
privKey[ssl_kea_dh] = PK11_FindKeyByAnyCert(cert[ssl_kea_dh], &pwdata);
if (privKey[ssl_kea_dh] == NULL) {
fprintf(stderr, "selfserv: Can't find Private Key for cert %s\n",
dsaNickName);
exit(11);
}
if (testbypass) {
PRBool bypassOK;
if (SSL_CanBypass(cert[ssl_kea_dh], privKey[ssl_kea_dh], protos, cipherlist,
nciphers, &bypassOK, &pwdata) != SECSuccess) {
SECU_PrintError(progName, "Bypass test failed %s\n", nickName);
exit(14);
}
fprintf(stderr, "selfserv: %s can%s bypass\n", nickName,
bypassOK ? "" : "not");
}
setupCertStatus(certStatusArena, ocspStaplingMode, cert[ssl_kea_dh], ssl_kea_dh,
&pwdata);
}
#ifndef NSS_DISABLE_ECC #ifndef NSS_DISABLE_ECC
if (ecNickName) { if (ecNickName) {
cert[kt_ecdh] = PK11_FindCertFromNickname(ecNickName, &pwdata); cert[kt_ecdh] = PK11_FindCertFromNickname(ecNickName, &pwdata);
@ -2625,6 +2698,13 @@ main(int argc, char **argv)
if (testbypass) if (testbypass)
goto cleanup; goto cleanup;
if (configureWeakDHE > 0) {
fprintf(stderr, "selfserv: Creating dynamic weak DH parameters\n");
rv = SSL_EnableWeakDHEPrimeGroup(NULL, PR_TRUE);
fprintf(stderr, "selfserv: Done creating dynamic weak DH parameters\n");
}
/* allocate the array of thread slots, and launch the worker threads. */ /* allocate the array of thread slots, and launch the worker threads. */
rv = launch_threads(&jobLoop, 0, 0, requestCert, useLocalThreads); rv = launch_threads(&jobLoop, 0, 0, requestCert, useLocalThreads);
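Review bot: In the new `if (dsaNickName)` block the bypass-test messages print `nickName` instead of `dsaNickName`. Since the start-up check now accepts a DSA nickname on its own, `nickName` can be NULL there and is passed to a `%s` conversion. The two calls should read `SECU_PrintError(progName, "Bypass test failed %s\n", dsaNickName);` and `fprintf(stderr, "selfserv: %s can%s bypass\n", dsaNickName, bypassOK ? "" : "not");`. Separately, `rv = SSL_EnableWeakDHEPrimeGroup(NULL, PR_TRUE);` near the end of `main` is followed by a "Done" message without testing `rv`; `if (rv != SECSuccess) errExit("error creating weak DHE prime group");` would match the checks added in `server_main`.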


@ -195,6 +195,10 @@ static const unsigned char base[] = {
0x14, 0x8e, 0xe7, 0xb8, 0xaa, 0xd5, 0xd1, 0x36, 0x14, 0x8e, 0xe7, 0xb8, 0xaa, 0xd5, 0xd1, 0x36,
0x1d, 0x7e, 0x5e, 0x7d, 0xfa, 0x5b, 0x77, 0x1f }; 0x1d, 0x7e, 0x5e, 0x7d, 0xfa, 0x5b, 0x77, 0x1f };
/*
* The constants h, seed, & counter aren't used in the code; they're provided
* here (commented-out) so that human readers can verify that our our PQG
* parameters were generated properly.
static const unsigned char h[] = { static const unsigned char h[] = {
0x41, 0x87, 0x47, 0x79, 0xd8, 0xba, 0x4e, 0xac, 0x41, 0x87, 0x47, 0x79, 0xd8, 0xba, 0x4e, 0xac,
0x44, 0x4f, 0x6b, 0xd2, 0x16, 0x5e, 0x04, 0xc6, 0x44, 0x4f, 0x6b, 0xd2, 0x16, 0x5e, 0x04, 0xc6,
@ -232,6 +236,7 @@ static const unsigned char seed[] = { 0x00,
0x64, 0x06, 0x13, 0x51, 0xeb, 0x4a, 0x91, 0x9c }; 0x64, 0x06, 0x13, 0x51, 0xeb, 0x4a, 0x91, 0x9c };
static const unsigned int counter=1496; static const unsigned int counter=1496;
*/
static const unsigned char prime2[] = { 0x00, static const unsigned char prime2[] = { 0x00,
0xa4, 0xc2, 0x83, 0x4f, 0x36, 0xd3, 0x4f, 0xae, 0xa4, 0xc2, 0x83, 0x4f, 0x36, 0xd3, 0x4f, 0xae,
@ -307,6 +312,10 @@ static const unsigned char base2[] = { 0x00,
0x1c, 0xd3, 0xff, 0x4e, 0x2c, 0x38, 0x1c, 0xaa, 0x1c, 0xd3, 0xff, 0x4e, 0x2c, 0x38, 0x1c, 0xaa,
0x2e, 0x66, 0xbe, 0x32, 0x3e, 0x3c, 0x06, 0x5f }; 0x2e, 0x66, 0xbe, 0x32, 0x3e, 0x3c, 0x06, 0x5f };
/*
* The constants h2, seed2, & counter2 aren't used in the code; they're provided
* here (commented-out) so that human readers can verify that our our PQG
* parameters were generated properly.
static const unsigned char h2[] = { static const unsigned char h2[] = {
0x30, 0x91, 0xa1, 0x2e, 0x40, 0xa5, 0x7d, 0xf7, 0x30, 0x91, 0xa1, 0x2e, 0x40, 0xa5, 0x7d, 0xf7,
0xdc, 0xed, 0xee, 0x05, 0xc2, 0x31, 0x91, 0x37, 0xdc, 0xed, 0xee, 0x05, 0xc2, 0x31, 0x91, 0x37,
@ -376,6 +385,7 @@ static const unsigned char seed2[] = { 0x00,
0xc3, 0x29, 0x7d, 0xb7, 0x89, 0xbf, 0xe3, 0xde }; 0xc3, 0x29, 0x7d, 0xb7, 0x89, 0xbf, 0xe3, 0xde };
static const unsigned int counter2=210; static const unsigned int counter2=210;
*/
struct tuple_str { struct tuple_str {
CK_RV errNum; CK_RV errNum;
@ -697,7 +707,7 @@ int main(int argc, char **argv)
int bytesWritten; int bytesWritten;
unsigned char file_buf[512]; unsigned char file_buf[512];
int count=0; int count=0;
int keySize = 0; unsigned int keySize = 0;
int i; int i;
PRBool verify = PR_FALSE; PRBool verify = PR_FALSE;
static PRBool FIPSMODE = PR_FALSE; static PRBool FIPSMODE = PR_FALSE;
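Review bot: The verification constants `h`, `seed`, `counter` and `h2`, `seed2`, `counter2` are disabled by wrapping the declarations in a `/* ... */` block, which ends at the first `*/` and so breaks as soon as a comment is added inside one of the arrays. `#if 0` ... `#endif`, with the explanation kept in an ordinary comment above it, is the more robust form for disabled declarations. The explanatory text also has a doubled word, "our our PQG parameters", in both places.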


@ -420,7 +420,6 @@ sign_cert(CERTCertificate *cert, SECKEYPrivateKey *privk)
SECItem der2; SECItem der2;
SECItem * result2; SECItem * result2;
void *dummy;
SECOidTag alg = SEC_OID_UNKNOWN; SECOidTag alg = SEC_OID_UNKNOWN;
alg = SEC_GetSignatureAlgorithmOidTag(privk->keyType, SEC_OID_UNKNOWN); alg = SEC_GetSignatureAlgorithmOidTag(privk->keyType, SEC_OID_UNKNOWN);
@ -440,7 +439,7 @@ sign_cert(CERTCertificate *cert, SECKEYPrivateKey *privk)
der2.len = 0; der2.len = 0;
der2.data = NULL; der2.data = NULL;
dummy = SEC_ASN1EncodeItem (void)SEC_ASN1EncodeItem
(cert->arena, &der2, cert, SEC_ASN1_GET(CERT_CertificateTemplate)); (cert->arena, &der2, cert, SEC_ASN1_GET(CERT_CertificateTemplate));
if (rv != SECSuccess) { if (rv != SECSuccess) {
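Review bot: Casting the result of `SEC_ASN1EncodeItem` to `(void)` in `sign_cert` removes the unused-variable warning but leaves the encoding step unchecked. The `if (rv != SECSuccess)` right after it tests `rv` from an earlier call, set outside this hunk, not the encoding that just ran. The function reports failure by returning NULL, so `if (!SEC_ASN1EncodeItem(cert->arena, &der2, cert, SEC_ASN1_GET(CERT_CertificateTemplate))) rv = SECFailure;` would make the following test meaningful and presumably stop the signing step from running on an empty `der2`. `sign_cert` continues outside the hunk.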


@ -18,7 +18,9 @@ long *mozilla_event_queue = 0;
#ifndef XP_WIN #ifndef XP_WIN
char *XP_GetString (int i) char *XP_GetString (int i)
{ {
return SECU_Strerror (i); /* nasty hackish cast to avoid changing the signature of
* JAR_init_callbacks() */
return (char *)SECU_Strerror (i);
} }
#endif #endif


@ -41,12 +41,12 @@ struct _DataBuffer;
typedef struct _DataBufferList { typedef struct _DataBufferList {
struct _DataBuffer *first,*last; struct _DataBuffer *first,*last;
int size; unsigned int size;
int isEncrypted; int isEncrypted;
unsigned char * msgBuf; unsigned char * msgBuf;
int msgBufOffset; unsigned int msgBufOffset;
int msgBufSize; unsigned int msgBufSize;
int hMACsize; unsigned int hMACsize;
} DataBufferList; } DataBufferList;
typedef struct _DataBuffer { typedef struct _DataBuffer {
@ -566,7 +566,7 @@ void print_sslv2(DataBufferList *s, unsigned char *recordBuf, unsigned int recor
(PRUint32)(GET_SHORT((chv2->rndlength))), (PRUint32)(GET_SHORT((chv2->rndlength))),
(PRUint32)(GET_SHORT((chv2->rndlength)))); (PRUint32)(GET_SHORT((chv2->rndlength))));
PR_fprintf(PR_STDOUT," cipher-suites = { \n"); PR_fprintf(PR_STDOUT," cipher-suites = { \n");
for (p=0;p<GET_SHORT((chv2->cslength));p+=3) { for (p=0;p<(PRUint32)GET_SHORT((chv2->cslength));p+=3) {
PRUint32 cs_int = GET_24((&chv2->csuites[p])); PRUint32 cs_int = GET_24((&chv2->csuites[p]));
const char *cs_str = V2CipherString(cs_int); const char *cs_str = V2CipherString(cs_int);
@ -575,17 +575,17 @@ void print_sslv2(DataBufferList *s, unsigned char *recordBuf, unsigned int recor
} }
q = p; q = p;
PR_fprintf(PR_STDOUT," }\n"); PR_fprintf(PR_STDOUT," }\n");
if (chv2->sidlength) { if (GET_SHORT((chv2->sidlength))) {
PR_fprintf(PR_STDOUT," session-id = { "); PR_fprintf(PR_STDOUT," session-id = { ");
for (p=0;p<GET_SHORT((chv2->sidlength));p+=2) { for (p=0;p<(PRUint32)GET_SHORT((chv2->sidlength));p+=2) {
PR_fprintf(PR_STDOUT,"0x%04x ",(PRUint32)(GET_SHORT((&chv2->csuites[p+q])))); PR_fprintf(PR_STDOUT,"0x%04x ",(PRUint32)(GET_SHORT((&chv2->csuites[p+q]))));
} }
} }
q += p; q += p;
PR_fprintf(PR_STDOUT,"}\n"); PR_fprintf(PR_STDOUT,"}\n");
if (chv2->rndlength) { if (GET_SHORT((chv2->rndlength))) {
PR_fprintf(PR_STDOUT," challenge = { "); PR_fprintf(PR_STDOUT," challenge = { ");
for (p=0;p<GET_SHORT((chv2->rndlength));p+=2) { for (p=0;p<(PRUint32)GET_SHORT((chv2->rndlength));p+=2) {
PR_fprintf(PR_STDOUT,"0x%04x ",(PRUint32)(GET_SHORT((&chv2->csuites[p+q])))); PR_fprintf(PR_STDOUT,"0x%04x ",(PRUint32)(GET_SHORT((&chv2->csuites[p+q]))));
} }
PR_fprintf(PR_STDOUT,"}\n"); PR_fprintf(PR_STDOUT,"}\n");
@ -978,7 +978,7 @@ void print_ssl3_handshake(unsigned char *recordBuf,
{ {
struct sslhandshake sslh; struct sslhandshake sslh;
unsigned char * hsdata; unsigned char * hsdata;
int offset=0; unsigned int offset=0;
PR_fprintf(PR_STDOUT," handshake {\n"); PR_fprintf(PR_STDOUT," handshake {\n");
@ -1365,7 +1365,7 @@ void print_ssl3_handshake(unsigned char *recordBuf,
offset += sslh.length + 4; offset += sslh.length + 4;
} /* while */ } /* while */
if (offset < recordLen) { /* stuff left over */ if (offset < recordLen) { /* stuff left over */
int newMsgLen = recordLen - offset; unsigned int newMsgLen = recordLen - offset;
if (!s->msgBuf) { if (!s->msgBuf) {
s->msgBuf = PORT_Alloc(newMsgLen); s->msgBuf = PORT_Alloc(newMsgLen);
if (!s->msgBuf) { if (!s->msgBuf) {
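Review bot: The loops in `print_sslv2` still take `cslength`, `sidlength` and `rndlength` straight from the captured record and index `chv2->csuites[p]` and `csuites[p+q]` up to those values; no comparison with `recordLen` is visible in this hunk. If none exists earlier in the function, a truncated or malformed record makes the tool read past `recordBuf`. A guard ahead of the first loop, e.g. `if ((PRUint32)GET_SHORT((chv2->cslength)) + GET_SHORT((chv2->sidlength)) + GET_SHORT((chv2->rndlength)) > recordLen) return;`, tightened by the fixed header size, would bound all three. The function body starts and ends outside the hunk.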


@ -498,7 +498,6 @@ init_thread_data(void)
PRBool useModelSocket = PR_TRUE; PRBool useModelSocket = PR_TRUE;
static const char stopCmd[] = { "GET /stop " };
static const char outHeader[] = { static const char outHeader[] = {
"HTTP/1.0 200 OK\r\n" "HTTP/1.0 200 OK\r\n"
"Server: Netscape-Enterprise/2.0a\r\n" "Server: Netscape-Enterprise/2.0a\r\n"
@ -567,7 +566,7 @@ do_writes(
{ {
PRFileDesc * ssl_sock = (PRFileDesc *)a; PRFileDesc * ssl_sock = (PRFileDesc *)a;
lockedVars * lv = (lockedVars *)b; lockedVars * lv = (lockedVars *)b;
int sent = 0; unsigned int sent = 0;
int count = 0; int count = 0;
while (sent < bigBuf.len) { while (sent < bigBuf.len) {
@ -712,7 +711,7 @@ PRInt32 lastFullHandshakePeerID;
void void
myHandshakeCallback(PRFileDesc *socket, void *arg) myHandshakeCallback(PRFileDesc *socket, void *arg)
{ {
PR_ATOMIC_SET(&lastFullHandshakePeerID, (PRInt32) arg); PR_ATOMIC_SET(&lastFullHandshakePeerID, (PRInt32)((char *)arg - (char *)NULL));
} }
#endif #endif
@ -732,7 +731,6 @@ do_connects(
PRFileDesc * tcp_sock = 0; PRFileDesc * tcp_sock = 0;
PRStatus prStatus; PRStatus prStatus;
PRUint32 sleepInterval = 50; /* milliseconds */ PRUint32 sleepInterval = 50; /* milliseconds */
SECStatus result;
int rv = SECSuccess; int rv = SECSuccess;
PRSocketOptionData opt; PRSocketOptionData opt;
@ -839,7 +837,8 @@ retry:
PR_snprintf(sockPeerIDString, sizeof(sockPeerIDString), "ID%d", PR_snprintf(sockPeerIDString, sizeof(sockPeerIDString), "ID%d",
thisPeerID); thisPeerID);
SSL_SetSockPeerID(ssl_sock, sockPeerIDString); SSL_SetSockPeerID(ssl_sock, sockPeerIDString);
SSL_HandshakeCallback(ssl_sock, myHandshakeCallback, (void*)thisPeerID); SSL_HandshakeCallback(ssl_sock, myHandshakeCallback,
(char *)NULL + thisPeerID);
#else #else
/* force a full handshake by setting the no cache option */ /* force a full handshake by setting the no cache option */
SSL_OptionSet(ssl_sock, SSL_NO_CACHE, 1); SSL_OptionSet(ssl_sock, SSL_NO_CACHE, 1);
@ -854,9 +853,9 @@ retry:
PR_ATOMIC_INCREMENT(&numConnected); PR_ATOMIC_INCREMENT(&numConnected);
if (bigBuf.data != NULL) { if (bigBuf.data != NULL) {
result = handle_fdx_connection( ssl_sock, tid); (void)handle_fdx_connection( ssl_sock, tid);
} else { } else {
result = handle_connection( ssl_sock, tid); (void)handle_connection( ssl_sock, tid);
} }
PR_ATOMIC_DECREMENT(&numConnected); PR_ATOMIC_DECREMENT(&numConnected);
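Review bot: `(char *)NULL + thisPeerID` in the `SSL_HandshakeCallback` call and `(char *)arg - (char *)NULL` in `myHandshakeCallback` do arithmetic on a null pointer, which is undefined behaviour in C, so the cast warning is traded for a different problem. Converting through a pointer-width integer expresses the same thing without it: `(void *)(PRPtrdiff)thisPeerID` at the call site and `(PRInt32)(PRPtrdiff)arg` in the callback. The `(void)` casts on `handle_fdx_connection` and `handle_connection` also drop the per-connection status; if that is intentional, a comment such as `/* status is reported by the handler itself */` should be confirmed and added.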


@ -1015,8 +1015,7 @@ main(int argc, char **argv)
} }
} }
if (se) { if (se) {
SECStatus rv2 = PK11_FreeSlotListElement(slotList, se); PORT_CheckSuccess(PK11_FreeSlotListElement(slotList, se));
PORT_Assert(SECSuccess == rv2);
} }
PK11_FreeSlotList(slotList); PK11_FreeSlotList(slotList);
} }


@ -534,9 +534,9 @@ dumpServerCertificateChain(PRFileDesc *fd)
return; return;
} }
else if (dumpServerChain == 1) { else if (dumpServerChain == 1) {
dumpFunction = SECU_PrintCertificateBasicInfo; dumpFunction = (SECU_PPFunc)SECU_PrintCertificateBasicInfo;
} else { } else {
dumpFunction = SECU_PrintCertificate; dumpFunction = (SECU_PPFunc)SECU_PrintCertificate;
if (dumpServerChain > 2) { if (dumpServerChain > 2) {
dumpCertPEM = PR_TRUE; dumpCertPEM = PR_TRUE;
} }
@ -566,7 +566,7 @@ dumpServerCertificateChain(PRFileDesc *fd)
PR_TRUE); PR_TRUE);
} }
if (foundChain) { if (foundChain) {
int count = 0; unsigned int count = 0;
fprintf(stderr, "==== locally found issuer certificate(s): ====\n"); fprintf(stderr, "==== locally found issuer certificate(s): ====\n");
for(count = 0; count < (unsigned int)foundChain->len; count++) { for(count = 0; count < (unsigned int)foundChain->len; count++) {
CERTCertificate *c; CERTCertificate *c;
@ -619,7 +619,7 @@ ownAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
if (!serverCertAuth->shouldPause) { if (!serverCertAuth->shouldPause) {
CERTCertificate *cert; CERTCertificate *cert;
int i; unsigned int i;
const SECItemArray *csa; const SECItemArray *csa;
if (!serverCertAuth->testFreshStatusFromSideChannel) { if (!serverCertAuth->testFreshStatusFromSideChannel) {
@ -644,8 +644,7 @@ ownAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
if (CERT_CacheOCSPResponseFromSideChannel( if (CERT_CacheOCSPResponseFromSideChannel(
serverCertAuth->dbHandle, cert, PR_Now(), serverCertAuth->dbHandle, cert, PR_Now(),
&csa->items[i], arg) != SECSuccess) { &csa->items[i], arg) != SECSuccess) {
PRErrorCode error = PR_GetError(); PORT_Assert(PR_GetError() != 0);
PORT_Assert(error != 0);
} }
} }
} }
@ -1283,7 +1282,7 @@ int main(int argc, char **argv)
int cipher; int cipher;
if (ndx == ':') { if (ndx == ':') {
int ctmp; int ctmp = 0;
cipher = 0; cipher = 0;
HEXCHAR_TO_INT(*cipherString, ctmp) HEXCHAR_TO_INT(*cipherString, ctmp)
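Review bot: In `ownAuthCertificate` the branch taken when `CERT_CacheOCSPResponseFromSideChannel` fails now contains only `PORT_Assert(PR_GetError() != 0);`, which compiles to nothing in non-DEBUG builds. A stapled OCSP response that cannot be cached is then dropped without any trace. Reporting it, e.g. `fprintf(stderr, "caching stapled OCSP response failed: %d\n", (int)PR_GetError());`, would make revocation-test failures visible in optimised builds. The function body starts and ends outside the hunk.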


@ -333,7 +333,7 @@ configureRevocationParams(CERTRevocationFlags *flags)
int i; int i;
unsigned int testType = REVCONFIG_TEST_UNDEFINED; unsigned int testType = REVCONFIG_TEST_UNDEFINED;
static CERTRevocationTests *revTests = NULL; static CERTRevocationTests *revTests = NULL;
PRUint64 *revFlags; PRUint64 *revFlags = NULL;
for(i = 0;i < REV_METHOD_INDEX_MAX;i++) { for(i = 0;i < REV_METHOD_INDEX_MAX;i++) {
if (revMethodsData[i].testType == REVCONFIG_TEST_UNDEFINED) { if (revMethodsData[i].testType == REVCONFIG_TEST_UNDEFINED) {


@ -510,7 +510,7 @@ main(int argc, char **argv)
int cipher; int cipher;
if (ndx == ':') { if (ndx == ':') {
int ctmp; int ctmp = 0;
cipher = 0; cipher = 0;
HEXCHAR_TO_INT(*cipherString, ctmp) HEXCHAR_TO_INT(*cipherString, ctmp)


@ -603,7 +603,7 @@ void
dumpCertChain(CERTCertificate *cert, SECCertUsage usage) dumpCertChain(CERTCertificate *cert, SECCertUsage usage)
{ {
CERTCertificateList *certList; CERTCertificateList *certList;
int count = 0; unsigned int count = 0;
certList = CERT_CertChainFromCert(cert, usage, PR_TRUE); certList = CERT_CertChainFromCert(cert, usage, PR_TRUE);
if (certList == NULL) { if (certList == NULL) {


@ -125,14 +125,58 @@ ifdef MOZ_DEBUG_SYMBOLS
endif endif
endif endif
ifndef COMPILER_TAG
COMPILER_TAG = _$(shell $(CC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q')
CCC_COMPILER_TAG = _$(shell $(CCC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q')
endif
ifeq ($(USE_PTHREADS),1) ifeq ($(USE_PTHREADS),1)
OS_PTHREAD = -lpthread OS_PTHREAD = -lpthread
endif endif
OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR
OS_LIBS = $(OS_PTHREAD) -ldl -lc OS_LIBS = $(OS_PTHREAD) -ldl -lc
ifeq ($(COMPILER_TAG),_clang)
# -Qunused-arguments : clang objects to arguments that it doesn't understand
# and fixing this would require rearchitecture
# -Wno-parentheses-equality : because clang warns about macro expansions
OS_CFLAGS += -Qunused-arguments -Wno-parentheses-equality
ifdef BUILD_OPT
# clang is unable to handle glib's expansion of strcmp and similar for optimized
# builds, so ignore the resulting errors.
# See https://llvm.org/bugs/show_bug.cgi?id=20144
OS_CFLAGS += -Wno-array-bounds -Wno-unevaluated-expression
endif
# Clang reports its version as an older gcc, but it's OK
NSS_HAS_GCC48 = true
endif
# Check for the existence of gcc 4.8
ifndef NSS_HAS_GCC48
define GCC48_TEST =
int main() {\n
#if __GNUC__ < 4 || (__GNUC__ == 4 && __GNUC_MINOR__ < 8)\n
return 1;\n
#else\n
return 0;\n
#endif\n
}\n
endef
TEST_GCC48 := /tmp/test_gcc48_$(shell echo $$$$)
NSS_HAS_GCC48 := (,$(shell echo -e "$(GCC48_TEST)" > $(TEST_GCC48).c && \
$(CC) -o $(TEST_GCC48) $(TEST_GCC48).c && \
$(TEST_GCC48) && echo true || echo false; \
rm -f $(TEST_GCC48) $(TEST_GCC48).c))
export NSS_HAS_GCC48
endif
ifeq (true,$(NSS_HAS_GCC48))
# Old versions of gcc (< 4.8) don't support #pragma diagnostic in functions.
# Here, we disable use of that #pragma and the warnings it suppresses.
OS_CFLAGS += -DNSS_NO_GCC48 -Wno-unused-variable
endif
ifdef USE_PTHREADS ifdef USE_PTHREADS
DEFINES += -D_REENTRANT DEFINES += -D_REENTRANT
endif endif
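Review bot: The gcc 4.8 probe writes, compiles and then runs a file at a predictable path, `TEST_GCC48 := /tmp/test_gcc48_$(shell echo $$$$)`, so on a shared build host another local user can pre-create or symlink that name in /tmp before the build reaches it. Create a private directory instead, e.g. `TEST_GCC48_DIR := $(shell mktemp -d)` with `TEST_GCC48 := $(TEST_GCC48_DIR)/test_gcc48`, and remove that directory in the clean-up step. Separately, `NSS_HAS_GCC48 := (,$(shell ...))` looks like it yields the literal text `(,true)` rather than `true`, which the later `ifeq (true,$(NSS_HAS_GCC48))` would never match; please confirm the parentheses and comma are intended.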


@ -24,8 +24,9 @@ else
CC = cl CC = cl
CCC = cl CCC = cl
LINK = link LINK = link
LDFLAGS += -nologo
AR = lib AR = lib
AR += -NOLOGO -OUT:$@ AR += -nologo -OUT:$@
RANLIB = echo RANLIB = echo
BSDECHO = echo BSDECHO = echo
RC = rc.exe RC = rc.exe
@ -103,10 +104,7 @@ endif
DLL_SUFFIX = dll DLL_SUFFIX = dll
ifdef NS_USE_GCC ifdef NS_USE_GCC
# The -mnop-fun-dllimport flag allows us to avoid a drawback of OS_CFLAGS += -mwindows -mms-bitfields
# the dllimport attribute that a pointer to a function marked as
# dllimport cannot be used as as a constant address.
OS_CFLAGS += -mwindows -mms-bitfields -mnop-fun-dllimport
_GEN_IMPORT_LIB=-Wl,--out-implib,$(IMPORT_LIBRARY) _GEN_IMPORT_LIB=-Wl,--out-implib,$(IMPORT_LIBRARY)
DLLFLAGS += -mwindows -o $@ -shared -Wl,--export-all-symbols $(if $(IMPORT_LIBRARY),$(_GEN_IMPORT_LIB)) DLLFLAGS += -mwindows -o $@ -shared -Wl,--export-all-symbols $(if $(IMPORT_LIBRARY),$(_GEN_IMPORT_LIB))
ifdef BUILD_OPT ifdef BUILD_OPT
@ -195,6 +193,11 @@ ifneq ($(_MSC_VER),$(_MSC_VER_6))
-we4015 -we4028 -we4033 -we4035 -we4045 -we4047 -we4053 -we4054 -we4063 \ -we4015 -we4028 -we4033 -we4035 -we4045 -we4047 -we4053 -we4054 -we4063 \
-we4064 -we4078 -we4087 -we4090 -we4098 -we4390 -we4551 -we4553 -we4715 -we4064 -we4078 -we4087 -we4090 -we4098 -we4390 -we4551 -we4553 -we4715
# NSS has too many of these to fix, downgrade the warning
# Disable C4267: conversion from 'size_t' to 'type', possible loss of data
# Disable C4244: conversion from 'type1' to 'type2', possible loss of data
# Disable C4018: 'expression' : signed/unsigned mismatch
OS_CFLAGS += -w44267 -w44244 -w44018
ifeq ($(_MSC_VER_GE_12),1) ifeq ($(_MSC_VER_GE_12),1)
OS_CFLAGS += -FS OS_CFLAGS += -FS
endif endif
@ -210,13 +213,22 @@ endif
ifeq (,$(filter-out x386 x86_64,$(CPU_ARCH))) ifeq (,$(filter-out x386 x86_64,$(CPU_ARCH)))
ifdef USE_64 ifdef USE_64
DEFINES += -D_AMD64_ DEFINES += -D_AMD64_
# Use subsystem 5.02 to allow running on Windows XP.
ifeq ($(_MSC_VER_GE_11),1)
LDFLAGS += -SUBSYSTEM:CONSOLE,5.02
endif
else else
DEFINES += -D_X86_ DEFINES += -D_X86_
# VS2012 defaults to -arch:SSE2. Use -arch:IA32 to avoid requiring # VS2012 defaults to -arch:SSE2. Use -arch:IA32 to avoid requiring
# SSE2. # SSE2. Clang-cl gets confused by -arch:IA32, so don't add it.
# (See https://llvm.org/bugs/show_bug.cgi?id=24335)
# Use subsystem 5.01 to allow running on Windows XP.
ifeq ($(_MSC_VER_GE_11),1) ifeq ($(_MSC_VER_GE_11),1)
ifneq ($(CLANG_CL),1)
OS_CFLAGS += -arch:IA32 OS_CFLAGS += -arch:IA32
endif endif
LDFLAGS += -SUBSYSTEM:CONSOLE,5.01
endif
endif endif
endif endif
ifeq ($(CPU_ARCH), ALPHA) ifeq ($(CPU_ARCH), ALPHA)
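Review bot: The comment above `OS_CFLAGS += -w44267 -w44244 -w44018` says the three warnings are disabled, but the `-w4NNNN` form moves a warning to level 4 rather than turning it off, so they disappear only when the build runs below -W4. C4267 and C4244 are the size_t and integer truncation diagnostics, which matter for length handling in a crypto library, so the comment should say what actually happens and how to get them back, e.g. `# Moved to level 4 (C4267, C4244: possible loss of data; C4018: signed/unsigned mismatch); build with -W4 to see them`. The warning level in use is set outside this hunk, so confirm it is below 4.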


@ -272,6 +272,10 @@ $(IMPORT_LIBRARY): $(MAPFILE)
$(IMPLIB) $@ $< $(IMPLIB) $@ $<
$(RANLIB) $@ $(RANLIB) $@
endif endif
ifeq ($(OS_ARCH),WINNT)
$(IMPORT_LIBRARY): $(LIBRARY)
cp -f $< $@
endif
ifdef SHARED_LIBRARY_LIBS ifdef SHARED_LIBRARY_LIBS
ifdef BUILD_TREE ifdef BUILD_TREE
@ -433,8 +437,22 @@ endif
# Please keep the next two rules in sync. # Please keep the next two rules in sync.
# #
$(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cc $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cc
@$(MAKE_OBJDIR) $(MAKE_OBJDIR)
ifdef STRICT_CPLUSPLUS_SUFFIX
echo "#line 1 \"$<\"" | cat - $< > $(OBJDIR)/t_$*.cc
$(CCC) -o $@ -c $(CFLAGS) $(OBJDIR)/t_$*.cc
rm -f $(OBJDIR)/t_$*.cc
else
ifdef USE_NT_C_SYNTAX
$(CCC) -Fo$@ -c $(CFLAGS) $(call core_abspath,$<)
else
ifdef NEED_ABSOLUTE_PATH
$(CCC) -o $@ -c $(CFLAGS) $(call core_abspath,$<)
else
$(CCC) -o $@ -c $(CFLAGS) $< $(CCC) -o $@ -c $(CFLAGS) $<
endif
endif
endif #STRICT_CPLUSPLUS_SUFFIX
$(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cpp $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cpp
@$(MAKE_OBJDIR) @$(MAKE_OBJDIR)
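Review bot: The `%.cc` rule now appears to run `$(MAKE_OBJDIR)` without the leading `@`, while the `%.cpp` rule directly below it still uses `@$(MAKE_OBJDIR)`, even though the comment above both asks to keep the two rules in sync. If echoing the command was not intended, restore `@$(MAKE_OBJDIR)` in the `%.cc` rule. The `%.cpp` recipe continues past the end of this hunk, so whether it carries the same STRICT_CPLUSPLUS_SUFFIX / USE_NT_C_SYNTAX / NEED_ABSOLUTE_PATH branches cannot be checked from here.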


@ -72,6 +72,11 @@
<listitem><para>Delete a certificate from the certificate database.</para></listitem> <listitem><para>Delete a certificate from the certificate database.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>--rename </term>
<listitem><para>Change the database nickname of a certificate.</para></listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-E </term> <term>-E </term>
<listitem><para>Add an email certificate to the certificate database.</para></listitem> <listitem><para>Add an email certificate to the certificate database.</para></listitem>
@ -731,6 +736,11 @@ Comma separated list of one or more of the following:
</para></listitem> </para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>--new-n nickname</term>
<listitem><para>A new nickname, used when renaming a certificate.</para></listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>--source-dir certdir</term> <term>--source-dir certdir</term>
<listitem><para>Identify the certificate database directory to upgrade.</para></listitem> <listitem><para>Identify the certificate database directory to upgrade.</para></listitem>


@ -1,5 +1,5 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm139713586320592"></a><h2>STATUS</h2><p>This documentation is still work in progress. 
Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm139984205904704"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. 
If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. 
The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">--rename </span></dt><dd><p>Change the database nickname of a certificate.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
<code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname. <code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname.
</p><p> </p><p>
When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database. When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. 
If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
@ -120,7 +120,7 @@ PKCS #11 key Attributes. Comma separated list of key attribute flags, selected f
PKCS #11 key Operation Flags. PKCS #11 key Operation Flags.
Comma separated list of one or more of the following: Comma separated list of one or more of the following:
{token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable} {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
</p></dd><dt><span class="term">--source-dir certdir</span></dt><dd><p>Identify the certificate database directory to upgrade.</p></dd><dt><span class="term">--source-prefix certdir</span></dt><dd><p>Give the prefix of the certificate and key databases to upgrade.</p></dd><dt><span class="term">--upgrade-id uniqueID</span></dt><dd><p>Give the unique ID of the database to upgrade.</p></dd><dt><span class="term">--upgrade-token-name name</span></dt><dd><p>Set the name of the token to use while it is being upgraded.</p></dd><dt><span class="term">-@ pwfile</span></dt><dd><p>Give the name of a password file to use for the database being upgraded.</p></dd></dl></div></div><div class="refsection"><a name="basic-usage"></a><h2>Usage and Examples</h2><p> </p></dd><dt><span class="term">--new-n nickname</span></dt><dd><p>A new nickname, used when renaming a certificate.</p></dd><dt><span class="term">--source-dir certdir</span></dt><dd><p>Identify the certificate database directory to upgrade.</p></dd><dt><span class="term">--source-prefix certdir</span></dt><dd><p>Give the prefix of the certificate and key databases to upgrade.</p></dd><dt><span class="term">--upgrade-id uniqueID</span></dt><dd><p>Give the unique ID of the database to upgrade.</p></dd><dt><span class="term">--upgrade-token-name name</span></dt><dd><p>Set the name of the token to use while it is being upgraded.</p></dd><dt><span class="term">-@ pwfile</span></dt><dd><p>Give the name of a password file to use for the database being upgraded.</p></dd></dl></div></div><div class="refsection"><a name="basic-usage"></a><h2>Usage and Examples</h2><p>
Most of the command options in the examples listed here have more arguments available. The arguments included in these examples are the most common ones or are used to illustrate a specific scenario. Use the <code class="option">-H</code> option to show the complete list of arguments for each command option. Most of the command options in the examples listed here have more arguments available. The arguments included in these examples are the most common ones or are used to illustrate a specific scenario. Use the <code class="option">-H</code> option to show the complete list of arguments for each command option.
</p><p><span class="command"><strong>Creating New Security Databases</strong></span></p><p> </p><p><span class="command"><strong>Creating New Security Databases</strong></span></p><p>
Certificates, keys, and security modules related to managing certificates are stored in three related databases: Certificates, keys, and security modules related to managing certificates are stored in three related databases:


@ -2,12 +2,12 @@
.\" Title: CERTUTIL .\" Title: CERTUTIL
.\" Author: [see the "Authors" section] .\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 23 February 2015 .\" Date: 13 August 2015
.\" Manual: NSS Security Tools .\" Manual: NSS Security Tools
.\" Source: nss-tools .\" Source: nss-tools
.\" Language: English .\" Language: English
.\" .\"
.TH "CERTUTIL" "1" "23 February 2015" "nss-tools" "NSS Security Tools" .TH "CERTUTIL" "1" "13 August 2015" "nss-tools" "NSS Security Tools"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
@ -80,6 +80,11 @@ prompts for a filename\&.
Delete a certificate from the certificate database\&. Delete a certificate from the certificate database\&.
.RE .RE
.PP .PP
\-\-rename
.RS 4
Change the database nickname of a certificate\&.
.RE
.PP
\-E \-E
.RS 4 .RS 4
Add an email certificate to the certificate database\&. Add an email certificate to the certificate database\&.
@ -1108,6 +1113,11 @@ PKCS #11 key Attributes\&. Comma separated list of key attribute flags, selected
PKCS #11 key Operation Flags\&. Comma separated list of one or more of the following: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable} PKCS #11 key Operation Flags\&. Comma separated list of one or more of the following: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
.RE .RE
.PP .PP
\-\-new\-n nickname
.RS 4
A new nickname, used when renaming a certificate\&.
.RE
.PP
\-\-source\-dir certdir \-\-source\-dir certdir
.RS 4 .RS 4
Identify the certificate database directory to upgrade\&. Identify the certificate database directory to upgrade\&.


@ -217,9 +217,8 @@ nsslist_add_element(nssList *list, void *data)
NSS_IMPLEMENT PRStatus NSS_IMPLEMENT PRStatus
nssList_Add(nssList *list, void *data) nssList_Add(nssList *list, void *data)
{ {
PRStatus nssrv;
NSSLIST_LOCK_IF(list); NSSLIST_LOCK_IF(list);
nssrv = nsslist_add_element(list, data); (void)nsslist_add_element(list, data);
NSSLIST_UNLOCK_IF(list); NSSLIST_UNLOCK_IF(list);
return PR_SUCCESS; return PR_SUCCESS;
} }
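Review bot: nssList_Add now casts the result of `nsslist_add_element(list, data)` to void and still returns `PR_SUCCESS` unconditionally, so a failed insertion is reported to the caller as success. The old code at least stored the status; rather than dropping it, keep the `PRStatus nssrv;` declaration at the top of the block, assign `nssrv = nsslist_add_element(list, data);` between the lock and unlock, and end with `return nssrv;`. Callers that rely on the unconditional success would need a check, and they are not visible from this hunk.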


@ -29,7 +29,7 @@ identity_hash
const void *key const void *key
) )
{ {
return (PLHashNumber)key; return (PLHashNumber)((char *)key - (char *)NULL);
} }
/* /*
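Review bot: In identity_hash the new expression `(char *)key - (char *)NULL` subtracts a null pointer from an unrelated pointer, which is undefined behaviour in C, and the ptrdiff_t result is then narrowed to PLHashNumber. An integer cast through a pointer-sized unsigned type expresses the same hash without pointer arithmetic: `return (PLHashNumber)(PRUptrdiff)key;`. On 64-bit targets either form discards the upper bits of the address, which deserves a one-line comment such as `/* truncation is intended: the value is only used as a hash */`.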


@ -2443,7 +2443,6 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
{ {
unsigned int i; unsigned int i;
CERTCertificate **certs = NULL; CERTCertificate **certs = NULL;
SECStatus rv;
unsigned int fcerts = 0; unsigned int fcerts = 0;
if ( ncerts ) { if ( ncerts ) {
@ -2491,9 +2490,10 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
* know which cert it belongs to. But we still may try * know which cert it belongs to. But we still may try
* the individual canickname from the cert itself. * the individual canickname from the cert itself.
*/ */
rv = CERT_AddTempCertToPerm(certs[i], canickname, NULL); /* Bug 1192442 - propagate errors from these calls. */
(void)CERT_AddTempCertToPerm(certs[i], canickname, NULL);
} else { } else {
rv = CERT_AddTempCertToPerm(certs[i], (void)CERT_AddTempCertToPerm(certs[i],
nickname?nickname:canickname, NULL); nickname?nickname:canickname, NULL);
} }
@ -2511,7 +2511,7 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
} }
} }
return ((fcerts || !ncerts) ? SECSuccess : SECFailure); return (fcerts || !ncerts) ? SECSuccess : SECFailure;
} }
/* /*
@ -2893,15 +2893,16 @@ CERT_LockCertRefCount(CERTCertificate *cert)
void void
CERT_UnlockCertRefCount(CERTCertificate *cert) CERT_UnlockCertRefCount(CERTCertificate *cert)
{ {
PRStatus prstat;
PORT_Assert(certRefCountLock != NULL); PORT_Assert(certRefCountLock != NULL);
prstat = PZ_Unlock(certRefCountLock); #ifdef DEBUG
{
PRStatus prstat = PZ_Unlock(certRefCountLock);
PORT_Assert(prstat == PR_SUCCESS); PORT_Assert(prstat == PR_SUCCESS);
}
return; #else
PZ_Unlock(certRefCountLock);
#endif
} }
static PZLock *certTrustLock = NULL; static PZLock *certTrustLock = NULL;
@ -2973,15 +2974,16 @@ cert_DestroyLocks(void)
void void
CERT_UnlockCertTrust(const CERTCertificate *cert) CERT_UnlockCertTrust(const CERTCertificate *cert)
{ {
PRStatus prstat;
PORT_Assert(certTrustLock != NULL); PORT_Assert(certTrustLock != NULL);
prstat = PZ_Unlock(certTrustLock); #ifdef DEBUG
{
PRStatus prstat = PZ_Unlock(certTrustLock);
PORT_Assert(prstat == PR_SUCCESS); PORT_Assert(prstat == PR_SUCCESS);
}
return; #else
PZ_Unlock(certTrustLock);
#endif
} }
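Review bot: The new comment `/* Bug 1192442 - propagate errors from these calls. */` in CERT_ImportCerts reads as a description of what the code does, while both `(void)CERT_AddTempCertToPerm(...)` calls in fact drop the status, and it sits inside only one of the two branches. Word it as an open item and place it above the if/else, e.g. `/* TODO (bug 1192442): the CERT_AddTempCertToPerm result is ignored in both branches; a cert that could not be made permanent is not reported. */`. The if/else and the code that counts `fcerts` start outside this hunk, so any effect on the return value is inferred.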


@ -627,7 +627,6 @@ crl_storeCRL (PK11SlotInfo *slot,char *url,
CERTSignedCrl *oldCrl = NULL, *crl = NULL; CERTSignedCrl *oldCrl = NULL, *crl = NULL;
PRBool deleteOldCrl = PR_FALSE; PRBool deleteOldCrl = PR_FALSE;
CK_OBJECT_HANDLE crlHandle = CK_INVALID_HANDLE; CK_OBJECT_HANDLE crlHandle = CK_INVALID_HANDLE;
SECStatus rv;
PORT_Assert(newCrl); PORT_Assert(newCrl);
PORT_Assert(derCrl); PORT_Assert(derCrl);
@ -640,7 +639,7 @@ crl_storeCRL (PK11SlotInfo *slot,char *url,
/* we can't use the cache here because we must look in the same /* we can't use the cache here because we must look in the same
token */ token */
rv = SEC_FindCrlByKeyOnSlot(slot, &newCrl->crl.derName, type, (void)SEC_FindCrlByKeyOnSlot(slot, &newCrl->crl.derName, type,
&oldCrl, CRL_DECODE_SKIP_ENTRIES); &oldCrl, CRL_DECODE_SKIP_ENTRIES);
/* if there is an old crl on the token, make sure the one we are /* if there is an old crl on the token, make sure the one we are
installing is newer. If not, exit out, otherwise delete the installing is newer. If not, exit out, otherwise delete the
@ -2693,7 +2692,7 @@ cert_CheckCertRevocationStatus(CERTCertificate* cert, CERTCertificate* issuer,
} }
if (SECFailure == rv) if (SECFailure == rv)
{ {
SECStatus rv2 = CERT_FindCRLEntryReasonExten(entry, &reason); (void)CERT_FindCRLEntryReasonExten(entry, &reason);
PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE); PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
} }
break; break;
@ -3050,7 +3049,7 @@ SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
{ {
NamedCRLCacheEntry* oldEntry, * newEntry = NULL; NamedCRLCacheEntry* oldEntry, * newEntry = NULL;
NamedCRLCache* ncc = NULL; NamedCRLCache* ncc = NULL;
SECStatus rv = SECSuccess, rv2; SECStatus rv = SECSuccess;
PORT_Assert(namedCRLCache.lock); PORT_Assert(namedCRLCache.lock);
PORT_Assert(namedCRLCache.entries); PORT_Assert(namedCRLCache.entries);
@ -3088,8 +3087,7 @@ SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
(void*) newEntry)) (void*) newEntry))
{ {
PORT_Assert(0); PORT_Assert(0);
rv2 = NamedCRLCacheEntry_Destroy(newEntry); NamedCRLCacheEntry_Destroy(newEntry);
PORT_Assert(SECSuccess == rv2);
rv = SECFailure; rv = SECFailure;
} }
} }
@ -3112,8 +3110,7 @@ SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
} }
else else
{ {
rv2 = NamedCRLCacheEntry_Destroy(oldEntry); PORT_CheckSuccess(NamedCRLCacheEntry_Destroy(oldEntry));
PORT_Assert(SECSuccess == rv2);
} }
if (NULL == PL_HashTableAdd(namedCRLCache.entries, if (NULL == PL_HashTableAdd(namedCRLCache.entries,
(void*) newEntry->canonicalizedName, (void*) newEntry->canonicalizedName,
@ -3160,8 +3157,7 @@ SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
} }
else else
{ {
rv2 = NamedCRLCacheEntry_Destroy(oldEntry); PORT_CheckSuccess(NamedCRLCacheEntry_Destroy(oldEntry));
PORT_Assert(SECSuccess == rv2);
} }
if (NULL == PL_HashTableAdd(namedCRLCache.entries, if (NULL == PL_HashTableAdd(namedCRLCache.entries,
(void*) newEntry->canonicalizedName, (void*) newEntry->canonicalizedName,
@ -3173,8 +3169,7 @@ SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
} }
} }
} }
rv2 = cert_ReleaseNamedCRLCache(ncc); PORT_CheckSuccess(cert_ReleaseNamedCRLCache(ncc));
PORT_Assert(SECSuccess == rv2);
return rv; return rv;
} }
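Review bot: In cert_CacheCRLByGeneralName the failure path after `PL_HashTableAdd` now calls `NamedCRLCacheEntry_Destroy(newEntry);` bare, while the three other clean-up calls changed by this commit are wrapped in `PORT_CheckSuccess(...)`. The old code asserted `SECSuccess == rv2` there too, so the debug check is lost at this one site; use `PORT_CheckSuccess(NamedCRLCacheEntry_Destroy(newEntry));` for consistency. The function's body begins outside the visible hunks.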


@ -67,16 +67,6 @@ static const SEC_ASN1Template CERTOtherNameTemplate[] = {
sizeof(CERTGeneralName) } sizeof(CERTGeneralName) }
}; };
static const SEC_ASN1Template CERTOtherName2Template[] = {
{ SEC_ASN1_SEQUENCE | SEC_ASN1_CONTEXT_SPECIFIC | 0 ,
0, NULL, sizeof(CERTGeneralName) },
{ SEC_ASN1_OBJECT_ID,
offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, oid) },
{ SEC_ASN1_ANY,
offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, name) },
{ 0, }
};
static const SEC_ASN1Template CERT_RFC822NameTemplate[] = { static const SEC_ASN1Template CERT_RFC822NameTemplate[] = {
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1 , { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1 ,
offsetof(CERTGeneralName, name.other), offsetof(CERTGeneralName, name.other),
@ -684,7 +674,7 @@ loser:
return NULL; return NULL;
} }
CERTNameConstraint * static CERTNameConstraint *
cert_DecodeNameConstraintSubTree(PLArenaPool *arena, cert_DecodeNameConstraintSubTree(PLArenaPool *arena,
SECItem **subTree, SECItem **subTree,
PRBool permited) PRBool permited)
@ -701,15 +691,17 @@ cert_DecodeNameConstraintSubTree(PLArenaPool *arena,
if (current == NULL) { if (current == NULL) {
goto loser; goto loser;
} }
if (last == NULL) { if (first == NULL) {
first = last = current; first = current;
} } else {
current->l.prev = &(last->l); current->l.prev = &(last->l);
current->l.next = last->l.next;
last->l.next = &(current->l); last->l.next = &(current->l);
}
last = current;
i++; i++;
} }
first->l.prev = &(current->l); first->l.prev = &(last->l);
last->l.next = &(first->l);
/* TODO: unmark arena */ /* TODO: unmark arena */
return first; return first;
loser: loser:
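Review bot: After the loop in cert_DecodeNameConstraintSubTree, `first->l.prev = &(last->l);` and `last->l.next = &(first->l);` dereference `first` and `last` without checking them, so if the loop body never runs (an empty `subTree`) both would still hold their initial values. Their initialisation and the loop condition are outside this hunk, so this is inferred; if they start as NULL, add `if (first == NULL) { goto loser; }` before the two assignments. The input presumably comes from a decoded certificate extension, so the empty case should be treated as reachable.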


@ -240,14 +240,6 @@ CERT_CopyAVA(PLArenaPool *arena, CERTAVA *from)
return 0; return 0;
} }
/************************************************************************/
/* XXX This template needs to go away in favor of the new SEC_ASN1 version. */
static const SEC_ASN1Template cert_RDNTemplate[] = {
{ SEC_ASN1_SET_OF,
offsetof(CERTRDN,avas), cert_AVATemplate, sizeof(CERTRDN) }
};
CERTRDN * CERTRDN *
CERT_CreateRDN(PLArenaPool *arena, CERTAVA *ava0, ...) CERT_CreateRDN(PLArenaPool *arena, CERTAVA *ava0, ...)
{ {


@ -24,8 +24,6 @@ CERT_MatchNickname(char *name1, char *name2) {
char *nickname2 = NULL; char *nickname2 = NULL;
char *token1; char *token1;
char *token2; char *token2;
char *token = NULL;
int len;
/* first deal with the straight comparison */ /* first deal with the straight comparison */
if (PORT_Strcmp(name1, name2) == 0) { if (PORT_Strcmp(name1, name2) == 0) {
@ -40,20 +38,17 @@ CERT_MatchNickname(char *name1, char *name2) {
return PR_FALSE; return PR_FALSE;
} }
if (token1) { if (token1) {
token=name1;
nickname1=token1; nickname1=token1;
nickname2=name2; nickname2=name2;
} else { } else {
token=name2;
nickname1=token2; nickname1=token2;
nickname2=name1; nickname2=name1;
} }
len = nickname1-token;
nickname1++; nickname1++;
if (PORT_Strcmp(nickname1,nickname2) != 0) { if (PORT_Strcmp(nickname1,nickname2) != 0) {
return PR_FALSE; return PR_FALSE;
} }
/* compare the other token with the internal slot here */ /* Bug 1192443 - compare the other token with the internal slot here */
return PR_TRUE; return PR_TRUE;
} }
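Review bot: The final `return PR_TRUE` in CERT_MatchNickname is reached as soon as the text after the skipped separator character equals the other nickname, so the token prefix is never compared with anything; the commit only adds a bug number to the placeholder comment. Until that comparison exists, the comment should state the actual behaviour, for example `/* NOTE: the token prefix is not checked; only the nickname part is compared (Bug 1192443) */`. Callers that use this match to tell apart certificates held on different tokens should not assume the token was verified. The function starts above the hunk, so how `token1` and `token2` are derived is not visible here.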


@ -1412,13 +1412,13 @@ setRevocationMethod(PKIX_RevocationChecker *revChecker,
{ {
PKIX_UInt32 methodFlags = 0; PKIX_UInt32 methodFlags = 0;
PKIX_Error *error = NULL; PKIX_Error *error = NULL;
int priority = 0; PKIX_UInt32 priority = 0;
if (revTest->number_of_defined_methods <= certRevMethod) { if (revTest->number_of_defined_methods <= (PRUint32)certRevMethod) {
return NULL; return NULL;
} }
if (revTest->preferred_methods) { if (revTest->preferred_methods) {
int i = 0; unsigned int i = 0;
for (;i < revTest->number_of_preferred_methods;i++) { for (;i < revTest->number_of_preferred_methods;i++) {
if (revTest->preferred_methods[i] == certRevMethod) if (revTest->preferred_methods[i] == certRevMethod)
break; break;


@ -559,14 +559,19 @@ ocsp_RemoveCacheItem(OCSPCacheData *cache, OCSPCacheItem *item)
* because of an allocation failure, or it could get removed because we're * because of an allocation failure, or it could get removed because we're
* cleaning up. * cleaning up.
*/ */
PRBool couldRemoveFromHashTable;
OCSP_TRACE(("OCSP ocsp_RemoveCacheItem, THREADID %p\n", PR_GetCurrentThread())); OCSP_TRACE(("OCSP ocsp_RemoveCacheItem, THREADID %p\n", PR_GetCurrentThread()));
PR_EnterMonitor(OCSP_Global.monitor); PR_EnterMonitor(OCSP_Global.monitor);
ocsp_RemoveCacheItemFromLinkedList(cache, item); ocsp_RemoveCacheItemFromLinkedList(cache, item);
couldRemoveFromHashTable = PL_HashTableRemove(cache->entries, #ifdef DEBUG
{
PRBool couldRemoveFromHashTable = PL_HashTableRemove(cache->entries,
item->certID); item->certID);
PORT_Assert(couldRemoveFromHashTable); PORT_Assert(couldRemoveFromHashTable);
}
#else
PL_HashTableRemove(cache->entries, item->certID);
#endif
--cache->numberOfEntries; --cache->numberOfEntries;
ocsp_FreeCacheItem(item); ocsp_FreeCacheItem(item);
PR_ExitMonitor(OCSP_Global.monitor); PR_ExitMonitor(OCSP_Global.monitor);
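Review bot: The `#ifdef DEBUG` / `#else` split in ocsp_RemoveCacheItem duplicates the `PL_HashTableRemove` call, so debug and release builds can drift apart on the one statement that mutates the cache. A single call keeps them identical and still silences the unused-variable warning: `couldRemoveFromHashTable = PL_HashTableRemove(cache->entries, item->certID);` followed by `PORT_Assert(couldRemoveFromHashTable);` and `(void)couldRemoveFromHashTable;`. Separately, release builds still decrement `numberOfEntries` and call `ocsp_FreeCacheItem(item)` without looking at the result; if removal can fail here, the table would keep a pointer to freed memory, so this needs either a comment stating why failure is impossible or an explicit check.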


@ -101,9 +101,6 @@ CERT_EncodeCRLDistributionPoints (PLArenaPool *arena,
rv = SECFailure; rv = SECFailure;
break; break;
/* distributionPointName is omitted */
case 0: break;
default: default:
PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID); PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
rv = SECFailure; rv = SECFailure;


@ -65,11 +65,8 @@ builtins_mdInstance_GetLibraryVersion
NSSCKFWInstance *fwInstance NSSCKFWInstance *fwInstance
) )
{ {
extern const char __nss_builtins_rcsid[]; #define NSS_VERSION_VARIABLE __nss_builtins_version
extern const char __nss_builtins_sccsid[]; #include "verref.h"
volatile char c; /* force a reference that won't get optimized away */
c = __nss_builtins_rcsid[0] + __nss_builtins_sccsid[0];
return nss_builtins_LibraryVersion; return nss_builtins_LibraryVersion;
} }
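Review bot: The `#define NSS_VERSION_VARIABLE` / `#include "verref.h"` pair inside builtins_mdInstance_GetLibraryVersion has no comment, and a header included in the middle of a function body is easy to mistake for a merge accident. verref.h is not part of this hunk; presumably it expands to a reference to `__nss_builtins_version` that keeps the string in the binary, as the removed `volatile char c` trick did, and a one-line comment such as `/* verref.h references NSS_VERSION_VARIABLE so the version string is kept in the binary */` would record that. If verref.h does not `#undef NSS_VERSION_VARIABLE` itself, the macro stays defined for the rest of the translation unit.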


@ -11,7 +11,6 @@ my $o;
my @objects = (); my @objects = ();
my @objsize; my @objsize;
$constants{CKO_DATA} = "static const CK_OBJECT_CLASS cko_data = CKO_DATA;\n";
$constants{CK_TRUE} = "static const CK_BBOOL ck_true = CK_TRUE;\n"; $constants{CK_TRUE} = "static const CK_BBOOL ck_true = CK_TRUE;\n";
$constants{CK_FALSE} = "static const CK_BBOOL ck_false = CK_FALSE;\n"; $constants{CK_FALSE} = "static const CK_BBOOL ck_false = CK_FALSE;\n";


@ -13,14 +13,7 @@
#endif #endif
/* /*
* Version information for the 'ident' and 'what commands * Version information
*
* NOTE: the first component of the concatenated rcsid string
* must not end in a '$' to prevent rcs keyword substitution.
*/ */
const char __nss_builtins_rcsid[] = "$Header: NSS Builtin Trusted Root CAs " const char __nss_builtins_version[] = "Version: NSS Builtin Trusted Root CAs "
NSS_BUILTINS_LIBRARY_VERSION _DEBUG_STRING NSS_BUILTINS_LIBRARY_VERSION _DEBUG_STRING;
" " __DATE__ " " __TIME__ " $";
const char __nss_builtins_sccsid[] = "@(#)NSS Builtin Trusted Root CAs "
NSS_BUILTINS_LIBRARY_VERSION _DEBUG_STRING
" " __DATE__ " " __TIME__;


@ -30,8 +30,5 @@ INCLUDES += -I.
# To create a loadable module on Darwin, we must use -bundle. # To create a loadable module on Darwin, we must use -bundle.
# #
ifeq ($(OS_TARGET),Darwin) ifeq ($(OS_TARGET),Darwin)
ifndef USE_64
DSO_LDOPTS = -bundle DSO_LDOPTS = -bundle
endif endif
endif


@ -45,8 +45,8 @@
* of the comment in the CK_VERSION type definition. * of the comment in the CK_VERSION type definition.
*/ */
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 4 #define NSS_BUILTINS_LIBRARY_VERSION_MINOR 5
#define NSS_BUILTINS_LIBRARY_VERSION "2.4" #define NSS_BUILTINS_LIBRARY_VERSION "2.5"
/* These version numbers detail the semantic changes to the ckfw engine. */ /* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1


@ -12,14 +12,7 @@
#endif #endif
/* /*
* Version information for the 'ident' and 'what commands * Version information
*
* NOTE: the first component of the concatenated rcsid string
* must not end in a '$' to prevent rcs keyword substitution.
*/ */
const char __nss_ckcapi_rcsid[] = "$Header: NSS Access to Microsoft Certificate Store " const char __nss_ckcapi_version[] = "Version: NSS Access to Microsoft Certificate Store "
NSS_CKCAPI_LIBRARY_VERSION _DEBUG_STRING NSS_CKCAPI_LIBRARY_VERSION _DEBUG_STRING;
" " __DATE__ " " __TIME__ " $";
const char __nss_ckcapi_sccsid[] = "@(#)NSS Access to Microsoft Certificate Store "
NSS_CKCAPI_LIBRARY_VERSION _DEBUG_STRING
" " __DATE__ " " __TIME__;


@ -27,8 +27,5 @@ endif
# To create a loadable module on Darwin, we must use -bundle. # To create a loadable module on Darwin, we must use -bundle.
# #
ifeq ($(OS_TARGET),Darwin) ifeq ($(OS_TARGET),Darwin)
ifndef USE_64
DSO_LDOPTS = -bundle DSO_LDOPTS = -bundle
endif endif
endif


@ -48,9 +48,7 @@ nss_ckfw_identity_hash
const void *key const void *key
) )
{ {
PRUint32 i = (PRUint32)key; return (PLHashNumber)((char *)key - (char *)NULL);
PR_ASSERT(sizeof(PLHashNumber) == sizeof(PRUint32));
return (PLHashNumber)i;
} }
/* /*
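Review bot: `(char *)key - (char *)NULL` in nss_ckfw_identity_hash subtracts two pointers that do not point into the same object, which the C standard leaves undefined, and the resulting ptrdiff_t is then narrowed to PLHashNumber without the size assertion the old code carried. An integer conversion expresses the same intent without pointer arithmetic: `return (PLHashNumber)(PRUptrdiff)key;`. On 64-bit targets only the low bits of the address then feed the hash, which is acceptable for an identity hash but is worth a short comment.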


@ -12,14 +12,7 @@
#endif #endif
/* /*
* Version information for the 'ident' and 'what commands * Version information
*
* NOTE: the first component of the concatenated rcsid string
* must not end in a '$' to prevent rcs keyword substitution.
*/ */
const char __nss_ckmk_rcsid[] = "$Header: NSS Access to the MAC OS X Key Ring " const char __nss_ckmk_version[] = "Version: NSS Access to the MAC OS X Key Ring "
NSS_CKMK_LIBRARY_VERSION _DEBUG_STRING NSS_CKMK_LIBRARY_VERSION _DEBUG_STRING;
" " __DATE__ " " __TIME__ " $";
const char __nss_ckmk_sccsid[] = "@(#)NSS Access to the MAC OS X Key Ring "
NSS_CKMK_LIBRARY_VERSION _DEBUG_STRING
" " __DATE__ " " __TIME__;


@ -1258,7 +1258,7 @@ nssCKFWToken_GetUTCTime
{ {
/* Format is YYYYMMDDhhmmss00 */ /* Format is YYYYMMDDhhmmss00 */
int i; int i;
int Y, M, D, h, m, s, z; int Y, M, D, h, m, s;
static int dims[] = { 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 }; static int dims[] = { 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
for( i = 0; i < 16; i++ ) { for( i = 0; i < 16; i++ ) {
@ -1274,7 +1274,6 @@ nssCKFWToken_GetUTCTime
h = ((utcTime[ 8] - '0') * 10) + (utcTime[ 9] - '0'); h = ((utcTime[ 8] - '0') * 10) + (utcTime[ 9] - '0');
m = ((utcTime[10] - '0') * 10) + (utcTime[11] - '0'); m = ((utcTime[10] - '0') * 10) + (utcTime[11] - '0');
s = ((utcTime[12] - '0') * 10) + (utcTime[13] - '0'); s = ((utcTime[12] - '0') * 10) + (utcTime[13] - '0');
z = ((utcTime[14] - '0') * 10) + (utcTime[15] - '0');
if( (Y < 1990) || (Y > 3000) ) goto badtime; /* Y3K problem. heh heh heh */ if( (Y < 1990) || (Y > 3000) ) goto badtime; /* Y3K problem. heh heh heh */
if( (M < 1) || (M > 12) ) goto badtime; if( (M < 1) || (M > 12) ) goto badtime;


@ -30,7 +30,6 @@ cmmf_create_witness_and_challenge(PLArenaPool *poolp,
CMMFRand randStr= { {siBuffer, NULL, 0}, {siBuffer, NULL, 0}}; CMMFRand randStr= { {siBuffer, NULL, 0}, {siBuffer, NULL, 0}};
PK11SlotInfo *slot; PK11SlotInfo *slot;
PK11SymKey *symKey = NULL; PK11SymKey *symKey = NULL;
CK_OBJECT_HANDLE id;
CERTSubjectPublicKeyInfo *spki = NULL; CERTSubjectPublicKeyInfo *spki = NULL;
@ -76,7 +75,7 @@ cmmf_create_witness_and_challenge(PLArenaPool *poolp,
rv = SECFailure; rv = SECFailure;
goto loser; goto loser;
} }
id = PK11_ImportPublicKey(slot, inPubKey, PR_FALSE); (void)PK11_ImportPublicKey(slot, inPubKey, PR_FALSE);
/* In order to properly encrypt the data, we import as a symmetric /* In order to properly encrypt the data, we import as a symmetric
* key, and then wrap that key. That in essence encrypts the data. * key, and then wrap that key. That in essence encrypts the data.
* This is the method recommended in the PK11 world in order * This is the method recommended in the PK11 world in order
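Review bot: `(void)PK11_ImportPublicKey(slot, inPubKey, PR_FALSE)` in cmmf_create_witness_and_challenge discards the only indication that the import failed, and judging by the comment that follows, the code goes on to wrap data for that key as if it were on the slot. The function already has a `loser` path, so the call can be checked: `if (PK11_ImportPublicKey(slot, inPubKey, PR_FALSE) == CK_INVALID_HANDLE) { rv = SECFailure; goto loser; }`. The `(void)SEC_ASN1EncodeItem(...)` added in CRMF_CertReqMsgSetRAVerifiedPOP has the same shape: it returns SECSuccess even if encoding returned NULL and `derPOP` was left unset. Both functions extend beyond their hunks, so cleanup on the failure path needs checking against the full source.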


@ -857,7 +857,6 @@ CRMF_CreateEncryptedKeyWithEncryptedValue (SECKEYPrivateKey *inPrivKey,
{ {
SECKEYPublicKey *caPubKey = NULL; SECKEYPublicKey *caPubKey = NULL;
CRMFEncryptedKey *encKey = NULL; CRMFEncryptedKey *encKey = NULL;
CRMFEncryptedValue *dummy;
PORT_Assert(inPrivKey != NULL && inCACert != NULL); PORT_Assert(inPrivKey != NULL && inCACert != NULL);
if (inPrivKey == NULL || inCACert == NULL) { if (inPrivKey == NULL || inCACert == NULL) {
@ -873,10 +872,17 @@ CRMF_CreateEncryptedKeyWithEncryptedValue (SECKEYPrivateKey *inPrivKey,
if (encKey == NULL) { if (encKey == NULL) {
goto loser; goto loser;
} }
dummy = crmf_create_encrypted_value_wrapped_privkey(inPrivKey, #ifdef DEBUG
caPubKey, {
&encKey->value.encryptedValue); CRMFEncryptedValue *dummy =
crmf_create_encrypted_value_wrapped_privkey(
inPrivKey, caPubKey, &encKey->value.encryptedValue);
PORT_Assert(dummy == &encKey->value.encryptedValue); PORT_Assert(dummy == &encKey->value.encryptedValue);
}
#else
crmf_create_encrypted_value_wrapped_privkey(
inPrivKey, caPubKey, &encKey->value.encryptedValue);
#endif
/* We won't add the der value here, but rather when it /* We won't add the der value here, but rather when it
* becomes part of a certificate request. * becomes part of a certificate request.
*/ */
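Review bot: Outside DEBUG builds the result of `crmf_create_encrypted_value_wrapped_privkey` is now dropped entirely in CRMF_CreateEncryptedKeyWithEncryptedValue, so a wrapping failure would hand the caller an `encKey` whose `encryptedValue` was never filled in. Assuming the helper returns NULL on failure (its definition is not in this hunk), one checked call serves both build types: `if (crmf_create_encrypted_value_wrapped_privkey(inPrivKey, caPubKey, &encKey->value.encryptedValue) == NULL) { goto loser; }`. That also removes the duplicated call under `#ifdef DEBUG`.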


@ -52,7 +52,7 @@
struct crmfEncoderArg { struct crmfEncoderArg {
SECItem *buffer; SECItem *buffer;
long allocatedLen; unsigned long allocatedLen;
}; };
struct crmfEncoderOutput { struct crmfEncoderOutput {


@ -10,7 +10,7 @@
#include "keyhi.h" #include "keyhi.h"
#include "cryptohi.h" #include "cryptohi.h"
#define CRMF_DEFAULT_ALLOC_SIZE 1024 #define CRMF_DEFAULT_ALLOC_SIZE 1024U
SECStatus SECStatus
crmf_init_encoder_callback_arg (struct crmfEncoderArg *encoderArg, crmf_init_encoder_callback_arg (struct crmfEncoderArg *encoderArg,
@ -33,7 +33,6 @@ crmf_init_encoder_callback_arg (struct crmfEncoderArg *encoderArg,
SECStatus SECStatus
CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg) CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg)
{ {
SECItem *dummy;
CRMFProofOfPossession *pop; CRMFProofOfPossession *pop;
PLArenaPool *poolp; PLArenaPool *poolp;
void *mark; void *mark;
@ -52,7 +51,7 @@ CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg)
pop->popChoice.raVerified.data = NULL; pop->popChoice.raVerified.data = NULL;
pop->popChoice.raVerified.len = 0; pop->popChoice.raVerified.len = 0;
inCertReqMsg->pop = pop; inCertReqMsg->pop = pop;
dummy = SEC_ASN1EncodeItem(poolp, &(inCertReqMsg->derPOP), (void)SEC_ASN1EncodeItem(poolp, &(inCertReqMsg->derPOP),
&(pop->popChoice.raVerified), &(pop->popChoice.raVerified),
CRMFRAVerifiedTemplate); CRMFRAVerifiedTemplate);
return SECSuccess; return SECSuccess;


@ -138,19 +138,6 @@ const SEC_ASN1Template CRMFCertReqMessagesTemplate[] = {
CRMFCertReqMsgTemplate, sizeof (CRMFCertReqMessages)} CRMFCertReqMsgTemplate, sizeof (CRMFCertReqMessages)}
}; };
static const SEC_ASN1Template CRMFPOPOSigningKeyInputTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL,sizeof(CRMFPOPOSigningKeyInput) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
SEC_ASN1_CONTEXT_SPECIFIC | 0,
offsetof(CRMFPOPOSigningKeyInput, authInfo.sender) },
{ SEC_ASN1_BIT_STRING | SEC_ASN1_OPTIONAL | 1,
offsetof (CRMFPOPOSigningKeyInput, authInfo.publicKeyMAC) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
offsetof(CRMFPOPOSigningKeyInput, publicKey),
SEC_ASN1_SUB(CERT_SubjectPublicKeyInfoTemplate) },
{ 0 }
};
const SEC_ASN1Template CRMFRAVerifiedTemplate[] = { const SEC_ASN1Template CRMFRAVerifiedTemplate[] = {
{ SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_XTRN, { SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_XTRN,
0, 0,
@ -252,19 +239,3 @@ const SEC_ASN1Template CRMFEncryptedKeyWithEncryptedValueTemplate [] = {
CRMFEncryptedValueTemplate}, CRMFEncryptedValueTemplate},
{ 0 } { 0 }
}; };
static const SEC_ASN1Template CRMFSinglePubInfoTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFSinglePubInfo)},
{ SEC_ASN1_INTEGER, offsetof(CRMFSinglePubInfo, pubMethod) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC,
offsetof(CRMFSinglePubInfo, pubLocation) },
{ 0 }
};
static const SEC_ASN1Template CRMFPublicationInfoTemplate[] ={
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFPKIPublicationInfo) },
{ SEC_ASN1_INTEGER, offsetof(CRMFPKIPublicationInfo, action) },
{ SEC_ASN1_POINTER, offsetof(CRMFPKIPublicationInfo, pubInfos),
CRMFSinglePubInfoTemplate},
{ 0 }
};


@ -37,6 +37,11 @@ extern SECStatus SECKEY_CopySubjectPublicKeyInfo(PLArenaPool *arena,
extern SECStatus extern SECStatus
SECKEY_UpdateCertPQG(CERTCertificate * subjectCert); SECKEY_UpdateCertPQG(CERTCertificate * subjectCert);
/*
** Return the number of bits in the provided big integer. This assumes that the
** SECItem contains a big-endian number and counts from the first non-zero bit.
*/
extern unsigned SECKEY_BigIntegerBitLength(const SECItem *number);
/* /*
** Return the strength of the public key in bytes ** Return the strength of the public key in bytes


@ -178,8 +178,8 @@ SECKEY_CreateDHPrivateKey(SECKEYDHParams *param, SECKEYPublicKey **pubk, void *c
PK11SlotInfo *slot; PK11SlotInfo *slot;
if (!param || !param->base.data || !param->prime.data || if (!param || !param->base.data || !param->prime.data ||
param->prime.len < 512/8 || param->base.len == 0 || SECKEY_BigIntegerBitLength(&param->prime) < DH_MIN_P_BITS ||
param->base.len > param->prime.len + 1 || param->base.len == 0 || param->base.len > param->prime.len + 1 ||
(param->base.len == 1 && param->base.data[0] == 0)) { (param->base.len == 1 && param->base.data[0] == 0)) {
PORT_SetError(SEC_ERROR_INVALID_ARGS); PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL; return NULL;
@ -941,63 +941,78 @@ SECKEY_ECParamsToBasePointOrderLen(const SECItem *encodedParams)
} }
} }
/* The number of bits in the number from the first non-zero bit onward. */
unsigned
SECKEY_BigIntegerBitLength(const SECItem *number)
{
const unsigned char *p;
unsigned octets;
unsigned bits;
if (!number || !number->data) {
PORT_SetError(SEC_ERROR_INVALID_KEY);
return 0;
}
p = number->data;
octets = number->len;
while (octets > 0 && !*p) {
++p;
--octets;
}
if (octets == 0) {
return 0;
}
/* bits = 7..1 because we know at least one bit is set already */
/* Note: This could do a binary search, but this is faster for keys if we
* assume that good keys will have the MSB set. */
for (bits = 7; bits > 0; --bits) {
if (*p & (1 << bits)) {
break;
}
}
return octets * 8 + bits - 7;
}
/* returns key strength in bytes (not bits) */ /* returns key strength in bytes (not bits) */
unsigned unsigned
SECKEY_PublicKeyStrength(const SECKEYPublicKey *pubk) SECKEY_PublicKeyStrength(const SECKEYPublicKey *pubk)
{ {
unsigned char b0; return (SECKEY_PublicKeyStrengthInBits(pubk) + 7) / 8;
unsigned size;
/* interpret modulus length as key strength */
if (!pubk)
goto loser;
switch (pubk->keyType) {
case rsaKey:
if (!pubk->u.rsa.modulus.data) break;
b0 = pubk->u.rsa.modulus.data[0];
return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
case dsaKey:
if (!pubk->u.dsa.publicValue.data) break;
b0 = pubk->u.dsa.publicValue.data[0];
return b0 ? pubk->u.dsa.publicValue.len :
pubk->u.dsa.publicValue.len - 1;
case dhKey:
if (!pubk->u.dh.publicValue.data) break;
b0 = pubk->u.dh.publicValue.data[0];
return b0 ? pubk->u.dh.publicValue.len :
pubk->u.dh.publicValue.len - 1;
case ecKey:
/* Get the key size in bits and adjust */
size = SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams);
return (size + 7)/8;
default:
break;
}
loser:
PORT_SetError(SEC_ERROR_INVALID_KEY);
return 0;
} }
/* returns key strength in bits */ /* returns key strength in bits */
unsigned unsigned
SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk) SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk)
{ {
unsigned size; unsigned bitSize = 0;
switch (pubk->keyType) {
case rsaKey: if (!pubk) {
case dsaKey:
case dhKey:
return SECKEY_PublicKeyStrength(pubk) * 8; /* 1 byte = 8 bits */
case ecKey:
size = SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams);
return size;
default:
break;
}
PORT_SetError(SEC_ERROR_INVALID_KEY); PORT_SetError(SEC_ERROR_INVALID_KEY);
return 0; return 0;
} }
/* interpret modulus length as key strength */
switch (pubk->keyType) {
case rsaKey:
bitSize = SECKEY_BigIntegerBitLength(&pubk->u.rsa.modulus);
break;
case dsaKey:
bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dsa.publicValue);
break;
case dhKey:
bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dh.publicValue);
break;
case ecKey:
bitSize = SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams);
break;
default:
PORT_SetError(SEC_ERROR_INVALID_KEY);
break;
}
return bitSize;
}
/* returns signature length in bytes (not bits) */ /* returns signature length in bytes (not bits) */
unsigned unsigned
SECKEY_SignatureLen(const SECKEYPublicKey *pubk) SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
@ -1550,7 +1565,7 @@ SECKEY_DestroyPrivateKeyInfo(SECKEYPrivateKeyInfo *pvk,
* this yet. * this yet.
*/ */
PORT_Memset(pvk->privateKey.data, 0, pvk->privateKey.len); PORT_Memset(pvk->privateKey.data, 0, pvk->privateKey.len);
PORT_Memset((char *)pvk, 0, sizeof(*pvk)); PORT_Memset(pvk, 0, sizeof(*pvk));
if(freeit == PR_TRUE) { if(freeit == PR_TRUE) {
PORT_FreeArena(poolp, PR_TRUE); PORT_FreeArena(poolp, PR_TRUE);
} else { } else {
@ -1560,7 +1575,7 @@ SECKEY_DestroyPrivateKeyInfo(SECKEYPrivateKeyInfo *pvk,
SECITEM_ZfreeItem(&pvk->version, PR_FALSE); SECITEM_ZfreeItem(&pvk->version, PR_FALSE);
SECITEM_ZfreeItem(&pvk->privateKey, PR_FALSE); SECITEM_ZfreeItem(&pvk->privateKey, PR_FALSE);
SECOID_DestroyAlgorithmID(&pvk->algorithm, PR_FALSE); SECOID_DestroyAlgorithmID(&pvk->algorithm, PR_FALSE);
PORT_Memset((char *)pvk, 0, sizeof(*pvk)); PORT_Memset(pvk, 0, sizeof(*pvk));
if(freeit == PR_TRUE) { if(freeit == PR_TRUE) {
PORT_Free(pvk); PORT_Free(pvk);
} }
@ -1581,7 +1596,7 @@ SECKEY_DestroyEncryptedPrivateKeyInfo(SECKEYEncryptedPrivateKeyInfo *epki,
* this yet. * this yet.
*/ */
PORT_Memset(epki->encryptedData.data, 0, epki->encryptedData.len); PORT_Memset(epki->encryptedData.data, 0, epki->encryptedData.len);
PORT_Memset((char *)epki, 0, sizeof(*epki)); PORT_Memset(epki, 0, sizeof(*epki));
if(freeit == PR_TRUE) { if(freeit == PR_TRUE) {
PORT_FreeArena(poolp, PR_TRUE); PORT_FreeArena(poolp, PR_TRUE);
} else { } else {
@ -1590,7 +1605,7 @@ SECKEY_DestroyEncryptedPrivateKeyInfo(SECKEYEncryptedPrivateKeyInfo *epki,
} else { } else {
SECITEM_ZfreeItem(&epki->encryptedData, PR_FALSE); SECITEM_ZfreeItem(&epki->encryptedData, PR_FALSE);
SECOID_DestroyAlgorithmID(&epki->algorithm, PR_FALSE); SECOID_DestroyAlgorithmID(&epki->algorithm, PR_FALSE);
PORT_Memset((char *)epki, 0, sizeof(*epki)); PORT_Memset(epki, 0, sizeof(*epki));
if(freeit == PR_TRUE) { if(freeit == PR_TRUE) {
PORT_Free(epki); PORT_Free(epki);
} }
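Review bot: In SECKEY_PublicKeyStrengthInBits the `dsaKey` and `dhKey` cases measure `publicValue`, which is a group element and may have any number of leading zero bits, rather than the group prime that actually determines the strength. Now that leading zeros are counted bit by bit, two keys over the same group can report different strengths, and a minimum-size policy built on this value can misjudge a key; the cases would be better written as `bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dsa.params.prime);` and `bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dh.prime);`. The comment on SECKEY_BigIntegerBitLength should also say that it returns 0 both for an all-zero number and for a NULL item, and sets SEC_ERROR_INVALID_KEY only in the NULL case, since callers cannot tell the two apart from the return value.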


@ -25,10 +25,6 @@ ifdef HAVE_SNPRINTF
DEFINES += -DHAVE_SNPRINTF DEFINES += -DHAVE_SNPRINTF
endif endif
ifeq (,$(filter-out IRIX Linux,$(OS_TARGET)))
DEFINES += -DHAVE_SYS_CDEFS_H
endif
ifeq (,$(filter-out DGUX NCR ReliantUNIX SCO_SV SCOOS UNIXWARE,$(OS_TARGET))) ifeq (,$(filter-out DGUX NCR ReliantUNIX SCO_SV SCOOS UNIXWARE,$(OS_TARGET)))
DEFINES += -DHAVE_SYS_BYTEORDER_H DEFINES += -DHAVE_SYS_BYTEORDER_H
endif endif


@ -1,126 +0,0 @@
/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/*
* Copyright (c) 1991, 1993
* The Regents of the University of California. All rights reserved.
*
* This code is derived from software contributed to Berkeley by
* Berkeley Software Design, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. ***REMOVED*** - see
* ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)cdefs.h 8.7 (Berkeley) 1/21/94
*/
#ifndef _CDEFS_H_
#define _CDEFS_H_
#if defined(__cplusplus)
#define __BEGIN_DECLS extern "C" {
#define __END_DECLS }
#else
#define __BEGIN_DECLS
#define __END_DECLS
#endif
/*
* The __CONCAT macro is used to concatenate parts of symbol names, e.g.
* with "#define OLD(foo) __CONCAT(old,foo)", OLD(foo) produces oldfoo.
* The __CONCAT macro is a bit tricky -- make sure you don't put spaces
* in between its arguments. __CONCAT can also concatenate double-quoted
* strings produced by the __STRING macro, but this only works with ANSI C.
*/
#if defined(__STDC__) || defined(__cplusplus) || defined(_WINDOWS) || defined(XP_OS2)
#define __P(protos) protos /* full-blown ANSI C */
#define __CONCAT(x,y) x ## y
#define __STRING(x) #x
/* On HP-UX 11.00, <sys/stdsyms.h> defines __const. */
#ifndef __const
#define __const const /* define reserved names to standard */
#endif /* __const */
#define __signed signed
#define __volatile volatile
#ifndef _WINDOWS
#if defined(__cplusplus)
#define __inline inline /* convert to C++ keyword */
#else
#if !defined(__GNUC__) && !defined(__MWERKS__)
#define __inline /* delete GCC keyword */
#endif /* !__GNUC__ */
#endif /* !__cplusplus */
#endif /* !_WINDOWS */
#else /* !(__STDC__ || __cplusplus) */
#define __P(protos) () /* traditional C preprocessor */
#define __CONCAT(x,y) x/**/y
#define __STRING(x) "x"
#ifndef __GNUC__
#define __const /* delete pseudo-ANSI C keywords */
#define __inline
#define __signed
#define __volatile
/*
* In non-ANSI C environments, new programs will want ANSI-only C keywords
* deleted from the program and old programs will want them left alone.
* When using a compiler other than gcc, programs using the ANSI C keywords
* const, inline etc. as normal identifiers should define -DNO_ANSI_KEYWORDS.
* When using "gcc -traditional", we assume that this is the intent; if
* __GNUC__ is defined but __STDC__ is not, we leave the new keywords alone.
*/
#ifndef NO_ANSI_KEYWORDS
#define const /* delete ANSI C keywords */
#define inline
#define signed
#define volatile
#endif
#endif /* !__GNUC__ */
#endif /* !(__STDC__ || __cplusplus) */
/*
* GCC1 and some versions of GCC2 declare dead (non-returning) and
* pure (no side effects) functions using "volatile" and "const";
* unfortunately, these then cause warnings under "-ansi -pedantic".
* GCC2 uses a new, peculiar __attribute__((attrs)) style. All of
* these work for GNU C++ (modulo a slight glitch in the C++ grammar
* in the distribution version of 2.5.5).
*/
#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC_MINOR__ < 5
#define __attribute__(x) /* delete __attribute__ if non-gcc or gcc1 */
#if defined(__GNUC__) && !defined(__STRICT_ANSI__)
#define __dead __volatile
#define __pure __const
#endif
#endif
/* Delete pseudo-keywords wherever they are not available or needed. */
#ifndef __dead
#define __dead
#define __pure
#endif
#endif /* !_CDEFS_H_ */


@ -8,8 +8,7 @@ CORE_DEPTH = ../../..
MODULE = dbm MODULE = dbm
EXPORTS = cdefs.h \ EXPORTS = mcom_db.h \
mcom_db.h \
ncompat.h \ ncompat.h \
winfile.h \ winfile.h \
$(NULL) $(NULL)
@ -19,7 +18,6 @@ PRIVATE_EXPORTS = hsearch.h \
extern.h \ extern.h \
queue.h \ queue.h \
hash.h \ hash.h \
mpool.h \
search.h \ search.h \
$(NULL) $(NULL)


@ -56,12 +56,6 @@ typedef PRUint32 uint32;
#ifdef __DBINTERFACE_PRIVATE #ifdef __DBINTERFACE_PRIVATE
#ifdef HAVE_SYS_CDEFS_H
#include <sys/cdefs.h>
#else
#include "cdefs.h"
#endif
#ifdef HAVE_SYS_BYTEORDER_H #ifdef HAVE_SYS_BYTEORDER_H
#include <sys/byteorder.h> #include <sys/byteorder.h>
#endif #endif


@ -1,97 +0,0 @@
/*-
* Copyright (c) 1991, 1993, 1994
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. ***REMOVED*** - see
* ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)mpool.h 8.2 (Berkeley) 7/14/94
*/
#include <sys/queue.h>
/*
* The memory pool scheme is a simple one. Each in-memory page is referenced
* by a bucket which is threaded in up to two of three ways. All active pages
* are threaded on a hash chain (hashed by page number) and an lru chain.
* Inactive pages are threaded on a free chain. Each reference to a memory
* pool is handed an opaque MPOOL cookie which stores all of this information.
*/
#define HASHSIZE 128
#define HASHKEY(pgno) ((pgno - 1) % HASHSIZE)
/* The BKT structures are the elements of the queues. */
typedef struct _bkt {
CIRCLEQ_ENTRY(_bkt) hq; /* hash queue */
CIRCLEQ_ENTRY(_bkt) q; /* lru queue */
void *page; /* page */
pgno_t pgno; /* page number */
#define MPOOL_DIRTY 0x01 /* page needs to be written */
#define MPOOL_PINNED 0x02 /* page is pinned into memory */
uint8 flags; /* flags */
} BKT;
typedef struct MPOOL {
CIRCLEQ_HEAD(_lqh, _bkt) lqh; /* lru queue head */
/* hash queue array */
CIRCLEQ_HEAD(_hqh, _bkt) hqh[HASHSIZE];
pgno_t curcache; /* current number of cached pages */
pgno_t maxcache; /* max number of cached pages */
pgno_t npages; /* number of pages in the file */
uint32 pagesize; /* file page size */
int fd; /* file descriptor */
/* page in conversion routine */
void (*pgin) (void *, pgno_t, void *);
/* page out conversion routine */
void (*pgout) (void *, pgno_t, void *);
void *pgcookie; /* cookie for page in/out routines */
#ifdef STATISTICS
uint32 cachehit;
uint32 cachemiss;
uint32 pagealloc;
uint32 pageflush;
uint32 pageget;
uint32 pagenew;
uint32 pageput;
uint32 pageread;
uint32 pagewrite;
#endif
} MPOOL;
__BEGIN_DECLS
MPOOL *mpool_open (void *, int, pgno_t, pgno_t);
void mpool_filter (MPOOL *, void (*)(void *, pgno_t, void *),
void (*)(void *, pgno_t, void *), void *);
void *mpool_new (MPOOL *, pgno_t *);
void *mpool_get (MPOOL *, pgno_t, uint);
int mpool_put (MPOOL *, void *, uint);
int mpool_sync (MPOOL *);
int mpool_close (MPOOL *);
#ifdef STATISTICS
void mpool_stat (MPOOL *);
#endif
__END_DECLS


@ -72,8 +72,8 @@ static char sccsid[] = "@(#)hash_bigkey.c 8.3 (Berkeley) 5/31/94";
#include "page.h" #include "page.h"
/* #include "extern.h" */ /* #include "extern.h" */
static int collect_key __P((HTAB *, BUFHEAD *, int, DBT *, int)); static int collect_key(HTAB *, BUFHEAD *, int, DBT *, int);
static int collect_data __P((HTAB *, BUFHEAD *, int, int)); static int collect_data(HTAB *, BUFHEAD *, int, int);
/* /*
* Big_insert * Big_insert


@ -45,14 +45,14 @@ static char sccsid[] = "@(#)hash_func.c 8.2 (Berkeley) 2/21/94";
/* #include "extern.h" */ /* #include "extern.h" */
#if 0 #if 0
static uint32 hash1 __P((const void *, size_t)); static uint32 hash1(const void *, size_t);
static uint32 hash2 __P((const void *, size_t)); static uint32 hash2(const void *, size_t);
static uint32 hash3 __P((const void *, size_t)); static uint32 hash3(const void *, size_t);
#endif #endif
static uint32 hash4 __P((const void *, size_t)); static uint32 hash4(const void *, size_t);
/* Global default hash function */ /* Global default hash function */
uint32 (*__default_hash) __P((const void *, size_t)) = hash4; uint32 (*__default_hash)(const void *, size_t) = hash4;
/* /*
* HASH FUNCTIONS * HASH FUNCTIONS


@ -89,13 +89,12 @@ static char sccsid[] = "@(#)hash_page.c 8.7 (Berkeley) 8/16/94";
extern int mkstempflags(char *path, int extraFlags); extern int mkstempflags(char *path, int extraFlags);
static uint32 *fetch_bitmap __P((HTAB *, uint32)); static uint32 *fetch_bitmap(HTAB *, uint32);
static uint32 first_free __P((uint32)); static uint32 first_free(uint32);
static int open_temp __P((HTAB *)); static int open_temp(HTAB *);
static uint16 overflow_page __P((HTAB *)); static uint16 overflow_page(HTAB *);
static void squeeze_key __P((uint16 *, const DBT *, const DBT *)); static void squeeze_key(uint16 *, const DBT *, const DBT *);
static int ugly_split static int ugly_split(HTAB *, uint32, BUFHEAD *, BUFHEAD *, int, int);
__P((HTAB *, uint32, BUFHEAD *, BUFHEAD *, int, int));
#define PAGE_INIT(P) { \ #define PAGE_INIT(P) { \
((uint16 *)(P))[0] = 0; \ ((uint16 *)(P))[0] = 0; \
@ -721,23 +720,6 @@ __get_page(HTAB *hashp,
PAGE_INIT(p); PAGE_INIT(p);
} else { } else {
#ifdef DEBUG
if(BYTE_ORDER == LITTLE_ENDIAN)
{
int is_little_endian;
is_little_endian = BYTE_ORDER;
}
else if(BYTE_ORDER == BIG_ENDIAN)
{
int is_big_endian;
is_big_endian = BYTE_ORDER;
}
else
{
assert(0);
}
#endif
if (hashp->LORDER != BYTE_ORDER) { if (hashp->LORDER != BYTE_ORDER) {
register int i, max; register int i, max;


@ -74,23 +74,23 @@ static char sccsid[] = "@(#)hash.c 8.9 (Berkeley) 6/16/94";
/* /*
#include "extern.h" #include "extern.h"
*/ */
static int alloc_segs __P((HTAB *, int)); static int alloc_segs(HTAB *, int);
static int flush_meta __P((HTAB *)); static int flush_meta(HTAB *);
static int hash_access __P((HTAB *, ACTION, DBT *, DBT *)); static int hash_access(HTAB *, ACTION, DBT *, DBT *);
static int hash_close __P((DB *)); static int hash_close(DB *);
static int hash_delete __P((const DB *, const DBT *, uint)); static int hash_delete(const DB *, const DBT *, uint);
static int hash_fd __P((const DB *)); static int hash_fd(const DB *);
static int hash_get __P((const DB *, const DBT *, DBT *, uint)); static int hash_get(const DB *, const DBT *, DBT *, uint);
static int hash_put __P((const DB *, DBT *, const DBT *, uint)); static int hash_put(const DB *, DBT *, const DBT *, uint);
static void *hash_realloc __P((SEGMENT **, size_t, size_t)); static void *hash_realloc(SEGMENT **, size_t, size_t);
static int hash_seq __P((const DB *, DBT *, DBT *, uint)); static int hash_seq(const DB *, DBT *, DBT *, uint);
static int hash_sync __P((const DB *, uint)); static int hash_sync(const DB *, uint);
static int hdestroy __P((HTAB *)); static int hdestroy(HTAB *);
static HTAB *init_hash __P((HTAB *, const char *, HASHINFO *)); static HTAB *init_hash(HTAB *, const char *, HASHINFO *);
static int init_htab __P((HTAB *, int)); static int init_htab(HTAB *, int);
#if BYTE_ORDER == LITTLE_ENDIAN #if BYTE_ORDER == LITTLE_ENDIAN
static void swap_header __P((HTAB *)); static void swap_header(HTAB *);
static void swap_header_copy __P((HASHHDR *, HASHHDR *)); static void swap_header_copy(HASHHDR *, HASHHDR *);
#endif #endif
/* Fast arithmetic, relying on powers of 2, */ /* Fast arithmetic, relying on powers of 2, */


@ -70,7 +70,7 @@ static char sccsid[] = "@(#)hash_buf.c 8.5 (Berkeley) 7/15/94";
#include "page.h" #include "page.h"
/* #include "extern.h" */ /* #include "extern.h" */
static BUFHEAD *newbuf __P((HTAB *, uint32, BUFHEAD *)); static BUFHEAD *newbuf(HTAB *, uint32, BUFHEAD *);
/* Unlink B from its place in the lru */ /* Unlink B from its place in the lru */
#define BUF_REMOVE(B) { \ #define BUF_REMOVE(B) { \


@ -37,11 +37,6 @@
static char sccsid[] = "@(#)bcopy.c 8.1 (Berkeley) 6/4/93"; static char sccsid[] = "@(#)bcopy.c 8.1 (Berkeley) 6/4/93";
#endif /* LIBC_SCCS and not lint */ #endif /* LIBC_SCCS and not lint */
#ifdef HAVE_SYS_CDEFS_H
#include <sys/cdefs.h>
#else
#include "cdefs.h"
#endif
#include <string.h> #include <string.h>
/* /*


@ -4,32 +4,14 @@
#include <stddef.h> #include <stddef.h>
#include <stdio.h> #include <stdio.h>
#ifdef HAVE_SYS_CDEFS_H
#include <sys/cdefs.h>
#else
#include "cdefs.h"
#endif
#include "prtypes.h" #include "prtypes.h"
#include <ncompat.h> #include <ncompat.h>
#ifdef __STDC__
#include <stdarg.h> #include <stdarg.h>
#else
#include <varargs.h>
#endif
int int
#ifdef __STDC__
snprintf(char *str, size_t n, const char *fmt, ...) snprintf(char *str, size_t n, const char *fmt, ...)
#else
snprintf(str, n, fmt, va_alist)
char *str;
size_t n;
const char *fmt;
va_dcl
#endif
{ {
va_list ap; va_list ap;
#ifdef VSPRINTF_CHARSTAR #ifdef VSPRINTF_CHARSTAR
@ -37,11 +19,7 @@ snprintf(str, n, fmt, va_alist)
#else #else
int rval; int rval;
#endif #endif
#ifdef __STDC__
va_start(ap, fmt); va_start(ap, fmt);
#else
va_start(ap);
#endif
#ifdef VSPRINTF_CHARSTAR #ifdef VSPRINTF_CHARSTAR
rp = vsprintf(str, fmt, ap); rp = vsprintf(str, fmt, ap);
va_end(ap); va_end(ap);
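Review bot: The `VSPRINTF_CHARSTAR` branch kept by the last hunk calls `vsprintf(str, fmt, ap)`, so in that branch the `n` argument of this `snprintf` replacement is never used to bound the write and a long formatted result can run past the end of `str`. The commit only removes the K&R prototype and the `va_start` variants; the `#else` branch and the rest of the body are outside the hunk, so whether `n` is enforced there cannot be seen from here. Where the platform provides it, calling `vsnprintf(str, n, fmt, ap)` would honour the size; where it does not, a comment such as `/* NOTE: n is not enforced here; callers must size str for the full output */` should state the limitation.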


@ -25,9 +25,6 @@
/* measured as interval */ /* measured as interval */
static PRIntervalTime s_token_delay_time = 0; static PRIntervalTime s_token_delay_time = 0;
/* The flags needed to open a read-only session. */
static const CK_FLAGS s_ck_readonly_flags = CKF_SERIAL_SESSION;
NSS_IMPLEMENT PRStatus NSS_IMPLEMENT PRStatus
nssSlot_Destroy ( nssSlot_Destroy (
NSSSlot *slot NSSSlot *slot


@ -1466,7 +1466,6 @@ nssToken_TraverseCertificates (
CK_ATTRIBUTE cert_template[2]; CK_ATTRIBUTE cert_template[2];
CK_ULONG ctsize; CK_ULONG ctsize;
NSSArena *arena; NSSArena *arena;
PRStatus status;
PRUint32 arraySize, numHandles; PRUint32 arraySize, numHandles;
nssCryptokiObject **objects; nssCryptokiObject **objects;
void *epv = nssToken_GetCryptokiEPV(token); void *epv = nssToken_GetCryptokiEPV(token);
@ -1544,7 +1543,7 @@ nssToken_TraverseCertificates (
if (objects) { if (objects) {
nssCryptokiObject **op; nssCryptokiObject **op;
for (op = objects; *op; op++) { for (op = objects; *op; op++) {
status = (*callback)(*op, arg); (void)(*callback)(*op, arg);
} }
nss_ZFreeIf(objects); nss_ZFreeIf(objects);
} }
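Review bot: The `(void)` cast on `(*callback)(*op, arg)` makes it explicit that the callback's status is dropped, but nothing records why, and a failing callback neither stops the loop nor reaches the caller. If that is intended, a comment on the call such as `/* best effort: a failing callback does not abort the traversal */` would document it; if it is not, the loop should stop and propagate the failure. The function's return path is outside the hunk, so how the overall result is reported cannot be checked from here.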


@ -185,7 +185,7 @@ CTS_DecryptUpdate(CTSContext *cts, unsigned char *outbuf,
unsigned char lastBlock[MAX_BLOCK_SIZE]; unsigned char lastBlock[MAX_BLOCK_SIZE];
const unsigned char *tmp; const unsigned char *tmp;
unsigned int tmpLen; unsigned int tmpLen;
int fullblocks, pad; unsigned int fullblocks, pad;
unsigned int i; unsigned int i;
SECStatus rv; SECStatus rv;


@ -205,7 +205,7 @@ DH_Derive(SECItem *publicValue,
{ {
mp_int p, Xa, Yb, ZZ, psub1; mp_int p, Xa, Yb, ZZ, psub1;
mp_err err = MP_OKAY; mp_err err = MP_OKAY;
int len = 0; unsigned int len = 0;
unsigned int nb; unsigned int nb;
unsigned char *secret = NULL; unsigned char *secret = NULL;
if (!publicValue || !prime || !privateValue || !derivedSecret) { if (!publicValue || !prime || !privateValue || !derivedSecret) {
@ -252,6 +252,24 @@ DH_Derive(SECItem *publicValue,
err = MP_BADARG; err = MP_BADARG;
goto cleanup; goto cleanup;
} }
/*
* We check to make sure that ZZ is not equal to 1 or -1 mod p.
* This helps guard against small subgroup attacks, since an attacker
* using a subgroup of size N will produce 1 or -1 with probability 1/N.
* When the protocol is executed within a properly large subgroup, the
* probability of this result will be negligibly small. For example,
* with a strong prime of the form 2p+1, the probability will be 1/p.
*
* We return MP_BADARG because this is probably the result of a bad
* public value or a bad prime having been provided.
*/
if (mp_cmp_d(&ZZ, 1) == 0 ||
mp_cmp(&ZZ, &psub1) == 0) {
err = MP_BADARG;
goto cleanup;
}
/* allocate a buffer which can hold the entire derived secret. */ /* allocate a buffer which can hold the entire derived secret. */
secret = PORT_Alloc(len); secret = PORT_Alloc(len);
/* grab the derived secret */ /* grab the derived secret */
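Review bot: The added rejection of ZZ == 1 and ZZ == p-1 relies on `psub1` already holding p-1, and that assignment is outside this hunk, so it is worth confirming it is made on every path that reaches the comparison. The comment would also benefit from saying what the check does not cover: it catches only the two trivial outcomes, and other small-order public values go undetected unless the peer value is validated against the subgroup order elsewhere. A closing line in the comment such as `* This is not a substitute for validating the peer's public value.` would keep callers from reading it as full key validation.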


@ -247,26 +247,32 @@ prng_reseed_test(RNGContext *rng, const PRUint8 *entropy,
/* /*
* build some fast inline functions for adding. * build some fast inline functions for adding.
*/ */
#define PRNG_ADD_CARRY_ONLY(dest, start, cy) \ #define PRNG_ADD_CARRY_ONLY(dest, start, carry) \
carry = cy; \ { \
int k1; \
for (k1 = start; carry && k1 >= 0; k1--) { \ for (k1 = start; carry && k1 >= 0; k1--) { \
carry = !(++dest[k1]); \ carry = !(++dest[k1]); \
} \
} }
/* /*
* NOTE: dest must be an array for the following to work. * NOTE: dest must be an array for the following to work.
*/ */
#define PRNG_ADD_BITS(dest, dest_len, add, len) \ #define PRNG_ADD_BITS(dest, dest_len, add, len, carry) \
carry = 0; \ carry = 0; \
PORT_Assert((dest_len) >= (len)); \
{ \
int k1, k2; \
for (k1 = dest_len - 1, k2 = len - 1; k2 >= 0; --k1, --k2) { \ for (k1 = dest_len - 1, k2 = len - 1; k2 >= 0; --k1, --k2) { \
carry += dest[k1] + add[k2]; \ carry += dest[k1] + add[k2]; \
dest[k1] = (PRUint8) carry; \ dest[k1] = (PRUint8) carry; \
carry >>= 8; \ carry >>= 8; \
} \
} }
#define PRNG_ADD_BITS_AND_CARRY(dest, dest_len, add, len) \ #define PRNG_ADD_BITS_AND_CARRY(dest, dest_len, add, len, carry) \
PRNG_ADD_BITS(dest, dest_len, add, len) \ PRNG_ADD_BITS(dest, dest_len, add, len, carry) \
PRNG_ADD_CARRY_ONLY(dest, k1, carry) PRNG_ADD_CARRY_ONLY(dest, dest_len - len, carry)
/* /*
* This function expands the internal state of the prng to fulfill any number * This function expands the internal state of the prng to fulfill any number
@ -286,7 +292,6 @@ prng_Hashgen(RNGContext *rng, PRUint8 *returned_bytes,
SHA256Context ctx; SHA256Context ctx;
unsigned int len; unsigned int len;
unsigned int carry; unsigned int carry;
int k1;
SHA256_Begin(&ctx); SHA256_Begin(&ctx);
SHA256_Update(&ctx, data, sizeof data); SHA256_Update(&ctx, data, sizeof data);
@ -295,7 +300,8 @@ prng_Hashgen(RNGContext *rng, PRUint8 *returned_bytes,
no_of_returned_bytes -= len; no_of_returned_bytes -= len;
/* The carry parameter is a bool (increment or not). /* The carry parameter is a bool (increment or not).
* This increments data if no_of_returned_bytes is not zero */ * This increments data if no_of_returned_bytes is not zero */
PRNG_ADD_CARRY_ONLY(data, (sizeof data)- 1, no_of_returned_bytes); carry = no_of_returned_bytes;
PRNG_ADD_CARRY_ONLY(data, (sizeof data)- 1, carry);
} }
PORT_Memset(data, 0, sizeof data); PORT_Memset(data, 0, sizeof data);
} }
@ -315,7 +321,6 @@ prng_generateNewBytes(RNGContext *rng,
PRUint8 H[SHA256_LENGTH]; /* both H and w since they PRUint8 H[SHA256_LENGTH]; /* both H and w since they
* aren't used concurrently */ * aren't used concurrently */
unsigned int carry; unsigned int carry;
int k1, k2;
if (!rng->isValid) { if (!rng->isValid) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
@ -336,7 +341,7 @@ prng_generateNewBytes(RNGContext *rng,
SHA256_Update(&ctx, rng->V_Data, sizeof rng->V_Data); SHA256_Update(&ctx, rng->V_Data, sizeof rng->V_Data);
SHA256_Update(&ctx, additional_input, additional_input_len); SHA256_Update(&ctx, additional_input, additional_input_len);
SHA256_End(&ctx, w, NULL, sizeof w); SHA256_End(&ctx, w, NULL, sizeof w);
PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), w, sizeof w) PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), w, sizeof w, carry)
PORT_Memset(w, 0, sizeof w); PORT_Memset(w, 0, sizeof w);
#undef w #undef w
} }
@ -350,11 +355,12 @@ prng_generateNewBytes(RNGContext *rng,
/* advance our internal state... */ /* advance our internal state... */
rng->V_type = prngGenerateByteType; rng->V_type = prngGenerateByteType;
SHA256_HashBuf(H, rng->V_Data, sizeof rng->V_Data); SHA256_HashBuf(H, rng->V_Data, sizeof rng->V_Data);
PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), H, sizeof H) PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), H, sizeof H, carry)
PRNG_ADD_BITS(V(rng), VSize(rng), rng->C, sizeof rng->C); PRNG_ADD_BITS(V(rng), VSize(rng), rng->C, sizeof rng->C, carry);
PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), rng->reseed_counter, PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), rng->reseed_counter,
sizeof rng->reseed_counter) sizeof rng->reseed_counter, carry)
PRNG_ADD_CARRY_ONLY(rng->reseed_counter,(sizeof rng->reseed_counter)-1, 1); carry = 1;
PRNG_ADD_CARRY_ONLY(rng->reseed_counter,(sizeof rng->reseed_counter)-1, carry);
/* continuous rng check */ /* continuous rng check */
if (memcmp(V(rng), rng->oldV, sizeof rng->oldV) == 0) { if (memcmp(V(rng), rng->oldV, sizeof rng->oldV) == 0) {
@ -510,7 +516,7 @@ RNG_RandomUpdate(const void *data, size_t bytes)
PR_STATIC_ASSERT(sizeof(size_t) > 4); PR_STATIC_ASSERT(sizeof(size_t) > 4);
if (bytes > PRNG_MAX_ADDITIONAL_BYTES) { if (bytes > (size_t)PRNG_MAX_ADDITIONAL_BYTES) {
bytes = PRNG_MAX_ADDITIONAL_BYTES; bytes = PRNG_MAX_ADDITIONAL_BYTES;
} }
#else #else
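Review bot: `PRNG_ADD_BITS_AND_CARRY` now starts carry propagation at the wrong byte: it passes `dest_len - len` to `PRNG_ADD_CARRY_ONLY`, whereas the old macro passed `k1` as left by the `PRNG_ADD_BITS` loop, which is `dest_len - len - 1`. With the new start index a carry out of the addition is added into the most significant byte of the region that was just summed instead of the byte above it, so V is updated incorrectly in `prng_generateNewBytes` whenever the add carries. The line should read `PRNG_ADD_CARRY_ONLY(dest, dest_len - len - 1, carry)`. Because `len` is a `sizeof` expression at the visible call sites, writing the index as `(int)(dest_len) - (int)(len) - 1` also keeps the equal-length case at -1 without relying on unsigned wrap-around.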


@ -502,7 +502,7 @@ DSA_VerifyDigest(DSAPublicKey *key, const SECItem *signature,
mp_int u1, u2, v, w; /* intermediate values used in verification */ mp_int u1, u2, v, w; /* intermediate values used in verification */
mp_int y; /* public key */ mp_int y; /* public key */
mp_err err; mp_err err;
int dsa_subprime_len, dsa_signature_len, offset; unsigned int dsa_subprime_len, dsa_signature_len, offset;
SECItem localDigest; SECItem localDigest;
unsigned char localDigestData[DSA_MAX_SUBPRIME_LEN]; unsigned char localDigestData[DSA_MAX_SUBPRIME_LEN];
SECStatus verified = SECFailure; SECStatus verified = SECFailure;


@ -543,6 +543,15 @@ ECDH_Derive(SECItem *publicValue,
return SECFailure; return SECFailure;
} }
/*
* We fail if the public value is the point at infinity, since
* this produces predictable results.
*/
if (ec_point_at_infinity(publicValue)) {
PORT_SetError(SEC_ERROR_BAD_KEY);
return SECFailure;
}
MP_DIGITS(&k) = 0; MP_DIGITS(&k) = 0;
memset(derivedSecret, 0, sizeof *derivedSecret); memset(derivedSecret, 0, sizeof *derivedSecret);
len = (ecParams->fieldID.size + 7) >> 3; len = (ecParams->fieldID.size + 7) >> 3;
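Review bot: The new `ec_point_at_infinity(publicValue)` test rejects one degenerate input, but nothing visible in this hunk checks that `publicValue` is a well-formed point on the curve described by `ecParams` before it is used; that validation may happen in the caller or further down, outside the hunk. The helper is also defined elsewhere, so how it treats an empty or short `publicValue` cannot be judged from here. If the contract is that callers validate the key first, a line in the comment such as `* Callers are expected to have validated the public key; only the point at infinity is rejected here.` would make that explicit.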


@ -29,40 +29,39 @@
((i) >= mpl_significant_bits((a))) ? 0 : mpl_get_bit((a), (i)) ((i) >= mpl_significant_bits((a))) ? 0 : mpl_get_bit((a), (i))
#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD) #if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
#define MP_ADD_CARRY(a1, a2, s, cin, cout) \ #define MP_ADD_CARRY(a1, a2, s, carry) \
{ mp_word w; \ { mp_word w; \
w = ((mp_word)(cin)) + (a1) + (a2); \ w = ((mp_word)carry) + (a1) + (a2); \
s = ACCUM(w); \ s = ACCUM(w); \
cout = CARRYOUT(w); } carry = CARRYOUT(w); }
#define MP_SUB_BORROW(a1, a2, s, bin, bout) \ #define MP_SUB_BORROW(a1, a2, s, borrow) \
{ mp_word w; \ { mp_word w; \
w = ((mp_word)(a1)) - (a2) - (bin); \ w = ((mp_word)(a1)) - (a2) - borrow; \
s = ACCUM(w); \ s = ACCUM(w); \
bout = (w >> MP_DIGIT_BIT) & 1; } borrow = (w >> MP_DIGIT_BIT) & 1; }
#else #else
/* NOTE, /* NOTE,
* cin and cout could be the same variable. * carry and borrow are both read and written.
* bin and bout could be the same variable.
* a1 or a2 and s could be the same variable. * a1 or a2 and s could be the same variable.
* don't trash those outputs until their respective inputs have * don't trash those outputs until their respective inputs have
* been read. */ * been read. */
#define MP_ADD_CARRY(a1, a2, s, cin, cout) \ #define MP_ADD_CARRY(a1, a2, s, carry) \
{ mp_digit tmp,sum; \ { mp_digit tmp,sum; \
tmp = (a1); \ tmp = (a1); \
sum = tmp + (a2); \ sum = tmp + (a2); \
tmp = (sum < tmp); /* detect overflow */ \ tmp = (sum < tmp); /* detect overflow */ \
s = sum += (cin); \ s = sum += carry; \
cout = tmp + (sum < (cin)); } carry = tmp + (sum < carry); }
#define MP_SUB_BORROW(a1, a2, s, bin, bout) \ #define MP_SUB_BORROW(a1, a2, s, borrow) \
{ mp_digit tmp; \ { mp_digit tmp; \
tmp = (a1); \ tmp = (a1); \
s = tmp - (a2); \ s = tmp - (a2); \
tmp = (s > tmp); /* detect borrow */ \ tmp = (s > tmp); /* detect borrow */ \
if ((bin) && !s--) tmp++; \ if (borrow && !s--) tmp++; \
bout = tmp; } borrow = tmp; }
#endif #endif
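Review bot: The merged `carry`/`borrow` parameter is expanded without parentheses (`((mp_word)carry)`, `- borrow`, `sum += carry`, `sum < carry`), whereas the old `cin`/`bin` uses were parenthesised, so any argument other than a plain variable would now bind differently. Parenthesising each use, e.g. `w = ((mp_word)(carry)) + (a1) + (a2);` and `w = ((mp_word)(a1)) - (a2) - (borrow);`, keeps the macros hygienic. The NOTE comment should also say that the argument must be a modifiable variable set to the carry-in (normally 0) before the first call of a chain, since there is no longer a separate carry-in parameter.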


@ -242,9 +242,10 @@ ec_GFp_add_3(const mp_int *a, const mp_int *b, mp_int *r,
} }
#ifndef MPI_AMD64_ADD #ifndef MPI_AMD64_ADD
MP_ADD_CARRY(a0, r0, r0, 0, carry); carry = 0;
MP_ADD_CARRY(a1, r1, r1, carry, carry); MP_ADD_CARRY(a0, r0, r0, carry);
MP_ADD_CARRY(a2, r2, r2, carry, carry); MP_ADD_CARRY(a1, r1, r1, carry);
MP_ADD_CARRY(a2, r2, r2, carry);
#else #else
__asm__ ( __asm__ (
"xorq %3,%3 \n\t" "xorq %3,%3 \n\t"
@ -273,9 +274,10 @@ ec_GFp_add_3(const mp_int *a, const mp_int *b, mp_int *r,
a1 = MP_DIGIT(&meth->irr,1); a1 = MP_DIGIT(&meth->irr,1);
a0 = MP_DIGIT(&meth->irr,0); a0 = MP_DIGIT(&meth->irr,0);
#ifndef MPI_AMD64_ADD #ifndef MPI_AMD64_ADD
MP_SUB_BORROW(r0, a0, r0, 0, carry); carry = 0;
MP_SUB_BORROW(r1, a1, r1, carry, carry); MP_SUB_BORROW(r0, a0, r0, carry);
MP_SUB_BORROW(r2, a2, r2, carry, carry); MP_SUB_BORROW(r1, a1, r1, carry);
MP_SUB_BORROW(r2, a2, r2, carry);
#else #else
__asm__ ( __asm__ (
"subq %3,%0 \n\t" "subq %3,%0 \n\t"
@ -329,10 +331,11 @@ ec_GFp_add_4(const mp_int *a, const mp_int *b, mp_int *r,
} }
#ifndef MPI_AMD64_ADD #ifndef MPI_AMD64_ADD
MP_ADD_CARRY(a0, r0, r0, 0, carry); carry = 0;
MP_ADD_CARRY(a1, r1, r1, carry, carry); MP_ADD_CARRY(a0, r0, r0, carry);
MP_ADD_CARRY(a2, r2, r2, carry, carry); MP_ADD_CARRY(a1, r1, r1, carry);
MP_ADD_CARRY(a3, r3, r3, carry, carry); MP_ADD_CARRY(a2, r2, r2, carry);
MP_ADD_CARRY(a3, r3, r3, carry);
#else #else
__asm__ ( __asm__ (
"xorq %4,%4 \n\t" "xorq %4,%4 \n\t"
@ -364,10 +367,11 @@ ec_GFp_add_4(const mp_int *a, const mp_int *b, mp_int *r,
a1 = MP_DIGIT(&meth->irr,1); a1 = MP_DIGIT(&meth->irr,1);
a0 = MP_DIGIT(&meth->irr,0); a0 = MP_DIGIT(&meth->irr,0);
#ifndef MPI_AMD64_ADD #ifndef MPI_AMD64_ADD
MP_SUB_BORROW(r0, a0, r0, 0, carry); carry = 0;
MP_SUB_BORROW(r1, a1, r1, carry, carry); MP_SUB_BORROW(r0, a0, r0, carry);
MP_SUB_BORROW(r2, a2, r2, carry, carry); MP_SUB_BORROW(r1, a1, r1, carry);
MP_SUB_BORROW(r3, a3, r3, carry, carry); MP_SUB_BORROW(r2, a2, r2, carry);
MP_SUB_BORROW(r3, a3, r3, carry);
#else #else
__asm__ ( __asm__ (
"subq %4,%0 \n\t" "subq %4,%0 \n\t"
@ -426,11 +430,12 @@ ec_GFp_add_5(const mp_int *a, const mp_int *b, mp_int *r,
r0 = MP_DIGIT(b,0); r0 = MP_DIGIT(b,0);
} }
MP_ADD_CARRY(a0, r0, r0, 0, carry); carry = 0;
MP_ADD_CARRY(a1, r1, r1, carry, carry); MP_ADD_CARRY(a0, r0, r0, carry);
MP_ADD_CARRY(a2, r2, r2, carry, carry); MP_ADD_CARRY(a1, r1, r1, carry);
MP_ADD_CARRY(a3, r3, r3, carry, carry); MP_ADD_CARRY(a2, r2, r2, carry);
MP_ADD_CARRY(a4, r4, r4, carry, carry); MP_ADD_CARRY(a3, r3, r3, carry);
MP_ADD_CARRY(a4, r4, r4, carry);
MP_CHECKOK(s_mp_pad(r, 5)); MP_CHECKOK(s_mp_pad(r, 5));
MP_DIGIT(r, 4) = r4; MP_DIGIT(r, 4) = r4;
@ -450,11 +455,12 @@ ec_GFp_add_5(const mp_int *a, const mp_int *b, mp_int *r,
a2 = MP_DIGIT(&meth->irr,2); a2 = MP_DIGIT(&meth->irr,2);
a1 = MP_DIGIT(&meth->irr,1); a1 = MP_DIGIT(&meth->irr,1);
a0 = MP_DIGIT(&meth->irr,0); a0 = MP_DIGIT(&meth->irr,0);
MP_SUB_BORROW(r0, a0, r0, 0, carry); carry = 0;
MP_SUB_BORROW(r1, a1, r1, carry, carry); MP_SUB_BORROW(r0, a0, r0, carry);
MP_SUB_BORROW(r2, a2, r2, carry, carry); MP_SUB_BORROW(r1, a1, r1, carry);
MP_SUB_BORROW(r3, a3, r3, carry, carry); MP_SUB_BORROW(r2, a2, r2, carry);
MP_SUB_BORROW(r4, a4, r4, carry, carry); MP_SUB_BORROW(r3, a3, r3, carry);
MP_SUB_BORROW(r4, a4, r4, carry);
MP_DIGIT(r, 4) = r4; MP_DIGIT(r, 4) = r4;
MP_DIGIT(r, 3) = r3; MP_DIGIT(r, 3) = r3;
MP_DIGIT(r, 2) = r2; MP_DIGIT(r, 2) = r2;
@ -507,12 +513,13 @@ ec_GFp_add_6(const mp_int *a, const mp_int *b, mp_int *r,
r0 = MP_DIGIT(b,0); r0 = MP_DIGIT(b,0);
} }
MP_ADD_CARRY(a0, r0, r0, 0, carry); carry = 0;
MP_ADD_CARRY(a1, r1, r1, carry, carry); MP_ADD_CARRY(a0, r0, r0, carry);
MP_ADD_CARRY(a2, r2, r2, carry, carry); MP_ADD_CARRY(a1, r1, r1, carry);
MP_ADD_CARRY(a3, r3, r3, carry, carry); MP_ADD_CARRY(a2, r2, r2, carry);
MP_ADD_CARRY(a4, r4, r4, carry, carry); MP_ADD_CARRY(a3, r3, r3, carry);
MP_ADD_CARRY(a5, r5, r5, carry, carry); MP_ADD_CARRY(a4, r4, r4, carry);
MP_ADD_CARRY(a5, r5, r5, carry);
MP_CHECKOK(s_mp_pad(r, 6)); MP_CHECKOK(s_mp_pad(r, 6));
MP_DIGIT(r, 5) = r5; MP_DIGIT(r, 5) = r5;
@ -534,12 +541,13 @@ ec_GFp_add_6(const mp_int *a, const mp_int *b, mp_int *r,
a2 = MP_DIGIT(&meth->irr,2); a2 = MP_DIGIT(&meth->irr,2);
a1 = MP_DIGIT(&meth->irr,1); a1 = MP_DIGIT(&meth->irr,1);
a0 = MP_DIGIT(&meth->irr,0); a0 = MP_DIGIT(&meth->irr,0);
MP_SUB_BORROW(r0, a0, r0, 0, carry); carry = 0;
MP_SUB_BORROW(r1, a1, r1, carry, carry); MP_SUB_BORROW(r0, a0, r0, carry);
MP_SUB_BORROW(r2, a2, r2, carry, carry); MP_SUB_BORROW(r1, a1, r1, carry);
MP_SUB_BORROW(r3, a3, r3, carry, carry); MP_SUB_BORROW(r2, a2, r2, carry);
MP_SUB_BORROW(r4, a4, r4, carry, carry); MP_SUB_BORROW(r3, a3, r3, carry);
MP_SUB_BORROW(r5, a5, r5, carry, carry); MP_SUB_BORROW(r4, a4, r4, carry);
MP_SUB_BORROW(r5, a5, r5, carry);
MP_DIGIT(r, 5) = r5; MP_DIGIT(r, 5) = r5;
MP_DIGIT(r, 4) = r4; MP_DIGIT(r, 4) = r4;
MP_DIGIT(r, 3) = r3; MP_DIGIT(r, 3) = r3;
@ -587,9 +595,10 @@ ec_GFp_sub_3(const mp_int *a, const mp_int *b, mp_int *r,
} }
#ifndef MPI_AMD64_ADD #ifndef MPI_AMD64_ADD
MP_SUB_BORROW(r0, b0, r0, 0, borrow); borrow = 0;
MP_SUB_BORROW(r1, b1, r1, borrow, borrow); MP_SUB_BORROW(r0, b0, r0, borrow);
MP_SUB_BORROW(r2, b2, r2, borrow, borrow); MP_SUB_BORROW(r1, b1, r1, borrow);
MP_SUB_BORROW(r2, b2, r2, borrow);
#else #else
__asm__ ( __asm__ (
"xorq %3,%3 \n\t" "xorq %3,%3 \n\t"
@ -610,9 +619,10 @@ ec_GFp_sub_3(const mp_int *a, const mp_int *b, mp_int *r,
b1 = MP_DIGIT(&meth->irr,1); b1 = MP_DIGIT(&meth->irr,1);
b0 = MP_DIGIT(&meth->irr,0); b0 = MP_DIGIT(&meth->irr,0);
#ifndef MPI_AMD64_ADD #ifndef MPI_AMD64_ADD
MP_ADD_CARRY(b0, r0, r0, 0, borrow); borrow = 0;
MP_ADD_CARRY(b1, r1, r1, borrow, borrow); MP_ADD_CARRY(b0, r0, r0, borrow);
MP_ADD_CARRY(b2, r2, r2, borrow, borrow); MP_ADD_CARRY(b1, r1, r1, borrow);
MP_ADD_CARRY(b2, r2, r2, borrow);
#else #else
__asm__ ( __asm__ (
"addq %3,%0 \n\t" "addq %3,%0 \n\t"
@ -675,10 +685,11 @@ ec_GFp_sub_4(const mp_int *a, const mp_int *b, mp_int *r,
} }
#ifndef MPI_AMD64_ADD #ifndef MPI_AMD64_ADD
MP_SUB_BORROW(r0, b0, r0, 0, borrow); borrow = 0;
MP_SUB_BORROW(r1, b1, r1, borrow, borrow); MP_SUB_BORROW(r0, b0, r0, borrow);
MP_SUB_BORROW(r2, b2, r2, borrow, borrow); MP_SUB_BORROW(r1, b1, r1, borrow);
MP_SUB_BORROW(r3, b3, r3, borrow, borrow); MP_SUB_BORROW(r2, b2, r2, borrow);
MP_SUB_BORROW(r3, b3, r3, borrow);
#else #else
__asm__ ( __asm__ (
"xorq %4,%4 \n\t" "xorq %4,%4 \n\t"
@ -701,10 +712,11 @@ ec_GFp_sub_4(const mp_int *a, const mp_int *b, mp_int *r,
b1 = MP_DIGIT(&meth->irr,1); b1 = MP_DIGIT(&meth->irr,1);
b0 = MP_DIGIT(&meth->irr,0); b0 = MP_DIGIT(&meth->irr,0);
#ifndef MPI_AMD64_ADD #ifndef MPI_AMD64_ADD
MP_ADD_CARRY(b0, r0, r0, 0, borrow); borrow = 0;
MP_ADD_CARRY(b1, r1, r1, borrow, borrow); MP_ADD_CARRY(b0, r0, r0, borrow);
MP_ADD_CARRY(b2, r2, r2, borrow, borrow); MP_ADD_CARRY(b1, r1, r1, borrow);
MP_ADD_CARRY(b3, r3, r3, borrow, borrow); MP_ADD_CARRY(b2, r2, r2, borrow);
MP_ADD_CARRY(b3, r3, r3, borrow);
#else #else
__asm__ ( __asm__ (
"addq %4,%0 \n\t" "addq %4,%0 \n\t"
@ -771,11 +783,12 @@ ec_GFp_sub_5(const mp_int *a, const mp_int *b, mp_int *r,
b0 = MP_DIGIT(b,0); b0 = MP_DIGIT(b,0);
} }
MP_SUB_BORROW(r0, b0, r0, 0, borrow); borrow = 0;
MP_SUB_BORROW(r1, b1, r1, borrow, borrow); MP_SUB_BORROW(r0, b0, r0, borrow);
MP_SUB_BORROW(r2, b2, r2, borrow, borrow); MP_SUB_BORROW(r1, b1, r1, borrow);
MP_SUB_BORROW(r3, b3, r3, borrow, borrow); MP_SUB_BORROW(r2, b2, r2, borrow);
MP_SUB_BORROW(r4, b4, r4, borrow, borrow); MP_SUB_BORROW(r3, b3, r3, borrow);
MP_SUB_BORROW(r4, b4, r4, borrow);
/* Do quick 'add' if we've gone under 0 /* Do quick 'add' if we've gone under 0
* (subtract the 2's complement of the curve field) */ * (subtract the 2's complement of the curve field) */
@ -785,10 +798,11 @@ ec_GFp_sub_5(const mp_int *a, const mp_int *b, mp_int *r,
b2 = MP_DIGIT(&meth->irr,2); b2 = MP_DIGIT(&meth->irr,2);
b1 = MP_DIGIT(&meth->irr,1); b1 = MP_DIGIT(&meth->irr,1);
b0 = MP_DIGIT(&meth->irr,0); b0 = MP_DIGIT(&meth->irr,0);
MP_ADD_CARRY(b0, r0, r0, 0, borrow); borrow = 0;
MP_ADD_CARRY(b1, r1, r1, borrow, borrow); MP_ADD_CARRY(b0, r0, r0, borrow);
MP_ADD_CARRY(b2, r2, r2, borrow, borrow); MP_ADD_CARRY(b1, r1, r1, borrow);
MP_ADD_CARRY(b3, r3, r3, borrow, borrow); MP_ADD_CARRY(b2, r2, r2, borrow);
MP_ADD_CARRY(b3, r3, r3, borrow);
} }
MP_CHECKOK(s_mp_pad(r, 5)); MP_CHECKOK(s_mp_pad(r, 5));
MP_DIGIT(r, 4) = r4; MP_DIGIT(r, 4) = r4;
@ -843,12 +857,13 @@ ec_GFp_sub_6(const mp_int *a, const mp_int *b, mp_int *r,
b0 = MP_DIGIT(b,0); b0 = MP_DIGIT(b,0);
} }
MP_SUB_BORROW(r0, b0, r0, 0, borrow); borrow = 0;
MP_SUB_BORROW(r1, b1, r1, borrow, borrow); MP_SUB_BORROW(r0, b0, r0, borrow);
MP_SUB_BORROW(r2, b2, r2, borrow, borrow); MP_SUB_BORROW(r1, b1, r1, borrow);
MP_SUB_BORROW(r3, b3, r3, borrow, borrow); MP_SUB_BORROW(r2, b2, r2, borrow);
MP_SUB_BORROW(r4, b4, r4, borrow, borrow); MP_SUB_BORROW(r3, b3, r3, borrow);
MP_SUB_BORROW(r5, b5, r5, borrow, borrow); MP_SUB_BORROW(r4, b4, r4, borrow);
MP_SUB_BORROW(r5, b5, r5, borrow);
/* Do quick 'add' if we've gone under 0 /* Do quick 'add' if we've gone under 0
* (subtract the 2's complement of the curve field) */ * (subtract the 2's complement of the curve field) */
@ -859,11 +874,12 @@ ec_GFp_sub_6(const mp_int *a, const mp_int *b, mp_int *r,
b2 = MP_DIGIT(&meth->irr,2); b2 = MP_DIGIT(&meth->irr,2);
b1 = MP_DIGIT(&meth->irr,1); b1 = MP_DIGIT(&meth->irr,1);
b0 = MP_DIGIT(&meth->irr,0); b0 = MP_DIGIT(&meth->irr,0);
MP_ADD_CARRY(b0, r0, r0, 0, borrow); borrow = 0;
MP_ADD_CARRY(b1, r1, r1, borrow, borrow); MP_ADD_CARRY(b0, r0, r0, borrow);
MP_ADD_CARRY(b2, r2, r2, borrow, borrow); MP_ADD_CARRY(b1, r1, r1, borrow);
MP_ADD_CARRY(b3, r3, r3, borrow, borrow); MP_ADD_CARRY(b2, r2, r2, borrow);
MP_ADD_CARRY(b4, r4, r4, borrow, borrow); MP_ADD_CARRY(b3, r3, r3, borrow);
MP_ADD_CARRY(b4, r4, r4, borrow);
} }
MP_CHECKOK(s_mp_pad(r, 6)); MP_CHECKOK(s_mp_pad(r, 6));
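Review bot: The add-back branches of `ec_GFp_sub_5` and `ec_GFp_sub_6` appear to stop one digit short: after a borrow, `ec_GFp_sub_5` adds `b0`..`b3` but never `b4` into `r4`, and `ec_GFp_sub_6` adds `b0`..`b4` but never `b5` into `r5`, while the matching reductions in `ec_GFp_add_5` and `ec_GFp_add_6` cover every digit. The old side has the same lines, so the macro conversion did not introduce this, but it looks like a missing `MP_ADD_CARRY(b4, r4, r4, borrow);` and `MP_ADD_CARRY(b5, r5, r5, borrow);` respectively. Both functions start and end outside these hunks, so confirm against the full bodies that the top digit is not handled elsewhere before changing it.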


@ -129,7 +129,7 @@ ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2, const mp_int *px,
mp_err res = MP_OKAY; mp_err res = MP_OKAY;
mp_int precomp[4][4][2]; mp_int precomp[4][4][2];
const mp_int *a, *b; const mp_int *a, *b;
int i, j; unsigned int i, j;
int ai, bi, d; int ai, bi, d;
ARGCHK(group != NULL, MP_BADARG); ARGCHK(group != NULL, MP_BADARG);
@ -236,7 +236,7 @@ ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2, const mp_int *px,
mp_zero(rx); mp_zero(rx);
mp_zero(ry); mp_zero(ry);
for (i = d - 1; i >= 0; i--) { for (i = d; i-- > 0;) {
ai = MP_GET_BIT(a, 2 * i + 1); ai = MP_GET_BIT(a, 2 * i + 1);
ai <<= 1; ai <<= 1;
ai |= MP_GET_BIT(a, 2 * i); ai |= MP_GET_BIT(a, 2 * i);
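Review bot: `i` is now unsigned but its bound `d` is still declared `int`, so `for (i = d; i-- > 0;)` converts `d` implicitly, and a negative `d` would become a very large iteration count where the old `i >= 0` loop simply did not run. The assignment to `d` is outside the hunk, so whether it can be negative cannot be seen here. Declaring `d` as `unsigned int` alongside `i` and `j`, or checking it before the loop, would make the assumption explicit.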


@ -72,34 +72,36 @@ ec_GFp_nistp192_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
r0a = MP_DIGIT(a, 0); r0a = MP_DIGIT(a, 0);
/* implement r = (a2,a1,a0)+(a5,a5,a5)+(a4,a4,0)+(0,a3,a3) */ /* implement r = (a2,a1,a0)+(a5,a5,a5)+(a4,a4,0)+(0,a3,a3) */
MP_ADD_CARRY(r0a, a3a, r0a, 0, carry); carry = 0;
MP_ADD_CARRY(r0b, a3b, r0b, carry, carry); MP_ADD_CARRY(r0a, a3a, r0a, carry);
MP_ADD_CARRY(r1a, a3a, r1a, carry, carry); MP_ADD_CARRY(r0b, a3b, r0b, carry);
MP_ADD_CARRY(r1b, a3b, r1b, carry, carry); MP_ADD_CARRY(r1a, a3a, r1a, carry);
MP_ADD_CARRY(r2a, a4a, r2a, carry, carry); MP_ADD_CARRY(r1b, a3b, r1b, carry);
MP_ADD_CARRY(r2b, a4b, r2b, carry, carry); MP_ADD_CARRY(r2a, a4a, r2a, carry);
MP_ADD_CARRY(r2b, a4b, r2b, carry);
r3 = carry; carry = 0; r3 = carry; carry = 0;
MP_ADD_CARRY(r0a, a5a, r0a, 0, carry); MP_ADD_CARRY(r0a, a5a, r0a, carry);
MP_ADD_CARRY(r0b, a5b, r0b, carry, carry); MP_ADD_CARRY(r0b, a5b, r0b, carry);
MP_ADD_CARRY(r1a, a5a, r1a, carry, carry); MP_ADD_CARRY(r1a, a5a, r1a, carry);
MP_ADD_CARRY(r1b, a5b, r1b, carry, carry); MP_ADD_CARRY(r1b, a5b, r1b, carry);
MP_ADD_CARRY(r2a, a5a, r2a, carry, carry); MP_ADD_CARRY(r2a, a5a, r2a, carry);
MP_ADD_CARRY(r2b, a5b, r2b, carry, carry); MP_ADD_CARRY(r2b, a5b, r2b, carry);
r3 += carry; r3 += carry; carry = 0;
MP_ADD_CARRY(r1a, a4a, r1a, 0, carry); MP_ADD_CARRY(r1a, a4a, r1a, carry);
MP_ADD_CARRY(r1b, a4b, r1b, carry, carry); MP_ADD_CARRY(r1b, a4b, r1b, carry);
MP_ADD_CARRY(r2a, 0, r2a, carry, carry); MP_ADD_CARRY(r2a, 0, r2a, carry);
MP_ADD_CARRY(r2b, 0, r2b, carry, carry); MP_ADD_CARRY(r2b, 0, r2b, carry);
r3 += carry; r3 += carry;
/* reduce out the carry */ /* reduce out the carry */
while (r3) { while (r3) {
MP_ADD_CARRY(r0a, r3, r0a, 0, carry); carry = 0;
MP_ADD_CARRY(r0b, 0, r0b, carry, carry); MP_ADD_CARRY(r0a, r3, r0a, carry);
MP_ADD_CARRY(r1a, r3, r1a, carry, carry); MP_ADD_CARRY(r0b, 0, r0b, carry);
MP_ADD_CARRY(r1b, 0, r1b, carry, carry); MP_ADD_CARRY(r1a, r3, r1a, carry);
MP_ADD_CARRY(r2a, 0, r2a, carry, carry); MP_ADD_CARRY(r1b, 0, r1b, carry);
MP_ADD_CARRY(r2b, 0, r2b, carry, carry); MP_ADD_CARRY(r2a, 0, r2a, carry);
MP_ADD_CARRY(r2b, 0, r2b, carry);
r3 = carry; r3 = carry;
} }
@ -121,8 +123,9 @@ ec_GFp_nistp192_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
(r1a == 0xfffffffe) && (r0a == 0xffffffff) && (r1a == 0xfffffffe) && (r0a == 0xffffffff) &&
(r0b == 0xffffffff)) ) { (r0b == 0xffffffff)) ) {
/* do a quick subtract */ /* do a quick subtract */
MP_ADD_CARRY(r0a, 1, r0a, 0, carry); carry = 0;
MP_ADD_CARRY(r0b, carry, r0a, 0, carry); MP_ADD_CARRY(r0a, 1, r0a, carry);
MP_ADD_CARRY(r0b, carry, r0a, carry);
r1a += 1+carry; r1a += 1+carry;
r1b = r2a = r2b = 0; r1b = r2a = r2b = 0;
} }
@ -154,16 +157,17 @@ ec_GFp_nistp192_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
/* implement r = (a2,a1,a0)+(a5,a5,a5)+(a4,a4,0)+(0,a3,a3) */ /* implement r = (a2,a1,a0)+(a5,a5,a5)+(a4,a4,0)+(0,a3,a3) */
#ifndef MPI_AMD64_ADD #ifndef MPI_AMD64_ADD
MP_ADD_CARRY(r0, a3, r0, 0, carry); carry = 0;
MP_ADD_CARRY(r1, a3, r1, carry, carry); MP_ADD_CARRY(r0, a3, r0, carry);
MP_ADD_CARRY(r2, a4, r2, carry, carry); MP_ADD_CARRY(r1, a3, r1, carry);
r3 = carry; MP_ADD_CARRY(r2, a4, r2, carry);
MP_ADD_CARRY(r0, a5, r0, 0, carry); r3 = carry; carry = 0;
MP_ADD_CARRY(r1, a5, r1, carry, carry); MP_ADD_CARRY(r0, a5, r0, carry);
MP_ADD_CARRY(r2, a5, r2, carry, carry); MP_ADD_CARRY(r1, a5, r1, carry);
r3 += carry; MP_ADD_CARRY(r2, a5, r2, carry);
MP_ADD_CARRY(r1, a4, r1, 0, carry); r3 += carry; carry = 0;
MP_ADD_CARRY(r2, 0, r2, carry, carry); MP_ADD_CARRY(r1, a4, r1, carry);
MP_ADD_CARRY(r2, 0, r2, carry);
r3 += carry; r3 += carry;
#else #else
@ -195,9 +199,10 @@ ec_GFp_nistp192_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
/* reduce out the carry */ /* reduce out the carry */
while (r3) { while (r3) {
#ifndef MPI_AMD64_ADD #ifndef MPI_AMD64_ADD
MP_ADD_CARRY(r0, r3, r0, 0, carry); carry = 0;
MP_ADD_CARRY(r1, r3, r1, carry, carry); MP_ADD_CARRY(r0, r3, r0, carry);
MP_ADD_CARRY(r2, 0, r2, carry, carry); MP_ADD_CARRY(r1, r3, r1, carry);
MP_ADD_CARRY(r2, 0, r2, carry);
r3 = carry; r3 = carry;
#else #else
a3=r3; a3=r3;
@ -229,7 +234,8 @@ ec_GFp_nistp192_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
((r1 == MP_DIGIT_MAX) || ((r1 == MP_DIGIT_MAX) ||
((r1 == (MP_DIGIT_MAX-1)) && (r0 == MP_DIGIT_MAX))))) { ((r1 == (MP_DIGIT_MAX-1)) && (r0 == MP_DIGIT_MAX))))) {
/* do a quick subtract */ /* do a quick subtract */
MP_ADD_CARRY(r0, 1, r0, 0, carry); carry = 0;
MP_ADD_CARRY(r0, 1, r0, carry);
r1 += 1+carry; r1 += 1+carry;
r2 = 0; r2 = 0;
} }
@ -280,9 +286,10 @@ ec_GFp_nistp192_add(const mp_int *a, const mp_int *b, mp_int *r,
} }
#ifndef MPI_AMD64_ADD #ifndef MPI_AMD64_ADD
MP_ADD_CARRY(a0, r0, r0, 0, carry); carry = 0;
MP_ADD_CARRY(a1, r1, r1, carry, carry); MP_ADD_CARRY(a0, r0, r0, carry);
MP_ADD_CARRY(a2, r2, r2, carry, carry); MP_ADD_CARRY(a1, r1, r1, carry);
MP_ADD_CARRY(a2, r2, r2, carry);
#else #else
__asm__ ( __asm__ (
"xorq %3,%3 \n\t" "xorq %3,%3 \n\t"
@ -302,9 +309,10 @@ ec_GFp_nistp192_add(const mp_int *a, const mp_int *b, mp_int *r,
((r1 == MP_DIGIT_MAX) || ((r1 == MP_DIGIT_MAX) ||
((r1 == (MP_DIGIT_MAX-1)) && (r0 == MP_DIGIT_MAX))))) { ((r1 == (MP_DIGIT_MAX-1)) && (r0 == MP_DIGIT_MAX))))) {
#ifndef MPI_AMD64_ADD #ifndef MPI_AMD64_ADD
MP_ADD_CARRY(r0, 1, r0, 0, carry); carry = 0;
MP_ADD_CARRY(r1, 1, r1, carry, carry); MP_ADD_CARRY(r0, 1, r0, carry);
MP_ADD_CARRY(r2, 0, r2, carry, carry); MP_ADD_CARRY(r1, 1, r1, carry);
MP_ADD_CARRY(r2, 0, r2, carry);
#else #else
__asm__ ( __asm__ (
"addq $1,%0 \n\t" "addq $1,%0 \n\t"
@ -362,9 +370,10 @@ ec_GFp_nistp192_sub(const mp_int *a, const mp_int *b, mp_int *r,
} }
#ifndef MPI_AMD64_ADD #ifndef MPI_AMD64_ADD
MP_SUB_BORROW(r0, b0, r0, 0, borrow); borrow = 0;
MP_SUB_BORROW(r1, b1, r1, borrow, borrow); MP_SUB_BORROW(r0, b0, r0, borrow);
MP_SUB_BORROW(r2, b2, r2, borrow, borrow); MP_SUB_BORROW(r1, b1, r1, borrow);
MP_SUB_BORROW(r2, b2, r2, borrow);
#else #else
__asm__ ( __asm__ (
"xorq %3,%3 \n\t" "xorq %3,%3 \n\t"
@ -382,9 +391,10 @@ ec_GFp_nistp192_sub(const mp_int *a, const mp_int *b, mp_int *r,
* (subtract the 2's complement of the curve field) */ * (subtract the 2's complement of the curve field) */
if (borrow) { if (borrow) {
#ifndef MPI_AMD64_ADD #ifndef MPI_AMD64_ADD
MP_SUB_BORROW(r0, 1, r0, 0, borrow); borrow = 0;
MP_SUB_BORROW(r1, 1, r1, borrow, borrow); MP_SUB_BORROW(r0, 1, r0, borrow);
MP_SUB_BORROW(r2, 0, r2, borrow, borrow); MP_SUB_BORROW(r1, 1, r1, borrow);
MP_SUB_BORROW(r2, 0, r2, borrow);
#else #else
__asm__ ( __asm__ (
"subq $1,%0 \n\t" "subq $1,%0 \n\t"
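Review bot: In the "quick subtract" of the first `ec_GFp_nistp192_mod` variant, the converted line `MP_ADD_CARRY(r0b, carry, r0a, carry);` no longer computes what the old one did: the old call had a carry-in of 0 with `carry` as the addend, while the new one uses `carry` as both addend and carry-in and so adds it twice. A faithful conversion keeps the addend at zero, `MP_ADD_CARRY(r0b, 0, r0a, carry);`. Separately, and unchanged by this commit, the result is stored in `r0a`, overwriting the digit computed on the previous line; that looks as if `r0b` was intended, but the rest of the function is outside the hunk, so confirm before changing the destination.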
