cherry-picked mozilla NSS upstream changes (to rev 50769413, which is on par with 3.21):
bug1009429, bug1216505, bug1208405, bug1216501, bug1216993, bug1216318, bug1218254, bug1219165, bug1211568, bug1220016
parent
0310c45fa3
commit
fa0b14bb0c
|
@ -503,10 +503,9 @@ prettyPrintItem(FILE *out, const unsigned char *data, const unsigned char *end,
|
|||
data += lenLen;
|
||||
|
||||
/*
|
||||
* Just quit now if slen more bytes puts us off the end,
|
||||
* or if there's no more data to process.
|
||||
* Just quit now if slen more bytes puts us off the end.
|
||||
*/
|
||||
if ((data + slen) >= end) {
|
||||
if ((data + slen) > end) {
|
||||
PORT_SetError(SEC_ERROR_BAD_DER);
|
||||
return -1;
|
||||
}
|
||||
|
|
|
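Review bot: The bounds check `if ((data + slen) > end)` still forms the pointer `data + slen` before comparing, so an oversized DER length can carry the sum past the buffer (undefined behaviour, and a possible wrap on 32-bit targets) and the test may then pass. Comparing the length with the space that remains avoids the pointer sum: `if (slen > (size_t)(end - data)) {`, with the cast adjusted to slen's real type, which is declared outside this hunk. prettyPrintItem's body starts and ends outside the hunk.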
@ -1470,7 +1470,6 @@ Pk11Install_Pair_delete(Pk11Install_Pair* _this)
|
|||
{
|
||||
PR_Free(_this->key);
|
||||
Pk11Install_ValueList_delete(_this->list);
|
||||
PR_Free(_this->list);
|
||||
}
|
||||
|
||||
/*************************************************************************/
|
||||
|
|
|
@ -712,6 +712,8 @@ ChangePW(char *tokenName, char *pwFile, char *newpwFile)
|
|||
newpw2 = SECU_GetPasswordString(NULL, "Re-enter new password: ");
|
||||
if(strcmp(newpw, newpw2)) {
|
||||
PR_fprintf(PR_STDOUT, msgStrings[PW_MATCH_MSG]);
|
||||
PORT_ZFree(newpw, strlen(newpw));
|
||||
PORT_ZFree(newpw2, strlen(newpw2));
|
||||
} else {
|
||||
matching = PR_TRUE;
|
||||
}
|
||||
|
@ -738,16 +740,13 @@ ChangePW(char *tokenName, char *pwFile, char *newpwFile)
|
|||
|
||||
loser:
|
||||
if(oldpw) {
|
||||
memset(oldpw, 0, strlen(oldpw));
|
||||
PORT_Free(oldpw);
|
||||
PORT_ZFree(oldpw, strlen(oldpw));
|
||||
}
|
||||
if(newpw) {
|
||||
memset(newpw, 0, strlen(newpw));
|
||||
PORT_Free(newpw);
|
||||
PORT_ZFree(newpw, strlen(newpw));
|
||||
}
|
||||
if(newpw2) {
|
||||
memset(newpw2, 0, strlen(newpw2));
|
||||
PORT_Free(newpw2);
|
||||
PORT_ZFree(newpw2, strlen(newpw2));
|
||||
}
|
||||
PK11_FreeSlot(slot);
|
||||
|
||||
|
|
|
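Review bot: After the mismatch branch releases `newpw` and `newpw2` with PORT_ZFree, both pointers keep their old values, and the `loser:` block in the second hunk calls `strlen()` and PORT_ZFree on every non-NULL pointer. If control can reach `loser:` before the prompts run again (the loop around these lines is outside the hunk), that is a use-after-free followed by a double free; adding `newpw = NULL;` and `newpw2 = NULL;` after the two frees removes the risk. The `strcmp(newpw, newpw2)` above them also runs without a NULL check on what SECU_GetPasswordString returned, which is worth confirming against that helper's contract.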
@ -4,6 +4,7 @@
|
|||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
include $(CORE_DEPTH)/coreconf/UNIX.mk
|
||||
include $(CORE_DEPTH)/coreconf/Werror.mk
|
||||
|
||||
DEFAULT_COMPILER = gcc
|
||||
|
||||
|
@ -81,27 +82,7 @@ endif
|
|||
# definitions so that the linker can catch multiply-defined symbols.
|
||||
# Also, common symbols are not allowed with Darwin dynamic libraries.
|
||||
|
||||
OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) -Wall -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK $(DARWIN_SDK_CFLAGS)
|
||||
|
||||
ifeq (clang,$(shell $(CC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q'))
|
||||
NSS_HAS_GCC48 = true
|
||||
endif
|
||||
ifndef NSS_HAS_GCC48
|
||||
NSS_HAS_GCC48 := $(shell \
|
||||
[ `$(CC) -dumpversion | cut -f 1 -d . -` -gt 4 -a \
|
||||
`$(CC) -dumpversion | cut -f 2 -d . -` -ge 8 -o \
|
||||
`$(CC) -dumpversion | cut -f 1 -d . -` -ge 5 ] && \
|
||||
echo true || echo false)
|
||||
export NSS_HAS_GCC48
|
||||
endif
|
||||
ifeq (true,$(NSS_HAS_GCC48))
|
||||
OS_CFLAGS += -Werror
|
||||
else
|
||||
# Old versions of gcc (< 4.8) don't support #pragma diagnostic in functions.
|
||||
# Use this to disable use of that #pragma and the warnings it suppresses.
|
||||
OS_CFLAGS += -DNSS_NO_GCC48 -Wno-unused-variable -Wno-strict-aliasing
|
||||
$(warning Unable to find gcc >= 4.8 disabling -Werror)
|
||||
endif
|
||||
OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(WARNING_CFLAGS) -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK $(DARWIN_SDK_CFLAGS)
|
||||
|
||||
ifdef BUILD_OPT
|
||||
ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
include $(CORE_DEPTH)/coreconf/UNIX.mk
|
||||
include $(CORE_DEPTH)/coreconf/Werror.mk
|
||||
|
||||
#
|
||||
# The default implementation strategy for Linux is now pthreads
|
||||
|
@ -36,9 +37,12 @@ endif
|
|||
ANDROID_TOOLCHAIN=$(ANDROID_NDK)/toolchains/$(ANDROID_TARGET)/prebuilt/linux-x86
|
||||
ANDROID_SYSROOT=$(ANDROID_NDK)/platforms/android-$(OS_TARGET_RELEASE)/arch-$(OS_TEST)
|
||||
ANDROID_CC=$(ANDROID_TOOLCHAIN)/bin/$(ANDROID_PREFIX)-gcc
|
||||
ANDROID_CCC=$(ANDROID_TOOLCHAIN)/bin/$(ANDROID_PREFIX)-g++
|
||||
NSS_DISABLE_GTESTS=1
|
||||
# internal tools need to be built with the native compiler
|
||||
ifndef INTERNAL_TOOLS
|
||||
CC = $(ANDROID_CC) --sysroot=$(ANDROID_SYSROOT)
|
||||
CCC = $(ANDROID_CCC) --sysroot=$(ANDROID_SYSROOT)
|
||||
DEFAULT_COMPILER=$(ANDROID_PREFIX)-gcc
|
||||
ARCHFLAG = --sysroot=$(ANDROID_SYSROOT)
|
||||
DEFINES += -DNO_SYSINFO -DNO_FORK_CHECK -DANDROID
|
||||
|
@ -129,49 +133,16 @@ endif
|
|||
endif
|
||||
|
||||
ifndef COMPILER_TAG
|
||||
COMPILER_TAG = _$(shell $(CC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q')
|
||||
CCC_COMPILER_TAG = _$(shell $(CCC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q')
|
||||
COMPILER_TAG := _$(CC_NAME)
|
||||
endif
|
||||
|
||||
ifeq ($(USE_PTHREADS),1)
|
||||
OS_PTHREAD = -lpthread
|
||||
endif
|
||||
|
||||
OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR
|
||||
OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) $(WARNING_CFLAGS) -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR
|
||||
OS_LIBS = $(OS_PTHREAD) -ldl -lc
|
||||
|
||||
ifeq ($(COMPILER_TAG),_clang)
|
||||
# -Qunused-arguments : clang objects to arguments that it doesn't understand
|
||||
# and fixing this would require rearchitecture
|
||||
# -Wno-parentheses-equality : because clang warns about macro expansions
|
||||
OS_CFLAGS += -Qunused-arguments -Wno-parentheses-equality
|
||||
ifdef BUILD_OPT
|
||||
# clang is unable to handle glib's expansion of strcmp and similar for optimized
|
||||
# builds, so ignore the resulting errors.
|
||||
# See https://llvm.org/bugs/show_bug.cgi?id=20144
|
||||
OS_CFLAGS += -Wno-array-bounds -Wno-unevaluated-expression
|
||||
endif
|
||||
# Clang reports its version as an older gcc, but it's OK
|
||||
NSS_HAS_GCC48 = true
|
||||
endif
|
||||
|
||||
ifndef NSS_HAS_GCC48
|
||||
NSS_HAS_GCC48 := $(shell \
|
||||
[ `$(CC) -dumpversion | cut -f 1 -d . -` -gt 4 -a \
|
||||
`$(CC) -dumpversion | cut -f 2 -d . -` -ge 8 -o \
|
||||
`$(CC) -dumpversion | cut -f 1 -d . -` -ge 5 ] && \
|
||||
echo true || echo false)
|
||||
export NSS_HAS_GCC48
|
||||
endif
|
||||
ifeq (true,$(NSS_HAS_GCC48))
|
||||
OS_CFLAGS += -Werror
|
||||
else
|
||||
# Old versions of gcc (< 4.8) don't support #pragma diagnostic in functions.
|
||||
# Use this to disable use of that #pragma and the warnings it suppresses.
|
||||
OS_CFLAGS += -DNSS_NO_GCC48
|
||||
$(warning Unable to find gcc >= 4.8 disabling -Werror)
|
||||
endif
|
||||
|
||||
ifdef USE_PTHREADS
|
||||
DEFINES += -D_REENTRANT
|
||||
endif
|
||||
|
|
|
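Review bot: Werror.mk is now included at the top of this file, before the Android block assigns `CC = $(ANDROID_CC) --sysroot=$(ANDROID_SYSROOT)`, yet Werror.mk fixes the compiler name at include time with `CC_NAME := $(shell $(CC) -? ...)`. Unless CC is already final when the include is read, `CC_NAME`, the clang branch and the new `COMPILER_TAG := _$(CC_NAME)` describe the host compiler rather than the cross compiler. Moving the include below the CC assignment, or adding a comment that CC must be set by the caller beforehand, would make the ordering explicit.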
@ -113,19 +113,25 @@ ifdef NS_USE_GCC
|
|||
else
|
||||
OPTIMIZER += -O2
|
||||
endif
|
||||
DEFINES += -UDEBUG -U_DEBUG -DNDEBUG
|
||||
DEFINES += -UDEBUG -DNDEBUG
|
||||
else
|
||||
OPTIMIZER += -g
|
||||
NULLSTRING :=
|
||||
SPACE := $(NULLSTRING) # end of the line
|
||||
USERNAME := $(subst $(SPACE),_,$(USERNAME))
|
||||
USERNAME := $(subst -,_,$(USERNAME))
|
||||
DEFINES += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
|
||||
DEFINES += -DDEBUG -UNDEBUG -DDEBUG_$(USERNAME)
|
||||
endif
|
||||
else # !NS_USE_GCC
|
||||
OS_CFLAGS += -W3 -nologo -D_CRT_SECURE_NO_WARNINGS \
|
||||
-D_CRT_NONSTDC_NO_WARNINGS
|
||||
OS_DLLFLAGS += -nologo -DLL -SUBSYSTEM:WINDOWS
|
||||
ifndef NSS_ENABLE_WERROR
|
||||
NSS_ENABLE_WERROR = 1
|
||||
endif
|
||||
ifeq ($(NSS_ENABLE_WERROR),1)
|
||||
OS_CFLAGS += -WX
|
||||
endif
|
||||
ifeq ($(_MSC_VER),$(_MSC_VER_6))
|
||||
ifndef MOZ_DEBUG_SYMBOLS
|
||||
OS_DLLFLAGS += -PDB:NONE
|
||||
|
@ -159,7 +165,7 @@ else # !NS_USE_GCC
|
|||
else
|
||||
OPTIMIZER += -O2
|
||||
endif
|
||||
DEFINES += -UDEBUG -U_DEBUG -DNDEBUG
|
||||
DEFINES += -UDEBUG -DNDEBUG
|
||||
DLLFLAGS += -OUT:$@
|
||||
ifdef MOZ_DEBUG_SYMBOLS
|
||||
ifdef MOZ_DEBUG_FLAGS
|
||||
|
@ -176,7 +182,7 @@ else # !NS_USE_GCC
|
|||
SPACE := $(NULLSTRING) # end of the line
|
||||
USERNAME := $(subst $(SPACE),_,$(USERNAME))
|
||||
USERNAME := $(subst -,_,$(USERNAME))
|
||||
DEFINES += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
|
||||
DEFINES += -DDEBUG -UNDEBUG -DDEBUG_$(USERNAME)
|
||||
DLLFLAGS += -DEBUG -OUT:$@
|
||||
LDFLAGS += -DEBUG
|
||||
ifeq ($(_MSC_VER),$(_MSC_VER_6))
|
||||
|
|
|
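Review bot: `NSS_ENABLE_WERROR` defaults to 1 in the non-GCC branch with no compiler-version test, so `-WX` is applied to every MSVC release, while the Unix side of this commit turns on -Werror only for compilers it recognises. This file still special-cases `_MSC_VER_6`, so older toolchains are presumably supported and may stop building at their first warning. Consider defaulting to 0 below a known-clean `_MSC_VER`, or add a comment next to the default naming `NSS_ENABLE_WERROR=0` as the override.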
@ -0,0 +1,70 @@
|
|||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
# This sets warning flags for unix-like operating systems.
|
||||
|
||||
ifndef CC_NAME
|
||||
CC_NAME := $(shell $(CC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q')
|
||||
export CC_NAME
|
||||
endif
|
||||
|
||||
ifndef WARNING_CFLAGS
|
||||
# This tests to see if enabling the warning is possible before
|
||||
# setting an option to disable it.
|
||||
disable_warning = $(shell $(CC) -x c -E -Werror -W$(1) /dev/null >/dev/null 2>&1 && echo -Wno-$(1))
|
||||
|
||||
WARNING_CFLAGS = -Wall
|
||||
ifeq ($(CC_NAME),clang)
|
||||
# -Qunused-arguments : clang objects to arguments that it doesn't understand
|
||||
# and fixing this would require rearchitecture
|
||||
WARNING_CFLAGS += -Qunused-arguments
|
||||
# -Wno-parentheses-equality : because clang warns about macro expansions
|
||||
OS_CFLAGS += $(call disable_warning,parentheses-equality)
|
||||
ifdef BUILD_OPT
|
||||
# clang is unable to handle glib's expansion of strcmp and similar for optimized
|
||||
# builds, so ignore the resulting errors.
|
||||
# See https://llvm.org/bugs/show_bug.cgi?id=20144
|
||||
WARNING_CFLAGS += $(call disable_warning,array-bounds)
|
||||
WARNING_CFLAGS += $(call disable_warning,unevaluated-expression)
|
||||
endif
|
||||
endif # if clang
|
||||
|
||||
ifndef NSS_ENABLE_WERROR
|
||||
ifeq ($(OS_TARGET),Android)
|
||||
# Android lollipop generates the following warning:
|
||||
# error: call to 'sprintf' declared with attribute warning:
|
||||
# sprintf is often misused; please use snprintf [-Werror]
|
||||
# So, just suppress -Werror entirely on Android
|
||||
NSS_ENABLE_WERROR = 0
|
||||
$(warning OS_TARGET is Android, disabling -Werror)
|
||||
else
|
||||
ifeq ($(CC_NAME),clang)
|
||||
# Clang reports its version as an older gcc, but it's OK
|
||||
NSS_ENABLE_WERROR = 1
|
||||
else
|
||||
CC_VERSION := $(subst ., ,$(shell $(CC) -dumpversion))
|
||||
ifneq (,$(filter 4.8 4.9,$(word 1,$(CC_VERSION)).$(word 2,$(CC_VERSION))))
|
||||
NSS_ENABLE_WERROR = 1
|
||||
endif
|
||||
ifeq (,$(filter 0 1 2 3 4,$(word 1,$(CC_VERSION))))
|
||||
NSS_ENABLE_WERROR = 1
|
||||
endif
|
||||
ifndef NSS_ENABLE_WERROR
|
||||
$(warning Unable to find gcc 4.8 or greater, disabling -Werror)
|
||||
NSS_ENABLE_WERROR = 0
|
||||
endif
|
||||
endif
|
||||
endif
|
||||
endif #ndef NSS_ENABLE_WERROR
|
||||
|
||||
ifeq ($(NSS_ENABLE_WERROR),1)
|
||||
WARNING_CFLAGS += -Werror
|
||||
else
|
||||
# Old versions of gcc (< 4.8) don't support #pragma diagnostic in functions.
|
||||
# Use this to disable use of that #pragma and the warnings it suppresses.
|
||||
WARNING_CFLAGS += -DNSS_NO_GCC48
|
||||
endif
|
||||
export WARNING_CFLAGS
|
||||
endif # ndef WARNING_CFLAGS
|
|
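Review bot: The clang branch appends the parentheses-equality suppression to `OS_CFLAGS` instead of `WARNING_CFLAGS`, unlike every other flag set in this file. The Darwin and Linux makefiles in this commit include Werror.mk first and later assign `OS_CFLAGS = ... $(WARNING_CFLAGS) ...`, which discards the earlier `+=`, so the suppression is likely lost while `-Werror` stays on. The line should read `WARNING_CFLAGS += $(call disable_warning,parentheses-equality)`.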
@ -543,7 +543,7 @@ CERT_CreateEncodedOCSPSuccessResponse(
|
|||
done:
|
||||
if (privKey)
|
||||
SECKEY_DestroyPrivateKey(privKey);
|
||||
if (br->responseSignature.signature.data)
|
||||
if (br && br->responseSignature.signature.data)
|
||||
SECITEM_FreeItem(&br->responseSignature.signature, PR_FALSE);
|
||||
PORT_FreeArena(tmpArena, PR_FALSE);
|
||||
|
||||
|
|
|
@ -45,8 +45,8 @@
|
|||
* of the comment in the CK_VERSION type definition.
|
||||
*/
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 5
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION "2.5"
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 6
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION "2.6"
|
||||
|
||||
/* These version numbers detail the semantic changes to the ckfw engine. */
|
||||
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
|
||||
|
|
|
@ -85,9 +85,9 @@ nssCKFWHash_Create
|
|||
rv->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
|
||||
if (!rv->mutex) {
|
||||
if( CKR_OK == *pError ) {
|
||||
(void)nss_ZFreeIf(rv);
|
||||
*pError = CKR_GENERAL_ERROR;
|
||||
}
|
||||
(void)nss_ZFreeIf(rv);
|
||||
return (nssCKFWHash *)NULL;
|
||||
}
|
||||
|
||||
|
|
|
@ -171,6 +171,7 @@ nssCKFWObject_Create
|
|||
if( CKR_OK == *pError ) {
|
||||
*pError = CKR_GENERAL_ERROR;
|
||||
}
|
||||
nss_ZFreeIf(fwObject);
|
||||
return (NSSCKFWObject *)NULL;
|
||||
}
|
||||
|
||||
|
|
|
@ -413,6 +413,7 @@ SGN_Digest(SECKEYPrivateKey *privKey,
|
|||
}
|
||||
result->len = modulusLen;
|
||||
result->data = (unsigned char*) PORT_Alloc(modulusLen);
|
||||
result->type = siBuffer;
|
||||
|
||||
if (result->data == NULL) {
|
||||
rv = SECFailure;
|
||||
|
|
|
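Review bot: `result->len` is set to `modulusLen` before the `PORT_Alloc` result is checked, so on allocation failure the item carries a non-zero length with a NULL `data` pointer. Whether the failure path resets it lies outside this hunk; if it does not, assign the length only after the NULL check or add `result->len = 0;` next to `rv = SECFailure;`. SGN_Digest's body starts and ends outside the hunk.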
@ -22,28 +22,8 @@
|
|||
#define COPY8B(to, from, ptr) \
|
||||
HALFPTR(to)[0] = HALFPTR(from)[0]; \
|
||||
HALFPTR(to)[1] = HALFPTR(from)[1];
|
||||
#elif defined(USE_MEMCPY)
|
||||
#define COPY8B(to, from, ptr) memcpy(to, from, 8)
|
||||
#else
|
||||
#define COPY8B(to, from, ptr) \
|
||||
if (((ptrdiff_t)(ptr) & 0x3) == 0) { \
|
||||
HALFPTR(to)[0] = HALFPTR(from)[0]; \
|
||||
HALFPTR(to)[1] = HALFPTR(from)[1]; \
|
||||
} else if (((ptrdiff_t)(ptr) & 0x1) == 0) { \
|
||||
SHORTPTR(to)[0] = SHORTPTR(from)[0]; \
|
||||
SHORTPTR(to)[1] = SHORTPTR(from)[1]; \
|
||||
SHORTPTR(to)[2] = SHORTPTR(from)[2]; \
|
||||
SHORTPTR(to)[3] = SHORTPTR(from)[3]; \
|
||||
} else { \
|
||||
BYTEPTR(to)[0] = BYTEPTR(from)[0]; \
|
||||
BYTEPTR(to)[1] = BYTEPTR(from)[1]; \
|
||||
BYTEPTR(to)[2] = BYTEPTR(from)[2]; \
|
||||
BYTEPTR(to)[3] = BYTEPTR(from)[3]; \
|
||||
BYTEPTR(to)[4] = BYTEPTR(from)[4]; \
|
||||
BYTEPTR(to)[5] = BYTEPTR(from)[5]; \
|
||||
BYTEPTR(to)[6] = BYTEPTR(from)[6]; \
|
||||
BYTEPTR(to)[7] = BYTEPTR(from)[7]; \
|
||||
}
|
||||
#define COPY8B(to, from, ptr) memcpy(to, from, 8)
|
||||
#endif
|
||||
#define COPY8BTOHALF(to, from) COPY8B(to, from, from)
|
||||
#define COPY8BFROMHALF(to, from) COPY8B(to, from, to)
|
||||
|
|
|
@ -7,15 +7,15 @@
|
|||
/* Copyright(c) 2013, Intel Corp. */
|
||||
/******************************************************************************/
|
||||
/* Reference: */
|
||||
/* [1] Shay Gueron, Michael E. Kounavis: Intel® Carry-Less Multiplication */
|
||||
/* [1] Shay Gueron, Michael E. Kounavis: Intel(R) Carry-Less Multiplication */
|
||||
/* Instruction and its Usage for Computing the GCM Mode (Rev. 2.01) */
|
||||
/* http://software.intel.com/sites/default/files/article/165685/clmul-wp-r*/
|
||||
/*ev-2.01-2012-09-21.pdf */
|
||||
/* [2] S. Gueron, M. E. Kounavis: Efficient Implementation of the Galois */
|
||||
/* Counter Mode Using a Carry-less Multiplier and a Fast Reduction */
|
||||
/* Algorithm. Information Processing Letters 110: 549–553 (2010). */
|
||||
/* [3] S. Gueron: AES Performance on the 2nd Generation Intel® Core™ Processor*/
|
||||
/* Family (to be posted) (2012). */
|
||||
/* Algorithm. Information Processing Letters 110: 549-553 (2010). */
|
||||
/* [3] S. Gueron: AES Performance on the 2nd Generation Intel(R) Core(TM) */
|
||||
/* Processor Family (to be posted) (2012). */
|
||||
/* [4] S. Gueron: Fast GHASH computations for speeding up AES-GCM (to be */
|
||||
/* published) (2012). */
|
||||
|
||||
|
@ -41,9 +41,9 @@ SECStatus intel_AES_GCM_DecryptUpdate(intel_AES_GCMContext *gcm, unsigned char *
|
|||
const unsigned char *inbuf, unsigned int inlen,
|
||||
unsigned int blocksize);
|
||||
|
||||
/* Prorotypes of functions in the assembler file for fast AES-GCM, using
|
||||
/* Prototypes of functions in the assembler file for fast AES-GCM, using
|
||||
Intel AES-NI and CLMUL-NI, as described in [1]
|
||||
[1] Shay Gueron, Michael E. Kounavis: Intel® Carry-Less Multiplication
|
||||
[1] Shay Gueron, Michael E. Kounavis: Intel(R) Carry-Less Multiplication
|
||||
Instruction and its Usage for Computing the GCM Mode */
|
||||
|
||||
/* Prepares the constants used in the aggregated reduction method */
|
||||
|
|
|
@ -26,6 +26,9 @@
|
|||
#define _NSS_CUSTOMIZED
|
||||
#endif
|
||||
|
||||
#undef _NSS_CUSTOMIZED
|
||||
#define _NSS_CUSTOMIZED " (RetroZilla)"
|
||||
|
||||
/*
|
||||
* NSS's major version, minor version, patch level, build number, and whether
|
||||
* this is a beta release.
|
||||
|
@ -33,11 +36,11 @@
|
|||
* The format of the version string should be
|
||||
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
|
||||
*/
|
||||
#define NSS_VERSION "3.20.0.1" _NSS_ECC_STRING _NSS_CUSTOMIZED
|
||||
#define NSS_VERSION "3.21" _NSS_ECC_STRING _NSS_CUSTOMIZED
|
||||
#define NSS_VMAJOR 3
|
||||
#define NSS_VMINOR 20
|
||||
#define NSS_VMINOR 21
|
||||
#define NSS_VPATCH 0
|
||||
#define NSS_VBUILD 1
|
||||
#define NSS_VBUILD 0
|
||||
#define NSS_BETA PR_FALSE
|
||||
|
||||
#ifndef RC_INVOKED
|
||||
|
|
|
@ -1515,6 +1515,7 @@ PK11_MakeKEAPubKey(unsigned char *keyData,int length)
|
|||
|
||||
pkData.data = keyData;
|
||||
pkData.len = length;
|
||||
pkData.type = siBuffer;
|
||||
|
||||
arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
|
||||
if (arena == NULL)
|
||||
|
|
|
@ -1983,6 +1983,7 @@ gatherNicknames(CERTCertificate *cert, void *arg)
|
|||
|
||||
tempNick.data = (unsigned char *)cert->nickname;
|
||||
tempNick.len = PORT_Strlen(cert->nickname) + 1;
|
||||
tempNick.type = siAsciiString;
|
||||
|
||||
/* do we already have the nickname in the list? */
|
||||
if(nickArg->nNicks > 0) {
|
||||
|
|
|
@ -1776,6 +1776,7 @@ lg_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE handle,
|
|||
if (rv != SECSuccess) {
|
||||
crv = CKR_DEVICE_ERROR;
|
||||
}
|
||||
PORT_Free(label);
|
||||
}
|
||||
|
||||
lg_DestroyObjectCache(obj);
|
||||
|
|
|
@ -3698,6 +3698,7 @@ nsc_SetupHMACKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe)
|
|||
|
||||
salt.data = (unsigned char *)pbe_params->pSalt;
|
||||
salt.len = (unsigned int)pbe_params->ulSaltLen;
|
||||
salt.type = siBuffer;
|
||||
rv = SECITEM_CopyItem(arena,¶ms->salt,&salt);
|
||||
if (rv != SECSuccess) {
|
||||
PORT_FreeArena(arena,PR_TRUE);
|
||||
|
|
|
@ -25,11 +25,11 @@
|
|||
* The format of the version string should be
|
||||
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
|
||||
*/
|
||||
#define SOFTOKEN_VERSION "3.20.0.1" SOFTOKEN_ECC_STRING
|
||||
#define SOFTOKEN_VERSION "3.21" SOFTOKEN_ECC_STRING
|
||||
#define SOFTOKEN_VMAJOR 3
|
||||
#define SOFTOKEN_VMINOR 20
|
||||
#define SOFTOKEN_VMINOR 21
|
||||
#define SOFTOKEN_VPATCH 0
|
||||
#define SOFTOKEN_VBUILD 1
|
||||
#define SOFTOKEN_VBUILD 0
|
||||
#define SOFTOKEN_BETA PR_FALSE
|
||||
|
||||
#endif /* _SOFTKVER_H_ */
|
||||
|
|
|
@ -63,7 +63,6 @@ static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
|
|||
static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss,
|
||||
const unsigned char *b,
|
||||
unsigned int l);
|
||||
static SECOidTag ssl3_TLSHashAlgorithmToOID(SSLHashType hashFunc);
|
||||
static SECStatus ssl3_ComputeHandshakeHashes(sslSocket *ss,
|
||||
ssl3CipherSpec *spec,
|
||||
SSL3Hashes *hashes,
|
||||
|
@ -4553,7 +4552,7 @@ static const struct {
|
|||
* If the hash is not recognised, SEC_OID_UNKNOWN is returned.
|
||||
*
|
||||
* See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
|
||||
static SECOidTag
|
||||
SECOidTag
|
||||
ssl3_TLSHashAlgorithmToOID(SSLHashType hashFunc)
|
||||
{
|
||||
unsigned int i;
|
||||
|
@ -9220,6 +9219,7 @@ ssl3_PickSignatureHashAlgorithm(sslSocket *ss,
|
|||
SSLSignatureAndHashAlg* out)
|
||||
{
|
||||
SSLSignType sigAlg;
|
||||
PRUint32 policy;
|
||||
unsigned int i, j;
|
||||
|
||||
switch (ss->ssl3.hs.kea_def->kea) {
|
||||
|
@ -9271,9 +9271,16 @@ ssl3_PickSignatureHashAlgorithm(sslSocket *ss,
|
|||
for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) {
|
||||
const SSLSignatureAndHashAlg *serverPref =
|
||||
&ss->ssl3.signatureAlgorithms[i];
|
||||
SECOidTag hashOID;
|
||||
if (serverPref->sigAlg != sigAlg) {
|
||||
continue;
|
||||
}
|
||||
hashOID = ssl3_TLSHashAlgorithmToOID(serverPref->hashAlg);
|
||||
if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess)
|
||||
|| !(policy & NSS_USE_ALG_IN_SSL_KX)) {
|
||||
/* we ignore hashes we don't support */
|
||||
continue;
|
||||
}
|
||||
for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) {
|
||||
const SSLSignatureAndHashAlg *clientPref =
|
||||
&ss->ssl3.hs.clientSigAndHash[j];
|
||||
|
|
|
@ -2410,17 +2410,29 @@ ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
|
|||
{
|
||||
PRInt32 extension_length;
|
||||
unsigned int i;
|
||||
PRInt32 pos=0;
|
||||
PRUint32 policy;
|
||||
PRUint8 buf[MAX_SIGNATURE_ALGORITHMS * 2];
|
||||
|
||||
if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
for (i=0; i < ss->ssl3.signatureAlgorithmCount; i++) {
|
||||
SECOidTag hashOID = ssl3_TLSHashAlgorithmToOID(
|
||||
ss->ssl3.signatureAlgorithms[i].hashAlg);
|
||||
if ((NSS_GetAlgorithmPolicy(hashOID, & policy) != SECSuccess) ||
|
||||
(policy & NSS_USE_ALG_IN_SSL_KX)) {
|
||||
buf[pos++] = ss->ssl3.signatureAlgorithms[i].hashAlg;
|
||||
buf[pos++] = ss->ssl3.signatureAlgorithms[i].sigAlg;
|
||||
}
|
||||
}
|
||||
|
||||
extension_length =
|
||||
2 /* extension type */ +
|
||||
2 /* extension length */ +
|
||||
2 /* supported_signature_algorithms length */ +
|
||||
ss->ssl3.signatureAlgorithmCount * 2;
|
||||
pos;
|
||||
|
||||
if (maxBytes < extension_length) {
|
||||
PORT_Assert(0);
|
||||
|
@ -2438,10 +2450,6 @@ ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
|
|||
return -1;
|
||||
}
|
||||
|
||||
for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) {
|
||||
buf[i * 2] = ss->ssl3.signatureAlgorithms[i].hashAlg;
|
||||
buf[i * 2 + 1] = ss->ssl3.signatureAlgorithms[i].sigAlg;
|
||||
}
|
||||
rv = ssl3_AppendHandshakeVariable(ss, buf, extension_length - 6, 2);
|
||||
if (rv != SECSuccess) {
|
||||
return -1;
|
||||
|
|
|
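Review bot: The policy filter in this loop advertises an algorithm when `NSS_GetAlgorithmPolicy` fails, because the condition is `!= SECSuccess || (policy & NSS_USE_ALG_IN_SSL_KX)`, whereas the matching check this commit adds to ssl3_PickSignatureHashAlgorithm skips the algorithm on the same failure. The comment on ssl3_TLSHashAlgorithmToOID says it returns SEC_OID_UNKNOWN for an unrecognised hash, so a failed lookup looks reachable. Failing closed in both places is the safer default: `if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) && (policy & NSS_USE_ALG_IN_SSL_KX)) {`. If advertising on lookup failure is intended, a comment stating why would settle it.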
@ -1954,6 +1954,8 @@ ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec,
|
|||
const char *label, unsigned int labelLen,
|
||||
const unsigned char *val, unsigned int valLen,
|
||||
unsigned char *out, unsigned int outLen);
|
||||
extern SECOidTag
|
||||
ssl3_TLSHashAlgorithmToOID(SSLHashType hashFunc);
|
||||
|
||||
#ifdef TRACE
|
||||
#define SSL_TRACE(msg) ssl_Trace msg
|
||||
|
|
|
@ -19,11 +19,11 @@
|
|||
* The format of the version string should be
|
||||
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
|
||||
*/
|
||||
#define NSSUTIL_VERSION "3.20.0.1"
|
||||
#define NSSUTIL_VERSION "3.21"
|
||||
#define NSSUTIL_VMAJOR 3
|
||||
#define NSSUTIL_VMINOR 20
|
||||
#define NSSUTIL_VMINOR 21
|
||||
#define NSSUTIL_VPATCH 0
|
||||
#define NSSUTIL_VBUILD 1
|
||||
#define NSSUTIL_VBUILD 0
|
||||
#define NSSUTIL_BETA PR_FALSE
|
||||
|
||||
SEC_BEGIN_PROTOS
|
||||
|
|
|
@ -1887,14 +1887,14 @@ handleHashAlgSupport(char * envVal)
|
|||
*nextArg++ = '\0';
|
||||
}
|
||||
}
|
||||
notEnable = (*arg == '-') ? NSS_USE_ALG_IN_CERT_SIGNATURE : 0;
|
||||
notEnable = (*arg == '-') ? (NSS_USE_ALG_IN_CERT_SIGNATURE|NSS_USE_ALG_IN_SSL_KX) : 0;
|
||||
if ((*arg == '+' || *arg == '-') && *++arg) {
|
||||
int i;
|
||||
|
||||
for (i = 1; i < SEC_OID_TOTAL; i++) {
|
||||
if (oids[i].desc && strstr(arg, oids[i].desc)) {
|
||||
xOids[i].notPolicyFlags = notEnable |
|
||||
(xOids[i].notPolicyFlags & ~NSS_USE_ALG_IN_CERT_SIGNATURE);
|
||||
(xOids[i].notPolicyFlags & ~(NSS_USE_ALG_IN_CERT_SIGNATURE|NSS_USE_ALG_IN_SSL_KX));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
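Review bot: The mask `(NSS_USE_ALG_IN_CERT_SIGNATURE|NSS_USE_ALG_IN_SSL_KX)` is now written out twice, once to build `notEnable` and once to clear the old bits, and the two copies must stay identical for the update to be correct. One local holding `NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_SSL_KX`, typed like `notEnable` and used in both places, would keep them from drifting apart. NSS_USE_ALG_IN_CMS_SIGNATURE is not in the mask, so an algorithm disabled through this variable stays enabled for CMS; a comment saying whether that is intended would help.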
@ -476,6 +476,7 @@ struct SECOidDataStr {
|
|||
*/
|
||||
#define NSS_USE_ALG_IN_CERT_SIGNATURE 0x00000001 /* CRLs and OCSP, too */
|
||||
#define NSS_USE_ALG_IN_CMS_SIGNATURE 0x00000002 /* used in S/MIME */
|
||||
#define NSS_USE_ALG_IN_SSL_KX 0x00000004 /* used in SSL key exchange */
|
||||
#define NSS_USE_ALG_RESERVED 0xfffffffc /* may be used in future */
|
||||
|
||||
/* Code MUST NOT SET or CLEAR reserved bits, and must NOT depend on them
|
||||
|
|
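Review bot: `NSS_USE_ALG_IN_SSL_KX` takes bit 0x00000004, but `NSS_USE_ALG_RESERVED` is still 0xfffffffc, which contains that bit. The comment below says code must not set or clear reserved bits, so the new flag contradicts the header as written, and any caller masking with NSS_USE_ALG_RESERVED would treat it as reserved. The reserved mask should shrink to match: `#define NSS_USE_ALG_RESERVED 0xfffffff8`.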