зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1283376 - Land NSS_3_26_BETA2 r=franziskus
Родитель
e6a99fe9ed
Коммит
2c06cddb89
|
@ -62,6 +62,7 @@ tasks:
|
|||
env:
|
||||
TC_OWNER: {{owner}}
|
||||
TC_SOURCE: {{{source}}}
|
||||
TC_PROJECT: {{project}}
|
||||
NSS_PUSHLOG_ID: '{{pushlog_id}}'
|
||||
NSS_HEAD_REPOSITORY: '{{{url}}}'
|
||||
NSS_HEAD_REVISION: '{{revision}}'
|
||||
|
|
|
@ -1 +1 @@
|
|||
NSS_3.26_BETA1
|
||||
NSS_3.26_BETA2
|
||||
|
|
|
@ -12,6 +12,7 @@ var flatmap = require("flatmap");
|
|||
// Default values for debugging.
|
||||
var TC_OWNER = process.env.TC_OWNER || "{{tc_owner}}";
|
||||
var TC_SOURCE = process.env.TC_SOURCE || "{{tc_source}}";
|
||||
var TC_PROJECT = process.env.TC_PROJECT || "{{tc_project}}";
|
||||
var NSS_PUSHLOG_ID = process.env.NSS_PUSHLOG_ID || "{{nss_pushlog_id}}";
|
||||
var NSS_HEAD_REPOSITORY = process.env.NSS_HEAD_REPOSITORY || "{{nss_head_repo}}";
|
||||
var NSS_HEAD_REVISION = process.env.NSS_HEAD_REVISION || "{{nss_head_rev}}";
|
||||
|
@ -66,8 +67,8 @@ function decorateTask(task) {
|
|||
|
||||
// TreeHerder routes.
|
||||
task.task.routes = [
|
||||
"tc-treeherder-stage.v2.nss." + NSS_HEAD_REVISION + "." + NSS_PUSHLOG_ID,
|
||||
"tc-treeherder.v2.nss." + NSS_HEAD_REVISION + "." + NSS_PUSHLOG_ID
|
||||
"tc-treeherder-stage.v2." + TC_PROJECT + "." + NSS_HEAD_REVISION + "." + NSS_PUSHLOG_ID,
|
||||
"tc-treeherder.v2." + TC_PROJECT + "." + NSS_HEAD_REVISION + "." + NSS_PUSHLOG_ID
|
||||
];
|
||||
}
|
||||
|
||||
|
|
|
@ -27,9 +27,6 @@
|
|||
- gtests
|
||||
- lowhash
|
||||
- merge
|
||||
- ocsp
|
||||
- pkits
|
||||
- pkix
|
||||
- sdr
|
||||
- smime
|
||||
- ssl
|
||||
|
@ -123,13 +120,13 @@
|
|||
|
||||
- task:
|
||||
metadata:
|
||||
name: "Linux 32 (debug, NO_PKCS11_BYPASS=1)"
|
||||
description: "Linux 32 (debug, NO_PKCS11_BYPASS=1)"
|
||||
name: "Linux 32 (debug, NSS_NO_PKCS11_BYPASS=1)"
|
||||
description: "Linux 32 (debug, NSS_NO_PKCS11_BYPASS=1)"
|
||||
|
||||
payload:
|
||||
env:
|
||||
NSS_NO_PKCS11_BYPASS: 1
|
||||
NSS_ENABLE_TLS_1_3: 1
|
||||
NO_PKCS11_BYPASS: 1
|
||||
|
||||
extra:
|
||||
treeherder:
|
||||
|
|
|
@ -28,9 +28,6 @@
|
|||
- gtests
|
||||
- lowhash
|
||||
- merge
|
||||
- ocsp
|
||||
- pkits
|
||||
- pkix
|
||||
- sdr
|
||||
- smime
|
||||
- ssl
|
||||
|
@ -131,13 +128,13 @@
|
|||
|
||||
- task:
|
||||
metadata:
|
||||
name: "Linux 32 (opt, NO_PKCS11_BYPASS=1)"
|
||||
description: "Linux 32 (opt, NO_PKCS11_BYPASS=1)"
|
||||
name: "Linux 32 (opt, NSS_NO_PKCS11_BYPASS=1)"
|
||||
description: "Linux 32 (opt, NSS_NO_PKCS11_BYPASS=1)"
|
||||
|
||||
payload:
|
||||
env:
|
||||
NSS_NO_PKCS11_BYPASS: 1
|
||||
NSS_ENABLE_TLS_1_3: 1
|
||||
NO_PKCS11_BYPASS: 1
|
||||
BUILD_OPT: 1
|
||||
|
||||
extra:
|
||||
|
|
|
@ -31,9 +31,6 @@
|
|||
- gtests
|
||||
- lowhash
|
||||
- merge
|
||||
- ocsp
|
||||
- pkits
|
||||
- pkix
|
||||
- sdr
|
||||
- smime
|
||||
- ssl
|
||||
|
|
|
@ -29,9 +29,6 @@
|
|||
- lowhash
|
||||
- memleak
|
||||
- merge
|
||||
- ocsp
|
||||
- pkits
|
||||
- pkix
|
||||
- sdr
|
||||
- smime
|
||||
- ssl
|
||||
|
@ -132,13 +129,13 @@
|
|||
|
||||
- task:
|
||||
metadata:
|
||||
name: "Linux 64 (debug, NO_PKCS11_BYPASS=1)"
|
||||
description: "Linux 64 (debug, NO_PKCS11_BYPASS=1)"
|
||||
name: "Linux 64 (debug, NSS_NO_PKCS11_BYPASS=1)"
|
||||
description: "Linux 64 (debug, NSS_NO_PKCS11_BYPASS=1)"
|
||||
|
||||
payload:
|
||||
env:
|
||||
NSS_NO_PKCS11_BYPASS: 1
|
||||
NSS_ENABLE_TLS_1_3: 1
|
||||
NO_PKCS11_BYPASS: 1
|
||||
USE_64: 1
|
||||
|
||||
extra:
|
||||
|
|
|
@ -25,11 +25,14 @@
|
|||
lsan: true
|
||||
|
||||
tests:
|
||||
- chains
|
||||
- cipher
|
||||
- db
|
||||
- ec
|
||||
- gtests
|
||||
- lowhash
|
||||
- merge
|
||||
- ocsp
|
||||
- pkits
|
||||
- sdr
|
||||
- smime
|
||||
- ssl
|
||||
- tools
|
||||
|
|
|
@ -29,9 +29,6 @@
|
|||
- gtests
|
||||
- lowhash
|
||||
- merge
|
||||
- ocsp
|
||||
- pkits
|
||||
- pkix
|
||||
- sdr
|
||||
- smime
|
||||
- ssl
|
||||
|
@ -136,13 +133,13 @@
|
|||
|
||||
- task:
|
||||
metadata:
|
||||
name: "Linux 64 (opt, NO_PKCS11_BYPASS=1)"
|
||||
description: "Linux 64 (opt, NO_PKCS11_BYPASS=1)"
|
||||
name: "Linux 64 (opt, NSS_NO_PKCS11_BYPASS=1)"
|
||||
description: "Linux 64 (opt, NSS_NO_PKCS11_BYPASS=1)"
|
||||
|
||||
payload:
|
||||
env:
|
||||
NSS_NO_PKCS11_BYPASS: 1
|
||||
NSS_ENABLE_TLS_1_3: 1
|
||||
NO_PKCS11_BYPASS: 1
|
||||
BUILD_OPT: 1
|
||||
USE_64: 1
|
||||
|
||||
|
|
|
@ -1,20 +1,4 @@
|
|||
---
|
||||
- task:
|
||||
metadata:
|
||||
name: "MemLeak tests (ocsp)"
|
||||
description: "MemLeak tests (ocsp)"
|
||||
|
||||
payload:
|
||||
env:
|
||||
NSS_MEMLEAK_TESTS: ocsp
|
||||
NSS_TESTS: memleak
|
||||
|
||||
extra:
|
||||
treeherder:
|
||||
symbol: ocsp
|
||||
collection:
|
||||
memleak: true
|
||||
|
||||
- task:
|
||||
metadata:
|
||||
name: "MemLeak tests (ssl_server, standard)"
|
||||
|
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
- task:
|
||||
metadata:
|
||||
name: OCSP tests
|
||||
description: OCSP tests
|
||||
|
||||
payload:
|
||||
env:
|
||||
NSS_TESTS: ocsp
|
||||
|
||||
extra:
|
||||
treeherder:
|
||||
symbol: OCSP
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
- task:
|
||||
metadata:
|
||||
name: NIST PKITS tests
|
||||
description: NIST PKITS tests
|
||||
|
||||
payload:
|
||||
env:
|
||||
NSS_TESTS: pkits
|
||||
|
||||
extra:
|
||||
treeherder:
|
||||
symbol: PKITS
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
- task:
|
||||
metadata:
|
||||
name: libpkix tests
|
||||
description: libpkix tests
|
||||
|
||||
payload:
|
||||
env:
|
||||
NSS_TESTS: libpkix
|
||||
|
||||
extra:
|
||||
treeherder:
|
||||
symbol: PKIX
|
|
@ -0,0 +1,28 @@
|
|||
---
|
||||
reruns: 0
|
||||
|
||||
task:
|
||||
created: !from_now 0
|
||||
deadline: !from_now 24
|
||||
provisionerId: aws-provisioner-v1
|
||||
workerType: hg-worker
|
||||
schedulerId: task-graph-scheduler
|
||||
|
||||
metadata:
|
||||
owner: !env TC_OWNER
|
||||
source: !env TC_SOURCE
|
||||
|
||||
payload:
|
||||
maxRunTime: 3600
|
||||
image: ttaubert/nss-ci:0.0.17
|
||||
|
||||
env:
|
||||
NSS_HEAD_REPOSITORY: !env NSS_HEAD_REPOSITORY
|
||||
NSS_HEAD_REVISION: !env NSS_HEAD_REVISION
|
||||
|
||||
extra:
|
||||
treeherder:
|
||||
build:
|
||||
platform: nss-tools
|
||||
machine:
|
||||
platform: nss-tools
|
|
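Review bot: The `image: ttaubert/nss-ci:0.0.17` line in this new shared task definition names the CI image by a mutable tag, in what looks like a personal registry namespace. The contents that every tools task executes can therefore change without any commit to this repository. If the worker accepts digest references (not verifiable from this page), pinning it as `image: ttaubert/nss-ci@sha256:<digest-of-0.0.17>` would make the build environment reproducible and auditable. Failing that, a comment recording which Dockerfile and revision the tag was built from would give reviewers something to check against.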
@ -1,35 +1,15 @@
|
|||
---
|
||||
- reruns: 0
|
||||
task:
|
||||
created: !from_now 0
|
||||
deadline: !from_now 24
|
||||
provisionerId: aws-provisioner-v1
|
||||
workerType: hg-worker
|
||||
schedulerId: task-graph-scheduler
|
||||
|
||||
- task:
|
||||
metadata:
|
||||
owner: !env TC_OWNER
|
||||
source: !env TC_SOURCE
|
||||
name: clang-format-3.8
|
||||
description: clang-format-3.8
|
||||
|
||||
payload:
|
||||
maxRunTime: 3600
|
||||
image: ttaubert/nss-ci:0.0.17
|
||||
|
||||
command:
|
||||
- "/bin/bash"
|
||||
- "-c"
|
||||
- "bin/checkout.sh && nss/automation/taskcluster/scripts/run_clang_format.sh nss/lib/ssl"
|
||||
|
||||
env:
|
||||
NSS_HEAD_REPOSITORY: !env NSS_HEAD_REPOSITORY
|
||||
NSS_HEAD_REVISION: !env NSS_HEAD_REVISION
|
||||
|
||||
extra:
|
||||
treeherder:
|
||||
build:
|
||||
platform: nss-tools
|
||||
machine:
|
||||
platform: nss-tools
|
||||
symbol: clang-format-3.8
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
---
|
||||
- task:
|
||||
metadata:
|
||||
name: scan-build-3.8
|
||||
description: scan-build-3.8
|
||||
|
||||
payload:
|
||||
artifacts:
|
||||
public:
|
||||
type: directory
|
||||
path: /home/worker/artifacts
|
||||
expires: !from_now 24
|
||||
|
||||
command:
|
||||
- "/bin/bash"
|
||||
- "-c"
|
||||
- "bin/checkout.sh && nss/automation/taskcluster/scripts/run_scan_build.sh"
|
||||
|
||||
env:
|
||||
GCC_VERSION: clang
|
||||
GXX_VERSION: clang++
|
||||
NSS_ENABLE_TLS_1_3: 1
|
||||
USE_64: 1
|
||||
|
||||
extra:
|
||||
treeherder:
|
||||
symbol: scan-build-3.8
|
|
@ -27,9 +27,6 @@
|
|||
- gtests
|
||||
- lowhash
|
||||
- merge
|
||||
- ocsp
|
||||
- pkits
|
||||
- pkix
|
||||
- sdr
|
||||
- smime
|
||||
- tools
|
||||
|
@ -57,13 +54,13 @@
|
|||
|
||||
- task:
|
||||
metadata:
|
||||
name: "Windows 2012 64 (debug, NO_PKCS11_BYPASS=1)"
|
||||
description: "Windows 2012 64 (debug, NO_PKCS11_BYPASS=1)"
|
||||
name: "Windows 2012 64 (debug, NSS_NO_PKCS11_BYPASS=1)"
|
||||
description: "Windows 2012 64 (debug, NSS_NO_PKCS11_BYPASS=1)"
|
||||
|
||||
payload:
|
||||
env:
|
||||
NSS_NO_PKCS11_BYPASS: 1
|
||||
NSS_ENABLE_TLS_1_3: 1
|
||||
NO_PKCS11_BYPASS: 1
|
||||
USE_64: 1
|
||||
|
||||
extra:
|
||||
|
|
|
@ -28,9 +28,6 @@
|
|||
- gtests
|
||||
- lowhash
|
||||
- merge
|
||||
- ocsp
|
||||
- pkits
|
||||
- pkix
|
||||
- sdr
|
||||
- smime
|
||||
- tools
|
||||
|
@ -59,13 +56,13 @@
|
|||
|
||||
- task:
|
||||
metadata:
|
||||
name: "Windows 2012 64 (opt, NO_PKCS11_BYPASS=1)"
|
||||
description: "Windows 2012 64 (opt, NO_PKCS11_BYPASS=1)"
|
||||
name: "Windows 2012 64 (opt, NSS_NO_PKCS11_BYPASS=1)"
|
||||
description: "Windows 2012 64 (opt, NSS_NO_PKCS11_BYPASS=1)"
|
||||
|
||||
payload:
|
||||
env:
|
||||
NSS_NO_PKCS11_BYPASS: 1
|
||||
NSS_ENABLE_TLS_1_3: 1
|
||||
NO_PKCS11_BYPASS: 1
|
||||
BUILD_OPT: 1
|
||||
USE_64: 1
|
||||
|
||||
|
|
|
@ -0,0 +1,42 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
set -v -e -x
|
||||
|
||||
if [ $(id -u) = 0 ]; then
|
||||
source $(dirname $0)/tools.sh
|
||||
|
||||
# Set compiler.
|
||||
switch_compilers
|
||||
|
||||
# Drop privileges by re-running this script.
|
||||
exec su worker $0 $@
|
||||
fi
|
||||
|
||||
# Clone NSPR if needed.
|
||||
if [ ! -d "nspr" ]; then
|
||||
hg clone https://hg.mozilla.org/projects/nspr
|
||||
fi
|
||||
|
||||
# Build.
|
||||
cd nss && make nss_build_all
|
||||
|
||||
# we run scan-build on these folders
|
||||
declare -a scan=("lib/ssl" "lib/freebl")
|
||||
|
||||
for i in "${scan[@]}"
|
||||
do
|
||||
echo "cleaning $i ..."
|
||||
find "$i" -name "*.OBJ" | xargs rm -fr
|
||||
done
|
||||
|
||||
# run scan-build
|
||||
scan-build -o /home/worker/artifacts/ make nss_build_all && cd ..
|
||||
|
||||
# print errors we found
|
||||
set +v +x
|
||||
for i in "${scan[@]}"
|
||||
do
|
||||
n=$(grep -Rn "${i#*/}/" /home/worker/artifacts/*/index.html | wc -l)
|
||||
# TODO: print FAILED/PASSED and set exit code for folders we expect to be clean
|
||||
echo "$(date '+%T') WARNING - TEST-UNEXPECTED-FAIL: $i contains $n scan-build errors"
|
||||
done
|
|
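Review bot: A failed analysis run can go unnoticed here, because `set -e` does not abort when a command on the left-hand side of an `&&` list fails. If `scan-build -o /home/worker/artifacts/ make nss_build_all` fails, `cd ..` is skipped and the script still counts reports and ends with the status of the last `echo`; a failed `cd nss` is ignored the same way. Put `cd ..` on its own line after the `scan-build` command, and likewise split `cd nss` from `make nss_build_all`. The re-exec should also be quoted as `exec su worker "$0" "$@"` so arguments survive the privilege drop unchanged. Until the TODO is resolved, findings appear only as log text and never as a failing task status.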
@ -3298,6 +3298,9 @@ dump_file(bltestCipherMode mode, char *filename)
|
|||
bltestIO keydata;
|
||||
PLArenaPool *arena = NULL;
|
||||
arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
|
||||
if (!arena) {
|
||||
return SECFailure;
|
||||
}
|
||||
if (mode == bltestRSA || mode == bltestRSA_PSS || mode == bltestRSA_OAEP) {
|
||||
RSAPrivateKey *key;
|
||||
load_file_data(arena, &keydata, filename, bltestBase64Encoded);
|
||||
|
|
|
@ -456,11 +456,15 @@ CreateModifiedCRLCopy(PLArenaPool *arena, CERTCertDBHandle *certHandle,
|
|||
}
|
||||
|
||||
signCrl->arena = arena;
|
||||
signCrl->referenceCount = 1;
|
||||
|
||||
loser:
|
||||
if (crlDER.data) {
|
||||
SECITEM_FreeItem(&crlDER, PR_FALSE);
|
||||
}
|
||||
if (modArena && (!modCrl || modCrl->arena != modArena)) {
|
||||
PORT_FreeArena(modArena, PR_FALSE);
|
||||
}
|
||||
if (modCrl)
|
||||
SEC_DestroyCrl(modCrl);
|
||||
if (rv != SECSuccess && signCrl) {
|
||||
|
|
|
@ -120,13 +120,18 @@ main(int argc, char **argv)
|
|||
break;
|
||||
}
|
||||
}
|
||||
PL_DestroyOptState(optstate);
|
||||
if (optstatus == PL_OPT_BAD)
|
||||
Usage(progName);
|
||||
|
||||
if (!dbDir) {
|
||||
dbDir = SECU_DefaultSSLDir(); /* Look in $SSL_DIR */
|
||||
if (dbDir) {
|
||||
char *tmp = dbDir;
|
||||
dbDir = SECU_ConfigDirectory(tmp);
|
||||
PORT_Free(tmp);
|
||||
} else {
|
||||
/* Look in $SSL_DIR */
|
||||
dbDir = SECU_ConfigDirectory(SECU_DefaultSSLDir());
|
||||
}
|
||||
dbDir = SECU_ConfigDirectory(dbDir);
|
||||
PR_fprintf(PR_STDERR, "dbdir selected is %s\n\n", dbDir);
|
||||
|
||||
if (dbDir[0] == '\0') {
|
||||
|
@ -162,6 +167,7 @@ main(int argc, char **argv)
|
|||
PR_fprintf(PR_STDERR, errStrings[FILE_NOT_WRITEABLE_ERR],
|
||||
dbString);
|
||||
}
|
||||
PR_smprintf_free(dbString);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -285,6 +285,9 @@ hexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str)
|
|||
int byteval = 0;
|
||||
int tmp = PORT_Strlen(str);
|
||||
|
||||
PORT_Assert(arena);
|
||||
PORT_Assert(item);
|
||||
|
||||
if ((tmp % 2) != 0) {
|
||||
return NULL;
|
||||
}
|
||||
|
@ -295,19 +298,22 @@ hexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str)
|
|||
tmp -= 2;
|
||||
}
|
||||
|
||||
if (SECITEM_AllocItem(arena, item, tmp / 2) == NULL) {
|
||||
item = SECITEM_AllocItem(arena, item, tmp / 2);
|
||||
if (item == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
while (str[i]) {
|
||||
if ((str[i] >= '0') && (str[i] <= '9'))
|
||||
if ((str[i] >= '0') && (str[i] <= '9')) {
|
||||
tmp = str[i] - '0';
|
||||
else if ((str[i] >= 'a') && (str[i] <= 'f'))
|
||||
} else if ((str[i] >= 'a') && (str[i] <= 'f')) {
|
||||
tmp = str[i] - 'a' + 10;
|
||||
else if ((str[i] >= 'A') && (str[i] <= 'F'))
|
||||
} else if ((str[i] >= 'A') && (str[i] <= 'F')) {
|
||||
tmp = str[i] - 'A' + 10;
|
||||
else
|
||||
} else {
|
||||
/* item is in arena and gets freed by the caller */
|
||||
return NULL;
|
||||
}
|
||||
|
||||
byteval = byteval * 16 + tmp;
|
||||
if ((i % 2) != 0) {
|
||||
|
@ -574,6 +580,7 @@ ectest_curve_freebl(ECCurveName curve, int iterations, int numThreads)
|
|||
}
|
||||
|
||||
if ((curve < ECCurve_noName) || (curve > ECCurve_pastLastCurve)) {
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
|
|
|
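Review bot: The two `PORT_Assert` checks added at the top of hexString2SECItem are compiled out of optimized builds, yet the new comment in the invalid-character branch (`/* item is in arena and gets freed by the caller */`) depends on `arena` being non-NULL. With a NULL arena, `SECITEM_AllocItem` would allocate from the heap and the early `return NULL` would leak that buffer. A NULL `item` would also be replaced by a fresh allocation that the caller never sees on the error path. A runtime guard after the asserts, `if (!arena || !item) { return NULL; }`, would make the documented assumption hold in every build type. The function body continues outside both hunks.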
@ -640,6 +640,7 @@ handle_connection(
|
|||
if (isOcspRequest && caRevoInfos) {
|
||||
CERTOCSPRequest *request = NULL;
|
||||
PRBool failThisRequest = PR_FALSE;
|
||||
PLArenaPool *arena = NULL;
|
||||
|
||||
if (ocspMethodsAllowed == ocspGetOnly && postData.len) {
|
||||
failThisRequest = PR_TRUE;
|
||||
|
@ -660,12 +661,17 @@ handle_connection(
|
|||
*/
|
||||
if (getData) {
|
||||
if (urldecode_base64chars_inplace(getData) == SECSuccess) {
|
||||
NSSBase64_DecodeBuffer(NULL, &postData, getData, strlen(getData));
|
||||
/* The code below can handle a NULL arena */
|
||||
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
||||
NSSBase64_DecodeBuffer(arena, &postData, getData, strlen(getData));
|
||||
}
|
||||
}
|
||||
if (postData.len) {
|
||||
request = CERT_DecodeOCSPRequest(&postData);
|
||||
}
|
||||
if (arena) {
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
}
|
||||
if (!request || !request->tbsRequest ||
|
||||
!request->tbsRequest->requestList ||
|
||||
!request->tbsRequest->requestList[0]) {
|
||||
|
@ -775,6 +781,7 @@ handle_connection(
|
|||
PORT_FreeArena(arena, PR_FALSE);
|
||||
}
|
||||
}
|
||||
CERT_DestroyOCSPRequest(request);
|
||||
break;
|
||||
}
|
||||
} else if (local_file_fd) {
|
||||
|
@ -1367,6 +1374,7 @@ main(int argc, char **argv)
|
|||
revoInfo->crl =
|
||||
CERT_DecodeDERCrlWithFlags(NULL, &crlDER, SEC_CRL_TYPE,
|
||||
CRL_DECODE_DEFAULT_OPTIONS);
|
||||
SECITEM_FreeItem(&crlDER, PR_FALSE);
|
||||
if (!revoInfo->crl) {
|
||||
fprintf(stderr, "unable to decode crl file %s\n",
|
||||
revoInfo->crlFilename);
|
||||
|
|
|
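Review bot: After the added `if (arena) { PORT_FreeArena(arena, PR_FALSE); }` in handle_connection, `postData.data` still points into the freed arena and `arena` keeps its stale value. A context line in the third hunk of the same function calls `PORT_FreeArena(arena, PR_FALSE)` again. If that later call refers to an inner declaration (not visible here), the new outer variable is merely shadowed, which is correct but easy to misread; if it does not, this is a double free. Writing `arena = NULL;` right after the free and giving the new variable a distinct name would make the lifetime explicit. The result of `NSSBase64_DecodeBuffer` on this request-supplied data is also unchecked in the lines shown, so a failed decode is only caught indirectly through `postData.len`.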
@ -155,6 +155,7 @@ DecodeAndPrintFile(FILE *out, PRFileDesc *in, char *progName)
|
|||
fprintf(out, "There were%s certs or crls included.\n",
|
||||
SEC_PKCS7ContainsCertsOrCrls(cinfo) ? "" : " no");
|
||||
|
||||
SECITEM_FreeItem(&derdata, PR_FALSE);
|
||||
SEC_PKCS7DestroyContentInfo(cinfo);
|
||||
return 0;
|
||||
}
|
||||
|
@ -172,6 +173,7 @@ main(int argc, char **argv)
|
|||
PLOptState *optstate;
|
||||
PLOptStatus status;
|
||||
SECStatus rv;
|
||||
int error = 0;
|
||||
|
||||
progName = strrchr(argv[0], '/');
|
||||
progName = progName ? progName + 1 : argv[0];
|
||||
|
@ -194,7 +196,8 @@ main(int argc, char **argv)
|
|||
if (!inFile) {
|
||||
fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
|
||||
progName, optstate->value);
|
||||
return -1;
|
||||
error = -1;
|
||||
goto done;
|
||||
}
|
||||
break;
|
||||
|
||||
|
@ -203,7 +206,8 @@ main(int argc, char **argv)
|
|||
if (!outFile) {
|
||||
fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
|
||||
progName, optstate->value);
|
||||
return -1;
|
||||
error = -1;
|
||||
goto done;
|
||||
}
|
||||
break;
|
||||
|
||||
|
@ -222,6 +226,8 @@ main(int argc, char **argv)
|
|||
break;
|
||||
}
|
||||
}
|
||||
PL_DestroyOptState(optstate);
|
||||
|
||||
if (status == PL_OPT_BAD)
|
||||
Usage(progName);
|
||||
|
||||
|
@ -235,19 +241,29 @@ main(int argc, char **argv)
|
|||
rv = NSS_Init(SECU_ConfigDirectory(NULL));
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintPRandOSError(progName);
|
||||
return -1;
|
||||
error = -1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
PK11_SetPasswordFunc(SECU_GetModulePassword);
|
||||
|
||||
if (DecodeAndPrintFile(outFile, inFile, progName)) {
|
||||
SECU_PrintError(progName, "problem decoding data");
|
||||
return -1;
|
||||
error = -1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
done:
|
||||
if (inFile && inFile != PR_STDIN) {
|
||||
PR_Close(inFile);
|
||||
}
|
||||
if (outFile && outFile != stdout) {
|
||||
fclose(outFile);
|
||||
}
|
||||
|
||||
if (NSS_Shutdown() != SECSuccess) {
|
||||
exit(1);
|
||||
error = -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
return error;
|
||||
}
|
||||
|
|
|
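Review bot: The two `goto done` jumps added in the option-parsing branches ("unable to open ... for reading" and "... for writing") bypass the `PL_DestroyOptState(optstate)` call that this change appears to add after the loop, so `optstate` still leaks on exactly those error paths. Calling `PL_DestroyOptState(optstate);` immediately before each of those two jumps would close it. Those paths also reach `NSS_Shutdown()` before `NSS_Init()` has run; that presumably just fails, which is harmless only because `error` is already -1. The `done:` block relies on `inFile` and `outFile` starting out as NULL, which these hunks do not show, so it is worth confirming in the declarations.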
@ -190,12 +190,13 @@ main(int argc, char **argv)
|
|||
progName);
|
||||
return -1;
|
||||
}
|
||||
rcpt->nickname = strdup(optstate->value);
|
||||
rcpt->nickname = PORT_Strdup(optstate->value);
|
||||
rcpt->cert = NULL;
|
||||
rcpt->next = NULL;
|
||||
break;
|
||||
}
|
||||
}
|
||||
PL_DestroyOptState(optstate);
|
||||
|
||||
if (!recipients)
|
||||
Usage(progName);
|
||||
|
@ -235,5 +236,26 @@ main(int argc, char **argv)
|
|||
return -1;
|
||||
}
|
||||
|
||||
/* free certs */
|
||||
for (rcpt = recipients; rcpt != NULL; ) {
|
||||
struct recipient *next = rcpt->next;
|
||||
CERT_DestroyCertificate(rcpt->cert);
|
||||
PORT_Free(rcpt->nickname);
|
||||
PORT_Free(rcpt);
|
||||
rcpt = next;
|
||||
}
|
||||
|
||||
if (inFile && inFile != stdin) {
|
||||
fclose(inFile);
|
||||
}
|
||||
if (outFile && outFile != stdout) {
|
||||
fclose(outFile);
|
||||
}
|
||||
|
||||
if (NSS_Shutdown() != SECSuccess) {
|
||||
SECU_PrintError(progName, "NSS shutdown:");
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
|
|
@ -132,6 +132,7 @@ SignFile(FILE *outFile, PRFileDesc *inFile, CERTCertificate *cert,
|
|||
rv = SEC_PKCS7Encode(cinfo, SignOut, outFile, NULL,
|
||||
NULL, &pwdata);
|
||||
|
||||
SECITEM_FreeItem(&data2sign, PR_FALSE);
|
||||
SEC_PKCS7DestroyContentInfo(cinfo);
|
||||
|
||||
if (rv != SECSuccess)
|
||||
|
@ -212,6 +213,7 @@ main(int argc, char **argv)
|
|||
break;
|
||||
}
|
||||
}
|
||||
PL_DestroyOptState(optstate);
|
||||
|
||||
if (!keyName)
|
||||
Usage(progName);
|
||||
|
|
|
@ -171,6 +171,7 @@ HashDecodeAndVerify(FILE *out, FILE *content, PRFileDesc *signature,
|
|||
fprintf(out, "invalid (Reason: %s).\n",
|
||||
SECU_Strerror(PORT_GetError()));
|
||||
|
||||
SECITEM_FreeItem(&derdata, PR_FALSE);
|
||||
SEC_PKCS7DestroyContentInfo(cinfo);
|
||||
return 0;
|
||||
}
|
||||
|
@ -245,6 +246,7 @@ main(int argc, char **argv)
|
|||
}
|
||||
}
|
||||
}
|
||||
PL_DestroyOptState(optstate);
|
||||
|
||||
if (!contentFile)
|
||||
Usage(progName);
|
||||
|
@ -267,6 +269,12 @@ main(int argc, char **argv)
|
|||
return -1;
|
||||
}
|
||||
|
||||
fclose(contentFile);
|
||||
PR_Close(signatureFile);
|
||||
if (outFile && outFile != stdout) {
|
||||
fclose(outFile);
|
||||
}
|
||||
|
||||
if (NSS_Shutdown() != SECSuccess) {
|
||||
exit(1);
|
||||
}
|
||||
|
|
|
@ -177,6 +177,8 @@ main(int argc, char **argv)
|
|||
return -1;
|
||||
}
|
||||
|
||||
PORT_Free(typeTag);
|
||||
|
||||
if (inFile != PR_STDIN)
|
||||
PR_Close(inFile);
|
||||
PORT_Free(der.data);
|
||||
|
|
|
@ -694,7 +694,7 @@ launch_threads(
|
|||
local)
|
||||
? PR_LOCAL_THREAD
|
||||
: PR_GLOBAL_THREAD,
|
||||
PR_UNJOINABLE_THREAD, 0);
|
||||
PR_JOINABLE_THREAD, 0);
|
||||
if (slot->prThread == NULL) {
|
||||
printf("selfserv: Failed to launch thread!\n");
|
||||
slot->state = rs_idle;
|
||||
|
@ -723,13 +723,24 @@ launch_threads(
|
|||
void
|
||||
terminateWorkerThreads(void)
|
||||
{
|
||||
VLOG(("selfserv: server_thead: waiting on stopping"));
|
||||
int i;
|
||||
|
||||
VLOG(("selfserv: server_thread: waiting on stopping"));
|
||||
PZ_Lock(qLock);
|
||||
PZ_NotifyAllCondVar(jobQNotEmptyCv);
|
||||
while (threadCount > 0) {
|
||||
PZ_WaitCondVar(threadCountChangeCv, PR_INTERVAL_NO_TIMEOUT);
|
||||
PZ_Unlock(qLock);
|
||||
|
||||
/* Wait for worker threads to terminate. */
|
||||
for (i = 0; i < maxThreads; ++i) {
|
||||
perThread *slot = threads + i;
|
||||
if (slot->prThread) {
|
||||
PR_JoinThread(slot->prThread);
|
||||
}
|
||||
}
|
||||
|
||||
/* The worker threads empty the jobQ before they terminate. */
|
||||
PZ_Lock(qLock);
|
||||
PORT_Assert(threadCount == 0);
|
||||
PORT_Assert(PR_CLIST_IS_EMPTY(&jobQ));
|
||||
PZ_Unlock(qLock);
|
||||
|
||||
|
@ -836,6 +847,7 @@ PRBool enableSessionTickets = PR_FALSE;
|
|||
PRBool enableCompression = PR_FALSE;
|
||||
PRBool failedToNegotiateName = PR_FALSE;
|
||||
PRBool enableExtendedMasterSecret = PR_FALSE;
|
||||
PRBool zeroRTT = PR_FALSE;
|
||||
|
||||
static char *virtServerNameArray[MAX_VIRT_SERVER_NAME_ARRAY_INDEX];
|
||||
static int virtServerNameIndex = 1;
|
||||
|
@ -1842,6 +1854,9 @@ handshakeCallback(PRFileDesc *fd, void *client_data)
|
|||
hostInfo->len)) {
|
||||
failedToNegotiateName = PR_TRUE;
|
||||
}
|
||||
if (hostInfo) {
|
||||
SECITEM_FreeItem(hostInfo, PR_TRUE);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1987,6 +2002,16 @@ server_main(
|
|||
}
|
||||
}
|
||||
|
||||
if (zeroRTT) {
|
||||
if (enabledVersions.max < SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
errExit("You tried enabling 0RTT without enabling TLS 1.3!");
|
||||
}
|
||||
rv = SSL_OptionSet(model_sock, SSL_ENABLE_0RTT_DATA, PR_TRUE);
|
||||
if (rv != SECSuccess) {
|
||||
errExit("error enabling 0RTT ");
|
||||
}
|
||||
}
|
||||
|
||||
/* This cipher is not on by default. The Acceptance test
|
||||
* would like it to be. Turn this cipher on.
|
||||
*/
|
||||
|
@ -2239,7 +2264,7 @@ main(int argc, char **argv)
|
|||
** numbers, then capital letters, then lower case, alphabetical.
|
||||
*/
|
||||
optstate = PL_CreateOptState(argc, argv,
|
||||
"2:A:BC:DEGH:L:M:NP:RS:T:U:V:W:Ya:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz");
|
||||
"2:A:BC:DEGH:L:M:NP:RS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz");
|
||||
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
|
||||
++optionsFound;
|
||||
switch (optstate->option) {
|
||||
|
@ -2462,6 +2487,10 @@ main(int argc, char **argv)
|
|||
enableCompression = PR_TRUE;
|
||||
break;
|
||||
|
||||
case 'Z':
|
||||
zeroRTT = PR_TRUE;
|
||||
break;
|
||||
|
||||
default:
|
||||
case '?':
|
||||
fprintf(stderr, "Unrecognized or bad option specified.\n");
|
||||
|
@ -2879,6 +2908,9 @@ cleanup:
|
|||
PORT_Free(ecNickName);
|
||||
}
|
||||
#endif
|
||||
if (dsaNickName) {
|
||||
PORT_Free(dsaNickName);
|
||||
}
|
||||
|
||||
if (hasSidCache) {
|
||||
SSL_ShutdownServerSessionIDCache();
|
||||
|
|
|
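Review bot: The new `-Z` switch enables `SSL_ENABLE_0RTT_DATA` in server_main with no comment on what accepting early data implies, and none of the selfserv hunks shown here adds the option to the usage text. TLS 1.3 early data is not protected against replay by the handshake itself, so anyone borrowing this server's setup should be told so. I would add a comment above the `if (zeroRTT)` block, for example `/* Test only: 0-RTT early data may be replayed; do not treat it as fresh. */`, and a matching `-Z` line in the usage output. main and server_main both continue outside these hunks.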
@ -348,6 +348,8 @@ GenerateSelfSignedObjectSigningCert(char *nickname, CERTCertDBHandle *db,
|
|||
PK11_FreeSlot(slot);
|
||||
SECKEY_DestroyPrivateKey(privk);
|
||||
SECKEY_DestroyPublicKey(pubk);
|
||||
CERT_DestroyCertificate(temp_cert);
|
||||
CERT_DestroyCertificateRequest(req);
|
||||
|
||||
return cert;
|
||||
}
|
||||
|
@ -387,6 +389,7 @@ ChangeTrustAttributes(CERTCertDBHandle *db, CERTCertificate *cert, char *trusts)
|
|||
return SECFailure;
|
||||
}
|
||||
|
||||
PORT_Free(trust);
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
|
@ -627,6 +630,7 @@ make_cert(CERTCertificateRequest *req, unsigned long serial,
|
|||
}
|
||||
|
||||
cert = CERT_CreateCertificate(serial, ca_subject, validity, req);
|
||||
CERT_DestroyValidity(validity);
|
||||
|
||||
if (cert == NULL) {
|
||||
/* should probably be more precise here */
|
||||
|
@ -650,7 +654,7 @@ output_ca_cert(CERTCertificate *cert, CERTCertDBHandle *db)
|
|||
|
||||
SECItem *encodedCertChain;
|
||||
SEC_PKCS7ContentInfo *certChain;
|
||||
char *filename;
|
||||
char *filename, *certData;
|
||||
|
||||
/* the raw */
|
||||
|
||||
|
@ -695,11 +699,11 @@ output_ca_cert(CERTCertificate *cert, CERTCertDBHandle *db)
|
|||
return;
|
||||
}
|
||||
|
||||
fprintf(out, "%s\n%s\n%s\n",
|
||||
NS_CERT_HEADER,
|
||||
BTOA_DataToAscii(cert->derCert.data, cert->derCert.len),
|
||||
NS_CERT_TRAILER);
|
||||
certData = BTOA_DataToAscii(cert->derCert.data, cert->derCert.len);
|
||||
fprintf(out, "%s\n%s\n%s\n", NS_CERT_HEADER, certData, NS_CERT_TRAILER);
|
||||
PORT_Free(certData);
|
||||
|
||||
PORT_Free(filename);
|
||||
fclose(out);
|
||||
|
||||
if (verbosity >= 0) {
|
||||
|
|
|
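Review bot: In ChangeTrustAttributes the `PORT_Free(trust)` sits only on the success path, and the `return SECFailure;` visible just above it leaves without releasing `trust`. That assumes `trust` is already allocated at that point, since the allocation is outside the hunk. Freeing before each failure return, `PORT_Free(trust); return SECFailure;`, or routing them through one cleanup label would cover the error paths too. Separately, output_ca_cert now holds the `BTOA_DataToAscii` result in `certData` but passes it to `fprintf` with `%s` without a NULL check, and the `md5` and `sha1` variables in manifesto_fn and generate_SF_file follow the same pattern. A guard such as `if (!certData) { fclose(out); PORT_Free(filename); return; }`, adapted to each function's cleanup, would avoid printing through a NULL pointer when the encoder fails.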
@ -443,6 +443,7 @@ static int
|
|||
manifesto_fn(char *relpath, char *basedir, char *reldir, char *filename, void *arg)
|
||||
{
|
||||
int use_js;
|
||||
char *md5, *sha1;
|
||||
|
||||
JAR_Digest dig;
|
||||
char fullname[FNSIZE];
|
||||
|
@ -494,11 +495,15 @@ manifesto_fn(char *relpath, char *basedir, char *reldir, char *filename, void *a
|
|||
|
||||
if (optimize == 0) {
|
||||
fprintf(mf, "Digest-Algorithms: MD5 SHA1\n");
|
||||
fprintf(mf, "MD5-Digest: %s\n", BTOA_DataToAscii(dig.md5,
|
||||
MD5_LENGTH));
|
||||
|
||||
md5 = BTOA_DataToAscii(dig.md5, MD5_LENGTH);
|
||||
fprintf(mf, "MD5-Digest: %s\n", md5);
|
||||
PORT_Free(md5);
|
||||
}
|
||||
|
||||
fprintf(mf, "SHA1-Digest: %s\n", BTOA_DataToAscii(dig.sha1, SHA1_LENGTH));
|
||||
sha1 = BTOA_DataToAscii(dig.sha1, SHA1_LENGTH);
|
||||
fprintf(mf, "SHA1-Digest: %s\n", sha1);
|
||||
PORT_Free(sha1);
|
||||
|
||||
if (!use_js) {
|
||||
JzipAdd(fullname, relpath, zipfile, compression_level);
|
||||
|
@ -674,6 +679,7 @@ generate_SF_file(char *manifile, char *who)
|
|||
long r1, r2, r3;
|
||||
char whofile[FNSIZE];
|
||||
char *buf, *name = NULL;
|
||||
char *md5, *sha1;
|
||||
JAR_Digest dig;
|
||||
int line = 0;
|
||||
|
||||
|
@ -756,12 +762,15 @@ generate_SF_file(char *manifile, char *who)
|
|||
|
||||
if (optimize == 0) {
|
||||
fprintf(sf, "Digest-Algorithms: MD5 SHA1\n");
|
||||
fprintf(sf, "MD5-Digest: %s\n",
|
||||
BTOA_DataToAscii(dig.md5, MD5_LENGTH));
|
||||
|
||||
md5 = BTOA_DataToAscii(dig.md5, MD5_LENGTH);
|
||||
fprintf(sf, "MD5-Digest: %s\n", md5);
|
||||
PORT_Free(md5);
|
||||
}
|
||||
|
||||
fprintf(sf, "SHA1-Digest: %s\n",
|
||||
BTOA_DataToAscii(dig.sha1, SHA1_LENGTH));
|
||||
sha1 = BTOA_DataToAscii(dig.sha1, SHA1_LENGTH);
|
||||
fprintf(sf, "SHA1-Digest: %s\n", sha1);
|
||||
PORT_Free(sha1);
|
||||
|
||||
/* restore normalcy after changing offset position */
|
||||
fseek(mf, r3, SEEK_SET);
|
||||
|
|
|
@ -231,6 +231,8 @@ verify_global(JAR *jar)
|
|||
"global metadigest is not available, strange.\n");
|
||||
}
|
||||
|
||||
PORT_Free(md5_digest);
|
||||
PORT_Free(sha1_digest);
|
||||
fclose(fp);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1251,7 +1251,7 @@ main(int argc, char **argv)
|
|||
SECU_ConfigDirectory(optstate->value);
|
||||
break;
|
||||
case 'e':
|
||||
envFileName = strdup(optstate->value);
|
||||
envFileName = PORT_Strdup(optstate->value);
|
||||
encryptOptions.envFile = PR_Open(envFileName, PR_RDONLY, 00660);
|
||||
break;
|
||||
|
||||
|
@ -1379,9 +1379,6 @@ main(int argc, char **argv)
|
|||
SECU_PrintError(progName, "unable to read infile");
|
||||
exit(1);
|
||||
}
|
||||
if (inFile != PR_STDIN) {
|
||||
PR_Close(inFile);
|
||||
}
|
||||
}
|
||||
if (cms_verbose) {
|
||||
fprintf(stderr, "received commands\n");
|
||||
|
@ -1461,9 +1458,6 @@ main(int argc, char **argv)
|
|||
}
|
||||
} else {
|
||||
exitstatus = doBatchDecode(outFile, inFile, &decodeOptions);
|
||||
if (inFile != PR_STDIN) {
|
||||
PR_Close(inFile);
|
||||
}
|
||||
}
|
||||
break;
|
||||
case SIGN: /* -S */
|
||||
|
@ -1611,6 +1605,16 @@ main(int argc, char **argv)
|
|||
if (outFile != stdout)
|
||||
fclose(outFile);
|
||||
|
||||
if (inFile != PR_STDIN) {
|
||||
PR_Close(inFile);
|
||||
}
|
||||
if (envFileName) {
|
||||
PORT_Free(envFileName);
|
||||
}
|
||||
if (encryptOptions.envFile) {
|
||||
PR_Close(encryptOptions.envFile);
|
||||
}
|
||||
|
||||
SECITEM_FreeItem(&decodeOptions.content, PR_FALSE);
|
||||
SECITEM_FreeItem(&envmsg, PR_FALSE);
|
||||
SECITEM_FreeItem(&input, PR_FALSE);
|
||||
|
|
|
@ -894,7 +894,7 @@ restartHandshakeAfterServerCertIfNeeded(PRFileDesc *fd,
|
|||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
PRFileDesc *s;
|
||||
PRFileDesc *s = NULL;
|
||||
PRFileDesc *std_out;
|
||||
char *host = NULL;
|
||||
char *certDir = NULL;
|
||||
|
@ -1210,7 +1210,8 @@ main(int argc, char **argv)
|
|||
PR_AI_ADDRCONFIG | PR_AI_NOCANONNAME);
|
||||
if (!addrInfo) {
|
||||
SECU_PrintError(progName, "error looking up host");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
for (;;) {
|
||||
enumPtr = PR_EnumerateAddrInfo(enumPtr, addrInfo, portno, &addr);
|
||||
|
@ -1224,12 +1225,22 @@ main(int argc, char **argv)
|
|||
PR_FreeAddrInfo(addrInfo);
|
||||
if (enumPtr == NULL) {
|
||||
SECU_PrintError(progName, "error looking up host address");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
|
||||
printHostNameAndAddr(host, &addr);
|
||||
|
||||
if (!certDir) {
|
||||
certDir = SECU_DefaultSSLDir(); /* Look in $SSL_DIR */
|
||||
certDir = SECU_ConfigDirectory(certDir);
|
||||
} else {
|
||||
char *certDirTmp = certDir;
|
||||
certDir = SECU_ConfigDirectory(certDirTmp);
|
||||
PORT_Free(certDirTmp);
|
||||
}
|
||||
|
||||
if (pingServerFirst) {
|
||||
int iter = 0;
|
||||
PRErrorCode err;
|
||||
|
@ -1243,15 +1254,17 @@ main(int argc, char **argv)
|
|||
s = PR_OpenTCPSocket(addr.raw.family);
|
||||
if (s == NULL) {
|
||||
SECU_PrintError(progName, "Failed to create a TCP socket");
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
opt.option = PR_SockOpt_Nonblocking;
|
||||
opt.value.non_blocking = PR_FALSE;
|
||||
prStatus = PR_SetSocketOption(s, &opt);
|
||||
if (prStatus != PR_SUCCESS) {
|
||||
PR_Close(s);
|
||||
SECU_PrintError(progName,
|
||||
"Failed to set blocking socket option");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
if (pingTimeoutSeconds >= 0) {
|
||||
timeoutInterval = PR_SecondsToInterval(pingTimeoutSeconds);
|
||||
|
@ -1259,45 +1272,39 @@ main(int argc, char **argv)
|
|||
prStatus = PR_Connect(s, &addr, timeoutInterval);
|
||||
if (prStatus == PR_SUCCESS) {
|
||||
PR_Shutdown(s, PR_SHUTDOWN_BOTH);
|
||||
PR_Close(s);
|
||||
PR_Cleanup();
|
||||
return 0;
|
||||
goto done;
|
||||
}
|
||||
err = PR_GetError();
|
||||
if ((err != PR_CONNECT_REFUSED_ERROR) &&
|
||||
(err != PR_CONNECT_RESET_ERROR)) {
|
||||
SECU_PrintError(progName, "TCP Connection failed");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
PR_Close(s);
|
||||
s = NULL;
|
||||
PR_Sleep(PR_MillisecondsToInterval(WAIT_INTERVAL));
|
||||
} while (++iter < max_attempts);
|
||||
SECU_PrintError(progName,
|
||||
"Client timed out while waiting for connection to server");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* open the cert DB, the key DB, and the secmod DB. */
|
||||
if (!certDir) {
|
||||
certDir = SECU_DefaultSSLDir(); /* Look in $SSL_DIR */
|
||||
certDir = SECU_ConfigDirectory(certDir);
|
||||
} else {
|
||||
char *certDirTmp = certDir;
|
||||
certDir = SECU_ConfigDirectory(certDirTmp);
|
||||
PORT_Free(certDirTmp);
|
||||
}
|
||||
|
||||
if (openDB) {
|
||||
rv = NSS_Init(certDir);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "unable to open cert database");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
} else {
|
||||
rv = NSS_NoDB_Init(NULL);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "failed to initialize NSS");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1324,7 +1331,8 @@ main(int argc, char **argv)
|
|||
s = PR_OpenTCPSocket(addr.raw.family);
|
||||
if (s == NULL) {
|
||||
SECU_PrintError(progName, "error creating socket");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
opt.option = PR_SockOpt_Nonblocking;
|
||||
|
@ -1338,19 +1346,22 @@ main(int argc, char **argv)
|
|||
s = SSL_ImportFD(NULL, s);
|
||||
if (s == NULL) {
|
||||
SECU_PrintError(progName, "error importing socket");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
rv = SSL_OptionSet(s, SSL_SECURITY, 1);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "error enabling socket");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
rv = SSL_OptionSet(s, SSL_HANDSHAKE_AS_CLIENT, 1);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "error enabling client handshake");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* all SSL3 cipher suites are enabled by default. */
|
||||
|
@ -1399,49 +1410,56 @@ main(int argc, char **argv)
|
|||
rv = SSL_VersionRangeSet(s, &enabledVersions);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "error setting SSL/TLS version range ");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* enable PKCS11 bypass */
|
||||
rv = SSL_OptionSet(s, SSL_BYPASS_PKCS11, bypassPKCS11);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "error enabling PKCS11 bypass");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* disable SSL socket locking */
|
||||
rv = SSL_OptionSet(s, SSL_NO_LOCKS, disableLocking);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "error disabling SSL socket locking");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* enable Session Ticket extension. */
|
||||
rv = SSL_OptionSet(s, SSL_ENABLE_SESSION_TICKETS, enableSessionTickets);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "error enabling Session Ticket extension");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* enable compression. */
|
||||
rv = SSL_OptionSet(s, SSL_ENABLE_DEFLATE, enableCompression);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "error enabling compression");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* enable false start. */
|
||||
rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "error enabling false start");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (forceFallbackSCSV) {
|
||||
rv = SSL_OptionSet(s, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "error forcing fallback scsv");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1449,7 +1467,8 @@ main(int argc, char **argv)
|
|||
rv = SSL_OptionSet(s, SSL_ENABLE_OCSP_STAPLING, enableCertStatus);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "error enabling cert status (OCSP stapling)");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* enable extended master secret mode */
|
||||
|
@ -1457,7 +1476,8 @@ main(int argc, char **argv)
|
|||
rv = SSL_OptionSet(s, SSL_ENABLE_EXTENDED_MASTER_SECRET, PR_TRUE);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "error enabling extended master secret");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1466,7 +1486,8 @@ main(int argc, char **argv)
|
|||
rv = SSL_OptionSet(s, SSL_REQUIRE_DH_NAMED_GROUPS, PR_TRUE);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "error enabling extended master secret");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1475,7 +1496,8 @@ main(int argc, char **argv)
|
|||
enableSignedCertTimestamps);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "error enabling signed cert timestamps");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
SSL_SetPKCS11PinArg(s, &pwdata);
|
||||
|
@ -1511,14 +1533,16 @@ main(int argc, char **argv)
|
|||
filesReady = PR_Poll(pollset, 1, PR_INTERVAL_NO_TIMEOUT);
|
||||
if (filesReady < 0) {
|
||||
SECU_PrintError(progName, "unable to connect (poll)");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
FPRINTF(stderr,
|
||||
"%s: PR_Poll returned 0x%02x for socket out_flags.\n",
|
||||
progName, pollset[SSOCK_FD].out_flags);
|
||||
if (filesReady == 0) { /* shouldn't happen! */
|
||||
FPRINTF(stderr, "%s: PR_Poll returned zero!\n", progName);
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
status = PR_GetConnectStatus(pollset);
|
||||
if (status == PR_SUCCESS) {
|
||||
|
@ -1526,14 +1550,16 @@ main(int argc, char **argv)
|
|||
}
|
||||
if (PR_GetError() != PR_IN_PROGRESS_ERROR) {
|
||||
SECU_PrintError(progName, "unable to connect (poll)");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
SECU_PrintError(progName, "poll");
|
||||
milliPause(50 * multiplier);
|
||||
}
|
||||
} else {
|
||||
SECU_PrintError(progName, "unable to connect");
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1611,7 +1637,8 @@ main(int argc, char **argv)
|
|||
}
|
||||
if (filesReady == 0) { /* shouldn't happen! */
|
||||
FPRINTF(stderr, "%s: PR_Poll returned zero!\n", progName);
|
||||
return 1;
|
||||
error = 1;
|
||||
goto done;
|
||||
}
|
||||
FPRINTF(stderr, "%s: PR_Poll returned!\n", progName);
|
||||
if (pollset[STDIN_FD].in_flags) {
|
||||
|
@ -1738,10 +1765,15 @@ done:
|
|||
}
|
||||
PORT_Free(host);
|
||||
|
||||
PR_Close(s);
|
||||
SSL_ClearSessionCache();
|
||||
if (NSS_Shutdown() != SECSuccess) {
|
||||
exit(1);
|
||||
if (s) {
|
||||
PR_Close(s);
|
||||
}
|
||||
|
||||
if (NSS_IsInitialized()) {
|
||||
SSL_ClearSessionCache();
|
||||
if (NSS_Shutdown() != SECSuccess) {
|
||||
error = 1;
|
||||
}
|
||||
}
|
||||
|
||||
FPRINTF(stderr, "tstclnt: exiting with return code %d\n", error);
|
||||
|
|
|
@ -10,4 +10,3 @@
|
|||
*/
|
||||
|
||||
#error "Do not include this header file."
|
||||
|
||||
|
|
|
@ -1,130 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
OS=`uname -s`
|
||||
ARCH=`uname -p`
|
||||
SCRIPT_DIR=`pwd`
|
||||
DATE=`date +%Y%m%d`
|
||||
|
||||
if [ $# -ne 1 ]; then
|
||||
echo "Usage: $0 [securitytip|securityjes5]"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
BRANCH="$1"
|
||||
|
||||
if [ "${BRANCH}" != "securitytip" -a "${BRANCH}" != "securityjes5" ]; then
|
||||
echo "Usage: $0 [securitytip|securityjes5]"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
COV_DIR="/share/builds/mccrel3/security/coverage"
|
||||
BRANCH_DIR="${COV_DIR}/${BRANCH}"
|
||||
DATE_DIR="${BRANCH_DIR}/${DATE}-${ARCH}"
|
||||
CVS_DIR="${DATE_DIR}/cvs_mozilla"
|
||||
TCOV_DIR="${DATE_DIR}/tcov_mozilla"
|
||||
|
||||
CVS_CHECKOUT_BRANCH="cvs_checkout_${BRANCH}"
|
||||
|
||||
export HOST=`hostname`
|
||||
export DOMSUF=red.iplanet.com
|
||||
|
||||
export NSS_ECC_MORE_THAN_SUITE_B=1
|
||||
export IOPR_HOSTADDR_LIST="dochinups.red.iplanet.com"
|
||||
export NSS_AIA_PATH="/share/builds/mccrel3/security/aia_certs"
|
||||
export NSS_AIA_HTTP="http://cindercone.red.iplanet.com/share/builds/mccrel3/security/aia_certs"
|
||||
|
||||
export USE_TCOV=1
|
||||
export SUN_PROFDATA_DIR="${DATE_DIR}"
|
||||
export SUN_PROFDATA="tcov_data"
|
||||
|
||||
if [ "${OS}" != "SunOS" ]; then
|
||||
echo "OS not supported"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
case "${ARCH}" in
|
||||
"sparc")
|
||||
export PATH="/usr/dist/share/sunstudio_sparc,v12.0/SUNWspro/prod/bin:/usr/sfw/bin:/usr/bin:/usr/ccs/bin:/usr/ucb:/tools/ns/bin:/usr/local/bin"
|
||||
;;
|
||||
"i386")
|
||||
export PATH="/usr/dist/share/sunstudio_i386,v12.0/SUNWspro/bin:/usr/sfw/bin:/usr/bin:/usr/ccs/bin:/usr/ucb:/tools/ns/bin:/usr/local/bin"
|
||||
;;
|
||||
*)
|
||||
echo "Platform not supported"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
cvs_checkout_securitytip()
|
||||
{
|
||||
cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -A mozilla/nsprpub
|
||||
cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -A mozilla/dbm
|
||||
cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -A mozilla/security/dbm
|
||||
cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -A mozilla/security/coreconf
|
||||
cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -A mozilla/security/nss
|
||||
cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -A mozilla/security/jss
|
||||
cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -A -r NSS_3_11_1_RTM mozilla/security/nss/lib/freebl/ecl/ecl-curve.h
|
||||
}
|
||||
|
||||
cvs_checkout_securityjes5()
|
||||
{
|
||||
cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -A -r NSPR_4_6_BRANCH mozilla/nsprpub
|
||||
cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -A -r NSS_3_11_BRANCH mozilla/dbm
|
||||
cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -A -r NSS_3_11_BRANCH mozilla/security/dbm
|
||||
cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -A -r NSS_3_11_BRANCH mozilla/security/coreconf
|
||||
cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -A -r NSS_3_11_BRANCH mozilla/security/nss
|
||||
cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -A -r JSS_4_2_BRANCH mozilla/security/jss
|
||||
cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -A -r NSS_3_11_1_RTM mozilla/security/nss/lib/freebl/ecl/ecl-curve.h
|
||||
}
|
||||
|
||||
cvs_checkout()
|
||||
{
|
||||
rm -rf "${DATE_DIR}"
|
||||
mkdir -p "${CVS_DIR}"
|
||||
cd "${CVS_DIR}"
|
||||
|
||||
${CVS_CHECKOUT_BRANCH}
|
||||
}
|
||||
|
||||
run_build()
|
||||
{
|
||||
cd "${CVS_DIR}/mozilla/security/nss"
|
||||
gmake nss_build_all
|
||||
}
|
||||
|
||||
run_tests()
|
||||
{
|
||||
cd "${CVS_DIR}/mozilla/security/nss/tests"
|
||||
./all.sh
|
||||
}
|
||||
|
||||
process_results()
|
||||
{
|
||||
rm -rf "${TCOV_DIR}"
|
||||
mkdir -p "${TCOV_DIR}"
|
||||
|
||||
cat "${SUN_PROFDATA_DIR}/${SUN_PROFDATA}/tcovd" | grep SRCFILE | grep "${CVS_DIR}/.*.c$" | sed "s:[^/]*\(.*\):\1:" | sort -u |
|
||||
while read line
|
||||
do
|
||||
DIR=`echo "${line}" | sed "s:${CVS_DIR}/\(.*\)/.*:\1:"`
|
||||
FILE=`echo "${line}" | sed "s:.*/\(.*\):\1:"`
|
||||
|
||||
mkdir -p "${TCOV_DIR}/${DIR}"
|
||||
tcov -o "${TCOV_DIR}/${DIR}/$FILE" -x "${SUN_PROFDATA}" $line >/dev/null 2>&1
|
||||
done
|
||||
}
|
||||
|
||||
cvs_checkout
|
||||
run_build
|
||||
run_tests
|
||||
process_results
|
||||
|
||||
cd "${SCRIPT_DIR}"
|
||||
./report.sh "${BRANCH}" "${DATE}" "${ARCH}"
|
||||
|
||||
exit 0
|
||||
|
|
@ -1,206 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
OS=`uname -s`
|
||||
ARCH=`uname -p`
|
||||
SCRIPT_DIR=`pwd`
|
||||
DATE=`date +%Y-%m-%d`
|
||||
|
||||
if [ $# -lt 1 -o $# -gt 3 ]; then
|
||||
echo "Usage: $0 [securitytip|securityjes5] <date> <architecture>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
BRANCH="$1"
|
||||
|
||||
if [ "${BRANCH}" != "securitytip" -a "${BRANCH}" != "securityjes5" ]; then
|
||||
echo "Usage: $0 [securitytip|securityjes5] <date> <architecture>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ $# -ge 2 ]; then
|
||||
DATE=$2
|
||||
fi
|
||||
|
||||
if [ $# -ge 3 ]; then
|
||||
ARCH=$3
|
||||
fi
|
||||
|
||||
HEADER="Code Coverage - NSS - ${BRANCH} - ${OS}/${ARCH} - ${DATE}"
|
||||
|
||||
COV_DIR="/share/builds/mccrel3/security/coverage"
|
||||
BRANCH_DIR="${COV_DIR}/${BRANCH}"
|
||||
DATE_DIR="${BRANCH_DIR}/${DATE}-${ARCH}"
|
||||
CVS_DIR="${DATE_DIR}/cvs_mozilla"
|
||||
TCOV_DIR="${DATE_DIR}/tcov_mozilla"
|
||||
OUTPUT="${DATE_DIR}/nss.html"
|
||||
|
||||
LIB_PATH="/mozilla/security/nss/lib"
|
||||
CVS_PATH="${CVS_DIR}${LIB_PATH}"
|
||||
TCOV_PATH="${TCOV_DIR}${LIB_PATH}"
|
||||
|
||||
MIN_GREEN=70
|
||||
MIN_YELLOW=40
|
||||
|
||||
print_header()
|
||||
{
|
||||
echo "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final\">"
|
||||
echo "<HTML><HEAD><TITLE>${HEADER}</TITLE></HEAD><BODY>"
|
||||
echo "<TABLE ALIGN=\"CENTER\" WIDTH=\"100%\">"
|
||||
echo "<TR><TH BGCOLOR=\"GREY\"><H2>${HEADER}</H2></TH></TR>"
|
||||
echo "</TABLE><BR>"
|
||||
}
|
||||
|
||||
print_footer()
|
||||
{
|
||||
echo "</BODY></HTML>"
|
||||
}
|
||||
|
||||
print_notes()
|
||||
{
|
||||
echo "<TABLE ALIGN=\"CENTER\" WIDTH=\"100%\">"
|
||||
echo "<TR ALIGN=\"CENTER\" BGCOLOR=\"LIGHTGREY\"><TD><A HREF=\"http://wikihome.sfbay.sun.com/jes-security/Wiki.jsp?page=Code_Coverage_Test_Execution\">Test Execution Notes</A></TD></TR>"
|
||||
echo "</TABLE><BR>"
|
||||
}
|
||||
|
||||
print_legend()
|
||||
{
|
||||
echo "<TABLE ALIGN=\"CENTER\" WIDTH=\"100%\">"
|
||||
echo "<TR ALIGN=\"CENTER\" BGCOLOR=\"GREY\"><TH>Legend</TH></TR>"
|
||||
echo "<TR ALIGN=\"CENTER\" BGCOLOR=\"LIGHTGREEN\"><TD>${MIN_GREEN}% - 100% of blocks tested</TD></TR>"
|
||||
echo "<TR ALIGN=\"CENTER\" BGCOLOR=\"YELLOW\"><TD>${MIN_YELLOW}% - ${MIN_GREEN}% of blocks tested</TD></TR>"
|
||||
echo "<TR ALIGN=\"CENTER\" BGCOLOR=\"ORANGE\"><TD>0% - ${MIN_YELLOW}% of blocks tested</TD></TR>"
|
||||
echo "<TR ALIGN=\"CENTER\" BGCOLOR=\"RED\"><TD>File not tested (these files are not included into statistics)</TD></TR>"
|
||||
echo "</TABLE>"
|
||||
}
|
||||
|
||||
set_color()
|
||||
{
|
||||
if [ ${PERCENT_INT} -le ${MIN_YELLOW} ]; then
|
||||
bgcolor="ORANGE"
|
||||
elif [ ${PERCENT_INT} -le ${MIN_GREEN} ]; then
|
||||
bgcolor="YELLOW"
|
||||
else
|
||||
bgcolor="LIGHTGREEN"
|
||||
fi
|
||||
}
|
||||
|
||||
create_table()
|
||||
{
|
||||
echo "<TABLE ALIGN=\"CENTER\" WIDTH=\"100%\">"
|
||||
echo "<TR><TH BGCOLOR=\"GREY\" COLSPAN=\"2\">${DIR}</TH></TR>"
|
||||
echo "<TR BGCOLOR=\"DARKGREY\"><TH WIDTH=\"50%\">File</TH>"
|
||||
echo "<TH>Tested blocks (Tested blocks/Total blocks/Total lines)</TR>"
|
||||
}
|
||||
|
||||
close_table()
|
||||
{
|
||||
if [ "${LASTDIR}" != "" ]; then
|
||||
if [ ${DFILES} -gt 0 ]; then
|
||||
if [ ${DBLOCKS_TOTAL} -eq 0 ]; then
|
||||
PERCENT_INT=0
|
||||
else
|
||||
PERCENT_INT=`expr ${DBLOCKS_EXEC} \* 100 \/ ${DBLOCKS_TOTAL}`
|
||||
fi
|
||||
set_color
|
||||
|
||||
echo "<TR><TH BGCOLOR=\"${bgcolor}\" COLSPAN=\"2\">Total: ${PERCENT_INT}% (${DBLOCKS_EXEC}/${DBLOCKS_TOTAL})</TH></TR>"
|
||||
else
|
||||
echo "<TR><TH BGCOLOR=\"RED\" COLSPAN=\"2\">Total: Not tested</TH></TR>"
|
||||
fi
|
||||
echo "</TABLE><BR>"
|
||||
fi
|
||||
}
|
||||
|
||||
print_line()
|
||||
{
|
||||
LINES_TOTAL=`wc -l "${file}" | /usr/bin/awk '{print $1}'`
|
||||
|
||||
if [ -r "${TCOV_PATH}/${DIR}/${FILE}" ]; then
|
||||
BLOCKS_EXEC=`cat "${TCOV_PATH}/${DIR}/${FILE}" | grep "Basic blocks executed" | /usr/bin/awk '{print $1}'`
|
||||
BLOCKS_TOTAL=`cat "${TCOV_PATH}/${DIR}/${FILE}" | grep "Basic blocks in this file" | /usr/bin/awk '{print $1}'`
|
||||
|
||||
DBLOCKS_EXEC=`expr ${DBLOCKS_EXEC} + ${BLOCKS_EXEC}`
|
||||
DBLOCKS_TOTAL=`expr ${DBLOCKS_TOTAL} + ${BLOCKS_TOTAL}`
|
||||
TBLOCKS_EXEC=`expr ${TBLOCKS_EXEC} + ${BLOCKS_EXEC}`
|
||||
TBLOCKS_TOTAL=`expr ${TBLOCKS_TOTAL} + ${BLOCKS_TOTAL}`
|
||||
|
||||
TFILES=`expr ${TFILES} + 1`
|
||||
DFILES=`expr ${DFILES} + 1`
|
||||
|
||||
PERCENT_EXEC=`cat "${TCOV_PATH}/${DIR}/${FILE}" | grep "Percent of the file executed" | /usr/bin/awk '{print $1}'`
|
||||
PERCENT_INT=`echo ${PERCENT_EXEC} | cut -d. -f1`
|
||||
set_color
|
||||
|
||||
echo "<TR><TD BGCOLOR=\"LIGHTGREY\"><A HREF=\"${TCOV_PATH}/${DIR}/${FILE}\">${FILE}</A></TD>"
|
||||
echo "<TD BGCOLOR=\"${bgcolor}\">${PERCENT_EXEC}% (${BLOCKS_EXEC}/${BLOCKS_TOTAL}/${LINES_TOTAL})</TD></TR>"
|
||||
else
|
||||
echo "<TR><TD BGCOLOR=\"LIGHTGREY\"><A HREF=\"${file}\">${FILE}</A></TD>"
|
||||
echo "<TD BGCOLOR=\"RED\">Not tested (0/?/${LINES_TOTAL})</TD></TR>"
|
||||
fi
|
||||
}
|
||||
|
||||
print_total()
|
||||
{
|
||||
echo "<TABLE ALIGN=\"CENTER\" WIDTH=\"100%\">"
|
||||
if [ ${TFILES} -gt 0 ]; then
|
||||
if [ ${TBLOCKS_TOTAL} -eq 0 ]; then
|
||||
PERCENT_INT=0
|
||||
else
|
||||
PERCENT_INT=`expr ${TBLOCKS_EXEC} \* 100 \/ ${TBLOCKS_TOTAL}`
|
||||
fi
|
||||
set_color
|
||||
|
||||
echo "<TR><TH BGCOLOR=\"${bgcolor}\"><H2>Total: ${PERCENT_INT}% (${TBLOCKS_EXEC}/${TBLOCKS_TOTAL})</H2></TH></TR>"
|
||||
else
|
||||
echo "<TR><TH BGCOLOR=\"RED\"><H2>Total: Not tested</H2></TH></TR>"
|
||||
fi
|
||||
echo "</TABLE><BR>"
|
||||
}
|
||||
|
||||
process_cmd()
|
||||
{
|
||||
LASTDIR=""
|
||||
TBLOCKS_EXEC=0
|
||||
TBLOCKS_TOTAL=0
|
||||
TFILES=0
|
||||
|
||||
for dir in `find "${CVS_PATH}" -type d | sort`
|
||||
do
|
||||
DIR=`echo "${dir}" | sed "s:^${CVS_PATH}/::"`
|
||||
for file in `ls -1 ${dir}/*.c 2> /dev/null`
|
||||
do
|
||||
if [ "${DIR}" != "${LASTDIR}" ]; then
|
||||
close_table
|
||||
create_table
|
||||
|
||||
LASTDIR="${DIR}";
|
||||
DBLOCKS_EXEC=0
|
||||
DBLOCKS_TOTAL=0
|
||||
DFILES=0
|
||||
fi
|
||||
|
||||
FILE=`echo "${file}" | sed "s:^.*/\(.*.c\):\1:"`
|
||||
print_line
|
||||
done
|
||||
done
|
||||
|
||||
close_table
|
||||
print_total
|
||||
}
|
||||
|
||||
report()
|
||||
{
|
||||
print_header > "${OUTPUT}"
|
||||
print_notes >> "${OUTPUT}"
|
||||
process_cmd >> "${OUTPUT}"
|
||||
print_legend >> "${OUTPUT}"
|
||||
print_footer >> "${OUTPUT}"
|
||||
}
|
||||
|
||||
report
|
||||
|
||||
exit 0
|
|
@ -184,15 +184,16 @@ PRBool sslint_DamageTrafficSecret(PRFileDesc *fd,
|
|||
return PR_FALSE;
|
||||
}
|
||||
keyPtr = (PK11SymKey **)((char *)&ss->ssl3.hs + offset);
|
||||
if (!keyPtr)
|
||||
if (!*keyPtr) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
PK11_FreeSymKey(*keyPtr);
|
||||
*keyPtr = PK11_ImportSymKey(slot,
|
||||
CKM_NSS_HKDF_SHA256, PK11_OriginUnwrap,
|
||||
*keyPtr = PK11_ImportSymKey(slot, CKM_NSS_HKDF_SHA256, PK11_OriginUnwrap,
|
||||
CKA_DERIVE, &key_item, NULL);
|
||||
PK11_FreeSlot(slot);
|
||||
if (!*keyPtr)
|
||||
if (!*keyPtr) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
|
||||
return PR_TRUE;
|
||||
}
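Review bot: The new `if (!*keyPtr)` early return exits before `PK11_FreeSlot(slot)`, which this hunk only reaches after `PK11_ImportSymKey`, so the slot reference appears to leak on that path. The slot is acquired above the hunk, so this is inferred from the later free rather than seen directly. If it holds, release the slot before returning: `if (!*keyPtr) { PK11_FreeSlot(slot); return PR_FALSE; }`. Any earlier `return PR_FALSE` that follows the slot acquisition would need the same treatment; the function starts outside the hunk.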
|
||||
|
|
|
@ -10,6 +10,7 @@
|
|||
#include "sslproto.h"
|
||||
#include <memory>
|
||||
#include <functional>
|
||||
#include <set>
|
||||
|
||||
#include "scoped_ptrs.h"
|
||||
#include "tls_parser.h"
|
||||
|
@ -25,22 +26,131 @@ TEST_P(TlsConnectGeneric, ConnectDhe) {
|
|||
CheckKeys(ssl_kea_dh, ssl_auth_rsa_sign);
|
||||
}
|
||||
|
||||
// Track groups and make sure that there are no duplicates.
|
||||
class CheckDuplicateGroup {
|
||||
public:
|
||||
void AddAndCheckGroup(uint16_t group) {
|
||||
EXPECT_EQ(groups_.end(), groups_.find(group))
|
||||
<< "Group " << group << " should not be duplicated";
|
||||
groups_.insert(group);
|
||||
}
|
||||
|
||||
private:
|
||||
std::set<uint16_t> groups_;
|
||||
};
|
||||
|
||||
// Check the group of each of the supported groups
|
||||
static void CheckGroups(const DataBuffer& groups,
|
||||
std::function<void(uint16_t)> check_group) {
|
||||
CheckDuplicateGroup group_set;
|
||||
uint32_t tmp;
|
||||
EXPECT_TRUE(groups.Read(0, 2, &tmp));
|
||||
EXPECT_EQ(groups.len() - 2, static_cast<size_t>(tmp));
|
||||
for (size_t i = 2; i < groups.len(); i += 2) {
|
||||
EXPECT_TRUE(groups.Read(i, 2, &tmp));
|
||||
uint16_t group = static_cast<uint16_t>(tmp);
|
||||
group_set.AddAndCheckGroup(group);
|
||||
check_group(group);
|
||||
}
|
||||
}
|
||||
|
||||
// Check the group of each of the shares
|
||||
static void CheckShares(const DataBuffer& shares,
|
||||
std::function<void(uint16_t)> check_group) {
|
||||
CheckDuplicateGroup group_set;
|
||||
uint32_t tmp;
|
||||
EXPECT_TRUE(shares.Read(0, 2, &tmp));
|
||||
EXPECT_EQ(shares.len() - 2, static_cast<size_t>(tmp));
|
||||
size_t i;
|
||||
for(i = 2; i < shares.len(); i += 4 + tmp) {
|
||||
ASSERT_TRUE(shares.Read(i, 2, &tmp));
|
||||
uint16_t group = static_cast<uint16_t>(tmp);
|
||||
group_set.AddAndCheckGroup(group);
|
||||
check_group(group);
|
||||
ASSERT_TRUE(shares.Read(i + 2, 2, &tmp));
|
||||
}
|
||||
EXPECT_EQ(shares.len(), i);
|
||||
}
|
||||
|
||||
#ifdef NSS_ENABLE_TLS_1_3
|
||||
TEST_P(TlsConnectTls13, SharesForBothEcdheAndDhe) {
|
||||
EnsureTlsSetup();
|
||||
client_->DisableAllCiphers();
|
||||
client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
|
||||
client_->EnableCiphersByKeyExchange(ssl_kea_dh);
|
||||
|
||||
auto groups_capture = new TlsExtensionCapture(ssl_supported_groups_xtn);
|
||||
auto shares_capture = new TlsExtensionCapture(ssl_tls13_key_share_xtn);
|
||||
std::vector<PacketFilter*> captures;
|
||||
captures.push_back(groups_capture);
|
||||
captures.push_back(shares_capture);
|
||||
client_->SetPacketFilter(new ChainedPacketFilter(captures));
|
||||
|
||||
Connect();
|
||||
|
||||
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
|
||||
|
||||
bool ec, dh;
|
||||
auto track_group_type = [&ec, &dh](uint16_t group) {
|
||||
if ((group & 0xff00U) == 0x100U) {
|
||||
dh = true;
|
||||
} else {
|
||||
ec = true;
|
||||
}
|
||||
};
|
||||
CheckGroups(groups_capture->extension(), track_group_type);
|
||||
CheckShares(shares_capture->extension(), track_group_type);
|
||||
EXPECT_TRUE(ec) << "Should include an EC group and share";
|
||||
EXPECT_TRUE(dh) << "Should include an FFDHE group and share";
|
||||
}
|
||||
|
||||
TEST_P(TlsConnectTls13, NoDheOnEcdheConnections) {
|
||||
EnsureTlsSetup();
|
||||
client_->DisableAllCiphers();
|
||||
client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
|
||||
|
||||
auto groups_capture = new TlsExtensionCapture(ssl_supported_groups_xtn);
|
||||
auto shares_capture = new TlsExtensionCapture(ssl_tls13_key_share_xtn);
|
||||
std::vector<PacketFilter*> captures;
|
||||
captures.push_back(groups_capture);
|
||||
captures.push_back(shares_capture);
|
||||
client_->SetPacketFilter(new ChainedPacketFilter(captures));
|
||||
|
||||
Connect();
|
||||
|
||||
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
|
||||
auto is_ecc = [](uint16_t group) {
|
||||
EXPECT_NE(0x100U, group & 0xff00U);
|
||||
};
|
||||
CheckGroups(groups_capture->extension(), is_ecc);
|
||||
CheckShares(shares_capture->extension(), is_ecc);
|
||||
}
|
||||
#endif
|
||||
|
||||
TEST_P(TlsConnectGeneric, ConnectFfdheClient) {
|
||||
EnableOnlyDheCiphers();
|
||||
EXPECT_EQ(SECSuccess,
|
||||
SSL_OptionSet(client_->ssl_fd(),
|
||||
SSL_REQUIRE_DH_NAMED_GROUPS, PR_TRUE));
|
||||
auto clientCapture = new TlsExtensionCapture(ssl_supported_groups_xtn);
|
||||
client_->SetPacketFilter(clientCapture);
|
||||
auto groups_capture = new TlsExtensionCapture(ssl_supported_groups_xtn);
|
||||
auto shares_capture = new TlsExtensionCapture(ssl_tls13_key_share_xtn);
|
||||
std::vector<PacketFilter*> captures;
|
||||
captures.push_back(groups_capture);
|
||||
captures.push_back(shares_capture);
|
||||
client_->SetPacketFilter(new ChainedPacketFilter(captures));
|
||||
|
||||
Connect();
|
||||
|
||||
CheckKeys(ssl_kea_dh, ssl_auth_rsa_sign);
|
||||
|
||||
// Extension value: length + FFDHE 2048 group identifier.
|
||||
const uint8_t val[] = { 0x00, 0x02, 0x01, 0x00 };
|
||||
DataBuffer expected_groups(val, sizeof(val));
|
||||
EXPECT_EQ(expected_groups, clientCapture->extension());
|
||||
auto is_ffdhe_2048 = [](uint16_t group) {
|
||||
EXPECT_EQ(0x100U, group);
|
||||
};
|
||||
CheckGroups(groups_capture->extension(), is_ffdhe_2048);
|
||||
if (version_ == SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
CheckShares(shares_capture->extension(), is_ffdhe_2048);
|
||||
} else {
|
||||
EXPECT_EQ(0U, shares_capture->extension().len());
|
||||
}
|
||||
}
|
||||
|
||||
// Requiring the FFDHE extension on the server alone means that clients won't be
|
||||
|
@ -412,12 +522,7 @@ TEST_P(TlsConnectGenericPre13, WeakDHGroup) {
|
|||
Connect();
|
||||
}
|
||||
|
||||
#ifdef NSS_ENABLE_TLS_1_3
|
||||
|
||||
// In the absence of HelloRetryRequest, enabling only the 3072-bit group causes
|
||||
// the TLS 1.3 handshake to fail because the client will only add the 2048-bit
|
||||
// group to its ClientHello.
|
||||
TEST_P(TlsConnectTls13, DisableFfdhe2048) {
|
||||
TEST_P(TlsConnectGeneric, Ffdhe3072) {
|
||||
EnableOnlyDheCiphers();
|
||||
static const SSLDHEGroupType groups[] = { ssl_ff_dhe_3072_group };
|
||||
EXPECT_EQ(SECSuccess,
|
||||
|
@ -426,16 +531,12 @@ TEST_P(TlsConnectTls13, DisableFfdhe2048) {
|
|||
EXPECT_EQ(SECSuccess,
|
||||
SSL_DHEGroupPrefSet(server_->ssl_fd(), groups,
|
||||
PR_ARRAY_SIZE(groups)));
|
||||
EXPECT_EQ(SECSuccess,
|
||||
SSL_OptionSet(server_->ssl_fd(),
|
||||
SSL_REQUIRE_DH_NAMED_GROUPS, PR_TRUE));
|
||||
|
||||
ConnectExpectFail();
|
||||
|
||||
server_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
|
||||
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
|
||||
Connect();
|
||||
}
|
||||
|
||||
#ifdef NSS_ENABLE_TLS_1_3
|
||||
|
||||
TEST_P(TlsConnectTls13, ResumeFfdhe) {
|
||||
EnableOnlyDheCiphers();
|
||||
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
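Review bot: In `SharesForBothEcdheAndDhe`, `bool ec, dh;` is declared without initial values and the `track_group_type` lambda only ever assigns `true`, so `EXPECT_TRUE(ec)` and `EXPECT_TRUE(dh)` read an indeterminate value whenever no matching group or share is seen. That is undefined behaviour, and it lets the test pass without the property it is meant to check. Initialise both flags: `bool ec = false;` and `bool dh = false;`. Separately, `CheckGroups` and `CheckShares` read the leading length with `EXPECT_TRUE(...Read(0, 2, &tmp))` and then compare `tmp`, so a failed read leaves `tmp` unset for the following `EXPECT_EQ`. Using `ASSERT_TRUE` there would match the loop body of `CheckShares`.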
|
||||
|
|
|
@ -187,6 +187,8 @@ SECStatus TlsAgent::GetClientAuthDataHook(void* self, PRFileDesc* fd,
|
|||
CERTCertificate** cert,
|
||||
SECKEYPrivateKey** privKey) {
|
||||
TlsAgent* agent = reinterpret_cast<TlsAgent*>(self);
|
||||
ScopedCERTCertificate peerCert(SSL_PeerCertificate(agent->ssl_fd()));
|
||||
EXPECT_TRUE(peerCert) << "Client should be able to see the server cert";
|
||||
if (agent->GetClientAuthCredentials(cert, privKey)) {
|
||||
return SECSuccess;
|
||||
}
|
||||
|
|
|
@ -803,6 +803,7 @@ ec_GFp_sub_5(const mp_int *a, const mp_int *b, mp_int *r,
|
|||
MP_ADD_CARRY(b1, r1, r1, borrow);
|
||||
MP_ADD_CARRY(b2, r2, r2, borrow);
|
||||
MP_ADD_CARRY(b3, r3, r3, borrow);
|
||||
MP_ADD_CARRY(b4, r4, r4, borrow);
|
||||
}
|
||||
MP_CHECKOK(s_mp_pad(r, 5));
|
||||
MP_DIGIT(r, 4) = r4;
|
||||
|
@ -880,6 +881,7 @@ ec_GFp_sub_6(const mp_int *a, const mp_int *b, mp_int *r,
|
|||
MP_ADD_CARRY(b2, r2, r2, borrow);
|
||||
MP_ADD_CARRY(b3, r3, r3, borrow);
|
||||
MP_ADD_CARRY(b4, r4, r4, borrow);
|
||||
MP_ADD_CARRY(b5, r5, r5, borrow);
|
||||
}
|
||||
|
||||
MP_CHECKOK(s_mp_pad(r, 6));
|
||||
|
|
|
@ -74,20 +74,23 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
|
|||
MP_ADD_CARRY(r5, a13, r5, carry);
|
||||
MP_ADD_CARRY(r6, a14, r6, carry);
|
||||
MP_ADD_CARRY(r7, a15, r7, carry);
|
||||
r8 = carry; carry = 0;
|
||||
r8 = carry;
|
||||
carry = 0;
|
||||
MP_ADD_CARRY(r3, a11, r3, carry);
|
||||
MP_ADD_CARRY(r4, a12, r4, carry);
|
||||
MP_ADD_CARRY(r5, a13, r5, carry);
|
||||
MP_ADD_CARRY(r6, a14, r6, carry);
|
||||
MP_ADD_CARRY(r7, a15, r7, carry);
|
||||
r8 += carry; carry = 0;
|
||||
r8 += carry;
|
||||
carry = 0;
|
||||
/* sum 2 */
|
||||
MP_ADD_CARRY(r3, a12, r3, carry);
|
||||
MP_ADD_CARRY(r4, a13, r4, carry);
|
||||
MP_ADD_CARRY(r5, a14, r5, carry);
|
||||
MP_ADD_CARRY(r6, a15, r6, carry);
|
||||
MP_ADD_CARRY(r7, 0, r7, carry);
|
||||
r8 += carry; carry = 0;
|
||||
r8 += carry;
|
||||
carry = 0;
|
||||
/* combine last bottom of sum 3 with second sum 2 */
|
||||
MP_ADD_CARRY(r0, a8, r0, carry);
|
||||
MP_ADD_CARRY(r1, a9, r1, carry);
|
||||
|
@ -97,11 +100,13 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
|
|||
MP_ADD_CARRY(r5, a14, r5, carry);
|
||||
MP_ADD_CARRY(r6, a15, r6, carry);
|
||||
MP_ADD_CARRY(r7, a15, r7, carry); /* from sum 3 */
|
||||
r8 += carry; carry = 0;
|
||||
r8 += carry;
|
||||
carry = 0;
|
||||
/* sum 3 (rest of it)*/
|
||||
MP_ADD_CARRY(r6, a14, r6, carry);
|
||||
MP_ADD_CARRY(r7, 0, r7, carry);
|
||||
r8 += carry; carry = 0;
|
||||
r8 += carry;
|
||||
carry = 0;
|
||||
/* sum 4 (rest of it)*/
|
||||
MP_ADD_CARRY(r0, a9, r0, carry);
|
||||
MP_ADD_CARRY(r1, a10, r1, carry);
|
||||
|
@ -111,7 +116,8 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
|
|||
MP_ADD_CARRY(r5, a15, r5, carry);
|
||||
MP_ADD_CARRY(r6, a13, r6, carry);
|
||||
MP_ADD_CARRY(r7, a8, r7, carry);
|
||||
r8 += carry; carry = 0;
|
||||
r8 += carry;
|
||||
carry = 0;
|
||||
/* diff 5 */
|
||||
MP_SUB_BORROW(r0, a11, r0, carry);
|
||||
MP_SUB_BORROW(r1, a12, r1, carry);
|
||||
|
@ -121,7 +127,8 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
|
|||
MP_SUB_BORROW(r5, 0, r5, carry);
|
||||
MP_SUB_BORROW(r6, a8, r6, carry);
|
||||
MP_SUB_BORROW(r7, a10, r7, carry);
|
||||
r8 -= carry; carry = 0;
|
||||
r8 -= carry;
|
||||
carry = 0;
|
||||
/* diff 6 */
|
||||
MP_SUB_BORROW(r0, a12, r0, carry);
|
||||
MP_SUB_BORROW(r1, a13, r1, carry);
|
||||
|
@ -131,7 +138,8 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
|
|||
MP_SUB_BORROW(r5, 0, r5, carry);
|
||||
MP_SUB_BORROW(r6, a9, r6, carry);
|
||||
MP_SUB_BORROW(r7, a11, r7, carry);
|
||||
r8 -= carry; carry = 0;
|
||||
r8 -= carry;
|
||||
carry = 0;
|
||||
/* diff 7 */
|
||||
MP_SUB_BORROW(r0, a13, r0, carry);
|
||||
MP_SUB_BORROW(r1, a14, r1, carry);
|
||||
|
@ -141,7 +149,8 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
|
|||
MP_SUB_BORROW(r5, a10, r5, carry);
|
||||
MP_SUB_BORROW(r6, 0, r6, carry);
|
||||
MP_SUB_BORROW(r7, a12, r7, carry);
|
||||
r8 -= carry; carry = 0;
|
||||
r8 -= carry;
|
||||
carry = 0;
|
||||
/* diff 8 */
|
||||
MP_SUB_BORROW(r0, a14, r0, carry);
|
||||
MP_SUB_BORROW(r1, a15, r1, carry);
|
||||
|
@ -155,7 +164,7 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
|
|||
|
||||
/* reduce the overflows */
|
||||
while (r8 > 0) {
|
||||
mp_digit r8_d = r8; carry = 0;
|
||||
mp_digit r8_d = r8;
|
||||
carry = 0;
|
||||
MP_ADD_CARRY(r0, r8_d, r0, carry);
|
||||
MP_ADD_CARRY(r1, 0, r1, carry);
|
||||
|
@ -233,27 +242,26 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
|
|||
|
||||
/* sum 1 */
|
||||
carry = 0;
|
||||
MP_ADD_CARRY(r1, a5h << 32, r1, carry);
|
||||
MP_ADD_CARRY(r2, a6, r2, carry);
|
||||
MP_ADD_CARRY(r3, a7, r3, carry);
|
||||
r4 = carry;
|
||||
carry = 0;
|
||||
MP_ADD_CARRY(r1, a5h << 32, r1, carry);
|
||||
MP_ADD_CARRY(r2, a6, r2, carry);
|
||||
MP_ADD_CARRY(r3, a7, r3, carry);
|
||||
r4 = carry; carry = 0;
|
||||
carry = 0;
|
||||
MP_ADD_CARRY(r1, a5h << 32, r1, carry);
|
||||
MP_ADD_CARRY(r2, a6, r2, carry);
|
||||
MP_ADD_CARRY(r3, a7, r3, carry);
|
||||
r4 += carry; carry = 0;
|
||||
r4 += carry;
|
||||
/* sum 2 */
|
||||
carry = 0;
|
||||
MP_ADD_CARRY(r1, a6l, r1, carry);
|
||||
MP_ADD_CARRY(r2, a6h | a7l, r2, carry);
|
||||
MP_ADD_CARRY(r3, a7h, r3, carry);
|
||||
r4 += carry; carry = 0;
|
||||
r4 += carry;
|
||||
carry = 0;
|
||||
MP_ADD_CARRY(r1, a6l, r1, carry);
|
||||
MP_ADD_CARRY(r2, a6h | a7l, r2, carry);
|
||||
MP_ADD_CARRY(r3, a7h, r3, carry);
|
||||
r4 += carry; carry = 0;
|
||||
r4 += carry;
|
||||
|
||||
/* sum 3 */
|
||||
carry = 0;
|
||||
|
@ -261,7 +269,7 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
|
|||
MP_ADD_CARRY(r1, a5l >> 32, r1, carry);
|
||||
MP_ADD_CARRY(r2, 0, r2, carry);
|
||||
MP_ADD_CARRY(r3, a7, r3, carry);
|
||||
r4 += carry; carry = 0;
|
||||
r4 += carry;
|
||||
/* sum 4 */
|
||||
carry = 0;
|
||||
MP_ADD_CARRY(r0, a4h | a5l, r0, carry);
|
||||
|
@ -303,7 +311,6 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
|
|||
mp_digit r4_long = r4;
|
||||
mp_digit r4l = (r4_long << 32);
|
||||
carry = 0;
|
||||
carry = 0;
|
||||
MP_ADD_CARRY(r0, r4_long, r0, carry);
|
||||
MP_ADD_CARRY(r1, 0-r4l, r1, carry);
|
||||
MP_ADD_CARRY(r2, MP_DIGIT_MAX, r2, carry);
|
||||
|
|
|
@ -130,9 +130,13 @@ freebl_RunLoaderOnce( void )
|
|||
|
||||
const FREEBLVector *FREEBL_GetVector(void)
|
||||
{
|
||||
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
|
||||
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) {
|
||||
return NULL;
|
||||
return (vector->p_FREEBL_GetVector)();
|
||||
}
|
||||
if (vector) {
|
||||
return (vector->p_FREEBL_GetVector)();
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
NSSLOWInitContext *NSSLOW_Init(void)
|
||||
|
|
|
@ -525,7 +525,7 @@ mp_err mp_div_d(const mp_int *a, mp_digit d, mp_int *q, mp_digit *r)
|
|||
{
|
||||
mp_err res;
|
||||
mp_int qp;
|
||||
mp_digit rem;
|
||||
mp_digit rem = 0;
|
||||
int pow;
|
||||
|
||||
ARGCHK(a != NULL, MP_BADARG);
|
||||
|
@ -561,8 +561,9 @@ mp_err mp_div_d(const mp_int *a, mp_digit d, mp_int *q, mp_digit *r)
|
|||
if(s_mp_cmp_d(&qp, 0) == 0)
|
||||
SIGN(q) = ZPOS;
|
||||
|
||||
if(r)
|
||||
if(r) {
|
||||
*r = rem;
|
||||
}
|
||||
|
||||
if(q)
|
||||
s_mp_exch(&qp, q);
|
||||
|
@ -3290,7 +3291,7 @@ mp_err s_mp_div_d(mp_int *mp, mp_digit d, mp_digit *r)
|
|||
#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
|
||||
mp_word w = 0, q;
|
||||
#else
|
||||
mp_digit w, q;
|
||||
mp_digit w = 0, q;
|
||||
#endif
|
||||
int ix;
|
||||
mp_err res;
|
||||
|
@ -3378,8 +3379,9 @@ mp_err s_mp_div_d(mp_int *mp, mp_digit d, mp_digit *r)
|
|||
#endif
|
||||
|
||||
/* Deliver the remainder, if desired */
|
||||
if(r)
|
||||
if(r) {
|
||||
*r = (mp_digit)w;
|
||||
}
|
||||
|
||||
s_mp_clamp(");
|
||||
mp_exch(", mp);
|
||||
|
|
|
@ -410,7 +410,6 @@ mp_size mpl_significant_bits(const mp_int *a)
|
|||
|
||||
ARGCHK(a != NULL, MP_BADARG);
|
||||
|
||||
ix = MP_USED(a);
|
||||
for (ix = MP_USED(a); ix > 0; ) {
|
||||
mp_digit d;
|
||||
d = MP_DIGIT(a, --ix);
|
||||
|
|
|
@ -176,9 +176,13 @@ static unsigned int
|
|||
HASH_ResultLen(HASH_HashType type)
|
||||
{
|
||||
const SECHashObject *hash_obj = HASH_GetRawHashObject(type);
|
||||
PORT_Assert(hash_obj != NULL);
|
||||
if (hash_obj == NULL) {
|
||||
return 0;
|
||||
/* type is always a valid HashType. Thus a null hash_obj must be a bug */
|
||||
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
PORT_Assert(hash_obj->length != 0);
|
||||
return hash_obj->length;
|
||||
}
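Review bot: In HASH_ResultLen the NULL case is only enforced by `PORT_Assert(hash_obj != NULL)`, which is compiled out of non-debug builds, so there the function returns 0 and each caller has to treat a zero length as a failure rather than as an empty digest. The callers are outside this hunk, so that is worth confirming. The added `PORT_SetError(SEC_ERROR_LIBRARY_FAILURE)` also replaces the SEC_ERROR_INVALID_ARGS that HASH_GetRawHashObject sets on its own rejection path, which hides the more specific cause. I would extend the in-code comment to state the contract, e.g. `/* returns 0 with SEC_ERROR_LIBRARY_FAILURE set; callers must not use a 0 length */`.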
|
||||
|
||||
|
|
|
@ -153,7 +153,7 @@ const SECHashObject SECRawHashObjects[] = {
|
|||
const SECHashObject *
|
||||
HASH_GetRawHashObject(HASH_HashType hashType)
|
||||
{
|
||||
if (hashType < HASH_AlgNULL || hashType >= HASH_AlgTOTAL) {
|
||||
if (hashType <= HASH_AlgNULL || hashType >= HASH_AlgTOTAL) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return NULL;
|
||||
}
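Review bot: The tightened bound `hashType <= HASH_AlgNULL` makes HASH_GetRawHashObject return NULL with SEC_ERROR_INVALID_ARGS for HASH_AlgNULL itself, which the `<` form (apparently the old side; the +/- markers are lost on this page) accepted. Any caller that passes HASH_AlgNULL, or dereferences the result without a NULL check, now sees different behaviour; those callers are outside this hunk and should be audited. A short comment above the check would record the intent, e.g. `/* HASH_AlgNULL is not a usable hash; reject it together with out-of-range values */`. The function body continues past the hunk.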
|
||||
|
|
|
@ -553,7 +553,6 @@ rsa_get_primes_from_exponents(mp_int *e, mp_int *d, mp_int *p, mp_int *q,
|
|||
if (err != MP_OKAY) {
|
||||
if (err == MP_NO) {
|
||||
/* No, then we still have the wrong phi */
|
||||
err = MP_OKAY;
|
||||
continue;
|
||||
}
|
||||
goto cleanup;
|
||||
|
@ -1259,7 +1258,8 @@ get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
|
|||
|
||||
/* Put this at head of queue of usable params. */
|
||||
PZ_Lock(blindingParamsList.lock);
|
||||
holdingLock = PR_TRUE;
|
||||
holdingLock = PR_TRUE;
|
||||
(void)holdingLock;
|
||||
/* initialize RSABlindingParamsStr */
|
||||
bp->counter = RSA_BLINDING_PARAMS_MAX_REUSE;
|
||||
bp->next = rsabp->bp;
|
||||
|
@ -1285,6 +1285,7 @@ get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
|
|||
PR_WaitCondVar( blindingParamsList.cVar, PR_INTERVAL_NO_TIMEOUT );
|
||||
PZ_Unlock(blindingParamsList.lock);
|
||||
holdingLock = PR_FALSE;
|
||||
(void)holdingLock;
|
||||
} while (1);
|
||||
|
||||
cleanup:
|
||||
|
@ -1304,7 +1305,6 @@ cleanup:
|
|||
}
|
||||
if (holdingLock) {
|
||||
PZ_Unlock(blindingParamsList.lock);
|
||||
holdingLock = PR_FALSE;
|
||||
}
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
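Review bot: The `(void)holdingLock;` statements added after the assignments in get_blinding_params carry no explanation and read like leftovers; they appear to exist only to quiet a dead-store warning from a static analyser. Say so where they occur, e.g. `(void)holdingLock; /* quiet dead-store warning; the flag is read at cleanup */`, so a later cleanup pass does not remove the flag updates that the `cleanup:` unlock depends on. The function body starts and ends outside these hunks.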
|
||||
|
|
|
@ -80,6 +80,8 @@ JAR_destroy(JAR *jar)
|
|||
PORT_Free(jar->url);
|
||||
if (jar->filename)
|
||||
PORT_Free(jar->filename);
|
||||
if (jar->globalmeta)
|
||||
PORT_Free(jar->globalmeta);
|
||||
|
||||
/* Free the linked list elements */
|
||||
jar_destroy_list(jar->manifest);
|
||||
|
|
|
@ -339,17 +339,20 @@ jar_parse_any(JAR *jar, int type, JAR_Signer *signer,
|
|||
of the MF file, still in the "met" structure. */
|
||||
|
||||
if (type == jarTypeSF) {
|
||||
if (!PORT_Strcasecmp(line, "MD5-Digest"))
|
||||
if (!PORT_Strcasecmp(line, "MD5-Digest")) {
|
||||
sf_md5 = (char *)met->info;
|
||||
|
||||
if (!PORT_Strcasecmp(line, "SHA1-Digest") ||
|
||||
!PORT_Strcasecmp(line, "SHA-Digest"))
|
||||
} else if (!PORT_Strcasecmp(line, "SHA1-Digest") ||
|
||||
!PORT_Strcasecmp(line, "SHA-Digest")) {
|
||||
sf_sha1 = (char *)met->info;
|
||||
} else {
|
||||
PORT_Free(met->info);
|
||||
met->info = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
if (type != jarTypeMF) {
|
||||
PORT_Free(met->header);
|
||||
if (type != jarTypeSF) {
|
||||
if ((type != jarTypeSF || !jar->globalmeta) && met->info) {
|
||||
PORT_Free(met->info);
|
||||
}
|
||||
PORT_Free(met);
|
||||
|
@ -369,11 +372,13 @@ jar_parse_any(JAR *jar, int type, JAR_Signer *signer,
|
|||
|
||||
md5_digest = ATOB_AsciiToData(sf_md5, &md5_length);
|
||||
PORT_Assert(md5_length == MD5_LENGTH);
|
||||
PORT_Free(sf_md5);
|
||||
|
||||
if (md5_length != MD5_LENGTH)
|
||||
return JAR_ERR_CORRUPT;
|
||||
|
||||
match = PORT_Memcmp(md5_digest, glob->md5, MD5_LENGTH);
|
||||
PORT_Free(md5_digest);
|
||||
}
|
||||
|
||||
if (sf_sha1 && match == 0) {
|
||||
|
@ -382,11 +387,13 @@ jar_parse_any(JAR *jar, int type, JAR_Signer *signer,
|
|||
|
||||
sha1_digest = ATOB_AsciiToData(sf_sha1, &sha1_length);
|
||||
PORT_Assert(sha1_length == SHA1_LENGTH);
|
||||
PORT_Free(sf_sha1);
|
||||
|
||||
if (sha1_length != SHA1_LENGTH)
|
||||
return JAR_ERR_CORRUPT;
|
||||
|
||||
match = PORT_Memcmp(sha1_digest, glob->sha1, SHA1_LENGTH);
|
||||
PORT_Free(sha1_digest);
|
||||
}
|
||||
|
||||
if (match != 0) {
|
||||
|
@ -510,6 +517,7 @@ jar_parse_any(JAR *jar, int type, JAR_Signer *signer,
|
|||
}
|
||||
memcpy(dig->md5, binary_digest, MD5_LENGTH);
|
||||
dig->md5_status = jarHashPresent;
|
||||
PORT_Free(binary_digest);
|
||||
}
|
||||
|
||||
if (*x_sha) {
|
||||
|
@ -524,6 +532,7 @@ jar_parse_any(JAR *jar, int type, JAR_Signer *signer,
|
|||
}
|
||||
memcpy(dig->sha1, binary_digest, SHA1_LENGTH);
|
||||
dig->sha1_status = jarHashPresent;
|
||||
PORT_Free(binary_digest);
|
||||
}
|
||||
|
||||
PORT_Assert(type == jarTypeMF || type == jarTypeSF);
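Review bot: The early `return JAR_ERR_CORRUPT` after the `md5_length != MD5_LENGTH` check leaves `md5_digest`, the buffer returned by ATOB_AsciiToData, unreleased, and the SHA-1 branch has the same shape with `sha1_digest`. This commit adds `PORT_Free(sf_md5)` and `PORT_Free(sf_sha1)` just above those checks, so the decoded buffers are what still leaks on the malformed-input path. Release them before returning: `if (md5_length != MD5_LENGTH) { PORT_Free(md5_digest); return JAR_ERR_CORRUPT; }`, and likewise for `sha1_digest`. In the visible lines a NULL result from ATOB_AsciiToData is also not checked before `PORT_Memcmp`, and in non-debug builds the `PORT_Assert` on the length does nothing; jar_parse_any continues outside these hunks, so confirm whether the length variables are initialised there.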
|
||||
|
|
|
@ -1788,8 +1788,6 @@ loser:
|
|||
* random numbers. For Mail usage RandomB should be NULL. In the Sender's
|
||||
* case RandomA is generate, outherwize it is passed.
|
||||
*/
|
||||
static unsigned char *rb_email = NULL;
|
||||
|
||||
PK11SymKey *
|
||||
PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
|
||||
PRBool isSender, SECItem *randomA, SECItem *randomB,
|
||||
|
@ -1801,15 +1799,6 @@ PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
|
|||
PK11SymKey *symKey;
|
||||
CK_RV crv;
|
||||
|
||||
|
||||
if (rb_email == NULL) {
|
||||
rb_email = PORT_ZAlloc(128);
|
||||
if (rb_email == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
rb_email[127] = 1;
|
||||
}
|
||||
|
||||
/* get our key Structure */
|
||||
symKey = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, wincx);
|
||||
if (symKey == NULL) {
|
||||
|
@ -1829,11 +1818,13 @@ PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
|
|||
case keaKey:
|
||||
case fortezzaKey:
|
||||
{
|
||||
static unsigned char rb_email[128] = { 0 };
|
||||
CK_KEA_DERIVE_PARAMS param;
|
||||
param.isSender = (CK_BBOOL) isSender;
|
||||
param.ulRandomLen = randomA->len;
|
||||
param.pRandomA = randomA->data;
|
||||
param.pRandomB = rb_email;
|
||||
param.pRandomB[127] = 1;
|
||||
if (randomB)
|
||||
param.pRandomB = randomB->data;
|
||||
if (pubKey->keyType == fortezzaKey) {
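Review bot: `param.pRandomB[127] = 1;` stores into the function-static `rb_email` on every pass through the keaKey/fortezzaKey branch of PK11_PubDerive, so concurrent callers write the same shared byte without synchronisation. The value never changes, so the result is the same either way, but it is still an unsynchronised write that thread-checking tools will report, and it is wasted when `randomB` is supplied. If the tree's C dialect permits designated initialisers, `static unsigned char rb_email[128] = { [127] = 1 };` removes the runtime store; otherwise a comment such as `/* constant RandomB for mail use; same value written on every call */` would at least document it. The function body extends beyond the hunk.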
|
||||
|
|
|
@ -376,7 +376,6 @@ ssl3_KeyAndMacDeriveBypass(
|
|||
*/
|
||||
secret.data = &key_block[i];
|
||||
secret.len = effKeySize;
|
||||
i += effKeySize;
|
||||
keyblk.data = key_block2;
|
||||
keyblk.len = keySize;
|
||||
status = TLS_PRF(&secret, "server write key", &crsr, &keyblk, isFIPS);
|
||||
|
@ -604,7 +603,7 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
|
|||
*pcanbypass = PR_FALSE;
|
||||
return SECSuccess;
|
||||
#else
|
||||
SECStatus rv;
|
||||
SECStatus rv = SECFailure;
|
||||
int i;
|
||||
PRUint16 suite;
|
||||
PK11SymKey *pms = NULL;
|
||||
|
@ -633,7 +632,6 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
|
|||
return SECFailure;
|
||||
|
||||
*pcanbypass = PR_TRUE;
|
||||
rv = SECFailure;
|
||||
|
||||
/* determine which KEAs to test */
|
||||
/* 0 (TLS_NULL_WITH_NULL_NULL) is used as a list terminator because
|
||||
|
@ -687,7 +685,6 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
|
|||
if (privKeytype == rsaKey && testrsa_export) {
|
||||
if (PK11_GetPrivateModulusLen(srvPrivkey) > EXPORT_RSA_KEY_LENGTH) {
|
||||
*pcanbypass = PR_FALSE;
|
||||
rv = SECSuccess;
|
||||
break;
|
||||
} else
|
||||
testrsa = PR_TRUE;
|
||||
|
@ -813,7 +810,7 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
|
|||
SECKEY_DestroyPublicKey(keapub);
|
||||
PORT_SetError(SEC_ERROR_KEYGEN_FAIL);
|
||||
rv = SECFailure;
|
||||
break;
|
||||
goto done;
|
||||
}
|
||||
} else {
|
||||
/* TLS_ECDH_ECDSA */
|
||||
|
@ -832,7 +829,7 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
|
|||
}
|
||||
PORT_SetError(SEC_ERROR_KEYGEN_FAIL);
|
||||
rv = SECFailure;
|
||||
break;
|
||||
goto done;
|
||||
}
|
||||
/* now do the server side */
|
||||
/* determine the PMS using client's public value */
|
||||
|
|
|
@ -1493,6 +1493,7 @@ ssl3_ComputeDHKeyHash(sslSocket *ss, SSLHashType hashAlg, SSL3Hashes *hashes,
|
|||
|
||||
PORT_Assert(dh_p.data);
|
||||
PORT_Assert(dh_g.data);
|
||||
PORT_Assert(dh_Ys.data);
|
||||
|
||||
bufLen = 2 * SSL3_RANDOM_LENGTH +
|
||||
2 + dh_p.len +
|
||||
|
@ -5139,7 +5140,7 @@ ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss,
|
|||
PRUint8 bytes[2];
|
||||
SECStatus rv;
|
||||
|
||||
rv = ssl3_ConsumeHandshake(ss, bytes, sizeof(bytes), b, length);
|
||||
rv = ssl3_ConsumeHandshake(ss, &bytes[0], sizeof(bytes), b, length);
|
||||
if (rv != SECSuccess) {
|
||||
return rv;
|
||||
}
|
||||
|
@ -10555,20 +10556,26 @@ ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
|
|||
desc = decrypt_error;
|
||||
goto alert_loser;
|
||||
}
|
||||
|
||||
if (hashes->u.pointer_to_hash_input.data) {
|
||||
#ifndef NO_PKCS11_BYPASS
|
||||
if (ss->opt.bypassPKCS11) {
|
||||
rv = ssl3_ComputeBypassHandshakeHash(hashes->u.pointer_to_hash_input.data,
|
||||
hashes->u.pointer_to_hash_input.len,
|
||||
sigAndHash.hashAlg,
|
||||
&localHashes);
|
||||
} else
|
||||
if (ss->opt.bypassPKCS11 && hashes->u.pointer_to_hash_input.data) {
|
||||
rv = ssl3_ComputeBypassHandshakeHash(hashes->u.pointer_to_hash_input.data,
|
||||
hashes->u.pointer_to_hash_input.len,
|
||||
sigAndHash.hashAlg,
|
||||
&localHashes);
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
rv = ssl3_ComputePkcs11HandshakeHash(hashes->u.pointer_to_hash_input.data,
|
||||
hashes->u.pointer_to_hash_input.len,
|
||||
sigAndHash.hashAlg,
|
||||
&localHashes);
|
||||
{
|
||||
rv = ssl3_ComputePkcs11HandshakeHash(hashes->u.pointer_to_hash_input.data,
|
||||
hashes->u.pointer_to_hash_input.len,
|
||||
sigAndHash.hashAlg,
|
||||
&localHashes);
|
||||
}
|
||||
} else {
|
||||
rv = SECFailure;
|
||||
}
|
||||
|
||||
if (rv == SECSuccess) {
|
||||
hashesForVerify = &localHashes;
|
||||
} else {
|
||||
|
@ -11049,9 +11056,12 @@ ssl3_SendEmptyCertificate(sslSocket *ss)
|
|||
SECStatus rv;
|
||||
unsigned int len = 0;
|
||||
PRBool isTLS13 = PR_FALSE;
|
||||
const SECItem *context;
|
||||
|
||||
if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
len = ss->ssl3.hs.certReqContextLen + 1;
|
||||
PORT_Assert(ss->ssl3.hs.certificateRequest);
|
||||
context = &ss->ssl3.hs.certificateRequest->context;
|
||||
len = context->len + 1;
|
||||
isTLS13 = PR_TRUE;
|
||||
}
|
||||
|
||||
|
@ -11061,8 +11071,7 @@ ssl3_SendEmptyCertificate(sslSocket *ss)
|
|||
}
|
||||
|
||||
if (isTLS13) {
|
||||
rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.hs.certReqContext,
|
||||
ss->ssl3.hs.certReqContextLen, 1);
|
||||
rv = ssl3_AppendHandshakeVariable(ss, context->data, context->len, 1);
|
||||
if (rv != SECSuccess) {
|
||||
return rv;
|
||||
}
|
||||
|
@ -11244,6 +11253,7 @@ ssl3_SendCertificate(sslSocket *ss)
|
|||
int ndex = -1;
|
||||
#endif
|
||||
PRBool isTLS13 = ss->version >= SSL_LIBRARY_VERSION_TLS_1_3;
|
||||
SECItem context = { siBuffer, NULL, 0 };
|
||||
unsigned int contextLen = 0;
|
||||
|
||||
SSL_TRC(3, ("%d: SSL3[%d]: send certificate handshake",
|
||||
|
@ -11270,9 +11280,11 @@ ssl3_SendCertificate(sslSocket *ss)
|
|||
#endif
|
||||
|
||||
if (isTLS13) {
|
||||
contextLen = 1; /* Length of the context */
|
||||
contextLen = 1; /* Size of the context length */
|
||||
if (!ss->sec.isServer) {
|
||||
contextLen += ss->ssl3.hs.certReqContextLen;
|
||||
PORT_Assert(ss->ssl3.hs.certificateRequest);
|
||||
context = ss->ssl3.hs.certificateRequest->context;
|
||||
contextLen += context.len;
|
||||
}
|
||||
}
|
||||
if (certChain) {
|
||||
|
@ -11296,13 +11308,8 @@ ssl3_SendCertificate(sslSocket *ss)
|
|||
}
|
||||
|
||||
if (isTLS13) {
|
||||
if (ss->sec.isServer) {
|
||||
rv = ssl3_AppendHandshakeNumber(ss, 0, 1);
|
||||
} else {
|
||||
rv = ssl3_AppendHandshakeVariable(ss,
|
||||
ss->ssl3.hs.certReqContext,
|
||||
ss->ssl3.hs.certReqContextLen, 1);
|
||||
}
|
||||
rv = ssl3_AppendHandshakeVariable(ss, context.data,
|
||||
context.len, 1);
|
||||
if (rv != SECSuccess) {
|
||||
return rv; /* err set by AppendHandshake. */
|
||||
}
|
||||
|
@ -13693,7 +13700,7 @@ ssl3_InitState(sslSocket *ss)
|
|||
ss->ssl3.hs.dheSecret = NULL;
|
||||
ss->ssl3.hs.trafficSecret = NULL;
|
||||
ss->ssl3.hs.hsTrafficSecret = NULL;
|
||||
ss->ssl3.hs.certReqContextLen = 0;
|
||||
ss->ssl3.hs.certificateRequest = NULL;
|
||||
PR_INIT_CLIST(&ss->ssl3.hs.cipherSpecs);
|
||||
|
||||
PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
|
||||
|
@ -14025,6 +14032,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
|
|||
SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE);
|
||||
SECITEM_FreeItem(&ss->ssl3.hs.srvVirtName, PR_FALSE);
|
||||
|
||||
if (ss->ssl3.hs.certificateRequest) {
|
||||
PORT_FreeArena(ss->ssl3.hs.certificateRequest->arena, PR_FALSE);
|
||||
ss->ssl3.hs.certificateRequest = NULL;
|
||||
}
|
||||
|
||||
/* free up the CipherSpecs */
|
||||
ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE /*freeSrvName*/);
|
||||
ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE /*freeSrvName*/);
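Review bot: In ssl3_SendEmptyCertificate and ssl3_SendCertificate the only guard before dereferencing `ss->ssl3.hs.certificateRequest` is `PORT_Assert`, which is compiled out of non-debug builds, so a TLS 1.3 client reaching either function without a stored request would dereference NULL. Whether that state is reachable depends on handshake-state checks outside these hunks, so this is a hardening point rather than a confirmed crash. An explicit check keeps the failure contained: `if (!ss->ssl3.hs.certificateRequest) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; }`. Both function bodies continue outside the hunks.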
|
||||
|
|
|
@ -965,7 +965,7 @@ ssl_IsSuiteEnabled(sslSocket *ss, const ssl3CipherSuite *list)
|
|||
}
|
||||
|
||||
/* Ask: is ANY ECC cipher suite enabled on this socket? */
|
||||
static PRBool
|
||||
PRBool
|
||||
ssl_IsECCEnabled(sslSocket *ss)
|
||||
{
|
||||
PK11SlotInfo *slot;
|
||||
|
@ -981,6 +981,12 @@ ssl_IsECCEnabled(sslSocket *ss)
|
|||
return ssl_IsSuiteEnabled(ss, ssl_all_ec_suites);
|
||||
}
|
||||
|
||||
PRBool
|
||||
ssl_IsDHEEnabled(sslSocket *ss)
|
||||
{
|
||||
return ssl_IsSuiteEnabled(ss, ssl_dhe_suites);
|
||||
}
|
||||
|
||||
/* This function already presumes we can do ECC, ssl_IsECCEnabled must be
|
||||
* called before this function. It looks to see if we have a token which
|
||||
* is capable of doing smaller than SuiteB curves. If the token can, we
|
||||
|
@ -1024,7 +1030,7 @@ ssl_SendSupportedGroupsXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
|
|||
* 1.3 is a possibility. */
|
||||
if (ss->opt.requireDHENamedGroups ||
|
||||
ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
ff = ssl_IsSuiteEnabled(ss, ssl_dhe_suites);
|
||||
ff = ssl_IsDHEEnabled(ss);
|
||||
}
|
||||
if (!ec && !ff) {
|
||||
return 0;
|
||||
|
|
|
@ -1172,7 +1172,7 @@ ssl3_EncodeSessionTicket(sslSocket *ss, SECItem *ticket_data)
|
|||
AESContext *aes_ctx;
|
||||
const SECHashObject *hashObj = NULL;
|
||||
PRUint64 hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS];
|
||||
HMACContext *hmac_ctx;
|
||||
HMACContext *hmac_ctx = NULL;
|
||||
#endif
|
||||
CK_MECHANISM_TYPE cipherMech = CKM_AES_CBC;
|
||||
PK11Context *aes_ctx_pkcs11;
|
||||
|
@ -1485,16 +1485,19 @@ ssl3_EncodeSessionTicket(sslSocket *ss, SECItem *ticket_data)
|
|||
hmac_ctx = (HMACContext *)hmac_ctx_buf;
|
||||
hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
|
||||
if (HMAC_Init(hmac_ctx, hashObj, mac_key,
|
||||
mac_key_length, PR_FALSE) != SECSuccess)
|
||||
mac_key_length, PR_FALSE) != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
HMAC_Begin(hmac_ctx);
|
||||
HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN);
|
||||
HMAC_Update(hmac_ctx, iv, sizeof(iv));
|
||||
HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2);
|
||||
HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len);
|
||||
HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
|
||||
sizeof(computed_mac));
|
||||
if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
|
||||
sizeof(computed_mac)) != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
|
@ -1568,12 +1571,20 @@ ssl3_EncodeSessionTicket(sslSocket *ss, SECItem *ticket_data)
|
|||
ticket_buf.data = NULL;
|
||||
|
||||
loser:
|
||||
if (hmac_ctx_pkcs11)
|
||||
#ifndef NO_PKCS11_BYPASS
|
||||
if (hmac_ctx) {
|
||||
HMAC_Destroy(hmac_ctx, PR_FALSE);
|
||||
}
|
||||
#endif
|
||||
if (hmac_ctx_pkcs11) {
|
||||
PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
|
||||
if (plaintext_item.data)
|
||||
}
|
||||
if (plaintext_item.data) {
|
||||
SECITEM_FreeItem(&plaintext_item, PR_FALSE);
|
||||
if (ciphertext.data)
|
||||
}
|
||||
if (ciphertext.data) {
|
||||
SECITEM_FreeItem(&ciphertext, PR_FALSE);
|
||||
}
|
||||
if (ticket_buf.data) {
|
||||
SECITEM_FreeItem(&ticket_buf, PR_FALSE);
|
||||
}
|
||||
|
@ -1699,9 +1710,12 @@ ssl3_ProcessSessionTicketCommon(sslSocket *ss, SECItem *data)
|
|||
HMAC_Begin(hmac_ctx);
|
||||
HMAC_Update(hmac_ctx, extension_data.data,
|
||||
extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
|
||||
if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
|
||||
sizeof(computed_mac)) != SECSuccess)
|
||||
rv = HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
|
||||
sizeof(computed_mac));
|
||||
HMAC_Destroy(hmac_ctx, PR_FALSE);
|
||||
if (rv != SECSuccess) {
|
||||
goto no_ticket;
|
||||
}
|
||||
} else
|
||||
#endif
|
||||
{
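Review bot: The new `loser:` cleanup in ssl3_EncodeSessionTicket calls `HMAC_Destroy(hmac_ctx, PR_FALSE)` whenever `hmac_ctx` is non-NULL, and that includes the path where `HMAC_Init` itself failed, because `hmac_ctx` is assigned from `hmac_ctx_buf` before the call. Whether HMAC_Destroy is safe on a context that HMAC_Init could not set up is not visible on this page and should be confirmed; if HMAC_Init releases its own partial state on failure, the cleanup would release it a second time. In that case clear the pointer on the failure branch, `hmac_ctx = NULL; goto loser;`. The same question applies to the HMAC_Init failure path in ssl3_ProcessSessionTicketCommon, which lies outside the hunk shown.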
|
||||
|
|
|
@ -893,6 +893,14 @@ typedef enum {
|
|||
handshake_hash_record
|
||||
} SSL3HandshakeHashType;
|
||||
|
||||
/* This holds state for TLS 1.3 CertificateRequest handling. */
|
||||
typedef struct TLS13CertificateRequestStr {
|
||||
PLArenaPool *arena;
|
||||
SECItem context;
|
||||
SECItem algorithms;
|
||||
CERTDistNames ca_list;
|
||||
} TLS13CertificateRequest;
|
||||
|
||||
/*
|
||||
** This is the "hs" member of the "ssl3" struct.
|
||||
** This entire struct is protected by ssl3HandshakeLock
|
||||
|
@ -1002,28 +1010,26 @@ typedef struct SSL3HandshakeStateStr {
|
|||
* always set to NULL.*/
|
||||
|
||||
/* This group of values is used for TLS 1.3 and above */
|
||||
PK11Context *clientHelloHash; /* The client hello hash state, used
|
||||
PK11Context *clientHelloHash; /* The client hello hash state, used
|
||||
* by the server for 0-RTT. */
|
||||
PRCList remoteKeyShares; /* The other side's public keys */
|
||||
PK11SymKey *currentSecret; /* The secret down the "left hand side"
|
||||
PRCList remoteKeyShares; /* The other side's public keys */
|
||||
PK11SymKey *currentSecret; /* The secret down the "left hand side"
|
||||
* of the TLS 1.3 key schedule. */
|
||||
PK11SymKey *resumptionPsk; /* The resumption PSK. */
|
||||
SECItem resumptionContext; /* The resumption context. */
|
||||
PK11SymKey *dheSecret; /* The (EC)DHE shared secret. */
|
||||
PK11SymKey *earlyTrafficSecret; /* The secret we use for 0-RTT. */
|
||||
PK11SymKey *hsTrafficSecret; /* The handshake traffic secret. */
|
||||
PK11SymKey *trafficSecret; /* The source key to use to generate
|
||||
PK11SymKey *resumptionPsk; /* The resumption PSK. */
|
||||
SECItem resumptionContext; /* The resumption context. */
|
||||
PK11SymKey *dheSecret; /* The (EC)DHE shared secret. */
|
||||
PK11SymKey *earlyTrafficSecret; /* The secret we use for 0-RTT. */
|
||||
PK11SymKey *hsTrafficSecret; /* The handshake traffic secret. */
|
||||
PK11SymKey *trafficSecret; /* The source key to use to generate
|
||||
* traffic keys */
|
||||
unsigned char certReqContext[255]; /* Ties CertificateRequest
|
||||
* to Certificate */
|
||||
PRUint8 certReqContextLen; /* Length of the context
|
||||
* cannot be greater than 255. */
|
||||
ssl3CipherSuite origCipherSuite; /* The cipher suite from the original
|
||||
/* The certificate request from the server. */
|
||||
TLS13CertificateRequest *certificateRequest;
|
||||
ssl3CipherSuite origCipherSuite; /* The cipher suite from the original
|
||||
* connection if we are resuming. */
|
||||
PRCList cipherSpecs; /* The cipher specs in the sequence they
|
||||
PRCList cipherSpecs; /* The cipher specs in the sequence they
|
||||
* will be applied. */
|
||||
PRBool doing0Rtt; /* Are we doing a 0-RTT handshake? */
|
||||
PRCList bufferedEarlyData; /* Buffered TLS 1.3 early data
|
||||
PRBool doing0Rtt; /* Are we doing a 0-RTT handshake? */
|
||||
PRCList bufferedEarlyData; /* Buffered TLS 1.3 early data
|
||||
* on server.*/
|
||||
} SSL3HandshakeState;
|
||||
|
||||
|
@ -1737,7 +1743,8 @@ extern SECStatus ssl_ValidateDHENamedGroup(sslSocket *ss,
|
|||
const namedGroupDef **groupDef,
|
||||
const ssl3DHParams **dhParams);
|
||||
|
||||
extern PRBool ssl3_IsECCEnabled(sslSocket *ss);
|
||||
extern PRBool ssl_IsECCEnabled(sslSocket *ss);
|
||||
extern PRBool ssl_IsDHEEnabled(sslSocket *ss);
|
||||
|
||||
/* Macro for finding a curve equivalent in strength to RSA key's */
|
||||
/* clang-format off */
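Review bot: The one-line comment on TLS13CertificateRequest does not say who owns the memory. Elsewhere in this commit the struct is allocated with `PORT_ArenaZNew(arena, TLS13CertificateRequest)` and every teardown site frees only `certificateRequest->arena`, so the struct and its `context`, `algorithms` and `ca_list` members all live in that arena. I would record that next to the definition, e.g. `/* The struct and all its members are allocated from |arena|; release with PORT_FreeArena(arena, PR_FALSE) and clear the pointer. */`, so nobody later frees a member individually or keeps a pointer into it after the arena is gone.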
|
||||
|
|
|
@ -260,7 +260,10 @@ ssl_DupSocket(sslSocket *os)
|
|||
|
||||
ss->opt = os->opt;
|
||||
ss->opt.useSocks = PR_FALSE;
|
||||
SECITEM_CopyItem(NULL, &ss->opt.nextProtoNego, &os->opt.nextProtoNego);
|
||||
rv = SECITEM_CopyItem(NULL, &ss->opt.nextProtoNego, &os->opt.nextProtoNego);
|
||||
if (rv != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
ss->vrange = os->vrange;
|
||||
|
||||
ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID);
|
||||
|
|
|
@ -48,6 +48,12 @@ ssl_PrintBuf(sslSocket *ss, const char *msg, const void *vp, int len)
|
|||
} else {
|
||||
SSL_TRACE(("%d: SSL: %s [Len: %d]", SSL_GETPID(), msg, len));
|
||||
}
|
||||
|
||||
if (!cp) {
|
||||
SSL_TRACE((" <NULL>"));
|
||||
return;
|
||||
}
|
||||
|
||||
memset(buf, ' ', sizeof buf);
|
||||
bp = buf;
|
||||
ap = buf + 50;
|
||||
|
|
|
@ -314,46 +314,67 @@ tls13_GetHmacMechanism(sslSocket *ss)
|
|||
}
|
||||
|
||||
/*
|
||||
* Called from ssl3_SendClientHello
|
||||
* Generate shares for ECDHE and FFDHE. This picks the first enabled group of
|
||||
* the requisite type and creates a share for that.
|
||||
*
|
||||
* Called from ssl3_SendClientHello.
|
||||
*/
|
||||
SECStatus
|
||||
tls13_SetupClientHello(sslSocket *ss)
|
||||
{
|
||||
unsigned int i;
|
||||
PRBool ecNeeded = ssl_IsECCEnabled(ss);
|
||||
/* This does FFDHE always only while we don't have HelloRetryRequest
|
||||
* support. FFDHE is too much of a burden for normal requests. We really
|
||||
* only want it when EC suites are disabled. */
|
||||
static const NamedGroup groups_to_try[] = { ec_secp256r1, ffdhe_2048 };
|
||||
unsigned int i;
|
||||
PRBool ffNeeded = ssl_IsDHEEnabled(ss);
|
||||
|
||||
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
|
||||
PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
|
||||
|
||||
PORT_Assert(PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs));
|
||||
|
||||
for (i = 0; i < PR_ARRAY_SIZE(groups_to_try); ++i) {
|
||||
for (i = 0; i < ssl_named_group_count; ++i) {
|
||||
SECStatus rv;
|
||||
sslEphemeralKeyPair *keyPair;
|
||||
const namedGroupDef *groupDef = ssl_LookupNamedGroup(groups_to_try[i]);
|
||||
sslEphemeralKeyPair *keyPair = NULL;
|
||||
const namedGroupDef *groupDef = &ssl_named_groups[i];
|
||||
const ssl3DHParams *params;
|
||||
if (!ssl_NamedGroupEnabled(ss, groupDef)) {
|
||||
continue;
|
||||
}
|
||||
switch (groupDef->type) {
|
||||
case group_type_ec:
|
||||
if (!ecNeeded) {
|
||||
continue;
|
||||
}
|
||||
rv = ssl_CreateECDHEphemeralKeyPair(groupDef, &keyPair);
|
||||
if (rv != SECSuccess) {
|
||||
return SECFailure;
|
||||
}
|
||||
ecNeeded = PR_FALSE;
|
||||
break;
|
||||
case group_type_ff: {
|
||||
const ssl3DHParams *params = ssl_GetDHEParams(groupDef);
|
||||
case group_type_ff:
|
||||
if (!ffNeeded) {
|
||||
continue;
|
||||
}
|
||||
params = ssl_GetDHEParams(groupDef);
|
||||
PORT_Assert(params->name != ffdhe_custom);
|
||||
rv = ssl_CreateDHEKeyPair(groupDef, params, &keyPair);
|
||||
if (rv != SECSuccess) {
|
||||
return SECFailure;
|
||||
}
|
||||
ffNeeded = PR_FALSE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (rv != SECSuccess)
|
||||
return rv;
|
||||
|
||||
PR_APPEND_LINK(&keyPair->link, &ss->ephemeralKeyPairs);
|
||||
}
|
||||
|
||||
PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs));
|
||||
/* We don't permit all groups of a given type to be disabled, so this should
|
||||
* never reach this point wanting for a share of either type. */
|
||||
PORT_Assert(!ecNeeded);
|
||||
PORT_Assert(!ffNeeded);
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
|
@ -1183,6 +1204,8 @@ tls13_HandleClientKeyShare(sslSocket *ss)
|
|||
return rv; /* Error code set already. */
|
||||
}
|
||||
|
||||
static const unsigned char tls13_certreq_context[] = { 0 };
|
||||
|
||||
/*
|
||||
* [draft-ietf-tls-tls13-11] Section 6.3.3.2
|
||||
*
|
||||
|
@ -1217,10 +1240,6 @@ tls13_SendCertificateRequest(sslSocket *ss)
|
|||
SSL_TRC(3, ("%d: TLS13[%d]: begin send certificate_request",
|
||||
SSL_GETPID(), ss->fd));
|
||||
|
||||
/* Fixed context value. */
|
||||
ss->ssl3.hs.certReqContext[0] = 0;
|
||||
ss->ssl3.hs.certReqContextLen = 1;
|
||||
|
||||
rv = ssl3_EncodeCertificateRequestSigAlgs(ss, sigAlgs, sizeof(sigAlgs),
|
||||
&sigAlgsLength);
|
||||
if (rv != SECSuccess) {
|
||||
|
@ -1228,15 +1247,15 @@ tls13_SendCertificateRequest(sslSocket *ss)
|
|||
}
|
||||
|
||||
ssl3_GetCertificateRequestCAs(ss, &calen, &names, &nnames);
|
||||
length = 1 + ss->ssl3.hs.certReqContextLen +
|
||||
length = 1 + sizeof(tls13_certreq_context) +
|
||||
2 + sigAlgsLength + 2 + calen + 2;
|
||||
|
||||
rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
|
||||
if (rv != SECSuccess) {
|
||||
return rv; /* err set by AppendHandshake. */
|
||||
}
|
||||
rv = ssl3_AppendHandshakeVariable(ss, ss->ssl3.hs.certReqContext,
|
||||
ss->ssl3.hs.certReqContextLen, 1);
|
||||
rv = ssl3_AppendHandshakeVariable(ss, tls13_certreq_context,
|
||||
sizeof(tls13_certreq_context), 1);
|
||||
if (rv != SECSuccess) {
|
||||
return rv; /* err set by AppendHandshake. */
|
||||
}
|
||||
|
@ -1266,10 +1285,10 @@ static SECStatus
|
|||
tls13_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
||||
{
|
||||
SECStatus rv;
|
||||
TLS13CertificateRequest *certRequest = NULL;
|
||||
SECItem context = { siBuffer, NULL, 0 };
|
||||
SECItem algorithms = { siBuffer, NULL, 0 };
|
||||
PLArenaPool *arena;
|
||||
CERTDistNames ca_list;
|
||||
PRInt32 extensionsLength;
|
||||
|
||||
SSL_TRC(3, ("%d: TLS13[%d]: handle certificate_request sequence",
|
||||
|
@ -1279,7 +1298,8 @@ tls13_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
|||
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
|
||||
|
||||
/* Client */
|
||||
rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST, wait_cert_request);
|
||||
rv = TLS13_CHECK_HS_STATE(ss, SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST,
|
||||
wait_cert_request);
|
||||
if (rv != SECSuccess) {
|
||||
return SECFailure;
|
||||
}
|
||||
|
@ -1287,38 +1307,47 @@ tls13_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
|||
PORT_Assert(ss->ssl3.clientCertChain == NULL);
|
||||
PORT_Assert(ss->ssl3.clientCertificate == NULL);
|
||||
PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
|
||||
PORT_Assert(ss->ssl3.hs.certificateRequest == NULL);
|
||||
|
||||
rv = ssl3_ConsumeHandshakeVariable(ss, &context, 1, &b, &length);
|
||||
if (rv != SECSuccess)
|
||||
return SECFailure;
|
||||
PORT_Assert(sizeof(ss->ssl3.hs.certReqContext) == 255);
|
||||
PORT_Memcpy(ss->ssl3.hs.certReqContext, context.data, context.len);
|
||||
ss->ssl3.hs.certReqContextLen = context.len;
|
||||
|
||||
rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &b, &length);
|
||||
if (rv != SECSuccess)
|
||||
return SECFailure;
|
||||
|
||||
if (algorithms.len == 0 || (algorithms.len & 1) != 0) {
|
||||
FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST,
|
||||
illegal_parameter);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
||||
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
||||
if (!arena) {
|
||||
FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
rv = ssl3_ParseCertificateRequestCAs(ss, &b, &length, arena, &ca_list);
|
||||
rv = ssl3_ConsumeHandshakeVariable(ss, &context, 1, &b, &length);
|
||||
if (rv != SECSuccess)
|
||||
goto loser; /* alert sent below */
|
||||
goto loser;
|
||||
if (context.len == 0) {
|
||||
FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST,
|
||||
illegal_parameter);
|
||||
goto loser;
|
||||
}
|
||||
|
||||
rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &b, &length);
|
||||
if (rv != SECSuccess)
|
||||
goto loser;
|
||||
if (algorithms.len == 0 || (algorithms.len & 1) != 0) {
|
||||
FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST,
|
||||
illegal_parameter);
|
||||
goto loser;
|
||||
}
|
||||
|
||||
certRequest = PORT_ArenaZNew(arena, TLS13CertificateRequest);
|
||||
if (!certRequest)
|
||||
goto loser;
|
||||
certRequest->arena = arena;
|
||||
certRequest->ca_list.arena = arena;
|
||||
|
||||
rv = ssl3_ParseCertificateRequestCAs(ss, &b, &length, arena,
|
||||
&certRequest->ca_list);
|
||||
if (rv != SECSuccess)
|
||||
goto loser; /* alert already sent */
|
||||
|
||||
/* Verify that the extensions length is correct. */
|
||||
extensionsLength = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
|
||||
if (extensionsLength < 0) {
|
||||
goto loser; /* alert sent below */
|
||||
goto loser; /* alert already sent */
|
||||
}
|
||||
if (extensionsLength != length) {
|
||||
FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_REQUEST,
|
||||
|
@ -1326,15 +1355,16 @@ tls13_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
|||
goto loser;
|
||||
}
|
||||
|
||||
TLS13_SET_HS_STATE(ss, wait_server_cert);
|
||||
|
||||
rv = ssl3_CompleteHandleCertificateRequest(ss, &algorithms, &ca_list);
|
||||
if (rv != SECSuccess) {
|
||||
FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
|
||||
rv = SECITEM_CopyItem(arena, &certRequest->context, &context);
|
||||
if (rv != SECSuccess)
|
||||
goto loser;
|
||||
rv = SECITEM_CopyItem(arena, &certRequest->algorithms, &algorithms);
|
||||
if (rv != SECSuccess)
|
||||
goto loser;
|
||||
}
|
||||
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
TLS13_SET_HS_STATE(ss, wait_server_cert);
|
||||
ss->ssl3.hs.certificateRequest = certRequest;
|
||||
|
||||
return SECSuccess;
|
||||
|
||||
loser:
|
||||
|
@ -1693,8 +1723,8 @@ tls13_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
|||
return SECFailure;
|
||||
}
|
||||
} else {
|
||||
if (!context.len || context.len != ss->ssl3.hs.certReqContextLen ||
|
||||
(NSS_SecureMemcmp(ss->ssl3.hs.certReqContext,
|
||||
if (context.len != sizeof(tls13_certreq_context) ||
|
||||
(NSS_SecureMemcmp(tls13_certreq_context,
|
||||
context.data, context.len) != 0)) {
|
||||
FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERTIFICATE,
|
||||
illegal_parameter);
|
||||
|
@ -1703,7 +1733,11 @@ tls13_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
|||
context.len = 0; /* Belt and suspenders. Zero out the context. */
|
||||
}
|
||||
|
||||
return ssl3_CompleteHandleCertificate(ss, b, length);
|
||||
rv = ssl3_CompleteHandleCertificate(ss, b, length);
|
||||
if (rv != SECSuccess)
|
||||
return rv;
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
/* Called from tls13_CompleteHandleHandshakeMessage() when it has deciphered a complete
|
||||
|
@ -2556,6 +2590,19 @@ tls13_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
|
|||
return SECFailure;
|
||||
}
|
||||
|
||||
/* Request a client certificate now if one was requested. */
|
||||
if (ss->ssl3.hs.certificateRequest) {
|
||||
TLS13CertificateRequest *req = ss->ssl3.hs.certificateRequest;
|
||||
|
||||
PORT_Assert(!ss->sec.isServer);
|
||||
rv = ssl3_CompleteHandleCertificateRequest(ss, &req->algorithms,
|
||||
&req->ca_list);
|
||||
if (rv != SECSuccess) {
|
||||
FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
|
||||
return rv;
|
||||
}
|
||||
}
|
||||
|
||||
TLS13_SET_HS_STATE(ss, wait_finished);
|
||||
|
||||
return SECSuccess;
|
||||
|
@ -2862,9 +2909,9 @@ tls13_SendClientSecondRound(sslSocket *ss)
|
|||
ss->ssl3.clientCertChain != NULL &&
|
||||
ss->ssl3.clientPrivateKey != NULL;
|
||||
|
||||
/* Defer client authentication sending if we are still
|
||||
* waiting for server authentication. See the long block
|
||||
* comment in ssl3_SendClientSecondRound for more detail.
|
||||
/* Defer client authentication sending if we are still waiting for server
|
||||
* authentication. This avoids unnecessary disclosure of client credentials
|
||||
* to an unauthenticated server.
|
||||
*/
|
||||
if (ss->ssl3.hs.restartTarget) {
|
||||
PR_NOT_REACHED("unexpected ss->ssl3.hs.restartTarget");
|
||||
|
@ -2906,6 +2953,10 @@ tls13_SendClientSecondRound(sslSocket *ss)
|
|||
goto loser; /* error code is set. */
|
||||
}
|
||||
}
|
||||
if (ss->ssl3.hs.certificateRequest) {
|
||||
PORT_FreeArena(ss->ssl3.hs.certificateRequest->arena, PR_FALSE);
|
||||
ss->ssl3.hs.certificateRequest = NULL;
|
||||
}
|
||||
|
||||
if (sendClientCert) {
|
||||
rv = tls13_SendCertificateVerify(ss, ss->ssl3.clientPrivateKey);
|
||||
|
|
|
@ -607,10 +607,10 @@ ssl_stress()
|
|||
fi
|
||||
|
||||
echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \\"
|
||||
echo " $verbose ${HOSTADDR}"
|
||||
echo " -V ssl3:tls1.2 $verbose ${HOSTADDR}"
|
||||
echo "strsclnt started at `date`"
|
||||
${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss $cparam \
|
||||
$verbose ${HOSTADDR}
|
||||
-V ssl3:tls1.2 $verbose ${HOSTADDR}
|
||||
ret=$?
|
||||
echo "strsclnt completed at `date`"
|
||||
html_msg $ret $value \
|
||||
|
|
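Review bot: The `-V ssl3:tls1.2` range on the strsclnt invocation in ssl_stress() (taken to be the new side, since the markers are lost in this rendering) has no comment saying why the stress client is capped at TLS 1.2. Without one the cap is likely to outlive its reason, and the stress runs will skip TLS 1.3 even on builds where it is enabled. I would add a line above the first echo such as `# Stress client capped at TLS 1.2 for now; widen -V once the stress tests pass with TLS 1.3 (bug <BUG-ID>)`, with the real reason filled in, since the motive is inferred here rather than stated on the page. The range is also spelled out twice, once in the echo and once in the command, so holding it in one shell variable would keep the logged command line and the executed one from drifting apart; the lower bound also still admits SSL 3.0, which is worth confirming as intentional. ssl_stress() starts and ends outside this hunk.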