Bug 1305970 - land NSS 0x3e7b53b18112, r=me

--HG--
extra : rebase_source : ef363dba56df3ca76c43cfb20702ddef13d0f855
Franziskus Kiefer 2016-10-25 20:38:17 +02:00
Родитель 0017f30b66
Коммит 4c1797bf92
156 изменённых файлов: 3167 добавлений и 8363 удалений


@ -1 +1 @@
0c845c900217
3e7b53b18112

1643
security/nss/automation/taskcluster/graph/npm-shrinkwrap.json сгенерированный Normal file



@ -20,23 +20,14 @@ function isSanitizer(task) {
queue.filter(task => {
if (task.group == "Builds") {
// Remove extra builds on UBSan and ARM.
if (task.collection == "ubsan" || task.collection == "arm-debug") {
// Remove extra builds on {A,UB}San and ARM.
if (isSanitizer(task) || task.collection == "arm-debug") {
return false;
}
// Remove extra builds w/o libpkix for non-asan.
if (task.symbol == "noLibpkix" && task.collection != "asan") {
return false;
}
// Remove extra builds w/ clang-3.9 on ASan.
if (task.symbol == "clang-3.9" && task.collection == "asan") {
return false;
}
// Remove extra builds w/ gcc-5 on non-ASan.
if (task.symbol == "gcc-5" && task.collection != "asan") {
// Remove extra builds w/o libpkix for non-linux64-debug.
if (task.symbol == "noLibpkix" &&
(task.platform != "linux64" || task.collection != "debug")) {
return false;
}
@ -58,8 +49,9 @@ queue.filter(task => {
}
}
// Start with BoGo on UBSan builds.
if (task.collection == "ubsan" && task.tests && task.tests != "bogo") {
// Filter test suites that currently fail with UBSan.
if (task.collection == "ubsan" &&
["crmf", "cipher", "fips", "merge", "smime"].includes(task.tests)) {
return false;
}
@ -114,6 +106,13 @@ export default async function main() {
image: LINUX_IMAGE
});
await scheduleLinux("Linux 64 (debug)", {
env: {USE_64: "1"},
platform: "linux64",
collection: "debug",
image: LINUX_IMAGE
});
await scheduleLinux("Linux 64 (debug, gyp)", {
command: [
"/bin/bash",
@ -242,15 +241,6 @@ async function scheduleLinux(name, base) {
symbol: "gcc-4.8"
}));
queue.scheduleTask(merge(extra_base, {
name: `${name} w/ gcc-5`,
env: {
CC: "gcc-5",
CCC: "g++-5"
},
symbol: "gcc-5"
}));
queue.scheduleTask(merge(extra_base, {
name: `${name} w/ gcc-6.1`,
env: {
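Review bot: The new conditions in the `queue.filter` callback keep using loose equality (`task.collection == "arm-debug"`, `task.platform != "linux64"`, `task.collection == "ubsan"`) although the file is an ES module (`export default async function main()`), where `===`/`!==` is the expected form; `if (isSanitizer(task) || task.collection === "arm-debug") {` matches that style. The list of UBSan-failing suites in the second hunk is an inline literal inside the condition; hoisting it to a named module-level constant with a comment such as `// Test suites that currently fail under UBSan; drop entries as they are fixed.` makes its temporary nature explicit. The `scheduleLinux` body in the last hunk starts and ends outside it.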


@ -22,7 +22,7 @@ function parseOptions(opts) {
}
// Parse platforms.
let allPlatforms = ["linux", "linux64", "win64", "arm", "linux64-gyp"];
let allPlatforms = ["linux", "linux64", "linux64-asan", "win64", "arm", "linux64-gyp"];
let platforms = intersect(opts.platform.split(/\s*,\s*/), allPlatforms);
// If the given value is nonsense or "none" default to all platforms.
@ -100,6 +100,7 @@ function filter(opts) {
let found = opts.platforms.some(platform => {
let aliases = {
"linux": "linux32",
"linux64-asan": "linux64",
"linux64-gyp": "linux64",
"win64": "windows2012-64",
"arm": "linux32"
@ -109,12 +110,14 @@ function filter(opts) {
let keep = (task.platform == (aliases[platform] || platform));
// Additional checks.
if (platform == "arm") {
if (platform == "linux64-asan") {
keep &= coll("asan") || coll("ubsan");
} else if (platform == "arm") {
keep &= coll("arm-opt") || coll("arm-debug");
} else if (platform == "linux64-gyp") {
keep &= coll("gyp");
} else {
keep &= coll("opt") || coll("debug") || coll("asan") || coll("ubsan");
keep &= coll("opt") || coll("debug");
}
return keep;
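Review bot: The added `keep &= coll("asan") || coll("ubsan")` branch follows the existing pattern, but `&=` is a bitwise operator that turns the boolean `keep` into a number before it is returned from the `some` callback; it works only because `some` tests truthiness, and `keep = keep && (coll("asan") || coll("ubsan"));` says what is meant. The `else` branch now drops `asan`/`ubsan` from a plain `linux64` selection, so a try syntax that used to reach sanitizer builds through `linux64` silently stops doing so; a one-line comment at the `"linux64-asan": "linux64"` alias noting that sanitizer builds are only selectable via `linux64-asan` would spare the next reader the guessing. The `filter` function continues outside both hunks.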


@ -11,11 +11,8 @@ fi
hg_clone https://hg.mozilla.org/projects/nspr nspr default
# Build.
cd nss && NSS_GYP_GEN=1 ./build.sh
if [ $? != 0 ]; then
exit 1
fi
nss/build.sh -g -v
# Package.
cd .. && mkdir artifacts
mkdir artifacts
tar cvfjh artifacts/dist.tar.bz2 dist
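Review bot: The explicit `if [ $? != 0 ]; then exit 1; fi` after the build was removed and the new `nss/build.sh -g -v` line has no failure check of its own, so unless this script enables `set -e` above the hunk, a failed build still falls through to `mkdir artifacts` and `tar`, packaging whatever stale or partial `dist` exists. The `set -e` inside build.sh does not propagate to this caller. `nss/build.sh -g -v || exit 1` restores the old behaviour; the `fi` in the hunk header shows the script's start is outside the hunk, so it is worth checking whether `set -e` is already there.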


@ -20,6 +20,9 @@ make nss_build_all
# key: directory to scan
# value: number of errors expected in that directory
declare -A scan=( \
[lib/base]=0 \
[lib/certdb]=0 \
[lib/certhigh]=0 \
[lib/ssl]=0 \
[lib/freebl]=0 \
[lib/util]=0 \
@ -31,7 +34,7 @@ for i in "${!scan[@]}"; do
done
# run scan-build (only building affected directories)
scan-build -o /home/worker/artifacts --use-cc=$(CC) --use-c++=$(CCC) make nss_build_all && cd ..
scan-build -o /home/worker/artifacts --use-cc=$CC --use-c++=$CCC make nss_build_all && cd ..
# print errors we found
set +v +x
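Review bot: The corrected `--use-cc=$CC --use-c++=$CCC` still expands both variables unquoted and without a guard, so if either is unset scan-build receives an empty `--use-cc=` and presumably falls back to its default compiler, which makes the `0` expected-error counts in the `scan` table meaningless for that run. `--use-cc="${CC:?CC is not set}" --use-c++="${CCC:?CCC is not set}"` fails the job loudly instead. The `for` loop named in the second hunk header lies between the two hunks, outside what is shown.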


@ -1,36 +1,72 @@
#!/bin/bash
# This script builds NSS with gyp and ninja.
#
# This build system is still under development. It does not yet support all
# the features or platforms that NSS supports.
#
# -c = clean before build
# -g = force a rebuild of gyp (and NSPR, because why not)
# -v = verbose build
# --test = ignore map files and export everything we have
CWD="$PWD/$(dirname $0)"
OBJ_DIR="$(make platform)"
set -e
CWD=$(cd $(dirname $0); pwd -P)
OBJ_DIR=$(make -s -C "$CWD" platform)
DIST_DIR="$CWD/../dist/$OBJ_DIR"
# do NSPR things
NSS_GYP=1 make install_nspr
if [ -z "${USE_64}" ]; then
GYP_PARAMS="-Dtarget_arch=ia32"
if [ -n "$CCC" ] && [ -z "$CXX" ]; then
export CXX="$CCC"
fi
# generate NSS build files only if asked for it
if [ -n "${NSS_GYP_GEN}" -o ! -d out/Debug ]; then
PKG_CONFIG_PATH="$CWD/../nspr/$OBJ_DIR/config" gyp -f ninja $GYP_PARAMS --depth=. nss.gyp
while [ $# -gt 0 ]; do
case $1 in
-c) CLEAN=1 ;;
-g) REBUILD_GYP=1 ;;
-v) VERBOSE=1 ;;
--test) GYP_PARAMS="$GYP_PARAMS -Dtest_build=1" ;;
esac
shift
done
# -c = clean first
if [ "$CLEAN" = 1 ]; then
rm -rf "$CWD/out"
fi
# build NSS
# TODO: only doing this for debug build for now
ninja -C out/Debug/
if [ $? != 0 ]; then
if [ "$BUILD_OPT" = "1" ]; then
TARGET=Release
else
TARGET=Debug
fi
if [ "$USE_64" == "1" ]; then
TARGET="${TARGET}_x64"
else
GYP_PARAMS="$GYP_PARAMS -Dtarget_arch=ia32"
fi
TARGET_DIR="$CWD/out/$TARGET"
# These steps can take a while, so don't overdo them.
# Force a redo with -g.
if [ "$REBUILD_GYP" = 1 -o ! -d "$TARGET_DIR" ]; then
# Build NSPR.
make -C "$CWD" NSS_GYP=1 install_nspr
# Run gyp.
PKG_CONFIG_PATH="$CWD/../nspr/$OBJ_DIR/config" $SCANBUILD \
gyp -f ninja $GYP_PARAMS --depth="$CWD" --generator-output="." "$CWD/nss.gyp"
fi
# Run ninja.
if which ninja >/dev/null 2>&1; then
NINJA=ninja
elif which ninja-build >/dev/null 2>&1; then
NINJA=ninja-build
else
echo "Please install ninja" 1>&2
exit 1
fi
# sign libs
# TODO: this is done every time at the moment.
cd out/Debug/
LD_LIBRARY_PATH=$DIST_DIR/lib/ ./shlibsign -v -i lib/libfreebl3.so
LD_LIBRARY_PATH=$DIST_DIR/lib/ ./shlibsign -v -i lib/libfreeblpriv3.so
LD_LIBRARY_PATH=$DIST_DIR/lib/ ./shlibsign -v -i lib/libnssdbm3.so
LD_LIBRARY_PATH=$DIST_DIR/lib/ ./shlibsign -v -i lib/libsoftokn3.so
# copy files over to the right directory
cp * "$DIST_DIR/bin/"
cp lib/* "$DIST_DIR/lib/"
find . -name "*.a" | xargs cp -t "$DIST_DIR/lib/"
if [ "$VERBOSE" = 1 ]; then
NINJA="$NINJA -v"
fi
$NINJA -C "$TARGET_DIR"
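Review bot: The option loop's `case $1 in` has no default arm, so a mistyped flag is consumed and silently ignored; adding `*) echo "Unknown option: $1" 1>&2; exit 1 ;;` before `esac` turns that into an error, in keeping with the new `set -e` strictness. `CWD=$(cd $(dirname $0); pwd -P)` leaves `$(dirname $0)` unquoted and would misbehave on a checkout path containing whitespace; `CWD=$(cd "$(dirname "$0")" && pwd -P)` also makes the `pwd` depend on the `cd` succeeding, which matters now that `rm -rf "$CWD/out"` uses the result. `$SCANBUILD` on the gyp line is presumably left unquoted so it can carry arguments; a short comment such as `# SCANBUILD may hold "scan-build <args>"; keep it unquoted.` would stop a future cleanup from quoting it.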


@ -145,23 +145,7 @@ Usage()
PRINTUSAGE("", "-k", "file which contains key");
#ifndef NSS_DISABLE_ECC
PRINTUSAGE("", "-n", "name of curve for EC key generation; one of:");
PRINTUSAGE("", "", " sect163k1, nistk163, sect163r1, sect163r2,");
PRINTUSAGE("", "", " nistb163, sect193r1, sect193r2, sect233k1, nistk233,");
PRINTUSAGE("", "", " sect233r1, nistb233, sect239k1, sect283k1, nistk283,");
PRINTUSAGE("", "", " sect283r1, nistb283, sect409k1, nistk409, sect409r1,");
PRINTUSAGE("", "", " nistb409, sect571k1, nistk571, sect571r1, nistb571,");
PRINTUSAGE("", "", " secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,");
PRINTUSAGE("", "", " nistp192, secp224k1, secp224r1, nistp224, secp256k1,");
PRINTUSAGE("", "", " secp256r1, nistp256, secp384r1, nistp384, secp521r1,");
PRINTUSAGE("", "", " nistp521, prime192v1, prime192v2, prime192v3,");
PRINTUSAGE("", "", " prime239v1, prime239v2, prime239v3, c2pnb163v1,");
PRINTUSAGE("", "", " c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,");
PRINTUSAGE("", "", " c2tnb191v2, c2tnb191v3, c2onb191v4, c2onb191v5,");
PRINTUSAGE("", "", " c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,");
PRINTUSAGE("", "", " c2onb239v4, c2onb239v5, c2pnb272w1, c2pnb304w1,");
PRINTUSAGE("", "", " c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1,");
PRINTUSAGE("", "", " secp112r2, secp128r1, secp128r2, sect113r1, sect113r2,");
PRINTUSAGE("", "", " sect131r1, sect131r2, curve25519");
PRINTUSAGE("", "", " nistp256, nistp384, nistp521");
#endif
PRINTUSAGE("", "-p", "do performance test");
PRINTUSAGE("", "-4", "run test in multithread mode. th_num number of parallel threads");
@ -415,9 +399,6 @@ typedef struct curveNameTagPairStr {
SECOidTag curveOidTag;
} CurveNameTagPair;
#define DEFAULT_CURVE_OID_TAG SEC_OID_SECG_EC_SECP192R1
/* #define DEFAULT_CURVE_OID_TAG SEC_OID_SECG_EC_SECP160R1 */
static CurveNameTagPair nameTagPair[] =
{
{ "sect163k1", SEC_OID_SECG_EC_SECT163K1 },
@ -1863,7 +1844,7 @@ bltest_ecdsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
cipherInfo->cipher.pubkeyCipher = ecdsa_signDigest;
} else {
/* Have to convert private key to public key. Memory
* is freed with private key's arena */
* is freed with private key's arena */
ECPublicKey *pubkey;
ECPrivateKey *key = (ECPrivateKey *)asymk->privKey;
pubkey = (ECPublicKey *)PORT_ArenaZAlloc(key->ecParams.arena,
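Review bot: The trimmed `-n` usage text now lists only `nistp256, nistp384, nistp521`, but the `nameTagPair[]` table in the second hunk still begins with `sect163k1`, so the option presumably still accepts every old curve name while the help claims otherwise; either prune the table to match or say in the usage line that other names are accepted but not supported by freebl. `#define DEFAULT_CURVE_OID_TAG SEC_OID_SECG_EC_SECP192R1` is removed here and again at the later `typedef struct curveNameTagPairStr` hunk; it is worth confirming that nothing outside the shown hunks in either file still refers to `DEFAULT_CURVE_OID_TAG`. `Usage()` continues outside the first hunk.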


@ -1,22 +1,4 @@
0 secp160k1
1 secp160r1
2 secp160r2
3 nistk163
4 sect163r1
5 nistb163
6 secp192k1
7 nistp192
8 secp224k1
9 nistp224
10 nistk233
11 nistb233
12 nistp256
13 nistk283
14 nistb283
15 nistp384
16 nistk409
17 nistb409
18 nistk571
19 nistb571
0 nistp256
1 nistp384
# the following tests are not yet implemented
#20 nistp521
2 nistp521


@ -1,2 +1,3 @@
AAAABwYFK4EEAAkAAAApBPiF0ntSFtn41JULxlA1l/lHE/zUPGJWkCqtdOryS6yD
WFCoF/IHwHsAAAAUcw+b2b1AJUlmezgu5EjmAGPC0YQ=
AAAACgYIKoZIzj0DAQcAAABBBNGB7n4kH15tKA/SMpetaQVqg6WxIuuUuMQT2tDX
NN5jKZfaxD47NsTjTr3x3D5t1qRBYuL6VtdgIuxBIHGG9dcAAAAgaGjyZBL+LN3a
7NkGiHJBfqh7XKNH0AnPF3vFWpostIQ=


@ -1,2 +1,4 @@
AAAABwYFK4EEAAgAAAApBI80VWK9xatmkFRiDTcdeFQ0T9h3h6iVOinMURyWZw0T
5vZqd8/gvwwAAAAUYOQMjDdtNSL5zY0nVWPWY+UJoqQ=
AAAABwYFK4EEACIAAABhBLWMJG3t4khPYcsl3H492rAqukJ1RqJm27pqpN54rFGG
r2VDwOfqb9tMninq8IyOh42eaaVOEPXXu4Q/ATWBEfrbTRBjTpzAE2SSPuQma0lM
q0RSVECCgdBOKIhB0H6VxAAAADA3WPjUaMWCS9E5KbVDrEcf5CV5tCNNWJQkwjsA
yALMCiXJqRVXwbq42WMuaELMW+g=


@ -1,3 +0,0 @@
AAAABwYFK4EEABoAAAA9BACmzalMQJBOWV2FoyV0tXSpT07Xajq4bB1SUwSY7QGn
dgGC3GBqjPs9vEpqfMMQ2M9k3+5oubWnexNFhQAAAB4BRha/6sE7VSHl92ZqCj5p
LYtBpK23jzfdVWO8SAY=


@ -1,3 +0,0 @@
AAAABwYFK4EEABsAAAA9BAD2/x9HSYYVEQ9AU4MivlIKPypJjsm0sTrp8BftlQGv
KaYrKpZCg/CEw3C2kqvke7HAu+10hafK9asRxQAAAB4AXyFCurtsXhahkyJpkb5J
LUg3xVL00vviR0KyFZY=


@ -1,3 +0,0 @@
AAAACgYIKoZIzj0DAQcAAABBBNGB7n4kH15tKA/SMpetaQVqg6WxIuuUuMQT2tDX
NN5jKZfaxD47NsTjTr3x3D5t1qRBYuL6VtdgIuxBIHGG9dcAAAAgaGjyZBL+LN3a
7NkGiHJBfqh7XKNH0AnPF3vFWpostIQ=


@ -1,3 +0,0 @@
AAAABwYFK4EEABAAAABJBAT3klWkt7+1Pr6QGEcvEIZplopwt1alrsJUThDOxvUF
7KvBpQLVjB+DQTwYQnEREb/WFyRgUBuIbII0+zd/g0fLHE4PQ8SNlAAAACQFPsMX
mqSVRreUVasUOIZQFB2jnpwCUyoq+xa9SRril5LeOCY=


@ -1,3 +0,0 @@
AAAABwYFK4EEABEAAABJBAf/ei/XCrFrMZLBp5BFkKZ3Odn+ZJu7QIAK32Ubuxmi
xgWTewf2vv+KY5kHwsBYuBXmmnKe9Ak9zGP4Lykvgk5n5J6iUz5ycQAAACQAQHXa
d29OqGxoDNCl9xETW3tAL/2hfZzstNuOPLm5kj4j1Dc=


@ -1,4 +0,0 @@
AAAABwYFK4EEACIAAABhBLWMJG3t4khPYcsl3H492rAqukJ1RqJm27pqpN54rFGG
r2VDwOfqb9tMninq8IyOh42eaaVOEPXXu4Q/ATWBEfrbTRBjTpzAE2SSPuQma0lM
q0RSVECCgdBOKIhB0H6VxAAAADA3WPjUaMWCS9E5KbVDrEcf5CV5tCNNWJQkwjsA
yALMCiXJqRVXwbq42WMuaELMW+g=


@ -1,4 +0,0 @@
AAAABwYFK4EEACQAAABpBADkgknFgTPuirxQxFlqIK+vcARWzlpJR+qmyRyQsBiz
Nh6Ws036xUKY9M8LxMIWXFNM6aIA2wxKsBF+HHD6oy27EAJSJOGbke/9F9Kv5AiW
2RXA4mllUaxCNsuQ36PqUdqv4FeXxWTpAAAANAHTZloqhR0V4bfyaeo2hojcvY3T
NO04ewNryBpsHZ0bhID0EfewYuwQmX00GYNfuV3mJ2w=


@ -1,4 +0,0 @@
AAAABwYFK4EEACUAAABpBAAEE/bAmqCjO3FLvN93Q/UjDyDp2sj+F//buuf1hZ0K
1rSOGXMLcBrqVa8R6UJ57F9/Yc0BCTylpJMXjfCr4eDczG4WOQk+5x8kpKQs5Q9U
V3IolHDiQY/Nhn7o4UFn5/mF71T3qUqwAAAANAH/o7jEl9Bw+Arj9uQ7ZHkoPGgx
t92UJg1r/lxa7UUd66iJfRI8n8yQH/sw56D1+CweeII=


@ -1,5 +0,0 @@
AAAABwYFK4EEACYAAACRBAffZTrfwIl0dciO2fui3UhZw6r+jnFh7gyER92gXL7+
LzPgTHagd1vdQiIX4K8Dv76KN0BldiFuX5odP7qC26MUaiURDdWT0AWcPmumSSBH
NXZYLLx5hQjW3BTNwV7v5bmUjezfgtuOCC30dQGs2GMgExAmiWRjTkiPrHg1SFKF
3RklauOyMWauaVpEzh3c+wAAAEgAZvLs4/Rx7tS+QGH92fGGIxPWPbVYOpDKwabY
poV2i1BD5Fxvw+eHlvxVOLmRPqRCPTfOLwAeNbHyt17U/BVZ8+svTChlzuA=


@ -1,5 +0,0 @@
AAAABwYFK4EEACcAAACRBASpPvOfQVqiMD+cBL/nulFit5pk/5beJ6/KpeIltg4s
6/s7PPggJA59BP7RJwak6rgY3PsRqXVPjyM/1UkUfRUR2BJgOfNTkQe9WF7Y5zXy
TM76cWhOP+sLSoUcscy/HTLCpHqRLLvWZPDzgjrfJqSlydMEDZjWsJRVPk9IfeQ/
amGiWOhJIQd/bSrAazZn6AAAAEgFz1qZzjHuhuP1boJ7gzndJhQslx1efbESxHSc
wbOpeBpw2MsCAwjtgo3Y8pviFIC8+5MStkFjE8uHQ0ngXc02wm3G0xj8XGQ=


@ -1,2 +1,5 @@
AAAABwYFK4EEAB4AAAApBGouC+vgvmItzsLO4hXn+AXi3skEE+M19o/QHLfjibbA
p7av8F4tcGgAAAAUmpQDUgnIkiXPBs0moD4jEmJHato=
AAAABwYFK4EEACMAAACFBAHLMSpMFVyG6mXE7SZ5O5Bwv4d8/QiAB3BzpXkyrU1W
jJ9O9uOYTXM+cFtF5v56+LsI4yGkaAl9+RF6lFPjrhpIswCmBmEqMBgZpjoz38my
nLHBI9MaFF8AHkRQwD3LJLo4eSZHOVkdIvDYLwicdlgr0zD3Nf76/HB1+0DkBGqE
MyG22gAAAEIAFah7z179UbqqdH68pzdZsP1ChXjtYZ11rBM0+HP7yLirxH3ahKTt
DjsY19GEjz4gKsaLfLiQ1/Dp+VKVLcBKpk0=


@ -1,5 +0,0 @@
AAAABwYFK4EEACMAAACFBAHLMSpMFVyG6mXE7SZ5O5Bwv4d8/QiAB3BzpXkyrU1W
jJ9O9uOYTXM+cFtF5v56+LsI4yGkaAl9+RF6lFPjrhpIswCmBmEqMBgZpjoz38my
nLHBI9MaFF8AHkRQwD3LJLo4eSZHOVkdIvDYLwicdlgr0zD3Nf76/HB1+0DkBGqE
MyG22gAAAEIAFah7z179UbqqdH68pzdZsP1ChXjtYZ11rBM0+HP7yLirxH3ahKTt
DjsY19GEjz4gKsaLfLiQ1/Dp+VKVLcBKpk0=


@ -1,2 +0,0 @@
AAAABwYFK4EEAAEAAAArBAe4qW9DTVGRVIYYznwJZbn8mWXLugA2A+Mv112Bu+y7
gxI8E4/fEdLTsQAAABUGEQDNcbxi0JhwALA8FCCxvmWYM3E=


@ -1,2 +0,0 @@
AAAABwYFK4EEAAIAAAArBAXw45Pc59l1QWmAB1W6M30lyFzQmAH/0FIFKYgEOYIa
dnEXMwKNwaRdsQAAABUCErj052f+Rth5OxAm376LOAQyvBY=


@ -1,2 +0,0 @@
AAAABwYFK4EEAA8AAAArBAFhm71N2wsUOYCwDNr/6rFvNX1okAbki1SNlHq2TQDO
Bktd1M0jlApWVQAAABUCILsraWg3Qi5nBsXQ1pGmZk0YuSA=


@ -1,2 +0,0 @@
AAAABwYFK4EEAB8AAAAxBHOYACoc9XsLk5n8NZZKV2U9CDoMj/VRDvqbf+myloR7
uBfVNm+uVN33Sa65phAfXQAAABitxs6KZtkqU4tglcdQ1Rmk2U74vjYP0JM=


@ -1,2 +0,0 @@
AAAACgYIKoZIzj0DAQEAAAAxBOyOI+rIs3x+jsChxQqSVblnoZGqhIM1WX0FMfw+
D8Dz6Y25iPcAQFpIAWh29FxnrgAAABh+uEQYXwMB783sULxE6PEd1t/MNZ9HSHI=


@ -1,3 +0,0 @@
AAAABwYFK4EEACAAAAA5BKQnZoj4VtlPqrJ5dekM4haG+7PjfgO4wNNIqD7JnrKI
gTUd+oUQ41d517xCObyBaHNzdVPty9DvAAAAHIrG9+FE+OJV5UV2l/op7PCDPI4G
qkpgzPIwe7U=


@ -1,3 +0,0 @@
AAAABwYFK4EEACEAAAA5BGCNDWldzQCbI83PMR96tqR6JnIUpvfIO8l6hIf/QfMc
rx2BbrSLoy6EJmP++Jyw5yNyaoVaNYl6AAAAHDnjgcUSIshTSLuejnSsvtvU363b
1NJv4ULUbIs=


@ -1262,8 +1262,8 @@ luG(enum usage_level ul, const char *command)
#ifndef NSS_DISABLE_ECC
FPS "%-20s Elliptic curve name (ec only)\n",
" -q curve-name");
FPS "%-20s One of nistp256, nistp384, nistp521, curve25519\n", "");
#ifdef NSS_ECC_MORE_THAN_SUITE_B
FPS "%-20s One of nistp256, nistp384, nistp521, curve25519.\n", "");
FPS "%-20s If a custom token is present, the following curves are also supported:\n", "");
FPS "%-20s sect163k1, nistk163, sect163r1, sect163r2,\n", "");
FPS "%-20s nistb163, sect193r1, sect193r2, sect233k1, nistk233,\n", "");
FPS "%-20s sect233r1, nistb233, sect239k1, sect283k1, nistk283,\n", "");
@ -1281,7 +1281,6 @@ luG(enum usage_level ul, const char *command)
FPS "%-20s c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, \n", "");
FPS "%-20s secp112r2, secp128r1, secp128r2, sect113r1, sect113r2\n", "");
FPS "%-20s sect131r1, sect131r2\n", "");
#endif /* NSS_ECC_MORE_THAN_SUITE_B */
#endif
FPS "%-20s Key database directory (default is ~/.netscape)\n",
" -d keydir");


@ -393,9 +393,6 @@ typedef struct curveNameTagPairStr {
SECOidTag curveOidTag;
} CurveNameTagPair;
#define DEFAULT_CURVE_OID_TAG SEC_OID_SECG_EC_SECP192R1
/* #define DEFAULT_CURVE_OID_TAG SEC_OID_SECG_EC_SECP160R1 */
static CurveNameTagPair nameTagPair[] =
{
{ "sect163k1", SEC_OID_SECG_EC_SECT163K1 },


@ -470,7 +470,7 @@ ectest_curve_pkcs11(ECCurveName curve, int iterations, int numThreads)
unsigned char digestData[20];
unsigned char pubKeyData[256];
PRLock *lock = NULL;
double signRate, deriveRate;
double signRate, deriveRate = 0;
CK_ATTRIBUTE template;
SECStatus rv;
CK_RV crv;
@ -595,7 +595,7 @@ ectest_curve_freebl(ECCurveName curve, int iterations, int numThreads,
SECItem digest;
unsigned char sigData[256];
unsigned char digestData[20];
double signRate, deriveRate;
double signRate, deriveRate = 0;
char genenc[3 + 2 * 2 * MAX_ECKEY_LEN];
SECStatus rv = SECFailure;
PLArenaPool *arena;
@ -765,44 +765,11 @@ main(int argv, char **argc)
/* specific arithmetic tests */
if (nist) {
#ifdef NSS_ECC_MORE_THAN_SUITE_B
ECTEST_NAMED_GFP("SECP-160K1", ECCurve_SECG_PRIME_160K1);
ECTEST_NAMED_GFP("NIST-P192", ECCurve_NIST_P192);
ECTEST_NAMED_GFP("NIST-P224", ECCurve_NIST_P224);
#endif
ECTEST_NAMED_GFP("NIST-P256", ECCurve_NIST_P256);
ECTEST_NAMED_GFP("NIST-P384", ECCurve_NIST_P384);
ECTEST_NAMED_GFP("NIST-P521", ECCurve_NIST_P521);
ECTEST_NAMED_CUSTOM("Curve25519", ECCurve25519);
}
#ifdef NSS_ECC_MORE_THAN_SUITE_B
if (ansi) {
ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v1", ECCurve_X9_62_PRIME_192V1);
ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v2", ECCurve_X9_62_PRIME_192V2);
ECTEST_NAMED_GFP("ANSI X9.62 PRIME192v3", ECCurve_X9_62_PRIME_192V3);
ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v1", ECCurve_X9_62_PRIME_239V1);
ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v2", ECCurve_X9_62_PRIME_239V2);
ECTEST_NAMED_GFP("ANSI X9.62 PRIME239v3", ECCurve_X9_62_PRIME_239V3);
ECTEST_NAMED_GFP("ANSI X9.62 PRIME256v1", ECCurve_X9_62_PRIME_256V1);
}
if (secp) {
ECTEST_NAMED_GFP("SECP-112R1", ECCurve_SECG_PRIME_112R1);
ECTEST_NAMED_GFP("SECP-112R2", ECCurve_SECG_PRIME_112R2);
ECTEST_NAMED_GFP("SECP-128R1", ECCurve_SECG_PRIME_128R1);
ECTEST_NAMED_GFP("SECP-128R2", ECCurve_SECG_PRIME_128R2);
ECTEST_NAMED_GFP("SECP-160K1", ECCurve_SECG_PRIME_160K1);
ECTEST_NAMED_GFP("SECP-160R1", ECCurve_SECG_PRIME_160R1);
ECTEST_NAMED_GFP("SECP-160R2", ECCurve_SECG_PRIME_160R2);
ECTEST_NAMED_GFP("SECP-192K1", ECCurve_SECG_PRIME_192K1);
ECTEST_NAMED_GFP("SECP-192R1", ECCurve_SECG_PRIME_192R1);
ECTEST_NAMED_GFP("SECP-224K1", ECCurve_SECG_PRIME_224K1);
ECTEST_NAMED_GFP("SECP-224R1", ECCurve_SECG_PRIME_224R1);
ECTEST_NAMED_GFP("SECP-256K1", ECCurve_SECG_PRIME_256K1);
ECTEST_NAMED_GFP("SECP-256R1", ECCurve_SECG_PRIME_256R1);
ECTEST_NAMED_GFP("SECP-384R1", ECCurve_SECG_PRIME_384R1);
ECTEST_NAMED_GFP("SECP-521R1", ECCurve_SECG_PRIME_521R1);
}
#endif
cleanup:
rv |= SECOID_Shutdown();
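Review bot: With the `#ifdef NSS_ECC_MORE_THAN_SUITE_B` blocks removed from `main`, the `ansi` and `secp` flags tested at `if (ansi)` / `if (secp)` no longer select any test, but the part of `main` that sets them lies outside the hunk; if the corresponding options are still accepted there they become silent no-ops, so either drop them from option parsing and the usage text or print a message that those curve families are no longer available. `deriveRate = 0` is now initialised in both `ectest_curve_*` functions while `signRate` on the same declaration line is not; if this silences a may-be-uninitialised warning, a brief comment such as `/* deriveRate is only assigned on the ECDH path */` explains why only one of the pair needs it. `main` starts outside the hunk.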


@ -25,6 +25,7 @@
#endif
#include "secoid.h"
#include "sslt.h"
extern long DER_GetInteger(const SECItem *src);
@ -731,3 +732,97 @@ SECU_SECItemHexStringToBinary(SECItem *srcdest)
srcdest->len /= 2;
return SECSuccess;
}
SSLNamedGroup
groupNameToNamedGroup(char *name)
{
if (PL_strlen(name) == 4) {
if (!strncmp(name, "P256", 4)) {
return ssl_grp_ec_secp256r1;
}
if (!strncmp(name, "P384", 4)) {
return ssl_grp_ec_secp384r1;
}
if (!strncmp(name, "P521", 4)) {
return ssl_grp_ec_secp521r1;
}
}
if (PL_strlen(name) == 6) {
if (!strncmp(name, "x25519", 6)) {
return ssl_grp_ec_curve25519;
}
if (!strncmp(name, "FF2048", 6)) {
return ssl_grp_ffdhe_2048;
}
if (!strncmp(name, "FF3072", 6)) {
return ssl_grp_ffdhe_3072;
}
if (!strncmp(name, "FF4096", 6)) {
return ssl_grp_ffdhe_4096;
}
if (!strncmp(name, "FF6144", 6)) {
return ssl_grp_ffdhe_6144;
}
if (!strncmp(name, "FF8192", 6)) {
return ssl_grp_ffdhe_8192;
}
}
return ssl_grp_none;
}
SECStatus
parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
unsigned int *enabledGroupsCount)
{
SSLNamedGroup *groups;
char *str;
char *p;
unsigned int numValues = 0;
unsigned int count = 0;
/* Count the number of groups. */
str = PORT_Strdup(arg);
if (!str) {
return SECFailure;
}
p = strtok(str, ",");
while (p) {
++numValues;
p = strtok(NULL, ",");
}
PORT_Free(str);
groups = PORT_ZNewArray(SSLNamedGroup, numValues);
if (!groups) {
goto done;
}
/* Get group names. */
str = PORT_Strdup(arg);
if (!str) {
goto done;
}
p = strtok(str, ",");
while (p) {
SSLNamedGroup group = groupNameToNamedGroup(p);
if (group == ssl_grp_none) {
count = 0;
goto done;
}
groups[count++] = group;
p = strtok(NULL, ",");
}
done:
if (str) {
PORT_Free(str);
}
if (!count) {
PORT_Free(groups);
return SECFailure;
}
*enabledGroupsCount = count;
*enabledGroups = groups;
return SECSuccess;
}
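Review bot: `parseGroupList` double-frees `str` on the allocation-failure path: after the counting loop `PORT_Free(str)` releases the buffer but leaves `str` non-NULL, so `if (!groups) goto done;` reaches `if (str) { PORT_Free(str); }` and frees the same pointer again. Resetting it after the first loop, `PORT_Free(str); str = NULL;`, closes that hole. `groupNameToNamedGroup(char *name)` only reads `name` and is fed `strtok` output, so `const char *name` is the more honest signature and lets callers pass literals without a cast; the declaration added to secutil.h in the next section would change with it. `strtok` is also not reentrant, which is acceptable for these command-line tools but deserves a one-line comment since secutil.c is shared by several of them.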


@ -13,6 +13,7 @@
#include "base64.h"
#include "secasn1.h"
#include "secder.h"
#include "sslt.h"
#include <stdio.h>
#ifdef SECUTIL_NEW
@ -112,6 +113,10 @@ SECU_ParseCommandLine(int argc, char **argv, char *progName,
char *
SECU_GetOptionArg(const secuCommand *cmd, int optionNum);
SECStatus parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
unsigned int *enabledGroupsCount);
SSLNamedGroup groupNameToNamedGroup(char *name);
/*
*
* Error messaging


@ -16,7 +16,7 @@
'pk11table.h',
'secutil.h'
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/private'
'destination': '<(nss_dist_dir)/private/<(module)'
}
]
}
@ -24,4 +24,4 @@
'variables': {
'module': 'nss'
}
}
}


@ -9,6 +9,7 @@
{
'target_name': 'sectool',
'type': 'static_library',
'standalone_static_library': 1,
'sources': [
'basicutil.c',
'derprint.c',


@ -29,8 +29,8 @@
],
'target_defaults': {
'include_dirs': [
'<(PRODUCT_DIR)/dist/nss/private',
'<(PRODUCT_DIR)/dist/dbm/private'
'<(nss_dist_dir)/private/nss',
'<(nss_dist_dir)/private/dbm'
],
'defines': [
'NSPR20',


@ -164,7 +164,7 @@ PrintUsageHeader(const char *progName)
" [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
" [-V [min-version]:[max-version]] [-a sni_name]\n"
" [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n"
" [-C SSLCacheEntries] [-S dsa_nickname] -Q"
" [-C SSLCacheEntries] [-S dsa_nickname] -Q [-I groups]"
#ifndef NSS_DISABLE_ECC
" [-e ec_nickname]"
#endif /* NSS_DISABLE_ECC */
@ -224,7 +224,10 @@ PrintParameterUsage()
"-c Restrict ciphers\n"
"-Y prints cipher values allowed for parameter -c and exits\n"
"-G enables the extended master secret extension [RFC7627]\n"
"-Q enables ALPN for HTTP/1.1 [RFC7301]\n",
"-Q enables ALPN for HTTP/1.1 [RFC7301]\n"
"-I comma separated list of enabled groups for TLS key exchange.\n"
" The following values are valid:\n"
" P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n",
stderr);
}
@ -801,6 +804,8 @@ PRBool failedToNegotiateName = PR_FALSE;
PRBool enableExtendedMasterSecret = PR_FALSE;
PRBool zeroRTT = PR_FALSE;
PRBool enableALPN = PR_FALSE;
SSLNamedGroup *enabledGroups = NULL;
unsigned int enabledGroupsCount = 0;
static char *virtServerNameArray[MAX_VIRT_SERVER_NAME_ARRAY_INDEX];
static int virtServerNameIndex = 1;
@ -1968,6 +1973,13 @@ server_main(
}
}
if (enabledGroups) {
rv = SSL_NamedGroupConfig(model_sock, enabledGroups, enabledGroupsCount);
if (rv < 0) {
errExit("SSL_NamedGroupConfig failed");
}
}
/* This cipher is not on by default. The Acceptance test
* would like it to be. Turn this cipher on.
*/
@ -2185,7 +2197,7 @@ main(int argc, char **argv)
int optionsFound = 0;
int maxProcs = 1;
unsigned short port = 0;
SECStatus rv;
SECStatus rv = SECSuccess;
PRStatus prStatus;
PRBool bindOnly = PR_FALSE;
PRBool useLocalThreads = PR_FALSE;
@ -2214,7 +2226,7 @@ main(int argc, char **argv)
** XXX: 'B', 'E', 'q', and 'x' were used in the past but removed
** in 3.28, please leave some time before resuing those. */
optstate = PL_CreateOptState(argc, argv,
"2:A:C:DGH:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:yz");
"2:A:C:DGH:I:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:yz");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
++optionsFound;
switch (optstate->option) {
@ -2242,9 +2254,6 @@ main(int argc, char **argv)
enableExtendedMasterSecret = PR_TRUE;
break;
case 'I': /* reserved for OCSP multi-stapling */
break;
case 'L':
logStats = PR_TRUE;
if (optstate->value == NULL) {
@ -2442,6 +2451,16 @@ main(int argc, char **argv)
enableALPN = PR_TRUE;
break;
case 'I':
rv = parseGroupList(optstate->value, &enabledGroups, &enabledGroupsCount);
if (rv != SECSuccess) {
PL_DestroyOptState(optstate);
fprintf(stderr, "Bad group specified.\n");
fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
exit(5);
}
break;
default:
case '?':
fprintf(stderr, "Unrecognized or bad option specified.\n");
@ -2745,6 +2764,9 @@ cleanup:
if (certStatusArena) {
PORT_FreeArena(certStatusArena, PR_FALSE);
}
if (enabledGroups) {
PORT_Free(enabledGroups);
}
if (NSS_Shutdown() != SECSuccess) {
SECU_PrintError(progName, "NSS_Shutdown");
if (loggerThread) {
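Review bot: The new `SSL_NamedGroupConfig` call in `server_main` checks `if (rv < 0)` while the `parseGroupList` call in `main` checks `rv != SECSuccess`; both work for `SECStatus`, but `if (rv != SECSuccess) {` in both places keeps the file's error idiom uniform and avoids relying on `SECFailure` being negative. `enabledGroups` and `enabledGroupsCount` are added as file-scope globals among the other configuration globals; a short comment such as `/* -I: groups enabled for TLS key exchange; NULL keeps the library defaults */` would document what NULL means, since `server_main` keys its behaviour on it. The `server_main` and `main` bodies extend outside their hunks.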


@ -100,6 +100,9 @@ static char *progName;
secuPWData pwdata = { PW_NONE, 0 };
SSLNamedGroup *enabledGroups = NULL;
unsigned int enabledGroupsCount = 0;
void
printSecurityInfo(PRFileDesc *fd)
{
@ -188,7 +191,7 @@ PrintUsageHeader(const char *progName)
"[-D | -d certdir] [-C] [-b | -R root-module] \n"
"[-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n"
"[-V [min-version]:[max-version]] [-K] [-T] [-U]\n"
"[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n",
"[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]] [-I groups]\n",
progName);
}
@ -255,6 +258,10 @@ PrintParameterUsage(void)
fprintf(stderr, "%-20s Require the use of FFDHE supported groups "
"[I-D.ietf-tls-negotiated-ff-dhe]\n",
"-H");
fprintf(stderr, "%-20s Comma separated list of enabled groups for TLS key exchange.\n"
"%-20s The following values are valid:\n"
"%-20s P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n",
"-G", "", "");
}
static void
@ -959,7 +966,7 @@ main(int argc, char **argv)
/* XXX: 'B' was used in the past but removed in 3.28,
* please leave some time before resuing it. */
optstate = PL_CreateOptState(argc, argv,
"46CDFGHKM:OR:STUV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:z");
"46CDFGHI:KM:OR:STUV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:z");
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
@ -1002,9 +1009,6 @@ main(int argc, char **argv)
requireDHNamedGroups = PR_TRUE;
break;
case 'I': /* reserved for OCSP multi-stapling */
break;
case 'O':
serverCertAuth.shouldPause = PR_FALSE;
break;
@ -1149,13 +1153,23 @@ main(int argc, char **argv)
case 'z':
enableCompression = 1;
break;
case 'I':
rv = parseGroupList(optstate->value, &enabledGroups, &enabledGroupsCount);
if (rv != SECSuccess) {
PL_DestroyOptState(optstate);
fprintf(stderr, "Bad group specified.\n");
Usage(progName);
}
break;
}
}
PL_DestroyOptState(optstate);
if (optstatus == PL_OPT_BAD)
if (optstatus == PL_OPT_BAD) {
Usage(progName);
}
if (!host || !portno) {
fprintf(stderr, "%s: parameters -h and -p are mandatory\n", progName);
@ -1472,6 +1486,15 @@ main(int argc, char **argv)
goto done;
}
if (enabledGroups) {
rv = SSL_NamedGroupConfig(s, enabledGroups, enabledGroupsCount);
if (rv < 0) {
SECU_PrintError(progName, "SSL_NamedGroupConfig failed");
error = 1;
goto done;
}
}
serverCertAuth.dbHandle = CERT_GetDefaultCertDB();
SSL_AuthCertificateHook(s, ownAuthCertificate, &serverCertAuth);
@ -1738,6 +1761,9 @@ done:
if (s) {
PR_Close(s);
}
if (enabledGroups) {
PORT_Free(enabledGroups);
}
if (NSS_IsInitialized()) {
SSL_ClearSessionCache();
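Review bot: The usage text for the group list is printed with `"-G", "", ""` as the option label, but the option is parsed as `case 'I':` and the header line advertises `[-I groups]`, so `-h` tells users to pass a flag that means something else; the `fprintf` arguments should be `"-I", "", "");`. In the `case 'I'` error path `PL_DestroyOptState(optstate)` is followed by `Usage(progName)`; if `Usage` returns instead of exiting, the loop continues with a destroyed optstate and `PL_DestroyOptState` runs again after the loop, so this relies on `Usage` not returning and could say so in a comment. `SSL_NamedGroupConfig` is checked with `rv < 0` here whereas the other added checks use `!= SECSuccess`; `if (rv != SECSuccess) {` keeps it consistent. `main` continues outside the hunks.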


@ -30,20 +30,23 @@
#XXX: gyp breaks if these are empty!
'nspr_lib_dir%': ' ',
'nspr_include_dir%': ' ',
'nss_dist_obj_dir%': ' ',
'nss_dist_dir%': ' ',
'zlib_libs%': [],
#TODO
'moz_debug_flags%': '',
'dll_prefix': '',
'dll_suffix': 'dll',
}, {
# On non-windows, default to a system NSPR.
'nspr_libs%': ['-lplds4', '-lplc4', '-lnspr4'],
'nspr_lib_dir%': '<!(<(python) <(DEPTH)/coreconf/nspr_lib_dir.py)',
'nspr_include_dir%': '<!(<(python) <(DEPTH)/coreconf/nspr_include_dir.py)',
'nspr_lib_dir%': '<!(<(python) <(DEPTH)/coreconf/pkg_config.py . --libs nspr)',
'nspr_include_dir%': '<!(<(python) <(DEPTH)/coreconf/pkg_config.py . --cflags nspr)',
'nss_dist_obj_dir%': '<!(<(python) <(DEPTH)/coreconf/pkg_config.py ../.. --cflags nspr)',
'nss_dist_dir%': '<!(<(python) <(DEPTH)/coreconf/pkg_config.py ../../.. --cflags nspr)',
'use_system_zlib%': 1,
}],
['OS=="linux" or OS=="android"', {
'zlib_libs%': ['<!@(<(python) <(DEPTH)/coreconf/pkg_config.py --libs zlib)'],
'zlib_libs%': ['<!@(<(python) <(DEPTH)/coreconf/pkg_config.py raw --libs zlib)'],
'moz_debug_flags%': '-gdwarf-2',
'optimize_flags%': '-O2',
'dll_prefix': 'lib',
@ -76,30 +79,37 @@
'nspr_libs%': ['<@(nspr_libs)'],
'nspr_lib_dir%': '<(nspr_lib_dir)',
'nspr_include_dir%': '<(nspr_include_dir)',
'nss_dist_obj_dir%': '<(nss_dist_obj_dir)',
'nss_dist_dir%': '<(nss_dist_dir)',
'use_system_sqlite%': '<(use_system_sqlite)',
'sqlite_libs%': ['-lsqlite3'],
'dll_prefix': '<(dll_prefix)',
'dll_suffix': '<(dll_suffix)',
'cc_is_clang%': '<(cc_is_clang)',
# Some defaults
'disable_tests%': 0,
'disable_chachapoly%': 0,
'disable_dbm%': 0,
'disable_libpkix%': 0,
'ssl_enable_zlib%': 1,
'use_asan%': 0,
'disable_werror%': 0,
'mozilla_client%': 0,
'moz_fold_libs%': 0,
'moz_folded_library_name%': '',
'ssl_enable_zlib%': 1,
'use_asan%': 0,
'test_build%': 0,
},
'target_defaults': {
# Settings specific to targets should go here.
# This is mostly for linking to libraries.
'variables': {
'mapfile%': '',
'test_build%': 0,
},
'standalone_static_library': 0,
'include_dirs': [
'<(nspr_include_dir)',
'<(PRODUCT_DIR)/dist/<(module)/private',
'<(nss_dist_dir)/private/<(module)',
],
'conditions': [
[ 'OS=="linux"', {
@ -111,8 +121,18 @@
}],
],
'target_conditions': [
# If we want to properly export a static library, and copy it to lib,
# we need to mark it as a 'standalone_static_library'. Otherwise,
# the relative paths in the thin archive will break linking.
[ '_type=="shared_library"', {
'product_dir': '<(nss_dist_obj_dir)/lib'
}, '_type=="executable"', {
'product_dir': '<(nss_dist_obj_dir)/bin'
}, '_standalone_static_library==1', {
'product_dir': '<(nss_dist_obj_dir)/lib'
}],
# mapfile handling
[ 'mapfile!=""', {
[ 'test_build==0 and mapfile!=""', {
# Work around a gyp bug. Fixed upstream but not in Ubuntu packages:
# https://chromium.googlesource.com/external/gyp/+/b85ad3e578da830377dbc1843aa4fbc5af17a192%5E%21/
'sources': [
@ -152,6 +172,14 @@
}],
}]
],
}, 'test_build==1 and _type=="shared_library"', {
# When linking a shared lib against a static one, XCode doesn't
# export the latter's symbols by default. -all_load fixes that.
'xcode_settings': {
'OTHER_LDFLAGS': [
'-all_load',
],
},
}],
[ '_type=="shared_library" or _type=="executable"', {
'libraries': [
@ -213,12 +241,9 @@
'-fno-common',
'-pipe',
],
# TODO:
# 'GCC_TREAT_WARNINGS_AS_ERRORS'
# 'WARNING_CFLAGS'
},
'conditions': [
['OS=="linux" or OS=="android"', {
[ 'OS=="linux" or OS=="android"', {
'defines': [
'LINUX2_1',
'LINUX',
@ -249,6 +274,11 @@
}],
],
}],
[ 'disable_werror==0 and (OS=="linux" or OS=="mac")', {
'cflags': [
'<!@(<(python) <(DEPTH)/coreconf/werror.py)',
],
}],
[ 'OS=="android" and mozilla_client==0', {
'defines': [
'NO_SYSINFO',
@ -285,6 +315,15 @@
],
'cflags': [
'-W3',
'-w44267', # Disable C4267: conversion from 'size_t' to 'type', possible loss of data
'-w44244', # Disable C4244: conversion from 'type1' to 'type2', possible loss of data
'-w44018', # Disable C4018: 'expression' : signed/unsigned mismatch
'-w44312', # Disable C4312: 'type cast': conversion from 'type1' to 'type2' of greater size
],
'conditions': [
[ 'disable_werror==0', {
'cflags': ['-WX']
}]
],
}],
[ 'disable_dbm==1', {
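Review bot: `nss_dist_obj_dir` and `nss_dist_dir` are now derived by walking `../..` and `../../..` up from the NSPR `--cflags` include directory, and this sits in the branch commented `# On non-windows, default to a system NSPR.`; if pkg-config resolves to a system NSPR such as `-I/usr/include/nspr`, the helper's `os.path.realpath` yields `/usr` and `/`, and the new `product_dir` rules would then aim shared libraries and executables at `/usr/lib` and `/usr/bin`. Since the layout only holds for an in-tree NSPR built beside `dist`, a comment stating that assumption, e.g. `# Assumes an in-tree NSPR: <dist>/<obj>/include/nspr -> <dist>/<obj> -> <dist>`, plus an explicit override for the system-NSPR case, would make the failure mode visible rather than an unexpected write into system paths.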


@ -150,10 +150,6 @@ ifdef NSS_DISABLE_ECC
DEFINES += -DNSS_DISABLE_ECC
endif
ifdef NSS_ECC_MORE_THAN_SUITE_B
DEFINES += -DNSS_ECC_MORE_THAN_SUITE_B
endif
ifdef NSS_ALLOW_UNSUPPORTED_CRITICAL
DEFINES += -DNSS_ALLOW_UNSUPPORTED_CRITICAL
endif


@ -10,4 +10,3 @@
*/
#error "Do not include this header file."


@ -1,17 +0,0 @@
#!/usr/bin/env python
import os
import subprocess
def main():
try:
for part in subprocess.Popen(['pkg-config', '--cflags', 'nspr'], stdout=subprocess.PIPE, stderr=open(os.devnull, 'wb')).communicate()[0].strip().split():
if part.startswith('-I'):
print part[2:]
return
except OSError:
# pkg-config is probably not installed
pass
if __name__ == '__main__':
main()


@ -1,17 +0,0 @@
#!/usr/bin/env python
import os
import subprocess
def main():
try:
for part in subprocess.Popen(['pkg-config', '--libs', 'nspr'], stdout=subprocess.PIPE, stderr=open(os.devnull, 'wb')).communicate()[0].strip().split():
if part.startswith('-L'):
print part[2:]
return
except OSError:
# pkg-config is probably not installed
pass
if __name__ == '__main__':
main()


@ -1,15 +1,39 @@
#!/usr/bin/env python
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
import os
import subprocess
import sys
def main():
is_raw = sys.argv[1] == 'raw'
stdout = None if is_raw else subprocess.PIPE
if sys.argv[2] == '--libs':
part_prefix = '-L'
elif sys.argv[2] == '--cflags':
part_prefix = '-I'
else:
raise 'Specify either --libs or --cflags as the second argument.'
try:
subprocess.Popen(['pkg-config'] + sys.argv[1:], stderr=open(os.devnull, 'wb')).wait()
process = subprocess.Popen(['pkg-config'] + sys.argv[2:], stdout=stdout, stderr=open(os.devnull, 'wb'))
except OSError:
# pkg-config is probably not installed
pass
return
if is_raw:
process.wait()
return
for part in process.communicate()[0].strip().split():
if part.startswith(part_prefix):
print os.path.realpath(os.path.join(part[2:], sys.argv[1]))
return
if __name__ == '__main__':
main()
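Review bot: `raise 'Specify either --libs or --cflags as the second argument.'` raises a string, which is a TypeError on Python 2.6+ and on Python 3, so the intended usage message never reaches the caller; change it to `raise ValueError('Specify either --libs or --cflags as the second argument.')`. The `open(os.devnull, 'wb')` handle passed as `stderr` is never closed, and `sys.argv[1]` / `sys.argv[2]` are indexed without a length check, so a missing argument surfaces as an IndexError rather than a usage error. A short module docstring stating the two call forms (`raw` followed by pkg-config arguments, or a path component followed by `--libs`/`--cflags`) would help, since the argument contract is currently only inferable from the argv indexing.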


@ -23,7 +23,13 @@ LDFLAGS += $(SANITIZER_LDFLAGS)
# frame pointers even with this option.)
SANITIZER_CFLAGS += -fno-omit-frame-pointer -fno-optimize-sibling-calls
ifdef BUILD_OPT
# You probably want to be able to get debug info for failures, even with an
# optimized build.
OPTIMIZER += -g
else
# Try maintaining reasonable performance, ASan and UBSan slow things down.
OPTIMIZER += -O1
endif
endif


@ -0,0 +1,27 @@
#!/usr/bin/env python
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
import os
import subprocess
import sys
def main():
for lib_file in sys.argv[1:]:
if os.path.isfile(lib_file):
sign(lib_file)
def sign(lib_file):
ld_lib_path = os.path.realpath(os.path.join(lib_file, '..'))
bin_path = os.path.realpath(os.path.join(ld_lib_path, '../bin'))
env = os.environ.copy()
env['LD_LIBRARY_PATH'] = env['DYLD_LIBRARY_PATH'] = ld_lib_path
dev_null = open(os.devnull, 'wb')
subprocess.Popen([os.path.join(bin_path, 'shlibsign'), '-v', '-i', lib_file], env=env, stdout=dev_null, stderr=dev_null).wait()
if __name__ == '__main__':
main()
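Review bot: The exit status of `shlibsign` in `sign()` is discarded (the `.wait()` result is unused) and both stdout and stderr are sent to `os.devnull`, so a failed signing step produces no error and the build proceeds with an unsigned library; `subprocess.check_call([os.path.join(bin_path, 'shlibsign'), '-v', '-i', lib_file], env=env, stdout=dev_null, stderr=dev_null)` would make the failure visible. The `dev_null` handle is never closed; wrapping the call in `with open(os.devnull, 'wb') as dev_null:` fixes that. Deriving `bin_path` as `../bin` relative to the library's directory is an assumption about the dist layout and deserves a one-line comment naming it.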


@ -0,0 +1,54 @@
#!/usr/bin/env python
import os
import subprocess
def main():
cc = os.environ.get('CC', 'cc')
sink = open(os.devnull, 'wb')
cc_is_clang = 'clang' in subprocess.check_output([cc, '--version'], stderr=sink)
def warning_supported(warning):
return subprocess.call([cc, '-x', 'c', '-E', '-Werror',
'-W%s' % warning, os.devnull], stdout=sink, stderr=sink) == 0
def can_enable():
# This would be a problem
if not warning_supported('all'):
return False
# If we aren't clang, make sure we have gcc 4.8 at least
if not cc_is_clang:
try:
v = subprocess.check_output([cc, '-dumpversion'], stderr=sink)
v = v.strip(' \r\n').split('.')
if v[0] < 4 or (v[0] == 4 and v[1] < 8):
# gcc 4.8 minimum
return False
except OSError:
return False
return True
if not can_enable():
print('-DNSS_NO_GCC48')
return
print('-Werror')
print('-Wall')
def set_warning(warning, contra=''):
if warning_supported(warning):
print('-W%s%s' % (contra, warning))
if cc_is_clang:
# clang is unable to handle glib's expansion of strcmp and similar for
# optimized builds, so disable the resulting errors.
# See https://llvm.org/bugs/show_bug.cgi?id=20144
for w in ['array-bounds', 'unevaluated-expression',
'parentheses-equality']:
set_warning(w, 'no-')
print('-Qunused-arguments')
# set_warning('shadow') # Bug 1309068
if __name__ == '__main__':
main()
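Review bot: The gcc version check in `can_enable()` compares the string components returned by `-dumpversion` with integers (`v[0] < 4`, `v[1] < 8`); under Python 2 a str never compares less than an int, so the `gcc 4.8 minimum` branch can never trigger and `-Werror` is enabled on older gcc as well. Convert before comparing, e.g. `v = [int(x) for x in v.strip(' \r\n').split('.')]`. The `except OSError` around `check_output` does not cover `subprocess.CalledProcessError` from a non-zero exit, and a `CC` value that carries arguments (a wrapper plus compiler) will not run as `[cc, '--version']`; both are worth a guard or at least a comment stating the assumption.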


@ -314,28 +314,27 @@ Add one or multiple extensions that certutil cannot encode yet, by loading their
<term>-q pqgfile or curve-name</term>
<listitem>
<para>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <command>certutil</command> generates its own PQG value. PQG files are created with a separate DSA utility.</para>
<para>Elliptic curve name is one of the ones from SUITE B: nistp256, nistp384, nistp521</para>
<para>Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.</para>
<para>
If NSS has been compiled with support curves outside of SUITE B:
sect163k1, nistk163, sect163r1, sect163r2,
nistb163, sect193r1, sect193r2, sect233k1, nistk233,
sect233r1, nistb233, sect239k1, sect283k1, nistk283,
sect283r1, nistb283, sect409k1, nistk409, sect409r1,
nistb409, sect571k1, nistk571, sect571r1, nistb571,
secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,
nistp192, secp224k1, secp224r1, nistp224, secp256k1,
secp256r1, secp384r1, secp521r1,
prime192v1, prime192v2, prime192v3,
prime239v1, prime239v2, prime239v3, c2pnb163v1,
c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,
c2tnb191v2, c2tnb191v3,
c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,
c2pnb272w1, c2pnb304w1,
c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1,
secp112r2, secp128r1, secp128r2, sect113r1, sect113r2
sect131r1, sect131r2
If a token is available that supports more curves, the foolowing curves are supported as well:
sect163k1, nistk163, sect163r1, sect163r2,
nistb163, sect193r1, sect193r2, sect233k1, nistk233,
sect233r1, nistb233, sect239k1, sect283k1, nistk283,
sect283r1, nistb283, sect409k1, nistk409, sect409r1,
nistb409, sect571k1, nistk571, sect571r1, nistb571,
secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,
nistp192, secp224k1, secp224r1, nistp224, secp256k1,
secp256r1, secp384r1, secp521r1,
prime192v1, prime192v2, prime192v3,
prime239v1, prime239v2, prime239v3, c2pnb163v1,
c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,
c2tnb191v2, c2tnb191v3,
c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,
c2pnb272w1, c2pnb304w1,
c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1,
secp112r2, secp128r1, secp128r2, sect113r1, sect113r2,
sect131r1, sect131r2
</para>
</listitem>
</varlistentry>


@ -20,26 +20,25 @@ Add one or multiple extensions that certutil cannot encode yet, by loading their
duplicate nicknames. Giving a key type generates a new key pair;
giving the ID of an existing key reuses that key pair (which is
required to renew certificates).
</p></dd><dt><span class="term">-l </span></dt><dd><p>Display detailed information when validating a certificate with the -V option.</p></dd><dt><span class="term">-m serial-number</span></dt><dd><p>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers </p></dd><dt><span class="term">-n nickname</span></dt><dd><p>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-o output-file</span></dt><dd><p>Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.</p></dd><dt><span class="term">-P dbPrefix</span></dt><dd><p>Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.</p></dd><dt><span class="term">-p phone</span></dt><dd><p>Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-q pqgfile or curve-name</span></dt><dd><p>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <span class="command"><strong>certutil</strong></span> generates its own PQG value. PQG files are created with a separate DSA utility.</p><p>Elliptic curve name is one of the ones from SUITE B: nistp256, nistp384, nistp521</p><p>
If NSS has been compiled with support curves outside of SUITE B:
sect163k1, nistk163, sect163r1, sect163r2,
nistb163, sect193r1, sect193r2, sect233k1, nistk233,
sect233r1, nistb233, sect239k1, sect283k1, nistk283,
sect283r1, nistb283, sect409k1, nistk409, sect409r1,
nistb409, sect571k1, nistk571, sect571r1, nistb571,
secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,
nistp192, secp224k1, secp224r1, nistp224, secp256k1,
secp256r1, secp384r1, secp521r1,
prime192v1, prime192v2, prime192v3,
prime239v1, prime239v2, prime239v3, c2pnb163v1,
c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,
c2tnb191v2, c2tnb191v3,
c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,
c2pnb272w1, c2pnb304w1,
c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1,
secp112r2, secp128r1, secp128r2, sect113r1, sect113r2
sect131r1, sect131r2
</p></dd><dt><span class="term">-r </span></dt><dd><p>Display a certificate's binary DER encoding when listing information about that certificate with the -L option.</p></dd><dt><span class="term">-s subject</span></dt><dd><p>Identify a particular certificate owner for new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces. The subject identification format follows RFC #1485.</p></dd><dt><span class="term">-t trustargs</span></dt><dd><p>Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database. There are three available trust categories for each certificate, expressed in the order <span class="emphasis"><em>SSL, email, object signing</em></span> for each trust setting. In each category position, use none, any, or all
</p></dd><dt><span class="term">-l </span></dt><dd><p>Display detailed information when validating a certificate with the -V option.</p></dd><dt><span class="term">-m serial-number</span></dt><dd><p>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers </p></dd><dt><span class="term">-n nickname</span></dt><dd><p>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-o output-file</span></dt><dd><p>Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.</p></dd><dt><span class="term">-P dbPrefix</span></dt><dd><p>Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.</p></dd><dt><span class="term">-p phone</span></dt><dd><p>Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-q pqgfile or curve-name</span></dt><dd><p>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <span class="command"><strong>certutil</strong></span> generates its own PQG value. PQG files are created with a separate DSA utility.</p><p>Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.</p><p>If a token is available that supports more curves, the foolowing curves are supported as well:
sect163k1, nistk163, sect163r1, sect163r2,
nistb163, sect193r1, sect193r2, sect233k1, nistk233,
sect233r1, nistb233, sect239k1, sect283k1, nistk283,
sect283r1, nistb283, sect409k1, nistk409, sect409r1,
nistb409, sect571k1, nistk571, sect571r1, nistb571,
secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,
nistp192, secp224k1, secp224r1, nistp224, secp256k1,
secp256r1, secp384r1, secp521r1,
prime192v1, prime192v2, prime192v3,
prime239v1, prime239v2, prime239v3, c2pnb163v1,
c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,
c2tnb191v2, c2tnb191v3,
c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,
c2pnb272w1, c2pnb304w1,
c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1,
secp112r2, secp128r1, secp128r2, sect113r1, sect113r2,
sect131r1, sect131r2</p>
</dd><dt><span class="term">-r </span></dt><dd><p>Display a certificate's binary DER encoding when listing information about that certificate with the -L option.</p></dd><dt><span class="term">-s subject</span></dt><dd><p>Identify a particular certificate owner for new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces. The subject identification format follows RFC #1485.</p></dd><dt><span class="term">-t trustargs</span></dt><dd><p>Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database. There are three available trust categories for each certificate, expressed in the order <span class="emphasis"><em>SSL, email, object signing</em></span> for each trust setting. In each category position, use none, any, or all
of the attribute codes:
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<span class="command"><strong>p</strong></span> - Valid peer


@ -371,9 +371,9 @@ Read an alternate PQG value from the specified file when generating DSA key pair
\fBcertutil\fR
generates its own PQG value\&. PQG files are created with a separate DSA utility\&.
.sp
Elliptic curve name is one of the ones from SUITE B: nistp256, nistp384, nistp521
Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.
.sp
If NSS has been compiled with support curves outside of SUITE B: sect163k1, nistk163, sect163r1, sect163r2, nistb163, sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1, sect283k1, nistk283, sect283r1, nistb283, sect409k1, nistk409, sect409r1, nistb409, sect571k1, nistk571, sect571r1, nistb571, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, secp256k1, secp256r1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2 sect131r1, sect131r2
If a token is available that supports more curves, the foolowing curves are supported as well: sect163k1, nistk163, sect163r1, sect163r2, nistb163, sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1, sect283k1, nistk283, sect283r1, nistb283, sect409k1, nistk409, sect409r1, nistb409, sect571k1, nistk571, sect571r1, nistb571, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, secp256k1, secp256r1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, sect131r1, sect131r2
.RE
.PP
\-r


@ -11,7 +11,7 @@
'type': 'none',
'direct_dependent_settings': {
'include_dirs': [
'<(PRODUCT_DIR)/dist/nss/public'
'<(nss_dist_dir)/public/nss'
]
},
'dependencies': [
@ -64,7 +64,7 @@
['disable_dbm==0', {
'direct_dependent_settings': {
'include_dirs': [
'<(PRODUCT_DIR)/dist/dbm/public'
'<(nss_dist_dir)/public/dbm'
]
},
'dependencies': [


@ -1,18 +1,6 @@
{
"DisabledTests": {
"*TLS13*":"Draft version mismatch (NSS=15, BoGo=14)",
"FallbackSCSV-VersionMatch":"Draft version mismatch (NSS=15, BoGo=14)",
"SendEmptyRecords-Pass":"Draft version mismatch (NSS=15, BoGo=14)",
"SendSNIWarningAlert":"Draft version mismatch (NSS=15, BoGo=14)",
"UnknownCipher":"Draft version mismatch (NSS=15, BoGo=14)",
"UnknownCurve":"Draft version mismatch (NSS=15, BoGo=14)",
"*TrailingMessageData*":"Draft version mismatch (NSS=15, BoGo=14)",
"*Downgrade-TLS12*":"Draft version mismatch (NSS=15, BoGo=14)",
"UnknownCurve":"Draft version mismatch (NSS=15, BoGo=14)",
"*MissingKeyShare*":"Draft version mismatch (NSS=15, BoGo=14)",
"SecondClientHelloWrongCurve":"Draft version mismatch (NSS=15, BoGo=14)",
"*HelloRetryRequest*":"Draft version mismatch (NSS=15, BoGo=14)",
"*PartialEncryptedExtensionsWithServerHello*":"Draft version mismatch (NSS=15, BoGo=14)",
"*KeyUpdate*":"KeyUpdate Unimplemented",
"ClientAuth-NoFallback-TLS13":"Disagreement about alerts. Bug 1294975",
"ClientAuth-SHA1-Fallback":"Disagreement about alerts. Bug 1294975",


@ -99,8 +99,7 @@ TEST_P(TlsConnectTls12, ServerAuthCheckSigAlg) {
EXPECT_TRUE(buffer.Read(1, 2, &tmp)) << "read NamedCurve";
EXPECT_EQ(ssl_grp_ec_curve25519, tmp);
EXPECT_TRUE(buffer.Read(3, 1, &tmp)) << " read ECPoint";
CheckSigScheme(capture_ske, 4 + tmp, client_, kTlsSigSchemeRsaPssSha256,
1024);
CheckSigScheme(capture_ske, 4 + tmp, client_, ssl_sig_rsa_pss_sha256, 1024);
}
TEST_P(TlsConnectTls12, ClientAuthCheckSigAlg) {
@ -113,8 +112,7 @@ TEST_P(TlsConnectTls12, ClientAuthCheckSigAlg) {
Connect();
CheckKeys();
CheckSigScheme(capture_cert_verify, 0, server_, kTlsSigSchemeRsaPkcs1Sha1,
1024);
CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pkcs1_sha1, 1024);
}
TEST_P(TlsConnectTls12, ClientAuthBigRsaCheckSigAlg) {
@ -126,18 +124,17 @@ TEST_P(TlsConnectTls12, ClientAuthBigRsaCheckSigAlg) {
server_->RequestClientAuth(true);
Connect();
CheckKeys();
CheckSigScheme(capture_cert_verify, 0, server_, kTlsSigSchemeRsaPssSha256,
2048);
CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pss_sha256, 2048);
}
static const SSLSignatureAndHashAlg SignatureEcdsaSha384[] = {
{ssl_hash_sha384, ssl_sign_ecdsa}};
static const SSLSignatureAndHashAlg SignatureEcdsaSha256[] = {
{ssl_hash_sha256, ssl_sign_ecdsa}};
static const SSLSignatureAndHashAlg SignatureRsaSha384[] = {
{ssl_hash_sha384, ssl_sign_rsa}};
static const SSLSignatureAndHashAlg SignatureRsaSha256[] = {
{ssl_hash_sha256, ssl_sign_rsa}};
static const SSLSignatureScheme SignatureSchemeEcdsaSha384[] = {
ssl_sig_ecdsa_secp384r1_sha384};
static const SSLSignatureScheme SignatureSchemeEcdsaSha256[] = {
ssl_sig_ecdsa_secp256r1_sha256};
static const SSLSignatureScheme SignatureSchemeRsaSha384[] = {
ssl_sig_rsa_pkcs1_sha384};
static const SSLSignatureScheme SignatureSchemeRsaSha256[] = {
ssl_sig_rsa_pkcs1_sha256};
static SSLNamedGroup NamedGroupForEcdsa384(uint16_t version) {
// NSS tries to match the group size to the symmetric cipher. In TLS 1.1 and
@ -153,10 +150,10 @@ static SSLNamedGroup NamedGroupForEcdsa384(uint16_t version) {
// for TLS 1.1 and 1.0, where they should be ignored.
TEST_P(TlsConnectGeneric, SignatureAlgorithmServerAuth) {
Reset(TlsAgent::kServerEcdsa384);
client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
server_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
Connect();
CheckKeys(ssl_kea_ecdh, NamedGroupForEcdsa384(version_), ssl_auth_ecdsa,
ssl_sig_ecdsa_secp384r1_sha384);
@ -171,8 +168,11 @@ TEST_P(TlsConnectGeneric, SignatureAlgorithmClientOnly) {
{ssl_hash_md5, ssl_sign_ecdsa} // unsupported and ignored
};
Reset(TlsAgent::kServerEcdsa384);
client_->SetSignatureAlgorithms(clientAlgorithms,
PR_ARRAY_SIZE(clientAlgorithms));
EnsureTlsSetup();
// Use the old API for this function.
EXPECT_EQ(SECSuccess,
SSL_SignaturePrefSet(client_->ssl_fd(), clientAlgorithms,
PR_ARRAY_SIZE(clientAlgorithms)));
Connect();
CheckKeys(ssl_kea_ecdh, NamedGroupForEcdsa384(version_), ssl_auth_ecdsa,
ssl_sig_ecdsa_secp384r1_sha384);
@ -182,52 +182,38 @@ TEST_P(TlsConnectGeneric, SignatureAlgorithmClientOnly) {
// Defaults on the client include the provided option.
TEST_P(TlsConnectGeneric, SignatureAlgorithmServerOnly) {
Reset(TlsAgent::kServerEcdsa384);
server_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
Connect();
CheckKeys(ssl_kea_ecdh, NamedGroupForEcdsa384(version_), ssl_auth_ecdsa,
ssl_sig_ecdsa_secp384r1_sha384);
}
// In TlS 1.2, a P-256 cert can be used with SHA-384.
TEST_P(TlsConnectTls12, SignatureSchemeCurveMismatch12) {
TEST_P(TlsConnectTls12Plus, SignatureSchemeCurveMismatch) {
Reset(TlsAgent::kServerEcdsa256);
client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
Connect();
// The scheme is reported as using secp384r1, but this is just the generic
// ECDSA + SHA-384 codepoint as defined in TLS 1.2.
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_ecdsa,
ssl_sig_ecdsa_secp384r1_sha384);
}
#ifndef NSS_DISABLE_TLS_1_3
TEST_P(TlsConnectTls13, SignatureAlgorithmServerUnsupported) {
Reset(TlsAgent::kServerEcdsa256); // P-256 cert
server_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
ConnectExpectFail();
server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
}
TEST_P(TlsConnectTls13, SignatureAlgorithmClientUnsupported) {
Reset(TlsAgent::kServerEcdsa256); // P-256 cert
client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
TEST_P(TlsConnectTls12Plus, SignatureSchemeBadConfig) {
Reset(TlsAgent::kServerEcdsa256); // P-256 cert can't be used.
server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
ConnectExpectFail();
server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
}
#endif
// Where there is no overlap on signature schemes, we still connect successfully
// if we aren't going to use a signature.
TEST_P(TlsConnectGenericPre13, SignatureAlgorithmNoOverlapStaticRsa) {
client_->SetSignatureAlgorithms(SignatureRsaSha384,
PR_ARRAY_SIZE(SignatureRsaSha384));
server_->SetSignatureAlgorithms(SignatureRsaSha256,
PR_ARRAY_SIZE(SignatureRsaSha256));
client_->SetSignatureSchemes(SignatureSchemeRsaSha384,
PR_ARRAY_SIZE(SignatureSchemeRsaSha384));
server_->SetSignatureSchemes(SignatureSchemeRsaSha256,
PR_ARRAY_SIZE(SignatureSchemeRsaSha256));
EnableOnlyStaticRsaCiphers();
Connect();
CheckKeys(ssl_kea_rsa, ssl_auth_rsa_decrypt);
@ -235,10 +221,10 @@ TEST_P(TlsConnectGenericPre13, SignatureAlgorithmNoOverlapStaticRsa) {
TEST_P(TlsConnectTls12Plus, SignatureAlgorithmNoOverlapEcdsa) {
Reset(TlsAgent::kServerEcdsa256);
client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
server_->SetSignatureAlgorithms(SignatureEcdsaSha256,
PR_ARRAY_SIZE(SignatureEcdsaSha256));
client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
server_->SetSignatureSchemes(SignatureSchemeEcdsaSha256,
PR_ARRAY_SIZE(SignatureSchemeEcdsaSha256));
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
@ -247,10 +233,10 @@ TEST_P(TlsConnectTls12Plus, SignatureAlgorithmNoOverlapEcdsa) {
// Pre 1.2, a mismatch on signature algorithms shouldn't affect anything.
TEST_P(TlsConnectPre12, SignatureAlgorithmNoOverlapEcdsa) {
Reset(TlsAgent::kServerEcdsa256);
client_->SetSignatureAlgorithms(SignatureEcdsaSha384,
PR_ARRAY_SIZE(SignatureEcdsaSha384));
server_->SetSignatureAlgorithms(SignatureEcdsaSha256,
PR_ARRAY_SIZE(SignatureEcdsaSha256));
client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
server_->SetSignatureSchemes(SignatureSchemeEcdsaSha256,
PR_ARRAY_SIZE(SignatureSchemeEcdsaSha256));
Connect();
}
@ -274,8 +260,8 @@ TEST_P(TlsConnectTls12, SignatureAlgorithmDrop) {
}
TEST_P(TlsConnectTls12Plus, RequestClientAuthWithSha384) {
server_->SetSignatureAlgorithms(SignatureRsaSha384,
PR_ARRAY_SIZE(SignatureRsaSha384));
server_->SetSignatureSchemes(SignatureSchemeRsaSha384,
PR_ARRAY_SIZE(SignatureSchemeRsaSha384));
server_->RequestClientAuth(false);
Connect();
}
@ -625,4 +611,117 @@ TEST_F(TlsAgentStreamTestServer, ConfigureCertRsaPss) {
EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsaPss, false,
&ServerCertDataRsaPss));
}
// mode, version, certificate, auth type, signature scheme
typedef std::tuple<std::string, uint16_t, std::string, SSLAuthType,
SSLSignatureScheme>
SignatureSchemeProfile;
class TlsSignatureSchemeConfiguration
: public TlsConnectTestBase,
public ::testing::WithParamInterface<SignatureSchemeProfile> {
public:
TlsSignatureSchemeConfiguration()
: TlsConnectTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())),
certificate_(std::get<2>(GetParam())),
auth_type_(std::get<3>(GetParam())),
signature_scheme_(std::get<4>(GetParam())) {}
protected:
void TestSignatureSchemeConfig(TlsAgent* configPeer) {
EnsureTlsSetup();
configPeer->SetSignatureSchemes(&signature_scheme_, 1);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, auth_type_,
signature_scheme_);
}
std::string certificate_;
SSLAuthType auth_type_;
SSLSignatureScheme signature_scheme_;
};
TEST_P(TlsSignatureSchemeConfiguration, SignatureSchemeConfigServer) {
Reset(certificate_);
TestSignatureSchemeConfig(server_);
}
TEST_P(TlsSignatureSchemeConfiguration, SignatureSchemeConfigClient) {
Reset(certificate_);
TlsExtensionCapture* capture =
new TlsExtensionCapture(ssl_signature_algorithms_xtn);
client_->SetPacketFilter(capture);
TestSignatureSchemeConfig(client_);
const DataBuffer& ext = capture->extension();
ASSERT_EQ(2U + 2U, ext.len());
uint32_t v = 0;
ASSERT_TRUE(ext.Read(0, 2, &v));
EXPECT_EQ(2U, v);
ASSERT_TRUE(ext.Read(2, 2, &v));
EXPECT_EQ(signature_scheme_, static_cast<SSLSignatureScheme>(v));
}
TEST_P(TlsSignatureSchemeConfiguration, SignatureSchemeConfigBoth) {
Reset(certificate_);
EnsureTlsSetup();
client_->SetSignatureSchemes(&signature_scheme_, 1);
server_->SetSignatureSchemes(&signature_scheme_, 1);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, auth_type_, signature_scheme_);
}
INSTANTIATE_TEST_CASE_P(
SignatureSchemeRsa, TlsSignatureSchemeConfiguration,
::testing::Combine(
TlsConnectTestBase::kTlsModesAll, TlsConnectTestBase::kTlsV12Plus,
::testing::Values(TlsAgent::kServerRsaSign),
::testing::Values(ssl_auth_rsa_sign),
::testing::Values(ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pkcs1_sha384,
ssl_sig_rsa_pkcs1_sha512, ssl_sig_rsa_pss_sha256,
ssl_sig_rsa_pss_sha384)));
// PSS with SHA-512 needs a bigger key to work.
INSTANTIATE_TEST_CASE_P(
SignatureSchemeBigRsa, TlsSignatureSchemeConfiguration,
::testing::Combine(TlsConnectTestBase::kTlsModesAll,
TlsConnectTestBase::kTlsV12Plus,
::testing::Values(TlsAgent::kRsa2048),
::testing::Values(ssl_auth_rsa_sign),
::testing::Values(ssl_sig_rsa_pss_sha512)));
INSTANTIATE_TEST_CASE_P(
SignatureSchemeRsaSha1, TlsSignatureSchemeConfiguration,
::testing::Combine(TlsConnectTestBase::kTlsModesAll,
TlsConnectTestBase::kTlsV12,
::testing::Values(TlsAgent::kServerRsa),
::testing::Values(ssl_auth_rsa_sign),
::testing::Values(ssl_sig_rsa_pkcs1_sha1)));
INSTANTIATE_TEST_CASE_P(
SignatureSchemeEcdsaP256, TlsSignatureSchemeConfiguration,
::testing::Combine(TlsConnectTestBase::kTlsModesAll,
TlsConnectTestBase::kTlsV12Plus,
::testing::Values(TlsAgent::kServerEcdsa256),
::testing::Values(ssl_auth_ecdsa),
::testing::Values(ssl_sig_ecdsa_secp256r1_sha256)));
INSTANTIATE_TEST_CASE_P(
SignatureSchemeEcdsaP384, TlsSignatureSchemeConfiguration,
::testing::Combine(TlsConnectTestBase::kTlsModesAll,
TlsConnectTestBase::kTlsV12Plus,
::testing::Values(TlsAgent::kServerEcdsa384),
::testing::Values(ssl_auth_ecdsa),
::testing::Values(ssl_sig_ecdsa_secp384r1_sha384)));
INSTANTIATE_TEST_CASE_P(
SignatureSchemeEcdsaP521, TlsSignatureSchemeConfiguration,
::testing::Combine(TlsConnectTestBase::kTlsModesAll,
TlsConnectTestBase::kTlsV12Plus,
::testing::Values(TlsAgent::kServerEcdsa521),
::testing::Values(ssl_auth_ecdsa),
::testing::Values(ssl_sig_ecdsa_secp521r1_sha512)));
INSTANTIATE_TEST_CASE_P(
SignatureSchemeEcdsaSha1, TlsSignatureSchemeConfiguration,
::testing::Combine(TlsConnectTestBase::kTlsModesAll,
TlsConnectTestBase::kTlsV12,
::testing::Values(TlsAgent::kServerEcdsa256,
TlsAgent::kServerEcdsa384),
::testing::Values(ssl_auth_ecdsa),
::testing::Values(ssl_sig_ecdsa_sha1)));
}
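Review bot: In `SignatureSchemeConfigClient` the `TlsExtensionCapture` is allocated with `new` and handed to `client_->SetPacketFilter(capture)` with no visible owner, so whether it is freed depends on SetPacketFilter taking ownership; a comment such as `// Ownership passes to the agent's packet filter.` if it does, or a scoped pointer if it does not, would make the lifetime explicit. `SignatureSchemeConfigBoth` repeats the setup/connect/check sequence of `TestSignatureSchemeConfig` instead of reusing it; giving the helper a second optional peer would keep the three parameterized tests in step. The hard-coded `1024` key sizes in the `CheckSigScheme` calls earlier in this section read better as a named constant matching the RSA test certificate.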


@ -24,15 +24,15 @@ namespace nss_test {
// mode, version, cipher suite
typedef std::tuple<std::string, uint16_t, uint16_t, SSLNamedGroup,
TlsSignatureScheme>
SSLSignatureScheme>
CipherSuiteProfile;
class TlsCipherSuiteTestBase : public TlsConnectTestBase {
public:
TlsCipherSuiteTestBase(std::string mode, uint16_t version,
TlsCipherSuiteTestBase(const std::string &mode, uint16_t version,
uint16_t cipher_suite, SSLNamedGroup group,
TlsSignatureScheme signature_scheme)
: TlsConnectTestBase(TlsConnectTestBase::ToMode(mode), version),
SSLSignatureScheme signature_scheme)
: TlsConnectTestBase(mode, version),
cipher_suite_(cipher_suite),
group_(group),
signature_scheme_(signature_scheme),
@ -60,38 +60,35 @@ class TlsCipherSuiteTestBase : public TlsConnectTestBase {
server_->ConfigNamedGroups(groups);
kea_type_ = SSLInt_GetKEAType(group_);
SSLSignatureAndHashAlg signature_scheme = {
static_cast<SSLHashType>(signature_scheme_ >> 8),
static_cast<SSLSignType>(signature_scheme_ & 0xff)};
client_->SetSignatureAlgorithms(&signature_scheme, 1);
server_->SetSignatureAlgorithms(&signature_scheme, 1);
client_->SetSignatureSchemes(&signature_scheme_, 1);
server_->SetSignatureSchemes(&signature_scheme_, 1);
}
}
virtual void SetupCertificate() {
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
switch (signature_scheme_) {
case kTlsSignatureRsaPkcs1Sha256:
case kTlsSignatureRsaPkcs1Sha384:
case kTlsSignatureRsaPkcs1Sha512:
case ssl_sig_rsa_pkcs1_sha256:
case ssl_sig_rsa_pkcs1_sha384:
case ssl_sig_rsa_pkcs1_sha512:
Reset(TlsAgent::kServerRsaSign);
auth_type_ = ssl_auth_rsa_sign;
break;
case kTlsSignatureRsaPssSha256:
case kTlsSignatureRsaPssSha384:
case ssl_sig_rsa_pss_sha256:
case ssl_sig_rsa_pss_sha384:
Reset(TlsAgent::kServerRsaSign);
auth_type_ = ssl_auth_rsa_sign;
break;
case kTlsSignatureRsaPssSha512:
case ssl_sig_rsa_pss_sha512:
// You can't fit SHA-512 PSS in a 1024-bit key.
Reset(TlsAgent::kRsa2048);
auth_type_ = ssl_auth_rsa_sign;
break;
case kTlsSignatureEcdsaSecp256r1Sha256:
case ssl_sig_ecdsa_secp256r1_sha256:
Reset(TlsAgent::kServerEcdsa256);
auth_type_ = ssl_auth_ecdsa;
break;
case kTlsSignatureEcdsaSecp384r1Sha384:
case ssl_sig_ecdsa_secp384r1_sha384:
Reset(TlsAgent::kServerEcdsa384);
auth_type_ = ssl_auth_ecdsa;
break;
@ -184,7 +181,7 @@ class TlsCipherSuiteTestBase : public TlsConnectTestBase {
SSLAuthType auth_type_;
SSLKEAType kea_type_;
SSLNamedGroup group_;
TlsSignatureScheme signature_scheme_;
SSLSignatureScheme signature_scheme_;
SSLCipherSuiteInfo csinfo_;
};
@ -294,20 +291,16 @@ TEST_P(TlsCipherSuiteTest, WriteLimit) {
TlsConnectTestBase::kTls##versions, k##name##Ciphers, \
groups, sigalgs));
static const SSLNamedGroup kDummyNamedGroupParamsArr[] = {ssl_grp_none};
static const auto kDummyNamedGroupParams =
::testing::ValuesIn(kDummyNamedGroupParamsArr);
static const TlsSignatureScheme kDummySignatureSchemesParamsArr[] = {
kTlsSignatureNone};
static const auto kDummyNamedGroupParams = ::testing::Values(ssl_grp_none);
static const auto kDummySignatureSchemesParams =
::testing::ValuesIn(kDummySignatureSchemesParamsArr);
::testing::Values(ssl_sig_none);
#ifndef NSS_DISABLE_TLS_1_3
static TlsSignatureScheme kSignatureSchemesParamsArr[] = {
kTlsSignatureRsaPkcs1Sha256, kTlsSignatureRsaPkcs1Sha384,
kTlsSignatureRsaPkcs1Sha512, kTlsSignatureEcdsaSecp256r1Sha256,
kTlsSignatureEcdsaSecp384r1Sha384, kTlsSignatureRsaPssSha256,
kTlsSignatureRsaPssSha384, kTlsSignatureRsaPssSha512,
static SSLSignatureScheme kSignatureSchemesParamsArr[] = {
ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pkcs1_sha384,
ssl_sig_rsa_pkcs1_sha512, ssl_sig_ecdsa_secp256r1_sha256,
ssl_sig_ecdsa_secp384r1_sha384, ssl_sig_rsa_pss_sha256,
ssl_sig_rsa_pss_sha384, ssl_sig_rsa_pss_sha512,
};
#endif
@ -372,7 +365,7 @@ INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13,
TLS_AES_256_GCM_SHA384);
INSTANTIATE_CIPHER_TEST_P(TLS13AllGroups, All, V13,
::testing::ValuesIn(kAllDHEGroups),
::testing::Values(kTlsSignatureEcdsaSecp384r1Sha384),
::testing::Values(ssl_sig_ecdsa_secp384r1_sha384),
TLS_AES_256_GCM_SHA384);
#endif
@ -405,7 +398,7 @@ class SecurityStatusTest
SecurityStatusTest()
: TlsCipherSuiteTestBase("TLS", GetParam().version,
GetParam().cipher_suite, ssl_grp_none,
kTlsSignatureNone) {}
ssl_sig_none) {}
};
// SSL_SecurityStatus produces fairly useless output when compared to


@ -279,8 +279,7 @@ class TlsDamageDHYTest
public ::testing::WithParamInterface<DamageDHYProfile> {
public:
TlsDamageDHYTest()
: TlsConnectTestBase(TlsConnectTestBase::ToMode(std::get<0>(GetParam())),
std::get<1>(GetParam())) {}
: TlsConnectTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {}
};
TEST_P(TlsDamageDHYTest, DamageServerY) {
@ -446,6 +445,54 @@ TEST_P(TlsConnectGeneric, Ffdhe3072) {
Connect();
}
// Even though the client doesn't have DHE groups enabled the server assumes it
// does. Because the client doesn't require named groups it accepts FF3072 as
// custom group.
TEST_P(TlsConnectGenericPre13, NamedGroupMismatchPre13) {
EnableOnlyDheCiphers();
static const std::vector<SSLNamedGroup> server_groups = {ssl_grp_ffdhe_3072};
static const std::vector<SSLNamedGroup> client_groups = {
ssl_grp_ec_secp256r1};
server_->ConfigNamedGroups(server_groups);
client_->ConfigNamedGroups(client_groups);
Connect();
CheckKeys(ssl_kea_dh, ssl_grp_ffdhe_custom, ssl_auth_rsa_sign,
ssl_sig_rsa_pss_sha256);
}
// Same test but for TLS 1.3. This has to fail.
TEST_P(TlsConnectTls13, NamedGroupMismatch13) {
EnableOnlyDheCiphers();
static const std::vector<SSLNamedGroup> server_groups = {ssl_grp_ffdhe_3072};
static const std::vector<SSLNamedGroup> client_groups = {
ssl_grp_ec_secp256r1};
server_->ConfigNamedGroups(server_groups);
client_->ConfigNamedGroups(client_groups);
ConnectExpectFail();
server_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
}
// Even though the client doesn't have DHE groups enabled the server assumes it
// does. The client requires named groups and thus does not accept FF3072 as
// custom group in contrast to the previous test.
TEST_P(TlsConnectGenericPre13, RequireNamedGroupsMismatchPre13) {
EnableOnlyDheCiphers();
EXPECT_EQ(SECSuccess, SSL_OptionSet(client_->ssl_fd(),
SSL_REQUIRE_DH_NAMED_GROUPS, PR_TRUE));
static const std::vector<SSLNamedGroup> server_groups = {ssl_grp_ffdhe_3072};
static const std::vector<SSLNamedGroup> client_groups = {ssl_grp_ec_secp256r1,
ssl_grp_ffdhe_2048};
server_->ConfigNamedGroups(server_groups);
client_->ConfigNamedGroups(client_groups);
ConnectExpectFail();
server_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
}
TEST_P(TlsConnectGenericPre13, PreferredFfdhe) {
EnableOnlyDheCiphers();
static const SSLDHEGroupType groups[] = {ssl_ff_dhe_3072_group,
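Review bot: NamedGroupMismatchPre13, NamedGroupMismatch13 and RequireNamedGroupsMismatchPre13 each restate the same server_groups/client_groups vectors and the two ConfigNamedGroups calls; a small helper taking both vectors would keep the group mismatch under test in one place. In NamedGroupMismatchPre13 the expected group is ssl_grp_ffdhe_custom, and with the CheckKEA change in tls_agent.cc in this same commit that value skips the keaKeyBits and keaGroup comparisons, so the test does not confirm that the negotiated custom group is the 3072-bit one the server configured. A comment such as `// CheckKeys does not verify the size of a custom FFDHE group.` would record that gap, or the test could compare the reported key bits directly. The PreferredFfdhe test at the end of the hunk continues outside it.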


@ -57,10 +57,8 @@ TEST_P(TlsConnectGeneric, ConnectEcdhe) {
TEST_P(TlsConnectTls12, ConnectEcdheP384) {
Reset(TlsAgent::kServerEcdsa384);
ConnectWithCipherSuite(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256);
// This uses SHA-256 because TLS 1.2 doesn't care for the
// pairing of curve and hash function like in TLS 1.3.
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_ecdsa,
ssl_sig_ecdsa_secp256r1_sha256);
ssl_sig_ecdsa_secp384r1_sha384);
}
TEST_P(TlsConnectGeneric, ConnectEcdheP384Client) {
@ -178,10 +176,6 @@ TEST_P(TlsConnectGenericPre13, P384PriorityOnServer) {
}
TEST_P(TlsConnectGenericPre13, P384PriorityFromModelSocket) {
#ifdef NSS_ECC_MORE_THAN_SUITE_B
// We can't run this test with a model socket and more than suite B.
return;
#endif
EnsureModelSockets();
/* Both prefer P384, set on the model socket. */
@ -213,9 +207,7 @@ TEST_P(TlsConnectTls13, UseLameGroup) {
server_->ConfigNamedGroups(groups);
client_->StartConnect();
client_->Handshake();
#ifndef NSS_ECC_MORE_THAN_SUITE_B // TODO: remove this guard
client_->CheckErrorCode(SSL_ERROR_NO_CIPHERS_SUPPORTED);
#endif
}
TEST_P(TlsConnectStreamPre13, ConfiguredGroupsRenegotiate) {
@ -363,7 +355,7 @@ TEST_P(TlsKeyExchangeTest13, NotEqualPriorityWithIntermediateGroup13) {
}
TEST_P(TlsKeyExchangeTest13,
NotEqualPriorityWithUnsupportedIntermediateGroup13) {
NotEqualPriorityWithUnsupportedFFIntermediateGroup13) {
EnsureKeyShareSetup();
// As in the previous test, the server prefers ffdhe_2048. Thus, even though
@ -384,6 +376,28 @@ TEST_P(TlsKeyExchangeTest13,
CheckKEXDetails(client_groups, shares, true);
}
TEST_P(TlsKeyExchangeTest13,
NotEqualPriorityWithUnsupportedECIntermediateGroup13) {
EnsureKeyShareSetup();
// As in the previous test, the server prefers P-384. Thus, even though
// the client doesn't support this group, the server must not regard x25519 as
// equivalent to P-256. The server sends a HelloRetryRequest.
const std::vector<SSLNamedGroup> client_groups = {ssl_grp_ec_curve25519,
ssl_grp_ec_secp256r1};
const std::vector<SSLNamedGroup> server_groups = {
ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1, ssl_grp_ec_curve25519};
client_->ConfigNamedGroups(client_groups);
server_->ConfigNamedGroups(server_groups);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
ssl_sig_rsa_pss_sha256);
const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
CheckKEXDetails(client_groups, shares, true);
}
TEST_P(TlsKeyExchangeTest13, EqualPriority13) {
EnsureKeyShareSetup();
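Review bot: The comment on NotEqualPriorityWithUnsupportedECIntermediateGroup13 says the server prefers P-384, but server_groups lists P-256 first, with P-384 (which the client doesn't offer) second and x25519 last; the HelloRetryRequest the test expects follows from the server preferring P-256 over the client's x25519 share, not from P-384. Suggested wording: `// The server prefers P-256 and ranks P-384, which the client doesn't support, above x25519. It must not treat the client's x25519 share as good enough and sends a HelloRetryRequest for P-256.` The CheckKeys line already pins ssl_grp_ec_secp256r1 as the outcome, so the comment should agree with it. EqualPriority13 continues outside the hunk.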


@ -118,6 +118,8 @@ class TlsExtensionTestBase : public TlsConnectTestBase {
protected:
TlsExtensionTestBase(Mode mode, uint16_t version)
: TlsConnectTestBase(mode, version) {}
TlsExtensionTestBase(const std::string& mode, uint16_t version)
: TlsConnectTestBase(mode, version) {}
void ClientHelloErrorTest(PacketFilter* filter,
uint8_t alert = kTlsAlertDecodeError) {
@ -165,9 +167,8 @@ class TlsExtensionTest12Plus
public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
public:
TlsExtensionTest12Plus()
: TlsExtensionTestBase(
TlsConnectTestBase::ToMode((std::get<0>(GetParam()))),
std::get<1>(GetParam())) {}
: TlsExtensionTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {
}
};
class TlsExtensionTest12
@ -175,17 +176,15 @@ class TlsExtensionTest12
public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
public:
TlsExtensionTest12()
: TlsExtensionTestBase(
TlsConnectTestBase::ToMode((std::get<0>(GetParam()))),
std::get<1>(GetParam())) {}
: TlsExtensionTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {
}
};
class TlsExtensionTest13 : public TlsExtensionTestBase,
public ::testing::WithParamInterface<std::string> {
public:
TlsExtensionTest13()
: TlsExtensionTestBase(TlsConnectTestBase::ToMode(GetParam()),
SSL_LIBRARY_VERSION_TLS_1_3) {}
: TlsExtensionTestBase(GetParam(), SSL_LIBRARY_VERSION_TLS_1_3) {}
void ConnectWithBogusVersionList(const uint8_t* buf, size_t len) {
DataBuffer versions_buf(buf, len);
@ -218,9 +217,8 @@ class TlsExtensionTestGeneric
public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
public:
TlsExtensionTestGeneric()
: TlsExtensionTestBase(
TlsConnectTestBase::ToMode((std::get<0>(GetParam()))),
std::get<1>(GetParam())) {}
: TlsExtensionTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {
}
};
class TlsExtensionTestPre13
@ -228,9 +226,8 @@ class TlsExtensionTestPre13
public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
public:
TlsExtensionTestPre13()
: TlsExtensionTestBase(
TlsConnectTestBase::ToMode((std::get<0>(GetParam()))),
std::get<1>(GetParam())) {}
: TlsExtensionTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {
}
};
TEST_P(TlsExtensionTestGeneric, DamageSniLength) {
@ -486,25 +483,24 @@ TEST_P(TlsExtensionTestPre13, RenegotiationInfoExtensionEmpty) {
// This only works on TLS 1.2, since it relies on static RSA; otherwise libssl
// picks the wrong cipher suite.
TEST_P(TlsExtensionTest12, SignatureAlgorithmConfiguration) {
const SSLSignatureAndHashAlg algorithms[] = {
{ssl_hash_sha512, ssl_sign_rsa}, {ssl_hash_sha384, ssl_sign_ecdsa}};
const SSLSignatureScheme schemes[] = {ssl_sig_rsa_pss_sha512,
ssl_sig_rsa_pss_sha384};
TlsExtensionCapture* capture =
new TlsExtensionCapture(ssl_signature_algorithms_xtn);
client_->SetSignatureAlgorithms(algorithms, PR_ARRAY_SIZE(algorithms));
client_->SetSignatureSchemes(schemes, PR_ARRAY_SIZE(schemes));
client_->SetPacketFilter(capture);
EnableOnlyStaticRsaCiphers();
Connect();
const DataBuffer& ext = capture->extension();
EXPECT_EQ(2 + PR_ARRAY_SIZE(algorithms) * 2, ext.len());
EXPECT_EQ(2 + PR_ARRAY_SIZE(schemes) * 2, ext.len());
for (size_t i = 0, cursor = 2;
i < PR_ARRAY_SIZE(algorithms) && cursor < ext.len(); ++i) {
uint32_t v;
EXPECT_TRUE(ext.Read(cursor++, 1, &v));
EXPECT_EQ(algorithms[i].hashAlg, static_cast<SSLHashType>(v));
EXPECT_TRUE(ext.Read(cursor++, 1, &v));
EXPECT_EQ(algorithms[i].sigAlg, static_cast<SSLSignType>(v));
i < PR_ARRAY_SIZE(schemes) && cursor < ext.len(); ++i) {
uint32_t v = 0;
EXPECT_TRUE(ext.Read(cursor, 2, &v));
cursor += 2;
EXPECT_EQ(schemes[i], static_cast<SSLSignatureScheme>(v));
}
}
@ -581,7 +577,7 @@ TEST_F(TlsExtensionTest13Stream, NonEmptySignatureAlgorithms) {
DataBuffer sig_algs;
size_t index = 0;
index = sig_algs.Write(index, 2, 2);
index = sig_algs.Write(index, kTlsSignatureRsaPssSha256, 2);
index = sig_algs.Write(index, ssl_sig_rsa_pss_sha256, 2);
server_->SetPacketFilter(
new TlsExtensionReplacer(ssl_signature_algorithms_xtn, sig_algs));
ConnectExpectFail();
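Review bot: SignatureAlgorithmConfiguration checks the extension's total length but never reads the two-byte list length at offset 0 that the loop skips with `cursor = 2`, so a wrong inner length would pass as long as the overall size is right. Adding `uint32_t list_len = 0; EXPECT_TRUE(ext.Read(0, 2, &list_len)); EXPECT_EQ(PR_ARRAY_SIZE(schemes) * 2, list_len);` before the loop closes that gap. Separately, the previous version exercised one RSA and one ECDSA entry while the new schemes array holds two RSA-PSS entries, so the ordering of mixed signature types in the encoded extension is no longer covered; adding an ECDSA scheme to the array would restore that, assuming the static RSA handshake still completes with it configured. The NonEmptySignatureAlgorithms test in the last hunk continues outside it.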


@ -12,15 +12,21 @@
'type': 'executable',
'sources': [
'libssl_internals.c',
'ssl_0rtt_unittest.cc',
'ssl_agent_unittest.cc',
'ssl_auth_unittest.cc',
'ssl_cert_ext_unittest.cc',
'ssl_ciphersuite_unittest.cc',
'ssl_damage_unittest.cc',
'ssl_dhe_unittest.cc',
'ssl_drop_unittest.cc',
'ssl_ecdh_unittest.cc',
'ssl_ems_unittest.cc',
'ssl_extension_unittest.cc',
'ssl_gtest.cc',
'ssl_hrr_unittest.cc',
'ssl_loopback_unittest.cc',
'ssl_record_unittest.cc',
'ssl_resumption_unittest.cc',
'ssl_skip_unittest.cc',
'ssl_staticrsa_unittest.cc',


@ -170,13 +170,9 @@ TEST_P(TlsConnectGeneric, ConnectResumeClientNoneServerBoth) {
}
TEST_P(TlsConnectGenericPre13, ConnectResumeWithHigherVersion) {
EnsureTlsSetup();
SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_1);
ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_1);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_1);
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_1);
SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_1);
Connect();
Reset();
@ -219,7 +215,6 @@ TEST_P(TlsConnectGeneric, ServerSNICertSwitch) {
ScopedCERTCertificate cert1(SSL_PeerCertificate(client_->ssl_fd()));
Reset();
EnsureTlsSetup();
ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
server_->SetSniCallback(SwitchCertificates);
@ -236,7 +231,6 @@ TEST_P(TlsConnectGeneric, ServerSNICertTypeSwitch) {
ScopedCERTCertificate cert1(SSL_PeerCertificate(client_->ssl_fd()));
Reset();
EnsureTlsSetup();
ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
// Because we configure an RSA certificate here, it only adds a second, unused
@ -328,10 +322,51 @@ TEST_P(TlsConnectTls13, TestTls13ResumeDifferentGroup) {
CheckKeys(ssl_kea_dh, ssl_grp_ffdhe_2048, ssl_auth_rsa_sign, ssl_sig_none);
}
// We need to enable different cipher suites at different times in the following
// tests. Those cipher suites need to be suited to the version.
static uint16_t ChooseOneCipher(uint16_t version) {
if (version >= SSL_LIBRARY_VERSION_TLS_1_3) {
return TLS_AES_128_GCM_SHA256;
}
return TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA;
}
static uint16_t ChooseAnotherCipher(uint16_t version) {
if (version >= SSL_LIBRARY_VERSION_TLS_1_3) {
return TLS_CHACHA20_POLY1305_SHA256;
}
return TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA;
}
// Test that we don't resume when we can't negotiate the same cipher.
TEST_P(TlsConnectTls13, TestTls13ResumeClientDifferentCipher) {
TEST_P(TlsConnectGeneric, TestResumeClientDifferentCipher) {
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
client_->EnableSingleCipher(TLS_AES_128_GCM_SHA256);
client_->EnableSingleCipher(ChooseOneCipher(version_));
Connect();
SendReceive();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
Reset();
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
ExpectResumption(RESUME_NONE);
client_->EnableSingleCipher(ChooseAnotherCipher(version_));
uint16_t ticket_extension;
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
ticket_extension = ssl_tls13_pre_shared_key_xtn;
} else {
ticket_extension = ssl_session_ticket_xtn;
}
auto ticket_capture = new TlsExtensionCapture(ticket_extension);
client_->SetPacketFilter(ticket_capture);
Connect();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
EXPECT_EQ(0U, ticket_capture->extension().len());
}
// Test that we don't resume when we can't negotiate the same cipher.
TEST_P(TlsConnectGeneric, TestResumeServerDifferentCipher) {
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
server_->EnableSingleCipher(ChooseOneCipher(version_));
Connect();
SendReceive(); // Need to read so that we absorb the session ticket.
CheckKeys();
@ -339,35 +374,137 @@ TEST_P(TlsConnectTls13, TestTls13ResumeClientDifferentCipher) {
Reset();
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
ExpectResumption(RESUME_NONE);
client_->EnableSingleCipher(TLS_AES_256_GCM_SHA384);
server_->EnableSingleCipher(ChooseAnotherCipher(version_));
Connect();
CheckKeys();
}
// Test that we don't resume when we can't negotiate the same cipher.
TEST_P(TlsConnectTls13, TestTls13ResumeServerDifferentCipher) {
class SelectedCipherSuiteReplacer : public TlsHandshakeFilter {
public:
SelectedCipherSuiteReplacer(uint16_t suite) : cipher_suite_(suite) {}
protected:
PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) override {
if (header.handshake_type() != kTlsHandshakeServerHello) {
return KEEP;
}
*output = input;
uint32_t temp = 0;
EXPECT_TRUE(input.Read(0, 2, &temp));
// Cipher suite is after version(2) and random(32).
size_t pos = 34;
if (temp < SSL_LIBRARY_VERSION_TLS_1_3) {
// In old versions, we have to skip a session_id too.
EXPECT_TRUE(input.Read(pos, 1, &temp));
pos += 1 + temp;
}
output->Write(pos, static_cast<uint32_t>(cipher_suite_), 2);
return CHANGE;
}
private:
uint16_t cipher_suite_;
};
// Test that the client doesn't tolerate the server picking a different cipher
// suite for resumption.
TEST_P(TlsConnectStream, TestResumptionOverrideCipher) {
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
server_->EnableSingleCipher(TLS_AES_128_GCM_SHA256);
server_->EnableSingleCipher(ChooseOneCipher(version_));
Connect();
SendReceive(); // Need to read so that we absorb the session ticket.
CheckKeys();
SendReceive();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
Reset();
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
ExpectResumption(RESUME_NONE);
server_->EnableSingleCipher(TLS_AES_256_GCM_SHA384);
server_->SetPacketFilter(
new SelectedCipherSuiteReplacer(ChooseAnotherCipher(version_)));
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
// The reason this test is stream only: the server is unable to decrypt
// the alert that the client sends, see bug 1304603.
server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
} else {
server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT);
}
}
class SelectedVersionReplacer : public TlsHandshakeFilter {
public:
SelectedVersionReplacer(uint16_t version) : version_(version) {}
protected:
PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) override {
if (header.handshake_type() != kTlsHandshakeServerHello) {
return KEEP;
}
*output = input;
output->Write(0, static_cast<uint32_t>(version_), 2);
return CHANGE;
}
private:
uint16_t version_;
};
// Test how the client handles the case where the server picks a
// lower version number on resumption.
TEST_P(TlsConnectGenericPre13, TestResumptionOverrideVersion) {
uint16_t override_version = 0;
if (mode_ == STREAM) {
switch (version_) {
case SSL_LIBRARY_VERSION_TLS_1_0:
return; // Skip the test.
case SSL_LIBRARY_VERSION_TLS_1_1:
override_version = SSL_LIBRARY_VERSION_TLS_1_0;
break;
case SSL_LIBRARY_VERSION_TLS_1_2:
override_version = SSL_LIBRARY_VERSION_TLS_1_1;
break;
default:
ASSERT_TRUE(false) << "unknown version";
}
} else {
if (version_ == SSL_LIBRARY_VERSION_TLS_1_2) {
override_version = SSL_LIBRARY_VERSION_DTLS_1_0_WIRE;
} else {
ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, version_);
return; // Skip the test.
}
}
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
// Need to use a cipher that is plausible for the lower version.
server_->EnableSingleCipher(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
Connect();
CheckKeys();
CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign);
Reset();
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
// Enable the lower version on the client.
client_->SetVersionRange(version_ - 1, version_);
server_->EnableSingleCipher(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA);
server_->SetPacketFilter(new SelectedVersionReplacer(override_version));
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT);
}
// Test that two TLS resumptions work and produce the same ticket.
// This will change after bug 1257047 is fixed.
TEST_F(TlsConnectTest, TestTls13ResumptionTwice) {
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_3);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_3);
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
Connect();
SendReceive(); // Need to read so that we absorb the session ticket.
CheckKeys();
@ -376,14 +513,11 @@ TEST_F(TlsConnectTest, TestTls13ResumptionTwice) {
Reset();
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
ExpectResumption(RESUME_TICKET);
TlsExtensionCapture* c1 =
new TlsExtensionCapture(ssl_tls13_pre_shared_key_xtn);
client_->SetPacketFilter(c1);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_3);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_3);
ExpectResumption(RESUME_TICKET);
Connect();
SendReceive();
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
@ -398,13 +532,10 @@ TEST_F(TlsConnectTest, TestTls13ResumptionTwice) {
Reset();
ClearStats();
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
TlsExtensionCapture* c2 =
new TlsExtensionCapture(ssl_tls13_pre_shared_key_xtn);
client_->SetPacketFilter(c2);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_3);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_3);
ExpectResumption(RESUME_TICKET);
Connect();
SendReceive();
@ -425,4 +556,5 @@ TEST_F(TlsConnectTest, TestTls13ResumptionTwice) {
ASSERT_NE(initialTicket, c2->extension());
}
} // namespace nss_test
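Review bot: SelectedCipherSuiteReplacer::FilterHandshake decides whether to skip a session_id with `if (temp < SSL_LIBRARY_VERSION_TLS_1_3)`, which only holds for stream wire versions; DTLS wire versions (compare the SSL_LIBRARY_VERSION_DTLS_1_0_WIRE used further down in this file) are encoded differently, so the filter would mis-locate the cipher suite if it were reused from a DTLS test. It is currently only used by the stream-only TestResumptionOverrideCipher, so this is latent, but a comment such as `// Assumes stream (TLS) wire versions; DTLS wire versions do not compare this way.` above the check, or an assertion on the test's mode_, would make the limitation explicit. Both single-argument constructors, SelectedCipherSuiteReplacer(uint16_t) and SelectedVersionReplacer(uint16_t), should be marked `explicit` to avoid implicit conversions from integers. TestTls13ResumptionTwice spans the last three hunks and its body is partly outside them.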


@ -83,8 +83,7 @@ class TlsSkipTest
public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
protected:
TlsSkipTest()
: TlsConnectTestBase(TlsConnectTestBase::ToMode(std::get<0>(GetParam())),
std::get<1>(GetParam())) {}
: TlsConnectTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {}
void ServerSkipTest(PacketFilter* filter,
uint8_t alert = kTlsAlertUnexpectedMessage) {


@ -204,11 +204,9 @@ TEST_P(SSLv2ClientHelloTest, Connect) {
// Test negotiating TLS 1.3.
TEST_F(SSLv2ClientHelloTestF, Connect13) {
EnsureTlsSetup();
SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_3);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_3,
SSL_LIBRARY_VERSION_TLS_1_3);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_3,
SSL_LIBRARY_VERSION_TLS_1_3);
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
std::vector<uint16_t> cipher_suites = {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256};
SetAvailableCipherSuites(cipher_suites);
@ -317,11 +315,9 @@ TEST_P(SSLv2ClientHelloTest, RequireSafeRenegotiationWithSCSV) {
// a higher version. As the server doesn't support anything higher than TLS 1.1
// it must accept the connection.
TEST_F(SSLv2ClientHelloTestF, FallbackSCSV) {
EnsureTlsSetup();
SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_1);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_1);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_1);
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_1);
std::vector<uint16_t> cipher_suites = {TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_FALLBACK_SCSV};


@ -206,10 +206,8 @@ TEST_P(TlsConnectStream, ConnectTls10AndClientRenegotiateHigher) {
}
TEST_F(TlsConnectTest, Tls13RejectsRehandshakeClient) {
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_3);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_3);
EnsureTlsSetup();
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
Connect();
SECStatus rv = SSL_ReHandshake(client_->ssl_fd(), PR_TRUE);
EXPECT_EQ(SECFailure, rv);
@ -217,10 +215,8 @@ TEST_F(TlsConnectTest, Tls13RejectsRehandshakeClient) {
}
TEST_F(TlsConnectTest, Tls13RejectsRehandshakeServer) {
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_3);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
SSL_LIBRARY_VERSION_TLS_1_3);
EnsureTlsSetup();
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
Connect();
SECStatus rv = SSL_ReHandshake(server_->ssl_fd(), PR_TRUE);
EXPECT_EQ(SECFailure, rv);


@ -37,6 +37,7 @@ const std::string TlsAgent::kServerRsaPss = "rsa_pss";
const std::string TlsAgent::kServerRsaDecrypt = "rsa_decrypt";
const std::string TlsAgent::kServerEcdsa256 = "ecdsa256";
const std::string TlsAgent::kServerEcdsa384 = "ecdsa384";
const std::string TlsAgent::kServerEcdsa521 = "ecdsa521";
const std::string TlsAgent::kServerEcdhRsa = "ecdh_rsa";
const std::string TlsAgent::kServerEcdhEcdsa = "ecdh_ecdsa";
const std::string TlsAgent::kServerDsa = "dsa";
@ -365,50 +366,49 @@ void TlsAgent::SetServerKeyBits(uint16_t bits) { server_key_bits_ = bits; }
void TlsAgent::ExpectReadWriteError() { expect_readwrite_error_ = true; }
void TlsAgent::SetSignatureAlgorithms(const SSLSignatureAndHashAlg* algorithms,
size_t count) {
void TlsAgent::SetSignatureSchemes(const SSLSignatureScheme* schemes,
size_t count) {
EXPECT_TRUE(EnsureTlsSetup());
EXPECT_LE(count, SSL_SignatureMaxCount());
EXPECT_EQ(SECSuccess, SSL_SignaturePrefSet(ssl_fd_, algorithms,
static_cast<unsigned int>(count)));
EXPECT_EQ(SECFailure, SSL_SignaturePrefSet(ssl_fd_, algorithms, 0))
<< "setting no algorithms should fail and do nothing";
EXPECT_EQ(SECSuccess,
SSL_SignatureSchemePrefSet(ssl_fd_, schemes,
static_cast<unsigned int>(count)));
EXPECT_EQ(SECFailure, SSL_SignatureSchemePrefSet(ssl_fd_, schemes, 0))
<< "setting no schemes should fail and do nothing";
std::vector<SSLSignatureAndHashAlg> configuredAlgorithms(count);
std::vector<SSLSignatureScheme> configuredSchemes(count);
unsigned int configuredCount;
EXPECT_EQ(SECFailure,
SSL_SignaturePrefGet(ssl_fd_, nullptr, &configuredCount, 1))
<< "get algorithms, algorithms is nullptr";
EXPECT_EQ(SECFailure, SSL_SignaturePrefGet(ssl_fd_, &configuredAlgorithms[0],
&configuredCount, 0))
<< "get algorithms, too little space";
SSL_SignatureSchemePrefGet(ssl_fd_, nullptr, &configuredCount, 1))
<< "get schemes, schemes is nullptr";
EXPECT_EQ(SECFailure,
SSL_SignaturePrefGet(ssl_fd_, &configuredAlgorithms[0], nullptr,
configuredAlgorithms.size()))
<< "get algorithms, algCountOut is nullptr";
SSL_SignatureSchemePrefGet(ssl_fd_, &configuredSchemes[0],
&configuredCount, 0))
<< "get schemes, too little space";
EXPECT_EQ(SECFailure,
SSL_SignatureSchemePrefGet(ssl_fd_, &configuredSchemes[0], nullptr,
configuredSchemes.size()))
<< "get schemes, countOut is nullptr";
EXPECT_EQ(SECSuccess, SSL_SignaturePrefGet(ssl_fd_, &configuredAlgorithms[0],
&configuredCount,
configuredAlgorithms.size()));
// SignaturePrefSet drops unsupported algorithms silently, so the number that
// are configured might be fewer.
EXPECT_EQ(SECSuccess, SSL_SignatureSchemePrefGet(
ssl_fd_, &configuredSchemes[0], &configuredCount,
configuredSchemes.size()));
// SignatureSchemePrefSet drops unsupported algorithms silently, so the
// number that are configured might be fewer.
EXPECT_LE(configuredCount, count);
unsigned int i = 0;
for (unsigned int j = 0; j < count && i < configuredCount; ++j) {
if (i < configuredCount &&
algorithms[j].hashAlg == configuredAlgorithms[i].hashAlg &&
algorithms[j].sigAlg == configuredAlgorithms[i].sigAlg) {
if (i < configuredCount && schemes[j] == configuredSchemes[i]) {
++i;
}
}
EXPECT_EQ(i, configuredCount) << "algorithms in use were all set";
EXPECT_EQ(i, configuredCount) << "schemes in use were all set";
}
void TlsAgent::CheckKEA(SSLKEAType kea_type, SSLNamedGroup kea_group,
size_t kea_size) const {
EXPECT_EQ(STATE_CONNECTED, state_);
EXPECT_EQ(kea_type, info_.keaType);
EXPECT_EQ(kea_group, info_.keaGroup);
if (kea_size == 0) {
switch (kea_group) {
case ssl_grp_ec_curve25519:
@ -423,6 +423,11 @@ void TlsAgent::CheckKEA(SSLKEAType kea_type, SSLNamedGroup kea_group,
case ssl_grp_ffdhe_2048:
kea_size = 2048;
break;
case ssl_grp_ffdhe_3072:
kea_size = 3072;
break;
case ssl_grp_ffdhe_custom:
break;
default:
if (kea_type == ssl_kea_rsa) {
kea_size = server_key_bits_;
@ -431,7 +436,10 @@ void TlsAgent::CheckKEA(SSLKEAType kea_type, SSLNamedGroup kea_group,
}
}
}
EXPECT_EQ(kea_size, info_.keaKeyBits);
if (kea_group != ssl_grp_ffdhe_custom) {
EXPECT_EQ(kea_size, info_.keaKeyBits);
EXPECT_EQ(kea_group, info_.keaGroup);
}
}
void TlsAgent::CheckAuthType(SSLAuthType auth_type,
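Review bot: SetSignatureSchemes takes `&configuredSchemes[0]` on a vector sized by count, which is undefined for count == 0, and the function only bounds count from above via `EXPECT_LE(count, SSL_SignatureMaxCount())`; using `configuredSchemes.data()` in the three Get calls, or an `EXPECT_GT(count, 0U)` guard up front, makes the zero case safe. The new `if (kea_group != ssl_grp_ffdhe_custom)` guard in CheckKEA now skips the keaGroup comparison as well as keaKeyBits without saying why; a comment such as `// presumably a custom FFDHE group reports neither a predictable size nor a named group in info_ — confirm` would help the next reader. The inner `i < configuredCount &&` in the comparison loop is already guaranteed by the loop condition and can be dropped. CheckKEA's body spans more than the hunks shown, and CheckAuthType starts after the last one.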


@ -64,6 +64,7 @@ class TlsAgent : public PollTarget {
static const std::string kServerRsaDecrypt;
static const std::string kServerEcdsa256;
static const std::string kServerEcdsa384;
static const std::string kServerEcdsa521;
static const std::string kServerEcdhEcdsa;
static const std::string kServerEcdhRsa;
static const std::string kServerDsa;
@ -127,8 +128,7 @@ class TlsAgent : public PollTarget {
void ExpectReadWriteError();
void EnableFalseStart();
void ExpectResumption();
void SetSignatureAlgorithms(const SSLSignatureAndHashAlg* algorithms,
size_t count);
void SetSignatureSchemes(const SSLSignatureScheme* schemes, size_t count);
void EnableAlpn(const uint8_t* val, size_t len);
void CheckAlpn(SSLNextProtoState expected_state,
const std::string& expected = "") const;


@ -119,6 +119,10 @@ TlsConnectTestBase::TlsConnectTestBase(Mode mode, uint16_t version)
std::cerr << "Version: " << mode_ << " " << v << std::endl;
}
TlsConnectTestBase::TlsConnectTestBase(const std::string& mode,
uint16_t version)
: TlsConnectTestBase(TlsConnectTestBase::ToMode(mode), version) {}
TlsConnectTestBase::~TlsConnectTestBase() {}
// Check the group of each of the supported groups
@ -195,8 +199,7 @@ void TlsConnectTestBase::Init() {
server_->SetPeer(client_);
if (version_) {
client_->SetVersionRange(version_, version_);
server_->SetVersionRange(version_, version_);
ConfigureVersion(version_);
}
}
@ -370,6 +373,11 @@ void TlsConnectTestBase::ConnectExpectFail() {
ASSERT_EQ(TlsAgent::STATE_ERROR, server_->state());
}
void TlsConnectTestBase::ConfigureVersion(uint16_t version) {
client_->SetVersionRange(version, version);
server_->SetVersionRange(version, version);
}
void TlsConnectTestBase::SetExpectedVersion(uint16_t version) {
client_->SetExpectedVersion(version);
server_->SetExpectedVersion(version);
@ -588,24 +596,19 @@ void TlsConnectTestBase::CheckEarlyDataAccepted() {
}
TlsConnectGeneric::TlsConnectGeneric()
: TlsConnectTestBase(TlsConnectTestBase::ToMode(std::get<0>(GetParam())),
std::get<1>(GetParam())) {}
: TlsConnectTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {}
TlsConnectPre12::TlsConnectPre12()
: TlsConnectTestBase(TlsConnectTestBase::ToMode(std::get<0>(GetParam())),
std::get<1>(GetParam())) {}
: TlsConnectTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {}
TlsConnectTls12::TlsConnectTls12()
: TlsConnectTestBase(TlsConnectTestBase::ToMode(GetParam()),
SSL_LIBRARY_VERSION_TLS_1_2) {}
: TlsConnectTestBase(GetParam(), SSL_LIBRARY_VERSION_TLS_1_2) {}
TlsConnectTls12Plus::TlsConnectTls12Plus()
: TlsConnectTestBase(TlsConnectTestBase::ToMode(std::get<0>(GetParam())),
std::get<1>(GetParam())) {}
: TlsConnectTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {}
TlsConnectTls13::TlsConnectTls13()
: TlsConnectTestBase(TlsConnectTestBase::ToMode(GetParam()),
SSL_LIBRARY_VERSION_TLS_1_3) {}
: TlsConnectTestBase(GetParam(), SSL_LIBRARY_VERSION_TLS_1_3) {}
void TlsKeyExchangeTest::EnsureKeyShareSetup() {
EnsureTlsSetup();


@ -39,11 +39,8 @@ class TlsConnectTestBase : public ::testing::Test {
static ::testing::internal::ParamGenerator<uint16_t> kTlsV12Plus;
static ::testing::internal::ParamGenerator<uint16_t> kTlsVAll;
static inline Mode ToMode(const std::string& str) {
return str == "TLS" ? STREAM : DGRAM;
}
TlsConnectTestBase(Mode mode, uint16_t version);
TlsConnectTestBase(const std::string& mode, uint16_t version);
virtual ~TlsConnectTestBase();
void SetUp();
@ -84,6 +81,7 @@ class TlsConnectTestBase : public ::testing::Test {
void CheckShares(const DataBuffer& shares,
std::function<void(SSLNamedGroup)> check_group);
void ConfigureVersion(uint16_t version);
void SetExpectedVersion(uint16_t version);
// Expect resumption of a particular type.
void ExpectResumption(SessionResumptionMode expected);
@ -127,6 +125,10 @@ class TlsConnectTestBase : public ::testing::Test {
const uint8_t alpn_dummy_val_[4] = {0x01, 0x62, 0x01, 0x61};
private:
static inline Mode ToMode(const std::string& str) {
return str == "TLS" ? STREAM : DGRAM;
}
void CheckResumption(SessionResumptionMode expected);
void CheckExtendedMasterSecret();
void CheckEarlyDataAccepted();
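Review bot: With the new TlsConnectTestBase(const std::string& mode, uint16_t) constructor, fixtures pass the mode string straight through, and the now-private ToMode maps every string other than "TLS" to DGRAM, so a misspelled mode in a test instantiation silently runs as DTLS instead of failing. Making ToMode strict, e.g. `EXPECT_TRUE(str == "TLS" || str == "DTLS") << "unknown mode: " << str;` before the return, catches that at test time. The class body continues outside the hunk.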


@ -48,9 +48,6 @@ const uint8_t kTlsAlertUnsupportedExtension = 110;
const uint8_t kTlsAlertUnrecognizedName = 112;
const uint8_t kTlsAlertNoApplicationProtocol = 120;
const uint16_t kTlsSigSchemeRsaPkcs1Sha1 = 0x0201;
const uint16_t kTlsSigSchemeRsaPssSha256 = 0x0804;
const uint8_t kTlsFakeChangeCipherSpec[] = {
kTlsChangeCipherSpecType, // Type
0xfe,
@ -68,28 +65,6 @@ const uint8_t kTlsFakeChangeCipherSpec[] = {
0x01 // Value
};
// We don't export this yet. Yuck.
enum TlsSignatureScheme {
kTlsSignatureNone = 0,
kTlsSignatureRsaPkcs1Sha1 = 0x0201,
kTlsSignatureRsaPkcs1Sha256 = 0x0401,
kTlsSignatureRsaPkcs1Sha384 = 0x0501,
kTlsSignatureRsaPkcs1Sha512 = 0x0601,
kTlsSignatureEcdsaSecp256r1Sha256 = 0x0403,
kTlsSignatureEcdsaSecp384r1Sha384 = 0x0503,
kTlsSignatureEcdsaSecp521r1Sha512 = 0x0603,
kTlsSignatureRsaPssSha256 = 0x0804,
kTlsSignatureRsaPssSha384 = 0x0805,
kTlsSignatureRsaPssSha512 = 0x0806,
kTlsSignatureEd25519 = 0x0807,
kTlsSignatureEd448 = 0x0808,
kTlsSignatureDsaSha1 = 0x0202,
kTlsSignatureDsaSha256 = 0x0402,
kTlsSignatureDsaSha384 = 0x0502,
kTlsSignatureDsaSha512 = 0x0602,
kTlsSignatureEcdsaSha1 = 0x0203
};
static const uint8_t kTls13PskKe = 0;
static const uint8_t kTls13PskDhKe = 1;
static const uint8_t kTls13PskAuth = 0;


@ -15,14 +15,14 @@
'nssbase.h',
'nssbaset.h'
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/public'
'destination': '<(nss_dist_dir)/public/<(module)'
},
{
'files': [
'base.h',
'baset.h'
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/private'
'destination': '<(nss_dist_dir)/private/<(module)'
}
]
}
@ -30,4 +30,4 @@
'variables': {
'module': 'nss'
}
}
}


@ -52,20 +52,17 @@ pointer_compare(void *a, void *b)
static nssListElement *
nsslist_get_matching_element(nssList *list, void *data)
{
PRCList *link;
nssListElement *node;
node = list->head;
if (!node) {
return NULL;
}
link = &node->link;
while (node) {
/* using a callback slows things down when it's just compare ... */
if (list->compareFunc(node->data, data)) {
break;
}
link = &node->link;
if (link == PR_LIST_TAIL(&list->head->link)) {
if (&node->link == PR_LIST_TAIL(&list->head->link)) {
node = NULL;
break;
}
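Review bot: `PR_LIST_TAIL(&list->head->link)` is re-evaluated on every pass of the loop although `list->head` does not change inside it; a local `PRCList *tail = PR_LIST_TAIL(&list->head->link);` taken once before the `while` keeps the end-of-list test readable as `if (&node->link == tail)`. The `while (node)` condition is also always true on entry because of the `if (!node)` guard just above, so a plain `for (;;)` with the existing break would say the same thing. nsslist_get_matching_element's body continues outside the hunk.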


@ -1295,12 +1295,16 @@ CERT_AddOKDomainName(CERTCertificate *cert, const char *hn)
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
domainOK = (CERTOKDomainName *)PORT_ArenaZAlloc(
cert->arena, (sizeof *domainOK) + newNameLen);
if (!domainOK)
domainOK = (CERTOKDomainName *)PORT_ArenaZAlloc(cert->arena, sizeof(*domainOK));
if (!domainOK) {
return SECFailure; /* error code is already set. */
}
domainOK->name = (char *)PORT_ArenaZAlloc(cert->arena, newNameLen + 1);
if (!domainOK->name) {
return SECFailure; /* error code is already set. */
}
PORT_Strcpy(domainOK->name, hn);
PORT_Strncpy(domainOK->name, hn, newNameLen + 1);
sec_lower_string(domainOK->name);
/* put at head of list. */
@ -1402,7 +1406,6 @@ cert_VerifySubjectAltName(const CERTCertificate *cert, const char *hn)
goto fail;
}
isIPaddr = (PR_SUCCESS == PR_StringToNetAddr(hn, &netAddr));
rv = SECFailure;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena)
goto fail;
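Review bot: Dropping `rv = SECFailure;` right before `if (!arena) goto fail;` in cert_VerifySubjectAltName makes the value returned from the `fail:` label on that path depend on how `rv` was initialised above the hunk, which is outside view; if it is declared as `rv = SECFailure` the store was dead, otherwise this early exit now returns whatever `rv` held. A comment at the declaration such as `/* rv remains SECFailure until a name below matches */` would make that invariant visible to the next reader. The same question applies to the removed `rv = SECSuccess;` on the default-responder branch of CERT_VerifyOCSPResponseSignature in ocsp.c, which now relies on `rv` already holding the result of the signature check performed above that hunk. Both functions continue outside their hunks.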


@ -733,7 +733,7 @@ struct CERTVerifyLogStr {
struct CERTOKDomainNameStr {
CERTOKDomainName *next;
char name[1]; /* actual length may be longer. */
char *name;
};
typedef SECStatus(PR_CALLBACK *CERTStatusChecker)(CERTCertDBHandle *handle,


@ -2782,7 +2782,7 @@ cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
rv = cert_FindCRLByGeneralName(ncc, canonicalizedName, &oldEntry);
PORT_Assert(SECSuccess == rv);
if (SECSuccess != rv) {
rv = cert_ReleaseNamedCRLCache(ncc);
(void)cert_ReleaseNamedCRLCache(ncc);
SECITEM_ZfreeItem(crl, PR_TRUE);
return SECFailure;
}


@ -16,7 +16,7 @@
'certdb.h',
'certt.h'
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/public'
'destination': '<(nss_dist_dir)/public/<(module)'
},
{
'files': [
@ -25,7 +25,7 @@
'genname.h',
'xconst.h'
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/private'
'destination': '<(nss_dist_dir)/private/<(module)'
}
]
}
@ -33,4 +33,4 @@
'variables': {
'module': 'nss'
}
}
}


@ -303,7 +303,7 @@ CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest,
const SEC_ASN1Template *template;
PORT_Assert(arena);
if (arena == NULL) {
if (arena == NULL || !genName) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
@ -376,16 +376,17 @@ cert_EncodeGeneralNames(PLArenaPool *arena, CERTGeneralName *names)
{
CERTGeneralName *current_name;
SECItem **items = NULL;
int count = 0;
int count = 1;
int i;
PRCList *head;
if (!names) {
return NULL;
}
PORT_Assert(arena);
/* TODO: mark arena */
current_name = names;
if (names != NULL) {
count = 1;
}
head = &(names->l);
while (current_name->l.next != head) {
current_name = CERT_GetNextGeneralName(current_name);
@ -710,8 +711,10 @@ cert_DecodeNameConstraintSubTree(PLArenaPool *arena, SECItem **subTree,
last = current;
i++;
}
first->l.prev = &(last->l);
last->l.next = &(first->l);
if (first && last) {
first->l.prev = &(last->l);
last->l.next = &(first->l);
}
/* TODO: unmark arena */
return first;
loser:
@ -1069,7 +1072,7 @@ cert_ExtractDNEmailAddrs(CERTGeneralName *name, PLArenaPool *arena)
} /* loop over AVAs */
} /* loop over RDNs */
/* combine new names with old one. */
name = cert_CombineNamesLists(name, nameList);
(void)cert_CombineNamesLists(name, nameList);
/* TODO: unmark arena */
return SECSuccess;
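Review bot: The new `if (!names) { return NULL; }` in cert_EncodeGeneralNames returns without setting an error code, whereas the parallel guard added to CERT_EncodeGeneralName in the first hunk sets SEC_ERROR_INVALID_ARGS before returning NULL; a caller that treats NULL as failure will read a stale PORT_GetError value. If a NULL `names` list is a legitimate empty input, say so at the guard, `/* An empty list encodes to nothing; no error code is set. */`; otherwise add `PORT_SetError(SEC_ERROR_INVALID_ARGS);` before the return so the two functions report the same way. Discarding the result of cert_CombineNamesLists with `(void)` in cert_ExtractDNEmailAddrs looks equivalent to the old dead store, but whether the combined head can differ from `name` depends on that helper, which is outside view. All three functions continue outside their hunks.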


@ -588,8 +588,11 @@ CERT_CompareName(const CERTName *a, const CERTName *b)
return SECGreaterThan;
for (;;) {
ardn = *ardns++;
brdn = *brdns++;
if (!ardns++ || !brdns++) {
break;
}
ardn = *ardns;
brdn = *brdns;
if (!ardn) {
break;
}
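Review bot: The post-increment inside `if (!ardns++ || !brdns++)` tests the pointer value before it advances and `ardn = *ardns` then reads after it, so on the first pass element 0 of both RDN arrays is skipped and the comparison starts at element 1; the removed form `ardn = *ardns++` read element 0. Unless `ardns`/`brdns` are positioned one element before the start above the hunk (their setup is outside it), two names that differ only in their first RDN compare equal, which matters wherever CERT_CompareName decides subject/issuer matching. Since the RDN counts are already checked for equality above, the loop can go back to reading before advancing, `ardn = *ardns++;` / `brdn = *brdns++;`, followed by the existing `if (!ardn) { break; }`. A check that the array pointers themselves are non-NULL, if wanted, belongs once before the loop rather than per iteration. CERT_CompareName's body continues outside the hunk.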


@ -158,8 +158,6 @@ CERT_MapStanError()
int secError;
int i;
error = 0;
errorStack = NSS_GetErrorStack();
if (errorStack == 0) {
PORT_SetError(0);
@ -859,7 +857,7 @@ certdb_SaveSingleProfile(CERTCertificate *cert, const char *emailAddr,
if (saveit) {
if (cc) {
if (stanProfile) {
if (stanProfile && profileTime && emailProfile) {
/* stanProfile is already stored in the crypto context,
* overwrite the data
*/
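Review bot: Widening the test to `if (stanProfile && profileTime && emailProfile)` changes what happens when a stored `stanProfile` exists but `profileTime` or `emailProfile` is NULL: that case no longer overwrites the stored profile in place and instead takes the else branch, which is outside the hunk. If the intent is only to avoid dereferencing NULL inputs, a one-line comment explaining why an existing profile without new time or e-mail data should follow the else path would help the next reader, since the existing comment still describes the overwrite case only. certdb_SaveSingleProfile's body continues outside the hunk.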


@ -55,12 +55,12 @@ CERT_MatchNickname(char *name1, char *name2)
/*
* Find all user certificates that match the given criteria.
*
* "handle" - database to search
* "usage" - certificate usage to match
* "oneCertPerName" - if set then only return the "best" cert per
* name
* "validOnly" - only return certs that are curently valid
* "proto_win" - window handle passed to pkcs11
* "handle" - database to search
* "usage" - certificate usage to match
* "oneCertPerName" - if set then only return the "best" cert per
* name
* "validOnly" - only return certs that are curently valid
* "proto_win" - window handle passed to pkcs11
*/
CERTCertList *
CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
@ -95,20 +95,20 @@ CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
while (nn > 0) {
cert = NULL;
/* use the pk11 call so that we pick up any certs on tokens,
* which may require login
*/
* which may require login
*/
if (proto_win != NULL) {
cert = PK11_FindCertFromNickname(*nnptr, proto_win);
}
/* Sigh, It turns out if the cert is already in the temp db, because
* it's in the perm db, then the nickname lookup doesn't work.
* since we already have the cert here, though, than we can just call
* CERT_CreateSubjectCertList directly. For those cases where we didn't
* find the cert in pkcs #11 (because we didn't have a password arg,
* or because the nickname is for a peer, server, or CA cert, then we
* go look the cert up.
*/
* it's in the perm db, then the nickname lookup doesn't work.
* since we already have the cert here, though, than we can just call
* CERT_CreateSubjectCertList directly. For those cases where we didn't
* find the cert in pkcs #11 (because we didn't have a password arg,
* or because the nickname is for a peer, server, or CA cert, then we
* go look the cert up.
*/
if (cert == NULL) {
cert = CERT_FindCertByNickname(handle, *nnptr);
}
@ -142,6 +142,10 @@ CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
nn = nicknames->numnicknames;
nnptr = nicknames->nicknames;
if (!certList) {
goto loser;
}
flags = (PRBool *)PORT_ZAlloc(sizeof(PRBool) * nn);
if (flags == NULL) {
goto loser;
@ -156,21 +160,21 @@ CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
for (n = 0; n < nn; n++) {
if (CERT_MatchNickname(nnptr[n], node->cert->nickname)) {
/* We found a match. If this is the first one, then
* set the flag and move on to the next cert. If this
* is not the first one then delete it from the list.
*/
* set the flag and move on to the next cert. If this
* is not the first one then delete it from the list.
*/
if (flags[n]) {
/* We have already seen a cert with this nickname,
* so delete this one.
*/
* so delete this one.
*/
freenode = node;
node = CERT_LIST_NEXT(node);
CERT_RemoveCertListNode(freenode);
} else {
/* keep the first cert for each nickname, but set the
* flag so we know to delete any others with the same
* nickname.
*/
* flag so we know to delete any others with the same
* nickname.
*/
flags[n] = PR_TRUE;
node = CERT_LIST_NEXT(node);
}
@ -179,8 +183,8 @@ CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
}
if (n == nn) {
/* if we get here it means that we didn't find a matching
* nickname, which should not happen.
*/
* nickname, which should not happen.
*/
PORT_Assert(0);
node = CERT_LIST_NEXT(node);
}
@ -207,11 +211,11 @@ done:
/*
* Find a user certificate that matchs the given criteria.
*
* "handle" - database to search
* "nickname" - nickname to match
* "usage" - certificate usage to match
* "validOnly" - only return certs that are curently valid
* "proto_win" - window handle passed to pkcs11
* "handle" - database to search
* "nickname" - nickname to match
* "usage" - certificate usage to match
* "validOnly" - only return certs that are curently valid
* "proto_win" - window handle passed to pkcs11
*/
CERTCertificate *
CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
@ -402,7 +406,7 @@ CollectNicknames(NSSCertificate *c, void *data)
if (saveit) {
nickname = STAN_GetCERTCertificateName(NULL, c);
/* nickname can only be NULL here if we are having memory
* alloc problems */
* alloc problems */
if (nickname == NULL) {
return PR_FAILURE;
}
@ -893,9 +897,9 @@ cert_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage, PRBool
/* does it have the CA extension */
/*
* Make sure that if this is an intermediate CA in the chain that
* it was given permission by its signer to be a CA.
*/
* Make sure that if this is an intermediate CA in the chain that
* it was given permission by its signer to be a CA.
*/
isca = CERT_IsCACert(newcert, &certtype);
if (!isca) {
@ -1080,8 +1084,8 @@ CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
stanCert = stanChain[++i];
if (!stanCert && !cCert->isRoot) {
/* reached the end of the chain, but the final cert is
* not a root. Don't discard it.
*/
* not a root. Don't discard it.
*/
includeRoot = PR_TRUE;
}
CERT_DestroyCertificate(cCert);


@ -15,14 +15,14 @@
'ocsp.h',
'ocspt.h'
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/public'
'destination': '<(nss_dist_dir)/public/<(module)'
},
{
'files': [
'ocspi.h',
'ocspti.h'
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/private'
'destination': '<(nss_dist_dir)/private/<(module)'
}
]
}
@ -30,4 +30,4 @@
'variables': {
'module': 'nss'
}
}
}


@ -4128,9 +4128,7 @@ CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,
* Just because we have a cert does not mean it is any good; check
* it for validity, trust and usage.
*/
if (ocsp_CertIsOCSPDefaultResponder(handle, signerCert)) {
rv = SECSuccess;
} else {
if (!ocsp_CertIsOCSPDefaultResponder(handle, signerCert)) {
SECCertUsage certUsage;
if (CERT_IsCACert(signerCert, NULL)) {
certUsage = certUsageAnyCA;


@ -14,7 +14,7 @@
'files': [
'nssckbi.h'
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/public'
'destination': '<(nss_dist_dir)/public/<(module)'
}
]
}
@ -22,4 +22,4 @@
'variables': {
'module': 'nss'
}
}
}


@ -22,7 +22,7 @@
'nssckmdt.h',
'nssckt.h'
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/public'
'destination': '<(nss_dist_dir)/public/<(module)'
},
{
'files': [
@ -33,7 +33,7 @@
'ckmd.h',
'ckt.h'
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/private'
'destination': '<(nss_dist_dir)/private/<(module)'
}
]
}
@ -41,4 +41,4 @@
'variables': {
'module': 'nss'
}
}
}


@ -17,7 +17,7 @@
'crmf.h',
'crmft.h'
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/public'
'destination': '<(nss_dist_dir)/public/<(module)'
},
{
'files': [
@ -26,7 +26,7 @@
'crmfi.h',
'crmfit.h'
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/private'
'destination': '<(nss_dist_dir)/private/<(module)'
}
]
}
@ -34,4 +34,4 @@
'variables': {
'module': 'nss'
}
}
}


@ -23,13 +23,13 @@
'keythi.h',
'sechash.h'
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/public'
'destination': '<(nss_dist_dir)/public/<(module)'
},
{
'files': [
'keyi.h',
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/private'
'destination': '<(nss_dist_dir)/private/<(module)'
}
]
}


@ -16,7 +16,7 @@
'ncompat.h',
'winfile.h'
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/public'
'destination': '<(nss_dist_dir)/public/<(module)'
},
{
'files': [
@ -27,7 +27,7 @@
'queue.h',
'search.h'
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/private'
'destination': '<(nss_dist_dir)/private/<(module)'
}
]
}
@ -35,4 +35,4 @@
'variables': {
'module': 'dbm'
}
}
}


@ -20,7 +20,7 @@
'nssdev.h',
'nssdevt.h'
],
'destination': '<(PRODUCT_DIR)/dist/<(module)/private'
'destination': '<(nss_dist_dir)/private/<(module)'
}
]
}
@ -28,4 +28,4 @@
'variables': {
'module': 'nss'
}
}
}


@ -78,13 +78,8 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
*/
#define MAX_ECKEY_LEN 72 /* Bytes */
#ifdef NSS_ECC_MORE_THAN_SUITE_B
#define EC_MAX_KEY_BITS 571 /* in bits */
#define EC_MIN_KEY_BITS 112 /* in bits */
#else
#define EC_MAX_KEY_BITS 521 /* in bits */
#define EC_MIN_KEY_BITS 256 /* in bits */
#endif
/* EC point compression format */
#define EC_POINT_FORM_COMPRESSED_Y0 0x02


@ -214,361 +214,26 @@ EC_FillParams(PLArenaPool *arena, const SECItem *encodedParams,
#endif
switch (tag) {
/* Binary curves */
case SEC_OID_ANSIX962_EC_C2PNB163V1:
/* Populate params for c2pnb163v1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_CHAR2_PNB163V1, ec_field_GF2m,
params));
break;
case SEC_OID_ANSIX962_EC_C2PNB163V2:
/* Populate params for c2pnb163v2 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_CHAR2_PNB163V2, ec_field_GF2m,
params));
break;
case SEC_OID_ANSIX962_EC_C2PNB163V3:
/* Populate params for c2pnb163v3 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_CHAR2_PNB163V3, ec_field_GF2m,
params));
break;
case SEC_OID_ANSIX962_EC_C2PNB176V1:
/* Populate params for c2pnb176v1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_CHAR2_PNB176V1, ec_field_GF2m,
params));
break;
case SEC_OID_ANSIX962_EC_C2TNB191V1:
/* Populate params for c2tnb191v1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_CHAR2_TNB191V1, ec_field_GF2m,
params));
break;
case SEC_OID_ANSIX962_EC_C2TNB191V2:
/* Populate params for c2tnb191v2 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_CHAR2_TNB191V2, ec_field_GF2m,
params));
break;
case SEC_OID_ANSIX962_EC_C2TNB191V3:
/* Populate params for c2tnb191v3 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_CHAR2_TNB191V3, ec_field_GF2m,
params));
break;
case SEC_OID_ANSIX962_EC_C2PNB208W1:
/* Populate params for c2pnb208w1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_CHAR2_PNB208W1, ec_field_GF2m,
params));
break;
case SEC_OID_ANSIX962_EC_C2TNB239V1:
/* Populate params for c2tnb239v1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_CHAR2_TNB239V1, ec_field_GF2m,
params));
break;
case SEC_OID_ANSIX962_EC_C2TNB239V2:
/* Populate params for c2tnb239v2 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_CHAR2_TNB239V2, ec_field_GF2m,
params));
break;
case SEC_OID_ANSIX962_EC_C2TNB239V3:
/* Populate params for c2tnb239v3 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_CHAR2_TNB239V3, ec_field_GF2m,
params));
break;
case SEC_OID_ANSIX962_EC_C2PNB272W1:
/* Populate params for c2pnb272w1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_CHAR2_PNB272W1, ec_field_GF2m,
params));
break;
case SEC_OID_ANSIX962_EC_C2PNB304W1:
/* Populate params for c2pnb304w1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_CHAR2_PNB304W1, ec_field_GF2m,
params));
break;
case SEC_OID_ANSIX962_EC_C2TNB359V1:
/* Populate params for c2tnb359v1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_CHAR2_TNB359V1, ec_field_GF2m,
params));
break;
case SEC_OID_ANSIX962_EC_C2PNB368W1:
/* Populate params for c2pnb368w1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_CHAR2_PNB368W1, ec_field_GF2m,
params));
break;
case SEC_OID_ANSIX962_EC_C2TNB431R1:
/* Populate params for c2tnb431r1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_CHAR2_TNB431R1, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT113R1:
/* Populate params for sect113r1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_113R1, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT113R2:
/* Populate params for sect113r2 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_113R2, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT131R1:
/* Populate params for sect131r1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_131R1, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT131R2:
/* Populate params for sect131r2 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_131R2, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT163K1:
/* Populate params for sect163k1
* (the NIST K-163 curve)
*/
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_163K1, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT163R1:
/* Populate params for sect163r1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_163R1, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT163R2:
/* Populate params for sect163r2
* (the NIST B-163 curve)
*/
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_163R2, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT193R1:
/* Populate params for sect193r1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_193R1, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT193R2:
/* Populate params for sect193r2 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_193R2, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT233K1:
/* Populate params for sect233k1
* (the NIST K-233 curve)
*/
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_233K1, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT233R1:
/* Populate params for sect233r1
* (the NIST B-233 curve)
*/
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_233R1, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT239K1:
/* Populate params for sect239k1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_239K1, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT283K1:
/* Populate params for sect283k1
* (the NIST K-283 curve)
*/
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_283K1, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT283R1:
/* Populate params for sect283r1
* (the NIST B-283 curve)
*/
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_283R1, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT409K1:
/* Populate params for sect409k1
* (the NIST K-409 curve)
*/
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_409K1, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT409R1:
/* Populate params for sect409r1
* (the NIST B-409 curve)
*/
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_409R1, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT571K1:
/* Populate params for sect571k1
* (the NIST K-571 curve)
*/
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_571K1, ec_field_GF2m,
params));
break;
case SEC_OID_SECG_EC_SECT571R1:
/* Populate params for sect571r1
* (the NIST B-571 curve)
*/
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_CHAR2_571R1, ec_field_GF2m,
params));
break;
/* Prime curves */
case SEC_OID_ANSIX962_EC_PRIME192V1:
/* Populate params for prime192v1 aka secp192r1
* (the NIST P-192 curve)
*/
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_PRIME_192V1, ec_field_GFp,
params));
break;
case SEC_OID_ANSIX962_EC_PRIME192V2:
/* Populate params for prime192v2 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_PRIME_192V2, ec_field_GFp,
params));
break;
case SEC_OID_ANSIX962_EC_PRIME192V3:
/* Populate params for prime192v3 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_PRIME_192V3, ec_field_GFp,
params));
break;
case SEC_OID_ANSIX962_EC_PRIME239V1:
/* Populate params for prime239v1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_PRIME_239V1, ec_field_GFp,
params));
break;
case SEC_OID_ANSIX962_EC_PRIME239V2:
/* Populate params for prime239v2 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_PRIME_239V2, ec_field_GFp,
params));
break;
case SEC_OID_ANSIX962_EC_PRIME239V3:
/* Populate params for prime239v3 */
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_PRIME_239V3, ec_field_GFp,
params));
break;
case SEC_OID_ANSIX962_EC_PRIME256V1:
/* Populate params for prime256v1 aka secp256r1
* (the NIST P-256 curve)
*/
* (the NIST P-256 curve)
*/
CHECK_SEC_OK(gf_populate_params(ECCurve_X9_62_PRIME_256V1, ec_field_GFp,
params));
break;
case SEC_OID_SECG_EC_SECP112R1:
/* Populate params for secp112r1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_PRIME_112R1, ec_field_GFp,
params));
break;
case SEC_OID_SECG_EC_SECP112R2:
/* Populate params for secp112r2 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_PRIME_112R2, ec_field_GFp,
params));
break;
case SEC_OID_SECG_EC_SECP128R1:
/* Populate params for secp128r1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_PRIME_128R1, ec_field_GFp,
params));
break;
case SEC_OID_SECG_EC_SECP128R2:
/* Populate params for secp128r2 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_PRIME_128R2, ec_field_GFp,
params));
break;
case SEC_OID_SECG_EC_SECP160K1:
/* Populate params for secp160k1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_PRIME_160K1, ec_field_GFp,
params));
break;
case SEC_OID_SECG_EC_SECP160R1:
/* Populate params for secp160r1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_PRIME_160R1, ec_field_GFp,
params));
break;
case SEC_OID_SECG_EC_SECP160R2:
/* Populate params for secp160r1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_PRIME_160R2, ec_field_GFp,
params));
break;
case SEC_OID_SECG_EC_SECP192K1:
/* Populate params for secp192k1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_PRIME_192K1, ec_field_GFp,
params));
break;
case SEC_OID_SECG_EC_SECP224K1:
/* Populate params for secp224k1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_PRIME_224K1, ec_field_GFp,
params));
break;
case SEC_OID_SECG_EC_SECP224R1:
/* Populate params for secp224r1
* (the NIST P-224 curve)
*/
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_PRIME_224R1, ec_field_GFp,
params));
break;
case SEC_OID_SECG_EC_SECP256K1:
/* Populate params for secp256k1 */
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_PRIME_256K1, ec_field_GFp,
params));
break;
case SEC_OID_SECG_EC_SECP384R1:
/* Populate params for secp384r1
* (the NIST P-384 curve)
*/
* (the NIST P-384 curve)
*/
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_PRIME_384R1, ec_field_GFp,
params));
break;
case SEC_OID_SECG_EC_SECP521R1:
/* Populate params for secp521r1
* (the NIST P-521 curve)
*/
* (the NIST P-521 curve)
*/
CHECK_SEC_OK(gf_populate_params(ECCurve_SECG_PRIME_521R1, ec_field_GFp,
params));
break;


@ -24,9 +24,6 @@ and point multiplication operations. Used by higher level algorithms
ecl-priv.h - Data structures and functions for internal use within the
library.
ec2.h - Internal header file that contains all functions for point
arithmetic over binary polynomial fields.
ecp.h - Internal header file that contains all functions for point
arithmetic over prime fields.


@ -1,284 +0,0 @@
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
The ECL exposes routines for constructing and converting curve
parameters for internal use.
The floating point code of the ECL provides algorithms for performing
elliptic-curve point multiplications in floating point.
The point multiplication algorithms perform calculations almost
exclusively in floating point for efficiency, but have the same
(integer) interface as the ECL for compatibility and to be easily
wired-in to the ECL. Please see README file (not this README.FP file)
for information on wiring-in.
This has been implemented for 3 curves as specified in [1]:
secp160r1
secp192r1
secp224r1
RATIONALE
=========
Calculations are done in the floating-point unit (FPU) since it
gives better performance on the UltraSPARC III chips. This is
because the FPU allows for faster multiplication than the integer unit.
The integer unit has a longer multiplication instruction latency, and
does not allow full pipelining, as described in [2].
Since performance is an important selling feature of Elliptic Curve
Cryptography (ECC), this implementation was created.
DATA REPRESENTATION
===================
Data is primarily represented in an array of double-precision floating
point numbers. Generally, each array element has 24 bits of precision
(i.e. be x * 2^y, where x is an integer of at most 24 bits, y some positive
integer), although the actual implementation details are more complicated.
e.g. a way to store an 80 bit number might be:
double p[4] = { 632613 * 2^0, 329841 * 2^24, 9961 * 2^48, 51 * 2^64 };
See section ARITHMETIC OPERATIONS for more details.
This implementation assumes that the floating-point unit rounding mode
is round-to-even as specified in IEEE 754
(as opposed to chopping, rounding up, or rounding down).
When subtracting integers represented as arrays of floating point
numbers, some coefficients (array elements) may become negative.
This effectively gives an extra bit of precision that is important
for correctness in some cases.
The described number presentation limits the size of integers to 1023 bits.
This is due to an upper bound of 1024 for the exponent of a double precision
floating point number as specified in IEEE-754.
However, this is acceptable for ECC key sizes of the foreseeable future.
DATA STRUCTURES
===============
For more information on coordinate representations, see [3].
ecfp_aff_pt
-----------
Affine EC Point Representation. This is the basic
representation (x, y) of an elliptic curve point.
ecfp_jac_pt
-----------
Jacobian EC Point. This stores a point as (X, Y, Z), where
the affine point corresponds to (X/Z^2, Y/Z^3). This allows
for fewer inversions in calculations.
ecfp_chud_pt
------------
Chudnovsky Jacobian Point. This representation stores a point
as (X, Y, Z, Z^2, Z^3), the same as a Jacobian representation
but also storing Z^2 and Z^3 for faster point additions.
ecfp_jm_pt
----------
Modified Jacobian Point. This representation stores a point
as (X, Y, Z, a*Z^4), the same as Jacobian representation but
also storing a*Z^4 for faster point doublings. Here "a" represents
the linear coefficient of x defining the curve.
EC_group_fp
-----------
Stores information on the elliptic curve group for floating
point calculations. Contains curve specific information, as
well as function pointers to routines, allowing different
optimizations to be easily wired in.
This should be made accessible from an ECGroup for the floating
point implementations of point multiplication.
POINT MULTIPLICATION ALGORITHMS
===============================
Elliptic Curve Point multiplication can be done at a higher level orthogonal
to the implementation of point additions and point doublings. There
are a variety of algorithms that can be used.
The following algorithms have been implemented:
4-bit Window (Jacobian Coordinates)
Double & Add (Jacobian & Affine Coordinates)
5-bit Non-Adjacent Form (Modified Jacobian & Chudnovsky Jacobian)
Currently, the fastest algorithm for multiplying a generic point
is the 5-bit Non-Adjacent Form.
See comments in ecp_fp.c for more details and references.
SOURCE / HEADER FILES
=====================
ecp_fp.c
--------
Main source file for floating point calculations. Contains routines
to convert from floating-point to integer (mp_int format), point
multiplication algorithms, and several other routines.
ecp_fp.h
--------
Main header file. Contains most constants used and function prototypes.
ecp_fp[160, 192, 224].c
-----------------------
Source files for specific curves. Contains curve specific code such
as specialized reduction based on the field defining prime. Contains
code wiring-in different algorithms and optimizations.
ecp_fpinc.c
-----------
Source file that is included by ecp_fp[160, 192, 224].c. This generates
functions with different preprocessor-defined names and loop iterations,
allowing for static linking and strong compiler optimizations without
code duplication.
TESTING
=======
The test suite can be found in ecl/tests/ecp_fpt. This tests and gets
timings of the different algorithms for the curves implemented.
ARITHMETIC OPERATIONS
---------------------
The primary operations in ECC over the prime fields are modular arithmetic:
i.e. n * m (mod p) and n + m (mod p). In this implementation, multiplication,
addition, and reduction are implemented as separate functions. This
enables computation of formulae with fewer reductions, e.g.
(a * b) + (c * d) (mod p) rather than:
((a * b) (mod p)) + ((c * d) (mod p)) (mod p)
This takes advantage of the fact that the double precision mantissa in
floating point can hold numbers up to 2^53, i.e. it has some leeway to
store larger intermediate numbers. See further detail in the section on
FLOATING POINT PRECISION.
Multiplication
--------------
Multiplication is implemented in a standard polynomial multiplication
fashion. The terms in opposite factors are pairwise multiplied and
added together appropriately. Note that the result requires twice
as many doubles for storage, as the bit size of the product is twice
that of the multiplicands.
e.g. suppose we have double n[3], m[3], r[6], and want to calculate r = n * m
r[0] = n[0] * m[0]
r[1] = n[0] * m[1] + n[1] * m[0]
r[2] = n[0] * m[2] + n[1] * m[1] + n[2] * m[0]
r[3] = n[1] * m[2] + n[2] * m[1]
r[4] = n[2] * m[2]
r[5] = 0 (This is used later to hold spillover from r[4], see tidying in
the reduction section.)
Addition
--------
Addition is done term by term. The only caveat is to be careful with
the number of terms that need to be added. When adding results of
multiplication (before reduction), twice as many terms need to be added
together. This is done in the addLong function.
e.g. for double n[4], m[4], r[4]: r = n + m
r[0] = n[0] + m[0]
r[1] = n[1] + m[1]
r[2] = n[2] + m[2]
r[3] = n[3] + m[3]
Modular Reduction
-----------------
For the curves implemented, reduction is possible by fast reduction
for Generalized Mersenne Primes, as described in [4]. For the
floating point implementation, a significant step of the reduction
process is tidying: that is, the propagation of carry bits from
low-order to high-order coefficients to reduce the precision of each
coefficient to 24 bits.
This is done by adding and then subtracting
ecfp_alpha, a large floating point number that induces precision roundoff.
See [5] for more details on tidying using floating point arithmetic.
e.g. suppose we have r = 961838 * 2^24 + 519308
then if we set alpha = 3 * 2^51 * 2^24,
FP(FP(r + alpha) - alpha) = 961838 * 2^24, because the precision for
the intermediate results is limited. Our values of alpha are chosen
to truncate to a desired number of bits.
The reduction is then performed as in [4], adding multiples of prime p.
e.g. suppose we are working over a polynomial of 10^2. Take the number
2 * 10^8 + 11 * 10^6 + 53 * 10^4 + 23 * 10^2 + 95, stored in 5 elements
for coefficients of 10^0, 10^2, ..., 10^8.
We wish to reduce modulo p = 10^6 - 2 * 10^4 + 1
We can subtract off from the higher terms
(2 * 10^8 + 11 * 10^6 + 53 * 10^4 + 23 * 10^2 + 95) - (2 * 10^2) * (10^6 - 2 * 10^4 + 1)
= 15 * 10^6 + 53 * 10^4 + 21 * 10^2 + 95
= 15 * 10^6 + 53 * 10^4 + 21 * 10^2 + 95 - (15) * (10^6 - 2 * 10^4 + 1)
= 83 * 10^4 + 21 * 10^2 + 80
Integrated Example
------------------
This example shows how multiplication, addition, tidying, and reduction
work together in our modular arithmetic. This is simplified from the
actual implementation, but should convey the main concepts.
Working over polynomials of 10^2 and with p as in the prior example,
Let a = 16 * 10^4 + 53 * 10^2 + 33
let b = 81 * 10^4 + 31 * 10^2 + 49
let c = 22 * 10^4 + 0 * 10^2 + 95
And suppose we want to compute a * b + c mod p.
We first do a multiplication: then a * b =
0 * 10^10 + 1296 * 10^8 + 4789 * 10^6 + 5100 * 10^4 + 3620 * 10^2 + 1617
Then we add in c before doing reduction, allowing us to get a * b + c =
0 * 10^10 + 1296 * 10^8 + 4789 * 10^6 + 5122 * 10^4 + 3620 * 10^2 + 1712
We then perform a tidying on the upper half of the terms:
0 * 10^10 + 1296 * 10^8 + 4789 * 10^6
0 * 10^10 + (1296 + 47) * 10^8 + 89 * 10^6
0 * 10^10 + 1343 * 10^8 + 89 * 10^6
13 * 10^10 + 43 * 10^8 + 89 * 10^6
which then gives us
13 * 10^10 + 43 * 10^8 + 89 * 10^6 + 5122 * 10^4 + 3620 * 10^2 + 1712
we then reduce modulo p similar to the reduction example above:
13 * 10^10 + 43 * 10^8 + 89 * 10^6 + 5122 * 10^4 + 3620 * 10^2 + 1712
- (13 * 10^4 * p)
69 * 10^8 + 89 * 10^6 + 5109 * 10^4 + 3620 * 10^2 + 1712
- (69 * 10^2 * p)
227 * 10^6 + 5109 * 10^4 + 3551 * 10^2 + 1712
- (227 * p)
5563 * 10^4 + 3551 * 10^2 + 1485
finally, we do tidying to get the precision of each term down to 2 digits
5563 * 10^4 + 3565 * 10^2 + 85
5598 * 10^4 + 65 * 10^2 + 85
55 * 10^6 + 98 * 10^4 + 65 * 10^2 + 85
and perform another reduction step
- (55 * p)
208 * 10^4 + 65 * 10^2 + 30
There may be a small number of further reductions that could be done at
this point, but this is typically done only at the end when converting
from floating point to an integer unit representation.
FLOATING POINT PRECISION
========================
This section discusses the precision of floating point numbers, which
one writing new formulae or a larger bit size should be aware of. The
danger is that an intermediate result may be required to store a
mantissa larger than 53 bits, which would cause error by rounding off.
Note that the tidying with IEEE rounding mode set to round-to-even
allows negative numbers, which actually reduces the size of the double
mantissa to 23 bits - since it rounds the mantissa to the nearest number
modulo 2^24, i.e. roughly between -2^23 and 2^23.
A multiplication increases the bit size to 2^46 * n, where n is the number
of doubles to store a number. For the 224 bit curve, n = 10. This gives
doubles of size 5 * 2^47. Adding two of these doubles gives a result
of size 5 * 2^48, which is less than 2^53, so this is safe.
Similar analysis can be done for other formulae to ensure numbers remain
below 2^53.
Extended-Precision Floating Point
---------------------------------
Some platforms, notably x86 Linux, may use an extended-precision floating
point representation that has a 64-bit mantissa. [6] Although this
implementation is optimized for the IEEE standard 53-bit mantissa,
it should work with the 64-bit mantissa. A check is done at run-time
in the function ec_set_fp_precision that detects if the precision is
greater than 53 bits, and runs code for the 64-bit mantissa accordingly.
REFERENCES
==========
[1] Certicom Corp., "SEC 2: Recommended Elliptic Curve Domain Parameters", Sept. 20, 2000. www.secg.org
[2] Sun Microsystems Inc. UltraSPARC III Cu User's Manual, Version 1.0, May 2002, Table 4.4
[3] H. Cohen, A. Miyaji, and T. Ono, "Efficient Elliptic Curve Exponentiation Using Mixed Coordinates".
[4] Henk C.A. van Tilborg, Generalized Mersenne Prime. http://www.win.tue.nl/~henkvt/GenMersenne.pdf
[5] Daniel J. Bernstein, Floating-Point Arithmetic and Message Authentication, Journal of Cryptology, March 2000, Section 2.
[6] Daniel J. Bernstein, Floating-Point Arithmetic and Message Authentication, Journal of Cryptology, March 2000, Section 2 Notes.


@ -1,92 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef __ec2_h_
#define __ec2_h_
#include "ecl-priv.h"
/* Checks if point P(px, py) is at infinity. Uses affine coordinates. */
mp_err ec_GF2m_pt_is_inf_aff(const mp_int *px, const mp_int *py);
/* Sets P(px, py) to be the point at infinity. Uses affine coordinates. */
mp_err ec_GF2m_pt_set_inf_aff(mp_int *px, mp_int *py);
/* Computes R = P + Q where R is (rx, ry), P is (px, py) and Q is (qx,
* qy). Uses affine coordinates. */
mp_err ec_GF2m_pt_add_aff(const mp_int *px, const mp_int *py,
const mp_int *qx, const mp_int *qy, mp_int *rx,
mp_int *ry, const ECGroup *group);
/* Computes R = P - Q. Uses affine coordinates. */
mp_err ec_GF2m_pt_sub_aff(const mp_int *px, const mp_int *py,
const mp_int *qx, const mp_int *qy, mp_int *rx,
mp_int *ry, const ECGroup *group);
/* Computes R = 2P. Uses affine coordinates. */
mp_err ec_GF2m_pt_dbl_aff(const mp_int *px, const mp_int *py, mp_int *rx,
mp_int *ry, const ECGroup *group);
/* Validates a point on a GF2m curve. */
mp_err ec_GF2m_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group);
/* by default, this routine is unused and thus doesn't need to be compiled */
#ifdef ECL_ENABLE_GF2M_PT_MUL_AFF
/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
* a, b and p are the elliptic curve coefficients and the irreducible that
* determines the field GF2m. Uses affine coordinates. */
mp_err ec_GF2m_pt_mul_aff(const mp_int *n, const mp_int *px,
const mp_int *py, mp_int *rx, mp_int *ry,
const ECGroup *group);
#endif
/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
* a, b and p are the elliptic curve coefficients and the irreducible that
* determines the field GF2m. Uses Montgomery projective coordinates. */
mp_err ec_GF2m_pt_mul_mont(const mp_int *n, const mp_int *px,
const mp_int *py, mp_int *rx, mp_int *ry,
const ECGroup *group);
#ifdef ECL_ENABLE_GF2M_PROJ
/* Converts a point P(px, py) from affine coordinates to projective
* coordinates R(rx, ry, rz). */
mp_err ec_GF2m_pt_aff2proj(const mp_int *px, const mp_int *py, mp_int *rx,
mp_int *ry, mp_int *rz, const ECGroup *group);
/* Converts a point P(px, py, pz) from projective coordinates to affine
* coordinates R(rx, ry). */
mp_err ec_GF2m_pt_proj2aff(const mp_int *px, const mp_int *py,
const mp_int *pz, mp_int *rx, mp_int *ry,
const ECGroup *group);
/* Checks if point P(px, py, pz) is at infinity. Uses projective
* coordinates. */
mp_err ec_GF2m_pt_is_inf_proj(const mp_int *px, const mp_int *py,
const mp_int *pz);
/* Sets P(px, py, pz) to be the point at infinity. Uses projective
* coordinates. */
mp_err ec_GF2m_pt_set_inf_proj(mp_int *px, mp_int *py, mp_int *pz);
/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is
* (qx, qy, qz). Uses projective coordinates. */
mp_err ec_GF2m_pt_add_proj(const mp_int *px, const mp_int *py,
const mp_int *pz, const mp_int *qx,
const mp_int *qy, mp_int *rx, mp_int *ry,
mp_int *rz, const ECGroup *group);
/* Computes R = 2P. Uses projective coordinates. */
mp_err ec_GF2m_pt_dbl_proj(const mp_int *px, const mp_int *py,
const mp_int *pz, mp_int *rx, mp_int *ry,
mp_int *rz, const ECGroup *group);
/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
* a, b and p are the elliptic curve coefficients and the prime that
* determines the field GF2m. Uses projective coordinates. */
mp_err ec_GF2m_pt_mul_proj(const mp_int *n, const mp_int *px,
const mp_int *py, mp_int *rx, mp_int *ry,
const ECGroup *group);
#endif
#endif /* __ec2_h_ */


@ -1,223 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ec2.h"
#include "mp_gf2m.h"
#include "mp_gf2m-priv.h"
#include "mpi.h"
#include "mpi-priv.h"
#include <stdlib.h>
/* Fast reduction for polynomials over a 163-bit curve. Assumes reduction
* polynomial with terms {163, 7, 6, 3, 0}. */
mp_err
ec_GF2m_163_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
{
mp_err res = MP_OKAY;
mp_digit *u, z;
if (a != r) {
MP_CHECKOK(mp_copy(a, r));
}
#ifdef ECL_SIXTY_FOUR_BIT
if (MP_USED(r) < 6) {
MP_CHECKOK(s_mp_pad(r, 6));
}
u = MP_DIGITS(r);
MP_USED(r) = 6;
/* u[5] only has 6 significant bits */
z = u[5];
u[2] ^= (z << 36) ^ (z << 35) ^ (z << 32) ^ (z << 29);
z = u[4];
u[2] ^= (z >> 28) ^ (z >> 29) ^ (z >> 32) ^ (z >> 35);
u[1] ^= (z << 36) ^ (z << 35) ^ (z << 32) ^ (z << 29);
z = u[3];
u[1] ^= (z >> 28) ^ (z >> 29) ^ (z >> 32) ^ (z >> 35);
u[0] ^= (z << 36) ^ (z << 35) ^ (z << 32) ^ (z << 29);
z = u[2] >> 35; /* z only has 29 significant bits */
u[0] ^= (z << 7) ^ (z << 6) ^ (z << 3) ^ z;
/* clear bits above 163 */
u[5] = u[4] = u[3] = 0;
u[2] ^= z << 35;
#else
if (MP_USED(r) < 11) {
MP_CHECKOK(s_mp_pad(r, 11));
}
u = MP_DIGITS(r);
MP_USED(r) = 11;
/* u[11] only has 6 significant bits */
z = u[10];
u[5] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
u[4] ^= (z << 29);
z = u[9];
u[5] ^= (z >> 28) ^ (z >> 29);
u[4] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
u[3] ^= (z << 29);
z = u[8];
u[4] ^= (z >> 28) ^ (z >> 29);
u[3] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
u[2] ^= (z << 29);
z = u[7];
u[3] ^= (z >> 28) ^ (z >> 29);
u[2] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
u[1] ^= (z << 29);
z = u[6];
u[2] ^= (z >> 28) ^ (z >> 29);
u[1] ^= (z << 4) ^ (z << 3) ^ z ^ (z >> 3);
u[0] ^= (z << 29);
z = u[5] >> 3; /* z only has 29 significant bits */
u[1] ^= (z >> 25) ^ (z >> 26);
u[0] ^= (z << 7) ^ (z << 6) ^ (z << 3) ^ z;
/* clear bits above 163 */
u[11] = u[10] = u[9] = u[8] = u[7] = u[6] = 0;
u[5] ^= z << 3;
#endif
s_mp_clamp(r);
CLEANUP:
return res;
}
/* Fast squaring for polynomials over a 163-bit curve. Assumes reduction
* polynomial with terms {163, 7, 6, 3, 0}. */
mp_err
ec_GF2m_163_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
{
mp_err res = MP_OKAY;
mp_digit *u, *v;
v = MP_DIGITS(a);
#ifdef ECL_SIXTY_FOUR_BIT
if (MP_USED(a) < 3) {
return mp_bsqrmod(a, meth->irr_arr, r);
}
if (MP_USED(r) < 6) {
MP_CHECKOK(s_mp_pad(r, 6));
}
MP_USED(r) = 6;
#else
if (MP_USED(a) < 6) {
return mp_bsqrmod(a, meth->irr_arr, r);
}
if (MP_USED(r) < 12) {
MP_CHECKOK(s_mp_pad(r, 12));
}
MP_USED(r) = 12;
#endif
u = MP_DIGITS(r);
#ifdef ECL_THIRTY_TWO_BIT
u[11] = gf2m_SQR1(v[5]);
u[10] = gf2m_SQR0(v[5]);
u[9] = gf2m_SQR1(v[4]);
u[8] = gf2m_SQR0(v[4]);
u[7] = gf2m_SQR1(v[3]);
u[6] = gf2m_SQR0(v[3]);
#endif
u[5] = gf2m_SQR1(v[2]);
u[4] = gf2m_SQR0(v[2]);
u[3] = gf2m_SQR1(v[1]);
u[2] = gf2m_SQR0(v[1]);
u[1] = gf2m_SQR1(v[0]);
u[0] = gf2m_SQR0(v[0]);
return ec_GF2m_163_mod(r, r, meth);
CLEANUP:
return res;
}
/* Fast multiplication for polynomials over a 163-bit curve. Assumes
* reduction polynomial with terms {163, 7, 6, 3, 0}. */
mp_err
ec_GF2m_163_mul(const mp_int *a, const mp_int *b, mp_int *r,
const GFMethod *meth)
{
mp_err res = MP_OKAY;
mp_digit a2 = 0, a1 = 0, a0, b2 = 0, b1 = 0, b0;
#ifdef ECL_THIRTY_TWO_BIT
mp_digit a5 = 0, a4 = 0, a3 = 0, b5 = 0, b4 = 0, b3 = 0;
mp_digit rm[6];
#endif
if (a == b) {
return ec_GF2m_163_sqr(a, r, meth);
} else {
switch (MP_USED(a)) {
#ifdef ECL_THIRTY_TWO_BIT
case 6:
a5 = MP_DIGIT(a, 5);
case 5:
a4 = MP_DIGIT(a, 4);
case 4:
a3 = MP_DIGIT(a, 3);
#endif
case 3:
a2 = MP_DIGIT(a, 2);
case 2:
a1 = MP_DIGIT(a, 1);
default:
a0 = MP_DIGIT(a, 0);
}
switch (MP_USED(b)) {
#ifdef ECL_THIRTY_TWO_BIT
case 6:
b5 = MP_DIGIT(b, 5);
case 5:
b4 = MP_DIGIT(b, 4);
case 4:
b3 = MP_DIGIT(b, 3);
#endif
case 3:
b2 = MP_DIGIT(b, 2);
case 2:
b1 = MP_DIGIT(b, 1);
default:
b0 = MP_DIGIT(b, 0);
}
#ifdef ECL_SIXTY_FOUR_BIT
MP_CHECKOK(s_mp_pad(r, 6));
s_bmul_3x3(MP_DIGITS(r), a2, a1, a0, b2, b1, b0);
MP_USED(r) = 6;
s_mp_clamp(r);
#else
MP_CHECKOK(s_mp_pad(r, 12));
s_bmul_3x3(MP_DIGITS(r) + 6, a5, a4, a3, b5, b4, b3);
s_bmul_3x3(MP_DIGITS(r), a2, a1, a0, b2, b1, b0);
s_bmul_3x3(rm, a5 ^ a2, a4 ^ a1, a3 ^ a0, b5 ^ b2, b4 ^ b1,
b3 ^ b0);
rm[5] ^= MP_DIGIT(r, 5) ^ MP_DIGIT(r, 11);
rm[4] ^= MP_DIGIT(r, 4) ^ MP_DIGIT(r, 10);
rm[3] ^= MP_DIGIT(r, 3) ^ MP_DIGIT(r, 9);
rm[2] ^= MP_DIGIT(r, 2) ^ MP_DIGIT(r, 8);
rm[1] ^= MP_DIGIT(r, 1) ^ MP_DIGIT(r, 7);
rm[0] ^= MP_DIGIT(r, 0) ^ MP_DIGIT(r, 6);
MP_DIGIT(r, 8) ^= rm[5];
MP_DIGIT(r, 7) ^= rm[4];
MP_DIGIT(r, 6) ^= rm[3];
MP_DIGIT(r, 5) ^= rm[2];
MP_DIGIT(r, 4) ^= rm[1];
MP_DIGIT(r, 3) ^= rm[0];
MP_USED(r) = 12;
s_mp_clamp(r);
#endif
return ec_GF2m_163_mod(r, r, meth);
}
CLEANUP:
return res;
}
/* Wire in fast field arithmetic for 163-bit curves. */
mp_err
ec_group_set_gf2m163(ECGroup *group, ECCurveName name)
{
group->meth->field_mod = &ec_GF2m_163_mod;
group->meth->field_mul = &ec_GF2m_163_mul;
group->meth->field_sqr = &ec_GF2m_163_sqr;
return MP_OKAY;
}


@ -1,240 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ec2.h"
#include "mp_gf2m.h"
#include "mp_gf2m-priv.h"
#include "mpi.h"
#include "mpi-priv.h"
#include <stdlib.h>
/* Fast reduction for polynomials over a 193-bit curve. Assumes reduction
* polynomial with terms {193, 15, 0}. */
mp_err
ec_GF2m_193_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
{
mp_err res = MP_OKAY;
mp_digit *u, z;
if (a != r) {
MP_CHECKOK(mp_copy(a, r));
}
#ifdef ECL_SIXTY_FOUR_BIT
if (MP_USED(r) < 7) {
MP_CHECKOK(s_mp_pad(r, 7));
}
u = MP_DIGITS(r);
MP_USED(r) = 7;
/* u[6] only has 2 significant bits */
z = u[6];
u[3] ^= (z << 14) ^ (z >> 1);
u[2] ^= (z << 63);
z = u[5];
u[3] ^= (z >> 50);
u[2] ^= (z << 14) ^ (z >> 1);
u[1] ^= (z << 63);
z = u[4];
u[2] ^= (z >> 50);
u[1] ^= (z << 14) ^ (z >> 1);
u[0] ^= (z << 63);
z = u[3] >> 1; /* z only has 63 significant bits */
u[1] ^= (z >> 49);
u[0] ^= (z << 15) ^ z;
/* clear bits above 193 */
u[6] = u[5] = u[4] = 0;
u[3] ^= z << 1;
#else
if (MP_USED(r) < 13) {
MP_CHECKOK(s_mp_pad(r, 13));
}
u = MP_DIGITS(r);
MP_USED(r) = 13;
/* u[12] only has 2 significant bits */
z = u[12];
u[6] ^= (z << 14) ^ (z >> 1);
u[5] ^= (z << 31);
z = u[11];
u[6] ^= (z >> 18);
u[5] ^= (z << 14) ^ (z >> 1);
u[4] ^= (z << 31);
z = u[10];
u[5] ^= (z >> 18);
u[4] ^= (z << 14) ^ (z >> 1);
u[3] ^= (z << 31);
z = u[9];
u[4] ^= (z >> 18);
u[3] ^= (z << 14) ^ (z >> 1);
u[2] ^= (z << 31);
z = u[8];
u[3] ^= (z >> 18);
u[2] ^= (z << 14) ^ (z >> 1);
u[1] ^= (z << 31);
z = u[7];
u[2] ^= (z >> 18);
u[1] ^= (z << 14) ^ (z >> 1);
u[0] ^= (z << 31);
z = u[6] >> 1; /* z only has 31 significant bits */
u[1] ^= (z >> 17);
u[0] ^= (z << 15) ^ z;
/* clear bits above 193 */
u[12] = u[11] = u[10] = u[9] = u[8] = u[7] = 0;
u[6] ^= z << 1;
#endif
s_mp_clamp(r);
CLEANUP:
return res;
}
/* Fast squaring for polynomials over a 193-bit curve. Assumes reduction
* polynomial with terms {193, 15, 0}. */
mp_err
ec_GF2m_193_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
{
mp_err res = MP_OKAY;
mp_digit *u, *v;
v = MP_DIGITS(a);
#ifdef ECL_SIXTY_FOUR_BIT
if (MP_USED(a) < 4) {
return mp_bsqrmod(a, meth->irr_arr, r);
}
if (MP_USED(r) < 7) {
MP_CHECKOK(s_mp_pad(r, 7));
}
MP_USED(r) = 7;
#else
if (MP_USED(a) < 7) {
return mp_bsqrmod(a, meth->irr_arr, r);
}
if (MP_USED(r) < 13) {
MP_CHECKOK(s_mp_pad(r, 13));
}
MP_USED(r) = 13;
#endif
u = MP_DIGITS(r);
#ifdef ECL_THIRTY_TWO_BIT
u[12] = gf2m_SQR0(v[6]);
u[11] = gf2m_SQR1(v[5]);
u[10] = gf2m_SQR0(v[5]);
u[9] = gf2m_SQR1(v[4]);
u[8] = gf2m_SQR0(v[4]);
u[7] = gf2m_SQR1(v[3]);
#endif
u[6] = gf2m_SQR0(v[3]);
u[5] = gf2m_SQR1(v[2]);
u[4] = gf2m_SQR0(v[2]);
u[3] = gf2m_SQR1(v[1]);
u[2] = gf2m_SQR0(v[1]);
u[1] = gf2m_SQR1(v[0]);
u[0] = gf2m_SQR0(v[0]);
return ec_GF2m_193_mod(r, r, meth);
CLEANUP:
return res;
}
/* Fast multiplication for polynomials over a 193-bit curve. Assumes
* reduction polynomial with terms {193, 15, 0}. */
mp_err
ec_GF2m_193_mul(const mp_int *a, const mp_int *b, mp_int *r,
const GFMethod *meth)
{
mp_err res = MP_OKAY;
mp_digit a3 = 0, a2 = 0, a1 = 0, a0, b3 = 0, b2 = 0, b1 = 0, b0;
#ifdef ECL_THIRTY_TWO_BIT
mp_digit a6 = 0, a5 = 0, a4 = 0, b6 = 0, b5 = 0, b4 = 0;
mp_digit rm[8];
#endif
if (a == b) {
return ec_GF2m_193_sqr(a, r, meth);
} else {
switch (MP_USED(a)) {
#ifdef ECL_THIRTY_TWO_BIT
case 7:
a6 = MP_DIGIT(a, 6);
case 6:
a5 = MP_DIGIT(a, 5);
case 5:
a4 = MP_DIGIT(a, 4);
#endif
case 4:
a3 = MP_DIGIT(a, 3);
case 3:
a2 = MP_DIGIT(a, 2);
case 2:
a1 = MP_DIGIT(a, 1);
default:
a0 = MP_DIGIT(a, 0);
}
switch (MP_USED(b)) {
#ifdef ECL_THIRTY_TWO_BIT
case 7:
b6 = MP_DIGIT(b, 6);
case 6:
b5 = MP_DIGIT(b, 5);
case 5:
b4 = MP_DIGIT(b, 4);
#endif
case 4:
b3 = MP_DIGIT(b, 3);
case 3:
b2 = MP_DIGIT(b, 2);
case 2:
b1 = MP_DIGIT(b, 1);
default:
b0 = MP_DIGIT(b, 0);
}
#ifdef ECL_SIXTY_FOUR_BIT
MP_CHECKOK(s_mp_pad(r, 8));
s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);
MP_USED(r) = 8;
s_mp_clamp(r);
#else
MP_CHECKOK(s_mp_pad(r, 14));
s_bmul_3x3(MP_DIGITS(r) + 8, a6, a5, a4, b6, b5, b4);
s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);
s_bmul_4x4(rm, a3, a6 ^ a2, a5 ^ a1, a4 ^ a0, b3, b6 ^ b2, b5 ^ b1,
b4 ^ b0);
rm[7] ^= MP_DIGIT(r, 7);
rm[6] ^= MP_DIGIT(r, 6);
rm[5] ^= MP_DIGIT(r, 5) ^ MP_DIGIT(r, 13);
rm[4] ^= MP_DIGIT(r, 4) ^ MP_DIGIT(r, 12);
rm[3] ^= MP_DIGIT(r, 3) ^ MP_DIGIT(r, 11);
rm[2] ^= MP_DIGIT(r, 2) ^ MP_DIGIT(r, 10);
rm[1] ^= MP_DIGIT(r, 1) ^ MP_DIGIT(r, 9);
rm[0] ^= MP_DIGIT(r, 0) ^ MP_DIGIT(r, 8);
MP_DIGIT(r, 11) ^= rm[7];
MP_DIGIT(r, 10) ^= rm[6];
MP_DIGIT(r, 9) ^= rm[5];
MP_DIGIT(r, 8) ^= rm[4];
MP_DIGIT(r, 7) ^= rm[3];
MP_DIGIT(r, 6) ^= rm[2];
MP_DIGIT(r, 5) ^= rm[1];
MP_DIGIT(r, 4) ^= rm[0];
MP_USED(r) = 14;
s_mp_clamp(r);
#endif
return ec_GF2m_193_mod(r, r, meth);
}
CLEANUP:
return res;
}
/* Wire in fast field arithmetic for 193-bit curves. */
mp_err
ec_group_set_gf2m193(ECGroup *group, ECCurveName name)
{
group->meth->field_mod = &ec_GF2m_193_mod;
group->meth->field_mul = &ec_GF2m_193_mul;
group->meth->field_sqr = &ec_GF2m_193_sqr;
return MP_OKAY;
}


@ -1,263 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ec2.h"
#include "mp_gf2m.h"
#include "mp_gf2m-priv.h"
#include "mpi.h"
#include "mpi-priv.h"
#include <stdlib.h>
/* Fast reduction for polynomials over a 233-bit curve. Assumes reduction
* polynomial with terms {233, 74, 0}. */
mp_err
ec_GF2m_233_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
{
mp_err res = MP_OKAY;
mp_digit *u, z;
if (a != r) {
MP_CHECKOK(mp_copy(a, r));
}
#ifdef ECL_SIXTY_FOUR_BIT
if (MP_USED(r) < 8) {
MP_CHECKOK(s_mp_pad(r, 8));
}
u = MP_DIGITS(r);
MP_USED(r) = 8;
/* u[7] only has 18 significant bits */
z = u[7];
u[4] ^= (z << 33) ^ (z >> 41);
u[3] ^= (z << 23);
z = u[6];
u[4] ^= (z >> 31);
u[3] ^= (z << 33) ^ (z >> 41);
u[2] ^= (z << 23);
z = u[5];
u[3] ^= (z >> 31);
u[2] ^= (z << 33) ^ (z >> 41);
u[1] ^= (z << 23);
z = u[4];
u[2] ^= (z >> 31);
u[1] ^= (z << 33) ^ (z >> 41);
u[0] ^= (z << 23);
z = u[3] >> 41; /* z only has 23 significant bits */
u[1] ^= (z << 10);
u[0] ^= z;
/* clear bits above 233 */
u[7] = u[6] = u[5] = u[4] = 0;
u[3] ^= z << 41;
#else
if (MP_USED(r) < 15) {
MP_CHECKOK(s_mp_pad(r, 15));
}
u = MP_DIGITS(r);
MP_USED(r) = 15;
/* u[14] only has 18 significant bits */
z = u[14];
u[9] ^= (z << 1);
u[7] ^= (z >> 9);
u[6] ^= (z << 23);
z = u[13];
u[9] ^= (z >> 31);
u[8] ^= (z << 1);
u[6] ^= (z >> 9);
u[5] ^= (z << 23);
z = u[12];
u[8] ^= (z >> 31);
u[7] ^= (z << 1);
u[5] ^= (z >> 9);
u[4] ^= (z << 23);
z = u[11];
u[7] ^= (z >> 31);
u[6] ^= (z << 1);
u[4] ^= (z >> 9);
u[3] ^= (z << 23);
z = u[10];
u[6] ^= (z >> 31);
u[5] ^= (z << 1);
u[3] ^= (z >> 9);
u[2] ^= (z << 23);
z = u[9];
u[5] ^= (z >> 31);
u[4] ^= (z << 1);
u[2] ^= (z >> 9);
u[1] ^= (z << 23);
z = u[8];
u[4] ^= (z >> 31);
u[3] ^= (z << 1);
u[1] ^= (z >> 9);
u[0] ^= (z << 23);
z = u[7] >> 9; /* z only has 23 significant bits */
u[3] ^= (z >> 22);
u[2] ^= (z << 10);
u[0] ^= z;
/* clear bits above 233 */
u[14] = u[13] = u[12] = u[11] = u[10] = u[9] = u[8] = 0;
u[7] ^= z << 9;
#endif
s_mp_clamp(r);
CLEANUP:
return res;
}
/* Fast squaring for polynomials over a 233-bit curve. Assumes reduction
* polynomial with terms {233, 74, 0}. */
mp_err
ec_GF2m_233_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
{
mp_err res = MP_OKAY;
mp_digit *u, *v;
v = MP_DIGITS(a);
#ifdef ECL_SIXTY_FOUR_BIT
if (MP_USED(a) < 4) {
return mp_bsqrmod(a, meth->irr_arr, r);
}
if (MP_USED(r) < 8) {
MP_CHECKOK(s_mp_pad(r, 8));
}
MP_USED(r) = 8;
#else
if (MP_USED(a) < 8) {
return mp_bsqrmod(a, meth->irr_arr, r);
}
if (MP_USED(r) < 15) {
MP_CHECKOK(s_mp_pad(r, 15));
}
MP_USED(r) = 15;
#endif
u = MP_DIGITS(r);
#ifdef ECL_THIRTY_TWO_BIT
u[14] = gf2m_SQR0(v[7]);
u[13] = gf2m_SQR1(v[6]);
u[12] = gf2m_SQR0(v[6]);
u[11] = gf2m_SQR1(v[5]);
u[10] = gf2m_SQR0(v[5]);
u[9] = gf2m_SQR1(v[4]);
u[8] = gf2m_SQR0(v[4]);
#endif
u[7] = gf2m_SQR1(v[3]);
u[6] = gf2m_SQR0(v[3]);
u[5] = gf2m_SQR1(v[2]);
u[4] = gf2m_SQR0(v[2]);
u[3] = gf2m_SQR1(v[1]);
u[2] = gf2m_SQR0(v[1]);
u[1] = gf2m_SQR1(v[0]);
u[0] = gf2m_SQR0(v[0]);
return ec_GF2m_233_mod(r, r, meth);
CLEANUP:
return res;
}
/* Fast multiplication for polynomials over a 233-bit curve. Assumes
* reduction polynomial with terms {233, 74, 0}. */
mp_err
ec_GF2m_233_mul(const mp_int *a, const mp_int *b, mp_int *r,
const GFMethod *meth)
{
mp_err res = MP_OKAY;
mp_digit a3 = 0, a2 = 0, a1 = 0, a0, b3 = 0, b2 = 0, b1 = 0, b0;
#ifdef ECL_THIRTY_TWO_BIT
mp_digit a7 = 0, a6 = 0, a5 = 0, a4 = 0, b7 = 0, b6 = 0, b5 = 0, b4 =
0;
mp_digit rm[8];
#endif
if (a == b) {
return ec_GF2m_233_sqr(a, r, meth);
} else {
switch (MP_USED(a)) {
#ifdef ECL_THIRTY_TWO_BIT
case 8:
a7 = MP_DIGIT(a, 7);
case 7:
a6 = MP_DIGIT(a, 6);
case 6:
a5 = MP_DIGIT(a, 5);
case 5:
a4 = MP_DIGIT(a, 4);
#endif
case 4:
a3 = MP_DIGIT(a, 3);
case 3:
a2 = MP_DIGIT(a, 2);
case 2:
a1 = MP_DIGIT(a, 1);
default:
a0 = MP_DIGIT(a, 0);
}
switch (MP_USED(b)) {
#ifdef ECL_THIRTY_TWO_BIT
case 8:
b7 = MP_DIGIT(b, 7);
case 7:
b6 = MP_DIGIT(b, 6);
case 6:
b5 = MP_DIGIT(b, 5);
case 5:
b4 = MP_DIGIT(b, 4);
#endif
case 4:
b3 = MP_DIGIT(b, 3);
case 3:
b2 = MP_DIGIT(b, 2);
case 2:
b1 = MP_DIGIT(b, 1);
default:
b0 = MP_DIGIT(b, 0);
}
#ifdef ECL_SIXTY_FOUR_BIT
MP_CHECKOK(s_mp_pad(r, 8));
s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);
MP_USED(r) = 8;
s_mp_clamp(r);
#else
MP_CHECKOK(s_mp_pad(r, 16));
s_bmul_4x4(MP_DIGITS(r) + 8, a7, a6, a5, a4, b7, b6, b5, b4);
s_bmul_4x4(MP_DIGITS(r), a3, a2, a1, a0, b3, b2, b1, b0);
s_bmul_4x4(rm, a7 ^ a3, a6 ^ a2, a5 ^ a1, a4 ^ a0, b7 ^ b3,
b6 ^ b2, b5 ^ b1, b4 ^ b0);
rm[7] ^= MP_DIGIT(r, 7) ^ MP_DIGIT(r, 15);
rm[6] ^= MP_DIGIT(r, 6) ^ MP_DIGIT(r, 14);
rm[5] ^= MP_DIGIT(r, 5) ^ MP_DIGIT(r, 13);
rm[4] ^= MP_DIGIT(r, 4) ^ MP_DIGIT(r, 12);
rm[3] ^= MP_DIGIT(r, 3) ^ MP_DIGIT(r, 11);
rm[2] ^= MP_DIGIT(r, 2) ^ MP_DIGIT(r, 10);
rm[1] ^= MP_DIGIT(r, 1) ^ MP_DIGIT(r, 9);
rm[0] ^= MP_DIGIT(r, 0) ^ MP_DIGIT(r, 8);
MP_DIGIT(r, 11) ^= rm[7];
MP_DIGIT(r, 10) ^= rm[6];
MP_DIGIT(r, 9) ^= rm[5];
MP_DIGIT(r, 8) ^= rm[4];
MP_DIGIT(r, 7) ^= rm[3];
MP_DIGIT(r, 6) ^= rm[2];
MP_DIGIT(r, 5) ^= rm[1];
MP_DIGIT(r, 4) ^= rm[0];
MP_USED(r) = 16;
s_mp_clamp(r);
#endif
return ec_GF2m_233_mod(r, r, meth);
}
CLEANUP:
return res;
}
/* Wire in fast field arithmetic for 233-bit curves. */
mp_err
ec_group_set_gf2m233(ECGroup *group, ECCurveName name)
{
group->meth->field_mod = &ec_GF2m_233_mod;
group->meth->field_mul = &ec_GF2m_233_mul;
group->meth->field_sqr = &ec_GF2m_233_sqr;
return MP_OKAY;
}


@ -1,298 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ec2.h"
#include "mplogic.h"
#include "mp_gf2m.h"
#include <stdlib.h>
/* Checks if point P(px, py) is at infinity. Uses affine coordinates. */
mp_err
ec_GF2m_pt_is_inf_aff(const mp_int *px, const mp_int *py)
{
if ((mp_cmp_z(px) == 0) && (mp_cmp_z(py) == 0)) {
return MP_YES;
} else {
return MP_NO;
}
}
/* Sets P(px, py) to be the point at infinity. Uses affine coordinates. */
mp_err
ec_GF2m_pt_set_inf_aff(mp_int *px, mp_int *py)
{
mp_zero(px);
mp_zero(py);
return MP_OKAY;
}
/* Computes R = P + Q based on IEEE P1363 A.10.2. Elliptic curve points P,
* Q, and R can all be identical. Uses affine coordinates. */
mp_err
ec_GF2m_pt_add_aff(const mp_int *px, const mp_int *py, const mp_int *qx,
const mp_int *qy, mp_int *rx, mp_int *ry,
const ECGroup *group)
{
mp_err res = MP_OKAY;
mp_int lambda, tempx, tempy;
MP_DIGITS(&lambda) = 0;
MP_DIGITS(&tempx) = 0;
MP_DIGITS(&tempy) = 0;
MP_CHECKOK(mp_init(&lambda));
MP_CHECKOK(mp_init(&tempx));
MP_CHECKOK(mp_init(&tempy));
/* if P = inf, then R = Q */
if (ec_GF2m_pt_is_inf_aff(px, py) == 0) {
MP_CHECKOK(mp_copy(qx, rx));
MP_CHECKOK(mp_copy(qy, ry));
res = MP_OKAY;
goto CLEANUP;
}
/* if Q = inf, then R = P */
if (ec_GF2m_pt_is_inf_aff(qx, qy) == 0) {
MP_CHECKOK(mp_copy(px, rx));
MP_CHECKOK(mp_copy(py, ry));
res = MP_OKAY;
goto CLEANUP;
}
/* if px != qx, then lambda = (py+qy) / (px+qx), tempx = a + lambda^2
* + lambda + px + qx */
if (mp_cmp(px, qx) != 0) {
MP_CHECKOK(group->meth->field_add(py, qy, &tempy, group->meth));
MP_CHECKOK(group->meth->field_add(px, qx, &tempx, group->meth));
MP_CHECKOK(group->meth->field_div(&tempy, &tempx, &lambda, group->meth));
MP_CHECKOK(group->meth->field_sqr(&lambda, &tempx, group->meth));
MP_CHECKOK(group->meth->field_add(&tempx, &lambda, &tempx, group->meth));
MP_CHECKOK(group->meth->field_add(&tempx, &group->curvea, &tempx, group->meth));
MP_CHECKOK(group->meth->field_add(&tempx, px, &tempx, group->meth));
MP_CHECKOK(group->meth->field_add(&tempx, qx, &tempx, group->meth));
} else {
/* if py != qy or qx = 0, then R = inf */
if (((mp_cmp(py, qy) != 0)) || (mp_cmp_z(qx) == 0)) {
mp_zero(rx);
mp_zero(ry);
res = MP_OKAY;
goto CLEANUP;
}
/* lambda = qx + qy / qx */
MP_CHECKOK(group->meth->field_div(qy, qx, &lambda, group->meth));
MP_CHECKOK(group->meth->field_add(&lambda, qx, &lambda, group->meth));
/* tempx = a + lambda^2 + lambda */
MP_CHECKOK(group->meth->field_sqr(&lambda, &tempx, group->meth));
MP_CHECKOK(group->meth->field_add(&tempx, &lambda, &tempx, group->meth));
MP_CHECKOK(group->meth->field_add(&tempx, &group->curvea, &tempx, group->meth));
}
/* ry = (qx + tempx) * lambda + tempx + qy */
MP_CHECKOK(group->meth->field_add(qx, &tempx, &tempy, group->meth));
MP_CHECKOK(group->meth->field_mul(&tempy, &lambda, &tempy, group->meth));
MP_CHECKOK(group->meth->field_add(&tempy, &tempx, &tempy, group->meth));
MP_CHECKOK(group->meth->field_add(&tempy, qy, ry, group->meth));
/* rx = tempx */
MP_CHECKOK(mp_copy(&tempx, rx));
CLEANUP:
mp_clear(&lambda);
mp_clear(&tempx);
mp_clear(&tempy);
return res;
}
/* Computes R = P - Q. Elliptic curve points P, Q, and R can all be
* identical. Uses affine coordinates. */
mp_err
ec_GF2m_pt_sub_aff(const mp_int *px, const mp_int *py, const mp_int *qx,
const mp_int *qy, mp_int *rx, mp_int *ry,
const ECGroup *group)
{
mp_err res = MP_OKAY;
mp_int nqy;
MP_DIGITS(&nqy) = 0;
MP_CHECKOK(mp_init(&nqy));
/* nqy = qx+qy */
MP_CHECKOK(group->meth->field_add(qx, qy, &nqy, group->meth));
MP_CHECKOK(group->point_add(px, py, qx, &nqy, rx, ry, group));
CLEANUP:
mp_clear(&nqy);
return res;
}
/* Computes R = 2P. Elliptic curve points P and R can be identical. Uses
* affine coordinates. */
mp_err
ec_GF2m_pt_dbl_aff(const mp_int *px, const mp_int *py, mp_int *rx,
mp_int *ry, const ECGroup *group)
{
return group->point_add(px, py, px, py, rx, ry, group);
}
/* by default, this routine is unused and thus doesn't need to be compiled */
#ifdef ECL_ENABLE_GF2M_PT_MUL_AFF
/* Computes R = nP based on IEEE P1363 A.10.3. Elliptic curve points P and
* R can be identical. Uses affine coordinates. */
mp_err
ec_GF2m_pt_mul_aff(const mp_int *n, const mp_int *px, const mp_int *py,
mp_int *rx, mp_int *ry, const ECGroup *group)
{
mp_err res = MP_OKAY;
mp_int k, k3, qx, qy, sx, sy;
int b1, b3, i, l;
MP_DIGITS(&k) = 0;
MP_DIGITS(&k3) = 0;
MP_DIGITS(&qx) = 0;
MP_DIGITS(&qy) = 0;
MP_DIGITS(&sx) = 0;
MP_DIGITS(&sy) = 0;
MP_CHECKOK(mp_init(&k));
MP_CHECKOK(mp_init(&k3));
MP_CHECKOK(mp_init(&qx));
MP_CHECKOK(mp_init(&qy));
MP_CHECKOK(mp_init(&sx));
MP_CHECKOK(mp_init(&sy));
/* if n = 0 then r = inf */
if (mp_cmp_z(n) == 0) {
mp_zero(rx);
mp_zero(ry);
res = MP_OKAY;
goto CLEANUP;
}
/* Q = P, k = n */
MP_CHECKOK(mp_copy(px, &qx));
MP_CHECKOK(mp_copy(py, &qy));
MP_CHECKOK(mp_copy(n, &k));
/* if n < 0 then Q = -Q, k = -k */
if (mp_cmp_z(n) < 0) {
MP_CHECKOK(group->meth->field_add(&qx, &qy, &qy, group->meth));
MP_CHECKOK(mp_neg(&k, &k));
}
#ifdef ECL_DEBUG /* basic double and add method */
l = mpl_significant_bits(&k) - 1;
MP_CHECKOK(mp_copy(&qx, &sx));
MP_CHECKOK(mp_copy(&qy, &sy));
for (i = l - 1; i >= 0; i--) {
/* S = 2S */
MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group));
/* if k_i = 1, then S = S + Q */
if (mpl_get_bit(&k, i) != 0) {
MP_CHECKOK(group->point_add(&sx, &sy, &qx, &qy, &sx, &sy, group));
}
}
#else /* double and add/subtract method from \
* standard */
/* k3 = 3 * k */
MP_CHECKOK(mp_set_int(&k3, 3));
MP_CHECKOK(mp_mul(&k, &k3, &k3));
/* S = Q */
MP_CHECKOK(mp_copy(&qx, &sx));
MP_CHECKOK(mp_copy(&qy, &sy));
/* l = index of high order bit in binary representation of 3*k */
l = mpl_significant_bits(&k3) - 1;
/* for i = l-1 downto 1 */
for (i = l - 1; i >= 1; i--) {
/* S = 2S */
MP_CHECKOK(group->point_dbl(&sx, &sy, &sx, &sy, group));
b3 = MP_GET_BIT(&k3, i);
b1 = MP_GET_BIT(&k, i);
/* if k3_i = 1 and k_i = 0, then S = S + Q */
if ((b3 == 1) && (b1 == 0)) {
MP_CHECKOK(group->point_add(&sx, &sy, &qx, &qy, &sx, &sy, group));
/* if k3_i = 0 and k_i = 1, then S = S - Q */
} else if ((b3 == 0) && (b1 == 1)) {
MP_CHECKOK(group->point_sub(&sx, &sy, &qx, &qy, &sx, &sy, group));
}
}
#endif
/* output S */
MP_CHECKOK(mp_copy(&sx, rx));
MP_CHECKOK(mp_copy(&sy, ry));
CLEANUP:
mp_clear(&k);
mp_clear(&k3);
mp_clear(&qx);
mp_clear(&qy);
mp_clear(&sx);
mp_clear(&sy);
return res;
}
#endif
/* Validates a point on a GF2m curve. */
mp_err
ec_GF2m_validate_point(const mp_int *px, const mp_int *py, const ECGroup *group)
{
mp_err res = MP_NO;
mp_int accl, accr, tmp, pxt, pyt;
MP_DIGITS(&accl) = 0;
MP_DIGITS(&accr) = 0;
MP_DIGITS(&tmp) = 0;
MP_DIGITS(&pxt) = 0;
MP_DIGITS(&pyt) = 0;
MP_CHECKOK(mp_init(&accl));
MP_CHECKOK(mp_init(&accr));
MP_CHECKOK(mp_init(&tmp));
MP_CHECKOK(mp_init(&pxt));
MP_CHECKOK(mp_init(&pyt));
/* 1: Verify that publicValue is not the point at infinity */
if (ec_GF2m_pt_is_inf_aff(px, py) == MP_YES) {
res = MP_NO;
goto CLEANUP;
}
/* 2: Verify that the coordinates of publicValue are elements
* of the field.
*/
if ((MP_SIGN(px) == MP_NEG) || (mp_cmp(px, &group->meth->irr) >= 0) ||
(MP_SIGN(py) == MP_NEG) || (mp_cmp(py, &group->meth->irr) >= 0)) {
res = MP_NO;
goto CLEANUP;
}
/* 3: Verify that publicValue is on the curve. */
if (group->meth->field_enc) {
group->meth->field_enc(px, &pxt, group->meth);
group->meth->field_enc(py, &pyt, group->meth);
} else {
mp_copy(px, &pxt);
mp_copy(py, &pyt);
}
/* left-hand side: y^2 + x*y */
MP_CHECKOK(group->meth->field_sqr(&pyt, &accl, group->meth));
MP_CHECKOK(group->meth->field_mul(&pxt, &pyt, &tmp, group->meth));
MP_CHECKOK(group->meth->field_add(&accl, &tmp, &accl, group->meth));
/* right-hand side: x^3 + a*x^2 + b */
MP_CHECKOK(group->meth->field_sqr(&pxt, &tmp, group->meth));
MP_CHECKOK(group->meth->field_mul(&pxt, &tmp, &accr, group->meth));
MP_CHECKOK(group->meth->field_mul(&group->curvea, &tmp, &tmp, group->meth));
MP_CHECKOK(group->meth->field_add(&tmp, &accr, &accr, group->meth));
MP_CHECKOK(group->meth->field_add(&accr, &group->curveb, &accr, group->meth));
/* check LHS - RHS == 0 */
MP_CHECKOK(group->meth->field_add(&accl, &accr, &accr, group->meth));
if (mp_cmp_z(&accr) != 0) {
res = MP_NO;
goto CLEANUP;
}
/* 4: Verify that the order of the curve times the publicValue
* is the point at infinity.
*/
MP_CHECKOK(ECPoint_mul(group, &group->order, px, py, &pxt, &pyt));
if (ec_GF2m_pt_is_inf_aff(&pxt, &pyt) != MP_YES) {
res = MP_NO;
goto CLEANUP;
}
res = MP_YES;
CLEANUP:
mp_clear(&accl);
mp_clear(&accr);
mp_clear(&tmp);
mp_clear(&pxt);
mp_clear(&pyt);
return res;
}


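--- a/[path-not-shown-on-page]
+++ b/[path-not-shown-on-page]
@@ -1,230 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
-* License, v. 2.0. If a copy of the MPL was not distributed with this
-* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "ec2.h"
-#include "mplogic.h"
-#include "mp_gf2m.h"
-#include <stdlib.h>
-/* Compute the x-coordinate x/z for the point 2*(x/z) in Montgomery
-* projective coordinates. Uses algorithm Mdouble in appendix of Lopez, J.
-* and Dahab, R. "Fast multiplication on elliptic curves over GF(2^m)
-* without precomputation". modified to not require precomputation of
-* c=b^{2^{m-1}}. */
-static mp_err
-gf2m_Mdouble(mp_int *x, mp_int *z, const ECGroup *group)
-{
-mp_err res = MP_OKAY;
-mp_int t1;
-MP_DIGITS(&t1) = 0;
-MP_CHECKOK(mp_init(&t1));
-MP_CHECKOK(group->meth->field_sqr(x, x, group->meth));
-MP_CHECKOK(group->meth->field_sqr(z, &t1, group->meth));
-MP_CHECKOK(group->meth->field_mul(x, &t1, z, group->meth));
-MP_CHECKOK(group->meth->field_sqr(x, x, group->meth));
-MP_CHECKOK(group->meth->field_sqr(&t1, &t1, group->meth));
-MP_CHECKOK(group->meth->field_mul(&group->curveb, &t1, &t1, group->meth));
-MP_CHECKOK(group->meth->field_add(x, &t1, x, group->meth));
-CLEANUP:
-mp_clear(&t1);
-return res;
-}
-/* Compute the x-coordinate x1/z1 for the point (x1/z1)+(x2/x2) in
-* Montgomery projective coordinates. Uses algorithm Madd in appendix of
-* Lopex, J. and Dahab, R. "Fast multiplication on elliptic curves over
-* GF(2^m) without precomputation". */
-static mp_err
-gf2m_Madd(const mp_int *x, mp_int *x1, mp_int *z1, mp_int *x2, mp_int *z2,
-const ECGroup *group)
-{
-mp_err res = MP_OKAY;
-mp_int t1, t2;
-MP_DIGITS(&t1) = 0;
-MP_DIGITS(&t2) = 0;
-MP_CHECKOK(mp_init(&t1));
-MP_CHECKOK(mp_init(&t2));
-MP_CHECKOK(mp_copy(x, &t1));
-MP_CHECKOK(group->meth->field_mul(x1, z2, x1, group->meth));
-MP_CHECKOK(group->meth->field_mul(z1, x2, z1, group->meth));
-MP_CHECKOK(group->meth->field_mul(x1, z1, &t2, group->meth));
-MP_CHECKOK(group->meth->field_add(z1, x1, z1, group->meth));
-MP_CHECKOK(group->meth->field_sqr(z1, z1, group->meth));
-MP_CHECKOK(group->meth->field_mul(z1, &t1, x1, group->meth));
-MP_CHECKOK(group->meth->field_add(x1, &t2, x1, group->meth));
-CLEANUP:
-mp_clear(&t1);
-mp_clear(&t2);
-return res;
-}
-/* Compute the x, y affine coordinates from the point (x1, z1) (x2, z2)
-* using Montgomery point multiplication algorithm Mxy() in appendix of
-* Lopex, J. and Dahab, R. "Fast multiplication on elliptic curves over
-* GF(2^m) without precomputation". Returns: 0 on error 1 if return value
-* should be the point at infinity 2 otherwise */
-static int
-gf2m_Mxy(const mp_int *x, const mp_int *y, mp_int *x1, mp_int *z1,
-mp_int *x2, mp_int *z2, const ECGroup *group)
-{
-mp_err res = MP_OKAY;
-int ret = 0;
-mp_int t3, t4, t5;
-MP_DIGITS(&t3) = 0;
-MP_DIGITS(&t4) = 0;
-MP_DIGITS(&t5) = 0;
-MP_CHECKOK(mp_init(&t3));
-MP_CHECKOK(mp_init(&t4));
-MP_CHECKOK(mp_init(&t5));
-if (mp_cmp_z(z1) == 0) {
-mp_zero(x2);
-mp_zero(z2);
-ret = 1;
-goto CLEANUP;
-}
-if (mp_cmp_z(z2) == 0) {
-MP_CHECKOK(mp_copy(x, x2));
-MP_CHECKOK(group->meth->field_add(x, y, z2, group->meth));
-ret = 2;
-goto CLEANUP;
-}
-MP_CHECKOK(mp_set_int(&t5, 1));
-if (group->meth->field_enc) {
-MP_CHECKOK(group->meth->field_enc(&t5, &t5, group->meth));
-}
-MP_CHECKOK(group->meth->field_mul(z1, z2, &t3, group->meth));
-MP_CHECKOK(group->meth->field_mul(z1, x, z1, group->meth));
-MP_CHECKOK(group->meth->field_add(z1, x1, z1, group->meth));
-MP_CHECKOK(group->meth->field_mul(z2, x, z2, group->meth));
-MP_CHECKOK(group->meth->field_mul(z2, x1, x1, group->meth));
-MP_CHECKOK(group->meth->field_add(z2, x2, z2, group->meth));
-MP_CHECKOK(group->meth->field_mul(z2, z1, z2, group->meth));
-MP_CHECKOK(group->meth->field_sqr(x, &t4, group->meth));
-MP_CHECKOK(group->meth->field_add(&t4, y, &t4, group->meth));
-MP_CHECKOK(group->meth->field_mul(&t4, &t3, &t4, group->meth));
-MP_CHECKOK(group->meth->field_add(&t4, z2, &t4, group->meth));
-MP_CHECKOK(group->meth->field_mul(&t3, x, &t3, group->meth));
-MP_CHECKOK(group->meth->field_div(&t5, &t3, &t3, group->meth));
-MP_CHECKOK(group->meth->field_mul(&t3, &t4, &t4, group->meth));
-MP_CHECKOK(group->meth->field_mul(x1, &t3, x2, group->meth));
-MP_CHECKOK(group->meth->field_add(x2, x, z2, group->meth));
-MP_CHECKOK(group->meth->field_mul(z2, &t4, z2, group->meth));
-MP_CHECKOK(group->meth->field_add(z2, y, z2, group->meth));
-ret = 2;
-CLEANUP:
-mp_clear(&t3);
-mp_clear(&t4);
-mp_clear(&t5);
-if (res == MP_OKAY) {
-return ret;
-} else {
-return 0;
-}
-}
-/* Computes R = nP based on algorithm 2P of Lopex, J. and Dahab, R. "Fast
-* multiplication on elliptic curves over GF(2^m) without
-* precomputation". Elliptic curve points P and R can be identical. Uses
-* Montgomery projective coordinates. */
-mp_err
-ec_GF2m_pt_mul_mont(const mp_int *n, const mp_int *px, const mp_int *py,
-mp_int *rx, mp_int *ry, const ECGroup *group)
-{
-mp_err res = MP_OKAY;
-mp_int x1, x2, z1, z2;
-int i, j;
-mp_digit top_bit, mask;
-MP_DIGITS(&x1) = 0;
-MP_DIGITS(&x2) = 0;
-MP_DIGITS(&z1) = 0;
-MP_DIGITS(&z2) = 0;
-MP_CHECKOK(mp_init(&x1));
-MP_CHECKOK(mp_init(&x2));
-MP_CHECKOK(mp_init(&z1));
-MP_CHECKOK(mp_init(&z2));
-/* if result should be point at infinity */
-if ((mp_cmp_z(n) == 0) || (ec_GF2m_pt_is_inf_aff(px, py) == MP_YES)) {
-MP_CHECKOK(ec_GF2m_pt_set_inf_aff(rx, ry));
-goto CLEANUP;
-}
-MP_CHECKOK(mp_copy(px, &x1)); /* x1 = px */
-MP_CHECKOK(mp_set_int(&z1, 1)); /* z1 = 1 */
-MP_CHECKOK(group->meth->field_sqr(&x1, &z2, group->meth)); /* z2 = x1^2 = px^2 */
-MP_CHECKOK(group->meth->field_sqr(&z2, &x2, group->meth));
-MP_CHECKOK(group->meth->field_add(&x2, &group->curveb, &x2, group->meth)); /* x2 = px^4 + b */
-/* find top-most bit and go one past it */
-i = MP_USED(n) - 1;
-j = MP_DIGIT_BIT - 1;
-top_bit = 1;
-top_bit <<= MP_DIGIT_BIT - 1;
-mask = top_bit;
-while (!(MP_DIGITS(n)[i] & mask)) {
-mask >>= 1;
-j--;
-}
-mask >>= 1;
-j--;
-/* if top most bit was at word break, go to next word */
-if (!mask) {
-i--;
-j = MP_DIGIT_BIT - 1;
-mask = top_bit;
-}
-for (; i >= 0; i--) {
-for (; j >= 0; j--) {
-if (MP_DIGITS(n)[i] & mask) {
-MP_CHECKOK(gf2m_Madd(px, &x1, &z1, &x2, &z2, group));
-MP_CHECKOK(gf2m_Mdouble(&x2, &z2, group));
-} else {
-MP_CHECKOK(gf2m_Madd(px, &x2, &z2, &x1, &z1, group));
-MP_CHECKOK(gf2m_Mdouble(&x1, &z1, group));
-}
-mask >>= 1;
-}
-j = MP_DIGIT_BIT - 1;
-mask = top_bit;
-}
-/* convert out of "projective" coordinates */
-i = gf2m_Mxy(px, py, &x1, &z1, &x2, &z2, group);
-if (i == 0) {
-res = MP_BADARG;
-goto CLEANUP;
-} else if (i == 1) {
-MP_CHECKOK(ec_GF2m_pt_set_inf_aff(rx, ry));
-} else {
-MP_CHECKOK(mp_copy(&x2, rx));
-MP_CHECKOK(mp_copy(&z2, ry));
-}
-CLEANUP:
-mp_clear(&x1);
-mp_clear(&x2);
-mp_clear(&z1);
-mp_clear(&z2);
-return res;
-}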


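--- a/[path-not-shown-on-page]
+++ b/[path-not-shown-on-page]
@@ -1,328 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
-* License, v. 2.0. If a copy of the MPL was not distributed with this
-* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "ec2.h"
-#include "mplogic.h"
-#include "mp_gf2m.h"
-#include <stdlib.h>
-#ifdef ECL_DEBUG
-#include <assert.h>
-#endif
-/* by default, these routines are unused and thus don't need to be compiled */
-#ifdef ECL_ENABLE_GF2M_PROJ
-/* Converts a point P(px, py) from affine coordinates to projective
-* coordinates R(rx, ry, rz). Assumes input is already field-encoded using
-* field_enc, and returns output that is still field-encoded. */
-mp_err
-ec_GF2m_pt_aff2proj(const mp_int *px, const mp_int *py, mp_int *rx,
-mp_int *ry, mp_int *rz, const ECGroup *group)
-{
-mp_err res = MP_OKAY;
-MP_CHECKOK(mp_copy(px, rx));
-MP_CHECKOK(mp_copy(py, ry));
-MP_CHECKOK(mp_set_int(rz, 1));
-if (group->meth->field_enc) {
-MP_CHECKOK(group->meth->field_enc(rz, rz, group->meth));
-}
-CLEANUP:
-return res;
-}
-/* Converts a point P(px, py, pz) from projective coordinates to affine
-* coordinates R(rx, ry). P and R can share x and y coordinates. Assumes
-* input is already field-encoded using field_enc, and returns output that
-* is still field-encoded. */
-mp_err
-ec_GF2m_pt_proj2aff(const mp_int *px, const mp_int *py, const mp_int *pz,
-mp_int *rx, mp_int *ry, const ECGroup *group)
-{
-mp_err res = MP_OKAY;
-mp_int z1, z2;
-MP_DIGITS(&z1) = 0;
-MP_DIGITS(&z2) = 0;
-MP_CHECKOK(mp_init(&z1));
-MP_CHECKOK(mp_init(&z2));
-/* if point at infinity, then set point at infinity and exit */
-if (ec_GF2m_pt_is_inf_proj(px, py, pz) == MP_YES) {
-MP_CHECKOK(ec_GF2m_pt_set_inf_aff(rx, ry));
-goto CLEANUP;
-}
-/* transform (px, py, pz) into (px / pz, py / pz^2) */
-if (mp_cmp_d(pz, 1) == 0) {
-MP_CHECKOK(mp_copy(px, rx));
-MP_CHECKOK(mp_copy(py, ry));
-} else {
-MP_CHECKOK(group->meth->field_div(NULL, pz, &z1, group->meth));
-MP_CHECKOK(group->meth->field_sqr(&z1, &z2, group->meth));
-MP_CHECKOK(group->meth->field_mul(px, &z1, rx, group->meth));
-MP_CHECKOK(group->meth->field_mul(py, &z2, ry, group->meth));
-}
-CLEANUP:
-mp_clear(&z1);
-mp_clear(&z2);
-return res;
-}
-/* Checks if point P(px, py, pz) is at infinity. Uses projective
-* coordinates. */
-mp_err
-ec_GF2m_pt_is_inf_proj(const mp_int *px, const mp_int *py,
-const mp_int *pz)
-{
-return mp_cmp_z(pz);
-}
-/* Sets P(px, py, pz) to be the point at infinity. Uses projective
-* coordinates. */
-mp_err
-ec_GF2m_pt_set_inf_proj(mp_int *px, mp_int *py, mp_int *pz)
-{
-mp_zero(pz);
-return MP_OKAY;
-}
-/* Computes R = P + Q where R is (rx, ry, rz), P is (px, py, pz) and Q is
-* (qx, qy, 1). Elliptic curve points P, Q, and R can all be identical.
-* Uses mixed projective-affine coordinates. Assumes input is already
-* field-encoded using field_enc, and returns output that is still
-* field-encoded. Uses equation (3) from Hankerson, Hernandez, Menezes.
-* Software Implementation of Elliptic Curve Cryptography Over Binary
-* Fields. */
-mp_err
-ec_GF2m_pt_add_proj(const mp_int *px, const mp_int *py, const mp_int *pz,
-const mp_int *qx, const mp_int *qy, mp_int *rx,
-mp_int *ry, mp_int *rz, const ECGroup *group)
-{
-mp_err res = MP_OKAY;
-mp_int A, B, C, D, E, F, G;
-/* If either P or Q is the point at infinity, then return the other
-* point */
-if (ec_GF2m_pt_is_inf_proj(px, py, pz) == MP_YES) {
-return ec_GF2m_pt_aff2proj(qx, qy, rx, ry, rz, group);
-}
-if (ec_GF2m_pt_is_inf_aff(qx, qy) == MP_YES) {
-MP_CHECKOK(mp_copy(px, rx));
-MP_CHECKOK(mp_copy(py, ry));
-return mp_copy(pz, rz);
-}
-MP_DIGITS(&A) = 0;
-MP_DIGITS(&B) = 0;
-MP_DIGITS(&C) = 0;
-MP_DIGITS(&D) = 0;
-MP_DIGITS(&E) = 0;
-MP_DIGITS(&F) = 0;
-MP_DIGITS(&G) = 0;
-MP_CHECKOK(mp_init(&A));
-MP_CHECKOK(mp_init(&B));
-MP_CHECKOK(mp_init(&C));
-MP_CHECKOK(mp_init(&D));
-MP_CHECKOK(mp_init(&E));
-MP_CHECKOK(mp_init(&F));
-MP_CHECKOK(mp_init(&G));
-/* D = pz^2 */
-MP_CHECKOK(group->meth->field_sqr(pz, &D, group->meth));
-/* A = qy * pz^2 + py */
-MP_CHECKOK(group->meth->field_mul(qy, &D, &A, group->meth));
-MP_CHECKOK(group->meth->field_add(&A, py, &A, group->meth));
-/* B = qx * pz + px */
-MP_CHECKOK(group->meth->field_mul(qx, pz, &B, group->meth));
-MP_CHECKOK(group->meth->field_add(&B, px, &B, group->meth));
-/* C = pz * B */
-MP_CHECKOK(group->meth->field_mul(pz, &B, &C, group->meth));
-/* D = B^2 * (C + a * pz^2) (using E as a temporary variable) */
-MP_CHECKOK(group->meth->field_mul(&group->curvea, &D, &D, group->meth));
-MP_CHECKOK(group->meth->field_add(&C, &D, &D, group->meth));
-MP_CHECKOK(group->meth->field_sqr(&B, &E, group->meth));
-MP_CHECKOK(group->meth->field_mul(&E, &D, &D, group->meth));
-/* rz = C^2 */
-MP_CHECKOK(group->meth->field_sqr(&C, rz, group->meth));
-/* E = A * C */
-MP_CHECKOK(group->meth->field_mul(&A, &C, &E, group->meth));
-/* rx = A^2 + D + E */
-MP_CHECKOK(group->meth->field_sqr(&A, rx, group->meth));
-MP_CHECKOK(group->meth->field_add(rx, &D, rx, group->meth));
-MP_CHECKOK(group->meth->field_add(rx, &E, rx, group->meth));
-/* F = rx + qx * rz */
-MP_CHECKOK(group->meth->field_mul(qx, rz, &F, group->meth));
-MP_CHECKOK(group->meth->field_add(rx, &F, &F, group->meth));
-/* G = rx + qy * rz */
-MP_CHECKOK(group->meth->field_mul(qy, rz, &G, group->meth));
-MP_CHECKOK(group->meth->field_add(rx, &G, &G, group->meth));
-/* ry = E * F + rz * G (using G as a temporary variable) */
-MP_CHECKOK(group->meth->field_mul(rz, &G, &G, group->meth));
-MP_CHECKOK(group->meth->field_mul(&E, &F, ry, group->meth));
-MP_CHECKOK(group->meth->field_add(ry, &G, ry, group->meth));
-CLEANUP:
-mp_clear(&A);
-mp_clear(&B);
-mp_clear(&C);
-mp_clear(&D);
-mp_clear(&E);
-mp_clear(&F);
-mp_clear(&G);
-return res;
-}
-/* Computes R = 2P. Elliptic curve points P and R can be identical. Uses
-* projective coordinates.
-*
-* Assumes input is already field-encoded using field_enc, and returns
-* output that is still field-encoded.
-*
-* Uses equation (3) from Hankerson, Hernandez, Menezes. Software
-* Implementation of Elliptic Curve Cryptography Over Binary Fields.
-*/
-mp_err
-ec_GF2m_pt_dbl_proj(const mp_int *px, const mp_int *py, const mp_int *pz,
-mp_int *rx, mp_int *ry, mp_int *rz,
-const ECGroup *group)
-{
-mp_err res = MP_OKAY;
-mp_int t0, t1;
-if (ec_GF2m_pt_is_inf_proj(px, py, pz) == MP_YES) {
-return ec_GF2m_pt_set_inf_proj(rx, ry, rz);
-}
-MP_DIGITS(&t0) = 0;
-MP_DIGITS(&t1) = 0;
-MP_CHECKOK(mp_init(&t0));
-MP_CHECKOK(mp_init(&t1));
-/* t0 = px^2 */
-/* t1 = pz^2 */
-MP_CHECKOK(group->meth->field_sqr(px, &t0, group->meth));
-MP_CHECKOK(group->meth->field_sqr(pz, &t1, group->meth));
-/* rz = px^2 * pz^2 */
-MP_CHECKOK(group->meth->field_mul(&t0, &t1, rz, group->meth));
-/* t0 = px^4 */
-/* t1 = b * pz^4 */
-MP_CHECKOK(group->meth->field_sqr(&t0, &t0, group->meth));
-MP_CHECKOK(group->meth->field_sqr(&t1, &t1, group->meth));
-MP_CHECKOK(group->meth->field_mul(&group->curveb, &t1, &t1, group->meth));
-/* rx = px^4 + b * pz^4 */
-MP_CHECKOK(group->meth->field_add(&t0, &t1, rx, group->meth));
-/* ry = b * pz^4 * rz + rx * (a * rz + py^2 + b * pz^4) */
-MP_CHECKOK(group->meth->field_sqr(py, ry, group->meth));
-MP_CHECKOK(group->meth->field_add(ry, &t1, ry, group->meth));
-/* t0 = a * rz */
-MP_CHECKOK(group->meth->field_mul(&group->curvea, rz, &t0, group->meth));
-MP_CHECKOK(group->meth->field_add(&t0, ry, ry, group->meth));
-MP_CHECKOK(group->meth->field_mul(rx, ry, ry, group->meth));
-/* t1 = b * pz^4 * rz */
-MP_CHECKOK(group->meth->field_mul(&t1, rz, &t1, group->meth));
-MP_CHECKOK(group->meth->field_add(&t1, ry, ry, group->meth));
-CLEANUP:
-mp_clear(&t0);
-mp_clear(&t1);
-return res;
-}
-/* Computes R = nP where R is (rx, ry) and P is (px, py). The parameters
-* a, b and p are the elliptic curve coefficients and the prime that
-* determines the field GF2m. Elliptic curve points P and R can be
-* identical. Uses mixed projective-affine coordinates. Assumes input is
-* already field-encoded using field_enc, and returns output that is still
-* field-encoded. Uses 4-bit window method. */
-mp_err
-ec_GF2m_pt_mul_proj(const mp_int *n, const mp_int *px, const mp_int *py,
-mp_int *rx, mp_int *ry, const ECGroup *group)
-{
-mp_err res = MP_OKAY;
-mp_int precomp[16][2], rz;
-mp_digit precomp_arr[ECL_MAX_FIELD_SIZE_DIGITS * 16 * 2], *t;
-int i, ni, d;
-ARGCHK(group != NULL, MP_BADARG);
-ARGCHK((n != NULL) && (px != NULL) && (py != NULL), MP_BADARG);
-/* initialize precomputation table */
-t = precomp_arr;
-for (i = 0; i < 16; i++) {
-/* x co-ord */
-MP_SIGN(&precomp[i][0]) = MP_ZPOS;
-MP_ALLOC(&precomp[i][0]) = ECL_MAX_FIELD_SIZE_DIGITS;
-MP_USED(&precomp[i][0]) = 1;
-*t = 0;
-MP_DIGITS(&precomp[i][0]) = t;
-t += ECL_MAX_FIELD_SIZE_DIGITS;
-/* y co-ord */
-MP_SIGN(&precomp[i][1]) = MP_ZPOS;
-MP_ALLOC(&precomp[i][1]) = ECL_MAX_FIELD_SIZE_DIGITS;
-MP_USED(&precomp[i][1]) = 1;
-*t = 0;
-MP_DIGITS(&precomp[i][1]) = t;
-t += ECL_MAX_FIELD_SIZE_DIGITS;
-}
-/* fill precomputation table */
-mp_zero(&precomp[0][0]);
-mp_zero(&precomp[0][1]);
-MP_CHECKOK(mp_copy(px, &precomp[1][0]));
-MP_CHECKOK(mp_copy(py, &precomp[1][1]));
-for (i = 2; i < 16; i++) {
-MP_CHECKOK(group->point_add(&precomp[1][0], &precomp[1][1],
-&precomp[i - 1][0], &precomp[i - 1][1],
-&precomp[i][0], &precomp[i][1], group));
-}
-d = (mpl_significant_bits(n) + 3) / 4;
-/* R = inf */
-MP_DIGITS(&rz) = 0;
-MP_CHECKOK(mp_init(&rz));
-MP_CHECKOK(ec_GF2m_pt_set_inf_proj(rx, ry, &rz));
-for (i = d - 1; i >= 0; i--) {
-/* compute window ni */
-ni = MP_GET_BIT(n, 4 * i + 3);
-ni <<= 1;
-ni |= MP_GET_BIT(n, 4 * i + 2);
-ni <<= 1;
-ni |= MP_GET_BIT(n, 4 * i + 1);
-ni <<= 1;
-ni |= MP_GET_BIT(n, 4 * i);
-/* R = 2^4 * R */
-MP_CHECKOK(ec_GF2m_pt_dbl_proj(rx, ry, &rz, rx, ry, &rz, group));
-MP_CHECKOK(ec_GF2m_pt_dbl_proj(rx, ry, &rz, rx, ry, &rz, group));
-MP_CHECKOK(ec_GF2m_pt_dbl_proj(rx, ry, &rz, rx, ry, &rz, group));
-MP_CHECKOK(ec_GF2m_pt_dbl_proj(rx, ry, &rz, rx, ry, &rz, group));
-/* R = R + (ni * P) */
-MP_CHECKOK(ec_GF2m_pt_add_proj(rx, ry, &rz, &precomp[ni][0], &precomp[ni][1], rx, ry,
-&rz, group));
-}
-/* convert result S to affine coordinates */
-MP_CHECKOK(ec_GF2m_pt_proj2aff(rx, ry, &rz, rx, ry, group));
-CLEANUP:
-mp_clear(&rz);
-return res;
-}
-#endif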


@ -8,10 +8,6 @@
#ifndef __ecl_curve_h_
#define __ecl_curve_h_
#ifdef NSS_ECC_MORE_THAN_SUITE_B
#error This source file is for Basic ECC only .
#endif
/* copied from certt.h */
#define KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
#define KU_KEY_AGREEMENT (0x08) /* bit 4 */


@ -35,81 +35,81 @@ typedef enum {
ECCurve_noName = 0,
/* NIST prime curves */
ECCurve_NIST_P192,
ECCurve_NIST_P224,
ECCurve_NIST_P192, /* not supported */
ECCurve_NIST_P224, /* not supported */
ECCurve_NIST_P256,
ECCurve_NIST_P384,
ECCurve_NIST_P521,
/* NIST binary curves */
ECCurve_NIST_K163,
ECCurve_NIST_B163,
ECCurve_NIST_K233,
ECCurve_NIST_B233,
ECCurve_NIST_K283,
ECCurve_NIST_B283,
ECCurve_NIST_K409,
ECCurve_NIST_B409,
ECCurve_NIST_K571,
ECCurve_NIST_B571,
ECCurve_NIST_K163, /* not supported */
ECCurve_NIST_B163, /* not supported */
ECCurve_NIST_K233, /* not supported */
ECCurve_NIST_B233, /* not supported */
ECCurve_NIST_K283, /* not supported */
ECCurve_NIST_B283, /* not supported */
ECCurve_NIST_K409, /* not supported */
ECCurve_NIST_B409, /* not supported */
ECCurve_NIST_K571, /* not supported */
ECCurve_NIST_B571, /* not supported */
/* ANSI X9.62 prime curves */
/* ECCurve_X9_62_PRIME_192V1 == ECCurve_NIST_P192 */
ECCurve_X9_62_PRIME_192V2,
ECCurve_X9_62_PRIME_192V3,
ECCurve_X9_62_PRIME_239V1,
ECCurve_X9_62_PRIME_239V2,
ECCurve_X9_62_PRIME_239V3,
ECCurve_X9_62_PRIME_192V2, /* not supported */
ECCurve_X9_62_PRIME_192V3, /* not supported */
ECCurve_X9_62_PRIME_239V1, /* not supported */
ECCurve_X9_62_PRIME_239V2, /* not supported */
ECCurve_X9_62_PRIME_239V3, /* not supported */
/* ECCurve_X9_62_PRIME_256V1 == ECCurve_NIST_P256 */
/* ANSI X9.62 binary curves */
ECCurve_X9_62_CHAR2_PNB163V1,
ECCurve_X9_62_CHAR2_PNB163V2,
ECCurve_X9_62_CHAR2_PNB163V3,
ECCurve_X9_62_CHAR2_PNB176V1,
ECCurve_X9_62_CHAR2_TNB191V1,
ECCurve_X9_62_CHAR2_TNB191V2,
ECCurve_X9_62_CHAR2_TNB191V3,
ECCurve_X9_62_CHAR2_PNB208W1,
ECCurve_X9_62_CHAR2_TNB239V1,
ECCurve_X9_62_CHAR2_TNB239V2,
ECCurve_X9_62_CHAR2_TNB239V3,
ECCurve_X9_62_CHAR2_PNB272W1,
ECCurve_X9_62_CHAR2_PNB304W1,
ECCurve_X9_62_CHAR2_TNB359V1,
ECCurve_X9_62_CHAR2_PNB368W1,
ECCurve_X9_62_CHAR2_TNB431R1,
ECCurve_X9_62_CHAR2_PNB163V1, /* not supported */
ECCurve_X9_62_CHAR2_PNB163V2, /* not supported */
ECCurve_X9_62_CHAR2_PNB163V3, /* not supported */
ECCurve_X9_62_CHAR2_PNB176V1, /* not supported */
ECCurve_X9_62_CHAR2_TNB191V1, /* not supported */
ECCurve_X9_62_CHAR2_TNB191V2, /* not supported */
ECCurve_X9_62_CHAR2_TNB191V3, /* not supported */
ECCurve_X9_62_CHAR2_PNB208W1, /* not supported */
ECCurve_X9_62_CHAR2_TNB239V1, /* not supported */
ECCurve_X9_62_CHAR2_TNB239V2, /* not supported */
ECCurve_X9_62_CHAR2_TNB239V3, /* not supported */
ECCurve_X9_62_CHAR2_PNB272W1, /* not supported */
ECCurve_X9_62_CHAR2_PNB304W1, /* not supported */
ECCurve_X9_62_CHAR2_TNB359V1, /* not supported */
ECCurve_X9_62_CHAR2_PNB368W1, /* not supported */
ECCurve_X9_62_CHAR2_TNB431R1, /* not supported */
/* SEC2 prime curves */
ECCurve_SECG_PRIME_112R1,
ECCurve_SECG_PRIME_112R2,
ECCurve_SECG_PRIME_128R1,
ECCurve_SECG_PRIME_128R2,
ECCurve_SECG_PRIME_160K1,
ECCurve_SECG_PRIME_160R1,
ECCurve_SECG_PRIME_160R2,
ECCurve_SECG_PRIME_192K1,
ECCurve_SECG_PRIME_112R1, /* not supported */
ECCurve_SECG_PRIME_112R2, /* not supported */
ECCurve_SECG_PRIME_128R1, /* not supported */
ECCurve_SECG_PRIME_128R2, /* not supported */
ECCurve_SECG_PRIME_160K1, /* not supported */
ECCurve_SECG_PRIME_160R1, /* not supported */
ECCurve_SECG_PRIME_160R2, /* not supported */
ECCurve_SECG_PRIME_192K1, /* not supported */
/* ECCurve_SECG_PRIME_192R1 == ECCurve_NIST_P192 */
ECCurve_SECG_PRIME_224K1,
ECCurve_SECG_PRIME_224K1, /* not supported */
/* ECCurve_SECG_PRIME_224R1 == ECCurve_NIST_P224 */
ECCurve_SECG_PRIME_256K1,
ECCurve_SECG_PRIME_256K1, /* not supported */
/* ECCurve_SECG_PRIME_256R1 == ECCurve_NIST_P256 */
/* ECCurve_SECG_PRIME_384R1 == ECCurve_NIST_P384 */
/* ECCurve_SECG_PRIME_521R1 == ECCurve_NIST_P521 */
/* SEC2 binary curves */
ECCurve_SECG_CHAR2_113R1,
ECCurve_SECG_CHAR2_113R2,
ECCurve_SECG_CHAR2_131R1,
ECCurve_SECG_CHAR2_131R2,
ECCurve_SECG_CHAR2_113R1, /* not supported */
ECCurve_SECG_CHAR2_113R2, /* not supported */
ECCurve_SECG_CHAR2_131R1, /* not supported */
ECCurve_SECG_CHAR2_131R2, /* not supported */
/* ECCurve_SECG_CHAR2_163K1 == ECCurve_NIST_K163 */
ECCurve_SECG_CHAR2_163R1,
ECCurve_SECG_CHAR2_163R1, /* not supported */
/* ECCurve_SECG_CHAR2_163R2 == ECCurve_NIST_B163 */
ECCurve_SECG_CHAR2_193R1,
ECCurve_SECG_CHAR2_193R2,
ECCurve_SECG_CHAR2_193R1, /* not supported */
ECCurve_SECG_CHAR2_193R2, /* not supported */
/* ECCurve_SECG_CHAR2_233K1 == ECCurve_NIST_K233 */
/* ECCurve_SECG_CHAR2_233R1 == ECCurve_NIST_B233 */
ECCurve_SECG_CHAR2_239K1,
ECCurve_SECG_CHAR2_239K1, /* not supported */
/* ECCurve_SECG_CHAR2_283K1 == ECCurve_NIST_K283 */
/* ECCurve_SECG_CHAR2_283R1 == ECCurve_NIST_B283 */
/* ECCurve_SECG_CHAR2_409K1 == ECCurve_NIST_K409 */
@ -118,15 +118,15 @@ typedef enum {
/* ECCurve_SECG_CHAR2_571R1 == ECCurve_NIST_B571 */
/* WTLS curves */
ECCurve_WTLS_1,
ECCurve_WTLS_1, /* not supported */
/* there is no WTLS 2 curve */
/* ECCurve_WTLS_3 == ECCurve_NIST_K163 */
/* ECCurve_WTLS_4 == ECCurve_SECG_CHAR2_113R1 */
/* ECCurve_WTLS_5 == ECCurve_X9_62_CHAR2_PNB163V1 */
/* ECCurve_WTLS_6 == ECCurve_SECG_PRIME_112R1 */
/* ECCurve_WTLS_7 == ECCurve_SECG_PRIME_160R1 */
ECCurve_WTLS_8,
ECCurve_WTLS_9,
ECCurve_WTLS_8, /* not supported */
ECCurve_WTLS_9, /* not supported */
/* ECCurve_WTLS_10 == ECCurve_NIST_K233 */
/* ECCurve_WTLS_11 == ECCurve_NIST_B233 */
/* ECCurve_WTLS_12 == ECCurve_NIST_P224 */
@ -138,30 +138,30 @@ typedef enum {
/* Aliased named curves */
#define ECCurve_X9_62_PRIME_192V1 ECCurve_NIST_P192
#define ECCurve_X9_62_PRIME_192V1 ECCurve_NIST_P192 /* not supported */
#define ECCurve_X9_62_PRIME_256V1 ECCurve_NIST_P256
#define ECCurve_SECG_PRIME_192R1 ECCurve_NIST_P192
#define ECCurve_SECG_PRIME_224R1 ECCurve_NIST_P224
#define ECCurve_SECG_PRIME_192R1 ECCurve_NIST_P192 /* not supported */
#define ECCurve_SECG_PRIME_224R1 ECCurve_NIST_P224 /* not supported */
#define ECCurve_SECG_PRIME_256R1 ECCurve_NIST_P256
#define ECCurve_SECG_PRIME_384R1 ECCurve_NIST_P384
#define ECCurve_SECG_PRIME_521R1 ECCurve_NIST_P521
#define ECCurve_SECG_CHAR2_163K1 ECCurve_NIST_K163
#define ECCurve_SECG_CHAR2_163R2 ECCurve_NIST_B163
#define ECCurve_SECG_CHAR2_233K1 ECCurve_NIST_K233
#define ECCurve_SECG_CHAR2_233R1 ECCurve_NIST_B233
#define ECCurve_SECG_CHAR2_283K1 ECCurve_NIST_K283
#define ECCurve_SECG_CHAR2_283R1 ECCurve_NIST_B283
#define ECCurve_SECG_CHAR2_409K1 ECCurve_NIST_K409
#define ECCurve_SECG_CHAR2_409R1 ECCurve_NIST_B409
#define ECCurve_SECG_CHAR2_571K1 ECCurve_NIST_K571
#define ECCurve_SECG_CHAR2_571R1 ECCurve_NIST_B571
#define ECCurve_WTLS_3 ECCurve_NIST_K163
#define ECCurve_WTLS_4 ECCurve_SECG_CHAR2_113R1
#define ECCurve_WTLS_5 ECCurve_X9_62_CHAR2_PNB163V1
#define ECCurve_WTLS_6 ECCurve_SECG_PRIME_112R1
#define ECCurve_WTLS_7 ECCurve_SECG_PRIME_160R1
#define ECCurve_WTLS_10 ECCurve_NIST_K233
#define ECCurve_WTLS_11 ECCurve_NIST_B233
#define ECCurve_WTLS_12 ECCurve_NIST_P224
#define ECCurve_SECG_CHAR2_163K1 ECCurve_NIST_K163 /* not supported */
#define ECCurve_SECG_CHAR2_163R2 ECCurve_NIST_B163 /* not supported */
#define ECCurve_SECG_CHAR2_233K1 ECCurve_NIST_K233 /* not supported */
#define ECCurve_SECG_CHAR2_233R1 ECCurve_NIST_B233 /* not supported */
#define ECCurve_SECG_CHAR2_283K1 ECCurve_NIST_K283 /* not supported */
#define ECCurve_SECG_CHAR2_283R1 ECCurve_NIST_B283 /* not supported */
#define ECCurve_SECG_CHAR2_409K1 ECCurve_NIST_K409 /* not supported */
#define ECCurve_SECG_CHAR2_409R1 ECCurve_NIST_B409 /* not supported */
#define ECCurve_SECG_CHAR2_571K1 ECCurve_NIST_K571 /* not supported */
#define ECCurve_SECG_CHAR2_571R1 ECCurve_NIST_B571 /* not supported */
#define ECCurve_WTLS_3 ECCurve_NIST_K163 /* not supported */
#define ECCurve_WTLS_4 ECCurve_SECG_CHAR2_113R1 /* not supported */
#define ECCurve_WTLS_5 ECCurve_X9_62_CHAR2_PNB163V1 /* not supported */
#define ECCurve_WTLS_6 ECCurve_SECG_PRIME_112R1 /* not supported */
#define ECCurve_WTLS_7 ECCurve_SECG_PRIME_160R1 /* not supported */
#define ECCurve_WTLS_10 ECCurve_NIST_K233 /* not supported */
#define ECCurve_WTLS_11 ECCurve_NIST_B233 /* not supported */
#define ECCurve_WTLS_12 ECCurve_NIST_P224 /* not supported */
#endif /* __ecl_exp_h_ */
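Review bot: The `/* not supported */` marker added to the enumerators in the `@ -35,81` hunk and to the alias macros in the `@ -138,30` hunk is comment-only, so the header still declares every one of these curves as a valid value and says nothing about what a caller should expect when passing one (presumably the curve lookup fails at runtime — confirm). A single comment at the head of the enum, which begins before the first hunk, would state the contract once, e.g. `/* Entries marked "not supported" are kept only so existing enumerator values stay stable; requesting such a curve fails at runtime. */`. Stating it once would also let the per-line markers be dropped or shortened; repeating the same trailing comment on every enumerator and again on every alias macro is easy to leave out of sync when support for a curve changes. The deletion of the NSS_ECC_MORE_THAN_SUITE_B guard in the preceding header section is consistent with this, since the annotated curves are those outside Suite B.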
