Bug 1460617 - land NSS 3d3e34bb7517 UPGRADE_NSS_RELEASE, r=me

--HG--
extra : rebase_source : 45b9c45b31b55dc1f5fcc043336b2ddc386f740c
extra : histedit_source : 221357b0e59b2a82786cc83d6b980062ec2b7ce9
This commit is contained in:
Franziskus Kiefer 2018-05-28 15:45:28 +02:00
Родитель 54c29475e9
Коммит 7eaf562442
8 изменённых файлов: 142 добавлений и 34 удалений

Просмотреть файл

@ -1 +1 @@
328d235fc7ee
3d3e34bb7517

Просмотреть файл

@ -36,6 +36,8 @@
#include "certdb.h"
#include "nss.h"
#include "certutil.h"
#include "basicutil.h"
#include "ssl.h"
#define MIN_KEY_BITS 512
/* MAX_KEY_BITS should agree with RSA_MAX_MODULUS_BITS in freebl */
@ -447,7 +449,8 @@ ChangeTrustAttributes(CERTCertDBHandle *handle, PK11SlotInfo *slot,
}
static SECStatus
DumpChain(CERTCertDBHandle *handle, char *name, PRBool ascii)
DumpChain(CERTCertDBHandle *handle, char *name, PRBool ascii,
PRBool simpleSelfSigned)
{
CERTCertificate *the_cert;
CERTCertificateList *chain;
@ -458,6 +461,14 @@ DumpChain(CERTCertDBHandle *handle, char *name, PRBool ascii)
SECU_PrintError(progName, "Could not find: %s\n", name);
return SECFailure;
}
if (simpleSelfSigned &&
SECEqual == SECITEM_CompareItem(&the_cert->derIssuer,
&the_cert->derSubject)) {
printf("\"%s\" [%s]\n\n", the_cert->nickname, the_cert->subjectName);
CERT_DestroyCertificate(the_cert);
return SECSuccess;
}
chain = CERT_CertChainFromCert(the_cert, 0, PR_TRUE);
CERT_DestroyCertificate(the_cert);
if (!chain) {
@ -1115,7 +1126,9 @@ PrintSyntax()
FPS "\t%s --build-flags\n", progName);
FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n",
progName);
FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n", progName);
FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n"
"\t\t [--simple-self-signed]\n",
progName);
FPS "\t%s -R -s subj -o cert-request-file [-d certdir] [-P dbprefix] [-p phone] [-a]\n"
"\t\t [-7 emailAddrs] [-k key-type-or-id] [-h token-name] [-f pwfile]\n"
"\t\t [-g key-size] [-Z hashAlg]\n",
@ -1542,6 +1555,8 @@ luO(enum usage_level ul, const char *command)
" -P dbprefix");
FPS "%-20s force the database to open R/W\n",
" -X");
FPS "%-20s don't search for a chain if issuer name equals subject name\n",
" --simple-self-signed");
FPS "\n");
}
@ -1560,7 +1575,7 @@ luR(enum usage_level ul, const char *command)
" -o output-req");
FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
" -k key-type-or-id");
FPS "%-20s or nickname of the cert key to use \n",
FPS "%-20s or nickname of the cert key to use, or key id obtained using -K\n",
"");
FPS "%-20s Name of token in which to generate key (default is internal)\n",
" -h token-name");
@ -2498,6 +2513,7 @@ enum certutilOpts {
opt_NewNickname,
opt_Pss,
opt_PssSign,
opt_SimpleSelfSigned,
opt_Help
};
@ -2622,6 +2638,8 @@ static const secuCommandFlag options_init[] =
"pss" },
{ /* opt_PssSign */ 0, PR_FALSE, 0, PR_FALSE,
"pss-sign" },
{ /* opt_SimpleSelfSigned */ 0, PR_FALSE, 0, PR_FALSE,
"simple-self-signed" },
};
#define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0]))
@ -3122,6 +3140,8 @@ certutil_main(int argc, char **argv, PRBool initialize)
}
initialized = PR_TRUE;
SECU_RegisterDynamicOids();
/* Ensure the SSL error code table has been registered. Bug 1460284. */
SSL_OptionSetDefault(-1, 0);
}
certHandle = CERT_GetDefaultCertDB();
@ -3348,7 +3368,8 @@ certutil_main(int argc, char **argv, PRBool initialize)
}
if (certutil.commands[cmd_DumpChain].activated) {
rv = DumpChain(certHandle, name,
certutil.options[opt_ASCIIForIO].activated);
certutil.options[opt_ASCIIForIO].activated,
certutil.options[opt_SimpleSelfSigned].activated);
goto shutdown;
}
/* XXX needs work */
@ -3442,37 +3463,80 @@ certutil_main(int argc, char **argv, PRBool initialize)
keycert = CERT_FindCertByNicknameOrEmailAddr(certHandle, keysource);
if (!keycert) {
keycert = PK11_FindCertFromNickname(keysource, NULL);
if (!keycert) {
SECU_PrintError(progName,
"%s is neither a key-type nor a nickname", keysource);
}
if (keycert) {
privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
} else {
PLArenaPool *arena = NULL;
SECItem keyidItem = { 0 };
char *keysourcePtr = keysource;
/* Interpret keysource as CKA_ID */
if (PK11_NeedLogin(slot)) {
rv = PK11_Authenticate(slot, PR_TRUE, &pwdata);
if (rv != SECSuccess) {
SECU_PrintError(progName, "could not authenticate to token %s.",
PK11_GetTokenName(slot));
return SECFailure;
}
}
if (0 == PL_strncasecmp("0x", keysource, 2)) {
keysourcePtr = keysource + 2; // skip leading "0x"
}
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
SECU_PrintError(progName, "unable to allocate arena");
return SECFailure;
}
if (SECU_HexString2SECItem(arena, &keyidItem, keysourcePtr)) {
privkey = PK11_FindKeyByKeyID(slot, &keyidItem, &pwdata);
}
PORT_FreeArena(arena, PR_FALSE);
}
privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
if (privkey)
pubkey = CERT_ExtractPublicKey(keycert);
if (!privkey) {
SECU_PrintError(
progName,
"%s is neither a key-type nor a nickname nor a key-id", keysource);
return SECFailure;
}
pubkey = SECKEY_ConvertToPublicKey(privkey);
if (!pubkey) {
SECU_PrintError(progName,
"Could not get keys from cert %s", keysource);
if (keycert) {
CERT_DestroyCertificate(keycert);
}
rv = SECFailure;
CERT_DestroyCertificate(keycert);
goto shutdown;
}
keytype = privkey->keyType;
/* On CertReq for renewal if no subject has been
* specified obtain it from the certificate.
*/
if (certutil.commands[cmd_CertReq].activated && !subject) {
subject = CERT_AsciiToName(keycert->subjectName);
if (!subject) {
SECU_PrintError(progName,
"Could not get subject from certificate %s", keysource);
CERT_DestroyCertificate(keycert);
if (keycert) {
subject = CERT_AsciiToName(keycert->subjectName);
if (!subject) {
SECU_PrintError(
progName,
"Could not get subject from certificate %s",
keysource);
CERT_DestroyCertificate(keycert);
rv = SECFailure;
goto shutdown;
}
} else {
SECU_PrintError(progName, "Subject name not provided");
rv = SECFailure;
goto shutdown;
}
}
CERT_DestroyCertificate(keycert);
if (keycert) {
CERT_DestroyCertificate(keycert);
}
} else {
privkey =
CERTUTIL_GeneratePrivateKey(keytype, slot, keysize,
@ -3535,6 +3599,14 @@ certutil_main(int argc, char **argv, PRBool initialize)
}
}
if (certutil.options[opt_SimpleSelfSigned].activated &&
!certutil.commands[cmd_DumpChain].activated) {
PR_fprintf(PR_STDERR,
"%s -%c: --simple-self-signed only works with -O.\n",
progName, commandToRun);
return 255;
}
/* If we need a list of extensions convert the flags into list format */
if (certutil.commands[cmd_CertReq].activated ||
certutil.commands[cmd_CreateAndAddCert].activated ||

Просмотреть файл

@ -10,4 +10,3 @@
*/
#error "Do not include this header file."

Просмотреть файл

@ -535,12 +535,16 @@ ifeq (,$(filter-out i386 x386 x86 x86_64 aarch64,$(CPU_ARCH)))
# All intel architectures get the 64 bit version
# With custom uint128 if necessary (faster than generic 32 bit version).
ECL_SRCS += curve25519_64.c
VERIFIED_SRCS += Hacl_Curve25519.c FStar.c
VERIFIED_SRCS += Hacl_Curve25519.c
else
# All non intel architectures get the generic 32 bit implementation (slow!)
ECL_SRCS += curve25519_32.c
endif
ifndef HAVE_INT128_SUPPORT
VERIFIED_SRCS += FStar.c
endif
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #
#######################################################################

Просмотреть файл

@ -277,18 +277,10 @@
'MP_IS_LITTLE_ENDIAN',
],
}],
[ 'OS!="win"', {
'conditions': [
[ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
'defines': [
# The Makefile does version-tests on GCC, but we're not doing that here.
'HAVE_INT128_SUPPORT',
],
}, {
'defines': [
'KRML_NOUINT128',
],
}],
[ 'have_int128_support==1', {
'defines': [
# The Makefile does version-tests on GCC, but we're not doing that here.
'HAVE_INT128_SUPPORT',
],
}, {
'defines': [
@ -350,5 +342,18 @@
},
'variables': {
'module': 'nss',
'conditions': [
[ 'OS!="win"', {
'conditions': [
[ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
'have_int128_support%': 1,
}, {
'have_int128_support%': 0,
}],
],
}, {
'have_int128_support%': 0,
}],
],
}
}

Просмотреть файл

@ -60,7 +60,6 @@
'shvfy.c',
'sysrand.c',
'tlsprfalg.c',
'verified/FStar.c',
],
'conditions': [
[ 'OS=="linux" or OS=="android"', {
@ -220,6 +219,9 @@
}],
],
}],
[ 'have_int128_support==0', {
'sources': [ 'verified/FStar.c' ],
}],
],
'ldflags': [
'-Wl,-Bsymbolic'

Просмотреть файл

@ -32,7 +32,7 @@ RNG_SystemRNG(void *dest, size_t maxLen)
size_t fileBytes = 0;
unsigned char *buffer = dest;
#if defined(LINUX) && defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25)))
#if defined(__OpenBSD__) || (defined(LINUX) && defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25))))
int result;
while (fileBytes < maxLen) {

Просмотреть файл

@ -2475,6 +2475,31 @@ EOF
RETEXPECTED=0
}
cert_test_orphan_key_reuse()
{
CU_ACTION="Create orphan key in serverdir"
certu -G -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR}
# Let's get the key ID of the first orphan key.
# The output of certutil -K (list keys) isn't well formatted.
# The initial <key-number> part may or may not contain white space, which
# makes the use of awk to filter the column unreliable.
# To fix that, we remove the initial <number> field using sed, then select the
# column that contains the key ID.
ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'`
CU_ACTION="Create cert request for orphan key"
certu -R -f "${R_PWFILE}" -k ${ORPHAN} -s "CN=orphan" -d ${PROFILEDIR} \
-o ${SERVERDIR}/orphan.req
# Ensure that creating the request really works by listing it, and check
# if listing was successful.
${BINDIR}/pp -t certificate-request -i ${SERVERDIR}/orphan.req
RET=$?
if [ "$RET" -ne 0 ]; then
html_failed "Listing cert request for orphan key ($RET)"
cert_log "ERROR: Listing cert request for orphan key failed $RET"
fi
}
############################## cert_cleanup ############################
# local shell function to finish this script (no exit since it might be
# sourced)
@ -2494,6 +2519,7 @@ cert_all_CA
cert_test_implicit_db_init
cert_extended_ssl
cert_ssl
cert_test_orphan_key_reuse
cert_smime_client
IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
if [ $IS_FIPS_DISABLED -ne 0 ]; then