Bug 1460617 - land NSS 3d3e34bb7517 UPGRADE_NSS_RELEASE, r=me

--HG-- extra : rebase_source : 45b9c45b31b55dc1f5fcc043336b2ddc386f740c extra : histedit_source : 221357b0e59b2a82786cc83d6b980062ec2b7ce9
2018-05-28 15:45:28 +02:00 · 2018-05-28 15:45:28 +02:00 · 7eaf562442
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@ -1 +1 @@
-328d235fc7ee
+3d3e34bb7517
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@ -36,6 +36,8 @@
 #include "certdb.h"
 #include "nss.h"
 #include "certutil.h"
+#include "basicutil.h"
+#include "ssl.h"

 #define MIN_KEY_BITS 512
 /* MAX_KEY_BITS should agree with RSA_MAX_MODULUS_BITS in freebl */
@ -447,7 +449,8 @@ ChangeTrustAttributes(CERTCertDBHandle *handle, PK11SlotInfo *slot,
 }

 static SECStatus
-DumpChain(CERTCertDBHandle *handle, char *name, PRBool ascii)
+DumpChain(CERTCertDBHandle *handle, char *name, PRBool ascii,
+          PRBool simpleSelfSigned)
 {
    CERTCertificate *the_cert;
    CERTCertificateList *chain;
@ -458,6 +461,14 @@ DumpChain(CERTCertDBHandle *handle, char *name, PRBool ascii)
        SECU_PrintError(progName, "Could not find: %s\n", name);
        return SECFailure;
    }
+    if (simpleSelfSigned &&
+        SECEqual == SECITEM_CompareItem(&the_cert->derIssuer,
+                                        &the_cert->derSubject)) {
+        printf("\"%s\" [%s]\n\n", the_cert->nickname, the_cert->subjectName);
+        CERT_DestroyCertificate(the_cert);
+        return SECSuccess;
+    }
+
    chain = CERT_CertChainFromCert(the_cert, 0, PR_TRUE);
    CERT_DestroyCertificate(the_cert);
    if (!chain) {
@ -1115,7 +1126,9 @@ PrintSyntax()
    FPS "\t%s --build-flags\n", progName);
    FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n",
        progName);
-    FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n", progName);
+    FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n"
+        "\t\t [--simple-self-signed]\n",
+        progName);
    FPS "\t%s -R -s subj -o cert-request-file [-d certdir] [-P dbprefix] [-p phone] [-a]\n"
        "\t\t [-7 emailAddrs] [-k key-type-or-id] [-h token-name] [-f pwfile]\n"
        "\t\t [-g key-size] [-Z hashAlg]\n",
@ -1542,6 +1555,8 @@ luO(enum usage_level ul, const char *command)
        "   -P dbprefix");
    FPS "%-20s force the database to open R/W\n",
        "   -X");
+    FPS "%-20s don't search for a chain if issuer name equals subject name\n",
+        "   --simple-self-signed");
    FPS "\n");
 }

@ -1560,7 +1575,7 @@ luR(enum usage_level ul, const char *command)
        "   -o output-req");
    FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
        "   -k key-type-or-id");
-    FPS "%-20s or nickname of the cert key to use \n",
+    FPS "%-20s or nickname of the cert key to use, or key id obtained using -K\n",
        "");
    FPS "%-20s Name of token in which to generate key (default is internal)\n",
        "   -h token-name");
@ -2498,6 +2513,7 @@ enum certutilOpts {
    opt_NewNickname,
    opt_Pss,
    opt_PssSign,
+    opt_SimpleSelfSigned,
    opt_Help
 };

@ -2622,6 +2638,8 @@ static const secuCommandFlag options_init[] =
        "pss" },
      { /* opt_PssSign             */ 0, PR_FALSE, 0, PR_FALSE,
        "pss-sign" },
+      { /* opt_SimpleSelfSigned    */ 0, PR_FALSE, 0, PR_FALSE,
+        "simple-self-signed" },
    };
 #define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0]))

@ -3122,6 +3140,8 @@ certutil_main(int argc, char **argv, PRBool initialize)
        }
        initialized = PR_TRUE;
        SECU_RegisterDynamicOids();
+        /* Ensure the SSL error code table has been registered. Bug 1460284. */
+        SSL_OptionSetDefault(-1, 0);
    }
    certHandle = CERT_GetDefaultCertDB();

@ -3348,7 +3368,8 @@ certutil_main(int argc, char **argv, PRBool initialize)
    }
    if (certutil.commands[cmd_DumpChain].activated) {
        rv = DumpChain(certHandle, name,
-                       certutil.options[opt_ASCIIForIO].activated);
+                       certutil.options[opt_ASCIIForIO].activated,
+                       certutil.options[opt_SimpleSelfSigned].activated);
        goto shutdown;
    }
    /*  XXX needs work  */
@ -3442,37 +3463,80 @@ certutil_main(int argc, char **argv, PRBool initialize)
            keycert = CERT_FindCertByNicknameOrEmailAddr(certHandle, keysource);
            if (!keycert) {
                keycert = PK11_FindCertFromNickname(keysource, NULL);
-                if (!keycert) {
-                    SECU_PrintError(progName,
-                                    "%s is neither a key-type nor a nickname", keysource);
+            }
+
+            if (keycert) {
+                privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
+            } else {
+                PLArenaPool *arena = NULL;
+                SECItem keyidItem = { 0 };
+                char *keysourcePtr = keysource;
+                /* Interpret keysource as CKA_ID */
+                if (PK11_NeedLogin(slot)) {
+                    rv = PK11_Authenticate(slot, PR_TRUE, &pwdata);
+                    if (rv != SECSuccess) {
+                        SECU_PrintError(progName, "could not authenticate to token %s.",
+                                        PK11_GetTokenName(slot));
                        return SECFailure;
                    }
                }
-            privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
-            if (privkey)
-                pubkey = CERT_ExtractPublicKey(keycert);
+                if (0 == PL_strncasecmp("0x", keysource, 2)) {
+                    keysourcePtr = keysource + 2; // skip leading "0x"
+                }
+                arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+                if (!arena) {
+                    SECU_PrintError(progName, "unable to allocate arena");
+                    return SECFailure;
+                }
+                if (SECU_HexString2SECItem(arena, &keyidItem, keysourcePtr)) {
+                    privkey = PK11_FindKeyByKeyID(slot, &keyidItem, &pwdata);
+                }
+                PORT_FreeArena(arena, PR_FALSE);
+            }
+
+            if (!privkey) {
+                SECU_PrintError(
+                    progName,
+                    "%s is neither a key-type nor a nickname nor a key-id", keysource);
+                return SECFailure;
+            }
+
+            pubkey = SECKEY_ConvertToPublicKey(privkey);
            if (!pubkey) {
                SECU_PrintError(progName,
                                "Could not get keys from cert %s", keysource);
-                rv = SECFailure;
+                if (keycert) {
                    CERT_DestroyCertificate(keycert);
+                }
+                rv = SECFailure;
                goto shutdown;
            }
            keytype = privkey->keyType;
+
            /* On CertReq for renewal if no subject has been
             * specified obtain it from the certificate.
             */
            if (certutil.commands[cmd_CertReq].activated && !subject) {
+                if (keycert) {
                    subject = CERT_AsciiToName(keycert->subjectName);
                    if (!subject) {
-                    SECU_PrintError(progName,
-                                    "Could not get subject from certificate %s", keysource);
+                        SECU_PrintError(
+                            progName,
+                            "Could not get subject from certificate %s",
+                            keysource);
                        CERT_DestroyCertificate(keycert);
                        rv = SECFailure;
                        goto shutdown;
                    }
+                } else {
+                    SECU_PrintError(progName, "Subject name not provided");
+                    rv = SECFailure;
+                    goto shutdown;
                }
+            }
+            if (keycert) {
                CERT_DestroyCertificate(keycert);
+            }
        } else {
            privkey =
                CERTUTIL_GeneratePrivateKey(keytype, slot, keysize,
@ -3535,6 +3599,14 @@ certutil_main(int argc, char **argv, PRBool initialize)
        }
    }

+    if (certutil.options[opt_SimpleSelfSigned].activated &&
+        !certutil.commands[cmd_DumpChain].activated) {
+        PR_fprintf(PR_STDERR,
+                   "%s -%c: --simple-self-signed only works with -O.\n",
+                   progName, commandToRun);
+        return 255;
+    }
+
    /* If we need a list of extensions convert the flags into list format */
    if (certutil.commands[cmd_CertReq].activated ||
        certutil.commands[cmd_CreateAndAddCert].activated ||
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@ -10,4 +10,3 @@
 */

 #error "Do not include this header file."
-
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@ -535,12 +535,16 @@ ifeq (,$(filter-out i386 x386 x86 x86_64 aarch64,$(CPU_ARCH)))
    # All intel architectures get the 64 bit version
    # With custom uint128 if necessary (faster than generic 32 bit version).
    ECL_SRCS += curve25519_64.c
-    VERIFIED_SRCS += Hacl_Curve25519.c FStar.c
+    VERIFIED_SRCS += Hacl_Curve25519.c
 else
    # All non intel architectures get the generic 32 bit implementation (slow!)
    ECL_SRCS += curve25519_32.c
 endif

+ifndef HAVE_INT128_SUPPORT
+    VERIFIED_SRCS += FStar.c
+endif
+
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
--- a/security/nss/lib/freebl/freebl.gyp
+++ b/security/nss/lib/freebl/freebl.gyp
@ -277,9 +277,7 @@
          'MP_IS_LITTLE_ENDIAN',
         ],
      }],
-      [ 'OS!="win"', {
-        'conditions': [
-          [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
+      [ 'have_int128_support==1', {
        'defines': [
          # The Makefile does version-tests on GCC, but we're not doing that here.
          'HAVE_INT128_SUPPORT',
@ -289,12 +287,6 @@
          'KRML_NOUINT128',
        ],
      }],
-        ],
-      }, {
-        'defines': [
-          'KRML_NOUINT128',
-        ],
-      }],
      [ 'OS=="linux"', {
        'defines': [
          'FREEBL_LOWHASH',
@ -350,5 +342,18 @@
  },
  'variables': {
    'module': 'nss',
+    'conditions': [
+      [ 'OS!="win"', {
+        'conditions': [
+          [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
+            'have_int128_support%': 1,
+          }, {
+            'have_int128_support%': 0,
+          }],
+        ],
+      }, {
+        'have_int128_support%': 0,
+      }],
+    ],
  }
 }
--- a/security/nss/lib/freebl/freebl_base.gypi
+++ b/security/nss/lib/freebl/freebl_base.gypi
@ -60,7 +60,6 @@
    'shvfy.c',
    'sysrand.c',
    'tlsprfalg.c',
-    'verified/FStar.c',
  ],
  'conditions': [
    [ 'OS=="linux" or OS=="android"', {
@ -220,6 +219,9 @@
        }],
      ],
    }],
+    [ 'have_int128_support==0', {
+        'sources': [ 'verified/FStar.c' ],
+    }],
  ],
 'ldflags': [
   '-Wl,-Bsymbolic'
--- a/security/nss/lib/freebl/unix_urandom.c
+++ b/security/nss/lib/freebl/unix_urandom.c
@ -32,7 +32,7 @@ RNG_SystemRNG(void *dest, size_t maxLen)
    size_t fileBytes = 0;
    unsigned char *buffer = dest;

-#if defined(LINUX) && defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25)))
+#if defined(__OpenBSD__) || (defined(LINUX) && defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25))))
    int result;

    while (fileBytes < maxLen) {
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@ -2475,6 +2475,31 @@ EOF
  RETEXPECTED=0
 }

+cert_test_orphan_key_reuse()
+{
+  CU_ACTION="Create orphan key in serverdir"
+  certu -G -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR}
+  # Let's get the key ID of the first orphan key.
+  # The output of certutil -K (list keys) isn't well formatted.
+  # The initial <key-number> part may or may not contain white space, which
+  # makes the use of awk to filter the column unreliable.
+  # To fix that, we remove the initial <number> field using sed, then select the
+  # column that contains the key ID.
+  ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
+          sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'`
+  CU_ACTION="Create cert request for orphan key"
+  certu -R -f "${R_PWFILE}" -k ${ORPHAN} -s "CN=orphan" -d ${PROFILEDIR} \
+        -o ${SERVERDIR}/orphan.req
+  # Ensure that creating the request really works by listing it, and check
+  # if listing was successful.
+  ${BINDIR}/pp -t certificate-request -i ${SERVERDIR}/orphan.req
+  RET=$?
+  if [ "$RET" -ne 0 ]; then
+    html_failed "Listing cert request for orphan key ($RET)"
+    cert_log "ERROR: Listing cert request for orphan key failed $RET"
+  fi
+}
+
 ############################## cert_cleanup ############################
 # local shell function to finish this script (no exit since it might be
 # sourced)
@ -2494,6 +2519,7 @@ cert_all_CA
 cert_test_implicit_db_init
 cert_extended_ssl
 cert_ssl
+cert_test_orphan_key_reuse
 cert_smime_client
 IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
 if [ $IS_FIPS_DISABLED -ne 0 ]; then