Bug 1470914, NSS 3.39 beta revision be5c5d3ad5f6 UPGRADE_NSS_RELEASE r=me

Kai Engert 2018-07-27 15:08:55 +02:00
Родитель bcc2d68110
Коммит 81bf621fb6
9 изменённых файлов: 41 добавлений и 47 удалений


@ -1 +1 @@
4a086733554e
be5c5d3ad5f6


@ -21,8 +21,8 @@
#define DEFAULT_THREADS 1
#define DEFAULT_EXPONENT 0x10001
extern NSSLOWKEYPrivateKey *getDefaultRSAPrivateKey(void);
extern NSSLOWKEYPublicKey *getDefaultRSAPublicKey(void);
extern NSSLOWKEYPrivateKey *getDefaultRSAPrivateKey(int);
extern NSSLOWKEYPublicKey *getDefaultRSAPublicKey(int);
secuPWData pwData = { PW_NONE, NULL };
@ -580,9 +580,9 @@ main(int argc, char **argv)
/* use a hardcoded key */
printf("Using hardcoded %ld bits key.\n", keybits);
if (doPub) {
pubKey = getDefaultRSAPublicKey();
pubKey = getDefaultRSAPublicKey(keybits);
} else {
privKey = getDefaultRSAPrivateKey();
privKey = getDefaultRSAPrivateKey(keybits);
}
}
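Review bot: The two `extern` prototypes are declared locally in this file rather than taken from a header shared with the definitions, so a signature change like this one is not checked by the compiler if one side is missed. At the call sites `keybits` is printed with `%ld`, which suggests it is a `long`, while the new parameter is `int`; validating the range and then passing `(int)keybits` would make the narrowing deliberate. The definitions of both functions are outside this page, so how they react to a key size with no built-in key cannot be confirmed here, and `main` itself starts and ends outside the hunk.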


@ -185,6 +185,10 @@ ifdef NSS_SEED_ONLY_DEV_URANDOM
DEFINES += -DSEED_ONLY_DEV_URANDOM
endif
ifdef NSS_PKCS1_AllowMissingParameters
DEFINES += -DNSS_PKCS1_AllowMissingParameters
endif
# Avoid building object leak test code for optimized library
ifndef BUILD_OPT
ifdef PKIX_OBJECT_LEAK_TEST
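Review bot: The new `NSS_PKCS1_AllowMissingParameters` block has no comment, unlike the `BUILD_OPT` block right below it, and the name alone does not say that it relaxes signature verification. I would add a line above the `ifdef` such as `# Unsafe compatibility switch: compiles in the path that can accept a PKCS#1 v1.5 DigestInfo without algorithm parameters. Leave unset for normal builds.` Judging by the `_SGN_VerifyPKCS1DigestInfo` section of this commit, the define only compiles the lenient path in; a caller still has to pass `unsafeAllowMissingParameters` for it to run.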


@ -10,4 +10,3 @@
*/
#error "Do not include this header file."


@ -16,6 +16,7 @@ CPPSRCS = \
pk11_pbkdf2_unittest.cc \
pk11_prf_unittest.cc \
pk11_prng_unittest.cc \
pk11_rsapkcs1_unittest.cc \
pk11_rsapss_unittest.cc \
pk11_der_private_key_import_unittest.cc \
$(NULL)


@ -20,6 +20,7 @@
'pk11_pbkdf2_unittest.cc',
'pk11_prf_unittest.cc',
'pk11_prng_unittest.cc',
'pk11_rsapkcs1_unittest.cc',
'pk11_rsapss_unittest.cc',
'pk11_der_private_key_import_unittest.cc',
'<(DEPTH)/gtests/common/gtests.cc'


@ -161,7 +161,7 @@ verifyPKCS1DigestInfo(const VFYContext *cx, const SECItem *digest)
pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen;
return _SGN_VerifyPKCS1DigestInfo(
cx->hashAlg, digest, &pkcs1DigestInfo,
PR_TRUE /*XXX: unsafeAllowMissingParameters*/);
PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
}
/*
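Review bot: The argument is now the strict value, but the trailing `/*XXX: unsafeAllowMissingParameters*/` marker still reads as an open to-do; the same applies to the call in `RSA_HashCheckSign`. Something like `PR_FALSE /* unsafeAllowMissingParameters: strict DigestInfo check */` would record that strictness is intended. With both visible callers hard-coding `PR_FALSE`, the `NSS_PKCS1_AllowMissingParameters` build option appears to have no effect through these two paths; if no other caller passes `PR_TRUE` (none is visible on this page), the option and the parameter are effectively dead and that is worth stating in a comment. `verifyPKCS1DigestInfo` begins outside the hunk.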


@ -3106,7 +3106,7 @@ RSA_HashCheckSign(SECOidTag digestOid, NSSLOWKEYPublicKey *key,
digest.len = digestLen;
rv = _SGN_VerifyPKCS1DigestInfo(
digestOid, &digest, &pkcs1DigestInfo,
PR_TRUE /*XXX: unsafeAllowMissingParameters*/);
PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
}
PORT_Free(pkcs1DigestInfoData);


@ -15,13 +15,6 @@ struct pkcs1PrefixStr {
PRUint8 *data;
};
typedef struct pkcs1PrefixesStr pkcs1Prefixes;
struct pkcs1PrefixesStr {
unsigned int digestLen;
pkcs1Prefix prefixWithParams;
pkcs1Prefix prefixWithoutParams;
};
/* The value for SGN_PKCS1_DIGESTINFO_MAX_PREFIX_LEN_EXCLUDING_OID is based on
* the possible prefix encodings as explained below.
*/
@ -101,9 +94,8 @@ _SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg,
PRBool unsafeAllowMissingParameters)
{
SECOidData *hashOid;
pkcs1Prefixes pp;
const pkcs1Prefix *expectedPrefix;
SECStatus rv, rv2, rv3;
pkcs1Prefix prefix;
SECStatus rv;
if (!digest || !digest->data ||
!dataRecoveredFromSignature || !dataRecoveredFromSignature->data) {
@ -117,17 +109,9 @@ _SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg,
return SECFailure;
}
pp.digestLen = digest->len;
pp.prefixWithParams.data = NULL;
pp.prefixWithoutParams.data = NULL;
prefix.data = NULL;
rv2 = encodePrefix(hashOid, pp.digestLen, &pp.prefixWithParams, PR_TRUE);
rv3 = encodePrefix(hashOid, pp.digestLen, &pp.prefixWithoutParams, PR_FALSE);
rv = SECSuccess;
if (rv2 != SECSuccess || rv3 != SECSuccess) {
rv = SECFailure;
}
rv = encodePrefix(hashOid, digest->len, &prefix, PR_TRUE);
if (rv == SECSuccess) {
/* We don't attempt to avoid timing attacks on these comparisons because
@ -135,34 +119,39 @@ _SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg,
* operation.
*/
if (dataRecoveredFromSignature->len ==
pp.prefixWithParams.len + pp.digestLen) {
expectedPrefix = &pp.prefixWithParams;
} else if (unsafeAllowMissingParameters &&
dataRecoveredFromSignature->len ==
pp.prefixWithoutParams.len + pp.digestLen) {
expectedPrefix = &pp.prefixWithoutParams;
} else {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
rv = SECFailure;
if (dataRecoveredFromSignature->len != prefix.len + digest->len) {
PRBool lengthMismatch = PR_TRUE;
#ifdef NSS_PKCS1_AllowMissingParameters
if (unsafeAllowMissingParameters) {
if (prefix.data) {
PORT_Free(prefix.data);
prefix.data = NULL;
}
rv = encodePrefix(hashOid, digest->len, &prefix, PR_FALSE);
if (rv != SECSuccess ||
dataRecoveredFromSignature->len == prefix.len + digest->len) {
lengthMismatch = PR_FALSE;
}
}
#endif
if (lengthMismatch) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
rv = SECFailure;
}
}
}
if (rv == SECSuccess) {
if (memcmp(dataRecoveredFromSignature->data, expectedPrefix->data,
expectedPrefix->len) ||
memcmp(dataRecoveredFromSignature->data + expectedPrefix->len,
digest->data, digest->len)) {
if (memcmp(dataRecoveredFromSignature->data, prefix.data, prefix.len) ||
memcmp(dataRecoveredFromSignature->data + prefix.len, digest->data,
digest->len)) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
rv = SECFailure;
}
}
if (pp.prefixWithParams.data) {
PORT_Free(pp.prefixWithParams.data);
}
if (pp.prefixWithoutParams.data) {
PORT_Free(pp.prefixWithoutParams.data);
if (prefix.data) {
PORT_Free(prefix.data);
}
return rv;
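Review bot: Inside the `#ifdef NSS_PKCS1_AllowMissingParameters` branch, `lengthMismatch` is cleared when the second `encodePrefix` call fails (`rv != SECSuccess || ...`), so a flag named for a length comparison also stands in for an encoding error. The outcome is still a failure, because `rv` is no longer `SECSuccess` and the `memcmp` block is skipped, but that depends on the following `if (rv == SECSuccess)` staying exactly where it is. A comment such as `/* on encodePrefix failure keep rv and its error code; the comparison below is skipped */` would make that explicit. When the macro is undefined the `unsafeAllowMissingParameters` parameter is unused, which some warning levels report; `(void)unsafeAllowMissingParameters;` in an `#else` would silence it. The function's opening checks and closing brace lie outside the hunks shown.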