mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1564499 - land NSS 777b6070fe76 UPGRADE_NSS_RELEASE, r=me 

--HG--
extra : rebase_source : 6a0e320432b452bc692f712c63c0cc66699cd130
This commit is contained in:
J.C. Jones 2019-08-05 15:58:54 +00:00
Родитель 53d19b15b1
Коммит 83fd5c4742
23 изменённых файлов: 189 добавлений и 16 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
security/nss/TAG-INFO
Просмотреть файл

@ -1 +1 @@
a31fc0eefc4c
777b6070fe76

2
security/nss/cmd/lib/secpwd.c
Просмотреть файл

@ -66,7 +66,7 @@ SEC_GetPassword(FILE *input, FILE *output, char *prompt,
int infd = fileno(input);
int isTTY = isatty(infd);
#endif
char phrase[200] = { '\0' }; /* ensure EOF doesn't return junk */
char phrase[500] = { '\0' }; /* ensure EOF doesn't return junk */
for (;;) {
/* Prompt for password */

2
security/nss/cmd/pk11mode/pk11mode.c
Просмотреть файл

@ -5229,7 +5229,7 @@ PKM_Digest(CK_FUNCTION_LIST_PTR pFunctionList,
char *
PKM_FilePasswd(char *pwFile)
{
unsigned char phrase[200];
unsigned char phrase[500];
PRFileDesc *fd;
PRInt32 nb;
int i;

2
security/nss/cmd/shlibsign/shlibsign.c
Просмотреть файл

@ -614,7 +614,7 @@ cleanup:
static char *
filePasswd(char *pwFile)
{
unsigned char phrase[200];
unsigned char phrase[500];
PRFileDesc *fd;
PRInt32 nb;
int i;

1
security/nss/coreconf/coreconf.dep
Просмотреть файл

@ -10,4 +10,3 @@
*/
#error "Do not include this header file."

116
security/nss/gtests/softoken_gtest/softoken_gtest.cc
Просмотреть файл

@ -3,6 +3,7 @@
#include "nspr.h"
#include "nss.h"
#include "pk11pub.h"
#include "secmod.h"
#include "secerr.h"
#include "nss_scoped_ptrs.h"
@ -119,6 +120,27 @@ TEST_F(SoftokenTest, CreateObjectChangePassword) {
EXPECT_EQ(nullptr, obj);
}
/* The size limit for a password is 500 characters as defined in pkcs11i.h */
TEST_F(SoftokenTest, CreateObjectChangeToBigPassword) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
EXPECT_EQ(
SECSuccess,
PK11_ChangePW(slot.get(), "",
"rUIFIFr2bxKnbJbitsfkyqttpk6vCJzlYMNxcxXcaN37gSZKbLk763X7iR"
"yeVNWZHQ02lSF69HYjzTyPW3318ZD0DBFMMbALZ8ZPZP73CIo5uIQlaowV"
"IbP8eOhRYtGUqoLGlcIFNEYogV8Q3GN58VeBMs0KxrIOvPQ9s8SnYYkqvt"
"zzgntmAvCgvk64x6eQf0okHwegd5wi6m0WVJytEepWXkP9J629FSa5kNT8"
"FvL3jvslkiImzTNuTvl32fQDXXMSc8vVk5Q3mH7trMZM0VDdwHWYERjHbz"
"kGxFgp0VhediHx7p9kkz6H6ac4et9sW4UkTnN7xhYc1Zr17wRSk2heQtcX"
"oZJGwuzhiKm8A8wkuVxms6zO56P4JORIk8oaUW6lyNTLo2kWWnTA"));
EXPECT_EQ(SECSuccess, PK11_Logout(slot.get()));
ScopedPK11GenericObject obj(PK11_CreateGenericObject(
slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
EXPECT_EQ(nullptr, obj);
}
TEST_F(SoftokenTest, CreateObjectChangeToEmptyPassword) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
@ -265,6 +287,100 @@ TEST_F(SoftokenNoDBTest, NeedUserInitNoDB) {
ASSERT_EQ(SECSuccess, NSS_Shutdown());
}
#ifndef NSS_FIPS_DISABLED
class SoftokenFipsTest : public SoftokenTest {
protected:
SoftokenFipsTest() : SoftokenTest("SoftokenFipsTest.d-") {}
virtual void SetUp() {
SoftokenTest::SetUp();
// Turn on FIPS mode (code borrowed from FipsMode in modutil/pk11.c)
char *internal_name;
ASSERT_FALSE(PK11_IsFIPS());
internal_name = PR_smprintf("%s", SECMOD_GetInternalModule()->commonName);
ASSERT_EQ(SECSuccess, SECMOD_DeleteInternalModule(internal_name));
PR_smprintf_free(internal_name);
ASSERT_TRUE(PK11_IsFIPS());
}
};
const std::vector<std::string> kFipsPasswordCases[] = {
// FIPS level1 -> level1 -> level1
{"", "", ""},
// FIPS level1 -> level1 -> level2
{"", "", "strong-_123"},
// FIXME: this should work: FIPS level1 -> level2 -> level2
// {"", "strong-_123", "strong-_456"},
// FIPS level2 -> level2 -> level2
{"strong-_123", "strong-_456", "strong-_123"}};
const std::vector<std::string> kFipsPasswordBadCases[] = {
// FIPS level1 -> level2 -> level1
{"", "strong-_123", ""},
// FIPS level2 -> level1 -> level1
{"strong-_123", ""},
// FIPS level2 -> level2 -> level1
{"strong-_123", "strong-_456", ""},
// initialize with a weak password
{"weak"},
// FIPS level1 -> weak password
{"", "weak"},
// FIPS level2 -> weak password
{"strong-_123", "weak"}};
class SoftokenFipsPasswordTest
: public SoftokenFipsTest,
public ::testing::WithParamInterface<std::vector<std::string>> {};
class SoftokenFipsBadPasswordTest
: public SoftokenFipsTest,
public ::testing::WithParamInterface<std::vector<std::string>> {};
TEST_P(SoftokenFipsPasswordTest, SetPassword) {
const std::vector<std::string> &passwords = GetParam();
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
auto it = passwords.begin();
auto prev_it = it;
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, (*it).c_str()));
for (it++; it != passwords.end(); it++, prev_it++) {
EXPECT_EQ(SECSuccess,
PK11_ChangePW(slot.get(), (*prev_it).c_str(), (*it).c_str()));
}
}
TEST_P(SoftokenFipsBadPasswordTest, SetBadPassword) {
const std::vector<std::string> &passwords = GetParam();
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
auto it = passwords.begin();
auto prev_it = it;
SECStatus rv = PK11_InitPin(slot.get(), nullptr, (*it).c_str());
if (it + 1 == passwords.end())
EXPECT_EQ(SECFailure, rv);
else
EXPECT_EQ(SECSuccess, rv);
for (it++; it != passwords.end(); it++, prev_it++) {
rv = PK11_ChangePW(slot.get(), (*prev_it).c_str(), (*it).c_str());
if (it + 1 == passwords.end())
EXPECT_EQ(SECFailure, rv);
else
EXPECT_EQ(SECSuccess, rv);
}
}
INSTANTIATE_TEST_CASE_P(FipsPasswordCases, SoftokenFipsPasswordTest,
::testing::ValuesIn(kFipsPasswordCases));
INSTANTIATE_TEST_CASE_P(BadFipsPasswordCases, SoftokenFipsBadPasswordTest,
::testing::ValuesIn(kFipsPasswordBadCases));
#endif
} // namespace nss_test
int main(int argc, char **argv) {

8
security/nss/lib/freebl/pqg.c
Просмотреть файл

@ -890,7 +890,7 @@ findQfromSeed(
pqgGenType *typePtr, /* output. Generation Type used */
unsigned int *qgen_counter) /* output. q_counter */
{
HASH_HashType hashtype;
HASH_HashType hashtype = HASH_AlgNULL;
SECItem firstseed = { 0, 0, 0 };
SECItem qseed = { 0, 0, 0 };
SECStatus rv;
@ -1239,7 +1239,7 @@ pqg_ParamGen(unsigned int L, unsigned int N, pqgGenType type,
unsigned int offset; /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
unsigned int outlen; /* Per FIPS 186-3, appendix A.1.1.2. */
unsigned int maxCount;
HASH_HashType hashtype;
HASH_HashType hashtype = HASH_AlgNULL;
SECItem *seed; /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
PLArenaPool *arena = NULL;
PQGParams *params = NULL;
@ -1630,8 +1630,8 @@ PQG_VerifyParams(const PQGParams *params,
unsigned int qseed_len;
unsigned int qgen_counter_ = 0;
SECItem pseed_ = { 0, 0, 0 };
HASH_HashType hashtype;
pqgGenType type;
HASH_HashType hashtype = HASH_AlgNULL;
pqgGenType type = FIPS186_1_TYPE;
#define CHECKPARAM(cond) \
if (!(cond)) { \

28
security/nss/lib/softoken/fipstokn.c
Просмотреть файл

@ -645,17 +645,37 @@ FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
CHECK_FORK();
if ((rv = sftk_fipsCheck()) == CKR_OK &&
(rv = sftk_newPinCheck(pNewPin, usNewLen)) == CKR_OK) {
rv = sftk_fipsCheck();
if (rv != CKR_OK) {
goto loser;
}
if (isLevel2 || usNewLen > 0) {
rv = sftk_newPinCheck(pNewPin, usNewLen);
if (rv != CKR_OK) {
goto loser;
}
rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
if ((rv == CKR_OK) &&
(sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
if (rv != CKR_OK) {
goto loser;
}
if (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID) {
/* if we set the password in level1 we now go
* to level2. NOTE: we don't allow the user to
* go from level2 to level1 */
isLevel2 = PR_TRUE;
}
} else {
/* here both old and new passwords are empty, but we need to
* call NSC_SetPIN to force rekey the database entries */
PORT_Assert(usNewLen == 0);
rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
if (rv != CKR_OK) {
goto loser;
}
}
loser:
if (sftk_audit_enabled) {
char msg[128];
NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;

5
security/nss/lib/softoken/pkcs11.c
Просмотреть файл

@ -3900,7 +3900,10 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
crv = CKR_PIN_LEN_RANGE;
goto loser;
}
if (ulNewLen < (CK_ULONG)slot->minimumPinLen) {
/* check the length of new pin, unless both old and new passwords
* are empty */
if ((ulNewLen != 0 || ulOldLen != 0) &&
ulNewLen < (CK_ULONG)slot->minimumPinLen) {
crv = CKR_PIN_LEN_RANGE;
goto loser;
}

2
security/nss/lib/softoken/pkcs11i.h
Просмотреть файл

@ -459,7 +459,7 @@ struct SFTKItemTemplateStr {
#define SFTK_TOKEN_KRL_HANDLE (SFTK_TOKEN_MAGIC | SFTK_TOKEN_TYPE_CRL | 1)
/* how big (in bytes) a password/pin we can deal with */
#define SFTK_MAX_PIN 255
#define SFTK_MAX_PIN 500
/* minimum password/pin length (in Unicode characters) in FIPS mode */
#define FIPS_MIN_PIN 7

10
security/nss/mach
Просмотреть файл

@ -197,6 +197,13 @@ class coverityAction(argparse.Action):
def dump_cov_artifact(self, cov_results, source, output):
import json
def relpath(path):
'''Build path relative to repository root'''
if path.startswith(cwd):
return os.path.relpath(path, cwd)
return path
# Parse Coverity json into structured issues
with open(cov_results) as f:
result = json.load(f)
@ -223,7 +230,7 @@ class coverityAction(argparse.Action):
# Embed all events into extra message
for event in issue['events']:
dict_issue['extra']['stack'].append({'file_path': event['strippedFilePathname'],
dict_issue['extra']['stack'].append({'file_path': relpath(event['strippedFilePathname']),
'line_number': event['lineNumber'],
'path_type': event['eventTag'],
'description': event['eventDescription']})
@ -237,6 +244,7 @@ class coverityAction(argparse.Action):
print('Skipping CID: {0} from file: {1} since it\'s not related with the current patch.'.format(
issue['stateOnServer']['cid'], issue['strippedMainEventFilePathname']))
continue
path = relpath(path)
if path in files_list:
files_list[path]['warnings'].append(build_element(issue))
else:

2
security/nss/tests/fips/cavs_scripts/aes.sh
Просмотреть файл

@ -83,6 +83,8 @@ if [ ${COMMAND} = "verify" ]; then
exit $result
fi
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
for request in $cbc_kat_requests; do
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response

2
security/nss/tests/fips/cavs_scripts/aesgcm.sh
Просмотреть файл

@ -56,6 +56,8 @@ if [ ${COMMAND} = "verify" ]; then
exit $result
fi
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
for request in $gcm_decrypt_requests; do
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response

2
security/nss/tests/fips/cavs_scripts/dsa.sh
Просмотреть файл

@ -59,6 +59,8 @@ if [ ${COMMAND} = "verify" ]; then
exit $result
fi
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
request=KeyPair.req
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response

2
security/nss/tests/fips/cavs_scripts/ecdsa.sh
Просмотреть файл

@ -50,6 +50,8 @@ if [ ${COMMAND} = "verify" ]; then
exit $result
fi
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
request=KeyPair.req
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response

3
security/nss/tests/fips/cavs_scripts/hmac.sh
Просмотреть файл

@ -31,6 +31,9 @@ if [ ${COMMAND} = "verify" ]; then
done
exit $result
fi
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
for request in $hmac_requests; do
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response

2
security/nss/tests/fips/cavs_scripts/ike.sh
Просмотреть файл

@ -33,6 +33,8 @@ if [ ${COMMAND} = "verify" ]; then
exit $result
fi
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
request=ikev1_dsa.req
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response

2
security/nss/tests/fips/cavs_scripts/kas.sh
Просмотреть файл

@ -68,6 +68,8 @@ if [ ${COMMAND} = "verify" ]; then
exit $result
fi
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response

3
security/nss/tests/fips/cavs_scripts/rng.sh
Просмотреть файл

@ -30,6 +30,9 @@ if [ ${COMMAND} = "verify" ]; then
done
exit $result
fi
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
for request in $drbg_requests; do
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response

2
security/nss/tests/fips/cavs_scripts/rsa.sh
Просмотреть файл

@ -38,6 +38,8 @@ if [ ${COMMAND} = "verify" ]; then
exit $result
fi
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
request=SigGen15_186-3.req
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response

2
security/nss/tests/fips/cavs_scripts/sha.sh
Просмотреть файл

@ -51,6 +51,8 @@ if [ ${COMMAND} = "verify" ]; then
exit $result
fi
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
for request in $sha_ShortMsg_requests; do
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response

2
security/nss/tests/fips/cavs_scripts/tdea.sh
Просмотреть файл

@ -77,6 +77,8 @@ if [ ${COMMAND} = "verify" ]; then
exit $result
fi
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
for request in $cbc_kat_requests; do
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response

3
security/nss/tests/fips/cavs_scripts/tls.sh
Просмотреть файл

@ -30,6 +30,9 @@ if [ ${COMMAND} = "verify" ]; then
done
exit $result
fi
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
for request in $tls_requests; do
response=`echo $request | sed -e "s/req/rsp/"`
echo $request $response