зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1564499 - land NSS 777b6070fe76 UPGRADE_NSS_RELEASE, r=me
--HG-- extra : rebase_source : 6a0e320432b452bc692f712c63c0cc66699cd130
This commit is contained in:
Родитель
53d19b15b1
Коммит
83fd5c4742
|
@ -1 +1 @@
|
|||
a31fc0eefc4c
|
||||
777b6070fe76
|
||||
|
|
|
@ -66,7 +66,7 @@ SEC_GetPassword(FILE *input, FILE *output, char *prompt,
|
|||
int infd = fileno(input);
|
||||
int isTTY = isatty(infd);
|
||||
#endif
|
||||
char phrase[200] = { '\0' }; /* ensure EOF doesn't return junk */
|
||||
char phrase[500] = { '\0' }; /* ensure EOF doesn't return junk */
|
||||
|
||||
for (;;) {
|
||||
/* Prompt for password */
|
||||
|
|
|
@ -5229,7 +5229,7 @@ PKM_Digest(CK_FUNCTION_LIST_PTR pFunctionList,
|
|||
char *
|
||||
PKM_FilePasswd(char *pwFile)
|
||||
{
|
||||
unsigned char phrase[200];
|
||||
unsigned char phrase[500];
|
||||
PRFileDesc *fd;
|
||||
PRInt32 nb;
|
||||
int i;
|
||||
|
|
|
@ -614,7 +614,7 @@ cleanup:
|
|||
static char *
|
||||
filePasswd(char *pwFile)
|
||||
{
|
||||
unsigned char phrase[200];
|
||||
unsigned char phrase[500];
|
||||
PRFileDesc *fd;
|
||||
PRInt32 nb;
|
||||
int i;
|
||||
|
|
|
@ -10,4 +10,3 @@
|
|||
*/
|
||||
|
||||
#error "Do not include this header file."
|
||||
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
#include "nspr.h"
|
||||
#include "nss.h"
|
||||
#include "pk11pub.h"
|
||||
#include "secmod.h"
|
||||
#include "secerr.h"
|
||||
|
||||
#include "nss_scoped_ptrs.h"
|
||||
|
@ -119,6 +120,27 @@ TEST_F(SoftokenTest, CreateObjectChangePassword) {
|
|||
EXPECT_EQ(nullptr, obj);
|
||||
}
|
||||
|
||||
/* The size limit for a password is 500 characters as defined in pkcs11i.h */
|
||||
TEST_F(SoftokenTest, CreateObjectChangeToBigPassword) {
|
||||
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
|
||||
ASSERT_TRUE(slot);
|
||||
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
|
||||
EXPECT_EQ(
|
||||
SECSuccess,
|
||||
PK11_ChangePW(slot.get(), "",
|
||||
"rUIFIFr2bxKnbJbitsfkyqttpk6vCJzlYMNxcxXcaN37gSZKbLk763X7iR"
|
||||
"yeVNWZHQ02lSF69HYjzTyPW3318ZD0DBFMMbALZ8ZPZP73CIo5uIQlaowV"
|
||||
"IbP8eOhRYtGUqoLGlcIFNEYogV8Q3GN58VeBMs0KxrIOvPQ9s8SnYYkqvt"
|
||||
"zzgntmAvCgvk64x6eQf0okHwegd5wi6m0WVJytEepWXkP9J629FSa5kNT8"
|
||||
"FvL3jvslkiImzTNuTvl32fQDXXMSc8vVk5Q3mH7trMZM0VDdwHWYERjHbz"
|
||||
"kGxFgp0VhediHx7p9kkz6H6ac4et9sW4UkTnN7xhYc1Zr17wRSk2heQtcX"
|
||||
"oZJGwuzhiKm8A8wkuVxms6zO56P4JORIk8oaUW6lyNTLo2kWWnTA"));
|
||||
EXPECT_EQ(SECSuccess, PK11_Logout(slot.get()));
|
||||
ScopedPK11GenericObject obj(PK11_CreateGenericObject(
|
||||
slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
|
||||
EXPECT_EQ(nullptr, obj);
|
||||
}
|
||||
|
||||
TEST_F(SoftokenTest, CreateObjectChangeToEmptyPassword) {
|
||||
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
|
||||
ASSERT_TRUE(slot);
|
||||
|
@ -265,6 +287,100 @@ TEST_F(SoftokenNoDBTest, NeedUserInitNoDB) {
|
|||
ASSERT_EQ(SECSuccess, NSS_Shutdown());
|
||||
}
|
||||
|
||||
#ifndef NSS_FIPS_DISABLED
|
||||
|
||||
class SoftokenFipsTest : public SoftokenTest {
|
||||
protected:
|
||||
SoftokenFipsTest() : SoftokenTest("SoftokenFipsTest.d-") {}
|
||||
|
||||
virtual void SetUp() {
|
||||
SoftokenTest::SetUp();
|
||||
|
||||
// Turn on FIPS mode (code borrowed from FipsMode in modutil/pk11.c)
|
||||
char *internal_name;
|
||||
ASSERT_FALSE(PK11_IsFIPS());
|
||||
internal_name = PR_smprintf("%s", SECMOD_GetInternalModule()->commonName);
|
||||
ASSERT_EQ(SECSuccess, SECMOD_DeleteInternalModule(internal_name));
|
||||
PR_smprintf_free(internal_name);
|
||||
ASSERT_TRUE(PK11_IsFIPS());
|
||||
}
|
||||
};
|
||||
|
||||
const std::vector<std::string> kFipsPasswordCases[] = {
|
||||
// FIPS level1 -> level1 -> level1
|
||||
{"", "", ""},
|
||||
// FIPS level1 -> level1 -> level2
|
||||
{"", "", "strong-_123"},
|
||||
// FIXME: this should work: FIPS level1 -> level2 -> level2
|
||||
// {"", "strong-_123", "strong-_456"},
|
||||
// FIPS level2 -> level2 -> level2
|
||||
{"strong-_123", "strong-_456", "strong-_123"}};
|
||||
|
||||
const std::vector<std::string> kFipsPasswordBadCases[] = {
|
||||
// FIPS level1 -> level2 -> level1
|
||||
{"", "strong-_123", ""},
|
||||
// FIPS level2 -> level1 -> level1
|
||||
{"strong-_123", ""},
|
||||
// FIPS level2 -> level2 -> level1
|
||||
{"strong-_123", "strong-_456", ""},
|
||||
// initialize with a weak password
|
||||
{"weak"},
|
||||
// FIPS level1 -> weak password
|
||||
{"", "weak"},
|
||||
// FIPS level2 -> weak password
|
||||
{"strong-_123", "weak"}};
|
||||
|
||||
class SoftokenFipsPasswordTest
|
||||
: public SoftokenFipsTest,
|
||||
public ::testing::WithParamInterface<std::vector<std::string>> {};
|
||||
|
||||
class SoftokenFipsBadPasswordTest
|
||||
: public SoftokenFipsTest,
|
||||
public ::testing::WithParamInterface<std::vector<std::string>> {};
|
||||
|
||||
TEST_P(SoftokenFipsPasswordTest, SetPassword) {
|
||||
const std::vector<std::string> &passwords = GetParam();
|
||||
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
|
||||
ASSERT_TRUE(slot);
|
||||
|
||||
auto it = passwords.begin();
|
||||
auto prev_it = it;
|
||||
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, (*it).c_str()));
|
||||
for (it++; it != passwords.end(); it++, prev_it++) {
|
||||
EXPECT_EQ(SECSuccess,
|
||||
PK11_ChangePW(slot.get(), (*prev_it).c_str(), (*it).c_str()));
|
||||
}
|
||||
}
|
||||
|
||||
TEST_P(SoftokenFipsBadPasswordTest, SetBadPassword) {
|
||||
const std::vector<std::string> &passwords = GetParam();
|
||||
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
|
||||
ASSERT_TRUE(slot);
|
||||
|
||||
auto it = passwords.begin();
|
||||
auto prev_it = it;
|
||||
SECStatus rv = PK11_InitPin(slot.get(), nullptr, (*it).c_str());
|
||||
if (it + 1 == passwords.end())
|
||||
EXPECT_EQ(SECFailure, rv);
|
||||
else
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
for (it++; it != passwords.end(); it++, prev_it++) {
|
||||
rv = PK11_ChangePW(slot.get(), (*prev_it).c_str(), (*it).c_str());
|
||||
if (it + 1 == passwords.end())
|
||||
EXPECT_EQ(SECFailure, rv);
|
||||
else
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
}
|
||||
}
|
||||
|
||||
INSTANTIATE_TEST_CASE_P(FipsPasswordCases, SoftokenFipsPasswordTest,
|
||||
::testing::ValuesIn(kFipsPasswordCases));
|
||||
|
||||
INSTANTIATE_TEST_CASE_P(BadFipsPasswordCases, SoftokenFipsBadPasswordTest,
|
||||
::testing::ValuesIn(kFipsPasswordBadCases));
|
||||
|
||||
#endif
|
||||
|
||||
} // namespace nss_test
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
|
|
|
@ -890,7 +890,7 @@ findQfromSeed(
|
|||
pqgGenType *typePtr, /* output. Generation Type used */
|
||||
unsigned int *qgen_counter) /* output. q_counter */
|
||||
{
|
||||
HASH_HashType hashtype;
|
||||
HASH_HashType hashtype = HASH_AlgNULL;
|
||||
SECItem firstseed = { 0, 0, 0 };
|
||||
SECItem qseed = { 0, 0, 0 };
|
||||
SECStatus rv;
|
||||
|
@ -1239,7 +1239,7 @@ pqg_ParamGen(unsigned int L, unsigned int N, pqgGenType type,
|
|||
unsigned int offset; /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
|
||||
unsigned int outlen; /* Per FIPS 186-3, appendix A.1.1.2. */
|
||||
unsigned int maxCount;
|
||||
HASH_HashType hashtype;
|
||||
HASH_HashType hashtype = HASH_AlgNULL;
|
||||
SECItem *seed; /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
|
||||
PLArenaPool *arena = NULL;
|
||||
PQGParams *params = NULL;
|
||||
|
@ -1630,8 +1630,8 @@ PQG_VerifyParams(const PQGParams *params,
|
|||
unsigned int qseed_len;
|
||||
unsigned int qgen_counter_ = 0;
|
||||
SECItem pseed_ = { 0, 0, 0 };
|
||||
HASH_HashType hashtype;
|
||||
pqgGenType type;
|
||||
HASH_HashType hashtype = HASH_AlgNULL;
|
||||
pqgGenType type = FIPS186_1_TYPE;
|
||||
|
||||
#define CHECKPARAM(cond) \
|
||||
if (!(cond)) { \
|
||||
|
|
|
@ -645,17 +645,37 @@ FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
|
|||
|
||||
CHECK_FORK();
|
||||
|
||||
if ((rv = sftk_fipsCheck()) == CKR_OK &&
|
||||
(rv = sftk_newPinCheck(pNewPin, usNewLen)) == CKR_OK) {
|
||||
rv = sftk_fipsCheck();
|
||||
if (rv != CKR_OK) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
if (isLevel2 || usNewLen > 0) {
|
||||
rv = sftk_newPinCheck(pNewPin, usNewLen);
|
||||
if (rv != CKR_OK) {
|
||||
goto loser;
|
||||
}
|
||||
rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
|
||||
if ((rv == CKR_OK) &&
|
||||
(sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
|
||||
if (rv != CKR_OK) {
|
||||
goto loser;
|
||||
}
|
||||
if (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID) {
|
||||
/* if we set the password in level1 we now go
|
||||
* to level2. NOTE: we don't allow the user to
|
||||
* go from level2 to level1 */
|
||||
isLevel2 = PR_TRUE;
|
||||
}
|
||||
} else {
|
||||
/* here both old and new passwords are empty, but we need to
|
||||
* call NSC_SetPIN to force rekey the database entries */
|
||||
PORT_Assert(usNewLen == 0);
|
||||
rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
|
||||
if (rv != CKR_OK) {
|
||||
goto loser;
|
||||
}
|
||||
}
|
||||
|
||||
loser:
|
||||
if (sftk_audit_enabled) {
|
||||
char msg[128];
|
||||
NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
|
||||
|
|
|
@ -3900,7 +3900,10 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
|
|||
crv = CKR_PIN_LEN_RANGE;
|
||||
goto loser;
|
||||
}
|
||||
if (ulNewLen < (CK_ULONG)slot->minimumPinLen) {
|
||||
/* check the length of new pin, unless both old and new passwords
|
||||
* are empty */
|
||||
if ((ulNewLen != 0 || ulOldLen != 0) &&
|
||||
ulNewLen < (CK_ULONG)slot->minimumPinLen) {
|
||||
crv = CKR_PIN_LEN_RANGE;
|
||||
goto loser;
|
||||
}
|
||||
|
|
|
@ -459,7 +459,7 @@ struct SFTKItemTemplateStr {
|
|||
|
||||
#define SFTK_TOKEN_KRL_HANDLE (SFTK_TOKEN_MAGIC | SFTK_TOKEN_TYPE_CRL | 1)
|
||||
/* how big (in bytes) a password/pin we can deal with */
|
||||
#define SFTK_MAX_PIN 255
|
||||
#define SFTK_MAX_PIN 500
|
||||
/* minimum password/pin length (in Unicode characters) in FIPS mode */
|
||||
#define FIPS_MIN_PIN 7
|
||||
|
||||
|
|
|
@ -197,6 +197,13 @@ class coverityAction(argparse.Action):
|
|||
|
||||
def dump_cov_artifact(self, cov_results, source, output):
|
||||
import json
|
||||
|
||||
def relpath(path):
|
||||
'''Build path relative to repository root'''
|
||||
if path.startswith(cwd):
|
||||
return os.path.relpath(path, cwd)
|
||||
return path
|
||||
|
||||
# Parse Coverity json into structured issues
|
||||
with open(cov_results) as f:
|
||||
result = json.load(f)
|
||||
|
@ -223,7 +230,7 @@ class coverityAction(argparse.Action):
|
|||
|
||||
# Embed all events into extra message
|
||||
for event in issue['events']:
|
||||
dict_issue['extra']['stack'].append({'file_path': event['strippedFilePathname'],
|
||||
dict_issue['extra']['stack'].append({'file_path': relpath(event['strippedFilePathname']),
|
||||
'line_number': event['lineNumber'],
|
||||
'path_type': event['eventTag'],
|
||||
'description': event['eventDescription']})
|
||||
|
@ -237,6 +244,7 @@ class coverityAction(argparse.Action):
|
|||
print('Skipping CID: {0} from file: {1} since it\'s not related with the current patch.'.format(
|
||||
issue['stateOnServer']['cid'], issue['strippedMainEventFilePathname']))
|
||||
continue
|
||||
path = relpath(path)
|
||||
if path in files_list:
|
||||
files_list[path]['warnings'].append(build_element(issue))
|
||||
else:
|
||||
|
|
|
@ -83,6 +83,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|||
exit $result
|
||||
fi
|
||||
|
||||
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
||||
|
||||
for request in $cbc_kat_requests; do
|
||||
response=`echo $request | sed -e "s/req/rsp/"`
|
||||
echo $request $response
|
||||
|
|
|
@ -56,6 +56,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|||
exit $result
|
||||
fi
|
||||
|
||||
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
||||
|
||||
for request in $gcm_decrypt_requests; do
|
||||
response=`echo $request | sed -e "s/req/rsp/"`
|
||||
echo $request $response
|
||||
|
|
|
@ -59,6 +59,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|||
exit $result
|
||||
fi
|
||||
|
||||
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
||||
|
||||
request=KeyPair.req
|
||||
response=`echo $request | sed -e "s/req/rsp/"`
|
||||
echo $request $response
|
||||
|
|
|
@ -50,6 +50,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|||
exit $result
|
||||
fi
|
||||
|
||||
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
||||
|
||||
request=KeyPair.req
|
||||
response=`echo $request | sed -e "s/req/rsp/"`
|
||||
echo $request $response
|
||||
|
|
|
@ -31,6 +31,9 @@ if [ ${COMMAND} = "verify" ]; then
|
|||
done
|
||||
exit $result
|
||||
fi
|
||||
|
||||
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
||||
|
||||
for request in $hmac_requests; do
|
||||
response=`echo $request | sed -e "s/req/rsp/"`
|
||||
echo $request $response
|
||||
|
|
|
@ -33,6 +33,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|||
exit $result
|
||||
fi
|
||||
|
||||
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
||||
|
||||
request=ikev1_dsa.req
|
||||
response=`echo $request | sed -e "s/req/rsp/"`
|
||||
echo $request $response
|
||||
|
|
|
@ -68,6 +68,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|||
exit $result
|
||||
fi
|
||||
|
||||
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
||||
|
||||
request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
|
||||
response=`echo $request | sed -e "s/req/rsp/"`
|
||||
echo $request $response
|
||||
|
|
|
@ -30,6 +30,9 @@ if [ ${COMMAND} = "verify" ]; then
|
|||
done
|
||||
exit $result
|
||||
fi
|
||||
|
||||
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
||||
|
||||
for request in $drbg_requests; do
|
||||
response=`echo $request | sed -e "s/req/rsp/"`
|
||||
echo $request $response
|
||||
|
|
|
@ -38,6 +38,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|||
exit $result
|
||||
fi
|
||||
|
||||
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
||||
|
||||
request=SigGen15_186-3.req
|
||||
response=`echo $request | sed -e "s/req/rsp/"`
|
||||
echo $request $response
|
||||
|
|
|
@ -51,6 +51,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|||
exit $result
|
||||
fi
|
||||
|
||||
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
||||
|
||||
for request in $sha_ShortMsg_requests; do
|
||||
response=`echo $request | sed -e "s/req/rsp/"`
|
||||
echo $request $response
|
||||
|
|
|
@ -77,6 +77,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|||
exit $result
|
||||
fi
|
||||
|
||||
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
||||
|
||||
for request in $cbc_kat_requests; do
|
||||
response=`echo $request | sed -e "s/req/rsp/"`
|
||||
echo $request $response
|
||||
|
|
|
@ -30,6 +30,9 @@ if [ ${COMMAND} = "verify" ]; then
|
|||
done
|
||||
exit $result
|
||||
fi
|
||||
|
||||
test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
||||
|
||||
for request in $tls_requests; do
|
||||
response=`echo $request | sed -e "s/req/rsp/"`
|
||||
echo $request $response
|
||||
|
|
Загрузка…
Ссылка в новой задаче