mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1137470 - Upgrade Firefox to NSS 3.18, landing NSS_3_18_BETA7, r=nss-confcall

This commit is contained in:
Kai Engert 2015-02-26 23:29:08 +01:00
Родитель d01ea02613
Коммит 8c48f9f304
37 изменённых файлов: 606 добавлений и 191 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
security/nss/TAG-INFO
Просмотреть файл

@ -1 +1 @@
NSS_3_17_4_RTM
NSS_3_18_BETA7

2
security/nss/cmd/certutil/certutil.c
Просмотреть файл

@ -40,7 +40,7 @@
#define MIN_KEY_BITS 512
/* MAX_KEY_BITS should agree with MAX_RSA_MODULUS in freebl */
#define MAX_KEY_BITS 8192
#define DEFAULT_KEY_BITS 1024
#define DEFAULT_KEY_BITS 2048
#define GEN_BREAK(e) rv=e; break;

2
security/nss/cmd/crlutil/crlgen.c
Просмотреть файл

@ -1169,7 +1169,7 @@ crlgen_setNextDataFn_field(CRLGENGeneratorData *crlGenData, void *str,
switch (crlGenData->contextId) {
case CRLGEN_CHANGE_RANGE_CONTEXT:
if (dtype != CRLGEN_TYPE_DIGIT || dtype != CRLGEN_TYPE_DIGIT_RANGE) {
if (dtype != CRLGEN_TYPE_DIGIT && dtype != CRLGEN_TYPE_DIGIT_RANGE) {
crlgen_PrintError(crlGenData->parsedLineNum,
"range value should have "
"numeric or numeric range values.\n");

40
security/nss/cmd/lib/secutil.c
Просмотреть файл

@ -2411,6 +2411,46 @@ loser:
return rv;
}
int
SECU_PrintCertificateBasicInfo(FILE *out, const SECItem *der, const char *m, int level)
{
PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
CERTCertificate *c;
int rv = SEC_ERROR_NO_MEMORY;
int iv;
if (!arena)
return rv;
/* Decode certificate */
c = PORT_ArenaZNew(arena, CERTCertificate);
if (!c)
goto loser;
c->arena = arena;
rv = SEC_ASN1DecodeItem(arena, c,
SEC_ASN1_GET(CERT_CertificateTemplate), der);
if (rv) {
SECU_Indent(out, level);
SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
SECU_PrintAny(out, der, "Raw", level);
goto loser;
}
/* Pretty print it out */
SECU_Indent(out, level); fprintf(out, "%s:\n", m);
SECU_PrintInteger(out, &c->serialNumber, "Serial Number", level+1);
SECU_PrintAlgorithmID(out, &c->signature, "Signature Algorithm", level+1);
SECU_PrintName(out, &c->issuer, "Issuer", level+1);
if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/
SECU_Newline(out);
secu_PrintValidity(out, &c->validity, "Validity", level+1);
SECU_PrintName(out, &c->subject, "Subject", level+1);
if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/
SECU_Newline(out);
loser:
PORT_FreeArena(arena, PR_FALSE);
return rv;
}
int
SECU_PrintSubjectPublicKeyInfo(FILE *out, SECItem *der, char *m, int level)
{

3
security/nss/cmd/lib/secutil.h
Просмотреть файл

@ -221,6 +221,9 @@ extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
extern int SECU_PrintCertificate(FILE *out, const SECItem *der, const char *m,
int level);
extern int SECU_PrintCertificateBasicInfo(FILE *out, const SECItem *der, const char *m,
int level);
extern int SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m,
int level);

5
security/nss/cmd/pk12util/pk12util.c
Просмотреть файл

@ -45,7 +45,7 @@ Usage(char *progName)
FPS "\t\t [-c key_cipher] [-C cert_cipher]\n"
"\t\t [-m | --key_len keyLen] [--cert_key_len certKeyLen] [-v]\n");
FPS "\t\t [-k slotpwfile | -K slotpw]\n"
"\t\t [-w p12filepwfile | -W p12filefilepw]\n");
"\t\t [-w p12filepwfile | -W p12filepw]\n");
exit(PK12UERR_USAGE);
}
@ -101,9 +101,6 @@ static p12uContext *
p12u_InitContext(PRBool fileImport, char *filename)
{
p12uContext *p12cxt;
PRBool fileExist;
fileExist = fileImport;
p12cxt = PORT_ZNew(p12uContext);
if(!p12cxt) {

1
security/nss/cmd/tstclnt/manifest.mn
Просмотреть файл

@ -17,6 +17,7 @@ REQUIRES = seccmd dbm
# DIRS =
CSRCS = tstclnt.c
DEFINES += -DDLL_PREFIX=\"$(DLL_PREFIX)\" -DDLL_SUFFIX=\"$(DLL_SUFFIX)\"
PROGRAM = tstclnt

164
security/nss/cmd/tstclnt/tstclnt.c
Просмотреть файл

@ -32,6 +32,7 @@
#include "ssl.h"
#include "sslproto.h"
#include "pk11func.h"
#include "secmod.h"
#include "plgetopt.h"
#include "plstr.h"
@ -97,6 +98,7 @@ int ssl3CipherSuites[] = {
unsigned long __cmp_umuls;
PRBool verbose;
int dumpServerChain = 0;
int renegotiationsToDo = 0;
int renegotiationsDone = 0;
@ -179,7 +181,8 @@ static void PrintUsageHeader(const char *progName)
{
fprintf(stderr,
"Usage: %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
"[-d certdir] [-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n"
"[-D | -d certdir] [-C] [-b | -R root-module] \n"
"[-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n"
"[-V [min-version]:[max-version]] [-K] [-T]\n"
"[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n",
progName);
@ -196,6 +199,12 @@ static void PrintParameterUsage(void)
fprintf(stderr,
"%-20s Directory with cert database (default is ~/.netscape)\n",
"-d certdir");
fprintf(stderr, "%-20s Run without a cert database\n", "-D");
fprintf(stderr, "%-20s Load the default \"builtins\" root CA module\n", "-b");
fprintf(stderr, "%-20s Load the given root CA module\n", "-R");
fprintf(stderr, "%-20s Print certificate chain information\n", "-C");
fprintf(stderr, "%-20s (use -C twice to print more certificate details)\n", "");
fprintf(stderr, "%-20s (use -C three times to include PEM format certificate dumps)\n", "");
fprintf(stderr, "%-20s Nickname of key and cert for client auth\n",
"-n nickname");
fprintf(stderr,
@ -500,12 +509,114 @@ verifyFromSideChannel(CERTCertificate *cert, ServerCertAuth *sca)
EXIT_CODE_SIDECHANNELTEST_REVOKED;
}
static void
dumpCertificatePEM(CERTCertificate *cert)
{
SECItem data;
data.data = cert->derCert.data;
data.len = cert->derCert.len;
fprintf(stderr, "%s\n%s\n%s\n", NS_CERT_HEADER,
BTOA_DataToAscii(data.data, data.len), NS_CERT_TRAILER);
}
static void
dumpServerCertificateChain(PRFileDesc *fd)
{
CERTCertList *peerCertChain = NULL;
CERTCertListNode *node = NULL;
CERTCertificate *peerCert = NULL;
CERTCertificateList *foundChain = NULL;
SECU_PPFunc dumpFunction = NULL;
PRBool dumpCertPEM = PR_FALSE;
if (!dumpServerChain) {
return;
}
else if (dumpServerChain == 1) {
dumpFunction = SECU_PrintCertificateBasicInfo;
} else {
dumpFunction = SECU_PrintCertificate;
if (dumpServerChain > 2) {
dumpCertPEM = PR_TRUE;
}
}
SECU_EnableWrap(PR_FALSE);
fprintf(stderr, "==== certificate(s) sent by server: ====\n");
peerCertChain = SSL_PeerCertificateChain(fd);
if (peerCertChain) {
node = CERT_LIST_HEAD(peerCertChain);
while ( ! CERT_LIST_END(node, peerCertChain) ) {
CERTCertificate *cert = node->cert;
SECU_PrintSignedContent(stderr, &cert->derCert, "Certificate", 0,
dumpFunction);
if (dumpCertPEM) {
dumpCertificatePEM(cert);
}
node = CERT_LIST_NEXT(node);
}
}
if (peerCertChain) {
peerCert = SSL_RevealCert(fd);
if (peerCert) {
foundChain = CERT_CertChainFromCert(peerCert, certificateUsageSSLServer,
PR_TRUE);
}
if (foundChain) {
int count = 0;
fprintf(stderr, "==== locally found issuer certificate(s): ====\n");
for(count = 0; count < (unsigned int)foundChain->len; count++) {
CERTCertificate *c;
PRBool wasSentByServer = PR_FALSE;
c = CERT_FindCertByDERCert(CERT_GetDefaultCertDB(), &foundChain->certs[count]);
node = CERT_LIST_HEAD(peerCertChain);
while ( ! CERT_LIST_END(node, peerCertChain) ) {
CERTCertificate *cert = node->cert;
if (CERT_CompareCerts(cert, c)) {
wasSentByServer = PR_TRUE;
break;
}
node = CERT_LIST_NEXT(node);
}
if (!wasSentByServer) {
SECU_PrintSignedContent(stderr, &c->derCert, "Certificate", 0,
dumpFunction);
if (dumpCertPEM) {
dumpCertificatePEM(c);
}
}
CERT_DestroyCertificate(c);
}
CERT_DestroyCertificateList(foundChain);
}
if (peerCert) {
CERT_DestroyCertificate(peerCert);
}
CERT_DestroyCertList(peerCertChain);
peerCertChain = NULL;
}
fprintf(stderr, "==== end of certificate chain information ====\n");
fflush(stderr);
}
static SECStatus
ownAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
PRBool isServer)
{
ServerCertAuth * serverCertAuth = (ServerCertAuth *) arg;
if (dumpServerChain) {
dumpServerCertificateChain(fd);
}
if (!serverCertAuth->shouldPause) {
CERTCertificate *cert;
int i;
@ -828,6 +939,9 @@ int main(int argc, char **argv)
PLOptState *optstate;
PLOptStatus optstatus;
PRStatus prStatus;
PRBool openDB = PR_TRUE;
PRBool loadDefaultRootCAs = PR_FALSE;
char *rootModule = NULL;
serverCertAuth.shouldPause = PR_TRUE;
serverCertAuth.isPaused = PR_FALSE;
@ -854,7 +968,7 @@ int main(int argc, char **argv)
SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
optstate = PL_CreateOptState(argc, argv,
"46BFKM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz");
"46BCDFKM:OR:STV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:xz");
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
@ -865,6 +979,10 @@ int main(int argc, char **argv)
case 'B': bypassPKCS11 = 1; break;
case 'C': ++dumpServerChain; break;
case 'D': openDB = PR_FALSE; break;
case 'F': if (serverCertAuth.testFreshStatusFromSideChannel) {
/* parameter given twice or more */
serverCertAuth.requireDataForIntermediates = PR_TRUE;
@ -895,6 +1013,8 @@ int main(int argc, char **argv)
};
break;
case 'R': rootModule = PORT_Strdup(optstate->value); break;
case 'S': skipProtoHeader = PR_TRUE; break;
case 'T': enableCertStatus = 1; break;
@ -917,6 +1037,8 @@ int main(int argc, char **argv)
}
break;
case 'b': loadDefaultRootCAs = PR_TRUE; break;
case 'c': cipherString = PORT_Strdup(optstate->value); break;
case 'g': enableFalseStart = 1; break;
@ -972,8 +1094,10 @@ int main(int argc, char **argv)
if (optstatus == PL_OPT_BAD)
Usage(progName);
if (!host || !portno)
if (!host || !portno) {
fprintf(stderr, "%s: parameters -h and -p are mandatory\n", progName);
Usage(progName);
}
if (serverCertAuth.testFreshStatusFromSideChannel
&& serverCertAuth.shouldPause) {
@ -981,6 +1105,16 @@ int main(int argc, char **argv)
exit(1);
}
if (certDir && !openDB) {
fprintf(stderr, "%s: Cannot combine parameters -D and -d\n", progName);
exit(1);
}
if (rootModule && loadDefaultRootCAs) {
fprintf(stderr, "%s: Cannot combine parameters -b and -R\n", progName);
exit(1);
}
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
PK11_SetPasswordFunc(SECU_GetModulePassword);
@ -1073,10 +1207,26 @@ int main(int argc, char **argv)
certDir = SECU_ConfigDirectory(certDirTmp);
PORT_Free(certDirTmp);
}
rv = NSS_Init(certDir);
if (rv != SECSuccess) {
SECU_PrintError(progName, "unable to open cert database");
return 1;
if (openDB) {
rv = NSS_Init(certDir);
if (rv != SECSuccess) {
SECU_PrintError(progName, "unable to open cert database");
return 1;
}
} else {
rv = NSS_NoDB_Init(NULL);
if (rv != SECSuccess) {
SECU_PrintError(progName, "failed to initialize NSS");
return 1;
}
}
if (loadDefaultRootCAs) {
SECMOD_AddNewModule("Builtins",
DLL_PREFIX"nssckbi."DLL_SUFFIX, 0, 0);
} else if (rootModule) {
SECMOD_AddNewModule("Builtins", rootModule, 0, 0);
}
/* set the policy bits true for all the cipher suites. */

19
security/nss/coreconf/Darwin.mk
Просмотреть файл

@ -116,3 +116,22 @@ PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \
USE_SYSTEM_ZLIB = 1
ZLIB_LIBS = -lz
# The system sqlite library in the latest version of Mac OS X often becomes
# newer than the sqlite library in NSS. This may result in certain Mac OS X
# system libraries having unresolved sqlite symbols during the shlibsign step
# of the NSS build when we set DYLD_LIBRARY_PATH to the NSS lib directory and
# the NSS libsqlite3.dylib is used instead of the system one. So just use the
# system sqlite library on Mac, if it's sufficiently new.
SYS_SQLITE3_VERSION_FULL := $(shell /usr/bin/sqlite3 -version | awk '{print $$1}')
SYS_SQLITE3_VERSION_MAJOR := $(shell echo $(SYS_SQLITE3_VERSION_FULL) | awk -F. '{ print $$1 }')
SYS_SQLITE3_VERSION_MINOR := $(shell echo $(SYS_SQLITE3_VERSION_FULL) | awk -F. '{ print $$2 }')
ifeq (3,$(SYS_SQLITE3_VERSION_MAJOR))
ifeq (,$(filter-out 0 1 2 3 4,$(SYS_SQLITE3_VERSION_MINOR)))
# sqlite <= 3.4.x is too old, it doesn't provide sqlite3_file_control
else
NSS_USE_SYSTEM_SQLITE = 1
endif
endif

1
security/nss/coreconf/coreconf.dep
Просмотреть файл

@ -10,4 +10,3 @@
*/
#error "Do not include this header file."

2
security/nss/doc/certutil.xml
Просмотреть файл

@ -247,7 +247,7 @@ Add one or multiple extensions that certutil cannot encode yet, by loading their
<varlistentry>
<term>-g keysize</term>
<listitem><para>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</para></listitem>
<listitem><para>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 2048 bits. Any size between the minimum and maximum is allowed.</para></listitem>
</varlistentry>

4
security/nss/doc/html/certutil.html
Просмотреть файл

@ -1,4 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idp47645360"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm139713586320592"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
<code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname.
</p><p>
@ -14,7 +14,7 @@ If this option is not used, the validity check defaults to the current system ti
Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files.
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>OID (example): 1.2.3.4</p></li><li class="listitem"><p>critical-flag: critical or not-critical</p></li><li class="listitem"><p>filename: full path to a file containing an encoded extension</p></li></ul></div></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate
or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p>
unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 2048 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p>
The valid key type options are rsa, dsa, ec, or all. The default
value is rsa. Specifying the type of key can avoid mistakes caused by
duplicate nicknames. Giving a key type generates a new key pair;

6
security/nss/doc/nroff/certutil.1
Просмотреть файл

@ -2,12 +2,12 @@
.\" Title: CERTUTIL
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 7 January 2015
.\" Date: 23 February 2015
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
.TH "CERTUTIL" "1" "7 January 2015" "nss-tools" "NSS Security Tools"
.TH "CERTUTIL" "1" "23 February 2015" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -310,7 +310,7 @@ Specify a file that will automatically supply the password to include in a certi
.PP
\-g keysize
.RS 4
Set a key size to use when generating new public and private key pairs\&. The minimum is 512 bits and the maximum is 16384 bits\&. The default is 1024 bits\&. Any size between the minimum and maximum is allowed\&.
Set a key size to use when generating new public and private key pairs\&. The minimum is 512 bits and the maximum is 16384 bits\&. The default is 2048 bits\&. Any size between the minimum and maximum is allowed\&.
.RE
.PP
\-h tokenname

7
security/nss/external_tests/ssl_gtest/gtest_utils.h
Просмотреть файл

@ -7,6 +7,10 @@
#ifndef gtest_utils_h__
#define gtest_utils_h__
#define GTEST_HAS_RTTI 0
#include "gtest/gtest.h"
#include "test_io.h"
namespace nss_test {
// Gtest utilities
@ -16,6 +20,9 @@ class Timeout : public PollTarget {
Poller::Instance()->SetTimer(timer_ms, this, &Timeout::ExpiredCallback,
&handle_);
}
~Timeout() {
Cancel();
}
static void ExpiredCallback(PollTarget* target, Event event) {
Timeout* timeout = static_cast<Timeout*>(target);

6
security/nss/external_tests/ssl_gtest/ssl_gtest.cc
Просмотреть файл

@ -2,6 +2,8 @@
#include "nss.h"
#include "ssl.h"
#include <cstdlib>
#include "test_io.h"
#define GTEST_HAS_RTTI 0
@ -14,6 +16,10 @@ int main(int argc, char **argv) {
::testing::InitGoogleTest(&argc, argv);
g_working_dir_path = ".";
char* workdir = getenv("NSS_GTEST_WORKDIR");
if (workdir)
g_working_dir_path = workdir;
for (int i = 0; i < argc; i++) {
if (!strcmp(argv[i], "-d")) {
g_working_dir_path = argv[i + 1];

171
security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
Просмотреть файл

@ -20,6 +20,13 @@ extern std::string g_working_dir_path;
namespace nss_test {
enum SessionResumptionMode {
RESUME_NONE = 0,
RESUME_SESSIONID = 1,
RESUME_TICKET = 2,
RESUME_BOTH = RESUME_SESSIONID | RESUME_TICKET
};
#define LOG(a) std::cerr << name_ << ": " << a << std::endl;
// Inspector that parses out DTLS records and passes
@ -306,22 +313,6 @@ class TlsAgent : public PollTarget {
return true;
}
void SetSessionTicketsEnabled(bool en) {
ASSERT_TRUE(EnsureTlsSetup());
SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_SESSION_TICKETS,
en ? PR_TRUE : PR_FALSE);
ASSERT_EQ(SECSuccess, rv);
}
void SetSessionCacheEnabled(bool en) {
ASSERT_TRUE(EnsureTlsSetup());
SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_NO_CACHE,
en ? PR_FALSE : PR_TRUE);
ASSERT_EQ(SECSuccess, rv);
}
void SetVersionRange(uint16_t minver, uint16_t maxver) {
SSLVersionRange range = {minver, maxver};
ASSERT_EQ(SECSuccess, SSL_VersionRangeSet(ssl_fd_, &range));
@ -366,6 +357,7 @@ class TlsAgent : public PollTarget {
ASSERT_EQ(version, info_.protocolVersion);
}
void Handshake() {
SECStatus rv = SSL_ForceHandshake(ssl_fd_);
if (rv == SECSuccess) {
@ -404,6 +396,22 @@ class TlsAgent : public PollTarget {
info_.sessionID + info_.sessionIDLength);
}
void ConfigureSessionCache(SessionResumptionMode mode) {
ASSERT_TRUE(EnsureTlsSetup());
SECStatus rv = SSL_OptionSet(ssl_fd_,
SSL_NO_CACHE,
mode & RESUME_SESSIONID ?
PR_FALSE : PR_TRUE);
ASSERT_EQ(SECSuccess, rv);
rv = SSL_OptionSet(ssl_fd_,
SSL_ENABLE_SESSION_TICKETS,
mode & RESUME_TICKET ?
PR_TRUE : PR_FALSE);
ASSERT_EQ(SECSuccess, rv);
}
private:
const static char* states[];
@ -460,6 +468,10 @@ class TlsConnectTestBase : public ::testing::Test {
// Configure a fresh session cache.
SSL_ConfigServerSessionIDCache(1024, 0, 0, g_working_dir_path.c_str());
// Clear statistics.
SSL3Statistics* stats = SSL_GetStatistics();
memset(stats, 0, sizeof(*stats));
Init();
}
@ -467,6 +479,7 @@ class TlsConnectTestBase : public ::testing::Test {
client_ = nullptr;
server_ = nullptr;
SSL_ClearSessionCache();
SSL_ShutdownServerSessionIDCache();
}
@ -520,7 +533,7 @@ class TlsConnectTestBase : public ::testing::Test {
std::vector<uint8_t> sid_s1 = server_->GetSessionId();
ASSERT_EQ(32, sid_s1.size());
ASSERT_EQ(sid_c1, sid_s1);
session_id_ = sid_c1;
session_ids_.push_back(sid_c1);
}
void EnableSomeECDHECiphers() {
@ -528,11 +541,38 @@ class TlsConnectTestBase : public ::testing::Test {
server_->EnableSomeECDHECiphers();
}
void ConfigureSessionCache(SessionResumptionMode client,
SessionResumptionMode server) {
client_->ConfigureSessionCache(client);
server_->ConfigureSessionCache(server);
}
void CheckResumption(SessionResumptionMode expected) {
ASSERT_NE(RESUME_BOTH, expected);
int resume_ct = expected != 0;
int stateless_ct = (expected & RESUME_TICKET) ? 1 : 0;
SSL3Statistics* stats = SSL_GetStatistics();
ASSERT_EQ(resume_ct, stats->hch_sid_cache_hits);
ASSERT_EQ(resume_ct, stats->hsh_sid_cache_hits);
ASSERT_EQ(stateless_ct, stats->hch_sid_stateless_resumes);
ASSERT_EQ(stateless_ct, stats->hsh_sid_stateless_resumes);
if (resume_ct) {
// Check that the last two session ids match.
ASSERT_GE(2, session_ids_.size());
ASSERT_EQ(session_ids_[session_ids_.size()-1],
session_ids_[session_ids_.size()-2]);
}
}
protected:
Mode mode_;
TlsAgent* client_;
TlsAgent* server_;
std::vector<uint8_t> session_id_;
std::vector<std::vector<uint8_t>> session_ids_;
};
class TlsConnectTest : public TlsConnectTestBase {
@ -568,23 +608,102 @@ TEST_P(TlsConnectGeneric, Connect) {
}
TEST_P(TlsConnectGeneric, ConnectResumed) {
ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
Connect();
std::vector<uint8_t> old_sid = session_id_;
Reset();
Connect();
ASSERT_EQ(old_sid, session_id_) << "Session was not resumed when it should have been";
CheckResumption(RESUME_SESSIONID);
}
TEST_P(TlsConnectGeneric, ConnectNotResumed) {
TEST_P(TlsConnectGeneric, ConnectClientCacheDisabled) {
ConfigureSessionCache(RESUME_NONE, RESUME_SESSIONID);
Connect();
Reset();
Connect();
CheckResumption(RESUME_NONE);
}
TEST_P(TlsConnectGeneric, ConnectServerCacheDisabled) {
ConfigureSessionCache(RESUME_SESSIONID, RESUME_NONE);
Connect();
Reset();
Connect();
CheckResumption(RESUME_NONE);
}
TEST_P(TlsConnectGeneric, ConnectSessionCacheDisabled) {
ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
Connect();
Reset();
Connect();
CheckResumption(RESUME_NONE);
}
TEST_P(TlsConnectGeneric, ConnectResumeSupportBoth) {
// This prefers tickets.
ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
Connect();
std::vector<uint8_t> old_sid = session_id_;
Reset();
client_->SetSessionCacheEnabled(false);
ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
Connect();
CheckResumption(RESUME_TICKET);
}
TEST_P(TlsConnectGeneric, ConnectResumeClientTicketServerBoth) {
// This causes no resumption because the client needs the
// session cache to resume even with tickets.
ConfigureSessionCache(RESUME_TICKET, RESUME_BOTH);
Connect();
ASSERT_NE(old_sid, session_id_) << "Session was resumed when it should not have been";
Reset();
ConfigureSessionCache(RESUME_TICKET, RESUME_BOTH);
Connect();
CheckResumption(RESUME_NONE);
}
TEST_P(TlsConnectGeneric, ConnectResumeClientBothTicketServerTicket) {
// This causes a ticket resumption.
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
Connect();
Reset();
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
Connect();
CheckResumption(RESUME_TICKET);
}
TEST_P(TlsConnectGeneric, ConnectClientServerTicketOnly) {
// This causes no resumption because the client needs the
// session cache to resume even with tickets.
ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET);
Connect();
Reset();
ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET);
Connect();
CheckResumption(RESUME_NONE);
}
TEST_P(TlsConnectGeneric, ConnectClientBothServerNone) {
ConfigureSessionCache(RESUME_BOTH, RESUME_NONE);
Connect();
Reset();
ConfigureSessionCache(RESUME_BOTH, RESUME_NONE);
Connect();
CheckResumption(RESUME_NONE);
}
TEST_P(TlsConnectGeneric, ConnectClientNoneServerBoth) {
ConfigureSessionCache(RESUME_NONE, RESUME_BOTH);
Connect();
Reset();
ConfigureSessionCache(RESUME_NONE, RESUME_BOTH);
Connect();
CheckResumption(RESUME_NONE);
}
TEST_P(TlsConnectGeneric, ConnectTLS_1_1_Only) {
@ -632,7 +751,7 @@ TEST_F(TlsConnectTest, ConnectECDHETwiceReuseKey) {
new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
server_->SetInspector(i2);
EnableSomeECDHECiphers();
client_->SetSessionCacheEnabled(false);
ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
Connect();
client_->CheckKEAType(ssl_kea_ecdh);
@ -666,7 +785,7 @@ TEST_F(TlsConnectTest, ConnectECDHETwiceNewKey) {
TlsInspectorRecordHandshakeMessage* i2 =
new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
server_->SetInspector(i2);
client_->SetSessionCacheEnabled(false);
ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
Connect();
client_->CheckKEAType(ssl_kea_ecdh);

4
security/nss/external_tests/ssl_gtest/test_io.cc
Просмотреть файл

@ -438,7 +438,9 @@ bool Poller::Poll() {
Timer *timer = timers_.top();
timers_.pop();
timer->callback_(timer->target_, TIMER_EVENT);
if (timer->callback_) {
timer->callback_(timer->target_, TIMER_EVENT);
}
delete timer;
}

9
security/nss/lib/certdb/cert.h
Просмотреть файл

@ -929,14 +929,13 @@ extern SECStatus CERT_FindNSCertTypeExtension
extern char * CERT_FindNSStringExtension (CERTCertificate *cert, int oidtag);
extern SECStatus CERT_FindIssuerCertExtension
(CERTCertificate *cert, int tag, SECItem *value);
extern SECStatus CERT_FindCertExtensionByOID
(CERTCertificate *cert, SECItem *oid, SECItem *value);
extern char *CERT_FindCertURLExtension (CERTCertificate *cert, int tag,
int catag);
/* Find a URL extension in the cert.
** The caller must free the result string using PORT_Free.
*/
extern char *CERT_FindCertURLExtension (CERTCertificate *cert, SECOidTag tag);
/* Returns the decoded value of the authKeyID extension.
** Note that this uses passed in the arena to allocate storage for the result

14
security/nss/lib/certdb/certdb.c
Просмотреть файл

@ -1051,6 +1051,11 @@ SEC_CheckCrlTimes(CERTCrl *crl, PRTime t) {
PRTime notBefore, notAfter, llPendingSlop, tmp1;
SECStatus rv;
if (!crl) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return(secCertTimeUndetermined);
}
rv = SEC_GetCrlTimes(crl, &notBefore, &notAfter);
if (rv) {
@ -1063,6 +1068,7 @@ SEC_CheckCrlTimes(CERTCrl *crl, PRTime t) {
LL_MUL(llPendingSlop, llPendingSlop, tmp1);
LL_SUB(notBefore, notBefore, llPendingSlop);
if ( LL_CMP( t, <, notBefore ) ) {
PORT_SetError(SEC_ERROR_CRL_EXPIRED);
return(secCertTimeNotValidYet);
}
@ -1074,6 +1080,7 @@ SEC_CheckCrlTimes(CERTCrl *crl, PRTime t) {
}
if ( LL_CMP( t, >, notAfter) ) {
PORT_SetError(SEC_ERROR_CRL_EXPIRED);
return(secCertTimeExpired);
}
@ -1425,7 +1432,6 @@ cert_VerifySubjectAltName(const CERTCertificate *cert, const char *hn)
CERTGeneralName * current;
char * cn;
int cnBufLen;
unsigned int hnLen;
int DNSextCount = 0;
int IPextCount = 0;
PRBool isIPaddr = PR_FALSE;
@ -1435,7 +1441,6 @@ cert_VerifySubjectAltName(const CERTCertificate *cert, const char *hn)
char cnbuf[128];
subAltName.data = NULL;
hnLen = strlen(hn);
cn = cnbuf;
cnBufLen = sizeof cnbuf;
@ -2311,7 +2316,7 @@ CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts)
{
unsigned int i;
unsigned int *pflags;
if (!trust) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
@ -2325,7 +2330,7 @@ CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts)
}
pflags = &trust->sslFlags;
for (i=0; i < PORT_Strlen(trusts); i++) {
switch (trusts[i]) {
case 'p':
@ -2371,6 +2376,7 @@ CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts)
}
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
}

24
security/nss/lib/certdb/certi.h
Просмотреть файл

@ -116,11 +116,16 @@ struct CRLDPCacheStr {
#else
PRLock* lock;
#endif
CERTCertificate* issuer; /* issuer cert
XXX there may be multiple issuer certs,
with different validity dates. Also
need to deal with SKID/AKID . See
bugzilla 217387, 233118 */
SECItem *issuerDERCert; /* issuer DER cert. Don't hold a reference
to the actual cert so the trust can be
updated on the cert automatically.
XXX there may be multiple issuer certs,
with different validity dates. Also
need to deal with SKID/AKID . See
bugzilla 217387, 233118 */
CERTCertDBHandle *dbHandle;
SECItem* subject; /* DER of issuer subject */
SECItem* distributionPoint; /* DER of distribution point. This may be
NULL when distribution points aren't
@ -165,15 +170,6 @@ struct CRLDPCacheStr {
struct CRLIssuerCacheStr {
SECItem* subject; /* DER of issuer subject */
CRLDPCache* dpp;
#if 0
/* XCRL for future use.
We don't need to lock at the moment because we only have one DP,
which gets created at the same time as this object */
NSSRWLock* lock;
CRLDPCache** dps;
PLHashTable* distributionpoints;
CERTCertificate* issuer;
#endif
};
/* CRL revocation cache object

90
security/nss/lib/certdb/certv3.c
Просмотреть файл

@ -43,71 +43,31 @@ CERT_StartCertExtensions(CERTCertificate *cert)
return (cert_StartExtensions ((void *)cert, cert->arena, SetExts));
}
/* find the given extension in the certificate of the Issuer of 'cert' */
SECStatus
CERT_FindIssuerCertExtension(CERTCertificate *cert, int tag, SECItem *value)
{
CERTCertificate *issuercert;
SECStatus rv;
issuercert = CERT_FindCertByName(cert->dbhandle, &cert->derIssuer);
if ( issuercert ) {
rv = cert_FindExtension(issuercert->extensions, tag, value);
CERT_DestroyCertificate(issuercert);
} else {
rv = SECFailure;
}
return(rv);
}
/* find a URL extension in the cert or its CA
* apply the base URL string if it exists
/* find a URL extension in the cert
*/
char *
CERT_FindCertURLExtension(CERTCertificate *cert, int tag, int catag)
CERT_FindCertURLExtension(CERTCertificate *cert, SECOidTag tag)
{
SECStatus rv;
SECItem urlitem = {siBuffer,0};
SECItem baseitem = {siBuffer,0};
SECItem urlstringitem = {siBuffer,0};
SECItem basestringitem = {siBuffer,0};
PLArenaPool *arena = NULL;
PRBool hasbase;
char *urlstring;
char *urlstring = NULL;
char *str;
int len;
unsigned int i;
urlstring = NULL;
if (!cert) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if ( ! arena ) {
goto loser;
}
hasbase = PR_FALSE;
rv = cert_FindExtension(cert->extensions, tag, &urlitem);
if ( rv == SECSuccess ) {
rv = cert_FindExtension(cert->extensions, SEC_OID_NS_CERT_EXT_BASE_URL,
&baseitem);
if ( rv == SECSuccess ) {
hasbase = PR_TRUE;
}
} else if ( catag ) {
/* if the cert doesn't have the extensions, see if the issuer does */
rv = CERT_FindIssuerCertExtension(cert, catag, &urlitem);
if ( rv != SECSuccess ) {
goto loser;
}
rv = CERT_FindIssuerCertExtension(cert, SEC_OID_NS_CERT_EXT_BASE_URL,
&baseitem);
if ( rv == SECSuccess ) {
hasbase = PR_TRUE;
}
} else {
if ( rv != SECSuccess ) {
goto loser;
}
@ -117,42 +77,15 @@ CERT_FindCertURLExtension(CERTCertificate *cert, int tag, int catag)
if ( rv != SECSuccess ) {
goto loser;
}
if ( hasbase ) {
rv = SEC_QuickDERDecodeItem(arena, &basestringitem,
SEC_ASN1_GET(SEC_IA5StringTemplate),
&baseitem);
if ( rv != SECSuccess ) {
goto loser;
}
}
len = urlstringitem.len + ( hasbase ? basestringitem.len : 0 ) + 1;
len = urlstringitem.len + 1;
str = urlstring = (char *)PORT_Alloc(len);
if ( urlstring == NULL ) {
goto loser;
}
/* copy the URL base first */
if ( hasbase ) {
/* if the urlstring has a : in it, then we assume it is an absolute
* URL, and will not get the base string pre-pended
*/
for ( i = 0; i < urlstringitem.len; i++ ) {
if ( urlstringitem.data[i] == ':' ) {
goto nobase;
}
}
PORT_Memcpy(str, basestringitem.data, basestringitem.len);
str += basestringitem.len;
}
nobase:
/* copy the rest (or all) of the URL */
/* copy the URL */
PORT_Memcpy(str, urlstringitem.data, urlstringitem.len);
str += urlstringitem.len;
@ -169,9 +102,6 @@ done:
if ( arena ) {
PORT_FreeArena(arena, PR_FALSE);
}
if ( baseitem.data ) {
PORT_Free(baseitem.data);
}
if ( urlitem.data ) {
PORT_Free(urlitem.data);
}

28
security/nss/lib/certdb/crl.c
Просмотреть файл

@ -1123,9 +1123,9 @@ static SECStatus DPCache_Destroy(CRLDPCache* cache)
PORT_Free(cache->crls);
}
/* destroy the cert */
if (cache->issuer)
if (cache->issuerDERCert)
{
CERT_DestroyCertificate(cache->issuer);
SECITEM_FreeItem(cache->issuerDERCert, PR_TRUE);
}
/* free the subject */
if (cache->subject)
@ -1571,14 +1571,20 @@ static SECStatus CachedCrl_Verify(CRLDPCache* cache, CachedCrl* crlobject,
else
{
SECStatus signstatus = SECFailure;
if (cache->issuer)
if (cache->issuerDERCert)
{
signstatus = CERT_VerifyCRL(crlobject->crl, cache->issuer, vfdate,
CERTCertificate *issuer = CERT_NewTempCertificate(cache->dbHandle,
cache->issuerDERCert, NULL, PR_FALSE, PR_TRUE);
if (issuer) {
signstatus = CERT_VerifyCRL(crlobject->crl, issuer, vfdate,
wincx);
CERT_DestroyCertificate(issuer);
}
}
if (SECSuccess != signstatus)
{
if (!cache->issuer)
if (!cache->issuerDERCert)
{
/* we tried to verify without an issuer cert . This is
because this CRL came through a call to SEC_FindCrlByName.
@ -1925,15 +1931,16 @@ static SECStatus DPCache_GetUpToDate(CRLDPCache* cache, CERTCertificate*
}
/* add issuer certificate if it was previously unavailable */
if (issuer && (NULL == cache->issuer) &&
if (issuer && (NULL == cache->issuerDERCert) &&
(SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN)))
{
/* if we didn't have a valid issuer cert yet, but we do now. add it */
DPCache_LockWrite();
if (!cache->issuer)
if (!cache->issuerDERCert)
{
dirty = PR_TRUE;
cache->issuer = CERT_DupCertificate(issuer);
cache->dbHandle = issuer->dbhandle;
cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
}
DPCache_UnlockWrite();
}
@ -1944,7 +1951,7 @@ static SECStatus DPCache_GetUpToDate(CRLDPCache* cache, CERTCertificate*
SEC_FindCrlByName, or through manual insertion, rather than through a
certificate verification (CERT_CheckCRL) */
if (cache->issuer && vfdate )
if (cache->issuerDERCert && vfdate )
{
mustunlock = PR_FALSE;
/* re-process all unverified CRLs */
@ -2201,7 +2208,8 @@ static SECStatus DPCache_Create(CRLDPCache** returned, CERTCertificate* issuer,
}
if (issuer)
{
cache->issuer = CERT_DupCertificate(issuer);
cache->dbHandle = issuer->dbhandle;
cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
}
cache->distributionPoint = SECITEM_DupItem(dp);
cache->subject = SECITEM_DupItem(subject);

8
security/nss/lib/nss/nss.def
Просмотреть файл

@ -1062,3 +1062,11 @@ PK11_PrivDecrypt;
;+ local:
;+ *;
;+};
;+NSS_3.18 { # NSS 3.18 release
;+ global:
CERT_FindCertURLExtension;
SEC_CheckCrlTimes;
SEC_GetCrlTimes;
;+ local:
;+ *;
;+};

8
security/nss/lib/nss/nss.h
Просмотреть файл

@ -33,12 +33,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.17.4" _NSS_ECC_STRING _NSS_CUSTOMIZED
#define NSS_VERSION "3.18" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
#define NSS_VMAJOR 3
#define NSS_VMINOR 17
#define NSS_VPATCH 4
#define NSS_VMINOR 18
#define NSS_VPATCH 0
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE
#define NSS_BETA PR_TRUE
#ifndef RC_INVOKED

61
security/nss/lib/pkcs12/p12.h
Просмотреть файл

@ -36,14 +36,49 @@ typedef void (PR_CALLBACK * SEC_PKCS12DecoderOutputCallback)(
* In NSS 3.12 or later, 'arg' actually points to a CERTCertificate,
* the 'leafCert' variable in sec_pkcs12_validate_cert in p12d.c.
* See r1.35 of p12d.c ("Patch 2" in bug 321584).
*
* This callback might be called by SEC_PKCS12DecoderValidateBags each time
* a nickname collission is detected. The callback must return a new
* nickname. The returned SECItem should be of type siAsciiString,
* it should be allocated using:
* SECITEM_AllocItem(NULL, NULL, LENGTH_OF_NEW_NICKNAME + 1)
* and data must contain the new nickname as a zero terminated string.
*/
typedef SECItem * (PR_CALLBACK * SEC_PKCS12NicknameCollisionCallback)(
SECItem *old_nickname,
PRBool *cancel,
void *arg);
/*
* This callback is called by SEC_PKCS12DecoderRenameCertNicknames for each
* certificate found in the p12 source data.
*
* cert: A decoded certificate.
* default_nickname: The nickname as found in the source data.
* Will be NULL if source data doesn't have nickname.
* new_nickname: Output parameter that may contain the renamed nickname.
* arg: The user data that was passed to SEC_PKCS12DecoderRenameCertNicknames.
*
* If the callback accept that NSS will use a nickname based on the
* default_nickname (potentially resolving conflicts), then the callback
* must set *new_nickname to NULL.
*
* If the callback wishes to override the nickname, it must set *new_nickname
* to a new SECItem which should be allocated using
* SECITEM_AllocItem(NULL, NULL, LENGTH_OF_NEW_NICKNAME + 1)
* new_nickname->type should be set to siAsciiString, and new_nickname->data
* must contain the new nickname as a zero terminated string.
*
* A return value of SECFailure indicates that the renaming operation failed,
* and callback should release new_nickname before returning if it's already
* being allocated.
* Otherwise, the callback function must return SECSuccess, including use
* default nickname as mentioned above.
*/
typedef SECStatus (PR_CALLBACK * SEC_PKCS12NicknameRenameCallback)(
const CERTCertificate *cert,
const SECItem *default_nickname,
SECItem **new_nickname,
void *arg);
typedef SECStatus (PR_CALLBACK *digestOpenFn)(void *arg, PRBool readData);
typedef SECStatus (PR_CALLBACK *digestCloseFn)(void *arg, PRBool removeFile);
@ -167,6 +202,26 @@ extern SECStatus
SEC_PKCS12DecoderValidateBags(SEC_PKCS12DecoderContext *p12dcx,
SEC_PKCS12NicknameCollisionCallback nicknameCb);
/*
* SEC_PKCS12DecoderRenameCertNicknames() can be used to change
* certificate nicknames in SEC_PKCS12DecoderContext, prior to calling
* SEC_PKCS12DecoderImportBags.
*
* arg: User-defined data that will be passed to nicknameCb.
*
* If SEC_PKCS12DecoderRenameCertNicknames() is called after calling
* SEC_PKCS12DecoderValidateBags(), then only the certificate nickname
* will be changed.
* If SEC_PKCS12DecoderRenameCertNicknames() is called prior to calling
* SEC_PKCS12DecoderValidateBags(), then SEC_PKCS12DecoderValidateBags()
* will change the nickname of the corresponding private key, too.
*/
extern SECStatus
SEC_PKCS12DecoderRenameCertNicknames(SEC_PKCS12DecoderContext *p12dcx,
SEC_PKCS12NicknameRenameCallback nicknameCb,
void *arg);
extern SECStatus
SEC_PKCS12DecoderImportBags(SEC_PKCS12DecoderContext *p12dcx);

58
security/nss/lib/pkcs12/p12d.c
Просмотреть файл

@ -2795,6 +2795,64 @@ SEC_PKCS12DecoderValidateBags(SEC_PKCS12DecoderContext *p12dcx,
return rv;
}
SECStatus
SEC_PKCS12DecoderRenameCertNicknames(SEC_PKCS12DecoderContext *p12dcx,
SEC_PKCS12NicknameRenameCallback nicknameCb,
void *arg)
{
int i;
sec_PKCS12SafeBag *safeBag;
CERTCertificate *cert;
SECStatus srv;
if(!p12dcx || p12dcx->error || !p12dcx->safeBags || !nicknameCb) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
for (i = 0; safeBag = p12dcx->safeBags[i]; i++) {
SECItem *newNickname = NULL;
SECItem *defaultNickname = NULL;
SECStatus rename_rv;
if (SECOID_FindOIDTag(&(safeBag->safeBagType)) !=
SEC_OID_PKCS12_V1_CERT_BAG_ID) {
continue;
}
cert = CERT_DecodeDERCertificate(
&safeBag->safeBagContent.certBag->value.x509Cert,
PR_FALSE, NULL);
if (!cert) {
return SECFailure;
}
defaultNickname = sec_pkcs12_get_nickname(safeBag);
rename_rv = (*nicknameCb)(cert, defaultNickname, &newNickname, arg);
CERT_DestroyCertificate(cert);
if (defaultNickname) {
SECITEM_ZfreeItem(defaultNickname, PR_TRUE);
defaultNickname = NULL;
}
if (rename_rv != SECSuccess) {
return rename_rv;
}
if (newNickname) {
srv = sec_pkcs12_set_nickname(safeBag, newNickname);
SECITEM_ZfreeItem(newNickname, PR_TRUE);
newNickname = NULL;
if (srv != SECSuccess) {
return SECFailure;
}
}
}
return SECSuccess;
}
static SECKEYPublicKey *
sec_pkcs12_get_public_key_and_usage(sec_PKCS12SafeBag *certBag,

6
security/nss/lib/smime/smime.def
Просмотреть файл

@ -279,3 +279,9 @@ NSS_CMSSignerInfo_Verify;
;+ local:
;+ *;
;+};
;+NSS_3.18 { # NSS 3.18 release
;+ global:
SEC_PKCS12DecoderRenameCertNicknames;
;+ local:
;+ *;
;+};

2
security/nss/lib/smime/smimeutil.c
Просмотреть файл

@ -437,10 +437,12 @@ smime_choose_cipher(CERTCertificate *scert, CERTCertificate **rcerts)
*/
key = CERT_ExtractPublicKey(rcerts[rcount]);
pklen_bits = 0;
key_type = nullKey;
if (key != NULL) {
pklen_bits = SECKEY_PublicKeyStrengthInBits (key);
key_type = SECKEY_GetPublicKeyType(key);
SECKEY_DestroyPublicKey (key);
key = NULL;
}
if (key_type == ecKey) {

8
security/nss/lib/softoken/lowpbe.c
Просмотреть файл

@ -319,8 +319,8 @@ do_xor(unsigned char *dest, unsigned char *src, int len)
}
static SECStatus
nsspkcs5_PBKFD2_F(const SECHashObject *hashobj, SECItem *pwitem, SECItem *salt,
int iterations, unsigned int i, unsigned char *T)
nsspkcs5_PBKDF2_F(const SECHashObject *hashobj, SECItem *pwitem, SECItem *salt,
int iterations, unsigned int i, unsigned char *T)
{
int j;
HMACContext *cx = NULL;
@ -393,7 +393,7 @@ nsspkcs5_PBKDF2(const SECHashObject *hashobj, NSSPKCS5PBEParameter *pbe_param,
}
for (i=1,rp=result->data; i <= nblocks ; i++, rp +=hLen) {
rv = nsspkcs5_PBKFD2_F(hashobj,pwitem,salt,iterations,i,T);
rv = nsspkcs5_PBKDF2_F(hashobj, pwitem, salt, iterations, i, T);
if (rv != SECSuccess) {
break;
}
@ -410,7 +410,7 @@ loser:
} else {
result->len = dkLen;
}
return result;
}
#endif

8
security/nss/lib/softoken/softkver.h
Просмотреть файл

@ -25,11 +25,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define SOFTOKEN_VERSION "3.17.4" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VERSION "3.18" SOFTOKEN_ECC_STRING " Beta"
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 17
#define SOFTOKEN_VPATCH 4
#define SOFTOKEN_VMINOR 18
#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE
#define SOFTOKEN_BETA PR_TRUE
#endif /* _SOFTKVER_H_ */

10
security/nss/lib/ssl/ssl3ext.c
Просмотреть файл

@ -914,8 +914,9 @@ ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
SECItem *data)
{
/* The echoed extension must be empty. */
if (data->len != 0)
return SECFailure;
if (data->len != 0) {
return SECSuccess; /* Ignore the extension. */
}
/* Keep track of negotiated extensions. */
ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
@ -1365,8 +1366,9 @@ SECStatus
ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
SECItem *data)
{
if (data->len != 0)
return SECFailure;
if (data->len != 0) {
return SECSuccess; /* Ignore the extension. */
}
/* Keep track of negotiated extensions. */
ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;

8
security/nss/lib/util/nssutil.h
Просмотреть файл

@ -19,12 +19,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.17.4"
#define NSSUTIL_VERSION "3.18 Beta"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 17
#define NSSUTIL_VPATCH 4
#define NSSUTIL_VMINOR 18
#define NSSUTIL_VPATCH 0
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE
#define NSSUTIL_BETA PR_TRUE
SEC_BEGIN_PROTOS

2
security/nss/tests/all.sh
Просмотреть файл

@ -302,7 +302,7 @@ fi
# following test for modutil should check for that instead.
# Exception: when building softoken only, shlibsign is the
# last file created.
if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then
if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then
LAST_FILE_BUILT=shlibsign
else
LAST_FILE_BUILT=modutil

2
security/nss/tests/cipher/cipher.sh
Просмотреть файл

@ -124,7 +124,7 @@ cipher_cleanup()
# built and the cipher suite run as part of an nss-softoken build.
if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${PROG_SUFFIX} ]; then
echo "bltest not built, skipping this test." >> ${LOGFILE}
res = 0
res=0
html_msg $res $EXP_RET "$TESTNAME"
return 0
fi

2
security/nss/tests/common/init.sh
Просмотреть файл

@ -226,7 +226,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
}
html_msg()
{
if [ "$1" -ne "$2" ] ; then
if [ $1 -ne $2 ] ; then
html_failed "$3" "$4"
else
html_passed "$3" "$4"

4
security/nss/tests/dbtests/dbtests.sh
Просмотреть файл

@ -170,7 +170,7 @@ dbtest_main()
# skipping the next two tests when user is root,
# otherwise they would fail due to rooty powers
if [ $UID -ne 0 ] then
if [ $UID -ne 0 ]; then
${BINDIR}/dbtest -d $RONLY_DIR
ret=$?
if [ $ret -ne 46 ]; then
@ -181,7 +181,7 @@ dbtest_main()
else
html_passed "Skipping Dbtest r/w in a readonly dir because user is root"
fi
if [ $UID -ne 0 ] then
if [ $UID -ne 0 ]; then
${BINDIR}/certutil -D -n "TestUser" -d .
ret=$?
if [ $ret -ne 255 ]; then

6
security/nss/tests/ssl/sslcov.txt
Просмотреть файл

@ -78,8 +78,10 @@
noECC TLS12 i TLS12_RSA_WITH_NULL_MD5
noECC TLS12 j TLS12_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
noECC TLS12 k TLS12_RSA_FIPS_WITH_DES_CBC_SHA
noECC TLS12 l TLS12_RSA_EXPORT_WITH_DES_CBC_SHA (new)
noECC TLS12 m TLS12_RSA_EXPORT_WITH_RC4_56_SHA (new)
# disabled because of bug 1136095
# noECC TLS12 l TLS12_RSA_EXPORT_WITH_DES_CBC_SHA (new)
# disabled because of bug 1136095
# noECC TLS12 m TLS12_RSA_EXPORT_WITH_RC4_56_SHA (new)
noECC TLS12 n TLS12_RSA_WITH_RC4_128_SHA
noECC TLS12 v TLS12_RSA_WITH_AES_128_CBC_SHA
noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA