diff --git a/security/coreconf/OSF1.mk b/security/coreconf/OSF1.mk index 93c09de77e5..fd520478cd1 100644 --- a/security/coreconf/OSF1.mk +++ b/security/coreconf/OSF1.mk @@ -72,3 +72,9 @@ PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \ sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,-exported_symbol ,' > $@ DSO_LDOPTS += -shared + +# required for freebl +USE_64=1 +# this platform name does not use a bit tag due to only having a 64-bit ABI +64BIT_TAG= + diff --git a/security/coreconf/coreconf.dep b/security/coreconf/coreconf.dep index b536cfc01b9..831d1c16ee5 100644 --- a/security/coreconf/coreconf.dep +++ b/security/coreconf/coreconf.dep @@ -43,3 +43,4 @@ #error "Do not include this header file." +/* NSS 3.12.4 Beta */ diff --git a/security/coreconf/location.mk b/security/coreconf/location.mk index 2edba79f01e..3c0252fd947 100644 --- a/security/coreconf/location.mk +++ b/security/coreconf/location.mk @@ -83,4 +83,20 @@ ifndef NSS_LIB_DIR NSS_LIB_DIR = $(DIST)/lib endif +ifdef NSSUTIL_INCLUDE_DIR + INCLUDES += -I$(NSSUTIL_INCLUDE_DIR) +endif + +ifndef NSSUTIL_LIB_DIR + NSSUTIL_LIB_DIR = $(DIST)/lib +endif + +ifdef SOFTOKEN_INCLUDE_DIR + INCLUDES += -I$(SOFTOKEN_INCLUDE_DIR) +endif + +ifndef SOFTOKEN_LIB_DIR + SOFTOKEN_LIB_DIR = $(DIST)/lib +endif + MK_LOCATION = included diff --git a/security/nss/cmd/lib/SECerrs.h b/security/nss/cmd/lib/SECerrs.h index de81429b431..d00eefd1021 100644 --- a/security/nss/cmd/lib/SECerrs.h +++ b/security/nss/cmd/lib/SECerrs.h @@ -555,3 +555,10 @@ ER3(SEC_ERROR_PKCS11_FUNCTION_FAILED, (SEC_ERROR_BASE + 168), ER3(SEC_ERROR_PKCS11_DEVICE_ERROR, (SEC_ERROR_BASE + 169), "A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.") + +ER3(SEC_ERROR_BAD_INFO_ACCESS_METHOD, (SEC_ERROR_BASE + 170), +"Unknown information access method in certificate extension.") + +ER3(SEC_ERROR_CRL_IMPORT_FAILED, (SEC_ERROR_BASE + 171), +"Error attempting to import a CRL.") + diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c index b2ae2042f9f..7a53723e8c6 100644 --- a/security/nss/cmd/lib/secutil.c +++ b/security/nss/cmd/lib/secutil.c @@ -2351,7 +2351,7 @@ SECU_PrintRDN(FILE *out, CERTRDN *rdn, char *msg, int level) void SECU_PrintName(FILE *out, CERTName *name, char *msg, int level) { - char *nameStr; + char *nameStr = NULL; char *str; SECItem my; diff --git a/security/nss/cmd/platlibs.mk b/security/nss/cmd/platlibs.mk index 73b3fbf4002..18b480e438a 100644 --- a/security/nss/cmd/platlibs.mk +++ b/security/nss/cmd/platlibs.mk @@ -87,14 +87,7 @@ ifeq ($(OS_ARCH), WINNT) DEFINES += -DNSS_USE_STATIC_LIBS # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS) -CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) -ifdef MOZILLA_SECURITY_BUILD - CRYPTOLIB=$(DIST)/lib/crypto.lib -endif -ifdef MOZILLA_BSAFE_BUILD - CRYPTOLIB+=$(DIST)/lib/bsafe$(BSAFEVER).lib - CRYPTOLIB+=$(DIST)/lib/freebl.lib -endif +CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) PKIXLIB = \ $(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX) \ @@ -143,14 +136,7 @@ EXTRA_LIBS += \ else # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS) -CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) -ifdef MOZILLA_SECURITY_BUILD - CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX) -endif -ifdef MOZILLA_BSAFE_BUILD - CRYPTOLIB+=$(DIST)/lib/$(LIB_PREFIX)bsafe.$(LIB_SUFFIX) - CRYPTOLIB+=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) -endif +CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) PKIXLIB = \ $(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \ @@ -202,6 +188,7 @@ endif EXTRA_SHARED_LIBS += \ -L$(DIST)/lib \ $(SQLITE) \ + -L$(NSSUTIL_LIB_DIR) \ -lnssutil3 \ -L$(NSPR_LIB_DIR) \ -lplc4 \ @@ -253,6 +240,7 @@ EXTRA_SHARED_LIBS += \ -lssl3 \ -lsmime3 \ -lnss3 \ + -L$(NSSUTIL_LIB_DIR) \ -lnssutil3 \ -L$(NSPR_LIB_DIR) \ -lplc4 \ diff --git a/security/nss/cmd/shlibsign/Makefile b/security/nss/cmd/shlibsign/Makefile index 63b1f8300ff..d6285854829 100644 --- a/security/nss/cmd/shlibsign/Makefile +++ b/security/nss/cmd/shlibsign/Makefile @@ -80,6 +80,7 @@ endif CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX) CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX)) +CHECKLIBS += $(DIST)/lib/$(DLL_PREFIX)nssdbm3.$(DLL_SUFFIX) CHECKLOC = $(CHECKLIBS:.$(DLL_SUFFIX)=.chk) MD_LIB_RELEASE_FILES = $(CHECKLOC) diff --git a/security/nss/lib/Makefile b/security/nss/lib/Makefile index a111275bd16..029f5812ec7 100644 --- a/security/nss/lib/Makefile +++ b/security/nss/lib/Makefile @@ -84,18 +84,3 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (7) Execute "local" rules. (OPTIONAL). # ####################################################################### -ifdef MOZILLA_SECURITY_BUILD -FILES=$(shell ls -d $(CORE_DEPTH)/../../ns/security/lib/crypto/*) - -export:: - if test -d $(CORE_DEPTH)/../../ns/security/lib/crypto; then \ - $(NSINSTALL) -D crypto; \ - for file in $(FILES) ; do \ - if test -f $$file; then \ - $(INSTALL) -m 444 $$file crypto; \ - fi; \ - done; \ - $(INSTALL) -m 444 freebl/sha_fast.c crypto; \ - $(INSTALL) -m 444 freebl/sha_fast.h crypto; \ - fi -endif diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c index 0d0107845c5..651b624d00d 100644 --- a/security/nss/lib/certdb/alg1485.c +++ b/security/nss/lib/certdb/alg1485.c @@ -757,9 +757,11 @@ CERT_GetOidString(const SECItem *oid) CASE(3, 0x7f); CASE(2, 0x7f); CASE(1, 0x7f); - case 0: n |= last[0]; /* most significant bit is zero. */ + case 0: n |= last[0] & 0x7f; break; } + if (last[0] & 0x80) + goto unsupported; if (!rvString) { /* This is the first number.. decompose it */ @@ -785,9 +787,11 @@ CERT_GetOidString(const SECItem *oid) CGET(3, 0x7f); CGET(2, 0x7f); CGET(1, 0x7f); - n |= last[0]; /* most significant bit is zero. */ + CGET(0, 0x7f); break; } + if (last[0] & 0x80) + goto unsupported; if (!rvString) { /* This is the first number.. decompose it */ @@ -905,18 +909,22 @@ get_hex_string(SECItem *data) static SECStatus AppendAVA(stringBuf *bufp, CERTAVA *ava, CertStrictnessLevel strict) { +#define TMPBUF_LEN 384 const NameToKind *pn2k = name2kinds; SECItem *avaValue = NULL; char *unknownTag = NULL; char *encodedAVA = NULL; PRBool useHex = PR_FALSE; /* use =#hexXXXX form */ + PRBool truncateName = PR_FALSE; + PRBool truncateValue = PR_FALSE; SECOidTag endKind; SECStatus rv; unsigned int len; - int nameLen, valueLen; + unsigned int nameLen, valueLen; + unsigned int maxName, maxValue; EQMode mode = minimalEscapeAndQuote; NameToKind n2k = { NULL, 32767, SEC_OID_UNKNOWN, SEC_ASN1_DS }; - char tmpBuf[384]; + char tmpBuf[TMPBUF_LEN]; #define tagName n2k.name /* non-NULL means use NAME= form */ #define maxBytes n2k.maxLen @@ -971,61 +979,102 @@ AppendAVA(stringBuf *bufp, CERTAVA *ava, CertStrictnessLevel strict) } } - if (strict == CERT_N2A_READABLE) { - if (maxBytes > sizeof(tmpBuf) - 4) - maxBytes = sizeof(tmpBuf) - 4; - /* Check value length. Must be room for "..." */ - if (avaValue->len > maxBytes + 3) { - /* avaValue is a UTF8 string, freshly allocated and returned to us - ** by CERT_DecodeAVAValue or get_hex_string just above, so we can - ** modify it here. See if we're in the middle of a multi-byte - ** UTF8 character. - */ - len = maxBytes; - while (((avaValue->data[len] & 0xc0) == 0x80) && len > 0) { - len--; - } - /* add elipsis to signify truncation. */ - avaValue->data[len++] = '.'; - avaValue->data[len++] = '.'; - avaValue->data[len++] = '.'; - avaValue->data[len] = 0; - avaValue->len = len; - } - } - nameLen = strlen(tagName); valueLen = (useHex ? avaValue->len : cert_RFC1485_GetRequiredLen(avaValue->data, avaValue->len, &mode)); len = nameLen + valueLen + 2; /* Add 2 for '=' and trailing NUL */ + maxName = nameLen; + maxValue = valueLen; if (len <= sizeof(tmpBuf)) { encodedAVA = tmpBuf; - } else if (strict == CERT_N2A_READABLE) { - PORT_SetError(SEC_ERROR_OUTPUT_LEN); - } else { + } else if (strict != CERT_N2A_READABLE) { encodedAVA = PORT_Alloc(len); + if (!encodedAVA) { + SECITEM_FreeItem(avaValue, PR_TRUE); + if (unknownTag) + PR_smprintf_free(unknownTag); + return SECFailure; + } + } else { + /* Must make output fit in tmpbuf */ + unsigned int fair = (sizeof tmpBuf)/2 - 1; /* for = and \0 */ + + if (nameLen < fair) { + /* just truncate the value */ + maxValue = (sizeof tmpBuf) - (nameLen + 6); /* for "=...\0", + and possibly '"' */ + } else if (valueLen < fair) { + /* just truncate the name */ + maxName = (sizeof tmpBuf) - (valueLen + 5); /* for "=...\0" */ + } else { + /* truncate both */ + maxName = maxValue = fair - 3; /* for "..." */ + } + if (nameLen > maxName) { + PORT_Assert(unknownTag && unknownTag == tagName); + truncateName = PR_TRUE; + nameLen = maxName; + } + encodedAVA = tmpBuf; } - if (!encodedAVA) { - SECITEM_FreeItem(avaValue, PR_TRUE); - if (unknownTag) - PR_smprintf_free(unknownTag); - return SECFailure; - } + memcpy(encodedAVA, tagName, nameLen); + if (truncateName) { + /* If tag name is too long, we know it is an OID form that was + * allocated from the heap, so we can modify it in place + */ + encodedAVA[nameLen-1] = '.'; + encodedAVA[nameLen-2] = '.'; + encodedAVA[nameLen-3] = '.'; + } + encodedAVA[nameLen++] = '='; if (unknownTag) PR_smprintf_free(unknownTag); - encodedAVA[nameLen++] = '='; - + + if (strict == CERT_N2A_READABLE && maxValue > maxBytes) + maxValue = maxBytes; + if (valueLen > maxValue) { + valueLen = maxValue; + truncateValue = PR_TRUE; + } /* escape and quote as necessary - don't quote hex strings */ if (useHex) { - memcpy(encodedAVA + nameLen, (char *)avaValue->data, avaValue->len); - encodedAVA[nameLen + avaValue->len] = '\0'; + char * end = encodedAVA + nameLen + valueLen; + memcpy(encodedAVA + nameLen, (char *)avaValue->data, valueLen); + end[0] = '\0'; + if (truncateValue) { + end[-1] = '.'; + end[-2] = '.'; + end[-3] = '.'; + } rv = SECSuccess; - } else + } else if (!truncateValue) { rv = escapeAndQuote(encodedAVA + nameLen, len - nameLen, - (char *)avaValue->data, avaValue->len, &mode); + (char *)avaValue->data, avaValue->len, &mode); + } else { + /* must truncate the escaped and quoted value */ + char bigTmpBuf[TMPBUF_LEN * 3 + 3]; + rv = escapeAndQuote(bigTmpBuf, sizeof bigTmpBuf, + (char *)avaValue->data, valueLen, &mode); + + bigTmpBuf[valueLen--] = '\0'; /* hard stop here */ + /* See if we're in the middle of a multi-byte UTF8 character */ + while (((bigTmpBuf[valueLen] & 0xc0) == 0x80) && valueLen > 0) { + bigTmpBuf[valueLen--] = '\0'; + } + /* add ellipsis to signify truncation. */ + bigTmpBuf[++valueLen] = '.'; + bigTmpBuf[++valueLen] = '.'; + bigTmpBuf[++valueLen] = '.'; + if (bigTmpBuf[0] == '"') + bigTmpBuf[++valueLen] = '"'; + bigTmpBuf[++valueLen] = '\0'; + PORT_Assert(nameLen + valueLen <= (sizeof tmpBuf) - 1); + memcpy(encodedAVA + nameLen, bigTmpBuf, valueLen+1); + } + SECITEM_FreeItem(avaValue, PR_TRUE); if (rv == SECSuccess) rv = AppendStr(bufp, encodedAVA); diff --git a/security/nss/lib/certhigh/certvfypkix.c b/security/nss/lib/certhigh/certvfypkix.c index 54756ca86d7..d4dac5b7948 100644 --- a/security/nss/lib/certhigh/certvfypkix.c +++ b/security/nss/lib/certhigh/certvfypkix.c @@ -204,7 +204,7 @@ cert_NssKeyUsagesToPkix( PKIX_RETURN(CERTVFYPKIX); } -extern char* ekuOidStrings[]; +extern SECOidTag ekuOidStrings[]; enum { ekuIndexSSLServer = 0, @@ -489,6 +489,7 @@ cert_CreatePkixProcessingParams( PKIX_RevocationChecker *revChecker = NULL; PKIX_UInt32 methodFlags = 0; void *plContext = NULL; + CERTStatusConfig *statusConfig = NULL; PKIX_ENTER(CERTVFYPKIX, "cert_CreatePkixProcessingParams"); PKIX_NULLCHECK_TWO(cert, pprocParams); @@ -539,6 +540,14 @@ cert_CreatePkixProcessingParams( certSelector, plContext), PKIX_PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED); + /* Turn off quialification of target cert since leaf cert is + * already check for date validity, key usages and extended + * key usages. */ + PKIX_CHECK( + PKIX_ProcessingParams_SetQualifyTargetCert(procParams, PKIX_FALSE, + plContext), + PKIX_PROCESSINGPARAMSSETQUALIFYTARGETCERTFLAGFAILED); + PKIX_CHECK( PKIX_PL_Pk11CertStore_Create(&certStore, plContext), PKIX_PK11CERTSTORECREATEFAILED); @@ -601,34 +610,42 @@ cert_CreatePkixProcessingParams( 0, NULL, PKIX_FALSE, plContext), PKIX_REVOCATIONCHECKERADDMETHODFAILED); - /* OCSP method flags */ - methodFlags = - PKIX_REV_M_TEST_USING_THIS_METHOD | - PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */ - PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */ - PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */ - PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */ - PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO; + /* For compatibility with the old code, need to check that + * statusConfig is set in the db handle and status checker + * is defined befor allow ocsp status check on the leaf cert.*/ + statusConfig = CERT_GetStatusConfig(CERT_GetDefaultCertDB()); + if (statusConfig != NULL && statusConfig->statusChecker != NULL) { - /* Disabling ocsp fetching when checking the status - * of ocsp response signer. Here and in the next if, - * adjust flags for ocsp signer cert validation case. */ - if (disableOCSPRemoteFetching) { - methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING; - } - - if (ocsp_FetchingFailureIsVerificationFailure() - && !disableOCSPRemoteFetching) { - methodFlags |= - PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO; - } - - /* add OCSP revocation method to check only the leaf certificate.*/ - PKIX_CHECK( - PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, + /* Enable OCSP revocation checking for the leaf cert. */ + /* OCSP method flags */ + methodFlags = + PKIX_REV_M_TEST_USING_THIS_METHOD | + PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */ + PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */ + PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */ + PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */ + PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO; + + /* Disabling ocsp fetching when checking the status + * of ocsp response signer. Here and in the next if, + * adjust flags for ocsp signer cert validation case. */ + if (disableOCSPRemoteFetching) { + methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING; + } + + if (ocsp_FetchingFailureIsVerificationFailure() + && !disableOCSPRemoteFetching) { + methodFlags |= + PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO; + } + + /* add OCSP revocation method to check only the leaf certificate.*/ + PKIX_CHECK( + PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, PKIX_RevocationMethod_OCSP, methodFlags, 1, NULL, PKIX_TRUE, plContext), - PKIX_REVOCATIONCHECKERADDMETHODFAILED); + PKIX_REVOCATIONCHECKERADDMETHODFAILED); + } PKIX_CHECK( PKIX_ProcessingParams_SetAnyPolicyInhibited(procParams, PR_FALSE, @@ -1206,7 +1223,15 @@ cert_VerifyCertChainPkix( int memLeakLoopCount = 0; int objCountTable[PKIX_NUMTYPES]; int fnInvLocalCount = 0; + PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine; + if (usePKIXValidationEngine) { + /* current memory leak testing implementation does not allow + * to run simultaneous tests one the same or a different threads. + * Setting the variable to false, to make additional chain + * validations be handled by old nss. */ + usePKIXValidationEngine = PR_FALSE; + } testStartFnStackPosition = 2; fnStackNameArr[0] = "cert_VerifyCertChainPkix"; fnStackInvCountArr[0] = 0; @@ -1320,6 +1345,7 @@ cleanup: runningLeakTest = PKIX_FALSE; PR_AtomicDecrement(¶llelFnInvocationCount); + usePKIXValidationEngine = savedUsePkixEngFlag; #endif /* PKIX_OBJECT_LEAK_TEST */ return rv; @@ -1414,39 +1440,6 @@ cleanup: return r; } -/* XXX - * There is no NSS SECItem -> PKIX OID - * conversion function. For now, I go via the ascii - * representation - * this should be in PKIX_PL_* - */ - -PKIX_PL_OID * -CERT_PKIXOIDFromNSSOid(SECOidTag tag, void*plContext) -{ - char *oidstring = NULL; - char *oidstring_adj = NULL; - PKIX_PL_OID *policyOID = NULL; - SECOidData *data; - - data = SECOID_FindOIDByTag(tag); - if (data != NULL) { - oidstring = CERT_GetOidString(&data->oid); - if (oidstring == NULL) { - goto cleanup; - } - oidstring_adj = oidstring; - if (PORT_Strncmp("OID.",oidstring_adj,4) == 0) { - oidstring_adj += 4; - } - - PKIX_PL_OID_Create(oidstring_adj, &policyOID, plContext); - } -cleanup: - if (oidstring != NULL) PR_smprintf_free(oidstring); - - return policyOID; -} struct fake_PKIX_PL_CertStruct { CERTCertificate *nssCert; @@ -1479,8 +1472,8 @@ PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plCon } for (i=0; i> 9)) & 0x00550055; \ word ^= temp | (temp << 9); -#if defined(__GNUC__) && defined(_X86_) +#if defined(__GNUC__) && defined(NSS_X86_OR_X64) #define BYTESWAP(word, temp) \ __asm("bswap %0" : "+r" (word)); #else @@ -435,7 +435,7 @@ DES_MakeSchedule( HALF * ks, const BYTE * key, DESDirection direction) int delta; unsigned int ls; -#if defined(_X86_) +#if defined(NSS_X86_OR_X64) left = HALFPTR(key)[0]; right = HALFPTR(key)[1]; BYTESWAP(left, temp); @@ -586,7 +586,7 @@ DES_Do1Block(HALF * ks, const BYTE * inbuf, BYTE * outbuf) register HALF left, right; register HALF temp; -#if defined(_X86_) +#if defined(NSS_X86_OR_X64) left = HALFPTR(inbuf)[0]; right = HALFPTR(inbuf)[1]; BYTESWAP(left, temp); @@ -657,7 +657,7 @@ DES_Do1Block(HALF * ks, const BYTE * inbuf, BYTE * outbuf) FP(left, right, temp); -#if defined(_X86_) +#if defined(NSS_X86_OR_X64) BYTESWAP(left, temp); BYTESWAP(right, temp); HALFPTR(outbuf)[0] = left; diff --git a/security/nss/lib/freebl/desblapi.c b/security/nss/lib/freebl/desblapi.c index b4bbc884442..deb789fcdd5 100644 --- a/security/nss/lib/freebl/desblapi.c +++ b/security/nss/lib/freebl/desblapi.c @@ -49,7 +49,7 @@ #include #include "secerr.h" -#if defined(_X86_) +#if defined(NSS_X86_OR_X64) /* Intel X86 CPUs do unaligned loads and stores without complaint. */ #define COPY8B(to, from, ptr) \ HALFPTR(to)[0] = HALFPTR(from)[0]; \ diff --git a/security/nss/lib/freebl/md5.c b/security/nss/lib/freebl/md5.c index 1167cd6f667..4acfe74cf1d 100644 --- a/security/nss/lib/freebl/md5.c +++ b/security/nss/lib/freebl/md5.c @@ -475,7 +475,7 @@ MD5_Update(MD5Context *cx, const unsigned char *input, unsigned int inputLen) /* Iterate over 64-byte chunks of the message. */ while (inputLen >= MD5_BUFFER_SIZE) { #ifdef IS_LITTLE_ENDIAN -#ifdef _X86_ +#ifdef NSS_X86_OR_X64 /* x86 can handle arithmetic on non-word-aligned buffers */ wBuf = (PRUint32 *)input; #else diff --git a/security/nss/lib/freebl/nsslowhash.c b/security/nss/lib/freebl/nsslowhash.c index 00d65c4a77b..507237db1fa 100644 --- a/security/nss/lib/freebl/nsslowhash.c +++ b/security/nss/lib/freebl/nsslowhash.c @@ -33,7 +33,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: nsslowhash.c,v 1.2 2008/11/27 15:20:44 wtc%google.com Exp $ */ +/* $Id: nsslowhash.c,v 1.3 2009/04/15 21:31:55 rrelyea%redhat.com Exp $ */ #include "stubs.h" #include "prtypes.h" @@ -267,6 +267,27 @@ struct NSSLOWHASHContextStr { }; +static int nsslow_GetFIPSEnabled(void) { +#ifdef LINUX + FILE *f; + char d; + size_t size; + + f = fopen("/proc/sys/crypto/fips_enabled", "r"); + if (!f) + return 1; + + size = fread(&d, 1, 1, f); + fclose(f); + if (size != 1) + return 0; + if (d != '1') + return 0; +#endif + return 1; +} + + static int post = 0; static NSSLOWInitContext dummyContext = { 0 }; @@ -283,7 +304,7 @@ NSSLOW_Init(void) nsprAvailable = (rv == SECSuccess ) ? PR_TRUE : PR_FALSE; - if (!post) { + if (!post && nsslow_GetFIPSEnabled()) { crv = freebl_fipsPowerUpSelfTest(); if (crv != CKR_OK) { return NULL; diff --git a/security/nss/lib/freebl/os2_rand.c b/security/nss/lib/freebl/os2_rand.c index c10104c92a5..6145a216ece 100644 --- a/security/nss/lib/freebl/os2_rand.c +++ b/security/nss/lib/freebl/os2_rand.c @@ -369,5 +369,5 @@ static void rng_systemJitter(void) size_t RNG_SystemRNG(void *dest, size_t maxLen) { - return rng_systemFromNoise(dest,maxlen); + return rng_systemFromNoise(dest,maxLen); } diff --git a/security/nss/lib/freebl/rijndael.c b/security/nss/lib/freebl/rijndael.c index a650547cf2c..79deebdaca7 100644 --- a/security/nss/lib/freebl/rijndael.c +++ b/security/nss/lib/freebl/rijndael.c @@ -33,7 +33,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: rijndael.c,v 1.24 2008/12/04 18:16:31 rrelyea%redhat.com Exp $ */ +/* $Id: rijndael.c,v 1.25 2009/04/09 22:11:07 julien.pierre.boogz%sun.com Exp $ */ #ifdef FREEBL_NO_DEPEND #include "stubs.h" @@ -563,7 +563,7 @@ rijndael_encryptBlock128(AESContext *cx, PRUint32 *roundkeyw; rijndael_state state; PRUint32 C0, C1, C2, C3; -#if defined(_X86_) +#if defined(NSS_X86_OR_X64) #define pIn input #define pOut output #else @@ -639,7 +639,7 @@ rijndael_encryptBlock128(AESContext *cx, *((PRUint32 *)(pOut + 4)) = C1; *((PRUint32 *)(pOut + 8)) = C2; *((PRUint32 *)(pOut + 12)) = C3; -#if defined(_X86_) +#if defined(NSS_X86_OR_X64) #undef pIn #undef pOut #else @@ -659,7 +659,7 @@ rijndael_decryptBlock128(AESContext *cx, PRUint32 *roundkeyw; rijndael_state state; PRUint32 C0, C1, C2, C3; -#if defined(_X86_) +#if defined(NSS_X86_OR_X64) #define pIn input #define pOut output #else @@ -731,7 +731,7 @@ rijndael_decryptBlock128(AESContext *cx, *((PRUint32 *)(pOut + 8)) ^= *roundkeyw--; *((PRUint32 *)(pOut + 4)) ^= *roundkeyw--; *((PRUint32 *) pOut ) ^= *roundkeyw--; -#if defined(_X86_) +#if defined(NSS_X86_OR_X64) #undef pIn #undef pOut #else diff --git a/security/nss/lib/freebl/sha512.c b/security/nss/lib/freebl/sha512.c index bc3f4654135..44499859547 100644 --- a/security/nss/lib/freebl/sha512.c +++ b/security/nss/lib/freebl/sha512.c @@ -36,14 +36,14 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sha512.c,v 1.13 2008/11/19 21:10:52 nelson%bolyard.com Exp $ */ +/* $Id: sha512.c,v 1.14 2009/04/09 22:11:07 julien.pierre.boogz%sun.com Exp $ */ #ifdef FREEBL_NO_DEPEND #include "stubs.h" #endif #include "prcpucfg.h" -#if (defined(_X86_) && !defined(__x86_64__)) || defined(SHA_NO_LONG_LONG) +#if defined(NSS_X86) || defined(SHA_NO_LONG_LONG) #define NOUNROLL512 1 #undef HAVE_LONG_LONG #endif @@ -103,7 +103,7 @@ static const PRUint32 H256[8] = { #pragma intrinsic(_byteswap_ulong) #define SHA_HTONL(x) _byteswap_ulong(x) #define BYTESWAP4(x) x = SHA_HTONL(x) -#elif defined(_MSC_VER) && defined(_X86_) +#elif defined(_MSC_VER) && defined(NSS_X86_OR_X64) #ifndef FORCEINLINE #if (_MSC_VER >= 1200) #define FORCEINLINE __forceinline @@ -125,7 +125,7 @@ swap4b(PRUint32 dwd) #define SHA_HTONL(x) swap4b(x) #define BYTESWAP4(x) x = SHA_HTONL(x) -#elif defined(__GNUC__) && defined(_X86_) +#elif defined(__GNUC__) && defined(NSS_X86_OR_X64) static __inline__ PRUint32 swap4b(PRUint32 value) { __asm__("bswap %0" : "+r" (value)); diff --git a/security/nss/lib/freebl/sha_fast.h b/security/nss/lib/freebl/sha_fast.h index d579ebad463..952d2cf93fa 100644 --- a/security/nss/lib/freebl/sha_fast.h +++ b/security/nss/lib/freebl/sha_fast.h @@ -63,7 +63,7 @@ struct SHA1ContextStr { #if (_MSC_VER >= 1300) #pragma intrinsic(_byteswap_ulong) #define SHA_HTONL(x) _byteswap_ulong(x) -#elif defined(_X86_) +#elif defined(NSS_X86_OR_X64) #ifndef FORCEINLINE #if (_MSC_VER >= 1200) #define FORCEINLINE __forceinline @@ -83,7 +83,7 @@ swap4b(PRUint32 dwd) } #define SHA_HTONL(x) swap4b(x) -#endif /* _X86_ */ +#endif /* NSS_X86_OR_X64 */ #endif /* IS_LITTLE_ENDIAN */ #pragma intrinsic (_lrotr, _lrotl) @@ -108,7 +108,7 @@ static __inline__ PRUint32 SHA_ROTL(PRUint32 t, PRUint32 n) #endif #define SHA_ROTL_IS_DEFINED 1 -#if defined(_X86_) || defined(__x86_64__) || defined(__x86_64) +#if defined(NSS_X86_OR_X64) static __inline__ PRUint32 swap4b(PRUint32 value) { __asm__("bswap %0" : "+r" (value)); @@ -124,7 +124,7 @@ static __inline__ PRUint32 swap4b(PRUint32 value) #define SHA_ROTL(X,n) (tmp = (X), ((tmp) << (n)) | ((tmp) >> (32-(n)))) #endif -#if defined(_X86_) || defined(__x86_64__) || defined(__x86_64) +#if defined(NSS_X86_OR_X64) #define SHA_ALLOW_UNALIGNED_ACCESS 1 #endif diff --git a/security/nss/lib/libpkix/include/pkix_certsel.h b/security/nss/lib/libpkix/include/pkix_certsel.h index 8d424619cf2..e4f88624072 100755 --- a/security/nss/lib/libpkix/include/pkix_certsel.h +++ b/security/nss/lib/libpkix/include/pkix_certsel.h @@ -118,10 +118,9 @@ extern "C" { * DESCRIPTION: * * This callback function determines whether the specified Cert pointed to by - * "cert" matches the criteria of the CertSelector pointed to by "selector", - * and stores the result at "pResult". If the Cert matches the CertSelector's - * criteria, a value of PKIX_TRUE will be stored at "pResult"; otherwise a - * value of PKIX_FALSE will be stored. + * "cert" matches the criteria of the CertSelector pointed to by "selector". + * If the Cert does not matches the CertSelector's criteria, an exception will + * be thrown. * * PARAMETERS: * "selector" @@ -130,8 +129,6 @@ extern "C" { * "cert" * Address of Cert that is to be matched using "selector". * Must be non-NULL. - * "pResult" - * Address where Boolean value will be stored. Must be non-NULL. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: @@ -148,7 +145,6 @@ typedef PKIX_Error * (*PKIX_CertSelector_MatchCallback)( PKIX_CertSelector *selector, PKIX_PL_Cert *cert, - PKIX_Boolean *pResult, void *plContext); /* @@ -1796,6 +1792,66 @@ PKIX_ComCertSelParams_SetMatchAllSubjAltNames( PKIX_Boolean match, void *plContext); +/* + * FUNCTION: PKIX_ComCertSelParams_GetLeafCertFlag + * DESCRIPTION: + * + * Return "leafCert" flag of the ComCertSelParams structure. If set to true, + * the flag indicates that a selector should filter out all cert that are not + * qualified to be a leaf cert according to the specified key/ekey usages. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object used to determine whether all + * subject alternative names must be matched. Must be non-NULL. + * "pLeafFlag" + * Address of returned value. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error* +PKIX_ComCertSelParams_GetLeafCertFlag( + PKIX_ComCertSelParams *params, + PKIX_Boolean *pLeafFlag, + void *plContext); + +/* + * FUNCTION: PKIX_ComCertSelParams_SetLeafCertFlag + * DESCRIPTION: + * + * Sets a flag that if its value is true, indicates that the selector + * should only pick certs that qualifies to be leaf for this cert path + * validation. + * + * PARAMETERS: + * "params" + * Address of ComCertSelParams object whose match flag is to be set. + * Must be non-NULL. + * "leafFlag" + * Boolean value used to set the leaf flag. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Not Thread Safe - assumes exclusive access to "params" + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a CertSelector Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ComCertSelParams_SetLeafCertFlag( + PKIX_ComCertSelParams *params, + PKIX_Boolean leafFlag, + void *plContext); + #ifdef __cplusplus } #endif diff --git a/security/nss/lib/libpkix/include/pkix_certstore.h b/security/nss/lib/libpkix/include/pkix_certstore.h index 42e202760b5..edeaf5223ab 100755 --- a/security/nss/lib/libpkix/include/pkix_certstore.h +++ b/security/nss/lib/libpkix/include/pkix_certstore.h @@ -141,6 +141,8 @@ extern "C" { * "selector" * Address of CertSelector whose criteria must be satisfied. * Must be non-NULL. + * "verifyNode" + * Parent log node for tracking of filtered out certs. * "pNBIOContext" * Address at which platform-dependent information is stored if the * operation is suspended for non-blocking I/O. Must be non-NULL. @@ -162,6 +164,7 @@ typedef PKIX_Error * (*PKIX_CertStore_CertCallback)( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCerts, /* list of PKIX_PL_Cert */ void *plContext); @@ -194,6 +197,8 @@ typedef PKIX_Error * * "selector" * Address of CertSelector whose criteria must be satisfied. * Must be non-NULL. + * "verifyNode" + * Parent log node for tracking of filtered out certs. * "pNBIOContext" * Address at which platform-dependent information is stored if the * operation is suspended for non-blocking I/O. Must be non-NULL. @@ -215,6 +220,7 @@ PKIX_Error * PKIX_CertStore_CertContinue( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCerts, /* list of PKIX_PL_Cert */ void *plContext); @@ -223,6 +229,7 @@ typedef PKIX_Error * (*PKIX_CertStore_CertContinueFunction)( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCerts, /* list of PKIX_PL_Cert */ void *plContext); diff --git a/security/nss/lib/libpkix/include/pkix_errorstrings.h b/security/nss/lib/libpkix/include/pkix_errorstrings.h index 20bfd5e227e..fcc1c39ffdb 100755 --- a/security/nss/lib/libpkix/include/pkix_errorstrings.h +++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h @@ -228,9 +228,14 @@ PKIX_ERRORENTRY(CERTSELECTORMATCHAUTHKEYIDFAILED,pkix_CertSelector_Match_AuthKey PKIX_ERRORENTRY(CERTSELECTORMATCHBASICCONSTRAINTFAILED,pkix_CertSelector_Match_BasicConstraint failed,0), PKIX_ERRORENTRY(CERTSELECTORMATCHCALLBACKFAILED,PKIX_CertSelector_MatchCallback failed,0), PKIX_ERRORENTRY(CERTSELECTORMATCHCERTIFICATEVALIDFAILED,pkix_CertSelector_Match_CertificateValid failed,0), -PKIX_ERRORENTRY(CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED,pkix_CertSelector_Match_ExtendedKeyUsage failed,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCERTISSUERFAILED,cert does not match issuer name,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCERTOBJECTFAILED,cert does not match cert object,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCERTSERIALNUMFAILED,cert does not match serial number,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCERTSUBJECTFAILED,cert does not match subject name,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHCERTVERSIONFAILED,cert does not match cert version,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED,pkix_CertSelector_Match_ExtendedKeyUsage failed,SEC_ERROR_INADEQUATE_CERT_TYPE), PKIX_ERRORENTRY(CERTSELECTORMATCHFAILED,certSelectorMatch failed,0), -PKIX_ERRORENTRY(CERTSELECTORMATCHKEYUSAGEFAILED,pkix_CertSelector_Match_KeyUsage failed,0), +PKIX_ERRORENTRY(CERTSELECTORMATCHKEYUSAGEFAILED,pkix_CertSelector_Match_KeyUsage failed,SEC_ERROR_INADEQUATE_KEY_USAGE), PKIX_ERRORENTRY(CERTSELECTORMATCHNAMECONSTRAINTSFAILED,pkix_CertSelector_Match_NameConstraints failed,0), PKIX_ERRORENTRY(CERTSELECTORMATCHPATHTONAMESFAILED,pkix_CertSelector_Match_PathToNames failed,0), PKIX_ERRORENTRY(CERTSELECTORMATCHPOLICIESFAILED,pkix_CertSelector_Match_Policies failed,0), @@ -283,6 +288,7 @@ PKIX_ERRORENTRY(COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED,PKIX_ComCertSelParams_ PKIX_ERRORENTRY(COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED,PKIX_ComCertSelParams_GetExtendedKeyUsage failed,0), PKIX_ERRORENTRY(COMCERTSELPARAMSGETISSUERFAILED,PKIX_ComCertSelParams_GetIssuer failed,0), PKIX_ERRORENTRY(COMCERTSELPARAMSGETKEYUSAGEFAILED,PKIX_ComCertSelParams_GetKeyUsage failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSGETLEAFCERTFLAGFAILED,PKIX_ComCertSelParams_GetLeafCertFlag failed,0), PKIX_ERRORENTRY(COMCERTSELPARAMSGETMATCHALLSUBJALTNAMESFAILED,PKIX_ComCertSelParams_GetMatchAllSubjAltNames failed,0), PKIX_ERRORENTRY(COMCERTSELPARAMSGETNAMECONSTRAINTSFAILED,PKIX_ComCertSelParams_GetNameConstraints failed,0), PKIX_ERRORENTRY(COMCERTSELPARAMSGETPATHTONAMESFAILED,PKIX_ComCertSelParams_GetPathToNames failed,0), @@ -299,6 +305,7 @@ PKIX_ERRORENTRY(COMCERTSELPARAMSSETCERTIFICATEFAILED,PKIX_ComCertSelParams_SetCe PKIX_ERRORENTRY(COMCERTSELPARAMSSETCERTIFICATEVALIDFAILED,PKIX_ComCertSelParams_SetCertificateValid failed,0), PKIX_ERRORENTRY(COMCERTSELPARAMSSETEXTKEYUSAGEFAILED,PKIX_ComCertSelParams_SetExtendedKeyUsage failed,0), PKIX_ERRORENTRY(COMCERTSELPARAMSSETKEYUSAGEFAILED,PKIX_ComCertSelParams_SetKeyUsage failed,0), +PKIX_ERRORENTRY(COMCERTSELPARAMSSETLEAFCERTFLAGFAILED,PKIX_ComCertSelParams_SetLeafCertFlag failed,0), PKIX_ERRORENTRY(COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED,PKIX_ComCertSelParams_SetNISTPolicyEnabled failed,0), PKIX_ERRORENTRY(COMCERTSELPARAMSSETPATHTONAMESFAILED,PKIX_ComCertSelParams_SetPathToNames failed,0), PKIX_ERRORENTRY(COMCERTSELPARAMSSETSUBJECTFAILED,PKIX_ComCertSelParams_SetSubject failed,0), @@ -927,6 +934,7 @@ PKIX_ERRORENTRY(PROCESSINGPARAMSSETNISTREVOCATIONENABLEDFAILED,PKIX_ProcessingPa PKIX_ERRORENTRY(PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED,PKIX_ProcessingParams_SetPolicyMappingInhibited failed,0), PKIX_ERRORENTRY(PROCESSINGPARAMSSETREVOCATIONCHECKERFAILED,PKIX_ProcessingParams_SetRevocationChecker failed,0), PKIX_ERRORENTRY(PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED,PKIX_ProcessingParams_SetTargetCertConstraints failed,0), +PKIX_ERRORENTRY(PROCESSINGPARAMSSETQUALIFYTARGETCERTFLAGFAILED,ProcessingParams_SetQualifyTargetCertFlag failed,0), PKIX_ERRORENTRY(PRPOLLFAILED,PR_Poll failed,0), PKIX_ERRORENTRY(PRPOLLRETBADFILENUM,PR_Poll failed,0), PKIX_ERRORENTRY(PRRECVFAILED,PR_Recv failed,0), @@ -1052,6 +1060,7 @@ PKIX_ERRORENTRY(UNEXPECTEDERRORINESTABLISHINGCONNECTION,Unexpected error in esta PKIX_ERRORENTRY(UNEXPECTEDRESULTCODEINRESPONSE,Unexpected result code in Response,SEC_ERROR_BAD_LDAP_RESPONSE), PKIX_ERRORENTRY(UNKNOWNFORMAT,Unknown format,SEC_ERROR_INVALID_ARGS), PKIX_ERRORENTRY(UNKNOWNINFOACCESSTYPE,Unknown InfoAccess type,SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE), +PKIX_ERRORENTRY(UNKNOWNINFOACCESSMETHOD,Unknown InfoAccess method,SEC_ERROR_BAD_INFO_ACCESS_METHOD), PKIX_ERRORENTRY(UNKNOWNOBJECTOID,Unknown object OID,0), PKIX_ERRORENTRY(UNKNOWNOBJECTTYPE,Unknown object type,0), PKIX_ERRORENTRY(UNKNOWNTYPEARGUMENT,Unknown type argument,0), diff --git a/security/nss/lib/libpkix/include/pkix_params.h b/security/nss/lib/libpkix/include/pkix_params.h index ef9e2988f3d..f0aed922563 100755 --- a/security/nss/lib/libpkix/include/pkix_params.h +++ b/security/nss/lib/libpkix/include/pkix_params.h @@ -752,6 +752,37 @@ PKIX_ProcessingParams_SetUseAIAForCertFetching( PKIX_Boolean useAIA, void *plContext); +/* + * FUNCTION: PKIX_ProcessingParams_SetQualifyTargetCert + * DESCRIPTION: + * + * Sets a boolean value that tells if libpkix needs to check that + * the target certificate satisfies the conditions set in processing + * parameters. Includes but not limited to date, ku and eku checks. + * + * PARAMETERS: + * "params" + * Address of ProcessingParams whose List of TrustAnchors are to + * be stored. Must be non-NULL. + * "qualifyTargetCert" + * boolean value if set to true will trigger qualification of the + * target certificate. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Conditionally Thread Safe + * (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns a Params Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_ProcessingParams_SetQualifyTargetCert( + PKIX_ProcessingParams *params, + PKIX_Boolean qualifyTargetCert, + void *plContext); + /* * FUNCTION: PKIX_ProcessingParams_GetHintCerts * DESCRIPTION: diff --git a/security/nss/lib/libpkix/include/pkix_pl_system.h b/security/nss/lib/libpkix/include/pkix_pl_system.h index 447ea1e5e74..053942a2222 100755 --- a/security/nss/lib/libpkix/include/pkix_pl_system.h +++ b/security/nss/lib/libpkix/include/pkix_pl_system.h @@ -1462,20 +1462,11 @@ PKIX_PL_ByteArray_GetLength( * FUNCTION: PKIX_PL_OID_Create * DESCRIPTION: * - * Creates a new OID using the string pointed to by "stringRep" and stores it - * at "pOID". The string representation is a null-terminated char * consisting - * of decimal components separated by dots. All other characters are illegal. - * The first field must be be 0, 1 or 2. If the first field is 0 or 1, the - * second field must be between 0 and 39. All fields must be ASCII decimal - * digits less than or equal to 2^32. Once created, an OID is immutable. - * - * The regexp format is as follows: - * OID := [0,1,2](.NUM)+ - * NUM := [0-9]+ + * Creates a new OID using NSS oid tag. * * PARAMETERS: - * "stringRep" - * Address of character data representing an OID. Must be non-NULL. + * "idtag" + * nss oid id tag. * "pOID" * Address where object pointer will be stored. Must be non-NULL. * "plContext" @@ -1489,7 +1480,33 @@ PKIX_PL_ByteArray_GetLength( */ PKIX_Error * PKIX_PL_OID_Create( - char *stringRep, + SECOidTag idtag, + PKIX_PL_OID **pOID, + void *plContext); + +/* + * FUNCTION: PKIX_PL_OID_CreateBySECItem + * DESCRIPTION: + * + * Creates a new OID using a DER encoded OID stored as SECItem. + * + * PARAMETERS: + * "derOid" + * Address of SECItem that holds DER encoded OID. + * "pOID" + * Address where object pointer will be stored. Must be non-NULL. + * "plContext" + * Platform-specific context pointer. + * THREAD SAFETY: + * Thread Safe (see Thread Safety Definitions in Programmer's Guide) + * RETURNS: + * Returns NULL if the function succeeds. + * Returns an OID Error if the function fails in a non-fatal way. + * Returns a Fatal Error if the function fails in an unrecoverable way. + */ +PKIX_Error * +PKIX_PL_OID_CreateBySECItem( + SECItem *derOid, PKIX_PL_OID **pOID, void *plContext); diff --git a/security/nss/lib/libpkix/include/pkixt.h b/security/nss/lib/libpkix/include/pkixt.h index 9a830f6a203..9c509b44b2f 100755 --- a/security/nss/lib/libpkix/include/pkixt.h +++ b/security/nss/lib/libpkix/include/pkixt.h @@ -473,18 +473,26 @@ PKIX_Error* PKIX_ALLOC_ERROR(void); /* * Define Certificate Extension hard-coded OID's */ -#define PKIX_CERTKEYUSAGE_OID "2.5.29.15" -#define PKIX_CERTSUBJALTNAME_OID "2.5.29.17" -#define PKIX_BASICCONSTRAINTS_OID "2.5.29.19" -#define PKIX_CRLREASONCODE_OID "2.5.29.21" -#define PKIX_NAMECONSTRAINTS_OID "2.5.29.30" -#define PKIX_CERTIFICATEPOLICIES_OID "2.5.29.32" -#define PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID "2.5.29.32.0" -#define PKIX_POLICYMAPPINGS_OID "2.5.29.33" -#define PKIX_POLICYCONSTRAINTS_OID "2.5.29.36" -#define PKIX_EXTENDEDKEYUSAGE_OID "2.5.29.37" -#define PKIX_INHIBITANYPOLICY_OID "2.5.29.54" -#define PKIX_NSCERTTYPE_OID "2.16.840.1.113730.1.1" +#define PKIX_UNKNOWN_OID SEC_OID_UNKNOWN +#define PKIX_CERTKEYUSAGE_OID SEC_OID_X509_KEY_USAGE +#define PKIX_CERTSUBJALTNAME_OID SEC_OID_X509_SUBJECT_ALT_NAME +#define PKIX_BASICCONSTRAINTS_OID SEC_OID_X509_BASIC_CONSTRAINTS +#define PKIX_CRLREASONCODE_OID SEC_OID_X509_REASON_CODE +#define PKIX_NAMECONSTRAINTS_OID SEC_OID_X509_NAME_CONSTRAINTS +#define PKIX_CERTIFICATEPOLICIES_OID SEC_OID_X509_CERTIFICATE_POLICIES +#define PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID SEC_OID_X509_ANY_POLICY +#define PKIX_POLICYMAPPINGS_OID SEC_OID_X509_POLICY_MAPPINGS +#define PKIX_POLICYCONSTRAINTS_OID SEC_OID_X509_POLICY_CONSTRAINTS +#define PKIX_EXTENDEDKEYUSAGE_OID SEC_OID_X509_EXT_KEY_USAGE +#define PKIX_INHIBITANYPOLICY_OID SEC_OID_X509_INHIBIT_ANY_POLICY +#define PKIX_NSCERTTYPE_OID SEC_OID_NS_CERT_EXT_CERT_TYPE +#define PKIX_KEY_USAGE_SERVER_AUTH_OID SEC_OID_EXT_KEY_USAGE_SERVER_AUTH +#define PKIX_KEY_USAGE_CLIENT_AUTH_OID SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH +#define PKIX_KEY_USAGE_CODE_SIGN_OID SEC_OID_EXT_KEY_USAGE_CODE_SIGN +#define PKIX_KEY_USAGE_EMAIL_PROTECT_OID SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT +#define PKIX_KEY_USAGE_TIME_STAMP_OID SEC_OID_EXT_KEY_USAGE_TIME_STAMP +#define PKIX_KEY_USAGE_OCSP_RESPONDER_OID SEC_OID_OCSP_RESPONDER + /* Available revocation method types. */ typedef enum PKIX_RevocationMethodTypeEnum { diff --git a/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c index 1ea99ac4ae7..f02ce429547 100755 --- a/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c +++ b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c @@ -296,8 +296,7 @@ pkix_CertSelector_Match_Policies( if (!certPolicyInfos) { PKIX_CERTSELECTOR_DEBUG("Certificate has no policies\n"); *pResult = PKIX_FALSE; - goto cleanup; - + PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED); } PKIX_CHECK(PKIX_List_GetLength @@ -334,10 +333,8 @@ pkix_CertSelector_Match_Policies( PKIX_DECREF(polOID); } if (!result) { - PKIX_CERTSELECTOR_DEBUG - ("Certificate has no acceptable policies\n"); - *pResult = PKIX_FALSE; - goto cleanup; + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED); } } } @@ -407,7 +404,9 @@ pkix_CertSelector_Match_CertificateValid( } cleanup: - + if (PKIX_ERROR_RECEIVED) { + *pResult = PKIX_FALSE; + } PKIX_DECREF(validityTime); PKIX_RETURN(CERTSELECTOR); @@ -466,6 +465,9 @@ pkix_CertSelector_Match_NameConstraints( } cleanup: + if (PKIX_ERROR_RECEIVED) { + *pResult = PKIX_FALSE; + } PKIX_DECREF(nameConstraints); PKIX_RETURN(CERTSELECTOR); @@ -531,9 +533,8 @@ pkix_CertSelector_Match_PathToNames( PKIX_CERTNAMECONSTRAINTSCHECKNAMESINNAMESPACEFAILED); if (passed != PKIX_TRUE) { - PKIX_CERTSELECTOR_DEBUG("PathToName Match failed\n"); - *pResult = PKIX_FALSE; - goto cleanup; + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHPATHTONAMESFAILED); } } @@ -607,59 +608,52 @@ pkix_CertSelector_Match_SubjAltNames( (cert, &certSubjAltNames, plContext), PKIX_CERTGETSUBJALTNAMESFAILED); - if (certSubjAltNames != NULL) { + if (certSubjAltNames == NULL) { + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED); + } - PKIX_CHECK(PKIX_List_GetLength - (subjAltNamesList, &numItems, plContext), - PKIX_LISTGETLENGTHFAILED); - - for (i = 0; i < numItems; i++) { - - PKIX_CHECK(PKIX_List_GetItem - (subjAltNamesList, + PKIX_CHECK(PKIX_List_GetLength + (subjAltNamesList, &numItems, plContext), + PKIX_LISTGETLENGTHFAILED); + + for (i = 0; i < numItems; i++) { + + PKIX_CHECK(PKIX_List_GetItem + (subjAltNamesList, i, (PKIX_PL_Object **) &name, plContext), - PKIX_LISTGETITEMFAILED); - - PKIX_CHECK(pkix_List_Contains - (certSubjAltNames, + PKIX_LISTGETITEMFAILED); + + PKIX_CHECK(pkix_List_Contains + (certSubjAltNames, (PKIX_PL_Object *) name, &checkPassed, plContext), - PKIX_LISTCONTAINSFAILED); - - PKIX_DECREF(name); - - if (checkPassed == PKIX_TRUE) { - - if (matchAll == PKIX_FALSE) { - /* one match is good enough */ - matchCount = numItems; - break; - } else { - /* else continue checking next */ - matchCount++; - } - - } - + PKIX_LISTCONTAINSFAILED); + + PKIX_DECREF(name); + + if (checkPassed == PKIX_TRUE) { + + if (matchAll == PKIX_FALSE) { + /* one match is good enough */ + matchCount = numItems; + break; + } else { + /* else continue checking next */ + matchCount++; + } + } - - if (matchCount != numItems) { - PKIX_CERTSELECTOR_DEBUG("SubjAltName Match failed\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - - } else { - - PKIX_CERTSELECTOR_DEBUG - ("SubjAltName Match failed: Cert has no SubjAltName\n"); - *pResult = PKIX_FALSE; - goto cleanup; + + } + + if (matchCount != numItems) { + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED); } - } cleanup: @@ -750,10 +744,8 @@ pkix_CertSelector_Match_ExtendedKeyUsage( PKIX_DECREF(ekuOid); if (isContained != PKIX_TRUE) { - PKIX_CERTSELECTOR_DEBUG - ("Extended Key Usage Match failed\n"); - *pResult = PKIX_FALSE; - goto cleanup; + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED); } } } @@ -819,6 +811,9 @@ pkix_CertSelector_Match_KeyUsage( } cleanup: + if (PKIX_ERROR_RECEIVED) { + *pResult = PKIX_FALSE; + } PKIX_RETURN(CERTSELECTOR); } @@ -874,24 +869,21 @@ pkix_CertSelector_Match_SubjKeyId( (cert, &certSubjKeyId, plContext), PKIX_CERTGETSUBJECTKEYIDENTIFIERFAILED); - if (certSubjKeyId != NULL) { - PKIX_CHECK(PKIX_PL_Object_Equals - ((PKIX_PL_Object *)selSubjKeyId, - (PKIX_PL_Object *)certSubjKeyId, - &equals, - plContext), - PKIX_OBJECTEQUALSFAILED); - - if (equals != PKIX_TRUE) { - PKIX_CERTSELECTOR_DEBUG("SubjKeyId Match failed\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - } else { - PKIX_CERTSELECTOR_DEBUG - ("SubjKeyId Match failed: Cert has no SubjKeyId\n"); + if (certSubjKeyId == NULL) { *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED); + } + + PKIX_CHECK(PKIX_PL_Object_Equals + ((PKIX_PL_Object *)selSubjKeyId, + (PKIX_PL_Object *)certSubjKeyId, + &equals, + plContext), + PKIX_OBJECTEQUALSFAILED); + + if (equals != PKIX_TRUE) { + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED); } } @@ -954,24 +946,20 @@ pkix_CertSelector_Match_AuthKeyId( (cert, &certAuthKeyId, plContext), PKIX_CERTGETAUTHORITYKEYIDENTIFIERFAILED); - if (certAuthKeyId != NULL) { - PKIX_CHECK(PKIX_PL_Object_Equals - ((PKIX_PL_Object *)selAuthKeyId, - (PKIX_PL_Object *)certAuthKeyId, - &equals, - plContext), - PKIX_OBJECTEQUALSFAILED); - - if (equals != PKIX_TRUE) { - PKIX_CERTSELECTOR_DEBUG("AuthKeyId Match failed\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - } else { - PKIX_CERTSELECTOR_DEBUG - ("AuthKeyId Match failed: Cert has no AuthKeyId\n"); + if (certAuthKeyId == NULL) { *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED); + } + PKIX_CHECK(PKIX_PL_Object_Equals + ((PKIX_PL_Object *)selAuthKeyId, + (PKIX_PL_Object *)certAuthKeyId, + &equals, + plContext), + PKIX_OBJECTEQUALSFAILED); + + if (equals != PKIX_TRUE) { + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED); } } @@ -1035,24 +1023,19 @@ pkix_CertSelector_Match_SubjPKAlgId( PKIX_CERTGETSUBJECTPUBLICKEYALGIDFAILED); if (certPKAlgId != NULL) { - PKIX_CHECK(PKIX_PL_Object_Equals - ((PKIX_PL_Object *)selPKAlgId, - (PKIX_PL_Object *)certPKAlgId, - &equals, - plContext), - PKIX_OBJECTEQUALSFAILED); - - if (equals != PKIX_TRUE) { - PKIX_CERTSELECTOR_DEBUG - ("SubjPKAlgId Match failed\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - } else { - PKIX_CERTSELECTOR_DEBUG - ("SubjPKAlgId Match failed: Cert has no SubjPKAlgId\n"); *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED); + } + PKIX_CHECK(PKIX_PL_Object_Equals + ((PKIX_PL_Object *)selPKAlgId, + (PKIX_PL_Object *)certPKAlgId, + &equals, + plContext), + PKIX_OBJECTEQUALSFAILED); + + if (equals != PKIX_TRUE) { + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED); } } @@ -1115,26 +1098,20 @@ pkix_CertSelector_Match_SubjPubKey( (cert, &certPK, plContext), PKIX_CERTGETSUBJECTPUBLICKEYFAILED); - if (certPK != NULL) { - PKIX_CHECK(PKIX_PL_Object_Equals - ((PKIX_PL_Object *)selPK, - (PKIX_PL_Object *)certPK, - &equals, - plContext), - PKIX_OBJECTEQUALSFAILED); - - if (equals != PKIX_TRUE) { - PKIX_CERTSELECTOR_DEBUG - ("Subject Public Key Match failed\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - - } else { - PKIX_CERTSELECTOR_DEBUG - ("SubjPubKey Match failed: Cert has no SubjPubKey\n"); + if (certPK == NULL) { *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED); + } + PKIX_CHECK(PKIX_PL_Object_Equals + ((PKIX_PL_Object *)selPK, + (PKIX_PL_Object *)certPK, + &equals, + plContext), + PKIX_OBJECTEQUALSFAILED); + + if (equals != PKIX_TRUE) { + *pResult = PKIX_FALSE; + PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED); } } @@ -1152,9 +1129,8 @@ cleanup: * * This default match function determines whether the specified Cert pointed * to by "cert" matches the criteria of the CertSelector pointed to by - * "selector". If the Cert satisfies the CertSelector's criteria, PKIX_TRUE - * is stored at "pResult". If the Cert does not match the CertSelector's - * criteria, PKIX_FALSE is stored at "pResult". + * "selector". If the Cert does not match the CertSelector's + * criteria, an error will be thrown. * * This default match function understands how to process the most common * parameters. Any common parameter that is not set is assumed to be disabled, @@ -1175,8 +1151,6 @@ cleanup: * "cert" * Address of Cert that is to be matched using "selector". * Must be non-NULL. - * "pResult" - * Address of PKIX_Boolean that returns the match result. * "plContext" * Platform-specific context pointer. * THREAD SAFETY: @@ -1191,7 +1165,6 @@ static PKIX_Error * pkix_CertSelector_DefaultMatch( PKIX_CertSelector *selector, PKIX_PL_Cert *cert, - PKIX_Boolean *pResult, void *plContext) { PKIX_ComCertSelParams *params = NULL; @@ -1203,7 +1176,6 @@ pkix_CertSelector_DefaultMatch( PKIX_PL_BigInt *selSerialNumber = NULL; PKIX_PL_Cert *selCert = NULL; PKIX_PL_Date *selDate = NULL; - PKIX_UInt32 requiredKeyUsage = 0; PKIX_UInt32 selVersion = 0xFFFFFFFF; PKIX_UInt32 certVersion = 0; PKIX_Boolean result = PKIX_TRUE; @@ -1215,9 +1187,7 @@ pkix_CertSelector_DefaultMatch( #endif PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_DefaultMatch"); - PKIX_NULLCHECK_THREE(selector, cert, pResult); - - *pResult = PKIX_TRUE; + PKIX_NULLCHECK_TWO(selector, cert); PKIX_INCREF(selector->params); params = selector->params; @@ -1236,9 +1206,7 @@ pkix_CertSelector_DefaultMatch( PKIX_CERTGETVERSIONFAILED); if (selVersion != certVersion) { - PKIX_CERTSELECTOR_DEBUG("Version Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTVERSIONFAILED); } } @@ -1257,16 +1225,10 @@ pkix_CertSelector_DefaultMatch( PKIX_X500NAMEMATCHFAILED); if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG - ("Subject Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED); } } else { /* cert has no subject */ - PKIX_CERTSELECTOR_DEBUG("Subject Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED); } } @@ -1284,9 +1246,7 @@ pkix_CertSelector_DefaultMatch( PKIX_X500NAMEMATCHFAILED); if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("Issuer Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTISSUERFAILED); } } @@ -1307,9 +1267,7 @@ pkix_CertSelector_DefaultMatch( PKIX_OBJECTEQUALSFAILED); if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("Serial Number Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSERIALNUMFAILED); } } @@ -1326,13 +1284,10 @@ pkix_CertSelector_DefaultMatch( PKIX_OBJECTEQUALSFAILED); if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("Certificate Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; + PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTOBJECTFAILED); } } - PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid (params, &selDate, plContext), PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED); @@ -1343,136 +1298,55 @@ pkix_CertSelector_DefaultMatch( PKIX_CERTCHECKVALIDITYFAILED); } - PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage - (params, &requiredKeyUsage, plContext), - PKIX_COMCERTSELPARAMSGETKEYUSAGEFAILED); - - if (requiredKeyUsage != 0) { - PKIX_CHECK(PKIX_PL_Cert_VerifyKeyUsage - (cert, requiredKeyUsage, plContext), - PKIX_CERTVERIFYKEYUSAGEFAILED); - } - PKIX_CHECK(pkix_CertSelector_Match_BasicConstraint (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHBASICCONSTRAINTFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("BasicConstraint Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_Policies (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHPOLICIESFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("Policies Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_CertificateValid (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHCERTIFICATEVALIDFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("CertificateValid Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_NameConstraints (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHNAMECONSTRAINTSFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("NameConstraints Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_PathToNames (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHPATHTONAMESFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("PathToNames Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_SubjAltNames (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("SubjAltNames Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - + /* Next two check are for user supplied additional KU and EKU. */ PKIX_CHECK(pkix_CertSelector_Match_ExtendedKeyUsage (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("ExtendedKeyUsage Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_KeyUsage (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHKEYUSAGEFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("KeyUsage Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_SubjKeyId (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("SubjKeyId Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_AuthKeyId (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("AuthKeyId Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_SubjPKAlgId (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("SubjPKAlgId Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - PKIX_CHECK(pkix_CertSelector_Match_SubjPubKey (params, cert, &result, plContext), PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED); - if (result == PKIX_FALSE){ - PKIX_CERTSELECTOR_DEBUG("SubjPubKey Match FAILED\n"); - *pResult = PKIX_FALSE; - goto cleanup; - } - /* if we reach here, the cert has successfully matched criteria */ @@ -1725,7 +1599,6 @@ pkix_CertSelector_Select( PKIX_List **pAfter, void *plContext) { - PKIX_Boolean match = PKIX_FALSE; PKIX_UInt32 numBefore = 0; PKIX_UInt32 i = 0; PKIX_List *filtered = NULL; @@ -1747,10 +1620,10 @@ pkix_CertSelector_Select( PKIX_LISTGETITEMFAILED); PKIX_CHECK_ONLY_FATAL(selector->matchCallback - (selector, candidate, &match, plContext), + (selector, candidate, plContext), PKIX_CERTSELECTORMATCHCALLBACKFAILED); - if ((!(PKIX_ERROR_RECEIVED)) && (match == PKIX_TRUE)) { + if (!(PKIX_ERROR_RECEIVED)) { PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem (filtered, diff --git a/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.c b/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.c index dbc153964e4..787ab26dfc3 100755 --- a/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.c +++ b/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.c @@ -192,6 +192,8 @@ pkix_ComCertSelParams_Duplicate( plContext, PKIX_OBJECTDUPLICATEFAILED); + paramsDuplicate->leafCertFlag = params->leafCertFlag; + *pNewObject = (PKIX_PL_Object *)paramsDuplicate; cleanup: @@ -219,21 +221,14 @@ PKIX_Error * pkix_ComCertSelParams_RegisterSelf(void *plContext) { extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES]; - pkix_ClassTable_Entry entry; + pkix_ClassTable_Entry* entry = &systemClasses[PKIX_COMCERTSELPARAMS_TYPE]; PKIX_ENTER(COMCERTSELPARAMS, "pkix_ComCertSelParams_RegisterSelf"); - entry.description = "ComCertSelParams"; - entry.objCounter = 0; - entry.typeObjectSize = sizeof(PKIX_ComCertSelParams); - entry.destructor = pkix_ComCertSelParams_Destroy; - entry.equalsFunction = NULL; - entry.hashcodeFunction = NULL; - entry.toStringFunction = NULL; - entry.comparator = NULL; - entry.duplicateFunction = pkix_ComCertSelParams_Duplicate; - - systemClasses[PKIX_COMCERTSELPARAMS_TYPE] = entry; + entry->description = "ComCertSelParams"; + entry->typeObjectSize = sizeof(PKIX_ComCertSelParams); + entry->destructor = pkix_ComCertSelParams_Destroy; + entry->duplicateFunction = pkix_ComCertSelParams_Duplicate; PKIX_RETURN(COMCERTSELPARAMS); } @@ -283,6 +278,7 @@ PKIX_ComCertSelParams_Create( params->subjKeyId = NULL; params->subjPubKey = NULL; params->subjPKAlgId = NULL; + params->leafCertFlag = PKIX_TRUE; *pParams = params; @@ -1181,3 +1177,45 @@ cleanup: PKIX_RETURN(COMCERTSELPARAMS); } + +/* + * FUNCTION: PKIX_ComCertSelParams_GetLeafCertFlag + * (see comments in pkix_certsel.h) + */ +PKIX_Error* +PKIX_ComCertSelParams_GetLeafCertFlag( + PKIX_ComCertSelParams *params, + PKIX_Boolean *pLeafFlag, + void *plContext) +{ + PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetLeafCertFlag"); + PKIX_NULLCHECK_TWO(params, pLeafFlag); + + *pLeafFlag = params->leafCertFlag; + + PKIX_RETURN(COMCERTSELPARAMS); +} + +/* + * FUNCTION: PKIX_ComCertSelParams_SetLeafCertFlag + * (see comments in pkix_certsel.h) + */ +PKIX_Error * +PKIX_ComCertSelParams_SetLeafCertFlag( + PKIX_ComCertSelParams *params, + PKIX_Boolean leafFlag, + void *plContext) +{ + PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetLeafCertFlag"); + PKIX_NULLCHECK_ONE(params); + + params->leafCertFlag = leafFlag; + + PKIX_CHECK(PKIX_PL_Object_InvalidateCache + ((PKIX_PL_Object *)params, plContext), + PKIX_OBJECTINVALIDATECACHEFAILED); + +cleanup: + + PKIX_RETURN(COMCERTSELPARAMS); +} diff --git a/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h b/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h index af778802d7d..0c67cb133d9 100755 --- a/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h +++ b/security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h @@ -76,6 +76,7 @@ struct PKIX_ComCertSelParamsStruct { PKIX_PL_ByteArray *subjKeyId; PKIX_PL_PublicKey *subjPubKey; PKIX_PL_OID *subjPKAlgId; + PKIX_Boolean leafCertFlag; }; /* see source file for function documentation */ diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c index 0fbf7cccd00..736e7619424 100644 --- a/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c +++ b/security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c @@ -43,14 +43,14 @@ #include "pkix_ekuchecker.h" -char *ekuOidStrings[] = { - "1.3.6.1.5.5.7.3.1", /* id-kp-serverAuth */ - "1.3.6.1.5.5.7.3.2", /* id-kp-clientAuth */ - "1.3.6.1.5.5.7.3.3", /* id-kp-codeSigning */ - "1.3.6.1.5.5.7.3.4", /* id-kp-emailProtection */ - "1.3.6.1.5.5.7.3.8", /* id-kp-timeStamping */ - "1.3.6.1.5.5.7.3.9", /* id-kp-OCSPSigning */ - NULL +SECOidTag ekuOidStrings[] = { + PKIX_KEY_USAGE_SERVER_AUTH_OID, + PKIX_KEY_USAGE_CLIENT_AUTH_OID, + PKIX_KEY_USAGE_CODE_SIGN_OID, + PKIX_KEY_USAGE_EMAIL_PROTECT_OID, + PKIX_KEY_USAGE_TIME_STAMP_OID, + PKIX_KEY_USAGE_OCSP_RESPONDER_OID, + PKIX_UNKNOWN_OID }; typedef struct pkix_EkuCheckerStruct { diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c index 78e3b329309..2f32e86bb82 100644 --- a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c +++ b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c @@ -251,7 +251,7 @@ pkix_OcspChecker_CheckExternal( PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo; void *nbioContext = NULL; - PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_Check"); + PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_CheckExternal"); PKIX_CHECK( pkix_CheckType((PKIX_PL_Object*)checkerObject, diff --git a/security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c b/security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c index 57486fa2ce2..09697d3d899 100755 --- a/security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c +++ b/security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c @@ -378,14 +378,8 @@ pkix_TargetCertChecker_Check( PKIX_CHECK(certSelectorMatch (state->certSelector, cert, - &checkPassed, plContext), PKIX_CERTSELECTORMATCHFAILED); - - if (checkPassed != PKIX_TRUE){ - PKIX_ERROR(PKIX_CERTSELECTORCHECKFAILED); - } - /* * There are two Extended Key Usage Checkings * available : diff --git a/security/nss/lib/libpkix/pkix/params/pkix_procparams.c b/security/nss/lib/libpkix/pkix/params/pkix_procparams.c index 7253495fe41..02033e27a7d 100755 --- a/security/nss/lib/libpkix/pkix/params/pkix_procparams.c +++ b/security/nss/lib/libpkix/pkix/params/pkix_procparams.c @@ -588,6 +588,7 @@ PKIX_ProcessingParams_Create( params->isCrlRevocationCheckingEnabledWithNISTPolicy = PKIX_TRUE; params->useAIAForCertFetching = PKIX_FALSE; + params->qualifyTargetCert = PKIX_TRUE; *pParams = params; params = NULL; @@ -636,6 +637,44 @@ PKIX_ProcessingParams_SetUseAIAForCertFetching( PKIX_RETURN(PROCESSINGPARAMS); } +/* + * FUNCTION: PKIX_ProcessingParams_GetQualifyTargetCert + * (see comments in pkix_params.h) + */ +PKIX_Error * +PKIX_ProcessingParams_GetValidateTargetCert( + PKIX_ProcessingParams *params, + PKIX_Boolean *pQualifyTargetCert, + void *plContext) +{ + PKIX_ENTER(PROCESSINGPARAMS, + "PKIX_ProcessingParams_GetValidateTargetCert"); + PKIX_NULLCHECK_TWO(params, pQualifyTargetCert); + + *pQualifyTargetCert = params->qualifyTargetCert; + + PKIX_RETURN(PROCESSINGPARAMS); +} + +/* + * FUNCTION: PKIX_ProcessingParams_SetQualifyTargetCert + * (see comments in pkix_params.h) + */ +PKIX_Error * +PKIX_ProcessingParams_SetQualifyTargetCert( + PKIX_ProcessingParams *params, + PKIX_Boolean qualifyTargetCert, + void *plContext) +{ + PKIX_ENTER(PROCESSINGPARAMS, + "PKIX_ProcessingParams_SetQualifyTargetCert"); + PKIX_NULLCHECK_ONE(params); + + params->qualifyTargetCert = qualifyTargetCert; + + PKIX_RETURN(PROCESSINGPARAMS); +} + /* * FUNCTION: PKIX_ProcessingParams_SetTrustAnchors * (see comments in pkix_params.h) diff --git a/security/nss/lib/libpkix/pkix/params/pkix_procparams.h b/security/nss/lib/libpkix/pkix/params/pkix_procparams.h index 99cd27a1f88..5006a7f9a84 100755 --- a/security/nss/lib/libpkix/pkix/params/pkix_procparams.h +++ b/security/nss/lib/libpkix/pkix/params/pkix_procparams.h @@ -68,6 +68,7 @@ struct PKIX_ProcessingParamsStruct { PKIX_RevocationChecker *revChecker; PKIX_ResourceLimits *resourceLimits; PKIX_Boolean useAIAForCertFetching; + PKIX_Boolean qualifyTargetCert; }; /* see source file for function documentation */ diff --git a/security/nss/lib/libpkix/pkix/store/pkix_store.c b/security/nss/lib/libpkix/pkix/store/pkix_store.c index faa3ccd8ed3..b1976ae35b7 100755 --- a/security/nss/lib/libpkix/pkix/store/pkix_store.c +++ b/security/nss/lib/libpkix/pkix/store/pkix_store.c @@ -299,6 +299,7 @@ PKIX_Error * PKIX_CertStore_CertContinue( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCertList, void *plContext) @@ -307,7 +308,8 @@ PKIX_CertStore_CertContinue( PKIX_NULLCHECK_FOUR(store, selector, pNBIOContext, pCertList); PKIX_CHECK(store->certContinue - (store, selector, pNBIOContext, pCertList, plContext), + (store, selector, verifyNode, + pNBIOContext, pCertList, plContext), PKIX_CERTSTORECERTCONTINUEFUNCTIONFAILED); cleanup: diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.c b/security/nss/lib/libpkix/pkix/top/pkix_build.c index df19eecdf08..20aa6d39b31 100755 --- a/security/nss/lib/libpkix/pkix/top/pkix_build.c +++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c @@ -53,14 +53,14 @@ extern PRLogModuleInfo *pkixLog; * checked. Those OIDs need to be removed from the unresolved critical * extension OIDs list manually (instead of by checker automatically). */ -static char *buildCheckedCritExtOIDs[] = { +static SECOidTag buildCheckedCritExtOIDs[] = { PKIX_CERTKEYUSAGE_OID, PKIX_CERTSUBJALTNAME_OID, PKIX_BASICCONSTRAINTS_OID, PKIX_NAMECONSTRAINTS_OID, PKIX_EXTENDEDKEYUSAGE_OID, PKIX_NSCERTTYPE_OID, - NULL + PKIX_UNKNOWN_OID }; /* --Private-ForwardBuilderState-Functions---------------------------------- */ @@ -1139,7 +1139,7 @@ pkix_Build_ValidationCheckers( PKIX_CHECK(PKIX_List_Create(&buildCheckedCritExtOIDsList, plContext), PKIX_LISTCREATEFAILED); - for (i = 0; buildCheckedCritExtOIDs[i] != NULL; i++) { + for (i = 0; buildCheckedCritExtOIDs[i] != PKIX_UNKNOWN_OID; i++) { PKIX_CHECK(PKIX_PL_OID_Create (buildCheckedCritExtOIDs[i], &oid, plContext), PKIX_OIDCREATEFAILED); @@ -1557,7 +1557,6 @@ pkix_Build_SelectCertsFromTrustAnchors( PKIX_List *matchList = NULL; PKIX_CertSelector *certSel = NULL; PKIX_CertSelector_MatchCallback selectorMatchCB = NULL; - PKIX_Boolean certMatch = PKIX_TRUE; PKIX_ENTER(BUILD, "pkix_Build_SelectCertsFromTrustAnchors"); @@ -1582,9 +1581,8 @@ pkix_Build_SelectCertsFromTrustAnchors( (anchor, &trustedCert, plContext), PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED); pkixErrorResult = - (*selectorMatchCB)(certSel, trustedCert, - &certMatch, plContext); - if (!pkixErrorResult && certMatch) { + (*selectorMatchCB)(certSel, trustedCert, plContext); + if (!pkixErrorResult) { if (!matchList) { PKIX_CHECK(PKIX_List_Create(&matchList, plContext), @@ -1796,6 +1794,7 @@ pkix_Build_GatherCerts( PKIX_CHECK(getCerts (certStore, state->certSel, + state->verifyNode, &nbioContext, &certsFound, plContext), @@ -1804,6 +1803,7 @@ pkix_Build_GatherCerts( PKIX_CHECK(PKIX_CertStore_CertContinue (certStore, state->certSel, + state->verifyNode, &nbioContext, &certsFound, plContext), @@ -3211,6 +3211,7 @@ pkix_Build_InitiateBuildChain( PKIX_TrustAnchor *matchingAnchor = NULL; PKIX_ForwardBuilderState *state = NULL; PKIX_CertStore_CheckTrustCallback trustCallback = NULL; + PKIX_CertSelector_MatchCallback selectorCallback = NULL; PKIX_PL_AIAMgr *aiaMgr = NULL; PKIX_ENTER(BUILD, "pkix_Build_InitiateBuildChain"); @@ -3235,10 +3236,9 @@ pkix_Build_InitiateBuildChain( PKIX_LISTGETLENGTHFAILED); /* retrieve stuff from targetCertConstraints */ - PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints - (procParams, &targetConstraints, plContext), - PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED); + (procParams, &targetConstraints, plContext), + PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED); PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams (targetConstraints, &targetParams, plContext), @@ -3329,10 +3329,28 @@ pkix_Build_InitiateBuildChain( (tentativeChain, (PKIX_PL_Object *)targetCert, plContext), PKIX_LISTAPPENDITEMFAILED); - /* Failure here is reportable */ - pkixErrorResult = PKIX_PL_Cert_CheckValidity - (targetCert, testDate, plContext); - if (pkixErrorResult) { + if (procParams->qualifyTargetCert) { + /* EE cert validation */ + /* Sync up the time on the target selector parameter struct. */ + PKIX_CHECK( + PKIX_ComCertSelParams_SetCertificateValid(targetParams, + testDate, + plContext), + PKIX_COMCERTSELPARAMSSETCERTIFICATEVALIDFAILED); + + PKIX_CHECK( + PKIX_ComCertSelParams_SetLeafCertFlag(targetParams, + PKIX_TRUE, plContext), + PKIX_COMCERTSELPARAMSSETLEAFCERTFLAGFAILED); + + PKIX_CHECK(PKIX_CertSelector_GetMatchCallback + (targetConstraints, &selectorCallback, plContext), + PKIX_CERTSELECTORGETMATCHCALLBACKFAILED); + + pkixErrorResult = + (*selectorCallback)(targetConstraints, targetCert, + plContext); + if (pkixErrorResult) { pkixErrorClass = pkixErrorResult->errClass; if (pkixErrorClass == PKIX_FATAL_ERROR) { goto cleanup; @@ -3353,6 +3371,7 @@ pkix_Build_InitiateBuildChain( } pkixErrorCode = PKIX_CERTCHECKVALIDITYFAILED; goto cleanup; + } } PKIX_CHECK(PKIX_ProcessingParams_GetCertStores diff --git a/security/nss/lib/libpkix/pkix/util/pkix_tools.c b/security/nss/lib/libpkix/pkix/util/pkix_tools.c index 36775dee999..5fcdfb1b109 100755 --- a/security/nss/lib/libpkix/pkix/util/pkix_tools.c +++ b/security/nss/lib/libpkix/pkix/util/pkix_tools.c @@ -968,10 +968,10 @@ pkix_CacheCert_Lookup( PKIX_PL_Date *cacheValidUntilDate = NULL; PKIX_CertSelector *certSel = NULL; PKIX_Error *cachedCertError = NULL; + PKIX_Error *selectorError = NULL; PKIX_CertSelector_MatchCallback selectorMatch = NULL; PKIX_Int32 cmpValidTimeResult = PKIX_FALSE; PKIX_Int32 cmpCacheTimeResult = 0; - PKIX_Boolean certMatch = PKIX_FALSE; PKIX_UInt32 numItems = 0; PKIX_UInt32 i; @@ -1095,22 +1095,16 @@ pkix_CacheCert_Lookup( goto cleanup; } - PKIX_CHECK(selectorMatch - (certSel, - cert, - &certMatch, - plContext), - PKIX_SELECTORMATCHFAILED); - - if (certMatch){ + selectorError = selectorMatch(certSel, cert, plContext); + if (!selectorError){ /* put on the return list */ PKIX_CHECK(PKIX_List_AppendItem (selCertList, (PKIX_PL_Object *)cert, plContext), PKIX_LISTAPPENDITEMFAILED); - - *pFound = PKIX_TRUE; + } else { + PKIX_DECREF(selectorError); } PKIX_DECREF(cert); @@ -1149,6 +1143,7 @@ cleanup: PKIX_DECREF(selCertList); PKIX_DECREF(invalidAfterDate); PKIX_DECREF(cachedCertError); + PKIX_DECREF(selectorError); PKIX_RETURN(BUILD); } diff --git a/security/nss/lib/libpkix/pkix/util/pkix_tools.h b/security/nss/lib/libpkix/pkix/util/pkix_tools.h index dd7d5aac7c9..80d53281747 100755 --- a/security/nss/lib/libpkix/pkix/util/pkix_tools.h +++ b/security/nss/lib/libpkix/pkix/util/pkix_tools.h @@ -659,12 +659,16 @@ extern PLHashNumber PR_CALLBACK pkix_ErrorGen_Hash (const void *key); * This needs to be replaced with Loggers. */ +#ifdef DEBUG #define PKIX_DEBUG(expr) \ do { \ _PKIX_DEBUG_TRACE(pkixLoggersErrors, expr, PKIX_LOGGER_LEVEL_DEBUG); \ - (void) printf("(%s: ", myFuncName); \ - (void) printf(expr); \ + (void) fprintf(stderr, "(%s: ", myFuncName); \ + (void) fprintf(stderr, expr); \ } while (0) +#else +#define PKIX_DEBUG(expr) +#endif /* Logging doesn't support DEBUG with ARG: cannot convert control and arg */ #define PKIX_DEBUG_ARG(expr, arg) \ diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c index 3be40169144..bf40ea3f80e 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c @@ -910,7 +910,6 @@ pkix_pl_CollectionCertStoreContext_GetSelectedCert( PKIX_List *selectCertList = NULL; PKIX_PL_Cert *certItem = NULL; PKIX_CertSelector_MatchCallback certSelectorMatch = NULL; - PKIX_Boolean pass = PKIX_TRUE; PKIX_UInt32 numCerts = 0; PKIX_UInt32 i = 0; @@ -942,10 +941,10 @@ pkix_pl_CollectionCertStoreContext_GetSelectedCert( if (!PKIX_ERROR_RECEIVED){ PKIX_CHECK_ONLY_FATAL (certSelectorMatch - (selector, certItem, &pass, plContext), + (selector, certItem, plContext), PKIX_CERTSELECTORMATCHFAILED); - if (!PKIX_ERROR_RECEIVED && pass){ + if (!PKIX_ERROR_RECEIVED){ PKIX_CHECK_ONLY_FATAL (PKIX_List_AppendItem (selectCertList, @@ -1098,6 +1097,7 @@ PKIX_Error * pkix_pl_CollectionCertStore_GetCert( PKIX_CertStore *certStore, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCerts, void *plContext) diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c index fc3ab3c1e71..b2776e80275 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c @@ -590,6 +590,7 @@ PKIX_Error * pkix_pl_HttpCertStore_GetCert( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCertList, void *plContext) @@ -668,6 +669,7 @@ PKIX_Error * pkix_pl_HttpCertStore_GetCertContinue( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCertList, void *plContext) diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c index faadd646b6f..1bd0a5a3808 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c @@ -1423,15 +1423,15 @@ pkix_pl_HttpDefaultClient_TrySendAndReceive( /* PR_smprintf_free original header buffer */ PR_smprintf_free(sendbuf); + sendbuf = NULL; } else if (client->send_http_method == HTTP_GET_METHOD) { - sendbuf = PR_smprintf + client->GETBuf = PR_smprintf ("GET %s HTTP/1.1\r\nHost: %s:%d\r\n\r\n", client->path, client->host, client->portnum); - client->GETBuf = sendbuf; - client->GETLen = PORT_Strlen(sendbuf); + client->GETLen = PORT_Strlen(client->GETBuf); } } @@ -1497,6 +1497,9 @@ pkix_pl_HttpDefaultClient_TrySendAndReceive( } cleanup: + if (sendbuf) { + PR_smprintf_free(sendbuf); + } PKIX_RETURN(HTTPDEFAULTCLIENT); diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c index 04022cca847..964cec1f1cf 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c @@ -568,6 +568,7 @@ PKIX_Error * pkix_pl_LdapCertStore_GetCert( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCertList, void *plContext) @@ -737,6 +738,7 @@ PKIX_Error * pkix_pl_LdapCertStore_GetCertContinue( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *verifyNode, void **pNBIOContext, PKIX_List **pCertList, void *plContext) diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c index e7c13295f9f..4a94161a932 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c @@ -680,6 +680,7 @@ PKIX_Error * pkix_pl_Pk11CertStore_GetCert( PKIX_CertStore *store, PKIX_CertSelector *selector, + PKIX_VerifyNode *parentVerifyNode, void **pNBIOContext, PKIX_List **pCertList, void *plContext) @@ -689,11 +690,12 @@ pkix_pl_Pk11CertStore_GetCert( PKIX_PL_Cert *candidate = NULL; PKIX_List *selected = NULL; PKIX_List *filtered = NULL; - PKIX_CertSelector_MatchCallback callback = NULL; + PKIX_CertSelector_MatchCallback selectorCallback = NULL; PKIX_CertStore_CheckTrustCallback trustCallback = NULL; PKIX_ComCertSelParams *params = NULL; - PKIX_Boolean pass = PKIX_TRUE; PKIX_Boolean cacheFlag = PKIX_FALSE; + PKIX_VerifyNode *verifyNode = NULL; + PKIX_Error *selectorError = NULL; PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_GetCert"); PKIX_NULLCHECK_FOUR(store, selector, pNBIOContext, pCertList); @@ -701,7 +703,7 @@ pkix_pl_Pk11CertStore_GetCert( *pNBIOContext = NULL; /* We don't use non-blocking I/O */ PKIX_CHECK(PKIX_CertSelector_GetMatchCallback - (selector, &callback, plContext), + (selector, &selectorCallback, plContext), PKIX_CERTSELECTORGETMATCHCALLBACKFAILED); PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams @@ -740,12 +742,9 @@ pkix_pl_Pk11CertStore_GetCert( continue; /* just skip bad certs */ } - PKIX_CHECK_ONLY_FATAL(callback - (selector, candidate, &pass, plContext), - PKIX_CERTSELECTORFAILED); - - if (!(PKIX_ERROR_RECEIVED) && pass) { - + selectorError = + selectorCallback(selector, candidate, plContext); + if (!selectorError) { PKIX_CHECK(PKIX_PL_Cert_SetCacheFlag (candidate, cacheFlag, plContext), PKIX_CERTSETCACHEFLAGFAILED); @@ -761,8 +760,19 @@ pkix_pl_Pk11CertStore_GetCert( (PKIX_PL_Object *)candidate, plContext), PKIX_LISTAPPENDITEMFAILED); + } else if (parentVerifyNode) { + PKIX_CHECK_FATAL( + pkix_VerifyNode_Create(candidate, 0, selectorError, + &verifyNode, plContext), + PKIX_VERIFYNODECREATEFAILED); + PKIX_CHECK_FATAL( + pkix_VerifyNode_AddToTree(parentVerifyNode, + verifyNode, + plContext), + PKIX_VERIFYNODEADDTOTREEFAILED); + PKIX_DECREF(verifyNode); } - + PKIX_DECREF(selectorError); PKIX_DECREF(candidate); } @@ -773,11 +783,13 @@ pkix_pl_Pk11CertStore_GetCert( filtered = NULL; cleanup: - +fatal: PKIX_DECREF(filtered); PKIX_DECREF(candidate); PKIX_DECREF(selected); PKIX_DECREF(params); + PKIX_DECREF(verifyNode); + PKIX_DECREF(selectorError); PKIX_RETURN(CERTSTORE); } diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c index fa679c4768f..c255d2b9912 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c @@ -146,14 +146,10 @@ pkix_pl_Cert_DecodePolicyInfo( /* Allocated in the arena; freed in CERT_Destroy... */ CERTCertificatePolicies *certPol = NULL; CERTPolicyInfo **policyInfos = NULL; - CERTPolicyInfo *policyInfo = NULL; - CERTPolicyQualifier **policyQualifiers = NULL; - CERTPolicyQualifier *policyQualifier = NULL; /* Holder for the return value */ PKIX_List *infos = NULL; - char *oidAscii = NULL; PKIX_PL_OID *pkixOID = NULL; PKIX_List *qualifiers = NULL; PKIX_PL_CertPolicyInfo *certPolicyInfo = NULL; @@ -204,26 +200,22 @@ pkix_pl_Cert_DecodePolicyInfo( * building each PKIX_PL_CertPolicyInfo object in turn */ while (*policyInfos != NULL) { - policyInfo = *policyInfos; - policyQualifiers = policyInfo->policyQualifiers; + CERTPolicyInfo *policyInfo = *policyInfos; + CERTPolicyQualifier **policyQualifiers = + policyInfo->policyQualifiers; if (policyQualifiers) { /* create a PKIX_List of PKIX_PL_CertPolicyQualifiers */ PKIX_CHECK(PKIX_List_Create(&qualifiers, plContext), PKIX_LISTCREATEFAILED); while (*policyQualifiers != NULL) { - policyQualifier = *policyQualifiers; + CERTPolicyQualifier *policyQualifier = + *policyQualifiers; /* create the qualifier's OID object */ - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (&(policyQualifier->qualifierID), - &oidAscii, - plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create - (oidAscii, &pkixOID, plContext), + PKIX_CHECK(PKIX_PL_OID_CreateBySECItem + (&policyQualifier->qualifierID, + &pkixOID, plContext), PKIX_OIDCREATEFAILED); /* create qualifier's ByteArray object */ @@ -250,7 +242,6 @@ pkix_pl_Cert_DecodePolicyInfo( plContext), PKIX_LISTAPPENDITEMFAILED); - PKIX_FREE(oidAscii); PKIX_DECREF(pkixOID); PKIX_DECREF(qualifierArray); PKIX_DECREF(certPolicyQualifier); @@ -269,13 +260,8 @@ pkix_pl_Cert_DecodePolicyInfo( * (The CERTPolicyInfo structure has an oid field, but it * is of type SECOidTag. This function wants a SECItem.) */ - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (&(policyInfo->policyID), &oidAscii, plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create - (oidAscii, &pkixOID, plContext), + PKIX_CHECK(PKIX_PL_OID_CreateBySECItem + (&policyInfo->policyID, &pkixOID, plContext), PKIX_OIDCREATEFAILED); /* Create a CertPolicyInfo object */ @@ -288,7 +274,6 @@ pkix_pl_Cert_DecodePolicyInfo( (infos, (PKIX_PL_Object *)certPolicyInfo, plContext), PKIX_LISTAPPENDITEMFAILED); - PKIX_FREE(oidAscii); PKIX_DECREF(pkixOID); PKIX_DECREF(qualifiers); PKIX_DECREF(certPolicyInfo); @@ -313,7 +298,6 @@ cleanup: CERT_DestroyCertificatePoliciesExtension(certPol); } - PKIX_FREE(oidAscii); PKIX_DECREF(infos); PKIX_DECREF(pkixOID); PKIX_DECREF(qualifiers); @@ -362,13 +346,10 @@ pkix_pl_Cert_DecodePolicyMapping( /* Allocated in the arena; freed in CERT_Destroy... */ CERTCertificatePolicyMappings *certPolMaps = NULL; CERTPolicyMap **policyMaps = NULL; - CERTPolicyMap *policyMap = NULL; /* Holder for the return value */ PKIX_List *maps = NULL; - char *issuerPolicyOIDAscii = NULL; - char *subjectPolicyOIDAscii = NULL; PKIX_PL_OID *issuerDomainOID = NULL; PKIX_PL_OID *subjectDomainOID = NULL; PKIX_PL_CertPolicyMap *certPolicyMap = NULL; @@ -408,30 +389,18 @@ pkix_pl_Cert_DecodePolicyMapping( * building each CertPolicyMap object in turn */ do { - policyMap = *policyMaps; + CERTPolicyMap *policyMap = *policyMaps; /* create the OID for the issuer Domain Policy */ - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (&(policyMap->issuerDomainPolicy), - &issuerPolicyOIDAscii, - plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create - (issuerPolicyOIDAscii, &issuerDomainOID, plContext), + PKIX_CHECK(PKIX_PL_OID_CreateBySECItem + (&policyMap->issuerDomainPolicy, + &issuerDomainOID, plContext), PKIX_OIDCREATEFAILED); /* create the OID for the subject Domain Policy */ - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (&(policyMap->subjectDomainPolicy), - &subjectPolicyOIDAscii, - plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create - (subjectPolicyOIDAscii, &subjectDomainOID, plContext), + PKIX_CHECK(PKIX_PL_OID_CreateBySECItem + (&policyMap->subjectDomainPolicy, + &subjectDomainOID, plContext), PKIX_OIDCREATEFAILED); /* create the CertPolicyMap */ @@ -447,8 +416,6 @@ pkix_pl_Cert_DecodePolicyMapping( (maps, (PKIX_PL_Object *)certPolicyMap, plContext), PKIX_LISTAPPENDITEMFAILED); - PKIX_FREE(issuerPolicyOIDAscii); - PKIX_FREE(subjectPolicyOIDAscii); PKIX_DECREF(issuerDomainOID); PKIX_DECREF(subjectDomainOID); PKIX_DECREF(certPolicyMap); @@ -469,8 +436,6 @@ cleanup: CERT_DestroyPolicyMappingsExtension(certPolMaps); } - PKIX_FREE(issuerPolicyOIDAscii); - PKIX_FREE(subjectPolicyOIDAscii); PKIX_DECREF(maps); PKIX_DECREF(issuerDomainOID); PKIX_DECREF(subjectDomainOID); @@ -2052,43 +2017,32 @@ PKIX_PL_Cert_GetSubjectPublicKeyAlgId( PKIX_PL_OID **pSubjKeyAlgId, void *plContext) { - CERTCertificate *nssCert = NULL; PKIX_PL_OID *pubKeyAlgId = NULL; - SECAlgorithmID algorithm; - SECItem algBytes; - char *asciiOID = NULL; PKIX_ENTER(CERT, "PKIX_PL_Cert_GetSubjectPublicKeyAlgId"); PKIX_NULLCHECK_THREE(cert, cert->nssCert, pSubjKeyAlgId); /* if we don't have a cached copy from before, we create one */ if (cert->publicKeyAlgId == NULL){ - PKIX_OBJECT_LOCK(cert); - if (cert->publicKeyAlgId == NULL){ + CERTCertificate *nssCert = cert->nssCert; + SECAlgorithmID *algorithm; + SECItem *algBytes; - nssCert = cert->nssCert; - algorithm = nssCert->subjectPublicKeyInfo.algorithm; - algBytes = algorithm.algorithm; - - PKIX_NULLCHECK_ONE(algBytes.data); - if (algBytes.len == 0) { - PKIX_ERROR_FATAL(PKIX_ALGORITHMBYTESLENGTH0); + algorithm = &nssCert->subjectPublicKeyInfo.algorithm; + algBytes = &algorithm->algorithm; + if (!algBytes->data || !algBytes->len) { + PKIX_ERROR_FATAL(PKIX_ALGORITHMBYTESLENGTH0); } - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (&algBytes, &asciiOID, plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create - (asciiOID, &pubKeyAlgId, plContext), + PKIX_CHECK(PKIX_PL_OID_CreateBySECItem + (algBytes, &pubKeyAlgId, plContext), PKIX_OIDCREATEFAILED); /* save a cached copy in case it is asked for again */ cert->publicKeyAlgId = pubKeyAlgId; + pubKeyAlgId = NULL; } - PKIX_OBJECT_UNLOCK(cert); } @@ -2096,7 +2050,7 @@ PKIX_PL_Cert_GetSubjectPublicKeyAlgId( *pSubjKeyAlgId = cert->publicKeyAlgId; cleanup: - PKIX_FREE(asciiOID); + PKIX_DECREF(pubKeyAlgId); PKIX_RETURN(CERT); } @@ -2413,9 +2367,7 @@ PKIX_PL_Cert_GetExtendedKeyUsage( CERTCertificate *nssCert = NULL; PKIX_PL_OID *pkixOID = NULL; PKIX_List *oidsList = NULL; - char *oidAscii = NULL; SECItem **oids = NULL; - SECItem *oid = NULL; SECItem encodedExtKeyUsage; SECStatus rv; @@ -2462,14 +2414,10 @@ PKIX_PL_Cert_GetExtendedKeyUsage( PKIX_LISTCREATEFAILED); while (*oids){ - oid = *oids++; + SECItem *oid = *oids++; - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (oid, &oidAscii, plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create - (oidAscii, &pkixOID, plContext), + PKIX_CHECK(PKIX_PL_OID_CreateBySECItem + (oid, &pkixOID, plContext), PKIX_OIDCREATEFAILED); PKIX_CHECK(PKIX_List_AppendItem @@ -2477,9 +2425,6 @@ PKIX_PL_Cert_GetExtendedKeyUsage( (PKIX_PL_Object *)pkixOID, plContext), PKIX_LISTAPPENDITEMFAILED); - - PKIX_FREE(oidAscii); - PKIX_DECREF(pkixOID); } @@ -2501,7 +2446,6 @@ PKIX_PL_Cert_GetExtendedKeyUsage( cleanup: PKIX_OBJECT_UNLOCK(lockedObject); - PKIX_FREE(oidAscii); PKIX_DECREF(pkixOID); PKIX_DECREF(oidsList); CERT_DestroyOidSequence(extKeyUsage); diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c index 1f38ba35e00..e757b020242 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c @@ -207,54 +207,36 @@ pkix_pl_CRL_GetSignatureAlgId( PKIX_PL_OID **pSignatureAlgId, void *plContext) { - CERTCrl *nssCrl = NULL; PKIX_PL_OID *signatureAlgId = NULL; - SECAlgorithmID algorithm; - SECItem algBytes; - char *asciiOID = NULL; PKIX_ENTER(CRL, "pkix_pl_CRL_GetSignatureAlgId"); PKIX_NULLCHECK_THREE(crl, crl->nssSignedCrl, pSignatureAlgId); /* if we don't have a cached copy from before, we create one */ if (crl->signatureAlgId == NULL){ - PKIX_OBJECT_LOCK(crl); - if (crl->signatureAlgId == NULL){ + CERTCrl *nssCrl = &(crl->nssSignedCrl->crl); + SECAlgorithmID *algorithm = &nssCrl->signatureAlg; + SECItem *algBytes = &algorithm->algorithm; - nssCrl = &(crl->nssSignedCrl->crl); - algorithm = nssCrl->signatureAlg; - algBytes = algorithm.algorithm; - - PKIX_NULLCHECK_ONE(algBytes.data); - if (algBytes.len == 0) { - PKIX_ERROR_FATAL(PKIX_OIDBYTESLENGTH0); - } - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (&algBytes, &asciiOID, plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create - (asciiOID, &signatureAlgId, plContext), - PKIX_OIDCREATEFAILED); - - /* save a cached copy in case it is asked for again */ - crl->signatureAlgId = signatureAlgId; + if (!algBytes->data || !algBytes->len) { + PKIX_ERROR(PKIX_OIDBYTESLENGTH0); + } + PKIX_CHECK(PKIX_PL_OID_CreateBySECItem + (algBytes, &signatureAlgId, plContext), + PKIX_OIDCREATEFAILED); + + /* save a cached copy in case it is asked for again */ + crl->signatureAlgId = signatureAlgId; + signatureAlgId = NULL; } - PKIX_OBJECT_UNLOCK(crl); - } - PKIX_INCREF(crl->signatureAlgId); *pSignatureAlgId = crl->signatureAlgId; - cleanup: - - PKIX_FREE(asciiOID); - + PKIX_DECREF(signatureAlgId); PKIX_RETURN(CRL); } @@ -720,12 +702,7 @@ PKIX_PL_CRL_VerifyUpdateTime( PKIX_NULLCHECK_FOUR(crl, crl->nssSignedCrl, date, pResult); nssCrl = &(crl->nssSignedCrl->crl); - - PKIX_CRL_DEBUG("\t\tCalling DER_DecodeTimeChoice on date\n"); - status = DER_DecodeTimeChoice(&timeToCheck, &(date->nssTime)); - if (status != SECSuccess) { - PKIX_ERROR(PKIX_DERDECODETIMECHOICEFAILED); - } + timeToCheck = date->nssTime; /* nextUpdate can be NULL. Checking before using it */ nextUpdateDer = &nssCrl->nextUpdate; diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c index b4056f320e8..b4f74541ef1 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c @@ -241,9 +241,6 @@ pkix_pl_GeneralName_Create( OtherName *otherName = NULL; CERTGeneralNameList *nssGenNameList = NULL; CERTGeneralNameType nameType; - SECItem *secItem = NULL; - char *asciiName = NULL; - SECStatus rv; PKIX_ENTER(GENERALNAME, "pkix_pl_GeneralName_Create"); PKIX_NULLCHECK_TWO(nssAltName, pGenName); @@ -308,12 +305,8 @@ pkix_pl_GeneralName_Create( genName->directoryName = pkixDN; break; case certRegisterID: - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (&nssAltName->name.other, &asciiName, plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create(asciiName, &pkixOID, plContext), + PKIX_CHECK(PKIX_PL_OID_CreateBySECItem(&nssAltName->name.other, + &pkixOID, plContext), PKIX_OIDCREATEFAILED); genName->oid = pkixOID; @@ -324,39 +317,20 @@ pkix_pl_GeneralName_Create( case certRFC822Name: case certX400Address: case certURI: - - PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_AllocItem).\n"); - secItem = SECITEM_AllocItem(NULL, NULL, 0); - if (secItem == NULL){ - PKIX_ERROR(PKIX_OUTOFMEMORY); - } - - PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_CopyItem).\n"); - rv = SECITEM_CopyItem(NULL, secItem, &nssAltName->name.other); - if (rv != SECSuccess) { - PKIX_ERROR(PKIX_OUTOFMEMORY); - } - - genName->other = secItem; + genName->other = SECITEM_DupItem(&nssAltName->name.other); + if (!genName->other) { + PKIX_ERROR(PKIX_OUTOFMEMORY); + } break; default: PKIX_ERROR(PKIX_NAMETYPENOTSUPPORTED); } *pGenName = genName; + genName = NULL; + cleanup: - - PKIX_FREE(asciiName); - - if (PKIX_ERROR_RECEIVED){ - PKIX_DECREF(genName); - if (secItem){ - PKIX_GENERALNAME_DEBUG - ("\t\tCalling SECITEM_FreeItem).\n"); - SECITEM_FreeItem(secItem, PR_TRUE); - secItem = NULL; - } - } + PKIX_DECREF(genName); PKIX_RETURN(GENERALNAME); } diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c index 996544cc379..c7a2c169120 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c @@ -43,16 +43,6 @@ #include "pkix_pl_infoaccess.h" -/* XXX Following SEC_OID_PKIX defines should be merged in NSS */ -#define SEC_OID_PKIX_CA_REPOSITORY 1003 -#define SEC_OID_PKIX_TIMESTAMPING 1005 -/* XXX Following OID defines hould be moved to NSS */ -static const unsigned char siaTimeStampingOID[] = {0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 0x030, 0x03}; -static const unsigned char siaCaRepositoryOID[] = {0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 0x030, 0x05}; - - /* --Private-InfoAccess-Functions----------------------------------*/ /* @@ -415,37 +405,6 @@ pkix_pl_InfoAccess_CreateList( PKIX_CERT_DEBUG("\t\tCalling SECOID_FindOIDTag).\n"); method = SECOID_FindOIDTag(&nssInfoAccess[i]->method); - - if (method == 0) { - - /* XXX - * This part of code is definitely hacking, need NSS decode - * support. We can reuse the CERT_DecodeAuthInfoAccessExtension - * since SIA and AIA are all the same type. However NSS need - * to add SIA, CaRepository, TimeStamping OID definitions and - * the numerical method, timeStamping and caRepository values. - * - * We assume now, since method is 0, implies the method for SIA - * was not decoded by CERT_DecodeAuthInfoAccessExtension() - * so we compare and put value in. This part should be taken - * out eventually if CERT_DecodeInfoAccessExtension (*renamed*) - * is doing the job. - */ - - PKIX_CERT_DEBUG("\t\tCalling PORT_Strncmp).\n"); - if (PORT_Strncmp - ((char *)nssInfoAccess[i]->method.data, - (char *)siaTimeStampingOID, - nssInfoAccess[i]->method.len) == 0) { - method = SEC_OID_PKIX_TIMESTAMPING; - } else if (PORT_Strncmp - ((char *)nssInfoAccess[i]->method.data, - (char *)siaCaRepositoryOID, - nssInfoAccess[i]->method.len) == 0) { - method = SEC_OID_PKIX_CA_REPOSITORY; - } - } - /* Map NSS access method value into PKIX constant */ switch(method) { case SEC_OID_PKIX_CA_ISSUERS: @@ -461,7 +420,7 @@ pkix_pl_InfoAccess_CreateList( method = PKIX_INFOACCESS_CA_REPOSITORY; break; default: - break; + PKIX_ERROR(PKIX_UNKNOWNINFOACCESSMETHOD); } PKIX_CHECK(pkix_pl_InfoAccess_Create @@ -650,7 +609,7 @@ pkix_pl_InfoAccess_ParseTokens( */ if (numFilters > 2) numFilters = 2; - filterP = PORT_ArenaZNewArray(arena, void*, numFilters+1); + filterP = PORT_ArenaZNewArray(arena, char*, numFilters+1); if (filterP == NULL) { PKIX_ERROR(PKIX_PORTARENAALLOCFAILED); } diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c index 6fb1bf18c2b..86ad8a4986a 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c @@ -502,7 +502,9 @@ pkix_pl_OcspResponse_Create( ocspResponse->request = request; ocspResponse->httpClient = httpClient; ocspResponse->serverSession = serverSession; + serverSession = NULL; ocspResponse->sessionRequest = sessionRequest; + sessionRequest = NULL; ocspResponse->verifyFcn = verifyFcn; ocspResponse->handle = CERT_GetDefaultCertDB(); ocspResponse->encodedResponse = NULL; @@ -522,10 +524,10 @@ pkix_pl_OcspResponse_Create( hcv1 = &(httpClient->fcnTable.ftable1); - rv = (*hcv1->trySendAndReceiveFcn)(sessionRequest, + rv = (*hcv1->trySendAndReceiveFcn)(ocspResponse->sessionRequest, (PRPollDesc **)&nbioContext, &responseCode, - &responseContentType, + (const char **)&responseContentType, NULL, /* responseHeaders */ (const char **)&responseData, &responseDataLen); @@ -560,26 +562,24 @@ pkix_pl_OcspResponse_Create( responseData, responseDataLen); } *pResponse = ocspResponse; + ocspResponse = NULL; cleanup: if (path != NULL) { PORT_Free(path); } - if (hostname != NULL) { PORT_Free(hostname); } - - if (PKIX_ERROR_RECEIVED){ - if (ocspResponse) { - PKIX_DECREF(ocspResponse); - } else { - if (serverSession) - hcv1->freeSessionFcn(serverSession); - if (sessionRequest) - hcv1->freeFcn(sessionRequest); - } + if (ocspResponse) { + PKIX_DECREF(ocspResponse); + } + if (serverSession) { + hcv1->freeSessionFcn(serverSession); + } + if (sessionRequest) { + hcv1->freeFcn(sessionRequest); } PKIX_RETURN(OCSPRESPONSE); diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c index b0333a126b2..69c8a9f876f 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c @@ -45,7 +45,7 @@ /* --Private-OID-Functions---------------------------------------- */ -/* + /* * FUNCTION: pkix_pl_OID_Comparator * (see comments for PKIX_PL_ComparatorCallback in pkix_pl_system.h) */ @@ -53,15 +53,14 @@ static PKIX_Error * pkix_pl_OID_Comparator( PKIX_PL_Object *firstObject, PKIX_PL_Object *secondObject, - PKIX_Int32 *pResult, + PKIX_Int32 *pRes, void *plContext) { PKIX_PL_OID *firstOID = NULL; PKIX_PL_OID *secondOID = NULL; - PKIX_UInt32 minLength; PKIX_ENTER(OID, "pkix_pl_OID_Comparator"); - PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult); + PKIX_NULLCHECK_THREE(firstObject, secondObject, pRes); PKIX_CHECK(pkix_CheckTypes (firstObject, secondObject, PKIX_OID_TYPE, plContext), @@ -70,19 +69,8 @@ pkix_pl_OID_Comparator( firstOID = (PKIX_PL_OID*)firstObject; secondOID = (PKIX_PL_OID*)secondObject; - *pResult = 0; - - minLength = (firstOID->length < secondOID->length)? - firstOID->length: - secondOID->length; - - /* Check if both array contents are identical */ - PKIX_OID_DEBUG("\tCalling PORT_Memcmp).\n"); - *pResult = PORT_Memcmp - (firstOID->components, - secondOID->components, - minLength * sizeof (PKIX_UInt32)); - + *pRes = (PKIX_Int32)SECITEM_CompareItem(&firstOID->derOid, + &secondOID->derOid); cleanup: PKIX_RETURN(OID); } @@ -103,14 +91,10 @@ pkix_pl_OID_Destroy( PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext), PKIX_OBJECTNOTANOID); - oid = (PKIX_PL_OID*)object; - - PKIX_FREE(oid->components); - oid->length = 0; + SECITEM_FreeItem(&oid->derOid, PR_FALSE); cleanup: - PKIX_RETURN(OID); } @@ -124,7 +108,7 @@ pkix_pl_OID_Hashcode( PKIX_UInt32 *pHashcode, void *plContext) { - PKIX_PL_OID *pkixOID = NULL; + PKIX_PL_OID *oid = NULL; PKIX_ENTER(OID, "pkix_pl_OID_HashCode"); PKIX_NULLCHECK_TWO(object, pHashcode); @@ -132,11 +116,11 @@ pkix_pl_OID_Hashcode( PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext), PKIX_OBJECTNOTANOID); - pkixOID = (PKIX_PL_OID *)object; + oid = (PKIX_PL_OID *)object; PKIX_CHECK(pkix_hash - ((unsigned char *)pkixOID->components, - pkixOID->length * sizeof (PKIX_UInt32), + ((unsigned char *)oid->derOid.data, + oid->derOid.len * sizeof (char), pHashcode, plContext), PKIX_HASHFAILED); @@ -157,7 +141,7 @@ pkix_pl_OID_Equals( void *plContext) { PKIX_UInt32 secondType; - PKIX_Int32 cmpResult; + SECComparison cmpResult; PKIX_ENTER(OID, "pkix_pl_OID_Equals"); PKIX_NULLCHECK_THREE(first, second, pResult); @@ -174,9 +158,7 @@ pkix_pl_OID_Equals( * Do a quick check that the second object is an OID. * If so, check that their lengths are equal. */ - if ((secondType != PKIX_OID_TYPE)|| - (((PKIX_PL_OID*)first)->length != - ((PKIX_PL_OID*)second)->length)) { + if (secondType != PKIX_OID_TYPE) { goto cleanup; } @@ -184,8 +166,7 @@ pkix_pl_OID_Equals( (first, second, &cmpResult, plContext), PKIX_OIDCOMPARATORFAILED); - *pResult = (cmpResult == 0); - + *pResult = (cmpResult == SECEqual); cleanup: PKIX_RETURN(OID); @@ -194,6 +175,8 @@ cleanup: /* * FUNCTION: pkix_pl_OID_ToString * (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h) + * Use this function only for printing OIDs and not to make any + * critical security decision. */ static PKIX_Error * pkix_pl_OID_ToString( @@ -201,31 +184,23 @@ pkix_pl_OID_ToString( PKIX_PL_String **pString, void *plContext) { - PKIX_UInt32 *components = NULL; - PKIX_UInt32 length; - char *ascii = NULL; + PKIX_PL_OID *oid = NULL; + char *oidString = NULL; PKIX_ENTER(OID, "pkix_pl_OID_toString"); PKIX_NULLCHECK_TWO(object, pString); PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext), PKIX_OBJECTNOTANOID); - - components = ((PKIX_PL_OID*)object)->components; - length = ((PKIX_PL_OID*)object)->length; - - PKIX_CHECK(pkix_pl_helperBytes2Ascii - (components, length, &ascii, plContext), - PKIX_HELPERBYTES2ASCIIFAILED); - + oid = (PKIX_PL_OID*)object; + oidString = CERT_GetOidString(&oid->derOid); + PKIX_CHECK(PKIX_PL_String_Create - (PKIX_ESCASCII, ascii, 0, pString, plContext), + (PKIX_ESCASCII, oidString , 0, pString, plContext), PKIX_STRINGCREATEFAILED); - cleanup: - - PKIX_FREE(ascii); - + PR_smprintf_free(oidString); + PKIX_RETURN(OID); } @@ -244,88 +219,19 @@ PKIX_Error * pkix_pl_OID_RegisterSelf( void *plContext) { - extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES]; - pkix_ClassTable_Entry entry; + pkix_ClassTable_Entry *entry = &systemClasses[PKIX_OID_TYPE]; PKIX_ENTER(OID, "pkix_pl_OID_RegisterSelf"); - entry.description = "OID"; - entry.objCounter = 0; - entry.typeObjectSize = sizeof(PKIX_PL_OID); - entry.destructor = pkix_pl_OID_Destroy; - entry.equalsFunction = pkix_pl_OID_Equals; - entry.hashcodeFunction = pkix_pl_OID_Hashcode; - entry.toStringFunction = pkix_pl_OID_ToString; - entry.comparator = pkix_pl_OID_Comparator; - entry.duplicateFunction = pkix_duplicateImmutable; - - systemClasses[PKIX_OID_TYPE] = entry; - - PKIX_RETURN(OID); -} - -/* - * FUNCTION: pkix_pl_OID_GetNextToken - * DESCRIPTION: - * - * This function is essentially a thread safe version of strtok, except - * that we always use '.' (dot) for the token separator. - * - * Searches for tokens in the string pointed to by "input", using '.' (dot) - * as the token separator. If "input" contains multiple tokens, the first - * token is stored at "pToken", the character immediately follow the first - * token is replaced by a null character, and the rekmainder of "input" is - * stored at "pRem". If no additional tokens are available, this function - * stores NULL at "pToken". - * - * PARAMETERS - * "input" - * Address of string to be tokenized. May be NULL. - * "pToken" - * Destination for OID token. Must be non-NULL. - * "pRem" - * Destination for pointer to remainder of string. Must be non-NULL. - * "plContext" - * Platform-specific context pointer. - * THREAD SAFETY: - * Thread Safe (see Thread Safety Definitions in Programmer's Guide) - * RETURNS: - * Returns NULL if the function succeeds. - * Returns an OID Error if the function fails in a non-fatal way. - * Returns a Fatal Error if the function fails in an unrecoverable way. - */ -static PKIX_Error * -pkix_pl_OID_GetNextToken( - char *input, - char **pToken, - char **pRem, - void *plContext) -{ - char *token = input; - - PKIX_ENTER(OID, "pkix_pl_OID_GetNextToken"); - PKIX_NULLCHECK_TWO(pToken, pRem); - - if (token == NULL){ - *pToken = token; - goto cleanup; - } - - while (*input != '.' && *input != '\0'){ - input++; - } - - if (*input == '.'){ - *input = 0; - *pRem = input + 1; - } else { /* NULL case */ - *pRem = NULL; - } - - *pToken = token; - -cleanup: + entry->description = "OID"; + entry->typeObjectSize = sizeof(PKIX_PL_OID); + entry->destructor = pkix_pl_OID_Destroy; + entry->equalsFunction = pkix_pl_OID_Equals; + entry->hashcodeFunction = pkix_pl_OID_Hashcode; + entry->toStringFunction = pkix_pl_OID_ToString; + entry->comparator = pkix_pl_OID_Comparator; + entry->duplicateFunction = pkix_duplicateImmutable; PKIX_RETURN(OID); } @@ -357,11 +263,7 @@ pkix_pl_OID_GetCriticalExtensionOIDs( void *plContext) { PKIX_List *oidsList = NULL; - CERTCertExtension *extension = NULL; PKIX_PL_OID *pkixOID = NULL; - SECItem critical; - SECItem oid; - char *oidAscii = NULL; PKIX_ENTER(OID, "pkix_pl_OID_GetCriticalExtensionOIDs"); PKIX_NULLCHECK_ONE(pOidsList); @@ -369,40 +271,28 @@ pkix_pl_OID_GetCriticalExtensionOIDs( PKIX_CHECK(PKIX_List_Create(&oidsList, plContext), PKIX_LISTCREATEFAILED); - if (extensions){ + if (extensions) { + while (*extensions) { + CERTCertExtension *extension = NULL; + SECItem *critical = NULL; + SECItem *oid = NULL; - while (*extensions){ - extension = *extensions++; - - PKIX_NULLCHECK_ONE(extension); - - /* extension is critical */ - critical = extension->critical; - - if (critical.len != 0){ - - if (critical.data[0] == 0xff) { - oid = extension->id; - - PKIX_CHECK(pkix_pl_oidBytes2Ascii - (&oid, &oidAscii, plContext), - PKIX_OIDBYTES2ASCIIFAILED); - - PKIX_CHECK(PKIX_PL_OID_Create - (oidAscii, &pkixOID, plContext), - PKIX_OIDCREATEFAILED); - - PKIX_CHECK(PKIX_List_AppendItem - (oidsList, - (PKIX_PL_Object *)pkixOID, - plContext), - PKIX_LISTAPPENDITEMFAILED); - } - } - - PKIX_FREE(oidAscii); - PKIX_DECREF(pkixOID); + extension = *extensions++; + /* extension is critical ? */ + critical = &extension->critical; + if (critical->len == 0 || critical->data[0] == 0) { + continue; } + oid = &extension->id; + PKIX_CHECK( + PKIX_PL_OID_CreateBySECItem(oid, &pkixOID, plContext), + PKIX_OIDCREATEFAILED); + PKIX_CHECK( + PKIX_List_AppendItem(oidsList, (PKIX_PL_Object *)pkixOID, + plContext), + PKIX_LISTAPPENDITEMFAILED); + PKIX_DECREF(pkixOID); + } } *pOidsList = oidsList; @@ -410,7 +300,6 @@ pkix_pl_OID_GetCriticalExtensionOIDs( cleanup: PKIX_DECREF(oidsList); - PKIX_FREE(oidAscii); PKIX_DECREF(pkixOID); PKIX_RETURN(OID); } @@ -418,137 +307,59 @@ cleanup: /* --Public-Functions------------------------------------------------------- */ /* - * FUNCTION: PKIX_PL_OID_Create (see comments in pkix_pl_system.h) + * FUNCTION: PKIX_PL_OID_CreateBySECItem (see comments in pkix_pl_system.h) */ PKIX_Error * -PKIX_PL_OID_Create( - char *stringRep, +PKIX_PL_OID_CreateBySECItem( + SECItem *derOid, PKIX_PL_OID **pOID, void *plContext) { PKIX_PL_OID *oid = NULL; - char *strCpy1 = NULL; - char *strCpy2 = NULL; - char *token = NULL; - PKIX_UInt32 numTokens, i, length; - PKIX_UInt32 value; - PKIX_Boolean firstFieldTwo; - PKIX_UInt32 *components = NULL; - char *rem = NULL; - - PKIX_ENTER(OID, "PKIX_PL_OID_Create"); - PKIX_NULLCHECK_TWO(pOID, stringRep); - - PKIX_OID_DEBUG("\tCalling PL_strlen).\n"); - length = PL_strlen(stringRep); - - if (length < 3) { - PKIX_ERROR(PKIX_OIDLENGTHTOOSHORT); - } - - for (i = 0; i < length; i++) { - if ((!PKIX_ISDIGIT(stringRep[i]))&&(stringRep[i] != '.')) { - PKIX_ERROR(PKIX_ILLEGALCHARACTERINOID); - } - } - - /* Check that string doesn't have extra dots */ - if ((stringRep[0] == '.') || - (stringRep[length-1] == '.')|| - (PL_strstr(stringRep, "..") != NULL)) { - PKIX_ERROR(PKIX_ILLEGALDOTINOID); - } - - PKIX_OID_DEBUG("\tCalling PL_strdup).\n"); - - strCpy1 = PL_strdup(stringRep); - strCpy2 = PL_strdup(stringRep); - - /* Validate and tally the number of tokens */ - - PKIX_CHECK(pkix_pl_OID_GetNextToken - (strCpy1, &token, &rem, plContext), - PKIX_OIDGETNEXTTOKENFAILED); - - for (numTokens = 0; token != NULL; numTokens++){ - if (numTokens == 0) { - /* We know the string is all digits */ - PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n"); - value = PORT_Atoi(token); - if (value > 2) { - PKIX_ERROR(PKIX_FIRSTFIELDMUSTBEBETWEEN02); - } - - /* Set a flag if the first field is 2 */ - firstFieldTwo = (value == 2); - } else if (numTokens == 1) { - PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n"); - value = PORT_Atoi(token); - if ((!firstFieldTwo)&&(value > 39)) { - PKIX_ERROR - (PKIX_SECONDFIELDMUSTBEBETWEEN039); - } - } - - /* Check for 32-bit overflow */ - if (pkix_pl_UInt32_Overflows(token)){ - PKIX_ERROR(PKIX_OIDCOMPONENTTOOBIG); - } - - PKIX_CHECK(pkix_pl_OID_GetNextToken - (rem, &token, &rem, plContext), - PKIX_OIDGETNEXTTOKENFAILED); - } - - if (numTokens < 2) { - PKIX_ERROR(PKIX_OIDNEEDS2ORMOREFIELDS); - } - - PKIX_CHECK(PKIX_PL_Malloc - (numTokens * sizeof (PKIX_UInt32), - (void **)&components, plContext), - PKIX_MALLOCFAILED); - - PKIX_CHECK(pkix_pl_OID_GetNextToken - (strCpy2, &token, &rem, plContext), - PKIX_OIDGETNEXTTOKENFAILED); - - for (i = 0; token != NULL; i++){ - PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n"); - components[i] = PORT_Atoi(token); - - PKIX_CHECK(pkix_pl_OID_GetNextToken - (rem, &token, &rem, plContext), - PKIX_OIDGETNEXTTOKENFAILED); - } + SECStatus rv; + + PKIX_ENTER(OID, "PKIX_PL_OID_CreateBySECItem"); + PKIX_NULLCHECK_TWO(pOID, derOid); PKIX_CHECK(PKIX_PL_Object_Alloc - (PKIX_OID_TYPE, + (PKIX_OID_TYPE, sizeof (PKIX_PL_OID), (PKIX_PL_Object **)&oid, plContext), PKIX_COULDNOTCREATEOBJECT); - - oid->length = numTokens; - oid->components = components; - - *pOID = oid; - + rv = SECITEM_CopyItem(NULL, &oid->derOid, derOid); + if (rv != SECFailure) { + *pOID = oid; + oid = NULL; + } + +cleanup: + PKIX_DECREF(oid); + + PKIX_RETURN(OID); +} + +/* + * FUNCTION: PKIX_PL_OID_Create (see comments in pkix_pl_system.h) + */ +PKIX_Error * +PKIX_PL_OID_Create( + SECOidTag idtag, + PKIX_PL_OID **pOID, + void *plContext) +{ + SECOidData *oidData = NULL; + + PKIX_ENTER(OID, "PKIX_PL_OID_Create"); + PKIX_NULLCHECK_ONE(pOID); + + oidData = SECOID_FindOIDByTag((SECOidTag)idtag); + if (!oidData) { + PKIX_ERROR(PKIX_SECOIDFINDOIDTAGDESCRIPTIONFAILED); + } + + pkixErrorResult = + PKIX_PL_OID_CreateBySECItem(&oidData->oid, pOID, plContext); cleanup: - - if (strCpy1){ - PKIX_OID_DEBUG("\tCalling PL_strfree).\n"); - PL_strfree(strCpy1); - } - - if (strCpy2){ - PKIX_OID_DEBUG("\tCalling PL_strfree).\n"); - PL_strfree(strCpy2); - } - - if (PKIX_ERROR_RECEIVED){ - PKIX_FREE(components); - } - PKIX_RETURN(OID); } diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h index d0327909e55..2660ae8b26a 100755 --- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h +++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h @@ -51,8 +51,7 @@ extern "C" { #endif struct PKIX_PL_OIDStruct { - PKIX_UInt32 *components; - PKIX_UInt32 length; + SECItem derOid; }; /* see source file for function documentation */ diff --git a/security/nss/lib/nss/config.mk b/security/nss/lib/nss/config.mk index 195448df167..98e6802a496 100644 --- a/security/nss/lib/nss/config.mk +++ b/security/nss/lib/nss/config.mk @@ -53,6 +53,7 @@ RESNAME = $(LIBRARY_NAME).rc ifdef NS_USE_GCC EXTRA_SHARED_LIBS += \ -L$(DIST)/lib \ + -L$(NSSUTIL_LIB_DIR) \ -lnssutil3 \ -L$(NSPR_LIB_DIR) \ -lplc4 \ @@ -74,6 +75,7 @@ else # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX. EXTRA_SHARED_LIBS += \ -L$(DIST)/lib \ + -L$(NSSUTIL_LIB_DIR) \ -lnssutil3 \ -L$(NSPR_LIB_DIR) \ -lplc4 \ diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index 7d45c413a42..5604794e9ab 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: nss.h,v 1.64 2009/03/27 21:42:54 christophe.ravel.bugs%sun.com Exp $ */ +/* $Id: nss.h,v 1.65 2009/04/13 17:46:59 christophe.ravel.bugs%sun.com Exp $ */ #ifndef __nss_h_ #define __nss_h_ @@ -66,11 +66,11 @@ * The format of the version string should be * ".[.][ ][ ]" */ -#define NSS_VERSION "3.12.3" _NSS_ECC_STRING _NSS_CUSTOMIZED +#define NSS_VERSION "3.12.4" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta" #define NSS_VMAJOR 3 #define NSS_VMINOR 12 -#define NSS_VPATCH 3 -#define NSS_BETA PR_FALSE +#define NSS_VPATCH 4 +#define NSS_BETA PR_TRUE #ifndef RC_INVOKED diff --git a/security/nss/lib/pk11wrap/pk11nobj.c b/security/nss/lib/pk11wrap/pk11nobj.c index d94820bc4ae..412ba3ce5cb 100644 --- a/security/nss/lib/pk11wrap/pk11nobj.c +++ b/security/nss/lib/pk11wrap/pk11nobj.c @@ -527,6 +527,7 @@ PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, SECItem *name, nssCryptokiObject_Destroy(object); } else { rvH = CK_INVALID_HANDLE; + PORT_SetError(SEC_ERROR_CRL_IMPORT_FAILED); } return rvH; } diff --git a/security/nss/lib/smime/config.mk b/security/nss/lib/smime/config.mk index 2437c62a539..7d0629a4720 100644 --- a/security/nss/lib/smime/config.mk +++ b/security/nss/lib/smime/config.mk @@ -50,6 +50,7 @@ ifdef NS_USE_GCC EXTRA_SHARED_LIBS += \ -L$(DIST)/lib \ -lnss3 \ + -L$(NSSUTIL_LIB_DIR) \ -lnssutil3 \ -L$(NSPR_LIB_DIR) \ -lplc4 \ @@ -71,6 +72,7 @@ else EXTRA_SHARED_LIBS += \ -L$(DIST)/lib \ -lnss3 \ + -L$(NSSUTIL_LIB_DIR) \ -lnssutil3 \ -L$(NSPR_LIB_DIR) \ -lplc4 \ diff --git a/security/nss/lib/softoken/config.mk b/security/nss/lib/softoken/config.mk index 7dddd346730..9c1e4bcf902 100644 --- a/security/nss/lib/softoken/config.mk +++ b/security/nss/lib/softoken/config.mk @@ -37,11 +37,6 @@ # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS) CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) -CRYPTODIR=../freebl -ifdef MOZILLA_SECURITY_BUILD - CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX) - CRYPTODIR=../crypto -endif EXTRA_LIBS += \ $(CRYPTOLIB) \ @@ -60,6 +55,7 @@ RESNAME = $(LIBRARY_NAME).rc ifdef NS_USE_GCC EXTRA_SHARED_LIBS += \ -L$(DIST)/lib \ + -L$(NSSUTIL_LIB_DIR) \ -lnssutil3 \ -lsqlite3 \ -L$(NSPR_LIB_DIR) \ @@ -85,6 +81,7 @@ else # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX. EXTRA_SHARED_LIBS += \ -L$(DIST)/lib \ + -L$(NSSUTIL_LIB_DIR) \ -lnssutil3 \ -lsqlite3 \ -L$(NSPR_LIB_DIR) \ diff --git a/security/nss/lib/softoken/legacydb/config.mk b/security/nss/lib/softoken/legacydb/config.mk index 1d541b8b1b4..f155a2aedd5 100644 --- a/security/nss/lib/softoken/legacydb/config.mk +++ b/security/nss/lib/softoken/legacydb/config.mk @@ -37,11 +37,6 @@ # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS) CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) -CRYPTODIR=../freebl -ifdef MOZILLA_SECURITY_BUILD - CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX) - CRYPTODIR=../crypto -endif EXTRA_LIBS += $(CRYPTOLIB) @@ -62,6 +57,7 @@ RESNAME = $(LIBRARY_NAME).rc ifdef NS_USE_GCC EXTRA_SHARED_LIBS += \ -L$(DIST)/lib \ + -L$(NSSUTIL_LIB_DIR) \ -lnssutil3 \ -L$(NSPR_LIB_DIR) \ -lplc4 \ @@ -84,6 +80,7 @@ else # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX. EXTRA_SHARED_LIBS += \ -L$(DIST)/lib \ + -L$(NSSUTIL_LIB_DIR) \ -lnssutil3 \ -L$(NSPR_LIB_DIR) \ -lplc4 \ diff --git a/security/nss/lib/softoken/legacydb/lowcert.c b/security/nss/lib/softoken/legacydb/lowcert.c index a3fa7b8b4eb..703faeb2f7b 100644 --- a/security/nss/lib/softoken/legacydb/lowcert.c +++ b/security/nss/lib/softoken/legacydb/lowcert.c @@ -38,7 +38,7 @@ /* * Certificate handling code * - * $Id: lowcert.c,v 1.4 2008/02/08 02:50:50 julien.pierre.boogz%sun.com Exp $ + * $Id: lowcert.c,v 1.5 2009/04/12 01:31:45 nelson%bolyard.com Exp $ */ #include "seccomon.h" @@ -363,6 +363,10 @@ nsslowcert_KeyFromIssuerAndSN(PRArenaPool *arena, PORT_SetError(SEC_ERROR_INVALID_ARGS); goto loser; } + if (len > NSS_MAX_LEGACY_DB_KEY_SIZE) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + goto loser; + } key->data = (unsigned char*)PORT_ArenaAlloc(arena, len); if ( !key->data ) { goto loser; diff --git a/security/nss/lib/softoken/legacydb/pcertdb.c b/security/nss/lib/softoken/legacydb/pcertdb.c index 98f54042382..74c8f9d7177 100644 --- a/security/nss/lib/softoken/legacydb/pcertdb.c +++ b/security/nss/lib/softoken/legacydb/pcertdb.c @@ -37,7 +37,7 @@ /* * Permanent Certificate database handling code * - * $Id: pcertdb.c,v 1.9 2009/04/09 02:00:33 nelson%bolyard.com Exp $ + * $Id: pcertdb.c,v 1.11 2009/04/13 17:23:15 nelson%bolyard.com Exp $ */ #include "lowkeyti.h" #include "pcert.h" @@ -637,16 +637,16 @@ EncodeDBCertEntry(certDBEntryCert *entry, PRArenaPool *arena, SECItem *dbitem) /* fill in database record */ buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN]; - buf[0] = ( entry->trust.sslFlags >> 8 ) & 0xff; - buf[1] = entry->trust.sslFlags & 0xff; - buf[2] = ( entry->trust.emailFlags >> 8 ) & 0xff; - buf[3] = entry->trust.emailFlags & 0xff; - buf[4] = ( entry->trust.objectSigningFlags >> 8 ) & 0xff; - buf[5] = entry->trust.objectSigningFlags & 0xff; - buf[6] = ( entry->derCert.len >> 8 ) & 0xff; - buf[7] = entry->derCert.len & 0xff; - buf[8] = ( nnlen >> 8 ) & 0xff; - buf[9] = nnlen & 0xff; + buf[0] = (PRUint8)( entry->trust.sslFlags >> 8 ); + buf[1] = (PRUint8)( entry->trust.sslFlags ); + buf[2] = (PRUint8)( entry->trust.emailFlags >> 8 ); + buf[3] = (PRUint8)( entry->trust.emailFlags ); + buf[4] = (PRUint8)( entry->trust.objectSigningFlags >> 8 ); + buf[5] = (PRUint8)( entry->trust.objectSigningFlags ); + buf[6] = (PRUint8)( entry->derCert.len >> 8 ); + buf[7] = (PRUint8)( entry->derCert.len ); + buf[8] = (PRUint8)( nnlen >> 8 ); + buf[9] = (PRUint8)( nnlen ); PORT_Memcpy(&buf[DB_CERT_ENTRY_HEADER_LEN], entry->derCert.data, entry->derCert.len); @@ -667,6 +667,8 @@ static SECStatus EncodeDBCertKey(const SECItem *certKey, PRArenaPool *arena, SECItem *dbkey) { unsigned int len = certKey->len + SEC_DB_KEY_HEADER_LEN; + if (len > NSS_MAX_LEGACY_DB_KEY_SIZE) + goto loser; if (arena) { dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, len); } else { @@ -706,12 +708,14 @@ EncodeDBGenericKey(const SECItem *certKey, PRArenaPool *arena, SECItem *dbkey, dbkey->len = certKey->len + SEC_DB_KEY_HEADER_LEN; + if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE) + goto loser; dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len); if ( dbkey->data == NULL ) { goto loser; } PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], - certKey->data, certKey->len); + certKey->data, certKey->len); dbkey->data[0] = (unsigned char) entryType; return(SECSuccess); @@ -1156,10 +1160,10 @@ EncodeDBCrlEntry(certDBEntryRevocation *entry, PRArenaPool *arena, SECItem *dbit /* fill in database record */ buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN]; - buf[0] = ( entry->derCrl.len >> 8 ) & 0xff; - buf[1] = entry->derCrl.len & 0xff; - buf[2] = ( nnlen >> 8 ) & 0xff; - buf[3] = nnlen & 0xff; + buf[0] = (PRUint8)( entry->derCrl.len >> 8 ); + buf[1] = (PRUint8)( entry->derCrl.len ); + buf[2] = (PRUint8)( nnlen >> 8 ); + buf[3] = (PRUint8)( nnlen ); PORT_Memcpy(&buf[DB_CRL_ENTRY_HEADER_LEN], entry->derCrl.data, entry->derCrl.len); @@ -1452,7 +1456,6 @@ EncodeDBNicknameEntry(certDBEntryNickname *entry, PRArenaPool *arena, */ dbitem->len = entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN + SEC_DB_ENTRY_HEADER_LEN; - dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len); if ( dbitem->data == NULL) { goto loser; @@ -1460,10 +1463,8 @@ EncodeDBNicknameEntry(certDBEntryNickname *entry, PRArenaPool *arena, /* fill in database record */ buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN]; - - buf[0] = ( entry->subjectName.len >> 8 ) & 0xff; - buf[1] = entry->subjectName.len & 0xff; - + buf[0] = (PRUint8)( entry->subjectName.len >> 8 ); + buf[1] = (PRUint8)( entry->subjectName.len ); PORT_Memcpy(&buf[DB_NICKNAME_ENTRY_HEADER_LEN], entry->subjectName.data, entry->subjectName.len); @@ -1486,6 +1487,8 @@ EncodeDBNicknameKey(char *nickname, PRArenaPool *arena, /* now get the database key and format it */ dbkey->len = nnlen + SEC_DB_KEY_HEADER_LEN; + if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE) + goto loser; dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len); if ( dbkey->data == NULL ) { goto loser; @@ -1777,12 +1780,12 @@ EncodeDBSMimeEntry(certDBEntrySMime *entry, PRArenaPool *arena, /* fill in database record */ buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN]; - buf[0] = ( entry->subjectName.len >> 8 ) & 0xff; - buf[1] = entry->subjectName.len & 0xff; - buf[2] = ( entry->smimeOptions.len >> 8 ) & 0xff; - buf[3] = entry->smimeOptions.len & 0xff; - buf[4] = ( entry->optionsDate.len >> 8 ) & 0xff; - buf[5] = entry->optionsDate.len & 0xff; + buf[0] = (PRUint8)( entry->subjectName.len >> 8 ); + buf[1] = (PRUint8)( entry->subjectName.len ); + buf[2] = (PRUint8)( entry->smimeOptions.len >> 8 ); + buf[3] = (PRUint8)( entry->smimeOptions.len ); + buf[4] = (PRUint8)( entry->optionsDate.len >> 8 ); + buf[5] = (PRUint8)( entry->optionsDate.len ); /* if no smime options, then there should not be an options date either */ PORT_Assert( ! ( ( entry->smimeOptions.len == 0 ) && @@ -1819,6 +1822,8 @@ EncodeDBSMimeKey(char *emailAddr, PRArenaPool *arena, /* now get the database key and format it */ dbkey->len = addrlen + SEC_DB_KEY_HEADER_LEN; + if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE) + goto loser; dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len); if ( dbkey->data == NULL ) { goto loser; @@ -2167,8 +2172,8 @@ EncodeDBSubjectEntry(certDBEntrySubject *entry, PRArenaPool *arena, unsigned int nnlen = 0; unsigned int eaddrslen = 0; int keyidoff; - SECItem *certKeys; - SECItem *keyIDs; + SECItem *certKeys = entry->certKeys; + SECItem *keyIDs = entry->keyIDs;; if ( entry->nickname ) { nnlen = PORT_Strlen(entry->nickname) + 1; @@ -2184,10 +2189,15 @@ EncodeDBSubjectEntry(certDBEntrySubject *entry, PRArenaPool *arena, /* compute the length of the entry */ keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen ; - len = keyidoff + 4 * ncerts + eaddrslen; + len = keyidoff + (4 * ncerts) + eaddrslen; for ( i = 0; i < ncerts; i++ ) { - len += entry->certKeys[i].len; - len += entry->keyIDs[i].len; + if (keyIDs[i].len > 0xffff || + (certKeys[i].len > 0xffff)) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + goto loser; + } + len += certKeys[i].len; + len += keyIDs[i].len; } /* allocate space for encoded database record, including space @@ -2204,50 +2214,44 @@ EncodeDBSubjectEntry(certDBEntrySubject *entry, PRArenaPool *arena, /* fill in database record */ buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN]; - buf[0] = ( ncerts >> 8 ) & 0xff; - buf[1] = ncerts & 0xff; - buf[2] = ( nnlen >> 8 ) & 0xff; - buf[3] = nnlen & 0xff; + buf[0] = (PRUint8)( ncerts >> 8 ); + buf[1] = (PRUint8)( ncerts ); + buf[2] = (PRUint8)( nnlen >> 8 ); + buf[3] = (PRUint8)( nnlen ); /* v7 email field is NULL in v8 */ buf[4] = 0; buf[5] = 0; PORT_Memcpy(&buf[DB_SUBJECT_ENTRY_HEADER_LEN], entry->nickname, nnlen); - + tmpbuf = &buf[keyidoff]; for ( i = 0; i < ncerts; i++ ) { - - certKeys = entry->certKeys; - keyIDs = entry->keyIDs; - - buf[keyidoff+i*2] = ( certKeys[i].len >> 8 ) & 0xff; - buf[keyidoff+1+i*2] = certKeys[i].len & 0xff; - buf[keyidoff+ncerts*2+i*2] = ( keyIDs[i].len >> 8 ) & 0xff; - buf[keyidoff+1+ncerts*2+i*2] = keyIDs[i].len & 0xff; + tmpbuf[0] = (PRUint8)( certKeys[i].len >> 8 ); + tmpbuf[1] = (PRUint8)( certKeys[i].len ); + tmpbuf += 2; + } + for ( i = 0; i < ncerts; i++ ) { + tmpbuf[0] = (PRUint8)( keyIDs[i].len >> 8 ); + tmpbuf[1] = (PRUint8)( keyIDs[i].len ); + tmpbuf += 2; } - /* temp pointer used to stuff certkeys and keyids into the buffer */ - tmpbuf = &buf[keyidoff+ncerts*4]; - for ( i = 0; i < ncerts; i++ ) { - certKeys = entry->certKeys; PORT_Memcpy(tmpbuf, certKeys[i].data, certKeys[i].len); - tmpbuf = tmpbuf + certKeys[i].len; + tmpbuf += certKeys[i].len; } - for ( i = 0; i < ncerts; i++ ) { - keyIDs = entry->keyIDs; PORT_Memcpy(tmpbuf, keyIDs[i].data, keyIDs[i].len); - tmpbuf = tmpbuf + keyIDs[i].len; + tmpbuf += keyIDs[i].len; } if (entry->emailAddrs) { - tmpbuf[0] = (entry->nemailAddrs >> 8) & 0xff; - tmpbuf[1] = entry->nemailAddrs & 0xff; + tmpbuf[0] = (PRUint8)( entry->nemailAddrs >> 8 ); + tmpbuf[1] = (PRUint8)( entry->nemailAddrs ); tmpbuf += 2; for (i=0; i < entry->nemailAddrs; i++) { int nameLen = PORT_Strlen(entry->emailAddrs[i]) + 1; - tmpbuf[0] = (nameLen >> 8) & 0xff; - tmpbuf[1] = nameLen & 0xff; + tmpbuf[0] = (PRUint8)( nameLen >> 8 ); + tmpbuf[1] = (PRUint8)( nameLen ); tmpbuf += 2; PORT_Memcpy(tmpbuf,entry->emailAddrs[i],nameLen); tmpbuf +=nameLen; @@ -2270,6 +2274,8 @@ EncodeDBSubjectKey(SECItem *derSubject, PRArenaPool *arena, SECItem *dbkey) { dbkey->len = derSubject->len + SEC_DB_KEY_HEADER_LEN; + if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE) + goto loser; dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len); if ( dbkey->data == NULL ) { goto loser; @@ -2288,18 +2294,17 @@ static SECStatus DecodeDBSubjectEntry(certDBEntrySubject *entry, SECItem *dbentry, const SECItem *derSubject) { - unsigned int ncerts; - PRArenaPool *arena; - unsigned int len, itemlen; + PRArenaPool *arena = entry->common.arena; unsigned char *tmpbuf; unsigned char *end; + void *mark = PORT_ArenaMark(arena); + unsigned int eaddrlen; unsigned int i; - SECStatus rv; unsigned int keyidoff; - unsigned int nnlen, eaddrlen; - unsigned int stdlen; - - arena = entry->common.arena; + unsigned int len; + unsigned int ncerts = 0; + unsigned int nnlen; + SECStatus rv; rv = SECITEM_CopyItem(arena, &entry->derSubject, derSubject); if ( rv != SECSuccess ) { @@ -2312,20 +2317,18 @@ DecodeDBSubjectEntry(certDBEntrySubject *entry, SECItem *dbentry, goto loser; } - entry->ncerts = ncerts = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] ); - nnlen = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] ); - eaddrlen = ( ( dbentry->data[4] << 8 ) | dbentry->data[5] ); - stdlen = ncerts * 4 + DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen; - if ( dbentry->len < stdlen) { + entry->ncerts = ncerts = (( dbentry->data[0] << 8 ) | dbentry->data[1] ); + nnlen = (( dbentry->data[2] << 8 ) | dbentry->data[3] ); + eaddrlen = (( dbentry->data[4] << 8 ) | dbentry->data[5] ); + keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen; + len = keyidoff + (4 * ncerts); + if ( dbentry->len < len) { PORT_SetError(SEC_ERROR_BAD_DATABASE); goto loser; } - entry->certKeys = (SECItem *)PORT_ArenaAlloc(arena, - sizeof(SECItem) * ncerts); - entry->keyIDs = (SECItem *)PORT_ArenaAlloc(arena, - sizeof(SECItem) * ncerts); - + entry->certKeys = PORT_ArenaNewArray(arena, SECItem, ncerts); + entry->keyIDs = PORT_ArenaNewArray(arena, SECItem, ncerts); if ( ( entry->certKeys == NULL ) || ( entry->keyIDs == NULL ) ) { PORT_SetError(SEC_ERROR_NO_MEMORY); goto loser; @@ -2347,7 +2350,7 @@ DecodeDBSubjectEntry(certDBEntrySubject *entry, SECItem *dbentry, /* if we have an old style email entry, there is only one */ entry->nemailAddrs = 0; if ( eaddrlen > 1 ) { /* null terminator is stored */ - entry->emailAddrs = (char **)PORT_ArenaAlloc(arena, sizeof(char *)); + entry->emailAddrs = PORT_ArenaNewArray(arena, char *, 2); if ( entry->emailAddrs == NULL ) { PORT_SetError(SEC_ERROR_NO_MEMORY); goto loser; @@ -2368,87 +2371,85 @@ DecodeDBSubjectEntry(certDBEntrySubject *entry, SECItem *dbentry, /* collect the lengths of the certKeys and keyIDs, and total the * overall length. */ - keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen; - len = keyidoff + 4 * ncerts; - - tmpbuf = &dbentry->data[0]; - + tmpbuf = &dbentry->data[keyidoff]; for ( i = 0; i < ncerts; i++ ) { - - itemlen = ( tmpbuf[keyidoff + 2*i] << 8 ) | tmpbuf[keyidoff + 1 + 2*i] ; - len += itemlen; - entry->certKeys[i].len = itemlen; - - itemlen = ( tmpbuf[keyidoff + 2*ncerts + 2*i] << 8 ) | - tmpbuf[keyidoff + 1 + 2*ncerts + 2*i] ; - len += itemlen; - entry->keyIDs[i].len = itemlen; + unsigned int itemlen = ( tmpbuf[0] << 8 ) | tmpbuf[1]; + entry->certKeys[i].len = itemlen; + len += itemlen; + tmpbuf += 2; } - - /* is database entry correct length? */ + for ( i = 0; i < ncerts; i++ ) { + unsigned int itemlen = ( tmpbuf[0] << 8 ) | tmpbuf[1] ; + entry->keyIDs[i].len = itemlen; + len += itemlen; + tmpbuf += 2; + } + + /* is encoded entry large enough ? */ if ( len > dbentry->len ){ PORT_SetError(SEC_ERROR_BAD_DATABASE); goto loser; } - - tmpbuf = &tmpbuf[keyidoff + 4*ncerts]; + for ( i = 0; i < ncerts; i++ ) { - entry->certKeys[i].data = - (unsigned char *)PORT_ArenaAlloc(arena, entry->certKeys[i].len); + unsigned int kLen = entry->certKeys[i].len; + entry->certKeys[i].data = (unsigned char *)PORT_ArenaAlloc(arena, kLen); if ( entry->certKeys[i].data == NULL ) { PORT_SetError(SEC_ERROR_NO_MEMORY); goto loser; } - PORT_Memcpy(entry->certKeys[i].data, tmpbuf, entry->certKeys[i].len); - tmpbuf = &tmpbuf[entry->certKeys[i].len]; + PORT_Memcpy(entry->certKeys[i].data, tmpbuf, kLen); + tmpbuf += kLen; } - for ( i = 0; i < ncerts; i++ ) { - entry->keyIDs[i].data = - (unsigned char *)PORT_ArenaAlloc(arena, entry->keyIDs[i].len); + unsigned int iLen = entry->keyIDs[i].len; + entry->keyIDs[i].data = (unsigned char *)PORT_ArenaAlloc(arena, iLen); if ( entry->keyIDs[i].data == NULL ) { PORT_SetError(SEC_ERROR_NO_MEMORY); goto loser; } - PORT_Memcpy(entry->keyIDs[i].data, tmpbuf, entry->keyIDs[i].len); - tmpbuf = &tmpbuf[entry->keyIDs[i].len]; + PORT_Memcpy(entry->keyIDs[i].data, tmpbuf, iLen); + tmpbuf += iLen; } - end = &dbentry->data[dbentry->len]; - if ((eaddrlen == 0) && (tmpbuf+1 < end)) { + end = dbentry->data + dbentry->len; + if ((eaddrlen == 0) && (end - tmpbuf > 1)) { /* read in the additional email addresses */ - entry->nemailAddrs = tmpbuf[0] << 8 | tmpbuf[1]; + entry->nemailAddrs = (((unsigned int)tmpbuf[0]) << 8) | tmpbuf[1]; tmpbuf += 2; - entry->emailAddrs = (char **) - PORT_ArenaAlloc(arena, entry->nemailAddrs * sizeof(char *)); + if (end - tmpbuf < 2 * (int)entry->nemailAddrs) + goto loser; + entry->emailAddrs = PORT_ArenaNewArray(arena, char *, entry->nemailAddrs); if (entry->emailAddrs == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); goto loser; } for (i=0; i < entry->nemailAddrs; i++) { int nameLen; - if (tmpbuf + 2 > end) { + if (end - tmpbuf < 2) { + goto loser; + } + nameLen = (((int)tmpbuf[0]) << 8) | tmpbuf[1]; + tmpbuf += 2; + if (end - tmpbuf < nameLen) { goto loser; } - - nameLen = tmpbuf[0] << 8 | tmpbuf[1]; entry->emailAddrs[i] = PORT_ArenaAlloc(arena,nameLen); if (entry->emailAddrs == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); goto loser; } - if (tmpbuf + (nameLen+2) > end) { - goto loser; - } - PORT_Memcpy(entry->emailAddrs[i],&tmpbuf[2],nameLen); - tmpbuf += 2 + nameLen; + PORT_Memcpy(entry->emailAddrs[i], tmpbuf, nameLen); + tmpbuf += nameLen; } + if (tmpbuf != end) + goto loser; } - - + PORT_ArenaUnmark(arena, mark); return(SECSuccess); loser: + PORT_ArenaRelease(arena, mark); /* discard above allocations */ return(SECFailure); } diff --git a/security/nss/lib/softoken/legacydb/pcertt.h b/security/nss/lib/softoken/legacydb/pcertt.h index 33d2a5dedd4..6862d36d6e4 100644 --- a/security/nss/lib/softoken/legacydb/pcertt.h +++ b/security/nss/lib/softoken/legacydb/pcertt.h @@ -36,7 +36,7 @@ /* * certt.h - public data structures for the certificate library * - * $Id: pcertt.h,v 1.2 2007/06/13 00:24:57 rrelyea%redhat.com Exp $ + * $Id: pcertt.h,v 1.3 2009/04/12 01:31:46 nelson%bolyard.com Exp $ */ #ifndef _PCERTT_H_ #define _PCERTT_H_ @@ -168,6 +168,8 @@ struct NSSLOWCERTCertificateStr { #define SEC_CRL_VERSION_1 0 /* default */ #define SEC_CRL_VERSION_2 1 /* v2 extensions */ +#define NSS_MAX_LEGACY_DB_KEY_SIZE (60 * 1024) + struct NSSLOWCERTIssuerAndSNStr { SECItem derIssuer; SECItem serialNumber; diff --git a/security/nss/lib/softoken/lgglue.c b/security/nss/lib/softoken/lgglue.c index b5112dd36ee..3047e4006be 100644 --- a/security/nss/lib/softoken/lgglue.c +++ b/security/nss/lib/softoken/lgglue.c @@ -149,6 +149,7 @@ sftkdb_LoadFromPath(const char *path, const char *libname) return lib; } + static PRLibrary * sftkdb_LoadLibrary(const char *libname) { @@ -188,6 +189,7 @@ done: libSpec.value.pathname = libname; lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL); } + return lib; } @@ -270,18 +272,39 @@ sftkdb_decrypt_stub(SDB *sdb, SECItem *cipherText, SECItem **plainText) return rv; } +static const char *LEGACY_LIB_NAME = + SHLIB_PREFIX"nssdbm"SHLIB_VERSION"."SHLIB_SUFFIX; +/* + * 2 bools to tell us if we've check the legacy library successfully or + * not. Initialize on startup to false by the C BSS segment; + */ +static PRBool legacy_glue_libCheckFailed; /* set if we failed the check */ +static PRBool legacy_glue_libCheckSucceeded; /* set if we passed the check */ static PRLibrary *legacy_glue_lib = NULL; static SECStatus -sftkdbLoad_Legacy() +sftkdbLoad_Legacy(PRBool isFIPS) { PRLibrary *lib = NULL; LGSetCryptFunc setCryptFunction = NULL; if (legacy_glue_lib) { + /* this check is necessary because it's possible we loaded the + * legacydb to read secmod.db, which told us whether we were in + * FIPS mode or not. */ + if (isFIPS && !legacy_glue_libCheckSucceeded) { + if (legacy_glue_libCheckFailed || + !BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) { + legacy_glue_libCheckFailed = PR_TRUE; + /* don't clobber legacy glue to avoid race. just let it + * get cleared in shutdown */ + return SECFailure; + } + legacy_glue_libCheckSucceeded = PR_TRUE; + } return SECSuccess; } - lib = sftkdb_LoadLibrary(SHLIB_PREFIX"nssdbm"SHLIB_VERSION"."SHLIB_SUFFIX); + lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME); if (lib == NULL) { return SECFailure; } @@ -306,6 +329,16 @@ sftkdbLoad_Legacy() PR_UnloadLibrary(lib); return SECFailure; } + + /* verify the loaded library if we are in FIPS mode */ + if (isFIPS) { + if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) { + PR_UnloadLibrary(lib); + return SECFailure; + } + legacy_glue_libCheckSucceeded = PR_TRUE; + } + setCryptFunction(sftkdb_encrypt_stub,sftkdb_decrypt_stub); legacy_glue_lib = lib; return SECSuccess; @@ -313,12 +346,12 @@ sftkdbLoad_Legacy() CK_RV sftkdbCall_open(const char *dir, const char *certPrefix, const char *keyPrefix, - int certVersion, int keyVersion, int flags, + int certVersion, int keyVersion, int flags, PRBool isFIPS, SDB **certDB, SDB **keyDB) { SECStatus rv; - rv = sftkdbLoad_Legacy(); + rv = sftkdbLoad_Legacy(isFIPS); if (rv != SECSuccess) { return CKR_GENERAL_ERROR; } @@ -337,7 +370,7 @@ sftkdbCall_ReadSecmodDB(const char *appName, const char *filename, { SECStatus rv; - rv = sftkdbLoad_Legacy(); + rv = sftkdbLoad_Legacy(PR_FALSE); if (rv != SECSuccess) { return NULL; } @@ -355,7 +388,7 @@ sftkdbCall_ReleaseSecmodDBData(const char *appName, { SECStatus rv; - rv = sftkdbLoad_Legacy(); + rv = sftkdbLoad_Legacy(PR_FALSE); if (rv != SECSuccess) { return rv; } @@ -374,7 +407,7 @@ sftkdbCall_DeleteSecmodDB(const char *appName, { SECStatus rv; - rv = sftkdbLoad_Legacy(); + rv = sftkdbLoad_Legacy(PR_FALSE); if (rv != SECSuccess) { return rv; } @@ -392,7 +425,7 @@ sftkdbCall_AddSecmodDB(const char *appName, { SECStatus rv; - rv = sftkdbLoad_Legacy(); + rv = sftkdbLoad_Legacy(PR_FALSE); if (rv != SECSuccess) { return rv; } @@ -427,6 +460,8 @@ sftkdbCall_Shutdown(void) legacy_glue_releaseSecmod = NULL; legacy_glue_deleteSecmod = NULL; legacy_glue_addSecmod = NULL; + legacy_glue_libCheckFailed = PR_FALSE; + legacy_glue_libCheckSucceeded = PR_FALSE; return crv; } diff --git a/security/nss/lib/softoken/lgglue.h b/security/nss/lib/softoken/lgglue.h index 998f30a94c9..091ff82b619 100644 --- a/security/nss/lib/softoken/lgglue.h +++ b/security/nss/lib/softoken/lgglue.h @@ -75,7 +75,7 @@ typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc); */ CK_RV sftkdbCall_open(const char *dir, const char *certPrefix, const char *keyPrefix, - int certVersion, int keyVersion, int flags, + int certVersion, int keyVersion, int flags, PRBool isFIPS, SDB **certDB, SDB **keyDB); char ** sftkdbCall_ReadSecmodDB(const char *appName, const char *filename, const char *dbname, char *params, PRBool rw); diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c index c5c2a8e2baf..f9572476f36 100644 --- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c @@ -2151,7 +2151,9 @@ SFTK_SlotReInit(SFTKSlot *slot, char *configdir, char *updatedir, params->updCertPrefix, params->updKeyPrefix, params->updateID ? params->updateID : updateID, params->readOnly, params->noCertDB, params->noKeyDB, - params->forceOpen, &certHandle, &keyHandle); + params->forceOpen, + moduleIndex == NSC_FIPS_MODULE, + &certHandle, &keyHandle); if (crv != CKR_OK) { goto loser; } diff --git a/security/nss/lib/softoken/sftkdb.c b/security/nss/lib/softoken/sftkdb.c index 45100cc5c01..655e196870a 100644 --- a/security/nss/lib/softoken/sftkdb.c +++ b/security/nss/lib/softoken/sftkdb.c @@ -2547,7 +2547,7 @@ sftk_DBInit(const char *configdir, const char *certPrefix, const char *keyPrefix, const char *updatedir, const char *updCertPrefix, const char *updKeyPrefix, const char *updateID, PRBool readOnly, PRBool noCertDB, - PRBool noKeyDB, PRBool forceOpen, + PRBool noKeyDB, PRBool forceOpen, PRBool isFIPS, SFTKDBHandle **certDB, SFTKDBHandle **keyDB) { const char *confdir; @@ -2577,11 +2577,11 @@ sftk_DBInit(const char *configdir, const char *certPrefix, switch (dbType) { case SDB_LEGACY: crv = sftkdbCall_open(confdir, certPrefix, keyPrefix, 8, 3, flags, - noCertDB? NULL : &certSDB, noKeyDB ? NULL: &keySDB); + isFIPS, noCertDB? NULL : &certSDB, noKeyDB ? NULL: &keySDB); break; case SDB_MULTIACCESS: crv = sftkdbCall_open(configdir, certPrefix, keyPrefix, 8, 3, flags, - noCertDB? NULL : &certSDB, noKeyDB ? NULL: &keySDB); + isFIPS, noCertDB? NULL : &certSDB, noKeyDB ? NULL: &keySDB); break; case SDB_SQL: case SDB_EXTERN: /* SHOULD open a loadable db */ @@ -2598,8 +2598,8 @@ sftk_DBInit(const char *configdir, const char *certPrefix, /* we have legacy databases, if we failed to open the new format * DB's read only, just use the legacy ones */ crv = sftkdbCall_open(confdir, certPrefix, - keyPrefix, 8, 3, flags, noCertDB? NULL : &certSDB, - noKeyDB ? NULL : &keySDB); + keyPrefix, 8, 3, flags, isFIPS, + noCertDB? NULL : &certSDB, noKeyDB ? NULL : &keySDB); } /* Handle the database merge case. * @@ -2669,7 +2669,8 @@ sftk_DBInit(const char *configdir, const char *certPrefix, CK_RV crv2; crv2 = sftkdbCall_open(confdir, certPrefix, keyPrefix, 8, 3, flags, - noCertDB ? NULL : &updateCert, noKeyDB ? NULL : &updateKey); + isFIPS, noCertDB ? NULL : &updateCert, + noKeyDB ? NULL : &updateKey); if (crv2 == CKR_OK) { if (*certDB) { (*certDB)->update = updateCert; diff --git a/security/nss/lib/softoken/sftkdb.h b/security/nss/lib/softoken/sftkdb.h index 36daddea0c3..2806d6f3cf1 100644 --- a/security/nss/lib/softoken/sftkdb.h +++ b/security/nss/lib/softoken/sftkdb.h @@ -107,7 +107,7 @@ CK_RV sftk_DBInit(const char *configdir, const char *certPrefix, const char *keyPrefix, const char *updatedir, const char *updCertPrefix, const char *updKeyPrefix, const char *updateID, PRBool readOnly, PRBool noCertDB, - PRBool noKeyDB, PRBool forceOpen, + PRBool noKeyDB, PRBool forceOpen, PRBool isFIPS, SFTKDBHandle **certDB, SFTKDBHandle **keyDB); CK_RV sftkdb_Shutdown(void); diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c index 4e2c36178ba..3559898cfe7 100644 --- a/security/nss/lib/softoken/sftkpwd.c +++ b/security/nss/lib/softoken/sftkpwd.c @@ -686,6 +686,16 @@ sftkdb_HasPasswordSet(SFTKDBHandle *keydb) value.data = valueData; value.len = sizeof(valueData); crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value); + + /* If no password is set, we can update right away */ + if (((keydb->db->sdb_flags & SDB_RDONLY) == 0) && keydb->update + && crv != CKR_OK) { + /* update the peer certdb if it exists */ + if (keydb->peerDB) { + sftkdb_Update(keydb->peerDB, NULL); + } + sftkdb_Update(keydb, NULL); + } return (crv == CKR_OK) ? SECSuccess : SECFailure; } diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h index 41222fc6678..67ee0b72be0 100644 --- a/security/nss/lib/softoken/softkver.h +++ b/security/nss/lib/softoken/softkver.h @@ -57,10 +57,10 @@ * The format of the version string should be * ".[.][ ][ ]" */ -#define SOFTOKEN_VERSION "3.12.3" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.12.4" SOFTOKEN_ECC_STRING #define SOFTOKEN_VMAJOR 3 #define SOFTOKEN_VMINOR 12 -#define SOFTOKEN_VPATCH 3 +#define SOFTOKEN_VPATCH 4 #define SOFTOKEN_BETA PR_FALSE #endif /* _SOFTKVER_H_ */ diff --git a/security/nss/lib/ssl/config.mk b/security/nss/lib/ssl/config.mk index 553110bb0c0..8901280f6a9 100644 --- a/security/nss/lib/ssl/config.mk +++ b/security/nss/lib/ssl/config.mk @@ -56,6 +56,7 @@ ifdef NS_USE_GCC EXTRA_SHARED_LIBS += \ -L$(DIST)/lib \ -lnss3 \ + -L$(NSSUTIL_LIB_DIR) \ -lnssutil3 \ -L$(NSPR_LIB_DIR) \ -lplc4 \ @@ -73,12 +74,7 @@ EXTRA_SHARED_LIBS += \ endif # NS_USE_GCC # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS) -CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) -CRYPTODIR=../freebl -ifdef MOZILLA_SECURITY_BUILD - CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX) - CRYPTODIR=../crypto -endif +CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) EXTRA_LIBS += \ $(CRYPTOLIB) \ @@ -87,12 +83,7 @@ EXTRA_LIBS += \ else # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS) -CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) -CRYPTODIR=../freebl -ifdef MOZILLA_SECURITY_BUILD - CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX) - CRYPTODIR=../crypto -endif +CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) EXTRA_LIBS += \ $(CRYPTOLIB) \ @@ -104,6 +95,7 @@ EXTRA_LIBS += \ EXTRA_SHARED_LIBS += \ -L$(DIST)/lib \ -lnss3 \ + -L$(NSSUTIL_LIB_DIR) \ -lnssutil3 \ -L$(NSPR_LIB_DIR) \ -lplc4 \ diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h index 7025d5d8628..83b057117ed 100644 --- a/security/nss/lib/util/nssutil.h +++ b/security/nss/lib/util/nssutil.h @@ -51,10 +51,10 @@ * The format of the version string should be * ".[.][ ]" */ -#define NSSUTIL_VERSION "3.12.3" +#define NSSUTIL_VERSION "3.12.4 Beta" #define NSSUTIL_VMAJOR 3 #define NSSUTIL_VMINOR 12 -#define NSSUTIL_VPATCH 3 -#define NSSUTIL_BETA PR_FALSE +#define NSSUTIL_VPATCH 4 +#define NSSUTIL_BETA PR_TRUE #endif /* __nssutil_h_ */ diff --git a/security/nss/lib/util/secerr.h b/security/nss/lib/util/secerr.h index 0c29838cc1a..c1ce24662e0 100644 --- a/security/nss/lib/util/secerr.h +++ b/security/nss/lib/util/secerr.h @@ -225,6 +225,9 @@ SEC_ERROR_PKCS11_GENERAL_ERROR = (SEC_ERROR_BASE + 167), SEC_ERROR_PKCS11_FUNCTION_FAILED = (SEC_ERROR_BASE + 168), SEC_ERROR_PKCS11_DEVICE_ERROR = (SEC_ERROR_BASE + 169), +SEC_ERROR_BAD_INFO_ACCESS_METHOD = (SEC_ERROR_BASE + 170), +SEC_ERROR_CRL_IMPORT_FAILED = (SEC_ERROR_BASE + 171), + /* Add new error codes above here. */ SEC_ERROR_END_OF_LIST } SECErrorCodes; diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c index 287e154531d..7e8c1b6e1c5 100644 --- a/security/nss/lib/util/secoid.c +++ b/security/nss/lib/util/secoid.c @@ -361,6 +361,8 @@ CONST_OID x509ExtKeyUsage[] = { ID_CE_OID, 37 }; CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 }; CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 }; +CONST_OID x509CertificatePoliciesAnyPolicy[] = { ID_CE_OID, 32, 0 }; + CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 }; CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 }; @@ -1586,6 +1588,9 @@ const static SECOidData oids[SEC_OID_TOTAL] = { OD( seed_CBC, SEC_OID_SEED_CBC, "SEED-CBC", CKM_SEED_CBC, INVALID_CERT_EXTENSION), + OD( x509CertificatePoliciesAnyPolicy, SEC_OID_X509_ANY_POLICY, + "Certificate Policies AnyPolicy", + CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ), }; /* PRIVATE EXTENDED SECOID Table diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h index c06a3aad8e0..28582182d11 100644 --- a/security/nss/lib/util/secoidt.h +++ b/security/nss/lib/util/secoidt.h @@ -43,7 +43,7 @@ /* * secoidt.h - public data structures for ASN.1 OID functions * - * $Id: secoidt.h,v 1.29 2009/03/13 02:59:03 nelson%bolyard.com Exp $ + * $Id: secoidt.h,v 1.30 2009/04/14 02:04:08 alexei.volkov.bugs%sun.com Exp $ */ #include "secitem.h" @@ -448,6 +448,8 @@ typedef enum { SEC_OID_SEED_CBC = 302, + SEC_OID_X509_ANY_POLICY = 303, + SEC_OID_TOTAL } SECOidTag; diff --git a/security/nss/tests/chains/chains.sh b/security/nss/tests/chains/chains.sh index 85bc60540df..949905d3bf7 100644 --- a/security/nss/tests/chains/chains.sh +++ b/security/nss/tests/chains/chains.sh @@ -71,7 +71,7 @@ chains_init() CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios" - CERT_SN_CNT=$(date '+%m%d%H%M%S') + CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//") CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000) PK7_NONCE=$CERT_SN_CNT; diff --git a/security/nss/tests/cipher/cipher.sh b/security/nss/tests/cipher/cipher.sh index 7abc5f9975b..f61fb1fca77 100755 --- a/security/nss/tests/cipher/cipher.sh +++ b/security/nss/tests/cipher/cipher.sh @@ -1,4 +1,4 @@ -#! /bin/sh +#! /bin/bash # # ***** BEGIN LICENSE BLOCK ***** # Version: MPL 1.1/GPL 2.0/LGPL 2.1