summaryrefslogtreecommitdiff
path: root/security/nss/lib
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-08-14 07:52:35 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-08-14 16:42:52 +0200
commitab1060037931158d3a8bf4c8f9f6cb4dbfe916e9 (patch)
tree5e4677e52b9a349602f04135a44b3000c8baa97b /security/nss/lib
parentf44e99950fc25d16a3cdaffe26dadf7b58a9d38c (diff)
downloaduxp-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar.gz
Update NSS to 3.38
- Added HACL*Poly1305 32-bit (INRIA/Microsoft) - Updated to final TLS 1.3 draft version (28) - Removed TLS 1.3 prerelease draft limit check - Removed NPN code - Enabled dev/urandom-only RNG on Linux with NSS_SEED_ONLY_DEV_URANDOM for non-standard environments - Fixed several bugs with TLS 1.3 negotiation - Updated internal certificate store - Added support for the TLS Record Size Limit Extension. - Fixed CVE-2018-0495 - Various security fixes in the ASN.1 code.
Diffstat (limited to 'security/nss/lib')
-rw-r--r--security/nss/lib/certdb/crl.c8
-rw-r--r--security/nss/lib/ckfw/Makefile4
-rw-r--r--security/nss/lib/ckfw/builtins/certdata.txt467
-rw-r--r--security/nss/lib/ckfw/builtins/nssckbi.h6
-rw-r--r--security/nss/lib/ckfw/nssmkey/Makefile72
-rw-r--r--security/nss/lib/ckfw/nssmkey/README21
-rw-r--r--security/nss/lib/ckfw/nssmkey/ckmk.h182
-rw-r--r--security/nss/lib/ckfw/nssmkey/ckmkver.c17
-rw-r--r--security/nss/lib/ckfw/nssmkey/config.mk24
-rw-r--r--security/nss/lib/ckfw/nssmkey/manchor.c17
-rw-r--r--security/nss/lib/ckfw/nssmkey/manifest.mn33
-rw-r--r--security/nss/lib/ckfw/nssmkey/mconstants.c61
-rw-r--r--security/nss/lib/ckfw/nssmkey/mfind.c352
-rw-r--r--security/nss/lib/ckfw/nssmkey/minst.c97
-rw-r--r--security/nss/lib/ckfw/nssmkey/mobject.c1861
-rw-r--r--security/nss/lib/ckfw/nssmkey/mrsa.c479
-rw-r--r--security/nss/lib/ckfw/nssmkey/msession.c87
-rw-r--r--security/nss/lib/ckfw/nssmkey/mslot.c81
-rw-r--r--security/nss/lib/ckfw/nssmkey/mtoken.c184
-rw-r--r--security/nss/lib/ckfw/nssmkey/nssmkey.def26
-rw-r--r--security/nss/lib/ckfw/nssmkey/nssmkey.h41
-rw-r--r--security/nss/lib/ckfw/nssmkey/staticobj.c36
-rw-r--r--security/nss/lib/ckfw/session.c3
-rw-r--r--security/nss/lib/dev/devtoken.c4
-rw-r--r--security/nss/lib/freebl/Makefile10
-rw-r--r--security/nss/lib/freebl/blake2b.c2
-rw-r--r--security/nss/lib/freebl/chacha20poly1305.c88
-rw-r--r--security/nss/lib/freebl/dsa.c37
-rw-r--r--security/nss/lib/freebl/ec.c29
-rw-r--r--security/nss/lib/freebl/freebl.gyp36
-rw-r--r--security/nss/lib/freebl/freebl_base.gypi15
-rw-r--r--security/nss/lib/freebl/loader.c4
-rw-r--r--security/nss/lib/freebl/mpi/mpi.c13
-rw-r--r--security/nss/lib/freebl/poly1305-donna-x64-sse2-incremental-source.c881
-rw-r--r--security/nss/lib/freebl/poly1305.c314
-rw-r--r--security/nss/lib/freebl/poly1305.h30
-rw-r--r--security/nss/lib/freebl/unix_urandom.c33
-rw-r--r--security/nss/lib/freebl/verified/Hacl_Poly1305_32.c578
-rw-r--r--security/nss/lib/freebl/verified/Hacl_Poly1305_32.h103
-rw-r--r--security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c130
-rw-r--r--security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c20
-rw-r--r--security/nss/lib/nss/nss.h6
-rw-r--r--security/nss/lib/pk11wrap/pk11akey.c18
-rw-r--r--security/nss/lib/pk11wrap/pk11pars.c8
-rw-r--r--security/nss/lib/pkcs12/p12e.c5
-rw-r--r--security/nss/lib/pkcs7/p7decode.c1
-rw-r--r--security/nss/lib/pki/pki3hack.c4
-rw-r--r--security/nss/lib/smime/cmsrecinfo.c2
-rw-r--r--security/nss/lib/softoken/legacydb/pcertdb.c3
-rw-r--r--security/nss/lib/softoken/lowkey.c24
-rw-r--r--security/nss/lib/softoken/lowkeyi.h1
-rw-r--r--security/nss/lib/softoken/lowkeyti.h9
-rw-r--r--security/nss/lib/softoken/lowpbe.c10
-rw-r--r--security/nss/lib/softoken/pkcs11.c72
-rw-r--r--security/nss/lib/softoken/pkcs11c.c116
-rw-r--r--security/nss/lib/softoken/pkcs11u.c4
-rw-r--r--security/nss/lib/softoken/sdb.c69
-rw-r--r--security/nss/lib/softoken/sftkdb.c3
-rw-r--r--security/nss/lib/softoken/sftkpars.c34
-rw-r--r--security/nss/lib/softoken/sftkpwd.c6
-rw-r--r--security/nss/lib/softoken/softkver.h6
-rw-r--r--security/nss/lib/ssl/SSLerrs.h11
-rw-r--r--security/nss/lib/ssl/dtls13con.c59
-rw-r--r--security/nss/lib/ssl/dtls13con.h4
-rw-r--r--security/nss/lib/ssl/dtlscon.c116
-rw-r--r--security/nss/lib/ssl/dtlscon.h2
-rw-r--r--security/nss/lib/ssl/ssl.h81
-rw-r--r--security/nss/lib/ssl/ssl3con.c430
-rw-r--r--security/nss/lib/ssl/ssl3ecc.c6
-rw-r--r--security/nss/lib/ssl/ssl3ext.c13
-rw-r--r--security/nss/lib/ssl/ssl3ext.h3
-rw-r--r--security/nss/lib/ssl/ssl3exthandle.c181
-rw-r--r--security/nss/lib/ssl/ssl3exthandle.h7
-rw-r--r--security/nss/lib/ssl/ssl3gthr.c109
-rw-r--r--security/nss/lib/ssl/ssl3prot.h2
-rw-r--r--security/nss/lib/ssl/sslcert.c3
-rw-r--r--security/nss/lib/ssl/sslerr.h2
-rw-r--r--security/nss/lib/ssl/sslimpl.h39
-rw-r--r--security/nss/lib/ssl/sslsecur.c19
-rw-r--r--security/nss/lib/ssl/sslsock.c123
-rw-r--r--security/nss/lib/ssl/sslspec.c1
-rw-r--r--security/nss/lib/ssl/sslspec.h8
-rw-r--r--security/nss/lib/ssl/sslt.h3
-rw-r--r--security/nss/lib/ssl/tls13con.c262
-rw-r--r--security/nss/lib/ssl/tls13con.h2
-rw-r--r--security/nss/lib/ssl/tls13exthandle.c4
-rw-r--r--security/nss/lib/util/nssutil.def7
-rw-r--r--security/nss/lib/util/nssutil.h6
-rw-r--r--security/nss/lib/util/pkcs11t.h2
-rw-r--r--security/nss/lib/util/secasn1d.c4
-rw-r--r--security/nss/lib/util/secitem.c9
-rw-r--r--security/nss/lib/util/secitem.h8
92 files changed, 2224 insertions, 6189 deletions
diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c
index d1c48dfba6..63adcad46d 100644
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@@ -898,13 +898,13 @@ static PLHashAllocOps preAllocOps = { PreAllocTable, PreFreeTable,
/* destructor for PreAllocator object */
void
-PreAllocator_Destroy(PreAllocator* PreAllocator)
+PreAllocator_Destroy(PreAllocator* allocator)
{
- if (!PreAllocator) {
+ if (!allocator) {
return;
}
- if (PreAllocator->arena) {
- PORT_FreeArena(PreAllocator->arena, PR_TRUE);
+ if (allocator->arena) {
+ PORT_FreeArena(allocator->arena, PR_TRUE);
}
}
diff --git a/security/nss/lib/ckfw/Makefile b/security/nss/lib/ckfw/Makefile
index 484dbb511a..2902bef48b 100644
--- a/security/nss/lib/ckfw/Makefile
+++ b/security/nss/lib/ckfw/Makefile
@@ -33,7 +33,3 @@ ifdef NSS_BUILD_CAPI
DIRS += capi
endif
endif
-
-#ifeq ($(OS_ARCH), Darwin)
-#DIRS += nssmkey
-#endif
diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt
index 5d2baf3a56..d291f28a5d 100644
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -7241,163 +7241,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
-# Certificate "TC TrustCenter Class 3 CA II"
-#
-# Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
-# Serial Number:4a:47:00:01:00:02:e5:a0:5d:d6:3f:00:51:bf
-# Subject: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
-# Not Valid Before: Thu Jan 12 14:41:57 2006
-# Not Valid After : Wed Dec 31 22:59:59 2025
-# Fingerprint (MD5): 56:5F:AA:80:61:12:17:F6:67:21:E6:2B:6D:61:56:8E
-# Fingerprint (SHA1): 80:25:EF:F4:6E:70:C8:D4:72:24:65:84:FE:40:3B:8A:8D:6A:DB:F5
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TC TrustCenter Class 3 CA II"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\166\061\013\060\011\006\003\125\004\006\023\002\104\105\061
-\034\060\032\006\003\125\004\012\023\023\124\103\040\124\162\165
-\163\164\103\145\156\164\145\162\040\107\155\142\110\061\042\060
-\040\006\003\125\004\013\023\031\124\103\040\124\162\165\163\164
-\103\145\156\164\145\162\040\103\154\141\163\163\040\063\040\103
-\101\061\045\060\043\006\003\125\004\003\023\034\124\103\040\124
-\162\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163
-\040\063\040\103\101\040\111\111
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\166\061\013\060\011\006\003\125\004\006\023\002\104\105\061
-\034\060\032\006\003\125\004\012\023\023\124\103\040\124\162\165
-\163\164\103\145\156\164\145\162\040\107\155\142\110\061\042\060
-\040\006\003\125\004\013\023\031\124\103\040\124\162\165\163\164
-\103\145\156\164\145\162\040\103\154\141\163\163\040\063\040\103
-\101\061\045\060\043\006\003\125\004\003\023\034\124\103\040\124
-\162\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163
-\040\063\040\103\101\040\111\111
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\016\112\107\000\001\000\002\345\240\135\326\077\000\121\277
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\252\060\202\003\222\240\003\002\001\002\002\016\112
-\107\000\001\000\002\345\240\135\326\077\000\121\277\060\015\006
-\011\052\206\110\206\367\015\001\001\005\005\000\060\166\061\013
-\060\011\006\003\125\004\006\023\002\104\105\061\034\060\032\006
-\003\125\004\012\023\023\124\103\040\124\162\165\163\164\103\145
-\156\164\145\162\040\107\155\142\110\061\042\060\040\006\003\125
-\004\013\023\031\124\103\040\124\162\165\163\164\103\145\156\164
-\145\162\040\103\154\141\163\163\040\063\040\103\101\061\045\060
-\043\006\003\125\004\003\023\034\124\103\040\124\162\165\163\164
-\103\145\156\164\145\162\040\103\154\141\163\163\040\063\040\103
-\101\040\111\111\060\036\027\015\060\066\060\061\061\062\061\064
-\064\061\065\067\132\027\015\062\065\061\062\063\061\062\062\065
-\071\065\071\132\060\166\061\013\060\011\006\003\125\004\006\023
-\002\104\105\061\034\060\032\006\003\125\004\012\023\023\124\103
-\040\124\162\165\163\164\103\145\156\164\145\162\040\107\155\142
-\110\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124
-\162\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163
-\040\063\040\103\101\061\045\060\043\006\003\125\004\003\023\034
-\124\103\040\124\162\165\163\164\103\145\156\164\145\162\040\103
-\154\141\163\163\040\063\040\103\101\040\111\111\060\202\001\042
-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
-\202\001\017\000\060\202\001\012\002\202\001\001\000\264\340\273
-\121\273\071\134\213\004\305\114\171\034\043\206\061\020\143\103
-\125\047\077\306\105\307\244\075\354\011\015\032\036\040\302\126
-\036\336\033\067\007\060\042\057\157\361\006\361\253\255\326\310
-\253\141\243\057\103\304\260\262\055\374\303\226\151\173\176\212
-\344\314\300\071\022\220\102\140\311\314\065\150\356\332\137\220
-\126\137\315\034\115\133\130\111\353\016\001\117\144\372\054\074
-\211\130\330\057\056\342\260\150\351\042\073\165\211\326\104\032
-\145\362\033\227\046\035\050\155\254\350\275\131\035\053\044\366
-\326\204\003\146\210\044\000\170\140\361\370\253\376\002\262\153
-\373\042\373\065\346\026\321\255\366\056\022\344\372\065\152\345
-\031\271\135\333\073\036\032\373\323\377\025\024\010\330\011\152
-\272\105\235\024\171\140\175\257\100\212\007\163\263\223\226\323
-\164\064\215\072\067\051\336\134\354\365\356\056\061\302\040\334
-\276\361\117\177\043\122\331\133\342\144\331\234\252\007\010\265
-\105\275\321\320\061\301\253\124\237\251\322\303\142\140\003\361
-\273\071\112\222\112\075\012\271\235\305\240\376\067\002\003\001
-\000\001\243\202\001\064\060\202\001\060\060\017\006\003\125\035
-\023\001\001\377\004\005\060\003\001\001\377\060\016\006\003\125
-\035\017\001\001\377\004\004\003\002\001\006\060\035\006\003\125
-\035\016\004\026\004\024\324\242\374\237\263\303\330\003\323\127
-\134\007\244\320\044\247\300\362\000\324\060\201\355\006\003\125
-\035\037\004\201\345\060\201\342\060\201\337\240\201\334\240\201
-\331\206\065\150\164\164\160\072\057\057\167\167\167\056\164\162
-\165\163\164\143\145\156\164\145\162\056\144\145\057\143\162\154
-\057\166\062\057\164\143\137\143\154\141\163\163\137\063\137\143
-\141\137\111\111\056\143\162\154\206\201\237\154\144\141\160\072
-\057\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145
-\162\056\144\145\057\103\116\075\124\103\045\062\060\124\162\165
-\163\164\103\145\156\164\145\162\045\062\060\103\154\141\163\163
-\045\062\060\063\045\062\060\103\101\045\062\060\111\111\054\117
-\075\124\103\045\062\060\124\162\165\163\164\103\145\156\164\145
-\162\045\062\060\107\155\142\110\054\117\125\075\162\157\157\164
-\143\145\162\164\163\054\104\103\075\164\162\165\163\164\143\145
-\156\164\145\162\054\104\103\075\144\145\077\143\145\162\164\151
-\146\151\143\141\164\145\122\145\166\157\143\141\164\151\157\156
-\114\151\163\164\077\142\141\163\145\077\060\015\006\011\052\206
-\110\206\367\015\001\001\005\005\000\003\202\001\001\000\066\140
-\344\160\367\006\040\103\331\043\032\102\362\370\243\262\271\115
-\212\264\363\302\232\125\061\174\304\073\147\232\264\337\115\016
-\212\223\112\027\213\033\215\312\211\341\317\072\036\254\035\361
-\234\062\264\216\131\166\242\101\205\045\067\240\023\320\365\174
-\116\325\352\226\342\156\162\301\273\052\376\154\156\370\221\230
-\106\374\311\033\127\133\352\310\032\073\077\260\121\230\074\007
-\332\054\131\001\332\213\104\350\341\164\375\247\150\335\124\272
-\203\106\354\310\106\265\370\257\227\300\073\011\034\217\316\162
-\226\075\063\126\160\274\226\313\330\325\175\040\232\203\237\032
-\334\071\361\305\162\243\021\003\375\073\102\122\051\333\350\001
-\367\233\136\214\326\215\206\116\031\372\274\034\276\305\041\245
-\207\236\170\056\066\333\011\161\243\162\064\370\154\343\006\011
-\362\136\126\245\323\335\230\372\324\346\006\364\360\266\040\143
-\113\352\051\275\252\202\146\036\373\201\252\247\067\255\023\030
-\346\222\303\201\301\063\273\210\036\241\347\342\264\275\061\154
-\016\121\075\157\373\226\126\200\342\066\027\321\334\344
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "TC TrustCenter Class 3 CA II"
-# Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
-# Serial Number:4a:47:00:01:00:02:e5:a0:5d:d6:3f:00:51:bf
-# Subject: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
-# Not Valid Before: Thu Jan 12 14:41:57 2006
-# Not Valid After : Wed Dec 31 22:59:59 2025
-# Fingerprint (MD5): 56:5F:AA:80:61:12:17:F6:67:21:E6:2B:6D:61:56:8E
-# Fingerprint (SHA1): 80:25:EF:F4:6E:70:C8:D4:72:24:65:84:FE:40:3B:8A:8D:6A:DB:F5
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TC TrustCenter Class 3 CA II"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\200\045\357\364\156\160\310\324\162\044\145\204\376\100\073\212
-\215\152\333\365
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\126\137\252\200\141\022\027\366\147\041\346\053\155\141\126\216
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\166\061\013\060\011\006\003\125\004\006\023\002\104\105\061
-\034\060\032\006\003\125\004\012\023\023\124\103\040\124\162\165
-\163\164\103\145\156\164\145\162\040\107\155\142\110\061\042\060
-\040\006\003\125\004\013\023\031\124\103\040\124\162\165\163\164
-\103\145\156\164\145\162\040\103\154\141\163\163\040\063\040\103
-\101\061\045\060\043\006\003\125\004\003\023\034\124\103\040\124
-\162\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163
-\040\063\040\103\101\040\111\111
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\016\112\107\000\001\000\002\345\240\135\326\077\000\121\277
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
# Certificate "Deutsche Telekom Root CA 2"
#
# Issuer: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
@@ -17883,155 +17726,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
-# Certificate "S-TRUST Universal Root CA"
-#
-# Issuer: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
-# Serial Number:60:56:c5:4b:23:40:5b:64:d4:ed:25:da:d9:d6:1e:1e
-# Subject: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
-# Not Valid Before: Tue Oct 22 00:00:00 2013
-# Not Valid After : Thu Oct 21 23:59:59 2038
-# Fingerprint (SHA-256): D8:0F:EF:91:0A:E3:F1:04:72:3B:04:5C:EC:2D:01:9F:44:1C:E6:21:3A:DF:15:67:91:E7:0C:17:90:11:0A:31
-# Fingerprint (SHA1): 1B:3D:11:14:EA:7A:0F:95:58:54:41:95:BF:6B:25:82:AB:40:CE:9A
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "S-TRUST Universal Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\205\061\013\060\011\006\003\125\004\006\023\002\104\105
-\061\051\060\047\006\003\125\004\012\023\040\104\145\165\164\163
-\143\150\145\162\040\123\160\141\162\153\141\163\163\145\156\040
-\126\145\162\154\141\147\040\107\155\142\110\061\047\060\045\006
-\003\125\004\013\023\036\123\055\124\122\125\123\124\040\103\145
-\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162\166
-\151\143\145\163\061\042\060\040\006\003\125\004\003\023\031\123
-\055\124\122\125\123\124\040\125\156\151\166\145\162\163\141\154
-\040\122\157\157\164\040\103\101
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\205\061\013\060\011\006\003\125\004\006\023\002\104\105
-\061\051\060\047\006\003\125\004\012\023\040\104\145\165\164\163
-\143\150\145\162\040\123\160\141\162\153\141\163\163\145\156\040
-\126\145\162\154\141\147\040\107\155\142\110\061\047\060\045\006
-\003\125\004\013\023\036\123\055\124\122\125\123\124\040\103\145
-\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162\166
-\151\143\145\163\061\042\060\040\006\003\125\004\003\023\031\123
-\055\124\122\125\123\124\040\125\156\151\166\145\162\163\141\154
-\040\122\157\157\164\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\140\126\305\113\043\100\133\144\324\355\045\332\331\326
-\036\036
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\330\060\202\002\300\240\003\002\001\002\002\020\140
-\126\305\113\043\100\133\144\324\355\045\332\331\326\036\036\060
-\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\201
-\205\061\013\060\011\006\003\125\004\006\023\002\104\105\061\051
-\060\047\006\003\125\004\012\023\040\104\145\165\164\163\143\150
-\145\162\040\123\160\141\162\153\141\163\163\145\156\040\126\145
-\162\154\141\147\040\107\155\142\110\061\047\060\045\006\003\125
-\004\013\023\036\123\055\124\122\125\123\124\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\123\145\162\166\151\143
-\145\163\061\042\060\040\006\003\125\004\003\023\031\123\055\124
-\122\125\123\124\040\125\156\151\166\145\162\163\141\154\040\122
-\157\157\164\040\103\101\060\036\027\015\061\063\061\060\062\062
-\060\060\060\060\060\060\132\027\015\063\070\061\060\062\061\062
-\063\065\071\065\071\132\060\201\205\061\013\060\011\006\003\125
-\004\006\023\002\104\105\061\051\060\047\006\003\125\004\012\023
-\040\104\145\165\164\163\143\150\145\162\040\123\160\141\162\153
-\141\163\163\145\156\040\126\145\162\154\141\147\040\107\155\142
-\110\061\047\060\045\006\003\125\004\013\023\036\123\055\124\122
-\125\123\124\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\123\145\162\166\151\143\145\163\061\042\060\040\006\003
-\125\004\003\023\031\123\055\124\122\125\123\124\040\125\156\151
-\166\145\162\163\141\154\040\122\157\157\164\040\103\101\060\202
-\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
-\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\250
-\343\013\337\021\067\205\202\232\265\154\146\174\141\077\300\107
-\032\035\106\343\260\125\144\345\270\202\071\050\007\176\027\377
-\364\233\212\360\221\201\352\070\077\041\170\154\110\354\153\057
-\242\323\212\162\262\247\327\331\352\177\264\300\111\153\060\045
-\211\214\353\267\325\100\141\230\342\334\074\040\222\315\145\112
-\162\237\032\216\214\372\045\025\277\363\041\203\050\015\213\257
-\131\021\202\103\134\233\115\045\121\177\130\030\143\140\073\263
-\265\212\213\130\143\067\110\110\220\104\302\100\335\135\367\103
-\151\051\230\134\022\145\136\253\220\222\113\146\337\325\165\022
-\123\124\030\246\336\212\326\273\127\003\071\131\231\030\005\014
-\371\375\025\306\220\144\106\027\202\327\302\112\101\075\375\000
-\276\127\162\030\224\167\033\123\132\211\001\366\063\162\016\223
-\072\334\350\036\375\005\005\326\274\163\340\210\334\253\117\354
-\265\030\206\117\171\204\016\110\052\146\052\335\062\310\170\145
-\310\013\235\130\001\005\161\355\201\365\150\027\156\313\015\264
-\113\330\241\354\256\070\353\034\130\057\241\145\003\064\057\002
-\003\001\000\001\243\102\060\100\060\017\006\003\125\035\023\001
-\001\377\004\005\060\003\001\001\377\060\016\006\003\125\035\017
-\001\001\377\004\004\003\002\001\006\060\035\006\003\125\035\016
-\004\026\004\024\232\175\327\353\353\177\124\230\105\051\264\040
-\253\155\013\226\043\031\244\302\060\015\006\011\052\206\110\206
-\367\015\001\001\013\005\000\003\202\001\001\000\116\226\022\333
-\176\167\136\222\047\236\041\027\030\202\166\330\077\274\245\011
-\004\146\210\211\255\333\125\263\063\152\306\145\304\217\115\363
-\062\066\334\171\004\226\251\167\062\321\227\365\030\153\214\272
-\355\316\021\320\104\307\222\361\264\104\216\355\210\122\110\236
-\325\375\131\370\243\036\121\373\001\122\345\137\345\172\335\252
-\044\117\042\213\335\166\106\366\245\240\017\065\330\312\017\230
-\271\060\135\040\157\302\201\036\275\275\300\376\025\323\070\052
-\011\223\230\047\033\223\173\320\053\064\136\150\245\025\117\321
-\122\303\240\312\240\203\105\035\365\365\267\131\163\135\131\001
-\217\252\302\107\057\024\161\325\051\343\020\265\107\223\045\314
-\043\051\332\267\162\330\221\324\354\033\110\212\042\344\301\052
-\367\072\150\223\237\105\031\156\103\267\314\376\270\221\232\141
-\032\066\151\143\144\222\050\363\157\141\222\205\023\237\311\007
-\054\213\127\334\353\236\171\325\302\336\010\325\124\262\127\116
-\052\062\215\241\342\072\321\020\040\042\071\175\064\105\157\161
-\073\303\035\374\377\262\117\250\342\366\060\036
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "S-TRUST Universal Root CA"
-# Issuer: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
-# Serial Number:60:56:c5:4b:23:40:5b:64:d4:ed:25:da:d9:d6:1e:1e
-# Subject: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
-# Not Valid Before: Tue Oct 22 00:00:00 2013
-# Not Valid After : Thu Oct 21 23:59:59 2038
-# Fingerprint (SHA-256): D8:0F:EF:91:0A:E3:F1:04:72:3B:04:5C:EC:2D:01:9F:44:1C:E6:21:3A:DF:15:67:91:E7:0C:17:90:11:0A:31
-# Fingerprint (SHA1): 1B:3D:11:14:EA:7A:0F:95:58:54:41:95:BF:6B:25:82:AB:40:CE:9A
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "S-TRUST Universal Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\033\075\021\024\352\172\017\225\130\124\101\225\277\153\045\202
-\253\100\316\232
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\130\366\101\001\256\365\133\121\231\116\134\041\350\117\324\146
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\205\061\013\060\011\006\003\125\004\006\023\002\104\105
-\061\051\060\047\006\003\125\004\012\023\040\104\145\165\164\163
-\143\150\145\162\040\123\160\141\162\153\141\163\163\145\156\040
-\126\145\162\154\141\147\040\107\155\142\110\061\047\060\045\006
-\003\125\004\013\023\036\123\055\124\122\125\123\124\040\103\145
-\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162\166
-\151\143\145\163\061\042\060\040\006\003\125\004\003\023\031\123
-\055\124\122\125\123\124\040\125\156\151\166\145\162\163\141\154
-\040\122\157\157\164\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\140\126\305\113\043\100\133\144\324\355\045\332\331\326
-\036\036
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
# Certificate "Entrust Root Certification Authority - G2"
#
# Issuer: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
@@ -18509,167 +18203,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
-# Certificate "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
-#
-# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
-# Serial Number:00:8e:17:fe:24:20:81
-# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
-# Not Valid Before: Tue Apr 30 08:07:01 2013
-# Not Valid After : Fri Apr 28 08:07:01 2023
-# Fingerprint (SHA-256): 49:35:1B:90:34:44:C1:85:CC:DC:5C:69:3D:24:D8:55:5C:B2:08:D6:A8:14:13:07:69:9F:4A:F0:63:19:9D:78
-# Fingerprint (SHA1): C4:18:F6:4D:46:D1:DF:00:3D:27:30:13:72:43:A9:12:11:C6:75:FB
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
-\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
-\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
-\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
-\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
-\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
-\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
-\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
-\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
-\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
-\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
-\261\040\110\065
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
-\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
-\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
-\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
-\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
-\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
-\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
-\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
-\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
-\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
-\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
-\261\040\110\065
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\007\000\216\027\376\044\040\201
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\047\060\202\003\017\240\003\002\001\002\002\007\000
-\216\027\376\044\040\201\060\015\006\011\052\206\110\206\367\015
-\001\001\013\005\000\060\201\261\061\013\060\011\006\003\125\004
-\006\023\002\124\122\061\017\060\015\006\003\125\004\007\014\006
-\101\156\153\141\162\141\061\115\060\113\006\003\125\004\012\014
-\104\124\303\234\122\113\124\122\125\123\124\040\102\151\154\147
-\151\040\304\260\154\145\164\151\305\237\151\155\040\166\145\040
-\102\151\154\151\305\237\151\155\040\107\303\274\166\145\156\154
-\151\304\237\151\040\110\151\172\155\145\164\154\145\162\151\040
-\101\056\305\236\056\061\102\060\100\006\003\125\004\003\014\071
-\124\303\234\122\113\124\122\125\123\124\040\105\154\145\153\164
-\162\157\156\151\153\040\123\145\162\164\151\146\151\153\141\040
-\110\151\172\155\145\164\040\123\141\304\237\154\141\171\304\261
-\143\304\261\163\304\261\040\110\065\060\036\027\015\061\063\060
-\064\063\060\060\070\060\067\060\061\132\027\015\062\063\060\064
-\062\070\060\070\060\067\060\061\132\060\201\261\061\013\060\011
-\006\003\125\004\006\023\002\124\122\061\017\060\015\006\003\125
-\004\007\014\006\101\156\153\141\162\141\061\115\060\113\006\003
-\125\004\012\014\104\124\303\234\122\113\124\122\125\123\124\040
-\102\151\154\147\151\040\304\260\154\145\164\151\305\237\151\155
-\040\166\145\040\102\151\154\151\305\237\151\155\040\107\303\274
-\166\145\156\154\151\304\237\151\040\110\151\172\155\145\164\154
-\145\162\151\040\101\056\305\236\056\061\102\060\100\006\003\125
-\004\003\014\071\124\303\234\122\113\124\122\125\123\124\040\105
-\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151\146
-\151\153\141\040\110\151\172\155\145\164\040\123\141\304\237\154
-\141\171\304\261\143\304\261\163\304\261\040\110\065\060\202\001
-\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
-\003\202\001\017\000\060\202\001\012\002\202\001\001\000\244\045
-\031\341\145\236\353\110\041\120\112\010\345\021\360\132\272\046
-\377\203\131\316\104\052\057\376\341\316\140\003\374\215\003\245
-\355\377\153\250\272\314\064\006\237\131\065\366\354\054\273\235
-\373\215\122\151\343\234\047\020\123\363\244\002\305\247\371\021
-\032\151\165\156\303\035\213\321\230\215\223\207\247\161\227\015
-\041\307\231\371\122\323\054\143\135\125\274\350\037\001\110\271
-\140\376\102\112\366\310\200\256\315\146\172\236\105\212\150\167
-\342\110\150\237\242\332\361\341\301\020\237\353\074\051\201\247
-\341\062\010\324\240\005\261\214\373\215\226\000\016\076\045\337
-\123\206\042\073\374\364\275\363\011\176\167\354\206\353\017\063
-\345\103\117\364\124\165\155\051\231\056\146\132\103\337\313\134
-\312\310\345\070\361\176\073\065\235\017\364\305\132\241\314\363
-\040\200\044\323\127\354\025\272\165\045\233\350\144\113\263\064
-\204\357\004\270\366\311\154\252\002\076\266\125\342\062\067\137
-\374\146\227\137\315\326\236\307\040\277\115\306\254\077\165\137
-\034\355\062\234\174\151\000\151\221\343\043\030\123\351\002\003
-\001\000\001\243\102\060\100\060\035\006\003\125\035\016\004\026
-\004\024\126\231\007\036\323\254\014\151\144\264\014\120\107\336
-\103\054\276\040\300\373\060\016\006\003\125\035\017\001\001\377
-\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
-\004\005\060\003\001\001\377\060\015\006\011\052\206\110\206\367
-\015\001\001\013\005\000\003\202\001\001\000\236\105\166\173\027
-\110\062\362\070\213\051\275\356\226\112\116\201\030\261\121\107
-\040\315\320\144\261\016\311\331\001\331\011\316\310\231\334\150
-\045\023\324\134\362\243\350\004\376\162\011\307\013\252\035\045
-\125\176\226\232\127\267\272\305\021\172\031\346\247\176\075\205
-\016\365\371\056\051\057\347\371\154\130\026\127\120\045\366\076
-\056\076\252\355\167\161\252\252\231\226\106\012\256\216\354\052
-\121\026\260\136\315\352\147\004\034\130\060\365\140\212\275\246
-\275\115\345\226\264\374\102\211\001\153\366\160\310\120\071\014
-\055\325\146\331\310\322\263\062\267\033\031\155\313\063\371\337
-\245\346\025\204\067\360\302\362\145\226\222\220\167\360\255\364
-\220\351\021\170\327\223\211\300\075\013\272\051\364\350\231\235
-\162\216\355\235\057\356\222\175\241\361\377\135\272\063\140\205
-\142\376\007\002\241\204\126\106\276\226\012\232\023\327\041\114
-\267\174\007\237\116\116\077\221\164\373\047\235\021\314\335\346
-\261\312\161\115\023\027\071\046\305\051\041\053\223\051\152\226
-\372\253\101\341\113\266\065\013\300\233\025
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
-# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
-# Serial Number:00:8e:17:fe:24:20:81
-# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
-# Not Valid Before: Tue Apr 30 08:07:01 2013
-# Not Valid After : Fri Apr 28 08:07:01 2023
-# Fingerprint (SHA-256): 49:35:1B:90:34:44:C1:85:CC:DC:5C:69:3D:24:D8:55:5C:B2:08:D6:A8:14:13:07:69:9F:4A:F0:63:19:9D:78
-# Fingerprint (SHA1): C4:18:F6:4D:46:D1:DF:00:3D:27:30:13:72:43:A9:12:11:C6:75:FB
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\304\030\366\115\106\321\337\000\075\047\060\023\162\103\251\022
-\021\306\165\373
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\332\160\216\360\042\337\223\046\366\137\237\323\025\006\122\116
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
-\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
-\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
-\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
-\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
-\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
-\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
-\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
-\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
-\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
-\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
-\261\040\110\065
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\007\000\216\027\376\044\040\201
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
# Certificate "Certinomis - Root CA"
#
# Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
diff --git a/security/nss/lib/ckfw/builtins/nssckbi.h b/security/nss/lib/ckfw/builtins/nssckbi.h
index 0189369b1b..d40c8080eb 100644
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -32,7 +32,7 @@
* - whenever possible, if older branches require a modification to the
* list, these changes should be made on the main line of development (trunk),
* and the older branches should update to the most recent list.
- *
+ *
* - ODD minor version numbers are reserved to indicate a snapshot that has
* deviated from the main line of development, e.g. if it was necessary
* to modify the list on a stable branch.
@@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 22
-#define NSS_BUILTINS_LIBRARY_VERSION "2.22"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 24
+#define NSS_BUILTINS_LIBRARY_VERSION "2.24"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
diff --git a/security/nss/lib/ckfw/nssmkey/Makefile b/security/nss/lib/ckfw/nssmkey/Makefile
deleted file mode 100644
index e630e84b0f..0000000000
--- a/security/nss/lib/ckfw/nssmkey/Makefile
+++ /dev/null
@@ -1,72 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-include manifest.mn
-include $(CORE_DEPTH)/coreconf/config.mk
-include config.mk
-
-EXTRA_LIBS = \
- $(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
- $(NULL)
-
-# can't do this in manifest.mn because OS_TARGET isn't defined there.
-ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-
-ifdef NS_USE_GCC
-EXTRA_LIBS += \
- -L$(NSPR_LIB_DIR) \
- -lplc4 \
- -lplds4 \
- -lnspr4 \
- $(NULL)
-else
-EXTRA_SHARED_LIBS += \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
- $(NULL)
-endif # NS_USE_GCC
-else
-
-EXTRA_LIBS += \
- -L$(NSPR_LIB_DIR) \
- -lplc4 \
- -lplds4 \
- -lnspr4 \
- -framework Security \
- -framework CoreServices \
- $(NULL)
-endif
-
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-# Generate certdata.c.
-generate:
- perl certdata.perl < certdata.txt
-
-# This'll need some help from a build person.
-
-
-ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1)
-DSO_LDOPTS = -bM:SRE -bh:4 -bnoentry
-EXTRA_DSO_LDOPTS = -lc
-MKSHLIB = xlC $(DSO_LDOPTS)
-
-$(SHARED_LIBRARY): $(OBJS)
- @$(MAKE_OBJDIR)
- rm -f $@
- $(MKSHLIB) -o $@ $(OBJS) $(EXTRA_LIBS) $(EXTRA_DSO_LDOPTS)
- chmod +x $@
-
-endif
-
-ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.2)
-LD += -G
-endif
-
-
diff --git a/security/nss/lib/ckfw/nssmkey/README b/security/nss/lib/ckfw/nssmkey/README
deleted file mode 100644
index c060d9c3c0..0000000000
--- a/security/nss/lib/ckfw/nssmkey/README
+++ /dev/null
@@ -1,21 +0,0 @@
-This Cryptoki module provides acces to certs and keys stored in
-Macintosh key Ring.
-
-- It does not yet export PKCS #12 keys. To get this to work should be
- implemented using exporting the key object in PKCS #8 wrapped format.
- PSM work needs to happen before this can be completed.
-- It does not import or export CA Root trust from the mac keychain.
-- It does not handle S/MIME objects (pkcs #7 in mac keychain terms?).
-- The AuthRoots don't show up on the default list.
-- Only RSA keys are supported currently.
-
-There are a number of things that have not been tested that other PKCS #11
-apps may need:
-- reading Modulus and Public Exponents from private keys and public keys.
-- storing public keys.
-- setting attributes other than CKA_ID and CKA_LABEL.
-
-Other TODOs:
-- Check for and plug memory leaks.
-- Need to map mac errors into something more intellegible than
- CKR_GENERAL_ERROR.
diff --git a/security/nss/lib/ckfw/nssmkey/ckmk.h b/security/nss/lib/ckfw/nssmkey/ckmk.h
deleted file mode 100644
index 4f3ab82d72..0000000000
--- a/security/nss/lib/ckfw/nssmkey/ckmk.h
+++ /dev/null
@@ -1,182 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef CKMK_H
-#define CKMK_H 1
-
-#include <Security/SecKeychainSearch.h>
-#include <Security/SecKeychainItem.h>
-#include <Security/SecKeychain.h>
-#include <Security/cssmtype.h>
-#include <Security/cssmapi.h>
-#include <Security/SecKey.h>
-#include <Security/SecCertificate.h>
-
-#define NTO
-
-#include "nssckmdt.h"
-#include "nssckfw.h"
-/*
- * I'm including this for access to the arena functions.
- * Looks like we should publish that API.
- */
-#ifndef BASE_H
-#include "base.h"
-#endif /* BASE_H */
-/*
- * This is where the Netscape extensions live, at least for now.
- */
-#ifndef CKT_H
-#include "ckt.h"
-#endif /* CKT_H */
-
-/*
- * statically defined raw objects. Allows us to data description objects
- * to this PKCS #11 module.
- */
-struct ckmkRawObjectStr {
- CK_ULONG n;
- const CK_ATTRIBUTE_TYPE *types;
- const NSSItem *items;
-};
-typedef struct ckmkRawObjectStr ckmkRawObject;
-
-/*
- * Key/Cert Items
- */
-struct ckmkItemObjectStr {
- SecKeychainItemRef itemRef;
- SecItemClass itemClass;
- PRBool hasID;
- NSSItem modify;
- NSSItem private;
- NSSItem encrypt;
- NSSItem decrypt;
- NSSItem derive;
- NSSItem sign;
- NSSItem signRecover;
- NSSItem verify;
- NSSItem verifyRecover;
- NSSItem wrap;
- NSSItem unwrap;
- NSSItem label;
- NSSItem subject;
- NSSItem issuer;
- NSSItem serial;
- NSSItem derCert;
- NSSItem id;
- NSSItem modulus;
- NSSItem exponent;
- NSSItem privateExponent;
- NSSItem prime1;
- NSSItem prime2;
- NSSItem exponent1;
- NSSItem exponent2;
- NSSItem coefficient;
-};
-typedef struct ckmkItemObjectStr ckmkItemObject;
-
-typedef enum {
- ckmkRaw,
- ckmkItem,
-} ckmkObjectType;
-
-/*
- * all the various types of objects are abstracted away in cobject and
- * cfind as ckmkInternalObjects.
- */
-struct ckmkInternalObjectStr {
- ckmkObjectType type;
- union {
- ckmkRawObject raw;
- ckmkItemObject item;
- } u;
- CK_OBJECT_CLASS objClass;
- NSSItem hashKey;
- unsigned char hashKeyData[128];
- NSSCKMDObject mdObject;
-};
-typedef struct ckmkInternalObjectStr ckmkInternalObject;
-
-/* our raw object data array */
-NSS_EXTERN_DATA ckmkInternalObject nss_ckmk_data[];
-NSS_EXTERN_DATA const PRUint32 nss_ckmk_nObjects;
-
-NSS_EXTERN_DATA const CK_VERSION nss_ckmk_CryptokiVersion;
-NSS_EXTERN_DATA const NSSUTF8 *nss_ckmk_ManufacturerID;
-NSS_EXTERN_DATA const NSSUTF8 *nss_ckmk_LibraryDescription;
-NSS_EXTERN_DATA const CK_VERSION nss_ckmk_LibraryVersion;
-NSS_EXTERN_DATA const NSSUTF8 *nss_ckmk_SlotDescription;
-NSS_EXTERN_DATA const CK_VERSION nss_ckmk_HardwareVersion;
-NSS_EXTERN_DATA const CK_VERSION nss_ckmk_FirmwareVersion;
-NSS_EXTERN_DATA const NSSUTF8 *nss_ckmk_TokenLabel;
-NSS_EXTERN_DATA const NSSUTF8 *nss_ckmk_TokenModel;
-NSS_EXTERN_DATA const NSSUTF8 *nss_ckmk_TokenSerialNumber;
-
-NSS_EXTERN_DATA const NSSCKMDInstance nss_ckmk_mdInstance;
-NSS_EXTERN_DATA const NSSCKMDSlot nss_ckmk_mdSlot;
-NSS_EXTERN_DATA const NSSCKMDToken nss_ckmk_mdToken;
-NSS_EXTERN_DATA const NSSCKMDMechanism nss_ckmk_mdMechanismRSA;
-
-NSS_EXTERN NSSCKMDSession *
-nss_ckmk_CreateSession(
- NSSCKFWSession *fwSession,
- CK_RV *pError);
-
-NSS_EXTERN NSSCKMDFindObjects *
-nss_ckmk_FindObjectsInit(
- NSSCKFWSession *fwSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError);
-
-/*
- * Object Utilities
- */
-NSS_EXTERN NSSCKMDObject *
-nss_ckmk_CreateMDObject(
- NSSArena *arena,
- ckmkInternalObject *io,
- CK_RV *pError);
-
-NSS_EXTERN NSSCKMDObject *
-nss_ckmk_CreateObject(
- NSSCKFWSession *fwSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError);
-
-NSS_EXTERN const NSSItem *
-nss_ckmk_FetchAttribute(
- ckmkInternalObject *io,
- CK_ATTRIBUTE_TYPE type,
- CK_RV *pError);
-
-NSS_EXTERN void
-nss_ckmk_DestroyInternalObject(
- ckmkInternalObject *io);
-
-unsigned char *
-nss_ckmk_DERUnwrap(
- unsigned char *src,
- int size,
- int *outSize,
- unsigned char **next);
-
-CK_ULONG
-nss_ckmk_GetULongAttribute(
- CK_ATTRIBUTE_TYPE type,
- CK_ATTRIBUTE *template,
- CK_ULONG templateSize,
- CK_RV *pError);
-
-#define NSS_CKMK_ARRAY_SIZE(x) ((sizeof(x)) / (sizeof((x)[0])))
-
-#ifdef DEBUG
-#define CKMK_MACERR(str, err) cssmPerror(str, err)
-#else
-#define CKMK_MACERR(str, err)
-#endif
-
-#endif
diff --git a/security/nss/lib/ckfw/nssmkey/ckmkver.c b/security/nss/lib/ckfw/nssmkey/ckmkver.c
deleted file mode 100644
index 2b99f1e228..0000000000
--- a/security/nss/lib/ckfw/nssmkey/ckmkver.c
+++ /dev/null
@@ -1,17 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* Library identity and versioning */
-
-#include "nssmkey.h"
-
-#if defined(DEBUG)
-#define _DEBUG_STRING " (debug)"
-#else
-#define _DEBUG_STRING ""
-#endif
-
-/*
- * Version information
- */
-const char __nss_ckmk_version[] = "Version: NSS Access to the MAC OS X Key Ring " NSS_CKMK_LIBRARY_VERSION _DEBUG_STRING;
diff --git a/security/nss/lib/ckfw/nssmkey/config.mk b/security/nss/lib/ckfw/nssmkey/config.mk
deleted file mode 100644
index 7096910679..0000000000
--- a/security/nss/lib/ckfw/nssmkey/config.mk
+++ /dev/null
@@ -1,24 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-ifdef BUILD_IDG
-DEFINES += -DNSSDEBUG
-endif
-
-ifdef NS_USE_CKFW_TRACE
-DEFINES += -DTRACE
-endif
-
-#
-# Override TARGETS variable so that only static libraries
-# are specifed as dependencies within rules.mk.
-#
-
-TARGETS = $(LIBRARY)
-SHARED_LIBRARY =
-IMPORT_LIBRARY =
-PROGRAM =
-
-
diff --git a/security/nss/lib/ckfw/nssmkey/manchor.c b/security/nss/lib/ckfw/nssmkey/manchor.c
deleted file mode 100644
index 3b8bc2dbbe..0000000000
--- a/security/nss/lib/ckfw/nssmkey/manchor.c
+++ /dev/null
@@ -1,17 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-/*
- * nssmkey/manchor.c
- *
- * This file "anchors" the actual cryptoki entry points in this module's
- * shared library, which is required for dynamic loading. See the
- * comments in nssck.api for more information.
- */
-
-#include "ckmk.h"
-
-#define MODULE_NAME ckmk
-#define INSTANCE_NAME (NSSCKMDInstance *)&nss_ckmk_mdInstance
-#include "nssck.api"
diff --git a/security/nss/lib/ckfw/nssmkey/manifest.mn b/security/nss/lib/ckfw/nssmkey/manifest.mn
deleted file mode 100644
index 036d9bc3f4..0000000000
--- a/security/nss/lib/ckfw/nssmkey/manifest.mn
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-CORE_DEPTH = ../../../..
-
-MODULE = nss
-MAPFILE = $(OBJDIR)/nssmkey.def
-
-EXPORTS = \
- nssmkey.h \
- $(NULL)
-
-CSRCS = \
- manchor.c \
- mconstants.c \
- mfind.c \
- minst.c \
- mobject.c \
- mrsa.c \
- msession.c \
- mslot.c \
- mtoken.c \
- ckmkver.c \
- staticobj.c \
- $(NULL)
-
-REQUIRES = nspr
-
-LIBRARY_NAME = nssmkey
-
-#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
diff --git a/security/nss/lib/ckfw/nssmkey/mconstants.c b/security/nss/lib/ckfw/nssmkey/mconstants.c
deleted file mode 100644
index c26298ada3..0000000000
--- a/security/nss/lib/ckfw/nssmkey/mconstants.c
+++ /dev/null
@@ -1,61 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-/*
- * nssmkey/constants.c
- *
- * Identification and other constants, all collected here in one place.
- */
-
-#ifndef NSSBASET_H
-#include "nssbaset.h"
-#endif /* NSSBASET_H */
-
-#ifndef NSSCKT_H
-#include "nssckt.h"
-#endif /* NSSCKT_H */
-
-#include "nssmkey.h"
-
-NSS_IMPLEMENT_DATA const CK_VERSION
- nss_ckmk_CryptokiVersion = {
- NSS_CKMK_CRYPTOKI_VERSION_MAJOR,
- NSS_CKMK_CRYPTOKI_VERSION_MINOR
- };
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
- nss_ckmk_ManufacturerID = (NSSUTF8 *)"Mozilla Foundation";
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
- nss_ckmk_LibraryDescription = (NSSUTF8 *)"NSS Access to Mac OS X Key Ring";
-
-NSS_IMPLEMENT_DATA const CK_VERSION
- nss_ckmk_LibraryVersion = {
- NSS_CKMK_LIBRARY_VERSION_MAJOR,
- NSS_CKMK_LIBRARY_VERSION_MINOR
- };
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
- nss_ckmk_SlotDescription = (NSSUTF8 *)"Mac OS X Key Ring";
-
-NSS_IMPLEMENT_DATA const CK_VERSION
- nss_ckmk_HardwareVersion = {
- NSS_CKMK_HARDWARE_VERSION_MAJOR,
- NSS_CKMK_HARDWARE_VERSION_MINOR
- };
-
-NSS_IMPLEMENT_DATA const CK_VERSION
- nss_ckmk_FirmwareVersion = {
- NSS_CKMK_FIRMWARE_VERSION_MAJOR,
- NSS_CKMK_FIRMWARE_VERSION_MINOR
- };
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
- nss_ckmk_TokenLabel = (NSSUTF8 *)"Mac OS X Key Ring";
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
- nss_ckmk_TokenModel = (NSSUTF8 *)"1";
-
-NSS_IMPLEMENT_DATA const NSSUTF8 *
- nss_ckmk_TokenSerialNumber = (NSSUTF8 *)"1";
diff --git a/security/nss/lib/ckfw/nssmkey/mfind.c b/security/nss/lib/ckfw/nssmkey/mfind.c
deleted file mode 100644
index d193a8de70..0000000000
--- a/security/nss/lib/ckfw/nssmkey/mfind.c
+++ /dev/null
@@ -1,352 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef CKMK_H
-#include "ckmk.h"
-#endif /* CKMK_H */
-
-/*
- * nssmkey/mfind.c
- *
- * This file implements the NSSCKMDFindObjects object for the
- * "nssmkey" cryptoki module.
- */
-
-struct ckmkFOStr {
- NSSArena *arena;
- CK_ULONG n;
- CK_ULONG i;
- ckmkInternalObject **objs;
-};
-
-static void
-ckmk_mdFindObjects_Final(
- NSSCKMDFindObjects *mdFindObjects,
- NSSCKFWFindObjects *fwFindObjects,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance)
-{
- struct ckmkFOStr *fo = (struct ckmkFOStr *)mdFindObjects->etc;
- NSSArena *arena = fo->arena;
- PRUint32 i;
-
- /* walk down an free the unused 'objs' */
- for (i = fo->i; i < fo->n; i++) {
- nss_ckmk_DestroyInternalObject(fo->objs[i]);
- }
-
- nss_ZFreeIf(fo->objs);
- nss_ZFreeIf(fo);
- nss_ZFreeIf(mdFindObjects);
- if ((NSSArena *)NULL != arena) {
- NSSArena_Destroy(arena);
- }
-
- return;
-}
-
-static NSSCKMDObject *
-ckmk_mdFindObjects_Next(
- NSSCKMDFindObjects *mdFindObjects,
- NSSCKFWFindObjects *fwFindObjects,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSArena *arena,
- CK_RV *pError)
-{
- struct ckmkFOStr *fo = (struct ckmkFOStr *)mdFindObjects->etc;
- ckmkInternalObject *io;
-
- if (fo->i == fo->n) {
- *pError = CKR_OK;
- return (NSSCKMDObject *)NULL;
- }
-
- io = fo->objs[fo->i];
- fo->i++;
-
- return nss_ckmk_CreateMDObject(arena, io, pError);
-}
-
-static CK_BBOOL
-ckmk_attrmatch(
- CK_ATTRIBUTE_PTR a,
- ckmkInternalObject *o)
-{
- PRBool prb;
- const NSSItem *b;
- CK_RV error;
-
- b = nss_ckmk_FetchAttribute(o, a->type, &error);
- if (b == NULL) {
- return CK_FALSE;
- }
-
- if (a->ulValueLen != b->size) {
- /* match a decoded serial number */
- if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) {
- int len;
- unsigned char *data;
-
- data = nss_ckmk_DERUnwrap(b->data, b->size, &len, NULL);
- if ((len == a->ulValueLen) &&
- nsslibc_memequal(a->pValue, data, len, (PRStatus *)NULL)) {
- return CK_TRUE;
- }
- }
- return CK_FALSE;
- }
-
- prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
-
- if (PR_TRUE == prb) {
- return CK_TRUE;
- } else {
- return CK_FALSE;
- }
-}
-
-static CK_BBOOL
-ckmk_match(
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- ckmkInternalObject *o)
-{
- CK_ULONG i;
-
- for (i = 0; i < ulAttributeCount; i++) {
- if (CK_FALSE == ckmk_attrmatch(&pTemplate[i], o)) {
- return CK_FALSE;
- }
- }
-
- /* Every attribute passed */
- return CK_TRUE;
-}
-
-#define CKMK_ITEM_CHUNK 20
-
-#define PUT_OBJECT(obj, err, size, count, list) \
- { \
- if (count >= size) { \
- (list) = (list) ? nss_ZREALLOCARRAY(list, ckmkInternalObject *, \
- ((size) + \
- CKMK_ITEM_CHUNK)) \
- : nss_ZNEWARRAY(NULL, ckmkInternalObject *, \
- ((size) + \
- CKMK_ITEM_CHUNK)); \
- if ((ckmkInternalObject **)NULL == list) { \
- err = CKR_HOST_MEMORY; \
- goto loser; \
- } \
- (size) += CKMK_ITEM_CHUNK; \
- } \
- (list)[count] = (obj); \
- count++; \
- }
-
-/* find all the certs that represent the appropriate object (cert, priv key, or
- * pub key) in the cert store.
- */
-static PRUint32
-collect_class(
- CK_OBJECT_CLASS objClass,
- SecItemClass itemClass,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- ckmkInternalObject ***listp,
- PRUint32 *sizep,
- PRUint32 count,
- CK_RV *pError)
-{
- ckmkInternalObject *next = NULL;
- SecKeychainSearchRef searchRef = 0;
- SecKeychainItemRef itemRef = 0;
- OSStatus error;
-
- /* future, build the attribute list based on the template
- * so we can refine the search */
- error = SecKeychainSearchCreateFromAttributes(
- NULL, itemClass, NULL, &searchRef);
-
- while (noErr == SecKeychainSearchCopyNext(searchRef, &itemRef)) {
- /* if we don't have an internal object structure, get one */
- if ((ckmkInternalObject *)NULL == next) {
- next = nss_ZNEW(NULL, ckmkInternalObject);
- if ((ckmkInternalObject *)NULL == next) {
- *pError = CKR_HOST_MEMORY;
- goto loser;
- }
- }
- /* fill in the relevant object data */
- next->type = ckmkItem;
- next->objClass = objClass;
- next->u.item.itemRef = itemRef;
- next->u.item.itemClass = itemClass;
-
- /* see if this is one of the objects we are looking for */
- if (CK_TRUE == ckmk_match(pTemplate, ulAttributeCount, next)) {
- /* yes, put it on the list */
- PUT_OBJECT(next, *pError, *sizep, count, *listp);
- next = NULL; /* this one is on the list, need to allocate a new one now */
- } else {
- /* no , release the current item and clear out the structure for reuse */
- CFRelease(itemRef);
- /* don't cache the values we just loaded */
- nsslibc_memset(next, 0, sizeof(*next));
- }
- }
-loser:
- if (searchRef) {
- CFRelease(searchRef);
- }
- nss_ZFreeIf(next);
- return count;
-}
-
-static PRUint32
-collect_objects(
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- ckmkInternalObject ***listp,
- CK_RV *pError)
-{
- PRUint32 i;
- PRUint32 count = 0;
- PRUint32 size = 0;
- CK_OBJECT_CLASS objClass;
-
- /*
- * first handle the static build in objects (if any)
- */
- for (i = 0; i < nss_ckmk_nObjects; i++) {
- ckmkInternalObject *o = (ckmkInternalObject *)&nss_ckmk_data[i];
-
- if (CK_TRUE == ckmk_match(pTemplate, ulAttributeCount, o)) {
- PUT_OBJECT(o, *pError, size, count, *listp);
- }
- }
-
- /*
- * now handle the various object types
- */
- objClass = nss_ckmk_GetULongAttribute(CKA_CLASS,
- pTemplate, ulAttributeCount, pError);
- if (CKR_OK != *pError) {
- objClass = CK_INVALID_HANDLE;
- }
- *pError = CKR_OK;
- switch (objClass) {
- case CKO_CERTIFICATE:
- count = collect_class(objClass, kSecCertificateItemClass,
- pTemplate, ulAttributeCount, listp,
- &size, count, pError);
- break;
- case CKO_PUBLIC_KEY:
- count = collect_class(objClass, CSSM_DL_DB_RECORD_PUBLIC_KEY,
- pTemplate, ulAttributeCount, listp,
- &size, count, pError);
- break;
- case CKO_PRIVATE_KEY:
- count = collect_class(objClass, CSSM_DL_DB_RECORD_PRIVATE_KEY,
- pTemplate, ulAttributeCount, listp,
- &size, count, pError);
- break;
- /* all of them */
- case CK_INVALID_HANDLE:
- count = collect_class(CKO_CERTIFICATE, kSecCertificateItemClass,
- pTemplate, ulAttributeCount, listp,
- &size, count, pError);
- count = collect_class(CKO_PUBLIC_KEY, CSSM_DL_DB_RECORD_PUBLIC_KEY,
- pTemplate, ulAttributeCount, listp,
- &size, count, pError);
- count = collect_class(CKO_PUBLIC_KEY, CSSM_DL_DB_RECORD_PRIVATE_KEY,
- pTemplate, ulAttributeCount, listp,
- &size, count, pError);
- break;
- default:
- break;
- }
- if (CKR_OK != *pError) {
- goto loser;
- }
-
- return count;
-loser:
- nss_ZFreeIf(*listp);
- return 0;
-}
-
-NSS_IMPLEMENT NSSCKMDFindObjects *
-nss_ckmk_FindObjectsInit(
- NSSCKFWSession *fwSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError)
-{
- /* This could be made more efficient. I'm rather rushed. */
- NSSArena *arena;
- NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL;
- struct ckmkFOStr *fo = (struct ckmkFOStr *)NULL;
- ckmkInternalObject **temp = (ckmkInternalObject **)NULL;
-
- arena = NSSArena_Create();
- if ((NSSArena *)NULL == arena) {
- goto loser;
- }
-
- rv = nss_ZNEW(arena, NSSCKMDFindObjects);
- if ((NSSCKMDFindObjects *)NULL == rv) {
- *pError = CKR_HOST_MEMORY;
- goto loser;
- }
-
- fo = nss_ZNEW(arena, struct ckmkFOStr);
- if ((struct ckmkFOStr *)NULL == fo) {
- *pError = CKR_HOST_MEMORY;
- goto loser;
- }
-
- fo->arena = arena;
- /* fo->n and fo->i are already zero */
-
- rv->etc = (void *)fo;
- rv->Final = ckmk_mdFindObjects_Final;
- rv->Next = ckmk_mdFindObjects_Next;
- rv->null = (void *)NULL;
-
- fo->n = collect_objects(pTemplate, ulAttributeCount, &temp, pError);
- if (*pError != CKR_OK) {
- goto loser;
- }
-
- fo->objs = nss_ZNEWARRAY(arena, ckmkInternalObject *, fo->n);
- if ((ckmkInternalObject **)NULL == fo->objs) {
- *pError = CKR_HOST_MEMORY;
- goto loser;
- }
-
- (void)nsslibc_memcpy(fo->objs, temp, sizeof(ckmkInternalObject *) * fo->n);
- nss_ZFreeIf(temp);
- temp = (ckmkInternalObject **)NULL;
-
- return rv;
-
-loser:
- nss_ZFreeIf(temp);
- nss_ZFreeIf(fo);
- nss_ZFreeIf(rv);
- if ((NSSArena *)NULL != arena) {
- NSSArena_Destroy(arena);
- }
- return (NSSCKMDFindObjects *)NULL;
-}
diff --git a/security/nss/lib/ckfw/nssmkey/minst.c b/security/nss/lib/ckfw/nssmkey/minst.c
deleted file mode 100644
index fcb96c6527..0000000000
--- a/security/nss/lib/ckfw/nssmkey/minst.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "ckmk.h"
-
-/*
- * nssmkey/minstance.c
- *
- * This file implements the NSSCKMDInstance object for the
- * "nssmkey" cryptoki module.
- */
-
-/*
- * NSSCKMDInstance methods
- */
-
-static CK_ULONG
-ckmk_mdInstance_GetNSlots(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError)
-{
- return (CK_ULONG)1;
-}
-
-static CK_VERSION
-ckmk_mdInstance_GetCryptokiVersion(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance)
-{
- return nss_ckmk_CryptokiVersion;
-}
-
-static NSSUTF8 *
-ckmk_mdInstance_GetManufacturerID(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError)
-{
- return (NSSUTF8 *)nss_ckmk_ManufacturerID;
-}
-
-static NSSUTF8 *
-ckmk_mdInstance_GetLibraryDescription(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError)
-{
- return (NSSUTF8 *)nss_ckmk_LibraryDescription;
-}
-
-static CK_VERSION
-ckmk_mdInstance_GetLibraryVersion(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance)
-{
- return nss_ckmk_LibraryVersion;
-}
-
-static CK_RV
-ckmk_mdInstance_GetSlots(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDSlot *slots[])
-{
- slots[0] = (NSSCKMDSlot *)&nss_ckmk_mdSlot;
- return CKR_OK;
-}
-
-static CK_BBOOL
-ckmk_mdInstance_ModuleHandlesSessionObjects(
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance)
-{
- /* we don't want to allow any session object creation, at least
- * until we can investigate whether or not we can use those objects
- */
- return CK_TRUE;
-}
-
-NSS_IMPLEMENT_DATA const NSSCKMDInstance
- nss_ckmk_mdInstance = {
- (void *)NULL, /* etc */
- NULL, /* Initialize */
- NULL, /* Finalize */
- ckmk_mdInstance_GetNSlots,
- ckmk_mdInstance_GetCryptokiVersion,
- ckmk_mdInstance_GetManufacturerID,
- ckmk_mdInstance_GetLibraryDescription,
- ckmk_mdInstance_GetLibraryVersion,
- ckmk_mdInstance_ModuleHandlesSessionObjects,
- /*NULL, /* HandleSessionObjects */
- ckmk_mdInstance_GetSlots,
- NULL, /* WaitForSlotEvent */
- (void *)NULL /* null terminator */
- };
diff --git a/security/nss/lib/ckfw/nssmkey/mobject.c b/security/nss/lib/ckfw/nssmkey/mobject.c
deleted file mode 100644
index b19a8fdbde..0000000000
--- a/security/nss/lib/ckfw/nssmkey/mobject.c
+++ /dev/null
@@ -1,1861 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "ckmk.h"
-#include "nssbase.h"
-
-#include "secdert.h" /* for DER_INTEGER */
-#include "string.h"
-
-/* asn1 encoder (to build pkcs#8 blobs) */
-#include <seccomon.h>
-#include <secitem.h>
-#include <blapit.h>
-#include <secoid.h>
-#include <secasn1.h>
-
-/* for importing the keys */
-#include <CoreFoundation/CoreFoundation.h>
-#include <security/SecImportExport.h>
-
-/*
- * nssmkey/mobject.c
- *
- * This file implements the NSSCKMDObject object for the
- * "nssmkey" cryptoki module.
- */
-
-const CK_ATTRIBUTE_TYPE certAttrs[] = {
- CKA_CLASS,
- CKA_TOKEN,
- CKA_PRIVATE,
- CKA_MODIFIABLE,
- CKA_LABEL,
- CKA_CERTIFICATE_TYPE,
- CKA_SUBJECT,
- CKA_ISSUER,
- CKA_SERIAL_NUMBER,
- CKA_VALUE
-};
-const PRUint32 certAttrsCount = NSS_CKMK_ARRAY_SIZE(certAttrs);
-
-/* private keys, for now only support RSA */
-const CK_ATTRIBUTE_TYPE privKeyAttrs[] = {
- CKA_CLASS,
- CKA_TOKEN,
- CKA_PRIVATE,
- CKA_MODIFIABLE,
- CKA_LABEL,
- CKA_KEY_TYPE,
- CKA_DERIVE,
- CKA_LOCAL,
- CKA_SUBJECT,
- CKA_SENSITIVE,
- CKA_DECRYPT,
- CKA_SIGN,
- CKA_SIGN_RECOVER,
- CKA_UNWRAP,
- CKA_EXTRACTABLE,
- CKA_ALWAYS_SENSITIVE,
- CKA_NEVER_EXTRACTABLE,
- CKA_MODULUS,
- CKA_PUBLIC_EXPONENT,
-};
-const PRUint32 privKeyAttrsCount = NSS_CKMK_ARRAY_SIZE(privKeyAttrs);
-
-/* public keys, for now only support RSA */
-const CK_ATTRIBUTE_TYPE pubKeyAttrs[] = {
- CKA_CLASS,
- CKA_TOKEN,
- CKA_PRIVATE,
- CKA_MODIFIABLE,
- CKA_LABEL,
- CKA_KEY_TYPE,
- CKA_DERIVE,
- CKA_LOCAL,
- CKA_SUBJECT,
- CKA_ENCRYPT,
- CKA_VERIFY,
- CKA_VERIFY_RECOVER,
- CKA_WRAP,
- CKA_MODULUS,
- CKA_PUBLIC_EXPONENT,
-};
-const PRUint32 pubKeyAttrsCount = NSS_CKMK_ARRAY_SIZE(pubKeyAttrs);
-static const CK_BBOOL ck_true = CK_TRUE;
-static const CK_BBOOL ck_false = CK_FALSE;
-static const CK_CERTIFICATE_TYPE ckc_x509 = CKC_X_509;
-static const CK_KEY_TYPE ckk_rsa = CKK_RSA;
-static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
-static const CK_OBJECT_CLASS cko_private_key = CKO_PRIVATE_KEY;
-static const CK_OBJECT_CLASS cko_public_key = CKO_PUBLIC_KEY;
-static const NSSItem ckmk_trueItem = {
- (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL)
-};
-static const NSSItem ckmk_falseItem = {
- (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL)
-};
-static const NSSItem ckmk_x509Item = {
- (void *)&ckc_x509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE)
-};
-static const NSSItem ckmk_rsaItem = {
- (void *)&ckk_rsa, (PRUint32)sizeof(CK_KEY_TYPE)
-};
-static const NSSItem ckmk_certClassItem = {
- (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS)
-};
-static const NSSItem ckmk_privKeyClassItem = {
- (void *)&cko_private_key, (PRUint32)sizeof(CK_OBJECT_CLASS)
-};
-static const NSSItem ckmk_pubKeyClassItem = {
- (void *)&cko_public_key, (PRUint32)sizeof(CK_OBJECT_CLASS)
-};
-static const NSSItem ckmk_emptyItem = {
- (void *)&ck_true, 0
-};
-
-/*
- * these are utilities. The chould be moved to a new utilities file.
- */
-#ifdef DEBUG
-static void
-itemdump(char *str, void *data, int size, CK_RV error)
-{
- unsigned char *ptr = (unsigned char *)data;
- int i;
- fprintf(stderr, str);
- for (i = 0; i < size; i++) {
- fprintf(stderr, "%02x ", (unsigned int)ptr[i]);
- }
- fprintf(stderr, " (error = %d)\n", (int)error);
-}
-#endif
-
-/*
- * unwrap a single DER value
- * now that we have util linked in, we should probably use
- * the ANS1_Decoder for this work...
- */
-unsigned char *
-nss_ckmk_DERUnwrap(
- unsigned char *src,
- int size,
- int *outSize,
- unsigned char **next)
-{
- unsigned char *start = src;
- unsigned int len = 0;
-
- /* initialize error condition return values */
- *outSize = 0;
- if (next) {
- *next = src;
- }
-
- if (size < 2) {
- return start;
- }
- src++; /* skip the tag -- should check it against an expected value! */
- len = (unsigned)*src++;
- if (len & 0x80) {
- int count = len & 0x7f;
- len = 0;
-
- if (count + 2 > size) {
- return start;
- }
- while (count-- > 0) {
- len = (len << 8) | (unsigned)*src++;
- }
- }
- if (len + (src - start) > (unsigned int)size) {
- return start;
- }
- if (next) {
- *next = src + len;
- }
- *outSize = len;
-
- return src;
-}
-
-/*
- * get an attribute from a template. Value is returned in NSS item.
- * data for the item is owned by the template.
- */
-CK_RV
-nss_ckmk_GetAttribute(
- CK_ATTRIBUTE_TYPE type,
- CK_ATTRIBUTE *template,
- CK_ULONG templateSize,
- NSSItem *item)
-{
- CK_ULONG i;
-
- for (i = 0; i < templateSize; i++) {
- if (template[i].type == type) {
- item->data = template[i].pValue;
- item->size = template[i].ulValueLen;
- return CKR_OK;
- }
- }
- return CKR_TEMPLATE_INCOMPLETE;
-}
-
-/*
- * get an attribute which is type CK_ULONG.
- */
-CK_ULONG
-nss_ckmk_GetULongAttribute(
- CK_ATTRIBUTE_TYPE type,
- CK_ATTRIBUTE *template,
- CK_ULONG templateSize,
- CK_RV *pError)
-{
- NSSItem item;
-
- *pError = nss_ckmk_GetAttribute(type, template, templateSize, &item);
- if (CKR_OK != *pError) {
- return (CK_ULONG)0;
- }
- if (item.size != sizeof(CK_ULONG)) {
- *pError = CKR_ATTRIBUTE_VALUE_INVALID;
- return (CK_ULONG)0;
- }
- return *(CK_ULONG *)item.data;
-}
-
-/*
- * get an attribute which is type CK_BBOOL.
- */
-CK_BBOOL
-nss_ckmk_GetBoolAttribute(
- CK_ATTRIBUTE_TYPE type,
- CK_ATTRIBUTE *template,
- CK_ULONG templateSize,
- CK_BBOOL defaultBool)
-{
- NSSItem item;
- CK_RV error;
-
- error = nss_ckmk_GetAttribute(type, template, templateSize, &item);
- if (CKR_OK != error) {
- return defaultBool;
- }
- if (item.size != sizeof(CK_BBOOL)) {
- return defaultBool;
- }
- return *(CK_BBOOL *)item.data;
-}
-
-/*
- * get an attribute as a NULL terminated string. Caller is responsible to
- * free the string.
- */
-char *
-nss_ckmk_GetStringAttribute(
- CK_ATTRIBUTE_TYPE type,
- CK_ATTRIBUTE *template,
- CK_ULONG templateSize,
- CK_RV *pError)
-{
- NSSItem item;
- char *str;
-
- /* get the attribute */
- *pError = nss_ckmk_GetAttribute(type, template, templateSize, &item);
- if (CKR_OK != *pError) {
- return (char *)NULL;
- }
- /* make sure it is null terminated */
- str = nss_ZNEWARRAY(NULL, char, item.size + 1);
- if ((char *)NULL == str) {
- *pError = CKR_HOST_MEMORY;
- return (char *)NULL;
- }
-
- nsslibc_memcpy(str, item.data, item.size);
- str[item.size] = 0;
-
- return str;
-}
-
-/*
- * Apple doesn't seem to have a public interface to the DER encoder,
- * wip out a quick one for integers only (anything more complicated,
- * we should use one of the 3 in lib/util). -- especially since we
- * now link with it.
- */
-static CK_RV
-ckmk_encodeInt(NSSItem *dest, void *src, int srcLen)
-{
- int dataLen = srcLen;
- int lenLen = 1;
- int encLen;
- int isSigned = 0;
- int offset = 0;
- unsigned char *data = NULL;
- int i;
-
- if (*(unsigned char *)src & 0x80) {
- dataLen++;
- isSigned = 1;
- }
-
- /* calculate the length of the length specifier */
- /* (NOTE: destroys dataLen value) */
- if (dataLen > 0x7f) {
- do {
- lenLen++;
- dataLen >>= 8;
- } while (dataLen);
- }
-
- /* calculate our total length */
- dataLen = isSigned + srcLen;
- encLen = 1 + lenLen + dataLen;
- data = nss_ZNEWARRAY(NULL, unsigned char, encLen);
- if ((unsigned char *)NULL == data) {
- return CKR_HOST_MEMORY;
- }
- data[0] = DER_INTEGER;
- if (1 == lenLen) {
- data[1] = dataLen;
- } else {
- data[1] = 0x80 + lenLen;
- for (i = 0; i < lenLen; i++) {
- data[i + 1] = ((dataLen >> ((lenLen -
- i - 1) *
- 8)) &
- 0xff);
- }
- }
- offset = lenLen + 1;
-
- if (isSigned) {
- data[offset++] = 0;
- }
- nsslibc_memcpy(&data[offset], src, srcLen);
- dest->data = data;
- dest->size = encLen;
- return CKR_OK;
-}
-
-/*
- * Get a Keyring attribute. If content is set to true, then we get the
- * content, not the attribute.
- */
-static CK_RV
-ckmk_GetCommonAttribute(
- ckmkInternalObject *io,
- SecItemAttr itemAttr,
- PRBool content,
- NSSItem *item,
- char *dbString)
-{
- SecKeychainAttributeList *attrList = NULL;
- SecKeychainAttributeInfo attrInfo;
- PRUint32 len = 0;
- PRUint32 dataLen = 0;
- PRUint32 attrFormat = 0;
- void *dataVal = 0;
- void *out = NULL;
- CK_RV error = CKR_OK;
- OSStatus macErr;
-
- attrInfo.count = 1;
- attrInfo.tag = &itemAttr;
- attrInfo.format = &attrFormat;
-
- macErr = SecKeychainItemCopyAttributesAndData(io->u.item.itemRef,
- &attrInfo, NULL, &attrList, &len, &out);
- if (noErr != macErr) {
- CKMK_MACERR(dbString, macErr);
- return CKR_ATTRIBUTE_TYPE_INVALID;
- }
- dataLen = content ? len : attrList->attr->length;
- dataVal = content ? out : attrList->attr->data;
-
- /* Apple's documentation says this value is DER Encoded, but it clearly isn't
- * der encode it before we ship it back off to NSS
- */
- if (kSecSerialNumberItemAttr == itemAttr) {
- error = ckmk_encodeInt(item, dataVal, dataLen);
- goto loser; /* logically 'done' if error == CKR_OK */
- }
- item->data = nss_ZNEWARRAY(NULL, char, dataLen);
- if (NULL == item->data) {
- error = CKR_HOST_MEMORY;
- goto loser;
- }
- nsslibc_memcpy(item->data, dataVal, dataLen);
- item->size = dataLen;
-
-loser:
- SecKeychainItemFreeAttributesAndData(attrList, out);
- return error;
-}
-
-/*
- * change an attribute (does not operate on the content).
- */
-static CK_RV
-ckmk_updateAttribute(
- SecKeychainItemRef itemRef,
- SecItemAttr itemAttr,
- void *data,
- PRUint32 len,
- char *dbString)
-{
- SecKeychainAttributeList attrList;
- SecKeychainAttribute attrAttr;
- OSStatus macErr;
- CK_RV error = CKR_OK;
-
- attrList.count = 1;
- attrList.attr = &attrAttr;
- attrAttr.tag = itemAttr;
- attrAttr.data = data;
- attrAttr.length = len;
- macErr = SecKeychainItemModifyAttributesAndData(itemRef, &attrList, 0, NULL);
- if (noErr != macErr) {
- CKMK_MACERR(dbString, macErr);
- error = CKR_ATTRIBUTE_TYPE_INVALID;
- }
- return error;
-}
-
-/*
- * get an attribute (does not operate on the content)
- */
-static CK_RV
-ckmk_GetDataAttribute(
- ckmkInternalObject *io,
- SecItemAttr itemAttr,
- NSSItem *item,
- char *dbString)
-{
- return ckmk_GetCommonAttribute(io, itemAttr, PR_FALSE, item, dbString);
-}
-
-/*
- * get an attribute we know is a BOOL.
- */
-static CK_RV
-ckmk_GetBoolAttribute(
- ckmkInternalObject *io,
- SecItemAttr itemAttr,
- NSSItem *item,
- char *dbString)
-{
- SecKeychainAttribute attr;
- SecKeychainAttributeList attrList;
- CK_BBOOL *boolp = NULL;
- PRUint32 len = 0;
- ;
- void *out = NULL;
- CK_RV error = CKR_OK;
- OSStatus macErr;
-
- attr.tag = itemAttr;
- attr.length = 0;
- attr.data = NULL;
- attrList.count = 1;
- attrList.attr = &attr;
-
- boolp = nss_ZNEW(NULL, CK_BBOOL);
- if ((CK_BBOOL *)NULL == boolp) {
- error = CKR_HOST_MEMORY;
- goto loser;
- }
-
- macErr = SecKeychainItemCopyContent(io->u.item.itemRef, NULL,
- &attrList, &len, &out);
- if (noErr != macErr) {
- CKMK_MACERR(dbString, macErr);
- error = CKR_ATTRIBUTE_TYPE_INVALID;
- goto loser;
- }
- if (sizeof(PRUint32) != attr.length) {
- error = CKR_ATTRIBUTE_TYPE_INVALID;
- goto loser;
- }
- *boolp = *(PRUint32 *)attr.data ? 1 : 0;
- item->data = boolp;
- boolp = NULL;
- item->size = sizeof(CK_BBOOL);
-
-loser:
- nss_ZFreeIf(boolp);
- SecKeychainItemFreeContent(&attrList, out);
- return error;
-}
-
-/*
- * macros for fetching attributes into a cache and returning the
- * appropriate value. These operate inside switch statements
- */
-#define CKMK_HANDLE_ITEM(func, io, type, loc, item, error, str) \
- if (0 == (item)->loc.size) { \
- error = func(io, type, &(item)->loc, str); \
- } \
- return (CKR_OK == (error)) ? &(item)->loc : NULL;
-
-#define CKMK_HANDLE_OPT_ITEM(func, io, type, loc, item, error, str) \
- if (0 == (item)->loc.size) { \
- (void)func(io, type, &(item)->loc, str); \
- } \
- return &(item)->loc;
-
-#define CKMK_HANDLE_BOOL_ITEM(io, type, loc, item, error, str) \
- CKMK_HANDLE_ITEM(ckmk_GetBoolAttribute, io, type, loc, item, error, str)
-#define CKMK_HANDLE_DATA_ITEM(io, type, loc, item, error, str) \
- CKMK_HANDLE_ITEM(ckmk_GetDataAttribute, io, type, loc, item, error, str)
-#define CKMK_HANDLE_OPT_DATA_ITEM(io, type, loc, item, error, str) \
- CKMK_HANDLE_OPT_ITEM(ckmk_GetDataAttribute, io, type, loc, item, error, str)
-
-/*
- * fetch the unique identifier for each object type.
- */
-static void
-ckmk_FetchHashKey(
- ckmkInternalObject *io)
-{
- NSSItem *key = &io->hashKey;
-
- if (io->objClass == CKO_CERTIFICATE) {
- ckmk_GetCommonAttribute(io, kSecCertEncodingItemAttr,
- PR_TRUE, key, "Fetching HashKey (cert)");
- } else {
- ckmk_GetCommonAttribute(io, kSecKeyLabel,
- PR_FALSE, key, "Fetching HashKey (key)");
- }
-}
-
-/*
- * Apple mucks with the actual subject and issuer, so go fetch
- * the real ones ourselves.
- */
-static void
-ckmk_fetchCert(
- ckmkInternalObject *io)
-{
- CK_RV error;
- unsigned char *cert, *next;
- int certSize, thisEntrySize;
-
- error = ckmk_GetCommonAttribute(io, kSecCertEncodingItemAttr, PR_TRUE,
- &io->u.item.derCert, "Fetching Value (cert)");
- if (CKR_OK != error) {
- return;
- }
- /* unwrap the cert bundle */
- cert = nss_ckmk_DERUnwrap((unsigned char *)io->u.item.derCert.data,
- io->u.item.derCert.size,
- &certSize, NULL);
- /* unwrap the cert itself */
- /* cert == certdata */
- cert = nss_ckmk_DERUnwrap(cert, certSize, &certSize, NULL);
-
- /* skip the optional version */
- if ((cert[0] & 0xa0) == 0xa0) {
- nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next);
- certSize -= next - cert;
- cert = next;
- }
- /* skip the serial number */
- nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next);
- certSize -= next - cert;
- cert = next;
-
- /* skip the OID */
- nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next);
- certSize -= next - cert;
- cert = next;
-
- /* save the (wrapped) issuer */
- io->u.item.issuer.data = cert;
- nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next);
- io->u.item.issuer.size = next - cert;
- certSize -= io->u.item.issuer.size;
- cert = next;
-
- /* skip the OID */
- nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next);
- certSize -= next - cert;
- cert = next;
-
- /* save the (wrapped) subject */
- io->u.item.subject.data = cert;
- nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next);
- io->u.item.subject.size = next - cert;
- certSize -= io->u.item.subject.size;
- cert = next;
-}
-
-static void
-ckmk_fetchModulus(
- ckmkInternalObject *io)
-{
- NSSItem item;
- PRInt32 modLen;
- CK_RV error;
-
- /* we can't reliably get the modulus for private keys through CSSM (sigh).
- * For NSS this is OK because we really only use this to get the modulus
- * length (unless we are trying to get a public key from a private keys,
- * something CSSM ALSO does not do!).
- */
- error = ckmk_GetDataAttribute(io, kSecKeyKeySizeInBits, &item,
- "Key Fetch Modulus");
- if (CKR_OK != error) {
- return;
- }
-
- modLen = *(PRInt32 *)item.data;
- modLen = modLen / 8; /* convert from bits to bytes */
-
- nss_ZFreeIf(item.data);
- io->u.item.modulus.data = nss_ZNEWARRAY(NULL, char, modLen);
- if (NULL == io->u.item.modulus.data) {
- return;
- }
- *(char *)io->u.item.modulus.data = 0x80; /* fake NSS out or it will
- * drop the first byte */
- io->u.item.modulus.size = modLen;
- return;
-}
-
-const NSSItem *
-ckmk_FetchCertAttribute(
- ckmkInternalObject *io,
- CK_ATTRIBUTE_TYPE type,
- CK_RV *pError)
-{
- ckmkItemObject *item = &io->u.item;
- *pError = CKR_OK;
- switch (type) {
- case CKA_CLASS:
- return &ckmk_certClassItem;
- case CKA_TOKEN:
- case CKA_MODIFIABLE:
- return &ckmk_trueItem;
- case CKA_PRIVATE:
- return &ckmk_falseItem;
- case CKA_CERTIFICATE_TYPE:
- return &ckmk_x509Item;
- case CKA_LABEL:
- CKMK_HANDLE_OPT_DATA_ITEM(io, kSecLabelItemAttr, label, item, *pError,
- "Cert:Label attr")
- case CKA_SUBJECT:
- /* OK, well apple does provide an subject and issuer attribute, but they
- * decided to cannonicalize that value. Probably a good move for them,
- * but makes it useless for most users of PKCS #11.. Get the real subject
- * from the certificate */
- if (0 == item->derCert.size) {
- ckmk_fetchCert(io);
- }
- return &item->subject;
- case CKA_ISSUER:
- if (0 == item->derCert.size) {
- ckmk_fetchCert(io);
- }
- return &item->issuer;
- case CKA_SERIAL_NUMBER:
- CKMK_HANDLE_DATA_ITEM(io, kSecSerialNumberItemAttr, serial, item, *pError,
- "Cert:Serial Number attr")
- case CKA_VALUE:
- if (0 == item->derCert.size) {
- ckmk_fetchCert(io);
- }
- return &item->derCert;
- case CKA_ID:
- CKMK_HANDLE_OPT_DATA_ITEM(io, kSecPublicKeyHashItemAttr, id, item, *pError,
- "Cert:ID attr")
- default:
- *pError = CKR_ATTRIBUTE_TYPE_INVALID;
- break;
- }
- return NULL;
-}
-
-const NSSItem *
-ckmk_FetchPubKeyAttribute(
- ckmkInternalObject *io,
- CK_ATTRIBUTE_TYPE type,
- CK_RV *pError)
-{
- ckmkItemObject *item = &io->u.item;
- *pError = CKR_OK;
-
- switch (type) {
- case CKA_CLASS:
- return &ckmk_pubKeyClassItem;
- case CKA_TOKEN:
- case CKA_LOCAL:
- return &ckmk_trueItem;
- case CKA_KEY_TYPE:
- return &ckmk_rsaItem;
- case CKA_LABEL:
- CKMK_HANDLE_OPT_DATA_ITEM(io, kSecKeyPrintName, label, item, *pError,
- "PubKey:Label attr")
- case CKA_ENCRYPT:
- CKMK_HANDLE_BOOL_ITEM(io, kSecKeyEncrypt, encrypt, item, *pError,
- "PubKey:Encrypt attr")
- case CKA_VERIFY:
- CKMK_HANDLE_BOOL_ITEM(io, kSecKeyVerify, verify, item, *pError,
- "PubKey:Verify attr")
- case CKA_VERIFY_RECOVER:
- CKMK_HANDLE_BOOL_ITEM(io, kSecKeyVerifyRecover, verifyRecover,
- item, *pError, "PubKey:VerifyRecover attr")
- case CKA_PRIVATE:
- CKMK_HANDLE_BOOL_ITEM(io, kSecKeyPrivate, private, item, *pError,
- "PubKey:Private attr")
- case CKA_MODIFIABLE:
- CKMK_HANDLE_BOOL_ITEM(io, kSecKeyModifiable, modify, item, *pError,
- "PubKey:Modify attr")
- case CKA_DERIVE:
- CKMK_HANDLE_BOOL_ITEM(io, kSecKeyDerive, derive, item, *pError,
- "PubKey:Derive attr")
- case CKA_WRAP:
- CKMK_HANDLE_BOOL_ITEM(io, kSecKeyWrap, wrap, item, *pError,
- "PubKey:Wrap attr")
- case CKA_SUBJECT:
- CKMK_HANDLE_OPT_DATA_ITEM(io, kSecSubjectItemAttr, subject, item, *pError,
- "PubKey:Subect attr")
- case CKA_MODULUS:
- return &ckmk_emptyItem;
- case CKA_PUBLIC_EXPONENT:
- return &ckmk_emptyItem;
- case CKA_ID:
- CKMK_HANDLE_OPT_DATA_ITEM(io, kSecKeyLabel, id, item, *pError,
- "PubKey:ID attr")
- default:
- *pError = CKR_ATTRIBUTE_TYPE_INVALID;
- break;
- }
- return NULL;
-}
-
-const NSSItem *
-ckmk_FetchPrivKeyAttribute(
- ckmkInternalObject *io,
- CK_ATTRIBUTE_TYPE type,
- CK_RV *pError)
-{
- ckmkItemObject *item = &io->u.item;
- *pError = CKR_OK;
-
- switch (type) {
- case CKA_CLASS:
- return &ckmk_privKeyClassItem;
- case CKA_TOKEN:
- case CKA_LOCAL:
- return &ckmk_trueItem;
- case CKA_SENSITIVE:
- case CKA_EXTRACTABLE: /* will probably move in the future */
- case CKA_ALWAYS_SENSITIVE:
- case CKA_NEVER_EXTRACTABLE:
- return &ckmk_falseItem;
- case CKA_KEY_TYPE:
- return &ckmk_rsaItem;
- case CKA_LABEL:
- CKMK_HANDLE_OPT_DATA_ITEM(io, kSecKeyPrintName, label, item, *pError,
- "PrivateKey:Label attr")
- case CKA_DECRYPT:
- CKMK_HANDLE_BOOL_ITEM(io, kSecKeyDecrypt, decrypt, item, *pError,
- "PrivateKey:Decrypt attr")
- case CKA_SIGN:
- CKMK_HANDLE_BOOL_ITEM(io, kSecKeySign, sign, item, *pError,
- "PrivateKey:Sign attr")
- case CKA_SIGN_RECOVER:
- CKMK_HANDLE_BOOL_ITEM(io, kSecKeySignRecover, signRecover, item, *pError,
- "PrivateKey:Sign Recover attr")
- case CKA_PRIVATE:
- CKMK_HANDLE_BOOL_ITEM(io, kSecKeyPrivate, private, item, *pError,
- "PrivateKey:Private attr")
- case CKA_MODIFIABLE:
- CKMK_HANDLE_BOOL_ITEM(io, kSecKeyModifiable, modify, item, *pError,
- "PrivateKey:Modify attr")
- case CKA_DERIVE:
- CKMK_HANDLE_BOOL_ITEM(io, kSecKeyDerive, derive, item, *pError,
- "PrivateKey:Derive attr")
- case CKA_UNWRAP:
- CKMK_HANDLE_BOOL_ITEM(io, kSecKeyUnwrap, unwrap, item, *pError,
- "PrivateKey:Unwrap attr")
- case CKA_SUBJECT:
- CKMK_HANDLE_OPT_DATA_ITEM(io, kSecSubjectItemAttr, subject, item, *pError,
- "PrivateKey:Subject attr")
- case CKA_MODULUS:
- if (0 == item->modulus.size) {
- ckmk_fetchModulus(io);
- }
- return &item->modulus;
- case CKA_PUBLIC_EXPONENT:
- return &ckmk_emptyItem;
-#ifdef notdef
- /* the following are sensitive attributes. We could implement them for
- * sensitive keys using the key export function, but it's better to
- * just support wrap through this token. That will more reliably allow us
- * to export any private key that is truly exportable.
- */
- case CKA_PRIVATE_EXPONENT:
- CKMK_HANDLE_DATA_ITEM(io, kSecPrivateExponentItemAttr, privateExponent,
- item, *pError)
- case CKA_PRIME_1:
- CKMK_HANDLE_DATA_ITEM(io, kSecPrime1ItemAttr, prime1, item, *pError)
- case CKA_PRIME_2:
- CKMK_HANDLE_DATA_ITEM(io, kSecPrime2ItemAttr, prime2, item, *pError)
- case CKA_EXPONENT_1:
- CKMK_HANDLE_DATA_ITEM(io, kSecExponent1ItemAttr, exponent1, item, *pError)
- case CKA_EXPONENT_2:
- CKMK_HANDLE_DATA_ITEM(io, kSecExponent2ItemAttr, exponent2, item, *pError)
- case CKA_COEFFICIENT:
- CKMK_HANDLE_DATA_ITEM(io, kSecCoefficientItemAttr, coefficient,
- item, *pError)
-#endif
- case CKA_ID:
- CKMK_HANDLE_OPT_DATA_ITEM(io, kSecKeyLabel, id, item, *pError,
- "PrivateKey:ID attr")
- default:
- *pError = CKR_ATTRIBUTE_TYPE_INVALID;
- return NULL;
- }
-}
-
-const NSSItem *
-nss_ckmk_FetchAttribute(
- ckmkInternalObject *io,
- CK_ATTRIBUTE_TYPE type,
- CK_RV *pError)
-{
- CK_ULONG i;
- const NSSItem *value = NULL;
-
- if (io->type == ckmkRaw) {
- for (i = 0; i < io->u.raw.n; i++) {
- if (type == io->u.raw.types[i]) {
- return &io->u.raw.items[i];
- }
- }
- *pError = CKR_ATTRIBUTE_TYPE_INVALID;
- return NULL;
- }
- /* deal with the common attributes */
- switch (io->objClass) {
- case CKO_CERTIFICATE:
- value = ckmk_FetchCertAttribute(io, type, pError);
- break;
- case CKO_PRIVATE_KEY:
- value = ckmk_FetchPrivKeyAttribute(io, type, pError);
- break;
- case CKO_PUBLIC_KEY:
- value = ckmk_FetchPubKeyAttribute(io, type, pError);
- break;
- default:
- *pError = CKR_OBJECT_HANDLE_INVALID;
- return NULL;
- }
-
-#ifdef DEBUG
- if (CKA_ID == type) {
- itemdump("id: ", value->data, value->size, *pError);
- }
-#endif
- return value;
-}
-
-static void
-ckmk_removeObjectFromHash(
- ckmkInternalObject *io);
-
-/*
- *
- * These are the MSObject functions we need to implement
- *
- * Finalize - unneeded (actually we should clean up the hashtables)
- * Destroy
- * IsTokenObject - CK_TRUE
- * GetAttributeCount
- * GetAttributeTypes
- * GetAttributeSize
- * GetAttribute
- * SetAttribute
- * GetObjectSize
- */
-
-static CK_RV
-ckmk_mdObject_Destroy(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance)
-{
- ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc;
- OSStatus macErr;
-
- if (ckmkRaw == io->type) {
- /* there is not 'object write protected' error, use the next best thing */
- return CKR_TOKEN_WRITE_PROTECTED;
- }
-
- /* This API is done well. The following 4 lines are the complete apple
- * specific part of this implementation */
- macErr = SecKeychainItemDelete(io->u.item.itemRef);
- if (noErr != macErr) {
- CKMK_MACERR("Delete object", macErr);
- }
-
- /* remove it from the hash */
- ckmk_removeObjectFromHash(io);
-
- /* free the puppy.. */
- nss_ckmk_DestroyInternalObject(io);
-
- return CKR_OK;
-}
-
-static CK_BBOOL
-ckmk_mdObject_IsTokenObject(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance)
-{
- return CK_TRUE;
-}
-
-static CK_ULONG
-ckmk_mdObject_GetAttributeCount(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError)
-{
- ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc;
-
- if (ckmkRaw == io->type) {
- return io->u.raw.n;
- }
- switch (io->objClass) {
- case CKO_CERTIFICATE:
- return certAttrsCount;
- case CKO_PUBLIC_KEY:
- return pubKeyAttrsCount;
- case CKO_PRIVATE_KEY:
- return privKeyAttrsCount;
- default:
- break;
- }
- return 0;
-}
-
-static CK_RV
-ckmk_mdObject_GetAttributeTypes(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE_PTR typeArray,
- CK_ULONG ulCount)
-{
- ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc;
- CK_ULONG i;
- CK_RV error = CKR_OK;
- const CK_ATTRIBUTE_TYPE *attrs = NULL;
- CK_ULONG size = ckmk_mdObject_GetAttributeCount(
- mdObject, fwObject, mdSession, fwSession,
- mdToken, fwToken, mdInstance, fwInstance, &error);
-
- if (size != ulCount) {
- return CKR_BUFFER_TOO_SMALL;
- }
- if (io->type == ckmkRaw) {
- attrs = io->u.raw.types;
- } else
- switch (io->objClass) {
- case CKO_CERTIFICATE:
- attrs =
- certAttrs;
- break;
- case CKO_PUBLIC_KEY:
- attrs =
- pubKeyAttrs;
- break;
- case CKO_PRIVATE_KEY:
- attrs =
- privKeyAttrs;
- break;
- default:
- return CKR_OK;
- }
-
- for (i = 0; i < size; i++) {
- typeArray[i] = attrs[i];
- }
-
- return CKR_OK;
-}
-
-static CK_ULONG
-ckmk_mdObject_GetAttributeSize(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- CK_RV *pError)
-{
- ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc;
-
- const NSSItem *b;
-
- b = nss_ckmk_FetchAttribute(io, attribute, pError);
-
- if ((const NSSItem *)NULL == b) {
- return 0;
- }
- return b->size;
-}
-
-static CK_RV
-ckmk_mdObject_SetAttribute(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- NSSItem *value)
-{
- ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc;
- SecKeychainItemRef itemRef;
-
- if (io->type == ckmkRaw) {
- return CKR_TOKEN_WRITE_PROTECTED;
- }
- itemRef = io->u.item.itemRef;
-
- switch (io->objClass) {
- case CKO_PRIVATE_KEY:
- case CKO_PUBLIC_KEY:
- switch (attribute) {
- case CKA_ID:
- ckmk_updateAttribute(itemRef, kSecKeyLabel,
- value->data, value->size, "Set Attr Key ID");
-#ifdef DEBUG
- itemdump("key id: ", value->data, value->size, CKR_OK);
-#endif
- break;
- case CKA_LABEL:
- ckmk_updateAttribute(itemRef, kSecKeyPrintName, value->data,
- value->size, "Set Attr Key Label");
- break;
- default:
- break;
- }
- break;
-
- case CKO_CERTIFICATE:
- switch (attribute) {
- case CKA_ID:
- ckmk_updateAttribute(itemRef, kSecPublicKeyHashItemAttr,
- value->data, value->size, "Set Attr Cert ID");
- break;
- case CKA_LABEL:
- ckmk_updateAttribute(itemRef, kSecLabelItemAttr, value->data,
- value->size, "Set Attr Cert Label");
- break;
- default:
- break;
- }
- break;
-
- default:
- break;
- }
- return CKR_OK;
-}
-
-static NSSCKFWItem
-ckmk_mdObject_GetAttribute(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_TYPE attribute,
- CK_RV *pError)
-{
- NSSCKFWItem mdItem;
- ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc;
-
- mdItem.needsFreeing = PR_FALSE;
- mdItem.item = (NSSItem *)nss_ckmk_FetchAttribute(io, attribute, pError);
-
- return mdItem;
-}
-
-static CK_ULONG
-ckmk_mdObject_GetObjectSize(
- NSSCKMDObject *mdObject,
- NSSCKFWObject *fwObject,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError)
-{
- CK_ULONG rv = 1;
-
- /* size is irrelevant to this token */
- return rv;
-}
-
-static const NSSCKMDObject
- ckmk_prototype_mdObject = {
- (void *)NULL, /* etc */
- NULL, /* Finalize */
- ckmk_mdObject_Destroy,
- ckmk_mdObject_IsTokenObject,
- ckmk_mdObject_GetAttributeCount,
- ckmk_mdObject_GetAttributeTypes,
- ckmk_mdObject_GetAttributeSize,
- ckmk_mdObject_GetAttribute,
- NULL, /* FreeAttribute */
- ckmk_mdObject_SetAttribute,
- ckmk_mdObject_GetObjectSize,
- (void *)NULL /* null terminator */
- };
-
-static nssHash *ckmkInternalObjectHash = NULL;
-
-NSS_IMPLEMENT NSSCKMDObject *
-nss_ckmk_CreateMDObject(
- NSSArena *arena,
- ckmkInternalObject *io,
- CK_RV *pError)
-{
- if ((nssHash *)NULL == ckmkInternalObjectHash) {
- ckmkInternalObjectHash = nssHash_CreateItem(NULL, 10);
- }
- if (ckmkItem == io->type) {
- /* the hash key, not a cryptographic key */
- NSSItem *key = &io->hashKey;
- ckmkInternalObject *old_o = NULL;
-
- if (key->size == 0) {
- ckmk_FetchHashKey(io);
- }
- old_o = (ckmkInternalObject *)
- nssHash_Lookup(ckmkInternalObjectHash, key);
- if (!old_o) {
- nssHash_Add(ckmkInternalObjectHash, key, io);
- } else if (old_o != io) {
- nss_ckmk_DestroyInternalObject(io);
- io = old_o;
- }
- }
-
- if ((void *)NULL == io->mdObject.etc) {
- (void)nsslibc_memcpy(&io->mdObject, &ckmk_prototype_mdObject,
- sizeof(ckmk_prototype_mdObject));
- io->mdObject.etc = (void *)io;
- }
- return &io->mdObject;
-}
-
-static void
-ckmk_removeObjectFromHash(
- ckmkInternalObject *io)
-{
- NSSItem *key = &io->hashKey;
-
- if ((nssHash *)NULL == ckmkInternalObjectHash) {
- return;
- }
- if (key->size == 0) {
- ckmk_FetchHashKey(io);
- }
- nssHash_Remove(ckmkInternalObjectHash, key);
- return;
-}
-
-void
-nss_ckmk_DestroyInternalObject(
- ckmkInternalObject *io)
-{
- switch (io->type) {
- case ckmkRaw:
- return;
- case ckmkItem:
- nss_ZFreeIf(io->u.item.modify.data);
- nss_ZFreeIf(io->u.item.private.data);
- nss_ZFreeIf(io->u.item.encrypt.data);
- nss_ZFreeIf(io->u.item.decrypt.data);
- nss_ZFreeIf(io->u.item.derive.data);
- nss_ZFreeIf(io->u.item.sign.data);
- nss_ZFreeIf(io->u.item.signRecover.data);
- nss_ZFreeIf(io->u.item.verify.data);
- nss_ZFreeIf(io->u.item.verifyRecover.data);
- nss_ZFreeIf(io->u.item.wrap.data);
- nss_ZFreeIf(io->u.item.unwrap.data);
- nss_ZFreeIf(io->u.item.label.data);
- /*nss_ZFreeIf(io->u.item.subject.data); */
- /*nss_ZFreeIf(io->u.item.issuer.data); */
- nss_ZFreeIf(io->u.item.serial.data);
- nss_ZFreeIf(io->u.item.modulus.data);
- nss_ZFreeIf(io->u.item.exponent.data);
- nss_ZFreeIf(io->u.item.privateExponent.data);
- nss_ZFreeIf(io->u.item.prime1.data);
- nss_ZFreeIf(io->u.item.prime2.data);
- nss_ZFreeIf(io->u.item.exponent1.data);
- nss_ZFreeIf(io->u.item.exponent2.data);
- nss_ZFreeIf(io->u.item.coefficient.data);
- break;
- }
- nss_ZFreeIf(io);
- return;
-}
-
-static ckmkInternalObject *
-nss_ckmk_NewInternalObject(
- CK_OBJECT_CLASS objClass,
- SecKeychainItemRef itemRef,
- SecItemClass itemClass,
- CK_RV *pError)
-{
- ckmkInternalObject *io = nss_ZNEW(NULL, ckmkInternalObject);
-
- if ((ckmkInternalObject *)NULL == io) {
- *pError = CKR_HOST_MEMORY;
- return io;
- }
- io->type = ckmkItem;
- io->objClass = objClass;
- io->u.item.itemRef = itemRef;
- io->u.item.itemClass = itemClass;
- return io;
-}
-
-/*
- * Apple doesn't alway have a default keyChain set by the OS, use the
- * SearchList to try to find one.
- */
-static CK_RV
-ckmk_GetSafeDefaultKeychain(
- SecKeychainRef *keychainRef)
-{
- OSStatus macErr;
- CFArrayRef searchList = 0;
- CK_RV error = CKR_OK;
-
- macErr = SecKeychainCopyDefault(keychainRef);
- if (noErr != macErr) {
- int searchCount = 0;
- if (errSecNoDefaultKeychain != macErr) {
- CKMK_MACERR("Getting default key chain", macErr);
- error = CKR_GENERAL_ERROR;
- goto loser;
- }
- /* ok, we don't have a default key chain, find one */
- macErr = SecKeychainCopySearchList(&searchList);
- if (noErr != macErr) {
- CKMK_MACERR("failed to find a keyring searchList", macErr);
- error = CKR_DEVICE_REMOVED;
- goto loser;
- }
- searchCount = CFArrayGetCount(searchList);
- if (searchCount < 1) {
- error = CKR_DEVICE_REMOVED;
- goto loser;
- }
- *keychainRef =
- (SecKeychainRef)CFRetain(CFArrayGetValueAtIndex(searchList, 0));
- if (0 == *keychainRef) {
- error = CKR_DEVICE_REMOVED;
- goto loser;
- }
- /* should we set it as default? */
- }
-loser:
- if (0 != searchList) {
- CFRelease(searchList);
- }
- return error;
-}
-static ckmkInternalObject *
-nss_ckmk_CreateCertificate(
- NSSCKFWSession *fwSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError)
-{
- NSSItem value;
- ckmkInternalObject *io = NULL;
- OSStatus macErr;
- SecCertificateRef certRef;
- SecKeychainItemRef itemRef;
- SecKeychainRef keychainRef;
- CSSM_DATA certData;
-
- *pError = nss_ckmk_GetAttribute(CKA_VALUE, pTemplate,
- ulAttributeCount, &value);
- if (CKR_OK != *pError) {
- goto loser;
- }
-
- certData.Data = value.data;
- certData.Length = value.size;
- macErr = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3,
- CSSM_CERT_ENCODING_BER, &certRef);
- if (noErr != macErr) {
- CKMK_MACERR("Create cert from data Failed", macErr);
- *pError = CKR_GENERAL_ERROR; /* need to map macErr */
- goto loser;
- }
-
- *pError = ckmk_GetSafeDefaultKeychain(&keychainRef);
- if (CKR_OK != *pError) {
- goto loser;
- }
-
- macErr = SecCertificateAddToKeychain(certRef, keychainRef);
- itemRef = (SecKeychainItemRef)certRef;
- if (errSecDuplicateItem != macErr) {
- NSSItem keyID = { NULL, 0 };
- char *nickname = NULL;
- CK_RV dummy;
-
- if (noErr != macErr) {
- CKMK_MACERR("Add cert to keychain Failed", macErr);
- *pError = CKR_GENERAL_ERROR; /* need to map macErr */
- goto loser;
- }
- /* these two are optional */
- nickname = nss_ckmk_GetStringAttribute(CKA_LABEL, pTemplate,
- ulAttributeCount, &dummy);
- /* we've added a new one, update the attributes in the key ring */
- if (nickname) {
- ckmk_updateAttribute(itemRef, kSecLabelItemAttr, nickname,
- strlen(nickname) + 1, "Modify Cert Label");
- nss_ZFreeIf(nickname);
- }
- dummy = nss_ckmk_GetAttribute(CKA_ID, pTemplate,
- ulAttributeCount, &keyID);
- if (CKR_OK == dummy) {
- dummy = ckmk_updateAttribute(itemRef, kSecPublicKeyHashItemAttr,
- keyID.data, keyID.size, "Modify Cert ID");
- }
- }
-
- io = nss_ckmk_NewInternalObject(CKO_CERTIFICATE, itemRef,
- kSecCertificateItemClass, pError);
- if ((ckmkInternalObject *)NULL != io) {
- itemRef = 0;
- }
-
-loser:
- if (0 != itemRef) {
- CFRelease(itemRef);
- }
- if (0 != keychainRef) {
- CFRelease(keychainRef);
- }
-
- return io;
-}
-
-/*
- * PKCS #8 attributes
- */
-struct ckmk_AttributeStr {
- SECItem attrType;
- SECItem *attrValue;
-};
-typedef struct ckmk_AttributeStr ckmk_Attribute;
-
-/*
- ** A PKCS#8 private key info object
- */
-struct PrivateKeyInfoStr {
- PLArenaPool *arena;
- SECItem version;
- SECAlgorithmID algorithm;
- SECItem privateKey;
- ckmk_Attribute **attributes;
-};
-typedef struct PrivateKeyInfoStr PrivateKeyInfo;
-
-const SEC_ASN1Template ckmk_RSAPrivateKeyTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(RSAPrivateKey) },
- { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, version) },
- { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, modulus) },
- { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, publicExponent) },
- { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, privateExponent) },
- { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, prime1) },
- { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, prime2) },
- { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, exponent1) },
- { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, exponent2) },
- { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey, coefficient) },
- { 0 }
-};
-
-const SEC_ASN1Template ckmk_AttributeTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ckmk_Attribute) },
- { SEC_ASN1_OBJECT_ID, offsetof(ckmk_Attribute, attrType) },
- { SEC_ASN1_SET_OF, offsetof(ckmk_Attribute, attrValue),
- SEC_AnyTemplate },
- { 0 }
-};
-
-const SEC_ASN1Template ckmk_SetOfAttributeTemplate[] = {
- { SEC_ASN1_SET_OF, 0, ckmk_AttributeTemplate },
-};
-
-SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
-
-/* ASN1 Templates for new decoder/encoder */
-const SEC_ASN1Template ckmk_PrivateKeyInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PrivateKeyInfo) },
- { SEC_ASN1_INTEGER, offsetof(PrivateKeyInfo, version) },
- { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(PrivateKeyInfo, algorithm),
- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
- { SEC_ASN1_OCTET_STRING, offsetof(PrivateKeyInfo, privateKey) },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(PrivateKeyInfo, attributes), ckmk_SetOfAttributeTemplate },
- { 0 }
-};
-
-#define CKMK_PRIVATE_KEY_INFO_VERSION 0
-static CK_RV
-ckmk_CreateRSAKeyBlob(
- RSAPrivateKey *lk,
- NSSItem *keyBlob)
-{
- PrivateKeyInfo *pki = NULL;
- PLArenaPool *arena = NULL;
- SECOidTag algorithm = SEC_OID_UNKNOWN;
- void *dummy;
- SECStatus rv;
- SECItem *encodedKey = NULL;
- CK_RV error = CKR_OK;
-
- arena = PORT_NewArena(2048); /* XXX different size? */
- if (!arena) {
- error = CKR_HOST_MEMORY;
- goto loser;
- }
-
- pki = (PrivateKeyInfo *)PORT_ArenaZAlloc(arena, sizeof(PrivateKeyInfo));
- if (!pki) {
- error = CKR_HOST_MEMORY;
- goto loser;
- }
- pki->arena = arena;
-
- dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
- ckmk_RSAPrivateKeyTemplate);
- algorithm = SEC_OID_PKCS1_RSA_ENCRYPTION;
-
- if (!dummy) {
- error = CKR_DEVICE_ERROR; /* should map NSS SECError */
- goto loser;
- }
-
- rv = SECOID_SetAlgorithmID(arena, &pki->algorithm, algorithm,
- (SECItem *)NULL);
- if (rv != SECSuccess) {
- error = CKR_DEVICE_ERROR; /* should map NSS SECError */
- goto loser;
- }
-
- dummy = SEC_ASN1EncodeInteger(arena, &pki->version,
- CKMK_PRIVATE_KEY_INFO_VERSION);
- if (!dummy) {
- error = CKR_DEVICE_ERROR; /* should map NSS SECError */
- goto loser;
- }
-
- encodedKey = SEC_ASN1EncodeItem(NULL, NULL, pki,
- ckmk_PrivateKeyInfoTemplate);
- if (!encodedKey) {
- error = CKR_DEVICE_ERROR;
- goto loser;
- }
-
- keyBlob->data = nss_ZNEWARRAY(NULL, char, encodedKey->len);
- if (NULL == keyBlob->data) {
- error = CKR_HOST_MEMORY;
- goto loser;
- }
- nsslibc_memcpy(keyBlob->data, encodedKey->data, encodedKey->len);
- keyBlob->size = encodedKey->len;
-
-loser:
- if (arena) {
- PORT_FreeArena(arena, PR_TRUE);
- }
- if (encodedKey) {
- SECITEM_FreeItem(encodedKey, PR_TRUE);
- }
-
- return error;
-}
-/*
- * There MUST be a better way to do this. For now, find the key based on the
- * default name Apple gives it once we import.
- */
-#define IMPORTED_NAME "Imported Private Key"
-static CK_RV
-ckmk_FindImportedKey(
- SecKeychainRef keychainRef,
- SecItemClass itemClass,
- SecKeychainItemRef *outItemRef)
-{
- OSStatus macErr;
- SecKeychainSearchRef searchRef = 0;
- SecKeychainItemRef newItemRef;
-
- macErr = SecKeychainSearchCreateFromAttributes(keychainRef, itemClass,
- NULL, &searchRef);
- if (noErr != macErr) {
- CKMK_MACERR("Can't search for Key", macErr);
- return CKR_GENERAL_ERROR;
- }
- while (noErr == SecKeychainSearchCopyNext(searchRef, &newItemRef)) {
- SecKeychainAttributeList *attrList = NULL;
- SecKeychainAttributeInfo attrInfo;
- SecItemAttr itemAttr = kSecKeyPrintName;
- PRUint32 attrFormat = 0;
- OSStatus macErr;
-
- attrInfo.count = 1;
- attrInfo.tag = &itemAttr;
- attrInfo.format = &attrFormat;
-
- macErr = SecKeychainItemCopyAttributesAndData(newItemRef,
- &attrInfo, NULL, &attrList, NULL, NULL);
- if (noErr == macErr) {
- if (nsslibc_memcmp(attrList->attr->data, IMPORTED_NAME,
- attrList->attr->length, NULL) == 0) {
- *outItemRef = newItemRef;
- CFRelease(searchRef);
- SecKeychainItemFreeAttributesAndData(attrList, NULL);
- return CKR_OK;
- }
- SecKeychainItemFreeAttributesAndData(attrList, NULL);
- }
- CFRelease(newItemRef);
- }
- CFRelease(searchRef);
- return CKR_GENERAL_ERROR; /* we can come up with something better! */
-}
-
-static ckmkInternalObject *
-nss_ckmk_CreatePrivateKey(
- NSSCKFWSession *fwSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError)
-{
- NSSItem attribute;
- RSAPrivateKey lk;
- NSSItem keyID;
- char *nickname = NULL;
- ckmkInternalObject *io = NULL;
- CK_KEY_TYPE keyType;
- OSStatus macErr;
- SecKeychainItemRef itemRef = 0;
- NSSItem keyBlob = { NULL, 0 };
- CFDataRef dataRef = 0;
- SecExternalFormat inputFormat = kSecFormatBSAFE;
- /*SecExternalFormat inputFormat = kSecFormatOpenSSL; */
- SecExternalItemType itemType = kSecItemTypePrivateKey;
- SecKeyImportExportParameters keyParams;
- SecKeychainRef targetKeychain = 0;
- unsigned char zero = 0;
- CK_RV error;
-
- keyParams.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
- keyParams.flags = 0;
- keyParams.passphrase = 0;
- keyParams.alertTitle = 0;
- keyParams.alertPrompt = 0;
- keyParams.accessRef = 0; /* default */
- keyParams.keyUsage = 0; /* will get filled in */
- keyParams.keyAttributes = CSSM_KEYATTR_PERMANENT; /* will get filled in */
- keyType = nss_ckmk_GetULongAttribute(CKA_KEY_TYPE, pTemplate, ulAttributeCount, pError);
- if (CKR_OK != *pError) {
- return (ckmkInternalObject *)NULL;
- }
- if (CKK_RSA != keyType) {
- *pError = CKR_ATTRIBUTE_VALUE_INVALID;
- return (ckmkInternalObject *)NULL;
- }
- if (nss_ckmk_GetBoolAttribute(CKA_DECRYPT,
- pTemplate, ulAttributeCount, CK_TRUE)) {
- keyParams.keyUsage |= CSSM_KEYUSE_DECRYPT;
- }
- if (nss_ckmk_GetBoolAttribute(CKA_UNWRAP,
- pTemplate, ulAttributeCount, CK_TRUE)) {
- keyParams.keyUsage |= CSSM_KEYUSE_UNWRAP;
- }
- if (nss_ckmk_GetBoolAttribute(CKA_SIGN,
- pTemplate, ulAttributeCount, CK_TRUE)) {
- keyParams.keyUsage |= CSSM_KEYUSE_SIGN;
- }
- if (nss_ckmk_GetBoolAttribute(CKA_DERIVE,
- pTemplate, ulAttributeCount, CK_FALSE)) {
- keyParams.keyUsage |= CSSM_KEYUSE_DERIVE;
- }
- if (nss_ckmk_GetBoolAttribute(CKA_SENSITIVE,
- pTemplate, ulAttributeCount, CK_TRUE)) {
- keyParams.keyAttributes |= CSSM_KEYATTR_SENSITIVE;
- }
- if (nss_ckmk_GetBoolAttribute(CKA_EXTRACTABLE,
- pTemplate, ulAttributeCount, CK_TRUE)) {
- keyParams.keyAttributes |= CSSM_KEYATTR_EXTRACTABLE;
- }
-
- lk.version.type = siUnsignedInteger;
- lk.version.data = &zero;
- lk.version.len = 1;
-
- *pError = nss_ckmk_GetAttribute(CKA_MODULUS, pTemplate,
- ulAttributeCount, &attribute);
- if (CKR_OK != *pError) {
- return (ckmkInternalObject *)NULL;
- }
- lk.modulus.type = siUnsignedInteger;
- lk.modulus.data = attribute.data;
- lk.modulus.len = attribute.size;
-
- *pError = nss_ckmk_GetAttribute(CKA_PUBLIC_EXPONENT, pTemplate,
- ulAttributeCount, &attribute);
- if (CKR_OK != *pError) {
- return (ckmkInternalObject *)NULL;
- }
- lk.publicExponent.type = siUnsignedInteger;
- lk.publicExponent.data = attribute.data;
- lk.publicExponent.len = attribute.size;
-
- *pError = nss_ckmk_GetAttribute(CKA_PRIVATE_EXPONENT, pTemplate,
- ulAttributeCount, &attribute);
- if (CKR_OK != *pError) {
- return (ckmkInternalObject *)NULL;
- }
- lk.privateExponent.type = siUnsignedInteger;
- lk.privateExponent.data = attribute.data;
- lk.privateExponent.len = attribute.size;
-
- *pError = nss_ckmk_GetAttribute(CKA_PRIME_1, pTemplate,
- ulAttributeCount, &attribute);
- if (CKR_OK != *pError) {
- return (ckmkInternalObject *)NULL;
- }
- lk.prime1.type = siUnsignedInteger;
- lk.prime1.data = attribute.data;
- lk.prime1.len = attribute.size;
-
- *pError = nss_ckmk_GetAttribute(CKA_PRIME_2, pTemplate,
- ulAttributeCount, &attribute);
- if (CKR_OK != *pError) {
- return (ckmkInternalObject *)NULL;
- }
- lk.prime2.type = siUnsignedInteger;
- lk.prime2.data = attribute.data;
- lk.prime2.len = attribute.size;
-
- *pError = nss_ckmk_GetAttribute(CKA_EXPONENT_1, pTemplate,
- ulAttributeCount, &attribute);
- if (CKR_OK != *pError) {
- return (ckmkInternalObject *)NULL;
- }
- lk.exponent1.type = siUnsignedInteger;
- lk.exponent1.data = attribute.data;
- lk.exponent1.len = attribute.size;
-
- *pError = nss_ckmk_GetAttribute(CKA_EXPONENT_2, pTemplate,
- ulAttributeCount, &attribute);
- if (CKR_OK != *pError) {
- return (ckmkInternalObject *)NULL;
- }
- lk.exponent2.type = siUnsignedInteger;
- lk.exponent2.data = attribute.data;
- lk.exponent2.len = attribute.size;
-
- *pError = nss_ckmk_GetAttribute(CKA_COEFFICIENT, pTemplate,
- ulAttributeCount, &attribute);
- if (CKR_OK != *pError) {
- return (ckmkInternalObject *)NULL;
- }
- lk.coefficient.type = siUnsignedInteger;
- lk.coefficient.data = attribute.data;
- lk.coefficient.len = attribute.size;
-
- /* ASN1 Encode the pkcs8 structure... look at softoken to see how this
- * is done... */
- error = ckmk_CreateRSAKeyBlob(&lk, &keyBlob);
- if (CKR_OK != error) {
- goto loser;
- }
-
- dataRef = CFDataCreate(NULL, (UInt8 *)keyBlob.data, keyBlob.size);
- if (0 == dataRef) {
- *pError = CKR_HOST_MEMORY;
- goto loser;
- }
-
- *pError == ckmk_GetSafeDefaultKeychain(&targetKeychain);
- if (CKR_OK != *pError) {
- goto loser;
- }
-
- /* the itemArray that is returned is useless. the item does not
- * is 'not on the key chain' so none of the modify calls work on it.
- * It also has a key that isn't the same key as the one in the actual
- * key chain. In short it isn't the item we want, and it gives us zero
- * information about the item we want, so don't even bother with it...
- */
- macErr = SecKeychainItemImport(dataRef, NULL, &inputFormat, &itemType, 0,
- &keyParams, targetKeychain, NULL);
- if (noErr != macErr) {
- CKMK_MACERR("Import Private Key", macErr);
- *pError = CKR_GENERAL_ERROR;
- goto loser;
- }
-
- *pError = ckmk_FindImportedKey(targetKeychain,
- CSSM_DL_DB_RECORD_PRIVATE_KEY,
- &itemRef);
- if (CKR_OK != *pError) {
-#ifdef DEBUG
- fprintf(stderr, "couldn't find key in keychain \n");
-#endif
- goto loser;
- }
-
- /* set the CKA_ID and the CKA_LABEL */
- error = nss_ckmk_GetAttribute(CKA_ID, pTemplate,
- ulAttributeCount, &keyID);
- if (CKR_OK == error) {
- error = ckmk_updateAttribute(itemRef, kSecKeyLabel,
- keyID.data, keyID.size, "Modify Key ID");
-#ifdef DEBUG
- itemdump("key id: ", keyID.data, keyID.size, error);
-#endif
- }
- nickname = nss_ckmk_GetStringAttribute(CKA_LABEL, pTemplate,
- ulAttributeCount, &error);
- if (nickname) {
- ckmk_updateAttribute(itemRef, kSecKeyPrintName, nickname,
- strlen(nickname) + 1, "Modify Key Label");
- } else {
-#define DEFAULT_NICKNAME "NSS Imported Key"
- ckmk_updateAttribute(itemRef, kSecKeyPrintName, DEFAULT_NICKNAME,
- sizeof(DEFAULT_NICKNAME), "Modify Key Label");
- }
-
- io = nss_ckmk_NewInternalObject(CKO_PRIVATE_KEY, itemRef,
- CSSM_DL_DB_RECORD_PRIVATE_KEY, pError);
- if ((ckmkInternalObject *)NULL == io) {
- CFRelease(itemRef);
- }
-
- return io;
-
-loser:
- /* free the key blob */
- if (keyBlob.data) {
- nss_ZFreeIf(keyBlob.data);
- }
- if (0 != targetKeychain) {
- CFRelease(targetKeychain);
- }
- if (0 != dataRef) {
- CFRelease(dataRef);
- }
- return io;
-}
-
-NSS_EXTERN NSSCKMDObject *
-nss_ckmk_CreateObject(
- NSSCKFWSession *fwSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError)
-{
- CK_OBJECT_CLASS objClass;
- ckmkInternalObject *io = NULL;
- CK_BBOOL isToken;
-
- /*
- * only create token objects
- */
- isToken = nss_ckmk_GetBoolAttribute(CKA_TOKEN, pTemplate,
- ulAttributeCount, CK_FALSE);
- if (!isToken) {
- *pError = CKR_ATTRIBUTE_VALUE_INVALID;
- return (NSSCKMDObject *)NULL;
- }
-
- /*
- * only create keys and certs.
- */
- objClass = nss_ckmk_GetULongAttribute(CKA_CLASS, pTemplate,
- ulAttributeCount, pError);
- if (CKR_OK != *pError) {
- return (NSSCKMDObject *)NULL;
- }
-#ifdef notdef
- if (objClass == CKO_PUBLIC_KEY) {
- return CKR_OK; /* fake public key creation, happens as a side effect of
- * private key creation */
- }
-#endif
- if (objClass == CKO_CERTIFICATE) {
- io = nss_ckmk_CreateCertificate(fwSession, pTemplate,
- ulAttributeCount, pError);
- } else if (objClass == CKO_PRIVATE_KEY) {
- io = nss_ckmk_CreatePrivateKey(fwSession, pTemplate,
- ulAttributeCount, pError);
- } else {
- *pError = CKR_ATTRIBUTE_VALUE_INVALID;
- }
-
- if ((ckmkInternalObject *)NULL == io) {
- return (NSSCKMDObject *)NULL;
- }
- return nss_ckmk_CreateMDObject(NULL, io, pError);
-}
diff --git a/security/nss/lib/ckfw/nssmkey/mrsa.c b/security/nss/lib/ckfw/nssmkey/mrsa.c
deleted file mode 100644
index 00175b47a8..0000000000
--- a/security/nss/lib/ckfw/nssmkey/mrsa.c
+++ /dev/null
@@ -1,479 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "ckmk.h"
-
-/* Sigh, For all the talk about 'ease of use', apple has hidden the interfaces
- * needed to be able to truly use CSSM. These came from their modification
- * to NSS's S/MIME code. The following two functions currently are not
- * part of the SecKey.h interface.
- */
-OSStatus
-SecKeyGetCredentials(
- SecKeyRef keyRef,
- CSSM_ACL_AUTHORIZATION_TAG authTag,
- int type,
- const CSSM_ACCESS_CREDENTIALS **creds);
-
-/* this function could be implemented using 'SecKeychainItemCopyKeychain' and
- * 'SecKeychainGetCSPHandle' */
-OSStatus
-SecKeyGetCSPHandle(
- SecKeyRef keyRef,
- CSSM_CSP_HANDLE *cspHandle);
-
-typedef struct ckmkInternalCryptoOperationRSAPrivStr
- ckmkInternalCryptoOperationRSAPriv;
-struct ckmkInternalCryptoOperationRSAPrivStr {
- NSSCKMDCryptoOperation mdOperation;
- NSSCKMDMechanism *mdMechanism;
- ckmkInternalObject *iKey;
- NSSItem *buffer;
- CSSM_CC_HANDLE cssmContext;
-};
-
-typedef enum {
- CKMK_DECRYPT,
- CKMK_SIGN
-} ckmkRSAOpType;
-
-/*
- * ckmk_mdCryptoOperationRSAPriv_Create
- */
-static NSSCKMDCryptoOperation *
-ckmk_mdCryptoOperationRSAPriv_Create(
- const NSSCKMDCryptoOperation *proto,
- NSSCKMDMechanism *mdMechanism,
- NSSCKMDObject *mdKey,
- ckmkRSAOpType type,
- CK_RV *pError)
-{
- ckmkInternalObject *iKey = (ckmkInternalObject *)mdKey->etc;
- const NSSItem *classItem = nss_ckmk_FetchAttribute(iKey, CKA_CLASS, pError);
- const NSSItem *keyType = nss_ckmk_FetchAttribute(iKey, CKA_KEY_TYPE, pError);
- ckmkInternalCryptoOperationRSAPriv *iOperation;
- SecKeyRef privateKey;
- OSStatus macErr;
- CSSM_RETURN cssmErr;
- const CSSM_KEY *cssmKey;
- CSSM_CSP_HANDLE cspHandle;
- const CSSM_ACCESS_CREDENTIALS *creds = NULL;
- CSSM_CC_HANDLE cssmContext;
- CSSM_ACL_AUTHORIZATION_TAG authType;
-
- /* make sure we have the right objects */
- if (((const NSSItem *)NULL == classItem) ||
- (sizeof(CK_OBJECT_CLASS) != classItem->size) ||
- (CKO_PRIVATE_KEY != *(CK_OBJECT_CLASS *)classItem->data) ||
- ((const NSSItem *)NULL == keyType) ||
- (sizeof(CK_KEY_TYPE) != keyType->size) ||
- (CKK_RSA != *(CK_KEY_TYPE *)keyType->data)) {
- *pError = CKR_KEY_TYPE_INCONSISTENT;
- return (NSSCKMDCryptoOperation *)NULL;
- }
-
- privateKey = (SecKeyRef)iKey->u.item.itemRef;
- macErr = SecKeyGetCSSMKey(privateKey, &cssmKey);
- if (noErr != macErr) {
- CKMK_MACERR("Getting CSSM Key", macErr);
- *pError = CKR_KEY_HANDLE_INVALID;
- return (NSSCKMDCryptoOperation *)NULL;
- }
- macErr = SecKeyGetCSPHandle(privateKey, &cspHandle);
- if (noErr != macErr) {
- CKMK_MACERR("Getting CSP for Key", macErr);
- *pError = CKR_KEY_HANDLE_INVALID;
- return (NSSCKMDCryptoOperation *)NULL;
- }
- switch (type) {
- case CKMK_DECRYPT:
- authType = CSSM_ACL_AUTHORIZATION_DECRYPT;
- break;
- case CKMK_SIGN:
- authType = CSSM_ACL_AUTHORIZATION_SIGN;
- break;
- default:
- *pError = CKR_GENERAL_ERROR;
-#ifdef DEBUG
- fprintf(stderr, "RSAPriv_Create: bad type = %d\n", type);
-#endif
- return (NSSCKMDCryptoOperation *)NULL;
- }
-
- macErr = SecKeyGetCredentials(privateKey, authType, 0, &creds);
- if (noErr != macErr) {
- CKMK_MACERR("Getting Credentials for Key", macErr);
- *pError = CKR_KEY_HANDLE_INVALID;
- return (NSSCKMDCryptoOperation *)NULL;
- }
-
- switch (type) {
- case CKMK_DECRYPT:
- cssmErr = CSSM_CSP_CreateAsymmetricContext(cspHandle, CSSM_ALGID_RSA,
- creds, cssmKey, CSSM_PADDING_PKCS1, &cssmContext);
- break;
- case CKMK_SIGN:
- cssmErr = CSSM_CSP_CreateSignatureContext(cspHandle, CSSM_ALGID_RSA,
- creds, cssmKey, &cssmContext);
- break;
- default:
- *pError = CKR_GENERAL_ERROR;
-#ifdef DEBUG
- fprintf(stderr, "RSAPriv_Create: bad type = %d\n", type);
-#endif
- return (NSSCKMDCryptoOperation *)NULL;
- }
- if (noErr != cssmErr) {
- CKMK_MACERR("Getting Context for Key", cssmErr);
- *pError = CKR_GENERAL_ERROR;
- return (NSSCKMDCryptoOperation *)NULL;
- }
-
- iOperation = nss_ZNEW(NULL, ckmkInternalCryptoOperationRSAPriv);
- if ((ckmkInternalCryptoOperationRSAPriv *)NULL == iOperation) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDCryptoOperation *)NULL;
- }
- iOperation->mdMechanism = mdMechanism;
- iOperation->iKey = iKey;
- iOperation->cssmContext = cssmContext;
-
- nsslibc_memcpy(&iOperation->mdOperation,
- proto, sizeof(NSSCKMDCryptoOperation));
- iOperation->mdOperation.etc = iOperation;
-
- return &iOperation->mdOperation;
-}
-
-static void
-ckmk_mdCryptoOperationRSAPriv_Destroy(
- NSSCKMDCryptoOperation *mdOperation,
- NSSCKFWCryptoOperation *fwOperation,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance)
-{
- ckmkInternalCryptoOperationRSAPriv *iOperation =
- (ckmkInternalCryptoOperationRSAPriv *)mdOperation->etc;
-
- if (iOperation->buffer) {
- nssItem_Destroy(iOperation->buffer);
- }
- if (iOperation->cssmContext) {
- CSSM_DeleteContext(iOperation->cssmContext);
- }
- nss_ZFreeIf(iOperation);
- return;
-}
-
-static CK_ULONG
-ckmk_mdCryptoOperationRSA_GetFinalLength(
- NSSCKMDCryptoOperation *mdOperation,
- NSSCKFWCryptoOperation *fwOperation,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError)
-{
- ckmkInternalCryptoOperationRSAPriv *iOperation =
- (ckmkInternalCryptoOperationRSAPriv *)mdOperation->etc;
- const NSSItem *modulus =
- nss_ckmk_FetchAttribute(iOperation->iKey, CKA_MODULUS, pError);
-
- return modulus->size;
-}
-
-/*
- * ckmk_mdCryptoOperationRSADecrypt_GetOperationLength
- * we won't know the length until we actually decrypt the
- * input block. Since we go to all the work to decrypt the
- * the block, we'll save if for when the block is asked for
- */
-static CK_ULONG
-ckmk_mdCryptoOperationRSADecrypt_GetOperationLength(
- NSSCKMDCryptoOperation *mdOperation,
- NSSCKFWCryptoOperation *fwOperation,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- const NSSItem *input,
- CK_RV *pError)
-{
- ckmkInternalCryptoOperationRSAPriv *iOperation =
- (ckmkInternalCryptoOperationRSAPriv *)mdOperation->etc;
- CSSM_DATA cssmInput;
- CSSM_DATA cssmOutput = { 0, NULL };
- PRUint32 bytesDecrypted;
- CSSM_DATA remainder = { 0, NULL };
- NSSItem output;
- CSSM_RETURN cssmErr;
-
- if (iOperation->buffer) {
- return iOperation->buffer->size;
- }
-
- cssmInput.Data = input->data;
- cssmInput.Length = input->size;
-
- cssmErr = CSSM_DecryptData(iOperation->cssmContext,
- &cssmInput, 1, &cssmOutput, 1,
- &bytesDecrypted, &remainder);
- if (CSSM_OK != cssmErr) {
- CKMK_MACERR("Decrypt Failed", cssmErr);
- *pError = CKR_DATA_INVALID;
- return 0;
- }
- /* we didn't suppy any buffers, so it should all be in remainder */
- output.data = nss_ZNEWARRAY(NULL, char, bytesDecrypted + remainder.Length);
- if (NULL == output.data) {
- free(cssmOutput.Data);
- free(remainder.Data);
- *pError = CKR_HOST_MEMORY;
- return 0;
- }
- output.size = bytesDecrypted + remainder.Length;
-
- if (0 != bytesDecrypted) {
- nsslibc_memcpy(output.data, cssmOutput.Data, bytesDecrypted);
- free(cssmOutput.Data);
- }
- if (0 != remainder.Length) {
- nsslibc_memcpy(((char *)output.data) + bytesDecrypted,
- remainder.Data, remainder.Length);
- free(remainder.Data);
- }
-
- iOperation->buffer = nssItem_Duplicate(&output, NULL, NULL);
- nss_ZFreeIf(output.data);
- if ((NSSItem *)NULL == iOperation->buffer) {
- *pError = CKR_HOST_MEMORY;
- return 0;
- }
-
- return iOperation->buffer->size;
-}
-
-/*
- * ckmk_mdCryptoOperationRSADecrypt_UpdateFinal
- *
- * NOTE: ckmk_mdCryptoOperationRSADecrypt_GetOperationLength is presumed to
- * have been called previously.
- */
-static CK_RV
-ckmk_mdCryptoOperationRSADecrypt_UpdateFinal(
- NSSCKMDCryptoOperation *mdOperation,
- NSSCKFWCryptoOperation *fwOperation,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- const NSSItem *input,
- NSSItem *output)
-{
- ckmkInternalCryptoOperationRSAPriv *iOperation =
- (ckmkInternalCryptoOperationRSAPriv *)mdOperation->etc;
- NSSItem *buffer = iOperation->buffer;
-
- if ((NSSItem *)NULL == buffer) {
- return CKR_GENERAL_ERROR;
- }
- nsslibc_memcpy(output->data, buffer->data, buffer->size);
- output->size = buffer->size;
- return CKR_OK;
-}
-
-/*
- * ckmk_mdCryptoOperationRSASign_UpdateFinal
- *
- */
-static CK_RV
-ckmk_mdCryptoOperationRSASign_UpdateFinal(
- NSSCKMDCryptoOperation *mdOperation,
- NSSCKFWCryptoOperation *fwOperation,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- const NSSItem *input,
- NSSItem *output)
-{
- ckmkInternalCryptoOperationRSAPriv *iOperation =
- (ckmkInternalCryptoOperationRSAPriv *)mdOperation->etc;
- CSSM_DATA cssmInput;
- CSSM_DATA cssmOutput = { 0, NULL };
- CSSM_RETURN cssmErr;
-
- cssmInput.Data = input->data;
- cssmInput.Length = input->size;
-
- cssmErr = CSSM_SignData(iOperation->cssmContext, &cssmInput, 1,
- CSSM_ALGID_NONE, &cssmOutput);
- if (CSSM_OK != cssmErr) {
- CKMK_MACERR("Signed Failed", cssmErr);
- return CKR_FUNCTION_FAILED;
- }
- if (cssmOutput.Length > output->size) {
- free(cssmOutput.Data);
- return CKR_BUFFER_TOO_SMALL;
- }
- nsslibc_memcpy(output->data, cssmOutput.Data, cssmOutput.Length);
- free(cssmOutput.Data);
- output->size = cssmOutput.Length;
-
- return CKR_OK;
-}
-
-NSS_IMPLEMENT_DATA const NSSCKMDCryptoOperation
- ckmk_mdCryptoOperationRSADecrypt_proto = {
- NULL, /* etc */
- ckmk_mdCryptoOperationRSAPriv_Destroy,
- NULL, /* GetFinalLengh - not needed for one shot Decrypt/Encrypt */
- ckmk_mdCryptoOperationRSADecrypt_GetOperationLength,
- NULL, /* Final - not needed for one shot operation */
- NULL, /* Update - not needed for one shot operation */
- NULL, /* DigetUpdate - not needed for one shot operation */
- ckmk_mdCryptoOperationRSADecrypt_UpdateFinal,
- NULL, /* UpdateCombo - not needed for one shot operation */
- NULL, /* DigetKey - not needed for one shot operation */
- (void *)NULL /* null terminator */
- };
-
-NSS_IMPLEMENT_DATA const NSSCKMDCryptoOperation
- ckmk_mdCryptoOperationRSASign_proto = {
- NULL, /* etc */
- ckmk_mdCryptoOperationRSAPriv_Destroy,
- ckmk_mdCryptoOperationRSA_GetFinalLength,
- NULL, /* GetOperationLengh - not needed for one shot Sign/Verify */
- NULL, /* Final - not needed for one shot operation */
- NULL, /* Update - not needed for one shot operation */
- NULL, /* DigetUpdate - not needed for one shot operation */
- ckmk_mdCryptoOperationRSASign_UpdateFinal,
- NULL, /* UpdateCombo - not needed for one shot operation */
- NULL, /* DigetKey - not needed for one shot operation */
- (void *)NULL /* null terminator */
- };
-
-/********** NSSCKMDMechansim functions ***********************/
-/*
- * ckmk_mdMechanismRSA_Destroy
- */
-static void
-ckmk_mdMechanismRSA_Destroy(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance)
-{
- nss_ZFreeIf(fwMechanism);
-}
-
-/*
- * ckmk_mdMechanismRSA_GetMinKeySize
- */
-static CK_ULONG
-ckmk_mdMechanismRSA_GetMinKeySize(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError)
-{
- return 384;
-}
-
-/*
- * ckmk_mdMechanismRSA_GetMaxKeySize
- */
-static CK_ULONG
-ckmk_mdMechanismRSA_GetMaxKeySize(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError)
-{
- return 16384;
-}
-
-/*
- * ckmk_mdMechanismRSA_DecryptInit
- */
-static NSSCKMDCryptoOperation *
-ckmk_mdMechanismRSA_DecryptInit(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- CK_MECHANISM *pMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDObject *mdKey,
- NSSCKFWObject *fwKey,
- CK_RV *pError)
-{
- return ckmk_mdCryptoOperationRSAPriv_Create(
- &ckmk_mdCryptoOperationRSADecrypt_proto,
- mdMechanism, mdKey, CKMK_DECRYPT, pError);
-}
-
-/*
- * ckmk_mdMechanismRSA_SignInit
- */
-static NSSCKMDCryptoOperation *
-ckmk_mdMechanismRSA_SignInit(
- NSSCKMDMechanism *mdMechanism,
- NSSCKFWMechanism *fwMechanism,
- CK_MECHANISM *pMechanism,
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKMDObject *mdKey,
- NSSCKFWObject *fwKey,
- CK_RV *pError)
-{
- return ckmk_mdCryptoOperationRSAPriv_Create(
- &ckmk_mdCryptoOperationRSASign_proto,
- mdMechanism, mdKey, CKMK_SIGN, pError);
-}
-
-NSS_IMPLEMENT_DATA const NSSCKMDMechanism
- nss_ckmk_mdMechanismRSA = {
- (void *)NULL, /* etc */
- ckmk_mdMechanismRSA_Destroy,
- ckmk_mdMechanismRSA_GetMinKeySize,
- ckmk_mdMechanismRSA_GetMaxKeySize,
- NULL, /* GetInHardware - default false */
- NULL, /* EncryptInit - default errs */
- ckmk_mdMechanismRSA_DecryptInit,
- NULL, /* DigestInit - default errs*/
- ckmk_mdMechanismRSA_SignInit,
- NULL, /* VerifyInit - default errs */
- ckmk_mdMechanismRSA_SignInit, /* SignRecoverInit */
- NULL, /* VerifyRecoverInit - default errs */
- NULL, /* GenerateKey - default errs */
- NULL, /* GenerateKeyPair - default errs */
- NULL, /* GetWrapKeyLength - default errs */
- NULL, /* WrapKey - default errs */
- NULL, /* UnwrapKey - default errs */
- NULL, /* DeriveKey - default errs */
- (void *)NULL /* null terminator */
- };
diff --git a/security/nss/lib/ckfw/nssmkey/msession.c b/security/nss/lib/ckfw/nssmkey/msession.c
deleted file mode 100644
index e6a29244a1..0000000000
--- a/security/nss/lib/ckfw/nssmkey/msession.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "ckmk.h"
-
-/*
- * nssmkey/msession.c
- *
- * This file implements the NSSCKMDSession object for the
- * "nssmkey" cryptoki module.
- */
-
-static NSSCKMDFindObjects *
-ckmk_mdSession_FindObjectsInit(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError)
-{
- return nss_ckmk_FindObjectsInit(fwSession, pTemplate, ulAttributeCount, pError);
-}
-
-static NSSCKMDObject *
-ckmk_mdSession_CreateObject(
- NSSCKMDSession *mdSession,
- NSSCKFWSession *fwSession,
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSArena *arena,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG ulAttributeCount,
- CK_RV *pError)
-{
- return nss_ckmk_CreateObject(fwSession, pTemplate, ulAttributeCount, pError);
-}
-
-NSS_IMPLEMENT NSSCKMDSession *
-nss_ckmk_CreateSession(
- NSSCKFWSession *fwSession,
- CK_RV *pError)
-{
- NSSArena *arena;
- NSSCKMDSession *rv;
-
- arena = NSSCKFWSession_GetArena(fwSession, pError);
- if ((NSSArena *)NULL == arena) {
- return (NSSCKMDSession *)NULL;
- }
-
- rv = nss_ZNEW(arena, NSSCKMDSession);
- if ((NSSCKMDSession *)NULL == rv) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDSession *)NULL;
- }
-
- /*
- * rv was zeroed when allocated, so we only
- * need to set the non-zero members.
- */
-
- rv->etc = (void *)fwSession;
- /* rv->Close */
- /* rv->GetDeviceError */
- /* rv->Login */
- /* rv->Logout */
- /* rv->InitPIN */
- /* rv->SetPIN */
- /* rv->GetOperationStateLen */
- /* rv->GetOperationState */
- /* rv->SetOperationState */
- rv->CreateObject = ckmk_mdSession_CreateObject;
- /* rv->CopyObject */
- rv->FindObjectsInit = ckmk_mdSession_FindObjectsInit;
- /* rv->SeedRandom */
- /* rv->GetRandom */
- /* rv->null */
-
- return rv;
-}
diff --git a/security/nss/lib/ckfw/nssmkey/mslot.c b/security/nss/lib/ckfw/nssmkey/mslot.c
deleted file mode 100644
index b2747ff7b2..0000000000
--- a/security/nss/lib/ckfw/nssmkey/mslot.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "ckmk.h"
-
-/*
- * nssmkey/mslot.c
- *
- * This file implements the NSSCKMDSlot object for the
- * "nssmkey" cryptoki module.
- */
-
-static NSSUTF8 *
-ckmk_mdSlot_GetSlotDescription(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError)
-{
- return (NSSUTF8 *)nss_ckmk_SlotDescription;
-}
-
-static NSSUTF8 *
-ckmk_mdSlot_GetManufacturerID(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError)
-{
- return (NSSUTF8 *)nss_ckmk_ManufacturerID;
-}
-
-static CK_VERSION
-ckmk_mdSlot_GetHardwareVersion(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance)
-{
- return nss_ckmk_HardwareVersion;
-}
-
-static CK_VERSION
-ckmk_mdSlot_GetFirmwareVersion(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance)
-{
- return nss_ckmk_FirmwareVersion;
-}
-
-static NSSCKMDToken *
-ckmk_mdSlot_GetToken(
- NSSCKMDSlot *mdSlot,
- NSSCKFWSlot *fwSlot,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError)
-{
- return (NSSCKMDToken *)&nss_ckmk_mdToken;
-}
-
-NSS_IMPLEMENT_DATA const NSSCKMDSlot
- nss_ckmk_mdSlot = {
- (void *)NULL, /* etc */
- NULL, /* Initialize */
- NULL, /* Destroy */
- ckmk_mdSlot_GetSlotDescription,
- ckmk_mdSlot_GetManufacturerID,
- NULL, /* GetTokenPresent -- defaults to true */
- NULL, /* GetRemovableDevice -- defaults to false */
- NULL, /* GetHardwareSlot -- defaults to false */
- ckmk_mdSlot_GetHardwareVersion,
- ckmk_mdSlot_GetFirmwareVersion,
- ckmk_mdSlot_GetToken,
- (void *)NULL /* null terminator */
- };
diff --git a/security/nss/lib/ckfw/nssmkey/mtoken.c b/security/nss/lib/ckfw/nssmkey/mtoken.c
deleted file mode 100644
index e18d612405..0000000000
--- a/security/nss/lib/ckfw/nssmkey/mtoken.c
+++ /dev/null
@@ -1,184 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "ckmk.h"
-
-/*
- * nssmkey/mtoken.c
- *
- * This file implements the NSSCKMDToken object for the
- * "nssmkey" cryptoki module.
- */
-
-static NSSUTF8 *
-ckmk_mdToken_GetLabel(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError)
-{
- return (NSSUTF8 *)nss_ckmk_TokenLabel;
-}
-
-static NSSUTF8 *
-ckmk_mdToken_GetManufacturerID(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError)
-{
- return (NSSUTF8 *)nss_ckmk_ManufacturerID;
-}
-
-static NSSUTF8 *
-ckmk_mdToken_GetModel(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError)
-{
- return (NSSUTF8 *)nss_ckmk_TokenModel;
-}
-
-static NSSUTF8 *
-ckmk_mdToken_GetSerialNumber(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_RV *pError)
-{
- return (NSSUTF8 *)nss_ckmk_TokenSerialNumber;
-}
-
-static CK_BBOOL
-ckmk_mdToken_GetIsWriteProtected(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance)
-{
- return CK_FALSE;
-}
-
-/* fake out Mozilla so we don't try to initialize the token */
-static CK_BBOOL
-ckmk_mdToken_GetUserPinInitialized(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance)
-{
- return CK_TRUE;
-}
-
-static CK_VERSION
-ckmk_mdToken_GetHardwareVersion(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance)
-{
- return nss_ckmk_HardwareVersion;
-}
-
-static CK_VERSION
-ckmk_mdToken_GetFirmwareVersion(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance)
-{
- return nss_ckmk_FirmwareVersion;
-}
-
-static NSSCKMDSession *
-ckmk_mdToken_OpenSession(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- NSSCKFWSession *fwSession,
- CK_BBOOL rw,
- CK_RV *pError)
-{
- return nss_ckmk_CreateSession(fwSession, pError);
-}
-
-static CK_ULONG
-ckmk_mdToken_GetMechanismCount(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance)
-{
- return (CK_ULONG)1;
-}
-
-static CK_RV
-ckmk_mdToken_GetMechanismTypes(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_MECHANISM_TYPE types[])
-{
- types[0] = CKM_RSA_PKCS;
- return CKR_OK;
-}
-
-static NSSCKMDMechanism *
-ckmk_mdToken_GetMechanism(
- NSSCKMDToken *mdToken,
- NSSCKFWToken *fwToken,
- NSSCKMDInstance *mdInstance,
- NSSCKFWInstance *fwInstance,
- CK_MECHANISM_TYPE which,
- CK_RV *pError)
-{
- if (which != CKM_RSA_PKCS) {
- *pError = CKR_MECHANISM_INVALID;
- return (NSSCKMDMechanism *)NULL;
- }
- return (NSSCKMDMechanism *)&nss_ckmk_mdMechanismRSA;
-}
-
-NSS_IMPLEMENT_DATA const NSSCKMDToken
- nss_ckmk_mdToken = {
- (void *)NULL, /* etc */
- NULL, /* Setup */
- NULL, /* Invalidate */
- NULL, /* InitToken -- default errs */
- ckmk_mdToken_GetLabel,
- ckmk_mdToken_GetManufacturerID,
- ckmk_mdToken_GetModel,
- ckmk_mdToken_GetSerialNumber,
- NULL, /* GetHasRNG -- default is false */
- ckmk_mdToken_GetIsWriteProtected,
- NULL, /* GetLoginRequired -- default is false */
- ckmk_mdToken_GetUserPinInitialized,
- NULL, /* GetRestoreKeyNotNeeded -- irrelevant */
- NULL, /* GetHasClockOnToken -- default is false */
- NULL, /* GetHasProtectedAuthenticationPath -- default is false */
- NULL, /* GetSupportsDualCryptoOperations -- default is false */
- NULL, /* GetMaxSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
- NULL, /* GetMaxRwSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
- NULL, /* GetMaxPinLen -- irrelevant */
- NULL, /* GetMinPinLen -- irrelevant */
- NULL, /* GetTotalPublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
- NULL, /* GetFreePublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
- NULL, /* GetTotalPrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
- NULL, /* GetFreePrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
- ckmk_mdToken_GetHardwareVersion,
- ckmk_mdToken_GetFirmwareVersion,
- NULL, /* GetUTCTime -- no clock */
- ckmk_mdToken_OpenSession,
- ckmk_mdToken_GetMechanismCount,
- ckmk_mdToken_GetMechanismTypes,
- ckmk_mdToken_GetMechanism,
- (void *)NULL /* null terminator */
- };
diff --git a/security/nss/lib/ckfw/nssmkey/nssmkey.def b/security/nss/lib/ckfw/nssmkey/nssmkey.def
deleted file mode 100644
index 45d307ff01..0000000000
--- a/security/nss/lib/ckfw/nssmkey/nssmkey.def
+++ /dev/null
@@ -1,26 +0,0 @@
-;+#
-;+# This Source Code Form is subject to the terms of the Mozilla Public
-;+# License, v. 2.0. If a copy of the MPL was not distributed with this
-;+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;+#
-;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
-;+# 1. For all unix platforms, the string ";-" means "remove this line"
-;+# 2. For all unix platforms, the string " DATA " will be removed from any
-;+# line on which it occurs.
-;+# 3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
-;+# On AIX, lines containing ";+" will be removed.
-;+# 4. For all unix platforms, the string ";;" will thave the ";;" removed.
-;+# 5. For all unix platforms, after the above processing has taken place,
-;+# all characters after the first ";" on the line will be removed.
-;+# And for AIX, the first ";" will also be removed.
-;+# This file is passed directly to windows. Since ';' is a comment, all UNIX
-;+# directives are hidden behind ";", ";+", and ";-"
-;+
-;+NSSMKEY_3.0 { # First release of nssmkey
-;+ global:
-LIBRARY nssmkey ;-
-EXPORTS ;-
-C_GetFunctionList;
-;+ local:
-;+*;
-;+};
diff --git a/security/nss/lib/ckfw/nssmkey/nssmkey.h b/security/nss/lib/ckfw/nssmkey/nssmkey.h
deleted file mode 100644
index ba58233e62..0000000000
--- a/security/nss/lib/ckfw/nssmkey/nssmkey.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef NSSMKEY_H
-#define NSSMKEY_H
-
-/*
- * NSS CKMK Version numbers.
- *
- * These are the version numbers for the nssmkey module packaged with
- * this release on NSS. To determine the version numbers of the builtin
- * module you are using, use the appropriate PKCS #11 calls.
- *
- * These version numbers detail changes to the PKCS #11 interface. They map
- * to the PKCS #11 spec versions.
- */
-#define NSS_CKMK_CRYPTOKI_VERSION_MAJOR 2
-#define NSS_CKMK_CRYPTOKI_VERSION_MINOR 20
-
-/* These version numbers detail the changes
- * to the list of trusted certificates.
- *
- * NSS_CKMK_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear
- * whether we may use its full range (0-255) or only 0-99 because
- * of the comment in the CK_VERSION type definition.
- */
-#define NSS_CKMK_LIBRARY_VERSION_MAJOR 1
-#define NSS_CKMK_LIBRARY_VERSION_MINOR 1
-#define NSS_CKMK_LIBRARY_VERSION "1.1"
-
-/* These version numbers detail the semantic changes to the ckfw engine. */
-#define NSS_CKMK_HARDWARE_VERSION_MAJOR 1
-#define NSS_CKMK_HARDWARE_VERSION_MINOR 0
-
-/* These version numbers detail the semantic changes to ckbi itself
- * (new PKCS #11 objects), etc. */
-#define NSS_CKMK_FIRMWARE_VERSION_MAJOR 1
-#define NSS_CKMK_FIRMWARE_VERSION_MINOR 0
-
-#endif /* NSSMKEY_H */
diff --git a/security/nss/lib/ckfw/nssmkey/staticobj.c b/security/nss/lib/ckfw/nssmkey/staticobj.c
deleted file mode 100644
index 5f3bb7c720..0000000000
--- a/security/nss/lib/ckfw/nssmkey/staticobj.c
+++ /dev/null
@@ -1,36 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef CKMK_H
-#include "ckmk.h"
-#endif /* CKMK_H */
-
-static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
-static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
-static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR;
-static const CK_OBJECT_CLASS cko_netscape_trust = CKO_NETSCAPE_TRUST;
-static const CK_BBOOL ck_true = CK_TRUE;
-static const CK_OBJECT_CLASS cko_data = CKO_DATA;
-static const CK_CERTIFICATE_TYPE ckc_x_509 = CKC_X_509;
-static const CK_BBOOL ck_false = CK_FALSE;
-static const CK_OBJECT_CLASS cko_netscape_builtin_root_list = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
-
-/* example of a static object */
-static const CK_ATTRIBUTE_TYPE nss_ckmk_types_1[] = {
- CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL
-};
-
-static const NSSItem nss_ckmk_items_1[] = {
- { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
- { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
- { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
- { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
- { (void *)"Mozilla Mac Key Ring Access", (PRUint32)28 }
-};
-
-ckmkInternalObject nss_ckmk_data[] = {
- { ckmkRaw, { { 5, nss_ckmk_types_1, nss_ckmk_items_1 } }, CKO_DATA, { NULL } },
-};
-
-const PRUint32 nss_ckmk_nObjects = 1;
diff --git a/security/nss/lib/ckfw/session.c b/security/nss/lib/ckfw/session.c
index a3119345ca..7efedf4035 100644
--- a/security/nss/lib/ckfw/session.c
+++ b/security/nss/lib/ckfw/session.c
@@ -1419,9 +1419,8 @@ nssCKFWSession_CopyObject(
/* use create object */
NSSArena *tmpArena;
CK_ATTRIBUTE_PTR newTemplate;
- CK_ULONG i, j, n, newLength, k;
+ CK_ULONG j, n, newLength, k;
CK_ATTRIBUTE_TYPE_PTR oldTypes;
- NSSCKFWObject *rv;
n = nssCKFWObject_GetAttributeCount(fwObject, pError);
if ((0 == n) && (CKR_OK != *pError)) {
diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c
index 0d4c3b5a72..41ffe86da5 100644
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -528,7 +528,9 @@ nssToken_ImportCertificate(
*/
NSS_CK_TEMPLATE_START(cert_tmpl, attr, ctsize);
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, id);
- NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, nickname);
+ if (!rvObject->label && nickname) {
+ NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, nickname);
+ }
NSS_CK_TEMPLATE_FINISH(cert_tmpl, attr, ctsize);
/* reset the mutable attributes on the token */
nssCKObject_SetAttributes(rvObject->handle,
diff --git a/security/nss/lib/freebl/Makefile b/security/nss/lib/freebl/Makefile
index a4b1a86aec..bff11c7c8e 100644
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -517,13 +517,13 @@ ifndef NSS_DISABLE_CHACHAPOLY
ifdef HAVE_INT128_SUPPORT
EXTRA_SRCS += Hacl_Poly1305_64.c
else
- EXTRA_SRCS += poly1305.c
+ EXTRA_SRCS += Hacl_Poly1305_32.c
endif
else
ifeq ($(CPU_ARCH),aarch64)
EXTRA_SRCS += Hacl_Poly1305_64.c
else
- EXTRA_SRCS += poly1305.c
+ EXTRA_SRCS += Hacl_Poly1305_32.c
endif
endif # x86_64
@@ -535,12 +535,16 @@ ifeq (,$(filter-out i386 x386 x86 x86_64 aarch64,$(CPU_ARCH)))
# All intel architectures get the 64 bit version
# With custom uint128 if necessary (faster than generic 32 bit version).
ECL_SRCS += curve25519_64.c
- VERIFIED_SRCS += Hacl_Curve25519.c FStar.c
+ VERIFIED_SRCS += Hacl_Curve25519.c
else
# All non intel architectures get the generic 32 bit implementation (slow!)
ECL_SRCS += curve25519_32.c
endif
+ifndef HAVE_INT128_SUPPORT
+ VERIFIED_SRCS += FStar.c
+endif
+
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #
#######################################################################
diff --git a/security/nss/lib/freebl/blake2b.c b/security/nss/lib/freebl/blake2b.c
index 4099c67e01..b4a0442c95 100644
--- a/security/nss/lib/freebl/blake2b.c
+++ b/security/nss/lib/freebl/blake2b.c
@@ -180,7 +180,7 @@ blake2b_Begin(BLAKE2BContext* ctx, uint8_t outlen, const uint8_t* key,
return SECSuccess;
failure:
- PORT_Memset(&ctx, 0, sizeof(ctx));
+ PORT_Memset(ctx, 0, sizeof(*ctx));
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
diff --git a/security/nss/lib/freebl/chacha20poly1305.c b/security/nss/lib/freebl/chacha20poly1305.c
index 859d05316e..302f0db9e7 100644
--- a/security/nss/lib/freebl/chacha20poly1305.c
+++ b/security/nss/lib/freebl/chacha20poly1305.c
@@ -24,36 +24,60 @@ extern void Hacl_Chacha20_Vec128_chacha20(uint8_t *output, uint8_t *plain,
extern void Hacl_Chacha20_chacha20(uint8_t *output, uint8_t *plain, uint32_t len,
uint8_t *k, uint8_t *n1, uint32_t ctr);
-/* Poly1305Do writes the Poly1305 authenticator of the given additional data
- * and ciphertext to |out|. */
#if defined(HAVE_INT128_SUPPORT) && (defined(NSS_X86_OR_X64) || defined(__aarch64__))
/* Use HACL* Poly1305 on 64-bit Intel and ARM */
#include "verified/Hacl_Poly1305_64.h"
+#define NSS_POLY1305_64 1
+#define Hacl_Poly1305_update Hacl_Poly1305_64_update
+#define Hacl_Poly1305_mk_state Hacl_Poly1305_64_mk_state
+#define Hacl_Poly1305_init Hacl_Poly1305_64_init
+#define Hacl_Poly1305_finish Hacl_Poly1305_64_finish
+typedef Hacl_Impl_Poly1305_64_State_poly1305_state Hacl_Impl_Poly1305_State_poly1305_state;
+#else
+/* All other platforms get the 32-bit poly1305 HACL* implementation. */
+#include "verified/Hacl_Poly1305_32.h"
+#define NSS_POLY1305_32 1
+#define Hacl_Poly1305_update Hacl_Poly1305_32_update
+#define Hacl_Poly1305_mk_state Hacl_Poly1305_32_mk_state
+#define Hacl_Poly1305_init Hacl_Poly1305_32_init
+#define Hacl_Poly1305_finish Hacl_Poly1305_32_finish
+typedef Hacl_Impl_Poly1305_32_State_poly1305_state Hacl_Impl_Poly1305_State_poly1305_state;
+#endif /* HAVE_INT128_SUPPORT */
static void
-Poly1305PadUpdate(Hacl_Impl_Poly1305_64_State_poly1305_state state,
+Poly1305PadUpdate(Hacl_Impl_Poly1305_State_poly1305_state state,
unsigned char *block, const unsigned char *p,
const unsigned int pLen)
{
unsigned int pRemLen = pLen % 16;
- Hacl_Poly1305_64_update(state, (uint8_t *)p, (pLen / 16));
+ Hacl_Poly1305_update(state, (uint8_t *)p, (pLen / 16));
if (pRemLen > 0) {
memcpy(block, p + (pLen - pRemLen), pRemLen);
- Hacl_Poly1305_64_update(state, block, 1);
+ Hacl_Poly1305_update(state, block, 1);
}
}
+/* Poly1305Do writes the Poly1305 authenticator of the given additional data
+ * and ciphertext to |out|. */
static void
Poly1305Do(unsigned char *out, const unsigned char *ad, unsigned int adLen,
const unsigned char *ciphertext, unsigned int ciphertextLen,
const unsigned char key[32])
{
- uint64_t tmp1[6U] = { 0U };
- Hacl_Impl_Poly1305_64_State_poly1305_state state =
- Hacl_Poly1305_64_mk_state(tmp1, tmp1 + 3);
+#ifdef NSS_POLY1305_64
+ uint64_t stateStack[6U] = { 0U };
+ size_t offset = 3;
+#elif defined NSS_POLY1305_32
+ uint32_t stateStack[10U] = { 0U };
+ size_t offset = 5;
+#else
+#error "This can't happen."
+#endif
+ Hacl_Impl_Poly1305_State_poly1305_state state =
+ Hacl_Poly1305_mk_state(stateStack, stateStack + offset);
unsigned char block[16] = { 0 };
- Hacl_Poly1305_64_init(state, (uint8_t *)key);
+ Hacl_Poly1305_init(state, (uint8_t *)key);
Poly1305PadUpdate(state, block, ad, adLen);
memset(block, 0, 16);
@@ -68,49 +92,11 @@ Poly1305Do(unsigned char *out, const unsigned char *ad, unsigned int adLen,
block[i] = j;
}
- Hacl_Poly1305_64_update(state, block, 1);
- Hacl_Poly1305_64_finish(state, out, (uint8_t *)(key + 16));
+ Hacl_Poly1305_update(state, block, 1);
+ Hacl_Poly1305_finish(state, out, (uint8_t *)(key + 16));
+#undef NSS_POLY1305_64
+#undef NSS_POLY1305_32
}
-#else
-/* All other platforms get the 32-bit poly1305 reference implementation. */
-#include "poly1305.h"
-
-static void
-Poly1305Do(unsigned char *out, const unsigned char *ad, unsigned int adLen,
- const unsigned char *ciphertext, unsigned int ciphertextLen,
- const unsigned char key[32])
-{
- poly1305_state state;
- unsigned int j;
- unsigned char lengthBytes[8];
- static const unsigned char zeros[15];
- unsigned int i;
-
- Poly1305Init(&state, key);
- Poly1305Update(&state, ad, adLen);
- if (adLen % 16 > 0) {
- Poly1305Update(&state, zeros, 16 - adLen % 16);
- }
- Poly1305Update(&state, ciphertext, ciphertextLen);
- if (ciphertextLen % 16 > 0) {
- Poly1305Update(&state, zeros, 16 - ciphertextLen % 16);
- }
- j = adLen;
- for (i = 0; i < sizeof(lengthBytes); i++) {
- lengthBytes[i] = j;
- j >>= 8;
- }
- Poly1305Update(&state, lengthBytes, sizeof(lengthBytes));
- j = ciphertextLen;
- for (i = 0; i < sizeof(lengthBytes); i++) {
- lengthBytes[i] = j;
- j >>= 8;
- }
- Poly1305Update(&state, lengthBytes, sizeof(lengthBytes));
- Poly1305Finish(&state, out);
-}
-
-#endif /* HAVE_INT128_SUPPORT */
#endif /* NSS_DISABLE_CHACHAPOLY */
SECStatus
diff --git a/security/nss/lib/freebl/dsa.c b/security/nss/lib/freebl/dsa.c
index 9324d306b1..aef353967d 100644
--- a/security/nss/lib/freebl/dsa.c
+++ b/security/nss/lib/freebl/dsa.c
@@ -16,14 +16,11 @@
#include "blapi.h"
#include "nssilock.h"
#include "secitem.h"
-#include "blapi.h"
+#include "blapit.h"
#include "mpi.h"
#include "secmpi.h"
#include "pqg.h"
-/* XXX to be replaced by define in blapit.h */
-#define NSS_FREEBL_DSA_DEFAULT_CHUNKSIZE 2048
-
/*
* FIPS 186-2 requires result from random output to be reduced mod q when
* generating random numbers for DSA.
@@ -168,7 +165,7 @@ dsa_NewKeyExtended(const PQGParams *params, const SECItem *seed,
return SECFailure;
}
/* Initialize an arena for the DSA key. */
- arena = PORT_NewArena(NSS_FREEBL_DSA_DEFAULT_CHUNKSIZE);
+ arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
if (!arena) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure;
@@ -213,8 +210,9 @@ cleanup:
mp_clear(&g);
mp_clear(&x);
mp_clear(&y);
- if (key)
+ if (key) {
PORT_FreeArena(key->params.arena, PR_TRUE);
+ }
if (err) {
translate_mpi_error(err);
return SECFailure;
@@ -321,6 +319,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
mp_int x, k; /* private key & pseudo-random integer */
mp_int r, s; /* tuple (r, s) is signature) */
mp_int t; /* holding tmp values */
+ mp_int ar; /* holding blinding values */
mp_err err = MP_OKAY;
SECStatus rv = SECSuccess;
unsigned int dsa_subprime_len, dsa_signature_len, offset;
@@ -364,6 +363,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
MP_DIGITS(&r) = 0;
MP_DIGITS(&s) = 0;
MP_DIGITS(&t) = 0;
+ MP_DIGITS(&ar) = 0;
CHECK_MPI_OK(mp_init(&p));
CHECK_MPI_OK(mp_init(&q));
CHECK_MPI_OK(mp_init(&g));
@@ -372,6 +372,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
CHECK_MPI_OK(mp_init(&r));
CHECK_MPI_OK(mp_init(&s));
CHECK_MPI_OK(mp_init(&t));
+ CHECK_MPI_OK(mp_init(&ar));
/*
** Convert stored PQG and private key into MPI integers.
*/
@@ -397,14 +398,28 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
rv = SECFailure;
goto cleanup;
}
- SECITEM_TO_MPINT(t2, &t); /* t <-$ Zq */
+ SECITEM_TO_MPINT(t2, &t); /* t <-$ Zq */
+ SECITEM_FreeItem(&t2, PR_FALSE);
+ if (DSA_NewRandom(NULL, &key->params.subPrime, &t2) != SECSuccess) {
+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
+ rv = SECFailure;
+ goto cleanup;
+ }
+ SECITEM_TO_MPINT(t2, &ar); /* ar <-$ Zq */
+ SECITEM_FreeItem(&t2, PR_FALSE);
+
+ /* Using mp_invmod on k directly would leak bits from k. */
+ CHECK_MPI_OK(mp_mul(&k, &ar, &k)); /* k = k * ar */
CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */
CHECK_MPI_OK(mp_invmod(&k, &q, &k)); /* k = k**-1 mod q */
CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */
SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M) */
- CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */
- CHECK_MPI_OK(mp_addmod(&s, &x, &q, &s)); /* s = s + x mod q */
- CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */
+ /* To avoid leaking secret bits here the addition is blinded. */
+ CHECK_MPI_OK(mp_mul(&x, &ar, &x)); /* x = x * ar */
+ CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */
+ CHECK_MPI_OK(mp_mulmod(&s, &ar, &q, &t)); /* t = s * ar mod q */
+ CHECK_MPI_OK(mp_add(&t, &x, &s)); /* s = t + x */
+ CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */
/*
** verify r != 0 and s != 0
** mentioned as optional in FIPS 186-1.
@@ -438,7 +453,7 @@ cleanup:
mp_clear(&r);
mp_clear(&s);
mp_clear(&t);
- SECITEM_FreeItem(&t2, PR_FALSE);
+ mp_clear(&ar);
if (err) {
translate_mpi_error(err);
rv = SECFailure;
diff --git a/security/nss/lib/freebl/ec.c b/security/nss/lib/freebl/ec.c
index b28815ade9..6468a10d63 100644
--- a/security/nss/lib/freebl/ec.c
+++ b/security/nss/lib/freebl/ec.c
@@ -653,6 +653,7 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
mp_int r, s; /* tuple (r, s) is the signature */
mp_int t; /* holding tmp values */
mp_int n;
+ mp_int ar; /* blinding value */
mp_err err = MP_OKAY;
ECParams *ecParams = NULL;
SECItem kGpoint = { siBuffer, NULL, 0 };
@@ -674,6 +675,7 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
MP_DIGITS(&s) = 0;
MP_DIGITS(&n) = 0;
MP_DIGITS(&t) = 0;
+ MP_DIGITS(&ar) = 0;
/* Check args */
if (!key || !signature || !digest || !kb || (kblen < 0)) {
@@ -700,6 +702,7 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
CHECK_MPI_OK(mp_init(&s));
CHECK_MPI_OK(mp_init(&n));
CHECK_MPI_OK(mp_init(&t));
+ CHECK_MPI_OK(mp_init(&ar));
SECITEM_TO_MPINT(ecParams->order, &n);
SECITEM_TO_MPINT(key->privateValue, &d);
@@ -815,12 +818,25 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
goto cleanup;
}
CHECK_MPI_OK(mp_read_unsigned_octets(&t, t2, 2 * ecParams->order.len)); /* t <-$ Zn */
- CHECK_MPI_OK(mp_mulmod(&k, &t, &n, &k)); /* k = k * t mod n */
- CHECK_MPI_OK(mp_invmod(&k, &n, &k)); /* k = k**-1 mod n */
- CHECK_MPI_OK(mp_mulmod(&k, &t, &n, &k)); /* k = k * t mod n */
- CHECK_MPI_OK(mp_mulmod(&d, &r, &n, &d)); /* d = d * r mod n */
- CHECK_MPI_OK(mp_addmod(&s, &d, &n, &s)); /* s = s + d mod n */
- CHECK_MPI_OK(mp_mulmod(&s, &k, &n, &s)); /* s = s * k mod n */
+ PORT_Memset(t2, 0, 2 * ecParams->order.len);
+ if (RNG_GenerateGlobalRandomBytes(t2, 2 * ecParams->order.len) != SECSuccess) {
+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
+ rv = SECFailure;
+ goto cleanup;
+ }
+ CHECK_MPI_OK(mp_read_unsigned_octets(&ar, t2, 2 * ecParams->order.len)); /* ar <-$ Zn */
+
+ /* Using mp_invmod on k directly would leak bits from k. */
+ CHECK_MPI_OK(mp_mul(&k, &ar, &k)); /* k = k * ar */
+ CHECK_MPI_OK(mp_mulmod(&k, &t, &n, &k)); /* k = k * t mod n */
+ CHECK_MPI_OK(mp_invmod(&k, &n, &k)); /* k = k**-1 mod n */
+ CHECK_MPI_OK(mp_mulmod(&k, &t, &n, &k)); /* k = k * t mod n */
+ /* To avoid leaking secret bits here the addition is blinded. */
+ CHECK_MPI_OK(mp_mul(&d, &ar, &t)); /* t = d * ar */
+ CHECK_MPI_OK(mp_mulmod(&t, &r, &n, &d)); /* d = t * r mod n */
+ CHECK_MPI_OK(mp_mulmod(&s, &ar, &n, &t)); /* t = s * ar mod n */
+ CHECK_MPI_OK(mp_add(&t, &d, &s)); /* s = t + d */
+ CHECK_MPI_OK(mp_mulmod(&s, &k, &n, &s)); /* s = s * k mod n */
#if EC_DEBUG
mp_todecimal(&s, mpstr);
@@ -858,6 +874,7 @@ cleanup:
mp_clear(&s);
mp_clear(&n);
mp_clear(&t);
+ mp_clear(&ar);
if (t2) {
PORT_Free(t2);
diff --git a/security/nss/lib/freebl/freebl.gyp b/security/nss/lib/freebl/freebl.gyp
index fae56f709e..004807483e 100644
--- a/security/nss/lib/freebl/freebl.gyp
+++ b/security/nss/lib/freebl/freebl.gyp
@@ -272,28 +272,15 @@
},
}],
[ 'cc_use_gnu_ld==1 and OS=="win" and target_arch=="x64"', {
+ # mingw x64
'defines': [
'MP_IS_LITTLE_ENDIAN',
- 'NSS_BEVAND_ARCFOUR',
- 'MPI_AMD64',
- 'MP_ASSEMBLY_MULTIPLY',
- 'NSS_USE_COMBA',
- 'USE_HW_AES',
- 'INTEL_GCM',
],
}],
- [ 'OS!="win"', {
- 'conditions': [
- [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
- 'defines': [
- # The Makefile does version-tests on GCC, but we're not doing that here.
- 'HAVE_INT128_SUPPORT',
- ],
- }, {
- 'defines': [
- 'KRML_NOUINT128',
- ],
- }],
+ [ 'have_int128_support==1', {
+ 'defines': [
+ # The Makefile does version-tests on GCC, but we're not doing that here.
+ 'HAVE_INT128_SUPPORT',
],
}, {
'defines': [
@@ -355,5 +342,18 @@
},
'variables': {
'module': 'nss',
+ 'conditions': [
+ [ 'OS!="win"', {
+ 'conditions': [
+ [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
+ 'have_int128_support%': 1,
+ }, {
+ 'have_int128_support%': 0,
+ }],
+ ],
+ }, {
+ 'have_int128_support%': 0,
+ }],
+ ],
}
}
diff --git a/security/nss/lib/freebl/freebl_base.gypi b/security/nss/lib/freebl/freebl_base.gypi
index ebd1018d81..1372994f4c 100644
--- a/security/nss/lib/freebl/freebl_base.gypi
+++ b/security/nss/lib/freebl/freebl_base.gypi
@@ -59,7 +59,7 @@
'sha_fast.c',
'shvfy.c',
'sysrand.c',
- 'tlsprfalg.c'
+ 'tlsprfalg.c',
],
'conditions': [
[ 'OS=="linux" or OS=="android"', {
@@ -122,6 +122,11 @@
'intel-gcm-x86-masm.asm',
],
}],
+ [ 'cc_use_gnu_ld==1', {
+ # mingw
+ 'sources': [
+ ],
+ }],
[ 'cc_is_clang!=1', {
# MSVC
'sources': [
@@ -135,7 +140,6 @@
# All intel and 64-bit ARM architectures get the 64 bit version.
'ecl/curve25519_64.c',
'verified/Hacl_Curve25519.c',
- 'verified/FStar.c',
],
}, {
'sources': [
@@ -167,7 +171,7 @@
}, {
# !Windows & !x64 & !arm64 & !aarch64
'sources': [
- 'poly1305.c',
+ 'verified/Hacl_Poly1305_32.c',
],
}],
],
@@ -176,7 +180,7 @@
}, {
# Windows
'sources': [
- 'poly1305.c',
+ 'verified/Hacl_Poly1305_32.c',
],
}],
],
@@ -215,6 +219,9 @@
}],
],
}],
+ [ 'have_int128_support==0', {
+ 'sources': [ 'verified/FStar.c' ],
+ }],
],
'ldflags': [
'-Wl,-Bsymbolic'
diff --git a/security/nss/lib/freebl/loader.c b/security/nss/lib/freebl/loader.c
index fe5e0a6680..6d200e6dd1 100644
--- a/security/nss/lib/freebl/loader.c
+++ b/security/nss/lib/freebl/loader.c
@@ -2164,12 +2164,12 @@ BLAKE2B_NewContext(void)
}
void
-BLAKE2B_DestroyContext(BLAKE2BContext *BLAKE2BContext, PRBool freeit)
+BLAKE2B_DestroyContext(BLAKE2BContext *ctx, PRBool freeit)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) {
return;
}
- (vector->p_BLAKE2B_DestroyContext)(BLAKE2BContext, freeit);
+ (vector->p_BLAKE2B_DestroyContext)(ctx, freeit);
}
SECStatus
diff --git a/security/nss/lib/freebl/mpi/mpi.c b/security/nss/lib/freebl/mpi/mpi.c
index ae404019d8..8c893fb5fa 100644
--- a/security/nss/lib/freebl/mpi/mpi.c
+++ b/security/nss/lib/freebl/mpi/mpi.c
@@ -2657,10 +2657,10 @@ mp_toradix(mp_int *mp, char *str, int radix)
/* Reverse the digits and sign indicator */
ix = 0;
while (ix < pos) {
- char tmp = str[ix];
+ char tmpc = str[ix];
str[ix] = str[pos];
- str[pos] = tmp;
+ str[pos] = tmpc;
++ix;
--pos;
}
@@ -3313,13 +3313,14 @@ s_mp_div_d(mp_int *mp, mp_digit d, mp_digit *r)
/* could check for power of 2 here, but mp_div_d does that. */
if (MP_USED(mp) == 1) {
mp_digit n = MP_DIGIT(mp, 0);
- mp_digit rem;
+ mp_digit remdig;
q = n / d;
- rem = n % d;
+ remdig = n % d;
MP_DIGIT(mp, 0) = q;
- if (r)
- *r = rem;
+ if (r) {
+ *r = remdig;
+ }
return MP_OKAY;
}
diff --git a/security/nss/lib/freebl/poly1305-donna-x64-sse2-incremental-source.c b/security/nss/lib/freebl/poly1305-donna-x64-sse2-incremental-source.c
deleted file mode 100644
index 3c803c167d..0000000000
--- a/security/nss/lib/freebl/poly1305-donna-x64-sse2-incremental-source.c
+++ /dev/null
@@ -1,881 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-/* This implementation of poly1305 is by Andrew Moon
- * (https://github.com/floodyberry/poly1305-donna) and released as public
- * domain. It implements SIMD vectorization based on the algorithm described in
- * http://cr.yp.to/papers.html#neoncrypto. Unrolled to 2 powers, i.e. 64 byte
- * block size. */
-
-#include <emmintrin.h>
-#include <stdint.h>
-
-#include "poly1305.h"
-#include "blapii.h"
-
-#define ALIGN(x) __attribute__((aligned(x)))
-#define INLINE inline
-#define U8TO64_LE(m) (*(uint64_t *)(m))
-#define U8TO32_LE(m) (*(uint32_t *)(m))
-#define U64TO8_LE(m, v) (*(uint64_t *)(m)) = v
-
-typedef __m128i xmmi;
-typedef unsigned __int128 uint128_t;
-
-static const uint32_t ALIGN(16) poly1305_x64_sse2_message_mask[4] = { (1 << 26) - 1, 0, (1 << 26) - 1, 0 };
-static const uint32_t ALIGN(16) poly1305_x64_sse2_5[4] = { 5, 0, 5, 0 };
-static const uint32_t ALIGN(16) poly1305_x64_sse2_1shl128[4] = { (1 << 24), 0, (1 << 24), 0 };
-
-static uint128_t INLINE
-add128(uint128_t a, uint128_t b)
-{
- return a + b;
-}
-
-static uint128_t INLINE
-add128_64(uint128_t a, uint64_t b)
-{
- return a + b;
-}
-
-static uint128_t INLINE
-mul64x64_128(uint64_t a, uint64_t b)
-{
- return (uint128_t)a * b;
-}
-
-static uint64_t INLINE
-lo128(uint128_t a)
-{
- return (uint64_t)a;
-}
-
-static uint64_t INLINE
-shr128(uint128_t v, const int shift)
-{
- return (uint64_t)(v >> shift);
-}
-
-static uint64_t INLINE
-shr128_pair(uint64_t hi, uint64_t lo, const int shift)
-{
- return (uint64_t)((((uint128_t)hi << 64) | lo) >> shift);
-}
-
-typedef struct poly1305_power_t {
- union {
- xmmi v;
- uint64_t u[2];
- uint32_t d[4];
- } R20, R21, R22, R23, R24, S21, S22, S23, S24;
-} poly1305_power;
-
-typedef struct poly1305_state_internal_t {
- poly1305_power P[2]; /* 288 bytes, top 32 bit halves unused = 144 bytes of free storage */
- union {
- xmmi H[5]; /* 80 bytes */
- uint64_t HH[10];
- };
- /* uint64_t r0,r1,r2; [24 bytes] */
- /* uint64_t pad0,pad1; [16 bytes] */
- uint64_t started; /* 8 bytes */
- uint64_t leftover; /* 8 bytes */
- uint8_t buffer[64]; /* 64 bytes */
-} poly1305_state_internal; /* 448 bytes total + 63 bytes for alignment = 511 bytes raw */
-
-static poly1305_state_internal INLINE
- *
- poly1305_aligned_state(poly1305_state *state)
-{
- return (poly1305_state_internal *)(((uint64_t)state + 63) & ~63);
-}
-
-/* copy 0-63 bytes */
-static void INLINE NO_SANITIZE_ALIGNMENT
-poly1305_block_copy(uint8_t *dst, const uint8_t *src, size_t bytes)
-{
- size_t offset = src - dst;
- if (bytes & 32) {
- _mm_storeu_si128((xmmi *)(dst + 0), _mm_loadu_si128((xmmi *)(dst + offset + 0)));
- _mm_storeu_si128((xmmi *)(dst + 16), _mm_loadu_si128((xmmi *)(dst + offset + 16)));
- dst += 32;
- }
- if (bytes & 16) {
- _mm_storeu_si128((xmmi *)dst, _mm_loadu_si128((xmmi *)(dst + offset)));
- dst += 16;
- }
- if (bytes & 8) {
- *(uint64_t *)dst = *(uint64_t *)(dst + offset);
- dst += 8;
- }
- if (bytes & 4) {
- *(uint32_t *)dst = *(uint32_t *)(dst + offset);
- dst += 4;
- }
- if (bytes & 2) {
- *(uint16_t *)dst = *(uint16_t *)(dst + offset);
- dst += 2;
- }
- if (bytes & 1) {
- *(uint8_t *)dst = *(uint8_t *)(dst + offset);
- }
-}
-
-/* zero 0-15 bytes */
-static void INLINE
-poly1305_block_zero(uint8_t *dst, size_t bytes)
-{
- if (bytes & 8) {
- *(uint64_t *)dst = 0;
- dst += 8;
- }
- if (bytes & 4) {
- *(uint32_t *)dst = 0;
- dst += 4;
- }
- if (bytes & 2) {
- *(uint16_t *)dst = 0;
- dst += 2;
- }
- if (bytes & 1) {
- *(uint8_t *)dst = 0;
- }
-}
-
-static size_t INLINE
-poly1305_min(size_t a, size_t b)
-{
- return (a < b) ? a : b;
-}
-
-void
-Poly1305Init(poly1305_state *state, const unsigned char key[32])
-{
- poly1305_state_internal *st = poly1305_aligned_state(state);
- poly1305_power *p;
- uint64_t r0, r1, r2;
- uint64_t t0, t1;
-
- /* clamp key */
- t0 = U8TO64_LE(key + 0);
- t1 = U8TO64_LE(key + 8);
- r0 = t0 & 0xffc0fffffff;
- t0 >>= 44;
- t0 |= t1 << 20;
- r1 = t0 & 0xfffffc0ffff;
- t1 >>= 24;
- r2 = t1 & 0x00ffffffc0f;
-
- /* store r in un-used space of st->P[1] */
- p = &st->P[1];
- p->R20.d[1] = (uint32_t)(r0);
- p->R20.d[3] = (uint32_t)(r0 >> 32);
- p->R21.d[1] = (uint32_t)(r1);
- p->R21.d[3] = (uint32_t)(r1 >> 32);
- p->R22.d[1] = (uint32_t)(r2);
- p->R22.d[3] = (uint32_t)(r2 >> 32);
-
- /* store pad */
- p->R23.d[1] = U8TO32_LE(key + 16);
- p->R23.d[3] = U8TO32_LE(key + 20);
- p->R24.d[1] = U8TO32_LE(key + 24);
- p->R24.d[3] = U8TO32_LE(key + 28);
-
- /* H = 0 */
- st->H[0] = _mm_setzero_si128();
- st->H[1] = _mm_setzero_si128();
- st->H[2] = _mm_setzero_si128();
- st->H[3] = _mm_setzero_si128();
- st->H[4] = _mm_setzero_si128();
-
- st->started = 0;
- st->leftover = 0;
-}
-
-static void
-poly1305_first_block(poly1305_state_internal *st, const uint8_t *m)
-{
- const xmmi MMASK = _mm_load_si128((xmmi *)poly1305_x64_sse2_message_mask);
- const xmmi FIVE = _mm_load_si128((xmmi *)poly1305_x64_sse2_5);
- const xmmi HIBIT = _mm_load_si128((xmmi *)poly1305_x64_sse2_1shl128);
- xmmi T5, T6;
- poly1305_power *p;
- uint128_t d[3];
- uint64_t r0, r1, r2;
- uint64_t r20, r21, r22, s22;
- uint64_t pad0, pad1;
- uint64_t c;
- uint64_t i;
-
- /* pull out stored info */
- p = &st->P[1];
-
- r0 = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];
- r1 = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1];
- r2 = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1];
- pad0 = ((uint64_t)p->R23.d[3] << 32) | (uint64_t)p->R23.d[1];
- pad1 = ((uint64_t)p->R24.d[3] << 32) | (uint64_t)p->R24.d[1];
-
- /* compute powers r^2,r^4 */
- r20 = r0;
- r21 = r1;
- r22 = r2;
- for (i = 0; i < 2; i++) {
- s22 = r22 * (5 << 2);
-
- d[0] = add128(mul64x64_128(r20, r20), mul64x64_128(r21 * 2, s22));
- d[1] = add128(mul64x64_128(r22, s22), mul64x64_128(r20 * 2, r21));
- d[2] = add128(mul64x64_128(r21, r21), mul64x64_128(r22 * 2, r20));
-
- r20 = lo128(d[0]) & 0xfffffffffff;
- c = shr128(d[0], 44);
- d[1] = add128_64(d[1], c);
- r21 = lo128(d[1]) & 0xfffffffffff;
- c = shr128(d[1], 44);
- d[2] = add128_64(d[2], c);
- r22 = lo128(d[2]) & 0x3ffffffffff;
- c = shr128(d[2], 42);
- r20 += c * 5;
- c = (r20 >> 44);
- r20 = r20 & 0xfffffffffff;
- r21 += c;
-
- p->R20.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)(r20)&0x3ffffff), _MM_SHUFFLE(1, 0, 1, 0));
- p->R21.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r20 >> 26) | (r21 << 18)) & 0x3ffffff), _MM_SHUFFLE(1, 0, 1, 0));
- p->R22.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r21 >> 8)) & 0x3ffffff), _MM_SHUFFLE(1, 0, 1, 0));
- p->R23.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r21 >> 34) | (r22 << 10)) & 0x3ffffff), _MM_SHUFFLE(1, 0, 1, 0));
- p->R24.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r22 >> 16))), _MM_SHUFFLE(1, 0, 1, 0));
- p->S21.v = _mm_mul_epu32(p->R21.v, FIVE);
- p->S22.v = _mm_mul_epu32(p->R22.v, FIVE);
- p->S23.v = _mm_mul_epu32(p->R23.v, FIVE);
- p->S24.v = _mm_mul_epu32(p->R24.v, FIVE);
- p--;
- }
-
- /* put saved info back */
- p = &st->P[1];
- p->R20.d[1] = (uint32_t)(r0);
- p->R20.d[3] = (uint32_t)(r0 >> 32);
- p->R21.d[1] = (uint32_t)(r1);
- p->R21.d[3] = (uint32_t)(r1 >> 32);
- p->R22.d[1] = (uint32_t)(r2);
- p->R22.d[3] = (uint32_t)(r2 >> 32);
- p->R23.d[1] = (uint32_t)(pad0);
- p->R23.d[3] = (uint32_t)(pad0 >> 32);
- p->R24.d[1] = (uint32_t)(pad1);
- p->R24.d[3] = (uint32_t)(pad1 >> 32);
-
- /* H = [Mx,My] */
- T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 0)), _mm_loadl_epi64((xmmi *)(m + 16)));
- T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 8)), _mm_loadl_epi64((xmmi *)(m + 24)));
- st->H[0] = _mm_and_si128(MMASK, T5);
- st->H[1] = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
- T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));
- st->H[2] = _mm_and_si128(MMASK, T5);
- st->H[3] = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
- st->H[4] = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);
-}
-
-static void
-poly1305_blocks(poly1305_state_internal *st, const uint8_t *m, size_t bytes)
-{
- const xmmi MMASK = _mm_load_si128((xmmi *)poly1305_x64_sse2_message_mask);
- const xmmi FIVE = _mm_load_si128((xmmi *)poly1305_x64_sse2_5);
- const xmmi HIBIT = _mm_load_si128((xmmi *)poly1305_x64_sse2_1shl128);
-
- poly1305_power *p;
- xmmi H0, H1, H2, H3, H4;
- xmmi T0, T1, T2, T3, T4, T5, T6;
- xmmi M0, M1, M2, M3, M4;
- xmmi C1, C2;
-
- H0 = st->H[0];
- H1 = st->H[1];
- H2 = st->H[2];
- H3 = st->H[3];
- H4 = st->H[4];
-
- while (bytes >= 64) {
- /* H *= [r^4,r^4] */
- p = &st->P[0];
- T0 = _mm_mul_epu32(H0, p->R20.v);
- T1 = _mm_mul_epu32(H0, p->R21.v);
- T2 = _mm_mul_epu32(H0, p->R22.v);
- T3 = _mm_mul_epu32(H0, p->R23.v);
- T4 = _mm_mul_epu32(H0, p->R24.v);
- T5 = _mm_mul_epu32(H1, p->S24.v);
- T6 = _mm_mul_epu32(H1, p->R20.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(H2, p->S23.v);
- T6 = _mm_mul_epu32(H2, p->S24.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(H3, p->S22.v);
- T6 = _mm_mul_epu32(H3, p->S23.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(H4, p->S21.v);
- T6 = _mm_mul_epu32(H4, p->S22.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(H1, p->R21.v);
- T6 = _mm_mul_epu32(H1, p->R22.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(H2, p->R20.v);
- T6 = _mm_mul_epu32(H2, p->R21.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(H3, p->S24.v);
- T6 = _mm_mul_epu32(H3, p->R20.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(H4, p->S23.v);
- T6 = _mm_mul_epu32(H4, p->S24.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(H1, p->R23.v);
- T4 = _mm_add_epi64(T4, T5);
- T5 = _mm_mul_epu32(H2, p->R22.v);
- T4 = _mm_add_epi64(T4, T5);
- T5 = _mm_mul_epu32(H3, p->R21.v);
- T4 = _mm_add_epi64(T4, T5);
- T5 = _mm_mul_epu32(H4, p->R20.v);
- T4 = _mm_add_epi64(T4, T5);
-
- /* H += [Mx,My]*[r^2,r^2] */
- T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 0)), _mm_loadl_epi64((xmmi *)(m + 16)));
- T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 8)), _mm_loadl_epi64((xmmi *)(m + 24)));
- M0 = _mm_and_si128(MMASK, T5);
- M1 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
- T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));
- M2 = _mm_and_si128(MMASK, T5);
- M3 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
- M4 = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);
-
- p = &st->P[1];
- T5 = _mm_mul_epu32(M0, p->R20.v);
- T6 = _mm_mul_epu32(M0, p->R21.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(M1, p->S24.v);
- T6 = _mm_mul_epu32(M1, p->R20.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(M2, p->S23.v);
- T6 = _mm_mul_epu32(M2, p->S24.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(M3, p->S22.v);
- T6 = _mm_mul_epu32(M3, p->S23.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(M4, p->S21.v);
- T6 = _mm_mul_epu32(M4, p->S22.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(M0, p->R22.v);
- T6 = _mm_mul_epu32(M0, p->R23.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(M1, p->R21.v);
- T6 = _mm_mul_epu32(M1, p->R22.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(M2, p->R20.v);
- T6 = _mm_mul_epu32(M2, p->R21.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(M3, p->S24.v);
- T6 = _mm_mul_epu32(M3, p->R20.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(M4, p->S23.v);
- T6 = _mm_mul_epu32(M4, p->S24.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(M0, p->R24.v);
- T4 = _mm_add_epi64(T4, T5);
- T5 = _mm_mul_epu32(M1, p->R23.v);
- T4 = _mm_add_epi64(T4, T5);
- T5 = _mm_mul_epu32(M2, p->R22.v);
- T4 = _mm_add_epi64(T4, T5);
- T5 = _mm_mul_epu32(M3, p->R21.v);
- T4 = _mm_add_epi64(T4, T5);
- T5 = _mm_mul_epu32(M4, p->R20.v);
- T4 = _mm_add_epi64(T4, T5);
-
- /* H += [Mx,My] */
- T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 32)), _mm_loadl_epi64((xmmi *)(m + 48)));
- T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 40)), _mm_loadl_epi64((xmmi *)(m + 56)));
- M0 = _mm_and_si128(MMASK, T5);
- M1 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
- T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));
- M2 = _mm_and_si128(MMASK, T5);
- M3 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
- M4 = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);
-
- T0 = _mm_add_epi64(T0, M0);
- T1 = _mm_add_epi64(T1, M1);
- T2 = _mm_add_epi64(T2, M2);
- T3 = _mm_add_epi64(T3, M3);
- T4 = _mm_add_epi64(T4, M4);
-
- /* reduce */
- C1 = _mm_srli_epi64(T0, 26);
- C2 = _mm_srli_epi64(T3, 26);
- T0 = _mm_and_si128(T0, MMASK);
- T3 = _mm_and_si128(T3, MMASK);
- T1 = _mm_add_epi64(T1, C1);
- T4 = _mm_add_epi64(T4, C2);
- C1 = _mm_srli_epi64(T1, 26);
- C2 = _mm_srli_epi64(T4, 26);
- T1 = _mm_and_si128(T1, MMASK);
- T4 = _mm_and_si128(T4, MMASK);
- T2 = _mm_add_epi64(T2, C1);
- T0 = _mm_add_epi64(T0, _mm_mul_epu32(C2, FIVE));
- C1 = _mm_srli_epi64(T2, 26);
- C2 = _mm_srli_epi64(T0, 26);
- T2 = _mm_and_si128(T2, MMASK);
- T0 = _mm_and_si128(T0, MMASK);
- T3 = _mm_add_epi64(T3, C1);
- T1 = _mm_add_epi64(T1, C2);
- C1 = _mm_srli_epi64(T3, 26);
- T3 = _mm_and_si128(T3, MMASK);
- T4 = _mm_add_epi64(T4, C1);
-
- /* H = (H*[r^4,r^4] + [Mx,My]*[r^2,r^2] + [Mx,My]) */
- H0 = T0;
- H1 = T1;
- H2 = T2;
- H3 = T3;
- H4 = T4;
-
- m += 64;
- bytes -= 64;
- }
-
- st->H[0] = H0;
- st->H[1] = H1;
- st->H[2] = H2;
- st->H[3] = H3;
- st->H[4] = H4;
-}
-
-static size_t
-poly1305_combine(poly1305_state_internal *st, const uint8_t *m, size_t bytes)
-{
- const xmmi MMASK = _mm_load_si128((xmmi *)poly1305_x64_sse2_message_mask);
- const xmmi HIBIT = _mm_load_si128((xmmi *)poly1305_x64_sse2_1shl128);
- const xmmi FIVE = _mm_load_si128((xmmi *)poly1305_x64_sse2_5);
-
- poly1305_power *p;
- xmmi H0, H1, H2, H3, H4;
- xmmi M0, M1, M2, M3, M4;
- xmmi T0, T1, T2, T3, T4, T5, T6;
- xmmi C1, C2;
-
- uint64_t r0, r1, r2;
- uint64_t t0, t1, t2, t3, t4;
- uint64_t c;
- size_t consumed = 0;
-
- H0 = st->H[0];
- H1 = st->H[1];
- H2 = st->H[2];
- H3 = st->H[3];
- H4 = st->H[4];
-
- /* p = [r^2,r^2] */
- p = &st->P[1];
-
- if (bytes >= 32) {
- /* H *= [r^2,r^2] */
- T0 = _mm_mul_epu32(H0, p->R20.v);
- T1 = _mm_mul_epu32(H0, p->R21.v);
- T2 = _mm_mul_epu32(H0, p->R22.v);
- T3 = _mm_mul_epu32(H0, p->R23.v);
- T4 = _mm_mul_epu32(H0, p->R24.v);
- T5 = _mm_mul_epu32(H1, p->S24.v);
- T6 = _mm_mul_epu32(H1, p->R20.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(H2, p->S23.v);
- T6 = _mm_mul_epu32(H2, p->S24.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(H3, p->S22.v);
- T6 = _mm_mul_epu32(H3, p->S23.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(H4, p->S21.v);
- T6 = _mm_mul_epu32(H4, p->S22.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(H1, p->R21.v);
- T6 = _mm_mul_epu32(H1, p->R22.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(H2, p->R20.v);
- T6 = _mm_mul_epu32(H2, p->R21.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(H3, p->S24.v);
- T6 = _mm_mul_epu32(H3, p->R20.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(H4, p->S23.v);
- T6 = _mm_mul_epu32(H4, p->S24.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(H1, p->R23.v);
- T4 = _mm_add_epi64(T4, T5);
- T5 = _mm_mul_epu32(H2, p->R22.v);
- T4 = _mm_add_epi64(T4, T5);
- T5 = _mm_mul_epu32(H3, p->R21.v);
- T4 = _mm_add_epi64(T4, T5);
- T5 = _mm_mul_epu32(H4, p->R20.v);
- T4 = _mm_add_epi64(T4, T5);
-
- /* H += [Mx,My] */
- T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 0)), _mm_loadl_epi64((xmmi *)(m + 16)));
- T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((xmmi *)(m + 8)), _mm_loadl_epi64((xmmi *)(m + 24)));
- M0 = _mm_and_si128(MMASK, T5);
- M1 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
- T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));
- M2 = _mm_and_si128(MMASK, T5);
- M3 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));
- M4 = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);
-
- T0 = _mm_add_epi64(T0, M0);
- T1 = _mm_add_epi64(T1, M1);
- T2 = _mm_add_epi64(T2, M2);
- T3 = _mm_add_epi64(T3, M3);
- T4 = _mm_add_epi64(T4, M4);
-
- /* reduce */
- C1 = _mm_srli_epi64(T0, 26);
- C2 = _mm_srli_epi64(T3, 26);
- T0 = _mm_and_si128(T0, MMASK);
- T3 = _mm_and_si128(T3, MMASK);
- T1 = _mm_add_epi64(T1, C1);
- T4 = _mm_add_epi64(T4, C2);
- C1 = _mm_srli_epi64(T1, 26);
- C2 = _mm_srli_epi64(T4, 26);
- T1 = _mm_and_si128(T1, MMASK);
- T4 = _mm_and_si128(T4, MMASK);
- T2 = _mm_add_epi64(T2, C1);
- T0 = _mm_add_epi64(T0, _mm_mul_epu32(C2, FIVE));
- C1 = _mm_srli_epi64(T2, 26);
- C2 = _mm_srli_epi64(T0, 26);
- T2 = _mm_and_si128(T2, MMASK);
- T0 = _mm_and_si128(T0, MMASK);
- T3 = _mm_add_epi64(T3, C1);
- T1 = _mm_add_epi64(T1, C2);
- C1 = _mm_srli_epi64(T3, 26);
- T3 = _mm_and_si128(T3, MMASK);
- T4 = _mm_add_epi64(T4, C1);
-
- /* H = (H*[r^2,r^2] + [Mx,My]) */
- H0 = T0;
- H1 = T1;
- H2 = T2;
- H3 = T3;
- H4 = T4;
-
- consumed = 32;
- }
-
- /* finalize, H *= [r^2,r] */
- r0 = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];
- r1 = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1];
- r2 = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1];
-
- p->R20.d[2] = (uint32_t)(r0)&0x3ffffff;
- p->R21.d[2] = (uint32_t)((r0 >> 26) | (r1 << 18)) & 0x3ffffff;
- p->R22.d[2] = (uint32_t)((r1 >> 8)) & 0x3ffffff;
- p->R23.d[2] = (uint32_t)((r1 >> 34) | (r2 << 10)) & 0x3ffffff;
- p->R24.d[2] = (uint32_t)((r2 >> 16));
- p->S21.d[2] = p->R21.d[2] * 5;
- p->S22.d[2] = p->R22.d[2] * 5;
- p->S23.d[2] = p->R23.d[2] * 5;
- p->S24.d[2] = p->R24.d[2] * 5;
-
- /* H *= [r^2,r] */
- T0 = _mm_mul_epu32(H0, p->R20.v);
- T1 = _mm_mul_epu32(H0, p->R21.v);
- T2 = _mm_mul_epu32(H0, p->R22.v);
- T3 = _mm_mul_epu32(H0, p->R23.v);
- T4 = _mm_mul_epu32(H0, p->R24.v);
- T5 = _mm_mul_epu32(H1, p->S24.v);
- T6 = _mm_mul_epu32(H1, p->R20.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(H2, p->S23.v);
- T6 = _mm_mul_epu32(H2, p->S24.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(H3, p->S22.v);
- T6 = _mm_mul_epu32(H3, p->S23.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(H4, p->S21.v);
- T6 = _mm_mul_epu32(H4, p->S22.v);
- T0 = _mm_add_epi64(T0, T5);
- T1 = _mm_add_epi64(T1, T6);
- T5 = _mm_mul_epu32(H1, p->R21.v);
- T6 = _mm_mul_epu32(H1, p->R22.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(H2, p->R20.v);
- T6 = _mm_mul_epu32(H2, p->R21.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(H3, p->S24.v);
- T6 = _mm_mul_epu32(H3, p->R20.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(H4, p->S23.v);
- T6 = _mm_mul_epu32(H4, p->S24.v);
- T2 = _mm_add_epi64(T2, T5);
- T3 = _mm_add_epi64(T3, T6);
- T5 = _mm_mul_epu32(H1, p->R23.v);
- T4 = _mm_add_epi64(T4, T5);
- T5 = _mm_mul_epu32(H2, p->R22.v);
- T4 = _mm_add_epi64(T4, T5);
- T5 = _mm_mul_epu32(H3, p->R21.v);
- T4 = _mm_add_epi64(T4, T5);
- T5 = _mm_mul_epu32(H4, p->R20.v);
- T4 = _mm_add_epi64(T4, T5);
-
- C1 = _mm_srli_epi64(T0, 26);
- C2 = _mm_srli_epi64(T3, 26);
- T0 = _mm_and_si128(T0, MMASK);
- T3 = _mm_and_si128(T3, MMASK);
- T1 = _mm_add_epi64(T1, C1);
- T4 = _mm_add_epi64(T4, C2);
- C1 = _mm_srli_epi64(T1, 26);
- C2 = _mm_srli_epi64(T4, 26);
- T1 = _mm_and_si128(T1, MMASK);
- T4 = _mm_and_si128(T4, MMASK);
- T2 = _mm_add_epi64(T2, C1);
- T0 = _mm_add_epi64(T0, _mm_mul_epu32(C2, FIVE));
- C1 = _mm_srli_epi64(T2, 26);
- C2 = _mm_srli_epi64(T0, 26);
- T2 = _mm_and_si128(T2, MMASK);
- T0 = _mm_and_si128(T0, MMASK);
- T3 = _mm_add_epi64(T3, C1);
- T1 = _mm_add_epi64(T1, C2);
- C1 = _mm_srli_epi64(T3, 26);
- T3 = _mm_and_si128(T3, MMASK);
- T4 = _mm_add_epi64(T4, C1);
-
- /* H = H[0]+H[1] */
- H0 = _mm_add_epi64(T0, _mm_srli_si128(T0, 8));
- H1 = _mm_add_epi64(T1, _mm_srli_si128(T1, 8));
- H2 = _mm_add_epi64(T2, _mm_srli_si128(T2, 8));
- H3 = _mm_add_epi64(T3, _mm_srli_si128(T3, 8));
- H4 = _mm_add_epi64(T4, _mm_srli_si128(T4, 8));
-
- t0 = _mm_cvtsi128_si32(H0);
- c = (t0 >> 26);
- t0 &= 0x3ffffff;
- t1 = _mm_cvtsi128_si32(H1) + c;
- c = (t1 >> 26);
- t1 &= 0x3ffffff;
- t2 = _mm_cvtsi128_si32(H2) + c;
- c = (t2 >> 26);
- t2 &= 0x3ffffff;
- t3 = _mm_cvtsi128_si32(H3) + c;
- c = (t3 >> 26);
- t3 &= 0x3ffffff;
- t4 = _mm_cvtsi128_si32(H4) + c;
- c = (t4 >> 26);
- t4 &= 0x3ffffff;
- t0 = t0 + (c * 5);
- c = (t0 >> 26);
- t0 &= 0x3ffffff;
- t1 = t1 + c;
-
- st->HH[0] = ((t0) | (t1 << 26)) & 0xfffffffffffull;
- st->HH[1] = ((t1 >> 18) | (t2 << 8) | (t3 << 34)) & 0xfffffffffffull;
- st->HH[2] = ((t3 >> 10) | (t4 << 16)) & 0x3ffffffffffull;
-
- return consumed;
-}
-
-void
-Poly1305Update(poly1305_state *state, const unsigned char *m, size_t bytes)
-{
- poly1305_state_internal *st = poly1305_aligned_state(state);
- size_t want;
-
- /* need at least 32 initial bytes to start the accelerated branch */
- if (!st->started) {
- if ((st->leftover == 0) && (bytes > 32)) {
- poly1305_first_block(st, m);
- m += 32;
- bytes -= 32;
- } else {
- want = poly1305_min(32 - st->leftover, bytes);
- poly1305_block_copy(st->buffer + st->leftover, m, want);
- bytes -= want;
- m += want;
- st->leftover += want;
- if ((st->leftover < 32) || (bytes == 0))
- return;
- poly1305_first_block(st, st->buffer);
- st->leftover = 0;
- }
- st->started = 1;
- }
-
- /* handle leftover */
- if (st->leftover) {
- want = poly1305_min(64 - st->leftover, bytes);
- poly1305_block_copy(st->buffer + st->leftover, m, want);
- bytes -= want;
- m += want;
- st->leftover += want;
- if (st->leftover < 64)
- return;
- poly1305_blocks(st, st->buffer, 64);
- st->leftover = 0;
- }
-
- /* process 64 byte blocks */
- if (bytes >= 64) {
- want = (bytes & ~63);
- poly1305_blocks(st, m, want);
- m += want;
- bytes -= want;
- }
-
- if (bytes) {
- poly1305_block_copy(st->buffer + st->leftover, m, bytes);
- st->leftover += bytes;
- }
-}
-
-void
-Poly1305Finish(poly1305_state *state, unsigned char mac[16])
-{
- poly1305_state_internal *st = poly1305_aligned_state(state);
- size_t leftover = st->leftover;
- uint8_t *m = st->buffer;
- uint128_t d[3];
- uint64_t h0, h1, h2;
- uint64_t t0, t1;
- uint64_t g0, g1, g2, c, nc;
- uint64_t r0, r1, r2, s1, s2;
- poly1305_power *p;
-
- if (st->started) {
- size_t consumed = poly1305_combine(st, m, leftover);
- leftover -= consumed;
- m += consumed;
- }
-
- /* st->HH will either be 0 or have the combined result */
- h0 = st->HH[0];
- h1 = st->HH[1];
- h2 = st->HH[2];
-
- p = &st->P[1];
- r0 = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];
- r1 = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1];
- r2 = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1];
- s1 = r1 * (5 << 2);
- s2 = r2 * (5 << 2);
-
- if (leftover < 16)
- goto poly1305_donna_atmost15bytes;
-
-poly1305_donna_atleast16bytes:
- t0 = U8TO64_LE(m + 0);
- t1 = U8TO64_LE(m + 8);
- h0 += t0 & 0xfffffffffff;
- t0 = shr128_pair(t1, t0, 44);
- h1 += t0 & 0xfffffffffff;
- h2 += (t1 >> 24) | ((uint64_t)1 << 40);
-
-poly1305_donna_mul:
- d[0] = add128(add128(mul64x64_128(h0, r0), mul64x64_128(h1, s2)), mul64x64_128(h2, s1));
- d[1] = add128(add128(mul64x64_128(h0, r1), mul64x64_128(h1, r0)), mul64x64_128(h2, s2));
- d[2] = add128(add128(mul64x64_128(h0, r2), mul64x64_128(h1, r1)), mul64x64_128(h2, r0));
- h0 = lo128(d[0]) & 0xfffffffffff;
- c = shr128(d[0], 44);
- d[1] = add128_64(d[1], c);
- h1 = lo128(d[1]) & 0xfffffffffff;
- c = shr128(d[1], 44);
- d[2] = add128_64(d[2], c);
- h2 = lo128(d[2]) & 0x3ffffffffff;
- c = shr128(d[2], 42);
- h0 += c * 5;
-
- m += 16;
- leftover -= 16;
- if (leftover >= 16)
- goto poly1305_donna_atleast16bytes;
-
-/* final bytes */
-poly1305_donna_atmost15bytes:
- if (!leftover)
- goto poly1305_donna_finish;
-
- m[leftover++] = 1;
- poly1305_block_zero(m + leftover, 16 - leftover);
- leftover = 16;
-
- t0 = U8TO64_LE(m + 0);
- t1 = U8TO64_LE(m + 8);
- h0 += t0 & 0xfffffffffff;
- t0 = shr128_pair(t1, t0, 44);
- h1 += t0 & 0xfffffffffff;
- h2 += (t1 >> 24);
-
- goto poly1305_donna_mul;
-
-poly1305_donna_finish:
- c = (h0 >> 44);
- h0 &= 0xfffffffffff;
- h1 += c;
- c = (h1 >> 44);
- h1 &= 0xfffffffffff;
- h2 += c;
- c = (h2 >> 42);
- h2 &= 0x3ffffffffff;
- h0 += c * 5;
-
- g0 = h0 + 5;
- c = (g0 >> 44);
- g0 &= 0xfffffffffff;
- g1 = h1 + c;
- c = (g1 >> 44);
- g1 &= 0xfffffffffff;
- g2 = h2 + c - ((uint64_t)1 << 42);
-
- c = (g2 >> 63) - 1;
- nc = ~c;
- h0 = (h0 & nc) | (g0 & c);
- h1 = (h1 & nc) | (g1 & c);
- h2 = (h2 & nc) | (g2 & c);
-
- /* pad */
- t0 = ((uint64_t)p->R23.d[3] << 32) | (uint64_t)p->R23.d[1];
- t1 = ((uint64_t)p->R24.d[3] << 32) | (uint64_t)p->R24.d[1];
- h0 += (t0 & 0xfffffffffff);
- c = (h0 >> 44);
- h0 &= 0xfffffffffff;
- t0 = shr128_pair(t1, t0, 44);
- h1 += (t0 & 0xfffffffffff) + c;
- c = (h1 >> 44);
- h1 &= 0xfffffffffff;
- t1 = (t1 >> 24);
- h2 += (t1) + c;
-
- U64TO8_LE(mac + 0, ((h0) | (h1 << 44)));
- U64TO8_LE(mac + 8, ((h1 >> 20) | (h2 << 24)));
-}
diff --git a/security/nss/lib/freebl/poly1305.c b/security/nss/lib/freebl/poly1305.c
deleted file mode 100644
index eb3e3cd55c..0000000000
--- a/security/nss/lib/freebl/poly1305.c
+++ /dev/null
@@ -1,314 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-/* This implementation of poly1305 is by Andrew Moon
- * (https://github.com/floodyberry/poly1305-donna) and released as public
- * domain. */
-
-#include <string.h>
-
-#include "poly1305.h"
-
-#if defined(_MSC_VER) && _MSC_VER < 1600
-#include "prtypes.h"
-typedef PRUint32 uint32_t;
-typedef PRUint64 uint64_t;
-#else
-#include <stdint.h>
-#endif
-
-#if defined(NSS_X86) || defined(NSS_X64)
-/* We can assume little-endian. */
-static uint32_t
-U8TO32_LE(const unsigned char *m)
-{
- uint32_t r;
- memcpy(&r, m, sizeof(r));
- return r;
-}
-
-static void
-U32TO8_LE(unsigned char *m, uint32_t v)
-{
- memcpy(m, &v, sizeof(v));
-}
-#else
-static uint32_t
-U8TO32_LE(const unsigned char *m)
-{
- return (uint32_t)m[0] |
- (uint32_t)m[1] << 8 |
- (uint32_t)m[2] << 16 |
- (uint32_t)m[3] << 24;
-}
-
-static void
-U32TO8_LE(unsigned char *m, uint32_t v)
-{
- m[0] = v;
- m[1] = v >> 8;
- m[2] = v >> 16;
- m[3] = v >> 24;
-}
-#endif
-
-static uint64_t
-mul32x32_64(uint32_t a, uint32_t b)
-{
- return (uint64_t)a * b;
-}
-
-struct poly1305_state_st {
- uint32_t r0, r1, r2, r3, r4;
- uint32_t s1, s2, s3, s4;
- uint32_t h0, h1, h2, h3, h4;
- unsigned char buf[16];
- unsigned int buf_used;
- unsigned char key[16];
-};
-
-/* update updates |state| given some amount of input data. This function may
- * only be called with a |len| that is not a multiple of 16 at the end of the
- * data. Otherwise the input must be buffered into 16 byte blocks. */
-static void
-update(struct poly1305_state_st *state, const unsigned char *in,
- size_t len)
-{
- uint32_t t0, t1, t2, t3;
- uint64_t t[5];
- uint32_t b;
- uint64_t c;
- size_t j;
- unsigned char mp[16];
-
- if (len < 16)
- goto poly1305_donna_atmost15bytes;
-
-poly1305_donna_16bytes:
- t0 = U8TO32_LE(in);
- t1 = U8TO32_LE(in + 4);
- t2 = U8TO32_LE(in + 8);
- t3 = U8TO32_LE(in + 12);
-
- in += 16;
- len -= 16;
-
- state->h0 += t0 & 0x3ffffff;
- state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
- state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
- state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
- state->h4 += (t3 >> 8) | (1 << 24);
-
-poly1305_donna_mul:
- t[0] = mul32x32_64(state->h0, state->r0) +
- mul32x32_64(state->h1, state->s4) +
- mul32x32_64(state->h2, state->s3) +
- mul32x32_64(state->h3, state->s2) +
- mul32x32_64(state->h4, state->s1);
- t[1] = mul32x32_64(state->h0, state->r1) +
- mul32x32_64(state->h1, state->r0) +
- mul32x32_64(state->h2, state->s4) +
- mul32x32_64(state->h3, state->s3) +
- mul32x32_64(state->h4, state->s2);
- t[2] = mul32x32_64(state->h0, state->r2) +
- mul32x32_64(state->h1, state->r1) +
- mul32x32_64(state->h2, state->r0) +
- mul32x32_64(state->h3, state->s4) +
- mul32x32_64(state->h4, state->s3);
- t[3] = mul32x32_64(state->h0, state->r3) +
- mul32x32_64(state->h1, state->r2) +
- mul32x32_64(state->h2, state->r1) +
- mul32x32_64(state->h3, state->r0) +
- mul32x32_64(state->h4, state->s4);
- t[4] = mul32x32_64(state->h0, state->r4) +
- mul32x32_64(state->h1, state->r3) +
- mul32x32_64(state->h2, state->r2) +
- mul32x32_64(state->h3, state->r1) +
- mul32x32_64(state->h4, state->r0);
-
- state->h0 = (uint32_t)t[0] & 0x3ffffff;
- c = (t[0] >> 26);
- t[1] += c;
- state->h1 = (uint32_t)t[1] & 0x3ffffff;
- b = (uint32_t)(t[1] >> 26);
- t[2] += b;
- state->h2 = (uint32_t)t[2] & 0x3ffffff;
- b = (uint32_t)(t[2] >> 26);
- t[3] += b;
- state->h3 = (uint32_t)t[3] & 0x3ffffff;
- b = (uint32_t)(t[3] >> 26);
- t[4] += b;
- state->h4 = (uint32_t)t[4] & 0x3ffffff;
- b = (uint32_t)(t[4] >> 26);
- state->h0 += b * 5;
-
- if (len >= 16)
- goto poly1305_donna_16bytes;
-
-/* final bytes */
-poly1305_donna_atmost15bytes:
- if (!len)
- return;
-
- for (j = 0; j < len; j++)
- mp[j] = in[j];
- mp[j++] = 1;
- for (; j < 16; j++)
- mp[j] = 0;
- len = 0;
-
- t0 = U8TO32_LE(mp + 0);
- t1 = U8TO32_LE(mp + 4);
- t2 = U8TO32_LE(mp + 8);
- t3 = U8TO32_LE(mp + 12);
-
- state->h0 += t0 & 0x3ffffff;
- state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
- state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
- state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
- state->h4 += (t3 >> 8);
-
- goto poly1305_donna_mul;
-}
-
-void
-Poly1305Init(poly1305_state *statep, const unsigned char key[32])
-{
- struct poly1305_state_st *state = (struct poly1305_state_st *)statep;
- uint32_t t0, t1, t2, t3;
-
- t0 = U8TO32_LE(key + 0);
- t1 = U8TO32_LE(key + 4);
- t2 = U8TO32_LE(key + 8);
- t3 = U8TO32_LE(key + 12);
-
- /* precompute multipliers */
- state->r0 = t0 & 0x3ffffff;
- t0 >>= 26;
- t0 |= t1 << 6;
- state->r1 = t0 & 0x3ffff03;
- t1 >>= 20;
- t1 |= t2 << 12;
- state->r2 = t1 & 0x3ffc0ff;
- t2 >>= 14;
- t2 |= t3 << 18;
- state->r3 = t2 & 0x3f03fff;
- t3 >>= 8;
- state->r4 = t3 & 0x00fffff;
-
- state->s1 = state->r1 * 5;
- state->s2 = state->r2 * 5;
- state->s3 = state->r3 * 5;
- state->s4 = state->r4 * 5;
-
- /* init state */
- state->h0 = 0;
- state->h1 = 0;
- state->h2 = 0;
- state->h3 = 0;
- state->h4 = 0;
-
- state->buf_used = 0;
- memcpy(state->key, key + 16, sizeof(state->key));
-}
-
-void
-Poly1305Update(poly1305_state *statep, const unsigned char *in,
- size_t in_len)
-{
- unsigned int i;
- struct poly1305_state_st *state = (struct poly1305_state_st *)statep;
-
- if (state->buf_used) {
- unsigned int todo = 16 - state->buf_used;
- if (todo > in_len)
- todo = in_len;
- for (i = 0; i < todo; i++)
- state->buf[state->buf_used + i] = in[i];
- state->buf_used += todo;
- in_len -= todo;
- in += todo;
-
- if (state->buf_used == 16) {
- update(state, state->buf, 16);
- state->buf_used = 0;
- }
- }
-
- if (in_len >= 16) {
- size_t todo = in_len & ~0xf;
- update(state, in, todo);
- in += todo;
- in_len &= 0xf;
- }
-
- if (in_len) {
- for (i = 0; i < in_len; i++)
- state->buf[i] = in[i];
- state->buf_used = in_len;
- }
-}
-
-void
-Poly1305Finish(poly1305_state *statep, unsigned char mac[16])
-{
- struct poly1305_state_st *state = (struct poly1305_state_st *)statep;
- uint64_t f0, f1, f2, f3;
- uint32_t g0, g1, g2, g3, g4;
- uint32_t b, nb;
-
- if (state->buf_used)
- update(state, state->buf, state->buf_used);
-
- b = state->h0 >> 26;
- state->h0 = state->h0 & 0x3ffffff;
- state->h1 += b;
- b = state->h1 >> 26;
- state->h1 = state->h1 & 0x3ffffff;
- state->h2 += b;
- b = state->h2 >> 26;
- state->h2 = state->h2 & 0x3ffffff;
- state->h3 += b;
- b = state->h3 >> 26;
- state->h3 = state->h3 & 0x3ffffff;
- state->h4 += b;
- b = state->h4 >> 26;
- state->h4 = state->h4 & 0x3ffffff;
- state->h0 += b * 5;
-
- g0 = state->h0 + 5;
- b = g0 >> 26;
- g0 &= 0x3ffffff;
- g1 = state->h1 + b;
- b = g1 >> 26;
- g1 &= 0x3ffffff;
- g2 = state->h2 + b;
- b = g2 >> 26;
- g2 &= 0x3ffffff;
- g3 = state->h3 + b;
- b = g3 >> 26;
- g3 &= 0x3ffffff;
- g4 = state->h4 + b - (1 << 26);
-
- b = (g4 >> 31) - 1;
- nb = ~b;
- state->h0 = (state->h0 & nb) | (g0 & b);
- state->h1 = (state->h1 & nb) | (g1 & b);
- state->h2 = (state->h2 & nb) | (g2 & b);
- state->h3 = (state->h3 & nb) | (g3 & b);
- state->h4 = (state->h4 & nb) | (g4 & b);
-
- f0 = ((state->h0) | (state->h1 << 26)) + (uint64_t)U8TO32_LE(&state->key[0]);
- f1 = ((state->h1 >> 6) | (state->h2 << 20)) + (uint64_t)U8TO32_LE(&state->key[4]);
- f2 = ((state->h2 >> 12) | (state->h3 << 14)) + (uint64_t)U8TO32_LE(&state->key[8]);
- f3 = ((state->h3 >> 18) | (state->h4 << 8)) + (uint64_t)U8TO32_LE(&state->key[12]);
-
- U32TO8_LE(&mac[0], (uint32_t)f0);
- f1 += (f0 >> 32);
- U32TO8_LE(&mac[4], (uint32_t)f1);
- f2 += (f1 >> 32);
- U32TO8_LE(&mac[8], (uint32_t)f2);
- f3 += (f2 >> 32);
- U32TO8_LE(&mac[12], (uint32_t)f3);
-}
diff --git a/security/nss/lib/freebl/poly1305.h b/security/nss/lib/freebl/poly1305.h
deleted file mode 100644
index 125f49b3ba..0000000000
--- a/security/nss/lib/freebl/poly1305.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * poly1305.h - header file for Poly1305 implementation.
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef FREEBL_POLY1305_H_
-#define FREEBL_POLY1305_H_
-
-#include "stddef.h"
-
-typedef unsigned char poly1305_state[512];
-
-/* Poly1305Init sets up |state| so that it can be used to calculate an
- * authentication tag with the one-time key |key|. Note that |key| is a
- * one-time key and therefore there is no `reset' method because that would
- * enable several messages to be authenticated with the same key. */
-extern void Poly1305Init(poly1305_state* state, const unsigned char key[32]);
-
-/* Poly1305Update processes |in_len| bytes from |in|. It can be called zero or
- * more times after poly1305_init. */
-extern void Poly1305Update(poly1305_state* state, const unsigned char* in,
- size_t inLen);
-
-/* Poly1305Finish completes the poly1305 calculation and writes a 16 byte
- * authentication tag to |mac|. */
-extern void Poly1305Finish(poly1305_state* state, unsigned char mac[16]);
-
-#endif /* FREEBL_POLY1305_H_ */
diff --git a/security/nss/lib/freebl/unix_urandom.c b/security/nss/lib/freebl/unix_urandom.c
index 25e6ad91cf..869a5ed8cc 100644
--- a/security/nss/lib/freebl/unix_urandom.c
+++ b/security/nss/lib/freebl/unix_urandom.c
@@ -4,10 +4,14 @@
#include <fcntl.h>
#include <unistd.h>
+#include <errno.h>
#include "secerr.h"
#include "secrng.h"
#include "prprf.h"
+/* syscall getentropy() is limited to retrieving 256 bytes */
+#define GETENTROPY_MAX_BYTES 256
+
void
RNG_SystemInfoForRNG(void)
{
@@ -28,6 +32,35 @@ RNG_SystemRNG(void *dest, size_t maxLen)
size_t fileBytes = 0;
unsigned char *buffer = dest;
+#if defined(__OpenBSD__) || (defined(LINUX) && defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25))))
+ int result;
+
+ while (fileBytes < maxLen) {
+ size_t getBytes = maxLen - fileBytes;
+ if (getBytes > GETENTROPY_MAX_BYTES) {
+ getBytes = GETENTROPY_MAX_BYTES;
+ }
+ result = getentropy(buffer, getBytes);
+ if (result == 0) { /* success */
+ fileBytes += getBytes;
+ buffer += getBytes;
+ } else {
+ break;
+ }
+ }
+ if (fileBytes == maxLen) { /* success */
+ return maxLen;
+ }
+ /* If we failed with an error other than ENOSYS, it means the destination
+ * buffer is not writeable. We don't need to try writing to it again. */
+ if (errno != ENOSYS) {
+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
+ return 0;
+ }
+ /* ENOSYS means the kernel doesn't support getentropy()/getrandom().
+ * Reset the number of bytes to get and fall back to /dev/urandom. */
+ fileBytes = 0;
+#endif
fd = open("/dev/urandom", O_RDONLY);
if (fd < 0) {
PORT_SetError(SEC_ERROR_NEED_RANDOM);
diff --git a/security/nss/lib/freebl/verified/Hacl_Poly1305_32.c b/security/nss/lib/freebl/verified/Hacl_Poly1305_32.c
new file mode 100644
index 0000000000..246a41af39
--- /dev/null
+++ b/security/nss/lib/freebl/verified/Hacl_Poly1305_32.c
@@ -0,0 +1,578 @@
+/* Copyright 2016-2017 INRIA and Microsoft Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "Hacl_Poly1305_32.h"
+
+inline static void
+Hacl_Bignum_Modulo_reduce(uint32_t *b)
+{
+ uint32_t b0 = b[0U];
+ b[0U] = (b0 << (uint32_t)2U) + b0;
+}
+
+inline static void
+Hacl_Bignum_Modulo_carry_top(uint32_t *b)
+{
+ uint32_t b4 = b[4U];
+ uint32_t b0 = b[0U];
+ uint32_t b4_26 = b4 >> (uint32_t)26U;
+ b[4U] = b4 & (uint32_t)0x3ffffffU;
+ b[0U] = (b4_26 << (uint32_t)2U) + b4_26 + b0;
+}
+
+inline static void
+Hacl_Bignum_Modulo_carry_top_wide(uint64_t *b)
+{
+ uint64_t b4 = b[4U];
+ uint64_t b0 = b[0U];
+ uint64_t b4_ = b4 & (uint64_t)(uint32_t)0x3ffffffU;
+ uint32_t b4_26 = (uint32_t)(b4 >> (uint32_t)26U);
+ uint64_t b0_ = b0 + (uint64_t)((b4_26 << (uint32_t)2U) + b4_26);
+ b[4U] = b4_;
+ b[0U] = b0_;
+}
+
+inline static void
+Hacl_Bignum_Fproduct_copy_from_wide_(uint32_t *output, uint64_t *input)
+{
+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) {
+ uint64_t xi = input[i];
+ output[i] = (uint32_t)xi;
+ }
+}
+
+inline static void
+Hacl_Bignum_Fproduct_sum_scalar_multiplication_(uint64_t *output, uint32_t *input, uint32_t s)
+{
+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) {
+ uint64_t xi = output[i];
+ uint32_t yi = input[i];
+ uint64_t x_wide = (uint64_t)yi;
+ uint64_t y_wide = (uint64_t)s;
+ output[i] = xi + x_wide * y_wide;
+ }
+}
+
+inline static void
+Hacl_Bignum_Fproduct_carry_wide_(uint64_t *tmp)
+{
+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
+ uint32_t ctr = i;
+ uint64_t tctr = tmp[ctr];
+ uint64_t tctrp1 = tmp[ctr + (uint32_t)1U];
+ uint32_t r0 = (uint32_t)tctr & (uint32_t)0x3ffffffU;
+ uint64_t c = tctr >> (uint32_t)26U;
+ tmp[ctr] = (uint64_t)r0;
+ tmp[ctr + (uint32_t)1U] = tctrp1 + c;
+ }
+}
+
+inline static void
+Hacl_Bignum_Fproduct_carry_limb_(uint32_t *tmp)
+{
+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
+ uint32_t ctr = i;
+ uint32_t tctr = tmp[ctr];
+ uint32_t tctrp1 = tmp[ctr + (uint32_t)1U];
+ uint32_t r0 = tctr & (uint32_t)0x3ffffffU;
+ uint32_t c = tctr >> (uint32_t)26U;
+ tmp[ctr] = r0;
+ tmp[ctr + (uint32_t)1U] = tctrp1 + c;
+ }
+}
+
+inline static void
+Hacl_Bignum_Fmul_shift_reduce(uint32_t *output)
+{
+ uint32_t tmp = output[4U];
+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
+ uint32_t ctr = (uint32_t)5U - i - (uint32_t)1U;
+ uint32_t z = output[ctr - (uint32_t)1U];
+ output[ctr] = z;
+ }
+ output[0U] = tmp;
+ Hacl_Bignum_Modulo_reduce(output);
+}
+
+static void
+Hacl_Bignum_Fmul_mul_shift_reduce_(uint64_t *output, uint32_t *input, uint32_t *input2)
+{
+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
+ uint32_t input2i = input2[i];
+ Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
+ Hacl_Bignum_Fmul_shift_reduce(input);
+ }
+ uint32_t i = (uint32_t)4U;
+ uint32_t input2i = input2[i];
+ Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
+}
+
+inline static void
+Hacl_Bignum_Fmul_fmul(uint32_t *output, uint32_t *input, uint32_t *input2)
+{
+ uint32_t tmp[5U] = { 0U };
+ memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]);
+ uint64_t t[5U] = { 0U };
+ Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input2);
+ Hacl_Bignum_Fproduct_carry_wide_(t);
+ Hacl_Bignum_Modulo_carry_top_wide(t);
+ Hacl_Bignum_Fproduct_copy_from_wide_(output, t);
+ uint32_t i0 = output[0U];
+ uint32_t i1 = output[1U];
+ uint32_t i0_ = i0 & (uint32_t)0x3ffffffU;
+ uint32_t i1_ = i1 + (i0 >> (uint32_t)26U);
+ output[0U] = i0_;
+ output[1U] = i1_;
+}
+
+inline static void
+Hacl_Bignum_AddAndMultiply_add_and_multiply(uint32_t *acc, uint32_t *block, uint32_t *r)
+{
+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) {
+ uint32_t xi = acc[i];
+ uint32_t yi = block[i];
+ acc[i] = xi + yi;
+ }
+ Hacl_Bignum_Fmul_fmul(acc, acc, r);
+}
+
+inline static void
+Hacl_Impl_Poly1305_32_poly1305_update(
+ Hacl_Impl_Poly1305_32_State_poly1305_state st,
+ uint8_t *m)
+{
+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st;
+ uint32_t *h = scrut0.h;
+ uint32_t *acc = h;
+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
+ uint32_t *r = scrut.r;
+ uint32_t *r5 = r;
+ uint32_t tmp[5U] = { 0U };
+ uint8_t *s0 = m;
+ uint8_t *s1 = m + (uint32_t)3U;
+ uint8_t *s2 = m + (uint32_t)6U;
+ uint8_t *s3 = m + (uint32_t)9U;
+ uint8_t *s4 = m + (uint32_t)12U;
+ uint32_t i0 = load32_le(s0);
+ uint32_t i1 = load32_le(s1);
+ uint32_t i2 = load32_le(s2);
+ uint32_t i3 = load32_le(s3);
+ uint32_t i4 = load32_le(s4);
+ uint32_t r0 = i0 & (uint32_t)0x3ffffffU;
+ uint32_t r1 = i1 >> (uint32_t)2U & (uint32_t)0x3ffffffU;
+ uint32_t r2 = i2 >> (uint32_t)4U & (uint32_t)0x3ffffffU;
+ uint32_t r3 = i3 >> (uint32_t)6U & (uint32_t)0x3ffffffU;
+ uint32_t r4 = i4 >> (uint32_t)8U;
+ tmp[0U] = r0;
+ tmp[1U] = r1;
+ tmp[2U] = r2;
+ tmp[3U] = r3;
+ tmp[4U] = r4;
+ uint32_t b4 = tmp[4U];
+ uint32_t b4_ = (uint32_t)0x1000000U | b4;
+ tmp[4U] = b4_;
+ Hacl_Bignum_AddAndMultiply_add_and_multiply(acc, tmp, r5);
+}
+
+inline static void
+Hacl_Impl_Poly1305_32_poly1305_process_last_block_(
+ uint8_t *block,
+ Hacl_Impl_Poly1305_32_State_poly1305_state st,
+ uint8_t *m,
+ uint64_t rem_)
+{
+ uint32_t tmp[5U] = { 0U };
+ uint8_t *s0 = block;
+ uint8_t *s1 = block + (uint32_t)3U;
+ uint8_t *s2 = block + (uint32_t)6U;
+ uint8_t *s3 = block + (uint32_t)9U;
+ uint8_t *s4 = block + (uint32_t)12U;
+ uint32_t i0 = load32_le(s0);
+ uint32_t i1 = load32_le(s1);
+ uint32_t i2 = load32_le(s2);
+ uint32_t i3 = load32_le(s3);
+ uint32_t i4 = load32_le(s4);
+ uint32_t r0 = i0 & (uint32_t)0x3ffffffU;
+ uint32_t r1 = i1 >> (uint32_t)2U & (uint32_t)0x3ffffffU;
+ uint32_t r2 = i2 >> (uint32_t)4U & (uint32_t)0x3ffffffU;
+ uint32_t r3 = i3 >> (uint32_t)6U & (uint32_t)0x3ffffffU;
+ uint32_t r4 = i4 >> (uint32_t)8U;
+ tmp[0U] = r0;
+ tmp[1U] = r1;
+ tmp[2U] = r2;
+ tmp[3U] = r3;
+ tmp[4U] = r4;
+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st;
+ uint32_t *h = scrut0.h;
+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
+ uint32_t *r = scrut.r;
+ Hacl_Bignum_AddAndMultiply_add_and_multiply(h, tmp, r);
+}
+
+inline static void
+Hacl_Impl_Poly1305_32_poly1305_process_last_block(
+ Hacl_Impl_Poly1305_32_State_poly1305_state st,
+ uint8_t *m,
+ uint64_t rem_)
+{
+ uint8_t zero1 = (uint8_t)0U;
+ KRML_CHECK_SIZE(zero1, (uint32_t)16U);
+ uint8_t block[16U];
+ for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
+ block[_i] = zero1;
+ uint32_t i0 = (uint32_t)rem_;
+ uint32_t i = (uint32_t)rem_;
+ memcpy(block, m, i * sizeof m[0U]);
+ block[i0] = (uint8_t)1U;
+ Hacl_Impl_Poly1305_32_poly1305_process_last_block_(block, st, m, rem_);
+}
+
+static void
+Hacl_Impl_Poly1305_32_poly1305_last_pass(uint32_t *acc)
+{
+ Hacl_Bignum_Fproduct_carry_limb_(acc);
+ Hacl_Bignum_Modulo_carry_top(acc);
+ uint32_t t0 = acc[0U];
+ uint32_t t10 = acc[1U];
+ uint32_t t20 = acc[2U];
+ uint32_t t30 = acc[3U];
+ uint32_t t40 = acc[4U];
+ uint32_t t1_ = t10 + (t0 >> (uint32_t)26U);
+ uint32_t mask_261 = (uint32_t)0x3ffffffU;
+ uint32_t t0_ = t0 & mask_261;
+ uint32_t t2_ = t20 + (t1_ >> (uint32_t)26U);
+ uint32_t t1__ = t1_ & mask_261;
+ uint32_t t3_ = t30 + (t2_ >> (uint32_t)26U);
+ uint32_t t2__ = t2_ & mask_261;
+ uint32_t t4_ = t40 + (t3_ >> (uint32_t)26U);
+ uint32_t t3__ = t3_ & mask_261;
+ acc[0U] = t0_;
+ acc[1U] = t1__;
+ acc[2U] = t2__;
+ acc[3U] = t3__;
+ acc[4U] = t4_;
+ Hacl_Bignum_Modulo_carry_top(acc);
+ uint32_t t00 = acc[0U];
+ uint32_t t1 = acc[1U];
+ uint32_t t2 = acc[2U];
+ uint32_t t3 = acc[3U];
+ uint32_t t4 = acc[4U];
+ uint32_t t1_0 = t1 + (t00 >> (uint32_t)26U);
+ uint32_t t0_0 = t00 & (uint32_t)0x3ffffffU;
+ uint32_t t2_0 = t2 + (t1_0 >> (uint32_t)26U);
+ uint32_t t1__0 = t1_0 & (uint32_t)0x3ffffffU;
+ uint32_t t3_0 = t3 + (t2_0 >> (uint32_t)26U);
+ uint32_t t2__0 = t2_0 & (uint32_t)0x3ffffffU;
+ uint32_t t4_0 = t4 + (t3_0 >> (uint32_t)26U);
+ uint32_t t3__0 = t3_0 & (uint32_t)0x3ffffffU;
+ acc[0U] = t0_0;
+ acc[1U] = t1__0;
+ acc[2U] = t2__0;
+ acc[3U] = t3__0;
+ acc[4U] = t4_0;
+ Hacl_Bignum_Modulo_carry_top(acc);
+ uint32_t i0 = acc[0U];
+ uint32_t i1 = acc[1U];
+ uint32_t i0_ = i0 & (uint32_t)0x3ffffffU;
+ uint32_t i1_ = i1 + (i0 >> (uint32_t)26U);
+ acc[0U] = i0_;
+ acc[1U] = i1_;
+ uint32_t a0 = acc[0U];
+ uint32_t a1 = acc[1U];
+ uint32_t a2 = acc[2U];
+ uint32_t a3 = acc[3U];
+ uint32_t a4 = acc[4U];
+ uint32_t mask0 = FStar_UInt32_gte_mask(a0, (uint32_t)0x3fffffbU);
+ uint32_t mask1 = FStar_UInt32_eq_mask(a1, (uint32_t)0x3ffffffU);
+ uint32_t mask2 = FStar_UInt32_eq_mask(a2, (uint32_t)0x3ffffffU);
+ uint32_t mask3 = FStar_UInt32_eq_mask(a3, (uint32_t)0x3ffffffU);
+ uint32_t mask4 = FStar_UInt32_eq_mask(a4, (uint32_t)0x3ffffffU);
+ uint32_t mask = (((mask0 & mask1) & mask2) & mask3) & mask4;
+ uint32_t a0_ = a0 - ((uint32_t)0x3fffffbU & mask);
+ uint32_t a1_ = a1 - ((uint32_t)0x3ffffffU & mask);
+ uint32_t a2_ = a2 - ((uint32_t)0x3ffffffU & mask);
+ uint32_t a3_ = a3 - ((uint32_t)0x3ffffffU & mask);
+ uint32_t a4_ = a4 - ((uint32_t)0x3ffffffU & mask);
+ acc[0U] = a0_;
+ acc[1U] = a1_;
+ acc[2U] = a2_;
+ acc[3U] = a3_;
+ acc[4U] = a4_;
+}
+
+static Hacl_Impl_Poly1305_32_State_poly1305_state
+Hacl_Impl_Poly1305_32_mk_state(uint32_t *r, uint32_t *h)
+{
+ return ((Hacl_Impl_Poly1305_32_State_poly1305_state){.r = r, .h = h });
+}
+
+static void
+Hacl_Standalone_Poly1305_32_poly1305_blocks(
+ Hacl_Impl_Poly1305_32_State_poly1305_state st,
+ uint8_t *m,
+ uint64_t len1)
+{
+ if (!(len1 == (uint64_t)0U)) {
+ uint8_t *block = m;
+ uint8_t *tail1 = m + (uint32_t)16U;
+ Hacl_Impl_Poly1305_32_poly1305_update(st, block);
+ uint64_t len2 = len1 - (uint64_t)1U;
+ Hacl_Standalone_Poly1305_32_poly1305_blocks(st, tail1, len2);
+ }
+}
+
+static void
+Hacl_Standalone_Poly1305_32_poly1305_partial(
+ Hacl_Impl_Poly1305_32_State_poly1305_state st,
+ uint8_t *input,
+ uint64_t len1,
+ uint8_t *kr)
+{
+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
+ uint32_t *r = scrut.r;
+ uint32_t *x0 = r;
+ FStar_UInt128_t k1 = load128_le(kr);
+ FStar_UInt128_t
+ k_clamped =
+ FStar_UInt128_logand(k1,
+ FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0ffffffcU),
+ (uint32_t)64U),
+ FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0fffffffU)));
+ uint32_t r0 = (uint32_t)FStar_UInt128_uint128_to_uint64(k_clamped) & (uint32_t)0x3ffffffU;
+ uint32_t
+ r1 =
+ (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)26U)) & (uint32_t)0x3ffffffU;
+ uint32_t
+ r2 =
+ (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)52U)) & (uint32_t)0x3ffffffU;
+ uint32_t
+ r3 =
+ (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)78U)) & (uint32_t)0x3ffffffU;
+ uint32_t
+ r4 =
+ (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)104U)) & (uint32_t)0x3ffffffU;
+ x0[0U] = r0;
+ x0[1U] = r1;
+ x0[2U] = r2;
+ x0[3U] = r3;
+ x0[4U] = r4;
+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st;
+ uint32_t *h = scrut0.h;
+ uint32_t *x00 = h;
+ x00[0U] = (uint32_t)0U;
+ x00[1U] = (uint32_t)0U;
+ x00[2U] = (uint32_t)0U;
+ x00[3U] = (uint32_t)0U;
+ x00[4U] = (uint32_t)0U;
+ Hacl_Standalone_Poly1305_32_poly1305_blocks(st, input, len1);
+}
+
+static void
+Hacl_Standalone_Poly1305_32_poly1305_complete(
+ Hacl_Impl_Poly1305_32_State_poly1305_state st,
+ uint8_t *m,
+ uint64_t len1,
+ uint8_t *k1)
+{
+ uint8_t *kr = k1;
+ uint64_t len16 = len1 >> (uint32_t)4U;
+ uint64_t rem16 = len1 & (uint64_t)0xfU;
+ uint8_t *part_input = m;
+ uint8_t *last_block = m + (uint32_t)((uint64_t)16U * len16);
+ Hacl_Standalone_Poly1305_32_poly1305_partial(st, part_input, len16, kr);
+ if (!(rem16 == (uint64_t)0U))
+ Hacl_Impl_Poly1305_32_poly1305_process_last_block(st, last_block, rem16);
+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
+ uint32_t *h = scrut.h;
+ uint32_t *acc = h;
+ Hacl_Impl_Poly1305_32_poly1305_last_pass(acc);
+}
+
+static void
+Hacl_Standalone_Poly1305_32_crypto_onetimeauth_(
+ uint8_t *output,
+ uint8_t *input,
+ uint64_t len1,
+ uint8_t *k1)
+{
+ uint32_t buf[10U] = { 0U };
+ uint32_t *r = buf;
+ uint32_t *h = buf + (uint32_t)5U;
+ Hacl_Impl_Poly1305_32_State_poly1305_state st = Hacl_Impl_Poly1305_32_mk_state(r, h);
+ uint8_t *key_s = k1 + (uint32_t)16U;
+ Hacl_Standalone_Poly1305_32_poly1305_complete(st, input, len1, k1);
+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
+ uint32_t *h5 = scrut.h;
+ uint32_t *acc = h5;
+ FStar_UInt128_t k_ = load128_le(key_s);
+ uint32_t h0 = acc[0U];
+ uint32_t h1 = acc[1U];
+ uint32_t h2 = acc[2U];
+ uint32_t h3 = acc[3U];
+ uint32_t h4 = acc[4U];
+ FStar_UInt128_t
+ acc_ =
+ FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h4),
+ (uint32_t)104U),
+ FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h3),
+ (uint32_t)78U),
+ FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h2),
+ (uint32_t)52U),
+ FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h1),
+ (uint32_t)26U),
+ FStar_UInt128_uint64_to_uint128((uint64_t)h0)))));
+ FStar_UInt128_t mac_ = FStar_UInt128_add_mod(acc_, k_);
+ store128_le(output, mac_);
+}
+
+static void
+Hacl_Standalone_Poly1305_32_crypto_onetimeauth(
+ uint8_t *output,
+ uint8_t *input,
+ uint64_t len1,
+ uint8_t *k1)
+{
+ Hacl_Standalone_Poly1305_32_crypto_onetimeauth_(output, input, len1, k1);
+}
+
+void *
+Hacl_Poly1305_32_op_String_Access(FStar_Monotonic_HyperStack_mem h, uint8_t *b)
+{
+ return (void *)(uint8_t)0U;
+}
+
+Hacl_Impl_Poly1305_32_State_poly1305_state
+Hacl_Poly1305_32_mk_state(uint32_t *r, uint32_t *acc)
+{
+ return Hacl_Impl_Poly1305_32_mk_state(r, acc);
+}
+
+void
+Hacl_Poly1305_32_init(Hacl_Impl_Poly1305_32_State_poly1305_state st, uint8_t *k1)
+{
+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
+ uint32_t *r = scrut.r;
+ uint32_t *x0 = r;
+ FStar_UInt128_t k10 = load128_le(k1);
+ FStar_UInt128_t
+ k_clamped =
+ FStar_UInt128_logand(k10,
+ FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0ffffffcU),
+ (uint32_t)64U),
+ FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0fffffffU)));
+ uint32_t r0 = (uint32_t)FStar_UInt128_uint128_to_uint64(k_clamped) & (uint32_t)0x3ffffffU;
+ uint32_t
+ r1 =
+ (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)26U)) & (uint32_t)0x3ffffffU;
+ uint32_t
+ r2 =
+ (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)52U)) & (uint32_t)0x3ffffffU;
+ uint32_t
+ r3 =
+ (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)78U)) & (uint32_t)0x3ffffffU;
+ uint32_t
+ r4 =
+ (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)104U)) & (uint32_t)0x3ffffffU;
+ x0[0U] = r0;
+ x0[1U] = r1;
+ x0[2U] = r2;
+ x0[3U] = r3;
+ x0[4U] = r4;
+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st;
+ uint32_t *h = scrut0.h;
+ uint32_t *x00 = h;
+ x00[0U] = (uint32_t)0U;
+ x00[1U] = (uint32_t)0U;
+ x00[2U] = (uint32_t)0U;
+ x00[3U] = (uint32_t)0U;
+ x00[4U] = (uint32_t)0U;
+}
+
+void *Hacl_Poly1305_32_empty_log = (void *)(uint8_t)0U;
+
+void
+Hacl_Poly1305_32_update_block(Hacl_Impl_Poly1305_32_State_poly1305_state st, uint8_t *m)
+{
+ Hacl_Impl_Poly1305_32_poly1305_update(st, m);
+}
+
+void
+Hacl_Poly1305_32_update(
+ Hacl_Impl_Poly1305_32_State_poly1305_state st,
+ uint8_t *m,
+ uint32_t len1)
+{
+ if (!(len1 == (uint32_t)0U)) {
+ uint8_t *block = m;
+ uint8_t *m_ = m + (uint32_t)16U;
+ uint32_t len2 = len1 - (uint32_t)1U;
+ Hacl_Poly1305_32_update_block(st, block);
+ Hacl_Poly1305_32_update(st, m_, len2);
+ }
+}
+
+void
+Hacl_Poly1305_32_update_last(
+ Hacl_Impl_Poly1305_32_State_poly1305_state st,
+ uint8_t *m,
+ uint32_t len1)
+{
+ if (!((uint64_t)len1 == (uint64_t)0U))
+ Hacl_Impl_Poly1305_32_poly1305_process_last_block(st, m, (uint64_t)len1);
+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
+ uint32_t *h = scrut.h;
+ uint32_t *acc = h;
+ Hacl_Impl_Poly1305_32_poly1305_last_pass(acc);
+}
+
+void
+Hacl_Poly1305_32_finish(
+ Hacl_Impl_Poly1305_32_State_poly1305_state st,
+ uint8_t *mac,
+ uint8_t *k1)
+{
+ Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
+ uint32_t *h = scrut.h;
+ uint32_t *acc = h;
+ FStar_UInt128_t k_ = load128_le(k1);
+ uint32_t h0 = acc[0U];
+ uint32_t h1 = acc[1U];
+ uint32_t h2 = acc[2U];
+ uint32_t h3 = acc[3U];
+ uint32_t h4 = acc[4U];
+ FStar_UInt128_t
+ acc_ =
+ FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h4),
+ (uint32_t)104U),
+ FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h3),
+ (uint32_t)78U),
+ FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h2),
+ (uint32_t)52U),
+ FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h1),
+ (uint32_t)26U),
+ FStar_UInt128_uint64_to_uint128((uint64_t)h0)))));
+ FStar_UInt128_t mac_ = FStar_UInt128_add_mod(acc_, k_);
+ store128_le(mac, mac_);
+}
+
+void
+Hacl_Poly1305_32_crypto_onetimeauth(
+ uint8_t *output,
+ uint8_t *input,
+ uint64_t len1,
+ uint8_t *k1)
+{
+ Hacl_Standalone_Poly1305_32_crypto_onetimeauth(output, input, len1, k1);
+}
diff --git a/security/nss/lib/freebl/verified/Hacl_Poly1305_32.h b/security/nss/lib/freebl/verified/Hacl_Poly1305_32.h
new file mode 100644
index 0000000000..4dd0700267
--- /dev/null
+++ b/security/nss/lib/freebl/verified/Hacl_Poly1305_32.h
@@ -0,0 +1,103 @@
+/* Copyright 2016-2017 INRIA and Microsoft Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "kremlib.h"
+#ifndef __Hacl_Poly1305_32_H
+#define __Hacl_Poly1305_32_H
+
+typedef uint32_t Hacl_Bignum_Constants_limb;
+
+typedef uint64_t Hacl_Bignum_Constants_wide;
+
+typedef uint64_t Hacl_Bignum_Wide_t;
+
+typedef uint32_t Hacl_Bignum_Limb_t;
+
+typedef void *Hacl_Impl_Poly1305_32_State_log_t;
+
+typedef uint8_t *Hacl_Impl_Poly1305_32_State_uint8_p;
+
+typedef uint32_t *Hacl_Impl_Poly1305_32_State_bigint;
+
+typedef void *Hacl_Impl_Poly1305_32_State_seqelem;
+
+typedef uint32_t *Hacl_Impl_Poly1305_32_State_elemB;
+
+typedef uint8_t *Hacl_Impl_Poly1305_32_State_wordB;
+
+typedef uint8_t *Hacl_Impl_Poly1305_32_State_wordB_16;
+
+typedef struct
+{
+ uint32_t *r;
+ uint32_t *h;
+} Hacl_Impl_Poly1305_32_State_poly1305_state;
+
+typedef void *Hacl_Impl_Poly1305_32_log_t;
+
+typedef uint32_t *Hacl_Impl_Poly1305_32_bigint;
+
+typedef uint8_t *Hacl_Impl_Poly1305_32_uint8_p;
+
+typedef uint32_t *Hacl_Impl_Poly1305_32_elemB;
+
+typedef uint8_t *Hacl_Impl_Poly1305_32_wordB;
+
+typedef uint8_t *Hacl_Impl_Poly1305_32_wordB_16;
+
+typedef uint8_t *Hacl_Poly1305_32_uint8_p;
+
+typedef uint64_t Hacl_Poly1305_32_uint64_t;
+
+void *Hacl_Poly1305_32_op_String_Access(FStar_Monotonic_HyperStack_mem h, uint8_t *b);
+
+typedef uint8_t *Hacl_Poly1305_32_key;
+
+typedef Hacl_Impl_Poly1305_32_State_poly1305_state Hacl_Poly1305_32_state;
+
+Hacl_Impl_Poly1305_32_State_poly1305_state
+Hacl_Poly1305_32_mk_state(uint32_t *r, uint32_t *acc);
+
+void Hacl_Poly1305_32_init(Hacl_Impl_Poly1305_32_State_poly1305_state st, uint8_t *k1);
+
+extern void *Hacl_Poly1305_32_empty_log;
+
+void Hacl_Poly1305_32_update_block(Hacl_Impl_Poly1305_32_State_poly1305_state st, uint8_t *m);
+
+void
+Hacl_Poly1305_32_update(
+ Hacl_Impl_Poly1305_32_State_poly1305_state st,
+ uint8_t *m,
+ uint32_t len1);
+
+void
+Hacl_Poly1305_32_update_last(
+ Hacl_Impl_Poly1305_32_State_poly1305_state st,
+ uint8_t *m,
+ uint32_t len1);
+
+void
+Hacl_Poly1305_32_finish(
+ Hacl_Impl_Poly1305_32_State_poly1305_state st,
+ uint8_t *mac,
+ uint8_t *k1);
+
+void
+Hacl_Poly1305_32_crypto_onetimeauth(
+ uint8_t *output,
+ uint8_t *input,
+ uint64_t len1,
+ uint8_t *k1);
+#endif
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
index 9954f0ca68..f73b95f686 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
@@ -70,7 +70,7 @@ static const PKIX_UInt32 httpprotocolLen = 5; /* strlen(httpprotocol) */
* The address at which the Boolean state machine flag is stored to
* indicate whether processing can continue without further input.
* Must be non-NULL.
- * "plContext"
+ * "plCtx"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
@@ -85,7 +85,7 @@ pkix_pl_HttpDefaultClient_HdrCheckComplete(
PKIX_PL_HttpDefaultClient *client,
PKIX_UInt32 bytesRead,
PKIX_Boolean *pKeepGoing,
- void *plContext)
+ void *plCtx)
{
PKIX_UInt32 alreadyScanned = 0;
PKIX_UInt32 comp = 0;
@@ -142,7 +142,7 @@ pkix_pl_HttpDefaultClient_HdrCheckComplete(
headerLength = (eoh - client->rcvBuf);
/* allocate space to copy header (and for the NULL terminator) */
- PKIX_CHECK(PKIX_PL_Malloc(headerLength + 1, (void **)&copy, plContext),
+ PKIX_CHECK(PKIX_PL_Malloc(headerLength + 1, (void **)&copy, plCtx),
PKIX_MALLOCFAILED);
/* copy header data before we corrupt it (by storing NULLs) */
@@ -301,7 +301,7 @@ pkix_pl_HttpDefaultClient_HdrCheckComplete(
if (contentLength > 0) {
/* allocate a buffer of size contentLength for the content */
- PKIX_CHECK(PKIX_PL_Malloc(contentLength, (void **)&body, plContext),
+ PKIX_CHECK(PKIX_PL_Malloc(contentLength, (void **)&body, plCtx),
PKIX_MALLOCFAILED);
/* copy any remaining bytes in current buffer into new buffer */
@@ -311,7 +311,7 @@ pkix_pl_HttpDefaultClient_HdrCheckComplete(
}
}
- PKIX_CHECK(PKIX_PL_Free(client->rcvBuf, plContext),
+ PKIX_CHECK(PKIX_PL_Free(client->rcvBuf, plCtx),
PKIX_FREEFAILED);
client->rcvBuf = body;
@@ -340,7 +340,7 @@ cleanup:
* "pClient"
* The address at which the created HttpDefaultClient is to be stored.
* Must be non-NULL.
- * "plContext"
+ * "plCtx"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
@@ -355,7 +355,7 @@ pkix_pl_HttpDefaultClient_Create(
const char *host,
PRUint16 portnum,
PKIX_PL_HttpDefaultClient **pClient,
- void *plContext)
+ void *plCtx)
{
PKIX_PL_HttpDefaultClient *client = NULL;
@@ -367,7 +367,7 @@ pkix_pl_HttpDefaultClient_Create(
(PKIX_HTTPDEFAULTCLIENT_TYPE,
sizeof (PKIX_PL_HttpDefaultClient),
(PKIX_PL_Object **)&client,
- plContext),
+ plCtx),
PKIX_COULDNOTCREATEHTTPDEFAULTCLIENTOBJECT);
/* Client timeout is overwritten in HttpDefaultClient_RequestCreate
@@ -408,10 +408,10 @@ pkix_pl_HttpDefaultClient_Create(
client->socket = NULL;
/*
- * The HttpClient API does not include a plContext argument in its
+ * The HttpClient API does not include a plCtx argument in its
* function calls. Save it here.
*/
- client->plContext = plContext;
+ client->plContext = plCtx;
*pClient = client;
@@ -430,7 +430,7 @@ cleanup:
static PKIX_Error *
pkix_pl_HttpDefaultClient_Destroy(
PKIX_PL_Object *object,
- void *plContext)
+ void *plCtx)
{
PKIX_PL_HttpDefaultClient *client = NULL;
@@ -438,13 +438,13 @@ pkix_pl_HttpDefaultClient_Destroy(
PKIX_NULLCHECK_ONE(object);
PKIX_CHECK(pkix_CheckType
- (object, PKIX_HTTPDEFAULTCLIENT_TYPE, plContext),
+ (object, PKIX_HTTPDEFAULTCLIENT_TYPE, plCtx),
PKIX_OBJECTNOTANHTTPDEFAULTCLIENT);
client = (PKIX_PL_HttpDefaultClient *)object;
if (client->rcvHeaders) {
- PKIX_PL_Free(client->rcvHeaders, plContext);
+ PKIX_PL_Free(client->rcvHeaders, plCtx);
client->rcvHeaders = NULL;
}
if (client->rcvContentType) {
@@ -456,11 +456,11 @@ pkix_pl_HttpDefaultClient_Destroy(
client->GETBuf = NULL;
}
if (client->POSTBuf != NULL) {
- PKIX_PL_Free(client->POSTBuf, plContext);
+ PKIX_PL_Free(client->POSTBuf, plCtx);
client->POSTBuf = NULL;
}
if (client->rcvBuf != NULL) {
- PKIX_PL_Free(client->rcvBuf, plContext);
+ PKIX_PL_Free(client->rcvBuf, plCtx);
client->rcvBuf = NULL;
}
if (client->host) {
@@ -493,7 +493,7 @@ cleanup:
* thread-safe.
*/
PKIX_Error *
-pkix_pl_HttpDefaultClient_RegisterSelf(void *plContext)
+pkix_pl_HttpDefaultClient_RegisterSelf(void *plCtx)
{
extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
pkix_ClassTable_Entry *entry =
@@ -529,7 +529,7 @@ pkix_pl_HttpDefaultClient_RegisterSelf(void *plContext)
* The address at which the Boolean state machine flag is stored to
* indicate whether processing can continue without further input.
* Must be non-NULL.
- * "plContext"
+ * "plCtx"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
@@ -543,7 +543,7 @@ static PKIX_Error *
pkix_pl_HttpDefaultClient_ConnectContinue(
PKIX_PL_HttpDefaultClient *client,
PKIX_Boolean *pKeepGoing,
- void *plContext)
+ void *plCtx)
{
PRErrorCode status;
PKIX_Boolean keepGoing = PKIX_FALSE;
@@ -557,7 +557,7 @@ pkix_pl_HttpDefaultClient_ConnectContinue(
callbackList = (PKIX_PL_Socket_Callback *)client->callbackList;
PKIX_CHECK(callbackList->connectcontinueCallback
- (client->socket, &status, plContext),
+ (client->socket, &status, plCtx),
PKIX_SOCKETCONNECTCONTINUEFAILED);
if (status == 0) {
@@ -595,7 +595,7 @@ cleanup:
* "pBytesTransferred"
* The address at which the number of bytes sent is stored. Must be
* non-NULL.
- * "plContext"
+ * "plCtx"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
@@ -610,7 +610,7 @@ pkix_pl_HttpDefaultClient_Send(
PKIX_PL_HttpDefaultClient *client,
PKIX_Boolean *pKeepGoing,
PKIX_UInt32 *pBytesTransferred,
- void *plContext)
+ void *plCtx)
{
PKIX_Int32 bytesWritten = 0;
PKIX_Int32 lenToWrite = 0;
@@ -640,7 +640,7 @@ pkix_pl_HttpDefaultClient_Send(
dataToWrite,
lenToWrite,
&bytesWritten,
- plContext),
+ plCtx),
PKIX_SOCKETSENDFAILED);
client->rcvBuf = NULL;
@@ -690,7 +690,7 @@ cleanup:
* "pBytesTransferred"
* The address at which the number of bytes sent is stored. Must be
* non-NULL.
- * "plContext"
+ * "plCtx"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
@@ -705,7 +705,7 @@ pkix_pl_HttpDefaultClient_SendContinue(
PKIX_PL_HttpDefaultClient *client,
PKIX_Boolean *pKeepGoing,
PKIX_UInt32 *pBytesTransferred,
- void *plContext)
+ void *plCtx)
{
PKIX_Int32 bytesWritten = 0;
PKIX_PL_Socket_Callback *callbackList = NULL;
@@ -718,7 +718,7 @@ pkix_pl_HttpDefaultClient_SendContinue(
callbackList = (PKIX_PL_Socket_Callback *)client->callbackList;
PKIX_CHECK(callbackList->pollCallback
- (client->socket, &bytesWritten, NULL, plContext),
+ (client->socket, &bytesWritten, NULL, plCtx),
PKIX_SOCKETPOLLFAILED);
/*
@@ -752,7 +752,7 @@ cleanup:
* The address at which the Boolean state machine flag is stored to
* indicate whether processing can continue without further input.
* Must be non-NULL.
- * "plContext"
+ * "plCtx"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
@@ -766,7 +766,7 @@ static PKIX_Error *
pkix_pl_HttpDefaultClient_RecvHdr(
PKIX_PL_HttpDefaultClient *client,
PKIX_Boolean *pKeepGoing,
- void *plContext)
+ void *plCtx)
{
PKIX_UInt32 bytesToRead = 0;
PKIX_Int32 bytesRead = 0;
@@ -787,7 +787,7 @@ pkix_pl_HttpDefaultClient_RecvHdr(
(client->rcvBuf,
client->capacity,
(void **)&(client->rcvBuf),
- plContext),
+ plCtx),
PKIX_REALLOCFAILED);
bytesToRead = client->capacity - client->filledupBytes;
@@ -799,7 +799,7 @@ pkix_pl_HttpDefaultClient_RecvHdr(
(void *)&(client->rcvBuf[client->filledupBytes]),
bytesToRead,
&bytesRead,
- plContext),
+ plCtx),
PKIX_SOCKETRECVFAILED);
if (bytesRead > 0) {
@@ -808,7 +808,7 @@ pkix_pl_HttpDefaultClient_RecvHdr(
PKIX_CHECK(
pkix_pl_HttpDefaultClient_HdrCheckComplete(client, bytesRead,
pKeepGoing,
- plContext),
+ plCtx),
PKIX_HTTPDEFAULTCLIENTHDRCHECKCOMPLETEFAILED);
} else {
client->connectStatus = HTTP_RECV_HDR_PENDING;
@@ -834,7 +834,7 @@ cleanup:
* The address at which the Boolean state machine flag is stored to
* indicate whether processing can continue without further input.
* Must be non-NULL.
- * "plContext"
+ * "plCtx"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
@@ -848,7 +848,7 @@ static PKIX_Error *
pkix_pl_HttpDefaultClient_RecvHdrContinue(
PKIX_PL_HttpDefaultClient *client,
PKIX_Boolean *pKeepGoing,
- void *plContext)
+ void *plCtx)
{
PKIX_Int32 bytesRead = 0;
PKIX_PL_Socket_Callback *callbackList = NULL;
@@ -861,14 +861,14 @@ pkix_pl_HttpDefaultClient_RecvHdrContinue(
callbackList = (PKIX_PL_Socket_Callback *)client->callbackList;
PKIX_CHECK(callbackList->pollCallback
- (client->socket, NULL, &bytesRead, plContext),
+ (client->socket, NULL, &bytesRead, plCtx),
PKIX_SOCKETPOLLFAILED);
if (bytesRead > 0) {
client->filledupBytes += bytesRead;
PKIX_CHECK(pkix_pl_HttpDefaultClient_HdrCheckComplete
- (client, bytesRead, pKeepGoing, plContext),
+ (client, bytesRead, pKeepGoing, plCtx),
PKIX_HTTPDEFAULTCLIENTHDRCHECKCOMPLETEFAILED);
} else {
@@ -897,7 +897,7 @@ cleanup:
* The address at which the Boolean state machine flag is stored to
* indicate whether processing can continue without further input.
* Must be non-NULL.
- * "plContext"
+ * "plCtx"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
@@ -911,7 +911,7 @@ static PKIX_Error *
pkix_pl_HttpDefaultClient_RecvBody(
PKIX_PL_HttpDefaultClient *client,
PKIX_Boolean *pKeepGoing,
- void *plContext)
+ void *plCtx)
{
PKIX_Int32 bytesRead = 0;
PKIX_Int32 bytesToRead = 0;
@@ -952,7 +952,7 @@ pkix_pl_HttpDefaultClient_RecvBody(
client->capacity = newLength;
PKIX_CHECK(
PKIX_PL_Realloc(client->rcvBuf, newLength,
- (void**)&client->rcvBuf, plContext),
+ (void**)&client->rcvBuf, plCtx),
PKIX_REALLOCFAILED);
freeBuffSize = client->capacity -
client->filledupBytes;
@@ -964,7 +964,7 @@ pkix_pl_HttpDefaultClient_RecvBody(
/* Use poll callback if waiting on non-blocking IO */
if (client->connectStatus == HTTP_RECV_BODY_PENDING) {
PKIX_CHECK(callbackList->pollCallback
- (client->socket, NULL, &bytesRead, plContext),
+ (client->socket, NULL, &bytesRead, plCtx),
PKIX_SOCKETPOLLFAILED);
} else {
PKIX_CHECK(callbackList->recvCallback
@@ -972,7 +972,7 @@ pkix_pl_HttpDefaultClient_RecvBody(
(void *)&(client->rcvBuf[client->filledupBytes]),
bytesToRead,
&bytesRead,
- plContext),
+ plCtx),
PKIX_SOCKETRECVFAILED);
}
@@ -1026,7 +1026,7 @@ cleanup:
* PARAMETERS:
* "client"
* The address of the HttpDefaultClient object. Must be non-NULL.
- * "plContext"
+ * "plCtx"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
@@ -1039,7 +1039,7 @@ cleanup:
static PKIX_Error *
pkix_pl_HttpDefaultClient_Dispatch(
PKIX_PL_HttpDefaultClient *client,
- void *plContext)
+ void *plCtx)
{
PKIX_UInt32 bytesTransferred = 0;
PKIX_Boolean keepGoing = PKIX_TRUE;
@@ -1051,33 +1051,33 @@ pkix_pl_HttpDefaultClient_Dispatch(
switch (client->connectStatus) {
case HTTP_CONNECT_PENDING:
PKIX_CHECK(pkix_pl_HttpDefaultClient_ConnectContinue
- (client, &keepGoing, plContext),
+ (client, &keepGoing, plCtx),
PKIX_HTTPDEFAULTCLIENTCONNECTCONTINUEFAILED);
break;
case HTTP_CONNECTED:
PKIX_CHECK(pkix_pl_HttpDefaultClient_Send
- (client, &keepGoing, &bytesTransferred, plContext),
+ (client, &keepGoing, &bytesTransferred, plCtx),
PKIX_HTTPDEFAULTCLIENTSENDFAILED);
break;
case HTTP_SEND_PENDING:
PKIX_CHECK(pkix_pl_HttpDefaultClient_SendContinue
- (client, &keepGoing, &bytesTransferred, plContext),
+ (client, &keepGoing, &bytesTransferred, plCtx),
PKIX_HTTPDEFAULTCLIENTSENDCONTINUEFAILED);
break;
case HTTP_RECV_HDR:
PKIX_CHECK(pkix_pl_HttpDefaultClient_RecvHdr
- (client, &keepGoing, plContext),
+ (client, &keepGoing, plCtx),
PKIX_HTTPDEFAULTCLIENTRECVHDRFAILED);
break;
case HTTP_RECV_HDR_PENDING:
PKIX_CHECK(pkix_pl_HttpDefaultClient_RecvHdrContinue
- (client, &keepGoing, plContext),
+ (client, &keepGoing, plCtx),
PKIX_HTTPDEFAULTCLIENTRECVHDRCONTINUEFAILED);
break;
case HTTP_RECV_BODY:
case HTTP_RECV_BODY_PENDING:
PKIX_CHECK(pkix_pl_HttpDefaultClient_RecvBody
- (client, &keepGoing, plContext),
+ (client, &keepGoing, plCtx),
PKIX_HTTPDEFAULTCLIENTRECVBODYFAILED);
break;
case HTTP_ERROR:
@@ -1106,7 +1106,7 @@ pkix_pl_HttpDefaultClient_CreateSession(
const char *host,
PRUint16 portnum,
SEC_HTTP_SERVER_SESSION *pSession,
- void *plContext)
+ void *plCtx)
{
PKIX_PL_HttpDefaultClient *client = NULL;
@@ -1115,7 +1115,7 @@ pkix_pl_HttpDefaultClient_CreateSession(
PKIX_NULLCHECK_TWO(host, pSession);
PKIX_CHECK(pkix_pl_HttpDefaultClient_Create
- (host, portnum, &client, plContext),
+ (host, portnum, &client, plCtx),
PKIX_HTTPDEFAULTCLIENTCREATEFAILED);
*pSession = (SEC_HTTP_SERVER_SESSION)client;
@@ -1130,7 +1130,7 @@ PKIX_Error *
pkix_pl_HttpDefaultClient_KeepAliveSession(
SEC_HTTP_SERVER_SESSION session,
PRPollDesc **pPollDesc,
- void *plContext)
+ void *plCtx)
{
PKIX_ENTER
(HTTPDEFAULTCLIENT,
@@ -1140,7 +1140,7 @@ pkix_pl_HttpDefaultClient_KeepAliveSession(
PKIX_CHECK(pkix_CheckType
((PKIX_PL_Object *)session,
PKIX_HTTPDEFAULTCLIENT_TYPE,
- plContext),
+ plCtx),
PKIX_SESSIONNOTANHTTPDEFAULTCLIENT);
/* XXX Not implemented */
@@ -1159,7 +1159,7 @@ pkix_pl_HttpDefaultClient_RequestCreate(
const char *http_request_method,
const PRIntervalTime timeout,
SEC_HTTP_REQUEST_SESSION *pRequest,
- void *plContext)
+ void *plCtx)
{
PKIX_PL_HttpDefaultClient *client = NULL;
PKIX_PL_Socket *socket = NULL;
@@ -1174,7 +1174,7 @@ pkix_pl_HttpDefaultClient_RequestCreate(
PKIX_CHECK(pkix_CheckType
((PKIX_PL_Object *)session,
PKIX_HTTPDEFAULTCLIENT_TYPE,
- plContext),
+ plCtx),
PKIX_SESSIONNOTANHTTPDEFAULTCLIENT);
client = (PKIX_PL_HttpDefaultClient *)session;
@@ -1212,7 +1212,7 @@ pkix_pl_HttpDefaultClient_RequestCreate(
2001, /* client->portnum, */
&status,
&socket,
- plContext),
+ plCtx),
PKIX_HTTPCERTSTOREFINDSOCKETCONNECTIONFAILED);
#else
PKIX_CHECK(pkix_HttpCertStore_FindSocketConnection
@@ -1221,20 +1221,20 @@ pkix_pl_HttpDefaultClient_RequestCreate(
client->portnum,
&status,
&socket,
- plContext),
+ plCtx),
PKIX_HTTPCERTSTOREFINDSOCKETCONNECTIONFAILED);
#endif
client->socket = socket;
PKIX_CHECK(pkix_pl_Socket_GetCallbackList
- (socket, &callbackList, plContext),
+ (socket, &callbackList, plCtx),
PKIX_SOCKETGETCALLBACKLISTFAILED);
client->callbackList = (void *)callbackList;
PKIX_CHECK(pkix_pl_Socket_GetPRFileDesc
- (socket, &fileDesc, plContext),
+ (socket, &fileDesc, plCtx),
PKIX_SOCKETGETPRFILEDESCFAILED);
client->pollDesc.fd = fileDesc;
@@ -1264,7 +1264,7 @@ pkix_pl_HttpDefaultClient_SetPostData(
const char *http_data,
const PRUint32 http_data_len,
const char *http_content_type,
- void *plContext)
+ void *plCtx)
{
PKIX_PL_HttpDefaultClient *client = NULL;
@@ -1276,7 +1276,7 @@ pkix_pl_HttpDefaultClient_SetPostData(
PKIX_CHECK(pkix_CheckType
((PKIX_PL_Object *)request,
PKIX_HTTPDEFAULTCLIENT_TYPE,
- plContext),
+ plCtx),
PKIX_REQUESTNOTANHTTPDEFAULTCLIENT);
client = (PKIX_PL_HttpDefaultClient *)request;
@@ -1307,7 +1307,7 @@ pkix_pl_HttpDefaultClient_TrySendAndReceive(
PRUint32 *http_response_data_len,
PRPollDesc **pPollDesc,
SECStatus *pSECReturn,
- void *plContext)
+ void *plCtx)
{
PKIX_PL_HttpDefaultClient *client = NULL;
PKIX_UInt32 postLen = 0;
@@ -1324,7 +1324,7 @@ pkix_pl_HttpDefaultClient_TrySendAndReceive(
PKIX_CHECK(pkix_CheckType
((PKIX_PL_Object *)request,
PKIX_HTTPDEFAULTCLIENT_TYPE,
- plContext),
+ plCtx),
PKIX_REQUESTNOTANHTTPDEFAULTCLIENT);
client = (PKIX_PL_HttpDefaultClient *)request;
@@ -1380,7 +1380,7 @@ pkix_pl_HttpDefaultClient_TrySendAndReceive(
PKIX_CHECK(PKIX_PL_Malloc
(client->POSTLen,
(void **)&(client->POSTBuf),
- plContext),
+ plCtx),
PKIX_MALLOCFAILED);
/* copy header into postBuffer */
@@ -1407,7 +1407,7 @@ pkix_pl_HttpDefaultClient_TrySendAndReceive(
}
/* continue according to state */
- PKIX_CHECK(pkix_pl_HttpDefaultClient_Dispatch(client, plContext),
+ PKIX_CHECK(pkix_pl_HttpDefaultClient_Dispatch(client, plCtx),
PKIX_HTTPDEFAULTCLIENTDISPATCHFAILED);
switch (client->connectStatus) {
@@ -1478,7 +1478,7 @@ cleanup:
PKIX_Error *
pkix_pl_HttpDefaultClient_Cancel(
SEC_HTTP_REQUEST_SESSION request,
- void *plContext)
+ void *plCtx)
{
PKIX_ENTER(HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_Cancel");
PKIX_NULLCHECK_ONE(request);
@@ -1486,7 +1486,7 @@ pkix_pl_HttpDefaultClient_Cancel(
PKIX_CHECK(pkix_CheckType
((PKIX_PL_Object *)request,
PKIX_HTTPDEFAULTCLIENT_TYPE,
- plContext),
+ plCtx),
PKIX_REQUESTNOTANHTTPDEFAULTCLIENT);
/* XXX Not implemented */
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
index 9fa8e92608..09b54a2be3 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
@@ -23,8 +23,8 @@
* PARAMETERS
* "method"
* The UInt32 value to be stored as the method field of the InfoAccess.
- * "generalName"
- * The GeneralName to be stored as the generalName field of the InfoAccess.
+ * "gName"
+ * The GeneralName to be stored as the gName field of the InfoAccess.
* Must be non-NULL.
* "pInfoAccess"
* Address where the result is stored. Must be non-NULL.
@@ -39,7 +39,7 @@
static PKIX_Error *
pkix_pl_InfoAccess_Create(
PKIX_UInt32 method,
- PKIX_PL_GeneralName *generalName,
+ PKIX_PL_GeneralName *gName,
PKIX_PL_InfoAccess **pInfoAccess,
void *plContext)
{
@@ -47,7 +47,7 @@ pkix_pl_InfoAccess_Create(
PKIX_PL_InfoAccess *infoAccess = NULL;
PKIX_ENTER(INFOACCESS, "pkix_pl_InfoAccess_Create");
- PKIX_NULLCHECK_TWO(generalName, pInfoAccess);
+ PKIX_NULLCHECK_TWO(gName, pInfoAccess);
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_INFOACCESS_TYPE,
@@ -58,8 +58,8 @@ pkix_pl_InfoAccess_Create(
infoAccess->method = method;
- PKIX_INCREF(generalName);
- infoAccess->location = generalName;
+ PKIX_INCREF(gName);
+ infoAccess->location = gName;
*pInfoAccess = infoAccess;
infoAccess = NULL;
@@ -678,7 +678,7 @@ pkix_pl_UnescapeURL(
* [binary|<other-type>]]*
*
* PARAMETERS
- * "generalName"
+ * "gName"
* Address of the GeneralName whose LDAPLocation is to be parsed. Must be
* non-NULL.
* "arena"
@@ -700,7 +700,7 @@ pkix_pl_UnescapeURL(
*/
PKIX_Error *
pkix_pl_InfoAccess_ParseLocation(
- PKIX_PL_GeneralName *generalName,
+ PKIX_PL_GeneralName *gName,
PLArenaPool *arena,
LDAPRequestParams *request,
char **pDomainName,
@@ -722,9 +722,9 @@ pkix_pl_InfoAccess_ParseLocation(
LDAPNameComponent *nameComponent = NULL;
PKIX_ENTER(INFOACCESS, "pkix_pl_InfoAccess_ParseLocation");
- PKIX_NULLCHECK_FOUR(generalName, arena, request, pDomainName);
+ PKIX_NULLCHECK_FOUR(gName, arena, request, pDomainName);
- PKIX_TOSTRING(generalName, &locationString, plContext,
+ PKIX_TOSTRING(gName, &locationString, plContext,
PKIX_GENERALNAMETOSTRINGFAILED);
PKIX_CHECK(PKIX_PL_String_GetEncoded
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
index d62f4957b2..efb0827c51 100644
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -22,10 +22,10 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define NSS_VERSION "3.36.4" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.38" _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
-#define NSS_VMINOR 36
-#define NSS_VPATCH 4
+#define NSS_VMINOR 38
+#define NSS_VPATCH 0
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE
diff --git a/security/nss/lib/pk11wrap/pk11akey.c b/security/nss/lib/pk11wrap/pk11akey.c
index c45901ec39..346e473a96 100644
--- a/security/nss/lib/pk11wrap/pk11akey.c
+++ b/security/nss/lib/pk11wrap/pk11akey.c
@@ -804,12 +804,30 @@ PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType,
/* don't know? look it up */
if (keyType == nullKey) {
CK_KEY_TYPE pk11Type = CKK_RSA;
+ SECItem info;
pk11Type = PK11_ReadULongAttribute(slot, privID, CKA_KEY_TYPE);
isTemp = (PRBool)!PK11_HasAttributeSet(slot, privID, CKA_TOKEN, PR_FALSE);
switch (pk11Type) {
case CKK_RSA:
keyType = rsaKey;
+ /* determine RSA key type from the CKA_PUBLIC_KEY_INFO if present */
+ rv = PK11_ReadAttribute(slot, privID, CKA_PUBLIC_KEY_INFO, NULL, &info);
+ if (rv == SECSuccess) {
+ CERTSubjectPublicKeyInfo *spki;
+
+ spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&info);
+ if (spki) {
+ SECOidTag tag;
+
+ tag = SECOID_GetAlgorithmTag(&spki->algorithm);
+ if (tag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE)
+ keyType = rsaPssKey;
+ SECKEY_DestroySubjectPublicKeyInfo(spki);
+ }
+ SECITEM_FreeItem(&info, PR_FALSE);
+ }
+
break;
case CKK_DSA:
keyType = dsaKey;
diff --git a/security/nss/lib/pk11wrap/pk11pars.c b/security/nss/lib/pk11wrap/pk11pars.c
index fc30222b3d..c165e1ef24 100644
--- a/security/nss/lib/pk11wrap/pk11pars.c
+++ b/security/nss/lib/pk11wrap/pk11pars.c
@@ -547,16 +547,16 @@ secmod_applyCryptoPolicy(const char *policyString,
for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
const oidValDef *algOpt = &algOptList[i];
unsigned name_size = algOpt->name_size;
- PRBool newValue = PR_FALSE;
+ PRBool newOption = PR_FALSE;
if ((length >= name_size) && (cipher[name_size] == '/')) {
- newValue = PR_TRUE;
+ newOption = PR_TRUE;
}
- if ((newValue || algOpt->name_size == length) &&
+ if ((newOption || algOpt->name_size == length) &&
PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
PRUint32 value = algOpt->val;
PRUint32 enable, disable;
- if (newValue) {
+ if (newOption) {
value = secmod_parsePolicyValue(&cipher[name_size] + 1,
length - name_size - 1);
}
diff --git a/security/nss/lib/pkcs12/p12e.c b/security/nss/lib/pkcs12/p12e.c
index 4a21d8955d..c42c4d2e2e 100644
--- a/security/nss/lib/pkcs12/p12e.c
+++ b/security/nss/lib/pkcs12/p12e.c
@@ -884,7 +884,9 @@ sec_PKCS12AddAttributeToBag(SEC_PKCS12ExportContext *p12ctxt,
unsigned int nItems = 0;
SECStatus rv;
- if (!safeBag || !p12ctxt) {
+ PORT_Assert(p12ctxt->arena == safeBag->arena);
+ if (!safeBag || !p12ctxt || p12ctxt->arena != safeBag->arena) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
@@ -1589,6 +1591,7 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
params = PK11_CreatePBEParams(salt, &pwd,
NSS_PBE_DEFAULT_ITERATION_COUNT);
SECITEM_ZfreeItem(salt, PR_TRUE);
+ salt = NULL;
SECITEM_ZfreeItem(&pwd, PR_FALSE);
/* get the PBA Mechanism to generate the key */
diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c
index 4f17b8e842..ba51955abf 100644
--- a/security/nss/lib/pkcs7/p7decode.c
+++ b/security/nss/lib/pkcs7/p7decode.c
@@ -1596,7 +1596,6 @@ sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
} else {
SECItem *sig;
SECItem holder;
- SECStatus rv;
/*
* No authenticated attributes.
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
index fb3110a233..fab3a7a027 100644
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -1143,8 +1143,8 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
(PRBool)(trust->sslFlags & CERTDB_GOVT_APPROVED_CA);
if (c->object.cryptoContext != NULL) {
/* The cert is in a context, set the trust there */
- NSSCryptoContext *cc = c->object.cryptoContext;
- nssrv = nssCryptoContext_ImportTrust(cc, nssTrust);
+ NSSCryptoContext *cctx = c->object.cryptoContext;
+ nssrv = nssCryptoContext_ImportTrust(cctx, nssTrust);
if (nssrv != PR_SUCCESS) {
goto done;
}
diff --git a/security/nss/lib/smime/cmsrecinfo.c b/security/nss/lib/smime/cmsrecinfo.c
index 2efb6b1f22..8cab288d2e 100644
--- a/security/nss/lib/smime/cmsrecinfo.c
+++ b/security/nss/lib/smime/cmsrecinfo.c
@@ -82,7 +82,7 @@ nss_cmsrecipientinfo_create(NSSCMSMessage *cmsg,
if (DERinput) {
/* decode everything from DER */
SECItem newinput;
- SECStatus rv = SECITEM_CopyItem(poolp, &newinput, DERinput);
+ rv = SECITEM_CopyItem(poolp, &newinput, DERinput);
if (SECSuccess != rv)
goto loser;
rv = SEC_QuickDERDecodeItem(poolp, ri, NSSCMSRecipientInfoTemplate, &newinput);
diff --git a/security/nss/lib/softoken/legacydb/pcertdb.c b/security/nss/lib/softoken/legacydb/pcertdb.c
index 2e8b650ee9..47778190db 100644
--- a/security/nss/lib/softoken/legacydb/pcertdb.c
+++ b/security/nss/lib/softoken/legacydb/pcertdb.c
@@ -2577,14 +2577,13 @@ ReadDBSubjectEntry(NSSLOWCERTCertDBHandle *handle, SECItem *derSubject)
SECItem dbentry;
SECStatus rv;
+ PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
}
- PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
-
entry = (certDBEntrySubject *)PORT_ArenaAlloc(arena,
sizeof(certDBEntrySubject));
if (entry == NULL) {
diff --git a/security/nss/lib/softoken/lowkey.c b/security/nss/lib/softoken/lowkey.c
index 295d55f40b..a28a3a55ee 100644
--- a/security/nss/lib/softoken/lowkey.c
+++ b/security/nss/lib/softoken/lowkey.c
@@ -45,6 +45,23 @@ const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[] = {
{ 0 }
};
+const SEC_ASN1Template nsslowkey_SubjectPublicKeyInfoTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYSubjectPublicKeyInfo) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(NSSLOWKEYSubjectPublicKeyInfo, algorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { SEC_ASN1_BIT_STRING,
+ offsetof(NSSLOWKEYSubjectPublicKeyInfo, subjectPublicKey) },
+ { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_RSAPublicKeyTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPublicKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey, u.rsa.modulus) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey, u.rsa.publicExponent) },
+ { 0 }
+};
+
const SEC_ASN1Template nsslowkey_PQGParamsTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PQGParams) },
{ SEC_ASN1_INTEGER, offsetof(PQGParams, prime) },
@@ -135,6 +152,13 @@ prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
}
void
+prepare_low_rsa_pub_key_for_asn1(NSSLOWKEYPublicKey *key)
+{
+ key->u.rsa.modulus.type = siUnsignedInteger;
+ key->u.rsa.publicExponent.type = siUnsignedInteger;
+}
+
+void
prepare_low_pqg_params_for_asn1(PQGParams *params)
{
params->prime.type = siUnsignedInteger;
diff --git a/security/nss/lib/softoken/lowkeyi.h b/security/nss/lib/softoken/lowkeyi.h
index f9ba3a75f3..e599f01fa0 100644
--- a/security/nss/lib/softoken/lowkeyi.h
+++ b/security/nss/lib/softoken/lowkeyi.h
@@ -27,6 +27,7 @@ extern void prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key);
extern void prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
extern void prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
extern void prepare_low_ecparams_for_asn1(ECParams *params);
+extern void prepare_low_rsa_pub_key_for_asn1(NSSLOWKEYPublicKey *key);
/*
** Destroy a private key object.
diff --git a/security/nss/lib/softoken/lowkeyti.h b/security/nss/lib/softoken/lowkeyti.h
index c048b33e74..7e77592c53 100644
--- a/security/nss/lib/softoken/lowkeyti.h
+++ b/security/nss/lib/softoken/lowkeyti.h
@@ -25,6 +25,8 @@ extern const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[];
extern const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[];
extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowkey_SubjectPublicKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowkey_RSAPublicKeyTemplate[];
/*
* PKCS #8 attributes
@@ -48,6 +50,13 @@ struct NSSLOWKEYPrivateKeyInfoStr {
typedef struct NSSLOWKEYPrivateKeyInfoStr NSSLOWKEYPrivateKeyInfo;
#define NSSLOWKEY_PRIVATE_KEY_INFO_VERSION 0 /* what we *create* */
+struct NSSLOWKEYSubjectPublicKeyInfoStr {
+ PLArenaPool *arena;
+ SECAlgorithmID algorithm;
+ SECItem subjectPublicKey;
+};
+typedef struct NSSLOWKEYSubjectPublicKeyInfoStr NSSLOWKEYSubjectPublicKeyInfo;
+
typedef enum {
NSSLOWKEYNullKey = 0,
NSSLOWKEYRSAKey = 1,
diff --git a/security/nss/lib/softoken/lowpbe.c b/security/nss/lib/softoken/lowpbe.c
index 0a47804bf1..4a101c68c4 100644
--- a/security/nss/lib/softoken/lowpbe.c
+++ b/security/nss/lib/softoken/lowpbe.c
@@ -1073,15 +1073,15 @@ sec_pkcs5_rc2(SECItem *key, SECItem *iv, SECItem *src, PRBool dummy,
}
if (encrypt != PR_FALSE) {
- void *dummy;
+ void *v;
- dummy = CBC_PadBuffer(NULL, dup_src->data,
- dup_src->len, &dup_src->len, 8 /* RC2_BLOCK_SIZE */);
- if (dummy == NULL) {
+ v = CBC_PadBuffer(NULL, dup_src->data,
+ dup_src->len, &dup_src->len, 8 /* RC2_BLOCK_SIZE */);
+ if (v == NULL) {
SECITEM_FreeItem(dup_src, PR_TRUE);
return NULL;
}
- dup_src->data = (unsigned char *)dummy;
+ dup_src->data = (unsigned char *)v;
}
dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index 77882a274e..34f25a9d06 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -1343,7 +1343,6 @@ sftk_handleSecretKeyObject(SFTKSession *session, SFTKObject *object,
if (sftk_isTrue(object, CKA_TOKEN)) {
SFTKSlot *slot = session->slot;
SFTKDBHandle *keyHandle = sftk_getKeyDB(slot);
- CK_RV crv;
if (keyHandle == NULL) {
return CKR_TOKEN_WRITE_PROTECTED;
@@ -3807,12 +3806,12 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
PZ_Unlock(slot->slotLock);
/* Reset login flags. */
if (ulNewLen == 0) {
- PRBool tokenRemoved = PR_FALSE;
PZ_Lock(slot->slotLock);
slot->isLoggedIn = PR_FALSE;
slot->ssoLoggedIn = PR_FALSE;
PZ_Unlock(slot->slotLock);
+ tokenRemoved = PR_FALSE;
rv = sftkdb_CheckPassword(handle, "", &tokenRemoved);
if (tokenRemoved) {
sftk_CloseAllSessions(slot, PR_FALSE);
@@ -4422,6 +4421,44 @@ NSC_GetObjectSize(CK_SESSION_HANDLE hSession,
return CKR_OK;
}
+static CK_RV
+nsc_GetTokenAttributeValue(SFTKSession *session, CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
+{
+ SFTKSlot *slot = sftk_SlotFromSession(session);
+ SFTKDBHandle *dbHandle = sftk_getDBForTokenObject(slot, hObject);
+ SFTKDBHandle *keydb = NULL;
+ CK_RV crv;
+
+ if (dbHandle == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ crv = sftkdb_GetAttributeValue(dbHandle, hObject, pTemplate, ulCount);
+
+ /* make sure we don't export any sensitive information */
+ keydb = sftk_getKeyDB(slot);
+ if (dbHandle == keydb) {
+ CK_ULONG i;
+ for (i = 0; i < ulCount; i++) {
+ if (sftk_isSensitive(pTemplate[i].type, CKO_PRIVATE_KEY)) {
+ crv = CKR_ATTRIBUTE_SENSITIVE;
+ if (pTemplate[i].pValue && (pTemplate[i].ulValueLen != -1)) {
+ PORT_Memset(pTemplate[i].pValue, 0,
+ pTemplate[i].ulValueLen);
+ }
+ pTemplate[i].ulValueLen = -1;
+ }
+ }
+ }
+
+ sftk_freeDB(dbHandle);
+ if (keydb) {
+ sftk_freeDB(keydb);
+ }
+ return crv;
+}
+
/* NSC_GetAttributeValue obtains the value of one or more object attributes. */
CK_RV
NSC_GetAttributeValue(CK_SESSION_HANDLE hSession,
@@ -4450,37 +4487,8 @@ NSC_GetAttributeValue(CK_SESSION_HANDLE hSession,
/* short circuit everything for token objects */
if (sftk_isToken(hObject)) {
- SFTKSlot *slot = sftk_SlotFromSession(session);
- SFTKDBHandle *dbHandle = sftk_getDBForTokenObject(slot, hObject);
- SFTKDBHandle *keydb = NULL;
-
- if (dbHandle == NULL) {
- sftk_FreeSession(session);
- return CKR_OBJECT_HANDLE_INVALID;
- }
-
- crv = sftkdb_GetAttributeValue(dbHandle, hObject, pTemplate, ulCount);
-
- /* make sure we don't export any sensitive information */
- keydb = sftk_getKeyDB(slot);
- if (dbHandle == keydb) {
- for (i = 0; i < (int)ulCount; i++) {
- if (sftk_isSensitive(pTemplate[i].type, CKO_PRIVATE_KEY)) {
- crv = CKR_ATTRIBUTE_SENSITIVE;
- if (pTemplate[i].pValue && (pTemplate[i].ulValueLen != -1)) {
- PORT_Memset(pTemplate[i].pValue, 0,
- pTemplate[i].ulValueLen);
- }
- pTemplate[i].ulValueLen = -1;
- }
- }
- }
-
+ crv = nsc_GetTokenAttributeValue(session, hObject, pTemplate, ulCount);
sftk_FreeSession(session);
- sftk_freeDB(dbHandle);
- if (keydb) {
- sftk_freeDB(keydb);
- }
return crv;
}
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
index d675d73315..385d3c1444 100644
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -5324,7 +5324,52 @@ sftk_PackagePrivateKey(SFTKObject *key, CK_RV *crvp)
prepare_low_rsa_priv_key_for_asn1(lk);
dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
nsslowkey_RSAPrivateKeyTemplate);
- algorithm = SEC_OID_PKCS1_RSA_ENCRYPTION;
+
+ /* determine RSA key type from the CKA_PUBLIC_KEY_INFO if present */
+ attribute = sftk_FindAttribute(key, CKA_PUBLIC_KEY_INFO);
+ if (attribute) {
+ NSSLOWKEYSubjectPublicKeyInfo *publicKeyInfo;
+ SECItem spki;
+
+ spki.data = attribute->attrib.pValue;
+ spki.len = attribute->attrib.ulValueLen;
+
+ publicKeyInfo = PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYSubjectPublicKeyInfo));
+ if (!publicKeyInfo) {
+ sftk_FreeAttribute(attribute);
+ *crvp = CKR_HOST_MEMORY;
+ rv = SECFailure;
+ goto loser;
+ }
+ rv = SEC_QuickDERDecodeItem(arena, publicKeyInfo,
+ nsslowkey_SubjectPublicKeyInfoTemplate,
+ &spki);
+ if (rv != SECSuccess) {
+ sftk_FreeAttribute(attribute);
+ *crvp = CKR_KEY_TYPE_INCONSISTENT;
+ goto loser;
+ }
+ algorithm = SECOID_GetAlgorithmTag(&publicKeyInfo->algorithm);
+ if (algorithm != SEC_OID_PKCS1_RSA_ENCRYPTION &&
+ algorithm != SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+ sftk_FreeAttribute(attribute);
+ rv = SECFailure;
+ *crvp = CKR_KEY_TYPE_INCONSISTENT;
+ goto loser;
+ }
+ param = SECITEM_DupItem(&publicKeyInfo->algorithm.parameters);
+ if (!param) {
+ sftk_FreeAttribute(attribute);
+ rv = SECFailure;
+ *crvp = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ sftk_FreeAttribute(attribute);
+ } else {
+ /* default to PKCS #1 */
+ algorithm = SEC_OID_PKCS1_RSA_ENCRYPTION;
+ }
break;
case NSSLOWKEYDSAKey:
prepare_low_dsa_priv_key_export_for_asn1(lk);
@@ -5803,6 +5848,53 @@ sftk_unwrapPrivateKey(SFTKObject *key, SECItem *bpki)
break;
}
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* For RSA-PSS, record the original algorithm parameters so
+ * they can be encrypted altoghether when wrapping */
+ if (SECOID_GetAlgorithmTag(&pki->algorithm) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+ NSSLOWKEYSubjectPublicKeyInfo spki;
+ NSSLOWKEYPublicKey pubk;
+ SECItem *publicKeyInfo;
+
+ memset(&spki, 0, sizeof(NSSLOWKEYSubjectPublicKeyInfo));
+ rv = SECOID_CopyAlgorithmID(arena, &spki.algorithm, &pki->algorithm);
+ if (rv != SECSuccess) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ prepare_low_rsa_pub_key_for_asn1(&pubk);
+
+ rv = SECITEM_CopyItem(arena, &pubk.u.rsa.modulus, &lpk->u.rsa.modulus);
+ if (rv != SECSuccess) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ rv = SECITEM_CopyItem(arena, &pubk.u.rsa.publicExponent, &lpk->u.rsa.publicExponent);
+ if (rv != SECSuccess) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ if (SEC_ASN1EncodeItem(arena, &spki.subjectPublicKey,
+ &pubk, nsslowkey_RSAPublicKeyTemplate) == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ publicKeyInfo = SEC_ASN1EncodeItem(arena, NULL,
+ &spki, nsslowkey_SubjectPublicKeyInfoTemplate);
+ if (!publicKeyInfo) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(key, CKA_PUBLIC_KEY_INFO,
+ sftk_item_expand(publicKeyInfo));
+ }
+
loser:
if (lpk) {
nsslowkey_DestroyPrivateKey(lpk);
@@ -7575,13 +7667,13 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession,
(const CK_NSS_HKDFParams *)pMechanism->pParameter;
const SECHashObject *rawHash;
unsigned hashLen;
- CK_BYTE buf[HASH_LENGTH_MAX];
+ CK_BYTE hashbuf[HASH_LENGTH_MAX];
CK_BYTE *prk; /* psuedo-random key */
CK_ULONG prkLen;
CK_BYTE *okm; /* output keying material */
rawHash = HASH_GetRawHashObject(hashType);
- if (rawHash == NULL || rawHash->length > sizeof buf) {
+ if (rawHash == NULL || rawHash->length > sizeof(hashbuf)) {
crv = CKR_FUNCTION_FAILED;
break;
}
@@ -7615,7 +7707,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession,
saltLen = params->ulSaltLen;
if (salt == NULL) {
saltLen = hashLen;
- salt = buf;
+ salt = hashbuf;
memset(salt, 0, saltLen);
}
hmac = HMAC_Create(rawHash, salt, saltLen, isFIPS);
@@ -7626,10 +7718,10 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession,
HMAC_Begin(hmac);
HMAC_Update(hmac, (const unsigned char *)att->attrib.pValue,
att->attrib.ulValueLen);
- HMAC_Finish(hmac, buf, &bufLen, sizeof(buf));
+ HMAC_Finish(hmac, hashbuf, &bufLen, sizeof(hashbuf));
HMAC_Destroy(hmac, PR_TRUE);
PORT_Assert(bufLen == rawHash->length);
- prk = buf;
+ prk = hashbuf;
prkLen = bufLen;
} else {
/* PRK = base key value */
@@ -7646,24 +7738,24 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession,
* key material = T(1) | ... | T(n)
*/
HMACContext *hmac;
- CK_BYTE i;
+ CK_BYTE bi;
unsigned iterations = PR_ROUNDUP(keySize, hashLen) / hashLen;
hmac = HMAC_Create(rawHash, prk, prkLen, isFIPS);
if (hmac == NULL) {
crv = CKR_HOST_MEMORY;
break;
}
- for (i = 1; i <= iterations; ++i) {
+ for (bi = 1; bi <= iterations; ++bi) {
unsigned len;
HMAC_Begin(hmac);
- if (i > 1) {
- HMAC_Update(hmac, key_block + ((i - 2) * hashLen), hashLen);
+ if (bi > 1) {
+ HMAC_Update(hmac, key_block + ((bi - 2) * hashLen), hashLen);
}
if (params->ulInfoLen != 0) {
HMAC_Update(hmac, params->pInfo, params->ulInfoLen);
}
- HMAC_Update(hmac, &i, 1);
- HMAC_Finish(hmac, key_block + ((i - 1) * hashLen), &len,
+ HMAC_Update(hmac, &bi, 1);
+ HMAC_Finish(hmac, key_block + ((bi - 1) * hashLen), &len,
hashLen);
PORT_Assert(len == hashLen);
}
diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c
index 27e411759e..7b5fe732f3 100644
--- a/security/nss/lib/softoken/pkcs11u.c
+++ b/security/nss/lib/softoken/pkcs11u.c
@@ -1193,7 +1193,7 @@ sftk_DeleteObject(SFTKSession *session, SFTKObject *object)
/* Handle Token case */
if (so && so->session) {
- SFTKSession *session = so->session;
+ session = so->session;
PZ_Lock(session->objectLock);
sftkqueue_delete(&so->sessionList, 0, session->objects, 0);
PZ_Unlock(session->objectLock);
@@ -1269,7 +1269,7 @@ static const CK_ULONG ecPubKeyAttrsCount =
static const CK_ATTRIBUTE_TYPE commonPrivKeyAttrs[] = {
CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER, CKA_UNWRAP, CKA_SUBJECT,
- CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_NETSCAPE_DB
+ CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_NETSCAPE_DB, CKA_PUBLIC_KEY_INFO
};
static const CK_ULONG commonPrivKeyAttrsCount =
sizeof(commonPrivKeyAttrs) / sizeof(commonPrivKeyAttrs[0]);
diff --git a/security/nss/lib/softoken/sdb.c b/security/nss/lib/softoken/sdb.c
index 96717cb268..fb897d68cc 100644
--- a/security/nss/lib/softoken/sdb.c
+++ b/security/nss/lib/softoken/sdb.c
@@ -37,6 +37,10 @@
#elif defined(XP_UNIX)
#include <unistd.h>
#endif
+#if defined(LINUX) && !defined(ANDROID)
+#include <linux/magic.h>
+#include <sys/vfs.h>
+#endif
#include "utilpars.h"
#ifdef SQLITE_UNSAFE_THREADS
@@ -154,7 +158,8 @@ static const CK_ATTRIBUTE_TYPE known_attributes[] = {
CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_IPSEC_END_SYSTEM,
CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER, CKA_TRUST_TIME_STAMPING,
CKA_TRUST_STEP_UP_APPROVED, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH,
- CKA_NETSCAPE_DB, CKA_NETSCAPE_TRUST, CKA_NSS_OVERRIDE_EXTENSIONS
+ CKA_NETSCAPE_DB, CKA_NETSCAPE_TRUST, CKA_NSS_OVERRIDE_EXTENSIONS,
+ CKA_PUBLIC_KEY_INFO
};
static int known_attributes_size = sizeof(known_attributes) /
@@ -643,13 +648,18 @@ static int
sdb_openDB(const char *name, sqlite3 **sqlDB, int flags)
{
int sqlerr;
- /*
- * in sqlite3 3.5.0, there is a new open call that allows us
- * to specify read only. Most new OS's are still on 3.3.x (including
- * NSS's internal version and the version shipped with Firefox).
- */
+ int openFlags;
+
*sqlDB = NULL;
- sqlerr = sqlite3_open(name, sqlDB);
+
+ if (flags & SDB_RDONLY) {
+ openFlags = SQLITE_OPEN_READONLY;
+ } else {
+ openFlags = SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE;
+ }
+
+ /* Requires SQLite 3.5.0 or newer. */
+ sqlerr = sqlite3_open_v2(name, sqlDB, openFlags, NULL);
if (sqlerr != SQLITE_OK) {
return sqlerr;
}
@@ -1757,6 +1767,8 @@ sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate,
PRIntervalTime now = 0;
char *env;
PRBool enableCache = PR_FALSE;
+ PRBool checkFSType = PR_FALSE;
+ PRBool measureSpeed = PR_FALSE;
PRBool create;
int flags = inFlags & 0x7;
@@ -1917,11 +1929,48 @@ sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate,
env = PR_GetEnvSecure("NSS_SDB_USE_CACHE");
- if (!env || PORT_Strcasecmp(env, "no") == 0) {
- enableCache = PR_FALSE;
+ /* Variables enableCache, checkFSType, measureSpeed are PR_FALSE by default,
+ * which is the expected behavior for NSS_SDB_USE_CACHE="no".
+ * We don't need to check for "no" here. */
+ if (!env) {
+ /* By default, with no variable set, we avoid expensive measuring for
+ * most FS types. We start with inexpensive FS type checking, and
+ * might perform measuring for some types. */
+ checkFSType = PR_TRUE;
} else if (PORT_Strcasecmp(env, "yes") == 0) {
enableCache = PR_TRUE;
- } else {
+ } else if (PORT_Strcasecmp(env, "no") != 0) { /* not "no" => "auto" */
+ measureSpeed = PR_TRUE;
+ }
+
+ if (checkFSType) {
+#if defined(LINUX) && !defined(ANDROID)
+ struct statfs statfs_s;
+ if (statfs(dbname, &statfs_s) == 0) {
+ switch (statfs_s.f_type) {
+ case SMB_SUPER_MAGIC:
+ case 0xff534d42: /* CIFS_MAGIC_NUMBER */
+ case NFS_SUPER_MAGIC:
+ /* We assume these are slow. */
+ enableCache = PR_TRUE;
+ break;
+ case CODA_SUPER_MAGIC:
+ case 0x65735546: /* FUSE_SUPER_MAGIC */
+ case NCP_SUPER_MAGIC:
+ /* It's uncertain if this FS is fast or slow.
+ * It seems reasonable to perform slow measuring for users
+ * with questionable FS speed. */
+ measureSpeed = PR_TRUE;
+ break;
+ case AFS_SUPER_MAGIC: /* Already implements caching. */
+ default:
+ break;
+ }
+ }
+#endif
+ }
+
+ if (measureSpeed) {
char *tempDir = NULL;
PRUint32 tempOps = 0;
/*
diff --git a/security/nss/lib/softoken/sftkdb.c b/security/nss/lib/softoken/sftkdb.c
index 2ae0840682..409c910f46 100644
--- a/security/nss/lib/softoken/sftkdb.c
+++ b/security/nss/lib/softoken/sftkdb.c
@@ -1591,7 +1591,8 @@ static const CK_ATTRIBUTE_TYPE known_attributes[] = {
CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_IPSEC_END_SYSTEM,
CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER, CKA_TRUST_TIME_STAMPING,
CKA_TRUST_STEP_UP_APPROVED, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH,
- CKA_NETSCAPE_DB, CKA_NETSCAPE_TRUST, CKA_NSS_OVERRIDE_EXTENSIONS
+ CKA_NETSCAPE_DB, CKA_NETSCAPE_TRUST, CKA_NSS_OVERRIDE_EXTENSIONS,
+ CKA_PUBLIC_KEY_INFO
};
static unsigned int known_attributes_size = sizeof(known_attributes) /
diff --git a/security/nss/lib/softoken/sftkpars.c b/security/nss/lib/softoken/sftkpars.c
index e972fe8541..5e96a1c040 100644
--- a/security/nss/lib/softoken/sftkpars.c
+++ b/security/nss/lib/softoken/sftkpars.c
@@ -162,7 +162,7 @@ sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS)
}
if (parsed->tokens == NULL) {
int count = isFIPS ? 1 : 2;
- int index = count - 1;
+ int i = count - 1;
sftk_token_parameters *tokens = NULL;
tokens = (sftk_token_parameters *)
@@ -172,30 +172,30 @@ sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS)
}
parsed->tokens = tokens;
parsed->token_count = count;
- tokens[index].slotID = isFIPS ? FIPS_SLOT_ID : PRIVATE_KEY_SLOT_ID;
- tokens[index].certPrefix = certPrefix;
- tokens[index].keyPrefix = keyPrefix;
- tokens[index].minPW = minPW ? atoi(minPW) : 0;
- tokens[index].readOnly = parsed->readOnly;
- tokens[index].noCertDB = parsed->noCertDB;
- tokens[index].noKeyDB = parsed->noCertDB;
- tokens[index].forceOpen = parsed->forceOpen;
- tokens[index].pwRequired = parsed->pwRequired;
- tokens[index].optimizeSpace = parsed->optimizeSpace;
+ tokens[i].slotID = isFIPS ? FIPS_SLOT_ID : PRIVATE_KEY_SLOT_ID;
+ tokens[i].certPrefix = certPrefix;
+ tokens[i].keyPrefix = keyPrefix;
+ tokens[i].minPW = minPW ? atoi(minPW) : 0;
+ tokens[i].readOnly = parsed->readOnly;
+ tokens[i].noCertDB = parsed->noCertDB;
+ tokens[i].noKeyDB = parsed->noCertDB;
+ tokens[i].forceOpen = parsed->forceOpen;
+ tokens[i].pwRequired = parsed->pwRequired;
+ tokens[i].optimizeSpace = parsed->optimizeSpace;
tokens[0].optimizeSpace = parsed->optimizeSpace;
certPrefix = NULL;
keyPrefix = NULL;
if (isFIPS) {
- tokens[index].tokdes = ftokdes;
- tokens[index].updtokdes = pupdtokdes;
- tokens[index].slotdes = fslotdes;
+ tokens[i].tokdes = ftokdes;
+ tokens[i].updtokdes = pupdtokdes;
+ tokens[i].slotdes = fslotdes;
fslotdes = NULL;
ftokdes = NULL;
pupdtokdes = NULL;
} else {
- tokens[index].tokdes = ptokdes;
- tokens[index].updtokdes = pupdtokdes;
- tokens[index].slotdes = pslotdes;
+ tokens[i].tokdes = ptokdes;
+ tokens[i].updtokdes = pupdtokdes;
+ tokens[i].slotdes = pslotdes;
tokens[0].slotID = NETSCAPE_SLOT_ID;
tokens[0].tokdes = tokdes;
tokens[0].slotdes = slotdes;
diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c
index e0d2df9ab4..9834d3ba01 100644
--- a/security/nss/lib/softoken/sftkpwd.c
+++ b/security/nss/lib/softoken/sftkpwd.c
@@ -138,12 +138,14 @@ sftkdb_decodeCipherText(SECItem *cipherText, sftkCipherValue *cipherValue)
SFTKDBEncryptedDataInfo edi;
SECStatus rv;
+ PORT_Assert(cipherValue);
+ cipherValue->arena = NULL;
+ cipherValue->param = NULL;
+
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
return SECFailure;
}
- cipherValue->arena = NULL;
- cipherValue->param = NULL;
rv = SEC_QuickDERDecodeItem(arena, &edi, sftkdb_EncryptedDataInfoTemplate,
cipherText);
diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h
index f760ba21d8..827bf2e221 100644
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -17,10 +17,10 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define SOFTOKEN_VERSION "3.36.4" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.38" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
-#define SOFTOKEN_VMINOR 36
-#define SOFTOKEN_VPATCH 4
+#define SOFTOKEN_VMINOR 38
+#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE
diff --git a/security/nss/lib/ssl/SSLerrs.h b/security/nss/lib/ssl/SSLerrs.h
index d3f0875442..f01d165833 100644
--- a/security/nss/lib/ssl/SSLerrs.h
+++ b/security/nss/lib/ssl/SSLerrs.h
@@ -374,7 +374,7 @@ ER3(SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY, (SSL_ERROR_BASE + 115),
"SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.")
ER3(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID, (SSL_ERROR_BASE + 116),
- "SSL received invalid NPN extension data.")
+ "SSL received invalid ALPN extension data.")
ER3(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2, (SSL_ERROR_BASE + 117),
"SSL feature not supported for SSL 2.0 connections.")
@@ -543,3 +543,12 @@ ER3(SSL_ERROR_TOO_MANY_KEY_UPDATES, (SSL_ERROR_BASE + 171),
ER3(SSL_ERROR_HANDSHAKE_FAILED, (SSL_ERROR_BASE + 172),
"SSL handshake has already failed. No more operations possible.")
+
+ER3(SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR, (SSL_ERROR_BASE + 173),
+ "SSL received an invalid resumption token.")
+
+ER3(SSL_ERROR_RX_MALFORMED_DTLS_ACK, (SSL_ERROR_BASE + 174),
+ "SSL received a malformed DTLS ACK")
+
+ER3(SSL_ERROR_DH_KEY_TOO_LONG, (SSL_ERROR_BASE + 175),
+ "SSL received a DH key share that's too long (>8192 bit).")
diff --git a/security/nss/lib/ssl/dtls13con.c b/security/nss/lib/ssl/dtls13con.c
index aba0f62ab8..de6cb47ca2 100644
--- a/security/nss/lib/ssl/dtls13con.c
+++ b/security/nss/lib/ssl/dtls13con.c
@@ -11,6 +11,43 @@
#include "sslimpl.h"
#include "sslproto.h"
+SECStatus
+dtls13_InsertCipherTextHeader(const sslSocket *ss, ssl3CipherSpec *cwSpec,
+ sslBuffer *wrBuf, PRBool *needsLength)
+{
+ PRUint32 seq;
+ SECStatus rv;
+
+ /* Avoid using short records for the handshake. We pack multiple records
+ * into the one datagram for the handshake. */
+ if (ss->opt.enableDtlsShortHeader &&
+ cwSpec->epoch != TrafficKeyHandshake) {
+ *needsLength = PR_FALSE;
+ /* The short header is comprised of two octets in the form
+ * 0b001essssssssssss where 'e' is the low bit of the epoch and 's' is
+ * the low 12 bits of the sequence number. */
+ seq = 0x2000 |
+ (((uint64_t)cwSpec->epoch & 1) << 12) |
+ (cwSpec->nextSeqNum & 0xfff);
+ return sslBuffer_AppendNumber(wrBuf, seq, 2);
+ }
+
+ rv = sslBuffer_AppendNumber(wrBuf, content_application_data, 1);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ /* The epoch and sequence number are encoded on 4 octets, with the epoch
+ * consuming the first two bits. */
+ seq = (((uint64_t)cwSpec->epoch & 3) << 30) | (cwSpec->nextSeqNum & 0x3fffffff);
+ rv = sslBuffer_AppendNumber(wrBuf, seq, 4);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ *needsLength = PR_TRUE;
+ return SECSuccess;
+}
+
/* DTLS 1.3 Record map for ACK processing.
* This represents a single fragment, so a record which includes
* multiple fragments will have one entry for each fragment on the
@@ -82,10 +119,15 @@ dtls13_SendAck(sslSocket *ss)
SECStatus rv = SECSuccess;
PRCList *cursor;
PRInt32 sent;
+ unsigned int offset;
SSL_TRC(10, ("%d: SSL3[%d]: Sending ACK",
SSL_GETPID(), ss->fd));
+ rv = sslBuffer_Skip(&buf, 2, &offset);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
for (cursor = PR_LIST_HEAD(&ss->ssl3.hs.dtlsRcvdHandshake);
cursor != &ss->ssl3.hs.dtlsRcvdHandshake;
cursor = PR_NEXT_LINK(cursor)) {
@@ -99,6 +141,11 @@ dtls13_SendAck(sslSocket *ss)
}
}
+ rv = sslBuffer_InsertLength(&buf, offset, 2);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
ssl_GetXmitBufLock(ss);
sent = ssl3_SendRecord(ss, NULL, content_ack,
buf.buf, buf.len, 0);
@@ -364,6 +411,7 @@ dtls13_HandleAck(sslSocket *ss, sslBuffer *databuf)
{
PRUint8 *b = databuf->buf;
PRUint32 l = databuf->len;
+ unsigned int length;
SECStatus rv;
/* Ensure we don't loop. */
@@ -372,10 +420,19 @@ dtls13_HandleAck(sslSocket *ss, sslBuffer *databuf)
PORT_Assert(IS_DTLS(ss));
if (!tls13_MaybeTls13(ss)) {
tls13_FatalError(ss, SSL_ERROR_RX_UNKNOWN_RECORD_TYPE, illegal_parameter);
- return SECSuccess;
+ return SECFailure;
}
SSL_TRC(10, ("%d: SSL3[%d]: Handling ACK", SSL_GETPID(), ss->fd));
+ rv = ssl3_ConsumeHandshakeNumber(ss, &length, 2, &b, &l);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ if (length != l) {
+ tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_DTLS_ACK, decode_error);
+ return SECFailure;
+ }
+
while (l > 0) {
PRUint64 seq;
PRCList *cursor;
diff --git a/security/nss/lib/ssl/dtls13con.h b/security/nss/lib/ssl/dtls13con.h
index bf14d3bd2e..ca48ef3638 100644
--- a/security/nss/lib/ssl/dtls13con.h
+++ b/security/nss/lib/ssl/dtls13con.h
@@ -9,6 +9,10 @@
#ifndef __dtls13con_h_
#define __dtls13con_h_
+SECStatus dtls13_InsertCipherTextHeader(const sslSocket *ss,
+ ssl3CipherSpec *cwSpec,
+ sslBuffer *wrBuf,
+ PRBool *needsLength);
SECStatus dtls13_RememberFragment(sslSocket *ss, PRCList *list,
PRUint32 sequence, PRUint32 offset,
PRUint32 length, DTLSEpoch epoch,
diff --git a/security/nss/lib/ssl/dtlscon.c b/security/nss/lib/ssl/dtlscon.c
index 2f335f9247..a82295c668 100644
--- a/security/nss/lib/ssl/dtlscon.c
+++ b/security/nss/lib/ssl/dtlscon.c
@@ -724,13 +724,16 @@ dtls_FragmentHandshake(sslSocket *ss, DTLSQueuedMessage *msg)
PORT_Assert(end <= contentLen);
fragmentLen = PR_MIN(end, contentLen) - fragmentOffset;
- /* Reduce to the space remaining in the MTU. Allow for any existing
- * messages, record expansion, and the handshake header. */
+ /* Limit further by the record size limit. Account for the header. */
+ fragmentLen = PR_MIN(fragmentLen,
+ msg->cwSpec->recordSizeLimit - DTLS_HS_HDR_LEN);
+
+ /* Reduce to the space remaining in the MTU. */
fragmentLen = PR_MIN(fragmentLen,
ss->ssl3.mtu - /* MTU estimate. */
- ss->pendingBuf.len - /* Less unsent records. */
+ ss->pendingBuf.len - /* Less any unsent records. */
DTLS_MAX_EXPANSION - /* Allow for expansion. */
- DTLS_HS_HDR_LEN); /* + handshake header. */
+ DTLS_HS_HDR_LEN); /* And the handshake header. */
PORT_Assert(fragmentLen > 0 || fragmentOffset == 0);
/* Make totally sure that we will fit in the buffer. This should be
@@ -776,7 +779,7 @@ dtls_FragmentHandshake(sslSocket *ss, DTLSQueuedMessage *msg)
rv = dtls13_RememberFragment(ss, &ss->ssl3.hs.dtlsSentHandshake,
msgSeq, fragmentOffset, fragmentLen,
msg->cwSpec->epoch,
- msg->cwSpec->seqNum);
+ msg->cwSpec->nextSeqNum);
if (rv != SECSuccess) {
return SECFailure;
}
@@ -1319,6 +1322,107 @@ DTLS_GetHandshakeTimeout(PRFileDesc *socket, PRIntervalTime *timeout)
return SECSuccess;
}
+PRBool
+dtls_IsLongHeader(SSL3ProtocolVersion version, PRUint8 firstOctet)
+{
+#ifndef UNSAFE_FUZZER_MODE
+ return version < SSL_LIBRARY_VERSION_TLS_1_3 ||
+ firstOctet == content_handshake ||
+ firstOctet == content_ack ||
+ firstOctet == content_alert;
+#else
+ return PR_TRUE;
+#endif
+}
+
+DTLSEpoch
+dtls_ReadEpoch(const ssl3CipherSpec *crSpec, const PRUint8 *hdr)
+{
+ DTLSEpoch epoch;
+ DTLSEpoch maxEpoch;
+ DTLSEpoch partial;
+
+ if (dtls_IsLongHeader(crSpec->version, hdr[0])) {
+ return ((DTLSEpoch)hdr[3] << 8) | hdr[4];
+ }
+
+ /* A lot of how we recover the epoch here will depend on how we plan to
+ * manage KeyUpdate. In the case that we decide to install a new read spec
+ * as a KeyUpdate is handled, crSpec will always be the highest epoch we can
+ * possibly receive. That makes this easier to manage. */
+ if ((hdr[0] & 0xe0) == 0x20) {
+ /* Use crSpec->epoch, or crSpec->epoch - 1 if the last bit differs. */
+ if (((hdr[0] >> 4) & 1) == (crSpec->epoch & 1)) {
+ return crSpec->epoch;
+ }
+ return crSpec->epoch - 1;
+ }
+
+ /* dtls_GatherData should ensure that this works. */
+ PORT_Assert(hdr[0] == content_application_data);
+
+ /* This uses the same method as is used to recover the sequence number in
+ * dtls_ReadSequenceNumber, except that the maximum value is set to the
+ * current epoch. */
+ partial = hdr[1] >> 6;
+ maxEpoch = PR_MAX(crSpec->epoch, 3);
+ epoch = (maxEpoch & 0xfffc) | partial;
+ if (partial > (maxEpoch & 0x03)) {
+ epoch -= 4;
+ }
+ return epoch;
+}
+
+static sslSequenceNumber
+dtls_ReadSequenceNumber(const ssl3CipherSpec *spec, const PRUint8 *hdr)
+{
+ sslSequenceNumber cap;
+ sslSequenceNumber partial;
+ sslSequenceNumber seqNum;
+ sslSequenceNumber mask;
+
+ if (dtls_IsLongHeader(spec->version, hdr[0])) {
+ static const unsigned int seqNumOffset = 5; /* type, version, epoch */
+ static const unsigned int seqNumLength = 6;
+ sslReader r = SSL_READER(hdr + seqNumOffset, seqNumLength);
+ (void)sslRead_ReadNumber(&r, seqNumLength, &seqNum);
+ return seqNum;
+ }
+
+ /* Only the least significant bits of the sequence number is available here.
+ * This recovers the value based on the next expected sequence number.
+ *
+ * This works by determining the maximum possible sequence number, which is
+ * half the range of possible values above the expected next value (the
+ * expected next value is in |spec->seqNum|). Then, the last part of the
+ * sequence number is replaced. If that causes the value to exceed the
+ * maximum, subtract an entire range.
+ */
+ if ((hdr[0] & 0xe0) == 0x20) {
+ /* A 12-bit sequence number. */
+ cap = spec->nextSeqNum + (1ULL << 11);
+ partial = (((sslSequenceNumber)hdr[0] & 0xf) << 8) |
+ (sslSequenceNumber)hdr[1];
+ mask = (1ULL << 12) - 1;
+ } else {
+ /* A 30-bit sequence number. */
+ cap = spec->nextSeqNum + (1ULL << 29);
+ partial = (((sslSequenceNumber)hdr[1] & 0x3f) << 24) |
+ ((sslSequenceNumber)hdr[2] << 16) |
+ ((sslSequenceNumber)hdr[3] << 8) |
+ (sslSequenceNumber)hdr[4];
+ mask = (1ULL << 30) - 1;
+ }
+ seqNum = (cap & ~mask) | partial;
+ /* The second check prevents the value from underflowing if we get a large
+ * gap at the start of a connection, where this subtraction would cause the
+ * sequence number to wrap to near UINT64_MAX. */
+ if ((partial > (cap & mask)) && (seqNum > mask)) {
+ seqNum -= mask + 1;
+ }
+ return seqNum;
+}
+
/*
* DTLS relevance checks:
* Note that this code currently ignores all out-of-epoch packets,
@@ -1336,7 +1440,7 @@ dtls_IsRelevant(sslSocket *ss, const ssl3CipherSpec *spec,
const SSL3Ciphertext *cText,
sslSequenceNumber *seqNumOut)
{
- sslSequenceNumber seqNum = cText->seq_num & RECORD_SEQ_MASK;
+ sslSequenceNumber seqNum = dtls_ReadSequenceNumber(spec, cText->hdr);
if (dtls_RecordGetRecvd(&spec->recvdRecords, seqNum) != 0) {
SSL_TRC(10, ("%d: SSL3[%d]: dtls_IsRelevant, rejecting "
"potentially replayed packet",
diff --git a/security/nss/lib/ssl/dtlscon.h b/security/nss/lib/ssl/dtlscon.h
index d094380f8c..45fc069b97 100644
--- a/security/nss/lib/ssl/dtlscon.h
+++ b/security/nss/lib/ssl/dtlscon.h
@@ -41,8 +41,10 @@ extern SSL3ProtocolVersion
dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv);
extern SSL3ProtocolVersion
dtls_DTLSVersionToTLSVersion(SSL3ProtocolVersion dtlsv);
+DTLSEpoch dtls_ReadEpoch(const ssl3CipherSpec *crSpec, const PRUint8 *hdr);
extern PRBool dtls_IsRelevant(sslSocket *ss, const ssl3CipherSpec *spec,
const SSL3Ciphertext *cText,
sslSequenceNumber *seqNum);
void dtls_ReceivedFirstMessageInFlight(sslSocket *ss);
+PRBool dtls_IsLongHeader(SSL3ProtocolVersion version, PRUint8 firstOctet);
#endif
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
index 25aabbaa21..ecc4f95066 100644
--- a/security/nss/lib/ssl/ssl.h
+++ b/security/nss/lib/ssl/ssl.h
@@ -158,23 +158,18 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
#define SSL_CBC_RANDOM_IV 23
#define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
-/* SSL_ENABLE_NPN controls whether the NPN extension is enabled for the initial
- * handshake when application layer protocol negotiation is used.
- * SSL_SetNextProtoCallback or SSL_SetNextProtoNego must be used to control the
- * application layer protocol negotiation; otherwise, the NPN extension will
- * not be negotiated. SSL_ENABLE_NPN is currently enabled by default but this
- * may change in future versions.
- */
+/* SSL_ENABLE_NPN is defunct and defaults to false.
+ * Using this option will not have any effect but won't produce an error. */
#define SSL_ENABLE_NPN 25
/* SSL_ENABLE_ALPN controls whether the ALPN extension is enabled for the
* initial handshake when application layer protocol negotiation is used.
- * SSL_SetNextProtoNego (not SSL_SetNextProtoCallback) must be used to control
- * the application layer protocol negotiation; otherwise, the ALPN extension
- * will not be negotiated. ALPN is not negotiated for renegotiation handshakes,
- * even though the ALPN specification defines a way to use ALPN during
- * renegotiations. SSL_ENABLE_ALPN is currently disabled by default, but this
- * may change in future versions.
+ * SSL_SetNextProtoNego or SSL_SetNextProtoCallback can be used to control
+ * the application layer protocol negotiation;
+ * ALPN is not negotiated for renegotiation handshakes, even though the ALPN
+ * specification defines a way to use ALPN during renegotiations.
+ * SSL_ENABLE_ALPN is currently enabled by default, but this may change in
+ * future versions.
*/
#define SSL_ENABLE_ALPN 26
@@ -248,12 +243,45 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
*/
#define SSL_ENABLE_0RTT_DATA 33
+/* Sets a limit to the size of encrypted records (see
+ * draft-ietf-tls-record-limit). This is the value that is advertised to peers,
+ * not a limit on the size of records that will be created. Setting this value
+ * reduces the size of records that will be received (not sent).
+ *
+ * This limit applies to the plaintext, but the records that appear on the wire
+ * will be bigger. This doesn't include record headers, IVs, block cipher
+ * padding, and authentication tags or MACs.
+ *
+ * NSS always advertises the record size limit extension. If this option is not
+ * set, the extension will contain the maximum allowed size for the selected TLS
+ * version (currently this is 16384 or 2^14 for TLS 1.2 and lower and 16385 for
+ * TLS 1.3).
+ *
+ * By default, NSS creates records that are the maximum size possible, using all
+ * the data that was written by the application. Writes larger than the maximum
+ * are split into maximum sized records, and any remainder (unless
+ * SSL_CBC_RANDOM_IV is enabled and active). If a peer advertises a record size
+ * limit then that value is used instead.
+ */
+#define SSL_RECORD_SIZE_LIMIT 34
+
/* Enables TLS 1.3 compatibility mode. In this mode, the client includes a fake
* session ID in the handshake and sends a ChangeCipherSpec. A server will
* always use the setting chosen by the client, so the value of this option has
* no effect for a server. This setting is ignored for DTLS. */
#define SSL_ENABLE_TLS13_COMPAT_MODE 35
+/* Enables the sending of DTLS records using the short (two octet) record
+ * header. Only do this if there are 2^10 or fewer packets in flight at a time;
+ * using this with a larger number of packets in flight could mean that packets
+ * are dropped if there is reordering.
+ *
+ * This applies to TLS 1.3 only. This is not a parameter that is negotiated
+ * during the TLS handshake. Unlike other socket options, this option can be
+ * changed after a handshake is complete.
+ */
+#define SSL_ENABLE_DTLS_SHORT_HEADER 36
+
#ifdef SSL_DEPRECATED_FUNCTION
/* Old deprecated function names */
SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRIntn on);
@@ -272,10 +300,10 @@ SSL_IMPORT SECStatus SSL_OptionSetDefault(PRInt32 option, PRIntn val);
SSL_IMPORT SECStatus SSL_OptionGetDefault(PRInt32 option, PRIntn *val);
SSL_IMPORT SECStatus SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle);
-/* SSLNextProtoCallback is called during the handshake for the client, when a
- * Next Protocol Negotiation (NPN) extension has been received from the server.
- * |protos| and |protosLen| define a buffer which contains the server's
- * advertisement. This data is guaranteed to be well formed per the NPN spec.
+/* SSLNextProtoCallback is called during the handshake for the server, when an
+ * Application-Layer Protocol Negotiation (ALPN) extension has been received
+ * from the client. |protos| and |protosLen| define a buffer which contains the
+ * client's advertisement.
* |protoOut| is a buffer provided by the caller, of length 255 (the maximum
* allowed by the protocol). On successful return, the protocol to be announced
* to the server will be in |protoOut| and its length in |*protoOutLen|.
@@ -291,27 +319,24 @@ typedef SECStatus(PR_CALLBACK *SSLNextProtoCallback)(
unsigned int *protoOutLen,
unsigned int protoMaxOut);
-/* SSL_SetNextProtoCallback sets a callback function to handle Next Protocol
- * Negotiation. It causes a client to advertise NPN. */
+/* SSL_SetNextProtoCallback sets a callback function to handle ALPN Negotiation.
+ * It causes a client to advertise ALPN. */
SSL_IMPORT SECStatus SSL_SetNextProtoCallback(PRFileDesc *fd,
SSLNextProtoCallback callback,
void *arg);
/* SSL_SetNextProtoNego can be used as an alternative to
- * SSL_SetNextProtoCallback. It also causes a client to advertise NPN and
- * installs a default callback function which selects the first supported
- * protocol in server-preference order. If no matching protocol is found it
- * selects the first supported protocol.
+ * SSL_SetNextProtoCallback.
*
- * Using this function also allows the client to transparently support ALPN.
+ * Using this function allows client and server to transparently support ALPN.
* The same set of protocols will be advertised via ALPN and, if the server
* uses ALPN to select a protocol, SSL_GetNextProto will return
* SSL_NEXT_PROTO_SELECTED as the state.
*
- * Since NPN uses the first protocol as the fallback protocol, when sending an
- * ALPN extension, the first protocol is moved to the end of the list. This
- * indicates that the fallback protocol is the least preferred. The other
- * protocols should be in preference order.
+ * Because the predecessor to ALPN, NPN, used the first protocol as the fallback
+ * protocol, when sending an ALPN extension, the first protocol is moved to the
+ * end of the list. This indicates that the fallback protocol is the least
+ * preferred. The other protocols should be in preference order.
*
* The supported protocols are specified in |data| in wire-format (8-bit
* length-prefixed). For example: "\010http/1.1\006spdy/2". */
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
index 2593bbaccb..466fc296ff 100644
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -990,27 +990,22 @@ ssl_ClientReadVersion(sslSocket *ss, PRUint8 **b, unsigned int *len,
if (rv != SECSuccess) {
return SECFailure; /* alert has been sent */
}
-
-#ifdef TLS_1_3_DRAFT_VERSION
- if (temp == SSL_LIBRARY_VERSION_TLS_1_3) {
- (void)SSL3_SendAlert(ss, alert_fatal, protocol_version);
- PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
- return SECFailure;
- }
- if (temp == tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3)) {
- v = SSL_LIBRARY_VERSION_TLS_1_3;
- } else {
- v = (SSL3ProtocolVersion)temp;
- }
-#else
v = (SSL3ProtocolVersion)temp;
-#endif
if (IS_DTLS(ss)) {
- /* If this fails, we get 0 back and the next check to fails. */
v = dtls_DTLSVersionToTLSVersion(v);
+ /* Check for failure. */
+ if (!v || v > SSL_LIBRARY_VERSION_MAX_SUPPORTED) {
+ SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
+ return SECFailure;
+ }
}
+ /* You can't negotiate TLS 1.3 this way. */
+ if (v >= SSL_LIBRARY_VERSION_TLS_1_3) {
+ SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
+ return SECFailure;
+ }
*version = v;
return SECSuccess;
}
@@ -1415,7 +1410,7 @@ ssl3_SetupPendingCipherSpec(sslSocket *ss, CipherSpecDirection direction,
spec->macDef = ssl_GetMacDef(ss, suiteDef);
spec->epoch = prev->epoch + 1;
- spec->seqNum = 0;
+ spec->nextSeqNum = 0;
if (IS_DTLS(ss) && direction == CipherSpecRead) {
dtls_InitRecvdRecords(&spec->recvdRecords);
}
@@ -1481,6 +1476,13 @@ ssl3_SetupBothPendingCipherSpecs(sslSocket *ss)
goto loser;
}
+ if (ssl3_ExtensionNegotiated(ss, ssl_record_size_limit_xtn)) {
+ ss->ssl3.prSpec->recordSizeLimit = PR_MIN(MAX_FRAGMENT_LENGTH,
+ ss->opt.recordSizeLimit);
+ ss->ssl3.pwSpec->recordSizeLimit = PR_MIN(MAX_FRAGMENT_LENGTH,
+ ss->xtnData.recordSizeLimit);
+ }
+
ssl_ReleaseSpecWriteLock(ss); /*******************************/
return SECSuccess;
@@ -2004,6 +2006,7 @@ ssl3_MACEncryptRecord(ssl3CipherSpec *cwSpec,
unsigned int ivLen = 0;
unsigned char pseudoHeaderBuf[13];
sslBuffer pseudoHeader = SSL_BUFFER(pseudoHeaderBuf);
+ int len;
if (cwSpec->cipherDef->type == type_block &&
cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
@@ -2013,29 +2016,32 @@ ssl3_MACEncryptRecord(ssl3CipherSpec *cwSpec,
* record.
*/
ivLen = cwSpec->cipherDef->iv_size;
- if (ivLen > wrBuf->space) {
+ if (ivLen > SSL_BUFFER_SPACE(wrBuf)) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
- rv = PK11_GenerateRandom(wrBuf->buf, ivLen);
+ rv = PK11_GenerateRandom(SSL_BUFFER_NEXT(wrBuf), ivLen);
if (rv != SECSuccess) {
ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
return rv;
}
rv = cwSpec->cipher(cwSpec->cipherContext,
- wrBuf->buf, /* output */
- (int *)&wrBuf->len, /* outlen */
- ivLen, /* max outlen */
- wrBuf->buf, /* input */
- ivLen); /* input len */
- if (rv != SECSuccess || wrBuf->len != ivLen) {
+ SSL_BUFFER_NEXT(wrBuf), /* output */
+ &len, /* outlen */
+ ivLen, /* max outlen */
+ SSL_BUFFER_NEXT(wrBuf), /* input */
+ ivLen); /* input len */
+ if (rv != SECSuccess || len != ivLen) {
PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
return SECFailure;
}
+
+ rv = sslBuffer_Skip(wrBuf, len, NULL);
+ PORT_Assert(rv == SECSuccess); /* Can't fail. */
}
rv = ssl3_BuildRecordPseudoHeader(
- cwSpec->epoch, cwSpec->seqNum, type,
+ cwSpec->epoch, cwSpec->nextSeqNum, type,
cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->recordVersion,
isDTLS, contentLen, &pseudoHeader);
PORT_Assert(rv == SECSuccess);
@@ -2043,23 +2049,26 @@ ssl3_MACEncryptRecord(ssl3CipherSpec *cwSpec,
const int nonceLen = cwSpec->cipherDef->explicit_nonce_size;
const int tagLen = cwSpec->cipherDef->tag_size;
- if (nonceLen + contentLen + tagLen > wrBuf->space) {
+ if (nonceLen + contentLen + tagLen > SSL_BUFFER_SPACE(wrBuf)) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
rv = cwSpec->aead(
&cwSpec->keyMaterial,
- PR_FALSE, /* do encrypt */
- wrBuf->buf, /* output */
- (int *)&wrBuf->len, /* out len */
- wrBuf->space, /* max out */
- pIn, contentLen, /* input */
+ PR_FALSE, /* do encrypt */
+ SSL_BUFFER_NEXT(wrBuf), /* output */
+ &len, /* out len */
+ SSL_BUFFER_SPACE(wrBuf), /* max out */
+ pIn, contentLen, /* input */
SSL_BUFFER_BASE(&pseudoHeader), SSL_BUFFER_LEN(&pseudoHeader));
if (rv != SECSuccess) {
PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
return SECFailure;
}
+
+ rv = sslBuffer_Skip(wrBuf, len, NULL);
+ PORT_Assert(rv == SECSuccess); /* Can't fail. */
} else {
int blockSize = cwSpec->cipherDef->block_size;
@@ -2069,7 +2078,7 @@ ssl3_MACEncryptRecord(ssl3CipherSpec *cwSpec,
rv = ssl3_ComputeRecordMAC(cwSpec, SSL_BUFFER_BASE(&pseudoHeader),
SSL_BUFFER_LEN(&pseudoHeader),
pIn, contentLen,
- wrBuf->buf + ivLen + contentLen, &macLen);
+ SSL_BUFFER_NEXT(wrBuf) + contentLen, &macLen);
if (rv != SECSuccess) {
ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
return SECFailure;
@@ -2095,7 +2104,7 @@ ssl3_MACEncryptRecord(ssl3CipherSpec *cwSpec,
PORT_Assert((fragLen % blockSize) == 0);
/* Pad according to TLS rules (also acceptable to SSL3). */
- pBuf = &wrBuf->buf[ivLen + fragLen - 1];
+ pBuf = SSL_BUFFER_NEXT(wrBuf) + fragLen - 1;
for (i = padding_length + 1; i > 0; --i) {
*pBuf-- = padding_length;
}
@@ -2112,14 +2121,14 @@ ssl3_MACEncryptRecord(ssl3CipherSpec *cwSpec,
p2Len += oddLen;
PORT_Assert((blockSize < 2) ||
(p2Len % blockSize) == 0);
- memmove(wrBuf->buf + ivLen + p1Len, pIn + p1Len, oddLen);
+ memmove(SSL_BUFFER_NEXT(wrBuf) + p1Len, pIn + p1Len, oddLen);
}
if (p1Len > 0) {
int cipherBytesPart1 = -1;
rv = cwSpec->cipher(cwSpec->cipherContext,
- wrBuf->buf + ivLen, /* output */
- &cipherBytesPart1, /* actual outlen */
- p1Len, /* max outlen */
+ SSL_BUFFER_NEXT(wrBuf), /* output */
+ &cipherBytesPart1, /* actual outlen */
+ p1Len, /* max outlen */
pIn,
p1Len); /* input, and inputlen */
PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int)p1Len);
@@ -2127,22 +2136,24 @@ ssl3_MACEncryptRecord(ssl3CipherSpec *cwSpec,
PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
return SECFailure;
}
- wrBuf->len += cipherBytesPart1;
+ rv = sslBuffer_Skip(wrBuf, p1Len, NULL);
+ PORT_Assert(rv == SECSuccess);
}
if (p2Len > 0) {
int cipherBytesPart2 = -1;
rv = cwSpec->cipher(cwSpec->cipherContext,
- wrBuf->buf + ivLen + p1Len,
+ SSL_BUFFER_NEXT(wrBuf),
&cipherBytesPart2, /* output and actual outLen */
p2Len, /* max outlen */
- wrBuf->buf + ivLen + p1Len,
+ SSL_BUFFER_NEXT(wrBuf),
p2Len); /* input and inputLen*/
PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int)p2Len);
if (rv != SECSuccess || cipherBytesPart2 != (int)p2Len) {
PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
return SECFailure;
}
- wrBuf->len += cipherBytesPart2;
+ rv = sslBuffer_Skip(wrBuf, p2Len, NULL);
+ PORT_Assert(rv == SECSuccess);
}
}
@@ -2150,16 +2161,20 @@ ssl3_MACEncryptRecord(ssl3CipherSpec *cwSpec,
}
/* Note: though this can report failure, it shouldn't. */
-static SECStatus
+SECStatus
ssl_InsertRecordHeader(const sslSocket *ss, ssl3CipherSpec *cwSpec,
- SSL3ContentType contentType, unsigned int len,
- sslBuffer *wrBuf)
+ SSL3ContentType contentType, sslBuffer *wrBuf,
+ PRBool *needsLength)
{
SECStatus rv;
#ifndef UNSAFE_FUZZER_MODE
if (cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
- cwSpec->cipherDef->calg != ssl_calg_null) {
+ cwSpec->epoch > TrafficKeyClearText) {
+ if (IS_DTLS(ss)) {
+ return dtls13_InsertCipherTextHeader(ss, cwSpec, wrBuf,
+ needsLength);
+ }
contentType = content_application_data;
}
#endif
@@ -2177,16 +2192,12 @@ ssl_InsertRecordHeader(const sslSocket *ss, ssl3CipherSpec *cwSpec,
if (rv != SECSuccess) {
return SECFailure;
}
- rv = sslBuffer_AppendNumber(wrBuf, cwSpec->seqNum, 6);
+ rv = sslBuffer_AppendNumber(wrBuf, cwSpec->nextSeqNum, 6);
if (rv != SECSuccess) {
return SECFailure;
}
}
- rv = sslBuffer_AppendNumber(wrBuf, len, 2);
- if (rv != SECSuccess) {
- return SECFailure;
- }
-
+ *needsLength = PR_TRUE;
return SECSuccess;
}
@@ -2194,66 +2205,67 @@ SECStatus
ssl_ProtectRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, SSL3ContentType type,
const PRUint8 *pIn, PRUint32 contentLen, sslBuffer *wrBuf)
{
- unsigned int headerLen = IS_DTLS(ss) ? DTLS_RECORD_HEADER_LENGTH
- : SSL3_RECORD_HEADER_LENGTH;
- sslBuffer protBuf = SSL_BUFFER_FIXED(SSL_BUFFER_BASE(wrBuf) + headerLen,
- SSL_BUFFER_SPACE(wrBuf) - headerLen);
- PRBool isTLS13;
+ PRBool needsLength;
+ unsigned int lenOffset;
SECStatus rv;
PORT_Assert(cwSpec->direction == CipherSpecWrite);
PORT_Assert(SSL_BUFFER_LEN(wrBuf) == 0);
PORT_Assert(cwSpec->cipherDef->max_records <= RECORD_SEQ_MAX);
- if (cwSpec->seqNum >= cwSpec->cipherDef->max_records) {
+
+ if (cwSpec->nextSeqNum >= cwSpec->cipherDef->max_records) {
/* We should have automatically updated before here in TLS 1.3. */
PORT_Assert(cwSpec->version < SSL_LIBRARY_VERSION_TLS_1_3);
SSL_TRC(3, ("%d: SSL[-]: write sequence number at limit 0x%0llx",
- SSL_GETPID(), cwSpec->seqNum));
+ SSL_GETPID(), cwSpec->nextSeqNum));
PORT_SetError(SSL_ERROR_TOO_MANY_RECORDS);
return SECFailure;
}
- isTLS13 = (PRBool)(cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_3);
+ rv = ssl_InsertRecordHeader(ss, cwSpec, type, wrBuf, &needsLength);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ if (needsLength) {
+ rv = sslBuffer_Skip(wrBuf, 2, &lenOffset);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ }
#ifdef UNSAFE_FUZZER_MODE
{
int len;
- rv = Null_Cipher(NULL, SSL_BUFFER_BASE(&protBuf), &len,
- SSL_BUFFER_SPACE(&protBuf), pIn, contentLen);
+ rv = Null_Cipher(NULL, SSL_BUFFER_NEXT(wrBuf), &len,
+ SSL_BUFFER_SPACE(wrBuf), pIn, contentLen);
if (rv != SECSuccess) {
return SECFailure; /* error was set */
}
- rv = sslBuffer_Skip(&protBuf, len, NULL);
+ rv = sslBuffer_Skip(wrBuf, len, NULL);
PORT_Assert(rv == SECSuccess); /* Can't fail. */
}
#else
- if (isTLS13) {
- rv = tls13_ProtectRecord(ss, cwSpec, type, pIn, contentLen, &protBuf);
+ if (cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
+ rv = tls13_ProtectRecord(ss, cwSpec, type, pIn, contentLen, wrBuf);
} else {
rv = ssl3_MACEncryptRecord(cwSpec, ss->sec.isServer, IS_DTLS(ss), type,
- pIn, contentLen, &protBuf);
+ pIn, contentLen, wrBuf);
}
#endif
if (rv != SECSuccess) {
return SECFailure; /* error was set */
}
- PORT_Assert(protBuf.len <= MAX_FRAGMENT_LENGTH + (isTLS13 ? 256 : 1024));
-
- rv = ssl_InsertRecordHeader(ss, cwSpec, type, SSL_BUFFER_LEN(&protBuf),
- wrBuf);
- if (rv != SECSuccess) {
- return SECFailure;
- }
-
- PORT_Assert(SSL_BUFFER_LEN(wrBuf) == headerLen);
- rv = sslBuffer_Skip(wrBuf, SSL_BUFFER_LEN(&protBuf), NULL);
- if (rv != SECSuccess) {
- PORT_Assert(0); /* Can't fail. */
- return SECFailure;
+ if (needsLength) {
+ /* Insert the length. */
+ rv = sslBuffer_InsertLength(wrBuf, lenOffset, 2);
+ if (rv != SECSuccess) {
+ PORT_Assert(0); /* Can't fail. */
+ return SECFailure;
+ }
}
- ++cwSpec->seqNum;
+ ++cwSpec->nextSeqNum;
return SECSuccess;
}
@@ -2267,7 +2279,7 @@ ssl_ProtectNextRecord(sslSocket *ss, ssl3CipherSpec *spec, SSL3ContentType type,
unsigned int spaceNeeded;
SECStatus rv;
- contentLen = PR_MIN(nIn, MAX_FRAGMENT_LENGTH);
+ contentLen = PR_MIN(nIn, spec->recordSizeLimit);
spaceNeeded = contentLen + SSL3_BUFFER_FUDGE;
if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
spec->cipherDef->type == type_block) {
@@ -2291,6 +2303,7 @@ ssl_ProtectNextRecord(sslSocket *ss, ssl3CipherSpec *spec, SSL3ContentType type,
*written = contentLen;
return SECSuccess;
}
+
/* Process the plain text before sending it.
* Returns the number of bytes of plaintext that were successfully sent
* plus the number of bytes of plaintext that were copied into the
@@ -2368,7 +2381,7 @@ ssl3_SendRecord(sslSocket *ss,
rv = ssl_ProtectNextRecord(ss, spec, type, pIn, nIn, &written);
ssl_ReleaseSpecReadLock(ss);
if (rv != SECSuccess) {
- return SECFailure;
+ goto loser;
}
PORT_Assert(written > 0);
@@ -3034,7 +3047,6 @@ ssl3_SendChangeCipherSpecsInt(sslSocket *ss)
return SECFailure; /* error code set by ssl3_SendRecord */
}
} else {
- SECStatus rv;
rv = dtls_QueueMessage(ss, content_change_cipher_spec, &change, 1);
if (rv != SECSuccess) {
return SECFailure;
@@ -5567,13 +5579,20 @@ ssl3_SendRSAClientKeyExchange(sslSocket *ss, SECKEYPublicKey *svrPubKey)
}
/* Get the wrapped (encrypted) pre-master secret, enc_pms */
- enc_pms.len = SECKEY_PublicKeyStrength(svrPubKey);
+ unsigned int svrPubKeyBits = SECKEY_PublicKeyStrengthInBits(svrPubKey);
+ enc_pms.len = (svrPubKeyBits + 7) / 8;
+ /* Check that the RSA key isn't larger than 8k bit. */
+ if (svrPubKeyBits > SSL_MAX_RSA_KEY_BITS) {
+ (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
+ ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+ goto loser;
+ }
enc_pms.data = (unsigned char *)PORT_Alloc(enc_pms.len);
if (enc_pms.data == NULL) {
goto loser; /* err set by PORT_Alloc */
}
- /* wrap pre-master secret in server's public key. */
+ /* Wrap pre-master secret in server's public key. */
rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, pms, &enc_pms);
if (rv != SECSuccess) {
ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
@@ -5676,7 +5695,7 @@ ssl3_SendDHClientKeyExchange(sslSocket *ss, SECKEYPublicKey *svrPubKey)
};
sslEphemeralKeyPair *keyPair = NULL;
SECKEYPublicKey *pubKey;
- PRUint8 dhData[1026]; /* Enough for the 8192-bit group. */
+ PRUint8 dhData[SSL_MAX_DH_KEY_BITS / 8 + 2];
sslBuffer dhBuf = SSL_BUFFER(dhData);
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
@@ -6208,7 +6227,6 @@ ssl3_HandleServerHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
SECItem sidBytes = { siBuffer, NULL, 0 };
PRBool isHelloRetry;
SSL3AlertDescription desc = illegal_parameter;
- TLSExtension *versionExtension;
const PRUint8 *savedMsg = b;
const PRUint32 savedLength = length;
#ifndef TLS_1_3_DRAFT_VERSION
@@ -6299,16 +6317,10 @@ ssl3_HandleServerHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
}
}
- /* Update the version based on the extension, as necessary. */
- versionExtension = ssl3_FindExtension(ss, ssl_tls13_supported_versions_xtn);
- if (versionExtension) {
- rv = ssl_ClientReadVersion(ss, &versionExtension->data.data,
- &versionExtension->data.len,
- &ss->version);
- if (rv != SECSuccess) {
- errCode = PORT_GetError();
- goto loser; /* An alert is sent by ssl_ClientReadVersion */
- }
+ /* Read supported_versions if present. */
+ rv = tls13_ClientReadSupportedVersion(ss);
+ if (rv != SECSuccess) {
+ goto loser;
}
PORT_Assert(!SSL_ALL_VERSIONS_DISABLED(&ss->vrange));
@@ -6332,7 +6344,7 @@ ssl3_HandleServerHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
/* The server didn't pick 1.3 although we either received a
* HelloRetryRequest, or we prepared to send early app data. */
if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
- if (ss->ssl3.hs.helloRetry) {
+ if (isHelloRetry || ss->ssl3.hs.helloRetry) {
/* SSL3_SendAlert() will uncache the SID. */
desc = illegal_parameter;
errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
@@ -6393,8 +6405,9 @@ ssl3_HandleServerHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
/* Finally, now all the version-related checks have passed. */
ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version;
/* Update the write cipher spec to match the version. But not after
- * HelloRetryRequest, because cwSpec might be a 0-RTT cipher spec. */
- if (!ss->firstHsDone && !ss->ssl3.hs.helloRetry) {
+ * HelloRetryRequest, because cwSpec might be a 0-RTT cipher spec,
+ * in which case this is a no-op. */
+ if (!ss->firstHsDone && !isHelloRetry) {
ssl_GetSpecWriteLock(ss);
ssl_SetSpecVersions(ss, ss->ssl3.cwSpec);
ssl_ReleaseSpecWriteLock(ss);
@@ -6729,6 +6742,10 @@ ssl_HandleDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length)
errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
goto alert_loser;
}
+ if (dh_p_bits > SSL_MAX_DH_KEY_BITS) {
+ errCode = SSL_ERROR_DH_KEY_TOO_LONG;
+ goto alert_loser;
+ }
rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length);
if (rv != SECSuccess) {
goto loser; /* malformed. */
@@ -6938,8 +6955,10 @@ ssl3_ParseCertificateRequestCAs(sslSocket *ss, PRUint8 **b, PRUint32 *length,
goto alert_loser; /* malformed */
remaining -= 2;
+ if (SECITEM_MakeItem(ca_list->arena, &node->name, *b, len) != SECSuccess) {
+ goto no_mem;
+ }
node->name.len = len;
- node->name.data = *b;
*b += len;
*length -= len;
remaining -= len;
@@ -6967,7 +6986,6 @@ ssl3_ParseCertificateRequestCAs(sslSocket *ss, PRUint8 **b, PRUint32 *length,
return SECSuccess;
no_mem:
- PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure;
alert_loser:
@@ -7332,10 +7350,6 @@ ssl3_SendClientSecondRound(sslSocket *ss)
* certificate to an attacker that does not have a valid cert for the
* domain we are connecting to.
*
- * XXX: We should do the same for the NPN extension, but for that we
- * need an option to give the application the ability to leak the NPN
- * information to get better performance.
- *
* During the initial handshake on a connection, we never send/receive
* application data until we have authenticated the server's certificate;
* i.e. we have fully authenticated the handshake before using the cipher
@@ -7409,14 +7423,6 @@ ssl3_SendClientSecondRound(sslSocket *ss)
ss->enoughFirstHsDone = PR_TRUE;
if (!ss->firstHsDone) {
- /* XXX: If the server's certificate hasn't been authenticated by this
- * point, then we may be leaking this NPN message to an attacker.
- */
- rv = ssl3_SendNextProto(ss);
- if (rv != SECSuccess) {
- goto loser; /* err code was set. */
- }
-
if (ss->opt.enableFalseStart) {
if (!ss->ssl3.hs.authCertificatePending) {
/* When we fix bug 589047, we will need to know whether we are
@@ -8879,12 +8885,10 @@ ssl_ConstructServerHello(sslSocket *ss, PRBool helloRetry,
SSL3ProtocolVersion version;
sslSessionID *sid = ss->sec.ci.sid;
- if (IS_DTLS(ss) && ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
- version = dtls_TLSVersionToDTLSVersion(ss->version);
- } else {
- version = PR_MIN(ss->version, SSL_LIBRARY_VERSION_TLS_1_2);
+ version = PR_MIN(ss->version, SSL_LIBRARY_VERSION_TLS_1_2);
+ if (IS_DTLS(ss)) {
+ version = dtls_TLSVersionToDTLSVersion(version);
}
-
rv = sslBuffer_AppendNumber(messageBuf, version, 2);
if (rv != SECSuccess) {
return SECFailure;
@@ -11404,6 +11408,10 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, PRUint8 *b, PRUint32 length,
/* Increment the expected sequence number */
ss->ssl3.hs.recvMessageSeq++;
}
+
+ /* Taint the message so that it's easier to detect UAFs. */
+ PORT_Memset(b, 'N', length);
+
return rv;
}
@@ -11738,7 +11746,7 @@ ssl_RemoveTLSCBCPadding(sslBuffer *plaintext, unsigned int macSize)
}
for (i = 0; i < toCheck; i++) {
- unsigned int t = paddingLength - i;
+ t = paddingLength - i;
/* If i <= paddingLength then the MSB of t is zero and mask is
* 0xff. Otherwise, mask is 0. */
unsigned char mask = DUPLICATE_MSB_TO_ALL(~t);
@@ -11878,6 +11886,7 @@ ssl3_UnprotectRecord(sslSocket *ss,
unsigned int good;
unsigned int ivLen = 0;
SSL3ContentType rType;
+ SSL3ProtocolVersion rVersion;
unsigned int minLength;
unsigned int originalLen = 0;
PRUint8 headerBuf[13];
@@ -11950,7 +11959,9 @@ ssl3_UnprotectRecord(sslSocket *ss,
return SECFailure;
}
- rType = cText->type;
+ rType = (SSL3ContentType)cText->hdr[0];
+ rVersion = ((SSL3ProtocolVersion)cText->hdr[1] << 8) |
+ (SSL3ProtocolVersion)cText->hdr[2];
if (cipher_def->type == type_aead) {
/* XXX For many AEAD ciphers, the plaintext is shorter than the
* ciphertext by a fixed byte count, but it is not true in general.
@@ -11960,8 +11971,8 @@ ssl3_UnprotectRecord(sslSocket *ss,
cText->buf->len - cipher_def->explicit_nonce_size -
cipher_def->tag_size;
rv = ssl3_BuildRecordPseudoHeader(
- spec->epoch, IS_DTLS(ss) ? cText->seq_num : spec->seqNum,
- rType, isTLS, cText->version, IS_DTLS(ss), decryptedLen, &header);
+ spec->epoch, cText->seqNum,
+ rType, isTLS, rVersion, IS_DTLS(ss), decryptedLen, &header);
PORT_Assert(rv == SECSuccess);
rv = spec->aead(&spec->keyMaterial,
PR_TRUE, /* do decrypt */
@@ -12008,8 +12019,8 @@ ssl3_UnprotectRecord(sslSocket *ss,
/* compute the MAC */
rv = ssl3_BuildRecordPseudoHeader(
- spec->epoch, IS_DTLS(ss) ? cText->seq_num : spec->seqNum,
- rType, isTLS, cText->version, IS_DTLS(ss),
+ spec->epoch, cText->seqNum,
+ rType, isTLS, rVersion, IS_DTLS(ss),
plaintext->len - spec->macDef->mac_size, &header);
PORT_Assert(rv == SECSuccess);
if (cipher_def->type == type_block) {
@@ -12059,13 +12070,19 @@ ssl3_UnprotectRecord(sslSocket *ss,
return SECSuccess;
}
-static SECStatus
+SECStatus
ssl3_HandleNonApplicationData(sslSocket *ss, SSL3ContentType rType,
DTLSEpoch epoch, sslSequenceNumber seqNum,
sslBuffer *databuf)
{
SECStatus rv;
+ /* check for Token Presence */
+ if (!ssl3_ClientAuthTokenPresent(ss->sec.ci.sid)) {
+ PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
+ return SECFailure;
+ }
+
ssl_GetSSL3HandshakeLock(ss);
/* All the functions called in this switch MUST set error code if
@@ -12111,15 +12128,16 @@ ssl3_HandleNonApplicationData(sslSocket *ss, SSL3ContentType rType,
* Returns NULL if no appropriate cipher spec is found.
*/
static ssl3CipherSpec *
-ssl3_GetCipherSpec(sslSocket *ss, sslSequenceNumber seq)
+ssl3_GetCipherSpec(sslSocket *ss, SSL3Ciphertext *cText)
{
ssl3CipherSpec *crSpec = ss->ssl3.crSpec;
ssl3CipherSpec *newSpec = NULL;
- DTLSEpoch epoch = seq >> 48;
+ DTLSEpoch epoch;
if (!IS_DTLS(ss)) {
return crSpec;
}
+ epoch = dtls_ReadEpoch(crSpec, cText->hdr);
if (crSpec->epoch == epoch) {
return crSpec;
}
@@ -12136,6 +12154,11 @@ ssl3_GetCipherSpec(sslSocket *ss, sslSequenceNumber seq)
return NULL;
}
+/* MAX_EXPANSION is the amount by which a record might plausibly be expanded
+ * when protected. It's the worst case estimate, so the sum of block cipher
+ * padding (up to 256 octets) and HMAC (48 octets for SHA-384). */
+#define MAX_EXPANSION (256 + 48)
+
/* if cText is non-null, then decipher and check the MAC of the
* SSL record from cText->buf (typically gs->inbuf)
* into databuf (typically gs->buf), and any previous contents of databuf
@@ -12159,16 +12182,16 @@ ssl3_GetCipherSpec(sslSocket *ss, sslSequenceNumber seq)
* Application Data records.
*/
SECStatus
-ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
+ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
{
SECStatus rv;
PRBool isTLS;
DTLSEpoch epoch;
- sslSequenceNumber seqNum = 0;
ssl3CipherSpec *spec = NULL;
+ PRUint16 recordSizeLimit;
PRBool outOfOrderSpec = PR_FALSE;
SSL3ContentType rType;
- sslBuffer *plaintext;
+ sslBuffer *plaintext = &ss->gs.buf;
SSL3AlertDescription alert = internal_error;
PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
@@ -12178,27 +12201,23 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
return SECFailure;
}
- /* cText is NULL when we're called from ssl3_RestartHandshakeAfterXXX().
- * This implies that databuf holds a previously deciphered SSL Handshake
- * message.
- */
- if (cText == NULL) {
- SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake",
- SSL_GETPID(), ss->fd));
- /* Note that this doesn't pass the epoch and sequence number of the
- * record through, which DTLS 1.3 depends on. DTLS doesn't support
- * asynchronous certificate validation, so that should be OK. */
- PORT_Assert(!IS_DTLS(ss));
- return ssl3_HandleNonApplicationData(ss, content_handshake,
- 0, 0, databuf);
+ /* Clear out the buffer in case this exits early. Any data then won't be
+ * processed twice. */
+ plaintext->len = 0;
+
+ /* We're waiting for another ClientHello, which will appear unencrypted.
+ * Use the content type to tell whether this should be discarded. */
+ if (ss->ssl3.hs.zeroRttIgnore == ssl_0rtt_ignore_hrr &&
+ cText->hdr[0] == content_application_data) {
+ PORT_Assert(ss->ssl3.hs.ws == wait_client_hello);
+ return SECSuccess;
}
ssl_GetSpecReadLock(ss); /******************************************/
- spec = ssl3_GetCipherSpec(ss, cText->seq_num);
+ spec = ssl3_GetCipherSpec(ss, cText);
if (!spec) {
PORT_Assert(IS_DTLS(ss));
ssl_ReleaseSpecReadLock(ss); /*****************************/
- databuf->len = 0; /* Needed to ensure data not left around */
return SECSuccess;
}
if (spec != ss->ssl3.crSpec) {
@@ -12209,66 +12228,68 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
}
isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
if (IS_DTLS(ss)) {
- if (!dtls_IsRelevant(ss, spec, cText, &seqNum)) {
+ if (!dtls_IsRelevant(ss, spec, cText, &cText->seqNum)) {
ssl_ReleaseSpecReadLock(ss); /*****************************/
- databuf->len = 0; /* Needed to ensure data not left around */
-
return SECSuccess;
}
} else {
- seqNum = spec->seqNum + 1;
+ cText->seqNum = spec->nextSeqNum;
}
- if (seqNum >= spec->cipherDef->max_records) {
+ if (cText->seqNum >= spec->cipherDef->max_records) {
ssl_ReleaseSpecReadLock(ss); /*****************************/
SSL_TRC(3, ("%d: SSL[%d]: read sequence number at limit 0x%0llx",
- SSL_GETPID(), ss->fd, seqNum));
+ SSL_GETPID(), ss->fd, cText->seqNum));
PORT_SetError(SSL_ERROR_TOO_MANY_RECORDS);
return SECFailure;
}
- plaintext = databuf;
- plaintext->len = 0; /* filled in by Unprotect call below. */
-
- /* We're waiting for another ClientHello, which will appear unencrypted.
- * Use the content type to tell whether this is should be discarded.
- *
- * XXX If we decide to remove the content type from encrypted records, this
- * will become much more difficult to manage. */
- if (ss->ssl3.hs.zeroRttIgnore == ssl_0rtt_ignore_hrr &&
- cText->type == content_application_data) {
+ recordSizeLimit = spec->recordSizeLimit;
+ if (cText->buf->len > recordSizeLimit + MAX_EXPANSION) {
ssl_ReleaseSpecReadLock(ss); /*****************************/
- PORT_Assert(ss->ssl3.hs.ws == wait_client_hello);
- databuf->len = 0;
- return SECSuccess;
+ SSL3_SendAlert(ss, alert_fatal, record_overflow);
+ PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+ return SECFailure;
}
- if (plaintext->space < MAX_FRAGMENT_LENGTH) {
- rv = sslBuffer_Grow(plaintext, MAX_FRAGMENT_LENGTH + 2048);
+ if (plaintext->space < recordSizeLimit + MAX_EXPANSION) {
+ rv = sslBuffer_Grow(plaintext, recordSizeLimit + MAX_EXPANSION);
if (rv != SECSuccess) {
ssl_ReleaseSpecReadLock(ss); /*************************/
SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
- SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048));
+ SSL_GETPID(), ss->fd, recordSizeLimit + MAX_EXPANSION));
/* sslBuffer_Grow has set a memory error code. */
/* Perhaps we should send an alert. (but we have no memory!) */
return SECFailure;
}
}
+ /* Most record types aside from protected TLS 1.3 records carry the content
+ * type in the first octet. TLS 1.3 will override this value later. */
+ rType = cText->hdr[0];
+ /* Encrypted application data records could arrive before the handshake
+ * completes in DTLS 1.3. These can look like valid TLS 1.2 application_data
+ * records in epoch 0, which is never valid. Pretend they didn't decrypt. */
+ if (spec->epoch == 0 && rType == content_application_data) {
+ PORT_SetError(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA);
+ alert = unexpected_message;
+ rv = SECFailure;
+ } else {
#ifdef UNSAFE_FUZZER_MODE
- rv = Null_Cipher(NULL, plaintext->buf, (int *)&plaintext->len,
- plaintext->space, cText->buf->buf, cText->buf->len);
+ rv = Null_Cipher(NULL, plaintext->buf, (int *)&plaintext->len,
+ plaintext->space, cText->buf->buf, cText->buf->len);
#else
- /* IMPORTANT: Unprotect functions MUST NOT send alerts
- * because we still hold the spec read lock. Instead, if they
- * return SECFailure, they set *alert to the alert to be sent. */
- if (spec->version < SSL_LIBRARY_VERSION_TLS_1_3 ||
- spec->cipherDef->calg == ssl_calg_null) {
- /* Unencrypted TLS 1.3 records use the pre-TLS 1.3 format. */
- rv = ssl3_UnprotectRecord(ss, spec, cText, plaintext, &alert);
- } else {
- rv = tls13_UnprotectRecord(ss, spec, cText, plaintext, &alert);
- }
+ /* IMPORTANT: Unprotect functions MUST NOT send alerts
+ * because we still hold the spec read lock. Instead, if they
+ * return SECFailure, they set *alert to the alert to be sent. */
+ if (spec->version < SSL_LIBRARY_VERSION_TLS_1_3 ||
+ spec->epoch == 0) {
+ rv = ssl3_UnprotectRecord(ss, spec, cText, plaintext, &alert);
+ } else {
+ rv = tls13_UnprotectRecord(ss, spec, cText, plaintext, &rType,
+ &alert);
+ }
#endif
+ }
if (rv != SECSuccess) {
ssl_ReleaseSpecReadLock(ss); /***************************/
@@ -12276,39 +12297,45 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd));
/* Ensure that we don't process this data again. */
- databuf->len = 0;
+ plaintext->len = 0;
- /* Ignore a CCS if the alternative handshake is negotiated. Note that
- * this will fail if the server fails to negotiate the alternative
- * handshake type in a 0-RTT session that is resumed from a session that
- * did negotiate it. We don't care about that corner case right now. */
+ /* Ignore a CCS if compatibility mode is negotiated. Note that this
+ * will fail if the server fails to negotiate compatibility mode in a
+ * 0-RTT session that is resumed from a session that did negotiate it.
+ * We don't care about that corner case right now. */
if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
- cText->type == content_change_cipher_spec &&
+ cText->hdr[0] == content_change_cipher_spec &&
ss->ssl3.hs.ws != idle_handshake &&
cText->buf->len == 1 &&
cText->buf->buf[0] == change_cipher_spec_choice) {
/* Ignore the CCS. */
return SECSuccess;
}
+
if (IS_DTLS(ss) ||
(ss->sec.isServer &&
ss->ssl3.hs.zeroRttIgnore == ssl_0rtt_ignore_trial)) {
- /* Silently drop the packet */
+ /* Silently drop the packet unless we sent a fatal alert. */
+ if (ss->ssl3.fatalAlertSent) {
+ return SECFailure;
+ }
return SECSuccess;
- } else {
- int errCode = PORT_GetError();
- SSL3_SendAlert(ss, alert_fatal, alert);
- /* Reset the error code in case SSL3_SendAlert called
- * PORT_SetError(). */
- PORT_SetError(errCode);
- return SECFailure;
}
+
+ int errCode = PORT_GetError();
+ SSL3_SendAlert(ss, alert_fatal, alert);
+ /* Reset the error code in case SSL3_SendAlert called
+ * PORT_SetError(). */
+ PORT_SetError(errCode);
+ return SECFailure;
}
/* SECSuccess */
- spec->seqNum = PR_MAX(spec->seqNum, seqNum);
if (IS_DTLS(ss)) {
- dtls_RecordSetRecvd(&spec->recvdRecords, seqNum);
+ dtls_RecordSetRecvd(&spec->recvdRecords, cText->seqNum);
+ spec->nextSeqNum = PR_MAX(spec->nextSeqNum, cText->seqNum + 1);
+ } else {
+ ++spec->nextSeqNum;
}
epoch = spec->epoch;
@@ -12317,19 +12344,18 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
/*
* The decrypted data is now in plaintext.
*/
- rType = cText->type; /* This must go after decryption because TLS 1.3
- * has encrypted content types. */
/* IMPORTANT: We are in DTLS 1.3 mode and we have processed something
* from the wrong epoch. Divert to a divert processing function to make
* sure we don't accidentally use the data unsafely. */
if (outOfOrderSpec) {
PORT_Assert(IS_DTLS(ss) && ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
- return dtls13_HandleOutOfEpochRecord(ss, spec, rType, databuf);
+ return dtls13_HandleOutOfEpochRecord(ss, spec, rType, plaintext);
}
/* Check the length of the plaintext. */
- if (isTLS && databuf->len > MAX_FRAGMENT_LENGTH) {
+ if (isTLS && plaintext->len > recordSizeLimit) {
+ plaintext->len = 0;
SSL3_SendAlert(ss, alert_fatal, record_overflow);
PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
return SECFailure;
@@ -12344,14 +12370,16 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
ss->sec.isServer &&
ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted) {
- return tls13_HandleEarlyApplicationData(ss, databuf);
+ return tls13_HandleEarlyApplicationData(ss, plaintext);
}
+ plaintext->len = 0;
(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
PORT_SetError(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA);
return SECFailure;
}
- return ssl3_HandleNonApplicationData(ss, rType, epoch, seqNum, databuf);
+ return ssl3_HandleNonApplicationData(ss, rType, epoch, cText->seqNum,
+ plaintext);
}
/*
diff --git a/security/nss/lib/ssl/ssl3ecc.c b/security/nss/lib/ssl/ssl3ecc.c
index 913a14f637..f8b9a94000 100644
--- a/security/nss/lib/ssl/ssl3ecc.c
+++ b/security/nss/lib/ssl/ssl3ecc.c
@@ -548,12 +548,14 @@ ssl3_HandleECDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length)
if (ss->ssl3.prSpec->version == SSL_LIBRARY_VERSION_TLS_1_2) {
rv = ssl_ConsumeSignatureScheme(ss, &b, &length, &sigScheme);
if (rv != SECSuccess) {
- goto loser; /* malformed or unsupported. */
+ errCode = PORT_GetError();
+ goto alert_loser; /* malformed or unsupported. */
}
rv = ssl_CheckSignatureSchemeConsistency(ss, sigScheme,
ss->sec.peerCert);
if (rv != SECSuccess) {
- goto loser;
+ errCode = PORT_GetError();
+ goto alert_loser;
}
hashAlg = ssl_SignatureSchemeToHashType(sigScheme);
} else {
diff --git a/security/nss/lib/ssl/ssl3ext.c b/security/nss/lib/ssl/ssl3ext.c
index 5a50779989..9b6c719f88 100644
--- a/security/nss/lib/ssl/ssl3ext.c
+++ b/security/nss/lib/ssl/ssl3ext.c
@@ -39,7 +39,6 @@ static const ssl3ExtensionHandler clientHelloHandlers[] = {
{ ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn },
{ ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn },
{ ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
- { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn },
{ ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn },
{ ssl_use_srtp_xtn, &ssl3_ServerHandleUseSRTPXtn },
{ ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn },
@@ -51,6 +50,7 @@ static const ssl3ExtensionHandler clientHelloHandlers[] = {
{ ssl_tls13_early_data_xtn, &tls13_ServerHandleEarlyDataXtn },
{ ssl_tls13_psk_key_exchange_modes_xtn, &tls13_ServerHandlePskModesXtn },
{ ssl_tls13_cookie_xtn, &tls13_ServerHandleCookieXtn },
+ { ssl_record_size_limit_xtn, &ssl_HandleRecordSizeLimitXtn },
{ 0, NULL }
};
@@ -61,7 +61,6 @@ static const ssl3ExtensionHandler serverHelloHandlersTLS[] = {
/* TODO: add a handler for ssl_ec_point_formats_xtn */
{ ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
{ ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
- { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
{ ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn },
{ ssl_use_srtp_xtn, &ssl3_ClientHandleUseSRTPXtn },
{ ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
@@ -70,6 +69,7 @@ static const ssl3ExtensionHandler serverHelloHandlersTLS[] = {
{ ssl_tls13_key_share_xtn, &tls13_ClientHandleKeyShareXtn },
{ ssl_tls13_pre_shared_key_xtn, &tls13_ClientHandlePreSharedKeyXtn },
{ ssl_tls13_early_data_xtn, &tls13_ClientHandleEarlyDataXtn },
+ { ssl_record_size_limit_xtn, &ssl_HandleRecordSizeLimitXtn },
{ 0, NULL }
};
@@ -122,7 +122,6 @@ static const sslExtensionBuilder clientHelloSendersTLS[] =
{ ssl_supported_groups_xtn, &ssl_SendSupportedGroupsXtn },
{ ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
{ ssl_session_ticket_xtn, &ssl3_ClientSendSessionTicketXtn },
- { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
{ ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn },
{ ssl_use_srtp_xtn, &ssl3_ClientSendUseSRTPXtn },
{ ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
@@ -137,6 +136,7 @@ static const sslExtensionBuilder clientHelloSendersTLS[] =
{ ssl_signature_algorithms_xtn, &ssl3_SendSigAlgsXtn },
{ ssl_tls13_cookie_xtn, &tls13_ClientSendHrrCookieXtn },
{ ssl_tls13_psk_key_exchange_modes_xtn, &tls13_ClientSendPskModesXtn },
+ { ssl_record_size_limit_xtn, &ssl_SendRecordSizeLimitXtn },
/* The pre_shared_key extension MUST be last. */
{ ssl_tls13_pre_shared_key_xtn, &tls13_ClientSendPreSharedKeyXtn },
{ 0, NULL }
@@ -183,7 +183,6 @@ static const struct {
{ ssl_tls13_psk_key_exchange_modes_xtn, ssl_ext_native_only },
{ ssl_tls13_ticket_early_data_info_xtn, ssl_ext_native_only },
{ ssl_tls13_certificate_authorities_xtn, ssl_ext_native },
- { ssl_next_proto_nego_xtn, ssl_ext_none },
{ ssl_renegotiation_info_xtn, ssl_ext_native }
};
@@ -681,7 +680,11 @@ ssl_CallCustomExtensionSenders(sslSocket *ss, sslBuffer *buf,
}
}
- sslBuffer_Append(buf, tail.buf, tail.len);
+ rv = sslBuffer_Append(buf, tail.buf, tail.len);
+ if (rv != SECSuccess) {
+ goto loser; /* Code already set. */
+ }
+
sslBuffer_Clear(&tail);
return SECSuccess;
diff --git a/security/nss/lib/ssl/ssl3ext.h b/security/nss/lib/ssl/ssl3ext.h
index d0f75a599a..6d77c7459e 100644
--- a/security/nss/lib/ssl/ssl3ext.h
+++ b/security/nss/lib/ssl/ssl3ext.h
@@ -98,6 +98,9 @@ struct TLSExtensionDataStr {
/* The application token contains a value that was passed to the client via
* a session ticket, or the cookie in a HelloRetryRequest. */
SECItem applicationToken;
+
+ /* The record size limit set by the peer. Our value is kept in ss->opt. */
+ PRUint16 recordSizeLimit;
};
typedef struct TLSExtensionStr {
diff --git a/security/nss/lib/ssl/ssl3exthandle.c b/security/nss/lib/ssl/ssl3exthandle.c
index e6388945e1..d1f286dc3c 100644
--- a/security/nss/lib/ssl/ssl3exthandle.c
+++ b/security/nss/lib/ssl/ssl3exthandle.c
@@ -242,33 +242,11 @@ ssl_AlpnTagAllowed(const sslSocket *ss, const SECItem *tag)
return PR_FALSE;
}
-/* handle an incoming Next Protocol Negotiation extension. */
-SECStatus
-ssl3_ServerHandleNextProtoNegoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
- SECItem *data)
-{
- PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3);
-
- if (ss->firstHsDone || data->len != 0) {
- /* Clients MUST send an empty NPN extension, if any. */
- PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
- return SECFailure;
- }
-
- xtnData->negotiated[xtnData->numNegotiated++] = ssl_next_proto_nego_xtn;
-
- /* TODO: server side NPN support would require calling
- * ssl3_RegisterServerHelloExtensionSender here in order to echo the
- * extension back to the client. */
-
- return SECSuccess;
-}
-
-/* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none
+/* ssl3_ValidateAppProtocol checks that the given block of data is valid: none
* of the lengths may be 0 and the sum of the lengths must equal the length of
* the block. */
SECStatus
-ssl3_ValidateNextProtoNego(const unsigned char *data, unsigned int length)
+ssl3_ValidateAppProtocol(const unsigned char *data, unsigned int length)
{
unsigned int offset = 0;
@@ -286,7 +264,7 @@ ssl3_ValidateNextProtoNego(const unsigned char *data, unsigned int length)
return SECSuccess;
}
-/* protocol selection handler for ALPN (server side) and NPN (client side) */
+/* Protocol selection handler for ALPN. */
static SECStatus
ssl3_SelectAppProtocol(const sslSocket *ss, TLSExtensionData *xtnData,
PRUint16 extension, SECItem *data)
@@ -295,7 +273,7 @@ ssl3_SelectAppProtocol(const sslSocket *ss, TLSExtensionData *xtnData,
unsigned char resultBuffer[255];
SECItem result = { siBuffer, resultBuffer, 0 };
- rv = ssl3_ValidateNextProtoNego(data->data, data->len);
+ rv = ssl3_ValidateAppProtocol(data->data, data->len);
if (rv != SECSuccess) {
ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
@@ -303,11 +281,13 @@ ssl3_SelectAppProtocol(const sslSocket *ss, TLSExtensionData *xtnData,
}
PORT_Assert(ss->nextProtoCallback);
- /* For ALPN, the cipher suite isn't selected yet. Note that extensions
+ /* The cipher suite isn't selected yet. Note that extensions
* sometimes affect what cipher suite is selected, e.g., for ECC. */
PORT_Assert((ss->ssl3.hs.preliminaryInfo &
ssl_preinfo_all & ~ssl_preinfo_cipher_suite) ==
(ssl_preinfo_all & ~ssl_preinfo_cipher_suite));
+ /* The callback has to make sure that either rv != SECSuccess or that result
+ * is not set if there is no common protocol. */
rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd, data->data, data->len,
result.data, &result.len, sizeof(resultBuffer));
if (rv != SECSuccess) {
@@ -320,21 +300,20 @@ ssl3_SelectAppProtocol(const sslSocket *ss, TLSExtensionData *xtnData,
* stack. */
if (result.len > sizeof(resultBuffer)) {
PORT_SetError(SEC_ERROR_OUTPUT_LEN);
- /* TODO: crash */
+ PORT_Assert(PR_FALSE);
return SECFailure;
}
SECITEM_FreeItem(&xtnData->nextProto, PR_FALSE);
- if (extension == ssl_app_layer_protocol_xtn &&
- xtnData->nextProtoState != SSL_NEXT_PROTO_NEGOTIATED) {
- /* The callback might say OK, but then it picks a default value - one
- * that was not listed. That's OK for NPN, but not ALPN. */
+ if (result.len < 1 || !result.data) {
+ /* Check that we actually got a result. */
ssl3_ExtSendAlert(ss, alert_fatal, no_application_protocol);
PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL);
return SECFailure;
}
+ xtnData->nextProtoState = SSL_NEXT_PROTO_NEGOTIATED;
xtnData->negotiated[xtnData->numNegotiated++] = extension;
return SECITEM_CopyItem(NULL, &xtnData->nextProto, &result);
}
@@ -356,7 +335,7 @@ ssl3_ServerHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
return SECFailure;
}
- /* Unlike NPN, ALPN has extra redundant length information so that
+ /* ALPN has extra redundant length information so that
* the extension is the same in both ClientHello and ServerHello. */
rv = ssl3_ExtConsumeHandshakeNumber(ss, &count, 2, &data->data, &data->len);
if (rv != SECSuccess || count != data->len) {
@@ -389,39 +368,6 @@ ssl3_ServerHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
}
SECStatus
-ssl3_ClientHandleNextProtoNegoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
- SECItem *data)
-{
- PORT_Assert(ss->version < SSL_LIBRARY_VERSION_TLS_1_3);
- PORT_Assert(!ss->firstHsDone);
-
- if (ssl3_ExtensionNegotiated(ss, ssl_app_layer_protocol_xtn)) {
- /* If the server negotiated ALPN then it has already told us what
- * protocol to use, so it doesn't make sense for us to try to negotiate
- * a different one by sending the NPN handshake message. However, if
- * we've negotiated NPN then we're required to send the NPN handshake
- * message. Thus, these two extensions cannot both be negotiated on the
- * same connection. */
- ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
- PORT_SetError(SSL_ERROR_BAD_SERVER);
- return SECFailure;
- }
-
- /* We should only get this call if we sent the extension, so
- * ss->nextProtoCallback needs to be non-NULL. However, it is possible
- * that an application erroneously cleared the callback between the time
- * we sent the ClientHello and now. */
- if (!ss->nextProtoCallback) {
- PORT_Assert(0);
- ssl3_ExtSendAlert(ss, alert_fatal, internal_error);
- PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK);
- return SECFailure;
- }
-
- return ssl3_SelectAppProtocol(ss, xtnData, ssl_next_proto_nego_xtn, data);
-}
-
-SECStatus
ssl3_ClientHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
SECItem *data)
{
@@ -475,19 +421,6 @@ ssl3_ClientHandleAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
}
SECStatus
-ssl3_ClientSendNextProtoNegoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
- sslBuffer *buf, PRBool *added)
-{
- /* Renegotiations do not send this extension. */
- if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) {
- return SECSuccess;
- }
-
- *added = PR_TRUE;
- return SECSuccess;
-}
-
-SECStatus
ssl3_ClientSendAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added)
{
@@ -499,35 +432,15 @@ ssl3_ClientSendAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
return SECSuccess;
}
- /* NPN requires that the client's fallback protocol is first in the
- * list. However, ALPN sends protocols in preference order. So move the
- * first protocol to the end of the list. */
-
if (len > 0) {
/* Each protocol string is prefixed with a single byte length. */
- unsigned int i;
-
rv = sslBuffer_AppendNumber(buf, len, 2);
if (rv != SECSuccess) {
return SECFailure;
}
-
- i = ss->opt.nextProtoNego.data[0] + 1;
- if (i <= len) {
- rv = sslBuffer_Append(buf, &ss->opt.nextProtoNego.data[i], len - i);
- if (rv != SECSuccess) {
- return SECFailure;
- }
- rv = sslBuffer_Append(buf, ss->opt.nextProtoNego.data, i);
- if (rv != SECSuccess) {
- return SECFailure;
- }
- } else {
- /* This seems to be invalid data so we'll send as-is. */
- rv = sslBuffer_Append(buf, ss->opt.nextProtoNego.data, len);
- if (rv != SECSuccess) {
- return SECFailure;
- }
+ rv = sslBuffer_Append(buf, ss->opt.nextProtoNego.data, len);
+ if (rv != SECSuccess) {
+ return SECFailure;
}
}
@@ -1955,3 +1868,67 @@ ssl_HandleSupportedGroupsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
return SECSuccess;
}
+
+SECStatus
+ssl_HandleRecordSizeLimitXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ SECItem *data)
+{
+ SECStatus rv;
+ PRUint32 limit;
+ PRUint32 maxLimit = (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)
+ ? (MAX_FRAGMENT_LENGTH + 1)
+ : MAX_FRAGMENT_LENGTH;
+
+ rv = ssl3_ExtConsumeHandshakeNumber(ss, &limit, 2, &data->data, &data->len);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ if (data->len != 0 || limit < 64) {
+ ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
+ return SECFailure;
+ }
+
+ if (ss->sec.isServer) {
+ rv = ssl3_RegisterExtensionSender(ss, xtnData, ssl_record_size_limit_xtn,
+ &ssl_SendRecordSizeLimitXtn);
+ if (rv != SECSuccess) {
+ return SECFailure; /* error already set. */
+ }
+ } else if (limit > maxLimit) {
+ /* The client can sensibly check the maximum. */
+ ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
+ return SECFailure;
+ }
+
+ /* We can't enforce the maximum on a server. But we do need to ensure
+ * that we don't apply a limit that is too large. */
+ xtnData->recordSizeLimit = PR_MIN(maxLimit, limit);
+ xtnData->negotiated[xtnData->numNegotiated++] = ssl_record_size_limit_xtn;
+ return SECSuccess;
+}
+
+SECStatus
+ssl_SendRecordSizeLimitXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added)
+{
+ PRUint32 maxLimit;
+ if (ss->sec.isServer) {
+ maxLimit = (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)
+ ? (MAX_FRAGMENT_LENGTH + 1)
+ : MAX_FRAGMENT_LENGTH;
+ } else {
+ maxLimit = (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3)
+ ? (MAX_FRAGMENT_LENGTH + 1)
+ : MAX_FRAGMENT_LENGTH;
+ }
+ PRUint32 limit = PR_MIN(ss->opt.recordSizeLimit, maxLimit);
+ SECStatus rv = sslBuffer_AppendNumber(buf, limit, 2);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ *added = PR_TRUE;
+ return SECSuccess;
+}
diff --git a/security/nss/lib/ssl/ssl3exthandle.h b/security/nss/lib/ssl/ssl3exthandle.h
index b84bd074c0..eaf7f0081c 100644
--- a/security/nss/lib/ssl/ssl3exthandle.h
+++ b/security/nss/lib/ssl/ssl3exthandle.h
@@ -119,4 +119,11 @@ SECStatus ssl_SendSupportedGroupsXtn(const sslSocket *ss,
SECStatus ssl3_SendSupportedPointFormatsXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added);
+SECStatus ssl_HandleRecordSizeLimitXtn(const sslSocket *ss,
+ TLSExtensionData *xtnData,
+ SECItem *data);
+SECStatus ssl_SendRecordSizeLimitXtn(const sslSocket *ss,
+ TLSExtensionData *xtnData,
+ sslBuffer *buf, PRBool *added);
+
#endif
diff --git a/security/nss/lib/ssl/ssl3gthr.c b/security/nss/lib/ssl/ssl3gthr.c
index 8b323bb054..5ea7cc249e 100644
--- a/security/nss/lib/ssl/ssl3gthr.c
+++ b/security/nss/lib/ssl/ssl3gthr.c
@@ -158,6 +158,7 @@ ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags, ssl2Gather *ssl2gs)
* the length of the following encrypted data, and then
* read in the rest of the record into gs->inbuf. */
gs->remainder = (gs->hdr[3] << 8) | gs->hdr[4];
+ gs->hdrLen = SSL3_RECORD_HEADER_LENGTH;
} else {
/* Probably an SSLv2 record header. No need to handle any
* security escapes (gs->hdr[0] & 0x40) as we wouldn't get
@@ -264,8 +265,9 @@ static int
dtls_GatherData(sslSocket *ss, sslGather *gs, int flags)
{
int nb;
- int err;
- int rv = 1;
+ PRUint8 contentType;
+ unsigned int headerLen;
+ SECStatus rv;
SSL_TRC(30, ("dtls_GatherData"));
@@ -285,81 +287,97 @@ dtls_GatherData(sslSocket *ss, sslGather *gs, int flags)
** to 13 (the size of the record header).
*/
if (gs->dtlsPacket.space < MAX_FRAGMENT_LENGTH + 2048 + 13) {
- err = sslBuffer_Grow(&gs->dtlsPacket,
- MAX_FRAGMENT_LENGTH + 2048 + 13);
- if (err) { /* realloc has set error code to no mem. */
- return err;
+ rv = sslBuffer_Grow(&gs->dtlsPacket,
+ MAX_FRAGMENT_LENGTH + 2048 + 13);
+ if (rv != SECSuccess) {
+ return -1; /* Code already set. */
}
}
/* recv() needs to read a full datagram at a time */
nb = ssl_DefRecv(ss, gs->dtlsPacket.buf, gs->dtlsPacket.space, flags);
-
if (nb > 0) {
PRINT_BUF(60, (ss, "raw gather data:", gs->dtlsPacket.buf, nb));
} else if (nb == 0) {
/* EOF */
SSL_TRC(30, ("%d: SSL3[%d]: EOF", SSL_GETPID(), ss->fd));
- rv = 0;
- return rv;
+ return 0;
} else /* if (nb < 0) */ {
SSL_DBG(("%d: SSL3[%d]: recv error %d", SSL_GETPID(), ss->fd,
PR_GetError()));
- rv = SECFailure;
- return rv;
+ return -1;
}
gs->dtlsPacket.len = nb;
}
+ contentType = gs->dtlsPacket.buf[gs->dtlsPacketOffset];
+ if (dtls_IsLongHeader(ss->version, contentType)) {
+ headerLen = 13;
+ } else if (contentType == content_application_data) {
+ headerLen = 7;
+ } else if ((contentType & 0xe0) == 0x20) {
+ headerLen = 2;
+ } else {
+ SSL_DBG(("%d: SSL3[%d]: invalid first octet (%d) for DTLS",
+ SSL_GETPID(), ss->fd, contentType));
+ PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
+ gs->dtlsPacketOffset = 0;
+ gs->dtlsPacket.len = 0;
+ return -1;
+ }
+
/* At this point we should have >=1 complete records lined up in
* dtlsPacket. Read off the header.
*/
- if ((gs->dtlsPacket.len - gs->dtlsPacketOffset) < 13) {
+ if ((gs->dtlsPacket.len - gs->dtlsPacketOffset) < headerLen) {
SSL_DBG(("%d: SSL3[%d]: rest of DTLS packet "
"too short to contain header",
SSL_GETPID(), ss->fd));
- PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+ PORT_SetError(PR_WOULD_BLOCK_ERROR);
gs->dtlsPacketOffset = 0;
gs->dtlsPacket.len = 0;
- rv = SECFailure;
- return rv;
+ return -1;
}
- memcpy(gs->hdr, gs->dtlsPacket.buf + gs->dtlsPacketOffset, 13);
- gs->dtlsPacketOffset += 13;
+ memcpy(gs->hdr, SSL_BUFFER_BASE(&gs->dtlsPacket) + gs->dtlsPacketOffset,
+ headerLen);
+ gs->hdrLen = headerLen;
+ gs->dtlsPacketOffset += headerLen;
/* Have received SSL3 record header in gs->hdr. */
- gs->remainder = (gs->hdr[11] << 8) | gs->hdr[12];
+ if (headerLen == 13) {
+ gs->remainder = (gs->hdr[11] << 8) | gs->hdr[12];
+ } else if (headerLen == 7) {
+ gs->remainder = (gs->hdr[5] << 8) | gs->hdr[6];
+ } else {
+ PORT_Assert(headerLen == 2);
+ gs->remainder = gs->dtlsPacket.len - gs->dtlsPacketOffset;
+ }
if ((gs->dtlsPacket.len - gs->dtlsPacketOffset) < gs->remainder) {
SSL_DBG(("%d: SSL3[%d]: rest of DTLS packet too short "
"to contain rest of body",
SSL_GETPID(), ss->fd));
- PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+ PORT_SetError(PR_WOULD_BLOCK_ERROR);
gs->dtlsPacketOffset = 0;
gs->dtlsPacket.len = 0;
- rv = SECFailure;
- return rv;
+ return -1;
}
/* OK, we have at least one complete packet, copy into inbuf */
- if (gs->remainder > gs->inbuf.space) {
- err = sslBuffer_Grow(&gs->inbuf, gs->remainder);
- if (err) { /* realloc has set error code to no mem. */
- return err;
- }
+ gs->inbuf.len = 0;
+ rv = sslBuffer_Append(&gs->inbuf,
+ SSL_BUFFER_BASE(&gs->dtlsPacket) + gs->dtlsPacketOffset,
+ gs->remainder);
+ if (rv != SECSuccess) {
+ return -1; /* code already set. */
}
-
- SSL_TRC(20, ("%d: SSL3[%d]: dtls gathered record type=%d len=%d",
- SSL_GETPID(), ss->fd, gs->hdr[0], gs->inbuf.len));
-
- memcpy(gs->inbuf.buf, gs->dtlsPacket.buf + gs->dtlsPacketOffset,
- gs->remainder);
- gs->inbuf.len = gs->remainder;
gs->offset = gs->remainder;
gs->dtlsPacketOffset += gs->remainder;
gs->state = GS_INIT;
+ SSL_TRC(20, ("%d: SSL3[%d]: dtls gathered record type=%d len=%d",
+ SSL_GETPID(), ss->fd, contentType, gs->inbuf.len));
return 1;
}
@@ -442,7 +460,11 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
* We need to process it now before we overwrite it with the next
* handshake record.
*/
- rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
+ SSL_DBG(("%d: SSL3[%d]: resuming handshake",
+ SSL_GETPID(), ss->fd));
+ PORT_Assert(!IS_DTLS(ss));
+ rv = ssl3_HandleNonApplicationData(ss, content_handshake,
+ 0, 0, &ss->gs.buf);
} else {
/* State for SSLv2 client hello support. */
ssl2Gather ssl2gs = { PR_FALSE, 0 };
@@ -495,20 +517,14 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
* If it's application data, ss->gs.buf will not be empty upon return.
* If it's a change cipher spec, alert, or handshake message,
* ss->gs.buf.len will be 0 when ssl3_HandleRecord returns SECSuccess.
+ *
+ * cText only needs to be valid for this next function call, so
+ * it can borrow gs.hdr.
*/
- cText.type = (SSL3ContentType)ss->gs.hdr[0];
- cText.version = (ss->gs.hdr[1] << 8) | ss->gs.hdr[2];
-
- if (IS_DTLS(ss)) {
- sslSequenceNumber seq_num;
-
- /* DTLS sequence number */
- PORT_Memcpy(&seq_num, &ss->gs.hdr[3], sizeof(seq_num));
- cText.seq_num = PR_ntohll(seq_num);
- }
-
+ cText.hdr = ss->gs.hdr;
+ cText.hdrLen = ss->gs.hdrLen;
cText.buf = &ss->gs.inbuf;
- rv = ssl3_HandleRecord(ss, &cText, &ss->gs.buf);
+ rv = ssl3_HandleRecord(ss, &cText);
}
}
if (rv < 0) {
@@ -520,7 +536,6 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
* completing any renegotiation handshake we may be doing.
*/
PORT_Assert(ss->firstHsDone);
- PORT_Assert(cText.type == content_application_data);
break;
}
diff --git a/security/nss/lib/ssl/ssl3prot.h b/security/nss/lib/ssl/ssl3prot.h
index d1f46db971..8e6cf27456 100644
--- a/security/nss/lib/ssl/ssl3prot.h
+++ b/security/nss/lib/ssl/ssl3prot.h
@@ -16,7 +16,7 @@ typedef PRUint16 SSL3ProtocolVersion;
/* The TLS 1.3 draft version. Used to avoid negotiating
* between incompatible pre-standard TLS 1.3 drafts.
* TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */
-#define TLS_1_3_DRAFT_VERSION 23
+#define TLS_1_3_DRAFT_VERSION 28
typedef PRUint16 ssl3CipherSuite;
/* The cipher suites are defined in sslproto.h */
diff --git a/security/nss/lib/ssl/sslcert.c b/security/nss/lib/ssl/sslcert.c
index 6cd02e4025..1c3ddb0e75 100644
--- a/security/nss/lib/ssl/sslcert.c
+++ b/security/nss/lib/ssl/sslcert.c
@@ -256,7 +256,8 @@ ssl_PopulateKeyPair(sslServerCert *sc, sslKeyPair *keyPair)
/* Get the size of the cert's public key, and remember it. */
sc->serverKeyBits = SECKEY_PublicKeyStrengthInBits(keyPair->pubKey);
- if (sc->serverKeyBits == 0) {
+ if (sc->serverKeyBits == 0 ||
+ (keyType == rsaKey && sc->serverKeyBits > SSL_MAX_RSA_KEY_BITS)) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
diff --git a/security/nss/lib/ssl/sslerr.h b/security/nss/lib/ssl/sslerr.h
index b94d0cc62e..518a2b8875 100644
--- a/security/nss/lib/ssl/sslerr.h
+++ b/security/nss/lib/ssl/sslerr.h
@@ -262,6 +262,8 @@ typedef enum {
SSL_ERROR_TOO_MANY_KEY_UPDATES = (SSL_ERROR_BASE + 171),
SSL_ERROR_HANDSHAKE_FAILED = (SSL_ERROR_BASE + 172),
SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR = (SSL_ERROR_BASE + 173),
+ SSL_ERROR_RX_MALFORMED_DTLS_ACK = (SSL_ERROR_BASE + 174),
+ SSL_ERROR_DH_KEY_TOO_LONG = (SSL_ERROR_BASE + 175),
SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
} SSLErrorCodes;
#endif /* NO_SECURITY_ERROR_ENUM */
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h
index 10d0333d9e..a2209e90a1 100644
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -121,6 +121,10 @@ typedef enum { SSLAppOpRead = 0,
/* default number of entries in namedGroupPreferences */
#define SSL_NAMED_GROUP_COUNT 31
+/* The maximum DH and RSA bit-length supported. */
+#define SSL_MAX_DH_KEY_BITS 8192
+#define SSL_MAX_RSA_KEY_BITS 8192
+
/* Types and names of elliptic curves used in TLS */
typedef enum {
ec_type_explicitPrime = 1, /* not supported */
@@ -232,6 +236,7 @@ typedef struct sslOptionsStr {
/* If SSL_SetNextProtoNego has been called, then this contains the
* list of supported protocols. */
SECItem nextProtoNego;
+ PRUint16 recordSizeLimit;
PRUint32 maxEarlyDataSize;
unsigned int useSecurity : 1;
@@ -251,7 +256,6 @@ typedef struct sslOptionsStr {
unsigned int enableFalseStart : 1;
unsigned int cbcRandomIV : 1;
unsigned int enableOCSPStapling : 1;
- unsigned int enableNPN : 1;
unsigned int enableALPN : 1;
unsigned int reuseServerECDHEKey : 1;
unsigned int enableFallbackSCSV : 1;
@@ -261,6 +265,7 @@ typedef struct sslOptionsStr {
unsigned int requireDHENamedGroups : 1;
unsigned int enable0RttData : 1;
unsigned int enableTls13CompatMode : 1;
+ unsigned int enableDtlsShortHeader : 1;
} sslOptions;
typedef enum { sslHandshakingUndetermined = 0,
@@ -325,9 +330,11 @@ struct sslGatherStr {
** than into buf or inbuf, while in the GS_HEADER state.
** The portion of the SSL record header put here always comes off the wire
** as plaintext, never ciphertext.
- ** For SSL3/TLS, the plaintext portion is 5 bytes long. For DTLS it is 13.
+ ** For SSL3/TLS, the plaintext portion is 5 bytes long. For DTLS it
+ ** varies based on version and header type.
*/
unsigned char hdr[13];
+ unsigned int hdrLen;
/* Buffer for DTLS data read off the wire as a single datagram */
sslBuffer dtlsPacket;
@@ -440,7 +447,7 @@ struct sslSessionIDStr {
*/
SECItem signedCertTimestamps;
- /* The NPN/ALPN value negotiated in the original connection.
+ /* The ALPN value negotiated in the original connection.
* Used for TLS 1.3. */
SECItem alpnSelection;
@@ -780,9 +787,13 @@ struct ssl3StateStr {
#define IS_DTLS(ss) (ss->protocolVariant == ssl_variant_datagram)
typedef struct {
- SSL3ContentType type;
- SSL3ProtocolVersion version;
- sslSequenceNumber seq_num; /* DTLS only */
+ /* |seqNum| eventually contains the reconstructed sequence number. */
+ sslSequenceNumber seqNum;
+ /* The header of the cipherText. */
+ const PRUint8 *hdr;
+ unsigned int hdrLen;
+
+ /* |buf| is the payload of the ciphertext. */
sslBuffer *buf;
} SSL3Ciphertext;
@@ -805,7 +816,7 @@ struct ssl3DHParamsStr {
};
typedef struct SSLWrappedSymWrappingKeyStr {
- PRUint8 wrappedSymmetricWrappingkey[512];
+ PRUint8 wrappedSymmetricWrappingkey[SSL_MAX_RSA_KEY_BITS / 8];
CK_MECHANISM_TYPE symWrapMechanism;
/* unwrapped symmetric wrapping key uses this mechanism */
CK_MECHANISM_TYPE asymWrapMechanism;
@@ -1375,8 +1386,11 @@ SECStatus ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type);
/*
* input into the SSL3 machinery from the actualy network reading code
*/
-SECStatus ssl3_HandleRecord(
- sslSocket *ss, SSL3Ciphertext *cipher, sslBuffer *out);
+SECStatus ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cipher);
+SECStatus ssl3_HandleNonApplicationData(sslSocket *ss, SSL3ContentType rType,
+ DTLSEpoch epoch,
+ sslSequenceNumber seqNum,
+ sslBuffer *databuf);
SECStatus ssl_RemoveTLSCBCPadding(sslBuffer *plaintext, unsigned int macSize);
int ssl3_GatherAppDataRecord(sslSocket *ss, int flags);
@@ -1537,8 +1551,8 @@ SECStatus ssl_GetSelfEncryptKeys(sslSocket *ss, unsigned char *keyName,
PK11SymKey **encKey, PK11SymKey **macKey);
void ssl_ResetSelfEncryptKeys();
-extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char *data,
- unsigned int length);
+extern SECStatus ssl3_ValidateAppProtocol(const unsigned char *data,
+ unsigned int length);
/* Construct a new NSPR socket for the app to use */
extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
@@ -1636,6 +1650,9 @@ SSLHashType ssl_SignatureSchemeToHashType(SSLSignatureScheme scheme);
KeyType ssl_SignatureSchemeToKeyType(SSLSignatureScheme scheme);
SECStatus ssl3_SetupCipherSuite(sslSocket *ss, PRBool initHashes);
+SECStatus ssl_InsertRecordHeader(const sslSocket *ss, ssl3CipherSpec *cwSpec,
+ SSL3ContentType contentType, sslBuffer *wrBuf,
+ PRBool *needsLength);
/* Pull in DTLS functions */
#include "dtlscon.h"
diff --git a/security/nss/lib/ssl/sslsecur.c b/security/nss/lib/ssl/sslsecur.c
index f09ec067ce..a1d3892145 100644
--- a/security/nss/lib/ssl/sslsecur.c
+++ b/security/nss/lib/ssl/sslsecur.c
@@ -791,7 +791,7 @@ tls13_CheckKeyUpdate(sslSocket *ss, CipherSpecDirection dir)
spec = ss->ssl3.cwSpec;
margin = spec->cipherDef->max_records / 4;
}
- seqNum = spec->seqNum;
+ seqNum = spec->nextSeqNum;
keyUpdate = seqNum > spec->cipherDef->max_records - margin;
ssl_ReleaseSpecReadLock(ss);
if (!keyUpdate) {
@@ -922,21 +922,30 @@ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
*/
if (!ss->firstHsDone) {
PRBool allowEarlySend = PR_FALSE;
+ PRBool firstClientWrite = PR_FALSE;
ssl_Get1stHandshakeLock(ss);
- if (ss->opt.enableFalseStart ||
- (ss->opt.enable0RttData && !ss->sec.isServer)) {
+ /* The client can sometimes send before the handshake is fully
+ * complete. In TLS 1.2: false start; in TLS 1.3: 0-RTT. */
+ if (!ss->sec.isServer &&
+ (ss->opt.enableFalseStart || ss->opt.enable0RttData)) {
ssl_GetSSL3HandshakeLock(ss);
- /* The client can sometimes send before the handshake is fully
- * complete. In TLS 1.2: false start; in TLS 1.3: 0-RTT. */
zeroRtt = ss->ssl3.hs.zeroRttState == ssl_0rtt_sent ||
ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted;
allowEarlySend = ss->ssl3.hs.canFalseStart || zeroRtt;
+ firstClientWrite = ss->ssl3.hs.ws == idle_handshake;
ssl_ReleaseSSL3HandshakeLock(ss);
}
if (!allowEarlySend && ss->handshake) {
rv = ssl_Do1stHandshake(ss);
}
+ if (firstClientWrite) {
+ /* Wait until after sending ClientHello and double-check 0-RTT. */
+ ssl_GetSSL3HandshakeLock(ss);
+ zeroRtt = ss->ssl3.hs.zeroRttState == ssl_0rtt_sent ||
+ ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted;
+ ssl_ReleaseSSL3HandshakeLock(ss);
+ }
ssl_Release1stHandshakeLock(ss);
}
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
index e08d5e2326..33595ffae9 100644
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -55,6 +55,7 @@ static const sslSocketOps ssl_secure_ops = { /* SSL. */
static sslOptions ssl_defaults = {
.nextProtoNego = { siBuffer, NULL, 0 },
.maxEarlyDataSize = 1 << 16,
+ .recordSizeLimit = MAX_FRAGMENT_LENGTH + 1,
.useSecurity = PR_TRUE,
.useSocks = PR_FALSE,
.requestCertificate = PR_FALSE,
@@ -72,7 +73,6 @@ static sslOptions ssl_defaults = {
.enableFalseStart = PR_FALSE,
.cbcRandomIV = PR_TRUE,
.enableOCSPStapling = PR_FALSE,
- .enableNPN = PR_FALSE,
.enableALPN = PR_TRUE,
.reuseServerECDHEKey = PR_TRUE,
.enableFallbackSCSV = PR_FALSE,
@@ -81,7 +81,8 @@ static sslOptions ssl_defaults = {
.enableSignedCertTimestamps = PR_FALSE,
.requireDHENamedGroups = PR_FALSE,
.enable0RttData = PR_FALSE,
- .enableTls13CompatMode = PR_FALSE
+ .enableTls13CompatMode = PR_FALSE,
+ .enableDtlsShortHeader = PR_FALSE
};
/*
@@ -803,10 +804,23 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val)
ss->opt.enable0RttData = val;
break;
+ case SSL_RECORD_SIZE_LIMIT:
+ if (val < 64 || val > (MAX_FRAGMENT_LENGTH + 1)) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
+ } else {
+ ss->opt.recordSizeLimit = val;
+ }
+ break;
+
case SSL_ENABLE_TLS13_COMPAT_MODE:
ss->opt.enableTls13CompatMode = val;
break;
+ case SSL_ENABLE_DTLS_SHORT_HEADER:
+ ss->opt.enableDtlsShortHeader = val;
+ break;
+
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
@@ -914,7 +928,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRIntn *pVal)
val = ss->opt.enableOCSPStapling;
break;
case SSL_ENABLE_NPN:
- val = ss->opt.enableNPN;
+ val = PR_FALSE;
break;
case SSL_ENABLE_ALPN:
val = ss->opt.enableALPN;
@@ -940,9 +954,15 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRIntn *pVal)
case SSL_ENABLE_0RTT_DATA:
val = ss->opt.enable0RttData;
break;
+ case SSL_RECORD_SIZE_LIMIT:
+ val = ss->opt.recordSizeLimit;
+ break;
case SSL_ENABLE_TLS13_COMPAT_MODE:
val = ss->opt.enableTls13CompatMode;
break;
+ case SSL_ENABLE_DTLS_SHORT_HEADER:
+ val = ss->opt.enableDtlsShortHeader;
+ break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
@@ -1037,7 +1057,7 @@ SSL_OptionGetDefault(PRInt32 which, PRIntn *pVal)
val = ssl_defaults.enableOCSPStapling;
break;
case SSL_ENABLE_NPN:
- val = ssl_defaults.enableNPN;
+ val = PR_FALSE;
break;
case SSL_ENABLE_ALPN:
val = ssl_defaults.enableALPN;
@@ -1060,9 +1080,15 @@ SSL_OptionGetDefault(PRInt32 which, PRIntn *pVal)
case SSL_ENABLE_0RTT_DATA:
val = ssl_defaults.enable0RttData;
break;
+ case SSL_RECORD_SIZE_LIMIT:
+ val = ssl_defaults.recordSizeLimit;
+ break;
case SSL_ENABLE_TLS13_COMPAT_MODE:
val = ssl_defaults.enableTls13CompatMode;
break;
+ case SSL_ENABLE_DTLS_SHORT_HEADER:
+ val = ssl_defaults.enableDtlsShortHeader;
+ break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
@@ -1242,10 +1268,22 @@ SSL_OptionSetDefault(PRInt32 which, PRIntn val)
ssl_defaults.enable0RttData = val;
break;
+ case SSL_RECORD_SIZE_LIMIT:
+ if (val < 64 || val > (MAX_FRAGMENT_LENGTH + 1)) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ ssl_defaults.recordSizeLimit = val;
+ break;
+
case SSL_ENABLE_TLS13_COMPAT_MODE:
ssl_defaults.enableTls13CompatMode = val;
break;
+ case SSL_ENABLE_DTLS_SHORT_HEADER:
+ ssl_defaults.enableDtlsShortHeader = val;
+ break;
+
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
@@ -1895,10 +1933,7 @@ DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd)
}
/* SSL_SetNextProtoCallback is used to select an application protocol
- * for ALPN and NPN. For ALPN, this runs on the server; for NPN it
- * runs on the client. */
-/* Note: The ALPN version doesn't allow for the use of a default, setting a
- * status of SSL_NEXT_PROTO_NO_OVERLAP is treated as a failure. */
+ * for ALPN. */
SECStatus
SSL_SetNextProtoCallback(PRFileDesc *fd, SSLNextProtoCallback callback,
void *arg)
@@ -1919,7 +1954,7 @@ SSL_SetNextProtoCallback(PRFileDesc *fd, SSLNextProtoCallback callback,
return SECSuccess;
}
-/* ssl_NextProtoNegoCallback is set as an ALPN/NPN callback when
+/* ssl_NextProtoNegoCallback is set as an ALPN callback when
* SSL_SetNextProtoNego is used.
*/
static SECStatus
@@ -1929,7 +1964,6 @@ ssl_NextProtoNegoCallback(void *arg, PRFileDesc *fd,
unsigned int protoMaxLen)
{
unsigned int i, j;
- const unsigned char *result;
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
@@ -1937,37 +1971,29 @@ ssl_NextProtoNegoCallback(void *arg, PRFileDesc *fd,
SSL_GETPID(), fd));
return SECFailure;
}
+ PORT_Assert(protoMaxLen <= 255);
+ if (protoMaxLen > 255) {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ return SECFailure;
+ }
- /* For each protocol in server preference, see if we support it. */
- for (i = 0; i < protos_len;) {
- for (j = 0; j < ss->opt.nextProtoNego.len;) {
+ /* For each protocol in client preference, see if we support it. */
+ for (j = 0; j < ss->opt.nextProtoNego.len;) {
+ for (i = 0; i < protos_len;) {
if (protos[i] == ss->opt.nextProtoNego.data[j] &&
PORT_Memcmp(&protos[i + 1], &ss->opt.nextProtoNego.data[j + 1],
protos[i]) == 0) {
/* We found a match. */
- ss->xtnData.nextProtoState = SSL_NEXT_PROTO_NEGOTIATED;
- result = &protos[i];
- goto found;
+ const unsigned char *result = &protos[i];
+ memcpy(protoOut, result + 1, result[0]);
+ *protoOutLen = result[0];
+ return SECSuccess;
}
- j += 1 + (unsigned int)ss->opt.nextProtoNego.data[j];
+ i += 1 + (unsigned int)protos[i];
}
- i += 1 + (unsigned int)protos[i];
+ j += 1 + (unsigned int)ss->opt.nextProtoNego.data[j];
}
- /* The other side supports the extension, and either doesn't have any
- * protocols configured, or none of its options match ours. In this case we
- * request our favoured protocol. */
- /* This will be treated as a failure for ALPN. */
- ss->xtnData.nextProtoState = SSL_NEXT_PROTO_NO_OVERLAP;
- result = ss->opt.nextProtoNego.data;
-
-found:
- if (protoMaxLen < result[0]) {
- PORT_SetError(SEC_ERROR_OUTPUT_LEN);
- return SECFailure;
- }
- memcpy(protoOut, result + 1, result[0]);
- *protoOutLen = result[0];
return SECSuccess;
}
@@ -1976,8 +2002,6 @@ SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data,
unsigned int length)
{
sslSocket *ss;
- SECStatus rv;
- SECItem dataItem = { siBuffer, (unsigned char *)data, length };
ss = ssl_FindSocket(fd);
if (!ss) {
@@ -1986,17 +2010,22 @@ SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data,
return SECFailure;
}
- if (ssl3_ValidateNextProtoNego(data, length) != SECSuccess)
+ if (ssl3_ValidateAppProtocol(data, length) != SECSuccess) {
return SECFailure;
+ }
+ /* NPN required that the client's fallback protocol is first in the
+ * list. However, ALPN sends protocols in preference order. So move the
+ * first protocol to the end of the list. */
ssl_GetSSL3HandshakeLock(ss);
SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE);
- rv = SECITEM_CopyItem(NULL, &ss->opt.nextProtoNego, &dataItem);
+ SECITEM_AllocItem(NULL, &ss->opt.nextProtoNego, length);
+ size_t firstLen = data[0] + 1;
+ /* firstLen <= length is ensured by ssl3_ValidateAppProtocol. */
+ PORT_Memcpy(ss->opt.nextProtoNego.data + (length - firstLen), data, firstLen);
+ PORT_Memcpy(ss->opt.nextProtoNego.data, data + firstLen, length - firstLen);
ssl_ReleaseSSL3HandshakeLock(ss);
- if (rv != SECSuccess)
- return rv;
-
return SSL_SetNextProtoCallback(fd, ssl_NextProtoNegoCallback, NULL);
}
@@ -3034,26 +3063,27 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
} else { /* handshaking as server */
new_flags |= PR_POLL_READ;
}
- } else
+ } else if (ss->lastWriteBlocked) {
/* First handshake is in progress */
- if (ss->lastWriteBlocked) {
if (new_flags & PR_POLL_READ) {
/* The caller is waiting for data to be received,
** but the initial handshake is blocked on write, or the
** client's first handshake record has not been written.
** The code should select on write, not read.
*/
- new_flags ^= PR_POLL_READ; /* don't select on read. */
+ new_flags &= ~PR_POLL_READ; /* don't select on read. */
new_flags |= PR_POLL_WRITE; /* do select on write. */
}
} else if (new_flags & PR_POLL_WRITE) {
/* The caller is trying to write, but the handshake is
** blocked waiting for data to read, and the first
** handshake has been sent. So do NOT to poll on write
- ** unless we did false start.
+ ** unless we did false start or we are doing 0-RTT.
*/
- if (!ss->ssl3.hs.canFalseStart) {
- new_flags ^= PR_POLL_WRITE; /* don't select on write. */
+ if (!(ss->ssl3.hs.canFalseStart ||
+ ss->ssl3.hs.zeroRttState == ssl_0rtt_sent ||
+ ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted)) {
+ new_flags &= ~PR_POLL_WRITE; /* don't select on write. */
}
new_flags |= PR_POLL_READ; /* do select on read. */
}
@@ -3093,6 +3123,9 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
}
}
+ SSL_TRC(20, ("%d: SSL[%d]: ssl_Poll flags %x -> %x",
+ SSL_GETPID(), fd, how_flags, new_flags));
+
if (new_flags && (fd->lower->methods->poll != NULL)) {
PRInt16 lower_out_flags = 0;
PRInt16 lower_new_flags;
diff --git a/security/nss/lib/ssl/sslspec.c b/security/nss/lib/ssl/sslspec.c
index 26c3eb5462..7833eeab69 100644
--- a/security/nss/lib/ssl/sslspec.c
+++ b/security/nss/lib/ssl/sslspec.c
@@ -143,6 +143,7 @@ ssl_CreateCipherSpec(sslSocket *ss, CipherSpecDirection direction)
spec->refCt = 1;
spec->version = ss->version;
spec->direction = direction;
+ spec->recordSizeLimit = MAX_FRAGMENT_LENGTH;
SSL_TRC(10, ("%d: SSL[%d]: new %s spec %d ct=%d",
SSL_GETPID(), ss->fd, SPEC_DIR(spec), spec,
spec->refCt));
diff --git a/security/nss/lib/ssl/sslspec.h b/security/nss/lib/ssl/sslspec.h
index 729ac1006f..b256017553 100644
--- a/security/nss/lib/ssl/sslspec.h
+++ b/security/nss/lib/ssl/sslspec.h
@@ -162,12 +162,18 @@ struct ssl3CipherSpecStr {
DTLSEpoch epoch;
const char *phase;
- sslSequenceNumber seqNum;
+
+ /* The next sequence number to be sent or received. */
+ sslSequenceNumber nextSeqNum;
DTLSRecvdRecords recvdRecords;
/* The number of 0-RTT bytes that can be sent or received in TLS 1.3. This
* will be zero for everything but 0-RTT. */
PRUint32 earlyDataRemaining;
+ /* The maximum plaintext length. This differs from the configured or
+ * negotiated value for TLS 1.3; it is reduced by one to account for the
+ * content type octet. */
+ PRUint16 recordSizeLimit;
};
typedef void (*sslCipherSpecChangedFunc)(void *arg,
diff --git a/security/nss/lib/ssl/sslt.h b/security/nss/lib/ssl/sslt.h
index e2b80fb436..bb1bec7a3d 100644
--- a/security/nss/lib/ssl/sslt.h
+++ b/security/nss/lib/ssl/sslt.h
@@ -432,6 +432,7 @@ typedef enum {
ssl_signed_cert_timestamp_xtn = 18,
ssl_padding_xtn = 21,
ssl_extended_master_secret_xtn = 23,
+ ssl_record_size_limit_xtn = 28,
ssl_session_ticket_xtn = 35,
/* 40 was used in draft versions of TLS 1.3; it is now reserved. */
ssl_tls13_pre_shared_key_xtn = 41,
@@ -454,7 +455,7 @@ typedef enum {
/* SSL_MAX_EXTENSIONS includes the maximum number of extensions that are
* supported for any single message type. That is, a ClientHello; ServerHello
* and TLS 1.3 NewSessionTicket and HelloRetryRequest extensions have fewer. */
-#define SSL_MAX_EXTENSIONS 20
+#define SSL_MAX_EXTENSIONS 21
/* Deprecated */
typedef enum {
diff --git a/security/nss/lib/ssl/tls13con.c b/security/nss/lib/ssl/tls13con.c
index c06acc83a9..4d9170fb01 100644
--- a/security/nss/lib/ssl/tls13con.c
+++ b/security/nss/lib/ssl/tls13con.c
@@ -792,7 +792,7 @@ tls13_HandleKeyUpdate(sslSocket *ss, PRUint8 *b, unsigned int length)
/* Only send an update if we have sent with the current spec. This
* prevents us from being forced to crank forward pointlessly. */
ssl_GetSpecReadLock(ss);
- sendUpdate = ss->ssl3.cwSpec->seqNum > 0;
+ sendUpdate = ss->ssl3.cwSpec->nextSeqNum > 0;
ssl_ReleaseSpecReadLock(ss);
} else {
sendUpdate = PR_TRUE;
@@ -1620,7 +1620,7 @@ tls13_HandleClientHelloPart2(sslSocket *ss,
ssl_GetSpecWriteLock(ss);
/* Increase the write sequence number. The read sequence number
* will be reset after this to early data or handshake. */
- ss->ssl3.cwSpec->seqNum = 1;
+ ss->ssl3.cwSpec->nextSeqNum = 1;
ssl_ReleaseSpecWriteLock(ss);
}
@@ -2007,7 +2007,7 @@ tls13_SendHelloRetryRequest(sslSocket *ss,
/* We depend on this being exactly one record and one message. */
PORT_Assert(!IS_DTLS(ss) || (ss->ssl3.hs.sendMessageSeq == 1 &&
- ss->ssl3.cwSpec->seqNum == 1));
+ ss->ssl3.cwSpec->nextSeqNum == 1));
ssl_ReleaseXmitBufLock(ss);
ss->ssl3.hs.helloRetry = PR_TRUE;
@@ -2209,6 +2209,8 @@ tls13_HandleHelloRetryRequest(sslSocket *ss, const PRUint8 *savedMsg,
} else {
PORT_Assert(ss->ssl3.hs.zeroRttState == ssl_0rtt_none);
}
+ /* Set the spec version, because we want to send CH now with 0303 */
+ tls13_SetSpecRecordVersion(ss, ss->ssl3.cwSpec);
/* Extensions must contain more than just supported_versions. This will
* ensure that a HelloRetryRequest isn't a no-op: we must have at least two
@@ -2248,6 +2250,7 @@ tls13_HandleHelloRetryRequest(sslSocket *ss, const PRUint8 *savedMsg,
goto loser;
}
}
+
rv = ssl3_SendClientHello(ss, client_hello_retry);
if (rv != SECSuccess) {
goto loser;
@@ -3251,6 +3254,17 @@ tls13_SetupPendingCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
}
tls13_SetSpecRecordVersion(ss, spec);
+
+ /* The record size limit is reduced by one so that the remainder of the
+ * record handling code can use the same checks for all versions. */
+ if (ssl3_ExtensionNegotiated(ss, ssl_record_size_limit_xtn)) {
+ spec->recordSizeLimit = ((spec->direction == CipherSpecRead)
+ ? ss->opt.recordSizeLimit
+ : ss->xtnData.recordSizeLimit) -
+ 1;
+ } else {
+ spec->recordSizeLimit = MAX_FRAGMENT_LENGTH;
+ }
return SECSuccess;
}
@@ -3316,7 +3330,7 @@ tls13_SetCipherSpec(sslSocket *ss, PRUint16 epoch,
return SECFailure;
}
spec->epoch = epoch;
- spec->seqNum = 0;
+ spec->nextSeqNum = 0;
if (IS_DTLS(ss)) {
dtls_InitRecvdRecords(&spec->recvdRecords);
}
@@ -3536,14 +3550,15 @@ tls13_AESGCM(ssl3KeyMaterial *keys,
CK_GCM_PARAMS gcmParams;
unsigned char nonce[12];
+ PORT_Assert(additionalDataLen > 8);
memset(&gcmParams, 0, sizeof(gcmParams));
gcmParams.pIv = nonce;
gcmParams.ulIvLen = sizeof(nonce);
- gcmParams.pAAD = NULL;
- gcmParams.ulAADLen = 0;
+ gcmParams.pAAD = (PRUint8 *)(additionalData + 8);
+ gcmParams.ulAADLen = additionalDataLen - 8;
gcmParams.ulTagBits = 128; /* GCM measures tag length in bits. */
- tls13_WriteNonce(keys, additionalData, additionalDataLen,
+ tls13_WriteNonce(keys, additionalData, 8,
nonce, sizeof(nonce));
return tls13_AEAD(keys, doDecrypt, out, outlen, maxout, in, inlen,
CKM_AES_GCM,
@@ -3560,14 +3575,15 @@ tls13_ChaCha20Poly1305(ssl3KeyMaterial *keys, PRBool doDecrypt,
CK_NSS_AEAD_PARAMS aeadParams;
unsigned char nonce[12];
+ PORT_Assert(additionalDataLen > 8);
memset(&aeadParams, 0, sizeof(aeadParams));
aeadParams.pNonce = nonce;
aeadParams.ulNonceLen = sizeof(nonce);
- aeadParams.pAAD = NULL; /* No AAD in TLS 1.3. */
- aeadParams.ulAADLen = 0;
+ aeadParams.pAAD = (PRUint8 *)(additionalData + 8);
+ aeadParams.ulAADLen = additionalDataLen - 8;
aeadParams.ulTagLen = 16; /* The Poly1305 tag is 16 octets. */
- tls13_WriteNonce(keys, additionalData, additionalDataLen,
+ tls13_WriteNonce(keys, additionalData, 8,
nonce, sizeof(nonce));
return tls13_AEAD(keys, doDecrypt, out, outlen, maxout, in, inlen,
CKM_NSS_CHACHA20_POLY1305,
@@ -3579,7 +3595,7 @@ tls13_HandleEncryptedExtensions(sslSocket *ss, PRUint8 *b, PRUint32 length)
{
SECStatus rv;
PRUint32 innerLength;
- SECItem oldNpn = { siBuffer, NULL, 0 };
+ SECItem oldAlpn = { siBuffer, NULL, 0 };
PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
@@ -3603,11 +3619,11 @@ tls13_HandleEncryptedExtensions(sslSocket *ss, PRUint8 *b, PRUint32 length)
return SECFailure;
}
- /* If we are doing 0-RTT, then we already have an NPN value. Stash
+ /* If we are doing 0-RTT, then we already have an ALPN value. Stash
* it for comparison. */
if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent &&
ss->xtnData.nextProtoState == SSL_NEXT_PROTO_EARLY_VALUE) {
- oldNpn = ss->xtnData.nextProto;
+ oldAlpn = ss->xtnData.nextProto;
ss->xtnData.nextProto.data = NULL;
ss->xtnData.nextProtoState = SSL_NEXT_PROTO_NO_SUPPORT;
}
@@ -3627,8 +3643,8 @@ tls13_HandleEncryptedExtensions(sslSocket *ss, PRUint8 *b, PRUint32 length)
ss->ssl3.hs.zeroRttState = ssl_0rtt_accepted;
/* Check that the server negotiated the same ALPN (if any). */
- if (SECITEM_CompareItem(&oldNpn, &ss->xtnData.nextProto)) {
- SECITEM_FreeItem(&oldNpn, PR_FALSE);
+ if (SECITEM_CompareItem(&oldAlpn, &ss->xtnData.nextProto)) {
+ SECITEM_FreeItem(&oldAlpn, PR_FALSE);
FATAL_ERROR(ss, SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID,
illegal_parameter);
return SECFailure;
@@ -3650,7 +3666,7 @@ tls13_HandleEncryptedExtensions(sslSocket *ss, PRUint8 *b, PRUint32 length)
ss->ssl3.hs.zeroRttState == ssl_0rtt_ignored));
}
- SECITEM_FreeItem(&oldNpn, PR_FALSE);
+ SECITEM_FreeItem(&oldAlpn, PR_FALSE);
if (ss->ssl3.hs.kea_def->authKeyType == ssl_auth_psk) {
TLS13_SET_HS_STATE(ss, wait_finished);
} else {
@@ -3815,13 +3831,14 @@ tls13_HandleCertificateVerify(sslSocket *ss, PRUint8 *b, PRUint32 length)
rv = ssl_ConsumeSignatureScheme(ss, &b, &length, &sigScheme);
if (rv != SECSuccess) {
- PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_VERIFY);
+ FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CERT_VERIFY, illegal_parameter);
return SECFailure;
}
rv = ssl_CheckSignatureSchemeConsistency(ss, sigScheme, ss->sec.peerCert);
if (rv != SECSuccess) {
/* Error set already */
+ FATAL_ERROR(ss, PORT_GetError(), illegal_parameter);
return SECFailure;
}
hashAlg = ssl_SignatureSchemeToHashType(sigScheme);
@@ -4740,7 +4757,8 @@ static const struct {
{ ssl_tls13_cookie_xtn, _M2(client_hello, hello_retry_request) },
{ ssl_tls13_certificate_authorities_xtn, _M1(certificate_request) },
{ ssl_tls13_supported_versions_xtn, _M3(client_hello, server_hello,
- hello_retry_request) }
+ hello_retry_request) },
+ { ssl_record_size_limit_xtn, _M2(client_hello, encrypted_extensions) }
};
tls13ExtensionStatus
@@ -4780,19 +4798,20 @@ tls13_ExtensionStatus(PRUint16 extension, SSLHandshakeType message)
#undef _M2
#undef _M3
-/* TLS 1.3 doesn't actually have additional data but the aead function
- * signature overloads additional data to carry the record sequence
- * number and that's what we put here. The TLS 1.3 AEAD functions
- * just use this input as the sequence number and not as additional
- * data. */
+/* We cheat a bit on additional data because the AEAD interface
+ * which doesn't have room for the record number. The AAD we
+ * format is serialized record number followed by the true AD
+ * (i.e., the record header) plus the serialized record number. */
static SECStatus
-tls13_FormatAdditionalData(sslSocket *ss, PRUint8 *aad, unsigned int length,
- DTLSEpoch epoch, sslSequenceNumber seqNum)
+tls13_FormatAdditionalData(
+ sslSocket *ss,
+ const PRUint8 *header, unsigned int headerLen,
+ DTLSEpoch epoch, sslSequenceNumber seqNum,
+ PRUint8 *aad, unsigned int *aadLength, unsigned int maxLength)
{
SECStatus rv;
- sslBuffer buf = SSL_BUFFER_FIXED(aad, length);
+ sslBuffer buf = SSL_BUFFER_FIXED(aad, maxLength);
- PORT_Assert(length == 8);
if (IS_DTLS(ss)) {
rv = sslBuffer_AppendNumber(&buf, epoch, 2);
if (rv != SECSuccess) {
@@ -4803,6 +4822,14 @@ tls13_FormatAdditionalData(sslSocket *ss, PRUint8 *aad, unsigned int length,
if (rv != SECSuccess) {
return SECFailure;
}
+
+ rv = sslBuffer_Append(&buf, header, headerLen);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ *aadLength = buf.len;
+
return SECSuccess;
}
@@ -4843,43 +4870,68 @@ tls13_ProtectRecord(sslSocket *ss,
PORT_Assert(cwSpec->direction == CipherSpecWrite);
SSL_TRC(3, ("%d: TLS13[%d]: spec=%d epoch=%d (%s) protect 0x%0llx len=%u",
SSL_GETPID(), ss->fd, cwSpec, cwSpec->epoch, cwSpec->phase,
- cwSpec->seqNum, contentLen));
+ cwSpec->nextSeqNum, contentLen));
- if (contentLen + 1 + tagLen > wrBuf->space) {
+ if (contentLen + 1 + tagLen > SSL_BUFFER_SPACE(wrBuf)) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
/* Copy the data into the wrBuf. We're going to encrypt in-place
* in the AEAD branch anyway */
- PORT_Memcpy(wrBuf->buf, pIn, contentLen);
+ PORT_Memcpy(SSL_BUFFER_NEXT(wrBuf), pIn, contentLen);
if (cipher_def->calg == ssl_calg_null) {
/* Shortcut for plaintext */
- wrBuf->len = contentLen;
+ rv = sslBuffer_Skip(wrBuf, contentLen, NULL);
+ PORT_Assert(rv == SECSuccess);
} else {
- PRUint8 aad[8];
+ PRUint8 hdr[13];
+ sslBuffer buf = SSL_BUFFER_FIXED(hdr, sizeof(hdr));
+ PRBool needsLength;
+ PRUint8 aad[21];
+ unsigned int aadLen;
+ int len;
+
PORT_Assert(cipher_def->type == type_aead);
/* Add the content type at the end. */
- wrBuf->buf[contentLen] = type;
+ *(SSL_BUFFER_NEXT(wrBuf) + contentLen) = type;
- rv = tls13_FormatAdditionalData(ss, aad, sizeof(aad), cwSpec->epoch,
- cwSpec->seqNum);
+ /* Create the header (ugly that we have to do it twice). */
+ rv = ssl_InsertRecordHeader(ss, cwSpec, content_application_data,
+ &buf, &needsLength);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ if (needsLength) {
+ rv = sslBuffer_AppendNumber(&buf, contentLen + 1 +
+ cwSpec->cipherDef->tag_size,
+ 2);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ }
+ rv = tls13_FormatAdditionalData(ss, SSL_BUFFER_BASE(&buf), SSL_BUFFER_LEN(&buf),
+ cwSpec->epoch, cwSpec->nextSeqNum,
+ aad, &aadLen, sizeof(aad));
if (rv != SECSuccess) {
return SECFailure;
}
rv = cwSpec->aead(&cwSpec->keyMaterial,
- PR_FALSE, /* do encrypt */
- wrBuf->buf, /* output */
- (int *)&wrBuf->len, /* out len */
- wrBuf->space, /* max out */
- wrBuf->buf, contentLen + 1, /* input */
- aad, sizeof(aad));
+ PR_FALSE, /* do encrypt */
+ SSL_BUFFER_NEXT(wrBuf), /* output */
+ &len, /* out len */
+ SSL_BUFFER_SPACE(wrBuf), /* max out */
+ SSL_BUFFER_NEXT(wrBuf), /* input */
+ contentLen + 1, /* input len */
+ aad, aadLen);
if (rv != SECSuccess) {
PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
return SECFailure;
}
+ rv = sslBuffer_Skip(wrBuf, len, NULL);
+ PORT_Assert(rv == SECSuccess);
}
return SECSuccess;
@@ -4897,25 +4949,22 @@ tls13_ProtectRecord(sslSocket *ss,
SECStatus
tls13_UnprotectRecord(sslSocket *ss,
ssl3CipherSpec *spec,
- SSL3Ciphertext *cText, sslBuffer *plaintext,
+ SSL3Ciphertext *cText,
+ sslBuffer *plaintext,
+ SSL3ContentType *innerType,
SSL3AlertDescription *alert)
{
const ssl3BulkCipherDef *cipher_def = spec->cipherDef;
- sslSequenceNumber seqNum;
- PRUint8 aad[8];
+ PRUint8 aad[21];
+ unsigned int aadLen;
SECStatus rv;
*alert = bad_record_mac; /* Default alert for most issues. */
PORT_Assert(spec->direction == CipherSpecRead);
- if (IS_DTLS(ss)) {
- seqNum = cText->seq_num & RECORD_SEQ_MASK;
- } else {
- seqNum = spec->seqNum;
- }
SSL_TRC(3, ("%d: TLS13[%d]: spec=%d epoch=%d (%s) unprotect 0x%0llx len=%u",
- SSL_GETPID(), ss->fd, spec, spec->epoch, spec->phase, seqNum,
- cText->buf->len));
+ SSL_GETPID(), ss->fd, spec, spec->epoch, spec->phase,
+ cText->seqNum, cText->buf->len));
/* We can perform this test in variable time because the record's total
* length and the ciphersuite are both public knowledge. */
@@ -4927,28 +4976,38 @@ tls13_UnprotectRecord(sslSocket *ss,
return SECFailure;
}
- /* Verify that the content type is right, even though we overwrite it. */
- if (cText->type != content_application_data) {
+ /* Verify that the content type is right, even though we overwrite it.
+ * Also allow the DTLS short header in TLS 1.3. */
+ if (!(cText->hdr[0] == content_application_data ||
+ (IS_DTLS(ss) &&
+ ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
+ (cText->hdr[0] & 0xe0) == 0x20))) {
SSL_TRC(3,
- ("%d: TLS13[%d]: record has invalid exterior content type=%d",
- SSL_GETPID(), ss->fd, cText->type));
+ ("%d: TLS13[%d]: record has invalid exterior type=%2.2x",
+ SSL_GETPID(), ss->fd, cText->hdr[0]));
/* Do we need a better error here? */
PORT_SetError(SSL_ERROR_BAD_MAC_READ);
return SECFailure;
}
- /* Check the version number in the record. */
- if (cText->version != spec->recordVersion) {
- /* Do we need a better error here? */
- SSL_TRC(3,
- ("%d: TLS13[%d]: record has bogus version",
- SSL_GETPID(), ss->fd));
- return SECFailure;
+ /* Check the version number in the record. Stream only. */
+ if (!IS_DTLS(ss)) {
+ SSL3ProtocolVersion version =
+ ((SSL3ProtocolVersion)cText->hdr[1] << 8) |
+ (SSL3ProtocolVersion)cText->hdr[2];
+ if (version != spec->recordVersion) {
+ /* Do we need a better error here? */
+ SSL_TRC(3, ("%d: TLS13[%d]: record has bogus version",
+ SSL_GETPID(), ss->fd));
+ return SECFailure;
+ }
}
/* Decrypt */
PORT_Assert(cipher_def->type == type_aead);
- rv = tls13_FormatAdditionalData(ss, aad, sizeof(aad), spec->epoch, seqNum);
+ rv = tls13_FormatAdditionalData(ss, cText->hdr, cText->hdrLen,
+ spec->epoch, cText->seqNum,
+ aad, &aadLen, sizeof(aad));
if (rv != SECSuccess) {
return SECFailure;
}
@@ -4959,7 +5018,7 @@ tls13_UnprotectRecord(sslSocket *ss,
plaintext->space, /* maxout */
cText->buf->buf, /* in */
cText->buf->len, /* inlen */
- aad, sizeof(aad));
+ aad, aadLen);
if (rv != SECSuccess) {
SSL_TRC(3,
("%d: TLS13[%d]: record has bogus MAC",
@@ -4968,6 +5027,16 @@ tls13_UnprotectRecord(sslSocket *ss,
return SECFailure;
}
+ /* There is a similar test in ssl3_HandleRecord, but this test is needed to
+ * account for padding. It's safe to do this here (including the alert),
+ * because it only confirms that the record exceeded the size limit, which
+ * is apparent from the size of the ciphertext. */
+ if (plaintext->len > spec->recordSizeLimit + 1) {
+ SSL3_SendAlert(ss, alert_fatal, record_overflow);
+ PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+ return SECFailure;
+ }
+
/* The record is right-padded with 0s, followed by the true
* content type, so read from the right until we receive a
* nonzero byte. */
@@ -4977,9 +5046,7 @@ tls13_UnprotectRecord(sslSocket *ss,
/* Bogus padding. */
if (plaintext->len < 1) {
- SSL_TRC(3,
- ("%d: TLS13[%d]: empty record",
- SSL_GETPID(), ss->fd, cText->type));
+ SSL_TRC(3, ("%d: TLS13[%d]: empty record", SSL_GETPID(), ss->fd));
/* It's safe to report this specifically because it happened
* after the MAC has been verified. */
PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
@@ -4987,12 +5054,12 @@ tls13_UnprotectRecord(sslSocket *ss,
}
/* Record the type. */
- cText->type = plaintext->buf[plaintext->len - 1];
+ *innerType = (SSL3ContentType)plaintext->buf[plaintext->len - 1];
--plaintext->len;
/* Check that we haven't received too much 0-RTT data. */
if (spec->epoch == TrafficKeyEarlyApplicationData &&
- cText->type == content_application_data) {
+ *innerType == content_application_data) {
if (plaintext->len > spec->earlyDataRemaining) {
*alert = unexpected_message;
PORT_SetError(SSL_ERROR_TOO_MUCH_EARLY_DATA);
@@ -5002,9 +5069,8 @@ tls13_UnprotectRecord(sslSocket *ss,
}
SSL_TRC(10,
- ("%d: TLS13[%d]: %s received record of length=%d type=%d",
- SSL_GETPID(), ss->fd, SSL_ROLE(ss),
- plaintext->len, cText->type));
+ ("%d: TLS13[%d]: %s received record of length=%d, type=%d",
+ SSL_GETPID(), ss->fd, SSL_ROLE(ss), plaintext->len, *innerType));
return SECSuccess;
}
@@ -5227,6 +5293,58 @@ tls13_EncodeDraftVersion(SSL3ProtocolVersion version)
return (PRUint16)version;
}
+SECStatus
+tls13_ClientReadSupportedVersion(sslSocket *ss)
+{
+ PRUint32 temp;
+ SSL3ProtocolVersion v;
+ TLSExtension *versionExtension;
+ SECItem it;
+ SECStatus rv;
+
+ /* Update the version based on the extension, as necessary. */
+ versionExtension = ssl3_FindExtension(ss, ssl_tls13_supported_versions_xtn);
+ if (!versionExtension) {
+ return SECSuccess;
+ }
+
+ /* Struct copy so we don't damage the extension. */
+ it = versionExtension->data;
+
+ rv = ssl3_ConsumeHandshakeNumber(ss, &temp, 2, &it.data, &it.len);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ if (it.len) {
+ FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, illegal_parameter);
+ return SECFailure;
+ }
+ v = (SSL3ProtocolVersion)temp;
+
+ /* You cannot negotiate < TLS 1.3 with supported_versions. */
+ if (v < SSL_LIBRARY_VERSION_TLS_1_3) {
+ FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, illegal_parameter);
+ return SECFailure;
+ }
+
+#ifdef TLS_1_3_DRAFT_VERSION
+ if (temp == SSL_LIBRARY_VERSION_TLS_1_3) {
+ FATAL_ERROR(ss, SSL_ERROR_UNSUPPORTED_VERSION, protocol_version);
+ return SECFailure;
+ }
+ if (temp == tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3)) {
+ v = SSL_LIBRARY_VERSION_TLS_1_3;
+ } else {
+ v = (SSL3ProtocolVersion)temp;
+ }
+#else
+ v = (SSL3ProtocolVersion)temp;
+#endif
+
+ ss->version = v;
+ return SECSuccess;
+}
+
/* Pick the highest version we support that is also advertised. */
SECStatus
tls13_NegotiateVersion(sslSocket *ss, const TLSExtension *supportedVersions)
diff --git a/security/nss/lib/ssl/tls13con.h b/security/nss/lib/ssl/tls13con.h
index 1aaffb651d..f35b20023d 100644
--- a/security/nss/lib/ssl/tls13con.h
+++ b/security/nss/lib/ssl/tls13con.h
@@ -28,6 +28,7 @@ typedef enum {
SECStatus tls13_UnprotectRecord(
sslSocket *ss, ssl3CipherSpec *spec,
SSL3Ciphertext *cText, sslBuffer *plaintext,
+ SSL3ContentType *innerType,
SSL3AlertDescription *alert);
#if defined(WIN32)
@@ -101,6 +102,7 @@ PRInt32 tls13_Read0RttData(sslSocket *ss, void *buf, PRInt32 len);
SECStatus tls13_HandleEarlyApplicationData(sslSocket *ss, sslBuffer *origBuf);
PRBool tls13_ClientAllow0Rtt(const sslSocket *ss, const sslSessionID *sid);
PRUint16 tls13_EncodeDraftVersion(SSL3ProtocolVersion version);
+SECStatus tls13_ClientReadSupportedVersion(sslSocket *ss);
SECStatus tls13_NegotiateVersion(sslSocket *ss,
const TLSExtension *supported_versions);
diff --git a/security/nss/lib/ssl/tls13exthandle.c b/security/nss/lib/ssl/tls13exthandle.c
index 899f238276..1ab8a8e597 100644
--- a/security/nss/lib/ssl/tls13exthandle.c
+++ b/security/nss/lib/ssl/tls13exthandle.c
@@ -860,12 +860,12 @@ tls13_ServerHandleCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData,
}
if (xtnData->cookie.len == 0) {
- PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
return SECFailure;
}
if (data->len) {
- PORT_SetError(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
return SECFailure;
}
diff --git a/security/nss/lib/util/nssutil.def b/security/nss/lib/util/nssutil.def
index 936455f6e7..26e438ba6a 100644
--- a/security/nss/lib/util/nssutil.def
+++ b/security/nss/lib/util/nssutil.def
@@ -322,4 +322,9 @@ _NSSUTIL_UTF8ToWide;-
_NSSUTIL_Access;-
;- local:
;- *;
-;-};
+;+NSSUTIL_3.38 { # NSS Utilities 3.38 release
+;+ global:
+SECITEM_MakeItem;
+;+ local:
+;+ *;
+;+};
diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h
index b65d4a0c9f..2749abaa16 100644
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -19,10 +19,10 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
-#define NSSUTIL_VERSION "3.36.4"
+#define NSSUTIL_VERSION "3.38"
#define NSSUTIL_VMAJOR 3
-#define NSSUTIL_VMINOR 36
-#define NSSUTIL_VPATCH 4
+#define NSSUTIL_VMINOR 38
+#define NSSUTIL_VPATCH 0
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE
diff --git a/security/nss/lib/util/pkcs11t.h b/security/nss/lib/util/pkcs11t.h
index c945f314e2..01ff8a5725 100644
--- a/security/nss/lib/util/pkcs11t.h
+++ b/security/nss/lib/util/pkcs11t.h
@@ -466,6 +466,8 @@ typedef CK_ULONG CK_ATTRIBUTE_TYPE;
#define CKA_EXPONENT_1 0x00000126
#define CKA_EXPONENT_2 0x00000127
#define CKA_COEFFICIENT 0x00000128
+/* CKA_PUBLIC_KEY_INFO is new for v2.40 */
+#define CKA_PUBLIC_KEY_INFO 0x00000129
#define CKA_PRIME 0x00000130
#define CKA_SUBPRIME 0x00000131
#define CKA_BASE 0x00000132
diff --git a/security/nss/lib/util/secasn1d.c b/security/nss/lib/util/secasn1d.c
index ccd97481d6..ed237ed72c 100644
--- a/security/nss/lib/util/secasn1d.c
+++ b/security/nss/lib/util/secasn1d.c
@@ -2987,7 +2987,9 @@ SEC_ASN1DecoderFinish(SEC_ASN1DecoderContext *cx)
* XXX anything else that needs to be finished?
*/
- PORT_FreeArena(cx->our_pool, PR_TRUE);
+ if (cx) {
+ PORT_FreeArena(cx->our_pool, PR_TRUE);
+ }
return rv;
}
diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c
index 22c5b1f6e6..1e505a9af1 100644
--- a/security/nss/lib/util/secitem.c
+++ b/security/nss/lib/util/secitem.c
@@ -76,6 +76,15 @@ loser:
}
SECStatus
+SECITEM_MakeItem(PLArenaPool *arena, SECItem *dest, unsigned char *data,
+ unsigned int len)
+{
+ SECItem it = { siBuffer, data, len };
+
+ return SECITEM_CopyItem(arena, dest, &it);
+}
+
+SECStatus
SECITEM_ReallocItem(PLArenaPool *arena, SECItem *item, unsigned int oldlen,
unsigned int newlen)
{
diff --git a/security/nss/lib/util/secitem.h b/security/nss/lib/util/secitem.h
index 5b9d0e1748..4fb1239382 100644
--- a/security/nss/lib/util/secitem.h
+++ b/security/nss/lib/util/secitem.h
@@ -35,6 +35,14 @@ SEC_BEGIN_PROTOS
extern SECItem *SECITEM_AllocItem(PLArenaPool *arena, SECItem *item,
unsigned int len);
+/* Allocate and make an item with the requested contents.
+ *
+ * We seem to have mostly given up on SECItemType, so the result is
+ * always siBuffer.
+ */
+extern SECStatus SECITEM_MakeItem(PLArenaPool *arena, SECItem *dest,
+ unsigned char *data, unsigned int len);
+
/*
** This is a legacy function containing bugs. It doesn't update item->len,
** and it has other issues as described in bug 298649 and bug 298938.