author | Kai Engert <kaie@kuix.de> |
Fri, 16 Jan 2009 20:15:28 +0100 | |
changeset 23815 | d7c6fc72e3cd032ee4c24f903d58730336372dd3 |
parent 23814 | 6c571dc80a993be1b40e6a89cfad2892669d0982 |
child 23816 | fe5e6c0bb20c49b26e07f37ab9aeec062590185e |
push id | unknown |
push user | unknown |
push date | unknown |
bugs | 473837 |
milestone | 1.9.2a1pre |
backs out | 6c571dc80a993be1b40e6a89cfad2892669d0982 |
--- a/dbm/Makefile.in +++ b/dbm/Makefile.in @@ -0,0 +1,53 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is mozilla.org code. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1998 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +DEPTH = .. +topsrcdir = @top_srcdir@ +srcdir = @srcdir@ +VPATH = @srcdir@ + +include $(DEPTH)/config/autoconf.mk + +MODULE = dbm +DIRS = include src + +ifdef ENABLE_TESTS +DIRS += tests +endif + +include $(topsrcdir)/config/rules.mk +
--- a/dbm/include/mcom_db.h +++ b/dbm/include/mcom_db.h @@ -151,17 +151,17 @@ #ifdef SNI /* #include <sys/hetero.h> */ #define BYTE_ORDER BIG_ENDIAN #define BIG_ENDIAN 4321 #define LITTLE_ENDIAN 1234 #endif -#ifdef _WINDOWS +#if defined(_WINDOWS) || defined(XP_OS2_VACPP) #ifdef BYTE_ORDER #undef BYTE_ORDER #endif #define BYTE_ORDER LITTLE_ENDIAN #define LITTLE_ENDIAN 1234 /* LSB first: i386, vax, all NT risc */ #define BIG_ENDIAN 4321 #endif @@ -183,16 +183,24 @@ #if defined(_WINDOWS) || defined(XP_OS2) #include <stdio.h> #include <io.h> #ifndef XP_OS2 #define MAXPATHLEN 1024 #endif +#ifdef XP_OS2_VACPP +#include <os2.h> +#define MAXPATHLEN CCHMAXPATH +#define EPERM EINVAL +#define ENOTDIR EBADPOS +#define S_ISDIR(s) ((s) & S_IFDIR) +#endif + #define EFTYPE EINVAL /* POSIX 1003.1 format errno. */ #ifndef STDERR_FILENO #define STDIN_FILENO 0 /* ANSI C #defines */ #define STDOUT_FILENO 1 #define STDERR_FILENO 2 #endif
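Review bot: The `S_ISDIR` fallback added for XP_OS2_VACPP in the second hunk tests a single bit, `((s) & S_IFDIR)`, rather than comparing the masked file type, so it reports a directory for any mode that merely shares that bit (block devices do on POSIX-style layouts). If the VAC headers provide `S_IFMT`, the conventional form is `#define S_ISDIR(s) (((s) & S_IFMT) == S_IFDIR)`. The `MAXPATHLEN`, `EPERM` and `ENOTDIR` defines in the same block are unconditional, so wrapping each in `#ifndef` would avoid silently overriding a value from the compiler's own headers. Mapping `EPERM` onto `EINVAL` also means callers can no longer tell a permission failure from a bad argument, which deserves a comment such as `/* VAC has no EPERM; permission errors surface as EINVAL */`.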
--- a/dbm/src/h_bigkey.c +++ b/dbm/src/h_bigkey.c @@ -51,17 +51,17 @@ static char sccsid[] = "@(#)hash_bigkey. * __big_return * __big_delete * __find_last_page * Internal * collect_key * collect_data */ -#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) +#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2_VACPP) #include <sys/param.h> #endif #include <errno.h> #include <stdio.h> #include <stdlib.h> #include <string.h>
--- a/dbm/src/h_page.c +++ b/dbm/src/h_page.c @@ -73,17 +73,17 @@ static char sccsid[] = "@(#)hash_page.c #if defined(_WIN32) || defined(_WINDOWS) #include <io.h> #endif #include <signal.h> #include <stdio.h> #include <stdlib.h> #include <string.h> -#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) +#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2_VACPP) #include <unistd.h> #endif #include <assert.h> #include "mcom_db.h" #include "hash.h" #include "page.h"
--- a/dbm/src/hash.c +++ b/dbm/src/hash.c @@ -33,39 +33,39 @@ */ #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)hash.c 8.9 (Berkeley) 6/16/94"; #endif /* LIBC_SCCS and not lint */ #include "watcomfx.h" -#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) +#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2_VACPP) #include <sys/param.h> #endif #if !defined(macintosh) -#ifdef XP_OS2 +#ifdef XP_OS2_EMX #include <sys/types.h> #endif #include <sys/stat.h> #endif #if defined(macintosh) #include <unix.h> #include <unistd.h> #endif #include <errno.h> #include <fcntl.h> #include <stdio.h> #include <stdlib.h> #include <string.h> -#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) +#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2_VACPP) #include <unistd.h> #endif #if defined(_WIN32) || defined(_WINDOWS) #include <windows.h> #endif #include <assert.h>
--- a/dbm/src/hash_buf.c +++ b/dbm/src/hash_buf.c @@ -48,17 +48,17 @@ static char sccsid[] = "@(#)hash_buf.c 8 * External * __buf_init * __get_buf * __buf_free * __reclaim_buf * Internal * newbuf */ -#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) +#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2_VACPP) #include <sys/param.h> #endif #include <errno.h> #include <stddef.h> #include <stdio.h> #include <stdlib.h> #include <string.h>
--- a/dbm/src/mktemp.c +++ b/dbm/src/mktemp.c @@ -42,20 +42,24 @@ static char sccsid[] = "@(#)mktemp.c 8.1 #include <sys/stat.h> #endif #include <fcntl.h> #include <errno.h> #include <stdio.h> #include <ctype.h> #include "mcom_db.h" -#ifndef _WINDOWS +#if !defined(_WINDOWS) && !defined(XP_OS2_VACPP) #include <unistd.h> #endif +#ifdef XP_OS2_VACPP +#include <process.h> +#endif + #ifdef _WINDOWS #include <process.h> #include "winfile.h" #endif static int _gettemp(char *path, register int *doopen, int extraFlags); int
--- a/dbm/src/snprintf.c +++ b/dbm/src/snprintf.c @@ -10,40 +10,41 @@ #else #include "cdefs.h" #endif #include "prtypes.h" #include <ncompat.h> -#ifdef __STDC__ +/* The OS/2 VAC compiler doesn't appear to define __STDC__ and won't let us define it either */ +#if defined(__STDC__) || defined(XP_OS2_VACPP) #include <stdarg.h> #else #include <varargs.h> #endif int -#ifdef __STDC__ +#if defined(__STDC__) || defined(XP_OS2_VACPP) snprintf(char *str, size_t n, const char *fmt, ...) #else snprintf(str, n, fmt, va_alist) char *str; size_t n; const char *fmt; va_dcl #endif { va_list ap; #ifdef VSPRINTF_CHARSTAR char *rp; #else int rval; #endif -#ifdef __STDC__ +#if defined(__STDC__) || defined(XP_OS2_VACPP) va_start(ap, fmt); #else va_start(ap); #endif #ifdef VSPRINTF_CHARSTAR rp = vsprintf(str, fmt, ap); va_end(ap); return (strlen(rp));
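Review bot: In the `VSPRINTF_CHARSTAR` branch visible at the end of this hunk, `rp = vsprintf(str, fmt, ap);` never consults the size argument `n`, so this `snprintf` replacement puts no bound on the write into `str`. The change routes XP_OS2_VACPP through the same prototype and `va_start` path, which puts one more platform on that code. The function continues outside the hunk, so the other branch may differ, but where a bounded formatter exists the call should be `vsnprintf(str, n, fmt, ap)`. Where it does not, the function needs a header comment such as `/* NOTE: n is ignored here; callers must size str for the full formatted output */`.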
--- a/dbm/tests/Makefile.in +++ b/dbm/tests/Makefile.in @@ -39,18 +39,16 @@ DEPTH = ../.. topsrcdir = @top_srcdir@ srcdir = @srcdir@ VPATH = @srcdir@ include $(DEPTH)/config/autoconf.mk MODULE = dbm -PACKAGE_FILE = dbmtest.pkg - PROGRAM = lots$(BIN_SUFFIX) CSRCS = lots.c ifeq ($(OS_ARCH),WINNT) EXTRA_DSO_LIBS = dbm$(MOZ_BITS) else EXTRA_DSO_LIBS = mozdbm_s
deleted file mode 100644
--- a/dbm/tests/dbmtest.pkg
+++ /dev/null
@@ -1,2 +0,0 @@
-[gecko-tests]
-dist/bin/lots@BINS@
--- a/security/coreconf/WINCE.mk +++ b/security/coreconf/WINCE.mk @@ -76,17 +76,16 @@ MKDEPENDENCIES = $(OBJDIR_NAME)/depend. INSTALL = $(NSINSTALL) MAKE_OBJDIR = mkdir MAKE_OBJDIR += $(OBJDIR) RC = rc.exe GARBAGE += $(OBJDIR)/vc20.pdb $(OBJDIR)/vc40.pdb XP_DEFINE += -DXP_PC LIB_SUFFIX = lib DLL_SUFFIX = dll -OS_DLLFLAGS += -DLL ifdef BUILD_OPT # OS_CFLAGS += -MD OPTIMIZER += -O2 DEFINES += -UDEBUG -U_DEBUG -DNDEBUG DLLFLAGS += -OUT:"$@" else #
new file mode 100644 --- /dev/null +++ b/security/coreconf/WINCE3.0.mk 
@@ -0,0 +1,107 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +# +# Config stuff for WINCE 3.0 (MS Pocket PC 2002) +# +# CPU_ARCH must already be defined to one of: +# x86, ARM +# +# This makefile defines the following variables: +# OS_CFLAGS, and OS_DLLFLAGS. 
+ +include $(CORE_DEPTH)/coreconf/WINCE.mk + +CEVersion = 300 +CePlatform = WIN32_PLATFORM_PSPC=310 + +ifeq ($(CPU_ARCH), x86) + DEFINES += -D_X86_ -D_i386_ -Di_386_ -Dx86 + OS_CFLAGS += -Gs8192 -GF + OS_DLLFLAGS += -machine:IX86 +else +ifeq ($(CPU_ARCH), ARM) + DEFINES += -DARM -D_ARM_ + OS_DLLFLAGS += -machine:ARM +else + include CPU_ARCH_is_undefined +endif +endif + +DEFINES += -D_WIN32_WCE=300 -DUNDER_CE=300 +DEFINES += -DWIN32_PLATFORM_PSPC=310 +DEFINES += -DUNICODE -D_UNICODE +OS_CFLAGS += -W3 -nologo + +OS_DLLFLAGS += -DLL + +LINKFLAGS = -nologo -subsystem:windowsce,3.00 \ + -nodefaultlib:libc.lib \ + -nodefaultlib:libcd.lib \ + -nodefaultlib:libcmt.lib \ + -nodefaultlib:libcmtd.lib \ + -nodefaultlib:msvcrt.lib \ + -nodefaultlib:msvcrtd.lib \ + -nodefaultlib:oldnames.lib \ + $(NULL) + +ifndef MOZ_DEBUG_SYMBOLS + LINKFLAGS += -PDB:NONE +endif + +LINK += $(LINKFLAGS) +LDFLAGS += $(LINKFLAGS) + +OS_LIBS= coredll.lib corelibc.lib + +#DLLBASE = -base:"0x00100000" -stack:0x10000,0x1000 -entry:"_DllMainCRTStartup" +DLLBASE += -align:"4096" + +#SUB_SHLOBJS = +#EXTRA_LIBS = +#EXTRA_SHARED_LIBS = +#OS_LIBS= +#LD_LIBS= + +# +# Win NT needs -GT so that fibers can work +# +#OS_CFLAGS += -GT +#DEFINES += -DWINNT + +# WINNT uses the lib prefix, Win95 and WinCE don't +NSPR31_LIB_PREFIX = $(NULL)
--- a/security/coreconf/config.mk +++ b/security/coreconf/config.mk @@ -58,17 +58,17 @@ endif # (dependent upon <architecture> tags) # # # # We are moving towards just having a $(OS_TARGET).mk file # # as opposed to multiple $(OS_TARGET)$(OS_RELEASE).mk files, # # one for each OS release. # ####################################################################### TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD \ - OpenVMS AIX RISCOS WINCE + OpenVMS AIX RISCOS ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET))) include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk else include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk endif ####################################################################### @@ -185,20 +185,16 @@ endif ifdef NSS_ALLOW_UNSUPPORTED_CRITICAL DEFINES += -DNSS_ALLOW_UNSUPPORTED_CRITICAL endif ifdef BUILD_LIBPKIX_TESTS DEFINES += -DBUILD_LIBPKIX_TESTS endif -ifdef NSS_DISABLE_DBM -DEFINES += -DNSS_DISABLE_DBM -endif - # Avoid building object leak test code for optimized library ifndef BUILD_OPT ifdef PKIX_OBJECT_LEAK_TEST DEFINES += -DPKIX_OBJECT_LEAK_TEST endif endif # This allows all library and tools code to use the util function
--- a/security/dbm/Makefile +++ b/security/dbm/Makefile @@ -37,20 +37,16 @@ # ***** END LICENSE BLOCK ***** ####################################################################### # (1) Include initial platform-independent assignments (MANDATORY). # ####################################################################### include manifest.mn -ifdef NSS_DISABLE_DBM -DIRS = dummy -endif - ####################################################################### # (2) Include "global" configuration information. (OPTIONAL) # ####################################################################### include $(CORE_DEPTH)/coreconf/config.mk ####################################################################### # (3) Include "component" configuration information. (OPTIONAL) #
--- a/security/nss/Makefile +++ b/security/nss/Makefile @@ -142,21 +142,17 @@ endif build_nspr: $(NSPR_CONFIG_STATUS) cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; $(MAKE) clobber_nspr: $(NSPR_CONFIG_STATUS) cd $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) ; $(MAKE) clobber build_dbm: -ifndef NSS_DISABLE_DBM cd $(CORE_DEPTH)/dbm ; $(MAKE) export libs -else - echo "skipping the build of DBM" -endif clobber_dbm: cd $(CORE_DEPTH)/dbm ; $(MAKE) clobber moz_import:: ifeq (,$(filter-out WIN%,$(OS_TARGET))) $(NSINSTALL) -D $(DIST)/include/nspr cp $(DIST)/../include/nspr/*.h $(DIST)/include/nspr
--- a/security/nss/cmd/bltest/blapitest.c +++ b/security/nss/cmd/bltest/blapitest.c @@ -668,18 +668,16 @@ typedef enum { bltestRC2_CBC, /* . */ bltestRC4, /* . */ bltestRC5_ECB, /* . */ bltestRC5_CBC, /* . */ bltestAES_ECB, /* . */ bltestAES_CBC, /* . */ bltestCAMELLIA_ECB, /* . */ bltestCAMELLIA_CBC, /* . */ - bltestSEED_ECB, /* SEED algorithm */ - bltestSEED_CBC, /* SEED algorithm */ bltestRSA, /* Public Key Ciphers */ #ifdef NSS_ENABLE_ECC bltestECDSA, /* . (Public Key Sig.) */ #endif bltestDSA, /* . */ bltestMD2, /* Hash algorithms */ bltestMD5, /* . */ bltestSHA1, /* . */ @@ -699,18 +697,16 @@ static char *mode_strings[] = "rc2_cbc", "rc4", "rc5_ecb", "rc5_cbc", "aes_ecb", "aes_cbc", "camellia_ecb", "camellia_cbc", - "seed_ecb", - "seed_cbc", "rsa", #ifdef NSS_ENABLE_ECC "ecdsa", #endif /*"pqg",*/ "dsa", "md2", "md5", @@ -816,17 +812,17 @@ struct bltestCipherInfoStr { double cxtime; double optime; }; PRBool is_symmkeyCipher(bltestCipherMode mode) { /* change as needed! */ - if (mode >= bltestDES_ECB && mode <= bltestSEED_CBC) + if (mode >= bltestDES_ECB && mode <= bltestCAMELLIA_CBC) return PR_TRUE; return PR_FALSE; } PRBool is_pubkeyCipher(bltestCipherMode mode) { /* change as needed! */ @@ -858,18 +854,17 @@ is_sigCipher(bltestCipherMode mode) } PRBool cipher_requires_IV(bltestCipherMode mode) { /* change as needed! */ if (mode == bltestDES_CBC || mode == bltestDES_EDE_CBC || mode == bltestRC2_CBC || mode == bltestRC5_CBC || - mode == bltestAES_CBC || mode == bltestCAMELLIA_CBC|| - mode == bltestSEED_CBC) + mode == bltestAES_CBC || mode == bltestCAMELLIA_CBC) return PR_TRUE; return PR_FALSE; } SECStatus finishIO(bltestIO *output, PRFileDesc *file); SECStatus setupIO(PRArenaPool *arena, bltestIO *input, PRFileDesc *file, 
@@ -1114,34 +1109,16 @@ camellia_Decrypt(void *cx, unsigned char unsigned int inputLen) { return Camellia_Decrypt((CamelliaContext *)cx, output, outputLen, maxOutputLen, input, inputLen); } SECStatus -seed_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen, - unsigned int maxOutputLen, const unsigned char *input, - unsigned int inputLen) -{ - return SEED_Encrypt((SEEDContext *)cx, output, outputLen, maxOutputLen, - input, inputLen); -} - -SECStatus -seed_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen, - unsigned int maxOutputLen, const unsigned char *input, - unsigned int inputLen) -{ - return SEED_Decrypt((SEEDContext *)cx, output, outputLen, maxOutputLen, - input, inputLen); -} - -SECStatus rsa_PublicKeyOp(void *key, SECItem *output, const SECItem *input) { return RSA_PublicKeyOp((RSAPublicKey *)key, output->data, input->data); } SECStatus rsa_PrivateKeyOp(void *key, SECItem *output, const SECItem *input) { 
@@ -1395,56 +1372,16 @@ bltest_camellia_init(bltestCipherInfo *c if (encrypt) cipherInfo->cipher.symmkeyCipher = camellia_Encrypt; else cipherInfo->cipher.symmkeyCipher = camellia_Decrypt; return SECSuccess; } SECStatus -bltest_seed_init(bltestCipherInfo *cipherInfo, PRBool encrypt) -{ - PRIntervalTime time1, time2; - bltestSymmKeyParams *seedp = &cipherInfo->params.sk; - int minorMode; - int i; - - switch (cipherInfo->mode) { - case bltestSEED_ECB: minorMode = NSS_SEED; break; - case bltestSEED_CBC: minorMode = NSS_SEED_CBC; break; - default: - return SECFailure; - } - cipherInfo->cx = (void*)SEED_CreateContext(seedp->key.buf.data, - seedp->iv.buf.data, - minorMode, encrypt); - if (cipherInfo->cxreps > 0) { - SEEDContext **dummycx; - dummycx = PORT_Alloc(cipherInfo->cxreps * sizeof(SEEDContext *)); - TIMESTART(); - for (i=0; i<cipherInfo->cxreps; i++) { - dummycx[i] = (void*)SEED_CreateContext(seedp->key.buf.data, - seedp->iv.buf.data, - minorMode, encrypt); - } - TIMEFINISH(cipherInfo->cxtime, 1.0); - for (i=0; i<cipherInfo->cxreps; i++) { - SEED_DestroyContext(dummycx[i], PR_TRUE); - } - PORT_Free(dummycx); - } - if (encrypt) - cipherInfo->cipher.symmkeyCipher = seed_Encrypt; - else - cipherInfo->cipher.symmkeyCipher = seed_Decrypt; - - return SECSuccess; -} - -SECStatus bltest_rsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt) { int i; RSAPrivateKey **dummyKey; PRIntervalTime time1, time2; bltestRSAParams *rsap = &cipherInfo->params.rsa; /* RSA key gen was done during parameter setup */ cipherInfo->cx = cipherInfo->params.rsa.rsakey; 
@@ -1994,22 +1931,16 @@ cipherInit(bltestCipherInfo *cipherInfo, return bltest_aes_init(cipherInfo, encrypt); break; case bltestCAMELLIA_ECB: case bltestCAMELLIA_CBC: SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf, cipherInfo->input.pBuf.len); return bltest_camellia_init(cipherInfo, encrypt); break; - case bltestSEED_ECB: - case bltestSEED_CBC: - SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf, - cipherInfo->input.pBuf.len); - return bltest_seed_init(cipherInfo, encrypt); - break; case bltestRSA: SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf, cipherInfo->input.pBuf.len); return bltest_rsa_init(cipherInfo, encrypt); break; case bltestDSA: SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf, DSA_SIGNATURE_LEN); @@ -2454,20 +2385,16 @@ cipherFinish(bltestCipherInfo *cipherInf case bltestAES_ECB: case bltestAES_CBC: AES_DestroyContext((AESContext *)cipherInfo->cx, PR_TRUE); break; case bltestCAMELLIA_ECB: case bltestCAMELLIA_CBC: Camellia_DestroyContext((CamelliaContext *)cipherInfo->cx, PR_TRUE); break; - case bltestSEED_ECB: - case bltestSEED_CBC: - SEED_DestroyContext((SEEDContext *)cipherInfo->cx, PR_TRUE); - break; case bltestRC2_ECB: case bltestRC2_CBC: RC2_DestroyContext((RC2Context *)cipherInfo->cx, PR_TRUE); break; case bltestRC4: RC4_DestroyContext((RC4Context *)cipherInfo->cx, PR_TRUE); break; #if NSS_SOFTOKEN_DOES_RC5 @@ -2608,18 +2535,16 @@ print_td: case bltestDES_ECB: case bltestDES_CBC: case bltestDES_EDE_ECB: case bltestDES_EDE_CBC: case bltestAES_ECB: case bltestAES_CBC: case bltestCAMELLIA_ECB: case bltestCAMELLIA_CBC: - case bltestSEED_ECB: - case bltestSEED_CBC: case bltestRC2_ECB: case bltestRC2_CBC: case bltestRC4: if (td) fprintf(stdout, "%8s", "symmkey"); else fprintf(stdout, "%8d", 8*info->params.sk.key.buf.len); break; 
@@ -2753,26 +2678,24 @@ get_params(PRArenaPool *arena, bltestPar int index = 0; #endif switch (mode) { case bltestDES_CBC: case bltestDES_EDE_CBC: case bltestRC2_CBC: case bltestAES_CBC: case bltestCAMELLIA_CBC: - case bltestSEED_CBC: sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "iv", j); load_file_data(arena, ¶ms->sk.iv, filename, bltestBinary); case bltestDES_ECB: case bltestDES_EDE_ECB: case bltestRC2_ECB: case bltestRC4: case bltestAES_ECB: case bltestCAMELLIA_ECB: - case bltestSEED_ECB: sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j); load_file_data(arena, ¶ms->sk.key, filename, bltestBinary); break; #if NSS_SOFTOKEN_DOES_RC5 case bltestRC5_ECB: case bltestRC5_CBC: sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "iv", j); load_file_data(arena, ¶ms->sk.iv, filename, bltestBinary);
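Review bot: Both `sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, ...)` calls kept in this hunk format the `testdir` and `modestr` strings into `filename` with no length limit. `filename` is declared outside the hunk, so its size cannot be checked here, but if it is a fixed array a long test directory path overruns it. NSPR's bounded formatter would close that, e.g. `PR_snprintf(filename, sizeof filename, "%s/tests/%s/%s%d", testdir, modestr, "iv", j);` (assuming `filename` is an array, not a pointer). The CBC labels also fall through into the ECB labels so that the key is loaded after the IV; a `/* fall through: CBC modes need the key as well */` comment after the first `load_file_data` call would make that explicit.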
deleted file mode 100644
--- a/security/nss/cmd/bltest/tests/seed_cbc/ciphertext0
+++ /dev/null
@@ -1,1 +0,0 @@
-JVdzim3if1YIcpGABasoCQ==
deleted file mode 100644
--- a/security/nss/cmd/bltest/tests/seed_cbc/iv0
+++ /dev/null
@@ -1,1 +0,0 @@
-1234567890123456
deleted file mode 100644
--- a/security/nss/cmd/bltest/tests/seed_cbc/key0
+++ /dev/null
@@ -1,1 +0,0 @@
-fedcba9876543210
deleted file mode 100644
--- a/security/nss/cmd/bltest/tests/seed_cbc/numtests
+++ /dev/null
@@ -1,1 +0,0 @@
-1
deleted file mode 100644
--- a/security/nss/cmd/bltest/tests/seed_cbc/plaintext0
+++ /dev/null
@@ -1,1 +0,0 @@
-0123456789abcdef
deleted file mode 100644
--- a/security/nss/cmd/bltest/tests/seed_ecb/ciphertext0
+++ /dev/null
@@ -1,1 +0,0 @@
-GX8KY3uUhAQnL6XbQhXjEw==
deleted file mode 100644
--- a/security/nss/cmd/bltest/tests/seed_ecb/iv0
+++ /dev/null
@@ -1,1 +0,0 @@
-1234567890123456
deleted file mode 100644
--- a/security/nss/cmd/bltest/tests/seed_ecb/key0
+++ /dev/null
@@ -1,1 +0,0 @@
-fedcba9876543210
deleted file mode 100644
--- a/security/nss/cmd/bltest/tests/seed_ecb/numtests
+++ /dev/null
@@ -1,1 +0,0 @@
-1
deleted file mode 100644
--- a/security/nss/cmd/bltest/tests/seed_ecb/plaintext0
+++ /dev/null
@@ -1,1 +0,0 @@
-0123456789abcdef
--- a/security/nss/cmd/certutil/certutil.c +++ b/security/nss/cmd/certutil/certutil.c @@ -798,17 +798,17 @@ ListKeysInSlot(PK11SlotInfo *slot, const keyName = PK11_GetPrivateKeyNickname(node->key); if (!keyName || !keyName[0]) { /* Try extra hard to find nicknames for keys that lack them. */ CERTCertificate * cert; PORT_Free((void *)keyName); keyName = NULL; cert = PK11_GetCertFromPrivateKey(node->key); if (cert) { - if (cert->nickname && cert->nickname[0]) { + if (cert->nickname && !cert->nickname[0]) { keyName = PORT_Strdup(cert->nickname); } else if (cert->emailAddr && cert->emailAddr[0]) { keyName = PORT_Strdup(cert->emailAddr); } CERT_DestroyCertificate(cert); } } if (nickName) {
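Review bot: The new condition `if (cert->nickname && !cert->nickname[0])` is inverted: the branch is taken only when the nickname is the empty string, so `keyName` becomes a copy of `""` and a certificate that does have a nickname falls through to the e-mail address test. The comment above the block says the goal is to find a name for keys that lack one, and the sibling test `cert->emailAddr && cert->emailAddr[0]` shows the intended form. The line should read `if (cert->nickname && cert->nickname[0]) {`. ListKeysInSlot starts and ends outside this hunk, so how an empty `keyName` is printed later cannot be confirmed from here.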
--- a/security/nss/cmd/pk11mode/pk11mode.c +++ b/security/nss/cmd/pk11mode/pk11mode.c @@ -44,25 +44,16 @@ #include <assert.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <stdarg.h> -#if defined(XP_UNIX) && !defined(NO_FORK_CHECK) -#include <unistd.h> -#include <sys/wait.h> -#else -#ifndef NO_FORK_CHECK -#define NO_FORK_CHECK -#endif -#endif - #ifdef _WIN32 #include <windows.h> #define LIB_NAME "softokn3.dll" #endif #include "prlink.h" #include "prprf.h" #include "plgetopt.h" #include "prenv.h" @@ -548,19 +539,16 @@ CK_RV PKM_wrapUnwrap(CK_FUNCTION_LIST_PT CK_OBJECT_HANDLE hSecretKey, CK_ATTRIBUTE *sKeyTemplate, CK_ULONG skeyTempSize); CK_RV PKM_RecoverFunctions(CK_FUNCTION_LIST_PTR pFunctionList, CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hPubKey, CK_OBJECT_HANDLE hPrivKey, CK_MECHANISM *signMech, const CK_BYTE * pData, CK_ULONG pDataLen); -CK_RV PKM_ForkCheck(int expected, CK_FUNCTION_LIST_PTR fList, - PRBool forkAssert, CK_C_INITIALIZE_ARGS_NSS *initArgs); - void PKM_Help(); void PKM_CheckPath(char *string); char *PKM_FilePasswd(char *pwFile); static PRBool verbose = PR_FALSE; int main(int argc, char **argv) { CK_C_GetFunctionList pC_GetFunctionList; 
@@ -572,28 +560,24 @@ int main(int argc, char **argv) CK_ULONG slotID = 0; /* slotID == 0 for FIPSMODE */ CK_UTF8CHAR *pwd = NULL; CK_ULONG pwdLen = 0; char *moduleSpec = NULL; char *configDir = NULL; char *dbPrefix = NULL; char *disableUnload = NULL; - PRBool doForkTests = PR_TRUE; PLOptStatus os; - PLOptState *opt = PL_CreateOptState(argc, argv, "nvhf:Fd:p:"); + PLOptState *opt = PL_CreateOptState(argc, argv, "nvhf:d:p:"); while (PL_OPT_EOL != (os = PL_GetNextOpt(opt))) { - if (PL_OPT_BAD == os) continue; + if (PL_OPT_BAD == os) continue; switch (opt->option) { - case 'F': /* disable fork tests */ - doForkTests = PR_FALSE; - break; case 'n': /* non fips mode */ MODE = NONFIPSMODE; slotID = 1; break; case 'f': /* password file */ pwd = (CK_UTF8CHAR *) PKM_FilePasswd((char *)opt->value); if (!pwd) PKM_Help(); break; @@ -623,26 +607,16 @@ int main(int argc, char **argv) pwdLen = strlen((const char*)pwd); if (!configDir) { configDir = strdup("."); } if (!dbPrefix) { dbPrefix = strdup(""); } - if (doForkTests) - { - /* first, try to fork without softoken loaded to make sure - * everything is OK */ - crv = PKM_ForkCheck(123, NULL, PR_FALSE, NULL); - if (crv != CKR_OK) - goto cleanup; - } - - #ifdef _WIN32 hModule = LoadLibrary(LIB_NAME); if (hModule == NULL) { PKM_Error( "cannot load %s\n", LIB_NAME); goto cleanup; } if (MODE == FIPSMODE) { /* FIPS mode == FC_GetFunctionList */ 
@@ -686,26 +660,16 @@ int main(int argc, char **argv) } else { printf("loaded C_GetFunctionList for NON FIPS MODE; slotID %d \n", (int) slotID); } crv = (*pC_GetFunctionList)(&pFunctionList); assert(crv == CKR_OK); - - if (doForkTests) - { - /* now, try to fork with softoken loaded, but not initialized */ - crv = PKM_ForkCheck(CKR_CRYPTOKI_NOT_INITIALIZED, pFunctionList, - PR_TRUE, NULL); - if (crv != CKR_OK) - goto cleanup; - } - initArgs.CreateMutex = NULL; initArgs.DestroyMutex = NULL; initArgs.LockMutex = NULL; initArgs.UnlockMutex = NULL; initArgs.flags = CKF_OS_LOCKING_OK; moduleSpec = PR_smprintf("configdir='%s' certPrefix='%s' " "keyPrefix='%s' secmod='secmod.db' flags= ", configDir, dbPrefix, dbPrefix); @@ -721,31 +685,16 @@ int main(int argc, char **argv) crv = pFunctionList->C_Initialize(&initArgs); if (crv == CKR_OK) { PKM_LogIt("C_Initialize succeeded\n"); } else { PKM_Error( "C_Initialize failed with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); goto cleanup; } - - if (doForkTests) - { - /* Disable core on fork for this test, since we are testing the - * pathological case, and if enabled, the child process would dump - * core in C_GetTokenInfo . - * We can still differentiate the correct from incorrect behavior - * by the PKCS#11 return code. - */ - /* try to fork with softoken both loaded and initialized */ - crv = PKM_ForkCheck(CKR_DEVICE_ERROR, pFunctionList, PR_FALSE, NULL); - if (crv != CKR_OK) - goto cleanup; - } - crv = PKM_ShowInfo(pFunctionList, slotID); if (crv == CKR_OK) { PKM_LogIt("PKM_ShowInfo succeeded\n"); } else { PKM_Error( "PKM_ShowInfo failed with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); goto cleanup; } 
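Review bot: `assert(crv == CKR_OK);` after `crv = (*pC_GetFunctionList)(&pFunctionList);` in the first hunk is the only check on that call, and it disappears when the tool is built with NDEBUG, so an optimized build would go on to call through `pFunctionList` after a failure. Every other call in main() reports and bails out, and this one should too: `if (crv != CKR_OK) { PKM_Error("C_GetFunctionList failed with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); goto cleanup; }`. main() begins and ends outside this hunk.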
@@ -914,64 +863,35 @@ int main(int argc, char **argv) if (crv == CKR_OK) { PKM_LogIt("C_Finalize succeeded\n"); } else { PKM_Error( "C_Finalize failed with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); goto cleanup; } - if (doForkTests) - { - /* try to fork with softoken still loaded, but de-initialized */ - crv = PKM_ForkCheck(CKR_CRYPTOKI_NOT_INITIALIZED, pFunctionList, - PR_TRUE, NULL); - if (crv != CKR_OK) - goto cleanup; - } - if (pSlotList) free(pSlotList); - /* demonstrate how an application can be in Hybrid mode */ + /* demostrate how an application can be in Hybrid mode */ /* PKM_HybridMode shows how to switch between NONFIPS */ /* mode to FIPS mode */ PKM_LogIt("Testing Hybrid mode \n"); crv = PKM_HybridMode(pwd, pwdLen, &initArgs); if (crv == CKR_OK) { PKM_LogIt("PKM_HybridMode succeeded\n"); } else { PKM_Error( "PKM_HybridMode failed with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); goto cleanup; } - if (doForkTests) { - /* testing one more C_Initialize / C_Finalize to exercise getpid() - * fork check code */ - crv = pFunctionList->C_Initialize(&initArgs); - if (crv == CKR_OK) { - PKM_LogIt("C_Initialize succeeded\n"); - } else { - PKM_Error( "C_Initialize failed with 0x%08X, %-26s\n", crv, - PKM_CK_RVtoStr(crv)); - goto cleanup; - } - crv = pFunctionList->C_Finalize(NULL); - if (crv == CKR_OK) { - PKM_LogIt("C_Finalize succeeded\n"); - } else { - PKM_Error( "C_Finalize failed with 0x%08X, %-26s\n", crv, - PKM_CK_RVtoStr(crv)); - goto cleanup; - } - /* try to C_Initialize / C_Finalize in child. This should succeed */ - crv = PKM_ForkCheck(CKR_OK, pFunctionList, PR_TRUE, &initArgs); - } - + printf("**** Total number of TESTS ran in %s is %d. ****\n", + ((MODE == FIPSMODE) ? "FIPS MODE" : "NON FIPS MODE"), (int) NUMTESTS); + printf("**** ALL TESTS PASSED ****\n"); PKM_LogIt("unloading NSS PKCS # 11 softoken and exiting\n"); cleanup: if (pwd) { free(pwd); } if (configDir) { 
@@ -987,26 +907,16 @@ cleanup: #ifdef _WIN32 FreeLibrary(hModule); #else disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD"); if (!disableUnload) { PR_UnloadLibrary(lib); } #endif - if (CKR_OK == crv && doForkTests && !disableUnload) { - /* try to fork with softoken both de-initialized and unloaded */ - crv = PKM_ForkCheck(123, NULL, PR_TRUE, NULL); - } - - printf("**** Total number of TESTS ran in %s is %d. ****\n", - ((MODE == FIPSMODE) ? "FIPS MODE" : "NON FIPS MODE"), (int) NUMTESTS); - if (CKR_OK == crv) { - printf("**** ALL TESTS PASSED ****\n"); - } return crv; } /* * PKM_KeyTests * * @@ -5400,21 +5310,19 @@ char * PKM_FilePasswd(char *pwFile) return (char*) strdup((char*)phrase); } void PKM_Help() { PRFileDesc *debug_out = PR_GetSpecialFD(PR_StandardError); PR_fprintf(debug_out, "pk11mode test program usage:\n"); PR_fprintf(debug_out, "\t-f <file> Password File : echo pw > file \n"); - PR_fprintf(debug_out, "\t-F Disable Unix fork tests\n"); PR_fprintf(debug_out, "\t-n Non Fips Mode \n"); PR_fprintf(debug_out, "\t-d <path> Database path location\n"); PR_fprintf(debug_out, "\t-p <prefix> DataBase prefix\n"); - PR_fprintf(debug_out, "\t-v verbose\n"); PR_fprintf(debug_out, "\t-h this help message\n"); exit(1); } void PKM_CheckPath(char *string) { char *src; char *dest; 
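Review bot: `return crv;` at the end of main() in the first hunk passes a CK_RV to the process exit status, which on most platforms keeps only the low eight bits. A PKCS #11 error whose low byte is zero (CKR_USER_ALREADY_LOGGED_IN is 0x100, for instance) would therefore reach the calling test script as success. `return (crv == CKR_OK) ? 0 : 1;` keeps pass and fail unambiguous. With the banner now printed before `cleanup:`, the exit status is the only failure signal left for anything that goes wrong during unload.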
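Review bot: PKM_Help in the second hunk no longer lists `-v`, but the option string main() is left with by this commit is still `"nvhf:d:p:"`, so the verbose flag is accepted yet undocumented. Either keep `PR_fprintf(debug_out, "\t-v verbose\n");` in the usage text or remove `v` from the option string. The option switch itself is outside this hunk, so whether `-v` is still handled there should be confirmed.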
@@ -5429,74 +5337,8 @@ void PKM_CheckPath(char *string) } } dest--; /* if the last char is a / set it to 0 */ if (*dest == '/') *dest = 0; } - -CK_RV PKM_ForkCheck(int expected, CK_FUNCTION_LIST_PTR fList, - PRBool forkAssert, CK_C_INITIALIZE_ARGS_NSS *initArgs) -{ - CK_RV crv = CKR_OK; -#ifndef NO_FORK_CHECK - int rc = -1; - int retStatus = 0; - NUMTESTS++; /* increment NUMTESTS */ - if (forkAssert) { - putenv("NSS_STRICT_NOFORK=1"); - } else { - putenv("NSS_STRICT_NOFORK=0"); - } - pid_t child = fork(); - switch (child) { - case -1: - PKM_Error("Fork failed.\n"); - crv = CKR_DEVICE_ERROR; - break; - case 0: - if (fList) { - if (!initArgs) { - /* If softoken is loaded, make a PKCS#11 call to C_GetTokenInfo - * in the child. This call should always fail. - * If softoken is uninitialized, - * it fails with CKR_CRYPTOKI_NOT_INITIALIZED. - * If it was initialized in the parent, the fork check should - * kick in, and make it return CKR_DEVICE_ERROR. - */ - CK_RV child_crv = fList->C_GetTokenInfo(NULL, NULL); - exit(child_crv & 255); - } else { - /* If softoken is loaded, make a PKCS#11 call to C_Initialize - * in the child. This call should always fail. - * If softoken is uninitialized, this should succeed. - * If it was initialized in the parent, the fork check should - * kick in, and make it return CKR_DEVICE_ERROR. - */ - CK_RV child_crv = fList->C_Initialize(initArgs); - if (CKR_OK == child_crv) { - child_crv = fList->C_Finalize(NULL); - } - exit(child_crv & 255); - } - } - exit(expected & 255); - default: - PKM_LogIt("Fork succeeded.\n"); - pid_t ret = wait(&rc); - if (ret != child || (!WIFEXITED(rc)) || - ( (expected & 255) != (WEXITSTATUS(rc) & 255)) ) { - int retstatus = -1; - if (WIFEXITED(rc)) { - retStatus = WEXITSTATUS(rc); - } - PKM_Error("Child misbehaved.\n"); - printf("Child return status : %d.\n", retStatus & 255); - crv = CKR_DEVICE_ERROR; - } - break; - } -#endif - return crv; -} -
--- a/security/nss/cmd/platlibs.mk +++ b/security/nss/cmd/platlibs.mk @@ -69,22 +69,16 @@ EXTRA_SHARED_LIBS += \ else EXTRA_SHARED_LIBS += -Wl,+b,'$$ORIGIN/../lib' endif endif endif SQLITE=-lsqlite3 -ifdef NSS_DISABLE_DBM -DBMLIB = $(NULL) -else -DBMLIB = $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) -endif - ifdef USE_STATIC_LIBS # can't do this in manifest.mn because OS_ARCH isn't defined there. ifeq ($(OS_ARCH), WINNT) DEFINES += -DNSS_USE_STATIC_LIBS # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS) CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) @@ -118,23 +112,23 @@ EXTRA_LIBS += \ $(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX) \ $(CRYPTOLIB) \ + $(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \ $(PKIXLIB) \ - $(DBMLIB) \ + $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)sqlite3.$(LIB_SUFFIX) \ - $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) \ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \ $(NULL) # $(PROGRAM) has NO explicit dependencies on $(OS_LIBS) #OS_LIBS += \ wsock32.lib \ 
@@ -181,33 +175,33 @@ EXTRA_LIBS += \ $(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \ $(CRYPTOLIB) \ - $(DBMLIB) \ + $(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \ $(PKIXLIB) \ $(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \ $(NULL) ifeq ($(OS_ARCH), AIX) EXTRA_SHARED_LIBS += -brtl endif # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS) # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX. EXTRA_SHARED_LIBS += \ -L$(DIST)/lib \ $(SQLITE) \ - -lnssutil3 \ -L$(NSPR_LIB_DIR) \ -lplc4 \ -lplds4 \ -lnspr4 \ $(NULL) endif ifeq ($(OS_TARGET), SunOS)
--- a/security/nss/cmd/shlibsign/Makefile +++ b/security/nss/cmd/shlibsign/Makefile @@ -51,35 +51,17 @@ include $(CORE_DEPTH)/coreconf/config.mk ####################################################################### # (3) Include "component" configuration information. (OPTIONAL) # ####################################################################### ####################################################################### # (4) Include "local" platform-dependent assignments (OPTIONAL). # ####################################################################### -ifeq ($(OS_ARCH), WINNT) - -EXTRA_LIBS += \ - $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \ - $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \ - $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \ - $(NULL) - -else - -EXTRA_SHARED_LIBS += \ - -L$(NSPR_LIB_DIR) \ - -lplc4 \ - -lplds4 \ - -lnspr4 \ - $(NULL) - -endif - +include ../platlibs.mk # sign any and all shared libraries that contain the word freebl CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX) CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX)) CHECKLOC = $(CHECKLIBS:.$(DLL_SUFFIX)=.chk) MD_LIB_RELEASE_FILES = $(CHECKLOC)
--- a/security/nss/cmd/shlibsign/mangle/Makefile +++ b/security/nss/cmd/shlibsign/mangle/Makefile @@ -51,35 +51,17 @@ include $(CORE_DEPTH)/coreconf/config.mk ####################################################################### # (3) Include "component" configuration information. (OPTIONAL) # ####################################################################### ####################################################################### # (4) Include "local" platform-dependent assignments (OPTIONAL). # ####################################################################### -ifeq ($(OS_ARCH), WINNT) - -EXTRA_LIBS += \ - $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \ - $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \ - $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \ - $(NULL) - -else - -EXTRA_SHARED_LIBS += \ - -L$(NSPR_LIB_DIR) \ - -lplc4 \ - -lplds4 \ - -lnspr4 \ - $(NULL) - -endif - +include ../../platlibs.mk ####################################################################### # (5) Execute "global" rules. (OPTIONAL) # ####################################################################### include $(CORE_DEPTH)/coreconf/rules.mk
--- a/security/nss/cmd/shlibsign/shlibsign.c
+++ b/security/nss/cmd/shlibsign/shlibsign.c
@@ -30,167 +30,109 @@ * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* - * shlibsign creates the checksum (.chk) files for the NSS libraries, - * libsoftokn3/softokn3 and libfreebl/freebl (platforms can have - * multiple freebl variants), that contain the NSS cryptograhic boundary. + * Test program for SDR (Secret Decoder Ring) functions. * - * The generated .chk files must be put in the same directory as - * the NSS libraries they were generated for. - * - * When in FIPS 140 mode, the NSS Internal FIPS PKCS #11 Module will - * compute the checksum for the NSS cryptographic boundary libraries - * and compare the checksum with the value in .chk file. - * - * $Id: shlibsign.c,v 1.18 2008/11/20 15:44:12 glen.beasley%sun.com Exp $ + * $Id: shlibsign.c,v 1.17 2008/09/30 04:32:43 nelson%bolyard.com Exp $ */ #ifdef XP_UNIX #define USES_LINKS 1 #endif -#include <assert.h> +#include "nspr.h" #include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <stdarg.h> +#include "nss.h" +#include "secutil.h" +#include "cert.h" +#include "pk11func.h" + +#include "plgetopt.h" +#include "pk11sdr.h" +#include "shsign.h" +#include "pk11pqg.h" #ifdef USES_LINKS #include <unistd.h> #include <sys/param.h> #include <sys/types.h> #include <sys/stat.h> #endif -/* nspr headers */ -#include "prlink.h" -#include "prprf.h" -#include "prenv.h" -#include "plgetopt.h" -#include "prinit.h" -#include "prmem.h" -#include "plstr.h" -#include "prerror.h" - -/* softoken headers */ -#include "pkcs11.h" -#include "pkcs11t.h" - -/* freebl headers */ -#include "shsign.h" +static void +usage (char *program_name) +{ + PRFileDesc *pr_stderr; -#define NUM_ELEM(array) (sizeof(array)/sizeof(array[0])) -CK_BBOOL true = CK_TRUE; 
-CK_BBOOL false = CK_FALSE; -static PRBool verbose = PR_FALSE; - -static void -usage (const char *program_name) -{ - PRFileDesc *debug_out = PR_GetSpecialFD(PR_StandardError); - PR_fprintf (debug_out, - "type %s -H for more detail information.\n", program_name); - PR_fprintf (debug_out, - "Usage: %s [-v] [-V] [-o outfile] [-d dbdir] [-f pwfile]\n" - " [-F] [-p pwd] -[P dbprefix ] " - "-i shared_library_name\n", - program_name); - exit(1); + pr_stderr = PR_STDERR; + PR_fprintf (pr_stderr, + "Usage:%s [-v] [-o outfile] [-d dbdir] [-f pwfile] [-p pwd]\n" + " -i shared_library_name\n", program_name); } -static void -long_usage(const char *program_name) -{ - PRFileDesc *debug_out = PR_GetSpecialFD(PR_StandardError); - PR_fprintf(debug_out, "%s test program usage:\n", program_name); - PR_fprintf(debug_out, "\t-i <infile> shared_library_name to process\n"); - PR_fprintf(debug_out, "\t-o <outfile> checksum outfile\n"); - PR_fprintf(debug_out, "\t-d <path> database path location\n"); - PR_fprintf(debug_out, "\t-P <prefix> database prefix\n"); - PR_fprintf(debug_out, "\t-f <file> password File : echo pw > file \n"); - PR_fprintf(debug_out, "\t-F FIPS mode\n"); - PR_fprintf(debug_out, "\t-p <pwd> password\n"); - PR_fprintf(debug_out, "\t-v verbose output\n"); - PR_fprintf(debug_out, "\t-V perform Verify operations\n"); - PR_fprintf(debug_out, "\t-? 
short help message\n"); - PR_fprintf(debug_out, "\t-h short help message\n"); - PR_fprintf(debug_out, "\t-H this help message\n"); - PR_fprintf(debug_out, "\n\n\tNote: Use of FIPS mode requires your "); - PR_fprintf(debug_out, "library path is using \n"); - PR_fprintf(debug_out, "\t pre-existing libraries with generated "); - PR_fprintf(debug_out, "checksum files\n"); - PR_fprintf(debug_out, "\t and database in FIPS mode \n"); - exit(1); -} - -static char * +static char * mkoutput(const char *input) { - int in_len = strlen(input); - char *output = PR_Malloc(in_len+sizeof(SGN_SUFFIX)); + int in_len = PORT_Strlen(input); + char *output = PORT_Alloc(in_len+sizeof(SGN_SUFFIX)); int index = in_len + 1 - sizeof("."SHLIB_SUFFIX); if ((index > 0) && - (PL_strncmp(&input[index], - "."SHLIB_SUFFIX,sizeof("."SHLIB_SUFFIX)) == 0)) { - in_len = index; + (PORT_Strncmp(&input[index], + "."SHLIB_SUFFIX,sizeof("."SHLIB_SUFFIX)) == 0)) { + in_len = index; } - memcpy(output,input,in_len); - memcpy(&output[in_len],SGN_SUFFIX,sizeof(SGN_SUFFIX)); + PORT_Memcpy(output,input,in_len); + PORT_Memcpy(&output[in_len],SGN_SUFFIX,sizeof(SGN_SUFFIX)); return output; } -static void -lperror(const char *string) { - PRErrorCode errorcode; - errorcode = PR_GetError(); - PR_fprintf(PR_STDERR, "%s: %d: %s\n", string, errorcode, - PR_ErrorToString(errorcode, PR_LANGUAGE_I_DEFAULT)); +static void +lperror(const char *string) +{ + int errNum = PORT_GetError(); + const char *error = SECU_Strerror(errNum); + fprintf(stderr,"%s: %s\n",string, error); } static void encodeInt(unsigned char *buf, int val) { buf[3] = (val >> 0) & 0xff; buf[2] = (val >> 8) & 0xff; buf[1] = (val >> 16) & 0xff; buf[0] = (val >> 24) & 0xff; return; } -static PRStatus -writeItem(PRFileDesc *fd, CK_VOID_PTR pValue, - CK_ULONG ulValueLen, char *file) +static SECStatus +writeItem(PRFileDesc *fd, SECItem *item, char *file) { unsigned char buf[4]; int bytesWritten; - if (ulValueLen == 0) { - PR_fprintf(PR_STDERR, "call to writeItem with 
0 bytes of data.\n"); - return PR_FAILURE; - } - encodeInt(buf,ulValueLen); + encodeInt(buf,item->len); bytesWritten = PR_Write(fd,buf, 4); if (bytesWritten != 4) { - lperror(file); - return PR_FAILURE; + lperror(file); + return SECFailure; } - bytesWritten = PR_Write(fd, pValue, ulValueLen); - if (bytesWritten != ulValueLen) { - lperror(file); - return PR_FAILURE; + bytesWritten = PR_Write(fd, item->data, item->len); + if (bytesWritten != item->len) { + lperror(file); + return SECFailure; } - return PR_SUCCESS; + return SECSuccess; } static const unsigned char prime[] = { 0x00, 0x97, 0x44, 0x1d, 0xcc, 0x0d, 0x39, 0x0d, 0x8d, 0xcb, 0x75, 0xdc, 0x24, 0x25, 0x6f, 0x01, 0x92, 0xa1, 0x11, 0x07, 0x6b, 0x70, 0xac, 0x73, 0xd7, 0x82, 0x28, 0xdf, 0xab, 0x82, 0x0c, 0x41, 0x0c, 0x95, 0xb3, 0x3c, 0x3d, 0xea, 0x8a, 0xe6, 0x44, 
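Review bot: In `mkoutput`, the result of `PORT_Alloc` goes straight into `PORT_Memcpy`, so an allocation failure becomes a NULL-pointer write in the tool that produces the signature files. Add `if (!output) return NULL;` after the allocation and have the callers treat NULL as a failure. `in_len` is an `int` holding a `PORT_Strlen` result and `index` mixes it with `sizeof`, so an input shorter than the suffix depends on unsigned wrap-around converting back to a negative int; doing the length arithmetic in `size_t` and checking `in_len >= sizeof("."SHLIB_SUFFIX) - 1` before subtracting would make that explicit. The restored file header, "Test program for SDR (Secret Decoder Ring) functions", does not match what the usage text and `writeItem` show this program doing and should describe the checksum-file generation instead.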
@@ -260,864 +202,335 @@ static const unsigned char seed[] = { 0x 0x33, 0x46, 0x82, 0xec, 0xd6, 0x94, 0x77, 0xc3, 0x4f, 0x4c, 0x58, 0x1c, 0x7f, 0x61, 0x3c, 0x36, 0xd5, 0x2f, 0xa5, 0x66, 0xd8, 0x2f, 0xce, 0x6e, 0x8e, 0x20, 0x48, 0x4a, 0xbb, 0xe3, 0xe0, 0xb2, 0x50, 0x33, 0x63, 0x8a, 0x5b, 0x2d, 0x6a, 0xbe, 0x4c, 0x28, 0x81, 0x53, 0x5b, 0xe4, 0xf6, 0xfc, 0x64, 0x06, 0x13, 0x51, 0xeb, 0x4a, 0x91, 0x9c }; -static const unsigned int counter=1496; +#define MK_SECITEM(bb) { siBuffer, (unsigned char *)(bb), sizeof(bb) } -struct tuple_str { - CK_RV errNum; - const char * errString; +static PQGParams pqgParams = { + NULL, /* arena */ + MK_SECITEM(prime), /* P */ + MK_SECITEM(subprime), /* Q */ + MK_SECITEM(base) /* G */ }; -typedef struct tuple_str tuple_str; - -static const tuple_str errStrings[] = { -{CKR_OK , "CKR_OK "}, -{CKR_CANCEL , "CKR_CANCEL "}, -{CKR_HOST_MEMORY , "CKR_HOST_MEMORY "}, -{CKR_SLOT_ID_INVALID , "CKR_SLOT_ID_INVALID "}, -{CKR_GENERAL_ERROR , "CKR_GENERAL_ERROR "}, -{CKR_FUNCTION_FAILED , "CKR_FUNCTION_FAILED "}, -{CKR_ARGUMENTS_BAD , "CKR_ARGUMENTS_BAD "}, -{CKR_NO_EVENT , "CKR_NO_EVENT "}, -{CKR_NEED_TO_CREATE_THREADS , "CKR_NEED_TO_CREATE_THREADS "}, -{CKR_CANT_LOCK , "CKR_CANT_LOCK "}, -{CKR_ATTRIBUTE_READ_ONLY , "CKR_ATTRIBUTE_READ_ONLY "}, -{CKR_ATTRIBUTE_SENSITIVE , "CKR_ATTRIBUTE_SENSITIVE "}, -{CKR_ATTRIBUTE_TYPE_INVALID , "CKR_ATTRIBUTE_TYPE_INVALID "}, -{CKR_ATTRIBUTE_VALUE_INVALID , "CKR_ATTRIBUTE_VALUE_INVALID "}, -{CKR_DATA_INVALID , "CKR_DATA_INVALID "}, -{CKR_DATA_LEN_RANGE , "CKR_DATA_LEN_RANGE "}, -{CKR_DEVICE_ERROR , "CKR_DEVICE_ERROR "}, -{CKR_DEVICE_MEMORY , "CKR_DEVICE_MEMORY "}, -{CKR_DEVICE_REMOVED , "CKR_DEVICE_REMOVED "}, -{CKR_ENCRYPTED_DATA_INVALID , "CKR_ENCRYPTED_DATA_INVALID "}, -{CKR_ENCRYPTED_DATA_LEN_RANGE , "CKR_ENCRYPTED_DATA_LEN_RANGE "}, -{CKR_FUNCTION_CANCELED , "CKR_FUNCTION_CANCELED "}, -{CKR_FUNCTION_NOT_PARALLEL , "CKR_FUNCTION_NOT_PARALLEL "}, -{CKR_FUNCTION_NOT_SUPPORTED , "CKR_FUNCTION_NOT_SUPPORTED "}, 
-{CKR_KEY_HANDLE_INVALID , "CKR_KEY_HANDLE_INVALID "}, -{CKR_KEY_SIZE_RANGE , "CKR_KEY_SIZE_RANGE "}, -{CKR_KEY_TYPE_INCONSISTENT , "CKR_KEY_TYPE_INCONSISTENT "}, -{CKR_KEY_NOT_NEEDED , "CKR_KEY_NOT_NEEDED "}, -{CKR_KEY_CHANGED , "CKR_KEY_CHANGED "}, -{CKR_KEY_NEEDED , "CKR_KEY_NEEDED "}, -{CKR_KEY_INDIGESTIBLE , "CKR_KEY_INDIGESTIBLE "}, -{CKR_KEY_FUNCTION_NOT_PERMITTED , "CKR_KEY_FUNCTION_NOT_PERMITTED "}, -{CKR_KEY_NOT_WRAPPABLE , "CKR_KEY_NOT_WRAPPABLE "}, -{CKR_KEY_UNEXTRACTABLE , "CKR_KEY_UNEXTRACTABLE "}, -{CKR_MECHANISM_INVALID , "CKR_MECHANISM_INVALID "}, -{CKR_MECHANISM_PARAM_INVALID , "CKR_MECHANISM_PARAM_INVALID "}, -{CKR_OBJECT_HANDLE_INVALID , "CKR_OBJECT_HANDLE_INVALID "}, -{CKR_OPERATION_ACTIVE , "CKR_OPERATION_ACTIVE "}, -{CKR_OPERATION_NOT_INITIALIZED , "CKR_OPERATION_NOT_INITIALIZED "}, -{CKR_PIN_INCORRECT , "CKR_PIN_INCORRECT "}, -{CKR_PIN_INVALID , "CKR_PIN_INVALID "}, -{CKR_PIN_LEN_RANGE , "CKR_PIN_LEN_RANGE "}, -{CKR_PIN_EXPIRED , "CKR_PIN_EXPIRED "}, -{CKR_PIN_LOCKED , "CKR_PIN_LOCKED "}, -{CKR_SESSION_CLOSED , "CKR_SESSION_CLOSED "}, -{CKR_SESSION_COUNT , "CKR_SESSION_COUNT "}, -{CKR_SESSION_HANDLE_INVALID , "CKR_SESSION_HANDLE_INVALID "}, -{CKR_SESSION_PARALLEL_NOT_SUPPORTED , "CKR_SESSION_PARALLEL_NOT_SUPPORTED "}, -{CKR_SESSION_READ_ONLY , "CKR_SESSION_READ_ONLY "}, -{CKR_SESSION_EXISTS , "CKR_SESSION_EXISTS "}, -{CKR_SESSION_READ_ONLY_EXISTS , "CKR_SESSION_READ_ONLY_EXISTS "}, -{CKR_SESSION_READ_WRITE_SO_EXISTS , "CKR_SESSION_READ_WRITE_SO_EXISTS "}, -{CKR_SIGNATURE_INVALID , "CKR_SIGNATURE_INVALID "}, -{CKR_SIGNATURE_LEN_RANGE , "CKR_SIGNATURE_LEN_RANGE "}, -{CKR_TEMPLATE_INCOMPLETE , "CKR_TEMPLATE_INCOMPLETE "}, -{CKR_TEMPLATE_INCONSISTENT , "CKR_TEMPLATE_INCONSISTENT "}, -{CKR_TOKEN_NOT_PRESENT , "CKR_TOKEN_NOT_PRESENT "}, -{CKR_TOKEN_NOT_RECOGNIZED , "CKR_TOKEN_NOT_RECOGNIZED "}, -{CKR_TOKEN_WRITE_PROTECTED , "CKR_TOKEN_WRITE_PROTECTED "}, -{CKR_UNWRAPPING_KEY_HANDLE_INVALID , "CKR_UNWRAPPING_KEY_HANDLE_INVALID "}, 
-{CKR_UNWRAPPING_KEY_SIZE_RANGE , "CKR_UNWRAPPING_KEY_SIZE_RANGE "}, -{CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT, "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT"}, -{CKR_USER_ALREADY_LOGGED_IN , "CKR_USER_ALREADY_LOGGED_IN "}, -{CKR_USER_NOT_LOGGED_IN , "CKR_USER_NOT_LOGGED_IN "}, -{CKR_USER_PIN_NOT_INITIALIZED , "CKR_USER_PIN_NOT_INITIALIZED "}, -{CKR_USER_TYPE_INVALID , "CKR_USER_TYPE_INVALID "}, -{CKR_USER_ANOTHER_ALREADY_LOGGED_IN , "CKR_USER_ANOTHER_ALREADY_LOGGED_IN "}, -{CKR_USER_TOO_MANY_TYPES , "CKR_USER_TOO_MANY_TYPES "}, -{CKR_WRAPPED_KEY_INVALID , "CKR_WRAPPED_KEY_INVALID "}, -{CKR_WRAPPED_KEY_LEN_RANGE , "CKR_WRAPPED_KEY_LEN_RANGE "}, -{CKR_WRAPPING_KEY_HANDLE_INVALID , "CKR_WRAPPING_KEY_HANDLE_INVALID "}, -{CKR_WRAPPING_KEY_SIZE_RANGE , "CKR_WRAPPING_KEY_SIZE_RANGE "}, -{CKR_WRAPPING_KEY_TYPE_INCONSISTENT , "CKR_WRAPPING_KEY_TYPE_INCONSISTENT "}, -{CKR_RANDOM_SEED_NOT_SUPPORTED , "CKR_RANDOM_SEED_NOT_SUPPORTED "}, -{CKR_RANDOM_NO_RNG , "CKR_RANDOM_NO_RNG "}, -{CKR_DOMAIN_PARAMS_INVALID , "CKR_DOMAIN_PARAMS_INVALID "}, -{CKR_BUFFER_TOO_SMALL , "CKR_BUFFER_TOO_SMALL "}, -{CKR_SAVED_STATE_INVALID , "CKR_SAVED_STATE_INVALID "}, -{CKR_INFORMATION_SENSITIVE , "CKR_INFORMATION_SENSITIVE "}, -{CKR_STATE_UNSAVEABLE , "CKR_STATE_UNSAVEABLE "}, -{CKR_CRYPTOKI_NOT_INITIALIZED , "CKR_CRYPTOKI_NOT_INITIALIZED "}, -{CKR_CRYPTOKI_ALREADY_INITIALIZED , "CKR_CRYPTOKI_ALREADY_INITIALIZED "}, -{CKR_MUTEX_BAD , "CKR_MUTEX_BAD "}, -{CKR_MUTEX_NOT_LOCKED , "CKR_MUTEX_NOT_LOCKED "}, -{CKR_FUNCTION_REJECTED , "CKR_FUNCTION_REJECTED "}, -{CKR_VENDOR_DEFINED , "CKR_VENDOR_DEFINED "}, -{0xCE534351 , "CKR_NETSCAPE_CERTDB_FAILED "}, -{0xCE534352 , "CKR_NETSCAPE_KEYDB_FAILED "} - +static PQGVerify pqgVerify = { + NULL, /* arena */ + 1496, /* counter */ + MK_SECITEM(seed), /* seed */ + MK_SECITEM(h) /* h */ }; -static const CK_ULONG numStrings = sizeof(errStrings) / sizeof(tuple_str); -/* Returns constant error string for "CRV". - * Returns "unknown error" if errNum is unknown. 
- */ -static const char * -CK_RVtoStr(CK_RV errNum) { - CK_ULONG low = 1; - CK_ULONG high = numStrings - 1; - CK_ULONG i; - CK_RV num; - static int initDone; - - /* make sure table is in ascending order. - * binary search depends on it. - */ - if (!initDone) { - CK_RV lastNum = CKR_OK; - for (i = low; i <= high; ++i) { - num = errStrings[i].errNum; - if (num <= lastNum) { - PR_fprintf(PR_STDERR, - "sequence error in error strings at item %d\n" - "error %d (%s)\n" - "should come after \n" - "error %d (%s)\n", - (int) i, (int) lastNum, errStrings[i-1].errString, - (int) num, errStrings[i].errString); - } - lastNum = num; - } - initDone = 1; - } - - /* Do binary search of table. */ - while (low + 1 < high) { - i = (low + high) / 2; - num = errStrings[i].errNum; - if (errNum == num) - return errStrings[i].errString; - if (errNum < num) - high = i; - else - low = i; - } - if (errNum == errStrings[low].errNum) - return errStrings[low].errString; - if (errNum == errStrings[high].errNum) - return errStrings[high].errString; - return "unknown error"; -} - -static void -pk11error(const char *string, CK_RV crv) { - PRErrorCode errorcode; - - PR_fprintf(PR_STDERR, "%s: 0x%08lX, %-26s\n", string, crv, CK_RVtoStr(crv)); - - errorcode = PR_GetError(); - if (errorcode) { - PR_fprintf(PR_STDERR, "NSPR error code: %d: %s\n", errorcode, - PR_ErrorToString(errorcode, PR_LANGUAGE_I_DEFAULT)); - } -} - -static void -logIt(const char *fmt, ...) 
{ - va_list args; - - if (verbose) { - va_start (args, fmt); - vprintf(fmt, args); - va_end(args); - } -} - -static CK_RV -softokn_Init(CK_FUNCTION_LIST_PTR pFunctionList, const char * configDir, - const char * dbPrefix) { - - CK_RV crv = CKR_OK; - CK_C_INITIALIZE_ARGS initArgs; - char *moduleSpec = NULL; - - initArgs.CreateMutex = NULL; - initArgs.DestroyMutex = NULL; - initArgs.LockMutex = NULL; - initArgs.UnlockMutex = NULL; - initArgs.flags = CKF_OS_LOCKING_OK; - if (configDir) { - moduleSpec = PR_smprintf("configdir='%s' certPrefix='%s' " - "keyPrefix='%s' secmod='secmod.db' flags=ReadOnly ", - configDir, dbPrefix, dbPrefix); - } else { - moduleSpec = PR_smprintf("configdir='' certPrefix='' keyPrefix='' " - "secmod='' flags=noCertDB, noModDB"); - } - if (!moduleSpec) { - PR_fprintf(PR_STDERR, "softokn_Init: out of memory error\n"); - return CKR_HOST_MEMORY; - } - logIt("moduleSpec %s\n", moduleSpec); - initArgs.LibraryParameters = (CK_CHAR_PTR *) moduleSpec; - initArgs.pReserved = NULL; - crv = pFunctionList->C_Initialize(&initArgs); - if (crv != CKR_OK) { - pk11error("C_Initialize failed", crv); - goto cleanup; - } - -cleanup: - if (moduleSpec) { - PR_smprintf_free(moduleSpec); - } - - return crv; -} - -static char * -filePasswd(char *pwFile) -{ - unsigned char phrase[200]; - PRFileDesc *fd; - PRInt32 nb; - int i; - - if (!pwFile) - return 0; - - fd = PR_Open(pwFile, PR_RDONLY, 0); - if (!fd) { - lperror(pwFile); - return NULL; - } - - nb = PR_Read(fd, phrase, sizeof(phrase)); - - PR_Close(fd); - /* handle the Windows EOL case */ - i = 0; - while (phrase[i] != '\r' && phrase[i] != '\n' && i < nb) i++; - phrase[i] = '\0'; - if (nb == 0) { - PR_fprintf(PR_STDERR,"password file contains no data\n"); - return NULL; - } - return (char*) PL_strdup((char*)phrase); -} - -static void -checkPath(char *string) +int +main (int argc, char **argv) { - char *src; - char *dest; - - /* - * windows support convert any back slashes to - * forward slashes. 
- */ - for (src=string, dest=string; *src; src++,dest++) { - if (*src == '\\') { - *dest = '/'; - } - } - dest--; - /* if the last char is a / set it to 0 */ - if (*dest == '/') - *dest = 0; - -} - -static CK_SLOT_ID * -getSlotList(CK_FUNCTION_LIST_PTR pFunctionList, - CK_ULONG slotIndex) { - CK_RV crv = CKR_OK; - CK_SLOT_ID *pSlotList = NULL; - CK_ULONG slotCount; - - /* Get slot list */ - crv = pFunctionList->C_GetSlotList(CK_FALSE /* all slots */, - NULL, &slotCount); - if (crv != CKR_OK) { - pk11error( "C_GetSlotList failed", crv); - return NULL; - } - - if (slotIndex >= slotCount) { - PR_fprintf(PR_STDERR, "provided slotIndex is greater than the slot count."); - return NULL; - } - - pSlotList = (CK_SLOT_ID *)PR_Malloc(slotCount * sizeof(CK_SLOT_ID)); - if (!pSlotList) { - lperror("failed to allocate slot list"); - return NULL; - } - crv = pFunctionList->C_GetSlotList(CK_FALSE /* all slots */, - pSlotList, &slotCount); - if (crv != CKR_OK) { - pk11error( "C_GetSlotList failed", crv); - if (pSlotList) PR_Free(pSlotList); - return NULL; - } - return pSlotList; -} - -int main(int argc, char **argv) -{ - PLOptState *optstate; - char *program_name; - char *libname = NULL; - PRLibrary *lib; + int retval = 1; /* 0 - test succeeded. 
1 - test failed */ + SECStatus rv; + PLOptState *optstate; + char *program_name; + const char *input_file = NULL; /* read encrypted data from here (or create) */ + char *output_file = NULL; /* write new encrypted data here */ + PRBool verbose = PR_FALSE; + SECKEYPrivateKey *privk = NULL; + SECKEYPublicKey *pubk = NULL; + PK11SlotInfo *slot = NULL; PRFileDesc *fd; - PRStatus rv = PR_SUCCESS; - const char *input_file = NULL; /* read/create encrypted data from here */ - char *output_file = NULL; /* write new encrypted data here */ int bytesRead; int bytesWritten; unsigned char file_buf[512]; + unsigned char hash_buf[SHA1_LENGTH]; + unsigned char sign_buf[40]; /* DSA_LENGTH */ + SECItem hash,sign; + PK11Context *hashcx = NULL; int count=0; - int i; - PRBool verify = PR_FALSE; - static PRBool FIPSMODE = PR_FALSE; - + int keySize = 1024; + const char *nssDir = NULL; + secuPWData pwdata = { PW_NONE, 0 }; #ifdef USES_LINKS int ret; struct stat stat_buf; char link_buf[MAXPATHLEN+1]; char *link_file = NULL; #endif - char *pwd = NULL; - char *configDir = NULL; - char *dbPrefix = NULL; - char *disableUnload = NULL; - - CK_C_GetFunctionList pC_GetFunctionList; - CK_TOKEN_INFO tokenInfo; - CK_FUNCTION_LIST_PTR pFunctionList = NULL; - CK_RV crv = CKR_OK; - CK_SESSION_HANDLE hRwSession; - CK_SLOT_ID *pSlotList = NULL; - CK_ULONG slotIndex = 0; - CK_MECHANISM digestmech; - CK_ULONG digestLen = 0; - CK_BYTE digest[20]; /* SHA1_LENGTH */ - CK_BYTE sign[40]; /* DSA SIGNATURE LENGTH */ - CK_ULONG signLen = 0 ; - CK_MECHANISM signMech = { - CKM_DSA, NULL, 0 - }; - - /*** DSA Key ***/ - - CK_MECHANISM dsaKeyPairGenMech; - CK_ATTRIBUTE dsaPubKeyTemplate[5]; - CK_ATTRIBUTE dsaPrivKeyTemplate[5]; - CK_OBJECT_HANDLE hDSApubKey = CK_INVALID_HANDLE; - CK_OBJECT_HANDLE hDSAprivKey = CK_INVALID_HANDLE; - - CK_BYTE dsaPubKey[128]; - CK_ATTRIBUTE dsaPubKeyValue; + hash.len = sizeof(hash_buf); hash.data = hash_buf; + sign.len = sizeof(sign_buf); sign.data = sign_buf; - /* DSA key init */ - 
dsaPubKeyTemplate[0].type = CKA_PRIME; - dsaPubKeyTemplate[0].pValue = (CK_VOID_PTR) ′ - dsaPubKeyTemplate[0].ulValueLen = sizeof(prime); - dsaPubKeyTemplate[1].type = CKA_SUBPRIME; - dsaPubKeyTemplate[1].pValue = (CK_VOID_PTR) &subprime; - dsaPubKeyTemplate[1].ulValueLen = sizeof(subprime); - dsaPubKeyTemplate[2].type = CKA_BASE; - dsaPubKeyTemplate[2].pValue = (CK_VOID_PTR) &base; - dsaPubKeyTemplate[2].ulValueLen = sizeof(base); - dsaPubKeyTemplate[3].type = CKA_TOKEN; - dsaPubKeyTemplate[3].pValue = &false; /* session object */ - dsaPubKeyTemplate[3].ulValueLen = sizeof(false); - dsaPubKeyTemplate[4].type = CKA_VERIFY; - dsaPubKeyTemplate[4].pValue = &true; - dsaPubKeyTemplate[4].ulValueLen = sizeof(true); - dsaKeyPairGenMech.mechanism = CKM_DSA_KEY_PAIR_GEN; - dsaKeyPairGenMech.pParameter = NULL; - dsaKeyPairGenMech.ulParameterLen = 0; - dsaPrivKeyTemplate[0].type = CKA_TOKEN; - dsaPrivKeyTemplate[0].pValue = &false; /* session object */ - dsaPrivKeyTemplate[0].ulValueLen = sizeof(false); - dsaPrivKeyTemplate[1].type = CKA_PRIVATE; - dsaPrivKeyTemplate[1].pValue = &true; - dsaPrivKeyTemplate[1].ulValueLen = sizeof(true); - dsaPrivKeyTemplate[2].type = CKA_SENSITIVE; - dsaPrivKeyTemplate[2].pValue = &true; - dsaPrivKeyTemplate[2].ulValueLen = sizeof(true); - dsaPrivKeyTemplate[3].type = CKA_SIGN, - dsaPrivKeyTemplate[3].pValue = &true; - dsaPrivKeyTemplate[3].ulValueLen = sizeof(true); - dsaPrivKeyTemplate[4].type = CKA_EXTRACTABLE; - dsaPrivKeyTemplate[4].pValue = &false; - dsaPrivKeyTemplate[4].ulValueLen = sizeof(false); - digestmech.mechanism = CKM_SHA_1; - digestmech.pParameter = NULL; - digestmech.ulParameterLen = 0; + program_name = PL_strrchr(argv[0], '/'); + program_name = program_name ? (program_name + 1) : argv[0]; - program_name = strrchr(argv[0], '/'); - program_name = program_name ? 
(program_name + 1) : argv[0]; - optstate = PL_CreateOptState (argc, argv, "i:o:f:Fd:hH?p:P:vVs:"); + optstate = PL_CreateOptState (argc, argv, "d:f:i:o:p:v"); if (optstate == NULL) { - lperror("PL_CreateOptState failed"); - return 1; + SECU_PrintError (program_name, "PL_CreateOptState failed"); + return 1; } while (PL_GetNextOpt (optstate) == PL_OPT_OK) { - switch (optstate->option) { - - case 'd': - if (!optstate->value) { - PL_DestroyOptState(optstate); - usage(program_name); - } - configDir = PL_strdup(optstate->value); - checkPath(configDir); - break; - - case 'i': - if (!optstate->value) { - PL_DestroyOptState(optstate); - usage(program_name); - } - input_file = optstate->value; - break; + switch (optstate->option) { +#ifdef notdef + case '?': + short_usage (program_name); + return 0; - case 'o': - if (!optstate->value) { - PL_DestroyOptState(optstate); - usage(program_name); - } - output_file = PL_strdup(optstate->value); - break; + case 'H': + long_usage (program_name); + return 0; +#endif - case 'f': - if (!optstate->value) { - PL_DestroyOptState(optstate); - usage(program_name); - } - pwd = filePasswd((char *)optstate->value); - if (!pwd) usage(program_name); - break; + case 'd': + nssDir = optstate->value; + break; - case 'F': - FIPSMODE = PR_TRUE; - break; + case 'i': + input_file = optstate->value; + break; - case 'p': - if (!optstate->value) { - PL_DestroyOptState(optstate); - usage(program_name); - } - pwd = PL_strdup(optstate->value); - break; + case 'o': + output_file = PORT_Strdup(optstate->value); + break; - case 'P': - if (!optstate->value) { - PL_DestroyOptState(optstate); - usage(program_name); - } - dbPrefix = PL_strdup(optstate->value); - break; - - case 'v': - verbose = PR_TRUE; - break; + case 'f': + pwdata.source = PW_FROMFILE; + pwdata.data = PORT_Strdup(optstate->value); + break; - case 'V': - verify = PR_TRUE; - break; - - case 'H': - PL_DestroyOptState(optstate); - long_usage (program_name); - return 1; - break; + case 'p': + 
pwdata.source = PW_PLAINTEXT; + pwdata.data = PORT_Strdup(optstate->value); + break; - case 'h': - case '?': - default: - PL_DestroyOptState(optstate); - usage(program_name); - return 1; - break; - } - } - PL_DestroyOptState(optstate); - - if (!input_file) { - usage(program_name); - return 1; + case 'v': + verbose = PR_TRUE; + break; + } } - /* Get the platform-dependent library name of the - * NSS cryptographic module. - */ - libname = PR_GetLibraryName(NULL, "softokn3"); - assert(libname != NULL); - lib = PR_LoadLibrary(libname); - assert(lib != NULL); - PR_FreeLibraryName(libname); - - - if (FIPSMODE) { - /* FIPSMODE == FC_GetFunctionList */ - /* library path must be set to an already signed softokn3/freebl */ - pC_GetFunctionList = (CK_C_GetFunctionList) - PR_FindFunctionSymbol(lib, "FC_GetFunctionList"); - } else { - /* NON FIPS mode == C_GetFunctionList */ - pC_GetFunctionList = (CK_C_GetFunctionList) - PR_FindFunctionSymbol(lib, "C_GetFunctionList"); - } - assert(pC_GetFunctionList != NULL); - - crv = (*pC_GetFunctionList)(&pFunctionList); - assert(crv == CKR_OK); - - if (configDir) { - if (!dbPrefix) { - dbPrefix = PL_strdup(""); - } - crv = softokn_Init(pFunctionList, configDir, dbPrefix); - if (crv != CKR_OK) { - logIt("Failed to use provided database directory " - "will just initialize the volatile certdb.\n"); - crv = softokn_Init(pFunctionList, NULL, NULL); /* NoDB Init */ - } - } else { - crv = softokn_Init(pFunctionList, NULL, NULL); /* NoDB Init */ - } - - if (crv != CKR_OK) { - pk11error( "Initiailzing softoken failed", crv); - goto cleanup; + if (input_file == NULL) { + usage(program_name); + return 1; } - pSlotList = getSlotList(pFunctionList, slotIndex); - if (pSlotList == NULL) { - PR_fprintf(PR_STDERR, "getSlotList failed"); - goto cleanup; - } + /* + * Initialize the Security libraries. 
+ */ + PK11_SetPasswordFunc(SECU_GetModulePassword); - crv = pFunctionList->C_OpenSession(pSlotList[slotIndex], - CKF_RW_SESSION | CKF_SERIAL_SESSION, - NULL, NULL, &hRwSession); - if (crv != CKR_OK) { - pk11error( "Opening a read/write session failed", crv); - goto cleanup; + if (nssDir) { + rv = NSS_Init(nssDir); + if (rv != SECSuccess) { + rv = NSS_NoDB_Init(""); + } + } else { + rv = NSS_NoDB_Init(""); + } + + if (rv != SECSuccess) { + lperror("NSS_Init failed"); + goto prdone; + } + + /* Generate a DSA Key pair */ + slot = PK11_GetBestSlot(CKM_DSA,&pwdata); + if (slot == NULL) { + lperror("CKM_DSA"); + goto loser; + + } + printf("Generating DSA Key Pair...."); fflush(stdout); + privk = PK11_GenerateKeyPair(slot, CKM_DSA_KEY_PAIR_GEN, &pqgParams, &pubk, + PR_FALSE, PR_TRUE, &pwdata); + if (privk == NULL) { + lperror("Generating DSA Key"); + goto loser; } - /* check if a password is needed */ - crv = pFunctionList->C_GetTokenInfo(pSlotList[slotIndex], &tokenInfo); - if (crv != CKR_OK) { - pk11error( "C_GetTokenInfo failed", crv); - goto cleanup; - } - if (tokenInfo.flags & CKF_LOGIN_REQUIRED) { - if (pwd) { - int pwdLen = strlen((const char*)pwd); - crv = pFunctionList->C_Login(hRwSession, CKU_USER, - (CK_UTF8CHAR_PTR) pwd, (CK_ULONG)pwdLen); - if (crv != CKR_OK) { - pk11error("C_Login failed", crv); - goto cleanup; - } - } else { - PR_fprintf(PR_STDERR, "Please provide the password for the token"); - goto cleanup; - } - } else if (pwd) { - logIt("A password was provided but the password was not used.\n"); - } - - /* Generate a DSA key pair */ - logIt("Generate a DSA key pair ... 
\n"); - crv = pFunctionList->C_GenerateKeyPair(hRwSession, &dsaKeyPairGenMech, - dsaPubKeyTemplate, - NUM_ELEM(dsaPubKeyTemplate), - dsaPrivKeyTemplate, - NUM_ELEM(dsaPrivKeyTemplate), - &hDSApubKey, &hDSAprivKey); - if (crv != CKR_OK) { - pk11error("DSA key pair generation failed", crv); - goto cleanup; - } + printf("done\n"); /* open the shared library */ fd = PR_OpenFile(input_file,PR_RDONLY,0); if (fd == NULL ) { - lperror(input_file); - goto cleanup; + lperror(input_file); + goto loser; } #ifdef USES_LINKS ret = lstat(input_file, &stat_buf); if (ret < 0) { - perror(input_file); - goto cleanup; + perror(input_file); + goto loser; } if (S_ISLNK(stat_buf.st_mode)) { - char *dirpath,*dirend; - ret = readlink(input_file, link_buf, sizeof(link_buf) - 1); - if (ret < 0) { - perror(input_file); - goto cleanup; - } - link_buf[ret] = 0; - link_file = mkoutput(input_file); - /* get the dirname of input_file */ - dirpath = PL_strdup(input_file); - dirend = strrchr(dirpath, '/'); - if (dirend) { - *dirend = '\0'; - ret = chdir(dirpath); - if (ret < 0) { - perror(dirpath); - goto cleanup; - } - } - PL_strfree(dirpath); - input_file = link_buf; - /* get the basename of link_file */ - dirend = strrchr(link_file, '/'); - if (dirend) { - char * tmp_file = NULL; - tmp_file = PL_strdup(dirend +1 ); - PL_strfree(link_file); - link_file = tmp_file; - } + char *dirpath,*dirend; + ret = readlink(input_file, link_buf, sizeof(link_buf) - 1); + if (ret < 0) { + perror(input_file); + goto loser; + } + link_buf[ret] = 0; + link_file = mkoutput(input_file); + /* get the dirname of input_file */ + dirpath = PORT_Strdup(input_file); + dirend = PORT_Strrchr(dirpath, '/'); + if (dirend) { + *dirend = '\0'; + ret = chdir(dirpath); + if (ret < 0) { + perror(dirpath); + goto loser; + } + } + PORT_Free(dirpath); + input_file = link_buf; + /* get the basename of link_file */ + dirend = PORT_Strrchr(link_file, '/'); + if (dirend) { + link_file = dirend + 1; + } } #endif if (output_file == NULL) { - 
output_file = mkoutput(input_file); - } - - /* compute the digest */ - memset(digest, 0, sizeof(digest)); - crv = pFunctionList->C_DigestInit(hRwSession, &digestmech); - if (crv != CKR_OK) { - pk11error("C_DigestInit failed", crv); - goto cleanup; + output_file = mkoutput(input_file); } - /* Digest the file */ - while ((bytesRead = PR_Read(fd,file_buf,sizeof(file_buf))) > 0) { - crv = pFunctionList->C_DigestUpdate(hRwSession, (CK_BYTE_PTR)file_buf, - bytesRead); - if (crv != CKR_OK) { - pk11error("C_DigestUpdate failed", crv); - goto cleanup; - } - count += bytesRead; + hashcx = PK11_CreateDigestContext(SEC_OID_SHA1); + if (hashcx == NULL) { + lperror("SHA1 Digest Create"); + goto loser; } - /* close the input_File */ + /* hash the file */ + while ((bytesRead = PR_Read(fd,file_buf,sizeof(file_buf))) > 0) { + PK11_DigestOp(hashcx,file_buf,bytesRead); + count += bytesRead; + } + PR_Close(fd); fd = NULL; if (bytesRead < 0) { - lperror("0 bytes read from input file"); - goto cleanup; - } - - digestLen = sizeof(digest); - crv = pFunctionList->C_DigestFinal(hRwSession, (CK_BYTE_PTR)digest, - &digestLen); - if (crv != CKR_OK) { - pk11error("C_DigestFinal failed", crv); - goto cleanup; - } - - if (digestLen != sizeof(digest)) { - PR_fprintf(PR_STDERR, "digestLen has incorrect length %lu " - "it should be %lu \n",digestLen, sizeof(digest)); - goto cleanup; - } - - /* sign the hash */ - memset(sign, 0, sizeof(sign)); - /* SignUpdate */ - crv = pFunctionList->C_SignInit(hRwSession, &signMech, hDSAprivKey); - if (crv != CKR_OK) { - pk11error("C_SignInit failed", crv); - goto cleanup; + lperror(input_file); + goto loser; } - signLen = sizeof(sign); - crv = pFunctionList->C_Sign(hRwSession, (CK_BYTE * ) digest, digestLen, - sign, &signLen); - if (crv != CKR_OK) { - pk11error("C_Sign failed", crv); - goto cleanup; + + PK11_DigestFinal(hashcx, hash.data, &hash.len, hash.len); + + if (hash.len != SHA1_LENGTH) { + fprintf(stderr, "Digest length was not correct\n"); + goto loser; } - 
if (signLen != sizeof(sign)) { - PR_fprintf(PR_STDERR, "signLen has incorrect length %lu " - "it should be %lu \n", signLen, sizeof(sign)); - goto cleanup; - } - - if (verify) { - crv = pFunctionList->C_VerifyInit(hRwSession, &signMech, hDSApubKey); - if (crv != CKR_OK) { - pk11error("C_VerifyInit failed", crv); - goto cleanup; - } - crv = pFunctionList->C_Verify(hRwSession, digest, digestLen, - sign, signLen); - if (crv != CKR_OK) { - pk11error("C_Verify failed", crv); - goto cleanup; - } + /* signe the hash */ + rv = PK11_Sign(privk,&sign,&hash); + if (rv != SECSuccess) { + lperror("Signing"); + goto loser; } if (verbose) { - int j; - PR_fprintf(PR_STDERR,"Library File: %s %d bytes\n",input_file, count); - PR_fprintf(PR_STDERR,"Check File: %s\n",output_file); + int i,j; + fprintf(stderr,"Library File: %s %d bytes\n",input_file, count); + fprintf(stderr,"Check File: %s\n",output_file); #ifdef USES_LINKS - if (link_file) { - PR_fprintf(PR_STDERR,"Link: %s\n",link_file); - } + if (link_file) { + fprintf(stderr,"Link: %s\n",link_file); + } #endif - PR_fprintf(PR_STDERR," hash: %lu bytes\n", digestLen); + fprintf(stderr," hash: %d bytes\n", hash.len); #define STEP 10 - for (i=0; i < (int) digestLen; i += STEP) { - PR_fprintf(PR_STDERR," "); - for (j=0; j < STEP && (i+j) < (int) digestLen; j++) { - PR_fprintf(PR_STDERR," %02x", digest[i+j]); - } - PR_fprintf(PR_STDERR,"\n"); - } - PR_fprintf(PR_STDERR," signature: %lu bytes\n", signLen); - for (i=0; i < (int) signLen; i += STEP) { - PR_fprintf(PR_STDERR," "); - for (j=0; j < STEP && (i+j) < (int) signLen; j++) { - PR_fprintf(PR_STDERR," %02x", sign[i+j]); - } - PR_fprintf(PR_STDERR,"\n"); - } + for (i=0; i < hash.len; i += STEP) { + fprintf(stderr," "); + for (j=0; j < STEP && (i+j) < hash.len; j++) { + fprintf(stderr," %02x", hash.data[i+j]); + } + fprintf(stderr,"\n"); + } + fprintf(stderr," signature: %d bytes\n", sign.len); + for (i=0; i < sign.len; i += STEP) { + fprintf(stderr," "); + for (j=0; j < STEP && (i+j) 
< sign.len; j++) { + fprintf(stderr," %02x", sign.data[i+j]); + } + fprintf(stderr,"\n"); + } } /* open the target signature file */ fd = PR_OpenFile(output_file,PR_WRONLY|PR_CREATE_FILE|PR_TRUNCATE,0666); if (fd == NULL ) { - lperror(output_file); - goto cleanup; + lperror(output_file); + goto loser; } /* * we write the key out in a straight binary format because very * low level libraries need to read an parse this file. Ideally we should * just derEncode the public key (which would be pretty simple, and be * more general), but then we'd need to link the ASN.1 decoder with the * freebl libraries. */ file_buf[0] = NSS_SIGN_CHK_MAGIC1; file_buf[1] = NSS_SIGN_CHK_MAGIC2; file_buf[2] = NSS_SIGN_CHK_MAJOR_VERSION; file_buf[3] = NSS_SIGN_CHK_MINOR_VERSION; - encodeInt(&file_buf[4],12); /* offset to data start */ + encodeInt(&file_buf[4],12); /* offset to data start */ encodeInt(&file_buf[8],CKK_DSA); bytesWritten = PR_Write(fd,file_buf, 12); if (bytesWritten != 12) { - lperror(output_file); - goto cleanup; - } - - /* get DSA Public KeyValue */ - memset(dsaPubKey, 0, sizeof(dsaPubKey)); - dsaPubKeyValue.type =CKA_VALUE; - dsaPubKeyValue.pValue = (CK_VOID_PTR) &dsaPubKey; - dsaPubKeyValue.ulValueLen = sizeof(dsaPubKey); - - crv = pFunctionList->C_GetAttributeValue(hRwSession, hDSApubKey, - &dsaPubKeyValue, 1); - if (crv != CKR_OK && crv != CKR_ATTRIBUTE_TYPE_INVALID) { - pk11error("C_GetAttributeValue failed", crv); - goto cleanup; + lperror(output_file); + goto loser; } - /* CKA_PRIME */ - rv = writeItem(fd,dsaPubKeyTemplate[0].pValue, - dsaPubKeyTemplate[0].ulValueLen, output_file); - if (rv != PR_SUCCESS) goto cleanup; - /* CKA_SUBPRIME */ - rv = writeItem(fd,dsaPubKeyTemplate[1].pValue, - dsaPubKeyTemplate[1].ulValueLen, output_file); - if (rv != PR_SUCCESS) goto cleanup; - /* CKA_BASE */ - rv = writeItem(fd,dsaPubKeyTemplate[2].pValue, - dsaPubKeyTemplate[2].ulValueLen, output_file); - if (rv != PR_SUCCESS) goto cleanup; - /* DSA Public Key value */ - rv = 
writeItem(fd,dsaPubKeyValue.pValue, - dsaPubKeyValue.ulValueLen, output_file); - if (rv != PR_SUCCESS) goto cleanup; - /* DSA SIGNATURE */ - rv = writeItem(fd,&sign, signLen, output_file); - if (rv != PR_SUCCESS) goto cleanup; + rv = writeItem(fd,&pubk->u.dsa.params.prime,output_file); + if (rv != SECSuccess) goto loser; + rv = writeItem(fd,&pubk->u.dsa.params.subPrime,output_file); + if (rv != SECSuccess) goto loser; + rv = writeItem(fd,&pubk->u.dsa.params.base,output_file); + if (rv != SECSuccess) goto loser; + rv = writeItem(fd,&pubk->u.dsa.publicValue,output_file); + if (rv != SECSuccess) goto loser; + rv = writeItem(fd,&sign,output_file); + if (rv != SECSuccess) goto loser; + PR_Close(fd); #ifdef USES_LINKS if (link_file) { - (void)unlink(link_file); - ret = symlink(output_file, link_file); - if (ret < 0) { - perror(link_file); - goto cleanup; - } + (void)unlink(link_file); + ret = symlink(output_file, link_file); + if (ret < 0) { + perror(link_file); + goto loser; + } } #endif -cleanup: - if (pFunctionList) { - /* C_Finalize will automatically logout, close session, */ - /* and delete the temp objects on the token */ - crv = pFunctionList->C_Finalize(NULL); - if (crv != CKR_OK) { - pk11error("C_Finalize failed", crv); - } + retval = 0; + +loser: + if (hashcx) { + PK11_DestroyContext(hashcx, PR_TRUE); } - if (pSlotList) { - PR_Free(pSlotList); + if (privk) { + SECKEY_DestroyPrivateKey(privk); } - if (pwd) { - PL_strfree(pwd); - } - if (configDir) { - PL_strfree(configDir); + if (pubk) { + SECKEY_DestroyPublicKey(pubk); } - if (dbPrefix) { - PL_strfree(dbPrefix); + if (slot) { + PK11_FreeSlot(slot); } - if (output_file) { /* allocated by mkoutput function */ - PL_strfree(output_file); - } -#ifdef USES_LINKS - if (link_file) { /* allocated by mkoutput function */ - PL_strfree(link_file); + if (pwdata.data) { + PORT_Free(pwdata.data); } -#endif + if (NSS_Shutdown() != SECSuccess) { + exit(1); + } - disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD"); - if 
(!disableUnload) { - PR_UnloadLibrary(lib); - } - PR_Cleanup(); - - return crv; +prdone: + PR_Cleanup (); + return retval; }
--- a/security/nss/cmd/signtool/list.c +++ b/security/nss/cmd/signtool/list.c @@ -80,22 +80,22 @@ ListCerts(char *key, int list_certs) PR_fprintf(outputFD, "- ------------\n"); } else { PR_fprintf(outputFD, "\nObject signing certificates\n"); PR_fprintf(outputFD, "---------------------------------------\n"); } num_trav_certs = 0; - /* Traverse ALL tokens in all slots, authenticating to them all */ + /* Traverse non-internal DBs */ rv = PK11_TraverseSlotCerts(cert_trav_callback, (void * )&list_certs, &pwdata); if (rv) { - PR_fprintf(outputFD, "**Traverse of ALL slots & tokens failed**\n"); + PR_fprintf(outputFD, "**Traverse of non-internal DBs failed**\n"); return - 1; } if (num_trav_certs == 0) { PR_fprintf(outputFD, "You don't appear to have any object signing certificates.\n"); } 
@@ -175,77 +175,106 @@ ListCerts(char *key, int list_certs) /******************************************************************** * * c e r t _ t r a v _ c a l l b a c k */ static SECStatus cert_trav_callback(CERTCertificate *cert, SECItem *k, void *data) { + int isSigningCert; int list_certs = 1; - char *name; + + char *name, *issuerCN, *expires; + CERTCertificate * issuerCert = NULL; if (data) { list_certs = *((int * )data); } -#define LISTING_USER_SIGNING_CERTS (list_certs == 1) -#define LISTING_ALL_CERTS (list_certs == 2) - - name = cert->nickname; - if (name) { - int isSigningCert; + if (cert->nickname) { + name = cert->nickname; isSigningCert = cert->nsCertType & NS_CERT_TYPE_OBJECT_SIGNING; - if (!isSigningCert && LISTING_USER_SIGNING_CERTS) + issuerCert = CERT_FindCertIssuer (cert, PR_Now(), certUsageObjectSigner); + issuerCN = CERT_GetCommonName (&cert->issuer); + + if (!isSigningCert && list_certs == 1) return (SECSuccess); - /* Display this name or email address */ - num_trav_certs++; + /* Add this name or email to list */ - if (LISTING_ALL_CERTS) { - PR_fprintf(outputFD, "%s ", isSigningCert ? "*" : " "); - } - PR_fprintf(outputFD, "%s\n", name); + if (name) { + int rv; - if (LISTING_USER_SIGNING_CERTS) { - int rv = SECFailure; - if (rv) { - CERTCertificate * issuerCert; - issuerCert = CERT_FindCertIssuer(cert, PR_Now(), - certUsageObjectSigner); - if (issuerCert) { - if (issuerCert->nickname && issuerCert->nickname[0]) { - PR_fprintf(outputFD, " Issued by: %s\n", - issuerCert->nickname); - rv = SECSuccess; - } - CERT_DestroyCertificate(issuerCert); + num_trav_certs++; + if (list_certs == 2) { + PR_fprintf(outputFD, "%s ", isSigningCert ? 
"*" : " "); + } + PR_fprintf(outputFD, "%s\n", name); + + if (list_certs == 1) { + if (issuerCert == NULL) { + PR_fprintf(outputFD, + "\t++ Error ++ Unable to find issuer certificate\n"); + return SECSuccess; + /*function was a success even if cert is bogus*/ } - } - if (rv && cert->issuerName && cert->issuerName[0]) { - PR_fprintf(outputFD, " Issued by: %s \n", cert->issuerName); - } - { - char *expires; + if (issuerCN == NULL) + PR_fprintf(outputFD, " Issued by: %s\n", + issuerCert->nickname); + else + PR_fprintf(outputFD, + " Issued by: %s (%s)\n", issuerCert->nickname, + issuerCN); + expires = DER_TimeChoiceDayToAscii(&cert->validity.notAfter); - if (expires) { + + if (expires) PR_fprintf(outputFD, " Expires: %s\n", expires); - PORT_Free(expires); + + rv = CERT_CertTimesValid (cert); + + if (rv != SECSuccess) + PR_fprintf(outputFD, + " ++ Error ++ THIS CERTIFICATE IS EXPIRED\n"); + + if (rv == SECSuccess) { + rv = CERT_VerifyCertNow (cert->dbhandle, cert, + PR_TRUE, certUsageObjectSigner, &pwdata); + + if (rv != SECSuccess) { + rv = PORT_GetError(); + PR_fprintf(outputFD, + " ++ Error ++ THIS CERTIFICATE IS NOT VALID (%s)\n", + secErrorString(rv)); + } } - } - rv = CERT_VerifyCertNow (cert->dbhandle, cert, - PR_TRUE, certUsageObjectSigner, &pwdata); + expires = DER_TimeChoiceDayToAscii(&issuerCert->validity.notAfter); + if (expires == NULL) + expires = "(unknown)"; + + rv = CERT_CertTimesValid (issuerCert); - if (rv != SECSuccess) { - rv = PORT_GetError(); - PR_fprintf(outputFD, - " ++ Error ++ THIS CERTIFICATE IS NOT VALID (%s)\n", - secErrorString(rv)); + if (rv != SECSuccess) + PR_fprintf(outputFD, + " ++ Error ++ ISSUER CERT \"%s\" EXPIRED ON %s\n", + issuerCert->nickname, expires); + + if (rv == SECSuccess) { + rv = CERT_VerifyCertNow (issuerCert->dbhandle, issuerCert, + PR_TRUE, certUsageVerifyCA, &pwdata); + if (rv != SECSuccess) { + rv = PORT_GetError(); + PR_fprintf(outputFD, + " ++ Error ++ ISSUER CERT \"%s\" IS NOT VALID (%s)\n", + 
issuerCert->nickname, secErrorString(rv)); + } + } } } } return (SECSuccess); }
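Review bot: In the new `cert_trav_callback`, `issuerCert` (from `CERT_FindCertIssuer`) and `issuerCN` (from `CERT_GetCommonName`, which as far as I know returns an allocated string) are fetched before the `!isSigningCert && list_certs == 1` early return and are not released on any path, whereas the removed code called `CERT_DestroyCertificate(issuerCert)`. The two `DER_TimeChoiceDayToAscii` results assigned to `expires` are also no longer passed to `PORT_Free`, so every listed certificate leaks a certificate reference and several strings. I would route the returns through one exit that does `if (issuerCert) CERT_DestroyCertificate(issuerCert);` and `PORT_Free(issuerCN);`, and free each `expires` right after it is printed; the `"(unknown)"` fallback is a string literal and must be kept out of that free. `issuerCert->nickname` is also printed with `%s` without the NULL/empty check the removed code had.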
--- a/security/nss/cmd/symkeyutil/symkeyutil.c +++ b/security/nss/cmd/symkeyutil/symkeyutil.c @@ -1030,33 +1030,28 @@ main(int argc, char **argv) if (symKeyUtil.commands[cmd_ListKeys].activated) { int printLabel = 1; if (slot) { rv = ListKeys(slot,&printLabel,&pwdata); } else { /* loop over all the slots */ PK11SlotList *slotList = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, &pwdata); + PK11SlotListElement *se; + if (slotList == NULL) { PR_fprintf(PR_STDERR, "%s: No tokens found\n",progName); - } else { - PK11SlotListElement *se; - for (se = PK11_GetFirstSafe(slotList); se; - se=PK11_GetNextSafe(slotList,se, PR_FALSE)) { - rv = ListKeys(se->slot,&printLabel,&pwdata); - if (rv !=SECSuccess) { - break; - } - } - if (se) { - SECStatus rv2 = PK11_FreeSlotListElement(slotList, se); - PORT_Assert(SECSuccess == rv2); - } - PK11_FreeSlotList(slotList); - } + } + for (se = PK11_GetFirstSafe(slotList); se; + se=PK11_GetNextSafe(slotList,se, PR_FALSE)) { + rv = ListKeys(se->slot,&printLabel,&pwdata); + if (rv !=SECSuccess) { + break; + } + } } } /* Move key (-M) */ if (symKeyUtil.commands[cmd_MoveKey].activated) { PK11SlotInfo *target; char *targetName = symKeyUtil.options[opt_TargetToken].arg; PK11SymKey *newKey;
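Review bot: When `PK11_GetAllTokens` returns NULL, the new code prints "No tokens found" and then still enters the loop, so `PK11_GetFirstSafe(slotList)` is called with a NULL list; the `else` that guarded the loop is gone. The list is also never released, and on the `break` path the current element keeps its reference, both of which the removed lines handled. Keeping the loop under `} else {` and finishing it with `if (se) PK11_FreeSlotListElement(slotList, se);` and `PK11_FreeSlotList(slotList);` restores that. `main` begins and continues outside this hunk.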
--- a/security/nss/cmd/vfychain/vfychain.c +++ b/security/nss/cmd/vfychain/vfychain.c 
@@ -76,51 +76,40 @@ int verbose; secuPWData pwdata = { PW_NONE, 0 }; static void Usage(const char *progName) { fprintf(stderr, - "Usage: %s [options] [revocation options] certfile " - "[[options] certfile] ...\n" + "Usage: %s [options] certfile [[options] certfile] ...\n" "\tWhere options are:\n" "\t-a\t\t Following certfile is base64 encoded\n" "\t-b YYMMDDHHMMZ\t Validate date (default: now)\n" "\t-d directory\t Database directory\n" "\t-f \t\t Enable cert fetching from AIA URL\n" "\t-o oid\t\t Set policy OID for cert validation(Format OID.1.2.3)\n" "\t-p \t\t Use PKIX Library to validate certificate by calling:\n" "\t\t\t * CERT_VerifyCertificate if specified once,\n" "\t\t\t * CERT_PKIXVerifyCert if specified twice and more.\n" "\t-r\t\t Following certfile is raw binary DER (default)\n" + "\t-s\t\t Status checking, following a configuration description.\n" + "\t\t\t Implemented as of today are:\n" + "\t\t\t * allow-crl (default)\n" + "\t\t\t * allow-crl-and-ocsp\n" "\t-t\t\t Following cert is explicitly trusted (overrides db trust).\n" "\t-u usage \t 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,\n" "\t\t\t 4=Email signer, 5=Email recipient, 6=Object signer,\n" "\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA\n" "\t-v\t\t Verbose mode. Prints root cert subject(double the\n" "\t\t\t argument for whole root cert info)\n" - "\t-w password\t Database password.\n" - "\t-W pwfile\t Password file.\n\n" - "\tRevocation options for PKIX API(invoked with -pp options) is a\n" - "\tcollection of the following flags:\n" - "\t\t[-g type [-h flags] [-m type [-s flags]] ...] ...\n" - "\tWhere:\n" - "\t-g test type\t Sets status checking test type. Possible values\n" - "\t\t\tare \"leaf\" or \"chain\"\n" - "\t-h test flags\t Sets revocation flags for the test type it\n" - "\t\t\tfollows. 
Possible flags: \"testLocalInfoFirst\" and\n" - "\t\t\t\"requireFreshInfo\".\n" - "\t-m method type\t Sets method type for the test type it follows.\n" - "\t\t\tPossible types are \"crl\" and \"ocsp\".\n" - "\t-s method flags\t Sets revocation flags for the method it follows.\n" - "\t\t\tPossible types are \"doNotUse\", \"forbidFetching\",\n" - "\t\t\t\"ignoreDefaultSrc\", \"requireInfo\" and \"failInNoInfo\".\n", - progName); + "\t-w password\t Database password.\n", + "\t-W pwfile\t Password file.\n", + progName); exit(1); } /************************************************************************** ** ** Error and information routines. ** **************************************************************************/ 
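Review bot: The comma after `"\t-w password\t Database password.\n"` ends the format string of the `fprintf` in `Usage`, so the `-W pwfile` literal becomes the argument for `%s` and `progName` is left over as an unused extra argument. The usage line then prints the `-W` help text where the program name belongs, and the `-W` option is never listed among the options. Dropping that comma, so that `"\t-w password\t Database password.\n"` is followed directly by `"\t-W pwfile\t Password file.\n",`, lets the two literals concatenate into the format string again.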
@@ -235,204 +224,28 @@ getCert(const char *name, PRBool isAscii PRIntn err = PR_GetError(); fprintf(stderr, "couldn't import %s, %d = %s\n", name, err, SECU_Strerror(err)); } PORT_Free(item.data); return cert; } - -#define REVCONFIG_TEST_UNDEFINED 0 -#define REVCONFIG_TEST_LEAF 1 -#define REVCONFIG_TEST_CHAIN 2 -#define REVCONFIG_METHOD_CRL 1 -#define REVCONFIG_METHOD_OCSP 2 - -#define REVCONFIG_TEST_LEAF_STR "leaf" -#define REVCONFIG_TEST_CHAIN_STR "chain" -#define REVCONFIG_METHOD_CRL_STR "crl" -#define REVCONFIG_METHOD_OCSP_STR "ocsp" - -#define REVCONFIG_TEST_TESTLOCALINFOFIRST_STR "testLocalInfoFirst" -#define REVCONFIG_TEST_REQUIREFRESHINFO_STR "requireFreshInfo" -#define REVCONFIG_METHOD_DONOTUSEMETHOD_STR "doNotUse" -#define REVCONFIG_METHOD_FORBIDNETWORKFETCHIN_STR "forbidFetching" -#define REVCONFIG_METHOD_IGNOREDEFAULTSRC_STR "ignoreDefaultSrc" -#define REVCONFIG_METHOD_REQUIREINFO_STR "requireInfo" -#define REVCONFIG_METHOD_FAILIFNOINFO_STR "failInNoInfo" - -#define REV_METHOD_INDEX_MAX 4 - -typedef struct RevMethodsStruct { - uint testType; - char *testTypeStr; - uint testFlags; - char *testFlagsStr; - uint methodType; - char *methodTypeStr; - uint methodFlags; - char *methodFlagsStr; -} RevMethods; - -RevMethods revMethodsData[REV_METHOD_INDEX_MAX]; - -SECStatus -parseRevMethodsAndFlags() -{ - int i; - uint testType = 0; - - for(i = 0;i < REV_METHOD_INDEX_MAX;i++) { - /* testType */ - if (revMethodsData[i].testTypeStr) { - char *typeStr = revMethodsData[i].testTypeStr; - - testType = 0; - if (!PORT_Strcmp(typeStr, REVCONFIG_TEST_LEAF_STR)) { - testType = REVCONFIG_TEST_LEAF; - } else if (!PORT_Strcmp(typeStr, REVCONFIG_TEST_CHAIN_STR)) { - testType = REVCONFIG_TEST_CHAIN; - } - } - if (!testType) { - return SECFailure; - } - revMethodsData[i].testType = testType; - /* testFlags */ - if (revMethodsData[i].testFlagsStr) { - char *flagStr = revMethodsData[i].testFlagsStr; - uint testFlags = 0; - - if (PORT_Strstr(flagStr, 
REVCONFIG_TEST_TESTLOCALINFOFIRST_STR)) { - testFlags |= CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST; - } - if (PORT_Strstr(flagStr, REVCONFIG_TEST_REQUIREFRESHINFO_STR)) { - testFlags |= CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; - } - revMethodsData[i].testFlags = testFlags; - } - /* method type */ - if (revMethodsData[i].methodTypeStr) { - char *methodStr = revMethodsData[i].methodTypeStr; - uint methodType = 0; - - if (!PORT_Strcmp(methodStr, REVCONFIG_METHOD_CRL_STR)) { - methodType = REVCONFIG_METHOD_CRL; - } else if (!PORT_Strcmp(methodStr, REVCONFIG_METHOD_OCSP_STR)) { - methodType = REVCONFIG_METHOD_OCSP; - } - if (!methodType) { - return SECFailure; - } - revMethodsData[i].methodType = methodType; - } - if (!revMethodsData[i].methodType) { - revMethodsData[i].testType = REVCONFIG_TEST_UNDEFINED; - continue; - } - /* method flags */ - if (revMethodsData[i].methodFlagsStr) { - char *flagStr = revMethodsData[i].methodFlagsStr; - uint methodFlags = 0; - - if (!PORT_Strstr(flagStr, REVCONFIG_METHOD_DONOTUSEMETHOD_STR)) { - methodFlags |= CERT_REV_M_TEST_USING_THIS_METHOD; - } - if (PORT_Strstr(flagStr, - REVCONFIG_METHOD_FORBIDNETWORKFETCHIN_STR)) { - methodFlags |= CERT_REV_M_FORBID_NETWORK_FETCHING; - } - if (PORT_Strstr(flagStr, REVCONFIG_METHOD_IGNOREDEFAULTSRC_STR)) { - methodFlags |= CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE; - } - if (PORT_Strstr(flagStr, REVCONFIG_METHOD_REQUIREINFO_STR)) { - methodFlags |= CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE; - } - if (PORT_Strstr(flagStr, REVCONFIG_METHOD_FAILIFNOINFO_STR)) { - methodFlags |= CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO; - } - revMethodsData[i].methodFlags = methodFlags; - } else { - revMethodsData[i].methodFlags |= CERT_REV_M_TEST_USING_THIS_METHOD; - } - } - return SECSuccess; -} - -SECStatus -configureRevocationParams(CERTRevocationFlags *flags) -{ - int i; - uint testType = REVCONFIG_TEST_UNDEFINED; - static CERTRevocationTests *revTests = NULL; - PRUint64 *revFlags; - - for(i = 0;i < 
REV_METHOD_INDEX_MAX;i++) { - if (revMethodsData[i].testType == REVCONFIG_TEST_UNDEFINED) { - continue; - } - if (revMethodsData[i].testType != testType) { - testType = revMethodsData[i].testType; - if (testType == REVCONFIG_TEST_CHAIN) { - revTests = &flags->chainTests; - } else { - revTests = &flags->leafTests; - } - revTests->number_of_preferred_methods = 0; - revTests->preferred_methods = 0; - revFlags = revTests->cert_rev_flags_per_method; - } - /* Set the number of the methods independently to the max number of - * methods. If method flags are not set it will be ignored due to - * default DO_NOT_USE flag. */ - revTests->number_of_defined_methods = cert_revocation_method_count; - revTests->cert_rev_method_independent_flags |= - revMethodsData[i].testFlags; - if (revMethodsData[i].methodType == REVCONFIG_METHOD_CRL) { - revFlags[cert_revocation_method_crl] = - revMethodsData[i].methodFlags; - } else if (revMethodsData[i].methodType == REVCONFIG_METHOD_OCSP) { - revFlags[cert_revocation_method_ocsp] = - revMethodsData[i].methodFlags; - } - } - return SECSuccess; -} - -void -freeRevocationMethodData() -{ - int i = 0; - for(;i < REV_METHOD_INDEX_MAX;i++) { - if (revMethodsData[i].testTypeStr) { - PORT_Free(revMethodsData[i].testTypeStr); - } - if (revMethodsData[i].testFlagsStr) { - PORT_Free(revMethodsData[i].testFlagsStr); - } - if (revMethodsData[i].methodTypeStr) { - PORT_Free(revMethodsData[i].methodTypeStr); - } - if (revMethodsData[i].methodFlagsStr) { - PORT_Free(revMethodsData[i].methodFlagsStr); - } - } -} +#define REVCONFIG_ALLOW_CRL "allow-crl" +#define REVCONFIG_ALLOW_CRL_OCSP "allow-crl-and-ocsp" PRBool -isOCSPEnabled() +isAllowedRevConfig(const char *name) { - int i; + if (strcmp(REVCONFIG_ALLOW_CRL, name) == 0) + return PR_TRUE; - for(i = 0;i < REV_METHOD_INDEX_MAX;i++) { - if (revMethodsData[i].methodType == REVCONFIG_METHOD_OCSP) { - return PR_TRUE; - } - } + if (strcmp(REVCONFIG_ALLOW_CRL_OCSP, name) == 0) + return PR_TRUE; + return PR_FALSE; } 
int main(int argc, char *argv[], char *envp[]) { char * certDir = NULL; char * progName = NULL; 
@@ -448,71 +261,36 @@ main(int argc, char *argv[], char *envp[ PLOptState * optstate; PRTime time = 0; PLOptStatus status; int usePkix = 0; int rv = 1; int usage; CERTVerifyLog log; CERTCertList *builtChain = NULL; + char * revConfig = NULL; PRBool certFetching = PR_FALSE; - int revDataIndex = 0; - PRBool ocsp_fetchingFailureIsAFailure = PR_TRUE; - PRBool useDefaultRevFlags = PR_TRUE; PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); progName = PL_strdup(argv[0]); - optstate = PL_CreateOptState(argc, argv, "ab:c:d:efg:h:m:o:prs:tu:vw:W:"); + optstate = PL_CreateOptState(argc, argv, "ab:d:fo:prs:tu:vw:W:"); while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch(optstate->option) { case 0 : /* positional parameter */ goto breakout; case 'a' : isAscii = PR_TRUE; break; case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value); if (secStatus != SECSuccess) Usage(progName); break; case 'd' : certDir = PL_strdup(optstate->value); break; - case 'e' : ocsp_fetchingFailureIsAFailure = PR_FALSE; break; case 'f' : certFetching = PR_TRUE; break; - case 'g' : - if (revMethodsData[revDataIndex].testTypeStr || - revMethodsData[revDataIndex].methodTypeStr) { - revDataIndex += 1; - if (revDataIndex == REV_METHOD_INDEX_MAX) { - fprintf(stderr, "Invalid revocation configuration" - "specified.\n"); - secStatus = SECFailure; - break; - } - } - useDefaultRevFlags = PR_FALSE; - revMethodsData[revDataIndex]. - testTypeStr = PL_strdup(optstate->value); break; - case 'h' : - revMethodsData[revDataIndex]. - testFlagsStr = PL_strdup(optstate->value);break; - case 'm' : - if (revMethodsData[revDataIndex].methodTypeStr) { - revDataIndex += 1; - if (revDataIndex == REV_METHOD_INDEX_MAX) { - fprintf(stderr, "Invalid revocation configuration" - "specified.\n"); - secStatus = SECFailure; - break; - } - } - useDefaultRevFlags = PR_FALSE; - revMethodsData[revDataIndex]. 
- methodTypeStr = PL_strdup(optstate->value); break; case 'o' : oidStr = PL_strdup(optstate->value); break; case 'p' : usePkix += 1; break; case 'r' : isAscii = PR_FALSE; break; - case 's' : - revMethodsData[revDataIndex]. - methodFlagsStr = PL_strdup(optstate->value); break; + case 's' : revConfig = PL_strdup(optstate->value); break; case 't' : trusted = PR_TRUE; break; case 'u' : usage = PORT_Atoi(optstate->value); if (usage < 0 || usage > 62) Usage(progName); certUsage = ((SECCertificateUsage)1) << usage; if (certUsage > certificateUsageHighest) Usage(progName); break; case 'w': pwdata.source = PW_PLAINTEXT; @@ -539,17 +317,17 @@ breakout: } if (trusted) { fprintf(stderr, "Cert trust flag can be used only with" " CERT_PKIXVerifyChain(-pp) function.\n"); Usage(progName); } } - if (!useDefaultRevFlags && parseRevMethodsAndFlags()) { + if (revConfig && !isAllowedRevConfig(revConfig)) { fprintf(stderr, "Invalid revocation configuration specified.\n"); goto punt; } /* Set our password function callback. */ PK11_SetPasswordFunc(SECU_GetModulePassword); /* Initialize the NSS libraries. */ @@ -560,22 +338,19 @@ breakout: /* load the builtins */ SECMOD_AddNewModule("Builtins", DLL_PREFIX"nssckbi."DLL_SUFFIX, 0, 0); } if (secStatus != SECSuccess) { exitErr("NSS_Init"); } SECU_RegisterDynamicOids(); - if (isOCSPEnabled()) { + if (revConfig && strcmp(REVCONFIG_ALLOW_CRL_OCSP, revConfig) == 0) { CERT_EnableOCSPChecking(CERT_GetDefaultCertDB()); CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB()); - if (!ocsp_fetchingFailureIsAFailure) { - CERT_SetOCSPFailureMode(ocspMode_FailureIsNotAVerificationFailure); - } } while (status == PL_OPT_OK) { switch(optstate->option) { default : Usage(progName); break; case 'a' : isAscii = PR_TRUE; break; case 'r' : isAscii = PR_FALSE; break; case 't' : trusted = PR_TRUE; break; 
@@ -621,19 +396,18 @@ breakout: &pwdata, /* wincx */ &log, /* error log */ NULL);/* returned usages */ } else do { static CERTValOutParam cvout[4]; static CERTValInParam cvin[6]; SECOidTag oidTag; int inParamIndex = 0; - static PRUint64 revFlagsLeaf[2]; - static PRUint64 revFlagsChain[2]; static CERTRevocationFlags rev; + static PRUint64 revFlags[2]; if (oidStr) { PRArenaPool *arena; SECOidData od; memset(&od, 0, sizeof od); od.offset = SEC_OID_UNKNOWN; od.desc = "User Defined Policy OID"; od.mechanism = CKM_INVALID_MECHANISM; 
@@ -679,24 +453,42 @@ breakout: cvin[inParamIndex].type = cert_pi_useAIACertFetch; cvin[inParamIndex].value.scalar.b = certFetching; inParamIndex++; cvin[inParamIndex].type = cert_pi_date; cvin[inParamIndex].value.scalar.time = time; inParamIndex++; - rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf; - rev.chainTests.cert_rev_flags_per_method = revFlagsChain; - secStatus = configureRevocationParams(&rev); - if (secStatus) { - fprintf(stderr, "Can not config revocation parameters "); - break; + revFlags[cert_revocation_method_crl] = + CERT_REV_M_TEST_USING_THIS_METHOD; + rev.leafTests.number_of_defined_methods = + cert_revocation_method_crl +1; + rev.chainTests.number_of_defined_methods = + cert_revocation_method_crl +1; + + if (revConfig && strcmp(REVCONFIG_ALLOW_CRL_OCSP, revConfig) == 0) { + revFlags[cert_revocation_method_ocsp] = + CERT_REV_M_TEST_USING_THIS_METHOD; + rev.leafTests.number_of_defined_methods = + cert_revocation_method_ocsp +1; + rev.chainTests.number_of_defined_methods = + cert_revocation_method_ocsp +1; } + rev.leafTests.cert_rev_flags_per_method = revFlags; + rev.leafTests.number_of_preferred_methods = 0; + rev.leafTests.preferred_methods = 0; + rev.leafTests.cert_rev_method_independent_flags = 0; + + rev.chainTests.cert_rev_flags_per_method = revFlags; + rev.chainTests.number_of_preferred_methods = 0; + rev.chainTests.preferred_methods = 0; + rev.chainTests.cert_rev_method_independent_flags = 0; + cvin[inParamIndex].type = cert_pi_revocationFlags; cvin[inParamIndex].value.pointer.revocation = &rev; inParamIndex++; cvin[inParamIndex].type = cert_pi_end; cvout[0].type = cert_po_trustAnchor; cvout[0].value.pointer.cert = NULL; @@ -772,15 +564,15 @@ punt: forgetCerts(); if (NSS_Shutdown() != SECSuccess) { SECU_PrintError(progName, "NSS_Shutdown"); rv = 1; } PORT_Free(progName); PORT_Free(certDir); PORT_Free(oidStr); - freeRevocationMethodData(); + PORT_Free(revConfig); if (pwdata.data) { PORT_Free(pwdata.data); } PR_Cleanup(); return rv; }
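Review bot: Neither `-s` configuration set up in this block carries a hard-fail bit: each `revFlags[...]` entry is only ever `CERT_REV_M_TEST_USING_THIS_METHOD` and `cert_rev_method_independent_flags` is 0 for both leaf and chain tests, so presumably a CRL or OCSP source that cannot be consulted does not fail the verification. That deserves a comment above the assignments, e.g. `/* both configs are best-effort: missing revocation info is not treated as a failure */`, so a passing vfychain run is not read as proof of a fresh revocation check. Separately, `revFlags` (declared in the previous hunk as `PRUint64 revFlags[2]`) is indexed by the `cert_revocation_method_*` enum, and declaring it as `revFlags[cert_revocation_method_count]` would keep the size tied to that enum. The enclosing `do { ... }` block starts and ends outside this hunk.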
--- a/security/nss/lib/certdb/cert.h +++ b/security/nss/lib/certdb/cert.h @@ -32,17 +32,17 @@ * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* * cert.h - public data structures and prototypes for the certificate library * - * $Id: cert.h,v 1.75 2008/11/21 21:02:38 wtc%google.com Exp $ + * $Id: cert.h,v 1.74 2008/08/04 22:31:54 nelson%bolyard.com Exp $ */ #ifndef _CERT_H_ #define _CERT_H_ #include "utilrename.h" #include "plarena.h" #include "plhash.h" @@ -1103,17 +1103,17 @@ CERT_IsCertRevoked(CERTCertificate *cert void CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts); /* convert an email address to lower case */ char *CERT_FixupEmailAddr(const char *emailAddr); /* decode string representation of trust flags into trust struct */ SECStatus -CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts); +CERT_DecodeTrustString(CERTCertTrust *trust, char *trusts); /* encode trust struct into string representation of trust flags */ char * CERT_EncodeTrustString(CERTCertTrust *trust); /* find the next or prev cert in a subject list */ CERTCertificate * CERT_PrevSubjectCert(CERTCertificate *cert);
--- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -33,30 +33,31 @@ * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* * Certificate handling code * - * $Id: certdb.c,v 1.95 2008/12/02 23:24:48 nelson%bolyard.com Exp $ + * $Id: certdb.c,v 1.92 2008/05/16 03:38:39 nelson%bolyard.com Exp $ */ #include "nssilock.h" #include "prmon.h" #include "prtime.h" #include "cert.h" #include "certi.h" #include "secder.h" #include "secoid.h" #include "secasn1.h" #include "genname.h" #include "keyhi.h" #include "secitem.h" +#include "mcom_db.h" #include "certdb.h" #include "prprf.h" #include "sechash.h" #include "prlong.h" #include "certxutl.h" #include "portreg.h" #include "secerr.h" #include "sslerr.h" 
@@ -2101,107 +2102,93 @@ done: /* CERT_Import_CAChain moved to certhigh.c */ void CERT_DestroyCrl (CERTSignedCrl *crl) { SEC_DestroyCrl (crl); } -static int -cert_Version(CERTCertificate *cert) -{ - int version = 0; - if (cert && cert->version.data && cert->version.len) { - version = DER_GetInteger(&cert->version); - if (version < 0) - version = 0; - } - return version; -} - -static unsigned int -cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType) -{ - CERTCertTrust *trust = cert->trust; - - if (trust && (trust->sslFlags | - trust->emailFlags | - trust->objectSigningFlags)) { - - if (trust->sslFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED)) - cType |= NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT; - if (trust->sslFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) - cType |= NS_CERT_TYPE_SSL_CA; -#if defined(CERTDB_NOT_TRUSTED) - if (trust->sslFlags & CERTDB_NOT_TRUSTED) - cType &= ~(NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT| - NS_CERT_TYPE_SSL_CA); -#endif - if (trust->emailFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED)) - cType |= NS_CERT_TYPE_EMAIL; - if (trust->emailFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) - cType |= NS_CERT_TYPE_EMAIL_CA; -#if defined(CERTDB_NOT_TRUSTED) - if (trust->emailFlags & CERTDB_NOT_TRUSTED) - cType &= ~(NS_CERT_TYPE_EMAIL|NS_CERT_TYPE_EMAIL_CA); -#endif - if (trust->objectSigningFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED)) - cType |= NS_CERT_TYPE_OBJECT_SIGNING; - if (trust->objectSigningFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) - cType |= NS_CERT_TYPE_OBJECT_SIGNING_CA; -#if defined(CERTDB_NOT_TRUSTED) - if (trust->objectSigningFlags & CERTDB_NOT_TRUSTED) - cType &= ~(NS_CERT_TYPE_OBJECT_SIGNING| - NS_CERT_TYPE_OBJECT_SIGNING_CA); -#endif - } - return cType; -} + /* * Does a cert belong to a CA? We decide based on perm database trust * flags, Netscape Cert Type Extension, and KeyUsage Extension. 
*/ PRBool CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype) { - unsigned int cType = cert->nsCertType; - PRBool ret = PR_FALSE; - - if (cType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | - NS_CERT_TYPE_OBJECT_SIGNING_CA)) { - ret = PR_TRUE; + CERTCertTrust *trust; + SECStatus rv; + unsigned int type; + PRBool ret; + + ret = PR_FALSE; + type = 0; + + if ( cert->trust && (cert->trust->sslFlags|cert->trust->emailFlags| + cert->trust->objectSigningFlags)) { + trust = cert->trust; + if ( ( ( trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) || + ( ( trust->sslFlags & CERTDB_TRUSTED_CA ) == CERTDB_TRUSTED_CA ) ) { + ret = PR_TRUE; + type |= NS_CERT_TYPE_SSL_CA; + } + + if ( ( ( trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) || + ( ( trust->emailFlags & CERTDB_TRUSTED_CA ) == CERTDB_TRUSTED_CA ) ) { + ret = PR_TRUE; + type |= NS_CERT_TYPE_EMAIL_CA; + } + + if ( ( ( trust->objectSigningFlags & CERTDB_VALID_CA ) + == CERTDB_VALID_CA ) || + ( ( trust->objectSigningFlags & CERTDB_TRUSTED_CA ) + == CERTDB_TRUSTED_CA ) ) { + ret = PR_TRUE; + type |= NS_CERT_TYPE_OBJECT_SIGNING_CA; + } } else { - SECStatus rv; - CERTBasicConstraints constraints; - - rv = CERT_FindBasicConstraintExten(cert, &constraints); - if (rv == SECSuccess && constraints.isCA) { + if ( cert->nsCertType & + ( NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | + NS_CERT_TYPE_OBJECT_SIGNING_CA ) ) { ret = PR_TRUE; - cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA); + type = (cert->nsCertType & NS_CERT_TYPE_CA); + } else { + CERTBasicConstraints constraints; + rv = CERT_FindBasicConstraintExten(cert, &constraints); + if ( rv == SECSuccess ) { + if ( constraints.isCA ) { + ret = PR_TRUE; + type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA); + } + } } + + /* finally check if it's a FORTEZZA V1 CA */ + if (ret == PR_FALSE) { + if (fortezzaIsCA(cert)) { + ret = PR_TRUE; + type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA); + } + } } - /* finally check if it's an X.509 v1 root or 
FORTEZZA V1 CA */ - if (!ret && - ((cert->isRoot && cert_Version(cert) < SEC_CERTIFICATE_VERSION_3) || - fortezzaIsCA(cert) )) { + /* the isRoot flag trumps all */ + if (cert->isRoot) { ret = PR_TRUE; - cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA); + /* set only these by default, same as above */ + type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA); } - /* Now apply trust overrides, if any */ - cType = cert_ComputeTrustOverrides(cert, cType); - ret = (cType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | - NS_CERT_TYPE_OBJECT_SIGNING_CA)) ? PR_TRUE : PR_FALSE; - - if (rettype != NULL) { - *rettype = cType; + + if ( rettype != NULL ) { + *rettype = type; } - return ret; + + return(ret); } PRBool CERT_IsCADERCert(SECItem *derCert, unsigned int *type) { CERTCertificate *cert; PRBool isCA; /* This is okay -- only looks at extensions */ @@ -2368,17 +2355,17 @@ CERT_FixupEmailAddr(const char *emailAdd return(retaddr); } /* * NOTE - don't allow encode of govt-approved or invisible bits */ SECStatus -CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts) +CERT_DecodeTrustString(CERTCertTrust *trust, char *trusts) { unsigned int i; unsigned int *pflags; if (!trust) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }
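Review bot: In `CERT_IsCACert` the final `if (cert->isRoot)` block sets `ret = PR_TRUE` and assigns `type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA)` unconditionally. That discards bits computed above from the trust flags or `nsCertType` (for example `NS_CERT_TYPE_OBJECT_SIGNING_CA`) and reports a CA even when `CERT_FindBasicConstraintExten` succeeded with `isCA` false. The first branch also skips the `nsCertType` and basic-constraints checks entirely once any trust flag is non-zero, so the two sources are never combined. At minimum make the root case additive and conditional: `if (!ret && cert->isRoot) {` with `type |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);`. How `isRoot` is set is not visible here, so the comment "the isRoot flag trumps all" should state which certificates that covers and that callers must not treat the result as a trust decision.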
--- a/security/nss/lib/certdb/certi.h +++ b/security/nss/lib/certdb/certi.h @@ -31,17 +31,17 @@ * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* * certi.h - private data structures for the certificate library * - * $Id: certi.h,v 1.27 2008/10/31 23:02:36 alexei.volkov.bugs%sun.com Exp $ + * $Id: certi.h,v 1.26 2008/06/18 01:00:40 wtc%google.com Exp $ */ #ifndef _CERTI_H_ #define _CERTI_H_ #include "certt.h" #include "nssrwlkt.h" /* @@ -252,20 +252,16 @@ extern CERTAVA * CERT_CreateAVAFromRaw(P /* * get a DPCache object for the given issuer subject and dp * Automatically creates the cache object if it doesn't exist yet. */ SECStatus AcquireDPCache(CERTCertificate* issuer, SECItem* subject, SECItem* dp, int64 t, void* wincx, CRLDPCache** dpcache, PRBool* writeLocked); -/* check if a particular SN is in the CRL cache and return its entry */ -SECStatus DPCache_Lookup(CRLDPCache* cache, SECItem* sn, - CERTCrlEntry** returned); - /* release a DPCache object that was previously acquired */ void ReleaseDPCache(CRLDPCache* dpcache, PRBool writeLocked); /* this function assumes the caller holds a lock on the DPCache */ SECStatus DPCache_GetAllCRLs(CRLDPCache* dpc, PRArenaPool* arena, CERTSignedCrl*** crls, PRUint16* status); /* this function assumes the caller holds a lock on the DPCache */
--- a/security/nss/lib/certdb/certt.h +++ b/security/nss/lib/certdb/certt.h @@ -31,17 +31,17 @@ * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* * certt.h - public data structures for the certificate library * - * $Id: certt.h,v 1.48 2008/10/31 23:02:36 alexei.volkov.bugs%sun.com Exp $ + * $Id: certt.h,v 1.47 2008/06/20 16:57:03 nelson%bolyard.com Exp $ */ #ifndef _CERTT_H_ #define _CERTT_H_ #include "prclist.h" #include "pkcs11t.h" #include "seccomon.h" #include "secmodt.h" @@ -1054,17 +1054,17 @@ typedef enum { * Other flags define what happens on missing fresh info. */ #define CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE 0L #define CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE 8L /* * Defines the behavior if we are unable to obtain fresh information. * INGORE means: - * Return "cert status unknown" + * Return "test succeded, not revoked" * FAIL means: * Return "cert revoked". */ #define CERT_REV_M_IGNORE_MISSING_FRESH_INFO 0L #define CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO 16L /* * What should happen if we were able to find fresh information using
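Review bot: The comment above `CERT_REV_M_IGNORE_MISSING_FRESH_INFO` now documents that an unobtainable fresh status is reported as "not revoked", which is a soft-fail result, and the wording should say so explicitly because callers choose between this flag and `CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO` based on it. The text also has two typos (`INGORE`, `succeded`). Suggested lines: `* IGNORE means:` and `* Return "test succeeded, not revoked" (soft-fail: missing data is treated as good)`.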
--- a/security/nss/lib/certdb/crl.c +++ b/security/nss/lib/certdb/crl.c @@ -32,17 +32,17 @@ * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* * Moved from secpkcs7.c * - * $Id: crl.c,v 1.60 2008/10/31 23:02:36 alexei.volkov.bugs%sun.com Exp $ + * $Id: crl.c,v 1.59 2008/03/25 05:02:22 julien.pierre.boogz%sun.com Exp $ */ #include "cert.h" #include "certi.h" #include "secder.h" #include "secasn1.h" #include "secoid.h" #include "certdb.h" @@ -941,16 +941,20 @@ static SECStatus DPCache_Destroy(CRLDPCa returns the cached CRL object . Needs write access to DPCache. */ static SECStatus DPCache_AddCRL(CRLDPCache* cache, CachedCrl* crl, PRBool* added); /* fetch the CRL for this DP from the PKCS#11 tokens */ static SECStatus DPCache_FetchFromTokens(CRLDPCache* cache, PRTime vfdate, void* wincx); +/* check if a particular SN is in the CRL cache and return its entry */ +static SECStatus DPCache_Lookup(CRLDPCache* cache, SECItem* sn, + CERTCrlEntry** returned); + /* update the content of the CRL cache, including fetching of CRLs, and reprocessing with specified issuer and date */ static SECStatus DPCache_GetUpToDate(CRLDPCache* cache, CERTCertificate* issuer, PRBool readlocked, PRTime vfdate, void* wincx); /* returns true if there are CRLs from PKCS#11 slots */ static PRBool DPCache_HasTokenCRLs(CRLDPCache* cache); @@ -1704,17 +1708,17 @@ static SECStatus CachedCrl_GetEntry(Cach else { *returned = NULL; } return SECSuccess; } /* check if a particular SN is in the CRL cache and return its entry */ -SECStatus DPCache_Lookup(CRLDPCache* cache, SECItem* sn, +static SECStatus DPCache_Lookup(CRLDPCache* cache, SECItem* sn, CERTCrlEntry** returned) { if (!cache || !sn || !returned) { PORT_SetError(SEC_ERROR_INVALID_ARGS); /* no cache or SN to look up, or no way to return entry */ return SECFailure; }
--- a/security/nss/lib/certdb/genname.c +++ b/security/nss/lib/certdb/genname.c @@ -33,16 +33,17 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ #include "plarena.h" #include "seccomon.h" #include "secitem.h" #include "secoidt.h" +#include "mcom_db.h" #include "secasn1.h" #include "secder.h" #include "certt.h" #include "cert.h" #include "xconst.h" #include "secerr.h" #include "secoid.h" #include "prprf.h"
--- a/security/nss/lib/certdb/stanpcertdb.c +++ b/security/nss/lib/certdb/stanpcertdb.c @@ -32,16 +32,17 @@ * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ #include "prtime.h" #include "cert.h" +#include "mcom_db.h" #include "certdb.h" #include "secitem.h" #include "secder.h" /* Call to PK11_FreeSlot below */ #include "secasn1.h" #include "secerr.h"
--- a/security/nss/lib/certdb/xauthkid.c +++ b/security/nss/lib/certdb/xauthkid.c @@ -35,16 +35,17 @@ * ***** END LICENSE BLOCK ***** */ /* * X.509 v3 Subject Key Usage Extension * */ #include "prtypes.h" +#include "mcom_db.h" #include "seccomon.h" #include "secdert.h" #include "secoidt.h" #include "secasn1t.h" #include "secasn1.h" #include "secport.h" #include "certt.h" #include "genname.h"
--- a/security/nss/lib/certdb/xbsconst.c +++ b/security/nss/lib/certdb/xbsconst.c @@ -34,17 +34,17 @@ * * ***** END LICENSE BLOCK ***** */ /* * X.509 v3 Basic Constraints Extension */ #include "prtypes.h" -#include <limits.h> /* for LONG_MAX */ +#include "mcom_db.h" #include "seccomon.h" #include "secdert.h" #include "secoidt.h" #include "secasn1t.h" #include "secasn1.h" #include "certt.h" #include "secder.h" #include "prprf.h"
--- a/security/nss/lib/certdb/xconst.c +++ b/security/nss/lib/certdb/xconst.c @@ -34,16 +34,17 @@ * * ***** END LICENSE BLOCK ***** */ /* * X.509 Extension Encoding */ #include "prtypes.h" +#include "mcom_db.h" #include "seccomon.h" #include "secdert.h" #include "secoidt.h" #include "secasn1t.h" #include "secasn1.h" #include "cert.h" #include "secder.h" #include "prprf.h"
--- a/security/nss/lib/certhigh/certvfypkix.c +++ b/security/nss/lib/certhigh/certvfypkix.c @@ -52,16 +52,17 @@ #include "cert.h" #include "secerr.h" #include "nssb64.h" #include "secasn1.h" #include "secder.h" #include "pkit.h" #include "pkix_pl_common.h" +#include "pkix_pl_ekuchecker.h" extern PRLogModuleInfo *pkixLog; #ifdef DEBUG_volkov /* Temporary declarations of functioins. Will be removed with fix for * 391183 */ extern char * pkix_Error2ASCII(PKIX_Error *error, void *plContext); @@ -412,16 +413,20 @@ cert_ProcessingParamsSetKuAndEku( PKIX_COMCERTSELPARAMSSETKEYUSAGEFAILED); PKIX_CHECK( PKIX_ComCertSelParams_SetExtendedKeyUsage(certSelParams, extKeyUsage, plContext), PKIX_COMCERTSELPARAMSSETEXTKEYUSAGEFAILED); + PKIX_CHECK( + PKIX_PL_EkuChecker_Create(procParams, plContext), + PKIX_EKUCHECKERINITIALIZEFAILED); + cleanup: PKIX_DECREF(extKeyUsage); PKIX_DECREF(certSelector); PKIX_DECREF(certSelParams); PKIX_RETURN(CERTVFYPKIX); } @@ -469,30 +474,33 @@ cleanup: */ static PKIX_Error* cert_CreatePkixProcessingParams( CERTCertificate *cert, PRBool checkSig, /* not used yet. See bug 391476 */ PRTime time, void *wincx, PRBool useArena, - PRBool disableOCSPRemoteFetching, +#ifdef DEBUG_volkov + PRBool checkAllCertsOCSP, +#endif PKIX_ProcessingParams **pprocParams, void **pplContext) { PKIX_List *anchors = NULL; PKIX_PL_Cert *targetCert = NULL; PKIX_PL_Date *date = NULL; PKIX_ProcessingParams *procParams = NULL; PKIX_CertSelector *certSelector = NULL; PKIX_ComCertSelParams *certSelParams = NULL; PKIX_CertStore *certStore = NULL; PKIX_List *certStores = NULL; - PKIX_RevocationChecker *revChecker = NULL; - PKIX_UInt32 methodFlags = 0; +#ifdef DEBUG_volkov + PKIX_RevocationChecker *ocspChecker = NULL; +#endif void *plContext = NULL; PKIX_ENTER(CERTVFYPKIX, "cert_CreatePkixProcessingParams"); PKIX_NULLCHECK_TWO(cert, pprocParams); PKIX_CHECK( PKIX_PL_NssContext_Create(0, useArena, wincx, &plContext), PKIX_NSSCONTEXTCREATEFAILED); 
@@ -559,81 +567,38 @@ cert_CreatePkixProcessingParams( PKIX_CHECK( PKIX_PL_Date_CreateFromPRTime(time, &date, plContext), PKIX_DATECREATEFROMPRTIMEFAILED); PKIX_CHECK( PKIX_ProcessingParams_SetDate(procParams, date, plContext), PKIX_PROCESSINGPARAMSSETDATEFAILED); - - PKIX_CHECK( - PKIX_RevocationChecker_Create(date, - PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | - PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT, - PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST | - PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT, - &revChecker, plContext), - PKIX_REVOCATIONCHECKERCREATEFAILED); - - PKIX_CHECK( - PKIX_ProcessingParams_SetRevocationChecker(procParams, revChecker, - plContext), - PKIX_PROCESSINGPARAMSSETREVOCATIONCHECKERFAILED); - - /* CRL method flags */ - methodFlags = - PKIX_REV_M_TEST_USING_THIS_METHOD | - PKIX_REV_M_FORBID_NETWORK_FETCHING | - PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */ - PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */ - PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO; - - /* add CRL revocation method to check the leaf certificate */ - PKIX_CHECK( - PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, - PKIX_RevocationMethod_CRL, methodFlags, - 0, NULL, PKIX_TRUE, plContext), - PKIX_REVOCATIONCHECKERADDMETHODFAILED); - - /* add CRL revocation method for other certs in the chain. 
*/ + PKIX_CHECK( - PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, - PKIX_RevocationMethod_CRL, methodFlags, - 0, NULL, PKIX_FALSE, plContext), - PKIX_REVOCATIONCHECKERADDMETHODFAILED); - - /* OCSP method flags */ - methodFlags = - PKIX_REV_M_TEST_USING_THIS_METHOD | - PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */ - PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */ - PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */ - PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */ - PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO; + PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled(procParams, + PKIX_FALSE, + plContext), + PKIX_PROCESSINGPARAMSSETNISTREVOCATIONENABLEDFAILED); - /* Disabling ocsp fetching when checking the status - * of ocsp response signer. Here and in the next if, - * adjust flags for ocsp signer cert validation case. */ - if (disableOCSPRemoteFetching) { - methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING; +#ifdef DEBUG_volkov1 + /* Enables ocsp rev checking of the chain cert through pkix OCSP + * implementation. */ + if (checkAllCertsOCSP) { + PKIX_CHECK( + PKIX_OcspChecker_Initialize(date, NULL, NULL, + &ocspChecker, plContext), + PKIX_PROCESSINGPARAMSSETDATEFAILED); + + PKIX_CHECK( + PKIX_ProcessingParams_AddRevocationChecker(procParams, + ocspChecker, plContext), + PKIX_PROCESSINGPARAMSSETDATEFAILED); } - - if (ocsp_FetchingFailureIsVerificationFailure() - && !disableOCSPRemoteFetching) { - methodFlags |= - PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO; - } - - /* add OCSP revocation method to check only the leaf certificate.*/ - PKIX_CHECK( - PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, - PKIX_RevocationMethod_OCSP, methodFlags, - 1, NULL, PKIX_TRUE, plContext), - PKIX_REVOCATIONCHECKERADDMETHODFAILED); +#endif PKIX_CHECK( PKIX_ProcessingParams_SetAnyPolicyInhibited(procParams, PR_FALSE, plContext), PKIX_PROCESSINGPARAMSSETANYPOLICYINHIBITED); PKIX_CHECK( PKIX_ProcessingParams_SetExplicitPolicyRequired(procParams, PR_FALSE, 
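Review bot: The OCSP block added in `cert_CreatePkixProcessingParams` is guarded by `#ifdef DEBUG_volkov1`, while the `checkAllCertsOCSP` parameter, the `ocspChecker` local and its `PKIX_DECREF` (hunks `@@ -469,30 +474,33 @@` and `@@ -652,17 +617,19 @@`) are guarded by `DEBUG_volkov`. A build defining only `DEBUG_volkov1` references undeclared names, and a build defining only `DEBUG_volkov` changes the signature but never uses the parameter; use one macro name throughout, e.g. `#ifdef DEBUG_volkov`. With neither macro defined, the new side of this hunk adds no explicit CRL or OCSP checker and calls `PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled(procParams, PKIX_FALSE, plContext)`, which deserves a comment stating what revocation checking, if any, still applies on this path. Both `PKIX_CHECK` calls inside the block also reuse `PKIX_PROCESSINGPARAMSSETDATEFAILED`, which would mislabel a failure of `PKIX_OcspChecker_Initialize` or `PKIX_ProcessingParams_AddRevocationChecker`. The function starts and ends outside this hunk.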
@@ -652,17 +617,19 @@ cleanup: PKIX_DECREF(anchors); PKIX_DECREF(targetCert); PKIX_DECREF(date); PKIX_DECREF(certSelector); PKIX_DECREF(certSelParams); PKIX_DECREF(certStore); PKIX_DECREF(certStores); PKIX_DECREF(procParams); - PKIX_DECREF(revChecker); +#ifdef DEBUG_volkov + PKIX_DECREF(ocspChecker); +#endif PKIX_RETURN(CERTVFYPKIX); } /* * FUNCTION: cert_PkixToNssCertsChain * DESCRIPTION: * @@ -873,23 +840,18 @@ cert_PkixErrorToNssCode( /* Loop until we find at least one error with non-null * plErr code, that is going to be nss error code. */ while (errPtr) { if (errPtr->plErr && !nssErr) { nssErr = errPtr->plErr; if (!pkixLog) break; } if (pkixLog) { -#ifdef PKIX_ERROR_DESCRIPTION PR_LOG(pkixLog, 2, ("Error at level %d: %s\n", errLevel, PKIX_ErrorText[errPtr->errCode])); -#else - PR_LOG(pkixLog, 2, ("Error at level %d: Error code %d\n", errLevel, - errPtr->errCode)); -#endif /* PKIX_ERROR_DESCRIPTION */ } errPtr = errPtr->cause; errLevel += 1; } PORT_Assert(nssErr); if (!nssErr) { *pNssErr = SEC_ERROR_LIBPKIX_INTERNAL; } else { @@ -1231,24 +1193,31 @@ do { validChain = NULL; #endif /* DEBUG */ errorGenerated = PKIX_FALSE; stackPosition = 0; if (leakedObjNum) { pkix_pl_lifecycle_ObjectTableUpdate(objCountTable); } - memLeakLoopCount += 1; + + PR_LOG(pkixLog, 1, ("Memory leak test: Loop %d\n", memLeakLoopCount++)); #endif /* PKIX_OBJECT_LEAK_TEST */ error = cert_CreatePkixProcessingParams(cert, checkSig, time, wincx, - PR_FALSE/*use arena*/, - requiredUsage == certUsageStatusResponder, - &procParams, &plContext); + PR_FALSE/*use arena*/, +#ifdef DEBUG_volkov + /* If in DEBUG_volkov, then enable OCSP + * check for all certs in the chain + * using libpkix ocsp code. + * (except for certUsageStatusResponder). */ + requiredUsage != certUsageStatusResponder, +#endif + &procParams, &plContext); if (error) { goto cleanup; } error = cert_ProcessingParamsSetKuAndEku(procParams, cert, PR_TRUE, requiredUsage, 0, plContext); if (error) { 
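Review bot: The added `PR_LOG(pkixLog, 1, ("Memory leak test: Loop %d\n", memLeakLoopCount++));` puts the counter increment inside a logging macro and uses `pkixLog` without the `if (pkixLog)` guard that the neighbouring log calls have (for example in `cert_PkixErrorToNssCode`). If `PR_LOG` is compiled out or the module's level is below 1 the counter never advances, and if `pkixLog` can be NULL at this point the macro would dereference it. Suggested: `if (pkixLog) { PR_LOG(pkixLog, 1, ("Memory leak test: Loop %d\n", memLeakLoopCount)); }` followed by `memLeakLoopCount += 1;`. The same line is added in the hunk at `@@ -2095,17 +2085,18 @@`. The enclosing function starts outside this hunk.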
@@ -1302,18 +1271,18 @@ cleanup: PKIX_PL_NssContext_Destroy(plContext); } #ifdef PKIX_OBJECT_LEAK_TEST leakedObjNum = pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL); if (pkixLog && leakedObjNum) { - PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d." - "Stack %s\n", memLeakLoopCount, errorFnStackString)); + PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. " + "Stack %s\n", errorFnStackString)); } PR_Free(errorFnStackString); errorFnStackString = NULL; if (abortOnLeak) { PORT_Assert(leakedObjNum == 0); } } while (errorGenerated); 
@@ -1521,73 +1490,32 @@ cert_pkix_FindOutputParam(CERTValOutPara for (i = params; i->type != cert_po_end; i++) { if (i->type == t) { return i; } } return NULL; } - -static PKIX_Error* -setRevocationMethod(PKIX_RevocationChecker *revChecker, - PKIX_ProcessingParams *procParams, - const CERTRevocationTests *revTest, - CERTRevocationMethodIndex certRevMethod, - PKIX_RevocationMethodType pkixRevMethod, - PKIX_Boolean verifyResponderUsages, - PKIX_Boolean isLeafTest, - void *plContext) -{ - PKIX_UInt32 methodFlags = 0; - PKIX_Error *error = NULL; - int priority = 0; - - if (revTest->number_of_defined_methods < certRevMethod) { - return NULL; - } - if (revTest->preferred_methods) { - int i = 0; - for (;i < revTest->number_of_preferred_methods;i++) { - if (revTest->preferred_methods[i] == certRevMethod) - break; - } - priority = i; - } - methodFlags = revTest->cert_rev_flags_per_method[certRevMethod]; - if (verifyResponderUsages && - pkixRevMethod == PKIX_RevocationMethod_OCSP) { - methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING; - } - error = - PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, - pkixRevMethod, methodFlags, - priority, NULL, - isLeafTest, plContext); - return error; -} - - SECStatus cert_pkixSetParam(PKIX_ProcessingParams *procParams, const CERTValInParam *param, void *plContext) { PKIX_Error * error = NULL; SECStatus r=SECSuccess; PKIX_PL_Date *date = NULL; PKIX_List *policyOIDList = NULL; + PKIX_RevocationChecker *ocspChecker = NULL; PKIX_List *certListPkix = NULL; const CERTRevocationFlags *flags; SECErrorCodes errCode = SEC_ERROR_INVALID_ARGS; const CERTCertList *certList = NULL; CERTCertListNode *node; PKIX_PL_Cert *certPkix = NULL; PKIX_TrustAnchor *trustAnchor = NULL; - PKIX_PL_Date *revDate = NULL; - PKIX_RevocationChecker *revChecker = NULL; /* XXX we need a way to map generic PKIX error to generic NSS errors */ switch (param->type) { case cert_pi_policyOID: /* needed? */ 
@@ -1629,96 +1557,161 @@ cert_pkixSetParam(PKIX_ProcessingParams error = PKIX_ProcessingParams_SetDate(procParams, date, plContext); if (error != NULL) { errCode = SEC_ERROR_INVALID_TIME; } break; case cert_pi_revocationFlags: { - PKIX_UInt32 leafIMFlags = 0; - PKIX_UInt32 chainIMFlags = 0; - PKIX_Boolean validatingResponderCert = PKIX_FALSE; + PRBool ocspTurnedOnForLeaf = PR_FALSE; + PRBool ocspTurnedOnForChain = PR_FALSE; + PRBool crlTurnedOnForLeaf = PR_FALSE; + PRBool crlTurnedOnForChain = PR_FALSE; + PRBool crlHardFailure = PR_FALSE; flags = param->value.pointer.revocation; if (!flags) { PORT_SetError(errCode); r = SECFailure; break; } - leafIMFlags = - flags->leafTests.cert_rev_method_independent_flags; - chainIMFlags = - flags->chainTests.cert_rev_method_independent_flags; + if ( + /* caller did define OCSP leaf behavior */ + (flags->leafTests.number_of_defined_methods > + cert_revocation_method_ocsp) + && + /* caller allows OCSP testing for the leaf */ + (flags->leafTests.cert_rev_flags_per_method + [cert_revocation_method_ocsp] + & CERT_REV_M_TEST_USING_THIS_METHOD)) { + ocspTurnedOnForLeaf = PR_TRUE; + } - error = PKIX_ProcessingParams_GetDate(procParams, &date, plContext); - if (error != NULL) { - errCode = SEC_ERROR_INVALID_TIME; + if ( + /* caller did define OCSP chain behavior */ + (flags->chainTests.number_of_defined_methods > + cert_revocation_method_ocsp) + && + /* caller allows OCSP testing for the chain */ + (flags->chainTests.cert_rev_flags_per_method + [cert_revocation_method_ocsp] + & CERT_REV_M_TEST_USING_THIS_METHOD)) { + ocspTurnedOnForChain = PR_TRUE; } - error = - PKIX_RevocationChecker_Create(date, leafIMFlags, chainIMFlags, - &revChecker, plContext); - if (error) { - break; + if ( + /* caller did define CRL leaf behavior */ + (flags->leafTests.number_of_defined_methods > + cert_revocation_method_crl) + && + /* caller allows CRL testing for the chain */ + (flags->leafTests.cert_rev_flags_per_method + [cert_revocation_method_crl] + & 
CERT_REV_M_TEST_USING_THIS_METHOD)) { + crlTurnedOnForLeaf = PR_TRUE; } - error = - PKIX_ProcessingParams_SetRevocationChecker(procParams, - revChecker, plContext); - if (error) { - break; + if ( + /* caller did define CRL chain behavior */ + (flags->chainTests.number_of_defined_methods > + cert_revocation_method_crl) + && + /* caller allows CRL testing for the chain */ + (flags->chainTests.cert_rev_flags_per_method + [cert_revocation_method_crl] + & CERT_REV_M_TEST_USING_THIS_METHOD)) { + crlTurnedOnForChain = PR_TRUE; } - if (((PKIX_PL_NssContext*)plContext)->certificateUsage & - certificateUsageStatusResponder) { - validatingResponderCert = PKIX_TRUE; + if ( + /* caller did define CRL chain behavior */ + (flags->chainTests.number_of_defined_methods > + cert_revocation_method_crl) + && + /* caller requests hard failure on missing (fresh) CRL */ + (flags->chainTests.cert_rev_flags_per_method + [cert_revocation_method_crl] + & CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO)) { + /* FIXME: should also consider flag + * CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE + */ + crlHardFailure = PR_TRUE; } - error = setRevocationMethod(revChecker, - procParams, &flags->leafTests, - cert_revocation_method_crl, - PKIX_RevocationMethod_CRL, - validatingResponderCert, - PKIX_TRUE, plContext); - if (error) { - break; + if (!ocspTurnedOnForChain) { + /* OCSP off either because: + * 1) we didn't turn ocsp on, or + * 2) we are only checking ocsp on the leaf cert only. + * The caller needs to handle the leaf case once we add leaf + * checking there */ + + /* currently OCSP is the only external revocation checker */ + error = PKIX_ProcessingParams_SetRevocationCheckers(procParams, + NULL, plContext); + } else { + /* FIXME: What should be done if !ocspTurnedOnForLeaf ? 
*/ + + /* OCSP is on for the whole chain */ + if (date == NULL) { + error = PKIX_ProcessingParams_GetDate + (procParams, &date, plContext ); + if (error != NULL) { + errCode = SEC_ERROR_INVALID_TIME; + break; + } + } + error = PKIX_OcspChecker_Initialize(date, NULL, NULL, + &ocspChecker, plContext); + if (error != NULL) { + break; + } + + error = PKIX_ProcessingParams_AddRevocationChecker(procParams, + ocspChecker, plContext); + PKIX_PL_Object_DecRef((PKIX_PL_Object *)ocspChecker, plContext); + ocspChecker=NULL; + + /* FIXME: add support for other revocation flags when underlying + * pkix supports it */ } - - error = setRevocationMethod(revChecker, - procParams, &flags->leafTests, - cert_revocation_method_ocsp, - PKIX_RevocationMethod_OCSP, - validatingResponderCert, - PKIX_TRUE, plContext); - if (error) { + if (error != NULL) { break; } - - error = setRevocationMethod(revChecker, - procParams, &flags->chainTests, - cert_revocation_method_crl, - PKIX_RevocationMethod_CRL, - validatingResponderCert, - PKIX_FALSE, plContext); - if (error) { - break; - } + if (!crlTurnedOnForChain) { + /* CRL checking is off either because: + * 1) we didn't turn crl checking on, or + * 2) we are only checking crls on the leaf cert only. + * The caller needs to handle the leaf case once we add leaf + * checking there */ - error = setRevocationMethod(revChecker, - procParams, &flags->chainTests, - cert_revocation_method_ocsp, - PKIX_RevocationMethod_OCSP, - validatingResponderCert, - PKIX_FALSE, plContext); - if (error) { - break; + /* this function only affects the built-in CRL checker */ + error = PKIX_ProcessingParams_SetRevocationEnabled(procParams, + PKIX_FALSE, plContext); + if (error != NULL) { + break; + } + /* make sure NIST Revocation Policy is off as well */ + error = PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled + (procParams, PKIX_FALSE, plContext); + } else { + /* FIXME: What should be done if !crlTurnedOnForLeaf ? 
*/ + + /* CRL checking is on for the whole chain */ + error = PKIX_ProcessingParams_SetRevocationEnabled(procParams, + PKIX_TRUE, plContext); + if (error != NULL) { + break; + } + error = PKIX_ProcessingParams_SetNISTRevocationPolicyEnabled + (procParams, + crlHardFailure ? PKIX_TRUE : PKIX_FALSE, + plContext); } - } break; case cert_pi_trustAnchors: certList = param->value.pointer.chain; error = PKIX_List_Create(&certListPkix, plContext); if (error != NULL) { @@ -1764,21 +1757,18 @@ cert_pkixSetParam(PKIX_ProcessingParams } if (policyOIDList != NULL) PKIX_PL_Object_DecRef((PKIX_PL_Object *)policyOIDList, plContext); if (date != NULL) PKIX_PL_Object_DecRef((PKIX_PL_Object *)date, plContext); - if (revDate != NULL) - PKIX_PL_Object_DecRef((PKIX_PL_Object *)revDate, plContext); - - if (revChecker != NULL) - PKIX_PL_Object_DecRef((PKIX_PL_Object *)revChecker, plContext); + if (ocspChecker != NULL) + PKIX_PL_Object_DecRef((PKIX_PL_Object *)ocspChecker, plContext); if (certListPkix) PKIX_PL_Object_DecRef((PKIX_PL_Object *)certListPkix, plContext); if (trustAnchor) PKIX_PL_Object_DecRef((PKIX_PL_Object *)trustAnchor, plContext); if (certPkix) @@ -2095,17 +2085,18 @@ do { oparam = NULL; i=0; errorGenerated = PKIX_FALSE; stackPosition = 0; if (leakedObjNum) { pkix_pl_lifecycle_ObjectTableUpdate(objCountTable); } - memLeakLoopCount += 1; + + PR_LOG(pkixLog, 1, ("Memory leak test: Loop %d\n", memLeakLoopCount++)); #endif /* PKIX_OBJECT_LEAK_TEST */ error = PKIX_PL_NssContext_Create( 0, PR_FALSE /*use arena*/, wincx, &plContext); if (error != NULL) { /* need pkix->nss error map */ PORT_SetError(SEC_ERROR_CERT_NOT_VALID); goto cleanup; } 
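Review bot: In the `cert_pi_revocationFlags` case, `ocspTurnedOnForLeaf` and `crlTurnedOnForLeaf` are computed but appear only in FIXME comments. A caller that enables a method for the leaf and not for the chain lands in the `!ocspTurnedOnForChain` / `!crlTurnedOnForChain` branches, which clear the revocation checkers and disable CRL checking, and as far as this hunk shows the call still returns success. Until leaf-only checking exists, rejecting that combination is safer than silently dropping the request: `if ((ocspTurnedOnForLeaf && !ocspTurnedOnForChain) || (crlTurnedOnForLeaf && !crlTurnedOnForChain)) { PORT_SetError(errCode); r = SECFailure; break; }`. `crlHardFailure` is likewise derived from `chainTests` only, and the comment on the CRL leaf test says "for the chain" where it means the leaf. `cert_pkixSetParam` starts before this hunk and continues after it.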
@@ -2117,27 +2108,16 @@ do { } error = PKIX_ProcessingParams_Create(&procParams, plContext); if (error != NULL) { /* need pkix->nss error map */ PORT_SetError(SEC_ERROR_CERT_NOT_VALID); goto cleanup; } - /* local cert store should be set into procParams before - * filling in revocation settings. */ - certStores = cert_GetCertStores(plContext); - if (certStores == NULL) { - goto cleanup; - } - error = PKIX_ProcessingParams_SetCertStores - (procParams, certStores, plContext); - if (error != NULL) { - goto cleanup; - } /* now process the extensible input parameters structure */ if (paramsIn != NULL) { i=0; while (paramsIn[i].type != cert_pi_end) { if (paramsIn[i].type >= cert_pi_max) { PORT_SetError(SEC_ERROR_INVALID_ARGS); goto cleanup; @@ -2146,26 +2126,37 @@ do { ¶msIn[i],plContext) != SECSuccess) { PORT_SetError(SEC_ERROR_INVALID_ARGS); goto cleanup; } i++; } } + certSelector = cert_GetTargetCertConstraints(cert, plContext); if (certSelector == NULL) { goto cleanup; } error = PKIX_ProcessingParams_SetTargetCertConstraints (procParams, certSelector, plContext); if (error != NULL) { goto cleanup; } + certStores = cert_GetCertStores(plContext); + if (certStores == NULL) { + goto cleanup; + } + error = PKIX_ProcessingParams_SetCertStores + (procParams, certStores, plContext); + if (error != NULL) { + goto cleanup; + } + error = PKIX_BuildChain( procParams, &nbioContext, &buildState, &buildResult, &verifyNode, plContext); if (error != NULL) { goto cleanup; } error = PKIX_BuildResult_GetValidateResult( buildResult, &valResult, 
@@ -2182,19 +2173,17 @@ do { error = PKIX_TrustAnchor_GetTrustedCert( trustAnchor, &trustAnchorCert, plContext); if (error != NULL) { goto cleanup; } #ifdef PKIX_OBJECT_LEAK_TEST - /* Can not continue if error was generated but not returned. - * Jumping to cleanup. */ - if (errorGenerated) goto cleanup; + PORT_Assert(!errorGenerated); #endif /* PKIX_OBJECT_LEAK_TEST */ oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_trustAnchor); if (oparam != NULL) { oparam->value.pointer.cert = cert_NSSCertFromPKIXCert(trustAnchorCert,plContext); } @@ -2267,18 +2256,18 @@ cleanup: PKIX_PL_NssContext_Destroy(plContext); #ifdef PKIX_OBJECT_LEAK_TEST leakedObjNum = pkix_pl_lifecycle_ObjectLeakCheck(leakedObjNum ? objCountTable : NULL); if (pkixLog && leakedObjNum) { - PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. Loop %d." - "Stack %s\n", memLeakLoopCount, errorFnStackString)); + PR_LOG(pkixLog, 1, ("The generated error caused an object leaks. " + "Stack %s\n", errorFnStackString)); } PR_Free(errorFnStackString); errorFnStackString = NULL; if (abortOnLeak) { PORT_Assert(leakedObjNum == 0); } } while (errorGenerated);
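Review bot: Under `PKIX_OBJECT_LEAK_TEST`, `PORT_Assert(!errorGenerated);` replaces the jump to `cleanup`, so in any build where `PORT_Assert` compiles to nothing the code continues to `cert_pkix_FindOutputParam` and `cert_NSSCertFromPKIXCert` after an injected error that was generated but not returned. If the leak test is only ever built with assertions enabled, a comment stating that is enough. Otherwise pair the assert with the early exit, `if (errorGenerated) goto cleanup;`, so the test loop cannot use results from a failed pass. The enclosing function starts and ends outside this hunk.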
--- a/security/nss/lib/certhigh/certvfypkixprint.c +++ b/security/nss/lib/certhigh/certvfypkixprint.c @@ -142,20 +142,20 @@ pkix_Cert2ASCII(PKIX_PL_Cert *cert) errorResult = PKIX_PL_Malloc(200, &asciiString, NULL); if (errorResult) goto cleanup; numChars = PR_snprintf (asciiString, 200, - "Ref: %d Subject=%s\nIssuer=%s\n", + "Ref: %d Issuer=%s\nSubject=%s\n", refCount, - subjectAscii, - issuerAscii); + issuerAscii, + subjectAscii); if (!numChars) goto cleanup; cleanup: if (issuer){ if (PKIX_PL_Object_DecRef((PKIX_PL_Object*)issuer, NULL)){ return (NULL);
--- a/security/nss/lib/certhigh/ocsp.c +++ b/security/nss/lib/certhigh/ocsp.c @@ -34,17 +34,17 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* * Implementation of OCSP services, for both client and server. * (XXX, really, mostly just for client right now, but intended to do both.) * - * $Id: ocsp.c,v 1.56 2008/10/31 23:02:37 alexei.volkov.bugs%sun.com Exp $ + * $Id: ocsp.c,v 1.55 2008/10/06 23:37:55 julien.pierre.boogz%sun.com Exp $ */ #include "prerror.h" #include "prprf.h" #include "plarena.h" #include "prnetdb.h" #include "seccomon.h" 
@@ -4468,36 +4468,33 @@ loser: SECITEM_FreeItem(encodedAuthInfoAccess, PR_TRUE); return locURI; } /* * Figure out where we should go to find out the status of the given cert - * via OCSP. If allowed to use a default responder uri and a default - * responder is set up, then that is our answer. + * via OCSP. If a default responder is set up, that is our answer. * If not, see if the certificate has an Authority Information Access (AIA) * extension for OCSP, and return the value of that. Otherwise return NULL. * We also let our caller know whether or not the responder chosen was * a default responder or not through the output variable isDefault; * its value has no meaning unless a good (non-null) value is returned * for the location. * * The result needs to be freed (PORT_Free) when no longer in use. */ char * ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert, - PRBool canUseDefault, PRBool *isDefault) + PRBool *isDefault) { - ocspCheckingContext *ocspcx = NULL; - - if (canUseDefault) { - ocspcx = ocsp_GetCheckingContext(handle); - } + ocspCheckingContext *ocspcx; + + ocspcx = ocsp_GetCheckingContext(handle); if (ocspcx != NULL && ocspcx->useDefaultResponder) { /* * A default responder wins out, if specified. * XXX Someday this may be a more complicated determination based * on the cert's issuer. (That is, we could have different default * responders configured for different issuers.) */ PORT_Assert(ocspcx->defaultResponderURI != NULL); 
@@ -4622,28 +4619,16 @@ ocsp_GetCachedOCSPResponseStatusIfFresh( } *missingResponseError = cacheItem->missingResponseError; } } PR_ExitMonitor(OCSP_Global.monitor); return rv; } -PRBool -ocsp_FetchingFailureIsVerificationFailure() -{ - PRBool isFailure; - - PR_EnterMonitor(OCSP_Global.monitor); - isFailure = - OCSP_Global.ocspFailureMode == ocspMode_FailureIsVerificationFailure; - PR_ExitMonitor(OCSP_Global.monitor); - return isFailure; -} - /* * FUNCTION: CERT_CheckOCSPStatus * Checks the status of a certificate via OCSP. Will only check status for * a certificate that has an AIA (Authority Information Access) extension * for OCSP *or* when a "default responder" is specified and enabled. * (If no AIA extension for OCSP and no default responder in place, the * cert is considered to have a good status and SECSuccess is returned.) * INPUTS: @@ -4711,20 +4696,22 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *h if (rv == SECSuccess) { CERT_DestroyOCSPCertID(certID); return rvOcsp; } rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg, &certIDWasConsumed, &rvOcsp); if (rv != SECSuccess) { - /* we were unable to obtain ocsp status. Check if we should - * return cert status revoked. */ - rvOcsp = ocsp_FetchingFailureIsVerificationFailure() ? - SECFailure : SECSuccess; + /* we were unable to obtain ocsp status */ + PR_EnterMonitor(OCSP_Global.monitor); + rvOcsp = (OCSP_Global.ocspFailureMode + == ocspMode_FailureIsVerificationFailure) + ? SECFailure : SECSuccess; + PR_ExitMonitor(OCSP_Global.monitor); } if (!certIDWasConsumed) { CERT_DestroyOCSPCertID(certID); } return rvOcsp; } /* 
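Review bot: The comment `/* we were unable to obtain ocsp status */` in CERT_CheckOCSPStatus no longer says what the branch decides. Unless `OCSP_Global.ocspFailureMode` is `ocspMode_FailureIsVerificationFailure`, a failed fetch is returned as `SECSuccess`, the same value a caller gets for a verified good status. That soft-fail choice is the security-relevant part of the branch and should be spelled out, for example `/* Fetch failed: SECFailure only in ocspMode_FailureIsVerificationFailure; otherwise soft-fail with SECSuccess. */`. The function body starts before and continues after this hunk.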
@@ -4763,18 +4750,17 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDB * it will come out of the AIA extension in the cert (if present). * If we have no such location, then this cert does not "deserve" to * be checked -- that is, we consider it a success and just return. * The way we tell that is by looking at the error number to see if * the problem was no AIA extension was found; any other error was * a true failure that we unfortunately have to treat as an overall * failure here. */ - location = ocsp_GetResponderLocation(handle, cert, PR_TRUE, - &locationIsDefault); + location = ocsp_GetResponderLocation(handle, cert, &locationIsDefault); if (location == NULL) { int err = PORT_GetError(); if (err == SEC_ERROR_EXTENSION_NOT_FOUND || err == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) { PORT_SetError(0); *rv_ocsp = SECSuccess; return SECSuccess; }
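Review bot: The block comment above the `ocsp_GetResponderLocation` call says that only a missing AIA extension is treated as success and that any other error is a true failure, but the condition below it also returns `SECSuccess` for `SEC_ERROR_CERT_BAD_ACCESS_LOCATION`. Either the comment or the condition is out of date. If skipping the check for a certificate whose access location cannot be used is intended, the comment should say so, e.g. `* the problem was no AIA extension was found, or its access location was bad; any other error was`. The comment and the function both begin outside this hunk.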
--- a/security/nss/lib/certhigh/ocspi.h +++ b/security/nss/lib/certhigh/ocspi.h @@ -31,17 +31,17 @@ * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* * ocspi.h - NSS internal interfaces to OCSP code * - * $Id: ocspi.h,v 1.11 2008/10/31 23:02:37 alexei.volkov.bugs%sun.com Exp $ + * $Id: ocspi.h,v 1.10 2008/07/08 21:34:32 alexei.volkov.bugs%sun.com Exp $ */ #ifndef _OCSPI_H_ #define _OCSPI_H_ SECStatus OCSP_InitGlobal(void); SECStatus OCSP_ShutdownGlobal(void); @@ -151,22 +151,12 @@ cert_RememberOCSPProcessingFailure(CERTO * Out parameter, if set to true, URI of default responder is * returned. * RETURN: * Responder URI. */ char * ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert, - PRBool canUseDefaultLocation, PRBool *isDefault); -/* FUNCTION: ocsp_FetchingFailureIsVerificationFailure - * The function checks the global ocsp settings and - * tells how to treat an ocsp response fetching failure. - * RETURNS: - * if PR_TRUE is returned, then treat fetching as a - * revoked cert status. - */ -PRBool -ocsp_FetchingFailureIsVerificationFailure(); #endif /* _OCSPI_H_ */
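Review bot: The header comment for `ocsp_GetResponderLocation` ends with `RETURN: Responder URI.` and omits two facts that the comment in ocsp.c does state: the result has to be released with PORT_Free, and NULL is returned when no location is found. A caller reading only ocspi.h would learn neither. I would extend the return description to ` * Responder URI, or NULL if none is found; the caller frees it with PORT_Free.` The comment begins outside this hunk.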
--- a/security/nss/lib/ckfw/Makefile +++ b/security/nss/lib/ckfw/Makefile @@ -29,17 +29,17 @@ # under the terms of either the GPL or the LGPL, and not to allow others to # use your version of this file under the terms of the MPL, indicate your # decision by deleting the provisions above and replace them with the notice # and other provisions required by the GPL or the LGPL. If you do not delete # the provisions above, a recipient may use your version of this file under # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** -MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.16 $ $Date: 2008/12/03 18:44:24 $" +MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.14 $ $Date: 2007/06/19 08:03:45 $" include manifest.mn include $(CORE_DEPTH)/coreconf/config.mk include config.mk include $(CORE_DEPTH)/coreconf/rules.mk ifdef MOZILLA_CLIENT NSS_BUILD_CAPI = 1 @@ -56,17 +56,17 @@ endif # nssckft.h: ck.api ckapi.perl # nssckg.h: ck.api ckapi.perl # nssck.api: ck.api ckapi.perl # $(PERL) ckapi.perl ck.api export:: private_export # can't do this in manifest.mn because OS_TARGET isn't defined there. -ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET))) # list omits WINCE +ifeq (,$(filter-out WIN%,$(OS_TARGET))) ifdef NSS_BUILD_CAPI DIRS += capi endif endif #ifeq ($(OS_ARCH), Darwin) #DIRS += nssmkey #endif
--- a/security/nss/lib/ckfw/builtins/certdata.c +++ b/security/nss/lib/ckfw/builtins/certdata.c @@ -30,33 +30,32 @@ * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.52 $ $Date: 2009/01/15 22:35:15 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.52 $ $Date: 2009/01/15 22:35:15 $"; +static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.51 $ $Date: 2008/10/17 23:06:45 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.51 $ $Date: 2008/10/17 23:06:45 $"; #endif /* DEBUG */ #ifndef BUILTINS_H #include "builtins.h" #endif /* BUILTINS_H */ static const CK_BBOOL ck_false = CK_FALSE; static const CK_BBOOL ck_true = CK_TRUE; static const CK_CERTIFICATE_TYPE ckc_x_509 = CKC_X_509; static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE; static const CK_OBJECT_CLASS cko_data = CKO_DATA; static const CK_OBJECT_CLASS cko_netscape_builtin_root_list = CKO_NETSCAPE_BUILTIN_ROOT_LIST; static const CK_OBJECT_CLASS cko_netscape_trust = CKO_NETSCAPE_TRUST; static const CK_TRUST ckt_netscape_trust_unknown = CKT_NETSCAPE_TRUST_UNKNOWN; static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR; -static const CK_TRUST ckt_netscape_untrusted = CKT_NETSCAPE_UNTRUSTED; #ifdef DEBUG static const CK_ATTRIBUTE_TYPE nss_builtins_types_0 [] = { CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_APPLICATION, CKA_VALUE }; #endif /* DEBUG */ static const CK_ATTRIBUTE_TYPE nss_builtins_types_1 [] = { CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL }; 
@@ -805,31 +804,25 @@ static const CK_ATTRIBUTE_TYPE nss_built CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED }; static const CK_ATTRIBUTE_TYPE nss_builtins_types_250 [] = { CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERTIFICATE_TYPE, CKA_SUBJECT, CKA_ID, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_VALUE }; static const CK_ATTRIBUTE_TYPE nss_builtins_types_251 [] = { CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED }; -static const CK_ATTRIBUTE_TYPE nss_builtins_types_252 [] = { - CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERTIFICATE_TYPE, CKA_SUBJECT, CKA_ID, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_VALUE -}; -static const CK_ATTRIBUTE_TYPE nss_builtins_types_253 [] = { - CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED -}; #ifdef DEBUG static const NSSItem nss_builtins_items_0 [] = { { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)"CVS ID", (PRUint32)7 }, { (void *)"NSS", (PRUint32)4 }, - { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.52 $ $Date: 2009/01/15 22:35:15 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.52 $ $Date: 2009/01/15 22:35:15 $", (PRUint32)160 } + { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.51 $ $Date: 2008/10/17 23:06:45 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.51 $ $Date: 
2008/10/17 23:06:45 $", (PRUint32)160 } }; #endif /* DEBUG */ static const NSSItem nss_builtins_items_1 [] = { { (void *)&cko_netscape_builtin_root_list, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)"Mozilla Builtin Roots", (PRUint32)22 } 
@@ -16979,133 +16972,16 @@ static const NSSItem nss_builtins_items_ { (void *)"\002\020\037\107\257\252\142\000\160\120\124\114\001\236\233\143" "\231\052" , (PRUint32)18 }, { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; -static const NSSItem nss_builtins_items_252 [] = { - { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) }, - { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, - { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, - { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, - { (void *)"MD5 Collisions Forged Rogue CA 25c3", (PRUint32)36 }, - { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) }, - { (void *)"\060\074\061\072\060\070\006\003\125\004\003\023\061\115\104\065" -"\040\103\157\154\154\151\163\151\157\156\163\040\111\156\143\056" -"\040\050\150\164\164\160\072\057\057\167\167\167\056\160\150\162" -"\145\145\144\157\155\056\157\162\147\057\155\144\065\051" -, (PRUint32)62 }, - { (void *)"0", (PRUint32)2 }, - { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061" -"\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141" -"\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060" -"\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040" -"\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102" -"\165\163\151\156\145\163\163\040\103\101\055\061" -, (PRUint32)92 }, - { (void *)"\002\001\102" -, (PRUint32)3 }, - { (void *)"\060\202\004\062\060\202\003\233\240\003\002\001\002\002\001\102" -"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060" -"\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034" -"\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141\170" -"\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060\053" 
-"\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040\123" -"\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102\165" -"\163\151\156\145\163\163\040\103\101\055\061\060\036\027\015\060" -"\064\060\067\063\061\060\060\060\060\060\061\132\027\015\060\064" -"\060\071\060\062\060\060\060\060\060\061\132\060\074\061\072\060" -"\070\006\003\125\004\003\023\061\115\104\065\040\103\157\154\154" -"\151\163\151\157\156\163\040\111\156\143\056\040\050\150\164\164" -"\160\072\057\057\167\167\167\056\160\150\162\145\145\144\157\155" -"\056\157\162\147\057\155\144\065\051\060\201\237\060\015\006\011" -"\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060" -"\201\211\002\201\201\000\272\246\131\311\054\050\326\052\260\370" -"\355\237\106\244\244\067\356\016\031\150\131\321\263\003\231\121" -"\326\026\232\136\067\153\025\340\016\113\365\204\144\370\243\333" -"\101\157\065\325\233\025\037\333\304\070\122\160\201\227\136\217" -"\240\265\367\176\071\360\062\254\036\255\104\322\263\372\110\303" -"\316\221\233\354\364\234\174\341\132\365\310\067\153\232\203\336" -"\347\312\040\227\061\102\163\025\221\150\364\210\257\371\050\050" -"\305\351\017\163\260\027\113\023\114\231\165\320\104\346\176\010" -"\154\032\362\117\033\101\002\003\001\000\001\243\202\002\044\060" -"\202\002\040\060\013\006\003\125\035\017\004\004\003\002\001\306" -"\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001" -"\377\060\035\006\003\125\035\016\004\026\004\024\247\004\140\037" -"\253\162\103\010\305\177\010\220\125\126\034\326\316\346\070\353" -"\060\037\006\003\125\035\043\004\030\060\026\200\024\276\250\240" -"\164\162\120\153\104\267\311\043\330\373\250\377\263\127\153\150" -"\154\060\202\001\276\006\011\140\206\110\001\206\370\102\001\015" -"\004\202\001\257\026\202\001\253\063\000\000\000\047\136\071\340" -"\211\141\017\116\243\305\105\013\066\273\001\321\123\252\303\010" -"\217\157\370\117\076\207\207\104\021\334\140\340\337\222\125\371" 
-"\270\163\033\124\223\305\237\320\106\304\140\266\065\142\315\271" -"\257\034\250\151\032\311\133\074\226\067\300\355\147\357\273\376" -"\300\213\234\120\057\051\275\203\042\236\216\010\372\254\023\160" -"\242\130\177\142\142\212\021\367\211\366\337\266\147\131\163\026" -"\373\143\026\212\264\221\070\316\056\365\266\276\114\244\224\111" -"\344\145\021\012\102\025\311\301\060\342\151\325\105\175\245\046" -"\273\271\141\354\142\144\360\071\341\347\274\150\330\120\121\236" -"\035\140\323\321\243\247\012\370\003\040\241\160\001\027\221\066" -"\117\002\160\061\206\203\335\367\017\330\007\035\021\263\023\004" -"\245\334\360\256\120\261\050\016\143\151\052\014\202\157\217\107" -"\063\337\154\242\006\222\361\117\105\276\331\060\066\243\053\214" -"\326\167\256\065\143\177\116\114\232\223\110\066\331\237\002\003" -"\001\000\001\243\201\275\060\201\272\060\016\006\003\125\035\017" -"\001\001\377\004\004\003\002\004\360\060\035\006\003\125\035\016" -"\004\026\004\024\315\246\203\372\245\140\067\367\226\067\027\051" -"\336\101\170\361\207\211\125\347\060\073\006\003\125\035\037\004" -"\064\060\062\060\060\240\056\240\054\206\052\150\164\164\160\072" -"\057\057\143\162\154\056\147\145\157\164\162\165\163\164\056\143" -"\157\155\057\143\162\154\163\057\147\154\157\142\141\154\143\141" -"\061\056\143\162\154\060\037\006\003\125\035\043\004\030\060\026" -"\200\024\276\250\240\164\162\120\153\104\267\311\043\330\373\250" -"\377\263\127\153\150\154\060\035\006\003\125\035\045\004\026\060" -"\024\006\010\053\006\001\005\005\007\003\001\006\010\053\006\001" -"\005\005\007\003\002\060\014\006\003\125\035\023\001\001\377\004" -"\002\060\000\060\015\006\011\052\206\110\206\367\015\001\001\004" -"\005\000\003\201\201\000\247\041\002\215\321\016\242\200\167\045" -"\375\103\140\025\217\354\357\220\107\324\204\102\025\046\021\034" -"\315\302\074\020\051\251\266\337\253\127\165\221\332\345\053\263" -"\220\105\034\060\143\126\077\212\331\120\372\355\130\154\300\145" 
-"\254\146\127\336\034\306\166\073\365\000\016\216\105\316\177\114" -"\220\354\053\306\315\263\264\217\142\320\376\267\305\046\162\104" -"\355\366\230\133\256\313\321\225\365\332\010\276\150\106\261\165" -"\310\354\035\217\036\172\224\361\252\123\170\242\105\256\124\352" -"\321\236\164\310\166\147" -, (PRUint32)1078 } -}; -static const NSSItem nss_builtins_items_253 [] = { - { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, - { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, - { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, - { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, - { (void *)"MD5 Collisions Forged Rogue CA 25c3", (PRUint32)36 }, - { (void *)"\144\043\023\176\134\123\326\112\246\144\205\355\066\124\365\253" -"\005\132\213\212" -, (PRUint32)20 }, - { (void *)"\026\172\023\025\271\027\071\243\361\005\152\346\076\331\072\070" -, (PRUint32)16 }, - { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061" -"\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141" -"\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060" -"\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040" -"\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102" -"\165\163\151\156\145\163\163\040\103\101\055\061" -, (PRUint32)92 }, - { (void *)"\002\001\102" -, (PRUint32)3 }, - { (void *)&ckt_netscape_untrusted, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_untrusted, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ckt_netscape_untrusted, (PRUint32)sizeof(CK_TRUST) }, - { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } -}; builtinsInternalObject nss_builtins_data[] = { #ifdef DEBUG { 7, nss_builtins_types_0, nss_builtins_items_0, {NULL} }, #endif /* DEBUG */ { 5, nss_builtins_types_1, nss_builtins_items_1, {NULL} }, { 11, nss_builtins_types_2, nss_builtins_items_2, {NULL} }, 
@@ -17352,18 +17228,16 @@ nss_builtins_data[] = { { 13, nss_builtins_types_243, nss_builtins_items_243, {NULL} }, { 11, nss_builtins_types_244, nss_builtins_items_244, {NULL} }, { 13, nss_builtins_types_245, nss_builtins_items_245, {NULL} }, { 11, nss_builtins_types_246, nss_builtins_items_246, {NULL} }, { 13, nss_builtins_types_247, nss_builtins_items_247, {NULL} }, { 11, nss_builtins_types_248, nss_builtins_items_248, {NULL} }, { 13, nss_builtins_types_249, nss_builtins_items_249, {NULL} }, { 11, nss_builtins_types_250, nss_builtins_items_250, {NULL} }, - { 13, nss_builtins_types_251, nss_builtins_items_251, {NULL} }, - { 11, nss_builtins_types_252, nss_builtins_items_252, {NULL} }, - { 13, nss_builtins_types_253, nss_builtins_items_253, {NULL} } + { 13, nss_builtins_types_251, nss_builtins_items_251, {NULL} } }; const PRUint32 #ifdef DEBUG - nss_builtins_nObjects = 253+1; + nss_builtins_nObjects = 251+1; #else - nss_builtins_nObjects = 253; + nss_builtins_nObjects = 251; #endif /* DEBUG */
--- a/security/nss/lib/ckfw/builtins/certdata.txt +++ b/security/nss/lib/ckfw/builtins/certdata.txt @@ -29,17 +29,17 @@ # under the terms of either the GPL or the LGPL, and not to allow others to # use your version of this file under the terms of the MPL, indicate your # decision by deleting the provisions above and replace them with the notice # and other provisions required by the GPL or the LGPL. If you do not delete # the provisions above, a recipient may use your version of this file under # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** -CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.51 $ $Date: 2009/01/15 22:35:15 $" +CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.50 $ $Date: 2008/10/17 23:06:48 $" # # certdata.txt # # This file contains the object definitions for the certs and other # information "built into" NSS. # # Object definitions: 
@@ -17496,135 +17496,8 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\037\107\257\252\142\000\160\120\124\114\001\236\233\143 \231\052 END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# -# Certificate "MD5 Collisions Forged Rogue CA 25c3" -# -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "MD5 Collisions Forged Rogue CA 25c3" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\074\061\072\060\070\006\003\125\004\003\023\061\115\104\065 -\040\103\157\154\154\151\163\151\157\156\163\040\111\156\143\056 -\040\050\150\164\164\160\072\057\057\167\167\167\056\160\150\162 -\145\145\144\157\155\056\157\162\147\057\155\144\065\051 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061 -\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141 -\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060 -\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040 -\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102 -\165\163\151\156\145\163\163\040\103\101\055\061 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\102 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\004\062\060\202\003\233\240\003\002\001\002\002\001\102 -\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060 -\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034 -\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141\170 -\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060\053 -\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040\123 -\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102\165 
-\163\151\156\145\163\163\040\103\101\055\061\060\036\027\015\060 -\064\060\067\063\061\060\060\060\060\060\061\132\027\015\060\064 -\060\071\060\062\060\060\060\060\060\061\132\060\074\061\072\060 -\070\006\003\125\004\003\023\061\115\104\065\040\103\157\154\154 -\151\163\151\157\156\163\040\111\156\143\056\040\050\150\164\164 -\160\072\057\057\167\167\167\056\160\150\162\145\145\144\157\155 -\056\157\162\147\057\155\144\065\051\060\201\237\060\015\006\011 -\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060 -\201\211\002\201\201\000\272\246\131\311\054\050\326\052\260\370 -\355\237\106\244\244\067\356\016\031\150\131\321\263\003\231\121 -\326\026\232\136\067\153\025\340\016\113\365\204\144\370\243\333 -\101\157\065\325\233\025\037\333\304\070\122\160\201\227\136\217 -\240\265\367\176\071\360\062\254\036\255\104\322\263\372\110\303 -\316\221\233\354\364\234\174\341\132\365\310\067\153\232\203\336 -\347\312\040\227\061\102\163\025\221\150\364\210\257\371\050\050 -\305\351\017\163\260\027\113\023\114\231\165\320\104\346\176\010 -\154\032\362\117\033\101\002\003\001\000\001\243\202\002\044\060 -\202\002\040\060\013\006\003\125\035\017\004\004\003\002\001\306 -\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001 -\377\060\035\006\003\125\035\016\004\026\004\024\247\004\140\037 -\253\162\103\010\305\177\010\220\125\126\034\326\316\346\070\353 -\060\037\006\003\125\035\043\004\030\060\026\200\024\276\250\240 -\164\162\120\153\104\267\311\043\330\373\250\377\263\127\153\150 -\154\060\202\001\276\006\011\140\206\110\001\206\370\102\001\015 -\004\202\001\257\026\202\001\253\063\000\000\000\047\136\071\340 -\211\141\017\116\243\305\105\013\066\273\001\321\123\252\303\010 -\217\157\370\117\076\207\207\104\021\334\140\340\337\222\125\371 -\270\163\033\124\223\305\237\320\106\304\140\266\065\142\315\271 -\257\034\250\151\032\311\133\074\226\067\300\355\147\357\273\376 -\300\213\234\120\057\051\275\203\042\236\216\010\372\254\023\160 
-\242\130\177\142\142\212\021\367\211\366\337\266\147\131\163\026 -\373\143\026\212\264\221\070\316\056\365\266\276\114\244\224\111 -\344\145\021\012\102\025\311\301\060\342\151\325\105\175\245\046 -\273\271\141\354\142\144\360\071\341\347\274\150\330\120\121\236 -\035\140\323\321\243\247\012\370\003\040\241\160\001\027\221\066 -\117\002\160\061\206\203\335\367\017\330\007\035\021\263\023\004 -\245\334\360\256\120\261\050\016\143\151\052\014\202\157\217\107 -\063\337\154\242\006\222\361\117\105\276\331\060\066\243\053\214 -\326\167\256\065\143\177\116\114\232\223\110\066\331\237\002\003 -\001\000\001\243\201\275\060\201\272\060\016\006\003\125\035\017 -\001\001\377\004\004\003\002\004\360\060\035\006\003\125\035\016 -\004\026\004\024\315\246\203\372\245\140\067\367\226\067\027\051 -\336\101\170\361\207\211\125\347\060\073\006\003\125\035\037\004 -\064\060\062\060\060\240\056\240\054\206\052\150\164\164\160\072 -\057\057\143\162\154\056\147\145\157\164\162\165\163\164\056\143 -\157\155\057\143\162\154\163\057\147\154\157\142\141\154\143\141 -\061\056\143\162\154\060\037\006\003\125\035\043\004\030\060\026 -\200\024\276\250\240\164\162\120\153\104\267\311\043\330\373\250 -\377\263\127\153\150\154\060\035\006\003\125\035\045\004\026\060 -\024\006\010\053\006\001\005\005\007\003\001\006\010\053\006\001 -\005\005\007\003\002\060\014\006\003\125\035\023\001\001\377\004 -\002\060\000\060\015\006\011\052\206\110\206\367\015\001\001\004 -\005\000\003\201\201\000\247\041\002\215\321\016\242\200\167\045 -\375\103\140\025\217\354\357\220\107\324\204\102\025\046\021\034 -\315\302\074\020\051\251\266\337\253\127\165\221\332\345\053\263 -\220\105\034\060\143\126\077\212\331\120\372\355\130\154\300\145 -\254\146\127\336\034\306\166\073\365\000\016\216\105\316\177\114 -\220\354\053\306\315\263\264\217\142\320\376\267\305\046\162\104 -\355\366\230\133\256\313\321\225\365\332\010\276\150\106\261\165 -\310\354\035\217\036\172\224\361\252\123\170\242\105\256\124\352 
-\321\236\164\310\166\147 -END - -# Trust for Certificate "MD5 Collisions Forged Rogue CA 25c3" -CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "MD5 Collisions Forged Rogue CA 25c3" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\144\043\023\176\134\123\326\112\246\144\205\355\066\124\365\253 -\005\132\213\212 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\026\172\023\025\271\027\071\243\361\005\152\346\076\331\072\070 -END -CKA_ISSUER MULTILINE_OCTAL -\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061 -\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141 -\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060 -\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040 -\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102 -\165\163\151\156\145\163\163\040\103\101\055\061 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\102 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_UNTRUSTED -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_UNTRUSTED -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_UNTRUSTED -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--- a/security/nss/lib/ckfw/builtins/config.mk +++ b/security/nss/lib/ckfw/builtins/config.mk @@ -29,17 +29,17 @@ # under the terms of either the GPL or the LGPL, and not to allow others to # use your version of this file under the terms of the MPL, indicate your # decision by deleting the provisions above and replace them with the notice # and other provisions required by the GPL or the LGPL. If you do not delete # the provisions above, a recipient may use your version of this file under # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** -CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.12 $ $Date: 2008/11/19 20:09:37 $" +CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.11 $ $Date: 2005/01/20 02:25:46 $" # # Override TARGETS variable so that only shared libraries # are specifed as dependencies within rules.mk. # TARGETS = $(SHARED_LIBRARY) LIBRARY = @@ -64,16 +64,8 @@ DSO_LDOPTS = -bundle endif ifeq ($(OS_TARGET),SunOS) # The -R '$ORIGIN' linker option instructs this library to search for its # dependencies in the same directory where it resides. MKSHLIB += -R '$$ORIGIN' endif -ifeq ($(OS_ARCH), HP-UX) -ifneq ($(OS_TEST), ia64) -# pa-risc -ifeq ($(USE_64), 1) -MKSHLIB += +b '$$ORIGIN' -endif -endif -endif
--- a/security/nss/lib/ckfw/builtins/nssckbi.h +++ b/security/nss/lib/ckfw/builtins/nssckbi.h @@ -70,18 +70,18 @@ * ... * - NSS 3.30 branch: 250-255 * * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear * whether we may use its full range (0-255) or only 0-99 because * of the comment in the CK_VERSION type definition. */ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1 -#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 73 -#define NSS_BUILTINS_LIBRARY_VERSION "1.73" +#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 72 +#define NSS_BUILTINS_LIBRARY_VERSION "1.72" /* These version numbers detail the semantic changes to the ckfw engine. */ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0 /* These version numbers detail the semantic changes to ckbi itself * (new PKCS #11 objects), etc. */ #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/security/nss/lib/crmf/crmffut.h +++ b/security/nss/lib/crmf/crmffut.h @@ -35,17 +35,17 @@ * ***** END LICENSE BLOCK ***** */ /* * These functions to be implemented in the future if the features * which these functions would implement wind up being needed. */ /* - * Use this function to create the CRMFSinglePubInfo* variables that will + * Use this functionto create the CRMFSinglePubInfo* variables that will * populate the inPubInfoArray paramter for the funciton * CRMF_CreatePKIPublicationInfo. * * "inPubMethod" specifies which publication method will be used * "pubLocation" is a representation of the location where */ extern CRMFSinglePubInfo* CRMF_CreateSinglePubInfo(CRMFPublicationMethod inPubMethod,
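Review bot: The added comment line reads `Use this functionto create`, dropping the space that the removed line had, and the following context line still carries `paramter` and `funciton`. I would write the two lines as `Use this function to create the CRMFSinglePubInfo* variables that will` and `populate the inPubInfoArray parameter for the function`. The comment continues past the end of the hunk.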
new file mode 100644 --- /dev/null +++ b/security/nss/lib/cryptohi/hasht.h 
@@ -0,0 +1,102 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. 
+ * + * ***** END LICENSE BLOCK ***** */ +/* $Id: hasht.h,v 1.7 2005/11/07 18:44:20 wtchang%redhat.com Exp $ */ + +#ifndef _HASHT_H_ +#define _HASHT_H_ + +/* Opaque objects */ +typedef struct SECHashObjectStr SECHashObject; +typedef struct HASHContextStr HASHContext; + +/* + * The hash functions the security library supports + * NOTE the order must match the definition of SECHashObjects[]! + */ +typedef enum { + HASH_AlgNULL = 0, + HASH_AlgMD2 = 1, + HASH_AlgMD5 = 2, + HASH_AlgSHA1 = 3, + HASH_AlgSHA256 = 4, + HASH_AlgSHA384 = 5, + HASH_AlgSHA512 = 6, + HASH_AlgTOTAL +} HASH_HashType; + +/* + * Number of bytes each hash algorithm produces + */ +#define MD2_LENGTH 16 +#define MD5_LENGTH 16 +#define SHA1_LENGTH 20 +#define SHA256_LENGTH 32 +#define SHA384_LENGTH 48 +#define SHA512_LENGTH 64 +#define HASH_LENGTH_MAX SHA512_LENGTH + +/* + * Structure to hold hash computation info and routines + */ +struct SECHashObjectStr { + unsigned int length; /* hash output length (in bytes) */ + void * (*create)(void); + void * (*clone)(void *); + void (*destroy)(void *, PRBool); + void (*begin)(void *); + void (*update)(void *, const unsigned char *, unsigned int); + void (*end)(void *, unsigned char *, unsigned int *, unsigned int); + unsigned int blocklength; /* hash input block size (in bytes) */ + HASH_HashType type; +}; + +struct HASHContextStr { + const struct SECHashObjectStr *hashobj; + void *hash_context; +}; + +/* This symbol is NOT exported from the NSS DLL. Code that needs a + * pointer to one of the SECHashObjects should call HASH_GetHashObject() + * instead. See "sechash.h". + */ +extern const SECHashObject SECHashObjects[]; + +/* Only those functions below the PKCS #11 line should use SECRawHashObjects. + * This symbol is not exported from the NSS DLL. + */ +extern const SECHashObject SECRawHashObjects[]; + +#endif /* _HASHT_H_ */
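Review bot: hasht.h is not self-contained: `SECHashObjectStr` declares `void (*destroy)(void *, PRBool)` but the header includes nothing, so it compiles only when the includer has already pulled in the NSPR types. Add `#include "prtypes.h"` after the guard. The function-pointer members are also undocumented; a comment on `end` should say which argument is the output buffer, which receives the length and which is the buffer capacity (presumably the same order as `HASH_End` in sechash.h, to be confirmed against the implementations).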
--- a/security/nss/lib/cryptohi/keythi.h +++ b/security/nss/lib/cryptohi/keythi.h @@ -197,20 +197,23 @@ struct SECKEYPublicKeyStr { SECKEYDHPublicKey dh; SECKEYKEAPublicKey kea; SECKEYFortezzaPublicKey fortezza; SECKEYECPublicKey ec; } u; }; typedef struct SECKEYPublicKeyStr SECKEYPublicKey; +#define CachedAttribute(attribute,setbit) \ +static const PRUint32 SECKEY_##attribute = 1 << setbit; + /* bit flag definitions for staticflags */ #define SECKEY_Attributes_Cached 0x1 /* bit 0 states whether attributes are cached */ -#define SECKEY_CKA_PRIVATE (1U << 1) /* bit 1 is the value of CKA_PRIVATE */ +CachedAttribute(CKA_PRIVATE,1) /* bit 1 is the value of CKA_PRIVATE */ #define SECKEY_ATTRIBUTES_CACHED(key) \ (0 != (key->staticflags & SECKEY_Attributes_Cached)) #define SECKEY_ATTRIBUTE_VALUE(key,attribute) \ (0 != (key->staticflags & SECKEY_##attribute)) #define SECKEY_HAS_ATTRIBUTE_SET(key,attribute) \
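Review bot: The new `CachedAttribute` macro makes every translation unit that includes keythi.h define its own `static const PRUint32 SECKEY_CKA_PRIVATE`, and it computes the mask as `1 << setbit` in signed `int` with an unparenthesised argument. That is harmless for bit 1 but becomes undefined behaviour if a flag is ever placed at bit 31, and files that never test the flag are likely to get unused-variable warnings. A plain constant avoids both, `#define SECKEY_CKA_PRIVATE (1U << 1)`; if the macro stays, write `1U << (setbit)`. The accessor macros below it also expand `key->staticflags` without parentheses around `key`.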
--- a/security/nss/lib/cryptohi/manifest.mn +++ b/security/nss/lib/cryptohi/manifest.mn @@ -40,20 +40,22 @@ MODULE = nss REQUIRES = dbm LIBRARY_NAME = cryptohi EXPORTS = \ cryptohi.h \ cryptoht.h \ + hasht.h \ key.h \ keyhi.h \ keyt.h \ keythi.h \ + sechash.h \ $(NULL) PRIVATE_EXPORTS = \ $(NULL) LIBSRCS = \ sechash.c \ seckey.c \
new file mode 100644 --- /dev/null +++ b/security/nss/lib/cryptohi/sechash.h 
@@ -0,0 +1,90 @@ +#ifndef _HASH_H_ +#define _HASH_H_ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ +/* $Id: sechash.h,v 1.8 2008/02/22 21:14:20 nelson%bolyard.com Exp $ */ + +#include "seccomon.h" +#include "hasht.h" +#include "secoidt.h" + +SEC_BEGIN_PROTOS + +/* +** Generic hash api. 
+*/ + +extern unsigned int HASH_ResultLen(HASH_HashType type); + +extern unsigned int HASH_ResultLenContext(HASHContext *context); + +extern unsigned int HASH_ResultLenByOidTag(SECOidTag hashOid); + +extern SECStatus HASH_HashBuf(HASH_HashType type, + unsigned char *dest, + unsigned char *src, + PRUint32 src_len); + +extern HASHContext * HASH_Create(HASH_HashType type); + +extern HASHContext * HASH_Clone(HASHContext *context); + +extern void HASH_Destroy(HASHContext *context); + +extern void HASH_Begin(HASHContext *context); + +extern void HASH_Update(HASHContext *context, + const unsigned char *src, + unsigned int len); + +extern void HASH_End(HASHContext *context, + unsigned char *result, + unsigned int *result_len, + unsigned int max_result_len); + +extern HASH_HashType HASH_GetType(HASHContext *context); + +extern const SECHashObject * HASH_GetHashObject(HASH_HashType type); + +extern const SECHashObject * HASH_GetHashObjectByOidTag(SECOidTag hashOid); + +extern HASH_HashType HASH_GetHashTypeByOidTag(SECOidTag hashOid); +extern SECOidTag HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid); +extern SECOidTag HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid); + +SEC_END_PROTOS + +#endif /* _HASH_H_ */
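Review bot: `HASH_HashBuf` takes `dest` with no length, unlike `HASH_End`, which carries `max_result_len`, and nothing in the header tells the caller how large `dest` must be. A comment above the prototype should state the contract, e.g. `/* dest must hold at least HASH_ResultLen(type) bytes (at most HASH_LENGTH_MAX); no length is passed, so the callee cannot check it */`. `src` looks read-only, judging by `HASH_Update`, and could be `const unsigned char *`. The guard `_HASH_H_` does not match the file name and opens before the licence block, which makes a clash with another header's guard more likely; `_SECHASH_H_` would follow the pattern used by hasht.h.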
--- a/security/nss/lib/dev/devslot.c +++ b/security/nss/lib/dev/devslot.c @@ -30,17 +30,17 @@ * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: devslot.c,v $ $Revision: 1.25 $ $Date: 2008/11/20 04:53:44 $"; +static const char CVS_ID[] = "@(#) $RCSfile: devslot.c,v $ $Revision: 1.24 $ $Date: 2008/08/09 01:25:58 $"; #endif /* DEBUG */ #ifndef NSSCKEPV_H #include "nssckepv.h" #endif /* NSSCKEPV_H */ #ifndef DEVM_H #include "devm.h" @@ -214,31 +214,29 @@ nssSlot_IsTokenPresent ( nssToken_Remove(slot->token); return PR_FALSE; } /* token is present, use the session info to determine if the card * has been removed and reinserted. */ session = nssToken_GetDefaultSession(slot->token); if (session) { - PRBool isPresent = PR_FALSE; nssSession_EnterMonitor(session); if (session->handle != CK_INVALID_SESSION) { CK_SESSION_INFO sessionInfo; ckrv = CKAPI(epv)->C_GetSessionInfo(session->handle, &sessionInfo); if (ckrv != CKR_OK) { /* session is screwy, close and invalidate it */ CKAPI(epv)->C_CloseSession(session->handle); session->handle = CK_INVALID_SESSION; } } - isPresent = session->handle != CK_INVALID_SESSION; nssSession_ExitMonitor(session); /* token not removed, finished */ - if (isPresent) + if (session->handle != CK_INVALID_SESSION) return PR_TRUE; } /* the token has been removed, and reinserted, or the slot contains * a token it doesn't recognize. invalidate all the old * information we had on this token, if we can't refresh, clear * the present flag */ nssToken_NotifyCertsNotVisible(slot->token); nssToken_Remove(slot->token);
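Review bot: In nssSlot_IsTokenPresent the final test `if (session->handle != CK_INVALID_SESSION)` now reads `session->handle` after `nssSession_ExitMonitor(session)`, although the same field is rewritten inside the monitor a few lines earlier. If another thread invalidates the session between the exit and the test, this path could report the token as present on a stale handle. Take the snapshot while the monitor is held, `isPresent = session->handle != CK_INVALID_SESSION;` before the exit, then `if (isPresent) return PR_TRUE;`. The function starts and ends outside the hunk, so how other code paths lock the session is not visible here.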
--- a/security/nss/lib/dev/devutil.c +++ b/security/nss/lib/dev/devutil.c @@ -30,17 +30,17 @@ * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: devutil.c,v $ $Revision: 1.33 $ $Date: 2008/11/19 20:44:35 $"; +static const char CVS_ID[] = "@(#) $RCSfile: devutil.c,v $ $Revision: 1.32 $ $Date: 2008/09/30 04:09:02 $"; #endif /* DEBUG */ #ifndef DEVM_H #include "devm.h" #endif /* DEVM_H */ #ifndef CKHELPER_H #include "ckhelper.h" @@ -143,17 +143,19 @@ nssSlotArray_Clone ( { NSSSlot **rvSlots = NULL; NSSSlot **sp = slots; PRUint32 count = 0; while (sp && *sp) count++; if (count > 0) { rvSlots = nss_ZNEWARRAY(NULL, NSSSlot *, count + 1); if (rvSlots) { - for (sp = slots, count = 0; *sp; sp++) { + sp = slots; + count = 0; + for (sp = slots; *sp; sp++) { rvSlots[count++] = nssSlot_AddRef(*sp); } } } return rvSlots; } NSS_IMPLEMENT void @@ -369,17 +371,17 @@ static nssCryptokiObjectAndAttributes * create_object ( nssCryptokiObject *object, const CK_ATTRIBUTE_TYPE *types, PRUint32 numTypes, PRStatus *status ) { PRUint32 j; - NSSArena *arena = NULL; + NSSArena *arena; NSSSlot *slot = NULL; nssSession *session = NULL; nssCryptokiObjectAndAttributes *rvCachedObject = NULL; slot = nssToken_GetSlot(object->token); if (!slot) { nss_SetError(NSS_ERROR_INVALID_POINTER); goto loser;
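Review bot: The counting loop in nssSlotArray_Clone, `while (sp && *sp) count++;`, never advances `sp`, so it does not terminate for any non-empty array; it should read `while (sp && *sp) { sp++; count++; }`. On the added lines, `sp = slots;` duplicates the `for (sp = slots; ...)` initialiser and can go, while `count = 0;` is needed because `count` is reused as the write index.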
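Review bot: `NSSArena *arena;` in create_object is left uninitialised, and the first failure path, `goto loser` when `nssToken_GetSlot` returns NULL, is taken before any assignment to it is visible. If the `loser` label (outside this hunk) tests or destroys `arena`, that is a read of an indeterminate pointer. Keeping `NSSArena *arena = NULL;` makes the cleanup safe whichever jump reaches it.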
--- a/security/nss/lib/freebl/Makefile +++ b/security/nss/lib/freebl/Makefile @@ -69,22 +69,19 @@ FREEBL_BUILD_SINGLE_SHLIB = 1 ifdef USE_64 DEFINES += -DNSS_USE_64 endif ifdef USE_ABI32_FPU DEFINES += -DNSS_USE_ABI32_FPU endif -ifdef FREEBL_NO_DEPEND - DEFINES += -DFREEBL_NO_DEPEND -endif -# some codes want _X86_ defined for intel CPUs. +# des.c wants _X86_ defined for intel CPUs. # coreconf does this for windows, but not for Linux, FreeBSD, etc. -ifeq (,$(filter-out x86 x86_64,$(CPU_ARCH))) +ifeq ($(CPU_ARCH),x86) ifneq (,$(filter-out WIN%,$(OS_TARGET))) OS_REL_CFLAGS += -D_X86_ endif endif ifeq ($(OS_TARGET),OSF1) DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_NO_MP_WORD MPI_SRCS += mpvalpha.c @@ -133,19 +130,16 @@ endif ifeq ($(OS_TARGET),Linux) ifeq ($(CPU_ARCH),x86_64) ASFILES = arcfour-amd64-gas.s mpi_amd64_gas.s ASFLAGS += -march=opteron -m64 -fPIC DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY DEFINES += -DNSS_USE_COMBA DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN # DEFINES += -DMPI_AMD64_ADD - # comment the next two lines to turn off intel HW accelleration - DEFINES += -DUSE_HW_AES - ASFILES += intel-aes.s MPI_SRCS += mpi_amd64.c mp_comba.c endif ifeq ($(CPU_ARCH),x86) ASFILES = mpi_x86.s DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE DEFINES += -DMP_ASSEMBLY_DIV_2DX1D DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN # The floating point ECC code doesn't work on Linux x86 (bug 311432). 
@@ -383,19 +377,16 @@ else ASFILES += mp_comba_amd64_sun.s mpcpucache_amd64.s ASFLAGS += -xarch=generic64 -K PIC SOL_CFLAGS += -xprefetch=no SHA_SRCS = MPCPU_SRCS = endif DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY DEFINES += -DNSS_USE_COMBA -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN - # comment the next two lines to turn off intel HW accelleration - DEFINES += -DUSE_HW_AES - ASFILES += intel-aes.s MPI_SRCS += mpi_amd64.c else # Solaris x86 DEFINES += -D_X86_ DEFINES += -DMP_USE_UINT_DIGIT DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE DEFINES += -DMP_ASSEMBLY_DIV_2DX1D ASFILES = mpi_i86pc.s
--- a/security/nss/lib/freebl/aeskeywrap.c +++ b/security/nss/lib/freebl/aeskeywrap.c @@ -31,23 +31,19 @@ * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: aeskeywrap.c,v 1.5 2008/11/18 19:48:21 rrelyea%redhat.com Exp $ */ - -/* $Id: aeskeywrap.c,v 1.5 2008/11/18 19:48:21 rrelyea%redhat.com Exp $ */ +/* $Id: aeskeywrap.c,v 1.4 2005/08/06 07:24:21 nelsonb%netscape.com Exp $ */ -#ifdef FREEBL_NO_DEPEND -#include "stubs.h" -#endif +/* $Id: aeskeywrap.c,v 1.4 2005/08/06 07:24:21 nelsonb%netscape.com Exp $ */ #include "prcpucfg.h" #if defined(IS_LITTLE_ENDIAN) || defined(SHA_NO_LONG_LONG) #define BIG_ENDIAN_WITH_64_BIT_REGISTERS 0 #else #define BIG_ENDIAN_WITH_64_BIT_REGISTERS 1 #endif #include "prtypes.h" /* for PRUintXX */
--- a/security/nss/lib/freebl/alg2268.c +++ b/security/nss/lib/freebl/alg2268.c @@ -32,21 +32,17 @@ * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: alg2268.c,v 1.8 2008/11/18 19:48:21 rrelyea%redhat.com Exp $ */ - -#ifdef FREEBL_NO_DEPEND -#include "stubs.h" -#endif +/* $Id: alg2268.c,v 1.7 2005/08/06 07:24:21 nelsonb%netscape.com Exp $ */ #include "blapi.h" #include "secerr.h" #ifdef XP_UNIX_XXX #include <stddef.h> /* for ptrdiff_t */ #endif /*
--- a/security/nss/lib/freebl/alghmac.c +++ b/security/nss/lib/freebl/alghmac.c @@ -29,20 +29,16 @@ * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -#ifdef FREEBL_NO_DEPEND -#include "stubs.h" -#endif - #include "secport.h" #include "hasht.h" #include "blapit.h" #include "alghmac.h" #include "secerr.h" #define HMAC_PAD_SIZE HASH_BLOCK_LENGTH_MAX
--- a/security/nss/lib/freebl/arcfive.c +++ b/security/nss/lib/freebl/arcfive.c @@ -31,21 +31,17 @@ * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: arcfive.c,v 1.6 2008/11/18 19:48:21 rrelyea%redhat.com Exp $ */ - -#ifdef FREEBL_NO_DEPEND -#include "stubs.h" -#endif +/* $Id: arcfive.c,v 1.5 2004/04/27 23:04:36 gerv%gerv.net Exp $ */ #include "blapi.h" #include "prerror.h" /******************************************/ /* ** RC5 symmetric block cypher -- 64-bit block size */
--- a/security/nss/lib/freebl/arcfour.c +++ b/security/nss/lib/freebl/arcfour.c @@ -33,20 +33,16 @@ * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* See NOTES ON UMRs, Unititialized Memory Reads, below. */ -#ifdef FREEBL_NO_DEPEND -#include "stubs.h" -#endif - #include "prerr.h" #include "secerr.h" #include "prtypes.h" #include "blapi.h" /* Architecture-dependent defines */
--- a/security/nss/lib/freebl/blapi.h +++ b/security/nss/lib/freebl/blapi.h @@ -32,17 +32,17 @@ * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: blapi.h,v 1.28 2008/12/17 06:09:12 nelson%bolyard.com Exp $ */ +/* $Id: blapi.h,v 1.27 2007/11/09 18:49:32 wtc%google.com Exp $ */ #ifndef _BLAPI_H_ #define _BLAPI_H_ #include "blapit.h" #include "hasht.h" #include "alghmac.h" 
@@ -512,40 +512,16 @@ extern SECStatus DES_Encrypt(DESContext ** ** NOTE: the inputLen must be a multiple of DES_KEY_LENGTH */ extern SECStatus DES_Decrypt(DESContext *cx, unsigned char *output, unsigned int *outputLen, unsigned int maxOutputLen, const unsigned char *input, unsigned int inputLen); /******************************************/ -/* -** SEED symmetric block cypher -*/ -extern SEEDContext * -SEED_CreateContext(const unsigned char *key, const unsigned char *iv, - int mode, PRBool encrypt); -extern SEEDContext *SEED_AllocateContext(void); -extern SECStatus SEED_InitContext(SEEDContext *cx, - const unsigned char *key, - unsigned int keylen, - const unsigned char *iv, - int mode, unsigned int encrypt, - unsigned int ); -extern void SEED_DestroyContext(SEEDContext *cx, PRBool freeit); -extern SECStatus -SEED_Encrypt(SEEDContext *cx, unsigned char *output, - unsigned int *outputLen, unsigned int maxOutputLen, - const unsigned char *input, unsigned int inputLen); -extern SECStatus -SEED_Decrypt(SEEDContext *cx, unsigned char *output, - unsigned int *outputLen, unsigned int maxOutputLen, - const unsigned char *input, unsigned int inputLen); - -/******************************************/ /* ** AES symmetric block cypher (Rijndael) */ /* ** Create a new AES context suitable for AES encryption/decryption. ** "key" raw key data ** "keylen" the number of bytes of key data (16, 24, or 32)
--- a/security/nss/lib/freebl/blapit.h +++ b/security/nss/lib/freebl/blapit.h @@ -33,17 +33,17 @@ * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: blapit.h,v 1.22 2008/12/17 06:09:12 nelson%bolyard.com Exp $ */ +/* $Id: blapit.h,v 1.21 2008/06/14 14:20:07 wtc%google.com Exp $ */ #ifndef _BLAPIT_H_ #define _BLAPIT_H_ #include "seccomon.h" #include "prlink.h" #include "plarena.h" #include "ecl-exp.h" @@ -68,20 +68,16 @@ /* AES operation modes */ #define NSS_AES 0 #define NSS_AES_CBC 1 /* Camellia operation modes */ #define NSS_CAMELLIA 0 #define NSS_CAMELLIA_CBC 1 -/* SEED operation modes */ -#define NSS_SEED 0 -#define NSS_SEED_CBC 1 - #define DSA_SIGNATURE_LEN 40 /* Bytes */ #define DSA_SUBPRIME_LEN 20 /* Bytes */ /* XXX We shouldn't have to hard code this limit. For * now, this is the quickest way to support ECDSA signature * processing (ECDSA signature lengths depend on curve * size). This limit is sufficient for curves upto * 576 bits. @@ -112,19 +108,16 @@ #define HASH_BLOCK_LENGTH_MAX SHA512_BLOCK_LENGTH #define AES_KEY_WRAP_IV_BYTES 8 #define AES_KEY_WRAP_BLOCK_SIZE 8 /* bytes */ #define AES_BLOCK_SIZE 16 /* bytes */ #define CAMELLIA_BLOCK_SIZE 16 /* bytes */ -#define SEED_BLOCK_SIZE 16 /* bytes */ -#define SEED_KEY_LENGTH 16 /* bytes */ - #define NSS_FREEBL_DEFAULT_CHUNKSIZE 2048 /* * These values come from the initial key size limits from the PKCS #11 * module. They may be arbitrarily adjusted to any value freebl supports. */ #define RSA_MIN_MODULUS_BITS 128 #define RSA_MAX_MODULUS_BITS 8192 
@@ -185,33 +178,31 @@ struct RC5ContextStr ; struct AESContextStr ; struct CamelliaContextStr ; struct MD2ContextStr ; struct MD5ContextStr ; struct SHA1ContextStr ; struct SHA256ContextStr ; struct SHA512ContextStr ; struct AESKeyWrapContextStr ; -struct SEEDContextStr ; typedef struct DESContextStr DESContext; typedef struct RC2ContextStr RC2Context; typedef struct RC4ContextStr RC4Context; typedef struct RC5ContextStr RC5Context; typedef struct AESContextStr AESContext; typedef struct CamelliaContextStr CamelliaContext; typedef struct MD2ContextStr MD2Context; typedef struct MD5ContextStr MD5Context; typedef struct SHA1ContextStr SHA1Context; typedef struct SHA256ContextStr SHA256Context; typedef struct SHA512ContextStr SHA512Context; /* SHA384Context is really a SHA512ContextStr. This is not a mistake. */ typedef struct SHA512ContextStr SHA384Context; typedef struct AESKeyWrapContextStr AESKeyWrapContext; -typedef struct SEEDContextStr SEEDContext; /*************************************************************************** ** RSA Public and Private Key structures */ /* member names from PKCS#1, section 7.1 */ struct RSAPublicKeyStr { PLArenaPool * arena;
--- a/security/nss/lib/freebl/camellia.c +++ b/security/nss/lib/freebl/camellia.c @@ -31,23 +31,19 @@ * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* - * $Id: camellia.c,v 1.2 2008/11/18 19:48:22 rrelyea%redhat.com Exp $ + * $Id: camellia.c,v 1.1 2007/02/28 19:47:37 rrelyea%redhat.com Exp $ */ -#ifdef FREEBL_NO_DEPEND -#include "stubs.h" -#endif - #include "prinit.h" #include "prerr.h" #include "secerr.h" #include "prtypes.h" #include "blapi.h" #include "camellia.h"
--- a/security/nss/lib/freebl/config.mk +++ b/security/nss/lib/freebl/config.mk @@ -96,26 +96,22 @@ else # ! NS_USE_GCC EXTRA_SHARED_LIBS += \ $(DIST)/lib/nssutil3.lib \ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \ $(NULL) endif # NS_USE_GCC else -ifndef FREEBL_NO_DEPEND EXTRA_SHARED_LIBS += \ -L$(DIST)/lib \ -lnssutil3 \ -L$(NSPR_LIB_DIR) \ -lnspr4 \ $(NULL) -else -#drop pthreads as well -OS_PTHREAD= -endif + endif ifeq ($(OS_ARCH), Darwin) EXTRA_SHARED_LIBS += -dylib_file @executable_path/libplc4.dylib:$(DIST)/lib/libplc4.dylib -dylib_file @executable_path/libplds4.dylib:$(DIST)/lib/libplds4.dylib endif endif
--- a/security/nss/lib/freebl/des.c +++ b/security/nss/lib/freebl/des.c @@ -395,25 +395,20 @@ static const HALF PC2[8][64] = { */ #define FLIP_RIGHT_DIAGONAL(word, temp) \ temp = (word ^ (word >> 18)) & 0x00003333; \ word ^= temp | (temp << 18); \ temp = (word ^ (word >> 9)) & 0x00550055; \ word ^= temp | (temp << 9); -#if defined(__GNUC__) && defined(_X86_) -#define BYTESWAP(word, temp) \ - __asm("bswap %0" : "+r" (word)); -#else #define BYTESWAP(word, temp) \ word = (word >> 16) | (word << 16); \ temp = 0x00ff00ff; \ word = ((word & temp) << 8) | ((word >> 8) & temp); -#endif #define PC1(left, right, c0, d0, temp) \ right ^= temp = ((left >> 4) ^ right) & 0x0f0f0f0f; \ left ^= temp << 4; \ FLIP_RIGHT_DIAGONAL(left, temp); \ FLIP_RIGHT_DIAGONAL(right, temp); \ BYTESWAP(right, temp); \ c0 = right >> 4; \
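Review bot: `BYTESWAP` (like `FLIP_RIGHT_DIAGONAL` above it) expands to several statements ending in a semicolon, so a use as the body of an unbraced `if` or `else` would run only the first statement conditionally. Wrapping the body keeps it a single statement: `#define BYTESWAP(word, temp) do { word = (word >> 16) | (word << 16); temp = 0x00ff00ff; word = ((word & temp) << 8) | ((word >> 8) & temp); } while (0)`. The visible use inside `PC1` already ends with `;`, so it is unaffected; `PC1` itself continues past the hunk.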
--- a/security/nss/lib/freebl/desblapi.c +++ b/security/nss/lib/freebl/desblapi.c @@ -36,20 +36,16 @@ * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -#ifdef FREEBL_NO_DEPEND -#include "stubs.h" -#endif - #include "des.h" #include <stddef.h> #include "secerr.h" #if defined(_X86_) /* Intel X86 CPUs do unaligned loads and stores without complaint. */ #define COPY8B(to, from, ptr) \ HALFPTR(to)[0] = HALFPTR(from)[0]; \
--- a/security/nss/lib/freebl/dh.c +++ b/security/nss/lib/freebl/dh.c @@ -33,21 +33,18 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* * Diffie-Hellman parameter generation, key generation, and secret derivation. * KEA secret generation and verification. * - * $Id: dh.c,v 1.8 2008/11/18 19:48:22 rrelyea%redhat.com Exp $ + * $Id: dh.c,v 1.7 2004/04/25 15:03:08 gerv%gerv.net Exp $ */ -#ifdef FREEBL_NO_DEPEND -#include "stubs.h" -#endif #include "prerr.h" #include "secerr.h" #include "blapi.h" #include "secitem.h" #include "mpi.h" #include "mpprime.h"
--- a/security/nss/lib/freebl/dsa.c +++ b/security/nss/lib/freebl/dsa.c @@ -30,21 +30,17 @@ * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: dsa.c,v 1.19 2008/11/18 19:48:23 rrelyea%redhat.com Exp $ */ - -#ifdef FREEBL_NO_DEPEND -#include "stubs.h" -#endif +/* $Id: dsa.c,v 1.18 2005/10/12 00:48:25 wtchang%redhat.com Exp $ */ #include "secerr.h" #include "prtypes.h" #include "prinit.h" #include "blapi.h" #include "nssilock.h" #include "secitem.h"
--- a/security/nss/lib/freebl/ec.c +++ b/security/nss/lib/freebl/ec.c @@ -32,21 +32,16 @@ * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -#ifdef FREEBL_NO_DEPEND -#include "stubs.h" -#endif - - #include "blapi.h" #include "prerr.h" #include "secerr.h" #include "secmpi.h" #include "secitem.h" #include "mplogic.h" #include "ec.h" #include "ecl.h" @@ -117,17 +112,16 @@ ec_points_mul(const ECParams *params, co } #endif /* NOTE: We only support uncompressed points for now */ len = (params->fieldID.size + 7) >> 3; if (pointP != NULL) { if ((pointP->data[0] != EC_POINT_FORM_UNCOMPRESSED) || (pointP->len != (2 * len + 1))) { - PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); return SECFailure; }; } MP_DIGITS(&Px) = 0; MP_DIGITS(&Py) = 0; MP_DIGITS(&Qx) = 0; MP_DIGITS(&Qy) = 0; @@ -592,22 +586,19 @@ ECDH_Derive(SECItem *publicValue, /* multiply k with the cofactor */ MP_DIGITS(&cofactor) = 0; CHECK_MPI_OK( mp_init(&cofactor) ); mp_set(&cofactor, ecParams->cofactor); CHECK_MPI_OK( mp_mul(&k, &cofactor, &k) ); } /* Multiply our private key and peer's public point */ - if (ec_points_mul(ecParams, NULL, &k, publicValue, &pointQ) != SECSuccess) + if ((ec_points_mul(ecParams, NULL, &k, publicValue, &pointQ) != SECSuccess) || + ec_point_at_infinity(&pointQ)) goto cleanup; - if (ec_point_at_infinity(&pointQ)) { - PORT_SetError(SEC_ERROR_BAD_KEY); /* XXX better error code? */ - goto cleanup; - } /* Allocate memory for the derived secret and copy * the x co-ordinate of pointQ into it. */ SECITEM_AllocItem(NULL, derivedSecret, len); memcpy(derivedSecret->data, pointQ.data + 1, len); rv = SECSuccess; 
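Review bot: The failure paths on the new side no longer record why they failed: in ec_points_mul the unsupported-point-form branch returns `SECFailure` without `PORT_SetError`, and the same gap appears in the ECDH_Derive hunk (point at infinity) and in the cleanup hunk at -617, where the `MP_TO_SEC_ERROR(err)` translation is gone. A caller that inspects the error code after a failed derive may then see a stale value left by an earlier call. Keep `PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM);` before the return, set an error for the infinity case, and keep `if (err) { MP_TO_SEC_ERROR(err); }` in cleanup. Both functions extend beyond their hunks.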
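Review bot: In ECDH_Derive the result of `SECITEM_AllocItem(NULL, derivedSecret, len)` is not checked before `memcpy(derivedSecret->data, pointQ.data + 1, len)`, so an allocation failure turns into a copy through an unallocated `data` pointer. Test the return first: `if (SECITEM_AllocItem(NULL, derivedSecret, len) == NULL) goto cleanup;`. `rv` is set to `SECSuccess` only after the copy, so the early exit presumably reports failure, though the initialisation of `rv` is outside the hunk.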
@@ -617,20 +608,16 @@ ECDH_Derive(SECItem *publicValue, for (i = 0; i < derivedSecret->len; i++) printf("%02x:", derivedSecret->data[i]); printf("\n"); #endif cleanup: mp_clear(&k); - if (err) { - MP_TO_SEC_ERROR(err); - } - if (pointQ.data) { PORT_ZFree(pointQ.data, 2*len + 1); } #else PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); #endif /* NSS_ENABLE_ECC */ return rv;
deleted file mode 100644 --- a/security/nss/lib/freebl/freebl_hash.def +++ /dev/null 
@@ -1,71 +0,0 @@ -;+# -;+# ***** BEGIN LICENSE BLOCK ***** -;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1 -;+# -;+# The contents of this file are subject to the Mozilla Public License Version -;+# 1.1 (the "License"); you may not use this file except in compliance with -;+# the License. You may obtain a copy of the License at -;+# http://www.mozilla.org/MPL/ -;+# -;+# Software distributed under the License is distributed on an "AS IS" basis, -;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -;+# for the specific language governing rights and limitations under the -;+# License. -;+# -;+# The Original Code is the Netscape security libraries. -;+# -;+# The Initial Developer of the Original Code is -;+# Netscape Communications Corporation. -;+# Portions created by the Initial Developer are Copyright (C) 2000 -;+# the Initial Developer. All Rights Reserved. -;+# -;+# Contributor(s): -;+# -;+# Alternatively, the contents of this file may be used under the terms of -;+# either the GNU General Public License Version 2 or later (the "GPL"), or -;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -;+# in which case the provisions of the GPL or the LGPL are applicable instead -;+# of those above. If you wish to allow use of your version of this file only -;+# under the terms of either the GPL or the LGPL, and not to allow others to -;+# use your version of this file under the terms of the MPL, indicate your -;+# decision by deleting the provisions above and replace them with the notice -;+# and other provisions required by the GPL or the LGPL. If you do not delete -;+# the provisions above, a recipient may use your version of this file under -;+# the terms of any one of the MPL, the GPL or the LGPL. -;+# -;+# ***** END LICENSE BLOCK ***** -;+# -;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS -;+# 1. For all unix platforms, the string ";-" means "remove this line" -;+# 2. 
For all unix platforms, the string " DATA " will be removed from any -;+# line on which it occurs. -;+# 3. Lines containing ";+" will have ";+" removed on SUN and LINUX. -;+# On AIX, lines containing ";+" will be removed. -;+# 4. For all unix platforms, the string ";;" will thave the ";;" removed. -;+# 5. For all unix platforms, after the above processing has taken place, -;+# all characters after the first ";" on the line will be removed. -;+# And for AIX, the first ";" will also be removed. -;+# This file is passed directly to windows. Since ';' is a comment, all UNIX -;+# directives are hidden behind ";", ";+", and ";-" -;+ -;+NSSprivate_3.11 { # NSS 3.11 release -;+ global: -LIBRARY freebl3 ;- -EXPORTS ;- -FREEBL_GetVector; -;+ local: -;+ *; -;+}; -;+NSSRAWHASH_3.12.3 { # NSS 3.12.3 release -;+ global: -NSSLOW_Init; -NSSLOW_Shutdown; -NSSLOWHASH_Length; -NSSLOWHASH_Begin; -NSSLOWHASH_Destroy; -NSSLOWHASH_End; -NSSLOWHASH_NewContext; -NSSLOWHASH_Update; -;+ local: -;+ *; -;+};
deleted file mode 100644
--- a/security/nss/lib/freebl/hasht.h
+++ /dev/null
@@ -1,102 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 1994-2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * ***** END LICENSE BLOCK ***** */ -/* $Id: hasht.h,v 1.7 2008/12/10 22:48:03 wtchang%redhat.com Exp $ */ - -#ifndef _HASHT_H_ -#define _HASHT_H_ - -/* Opaque objects */ -typedef struct SECHashObjectStr SECHashObject; -typedef struct HASHContextStr HASHContext; - -/* - * The hash functions the security library supports - * NOTE the order must match the definition of SECHashObjects[]! - */ -typedef enum { - HASH_AlgNULL = 0, - HASH_AlgMD2 = 1, - HASH_AlgMD5 = 2, - HASH_AlgSHA1 = 3, - HASH_AlgSHA256 = 4, - HASH_AlgSHA384 = 5, - HASH_AlgSHA512 = 6, - HASH_AlgTOTAL -} HASH_HashType; - -/* - * Number of bytes each hash algorithm produces - */ -#define MD2_LENGTH 16 -#define MD5_LENGTH 16 -#define SHA1_LENGTH 20 -#define SHA256_LENGTH 32 -#define SHA384_LENGTH 48 -#define SHA512_LENGTH 64 -#define HASH_LENGTH_MAX SHA512_LENGTH - -/* - * Structure to hold hash computation info and routines - */ -struct SECHashObjectStr { - unsigned int length; /* hash output length (in bytes) */ - void * (*create)(void); - void * (*clone)(void *); - void (*destroy)(void *, PRBool); - void (*begin)(void *); - void (*update)(void *, const unsigned char *, unsigned int); - void (*end)(void *, unsigned char *, unsigned int *, unsigned int); - unsigned int blocklength; /* hash input block size (in bytes) */ - HASH_HashType type; -}; - -struct HASHContextStr { - const struct SECHashObjectStr *hashobj; - void *hash_context; -}; - -/* This symbol is NOT exported from the NSS DLL. Code that needs a - * pointer to one of the SECHashObjects should call HASH_GetHashObject() - * instead. See "sechash.h". - */ -extern const SECHashObject SECHashObjects[]; - -/* Only those functions below the PKCS #11 line should use SECRawHashObjects. - * This symbol is not exported from the NSS DLL. - */ -extern const SECHashObject SECRawHashObjects[]; - -#endif /* _HASHT_H_ */
deleted file mode 100644
--- a/security/nss/lib/freebl/intel-aes.h
+++ /dev/null
@@ -1,151 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Initial Developer of the Original Code is Red Hat, Inc, 2008. - * - * Contributor(s): - * Ulrich Drepper <drepper@redhat.com> - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. - * - * ***** END LICENSE BLOCK ***** */ - -/* Prototypes of the functions defined in the assembler file. 
*/ -void intel_aes_encrypt_init_128(const unsigned char *key, PRUint32 *expanded); -void intel_aes_encrypt_init_192(const unsigned char *key, PRUint32 *expanded); -void intel_aes_encrypt_init_256(const unsigned char *key, PRUint32 *expanded); -void intel_aes_decrypt_init_128(const unsigned char *key, PRUint32 *expanded); -void intel_aes_decrypt_init_192(const unsigned char *key, PRUint32 *expanded); -void intel_aes_decrypt_init_256(const unsigned char *key, PRUint32 *expanded); -SECStatus intel_aes_encrypt_ecb_128(AESContext *cx, unsigned char *output, - unsigned int *outputLen, - unsigned int maxOutputLen, - const unsigned char *input, - unsigned int inputLen, - unsigned int blocksize); -SECStatus intel_aes_decrypt_ecb_128(AESContext *cx, unsigned char *output, - unsigned int *outputLen, - unsigned int maxOutputLen, - const unsigned char *input, - unsigned int inputLen, - unsigned int blocksize); -SECStatus intel_aes_encrypt_cbc_128(AESContext *cx, unsigned char *output, - unsigned int *outputLen, - unsigned int maxOutputLen, - const unsigned char *input, - unsigned int inputLen, - unsigned int blocksize); -SECStatus intel_aes_decrypt_cbc_128(AESContext *cx, unsigned char *output, - unsigned int *outputLen, - unsigned int maxOutputLen, - const unsigned char *input, - unsigned int inputLen, - unsigned int blocksize); -SECStatus intel_aes_encrypt_ecb_192(AESContext *cx, unsigned char *output, - unsigned int *outputLen, - unsigned int maxOutputLen, - const unsigned char *input, - unsigned int inputLen, - unsigned int blocksize); -SECStatus intel_aes_decrypt_ecb_192(AESContext *cx, unsigned char *output, - unsigned int *outputLen, - unsigned int maxOutputLen, - const unsigned char *input, - unsigned int inputLen, - unsigned int blocksize); -SECStatus intel_aes_encrypt_cbc_192(AESContext *cx, unsigned char *output, - unsigned int *outputLen, - unsigned int maxOutputLen, - const unsigned char *input, - unsigned int inputLen, - unsigned int blocksize); -SECStatus 
intel_aes_decrypt_cbc_192(AESContext *cx, unsigned char *output, - unsigned int *outputLen, - unsigned int maxOutputLen, - const unsigned char *input, - unsigned int inputLen, - unsigned int blocksize); -SECStatus intel_aes_encrypt_ecb_256(AESContext *cx, unsigned char *output, - unsigned int *outputLen, - unsigned int maxOutputLen, - const unsigned char *input, - unsigned int inputLen, - unsigned int blocksize); -SECStatus intel_aes_decrypt_ecb_256(AESContext *cx, unsigned char *output, - unsigned int *outputLen, - unsigned int maxOutputLen, - const unsigned char *input, - unsigned int inputLen, - unsigned int blocksize); -SECStatus intel_aes_encrypt_cbc_256(AESContext *cx, unsigned char *output, - unsigned int *outputLen, - unsigned int maxOutputLen, - const unsigned char *input, - unsigned int inputLen, - unsigned int blocksize); -SECStatus intel_aes_decrypt_cbc_256(AESContext *cx, unsigned char *output, - unsigned int *outputLen, - unsigned int maxOutputLen, - const unsigned char *input, - unsigned int inputLen, - unsigned int blocksize); - - -#define intel_aes_ecb_worker(encrypt, keysize) \ - ((encrypt) \ - ? ((keysize) == 16 ? intel_aes_encrypt_ecb_128 : \ - (keysize) == 24 ? intel_aes_encrypt_ecb_192 : \ - intel_aes_encrypt_ecb_256) \ - : ((keysize) == 16 ? intel_aes_decrypt_ecb_128 : \ - (keysize) == 24 ? intel_aes_decrypt_ecb_192 : \ - intel_aes_decrypt_ecb_256)) - - -#define intel_aes_cbc_worker(encrypt, keysize) \ - ((encrypt) \ - ? ((keysize) == 16 ? intel_aes_encrypt_cbc_128 : \ - (keysize) == 24 ? intel_aes_encrypt_cbc_192 : \ - intel_aes_encrypt_cbc_256) \ - : ((keysize) == 16 ? intel_aes_decrypt_cbc_128 : \ - (keysize) == 24 ? 
intel_aes_decrypt_cbc_192 : \ - intel_aes_decrypt_cbc_256)) - - -#define intel_aes_init(encrypt, keysize) \ - do { \ - if (encrypt) { \ - if (keysize == 16) \ - intel_aes_encrypt_init_128(key, cx->expandedKey); \ - else if (keysize == 24) \ - intel_aes_encrypt_init_192(key, cx->expandedKey); \ - else \ - intel_aes_encrypt_init_256(key, cx->expandedKey); \ - } else { \ - if (keysize == 16) \ - intel_aes_decrypt_init_128(key, cx->expandedKey); \ - else if (keysize == 24) \ - intel_aes_decrypt_init_192(key, cx->expandedKey); \ - else \ - intel_aes_decrypt_init_256(key, cx->expandedKey); \ - } \ - } while (0)
deleted file mode 100644
--- a/security/nss/lib/freebl/intel-aes.s
+++ /dev/null
@@ -1,1631 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Initial Developer of the Original Code is Red Hat, Inc, 2008. - * - * Contributor(s): - * Ulrich Drepper <drepper@redhat.com> - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * ***** END LICENSE BLOCK ***** */ - - .text - -#define IV_OFFSET 16 -#define EXPANDED_KEY_OFFSET 48 - - -/* in %rdi : the key - in %rsi : buffer for expanded key -*/ - .type intel_aes_encrypt_init_128,@function - .globl intel_aes_encrypt_init_128 - .align 16 -intel_aes_encrypt_init_128: - movups (%rdi), %xmm1 - movups %xmm1, (%rsi) - leaq 16(%rsi), %rsi - xorl %eax, %eax - - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x01 /* aeskeygenassist $0x01, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x02 /* aeskeygenassist $0x02, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x04 /* aeskeygenassist $0x04, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x08 /* aeskeygenassist $0x08, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x10 /* aeskeygenassist $0x10, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x20 /* aeskeygenassist $0x20, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x40 /* aeskeygenassist $0x40, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x80 /* aeskeygenassist $0x80, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x1b /* aeskeygenassist $0x1b, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x36 /* aeskeygenassist $0x36, %xmm1, %xmm2 */ - call key_expansion128 - - ret - .size intel_aes_encrypt_init_128, .-intel_aes_encrypt_init_128 - - -/* in %rdi : the key - in %rsi : buffer for expanded key -*/ - .type intel_aes_decrypt_init_128,@function - .globl intel_aes_decrypt_init_128 - .align 16 -intel_aes_decrypt_init_128: - movups (%rdi), %xmm1 - movups %xmm1, (%rsi) - leaq 16(%rsi), %rsi - xorl %eax, %eax - - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x01 /* aeskeygenassist $0x01, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x38,0xdb,0xd1 /* aesimc %xmm1, %xmm2 */ - movups %xmm2, -16(%rsi) - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x02 
/* aeskeygenassist $0x02, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x38,0xdb,0xd1 /* aesimc %xmm1, %xmm2 */ - movups %xmm2, -16(%rsi) - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x04 /* aeskeygenassist $0x04, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x38,0xdb,0xd1 /* aesimc %xmm1, %xmm2 */ - movups %xmm2, -16(%rsi) - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x08 /* aeskeygenassist $0x08, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x38,0xdb,0xd1 /* aesimc %xmm1, %xmm2 */ - movups %xmm2, -16(%rsi) - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x10 /* aeskeygenassist $0x10, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x38,0xdb,0xd1 /* aesimc %xmm1, %xmm2 */ - movups %xmm2, -16(%rsi) - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x20 /* aeskeygenassist $0x20, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x38,0xdb,0xd1 /* aesimc %xmm1, %xmm2 */ - movups %xmm2, -16(%rsi) - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x40 /* aeskeygenassist $0x40, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x38,0xdb,0xd1 /* aesimc %xmm1, %xmm2 */ - movups %xmm2, -16(%rsi) - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x80 /* aeskeygenassist $0x80, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x38,0xdb,0xd1 /* aesimc %xmm1, %xmm2 */ - movups %xmm2, -16(%rsi) - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x1b /* aeskeygenassist $0x1b, %xmm1, %xmm2 */ - call key_expansion128 - .byte 0x66,0x0f,0x38,0xdb,0xd1 /* aesimc %xmm1, %xmm2 */ - movups %xmm2, -16(%rsi) - .byte 0x66,0x0f,0x3a,0xdf,0xd1,0x36 /* aeskeygenassist $0x36, %xmm1, %xmm2 */ - call key_expansion128 - - ret - .size intel_aes_decrypt_init_128, .-intel_aes_decrypt_init_128 - - - .type key_expansion128,@function - .align 16 -key_expansion128: - movd %eax, %xmm3 - pshufd $0xff, %xmm2, %xmm2 - shufps $0x10, %xmm1, %xmm3 - pxor %xmm3, %xmm1 - shufps $0x8c, %xmm1, %xmm3 - pxor %xmm2, %xmm1 - pxor %xmm3, %xmm1 - movdqu %xmm1, (%rsi) - addq $16, %rsi - ret - .size key_expansion128, .-key_expansion128 - - -/* in %rdi : cx 
- context - in %rsi : output - pointer to output buffer - in %rdx : outputLen - pointer to variable for length of output - (filled by caller) - in %rcx : maxOutputLen - length of output buffer - in %r8 : input - pointer to input buffer - in %r9 : inputLen - length of input buffer - on stack: blocksize - AES blocksize (always 16, unused) -*/ - .type intel_aes_encrypt_ecb_128,@function - .globl intel_aes_encrypt_ecb_128 - .align 16 -intel_aes_encrypt_ecb_128: -// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi - leaq 48(%rdi), %rdi - - movdqu (%rdi), %xmm2 - movdqu 160(%rdi), %xmm12 - xor %eax, %eax -// cmpq $8*16, %r9 - cmpq $128, %r9 - jb 1f -// leaq -8*16(%r9), %r11 - leaq -128(%r9), %r11 -2: movdqu (%r8, %rax), %xmm3 - movdqu 16(%r8, %rax), %xmm4 - movdqu 32(%r8, %rax), %xmm5 - movdqu 48(%r8, %rax), %xmm6 - movdqu 64(%r8, %rax), %xmm7 - movdqu 80(%r8, %rax), %xmm8 - movdqu 96(%r8, %rax), %xmm9 - movdqu 112(%r8, %rax), %xmm10 - pxor %xmm2, %xmm3 - pxor %xmm2, %xmm4 - pxor %xmm2, %xmm5 - pxor %xmm2, %xmm6 - pxor %xmm2, %xmm7 - pxor %xmm2, %xmm8 - pxor %xmm2, %xmm9 - pxor %xmm2, %xmm10 - movq $16, %r10 -3: movdqu (%rdi, %r10), %xmm1 - .byte 0x66,0x0f,0x38,0xdc,0xd9 /* aesenc %xmm1, %xmm3 */ - .byte 0x66,0x0f,0x38,0xdc,0xe1 /* aesenc %xmm1, %xmm4 */ - .byte 0x66,0x0f,0x38,0xdc,0xe9 /* aesenc %xmm1, %xmm5 */ - .byte 0x66,0x0f,0x38,0xdc,0xf1 /* aesenc %xmm1, %xmm6 */ - .byte 0x66,0x0f,0x38,0xdc,0xf9 /* aesenc %xmm1, %xmm7 */ - .byte 0x66,0x44,0x0f,0x38,0xdc,0xc1 /* aesenc %xmm1, %xmm8 */ - .byte 0x66,0x44,0x0f,0x38,0xdc,0xc9 /* aesenc %xmm1, %xmm9 */ - .byte 0x66,0x44,0x0f,0x38,0xdc,0xd1 /* aesenc %xmm1, %xmm10 */ - addq $16, %r10 - cmpq $160, %r10 - jne 3b - .byte 0x66,0x41,0x0f,0x38,0xdd,0xdc /* aesenclast %xmm12, %xmm3 */ - .byte 0x66,0x41,0x0f,0x38,0xdd,0xe4 /* aesenclast %xmm12, %xmm4 */ - .byte 0x66,0x41,0x0f,0x38,0xdd,0xec /* aesenclast %xmm12, %xmm5 */ - .byte 0x66,0x41,0x0f,0x38,0xdd,0xf4 /* aesenclast %xmm12, %xmm6 */ - .byte 0x66,0x41,0x0f,0x38,0xdd,0xfc /* aesenclast 
%xmm12, %xmm7 */ - .byte 0x66,0x45,0x0f,0x38,0xdd,0xc4 /* aesenclast %xmm12, %xmm8 */ - .byte 0x66,0x45,0x0f,0x38,0xdd,0xcc /* aesenclast %xmm12, %xmm9 */ - .byte 0x66,0x45,0x0f,0x38,0xdd,0xd4 /* aesenclast %xmm12, %xmm10 */ - movdqu %xmm3, (%rsi, %rax) - movdqu %xmm4, 16(%rsi, %rax) - movdqu %xmm5, 32(%rsi, %rax) - movdqu %xmm6, 48(%rsi, %rax) - movdqu %xmm7, 64(%rsi, %rax) - movdqu %xmm8, 80(%rsi, %rax) - movdqu %xmm9, 96(%rsi, %rax) - movdqu %xmm10, 112(%rsi, %rax) -// addq $8*16, %rax - addq $128, %rax - cmpq %r11, %rax - jbe 2b -1: cmpq %rax, %r9 - je 5f - - movdqu 16(%rdi), %xmm3 - movdqu 32(%rdi), %xmm4 - movdqu 48(%rdi), %xmm5 - movdqu 64(%rdi), %xmm6 - movdqu 80(%rdi), %xmm7 - movdqu 96(%rdi), %xmm8 - movdqu 112(%rdi), %xmm9 - movdqu 128(%rdi), %xmm10 - movdqu 144(%rdi), %xmm11 - -4: movdqu (%r8, %rax), %xmm1 - pxor %xmm2, %xmm1 - .byte 0x66,0x0f,0x38,0xdc,0xcb /* aesenc %xmm3, %xmm1 */ - .byte 0x66,0x0f,0x38,0xdc,0xcc /* aesenc %xmm4, %xmm1 */ - .byte 0x66,0x0f,0x38,0xdc,0xcd /* aesenc %xmm5, %xmm1 */ - .byte 0x66,0x0f,0x38,0xdc,0xce /* aesenc %xmm6, %xmm1 */ - .byte 0x66,0x0f,0x38,0xdc,0xcf /* aesenc %xmm7, %xmm1 */ - .byte 0x66,0x41,0x0f,0x38,0xdc,0xc8 /* aesenc %xmm8, %xmm1 */ - .byte 0x66,0x41,0x0f,0x38,0xdc,0xc9 /* aesenc %xmm9, %xmm1 */ - .byte 0x66,0x41,0x0f,0x38,0xdc,0xca /* aesenc %xmm10, %xmm1 */ - .byte 0x66,0x41,0x0f,0x38,0xdc,0xcb /* aesenc %xmm11, %xmm1 */ - .byte 0x66,0x41,0x0f,0x38,0xdd,0xcc /* aesenclast %xmm12, %xmm1 */ - movdqu %xmm1, (%rsi, %rax) - addq $16, %rax - cmpq %rax, %r9 - jne 4b - -5: xor %eax, %eax - ret - .size intel_aes_encrypt_ecb_128, .-intel_aes_encrypt_ecb_128 - - -/* in %rdi : cx - context - in %rsi : output - pointer to output buffer - in %rdx : outputLen - pointer to variable for length of output - (filled by caller) - in %rcx : maxOutputLen - length of output buffer - in %r8 : input - pointer to input buffer - in %r9 : inputLen - length of input buffer - on stack: blocksize - AES blocksize (always 16, unused) -*/ - 
.type intel_aes_decrypt_ecb_128,@function - .globl intel_aes_decrypt_ecb_128 - .align 16 -intel_aes_decrypt_ecb_128: -// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi - leaq 48(%rdi), %rdi - - movdqu (%rdi), %xmm2 - movdqu 160(%rdi), %xmm12 - xorl %eax, %eax -// cmpq $8*16, %r9 - cmpq $128, %r9 - jb 1f -// leaq -8*16(%r9), %r11 - leaq -128(%r9), %r11 -2: movdqu (%r8, %rax), %xmm3 - movdqu 16(%r8, %rax), %xmm4 - movdqu 32(%r8, %rax), %xmm5 - movdqu 48(%r8, %rax), %xmm6 - movdqu 64(%r8, %rax), %xmm7 - movdqu 80(%r8, %rax), %xmm8 - movdqu 96(%r8, %rax), %xmm9 - movdqu 112(%r8, %rax), %xmm10 - pxor %xmm12, %xmm3 - pxor %xmm12, %xmm4 - pxor %xmm12, %xmm5 - pxor %xmm12, %xmm6 - pxor %xmm12, %xmm7 - pxor %xmm12, %xmm8 - pxor %xmm12, %xmm9 - pxor %xmm12, %xmm10 - movq $144, %r10 -3: movdqu (%rdi, %r10), %xmm1 - .byte 0x66,0x0f,0x38,0xde,0xd9 /* aesdec %xmm1, %xmm3 */ - .byte 0x66,0x0f,0x38,0xde,0xe1 /* aesdec %xmm1, %xmm4 */ - .byte 0x66,0x0f,0x38,0xde,0xe9 /* aesdec %xmm1, %xmm5 */ - .byte 0x66,0x0f,0x38,0xde,0xf1 /* aesdec %xmm1, %xmm6 */ - .byte 0x66,0x0f,0x38,0xde,0xf9 /* aesdec %xmm1, %xmm7 */ - .byte 0x66,0x44,0x0f,0x38,0xde,0xc1 /* aesdec %xmm1, %xmm8 */ - .byte 0x66,0x44,0x0f,0x38,0xde,0xc9 /* aesdec %xmm1, %xmm8 */ - .byte 0x66,0x44,0x0f,0x38,0xde,0xd1 /* aesdec %xmm1, %xmm8 */ - subq $16, %r10 - jne 3b - .byte 0x66,0x0f,0x38,0xdf,0xda /* aesdeclast %xmm2, %xmm3 */ - .byte 0x66,0x0f,0x38,0xdf,0xe2 /* aesdeclast %xmm2, %xmm3 */ - .byte 0x66,0x0f,0x38,0xdf,0xea /* aesdeclast %xmm2, %xmm3 */ - .byte 0x66,0x0f,0x38,0xdf,0xf2 /* aesdeclast %xmm2, %xmm3 */ - .byte 0x66,0x0f,0x38,0xdf,0xfa /* aesdeclast %xmm2, %xmm3 */ - .byte 0x66,0x44,0x0f,0x38,0xdf,0xc2 /* aesdeclast %xmm2, %xmm8 */ - .byte 0x66,0x44,0x0f,0x38,0xdf,0xca /* aesdeclast %xmm2, %xmm9 */ - .byte 0x66,0x44,0x0f,0x38,0xdf,0xd2 /* aesdeclast %xmm2, %xmm10 */ - movdqu %xmm3, (%rsi, %rax) - movdqu %xmm4, 16(%rsi, %rax) - movdqu %xmm5, 32(%rsi, %rax) - movdqu %xmm6, 48(%rsi, %rax) - movdqu %xmm7, 64(%rsi, %rax) - movdqu 
%xmm8, 80(%rsi, %rax) - movdqu %xmm9, 96(%rsi, %rax) - movdqu %xmm10, 112(%rsi, %rax) -// addq $8*16, %rax - addq $128, %rax - cmpq %r11, %rax - jbe 2b -1: cmpq %rax, %r9 - je 5f - - movdqu 16(%rdi), %xmm3 - movdqu 32(%rdi), %xmm4 - movdqu 48(%rdi), %xmm5 - movdqu 64(%rdi), %xmm6 - movdqu 80(%rdi), %xmm7 - movdqu 96(%rdi), %xmm8 - movdqu 112(%rdi), %xmm9 - movdqu 128(%rdi), %xmm10 - movdqu 144(%rdi), %xmm11 - -4: movdqu (%r8, %rax), %xmm1 - pxor %xmm12, %xmm1 - .byte 0x66,0x41,0x0f,0x38,0xde,0xcb /* aesdec %xmm11, %xmm1 */ - .byte 0x66,0x41,0x0f,0x38,0xde,0xca /* aesdec %xmm10, %xmm1 */ - .byte 0x66,0x41,0x0f,0x38,0xde,0xc9 /* aesdec %xmm9, %xmm1 */ - .byte 0x66,0x41,0x0f,0x38,0xde,0xc8 /* aesdec %xmm8, %xmm1 */ - .byte 0x66,0x0f,0x38,0xde,0xcf /* aesdec %xmm7, %xmm1 */ - .byte 0x66,0x0f,0x38,0xde,0xce /* aesdec %xmm7, %xmm1 */ - .byte 0x66,0x0f,0x38,0xde,0xcd /* aesdec %xmm7, %xmm1 */ - .byte 0x66,0x0f,0x38,0xde,0xcc /* aesdec %xmm7, %xmm1 */ - .byte 0x66,0x0f,0x38,0xde,0xcb /* aesdec %xmm7, %xmm1 */ - .byte 0x66,0x0f,0x38,0xdf,0xca /* aesdeclast %xmm2, %xmm1 */ - movdqu %xmm1, (%rsi, %rax) - addq $16, %rax - cmpq %rax, %r9 - jne 4b - -5: xor %eax, %eax - ret - .size intel_aes_decrypt_ecb_128, .-intel_aes_decrypt_ecb_128 - - -/* in %rdi : cx - context - in %rsi : output - pointer to output buffer - in %rdx : outputLen - pointer to variable for length of output - (filled by caller) - in %rcx : maxOutputLen - length of output buffer - in %r8 : input - pointer to input buffer - in %r9 : inputLen - length of input buffer - on stack: blocksize - AES blocksize (always 16, unused) -*/ - .type intel_aes_encrypt_cbc_128,@function - .globl intel_aes_encrypt_cbc_128 - .align 16 -intel_aes_encrypt_cbc_128: - testq %r9, %r9 - je 2f - -// leaq IV_OFFSET(%rdi), %rdx -// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi - leaq 16(%rdi), %rdx - leaq 48(%rdi), %rdi - - movdqu (%rdx), %xmm0 - movdqu (%rdi), %xmm2 - movdqu 16(%rdi), %xmm3 - movdqu 32(%rdi), %xmm4 - movdqu 48(%rdi), %xmm5 - movdqu 
64(%rdi), %xmm6 - movdqu 80(%rdi), %xmm7 - movdqu 96(%rdi), %xmm8 - movdqu 112(%rdi), %xmm9 - movdqu 128(%rdi), %xmm10 - movdqu 144(%rdi), %xmm11 - movdqu 160(%rdi), %xmm12 - - xorl %eax, %eax -1: movdqu (%r8, %rax), %xmm1 - pxor %xmm0, %xmm1 - pxor %xmm2, %xmm1 - .byte 0x66,0x0f,0x38,0xdc,0xcb /* aesenc %xmm3, %xmm1 */ - .byte 0x66,0x0f,0x38,0xdc,0xcc /* aesenc %xmm4, %xmm1 */ - .byte 0x66,0x0f,0x38,0xdc,0xcd /* aesenc %xmm5, %xmm1 */ - .byte 0x66,0x0f,0x38,0xdc,0xce /* aesenc %xmm6, %xmm1 */ - .byte 0x66,0x0f,0x38,0xdc,0xcf /* aesenc %xmm7, %xmm1 */ - .byte 0x66,0x41,0x0f,0x38,0xdc,0xc8 /* aesenc %xmm8, %xmm1 */ - .byte 0x66,0x41,0x0f,0x38,0xdc,0xc9 /* aesenc %xmm9, %xmm1 */ - .byte 0x66,0x41,0x0f,0x38,0xdc,0xca /* aesenc %xmma, %xmm1 */ - .byte 0x66,0x41,0x0f,0x38,0xdc,0xcb /* aesenc %xmmb, %xmm1 */ - .byte 0x66,0x41,0x0f,0x38,0xdd,0xcc /* aesenclast %xmm12, %xmm1 */ - movdqu %xmm1, (%rsi, %rax) - movdqa %xmm1, %xmm0 - addq $16, %rax - cmpq %rax, %r9 - jne 1b - - movdqu %xmm0, (%rdx) - -2: xor %eax, %eax - ret - .size intel_aes_encrypt_cbc_128, .-intel_aes_encrypt_cbc_128 - - -/* in %rdi : cx - context - in %rsi : output - pointer to output buffer - in %rdx : outputLen - pointer to variable for length of output - (filled by caller) - in %rcx : maxOutputLen - length of output buffer - in %r8 : input - pointer to input buffer - in %r9 : inputLen - length of input buffer - on stack: blocksize - AES blocksize (always 16, unused) -*/ - .type intel_aes_decrypt_cbc_128,@function - .globl intel_aes_decrypt_cbc_128 - .align 16 -intel_aes_decrypt_cbc_128: -// leaq IV_OFFSET(%rdi), %rdx -// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi - leaq 16(%rdi), %rdx - leaq 48(%rdi), %rdi - - movdqu (%rdx), %xmm0 - movdqu (%rdi), %xmm2 - movdqu 160(%rdi), %xmm12 - xorl %eax, %eax -// cmpq $8*16, %r9 - cmpq $128, %r9 - jb 1f -// leaq -8*16(%r9), %r11 - leaq -128(%r9), %r11 -2: movdqu (%r8, %rax), %xmm3 - movdqu 16(%r8, %rax), %xmm4 - movdqu 32(%r8, %rax), %xmm5 - movdqu 48(%r8, %rax), %xmm6 - 
movdqu 64(%r8, %rax), %xmm7 - movdqu 80(%r8, %rax), %xmm8 - movdqu 96(%r8, %rax), %xmm9 - movdqu 112(%r8, %rax), %xmm10 - pxor %xmm12, %xmm3 - pxor %xmm12, %xmm4 - pxor %xmm12, %xmm5 - pxor %xmm12, %xmm6 - pxor %xmm12, %xmm7 - pxor %xmm12, %xmm8 - pxor %xmm12, %xmm9 - pxor %xmm12, %xmm10 - movq $144, %r10 -3: movdqu (%rdi, %r10), %xmm1 - .byte 0x66,0x0f,0x38,0xde,0xd9 /* aesdec %xmm1, %xmm3 */ - .byte 0x66,0x0f,0x38,0xde,0xe1 /* aesdec %xmm1, %xmm4 */ - .byte 0x66,0x0f,0x38,0xde,0xe9 /* aesdec %xmm1, %xmm5 */ - .byte 0x66,0x0f,0x38,0xde,0xf1 /* aesdec %xmm1, %xmm6 */ - .byte 0x66,0x0f,0x38,0xde,0xf9 /* aesdec %xmm1, %xmm7 */ - .byte 0x66,0x44,0x0f,0x38,0xde,0xc1 /* aesdec %xmm1, %xmm8 */ - .byte 0x66,0x44,0x0f,0x38,0xde,0xc9 /* aesdec %xmm1, %xmm9 */ - .byte 0x66,0x44,0x0f,0x38,0xde,0xd1 /* aesdec %xmm1, %xmm10 */ - subq $16, %r10 - jne 3b - .byte 0x66,0x0f,0x38,0xdf,0xda /* aesdeclast %xmm2, %xmm3 */ - .byte 0x66,0x0f,0x38,0xdf,0xe2 /* aesdeclast %xmm2, %xmm4 */ - .byte 0x66,0x0f,0x38,0xdf,0xea /* aesdeclast %xmm2, %xmm5 */ - .byte 0x66,0x0f,0x38,0xdf,0xf2 /* aesdeclast %xmm2, %xmm6 */ - .byte 0x66,0x0f,0x38,0xdf,0xfa /* aesdeclast %xmm2, %xmm7 */ - .byte 0x66,0x44,0x0f,0x38,0xdf,0xc2 /* aesdeclast %xmm2, %xmm8 */ - .byte 0x66,0x44,0x0f,0x38,0xdf,0xca /* aesdeclast %xmm2, %xmm9 */ - .byte 0x66,0x44,0x0f,0x38,0xdf,0xd2 /* aesdeclast %xmm2, %xmm10 */ - pxor %xmm0, %xmm3 - pxor (%r8, %rax), %xmm4 - pxor 16(%r8, %rax), %xmm5 - pxor 32(%r8, %rax), %xmm6 - pxor 48(%r8, %rax), %xmm7 - pxor 64(%r8, %rax), %xmm8 - pxor 80(%r8, %rax), %xmm9 - pxor 96(%r8, %rax), %xmm10 - movdqu 112(%r8, %rax), %xmm0 - movdqu %xmm3, (%rsi, %rax) - movdqu %xmm4, 16(%rsi, %rax) - movdqu %xmm5, 32(%rsi, %rax) - movdqu %xmm6, 48(%rsi, %rax) - movdqu %xmm7, 64(%rsi, %rax) - movdqu %xmm8, 80(%rsi, %rax) - movdqu %xmm9, 96(%rsi, %rax) - movdqu %xmm10, 112(%rsi, %rax) -// addq $8*16, %rax - addq $128, %rax - cmpq %r11, %rax - jbe 2b -1: cmpq %rax, %r9 - je 5f - - movdqu 16(%rdi), %xmm3 - movdqu 
32(%rdi), %xmm4 - movdqu 48(%rdi), %xmm5 - movdqu 64(%rdi), %xmm6 - movdqu 80(%rdi), %xmm7 - movdqu 96(%rdi), %xmm8 - movdqu 112(%rdi), %xmm9 - movdqu 128(%rdi), %xmm10 - movdqu 144(%rdi), %xmm11 - -4: movdqu (%r8, %rax), %xmm1 - movdqa %xmm1, %xmm13 - pxor %xmm12, %xmm1 - .byte 0x66,0x41,0x0f,0x38,0xde,0xcb /* aesdec %xmm11, %xmm1 */ - .byte 0x66,0x41,0x0f,0x38,0xde,0xca /* aesdec %xmm10, %xmm1 */ - .byte 0x66,0x41,0x0f,0x38,0xde,0xc9 /* aesdec %xmm9, %xmm1 */ - .byte 0x66,0x41,0x0f,0x38,0xde,0xc8 /* aesdec %xmm8, %xmm1 */ - .byte 0x66,0x0f,0x38,0xde,0xcf /* aesdec %xmm7, %xmm1 */ - .byte 0x66,0x0f,0x38,0xde,0xce /* aesdec %xmm6, %xmm1 */ - .byte 0x66,0x0f,0x38,0xde,0xcd /* aesdec %xmm5, %xmm1 */ - .byte 0x66,0x0f,0x38,0xde,0xcc /* aesdec %xmm4, %xmm1 */ - .byte 0x66,0x0f,0x38,0xde,0xcb /* aesdec %xmm3, %xmm1 */ - .byte 0x66,0x0f,0x38,0xdf,0xca /* aesdeclast %xmm2, %xmm1 */ - pxor %xmm0, %xmm1 - movdqu %xmm1, (%rsi, %rax) - movdqa %xmm13, %xmm0 - addq $16, %rax - cmpq %rax, %r9 - jne 4b - -5: movdqu %xmm0, (%rdx) - - xor %eax, %eax - ret - .size intel_aes_decrypt_cbc_128, .-intel_aes_decrypt_cbc_128 - - -/* in %rdi : the key - in %rsi : buffer for expanded key -*/ - .type intel_aes_encrypt_init_192,@function - .globl intel_aes_encrypt_init_192 - .align 16 -intel_aes_encrypt_init_192: - movdqu (%rdi), %xmm1 - movq 16(%rdi), %xmm3 - movdqu %xmm1, (%rsi) - movq %xmm3, 16(%rsi) - leaq 24(%rsi), %rsi - - .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x01 /* aeskeygenassist $0x01, %xmm3, %xmm2 */ - call key_expansion192 - .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x02 /* aeskeygenassist $0x02, %xmm3, %xmm2 */ - call key_expansion192 - .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x04 /* aeskeygenassist $0x04, %xmm3, %xmm2 */ - call key_expansion192 - .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x08 /* aeskeygenassist $0x08, %xmm3, %xmm2 */ - call key_expansion192 - .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x10 /* aeskeygenassist $0x10, %xmm3, %xmm2 */ - call key_expansion192 - .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x20 /* aeskeygenassist 
$0x20, %xmm3, %xmm2 */
- call key_expansion192
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x40 /* aeskeygenassist $0x40, %xmm3, %xmm2 */
- call key_expansion192
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x80 /* aeskeygenassist $0x80, %xmm3, %xmm2 */
- call key_expansion192
-
- ret
- .size intel_aes_encrypt_init_192, .-intel_aes_encrypt_init_192
-
-
-/* in %rdi : the key
- in %rsi : buffer for expanded key
-*/
- .type intel_aes_decrypt_init_192,@function
- .globl intel_aes_decrypt_init_192
- .align 16
-intel_aes_decrypt_init_192:
- movdqu (%rdi), %xmm1
- movq 16(%rdi), %xmm3
- movdqu %xmm1, (%rsi)
- movq %xmm3, 16(%rsi)
- leaq 24(%rsi), %rsi
-
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x01 /* aeskeygenassist $0x01, %xmm3, %xmm2 */
- call key_expansion192
- movups -32(%rsi), %xmm2
- movups -16(%rsi), %xmm4
- .byte 0x66,0x0f,0x38,0xdb,0xd2 /* aesimc %xmm2, %xmm2 */
- .byte 0x66,0x0f,0x38,0xdb,0xe4 /* aesimc %xmm4, %xmm4 */
- movups %xmm2, -32(%rsi)
- movups %xmm4, -16(%rsi)
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x02 /* aeskeygenassist $0x02, %xmm3, %xmm2 */
- call key_expansion192
- .byte 0x66,0x0f,0x38,0xdb,0xd1 /* aesimc %xmm1, %xmm2 */
- movups %xmm2, -24(%rsi)
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x04 /* aeskeygenassist $0x04, %xmm3, %xmm2 */
- call key_expansion192
- movups -32(%rsi), %xmm2
- movups -16(%rsi), %xmm4
- .byte 0x66,0x0f,0x38,0xdb,0xd2 /* aesimc %xmm2, %xmm2 */
- .byte 0x66,0x0f,0x38,0xdb,0xe4 /* aesimc %xmm4, %xmm4 */
- movups %xmm2, -32(%rsi)
- movups %xmm4, -16(%rsi)
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x08 /* aeskeygenassist $0x08, %xmm3, %xmm2 */
- call key_expansion192
- .byte 0x66,0x0f,0x38,0xdb,0xd1 /* aesimc %xmm1, %xmm2 */
- movups %xmm2, -24(%rsi)
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x10 /* aeskeygenassist $0x10, %xmm3, %xmm2 */
- call key_expansion192
- movups -32(%rsi), %xmm2
- movups -16(%rsi), %xmm4
- .byte 0x66,0x0f,0x38,0xdb,0xd2 /* aesimc %xmm2, %xmm2 */
- .byte 0x66,0x0f,0x38,0xdb,0xe4 /* aesimc %xmm4, %xmm4 */
- movups %xmm2, -32(%rsi)
- movups %xmm4, -16(%rsi)
- .byte
0x66,0x0f,0x3a,0xdf,0xd3,0x20 /* aeskeygenassist $0x20, %xmm3, %xmm2 */
- call key_expansion192
- .byte 0x66,0x0f,0x38,0xdb,0xd1 /* aesimc %xmm1, %xmm2 */
- movups %xmm2, -24(%rsi)
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x40 /* aeskeygenassist $0x40, %xmm3, %xmm2 */
- call key_expansion192
- movups -32(%rsi), %xmm2
- movups -16(%rsi), %xmm4
- .byte 0x66,0x0f,0x38,0xdb,0xd2 /* aesimc %xmm2, %xmm2 */
- .byte 0x66,0x0f,0x38,0xdb,0xe4 /* aesimc %xmm4, %xmm4 */
- movups %xmm2, -32(%rsi)
- movups %xmm4, -16(%rsi)
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x80 /* aeskeygenassist $0x80, %xmm3, %xmm2 */
- call key_expansion192
-
- ret
- .size intel_aes_decrypt_init_192, .-intel_aes_decrypt_init_192
-
-
- .type key_expansion192,@function
- .align 16
-key_expansion192:
- pshufd $0x55, %xmm2, %xmm2
- xor %eax, %eax
- movd %eax, %xmm4
- shufps $0x10, %xmm1, %xmm4
- pxor %xmm4, %xmm1
- shufps $0x8c, %xmm1, %xmm4
- pxor %xmm2, %xmm1
- pxor %xmm4, %xmm1
- movdqu %xmm1, (%rsi)
- addq $16, %rsi
-
- pshufd $0xff, %xmm1, %xmm4
- movd %eax, %xmm5
- shufps $0x00, %xmm3, %xmm5
- shufps $0x08, %xmm3, %xmm5
- pxor %xmm4, %xmm3
- pxor %xmm5, %xmm3
- movq %xmm3, (%rsi)
- addq $8, %rsi
- ret
- .size key_expansion192, .-key_expansion192
-
-
-/* in %rdi : cx - context
- in %rsi : output - pointer to output buffer
- in %rdx : outputLen - pointer to variable for length of output
- (filled by caller)
- in %rcx : maxOutputLen - length of output buffer
- in %r8 : input - pointer to input buffer
- in %r9 : inputLen - length of input buffer
- on stack: blocksize - AES blocksize (always 16, unused)
-*/
- .type intel_aes_encrypt_ecb_192,@function
- .globl intel_aes_encrypt_ecb_192
- .align 16
-intel_aes_encrypt_ecb_192:
-// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
- leaq 48(%rdi), %rdi
-
- movdqu (%rdi), %xmm2
- movdqu 192(%rdi), %xmm14
- xorl %eax, %eax
-// cmpq $8*16, %r9
- cmpq $128, %r9
- jb 1f
-// leaq -8*16(%r9), %r11
- leaq -128(%r9), %r11
-2: movdqu (%r8, %rax), %xmm3
- movdqu 16(%r8, %rax), %xmm4
- movdqu 32(%r8,
%rax), %xmm5
- movdqu 48(%r8, %rax), %xmm6
- movdqu 64(%r8, %rax), %xmm7
- movdqu 80(%r8, %rax), %xmm8
- movdqu 96(%r8, %rax), %xmm9
- movdqu 112(%r8, %rax), %xmm10
- pxor %xmm2, %xmm3
- pxor %xmm2, %xmm4
- pxor %xmm2, %xmm5
- pxor %xmm2, %xmm6
- pxor %xmm2, %xmm7
- pxor %xmm2, %xmm8
- pxor %xmm2, %xmm9
- pxor %xmm2, %xmm10
- movq $16, %r10
-3: movdqu (%rdi, %r10), %xmm1
- .byte 0x66,0x0f,0x38,0xdc,0xd9 /* aesenc %xmm1, %xmm3 */
- .byte 0x66,0x0f,0x38,0xdc,0xe1 /* aesenc %xmm1, %xmm4 */
- .byte 0x66,0x0f,0x38,0xdc,0xe9 /* aesenc %xmm1, %xmm5 */
- .byte 0x66,0x0f,0x38,0xdc,0xf1 /* aesenc %xmm1, %xmm6 */
- .byte 0x66,0x0f,0x38,0xdc,0xf9 /* aesenc %xmm1, %xmm7 */
- .byte 0x66,0x44,0x0f,0x38,0xdc,0xc1 /* aesenc %xmm1, %xmm8 */
- .byte 0x66,0x44,0x0f,0x38,0xdc,0xc9 /* aesenc %xmm1, %xmm9 */
- .byte 0x66,0x44,0x0f,0x38,0xdc,0xd1 /* aesenc %xmm1, %xmm10 */
- addq $16, %r10
- cmpq $192, %r10
- jne 3b
- .byte 0x66,0x41,0x0f,0x38,0xdd,0xde /* aesenclast %xmm14, %xmm3 */
- .byte 0x66,0x41,0x0f,0x38,0xdd,0xe6 /* aesenclast %xmm14, %xmm4 */
- .byte 0x66,0x41,0x0f,0x38,0xdd,0xee /* aesenclast %xmm14, %xmm5 */
- .byte 0x66,0x41,0x0f,0x38,0xdd,0xf6 /* aesenclast %xmm14, %xmm7 */
- .byte 0x66,0x41,0x0f,0x38,0xdd,0xfe /* aesenclast %xmm14, %xmm3 */
- .byte 0x66,0x45,0x0f,0x38,0xdd,0xc6 /* aesenclast %xmm14, %xmm8 */
- .byte 0x66,0x45,0x0f,0x38,0xdd,0xce /* aesenclast %xmm14, %xmm9 */
- .byte 0x66,0x45,0x0f,0x38,0xdd,0xd6 /* aesenclast %xmm14, %xmm10 */
- movdqu %xmm3, (%rsi, %rax)
- movdqu %xmm4, 16(%rsi, %rax)
- movdqu %xmm5, 32(%rsi, %rax)
- movdqu %xmm6, 48(%rsi, %rax)
- movdqu %xmm7, 64(%rsi, %rax)
- movdqu %xmm8, 80(%rsi, %rax)
- movdqu %xmm9, 96(%rsi, %rax)
- movdqu %xmm10, 112(%rsi, %rax)
-// addq $8*16, %rax
- addq $128, %rax
- cmpq %r11, %rax
- jbe 2b
-1: cmpq %rax, %r9
- je 5f
-
- movdqu 16(%rdi), %xmm3
- movdqu 32(%rdi), %xmm4
- movdqu 48(%rdi), %xmm5
- movdqu 64(%rdi), %xmm6
- movdqu 80(%rdi), %xmm7
- movdqu 96(%rdi), %xmm8
- movdqu 112(%rdi), %xmm9
- movdqu 128(%rdi),
%xmm10
- movdqu 144(%rdi), %xmm11
- movdqu 160(%rdi), %xmm12
- movdqu 176(%rdi), %xmm13
-
-4: movdqu (%r8, %rax), %xmm1
- pxor %xmm2, %xmm1
- .byte 0x66,0x0f,0x38,0xdc,0xcb /* aesenc %xmm3, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xcc /* aesenc %xmm4, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xcd /* aesenc %xmm5, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xce /* aesenc %xmm6, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xcf /* aesenc %xmm7, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xc8 /* aesenc %xmm8, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xc9 /* aesenc %xmm9, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xca /* aesenc %xmm10, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xcb /* aesenc %xmm11, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xcc /* aesenc %xmm12, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xcd /* aesenc %xmm13, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdd,0xce /* aesenclast %xmm14, %xmm1 */
- movdqu %xmm1, (%rsi, %rax)
- addq $16, %rax
- cmpq %rax, %r9
- jne 4b
-
-5: xor %eax, %eax
- ret
- .size intel_aes_encrypt_ecb_192, .-intel_aes_encrypt_ecb_192
-
-
-/* in %rdi : cx - context
- in %rsi : output - pointer to output buffer
- in %rdx : outputLen - pointer to variable for length of output
- (filled by caller)
- in %rcx : maxOutputLen - length of output buffer
- in %r8 : input - pointer to input buffer
- in %r9 : inputLen - length of input buffer
- on stack: blocksize - AES blocksize (always 16, unused)
-*/
- .type intel_aes_decrypt_ecb_192,@function
- .globl intel_aes_decrypt_ecb_192
- .align 16
-intel_aes_decrypt_ecb_192:
-// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
- leaq 48(%rdi), %rdi
-
- movdqu (%rdi), %xmm2
- movdqu 192(%rdi), %xmm14
- xorl %eax, %eax
-// cmpq $8*16, %r9
- cmpq $128, %r9
- jb 1f
-// leaq -8*16(%r9), %r11
- leaq -128(%r9), %r11
-2: movdqu (%r8, %rax), %xmm3
- movdqu 16(%r8, %rax), %xmm4
- movdqu 32(%r8, %rax), %xmm5
- movdqu 48(%r8, %rax), %xmm6
- movdqu 64(%r8, %rax), %xmm7
- movdqu 80(%r8, %rax), %xmm8
- movdqu 96(%r8, %rax), %xmm9
- movdqu 112(%r8, %rax),
%xmm10
- pxor %xmm14, %xmm3
- pxor %xmm14, %xmm4
- pxor %xmm14, %xmm5
- pxor %xmm14, %xmm6
- pxor %xmm14, %xmm7
- pxor %xmm14, %xmm8
- pxor %xmm14, %xmm9
- pxor %xmm14, %xmm10
- movq $176, %r10
-3: movdqu (%rdi, %r10), %xmm1
- .byte 0x66,0x0f,0x38,0xde,0xd9 /* aesdec %xmm1, %xmm3 */
- .byte 0x66,0x0f,0x38,0xde,0xe1 /* aesdec %xmm1, %xmm4 */
- .byte 0x66,0x0f,0x38,0xde,0xe9 /* aesdec %xmm1, %xmm5 */
- .byte 0x66,0x0f,0x38,0xde,0xf1 /* aesdec %xmm1, %xmm6 */
- .byte 0x66,0x0f,0x38,0xde,0xf9 /* aesdec %xmm1, %xmm7 */
- .byte 0x66,0x44,0x0f,0x38,0xde,0xc1 /* aesdec %xmm1, %xmm8 */
- .byte 0x66,0x44,0x0f,0x38,0xde,0xc9 /* aesdec %xmm1, %xmm9 */
- .byte 0x66,0x44,0x0f,0x38,0xde,0xd1 /* aesdec %xmm1, %xmm10 */
- subq $16, %r10
- jne 3b
- .byte 0x66,0x0f,0x38,0xdf,0xda /* aesdeclast %xmm2, %xmm3 */
- .byte 0x66,0x0f,0x38,0xdf,0xe2 /* aesdeclast %xmm2, %xmm4 */
- .byte 0x66,0x0f,0x38,0xdf,0xea /* aesdeclast %xmm2, %xmm5 */
- .byte 0x66,0x0f,0x38,0xdf,0xf2 /* aesdeclast %xmm2, %xmm6 */
- .byte 0x66,0x0f,0x38,0xdf,0xfa /* aesdeclast %xmm2, %xmm7 */
- .byte 0x66,0x44,0x0f,0x38,0xdf,0xc2 /* aesdeclast %xmm2, %xmm8 */
- .byte 0x66,0x44,0x0f,0x38,0xdf,0xca /* aesdeclast %xmm2, %xmm9 */
- .byte 0x66,0x44,0x0f,0x38,0xdf,0xd2 /* aesdeclast %xmm2, %xmm10 */
- movdqu %xmm3, (%rsi, %rax)
- movdqu %xmm4, 16(%rsi, %rax)
- movdqu %xmm5, 32(%rsi, %rax)
- movdqu %xmm6, 48(%rsi, %rax)
- movdqu %xmm7, 64(%rsi, %rax)
- movdqu %xmm8, 80(%rsi, %rax)
- movdqu %xmm9, 96(%rsi, %rax)
- movdqu %xmm10, 112(%rsi, %rax)
-// addq $8*16, %rax
- addq $128, %rax
- cmpq %r11, %rax
- jbe 2b
-1: cmpq %rax, %r9
- je 5f
-
- movdqu 16(%rdi), %xmm3
- movdqu 32(%rdi), %xmm4
- movdqu 48(%rdi), %xmm5
- movdqu 64(%rdi), %xmm6
- movdqu 80(%rdi), %xmm7
- movdqu 96(%rdi), %xmm8
- movdqu 112(%rdi), %xmm9
- movdqu 128(%rdi), %xmm10
- movdqu 144(%rdi), %xmm11
- movdqu 160(%rdi), %xmm12
- movdqu 176(%rdi), %xmm13
-
-4: movdqu (%r8, %rax), %xmm1
- pxor %xmm14, %xmm1
- .byte 0x66,0x41,0x0f,0x38,0xde,0xcd /* aesdec %xmm13,
%xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xde,0xcc /* aesdec %xmm12, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xde,0xcb /* aesdec %xmm11, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xde,0xca /* aesdec %xmm10, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xde,0xc9 /* aesdec %xmm9, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xde,0xc8 /* aesdec %xmm8, %xmm1 */
- .byte 0x66,0x0f,0x38,0xde,0xcf /* aesdec %xmm7, %xmm1 */
- .byte 0x66,0x0f,0x38,0xde,0xce /* aesdec %xmm6, %xmm1 */
- .byte 0x66,0x0f,0x38,0xde,0xcd /* aesdec %xmm5, %xmm1 */
- .byte 0x66,0x0f,0x38,0xde,0xcc /* aesdec %xmm4, %xmm1 */
- .byte 0x66,0x0f,0x38,0xde,0xcb /* aesdec %xmm3, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdf,0xca /* aesdeclast %xmm2, %xmm1 */
- movdqu %xmm1, (%rsi, %rax)
- addq $16, %rax
- cmpq %rax, %r9
- jne 4b
-
-5: xor %eax, %eax
- ret
- .size intel_aes_decrypt_ecb_192, .-intel_aes_decrypt_ecb_192
-
-
-/* in %rdi : cx - context
- in %rsi : output - pointer to output buffer
- in %rdx : outputLen - pointer to variable for length of output
- (filled by caller)
- in %rcx : maxOutputLen - length of output buffer
- in %r8 : input - pointer to input buffer
- in %r9 : inputLen - length of input buffer
- on stack: blocksize - AES blocksize (always 16, unused)
-*/
- .type intel_aes_encrypt_cbc_192,@function
- .globl intel_aes_encrypt_cbc_192
- .align 16
-intel_aes_encrypt_cbc_192:
- testq %r9, %r9
- je 2f
-
-// leaq IV_OFFSET(%rdi), %rdx
-// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
- leaq 16(%rdi), %rdx
- leaq 48(%rdi), %rdi
-
- movdqu (%rdx), %xmm0
- movdqu (%rdi), %xmm2
- movdqu 16(%rdi), %xmm3
- movdqu 32(%rdi), %xmm4
- movdqu 48(%rdi), %xmm5
- movdqu 64(%rdi), %xmm6
- movdqu 80(%rdi), %xmm7
- movdqu 96(%rdi), %xmm8
- movdqu 112(%rdi), %xmm9
- movdqu 128(%rdi), %xmm10
- movdqu 144(%rdi), %xmm11
- movdqu 160(%rdi), %xmm12
- movdqu 176(%rdi), %xmm13
- movdqu 192(%rdi), %xmm14
-
- xorl %eax, %eax
-1: movdqu (%r8, %rax), %xmm1
- pxor %xmm0, %xmm1
- pxor %xmm2, %xmm1
- .byte 0x66,0x0f,0x38,0xdc,0xcb /* aesenc %xmm3, %xmm1 */
- .byte
0x66,0x0f,0x38,0xdc,0xcc /* aesenc %xmm4, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xcd /* aesenc %xmm5, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xce /* aesenc %xmm6, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xcf /* aesenc %xmm7, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xc8 /* aesenc %xmm8, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xc9 /* aesenc %xmm9, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xca /* aesenc %xmm10, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xcb /* aesenc %xmm11, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xcc /* aesenc %xmm12, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xcd /* aesenc %xmm13, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdd,0xce /* aesenclast %xmm14, %xmm1 */
- movdqu %xmm1, (%rsi, %rax)
- movdqa %xmm1, %xmm0
- addq $16, %rax
- cmpq %rax, %r9
- jne 1b
-
- movdqu %xmm0, (%rdx)
-
-2: xor %eax, %eax
- ret
- .size intel_aes_encrypt_cbc_192, .-intel_aes_encrypt_cbc_192
-
-
-/* in %rdi : cx - context
- in %rsi : output - pointer to output buffer
- in %rdx : outputLen - pointer to variable for length of output
- (filled by caller)
- in %rcx : maxOutputLen - length of output buffer
- in %r8 : input - pointer to input buffer
- in %r9 : inputLen - length of input buffer
- on stack: blocksize - AES blocksize (always 16, unused)
-*/
- .type intel_aes_decrypt_cbc_192,@function
- .globl intel_aes_decrypt_cbc_192
- .align 16
-intel_aes_decrypt_cbc_192:
-// leaq IV_OFFSET(%rdi), %rdx
-// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
- leaq 16(%rdi), %rdx
- leaq 48(%rdi), %rdi
-
- movdqu (%rdx), %xmm0
- movdqu (%rdi), %xmm2
- movdqu 192(%rdi), %xmm14
- xorl %eax, %eax
-// cmpq $8*16, %r9
- cmpq $128, %r9
- jb 1f
-// leaq -8*16(%r9), %r11
- leaq -128(%r9), %r11
-2: movdqu (%r8, %rax), %xmm3
- movdqu 16(%r8, %rax), %xmm4
- movdqu 32(%r8, %rax), %xmm5
- movdqu 48(%r8, %rax), %xmm6
- movdqu 64(%r8, %rax), %xmm7
- movdqu 80(%r8, %rax), %xmm8
- movdqu 96(%r8, %rax), %xmm9
- movdqu 112(%r8, %rax), %xmm10
- pxor %xmm14, %xmm3
- pxor %xmm14, %xmm4
- pxor %xmm14, %xmm5
- pxor %xmm14,
%xmm6
- pxor %xmm14, %xmm7
- pxor %xmm14, %xmm8
- pxor %xmm14, %xmm9
- pxor %xmm14, %xmm10
- movq $176, %r10
-3: movdqu (%rdi, %r10), %xmm1
- .byte 0x66,0x0f,0x38,0xde,0xd9 /* aesdec %xmm1, %xmm3 */
- .byte 0x66,0x0f,0x38,0xde,0xe1 /* aesdec %xmm1, %xmm4 */
- .byte 0x66,0x0f,0x38,0xde,0xe9 /* aesdec %xmm1, %xmm5 */
- .byte 0x66,0x0f,0x38,0xde,0xf1 /* aesdec %xmm1, %xmm6 */
- .byte 0x66,0x0f,0x38,0xde,0xf9 /* aesdec %xmm1, %xmm7 */
- .byte 0x66,0x44,0x0f,0x38,0xde,0xc1 /* aesdec %xmm1, %xmm8 */
- .byte 0x66,0x44,0x0f,0x38,0xde,0xc9 /* aesdec %xmm1, %xmm9 */
- .byte 0x66,0x44,0x0f,0x38,0xde,0xd1 /* aesdec %xmm1, %xmm10 */
- subq $16, %r10
- jne 3b
- .byte 0x66,0x0f,0x38,0xdf,0xda /* aesdeclast %xmm2, %xmm3 */
- .byte 0x66,0x0f,0x38,0xdf,0xe2 /* aesdeclast %xmm2, %xmm4 */
- .byte 0x66,0x0f,0x38,0xdf,0xea /* aesdeclast %xmm2, %xmm5 */
- .byte 0x66,0x0f,0x38,0xdf,0xf2 /* aesdeclast %xmm2, %xmm6 */
- .byte 0x66,0x0f,0x38,0xdf,0xfa /* aesdeclast %xmm2, %xmm7 */
- .byte 0x66,0x44,0x0f,0x38,0xdf,0xc2 /* aesdeclast %xmm2, %xmm8 */
- .byte 0x66,0x44,0x0f,0x38,0xdf,0xca /* aesdeclast %xmm2, %xmm9 */
- .byte 0x66,0x44,0x0f,0x38,0xdf,0xd2 /* aesdeclast %xmm2, %xmm10 */
- pxor %xmm0, %xmm3
- pxor (%r8, %rax), %xmm4
- pxor 16(%r8, %rax), %xmm5
- pxor 32(%r8, %rax), %xmm6
- pxor 48(%r8, %rax), %xmm7
- pxor 64(%r8, %rax), %xmm8
- pxor 80(%r8, %rax), %xmm9
- pxor 96(%r8, %rax), %xmm10
- movdqu 112(%r8, %rax), %xmm0
- movdqu %xmm3, (%rsi, %rax)
- movdqu %xmm4, 16(%rsi, %rax)
- movdqu %xmm5, 32(%rsi, %rax)
- movdqu %xmm6, 48(%rsi, %rax)
- movdqu %xmm7, 64(%rsi, %rax)
- movdqu %xmm8, 80(%rsi, %rax)
- movdqu %xmm9, 96(%rsi, %rax)
- movdqu %xmm10, 112(%rsi, %rax)
-// addq $8*16, %rax
- addq $128, %rax
- cmpq %r11, %rax
- jbe 2b
-1: cmpq %rax, %r9
- je 5f
-
- movdqu 16(%rdi), %xmm3
- movdqu 32(%rdi), %xmm4
- movdqu 48(%rdi), %xmm5
- movdqu 64(%rdi), %xmm6
- movdqu 80(%rdi), %xmm7
- movdqu 96(%rdi), %xmm8
- movdqu 112(%rdi), %xmm9
- movdqu 128(%rdi), %xmm10
- movdqu 144(%rdi), %xmm11
-
movdqu 160(%rdi), %xmm12
- movdqu 176(%rdi), %xmm13
-
-4: movdqu (%r8, %rax), %xmm1
- movdqa %xmm1, %xmm15
- pxor %xmm14, %xmm1
- .byte 0x66,0x41,0x0f,0x38,0xde,0xcd /* aesdec %xmm13, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xde,0xcc /* aesdec %xmm12, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xde,0xcb /* aesdec %xmm11, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xde,0xca /* aesdec %xmm10, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xde,0xc9 /* aesdec %xmm9, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xde,0xc8 /* aesdec %xmm8, %xmm1 */
- .byte 0x66,0x0f,0x38,0xde,0xcf /* aesdec %xmm7, %xmm1 */
- .byte 0x66,0x0f,0x38,0xde,0xce /* aesdec %xmm6, %xmm1 */
- .byte 0x66,0x0f,0x38,0xde,0xcd /* aesdec %xmm5, %xmm1 */
- .byte 0x66,0x0f,0x38,0xde,0xcc /* aesdec %xmm4, %xmm1 */
- .byte 0x66,0x0f,0x38,0xde,0xcb /* aesdec %xmm3, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdf,0xca /* aesdeclast %xmm2, %xmm1 */
- pxor %xmm0, %xmm1
- movdqu %xmm1, (%rsi, %rax)
- movdqa %xmm15, %xmm0
- addq $16, %rax
- cmpq %rax, %r9
- jne 4b
-
-5: movdqu %xmm0, (%rdx)
-
- xor %eax, %eax
- ret
- .size intel_aes_decrypt_cbc_192, .-intel_aes_decrypt_cbc_192
-
-
-/* in %rdi : the key
- in %rsi : buffer for expanded key
-*/
- .type intel_aes_encrypt_init_256,@function
- .globl intel_aes_encrypt_init_256
- .align 16
-intel_aes_encrypt_init_256:
- movdqu (%rdi), %xmm1
- movdqu 16(%rdi), %xmm3
- movdqu %xmm1, (%rsi)
- movdqu %xmm3, 16(%rsi)
- leaq 32(%rsi), %rsi
- xor %eax, %eax
-
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x01 /* aeskeygenassist $0x01, %xmm3, %xmm2 */
- call key_expansion256
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x02 /* aeskeygenassist $0x02, %xmm3, %xmm2 */
- call key_expansion256
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x04 /* aeskeygenassist $0x04, %xmm3, %xmm2 */
- call key_expansion256
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x08 /* aeskeygenassist $0x08, %xmm3, %xmm2 */
- call key_expansion256
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x10 /* aeskeygenassist $0x10, %xmm3, %xmm2 */
- call key_expansion256
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x20 /*
aeskeygenassist $0x20, %xmm3, %xmm2 */
- call key_expansion256
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x40 /* aeskeygenassist $0x40, %xmm3, %xmm2 */
- call key_expansion256
-
- ret
- .size intel_aes_encrypt_init_256, .-intel_aes_encrypt_init_256
-
-
-/* in %rdi : the key
- in %rsi : buffer for expanded key
-*/
- .type intel_aes_decrypt_init_256,@function
- .globl intel_aes_decrypt_init_256
- .align 16
-intel_aes_decrypt_init_256:
- movdqu (%rdi), %xmm1
- movdqu 16(%rdi), %xmm3
- movdqu %xmm1, (%rsi)
- .byte 0x66,0x0f,0x38,0xdb,0xe3 /* aesimc %xmm3, %xmm4 */
- movdqu %xmm4, 16(%rsi)
- leaq 32(%rsi), %rsi
- xor %eax, %eax
-
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x01 /* aeskeygenassist $0x01, %xmm3, %xmm2 */
- call key_expansion256
- .byte 0x66,0x0f,0x38,0xdb,0xe1 /* aesimc %xmm1, %xmm4 */
- .byte 0x66,0x0f,0x38,0xdb,0xeb /* aesimc %xmm3, %xmm5 */
- movdqu %xmm4, -32(%rsi)
- movdqu %xmm5, -16(%rsi)
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x02 /* aeskeygenassist $0x02, %xmm3, %xmm2 */
- call key_expansion256
- .byte 0x66,0x0f,0x38,0xdb,0xe1 /* aesimc %xmm1, %xmm4 */
- .byte 0x66,0x0f,0x38,0xdb,0xeb /* aesimc %xmm3, %xmm5 */
- movdqu %xmm4, -32(%rsi)
- movdqu %xmm5, -16(%rsi)
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x04 /* aeskeygenassist $0x04, %xmm3, %xmm2 */
- call key_expansion256
- .byte 0x66,0x0f,0x38,0xdb,0xe1 /* aesimc %xmm1, %xmm4 */
- .byte 0x66,0x0f,0x38,0xdb,0xeb /* aesimc %xmm3, %xmm5 */
- movdqu %xmm4, -32(%rsi)
- movdqu %xmm5, -16(%rsi)
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x08 /* aeskeygenassist $0x08, %xmm3, %xmm2 */
- call key_expansion256
- .byte 0x66,0x0f,0x38,0xdb,0xe1 /* aesimc %xmm1, %xmm4 */
- .byte 0x66,0x0f,0x38,0xdb,0xeb /* aesimc %xmm3, %xmm5 */
- movdqu %xmm4, -32(%rsi)
- movdqu %xmm5, -16(%rsi)
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x10 /* aeskeygenassist $0x10, %xmm3, %xmm2 */
- call key_expansion256
- .byte 0x66,0x0f,0x38,0xdb,0xe1 /* aesimc %xmm1, %xmm4 */
- .byte 0x66,0x0f,0x38,0xdb,0xeb /* aesimc %xmm3, %xmm5 */
- movdqu %xmm4, -32(%rsi)
- movdqu %xmm5, -16(%rsi)
-
.byte 0x66,0x0f,0x3a,0xdf,0xd3,0x20 /* aeskeygenassist $0x20, %xmm3, %xmm2 */
- call key_expansion256
- .byte 0x66,0x0f,0x38,0xdb,0xe1 /* aesimc %xmm1, %xmm4 */
- .byte 0x66,0x0f,0x38,0xdb,0xeb /* aesimc %xmm3, %xmm5 */
- movdqu %xmm4, -32(%rsi)
- movdqu %xmm5, -16(%rsi)
- .byte 0x66,0x0f,0x3a,0xdf,0xd3,0x40 /* aeskeygenassist $0x40, %xmm3, %xmm2 */
- call key_expansion256
-
- ret
- .size intel_aes_decrypt_init_256, .-intel_aes_decrypt_init_256
-
-
- .type key_expansion256,@function
- .align 16
-key_expansion256:
- movd %eax, %xmm6
- pshufd $0xff, %xmm2, %xmm2
- shufps $0x10, %xmm1, %xmm6
- pxor %xmm6, %xmm1
- shufps $0x8c, %xmm1, %xmm6
- pxor %xmm2, %xmm1
- pxor %xmm6, %xmm1
- movdqu %xmm1, (%rsi)
- addq $16, %rsi
- .byte 0x66,0x0f,0x3a,0xdf,0xe1,0x00 /* aeskeygenassist $0, %xmm1, %xmm4 */
-
- pshufd $0xaa, %xmm4, %xmm4
- shufps $0x10, %xmm3, %xmm6
- pxor %xmm6, %xmm3
- shufps $0x8c, %xmm3, %xmm6
- pxor %xmm4, %xmm3
- pxor %xmm6, %xmm3
- movdqu %xmm3, (%rsi)
- addq $16, %rsi
- ret
- .size key_expansion256, .-key_expansion256
-
-
-/* in %rdi : cx - context
- in %rsi : output - pointer to output buffer
- in %rdx : outputLen - pointer to variable for length of output
- (filled by caller)
- in %rcx : maxOutputLen - length of output buffer
- in %r8 : input - pointer to input buffer
- in %r9 : inputLen - length of input buffer
- on stack: blocksize - AES blocksize (always 16, unused)
-*/
- .type intel_aes_encrypt_ecb_256,@function
- .globl intel_aes_encrypt_ecb_256
- .align 16
-intel_aes_encrypt_ecb_256:
-// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
- leaq 48(%rdi), %rdi
-
- movdqu (%rdi), %xmm2
- movdqu 224(%rdi), %xmm15
- xorl %eax, %eax
-// cmpq $8*16, %r9
- cmpq $128, %r9
- jb 1f
-// leaq -8*16(%r9), %r11
- leaq -128(%r9), %r11
-2: movdqu (%r8, %rax), %xmm3
- movdqu 16(%r8, %rax), %xmm4
- movdqu 32(%r8, %rax), %xmm5
- movdqu 48(%r8, %rax), %xmm6
- movdqu 64(%r8, %rax), %xmm7
- movdqu 80(%r8, %rax), %xmm8
- movdqu 96(%r8, %rax), %xmm9
- movdqu 112(%r8, %rax), %xmm10
-
pxor %xmm2, %xmm3
- pxor %xmm2, %xmm4
- pxor %xmm2, %xmm5
- pxor %xmm2, %xmm6
- pxor %xmm2, %xmm7
- pxor %xmm2, %xmm8
- pxor %xmm2, %xmm9
- pxor %xmm2, %xmm10
- movq $16, %r10
-3: movdqu (%rdi, %r10), %xmm1
- .byte 0x66,0x0f,0x38,0xdc,0xd9 /* aesenc %xmm1, %xmm3 */
- .byte 0x66,0x0f,0x38,0xdc,0xe1 /* aesenc %xmm1, %xmm4 */
- .byte 0x66,0x0f,0x38,0xdc,0xe9 /* aesenc %xmm1, %xmm5 */
- .byte 0x66,0x0f,0x38,0xdc,0xf1 /* aesenc %xmm1, %xmm6 */
- .byte 0x66,0x0f,0x38,0xdc,0xf9 /* aesenc %xmm1, %xmm7 */
- .byte 0x66,0x44,0x0f,0x38,0xdc,0xc1 /* aesenc %xmm1, %xmm8 */
- .byte 0x66,0x44,0x0f,0x38,0xdc,0xc9 /* aesenc %xmm1, %xmm9 */
- .byte 0x66,0x44,0x0f,0x38,0xdc,0xd1 /* aesenc %xmm1, %xmm10 */
- addq $16, %r10
- cmpq $224, %r10
- jne 3b
- .byte 0x66,0x41,0x0f,0x38,0xdd,0xdf /* aesenclast %xmm15, %xmm3 */
- .byte 0x66,0x41,0x0f,0x38,0xdd,0xe7 /* aesenclast %xmm15, %xmm4 */
- .byte 0x66,0x41,0x0f,0x38,0xdd,0xef /* aesenclast %xmm15, %xmm5 */
- .byte 0x66,0x41,0x0f,0x38,0xdd,0xf7 /* aesenclast %xmm15, %xmm6 */
- .byte 0x66,0x41,0x0f,0x38,0xdd,0xff /* aesenclast %xmm15, %xmm7 */
- .byte 0x66,0x45,0x0f,0x38,0xdd,0xc7 /* aesenclast %xmm15, %xmm8 */
- .byte 0x66,0x45,0x0f,0x38,0xdd,0xcf /* aesenclast %xmm15, %xmm9 */
- .byte 0x66,0x45,0x0f,0x38,0xdd,0xd7 /* aesenclast %xmm15, %xmm10 */
- movdqu %xmm3, (%rsi, %rax)
- movdqu %xmm4, 16(%rsi, %rax)
- movdqu %xmm5, 32(%rsi, %rax)
- movdqu %xmm6, 48(%rsi, %rax)
- movdqu %xmm7, 64(%rsi, %rax)
- movdqu %xmm8, 80(%rsi, %rax)
- movdqu %xmm9, 96(%rsi, %rax)
- movdqu %xmm10, 112(%rsi, %rax)
-// addq $8*16, %rax
- addq $128, %rax
- cmpq %r11, %rax
- jbe 2b
-1: cmpq %rax, %r9
- je 5f
-
- movdqu 16(%rdi), %xmm2
- movdqu 32(%rdi), %xmm3
- movdqu 48(%rdi), %xmm4
- movdqu 64(%rdi), %xmm5
- movdqu 80(%rdi), %xmm6
- movdqu 96(%rdi), %xmm7
- movdqu 112(%rdi), %xmm8
- movdqu 128(%rdi), %xmm9
- movdqu 144(%rdi), %xmm10
- movdqu 160(%rdi), %xmm11
- movdqu 176(%rdi), %xmm12
- movdqu 192(%rdi), %xmm13
- movdqu 208(%rdi), %xmm14
-
-4: movdqu (%r8, %rax),
%xmm1
- pxor (%rdi), %xmm1
- .byte 0x66,0x0f,0x38,0xdc,0xca /* aesenc %xmm2, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xcb /* aesenc %xmm3, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xcc /* aesenc %xmm4, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xcd /* aesenc %xmm5, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xce /* aesenc %xmm6, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xcf /* aesenc %xmm7, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xc8 /* aesenc %xmm8, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xc9 /* aesenc %xmm9, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xca /* aesenc %xmm10, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xcb /* aesenc %xmm11, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xcc /* aesenc %xmm12, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xcd /* aesenc %xmm13, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xce /* aesenc %xmm14, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdd,0xcf /* aesenclast %xmm15, %xmm1 */
- movdqu %xmm1, (%rsi, %rax)
- addq $16, %rax
- cmpq %rax, %r9
- jne 4b
-
-5: xor %eax, %eax
- ret
- .size intel_aes_encrypt_ecb_256, .-intel_aes_encrypt_ecb_256
-
-
-/* in %rdi : cx - context
- in %rsi : output - pointer to output buffer
- in %rdx : outputLen - pointer to variable for length of output
- (filled by caller)
- in %rcx : maxOutputLen - length of output buffer
- in %r8 : input - pointer to input buffer
- in %r9 : inputLen - length of input buffer
- on stack: blocksize - AES blocksize (always 16, unused)
-*/
- .type intel_aes_decrypt_ecb_256,@function
- .globl intel_aes_decrypt_ecb_256
- .align 16
-intel_aes_decrypt_ecb_256:
-// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
- leaq 48(%rdi), %rdi
-
- movdqu (%rdi), %xmm2
- movdqu 224(%rdi), %xmm15
- xorl %eax, %eax
-// cmpq $8*16, %r9
- cmpq $128, %r9
- jb 1f
-// leaq -8*16(%r9), %r11
- leaq -128(%r9), %r11
-2: movdqu (%r8, %rax), %xmm3
- movdqu 16(%r8, %rax), %xmm4
- movdqu 32(%r8, %rax), %xmm5
- movdqu 48(%r8, %rax), %xmm6
- movdqu 64(%r8, %rax), %xmm7
- movdqu 80(%r8, %rax), %xmm8
- movdqu 96(%r8, %rax), %xmm9
- movdqu
112(%r8, %rax), %xmm10
- pxor %xmm15, %xmm3
- pxor %xmm15, %xmm4
- pxor %xmm15, %xmm5
- pxor %xmm15, %xmm6
- pxor %xmm15, %xmm7
- pxor %xmm15, %xmm8
- pxor %xmm15, %xmm9
- pxor %xmm15, %xmm10
- movq $208, %r10
-3: movdqu (%rdi, %r10), %xmm1
- .byte 0x66,0x0f,0x38,0xde,0xd9 /* aesdec %xmm1, %xmm3 */
- .byte 0x66,0x0f,0x38,0xde,0xe1 /* aesdec %xmm1, %xmm4 */
- .byte 0x66,0x0f,0x38,0xde,0xe9 /* aesdec %xmm1, %xmm5 */
- .byte 0x66,0x0f,0x38,0xde,0xf1 /* aesdec %xmm1, %xmm6 */
- .byte 0x66,0x0f,0x38,0xde,0xf9 /* aesdec %xmm1, %xmm7 */
- .byte 0x66,0x44,0x0f,0x38,0xde,0xc1 /* aesdec %xmm1, %xmm8 */
- .byte 0x66,0x44,0x0f,0x38,0xde,0xc9 /* aesdec %xmm1, %xmm9 */
- .byte 0x66,0x44,0x0f,0x38,0xde,0xd1 /* aesdec %xmm1, %xmm10 */
- subq $16, %r10
- jne 3b
- .byte 0x66,0x0f,0x38,0xdf,0xda /* aesdeclast %xmm2, %xmm3 */
- .byte 0x66,0x0f,0x38,0xdf,0xe2 /* aesdeclast %xmm2, %xmm4 */
- .byte 0x66,0x0f,0x38,0xdf,0xea /* aesdeclast %xmm2, %xmm5 */
- .byte 0x66,0x0f,0x38,0xdf,0xf2 /* aesdeclast %xmm2, %xmm6 */
- .byte 0x66,0x0f,0x38,0xdf,0xfa /* aesdeclast %xmm2, %xmm7 */
- .byte 0x66,0x44,0x0f,0x38,0xdf,0xc2 /* aesdeclast %xmm2, %xmm8 */
- .byte 0x66,0x44,0x0f,0x38,0xdf,0xca /* aesdeclast %xmm2, %xmm9 */
- .byte 0x66,0x44,0x0f,0x38,0xdf,0xd2 /* aesdeclast %xmm2, %xmm10 */
- movdqu %xmm3, (%rsi, %rax)
- movdqu %xmm4, 16(%rsi, %rax)
- movdqu %xmm5, 32(%rsi, %rax)
- movdqu %xmm6, 48(%rsi, %rax)
- movdqu %xmm7, 64(%rsi, %rax)
- movdqu %xmm8, 80(%rsi, %rax)
- movdqu %xmm9, 96(%rsi, %rax)
- movdqu %xmm10, 112(%rsi, %rax)
-// addq $8*16, %rax
- addq $128, %rax
- cmpq %r11, %rax
- jbe 2b
-1: cmpq %rax, %r9
- je 5f
-
- movdqu 16(%rdi), %xmm2
- movdqu 32(%rdi), %xmm3
- movdqu 48(%rdi), %xmm4
- movdqu 64(%rdi), %xmm5
- movdqu 80(%rdi), %xmm6
- movdqu 96(%rdi), %xmm7
- movdqu 112(%rdi), %xmm8
- movdqu 128(%rdi), %xmm9
- movdqu 144(%rdi), %xmm10
- movdqu 160(%rdi), %xmm11
- movdqu 176(%rdi), %xmm12
- movdqu 192(%rdi), %xmm13
- movdqu 208(%rdi), %xmm14
-
-4: movdqu (%r8, %rax), %xmm1
- pxor
%xmm15, %xmm1
- .byte 0x66,0x41,0x0f,0x38,0xde,0xce /* aesdec %xmm14, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xde,0xcd /* aesdec %xmm13, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xde,0xcc /* aesdec %xmm12, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xde,0xcb /* aesdec %xmm11, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xde,0xca /* aesdec %xmm10, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xde,0xc9 /* aesdec %xmm9, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xde,0xc8 /* aesdec %xmm8, %xmm1 */
- .byte 0x66,0x0f,0x38,0xde,0xcf /* aesdec %xmm7, %xmm1 */
- .byte 0x66,0x0f,0x38,0xde,0xce /* aesdec %xmm6, %xmm1 */
- .byte 0x66,0x0f,0x38,0xde,0xcd /* aesdec %xmm5, %xmm1 */
- .byte 0x66,0x0f,0x38,0xde,0xcc /* aesdec %xmm4, %xmm1 */
- .byte 0x66,0x0f,0x38,0xde,0xcb /* aesdec %xmm3, %xmm1 */
- .byte 0x66,0x0f,0x38,0xde,0xca /* aesdec %xmm2, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdf,0x0f /* aesdeclast (%rdi), %xmm1 */
- movdqu %xmm1, (%rsi, %rax)
- addq $16, %rax
- cmpq %rax, %r9
- jne 4b
-
-5: xor %eax, %eax
- ret
- .size intel_aes_decrypt_ecb_256, .-intel_aes_decrypt_ecb_256
-
-
-/* in %rdi : cx - context
- in %rsi : output - pointer to output buffer
- in %rdx : outputLen - pointer to variable for length of output
- (filled by caller)
- in %rcx : maxOutputLen - length of output buffer
- in %r8 : input - pointer to input buffer
- in %r9 : inputLen - length of input buffer
- on stack: blocksize - AES blocksize (always 16, unused)
-*/
- .type intel_aes_encrypt_cbc_256,@function
- .globl intel_aes_encrypt_cbc_256
- .align 16
-intel_aes_encrypt_cbc_256:
- testq %r9, %r9
- je 2f
-
-// leaq IV_OFFSET(%rdi), %rdx
-// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
- leaq 16(%rdi), %rdx
- leaq 48(%rdi), %rdi
-
- movdqu (%rdx), %xmm0
- movdqu 16(%rdi), %xmm2
- movdqu 32(%rdi), %xmm3
- movdqu 48(%rdi), %xmm4
- movdqu 64(%rdi), %xmm5
- movdqu 80(%rdi), %xmm6
- movdqu 96(%rdi), %xmm7
- movdqu 112(%rdi), %xmm8
- movdqu 128(%rdi), %xmm9
- movdqu 144(%rdi), %xmm10
- movdqu 160(%rdi), %xmm11
- movdqu 176(%rdi), %xmm12
- movdqu
192(%rdi), %xmm13
- movdqu 208(%rdi), %xmm14
- movdqu 224(%rdi), %xmm15
-
- xorl %eax, %eax
-1: movdqu (%r8, %rax), %xmm1
- pxor %xmm0, %xmm1
- pxor (%rdi), %xmm1
- .byte 0x66,0x0f,0x38,0xdc,0xca /* aesenc %xmm2, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xcb /* aesenc %xmm3, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xcc /* aesenc %xmm4, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xcd /* aesenc %xmm5, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xce /* aesenc %xmm6, %xmm1 */
- .byte 0x66,0x0f,0x38,0xdc,0xcf /* aesenc %xmm7, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xc8 /* aesenc %xmm8, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xc9 /* aesenc %xmm9, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xca /* aesenc %xmm10, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xcb /* aesenc %xmm11, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xcc /* aesenc %xmm12, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xcd /* aesenc %xmm13, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdc,0xce /* aesenc %xmm14, %xmm1 */
- .byte 0x66,0x41,0x0f,0x38,0xdd,0xcf /* aesenclast %xmm15, %xmm1 */
- movdqu %xmm1, (%rsi, %rax)
- movdqa %xmm1, %xmm0
- addq $16, %rax
- cmpq %rax, %r9
- jne 1b
-
- movdqu %xmm0, (%rdx)
-
-2: xor %eax, %eax
- ret
- .size intel_aes_encrypt_cbc_256, .-intel_aes_encrypt_cbc_256
-
-
-/* in %rdi : cx - context
- in %rsi : output - pointer to output buffer
- in %rdx : outputLen - pointer to variable for length of output
- (filled by caller)
- in %rcx : maxOutputLen - length of output buffer
- in %r8 : input - pointer to input buffer
- in %r9 : inputLen - length of input buffer
- on stack: blocksize - AES blocksize (always 16, unused)
-*/
- .type intel_aes_decrypt_cbc_256,@function
- .globl intel_aes_decrypt_cbc_256
- .align 16
-intel_aes_decrypt_cbc_256:
-// leaq IV_OFFSET(%rdi), %rdx
-// leaq EXPANDED_KEY_OFFSET(%rdi), %rdi
- leaq 16(%rdi), %rdx
- leaq 48(%rdi), %rdi
-
- movdqu (%rdx), %xmm0
- movdqu (%rdi), %xmm2
- movdqu 224(%rdi), %xmm15
- xorl %eax, %eax
-// cmpq $8*16, %r9
- cmpq $128, %r9
- jb 1f
-// leaq
-8*16(%r9), %r11
- leaq -128(%r9), %r11
-2: movdqu (%r8, %rax), %xmm3
- movdqu 16(%r8, %rax), %xmm4
- movdqu 32(%r8, %rax), %xmm5
- movdqu 48(%r8, %rax), %xmm6
- movdqu 64(%r8, %rax), %xmm7
- movdqu 80(%r8, %rax), %xmm8
- movdqu 96(%r8, %rax), %xmm9
- movdqu 112(%r8, %rax), %xmm10
- pxor %xmm15, %xmm3
- pxor %xmm15, %xmm4
- pxor %xmm15, %xmm5
- pxor %xmm15, %xmm6
- pxor %xmm15, %xmm7
- pxor %xmm15, %xmm8
- pxor %xmm15, %xmm9
- pxor %xmm15, %xmm10
- movq $208, %r10
-3: movdqu (%rdi, %r10), %xmm1
- .byte 0x66,0x0f,0x38,0xde,0xd9 /* aesdec %xmm1, %xmm3 */
- .byte 0x66,0x0f,0x38,0xde,0xe1 /* aesdec %xmm1, %xmm4 */
- .byte 0x66,0x0f,0x38,0xde,0xe9 /* aesdec %xmm1, %xmm5 */
- .byte 0x66,0x0f,0x38,0xde,0xf1 /* aesdec %xmm1, %xmm6 */
- .byte 0x66,0x0f,0x38,0xde,0xf9 /* aesdec %xmm1, %xmm7 */
- .byte 0x66,0x44,0x0f,0x38,0xde,0xc1 /* aesdec %xmm1, %xmm8 */
- .byte 0x66,0x44,0x0f,0x38,0xde,0xc9 /* aesdec %xmm1, %xmm9 */
- .byte 0x66,0x44,0x0f,0x38,0xde,0xd1 /* aesdec %xmm1, %xmm10 */
- subq $16, %r10
- jne 3b
- .byte 0x66,0x0f,0x38,0xdf,0xda /* aesdeclast %xmm2, %xmm3 */
- .byte 0x66,0x0f,0x38,0xdf,0xe2 /* aesdeclast %xmm2, %xmm4 */
- .byte 0x66,0x0f,0x38,0xdf,0xea /* aesdeclast %xmm2, %xmm5 */
- .byte 0x66,0x0f,0x38,0xdf,0xf2 /* aesdeclast %xmm2, %xmm6 */
- .byte 0x66,0x0f,0x38,0xdf,0xfa /* aesdeclast %xmm2, %xmm7 */
- .byte 0x66,0x44,0x0f,0x38,0xdf,0xc2 /* aesdeclast %xmm2, %xmm8 */
- .byte 0x66,0x44,0x0f,0x38,0xdf,0xca /* aesdeclast %xmm2, %xmm9 */
- .byte 0x66,0x44,0x0f,0x38,0xdf,0xd2 /* aesdeclast %xmm2, %xmm10 */
- pxor %xmm0, %xmm3