author | Wan-Teh Chang <wtc@google.com> |
Tue, 28 Jul 2009 17:01:39 -0700 | |
changeset 30806 | aa1d4674a5ccd7ed64565fe2e24da3f0b8c69de8 |
parent 30805 | 26a7e8eca2514d68256e4b6ce12a9f71acaeae32 |
child 30807 | 37403bc90c4ab0c88ee3f9a8b95aeb8f5ca0ae6f |
push id | unknown |
push user | unknown |
push date | unknown |
bugs | 504080 |
milestone | 1.9.2a1pre |
--- a/dbm/include/mcom_db.h +++ b/dbm/include/mcom_db.h @@ -387,21 +387,18 @@ typedef struct { } #define P_16_COPY(a, b) { \ ((char *)&(b))[0] = ((char *)&(a))[1]; \ ((char *)&(b))[1] = ((char *)&(a))[0]; \ } #endif PR_BEGIN_EXTERN_C -#if defined(__WATCOMC__) || defined(__WATCOM_CPLUSPLUS__) + extern DB * -#else -PR_EXTERN(DB *) -#endif dbopen (const char *, int, int, DBTYPE, const void *); /* set or unset a global lock flag to disable the * opening of any DBM file */ void dbSetOrClearDBLock(DBLockFlagEnum type); #ifdef __DBINTERFACE_PRIVATE
--- a/dbm/src/db.c +++ b/dbm/src/db.c @@ -59,21 +59,17 @@ void dbSetOrClearDBLock(DBLockFlagEnum type) { if(type == LockOutDatabase) all_databases_locked_closed = 1; else all_databases_locked_closed = 0; } -#if defined(__WATCOMC__) || defined(__WATCOM_CPLUSPLUS__) DB * -#else -PR_IMPLEMENT(DB *) -#endif dbopen(const char *fname, int flags,int mode, DBTYPE type, const void *openinfo) { /* lock out all file databases. Let in-memory databases through */ if(all_databases_locked_closed && fname) { errno = EINVAL;
--- a/dbm/src/hash.c +++ b/dbm/src/hash.c @@ -334,17 +334,17 @@ init_hash(HTAB *hashp, const char *file, memset(hashp->SPARES, 0, sizeof(hashp->SPARES)); memset(hashp->BITMAPS, 0, sizeof (hashp->BITMAPS)); /* Fix bucket size to be optimal for file system */ if (file != NULL) { if (stat(file, &statbuf)) return (NULL); -#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(VMS) && !defined(XP_OS2) +#if !defined(_WIN32) && !defined(_WINDOWS) && !defined(macintosh) && !defined(XP_OS2) #if defined(__QNX__) && !defined(__QNXNTO__) hashp->BSIZE = 512; /* preferred blk size on qnx4 */ #else hashp->BSIZE = statbuf.st_blksize; #endif /* new code added by Lou to reduce block * size down below MAX_BSIZE
--- a/dbm/src/mktemp.c +++ b/dbm/src/mktemp.c @@ -73,21 +73,23 @@ mkstemp(char *path) int mkstempflags(char *path, int extraFlags) { int fd; return (_gettemp(path, &fd, extraFlags) ? fd : -1); } +#ifdef WINCE /* otherwise, use the one in libc */ char * mktemp(char *path) { return(_gettemp(path, (int *)NULL, 0) ? path : (char *)NULL); } +#endif /* NB: This routine modifies its input string, and does not always restore it. ** returns 1 on success, 0 on failure. */ static int _gettemp(char *path, register int *doopen, int extraFlags) { #if !defined(_WINDOWS) || defined(_WIN32)
--- a/security/coreconf/HP-UX.mk +++ b/security/coreconf/HP-UX.mk @@ -71,23 +71,23 @@ ifeq ($(DEFAULT_IMPL_STRATEGY),_PTH) endif ifdef PTHREADS_USER OS_CFLAGS += -D_POSIX_C_SOURCE=199506L endif LDFLAGS = -z -Wl,+s -MKSHLIB = $(LD) $(DSO_LDOPTS) +MKSHLIB = $(LD) $(DSO_LDOPTS) $(RPATH) ifdef MAPFILE MKSHLIB += -c $(MAPFILE) endif PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \ sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,+e ,' > $@ DSO_LDOPTS = -b +h $(notdir $@) -ifeq ($(OS_TEST),ia64) - DSO_LDOPTS += +b '$$ORIGIN' +ifeq ($(USE_64), 1) +RPATH = +b '$$ORIGIN' endif DSO_LDFLAGS = # +Z generates position independent code for use in shared libraries. DSO_CFLAGS = +Z
--- a/security/coreconf/Linux.mk +++ b/security/coreconf/Linux.mk @@ -47,109 +47,75 @@ ifeq ($(USE_PTHREADS),1) endif CC = gcc CCC = g++ RANLIB = ranlib DEFAULT_COMPILER = gcc -ifeq ($(OS_TEST),m68k) - OS_REL_CFLAGS = -DLINUX1_2 -D_XOPEN_SOURCE - CPU_ARCH = m68k -else ifeq ($(OS_TEST),ppc64) OS_REL_CFLAGS = -DLINUX1_2 -D_XOPEN_SOURCE CPU_ARCH = ppc ifeq ($(USE_64),1) ARCHFLAG = -m64 endif else -ifeq ($(OS_TEST),ppc) - OS_REL_CFLAGS = -DLINUX1_2 -D_XOPEN_SOURCE - CPU_ARCH = ppc -else ifeq ($(OS_TEST),alpha) OS_REL_CFLAGS = -D_ALPHA_ -DLINUX1_2 -D_XOPEN_SOURCE CPU_ARCH = alpha else -ifeq ($(OS_TEST),ia64) - OS_REL_CFLAGS = -DLINUX1_2 -D_XOPEN_SOURCE - CPU_ARCH = ia64 -else ifeq ($(OS_TEST),x86_64) ifeq ($(USE_64),1) OS_REL_CFLAGS = -DLINUX1_2 -D_XOPEN_SOURCE CPU_ARCH = x86_64 else OS_REL_CFLAGS = -DLINUX1_2 -Di386 -D_XOPEN_SOURCE CPU_ARCH = x86 ARCHFLAG = -m32 endif else -ifeq ($(OS_TEST),sparc) - OS_REL_CFLAGS = -DLINUX1_2 -D_XOPEN_SOURCE - CPU_ARCH = sparc -else ifeq ($(OS_TEST),sparc64) OS_REL_CFLAGS = -DLINUX1_2 -D_XOPEN_SOURCE CPU_ARCH = sparc else ifeq (,$(filter-out arm% sa110,$(OS_TEST))) OS_REL_CFLAGS = -DLINUX1_2 -D_XOPEN_SOURCE CPU_ARCH = arm else -ifeq ($(OS_TEST),parisc) - OS_REL_CFLAGS = -DLINUX1_2 -D_XOPEN_SOURCE - CPU_ARCH = hppa -else -ifeq ($(OS_TEST),parisc64) +ifeq (,$(filter-out parisc%,$(OS_TEST))) OS_REL_CFLAGS = -DLINUX1_2 -D_XOPEN_SOURCE CPU_ARCH = hppa else -ifeq ($(OS_TEST),s390) - OS_REL_CFLAGS = -DLINUX1_2 -D_XOPEN_SOURCE - CPU_ARCH = s390 -else -ifeq ($(OS_TEST),s390x) - OS_REL_CFLAGS = -DLINUX1_2 -D_XOPEN_SOURCE - CPU_ARCH = s390x -else -ifeq ($(OS_TEST),mips) - OS_REL_CFLAGS = -DLINUX1_2 -D_XOPEN_SOURCE - CPU_ARCH = mips -else ifeq (,$(filter-out i%86,$(OS_TEST))) OS_REL_CFLAGS = -DLINUX1_2 -Di386 -D_XOPEN_SOURCE CPU_ARCH = x86 else +ifeq ($(OS_TEST),sh4a) + OS_REL_CFLAGS = -DLINUX1_2 -D_XOPEN_SOURCE + CPU_ARCH = sh4 +else +# $(OS_TEST) == m68k, ppc, ia64, sparc, s390, s390x, mips, sh3, sh4 OS_REL_CFLAGS = -DLINUX1_2 -D_XOPEN_SOURCE CPU_ARCH = $(OS_TEST) endif endif endif endif endif endif endif endif -endif -endif -endif -endif -endif -endif -endif LIBC_TAG = _glibc ifeq ($(OS_RELEASE),2.0) OS_REL_CFLAGS += -DLINUX2_0 - MKSHLIB = $(CC) -shared -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) + MKSHLIB = $(CC) -shared -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH) ifdef MAPFILE MKSHLIB += -Wl,--version-script,$(MAPFILE) endif PROCESS_MAP_FILE = grep -v ';-' $< | \ sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@ endif ifdef BUILD_OPT @@ -177,14 +143,25 @@ DSO_CFLAGS = -fPIC DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,-z,defs DSO_LDFLAGS = LDFLAGS += $(ARCHFLAG) # INCLUDES += -I/usr/include -Y/usr/include/linux G++INCLUDES = -I/usr/include/g++ # -# Always set CPU_TAG on Linux, OpenVMS, WINCE. +# Always set CPU_TAG on Linux, WINCE. # CPU_TAG = _$(CPU_ARCH) USE_SYSTEM_ZLIB = 1 ZLIB_LIBS = -lz + +# The -rpath '$$ORIGIN' linker option instructs this library to search for its +# dependencies in the same directory where it resides. +ifeq ($(BUILD_SUN_PKG), 1) +ifeq ($(USE_64), 1) +RPATH = -Wl,-rpath,'$$ORIGIN:/opt/sun/private/lib64:/opt/sun/private/lib' +else +RPATH = -Wl,-rpath,'$$ORIGIN:/opt/sun/private/lib' +endif +endif +
--- a/security/coreconf/Linux2.1.mk +++ b/security/coreconf/Linux2.1.mk @@ -33,16 +33,16 @@ # the provisions above, a recipient may use your version of this file under # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** include $(CORE_DEPTH)/coreconf/Linux.mk ifeq ($(OS_RELEASE),2.1) OS_REL_CFLAGS += -DLINUX2_1 - MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) + MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH) ifdef MAPFILE MKSHLIB += -Wl,--version-script,$(MAPFILE) endif PROCESS_MAP_FILE = grep -v ';-' $< | \ sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@ endif
--- a/security/coreconf/Linux2.2.mk +++ b/security/coreconf/Linux2.2.mk @@ -33,16 +33,16 @@ # the provisions above, a recipient may use your version of this file under # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** include $(CORE_DEPTH)/coreconf/Linux.mk OS_REL_CFLAGS += -DLINUX2_1 -MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) +MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH) ifdef MAPFILE MKSHLIB += -Wl,--version-script,$(MAPFILE) endif PROCESS_MAP_FILE = grep -v ';-' $< | \ sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
--- a/security/coreconf/Linux2.4.mk +++ b/security/coreconf/Linux2.4.mk @@ -33,16 +33,16 @@ # the provisions above, a recipient may use your version of this file under # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** include $(CORE_DEPTH)/coreconf/Linux.mk OS_REL_CFLAGS += -DLINUX2_1 -MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) +MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH) ifdef MAPFILE MKSHLIB += -Wl,--version-script,$(MAPFILE) endif PROCESS_MAP_FILE = grep -v ';-' $< | \ sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
--- a/security/coreconf/Linux2.5.mk +++ b/security/coreconf/Linux2.5.mk @@ -33,16 +33,16 @@ # the provisions above, a recipient may use your version of this file under # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** include $(CORE_DEPTH)/coreconf/Linux.mk OS_REL_CFLAGS += -DLINUX2_1 -MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) +MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH) ifdef MAPFILE MKSHLIB += -Wl,--version-script,$(MAPFILE) endif PROCESS_MAP_FILE = grep -v ';-' $< | \ sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
--- a/security/coreconf/Linux2.6.mk +++ b/security/coreconf/Linux2.6.mk @@ -33,16 +33,16 @@ # the provisions above, a recipient may use your version of this file under # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** include $(CORE_DEPTH)/coreconf/Linux.mk OS_REL_CFLAGS += -DLINUX2_1 -MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) +MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH) ifdef MAPFILE MKSHLIB += -Wl,--version-script,$(MAPFILE) endif PROCESS_MAP_FILE = grep -v ';-' $< | \ sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
--- a/security/coreconf/OS2.mk +++ b/security/coreconf/OS2.mk @@ -92,17 +92,17 @@ PROCESS_MAP_FILE = \ echo DATA PRELOAD MOVEABLE MULTIPLE NONSHARED >> $@; \ echo EXPORTS >> $@; \ grep -v ';+' $< | grep -v ';-' | \ sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,\([\t ]*\),\1_,' | \ awk 'BEGIN {ord=1;} { print($$0 " @" ord " RESIDENTNAME"); ord++;}' >> $@ endif #NO_SHARED_LIB -OS_CFLAGS = -Wall -W -Wno-unused -Wpointer-arith -Wcast-align -Wno-switch -Zomf -DDEBUG -DTRACING -g +OS_CFLAGS = -Wall -Wno-unused -Wpointer-arith -Wcast-align -Wno-switch -Zomf -DDEBUG -DTRACING -g ifdef BUILD_OPT ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE)) OPTIMIZER += -Os -s else OPTIMIZER += -O2 -s endif DEFINES += -UDEBUG -U_DEBUG -DNDEBUG
deleted file mode 100755 --- a/security/coreconf/OpenVMS.mk +++ /dev/null @@ -1,75 +0,0 @@ -# -# ***** BEGIN LICENSE BLOCK ***** -# Version: MPL 1.1/GPL 2.0/LGPL 2.1 -# -# The contents of this file are subject to the Mozilla Public License Version -# 1.1 (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# http://www.mozilla.org/MPL/ -# -# Software distributed under the License is distributed on an "AS IS" basis, -# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -# for the specific language governing rights and limitations under the -# License. -# -# The Original Code is mozilla.org Code. -# -# The Initial Developer of the Original Code is -# Netscape Communications Corporation. -# Portions created by the Initial Developer are Copyright (C) 1998 -# the Initial Developer. All Rights Reserved. -# -# Contributor(s): -# -# Alternatively, the contents of this file may be used under the terms of -# either the GNU General Public License Version 2 or later (the "GPL"), or -# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -# in which case the provisions of the GPL or the LGPL are applicable instead -# of those above. If you wish to allow use of your version of this file only -# under the terms of either the GPL or the LGPL, and not to allow others to -# use your version of this file under the terms of the MPL, indicate your -# decision by deleting the provisions above and replace them with the notice -# and other provisions required by the GPL or the LGPL. If you do not delete -# the provisions above, a recipient may use your version of this file under -# the terms of any one of the MPL, the GPL or the LGPL. -# -# ***** END LICENSE BLOCK ***** - -# -# Config stuff for Compaq OpenVMS -# - -include $(CORE_DEPTH)/coreconf/UNIX.mk - -CC = cc -CCC = cxx - -RANLIB = /gnu/bin/true - -CPU_ARCH := $(shell uname -Wh) - -OS_CFLAGS = -DVMS -OS_CXXFLAGS = -DVMS - -# -# XCFLAGS are the only CFLAGS that are used during a link operation. Defining -# OPTIMIZER in XCFLAGS means that each compilation line gets OPTIMIZER -# included twice, but at least we get OPTIMIZER included in the link -# operations; and OpenVMS needs it! -# -XCFLAGS += $(OPTIMIZER) - -DSO_LDOPTS = -shared -auto_symvec -MKSHLIB = $(CC) $(OPTIMIZER) $(LDFLAGS) $(DSO_LDOPTS) - -ifdef MAPFILE -# Add LD options to restrict exported symbols to those in the map file -endif -# Change PROCESS to put the mapfile in the correct format for this platform -PROCESS_MAP_FILE = cp $< $@ - - -# -# Always set CPU_TAG on Linux, OpenVMS, WINCE. -# -CPU_TAG = _$(CPU_ARCH)
deleted file mode 100755 --- a/security/coreconf/OpenVMSV7.1-2.mk +++ /dev/null @@ -1,42 +0,0 @@ -# -# ***** BEGIN LICENSE BLOCK ***** -# Version: MPL 1.1/GPL 2.0/LGPL 2.1 -# -# The contents of this file are subject to the Mozilla Public License Version -# 1.1 (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# http://www.mozilla.org/MPL/ -# -# Software distributed under the License is distributed on an "AS IS" basis, -# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -# for the specific language governing rights and limitations under the -# License. -# -# The Original Code is mozilla.org Code. -# -# The Initial Developer of the Original Code is -# Netscape Communications Corporation. -# Portions created by the Initial Developer are Copyright (C) 1998 -# the Initial Developer. All Rights Reserved. -# -# Contributor(s): -# -# Alternatively, the contents of this file may be used under the terms of -# either the GNU General Public License Version 2 or later (the "GPL"), or -# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -# in which case the provisions of the GPL or the LGPL are applicable instead -# of those above. If you wish to allow use of your version of this file only -# under the terms of either the GPL or the LGPL, and not to allow others to -# use your version of this file under the terms of the MPL, indicate your -# decision by deleting the provisions above and replace them with the notice -# and other provisions required by the GPL or the LGPL. If you do not delete -# the provisions above, a recipient may use your version of this file under -# the terms of any one of the MPL, the GPL or the LGPL. -# -# ***** END LICENSE BLOCK ***** - -# -# Config stuff for Compaq OpenVMS -# - -include $(CORE_DEPTH)/coreconf/OpenVMS.mk
--- a/security/coreconf/SunOS5.mk +++ b/security/coreconf/SunOS5.mk @@ -108,17 +108,17 @@ INCLUDES += -I/usr/dt/include -I/usr/o RANLIB = echo CPU_ARCH = sparc OS_DEFINES += -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT # Purify doesn't like -MDupdate NOMD_OS_CFLAGS += $(DSO_CFLAGS) $(OS_DEFINES) $(SOL_CFLAGS) -MKSHLIB = $(CC) $(DSO_LDOPTS) +MKSHLIB = $(CC) $(DSO_LDOPTS) $(RPATH) ifdef NS_USE_GCC ifeq (GNU,$(findstring GNU,$(shell `$(CC) -print-prog-name=ld` -v 2>&1))) GCC_USE_GNU_LD = 1 endif endif ifdef MAPFILE ifdef NS_USE_GCC ifdef GCC_USE_GNU_LD @@ -161,8 +161,20 @@ DSO_LDOPTS += -z combreloc -z defs -z ig ifdef NS_USE_GCC DSO_CFLAGS += -fPIC else DSO_CFLAGS += -KPIC endif NOSUCHFILE = /solaris-rm-f-sucks +ifeq ($(BUILD_SUN_PKG), 1) +# The -R '$ORIGIN' linker option instructs this library to search for its +# dependencies in the same directory where it resides. +ifeq ($(USE_64), 1) +RPATH = -R '$$ORIGIN:/usr/lib/mps/secv1/64:/usr/lib/mps/64' +else +RPATH = -R '$$ORIGIN:/usr/lib/mps/secv1:/usr/lib/mps' +endif +else +RPATH = -R '$$ORIGIN' +endif +
--- a/security/coreconf/WINCE.mk +++ b/security/coreconf/WINCE.mk @@ -78,16 +78,18 @@ MAKE_OBJDIR = mkdir MAKE_OBJDIR += $(OBJDIR) RC = rc.exe GARBAGE += $(OBJDIR)/vc20.pdb $(OBJDIR)/vc40.pdb XP_DEFINE += -DXP_PC LIB_SUFFIX = lib DLL_SUFFIX = dll OS_DLLFLAGS += -DLL +EXTRA_EXE_LD_FLAGS += -ENTRY:mainWCRTStartup + ifdef BUILD_OPT # OS_CFLAGS += -MD OPTIMIZER += -O2 DEFINES += -UDEBUG -U_DEBUG -DNDEBUG DLLFLAGS += -OUT:"$@" else # # Define USE_DEBUG_RTL if you want to use the debug runtime library @@ -201,12 +203,12 @@ endif # override the TARGETS defined in ruleset.mk, adding IMPORT_LIBRARY # ifndef TARGETS TARGETS = $(LIBRARY) $(SHARED_LIBRARY) $(IMPORT_LIBRARY) $(PROGRAM) endif # -# Always set CPU_TAG on Linux, OpenVMS, WINCE. +# Always set CPU_TAG on Linux, WINCE. # CPU_TAG = _$(CPU_ARCH)
--- a/security/coreconf/arch.mk +++ b/security/coreconf/arch.mk @@ -160,21 +160,16 @@ endif # # For OS/2 # ifeq ($(OS_ARCH),OS_2) OS_ARCH = OS2 OS_RELEASE := $(shell uname -v) endif -ifneq (,$(findstring OpenVMS,$(OS_ARCH))) - OS_ARCH = OpenVMS - OS_RELEASE := $(shell uname -v) -endif - ####################################################################### # Master "Core Components" macros for getting the OS target # ####################################################################### # # Note: OS_TARGET should be specified on the command line for gmake. # When OS_TARGET=WIN95 is specified, then a Windows 95 target is built. # The difference between the Win95 target and the WinNT target is that
--- a/security/coreconf/config.mk +++ b/security/coreconf/config.mk @@ -58,17 +58,17 @@ endif # (dependent upon <architecture> tags) # # # # We are moving towards just having a $(OS_TARGET).mk file # # as opposed to multiple $(OS_TARGET)$(OS_RELEASE).mk files, # # one for each OS release. # ####################################################################### TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD \ - OpenVMS AIX RISCOS WINNT WIN95 WINCE + AIX RISCOS WINNT WIN95 WINCE ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET))) include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk else include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk endif #######################################################################
--- a/security/coreconf/coreconf.dep +++ b/security/coreconf/coreconf.dep @@ -39,8 +39,9 @@ * A dummy header file that is a dependency for all the object files. * Used to force a full recompilation of NSS in Mozilla's Tinderbox * depend builds. See comments in rules.mk. */ #error "Do not include this header file." /* NSS 3.12.4 Beta */ +
--- a/security/coreconf/nsinstall/nsinstall.c +++ b/security/coreconf/nsinstall/nsinstall.c @@ -53,17 +53,17 @@ typedef unsigned int mode_t; #include <utime.h> #endif #include <sys/types.h> #include <sys/stat.h> #include "pathsub.h" #define HAVE_LCHOWN -#if defined(AIX) || defined(BSDI) || defined(HPUX) || defined(LINUX) || defined(SUNOS4) || defined(SCO) || defined(UNIXWARE) || defined(VMS) || defined(NTO) || defined(DARWIN) || defined(BEOS) || defined(__riscos__) +#if defined(AIX) || defined(BSDI) || defined(HPUX) || defined(LINUX) || defined(SUNOS4) || defined(SCO) || defined(UNIXWARE) || defined(NTO) || defined(DARWIN) || defined(BEOS) || defined(__riscos__) #undef HAVE_LCHOWN #endif #define HAVE_FCHMOD #if defined(BEOS) #undef HAVE_FCHMOD #endif @@ -402,51 +402,36 @@ retry: if (wc < 0) fail("cannot write to %s", toname); } if (cc < 0) fail("cannot read from %s", name); if (ftruncate(tofd, sb.st_size) < 0) fail("cannot truncate %s", toname); - /* - ** On OpenVMS we can't chmod() until the file is closed, and we - ** have to utime() last since fchown/chmod alter the timestamps. - */ -#ifndef VMS if (dotimes) { utb.actime = sb.st_atime; utb.modtime = sb.st_mtime; if (utime(toname, &utb) < 0) fail("cannot set times of %s", toname); } #ifdef HAVE_FCHMOD if (fchmod(tofd, mode) < 0) #else if (chmod(toname, mode) < 0) #endif fail("cannot change mode of %s", toname); -#endif + if ((owner || group) && fchown(tofd, uid, gid) < 0) fail("cannot change owner of %s", toname); /* Must check for delayed (NFS) write errors on close. */ if (close(tofd) < 0) fail("close reports write error on %s", toname); close(fromfd); -#ifdef VMS - if (chmod(toname, mode) < 0) - fail("cannot change mode of %s", toname); - if (dotimes) { - utb.actime = sb.st_atime; - utb.modtime = sb.st_mtime; - if (utime(toname, &utb) < 0) - fail("cannot set times of %s", toname); - } -#endif } free(toname); } free(cwd); free(todir); return 0;
--- a/security/coreconf/rules.mk +++ b/security/coreconf/rules.mk @@ -268,17 +268,17 @@ endif alltags: rm -f TAGS find . -name dist -prune -o \( -name '*.[hc]' -o -name '*.cp' -o -name '*.cpp' \) -print | xargs etags -a find . -name dist -prune -o \( -name '*.[hc]' -o -name '*.cp' -o -name '*.cpp' \) -print | xargs ctags -a $(PROGRAM): $(OBJS) $(EXTRA_LIBS) @$(MAKE_OBJDIR) ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET))) - $(MKPROG) $(subst /,\\,$(OBJS)) -Fe$@ -link $(LDFLAGS) $(subst /,\\,$(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)) + $(MKPROG) $(subst /,\\,$(OBJS)) -Fe$@ -link $(LDFLAGS) $(subst /,\\,$(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)) $(EXTRA_EXE_LD_FLAGS) ifdef MT if test -f $@.manifest; then \ $(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1; \ rm -f $@.manifest; \ fi endif # MSVC with manifest tool else $(MKPROG) -o $@ $(CFLAGS) $(OBJS) $(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) @@ -368,17 +368,17 @@ endif @$(MAKE_OBJDIR) $(PROCESS_MAP_FILE) $(OBJDIR)/$(PROG_PREFIX)%$(PROG_SUFFIX): $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX) @$(MAKE_OBJDIR) ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET))) $(MKPROG) $< -Fe$@ -link \ - $(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) + $(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(EXTRA_EXE_LD_FLAGS) ifdef MT if test -f $@.manifest; then \ $(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1; \ rm -f $@.manifest; \ fi endif # MSVC with manifest tool else $(MKPROG) -o $@ $(CFLAGS) $< \ @@ -873,17 +873,17 @@ endif ################################################################################ -include $(DEPENDENCIES) -ifneq (,$(filter-out OpenVMS OS2 WIN%,$(OS_TARGET))) +ifneq (,$(filter-out OS2 WIN%,$(OS_TARGET))) # Can't use sed because of its 4000-char line length limit, so resort to perl PERL_DEPENDENCIES_PROGRAM = \ open(MD, "< $(DEPENDENCIES)"); \ while (<MD>) { \ if (m@ \.*/*$< @) { \ $$found = 1; \ last; \ } \
--- a/security/coreconf/ruleset.mk +++ b/security/coreconf/ruleset.mk @@ -205,22 +205,18 @@ ifdef JDIRS ALL_TRASH += $(addprefix $(JAVA_DESTPATH)/,$(JDIRS)) endif else # !JAVA_DESTPATH ALL_TRASH += $(wildcard $(PACKAGE)/*.class) $(JDIRS) endif endif #NS_USE_JDK -# -# If this is an "official" build, try to build everything. -# I.e., don't exit on errors. -# - -ifdef BUILD_OFFICIAL +ifdef NSS_BUILD_CONTINUE_ON_ERROR +# Try to build everything. I.e., don't exit on errors. EXIT_ON_ERROR = +e CLICK_STOPWATCH = date else EXIT_ON_ERROR = -e CLICK_STOPWATCH = true endif ifdef REQUIRES
--- a/security/nss/cmd/bltest/blapitest.c +++ b/security/nss/cmd/bltest/blapitest.c @@ -3241,17 +3241,17 @@ static secuCommandFlag bltest_options[] int main(int argc, char **argv) { char *infileName, *outfileName, *keyfileName, *ivfileName; SECStatus rv = SECFailure; double totalTime; PRIntervalTime time1, time2; - PRFileDesc *outfile; + PRFileDesc *outfile = NULL; bltestCipherInfo *cipherInfoListHead, *cipherInfo; bltestIOMode ioMode; int bufsize, exponent, curThrdNum; #ifdef NSS_ENABLE_ECC char *curveName = NULL; #endif int i, commandsEntered; int inoff, outoff;
--- a/security/nss/cmd/certutil/certext.c +++ b/security/nss/cmd/certutil/certext.c @@ -1725,17 +1725,17 @@ AddExtensions(void *extHandle, const cha rv = AddCrlDistPoint(extHandle); if (rv) { errstring = "CRLDistPoints"; break; } } if (extList[ext_NSCertType].activated) { - rv = AddNscpCertType(extHandle, extList[ext_extKeyUsage].arg); + rv = AddNscpCertType(extHandle, extList[ext_NSCertType].arg); if (rv) { errstring = "NSCertType"; break; } } if (extList[ext_authInfoAcc].activated || extList[ext_subjInfoAcc].activated) {
--- a/security/nss/cmd/certutil/keystuff.c +++ b/security/nss/cmd/certutil/keystuff.c @@ -42,18 +42,20 @@ #if defined(XP_UNIX) #include <unistd.h> #include <sys/time.h> #include <termios.h> #endif #if defined(XP_WIN) || defined (XP_PC) #include <time.h> +#ifndef WINCE #include <conio.h> #endif +#endif #if defined(__sun) && !defined(SVR4) extern int fclose(FILE*); extern int fprintf(FILE *, char *, ...); extern int isatty(int); extern char *sys_errlist[]; #define strerror(errno) sys_errlist[errno] #endif @@ -107,34 +109,32 @@ UpdateRNG(void) FPS "\n"); FPS "Continue typing until the progress meter is full:\n\n"); FPS meter); FPS "\r|"); /* turn off echo on stdin & return on 1 char instead of NL */ fd = fileno(stdin); -#if defined(XP_UNIX) && !defined(VMS) +#if defined(XP_UNIX) tcgetattr(fd, &tio); orig_lflag = tio.c_lflag; orig_cc_min = tio.c_cc[VMIN]; orig_cc_time = tio.c_cc[VTIME]; tio.c_lflag &= ~ECHO; tio.c_lflag &= ~ICANON; tio.c_cc[VMIN] = 1; tio.c_cc[VTIME] = 0; tcsetattr(fd, TCSAFLUSH, &tio); #endif /* Get random noise from keyboard strokes */ count = 0; while (count < sizeof randbuf) { -#ifdef VMS - c = GENERIC_GETCHAR_NOECHO(); -#elif XP_UNIX +#if defined(XP_UNIX) || defined(WINCE) c = getc(stdin); #else c = getch(); #endif if (c == EOF) { rv = -1; break; } @@ -144,30 +144,25 @@ UpdateRNG(void) FPS "*"); } } PK11_RandomUpdate(randbuf, sizeof randbuf); memset(randbuf, 0, sizeof randbuf); FPS "\n\n"); FPS "Finished. Press enter to continue: "); -#if defined(VMS) - while((c = GENERIC_GETCHAR_NO_ECHO()) != '\r' && c != EOF) - ; -#else while ((c = getc(stdin)) != '\n' && c != EOF) ; -#endif if (c == EOF) rv = -1; FPS "\n"); #undef FPS -#if defined(XP_UNIX) && !defined(VMS) +#if defined(XP_UNIX) /* set back termio the way it was */ tio.c_lflag = orig_lflag; tio.c_cc[VMIN] = orig_cc_min; tio.c_cc[VTIME] = orig_cc_time; tcsetattr(fd, TCSAFLUSH, &tio); #endif return rv; }
--- a/security/nss/cmd/fipstest/fipstest.c +++ b/security/nss/cmd/fipstest/fipstest.c @@ -3514,26 +3514,31 @@ hmac_calc(unsigned char *hmac_computed, * * reqfn is the pathname of the input REQUEST file. * * The output RESPONSE file is written to stdout. */ void hmac_test(char *reqfn) { unsigned int i, j; - size_t bufSize = 288; /* MAX buffer size */ + size_t bufSize = 400; /* MAX buffer size */ char *buf = NULL; /* holds one line from the input REQUEST file.*/ unsigned int keyLen; /* Key Length */ - unsigned char key[140]; /* key MAX size = 140 */ + unsigned char key[200]; /* key MAX size = 184 */ unsigned int msgLen = 128; /* the length of the input */ /* Message is always 128 Bytes */ unsigned char *msg = NULL; /* holds the message to digest.*/ unsigned int HMACLen; /* the length of the HMAC Bytes */ + unsigned int TLen; /* the length of the requested */ + /* truncated HMAC Bytes */ unsigned char HMAC[HASH_LENGTH_MAX]; /* computed HMAC */ + unsigned char expectedHMAC[HASH_LENGTH_MAX]; /* for .fax files that have */ + /* supplied known answer */ HASH_HashType hash_alg; /* HMAC type */ + FILE *req = NULL; /* input stream from the REQUEST file */ FILE *resp; /* output stream to the RESPONSE file */ buf = PORT_ZAlloc(bufSize); if (buf == NULL) { goto loser; } @@ -3541,16 +3546,38 @@ void hmac_test(char *reqfn) memset(msg, 0, msgLen); if (msg == NULL) { goto loser; } req = fopen(reqfn, "r"); resp = stdout; while (fgets(buf, bufSize, req) != NULL) { + if (strncmp(buf, "Mac", 3) == 0) { + i = 3; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + memset(expectedHMAC, 0, HASH_LENGTH_MAX); + for (j=0; isxdigit(buf[i]); i+=2,j++) { + hex_to_byteval(&buf[i], &expectedHMAC[j]); + } + if (memcmp(HMAC, expectedHMAC, TLen) != 0) { + fprintf(stderr, "Generate failed:\n"); + fputs( " expected=", stderr); + to_hex_str(buf, expectedHMAC, + TLen); + fputs(buf, stderr); + fputs("\n generated=", stderr); + to_hex_str(buf, HMAC, + TLen); + fputs(buf, stderr); + fputc('\n', stderr); + } + } /* a comment or blank line */ if (buf[0] == '#' || buf[0] == '\n') { fputs(buf, resp); continue; } /* [L = Length of the MAC and HASH_type */ if (buf[0] == '[') { @@ -3578,17 +3605,17 @@ void hmac_test(char *reqfn) } } /* Count = test iteration number*/ if (strncmp(buf, "Count ", 5) == 0) { /* count can just be put into resp file */ fputs(buf, resp); /* zeroize the variables for the test with this data set */ keyLen = 0; - HMACLen = 0; + TLen = 0; memset(key, 0, sizeof key); memset(msg, 0, sizeof msg); memset(HMAC, 0, sizeof HMAC); continue; } /* KLen = Length of the Input Secret Key ... */ if (strncmp(buf, "Klen", 4) == 0) { i = 4; @@ -3611,17 +3638,17 @@ void hmac_test(char *reqfn) fputs(buf, resp); } /* TLen = Length of the calculated HMAC */ if (strncmp(buf, "Tlen", 4) == 0) { i = 4; while (isspace(buf[i]) || buf[i] == '=') { i++; } - HMACLen = atoi(&buf[i]); /* in bytes */ + TLen = atoi(&buf[i]); /* in bytes */ fputs(buf, resp); continue; } /* MSG = to HMAC always 128 bytes for these tests */ if (strncmp(buf, "Msg", 3) == 0) { i = 3; while (isspace(buf[i]) || buf[i] == '=') { i++; @@ -3631,17 +3658,17 @@ void hmac_test(char *reqfn) } fputs(buf, resp); /* calculate the HMAC and output */ if (hmac_calc(HMAC, HMACLen, key, keyLen, msg, msgLen, hash_alg) != SECSuccess) { goto loser; } fputs("MAC = ", resp); - to_hex_str(buf, HMAC, HMACLen); + to_hex_str(buf, HMAC, TLen); fputs(buf, resp); fputc('\n', resp); continue; } } loser: if (req) { fclose(req);
--- a/security/nss/cmd/lib/config.mk +++ b/security/nss/cmd/lib/config.mk @@ -40,8 +40,12 @@ # are specifed as dependencies within rules.mk. # TARGETS = $(LIBRARY) SHARED_LIBRARY = IMPORT_LIBRARY = PROGRAM = +ifeq (WINCE,$(OS_ARCH)) +CSRCS += wincemain.c +endif +
--- a/security/nss/cmd/lib/secpwd.c +++ b/security/nss/cmd/lib/secpwd.c @@ -58,29 +58,29 @@ #define QUIET_FGETS quiet_fgets static char * quiet_fgets (char *buf, int length, FILE *input); #else #define QUIET_FGETS fgets #endif static void echoOff(int fd) { -#if defined(XP_UNIX) && !defined(VMS) +#if defined(XP_UNIX) if (isatty(fd)) { struct termios tio; tcgetattr(fd, &tio); tio.c_lflag &= ~ECHO; tcsetattr(fd, TCSAFLUSH, &tio); } #endif } static void echoOn(int fd) { -#if defined(XP_UNIX) && !defined(VMS) +#if defined(XP_UNIX) if (isatty(fd)) { struct termios tio; tcgetattr(fd, &tio); tio.c_lflag |= ECHO; tcsetattr(fd, TCSAFLUSH, &tio); } #endif }
--- a/security/nss/cmd/lib/secutil.c +++ b/security/nss/cmd/lib/secutil.c @@ -68,21 +68,17 @@ #include "certdb.h" /* #include "secmod.h" */ #include "pk11func.h" #include "secoid.h" static char consoleName[] = { #ifdef XP_UNIX -#ifdef VMS - "TT" -#else "/dev/tty" -#endif #else #ifdef XP_OS2 "\\DEV\\CON" #else "CON:" #endif #endif }; @@ -3310,29 +3306,82 @@ SEC_PrintCertificateAndTrust(CERTCertifi "Certificate Trust Flags", 1); } printf("\n"); return(SECSuccess); } +#if defined(DEBUG) || defined(FORCE_PR_ASSERT) +/* Returns true iff a[i].flag has a duplicate in a[i+1 : count-1] */ +static PRBool HasShortDuplicate(int i, secuCommandFlag *a, int count) +{ + char target = a[i].flag; + int j; + + /* duplicate '\0' flags are okay, they are used with long forms */ + for (j = i+1; j < count; j++) { + if (a[j].flag && a[j].flag == target) { + return PR_TRUE; + } + } + return PR_FALSE; +} + +/* Returns true iff a[i].longform has a duplicate in a[i+1 : count-1] */ +static PRBool HasLongDuplicate(int i, secuCommandFlag *a, int count) +{ + int j; + char *target = a[i].longform; + + if (!target) + return PR_FALSE; + + for (j = i+1; j < count; j++) { + if (a[j].longform && strcmp(a[j].longform, target) == 0) { + return PR_TRUE; + } + } + return PR_FALSE; +} + +/* Returns true iff a has no short or long form duplicates + */ +PRBool HasNoDuplicates(secuCommandFlag *a, int count) +{ + int i; + + for (i = 0; i < count; i++) { + if (a[i].flag && HasShortDuplicate(i, a, count)) { + return PR_FALSE; + } + if (a[i].longform && HasLongDuplicate(i, a, count)) { + return PR_FALSE; + } + } + return PR_TRUE; +} +#endif SECStatus SECU_ParseCommandLine(int argc, char **argv, char *progName, const secuCommand *cmd) { PRBool found; PLOptState *optstate; PLOptStatus status; char *optstring; PLLongOpt *longopts = NULL; int i, j; int lcmd = 0, lopt = 0; + PR_ASSERT(HasNoDuplicates(cmd->commands, cmd->numCommands)); + PR_ASSERT(HasNoDuplicates(cmd->options, cmd->numOptions)); + optstring = (char *)PORT_Alloc(cmd->numCommands + 2*cmd->numOptions+1); if (optstring == NULL) return SECFailure; j = 0; for (i=0; i<cmd->numCommands; i++) { if (cmd->commands[i].flag) /* single character option ? */ optstring[j++] = cmd->commands[i].flag;
new file mode 100644 --- /dev/null +++ b/security/nss/cmd/lib/wincemain.c @@ -0,0 +1,65 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifdef WINCE +#include <windows.h> + +int +wmain(int argc, WCHAR **wargv) +{ + char **argv; + int i, ret; + + argv = malloc(argc * sizeof(char*)); + + for (i = 0; i < argc; i++) { + int len = WideCharToMultiByte(CP_ACP, 0, wargv[i], -1, NULL, 0, 0, 0); + argv[i] = malloc(len * sizeof(char)); + WideCharToMultiByte(CP_ACP, 0, wargv[i], -1, argv[i], len, 0, 0); + } + + ret = main(argc, argv); + + for (i = 0; i < argc; i++) { + free(argv[i]); + } + free(argv); + + return ret; +} + +#endif +
--- a/security/nss/cmd/pk11mode/pk11mode.c +++ b/security/nss/cmd/pk11mode/pk11mode.c @@ -775,17 +775,17 @@ cleanup: } if (configDir) { free(configDir); } if (dbPrefix) { free(dbPrefix); } if (moduleSpec) { - free(moduleSpec); + PR_smprintf_free(moduleSpec); } #ifdef _WIN32 FreeLibrary(hModule); #else disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD"); if (!disableUnload) { PR_UnloadLibrary(lib);
--- a/security/nss/cmd/pk12util/pk12util.c +++ b/security/nss/cmd/pk12util/pk12util.c @@ -52,28 +52,32 @@ PRBool pk12_debugging = PR_FALSE; PRBool dumpRawFile; PRIntn pk12uErrno = 0; static void Usage(char *progName) { #define FPS PR_fprintf(PR_STDERR, - FPS "Usage: %s -i importfile [-d certdir] [-P dbprefix] [-h tokenname] [-v]\n", + FPS "Usage: %s -i importfile [-d certdir] [-P dbprefix] [-h tokenname]\n", + progName); + FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n"); + FPS "\t\t [-v]\n"); + + FPS "Usage: %s -l listfile [-d certdir] [-P dbprefix] [-h tokenname]\n", progName); FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n"); - - FPS "Usage: %s -l listfile [-d certdir] [-P dbprefix] [-h tokenname] [-r]\n", - progName); - FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n"); + FPS "\t\t [-v]\n"); - FPS "Usage: %s -o exportfile -n certname [-d certdir] [-P dbprefix] [-v]\n", - progName); - FPS "\t\t [-c key_cipher] [-C cert_cipher] [-m | --key_len keyLen] [-n | --cert_key_len certKeyLen]\n"); - FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filefilepw]\n"); + FPS "Usage: %s -o exportfile -n certname [-d certdir] [-P dbprefix]\n", + progName); + FPS "\t\t [-c key_cipher] [-C cert_cipher]\n" + "\t\t [-m | --key_len keyLen] [--cert_key_len certKeyLen] [-v]\n"); + FPS "\t\t [-k slotpwfile | -K slotpw]\n" + "\t\t [-w p12filepwfile | -W p12filefilepw]\n"); exit(PK12UERR_USAGE); } static PRBool p12u_OpenFile(p12uContext *p12cxt, PRBool fileRead) { if(!p12cxt || !p12cxt->filename) { @@ -950,17 +954,17 @@ static secuCommandFlag pk12util_options[ { /* opt_Raw */ 'r', PR_FALSE, 0, PR_FALSE }, { /* opt_P12FilePWFile */ 'w', PR_TRUE, 0, PR_FALSE }, { /* opt_P12FilePW */ 'W', PR_TRUE, 0, PR_FALSE }, { /* opt_DBPrefix */ 'P', PR_TRUE, 0, PR_FALSE }, { /* opt_Debug */ 'v', PR_FALSE, 0, PR_FALSE }, { /* opt_Cipher */ 'c', PR_TRUE, 0, PR_FALSE }, { /* opt_CertCipher */ 'C', PR_TRUE, 0, PR_FALSE }, { /* opt_KeyLength */ 'm', PR_TRUE, 0, PR_FALSE, "key_len" }, - { /* opt_CertKeyLength */ 'n', PR_TRUE, 0, PR_FALSE, "cert_key_len" } + { /* opt_CertKeyLength */ 0, PR_TRUE, 0, PR_FALSE, "cert_key_len" } }; int main(int argc, char **argv) { secuPWData slotPw = { PW_NONE, NULL }; secuPWData p12FilePw = { PW_NONE, NULL }; PK11SlotInfo *slot;
--- a/security/nss/cmd/platlibs.mk +++ b/security/nss/cmd/platlibs.mk @@ -46,22 +46,30 @@ else EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps' endif else EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib' endif endif ifeq ($(OS_ARCH), Linux) +ifeq ($(BUILD_SUN_PKG), 1) +ifeq ($(USE_64), 1) +EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' +else +EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' +endif +else ifeq ($(USE_64), 1) EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib' else EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib' endif endif +endif ifeq ($(OS_ARCH), HP-UX) ifeq ($(OS_TEST), ia64) EXTRA_SHARED_LIBS += -Wl,+b,'$$ORIGIN/../lib' else # pa-risc ifeq ($(USE_64), 1) EXTRA_SHARED_LIBS += \ @@ -78,17 +86,17 @@ ifdef NSS_DISABLE_DBM DBMLIB = $(NULL) else DBMLIB = $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) endif ifdef USE_STATIC_LIBS # can't do this in manifest.mn because OS_ARCH isn't defined there. -ifeq ($(OS_ARCH), WINNT) +ifeq (,$(filter-out WINNT WINCE,$(OS_ARCH))) DEFINES += -DNSS_USE_STATIC_LIBS # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS) CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) PKIXLIB = \ $(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)pkixchecker.$(LIB_SUFFIX) \ @@ -198,17 +206,17 @@ EXTRA_SHARED_LIBS += \ endif ifeq ($(OS_TARGET), SunOS) OS_LIBS += -lbsm endif else # USE_STATIC_LIBS # can't do this in manifest.mn because OS_ARCH isn't defined there. -ifeq ($(OS_ARCH), WINNT) +ifeq (,$(filter-out WINNT WINCE,$(OS_ARCH))) # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS) EXTRA_LIBS += \ $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \ $(DIST)/lib/$(IMPORT_LIB_PREFIX)nssutil3$(IMPORT_LIB_SUFFIX) \ $(DIST)/lib/$(IMPORT_LIB_PREFIX)smime3$(IMPORT_LIB_SUFFIX) \ $(DIST)/lib/$(IMPORT_LIB_PREFIX)ssl3$(IMPORT_LIB_SUFFIX) \ $(DIST)/lib/$(IMPORT_LIB_PREFIX)nss3$(IMPORT_LIB_SUFFIX) \
--- a/security/nss/cmd/sdrtest/sdrtest.c +++ b/security/nss/cmd/sdrtest/sdrtest.c @@ -32,17 +32,17 @@ * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* * Test program for SDR (Secret Decoder Ring) functions. * - * $Id: sdrtest.c,v 1.14 2008/03/10 20:16:44 rrelyea%redhat.com Exp $ + * $Id: sdrtest.c,v 1.16 2009/07/08 21:37:43 julien.pierre.boogz%sun.com Exp $ */ #include "nspr.h" #include "string.h" #include "nss.h" #include "secutil.h" #include "cert.h" #include "pk11func.h" @@ -108,17 +108,17 @@ readStdin(SECItem * result) int bufsize = 0; int cc; int wanted = 8192; result->len = 0; result->data = NULL; do { if (bufsize < wanted) { - unsigned char * tmpData = (unsigned char *)realloc(result->data, wanted); + unsigned char * tmpData = (unsigned char *)PR_Realloc(result->data, wanted); if (!tmpData) { if (verbose) PR_fprintf(pr_stderr, "Allocation of buffer failed\n"); return -1; } result->data = tmpData; bufsize = wanted; } cc = PR_Read(PR_STDIN, result->data + result->len, bufsize - result->len); @@ -148,17 +148,17 @@ readInputFile(const char * filename, SEC s = PR_GetOpenFileInfo(file, &info); if (s != PR_SUCCESS) { if (verbose) PR_fprintf(pr_stderr, "File info operation failed\n"); goto file_loser; } result->len = info.size; - result->data = (unsigned char *)malloc(result->len); + result->data = (unsigned char *)PR_Malloc(result->len); if (!result->data) { if (verbose) PR_fprintf(pr_stderr, "Allocation of buffer failed\n"); goto file_loser; } count = PR_Read(file, result->data, result->len); if (count != result->len) { if (verbose) PR_fprintf(pr_stderr, "Read failed\n"); @@ -308,17 +308,17 @@ main (int argc, char **argv) SECItem newResult = {0, 0, 0}; SECItem *ok = NSSBase64_DecodeBuffer(NULL, &newResult, (const char *)result.data, result.len); if (!ok) { SECU_PrintError(program_name, "Base 64 decode failed"); retval = -1; goto loser; } - free(result.data); + SECITEM_ZfreeItem(&result, PR_FALSE); result = *ok; } } else { SECItem keyid = { 0, 0, 0 }; SECItem outBuf = { 0, 0, 0 }; PK11SlotInfo *slot = NULL; @@ -431,18 +431,18 @@ main (int argc, char **argv) if (text.len != data.len || memcmp(data.data, text.data, text.len) != 0) { if (verbose) PR_fprintf(pr_stderr, "Comparison failed\n"); retval = -1; goto loser; } loser: - if (text.data) free(text.data); - if (result.data) free(result.data); + if (text.data) SECITEM_ZfreeItem(&text, PR_FALSE); + if (result.data) SECITEM_ZfreeItem(&result, PR_FALSE); if (NSS_Shutdown() != SECSuccess) { exit(1); } prdone: PR_Cleanup (); if (pwdata.data) { PORT_Free(pwdata.data);
--- a/security/nss/cmd/shlibsign/sign.sh +++ b/security/nss/cmd/shlibsign/sign.sh @@ -16,34 +16,16 @@ WIN*) ARG4=${4} fi PATH=${ARG1}/lib:${ARG1}/bin:${ARG4}:${PATH} fi export PATH echo ${2}/shlibsign -v -i ${5} ${2}/shlibsign -v -i ${5} ;; -OpenVMS) - temp="tmp$$.tmp" - temp2="tmp$$.tmp2" - cd ${1}/lib - vmsdir=`dcl show default` - ls *.so > $temp - sed -e "s/\([^\.]*\)\.so/\$ define\/job \1 ${vmsdir}\1.so/" $temp > $temp2 - echo '$ define/job getipnodebyname xxx' >> $temp2 - echo '$ define/job vms_null_dl_name sys$share:decc$shr' >> $temp2 - dcl @$temp2 - echo ${2}/shlibsign -v -i ${5} - ${2}/shlibsign -v -i ${5} - sed -e "s/\([^\.]*\)\.so/\$ deass\/job \1/" $temp > $temp2 - echo '$ deass/job getipnodebyname' >> $temp2 - echo '$ deass/job vms_null_dl_name' >> $temp2 - dcl @$temp2 - rm $temp $temp2 - ;; *) LIBPATH=`(cd ${1}/lib; pwd)`:`(cd ${4}; pwd)`:$LIBPATH export LIBPATH SHLIB_PATH=${1}/lib:${4}:$SHLIB_PATH export SHLIB_PATH LD_LIBRARY_PATH=${1}/lib:${4}:$LD_LIBRARY_PATH export LD_LIBRARY_PATH DYLD_LIBRARY_PATH=${1}/lib:${4}:$DYLD_LIBRARY_PATH
new file mode 100644 --- /dev/null +++ b/security/nss/cmd/tests/baddbdir.c @@ -0,0 +1,68 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 2009 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#include <stdio.h> +#include <stdlib.h> + +#include "nss.h" +#include "secerr.h" + +/* + * Regression test for bug 495097. + * + * NSS_InitReadWrite("sql:<dbdir>") should fail with SEC_ERROR_BAD_DATABASE + * if the directory <dbdir> doesn't exist. + */ + +int main() +{ + SECStatus status; + int error; + + status = NSS_InitReadWrite("sql:/no/such/db/dir"); + if (status == SECSuccess) { + fprintf(stderr, "NSS_InitReadWrite succeeded unexpectedly\n"); + exit(1); + } + error = PORT_GetError(); + if (error != SEC_ERROR_BAD_DATABASE) { + fprintf(stderr, "NSS_InitReadWrite failed with the wrong error code: " + "%d\n", error); + exit(1); + } + printf("PASS\n"); + return 0; +}
--- a/security/nss/cmd/tests/manifest.mn +++ b/security/nss/cmd/tests/manifest.mn @@ -36,16 +36,17 @@ # ***** END LICENSE BLOCK ***** CORE_DEPTH = ../../.. # MODULE public and private header directories are implicitly REQUIRED. MODULE = nss CSRCS = \ + baddbdir.c \ conflict.c \ nonspr10.c \ remtest.c \ $(NULL) # The MODULE is always implicitly required. # Listing it here in REQUIRES makes it appear twice in the cc command line. REQUIRES = seccmd dbm
--- a/security/nss/cmd/zlib/README +++ b/security/nss/cmd/zlib/README @@ -12,17 +12,17 @@ All functions of the compression library of the library is given in the file example.c which also tests that the library is working correctly. Another example is given in the file minigzip.c. The compression library itself is composed of all source files except example.c and minigzip.c. To compile all files and run the test program, follow the instructions given at the top of Makefile. In short "make test; make install" should work for most machines. For Unix: "./configure; make test; make install". For MSDOS, use one -of the special makefiles such as Makefile.msc. For VMS, use make_vms.com. +of the special makefiles such as Makefile.msc. Questions about zlib should be sent to <zlib@gzip.org>, or to Gilles Vollant <info@winimage.com> for the Windows DLL version. The zlib home page is http://www.zlib.org or http://www.gzip.org/zlib/ Before reporting a problem, please check this site to verify that you have the latest version of zlib; otherwise get the latest version and check whether the problem still exists or not.
--- a/security/nss/cmd/zlib/example.c +++ b/security/nss/cmd/zlib/example.c @@ -1,24 +1,24 @@ /* example.c -- usage example of the zlib compression library * Copyright (C) 1995-2004 Jean-loup Gailly. * For conditions of distribution and use, see copyright notice in zlib.h */ -/* @(#) $Id: example.c,v 1.5 2005/07/20 20:32:42 wtchang%redhat.com Exp $ */ +/* @(#) $Id: example.c,v 1.6 2009/06/05 02:22:16 nelson%bolyard.com Exp $ */ #include <stdio.h> #include "zlib.h" #ifdef STDC # include <string.h> # include <stdlib.h> #endif -#if defined(VMS) || defined(RISCOS) +#if defined(RISCOS) # define TESTFILE "foo-gz" #else # define TESTFILE "foo.gz" #endif #define CHECK_ERR(err, msg) { \ if (err != Z_OK) { \ fprintf(stderr, "%s error: %d\n", msg, err); \
--- a/security/nss/cmd/zlib/minigzip.c +++ b/security/nss/cmd/zlib/minigzip.c @@ -8,17 +8,17 @@ * only an example of using zlib and isn't meant to replace the * full-featured gzip. No attempt is made to deal with file systems * limiting names to 14 or 8+3 characters, etc... Error checking is * very limited. So use minigzip only for testing; use gzip for the * real thing. On MSDOS, use only on file names without extension * or in pipe mode. */ -/* @(#) $Id: minigzip.c,v 1.5 2005/07/20 20:32:42 wtchang%redhat.com Exp $ */ +/* @(#) $Id: minigzip.c,v 1.6 2009/06/05 02:22:16 nelson%bolyard.com Exp $ */ #include <stdio.h> #include "zlib.h" #ifdef STDC # include <string.h> # include <stdlib.h> #endif @@ -32,20 +32,16 @@ #if defined(MSDOS) || defined(OS2) || defined(WIN32) || defined(__CYGWIN__) # include <fcntl.h> # include <io.h> # define SET_BINARY_MODE(file) setmode(fileno(file), O_BINARY) #else # define SET_BINARY_MODE(file) #endif -#ifdef VMS -# define unlink delete -# define GZ_SUFFIX "-gz" -#endif #ifdef RISCOS # define unlink remove # define GZ_SUFFIX "-gz" # define fileno(file) file->__file #endif #if defined(__MWERKS__) && __dest_os != __be_os && __dest_os != __win32_os # include <unix.h> /* for fileno */ #endif
--- a/security/nss/cmd/zlib/zconf.h +++ b/security/nss/cmd/zlib/zconf.h @@ -1,14 +1,14 @@ /* zconf.h -- configuration of the zlib compression library * Copyright (C) 1995-2005 Jean-loup Gailly. * For conditions of distribution and use, see copyright notice in zlib.h */ -/* @(#) $Id: zconf.h,v 1.6 2005/07/20 20:32:42 wtchang%redhat.com Exp $ */ +/* @(#) $Id: zconf.h,v 1.7 2009/06/05 02:22:17 nelson%bolyard.com Exp $ */ #ifndef ZCONF_H #define ZCONF_H /* * If you *really* need a unique prefix for all types and library functions, * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it. */ @@ -279,24 +279,16 @@ typedef uLong FAR uLongf; typedef void FAR *voidpf; typedef void *voidp; #else typedef Byte const *voidpc; typedef Byte FAR *voidpf; typedef Byte *voidp; #endif -#if 0 /* HAVE_UNISTD_H -- this line is updated by ./configure */ -# include <sys/types.h> /* for off_t */ -# include <unistd.h> /* for SEEK_* and off_t */ -# ifdef VMS -# include <unixio.h> /* for off_t */ -# endif -# define z_off_t off_t -#endif #ifndef SEEK_SET # define SEEK_SET 0 /* Seek from beginning of file. */ # define SEEK_CUR 1 /* Seek from current position. */ # define SEEK_END 2 /* Set file pointer to EOF plus "offset" */ #endif #ifndef z_off_t # define z_off_t long #endif
--- a/security/nss/cmd/zlib/zutil.h +++ b/security/nss/cmd/zlib/zutil.h @@ -3,17 +3,17 @@ * For conditions of distribution and use, see copyright notice in zlib.h */ /* WARNING: this file should *not* be used by applications. It is part of the implementation of the compression library and is subject to change. Applications should only use zlib.h. */ -/* @(#) $Id: zutil.h,v 1.7 2007/12/01 02:16:10 julien.pierre.boogz%sun.com Exp $ */ +/* @(#) $Id: zutil.h,v 1.8 2009/06/05 02:22:17 nelson%bolyard.com Exp $ */ #ifndef ZUTIL_H #define ZUTIL_H #define ZLIB_INTERNAL #include "zlib.h" #ifdef STDC @@ -100,17 +100,17 @@ extern const char * const z_errmsg[10]; # include <malloc.h> # endif #endif #ifdef AMIGA # define OS_CODE 0x01 #endif -#if defined(VAXC) || defined(VMS) +#if defined(VAXC) # define OS_CODE 0x02 # define F_OPEN(name, mode) \ fopen((name), (mode), "mbc=60", "ctx=stm", "rfm=fix", "mrs=512") #endif #if defined(ATARI) || defined(atarist) # define OS_CODE 0x05 #endif @@ -200,19 +200,16 @@ extern const char * const z_errmsg[10]; # if !defined(vsnprintf) && !defined(NO_vsnprintf) # define vsnprintf _vsnprintf # endif # endif # ifdef __SASC # define NO_vsnprintf # endif #endif -#ifdef VMS -# define NO_vsnprintf -#endif #if defined(pyr) # define NO_MEMCPY #endif #if defined(SMALL_MEDIUM) && !defined(_MSC_VER) && !defined(__SC__) /* Use our own functions for small and medium model with MSC <= 5.0. * You may have to use the same strategy for Borland C (untested). * The __SC__ check is for Symantec.
--- a/security/nss/lib/certdb/cert.h +++ b/security/nss/lib/certdb/cert.h @@ -32,17 +32,17 @@ * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* * cert.h - public data structures and prototypes for the certificate library * - * $Id: cert.h,v 1.77 2009/04/17 22:46:27 julien.pierre.boogz%sun.com Exp $ + * $Id: cert.h,v 1.78 2009/05/14 01:33:36 julien.pierre.boogz%sun.com Exp $ */ #ifndef _CERT_H_ #define _CERT_H_ #include "utilrename.h" #include "plarena.h" #include "plhash.h" @@ -1605,35 +1605,35 @@ extern SECStatus CERT_EncodeNoticeReference(PLArenaPool *arena, CERTNoticeReference *reference, SECItem *dest); /* * Returns a pointer to a static structure. */ extern const CERTRevocationFlags* -CERT_GetPKIXVerifyNistRevocationPolicy(); +CERT_GetPKIXVerifyNistRevocationPolicy(void); /* * Returns a pointer to a static structure. */ extern const CERTRevocationFlags* -CERT_GetClassicOCSPEnabledSoftFailurePolicy(); +CERT_GetClassicOCSPEnabledSoftFailurePolicy(void); /* * Returns a pointer to a static structure. */ extern const CERTRevocationFlags* -CERT_GetClassicOCSPEnabledHardFailurePolicy(); +CERT_GetClassicOCSPEnabledHardFailurePolicy(void); /* * Returns a pointer to a static structure. */ extern const CERTRevocationFlags* -CERT_GetClassicOCSPDisabledPolicy(); +CERT_GetClassicOCSPDisabledPolicy(void); /* * Verify a Cert with libpkix * paramsIn control the verification options. If a value isn't specified * in paramsIn, it reverts to the application default. * paramsOut specifies the parameters the caller would like to get back. * the caller may pass NULL, in which case no parameters are returned. */ @@ -1657,13 +1657,13 @@ extern SECStatus CERT_PKIXSetDefaults(CE /* Makes old cert validation APIs(CERT_VerifyCert, CERT_VerifyCertificate) * to use libpkix validation engine. The function should be called ones at * application initialization time. * Function is not thread safe.*/ SECStatus CERT_SetUsePKIXForValidation(PRBool enable); /* The function return PR_TRUE if cert validation should use * libpkix cert validation engine. */ -PRBool CERT_GetUsePKIXForValidation(); +PRBool CERT_GetUsePKIXForValidation(void); SEC_END_PROTOS #endif /* _CERT_H_ */
--- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -34,17 +34,17 @@ * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* * Certificate handling code * - * $Id: certdb.c,v 1.100 2009/03/23 02:18:19 nelson%bolyard.com Exp $ + * $Id: certdb.c,v 1.101 2009/05/18 21:33:25 nelson%bolyard.com Exp $ */ #include "nssilock.h" #include "prmon.h" #include "prtime.h" #include "cert.h" #include "certi.h" #include "secder.h" @@ -1734,29 +1734,29 @@ cert_GetDNSPatternsFromGeneralNames(CERT ** so must copy it. */ cn = (char *)PORT_ArenaAlloc(nickNames->arena, currentInput->name.other.len + 1); if (!cn) return SECFailure; PORT_Memcpy(cn, currentInput->name.other.data, currentInput->name.other.len); - cn[currentInput->name.other.len + 1] = 0; + cn[currentInput->name.other.len] = 0; break; case certIPAddress: if (currentInput->name.other.len == 4) { addr.inet.family = PR_AF_INET; memcpy(&addr.inet.ip, currentInput->name.other.data, currentInput->name.other.len); } else if (currentInput->name.other.len == 16) { addr.ipv6.family = PR_AF_INET6; memcpy(&addr.ipv6.ip, currentInput->name.other.data, currentInput->name.other.len); } - if (PR_NetAddrToString(&addr, ipbuf, sizeof(ipbuf) == PR_FAILURE)) + if (PR_NetAddrToString(&addr, ipbuf, sizeof(ipbuf)) == PR_FAILURE) return SECFailure; cn = PORT_ArenaStrdup(nickNames->arena, ipbuf); if (!cn) return SECFailure; break; default: break; }
--- a/security/nss/lib/certdb/certdb.h +++ b/security/nss/lib/certdb/certdb.h @@ -58,17 +58,17 @@ SEC_FindCrlByKey(CERTCertDBHandle *handl CERTSignedCrl * SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey, int type); CERTSignedCrl * SEC_FindCrlByDERCert(CERTCertDBHandle *handle, SECItem *derCrl, int type); PRBool -SEC_CertNicknameConflict(char *nickname, SECItem *derSubject, +SEC_CertNicknameConflict(const char *nickname, SECItem *derSubject, CERTCertDBHandle *handle); CERTSignedCrl * SEC_NewCrl(CERTCertDBHandle *handle, char *url, SECItem *derCrl, int type); SECStatus SEC_DeletePermCRL(CERTSignedCrl *crl);
--- a/security/nss/lib/certdb/certt.h +++ b/security/nss/lib/certdb/certt.h @@ -31,17 +31,17 @@ * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* * certt.h - public data structures for the certificate library * - * $Id: certt.h,v 1.50 2009/04/24 19:18:32 nelson%bolyard.com Exp $ + * $Id: certt.h,v 1.52 2009/05/29 18:10:38 alexei.volkov.bugs%sun.com Exp $ */ #ifndef _CERTT_H_ #define _CERTT_H_ #include "prclist.h" #include "pkcs11t.h" #include "seccomon.h" #include "secmodt.h" @@ -935,22 +935,27 @@ typedef enum { * specified in value.scalar.time. A special * value '0' indicates 'now'. default is '0' */ cert_pi_revocationFlags = 9, /* Specify what revocation checking to do. * See CERT_REV_FLAG_* macros below * Set in value.pointer.revocation */ cert_pi_certStores = 10,/* Bitmask of Cert Store flags (see below) * Set in value.scalar.ui */ cert_pi_trustAnchors = 11,/* Specify the list of trusted roots to - * validate against. If the list in NULL all - * default trusted roots are used. + * validate against. + * The default set of trusted roots, these are + * root CA certs from libnssckbi.so or CA + * certs trusted by user, are used in any of + * the following cases: + * * when the parameter is not set. + * * when the list of trust anchors is empty. * Specified in value.pointer.chain */ cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension. - * Default is off. - * Value is in value.scalar.b */ + * In NSS 3.12.1 or later. Default is off. + * Value is in value.scalar.b */ cert_pi_max /* SPECIAL: signifies maximum allowed value, * can increase in future releases */ } CERTValParamInType; /* * for all out parameters: * out parameters are only returned if the caller asks for them in * the CERTValOutParam array. Caller is responsible for the CERTValOutParam
--- a/security/nss/lib/certdb/crl.c +++ b/security/nss/lib/certdb/crl.c @@ -32,17 +32,17 @@ * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* * Moved from secpkcs7.c * - * $Id: crl.c,v 1.66 2009/04/21 22:53:58 julien.pierre.boogz%sun.com Exp $ + * $Id: crl.c,v 1.67 2009/05/13 22:47:28 julien.pierre.boogz%sun.com Exp $ */ #include "cert.h" #include "certi.h" #include "secder.h" #include "secasn1.h" #include "secoid.h" #include "certdb.h" @@ -3131,16 +3131,17 @@ static SECStatus addCRLToCache(CERTCertD /* all other reasons */ default: entry->unsupported = PR_TRUE; break; } rv = SECFailure; /* no need to keep unused CRL around */ SECITEM_ZfreeItem(entry->crl, PR_TRUE); + entry->crl = NULL; } return rv; } /* take ownership of CRL, and insert it into the named CRL cache * and indexed CRL cache */ SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl, @@ -3201,16 +3202,20 @@ SECStatus cert_CacheCRLByGeneralName(CER PORT_Assert(SECSuccess == rv); } removed = PL_HashTableRemove(namedCRLCache.entries, (void*) oldEntry->canonicalizedName); PORT_Assert(removed); if (!removed) { rv = SECFailure; + /* leak old entry since we couldn't remove it from the hash table */ + } + else + { rv2 = NamedCRLCacheEntry_Destroy(oldEntry); PORT_Assert(SECSuccess == rv2); } if (NULL == PL_HashTableAdd(namedCRLCache.entries, (void*) newEntry->canonicalizedName, (void*) newEntry)) { PORT_Assert(0); @@ -3244,17 +3249,21 @@ SECStatus cert_CacheCRLByGeneralName(CER else { /* previous cache entry was bad, just replace it */ PRBool removed = PL_HashTableRemove(namedCRLCache.entries, (void*) oldEntry->canonicalizedName); PORT_Assert(removed); if (!removed) { + /* leak old entry since we couldn't remove it from the hash table */ rv = SECFailure; + } + else + { rv2 = NamedCRLCacheEntry_Destroy(oldEntry); PORT_Assert(SECSuccess == rv2); } if (NULL == PL_HashTableAdd(namedCRLCache.entries, (void*) newEntry->canonicalizedName, (void*) newEntry)) { PORT_Assert(0);
--- a/security/nss/lib/certdb/stanpcertdb.c +++ b/security/nss/lib/certdb/stanpcertdb.c @@ -58,17 +58,17 @@ #include "pki3hack.h" #include "ckhelper.h" #include "base.h" #include "pkistore.h" #include "dev3hack.h" #include "dev.h" PRBool -SEC_CertNicknameConflict(char *nickname, SECItem *derSubject, +SEC_CertNicknameConflict(const char *nickname, SECItem *derSubject, CERTCertDBHandle *handle) { CERTCertificate *cert; PRBool conflict = PR_FALSE; cert=CERT_FindCertByNickname(handle, nickname); if (!cert) {
--- a/security/nss/lib/certhigh/certvfypkix.c +++ b/security/nss/lib/certhigh/certvfypkix.c @@ -1685,17 +1685,21 @@ cert_pkixSetParam(PKIX_ProcessingParams break; } } break; case cert_pi_trustAnchors: certList = param->value.pointer.chain; - + if (!certList) { + PORT_SetError(errCode); + r = SECFailure; + break; + } error = PKIX_List_Create(&certListPkix, plContext); if (error != NULL) { break; } for(node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList); node = CERT_LIST_NEXT(node) ) { error = PKIX_PL_Cert_CreateFromCERTCertificate(node->cert, &certPkix, plContext);
--- a/security/nss/lib/certhigh/ocsp.c +++ b/security/nss/lib/certhigh/ocsp.c @@ -34,17 +34,17 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* * Implementation of OCSP services, for both client and server. * (XXX, really, mostly just for client right now, but intended to do both.) * - * $Id: ocsp.c,v 1.58 2009/03/21 01:40:35 nelson%bolyard.com Exp $ + * $Id: ocsp.c,v 1.59 2009/06/10 22:59:09 julien.pierre.boogz%sun.com Exp $ */ #include "prerror.h" #include "prprf.h" #include "plarena.h" #include "prnetdb.h" #include "seccomon.h" @@ -725,17 +725,17 @@ ocsp_FreshenCacheItemNextFetchAttemptTim OCSP_Global.minimumSecondsToNextFetchAttempt * MICROSECONDS_PER_SECOND; OCSP_TRACE_TIME("no thisUpdate, " "latestTimeWhenResponseIsConsideredFresh:", latestTimeWhenResponseIsConsideredFresh); } if (cacheItem->haveNextUpdate) { - OCSP_TRACE_TIME("have nextUpdate:", cacheItem->thisUpdate); + OCSP_TRACE_TIME("have nextUpdate:", cacheItem->nextUpdate); } if (cacheItem->haveNextUpdate && cacheItem->nextUpdate < latestTimeWhenResponseIsConsideredFresh) { latestTimeWhenResponseIsConsideredFresh = cacheItem->nextUpdate; OCSP_TRACE_TIME("nextUpdate is smaller than latestFresh, setting " "latestTimeWhenResponseIsConsideredFresh:", latestTimeWhenResponseIsConsideredFresh);
--- a/security/nss/lib/ckfw/Makefile +++ b/security/nss/lib/ckfw/Makefile @@ -29,24 +29,24 @@ # under the terms of either the GPL or the LGPL, and not to allow others to # use your version of this file under the terms of the MPL, indicate your # decision by deleting the provisions above and replace them with the notice # and other provisions required by the GPL or the LGPL. If you do not delete # the provisions above, a recipient may use your version of this file under # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** -MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.16 $ $Date: 2008/12/03 18:44:24 $" +MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.17 $ $Date: 2009/05/22 01:03:30 $" include manifest.mn include $(CORE_DEPTH)/coreconf/config.mk include config.mk include $(CORE_DEPTH)/coreconf/rules.mk -ifdef MOZILLA_CLIENT +ifdef NOTDEF # was ifdef MOZILLA_CLIENT NSS_BUILD_CAPI = 1 endif # This'll need some help from a build person. # The generated files are checked in, and differ from what ckapi.perl # will produce. ckapi.perl is currently newer than the targets, so # these rules are invoked, causing the wrong files to be generated.
--- a/security/nss/lib/ckfw/builtins/config.mk +++ b/security/nss/lib/ckfw/builtins/config.mk @@ -29,17 +29,17 @@ # under the terms of either the GPL or the LGPL, and not to allow others to # use your version of this file under the terms of the MPL, indicate your # decision by deleting the provisions above and replace them with the notice # and other provisions required by the GPL or the LGPL. If you do not delete # the provisions above, a recipient may use your version of this file under # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** -CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.13 $ $Date: 2009/03/20 07:19:36 $" +CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.14 $ $Date: 2009/06/11 00:55:34 $" # # Override TARGETS variable so that only shared libraries # are specifed as dependencies within rules.mk. # TARGETS = $(SHARED_LIBRARY) LIBRARY = @@ -60,22 +60,8 @@ endif # To create a loadable module on Darwin, we must use -bundle. # ifeq ($(OS_TARGET),Darwin) ifndef USE_64 DSO_LDOPTS = -bundle endif endif -ifeq ($(OS_TARGET),SunOS) -# The -R '$ORIGIN' linker option instructs this library to search for its -# dependencies in the same directory where it resides. -MKSHLIB += -R '$$ORIGIN' -endif - -ifeq ($(OS_ARCH), HP-UX) -ifneq ($(OS_TEST), ia64) -# pa-risc -ifeq ($(USE_64), 1) -MKSHLIB += +b '$$ORIGIN' -endif -endif -endif
--- a/security/nss/lib/ckfw/capi/config.mk +++ b/security/nss/lib/ckfw/capi/config.mk @@ -29,17 +29,17 @@ # under the terms of either the GPL or the LGPL, and not to allow others to # use your version of this file under the terms of the MPL, indicate your # decision by deleting the provisions above and replace them with the notice # and other provisions required by the GPL or the LGPL. If you do not delete # the provisions above, a recipient may use your version of this file under # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** -CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.2 $ $Date: 2009/03/20 07:19:45 $" +CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.3 $ $Date: 2009/06/11 00:55:42 $" # # Override TARGETS variable so that only shared libraries # are specifed as dependencies within rules.mk. # TARGETS = $(SHARED_LIBRARY) LIBRARY = @@ -60,14 +60,8 @@ endif # To create a loadable module on Darwin, we must use -bundle. # ifeq ($(OS_TARGET),Darwin) ifndef USE_64 DSO_LDOPTS = -bundle endif endif -ifeq ($(OS_TARGET),SunOS) -# The -R '$ORIGIN' linker option instructs this library to search for its -# dependencies in the same directory where it resides. -MKSHLIB += -R '$$ORIGIN' -endif -
--- a/security/nss/lib/ckfw/sessobj.c +++ b/security/nss/lib/ckfw/sessobj.c @@ -30,17 +30,17 @@ * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ #ifdef DEBUG -static const char CVS_ID[] = "@(#) $RCSfile: sessobj.c,v $ $Revision: 1.14 $ $Date: 2009/02/09 07:55:53 $"; +static const char CVS_ID[] = "@(#) $RCSfile: sessobj.c,v $ $Revision: 1.15 $ $Date: 2009/06/05 00:22:04 $"; #endif /* DEBUG */ /* * sessobj.c * * This file contains an NSSCKMDObject implementation for session * objects. The framework uses this implementation to manage * session objects when a Module doesn't wish to be bothered. @@ -701,28 +701,25 @@ nss_ckmdSessionObject_SetAttribute * It's new. */ ra = (NSSItem *)nss_ZRealloc(obj->attributes, sizeof(NSSItem) * (obj->n + 1)); if (!ra) { nss_ZFreeIf(n.data); return CKR_HOST_MEMORY; } + obj->attributes = ra; - rt = (CK_ATTRIBUTE_TYPE_PTR)nss_ZRealloc(obj->types, (obj->n + 1)); - if( (CK_ATTRIBUTE_TYPE_PTR)NULL == rt ) { + rt = (CK_ATTRIBUTE_TYPE_PTR)nss_ZRealloc(obj->types, + sizeof(CK_ATTRIBUTE_TYPE) * (obj->n + 1)); + if (!rt) { nss_ZFreeIf(n.data); - obj->attributes = (NSSItem *)nss_ZRealloc(ra, sizeof(NSSItem) * obj->n); - if (!obj->attributes) { - return CKR_GENERAL_ERROR; - } return CKR_HOST_MEMORY; } - obj->attributes = ra; obj->types = rt; obj->attributes[obj->n] = n; obj->types[obj->n] = attribute; obj->n++; return CKR_OK; }
--- a/security/nss/lib/cryptohi/seckey.c +++ b/security/nss/lib/cryptohi/seckey.c @@ -253,21 +253,27 @@ SECKEYPrivateKey * SECKEY_CreateECPrivateKey(SECKEYECParams *param, SECKEYPublicKey **pubk, void *cx) { SECKEYPrivateKey *privk; PK11SlotInfo *slot = PK11_GetBestSlot(CKM_EC_KEY_PAIR_GEN,cx); if (!slot) { return NULL; } - privk = PK11_GenerateKeyPair(slot, CKM_EC_KEY_PAIR_GEN, param, - pubk, PR_FALSE, PR_FALSE, cx); + privk = PK11_GenerateKeyPairWithOpFlags(slot, CKM_EC_KEY_PAIR_GEN, + param, pubk, + PK11_ATTR_SESSION | PK11_ATTR_INSENSITIVE | + PK11_ATTR_PUBLIC, + CKF_DERIVE, CKF_DERIVE|CKF_SIGN,cx); if (!privk) - privk = PK11_GenerateKeyPair(slot, CKM_EC_KEY_PAIR_GEN, param, - pubk, PR_FALSE, PR_TRUE, cx); + privk = PK11_GenerateKeyPairWithOpFlags(slot, CKM_EC_KEY_PAIR_GEN, + param, pubk, + PK11_ATTR_SESSION | PK11_ATTR_SENSITIVE | + PK11_ATTR_PRIVATE, + CKF_DERIVE, CKF_DERIVE|CKF_SIGN,cx); PK11_FreeSlot(slot); return(privk); } void SECKEY_DestroyPrivateKey(SECKEYPrivateKey *privk) {
--- a/security/nss/lib/freebl/Makefile +++ b/security/nss/lib/freebl/Makefile @@ -89,16 +89,24 @@ else endif endif ifeq ($(OS_TARGET),OSF1) DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_NO_MP_WORD MPI_SRCS += mpvalpha.c endif +ifeq (OS2,$(OS_TARGET)) + ASFILES = mpi_x86_os2.s + DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE + DEFINES += -DMP_ASSEMBLY_DIV_2DX1D + DEFINES += -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD + DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN +endif + ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET))) #omits WINCE ifndef USE_64 # 32-bit Windows ifdef NS_USE_GCC # Ideally, we want to use assembler # ASFILES = mpi_x86.s # DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE \ # -DMP_ASSEMBLY_DIV_2DX1D @@ -217,19 +225,16 @@ endif # (ldvector.c) to the blapi functions defined in the freebl # shared libraries. ifeq (,$(filter-out BSD_OS FreeBSD Linux NetBSD OpenBSD, $(OS_TARGET))) MKSHLIB += -Wl,-Bsymbolic endif ifeq ($(OS_TARGET),SunOS) -# The -R '$ORIGIN' linker option instructs this library to search for its -# dependencies in the same directory where it resides. -MKSHLIB += -R '$$ORIGIN' ifdef NS_USE_GCC ifdef GCC_USE_GNU_LD MKSHLIB += -Wl,-Bsymbolic,-z,now,-z,text else MKSHLIB += -Wl,-B,symbolic,-z,now,-z,text endif # GCC_USE_GNU_LD else MKSHLIB += -B symbolic -z now -z text
--- a/security/nss/lib/freebl/des.c +++ b/security/nss/lib/freebl/des.c @@ -398,16 +398,21 @@ static const HALF PC2[8][64] = { temp = (word ^ (word >> 18)) & 0x00003333; \ word ^= temp | (temp << 18); \ temp = (word ^ (word >> 9)) & 0x00550055; \ word ^= temp | (temp << 9); #if defined(__GNUC__) && defined(NSS_X86_OR_X64) #define BYTESWAP(word, temp) \ __asm("bswap %0" : "+r" (word)); +#elif (_MSC_VER >= 1300) && defined(NSS_X86_OR_X64) +#include <stdlib.h> +#pragma intrinsic(_byteswap_ulong) +#define BYTESWAP(word, temp) \ + word = _byteswap_ulong(word); #else #define BYTESWAP(word, temp) \ word = (word >> 16) | (word << 16); \ temp = 0x00ff00ff; \ word = ((word & temp) << 8) | ((word >> 8) & temp); #endif #define PC1(left, right, c0, d0, temp) \
--- a/security/nss/lib/freebl/drbg.c +++ b/security/nss/lib/freebl/drbg.c @@ -31,17 +31,17 @@ * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: drbg.c,v 1.8 2009/04/01 03:37:29 wtc%google.com Exp $ */ +/* $Id: drbg.c,v 1.9 2009/06/10 03:24:01 rrelyea%redhat.com Exp $ */ #ifdef FREEBL_NO_DEPEND #include "stubs.h" #endif #include "prerror.h" #include "secerr.h" @@ -376,16 +376,19 @@ prng_generateNewBytes(RNGContext *rng, */ static const PRCallOnceType pristineCallOnce; static PRCallOnceType coRNGInit; static PRStatus rng_init(void) { PRUint8 bytes[PRNG_SEEDLEN*2]; /* entropy + nonce */ unsigned int numBytes; if (globalrng == NULL) { + /* bytes needs to have enough space to hold + * a SHA256 hash value. Blow up at compile time if this isn't true */ + PR_STATIC_ASSERT(sizeof(bytes) >= SHA256_LENGTH); /* create a new global RNG context */ globalrng = &theGlobalRng; PORT_Assert(NULL == globalrng->lock); /* create a lock for it */ globalrng->lock = PZ_NewLock(nssILockOther); if (globalrng->lock == NULL) { globalrng = NULL; PORT_SetError(PR_OUT_OF_MEMORY_ERROR); @@ -409,16 +412,20 @@ static PRStatus rng_init(void) PZ_DestroyLock(globalrng->lock); globalrng->lock = NULL; globalrng = NULL; return PR_FAILURE; } /* the RNG is in a valid state */ globalrng->isValid = PR_TRUE; + /* fetch one random value so that we can populate rng->oldV for our + * continous random number test. */ + prng_generateNewBytes(globalrng, bytes, SHA256_LENGTH, NULL, 0); + /* Fetch more entropy into the PRNG */ RNG_SystemInfoForRNG(); } return PR_SUCCESS; } /* * Clean up the global RNG context
new file mode 100644 --- /dev/null +++ b/security/nss/lib/freebl/mpi/mpi_x86_os2.s @@ -0,0 +1,573 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +# $Id: mpi_x86_os2.s,v 1.1 2009/06/04 23:53:42 julien.pierre.boogz%sun.com Exp $ +# + +.data +.align 4 + # + # -1 means to call _s_mpi_is_sse to determine if we support sse + # instructions. + # 0 means to use x86 instructions + # 1 means to use sse2 instructions +.type is_sse,@object +.size is_sse,4 +is_sse: .long -1 + +# +# sigh, handle the difference between -fPIC and not PIC +# default to pic, since this file seems to be exclusively +# linux right now (solaris uses mpi_i86pc.s and windows uses +# mpi_x86_asm.c) +# +#.ifndef NO_PIC +#.macro GET var,reg +# movl \var@GOTOFF(%ebx),\reg +#.endm +#.macro PUT reg,var +# movl \reg,\var@GOTOFF(%ebx) +#.endm +#.else +.macro GET var,reg + movl \var,\reg +.endm +.macro PUT reg,var + movl \reg,\var +.endm +#.endif + +.text + + + # ebp - 36: caller's esi + # ebp - 32: caller's edi + # ebp - 28: + # ebp - 24: + # ebp - 20: + # ebp - 16: + # ebp - 12: + # ebp - 8: + # ebp - 4: + # ebp + 0: caller's ebp + # ebp + 4: return address + # ebp + 8: a argument + # ebp + 12: a_len argument + # ebp + 16: b argument + # ebp + 20: c argument + # registers: + # eax: + # ebx: carry + # ecx: a_len + # edx: + # esi: a ptr + # edi: c ptr +.globl _s_mpv_mul_d +.type _s_mpv_mul_d,@function +_s_mpv_mul_d: + GET is_sse,%eax + cmp $0,%eax + je _s_mpv_mul_d_x86 + jg _s_mpv_mul_d_sse2 + call _s_mpi_is_sse2 + PUT %eax,is_sse + cmp $0,%eax + jg _s_mpv_mul_d_sse2 +_s_mpv_mul_d_x86: + push %ebp + mov %esp,%ebp + sub $28,%esp + push %edi + push %esi + push %ebx + movl $0,%ebx # carry = 0 + mov 12(%ebp),%ecx # ecx = a_len + mov 20(%ebp),%edi + cmp $0,%ecx + je 2f # jmp if a_len == 0 + mov 8(%ebp),%esi # esi = a + cld +1: + lodsl # eax = [ds:esi]; esi += 4 + mov 16(%ebp),%edx # edx = b + mull %edx # edx:eax = Phi:Plo = a_i * b + + add %ebx,%eax # add carry (%ebx) to edx:eax + adc $0,%edx + mov %edx,%ebx # high half of product becomes next carry + + stosl # [es:edi] = ax; edi += 4; + dec %ecx # --a_len + jnz 1b # jmp if a_len != 0 +2: + mov %ebx,0(%edi) # *c = carry + pop %ebx + pop %esi + pop %edi + leave + ret + nop +_s_mpv_mul_d_sse2: + push %ebp + mov %esp,%ebp + push %edi + push %esi + psubq %mm2,%mm2 # carry = 0 + mov 12(%ebp),%ecx # ecx = a_len + movd 16(%ebp),%mm1 # mm1 = b + mov 20(%ebp),%edi + cmp $0,%ecx + je 6f # jmp if a_len == 0 + mov 8(%ebp),%esi # esi = a + cld +5: + movd 0(%esi),%mm0 # mm0 = *a++ + add $4,%esi + pmuludq %mm1,%mm0 # mm0 = b * *a++ + paddq %mm0,%mm2 # add the carry + movd %mm2,0(%edi) # store the 32bit result + add $4,%edi + psrlq $32, %mm2 # save the carry + dec %ecx # --a_len + jnz 5b # jmp if a_len != 0 +6: + movd %mm2,0(%edi) # *c = carry + emms + pop %esi + pop %edi + leave + ret + nop + + # ebp - 36: caller's esi + # ebp - 32: caller's edi + # ebp - 28: + # ebp - 24: + # ebp - 20: + # ebp - 16: + # ebp - 12: + # ebp - 8: + # ebp - 4: + # ebp + 0: caller's ebp + # ebp + 4: return address + # ebp + 8: a argument + # ebp + 12: a_len argument + # ebp + 16: b argument + # ebp + 20: c argument + # registers: + # eax: + # ebx: carry + # ecx: a_len + # edx: + # esi: a ptr + # edi: c ptr +.globl _s_mpv_mul_d_add +.type _s_mpv_mul_d_add,@function +_s_mpv_mul_d_add: + GET is_sse,%eax + cmp $0,%eax + je _s_mpv_mul_d_add_x86 + jg _s_mpv_mul_d_add_sse2 + call _s_mpi_is_sse2 + PUT %eax,is_sse + cmp $0,%eax + jg _s_mpv_mul_d_add_sse2 +_s_mpv_mul_d_add_x86: + push %ebp + mov %esp,%ebp + sub $28,%esp + push %edi + push %esi + push %ebx + movl $0,%ebx # carry = 0 + mov 12(%ebp),%ecx # ecx = a_len + mov 20(%ebp),%edi + cmp $0,%ecx + je 11f # jmp if a_len == 0 + mov 8(%ebp),%esi # esi = a + cld +10: + lodsl # eax = [ds:esi]; esi += 4 + mov 16(%ebp),%edx # edx = b + mull %edx # edx:eax = Phi:Plo = a_i * b + + add %ebx,%eax # add carry (%ebx) to edx:eax + adc $0,%edx + mov 0(%edi),%ebx # add in current word from *c + add %ebx,%eax + adc $0,%edx + mov %edx,%ebx # high half of product becomes next carry + + stosl # [es:edi] = ax; edi += 4; + dec %ecx # --a_len + jnz 10b # jmp if a_len != 0 +11: + mov %ebx,0(%edi) # *c = carry + pop %ebx + pop %esi + pop %edi + leave + ret + nop +_s_mpv_mul_d_add_sse2: + push %ebp + mov %esp,%ebp + push %edi + push %esi + psubq %mm2,%mm2 # carry = 0 + mov 12(%ebp),%ecx # ecx = a_len + movd 16(%ebp),%mm1 # mm1 = b + mov 20(%ebp),%edi + cmp $0,%ecx + je 16f # jmp if a_len == 0 + mov 8(%ebp),%esi # esi = a + cld +15: + movd 0(%esi),%mm0 # mm0 = *a++ + add $4,%esi + pmuludq %mm1,%mm0 # mm0 = b * *a++ + paddq %mm0,%mm2 # add the carry + movd 0(%edi),%mm0 + paddq %mm0,%mm2 # add the carry + movd %mm2,0(%edi) # store the 32bit result + add $4,%edi + psrlq $32, %mm2 # save the carry + dec %ecx # --a_len + jnz 15b # jmp if a_len != 0 +16: + movd %mm2,0(%edi) # *c = carry + emms + pop %esi + pop %edi + leave + ret + nop + + # ebp - 8: caller's esi + # ebp - 4: caller's edi + # ebp + 0: caller's ebp + # ebp + 4: return address + # ebp + 8: a argument + # ebp + 12: a_len argument + # ebp + 16: b argument + # ebp + 20: c argument + # registers: + # eax: + # ebx: carry + # ecx: a_len + # edx: + # esi: a ptr + # edi: c ptr +.globl _s_mpv_mul_d_add_prop +.type _s_mpv_mul_d_add_prop,@function +_s_mpv_mul_d_add_prop: + GET is_sse,%eax + cmp $0,%eax + je _s_mpv_mul_d_add_prop_x86 + jg _s_mpv_mul_d_add_prop_sse2 + call _s_mpi_is_sse2 + PUT %eax,is_sse + cmp $0,%eax + jg _s_mpv_mul_d_add_prop_sse2 +_s_mpv_mul_d_add_prop_x86: + push %ebp + mov %esp,%ebp + sub $28,%esp + push %edi + push %esi + push %ebx + movl $0,%ebx # carry = 0 + mov 12(%ebp),%ecx # ecx = a_len + mov 20(%ebp),%edi + cmp $0,%ecx + je 21f # jmp if a_len == 0 + cld + mov 8(%ebp),%esi # esi = a +20: + lodsl # eax = [ds:esi]; esi += 4 + mov 16(%ebp),%edx # edx = b + mull %edx # edx:eax = Phi:Plo = a_i * b + + add %ebx,%eax # add carry (%ebx) to edx:eax + adc $0,%edx + mov 0(%edi),%ebx # add in current word from *c + add %ebx,%eax + adc $0,%edx + mov %edx,%ebx # high half of product becomes next carry + + stosl # [es:edi] = ax; edi += 4; + dec %ecx # --a_len + jnz 20b # jmp if a_len != 0 +21: + cmp $0,%ebx # is carry zero? + jz 23f + mov 0(%edi),%eax # add in current word from *c + add %ebx,%eax + stosl # [es:edi] = ax; edi += 4; + jnc 23f +22: + mov 0(%edi),%eax # add in current word from *c + adc $0,%eax + stosl # [es:edi] = ax; edi += 4; + jc 22b +23: + pop %ebx + pop %esi + pop %edi + leave + ret + nop +_s_mpv_mul_d_add_prop_sse2: + push %ebp + mov %esp,%ebp + push %edi + push %esi + push %ebx + psubq %mm2,%mm2 # carry = 0 + mov 12(%ebp),%ecx # ecx = a_len + movd 16(%ebp),%mm1 # mm1 = b + mov 20(%ebp),%edi + cmp $0,%ecx + je 26f # jmp if a_len == 0 + mov 8(%ebp),%esi # esi = a + cld +25: + movd 0(%esi),%mm0 # mm0 = *a++ + movd 0(%edi),%mm3 # fetch the sum + add $4,%esi + pmuludq %mm1,%mm0 # mm0 = b * *a++ + paddq %mm0,%mm2 # add the carry + paddq %mm3,%mm2 # add *c++ + movd %mm2,0(%edi) # store the 32bit result + add $4,%edi + psrlq $32, %mm2 # save the carry + dec %ecx # --a_len + jnz 25b # jmp if a_len != 0 +26: + movd %mm2,%ebx + cmp $0,%ebx # is carry zero? + jz 28f + mov 0(%edi),%eax + add %ebx, %eax + stosl + jnc 28f +27: + mov 0(%edi),%eax # add in current word from *c + adc $0,%eax + stosl # [es:edi] = ax; edi += 4; + jc 27b +28: + emms + pop %ebx + pop %esi + pop %edi + leave + ret + nop + + + # ebp - 20: caller's esi + # ebp - 16: caller's edi + # ebp - 12: + # ebp - 8: carry + # ebp - 4: a_len local + # ebp + 0: caller's ebp + # ebp + 4: return address + # ebp + 8: pa argument + # ebp + 12: a_len argument + # ebp + 16: ps argument + # ebp + 20: + # registers: + # eax: + # ebx: carry + # ecx: a_len + # edx: + # esi: a ptr + # edi: c ptr + +.globl _s_mpv_sqr_add_prop +.type _s_mpv_sqr_add_prop,@function +_s_mpv_sqr_add_prop: + GET is_sse,%eax + cmp $0,%eax + je _s_mpv_sqr_add_prop_x86 + jg _s_mpv_sqr_add_prop_sse2 + call _s_mpi_is_sse2 + PUT %eax,is_sse + cmp $0,%eax + jg _s_mpv_sqr_add_prop_sse2 +_s_mpv_sqr_add_prop_x86: + push %ebp + mov %esp,%ebp + sub $12,%esp + push %edi + push %esi + push %ebx + movl $0,%ebx # carry = 0 + mov 12(%ebp),%ecx # a_len + mov 16(%ebp),%edi # edi = ps + cmp $0,%ecx + je 31f # jump if a_len == 0 + cld + mov 8(%ebp),%esi # esi = pa +30: + lodsl # %eax = [ds:si]; si += 4; + mull %eax + + add %ebx,%eax # add "carry" + adc $0,%edx + mov 0(%edi),%ebx + add %ebx,%eax # add low word from result + mov 4(%edi),%ebx + stosl # [es:di] = %eax; di += 4; + adc %ebx,%edx # add high word from result + movl $0,%ebx + mov %edx,%eax + adc $0,%ebx + stosl # [es:di] = %eax; di += 4; + dec %ecx # --a_len + jnz 30b # jmp if a_len != 0 +31: + cmp $0,%ebx # is carry zero? + jz 34f + mov 0(%edi),%eax # add in current word from *c + add %ebx,%eax + stosl # [es:edi] = ax; edi += 4; + jnc 34f +32: + mov 0(%edi),%eax # add in current word from *c + adc $0,%eax + stosl # [es:edi] = ax; edi += 4; + jc 32b +34: + pop %ebx + pop %esi + pop %edi + leave + ret + nop +_s_mpv_sqr_add_prop_sse2: + push %ebp + mov %esp,%ebp + push %edi + push %esi + push %ebx + psubq %mm2,%mm2 # carry = 0 + mov 12(%ebp),%ecx # ecx = a_len + mov 16(%ebp),%edi + cmp $0,%ecx + je 36f # jmp if a_len == 0 + mov 8(%ebp),%esi # esi = a + cld +35: + movd 0(%esi),%mm0 # mm0 = *a + movd 0(%edi),%mm3 # fetch the sum + add $4,%esi + pmuludq %mm0,%mm0 # mm0 = sqr(a) + paddq %mm0,%mm2 # add the carry + paddq %mm3,%mm2 # add the low word + movd 4(%edi),%mm3 + movd %mm2,0(%edi) # store the 32bit result + psrlq $32, %mm2 + paddq %mm3,%mm2 # add the high word + movd %mm2,4(%edi) # store the 32bit result + psrlq $32, %mm2 # save the carry. + add $8,%edi + dec %ecx # --a_len + jnz 35b # jmp if a_len != 0 +36: + movd %mm2,%ebx + cmp $0,%ebx # is carry zero? + jz 38f + mov 0(%edi),%eax + add %ebx, %eax + stosl + jnc 38f +37: + mov 0(%edi),%eax # add in current word from *c + adc $0,%eax + stosl # [es:edi] = ax; edi += 4; + jc 37b +38: + emms + pop %ebx + pop %esi + pop %edi + leave + ret + nop + + # + # Divide 64-bit (Nhi,Nlo) by 32-bit divisor, which must be normalized + # so its high bit is 1. This code is from NSPR. + # + # mp_err _s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, mp_digit divisor, + # mp_digit *qp, mp_digit *rp) + + # esp + 0: Caller's ebx + # esp + 4: return address + # esp + 8: Nhi argument + # esp + 12: Nlo argument + # esp + 16: divisor argument + # esp + 20: qp argument + # esp + 24: rp argument + # registers: + # eax: + # ebx: carry + # ecx: a_len + # edx: + # esi: a ptr + # edi: c ptr + # + +.globl _s_mpv_div_2dx1d +.type _s_mpv_div_2dx1d,@function +_s_mpv_div_2dx1d: + push %ebx + mov 8(%esp),%edx + mov 12(%esp),%eax + mov 16(%esp),%ebx + div %ebx + mov 20(%esp),%ebx + mov %eax,0(%ebx) + mov 24(%esp),%ebx + mov %edx,0(%ebx) + xor %eax,%eax # return zero + pop %ebx + ret + nop +
--- a/security/nss/lib/freebl/nsslowhash.c +++ b/security/nss/lib/freebl/nsslowhash.c @@ -28,17 +28,17 @@ * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: nsslowhash.c,v 1.3 2009/04/15 21:31:55 rrelyea%redhat.com Exp $ */ +/* $Id: nsslowhash.c,v 1.4 2009/06/09 23:34:06 rrelyea%redhat.com Exp $ */ #include "stubs.h" #include "prtypes.h" #include "secerr.h" #include "pkcs11t.h" #include "blapi.h" #include "sechash.h" #include "nsslowhash.h" @@ -284,56 +284,76 @@ static int nsslow_GetFIPSEnabled(void) { if (d != '1') return 0; #endif return 1; } static int post = 0; +static int post_failed = 0; static NSSLOWInitContext dummyContext = { 0 }; NSSLOWInitContext * NSSLOW_Init(void) { SECStatus rv; CK_RV crv; PRBool nsprAvailable = PR_FALSE; rv = FREEBL_InitStubs(); nsprAvailable = (rv == SECSuccess ) ? PR_TRUE : PR_FALSE; + + if (post_failed) { + return NULL; + } if (!post && nsslow_GetFIPSEnabled()) { crv = freebl_fipsPowerUpSelfTest(); if (crv != CKR_OK) { + post_failed = 1; return NULL; } } post = 1; return &dummyContext; } void NSSLOW_Shutdown(NSSLOWInitContext *context) { PORT_Assert(context == &dummyContext); return; } +void +NSSLOW_Reset(NSSLOWInitContext *context) +{ + PORT_Assert(context == &dummyContext); + post_failed = 0; + post = 0; + return; +} + NSSLOWHASHContext * NSSLOWHASH_NewContext(NSSLOWInitContext *initContext, HASH_HashType hashType) { NSSLOWHASHContext *context; + if (post_failed) { + PORT_SetError(SEC_ERROR_PKCS11_DEVICE_ERROR); + return NULL; + } + if (initContext != &dummyContext) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return (NULL); } context = PORT_ZNew(NSSLOWHASHContext); if (!context) { return NULL;
--- a/security/nss/lib/freebl/nsslowhash.h +++ b/security/nss/lib/freebl/nsslowhash.h @@ -40,16 +40,17 @@ * Also NOTE: this only works with Hashing. Only the FIPS interface is enabled. */ typedef struct NSSLOWInitContextStr NSSLOWInitContext; typedef struct NSSLOWHASHContextStr NSSLOWHASHContext; NSSLOWInitContext *NSSLOW_Init(void); void NSSLOW_Shutdown(NSSLOWInitContext *context); +void NSSLOW_Reset(NSSLOWInitContext *context); NSSLOWHASHContext *NSSLOWHASH_NewContext( NSSLOWInitContext *initContext, HASH_HashType hashType); void NSSLOWHASH_Begin(NSSLOWHASHContext *context); void NSSLOWHASH_Update(NSSLOWHASHContext *context, const unsigned char *buf, unsigned int len); void NSSLOWHASH_End(NSSLOWHASHContext *context,
--- a/security/nss/lib/freebl/stubs.c +++ b/security/nss/lib/freebl/stubs.c @@ -530,16 +530,24 @@ freebl_InitNSSUtil(void *lib) * fetch the library if it's loaded. For NSS it should already be loaded */ #define freebl_getLibrary(libName) \ dlopen (libName, RTLD_LAZY|RTLD_NOLOAD) #define freebl_releaseLibrary(lib) \ if (lib) dlclose(lib) +static void * FREEBLnsprGlobalLib = NULL; +static void * FREEBLnssutilGlobalLib = NULL; + +void __attribute ((destructor)) FREEBL_unload() +{ + freebl_releaseLibrary(FREEBLnsprGlobalLib); + freebl_releaseLibrary(FREEBLnssutilGlobalLib); +} #endif /* * load the symbols from the real libraries if available. * * if force is set, explicitly load the libraries if they are not already * loaded. If we could not use the real libraries, return failure. */ @@ -547,35 +555,37 @@ extern SECStatus FREEBL_InitStubs() { SECStatus rv = SECSuccess; #ifdef FREEBL_NO_WEAK void *nspr = NULL; void *nssutil = NULL; /* NSPR should be first */ - if (!ptr_PR_DestroyLock) { + if (!FREEBLnsprGlobalLib) { nspr = freebl_getLibrary(nsprLibName); if (!nspr) { return SECFailure; } rv = freebl_InitNSPR(nspr); - freebl_releaseLibrary(nspr); if (rv != SECSuccess) { + freebl_releaseLibrary(nspr); return rv; } + FREEBLnsprGlobalLib = nspr; /* adopt */ } /* now load NSSUTIL */ - if (!ptr_SECITEM_ZfreeItem_Util) { + if (!FREEBLnssutilGlobalLib) { nssutil= freebl_getLibrary(nssutilLibName); if (!nssutil) { return SECFailure; } rv = freebl_InitNSSUtil(nssutil); - freebl_releaseLibrary(nssutil); if (rv != SECSuccess) { + freebl_releaseLibrary(nssutil); return rv; } + FREEBLnssutilGlobalLib = nssutil; /* adopt */ } #endif return rv; }
--- a/security/nss/lib/freebl/unix_rand.c +++ b/security/nss/lib/freebl/unix_rand.c @@ -624,54 +624,16 @@ GiveSystemInfo(void) } rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf)); if (rv > 0) { RNG_RandomUpdate(buf, rv); } } #endif /* sinix */ -#if defined(VMS) -#include <c_asm.h> - -static void -GiveSystemInfo(void) -{ - long si; - - /* - * This is copied from the SCO/UNIXWARE etc section. And like the comment - * there says, what's the point? This isn't random, it generates the same - * stuff every time its run! - */ - si = sysconf(_SC_CHILD_MAX); - RNG_RandomUpdate(&si, sizeof(si)); - - si = sysconf(_SC_STREAM_MAX); - RNG_RandomUpdate(&si, sizeof(si)); - - si = sysconf(_SC_OPEN_MAX); - RNG_RandomUpdate(&si, sizeof(si)); -} - -/* - * Use the "get the cycle counter" instruction on the alpha. - * The low 32 bits completely turn over in less than a minute. - * The high 32 bits are some non-counter gunk that changes sometimes. - */ -static size_t -GetHighResClock(void *buf, size_t maxbytes) -{ - unsigned long t; - - t = asm("rpcc %v0"); - return CopyLowBits(buf, maxbytes, &t, sizeof(t)); -} - -#endif /* VMS */ #ifdef BEOS #include <be/kernel/OS.h> static size_t GetHighResClock(void *buf, size_t maxbytes) { bigtime_t bigtime; /* Actually an int64 */ @@ -875,19 +837,16 @@ safe_pclose(FILE *fp) } /* Reset SIGCHLD signal hander before returning */ sigaction(SIGCHLD, &oldact, NULL); return status; } - -#if !defined(VMS) - #ifdef DARWIN #include <crt_externs.h> #endif /* Fork netstat to collect its output by default. Do not unset this unless * another source of entropy is available */ #define DO_NETSTAT 1 @@ -1018,75 +977,16 @@ void RNG_SystemInfoForRNG(void) if (fp != NULL) { while ((bytes = fread(buf, 1, sizeof(buf), fp)) > 0) RNG_RandomUpdate(buf, bytes); safe_pclose(fp); } #endif } -#else -void RNG_SystemInfoForRNG(void) -{ - FILE *fp; - char buf[BUFSIZ]; - size_t bytes; - int extra; - char **cp; - extern char **environ; - char *randfile; - - GiveSystemInfo(); - - bytes = RNG_GetNoise(buf, sizeof(buf)); - RNG_RandomUpdate(buf, bytes); - - /* - * Pass the C environment and the addresses of the pointers to the - * hash function. This makes the random number function depend on the - * execution environment of the user and on the platform the program - * is running on. - */ - cp = environ; - while (*cp) { - RNG_RandomUpdate(*cp, strlen(*cp)); - cp++; - } - RNG_RandomUpdate(environ, (char*)cp - (char*)environ); - - /* Give in system information */ - if (gethostname(buf, sizeof(buf)) > 0) { - RNG_RandomUpdate(buf, strlen(buf)); - } - GiveSystemInfo(); - - /* If the user points us to a random file, pass it through the rng */ - randfile = getenv("NSRANDFILE"); - if ( ( randfile != NULL ) && ( randfile[0] != '\0') ) { - RNG_FileForRNG(randfile); - } - - /* - ** We need to generate at least 1024 bytes of seed data. Since we don't - ** do the file stuff for VMS, and because the environ list is so short - ** on VMS, we need to make sure we generate enough. So do another 1000 - ** bytes to be sure. - */ - extra = 1000; - while (extra > 0) { - cp = environ; - while (*cp) { - int n = strlen(*cp); - RNG_RandomUpdate(*cp, n); - extra -= n; - cp++; - } - } -} -#endif #define TOTAL_FILE_LIMIT 1000000 /* one million */ size_t RNG_FileUpdate(const char *fileName, size_t limit) { FILE * file; size_t bytes; size_t fileBytes = 0;
--- a/security/nss/lib/freebl/win_rand.c +++ b/security/nss/lib/freebl/win_rand.c @@ -53,16 +53,17 @@ #include <stdio.h> #include "prio.h" #include "prerror.h" static PRInt32 filesToRead; static DWORD totalFileBytes; static DWORD maxFileBytes = 250000; /* 250 thousand */ static DWORD dwNumFiles, dwReadEvery, dwFileToRead; +static PRBool usedWindowsPRNG; static BOOL CurrentClockTickTime(LPDWORD lpdwHigh, LPDWORD lpdwLow) { LARGE_INTEGER liCount; if (!QueryPerformanceCounter(&liCount)) return FALSE; @@ -126,55 +127,53 @@ size_t RNG_GetNoise(void *buf, size_t ma nBytes = sizeof(sTime) > maxbuf ? maxbuf : sizeof(sTime); memcpy(((char *)buf) + n, &sTime, nBytes); n += nBytes; } return n; } -typedef PRInt32 (* Handler)(const char *); +typedef PRInt32 (* Handler)(const PRUnichar *); #define MAX_DEPTH 2 +#define MAX_FOLDERS 4 +#define MAX_FILES 1024 static void EnumSystemFilesInFolder(Handler func, PRUnichar* szSysDir, int maxDepth) { int iContinue; + unsigned int uFolders = 0; + unsigned int uFiles = 0; HANDLE lFindHandle; WIN32_FIND_DATAW fdData; PRUnichar szFileName[_MAX_PATH]; - char narrowFileName[_MAX_PATH]; if (maxDepth < 0) return; - // tack *.* on the end so we actually look for files. this will - // not overflow - wcscpy(szFileName, szSysDir); - wcscat(szFileName, L"\\*.*"); + // append *.* so we actually look for files. + _snwprintf(szFileName, _MAX_PATH, L"%s\\*.*", szSysDir); lFindHandle = FindFirstFileW(szFileName, &fdData); if (lFindHandle == INVALID_HANDLE_VALUE) return; do { iContinue = 1; if (wcscmp(fdData.cFileName, L".") == 0 || wcscmp(fdData.cFileName, L"..") == 0) { // skip "." and ".." } else { // pass the full pathname to the callback _snwprintf(szFileName, _MAX_PATH, L"%s\\%s", szSysDir, fdData.cFileName); if (fdData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { - EnumSystemFilesInFolder(func, szFileName, maxDepth - 1); + if (++uFolders <= MAX_FOLDERS) + EnumSystemFilesInFolder(func, szFileName, maxDepth - 1); } else { - iContinue = WideCharToMultiByte(CP_ACP, 0, szFileName, -1, - narrowFileName, _MAX_PATH, - NULL, NULL); - if (iContinue) - iContinue = !(*func)(narrowFileName); + iContinue = (++uFiles <= MAX_FILES) && !(*func)(szFileName); } } if (iContinue) iContinue = FindNextFileW(lFindHandle, &fdData); } while (iContinue); FindClose(lFindHandle); } @@ -182,17 +181,16 @@ static BOOL EnumSystemFiles(Handler func) { PRUnichar szSysDir[_MAX_PATH]; static const int folders[] = { CSIDL_BITBUCKET, CSIDL_RECENT, #ifndef WINCE CSIDL_INTERNET_CACHE, - CSIDL_COMPUTERSNEARME, CSIDL_HISTORY, #endif 0 }; int i = 0; if (_MAX_PATH > (i = GetTempPathW(_MAX_PATH, szSysDir))) { if (i > 0 && szSysDir[i-1] == L'\\') szSysDir[i-1] = L'\0'; // we need to lop off the trailing slash @@ -203,66 +201,81 @@ EnumSystemFiles(Handler func) if (szSysDir[0]) EnumSystemFilesInFolder(func, szSysDir, MAX_DEPTH); szSysDir[0] = L'\0'; } return PR_TRUE; } static PRInt32 -CountFiles(const char *file) +CountFiles(const PRUnichar *file) { dwNumFiles++; return 0; } -static void +static int ReadSingleFile(const char *filename) { PRFileDesc * file; - int nBytes; unsigned char buffer[1024]; file = PR_Open(filename, PR_RDONLY, 0); if (file != NULL) { while (PR_Read(file, buffer, sizeof buffer) > 0) ; PR_Close(file); } + return (file != NULL); } static PRInt32 -ReadOneFile(const char *file) +ReadOneFile(const PRUnichar *szFileName) { + char narrowFileName[_MAX_PATH]; + if (dwNumFiles == dwFileToRead) { - ReadSingleFile(file); + int success = WideCharToMultiByte(CP_ACP, 0, szFileName, -1, + narrowFileName, _MAX_PATH, + NULL, NULL); + if (success) + success = ReadSingleFile(narrowFileName); + if (!success) + dwFileToRead++; /* couldn't read this one, read the next one. */ } dwNumFiles++; return dwNumFiles > dwFileToRead; } static PRInt32 -ReadFiles(const char *file) +ReadFiles(const PRUnichar *szFileName) { + char narrowFileName[_MAX_PATH]; + if ((dwNumFiles % dwReadEvery) == 0) { ++filesToRead; } if (filesToRead) { - DWORD prevFileBytes = totalFileBytes; - RNG_FileForRNG(file); + DWORD prevFileBytes = totalFileBytes; + int iContinue = WideCharToMultiByte(CP_ACP, 0, szFileName, -1, + narrowFileName, _MAX_PATH, + NULL, NULL); + if (iContinue) { + RNG_FileForRNG(narrowFileName); + } if (prevFileBytes < totalFileBytes) { --filesToRead; } } dwNumFiles++; return (totalFileBytes >= maxFileBytes); } static void -ReadSystemFiles() +ReadSystemFiles(void) { // first count the number of files dwNumFiles = 0; if (!EnumSystemFiles(CountFiles)) return; RNG_RandomUpdate(&dwNumFiles, sizeof(dwNumFiles)); @@ -272,16 +285,17 @@ ReadSystemFiles() if (dwNumFiles == 0) return; dwReadEvery = dwNumFiles / 10; if (dwReadEvery == 0) dwReadEvery = 1; // less than 10 files dwNumFiles = 0; + totalFileBytes = 0; EnumSystemFiles(ReadFiles); } void RNG_SystemInfoForRNG(void) { DWORD dwVal; char buffer[256]; int nBytes; @@ -344,18 +358,19 @@ void RNG_SystemInfoForRNG(void) &dwNumClusters)) { RNG_RandomUpdate(&dwSectors, sizeof(dwSectors)); RNG_RandomUpdate(&dwBytes, sizeof(dwBytes)); RNG_RandomUpdate(&dwFreeClusters, sizeof(dwFreeClusters)); RNG_RandomUpdate(&dwNumClusters, sizeof(dwNumClusters)); } #endif - // now let's do some files - ReadSystemFiles(); + // Skip the potentially slow file scanning if the OS's PRNG worked. + if (!usedWindowsPRNG) + ReadSystemFiles(); nBytes = RNG_GetNoise(buffer, 20); // get up to 20 bytes RNG_RandomUpdate(buffer, nBytes); } static void rng_systemJitter(void) { dwNumFiles = 0; @@ -405,18 +420,20 @@ void RNG_FileForRNG(const char *filename * The Windows CE and Windows Mobile FIPS Security Policy, page 13, * (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp825.pdf) * says CeGenRandom is the right function to call for creating a seed * for a random number generator. */ size_t RNG_SystemRNG(void *dest, size_t maxLen) { size_t bytes = 0; + usedWindowsPRNG = PR_FALSE; if (CeGenRandom(maxLen, dest)) { - bytes = maxLen; + bytes = maxLen; + usedWindowsPRNG = PR_TRUE; } if (bytes == 0) { bytes = rng_systemFromNoise(dest,maxLen); } return bytes; } @@ -424,18 +441,16 @@ size_t RNG_SystemRNG(void *dest, size_t void RNG_FileForRNG(const char *filename) { FILE* file; int nBytes; struct stat stat_buf; unsigned char buffer[1024]; - /* static DWORD totalFileBytes = 0; */ - /* windows doesn't initialize all the bytes in the stat buf, * so initialize them all here to avoid UMRs. */ memset(&stat_buf, 0, sizeof stat_buf); if (stat((char *)filename, &stat_buf) < 0) return; @@ -511,25 +526,27 @@ size_t RNG_SystemRNG(void *dest, size_t HMODULE hModule; RtlGenRandomFn pRtlGenRandom; CryptAcquireContextAFn pCryptAcquireContextA; CryptReleaseContextFn pCryptReleaseContext; CryptGenRandomFn pCryptGenRandom; HCRYPTPROV hCryptProv; size_t bytes = 0; + usedWindowsPRNG = PR_FALSE; hModule = LoadLibrary("advapi32.dll"); if (hModule == NULL) { return rng_systemFromNoise(dest,maxLen); } pRtlGenRandom = (RtlGenRandomFn) GetProcAddress(hModule, "SystemFunction036"); if (pRtlGenRandom) { if (pRtlGenRandom(dest, maxLen)) { bytes = maxLen; + usedWindowsPRNG = PR_TRUE; } else { bytes = rng_systemFromNoise(dest,maxLen); } goto done; } pCryptAcquireContextA = (CryptAcquireContextAFn) GetProcAddress(hModule, "CryptAcquireContextA"); pCryptReleaseContext = (CryptReleaseContextFn) @@ -539,16 +556,17 @@ size_t RNG_SystemRNG(void *dest, size_t if (!pCryptAcquireContextA || !pCryptReleaseContext || !pCryptGenRandom) { bytes = rng_systemFromNoise(dest,maxLen); goto done; } if (pCryptAcquireContextA(&hCryptProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) { if (pCryptGenRandom(hCryptProv, maxLen, dest)) { bytes = maxLen; + usedWindowsPRNG = PR_TRUE; } pCryptReleaseContext(hCryptProv, 0); } if (bytes == 0) { bytes = rng_systemFromNoise(dest,maxLen); } done: FreeLibrary(hModule);
--- a/security/nss/lib/jar/jarver.c +++ b/security/nss/lib/jar/jarver.c @@ -338,21 +338,21 @@ jar_parse_any(JAR *jar, int type, JAR_Si return status; #endif /* null terminate the first line */ raw_manifest = jar_eat_line(0, PR_TRUE, raw_manifest, &raw_len); /* skip over the preliminary section */ /* This is one section at the top of the file with global metainfo */ - while (raw_len) { + while (raw_len > 0) { JAR_Metainfo *met; raw_manifest = jar_eat_line(1, PR_TRUE, raw_manifest, &raw_len); - if (!*raw_manifest) + if (raw_len <= 0 || !*raw_manifest) break; met = PORT_ZNew(JAR_Metainfo); if (met == NULL) return JAR_ERR_MEMORY; /* Parse out the header & info */ if (PORT_Strlen (raw_manifest) >= SZ) { @@ -438,17 +438,17 @@ jar_parse_any(JAR *jar, int type, JAR_Si if (match != 0) { /* global digest doesn't match, SF file therefore invalid */ jar->valid = JAR_ERR_METADATA; return JAR_ERR_METADATA; } } /* done with top section of global data */ - while (raw_len) { + while (raw_len > 0) { *x_md5 = 0; *x_sha = 0; *x_name = 0; /* If this is a manifest file, attempt to get a digest of the following section, without damaging it. This digest will be saved later. */ if (type == jarTypeMF) { @@ -456,28 +456,28 @@ jar_parse_any(JAR *jar, int type, JAR_Si long sec_len = raw_len; if (!*raw_manifest || *raw_manifest == '\n') { /* skip the blank line */ sec = jar_eat_line(1, PR_FALSE, raw_manifest, &sec_len); } else sec = raw_manifest; - if (!PORT_Strncasecmp(sec, "Name:", 5)) { + if (sec_len > 0 && !PORT_Strncasecmp(sec, "Name:", 5)) { if (type == jarTypeMF) mfdig = jar_digest_section(sec, sec_len); else mfdig = NULL; } } - while (raw_len) { + while (raw_len > 0) { raw_manifest = jar_eat_line(1, PR_TRUE, raw_manifest, &raw_len); - if (!*raw_manifest) + if (raw_len <= 0 || !*raw_manifest) break; /* blank line, done with this entry */ if (PORT_Strlen(raw_manifest) >= SZ) { /* almost certainly nonsense */ continue; } /* Parse out the name/value pair */ @@ -742,63 +742,82 @@ loser: PORT_Free(fing); } return JAR_ERR_MEMORY; } /* * e a t _ l i n e * - * Consume an ASCII line from the top of a file kept in memory. - * This destroys the file in place. + * Reads and/or modifies input buffer "data" of length "*len". + * This function does zero, one or two of the following tasks: + * 1) if "lines" is non-zero, it reads and discards that many lines from + * the input. NUL characters are treated as end-of-line characters, + * not as end-of-input characters. The input is NOT NUL terminated. + * Note: presently, all callers pass either 0 or 1 for lines. + * 2) After skipping the specified number of input lines, if "eating" is + * non-zero, it finds the end of the next line of input and replaces + * the end of line character(s) with a NUL character. + * This function modifies the input buffer, containing the file, in place. * This function handles PC, Mac, and Unix style text files. + * On entry, *len contains the maximum number of characters that this + * function should ever examine, starting with the character in *data. + * On return, *len is reduced by the number of characters skipped by the + * first task, if any; + * If lines is zero and eating is false, this function returns + * the value in the data argument, but otherwise does nothing. */ static char * jar_eat_line(int lines, int eating, char *data, long *len) { - char *ret; + char *start = data; + long maxLen = *len; - ret = data; - if (!*len) - return ret; + if (maxLen <= 0) + return start; + +#define GO_ON ((data - start) < maxLen) /* Eat the requisite number of lines, if any; - prior to terminating the current line with a 0. */ + prior to terminating the current line with a 0. */ + for (/* yip */ ; lines > 0; lines--) { + while (GO_ON && *data && *data != '\r' && *data != '\n') + data++; - for (/* yip */ ; lines; lines--) { - while (*data && *data != '\n') + /* Eat any leading CR */ + if (GO_ON && *data == '\r') data++; /* After the CR, ok to eat one LF */ - if (*data == '\n') + if (GO_ON && *data == '\n') data++; - /* If there are zeros, we put them there */ - while (*data == 0 && data - ret < *len) + /* If there are NULs, this function probably put them there */ + while (GO_ON && !*data) data++; } - - *len -= data - ret; - ret = data; - - if (eating) { + maxLen -= data - start; /* we have this many characters left. */ + *len = maxLen; + start = data; /* now start again here. */ + if (maxLen > 0 && eating) { /* Terminate this line with a 0 */ - while (*data && *data != '\n' && *data != '\r') + while (GO_ON && *data && *data != '\n' && *data != '\r') data++; - /* In any case we are allowed to eat CR */ - if (*data == '\r') + /* If not past the end, we are allowed to eat one CR */ + if (GO_ON && *data == '\r') *data++ = 0; - /* After the CR, ok to eat one LF */ - if (*data == '\n') + /* After the CR (if any), if not past the end, ok to eat one LF */ + if (GO_ON && *data == '\n') *data++ = 0; } - return ret; + return start; } +#undef GO_ON /* * j a r _ d i g e s t _ s e c t i o n * * Return the digests of the next section of the manifest file. * Does not damage the manifest file, unlike parse_manifest. * */ @@ -806,19 +825,19 @@ static JAR_Digest * jar_digest_section(char *manifest, long length) { long global_len; char *global_end; global_end = manifest; global_len = length; - while (global_len) { + while (global_len > 0) { global_end = jar_eat_line(1, PR_FALSE, global_end, &global_len); - if (*global_end == 0 || *global_end == '\n') + if (global_len > 0 && (*global_end == 0 || *global_end == '\n')) break; } return JAR_calculate_digest (manifest, global_end - manifest); } /* * J A R _ v e r i f y _ d i g e s t *
--- a/security/nss/lib/libpkix/include/pkix_errorstrings.h +++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h @@ -137,17 +137,17 @@ PKIX_ERRORENTRY(CERTCHAINFAILSCERTIFICAT PKIX_ERRORENTRY(CERTCHAINTONSSCHAINFAILED,Fail to convert pkix cert chain to nss cert chain,0), PKIX_ERRORENTRY(CERTCHAINTOPKIXCERTLISTFAILED,Failed to convert nss cert chain to pkix cert chain,0), PKIX_ERRORENTRY(CERTCHECKCERTTYPEFAILED,Check cert type failed,SEC_ERROR_INADEQUATE_CERT_TYPE), PKIX_ERRORENTRY(CERTCHECKCERTVALIDTIMESFAILED,CERT_CheckCertValidTimes failed,SEC_ERROR_EXPIRED_CERTIFICATE), PKIX_ERRORENTRY(CERTCHECKCRLFAILED,Fail to get crl cache issued by cert,0), PKIX_ERRORENTRY(CERTCHECKEXTENDEDKEYUSAGEFAILED,pkix_pl_Cert_CheckExtendedKeyUsage failed,0), PKIX_ERRORENTRY(CERTCHECKKEYUSAGEFAILED,CERT_CheckKeyUsage failed,SEC_ERROR_INADEQUATE_KEY_USAGE), PKIX_ERRORENTRY(CERTCHECKNAMECONSTRAINTSFAILED,PKIX_PL_Cert_CheckNameConstraints failed,0), -PKIX_ERRORENTRY(CERTCHECKVALIDITYFAILED,PKIX_PL_Cert_CheckValidity failed,SEC_ERROR_CERT_NOT_VALID), +PKIX_ERRORENTRY(CERTCHECKVALIDITYFAILED,PKIX_PL_Cert_CheckValidity failed,0), PKIX_ERRORENTRY(CERTCOMPLETECRLDECODEDENTRIESFAILED,CERT_CompleteCRLDecodedEntries failed,0), PKIX_ERRORENTRY(CERTCOPYNAMECONSTRAINTFAILED,CERT_CopyNameConstraint failed,0), PKIX_ERRORENTRY(CERTCOPYNAMEFAILED,CERT_CopyName failed,0), PKIX_ERRORENTRY(CERTCREATEFAILED,PKIX_PL_Cert_Create failed,0), PKIX_ERRORENTRY(CERTCREATEGENERALNAMELISTFAILED,CERT_CreateGeneralNameList failed,0), PKIX_ERRORENTRY(CERTCREATETOLISTFAILED,pkix_pl_Cert_CreateToList failed,0), PKIX_ERRORENTRY(CERTCREATEWITHNSSCERTFAILED,pkix_pl_Cert_CreateWithNSSCert failed,0), PKIX_ERRORENTRY(CERTDECODEALTNAMEEXTENSIONFAILED,CERT_DecodeAltNameExtension failed,0),
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c @@ -269,16 +269,18 @@ pkix_pl_AIAMgr_GetHTTPCerts( PKIX_CHECK(PKIX_PL_InfoAccess_GetLocation (ia, &location, plContext), PKIX_INFOACCESSGETLOCATIONFAILED); /* find or create httpClient = default client */ httpClient = SEC_GetRegisteredHttpClient(); aiaMgr->client.hdata.httpClient = httpClient; + if (!httpClient) + PKIX_ERROR(PKIX_OUTOFMEMORY); if (httpClient->version == 1) { PKIX_UInt32 timeout = ((PKIX_PL_NssContext*)plContext)->timeoutSeconds; hcv1 = &(httpClient->fcnTable.ftable1);
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.c @@ -147,29 +147,29 @@ pkix_pl_CrlDp_Create( * a distinguish name. */ PKIX_ERROR(PKIX_NOTCONFORMINGCRLDP); } issuerName = &dp->crlIssuer->name.directoryName; } else { issuerName = certIssuerName; } rdnArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (rdnArena) { + if (!rdnArena) { PKIX_ERROR(PKIX_PORTARENAALLOCFAILED); } issuerNameCopy = (CERTName *)PORT_ArenaZNew(rdnArena, CERTName*); if (!issuerNameCopy) { PKIX_ERROR(PKIX_ALLOCERROR); } rv = CERT_CopyName(rdnArena, issuerNameCopy, (CERTName*)issuerName); if (rv == SECFailure) { PKIX_ERROR(PKIX_ALLOCERROR); } rv = CERT_AddRDN(issuerNameCopy, (CERTRDN*)relName); - if (rv = SECFailure) { + if (rv == SECFailure) { PKIX_ERROR(PKIX_ALLOCERROR); } dpl->distPointType = relativeDistinguishedName; dpl->name.issuerName = issuerNameCopy; rdnArena = NULL; } *pPkixDP = dpl; dpl = NULL;
--- a/security/nss/lib/nss/config.mk +++ b/security/nss/lib/nss/config.mk @@ -124,39 +124,16 @@ SHARED_LIBRARY_DIRS = \ ../libpkix/pkix/util \ ../libpkix/pkix/crlsel \ ../libpkix/pkix/store \ ../libpkix/pkix_pl_nss/pki \ ../libpkix/pkix_pl_nss/system \ ../libpkix/pkix_pl_nss/module \ $(NULL) -ifeq ($(OS_TARGET),SunOS) -ifeq ($(BUILD_SUN_PKG), 1) -# The -R '$ORIGIN' linker option instructs this library to search for its -# dependencies in the same directory where it resides. -ifeq ($(USE_64), 1) -MKSHLIB += -R '$$ORIGIN:/usr/lib/mps/secv1/64:/usr/lib/mps/64' -else -MKSHLIB += -R '$$ORIGIN:/usr/lib/mps/secv1:/usr/lib/mps' -endif -else -MKSHLIB += -R '$$ORIGIN' -endif -endif - -ifeq ($(OS_ARCH), HP-UX) -ifneq ($(OS_TEST), ia64) -# pa-risc -ifeq ($(USE_64), 1) -MKSHLIB += +b '$$ORIGIN' -endif -endif -endif - ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET))) ifndef NS_USE_GCC # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x # but do not put it in the import library. See bug 142575. DEFINES += -DWIN32_NSS3_DLL_COMPAT DLLFLAGS += -EXPORT:mktemp=nss_mktemp,PRIVATE endif endif
--- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -31,17 +31,17 @@ * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: nss.h,v 1.66 2009/04/30 18:16:09 kaie%kuix.de Exp $ */ +/* $Id: nss.h,v 1.67 2009/07/20 20:06:57 nelson%bolyard.com Exp $ */ #ifndef __nss_h_ #define __nss_h_ /* The private macro _NSS_ECC_STRING is for NSS internal use only. */ #ifdef NSS_ENABLE_ECC #ifdef NSS_ECC_MORE_THAN_SUITE_B #define _NSS_ECC_STRING " Extended ECC" @@ -61,17 +61,17 @@ /* * NSS's major version, minor version, patch level, and whether * this is a beta release. * * The format of the version string should be * "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]" */ -#define NSS_VERSION "3.12.4.1" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta" +#define NSS_VERSION "3.12.4.4" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta" #define NSS_VMAJOR 3 #define NSS_VMINOR 12 #define NSS_VPATCH 4 #define NSS_BETA PR_TRUE #ifndef RC_INVOKED #include "seccomon.h"
--- a/security/nss/lib/nss/nssinit.c +++ b/security/nss/lib/nss/nssinit.c @@ -31,19 +31,20 @@ * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: nssinit.c,v 1.97 2008/08/22 01:33:03 wtc%google.com Exp $ */ +/* $Id: nssinit.c,v 1.98 2009/05/29 19:23:30 wtc%google.com Exp $ */ #include <ctype.h> +#include <string.h> #include "seccomon.h" #include "prinit.h" #include "prprf.h" #include "prmem.h" #include "cert.h" #include "key.h" #include "ssl.h" #include "sslproto.h" @@ -550,17 +551,21 @@ loser: } if (nss_InitShutdownList() != SECSuccess) { return SECFailure; } CERT_SetDefaultCertDB((CERTCertDBHandle *) STAN_GetDefaultTrustDomain()); if ((!noModDB) && (!noCertDB) && (!noRootInit)) { if (!SECMOD_HasRootCerts()) { - nss_FindExternalRoot(configdir, secmodName); + const char *dbpath = configdir; + if (strncmp(dbpath, "sql:", 4) == 0) { + dbpath += 4; + } + nss_FindExternalRoot(dbpath, secmodName); } } pk11sdr_Init(); cert_CreateSubjectKeyIDHashTable(); nss_IsInitted = PR_TRUE; } if (SECSuccess == rv) {
--- a/security/nss/lib/pk11wrap/pk11auth.c +++ b/security/nss/lib/pk11wrap/pk11auth.c @@ -625,26 +625,27 @@ PK11_DoPassword(PK11SlotInfo *slot, PRBo } } else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD); return rv; } void PK11_LogoutAll(void) { SECMODListLock *lock = SECMOD_GetDefaultModuleListLock(); - SECMODModuleList *modList = SECMOD_GetDefaultModuleList(); + SECMODModuleList *modList; SECMODModuleList *mlp = NULL; int i; /* NSS is not initialized, there are not tokens to log out */ if (lock == NULL) { return; } SECMOD_GetReadLock(lock); + modList = SECMOD_GetDefaultModuleList(); /* find the number of entries */ for (mlp = modList; mlp != NULL; mlp = mlp->next) { for (i=0; i < mlp->module->slotCount; i++) { PK11_Logout(mlp->module->slots[i]); } } SECMOD_ReleaseReadLock(lock);
--- a/security/nss/lib/pk11wrap/pk11sdr.h +++ b/security/nss/lib/pk11wrap/pk11sdr.h @@ -38,22 +38,23 @@ #define _PK11SDR_H_ #include "seccomon.h" SEC_BEGIN_PROTOS /* * PK11SDR_Encrypt - encrypt data using the specified key id or SDR default - * + * result should be freed with SECItem_ZfreeItem */ SECStatus PK11SDR_Encrypt(SECItem *keyid, SECItem *data, SECItem *result, void *cx); /* * PK11SDR_Decrypt - decrypt data previously encrypted with PK11SDR_Encrypt + * result should be freed with SECItem_ZfreeItem */ SECStatus PK11SDR_Decrypt(SECItem *data, SECItem *result, void *cx); SEC_END_PROTOS #endif
--- a/security/nss/lib/pk11wrap/pk11skey.c +++ b/security/nss/lib/pk11wrap/pk11skey.c @@ -45,16 +45,17 @@ #include "nssilock.h" #include "secmodi.h" #include "secmodti.h" #include "pkcs11.h" #include "pk11func.h" #include "secitem.h" #include "secoid.h" #include "secerr.h" +#include "hasht.h" /* forward static declarations. */ static PK11SymKey *pk11_DeriveWithTemplate(PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, CK_ATTRIBUTE *userAttr, unsigned int numAttrs, PRBool isPerm); static void @@ -673,40 +674,52 @@ PK11_GetKeyData(PK11SymKey *symKey) /* This symbol is exported for backward compatibility. */ SECItem * __PK11_GetKeyData(PK11SymKey *symKey) { return PK11_GetKeyData(symKey); } + +/* + * PKCS #11 key Types with predefined length + */ +unsigned int +pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType) +{ + int length = 0; + switch (keyType) { + case CKK_DES: length = 8; break; + case CKK_DES2: length = 16; break; + case CKK_DES3: length = 24; break; + case CKK_SKIPJACK: length = 10; break; + case CKK_BATON: length = 20; break; + case CKK_JUNIPER: length = 20; break; + default: break; + } + return length; +} + /* return the keylength if possible. '0' if not */ unsigned int PK11_GetKeyLength(PK11SymKey *key) { CK_KEY_TYPE keyType; if (key->size != 0) return key->size; /* First try to figure out the key length from its type */ keyType = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_KEY_TYPE); - switch (keyType) { - case CKK_DES: key->size = 8; break; - case CKK_DES2: key->size = 16; break; - case CKK_DES3: key->size = 24; break; - case CKK_SKIPJACK: key->size = 10; break; - case CKK_BATON: key->size = 20; break; - case CKK_JUNIPER: key->size = 20; break; - case CKK_GENERIC_SECRET: - if (key->type == CKM_SSL3_PRE_MASTER_KEY_GEN) { - key->size=48; - } - break; - default: break; + key->size = pk11_GetPredefinedKeyLength(keyType); + if ((keyType == CKK_GENERIC_SECRET) && + (key->type == CKM_SSL3_PRE_MASTER_KEY_GEN)) { + key->size=48; } + if( key->size != 0 ) return key->size; if (key->data.data == NULL) { PK11_ExtractKeyValue(key); } /* key is probably secret. Look up its length */ /* this is new PKCS #11 version 2.0 functionality. */ if (key->size == 0) { @@ -1631,17 +1644,16 @@ PK11_PubDerive(SECKEYPrivateKey *privKey CK_BBOOL cktrue = CK_TRUE; CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; CK_ULONG key_size = 0; CK_ATTRIBUTE keyTemplate[4]; int templateCount; CK_ATTRIBUTE *attrs = keyTemplate; CK_ECDH1_DERIVE_PARAMS *mechParams = NULL; - SECItem *pubValue = NULL; if (pubKey->keyType != ecKey) { PORT_SetError(SEC_ERROR_BAD_KEY); break; } PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); attrs++; @@ -1650,52 +1662,66 @@ PK11_PubDerive(SECKEYPrivateKey *privKey PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++; PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); attrs++; templateCount = attrs - keyTemplate; PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE)); keyType = PK11_GetKeyType(target,keySize); key_size = keySize; - symKey->size = keySize; - if (key_size == 0) templateCount--; + if (key_size == 0) { + if (pk11_GetPredefinedKeyLength(keyType)) { + templateCount --; + } else { + /* sigh, some tokens can't figure this out and require + * CKA_VALUE_LEN to be set */ + key_size = SHA1_LENGTH; + } + } + symKey->size = key_size; mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS); mechParams->kdf = CKD_SHA1_KDF; mechParams->ulSharedDataLen = 0; mechParams->pSharedData = NULL; - - if (PR_GetEnv("NSS_USE_DECODED_CKA_EC_POINT")) { - mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len; - mechParams->pPublicData = pubKey->u.ec.publicValue.data; - } else { - pubValue = SEC_ASN1EncodeItem(NULL, NULL, - &pubKey->u.ec.publicValue, - SEC_ASN1_GET(SEC_OctetStringTemplate)); - if (pubValue == NULL) { - PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); - break; - } - mechParams->ulPublicDataLen = pubValue->len; - mechParams->pPublicData = pubValue->data; - } + mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len; + mechParams->pPublicData = pubKey->u.ec.publicValue.data; mechanism.mechanism = derive; mechanism.pParameter = mechParams; mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS); pk11_EnterKeyMonitor(symKey); crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism, privKey->pkcs11ID, keyTemplate, templateCount, &symKey->objectID); pk11_ExitKeyMonitor(symKey); - if (pubValue) { + /* old PKCS #11 spec was ambiguous on what needed to be passed, + * try this again with and encoded public key */ + if (crv != CKR_OK) { + SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, + &pubKey->u.ec.publicValue, + SEC_ASN1_GET(SEC_OctetStringTemplate)); + if (pubValue == NULL) { + PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); + break; + } + mechParams->ulPublicDataLen = pubValue->len; + mechParams->pPublicData = pubValue->data; + + pk11_EnterKeyMonitor(symKey); + crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, + &mechanism, privKey->pkcs11ID, keyTemplate, + templateCount, &symKey->objectID); + pk11_ExitKeyMonitor(symKey); + SECITEM_FreeItem(pubValue,PR_TRUE); } + PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); if (crv == CKR_OK) return symKey; PORT_SetError( PK11_MapError(crv) ); } } PK11_FreeSymKey(symKey); @@ -1717,17 +1743,16 @@ pk11_PubDeriveECKeyWithKDF( CK_BBOOL cktrue = CK_TRUE; CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; CK_ULONG key_size = 0; CK_ATTRIBUTE keyTemplate[4]; int templateCount; CK_ATTRIBUTE *attrs = keyTemplate; CK_ECDH1_DERIVE_PARAMS *mechParams = NULL; - SECItem *pubValue = NULL; if (pubKey->keyType != ecKey) { PORT_SetError(SEC_ERROR_BAD_KEY); return NULL; } if ((kdf < CKD_NULL) || (kdf > CKD_SHA1_KDF)) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return NULL; @@ -1745,63 +1770,87 @@ pk11_PubDeriveECKeyWithKDF( PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); attrs++; PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++; PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); attrs++; templateCount = attrs - keyTemplate; PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE)); keyType = PK11_GetKeyType(target,keySize); key_size = keySize; - symKey->size = keySize; - if (key_size == 0) - templateCount--; + if (key_size == 0) { + if (pk11_GetPredefinedKeyLength(keyType)) { + templateCount --; + } else { + /* sigh, some tokens can't figure this out and require + * CKA_VALUE_LEN to be set */ + switch (kdf) { + case CKD_NULL: + key_size = (pubKey->u.ec.publicValue.len-1)/2; + break; + case CKD_SHA1_KDF: + key_size = SHA1_LENGTH; + break; + default: + PORT_Assert(!"Invalid CKD"); + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; + } + } + } + symKey->size = key_size; mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS); if (!mechParams) { PK11_FreeSymKey(symKey); return NULL; } mechParams->kdf = kdf; if (sharedData == NULL) { mechParams->ulSharedDataLen = 0; mechParams->pSharedData = NULL; } else { mechParams->ulSharedDataLen = sharedData->len; mechParams->pSharedData = sharedData->data; } - if (PR_GetEnv("NSS_USE_DECODED_CKA_EC_POINT")) { - mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len; - mechParams->pPublicData = pubKey->u.ec.publicValue.data; - } else { - pubValue = SEC_ASN1EncodeItem(NULL, NULL, - &pubKey->u.ec.publicValue, - SEC_ASN1_GET(SEC_OctetStringTemplate)); - if (pubValue == NULL) { - PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); - PK11_FreeSymKey(symKey); - return NULL; - } - mechParams->ulPublicDataLen = pubValue->len; - mechParams->pPublicData = pubValue->data; - } + mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len; + mechParams->pPublicData = pubKey->u.ec.publicValue.data; mechanism.mechanism = derive; mechanism.pParameter = mechParams; mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS); pk11_EnterKeyMonitor(symKey); crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism, privKey->pkcs11ID, keyTemplate, templateCount, &symKey->objectID); pk11_ExitKeyMonitor(symKey); - PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); - if (pubValue) { + /* old PKCS #11 spec was ambiguous on what needed to be passed, + * try this again with and encoded public key */ + if (crv != CKR_OK) { + SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, + &pubKey->u.ec.publicValue, + SEC_ASN1_GET(SEC_OctetStringTemplate)); + if (pubValue == NULL) { + goto loser; + } + mechParams->ulPublicDataLen = pubValue->len; + mechParams->pPublicData = pubValue->data; + + pk11_EnterKeyMonitor(symKey); + crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, + &mechanism, privKey->pkcs11ID, keyTemplate, + templateCount, &symKey->objectID); + pk11_ExitKeyMonitor(symKey); + SECITEM_FreeItem(pubValue,PR_TRUE); } +loser: + PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); + if (crv != CKR_OK) { PK11_FreeSymKey(symKey); symKey = NULL; PORT_SetError( PK11_MapError(crv) ); } return symKey; }
--- a/security/nss/lib/pk11wrap/pk11slot.c +++ b/security/nss/lib/pk11wrap/pk11slot.c @@ -477,23 +477,29 @@ PK11_ExitSlotMonitor(PK11SlotInfo *slot) /*********************************************************** * Functions to find specific slots. ***********************************************************/ PRBool SECMOD_HasRootCerts(void) { SECMODModuleList *mlp; - SECMODModuleList *modules = SECMOD_GetDefaultModuleList(); + SECMODModuleList *modules; SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); int i; PRBool found = PR_FALSE; + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return found; + } + /* work through all the slots */ SECMOD_GetReadLock(moduleLock); + modules = SECMOD_GetDefaultModuleList(); for(mlp = modules; mlp != NULL; mlp = mlp->next) { for (i=0; i < mlp->module->slotCount; i++) { PK11SlotInfo *tmpSlot = mlp->module->slots[i]; if (PK11_IsPresent(tmpSlot)) { if (tmpSlot->hasRootCerts) { found = PR_TRUE; break; } @@ -509,39 +515,45 @@ SECMOD_HasRootCerts(void) /*********************************************************** * Functions to find specific slots. ***********************************************************/ PK11SlotList * PK11_FindSlotsByNames(const char *dllName, const char* slotName, const char* tokenName, PRBool presentOnly) { SECMODModuleList *mlp; - SECMODModuleList *modules = SECMOD_GetDefaultModuleList(); + SECMODModuleList *modules; SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); int i; PK11SlotList* slotList = NULL; PRUint32 slotcount = 0; SECStatus rv = SECSuccess; + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return slotList; + } + slotList = PK11_NewSlotList(); if (!slotList) { PORT_SetError(SEC_ERROR_NO_MEMORY); - return NULL; + return slotList; } if ( ((NULL == dllName) || (0 == *dllName)) && ((NULL == slotName) || (0 == *slotName)) && ((NULL == tokenName) || (0 == *tokenName)) ) { /* default to softoken */ PK11_AddSlotToList(slotList, PK11_GetInternalKeySlot()); return slotList; } /* work through all the slots */ SECMOD_GetReadLock(moduleLock); + modules = SECMOD_GetDefaultModuleList(); for (mlp = modules; mlp != NULL; mlp = mlp->next) { PORT_Assert(mlp->module); if (!mlp->module) { rv = SECFailure; break; } if ((!dllName) || (mlp->module->dllName && (0 == PORT_Strcmp(mlp->module->dllName, dllName)))) { @@ -579,27 +591,32 @@ PK11_FindSlotsByNames(const char *dllNam return slotList; } PK11SlotInfo * PK11_FindSlotByName(const char *name) { SECMODModuleList *mlp; - SECMODModuleList *modules = SECMOD_GetDefaultModuleList(); + SECMODModuleList *modules; SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); int i; PK11SlotInfo *slot = NULL; + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return slot; + } if ((name == NULL) || (*name == 0)) { return PK11_GetInternalKeySlot(); } /* work through all the slots */ SECMOD_GetReadLock(moduleLock); + modules = SECMOD_GetDefaultModuleList(); for(mlp = modules; mlp != NULL; mlp = mlp->next) { for (i=0; i < mlp->module->slotCount; i++) { PK11SlotInfo *tmpSlot = mlp->module->slots[i]; if (PK11_IsPresent(tmpSlot)) { if (PORT_Strcmp(tmpSlot->token_name,name) == 0) { slot = PK11_ReferenceSlot(tmpSlot); break; } @@ -616,23 +633,28 @@ PK11_FindSlotByName(const char *name) return slot; } PK11SlotInfo * PK11_FindSlotBySerial(char *serial) { SECMODModuleList *mlp; - SECMODModuleList *modules = SECMOD_GetDefaultModuleList(); + SECMODModuleList *modules; SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); int i; PK11SlotInfo *slot = NULL; + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return slot; + } /* work through all the slots */ SECMOD_GetReadLock(moduleLock); + modules = SECMOD_GetDefaultModuleList(); for(mlp = modules; mlp != NULL; mlp = mlp->next) { for (i=0; i < mlp->module->slotCount; i++) { PK11SlotInfo *tmpSlot = mlp->module->slots[i]; if (PK11_IsPresent(tmpSlot)) { if (PORT_Memcmp(tmpSlot->serial,serial, sizeof(tmpSlot->serial)) == 0) { slot = PK11_ReferenceSlot(tmpSlot); break; @@ -1717,33 +1739,38 @@ PK11_DoesMechanism(PK11SlotInfo *slot, C * Return true if a token that can do the desired mechanism exists. * This allows us to have hardware tokens that can do function XYZ magically * allow SSL Ciphers to appear if they are plugged in. */ PRBool PK11_TokenExists(CK_MECHANISM_TYPE type) { SECMODModuleList *mlp; - SECMODModuleList *modules = SECMOD_GetDefaultModuleList(); + SECMODModuleList *modules; SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); PK11SlotInfo *slot; PRBool found = PR_FALSE; int i; + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return found; + } /* we only need to know if there is a token that does this mechanism. * check the internal module first because it's fast, and supports * almost everything. */ slot = PK11_GetInternalSlot(); if (slot) { found = PK11_DoesMechanism(slot,type); PK11_FreeSlot(slot); } if (found) return PR_TRUE; /* bypass getting module locks */ SECMOD_GetReadLock(moduleLock); + modules = SECMOD_GetDefaultModuleList(); for(mlp = modules; mlp != NULL && (!found); mlp = mlp->next) { for (i=0; i < mlp->module->slotCount; i++) { slot = mlp->module->slots[i]; if (PK11_IsPresent(slot)) { if (PK11_DoesMechanism(slot,type)) { found = PR_TRUE; break; } @@ -1759,36 +1786,47 @@ PK11_TokenExists(CK_MECHANISM_TYPE type) * that can perform the given mechanism. If mechanism is CKM_INVALID_MECHANISM, * get all the tokens. Make sure tokens that need authentication are put at * the end of this list. */ PK11SlotList * PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW, PRBool loadCerts, void *wincx) { - PK11SlotList * list = PK11_NewSlotList(); - PK11SlotList * loginList = PK11_NewSlotList(); - PK11SlotList * friendlyList = PK11_NewSlotList(); + PK11SlotList * list; + PK11SlotList * loginList; + PK11SlotList * friendlyList; SECMODModuleList * mlp; - SECMODModuleList * modules = SECMOD_GetDefaultModuleList(); - SECMODListLock * moduleLock = SECMOD_GetDefaultModuleListLock(); + SECMODModuleList * modules; + SECMODListLock * moduleLock; int i; #if defined( XP_WIN32 ) int j = 0; PRInt32 waste[16]; #endif + moduleLock = SECMOD_GetDefaultModuleListLock(); + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return NULL; + } + + list = PK11_NewSlotList(); + loginList = PK11_NewSlotList(); + friendlyList = PK11_NewSlotList(); if ((list == NULL) || (loginList == NULL) || (friendlyList == NULL)) { if (list) PK11_FreeSlotList(list); if (loginList) PK11_FreeSlotList(loginList); if (friendlyList) PK11_FreeSlotList(friendlyList); return NULL; } SECMOD_GetReadLock(moduleLock); + + modules = SECMOD_GetDefaultModuleList(); for(mlp = modules; mlp != NULL; mlp = mlp->next) { #if defined( XP_WIN32 ) /* This is works around some horrible cache/page thrashing problems ** on Win32. Without this, this loop can take up to 6 seconds at ** 100% CPU on a Pentium-Pro 200. The thing this changes is to ** increase the size of the stack frame and modify it. ** Moving the loop code itself seems to have no effect.
--- a/security/nss/lib/pk11wrap/pk11util.c +++ b/security/nss/lib/pk11wrap/pk11util.c @@ -218,16 +218,20 @@ SECMODListLock *SECMOD_GetDefaultModuleL * return that module. */ SECMODModule * SECMOD_FindModule(const char *name) { SECMODModuleList *mlp; SECMODModule *module = NULL; + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return module; + } SECMOD_GetReadLock(moduleLock); for(mlp = modules; mlp != NULL; mlp = mlp->next) { if (PORT_Strcmp(name,mlp->module->commonName) == 0) { module = mlp->module; SECMOD_ReferenceModule(module); break; } } @@ -253,16 +257,20 @@ found: * return that module. */ SECMODModule * SECMOD_FindModuleByID(SECMODModuleID id) { SECMODModuleList *mlp; SECMODModule *module = NULL; + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return module; + } SECMOD_GetReadLock(moduleLock); for(mlp = modules; mlp != NULL; mlp = mlp->next) { if (id == mlp->module->moduleID) { module = mlp->module; SECMOD_ReferenceModule(module); break; } } @@ -277,16 +285,20 @@ SECMOD_FindModuleByID(SECMODModuleID id) * Find the Slot based on ID and the module. */ PK11SlotInfo * SECMOD_FindSlotByID(SECMODModule *module, CK_SLOT_ID slotID) { int i; PK11SlotInfo *slot = NULL; + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return slot; + } SECMOD_GetReadLock(moduleLock); for (i=0; i < module->slotCount; i++) { PK11SlotInfo *cSlot = module->slots[i]; if (cSlot->slotID == slotID) { slot = PK11_ReferenceSlot(cSlot); break; } @@ -324,16 +336,21 @@ SECMOD_LookupSlot(SECMODModuleID moduleI SECStatus SECMOD_DeleteModuleEx(const char *name, SECMODModule *mod, int *type, PRBool permdb) { SECMODModuleList *mlp; SECMODModuleList **mlpp; SECStatus rv = SECFailure; + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return rv; + } + *type = SECMOD_EXTERNAL; SECMOD_GetWriteLock(moduleLock); for (mlpp = &modules,mlp = modules; mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) { if ((name && (PORT_Strcmp(name,mlp->module->commonName) == 0)) || mod == mlp->module) { /* don't delete the internal module */ @@ -400,16 +417,20 @@ SECMOD_DeleteInternalModule(const char * SECMODModuleList *mlp; SECMODModuleList **mlpp; SECStatus rv = SECFailure; if (pendingModule) { PORT_SetError(SEC_ERROR_MODULE_STUCK); return rv; } + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return rv; + } SECMOD_GetWriteLock(moduleLock); for(mlpp = &modules,mlp = modules; mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) { if (PORT_Strcmp(name,mlp->module->commonName) == 0) { /* don't delete the internal module */ if (mlp->module->internal) { SECMOD_RemoveList(mlpp,mlp); @@ -503,16 +524,20 @@ SECMOD_AddModule(SECMODModule *newModule PK11SlotInfo * SECMOD_FindSlot(SECMODModule *module,const char *name) { int i; char *string; PK11SlotInfo *retSlot = NULL; + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return retSlot; + } SECMOD_GetReadLock(moduleLock); for (i=0; i < module->slotCount; i++) { PK11SlotInfo *slot = module->slots[i]; if (PK11_IsPresent(slot)) { string = PK11_GetTokenName(slot); } else { string = PK11_GetSlotName(slot); @@ -569,16 +594,20 @@ SECMOD_AddNewModuleEx(const char* module char* modparms, char* nssparms) { SECMODModule *module; SECStatus result = SECFailure; int s,i; PK11SlotInfo* slot; PR_SetErrorText(0, NULL); + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return result; + } module = SECMOD_CreateModule(dllPath, moduleName, modparms, nssparms); if (module == NULL) { return result; } if (module->dllName != NULL) { @@ -688,20 +717,24 @@ SECMOD_InternaltoPubCipherFlags(unsigned return internalFlags; } /* Funtion reports true if module of modType is installed/configured */ PRBool SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags ) { PRBool result = PR_FALSE; - SECMODModuleList *mods = SECMOD_GetDefaultModuleList(); + SECMODModuleList *mods; + + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return result; + } SECMOD_GetReadLock(moduleLock); - - + mods = SECMOD_GetDefaultModuleList(); for ( ; mods != NULL; mods = mods->next) { if (mods->module->ssl[0] & SECMOD_PubCipherFlagstoInternal(pubCipherEnableFlags)) { result = PR_TRUE; } } SECMOD_ReleaseReadLock(moduleLock); @@ -862,16 +895,21 @@ SECMOD_UpdateSlotList(SECMODModule *mod) CK_ULONG count; CK_ULONG i, oldCount; PRBool freeRef = PR_FALSE; void *mark = NULL; CK_ULONG *slotIDs = NULL; PK11SlotInfo **newSlots = NULL; PK11SlotInfo **oldSlots = NULL; + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return SECFailure; + } + /* C_GetSlotList is not a session function, make sure * calls are serialized */ PZ_Lock(mod->refLock); freeRef = PR_TRUE; /* see if the number of slots have changed */ crv = PK11_GETTAB(mod)->C_GetSlotList(PR_FALSE, NULL, &count); if (crv != CKR_OK) { PORT_SetError(PK11_MapError(crv)); @@ -983,16 +1021,20 @@ loser: PK11SlotInfo * secmod_HandleWaitForSlotEvent(SECMODModule *mod, unsigned long flags, PRIntervalTime latency) { PRBool removableSlotsFound = PR_FALSE; int i; int error = SEC_ERROR_NO_EVENT; + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return NULL; + } PZ_Lock(mod->refLock); if (mod->evControlMask & SECMOD_END_WAIT) { mod->evControlMask &= ~SECMOD_END_WAIT; PZ_Unlock(mod->refLock); PORT_SetError(SEC_ERROR_NO_EVENT); return NULL; } mod->evControlMask |= SECMOD_WAIT_SIMULATED_EVENT; @@ -1179,16 +1221,20 @@ loser: * watch for. */ PRBool SECMOD_HasRemovableSlots(SECMODModule *mod) { int i; PRBool ret = PR_FALSE; + if (!moduleLock) { + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return ret; + } SECMOD_GetReadLock(moduleLock); for (i=0; i < mod->slotCount; i++) { PK11SlotInfo *slot = mod->slots[i]; /* perm modules are not inserted or removed */ if (slot->isPerm) { continue; } ret = PR_TRUE;
--- a/security/nss/lib/pkcs12/p12d.c +++ b/security/nss/lib/pkcs12/p12d.c @@ -2402,17 +2402,20 @@ sec_pkcs12_add_cert(sec_PKCS12SafeBag *c certList[1] = NULL; rv = CERT_ImportCerts(CERT_GetDefaultCertDB(), certUsageUserCertImport, 1, certList, NULL, PR_TRUE, PR_FALSE, nickData); } else { rv = PK11_ImportDERCert(cert->slot, derCert, CK_INVALID_HANDLE, nickData, PR_FALSE); } - + if (rv) { + cert->problem = 1; + cert->error = PORT_GetError(); + } cert->installed = PR_TRUE; if(nickName) SECITEM_ZfreeItem(nickName, PR_TRUE); return rv; } static SECItem * sec_pkcs12_get_public_value_and_type(SECKEYPublicKey *pubKey, KeyType *type);
--- a/security/nss/lib/smime/config.mk +++ b/security/nss/lib/smime/config.mk @@ -88,23 +88,8 @@ SHARED_LIBRARY_LIBS = \ $(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \ $(NULL) SHARED_LIBRARY_DIRS = \ ../pkcs12 \ ../pkcs7 \ $(NULL) -ifeq ($(OS_TARGET),SunOS) -# The -R '$ORIGIN' linker option instructs this library to search for its -# dependencies in the same directory where it resides. -MKSHLIB += -R '$$ORIGIN' -endif - -ifeq ($(OS_ARCH), HP-UX) -ifneq ($(OS_TEST), ia64) -# pa-risc -ifeq ($(USE_64), 1) -MKSHLIB += +b '$$ORIGIN' -endif -endif -endif -
--- a/security/nss/lib/softoken/config.mk +++ b/security/nss/lib/softoken/config.mk @@ -91,26 +91,14 @@ EXTRA_SHARED_LIBS += \ $(NULL) endif ifeq ($(OS_TARGET),AIX) OS_LIBS += -lpthread endif ifeq ($(OS_TARGET),SunOS) -# The -R '$ORIGIN' linker option instructs this library to search for its -# dependencies in the same directory where it resides. -MKSHLIB += -R '$$ORIGIN' OS_LIBS += -lbsm endif -ifeq ($(OS_ARCH), HP-UX) -ifneq ($(OS_TEST), ia64) -# pa-risc -ifeq ($(USE_64), 1) -MKSHLIB += +b '$$ORIGIN' -endif -endif -endif - ifeq ($(OS_TARGET),WINCE) DEFINES += -DDBM_USING_NSPR endif
--- a/security/nss/lib/softoken/fipstest.c +++ b/security/nss/lib/softoken/fipstest.c @@ -31,17 +31,17 @@ * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: fipstest.c,v 1.25 2009/03/29 03:45:34 wtc%google.com Exp $ */ +/* $Id: fipstest.c,v 1.27 2009/06/19 23:05:48 rrelyea%redhat.com Exp $ */ #include "softoken.h" /* Required for RC2-ECB, RC2-CBC, RC4, DES-ECB, */ /* DES-CBC, DES3-ECB, DES3-CBC, RSA */ /* and DSA. */ #include "seccomon.h" /* Required for RSA and DSA. */ #include "lowkeyi.h" /* Required for RSA and DSA. */ #include "pkcs11.h" /* Required for PKCS #11. */ #include "secerr.h" @@ -85,27 +85,27 @@ /* FIPS preprocessor directives for message digests */ #define FIPS_KNOWN_HASH_MESSAGE_LENGTH 64 /* 512-bits */ /* FIPS preprocessor directives for RSA. */ #define FIPS_RSA_TYPE siBuffer #define FIPS_RSA_PUBLIC_EXPONENT_LENGTH 3 /* 24-bits */ #define FIPS_RSA_PRIVATE_VERSION_LENGTH 1 /* 8-bits */ -#define FIPS_RSA_MESSAGE_LENGTH 128 /* 1024-bits */ -#define FIPS_RSA_COEFFICIENT_LENGTH 64 /* 512-bits */ -#define FIPS_RSA_PRIME0_LENGTH 64 /* 512-bits */ -#define FIPS_RSA_PRIME1_LENGTH 64 /* 512-bits */ -#define FIPS_RSA_EXPONENT0_LENGTH 64 /* 512-bits */ -#define FIPS_RSA_EXPONENT1_LENGTH 64 /* 512-bits */ -#define FIPS_RSA_PRIVATE_EXPONENT_LENGTH 128 /* 1024-bits */ -#define FIPS_RSA_ENCRYPT_LENGTH 128 /* 1024-bits */ -#define FIPS_RSA_DECRYPT_LENGTH 128 /* 1024-bits */ -#define FIPS_RSA_SIGNATURE_LENGTH 128 /* 1024-bits */ -#define FIPS_RSA_MODULUS_LENGTH 128 /* 1024-bits */ +#define FIPS_RSA_MESSAGE_LENGTH 256 /* 2048-bits */ +#define FIPS_RSA_COEFFICIENT_LENGTH 128 /* 1024-bits */ +#define FIPS_RSA_PRIME0_LENGTH 128 /* 1024-bits */ +#define FIPS_RSA_PRIME1_LENGTH 128 /* 1024-bits */ +#define FIPS_RSA_EXPONENT0_LENGTH 128 /* 1024-bits */ +#define FIPS_RSA_EXPONENT1_LENGTH 128 /* 1024-bits */ +#define FIPS_RSA_PRIVATE_EXPONENT_LENGTH 256 /* 2048-bits */ +#define FIPS_RSA_ENCRYPT_LENGTH 256 /* 2048-bits */ +#define FIPS_RSA_DECRYPT_LENGTH 256 /* 2048-bits */ +#define FIPS_RSA_SIGNATURE_LENGTH 256 /* 2048-bits */ +#define FIPS_RSA_MODULUS_LENGTH 256 /* 2048-bits */ /* FIPS preprocessor directives for DSA. */ #define FIPS_DSA_TYPE siBuffer #define FIPS_DSA_DIGEST_LENGTH 20 /* 160-bits */ #define FIPS_DSA_SUBPRIME_LENGTH 20 /* 160-bits */ #define FIPS_DSA_SIGNATURE_LENGTH 40 /* 320-bits */ #define FIPS_DSA_PRIME_LENGTH 128 /* 1024-bits */ @@ -1144,212 +1144,333 @@ loser: return( SECFailure ); } static CK_RV sftk_fips_RSA_PowerUpSelfTest( void ) { - /* RSA Known Modulus used in both Public/Private Key Values (1024-bits). */ + /* RSA Known Modulus used in both Public/Private Key Values (2048-bits). */ static const PRUint8 rsa_modulus[FIPS_RSA_MODULUS_LENGTH] = { - 0xd5, 0x84, 0x95, 0x07, 0xf4, 0xd0, 0x1f, 0x82, - 0xf3, 0x79, 0xf4, 0x99, 0x48, 0x10, 0xe1, 0x71, - 0xa5, 0x62, 0x22, 0xa3, 0x4b, 0x00, 0xe3, 0x5b, - 0x3a, 0xcc, 0x10, 0x83, 0xe0, 0xaf, 0x61, 0x13, - 0x54, 0x6a, 0xa2, 0x6a, 0x2c, 0x5e, 0xb3, 0xcc, - 0xa3, 0x71, 0x9a, 0xb2, 0x3e, 0x78, 0xec, 0xb5, - 0x0e, 0x6e, 0x31, 0x3b, 0x77, 0x1f, 0x6e, 0x94, - 0x41, 0x60, 0xd5, 0x6e, 0xd9, 0xc6, 0xf9, 0x29, - 0xc3, 0x40, 0x36, 0x25, 0xdb, 0xea, 0x0b, 0x07, - 0xae, 0x76, 0xfd, 0x99, 0x29, 0xf4, 0x22, 0xc1, - 0x1a, 0x8f, 0x05, 0xfe, 0x98, 0x09, 0x07, 0x05, - 0xc2, 0x0f, 0x0b, 0x11, 0x83, 0x39, 0xca, 0xc7, - 0x43, 0x63, 0xff, 0x33, 0x80, 0xe7, 0xc3, 0x78, - 0xae, 0xf1, 0x73, 0x52, 0x98, 0x1d, 0xde, 0x5c, - 0x53, 0x6e, 0x01, 0x73, 0x0d, 0x12, 0x7e, 0x77, - 0x03, 0xf1, 0xef, 0x1b, 0xc8, 0xa8, 0x0f, 0x97}; + 0xb8, 0x15, 0x00, 0x33, 0xda, 0x0c, 0x9d, 0xa5, + 0x14, 0x8c, 0xde, 0x1f, 0x23, 0x07, 0x54, 0xe2, + 0xc6, 0xb9, 0x51, 0x04, 0xc9, 0x65, 0x24, 0x6e, + 0x0a, 0x46, 0x34, 0x5c, 0x37, 0x86, 0x6b, 0x88, + 0x24, 0x27, 0xac, 0xa5, 0x02, 0x79, 0xfb, 0xed, + 0x75, 0xc5, 0x3f, 0x6e, 0xdf, 0x05, 0x5f, 0x0f, + 0x20, 0x70, 0xa0, 0x5b, 0x85, 0xdb, 0xac, 0xb9, + 0x5f, 0x02, 0xc2, 0x64, 0x1e, 0x84, 0x5b, 0x3e, + 0xad, 0xbf, 0xf6, 0x2e, 0x51, 0xd6, 0xad, 0xf7, + 0xa7, 0x86, 0x75, 0x86, 0xec, 0xa7, 0xe1, 0xf7, + 0x08, 0xbf, 0xdc, 0x56, 0xb1, 0x3b, 0xca, 0xd8, + 0xfc, 0x51, 0xdf, 0x9a, 0x2a, 0x37, 0x06, 0xf2, + 0xd1, 0x6b, 0x9a, 0x5e, 0x2a, 0xe5, 0x20, 0x57, + 0x35, 0x9f, 0x1f, 0x98, 0xcf, 0x40, 0xc7, 0xd6, + 0x98, 0xdb, 0xde, 0xf5, 0x64, 0x53, 0xf7, 0x9d, + 0x45, 0xf3, 0xd6, 0x78, 0xb9, 0xe3, 0xa3, 0x20, + 0xcd, 0x79, 0x43, 0x35, 0xef, 0xd7, 0xfb, 0xb9, + 0x80, 0x88, 0x27, 0x2f, 0x63, 0xa8, 0x67, 0x3d, + 0x4a, 0xfa, 0x06, 0xc6, 0xd2, 0x86, 0x0b, 0xa7, + 0x28, 0xfd, 0xe0, 0x1e, 0x93, 0x4b, 0x17, 0x2e, + 0xb0, 0x11, 0x6f, 0xc6, 0x2b, 0x98, 0x0f, 0x15, + 0xe3, 0x87, 0x16, 0x7a, 0x7c, 0x67, 0x3e, 0x12, + 0x2b, 0xf8, 0xbe, 0x48, 0xc1, 0x97, 0x47, 0xf4, + 0x1f, 0x81, 0x80, 0x12, 0x28, 0xe4, 0x7b, 0x1e, + 0xb7, 0x00, 0xa4, 0xde, 0xaa, 0xfb, 0x0f, 0x77, + 0x84, 0xa3, 0xd6, 0xb2, 0x03, 0x48, 0xdd, 0x53, + 0x8b, 0x46, 0x41, 0x28, 0x52, 0xc4, 0x53, 0xf0, + 0x1c, 0x95, 0xd9, 0x36, 0xe0, 0x0f, 0x26, 0x46, + 0x9c, 0x61, 0x0e, 0x80, 0xca, 0x86, 0xaf, 0x39, + 0x95, 0xe5, 0x60, 0x43, 0x61, 0x3e, 0x2b, 0xb4, + 0xe8, 0xbd, 0x8d, 0x77, 0x62, 0xf5, 0x32, 0x43, + 0x2f, 0x4b, 0x65, 0x82, 0x14, 0xdd, 0x29, 0x5b}; /* RSA Known Public Key Values (24-bits). */ static const PRUint8 rsa_public_exponent[FIPS_RSA_PUBLIC_EXPONENT_LENGTH] = { 0x01, 0x00, 0x01 }; /* RSA Known Private Key Values (version is 8-bits), */ - /* (private exponent is 1024-bits), */ - /* (private prime0 is 512-bits), */ - /* (private prime1 is 512-bits), */ - /* (private prime exponent0 is 512-bits), */ - /* (private prime exponent1 is 512-bits), */ - /* and (private coefficient is 512-bits). */ + /* (private exponent is 2048-bits), */ + /* (private prime0 is 1024-bits), */ + /* (private prime1 is 1024-bits), */ + /* (private prime exponent0 is 1024-bits), */ + /* (private prime exponent1 is 1024-bits), */ + /* and (private coefficient is 1024-bits). */ static const PRUint8 rsa_version[] = { 0x00 }; static const PRUint8 rsa_private_exponent[FIPS_RSA_PRIVATE_EXPONENT_LENGTH] - = { 0x85, 0x27, 0x47, 0x61, 0x4c, 0xd4, 0xb5, 0xb2, - 0x0e, 0x70, 0x91, 0x8f, 0x3d, 0x97, 0xf9, 0x5f, - 0xcc, 0x09, 0x65, 0x1c, 0x7c, 0x5b, 0xb3, 0x6d, - 0x63, 0x3f, 0x7b, 0x55, 0x22, 0xbb, 0x7c, 0x48, - 0x77, 0xae, 0x80, 0x56, 0xc2, 0x10, 0xd5, 0x03, - 0xdb, 0x31, 0xaf, 0x8d, 0x54, 0xd4, 0x48, 0x99, - 0xa8, 0xc4, 0x23, 0x43, 0xb8, 0x48, 0x0b, 0xc7, - 0xbc, 0xf5, 0xcc, 0x64, 0x72, 0xbf, 0x59, 0x06, - 0x04, 0x1c, 0x32, 0xf5, 0x14, 0x2e, 0x6e, 0xe2, - 0x0f, 0x5c, 0xde, 0x36, 0x3c, 0x6e, 0x7c, 0x4d, - 0xcc, 0xd3, 0x00, 0x6e, 0xe5, 0x45, 0x46, 0xef, - 0x4d, 0x25, 0x46, 0x6d, 0x7f, 0xed, 0xbb, 0x4f, - 0x4d, 0x9f, 0xda, 0x87, 0x47, 0x8f, 0x74, 0x44, - 0xb7, 0xbe, 0x9d, 0xf5, 0xdd, 0xd2, 0x4c, 0xa5, - 0xab, 0x74, 0xe5, 0x29, 0xa1, 0xd2, 0x45, 0x3b, - 0x33, 0xde, 0xd5, 0xae, 0xf7, 0x03, 0x10, 0x21}; + = {0x29, 0x08, 0x05, 0x53, 0x89, 0x76, 0xe6, 0x6c, + 0xb5, 0x77, 0xf0, 0xca, 0xdf, 0xf3, 0xf2, 0x67, + 0xda, 0x03, 0xd4, 0x9b, 0x4c, 0x88, 0xce, 0xe5, + 0xf8, 0x44, 0x4d, 0xc7, 0x80, 0x58, 0xe5, 0xff, + 0x22, 0x8f, 0xf5, 0x5b, 0x92, 0x81, 0xbe, 0x35, + 0xdf, 0xda, 0x67, 0x99, 0x3e, 0xfc, 0xe3, 0x83, + 0x6b, 0xa7, 0xaf, 0x16, 0xb7, 0x6f, 0x8f, 0xc0, + 0x81, 0xfd, 0x0b, 0x77, 0x65, 0x95, 0xfb, 0x00, + 0xad, 0x99, 0xec, 0x35, 0xc6, 0xe8, 0x23, 0x3e, + 0xe0, 0x88, 0x88, 0x09, 0xdb, 0x16, 0x50, 0xb7, + 0xcf, 0xab, 0x74, 0x61, 0x9e, 0x7f, 0xc5, 0x67, + 0x38, 0x56, 0xc7, 0x90, 0x85, 0x78, 0x5e, 0x84, + 0x21, 0x49, 0xea, 0xce, 0xb2, 0xa0, 0xff, 0xe4, + 0x70, 0x7f, 0x57, 0x7b, 0xa8, 0x36, 0xb8, 0x54, + 0x8d, 0x1d, 0xf5, 0x44, 0x9d, 0x68, 0x59, 0xf9, + 0x24, 0x6e, 0x85, 0x8f, 0xc3, 0x5f, 0x8a, 0x2c, + 0x94, 0xb7, 0xbc, 0x0e, 0xa5, 0xef, 0x93, 0x06, + 0x38, 0xcd, 0x07, 0x0c, 0xae, 0xb8, 0x44, 0x1a, + 0xd8, 0xe7, 0xf5, 0x9a, 0x1e, 0x9c, 0x18, 0xc7, + 0x6a, 0xc2, 0x7f, 0x28, 0x01, 0x4f, 0xb4, 0xb8, + 0x90, 0x97, 0x5a, 0x43, 0x38, 0xad, 0xe8, 0x95, + 0x68, 0x83, 0x1a, 0x1b, 0x10, 0x07, 0xe6, 0x02, + 0x52, 0x1f, 0xbf, 0x76, 0x6b, 0x46, 0xd6, 0xfb, + 0xc3, 0xbe, 0xb5, 0xac, 0x52, 0x53, 0x01, 0x1c, + 0xf3, 0xc5, 0xeb, 0x64, 0xf2, 0x1e, 0xc4, 0x38, + 0xe9, 0xaa, 0xd9, 0xc3, 0x72, 0x51, 0xa5, 0x44, + 0x58, 0x69, 0x0b, 0x1b, 0x98, 0x7f, 0xf2, 0x23, + 0xff, 0xeb, 0xf0, 0x75, 0x24, 0xcf, 0xc5, 0x1e, + 0xb8, 0x6a, 0xc5, 0x2f, 0x4f, 0x23, 0x50, 0x7d, + 0x15, 0x9d, 0x19, 0x7a, 0x0b, 0x82, 0xe0, 0x21, + 0x5b, 0x5f, 0x9d, 0x50, 0x2b, 0x83, 0xe4, 0x48, + 0xcc, 0x39, 0xe5, 0xfb, 0x13, 0x7b, 0x6f, 0x81 }; static const PRUint8 rsa_prime0[FIPS_RSA_PRIME0_LENGTH] = { - 0xf9, 0x74, 0x8f, 0x16, 0x02, 0x6b, 0xa0, 0xee, - 0x7f, 0x28, 0x97, 0x91, 0xdc, 0xec, 0xc0, 0x7c, - 0x49, 0xc2, 0x85, 0x76, 0xee, 0x66, 0x74, 0x2d, - 0x1a, 0xb8, 0xf7, 0x2f, 0x11, 0x5b, 0x36, 0xd8, - 0x46, 0x33, 0x3b, 0xd8, 0xf3, 0x2d, 0xa1, 0x03, - 0x83, 0x2b, 0xec, 0x35, 0x43, 0x32, 0xff, 0xdd, - 0x81, 0x7c, 0xfd, 0x65, 0x13, 0x04, 0x7c, 0xfc, - 0x03, 0x97, 0xf0, 0xd5, 0x62, 0xdc, 0x0d, 0xbf}; + 0xe4, 0xbf, 0x21, 0x62, 0x9b, 0xa9, 0x77, 0x40, + 0x8d, 0x2a, 0xce, 0xa1, 0x67, 0x5a, 0x4c, 0x96, + 0x45, 0x98, 0x67, 0xbd, 0x75, 0x22, 0x33, 0x6f, + 0xe6, 0xcb, 0x77, 0xde, 0x9e, 0x97, 0x7d, 0x96, + 0x8c, 0x5e, 0x5d, 0x34, 0xfb, 0x27, 0xfc, 0x6d, + 0x74, 0xdb, 0x9d, 0x2e, 0x6d, 0xf6, 0xea, 0xfc, + 0xce, 0x9e, 0xda, 0xa7, 0x25, 0xa2, 0xf4, 0x58, + 0x6d, 0x0a, 0x3f, 0x01, 0xc2, 0xb4, 0xab, 0x38, + 0xc1, 0x14, 0x85, 0xb6, 0xfa, 0x94, 0xc3, 0x85, + 0xf9, 0x3c, 0x2e, 0x96, 0x56, 0x01, 0xe7, 0xd6, + 0x14, 0x71, 0x4f, 0xfb, 0x4c, 0x85, 0x52, 0xc4, + 0x61, 0x1e, 0xa5, 0x1e, 0x96, 0x13, 0x0d, 0x8f, + 0x66, 0xae, 0xa0, 0xcd, 0x7d, 0x25, 0x66, 0x19, + 0x15, 0xc2, 0xcf, 0xc3, 0x12, 0x3c, 0xe8, 0xa4, + 0x52, 0x4c, 0xcb, 0x28, 0x3c, 0xc4, 0xbf, 0x95, + 0x33, 0xe3, 0x81, 0xea, 0x0c, 0x6c, 0xa2, 0x05}; static const PRUint8 rsa_prime1[FIPS_RSA_PRIME1_LENGTH] = { - 0xdb, 0x1e, 0xa7, 0x3d, 0xe7, 0xfa, 0x8b, 0x04, - 0x83, 0x48, 0xf3, 0xa5, 0x31, 0x9d, 0x35, 0x5e, - 0x4d, 0x54, 0x77, 0xcc, 0x84, 0x09, 0xf3, 0x11, - 0x0d, 0x54, 0xed, 0x85, 0x39, 0xa9, 0xca, 0xa8, - 0xea, 0xae, 0x19, 0x9c, 0x75, 0xdb, 0x88, 0xb8, - 0x04, 0x8d, 0x54, 0xc6, 0xa4, 0x80, 0xf8, 0x93, - 0xf0, 0xdb, 0x19, 0xef, 0xd7, 0x87, 0x8a, 0x8f, - 0x5a, 0x09, 0x2e, 0x54, 0xf3, 0x45, 0x24, 0x29}; + 0xce, 0x03, 0x94, 0xf4, 0xa9, 0x2c, 0x1e, 0x06, + 0xe7, 0x40, 0x30, 0x01, 0xf7, 0xbb, 0x68, 0x8c, + 0x27, 0xd2, 0x15, 0xe3, 0x28, 0x49, 0x5b, 0xa8, + 0xc1, 0x9a, 0x42, 0x7e, 0x31, 0xf9, 0x08, 0x34, + 0x81, 0xa2, 0x0f, 0x04, 0x61, 0x34, 0xe3, 0x36, + 0x92, 0xb1, 0x09, 0x2b, 0xe9, 0xef, 0x84, 0x88, + 0xbe, 0x9c, 0x98, 0x60, 0xa6, 0x60, 0x84, 0xe9, + 0x75, 0x6f, 0xcc, 0x81, 0xd1, 0x96, 0xef, 0xdd, + 0x2e, 0xca, 0xc4, 0xf5, 0x42, 0xfb, 0x13, 0x2b, + 0x57, 0xbf, 0x14, 0x5e, 0xc2, 0x7f, 0x77, 0x35, + 0x29, 0xc4, 0xe5, 0xe0, 0xf9, 0x6d, 0x15, 0x4a, + 0x42, 0x56, 0x1c, 0x3e, 0x0c, 0xc5, 0xce, 0x70, + 0x08, 0x63, 0x1e, 0x73, 0xdb, 0x7e, 0x74, 0x05, + 0x32, 0x01, 0xc6, 0x36, 0x32, 0x75, 0x6b, 0xed, + 0x9d, 0xfe, 0x7c, 0x7e, 0xa9, 0x57, 0xb4, 0xe9, + 0x22, 0xe4, 0xe7, 0xfe, 0x36, 0x07, 0x9b, 0xdf}; static const PRUint8 rsa_exponent0[FIPS_RSA_EXPONENT0_LENGTH] = { - 0x6a, 0xd1, 0x25, 0x80, 0x18, 0x33, 0x3c, 0x2b, - 0x44, 0x19, 0xfe, 0xa5, 0x40, 0x03, 0xc4, 0xfc, - 0xb3, 0x9c, 0xef, 0x07, 0x99, 0x58, 0x17, 0xc1, - 0x44, 0xa3, 0x15, 0x7d, 0x7b, 0x22, 0x22, 0xdf, - 0x03, 0x58, 0x66, 0xf5, 0x24, 0x54, 0x52, 0x91, - 0x2d, 0x76, 0xfe, 0x63, 0x64, 0x4e, 0x0f, 0x50, - 0x2b, 0x65, 0x79, 0x1f, 0xf1, 0xbf, 0xc7, 0x41, - 0x26, 0xcc, 0xc6, 0x1c, 0xa9, 0x83, 0x6f, 0x03}; + 0x04, 0x5a, 0x3a, 0xa9, 0x64, 0xaa, 0xd9, 0xd1, + 0x09, 0x9e, 0x99, 0xe5, 0xea, 0x50, 0x86, 0x8a, + 0x89, 0x72, 0x77, 0xee, 0xdb, 0xee, 0xb5, 0xa9, + 0xd8, 0x6b, 0x60, 0xb1, 0x84, 0xb4, 0xff, 0x37, + 0xc1, 0x1d, 0xfe, 0x8a, 0x06, 0x89, 0x61, 0x3d, + 0x37, 0xef, 0x01, 0xd3, 0xa3, 0x56, 0x02, 0x6c, + 0xa3, 0x05, 0xd4, 0xc5, 0x3f, 0x6b, 0x15, 0x59, + 0x25, 0x61, 0xff, 0x86, 0xea, 0x0c, 0x84, 0x01, + 0x85, 0x72, 0xfd, 0x84, 0x58, 0xca, 0x41, 0xda, + 0x27, 0xbe, 0xe4, 0x68, 0x09, 0xe4, 0xe9, 0x63, + 0x62, 0x6a, 0x31, 0x8a, 0x67, 0x8f, 0x55, 0xde, + 0xd4, 0xb6, 0x3f, 0x90, 0x10, 0x6c, 0xf6, 0x62, + 0x17, 0x23, 0x15, 0x7e, 0x33, 0x76, 0x65, 0xb5, + 0xee, 0x7b, 0x11, 0x76, 0xf5, 0xbe, 0xe0, 0xf2, + 0x57, 0x7a, 0x8c, 0x97, 0x0c, 0x68, 0xf5, 0xf8, + 0x41, 0xcf, 0x7f, 0x66, 0x53, 0xac, 0x31, 0x7d}; static const PRUint8 rsa_exponent1[FIPS_RSA_EXPONENT1_LENGTH] = { - 0x12, 0x84, 0x1a, 0x99, 0xce, 0x9a, 0x8b, 0x58, - 0xcc, 0x47, 0x43, 0xdf, 0x77, 0xbb, 0xd3, 0x20, - 0xae, 0xe4, 0x2e, 0x63, 0x67, 0xdc, 0xf7, 0x5f, - 0x3f, 0x83, 0x27, 0xb7, 0x14, 0x52, 0x56, 0xbf, - 0xc3, 0x65, 0x06, 0xe1, 0x03, 0xcc, 0x93, 0x57, - 0x09, 0x7b, 0x6f, 0xe8, 0x81, 0x4a, 0x2c, 0xb7, - 0x43, 0xa9, 0x20, 0x1d, 0xf6, 0x56, 0x8b, 0xcc, - 0xe5, 0x4c, 0xd5, 0x4f, 0x74, 0x67, 0x29, 0x51}; + 0x93, 0x54, 0x14, 0x6e, 0x73, 0x9d, 0x4d, 0x4b, + 0xfa, 0x8c, 0xf8, 0xc8, 0x2f, 0x76, 0x22, 0xea, + 0x38, 0x80, 0x11, 0x8f, 0x05, 0xfc, 0x90, 0x44, + 0x3b, 0x50, 0x2a, 0x45, 0x3d, 0x4f, 0xaf, 0x02, + 0x7d, 0xc2, 0x7b, 0xa2, 0xd2, 0x31, 0x94, 0x5c, + 0x2e, 0xc3, 0xd4, 0x9f, 0x47, 0x09, 0x37, 0x6a, + 0xe3, 0x85, 0xf1, 0xa3, 0x0c, 0xd8, 0xf1, 0xb4, + 0x53, 0x7b, 0xc4, 0x71, 0x02, 0x86, 0x42, 0xbb, + 0x96, 0xff, 0x03, 0xa3, 0xb2, 0x67, 0x03, 0xea, + 0x77, 0x31, 0xfb, 0x4b, 0x59, 0x24, 0xf7, 0x07, + 0x59, 0xfb, 0xa9, 0xba, 0x1e, 0x26, 0x58, 0x97, + 0x66, 0xa1, 0x56, 0x49, 0x39, 0xb1, 0x2c, 0x55, + 0x0a, 0x6a, 0x78, 0x18, 0xba, 0xdb, 0xcf, 0xf4, + 0xf7, 0x32, 0x35, 0xa2, 0x04, 0xab, 0xdc, 0xa7, + 0x6d, 0xd9, 0xd5, 0x06, 0x6f, 0xec, 0x7d, 0x40, + 0x4c, 0xe8, 0x0e, 0xd0, 0xc9, 0xaa, 0xdf, 0x59}; static const PRUint8 rsa_coefficient[FIPS_RSA_COEFFICIENT_LENGTH] = { - 0x23, 0xab, 0xf4, 0x03, 0x2f, 0x29, 0x95, 0x74, - 0xac, 0x1a, 0x33, 0x96, 0x62, 0xed, 0xf7, 0xf6, - 0xae, 0x07, 0x2a, 0x2e, 0xe8, 0xab, 0xfb, 0x1e, - 0xb9, 0xb2, 0x88, 0x1e, 0x85, 0x05, 0x42, 0x64, - 0x03, 0xb2, 0x8b, 0xc1, 0x81, 0x75, 0xd7, 0xba, - 0xaa, 0xd4, 0x31, 0x3c, 0x8a, 0x96, 0x23, 0x9d, - 0x3f, 0x06, 0x3e, 0x44, 0xa9, 0x62, 0x2f, 0x61, - 0x5a, 0x51, 0x82, 0x2c, 0x04, 0x85, 0x73, 0xd1}; + 0x17, 0xd7, 0xf5, 0x0a, 0xf0, 0x68, 0x97, 0x96, + 0xc4, 0x29, 0x18, 0x77, 0x9a, 0x1f, 0xe3, 0xf3, + 0x12, 0x13, 0x0f, 0x7e, 0x7b, 0xb9, 0xc1, 0x91, + 0xf9, 0xc7, 0x08, 0x56, 0x5c, 0xa4, 0xbc, 0x83, + 0x71, 0xf9, 0x78, 0xd9, 0x2b, 0xec, 0xfe, 0x6b, + 0xdc, 0x2f, 0x63, 0xc9, 0xcd, 0x50, 0x14, 0x5b, + 0xd3, 0x6e, 0x85, 0x4d, 0x0c, 0xa2, 0x0b, 0xa0, + 0x09, 0xb6, 0xca, 0x34, 0x9c, 0xc2, 0xc1, 0x4a, + 0xb0, 0xbc, 0x45, 0x93, 0xa5, 0x7e, 0x99, 0xb5, + 0xbd, 0xe4, 0x69, 0x29, 0x08, 0x28, 0xd2, 0xcd, + 0xab, 0x24, 0x78, 0x48, 0x41, 0x26, 0x0b, 0x37, + 0xa3, 0x43, 0xd1, 0x95, 0x1a, 0xd6, 0xee, 0x22, + 0x1c, 0x00, 0x0b, 0xc2, 0xb7, 0xa4, 0xa3, 0x21, + 0xa9, 0xcd, 0xe4, 0x69, 0xd3, 0x45, 0x02, 0xb1, + 0xb7, 0x3a, 0xbf, 0x51, 0x35, 0x1b, 0x78, 0xc2, + 0xcf, 0x0c, 0x0d, 0x60, 0x09, 0xa9, 0x44, 0x02}; /* RSA Known Plaintext Message (1024-bits). */ static const PRUint8 rsa_known_plaintext_msg[FIPS_RSA_MESSAGE_LENGTH] = { - "Known plaintext message utilized" + "Known plaintext message utilized" "for RSA Encryption & Decryption" - "block, SHA1, SHA256, SHA384 and" - "SHA512 RSA Signature KAT tests."}; + "blocks SHA256, SHA384 and " + "SHA512 RSA Signature KAT tests. " + "Known plaintext message utilized" + "for RSA Encryption & Decryption" + "blocks SHA256, SHA384 and " + "SHA512 RSA Signature KAT tests."}; - /* RSA Known Ciphertext (1024-bits). */ + /* RSA Known Ciphertext (2048-bits). */ static const PRUint8 rsa_known_ciphertext[] = { - 0x1e, 0x7e, 0x12, 0xbb, 0x15, 0x62, 0xd0, 0x23, - 0x53, 0x4c, 0x51, 0x97, 0x77, 0x06, 0xa0, 0xbb, - 0x26, 0x99, 0x9a, 0x8f, 0x39, 0xad, 0x88, 0x5c, - 0xc4, 0xce, 0x33, 0x40, 0x94, 0x92, 0xb4, 0x0e, - 0xab, 0x71, 0xa9, 0x5d, 0x9a, 0x37, 0xe3, 0x9a, - 0x24, 0x95, 0x13, 0xea, 0x0f, 0xbb, 0xf7, 0xff, - 0xdf, 0x31, 0x33, 0x23, 0x1d, 0xce, 0x26, 0x9e, - 0xd1, 0xde, 0x98, 0x40, 0xde, 0x57, 0x86, 0x12, - 0xf1, 0xe6, 0x5a, 0x3f, 0x08, 0x02, 0x81, 0x85, - 0xe0, 0xd9, 0xad, 0x3c, 0x8c, 0x71, 0xf8, 0xcf, - 0x0a, 0x98, 0xc5, 0x08, 0xdc, 0xc4, 0xca, 0x8c, - 0x23, 0x1b, 0x4d, 0x9b, 0xb5, 0x13, 0x44, 0xe1, - 0x5f, 0xf9, 0x30, 0x80, 0x25, 0xe0, 0x1e, 0x94, - 0xa3, 0x0c, 0xdc, 0x82, 0x2e, 0xfb, 0x30, 0xbe, - 0x89, 0xba, 0x76, 0xb6, 0x23, 0xf7, 0xda, 0x7c, - 0xca, 0xe6, 0x02, 0xbd, 0x92, 0xce, 0x64, 0xfc}; + 0x04, 0x12, 0x46, 0xe3, 0x6a, 0xee, 0xde, 0xdd, + 0x49, 0xa1, 0xd9, 0x83, 0xf7, 0x35, 0xf9, 0x70, + 0x88, 0x03, 0x2d, 0x01, 0x8b, 0xd1, 0xbf, 0xdb, + 0xe5, 0x1c, 0x85, 0xbe, 0xb5, 0x0b, 0x48, 0x45, + 0x7a, 0xf0, 0xa0, 0xe3, 0xa2, 0xbb, 0x4b, 0xf6, + 0x27, 0xd0, 0x1b, 0x12, 0xe3, 0x77, 0x52, 0x34, + 0x9e, 0x8e, 0x03, 0xd2, 0xf8, 0x79, 0x6e, 0x39, + 0x79, 0x53, 0x3c, 0x44, 0x14, 0x94, 0xbb, 0x8d, + 0xaa, 0x14, 0x44, 0xa0, 0x7b, 0xa5, 0x8c, 0x93, + 0x5f, 0x99, 0xa4, 0xa3, 0x6e, 0x7a, 0x38, 0x40, + 0x78, 0xfa, 0x36, 0x91, 0x5e, 0x9a, 0x9c, 0xba, + 0x1e, 0xd4, 0xf9, 0xda, 0x4b, 0x0f, 0xa8, 0xa3, + 0x1c, 0xf3, 0x3a, 0xd1, 0xa5, 0xb4, 0x51, 0x16, + 0xed, 0x4b, 0xcf, 0xec, 0x93, 0x7b, 0x90, 0x21, + 0xbc, 0x3a, 0xf4, 0x0b, 0xd1, 0x3a, 0x2b, 0xba, + 0xa6, 0x7d, 0x5b, 0x53, 0xd8, 0x64, 0xf9, 0x29, + 0x7b, 0x7f, 0x77, 0x3e, 0x51, 0x4c, 0x9a, 0x94, + 0xd2, 0x4b, 0x4a, 0x8d, 0x61, 0x74, 0x97, 0xae, + 0x53, 0x6a, 0xf4, 0x90, 0xc2, 0x2c, 0x49, 0xe2, + 0xfa, 0xeb, 0x91, 0xc5, 0xe5, 0x83, 0x13, 0xc9, + 0x44, 0x4b, 0x95, 0x2c, 0x57, 0x70, 0x15, 0x5c, + 0x64, 0x8d, 0x1a, 0xfd, 0x2a, 0xc7, 0xb2, 0x9c, + 0x5c, 0x99, 0xd3, 0x4a, 0xfd, 0xdd, 0xf6, 0x82, + 0x87, 0x8c, 0x5a, 0xc4, 0xa8, 0x0d, 0x2a, 0xef, + 0xc3, 0xa2, 0x7e, 0x8e, 0x67, 0x9f, 0x6f, 0x63, + 0xdb, 0xbb, 0x1d, 0x31, 0xc4, 0xbb, 0xbc, 0x13, + 0x3f, 0x54, 0xc6, 0xf6, 0xc5, 0x28, 0x32, 0xab, + 0x96, 0x42, 0x10, 0x36, 0x40, 0x92, 0xbb, 0x57, + 0x55, 0x38, 0xf5, 0x43, 0x7e, 0x43, 0xc4, 0x65, + 0x47, 0x64, 0xaa, 0x0f, 0x4c, 0xe9, 0x49, 0x16, + 0xec, 0x6a, 0x50, 0xfd, 0x14, 0x49, 0xca, 0xdb, + 0x44, 0x54, 0xca, 0xbe, 0xa3, 0x0e, 0x5f, 0xef}; - /* RSA Known Signed Hash (1024-bits). */ - static const PRUint8 rsa_known_sha1_signature[] = { - 0xd2, 0xa4, 0xe0, 0x2b, 0xc7, 0x03, 0x7f, 0xc6, - 0x06, 0x9e, 0xa2, 0x82, 0x19, 0xe9, 0x2b, 0xaf, - 0xe3, 0x48, 0x88, 0xc1, 0xf3, 0xb5, 0x0d, 0xe4, - 0x52, 0x9e, 0xad, 0xd5, 0x58, 0xb5, 0x9f, 0xe8, - 0x40, 0xe9, 0xb7, 0x2e, 0xc6, 0x71, 0x58, 0x56, - 0x04, 0xac, 0xb0, 0xf3, 0x3a, 0x42, 0x38, 0x08, - 0xc4, 0x43, 0x39, 0xba, 0x19, 0xce, 0xb1, 0x99, - 0xf1, 0x8d, 0x89, 0xd8, 0x50, 0x07, 0x14, 0x3d, - 0xcf, 0xd0, 0xb6, 0x79, 0xde, 0x9c, 0x89, 0x32, - 0xb0, 0x73, 0x3f, 0xed, 0x03, 0x0b, 0xdf, 0x6d, - 0x7e, 0xc9, 0x1c, 0x39, 0xe8, 0x2b, 0x16, 0x09, - 0xbb, 0x5f, 0x99, 0x2f, 0xeb, 0xf3, 0x37, 0x73, - 0x0d, 0x0e, 0xcc, 0x95, 0xad, 0x90, 0x80, 0x03, - 0x1d, 0x80, 0x55, 0x37, 0xa1, 0x2a, 0x71, 0x76, - 0x23, 0x87, 0x8c, 0x9b, 0x41, 0x07, 0xc6, 0x3d, - 0xc6, 0xa3, 0x7d, 0x1b, 0xff, 0x4e, 0x11, 0x19}; - - /* RSA Known Signed Hash (1024-bits). */ + /* RSA Known Signed Hash (2048-bits). */ static const PRUint8 rsa_known_sha256_signature[] = { - 0x27, 0x35, 0xdd, 0xc4, 0xf8, 0xe2, 0x0b, 0xa3, - 0xef, 0x63, 0x57, 0x3b, 0xe1, 0x58, 0x9a, 0xbc, - 0x20, 0x9c, 0x25, 0x12, 0x01, 0xbf, 0xbb, 0x29, - 0x80, 0x1a, 0xb1, 0x37, 0x9c, 0xcd, 0x67, 0xc7, - 0x0d, 0xf8, 0x64, 0x10, 0x9f, 0xe2, 0xa1, 0x9b, - 0x21, 0x90, 0xcc, 0xda, 0x8b, 0x76, 0x5e, 0x79, - 0x00, 0x9d, 0x58, 0x8b, 0x8a, 0xb3, 0xc3, 0xb5, - 0xf1, 0x54, 0xc5, 0x8c, 0x72, 0xba, 0xde, 0x51, - 0x3c, 0x6b, 0x94, 0xd6, 0xf3, 0x1b, 0xa2, 0x53, - 0xe6, 0x1a, 0x46, 0x1d, 0x7f, 0x14, 0x86, 0xcc, - 0xa6, 0x30, 0x92, 0x96, 0xc0, 0x96, 0x24, 0xf0, - 0x42, 0x53, 0x4c, 0xdd, 0x27, 0xdf, 0x1d, 0x2e, - 0x8b, 0x83, 0xbe, 0xed, 0x85, 0x1d, 0x50, 0x46, - 0xa3, 0x7d, 0x20, 0xea, 0x3e, 0x91, 0xfb, 0xf6, - 0x86, 0x51, 0xfd, 0x8c, 0xe5, 0x31, 0xe6, 0x7e, - 0x60, 0x08, 0x0e, 0xec, 0xa6, 0xea, 0x24, 0x8d}; + 0x8c, 0x2d, 0x2e, 0xfb, 0x37, 0xb5, 0x6f, 0x38, + 0x9f, 0x06, 0x5a, 0xf3, 0x8c, 0xa0, 0xd0, 0x7a, + 0xde, 0xcf, 0xf9, 0x14, 0x95, 0x59, 0xd3, 0x5f, + 0x51, 0x5d, 0x5d, 0xad, 0xd8, 0x71, 0x33, 0x50, + 0x1d, 0x03, 0x3b, 0x3a, 0x32, 0x00, 0xb4, 0xde, + 0x7f, 0xe4, 0xb1, 0xe5, 0x6b, 0x83, 0xf4, 0x80, + 0x10, 0x3b, 0xb8, 0x8a, 0xdb, 0xe8, 0x0a, 0x42, + 0x9e, 0x8d, 0xd7, 0xbe, 0xed, 0xde, 0x5a, 0x3d, + 0xc6, 0xdb, 0xfe, 0x49, 0x6a, 0xe9, 0x1e, 0x75, + 0x66, 0xf1, 0x3f, 0x9e, 0x3f, 0xff, 0x05, 0x65, + 0xde, 0xca, 0x62, 0x62, 0xf3, 0xec, 0x53, 0x09, + 0xa0, 0x37, 0xd5, 0x66, 0x62, 0x72, 0x14, 0xb6, + 0x51, 0x32, 0x67, 0x50, 0xc1, 0xe1, 0x2f, 0x9e, + 0x98, 0x4e, 0x53, 0x96, 0x55, 0x4b, 0xc4, 0x92, + 0xc3, 0xb4, 0x80, 0xf0, 0x35, 0xc9, 0x00, 0x4b, + 0x5c, 0x85, 0x92, 0xb1, 0xe8, 0x6e, 0xa5, 0x51, + 0x38, 0x9f, 0xc9, 0x11, 0xb6, 0x14, 0xdf, 0x34, + 0x64, 0x40, 0x82, 0x82, 0xde, 0x16, 0x69, 0x93, + 0x89, 0x4e, 0x5c, 0x32, 0xf2, 0x0a, 0x4e, 0x9e, + 0xbd, 0x63, 0x99, 0x4f, 0xf3, 0x15, 0x90, 0xc2, + 0xfe, 0x6f, 0xb7, 0xf4, 0xad, 0xd4, 0x8e, 0x0b, + 0xd2, 0xf5, 0x22, 0xd2, 0x71, 0x65, 0x13, 0xf7, + 0x82, 0x7b, 0x75, 0xb6, 0xc1, 0xb4, 0x45, 0xbd, + 0x8f, 0x95, 0xcf, 0x5b, 0x95, 0x32, 0xef, 0x18, + 0x5f, 0xd3, 0xdf, 0x7e, 0x22, 0xdd, 0x25, 0xeb, + 0xe1, 0xbf, 0x3b, 0x9a, 0x55, 0x75, 0x4f, 0x3c, + 0x38, 0x67, 0x57, 0x04, 0x04, 0x57, 0x27, 0xf6, + 0x34, 0x0e, 0x57, 0x8a, 0x7c, 0xff, 0x7d, 0xca, + 0x8c, 0x06, 0xf8, 0x9d, 0xdb, 0xe4, 0xd8, 0x19, + 0xdd, 0x4d, 0xfd, 0x8f, 0xa0, 0x06, 0x53, 0xe8, + 0x33, 0x00, 0x70, 0x3f, 0x6b, 0xc3, 0xbd, 0x9a, + 0x78, 0xb5, 0xa9, 0xef, 0x6d, 0xda, 0x67, 0x92}; - /* RSA Known Signed Hash (1024-bits). */ - static const PRUint8 rsa_known_sha384_signature[] = { - 0x0b, 0x03, 0x94, 0x4f, 0x94, 0x78, 0x9b, 0x96, - 0x76, 0xeb, 0x72, 0x58, 0xe1, 0xc5, 0xc7, 0x5f, - 0x85, 0x01, 0xa8, 0xc4, 0xf6, 0x1a, 0xb5, 0x2c, - 0xd1, 0xd8, 0x87, 0xde, 0x3a, 0x9c, 0x9f, 0x57, - 0x81, 0x2a, 0x1e, 0x23, 0x07, 0x70, 0xb0, 0xf9, - 0x28, 0x3d, 0xfa, 0xe5, 0x2e, 0x1b, 0x9a, 0x72, - 0xc3, 0x74, 0xb3, 0x42, 0x1c, 0x9a, 0x13, 0xdc, - 0xc9, 0xd6, 0xd5, 0x88, 0xc9, 0x9c, 0x46, 0xf1, - 0x0c, 0xa6, 0xf7, 0xd8, 0x06, 0xa3, 0x1b, 0xdf, - 0x55, 0xb3, 0x1b, 0x7b, 0x58, 0x1d, 0xff, 0x19, - 0xc7, 0xe0, 0xdd, 0x59, 0xac, 0x2f, 0x78, 0x71, - 0xe7, 0xe0, 0x17, 0xa3, 0x1c, 0x5c, 0x92, 0xef, - 0xb6, 0x75, 0xed, 0xbe, 0x18, 0x39, 0x6b, 0xd7, - 0xc9, 0x08, 0x62, 0x55, 0x62, 0xac, 0x5d, 0xa1, - 0x9b, 0xd5, 0xb8, 0x98, 0x15, 0xc0, 0xf5, 0x41, - 0x85, 0x44, 0x96, 0xca, 0x10, 0xdc, 0x57, 0x21}; + /* RSA Known Signed Hash (2048-bits). */ + static const PRUint8 rsa_known_sha384_signature[] = { + 0x20, 0x2d, 0x21, 0x3a, 0xaa, 0x1e, 0x05, 0x15, + 0x5c, 0xca, 0x84, 0x86, 0xc0, 0x15, 0x81, 0xdf, + 0xd4, 0x06, 0x9f, 0xe0, 0xc1, 0xed, 0xef, 0x0f, + 0xfe, 0xb3, 0xc3, 0xbb, 0x28, 0xa5, 0x56, 0xbf, + 0xe3, 0x11, 0x5c, 0xc2, 0xc0, 0x0b, 0xfa, 0xfa, + 0x3d, 0xd3, 0x06, 0x20, 0xe2, 0xc9, 0xe4, 0x66, + 0x28, 0xb7, 0xc0, 0x3b, 0x3c, 0x96, 0xc6, 0x49, + 0x3b, 0xcf, 0x86, 0x49, 0x31, 0xaf, 0x5b, 0xa3, + 0xec, 0x63, 0x10, 0xdf, 0xda, 0x2f, 0x68, 0xac, + 0x7b, 0x3a, 0x49, 0xfa, 0xe6, 0x0d, 0xfe, 0x37, + 0x17, 0x56, 0x8e, 0x5c, 0x48, 0x97, 0x43, 0xf7, + 0xa0, 0xbc, 0xe3, 0x4b, 0x42, 0xde, 0x58, 0x1d, + 0xd9, 0x5d, 0xb3, 0x08, 0x35, 0xbd, 0xa4, 0xe1, + 0x80, 0xc3, 0x64, 0xab, 0x21, 0x97, 0xad, 0xfb, + 0x71, 0xee, 0xa3, 0x3d, 0x9c, 0xaa, 0xfa, 0x16, + 0x60, 0x46, 0x32, 0xda, 0x44, 0x2e, 0x10, 0x92, + 0x20, 0xd8, 0x98, 0x80, 0x84, 0x75, 0x5b, 0x70, + 0x91, 0x00, 0x33, 0x19, 0x69, 0xc9, 0x2a, 0xec, + 0x3d, 0xe5, 0x5f, 0x0f, 0x9a, 0xa7, 0x97, 0x1f, + 0x79, 0xc3, 0x1d, 0x65, 0x74, 0x62, 0xc5, 0xa1, + 0x23, 0x65, 0x4b, 0x84, 0xa1, 0x03, 0x98, 0xf3, + 0xf1, 0x02, 0x24, 0xca, 0xe5, 0xd4, 0xc8, 0xa2, + 0x30, 0xad, 0x72, 0x7d, 0x29, 0x60, 0x1a, 0x8e, + 0x6f, 0x23, 0xa4, 0xda, 0x68, 0xa4, 0x45, 0x9c, + 0x39, 0x70, 0x44, 0x18, 0x4b, 0x73, 0xfe, 0xf8, + 0x33, 0x53, 0x1d, 0x7e, 0x93, 0x93, 0xac, 0xc7, + 0x1e, 0x6e, 0x6b, 0xfd, 0x9e, 0xba, 0xa6, 0x71, + 0x70, 0x47, 0x6a, 0xd6, 0x82, 0x32, 0xa2, 0x6e, + 0x20, 0x72, 0xb0, 0xba, 0xec, 0x91, 0xbb, 0x6b, + 0xcc, 0x84, 0x0a, 0x33, 0x2b, 0x8a, 0x8d, 0xeb, + 0x71, 0xcd, 0xca, 0x67, 0x1b, 0xad, 0x10, 0xd4, + 0xce, 0x4f, 0xc0, 0x29, 0xec, 0xfa, 0xed, 0xfa}; - /* RSA Known Signed Hash (1024-bits). */ - static const PRUint8 rsa_known_sha512_signature[] = { - 0xa5, 0xd0, 0x80, 0x04, 0x22, 0xfc, 0x80, 0x73, - 0x7d, 0x46, 0xc8, 0x7b, 0xac, 0x44, 0x7b, 0xe6, - 0x07, 0xe5, 0x61, 0x4c, 0x33, 0x7f, 0x6f, 0x46, - 0x7c, 0x30, 0xe3, 0x75, 0x59, 0x4b, 0x42, 0xf3, - 0x9f, 0x35, 0x3c, 0x10, 0x56, 0xdb, 0xd2, 0x69, - 0x43, 0xcb, 0x77, 0xe9, 0x7d, 0xcd, 0x07, 0x43, - 0xc5, 0xd4, 0x0c, 0x9d, 0xf5, 0x92, 0xbd, 0x0e, - 0x3b, 0xb7, 0x68, 0x88, 0x84, 0xca, 0xae, 0x0d, - 0xab, 0x71, 0x10, 0xad, 0xab, 0x27, 0xe4, 0xa3, - 0x24, 0x41, 0xeb, 0x1c, 0xa6, 0x5f, 0xf1, 0x85, - 0xd0, 0xf6, 0x22, 0x74, 0x3d, 0x81, 0xbe, 0xdd, - 0x1b, 0x2a, 0x4c, 0xd1, 0x6c, 0xb5, 0x6d, 0x7a, - 0xbb, 0x99, 0x69, 0x01, 0xa6, 0xc0, 0x98, 0xfa, - 0x97, 0xa3, 0xd1, 0xb0, 0xdf, 0x09, 0xe3, 0x3d, - 0x88, 0xee, 0x90, 0xf3, 0x10, 0x41, 0x0f, 0x06, - 0x31, 0xe9, 0x60, 0x2d, 0xbf, 0x63, 0x7b, 0xf8}; + /* RSA Known Signed Hash (2048-bits). */ + static const PRUint8 rsa_known_sha512_signature[] = { + 0x35, 0x0e, 0x74, 0x9d, 0xeb, 0xc7, 0x67, 0x31, + 0x9f, 0xff, 0x0b, 0xbb, 0x5e, 0x66, 0xb4, 0x2f, + 0xbf, 0x72, 0x60, 0x4f, 0xe9, 0xbd, 0xec, 0xc8, + 0x17, 0x79, 0x5f, 0x39, 0x83, 0xb4, 0x54, 0x2e, + 0x01, 0xb9, 0xd3, 0x20, 0x47, 0xcb, 0xd4, 0x42, + 0xf2, 0x6e, 0x36, 0xc1, 0x97, 0xad, 0xef, 0x8e, + 0xe6, 0x51, 0xee, 0x5e, 0x9e, 0x88, 0xb4, 0x9d, + 0xda, 0x3e, 0x77, 0x4b, 0xe8, 0xae, 0x48, 0x53, + 0x2c, 0xc4, 0xd3, 0x25, 0x6b, 0x23, 0xb7, 0x54, + 0x3c, 0x95, 0x8f, 0xfb, 0x6f, 0x6d, 0xc5, 0x56, + 0x39, 0x69, 0x28, 0x0e, 0x74, 0x9b, 0x31, 0xe8, + 0x76, 0x77, 0x2b, 0xc1, 0x44, 0x89, 0x81, 0x93, + 0xfc, 0xf6, 0xec, 0x5f, 0x8f, 0x89, 0xfc, 0x1d, + 0xa4, 0x53, 0x58, 0x8c, 0xe9, 0xc0, 0xc0, 0x26, + 0xe6, 0xdf, 0x6d, 0x27, 0xb1, 0x8e, 0x3e, 0xb6, + 0x47, 0xe1, 0x02, 0x96, 0xc2, 0x5f, 0x7f, 0x3d, + 0xc5, 0x6c, 0x2f, 0xea, 0xaa, 0x5e, 0x39, 0xfc, + 0x77, 0xca, 0x00, 0x02, 0x5c, 0x64, 0x7c, 0xce, + 0x7d, 0x63, 0x82, 0x05, 0xed, 0xf7, 0x5b, 0x55, + 0x58, 0xc0, 0xeb, 0x76, 0xd7, 0x95, 0x55, 0x37, + 0x85, 0x7d, 0x17, 0xad, 0xd2, 0x11, 0xfd, 0x97, + 0x48, 0xb5, 0xc2, 0x5e, 0xc7, 0x62, 0xc0, 0xe0, + 0x68, 0xa8, 0x61, 0x14, 0x41, 0xca, 0x25, 0x3a, + 0xec, 0x48, 0x54, 0x22, 0x83, 0x2b, 0x69, 0x54, + 0xfd, 0xc8, 0x99, 0x9a, 0xee, 0x37, 0x03, 0xa3, + 0x8f, 0x0f, 0x32, 0xb0, 0xaa, 0x74, 0x39, 0x04, + 0x7c, 0xd9, 0xc2, 0x8f, 0xbe, 0xf2, 0xc4, 0xbe, + 0xdd, 0x7a, 0x7a, 0x7f, 0x72, 0xd3, 0x80, 0x59, + 0x18, 0xa0, 0xa1, 0x2d, 0x6f, 0xa3, 0xa9, 0x48, + 0xed, 0x20, 0xa6, 0xea, 0xaa, 0x10, 0x83, 0x98, + 0x0c, 0x13, 0x69, 0x6e, 0xcd, 0x31, 0x6b, 0xd0, + 0x66, 0xa6, 0x5e, 0x30, 0x0c, 0x82, 0xd5, 0x81}; static const RSAPublicKey bl_public_key = { NULL, { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus, FIPS_RSA_MODULUS_LENGTH }, { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent, FIPS_RSA_PUBLIC_EXPONENT_LENGTH } }; static const RSAPrivateKey bl_private_key = { NULL, @@ -1442,23 +1563,16 @@ sftk_fips_RSA_PowerUpSelfTest( void ) rsa_computed_plaintext, rsa_known_ciphertext); if( ( rsa_status != SECSuccess ) || ( PORT_Memcmp( rsa_computed_plaintext, rsa_known_plaintext_msg, FIPS_RSA_DECRYPT_LENGTH ) != 0 ) ) goto rsa_loser; - rsa_status = sftk_fips_RSA_PowerUpSigSelfTest (HASH_AlgSHA1, - rsa_public_key, rsa_private_key, - rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, - rsa_known_sha1_signature); - if( rsa_status != SECSuccess ) - goto rsa_loser; - rsa_status = sftk_fips_RSA_PowerUpSigSelfTest (HASH_AlgSHA256, rsa_public_key, rsa_private_key, rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH, rsa_known_sha256_signature); if( rsa_status != SECSuccess ) goto rsa_loser; rsa_status = sftk_fips_RSA_PowerUpSigSelfTest (HASH_AlgSHA384, @@ -1817,107 +1931,91 @@ sftk_fips_RNG_PowerUpSelfTest( void ) 0xc5,0x79,0x10,0x8b,0x23,0x79,0x37,0x14, 0x9f,0x2c,0xc7,0x0b,0x39,0xf8,0xee,0xef, 0x95,0x0c,0x97,0x59,0xfc,0x0a,0x85,0x41, 0x76,0x9d,0x6d,0x67,0x00,0x4e,0x19,0x12, 0x02,0x16,0x53,0xea,0xf2,0x73,0xd7,0xd6, 0x7f,0x7e,0xc8,0xae,0x9c,0x09,0x99,0x7d, 0xbb,0x9e,0x48,0x7f,0xbb,0x96,0x46,0xb3, 0x03,0x75,0xf8,0xc8,0x69,0x45,0x3f,0x97, - 0x5e,0x2e,0x48,0xe1,0x5d,0x58,0x97,0x4c}; + 0x5e,0x2e,0x48,0xe1,0x5d,0x58,0x97,0x4c }; static const PRUint8 rng_known_result[] = { 0x16,0xe1,0x8c,0x57,0x21,0xd8,0xf1,0x7e, 0x5a,0xa0,0x16,0x0b,0x7e,0xa6,0x25,0xb4, 0x24,0x19,0xdb,0x54,0xfa,0x35,0x13,0x66, 0xbb,0xaa,0x2a,0x1b,0x22,0x33,0x2e,0x4a, 0x14,0x07,0x9d,0x52,0xfc,0x73,0x61,0x48, 0xac,0xc1,0x22,0xfc,0xa4,0xfc,0xac,0xa4, - 0xdb,0xda,0x5b,0x27,0x33,0xc4,0xb3,0xec, - 0xb0,0xf2,0xee,0x63,0x11,0x61,0xdb,0x30, - 0xd3,0x04,0x6b,0x96,0x22,0x1e,0x17,0x24, - 0x1a,0x54,0x70,0xf3,0x4d,0x1c,0x6a,0xb0, - 0xf9,0xe3,0xc8,0x07,0x97,0x5f,0xbb,0xe5, - 0xde,0xce,0xa9,0x3f,0x91,0xd3,0x82,0x33, - 0x11,0x3f,0x5b,0xb2,0xa9,0x1e,0x71,0x59, - 0x68,0x8f,0x7d,0x77,0xfd,0xf5,0xcb,0xc8, - 0x8f,0x51,0xb9,0x62,0x30,0x1b,0x12,0xa5, - 0x7a,0xe1,0xf3,0x15,0x49,0x15,0xe9,0xc4, - 0x3d,0x2d,0x1f,0x8c,0xe8,0x4e,0xd1,0xe6, - 0x4e,0xf1,0x7a,0x64,0x2e,0x05,0xd6,0xee, - 0xb8,0x7b,0x71,0x82,0x38,0x2b,0xc5,0xdd, - 0x3a,0x32,0xae,0x64,0x0e,0xed,0x30,0xb2, - 0x00,0x72,0x61,0x65,0xfb,0x09,0x26,0x68, - 0x3e,0x36,0xb3,0x15,0xe2,0x30,0xde,0x49, - 0xed,0x60,0xc5,0x40,0xe1,0x1a,0xe9,0x33, - 0x7f,0x77,0xb5,0xa9,0xf7,0xa1,0xb9,0xdb, - 0x77,0x61,0x00,0xc2,0x18,0xa1,0xa1,0x3a, - 0x0e,0x2a,0x6c,0xa1,0x3f,0x33,0xdd,0xb9, - 0x23,0x48,0x75,0x50,0xd3,0xbb,0xd9,0x0e, - 0xdb,0xb4,0x62,0x33,0x52,0x41,0x5c,0xfc, - 0xdd,0x89,0xd6,0x60,0xe8,0x2b,0x6f,0xb2, - 0x7f,0x4d,0x97,0x8c,0x69,0xa4,0x15,0x16, - 0x4c,0x7f,0x4d,0x8d,0x2e,0xec,0xfa,0x0e, - 0xfa,0x37,0xe9,0x9d,0x21,0x9b,0x69,0x2a, - 0xc5,0x4f,0x5b,0x59,0xe9,0x98,0x73,0x54, - 0x28,0x33,0x4d,0x7c,0x53,0x8c,0x43,0x2b, - 0xc7,0x0e,0xfb,0x35,0x9d,0xf7,0x2e,0x1a, - 0xaa,0x80,0xa3,0x70,0x2c,0x72,0x43,0xb0, - 0x35,0x3b,0xe2,0x58,0x63,0xf8,0x1d,0xcd, - 0x55,0x66,0xb8,0x1e,0x06,0xa5,0xb6,0x4d, - 0xc2,0x9f,0x9b,0xde,0xa3,0xda,0x67,0x0e, - 0xd9,0x4b,0xfd,0x29,0xba,0x16,0x4e,0x03, - 0xe9,0x04,0x9a,0x67,0xf8,0xc4,0xb7,0x01, - 0xba,0x3c,0x5f,0xdd,0x8e,0x56,0xf3,0xea, - 0xf4,0xfb,0x75,0x76,0x30,0x20,0xe6,0xec, - 0x44,0xc9,0x76,0xb2,0x21,0x0c,0x1c,0xb9, - 0x5f,0x27,0xff,0x09,0x45,0x2c,0x26,0xfd, - 0x27,0xb0,0xca,0x67,0xd3,0xb0,0x77,0x3e, - 0x10,0x46,0xdd,0x81,0x70,0x47,0x5c,0x12, - 0xe7,0x37,0x49,0x17,0xf5,0x04,0xbc,0x62, - 0xef,0xba,0x6e,0x1d,0xb9,0x42,0xb5,0xf9, - 0xda,0x2f,0x5b,0x05,0xa7,0x34,0x19,0xf6, - 0xa4,0xdb,0x45,0xb0,0x18,0x6b,0x32,0x75, - 0x0f,0x34,0xc8,0x1c,0x14,0xca,0x4f,0xf9, - 0x43,0x76,0xa5,0x41,0xeb,0xd4,0x37,0xc9, - 0xc8,0x94,0xe7,0x0f,0x4a,0xa1,0x72,0xc7, - 0x48,0xbd,0x1c,0x84,0x74,0x73,0xd1,0x73, - 0xcd,0x1e,0xf0,0xb9,0x66,0x00,0x63,0xab}; + 0xdb,0xda,0x5b,0x27,0x33,0xc4,0xb3 }; + static const PRUint8 reseed_entropy[] = { + 0xc6,0x0b,0x0a,0x30,0x67,0x07,0xf4,0xe2, + 0x24,0xa7,0x51,0x6f,0x5f,0x85,0x3e,0x5d, + 0x67,0x97,0xb8,0x3b,0x30,0x9c,0x7a,0xb1, + 0x52,0xc6,0x1b,0xc9,0x46,0xa8,0x62,0x79 }; + static const PRUint8 additional_input[] = { + 0x86,0x82,0x28,0x98,0xe7,0xcb,0x01,0x14, + 0xae,0x87,0x4b,0x1d,0x99,0x1b,0xc7,0x41, + 0x33,0xff,0x33,0x66,0x40,0x95,0x54,0xc6, + 0x67,0x4d,0x40,0x2a,0x1f,0xf9,0xeb,0x65 }; + static const PRUint8 rng_reseed_result[] = { + 0x02,0x0c,0xc6,0x17,0x86,0x49,0xba,0xc4, + 0x7b,0x71,0x35,0x05,0xf0,0xdb,0x4a,0xc2, + 0x2c,0x38,0xc1,0xa4,0x42,0xe5,0x46,0x4a, + 0x7d,0xf0,0xbe,0x47,0x88,0xb8,0x0e,0xc6, + 0x25,0x2b,0x1d,0x13,0xef,0xa6,0x87,0x96, + 0xa3,0x7d,0x5b,0x80,0xc2,0x38,0x76,0x61, + 0xc7,0x80,0x5d,0x0f,0x05,0x76,0x85 }; static const PRUint8 Q[] = { 0x85,0x89,0x9c,0x77,0xa3,0x79,0xff,0x1a, 0x86,0x6f,0x2f,0x3e,0x2e,0xf9,0x8c,0x9c, 0x9d,0xef,0xeb,0xed}; - static const PRUint8 GENX[] = { + static const PRUint8 GENX[] = { 0x65,0x48,0xe3,0xca,0xac,0x64,0x2d,0xf7, 0x7b,0xd3,0x4e,0x79,0xc9,0x7d,0xa6,0xa8, 0xa2,0xc2,0x1f,0x8f,0xe9,0xb9,0xd3,0xa1, 0x3f,0xf7,0x0c,0xcd,0xa6,0xca,0xbf,0xce, 0x84,0x0e,0xb6,0xf1,0x0d,0xbe,0xa9,0xa3}; - static const PRUint8 rng_known_DSAX[] = { + static const PRUint8 rng_known_DSAX[] = { 0x7a,0x86,0xf1,0x7f,0xbd,0x4e,0x6e,0xd9, 0x0a,0x26,0x21,0xd0,0x19,0xcb,0x86,0x73, 0x10,0x1f,0x60,0xd7}; SECStatus rng_status = SECSuccess; + PR_STATIC_ASSERT(sizeof(rng_known_result) >= sizeof(rng_reseed_result)); PRUint8 result[sizeof(rng_known_result)]; PRUint8 DSAX[FIPS_DSA_SUBPRIME_LENGTH]; /********************************************/ /* Generate random bytes with a known seed. */ /********************************************/ rng_status = PRNGTEST_Instantiate(entropy, sizeof entropy, NULL, 0, NULL, 0); if (rng_status != SECSuccess) { return ( CKR_DEVICE_ERROR ); } - rng_status = PRNGTEST_Generate(result, sizeof result, NULL, 0); + rng_status = PRNGTEST_Generate(result, sizeof rng_known_result, NULL, 0); if ( ( rng_status != SECSuccess) || ( PORT_Memcmp( result, rng_known_result, - sizeof result ) != 0 ) ) { + sizeof rng_known_result ) != 0 ) ) { + PRNGTEST_Uninstantiate(); + return ( CKR_DEVICE_ERROR ); + } + rng_status = PRNGTEST_Reseed(reseed_entropy, sizeof reseed_entropy, + additional_input, sizeof additional_input); + if (rng_status != SECSuccess) { + PRNGTEST_Uninstantiate(); + return ( CKR_DEVICE_ERROR ); + } + rng_status = PRNGTEST_Generate(result, sizeof rng_reseed_result, NULL, 0); + if ( ( rng_status != SECSuccess) || + ( PORT_Memcmp( result, rng_reseed_result, + sizeof rng_reseed_result ) != 0 ) ) { + PRNGTEST_Uninstantiate(); return ( CKR_DEVICE_ERROR ); } rng_status = PRNGTEST_Uninstantiate(); if (rng_status != SECSuccess) { return ( CKR_DEVICE_ERROR ); } /*******************************************/
--- a/security/nss/lib/softoken/legacydb/config.mk +++ b/security/nss/lib/softoken/legacydb/config.mk @@ -85,26 +85,14 @@ EXTRA_SHARED_LIBS += \ -L$(NSPR_LIB_DIR) \ -lplc4 \ -lplds4 \ -lnspr4 \ $(NULL) endif ifeq ($(OS_TARGET),SunOS) -# The -R '$ORIGIN' linker option instructs this library to search for its -# dependencies in the same directory where it resides. -MKSHLIB += -R '$$ORIGIN' OS_LIBS += -lbsm endif -ifeq ($(OS_ARCH), HP-UX) -ifneq ($(OS_TEST), ia64) -# pa-risc -ifeq ($(USE_64), 1) -MKSHLIB += +b '$$ORIGIN' -endif -endif -endif - ifeq ($(OS_TARGET),WINCE) DEFINES += -DDBM_USING_NSPR endif
--- a/security/nss/lib/softoken/pk11pars.h +++ b/security/nss/lib/softoken/pk11pars.h @@ -117,17 +117,17 @@ static PRBool secmod_argGetPair(char c) case '[': return ']'; case '(': return ')'; default: break; } return ' '; } static PRBool secmod_argIsBlank(char c) { - return isspace(c); + return isspace((unsigned char )c); } static PRBool secmod_argIsEscape(char c) { return c == '\\'; } static PRBool secmod_argIsQuote(char c) { switch (c) {
--- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c @@ -2584,18 +2584,16 @@ CK_RV nsc_CommonInitialize(CK_VOID_PTR p crv = CKR_DEVICE_ERROR; return crv; } rv = BL_Init(); /* initialize freebl engine */ if (rv != SECSuccess) { crv = CKR_DEVICE_ERROR; return crv; } - RNG_SystemInfoForRNG(); - /* NOTE: * we should be getting out mutexes from this list, not statically binding * them from NSPR. This should happen before we allow the internal to split * off from the rest on NSS. */ /* initialize the key and cert db's */
--- a/security/nss/lib/softoken/pkcs11u.c +++ b/security/nss/lib/softoken/pkcs11u.c @@ -138,17 +138,17 @@ sftk_FreeAttribute(SFTKAttribute *attrib } } static SFTKAttribute * sftk_FindTokenAttribute(SFTKTokenObject *object,CK_ATTRIBUTE_TYPE type) { SFTKAttribute *myattribute = NULL; SFTKDBHandle *dbHandle = NULL; - CK_RV crv; + CK_RV crv = CKR_HOST_MEMORY; myattribute = (SFTKAttribute*)PORT_Alloc(sizeof(SFTKAttribute)); if (myattribute == NULL) { goto loser; } dbHandle = sftk_getDBForTokenObject(object->obj.slot, object->obj.handle);
--- a/security/nss/lib/softoken/sdb.c +++ b/security/nss/lib/softoken/sdb.c @@ -319,17 +319,17 @@ sdb_getTempDir(sqlite3 *sqlDB) } return tempDir; } /* * Map SQL_LITE errors to PKCS #11 errors as best we can. */ -static int +static CK_RV sdb_mapSQLError(sdbDataType type, int sqlerr) { switch (sqlerr) { /* good matches */ case SQLITE_OK: case SQLITE_DONE: return CKR_OK; case SQLITE_NOMEM: @@ -726,16 +726,17 @@ sdb_FindObjectsInit(SDB *sdb, const CK_A (*find)->sqlDB = sqlDB; UNLOCK_SQLITE() return CKR_OK; } error = sdb_mapSQLError(sdb_p->type, sqlerr); loser: if (findstmt) { + sqlite3_reset(findstmt); sqlite3_finalize(findstmt); } if (sqlDB) { sdb_closeDBLocal(sdb_p, sqlDB) ; } UNLOCK_SQLITE() return error; } @@ -1972,18 +1973,20 @@ s_open(const char *directory, const char char *cert = sdb_BuildFileName(directory, certPrefix, "cert", cert_version, flags); char *key = sdb_BuildFileName(directory, keyPrefix, "key", key_version, flags); CK_RV error = CKR_OK; int inUpdate; PRUint32 accessOps; - *certdb = NULL; - *keydb = NULL; + if (certdb) + *certdb = NULL; + if (keydb) + *keydb = NULL; *newInit = 0; #ifdef SQLITE_UNSAFE_THREADS if (sqlite_lock == NULL) { sqlite_lock = PR_NewLock(); if (sqlite_lock == NULL) { error = CKR_HOST_MEMORY; goto loser;
--- a/security/nss/lib/softoken/sftkdb.c +++ b/security/nss/lib/softoken/sftkdb.c @@ -1323,22 +1323,23 @@ sftkdb_GetAttributeValue(SFTKDBHandle *h return crv; } CK_RV sftkdb_SetAttributeValue(SFTKDBHandle *handle, SFTKObject *object, const CK_ATTRIBUTE *template, CK_ULONG count) { - CK_RV crv = CKR_OK; CK_ATTRIBUTE *ntemplate; unsigned char *data = NULL; PLArenaPool *arena = NULL; + SDB *db; + CK_RV crv = CKR_OK; CK_OBJECT_HANDLE objectID = (object->handle & SFTK_OBJ_ID_MASK); - SDB *db; + PRBool inTransaction = PR_FALSE; if (handle == NULL) { return CKR_TOKEN_WRITE_PROTECTED; } db = SFTK_GET_SDB(handle); /* nothing to do */ if (count == 0) { @@ -1358,43 +1359,47 @@ sftkdb_SetAttributeValue(SFTKDBHandle *h ntemplate = sftkdb_fixupTemplateIn(template, count, &data); if (ntemplate == NULL) { return CKR_HOST_MEMORY; } /* make sure we don't have attributes that conflict with the existing DB */ crv = sftkdb_checkConflicts(db, object->objclass, template, count, objectID); if (crv != CKR_OK) { - return crv; + goto loser; } arena = PORT_NewArena(256); if (arena == NULL) { - return CKR_HOST_MEMORY; + crv = CKR_HOST_MEMORY; + goto loser; } crv = (*db->sdb_Begin)(db); if (crv != CKR_OK) { goto loser; } + inTransaction = PR_TRUE; crv = sftkdb_setAttributeValue(arena, handle, db, objectID, template, count); if (crv != CKR_OK) { goto loser; } crv = (*db->sdb_Commit)(db); loser: - if (crv != CKR_OK) { + if (crv != CKR_OK && inTransaction) { (*db->sdb_Abort)(db); } if (data) { PORT_Free(ntemplate); PORT_Free(data); } - PORT_FreeArena(arena, PR_FALSE); + if (arena) { + PORT_FreeArena(arena, PR_FALSE); + } return crv; } CK_RV sftkdb_DestroyObject(SFTKDBHandle *handle, CK_OBJECT_HANDLE objectID) { CK_RV crv = CKR_OK; SDB *db; @@ -2108,17 +2113,18 @@ sftkdb_updateObjectTemplate(PRArenaPool case CKO_SECRET_KEY: /* secret keys in the old database are all sdr keys, * unfortunately they all appear to have the same CKA_ID, * even though they are truly different keys, so we always * want to update these keys, but we need to * give them a new CKA_ID */ /* NOTE: this changes ptemplate */ attr = sftkdb_getAttributeFromTemplate(CKA_ID,ptemplate,*plen); - crv = sftkdb_incrementCKAID(arena, attr); + crv = attr ? sftkdb_incrementCKAID(arena, attr) + : CKR_HOST_MEMORY; /* in the extremely rare event that we needed memory and * couldn't get it, just drop the key */ if (crv != CKR_OK) { return SFTKDB_DO_NOTHING; } done = PR_FALSE; /* repeat this find loop */ break; default:
--- a/security/nss/lib/softoken/sftkmod.c +++ b/security/nss/lib/softoken/sftkmod.c @@ -623,35 +623,41 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co if (!skip) { fputs(line,fd2); } /* we are definately not in a deleted block anymore */ skip = PR_FALSE; } fclose(fd); fclose(fd2); - /* rename dbname2 to dbname */ if (found) { + /* rename dbname2 to dbname */ PR_Delete(dbname); PR_Rename(dbname2,dbname); + } else { + PR_Delete(dbname2); } PORT_Free(dbname2); + PORT_Free(lib); + PORT_Free(name); return SECSuccess; loser: if (fd != NULL) { fclose(fd); } if (fd2 != NULL) { fclose(fd2); } if (dbname2) { PR_Delete(dbname2); PORT_Free(dbname2); } + PORT_Free(lib); + PORT_Free(name); return SECFailure; } /* * Add a module to the Data base */ SECStatus sftkdb_AddSecmodDB(SDBType dbType, const char *appName, @@ -690,19 +696,19 @@ sftkdb_AddSecmodDB(SDBType dbType, const if (PORT_Strncmp(module, "library=", 8) == 0) { libFound=PR_TRUE; } if (keyEnd == NULL) { block = sftkdb_DupCat(block, module); break; } - value = sftk_argFetchValue(&keyEnd[1], &count); block = sftkdb_DupnCat(block, module, keyEnd-module+1); if (block == NULL) { goto loser; } + value = sftk_argFetchValue(&keyEnd[1], &count); if (value) { block = sftkdb_DupCat(block, sftk_argStrip(value)); PORT_Free(value); } if (block == NULL) { goto loser; } block = sftkdb_DupnCat(block, "\n", 1); module = keyEnd + 1 + count; module = sftk_argStrip(module);
--- a/security/nss/lib/softoken/sftkpars.c +++ b/security/nss/lib/softoken/sftkpars.c @@ -69,17 +69,17 @@ static PRBool sftk_argGetPair(char c) { case '[': return ']'; case '(': return ')'; default: break; } return ' '; } static PRBool sftk_argIsBlank(char c) { - return isspace(c); + return isspace((unsigned char )c); } static PRBool sftk_argIsEscape(char c) { return c == '\\'; } static PRBool sftk_argIsQuote(char c) { switch (c) {
--- a/security/nss/lib/softoken/sftkpwd.c +++ b/security/nss/lib/softoken/sftkpwd.c @@ -605,23 +605,23 @@ sftkdb_GetUpdatePasswordKey(SFTKDBHandle /* * free the update password key from a handle. */ void sftkdb_FreeUpdatePasswordKey(SFTKDBHandle *handle) { SECItem *key = NULL; - /* if we're a cert db, we don't have one */ - if (handle->type == SFTK_CERTDB_TYPE) { + /* don't have one */ + if (!handle) { return; } - /* don't have one */ - if (!handle) { + /* if we're a cert db, we don't have one */ + if (handle->type == SFTK_CERTDB_TYPE) { return; } PZ_Lock(handle->passwordLock); if (handle->updatePasswordKey) { key = handle->updatePasswordKey; handle->updatePasswordKey = NULL; }
--- a/security/nss/lib/softoken/softkver.h +++ b/security/nss/lib/softoken/softkver.h @@ -52,15 +52,15 @@ /* * Softoken's major version, minor version, patch level, and whether * this is a beta release. * * The format of the version string should be * "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]" */ -#define SOFTOKEN_VERSION "3.12.4" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.12.4.4" SOFTOKEN_ECC_STRING #define SOFTOKEN_VMAJOR 3 #define SOFTOKEN_VMINOR 12 #define SOFTOKEN_VPATCH 4 #define SOFTOKEN_BETA PR_FALSE #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/sqlite/config.mk +++ b/security/nss/lib/sqlite/config.mk @@ -50,22 +50,11 @@ endif ifeq ($(OS_TARGET),AIX) EXTRA_LIBS += -lpthreads ifdef BUILD_OPT OPTIMIZER= endif endif ifeq ($(OS_TARGET),SunOS) -# The -R '$ORIGIN' linker option instructs this library to search for its -# dependencies in the same directory where it resides. -MKSHLIB += -R '$$ORIGIN' OS_LIBS += -lbsm endif -ifeq ($(OS_ARCH), HP-UX) -ifneq ($(OS_TEST), ia64) -# pa-risc -ifeq ($(USE_64), 1) -MKSHLIB += +b '$$ORIGIN' -endif -endif -endif
--- a/security/nss/lib/ssl/config.mk +++ b/security/nss/lib/ssl/config.mk @@ -102,24 +102,9 @@ EXTRA_SHARED_LIBS += \ -lplds4 \ -lnspr4 \ $(NULL) ifeq ($(OS_ARCH), BeOS) EXTRA_SHARED_LIBS += -lbe endif -ifeq ($(OS_TARGET),SunOS) -# The -R '$ORIGIN' linker option instructs this library to search for its -# dependencies in the same directory where it resides. -MKSHLIB += -R '$$ORIGIN' endif - -ifeq ($(OS_ARCH), HP-UX) -ifneq ($(OS_TEST), ia64) -# pa-risc -ifeq ($(USE_64), 1) -MKSHLIB += +b '$$ORIGIN' -endif -endif -endif - -endif
--- a/security/nss/lib/ssl/sslmutex.c +++ b/security/nss/lib/ssl/sslmutex.c @@ -28,17 +28,17 @@ * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslmutex.c,v 1.23 2008/12/02 06:36:59 nelson%bolyard.com Exp $ */ +/* $Id: sslmutex.c,v 1.24 2009/06/05 02:34:14 nelson%bolyard.com Exp $ */ #include "seccomon.h" /* This ifdef should match the one in sslsnce.c */ #if defined(XP_UNIX) || defined(XP_WIN32) || defined (XP_OS2) || defined(XP_BEOS) #include "sslmutex.h" #include "prerr.h" @@ -84,17 +84,17 @@ static SECStatus single_process_sslMutex if (!pMutex->u.sslLock) { PORT_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; } PR_Lock(pMutex->u.sslLock); return SECSuccess; } -#if defined(LINUX) || defined(AIX) || defined(VMS) || defined(BEOS) || defined(BSDI) || (defined(NETBSD) && __NetBSD_Version__ < 500000000) || defined(OPENBSD) +#if defined(LINUX) || defined(AIX) || defined(BEOS) || defined(BSDI) || (defined(NETBSD) && __NetBSD_Version__ < 500000000) || defined(OPENBSD) #include <unistd.h> #include <fcntl.h> #include <string.h> #include <errno.h> #include "unix_err.h" #include "pratom.h"
--- a/security/nss/lib/ssl/sslmutex.h +++ b/security/nss/lib/ssl/sslmutex.h @@ -28,17 +28,17 @@ * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslmutex.h,v 1.11 2008/12/02 06:36:59 nelson%bolyard.com Exp $ */ +/* $Id: sslmutex.h,v 1.12 2009/06/05 02:34:15 nelson%bolyard.com Exp $ */ #ifndef __SSLMUTEX_H_ #define __SSLMUTEX_H_ 1 /* What SSL really wants is portable process-shared unnamed mutexes in * shared memory, that have the property that if the process that holds * them dies, they are released automatically, and that (unlike fcntl * record locking) lock to the thread, not to the process. * NSPR doesn't provide that. @@ -78,17 +78,17 @@ typedef struct #endif PRLock* sslLock; HANDLE sslMutx; } u; } sslMutex; typedef int sslPID; -#elif defined(LINUX) || defined(AIX) || defined(VMS) || defined(BEOS) || defined(BSDI) || (defined(NETBSD) && __NetBSD_Version__ < 500000000) || defined(OPENBSD) +#elif defined(LINUX) || defined(AIX) || defined(BEOS) || defined(BSDI) || (defined(NETBSD) && __NetBSD_Version__ < 500000000) || defined(OPENBSD) #include <sys/types.h> #include "prtypes.h" typedef struct { PRBool isMultiProcess; union { PRLock* sslLock;
--- a/security/nss/lib/ssl/sslsnce.c +++ b/security/nss/lib/ssl/sslsnce.c @@ -31,17 +31,17 @@ * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslsnce.c,v 1.49 2008/12/02 06:36:59 nelson%bolyard.com Exp $ */ +/* $Id: sslsnce.c,v 1.50 2009/06/05 02:34:15 nelson%bolyard.com Exp $ */ /* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server * cache sids! * * About record locking among different server processes: * * All processes that are part of the same conceptual server (serving on * the same address and port) MUST share a common SSL session cache. @@ -255,17 +255,17 @@ static PRBool isMultiProcess = PR_FALSE #define DEF_SSL2_TIMEOUT 100 /* seconds */ #define MAX_SSL2_TIMEOUT 100 /* seconds */ #define MIN_SSL2_TIMEOUT 5 /* seconds */ #define DEF_SSL3_TIMEOUT 86400L /* 24 hours */ #define MAX_SSL3_TIMEOUT 86400L /* 24 hours */ #define MIN_SSL3_TIMEOUT 5 /* seconds */ -#if defined(AIX) || defined(LINUX) || defined(VMS) || defined(NETBSD) || defined(OPENBSD) +#if defined(AIX) || defined(LINUX) || defined(NETBSD) || defined(OPENBSD) #define MAX_SID_CACHE_LOCKS 8 /* two FDs per lock */ #elif defined(OSF1) #define MAX_SID_CACHE_LOCKS 16 /* one FD per lock */ #else #define MAX_SID_CACHE_LOCKS 256 #endif #define SID_HOWMANY(val, size) (((val) + ((size) - 1)) / (size))
--- a/security/nss/lib/util/config.mk +++ b/security/nss/lib/util/config.mk @@ -75,30 +75,8 @@ EXTRA_SHARED_LIBS += \ -L$(NSPR_LIB_DIR) \ -lplc4 \ -lplds4 \ -lnspr4 \ $(NULL) endif -ifeq ($(OS_TARGET),SunOS) -ifeq ($(BUILD_SUN_PKG), 1) -# The -R '$ORIGIN' linker option instructs this library to search for its -# dependencies in the same directory where it resides. -ifeq ($(USE_64), 1) -MKSHLIB += -R '$$ORIGIN:/usr/lib/mps/secv1/64:/usr/lib/mps/64' -else -MKSHLIB += -R '$$ORIGIN:/usr/lib/mps/secv1:/usr/lib/mps' -endif -else -MKSHLIB += -R '$$ORIGIN' -endif -endif - -ifeq ($(OS_ARCH), HP-UX) -ifneq ($(OS_TEST), ia64) -# pa-risc -ifeq ($(USE_64), 1) -MKSHLIB += +b '$$ORIGIN' -endif -endif -endif
--- a/security/nss/lib/util/nssutil.h +++ b/security/nss/lib/util/nssutil.h @@ -46,15 +46,15 @@ /* * NSS utilities's major version, minor version, patch level, and whether * this is a beta release. * * The format of the version string should be * "<major version>.<minor version>[.<patch level>][ <Beta>]" */ -#define NSSUTIL_VERSION "3.12.4 Beta" +#define NSSUTIL_VERSION "3.12.4.4 Beta" #define NSSUTIL_VMAJOR 3 #define NSSUTIL_VMINOR 12 #define NSSUTIL_VPATCH 4 #define NSSUTIL_BETA PR_TRUE #endif /* __nssutil_h_ */
--- a/security/nss/pkg/solaris/SUNWtlsd/prototype +++ b/security/nss/pkg/solaris/SUNWtlsd/prototype @@ -33,17 +33,17 @@ # use your version of this file under the terms of the MPL, indicate your # decision by deleting the provisions above and replace them with the notice # and other provisions required by the GPL or the LGPL. If you do not delete # the provisions above, a recipient may use your version of this file under # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** # -#ident "$Id: prototype,v 1.9 2009/03/02 23:21:03 christophe.ravel.bugs%sun.com Exp $" +#ident "$Id: prototype,v 1.10 2009/06/25 01:29:18 julien.pierre.boogz%sun.com Exp $" # # This required package information file contains a list of package contents. # The 'pkgmk' command uses this file to identify the contents of a package # and their location on the development machine when building the package. # Can be created via a text editor or through use of the 'pkgproto' command. #!search <pathname pathname ...> # where to find pkg objects #!include <filename> # include another 'prototype' file @@ -154,8 +154,9 @@ f none usr/include/mps/secport.h 0644 ro #f none usr/include/mps/secrng.h 0644 root bin #f none usr/include/mps/secrngt.h 0644 root bin f none usr/include/mps/shsign.h 0644 root bin f none usr/include/mps/smime.h 0644 root bin f none usr/include/mps/ssl.h 0644 root bin f none usr/include/mps/sslerr.h 0644 root bin f none usr/include/mps/sslproto.h 0644 root bin f none usr/include/mps/sslt.h 0644 root bin +f none usr/include/mps/utilrename.h 0644 root bin
--- a/security/nss/tests/chains/chains.sh +++ b/security/nss/tests/chains/chains.sh @@ -162,17 +162,18 @@ 9 n y -1 n 5 6 7 9 -n" > ${CU_DATA} +n +" > ${CU_DATA} TESTNAME="Creating Root CA ${ENTITY}" echo "${SCRIPTNAME}: ${TESTNAME}" echo "certutil -s \"CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US\" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA}" print_cu_data ${BINDIR}/certutil -s "CN=${ENTITY} ROOT CA, O=${ENTITY}, C=US" -S -n ${ENTITY} ${CTYPE_OPT} -t CTu,CTu,CTu -v 600 -x -d ${ENTITY_DB} -1 -2 -5 -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -m ${CERT_SN} < ${CU_DATA} html_msg $? 0 "${SCENARIO}${TESTNAME}" @@ -199,30 +200,35 @@ create_cert_req() CTYPE_OPT= if [ -n "${CTYPE}" ]; then CTYPE_OPT="-k ${CTYPE}" fi CA_FLAG= EXT_DATA= + OPTIONS= + if [ "${TYPE}" != "EE" ]; then CA_FLAG="-2" EXT_DATA="y -1 -y" +y +" fi + process_crldp + echo "${EXT_DATA}" > ${CU_DATA} TESTNAME="Creating ${TYPE} certifiate request ${REQ}" echo "${SCRIPTNAME}: ${TESTNAME}" - echo "certutil -s \"CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US\" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} < ${CU_DATA}" + echo "certutil -s \"CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US\" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA}" print_cu_data - ${BINDIR}/certutil -s "CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} < ${CU_DATA} + ${BINDIR}/certutil -s "CN=${ENTITY} ${TYPE}, O=${ENTITY}, C=US" ${CTYPE_OPT} -R ${CA_FLAG} -d ${ENTITY_DB} -f ${ENTITY_DB}/dbpasswd -z ${NOISE_FILE} -o ${REQ} ${OPTIONS} < ${CU_DATA} html_msg $? 0 "${SCENARIO}${TESTNAME}" } ############################ create_entity ############################# # local shell function to create certificate chain entity ######################################################################## create_entity() { @@ -390,34 +396,96 @@ process_ocsp() if [ -n "${OCSP}" ]; then OPTIONS="${OPTIONS} --extAIA" DATA="${DATA}2 7 ${NSS_AIA_OCSP}:${OCSP} 0 n -n" +n +" + fi +} + +process_crldp() +{ + if [ -n "${CRLDP}" ]; then + OPTIONS="${OPTIONS} -4" + + EXT_DATA="${EXT_DATA}1 +" + + for ITEM in ${CRLDP}; do + CRL_PUBLIC="${HOST}-$$-${ITEM}.crl" + + EXT_DATA="${EXT_DATA}7 +${NSS_AIA_HTTP}/${CRL_PUBLIC} +" + done + + EXT_DATA="${EXT_DATA}0 +0 +0 +n +n +" fi } +process_ku_ns_eku() +{ + if [ -n "${EXT_KU}" ]; then + OPTIONS="${OPTIONS} --keyUsage ${EXT_KU}" + fi + if [ -n "${EXT_NS}" ]; then + EXT_NS_KEY=$(echo ${EXT_NS} | cut -d: -f1) + EXT_NS_CODE=$(echo ${EXT_NS} | cut -d: -f2) + + OPTIONS="${OPTIONS} --nsCertType ${EXT_NS_KEY}" + DATA="${DATA}${EXT_NS_CODE} +-1 +n +" + fi + if [ -n "${EXT_EKU}" ]; then + OPTIONS="${OPTIONS} --extKeyUsage ${EXT_EKU}" + fi +} + +copy_crl() + +{ + if [ -z "${NSS_AIA_PATH}" ]; then + return; + fi + + CRL_LOCAL="${COPYCRL}.crl" + CRL_PUBLIC="${HOST}-$$-${COPYCRL}.crl" + + cp ${CRL_LOCAL} ${NSS_AIA_PATH}/${CRL_PUBLIC} 2> /dev/null + chmod a+r ${NSS_AIA_PATH}/${CRL_PUBLIC} + echo ${NSS_AIA_PATH}/${CRL_PUBLIC} >> ${AIA_FILES} +} + ########################## process_extension ########################### # local shell function to process entity extension parameters and # generate input for certutil ######################################################################## process_extensions() { OPTIONS= DATA= process_policy process_mapping process_inhibit process_aia process_ocsp + process_ku_ns_eku } ############################## sign_cert ############################### # local shell function to sign certificate sign reuqest ######################################################################## sign_cert() { ENTITY=$1 @@ -658,26 +726,29 @@ verify_cert() VFY_LIST="${VFY_LIST} ${CERT_NICK}.cert" else CERT=${CERT_NICK}${CERT_ISSUER}.der VFY_CERTS="${VFY_CERTS} ${CERT}" VFY_LIST="${VFY_LIST} ${CERT}" fi done - TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${POLICY_OPT} ${TRUST_OPT}" + VFY_OPTS_TNAME="${REV_OPTS} ${DB_OPT} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}" + VFY_OPTS_ALL="${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}" + + TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}" echo "${SCRIPTNAME}: ${TESTNAME}" - echo "vfychain ${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}" + echo "vfychain ${VFY_OPTS_ALL}" if [ -z "${MEMLEAK_DBG}" ]; then - VFY_OUT=$(${BINDIR}/vfychain ${DB_OPT} -pp -vv ${REV_OPTS} ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT} 2>&1) + VFY_OUT=$(${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>&1) RESULT=$? echo "${VFY_OUT}" else - VFY_OUT=$(${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${REV_OPTS} ${DB_OPT} -pp -vv ${FETCH_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT} 2>> ${LOGFILE}) + VFY_OUT=$(${RUN_COMMAND_DBG} ${BINDIR}/vfychain ${VFY_OPTS_ALL} 2>> ${LOGFILE}) RESULT=$? echo "${VFY_OUT}" fi echo "${VFY_OUT}" | grep "ERROR -5990: I/O operation timed out" > /dev/null E5990=$? echo "${VFY_OUT}" | grep "ERROR -8030: Server returned bad HTTP response" > /dev/null E8030=$? @@ -694,17 +765,16 @@ verify_cert() html_passed "${SCENARIO}${TESTNAME}" elif [ "${EXP_RESULT}" = "fail" -a ${RESULT} -ne 0 ]; then html_passed "${SCENARIO}${TESTNAME}" else html_failed "${SCENARIO}${TESTNAME}" fi } - check_ocsp() { OCSP_CERT=$1 CERT_NICK=`echo ${OCSP_CERT} | cut -d: -f1` CERT_ISSUER=`echo ${OCSP_CERT} | cut -d: -f2` if [ "${CERT_ISSUER}" = "x" ]; then @@ -717,17 +787,17 @@ check_ocsp() fi OCSP_HOST=$(${BINDIR}/pp -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//") if [ "${OS_ARCH}" = "WINNT" ]; then ping -n 1 ${OCSP_HOST} return $? elif [ "${OS_ARCH}" = "HP-UX" ]; then - ping ${OCSP_HOST} -c 1 + ping ${OCSP_HOST} -n 1 return $? else ping -c 1 ${OCSP_HOST} return $? fi } ############################ parse_result ############################## @@ -775,19 +845,23 @@ parse_config() ENTITY="${VALUE}" TYPE= ISSUER= CTYPE= POLICY= MAPPING= INHIBIT= AIA= + CRLDP= OCSP= DB= EMAILS= + EXT_KU= + EXT_NS= + EXT_EKU= ;; "type") TYPE="${VALUE}" ;; "issuer") if [ -n "${ISSUER}" ]; then if [ -z "${DB}" ]; then create_entity "${ENTITY}" "${TYPE}" @@ -795,32 +869,38 @@ parse_config() sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}" fi ISSUER="${VALUE}" POLICY= MAPPING= INHIBIT= AIA= + EXT_KU= + EXT_NS= + EXT_EKU= ;; "ctype") CTYPE="${VALUE}" ;; "policy") POLICY="${POLICY} ${VALUE}" ;; "mapping") MAPPING="${MAPPING} ${VALUE}" ;; "inhibit") INHIBIT="${VALUE}" ;; "aia") AIA="${AIA} ${VALUE}" ;; + "crldp") + CRLDP="${CRLDP} ${VALUE}" + ;; "ocsp") OCSP="${VALUE}" ;; "db") DB="${VALUE}DB" create_db "${DB}" ;; "import") @@ -837,23 +917,28 @@ parse_config() create_crl "${ISSUER}" ;; "revoke") REVOKE="${VALUE}" ;; "serial") SERIAL="${VALUE}" ;; + "copycrl") + COPYCRL="${VALUE}" + copy_crl "${COPYCRL}" + ;; "verify") VERIFY="${VALUE}" TRUST= POLICY= FETCH= EXP_RESULT= REV_OPTS= + USAGE_OPT= ;; "cert") VERIFY="${VERIFY} ${VALUE}" ;; "testdb") if [ -n "${VALUE}" ]; then DB="${VALUE}DB" else @@ -902,16 +987,28 @@ parse_config() ;; "check_ocsp") check_ocsp ${VALUE} if [ $? -ne 0 ]; then echo "OCSP server not accessible, skipping OCSP tests" break; fi ;; + "ku") + EXT_KU="${VALUE}" + ;; + "ns") + EXT_NS="${VALUE}" + ;; + "eku") + EXT_EKU="${VALUE}" + ;; + "usage") + USAGE_OPT="-u ${VALUE}" + ;; "") if [ -n "${ENTITY}" ]; then if [ -z "${DB}" ]; then create_entity "${ENTITY}" "${TYPE}" fi sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}" if [ "${TYPE}" = "Bridge" ]; then create_pkcs7 "${ENTITY}"
--- a/security/nss/tests/dbtests/dbtests.sh +++ b/security/nss/tests/dbtests/dbtests.sh @@ -75,18 +75,16 @@ dbtest_init() . ./init.sh fi if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here cd ../cert . ./cert.sh fi SCRIPTNAME="dbtests.sh" - DBTEST_LOG=${HOSTDIR}/dbtest.log #we don't want all the errormessages - # in the output.log, otherwise we can't tell what's a real error RONLY_DIR=${HOSTDIR}/ronlydir EMPTY_DIR=${HOSTDIR}/emptydir CONFLICT_DIR=${HOSTDIR}/conflictdir html_head "CERT and Key DB Tests" } @@ -278,10 +276,10 @@ dbtest_main() html_passed "Nicknane conflict test-setting nickname conflict was correctly rejected" fi } ################## main ################################################# dbtest_init -dbtest_main >$DBTEST_LOG 2>&1 +dbtest_main 2>&1 dbtest_cleanup
index 1a8a0859330596e5b06b9f2899f7824077af6898..6e7f755542f4bf82aa4c6122d5da340fdcf4d14c GIT binary patch literal 1483 zc$|GydrT8|9PeGPErkNID+Q6qAwmGP{a(vk7-5A8K6n*s1*e?lfJ$juTPTPcsak^5 zz?k9|Hy$n#CL?3RxT%9VkN~=wi4Nn;f?>*ZW+O7iJz&`#0+B88{`!5tpYQYY{p7&L z8w4BnNedT6P;}Xj&Glb!`UPFbkDe%M)%gAm&U|60J=y-u89{hF4pd(toj}OvW@CID z%~p{f;LaM3xQm)L=~TKx!x|#Rpp}w-;KKq=xMTq!vP@-W3z14&tVUBYxelVA2gtK% zQ;C@{77%4-nxHI1k;PJKj*-c%R;#p}Nj5XdQmwH>W-6tKU~LFQkYONalezfn#p+5u zWi}HEBB{bc8}jLVLQUy)`IJRxG!QD)CPJA2z8=mH4Po*qnEP@(oJoK%Amxhi=<w(q zupzD_4sLv>)qDg)Y>}}j!kyc4Ie5J2L~(~iT2EOi6HTsw<?JM`_$z8s3TxOg*fqkX z!8=39W#GbsJY1jvGE5#3xs*J%7h|}I9iziZ1-VuZa&p1xfIBLg1qzHNgN`EIz?F3h z#11OTKx{CYX;K1W)+H1>%b6@9l^_{%RTk16@VSeKMd?&!I;Ee#hc|f5(JjVP3{26I zd15Nf7P`c|a7M1!g(ba|sw}1SEagz${GtL79*0|flu<z~T3yY#_aJig!I<06(u@;f z2VyhoYM!(;kF^f<c3-*Hn0QqYpL->+UCwLv(M&ws|7z&?xae$;rhBkEHJ~djJu~;Q zLb&y5O;prh>Af;zXXa4f$w}qDg#M~5dqT$W_1j<nnVjRU)!s+Sn}>&bJ|8@yYmh$L zd+Xus-P#SeD;mna?JGvP2nYGlhWySPZgP%S9~?u0Gp9Ts7fgbQ&v#UrZnS0Bjd2Kn z_akFdcP83m!HI=kF^r4yTHrO-@WU82LS##Li^5K_@?+GOq*l?|G84U4Ytk>3;Q}HD zh>$WUB(gOKEDl&rJLTDv5&IuWh`@snp%Bb>V1&ct2~b4h{W4`gpE?j@?>e8tMHXKu z__1&R<_VJh;+ezg7n;ro=2T@LN;}Tc);-h|D`C$<FoIyEV1Ts?HXwHY|1M?JnoF0A z0C9`q=>IvObkxf@piN*{>@LD~LSF0kmTiy&8c<7wx)Q38mKEv>z#sfTz~`-Y;i6uc zcw_PT;6}da;&+)*Cqq8oD0s`C=LtcQRrAgD#zN!LrsZbVM@rdJOaDt;8-j4`ABhUv zW%0&mX#+(qLvG4*PvQp;@Y_G|n<}m;AMYIw=v;rcdtl=)^~X|tCu&41uZ$M$8x7iY z`IfAyvG%D~dz0ak@8n3srqkt~vvJmB`s$Z6v*$w7yYf$9r(*V2wa46>YU)4u`sPzn z_Cw9vrm2cOw!=TUkL<d5Y0Kk=`bL9DFqwCM%b5nZ!z=M~>L1Ra9evlozxnp~8(UjD z)dBsx$W+a{@izsKRFM`@+b0~cy+3kr-Fs~@ej&NnPFMc3<IOvrxsRQ$#)WP>wEJ?= zK*(9w$o5r<$|t#b)^~ne5!A8%(O0wHyE~~H)BW3fK)7P_r=Q{9)cyFYW~%jA;>_LY Fe*yj$-W31<
index 28e971d684413f6336f2a1197e655cb1c2c9b4fc..459373be94872c6cf99e61b0550d14e82f28497d GIT binary patch literal 1512 zc$_n6Vtr!J#Byc<GZP~dlR$KN<T3G<hjGW%4;W3=)W|mAW#iOp^Jx3d%gD&e%3#oV z%8=WDlZ`o)g-w_#G}utwKorE`66Om_Ey@heOwZF%@XSlrGn6-w1xauVi@_umLW)X@ zOBDQ4OUm<$vJI^aEFcODHIg+Ij0_CS6i|&&&{c5DFH%S>Ey>6)%B)IFQ7A1=RmjiF zsWfyoa0cmR7Pf&K?wpfYT&!TM5Kx+wlbNg#P?VXQSX8OtoLW?pnU<NHSdy8ar{D-N ztE3WWw!5i;oH(z6nW3S9g#j2uiSrtQxaLO2rk19bQ3j2>sO4E}151bkqmb01++v0N zG_Yq9OB6CnN(zdt^!3Zj%k|2Dnu~#&^^)^*^@|D;6@VcFbfAfW5yZFJ7`}C_C`rvr z0R~N2VoqiX#FN3nJ_^o`22G4g$dSj$%D~*j$j<;2=VEGNWMr6edqL>yIe*0~AJ57Y zk=+<QL%Cfnuf1%}RtxK`3#zuTCv!?Z)9Ub8`F!p+gD8&aJa1M#5z8z}Ql9m@Dnw(( zQ6Amx*Oj)N_-P@2{O&D7w^>s}`sTf>Sg>8`if71l-=`(fllHvH(YgQp;5KQg(Cjo0 z=6culvy49q9LSmJHA%&gBlj+oU1C{9#kRL~=Ie4kcRt+y@Q&!2?P2p97Hnj#_cIs$ zzg=IhpUuKPV0)&<;;m`%W>P^O&S^pS7ftfNERnG9@vAt=Le~BBWO6c!RP#4i7oW`C zEA)T1qfy+K7j;Lu7yG1K^xLDxk@{P5dPK!T<Na?l>^7>q<{x<UW_srLn9JV-nV1<F z7#BA&UIK>5IdJ^R^0A1qi2Uga*fnpbYE*S-tN&Dn<o=ft+0F(+AZcMn#{VoF25dlz ziIKs;79^&?VrBq}9~K~!!9dGEgN;L*4VY8dnHa@naK>$NK`}(TJVg5fg9UnRIw0jh z)vjT|smY~9sk+HUIjGtSk`s+}(@ph&5(a!A?ff7Yu>f-}n}Hx3XF{6?W7`iWMn<Sm zF3c^AJS>R@@e5-YL>ojJgd2p4aRM_(da8bUW}1PbfxH1b8>==SGm{jHNdMEzQf+H` z`?3$8Z^*jhA)!+(sb`=nrVMpjPJVhms*}o!!D1kjG(j#BWKl9uSR!X2V<=@H0ZFxj z;KXX|>}X_QVxeoOYhn)cJIrN_EQSX92D&i50b`pYdNAZC7Z;#dY9J4?Nts2$K&(Ne z{&MQ_LwDco{$RlQ+1c_J(|Th=W3)nx8I;_oE&5ge%=YaS?Q`2j?GF?&$9L}%o1psr zQ1gxBr6$Q4Lcu)2oz*A9IF}zbbMfQ5kd(B!?bnNivrW=_gO$YX{;qkKuIKzHw%)kq z)1ra{c}>#~nEX{erd<E_*@mOx&Mlkn>3+QM%|l+KFnrS*!-vyVluruBmOOQP&sj6? z;Y>p=j!NnN!ujH9CoImt>zTfdZD+CDlgm>MK26xFTB>_9)9}sNX@?h={e4m5vPNj9 z@BY9SJFmF-sh?h_aIsFSW?QoRys}->FNi(o&dL4moNvsnX;A)a?$57&JIXenmDuuA q;l1tcXQ$TAzTkJMeI@TQm*RlC1<`NU)_Ltwy1GK`$)Q#S-kSh$LJTSZ