diff options
| author | nelsonb%netscape.com <devnull@localhost> | 2005-04-06 19:43:19 +0000 |
|---|---|---|
| committer | nelsonb%netscape.com <devnull@localhost> | 2005-04-06 19:43:19 +0000 |
| commit | bacf6dd62bff2253687c3a993cbce138cb39a7d1 (patch) | |
| tree | 3597dd003ebc3d90d4c0c5c096d9f341d28d5d02 | |
| parent | 26544f3a28a76ed1a2561a4ddb4aaf805f409f4a (diff) | |
| parent | 8047a8767235d27070be6c2dab297c6260d107bd (diff) | |
| download | nss-hg-bacf6dd62bff2253687c3a993cbce138cb39a7d1.tar.gz | |
Remove fortezza support from libSSL and related commands. Bug 239960.
ON PERFORMANCE_HACKS_BRANCH. r=rrelyea.
40 files changed, 1140 insertions, 1349 deletions
diff --git a/security/dbm/Makefile b/security/dbm/Makefile new file mode 100644 index 000000000..34cd6d899 --- /dev/null +++ b/security/dbm/Makefile @@ -0,0 +1,80 @@ +#! gmake +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is Netscape +# Communications Corporation. Portions created by Netscape are +# Copyright (C) 1994-2000 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the +# terms of the GNU General Public License Version 2 or later (the +# "GPL"), in which case the provisions of the GPL are applicable +# instead of those above. If you wish to allow use of your +# version of this file only under the terms of the GPL and not to +# allow others to use your version of this file under the MPL, +# indicate your decision by deleting the provisions above and +# replace them with the notice and other provisions required by +# the GPL. If you do not delete the provisions above, a recipient +# may use your version of this file under either the MPL or the +# GPL. +# + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + + + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + +coreconf_hack: + cd ../coreconf; gmake + gmake import + +RelEng_bld: coreconf_hack + gmake diff --git a/security/dbm/config/config.mk b/security/dbm/config/config.mk new file mode 100644 index 000000000..753364931 --- /dev/null +++ b/security/dbm/config/config.mk @@ -0,0 +1,67 @@ +#! gmake +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is Netscape +# Communications Corporation. Portions created by Netscape are +# Copyright (C) 1994-2000 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the +# terms of the GNU General Public License Version 2 or later (the +# "GPL"), in which case the provisions of the GPL are applicable +# instead of those above. If you wish to allow use of your +# version of this file only under the terms of the GPL and not to +# allow others to use your version of this file under the MPL, +# indicate your decision by deleting the provisions above and +# replace them with the notice and other provisions required by +# the GPL. If you do not delete the provisions above, a recipient +# may use your version of this file under either the MPL or the +# GPL. +# + +# +# These macros are defined by mozilla's configure script. +# We define them manually here. +# + +DEFINES += -DSTDC_HEADERS -DHAVE_STRERROR + +# +# Most platforms have snprintf, so it's simpler to list the exceptions. +# +HAVE_SNPRINTF = 1 +# +# OSF1 V4.0D doesn't have snprintf but V5.0A does. +# +ifeq ($(OS_TARGET)$(OS_RELEASE),OSF1V4.0D) +HAVE_SNPRINTF = +endif +ifdef HAVE_SNPRINTF +DEFINES += -DHAVE_SNPRINTF +endif + +ifeq (,$(filter-out IRIX Linux,$(OS_TARGET))) +DEFINES += -DHAVE_SYS_CDEFS_H +endif + +ifeq (,$(filter-out DGUX NCR ReliantUNIX SCO_SV SCOOS UNIXWARE,$(OS_TARGET))) +DEFINES += -DHAVE_SYS_BYTEORDER_H +endif + +# +# None of the platforms that we are interested in need to +# define HAVE_MEMORY_H. +# diff --git a/security/dbm/include/Makefile b/security/dbm/include/Makefile new file mode 100644 index 000000000..ba4dd8ddf --- /dev/null +++ b/security/dbm/include/Makefile @@ -0,0 +1,76 @@ +#! gmake +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is Netscape +# Communications Corporation. Portions created by Netscape are +# Copyright (C) 1994-2000 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the +# terms of the GNU General Public License Version 2 or later (the +# "GPL"), in which case the provisions of the GPL are applicable +# instead of those above. If you wish to allow use of your +# version of this file only under the terms of the GPL and not to +# allow others to use your version of this file under the MPL, +# indicate your decision by deleting the provisions above and +# replace them with the notice and other provisions required by +# the GPL. If you do not delete the provisions above, a recipient +# may use your version of this file under either the MPL or the +# GPL. +# + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + + + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + + + diff --git a/security/dbm/include/manifest.mn b/security/dbm/include/manifest.mn new file mode 100644 index 000000000..886fedd98 --- /dev/null +++ b/security/dbm/include/manifest.mn @@ -0,0 +1,57 @@ +#! gmake +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is Netscape +# Communications Corporation. Portions created by Netscape are +# Copyright (C) 1994-2000 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the +# terms of the GNU General Public License Version 2 or later (the +# "GPL"), in which case the provisions of the GPL are applicable +# instead of those above. If you wish to allow use of your +# version of this file only under the terms of the GPL and not to +# allow others to use your version of this file under the MPL, +# indicate your decision by deleting the provisions above and +# replace them with the notice and other provisions required by +# the GPL. If you do not delete the provisions above, a recipient +# may use your version of this file under either the MPL or the +# GPL. +# + +CORE_DEPTH = ../.. + +VPATH = $(CORE_DEPTH)/../dbm/include + +MODULE = dbm + +EXPORTS = nsres.h \ + cdefs.h \ + mcom_db.h \ + ncompat.h \ + winfile.h \ + $(NULL) + +PRIVATE_EXPORTS = hsearch.h \ + page.h \ + extern.h \ + ndbm.h \ + queue.h \ + hash.h \ + mpool.h \ + search.h \ + $(NULL) + diff --git a/security/dbm/manifest.mn b/security/dbm/manifest.mn new file mode 100644 index 000000000..d4065f761 --- /dev/null +++ b/security/dbm/manifest.mn @@ -0,0 +1,45 @@ +#! gmake +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is Netscape +# Communications Corporation. Portions created by Netscape are +# Copyright (C) 1994-2000 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the +# terms of the GNU General Public License Version 2 or later (the +# "GPL"), in which case the provisions of the GPL are applicable +# instead of those above. If you wish to allow use of your +# version of this file only under the terms of the GPL and not to +# allow others to use your version of this file under the MPL, +# indicate your decision by deleting the provisions above and +# replace them with the notice and other provisions required by +# the GPL. If you do not delete the provisions above, a recipient +# may use your version of this file under either the MPL or the +# GPL. +# + +CORE_DEPTH = .. + +MODULE = dbm + +IMPORTS = nspr20/v4.4.1 + +RELEASE = dbm + +DIRS = include \ + src \ + $(NULL) diff --git a/security/dbm/src/Makefile b/security/dbm/src/Makefile new file mode 100644 index 000000000..8fce98394 --- /dev/null +++ b/security/dbm/src/Makefile @@ -0,0 +1,76 @@ +#! gmake +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is Netscape +# Communications Corporation. Portions created by Netscape are +# Copyright (C) 1994-2000 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the +# terms of the GNU General Public License Version 2 or later (the +# "GPL"), in which case the provisions of the GPL are applicable +# instead of those above. If you wish to allow use of your +# version of this file only under the terms of the GPL and not to +# allow others to use your version of this file under the MPL, +# indicate your decision by deleting the provisions above and +# replace them with the notice and other provisions required by +# the GPL. If you do not delete the provisions above, a recipient +# may use your version of this file under either the MPL or the +# GPL. +# + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/dbm/config/config.mk + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include config.mk + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + + + diff --git a/security/dbm/src/config.mk b/security/dbm/src/config.mk new file mode 100644 index 000000000..370fd75d6 --- /dev/null +++ b/security/dbm/src/config.mk @@ -0,0 +1,63 @@ +#! gmake +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is Netscape +# Communications Corporation. Portions created by Netscape are +# Copyright (C) 1994-2000 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the +# terms of the GNU General Public License Version 2 or later (the +# "GPL"), in which case the provisions of the GPL are applicable +# instead of those above. If you wish to allow use of your +# version of this file only under the terms of the GPL and not to +# allow others to use your version of this file under the MPL, +# indicate your decision by deleting the provisions above and +# replace them with the notice and other provisions required by +# the GPL. If you do not delete the provisions above, a recipient +# may use your version of this file under either the MPL or the +# GPL. +# + +DEFINES += -DMEMMOVE -D__DBINTERFACE_PRIVATE $(SECURITY_FLAG) + +INCLUDES += -I$(CORE_DEPTH)/../dbm/include + +# +# Currently, override TARGETS variable so that only static libraries +# are specifed as dependencies within rules.mk. +# + +TARGETS = $(LIBRARY) +SHARED_LIBRARY = +IMPORT_LIBRARY = +PURE_LIBRARY = +PROGRAM = + +ifdef SHARED_LIBRARY + ifeq (,$(filter-out WINNT WIN95 WINCE,$(OS_TARGET))) # list omits WIN16 + DLLBASE=/BASE:0x30000000 + RES=$(OBJDIR)/dbm.res + RESNAME=../include/dbm.rc + endif + ifeq ($(DLL_SUFFIX),dll) + DEFINES += -D_DLL + endif +endif + +ifeq ($(OS_TARGET),AIX) + OS_LIBS += -lc_r +endif diff --git a/security/dbm/src/dirent.c b/security/dbm/src/dirent.c new file mode 100644 index 000000000..001a48c5c --- /dev/null +++ b/security/dbm/src/dirent.c @@ -0,0 +1,348 @@ +#ifdef OS2 + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <ctype.h> + +#include <dirent.h> +#include <errno.h> + +/*#ifndef __EMX__ +#include <libx.h> +#endif */ + +#define INCL_DOSFILEMGR +#define INCL_DOSERRORS +#include <os2.h> + +#if OS2 >= 2 +# define FFBUF FILEFINDBUF3 +# define Word ULONG + /* + * LS20 recommends a request count of 100, but according to the + * APAR text it does not lead to missing files, just to funny + * numbers of returned entries. + * + * LS30 HPFS386 requires a count greater than 2, or some files + * are missing (those starting with a character less that '.'). + * + * Novell looses entries which overflow the buffer. In previous + * versions of dirent2, this could have lead to missing files + * when the average length of 100 directory entries was 40 bytes + * or more (quite unlikely for files on a Novell server). + * + * Conclusion: Make sure that the entries all fit into the buffer + * and that the buffer is large enough for more than 2 entries + * (each entry is at most 300 bytes long). And ignore the LS20 + * effect. + */ +# define Count 25 +# define BufSz (25 * (sizeof(FILEFINDBUF3)+1)) +#else +# define FFBUF FILEFINDBUF +# define Word USHORT +# define BufSz 1024 +# define Count 3 +#endif + +#if defined(__IBMC__) || defined(__IBMCPP__) + #define error(rc) _doserrno = rc, errno = EOS2ERR +#elif defined(MICROSOFT) + #define error(rc) _doserrno = rc, errno = 255 +#else + #define error(rc) errno = 255 +#endif + +struct _dirdescr { + HDIR handle; /* DosFindFirst handle */ + char fstype; /* filesystem type */ + Word count; /* valid entries in <ffbuf> */ + long number; /* absolute number of next entry */ + int index; /* relative number of next entry */ + FFBUF * next; /* pointer to next entry */ + char name[MAXPATHLEN+3]; /* directory name */ + unsigned attrmask; /* attribute mask for seekdir */ + struct dirent entry; /* buffer for directory entry */ + BYTE ffbuf[BufSz]; +}; + +/* + * Return first char of filesystem type, or 0 if unknown. + */ +static char +getFSType(const char *path) +{ + static char cache[1+26]; + char drive[3], info[512]; + Word unit, infolen; + char r; + + if (isalpha(path[0]) && path[1] == ':') { + unit = toupper(path[0]) - '@'; + path += 2; + } else { + ULONG driveMap; +#if OS2 >= 2 + if (DosQueryCurrentDisk(&unit, &driveMap)) +#else + if (DosQCurDisk(&unit, &driveMap)) +#endif + return 0; + } + + if ((path[0] == '\\' || path[0] == '/') + && (path[1] == '\\' || path[1] == '/')) + return 0; + + if (cache [unit]) + return cache [unit]; + + drive[0] = '@' + unit; + drive[1] = ':'; + drive[2] = '\0'; + infolen = sizeof info; +#if OS2 >= 2 + if (DosQueryFSAttach(drive, 0, FSAIL_QUERYNAME, (PVOID)info, &infolen)) + return 0; + if (infolen >= sizeof(FSQBUFFER2)) { + FSQBUFFER2 *p = (FSQBUFFER2 *)info; + r = p->szFSDName[p->cbName]; + } else +#else + if (DosQFSAttach((PSZ)drive, 0, FSAIL_QUERYNAME, (PVOID)info, &infolen, 0)) + return 0; + if (infolen >= 9) { + char *p = info + sizeof(USHORT); + p += sizeof(USHORT) + *(USHORT *)p + 1 + sizeof(USHORT); + r = *p; + } else +#endif + r = 0; + return cache [unit] = r; +} + +char * +abs_path(const char *name, char *buffer, int len) +{ + char buf[4]; + if (isalpha(name[0]) && name[1] == ':' && name[2] == '\0') { + buf[0] = name[0]; + buf[1] = name[1]; + buf[2] = '.'; + buf[3] = '\0'; + name = buf; + } +#if OS2 >= 2 + if (DosQueryPathInfo((PSZ)name, FIL_QUERYFULLNAME, buffer, len)) +#else + if (DosQPathInfo((PSZ)name, FIL_QUERYFULLNAME, (PBYTE)buffer, len, 0L)) +#endif + return NULL; + return buffer; +} + +DIR * +openxdir(const char *path, unsigned att_mask) +{ + DIR *dir; + char name[MAXPATHLEN+3]; + Word rc; + + dir = malloc(sizeof(DIR)); + if (dir == NULL) { + errno = ENOMEM; + return NULL; + } + + strncpy(name, path, MAXPATHLEN); + name[MAXPATHLEN] = '\0'; + switch (name[strlen(name)-1]) { + default: + strcat(name, "\\"); + case '\\': + case '/': + case ':': + ; + } + strcat(name, "."); + if (!abs_path(name, dir->name, MAXPATHLEN+1)) + strcpy(dir->name, name); + if (dir->name[strlen(dir->name)-1] == '\\') + strcat(dir->name, "*"); + else + strcat(dir->name, "\\*"); + + dir->fstype = getFSType(dir->name); + dir->attrmask = att_mask | A_DIR; + + dir->handle = HDIR_CREATE; + dir->count = 100; +#if OS2 >= 2 + rc = DosFindFirst(dir->name, &dir->handle, dir->attrmask, + dir->ffbuf, sizeof dir->ffbuf, &dir->count, FIL_STANDARD); +#else + rc = DosFindFirst((PSZ)dir->name, &dir->handle, dir->attrmask, + (PFILEFINDBUF)dir->ffbuf, sizeof dir->ffbuf, &dir->count, 0); +#endif + switch (rc) { + default: + free(dir); + error(rc); + return NULL; + case NO_ERROR: + case ERROR_NO_MORE_FILES: + ; + } + + dir->number = 0; + dir->index = 0; + dir->next = (FFBUF *)dir->ffbuf; + + return (DIR *)dir; +} + +DIR * +opendir(const char *pathname) +{ + return openxdir(pathname, 0); +} + +struct dirent * +readdir(DIR *dir) +{ + static int dummy_ino = 2; + + if (dir->index == dir->count) { + Word rc; + dir->count = 100; +#if OS2 >= 2 + rc = DosFindNext(dir->handle, dir->ffbuf, + sizeof dir->ffbuf, &dir->count); +#else + rc = DosFindNext(dir->handle, (PFILEFINDBUF)dir->ffbuf, + sizeof dir->ffbuf, &dir->count); +#endif + if (rc) { + error(rc); + return NULL; + } + + dir->index = 0; + dir->next = (FFBUF *)dir->ffbuf; + } + + if (dir->index == dir->count) + return NULL; + + memcpy(dir->entry.d_name, dir->next->achName, dir->next->cchName); + dir->entry.d_name[dir->next->cchName] = '\0'; + dir->entry.d_ino = dummy_ino++; + dir->entry.d_reclen = dir->next->cchName; + dir->entry.d_namlen = dir->next->cchName; + dir->entry.d_size = dir->next->cbFile; + dir->entry.d_attribute = dir->next->attrFile; + dir->entry.d_time = *(USHORT *)&dir->next->ftimeLastWrite; + dir->entry.d_date = *(USHORT *)&dir->next->fdateLastWrite; + + switch (dir->fstype) { + case 'F': /* FAT */ + case 'C': /* CDFS */ + if (dir->next->attrFile & FILE_DIRECTORY) + strupr(dir->entry.d_name); + else + strlwr(dir->entry.d_name); + } + +#if OS2 >= 2 + dir->next = (FFBUF *)((BYTE *)dir->next + dir->next->oNextEntryOffset); +#else + dir->next = (FFBUF *)((BYTE *)dir->next->achName + dir->next->cchName + 1); +#endif + ++dir->number; + ++dir->index; + + return &dir->entry; +} + +long +telldir(DIR *dir) +{ + return dir->number; +} + +void +seekdir(DIR *dir, long off) +{ + if (dir->number > off) { + char name[MAXPATHLEN+2]; + Word rc; + + DosFindClose(dir->handle); + + strcpy(name, dir->name); + strcat(name, "*"); + + dir->handle = HDIR_CREATE; + dir->count = 32767; +#if OS2 >= 2 + rc = DosFindFirst(name, &dir->handle, dir->attrmask, + dir->ffbuf, sizeof dir->ffbuf, &dir->count, FIL_STANDARD); +#else + rc = DosFindFirst((PSZ)name, &dir->handle, dir->attrmask, + (PFILEFINDBUF)dir->ffbuf, sizeof dir->ffbuf, &dir->count, 0); +#endif + switch (rc) { + default: + error(rc); + return; + case NO_ERROR: + case ERROR_NO_MORE_FILES: + ; + } + + dir->number = 0; + dir->index = 0; + dir->next = (FFBUF *)dir->ffbuf; + } + + while (dir->number < off && readdir(dir)) + ; +} + +void +closedir(DIR *dir) +{ + DosFindClose(dir->handle); + free(dir); +} + +/*****************************************************************************/ + +#ifdef TEST + +main(int argc, char **argv) +{ + int i; + DIR *dir; + struct dirent *ep; + + for (i = 1; i < argc; ++i) { + dir = opendir(argv[i]); + if (!dir) + continue; + while (ep = readdir(dir)) + if (strchr("\\/:", argv[i] [strlen(argv[i]) - 1])) + printf("%s%s\n", argv[i], ep->d_name); + else + printf("%s/%s\n", argv[i], ep->d_name); + closedir(dir); + } + + return 0; +} + +#endif + +#endif /* OS2 */ + diff --git a/security/dbm/src/dirent.h b/security/dbm/src/dirent.h new file mode 100644 index 000000000..07a6c0ac8 --- /dev/null +++ b/security/dbm/src/dirent.h @@ -0,0 +1,97 @@ +#ifndef __DIRENT_H__ +#define __DIRENT_H__ +/* + * @(#)msd_dir.h 1.4 87/11/06 Public Domain. + * + * A public domain implementation of BSD directory routines for + * MS-DOS. Written by Michael Rendell ({uunet,utai}michael@garfield), + * August 1897 + * + * Extended by Peter Lim (lim@mullian.oz) to overcome some MS DOS quirks + * and returns 2 more pieces of information - file size & attribute. + * Plus a little reshuffling of some #define's positions December 1987 + * + * Some modifications by Martin Junius 02-14-89 + * + * AK900712 + * AK910410 abs_path - make absolute path + * + */ + +#ifdef __EMX__ +#include <sys/param.h> +#else +#if defined(__IBMC__) || defined(__IBMCPP__) || defined(XP_W32_MSVC) +#include <stdio.h> +#ifdef MAXPATHLEN + #undef MAXPATHLEN +#endif +#define MAXPATHLEN (FILENAME_MAX*4) +#define MAXNAMLEN FILENAME_MAX + +#else +#include <param.h> +#endif +#endif + +#ifdef __cplusplus +extern "C" { +#endif + +/* attribute stuff */ +#ifndef A_RONLY +# define A_RONLY 0x01 +# define A_HIDDEN 0x02 +# define A_SYSTEM 0x04 +# define A_LABEL 0x08 +# define A_DIR 0x10 +# define A_ARCHIVE 0x20 +#endif + +struct dirent { +#if defined(OS2) || defined(WIN32) /* use the layout of EMX to avoid trouble */ + int d_ino; /* Dummy */ + int d_reclen; /* Dummy, same as d_namlen */ + int d_namlen; /* length of name */ + char d_name[MAXNAMLEN + 1]; + unsigned long d_size; + unsigned short d_attribute; /* attributes (see above) */ + unsigned short d_time; /* modification time */ + unsigned short d_date; /* modification date */ +#else + char d_name[MAXNAMLEN + 1]; /* garentee null termination */ + char d_attribute; /* .. extension .. */ + unsigned long d_size; /* .. extension .. */ +#endif +}; + +typedef struct _dirdescr DIR; +/* the structs do not have to be defined here */ + +extern DIR *opendir(const char *); +extern DIR *openxdir(const char *, unsigned); +extern struct dirent *readdir(DIR *); +extern void seekdir(DIR *, long); +extern long telldir(DIR *); +extern void closedir(DIR *); +#define rewinddir(dirp) seekdir(dirp, 0L) + +extern char * abs_path(const char *name, char *buffer, int len); + +#ifndef S_IFMT +#define S_IFMT ( S_IFDIR | S_IFREG ) +#endif + +#ifndef S_ISDIR +#define S_ISDIR( m ) (((m) & S_IFMT) == S_IFDIR) +#endif + +#ifndef S_ISREG +#define S_ISREG( m ) (((m) & S_IFMT) == S_IFREG) +#endif + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/security/dbm/src/manifest.mn b/security/dbm/src/manifest.mn new file mode 100644 index 000000000..80f2abfd0 --- /dev/null +++ b/security/dbm/src/manifest.mn @@ -0,0 +1,61 @@ +#! gmake +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is Netscape +# Communications Corporation. Portions created by Netscape are +# Copyright (C) 1994-2000 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the +# terms of the GNU General Public License Version 2 or later (the +# "GPL"), in which case the provisions of the GPL are applicable +# instead of those above. If you wish to allow use of your +# version of this file only under the terms of the GPL and not to +# allow others to use your version of this file under the MPL, +# indicate your decision by deleting the provisions above and +# replace them with the notice and other provisions required by +# the GPL. If you do not delete the provisions above, a recipient +# may use your version of this file under either the MPL or the +# GPL. +# + +CORE_DEPTH = ../.. + +VPATH = $(CORE_DEPTH)/../dbm/src + +MODULE = dbm + +# +# memmove.c, snprintf.c, and strerror.c are not in CSRCS because +# the Standard C Library has memmove and strerror and DBM is not +# using snprintf. +# + +CSRCS = db.c \ + h_bigkey.c \ + h_func.c \ + h_log2.c \ + h_page.c \ + hash.c \ + hash_buf.c \ + hsearch.c \ + mktemp.c \ + ndbm.c \ + nsres.c \ + dirent.c \ + $(NULL) + +LIBRARY_NAME = dbm diff --git a/security/dbm/tests/Makefile b/security/dbm/tests/Makefile new file mode 100644 index 000000000..fe132e19c --- /dev/null +++ b/security/dbm/tests/Makefile @@ -0,0 +1,69 @@ +#! gmake +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is Netscape +# Communications Corporation. Portions created by Netscape are +# Copyright (C) 1994-2000 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the +# terms of the GNU General Public License Version 2 or later (the +# "GPL"), in which case the provisions of the GPL are applicable +# instead of those above. If you wish to allow use of your +# version of this file only under the terms of the GPL and not to +# allow others to use your version of this file under the MPL, +# indicate your decision by deleting the provisions above and +# replace them with the notice and other provisions required by +# the GPL. If you do not delete the provisions above, a recipient +# may use your version of this file under either the MPL or the +# GPL. +# +DEPTH = ../.. +CORE_DEPTH = ../.. + +VPATH = $(CORE_DEPTH)/../dbm/tests + +MODULE = dbm + +CSRCS = lots.c + +PROGRAM = lots + +include $(DEPTH)/coreconf/config.mk + +include $(DEPTH)/dbm/config/config.mk + +ifeq (,$(filter-out WIN%,$(OS_TARGET))) +LIBDBM = ../src/$(PLATFORM)/dbm$(STATIC_LIB_SUFFIX) +else +LIBDBM = ../src/$(PLATFORM)/libdbm$(STATIC_LIB_SUFFIX) +endif + +INCLUDES += -I$(CORE_DEPTH)/../dbm/include + +LDFLAGS = $(LDOPTS) $(LIBDBM) + +include $(DEPTH)/coreconf/rules.mk + +lots.pure: lots + purify $(CC) -o lots.pure $(CFLAGS) $(OBJS) $(MYLIBS) + +crash: crash.o $(MYLIBS) + $(CC) -o crash $(CFLAGS) $^ + +crash.pure: crash.o $(MYLIBS) + purify $(CC) -o crash.pure $(CFLAGS) $^ + diff --git a/security/nss/cmd/SSLsample/server.c b/security/nss/cmd/SSLsample/server.c index ced32d287..5965d4723 100644 --- a/security/nss/cmd/SSLsample/server.c +++ b/security/nss/cmd/SSLsample/server.c @@ -102,14 +102,11 @@ Usage(const char *progName) "E SSL2 DES 64 CBC WITH MD5\n" "F SSL2 DES 192 EDE3 CBC WITH MD5\n" "\n" -"a SSL3 FORTEZZA DMS WITH FORTEZZA CBC SHA\n" -"b SSL3 FORTEZZA DMS WITH RC4 128 SHA\n" "c SSL3 RSA WITH RC4 128 MD5\n" "d SSL3 RSA WITH 3DES EDE CBC SHA\n" "e SSL3 RSA WITH DES CBC SHA\n" "f SSL3 RSA EXPORT WITH RC4 40 MD5\n" "g SSL3 RSA EXPORT WITH RC2 CBC 40 MD5\n" -"h SSL3 FORTEZZA DMS WITH NULL SHA\n" "i SSL3 RSA WITH NULL MD5\n" "j SSL3 RSA FIPS WITH 3DES EDE CBC SHA\n" "k SSL3 RSA FIPS WITH DES CBC SHA\n" diff --git a/security/nss/cmd/SSLsample/sslsample.c b/security/nss/cmd/SSLsample/sslsample.c index 85f5d523b..422d453de 100644 --- a/security/nss/cmd/SSLsample/sslsample.c +++ b/security/nss/cmd/SSLsample/sslsample.c @@ -50,14 +50,14 @@ int ssl2CipherSuites[] = { }; int ssl3CipherSuites[] = { - SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* a */ - SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, /* b */ + -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA a */ + -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA * b */ SSL_RSA_WITH_RC4_128_MD5, /* c */ SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ SSL_RSA_WITH_DES_CBC_SHA, /* e */ SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ - SSL_FORTEZZA_DMS_WITH_NULL_SHA, /* h */ + -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA, * h */ SSL_RSA_WITH_NULL_MD5, /* i */ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ diff --git a/security/nss/cmd/manifest.mn b/security/nss/cmd/manifest.mn index de58f84c1..7066fa03e 100644 --- a/security/nss/cmd/manifest.mn +++ b/security/nss/cmd/manifest.mn @@ -72,7 +72,6 @@ DIRS = lib \ SSLsample \ ssltap \ strsclnt \ - swfort \ symkeyutil \ tstclnt \ vfychain \ @@ -81,6 +80,7 @@ DIRS = lib \ $(NULL) TEMPORARILY_DONT_BUILD = \ + sha1test \ $(NULL) # rsaperf \ @@ -92,5 +92,6 @@ TEMPORARILY_DONT_BUILD = \ # to build (requires allxpstr.h) # DONT_BULD = jar \ + swfort \ perror \ $(NULL) diff --git a/security/nss/cmd/modutil/modutil.c b/security/nss/cmd/modutil/modutil.c index 77c91a31e..d277fea05 100644 --- a/security/nss/cmd/modutil/modutil.c +++ b/security/nss/cmd/modutil/modutil.c @@ -749,11 +749,10 @@ usage() "---------------------------------------------------------------------------\n" "\n" "Mechanism lists are colon-separated. The following mechanisms are recognized:\n" -"RSA, DSA, RC2, RC4, RC5, DES, DH, FORTEZZA, SHA1, MD5, MD2, SSL, TLS, RANDOM,\n" -" FRIENDLY\n" +"RSA, DSA, RC2, RC4, RC5, DES, DH, SHA1, MD5, MD2, SSL, TLS, RANDOM, FRIENDLY\n" "\n" "Cipher lists are colon-separated. The following ciphers are recognized:\n" -"FORTEZZA\n" +"\n" "\nQuestions or bug reports should be sent to modutil-support@netscape.com.\n" ); diff --git a/security/nss/cmd/platlibs.mk b/security/nss/cmd/platlibs.mk index 92269a250..b586c787e 100644 --- a/security/nss/cmd/platlibs.mk +++ b/security/nss/cmd/platlibs.mk @@ -66,7 +66,6 @@ EXTRA_LIBS += \ $(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX) \ $(CRYPTOLIB) \ - $(DIST)/lib/$(LIB_PREFIX)swfci.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \ @@ -116,7 +115,6 @@ EXTRA_LIBS += \ $(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \ - $(DIST)/lib/$(LIB_PREFIX)swfci.$(LIB_SUFFIX) \ $(CRYPTOLIB) \ $(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \ diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c index d5469ebc1..c936e71c8 100644 --- a/security/nss/cmd/selfserv/selfserv.c +++ b/security/nss/cmd/selfserv/selfserv.c @@ -133,14 +133,14 @@ const int ssl2CipherSuites[] = { }; const int ssl3CipherSuites[] = { - SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* a */ - SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, /* b */ + -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */ + -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA * b */ SSL_RSA_WITH_RC4_128_MD5, /* c */ SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ SSL_RSA_WITH_DES_CBC_SHA, /* e */ SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ - SSL_FORTEZZA_DMS_WITH_NULL_SHA, /* h */ + -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA, * h */ SSL_RSA_WITH_NULL_MD5, /* i */ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ @@ -253,14 +253,11 @@ Usage(const char *progName) "T TLS ECDHE RSA WITH AES 128 CBC SHA\n" #endif /* NSS_ENABLE_ECC */ "\n" -"a SSL3 FORTEZZA DMS WITH FORTEZZA CBC SHA\n" -"b SSL3 FORTEZZA DMS WITH RC4 128 SHA\n" "c SSL3 RSA WITH RC4 128 MD5\n" "d SSL3 RSA WITH 3DES EDE CBC SHA\n" "e SSL3 RSA WITH DES CBC SHA\n" "f SSL3 RSA EXPORT WITH RC4 40 MD5\n" "g SSL3 RSA EXPORT WITH RC2 CBC 40 MD5\n" -"h SSL3 FORTEZZA DMS WITH NULL SHA\n" "i SSL3 RSA WITH NULL MD5\n" "j SSL3 RSA FIPS WITH 3DES EDE CBC SHA\n" "k SSL3 RSA FIPS WITH DES CBC SHA\n" @@ -1895,7 +1892,7 @@ main(int argc, char **argv) cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites; for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) /* do nothing */; - if (cipher) { + if (cipher > 0) { SECStatus status; status = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED); if (status != SECSuccess) diff --git a/security/nss/cmd/sslstrength/sslstrength.c b/security/nss/cmd/sslstrength/sslstrength.c index ee4c0a692..34ac5c0df 100644 --- a/security/nss/cmd/sslstrength/sslstrength.c +++ b/security/nss/cmd/sslstrength/sslstrength.c @@ -91,18 +91,11 @@ struct CipherPolicy ciphers[] = { { 'd',SSL_EN_DES_64_CBC_WITH_MD5, "SSL_EN_DES_64_CBC_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, { 'e',SSL_EN_RC4_128_EXPORT40_WITH_MD5, "SSL_EN_RC4_128_EXPORT40_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_ALLOWED }, { 'f',SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, "SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_ALLOWED }, -#ifdef FORTEZZA - { 'g',SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, "SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA",1,SSL_ALLOWED,SSL_NOT_ALLOWED }, - { 'h',SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, "SSL_FORTEZZA_DMS_WITH_RC4_128_SHA",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, -#endif { 'i',SSL_RSA_WITH_RC4_128_MD5, "SSL_RSA_WITH_RC4_128_MD5 (ssl3)",1, SSL_ALLOWED,SSL_RESTRICTED }, { 'j',SSL_RSA_WITH_3DES_EDE_CBC_SHA, "SSL_RSA_WITH_3DES_EDE_CBC_SHA (ssl3)",1, SSL_ALLOWED,SSL_RESTRICTED }, { 'k',SSL_RSA_WITH_DES_CBC_SHA, "SSL_RSA_WITH_DES_CBC_SHA (ssl3)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, { 'l',SSL_RSA_EXPORT_WITH_RC4_40_MD5, "SSL_RSA_EXPORT_WITH_RC4_40_MD5 (ssl3)",1, SSL_ALLOWED,SSL_ALLOWED }, { 'm',SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (ssl3)",1, SSL_ALLOWED,SSL_ALLOWED }, -#ifdef FORTEZZA - { 'n',SSL_FORTEZZA_DMS_WITH_NULL_SHA, "SSL_FORTEZZA_DMS_WITH_NULL_SHA",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, -#endif { 'o',SSL_RSA_WITH_NULL_MD5, "SSL_RSA_WITH_NULL_MD5 (ssl3)",1, SSL_ALLOWED,SSL_ALLOWED }, { 'p',SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (ssl3)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, { 'q',SSL_RSA_FIPS_WITH_DES_CBC_SHA, "SSL_RSA_FIPS_WITH_DES_CBC_SHA (ssl3)",1, SSL_ALLOWED,SSL_NOT_ALLOWED } diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c index 2e1a930dd..e6111b4ad 100644 --- a/security/nss/cmd/strsclnt/strsclnt.c +++ b/security/nss/cmd/strsclnt/strsclnt.c @@ -111,14 +111,14 @@ int ssl2CipherSuites[] = { }; int ssl3CipherSuites[] = { - SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* a */ - SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, /* b */ + -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */ + -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA * b */ SSL_RSA_WITH_RC4_128_MD5, /* c */ SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ SSL_RSA_WITH_DES_CBC_SHA, /* e */ SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ - SSL_FORTEZZA_DMS_WITH_NULL_SHA, /* h */ + -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA * h */ SSL_RSA_WITH_NULL_MD5, /* i */ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ @@ -1053,7 +1053,7 @@ client_main( cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites; for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) /* do nothing */; - if (cipher) { + if (cipher > 0) { SECStatus rv; rv = SSL_CipherPrefSetDefault(cipher, PR_TRUE); if (rv != SECSuccess) { diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c index fb658604d..b0980a6d0 100644 --- a/security/nss/cmd/tstclnt/tstclnt.c +++ b/security/nss/cmd/tstclnt/tstclnt.c @@ -108,14 +108,14 @@ int ssl2CipherSuites[] = { }; int ssl3CipherSuites[] = { - SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* a */ - SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, /* b */ + -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */ + -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, * b */ SSL_RSA_WITH_RC4_128_MD5, /* c */ SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ SSL_RSA_WITH_DES_CBC_SHA, /* e */ SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ - SSL_FORTEZZA_DMS_WITH_NULL_SHA, /* h */ + -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA, * h */ SSL_RSA_WITH_NULL_MD5, /* i */ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ @@ -257,14 +257,11 @@ static void Usage(const char *progName) "T TLS ECDHE RSA WITH AES 128 CBC SHA\n" #endif /* NSS_ENABLE_ECC */ "\n" -"a SSL3 FORTEZZA DMS WITH FORTEZZA CBC SHA\n" -"b SSL3 FORTEZZA DMS WITH RC4 128 SHA\n" "c SSL3 RSA WITH RC4 128 MD5\n" "d SSL3 RSA WITH 3DES EDE CBC SHA\n" "e SSL3 RSA WITH DES CBC SHA\n" "f SSL3 RSA EXPORT WITH RC4 40 MD5\n" "g SSL3 RSA EXPORT WITH RC2 CBC 40 MD5\n" -"h SSL3 FORTEZZA DMS WITH NULL SHA\n" "i SSL3 RSA WITH NULL MD5\n" "j SSL3 RSA FIPS WITH 3DES EDE CBC SHA\n" "k SSL3 RSA FIPS WITH DES CBC SHA\n" @@ -670,7 +667,7 @@ int main(int argc, char **argv) cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites; for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) /* do nothing */; - if (cipher) { + if (cipher > 0) { SECStatus status; status = SSL_CipherPrefSet(s, cipher, SSL_ALLOWED); if (status != SECSuccess) diff --git a/security/nss/cmd/vfyserv/vfyserv.c b/security/nss/cmd/vfyserv/vfyserv.c index f1fd23825..4c31e4c70 100644 --- a/security/nss/cmd/vfyserv/vfyserv.c +++ b/security/nss/cmd/vfyserv/vfyserv.c @@ -444,7 +444,7 @@ main(int argc, char **argv) cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites; for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) /* do nothing */; - if (cipher) { + if (cipher > 0) { SSL_CipherPrefSetDefault(cipher, PR_TRUE); } } diff --git a/security/nss/cmd/vfyserv/vfyutil.c b/security/nss/cmd/vfyserv/vfyutil.c index b1d282f64..4741a22ad 100644 --- a/security/nss/cmd/vfyserv/vfyutil.c +++ b/security/nss/cmd/vfyserv/vfyutil.c @@ -53,14 +53,14 @@ int ssl2CipherSuites[] = { }; int ssl3CipherSuites[] = { - SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* a */ - SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, /* b */ + -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */ + -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, * b */ SSL_RSA_WITH_RC4_128_MD5, /* c */ SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ SSL_RSA_WITH_DES_CBC_SHA, /* e */ SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ - SSL_FORTEZZA_DMS_WITH_NULL_SHA, /* h */ + -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA, * h */ SSL_RSA_WITH_NULL_MD5, /* i */ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ diff --git a/security/nss/lib/manifest.mn b/security/nss/lib/manifest.mn index 108f188f0..268ff0496 100644 --- a/security/nss/lib/manifest.mn +++ b/security/nss/lib/manifest.mn @@ -47,7 +47,6 @@ DEPTH = ../.. # smime # ckfw (builtins module) # crmf jar (not dll's) -# fortcrypt DIRS = util freebl softoken \ base asn1 dev pki pki1 \ certdb certhigh pk11wrap cryptohi nss \ @@ -55,9 +54,10 @@ DIRS = util freebl softoken \ pkcs12 pkcs7 smime \ crmf jar \ ckfw \ - fortcrypt \ $(NULL) +# fortcrypt is no longer built + # NSS 4.0 build - pure stan libraries ifdef PURE_STAN_BUILD DIRS = base asn1 dev pki pki1 diff --git a/security/nss/lib/ssl/nsskea.c b/security/nss/lib/ssl/nsskea.c index b61ac71e4..beafc506e 100644 --- a/security/nss/lib/ssl/nsskea.c +++ b/security/nss/lib/ssl/nsskea.c @@ -58,12 +58,6 @@ NSS_FindCertKEAType(CERTCertificate * cert) case SEC_OID_PKCS1_RSA_ENCRYPTION: keaType = kt_rsa; break; - case SEC_OID_MISSI_KEA_DSS_OLD: - case SEC_OID_MISSI_KEA_DSS: - case SEC_OID_MISSI_DSS_OLD: - case SEC_OID_MISSI_DSS: - keaType = kt_fortezza; - break; case SEC_OID_X942_DIFFIE_HELMAN_KEY: keaType = kt_dh; break; diff --git a/security/nss/lib/ssl/preenc.h b/security/nss/lib/ssl/preenc.h index 9b6d3104a..f7c9093cb 100644 --- a/security/nss/lib/ssl/preenc.h +++ b/security/nss/lib/ssl/preenc.h @@ -1,8 +1,7 @@ /* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil -*- */ /* - * Functions and types used by https servers to send (download) pre-encrypted - * files over SSL connections that use Fortezza ciphersuites. + * Fortezza support is removed. * * ***** BEGIN LICENSE BLOCK ***** * Version: MPL 1.1/GPL 2.0/LGPL 2.1 @@ -41,6 +40,11 @@ * ***** END LICENSE BLOCK ***** */ /* $Id$ */ +/* Fortezza support is removed. + * This file remains so that old programs will continue to compile, + * But this functionality is no longer supported or implemented. + */ + #include "seccomon.h" #include "prio.h" @@ -48,53 +52,44 @@ typedef struct PEHeaderStr PEHeader; #define PE_MIME_TYPE "application/pre-encrypted" - -/* - * unencrypted header. The 'top' half of this header is generic. The union - * is type specific, and may include bulk cipher type information - * (Fortezza supports only Fortezza Bulk encryption). Only fortezza - * pre-encrypted is defined. - */ typedef struct PEFortezzaHeaderStr PEFortezzaHeader; typedef struct PEFortezzaGeneratedHeaderStr PEFortezzaGeneratedHeader; typedef struct PEFixedKeyHeaderStr PEFixedKeyHeader; typedef struct PERSAKeyHeaderStr PERSAKeyHeader; struct PEFortezzaHeaderStr { - unsigned char key[12]; /* Ks wrapped MEK */ - unsigned char iv[24]; /* iv for this MEK */ - unsigned char hash[20]; /* SHA hash of file */ - unsigned char serial[8]; /* serial number of the card that owns - * Ks */ + unsigned char key[12]; + unsigned char iv[24]; + unsigned char hash[20]; + unsigned char serial[8]; }; struct PEFortezzaGeneratedHeaderStr { - unsigned char key[12]; /* TEK wrapped MEK */ - unsigned char iv[24]; /* iv for this MEK */ - unsigned char hash[20]; /* SHA hash of file */ - unsigned char Ra[128]; /* RA to generate TEK */ - unsigned char Y[128]; /* Y to generate TEK */ + unsigned char key[12]; + unsigned char iv[24]; + unsigned char hash[20]; + unsigned char Ra[128]; + unsigned char Y[128]; }; struct PEFixedKeyHeaderStr { - unsigned char pkcs11Mech[4]; /* Symetric key operation */ - unsigned char labelLen[2]; /* length of the token label */ - unsigned char keyIDLen[2]; /* length of the token Key ID */ - unsigned char ivLen[2]; /* length of IV */ - unsigned char keyLen[2]; /* length of key (DES3_ECB encrypted) */ - unsigned char data[1]; /* start of data */ + unsigned char pkcs11Mech[4]; + unsigned char labelLen[2]; + unsigned char keyIDLen[2]; + unsigned char ivLen[2]; + unsigned char keyLen[2]; + unsigned char data[1]; }; struct PERSAKeyHeaderStr { - unsigned char pkcs11Mech[4]; /* Symetric key operation */ - unsigned char issuerLen[2]; /* length of cert issuer */ - unsigned char serialLen[2]; /* length of the cert serial */ - unsigned char ivLen[2]; /* length of IV */ - unsigned char keyLen[2]; /* length of key (RSA encrypted) */ - unsigned char data[1]; /* start of data */ + unsigned char pkcs11Mech[4]; + unsigned char issuerLen[2]; + unsigned char serialLen[2]; + unsigned char ivLen[2]; + unsigned char keyLen[2]; + unsigned char data[1]; }; -/* macros to get at the variable length data fields */ #define PEFIXED_Label(header) (header->data) #define PEFIXED_KeyID(header) (&header->data[GetInt2(header->labelLen)]) #define PEFIXED_IV(header) (&header->data[GetInt2(header->labelLen)\ @@ -108,10 +103,10 @@ struct PERSAKeyHeaderStr { #define PERSA_Key(header) (&header->data[GetInt2(header->issuerLen)\ +GetInt2(header->serialLen)+GetInt2(header->keyLen)]) struct PEHeaderStr { - unsigned char magic [2]; /* always 0xC0DE */ - unsigned char len [2]; /* length of PEHeader */ - unsigned char type [2]; /* FORTEZZA, DIFFIE-HELMAN, RSA */ - unsigned char version[2]; /* version number: 1.0 */ + unsigned char magic [2]; + unsigned char len [2]; + unsigned char type [2]; + unsigned char version[2]; union { PEFortezzaHeader fortezza; PEFortezzaGeneratedHeader g_fortezza; @@ -124,12 +119,9 @@ struct PEHeaderStr { #define PE_INTRO_LEN 4 #define PE_BASE_HEADER_LEN 8 -#define PRE_BLOCK_SIZE 8 /* for decryption blocks */ +#define PRE_BLOCK_SIZE 8 -/* - * Platform neutral encode/decode macros. - */ #define GetInt2(c) ((c[0] << 8) | c[1]) #define GetInt4(c) (((unsigned long)c[0] << 24)|((unsigned long)c[1] << 16)\ |((unsigned long)c[2] << 8)| ((unsigned long)c[3])) @@ -137,28 +129,18 @@ struct PEHeaderStr { #define PutInt4(c,i) ((c[0]=((i) >> 24) & 0xff),(c[1]=((i) >> 16) & 0xff),\ (c[2] = ((i) >> 8) & 0xff), (c[3] = (i) & 0xff)) -/* - * magic numbers. - */ #define PRE_MAGIC 0xc0de #define PRE_VERSION 0x1010 -#define PRE_FORTEZZA_FILE 0x00ff /* pre-encrypted file on disk */ -#define PRE_FORTEZZA_STREAM 0x00f5 /* pre-encrypted file in stream */ -#define PRE_FORTEZZA_GEN_STREAM 0x00f6 /* Generated pre-encrypted file */ -#define PRE_FIXED_FILE 0x000f /* fixed key on disk */ -#define PRE_RSA_FILE 0x001f /* RSA in file */ -#define PRE_FIXED_STREAM 0x0005 /* fixed key in stream */ - -/* - * internal implementation info - */ - +#define PRE_FORTEZZA_FILE 0x00ff +#define PRE_FORTEZZA_STREAM 0x00f5 +#define PRE_FORTEZZA_GEN_STREAM 0x00f6 +#define PRE_FIXED_FILE 0x000f +#define PRE_RSA_FILE 0x001f +#define PRE_FIXED_STREAM 0x0005 -/* convert an existing stream header to a version with local parameters */ PEHeader *SSL_PreencryptedStreamToFile(PRFileDesc *fd, PEHeader *, int *headerSize); -/* convert an existing file header to one suitable for streaming out */ PEHeader *SSL_PreencryptedFileToStream(PRFileDesc *fd, PEHeader *, int *headerSize); diff --git a/security/nss/lib/ssl/prelib.c b/security/nss/lib/ssl/prelib.c index b24399b98..c63483924 100644 --- a/security/nss/lib/ssl/prelib.c +++ b/security/nss/lib/ssl/prelib.c @@ -50,205 +50,18 @@ #include "preenc.h" #include "pk11func.h" -static unsigned char fromHex(char x) { - if ((x >= '0') && (x <= '9')) return x-'0'; - if ((x >= 'a') && (x <= 'f')) return x-'a'+10; - return x-'A'+10; -} - PEHeader *SSL_PreencryptedStreamToFile(PRFileDesc *fd, PEHeader *inHeader, - int *headerSize) + int *headerSize) { - PK11SymKey *key, *tek, *Ks; - sslSocket *ss; - PK11SlotInfo *slot; - CK_TOKEN_INFO info; - int oldHeaderSize; - PEHeader *header; - SECStatus rv; - SECItem item; - int i; - - if (fd == NULL) { - /* XXX set an error */ - return NULL; - } - - ss = ssl_FindSocket(fd); - if (ss == NULL) { - return NULL; - } - - PORT_Assert(ss->ssl3 != NULL); - if (ss->ssl3 == NULL) { - return NULL; - } - - if (GetInt2(inHeader->magic) != PRE_MAGIC) { - return NULL; - } - - oldHeaderSize = GetInt2(inHeader->len); - header = (PEHeader *) PORT_ZAlloc(oldHeaderSize); - if (header == NULL) { - return NULL; - } - - switch (GetInt2(inHeader->type)) { - case PRE_FORTEZZA_FILE: - case PRE_FORTEZZA_GEN_STREAM: - case PRE_FIXED_FILE: - case PRE_RSA_FILE: - default: - *headerSize = oldHeaderSize; - PORT_Memcpy(header,inHeader,oldHeaderSize); - return header; - - case PRE_FORTEZZA_STREAM: - *headerSize = PE_BASE_HEADER_LEN + sizeof(PEFortezzaHeader); - PutInt2(header->magic,PRE_MAGIC); - PutInt2(header->len,*headerSize); - PutInt2(header->type, PRE_FORTEZZA_FILE); - PORT_Memcpy(header->version,inHeader->version,sizeof(header->version)); - PORT_Memcpy(header->u.fortezza.hash,inHeader->u.fortezza.hash, - sizeof(header->u.fortezza.hash)); - PORT_Memcpy(header->u.fortezza.iv,inHeader->u.fortezza.iv, - sizeof(header->u.fortezza.iv)); - - /* get the kea context from the session */ - tek = ss->ssl3->fortezza.tek; - if (tek == NULL) { - PORT_Free(header); - return NULL; - } - - - /* get the slot and the serial number */ - slot = PK11_GetSlotFromKey(tek); - if (slot == NULL) { - PORT_Free(header); - return NULL; - } - rv = PK11_GetTokenInfo(slot,&info); - if (rv != SECSuccess) { - PORT_Free(header); - PK11_FreeSlot(slot); - return NULL; - } - - /* Look up the Token Fixed Key */ - Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_WRAP, NULL, ss->pkcs11PinArg); - PK11_FreeSlot(slot); - if (Ks == NULL) { - PORT_Free(header); - return NULL; - } - - /* unwrap the key with the TEK */ - item.data = inHeader->u.fortezza.key; - item.len = sizeof(inHeader->u.fortezza.key); - key = PK11_UnwrapSymKey(tek,CKM_SKIPJACK_WRAP, - NULL, &item, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0); - if (key == NULL) { - PORT_Free(header); - PK11_FreeSymKey(Ks); - return NULL; - } - - /* rewrap with the local Ks */ - item.data = header->u.fortezza.key; - item.len = sizeof(header->u.fortezza.key); - rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, Ks, key, &item); - PK11_FreeSymKey(Ks); - PK11_FreeSymKey(key); - if (rv != SECSuccess) { - PORT_Free(header); - return NULL; - } - - /* copy our local serial number into header */ - for (i=0; i < sizeof(header->u.fortezza.serial); i++) { - header->u.fortezza.serial[i] = - (fromHex(info.serialNumber[i*2]) << 4) | - fromHex(info.serialNumber[i*2 + 1]); - } - break; - case PRE_FIXED_STREAM: - /* not implemented yet */ - PORT_Free(header); - return NULL; - } - - return(header); + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); + return NULL; } -/* - * this one needs to allocate space and work for RSA & FIXED key files as well - */ PEHeader *SSL_PreencryptedFileToStream(PRFileDesc *fd, PEHeader *header, int *headerSize) { - PK11SymKey *key, *tek, *Ks; - sslSocket *ss; - PK11SlotInfo *slot; - SECStatus rv; - SECItem item; - - *headerSize = 0; /* hack */ - - if (fd == NULL) { - /* XXX set an error */ - return NULL; - } - - ss = ssl_FindSocket(fd); - if (ss == NULL) { - return NULL; - } - - PORT_Assert(ss->ssl3 != NULL); - if (ss->ssl3 == NULL) { - return NULL; - } - - /* get the kea context from the session */ - tek = ss->ssl3->fortezza.tek; - if (tek == NULL) { - return NULL; - } - - slot = PK11_GetSlotFromKey(tek); - if (slot == NULL) return NULL; - Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_WRAP, NULL, PK11_GetWindow(tek)); - PK11_FreeSlot(slot); - if (Ks == NULL) return NULL; - - - /* unwrap with the local Ks */ - item.data = header->u.fortezza.key; - item.len = sizeof(header->u.fortezza.key); - /* rewrap the key with the TEK */ - key = PK11_UnwrapSymKey(Ks,CKM_SKIPJACK_WRAP, - NULL, &item, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0); - if (key == NULL) { - PK11_FreeSymKey(Ks); - return NULL; - } - - rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, key, &item); - PK11_FreeSymKey(Ks); - PK11_FreeSymKey(key); - if (rv != SECSuccess) { - return NULL; - } - - /* copy over our local serial number */ - PORT_Memset(header->u.fortezza.serial,0,sizeof(header->u.fortezza.serial)); - - /* change type to stream */ - PutInt2(header->type, PRE_FORTEZZA_STREAM); - - return(header); + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); + return NULL; } diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h index f6ab20af7..e22c70504 100644 --- a/security/nss/lib/ssl/ssl.h +++ b/security/nss/lib/ssl/ssl.h @@ -190,7 +190,7 @@ SSL_IMPORT SECStatus SSL_SecurityStatus(PRFileDesc *fd, int *on, char **cipher, #define SSL_SECURITY_STATUS_OFF 0 #define SSL_SECURITY_STATUS_ON_HIGH 1 #define SSL_SECURITY_STATUS_ON_LOW 2 -#define SSL_SECURITY_STATUS_FORTEZZA 3 +#define SSL_SECURITY_STATUS_FORTEZZA 3 /* NO LONGER SUPPORTED */ /* ** Return the certificate for our SSL peer. If the client calls this diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index 1e7f7411a..669060bc2 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -109,7 +109,6 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { #endif /* NSS_ENABLE_ECC */ { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, #ifdef NSS_ENABLE_ECC { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, @@ -136,7 +135,6 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, - { SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, @@ -152,7 +150,6 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, - { SSL_FORTEZZA_DMS_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, #ifdef NSS_ENABLE_ECC { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, @@ -177,9 +174,6 @@ static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = { #endif /* NSS_ENABLE_ECC */ }; -static const /*SSL3ClientCertificateType */ uint8 fortezza_certificate_types [] = { - ct_Fortezza, -}; /* * make sure there is room in the write buffer for padding and @@ -217,13 +211,13 @@ static const ssl3BulkCipherDef bulk_cipher_defs[] = { {cipher_3des, calg_3des, 24, 24, type_block, 8, 8, kg_strong}, {cipher_des40, calg_des, 8, 5, type_block, 8, 8, kg_export}, {cipher_idea, calg_idea, 16, 16, type_block, 8, 8, kg_strong}, - {cipher_fortezza, calg_fortezza, 10, 10, type_block, 24, 8, kg_null}, {cipher_aes_128, calg_aes, 16, 16, type_block, 16,16, kg_strong}, {cipher_aes_256, calg_aes, 32, 32, type_block, 16,16, kg_strong}, {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, kg_null}, }; -static const ssl3KEADef kea_defs[] = { /* indexed by SSL3KeyExchangeAlgorithm */ +static const ssl3KEADef kea_defs[] = +{ /* indexed by SSL3KeyExchangeAlgorithm */ /* kea exchKeyType signKeyType is_limited limit tls_keygen */ {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE}, {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE}, @@ -239,7 +233,6 @@ static const ssl3KEADef kea_defs[] = { /* indexed by SSL3KeyExchangeAlgorithm */ {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE}, {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE}, {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE}, - {kea_fortezza, kt_fortezza, sign_dsa, PR_FALSE, 0, PR_FALSE}, {kea_rsa_fips, kt_rsa, sign_rsa, PR_FALSE, 0, PR_TRUE }, #ifdef NSS_ENABLE_ECC {kea_ecdh_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE}, @@ -250,7 +243,8 @@ static const ssl3KEADef kea_defs[] = { /* indexed by SSL3KeyExchangeAlgorithm */ }; /* must use ssl_LookupCipherSuiteDef to access */ -static const ssl3CipherSuiteDef cipher_suite_defs[] = { +static const ssl3CipherSuiteDef cipher_suite_defs[] = +{ /* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg */ {SSL_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null}, @@ -298,10 +292,6 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] = { {SSL_DH_ANON_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon}, #endif - {SSL_FORTEZZA_DMS_WITH_NULL_SHA, cipher_null, mac_sha, kea_fortezza}, - {SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, - cipher_fortezza, mac_sha, kea_fortezza}, - {SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_fortezza}, /* New TLS cipher suites */ {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa}, @@ -362,14 +352,16 @@ typedef struct SSLCipher2MechStr { CK_MECHANISM_TYPE cmech; } SSLCipher2Mech; +/* indexed by type SSLCipherAlgorithm */ static const SSLCipher2Mech alg2Mech[] = { + /* calg, cmech */ { calg_null , (CK_MECHANISM_TYPE)0x80000000L }, { calg_rc4 , CKM_RC4 }, { calg_rc2 , CKM_RC2_CBC }, { calg_des , CKM_DES_CBC }, { calg_3des , CKM_DES3_CBC }, { calg_idea , CKM_IDEA_CBC }, - { calg_fortezza , CKM_SKIPJACK_CBC64 }, + { calg_fortezza , CKM_SKIPJACK_CBC64 }, { calg_aes , CKM_AES_CBC }, /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ }; @@ -401,7 +393,6 @@ const char * const ssl3_cipherName[] = { "3DES-EDE-CBC", "DES-CBC-40", "IDEA-CBC", - "FORTEZZA", "AES-128", "AES-256", "missing" @@ -838,7 +829,6 @@ ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf, hashItem.len = sizeof(SSL3Hashes); break; case dsaKey: - case fortezzaKey: doDerEncode = isTLS; hashItem.data = hash->sha; hashItem.len = sizeof(hash->sha); @@ -911,7 +901,6 @@ ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert, hashItem.len = sizeof(SSL3Hashes); break; case dsaKey: - case fortezzaKey: hashItem.data = hash->sha; hashItem.len = sizeof(hash->sha); if (isTLS) { @@ -1212,30 +1201,6 @@ done: } #endif /* NSS_ENABLE_ECC */ -/* Caller must set hiLevel error code. */ -static SECStatus -ssl3_ComputeFortezzaPublicKeyHash(SECItem publicValue, unsigned char * hash) -{ - PK11Context *sha = NULL; - SECStatus rv = SECFailure; - unsigned int outLen; - - sha = PK11_CreateDigestContext(SEC_OID_SHA1); - if (sha == NULL) { - return rv; /* Caller must set hiLevel error code. */ - } - - rv = PK11_DigestBegin(sha); - rv |= PK11_DigestOp(sha, (unsigned char *)publicValue.data, publicValue.len); - rv |= PK11_DigestFinal(sha, hash, &outLen, SHA1_LENGTH); - PORT_Assert(rv != SECSuccess || outLen == SHA1_LENGTH); - if (rv != SECSuccess) - rv = SECFailure; - PK11_DestroyContext(sha, PR_TRUE); - - return rv; -} - static void ssl3_BumpSequenceNumber(SSL3SequenceNumber *num) @@ -1713,10 +1678,9 @@ ssl3_SendRecord( sslSocket * ss, } } - /* This variable records - * the actual size of the buffer we allocated above. Some - * algorithms (FORTEZZA) will expand the number of bytes it needs to - * send data. If we only supply the output buffer with the same number + /* This variable records the actual size of the buffer allocated above. + * Some algorithms may expand the number of bytes needed to send data. + * If we only supply the output buffer with the same number * of bytes as the input buffer, we will fail. */ bufSize = contentLen + SSL3_BUFFER_FUDGE; @@ -1994,7 +1958,6 @@ ssl3_HandleNoCertificate(sslSocket *ss) ** ssl3_HandleClientHello <- ** ssl3_HandleV2ClientHello <- ** ssl3_HandleCertificateVerify <- -** ssl3_HandleFortezzaClientKeyExchange <- ** ssl3_HandleClientKeyExchange <- ** ssl3_HandleCertificate <- ** ssl3_HandleFinished <- @@ -2309,9 +2272,7 @@ ssl3_GenerateSessionKeys(sslSocket *ss, const PK11SymKey *pms) void * pwArg = ss->pkcs11PinArg; PRBool isTLS = (PRBool)(kea_def->tls_keygen || (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); - PRBool skipKeysAndIVs = (PRBool) - ((cipher_def->calg == calg_fortezza) || - (cipher_def->calg == calg_null)); + PRBool skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null); /* * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size @@ -2999,8 +2960,7 @@ ssl3_SendClientHello(sslSocket *ss) * make sure the token that holds the master secret still exists ... * If we previously did client-auth, make sure that the token that holds * the private key still exists, is logged in, hasn't been removed, etc. - * Also for fortezza, make sure that the card that holds the session keys - * exist as well... */ + */ if (sid) { PK11SlotInfo *slot; PRBool sidOK = PR_TRUE; @@ -3022,12 +2982,6 @@ ssl3_SendClientHello(sslSocket *ss) PK11_FreeSlot(slot); slot = NULL; } - /* do sid-has-FORTEZZA-slot check */ - if (sid->u.ssl3.hasFortezza) { - /* do has fortezza check */ - if (!PK11_VerifyKeyOK(sid->u.ssl3.tek)) - sidOK = PR_FALSE; - } /* If we previously did client-auth, make sure that the token that ** holds the private key still exists, is logged in, hasn't been @@ -3279,35 +3233,6 @@ ssl_UnwrapSymWrappingKey( PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey); switch (exchKeyType) { - PK11SymKey * Ks; - PK11SlotInfo * slot; - SECItem param; - - case kt_fortezza: - /* get the slot that the fortezza server private key is in. */ - slot = PK11_GetSlotFromPrivateKey(svrPrivKey); - if (slot == NULL) { - SET_ERROR_CODE - goto loser; - } - - /* Look up the Token Fixed Key */ - Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_CBC64, NULL, pwArg); - PK11_FreeSlot(slot); - if (Ks == NULL) { - SET_ERROR_CODE - goto loser; - } - - /* unwrap client write key with the local Ks and IV */ - param.type = siBuffer; - param.data = pWswk->wrapIV; - param.len = pWswk->wrapIVLen; - unwrappedWrappingKey = - PK11_UnwrapSymKey(Ks, CKM_SKIPJACK_CBC64, ¶m, &wrappedKey, - masterWrapMech, CKA_UNWRAP, 0); - PK11_FreeSymKey(Ks); - break; case kt_rsa: unwrappedWrappingKey = @@ -3466,36 +3391,6 @@ getWrappingKey( sslSocket * ss, /* wrap symmetric wrapping key in server's public key. */ switch (exchKeyType) { - PK11SymKey * Ks; - PK11SlotInfo * fSlot; - SECItem param; - - case kt_fortezza: - /* get the slot that the fortezza server private key is in. */ - fSlot = PK11_GetSlotFromPrivateKey(svrPrivKey); - if (fSlot == NULL) { - SET_ERROR_CODE - goto loser; - } - - /* Look up the Token Fixed Key */ - Ks = PK11_FindFixedKey(fSlot, CKM_SKIPJACK_CBC64, NULL, pwArg); - PK11_FreeSlot(fSlot); - if (Ks == NULL) { - SET_ERROR_CODE - goto loser; - } - - /* wrap symmetricWrapping key with the local Ks */ - param.type = siBuffer; - param.data = wswk.wrapIV; - param.len = sizeof wswk.wrapIV; - rv = PK11_WrapSymKey(CKM_SKIPJACK_CBC64, ¶m, Ks, - unwrappedWrappingKey, &wrappedKey); - wswk.wrapIVLen = param.len; - PK11_FreeSymKey(Ks); - asymWrapMechanism = CKM_SKIPJACK_CBC64; - break; case kt_rsa: asymWrapMechanism = CKM_RSA_PKCS; @@ -3554,20 +3449,6 @@ done: } -static SECStatus -ssl3_FortezzaAppendHandshake(sslSocket *ss, unsigned char * data, int len) -{ - SSL3FortezzaKeys *fortezza_CKE = NULL; - SECStatus rv = SECFailure; - - rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, - (sizeof(*fortezza_CKE)-sizeof(fortezza_CKE->y_c)) + 1 + len); - if (rv == SECSuccess) { - rv = ssl3_AppendHandshakeVariable(ss, data, len, 1); - } - return rv; /* err set by ssl3_AppendHandshake* */ -} - /* Called from ssl3_SendClientKeyExchange(). */ static SECStatus sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey) @@ -3814,433 +3695,8 @@ loser: } #endif /* NSS_ENABLE_ECC */ -/* fortezza client-auth portion of ClientKeyExchange message - * This function appends the KEA public key from the client's V3 cert - * (empty for a V1 cert) to the outgoing ClientKeyExchange message. - * For a V3 cert, it also computes the Fortezza public key hash of that key - * and signs that hash with the client's signing private key. - * It also finds and returns the client's KEA private key. - * - * Called from sendFortezzaClientKeyExchange <- ssl3_SendClientKeyExchange() - */ -static SECKEYPrivateKey * -sendFortezzaCKXClientAuth(sslSocket *ss, SSL3FortezzaKeys * fortezza_CKE) -{ - SECKEYPublicKey * pubKey = NULL; - SECKEYPrivateKey * privKeaKey = NULL; - CERTCertificate * peerCert = ss->sec.peerCert; - void * pwArg = ss->pkcs11PinArg; - SECStatus rv = SECFailure; - SECItem sigItem; - SECItem hashItem; - - /* extract our own local public key. */ - pubKey = CERT_ExtractPublicKey(ss->ssl3->clientCertificate); - if (!pubKey) { - ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); - goto loser; - } - - if (pubKey->keyType == fortezzaKey) { - /* fortezza clientauth with fortezza V1 certificate */ - rv = ssl3_FortezzaAppendHandshake(ss, NULL, 0); - if (rv != SECSuccess) { - goto loser; /* err was set by AppendHandshake. */ - } - privKeaKey = PK11_FindKeyByAnyCert(ss->ssl3->clientCertificate, pwArg); - if (!privKeaKey) { - ssl_MapLowLevelError(SEC_ERROR_NO_KEY); - } - - } else { - /* fortezza clientauth w/ V3 certificate or non fortezza cert*/ - CERTCertificate * ccert = NULL; - SECKEYPublicKey * foundPubKey = NULL; - unsigned char hash[SHA1_LENGTH]; - - ccert = PK11_FindBestKEAMatch(peerCert, pwArg); - if (ccert == NULL) { - PORT_SetError(SSL_ERROR_FORTEZZA_PQG); - goto v3_loser; - } - - foundPubKey = CERT_ExtractPublicKey(ccert); - if (foundPubKey == NULL) { - ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); - goto v3_loser; - } - - if (foundPubKey->keyType == keaKey) { - rv = ssl3_FortezzaAppendHandshake(ss, - foundPubKey->u.kea.publicValue.data, - foundPubKey->u.kea.publicValue.len); - if (rv != SECSuccess) { - goto v3_loser; /* err was set by AppendHandshake. */ - } - - rv = ssl3_ComputeFortezzaPublicKeyHash( - foundPubKey->u.kea.publicValue, hash); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto v3_loser; - } - } else { - rv = ssl3_FortezzaAppendHandshake(ss, - foundPubKey->u.fortezza.KEAKey.data, - foundPubKey->u.fortezza.KEAKey.len); - if (rv != SECSuccess) { - goto v3_loser; /* err was set by AppendHandshake. */ - } - - rv = ssl3_ComputeFortezzaPublicKeyHash( - foundPubKey->u.fortezza.KEAKey, hash); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto v3_loser; - } - } - - hashItem.data = (unsigned char *) hash; - hashItem.len = SHA1_LENGTH; - - sigItem.data = fortezza_CKE->y_signature; - sigItem.len = sizeof fortezza_CKE->y_signature; - - rv = PK11_Sign(ss->ssl3->clientPrivateKey, &sigItem, &hashItem); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto v3_loser; - } - - privKeaKey = PK11_FindKeyByAnyCert(ccert, pwArg); - if (!privKeaKey) { - ssl_MapLowLevelError(SEC_ERROR_NO_KEY); - } - -v3_loser: - if (foundPubKey) - SECKEY_DestroyPublicKey(foundPubKey); - if (ccert) - CERT_DestroyCertificate(ccert); - } /* fortezza clientauth w/ V3 certificate or non fortezza cert*/ - -loser: - - if (pubKey) - SECKEY_DestroyPublicKey(pubKey); - return privKeaKey; -} /* End of fortezza client-auth. */ - - -/* fortezza without client-auth */ -/* fortezza client-auth portion of ClientKeyExchange message - * This function appends the public KEA key from the client's cert - * to the outgoing ClientKeyExchange message. - * It also finds and returns the client's KEA private key. - * - * Called from sendFortezzaClientKeyExchange <- ssl3_SendClientKeyExchange() - */ -static SECKEYPrivateKey * -sendFortezzaCKXNoClientAuth(sslSocket *ss) -{ - SECKEYPublicKey * foundPubKey = NULL; - SECKEYPrivateKey * privKeaKey = NULL; - CERTCertificate * ccert = NULL; - CERTCertificate * peerCert = ss->sec.peerCert; - void * pwArg = ss->pkcs11PinArg; - SECStatus rv = SECFailure; - - ccert = PK11_FindBestKEAMatch(peerCert, pwArg); - if (ccert == NULL) { - PORT_SetError(SSL_ERROR_FORTEZZA_PQG); - goto loser; - } - - foundPubKey = CERT_ExtractPublicKey(ccert); - if (foundPubKey == NULL) { - ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); - goto loser; - } - - if (foundPubKey->keyType == fortezzaKey) { - /* fortezza V1 cert */ - rv = ssl3_FortezzaAppendHandshake(ss, - foundPubKey->u.fortezza.KEAKey.data, - foundPubKey->u.fortezza.KEAKey.len); - if (rv != SECSuccess) { - goto loser; /* err was set by AppendHandshake. */ - } - privKeaKey = PK11_FindKeyByAnyCert(ccert, pwArg); - if (!privKeaKey) { - ssl_MapLowLevelError(SEC_ERROR_NO_KEY); - } - } else { - /* fortezza V3 cert */ - rv = ssl3_FortezzaAppendHandshake(ss, - foundPubKey->u.kea.publicValue.data, - foundPubKey->u.kea.publicValue.len); - if (rv != SECSuccess) { - goto loser; /* err was set by AppendHandshake. */ - } - privKeaKey = PK11_FindKeyByAnyCert(ccert, pwArg); - if (!privKeaKey) { - ssl_MapLowLevelError(SEC_ERROR_NO_KEY); - } - } - -loser: - if (foundPubKey) - SECKEY_DestroyPublicKey(foundPubKey); - if (ccert) - CERT_DestroyCertificate(ccert); - return privKeaKey; -} - -/* Called from ssl3_SendClientKeyExchange(). */ -static SECStatus -sendFortezzaClientKeyExchange(sslSocket * ss, SECKEYPublicKey * serverKey) -{ - ssl3CipherSpec * pwSpec = NULL; - sslSessionID * sid = ss->sec.ci.sid; - PK11SlotInfo * slot = NULL; - PK11SymKey * pms = NULL; - PK11SymKey * tek = NULL; - PK11SymKey * client_write_key = NULL; - PK11SymKey * server_write_key = NULL; - SECKEYPrivateKey * privKeaKey = NULL; - void * pwArg = ss->pkcs11PinArg; - SECStatus rv = SECFailure; - CK_VERSION version; - SECItem param; - SECItem raItem; - SECItem rbItem; - SECItem enc_pms; - SECItem item; - SSL3FortezzaKeys fortezza_CKE; - PRBool releaseSpecWriteLock = PR_FALSE; - - PORT_Assert( ssl_HaveXmitBufLock(ss)); - PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) ); - - /* first get an appropriate slot for doing MACing. - * Note: This slot will NOT be a Fortezza slot because Fortezza - * cannot generate an SSL3 pre-master-secret. - */ - slot = PK11_GetBestSlot(CKM_SSL3_PRE_MASTER_KEY_GEN, pwArg); - if (slot == NULL) { - PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND); - goto loser; - } - - /* create a pre-Master secret */ - version.major = MSB(ss->version); - version.minor = LSB(ss->version); - - param.data = (unsigned char *)&version; - param.len = sizeof version; - - pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, - ¶m, 0, pwArg); - PK11_FreeSlot(slot); - slot = NULL; - if (pms == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - - /* If we don't have a certificate, we need to read out your public key. - * This changes a bit when we need to deal with the PQG stuff - */ - PORT_Memset(fortezza_CKE.y_signature, 0, sizeof fortezza_CKE.y_signature); - - /* Send the KEA public key and get the KEA private key. */ - if (ss->ssl3->clientCertificate != NULL) { - /* with client-auth */ - privKeaKey = sendFortezzaCKXClientAuth(ss, &fortezza_CKE); - } else { - /* without client-auth */ - privKeaKey = sendFortezzaCKXNoClientAuth(ss); - } - if (privKeaKey == NULL) { - rv = SECFailure; - goto loser; /* error was already set. */ - } - - /* Now we derive the TEK, and generate r_c the client's "random" public key. - * r_c is generated and filled in by the PubDerive call below. - */ - raItem.data = fortezza_CKE.r_c; - raItem.len = sizeof fortezza_CKE.r_c; - - /* R_s == server's "random" public key, sent in the Server Key Exchange */ - rbItem.data = ss->ssl3->fortezza.R_s; - rbItem.len = sizeof ss->ssl3->fortezza.R_s; - - tek = PK11_PubDerive(privKeaKey, serverKey, PR_TRUE, /* generate r_c */ - &raItem, &rbItem, CKM_KEA_KEY_DERIVE, - CKM_SKIPJACK_WRAP, CKA_WRAP, 0, pwArg); - SECKEY_DestroyPrivateKey(privKeaKey); - privKeaKey = NULL; - if (tek == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - - ss->ssl3->fortezza.tek = PK11_ReferenceSymKey(tek); /* can't fail. */ - - /* encrypt the pms with the TEK. - * NB: PK11_WrapSymKey will generate and output the encrypted PMS - * AND the IV for decrypting the PMS. - */ - param.data = fortezza_CKE.master_secret_iv; - param.len = sizeof fortezza_CKE.master_secret_iv; - - enc_pms.data = fortezza_CKE.encrypted_preMasterSecret; - enc_pms.len = sizeof fortezza_CKE.encrypted_preMasterSecret; - - rv = PK11_WrapSymKey(CKM_SKIPJACK_CBC64, ¶m, tek, pms, &enc_pms); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - rv = SECFailure; /* not there yet. */ - - slot = PK11_GetSlotFromKey(tek); - - ssl_GetSpecWriteLock(ss); releaseSpecWriteLock = PR_TRUE; - - pwSpec = ss->ssl3->pwSpec; - pwSpec->client.write_key = client_write_key = - PK11_KeyGen(slot, CKM_SKIPJACK_CBC64, NULL, 0, pwArg); - if (client_write_key == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - /* the -1 is a hack. It's supposed to be key size, but we use it - * to tell the wrapper that we're doing a weird PKCS #11 key gen. - * Usually the result of key gen is an encrypt key. This is not - * the case with SSL, where this key is a decrypt key. - */ - pwSpec->server.write_key = server_write_key = - PK11_KeyGen(slot, CKM_SKIPJACK_CBC64, NULL, -1, pwArg); - if (server_write_key == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - - rv = ssl3_InitPendingCipherSpec(ss, pms); - PK11_FreeSymKey(pms); pms = NULL; - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - - /* copy the keys and IVs out now */ - item.data = fortezza_CKE.wrapped_client_write_key; - item.len = sizeof fortezza_CKE.wrapped_client_write_key; - rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, client_write_key, &item); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - - item.data = fortezza_CKE.wrapped_server_write_key; - item.len = sizeof fortezza_CKE.wrapped_server_write_key; - rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, server_write_key, &item); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - - /* we only get the generated IV's if we're doing skipjack. */ - if (pwSpec->cipher_def->calg == calg_fortezza) { - PORT_Memcpy(fortezza_CKE.client_write_iv, pwSpec->client.write_iv, - sizeof fortezza_CKE.client_write_iv); - PORT_Memcpy(fortezza_CKE.server_write_iv, pwSpec->server.write_iv, - sizeof fortezza_CKE.server_write_iv); - } else { - /* generate IVs to make old servers happy */ - rv = PK11_GenerateFortezzaIV(client_write_key, - fortezza_CKE.client_write_iv, - sizeof fortezza_CKE.client_write_iv); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - rv = PK11_GenerateFortezzaIV(server_write_key, - fortezza_CKE.server_write_iv, - sizeof fortezza_CKE.server_write_iv); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - } - /* NOTE: This technique of writing out the struct, rather than writing - * out the individual members works only because all the rest of the - * values are fixed-length strings of well-defined byte order. - * Add one SECItem or one Number and we will need to break the elements out. - */ - rv = ssl3_AppendHandshake(ss, &fortezza_CKE.r_c, - (sizeof fortezza_CKE - sizeof fortezza_CKE.y_c)); - if (rv != SECSuccess) { - goto loser; /* err was set by AppendHandshake. */ - } - - /* now we initialize our contexts */ - sid->u.ssl3.hasFortezza = PR_TRUE; - sid->u.ssl3.tek = tek; tek = NULL; /* adopt.. */ - - if (pwSpec->cipher_def->calg == calg_fortezza) { - sid->u.ssl3.clientWriteKey = - PK11_ReferenceSymKey(pwSpec->client.write_key); - sid->u.ssl3.serverWriteKey= - PK11_ReferenceSymKey(pwSpec->server.write_key); - - PORT_Memcpy(sid->u.ssl3.keys.client_write_iv, - pwSpec->client.write_iv, - sizeof sid->u.ssl3.keys.client_write_iv); - PORT_Memcpy(sid->u.ssl3.keys.server_write_iv, - pwSpec->server.write_iv, - sizeof sid->u.ssl3.keys.server_write_iv); - - rv = PK11_SaveContext((PK11Context *)pwSpec->encodeContext, - sid->u.ssl3.clientWriteSave, - &sid->u.ssl3.clientWriteSaveLen, - sizeof sid->u.ssl3.clientWriteSave); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - } else { - PK11_FreeSymKey(client_write_key); - pwSpec->client.write_key = client_write_key = NULL; - - PK11_FreeSymKey(server_write_key); - pwSpec->server.write_key = server_write_key = NULL; - - rv = SECSuccess; - } - /* FALL THROUGH */ -loser: - if (tek) PK11_FreeSymKey(tek); - if (slot) PK11_FreeSlot(slot); - if (pms) PK11_FreeSymKey(pms); - if (rv != SECSuccess) { - if (client_write_key) { - PK11_FreeSymKey(client_write_key); - pwSpec->client.write_key = client_write_key = NULL; - } - if (server_write_key) { - PK11_FreeSymKey(server_write_key); - pwSpec->server.write_key = server_write_key = NULL; - } - } - if (releaseSpecWriteLock) - ssl_GetSpecWriteLock(ss); - return rv; -} /* Called from ssl3_HandleServerHelloDone(). */ static SECStatus @@ -4290,10 +3746,6 @@ ssl3_SendClientKeyExchange(sslSocket *ss) rv = sendRSAClientKeyExchange(ss, serverKey); break; - case kt_fortezza: - rv = sendFortezzaClientKeyExchange(ss, serverKey); - break; - case kt_dh: rv = sendDHClientKeyExchange(ss, serverKey); break; @@ -4361,7 +3813,7 @@ ssl3_SendCertificateVerify(sslSocket *ss) PK11_FreeSlot(slot); } /* If we're doing RSA key exchange, we're all done with the private key - * here. Diffie-Hellman & Fortezza key exchanges need the client's + * here. Diffie-Hellman key exchanges need the client's * private key for the key exchange. */ if (ssl3->hs.kea_def->exchKeyType == kt_rsa) { @@ -4586,39 +4038,11 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); } - /* reload the FORTEZZA key material. These keys aren't generated - * by the master secret, but by the key exchange. We restart by - * reusing these keys. */ - if (sid->u.ssl3.hasFortezza) { - ss->ssl3->fortezza.tek = PK11_ReferenceSymKey(sid->u.ssl3.tek); - } - if (ss->ssl3->hs.suite_def->bulk_cipher_alg == cipher_fortezza) { - ss->ssl3->pwSpec->client.write_key = - PK11_ReferenceSymKey(sid->u.ssl3.clientWriteKey); - ss->ssl3->pwSpec->server.write_key = - PK11_ReferenceSymKey(sid->u.ssl3.serverWriteKey); - /* add the tek later for pre-encrypted files */ - PORT_Memcpy(ss->ssl3->pwSpec->client.write_iv, - sid->u.ssl3.keys.client_write_iv, - sizeof sid->u.ssl3.keys.client_write_iv); - PORT_Memcpy(ss->ssl3->pwSpec->server.write_iv, - sid->u.ssl3.keys.server_write_iv, - sizeof sid->u.ssl3.keys.server_write_iv); - } /* NULL value for PMS signifies re-use of the old MS */ rv = ssl3_InitPendingCipherSpec(ss, NULL); if (rv != SECSuccess) { - goto alert_loser; /* err code was set by ssl3_InitPendingCipherSpec */ - } - if (ss->ssl3->hs.suite_def->bulk_cipher_alg == cipher_fortezza) { - rv = PK11_RestoreContext( - (PK11Context *)ss->ssl3->pwSpec->encodeContext, - sid->u.ssl3.clientWriteSave, - sid->u.ssl3.clientWriteSaveLen); - if (rv != SECSuccess) { - goto alert_loser; /* err is set. */ - } + goto alert_loser; /* err code was set */ } SECITEM_ZfreeItem(&sidBytes, PR_FALSE); return SECSuccess; @@ -4974,26 +4398,6 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) return SECSuccess; #endif /* NSS_ENABLE_ECC */ - case kt_fortezza: - - /* Fortezza needs *BOTH* a server cert message - * and a server key exchange message. - */ - if (ss->ssl3->hs.ws == wait_server_cert) { - errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; - desc = unexpected_message; - goto alert_loser; - } - /* Get the server's "random" public key. */ - rv = ssl3_ConsumeHandshake(ss, ss->ssl3->fortezza.R_s, - sizeof ss->ssl3->fortezza.R_s, &b, &length); - if (rv != SECSuccess) { - goto loser; /* malformed */ - } - - ss->ssl3->hs.ws = wait_cert_request; - return SECSuccess; - default: desc = handshake_failure; errCode = SEC_ERROR_UNSUPPORTED_KEYALG; @@ -5407,7 +4811,6 @@ ssl3_NewSessionID(sslSocket *ss, PRBool is_server) sid->u.ssl3.resumable = PR_TRUE; sid->u.ssl3.policy = SSL_ALLOWED; - sid->u.ssl3.hasFortezza = PR_FALSE; sid->u.ssl3.clientWriteKey = NULL; sid->u.ssl3.serverWriteKey = NULL; sid->u.ssl3.tek = NULL; @@ -5456,12 +4859,8 @@ ssl3_SendServerHelloSequence(sslSocket *ss) */ kea_def = ss->ssl3->hs.kea_def; ss->ssl3->hs.usedStepDownKey = PR_FALSE; - if (kea_def->kea == kea_fortezza) { - rv = ssl3_SendServerKeyExchange(ss); - if (rv != SECSuccess) { - return rv; /* err code was set. */ - } - } else if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) { + + if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) { /* see if we can legally use the key in the cert. */ int keyLen; /* bytes */ @@ -5717,7 +5116,6 @@ compression_found: * as if the client had sent us no sid to begin with, and make a new one. */ if (sid != NULL) do { - PK11SlotInfo * slot; PK11SymKey * wrapKey; /* wrapping key */ SECItem wrappedKey; /* wrapped key */ ssl3CipherSpec *pwSpec; @@ -5798,74 +5196,6 @@ compression_found: goto loser; } - /* reload the FORTEZZA key material. - * On Fortezza, the following keys & IVs are generated by the KEA, - * not from the PMS. Since we're not going to redo the KEA, we - * have to save & restore them for Fortezza. - * use kea because we haven't call InitCipher Specs yet...? - */ - if (ssl3->hs.suite_def->bulk_cipher_alg == cipher_fortezza) { - PK11SymKey * Ks; - SECItem item; - - PORT_Memcpy(pwSpec->client.write_iv, - sid->u.ssl3.keys.client_write_iv, - sizeof sid->u.ssl3.keys.client_write_iv); - PORT_Memcpy(pwSpec->server.write_iv, - sid->u.ssl3.keys.server_write_iv, - sizeof sid->u.ssl3.keys.server_write_iv); - - /* Now, unwrap the client and server write keys with Ks */ - - /* get the slot that the fortezza server private key is in. */ - slot = PK11_GetSlotFromPrivateKey( - ss->serverCerts[kt_fortezza].serverKey); - if (slot == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - - /* Look up the Token Fixed Key */ - Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_WRAP, NULL, - ss->pkcs11PinArg); - PK11_FreeSlot(slot); - if (Ks == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - - /* unwrap client write key with the local Ks */ - item.data = sid->u.ssl3.keys.wrapped_client_write_key; - item.len = sizeof sid->u.ssl3.keys.wrapped_client_write_key; - - pwSpec->client.write_key = - PK11_UnwrapSymKey(Ks, CKM_SKIPJACK_WRAP, NULL, &item, - CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0); - if (pwSpec->client.write_key == NULL) { - SEND_ALERT - ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE); - goto loser; - } - - /* unwrap server write key with the local Ks */ - item.data = sid->u.ssl3.keys.wrapped_server_write_key; - item.len = sizeof sid->u.ssl3.keys.wrapped_server_write_key; - - pwSpec->server.write_key = - PK11_UnwrapSymKey(Ks, CKM_SKIPJACK_WRAP, NULL, &item, - CKM_SKIPJACK_CBC64, CKA_ENCRYPT, 0); - if (pwSpec->server.write_key == NULL) { - PK11_FreeSymKey(pwSpec->client.write_key); - pwSpec->client.write_key = NULL; - SEND_ALERT - ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE); - goto loser; - } - /* Set flag that says "generate 8 byte random prefix plaintext." */ - PK11_SetFortezzaHack(pwSpec->server.write_key); /* can't fail */ - - } - if (haveSpecWriteLock) { ssl_ReleaseSpecWriteLock(ss); haveSpecWriteLock = PR_FALSE; @@ -6276,27 +5606,6 @@ const ssl3KEADef * kea_def = ss->ssl3->hs.kea_def; PORT_Free(signed_hash.data); return SECSuccess; - case kt_fortezza: - - /* Set server's "random" public key R_s to the email value == 1 */ - PORT_Memset(ss->ssl3->fortezza.R_s, 0, sizeof(ss->ssl3->fortezza.R_s)); - ss->ssl3->fortezza.R_s[127] = 1; - - /* don't waste time signing the random number */ - length = sizeof (ss->ssl3->fortezza.R_s) /*+ 2 + signed_hash.len*/; - - rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length); - if (rv != SECSuccess) { - goto loser; /* err set by AppendHandshake. */ - } - - rv = ssl3_AppendHandshake( ss, &ss->ssl3->fortezza.R_s, - sizeof(ss->ssl3->fortezza.R_s)); - if (rv != SECSuccess) { - goto loser; /* err set by AppendHandshake. */ - } - return SECSuccess; - #ifdef NSS_ENABLE_ECC case kt_ecdh: /* Generate ephemeral ECDH key pair and send the public key */ @@ -6441,13 +5750,8 @@ const uint8 * certTypes; calen += 2 + name->len; } - if (ss->ssl3->hs.kea_def->exchKeyType == kt_fortezza) { - certTypes = fortezza_certificate_types; - certTypesLength = sizeof fortezza_certificate_types; - } else { - certTypes = certificate_types; - certTypesLength = sizeof certificate_types; - } + certTypes = certificate_types; + certTypesLength = sizeof certificate_types; length = 1 + certTypesLength + 2 + calen; @@ -6554,256 +5858,6 @@ loser: return SECFailure; } -/* -** Called from ssl3_HandleClientKeyExchange() -*/ -static SECStatus -ssl3_HandleFortezzaClientKeyExchange(sslSocket *ss, SSL3Opaque *b, - PRUint32 length, - SECKEYPrivateKey *serverKey) -{ - SECKEYPublicKey * pubKey = NULL; - PK11SymKey * tek = NULL; - PK11SymKey * pms; - PK11SymKey * Ks = NULL; - sslSessionID * sid = ss->sec.ci.sid; - ssl3CipherSpec * pwSpec = ss->ssl3->pwSpec; - void * pwArg = ss->pkcs11PinArg; - SECStatus rv; - SECItem raItem; - SECItem rbItem; - SECItem param; - SECItem item; - SECItem enc_pms; - SSL3FortezzaKeys fortezza_CKE; - - PORT_Assert( ssl_HaveRecvBufLock(ss) ); - PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) ); - - fortezza_CKE.y_c.data = NULL; - rv = ssl3_ConsumeHandshakeVariable(ss, &fortezza_CKE.y_c, 1, &b, &length); - if (rv != SECSuccess) { - PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH); - goto fortezza_loser; - } - rv = ssl3_ConsumeHandshake(ss, &fortezza_CKE.r_c, - sizeof fortezza_CKE - sizeof fortezza_CKE.y_c, - &b, &length); - if (rv != SECSuccess) { - PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH); - goto fortezza_loser; - } - - /* Build a Token Encryption key (tek). TEK's can never be unloaded - * from the card, but given these parameters, and *OUR* fortezza - * card, we can always regenerate the same one on the fly. - */ - if (ss->sec.peerCert != NULL) { - /* client-auth case */ - - pubKey = CERT_ExtractPublicKey(ss->sec.peerCert); - if (pubKey == NULL) { - SEND_ALERT - PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); - rv = SECFailure; - goto fortezza_loser; - } - - if (pubKey->keyType != fortezzaKey) { - /* handle V3 client-auth case */ - SECItem sigItem; - SECItem hashItem; - unsigned char hash[SHA1_LENGTH]; - - rv = ssl3_ComputeFortezzaPublicKeyHash(fortezza_CKE.y_c, hash); - if (rv != SECSuccess) { - SEND_ALERT - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - sigItem.data = fortezza_CKE.y_signature; - sigItem.len = sizeof fortezza_CKE.y_signature; - - hashItem.data = hash; - hashItem.len = sizeof hash; - - rv = PK11_Verify(pubKey, &sigItem, &hashItem, pwArg); - if (rv != SECSuccess) { - SSL3_SendAlert(ss, alert_fatal, illegal_parameter); - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - SECKEY_DestroyPublicKey(pubKey); pubKey = NULL; - } - } - rv = SECFailure; - - /* Make the public key if necessary */ - if (fortezza_CKE.y_c.len != 0) { - if (pubKey != NULL) { - /* The client is not allowed to send the public key - * if it can be extracted from the certificate. */ - SSL3_SendAlert(ss, alert_fatal, illegal_parameter); - PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - pubKey = PK11_MakeKEAPubKey(fortezza_CKE.y_c.data, - fortezza_CKE.y_c.len); - } - if (pubKey == NULL) { - /* no public Key in either the cert or the protocol message*/ - SSL3_SendAlert(ss, alert_fatal, illegal_parameter); - PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - - /* Now we derive the TEK. r_c is the client's "random" public key. */ - raItem.data = fortezza_CKE.r_c; - raItem.len = sizeof(fortezza_CKE.r_c); - - /* R_s == server's "random" public key, sent in the Server Key Exchange */ - rbItem.data = ss->ssl3->fortezza.R_s; - rbItem.len = sizeof ss->ssl3->fortezza.R_s; - - tek = PK11_PubDerive(serverKey, pubKey, PR_FALSE, /* don't gen r_c */ - &raItem, &rbItem, CKM_KEA_KEY_DERIVE, - CKM_SKIPJACK_WRAP, CKA_WRAP, 0, pwArg); - SECKEY_DestroyPublicKey(pubKey); pubKey = NULL; - if (tek == NULL) { - SEND_ALERT - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - - ss->ssl3->fortezza.tek = PK11_ReferenceSymKey(tek); - - if (pwSpec->cipher_def->calg == calg_fortezza) { - item.data = fortezza_CKE.wrapped_client_write_key; - item.len = sizeof fortezza_CKE.wrapped_client_write_key; - - pwSpec->client.write_key = - PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL, &item, - CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0); - if (pwSpec->client.write_key == NULL) { - SEND_ALERT - ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE); - goto fortezza_loser; - } - - item.data = fortezza_CKE.wrapped_server_write_key; - item.len = sizeof fortezza_CKE.wrapped_server_write_key; - - pwSpec->server.write_key = - PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL, &item, - CKM_SKIPJACK_CBC64, CKA_ENCRYPT, 0); - if (pwSpec->server.write_key == NULL) { - PK11_FreeSymKey(pwSpec->client.write_key); - pwSpec->client.write_key = NULL; - SEND_ALERT - ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE); - goto fortezza_loser; - } - /* Set a flag that says "generate 8 byte random prefix plaintext." */ - PK11_SetFortezzaHack(pwSpec->server.write_key); /* can't fail */ - - PORT_Memcpy(pwSpec->client.write_iv, fortezza_CKE.client_write_iv, - sizeof fortezza_CKE.client_write_iv); - PORT_Memcpy(pwSpec->server.write_iv, fortezza_CKE.server_write_iv, - sizeof fortezza_CKE.server_write_iv); - - } - - /* decrypt the pms with the TEK */ - enc_pms.data = fortezza_CKE.encrypted_preMasterSecret; - enc_pms.len = sizeof fortezza_CKE.encrypted_preMasterSecret; - - param.data = fortezza_CKE.master_secret_iv; - param.len = sizeof fortezza_CKE.master_secret_iv; - - pms = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_CBC64, ¶m, &enc_pms, - CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0); - if (pms == NULL) { - SEND_ALERT - ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE); - goto fortezza_loser; - } - - rv = ssl3_InitPendingCipherSpec(ss, pms); - PK11_FreeSymKey(pms); - if (rv != SECSuccess) { - SEND_ALERT - goto fortezza_loser; /* err code is set. */ - } - - if (pwSpec->cipher_def->calg == calg_fortezza) { - PK11SlotInfo * slot; - - sid->u.ssl3.clientWriteKey = - PK11_ReferenceSymKey(pwSpec->client.write_key); - sid->u.ssl3.serverWriteKey = - PK11_ReferenceSymKey(pwSpec->server.write_key); - - PORT_Memcpy(sid->u.ssl3.keys.client_write_iv, pwSpec->client.write_iv, - sizeof sid->u.ssl3.keys.client_write_iv); - PORT_Memcpy(sid->u.ssl3.keys.server_write_iv, pwSpec->server.write_iv, - sizeof sid->u.ssl3.keys.server_write_iv); - - /* Now, wrap the client and server write keys in Ks for storage - * in the on-disk sid. - */ - - slot = PK11_GetSlotFromKey(tek); /* get ref to the slot */ - if (slot == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - - /* Look up the Token Fixed Key */ - Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_WRAP, NULL, ss->pkcs11PinArg); - PK11_FreeSlot(slot); - if (Ks == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - - /* rewrap server write key with the local Ks */ - item.data = sid->u.ssl3.keys.wrapped_server_write_key; - item.len = sizeof sid->u.ssl3.keys.wrapped_server_write_key; - rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, Ks, - pwSpec->server.write_key, &item); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - - /* rewrap client write key with the local Ks */ - item.data = sid->u.ssl3.keys.wrapped_client_write_key; - item.len = sizeof sid->u.ssl3.keys.wrapped_client_write_key; - rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, Ks, - pwSpec->client.write_key, &item); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - - /* wrap the master secret later, when we handle the client's - * finished message. - */ - } - - sid->u.ssl3.hasFortezza = PR_TRUE; - sid->u.ssl3.tek = tek; tek = NULL; - - rv = SECSuccess; - -fortezza_loser: - if (Ks) PK11_FreeSymKey(Ks); - if (tek) PK11_FreeSymKey(tek); - if (pubKey) SECKEY_DestroyPublicKey(pubKey); - if (fortezza_CKE.y_c.data != NULL) - SECITEM_FreeItem(&fortezza_CKE.y_c, PR_FALSE); - return rv; -} /* find a slot that is able to generate a PMS and wrap it with RSA. * Then generate and return the PMS. @@ -7109,12 +6163,6 @@ const ssl3KEADef * kea_def; } break; - case kt_fortezza: - rv = ssl3_HandleFortezzaClientKeyExchange(ss, b, length, serverKey); - if (rv != SECSuccess) { - return SECFailure; /* error code set */ - } - break; #ifdef NSS_ENABLE_ECC case kt_ecdh: @@ -7493,18 +6541,8 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) SECKEY_UpdateCertPQG(ss->sec.peerCert); /* - * We're making a fortezza connection, and the card hasn't unloaded it's - * certs, try to unload those certs now. + * Ask caller-supplied callback function to validate cert chain. */ - if (!trusted) { - CERTCertificate *ccert; - - ccert = PK11_FindBestKEAMatch(ss->sec.peerCert, ss->pkcs11PinArg); - if (ccert) - CERT_DestroyCertificate(ccert); - } - - rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd, PR_TRUE, isServer); if (rv) { @@ -7597,7 +6635,6 @@ cert_block: ssl3->hs.ws = wait_cert_request; /* disallow server_key_exchange */ if (ssl3->hs.kea_def->is_limited || /* XXX OR server cert is signing only. */ - ssl3->hs.kea_def->kea == kea_fortezza || #ifdef NSS_ENABLE_ECC ssl3->hs.kea_def->kea == kea_ecdhe_ecdsa || ssl3->hs.kea_def->kea == kea_ecdhe_rsa || @@ -8625,7 +7662,6 @@ ssl3_InitState(sslSocket *ss) ssl3->hs.rehandshake = PR_FALSE; ssl3_InitCipherSpec(ss, ssl3->crSpec); ssl3_InitCipherSpec(ss, ssl3->prSpec); - ssl3->fortezza.tek = NULL; ssl3->hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; ssl_ReleaseSpecWriteLock(ss); @@ -8994,9 +8030,6 @@ ssl3_DestroySSL3Info(ssl3State *ssl3) PK11_DestroyContext(ssl3->hs.sha,PR_TRUE); } - if (ssl3->fortezza.tek != NULL) { - PK11_FreeSymKey(ssl3->fortezza.tek); - } /* free the SSL3Buffer (msg_body) */ PORT_Free(ssl3->hs.msg_body.buf); diff --git a/security/nss/lib/ssl/ssl3prot.h b/security/nss/lib/ssl/ssl3prot.h index c68fa8270..da1e0d180 100644 --- a/security/nss/lib/ssl/ssl3prot.h +++ b/security/nss/lib/ssl/ssl3prot.h @@ -1,4 +1,4 @@ -/* +/* Private header file of libSSL. * Various and sundry protocol constants. DON'T CHANGE THESE. These * values are defined by the SSL 3.0 protocol specification. * @@ -206,7 +206,6 @@ typedef enum { kea_dhe_rsa_export, kea_dh_anon, kea_dh_anon_export, - kea_fortezza, kea_rsa_fips, kea_ecdh_ecdsa, kea_ecdhe_ecdsa, @@ -259,7 +258,6 @@ typedef enum { ct_RSA_fixed_ECDH = 8, ct_ECDSA_fixed_ECDH = 9, - ct_Fortezza = 20 } SSL3ClientCertificateType; typedef SECItem *SSL3DistinquishedName; @@ -271,18 +269,6 @@ typedef struct { typedef SECItem SSL3EncryptedPreMasterSecret; -/* Following struct is the format of a Fortezza ClientKeyExchange message. */ -typedef struct { - SECItem y_c; - SSL3Opaque r_c [128]; - SSL3Opaque y_signature [40]; - SSL3Opaque wrapped_client_write_key [12]; - SSL3Opaque wrapped_server_write_key [12]; - SSL3Opaque client_write_iv [24]; - SSL3Opaque server_write_iv [24]; - SSL3Opaque master_secret_iv [24]; - SSL3Opaque encrypted_preMasterSecret[48]; -} SSL3FortezzaKeys; typedef SSL3Opaque SSL3MasterSecret[48]; @@ -299,7 +285,6 @@ typedef struct { union { SSL3EncryptedPreMasterSecret rsa; SSL3ClientDiffieHellmanPublic diffie_helman; - SSL3FortezzaKeys fortezza; } exchange_keys; } SSL3ClientKeyExchange; diff --git a/security/nss/lib/ssl/sslauth.c b/security/nss/lib/ssl/sslauth.c index 690008e42..24d250018 100644 --- a/security/nss/lib/ssl/sslauth.c +++ b/security/nss/lib/ssl/sslauth.c @@ -117,8 +117,7 @@ SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, cipherName = ssl3_cipherName[ss->sec.cipherType]; } if (cipherName && PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE; - /* do same key stuff for fortezza */ - + if (cp) { *cp = PORT_Strdup(cipherName); } diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c index da20986b5..278478fc6 100644 --- a/security/nss/lib/ssl/sslcon.c +++ b/security/nss/lib/ssl/sslcon.c @@ -145,7 +145,7 @@ const char * const ssl_cipherName[] = { "DES-CBC", "DES-EDE3-CBC", "unknown", - "Fortezza", + "unknown", /* was fortezza, NO LONGER USED */ }; diff --git a/security/nss/lib/ssl/sslenum.c b/security/nss/lib/ssl/sslenum.c index 2745155af..d28d689b7 100644 --- a/security/nss/lib/ssl/sslenum.c +++ b/security/nss/lib/ssl/sslenum.c @@ -56,7 +56,6 @@ const PRUint16 SSL_ImplementedCiphers[] = { TLS_RSA_WITH_AES_256_CBC_SHA, /* 128-bit */ - SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, #ifdef NSS_ENABLE_ECC TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, @@ -84,9 +83,6 @@ const PRUint16 SSL_ImplementedCiphers[] = { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, - /* 80 bit skipjack */ - SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* KEA + SkipJack */ - /* 56-bit DES "domestic" cipher suites */ SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, @@ -106,7 +102,6 @@ const PRUint16 SSL_ImplementedCiphers[] = { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* ciphersuites with no encryption */ - SSL_FORTEZZA_DMS_WITH_NULL_SHA, #ifdef NSS_ENABLE_ECC TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h index f42bd4be3..ae6cb8a72 100644 --- a/security/nss/lib/ssl/sslimpl.h +++ b/security/nss/lib/ssl/sslimpl.h @@ -84,7 +84,7 @@ typedef SSLSignType SSL3SignType; #define calg_des ssl_calg_des #define calg_3des ssl_calg_3des #define calg_idea ssl_calg_idea -#define calg_fortezza ssl_calg_fortezza +#define calg_fortezza ssl_calg_fortezza /* deprecated, must preserve */ #define calg_aes ssl_calg_aes #define mac_null ssl_mac_null @@ -414,7 +414,6 @@ typedef enum { cipher_3des, cipher_des40, cipher_idea, - cipher_fortezza, cipher_aes_128, cipher_aes_256, cipher_missing /* reserved for no such supported cipher */ @@ -522,7 +521,6 @@ struct sslSessionIDStr { SSL3CompressionMethod compression; PRBool resumable; int policy; - PRBool hasFortezza; ssl3SidKeys keys; CK_MECHANISM_TYPE masterWrapMech; /* mechanism used to wrap master secret */ @@ -560,11 +558,6 @@ struct sslSessionIDStr { char masterValid; char clAuthValid; - /* the following values are used only in the client, and only - * with fortezza. - */ - SSL3Opaque clientWriteSave[80]; - int clientWriteSaveLen; } ssl3; } u; }; @@ -660,12 +653,7 @@ const ssl3CipherSuiteDef *suite_def; /* protected by recvBufLock */ } SSL3HandshakeState; -struct SSL3FortezzaKEAParamsStr { - unsigned char R_s[128]; /* server's "random" public key */ - PK11SymKey * tek; -}; -typedef struct SSL3FortezzaKEAParamsStr SSL3FortezzaKEAParams; /* ** This is the "ssl3" struct, as in "ss->ssl3". @@ -704,7 +692,7 @@ struct ssl3StateStr { /* chain while we are trying to validate it. */ CERTDistNames * ca_list; /* used by server. trusted CAs for this socket. */ - SSL3FortezzaKEAParams fortezza; + }; typedef struct { diff --git a/security/nss/lib/ssl/sslinfo.c b/security/nss/lib/ssl/sslinfo.c index 218973a2a..40dd9b31f 100644 --- a/security/nss/lib/ssl/sslinfo.c +++ b/security/nss/lib/ssl/sslinfo.c @@ -100,8 +100,6 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len) return SECSuccess; } -#define kt_kea kt_fortezza -#define calg_sj calg_fortezza #define CS(x) x, #x #define CK(x) x | 0xff00, #x @@ -143,7 +141,6 @@ static const SSLCipherSuiteInfo suiteInfo[] = { {0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA), S_DSA, K_DHE, C_AES, B_256, M_SHA, 0, 0, 0, }, {0,CS(TLS_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_RSA, C_AES, B_256, M_SHA, 0, 0, 0, }, -{0,CS(SSL_FORTEZZA_DMS_WITH_RC4_128_SHA), S_KEA, K_KEA, C_RC4, B_128, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA, 0, 0, 0, }, @@ -156,7 +153,6 @@ static const SSLCipherSuiteInfo suiteInfo[] = { {0,CS(SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA), S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, 0, 1, }, {0,CS(SSL_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, 0, 0, }, -{0,CS(SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA),S_KEA, K_KEA, C_SJ, B_SJ, M_SHA, 1, 0, 0, }, {0,CS(SSL_DHE_RSA_WITH_DES_CBC_SHA), S_RSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, }, {0,CS(SSL_DHE_DSS_WITH_DES_CBC_SHA), S_DSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, }, {0,CS(SSL_RSA_FIPS_WITH_DES_CBC_SHA), S_RSA, K_RSA, C_DES, B_DES, M_SHA, 1, 0, 1, }, @@ -166,7 +162,6 @@ static const SSLCipherSuiteInfo suiteInfo[] = { {0,CS(TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA), S_RSA, K_RSA, C_DES, B_DES, M_SHA, 1, 1, 0, }, {0,CS(SSL_RSA_EXPORT_WITH_RC4_40_MD5), S_RSA, K_RSA, C_RC4, B_40, M_MD5, 0, 1, 0, }, {0,CS(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5), S_RSA, K_RSA, C_RC2, B_40, M_MD5, 0, 1, 0, }, -{0,CS(SSL_FORTEZZA_DMS_WITH_NULL_SHA), S_KEA, K_KEA, C_NULL,B_0, M_SHA, 0, 1, 0, }, {0,CS(SSL_RSA_WITH_NULL_SHA), S_RSA, K_RSA, C_NULL,B_0, M_SHA, 0, 1, 0, }, {0,CS(SSL_RSA_WITH_NULL_MD5), S_RSA, K_RSA, C_NULL,B_0, M_MD5, 0, 1, 0, }, diff --git a/security/nss/lib/ssl/sslproto.h b/security/nss/lib/ssl/sslproto.h index fa0639605..e7a998126 100644 --- a/security/nss/lib/ssl/sslproto.h +++ b/security/nss/lib/ssl/sslproto.h @@ -139,9 +139,9 @@ #define SSL_DH_ANON_WITH_DES_CBC_SHA 0x001a #define SSL_DH_ANON_WITH_3DES_EDE_CBC_SHA 0x001b -#define SSL_FORTEZZA_DMS_WITH_NULL_SHA 0x001c -#define SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA 0x001d -#define SSL_FORTEZZA_DMS_WITH_RC4_128_SHA 0x001e +#define SSL_FORTEZZA_DMS_WITH_NULL_SHA 0x001c /* deprecated */ +#define SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA 0x001d /* deprecated */ +#define SSL_FORTEZZA_DMS_WITH_RC4_128_SHA 0x001e /* deprecated */ /* New TLS cipher suites */ #define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F diff --git a/security/nss/lib/ssl/sslsecur.c b/security/nss/lib/ssl/sslsecur.c index 404f9a7dc..9f537a3ef 100644 --- a/security/nss/lib/ssl/sslsecur.c +++ b/security/nss/lib/ssl/sslsecur.c @@ -574,12 +574,7 @@ ssl_FindCertKEAType(CERTCertificate * cert) case SEC_OID_PKCS1_RSA_ENCRYPTION: keaType = kt_rsa; break; - case SEC_OID_MISSI_KEA_DSS_OLD: - case SEC_OID_MISSI_KEA_DSS: - case SEC_OID_MISSI_DSS_OLD: - case SEC_OID_MISSI_DSS: - keaType = kt_fortezza; - break; + case SEC_OID_X942_DIFFIE_HELMAN_KEY: keaType = kt_dh; break; diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c index 345104f1f..a0c164963 100644 --- a/security/nss/lib/ssl/sslsnce.c +++ b/security/nss/lib/ssl/sslsnce.c @@ -147,7 +147,7 @@ struct sidCacheEntryStr { /* 2 */ PRUint16 compression; /* SSL3CompressionMethod */ /*122 */ ssl3SidKeys keys; /* keys and ivs, wrapped as needed. */ -/* 1 */ PRUint8 hasFortezza; +/* 1 */ PRUint8 unused; /* was hasFortezza; */ /* 1 */ PRUint8 resumable; /* 4 */ PRUint32 masterWrapMech; @@ -442,7 +442,6 @@ ConvertFromSID(sidCacheEntry *to, sslSessionID *from) to->u.ssl3.cipherSuite = from->u.ssl3.cipherSuite; to->u.ssl3.compression = (uint16)from->u.ssl3.compression; to->u.ssl3.resumable = from->u.ssl3.resumable; - to->u.ssl3.hasFortezza = from->u.ssl3.hasFortezza; to->u.ssl3.keys = from->u.ssl3.keys; to->u.ssl3.masterWrapMech = from->u.ssl3.masterWrapMech; to->u.ssl3.exchKeyType = from->u.ssl3.exchKeyType; @@ -518,7 +517,6 @@ ConvertToSID(sidCacheEntry *from, certCacheEntry *pcce, to->u.ssl3.cipherSuite = from->u.ssl3.cipherSuite; to->u.ssl3.compression = (SSL3CompressionMethod)from->u.ssl3.compression; to->u.ssl3.resumable = from->u.ssl3.resumable; - to->u.ssl3.hasFortezza = from->u.ssl3.hasFortezza; to->u.ssl3.keys = from->u.ssl3.keys; to->u.ssl3.masterWrapMech = from->u.ssl3.masterWrapMech; to->u.ssl3.exchKeyType = from->u.ssl3.exchKeyType; @@ -544,8 +542,6 @@ ConvertToSID(sidCacheEntry *from, certCacheEntry *pcce, to->u.ssl3.clAuthSeries = 0; to->u.ssl3.clAuthValid = PR_FALSE; - to->u.ssl3.clientWriteSaveLen = 0; - if (from->u.ssl3.certIndex != -1 && pcce) { SECItem derCert; diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c index 9803eec96..2e8d73219 100644 --- a/security/nss/lib/ssl/sslsock.c +++ b/security/nss/lib/ssl/sslsock.c @@ -71,8 +71,6 @@ static cipherPolicy ssl_ciphers[] = { /* Export France */ { SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED }, { SSL_EN_DES_64_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, { SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, { SSL_RSA_WITH_RC4_128_MD5, SSL_RESTRICTED, SSL_NOT_ALLOWED }, { SSL_RSA_WITH_RC4_128_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED }, { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, @@ -81,7 +79,6 @@ static cipherPolicy ssl_ciphers[] = { /* Export France */ { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, SSL_ALLOWED }, { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, SSL_ALLOWED }, - { SSL_FORTEZZA_DMS_WITH_NULL_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, diff --git a/security/nss/lib/ssl/sslt.h b/security/nss/lib/ssl/sslt.h index 0223ee2ad..052339b7d 100644 --- a/security/nss/lib/ssl/sslt.h +++ b/security/nss/lib/ssl/sslt.h @@ -66,7 +66,7 @@ typedef enum { ssl_kea_null = 0, ssl_kea_rsa = 1, ssl_kea_dh = 2, - ssl_kea_fortezza = 3, + ssl_kea_fortezza = 3, /* deprecated, now unused */ ssl_kea_ecdh = 4, ssl_kea_size /* number of ssl_kea_ algorithms */ } SSLKEAType; @@ -79,7 +79,7 @@ typedef enum { #define kt_null ssl_kea_null #define kt_rsa ssl_kea_rsa #define kt_dh ssl_kea_dh -#define kt_fortezza ssl_kea_fortezza +#define kt_fortezza ssl_kea_fortezza /* deprecated, now unused */ #define kt_ecdh ssl_kea_ecdh #define kt_kea_size ssl_kea_size @@ -105,7 +105,7 @@ typedef enum { ssl_calg_des = 3, ssl_calg_3des = 4, ssl_calg_idea = 5, - ssl_calg_fortezza = 6, /* skipjack */ + ssl_calg_fortezza = 6, /* deprecated, now unused */ ssl_calg_aes = 7 /* coming soon */ } SSLCipherAlgorithm; diff --git a/security/nss/pkg/solaris/SUNWtlsd/prototype b/security/nss/pkg/solaris/SUNWtlsd/prototype index 6581f32f1..b742d2f9e 100755 --- a/security/nss/pkg/solaris/SUNWtlsd/prototype +++ b/security/nss/pkg/solaris/SUNWtlsd/prototype @@ -160,6 +160,4 @@ f none usr/include/mps/ssl.h 0644 root bin f none usr/include/mps/sslerr.h 0644 root bin f none usr/include/mps/sslproto.h 0644 root bin f none usr/include/mps/sslt.h 0644 root bin -f none usr/include/mps/swfort.h 0644 root bin -f none usr/include/mps/swfortt.h 0644 root bin f none usr/include/mps/watcomfx.h 0644 root bin |