authorcvs2hg <devnull@localhost>2012-03-31 15:54:05 +0000
committercvs2hg <devnull@localhost>2012-03-31 15:54:05 +0000
commitf722c12a62735d9512cfa0b21280e5ce143b2ee6 (patch)
tree1667943583d259aa78258d3449c28f4031cb49ba
parentcf9a042f0291e415ff9685cf2f67db9602c48fb9 (diff)
fixup commit for branch 'NSS_3_13_4_BRANCH'
-rw-r--r--security/nss/cmd/addbuiltin/addbuiltin.c339
-rw-r--r--security/nss/cmd/certutil/certutil.c2
-rw-r--r--security/nss/cmd/crlutil/crlutil.c75
-rw-r--r--security/nss/cmd/lib/secutil.c88
-rw-r--r--security/nss/cmd/lib/secutil.h6
-rw-r--r--security/nss/cmd/symkeyutil/symkeyutil.c2
-rw-r--r--security/nss/lib/certdb/certdb.c14
-rw-r--r--security/nss/lib/certdb/stanpcertdb.c2
-rw-r--r--security/nss/lib/certhigh/ocsp.c8
-rw-r--r--security/nss/lib/freebl/blapi.h11
-rw-r--r--security/nss/lib/freebl/blapit.h2
-rw-r--r--security/nss/lib/freebl/dh.c21
-rwxr-xr-xsecurity/nss/lib/libpkix/pkix/top/pkix_build.c2
-rw-r--r--security/nss/lib/pk11wrap/pk11auth.c2
-rw-r--r--security/nss/lib/pk11wrap/pk11merge.c2
-rw-r--r--security/nss/lib/pk11wrap/pk11sdr.c2
-rw-r--r--security/nss/lib/pkcs12/p12e.c15
-rw-r--r--security/nss/lib/pkcs7/p7create.c6
-rw-r--r--security/nss/lib/softoken/legacydb/lgcreate.c13
-rw-r--r--security/nss/lib/ssl/ssl3ext.c9
-rw-r--r--security/nss/lib/util/quickder.c69
-rw-r--r--security/nss/lib/util/secitem.c6
22 files changed, 533 insertions, 163 deletions
diff --git a/security/nss/cmd/addbuiltin/addbuiltin.c b/security/nss/cmd/addbuiltin/addbuiltin.c
index de73b5cd0..d4302e826 100644
--- a/security/nss/cmd/addbuiltin/addbuiltin.c
+++ b/security/nss/cmd/addbuiltin/addbuiltin.c
@@ -91,14 +91,115 @@ static const SEC_ASN1Template serialTemplate[] = {
{ 0 }
};
+void print_crl_info(CERTName *name, SECItem *serial)
+{
+ PRBool saveWrapeState = SECU_GetWrapEnabled();
+ SECU_EnableWrap(PR_FALSE);
+
+ SECU_PrintNameQuotesOptional(stdout, name, "# Issuer", 0, PR_FALSE);
+ printf("\n");
+
+ SECU_PrintInteger(stdout, serial, "# Serial Number", 0);
+
+ SECU_EnableWrap(saveWrapeState);
+}
+
static SECStatus
-ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust)
+ConvertCRLEntry(SECItem *sdder, PRInt32 crlentry, char *nickname)
+{
+ int rv;
+ PRArenaPool *arena = NULL;
+ CERTSignedCrl *newCrl = NULL;
+ CERTCrlEntry *entry;
+
+ CERTName *name = NULL;
+ SECItem *derName = NULL;
+ SECItem *serial = NULL;
+
+ rv = SEC_ERROR_NO_MEMORY;
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (!arena)
+ return rv;
+
+ newCrl = CERT_DecodeDERCrlWithFlags(arena, sdder, SEC_CRL_TYPE,
+ CRL_DECODE_DEFAULT_OPTIONS);
+ if (!newCrl)
+ return SECFailure;
+
+ name = &newCrl->crl.name;
+ derName = &newCrl->crl.derName;
+
+ if (newCrl->crl.entries != NULL) {
+ PRInt32 iv = 0;
+ while ((entry = newCrl->crl.entries[iv++]) != NULL) {
+ if (crlentry == iv) {
+ serial = &entry->serialNumber;
+ break;
+ }
+ }
+ }
+
+ if (!name || !derName || !serial)
+ return SECFailure;
+
+ printf("\n# Distrust \"%s\"\n",nickname);
+ print_crl_info(name, serial);
+
+ printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n");
+ printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
+ printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
+ printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
+ printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
+
+ printf("CKA_ISSUER MULTILINE_OCTAL\n");
+ dumpbytes(derName->data,derName->len);
+ printf("END\n");
+ printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
+ printf("\\002\\%03o", serial->len); /* 002: type integer; len >=3 digits */
+ dumpbytes(serial->data,serial->len);
+ printf("END\n");
+
+ printf("CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED\n");
+ printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED\n");
+ printf("CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED\n");
+ printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE\n");
+
+ PORT_FreeArena (arena, PR_FALSE);
+ return rv;
+}
+
+void print_info(SECItem *sdder, CERTCertificate *c)
+{
+ PRBool saveWrapeState = SECU_GetWrapEnabled();
+ SECU_EnableWrap(PR_FALSE);
+
+ SECU_PrintNameQuotesOptional(stdout, &c->issuer, "# Issuer", 0, PR_FALSE);
+ printf("\n");
+
+ SECU_PrintInteger(stdout, &c->serialNumber, "# Serial Number", 0);
+
+ SECU_PrintNameQuotesOptional(stdout, &c->subject, "# Subject", 0, PR_FALSE);
+ printf("\n");
+
+ SECU_PrintTimeChoice(stdout, &c->validity.notBefore, "# Not Valid Before", 0);
+ SECU_PrintTimeChoice(stdout, &c->validity.notAfter, "# Not Valid After ", 0);
+
+ SECU_PrintFingerprints(stdout, sdder, "# Fingerprint", 0);
+
+ SECU_EnableWrap(saveWrapeState);
+}
+
+static SECStatus
+ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust,
+ PRBool excludeCert, PRBool excludeHash)
{
SECStatus rv = SECSuccess;
CERTCertificate *cert;
unsigned char sha1_hash[SHA1_LENGTH];
unsigned char md5_hash[MD5_LENGTH];
SECItem *serial = NULL;
+ PRBool step_up = PR_FALSE;
+ const char *trust_info;
cert = CERT_DecodeDERCertificate(sdder, PR_FALSE, nickname);
if (!cert) {
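Review bot: ConvertCRLEntry returns SEC_ERROR_NO_MEMORY on its success path, because `rv` is set to that value before the arena allocation and is never reassigned before the final `return rv;`. The function is declared SECStatus, so the last statement should be `return SECSuccess;`, and the allocation failure should call `PORT_SetError(SEC_ERROR_NO_MEMORY)` and `return SECFailure;`. The two `return SECFailure;` exits taken after the arena exists (decode failure, entry not found) skip `PORT_FreeArena(arena, PR_FALSE)`. DumpCRL in crlutil.c, added by this commit, has the same return-value and arena pattern. Separately, `printf("\\002\\%03o", serial->len)` writes a single DER length octet, so a serial of 128 bytes or more from the input CRL would yield a malformed CKA_SERIAL_NUMBER; rejecting `serial->len > 127` before printing would keep the record well-formed.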
@@ -108,42 +209,56 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust)
if (!serial) {
return SECFailure;
}
+
+ if (!excludeCert) {
+ printf("\n#\n# Certificate \"%s\"\n#\n",nickname);
+ print_info(sdder, cert);
+ printf("CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n");
+ printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
+ printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
+ printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
+ printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
+ printf("CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n");
+ printf("CKA_SUBJECT MULTILINE_OCTAL\n");
+ dumpbytes(cert->derSubject.data,cert->derSubject.len);
+ printf("END\n");
+ printf("CKA_ID UTF8 \"0\"\n");
+ printf("CKA_ISSUER MULTILINE_OCTAL\n");
+ dumpbytes(cert->derIssuer.data,cert->derIssuer.len);
+ printf("END\n");
+ printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
+ dumpbytes(serial->data,serial->len);
+ printf("END\n");
+ printf("CKA_VALUE MULTILINE_OCTAL\n");
+ dumpbytes(sdder->data,sdder->len);
+ printf("END\n");
+ }
+
+ if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags)
+ == CERTDB_TERMINAL_RECORD)
+ trust_info = "Distrust";
+ else
+ trust_info = "Trust for";
+
+ printf("\n# %s \"%s\"\n", trust_info, nickname);
+ print_info(sdder, cert);
- printf("\n#\n# Certificate \"%s\"\n#\n",nickname);
- printf("CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n");
- printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
- printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
- printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
- printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
- printf("CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n");
- printf("CKA_SUBJECT MULTILINE_OCTAL\n");
- dumpbytes(cert->derSubject.data,cert->derSubject.len);
- printf("END\n");
- printf("CKA_ID UTF8 \"0\"\n");
- printf("CKA_ISSUER MULTILINE_OCTAL\n");
- dumpbytes(cert->derIssuer.data,cert->derIssuer.len);
- printf("END\n");
- printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
- dumpbytes(serial->data,serial->len);
- printf("END\n");
- printf("CKA_VALUE MULTILINE_OCTAL\n");
- dumpbytes(sdder->data,sdder->len);
- printf("END\n");
-
- PK11_HashBuf(SEC_OID_SHA1, sha1_hash, sdder->data, sdder->len);
- PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len);
- printf("\n# Trust for Certificate \"%s\"\n",nickname);
printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n");
printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
printf("CKA_LABEL UTF8 \"%s\"\n",nickname);
- printf("CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n");
- dumpbytes(sha1_hash,SHA1_LENGTH);
- printf("END\n");
- printf("CKA_CERT_MD5_HASH MULTILINE_OCTAL\n");
- dumpbytes(md5_hash,MD5_LENGTH);
- printf("END\n");
+
+ if (!excludeHash) {
+ PK11_HashBuf(SEC_OID_SHA1, sha1_hash, sdder->data, sdder->len);
+ printf("CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n");
+ dumpbytes(sha1_hash,SHA1_LENGTH);
+ printf("END\n");
+ PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len);
+ printf("CKA_CERT_MD5_HASH MULTILINE_OCTAL\n");
+ dumpbytes(md5_hash,MD5_LENGTH);
+ printf("END\n");
+ }
printf("CKA_ISSUER MULTILINE_OCTAL\n");
dumpbytes(cert->derIssuer.data,cert->derIssuer.len);
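Review bot: The rule that a hashless trust record is only acceptable for distrust is not enforced inside ConvertCertificate; the `if (!excludeHash)` block simply omits both hashes whatever the trust flags are. The only guard is a separate test in main, which repeats the same `(sslFlags | emailFlags | objectSigningFlags) == CERTDB_TERMINAL_RECORD` expression used here for `trust_info`. Computing it once, for example `PRBool distrust = (trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) == CERTDB_TERMINAL_RECORD;`, and adding `if (excludeHash && !distrust) return SECFailure;` would keep the label and the check from drifting apart. A comment on the `excludeHash` parameter should say that the resulting record matches any certificate with this issuer and serial. The function starts and ends outside this hunk.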
@@ -153,11 +268,11 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust)
printf("END\n");
printf("CKA_TRUST_SERVER_AUTH CK_TRUST %s\n",
- getTrustString(trust->sslFlags));
+ getTrustString(trust->sslFlags));
printf("CKA_TRUST_EMAIL_PROTECTION CK_TRUST %s\n",
- getTrustString(trust->emailFlags));
+ getTrustString(trust->emailFlags));
printf("CKA_TRUST_CODE_SIGNING CK_TRUST %s\n",
- getTrustString(trust->objectSigningFlags));
+ getTrustString(trust->objectSigningFlags));
#ifdef notdef
printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NSS_TRUSTED\n");
printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
@@ -167,10 +282,10 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust)
printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
#endif
+
+ step_up = (trust->sslFlags & CERTDB_GOVT_APPROVED_CA);
printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL %s\n",
- trust->sslFlags & CERTDB_GOVT_APPROVED_CA ?
- "CK_TRUE" : "CK_FALSE");
-
+ step_up ? "CK_TRUE" : "CK_FALSE");
PORT_Free(sdder->data);
return(rv);
@@ -285,41 +400,71 @@ void printheader() {
static void Usage(char *progName)
{
- fprintf(stderr, "%s -n nickname -t trust [-i certfile]\n", progName);
+ fprintf(stderr, "%s -t trust -n nickname [-i certfile] [-c] [-h]\n", progName);
fprintf(stderr,
"\tRead a der-encoded cert from certfile or stdin, and output\n"
"\tit to stdout in a format suitable for the builtin root module.\n"
- "\tExample: %s -n MyCA -t \"C,C,C\" -i myca.der >> certdata.txt\n"
- "\t(pipe through atob if the cert is b64-encoded)\n", progName);
- fprintf(stderr, "%-15s nickname to assign to builtin cert.\n",
- "-n nickname");
+ "\tExample: %s -n MyCA -t \"C,C,C\" -i myca.der >> certdata.txt\n",
+ progName);
+ fprintf(stderr, "%s -D -n label [-i certfile]\n", progName);
+ fprintf(stderr,
+ "\tRead a der-encoded cert from certfile or stdin, and output\n"
+ "\ta distrust record.\n"
+ "\t(-D is equivalent to -t p,p,p -c -h)\n");
+ fprintf(stderr, "%s -C -e crl-entry-number -n label [-i crlfile]\n", progName);
+ fprintf(stderr,
+ "\tRead a CRL from crlfile or stdin, and output\n"
+ "\ta distrust record (issuer+serial).\n"
+ "\t(-C implies -c -h)\n");
fprintf(stderr, "%-15s trust flags (cCTpPuw).\n", "-t trust");
- fprintf(stderr, "%-15s file to read (default stdin)\n", "-i certfile");
+ fprintf(stderr, "%-15s nickname to assign to builtin cert, or\n",
+ "-n nickname");
+ fprintf(stderr, "%-15s a label for the distrust record.\n", "");
+ fprintf(stderr, "%-15s exclude the certificate (only add a trust record)\n", "-c");
+ fprintf(stderr, "%-15s exclude hash from trust record\n", "-h");
+ fprintf(stderr, "%-15s (useful to distrust any matching issuer/serial)\n", "");
+ fprintf(stderr, "%-15s (not allowed when adding positive trust)\n", "");
+ fprintf(stderr, "%-15s a CRL entry number, as shown by \"crlutil -S\"\n", "-e");
+ fprintf(stderr, "%-15s input file to read (default stdin)\n", "-i file");
+ fprintf(stderr, "%-15s (pipe through atob if the cert is b64-encoded)\n", "");
exit(-1);
}
enum {
opt_Input = 0,
opt_Nickname,
- opt_Trust
+ opt_Trust,
+ opt_Distrust,
+ opt_ExcludeCert,
+ opt_ExcludeHash,
+ opt_DistrustCRL,
+ opt_CRLEnry
};
static secuCommandFlag addbuiltin_options[] =
{
- { /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE },
- { /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE },
- { /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE }
+ { /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE },
+ { /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE },
+ { /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE },
+ { /* opt_Distrust */ 'D', PR_FALSE, 0, PR_FALSE },
+ { /* opt_ExcludeCert */ 'c', PR_FALSE, 0, PR_FALSE },
+ { /* opt_ExcludeHash */ 'h', PR_FALSE, 0, PR_FALSE },
+ { /* opt_DistrustCRL */ 'C', PR_FALSE, 0, PR_FALSE },
+ { /* opt_CRLEnry */ 'e', PR_TRUE, 0, PR_FALSE },
};
int main(int argc, char **argv)
{
SECStatus rv;
- char *nickname;
- char *trusts;
+ char *nickname = NULL;
+ char *trusts = NULL;
char *progName;
PRFileDesc *infile;
CERTCertTrust trust = { 0 };
- SECItem derCert = { 0 };
+ SECItem derItem = { 0 };
+ PRInt32 crlentry = 0;
+ PRInt32 mutuallyExclusiveOpts = 0;
+ PRBool decodeTrust = PR_FALSE;
secuCommand addbuiltin = { 0 };
addbuiltin.numOptions = sizeof(addbuiltin_options)/sizeof(secuCommandFlag);
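Review bot: The new enum constant `opt_CRLEnry` is misspelled, and the spelling is repeated in the `addbuiltin_options` comment and in the option checks of the next hunk; `opt_CRLEntry` would read correctly and is easier to grep for. The same applies to the local `saveWrapeState` in print_crl_info and print_info (`saveWrapState`). Using `-h` for "exclude hash" also departs from the usual meaning of that flag, so a short comment on the table row, such as `/* -h: omit SHA1/MD5 from the trust record, not "help" */`, would help the next reader.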
@@ -332,12 +477,40 @@ int main(int argc, char **argv)
if (rv != SECSuccess)
Usage(progName);
+
+ if (addbuiltin.options[opt_Trust].activated)
+ ++mutuallyExclusiveOpts;
+ if (addbuiltin.options[opt_Distrust].activated)
+ ++mutuallyExclusiveOpts;
+ if (addbuiltin.options[opt_DistrustCRL].activated)
+ ++mutuallyExclusiveOpts;
+
+ if (mutuallyExclusiveOpts != 1) {
+ fprintf(stderr, "%s: you must specify exactly one of -t or -D or -C\n",
+ progName);
+ Usage(progName);
+ }
+
+ if (addbuiltin.options[opt_DistrustCRL].activated) {
+ if (!addbuiltin.options[opt_CRLEnry].activated) {
+ fprintf(stderr, "%s: you must specify the CRL entry number.\n",
+ progName);
+ Usage(progName);
+ }
+ else {
+ crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg);
+ if (crlentry < 1) {
+ fprintf(stderr, "%s: The CRL entry number must be > 0.\n",
+ progName);
+ Usage(progName);
+ }
+ }
+ }
- if (!addbuiltin.options[opt_Nickname].activated &&
- !addbuiltin.options[opt_Trust].activated) {
- fprintf(stderr, "%s: you must specify both a nickname and trust.\n",
- progName);
- Usage(progName);
+ if (!addbuiltin.options[opt_Nickname].activated) {
+ fprintf(stderr, "%s: you must specify parameter -n (a nickname or a label).\n",
+ progName);
+ Usage(progName);
}
if (addbuiltin.options[opt_Input].activated) {
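Review bot: The CRL entry number is parsed with `atoi`, which cannot report errors: `-e 12abc` is accepted as 12 and an out-of-range value has undefined behaviour. Since the number selects which serial ends up in a distrust record, it should be parsed strictly with `strtol`, rejecting trailing characters and values outside 1..PR_INT32_MAX, as sketched below (this may need `<errno.h>` if the file does not already include it). The hunk also accepts `-e` without `-C` and silently ignores it; rejecting that combination would catch operator mistakes. main begins and continues outside this hunk.

```c
    if (addbuiltin.options[opt_DistrustCRL].activated) {
        /* … unchanged: error when -e is missing … */
        else {
            const char *arg = addbuiltin.options[opt_CRLEnry].arg;
            char *end = NULL;
            long val;

            errno = 0;
            val = strtol(arg, &end, 10);
            if (errno != 0 || end == arg || *end != '\0' ||
                val < 1 || val > PR_INT32_MAX) {
                fprintf(stderr, "%s: The CRL entry number must be > 0.\n",
                        progName);
                Usage(progName);
            }
            crlentry = (PRInt32)val;
        }
```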
@@ -365,24 +538,56 @@ int main(int argc, char **argv)
}
nickname = strdup(addbuiltin.options[opt_Nickname].arg);
- trusts = strdup(addbuiltin.options[opt_Trust].arg);
-
+
NSS_NoDB_Init(NULL);
- rv = CERT_DecodeTrustString(&trust, trusts);
- if (rv) {
- fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
- Usage(progName);
+ if (addbuiltin.options[opt_Distrust].activated ||
+ addbuiltin.options[opt_DistrustCRL].activated) {
+ addbuiltin.options[opt_ExcludeCert].activated = PR_TRUE;
+ addbuiltin.options[opt_ExcludeHash].activated = PR_TRUE;
+ }
+
+ if (addbuiltin.options[opt_Distrust].activated) {
+ trusts = strdup("p,p,p");
+ decodeTrust = PR_TRUE;
+ }
+ else if (addbuiltin.options[opt_Trust].activated) {
+ trusts = strdup(addbuiltin.options[opt_Trust].arg);
+ decodeTrust = PR_TRUE;
+ }
+
+ if (decodeTrust) {
+ rv = CERT_DecodeTrustString(&trust, trusts);
+ if (rv) {
+ fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
+ Usage(progName);
+ }
+ }
+
+ if (addbuiltin.options[opt_Trust].activated &&
+ addbuiltin.options[opt_ExcludeHash].activated) {
+ if ((trust.sslFlags | trust.emailFlags | trust.objectSigningFlags)
+ != CERTDB_TERMINAL_RECORD) {
+ fprintf(stderr, "%s: Excluding the hash only allowed with distrust.\n", progName);
+ Usage(progName);
+ }
}
- SECU_FileToItem(&derCert, infile);
+ SECU_FileToItem(&derItem, infile);
/*printheader();*/
-
- rv = ConvertCertificate(&derCert, nickname, &trust);
- if (rv) {
- fprintf(stderr, "%s: failed to convert certificate.\n", progName);
- exit(1);
+
+ if (addbuiltin.options[opt_DistrustCRL].activated) {
+ rv = ConvertCRLEntry(&derItem, crlentry, nickname);
+ }
+ else {
+ rv = ConvertCertificate(&derItem, nickname, &trust,
+ addbuiltin.options[opt_ExcludeCert].activated,
+ addbuiltin.options[opt_ExcludeHash].activated);
+ if (rv) {
+ fprintf(stderr, "%s: failed to convert certificate.\n", progName);
+ exit(1);
+ }
}
if (NSS_Shutdown() != SECSuccess) {
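Review bot: The result of `ConvertCRLEntry` is never examined, because the `if (rv)` failure report and `exit(1)` sit inside the `else` branch and only cover `ConvertCertificate`. A CRL that fails to decode, or an entry number beyond the end of the list, therefore produces no distrust record and no error. Moving the `if (rv) { ... exit(1); }` block below the if/else, with a message that fits both cases such as `"%s: failed to convert input.\n"`, would cover both paths. The new `strdup("p,p,p")` and `strdup(...opt_Trust].arg)` results are also passed to `CERT_DecodeTrustString` without a NULL check. main continues outside this hunk.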
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
index 09514fb97..88e403767 100644
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -1171,7 +1171,7 @@ static void luC(enum usage_level ul, const char *command)
"%-20s Create netscape cert type extension. Possible keywords:\n"
"%-20s \"sslClient\", \"sslServer\", \"smime\", \"objectSigning\",\n"
"%-20s \"sslCA\", \"smimeCA\", \"objectSigningCA\", \"critical\".\n",
- " -5 | -nsCertType keyword,keyword,... ", "", "", "");
+ " -5 | --nsCertType keyword,keyword,... ", "", "", "");
FPS "%-20s \n"
"%-20s Create extended key usage extension. Possible keywords:\n"
"%-20s \"serverAuth\", \"clientAuth\",\"codeSigning\",\n"
diff --git a/security/nss/cmd/crlutil/crlutil.c b/security/nss/cmd/crlutil/crlutil.c
index 8f6b768e9..38dd484cc 100644
--- a/security/nss/cmd/crlutil/crlutil.c
+++ b/security/nss/cmd/crlutil/crlutil.c
@@ -313,6 +313,37 @@ SECStatus ImportCRL (CERTCertDBHandle *certHandle, char *url, int type,
return (rv);
}
+SECStatus DumpCRL(PRFileDesc *inFile)
+{
+ int rv;
+ PRArenaPool *arena = NULL;
+ CERTSignedCrl *newCrl = NULL;
+
+ SECItem crlDER;
+ crlDER.data = NULL;
+
+ /* Read in the entire file specified with the -f argument */
+ rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "unable to read input file");
+ return (SECFailure);
+ }
+
+ rv = SEC_ERROR_NO_MEMORY;
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (!arena)
+ return rv;
+
+ newCrl = CERT_DecodeDERCrlWithFlags(arena, &crlDER, SEC_CRL_TYPE,
+ CRL_DECODE_DEFAULT_OPTIONS);
+ if (!newCrl)
+ return SECFailure;
+
+ SECU_PrintCRLInfo (stdout, &newCrl->crl, "CRL file contents", 0);
+
+ PORT_FreeArena (arena, PR_FALSE);
+ return rv;
+}
static CERTCertificate*
FindSigningCert(CERTCertDBHandle *certHandle, CERTSignedCrl *signCrl,
@@ -756,6 +787,7 @@ static void Usage(char *progName)
fprintf(stderr,
"Usage: %s -L [-n nickname] [-d keydir] [-P dbprefix] [-t crlType]\n"
" %s -D -n nickname [-d keydir] [-P dbprefix]\n"
+ " %s -S -i crl\n"
" %s -I -i crl -t crlType [-u url] [-d keydir] [-P dbprefix] [-B] "
"[-p pwd-file] -w [pwd-string]\n"
" %s -E -t crlType [-d keydir] [-P dbprefix]\n"
@@ -763,7 +795,7 @@ static void Usage(char *progName)
" %s -G|-M -c crl-init-file -n nickname [-i crl] [-u url] "
"[-d keydir] [-P dbprefix] [-Z alg] ] [-p pwd-file] -w [pwd-string] "
"[-a] [-B]\n",
- progName, progName, progName, progName, progName, progName);
+ progName, progName, progName, progName, progName, progName, progName);
fprintf (stderr, "%-15s List CRL\n", "-L");
fprintf(stderr, "%-20s Specify the nickname of the CA certificate\n",
@@ -788,6 +820,10 @@ static void Usage(char *progName)
"-d keydir");
fprintf(stderr, "%-20s Cert & Key database prefix (default is \"\")\n",
"-P dbprefix");
+
+ fprintf (stderr, "%-15s Show contents of a CRL file (without database)\n", "-S");
+ fprintf(stderr, "%-20s Specify the file which contains the CRL to show\n",
+ "-i crl");
fprintf (stderr, "%-15s Import a CRL to the cert database\n", "-I");
fprintf(stderr, "%-20s Specify the file which contains the CRL to import\n",
@@ -835,15 +871,14 @@ static void Usage(char *progName)
int main(int argc, char **argv)
{
- SECItem privKeyDER;
CERTCertDBHandle *certHandle;
- FILE *certFile;
PRFileDesc *inFile;
PRFileDesc *inCrlInitFile = NULL;
int generateCRL;
int modifyCRL;
int listCRL;
int importCRL;
+ int showFileCRL;
int deleteCRL;
int rv;
char *nickName;
@@ -872,17 +907,15 @@ int main(int argc, char **argv)
progName = progName ? progName+1 : argv[0];
rv = 0;
- deleteCRL = importCRL = listCRL = generateCRL = modifyCRL = 0;
- certFile = NULL;
+ deleteCRL = importCRL = listCRL = generateCRL = modifyCRL = showFileCRL = 0;
inFile = NULL;
nickName = url = NULL;
- privKeyDER.data = NULL;
certHandle = NULL;
crlType = SEC_CRL_TYPE;
/*
* Parse command line arguments
*/
- optstate = PL_CreateOptState(argc, argv, "sqBCDGILMTEP:f:d:i:h:n:p:t:u:r:aZ:o:c:");
+ optstate = PL_CreateOptState(argc, argv, "sqBCDGILMSTEP:f:d:i:h:n:p:t:u:r:aZ:o:c:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
@@ -916,6 +949,10 @@ int main(int argc, char **argv)
case 'I':
importCRL = 1;
break;
+
+ case 'S':
+ showFileCRL = 1;
+ break;
case 'C':
case 'L':
@@ -1015,12 +1052,13 @@ int main(int argc, char **argv)
if (deleteCRL && !nickName) Usage (progName);
if (importCRL && !inFile) Usage (progName);
+ if (showFileCRL && !inFile) Usage (progName);
if ((generateCRL && !nickName) ||
(modifyCRL && !inFile && !nickName)) Usage (progName);
- if (!(listCRL || deleteCRL || importCRL || generateCRL ||
+ if (!(listCRL || deleteCRL || importCRL || showFileCRL || generateCRL ||
modifyCRL || test || erase)) Usage (progName);
- if (listCRL) {
+ if (listCRL || showFileCRL) {
readonly = PR_TRUE;
}
@@ -1028,12 +1066,18 @@ int main(int argc, char **argv)
PK11_SetPasswordFunc(SECU_GetModulePassword);
- secstatus = NSS_Initialize(SECU_ConfigDirectory(NULL), dbPrefix, dbPrefix,
- "secmod.db", readonly ? NSS_INIT_READONLY : 0);
- if (secstatus != SECSuccess) {
- SECU_PrintPRandOSError(progName);
- return -1;
+ if (showFileCRL) {
+ NSS_NoDB_Init(NULL);
+ }
+ else {
+ secstatus = NSS_Initialize(SECU_ConfigDirectory(NULL), dbPrefix, dbPrefix,
+ "secmod.db", readonly ? NSS_INIT_READONLY : 0);
+ if (secstatus != SECSuccess) {
+ SECU_PrintPRandOSError(progName);
+ return -1;
+ }
}
+
SECU_RegisterDynamicOids();
certHandle = CERT_GetDefaultCertDB();
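Review bot: The return value of `NSS_NoDB_Init(NULL)` is discarded in the new `showFileCRL` branch, while the `NSS_Initialize` path next to it checks `secstatus` and exits on failure. Assigning it the same way, `secstatus = NSS_NoDB_Init(NULL);`, and moving the `if (secstatus != SECSuccess)` block below the if/else would cover both initialisation paths. main continues outside this hunk.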
@@ -1056,6 +1100,9 @@ int main(int argc, char **argv)
else if (importCRL) {
rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
decodeOptions, &pwdata);
+ }
+ else if (showFileCRL) {
+ rv = DumpCRL (inFile);
} else if (generateCRL || modifyCRL) {
if (!inCrlInitFile)
inCrlInitFile = PR_STDIN;
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
index 0c52a647c..e6a54e853 100644
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -86,6 +86,19 @@ static char consoleName[] = {
#include "nssutil.h"
#include "ssl.h"
+static PRBool wrapEnabled = PR_TRUE;
+
+void
+SECU_EnableWrap(PRBool enable)
+{
+ wrapEnabled = enable;
+}
+
+PRBool
+SECU_GetWrapEnabled()
+{
+ return wrapEnabled;
+}
void
SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...)
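Review bot: `SECU_GetWrapEnabled()` is defined with an empty parameter list, which in C leaves the arguments unchecked; it should be `SECU_GetWrapEnabled(void)` here and in the secutil.h prototype added by this commit. `wrapEnabled` is file-scope state consulted by every printer touched in this file, so it deserves a comment on the declaration, for example `/* Process-wide output mode; not thread-safe. Callers that disable wrapping must restore the previous value. */`.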
@@ -789,11 +802,15 @@ SECU_PrintAsHex(FILE *out, SECItem *data, const char *m, int level)
unsigned int limit = 15;
if ( m ) {
- SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+ SECU_Indent(out, level); fprintf(out, "%s:", m);
level++;
+ if (wrapEnabled)
+ fprintf(out, "\n");
+ }
+
+ if (wrapEnabled) {
+ SECU_Indent(out, level); column = level*INDENT_MULT;
}
-
- SECU_Indent(out, level); column = level*INDENT_MULT;
if (!data->len) {
fprintf(out, "(empty)\n");
return;
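Review bot: With wrapping disabled, `column` is no longer assigned before the loop, since the `column = level*INDENT_MULT;` assignment now lives inside `if (wrapEnabled)`. The later `column += 2` and similar updates still run in that mode, so they would read an indeterminate value unless the declaration, which is outside this hunk, initialises it. Keeping the assignment unconditional and guarding only the indent avoids that: `if (wrapEnabled) SECU_Indent(out, level);` followed by `column = level*INDENT_MULT;`.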
@@ -826,7 +843,8 @@ SECU_PrintAsHex(FILE *out, SECItem *data, const char *m, int level)
column += 2;
break;
}
- if (column > 76 || (i % 16 == limit)) {
+ if (wrapEnabled &&
+ (column > 76 || (i % 16 == limit))) {
secu_Newline(out);
SECU_Indent(out, level);
column = level*INDENT_MULT;
@@ -849,7 +867,7 @@ SECU_PrintAsHex(FILE *out, SECItem *data, const char *m, int level)
} else {
column = 77;
}
- if (column > 76) {
+ if (wrapEnabled && column > 76) {
secu_Newline(out);
SECU_Indent(out, level); column = level*INDENT_MULT;
}
@@ -975,7 +993,8 @@ SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level)
}
static void
-secu_PrintRawString(FILE *out, SECItem *si, const char *m, int level)
+secu_PrintRawStringQuotesOptional(FILE *out, SECItem *si, const char *m,
+ int level, PRBool quotes)
{
int column;
unsigned int i;
@@ -988,11 +1007,13 @@ secu_PrintRawString(FILE *out, SECItem *si, const char *m, int level)
SECU_Indent(out, level);
column = level*INDENT_MULT;
}
- fprintf(out, "\""); column++;
+ if (quotes) {
+ fprintf(out, "\""); column++;
+ }
for (i = 0; i < si->len; i++) {
unsigned char val = si->data[i];
- if (column > 76) {
+ if (wrapEnabled && column > 76) {
secu_Newline(out);
SECU_Indent(out, level); column = level*INDENT_MULT;
}
@@ -1000,12 +1021,21 @@ secu_PrintRawString(FILE *out, SECItem *si, const char *m, int level)
fprintf(out,"%c", printable[val]); column++;
}
- fprintf(out, "\""); column++;
- if (column != level*INDENT_MULT || column > 76) {
+ if (quotes) {
+ fprintf(out, "\""); column++;
+ }
+ if (wrapEnabled &&
+ (column != level*INDENT_MULT || column > 76)) {
secu_Newline(out);
}
}
+static void
+secu_PrintRawString(FILE *out, SECItem *si, const char *m, int level)
+{
+ secu_PrintRawStringQuotesOptional(out, si, m, level, PR_TRUE);
+}
+
void
SECU_PrintString(FILE *out, SECItem *si, char *m, int level)
{
@@ -2409,7 +2439,8 @@ SECU_PrintRDN(FILE *out, CERTRDN *rdn, const char *msg, int level)
}
void
-SECU_PrintName(FILE *out, CERTName *name, const char *msg, int level)
+SECU_PrintNameQuotesOptional(FILE *out, CERTName *name, const char *msg,
+ int level, PRBool quotes)
{
char *nameStr = NULL;
char *str;
@@ -2430,7 +2461,7 @@ SECU_PrintName(FILE *out, CERTName *name, const char *msg, int level)
my.data = (unsigned char *)str;
my.len = PORT_Strlen(str);
#if 1
- secu_PrintRawString(out, &my, msg, level);
+ secu_PrintRawStringQuotesOptional(out, &my, msg, level, quotes);
#else
SECU_Indent(out, level); fprintf(out, "%s: ", msg);
fprintf(out, str);
@@ -2440,6 +2471,12 @@ SECU_PrintName(FILE *out, CERTName *name, const char *msg, int level)
}
void
+SECU_PrintName(FILE *out, CERTName *name, const char *msg, int level)
+{
+ SECU_PrintNameQuotesOptional(out, name, msg, level, PR_TRUE);
+}
+
+void
printflags(char *trusts, unsigned int flags)
{
if (flags & CERTDB_VALID_CA)
@@ -2753,8 +2790,15 @@ SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, int level)
fpItem.data = fingerprint;
fpItem.len = MD5_LENGTH;
fpStr = CERT_Hexify(&fpItem, 1);
- SECU_Indent(out, level); fprintf(out, "%s (MD5):\n", m);
- SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr);
+ SECU_Indent(out, level); fprintf(out, "%s (MD5):", m);
+ if (wrapEnabled) {
+ fprintf(out, "\n");
+ SECU_Indent(out, level+1);
+ }
+ else {
+ fprintf(out, " ");
+ }
+ fprintf(out, "%s\n", fpStr);
PORT_Free(fpStr);
fpStr = NULL;
if (rv != SECSuccess && !err)
@@ -2766,10 +2810,18 @@ SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, int level)
fpItem.data = fingerprint;
fpItem.len = SHA1_LENGTH;
fpStr = CERT_Hexify(&fpItem, 1);
- SECU_Indent(out, level); fprintf(out, "%s (SHA1):\n", m);
- SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr);
+ SECU_Indent(out, level); fprintf(out, "%s (SHA1):", m);
+ if (wrapEnabled) {
+ fprintf(out, "\n");
+ SECU_Indent(out, level+1);
+ }
+ else {
+ fprintf(out, " ");
+ }
+ fprintf(out, "%s\n", fpStr);
PORT_Free(fpStr);
- fprintf(out, "\n");
+ if (wrapEnabled)
+ fprintf(out, "\n");
if (err)
PORT_SetError(err);
@@ -2907,7 +2959,7 @@ SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level)
if (crl->entries != NULL) {
iv = 0;
while ((entry = crl->entries[iv++]) != NULL) {
- sprintf(om, "Entry (%x):\n", iv);
+ sprintf(om, "Entry %d (0x%x):\n", iv, iv);
SECU_Indent(out, level + 1); fputs(om, out);
SECU_PrintInteger(out, &(entry->serialNumber), "Serial Number",
level + 2);
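Review bot: The new format `"Entry %d (0x%x):\n"` can produce up to about 33 bytes including the terminator, noticeably more than the old `"Entry (%x):\n"`, and it is still written with an unbounded `sprintf` into `om`. The size of `om` is declared outside this hunk, so it should be confirmed to be large enough, or the call bounded: `PR_snprintf(om, sizeof om, "Entry %d (0x%x):\n", iv, iv);` (assuming `om` is an array, not a pointer). The type of `iv` is likewise not visible here and should match `%d`/`%x`.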
diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h
index b611028e4..16e6a6638 100644
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -168,6 +168,9 @@ SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
struct CERTCertificateStr **pRetCert,
struct SECKEYPrivateKeyStr **pRetKey);
+extern PRBool SECU_GetWrapEnabled();
+extern void SECU_EnableWrap(PRBool enable);
+
/* print out an error message */
extern void SECU_PrintError(char *progName, char *msg, ...);
@@ -313,6 +316,9 @@ extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value,
extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
char *msg, int level);
+extern void SECU_PrintNameQuotesOptional(FILE *out, CERTName *name,
+ const char *msg, int level,
+ PRBool quotes);
extern void SECU_PrintName(FILE *out, CERTName *name, const char *msg,
int level);
extern void SECU_PrintRDN(FILE *out, CERTRDN *rdn, const char *msg, int level);
diff --git a/security/nss/cmd/symkeyutil/symkeyutil.c b/security/nss/cmd/symkeyutil/symkeyutil.c
index 100834318..0d70643a9 100644
--- a/security/nss/cmd/symkeyutil/symkeyutil.c
+++ b/security/nss/cmd/symkeyutil/symkeyutil.c
@@ -750,7 +750,7 @@ main(int argc, char **argv)
/* -P certdb name prefix */
if (symKeyUtil.options[opt_dbPrefix].activated)
- certPrefix = strdup(symKeyUtil.options[opt_dbPrefix].arg);
+ certPrefix = symKeyUtil.options[opt_dbPrefix].arg;
/* Check number of commands entered. */
commandsEntered = 0;
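Review bot: `certPrefix` now aliases the option argument instead of owning a `strdup` copy, so any later `free`/`PORT_Free` of `certPrefix` would free memory it does not own. The rest of main is outside this hunk, so confirm no cleanup path releases it. A comment on the assignment would record the ownership, e.g. `/* borrowed from the option table; do not free */`.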
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 413615fae..63b153688 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -596,6 +596,20 @@ cert_ComputeCertType(CERTCertificate *cert)
nsCertType |= NS_CERT_TYPE_SSL_SERVER;
}
}
+ /*
+ * Treat certs with step-up OID as also having SSL server type.
+ * COMODO needs this behaviour until June 2020. See Bug 737802.
+ */
+ if (findOIDinOIDSeqByTagNum(extKeyUsage,
+ SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) ==
+ SECSuccess){
+ if (basicConstraintPresent == PR_TRUE &&
+ (basicConstraint.isCA)) {
+ nsCertType |= NS_CERT_TYPE_SSL_CA;
+ } else {
+ nsCertType |= NS_CERT_TYPE_SSL_SERVER;
+ }
+ }
if (findOIDinOIDSeqByTagNum(extKeyUsage,
SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) ==
SECSuccess){
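Review bot: The added block makes any certificate carrying the step-up OID in its extended key usage count as an SSL server or SSL CA certificate, and nothing in the code limits this to the issuer or the June 2020 date the comment names. That widens what the library accepts for every issuer, so the comment should at least say that the exception is global and carry a removal marker, for example `/* XXX remove after June 2020 (Bug 737802); applies to all issuers, not only COMODO */`. The body is also a copy of the serverAuth branch just above it; folding both OID tests into one condition would keep the two from diverging. cert_ComputeCertType begins and ends outside this hunk.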
diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c
index 521857111..0d3a31fe4 100644
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -631,7 +631,7 @@ CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert)
static CERTCertificate *
common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
- char *name,
+ const char *name,
PRBool anyUsage,
SECCertUsage lookingForUsage)
{
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
index df26ea290..bc84311a3 100644
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -2700,10 +2700,10 @@ ocsp_GetResponseSignature(CERTOCSPResponse *response)
if (NULL == response->responseBytes) {
return NULL;
}
- PORT_Assert(response->responseBytes != NULL);
- PORT_Assert(response->responseBytes->responseTypeTag
- == SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
-
+ if (response->responseBytes->responseTypeTag
+ != SEC_OID_PKIX_OCSP_BASIC_RESPONSE) {
+ return NULL;
+ }
basic = response->responseBytes->decodedResponse.basic;
PORT_Assert(basic != NULL);
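Review bot: The remaining `PORT_Assert(basic != NULL);` has the same weakness the hunk just fixed for the response type: assertions are compiled out of optimised builds, so a response whose `decodedResponse.basic` is NULL would proceed past this line. Given that the data comes from a network OCSP response, a runtime check `if (basic == NULL) return NULL;` would be consistent with the two checks above it. How `basic` is used afterwards is outside this hunk.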
diff --git a/security/nss/lib/freebl/blapi.h b/security/nss/lib/freebl/blapi.h
index 7fa71a567..635eddd10 100644
--- a/security/nss/lib/freebl/blapi.h
+++ b/security/nss/lib/freebl/blapi.h
@@ -212,8 +212,13 @@ extern SECStatus DH_NewKey(DHParams * params,
** the prime. If successful, derivedSecret->data is set
** to the address of the newly allocated buffer containing the derived
** secret, and derivedSecret->len is the size of the secret produced.
-** The size of the secret produced will never be larger than the length
-** of the prime, and it may be smaller than maxOutBytes.
+** The size of the secret produced will depend on the value of outBytes.
+** If outBytes is 0, the key length will be all the significant bytes of
+** the derived secret (leading zeros are dropped). This length could be less
+** than the length of the prime. If outBytes is nonzero, the length of the
+** produced key will be outBytes long. If the key is truncated, the most
+** significant bytes are truncated. If it is expanded, zero bytes are added
+** at the beginning.
** It is the caller's responsibility to free the allocated buffer
** containing the derived secret.
*/
@@ -221,7 +226,7 @@ extern SECStatus DH_Derive(SECItem * publicValue,
SECItem * prime,
SECItem * privateValue,
SECItem * derivedSecret,
- unsigned int maxOutBytes);
+ unsigned int outBytes);
/*
** KEA_CalcKey returns octet string with the private key for a dual
diff --git a/security/nss/lib/freebl/blapit.h b/security/nss/lib/freebl/blapit.h
index 976ff8c8d..2bc02afc5 100644
--- a/security/nss/lib/freebl/blapit.h
+++ b/security/nss/lib/freebl/blapit.h
@@ -142,7 +142,7 @@
#define RSA_MAX_MODULUS_BITS 8192
#define RSA_MAX_EXPONENT_BITS 64
#define DH_MIN_P_BITS 128
-#define DH_MAX_P_BITS 2236
+#define DH_MAX_P_BITS 3072
/*
* The FIPS 186 algorithm for generating primes P and Q allows only 9
diff --git a/security/nss/lib/freebl/dh.c b/security/nss/lib/freebl/dh.c
index 4ba78c30b..266ff3501 100644
--- a/security/nss/lib/freebl/dh.c
+++ b/security/nss/lib/freebl/dh.c
@@ -215,7 +215,7 @@ DH_Derive(SECItem *publicValue,
SECItem *prime,
SECItem *privateValue,
SECItem *derivedSecret,
- unsigned int maxOutBytes)
+ unsigned int outBytes)
{
mp_int p, Xa, Yb, ZZ;
mp_err err = MP_OKAY;
@@ -251,15 +251,24 @@ DH_Derive(SECItem *publicValue,
/* grab the derived secret */
err = mp_to_unsigned_octets(&ZZ, secret, len);
if (err >= 0) err = MP_OKAY;
- /* Take minimum of bytes requested and bytes in derived secret,
- ** if maxOutBytes is 0 take all of the bytes from the derived secret.
+ /*
+ ** if outBytes is 0 take all of the bytes from the derived secret.
+ ** if outBytes is not 0 take exactly outBytes from the derived secret, zero
+ ** pad at the beginning if necessary, and truncate beginning bytes
+ ** if necessary.
*/
- if (maxOutBytes > 0)
- nb = PR_MIN(len, maxOutBytes);
+ if (outBytes > 0)
+ nb = outBytes;
else
nb = len;
SECITEM_AllocItem(NULL, derivedSecret, nb);
- memcpy(derivedSecret->data, secret, nb);
+ if (len < nb) {
+ unsigned int offset = nb - len;
+ memset(derivedSecret->data, 0, offset);
+ memcpy(derivedSecret->data + offset, secret, len);
+ } else {
+ memcpy(derivedSecret->data, secret + len - nb, nb);
+ }
cleanup:
mp_clear(&p);
mp_clear(&Xa);
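Review bot: The result of `SECITEM_AllocItem(NULL, derivedSecret, nb)` is not checked before the new `memset`/`memcpy` lines write through `derivedSecret->data`. `nb` is now whatever the caller passes as `outBytes` instead of being capped at `len`, so the allocation size is caller-controlled and a failure is more plausible than before. Consider `if (SECITEM_AllocItem(NULL, derivedSecret, nb) == NULL) { err = MP_MEM; goto cleanup; }`, assuming the cleanup path turns a non-OK `err` into a failure return. DH_Derive starts and ends outside this hunk, so how `secret` is released is not visible here.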
diff --git a/security/nss/lib/libpkix/pkix/top/pkix_build.c b/security/nss/lib/libpkix/pkix/top/pkix_build.c
index 14f5eef1c..bd24ffda9 100755
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.c
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c
@@ -3332,7 +3332,6 @@ pkix_Build_InitiateBuildChain(
PKIX_LISTGETITEMFAILED);
}
PKIX_DECREF(firstHintCert);
- firstHintCert = NULL;
}
}
@@ -3470,7 +3469,6 @@ pkix_Build_InitiateBuildChain(
}
PKIX_DECREF(certStore);
- certStore = NULL;
}
}
diff --git a/security/nss/lib/pk11wrap/pk11auth.c b/security/nss/lib/pk11wrap/pk11auth.c
index a57314c4f..a754714c4 100644
--- a/security/nss/lib/pk11wrap/pk11auth.c
+++ b/security/nss/lib/pk11wrap/pk11auth.c
@@ -165,7 +165,7 @@ PK11_CheckUserPassword(PK11SlotInfo *slot, const char *pw)
}
/*
- * If the token does't need a login, don't try to relogin beause the
+ * If the token doesn't need a login, don't try to relogin because the
* effect is undefined. It's not clear what it means to check a non-empty
* password with such a token, so treat that as an error.
*/
diff --git a/security/nss/lib/pk11wrap/pk11merge.c b/security/nss/lib/pk11wrap/pk11merge.c
index 3069460b2..e1c71c97a 100644
--- a/security/nss/lib/pk11wrap/pk11merge.c
+++ b/security/nss/lib/pk11wrap/pk11merge.c
@@ -1109,7 +1109,7 @@ pk11_mergeTrust(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot,
CK_ULONG trustAttrsCount =
sizeof(trustAttrs)/sizeof(trustAttrs[0]);
- int i;
+ CK_ULONG i;
CK_ATTRIBUTE targetTemplate, sourceTemplate;
/* existing trust record, merge the two together */
diff --git a/security/nss/lib/pk11wrap/pk11sdr.c b/security/nss/lib/pk11wrap/pk11sdr.c
index a9511b392..56d93dd12 100644
--- a/security/nss/lib/pk11wrap/pk11sdr.c
+++ b/security/nss/lib/pk11wrap/pk11sdr.c
@@ -111,7 +111,7 @@ unpadBlock(SECItem *data, int blockSize, SECItem *result)
{
SECStatus rv = SECSuccess;
int padLength;
- int i;
+ unsigned int i;
result->data = 0;
result->len = 0;
diff --git a/security/nss/lib/pkcs12/p12e.c b/security/nss/lib/pkcs12/p12e.c
index e16f76f33..bdfd2a745 100644
--- a/security/nss/lib/pkcs12/p12e.c
+++ b/security/nss/lib/pkcs12/p12e.c
@@ -50,6 +50,8 @@
#include "p12local.h"
#include "prcpucfg.h"
+extern const int NSS_PBE_DEFAULT_ITERATION_COUNT; /* defined in p7create.c */
+
/*
** This PKCS12 file encoder uses numerous nested ASN.1 and PKCS7 encoder
** contexts. It can be difficult to keep straight. Here's a picture:
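Review bot: Declaring `extern const int NSS_PBE_DEFAULT_ITERATION_COUNT;` directly in p12e.c means the compiler never checks this declaration against the definition in p7create.c, so a later type change on one side would go unnoticed. The declaration belongs in a header that both files include, so that p7create.c sees it too. Since the constant sets the PBE iteration count for the PKCS #12 export calls changed in this file, a comment at the declaration such as `/* PBE iteration count for newly created PKCS #7/#12 objects; do not lower */` would help later maintainers.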
@@ -1256,8 +1258,9 @@ SEC_PKCS12AddKeyForCert(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *sa
}
epki = PK11_ExportEncryptedPrivateKeyInfo(slot, algorithm,
- &uniPwitem, cert, 1,
- p12ctxt->wincx);
+ &uniPwitem, cert,
+ NSS_PBE_DEFAULT_ITERATION_COUNT,
+ p12ctxt->wincx);
PK11_FreeSlot(slot);
if(!epki) {
PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
@@ -1605,6 +1608,11 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
}
+ if (!SEC_ASN1EncodeInteger(p12exp->arena, &(p12enc->mac.iter),
+ NSS_PBE_DEFAULT_ITERATION_COUNT)) {
+ /* XXX salt is leaked */
+ goto loser;
+ }
/* generate HMAC key */
if(!sec_pkcs12_convert_item_to_unicode(NULL, &pwd,
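Review bot: The new `goto loser` after a failed `SEC_ASN1EncodeInteger` call leaves `salt` allocated, as the added `XXX salt is leaked` comment itself admits. The next hunk of this function releases it with `SECITEM_ZfreeItem(salt, PR_TRUE);`, so the same call can go in front of the jump: `SECITEM_ZfreeItem(salt, PR_TRUE); goto loser;`. sec_pkcs12_encoder_start_context starts and ends outside this hunk, so what `loser` already frees is not visible here.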
@@ -1618,7 +1626,8 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
* PBA keygens. PKCS #5 v2 support will require a change to
* the PKCS #12 spec.
*/
- params = PK11_CreatePBEParams(salt, &pwd, 1);
+ params = PK11_CreatePBEParams(salt, &pwd,
+ NSS_PBE_DEFAULT_ITERATION_COUNT);
SECITEM_ZfreeItem(salt, PR_TRUE);
SECITEM_ZfreeItem(&pwd, PR_FALSE);
diff --git a/security/nss/lib/pkcs7/p7create.c b/security/nss/lib/pkcs7/p7create.c
index 5c6a4f31a..1bba74eda 100644
--- a/security/nss/lib/pkcs7/p7create.c
+++ b/security/nss/lib/pkcs7/p7create.c
@@ -52,6 +52,8 @@
#include "secder.h"
#include "secpkcs5.h"
+const int NSS_PBE_DEFAULT_ITERATION_COUNT = 2000; /* used in p12e.c too */
+
static SECStatus
sec_pkcs7_init_content_info (SEC_PKCS7ContentInfo *cinfo, PRArenaPool *poolp,
SECOidTag kind, PRBool detached)
@@ -1293,7 +1295,9 @@ SEC_PKCS7CreateEncryptedData (SECOidTag algorithm, int keysize,
* CMS encrypted data, so we can't tell SEC_PKCS7CreateEncryptedtedData
* to create pkcs5v2 PBEs */
SECAlgorithmID *pbe_algid;
- pbe_algid = PK11_CreatePBEAlgorithmID (algorithm, 1, NULL);
+ pbe_algid = PK11_CreatePBEAlgorithmID(algorithm,
+ NSS_PBE_DEFAULT_ITERATION_COUNT,
+ NULL);
if (pbe_algid == NULL) {
rv = SECFailure;
} else {
diff --git a/security/nss/lib/softoken/legacydb/lgcreate.c b/security/nss/lib/softoken/legacydb/lgcreate.c
index fa76297c1..1fa32a10a 100644
--- a/security/nss/lib/softoken/legacydb/lgcreate.c
+++ b/security/nss/lib/softoken/legacydb/lgcreate.c
@@ -816,11 +816,16 @@ static NSSLOWKEYPrivateKey *lg_mkSecretKeyRep(const CK_ATTRIBUTE *templ,
privKey->keyType = NSSLOWKEYRSAKey;
/* The modulus is set to the key id of the symmetric key */
- crv = lg_Attribute2SecItem(arena, CKA_ID, templ, count,
- &privKey->u.rsa.modulus);
- if (crv != CKR_OK) goto loser;
+ privKey->u.rsa.modulus.data =
+ (unsigned char *) PORT_ArenaAlloc(arena, pubkey->len);
+ if (privKey->u.rsa.modulus.data == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ privKey->u.rsa.modulus.len = pubkey->len;
+ PORT_Memcpy(privKey->u.rsa.modulus.data, pubkey->data, pubkey->len);
- /* The public exponent is set to 0 length to indicate a special key */
+ /* The public exponent is set to 0 to indicate a special key */
privKey->u.rsa.publicExponent.len = sizeof derZero;
privKey->u.rsa.publicExponent.data = derZero;
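Review bot: The added block dereferences `pubkey` (`pubkey->len`, `pubkey->data`) with no check visible in this hunk, and the comment above it still describes the modulus as the key id although the value no longer comes from the `CKA_ID` attribute. If `pubkey` can be NULL for some caller, a guard is needed before the allocation; the function starts outside the hunk, so this may already be handled. The allocate-and-copy sequence could also use the existing helper, `if (SECITEM_CopyItem(arena, &privKey->u.rsa.modulus, pubkey) != SECSuccess) { crv = CKR_HOST_MEMORY; goto loser; }`, which drops the cast and keeps length and data in step.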
diff --git a/security/nss/lib/ssl/ssl3ext.c b/security/nss/lib/ssl/ssl3ext.c
index 8937a618e..a3d243c1c 100644
--- a/security/nss/lib/ssl/ssl3ext.c
+++ b/security/nss/lib/ssl/ssl3ext.c
@@ -592,10 +592,7 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
unsigned char resultBuffer[255];
SECItem result = { siBuffer, resultBuffer, 0 };
- if (ss->firstHsDone) {
- PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
- return SECFailure;
- }
+ PORT_Assert(!ss->firstHsDone);
rv = ssl3_ValidateNextProtoNego(data->data, data->len);
if (rv != SECSuccess)
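Review bot: `PORT_Assert(!ss->firstHsDone);` only holds in debug builds; in optimized builds the assertion compiles away and an extension received after the first handshake is processed like any other. Unless the caller is guaranteed to filter this extension on renegotiation (not visible in this hunk), keep the runtime rejection next to the assertion, the way the `nextProtoCallback` check later in this function pairs both: `if (ss->firstHsDone) { PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); return SECFailure; }`. ssl3_ClientHandleNextProtoNegoXtn starts before and continues after the hunk.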
@@ -607,6 +604,8 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
*/
PORT_Assert(ss->nextProtoCallback != NULL);
if (!ss->nextProtoCallback) {
+ /* XXX Use a better error code. This is an application error, not an
+ * NSS bug. */
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
@@ -617,7 +616,7 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
return rv;
/* If the callback wrote more than allowed to |result| it has corrupted our
* stack. */
- if (result.len > sizeof result) {
+ if (result.len > sizeof resultBuffer) {
PORT_SetError(SEC_ERROR_OUTPUT_LEN);
return SECFailure;
}
diff --git a/security/nss/lib/util/quickder.c b/security/nss/lib/util/quickder.c
index 3f4f20ccf..b1956af62 100644
--- a/security/nss/lib/util/quickder.c
+++ b/security/nss/lib/util/quickder.c
@@ -815,40 +815,57 @@ static SECStatus DecodeItem(void* dest,
SECItem newtemp = temp;
rv = GetItem(&newtemp, &temp, PR_FALSE);
save = PR_TRUE;
- if ((SECSuccess == rv) && SEC_ASN1_UNIVERSAL == (kind & SEC_ASN1_CLASS_MASK))
- switch (kind & SEC_ASN1_TAGNUM_MASK)
+ if ((SECSuccess == rv) &&
+ SEC_ASN1_UNIVERSAL == (kind & SEC_ASN1_CLASS_MASK))
{
- /* special cases of primitive types */
- case SEC_ASN1_INTEGER:
+ unsigned long tagnum = kind & SEC_ASN1_TAGNUM_MASK;
+ if ( temp.len == 0 && (tagnum == SEC_ASN1_BOOLEAN ||
+ tagnum == SEC_ASN1_INTEGER ||
+ tagnum == SEC_ASN1_BIT_STRING ||
+ tagnum == SEC_ASN1_OBJECT_ID ||
+ tagnum == SEC_ASN1_ENUMERATED ||
+ tagnum == SEC_ASN1_UTC_TIME ||
+ tagnum == SEC_ASN1_GENERALIZED_TIME) )
{
- /* remove leading zeroes if the caller requested siUnsignedInteger
- This is to allow RSA key operations to work */
- SECItem* destItem = (SECItem*) ((char*)dest + templateEntry->offset);
- if (destItem && (siUnsignedInteger == destItem->type))
+ /* these types MUST have at least one content octet */
+ PORT_SetError(SEC_ERROR_BAD_DER);
+ rv = SECFailure;
+ }
+ else
+ switch (tagnum)
+ {
+ /* special cases of primitive types */
+ case SEC_ASN1_INTEGER:
{
- while (temp.len > 1 && temp.data[0] == 0)
- { /* leading 0 */
- temp.data++;
- temp.len--;
+ /* remove leading zeroes if the caller requested
+ siUnsignedInteger
+ This is to allow RSA key operations to work */
+ SECItem* destItem = (SECItem*) ((char*)dest +
+ templateEntry->offset);
+ if (destItem && (siUnsignedInteger == destItem->type))
+ {
+ while (temp.len > 1 && temp.data[0] == 0)
+ { /* leading 0 */
+ temp.data++;
+ temp.len--;
+ }
}
+ break;
}
- break;
- }
- case SEC_ASN1_BIT_STRING:
- {
- /* change the length in the SECItem to be the number of bits */
- if (temp.len && temp.data)
+ case SEC_ASN1_BIT_STRING:
{
- temp.len = (temp.len-1)*8 - ((*(unsigned char*)temp.data) & 0x7);
- temp.data = (unsigned char*)(temp.data+1);
+ /* change the length in the SECItem to be the number
+ of bits */
+ temp.len = (temp.len-1)*8 - (temp.data[0] & 0x7);
+ temp.data += 1;
+ break;
}
- break;
- }
- default:
- {
- break;
+ default:
+ {
+ break;
+ }
}
}
}
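Review bot: In the `SEC_ASN1_BIT_STRING` case the unused-bits octet is masked with `0x7` but never validated, and `temp.len` is unsigned. For a one-octet BIT STRING whose first octet is non-zero, `(temp.len-1)*8 - (temp.data[0] & 0x7)` wraps around to a very large bit count that is then stored as the item length. The new zero-length check does not cover this case. Reject such encodings before the computation: `if (temp.data[0] > 7 || (temp.len == 1 && temp.data[0] != 0)) { PORT_SetError(SEC_ERROR_BAD_DER); rv = SECFailure; break; }`. DecodeItem begins and ends outside the hunk.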
@@ -863,7 +880,7 @@ static SECStatus DecodeItem(void* dest,
If part of the destination was allocated by the decoder, in
cases of POINTER, SET OF and SEQUENCE OF, then type is set to
siBuffer due to the use of PORT_ArenaZAlloc*/
- destItem->data = temp.data;
+ destItem->data = temp.len ? temp.data : NULL;
destItem->len = temp.len;
}
else
diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c
index b2b10a1f2..957bfe73f 100644
--- a/security/nss/lib/util/secitem.c
+++ b/security/nss/lib/util/secitem.c
@@ -153,7 +153,7 @@ SECComparison
SECITEM_CompareItem(const SECItem *a, const SECItem *b)
{
unsigned m;
- SECComparison rv;
+ int rv;
if (a == b)
return SECEqual;
@@ -164,9 +164,9 @@ SECITEM_CompareItem(const SECItem *a, const SECItem *b)
m = ( ( a->len < b->len ) ? a->len : b->len );
- rv = (SECComparison) PORT_Memcmp(a->data, b->data, m);
+ rv = PORT_Memcmp(a->data, b->data, m);
if (rv) {
- return rv;
+ return rv < 0 ? SECLessThan : SECGreaterThan;
}
if (a->len < b->len) {
return SECLessThan;