authorian.mcgreer%sun.com <devnull@localhost>2003-01-16 20:33:32 +0000
committerian.mcgreer%sun.com <devnull@localhost>2003-01-16 20:33:32 +0000
commit1ba9dda31bb727000f7802925a332d2b42ace330 (patch)
tree8539e9367f65dc29bbfa7acf21fb17ce0401e685
parent3dddc19b84c0975579edc0f5aefde869d85c55b1 (diff)
downloadnss-hg-1ba9dda31bb727000f7802925a332d2b42ace330.tar.gz
NSSOID --> NSSOIDTag, more SSL conversions
-rw-r--r--security/nss/cmd/cipher/ciphertests.c35
-rw-r--r--security/nss/cmd/cipher/cipherutil.c56
-rw-r--r--security/nss/cmd/pkiutil/pkiobject.c39
-rw-r--r--security/nss/lib/base/nssbase.h4
-rw-r--r--security/nss/lib/dev/algparam.c10
-rw-r--r--security/nss/lib/dev/dev.h10
-rw-r--r--security/nss/lib/dev/devtoken.c59
-rw-r--r--security/nss/lib/dev/nssdev.h45
-rw-r--r--security/nss/lib/dev/nssdevt.h10
-rw-r--r--security/nss/lib/nss/nss.def9
-rw-r--r--security/nss/lib/nss/nsst.h2
-rw-r--r--security/nss/lib/pki/asymmkey.c29
-rw-r--r--security/nss/lib/pki/certificate.c32
-rw-r--r--security/nss/lib/pki/nsspki.h206
-rw-r--r--security/nss/lib/pki/pki.h17
-rw-r--r--security/nss/lib/pki/pkibase.c26
-rw-r--r--security/nss/lib/pki/pkim.h12
-rw-r--r--security/nss/lib/pki/symmkey.c29
-rw-r--r--security/nss/lib/pki/trustdomain.c27
-rw-r--r--security/nss/lib/pki/volatiledomain.c52
-rw-r--r--security/nss/lib/pki1/nsspki1.h73
-rw-r--r--security/nss/lib/pki1/nsspki1t.h3
-rw-r--r--security/nss/lib/pki1/oid.c248
-rw-r--r--security/nss/lib/pki1/oiddata.h5
-rw-r--r--security/nss/lib/pki1/pki1.h42
-rw-r--r--security/nss/lib/pki1/pki1t.h6
-rw-r--r--security/nss/lib/pkix/include/nsspkix.h6
-rw-r--r--security/nss/lib/pkix/include/nsspkixt.h10
-rw-r--r--security/nss/lib/pkix/include/pkix.h6
-rw-r--r--security/nss/lib/pkix/include/pkixtm.h3
-rw-r--r--security/nss/lib/pkix/src/AlgorithmID.c16
-rw-r--r--security/nss/lib/pkix/src/Extension.c12
-rw-r--r--security/nss/lib/pkix/src/Extensions.c20
-rw-r--r--security/nss/lib/pkix/src/pkiglue.c6
-rw-r--r--security/nss/lib/ssl/ssl3con.c473
-rw-r--r--security/nss/lib/ssl/sslimpl.h8
-rw-r--r--security/nss/lib/ssl/sslsock.c7
37 files changed, 1013 insertions, 640 deletions
diff --git a/security/nss/cmd/cipher/ciphertests.c b/security/nss/cmd/cipher/ciphertests.c
index 6a43c261b..b1143cf0b 100644
--- a/security/nss/cmd/cipher/ciphertests.c
+++ b/security/nss/cmd/cipher/ciphertests.c
@@ -62,7 +62,7 @@ EncryptionTest(NSSSymKey *symKey,
NULL, NULL, NULL);
if (!encryptedData || !NSSItem_Equal(encryptedData, ciphertext, NULL))
{
- NSSItem_Destroy(encryptedData);
+ if (encryptedData) NSSItem_Destroy(encryptedData);
NSSCryptoContext_Destroy(cc);
CMD_PrintError("Encryption failed");
return PR_FAILURE;
@@ -129,17 +129,17 @@ static int numCipherArgs = sizeof(cipherArgs) / sizeof(cipherArgs[0]);
static NSSSymKey *
unwrap_symkey(NSSVolatileDomain *vd, NSSPrivateKey *unwrapKey,
NSSAlgNParam *wrapAP,
- const NSSOID *keyAlg, char *value)
+ NSSSymKeyType keyType, char *value)
{
NSSSymKey *symKey = NULL;
NSSItem *wrappedKey;
wrappedKey = CMD_ConvertHex(value, strlen(value), NULL);
if (wrappedKey) {
symKey = NSSVolatileDomain_UnwrapSymKey(vd, wrapAP,
- unwrapKey,
- wrappedKey,
- keyAlg,
- NULL, 0, 0);
+ unwrapKey,
+ wrappedKey,
+ keyType,
+ NULL, 0, 0);
NSSItem_Destroy(wrappedKey);
}
return symKey;
@@ -160,7 +160,8 @@ SymmetricCipherTests(CMDRunTimeData *rtData,
NSSItem *plaintext = NULL;
NSSItem *ciphertext = NULL;
NSSItem *algID;
- const NSSOID *alg;
+ NSSOIDTag alg;
+ NSSSymKeyType keyType;
CMDReadBuf buf;
buf.start = buf.finish = 0;
@@ -200,7 +201,8 @@ SymmetricCipherTests(CMDRunTimeData *rtData,
break;
case cipherKey:
alg = NSSAlgNParam_GetAlgorithm(ap);
- symKey = unwrap_symkey(vd, unwrapKey, wrapAP, alg, value);
+ keyType = NSSOIDTag_GetSymKeyType(alg);
+ symKey = unwrap_symkey(vd, unwrapKey, wrapAP, keyType, value);
if (!symKey) {
goto loser;
}
@@ -254,9 +256,7 @@ SelfTest()
NSSToken *token = GetInternalCryptoToken();
CMDRunTimeData rtData;
NSSPrivateKey *unwrapKey;
- NSSOID *alg;
NSSAlgNParam *wrapAP;
- NSSOID *anRSAkey = NSSOID_CreateFromTag(NSS_OID_PKCS1_RSA_ENCRYPTION);
NSSItem *encodedKey;
status = CMD_SetRunTimeData(UNWRAPPING_KEY_FILE, NULL, "ascii",
@@ -280,8 +280,8 @@ SelfTest()
/* decode the key in the volatile domain */
unwrapKey = NSSVolatileDomain_ImportEncodedPrivateKey(vd, encodedKey,
- anRSAkey, 0, 0,
- NULL,
+ NSSKeyPairType_RSA,
+ 0, 0, NULL,
CMD_PWCallbackForKeyEncoding(WRAPKEY_PW),
token /*, NULL*/);
NSSItem_Destroy(encodedKey);
@@ -298,8 +298,8 @@ SelfTest()
return PR_FAILURE;
}
- alg = NSSOID_CreateFromTag(NSS_OID_PKCS1_RSA_ENCRYPTION);
- wrapAP = NSSOID_CreateAlgNParam(alg, NULL, NULL);
+ wrapAP = NSSOIDTag_CreateAlgNParam(NSS_OID_PKCS1_RSA_ENCRYPTION,
+ NULL, NULL);
if (!wrapAP) {
NSSPrivateKey_Destroy(unwrapKey);
CMD_PrintError("failed to create alg/param for unwrap");
@@ -317,7 +317,6 @@ CreateASelfTest(char *cipher, int keysize, char *input)
NSSVolatileDomain *vd;
NSSTrustDomain *td = NSS_GetDefaultTrustDomain();
CMDRunTimeData rtData;
- NSSOID *alg;
NSSAlgNParam *ap, *wrapAP;
NSSSymKey *symKey;
NSSItem *wrappedKey, *algID, plaintext, *ciphertext;
@@ -364,8 +363,8 @@ CreateASelfTest(char *cipher, int keysize, char *input)
return PR_FAILURE;
}
- alg = NSSOID_CreateFromTag(NSS_OID_PKCS1_RSA_ENCRYPTION);
- wrapAP = NSSOID_CreateAlgNParam(alg, NULL, NULL);
+ wrapAP = NSSOIDTag_CreateAlgNParam(NSS_OID_PKCS1_RSA_ENCRYPTION,
+ NULL, NULL);
if (!wrapAP) {
NSSCert_Destroy(wrapCert);
CMD_PrintError("failed to create alg/param for unwrap");
@@ -378,7 +377,7 @@ CreateASelfTest(char *cipher, int keysize, char *input)
}
symKey = NSSVolatileDomain_GenerateSymKey(vd, ap, keysize, NULL,
- 0, 0, token, NULL);
+ 0, 0, token, NULL);
NSSAlgNParam_Destroy(ap);
if (!symKey) {
CMD_PrintError("failed to generate symkey");
diff --git a/security/nss/cmd/cipher/cipherutil.c b/security/nss/cmd/cipher/cipherutil.c
index 42fcc3273..547578798 100644
--- a/security/nss/cmd/cipher/cipherutil.c
+++ b/security/nss/cmd/cipher/cipherutil.c
@@ -49,20 +49,20 @@ GetSoftwareToken()
NSSAlgNParam *
GetHashAP(char *cipher)
{
- NSSOID *alg;
+ NSSOIDTag alg;
if (strcmp(cipher, "sha") == 0 || strcmp(cipher, "sha1") == 0 ||
strcmp(cipher, "sha-1") == 0)
{
- alg = NSSOID_CreateFromTag(NSS_OID_SHA1);
+ alg = NSS_OID_SHA1;
} else if (strcmp(cipher, "md5") == 0) {
- alg = NSSOID_CreateFromTag(NSS_OID_MD5);
+ alg = NSS_OID_MD5;
} else if (strcmp(cipher, "md2") == 0) {
- alg = NSSOID_CreateFromTag(NSS_OID_MD2);
+ alg = NSS_OID_MD2;
} else {
fprintf(stderr, "Unknown hashing algorithm \"%s\"\n", cipher);
return NULL;
}
- return NSSOID_CreateAlgNParam(alg, NULL, NULL);
+ return NSSOIDTag_CreateAlgNParam(alg, NULL, NULL);
}
PRStatus
@@ -101,25 +101,25 @@ Hash
NSSAlgNParam *
GetSymKeyGenAP(char *cipher)
{
- NSSOID *alg;
+ NSSOIDTag alg;
NSSAlgNParam *ap;
if (IS_CIPHER(cipher, "des")) {
- alg = NSSOID_CreateFromTag(NSS_OID_DES_ECB);
+ alg = NSS_OID_DES_ECB;
} else if (IS_CIPHER(cipher, "des3")) {
- alg = NSSOID_CreateFromTag(NSS_OID_DES_EDE3_CBC); /* XXX cbc? */
+ alg = NSS_OID_DES_EDE3_CBC; /* XXX cbc? */
} else if (IS_CIPHER(cipher, "rc2")) {
- alg = NSSOID_CreateFromTag(NSS_OID_RC2_CBC); /* XXX cbc? */
+ alg = NSS_OID_RC2_CBC; /* XXX cbc? */
} else if (IS_CIPHER(cipher, "rc4")) {
- alg = NSSOID_CreateFromTag(NSS_OID_RC4);
+ alg = NSS_OID_RC4;
} else if (IS_CIPHER(cipher, "rc5")) {
- alg = NSSOID_CreateFromTag(NSS_OID_RC5_CBC_PAD);
+ alg = NSS_OID_RC5_CBC_PAD;
} else {
PR_fprintf(PR_STDERR, "Unknown symmetric key algorithm \"%s\"\n",
cipher);
return NULL;
}
- ap = NSSOID_CreateAlgNParamForKeyGen(alg, NULL, NULL);
+ ap = NSSOIDTag_CreateAlgNParamForKeyGen(alg, NULL, NULL);
if (!ap) {
PR_fprintf(PR_STDERR, "Failed to create keygen alg/param for %s\n",
cipher);
@@ -161,7 +161,7 @@ GetSymCipherAP(char *cipher, char *iv)
NSSItem cbcIV = { 0 };
NSSParameters params;
NSSParameters *pParams = NULL;
- NSSOID *alg;
+ NSSOIDTag alg;
NSSAlgNParam *ap;
PRBool haveIV = PR_FALSE;
@@ -192,22 +192,22 @@ GetSymCipherAP(char *cipher, char *iv)
}
if (IS_CIPHER(cipher, "des")) {
if (haveIV) {
- alg = NSSOID_CreateFromTag(NSS_OID_DES_CBC);
+ alg = NSS_OID_DES_CBC;
cbcIV.size = DES_IV_LENGTH;
params.iv = cbcIV;
pParams = &params;
} else {
- alg = NSSOID_CreateFromTag(NSS_OID_DES_ECB);
+ alg = NSS_OID_DES_ECB;
}
} else if (IS_CIPHER(cipher, "des3")) {
if (haveIV) {
- alg = NSSOID_CreateFromTag(NSS_OID_DES_EDE3_CBC);
+ alg = NSS_OID_DES_EDE3_CBC;
cbcIV.size = DES3_IV_LENGTH;
params.iv = cbcIV;
pParams = &params;
} else {
#if 0
- alg = NSSOID_CreateFromTag(NSS_OID_DES_ECB);
+ alg = NSS_OID_DES_ECB;
#endif
return NULL;
}
@@ -220,18 +220,18 @@ GetSymCipherAP(char *cipher, char *iv)
params.rc2.effectiveKeySizeInBits = RC2_EFF_KEY_BITS_DEFAULT;
}
if (haveIV) {
- alg = NSSOID_CreateFromTag(NSS_OID_RC2_CBC);
+ alg = NSS_OID_RC2_CBC;
cbcIV.size = RC2_IV_LENGTH;
params.rc2.iv = cbcIV;
pParams = &params;
} else {
#if 0
- alg = NSSOID_CreateFromTag(NSS_OID_DES_ECB);
+ alg = NSS_OID_DES_ECB;
#endif
return NULL;
}
} else if (IS_CIPHER(cipher, "rc4")) {
- alg = NSSOID_CreateFromTag(NSS_OID_RC4);
+ alg = NSS_OID_RC4;
} else if (IS_CIPHER(cipher, "rc5")) {
if (paramStr) {
p = strchr(paramStr, '-');
@@ -248,20 +248,20 @@ GetSymCipherAP(char *cipher, char *iv)
params.rc5.numRounds = RC5_NUMROUNDS_DEFAULT;
}
if (haveIV) {
- alg = NSSOID_CreateFromTag(NSS_OID_RC5_CBC_PAD); /* XXX PAD? */
+ alg = NSS_OID_RC5_CBC_PAD; /* XXX PAD? */
cbcIV.size = params.rc5.wordSize * 2;
params.rc5.iv = cbcIV;
pParams = &params;
} else {
#if 0
- alg = NSSOID_CreateFromTag(NSS_OID_DES_ECB);
+ alg = NSS_OID_DES_ECB;
#endif
return NULL;
}
} else {
PR_fprintf(PR_STDERR, "algorithm type \"%s\" unknown.\n", cipher);
}
- ap = NSSOID_CreateAlgNParam(alg, pParams, NULL);
+ ap = NSSOIDTag_CreateAlgNParam(alg, pParams, NULL);
if (!ap) {
PR_fprintf(PR_STDERR, "Failed to create encryption alg/param for %s\n",
cipher);
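Review bot: The final `else` branch of GetSymCipherAP only prints `algorithm type "%s" unknown.` and falls through, so `alg` reaches `NSSOIDTag_CreateAlgNParam(alg, pParams, NULL)` without having been assigned on that path. The earlier hunk at -161 declares it as `NSSOIDTag alg;` with no initialiser, so the tag looked up is an indeterminate value rather than a deliberate failure. Add `return NULL;` after the `PR_fprintf` in that branch, or declare `NSSOIDTag alg = NSS_OID_UNKNOWN;` so the lookup fails predictably. The function body starts and ends outside this hunk.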
@@ -309,7 +309,7 @@ GetKeyPairGenAP(char *cipher)
PRStatus status;
char *paramStr, *param;
NSSParameters params;
- NSSOID *alg;
+ NSSOIDTag alg;
memset(&params, 0, sizeof(params));
@@ -319,7 +319,7 @@ GetKeyPairGenAP(char *cipher)
}
if (strcmp(cipher, "rsa") == 0) {
int pe;
- alg = NSSOID_CreateFromTag(NSS_OID_PKCS1_RSA_ENCRYPTION);
+ alg = NSS_OID_PKCS1_RSA_ENCRYPTION;
if (paramStr) {
param = paramStr;
paramStr = strchr(paramStr, '-');
@@ -336,7 +336,7 @@ GetKeyPairGenAP(char *cipher)
return NULL;
}
} else if (strcmp(cipher, "dsa") == 0) {
- alg = NSSOID_CreateFromTag(NSS_OID_ANSIX9_DSA_SIGNATURE);
+ alg = NSS_OID_ANSIX9_DSA_SIGNATURE;
if (paramStr) {
param = paramStr;
paramStr = strchr(paramStr, '-');
@@ -349,7 +349,7 @@ GetKeyPairGenAP(char *cipher)
}
/* XXX pqg from file */
} else if (strcmp(cipher, "dh") == 0) {
- alg = NSSOID_CreateFromTag(NSS_OID_X942_DIFFIE_HELLMAN_KEY);
+ alg = NSS_OID_X942_DIFFIE_HELLMAN_KEY;
if (paramStr) {
param = paramStr;
paramStr = strchr(paramStr, '-');
@@ -375,7 +375,7 @@ GetKeyPairGenAP(char *cipher)
fprintf(stderr, "Unknown keypair type\"%s\"\n", cipher);
return (NSSAlgNParam *)NULL;
}
- return NSSOID_CreateAlgNParamForKeyGen(alg, &params, NULL);
+ return NSSOIDTag_CreateAlgNParamForKeyGen(alg, &params, NULL);
}
PRStatus
diff --git a/security/nss/cmd/pkiutil/pkiobject.c b/security/nss/cmd/pkiutil/pkiobject.c
index 305da6f7e..16c13ee0b 100644
--- a/security/nss/cmd/pkiutil/pkiobject.c
+++ b/security/nss/cmd/pkiutil/pkiobject.c
@@ -85,19 +85,19 @@ get_key_pair_type(char *type)
}
}
-static NSSOID *
+static NSSOIDTag
get_key_pair_alg(char *type)
{
NSSKeyPairType kpType = get_key_pair_type(type);
switch (kpType) {
case NSSKeyPairType_RSA:
- return NSSOID_CreateFromTag(NSS_OID_PKCS1_RSA_ENCRYPTION);
+ return NSS_OID_PKCS1_RSA_ENCRYPTION;
case NSSKeyPairType_DSA:
- return NSSOID_CreateFromTag(NSS_OID_ANSIX9_DSA_SIGNATURE);
+ return NSS_OID_ANSIX9_DSA_SIGNATURE;
case NSSKeyPairType_DH:
- return NSSOID_CreateFromTag(NSS_OID_X942_DIFFIE_HELLMAN_KEY);
+ return NSS_OID_X942_DIFFIE_HELLMAN_KEY;
default:
- return NULL;
+ return NSS_OID_UNKNOWN;
}
}
@@ -447,7 +447,7 @@ dump_cert_info
NSSDER *serial = NSSCert_GetSerialNumber(c);
NSSCert *cp = NSSTrustDomain_FindCertByIssuerAndSerialNumber(td, issuer, serial);
- tokens = NSSCert_GetTokens(cp, NULL);
+ tokens = NSSCert_GetTokens(cp, NULL, 0, NULL);
if (tokens) {
for (tp = tokens; *tp; tp++) {
PR_fprintf(rtData->output.file,
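Review bot: `cp` is handed to `NSSCert_GetTokens(cp, NULL, 0, NULL)` immediately after `NSSTrustDomain_FindCertByIssuerAndSerialNumber`, and nothing in this hunk checks that the lookup returned a certificate. nssCert_GetTokens in certificate.c forwards `&c->object`, so a failed lookup would presumably end in a null dereference further down. A one-line guard covers it: `tokens = cp ? NSSCert_GetTokens(cp, NULL, 0, NULL) : NULL;`. dump_cert_info starts and ends outside the hunk, so whether `cp` is released later cannot be seen from here.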
@@ -677,18 +677,18 @@ import_private_key
PRStatus status;
NSSItem *encoding;
NSSPrivateKey *vkey;
- NSSOID *keyPairAlg;
+ NSSOIDTag keyPairAlg;
if (keyTypeOpt) {
keyPairAlg = get_key_pair_alg(keyTypeOpt);
- if (!keyPairAlg) {
+ if (keyPairAlg == NSS_OID_UNKNOWN) {
PR_fprintf(PR_STDERR, "%s is not a valid key type.\n",
keyTypeOpt);
return PR_FAILURE;
}
} else {
/* default to RSA */
- keyPairAlg = NSSOID_CreateFromTag(NSS_OID_PKCS1_RSA_ENCRYPTION);
+ keyPairAlg = NSS_OID_PKCS1_RSA_ENCRYPTION;
}
/* get the encoded key from the input source */
@@ -878,16 +878,12 @@ vkeys = NULL;
if (vkey) {
NSSAlgNParam *pbe;
NSSParameters params;
- NSSOID *pbeAlg;
NSSItem *encKey;
+
params.pbe.iteration = 1;
generate_salt(&params.pbe.salt);
- pbeAlg = NSSOID_CreateFromTag(NSS_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC);
- if (!pbeAlg) {
- NSSPrivateKey_Destroy(vkey);
- return PR_FAILURE;
- }
- pbe = NSSOID_CreateAlgNParam(pbeAlg, &params, NULL);
+ pbe = NSSOIDTag_CreateAlgNParam(NSS_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC,
+ &params, NULL);
if (!pbe) {
NSSPrivateKey_Destroy(vkey);
return PR_FAILURE;
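Review bot: The private key export here is protected with `NSS_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC` and `params.pbe.iteration = 1`, so the password gets no stretching at all and the wrapped key depends on single DES. Since this change already rewrites the PBE set-up, it is a good place to replace the literal `1` with a named iteration-count constant set far higher, and to add a comment such as `/* legacy PBE scheme kept for test interop only; do not use for real key export */` if that is the intent. The enclosing function starts and ends outside the hunk, so whether the caller can choose a stronger scheme is not visible here.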
@@ -939,21 +935,14 @@ ExportObject (
static NSSAlgNParam *
get_rsa_key_gen_params(PRUint32 keySizeInBits, PRUint32 pubExp)
{
- NSSOID *kpAlg;
NSSParameters params;
- kpAlg = NSSOID_CreateFromTag(NSS_OID_PKCS1_RSA_ENCRYPTION);
- if (!kpAlg) {
- CMD_PrintError("OID lookup failure");
- return NULL;
- }
-
params.rsakg.modulusBits = keySizeInBits;
if (CMD_SetRSAPE(&params.rsakg.publicExponent, pubExp) == PR_FAILURE)
return NULL;
- return NSSOID_CreateAlgNParamForKeyGen(kpAlg, &params,
- NULL);
+ return NSSOIDTag_CreateAlgNParamForKeyGen(NSS_OID_PKCS1_RSA_ENCRYPTION,
+ &params, NULL);
}
PRStatus
diff --git a/security/nss/lib/base/nssbase.h b/security/nss/lib/base/nssbase.h
index bfcc17b19..bcf55965f 100644
--- a/security/nss/lib/base/nssbase.h
+++ b/security/nss/lib/base/nssbase.h
@@ -156,6 +156,10 @@ NSS_GetErrorStack (
void
);
+#define NSSITEM_INIT(it, b, l) \
+ (it)->data = (void *)b; \
+ (it)->size = l;
+
NSS_EXTERN NSSItem *
NSSItem_Create (
NSSArena *arenaOpt,
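Review bot: `NSSITEM_INIT` expands to two separate statements and leaves `b` and `l` unparenthesised, so a use such as `if (x) NSSITEM_INIT(&it, p, n);` would assign `data` conditionally and `size` unconditionally, producing an item whose length does not match its buffer. Define it as `do { (it)->data = (void *)(b); (it)->size = (l); } while (0)` with no trailing semicolon in the definition. A short comment stating that the macro stores the caller's pointer rather than copying the bytes would also help callers reason about buffer lifetime.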
diff --git a/security/nss/lib/dev/algparam.c b/security/nss/lib/dev/algparam.c
index a78982186..ea257d331 100644
--- a/security/nss/lib/dev/algparam.c
+++ b/security/nss/lib/dev/algparam.c
@@ -1086,7 +1086,7 @@ NSSAlgNParam_Decode (
NSS_IMPLEMENT NSSBER *
nssAlgNParam_Encode (
- NSSAlgNParam *ap,
+ const NSSAlgNParam *ap,
NSSBER *rvOpt,
NSSArena *arenaOpt
)
@@ -1116,7 +1116,7 @@ nssAlgNParam_Encode (
NSS_IMPLEMENT NSSBER *
NSSAlgNParam_Encode (
- NSSAlgNParam *ap,
+ const NSSAlgNParam *ap,
NSSBER *rvOpt,
NSSArena *arenaOpt
)
@@ -1225,15 +1225,15 @@ nssAlgNParam_Clone (
return finish_create_algparam(rvAP, rvAP->arena, mark, status);
}
-NSS_IMPLEMENT const NSSOID *
+NSS_IMPLEMENT NSSOIDTag
nssAlgNParam_GetAlgorithm (
const NSSAlgNParam *ap
)
{
- return ap->alg;
+ return (nssOID_GetTag(ap->alg));
}
-NSS_IMPLEMENT const NSSOID *
+NSS_IMPLEMENT NSSOIDTag
NSSAlgNParam_GetAlgorithm (
const NSSAlgNParam *ap
)
diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h
index 7dd288e2a..0d4ee1a88 100644
--- a/security/nss/lib/dev/dev.h
+++ b/security/nss/lib/dev/dev.h
@@ -666,11 +666,9 @@ nssToken_DeriveSSLSessionKeys (
nssSession *session,
const NSSAlgNParam *ap,
nssCryptokiObject *masterSecret,
- NSSSymKeyType bulkKeyType,
- NSSOperations operations,
- NSSProperties properties,
- PRUint32 keySizeOpt,
- nssCryptokiObject **rvSessionKeys /* [4] */
+ nssCryptokiObject **rvSessionKeys, /* [4] */
+ NSSItem *rvClientIV,
+ NSSItem *rvServerIV
);
NSS_EXTERN PRStatus
@@ -919,7 +917,7 @@ nssAlgNParam_Clone (
NSS_EXTERN NSSBER *
nssAlgNParam_Encode (
- NSSAlgNParam *ap,
+ const NSSAlgNParam *ap,
NSSBER *rvOpt,
NSSArena *arenaOpt
);
diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c
index dcfd21074..c495e428f 100644
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -1924,11 +1924,9 @@ nssToken_DeriveSSLSessionKeys (
nssSession *session,
const NSSAlgNParam *ap,
nssCryptokiObject *masterSecret,
- NSSSymKeyType bulkKeyType,
- NSSOperations operations,
- NSSProperties properties,
- PRUint32 keySizeOpt,
- nssCryptokiObject **rvSessionKeys /* [4] */
+ nssCryptokiObject **rvSessionKeys, /* [4] */
+ NSSItem *rvClientIV,
+ NSSItem *rvServerIV
)
{
CK_RV ckrv;
@@ -1937,10 +1935,9 @@ nssToken_DeriveSSLSessionKeys (
CK_ATTRIBUTE keyTemplate[16];
CK_ATTRIBUTE_PTR attr = keyTemplate;
CK_ULONG ktSize;
- CK_KEY_TYPE ckKeyType;
void *epv = nssToken_GetCryptokiEPV(token);
- PRUint32 numLeft;
- PRUint32 numkt = sizeof(keyTemplate) / sizeof(keyTemplate[0]);
+ PRUint32 ivSize;
+ PRUint32 i, keyNum;
mechanism = nssAlgNParam_GetMechanism(ap);
@@ -1948,22 +1945,7 @@ nssToken_DeriveSSLSessionKeys (
NSS_CK_TEMPLATE_START(keyTemplate, attr, ktSize);
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_symkey);
- if (operations) {
- numLeft = numkt - (attr - keyTemplate);
- attr += nssCKTemplate_SetOperationAttributes(attr, numLeft,
- operations);
- }
-
- if (properties) {
- numLeft = numkt - (attr - keyTemplate);
- attr += nssCKTemplate_SetPropertyAttributes(attr, numLeft,
- properties);
- }
- ckKeyType = nssCK_GetSymKeyType(bulkKeyType);
- NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_KEY_TYPE, bulkKeyType);
- if (keySizeOpt > 0) {
- NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_VALUE_LEN, keySizeOpt);
- }
+ /* XXX set any defaults, or allow token to do it? */
NSS_CK_TEMPLATE_FINISH(keyTemplate, attr, ktSize);
/* ready to do the derivation */
nssSession_EnterMonitor(session);
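Review bot: After this hunk the derive template carries only `CKA_TOKEN` and `CKA_CLASS`, and the new `/* XXX set any defaults, or allow token to do it? */` leaves open who decides the type and length of the two cipher keys. The cast to `CK_SSL3_KEY_MAT_PARAMS` later in the function suggests a PKCS #11 SSL key-and-MAC derive mechanism, where the write keys take their type from the template, so a token may reject the call or hand back keys of an unintended type. Either keep `CKA_KEY_TYPE` and `CKA_VALUE_LEN` in the template, sourced from the alg/param, or replace the XXX with a comment naming where those values now come from. The function starts and ends outside this hunk.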
@@ -1978,30 +1960,47 @@ nssToken_DeriveSSLSessionKeys (
kmp = (CK_SSL3_KEY_MAT_PARAMS *)mechanism->pParameter;
kmo = kmp->pReturnedKeyMaterial;
/* XXX all in the same session? */
+ keyNum = 0;
rvSessionKeys[0] = nssCryptokiObject_Create(token, session,
kmo->hClientMacSecret);
if (!rvSessionKeys[0]) {
return PR_FAILURE;
}
+ keyNum++;
rvSessionKeys[1] = nssCryptokiObject_Create(token, session,
kmo->hServerMacSecret);
if (!rvSessionKeys[1]) {
- nssCryptokiObject_Destroy(rvSessionKeys[0]);
+ for (i=0; i<keyNum; i++)
+ nssCryptokiObject_Destroy(rvSessionKeys[i]);
return PR_FAILURE;
}
+ keyNum++;
rvSessionKeys[2] = nssCryptokiObject_Create(token, session,
kmo->hClientKey);
if (!rvSessionKeys[2]) {
- nssCryptokiObject_Destroy(rvSessionKeys[0]);
- nssCryptokiObject_Destroy(rvSessionKeys[1]);
+ for (i=0; i<keyNum; i++)
+ nssCryptokiObject_Destroy(rvSessionKeys[i]);
return PR_FAILURE;
}
+ keyNum++;
rvSessionKeys[3] = nssCryptokiObject_Create(token, session,
kmo->hServerKey);
if (!rvSessionKeys[3]) {
- nssCryptokiObject_Destroy(rvSessionKeys[0]);
- nssCryptokiObject_Destroy(rvSessionKeys[1]);
- nssCryptokiObject_Destroy(rvSessionKeys[2]);
+ for (i=0; i<keyNum; i++)
+ nssCryptokiObject_Destroy(rvSessionKeys[i]);
+ return PR_FAILURE;
+ }
+ keyNum++;
+ ivSize = kmp->ulIVSizeInBits / 8; /* XXX */
+ if (nssItem_Create(NULL, rvClientIV, ivSize, kmo->pIVClient) == NULL) {
+ for (i=0; i<keyNum; i++)
+ nssCryptokiObject_Destroy(rvSessionKeys[i]);
+ return PR_FAILURE;
+ }
+ if (nssItem_Create(NULL, rvServerIV, ivSize, kmo->pIVServer) == NULL) {
+ for (i=0; i<keyNum; i++)
+ nssCryptokiObject_Destroy(rvSessionKeys[i]);
+ nss_ZFreeIf(rvClientIV->data); rvClientIV->data = NULL;
return PR_FAILURE;
}
return PR_SUCCESS;
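Review bot: Every failure path in this hunk destroys the objects created so far but leaves the stale pointers in the caller's `rvSessionKeys` array, so a caller that cleans up its own array after `PR_FAILURE` would free them a second time. The same unbraced `for (i=0; i<keyNum; i++)` loop is repeated six times, which makes it easy to miss one when a fifth object is added. A single `loser:` label that destroys and clears each slot removes both problems and makes `keyNum` unnecessary. Separately, `ivSize = kmp->ulIVSizeInBits / 8; /* XXX */` can be zero for a cipher with no IV; if `nssItem_Create` returns NULL for a zero size (not visible here) the whole derivation would fail, so that case deserves an explicit branch. The function's opening and closing lines are outside this hunk.

```c
    /* … unchanged: derive call, kmp/kmo set-up … */
    for (i = 0; i < 4; i++) {
        rvSessionKeys[i] = NULL;
    }
    rvSessionKeys[0] = nssCryptokiObject_Create(token, session,
                                                kmo->hClientMacSecret);
    if (!rvSessionKeys[0]) {
        goto loser;
    }
    /* … same pattern for hServerMacSecret, hClientKey, hServerKey … */
    ivSize = kmp->ulIVSizeInBits / 8; /* XXX */
    if (nssItem_Create(NULL, rvClientIV, ivSize, kmo->pIVClient) == NULL) {
        goto loser;
    }
    if (nssItem_Create(NULL, rvServerIV, ivSize, kmo->pIVServer) == NULL) {
        nss_ZFreeIf(rvClientIV->data);
        rvClientIV->data = NULL;
        goto loser;
    }
    return PR_SUCCESS;
loser:
    /* Destroy whatever was created and clear the slots so the caller
     * cannot release them a second time. */
    for (i = 0; i < 4; i++) {
        if (rvSessionKeys[i]) {
            nssCryptokiObject_Destroy(rvSessionKeys[i]);
            rvSessionKeys[i] = NULL;
        }
    }
    return PR_FAILURE;
```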
diff --git a/security/nss/lib/dev/nssdev.h b/security/nss/lib/dev/nssdev.h
index 00e292bfb..0432a9da7 100644
--- a/security/nss/lib/dev/nssdev.h
+++ b/security/nss/lib/dev/nssdev.h
@@ -186,33 +186,6 @@ NSSToken_GetInfo (
*
*/
-#if 0
-NSS_EXTERN NSSAlgNParam *
-NSSAlgNParam_CreateMAC (
- NSSArena *arenaOpt,
- NSSAlgorithmType blockCipher,
- NSSParameters *cipherParameters,
- PRUint32 macLength /* in bytes, 0 means maximum for block cipher */
-);
-
-NSS_EXTERN NSSAlgNParam *
-NSSAlgNParam_CreateHMAC (
- NSSArena *arenaOpt,
- NSSAlgorithmType hashAlgorithm,
- PRUint32 hmacLength /* in bytes, 0 means maximum for hash algorithm */
-);
-
-/* NSSAlgNParam_GetParameters
- *
- * Return the parameters, properly encoded for the algorithm OID. The
- * returned item must be freed.
- */
-NSS_EXTERN NSSItem *
-NSSAlgNParam_GetParameters (
- NSSAlgNParam *ap
-);
-#endif
-
NSS_EXTERN NSSAlgNParam *
NSSAlgNParam_Decode (
NSSBER *algIDber,
@@ -227,18 +200,32 @@ NSSAlgNParam_Destroy (
NSSAlgNParam *ap
);
-NSS_EXTERN const NSSOID *
+NSS_EXTERN NSSOIDTag
NSSAlgNParam_GetAlgorithm (
const NSSAlgNParam *ap
);
NSS_EXTERN NSSBER *
NSSAlgNParam_Encode (
- NSSAlgNParam *ap,
+ const NSSAlgNParam *ap,
NSSBER *rvOpt,
NSSArena *arenaOpt
);
+/* SSL-specific stuff */
+
+NSS_EXTERN NSSAlgNParam *
+NSSAlgNParam_CreateForSSL (
+ NSSArena *arenaOpt,
+ NSSSSLAlgorithm alg,
+ NSSParameters *parametersOpt
+);
+
+NSS_EXTERN NSSSSLVersion
+nssAlgNParam_GetSSLVersionFromMSDerive (
+ const NSSAlgNParam *ap
+);
+
NSS_EXTERN void
NSSSlotArray_Destroy (
NSSSlot **slots
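Review bot: `nssAlgNParam_GetSSLVersionFromMSDerive` is declared `NSS_EXTERN` in nssdev.h with the lower-case `nss` prefix, whereas the other prototypes in this header are `NSS…` and the lower-case forms on this page are declared in dev.h. If the function is internal, move the prototype to dev.h; if it is public, give it the `NSS` prefix and export it from nss.def. The same question applies to `nssCert_AddRef` and `nssSymKey_DeriveSSLSessionKeys`, which this commit adds to nsspki.h. `NSSAlgNParam_CreateForSSL` would also benefit from a comment saying which member of `NSSParameters` each `NSSSSLAlgorithm` value expects in `parametersOpt`.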
diff --git a/security/nss/lib/dev/nssdevt.h b/security/nss/lib/dev/nssdevt.h
index 1c2352d41..13d235dbe 100644
--- a/security/nss/lib/dev/nssdevt.h
+++ b/security/nss/lib/dev/nssdevt.h
@@ -272,6 +272,15 @@ NSSPBEParameters;
* SSL
*/
+typedef enum {
+ NSSSSLAlgorithm_PMSGen = 0,
+ NSSSSLAlgorithm_MSDerive = 1,
+ NSSSSLAlgorithm_SessionKeyDerive = 2,
+ NSSSSLAlgorithm_TLS_PRF = 3,
+ NSSSSLAlgorithm_MD5_MAC = 4,
+ NSSSSLAlgorithm_SHA1_MAC = 5
+} NSSSSLAlgorithm;
+
/* XXX */
typedef enum {
NSSSSLVersion_SSLv2 = 0,
@@ -317,6 +326,7 @@ typedef union
NSSPBEParameters pbe;
NSSSSLPMSParameters sslpms;
NSSSSLMSParameters sslms;
+ NSSSSLSessionKeyParameters sslsk;
}
NSSParameters;
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index 92ac88562..312a4f271 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -78,11 +78,10 @@ NSSBase64Encoder_Create;
NSSBase64Encoder_Update;
NSSBase64Encoder_Destroy;
NSSBase64_EncodeItem;
-NSSOID_Create;
-NSSOID_CreateFromTag;
-NSSOID_CreateAlgNParam;
-NSSOID_CreateAlgNParamForKeyGen;
-NSSOID_IsTag;
+NSSOIDTag_Create;
+NSSOIDTag_CreateAlgNParam;
+NSSOIDTag_CreateAlgNParamForKeyGen;
+NSSOIDTag_GetSymKeyType;
NSSTime_Now;
NSSTime_CreateFromUTCTime;
NSSTime_GetUTCTime;
diff --git a/security/nss/lib/nss/nsst.h b/security/nss/lib/nss/nsst.h
index 4d5195396..0edbf66b5 100644
--- a/security/nss/lib/nss/nsst.h
+++ b/security/nss/lib/nss/nsst.h
@@ -83,7 +83,7 @@ typedef struct
* public key info
*/
PRStatus (PR_CALLBACK *getPublicKeyInfo)(void *cert,
- NSSOID **keyAlg,
+ NSSOIDTag *keyAlg,
NSSBitString *keyBits);
/*
diff --git a/security/nss/lib/pki/asymmkey.c b/security/nss/lib/pki/asymmkey.c
index 47201aa0a..3d39c3970 100644
--- a/security/nss/lib/pki/asymmkey.c
+++ b/security/nss/lib/pki/asymmkey.c
@@ -402,7 +402,7 @@ get_key_pair_type(NSSOID *kpAlg)
NSS_IMPLEMENT NSSPrivateKey *
nssPrivateKey_Decode (
NSSBER *ber,
- NSSOID *keyPairAlg,
+ NSSKeyPairType keyPairType,
NSSOperations operations,
NSSProperties properties,
NSSUTF8 *passwordOpt,
@@ -417,20 +417,20 @@ nssPrivateKey_Decode (
nssCryptokiObject *vkey = NULL;
NSSAlgNParam *wrapAP = NULL;
NSSAlgNParam *pbeAP = NULL;
- EPKI epki = { 0 };
- NSSItem *epkiData = NULL;
+ EPKI epki;
NSSUTF8 *password = NULL;
nssSession *session = NULL;
NSSArena *tmparena;
NSSPrivateKey *rvKey = NULL;
NSSSlot *slot;
- NSSKeyPairType keyPairType;
tmparena = nssArena_Create();
if (!tmparena) {
return (NSSPrivateKey *)NULL;
}
+ nsslibc_memset(&epki, 0, sizeof(EPKI));
+
/* decode PKCS#8 formatted encoded key */
status = nssASN1_DecodeBER(tmparena, &epki,
encrypted_private_key_info_tmpl, ber);
@@ -480,9 +480,6 @@ nssPrivateKey_Decode (
nssTrustDomain_GetDefaultCallback(td, NULL));
nssSlot_Destroy(slot);
- /* XXX */
- keyPairType = get_key_pair_type(keyPairAlg);
-
/* unwrap the private key with the PBE key */
vkey = nssToken_UnwrapPrivateKey(destination, session, wrapAP,
pbeKey, &epki.encData, !vdOpt,
@@ -614,7 +611,13 @@ NSSPrivateKey_UnwrapSymKey (
NSSPrivateKey *vk,
const NSSAlgNParam *apOpt,
NSSItem *wrappedKey,
- NSSCallback *uhh
+ NSSSymKeyType targetType,
+ NSSUTF8 *labelOpt,
+ NSSOperations operations,
+ NSSProperties properties,
+ NSSToken *destinationOpt,
+ NSSVolatileDomain *vdOpt,
+ NSSCallback *uhhOpt
)
{
nss_SetError(NSS_ERROR_NOT_FOUND);
@@ -626,7 +629,7 @@ NSSPrivateKey_DeriveSymKey (
NSSPrivateKey *vk,
NSSPublicKey *bk,
const NSSAlgNParam *apOpt,
- NSSOID *target,
+ NSSSymKeyType targetSymKeyType,
PRUint32 keySizeOpt, /* zero for best allowed */
NSSOperations operations,
NSSCallback *uhh
@@ -659,7 +662,7 @@ nssPrivateKey_FindPublicKey (
NSSToken **tokens, **tp;
nssCryptokiObject *instance;
NSSTrustDomain *td = nssPrivateKey_GetTrustDomain(vk, NULL);
- tokens = nssPKIObject_GetTokens(&vk->object, &status);
+ tokens = nssPKIObject_GetTokens(&vk->object, NULL, 0, &status);
if (!tokens) {
return (NSSPublicKey *)NULL; /* defer to trust domain ??? */
}
@@ -831,7 +834,7 @@ NSS_IMPLEMENT NSSPublicKey *
nssPublicKey_CreateFromInfo (
NSSTrustDomain *td,
NSSVolatileDomain *vd,
- NSSOID *keyAlg,
+ NSSOIDTag keyAlg,
NSSBitString *keyBits
)
{
@@ -852,7 +855,7 @@ nssPublicKey_CreateFromInfo (
return (NSSPublicKey *)NULL;
}
- switch (nssOID_GetTag(keyAlg)) {
+ switch (keyAlg) {
case NSS_OID_PKCS1_RSA_ENCRYPTION:
status = nssASN1_DecodeBER(arena, &bki,
NSSASN1Template_RSAPublicKey,
@@ -1186,7 +1189,7 @@ nssPublicKey_GetInstanceForAlgorithmAndObject (
nssCryptokiObject *instance = NULL;
/* look on the target object's tokens */
- tokens = nssPKIObject_GetTokens((nssPKIObject *)ob, &status);
+ tokens = nssPKIObject_GetTokens((nssPKIObject *)ob, NULL, 0, &status);
if (tokens) {
for (tp = tokens; *tp; tp++) {
if (nssToken_DoesAlgorithm(*tp, ap)) {
diff --git a/security/nss/lib/pki/certificate.c b/security/nss/lib/pki/certificate.c
index 6cee3fc12..ecaf9dc59 100644
--- a/security/nss/lib/pki/certificate.c
+++ b/security/nss/lib/pki/certificate.c
@@ -530,19 +530,23 @@ NSSCert_GetTrustDomain (
NSS_IMPLEMENT NSSToken **
nssCert_GetTokens (
NSSCert *c,
+ NSSToken **rvOpt,
+ PRUint32 rvMaxOpt,
PRStatus *statusOpt
)
{
- return nssPKIObject_GetTokens(&c->object, statusOpt);
+ return nssPKIObject_GetTokens(&c->object, rvOpt, rvMaxOpt, statusOpt);
}
NSS_IMPLEMENT NSSToken **
NSSCert_GetTokens (
NSSCert *c,
+ NSSToken **rvOpt,
+ PRUint32 rvMaxOpt,
PRStatus *statusOpt
)
{
- return nssCert_GetTokens(c, statusOpt);
+ return nssCert_GetTokens(c, rvOpt, rvMaxOpt, statusOpt);
}
NSS_IMPLEMENT NSSSlot *
@@ -1141,7 +1145,7 @@ static NSSCert *
find_cert_issuer (
NSSCert *c,
NSSTime time,
- NSSUsages *usagesOpt,
+ const NSSUsages *usagesOpt,
NSSPolicies *policiesOpt
)
{
@@ -1175,10 +1179,8 @@ find_cert_issuer (
issuer = filter_subject_certs_for_id(issuers, issuerID);
dc->methods->freeIdentifier(issuerID);
} else {
- issuer = nssCertArray_FindBestCert(issuers,
- time,
- usagesOpt,
- policiesOpt);
+ issuer = nssCertArray_FindBestCert(issuers, time,
+ usagesOpt, policiesOpt);
}
nssCertArray_Destroy(issuers);
}
@@ -1193,7 +1195,7 @@ NSS_IMPLEMENT NSSCert **
nssCert_BuildChain (
NSSCert *c,
NSSTime time,
- NSSUsages *usagesOpt,
+ const NSSUsages *usagesOpt,
NSSPolicies *policiesOpt,
NSSCert **rvOpt,
PRUint32 rvLimit,
@@ -1255,7 +1257,7 @@ NSS_IMPLEMENT NSSCert **
NSSCert_BuildChain (
NSSCert *c,
NSSTime time,
- NSSUsages *usagesOpt,
+ const NSSUsages *usagesOpt,
NSSPolicies *policiesOpt,
NSSCert **rvOpt,
PRUint32 rvLimit, /* zero for no limit */
@@ -1264,7 +1266,7 @@ NSSCert_BuildChain (
)
{
return nssCert_BuildChain(c, time, usagesOpt, policiesOpt,
- rvOpt, rvLimit, arenaOpt, statusOpt);
+ rvOpt, rvLimit, arenaOpt, statusOpt);
}
NSS_IMPLEMENT NSSItem *
@@ -1390,7 +1392,7 @@ nssCert_GetPublicKey (
NSSVolatileDomain *vd = nssCert_GetVolatileDomain(c);
/* first look for a persistent object in the trust domain */
- tokens = nssPKIObject_GetTokens(&c->object, &status);
+ tokens = nssPKIObject_GetTokens(&c->object, NULL, 0, &status);
if (tokens) {
for (tp = tokens; *tp; tp++) {
/* XXX need to iterate over cert instances to have session */
@@ -1417,7 +1419,7 @@ nssCert_GetPublicKey (
}
return bk;
} else {
- NSSOID *keyAlg;
+ NSSOIDTag keyAlg;
NSSBitString keyBits;
nssCertDecoding *dc = nssCert_GetDecoding(c);
@@ -1453,7 +1455,7 @@ nssCert_FindPrivateKey (
nssCryptokiObject *instance;
NSSTrustDomain *td = nssCert_GetTrustDomain(c);
- tokens = nssPKIObject_GetTokens(&c->object, &status);
+ tokens = nssPKIObject_GetTokens(&c->object, NULL, 0, &status);
if (!tokens) {
return PR_FALSE; /* actually, should defer to crypto context */
}
@@ -1518,7 +1520,7 @@ nssCert_IsPrivateKeyAvailable (
nssCryptokiObject *instance = NULL;
NSSTrustDomain *td = nssCert_GetTrustDomain(c);
PRBool isLoggedIn;
- tokens = nssPKIObject_GetTokens(&c->object, &status);
+ tokens = nssPKIObject_GetTokens(&c->object, NULL, 0, &status);
if (!tokens) {
return PR_FALSE; /* can't have private key w/o a token instance */
}
@@ -1644,7 +1646,7 @@ NSSUserCert_DeriveSymKey (
NSSUserCert *uc, /* provides private key */
NSSCert *c, /* provides public key */
const NSSAlgNParam *apOpt,
- NSSOID *target,
+ NSSSymKeyType targetSymKeyType,
PRUint32 keySizeOpt, /* zero for best allowed */
NSSOperations operations,
NSSCallback *uhh
diff --git a/security/nss/lib/pki/nsspki.h b/security/nss/lib/pki/nsspki.h
index 63995a112..bdf1d390f 100644
--- a/security/nss/lib/pki/nsspki.h
+++ b/security/nss/lib/pki/nsspki.h
@@ -60,6 +60,8 @@ static const char NSSPKI_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
#include "nsspkit.h"
#endif /* NSSPKIT_H */
+#include "oiddata.h" /* XXX */
+
PR_BEGIN_EXTERN_C
/*
@@ -114,6 +116,12 @@ PR_BEGIN_EXTERN_C
* (think PGP) could be beneath this object.
*/
+/* XXX I suspect this will be required and thus public */
+NSS_EXTERN NSSCert *
+nssCert_AddRef (
+ NSSCert *c
+);
+
/*
* NSSCert_Destroy
*
@@ -219,13 +227,20 @@ NSSCert_SetTrustedUsages (
*
*/
-NSS_EXTERN NSSDER *
+NSS_EXTERN NSSBER *
NSSCert_Encode (
NSSCert *c,
- NSSDER *rvOpt,
+ NSSBER *rvOpt,
NSSArena *arenaOpt
);
+/* XXX the difference is, this one wouldn't alloc... */
+NSS_EXTERN NSSBER *
+NSSCert_GetEncoding (
+ NSSCert *c,
+ NSSBER *rvOpt
+);
+
/*
* NSSCert_BuildChain
*
@@ -246,7 +261,7 @@ NSS_EXTERN NSSCert **
NSSCert_BuildChain (
NSSCert *c,
NSSTime time,
- NSSUsages *usagesOpt,
+ const NSSUsages *usagesOpt,
NSSPolicies *policiesOpt,
NSSCert **rvOpt,
PRUint32 rvLimit, /* zero for no limit */
@@ -265,7 +280,7 @@ NSSCert_GetTrustDomain (
);
/*
- * NSSCert_GetToken
+ * NSSCert_GetTokens
*
* There doesn't have to be any.
*/
@@ -273,6 +288,8 @@ NSSCert_GetTrustDomain (
NSS_EXTERN NSSToken **
NSSCert_GetTokens (
NSSCert *c,
+ NSSToken **rvOpt,
+ PRUint32 rvMaxOpt,
PRStatus *statusOpt
);
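Review bot: The comment above `NSSCert_GetTokens` still says only "There doesn't have to be any" and gives no contract for the new `rvOpt`/`rvMaxOpt` pair. Callers on this page walk the result with `for (tp = tokens; *tp; tp++)`, so the comment should state that the array is NULL-terminated, whether `rvMaxOpt` counts the terminator when the caller supplies the buffer, and who frees the array when `rvOpt` is NULL. Without that, a caller passing a buffer of exactly `rvMaxOpt` entries cannot tell whether the terminator fits. The same wording is needed on `NSSPrivateKey_GetTokens`, `NSSPublicKey_GetTokens` and `NSSSymKey_GetTokens` further down this header.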
@@ -459,7 +476,7 @@ NSSCert_IsPrivateKeyAvailable (
* NSSUserCert_Encode
* NSSUserCert_BuildChain
* NSSUserCert_GetTrustDomain
- * NSSUserCert_GetToken
+ * NSSUserCert_GetTokens
* NSSUserCert_GetSlot
* NSSUserCert_GetModule
* NSSUserCert_GetCryptoContext
@@ -566,7 +583,7 @@ NSSUserCert_DeriveSymKey (
NSSUserCert *uc, /* provides private key */
NSSCert *c, /* provides public key */
const NSSAlgNParam *apOpt,
- NSSOID *target,
+ NSSSymKeyType targetKeyType,
PRUint32 keySizeOpt, /* zero for best allowed */
NSSOperations operations,
NSSCallback *uhh
@@ -671,13 +688,16 @@ NSSPrivateKey_GetTrustDomain (
);
/*
- * NSSPrivateKey_GetToken
+ * NSSPrivateKey_GetTokens
*
*/
-NSS_EXTERN NSSToken *
-NSSPrivateKey_GetToken (
- NSSPrivateKey *vk
+NSS_EXTERN NSSToken **
+NSSPrivateKey_GetTokens (
+ NSSPrivateKey *vk,
+ NSSToken **rvOpt,
+ PRUint32 rvMaxOpt,
+ PRStatus *statusOpt
);
/*
@@ -755,7 +775,13 @@ NSSPrivateKey_UnwrapSymKey (
NSSPrivateKey *vk,
const NSSAlgNParam *apOpt,
NSSItem *wrappedKey,
- NSSCallback *uhh
+ NSSSymKeyType targetType,
+ NSSUTF8 *labelOpt,
+ NSSOperations operations,
+ NSSProperties properties,
+ NSSToken *destinationOpt,
+ NSSVolatileDomain *vdOpt,
+ NSSCallback *uhhOpt
);
/*
@@ -768,7 +794,7 @@ NSSPrivateKey_DeriveSymKey (
NSSPrivateKey *vk,
NSSPublicKey *bk,
const NSSAlgNParam *apOpt,
- NSSOID *target,
+ NSSSymKeyType targetKeyType,
PRUint32 keySizeOpt, /* zero for best allowed */
NSSOperations operations,
NSSCallback *uhh
@@ -890,14 +916,16 @@ NSSPublicKey_GetTrustDomain (
);
/*
- * NSSPublicKey_GetToken
+ * NSSPublicKey_GetTokens
*
- * There doesn't have to be one.
+ * There doesn't have to be any.
*/
-NSS_EXTERN NSSToken *
-NSSPublicKey_GetToken (
+NSS_EXTERN NSSToken **
+NSSPublicKey_GetTokens (
NSSPublicKey *bk,
+ NSSToken **rvOpt,
+ PRUint32 rvMaxOpt,
PRStatus *statusOpt
);
@@ -925,6 +953,22 @@ NSSPublicKey_GetModule (
PRStatus *statusOpt
);
+NSS_EXTERN NSSKeyPairType
+NSSPublicKey_GetType (
+ NSSPublicKey *bk
+);
+
+NSS_EXTERN PRUint32
+NSSPublicKey_GetKeyStrength (
+ NSSPublicKey *bk
+);
+
+NSS_EXTERN NSSPublicKeyInfo *
+NSSPublicKey_GetKeyInfo (
+ NSSPublicKey *bk,
+ NSSPublicKeyInfo *rvOpt
+);
+
/*
* NSSPublicKey_Encrypt
*
@@ -1116,14 +1160,16 @@ NSSSymKey_GetTrustDomain (
);
/*
- * NSSSymKey_GetToken
+ * NSSSymKey_GetTokens
*
- * There doesn't have to be one.
+ * There doesn't have to be any.
*/
-NSS_EXTERN NSSToken *
-NSSSymKey_GetToken (
+NSS_EXTERN NSSToken **
+NSSSymKey_GetTokens (
NSSSymKey *mk,
+ NSSToken **rvOpt,
+ PRUint32 rvMaxOpt,
PRStatus *statusOpt
);
@@ -1250,7 +1296,7 @@ NSSSymKey_UnwrapSymKey (
NSSSymKey *wrappingKey,
const NSSAlgNParam *ap,
NSSItem *wrappedKey,
- NSSOID *target,
+ NSSSymKeyType targetKeyType,
PRUint32 keySizeOpt,
NSSOperations operations,
NSSCallback *uhh
@@ -1289,6 +1335,15 @@ NSSSymKey_DeriveSymKey (
NSSCallback *uhh
);
+NSS_EXTERN PRStatus
+nssSymKey_DeriveSSLSessionKeys (
+ NSSSymKey *masterSecret,
+ const NSSAlgNParam *ap,
+ NSSSymKey **rvSessionKeys,
+ NSSItem *rvClientIV,
+ NSSItem *rvServerIV
+);
+
/*
* NSSSymKey_CreateCryptoContext
*
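Review bot: The new `nssSymKey_DeriveSSLSessionKeys` declaration has no comment, and nothing in the prototype tells a caller that `rvSessionKeys` must have room for four entries, although the implementation in symmkey.c writes `rvSessionKeys[0]` through `[3]`. I would add a comment above it along the lines of `/* rvSessionKeys must point to an array of 4 NSSSymKey *; rvClientIV/rvServerIV receive the IVs */` and state what the outputs hold on failure. The lower-case `nss` prefix is used elsewhere in this commit for internal functions (pki.h, pkim.h), so it is worth confirming that this public header is the intended home for the declaration.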
@@ -1487,7 +1542,7 @@ NSSTrustDomain_FindTokenBySlotName (
NSS_EXTERN NSSToken *
NSSTrustDomain_FindTokenForAlgorithm (
NSSTrustDomain *td,
- const NSSOID *algorithm
+ NSSOIDTag algorithm
);
/*
@@ -1498,10 +1553,16 @@ NSSTrustDomain_FindTokenForAlgorithm (
NSS_EXTERN NSSToken *
NSSTrustDomain_FindBestTokenForAlgorithms (
NSSTrustDomain *td,
- NSSOID *algorithms[], /* may be null-terminated */
+ NSSOIDTag *algorithms,
PRUint32 nAlgorithmsOpt /* limits the array if nonzero */
);
+NSS_EXTERN NSSToken *
+NSSTrustDomain_FindTokenForAlgNParam (
+ NSSTrustDomain *td,
+ const NSSAlgNParam *ap
+);
+
/*
* NSSTrustDomain_Login
*
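Review bot: Dropping the "may be null-terminated" comment on `algorithms` while keeping "limits the array if nonzero" on `nAlgorithmsOpt` leaves the zero-count case undefined, because an array of enum tags has no NULL to stop on. If a sentinel is intended, say so on the parameter, e.g. `NSSOIDTag *algorithms, /* ends with NSS_OID_UNKNOWN when nAlgorithmsOpt is zero */`; otherwise make the count mandatory and rename it without the `Opt` suffix. The implementation in trustdomain.c is still a stub, so the contract is only fixed by this comment.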
@@ -1568,16 +1629,12 @@ NSSTrustDomain_ImportEncodedCert (
/*
* NSSTrustDomain_ImportEncodedCertChain
*
- * If you just want the leaf, pass in a maximum of one.
*/
-NSS_EXTERN NSSCert **
+NSS_EXTERN NSSCertChain *
NSSTrustDomain_ImportEncodedCertChain (
NSSTrustDomain *td,
NSSBER *ber,
- NSSCert *rvOpt[],
- PRUint32 maximumOpt, /* 0 for no max */
- NSSArena *arenaOpt,
NSSToken *destinationOpt
);
@@ -1590,7 +1647,7 @@ NSS_EXTERN NSSPrivateKey *
NSSTrustDomain_ImportEncodedPrivateKey (
NSSTrustDomain *td,
NSSBER *ber,
- NSSOID *keyPairAlg,
+ NSSKeyPairType keyPairType,
NSSOperations operations,
NSSProperties properties,
NSSUTF8 *passwordOpt, /* NULL will cause a callback */
@@ -1610,6 +1667,16 @@ NSSTrustDomain_ImportEncodedPublicKey (
NSSToken *destinationOpt
);
+NSS_EXTERN NSSPublicKey *
+NSSTrustDomain_ImportPublicKey (
+ NSSTrustDomain *td,
+ NSSPublicKeyInfo *keyInfo,
+ NSSUTF8 *nicknameOpt,
+ NSSOperations operations,
+ NSSProperties properties,
+ NSSToken *destinationOpt
+);
+
NSS_EXTERN NSSCRL *
NSSTrustDomain_ImportEncodedCRL (
NSSTrustDomain *td,
@@ -1995,7 +2062,7 @@ NSSTrustDomain_GenerateSymKeyFromPassword (
NSS_EXTERN NSSSymKey *
NSSTrustDomain_FindSymKeyByAlgorithmAndKeyID (
NSSTrustDomain *td,
- NSSOID *algorithm,
+ NSSOIDTag algorithm,
NSSItem *keyID,
NSSCallback *uhhOpt
);
@@ -2052,7 +2119,7 @@ NSSTrustDomain_CreateCryptoContext (
NSS_EXTERN NSSCryptoContext *
NSSTrustDomain_CreateCryptoContextForAlgorithm (
NSSTrustDomain *td,
- NSSOID *algorithm
+ NSSOIDTag algorithm
);
/* find/traverse other objects, e.g. s/mime profiles */
@@ -2315,11 +2382,11 @@ NSSVolatileDomain_ImportEncodedCert (
*
*/
-NSS_EXTERN PRStatus
+NSS_EXTERN NSSCertChain *
NSSVolatileDomain_ImportEncodedCertChain (
NSSVolatileDomain *vd,
NSSBER *ber,
- NSSCertType certType
+ NSSToken *destinationOpt
);
/*
@@ -2331,7 +2398,7 @@ NSS_EXTERN NSSPrivateKey *
NSSVolatileDomain_ImportEncodedPrivateKey (
NSSVolatileDomain *vd,
NSSBER *ber,
- NSSOID *keyPairAlg,
+ NSSKeyPairType keyPairType,
NSSOperations operations,
NSSProperties properties,
NSSUTF8 *passwordOpt, /* NULL will cause a callback */
@@ -2339,6 +2406,16 @@ NSSVolatileDomain_ImportEncodedPrivateKey (
NSSToken *destination
);
+NSS_EXTERN NSSPublicKey *
+NSSVolatileDomain_ImportPublicKey (
+ NSSVolatileDomain *vd,
+ NSSPublicKeyInfo *keyInfo,
+ NSSUTF8 *nicknameOpt,
+ NSSOperations operations,
+ NSSProperties properties,
+ NSSToken *destinationOpt
+);
+
/* Other importations: S/MIME capabilities
*/
@@ -2432,7 +2509,7 @@ NSSVolatileDomain_GenerateSymKeyFromPassword (
NSS_EXTERN NSSSymKey *
NSSVolatileDomain_FindSymKeyByAlgorithmAndKeyID (
NSSVolatileDomain *vd,
- NSSOID *algorithm,
+ NSSOIDTag algorithm,
NSSItem *keyID,
NSSCallback *uhhOpt
);
@@ -2448,7 +2525,7 @@ NSSVolatileDomain_UnwrapSymKey (
const NSSAlgNParam *ap,
NSSPrivateKey *wrapKey,
NSSItem *wrappedKey,
- const NSSOID *targetKeyAlg,
+ NSSSymKeyType targetSymKeyType,
NSSCallback *uhhOpt,
NSSOperations operations,
NSSProperties properties
@@ -2477,25 +2554,64 @@ NSSVolatileDomain_DeriveSymKey (
NSSVolatileDomain *vd,
NSSPublicKey *bkOpt,
const NSSAlgNParam *apOpt,
- NSSOID *target,
+ NSSSymKeyType targetSymKeyType,
PRUint32 keySizeOpt, /* zero for best allowed */
NSSOperations operations,
NSSCallback *uhhOpt
);
+NSS_EXTERN NSSCryptoContext *
+NSSVolatileDomain_CreateCryptoContext (
+ NSSVolatileDomain *vd,
+ const NSSAlgNParam *apOpt,
+ NSSCallback *uhhOpt
+);
+
+NSS_EXTERN NSSCertChain *
+NSSVolatileDomain_CreateCertChain (
+ NSSVolatileDomain *vd,
+ NSSCert *vdCertOpt
+);
+
+/*
+ * NSSCertChain
+ *
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCertChain_Destroy (
+ NSSCertChain *chain
+);
+
+NSS_EXTERN PRStatus
+NSSCertChain_AddEncodedCert (
+ NSSCertChain *chain,
+ NSSBER *encodedCert,
+ NSSUTF8 *nicknameOpt,
+ NSSToken *destinationOpt,
+ NSSCert **rvCertOpt
+);
+
+NSS_EXTERN PRIntn
+NSSCertChain_GetNumCerts (
+ NSSCertChain *chain
+);
+
+NSS_EXTERN NSSCert *
+NSSCertChain_GetCert (
+ NSSCertChain *chain,
+ PRIntn index
+);
+
/*
* NSSCryptoContext
*
- * A crypto context is sort of a short-term snapshot of a trust domain,
- * used for the life of "one crypto operation." You can also think of
- * it as a "temporary database."
- *
- * Just about all of the things you can do with a trust domain -- importing
- * or creating certs, keys, etc. -- can be done with a crypto context.
- * The difference is that the objects will be temporary ("session") objects.
+ * A crypto context is sort of a short-term snapshot of a PKI domain,
+ * used for the lifetime of "one crypto operation."
*
- * Also, if the context was created for a key, cert, and/or algorithm; or
+ * If the context was created for a key, cert, and/or algorithm; or
* if such objects have been "associated" with the context, then the context
* can do everything the keys can, like crypto operations.
*
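Review bot: The `NSSCertChain` comment block added here is empty, and none of the five new functions says who owns what. For `NSSCertChain_GetCert` in particular the header should state whether the returned `NSSCert *` is a new reference the caller must destroy and what is returned for an `index` that is negative or not below `NSSCertChain_GetNumCerts` (`PRIntn` is signed, so both cases are reachable). `NSSCertChain_AddEncodedCert` likewise needs a line on whether `*rvCertOpt` is an added reference. A short comment per function, in the style of the other blocks in this header, would cover it.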
diff --git a/security/nss/lib/pki/pki.h b/security/nss/lib/pki/pki.h
index a06eaf572..80c935bad 100644
--- a/security/nss/lib/pki/pki.h
+++ b/security/nss/lib/pki/pki.h
@@ -61,7 +61,7 @@ nssTrustDomain_FindTokenForAlgNParam (
NSS_EXTERN NSSToken *
nssTrustDomain_FindTokenForAlgorithm (
NSSTrustDomain *td,
- const NSSOID *algorithm
+ NSSOIDTag algorithm
);
NSS_EXTERN NSSCallback *
@@ -224,7 +224,7 @@ NSS_EXTERN NSSCert **
nssCert_BuildChain (
NSSCert *c,
NSSTime time,
- NSSUsages *usagesOpt,
+ const NSSUsages *usagesOpt,
NSSPolicies *policiesOpt,
NSSCert **rvOpt,
PRUint32 rvLimit,
@@ -240,7 +240,7 @@ nssPrivateKey_AddRef (
NSS_EXTERN NSSPrivateKey *
nssPrivateKey_Decode (
NSSBER *ber,
- NSSOID *keyPairAlg,
+ NSSKeyPairType keyPairType,
NSSOperations operations,
NSSProperties properties,
NSSUTF8 *passwordOpt,
@@ -296,17 +296,6 @@ nssSymKey_AddRef (
NSSSymKey *mk
);
-NSS_EXTERN PRStatus
-nssSymKey_DeriveSSLSessionKeys (
- NSSSymKey *masterSecret,
- const NSSAlgNParam *ap,
- NSSSymKeyType bulkKeyType,
- NSSOperations operations,
- NSSProperties properties,
- PRUint32 keySize,
- NSSSymKey **sessionKeys
-);
-
NSS_EXTERN NSSVolatileDomain *
nssVolatileDomain_Create (
NSSTrustDomain *td,
diff --git a/security/nss/lib/pki/pkibase.c b/security/nss/lib/pki/pkibase.c
index 2c8e4ceff..4e5c69542 100644
--- a/security/nss/lib/pki/pkibase.c
+++ b/security/nss/lib/pki/pkibase.c
@@ -283,22 +283,36 @@ nssPKIObject_DeleteStoredObject (
NSS_IMPLEMENT NSSToken **
nssPKIObject_GetTokens (
nssPKIObject *object,
+ NSSToken **rvOpt,
+ PRUint32 rvMaxOpt,
PRStatus *statusOpt
)
{
NSSToken **tokens = NULL;
PZ_Lock(object->lock);
if (object->numInstances > 0) {
- tokens = nss_ZNEWARRAY(NULL, NSSToken *, object->numInstances + 1);
+ if (rvMaxOpt) {
+ rvMaxOpt = PR_MIN(rvMaxOpt, object->numInstances);
+ } else {
+ rvMaxOpt = object->numInstances;
+ }
+ if (rvOpt) {
+ tokens = rvOpt;
+ } else {
+ tokens = nss_ZNEWARRAY(NULL, NSSToken *,
+ object->numInstances + 1);
+ }
if (tokens) {
PRUint32 i;
- for (i=0; i<object->numInstances; i++) {
+ for (i=0; i<rvMaxOpt; i++) {
tokens[i] = nssToken_AddRef(object->instances[i]->token);
}
}
}
PZ_Unlock(object->lock);
- if (statusOpt) *statusOpt = PR_SUCCESS; /* until more logic here */
+ /* until more logic here */
+ if (statusOpt)
+ *statusOpt = tokens ? PR_SUCCESS : PR_FAILURE;
return tokens;
}
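Review bot: When the caller passes `rvOpt` with `rvMaxOpt == 0`, the loop copies `object->numInstances` pointers into a buffer whose size the function never learns, so a caller array smaller than the instance count is overrun; that contract should be stated in a comment on the function, or the combination rejected. A caller-supplied array is also left without a NULL terminator and no count is returned, so the caller cannot tell how many entries were filled when `PR_MIN` clamps `rvMaxOpt` to fewer than it asked for. Separately, `*statusOpt = tokens ? PR_SUCCESS : PR_FAILURE;` now reports failure for an object with no instances, which the header comments in this commit describe as a valid case ("There doesn't have to be any"), and it makes that case indistinguishable from a failed `nss_ZNEWARRAY`.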
@@ -545,7 +559,7 @@ NSS_IMPLEMENT NSSCert *
nssCertArray_FindBestCert (
NSSCert **certs,
NSSTime time,
- NSSUsages *usagesOpt,
+ const NSSUsages *usagesOpt,
NSSPolicies *policiesOpt
)
{
@@ -645,8 +659,8 @@ nssCRLArray_Destroy (
NSS_IMPLEMENT PRBool
nssUsages_Match (
- NSSUsages *usages,
- NSSUsages *testUsages
+ const NSSUsages *usages,
+ const NSSUsages *testUsages
)
{
return (((usages->ca & testUsages->ca) == usages->ca) &&
diff --git a/security/nss/lib/pki/pkim.h b/security/nss/lib/pki/pkim.h
index 329addff6..4b9f90dba 100644
--- a/security/nss/lib/pki/pkim.h
+++ b/security/nss/lib/pki/pkim.h
@@ -128,6 +128,8 @@ nssPKIObject_HasInstance (
NSS_EXTERN NSSToken **
nssPKIObject_GetTokens (
nssPKIObject *object,
+ NSSToken **rvOpt,
+ PRUint32 rvMaxOpt,
PRStatus *statusOpt
);
@@ -335,6 +337,8 @@ nssSymKey_CopyToToken (
NSS_EXTERN NSSToken **
nssSymKey_GetTokens (
NSSSymKey *mk,
+ NSSToken **rvOpt,
+ PRUint32 rvMaxOpt,
PRStatus *statusOpt
);
@@ -376,7 +380,7 @@ NSS_EXTERN NSSPublicKey *
nssPublicKey_CreateFromInfo (
NSSTrustDomain *td,
NSSVolatileDomain *vdOpt,
- NSSOID *keyAlg,
+ NSSOIDTag keyAlg,
NSSBitString *keyBits
);
@@ -444,8 +448,8 @@ nssPrivateKey_CopyToToken (
NSS_EXTERN PRBool
nssUsages_Match (
- NSSUsages *usages,
- NSSUsages *testUsages
+ const NSSUsages *usages,
+ const NSSUsages *testUsages
);
/* nssCertArray
@@ -493,7 +497,7 @@ NSS_EXTERN NSSCert *
nssCertArray_FindBestCert (
NSSCert **certs,
NSSTime time,
- NSSUsages *usagesOpt,
+ const NSSUsages *usagesOpt,
NSSPolicies *policiesOpt
);
diff --git a/security/nss/lib/pki/symmkey.c b/security/nss/lib/pki/symmkey.c
index 02e671c76..1466646d3 100644
--- a/security/nss/lib/pki/symmkey.c
+++ b/security/nss/lib/pki/symmkey.c
@@ -125,10 +125,12 @@ NSSSymKey_Destroy (
NSS_IMPLEMENT NSSToken **
nssSymKey_GetTokens (
NSSSymKey *mk,
+ NSSToken **rvOpt,
+ PRUint32 rvMaxOpt,
PRStatus *statusOpt
)
{
- return nssPKIObject_GetTokens(&mk->object, statusOpt);
+ return nssPKIObject_GetTokens(&mk->object, rvOpt, rvMaxOpt, statusOpt);
}
NSS_IMPLEMENT nssCryptokiObject *
@@ -522,7 +524,7 @@ NSSSymKey_UnwrapSymKey (
NSSSymKey *wrappingKey,
const NSSAlgNParam *ap,
NSSItem *wrappedKey,
- NSSOID *target,
+ NSSSymKeyType targetSymKeyType,
PRUint32 keySizeOpt,
NSSOperations operations,
NSSCallback *uhh
@@ -603,11 +605,9 @@ NSS_IMPLEMENT PRStatus
nssSymKey_DeriveSSLSessionKeys (
NSSSymKey *masterSecret,
const NSSAlgNParam *ap,
- NSSSymKeyType bulkKeyType,
- NSSOperations operations,
- NSSProperties properties,
- PRUint32 keySize,
- NSSSymKey **sessionKeys
+ NSSSymKey **rvSessionKeys, /* [4] */
+ NSSItem *rvClientIV,
+ NSSItem *rvServerIV
)
{
nssCryptokiObject *mso; /* only one instance of master secret */
@@ -617,22 +617,21 @@ nssSymKey_DeriveSSLSessionKeys (
mso = masterSecret->object.instances[0];
status = nssToken_DeriveSSLSessionKeys(mso->token, mso->session,
- ap, mso, bulkKeyType,
- operations, properties,
- keySize, skeys);
+ ap, mso, skeys,
+ rvClientIV, rvServerIV);
if (status == PR_FAILURE) {
return PR_FAILURE;
}
for (i=0; i<4; i++) {
- sessionKeys[i] = nssSymKey_CreateFromInstance(skeys[i],
- masterSecret->object.td,
- masterSecret->object.vd);
- if (!sessionKeys[i]) break;
+ rvSessionKeys[i] = nssSymKey_CreateFromInstance(skeys[i],
+ masterSecret->object.td,
+ masterSecret->object.vd);
+ if (!rvSessionKeys[i]) break;
}
if (i < 4) {
nssCryptokiObject_Destroy(skeys[i]);
for (--i; i>=0; --i) {
- nssSymKey_Destroy(sessionKeys[i]);
+ nssSymKey_Destroy(rvSessionKeys[i]);
}
status = PR_FAILURE;
}
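Review bot: The cleanup after a failed `nssSymKey_CreateFromInstance` releases only `skeys[i]`, so the derived instances at `skeys[i+1]` through `skeys[3]` are never destroyed; I would release all of them, e.g. `for (j = i; j < 4; j++) nssCryptokiObject_Destroy(skeys[j]);`. The entries of `rvSessionKeys` that are destroyed in the loop stay in the caller's array as dangling pointers and should be set to NULL there. The declaration of `i` is outside the hunk: if it is an unsigned type, `for (--i; i>=0; --i)` never terminates and indexes past the start of the array. The function begins before this hunk and continues after it.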
diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c
index 5ab3929e0..ee25db741 100644
--- a/security/nss/lib/pki/trustdomain.c
+++ b/security/nss/lib/pki/trustdomain.c
@@ -334,13 +334,13 @@ nssTrustDomain_FindTokenForAlgNParam (
NSS_IMPLEMENT NSSToken *
nssTrustDomain_FindTokenForAlgorithm (
NSSTrustDomain *td,
- const NSSOID *algorithm
+ NSSOIDTag algorithm
)
{
NSSAlgNParam *ap;
NSSToken *token = NULL;
- ap = nssOID_CreateAlgNParam(algorithm, NULL, NULL);
+ ap = nssOIDTag_CreateAlgNParam(algorithm, NULL, NULL);
if (ap) {
token = nssTrustDomain_FindTokenForAlgNParam(td, ap);
nssAlgNParam_Destroy(ap);
@@ -351,7 +351,7 @@ nssTrustDomain_FindTokenForAlgorithm (
NSS_IMPLEMENT NSSToken *
NSSTrustDomain_FindTokenForAlgorithm (
NSSTrustDomain *td,
- const NSSOID *algorithm
+ NSSOIDTag algorithm
)
{
nss_SetError(NSS_ERROR_NOT_FOUND);
@@ -361,8 +361,8 @@ NSSTrustDomain_FindTokenForAlgorithm (
NSS_IMPLEMENT NSSToken *
NSSTrustDomain_FindBestTokenForAlgorithms (
NSSTrustDomain *td,
- NSSOID *algorithms[], /* may be null-terminated */
- PRUint32 nAlgorithmsOpt /* limits the array if nonzero */
+ NSSOIDTag *algorithms,
+ PRUint32 nAlgorithmsOpt
)
{
nss_SetError(NSS_ERROR_NOT_FOUND);
@@ -456,13 +456,10 @@ NSSTrustDomain_ImportEncodedCert (
nicknameOpt);
}
-NSS_IMPLEMENT NSSCert **
+NSS_IMPLEMENT NSSCertChain *
NSSTrustDomain_ImportEncodedCertChain (
NSSTrustDomain *td,
NSSBER *ber,
- NSSCert *rvOpt[],
- PRUint32 maximumOpt, /* 0 for no max */
- NSSArena *arenaOpt,
NSSToken *destinationOpt
)
{
@@ -474,7 +471,7 @@ NSS_IMPLEMENT NSSPrivateKey *
nssTrustDomain_ImportEncodedPrivateKey (
NSSTrustDomain *td,
NSSBER *ber,
- NSSOID *keyPairAlg,
+ NSSKeyPairType keyPairType,
NSSOperations operations,
NSSProperties properties,
NSSUTF8 *passwordOpt,
@@ -482,7 +479,7 @@ nssTrustDomain_ImportEncodedPrivateKey (
NSSToken *destination
)
{
- return nssPrivateKey_Decode(ber, keyPairAlg,
+ return nssPrivateKey_Decode(ber, keyPairType,
operations, properties,
passwordOpt, uhhOpt, destination, td, NULL);
}
@@ -491,7 +488,7 @@ NSS_IMPLEMENT NSSPrivateKey *
NSSTrustDomain_ImportEncodedPrivateKey (
NSSTrustDomain *td,
NSSBER *ber,
- NSSOID *keyPairAlg,
+ NSSKeyPairType keyPairType,
NSSOperations operations,
NSSProperties properties,
NSSUTF8 *passwordOpt,
@@ -499,7 +496,7 @@ NSSTrustDomain_ImportEncodedPrivateKey (
NSSToken *destination
)
{
- return nssTrustDomain_ImportEncodedPrivateKey(td, ber, keyPairAlg,
+ return nssTrustDomain_ImportEncodedPrivateKey(td, ber, keyPairType,
operations, properties,
passwordOpt, uhhOpt,
destination);
@@ -1615,7 +1612,7 @@ NSSTrustDomain_GenerateSymKeyFromPassword (
NSS_IMPLEMENT NSSSymKey *
NSSTrustDomain_FindSymKeyByAlgorithmAndKeyID (
NSSTrustDomain *td,
- NSSOID *algorithm,
+ NSSOIDTag algorithm,
NSSItem *keyID,
NSSCallback *uhhOpt
)
@@ -1741,7 +1738,7 @@ NSSTrustDomain_CreateCryptoContext (
NSS_IMPLEMENT NSSCryptoContext *
NSSTrustDomain_CreateCryptoContextForAlgorithm (
NSSTrustDomain *td,
- NSSOID *algorithm
+ NSSOIDTag algorithm
)
{
nss_SetError(NSS_ERROR_NOT_FOUND);
diff --git a/security/nss/lib/pki/volatiledomain.c b/security/nss/lib/pki/volatiledomain.c
index 7dd8ea35d..b792cb1ae 100644
--- a/security/nss/lib/pki/volatiledomain.c
+++ b/security/nss/lib/pki/volatiledomain.c
@@ -272,22 +272,22 @@ NSSVolatileDomain_ImportEncodedCert (
return nssVolatileDomain_ImportEncodedCert(vd, ber, nickOpt);
}
-NSS_IMPLEMENT PRStatus
+NSS_IMPLEMENT NSSCertChain *
NSSVolatileDomain_ImportEncodedCertChain (
NSSVolatileDomain *vd,
NSSBER *ber,
- NSSCertType certType
+ NSSToken *destinationOpt
)
{
nss_SetError(NSS_ERROR_NOT_FOUND);
- return PR_FAILURE;
+ return NULL;
}
NSS_IMPLEMENT NSSPrivateKey *
nssVolatileDomain_ImportEncodedPrivateKey (
NSSVolatileDomain *vd,
NSSBER *ber,
- NSSOID *keyPairAlg,
+ NSSKeyPairType keyPairType,
NSSOperations operations,
NSSProperties properties,
NSSUTF8 *passwordOpt,
@@ -295,7 +295,7 @@ nssVolatileDomain_ImportEncodedPrivateKey (
NSSToken *destination
)
{
- return nssPrivateKey_Decode(ber, keyPairAlg,
+ return nssPrivateKey_Decode(ber, keyPairType,
operations, properties,
passwordOpt, uhhOpt, destination,
vd->td, vd);
@@ -305,7 +305,7 @@ NSS_IMPLEMENT NSSPrivateKey *
NSSVolatileDomain_ImportEncodedPrivateKey (
NSSVolatileDomain *vd,
NSSBER *ber,
- NSSOID *keyPairAlg,
+ NSSKeyPairType keyPairType,
NSSOperations operations,
NSSProperties properties,
NSSUTF8 *passwordOpt,
@@ -313,7 +313,7 @@ NSSVolatileDomain_ImportEncodedPrivateKey (
NSSToken *destination
)
{
- return nssVolatileDomain_ImportEncodedPrivateKey(vd, ber, keyPairAlg,
+ return nssVolatileDomain_ImportEncodedPrivateKey(vd, ber, keyPairType,
operations,
properties,
passwordOpt, uhhOpt,
@@ -962,7 +962,7 @@ NSSVolatileDomain_GenerateSymKeyFromPassword (
NSS_IMPLEMENT NSSSymKey *
NSSVolatileDomain_FindSymKeyByAlgorithmAndKeyID (
NSSVolatileDomain *vd,
- NSSOID *algorithm,
+ NSSOIDTag algorithm,
NSSItem *keyID,
NSSCallback *uhhOpt
)
@@ -971,33 +971,13 @@ NSSVolatileDomain_FindSymKeyByAlgorithmAndKeyID (
return NULL;
}
-/* XXX at a lower layer, or with OID? */
-static NSSSymKeyType
-get_sym_key_type(const NSSOID *symKeyAlg)
-{
- switch (nssOID_GetTag(symKeyAlg)) {
- case NSS_OID_DES_ECB:
- case NSS_OID_DES_CBC:
- case NSS_OID_DES_MAC:
- return NSSSymKeyType_DES;
- case NSS_OID_DES_EDE3_CBC:
- return NSSSymKeyType_TripleDES;
- case NSS_OID_RC2_CBC:
- return NSSSymKeyType_RC2;
- case NSS_OID_RC4:
- return NSSSymKeyType_RC4;
- default:
- return NSSSymKeyType_Unknown;
- }
-}
-
NSS_IMPLEMENT NSSSymKey *
nssVolatileDomain_UnwrapSymKey (
NSSVolatileDomain *vd,
const NSSAlgNParam *ap,
NSSPrivateKey *wrapKey,
NSSItem *wrappedKey,
- const NSSOID *targetKeyAlg,
+ NSSSymKeyType targetSymKeyType,
NSSCallback *uhhOpt,
NSSOperations operations,
NSSProperties properties
@@ -1005,7 +985,6 @@ nssVolatileDomain_UnwrapSymKey (
{
nssCryptokiObject *vko, *mko;
NSSSymKey *mkey = NULL;
- NSSSymKeyType keyType = get_sym_key_type(targetKeyAlg);
/* find a token to do it on */
vko = nssPrivateKey_FindInstanceForAlgorithm(wrapKey, ap);
@@ -1015,7 +994,8 @@ nssVolatileDomain_UnwrapSymKey (
/* do the unwrap for a session object */
mko = nssToken_UnwrapSymKey(vko->token, vko->session, ap, vko,
wrappedKey, PR_FALSE,
- operations, properties, keyType);
+ operations, properties,
+ targetSymKeyType);
/* done with the private key */
nssCryptokiObject_Destroy(vko);
/* create a new symkey in the volatile domain */
@@ -1034,16 +1014,16 @@ NSSVolatileDomain_UnwrapSymKey (
const NSSAlgNParam *ap,
NSSPrivateKey *wrapKey,
NSSItem *wrappedKey,
- const NSSOID *targetKeyAlg,
+ NSSSymKeyType targetSymKeyType,
NSSCallback *uhhOpt,
NSSOperations operations,
NSSProperties properties
)
{
return nssVolatileDomain_UnwrapSymKey(vd, ap, wrapKey,
- wrappedKey, targetKeyAlg,
- uhhOpt, operations,
- properties);
+ wrappedKey, targetSymKeyType,
+ uhhOpt, operations,
+ properties);
}
NSS_IMPLEMENT NSSSymKey *
@@ -1051,7 +1031,7 @@ NSSVolatileDomain_DeriveSymKey (
NSSVolatileDomain *vd,
NSSPublicKey *bk,
const NSSAlgNParam *apOpt,
- NSSOID *target,
+ NSSSymKeyType targetSymKeyType,
PRUint32 keySizeOpt, /* zero for best allowed */
NSSOperations operations,
NSSCallback *uhhOpt
diff --git a/security/nss/lib/pki1/nsspki1.h b/security/nss/lib/pki1/nsspki1.h
index 7464c681e..fe2c41e3a 100644
--- a/security/nss/lib/pki1/nsspki1.h
+++ b/security/nss/lib/pki1/nsspki1.h
@@ -76,22 +76,11 @@ PR_BEGIN_EXTERN_C
* NSSOID_GetUTF8Encoding
*/
-NSS_EXTERN NSSOID *
-NSSOID_Create (
+NSS_EXTERN NSSOIDTag
+NSSOIDTag_Create (
NSSItem *oidData
);
-NSS_EXTERN NSSOID *
-NSSOID_CreateFromTag (
- NSSOIDTag tag
-);
-
-NSS_EXTERN PRBool
-NSSOID_IsTag (
- const NSSOID *oid,
- NSSOIDTag tag
-);
-
/*
* NSSOID_CreateFromBER
*
@@ -108,8 +97,8 @@ NSSOID_IsTag (
* An NSSOID upon success
*/
-NSS_EXTERN NSSOID *
-NSSOID_CreateFromBER (
+NSS_EXTERN NSSOIDTag
+NSSOIDTag_CreateFromBER (
NSSBER *berOid
);
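Review bot: The comment blocks above the renamed functions still describe the old interface: they are titled `NSSOID_CreateFromBER` and promise "An NSSOID upon success", while the function now returns an `NSSOIDTag` and, per oid.c in this commit, reports failure as `NSS_OID_UNKNOWN` rather than NULL. A caller following the comment would test the result against NULL, which is not a reliable failure check for the new return type. The same applies to the blocks for `NSSOIDTag_CreateFromUTF8`, `NSSOIDTag_GetDEREncoding` and `NSSOIDTag_GetUTF8Encoding` here and to the matching comments in oid.c; each should be retitled and its return section changed to something like `NSS_OID_UNKNOWN upon error`.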
@@ -131,8 +120,8 @@ NSSOID_CreateFromBER (
* An NSSOID upon success
*/
-NSS_EXTERN NSSOID *
-NSSOID_CreateFromUTF8 (
+NSS_EXTERN NSSOIDTag
+NSSOIDTag_CreateFromUTF8 (
NSSUTF8 *stringOid
);
@@ -156,8 +145,8 @@ NSSOID_CreateFromUTF8 (
*/
NSS_EXTERN NSSDER *
-NSSOID_GetDEREncoding (
- const NSSOID *oid,
+NSSOIDTag_GetDEREncoding (
+ NSSOIDTag oidTag,
NSSDER *rvOpt,
NSSArena *arenaOpt
);
@@ -184,8 +173,8 @@ NSSOID_GetDEREncoding (
*/
NSS_EXTERN NSSUTF8 *
-NSSOID_GetUTF8Encoding (
- const NSSOID *oid,
+NSSOIDTag_GetUTF8Encoding (
+ NSSOIDTag oidTag,
NSSArena *arenaOpt
);
@@ -195,19 +184,47 @@ NSSOID_GetUTF8Encoding (
*/
NSS_EXTERN NSSAlgNParam *
-NSSOID_CreateAlgNParam (
- const NSSOID *oid,
- NSSParameters *parameters,
+NSSOIDTag_CreateAlgNParam (
+ NSSOIDTag algorithmTag,
+ NSSParameters *parametersOpt,
NSSArena *arenaOpt
);
NSS_EXTERN NSSAlgNParam *
-NSSOID_CreateAlgNParamForKeyGen (
- const NSSOID *oid,
- NSSParameters *parameters,
+NSSOIDTag_CreateAlgNParamForKeyGen (
+ NSSOIDTag keyAlgorithmTag,
+ NSSParameters *parametersOpt,
+ NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSAlgNParam *
+NSSOIDTag_CreateAlgNParamForWrap (
+ NSSOIDTag encryptionOIDTag,
+ NSSParameters *parametersOpt,
NSSArena *arenaOpt
);
+NSS_EXTERN NSSAlgNParam *
+NSSOIDTag_CreateAlgNParamForUnwrap (
+ NSSOIDTag encryptionOIDTag,
+ NSSParameters *parametersOpt,
+ NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSAlgNParam *
+NSSOIDTag_CreateAlgNParamForHMAC (
+ NSSOIDTag digestOIDTag,
+ NSSParameters *parametersOpt,
+ NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSSymKeyType
+NSSOIDTag_GetSymKeyType (
+ NSSOIDTag alg
+);
+
+#ifdef the_rest
+
/*
* NSSATAV
*
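Review bot: `#ifdef the_rest` removes every declaration from here to the end of this public header with no explanation, and a lower-case macro name gives no hint that it is a deliberate switch. I would put a comment on it such as `/* XXX not yet converted from NSSOID to NSSOIDTag; disabled until then */` so that code which includes this header and loses `NSSATAV` and the following types can tell why. Also note that `NSSOIDTag_CreateAlgNParamForWrap`, `...ForUnwrap` and `...ForHMAC` are declared here but no definition appears in the oid.c changes on this page; if they live elsewhere that is fine, otherwise they will only fail at link time.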
@@ -2776,6 +2793,8 @@ NSSGeneralNameSeq_Duplicate (
NSSArena *arenaOpt
);
+#endif /* the_rest */
+
PR_END_EXTERN_C
#endif /* NSSPT1M_H */
diff --git a/security/nss/lib/pki1/nsspki1t.h b/security/nss/lib/pki1/nsspki1t.h
index 8765a3ad3..c837566f4 100644
--- a/security/nss/lib/pki1/nsspki1t.h
+++ b/security/nss/lib/pki1/nsspki1t.h
@@ -57,8 +57,7 @@ PR_BEGIN_EXTERN_C
* This is the basic OID that crops up everywhere.
*/
-struct NSSOIDStr;
-typedef struct NSSOIDStr NSSOID;
+typedef enum NSSOIDTagEnum NSSOIDTag;
/*
* AttributeTypeAndValue
diff --git a/security/nss/lib/pki1/oid.c b/security/nss/lib/pki1/oid.c
index cf2820357..e68a39721 100644
--- a/security/nss/lib/pki1/oid.c
+++ b/security/nss/lib/pki1/oid.c
@@ -103,62 +103,16 @@ nssOID_CreateFromTag (
return (NSSOID *)NULL;
}
-NSS_IMPLEMENT NSSOID *
-NSSOID_CreateFromTag (
- NSSOIDTag tag
-)
-{
- return nssOID_CreateFromTag(tag);
-}
-
-NSS_IMPLEMENT PRBool
-nssOID_IsTag (
- const NSSOID *oid,
- NSSOIDTag tag
-)
-{
- NSSOID *tagOID;
-
- tagOID = nssOID_CreateFromTag(tag);
- if (tagOID) {
- return (tagOID == oid);
- }
- return PR_FALSE;
-}
-
-/* XXX ugh */
-NSS_IMPLEMENT NSSOIDTag
-nssOID_GetTag (
- const NSSOID *oid
-)
-{
- NSSOIDTag tag;
- tag = oid - nss_builtin_oids;
- if (tag >= 0 && tag < nss_builtin_oid_count) {
- return tag;
- }
- return NSS_OID_UNKNOWN;
-}
-
-NSS_IMPLEMENT PRBool
-NSSOID_IsTag (
- const NSSOID *oid,
- NSSOIDTag tag
-)
-{
- return nssOID_IsTag(oid, tag);
-}
-
NSS_IMPLEMENT NSSAlgNParam *
-nssOID_CreateAlgNParam (
- const NSSOID *oid,
+nssOIDTag_CreateAlgNParam (
+ NSSOIDTag oidTag,
NSSParameters *parameters,
NSSArena *arenaOpt
)
{
- if (oid->mechanism != CKM_INVALID_MECHANISM) {
- return nssAlgNParam_Create(arenaOpt, oid,
- parameters);
+ NSSOID *oid = nssOID_CreateFromTag(oidTag);
+ if (oid && oid->mechanism != CKM_INVALID_MECHANISM) {
+ return nssAlgNParam_Create(arenaOpt, oid, parameters);
} else {
nss_SetError(NSS_ERROR_INVALID_NSSOID);
}
@@ -166,25 +120,25 @@ nssOID_CreateAlgNParam (
}
NSS_IMPLEMENT NSSAlgNParam *
-NSSOID_CreateAlgNParam (
- const NSSOID *oid,
+NSSOIDTag_CreateAlgNParam (
+ NSSOIDTag oidTag,
NSSParameters *parameters,
NSSArena *arenaOpt
)
{
- return nssOID_CreateAlgNParam(oid, parameters, arenaOpt);
+ return nssOIDTag_CreateAlgNParam(oidTag, parameters, arenaOpt);
}
NSS_IMPLEMENT NSSAlgNParam *
-nssOID_CreateAlgNParamForKeyGen (
- const NSSOID *oid,
+nssOIDTag_CreateAlgNParamForKeyGen (
+ NSSOIDTag oidTag,
NSSParameters *parameters,
NSSArena *arenaOpt
)
{
- if (oid->mechanism != CKM_INVALID_MECHANISM) {
- return nssAlgNParam_CreateForKeyGen(arenaOpt, oid,
- parameters);
+ NSSOID *oid = nssOID_CreateFromTag(oidTag);
+ if (oid && oid->mechanism != CKM_INVALID_MECHANISM) {
+ return nssAlgNParam_CreateForKeyGen(arenaOpt, oid, parameters);
} else {
nss_SetError(NSS_ERROR_INVALID_NSSOID);
}
@@ -192,33 +146,104 @@ nssOID_CreateAlgNParamForKeyGen (
}
NSS_IMPLEMENT NSSAlgNParam *
-NSSOID_CreateAlgNParamForKeyGen (
- const NSSOID *oid,
+NSSOIDTag_CreateAlgNParamForKeyGen (
+ NSSOIDTag oidTag,
NSSParameters *parameters,
NSSArena *arenaOpt
)
{
- return nssOID_CreateAlgNParamForKeyGen(oid, parameters,
- arenaOpt);
+ return nssOIDTag_CreateAlgNParamForKeyGen(oidTag, parameters, arenaOpt);
}
-NSS_EXTERN NSSOID *
-nssOID_Create (
+NSS_EXTERN NSSOIDTag
+nssOIDTag_Create (
NSSItem *oidData
)
{
/* XXX this is because the code thinks the oids are der-encoded, but
* they're not
*/
- return nssOID_CreateFromBER(oidData);
+ return nssOIDTag_CreateFromBER(oidData);
}
-NSS_EXTERN NSSOID *
-NSSOID_Create (
+NSS_EXTERN NSSOIDTag
+NSSOIDTag_Create (
NSSItem *oidData
)
{
- return nssOID_Create(oidData);
+ return nssOIDTag_Create(oidData);
+}
+
+NSS_IMPLEMENT NSSOID *
+nssOID_CreateFromBER (
+ NSSBER *berOid
+)
+{
+ return nssOID_CreateFromTag(nssOIDTag_CreateFromBER(berOid));
+}
+
+/* XXX ugh */
+NSS_IMPLEMENT NSSOIDTag
+nssOID_GetTag (
+ const NSSOID *oid
+)
+{
+ NSSOIDTag tag;
+ tag = oid - nss_builtin_oids;
+ if (tag >= 0 && tag < nss_builtin_oid_count) {
+ return tag;
+ }
+ return NSS_OID_UNKNOWN;
+}
+
+NSS_IMPLEMENT NSSSymKeyType
+nssOIDTag_GetSymKeyType (
+ NSSOIDTag alg
+)
+{
+ switch (alg) {
+ case NSS_OID_RC2_CBC: return NSSSymKeyType_RC2;
+ case NSS_OID_RC4: return NSSSymKeyType_RC4;
+ case NSS_OID_RC5_CBC_PAD: return NSSSymKeyType_RC5;
+ case NSS_OID_DES_EDE3_CBC: return NSSSymKeyType_TripleDES;
+ case NSS_OID_DES_ECB:
+ case NSS_OID_DES_CBC:
+ case NSS_OID_DES_OFB:
+ case NSS_OID_DES_CFB: return NSSSymKeyType_DES;
+ default:
+ return NSSSymKeyType_Unknown;
+ }
+}
+
+NSS_IMPLEMENT NSSSymKeyType
+NSSOIDTag_GetSymKeyType (
+ NSSOIDTag alg
+)
+{
+ return nssOIDTag_GetSymKeyType(alg);
+}
+
+NSS_IMPLEMENT NSSSymKeyType
+nssOIDTag_GetKeyPairType (
+ NSSOIDTag alg
+)
+{
+ switch (alg) {
+ case NSS_OID_ANSIX9_DSA_SIGNATURE:
+ case NSS_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+ return NSSKeyPairType_DSA;
+ case NSS_OID_X942_DIFFIE_HELLMAN_KEY:
+ return NSSKeyPairType_DH;
+ case NSS_OID_PKCS1_RSA_ENCRYPTION:
+ case NSS_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+ case NSS_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+ case NSS_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+ case NSS_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+ case NSS_OID_X500_RSA_ENCRYPTION:
+ return NSSKeyPairType_RSA;
+ default:
+ return NSSSymKeyType_Unknown;
+ }
}
/*
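Review bot: `nssOIDTag_GetKeyPairType` is declared to return `NSSSymKeyType` but returns `NSSKeyPairType_*` constants, and its default branch returns `NSSSymKeyType_Unknown`. The two enumerations are unrelated, so a caller that compares the result with the key-pair "unknown" value can treat an unrecognised algorithm as a valid key type if the numeric values differ. The signature should read `NSS_IMPLEMENT NSSKeyPairType` and the default should return the key-pair enumeration's unknown value (its name is not visible on this page). The function also has no prototype in the headers shown here.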
@@ -237,8 +262,8 @@ NSSOID_Create (
* An NSSOID upon success
*/
-NSS_EXTERN NSSOID *
-NSSOID_CreateFromBER (
+NSS_EXTERN NSSOIDTag
+NSSOIDTag_CreateFromBER (
NSSBER *berOid
)
{
@@ -252,16 +277,16 @@ NSSOID_CreateFromBER (
if( (NSSBER *)NULL == berOid ) {
nss_SetError(NSS_ERROR_INVALID_BER);
- return (NSSOID *)NULL;
+ return NSS_OID_UNKNOWN;
}
if( (void *)NULL == berOid->data ) {
nss_SetError(NSS_ERROR_INVALID_BER);
- return (NSSOID *)NULL;
+ return NSS_OID_UNKNOWN;
}
#endif /* DEBUG */
- return nssOID_CreateFromBER(berOid);
+ return nssOIDTag_CreateFromBER(berOid);
}
/*
@@ -281,8 +306,8 @@ NSSOID_CreateFromBER (
* An NSSOID upon success
*/
-NSS_EXTERN NSSOID *
-NSSOID_CreateFromUTF8 (
+NSS_EXTERN NSSOIDTag
+NSSOIDTag_CreateFromUTF8 (
NSSUTF8 *stringOid
)
{
@@ -296,11 +321,11 @@ NSSOID_CreateFromUTF8 (
if( (NSSUTF8 *)NULL == stringOid ) {
nss_SetError(NSS_ERROR_INVALID_UTF8);
- return (NSSOID *)NULL;
+ return NSS_OID_UNKNOWN;
}
#endif /* DEBUG */
- return nssOID_CreateFromUTF8(stringOid);
+ return nssOIDTag_CreateFromUTF8(stringOid);
}
/*
@@ -322,15 +347,15 @@ NSSOID_CreateFromUTF8 (
*/
NSS_EXTERN NSSDER *
-NSSOID_GetDEREncoding (
- const NSSOID *oid,
+NSSOIDTag_GetDEREncoding (
+ NSSOIDTag oidTag,
NSSDER *rvOpt,
NSSArena *arenaOpt
)
{
nss_ClearErrorStack();
- return nssOID_GetDEREncoding(oid, rvOpt, arenaOpt);
+ return nssOIDTag_GetDEREncoding(oidTag, rvOpt, arenaOpt);
}
/*
@@ -354,14 +379,14 @@ NSSOID_GetDEREncoding (
*/
NSS_EXTERN NSSUTF8 *
-NSSOID_GetUTF8Encoding (
- const NSSOID *oid,
+NSSOIDTag_GetUTF8Encoding (
+ NSSOIDTag oidTag,
NSSArena *arenaOpt
)
{
nss_ClearErrorStack();
- return nssOID_GetUTF8Encoding(oid, arenaOpt);
+ return nssOIDTag_GetUTF8Encoding(oidTag, arenaOpt);
}
/*
@@ -613,8 +638,8 @@ oid_sanity_check_ber (
* An NSSOID upon success
*/
-NSS_EXTERN NSSOID *
-nssOID_CreateFromBER (
+NSS_EXTERN NSSOIDTag
+nssOIDTag_CreateFromBER (
NSSBER *berOid
)
{
@@ -622,12 +647,12 @@ nssOID_CreateFromBER (
PLHashEntry *e;
if( PR_SUCCESS != oid_init() ) {
- return (NSSOID *)NULL;
+ return NSS_OID_UNKNOWN;
}
if( PR_SUCCESS != oid_sanity_check_ber(berOid) ) {
nss_SetError(NSS_ERROR_INVALID_BER);
- return (NSSOID *)NULL;
+ return NSS_OID_UNKNOWN;
}
/*
@@ -638,7 +663,7 @@ nssOID_CreateFromBER (
(void)PZ_Unlock(oid_hash_lock);
if( (NSSOID *)NULL != rv ) {
/* Found it! */
- return rv;
+ return rv - nss_builtin_oids;
}
/*
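Review bot: `return rv - nss_builtin_oids;` only yields a valid tag when `rv` points into the `nss_builtin_oids` array, and the entry found in the hash table here may be one that was added dynamically. At the end of this function (the `@@ -669,10 +694,11` hunk) `rv` has just been allocated from `oid_arena`, so the subtraction is between unrelated objects, which is undefined behaviour in C and produces a tag that does not identify the OID; the same expression is used in three returns of `nssOIDTag_CreateFromUTF8`. The `XXX` comment acknowledges the problem, but until dynamic OIDs have their own table I would at least return a range-checked value, `return nssOID_GetTag(rv);`, so that out-of-table entries come back as `NSS_OID_UNKNOWN` instead of an arbitrary integer.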
@@ -646,12 +671,12 @@ nssOID_CreateFromBER (
*/
rv = nss_ZNEW(oid_arena, NSSOID);
if( (NSSOID *)NULL == rv ) {
- return (NSSOID *)NULL;
+ return NSS_OID_UNKNOWN;
}
rv->data.data = nss_ZAlloc(oid_arena, berOid->size);
if( (void *)NULL == rv->data.data ) {
- return (NSSOID *)NULL;
+ return NSS_OID_UNKNOWN;
}
rv->data.size = berOid->size;
@@ -669,10 +694,11 @@ nssOID_CreateFromBER (
nss_ZFreeIf(rv->data.data);
nss_ZFreeIf(rv);
nss_SetError(NSS_ERROR_NO_MEMORY);
- return (NSSOID *)NULL;
+ return NSS_OID_UNKNOWN;
}
- return rv;
+ /* XXX shouldn't the dynamic oids be in a different table? */
+ return rv - nss_builtin_oids;
}
/*
@@ -1050,8 +1076,8 @@ oid_encode_string (
* An NSSOID upon success
*/
-NSS_EXTERN NSSOID *
-nssOID_CreateFromUTF8 (
+NSS_EXTERN NSSOIDTag
+nssOIDTag_CreateFromUTF8 (
NSSUTF8 *stringOid
)
{
@@ -1060,18 +1086,18 @@ nssOID_CreateFromUTF8 (
PLHashEntry *e;
if( PR_SUCCESS != oid_init() ) {
- return (NSSOID *)NULL;
+ return NSS_OID_UNKNOWN;
}
if( PR_SUCCESS != oid_sanity_check_utf8(stringOid) ) {
nss_SetError(NSS_ERROR_INVALID_STRING);
- return (NSSOID *)NULL;
+ return NSS_OID_UNKNOWN;
}
candidate = oid_encode_string(stringOid);
if( (NSSOID *)NULL == candidate ) {
/* Internal error only */
- return rv;
+ return rv - nss_builtin_oids;
}
/*
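Review bot: The "Internal error only" branch now returns `rv - nss_builtin_oids` instead of an error value. The initialiser of `rv` is outside the hunk, but the old code returned `rv` on this failure path, which suggests it is still NULL here; subtracting the table base from NULL gives an arbitrary tag that a caller cannot distinguish from a real one. Every other failure return in this function was changed to `NSS_OID_UNKNOWN`, and this one should be too: `return NSS_OID_UNKNOWN;`.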
@@ -1084,7 +1110,7 @@ nssOID_CreateFromUTF8 (
/* Already exists. Delete my copy and return the original. */
(void)nss_ZFreeIf(candidate->data.data);
(void)nss_ZFreeIf(candidate);
- return rv;
+ return rv - nss_builtin_oids;
}
/*
@@ -1120,7 +1146,7 @@ nssOID_CreateFromUTF8 (
goto loser;
}
- return rv;
+ return rv - nss_builtin_oids;
loser:
if( (NSSOID *)NULL != candidate ) {
@@ -1133,7 +1159,7 @@ nssOID_CreateFromUTF8 (
}
(void)nss_ZFreeIf(rv);
- return (NSSOID *)NULL;
+ return NSS_OID_UNKNOWN;
}
/*
@@ -1155,16 +1181,17 @@ nssOID_CreateFromUTF8 (
*/
NSS_EXTERN NSSDER *
-nssOID_GetDEREncoding (
- const NSSOID *oid,
+nssOIDTag_GetDEREncoding (
+ NSSOIDTag oidTag,
NSSDER *rvOpt,
NSSArena *arenaOpt
)
{
const NSSItem *it;
NSSDER *rv;
+ NSSOID *oid = nssOID_CreateFromTag(oidTag);
- if( PR_SUCCESS != oid_init() ) {
+ if( PR_SUCCESS != oid_init() || NULL == oid) {
return (NSSDER *)NULL;
}
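Review bot: `NSSOID *oid = nssOID_CreateFromTag(oidTag);` runs as a declaration initializer, so the lookup happens before `oid_init()` has been checked. nssOIDTag_GetUTF8Encoding, in the next hunks, does the lookup after the init check, and the two should agree. Whether nssOID_CreateFromTag depends on oid_init() is not visible here. I would declare `NSSOID *oid;`, keep the original `if( PR_SUCCESS != oid_init() )` test, and follow it with `oid = nssOID_CreateFromTag(oidTag); if( (NSSOID *)NULL == oid ) return (NSSDER *)NULL;`.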
@@ -1214,8 +1241,8 @@ nssOID_GetDEREncoding (
*/
NSS_EXTERN NSSUTF8 *
-nssOID_GetUTF8Encoding (
- const NSSOID *oid,
+nssOIDTag_GetUTF8Encoding (
+ NSSOIDTag oidTag,
NSSArena *arenaOpt
)
{
@@ -1226,11 +1253,14 @@ nssOID_GetUTF8Encoding (
char *a;
char *b;
PRUint32 len;
+ NSSOID *oid;
if( PR_SUCCESS != oid_init() ) {
return (NSSUTF8 *)NULL;
}
+ oid = nssOID_CreateFromTag(oidTag);
+
a = (char *)NULL;
/* d will point to the next sequence of bytes to decode */
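Review bot: The result of `nssOID_CreateFromTag(oidTag)` is not checked here, unlike in nssOIDTag_GetDEREncoding, which tests `NULL == oid`. The decode loop that follows is outside the hunk and presumably reads `oid->data`, so an unknown or out-of-range tag would be dereferenced as NULL. Add `if( (NSSOID *)NULL == oid ) { return (NSSUTF8 *)NULL; }` directly after the assignment.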
@@ -1413,6 +1443,7 @@ nssOID_getTaggedUTF8 (
char *b;
PRBool done = PR_FALSE;
PRUint32 len;
+ NSSOIDTag oidTag;
if( PR_SUCCESS != oid_init() ) {
return (NSSUTF8 *)NULL;
@@ -1435,7 +1466,7 @@ nssOID_getTaggedUTF8 (
*/
/* I know it's all ASCII, so I can use char */
- raw = (char *)nssOID_GetUTF8Encoding(oid, (NSSArena *)NULL);
+ raw = (char *)nssOIDTag_GetUTF8Encoding(oidTag, (NSSArena *)NULL);
if( (char *)NULL == raw ) {
return (NSSUTF8 *)NULL;
}
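Review bot: `oidTag` is read here before it has been given a value. It is a new local declared without an initializer in the previous hunk, and its only assignment is in the next hunk, after this call. The removed line passed the function's `oid` argument, so the call now encodes whatever happens to be in the uninitialized variable. Derive the tag from the argument first, for example `oidTag = nssOID_GetTag(oid);` (declared in pki1.h), or use a separate local for the later lead-OID lookup.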
@@ -1452,7 +1483,8 @@ nssOID_getTaggedUTF8 (
}
*c = '\0';
- lead = nssOID_CreateFromUTF8((NSSUTF8 *)raw);
+ oidTag = nssOIDTag_CreateFromUTF8((NSSUTF8 *)raw);
+ lead = nssOID_CreateFromTag(oidTag);
if( (NSSOID *)NULL == lead ) {
PR_smprintf_free(a);
nss_ZFreeIf(raw);
diff --git a/security/nss/lib/pki1/oiddata.h b/security/nss/lib/pki1/oiddata.h
index cecd36fc7..2a3c07d75 100644
--- a/security/nss/lib/pki1/oiddata.h
+++ b/security/nss/lib/pki1/oiddata.h
@@ -43,9 +43,6 @@ static const char OIDDATA_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$ ;
#include "nsspki1t.h"
#endif /* NSSPKI1T_H */
-extern const NSSOID nss_builtin_oids[];
-extern const PRUint32 nss_builtin_oid_count;
-
/*extern const nssAttributeTypeAliasTable nss_attribute_type_aliases[];*/
/*extern const PRUint32 nss_attribute_type_alias_count;*/
@@ -217,6 +214,4 @@ enum NSSOIDTagEnum {
NSS_OID_NS_CERT_EXT_SUBJECT_LOGO = 369
};
-typedef enum NSSOIDTagEnum NSSOIDTag;
-
#endif /* OIDDATA_H */
diff --git a/security/nss/lib/pki1/pki1.h b/security/nss/lib/pki1/pki1.h
index 0db9f7553..e50f54816 100644
--- a/security/nss/lib/pki1/pki1.h
+++ b/security/nss/lib/pki1/pki1.h
@@ -78,7 +78,22 @@ extern const PRUint32 nss_attribute_type_alias_count;
*/
NSS_EXTERN NSSOID *
-nssOID_Create (
+nssOID_CreateFromTag (
+ NSSOIDTag tag
+);
+
+NSS_EXTERN NSSOID *
+nssOID_CreateFromBER (
+ NSSBER *berOid
+);
+
+NSS_EXTERN NSSOIDTag
+nssOID_GetTag (
+ const NSSOID *oid
+);
+
+NSS_EXTERN NSSOIDTag
+nssOIDTag_Create (
NSSItem *oidData
);
@@ -98,8 +113,8 @@ nssOID_Create (
* An NSSOID upon success
*/
-NSS_EXTERN NSSOID *
-nssOID_CreateFromBER (
+NSS_EXTERN NSSOIDTag
+nssOIDTag_CreateFromBER (
NSSBER *berOid
);
@@ -122,20 +137,15 @@ nssOID_CreateFromBER (
* An NSSOID upon success
*/
-NSS_EXTERN NSSOID *
-nssOID_CreateFromUTF8 (
+NSS_EXTERN NSSOIDTag
+nssOIDTag_CreateFromUTF8 (
NSSUTF8 *stringOid
);
-NSS_EXTERN NSSOIDTag
-nssOID_GetTag (
- const NSSOID *oid
-);
-
NSS_EXTERN NSSAlgNParam *
-nssOID_CreateAlgNParam (
- const NSSOID *oid,
+nssOIDTag_CreateAlgNParam (
+ NSSOIDTag oidTag,
NSSParameters *parameters,
NSSArena *arenaOpt
);
@@ -160,8 +170,8 @@ nssOID_CreateAlgNParam (
*/
NSS_EXTERN NSSDER *
-nssOID_GetDEREncoding (
- const NSSOID *oid,
+nssOIDTag_GetDEREncoding (
+ NSSOIDTag oidTag,
NSSDER *rvOpt,
NSSArena *arenaOpt
);
@@ -187,8 +197,8 @@ nssOID_GetDEREncoding (
*/
NSS_EXTERN NSSUTF8 *
-nssOID_GetUTF8Encoding (
- const NSSOID *oid,
+nssOIDTag_GetUTF8Encoding (
+ NSSOIDTag oidTag,
NSSArena *arenaOpt
);
diff --git a/security/nss/lib/pki1/pki1t.h b/security/nss/lib/pki1/pki1t.h
index 89915e7af..b25031306 100644
--- a/security/nss/lib/pki1/pki1t.h
+++ b/security/nss/lib/pki1/pki1t.h
@@ -83,6 +83,12 @@ struct NSSOIDStr {
PRBool certExtensionSupported;
};
+struct NSSOIDStr;
+typedef struct NSSOIDStr NSSOID;
+
+extern const NSSOID nss_builtin_oids[];
+extern const PRUint32 nss_builtin_oid_count;
+
/*
* nssAttributeTypeAliasTable
*
diff --git a/security/nss/lib/pkix/include/nsspkix.h b/security/nss/lib/pkix/include/nsspkix.h
index f139d021e..92f8a4f17 100644
--- a/security/nss/lib/pkix/include/nsspkix.h
+++ b/security/nss/lib/pkix/include/nsspkix.h
@@ -6501,7 +6501,7 @@ NSSPKIXAlgorithmIdentifier_Decode (
NSS_EXTERN NSSPKIXAlgorithmIdentifier *
NSSPKIXAlgorithmIdentifier_Create (
NSSArena *arenaOpt,
- NSSOID *algorithm,
+ NSSOIDTag algorithm,
NSSItem *parameters
);
@@ -6560,7 +6560,7 @@ NSSPKIXAlgorithmIdentifier_Encode (
* NULL upon failure
*/
-NSS_EXTERN NSSOID *
+NSS_EXTERN NSSOIDTag
NSSPKIXAlgorithmIdentifier_GetAlgorithm (
NSSPKIXAlgorithmIdentifier *algid
);
@@ -6582,7 +6582,7 @@ NSSPKIXAlgorithmIdentifier_GetAlgorithm (
NSS_EXTERN PRStatus
NSSPKIXAlgorithmIdentifier_SetAlgorithm (
NSSPKIXAlgorithmIdentifier *algid,
- NSSOID *algorithm
+ NSSOIDTag algorithm
);
/*
diff --git a/security/nss/lib/pkix/include/nsspkixt.h b/security/nss/lib/pkix/include/nsspkixt.h
index 32c2a54bb..cdd20c0bc 100644
--- a/security/nss/lib/pkix/include/nsspkixt.h
+++ b/security/nss/lib/pkix/include/nsspkixt.h
@@ -96,7 +96,7 @@ typedef struct NSSPKIXAttributeStr NSSPKIXAttribute;
*
*/
-typedef NSSOID NSSPKIXAttributeType;
+typedef NSSOIDTag NSSPKIXAttributeType;
/*
* AttributeValue
@@ -1647,7 +1647,7 @@ typedef struct NSSPKIXPolicyInformationStr NSSPKIXPolicyInformation;
*
*/
-typedef NSSOID NSSPKIXCertPolicyId;
+typedef NSSOIDTag NSSPKIXCertPolicyId;
/*
* PolicyQualifierInfo
@@ -1677,7 +1677,7 @@ typedef struct NSSPKIXPolicyQualifierInfoStr NSSPKIXPolicyQualifierInfo;
*
*/
-typedef NSSOID NSSPKIXPolicyQualifierId;
+typedef NSSOIDTag NSSPKIXPolicyQualifierId;
/*
* CPSuri
@@ -2133,7 +2133,7 @@ typedef struct NSSPKIXExtKeyUsageSyntaxStr NSSPKIXExtKeyUsageSyntax;
*
*/
-typedef NSSOID NSSPKIXKeyPurposeId;
+typedef NSSOIDTag NSSPKIXKeyPurposeId;
/*
* AuthorityInfoAccessSyntax
@@ -2267,7 +2267,7 @@ typedef NSSPKIXGeneralNames NSSPKIXCertificateIssuer;
*
*/
-typedef NSSOID NSSPKIXHoldInstructionCode;
+typedef NSSOIDTag NSSPKIXHoldInstructionCode;
/*
* InvalidityDate
diff --git a/security/nss/lib/pkix/include/pkix.h b/security/nss/lib/pkix/include/pkix.h
index b207bd87c..20aedccfd 100644
--- a/security/nss/lib/pkix/include/pkix.h
+++ b/security/nss/lib/pkix/include/pkix.h
@@ -6464,7 +6464,7 @@ nssPKIXAlgorithmIdentifier_Decode (
NSS_EXTERN NSSPKIXAlgorithmIdentifier *
nssPKIXAlgorithmIdentifier_Create (
NSSArena *arenaOpt,
- NSSOID *algorithm,
+ NSSOIDTag algorithm,
NSSItem *parameters
);
@@ -6523,7 +6523,7 @@ nssPKIXAlgorithmIdentifier_Encode (
* NULL upon failure
*/
-NSS_EXTERN NSSOID *
+NSS_EXTERN NSSOIDTag
nssPKIXAlgorithmIdentifier_GetAlgorithm (
NSSPKIXAlgorithmIdentifier *algid
);
@@ -6545,7 +6545,7 @@ nssPKIXAlgorithmIdentifier_GetAlgorithm (
NSS_EXTERN PRStatus
nssPKIXAlgorithmIdentifier_SetAlgorithm (
NSSPKIXAlgorithmIdentifier *algid,
- NSSOID *algorithm
+ NSSOIDTag algorithm
);
/*
diff --git a/security/nss/lib/pkix/include/pkixtm.h b/security/nss/lib/pkix/include/pkixtm.h
index 086d84055..2513a7c3a 100644
--- a/security/nss/lib/pkix/include/pkixtm.h
+++ b/security/nss/lib/pkix/include/pkixtm.h
@@ -52,6 +52,8 @@ static const char PKIXTM_CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
/* XXX for time... */
#include "nsspkit.h"
+/* XXX for OID */
+#include "oiddata.h"
PR_BEGIN_EXTERN_C
@@ -262,6 +264,7 @@ struct NSSPKIXAlgorithmIdentifierStr {
NSSArena *arena;
PRBool i_allocated_arena;
NSSDER der;
+ NSSOIDTag algorithm; /* XXX should decode algID into this */
NSSItem algID;
NSSItem parameters;
};
diff --git a/security/nss/lib/pkix/src/AlgorithmID.c b/security/nss/lib/pkix/src/AlgorithmID.c
index 98772b9ae..10c629f6e 100644
--- a/security/nss/lib/pkix/src/AlgorithmID.c
+++ b/security/nss/lib/pkix/src/AlgorithmID.c
@@ -77,7 +77,7 @@ nss_pkix_AlgorithmIdentifier_Clear (
NSS_IMPLEMENT NSSPKIXAlgorithmIdentifier *
nssPKIXAlgorithmIdentifier_Create (
NSSArena *arenaOpt,
- NSSOID *algorithm,
+ NSSOIDTag algorithm,
NSSItem *parameters
)
{
@@ -341,7 +341,7 @@ nssPKIXAlgorithmIdentifier_Equal (
return PR_FALSE;
}
-NSS_IMPLEMENT NSSOID *
+NSS_IMPLEMENT NSSOIDTag
nssPKIXAlgorithmIdentifier_GetAlgorithm (
NSSPKIXAlgorithmIdentifier *algid
)
@@ -350,10 +350,10 @@ nssPKIXAlgorithmIdentifier_GetAlgorithm (
if (NSSITEM_IS_EMPTY(&algid->der) ||
decode_me(algid) == PR_FAILURE)
{
- return (NSSOID *)NULL;
+ return NSS_OID_UNKNOWN;
}
}
- return NSSOID_Create(&algid->algID);
+ return NSSOIDTag_Create(&algid->algID);
}
NSS_IMPLEMENT NSSItem *
@@ -374,7 +374,7 @@ nssPKIXAlgorithmIdentifier_GetParameters (
NSS_IMPLEMENT PRStatus
nssPKIXAlgorithmIdentifier_SetAlgorithm (
NSSPKIXAlgorithmIdentifier *algid,
- NSSOID *algorithm
+ NSSOIDTag algorithm
)
{
#if 0
@@ -396,7 +396,7 @@ nssPKIXAlgorithmIdentifier_SetParameters (
NSS_IMPLEMENT PRStatus
NSSPKIXAlgorithmIdentifier_SetAlgorithm (
NSSPKIXAlgorithmIdentifier *algid,
- NSSOID *algorithm
+ NSSOIDTag algorithm
)
{
nss_ClearErrorStack();
@@ -418,7 +418,7 @@ NSSPKIXAlgorithmIdentifier_SetParameters (
NSS_IMPLEMENT NSSPKIXAlgorithmIdentifier *
NSSPKIXAlgorithmIdentifier_Create (
NSSArena *arenaOpt,
- NSSOID *algorithm,
+ NSSOIDTag algorithm,
NSSItem *parameters
)
{
@@ -485,7 +485,7 @@ NSSPKIXAlgorithmIdentifier_Equal (
return nssPKIXAlgorithmIdentifier_Equal(algid1, algid2, statusOpt);
}
-NSS_IMPLEMENT NSSOID *
+NSS_IMPLEMENT NSSOIDTag
NSSPKIXAlgorithmIdentifier_GetAlgorithm (
NSSPKIXAlgorithmIdentifier *algid
)
diff --git a/security/nss/lib/pkix/src/Extension.c b/security/nss/lib/pkix/src/Extension.c
index c9bdf9568..c39bfe776 100644
--- a/security/nss/lib/pkix/src/Extension.c
+++ b/security/nss/lib/pkix/src/Extension.c
@@ -140,7 +140,7 @@ loser:
NSS_IMPLEMENT NSSPKIXExtension *
nssPKIXExtension_Create (
NSSArena *arenaOpt,
- NSSOID *extnID,
+ NSSOIDTag extnID,
PRBool critical,
NSSItem *extnValue
)
@@ -241,7 +241,7 @@ nssPKIXExtension_Encode (
NSS_IMPLEMENT void
nssPKIXExtension_SetExtensionID (
NSSPKIXExtension *extension,
- NSSOID *extnID
+ NSSOIDTag extnID
)
{
#if 0
@@ -364,7 +364,7 @@ nssPKIXExtension_Duplicate (
return rv;
}
-NSS_IMPLEMENT NSSOID *
+NSS_IMPLEMENT NSSOIDTag
nssPKIXExtension_GetExtensionID (
NSSPKIXExtension *extension
)
@@ -373,10 +373,10 @@ nssPKIXExtension_GetExtensionID (
if (NSSITEM_IS_EMPTY(&extension->der) ||
decode_me(extension) == PR_FAILURE)
{
- return (NSSOID *)NULL;
+ return NSS_OID_UNKNOWN;
}
}
- return NSSOID_Create(&extension->extnID);
+ return NSSOIDTag_Create(&extension->extnID);
}
/*
@@ -398,7 +398,7 @@ nssPKIXExtension_GetExtensionID (
NSS_IMPLEMENT NSSPKIXExtension *
NSSPKIXExtension_Create (
NSSArena *arenaOpt,
- NSSOID *extnID,
+ NSSOIDTag extnID,
PRBool critical,
NSSItem *extnValue
)
diff --git a/security/nss/lib/pkix/src/Extensions.c b/security/nss/lib/pkix/src/Extensions.c
index 23144a1fe..ae0d36d98 100644
--- a/security/nss/lib/pkix/src/Extensions.c
+++ b/security/nss/lib/pkix/src/Extensions.c
@@ -362,7 +362,7 @@ nssPKIXExtensions_GetBasicConstraints (
NSSPKIXExtensions *extensions
)
{
- NSSOID *extnOID;
+ NSSOIDTag extnOID;
NSSPKIXBasicConstraints *rv = NULL;
NSSPKIXExtension **extns;
PRIntn i;
@@ -375,7 +375,7 @@ nssPKIXExtensions_GetBasicConstraints (
extns = extensions->extensions;
for (i = 0; i < extensions->count; i++) {
extnOID = nssPKIXExtension_GetExtensionID(extns[i]);
- if (NSSOID_IsTag(extnOID, NSS_OID_X509_BASIC_CONSTRAINTS)) {
+ if (extnOID == NSS_OID_X509_BASIC_CONSTRAINTS) {
if (extns[i]->extnData) {
return (NSSPKIXBasicConstraints *)extns[i]->extnData;
}
@@ -394,7 +394,7 @@ nssPKIXExtensions_GetKeyUsage (
NSSPKIXExtensions *extensions
)
{
- NSSOID *extnOID;
+ NSSOIDTag extnOID;
NSSPKIXKeyUsage *rv = NULL;
NSSPKIXExtension **extns;
PRIntn i;
@@ -407,7 +407,7 @@ nssPKIXExtensions_GetKeyUsage (
extns = extensions->extensions;
for (i = 0; i < extensions->count; i++) {
extnOID = nssPKIXExtension_GetExtensionID(extns[i]);
- if (NSSOID_IsTag(extnOID, NSS_OID_X509_KEY_USAGE)) {
+ if (extnOID == NSS_OID_X509_KEY_USAGE) {
if (extns[i]->extnData) {
return (NSSPKIXKeyUsage *)extns[i]->extnData;
}
@@ -426,7 +426,7 @@ nssPKIXExtensions_GetAuthorityKeyIdentifier (
NSSPKIXExtensions *extensions
)
{
- NSSOID *extnOID;
+ NSSOIDTag extnOID;
NSSPKIXAuthorityKeyIdentifier *rv = NULL;
NSSPKIXExtension **extns;
PRIntn i;
@@ -439,7 +439,7 @@ nssPKIXExtensions_GetAuthorityKeyIdentifier (
extns = extensions->extensions;
for (i = 0; i < extensions->count; i++) {
extnOID = nssPKIXExtension_GetExtensionID(extns[i]);
- if (NSSOID_IsTag(extnOID, NSS_OID_X509_AUTH_KEY_ID)) {
+ if (extnOID == NSS_OID_X509_AUTH_KEY_ID) {
if (extns[i]->extnData) {
return (NSSPKIXAuthorityKeyIdentifier *)extns[i]->extnData;
}
@@ -459,7 +459,7 @@ nssPKIXExtensions_GetSubjectKeyIdentifier (
)
{
PRStatus status;
- NSSOID *extnOID;
+ NSSOIDTag extnOID;
NSSPKIXSubjectKeyIdentifier *rv = NULL;
NSSPKIXExtension **extns;
PRIntn i;
@@ -472,7 +472,7 @@ nssPKIXExtensions_GetSubjectKeyIdentifier (
extns = extensions->extensions;
for (i = 0; i < extensions->count; i++) {
extnOID = nssPKIXExtension_GetExtensionID(extns[i]);
- if (NSSOID_IsTag(extnOID, NSS_OID_X509_SUBJECT_KEY_ID)) {
+ if (extnOID == NSS_OID_X509_SUBJECT_KEY_ID) {
if (extns[i]->extnData) {
return (NSSPKIXKeyIdentifier *)extns[i]->extnData;
}
@@ -500,7 +500,7 @@ nssPKIXExtensions_GetNetscapeCertType (
NSSPKIXExtensions *extensions
)
{
- NSSOID *extnOID;
+ NSSOIDTag extnOID;
NSSPKIXnetscapeCertType *rv = NULL;
NSSPKIXExtension **extns;
PRIntn i;
@@ -513,7 +513,7 @@ nssPKIXExtensions_GetNetscapeCertType (
extns = extensions->extensions;
for (i = 0; i < extensions->count; i++) {
extnOID = nssPKIXExtension_GetExtensionID(extns[i]);
- if (NSSOID_IsTag(extnOID, NSS_OID_NS_CERT_EXT_CERT_TYPE)) {
+ if (extnOID == NSS_OID_NS_CERT_EXT_CERT_TYPE) {
if (extns[i]->extnData) {
return (NSSPKIXnetscapeCertType *)extns[i]->extnData;
}
diff --git a/security/nss/lib/pkix/src/pkiglue.c b/security/nss/lib/pkix/src/pkiglue.c
index b8a1161de..fd76fbc1f 100644
--- a/security/nss/lib/pkix/src/pkiglue.c
+++ b/security/nss/lib/pkix/src/pkiglue.c
@@ -428,7 +428,7 @@ pkix_GetPolicies (
static PRStatus
pkix_GetPublicKeyInfo (
void *cert,
- NSSOID **keyType,
+ NSSOIDTag *keyType,
NSSBitString *keyData
)
{
@@ -716,7 +716,7 @@ verify_signature (
NSSDER *tbsDER;
NSSPublicKey *verifyKey;
NSSAlgNParam *ap;
- NSSOID *alg;
+ NSSOIDTag alg;
NSSItem *params;
sigAlg = nssPKIXCertificate_GetSignatureAlgorithm(cert);
@@ -755,7 +755,7 @@ verify_signature (
return PR_FAILURE;
}
- ap = NSSOID_CreateAlgNParam(alg, params, NULL);
+ ap = NSSOIDTag_CreateAlgNParam(alg, params, NULL);
if (!ap) {
NSSPublicKey_Destroy(verifyKey);
return PR_FAILURE;
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
index 81ecd6ce1..06feb6ef7 100644
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -73,11 +73,8 @@
#define SSL_ERROR_INVALID_KEY_TYPE 5555
#define SSL_ERROR_UNSUPPORTED_KEY_EXCHANGE_ALG 5556
#define NSS_ERROR_INVALID_ARGS 5557
-static const NSSUsages s_ssl_client_usage;
-static const NSSAlgNParam *s_rsa_unwrap_ap = NULL;
-static const NSSAlgNParam *s_tls_prf_ap = NULL;
-static const NSSAlgNParam *s_md5_ap = NULL;
-static const NSSAlgNParam *s_sha1_ap = NULL;
+#define SSL_ERROR_INVALID_VERSION 5558
+static const NSSUsages s_ssl_client_usage = { 0, NSSUsage_SSLClient };
static void ssl3_CleanupPeerCerts(ssl3State *ssl3);
static NSSSymKey *ssl3_GenerateRSAPMS(sslSocket *ss,
@@ -86,7 +83,9 @@ static NSSSymKey *ssl3_GenerateRSAPMS(sslSocket *ss,
static PRStatus ssl3_GenerateSessionKeys( sslSocket *ss, NSSSymKey *pmsOpt);
static SECStatus ssl3_HandshakeFailure( sslSocket *ss);
static SECStatus ssl3_InitState( sslSocket *ss);
+#ifdef IMPLEMENT_SESSION_ID_CACHE
static sslSessionID *ssl3_NewSessionID( sslSocket *ss, PRBool is_server);
+#endif /* IMPLEMENT_SESSION_ID_CACHE */
static SECStatus ssl3_SendCertificate( sslSocket *ss);
static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss);
static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
@@ -342,12 +341,6 @@ static const ssl3KEADef kea_defs[] = { /* indexed by SSL3KeyExchangeAlgorithm */
{kea_rsa_fips, ssl_kea_rsa, ssl_sign_rsa, PR_FALSE, 0, PR_TRUE },
};
-/* set by call_once or initialization? */
-static const NSSAlgNParam *s_mac_md5_ap = NULL;
-static const NSSAlgNParam *s_mac_sha_ap = NULL;
-static const NSSAlgNParam *s_hmac_md5_ap = NULL;
-static const NSSAlgNParam *s_hmac_sha_ap = NULL;
-
/*
* Number of bytes each hash algorithm produces
*/
@@ -365,8 +358,125 @@ static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
{ ssl_hmac_sha,/* s_hmac_sha_ap,*/ 40, SHA1_LENGTH },
};
-static const NSSAlgNParam *s_ssl3PMSGen = NULL;
-static const NSSAlgNParam *s_tlsPMSGen = NULL;
+static NSSArena *s_algs_arena = NULL;
+static const NSSAlgNParam *s_md5_ap = NULL;
+static const NSSAlgNParam *s_sha1_ap = NULL;
+static const NSSAlgNParam *s_rsa_wrap_ap = NULL;
+static const NSSAlgNParam *s_rsa_unwrap_ap = NULL;
+static const NSSAlgNParam *s_tls_prf_ap = NULL;
+static const NSSAlgNParam *s_ssl3_pms_ap = NULL;
+static const NSSAlgNParam *s_tls_pms_ap = NULL;
+static const NSSAlgNParam *s_mac_md5_ap = NULL;
+static const NSSAlgNParam *s_mac_sha1_ap = NULL;
+static const NSSAlgNParam *s_hmac_md5_ap = NULL;
+static const NSSAlgNParam *s_hmac_sha1_ap = NULL;
+
+PRStatus
+ssl3_InitAlgorithms(void)
+{
+ NSSParameters params;
+
+ s_algs_arena = NSSArena_Create();
+ if (!s_algs_arena) return PR_FAILURE;
+
+ /* initialize hashes */
+ s_md5_ap = NSSOIDTag_CreateAlgNParam(NSS_OID_MD5, NULL, s_algs_arena);
+ s_sha1_ap = NSSOIDTag_CreateAlgNParam(NSS_OID_SHA1, NULL, s_algs_arena);
+
+ /* initialize RSA wrap/unwrap */
+ s_rsa_wrap_ap = NSSOIDTag_CreateAlgNParamForWrap(
+ NSS_OID_PKCS1_RSA_ENCRYPTION,
+ NULL, s_algs_arena);
+
+ s_rsa_unwrap_ap = NSSOIDTag_CreateAlgNParamForUnwrap(
+ NSS_OID_PKCS1_RSA_ENCRYPTION,
+ NULL, s_algs_arena);
+
+ /* initialize TLS pseudo-random function */
+ s_tls_prf_ap = NSSAlgNParam_CreateForSSL(s_algs_arena,
+ NSSSSLAlgorithm_TLS_PRF,
+ NULL);
+
+ /* initialize PMS generation algorithms */
+ params.sslpms = NSSSSLVersion_SSLv3;
+ s_ssl3_pms_ap = NSSAlgNParam_CreateForSSL(s_algs_arena,
+ NSSSSLAlgorithm_PMSGen,
+ &params);
+ params.sslpms = NSSSSLVersion_TLS;
+ s_ssl3_pms_ap = NSSAlgNParam_CreateForSSL(s_algs_arena,
+ NSSSSLAlgorithm_PMSGen,
+ &params);
+
+ /* initialize MACs and HMACS */
+ s_mac_md5_ap = NSSAlgNParam_CreateForSSL(s_algs_arena,
+ NSSSSLAlgorithm_MD5_MAC,
+ &params);
+ s_mac_sha1_ap = NSSAlgNParam_CreateForSSL(s_algs_arena,
+ NSSSSLAlgorithm_SHA1_MAC,
+ &params);
+ params.hmac = MD5_LENGTH;
+ s_hmac_md5_ap = NSSOIDTag_CreateAlgNParamForHMAC(NSS_OID_MD5,
+ &params,
+ s_algs_arena);
+ params.hmac = SHA1_LENGTH;
+ s_hmac_sha1_ap = NSSOIDTag_CreateAlgNParamForHMAC(NSS_OID_SHA1,
+ &params,
+ s_algs_arena);
+
+ return PR_SUCCESS;
+}
+
+static const NSSAlgNParam *
+ssl3_GetMacAP(ssl3State *ssl3)
+{
+ switch(ssl3->pwSpec->mac_def->mac) {
+ case ssl_mac_md5: return s_mac_md5_ap;
+ case ssl_mac_sha: return s_mac_sha1_ap;
+ case ssl_hmac_md5: return s_hmac_md5_ap;
+ case ssl_hmac_sha: return s_hmac_sha1_ap;
+ default: return (const NSSAlgNParam *)NULL;
+ }
+}
+
+static NSSAlgNParam *
+ssl3_GetBulkCipherAP(const ssl3BulkCipherDef *cipher_def, NSSItem *iv)
+{
+ NSSParameters params;
+ switch (cipher_def->cipher) {
+ case cipher_rc2:
+ params.rc2.effectiveKeySizeInBits = 128; /* always? */
+ params.rc2.iv = *iv;
+ break;
+ default:
+ /* generic CBC */
+ params.iv = *iv;
+ break;
+ }
+ return NSSOIDTag_CreateAlgNParam(cipher_def->calg, &params, NULL);
+}
+
+static NSSSSLVersion
+ssl_GetVersion(sslSocket *ss)
+{
+ switch (ss->version) {
+ case SSL_LIBRARY_VERSION_2: return NSSSSLVersion_SSLv2;
+ case SSL_LIBRARY_VERSION_3_0: return NSSSSLVersion_SSLv3;
+ case SSL_LIBRARY_VERSION_3_1_TLS: return NSSSSLVersion_TLS;
+ default: return -1;
+ }
+}
+
+/* XXX why does this info come from cryptoki? */
+static SSL3ProtocolVersion
+ssl3_GetVersionFromDeriveParams(NSSAlgNParam *deriveAP)
+{
+ switch (nssAlgNParam_GetSSLVersionFromMSDerive(deriveAP)) {
+ case NSSSSLVersion_SSLv2: return SSL_LIBRARY_VERSION_2;
+ case NSSSSLVersion_SSLv3: return SSL_LIBRARY_VERSION_3_0;
+ case NSSSSLVersion_TLS: return SSL_LIBRARY_VERSION_3_1_TLS;
+ default: return -1;
+ }
+}
/* indexed by SSL3BulkCipher */
const char * const ssl3_cipherName[] = {
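Review bot: In ssl3_InitAlgorithms the second PMS assignment writes to `s_ssl3_pms_ap` again, so `s_tls_pms_ap` is never set and the SSLv3 entry ends up holding the TLS parameters. The line after `params.sslpms = NSSSSLVersion_TLS;` should begin `s_tls_pms_ap = NSSAlgNParam_CreateForSSL(s_algs_arena,`. None of the creation results are checked before `return PR_SUCCESS;`, while call sites later in this diff pass s_md5_ap, s_sha1_ap and s_rsa_wrap_ap with the old per-call NULL checks removed. The function should fail, and destroy s_algs_arena, when any of them is NULL. `params` is also passed to the two *_MAC creations holding only the leftover `sslpms` value, and ssl3_GetBulkCipherAP fills its local `params` only partially, so zero-initialising both would be safer.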
@@ -490,7 +600,6 @@ ssl3_config_match_init(sslSocket *ss)
PRBool isServer;
sslServerCerts *svrAuth;
NSSOIDTag algTag;
- NSSOID * alg;
NSSToken * token;
if (!ss->enableSSL3 && !ss->enableTLS) {
@@ -520,9 +629,9 @@ ssl3_config_match_init(sslSocket *ss)
svrAuth->serverCertChain))
{
algTag = kea_alg_defs[exchKeyType];
- alg = NSSOID_CreateFromTag(algTag);
/* need to check for token for key exchange alg */
- token = NSSTrustDomain_FindTokenForAlgorithm(ss->td, alg);
+ token = NSSTrustDomain_FindTokenForAlgorithm(ss->td,
+ algTag);
if (token) {
suite->isPresent = PR_TRUE;
NSSToken_Destroy(token);
@@ -541,9 +650,8 @@ ssl3_config_match_init(sslSocket *ss)
suite->isPresent)
{
algTag = bulk_cipher_defs[cipher_def->bulk_cipher_alg].calg;
- alg = NSSOID_CreateFromTag(algTag);
/* check for the cipher algorithm */
- token = NSSTrustDomain_FindTokenForAlgorithm(ss->td, alg);
+ token = NSSTrustDomain_FindTokenForAlgorithm(ss->td, algTag);
if (token) {
suite->isPresent = PR_TRUE;
NSSToken_Destroy(token);
@@ -602,6 +710,7 @@ count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
return count;
}
+#ifdef IMPLEMENT_SSL_STEP_UP
static PRBool
anyRestrictedEnabled(sslSocket *ss)
{
@@ -619,6 +728,7 @@ anyRestrictedEnabled(sslSocket *ss)
}
return PR_FALSE;
}
+#endif /* IMPLEMENT_SSL_STEP_UP */
/*
* Null compression, mac and encryption functions
@@ -906,7 +1016,6 @@ ssl3_ComputeDHKeyHash(NSSItem dh_p, NSSItem dh_g, NSSItem dh_Ys,
unsigned int bufLen;
NSSItem * it = NULL;
PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
- NSSAlgNParam *ap;
bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.size + 2 + dh_g.size + 2 + dh_Ys.size;
if (bufLen <= sizeof buf) {
@@ -947,18 +1056,10 @@ ssl3_ComputeDHKeyHash(NSSItem dh_p, NSSItem dh_g, NSSItem dh_Ys,
goto done;
}
- ap = NSSOID_CreateAlgNParam(NSSOID_CreateFromTag(NSS_OID_MD5),
- NULL, NULL);
- if (!ap) {
- ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
- rv = SECFailure;
- goto done;
- }
-
hashData.data = hashes->md5;
hashData.size = sizeof hashes->md5;
- it = NSSCryptoContext_Digest(hash, ap, &hashIt, NULL, &hashData, NULL);
- NSSAlgNParam_Destroy(ap);
+ it = NSSCryptoContext_Digest(hash, s_md5_ap,
+ &hashIt, NULL, &hashData, NULL);
PR_ASSERT(it != NULL || it->size == MD5_LENGTH);
if (it == NULL) {
ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
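Review bot: `PR_ASSERT(it != NULL || it->size == MD5_LENGTH);` dereferences `it` exactly when it is NULL, and is trivially true otherwise. It is a context line rather than something this commit adds, and the next hunk has the same form for SHA1_LENGTH. The intended check is presumably `PR_ASSERT(it == NULL || it->size == MD5_LENGTH);`. With the per-call `if (!ap)` blocks removed, the explicit `it == NULL` test below is the only failure handling left on the digest path, so the assert should not get in its way in debug builds.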
@@ -966,16 +1067,8 @@ ssl3_ComputeDHKeyHash(NSSItem dh_p, NSSItem dh_g, NSSItem dh_Ys,
goto done;
}
- ap = NSSOID_CreateAlgNParam(NSSOID_CreateFromTag(NSS_OID_SHA1),
- NULL, NULL);
- if (!ap) {
- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
- rv = SECFailure;
- goto done;
- }
-
- it = NSSCryptoContext_Digest(hash, ap, &hashIt, NULL, &hashData, NULL);
- NSSAlgNParam_Destroy(ap);
+ it = NSSCryptoContext_Digest(hash, s_sha1_ap,
+ &hashIt, NULL, &hashData, NULL);
PR_ASSERT(it != NULL || it->size == SHA1_LENGTH);
if (it == NULL) {
ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
@@ -1953,14 +2046,16 @@ ssl3_DeriveMasterSecret(sslSocket *ss, NSSSymKey *pmsOpt)
NSSOperations keyOps = 0;
PRStatus status;
- /* set up parameters for master secret derivation */
+ /* set up alg/parameters for master secret derivation */
msParams.version = isTLS ? NSSSSLVersion_TLS : NSSSSLVersion_SSLv3;
msParams.isDH = isDH;
msParams.clientRandom.data = &ss->ssl3->hs.client_random;
msParams.clientRandom.size = SSL3_RANDOM_LENGTH;
msParams.serverRandom.data = &ss->ssl3->hs.server_random;
msParams.serverRandom.size = SSL3_RANDOM_LENGTH;
- msDerive = nssAlgNParam_CreateSSLMSDerive(NULL, &msParams);
+ msDerive = NSSAlgNParam_CreateForSSL(NULL,
+ NSSSSLAlgorithm_MSDerive,
+ (NSSParameters *)&msParams);
if (!msDerive) {
goto loser;
}
@@ -1976,7 +2071,7 @@ ssl3_DeriveMasterSecret(sslSocket *ss, NSSSymKey *pmsOpt)
0, keyOps, NULL);
if (ms && !isDH && ss->detectRollBack) {
SSL3ProtocolVersion client_version;
- client_version = get_ssl_version_from_ap(msDerive);
+ client_version = ssl3_GetVersionFromDeriveParams(msDerive);
/* XXX client_version = pms_version.major << 8 | pms_version.minor; */
if (client_version != ss->clientHelloVersion) {
/* Destroy it. Version roll-back detected. */
@@ -2003,8 +2098,11 @@ ssl3_DeriveMasterSecret(sslSocket *ss, NSSSymKey *pmsOpt)
}
if (!ms) {
/* XXX is this the correct analogue to the internal token? */
+#if 0
NSSToken *internal = nssTrustDomain_GetDefaultCryptoToken(ss->td);
if (!internal) goto loser;
+#endif
+ NSSToken *internal = NULL;
/* generate a faux master secret in the internal slot */
fpms = ssl3_GenerateRSAPMS(ss, pwSpec, internal);
if (fpms) {
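Review bot: `internal` is now always NULL when it is passed to ssl3_GenerateRSAPMS, because the token lookup is compiled out with `#if 0`. This branch generates the substitute pre-master secret used when unwrapping fails or a rollback is detected, so it should keep working and fail the handshake in the same way as a good secret would. Whether ssl3_GenerateRSAPMS accepts a NULL token is not visible from this hunk. Please either confirm that and record it in a comment such as `/* NULL token: ssl3_GenerateRSAPMS picks one itself */`, or keep the lookup until a replacement exists.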
@@ -2050,13 +2148,13 @@ ssl3_GenerateSessionKeys(sslSocket *ss, NSSSymKey *pmsOpt)
PRBool skipKeysAndIVs = (PRBool)((cipher_def->calg == cipher_fortezza) ||
(cipher_def->calg == cipher_null));
PRStatus status;
- PRUint32 keySize;
- NSSSymKeyType bulkKeyType;
NSSSSLSessionKeyParameters skParams = { 0 };
NSSAlgNParam *ap = NULL;
+ NSSAlgNParam *skAP = NULL;
NSSSymKey *sessionKeys[4];
- int encIndex = ss->sec.isServer ? 3 : 2;
- int decIndex = ss->sec.isServer ? 2 : 3;
+ NSSItem *iv1, *iv2;
+ NSSItem clientIV, serverIV;
+ PRIntn ecx, dcx;
PR_ASSERT( ssl_HaveSSL3HandshakeLock(ss));
PR_ASSERT( ssl_HaveSpecWriteLock(ss));
@@ -2085,29 +2183,25 @@ ssl3_GenerateSessionKeys(sslSocket *ss, NSSSymKey *pmsOpt)
skParams.ivSizeInBits = cipher_def->iv_size * BPB;
skParams.clientIV = (PRUint8 *)pwSpec->client.write_iv; /* XXX */
skParams.serverIV = (PRUint8 *)pwSpec->server.write_iv;
- keySize = cipher_def->key_size;
- } else {
- keySize = 0;
}
-
- /* Derive the set of session keys from the master secret */
- ap = nssAlgNParam_CreateSSLSessionKeyDerivation(NULL, &skParams);
- if (!ap) {
+ skAP = NSSAlgNParam_CreateForSSL(NULL,
+ NSSSSLAlgorithm_SessionKeyDerive,
+ (NSSParameters *)&skParams);
+ if (!skAP) {
goto loser;
}
+ /* Derive the set of session keys from the master secret */
status = nssSymKey_DeriveSSLSessionKeys(pwSpec->master_secret,
- ap, bulkKeyType,
- NSSOperations_ENCRYPT,
- 0, keySize, sessionKeys);
- NSSAlgNParam_Destroy(ap);
+ skAP, sessionKeys,
+ &clientIV, &serverIV);
if (status == PR_FAILURE) {
ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
goto loser;
}
/* Set up the mac contexts */
- ap = ssl3_GetMacAP(ss->ssl3);
+ ap = (NSSAlgNParam *)ssl3_GetMacAP(ss->ssl3); /* it's const below */
pwSpec->client.write_mac_context = NSSSymKey_CreateCryptoContext(
sessionKeys[0],
ap, NULL);
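Review bot: `skAP` is created with a NULL arena and never destroyed. The removed code called `NSSAlgNParam_Destroy(ap)` right after the derive call, and no equivalent for skAP appears in this hunk or the next one. The unchanged `loser:` code cannot reference the new variable, so the object leaks on every handshake. Add `NSSAlgNParam_Destroy(skAP);` immediately after nssSymKey_DeriveSSLSessionKeys returns, before the status test. Separately, `ssl3_GetMacAP` can return NULL from its `default:` case, and that value is passed straight to NSSSymKey_CreateCryptoContext.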
@@ -2116,11 +2210,45 @@ ssl3_GenerateSessionKeys(sslSocket *ss, NSSSymKey *pmsOpt)
ap, NULL);
/* Set up the encryption and decryption contexts */
- ap = ssl3_GetBulkCipherAP(ss->ssl3);
- pwSpec->encodeContext = NSSSymKey_CreateCryptoContext(sessionKeys[encIndex],
+ if (ss->sec.isServer) {
+ iv1 = &serverIV;
+ iv2 = &clientIV;
+ ecx = 3;
+ dcx = 2;
+ } else {
+ iv1 = &clientIV;
+ iv2 = &serverIV;
+ ecx = 2;
+ dcx = 3;
+ }
+
+ ap = ssl3_GetBulkCipherAP(cipher_def, iv1);
+ if (!ap) {
+ goto loser;
+ }
+
+ pwSpec->encodeContext = NSSSymKey_CreateCryptoContext(sessionKeys[ecx],
ap, NULL);
- pwSpec->decodeContext = NSSSymKey_CreateCryptoContext(sessionKeys[decIndex],
+ NSSAlgNParam_Destroy(ap);
+ if (!pwSpec->encodeContext) {
+ goto loser;
+ }
+
+ ap = ssl3_GetBulkCipherAP(cipher_def, iv2);
+ if (!ap) {
+ NSSCryptoContext_Destroy(pwSpec->encodeContext);
+ pwSpec->encodeContext = NULL;
+ goto loser;
+ }
+
+ pwSpec->decodeContext = NSSSymKey_CreateCryptoContext(sessionKeys[dcx],
ap, NULL);
+ NSSAlgNParam_Destroy(ap);
+ if (!pwSpec->decodeContext) {
+ NSSCryptoContext_Destroy(pwSpec->encodeContext);
+ pwSpec->encodeContext = NULL;
+ goto loser;
+ }
return PR_SUCCESS;
loser:
@@ -3261,7 +3389,6 @@ static SECStatus
sendRSAClientKeyExchange(sslSocket * ss, NSSPublicKey * svrPubKey)
{
NSSSymKey * pms = NULL;
- NSSAlgNParam * rsaWrap = NULL;
SECStatus rv = SECFailure;
NSSItem enc_pms = { NULL, 0 };
PRBool isTLS;
@@ -3280,19 +3407,13 @@ sendRSAClientKeyExchange(sslSocket * ss, NSSPublicKey * svrPubKey)
goto loser;
}
- rsaWrap = NSSAlgNParam_CreateWrap(NULL, NSS_OID_PKCS1_RSA_ENCRYPTION,
- NULL);
- if (!rsaWrap) {
- goto loser;
- }
-
/* wrap pre-master secret in server's public key. */
- if (NSSPublicKey_WrapSymKey(svrPubKey, rsaWrap, pms, NULL, &enc_pms, NULL)
+ if (NSSPublicKey_WrapSymKey(svrPubKey, s_rsa_wrap_ap,
+ pms, NULL, &enc_pms, NULL)
== NULL) {
ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
goto loser;
}
- NSSAlgNParam_Destroy(rsaWrap); rsaWrap = NULL;
rv = ssl3_InitPendingCipherSpec(ss, pms);
NSSSymKey_Destroy(pms); pms = NULL;
@@ -3325,9 +3446,6 @@ loser:
if (pms != NULL) {
NSSSymKey_Destroy(pms);
}
- if (rsaWrap) {
- NSSAlgNParam_Destroy(rsaWrap);
- }
return rv;
}
@@ -3877,7 +3995,7 @@ ssl3_SendClientKeyExchange(sslSocket *ss)
isTLS = (PRBool)(ss->ssl3->pwSpec->version > SSL_LIBRARY_VERSION_3_0);
/* enforce limits on kea key sizes. */
if (ss->ssl3->hs.kea_def->is_limited) {
- int keyBits = NSSPublicKey_GetStrength(serverKey);
+ int keyBits = NSSPublicKey_GetKeyStrength(serverKey);
if (keyBits > ss->ssl3->hs.kea_def->key_size_limit) {
if (isTLS)
@@ -3890,7 +4008,7 @@ ssl3_SendClientKeyExchange(sslSocket *ss)
}
ss->sec.keaType = ss->ssl3->hs.kea_def->exchKeyType;
- ss->sec.keaKeyBits = NSSPublicKey_GetStrength(serverKey);
+ ss->sec.keaKeyBits = NSSPublicKey_GetKeyStrength(serverKey);
switch (ss->ssl3->hs.kea_def->exchKeyType) {
case ssl_kea_rsa:
@@ -4311,6 +4429,8 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
switch (ss->ssl3->hs.kea_def->exchKeyType) {
case ssl_kea_rsa:
+ keyInfo.kind = NSSKeyPairType_RSA;
+
rv = ssl3_ConsumeHandshakeVariable(ss, &keyInfo.u.rsa.modulus,
2, &b, &length, arena);
if (rv != SECSuccess) {
@@ -4357,13 +4477,16 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
goto alert_loser;
}
- peerKey = NSSPublicKey_CreateFromInfo(&keyInfo);
+ peerKey = NSSVolatileDomain_ImportPublicKey(ss->vd, &keyInfo,
+ NULL, 0, 0, NULL);
ss->sec.peerKey = peerKey;
ss->ssl3->hs.ws = wait_cert_request;
NSSArena_Destroy(arena);
return SECSuccess;
case ssl_kea_dh:
+ keyInfo.kind = NSSKeyPairType_DH;
+
rv = ssl3_ConsumeHandshakeVariable(ss, &keyInfo.u.dh.prime,
2, &b, &length, arena);
if (rv != SECSuccess) {
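Review bot: The result of `NSSVolatileDomain_ImportPublicKey` is stored in `ss->sec.peerKey` and the handler returns SECSuccess without testing it. The same happens in the DH branch two hunks below. The key material was just parsed from the peer's ServerKeyExchange message, so a failed import must end the handshake rather than leave a NULL peerKey for ssl3_SendClientKeyExchange. After the call, add `if (!peerKey) { goto no_memory; }`, or whichever failure label this function already uses. The labels are outside the hunk.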
@@ -4422,7 +4545,8 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
goto alert_loser;
}
- peerKey = NSSPublicKey_CreateFromInfo(&keyInfo);
+ peerKey = NSSVolatileDomain_ImportPublicKey(ss->vd, &keyInfo,
+ NULL, 0, 0, NULL);
ss->sec.peerKey = peerKey;
ss->ssl3->hs.ws = wait_cert_request;
NSSArena_Destroy(arena);
@@ -5387,7 +5511,9 @@ loser:
SECStatus
ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
{
+#ifdef IMPLEMENT_SESSION_ID_CACHE
sslSessionID * sid = NULL;
+#endif /* IMPLEMENT_SESSION_ID_CACHE */
unsigned char * suites;
unsigned char * random;
SSL3ProtocolVersion version;
@@ -5493,6 +5619,7 @@ suite_found:
ss->ssl3->hs.compression = compression_null;
ss->sec.send = ssl3_SendApplicationData;
+#ifdef IMPLEMENT_SSL_SESSION_ID_CACHE
/* we don't even search for a cache hit here. It's just a miss. */
++ssl3stats.hch_sid_cache_misses;
sid = ssl3_NewSessionID(ss, PR_TRUE);
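Review bot: The guard added here is `IMPLEMENT_SSL_SESSION_ID_CACHE`, but the declaration of `sid` at the top of this function and the ssl3_NewSessionID prototype near the top of the file are guarded by `IMPLEMENT_SESSION_ID_CACHE`. With only one of the two macros defined, the build either uses an undeclared `sid` or declares it without using it. Pick one spelling and use it at all four sites, for example `#ifdef IMPLEMENT_SESSION_ID_CACHE` here and on the matching `#endif` comment.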
@@ -5502,6 +5629,7 @@ suite_found:
}
ss->sec.ci.sid = sid;
/* do not worry about memory leak of sid since it now belongs to ci */
+#endif /* IMPLEMENT_SSL_SESSION_ID_CACHE */
/* We have to update the handshake hashes before we can send stuff */
rv = ssl3_UpdateHandshakeHashes(ss, buffer, length);
@@ -5621,7 +5749,7 @@ const ssl3KEADef * kea_def = ss->ssl3->hs.kea_def;
NSSItem signed_hash = {NULL, 0};
SSL3Hashes hashes;
NSSPublicKey * sdPub; /* public key for step-down */
- NSSPublicKeyInfo * sdPubInfo;
+ NSSPublicKeyInfo sdPubInfo;
SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake",
SSL_GETPID(), ss->fd));
@@ -5629,8 +5757,7 @@ const ssl3KEADef * kea_def = ss->ssl3->hs.kea_def;
PR_ASSERT( ssl_HaveXmitBufLock(ss));
PR_ASSERT( ssl_HaveSSL3HandshakeLock(ss));
- sdPubInfo = NSSPublicKey_GetInfo(sdPub);
- if (!sdPubInfo) {
+ if (NSSPublicKey_GetKeyInfo(sdPub, &sdPubInfo) == NULL) {
return SECFailure;
}
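Review bot: `sdPub` is declared without an initializer in the preceding hunk and no assignment is visible before it is passed to `NSSPublicKey_GetKeyInfo(sdPub, &sdPubInfo)` here; going by the hunk headers only one line separates the two hunks. Unless that line sets it, the call reads an indeterminate pointer; declaring it as `NSSPublicKey * sdPub = NULL;` and assigning the step-down key before this call would make the failure mode defined. It is also not visible who owns the buffers behind `sdPubInfo.u.rsa.modulus` and `publicExponent` now that the struct lives on the stack, so a comment stating whether they must be released on the `loser` path would help.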
@@ -5643,8 +5770,8 @@ const ssl3KEADef * kea_def = ss->ssl3->hs.kea_def;
nss_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
return SECFailure;
}
- rv = ssl3_ComputeExportRSAKeyHash(sdPubInfo->u.rsa.modulus,
- sdPubInfo->u.rsa.publicExponent,
+ rv = ssl3_ComputeExportRSAKeyHash(sdPubInfo.u.rsa.modulus,
+ sdPubInfo.u.rsa.publicExponent,
&ss->ssl3->hs.client_random,
&ss->ssl3->hs.server_random,
&hashes, ss->td);
@@ -5664,8 +5791,8 @@ const ssl3KEADef * kea_def = ss->ssl3->hs.kea_def;
nss_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
goto loser;
}
- length = 2 + sdPubInfo->u.rsa.modulus.size +
- 2 + sdPubInfo->u.rsa.publicExponent.size +
+ length = 2 + sdPubInfo.u.rsa.modulus.size +
+ 2 + sdPubInfo.u.rsa.publicExponent.size +
2 + signed_hash.size;
rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
@@ -5673,15 +5800,15 @@ const ssl3KEADef * kea_def = ss->ssl3->hs.kea_def;
goto loser; /* err set by AppendHandshake. */
}
- rv = ssl3_AppendHandshakeVariable(ss, sdPubInfo->u.rsa.modulus.data,
- sdPubInfo->u.rsa.modulus.size, 2);
+ rv = ssl3_AppendHandshakeVariable(ss, sdPubInfo.u.rsa.modulus.data,
+ sdPubInfo.u.rsa.modulus.size, 2);
if (rv != SECSuccess) {
goto loser; /* err set by AppendHandshake. */
}
rv = ssl3_AppendHandshakeVariable(
- ss, sdPubInfo->u.rsa.publicExponent.data,
- sdPubInfo->u.rsa.publicExponent.size, 2);
+ ss, sdPubInfo.u.rsa.publicExponent.data,
+ sdPubInfo.u.rsa.publicExponent.size, 2);
if (rv != SECSuccess) {
goto loser; /* err set by AppendHandshake. */
}
@@ -6145,10 +6272,19 @@ ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
{
NSSSymKey * pms = NULL;
NSSToken * token = serverKeyToken;
- const NSSAlgNParam *pmsAP = ssl3_GetPMSAlg(ss->clientHelloVersion);
+ const NSSAlgNParam *pmsAP;
PR_ASSERT( ssl_HaveSSL3HandshakeLock(ss) );
+ switch (ssl_GetVersion(ss)) {
+ case NSSSSLVersion_SSLv3: pmsAP = s_ssl3_pms_ap; break;
+ case NSSSSLVersion_TLS: pmsAP = s_tls_pms_ap; break;
+ default:
+ /* XXX is this correct? */
+ nss_SetError(SSL_ERROR_INVALID_VERSION);
+ return (NSSSymKey *)NULL;
+ }
+
if (!token) {
/* The specReadLock would suffice here, but we cannot assert on
** read locks. Also, all the callers who call with a non-null
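Review bot: The pre-master-secret algorithm is now chosen from `ssl_GetVersion(ss)` where the removed line used `ss->clientHelloVersion`. TLS requires the RSA pre-master secret to carry the version the client offered in its ClientHello, which is what lets the server detect a version rollback; if `ssl_GetVersion` returns the negotiated version, the two differ whenever the server selects a lower version. The `/* XXX is this correct? */` default returns NULL, and in the server's unwrap-failure path (see the `ssl3_HandleRSAClientKeyExchange` hunk) that falls through to its `if (!pms)` error branch. I would keep the selection keyed on `ss->clientHelloVersion`, or add a comment on the `switch` explaining why the value from `ssl_GetVersion` is the right one here.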
@@ -6157,7 +6293,7 @@ ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
PR_ASSERT( ssl_HaveSpecWriteLock(ss));
PR_ASSERT(ss->ssl3->prSpec == ss->ssl3->pwSpec);
- token = ssl3_FindTokenForPMSGen(ss->vd, spec->cipher_def->calg);
+ token = NSSTrustDomain_FindTokenForAlgNParam(ss->td, pmsAP);
if (!token) {
nss_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
return (NSSSymKey *)NULL;
@@ -6198,6 +6334,7 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
NSSSymKey *pms;
SECStatus rv;
NSSItem enc_pms;
+ PRStatus status;
PR_ASSERT( ssl_HaveRecvBufLock(ss) );
PR_ASSERT( ssl_HaveSSL3HandshakeLock(ss) );
@@ -6228,13 +6365,14 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
*/
} else {
/* unwrap failed. Generate a bogus pre-master secret and carry on. */
- NSSToken *token = NSSPrivateKey_GetAToken(serverKey);
-
- ssl_GetSpecWriteLock(ss);
- pms = ssl3_GenerateRSAPMS(ss, ss->ssl3->prSpec, token);
- ssl_ReleaseSpecWriteLock(ss);
-
- NSSToken_Destroy(token);
+ NSSToken *token;
+ (void)NSSPrivateKey_GetTokens(serverKey, &token, 1, &status);
+ if (status == PR_SUCCESS) {
+ ssl_GetSpecWriteLock(ss);
+ pms = ssl3_GenerateRSAPMS(ss, ss->ssl3->prSpec, token);
+ ssl_ReleaseSpecWriteLock(ss);
+ NSSToken_Destroy(token);
+ }
}
if (!pms) {
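Review bot: When `NSSPrivateKey_GetTokens` does not report `PR_SUCCESS`, the new `if` skips `ssl3_GenerateRSAPMS` entirely, so `pms` presumably stays NULL and the handshake takes the `if (!pms)` error branch instead of carrying on with a substitute secret. That makes an unwrap failure distinguishable to the peer, which is what the comment `Generate a bogus pre-master secret and carry on` exists to prevent; the removed code called the generator unconditionally. `token` is also uninitialised and should be declared as `NSSToken *token = NULL;`. The generator should still be called when no token is returned, since `ssl3_GenerateRSAPMS` has its own `if (!token)` lookup (subject to the assertions on that path), with the destroy guarded as `if (token) NSSToken_Destroy(token);`. The enclosing function starts and ends outside the hunk.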
@@ -6357,8 +6495,10 @@ static SECStatus
ssl3_SendCertificate(sslSocket *ss)
{
SECStatus rv;
- NSSCertChain *certChain;
- NSSDER derChain;
+ NSSCert * cert;
+ NSSCertChain * certChain;
+ PRIntn numCerts = 0;
+ NSSBER berCert;
int len = 0;
int i;
@@ -6376,27 +6516,45 @@ ssl3_SendCertificate(sslSocket *ss)
certChain = sc->serverCertChain;
ss->sec.authKeyBits = sc->serverKeyBits;
ss->sec.authAlgorithm = ss->ssl3->hs.kea_def->signKeyType;
- ss->sec.localCert = NSSCertChain_GetLeaf(sc->serverCertChain);
+ ss->sec.localCert = NSSCertChain_GetCert(sc->serverCertChain, 0);
} else {
certChain = ss->ssl3->clientCertChain;
- ss->sec.localCert = nssCertificate_AddRef(ss->ssl3->clientCertificate);
+ ss->sec.localCert = nssCert_AddRef(ss->ssl3->clientCertificate);
}
- if (NSSCertChain_Encode(certChain, &derChain, NULL) == NULL) {
- return SECFailure;
+ if (certChain) {
+ numCerts = NSSCertChain_GetNumCerts(certChain);
+ if (numCerts < 0) {
+ return SECFailure;
+ }
+ for (i = 0; i < numCerts; i++) {
+ cert = NSSCertChain_GetCert(certChain, i);
+ if (cert) {
+ if (NSSCert_GetEncoding(cert, &berCert) == NULL) {
+ return SECFailure;
+ }
+ len += berCert.size + 3;
+ } else {
+ return SECFailure;
+ }
+ }
}
- rv = ssl3_AppendHandshakeHeader(ss, certificate, derChain.size);
+ rv = ssl3_AppendHandshakeHeader(ss, certificate, len + 3);
if (rv != SECSuccess) {
return rv; /* err set by AppendHandshake. */
}
- rv = ssl3_AppendHandshakeNumber(ss, derChain.size, 3);
+ rv = ssl3_AppendHandshakeNumber(ss, len, 3);
if (rv != SECSuccess) {
return rv; /* err set by AppendHandshake. */
}
- rv = ssl3_AppendHandshakeVariable(ss, derChain.data, derChain.size, 3);
- if (rv != SECSuccess) {
- return rv; /* err set by AppendHandshake. */
+ for (i = 0; i < numCerts; i++) {
+ cert = NSSCertChain_GetCert(certChain, i);
+ (void)NSSCert_GetEncoding(cert, &berCert);
+ rv = ssl3_AppendHandshakeVariable(ss, berCert.data, berCert.size, 3);
+ if (rv != SECSuccess) {
+ return rv; /* err set by AppendHandshake. */
+ }
}
return SECSuccess;
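Review bot: The second loop discards the result of `NSSCert_GetEncoding` and does not check `cert`, so a failure there would append whatever `berCert` held from the previous iteration while the header already carries the lengths computed in the first pass. The call should be checked as in the first loop, e.g. `if (!cert || NSSCert_GetEncoding(cert, &berCert) == NULL) return SECFailure;`. `NSSCertChain_GetCert` is called twice per certificate and its result is never released; since the same call is stored as the reference kept in `ss->sec.localCert` above, it looks as if each call returns a new reference that leaks here, which is worth confirming against the API. The function's opening lines are outside the hunk.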
@@ -6420,15 +6578,17 @@ static SECStatus
ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
{
ssl3State * ssl3 = ss->ssl3;
- NSSCert *cert;
- PRInt32 size = 0;
+ NSSCert * cert;
+ NSSCertChain * chain;
+ PRInt32 remaining = 0;
+ PRInt32 size;
+ PRInt32 berSize;
SECStatus rv;
PRBool isServer = (PRBool)(!!ss->sec.isServer);
- PRBool trusted = PR_FALSE;
PRBool isTLS;
SSL3AlertDescription desc = bad_certificate;
int errCode = SSL_ERROR_RX_MALFORMED_CERTIFICATE;
- NSSDER derChain;
+ NSSBER berCert;
PRStatus status;
SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake",
@@ -6460,12 +6620,12 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
** normal no_certificates message to maximize interoperability.
*/
if (length) {
- size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
- if (size < 0)
+ remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
+ if (remaining < 0)
goto loser; /* fatal alert already sent by ConsumeHandshake. */
}
- if (!size) {
+ if (!remaining) {
if (!(isTLS && isServer))
goto alert_loser;
/* This is TLS's version of a no_certificate alert. */
@@ -6478,29 +6638,80 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
goto cert_block;
}
- derChain.data = nss_ZAlloc(NULL, length);
- if (!derChain.data) {
- goto loser; /* don't send alerts on memory errors */
+ /* First get the peer cert */
+ remaining -= 3;
+ if (remaining < 0) {
+ goto decode_loser;
}
- derChain.size = length;
- rv = ssl3_ConsumeHandshake(ss, derChain.data, length, &b, &length);
- if (rv != SECSuccess) {
- goto loser;
+ size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
+ if (size < 0)
+ goto loser; /* fatal alert already sent by ConsumeHandshake. */
+
+ remaining -= size;
+ if (remaining < 0)
+ goto decode_loser;
+
+ ssl3->peerCertChain = chain = NSSVolatileDomain_CreateCertChain(ss->vd,
+ NULL);
+
+ /* XXX or in an arena? */
+ berCert.data = nss_ZAlloc(NULL, size);
+ if (!berCert.data) {
+ goto loser; /* don't send alerts on memory errors */
}
+ berCert.size = berSize = size;
- ssl3->peerCertChain = NSSVolatileDomain_ImportEncodedCertChain(ss->vd,
- &derChain,
- NULL);
- if (!ssl3->peerCertChain) {
- goto loser;
+ rv = ssl3_ConsumeHandshake(ss, berCert.data, berCert.size, &b, &length);
+ if (rv != SECSuccess)
+ goto loser; /* fatal alert already sent by ConsumeHandshake. */
+
+ status = NSSCertChain_AddEncodedCert(chain, &berCert, NULL, NULL,
+ &ss->sec.peerCert);
+ if (status == PR_FAILURE) {
+ /* We should report an alert if the cert was bad, but not if the
+ * problem was just some local problem, like memory error.
+ */
+ goto ambiguous_err;
}
- ss->sec.peerCert = NSSCertChain_GetLeaf(ssl3->peerCertChain);
- if (!ss->sec.peerCert) {
- goto loser;
+ /* Now get all of the CA certs. */
+ while (remaining != 0) {
+ remaining -= 3;
+ if (remaining < 0)
+ goto decode_loser;
+
+ size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
+ if (size < 0)
+ goto loser; /* fatal alert already sent by ConsumeHandshake. */
+
+ remaining -= size;
+ if (remaining < 0)
+ goto decode_loser;
+
+ if (size > berSize) {
+ berCert.data = nss_ZRealloc(berCert.data, size);
+ if (!berCert.data) {
+ goto loser; /* don't send alerts on memory errors */
+ }
+ berSize = length;
+ }
+ berCert.size = size; /* the size of the cert, not buffer */
+
+ rv = ssl3_ConsumeHandshake(ss, berCert.data, berCert.size,
+ &b, &length);
+ if (rv != SECSuccess)
+ goto loser; /* fatal alert already sent by ConsumeHandshake. */
+
+ status = NSSCertChain_AddEncodedCert(chain, &berCert,
+ NULL, NULL, NULL);
+ if (status == PR_FAILURE)
+ goto ambiguous_err;
}
+ if (remaining != 0)
+ goto decode_loser;
+
/* XXX ??? this should happen inside NSSCertChain or something...
SECKEY_UpdateCertPQG(ss->sec.peerCert);
*/
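Review bot: In the CA-certificate loop, after `nss_ZRealloc(berCert.data, size)` the capacity is recorded as `berSize = length;`, which is the number of handshake bytes still unread, not the size of the buffer. Whenever more certificates follow, `length` is larger than `size`, so a later certificate bigger than the real allocation can pass the `size > berSize` test and `ssl3_ConsumeHandshake` would copy it into a buffer that is too small; the line should read `berSize = size;`. The realloc result should go through a temporary so the old buffer is not lost on failure, and `chain` needs a check such as `if (!chain) goto loser;` before `NSSCertChain_AddEncodedCert`. The trailing `if (remaining != 0) goto decode_loser;` cannot fire after `while (remaining != 0)`; comparing the declared list length with `length` up front would catch trailing bytes instead. The function starts and ends outside the hunk.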
@@ -6831,9 +7042,11 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
{
ssl3State * ssl3 = ss->ssl3;
sslSessionID * sid = ss->sec.ci.sid;
+#ifdef IMPLEMENT_SESSION_ID_CACHE
NSSSymKey * wrappingKey = NULL;
NSSToken * symKeyToken;
void * pwArg = ss->pkcs11PinArg;
+#endif /* IMPLEMENT_SESSION_ID_CACHE */
SECStatus rv;
PRBool isServer = ss->sec.isServer;
PRBool isTLS;
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h
index ead44288a..859dd1240 100644
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -649,10 +649,10 @@ struct ssl3StateStr {
SSL3HandshakeState hs;
- NSSCert * clientCertificate; /* used by client */
- NSSPrivateKey * clientPrivateKey; /* used by client */
- NSSCertChain *clientCertChain; /* used by client */
- PRBool sendEmptyCert; /* used by client */
+ NSSCert * clientCertificate; /* used by client */
+ NSSPrivateKey * clientPrivateKey; /* used by client */
+ NSSCertChain * clientCertChain; /* used by client */
+ PRBool sendEmptyCert; /* used by client */
int policy;
/* This says what cipher suites we can do, and should
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
index 19bc541e9..fbf977460 100644
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -899,6 +899,9 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
return rv;
}
+/* XXX where/how to init this stuff? */
+extern PRStatus ssl3_InitAlgorithms(void);
+
SECStatus
NSS_SetDomesticPolicy(void)
{
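Review bot: `ssl3_InitAlgorithms` is declared with a local `extern` in sslsock.c rather than in `sslimpl.h`, which this commit already touches, so a later change to its signature would not be caught by the compiler. The only call visible is the one added to `NSS_SetDomesticPolicy` in the next hunk; if the `s_ssl3_pms_ap` and `s_tls_pms_ap` parameters used in `ssl3_GenerateRSAPMS` are set up there (not shown), an application that configures policy another way would presumably reach the handshake with them unset. Moving the prototype to the header and calling the initialiser from the library's own init path, or lazily behind a once-guard, would settle the `/* XXX where/how to init this stuff? */` question.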
@@ -906,6 +909,10 @@ NSS_SetDomesticPolicy(void)
SECStatus status = SECSuccess;
cipherPolicy * policy;
+ if (ssl3_InitAlgorithms() == PR_FAILURE) {
+ return SECFailure;
+ }
+
for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED);
if (status != SECSuccess)